[ { "path": ".editorconfig", "content": "root = true\n\n[*]\nindent_style = space\nindent_size = 4\nend_of_line = lf\ninsert_final_newline = true\ntrim_trailing_whitespace = true" }, { "path": ".gitattributes", "content": "Sources/CNIOBoringSSL/* linguist-vendored\n" }, { "path": ".github/release.yml", "content": "changelog:\n categories:\n - title: SemVer Major\n labels:\n - ⚠️ semver/major\n - title: SemVer Minor\n labels:\n - 🆕 semver/minor\n - title: SemVer Patch\n labels:\n - 🔨 semver/patch\n - title: Other Changes\n labels:\n - semver/none\n" }, { "path": ".github/workflows/main.yml", "content": "name: Main\n\npermissions:\n contents: read\n\non:\n push:\n branches: [main]\n schedule:\n - cron: \"0 8,20 * * *\"\n\njobs:\n unit-tests:\n name: Unit tests\n uses: apple/swift-nio/.github/workflows/unit_tests.yml@main\n with:\n linux_5_10_arguments_override: \"-Xswiftc -warnings-as-errors --explicit-target-dependency-import-check error\"\n linux_6_1_arguments_override: \"-Xswiftc -warnings-as-errors --explicit-target-dependency-import-check error -Xswiftc -require-explicit-sendable\"\n linux_6_2_arguments_override: \"-Xswiftc -warnings-as-errors --explicit-target-dependency-import-check error -Xswiftc -require-explicit-sendable\"\n linux_6_3_arguments_override: \"-Xswiftc -warnings-as-errors --explicit-target-dependency-import-check error -Xswiftc -require-explicit-sendable\"\n linux_nightly_next_arguments_override: \"--explicit-target-dependency-import-check error -Xswiftc -require-explicit-sendable\"\n linux_nightly_main_arguments_override: \"--explicit-target-dependency-import-check error -Xswiftc -require-explicit-sendable\"\n\n construct-integration-test-matrix:\n name: Construct integration matrix\n runs-on: ubuntu-latest\n outputs:\n integration-test-matrix: '${{ steps.generate-matrix.outputs.integration-test-matrix }}'\n steps:\n - name: Checkout repository\n uses: actions/checkout@v6\n with:\n persist-credentials: false\n - id: generate-matrix\n run: echo \"integration-test-matrix=$(curl -s https://raw.githubusercontent.com/apple/swift-nio/main/scripts/generate_matrix.sh | bash)\" >> \"$GITHUB_OUTPUT\"\n env:\n MATRIX_LINUX_SETUP_COMMAND: apt-get update -y && apt-get install -yq execstack lsof dnsutils netcat-openbsd net-tools expect curl jq\n MATRIX_LINUX_COMMAND: ./scripts/integration_tests.sh -f test_01_renegotiation\n\n integration-test:\n name: Integration test\n needs: construct-integration-test-matrix\n uses: apple/swift-nio/.github/workflows/swift_test_matrix.yml@main\n with:\n name: \"Integration test\"\n matrix_string: '${{ needs.construct-integration-test-matrix.outputs.integration-test-matrix }}'\n\n benchmarks:\n name: Benchmarks\n uses: apple/swift-nio/.github/workflows/benchmarks.yml@main\n with:\n benchmark_package_path: \"Benchmarks\"\n\n macos-tests:\n name: macOS tests\n uses: apple/swift-nio/.github/workflows/macos_tests.yml@main\n with:\n runner_pool: nightly\n build_scheme: swift-nio-ssl-Package\n xcode_16_2_build_arguments_override: \"-Xswiftc -Xfrontend -Xswiftc -require-explicit-sendable\"\n xcode_16_3_build_arguments_override: \"-Xswiftc -Xfrontend -Xswiftc -require-explicit-sendable\"\n\n static-sdk:\n name: Static SDK\n uses: apple/swift-nio/.github/workflows/static_sdk.yml@main\n\n release-builds:\n name: Release builds\n uses: apple/swift-nio/.github/workflows/release_builds.yml@main\n" }, { "path": ".github/workflows/pull_request.yml", "content": "name: PR\n\npermissions:\n contents: read\n\non:\n pull_request:\n types: [opened, reopened, synchronize]\n\njobs:\n soundness:\n name: Soundness\n uses: swiftlang/github-workflows/.github/workflows/soundness.yml@0.0.7\n with:\n license_header_check_project_name: \"SwiftNIO\"\n unit-tests:\n name: Unit tests\n uses: apple/swift-nio/.github/workflows/unit_tests.yml@main\n with:\n linux_5_10_arguments_override: \"-Xswiftc -warnings-as-errors --explicit-target-dependency-import-check error\"\n # We can't set warnings-as-errors for 6.1 because we can't suppress the ImplementationOnly import warning.\n linux_6_1_arguments_override: \"--explicit-target-dependency-import-check error -Xswiftc -require-explicit-sendable\"\n linux_6_2_arguments_override: \"-Xswiftc -warnings-as-errors -Xswiftc -Wwarning -Xswiftc ImplementationOnlyDeprecated --explicit-target-dependency-import-check error -Xswiftc -require-explicit-sendable\"\n linux_6_3_arguments_override: \"-Xswiftc -warnings-as-errors -Xswiftc -Wwarning -Xswiftc ImplementationOnlyDeprecated --explicit-target-dependency-import-check error -Xswiftc -require-explicit-sendable\"\n linux_nightly_next_arguments_override: \"-Xswiftc -warnings-as-errors -Xswiftc -Wwarning -Xswiftc ImplementationOnlyDeprecated --explicit-target-dependency-import-check error -Xswiftc -require-explicit-sendable\"\n linux_nightly_main_arguments_override: \"-Xswiftc -warnings-as-errors -Xswiftc -Wwarning -Xswiftc ImplementationOnlyDeprecated --explicit-target-dependency-import-check error -Xswiftc -require-explicit-sendable\"\n\n construct-integration-test-matrix:\n name: Construct integration matrix\n runs-on: ubuntu-latest\n outputs:\n integration-test-matrix: '${{ steps.generate-matrix.outputs.integration-test-matrix }}'\n steps:\n - name: Checkout repository\n uses: actions/checkout@v6\n with:\n persist-credentials: false\n - id: generate-matrix\n run: echo \"integration-test-matrix=$(curl -s https://raw.githubusercontent.com/apple/swift-nio/main/scripts/generate_matrix.sh | bash)\" >> \"$GITHUB_OUTPUT\"\n env:\n MATRIX_LINUX_SETUP_COMMAND: apt-get update -y && apt-get install -yq execstack lsof dnsutils netcat-openbsd net-tools expect curl jq\n MATRIX_LINUX_COMMAND: ./scripts/integration_tests.sh -f test_01_renegotiation\n\n integration-test:\n name: Integration test\n needs: construct-integration-test-matrix\n uses: apple/swift-nio/.github/workflows/swift_test_matrix.yml@main\n with:\n name: \"Integration test\"\n matrix_string: '${{ needs.construct-integration-test-matrix.outputs.integration-test-matrix }}'\n\n benchmarks:\n name: Benchmarks\n uses: apple/swift-nio/.github/workflows/benchmarks.yml@main\n with:\n benchmark_package_path: \"Benchmarks\"\n\n cxx-interop:\n name: Cxx interop\n uses: apple/swift-nio/.github/workflows/cxx_interop.yml@main\n\n macos-tests:\n name: macOS tests\n uses: apple/swift-nio/.github/workflows/macos_tests.yml@main\n with:\n runner_pool: general\n build_scheme: swift-nio-ssl-Package\n xcode_16_2_build_arguments_override: \"-Xswiftc -Xfrontend -Xswiftc -require-explicit-sendable\"\n xcode_16_3_build_arguments_override: \"-Xswiftc -Xfrontend -Xswiftc -require-explicit-sendable\"\n\n static-sdk:\n name: Static SDK\n uses: apple/swift-nio/.github/workflows/static_sdk.yml@main\n\n release-builds:\n name: Release builds\n uses: apple/swift-nio/.github/workflows/release_builds.yml@main\n" }, { "path": ".github/workflows/pull_request_label.yml", "content": "name: PR label\n\npermissions:\n contents: read\n\non:\n pull_request:\n types: [labeled, unlabeled, opened, reopened, synchronize]\n\njobs:\n semver-label-check:\n name: Semantic version label check\n runs-on: ubuntu-latest\n timeout-minutes: 1\n steps:\n - name: Checkout repository\n uses: actions/checkout@v6\n with:\n persist-credentials: false\n - name: Check for Semantic Version label\n uses: apple/swift-nio/.github/actions/pull_request_semver_label_checker@main\n" }, { "path": ".gitignore", "content": ".DS_Store\n/.build\n/Packages\n/*.xcodeproj\nPackage.pins\nPackage.resolved\n*.pem\n/docs\nDerivedData\n/.idea\n.swiftpm\n" }, { "path": ".licenseignore", "content": ".gitignore\n**/.gitignore\n.licenseignore\n.gitattributes\n.git-blame-ignore-revs\n.mailfilter\n.mailmap\n.spi.yml\n.swift-format\n.editorconfig\n.github/*\n*.md\n*.txt\n*.yml\n*.yaml\n*.json\nPackage.swift\n**/Package.swift\nPackage@-*.swift\n**/Package@-*.swift\nPackage.resolved\n**/Package.resolved\nMakefile\n*.modulemap\n**/*.modulemap\n**/*.docc/*\n*.xcprivacy\n**/*.xcprivacy\n*.symlink\n**/*.symlink\nDockerfile\n**/Dockerfile\nSnippets/*\nSources/CNIOBoringSSL/*\ndev/alloc-limits-from-test-output\ndev/boxed-existentials.d\ndev/git.commit.template\ndev/lldb-smoker\ndev/make-single-file-spm\ndev/malloc-aggregation.d\ndev/update-alloc-limits-to-last-completed-ci-build\nscripts/patch-1-inttypes.patch\nscripts/patch-2-inttypes.patch\nscripts/patch-3-more-inttypes.patch\n.unacceptablelanguageignore\n" }, { "path": ".spi.yml", "content": "version: 1\nbuilder:\n configs:\n - documentation_targets: [NIOSSL]\n" }, { "path": ".swift-format", "content": "{\n \"version\" : 1,\n \"indentation\" : {\n \"spaces\" : 4\n },\n \"tabWidth\" : 4,\n \"fileScopedDeclarationPrivacy\" : {\n \"accessLevel\" : \"private\"\n },\n \"spacesAroundRangeFormationOperators\" : false,\n \"indentConditionalCompilationBlocks\" : false,\n \"indentSwitchCaseLabels\" : false,\n \"lineBreakAroundMultilineExpressionChainComponents\" : false,\n \"lineBreakBeforeControlFlowKeywords\" : false,\n \"lineBreakBeforeEachArgument\" : true,\n \"lineBreakBeforeEachGenericRequirement\" : true,\n \"lineLength\" : 120,\n \"maximumBlankLines\" : 1,\n \"respectsExistingLineBreaks\" : true,\n \"prioritizeKeepingFunctionOutputTogether\" : true,\n \"rules\" : {\n \"AllPublicDeclarationsHaveDocumentation\" : false,\n \"AlwaysUseLiteralForEmptyCollectionInit\" : false,\n \"AlwaysUseLowerCamelCase\" : false,\n \"AmbiguousTrailingClosureOverload\" : true,\n \"BeginDocumentationCommentWithOneLineSummary\" : false,\n \"DoNotUseSemicolons\" : true,\n \"DontRepeatTypeInStaticProperties\" : true,\n \"FileScopedDeclarationPrivacy\" : true,\n \"FullyIndirectEnum\" : true,\n \"GroupNumericLiterals\" : true,\n \"IdentifiersMustBeASCII\" : true,\n \"NeverForceUnwrap\" : false,\n \"NeverUseForceTry\" : false,\n \"NeverUseImplicitlyUnwrappedOptionals\" : false,\n \"NoAccessLevelOnExtensionDeclaration\" : true,\n \"NoAssignmentInExpressions\" : true,\n \"NoBlockComments\" : true,\n \"NoCasesWithOnlyFallthrough\" : true,\n \"NoEmptyTrailingClosureParentheses\" : true,\n \"NoLabelsInCasePatterns\" : true,\n \"NoLeadingUnderscores\" : false,\n \"NoParensAroundConditions\" : true,\n \"NoVoidReturnOnFunctionSignature\" : true,\n \"OmitExplicitReturns\" : true,\n \"OneCasePerLine\" : true,\n \"OneVariableDeclarationPerLine\" : true,\n \"OnlyOneTrailingClosureArgument\" : true,\n \"OrderedImports\" : true,\n \"ReplaceForEachWithForLoop\" : true,\n \"ReturnVoidInsteadOfEmptyTuple\" : true,\n \"UseEarlyExits\" : false,\n \"UseExplicitNilCheckInConditions\" : false,\n \"UseLetInEveryBoundCaseVariable\" : false,\n \"UseShorthandTypeNames\" : true,\n \"UseSingleLinePropertyGetter\" : false,\n \"UseSynthesizedInitializer\" : false,\n \"UseTripleSlashForDocumentationComments\" : true,\n \"UseWhereClausesInForLoops\" : false,\n \"ValidateDocumentationComments\" : false\n }\n}\n" }, { "path": ".unacceptablelanguageignore", "content": "Sources/CNIOBoringSSL/*\nNOTICE.txt\n" }, { "path": "Benchmarks/Benchmarks/NIOSSLBenchmarks/Benchmarks.swift", "content": "//===----------------------------------------------------------------------===//\n//\n// This source file is part of the SwiftNIO open source project\n//\n// Copyright (c) 2024 Apple Inc. and the SwiftNIO project authors\n// Licensed under Apache License v2.0\n//\n// See LICENSE.txt for license information\n// See CONTRIBUTORS.txt for the list of SwiftNIO project authors\n//\n// SPDX-License-Identifier: Apache-2.0\n//\n//===----------------------------------------------------------------------===//\n\nimport Benchmark\nimport NIOCore\nimport NIOEmbedded\nimport NIOSSL\n\nlet benchmarks: @Sendable () -> Void = {\n let defaultMetrics: [BenchmarkMetric] = [\n .mallocCountTotal\n ]\n\n Benchmark(\n \"SimpleHandshake\",\n configuration: .init(\n metrics: defaultMetrics,\n scalingFactor: .kilo,\n maxDuration: .seconds(10_000_000),\n maxIterations: 10,\n thresholds: [.mallocCountTotal: .init(absolute: [.p90: 50])]\n )\n ) { benchmark in\n try runSimpleHandshake(\n handshakeCount: benchmark.scaledIterations.upperBound\n )\n }\n\n Benchmark(\n \"ManyWrites\",\n configuration: .init(\n metrics: defaultMetrics,\n scalingFactor: .kilo,\n maxDuration: .seconds(10_000_000),\n maxIterations: 10,\n thresholds: [.mallocCountTotal: .init(absolute: [.p90: 50])]\n )\n ) { benchmark in\n try runManyWrites(\n writeCount: benchmark.scaledIterations.upperBound\n )\n }\n}\n" }, { "path": "Benchmarks/Benchmarks/NIOSSLBenchmarks/ManyWrites.swift", "content": "//===----------------------------------------------------------------------===//\n//\n// This source file is part of the SwiftNIO open source project\n//\n// Copyright (c) 2019-2021 Apple Inc. and the SwiftNIO project authors\n// Licensed under Apache License v2.0\n//\n// See LICENSE.txt for license information\n// See CONTRIBUTORS.txt for the list of SwiftNIO project authors\n//\n// SPDX-License-Identifier: Apache-2.0\n//\n//===----------------------------------------------------------------------===//\n\nimport NIOCore\nimport NIOEmbedded\nimport NIOSSL\n\nfunc runManyWrites(writeCount: Int) throws {\n let serverContext = try NIOSSLContext(\n configuration: .makeServerConfiguration(\n certificateChain: [.certificate(.forTesting())],\n privateKey: .privateKey(.forTesting())\n )\n )\n\n var clientConfig = TLSConfiguration.makeClientConfiguration()\n clientConfig.trustRoots = try .certificates([.forTesting()])\n let clientContext = try NIOSSLContext(configuration: clientConfig)\n\n let dummyAddress = try SocketAddress(ipAddress: \"1.2.3.4\", port: 5678)\n let backToBack = BackToBackEmbeddedChannel()\n let serverHandler = NIOSSLServerHandler(context: serverContext)\n let clientHandler = try NIOSSLClientHandler(context: clientContext, serverHostname: \"localhost\")\n try backToBack.client.pipeline.addHandler(clientHandler).wait()\n try backToBack.server.pipeline.addHandler(serverHandler).wait()\n\n // To trigger activation of both channels we use connect().\n try backToBack.client.connect(to: dummyAddress).wait()\n try backToBack.server.connect(to: dummyAddress).wait()\n\n try backToBack.interactInMemory()\n\n // Let's try 512 bytes.\n var buffer = backToBack.client.allocator.buffer(capacity: 512)\n buffer.writeBytes(repeatElement(0, count: 512))\n\n for _ in 0.. NIOSSLCertificate {\n try .init(bytes: certificatePemBytes, format: .pem)\n }\n}\n\nextension NIOSSLPrivateKey {\n static func forTesting() throws -> NIOSSLPrivateKey {\n try .init(bytes: keyPemBytes, format: .pem)\n }\n}\n\nprivate let certificatePemBytes = Array(\n \"\"\"\n -----BEGIN CERTIFICATE-----\n MIIBTzCB9qADAgECAhQkvv72Je/v+B/cgJ53f84O82z6WTAKBggqhkjOPQQDAjAU\n MRIwEAYDVQQDDAlsb2NhbGhvc3QwHhcNMTkxMTI3MTAxMjMwWhcNMjkxMTI0MTAx\n MjMwWjAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwWTATBgcqhkjOPQIBBggqhkjOPQMB\n BwNCAAShtZ9TRt7I+7Y0o99XUkrgSYmUmpr4K8CB0IkTCX6b1tXp3Xqs1V5BckTd\n qrls+zsm3AfeiNBb9EDdxiX9DdzuoyYwJDAUBgNVHREEDTALgglsb2NhbGhvc3Qw\n DAYDVR0TAQH/BAIwADAKBggqhkjOPQQDAgNIADBFAiAKxYON+YTnIHNR0R6SLP8R\n R7hjsjV5NDs18XLoeRnA1gIhANwyggmE6NQW/r9l59fexj/ZrjaS3jYOTNCfC1Lo\n 5NgJ\n -----END CERTIFICATE-----\n \"\"\".utf8\n)\n\nprivate let keyPemBytes = Array(\n \"\"\"\n -----BEGIN PRIVATE KEY-----\n MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgCn182hBmYVMAiNPO\n +7w05F40SlAqqxgBEYJZOeK47aihRANCAAShtZ9TRt7I+7Y0o99XUkrgSYmUmpr4\n K8CB0IkTCX6b1tXp3Xqs1V5BckTdqrls+zsm3AfeiNBb9EDdxiX9Ddzu\n -----END PRIVATE KEY-----\n \"\"\".utf8\n)\n" }, { "path": "Benchmarks/Benchmarks/NIOSSLBenchmarks/SimpleHandshake.swift", "content": "//===----------------------------------------------------------------------===//\n//\n// This source file is part of the SwiftNIO open source project\n//\n// Copyright (c) 2019-2021 Apple Inc. and the SwiftNIO project authors\n// Licensed under Apache License v2.0\n//\n// See LICENSE.txt for license information\n// See CONTRIBUTORS.txt for the list of SwiftNIO project authors\n//\n// SPDX-License-Identifier: Apache-2.0\n//\n//===----------------------------------------------------------------------===//\n\nimport NIOCore\nimport NIOEmbedded\nimport NIOSSL\n\nfunc runSimpleHandshake(handshakeCount: Int) throws {\n let serverContext = try NIOSSLContext(\n configuration: .makeServerConfiguration(\n certificateChain: [.certificate(.forTesting())],\n privateKey: .privateKey(.forTesting())\n )\n )\n\n var clientConfig = TLSConfiguration.makeClientConfiguration()\n clientConfig.trustRoots = try .certificates([.forTesting()])\n let clientContext = try NIOSSLContext(configuration: clientConfig)\n\n let dummyAddress = try SocketAddress(ipAddress: \"1.2.3.4\", port: 5678)\n\n for _ in 0..\n" }, { "path": "CONTRIBUTING.md", "content": "## Legal\n\nBy submitting a pull request, you represent that you have the right to license\nyour contribution to Apple and the community, and agree by submitting the patch\nthat your contributions are licensed under the Apache 2.0 license (see\n`LICENSE.txt`).\n\n\n## How to submit a bug report\n\nPlease ensure to specify the following:\n\n* SwiftNIO commit hash\n* Contextual information (e.g. what you were trying to achieve with SwiftNIO)\n* Simplest possible steps to reproduce\n * More complex the steps are, lower the priority will be.\n * A pull request with failing test case is preferred, but it's just fine to paste the test case into the issue description.\n* Anything that might be relevant in your opinion, such as:\n * Swift version or the output of `swift --version`\n * OS version and the output of `uname -a`\n * Network configuration\n\n\n### Example\n\n```\nSwiftNIO commit hash: 22ec043dc9d24bb011b47ece4f9ee97ee5be2757\n\nContext:\nWhile load testing my HTTP web server written with SwiftNIO, I noticed\nthat one file descriptor is leaked per request.\n\nSteps to reproduce:\n1. ...\n2. ...\n3. ...\n4. ...\n\n$ swift --version\nSwift version 4.0.2 (swift-4.0.2-RELEASE)\nTarget: x86_64-unknown-linux-gnu\n\nOperating system: Ubuntu Linux 16.04 64-bit\n\n$ uname -a\nLinux beefy.machine 4.4.0-101-generic #124-Ubuntu SMP Fri Nov 10 18:29:59 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux\n\nMy system has IPv6 disabled.\n```\n\n## Writing a Patch\n\nA good SwiftNIO patch is:\n\n1. Concise, and contains as few changes as needed to achieve the end result.\n2. Tested, ensuring that any tests provided failed before the patch and pass after it.\n3. Documented, adding API documentation as needed to cover new functions and properties.\n4. Accompanied by a great commit message, using our commit message template.\n\n### Commit Message Template\n\nWe require that your commit messages match our template. The easiest way to do that is to get git to help you by explicitly using the template. To do that, `cd` to the root of our repository and run:\n\n git config commit.template dev/git.commit.template\n\n### Run CI checks locally\n\nYou can run the Github Actions workflows locally using [act](https://github.com/nektos/act). For detailed steps on how to do this please see [https://github.com/swiftlang/github-workflows?tab=readme-ov-file#running-workflows-locally](https://github.com/swiftlang/github-workflows?tab=readme-ov-file#running-workflows-locally).\n\n\n## How to contribute your work\n\nPlease open a pull request at https://github.com/apple/swift-nio. Make sure the CI passes, and then wait for code review.\n" }, { "path": "CONTRIBUTORS.txt", "content": "For the purpose of tracking copyright, this is the list of individuals and\norganizations who have contributed source code to SwiftNIO.\n\nFor employees of an organization/company where the copyright of work done\nby employees of that company is held by the company itself, only the company\nneeds to be listed here.\n\n## COPYRIGHT HOLDERS\n\n- Apple Inc. (all contributors with '@apple.com')\n\n### Contributors\n\n- Cory Benfield \n- Johannes Weiß \n- Norman Maurer \n- Tom Doron \n" }, { "path": "IntegrationTests/plugin_echo.sh", "content": "#!/bin/bash\n##===----------------------------------------------------------------------===##\n##\n## This source file is part of the SwiftNIO open source project\n##\n## Copyright (c) 2017-2018 Apple Inc. and the SwiftNIO project authors\n## Licensed under Apache License v2.0\n##\n## See LICENSE.txt for license information\n## See CONTRIBUTORS.txt for the list of SwiftNIO project authors\n##\n## SPDX-License-Identifier: Apache-2.0\n##\n##===----------------------------------------------------------------------===##\n\nfunction plugin_echo_test_suite_begin() {\n echo \"Running test suite '$1'\"\n}\n\nfunction plugin_echo_test_suite_end() {\n true\n}\n\n# test_name\nfunction plugin_echo_test_begin() {\n echo -n \"Running test '$1'... \"\n}\n\nfunction plugin_echo_test_skip() {\n echo \"Skipping test '$1'\"\n}\n\nfunction plugin_echo_test_ok() {\n echo \"OK (${1}s)\"\n}\n\nfunction plugin_echo_test_fail() {\n echo \"FAILURE ($1)\"\n echo \"--- OUTPUT BEGIN ---\"\n cat \"$2\"\n echo \"--- OUTPUT END ---\"\n}\n\nfunction plugin_echo_test_end() {\n true\n}\n\nfunction plugin_echo_summary_ok() {\n echo \"OK (ran $1 tests successfully)\"\n}\n\nfunction plugin_echo_summary_fail() {\n echo \"FAILURE (oks: $1, failures: $2)\"\n}\n\nfunction plugin_echo_init() {\n true\n}\n" }, { "path": "IntegrationTests/plugin_junit_xml.sh", "content": "#!/bin/bash\n##===----------------------------------------------------------------------===##\n##\n## This source file is part of the SwiftNIO open source project\n##\n## Copyright (c) 2017-2018 Apple Inc. and the SwiftNIO project authors\n## Licensed under Apache License v2.0\n##\n## See LICENSE.txt for license information\n## See CONTRIBUTORS.txt for the list of SwiftNIO project authors\n##\n## SPDX-License-Identifier: Apache-2.0\n##\n##===----------------------------------------------------------------------===##\n\njunit_testsuite_time=0\n\nfunction junit_output_write() {\n extra_flags=\"\"\n if [[ \"$1\" == \"-n\" ]]; then\n extra_flags=\"-n\"\n shift\n fi\n test -n \"$junit_xml_output\"\n echo $extra_flags \"$*\" >> \"$junit_xml_output\"\n}\n\nfunction junit_output_cat() {\n cat \"$@\" >> \"$junit_xml_output\"\n}\n\n# search, replace\nfunction junit_output_replace() {\n test -n \"$junit_xml_output\"\n case \"$(uname -s)\" in\n Linux)\n sed -i \"s/$1/$2/g\" \"$junit_xml_output\"\n ;;\n *)\n sed -i \"\" \"s/$1/$2/g\" \"$junit_xml_output\"\n ;;\n esac\n}\n\nfunction plugin_junit_xml_test_suite_begin() {\n junit_testsuite_time=0\n junit_output_write \"\"\n}\n\nfunction plugin_junit_xml_test_suite_end() {\n junit_repl_success_and_fail \"$1\" \"$2\"\n junit_output_write \"\"\n}\n\n# test_name\nfunction plugin_junit_xml_test_begin() {\n junit_output_write -n \" \"\n junit_testsuite_time=$((junit_testsuite_time + time_ms))\n}\n\nfunction plugin_junit_xml_test_fail() {\n time_ms=$1\n junit_output_write \" time='$time_ms'>\"\n junit_output_write \" \"\n junit_output_write \" \"\n junit_output_write ' '\n junit_output_write \" \"\n junit_output_write \" \"\n}\n\nfunction plugin_junit_xml_test_end() {\n junit_output_write \" \"\n}\n\nfunction junit_repl_success_and_fail() {\n junit_output_replace XXX-TESTS-XXX \"$(($1 + $2))\"\n junit_output_replace XXX-FAILURES-XXX \"$2\"\n junit_output_replace XXX-TIME-XXX \"$junit_testsuite_time\"\n}\n\nfunction plugin_junit_xml_summary_ok() {\n junit_output_write \"\"\n}\n\nfunction plugin_junit_xml_summary_fail() {\n junit_output_write \"\"\n}\n\nfunction plugin_junit_xml_init() {\n junit_xml_output=\"\"\n for f in \"$@\"; do\n if [[ \"$junit_xml_output\" = \"PLACEHOLDER\" ]]; then\n junit_xml_output=\"$f\"\n fi\n if [[ \"$f\" == \"--junit-xml\" && -z \"$junit_xml_output\" ]]; then\n junit_xml_output=\"PLACEHOLDER\"\n fi\n done\n\n if [[ -z \"$junit_xml_output\" || \"$junit_xml_output\" = \"PLACEHOLDER\" ]]; then\n echo >&2 \"ERROR: you need to specify the output after the --junit-xml argument\"\n false\n fi\n echo \"\" > \"$junit_xml_output\"\n}\n" }, { "path": "IntegrationTests/run-single-test.sh", "content": "#!/bin/bash\n##===----------------------------------------------------------------------===##\n##\n## This source file is part of the SwiftNIO open source project\n##\n## Copyright (c) 2017-2018 Apple Inc. and the SwiftNIO project authors\n## Licensed under Apache License v2.0\n##\n## See LICENSE.txt for license information\n## See CONTRIBUTORS.txt for the list of SwiftNIO project authors\n##\n## SPDX-License-Identifier: Apache-2.0\n##\n##===----------------------------------------------------------------------===##\n\n(\n# this sub-shell is where the actual test is run\nset -eu\nset -x\nset -o pipefail\n\ntest=\"$1\"\n# shellcheck disable=SC2034 # Used by whatever we source transpile in\ntmp=\"$2\"\n# shellcheck disable=SC2034 # Used by whatever we source transpile in\nroot=\"$3\"\n# shellcheck disable=SC2034 # Used by whatever we source transpile in\ng_show_info=\"$4\"\nhere=\"$( cd \"$( dirname \"${BASH_SOURCE[0]}\" )\" && pwd )\"\n\n# shellcheck source=IntegrationTests/test_functions.sh\nsource \"$here/test_functions.sh\"\n# shellcheck source=/dev/null\nsource \"$test\"\nwait\n)\nexit_code=$?\nexit $exit_code\n" }, { "path": "IntegrationTests/run-tests.sh", "content": "#!/bin/bash\n##===----------------------------------------------------------------------===##\n##\n## This source file is part of the SwiftNIO open source project\n##\n## Copyright (c) 2017-2018 Apple Inc. and the SwiftNIO project authors\n## Licensed under Apache License v2.0\n##\n## See LICENSE.txt for license information\n## See CONTRIBUTORS.txt for the list of SwiftNIO project authors\n##\n## SPDX-License-Identifier: Apache-2.0\n##\n##===----------------------------------------------------------------------===##\n\nset -eu\n\nshopt -s nullglob\n\nhere=\"$( cd \"$( dirname \"${BASH_SOURCE[0]}\" )\" && pwd )\"\ntmp=$(mktemp -d /tmp/.swift-nio-http1-server-sh-tests_XXXXXX)\n\n# start_time\nfunction time_diff_to_now() {\n echo \"$(( $(date +%s) - $1 ))\"\n}\n\nfunction plugins_do() {\n local method\n method=\"$1\"\n shift\n for plugin in $plugins; do\n cd \"$orig_cwd\"\n \"plugin_${plugin}_${method}\" \"$@\"\n cd - > /dev/null\n done\n}\n\n# shellcheck source=IntegrationTests/plugin_echo.sh\nsource \"$here/plugin_echo.sh\"\n# shellcheck source=/dev/null\nsource \"$here/plugin_junit_xml.sh\"\n\nplugins=\"echo\"\nplugin_opts_ind=0\nif [[ \"${1-default}\" == \"--junit-xml\" ]]; then\n plugins=\"echo junit_xml\"\n plugin_opts_ind=2\nfi\n\nfunction usage() {\n echo >&2 \"Usage: $0 [OPTIONS]\"\n echo >&2\n echo >&2 \"OPTIONS:\"\n echo >&2 \" -f FILTER: Only run tests matching FILTER (regex)\"\n}\n\norig_cwd=$(pwd)\ncd \"$here\"\n\nplugins_do init \"$@\"\nshift $plugin_opts_ind\n\nfilter=\".\"\nverbose=false\nshow_info=false\ndebug=false\nwhile getopts \"f:vid\" opt; do\n case $opt in\n f)\n filter=\"$OPTARG\"\n ;;\n v)\n verbose=true\n ;;\n i)\n show_info=true\n ;;\n d)\n debug=true\n ;;\n \\?)\n usage\n exit 1\n ;;\n esac\ndone\n\nfunction run_test() {\n if $verbose; then\n \"$@\" 2>&1 | tee -a \"$out\"\n # we need to return the return value of the first command\n return \"${PIPESTATUS[0]}\"\n else\n \"$@\" >> \"$out\" 2>&1\n fi\n}\n\nexec 3>&1 4>&2 # copy stdout/err to fd 3/4 to we can output control messages\ncnt_ok=0\ncnt_fail=0\nfor f in tests_*; do\n suite_ok=0\n suite_fail=0\n plugins_do test_suite_begin \"$f\"\n start_suite=$(date +%s)\n cd \"$f\"\n for t in test_*.sh; do\n if [[ ! \"$f/$t\" =~ $filter ]]; then\n plugins_do test_skip \"$t\"\n continue\n fi\n out=$(mktemp \"$tmp/test.out_XXXXXX\")\n test_tmp=$(mktemp -d \"$tmp/test.tmp_XXXXXX\")\n plugins_do test_begin \"$t\" \"$f\"\n start=$(date +%s)\n if run_test \"$here/run-single-test.sh\" \"$here/$f/$t\" \"$test_tmp\" \"$here/..\" \"$show_info\"; then\n plugins_do test_ok \"$(time_diff_to_now \"$start\")\"\n suite_ok=$((suite_ok+1))\n if $verbose; then\n cat \"$out\"\n fi\n else\n plugins_do test_fail \"$(time_diff_to_now \"$start\")\" \"$out\"\n suite_fail=$((suite_fail+1))\n fi\n if ! $debug; then\n rm \"$out\"\n rm -rf \"$test_tmp\"\n fi\n plugins_do test_end\n done\n cnt_ok=$((cnt_ok + suite_ok))\n cnt_fail=$((cnt_fail + suite_fail))\n cd ..\n plugins_do test_suite_end \"$(time_diff_to_now \"$start_suite\")\" \"$suite_ok\" \"$suite_fail\"\ndone\n\nif ! $debug; then\n rm -rf \"$tmp\"\nelse\n echo >&2 \"debug mode, not deleting '$tmp'\"\nfi\n\n\n# report\nif [[ $cnt_fail -gt 0 ]]; then\n # terminate leftovers (the whole process group)\n trap '' TERM\n kill 0 # ignore-unacceptable-language\n\n plugins_do summary_fail \"$cnt_ok\" \"$cnt_fail\"\nelse\n plugins_do summary_ok \"$cnt_ok\" \"$cnt_fail\"\nfi\n\nif [[ $cnt_fail -gt 0 ]]; then\n exit 1\nelse\n exit 0\nfi\n" }, { "path": "IntegrationTests/test_functions.sh", "content": "#!/bin/bash\n##===----------------------------------------------------------------------===##\n##\n## This source file is part of the SwiftNIO open source project\n##\n## Copyright (c) 2017-2018 Apple Inc. and the SwiftNIO project authors\n## Licensed under Apache License v2.0\n##\n## See LICENSE.txt for license information\n## See CONTRIBUTORS.txt for the list of SwiftNIO project authors\n##\n## SPDX-License-Identifier: Apache-2.0\n##\n##===----------------------------------------------------------------------===##\nfunction fail() {\n echo >&2 \"FAILURE: $*\"\n false\n}\n\nfunction assert_equal() {\n if [[ \"$1\" != \"$2\" ]]; then\n fail \"expected '$1', got '$2' ${3-}\"\n fi\n}\n\nfunction assert_equal_files() {\n if ! cmp -s \"$1\" \"$2\"; then\n diff -u \"$1\" \"$2\" || true\n echo\n echo \"--- SNIP ($1, size=$(wc \"$1\"), SHA=$(shasum \"$1\")) ---\"\n cat \"$1\"\n echo \"--- SNAP ($1)---\"\n echo \"--- SNIP ($2, size=$(wc \"$2\"), SHA=$(shasum \"$2\")) ---\"\n cat \"$2\"\n echo \"--- SNAP ($2) ---\"\n fail \"file '$1' not equal to '$2'\"\n fi\n}\n\nfunction assert_less_than() {\n if [[ ! \"$1\" -lt \"$2\" ]]; then\n fail \"assertion '$1' < '$2' failed\"\n fi\n}\n\nfunction assert_less_than_or_equal() {\n if [[ ! \"$1\" -le \"$2\" ]]; then\n fail \"assertion '$1' <= '$2' failed\"\n fi\n}\n\nfunction assert_greater_than() {\n if [[ ! \"$1\" -gt \"$2\" ]]; then\n fail \"assertion '$1' > '$2' failed\"\n fi\n}\n\nfunction assert_greater_than_or_equal() {\n if [[ ! \"$1\" -ge \"$2\" ]]; then\n fail \"assertion '$1' >= '$2' failed\"\n fi\n}\n\ng_has_previously_infoed=false\n\nfunction info() {\n # shellcheck disable=SC2154 # Defined by an include our by being source transpiled in\n if $g_show_info; then\n if ! $g_has_previously_infoed; then\n echo >&3 || true # echo an extra newline so it looks better\n g_has_previously_infoed=true\n fi\n echo >&3 \"info: $*\" || true\n fi\n}\n\nfunction warn() {\n echo >&4 \"warning: $*\"\n}\n" }, { "path": "IntegrationTests/tests_01_general/defines.sh", "content": "#!/bin/bash\n##===----------------------------------------------------------------------===##\n##\n## This source file is part of the SwiftNIO open source project\n##\n## Copyright (c) 2017-2019 Apple Inc. and the SwiftNIO project authors\n## Licensed under Apache License v2.0\n##\n## See LICENSE.txt for license information\n## See CONTRIBUTORS.txt for the list of SwiftNIO project authors\n##\n## SPDX-License-Identifier: Apache-2.0\n##\n##===----------------------------------------------------------------------===##\n\nfunction client_path() {\n echo \"$(swift build --show-bin-path)/NIOSSLHTTP1Client\"\n}\n\n" }, { "path": "IntegrationTests/tests_01_general/test_01_renegotiation.sh", "content": "#!/bin/bash\n##===----------------------------------------------------------------------===##\n##\n## This source file is part of the SwiftNIO open source project\n##\n## Copyright (c) 2019 Apple Inc. and the SwiftNIO project authors\n## Licensed under Apache License v2.0\n##\n## See LICENSE.txt for license information\n## See CONTRIBUTORS.txt for the list of SwiftNIO project authors\n##\n## SPDX-License-Identifier: Apache-2.0\n##\n##===----------------------------------------------------------------------===##\n\n# shellcheck source=IntegrationTests/tests_01_general/defines.sh\nsource defines.sh\n\nswift build\n\n# Generate a self-signed certificate.\n\n# shellcheck disable=SC2154 # Provided by framework\ncat << EOF > \"$tmp/openssl.cnf\"\n[ req ]\ndistinguished_name = subject\nreq_extensions = req_ext\nx509_extensions = x509_ext\n\n[ subject ]\ncountryName = Country Name (2 letter code)\ncountryName_default = US\n\nstateOrProvinceName = State or Province Name (full name)\nstateOrProvinceName_default = NY\n\nlocalityName = Locality Name (eg, city)\nlocalityName_default = New York\n\norganizationName = Organization Name (eg, company)\norganizationName_default = Example, LLC\n\n[ req_ext ]\n\nbasicConstraints = CA:FALSE\n\n[ x509_ext ]\nsubjectKeyIdentifier = hash\nsubjectAltName = @alternate_names\n\n[ alternate_names ]\nDNS.1 = localhost\nEOF\n\n\nopenssl req -new -newkey rsa:4096 -days 365 -nodes -config \"$tmp/openssl.cnf\" -x509 \\\n -subj \"/C=US/ST=NJ/L=Wall/O=NIO/CN=localhost\" \\\n -keyout \"$tmp/key.pem\" -out \"$tmp/cert.pem\"\n\nexpect -c \"\n spawn openssl s_server -no_tls1_3 -cert \\\"$tmp/cert.pem\\\" -key \\\"$tmp/key.pem\\\"\n set serverspawn \\$spawn_id\n expect {\n \\\"ACCEPT\\\" {\n }\n timeout {\n exit 1\n }\n }\n\n spawn $(client_path) http://localhost:4433/get \\\"$tmp/cert.pem\\\" \\\"$tmp/key.pem\\\" \\\"$tmp/cert.pem\\\"\n set spawn_id \\$serverspawn\n\n expect {\n \\\"close\\\\r\\\\r\\\" {\n }\n timeout {\n exit 2\n }\n }\n send \\\"R\\r\\\"\n expect {\n \\\"Read BLOCK\\\\r\\\" {\n }\n timeout {\n exit 3\n }\n }\n \"\n\n" }, { "path": "IntegrationTests/tests_01_general/test_02_execstack.sh", "content": "#!/bin/bash\n##===----------------------------------------------------------------------===##\n##\n## This source file is part of the SwiftNIO open source project\n##\n## Copyright (c) 2019 Apple Inc. and the SwiftNIO project authors\n## Licensed under Apache License v2.0\n##\n## See LICENSE.txt for license information\n## See CONTRIBUTORS.txt for the list of SwiftNIO project authors\n##\n## SPDX-License-Identifier: Apache-2.0\n##\n##===----------------------------------------------------------------------===##\n\n# shellcheck source=IntegrationTests/tests_01_general/defines.sh\nsource defines.sh\n\nif [[ \"$(uname -s)\" == \"Darwin\" ]]; then\n echo \"No need to run execstack on Darwin\"\n exit 0\nfi\n\nswift build -c debug\nswift build -c release\n\nDEBUG_SERVER_PATH=\"$(swift build --show-bin-path)/NIOTLSServer\"\nRELEASE_SERVER_PATH=\"$(swift build --show-bin-path -c release)/NIOTLSServer\"\n\nresults=$(execstack \"$DEBUG_SERVER_PATH\" \"$RELEASE_SERVER_PATH\")\ncount=$(echo \"$results\" | grep -c '^X' || true)\nif [ \"$count\" -ne 0 ]; then\n exit 1\nelse\n exit 0\nfi\n" }, { "path": "LICENSE.txt", "content": "\n Apache License\n Version 2.0, January 2004\n http://www.apache.org/licenses/\n\n TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n 1. Definitions.\n\n \"License\" shall mean the terms and conditions for use, reproduction,\n and distribution as defined by Sections 1 through 9 of this document.\n\n \"Licensor\" shall mean the copyright owner or entity authorized by\n the copyright owner that is granting the License.\n\n \"Legal Entity\" shall mean the union of the acting entity and all\n other entities that control, are controlled by, or are under common\n control with that entity. For the purposes of this definition,\n \"control\" means (i) the power, direct or indirect, to cause the\n direction or management of such entity, whether by contract or\n otherwise, or (ii) ownership of fifty percent (50%) or more of the\n outstanding shares, or (iii) beneficial ownership of such entity.\n\n \"You\" (or \"Your\") shall mean an individual or Legal Entity\n exercising permissions granted by this License.\n\n \"Source\" form shall mean the preferred form for making modifications,\n including but not limited to software source code, documentation\n source, and configuration files.\n\n \"Object\" form shall mean any form resulting from mechanical\n transformation or translation of a Source form, including but\n not limited to compiled object code, generated documentation,\n and conversions to other media types.\n\n \"Work\" shall mean the work of authorship, whether in Source or\n Object form, made available under the License, as indicated by a\n copyright notice that is included in or attached to the work\n (an example is provided in the Appendix below).\n\n \"Derivative Works\" shall mean any work, whether in Source or Object\n form, that is based on (or derived from) the Work and for which the\n editorial revisions, annotations, elaborations, or other modifications\n represent, as a whole, an original work of authorship. For the purposes\n of this License, Derivative Works shall not include works that remain\n separable from, or merely link (or bind by name) to the interfaces of,\n the Work and Derivative Works thereof.\n\n \"Contribution\" shall mean any work of authorship, including\n the original version of the Work and any modifications or additions\n to that Work or Derivative Works thereof, that is intentionally\n submitted to Licensor for inclusion in the Work by the copyright owner\n or by an individual or Legal Entity authorized to submit on behalf of\n the copyright owner. For the purposes of this definition, \"submitted\"\n means any form of electronic, verbal, or written communication sent\n to the Licensor or its representatives, including but not limited to\n communication on electronic mailing lists, source code control systems,\n and issue tracking systems that are managed by, or on behalf of, the\n Licensor for the purpose of discussing and improving the Work, but\n excluding communication that is conspicuously marked or otherwise\n designated in writing by the copyright owner as \"Not a Contribution.\"\n\n \"Contributor\" shall mean Licensor and any individual or Legal Entity\n on behalf of whom a Contribution has been received by Licensor and\n subsequently incorporated within the Work.\n\n 2. Grant of Copyright License. Subject to the terms and conditions of\n this License, each Contributor hereby grants to You a perpetual,\n worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n copyright license to reproduce, prepare Derivative Works of,\n publicly display, publicly perform, sublicense, and distribute the\n Work and such Derivative Works in Source or Object form.\n\n 3. Grant of Patent License. Subject to the terms and conditions of\n this License, each Contributor hereby grants to You a perpetual,\n worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n (except as stated in this section) patent license to make, have made,\n use, offer to sell, sell, import, and otherwise transfer the Work,\n where such license applies only to those patent claims licensable\n by such Contributor that are necessarily infringed by their\n Contribution(s) alone or by combination of their Contribution(s)\n with the Work to which such Contribution(s) was submitted. If You\n institute patent litigation against any entity (including a\n cross-claim or counterclaim in a lawsuit) alleging that the Work\n or a Contribution incorporated within the Work constitutes direct\n or contributory patent infringement, then any patent licenses\n granted to You under this License for that Work shall terminate\n as of the date such litigation is filed.\n\n 4. Redistribution. You may reproduce and distribute copies of the\n Work or Derivative Works thereof in any medium, with or without\n modifications, and in Source or Object form, provided that You\n meet the following conditions:\n\n (a) You must give any other recipients of the Work or\n Derivative Works a copy of this License; and\n\n (b) You must cause any modified files to carry prominent notices\n stating that You changed the files; and\n\n (c) You must retain, in the Source form of any Derivative Works\n that You distribute, all copyright, patent, trademark, and\n attribution notices from the Source form of the Work,\n excluding those notices that do not pertain to any part of\n the Derivative Works; and\n\n (d) If the Work includes a \"NOTICE\" text file as part of its\n distribution, then any Derivative Works that You distribute must\n include a readable copy of the attribution notices contained\n within such NOTICE file, excluding those notices that do not\n pertain to any part of the Derivative Works, in at least one\n of the following places: within a NOTICE text file distributed\n as part of the Derivative Works; within the Source form or\n documentation, if provided along with the Derivative Works; or,\n within a display generated by the Derivative Works, if and\n wherever such third-party notices normally appear. The contents\n of the NOTICE file are for informational purposes only and\n do not modify the License. You may add Your own attribution\n notices within Derivative Works that You distribute, alongside\n or as an addendum to the NOTICE text from the Work, provided\n that such additional attribution notices cannot be construed\n as modifying the License.\n\n You may add Your own copyright statement to Your modifications and\n may provide additional or different license terms and conditions\n for use, reproduction, or distribution of Your modifications, or\n for any such Derivative Works as a whole, provided Your use,\n reproduction, and distribution of the Work otherwise complies with\n the conditions stated in this License.\n\n 5. Submission of Contributions. Unless You explicitly state otherwise,\n any Contribution intentionally submitted for inclusion in the Work\n by You to the Licensor shall be under the terms and conditions of\n this License, without any additional terms or conditions.\n Notwithstanding the above, nothing herein shall supersede or modify\n the terms of any separate license agreement you may have executed\n with Licensor regarding such Contributions.\n\n 6. Trademarks. This License does not grant permission to use the trade\n names, trademarks, service marks, or product names of the Licensor,\n except as required for reasonable and customary use in describing the\n origin of the Work and reproducing the content of the NOTICE file.\n\n 7. Disclaimer of Warranty. Unless required by applicable law or\n agreed to in writing, Licensor provides the Work (and each\n Contributor provides its Contributions) on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n implied, including, without limitation, any warranties or conditions\n of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n PARTICULAR PURPOSE. You are solely responsible for determining the\n appropriateness of using or redistributing the Work and assume any\n risks associated with Your exercise of permissions under this License.\n\n 8. Limitation of Liability. In no event and under no legal theory,\n whether in tort (including negligence), contract, or otherwise,\n unless required by applicable law (such as deliberate and grossly\n negligent acts) or agreed to in writing, shall any Contributor be\n liable to You for damages, including any direct, indirect, special,\n incidental, or consequential damages of any character arising as a\n result of this License or out of the use or inability to use the\n Work (including but not limited to damages for loss of goodwill,\n work stoppage, computer failure or malfunction, or any and all\n other commercial damages or losses), even if such Contributor\n has been advised of the possibility of such damages.\n\n 9. Accepting Warranty or Additional Liability. While redistributing\n the Work or Derivative Works thereof, You may choose to offer,\n and charge a fee for, acceptance of support, warranty, indemnity,\n or other liability obligations and/or rights consistent with this\n License. However, in accepting such obligations, You may act only\n on Your own behalf and on Your sole responsibility, not on behalf\n of any other Contributor, and only if You agree to indemnify,\n defend, and hold each Contributor harmless for any liability\n incurred by, or claims asserted against, such Contributor by reason\n of your accepting any such warranty or additional liability.\n\n END OF TERMS AND CONDITIONS\n\n APPENDIX: How to apply the Apache License to your work.\n\n To apply the Apache License to your work, attach the following\n boilerplate notice, with the fields enclosed by brackets \"[]\"\n replaced with your own identifying information. (Don't include\n the brackets!) The text should be enclosed in the appropriate\n comment syntax for the file format. We also recommend that a\n file or class name and description of purpose be included on the\n same \"printed page\" as the copyright notice for easier\n identification within third-party archives.\n\n Copyright [yyyy] [name of copyright owner]\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n" }, { "path": "NOTICE.txt", "content": "\n The SwiftNIO Project\n ====================\n\nPlease visit the SwiftNIO web site for more information:\n\n * https://github.com/apple/swift-nio\n\nCopyright 2017, 2018 The SwiftNIO Project\n\nThe SwiftNIO Project licenses this file to you under the Apache License,\nversion 2.0 (the \"License\"); you may not use this file except in compliance\nwith the License. You may obtain a copy of the License at:\n\n https://www.apache.org/licenses/LICENSE-2.0\n\nUnless required by applicable law or agreed to in writing, software\ndistributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT\nWARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the\nLicense for the specific language governing permissions and limitations\nunder the License.\n\nAlso, please refer to each LICENSE..txt file, which is located in\nthe 'license' directory of the distribution file, for the license terms of the\ncomponents that this product depends on.\n\n-------------------------------------------------------------------------------\n\nThis product is heavily influenced by Netty.\n\n * LICENSE (Apache License 2.0):\n * https://github.com/netty/netty/blob/4.1/LICENSE.txt\n * HOMEPAGE:\n * https://netty.io\n\n---\n\nThis product contains a derivation of the Tony Stone's 'process_test_files.rb'.\n\n * LICENSE (Apache License 2.0):\n * https://www.apache.org/licenses/LICENSE-2.0\n * HOMEPAGE:\n * https://codegists.com/snippet/ruby/generate_xctest_linux_runnerrb_tonystone_ruby\n\n---\n\nThis product contains code derived from grpc-swift.\n\n * LICENSE (Apache License 2.0):\n * https://github.com/grpc/grpc-swift/blob/0.7.0/LICENSE\n * HOMEPAGE:\n * https://github.com/grpc/grpc-swift\n\n---\n\nThis product contains code from boringssl.\n\n * LICENSE (Combination ISC and OpenSSL license)\n * https://boringssl.googlesource.com/boringssl/+/refs/heads/master/LICENSE\n * HOMEPAGE:\n * https://boringssl.googlesource.com/boringssl/\n\n" }, { "path": "Package.swift", "content": "// swift-tools-version:6.1\n//===----------------------------------------------------------------------===//\n//\n// This source file is part of the SwiftNIO open source project\n//\n// Copyright (c) 2017-2021 Apple Inc. and the SwiftNIO project authors\n// Licensed under Apache License v2.0\n//\n// See LICENSE.txt for license information\n// See CONTRIBUTORS.txt for the list of SwiftNIO project authors\n//\n// SPDX-License-Identifier: Apache-2.0\n//\n//===----------------------------------------------------------------------===//\n\nimport PackageDescription\n\n// This package contains a vendored copy of BoringSSL. For ease of tracking\n// down problems with the copy of BoringSSL in use, we include a copy of the\n// commit hash of the revision of BoringSSL included in the given release.\n// This is also reproduced in a file called hash.txt in the\n// Sources/CNIOBoringSSL directory. The source repository is at\n// https://boringssl.googlesource.com/boringssl.\n//\n// BoringSSL Commit: 817ab07ebb53da35afea409ab9328f578492832d\n\n/// This function generates the dependencies we want to express.\n///\n/// Importantly, it tolerates the possibility that we are being used as part\n/// of the Swift toolchain, and so need to use local checkouts of our\n/// dependencies.\nfunc generateDependencies() -> [Package.Dependency] {\n if Context.environment[\"SWIFTCI_USE_LOCAL_DEPS\"] == nil {\n return [\n .package(url: \"https://github.com/apple/swift-nio.git\", from: \"2.80.0\")\n ]\n } else {\n return [\n .package(path: \"../swift-nio\")\n ]\n }\n}\n\n// This doesn't work when cross-compiling: the privacy manifest will be included in the Bundle and\n// Foundation will be linked. This is, however, strictly better than unconditionally adding the\n// resource.\n#if canImport(Darwin)\nlet includePrivacyManifest = true\n#else\nlet includePrivacyManifest = false\n#endif\n\nlet strictConcurrencyDevelopment = false\n\nlet strictConcurrencySettings: [SwiftSetting] = {\n var initialSettings: [SwiftSetting] = []\n\n if strictConcurrencyDevelopment {\n // -warnings-as-errors here is a workaround so that IDE-based development can\n // get tripped up on -require-explicit-sendable.\n initialSettings.append(.unsafeFlags([\"-Xfrontend\", \"-require-explicit-sendable\", \"-warnings-as-errors\"]))\n }\n\n return initialSettings\n}()\n\n// swift-format-ignore: NoBlockComments\nlet package = Package(\n name: \"swift-nio-ssl\",\n products: [\n .library(name: \"NIOSSL\", targets: [\"NIOSSL\"]),\n .executable(name: \"NIOTLSServer\", targets: [\"NIOTLSServer\"]),\n .executable(name: \"NIOSSLHTTP1Client\", targets: [\"NIOSSLHTTP1Client\"]),\n /* This target is used only for symbol mangling. It's added and removed automatically because it emits build warnings. MANGLE_START\n .library(name: \"CNIOBoringSSL\", type: .static, targets: [\"CNIOBoringSSL\"]),\n MANGLE_END */\n ],\n dependencies: generateDependencies(),\n targets: [\n .target(\n name: \"CNIOBoringSSL\",\n cSettings: [\n .define(\"_GNU_SOURCE\"),\n .define(\"_POSIX_C_SOURCE\", to: \"200112L\"),\n .define(\"_DARWIN_C_SOURCE\"),\n ]\n ),\n .target(\n name: \"CNIOBoringSSLShims\",\n dependencies: [\n \"CNIOBoringSSL\"\n ],\n cSettings: [\n .define(\"_GNU_SOURCE\")\n ]\n ),\n .target(\n name: \"NIOSSL\",\n dependencies: [\n \"CNIOBoringSSL\",\n \"CNIOBoringSSLShims\",\n .product(name: \"NIO\", package: \"swift-nio\"),\n .product(name: \"NIOCore\", package: \"swift-nio\"),\n .product(name: \"NIOConcurrencyHelpers\", package: \"swift-nio\"),\n .product(name: \"NIOTLS\", package: \"swift-nio\"),\n ],\n exclude: includePrivacyManifest ? [] : [\"PrivacyInfo.xcprivacy\"],\n resources: includePrivacyManifest ? [.copy(\"PrivacyInfo.xcprivacy\")] : [],\n swiftSettings: strictConcurrencySettings\n ),\n .executableTarget(\n name: \"NIOTLSServer\",\n dependencies: [\n \"NIOSSL\",\n .product(name: \"NIOCore\", package: \"swift-nio\"),\n .product(name: \"NIOPosix\", package: \"swift-nio\"),\n .product(name: \"NIOConcurrencyHelpers\", package: \"swift-nio\"),\n ],\n exclude: [\n \"README.md\"\n ],\n swiftSettings: strictConcurrencySettings\n ),\n .executableTarget(\n name: \"NIOSSLHTTP1Client\",\n dependencies: [\n \"NIOSSL\",\n .product(name: \"NIOCore\", package: \"swift-nio\"),\n .product(name: \"NIOPosix\", package: \"swift-nio\"),\n .product(name: \"NIOHTTP1\", package: \"swift-nio\"),\n .product(name: \"NIOFoundationCompat\", package: \"swift-nio\"),\n ],\n exclude: [\n \"README.md\"\n ],\n swiftSettings: strictConcurrencySettings\n ),\n .executableTarget(\n name: \"NIOSSLPerformanceTester\",\n dependencies: [\n \"NIOSSL\",\n .product(name: \"NIOCore\", package: \"swift-nio\"),\n .product(name: \"NIOEmbedded\", package: \"swift-nio\"),\n .product(name: \"NIOTLS\", package: \"swift-nio\"),\n ],\n swiftSettings: strictConcurrencySettings\n ),\n .testTarget(\n name: \"NIOSSLTests\",\n dependencies: [\n \"NIOSSL\",\n .product(name: \"NIOCore\", package: \"swift-nio\"),\n .product(name: \"NIOEmbedded\", package: \"swift-nio\"),\n .product(name: \"NIOPosix\", package: \"swift-nio\"),\n .product(name: \"NIOTLS\", package: \"swift-nio\"),\n ],\n swiftSettings: strictConcurrencySettings\n ),\n ],\n cxxLanguageStandard: .cxx17\n)\n\n// --- STANDARD CROSS-REPO SETTINGS DO NOT EDIT --- //\nfor target in package.targets {\n switch target.type {\n case .regular, .test, .executable:\n var settings = target.swiftSettings ?? []\n // https://github.com/swiftlang/swift-evolution/blob/main/proposals/0444-member-import-visibility.md\n settings.append(.enableUpcomingFeature(\"MemberImportVisibility\"))\n target.swiftSettings = settings\n case .macro, .plugin, .system, .binary:\n () // not applicable\n @unknown default:\n () // we don't know what to do here, do nothing\n }\n}\n// --- END: STANDARD CROSS-REPO SETTINGS DO NOT EDIT --- //\n" }, { "path": "README.md", "content": "# SwiftNIO SSL\n\nSwiftNIO SSL is a Swift package that contains an implementation of TLS based on BoringSSL. This package allows users of [SwiftNIO](https://github.com/apple/swift-nio) to write protocol clients and servers that use TLS to secure data in flight.\n\nThe name is inspired primarily by the names of the library this package uses (BoringSSL), and not because we don't know the name of the protocol. We know the protocol is TLS!\n\nTo get started, check out the [API docs](https://swiftpackageindex.com/apple/swift-nio-ssl/main/documentation/niossl).\n\n## Using SwiftNIO SSL\n\nSwiftNIO SSL provides two `ChannelHandler`s to use to secure a data stream: the `NIOSSLClientHandler` and the `NIOSSLServerHandler`. Each of these can be added to a `Channel` to secure the communications on that channel.\n\nAdditionally, we provide a number of low-level primitives for configuring your TLS connections. These will be shown below.\n\nTo secure a server connection, you will need a X.509 certificate chain in a file (either PEM or DER, but PEM is far easier), and the associated private key for the leaf certificate. These objects can then be wrapped up in a `TLSConfiguration` object that is used to initialize the `ChannelHandler`.\n\nFor example:\n\n```swift\nlet configuration = TLSConfiguration.makeServerConfiguration(\n certificateChain: try NIOSSLCertificate.fromPEMFile(\"cert.pem\").map { .certificate($0) },\n privateKey: try .privateKey(.init(file: \"key.pem\", format: .pem))\n)\nlet sslContext = try NIOSSLContext(configuration: configuration)\n\nlet server = ServerBootstrap(group: group)\n .childChannelInitializer { channel in\n // important: The handler must be initialized _inside_ the `childChannelInitializer`\n let handler = NIOSSLServerHandler(context: sslContext)\n\n [...]\n channel.pipeline.syncOperations.addHandler(handler)\n [...]\n }\n```\n\nFor clients, it is a bit simpler as there is no need to have a certificate chain or private key (though clients *may* have these things). Setup for clients may be done like this:\n\n```swift\nlet configuration = TLSConfiguration.makeClientConfiguration()\nlet sslContext = try NIOSSLContext(configuration: configuration)\n\nlet client = ClientBootstrap(group: group)\n .channelInitializer { channel in\n // important: The handler must be initialized _inside_ the `channelInitializer`\n let handler = try NIOSSLClientHandler(context: sslContext)\n\n [...]\n channel.pipeline.syncOperations.addHandler(handler)\n [...]\n }\n```\n\nThe most recent versions of SwiftNIO SSL support Swift 5.7 and newer. The minimum Swift version supported by SwiftNIO SSL releases are detailed below:\n\nSwiftNIO SSL | Minimum Swift Version\n--------------------|----------------------\n`2.0.0 ..< 2.14.0` | 5.0\n`2.14.0 ..< 2.19.0` | 5.2\n`2.19.0 ..< 2.23.0` | 5.4\n`2.23.0 ..< 2.23.2` | 5.5.2\n`2.23.2 ..< 2.26.0` | 5.6\n`2.26.0 ..< 2.27.0` | 5.7\n`2.27.0 ..< 2.29.3` | 5.8\n`2.29.3 ..< 2.31.0` | 5.9\n`2.31.0 ..< 2.35.0` | 5.10\n`2.35.0 ..< 2.37.0` | 6.0\n`2.37.0 ..<` | 6.1\n" }, { "path": "SECURITY.md", "content": "# Security\n\nPlease refer to the security guidelines set out in the\n[apple/swift-nio](https://github.com/apple/swift-nio) repository:\n\n" }, { "path": "Sources/CNIOBoringSSL/crypto/asn1/a_bitstr.cc", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n#include \n\n#include \n#include \n\n#include \"../internal.h\"\n#include \"internal.h\"\n\n\nint ASN1_BIT_STRING_set(ASN1_BIT_STRING *x, const unsigned char *d,\n ossl_ssize_t len) {\n return ASN1_STRING_set(x, d, len);\n}\n\nint asn1_bit_string_length(const ASN1_BIT_STRING *str,\n uint8_t *out_padding_bits) {\n int len = str->length;\n if (str->flags & ASN1_STRING_FLAG_BITS_LEFT) {\n // If the string is already empty, it cannot have padding bits.\n *out_padding_bits = len == 0 ? 0 : str->flags & 0x07;\n return len;\n }\n\n // TODO(https://crbug.com/boringssl/447): If we move this logic to\n // |ASN1_BIT_STRING_set_bit|, can we remove this representation?\n while (len > 0 && str->data[len - 1] == 0) {\n len--;\n }\n uint8_t padding_bits = 0;\n if (len > 0) {\n uint8_t last = str->data[len - 1];\n assert(last != 0);\n for (; padding_bits < 7; padding_bits++) {\n if (last & (1 << padding_bits)) {\n break;\n }\n }\n }\n *out_padding_bits = padding_bits;\n return len;\n}\n\nint ASN1_BIT_STRING_num_bytes(const ASN1_BIT_STRING *str, size_t *out) {\n uint8_t padding_bits;\n int len = asn1_bit_string_length(str, &padding_bits);\n if (padding_bits != 0) {\n return 0;\n }\n *out = len;\n return 1;\n}\n\nint i2c_ASN1_BIT_STRING(const ASN1_BIT_STRING *a, unsigned char **pp) {\n if (a == NULL) {\n return 0;\n }\n\n uint8_t bits;\n int len = asn1_bit_string_length(a, &bits);\n if (len > INT_MAX - 1) {\n OPENSSL_PUT_ERROR(ASN1, ERR_R_OVERFLOW);\n return 0;\n }\n int ret = 1 + len;\n if (pp == NULL) {\n return ret;\n }\n\n uint8_t *p = *pp;\n *(p++) = bits;\n OPENSSL_memcpy(p, a->data, len);\n if (len > 0) {\n p[len - 1] &= (0xff << bits);\n }\n p += len;\n *pp = p;\n return ret;\n}\n\nASN1_BIT_STRING *c2i_ASN1_BIT_STRING(ASN1_BIT_STRING **a,\n const unsigned char **pp, long len) {\n ASN1_BIT_STRING *ret = NULL;\n const unsigned char *p;\n unsigned char *s;\n int padding;\n uint8_t padding_mask;\n\n if (len < 1) {\n OPENSSL_PUT_ERROR(ASN1, ASN1_R_STRING_TOO_SHORT);\n goto err;\n }\n\n if (len > INT_MAX) {\n OPENSSL_PUT_ERROR(ASN1, ASN1_R_STRING_TOO_LONG);\n goto err;\n }\n\n if ((a == NULL) || ((*a) == NULL)) {\n if ((ret = ASN1_BIT_STRING_new()) == NULL) {\n return NULL;\n }\n } else {\n ret = (*a);\n }\n\n p = *pp;\n padding = *(p++);\n len--;\n if (padding > 7) {\n OPENSSL_PUT_ERROR(ASN1, ASN1_R_INVALID_BIT_STRING_BITS_LEFT);\n goto err;\n }\n\n // Unused bits in a BIT STRING must be zero.\n padding_mask = (1 << padding) - 1;\n if (padding != 0 && (len < 1 || (p[len - 1] & padding_mask) != 0)) {\n OPENSSL_PUT_ERROR(ASN1, ASN1_R_INVALID_BIT_STRING_PADDING);\n goto err;\n }\n\n // We do this to preserve the settings. If we modify the settings, via\n // the _set_bit function, we will recalculate on output\n ret->flags &= ~(ASN1_STRING_FLAG_BITS_LEFT | 0x07); // clear\n ret->flags |= (ASN1_STRING_FLAG_BITS_LEFT | padding); // set\n\n if (len > 0) {\n s = reinterpret_cast(OPENSSL_memdup(p, len));\n if (s == NULL) {\n goto err;\n }\n p += len;\n } else {\n s = NULL;\n }\n\n ret->length = (int)len;\n OPENSSL_free(ret->data);\n ret->data = s;\n ret->type = V_ASN1_BIT_STRING;\n if (a != NULL) {\n (*a) = ret;\n }\n *pp = p;\n return ret;\nerr:\n if ((ret != NULL) && ((a == NULL) || (*a != ret))) {\n ASN1_BIT_STRING_free(ret);\n }\n return NULL;\n}\n\n// These next 2 functions from Goetz Babin-Ebell \nint ASN1_BIT_STRING_set_bit(ASN1_BIT_STRING *a, int n, int value) {\n int w, v, iv;\n unsigned char *c;\n\n w = n / 8;\n v = 1 << (7 - (n & 0x07));\n iv = ~v;\n if (!value) {\n v = 0;\n }\n\n if (a == NULL) {\n return 0;\n }\n\n a->flags &= ~(ASN1_STRING_FLAG_BITS_LEFT | 0x07); // clear, set on write\n\n if ((a->length < (w + 1)) || (a->data == NULL)) {\n if (!value) {\n return 1; // Don't need to set\n }\n if (a->data == NULL) {\n c = (unsigned char *)OPENSSL_malloc(w + 1);\n } else {\n c = (unsigned char *)OPENSSL_realloc(a->data, w + 1);\n }\n if (c == NULL) {\n return 0;\n }\n if (w + 1 - a->length > 0) {\n OPENSSL_memset(c + a->length, 0, w + 1 - a->length);\n }\n a->data = c;\n a->length = w + 1;\n }\n a->data[w] = ((a->data[w]) & iv) | v;\n while ((a->length > 0) && (a->data[a->length - 1] == 0)) {\n a->length--;\n }\n return 1;\n}\n\nint ASN1_BIT_STRING_get_bit(const ASN1_BIT_STRING *a, int n) {\n int w, v;\n\n w = n / 8;\n v = 1 << (7 - (n & 0x07));\n if ((a == NULL) || (a->length < (w + 1)) || (a->data == NULL)) {\n return 0;\n }\n return ((a->data[w] & v) != 0);\n}\n\n// Checks if the given bit string contains only bits specified by\n// the flags vector. Returns 0 if there is at least one bit set in 'a'\n// which is not specified in 'flags', 1 otherwise.\n// 'len' is the length of 'flags'.\nint ASN1_BIT_STRING_check(const ASN1_BIT_STRING *a, const unsigned char *flags,\n int flags_len) {\n int i, ok;\n // Check if there is one bit set at all.\n if (!a || !a->data) {\n return 1;\n }\n\n // Check each byte of the internal representation of the bit string.\n ok = 1;\n for (i = 0; i < a->length && ok; ++i) {\n unsigned char mask = i < flags_len ? ~flags[i] : 0xff;\n // We are done if there is an unneeded bit set.\n ok = (a->data[i] & mask) == 0;\n }\n return ok;\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/asn1/a_bool.cc", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n#include \n\n#include \"../bytestring/internal.h\"\n\n\nint i2d_ASN1_BOOLEAN(ASN1_BOOLEAN a, unsigned char **outp) {\n CBB cbb;\n if (!CBB_init(&cbb, 3) || //\n !CBB_add_asn1_bool(&cbb, a != ASN1_BOOLEAN_FALSE)) {\n CBB_cleanup(&cbb);\n return -1;\n }\n return CBB_finish_i2d(&cbb, outp);\n}\n\nASN1_BOOLEAN d2i_ASN1_BOOLEAN(ASN1_BOOLEAN *out, const unsigned char **inp,\n long len) {\n if (len < 0) {\n return ASN1_BOOLEAN_NONE;\n }\n\n CBS cbs;\n CBS_init(&cbs, *inp, (size_t)len);\n int val;\n if (!CBS_get_asn1_bool(&cbs, &val)) {\n OPENSSL_PUT_ERROR(ASN1, ASN1_R_DECODE_ERROR);\n return ASN1_BOOLEAN_NONE;\n }\n\n ASN1_BOOLEAN ret = val ? ASN1_BOOLEAN_TRUE : ASN1_BOOLEAN_FALSE;\n if (out != NULL) {\n *out = ret;\n }\n *inp = CBS_data(&cbs);\n return ret;\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/asn1/a_d2i_fp.cc", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n\n#include \n#include \n#include \n\n\nvoid *ASN1_item_d2i_bio(const ASN1_ITEM *it, BIO *in, void *x) {\n uint8_t *data;\n size_t len;\n // Historically, this function did not impose a limit in OpenSSL and is used\n // to read CRLs, so we leave this without an external bound.\n if (!BIO_read_asn1(in, &data, &len, INT_MAX)) {\n return NULL;\n }\n const uint8_t *ptr = data;\n void *ret = ASN1_item_d2i(reinterpret_cast(x), &ptr, len, it);\n OPENSSL_free(data);\n return ret;\n}\n\nvoid *ASN1_item_d2i_fp(const ASN1_ITEM *it, FILE *in, void *x) {\n BIO *b = BIO_new_fp(in, BIO_NOCLOSE);\n if (b == NULL) {\n OPENSSL_PUT_ERROR(ASN1, ERR_R_BUF_LIB);\n return NULL;\n }\n void *ret = ASN1_item_d2i_bio(it, b, x);\n BIO_free(b);\n return ret;\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/asn1/a_dup.cc", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n#include \n\n// ASN1_ITEM version of dup: this follows the model above except we don't\n// need to allocate the buffer. At some point this could be rewritten to\n// directly dup the underlying structure instead of doing and encode and\n// decode.\nvoid *ASN1_item_dup(const ASN1_ITEM *it, void *x) {\n unsigned char *b = NULL;\n const unsigned char *p;\n long i;\n void *ret;\n\n if (x == NULL) {\n return NULL;\n }\n\n i = ASN1_item_i2d(reinterpret_cast(x), &b, it);\n if (b == NULL) {\n return NULL;\n }\n p = b;\n ret = ASN1_item_d2i(NULL, &p, i, it);\n OPENSSL_free(b);\n return ret;\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/asn1/a_gentm.cc", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n#include \n#include \n#include \n#include \n\n#include \n#include \n#include \n\n#include \"internal.h\"\n\nint asn1_generalizedtime_to_tm(struct tm *tm, const ASN1_GENERALIZEDTIME *d) {\n if (d->type != V_ASN1_GENERALIZEDTIME) {\n return 0;\n }\n CBS cbs;\n CBS_init(&cbs, d->data, (size_t)d->length);\n if (!CBS_parse_generalized_time(&cbs, tm, /*allow_timezone_offset=*/0)) {\n return 0;\n }\n return 1;\n}\n\nint ASN1_GENERALIZEDTIME_check(const ASN1_GENERALIZEDTIME *d) {\n return asn1_generalizedtime_to_tm(NULL, d);\n}\n\nint ASN1_GENERALIZEDTIME_set_string(ASN1_GENERALIZEDTIME *s, const char *str) {\n size_t len = strlen(str);\n CBS cbs;\n CBS_init(&cbs, (const uint8_t *)str, len);\n if (!CBS_parse_generalized_time(&cbs, /*out_tm=*/NULL,\n /*allow_timezone_offset=*/0)) {\n return 0;\n }\n if (s != NULL) {\n if (!ASN1_STRING_set(s, str, len)) {\n return 0;\n }\n s->type = V_ASN1_GENERALIZEDTIME;\n }\n return 1;\n}\n\nASN1_GENERALIZEDTIME *ASN1_GENERALIZEDTIME_set(ASN1_GENERALIZEDTIME *s,\n int64_t posix_time) {\n return ASN1_GENERALIZEDTIME_adj(s, posix_time, 0, 0);\n}\n\nASN1_GENERALIZEDTIME *ASN1_GENERALIZEDTIME_adj(ASN1_GENERALIZEDTIME *s,\n int64_t posix_time,\n int offset_day,\n long offset_sec) {\n struct tm data;\n if (!OPENSSL_posix_to_tm(posix_time, &data)) {\n return NULL;\n }\n\n if (offset_day || offset_sec) {\n if (!OPENSSL_gmtime_adj(&data, offset_day, offset_sec)) {\n return NULL;\n }\n }\n\n if (data.tm_year < 0 - 1900 || data.tm_year > 9999 - 1900) {\n OPENSSL_PUT_ERROR(ASN1, ASN1_R_ILLEGAL_TIME_VALUE);\n return NULL;\n }\n\n char buf[16];\n int ret = snprintf(buf, sizeof(buf), \"%04d%02d%02d%02d%02d%02dZ\",\n data.tm_year + 1900, data.tm_mon + 1, data.tm_mday,\n data.tm_hour, data.tm_min, data.tm_sec);\n // |snprintf| must write exactly 15 bytes (plus the NUL) to the buffer.\n BSSL_CHECK(ret == static_cast(sizeof(buf) - 1));\n\n int free_s = 0;\n if (s == NULL) {\n free_s = 1;\n s = ASN1_UTCTIME_new();\n if (s == NULL) {\n return NULL;\n }\n }\n\n if (!ASN1_STRING_set(s, buf, strlen(buf))) {\n if (free_s) {\n ASN1_UTCTIME_free(s);\n }\n return NULL;\n }\n s->type = V_ASN1_GENERALIZEDTIME;\n return s;\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/asn1/a_i2d_fp.cc", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n#include \n#include \n\n\nint ASN1_item_i2d_fp(const ASN1_ITEM *it, FILE *out, void *x) {\n BIO *b = BIO_new_fp(out, BIO_NOCLOSE);\n if (b == NULL) {\n OPENSSL_PUT_ERROR(ASN1, ERR_R_BUF_LIB);\n return 0;\n }\n int ret = ASN1_item_i2d_bio(it, b, x);\n BIO_free(b);\n return ret;\n}\n\nint ASN1_item_i2d_bio(const ASN1_ITEM *it, BIO *out, void *x) {\n unsigned char *b = NULL;\n int n = ASN1_item_i2d(reinterpret_cast(x), &b, it);\n if (b == NULL) {\n return 0;\n }\n\n int ret = BIO_write_all(out, b, n);\n OPENSSL_free(b);\n return ret;\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/asn1/a_int.cc", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n#include \n#include \n\n#include \n#include \n#include \n\n#include \"../internal.h\"\n\n\nASN1_INTEGER *ASN1_INTEGER_dup(const ASN1_INTEGER *x) {\n return ASN1_STRING_dup(x);\n}\n\nint ASN1_INTEGER_cmp(const ASN1_INTEGER *x, const ASN1_INTEGER *y) {\n // Compare signs.\n int neg = x->type & V_ASN1_NEG;\n if (neg != (y->type & V_ASN1_NEG)) {\n return neg ? -1 : 1;\n }\n\n int ret = ASN1_STRING_cmp(x, y);\n if (neg) {\n // This could be |-ret|, but |ASN1_STRING_cmp| is not forbidden from\n // returning |INT_MIN|.\n if (ret < 0) {\n return 1;\n } else if (ret > 0) {\n return -1;\n } else {\n return 0;\n }\n }\n\n return ret;\n}\n\n// negate_twos_complement negates |len| bytes from |buf| in-place, interpreted\n// as a signed, big-endian two's complement value.\nstatic void negate_twos_complement(uint8_t *buf, size_t len) {\n uint8_t borrow = 0;\n for (size_t i = len - 1; i < len; i--) {\n uint8_t t = buf[i];\n buf[i] = 0u - borrow - t;\n borrow |= t != 0;\n }\n}\n\nstatic int is_all_zeros(const uint8_t *in, size_t len) {\n for (size_t i = 0; i < len; i++) {\n if (in[i] != 0) {\n return 0;\n }\n }\n return 1;\n}\n\nint i2c_ASN1_INTEGER(const ASN1_INTEGER *in, unsigned char **outp) {\n if (in == NULL) {\n return 0;\n }\n\n // |ASN1_INTEGER|s should be represented minimally, but it is possible to\n // construct invalid ones. Skip leading zeros so this does not produce an\n // invalid encoding or break invariants.\n CBS cbs;\n CBS_init(&cbs, in->data, in->length);\n while (CBS_len(&cbs) > 0 && CBS_data(&cbs)[0] == 0) {\n CBS_skip(&cbs, 1);\n }\n\n int is_negative = (in->type & V_ASN1_NEG) != 0;\n size_t pad;\n CBS copy = cbs;\n uint8_t msb;\n if (!CBS_get_u8(©, &msb)) {\n // Zero is represented as a single byte.\n is_negative = 0;\n pad = 1;\n } else if (is_negative) {\n // 0x80...01 through 0xff...ff have a two's complement of 0x7f...ff\n // through 0x00...01 and need an extra byte to be negative.\n // 0x01...00 through 0x80...00 have a two's complement of 0xfe...ff\n // through 0x80...00 and can be negated as-is.\n pad = msb > 0x80 ||\n (msb == 0x80 && !is_all_zeros(CBS_data(©), CBS_len(©)));\n } else {\n // If the high bit is set, the signed representation needs an extra\n // byte to be positive.\n pad = (msb & 0x80) != 0;\n }\n\n if (CBS_len(&cbs) > INT_MAX - pad) {\n OPENSSL_PUT_ERROR(ASN1, ERR_R_OVERFLOW);\n return 0;\n }\n int len = (int)(pad + CBS_len(&cbs));\n assert(len > 0);\n if (outp == NULL) {\n return len;\n }\n\n if (pad) {\n (*outp)[0] = 0;\n }\n OPENSSL_memcpy(*outp + pad, CBS_data(&cbs), CBS_len(&cbs));\n if (is_negative) {\n negate_twos_complement(*outp, len);\n assert((*outp)[0] >= 0x80);\n } else {\n assert((*outp)[0] < 0x80);\n }\n *outp += len;\n return len;\n}\n\nASN1_INTEGER *c2i_ASN1_INTEGER(ASN1_INTEGER **out, const unsigned char **inp,\n long len) {\n // This function can handle lengths up to INT_MAX - 1, but the rest of the\n // legacy ASN.1 code mixes integer types, so avoid exposing it to\n // ASN1_INTEGERS with larger lengths.\n if (len < 0 || len > INT_MAX / 2) {\n OPENSSL_PUT_ERROR(ASN1, ASN1_R_TOO_LONG);\n return NULL;\n }\n\n CBS cbs;\n CBS_init(&cbs, *inp, (size_t)len);\n int is_negative;\n if (!CBS_is_valid_asn1_integer(&cbs, &is_negative)) {\n OPENSSL_PUT_ERROR(ASN1, ASN1_R_INVALID_INTEGER);\n return NULL;\n }\n\n ASN1_INTEGER *ret = NULL;\n if (out == NULL || *out == NULL) {\n ret = ASN1_INTEGER_new();\n if (ret == NULL) {\n return NULL;\n }\n } else {\n ret = *out;\n }\n\n // Convert to |ASN1_INTEGER|'s sign-and-magnitude representation. First,\n // determine the size needed for a minimal result.\n if (is_negative) {\n // 0xff00...01 through 0xff7f..ff have a two's complement of 0x00ff...ff\n // through 0x000100...001 and need one leading zero removed. 0x8000...00\n // through 0xff00...00 have a two's complement of 0x8000...00 through\n // 0x0100...00 and will be minimally-encoded as-is.\n if (CBS_len(&cbs) > 0 && CBS_data(&cbs)[0] == 0xff &&\n !is_all_zeros(CBS_data(&cbs) + 1, CBS_len(&cbs) - 1)) {\n CBS_skip(&cbs, 1);\n }\n } else {\n // Remove the leading zero byte, if any.\n if (CBS_len(&cbs) > 0 && CBS_data(&cbs)[0] == 0x00) {\n CBS_skip(&cbs, 1);\n }\n }\n\n if (!ASN1_STRING_set(ret, CBS_data(&cbs), CBS_len(&cbs))) {\n goto err;\n }\n\n if (is_negative) {\n ret->type = V_ASN1_NEG_INTEGER;\n negate_twos_complement(ret->data, ret->length);\n } else {\n ret->type = V_ASN1_INTEGER;\n }\n\n // The value should be minimally-encoded.\n assert(ret->length == 0 || ret->data[0] != 0);\n // Zero is not negative.\n assert(!is_negative || ret->length > 0);\n\n *inp += len;\n if (out != NULL) {\n *out = ret;\n }\n return ret;\n\nerr:\n if (ret != NULL && (out == NULL || *out != ret)) {\n ASN1_INTEGER_free(ret);\n }\n return NULL;\n}\n\nint ASN1_INTEGER_set_int64(ASN1_INTEGER *a, int64_t v) {\n if (v >= 0) {\n return ASN1_INTEGER_set_uint64(a, (uint64_t)v);\n }\n\n if (!ASN1_INTEGER_set_uint64(a, 0 - (uint64_t)v)) {\n return 0;\n }\n\n a->type = V_ASN1_NEG_INTEGER;\n return 1;\n}\n\nint ASN1_ENUMERATED_set_int64(ASN1_ENUMERATED *a, int64_t v) {\n if (v >= 0) {\n return ASN1_ENUMERATED_set_uint64(a, (uint64_t)v);\n }\n\n if (!ASN1_ENUMERATED_set_uint64(a, 0 - (uint64_t)v)) {\n return 0;\n }\n\n a->type = V_ASN1_NEG_ENUMERATED;\n return 1;\n}\n\nint ASN1_INTEGER_set(ASN1_INTEGER *a, long v) {\n static_assert(sizeof(long) <= sizeof(int64_t), \"long fits in int64_t\");\n return ASN1_INTEGER_set_int64(a, v);\n}\n\nint ASN1_ENUMERATED_set(ASN1_ENUMERATED *a, long v) {\n static_assert(sizeof(long) <= sizeof(int64_t), \"long fits in int64_t\");\n return ASN1_ENUMERATED_set_int64(a, v);\n}\n\nstatic int asn1_string_set_uint64(ASN1_STRING *out, uint64_t v, int type) {\n uint8_t buf[sizeof(uint64_t)];\n CRYPTO_store_u64_be(buf, v);\n size_t leading_zeros;\n for (leading_zeros = 0; leading_zeros < sizeof(buf); leading_zeros++) {\n if (buf[leading_zeros] != 0) {\n break;\n }\n }\n\n if (!ASN1_STRING_set(out, buf + leading_zeros, sizeof(buf) - leading_zeros)) {\n return 0;\n }\n out->type = type;\n return 1;\n}\n\nint ASN1_INTEGER_set_uint64(ASN1_INTEGER *out, uint64_t v) {\n return asn1_string_set_uint64(out, v, V_ASN1_INTEGER);\n}\n\nint ASN1_ENUMERATED_set_uint64(ASN1_ENUMERATED *out, uint64_t v) {\n return asn1_string_set_uint64(out, v, V_ASN1_ENUMERATED);\n}\n\nstatic int asn1_string_get_abs_uint64(uint64_t *out, const ASN1_STRING *a,\n int type) {\n if ((a->type & ~V_ASN1_NEG) != type) {\n OPENSSL_PUT_ERROR(ASN1, ASN1_R_WRONG_INTEGER_TYPE);\n return 0;\n }\n uint8_t buf[sizeof(uint64_t)] = {0};\n if (a->length > (int)sizeof(buf)) {\n OPENSSL_PUT_ERROR(ASN1, ASN1_R_INVALID_INTEGER);\n return 0;\n }\n OPENSSL_memcpy(buf + sizeof(buf) - a->length, a->data, a->length);\n *out = CRYPTO_load_u64_be(buf);\n return 1;\n}\n\nstatic int asn1_string_get_uint64(uint64_t *out, const ASN1_STRING *a,\n int type) {\n if (!asn1_string_get_abs_uint64(out, a, type)) {\n return 0;\n }\n if (a->type & V_ASN1_NEG) {\n OPENSSL_PUT_ERROR(ASN1, ASN1_R_INVALID_INTEGER);\n return 0;\n }\n return 1;\n}\n\nint ASN1_INTEGER_get_uint64(uint64_t *out, const ASN1_INTEGER *a) {\n return asn1_string_get_uint64(out, a, V_ASN1_INTEGER);\n}\n\nint ASN1_ENUMERATED_get_uint64(uint64_t *out, const ASN1_ENUMERATED *a) {\n return asn1_string_get_uint64(out, a, V_ASN1_ENUMERATED);\n}\n\nstatic int asn1_string_get_int64(int64_t *out, const ASN1_STRING *a, int type) {\n uint64_t v;\n if (!asn1_string_get_abs_uint64(&v, a, type)) {\n return 0;\n }\n int64_t i64;\n int fits_in_i64;\n // Check |v != 0| to handle manually-constructed negative zeros.\n if ((a->type & V_ASN1_NEG) && v != 0) {\n i64 = (int64_t)(0u - v);\n fits_in_i64 = i64 < 0;\n } else {\n i64 = (int64_t)v;\n fits_in_i64 = i64 >= 0;\n }\n if (!fits_in_i64) {\n OPENSSL_PUT_ERROR(ASN1, ASN1_R_INVALID_INTEGER);\n return 0;\n }\n *out = i64;\n return 1;\n}\n\nint ASN1_INTEGER_get_int64(int64_t *out, const ASN1_INTEGER *a) {\n return asn1_string_get_int64(out, a, V_ASN1_INTEGER);\n}\n\nint ASN1_ENUMERATED_get_int64(int64_t *out, const ASN1_ENUMERATED *a) {\n return asn1_string_get_int64(out, a, V_ASN1_ENUMERATED);\n}\n\nstatic long asn1_string_get_long(const ASN1_STRING *a, int type) {\n if (a == NULL) {\n return 0;\n }\n\n int64_t v;\n if (!asn1_string_get_int64(&v, a, type) || //\n v < LONG_MIN || v > LONG_MAX) {\n // This function's return value does not distinguish overflow from -1.\n ERR_clear_error();\n return -1;\n }\n\n return (long)v;\n}\n\nlong ASN1_INTEGER_get(const ASN1_INTEGER *a) {\n return asn1_string_get_long(a, V_ASN1_INTEGER);\n}\n\nlong ASN1_ENUMERATED_get(const ASN1_ENUMERATED *a) {\n return asn1_string_get_long(a, V_ASN1_ENUMERATED);\n}\n\nstatic ASN1_STRING *bn_to_asn1_string(const BIGNUM *bn, ASN1_STRING *ai,\n int type) {\n ASN1_INTEGER *ret;\n if (ai == NULL) {\n ret = ASN1_STRING_type_new(type);\n } else {\n ret = ai;\n }\n int len;\n if (ret == NULL) {\n OPENSSL_PUT_ERROR(ASN1, ASN1_R_NESTED_ASN1_ERROR);\n goto err;\n }\n\n if (BN_is_negative(bn) && !BN_is_zero(bn)) {\n ret->type = type | V_ASN1_NEG;\n } else {\n ret->type = type;\n }\n\n len = BN_num_bytes(bn);\n if (!ASN1_STRING_set(ret, NULL, len) ||\n !BN_bn2bin_padded(ret->data, len, bn)) {\n goto err;\n }\n return ret;\n\nerr:\n if (ret != ai) {\n ASN1_STRING_free(ret);\n }\n return NULL;\n}\n\nASN1_INTEGER *BN_to_ASN1_INTEGER(const BIGNUM *bn, ASN1_INTEGER *ai) {\n return bn_to_asn1_string(bn, ai, V_ASN1_INTEGER);\n}\n\nASN1_ENUMERATED *BN_to_ASN1_ENUMERATED(const BIGNUM *bn, ASN1_ENUMERATED *ai) {\n return bn_to_asn1_string(bn, ai, V_ASN1_ENUMERATED);\n}\n\nstatic BIGNUM *asn1_string_to_bn(const ASN1_STRING *ai, BIGNUM *bn, int type) {\n if ((ai->type & ~V_ASN1_NEG) != type) {\n OPENSSL_PUT_ERROR(ASN1, ASN1_R_WRONG_INTEGER_TYPE);\n return NULL;\n }\n\n BIGNUM *ret;\n if ((ret = BN_bin2bn(ai->data, ai->length, bn)) == NULL) {\n OPENSSL_PUT_ERROR(ASN1, ASN1_R_BN_LIB);\n } else if (ai->type & V_ASN1_NEG) {\n BN_set_negative(ret, 1);\n }\n return ret;\n}\n\nBIGNUM *ASN1_INTEGER_to_BN(const ASN1_INTEGER *ai, BIGNUM *bn) {\n return asn1_string_to_bn(ai, bn, V_ASN1_INTEGER);\n}\n\nBIGNUM *ASN1_ENUMERATED_to_BN(const ASN1_ENUMERATED *ai, BIGNUM *bn) {\n return asn1_string_to_bn(ai, bn, V_ASN1_ENUMERATED);\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/asn1/a_mbstr.cc", "content": "/*\n * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n#include \n\n#include \n#include \n#include \n\n#include \"../bytestring/internal.h\"\n#include \"internal.h\"\n\n// These functions take a string in UTF8, ASCII or multibyte form and a mask\n// of permissible ASN1 string types. It then works out the minimal type\n// (using the order Printable < IA5 < T61 < BMP < Universal < UTF8) and\n// creates a string of the correct type with the supplied data. Yes this is\n// horrible: it has to be :-( The 'ncopy' form checks minimum and maximum\n// size limits too.\n\nint ASN1_mbstring_copy(ASN1_STRING **out, const unsigned char *in,\n ossl_ssize_t len, int inform, unsigned long mask) {\n return ASN1_mbstring_ncopy(out, in, len, inform, mask, /*minsize=*/0,\n /*maxsize=*/0);\n}\n\nOPENSSL_DECLARE_ERROR_REASON(ASN1, INVALID_BMPSTRING)\nOPENSSL_DECLARE_ERROR_REASON(ASN1, INVALID_UNIVERSALSTRING)\nOPENSSL_DECLARE_ERROR_REASON(ASN1, INVALID_UTF8STRING)\n\nint ASN1_mbstring_ncopy(ASN1_STRING **out, const unsigned char *in,\n ossl_ssize_t len, int inform, unsigned long mask,\n ossl_ssize_t minsize, ossl_ssize_t maxsize) {\n if (len == -1) {\n len = strlen((const char *)in);\n }\n if (!mask) {\n mask = DIRSTRING_TYPE;\n }\n\n int (*decode_func)(CBS *, uint32_t *);\n int error;\n switch (inform) {\n case MBSTRING_BMP:\n decode_func = CBS_get_ucs2_be;\n error = ASN1_R_INVALID_BMPSTRING;\n break;\n\n case MBSTRING_UNIV:\n decode_func = CBS_get_utf32_be;\n error = ASN1_R_INVALID_UNIVERSALSTRING;\n break;\n\n case MBSTRING_UTF8:\n decode_func = CBS_get_utf8;\n error = ASN1_R_INVALID_UTF8STRING;\n break;\n\n case MBSTRING_ASC:\n decode_func = CBS_get_latin1;\n error = ERR_R_INTERNAL_ERROR; // Latin-1 inputs are never invalid.\n break;\n\n default:\n OPENSSL_PUT_ERROR(ASN1, ASN1_R_UNKNOWN_FORMAT);\n return -1;\n }\n\n // Check |minsize| and |maxsize| and work out the minimal type, if any.\n CBS cbs;\n CBS_init(&cbs, in, len);\n size_t utf8_len = 0, nchar = 0;\n while (CBS_len(&cbs) != 0) {\n uint32_t c;\n if (!decode_func(&cbs, &c)) {\n OPENSSL_PUT_ERROR(ASN1, error);\n return -1;\n }\n if (nchar == 0 && (inform == MBSTRING_BMP || inform == MBSTRING_UNIV) &&\n c == 0xfeff) {\n // Reject byte-order mark. We could drop it but that would mean\n // adding ambiguity around whether a BOM was included or not when\n // matching strings.\n //\n // For a little-endian UCS-2 string, the BOM will appear as 0xfffe\n // and will be rejected as noncharacter, below.\n OPENSSL_PUT_ERROR(ASN1, ASN1_R_ILLEGAL_CHARACTERS);\n return -1;\n }\n\n // Update which output formats are still possible.\n if ((mask & B_ASN1_PRINTABLESTRING) && !asn1_is_printable(c)) {\n mask &= ~B_ASN1_PRINTABLESTRING;\n }\n if ((mask & B_ASN1_IA5STRING) && (c > 127)) {\n mask &= ~B_ASN1_IA5STRING;\n }\n if ((mask & B_ASN1_T61STRING) && (c > 0xff)) {\n mask &= ~B_ASN1_T61STRING;\n }\n if ((mask & B_ASN1_BMPSTRING) && (c > 0xffff)) {\n mask &= ~B_ASN1_BMPSTRING;\n }\n if (!mask) {\n OPENSSL_PUT_ERROR(ASN1, ASN1_R_ILLEGAL_CHARACTERS);\n return -1;\n }\n\n nchar++;\n utf8_len += CBB_get_utf8_len(c);\n if (maxsize > 0 && nchar > (size_t)maxsize) {\n OPENSSL_PUT_ERROR(ASN1, ASN1_R_STRING_TOO_LONG);\n ERR_add_error_dataf(\"maxsize=%zu\", (size_t)maxsize);\n return -1;\n }\n }\n\n if (minsize > 0 && nchar < (size_t)minsize) {\n OPENSSL_PUT_ERROR(ASN1, ASN1_R_STRING_TOO_SHORT);\n ERR_add_error_dataf(\"minsize=%zu\", (size_t)minsize);\n return -1;\n }\n\n // Now work out output format and string type\n int str_type;\n int (*encode_func)(CBB *, uint32_t) = CBB_add_latin1;\n size_t size_estimate = nchar;\n int outform = MBSTRING_ASC;\n if (mask & B_ASN1_PRINTABLESTRING) {\n str_type = V_ASN1_PRINTABLESTRING;\n } else if (mask & B_ASN1_IA5STRING) {\n str_type = V_ASN1_IA5STRING;\n } else if (mask & B_ASN1_T61STRING) {\n str_type = V_ASN1_T61STRING;\n } else if (mask & B_ASN1_BMPSTRING) {\n str_type = V_ASN1_BMPSTRING;\n outform = MBSTRING_BMP;\n encode_func = CBB_add_ucs2_be;\n size_estimate = 2 * nchar;\n } else if (mask & B_ASN1_UNIVERSALSTRING) {\n str_type = V_ASN1_UNIVERSALSTRING;\n encode_func = CBB_add_utf32_be;\n size_estimate = 4 * nchar;\n outform = MBSTRING_UNIV;\n } else if (mask & B_ASN1_UTF8STRING) {\n str_type = V_ASN1_UTF8STRING;\n outform = MBSTRING_UTF8;\n encode_func = CBB_add_utf8;\n size_estimate = utf8_len;\n } else {\n OPENSSL_PUT_ERROR(ASN1, ASN1_R_ILLEGAL_CHARACTERS);\n return -1;\n }\n\n if (!out) {\n return str_type;\n }\n\n int free_dest = 0;\n ASN1_STRING *dest;\n if (*out) {\n dest = *out;\n } else {\n free_dest = 1;\n dest = ASN1_STRING_type_new(str_type);\n if (!dest) {\n return -1;\n }\n }\n\n CBB cbb;\n CBB_zero(&cbb);\n // If both the same type just copy across\n uint8_t *data = NULL;\n size_t data_len = 0;\n if (inform == outform) {\n if (!ASN1_STRING_set(dest, in, len)) {\n goto err;\n }\n dest->type = str_type;\n *out = dest;\n return str_type;\n }\n if (!CBB_init(&cbb, size_estimate + 1)) {\n goto err;\n }\n CBS_init(&cbs, in, len);\n while (CBS_len(&cbs) != 0) {\n uint32_t c;\n if (!decode_func(&cbs, &c) || !encode_func(&cbb, c)) {\n OPENSSL_PUT_ERROR(ASN1, ERR_R_INTERNAL_ERROR);\n goto err;\n }\n }\n if (/* OpenSSL historically NUL-terminated this value with a single byte,\n * even for |MBSTRING_BMP| and |MBSTRING_UNIV|. */\n !CBB_add_u8(&cbb, 0) || //\n !CBB_finish(&cbb, &data, &data_len) || //\n data_len < 1 || //\n data_len > INT_MAX) {\n OPENSSL_PUT_ERROR(ASN1, ERR_R_INTERNAL_ERROR);\n OPENSSL_free(data);\n goto err;\n }\n dest->type = str_type;\n ASN1_STRING_set0(dest, data, (int)data_len - 1);\n *out = dest;\n return str_type;\n\nerr:\n if (free_dest) {\n ASN1_STRING_free(dest);\n }\n CBB_cleanup(&cbb);\n return -1;\n}\n\nint asn1_is_printable(uint32_t value) {\n if (value > 0x7f) {\n return 0;\n }\n return OPENSSL_isalnum(value) || //\n value == ' ' || value == '\\'' || value == '(' || value == ')' ||\n value == '+' || value == ',' || value == '-' || value == '.' ||\n value == '/' || value == ':' || value == '=' || value == '?';\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/asn1/a_object.cc", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n#include \n\n#include \n#include \n#include \n#include \n\n#include \"../bytestring/internal.h\"\n#include \"../internal.h\"\n#include \"internal.h\"\n\n\nint i2d_ASN1_OBJECT(const ASN1_OBJECT *in, unsigned char **outp) {\n if (in == NULL) {\n OPENSSL_PUT_ERROR(ASN1, ERR_R_PASSED_NULL_PARAMETER);\n return -1;\n }\n\n if (in->length <= 0) {\n OPENSSL_PUT_ERROR(ASN1, ASN1_R_ILLEGAL_OBJECT);\n return -1;\n }\n\n CBB cbb, child;\n if (!CBB_init(&cbb, (size_t)in->length + 2) ||\n !CBB_add_asn1(&cbb, &child, CBS_ASN1_OBJECT) ||\n !CBB_add_bytes(&child, in->data, in->length)) {\n CBB_cleanup(&cbb);\n return -1;\n }\n\n return CBB_finish_i2d(&cbb, outp);\n}\n\nint i2t_ASN1_OBJECT(char *buf, int buf_len, const ASN1_OBJECT *a) {\n return OBJ_obj2txt(buf, buf_len, a, 0);\n}\n\nstatic int write_str(BIO *bp, const char *str) {\n size_t len = strlen(str);\n if (len > INT_MAX) {\n OPENSSL_PUT_ERROR(ASN1, ERR_R_OVERFLOW);\n return -1;\n }\n return BIO_write(bp, str, (int)len) == (int)len ? (int)len : -1;\n}\n\nint i2a_ASN1_OBJECT(BIO *bp, const ASN1_OBJECT *a) {\n if (a == NULL || a->data == NULL) {\n return write_str(bp, \"NULL\");\n }\n\n char buf[80], *allocated = NULL;\n const char *str = buf;\n int len = i2t_ASN1_OBJECT(buf, sizeof(buf), a);\n if (len > (int)sizeof(buf) - 1) {\n // The input was truncated. Allocate a buffer that fits.\n allocated = reinterpret_cast(OPENSSL_malloc(len + 1));\n if (allocated == NULL) {\n return -1;\n }\n len = i2t_ASN1_OBJECT(allocated, len + 1, a);\n str = allocated;\n }\n if (len <= 0) {\n str = \"\";\n }\n\n int ret = write_str(bp, str);\n OPENSSL_free(allocated);\n return ret;\n}\n\nASN1_OBJECT *d2i_ASN1_OBJECT(ASN1_OBJECT **out, const unsigned char **inp,\n long len) {\n if (len < 0) {\n return NULL;\n }\n\n CBS cbs, child;\n CBS_init(&cbs, *inp, (size_t)len);\n if (!CBS_get_asn1(&cbs, &child, CBS_ASN1_OBJECT)) {\n OPENSSL_PUT_ERROR(ASN1, ASN1_R_DECODE_ERROR);\n return NULL;\n }\n\n const uint8_t *contents = CBS_data(&child);\n ASN1_OBJECT *ret = c2i_ASN1_OBJECT(out, &contents, CBS_len(&child));\n if (ret != NULL) {\n // |c2i_ASN1_OBJECT| should have consumed the entire input.\n assert(CBS_data(&cbs) == contents);\n *inp = CBS_data(&cbs);\n }\n return ret;\n}\n\nASN1_OBJECT *c2i_ASN1_OBJECT(ASN1_OBJECT **out, const unsigned char **inp,\n long len) {\n if (len < 0) {\n OPENSSL_PUT_ERROR(ASN1, ASN1_R_INVALID_OBJECT_ENCODING);\n return NULL;\n }\n\n CBS cbs;\n CBS_init(&cbs, *inp, (size_t)len);\n if (!CBS_is_valid_asn1_oid(&cbs)) {\n OPENSSL_PUT_ERROR(ASN1, ASN1_R_INVALID_OBJECT_ENCODING);\n return NULL;\n }\n\n ASN1_OBJECT *ret = ASN1_OBJECT_create(NID_undef, *inp, (size_t)len,\n /*sn=*/NULL, /*ln=*/NULL);\n if (ret == NULL) {\n return NULL;\n }\n\n if (out != NULL) {\n ASN1_OBJECT_free(*out);\n *out = ret;\n }\n *inp += len; // All bytes were consumed.\n return ret;\n}\n\nASN1_OBJECT *ASN1_OBJECT_new(void) {\n ASN1_OBJECT *ret;\n\n ret = (ASN1_OBJECT *)OPENSSL_malloc(sizeof(ASN1_OBJECT));\n if (ret == NULL) {\n return NULL;\n }\n ret->length = 0;\n ret->data = NULL;\n ret->nid = 0;\n ret->sn = NULL;\n ret->ln = NULL;\n ret->flags = ASN1_OBJECT_FLAG_DYNAMIC;\n return ret;\n}\n\nvoid ASN1_OBJECT_free(ASN1_OBJECT *a) {\n if (a == NULL) {\n return;\n }\n if (a->flags & ASN1_OBJECT_FLAG_DYNAMIC_STRINGS) {\n OPENSSL_free((void *)a->sn);\n OPENSSL_free((void *)a->ln);\n a->sn = a->ln = NULL;\n }\n if (a->flags & ASN1_OBJECT_FLAG_DYNAMIC_DATA) {\n OPENSSL_free((void *)a->data);\n a->data = NULL;\n a->length = 0;\n }\n if (a->flags & ASN1_OBJECT_FLAG_DYNAMIC) {\n OPENSSL_free(a);\n }\n}\n\nASN1_OBJECT *ASN1_OBJECT_create(int nid, const unsigned char *data, size_t len,\n const char *sn, const char *ln) {\n if (len > INT_MAX) {\n OPENSSL_PUT_ERROR(ASN1, ASN1_R_STRING_TOO_LONG);\n return NULL;\n }\n\n ASN1_OBJECT o;\n o.sn = sn;\n o.ln = ln;\n o.data = data;\n o.nid = nid;\n o.length = (int)len;\n o.flags = ASN1_OBJECT_FLAG_DYNAMIC | ASN1_OBJECT_FLAG_DYNAMIC_STRINGS |\n ASN1_OBJECT_FLAG_DYNAMIC_DATA;\n return OBJ_dup(&o);\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/asn1/a_octet.cc", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n#include \n\nASN1_OCTET_STRING *ASN1_OCTET_STRING_dup(const ASN1_OCTET_STRING *x) {\n return ASN1_STRING_dup(x);\n}\n\nint ASN1_OCTET_STRING_cmp(const ASN1_OCTET_STRING *a,\n const ASN1_OCTET_STRING *b) {\n return ASN1_STRING_cmp(a, b);\n}\n\nint ASN1_OCTET_STRING_set(ASN1_OCTET_STRING *x, const unsigned char *d,\n int len) {\n return ASN1_STRING_set(x, d, len);\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/asn1/a_strex.cc", "content": "/*\n * Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n#include \n#include \n#include \n#include \n#include \n\n#include \n#include \n#include \n\n#include \"../bytestring/internal.h\"\n#include \"../internal.h\"\n#include \"internal.h\"\n\n\n#define ESC_FLAGS \\\n (ASN1_STRFLGS_ESC_2253 | ASN1_STRFLGS_ESC_QUOTE | ASN1_STRFLGS_ESC_CTRL | \\\n ASN1_STRFLGS_ESC_MSB)\n\nstatic int maybe_write(BIO *out, const void *buf, int len) {\n // If |out| is NULL, ignore the output but report the length.\n return out == NULL || BIO_write(out, buf, len) == len;\n}\n\nstatic int is_control_character(unsigned char c) { return c < 32 || c == 127; }\n\nstatic int do_esc_char(uint32_t c, unsigned long flags, char *do_quotes,\n BIO *out, int is_first, int is_last) {\n // |c| is a |uint32_t| because, depending on |ASN1_STRFLGS_UTF8_CONVERT|,\n // we may be escaping bytes or Unicode codepoints.\n char buf[16]; // Large enough for \"\\\\W01234567\".\n unsigned char u8 = (unsigned char)c;\n if (c > 0xffff) {\n snprintf(buf, sizeof(buf), \"\\\\W%08\" PRIX32, c);\n } else if (c > 0xff) {\n snprintf(buf, sizeof(buf), \"\\\\U%04\" PRIX32, c);\n } else if ((flags & ASN1_STRFLGS_ESC_MSB) && c > 0x7f) {\n snprintf(buf, sizeof(buf), \"\\\\%02X\", c);\n } else if ((flags & ASN1_STRFLGS_ESC_CTRL) && is_control_character(c)) {\n snprintf(buf, sizeof(buf), \"\\\\%02X\", c);\n } else if (flags & ASN1_STRFLGS_ESC_2253) {\n // See RFC 2253, sections 2.4 and 4.\n if (c == '\\\\' || c == '\"') {\n // Quotes and backslashes are always escaped, quoted or not.\n snprintf(buf, sizeof(buf), \"\\\\%c\", (int)c);\n } else if (c == ',' || c == '+' || c == '<' || c == '>' || c == ';' ||\n (is_first && (c == ' ' || c == '#')) ||\n (is_last && (c == ' '))) {\n if (flags & ASN1_STRFLGS_ESC_QUOTE) {\n // No need to escape, just tell the caller to quote.\n if (do_quotes != NULL) {\n *do_quotes = 1;\n }\n return maybe_write(out, &u8, 1) ? 1 : -1;\n }\n snprintf(buf, sizeof(buf), \"\\\\%c\", (int)c);\n } else {\n return maybe_write(out, &u8, 1) ? 1 : -1;\n }\n } else if ((flags & ESC_FLAGS) && c == '\\\\') {\n // If any escape flags are set, also escape backslashes.\n snprintf(buf, sizeof(buf), \"\\\\%c\", (int)c);\n } else {\n return maybe_write(out, &u8, 1) ? 1 : -1;\n }\n\n static_assert(sizeof(buf) < INT_MAX, \"len may not fit in int\");\n int len = (int)strlen(buf);\n return maybe_write(out, buf, len) ? len : -1;\n}\n\n// This function sends each character in a buffer to do_esc_char(). It\n// interprets the content formats and converts to or from UTF8 as\n// appropriate.\n\nstatic int do_buf(const unsigned char *buf, int buflen, int encoding,\n unsigned long flags, char *quotes, BIO *out) {\n int (*get_char)(CBS *cbs, uint32_t *out);\n int get_char_error;\n switch (encoding) {\n case MBSTRING_UNIV:\n get_char = CBS_get_utf32_be;\n get_char_error = ASN1_R_INVALID_UNIVERSALSTRING;\n break;\n case MBSTRING_BMP:\n get_char = CBS_get_ucs2_be;\n get_char_error = ASN1_R_INVALID_BMPSTRING;\n break;\n case MBSTRING_ASC:\n get_char = CBS_get_latin1;\n get_char_error = ERR_R_INTERNAL_ERROR; // Should not be possible.\n break;\n case MBSTRING_UTF8:\n get_char = CBS_get_utf8;\n get_char_error = ASN1_R_INVALID_UTF8STRING;\n break;\n default:\n assert(0);\n return -1;\n }\n\n CBS cbs;\n CBS_init(&cbs, buf, buflen);\n int outlen = 0;\n while (CBS_len(&cbs) != 0) {\n const int is_first = CBS_data(&cbs) == buf;\n uint32_t c;\n if (!get_char(&cbs, &c)) {\n OPENSSL_PUT_ERROR(ASN1, get_char_error);\n return -1;\n }\n const int is_last = CBS_len(&cbs) == 0;\n if (flags & ASN1_STRFLGS_UTF8_CONVERT) {\n uint8_t utf8_buf[6];\n CBB utf8_cbb;\n CBB_init_fixed(&utf8_cbb, utf8_buf, sizeof(utf8_buf));\n if (!CBB_add_utf8(&utf8_cbb, c)) {\n OPENSSL_PUT_ERROR(ASN1, ERR_R_INTERNAL_ERROR);\n return 1;\n }\n size_t utf8_len = CBB_len(&utf8_cbb);\n for (size_t i = 0; i < utf8_len; i++) {\n int len = do_esc_char(utf8_buf[i], flags, quotes, out,\n is_first && i == 0, is_last && i == utf8_len - 1);\n if (len < 0) {\n return -1;\n }\n outlen += len;\n }\n } else {\n int len = do_esc_char(c, flags, quotes, out, is_first, is_last);\n if (len < 0) {\n return -1;\n }\n outlen += len;\n }\n }\n return outlen;\n}\n\n// This function hex dumps a buffer of characters\n\nstatic int do_hex_dump(BIO *out, unsigned char *buf, int buflen) {\n static const char hexdig[] = \"0123456789ABCDEF\";\n unsigned char *p, *q;\n char hextmp[2];\n if (out) {\n p = buf;\n q = buf + buflen;\n while (p != q) {\n hextmp[0] = hexdig[*p >> 4];\n hextmp[1] = hexdig[*p & 0xf];\n if (!maybe_write(out, hextmp, 2)) {\n return -1;\n }\n p++;\n }\n }\n return buflen << 1;\n}\n\n// \"dump\" a string. This is done when the type is unknown, or the flags\n// request it. We can either dump the content octets or the entire DER\n// encoding. This uses the RFC 2253 #01234 format.\n\nstatic int do_dump(unsigned long flags, BIO *out, const ASN1_STRING *str) {\n if (!maybe_write(out, \"#\", 1)) {\n return -1;\n }\n\n // If we don't dump DER encoding just dump content octets\n if (!(flags & ASN1_STRFLGS_DUMP_DER)) {\n int outlen = do_hex_dump(out, str->data, str->length);\n if (outlen < 0) {\n return -1;\n }\n return outlen + 1;\n }\n\n // Placing the ASN1_STRING in a temporary ASN1_TYPE allows the DER encoding\n // to readily obtained.\n ASN1_TYPE t;\n OPENSSL_memset(&t, 0, sizeof(ASN1_TYPE));\n asn1_type_set0_string(&t, (ASN1_STRING *)str);\n unsigned char *der_buf = NULL;\n int der_len = i2d_ASN1_TYPE(&t, &der_buf);\n if (der_len < 0) {\n return -1;\n }\n int outlen = do_hex_dump(out, der_buf, der_len);\n OPENSSL_free(der_buf);\n if (outlen < 0) {\n return -1;\n }\n return outlen + 1;\n}\n\n// string_type_to_encoding returns the |MBSTRING_*| constant for the encoding\n// used by the |ASN1_STRING| type |type|, or -1 if |tag| is not a string\n// type.\nstatic int string_type_to_encoding(int type) {\n // This function is sometimes passed ASN.1 universal types and sometimes\n // passed |ASN1_STRING| type values\n switch (type) {\n case V_ASN1_UTF8STRING:\n return MBSTRING_UTF8;\n case V_ASN1_NUMERICSTRING:\n case V_ASN1_PRINTABLESTRING:\n case V_ASN1_T61STRING:\n case V_ASN1_IA5STRING:\n case V_ASN1_UTCTIME:\n case V_ASN1_GENERALIZEDTIME:\n case V_ASN1_ISO64STRING:\n // |MBSTRING_ASC| refers to Latin-1, not ASCII.\n return MBSTRING_ASC;\n case V_ASN1_UNIVERSALSTRING:\n return MBSTRING_UNIV;\n case V_ASN1_BMPSTRING:\n return MBSTRING_BMP;\n }\n return -1;\n}\n\n// This is the main function, print out an ASN1_STRING taking note of various\n// escape and display options. Returns number of characters written or -1 if\n// an error occurred.\n\nint ASN1_STRING_print_ex(BIO *out, const ASN1_STRING *str,\n unsigned long flags) {\n int type = str->type;\n int outlen = 0;\n if (flags & ASN1_STRFLGS_SHOW_TYPE) {\n const char *tagname = ASN1_tag2str(type);\n outlen += strlen(tagname);\n if (!maybe_write(out, tagname, outlen) || !maybe_write(out, \":\", 1)) {\n return -1;\n }\n outlen++;\n }\n\n // Decide what to do with |str|, either dump the contents or display it.\n int encoding;\n if (flags & ASN1_STRFLGS_DUMP_ALL) {\n // Dump everything.\n encoding = -1;\n } else if (flags & ASN1_STRFLGS_IGNORE_TYPE) {\n // Ignore the string type and interpret the contents as Latin-1.\n encoding = MBSTRING_ASC;\n } else {\n encoding = string_type_to_encoding(type);\n if (encoding == -1 && (flags & ASN1_STRFLGS_DUMP_UNKNOWN) == 0) {\n encoding = MBSTRING_ASC;\n }\n }\n\n if (encoding == -1) {\n int len = do_dump(flags, out, str);\n if (len < 0) {\n return -1;\n }\n outlen += len;\n return outlen;\n }\n\n // Measure the length.\n char quotes = 0;\n int len = do_buf(str->data, str->length, encoding, flags, "es, NULL);\n if (len < 0) {\n return -1;\n }\n outlen += len;\n if (quotes) {\n outlen += 2;\n }\n if (!out) {\n return outlen;\n }\n\n // Encode the value.\n if ((quotes && !maybe_write(out, \"\\\"\", 1)) ||\n do_buf(str->data, str->length, encoding, flags, NULL, out) < 0 ||\n (quotes && !maybe_write(out, \"\\\"\", 1))) {\n return -1;\n }\n return outlen;\n}\n\nint ASN1_STRING_print_ex_fp(FILE *fp, const ASN1_STRING *str,\n unsigned long flags) {\n BIO *bio = NULL;\n if (fp != NULL) {\n // If |fp| is NULL, this function returns the number of bytes without\n // writing.\n bio = BIO_new_fp(fp, BIO_NOCLOSE);\n if (bio == NULL) {\n return -1;\n }\n }\n int ret = ASN1_STRING_print_ex(bio, str, flags);\n BIO_free(bio);\n return ret;\n}\n\nint ASN1_STRING_to_UTF8(unsigned char **out, const ASN1_STRING *in) {\n if (!in) {\n return -1;\n }\n int mbflag = string_type_to_encoding(in->type);\n if (mbflag == -1) {\n OPENSSL_PUT_ERROR(ASN1, ASN1_R_UNKNOWN_TAG);\n return -1;\n }\n ASN1_STRING stmp, *str = &stmp;\n stmp.data = NULL;\n stmp.length = 0;\n stmp.flags = 0;\n int ret =\n ASN1_mbstring_copy(&str, in->data, in->length, mbflag, B_ASN1_UTF8STRING);\n if (ret < 0) {\n return ret;\n }\n *out = stmp.data;\n return stmp.length;\n}\n\nint ASN1_STRING_print(BIO *bp, const ASN1_STRING *v) {\n int i, n;\n char buf[80];\n const char *p;\n\n if (v == NULL) {\n return 0;\n }\n n = 0;\n p = (const char *)v->data;\n for (i = 0; i < v->length; i++) {\n if ((p[i] > '~') || ((p[i] < ' ') && (p[i] != '\\n') && (p[i] != '\\r'))) {\n buf[n] = '.';\n } else {\n buf[n] = p[i];\n }\n n++;\n if (n >= 80) {\n if (BIO_write(bp, buf, n) <= 0) {\n return 0;\n }\n n = 0;\n }\n }\n if (n > 0) {\n if (BIO_write(bp, buf, n) <= 0) {\n return 0;\n }\n }\n return 1;\n}\n\nint ASN1_TIME_print(BIO *bp, const ASN1_TIME *tm) {\n if (tm->type == V_ASN1_UTCTIME) {\n return ASN1_UTCTIME_print(bp, tm);\n }\n if (tm->type == V_ASN1_GENERALIZEDTIME) {\n return ASN1_GENERALIZEDTIME_print(bp, tm);\n }\n BIO_puts(bp, \"Bad time value\");\n return 0;\n}\n\nstatic const char *const mon[12] = {\"Jan\", \"Feb\", \"Mar\", \"Apr\", \"May\", \"Jun\",\n \"Jul\", \"Aug\", \"Sep\", \"Oct\", \"Nov\", \"Dec\"};\n\nint ASN1_GENERALIZEDTIME_print(BIO *bp, const ASN1_GENERALIZEDTIME *tm) {\n CBS cbs;\n CBS_init(&cbs, tm->data, tm->length);\n struct tm utc;\n if (!CBS_parse_generalized_time(&cbs, &utc, /*allow_timezone_offset=*/0)) {\n BIO_puts(bp, \"Bad time value\");\n return 0;\n }\n\n return BIO_printf(bp, \"%s %2d %02d:%02d:%02d %d GMT\", mon[utc.tm_mon],\n utc.tm_mday, utc.tm_hour, utc.tm_min, utc.tm_sec,\n utc.tm_year + 1900) > 0;\n}\n\nint ASN1_UTCTIME_print(BIO *bp, const ASN1_UTCTIME *tm) {\n CBS cbs;\n CBS_init(&cbs, tm->data, tm->length);\n struct tm utc;\n if (!CBS_parse_utc_time(&cbs, &utc, /*allow_timezone_offset=*/0)) {\n BIO_puts(bp, \"Bad time value\");\n return 0;\n }\n\n return BIO_printf(bp, \"%s %2d %02d:%02d:%02d %d GMT\", mon[utc.tm_mon],\n utc.tm_mday, utc.tm_hour, utc.tm_min, utc.tm_sec,\n utc.tm_year + 1900) > 0;\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/asn1/a_strnid.cc", "content": "/*\n * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n#include \n#include \n\n#include \n#include \n#include \n\n#include \"../internal.h\"\n#include \"../lhash/internal.h\"\n#include \"internal.h\"\n\n\nDEFINE_LHASH_OF(ASN1_STRING_TABLE)\n\nstatic LHASH_OF(ASN1_STRING_TABLE) *string_tables = NULL;\nstatic CRYPTO_MUTEX string_tables_lock = CRYPTO_MUTEX_INIT;\n\nvoid ASN1_STRING_set_default_mask(unsigned long mask) {}\n\nunsigned long ASN1_STRING_get_default_mask(void) { return B_ASN1_UTF8STRING; }\n\nint ASN1_STRING_set_default_mask_asc(const char *p) { return 1; }\n\nstatic const ASN1_STRING_TABLE *asn1_string_table_get(int nid);\n\n// The following function generates an ASN1_STRING based on limits in a\n// table. Frequently the types and length of an ASN1_STRING are restricted by\n// a corresponding OID. For example certificates and certificate requests.\n\nASN1_STRING *ASN1_STRING_set_by_NID(ASN1_STRING **out, const unsigned char *in,\n ossl_ssize_t len, int inform, int nid) {\n ASN1_STRING *str = NULL;\n int ret;\n if (!out) {\n out = &str;\n }\n const ASN1_STRING_TABLE *tbl = asn1_string_table_get(nid);\n if (tbl != NULL) {\n unsigned long mask = tbl->mask;\n if (!(tbl->flags & STABLE_NO_MASK)) {\n mask &= B_ASN1_UTF8STRING;\n }\n ret = ASN1_mbstring_ncopy(out, in, len, inform, mask, tbl->minsize,\n tbl->maxsize);\n } else {\n ret = ASN1_mbstring_copy(out, in, len, inform, B_ASN1_UTF8STRING);\n }\n if (ret <= 0) {\n return NULL;\n }\n return *out;\n}\n\n// Now the tables and helper functions for the string table:\n\n// See RFC 5280.\n#define ub_name 32768\n#define ub_common_name 64\n#define ub_locality_name 128\n#define ub_state_name 128\n#define ub_organization_name 64\n#define ub_organization_unit_name 64\n#define ub_email_address 128\n#define ub_serial_number 64\n\n// This table must be kept in NID order\n\nstatic const ASN1_STRING_TABLE tbl_standard[] = {\n {NID_commonName, 1, ub_common_name, DIRSTRING_TYPE, 0},\n {NID_countryName, 2, 2, B_ASN1_PRINTABLESTRING, STABLE_NO_MASK},\n {NID_localityName, 1, ub_locality_name, DIRSTRING_TYPE, 0},\n {NID_stateOrProvinceName, 1, ub_state_name, DIRSTRING_TYPE, 0},\n {NID_organizationName, 1, ub_organization_name, DIRSTRING_TYPE, 0},\n {NID_organizationalUnitName, 1, ub_organization_unit_name, DIRSTRING_TYPE,\n 0},\n {NID_pkcs9_emailAddress, 1, ub_email_address, B_ASN1_IA5STRING,\n STABLE_NO_MASK},\n {NID_pkcs9_unstructuredName, 1, -1, PKCS9STRING_TYPE, 0},\n {NID_pkcs9_challengePassword, 1, -1, PKCS9STRING_TYPE, 0},\n {NID_pkcs9_unstructuredAddress, 1, -1, DIRSTRING_TYPE, 0},\n {NID_givenName, 1, ub_name, DIRSTRING_TYPE, 0},\n {NID_surname, 1, ub_name, DIRSTRING_TYPE, 0},\n {NID_initials, 1, ub_name, DIRSTRING_TYPE, 0},\n {NID_serialNumber, 1, ub_serial_number, B_ASN1_PRINTABLESTRING,\n STABLE_NO_MASK},\n {NID_friendlyName, -1, -1, B_ASN1_BMPSTRING, STABLE_NO_MASK},\n {NID_name, 1, ub_name, DIRSTRING_TYPE, 0},\n {NID_dnQualifier, -1, -1, B_ASN1_PRINTABLESTRING, STABLE_NO_MASK},\n {NID_domainComponent, 1, -1, B_ASN1_IA5STRING, STABLE_NO_MASK},\n {NID_ms_csp_name, -1, -1, B_ASN1_BMPSTRING, STABLE_NO_MASK}};\n\nstatic int table_cmp(const ASN1_STRING_TABLE *a, const ASN1_STRING_TABLE *b) {\n if (a->nid < b->nid) {\n return -1;\n }\n if (a->nid > b->nid) {\n return 1;\n }\n return 0;\n}\n\nstatic int table_cmp_void(const void *a, const void *b) {\n return table_cmp(reinterpret_cast(a),\n reinterpret_cast(b));\n}\n\nstatic uint32_t table_hash(const ASN1_STRING_TABLE *tbl) {\n return OPENSSL_hash32(&tbl->nid, sizeof(tbl->nid));\n}\n\nstatic const ASN1_STRING_TABLE *asn1_string_table_get(int nid) {\n ASN1_STRING_TABLE key;\n key.nid = nid;\n const ASN1_STRING_TABLE *tbl = reinterpret_cast(\n bsearch(&key, tbl_standard, OPENSSL_ARRAY_SIZE(tbl_standard),\n sizeof(ASN1_STRING_TABLE), table_cmp_void));\n if (tbl != NULL) {\n return tbl;\n }\n\n CRYPTO_MUTEX_lock_read(&string_tables_lock);\n if (string_tables != NULL) {\n tbl = lh_ASN1_STRING_TABLE_retrieve(string_tables, &key);\n }\n CRYPTO_MUTEX_unlock_read(&string_tables_lock);\n // Note returning |tbl| without the lock is only safe because\n // |ASN1_STRING_TABLE_add| cannot modify or delete existing entries. If we\n // wish to support that, this function must copy the result under a lock.\n return tbl;\n}\n\nint ASN1_STRING_TABLE_add(int nid, long minsize, long maxsize,\n unsigned long mask, unsigned long flags) {\n // Existing entries cannot be overwritten.\n if (asn1_string_table_get(nid) != NULL) {\n OPENSSL_PUT_ERROR(ASN1, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);\n return 0;\n }\n\n int ret = 0;\n CRYPTO_MUTEX_lock_write(&string_tables_lock);\n\n ASN1_STRING_TABLE *tbl = NULL;\n if (string_tables == NULL) {\n string_tables = lh_ASN1_STRING_TABLE_new(table_hash, table_cmp);\n if (string_tables == NULL) {\n goto err;\n }\n } else {\n // Check again for an existing entry. One may have been added while\n // unlocked.\n ASN1_STRING_TABLE key;\n key.nid = nid;\n if (lh_ASN1_STRING_TABLE_retrieve(string_tables, &key) != NULL) {\n OPENSSL_PUT_ERROR(ASN1, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);\n goto err;\n }\n }\n\n tbl = reinterpret_cast(\n OPENSSL_malloc(sizeof(ASN1_STRING_TABLE)));\n if (tbl == NULL) {\n goto err;\n }\n tbl->nid = nid;\n tbl->flags = flags;\n tbl->minsize = minsize;\n tbl->maxsize = maxsize;\n tbl->mask = mask;\n ASN1_STRING_TABLE *old_tbl;\n if (!lh_ASN1_STRING_TABLE_insert(string_tables, &old_tbl, tbl)) {\n OPENSSL_free(tbl);\n goto err;\n }\n assert(old_tbl == NULL);\n ret = 1;\n\nerr:\n CRYPTO_MUTEX_unlock_write(&string_tables_lock);\n return ret;\n}\n\nvoid ASN1_STRING_TABLE_cleanup(void) {}\n\nvoid asn1_get_string_table_for_testing(const ASN1_STRING_TABLE **out_ptr,\n size_t *out_len) {\n *out_ptr = tbl_standard;\n *out_len = OPENSSL_ARRAY_SIZE(tbl_standard);\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/asn1/a_time.cc", "content": "/*\n * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n#include \n\n#include \n#include \n\n#include \n#include \n#include \n#include \n\n#include \"internal.h\"\n\n// This is an implementation of the ASN1 Time structure which is: Time ::=\n// CHOICE { utcTime UTCTime, generalTime GeneralizedTime } written by Steve\n// Henson.\n\nIMPLEMENT_ASN1_MSTRING(ASN1_TIME, B_ASN1_TIME)\n\nIMPLEMENT_ASN1_FUNCTIONS_const(ASN1_TIME)\n\nASN1_TIME *ASN1_TIME_set_posix(ASN1_TIME *s, int64_t posix_time) {\n return ASN1_TIME_adj(s, posix_time, 0, 0);\n}\n\nASN1_TIME *ASN1_TIME_set(ASN1_TIME *s, time_t time) {\n return ASN1_TIME_adj(s, time, 0, 0);\n}\n\nstatic int fits_in_utc_time(const struct tm *tm) {\n return 50 <= tm->tm_year && tm->tm_year < 150;\n}\n\nASN1_TIME *ASN1_TIME_adj(ASN1_TIME *s, int64_t posix_time, int offset_day,\n long offset_sec) {\n struct tm tm;\n\n if (!OPENSSL_posix_to_tm(posix_time, &tm)) {\n OPENSSL_PUT_ERROR(ASN1, ASN1_R_ERROR_GETTING_TIME);\n return NULL;\n }\n if (offset_day || offset_sec) {\n if (!OPENSSL_gmtime_adj(&tm, offset_day, offset_sec)) {\n return NULL;\n }\n }\n if (fits_in_utc_time(&tm)) {\n return ASN1_UTCTIME_adj(s, posix_time, offset_day, offset_sec);\n }\n return ASN1_GENERALIZEDTIME_adj(s, posix_time, offset_day, offset_sec);\n}\n\nint ASN1_TIME_check(const ASN1_TIME *t) {\n if (t->type == V_ASN1_GENERALIZEDTIME) {\n return ASN1_GENERALIZEDTIME_check(t);\n } else if (t->type == V_ASN1_UTCTIME) {\n return ASN1_UTCTIME_check(t);\n }\n return 0;\n}\n\n// Convert an ASN1_TIME structure to GeneralizedTime\nASN1_GENERALIZEDTIME *ASN1_TIME_to_generalizedtime(const ASN1_TIME *in,\n ASN1_GENERALIZEDTIME **out) {\n if (!ASN1_TIME_check(in)) {\n return NULL;\n }\n\n ASN1_GENERALIZEDTIME *ret = NULL;\n if (!out || !*out) {\n if (!(ret = ASN1_GENERALIZEDTIME_new())) {\n goto err;\n }\n } else {\n ret = *out;\n }\n\n // If already GeneralizedTime just copy across\n if (in->type == V_ASN1_GENERALIZEDTIME) {\n if (!ASN1_STRING_set(ret, in->data, in->length)) {\n goto err;\n }\n goto done;\n }\n\n // Grow the string to accomodate the two-digit century.\n if (!ASN1_STRING_set(ret, NULL, in->length + 2)) {\n goto err;\n }\n\n {\n char *const out_str = (char *)ret->data;\n // |ASN1_STRING_set| also allocates an additional byte for a trailing NUL.\n const size_t out_str_capacity = in->length + 2 + 1;\n // Work out the century and prepend\n if (in->data[0] >= '5') {\n OPENSSL_strlcpy(out_str, \"19\", out_str_capacity);\n } else {\n OPENSSL_strlcpy(out_str, \"20\", out_str_capacity);\n }\n OPENSSL_strlcat(out_str, (const char *)in->data, out_str_capacity);\n }\n\ndone:\n if (out != NULL && *out == NULL) {\n *out = ret;\n }\n return ret;\n\nerr:\n if (out == NULL || *out != ret) {\n ASN1_GENERALIZEDTIME_free(ret);\n }\n return NULL;\n}\n\nint ASN1_TIME_set_string(ASN1_TIME *s, const char *str) {\n return ASN1_UTCTIME_set_string(s, str) ||\n ASN1_GENERALIZEDTIME_set_string(s, str);\n}\n\nint ASN1_TIME_set_string_X509(ASN1_TIME *s, const char *str) {\n CBS cbs;\n CBS_init(&cbs, (const uint8_t *)str, strlen(str));\n int type;\n struct tm tm;\n if (CBS_parse_utc_time(&cbs, /*out_tm=*/NULL,\n /*allow_timezone_offset=*/0)) {\n type = V_ASN1_UTCTIME;\n } else if (CBS_parse_generalized_time(&cbs, &tm,\n /*allow_timezone_offset=*/0)) {\n type = V_ASN1_GENERALIZEDTIME;\n if (fits_in_utc_time(&tm)) {\n type = V_ASN1_UTCTIME;\n CBS_skip(&cbs, 2);\n }\n } else {\n return 0;\n }\n\n if (s != NULL) {\n if (!ASN1_STRING_set(s, CBS_data(&cbs), CBS_len(&cbs))) {\n return 0;\n }\n s->type = type;\n }\n return 1;\n}\n\nstatic int asn1_time_to_tm(struct tm *tm, const ASN1_TIME *t,\n int allow_timezone_offset) {\n if (t == NULL) {\n if (OPENSSL_posix_to_tm(time(NULL), tm)) {\n return 1;\n }\n return 0;\n }\n\n if (t->type == V_ASN1_UTCTIME) {\n return asn1_utctime_to_tm(tm, t, allow_timezone_offset);\n } else if (t->type == V_ASN1_GENERALIZEDTIME) {\n return asn1_generalizedtime_to_tm(tm, t);\n }\n\n return 0;\n}\n\nint ASN1_TIME_diff(int *out_days, int *out_seconds, const ASN1_TIME *from,\n const ASN1_TIME *to) {\n struct tm tm_from, tm_to;\n if (!asn1_time_to_tm(&tm_from, from, /*allow_timezone_offset=*/1)) {\n return 0;\n }\n if (!asn1_time_to_tm(&tm_to, to, /*allow_timezone_offset=*/1)) {\n return 0;\n }\n return OPENSSL_gmtime_diff(out_days, out_seconds, &tm_from, &tm_to);\n}\n\nint ASN1_TIME_to_posix_nonstandard(const ASN1_TIME *t, int64_t *out_time) {\n struct tm tm;\n if (!asn1_time_to_tm(&tm, t, /*allow_timezone_offset=*/1)) {\n return 0;\n }\n return OPENSSL_tm_to_posix(&tm, out_time);\n}\n\n// The functions below do *not* permissively allow the use of four digit\n// timezone offsets in UTC times, as is done elsewhere in the code. They are\n// both new API, and used internally to X509_cmp_time. This is to discourage the\n// use of nonstandard times in new code, and to ensure that this code behaves\n// correctly in X509_cmp_time which historically did its own time validations\n// slightly different than the many other copies of X.509 time validation\n// sprinkled through the codebase. The custom checks in X509_cmp_time meant that\n// it did not allow four digit timezone offsets in UTC times.\nint ASN1_TIME_to_time_t(const ASN1_TIME *t, time_t *out_time) {\n struct tm tm;\n if (!asn1_time_to_tm(&tm, t, /*allow_timezone_offset=*/0)) {\n return 0;\n }\n return OPENSSL_timegm(&tm, out_time);\n}\n\nint ASN1_TIME_to_posix(const ASN1_TIME *t, int64_t *out_time) {\n struct tm tm;\n if (!asn1_time_to_tm(&tm, t, /*allow_timezone_offset=*/0)) {\n return 0;\n }\n return OPENSSL_tm_to_posix(&tm, out_time);\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/asn1/a_type.cc", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n\n#include \n#include \n#include \n\n#include \"internal.h\"\n\n\nint ASN1_TYPE_get(const ASN1_TYPE *a) {\n switch (a->type) {\n case V_ASN1_NULL:\n case V_ASN1_BOOLEAN:\n return a->type;\n case V_ASN1_OBJECT:\n return a->value.object != NULL ? a->type : 0;\n default:\n return a->value.asn1_string != NULL ? a->type : 0;\n }\n}\n\nconst void *asn1_type_value_as_pointer(const ASN1_TYPE *a) {\n switch (a->type) {\n case V_ASN1_NULL:\n return NULL;\n case V_ASN1_BOOLEAN:\n return a->value.boolean ? (void *)0xff : NULL;\n case V_ASN1_OBJECT:\n return a->value.object;\n default:\n return a->value.asn1_string;\n }\n}\n\nvoid asn1_type_set0_string(ASN1_TYPE *a, ASN1_STRING *str) {\n // |ASN1_STRING| types are almost the same as |ASN1_TYPE| types, except that\n // the negative flag is not reflected into |ASN1_TYPE|.\n int type = str->type;\n if (type == V_ASN1_NEG_INTEGER) {\n type = V_ASN1_INTEGER;\n } else if (type == V_ASN1_NEG_ENUMERATED) {\n type = V_ASN1_ENUMERATED;\n }\n\n // These types are not |ASN1_STRING| types and use a different\n // representation when stored in |ASN1_TYPE|.\n assert(type != V_ASN1_NULL && type != V_ASN1_OBJECT &&\n type != V_ASN1_BOOLEAN);\n ASN1_TYPE_set(a, type, str);\n}\n\nvoid asn1_type_cleanup(ASN1_TYPE *a) {\n switch (a->type) {\n case V_ASN1_NULL:\n a->value.ptr = NULL;\n break;\n case V_ASN1_BOOLEAN:\n a->value.boolean = ASN1_BOOLEAN_NONE;\n break;\n case V_ASN1_OBJECT:\n ASN1_OBJECT_free(a->value.object);\n a->value.object = NULL;\n break;\n default:\n ASN1_STRING_free(a->value.asn1_string);\n a->value.asn1_string = NULL;\n break;\n }\n}\n\nvoid ASN1_TYPE_set(ASN1_TYPE *a, int type, void *value) {\n asn1_type_cleanup(a);\n a->type = type;\n switch (type) {\n case V_ASN1_NULL:\n a->value.ptr = NULL;\n break;\n case V_ASN1_BOOLEAN:\n a->value.boolean = value ? ASN1_BOOLEAN_TRUE : ASN1_BOOLEAN_FALSE;\n break;\n case V_ASN1_OBJECT:\n a->value.object = reinterpret_cast(value);\n break;\n default:\n a->value.asn1_string = reinterpret_cast(value);\n break;\n }\n}\n\nint ASN1_TYPE_set1(ASN1_TYPE *a, int type, const void *value) {\n if (!value || (type == V_ASN1_BOOLEAN)) {\n void *p = (void *)value;\n ASN1_TYPE_set(a, type, p);\n } else if (type == V_ASN1_OBJECT) {\n ASN1_OBJECT *odup;\n odup = OBJ_dup(reinterpret_cast(value));\n if (!odup) {\n return 0;\n }\n ASN1_TYPE_set(a, type, odup);\n } else {\n ASN1_STRING *sdup;\n sdup = ASN1_STRING_dup(reinterpret_cast(value));\n if (!sdup) {\n return 0;\n }\n ASN1_TYPE_set(a, type, sdup);\n }\n return 1;\n}\n\n// Returns 0 if they are equal, != 0 otherwise.\nint ASN1_TYPE_cmp(const ASN1_TYPE *a, const ASN1_TYPE *b) {\n int result = -1;\n\n if (!a || !b || a->type != b->type) {\n return -1;\n }\n\n switch (a->type) {\n case V_ASN1_OBJECT:\n result = OBJ_cmp(a->value.object, b->value.object);\n break;\n case V_ASN1_NULL:\n result = 0; // They do not have content.\n break;\n case V_ASN1_BOOLEAN:\n result = a->value.boolean - b->value.boolean;\n break;\n case V_ASN1_INTEGER:\n case V_ASN1_ENUMERATED:\n case V_ASN1_BIT_STRING:\n case V_ASN1_OCTET_STRING:\n case V_ASN1_SEQUENCE:\n case V_ASN1_SET:\n case V_ASN1_NUMERICSTRING:\n case V_ASN1_PRINTABLESTRING:\n case V_ASN1_T61STRING:\n case V_ASN1_VIDEOTEXSTRING:\n case V_ASN1_IA5STRING:\n case V_ASN1_UTCTIME:\n case V_ASN1_GENERALIZEDTIME:\n case V_ASN1_GRAPHICSTRING:\n case V_ASN1_VISIBLESTRING:\n case V_ASN1_GENERALSTRING:\n case V_ASN1_UNIVERSALSTRING:\n case V_ASN1_BMPSTRING:\n case V_ASN1_UTF8STRING:\n case V_ASN1_OTHER:\n default:\n result = ASN1_STRING_cmp(a->value.asn1_string, b->value.asn1_string);\n break;\n }\n\n return result;\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/asn1/a_utctm.cc", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n#include \n#include \n#include \n#include \n\n#include \n#include \n#include \n\n#include \"internal.h\"\n\nint asn1_utctime_to_tm(struct tm *tm, const ASN1_UTCTIME *d,\n int allow_timezone_offset) {\n if (d->type != V_ASN1_UTCTIME) {\n return 0;\n }\n CBS cbs;\n CBS_init(&cbs, d->data, (size_t)d->length);\n if (!CBS_parse_utc_time(&cbs, tm, allow_timezone_offset)) {\n return 0;\n }\n return 1;\n}\n\nint ASN1_UTCTIME_check(const ASN1_UTCTIME *d) {\n return asn1_utctime_to_tm(NULL, d, /*allow_timezone_offset=*/1);\n}\n\nint ASN1_UTCTIME_set_string(ASN1_UTCTIME *s, const char *str) {\n // Although elsewhere we allow timezone offsets with UTCTime, to be compatible\n // with some existing misissued certificates, this function is used to\n // construct new certificates and can be stricter.\n size_t len = strlen(str);\n CBS cbs;\n CBS_init(&cbs, (const uint8_t *)str, len);\n if (!CBS_parse_utc_time(&cbs, /*out_tm=*/NULL,\n /*allow_timezone_offset=*/0)) {\n return 0;\n }\n if (s != NULL) {\n if (!ASN1_STRING_set(s, str, len)) {\n return 0;\n }\n s->type = V_ASN1_UTCTIME;\n }\n return 1;\n}\n\nASN1_UTCTIME *ASN1_UTCTIME_set(ASN1_UTCTIME *s, int64_t posix_time) {\n return ASN1_UTCTIME_adj(s, posix_time, 0, 0);\n}\n\nASN1_UTCTIME *ASN1_UTCTIME_adj(ASN1_UTCTIME *s, int64_t posix_time,\n int offset_day, long offset_sec) {\n struct tm data;\n if (!OPENSSL_posix_to_tm(posix_time, &data)) {\n return NULL;\n }\n\n if (offset_day || offset_sec) {\n if (!OPENSSL_gmtime_adj(&data, offset_day, offset_sec)) {\n return NULL;\n }\n }\n\n if (data.tm_year < 50 || data.tm_year >= 150) {\n return NULL;\n }\n\n char buf[14];\n int ret = snprintf(buf, sizeof(buf), \"%02d%02d%02d%02d%02d%02dZ\",\n data.tm_year % 100, data.tm_mon + 1, data.tm_mday,\n data.tm_hour, data.tm_min, data.tm_sec);\n // |snprintf| must write exactly 15 bytes (plus the NUL) to the buffer.\n BSSL_CHECK(ret == static_cast(sizeof(buf) - 1));\n\n int free_s = 0;\n if (s == NULL) {\n free_s = 1;\n s = ASN1_UTCTIME_new();\n if (s == NULL) {\n return NULL;\n }\n }\n\n if (!ASN1_STRING_set(s, buf, strlen(buf))) {\n if (free_s) {\n ASN1_UTCTIME_free(s);\n }\n return NULL;\n }\n s->type = V_ASN1_UTCTIME;\n return s;\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/asn1/asn1_lib.cc", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n#include \n\n#include \n#include \n#include \n\n#include \"../internal.h\"\n#include \"internal.h\"\n\n\n// Cross-module errors from crypto/x509/i2d_pr.c.\nOPENSSL_DECLARE_ERROR_REASON(ASN1, UNSUPPORTED_PUBLIC_KEY_TYPE)\n\n// Cross-module errors from crypto/x509/algorithm.c.\nOPENSSL_DECLARE_ERROR_REASON(ASN1, CONTEXT_NOT_INITIALISED)\nOPENSSL_DECLARE_ERROR_REASON(ASN1, DIGEST_AND_KEY_TYPE_NOT_SUPPORTED)\nOPENSSL_DECLARE_ERROR_REASON(ASN1, UNKNOWN_MESSAGE_DIGEST_ALGORITHM)\nOPENSSL_DECLARE_ERROR_REASON(ASN1, UNKNOWN_SIGNATURE_ALGORITHM)\nOPENSSL_DECLARE_ERROR_REASON(ASN1, WRONG_PUBLIC_KEY_TYPE)\n// Cross-module errors from crypto/x509/asn1_gen.c. TODO(davidben): Remove\n// these once asn1_gen.c is gone.\nOPENSSL_DECLARE_ERROR_REASON(ASN1, DEPTH_EXCEEDED)\nOPENSSL_DECLARE_ERROR_REASON(ASN1, ILLEGAL_BITSTRING_FORMAT)\nOPENSSL_DECLARE_ERROR_REASON(ASN1, ILLEGAL_BOOLEAN)\nOPENSSL_DECLARE_ERROR_REASON(ASN1, ILLEGAL_FORMAT)\nOPENSSL_DECLARE_ERROR_REASON(ASN1, ILLEGAL_HEX)\nOPENSSL_DECLARE_ERROR_REASON(ASN1, ILLEGAL_IMPLICIT_TAG)\nOPENSSL_DECLARE_ERROR_REASON(ASN1, ILLEGAL_INTEGER)\nOPENSSL_DECLARE_ERROR_REASON(ASN1, ILLEGAL_NESTED_TAGGING)\nOPENSSL_DECLARE_ERROR_REASON(ASN1, ILLEGAL_NULL_VALUE)\nOPENSSL_DECLARE_ERROR_REASON(ASN1, ILLEGAL_OBJECT)\nOPENSSL_DECLARE_ERROR_REASON(ASN1, ILLEGAL_TIME_VALUE)\nOPENSSL_DECLARE_ERROR_REASON(ASN1, INTEGER_NOT_ASCII_FORMAT)\nOPENSSL_DECLARE_ERROR_REASON(ASN1, INVALID_MODIFIER)\nOPENSSL_DECLARE_ERROR_REASON(ASN1, INVALID_NUMBER)\nOPENSSL_DECLARE_ERROR_REASON(ASN1, LIST_ERROR)\nOPENSSL_DECLARE_ERROR_REASON(ASN1, MISSING_VALUE)\nOPENSSL_DECLARE_ERROR_REASON(ASN1, NOT_ASCII_FORMAT)\nOPENSSL_DECLARE_ERROR_REASON(ASN1, OBJECT_NOT_ASCII_FORMAT)\nOPENSSL_DECLARE_ERROR_REASON(ASN1, SEQUENCE_OR_SET_NEEDS_CONFIG)\nOPENSSL_DECLARE_ERROR_REASON(ASN1, TIME_NOT_ASCII_FORMAT)\nOPENSSL_DECLARE_ERROR_REASON(ASN1, UNKNOWN_FORMAT)\nOPENSSL_DECLARE_ERROR_REASON(ASN1, UNKNOWN_TAG)\nOPENSSL_DECLARE_ERROR_REASON(ASN1, UNSUPPORTED_TYPE)\n\n// Limit |ASN1_STRING|s to 64 MiB of data. Most of this module, as well as\n// downstream code, does not correctly handle overflow. We cap string fields\n// more tightly than strictly necessary to fit in |int|. This is not expected to\n// impact real world uses of this field.\n//\n// In particular, this limit is small enough that the bit count of a BIT STRING\n// comfortably fits in an |int|, with room for arithmetic.\n#define ASN1_STRING_MAX (64 * 1024 * 1024)\n\nstatic void asn1_put_length(unsigned char **pp, int length);\n\nint ASN1_get_object(const unsigned char **inp, long *out_len, int *out_tag,\n int *out_class, long in_len) {\n if (in_len < 0) {\n OPENSSL_PUT_ERROR(ASN1, ASN1_R_HEADER_TOO_LONG);\n return 0x80;\n }\n\n CBS_ASN1_TAG tag;\n CBS cbs, body;\n CBS_init(&cbs, *inp, (size_t)in_len);\n if (!CBS_get_any_asn1(&cbs, &body, &tag) ||\n // Bound the length to comfortably fit in an int. Lengths in this\n // module often switch between int and long without overflow checks.\n CBS_len(&body) > INT_MAX / 2) {\n OPENSSL_PUT_ERROR(ASN1, ASN1_R_HEADER_TOO_LONG);\n return 0x80;\n }\n\n // Convert between tag representations.\n int tag_class = (tag & CBS_ASN1_CLASS_MASK) >> CBS_ASN1_TAG_SHIFT;\n int constructed = (tag & CBS_ASN1_CONSTRUCTED) >> CBS_ASN1_TAG_SHIFT;\n int tag_number = tag & CBS_ASN1_TAG_NUMBER_MASK;\n\n // To avoid ambiguity with V_ASN1_NEG, impose a limit on universal tags.\n if (tag_class == V_ASN1_UNIVERSAL && tag_number > V_ASN1_MAX_UNIVERSAL) {\n OPENSSL_PUT_ERROR(ASN1, ASN1_R_HEADER_TOO_LONG);\n return 0x80;\n }\n\n *inp = CBS_data(&body);\n *out_len = CBS_len(&body);\n *out_tag = tag_number;\n *out_class = tag_class;\n return constructed;\n}\n\n// class 0 is constructed constructed == 2 for indefinite length constructed\nvoid ASN1_put_object(unsigned char **pp, int constructed, int length, int tag,\n int xclass) {\n unsigned char *p = *pp;\n int i, ttag;\n\n i = (constructed) ? V_ASN1_CONSTRUCTED : 0;\n i |= (xclass & V_ASN1_PRIVATE);\n if (tag < 31) {\n *(p++) = i | (tag & V_ASN1_PRIMITIVE_TAG);\n } else {\n *(p++) = i | V_ASN1_PRIMITIVE_TAG;\n for (i = 0, ttag = tag; ttag > 0; i++) {\n ttag >>= 7;\n }\n ttag = i;\n while (i-- > 0) {\n p[i] = tag & 0x7f;\n if (i != (ttag - 1)) {\n p[i] |= 0x80;\n }\n tag >>= 7;\n }\n p += ttag;\n }\n if (constructed == 2) {\n *(p++) = 0x80;\n } else {\n asn1_put_length(&p, length);\n }\n *pp = p;\n}\n\nint ASN1_put_eoc(unsigned char **pp) {\n // This function is no longer used in the library, but some external code\n // uses it.\n unsigned char *p = *pp;\n *p++ = 0;\n *p++ = 0;\n *pp = p;\n return 2;\n}\n\nstatic void asn1_put_length(unsigned char **pp, int length) {\n unsigned char *p = *pp;\n int i, l;\n if (length <= 127) {\n *(p++) = (unsigned char)length;\n } else {\n l = length;\n for (i = 0; l > 0; i++) {\n l >>= 8;\n }\n *(p++) = i | 0x80;\n l = i;\n while (i-- > 0) {\n p[i] = length & 0xff;\n length >>= 8;\n }\n p += l;\n }\n *pp = p;\n}\n\nint ASN1_object_size(int constructed, int length, int tag) {\n int ret = 1;\n if (length < 0) {\n return -1;\n }\n if (tag >= 31) {\n while (tag > 0) {\n tag >>= 7;\n ret++;\n }\n }\n if (constructed == 2) {\n ret += 3;\n } else {\n ret++;\n if (length > 127) {\n int tmplen = length;\n while (tmplen > 0) {\n tmplen >>= 8;\n ret++;\n }\n }\n }\n if (ret >= INT_MAX - length) {\n return -1;\n }\n return ret + length;\n}\n\nint ASN1_STRING_copy(ASN1_STRING *dst, const ASN1_STRING *str) {\n if (str == NULL) {\n return 0;\n }\n if (!ASN1_STRING_set(dst, str->data, str->length)) {\n return 0;\n }\n dst->type = str->type;\n dst->flags = str->flags;\n return 1;\n}\n\nASN1_STRING *ASN1_STRING_dup(const ASN1_STRING *str) {\n ASN1_STRING *ret;\n if (!str) {\n return NULL;\n }\n ret = ASN1_STRING_new();\n if (!ret) {\n return NULL;\n }\n if (!ASN1_STRING_copy(ret, str)) {\n ASN1_STRING_free(ret);\n return NULL;\n }\n return ret;\n}\n\nint ASN1_STRING_set(ASN1_STRING *str, const void *_data, ossl_ssize_t len_s) {\n const char *data = reinterpret_cast(_data);\n size_t len;\n if (len_s < 0) {\n if (data == NULL) {\n return 0;\n }\n len = strlen(data);\n } else {\n len = (size_t)len_s;\n }\n\n static_assert(ASN1_STRING_MAX < INT_MAX, \"len will not overflow int\");\n if (len > ASN1_STRING_MAX) {\n OPENSSL_PUT_ERROR(ASN1, ERR_R_OVERFLOW);\n return 0;\n }\n\n if (str->length <= (int)len || str->data == NULL) {\n unsigned char *c = str->data;\n if (c == NULL) {\n str->data = reinterpret_cast(OPENSSL_malloc(len + 1));\n } else {\n str->data = reinterpret_cast(OPENSSL_realloc(c, len + 1));\n }\n\n if (str->data == NULL) {\n str->data = c;\n return 0;\n }\n }\n str->length = (int)len;\n if (data != NULL) {\n OPENSSL_memcpy(str->data, data, len);\n // Historically, OpenSSL would NUL-terminate most (but not all)\n // |ASN1_STRING|s, in case anyone accidentally passed |str->data| into a\n // function expecting a C string. We retain this behavior for compatibility,\n // but code must not rely on this. See CVE-2021-3712.\n str->data[len] = '\\0';\n }\n return 1;\n}\n\nvoid ASN1_STRING_set0(ASN1_STRING *str, void *data, int len) {\n OPENSSL_free(str->data);\n str->data = reinterpret_cast(data);\n str->length = len;\n}\n\nASN1_STRING *ASN1_STRING_new(void) {\n return (ASN1_STRING_type_new(V_ASN1_OCTET_STRING));\n}\n\nASN1_STRING *ASN1_STRING_type_new(int type) {\n ASN1_STRING *ret;\n\n ret = (ASN1_STRING *)OPENSSL_malloc(sizeof(ASN1_STRING));\n if (ret == NULL) {\n return NULL;\n }\n ret->length = 0;\n ret->type = type;\n ret->data = NULL;\n ret->flags = 0;\n return ret;\n}\n\nvoid ASN1_STRING_free(ASN1_STRING *str) {\n if (str == NULL) {\n return;\n }\n OPENSSL_free(str->data);\n OPENSSL_free(str);\n}\n\nint ASN1_STRING_cmp(const ASN1_STRING *a, const ASN1_STRING *b) {\n // Capture padding bits and implicit truncation in BIT STRINGs.\n int a_length = a->length, b_length = b->length;\n uint8_t a_padding = 0, b_padding = 0;\n if (a->type == V_ASN1_BIT_STRING) {\n a_length = asn1_bit_string_length(a, &a_padding);\n }\n if (b->type == V_ASN1_BIT_STRING) {\n b_length = asn1_bit_string_length(b, &b_padding);\n }\n\n if (a_length < b_length) {\n return -1;\n }\n if (a_length > b_length) {\n return 1;\n }\n // In a BIT STRING, the number of bits is 8 * length - padding. Invert this\n // comparison so we compare by lengths.\n if (a_padding > b_padding) {\n return -1;\n }\n if (a_padding < b_padding) {\n return 1;\n }\n\n int ret = OPENSSL_memcmp(a->data, b->data, a_length);\n if (ret != 0) {\n return ret;\n }\n\n // Comparing the type first is more natural, but this matches OpenSSL.\n if (a->type < b->type) {\n return -1;\n }\n if (a->type > b->type) {\n return 1;\n }\n return 0;\n}\n\nint ASN1_STRING_length(const ASN1_STRING *str) { return str->length; }\n\nint ASN1_STRING_type(const ASN1_STRING *str) { return str->type; }\n\nunsigned char *ASN1_STRING_data(ASN1_STRING *str) { return str->data; }\n\nconst unsigned char *ASN1_STRING_get0_data(const ASN1_STRING *str) {\n return str->data;\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/asn1/asn1_par.cc", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n\nconst char *ASN1_tag2str(int tag) {\n static const char *const tag2str[] = {\n \"EOC\",\n \"BOOLEAN\",\n \"INTEGER\",\n \"BIT STRING\",\n \"OCTET STRING\",\n \"NULL\",\n \"OBJECT\",\n \"OBJECT DESCRIPTOR\",\n \"EXTERNAL\",\n \"REAL\",\n \"ENUMERATED\",\n \"\",\n \"UTF8STRING\",\n \"\",\n \"\",\n \"\",\n \"SEQUENCE\",\n \"SET\",\n \"NUMERICSTRING\",\n \"PRINTABLESTRING\",\n \"T61STRING\",\n \"VIDEOTEXSTRING\",\n \"IA5STRING\",\n \"UTCTIME\",\n \"GENERALIZEDTIME\",\n \"GRAPHICSTRING\",\n \"VISIBLESTRING\",\n \"GENERALSTRING\",\n \"UNIVERSALSTRING\",\n \"\",\n \"BMPSTRING\",\n };\n\n if ((tag == V_ASN1_NEG_INTEGER) || (tag == V_ASN1_NEG_ENUMERATED)) {\n tag &= ~V_ASN1_NEG;\n }\n\n if (tag < 0 || tag > 30) {\n return \"(unknown)\";\n }\n return tag2str[tag];\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/asn1/asn_pack.cc", "content": "/*\n * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n#include \n\n\nASN1_STRING *ASN1_item_pack(void *obj, const ASN1_ITEM *it, ASN1_STRING **out) {\n uint8_t *new_data = NULL;\n int len = ASN1_item_i2d(reinterpret_cast(obj), &new_data, it);\n if (len <= 0) {\n OPENSSL_PUT_ERROR(ASN1, ASN1_R_ENCODE_ERROR);\n return NULL;\n }\n\n ASN1_STRING *ret = NULL;\n if (out == NULL || *out == NULL) {\n ret = ASN1_STRING_new();\n if (ret == NULL) {\n OPENSSL_free(new_data);\n return NULL;\n }\n } else {\n ret = *out;\n }\n\n ASN1_STRING_set0(ret, new_data, len);\n if (out != NULL) {\n *out = ret;\n }\n return ret;\n}\n\nvoid *ASN1_item_unpack(const ASN1_STRING *oct, const ASN1_ITEM *it) {\n const unsigned char *p = oct->data;\n void *ret = ASN1_item_d2i(NULL, &p, oct->length, it);\n if (ret == NULL || p != oct->data + oct->length) {\n OPENSSL_PUT_ERROR(ASN1, ASN1_R_DECODE_ERROR);\n ASN1_item_free(reinterpret_cast(ret), it);\n return NULL;\n }\n return ret;\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/asn1/f_int.cc", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n\nint i2a_ASN1_INTEGER(BIO *bp, const ASN1_INTEGER *a) {\n int i, n = 0;\n static const char *h = \"0123456789ABCDEF\";\n char buf[2];\n\n if (a == NULL) {\n return 0;\n }\n\n if (a->type & V_ASN1_NEG) {\n if (BIO_write(bp, \"-\", 1) != 1) {\n goto err;\n }\n n = 1;\n }\n\n if (a->length == 0) {\n if (BIO_write(bp, \"00\", 2) != 2) {\n goto err;\n }\n n += 2;\n } else {\n for (i = 0; i < a->length; i++) {\n if ((i != 0) && (i % 35 == 0)) {\n if (BIO_write(bp, \"\\\\\\n\", 2) != 2) {\n goto err;\n }\n n += 2;\n }\n buf[0] = h[((unsigned char)a->data[i] >> 4) & 0x0f];\n buf[1] = h[((unsigned char)a->data[i]) & 0x0f];\n if (BIO_write(bp, buf, 2) != 2) {\n goto err;\n }\n n += 2;\n }\n }\n return n;\nerr:\n return -1;\n}\n\nint i2a_ASN1_ENUMERATED(BIO *bp, const ASN1_ENUMERATED *a) {\n return i2a_ASN1_INTEGER(bp, a);\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/asn1/f_string.cc", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n\nint i2a_ASN1_STRING(BIO *bp, const ASN1_STRING *a, int type) {\n int i, n = 0;\n static const char *h = \"0123456789ABCDEF\";\n char buf[2];\n\n if (a == NULL) {\n return 0;\n }\n\n if (a->length == 0) {\n if (BIO_write(bp, \"0\", 1) != 1) {\n goto err;\n }\n n = 1;\n } else {\n for (i = 0; i < a->length; i++) {\n if ((i != 0) && (i % 35 == 0)) {\n if (BIO_write(bp, \"\\\\\\n\", 2) != 2) {\n goto err;\n }\n n += 2;\n }\n buf[0] = h[((unsigned char)a->data[i] >> 4) & 0x0f];\n buf[1] = h[((unsigned char)a->data[i]) & 0x0f];\n if (BIO_write(bp, buf, 2) != 2) {\n goto err;\n }\n n += 2;\n }\n }\n return n;\nerr:\n return -1;\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/asn1/internal.h", "content": "/*\n * Copyright 2005-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#ifndef OPENSSL_HEADER_ASN1_INTERNAL_H\n#define OPENSSL_HEADER_ASN1_INTERNAL_H\n\n#include \n\n#include \n#include \n\n#if defined(__cplusplus)\nextern \"C\" {\n#endif\n\n\n// Wrapper functions for time functions.\n\n// OPENSSL_gmtime converts a time_t value in |time| which must be in the range\n// of year 0000 to 9999 to a broken out time value in |tm|. On success |tm| is\n// returned. On failure NULL is returned.\nOPENSSL_EXPORT struct tm *OPENSSL_gmtime(const time_t *time, struct tm *result);\n\n// OPENSSL_gmtime_adj returns one on success, and updates |tm| by adding\n// |offset_day| days and |offset_sec| seconds. It returns zero on failure. |tm|\n// must be in the range of year 0000 to 9999 both before and after the update or\n// a failure will be returned.\nOPENSSL_EXPORT int OPENSSL_gmtime_adj(struct tm *tm, int offset_day,\n int64_t offset_sec);\n\n// OPENSSL_gmtime_diff calculates the difference between |from| and |to|. It\n// returns one, and outputs the difference as a number of days and seconds in\n// |*out_days| and |*out_secs| on success. It returns zero on failure. Both\n// |from| and |to| must be in the range of year 0000 to 9999 or a failure will\n// be returned.\nOPENSSL_EXPORT int OPENSSL_gmtime_diff(int *out_days, int *out_secs,\n const struct tm *from,\n const struct tm *to);\n\n// Internal ASN1 structures and functions: not for application use\n\n// These are used internally in the ASN1_OBJECT to keep track of\n// whether the names and data need to be free()ed\n#define ASN1_OBJECT_FLAG_DYNAMIC 0x01 // internal use\n#define ASN1_OBJECT_FLAG_DYNAMIC_STRINGS 0x04 // internal use\n#define ASN1_OBJECT_FLAG_DYNAMIC_DATA 0x08 // internal use\n\n// An asn1_object_st (aka |ASN1_OBJECT|) represents an ASN.1 OBJECT IDENTIFIER.\n// Note: Mutating an |ASN1_OBJECT| is only permitted when initializing it. The\n// library maintains a table of static |ASN1_OBJECT|s, which may be referenced\n// by non-const |ASN1_OBJECT| pointers. Code which receives an |ASN1_OBJECT|\n// pointer externally must assume it is immutable, even if the pointer is not\n// const.\nstruct asn1_object_st {\n const char *sn, *ln;\n int nid;\n int length;\n const unsigned char *data; // data remains const after init\n int flags; // Should we free this one\n};\n\nASN1_OBJECT *ASN1_OBJECT_new(void);\n\n// ASN1_ENCODING is used to save the received encoding of an ASN.1 type. This\n// avoids problems with invalid encodings that break signatures.\ntypedef struct ASN1_ENCODING_st {\n // enc is the saved DER encoding. Its ownership is determined by |buf|.\n uint8_t *enc;\n // len is the length of |enc|. If zero, there is no saved encoding.\n size_t len;\n // buf, if non-NULL, is the |CRYPTO_BUFFER| that |enc| points into. If NULL,\n // |enc| must be released with |OPENSSL_free|.\n CRYPTO_BUFFER *buf;\n} ASN1_ENCODING;\n\nOPENSSL_EXPORT int asn1_utctime_to_tm(struct tm *tm, const ASN1_UTCTIME *d,\n int allow_timezone_offset);\nOPENSSL_EXPORT int asn1_generalizedtime_to_tm(struct tm *tm,\n const ASN1_GENERALIZEDTIME *d);\n\nint ASN1_item_ex_new(ASN1_VALUE **pval, const ASN1_ITEM *it);\nvoid ASN1_item_ex_free(ASN1_VALUE **pval, const ASN1_ITEM *it);\n\nvoid ASN1_template_free(ASN1_VALUE **pval, const ASN1_TEMPLATE *tt);\n\n// ASN1_item_ex_d2i parses |len| bytes from |*in| as a structure of type |it|\n// and writes the result to |*pval|. If |tag| is non-negative, |it| is\n// implicitly tagged with the tag specified by |tag| and |aclass|. If |opt| is\n// non-zero, the value is optional. If |buf| is non-NULL, |*in| must point into\n// |buf|.\n//\n// This function returns one and advances |*in| if an object was successfully\n// parsed, -1 if an optional value was successfully skipped, and zero on error.\nint ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len,\n const ASN1_ITEM *it, int tag, int aclass, char opt,\n CRYPTO_BUFFER *buf);\n\n// ASN1_item_ex_i2d encodes |*pval| as a value of type |it| to |out| under the\n// i2d output convention. It returns a non-zero length on success and -1 on\n// error. If |tag| is -1. the tag and class come from |it|. Otherwise, the tag\n// number is |tag| and the class is |aclass|. This is used for implicit tagging.\n// This function treats a missing value as an error, not an optional field.\nint ASN1_item_ex_i2d(ASN1_VALUE **pval, unsigned char **out,\n const ASN1_ITEM *it, int tag, int aclass);\n\nvoid ASN1_primitive_free(ASN1_VALUE **pval, const ASN1_ITEM *it);\n\n// asn1_get_choice_selector returns the CHOICE selector value for |*pval|, which\n// must of type |it|.\nint asn1_get_choice_selector(ASN1_VALUE **pval, const ASN1_ITEM *it);\n\nint asn1_set_choice_selector(ASN1_VALUE **pval, int value, const ASN1_ITEM *it);\n\n// asn1_get_field_ptr returns a pointer to the field in |*pval| corresponding to\n// |tt|.\nASN1_VALUE **asn1_get_field_ptr(ASN1_VALUE **pval, const ASN1_TEMPLATE *tt);\n\n// asn1_do_adb returns the |ASN1_TEMPLATE| for the ANY DEFINED BY field |tt|,\n// based on the selector INTEGER or OID in |*pval|. If |tt| is not an ADB field,\n// it returns |tt|. If the selector does not match any value, it returns NULL.\n// If |nullerr| is non-zero, it will additionally push an error to the error\n// queue when there is no match.\nconst ASN1_TEMPLATE *asn1_do_adb(ASN1_VALUE **pval, const ASN1_TEMPLATE *tt,\n int nullerr);\n\nvoid asn1_refcount_set_one(ASN1_VALUE **pval, const ASN1_ITEM *it);\nint asn1_refcount_dec_and_test_zero(ASN1_VALUE **pval, const ASN1_ITEM *it);\n\nvoid asn1_enc_init(ASN1_VALUE **pval, const ASN1_ITEM *it);\nvoid asn1_enc_free(ASN1_VALUE **pval, const ASN1_ITEM *it);\n\n// asn1_enc_restore, if |*pval| has a saved encoding, writes it to |out| under\n// the i2d output convention, sets |*len| to the length, and returns one. If it\n// has no saved encoding, it returns zero.\nint asn1_enc_restore(int *len, unsigned char **out, ASN1_VALUE **pval,\n const ASN1_ITEM *it);\n\n// asn1_enc_save saves |inlen| bytes from |in| as |*pval|'s saved encoding. It\n// returns one on success and zero on error. If |buf| is non-NULL, |in| must\n// point into |buf|.\nint asn1_enc_save(ASN1_VALUE **pval, const uint8_t *in, size_t inlen,\n const ASN1_ITEM *it, CRYPTO_BUFFER *buf);\n\n// asn1_encoding_clear clears the cached encoding in |enc|.\nvoid asn1_encoding_clear(ASN1_ENCODING *enc);\n\n// asn1_type_value_as_pointer returns |a|'s value in pointer form. This is\n// usually the value object but, for BOOLEAN values, is 0 or 0xff cast to\n// a pointer.\nconst void *asn1_type_value_as_pointer(const ASN1_TYPE *a);\n\n// asn1_type_set0_string sets |a|'s value to the object represented by |str| and\n// takes ownership of |str|.\nvoid asn1_type_set0_string(ASN1_TYPE *a, ASN1_STRING *str);\n\n// asn1_type_cleanup releases memory associated with |a|'s value, without\n// freeing |a| itself.\nvoid asn1_type_cleanup(ASN1_TYPE *a);\n\n// asn1_is_printable returns one if |value| is a valid Unicode codepoint for an\n// ASN.1 PrintableString, and zero otherwise.\nint asn1_is_printable(uint32_t value);\n\n// asn1_bit_string_length returns the number of bytes in |str| and sets\n// |*out_padding_bits| to the number of padding bits.\n//\n// This function should be used instead of |ASN1_STRING_length| to correctly\n// handle the non-|ASN1_STRING_FLAG_BITS_LEFT| case.\nint asn1_bit_string_length(const ASN1_BIT_STRING *str,\n uint8_t *out_padding_bits);\n\ntypedef struct {\n int nid;\n long minsize;\n long maxsize;\n unsigned long mask;\n unsigned long flags;\n} ASN1_STRING_TABLE;\n\n// asn1_get_string_table_for_testing sets |*out_ptr| and |*out_len| to the table\n// of built-in |ASN1_STRING_TABLE| values. It is exported for testing.\nOPENSSL_EXPORT void asn1_get_string_table_for_testing(\n const ASN1_STRING_TABLE **out_ptr, size_t *out_len);\n\ntypedef ASN1_VALUE *ASN1_new_func(void);\ntypedef void ASN1_free_func(ASN1_VALUE *a);\ntypedef ASN1_VALUE *ASN1_d2i_func(ASN1_VALUE **a, const unsigned char **in,\n long length);\ntypedef int ASN1_i2d_func(ASN1_VALUE *a, unsigned char **in);\n\ntypedef int ASN1_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len,\n const ASN1_ITEM *it, int opt, ASN1_TLC *ctx);\n\ntypedef int ASN1_ex_i2d(ASN1_VALUE **pval, unsigned char **out,\n const ASN1_ITEM *it);\ntypedef int ASN1_ex_new_func(ASN1_VALUE **pval, const ASN1_ITEM *it);\ntypedef void ASN1_ex_free_func(ASN1_VALUE **pval, const ASN1_ITEM *it);\n\ntypedef struct ASN1_EXTERN_FUNCS_st {\n ASN1_ex_new_func *asn1_ex_new;\n ASN1_ex_free_func *asn1_ex_free;\n ASN1_ex_d2i *asn1_ex_d2i;\n ASN1_ex_i2d *asn1_ex_i2d;\n} ASN1_EXTERN_FUNCS;\n\n\n#if defined(__cplusplus)\n} // extern C\n#endif\n\n#endif // OPENSSL_HEADER_ASN1_INTERNAL_H\n" }, { "path": "Sources/CNIOBoringSSL/crypto/asn1/posix_time.cc", "content": "/* Copyright 2022 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n// Time conversion to/from POSIX time_t and struct tm, with no support\n// for time zones other than UTC\n\n#include \n\n#include \n#include \n#include \n#include \n#include \n\n#include \"internal.h\"\n\n#define SECS_PER_HOUR (60 * 60)\n#define SECS_PER_DAY (INT64_C(24) * SECS_PER_HOUR)\n\n\n// Is a year/month/day combination valid, in the range from year 0000\n// to 9999?\nstatic int is_valid_date(int64_t year, int64_t month, int64_t day) {\n if (day < 1 || month < 1 || year < 0 || year > 9999) {\n return 0;\n }\n switch (month) {\n case 1:\n case 3:\n case 5:\n case 7:\n case 8:\n case 10:\n case 12:\n return day > 0 && day <= 31;\n case 4:\n case 6:\n case 9:\n case 11:\n return day > 0 && day <= 30;\n case 2:\n if ((year % 4 == 0 && year % 100 != 0) || year % 400 == 0) {\n return day > 0 && day <= 29;\n } else {\n return day > 0 && day <= 28;\n }\n default:\n return 0;\n }\n}\n\n// Is a time valid? Leap seconds of 60 are not considered valid, as\n// the POSIX time in seconds does not include them.\nstatic int is_valid_time(int64_t hours, int64_t minutes, int64_t seconds) {\n if (hours < 0 || minutes < 0 || seconds < 0 || hours > 23 || minutes > 59 ||\n seconds > 59) {\n return 0;\n }\n return 1;\n}\n\n// 0000-01-01 00:00:00 UTC\n#define MIN_POSIX_TIME INT64_C(-62167219200)\n// 9999-12-31 23:59:59 UTC\n#define MAX_POSIX_TIME INT64_C(253402300799)\n\n// Is an int64 time within our expected range?\nstatic int is_valid_posix_time(int64_t time) {\n return MIN_POSIX_TIME <= time && time <= MAX_POSIX_TIME;\n}\n\n// Inspired by algorithms presented in\n// https://howardhinnant.github.io/date_algorithms.html\n// (Public Domain)\nstatic int posix_time_from_utc(int64_t year, int64_t month, int64_t day,\n int64_t hours, int64_t minutes, int64_t seconds,\n int64_t *out_time) {\n if (!is_valid_date(year, month, day) ||\n !is_valid_time(hours, minutes, seconds)) {\n return 0;\n }\n if (month <= 2) {\n year--; // Start years on Mar 1, so leap days always finish a year.\n }\n // At this point year will be in the range -1 and 9999.\n assert(-1 <= year && year <= 9999);\n int64_t era = (year >= 0 ? year : year - 399) / 400;\n int64_t year_of_era = year - era * 400;\n int64_t day_of_year =\n (153 * (month > 2 ? month - 3 : month + 9) + 2) / 5 + day - 1;\n int64_t day_of_era =\n year_of_era * 365 + year_of_era / 4 - year_of_era / 100 + day_of_year;\n int64_t posix_days = era * 146097 + day_of_era - 719468;\n *out_time = posix_days * SECS_PER_DAY + hours * SECS_PER_HOUR + minutes * 60 +\n seconds;\n return 1;\n}\n\n// Inspired by algorithms presented in\n// https://howardhinnant.github.io/date_algorithms.html\n// (Public Domain)\nstatic int utc_from_posix_time(int64_t time, int *out_year, int *out_month,\n int *out_day, int *out_hours, int *out_minutes,\n int *out_seconds) {\n if (!is_valid_posix_time(time)) {\n return 0;\n }\n int64_t days = time / SECS_PER_DAY;\n int64_t leftover_seconds = time % SECS_PER_DAY;\n if (leftover_seconds < 0) {\n days--;\n leftover_seconds += SECS_PER_DAY;\n }\n days += 719468; // Shift to starting epoch of Mar 1 0000.\n // At this point, days will be in the range -61 and 3652364.\n assert(-61 <= days && days <= 3652364);\n int64_t era = (days > 0 ? days : days - 146096) / 146097;\n int64_t day_of_era = days - era * 146097;\n int64_t year_of_era = (day_of_era - day_of_era / 1460 + day_of_era / 36524 -\n day_of_era / 146096) /\n 365;\n *out_year = (int)(year_of_era + era * 400); // Year starting on Mar 1.\n int64_t day_of_year =\n day_of_era - (365 * year_of_era + year_of_era / 4 - year_of_era / 100);\n int64_t month_of_year = (5 * day_of_year + 2) / 153;\n *out_month =\n (int)(month_of_year < 10 ? month_of_year + 3 : month_of_year - 9);\n if (*out_month <= 2) {\n (*out_year)++; // Adjust year back to Jan 1 start of year.\n }\n *out_day = (int)(day_of_year - (153 * month_of_year + 2) / 5 + 1);\n *out_hours = (int)(leftover_seconds / SECS_PER_HOUR);\n leftover_seconds %= SECS_PER_HOUR;\n *out_minutes = (int)(leftover_seconds / 60);\n *out_seconds = (int)(leftover_seconds % 60);\n return 1;\n}\n\nint OPENSSL_tm_to_posix(const struct tm *tm, int64_t *out) {\n return posix_time_from_utc(tm->tm_year + INT64_C(1900),\n tm->tm_mon + INT64_C(1), tm->tm_mday, tm->tm_hour,\n tm->tm_min, tm->tm_sec, out);\n}\n\nint OPENSSL_posix_to_tm(int64_t time, struct tm *out_tm) {\n struct tm tmp_tm = {};\n if (!utc_from_posix_time(time, &tmp_tm.tm_year, &tmp_tm.tm_mon,\n &tmp_tm.tm_mday, &tmp_tm.tm_hour, &tmp_tm.tm_min,\n &tmp_tm.tm_sec)) {\n return 0;\n }\n tmp_tm.tm_year -= 1900;\n tmp_tm.tm_mon -= 1;\n *out_tm = tmp_tm;\n\n return 1;\n}\n\nint OPENSSL_timegm(const struct tm *tm, time_t *out) {\n static_assert(\n sizeof(time_t) == sizeof(int32_t) || sizeof(time_t) == sizeof(int64_t),\n \"time_t is broken\");\n int64_t posix_time;\n if (!OPENSSL_tm_to_posix(tm, &posix_time)) {\n return 0;\n }\n if (sizeof(time_t) == sizeof(int32_t) &&\n (posix_time > INT32_MAX || posix_time < INT32_MIN)) {\n return 0;\n }\n *out = (time_t)posix_time;\n return 1;\n}\n\nstruct tm *OPENSSL_gmtime(const time_t *time, struct tm *out_tm) {\n static_assert(\n sizeof(time_t) == sizeof(int32_t) || sizeof(time_t) == sizeof(int64_t),\n \"time_t is broken\");\n int64_t posix_time = *time;\n if (!OPENSSL_posix_to_tm(posix_time, out_tm)) {\n return NULL;\n }\n return out_tm;\n}\n\nint OPENSSL_gmtime_adj(struct tm *tm, int offset_day, int64_t offset_sec) {\n int64_t posix_time;\n if (!OPENSSL_tm_to_posix(tm, &posix_time)) {\n return 0;\n }\n static_assert(INT_MAX <= INT64_MAX / SECS_PER_DAY,\n \"day offset in seconds cannot overflow\");\n static_assert(MAX_POSIX_TIME <= INT64_MAX - INT_MAX * SECS_PER_DAY,\n \"addition cannot overflow\");\n static_assert(MIN_POSIX_TIME >= INT64_MIN - INT_MIN * SECS_PER_DAY,\n \"addition cannot underflow\");\n posix_time += offset_day * SECS_PER_DAY;\n if (posix_time > 0 && offset_sec > INT64_MAX - posix_time) {\n return 0;\n }\n if (posix_time < 0 && offset_sec < INT64_MIN - posix_time) {\n return 0;\n }\n posix_time += offset_sec;\n\n if (!OPENSSL_posix_to_tm(posix_time, tm)) {\n return 0;\n }\n\n return 1;\n}\n\nint OPENSSL_gmtime_diff(int *out_days, int *out_secs, const struct tm *from,\n const struct tm *to) {\n int64_t time_to, time_from;\n if (!OPENSSL_tm_to_posix(to, &time_to) ||\n !OPENSSL_tm_to_posix(from, &time_from)) {\n return 0;\n }\n // Times are in range, so these calculations can not overflow.\n static_assert(SECS_PER_DAY <= INT_MAX, \"seconds per day does not fit in int\");\n static_assert((MAX_POSIX_TIME - MIN_POSIX_TIME) / SECS_PER_DAY <= INT_MAX,\n \"range of valid POSIX times, in days, does not fit in int\");\n int64_t timediff = time_to - time_from;\n int64_t daydiff = timediff / SECS_PER_DAY;\n timediff %= SECS_PER_DAY;\n *out_secs = (int)timediff;\n *out_days = (int)daydiff;\n return 1;\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/asn1/tasn_dec.cc", "content": "/*\n * Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n#include \n#include \n#include \n#include \n#include \n\n#include \n#include \n#include \n\n#include \"../bytestring/internal.h\"\n#include \"../internal.h\"\n#include \"internal.h\"\n\n// Constructed types with a recursive definition (such as can be found in PKCS7)\n// could eventually exceed the stack given malicious input with excessive\n// recursion. Therefore we limit the stack depth. This is the maximum number of\n// recursive invocations of asn1_item_embed_d2i().\n#define ASN1_MAX_CONSTRUCTED_NEST 30\n\nstatic int asn1_check_tlen(long *olen, int *otag, unsigned char *oclass,\n char *cst, const unsigned char **in, long len,\n int exptag, int expclass, char opt);\n\nstatic int asn1_template_ex_d2i(ASN1_VALUE **pval, const unsigned char **in,\n long len, const ASN1_TEMPLATE *tt, char opt,\n CRYPTO_BUFFER *buf, int depth);\nstatic int asn1_template_noexp_d2i(ASN1_VALUE **val, const unsigned char **in,\n long len, const ASN1_TEMPLATE *tt, char opt,\n CRYPTO_BUFFER *buf, int depth);\nstatic int asn1_ex_c2i(ASN1_VALUE **pval, const unsigned char *cont, long len,\n int utype, const ASN1_ITEM *it);\nstatic int asn1_d2i_ex_primitive(ASN1_VALUE **pval, const unsigned char **in,\n long len, const ASN1_ITEM *it, int tag,\n int aclass, char opt);\nstatic int asn1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in,\n long len, const ASN1_ITEM *it, int tag, int aclass,\n char opt, CRYPTO_BUFFER *buf, int depth);\n\n// Table to convert tags to bit values, used for MSTRING type\nstatic const unsigned long tag2bit[31] = {\n 0, // (reserved)\n 0, // BOOLEAN\n 0, // INTEGER\n B_ASN1_BIT_STRING,\n B_ASN1_OCTET_STRING,\n 0, // NULL\n 0, // OBJECT IDENTIFIER\n B_ASN1_UNKNOWN, // ObjectDescriptor\n B_ASN1_UNKNOWN, // EXTERNAL\n B_ASN1_UNKNOWN, // REAL\n B_ASN1_UNKNOWN, // ENUMERATED\n B_ASN1_UNKNOWN, // EMBEDDED PDV\n B_ASN1_UTF8STRING,\n B_ASN1_UNKNOWN, // RELATIVE-OID\n B_ASN1_UNKNOWN, // TIME\n B_ASN1_UNKNOWN, // (reserved)\n B_ASN1_SEQUENCE,\n 0, // SET\n B_ASN1_NUMERICSTRING,\n B_ASN1_PRINTABLESTRING,\n B_ASN1_T61STRING,\n B_ASN1_VIDEOTEXSTRING,\n B_ASN1_IA5STRING,\n B_ASN1_UTCTIME,\n B_ASN1_GENERALIZEDTIME,\n B_ASN1_GRAPHICSTRING,\n B_ASN1_ISO64STRING,\n B_ASN1_GENERALSTRING,\n B_ASN1_UNIVERSALSTRING,\n B_ASN1_UNKNOWN, // CHARACTER STRING\n B_ASN1_BMPSTRING,\n};\n\nunsigned long ASN1_tag2bit(int tag) {\n if (tag < 0 || tag > 30) {\n return 0;\n }\n return tag2bit[tag];\n}\n\nstatic int is_supported_universal_type(int tag, int aclass) {\n if (aclass != V_ASN1_UNIVERSAL) {\n return 0;\n }\n return tag == V_ASN1_OBJECT || tag == V_ASN1_NULL || tag == V_ASN1_BOOLEAN ||\n tag == V_ASN1_BIT_STRING || tag == V_ASN1_INTEGER ||\n tag == V_ASN1_ENUMERATED || tag == V_ASN1_OCTET_STRING ||\n tag == V_ASN1_NUMERICSTRING || tag == V_ASN1_PRINTABLESTRING ||\n tag == V_ASN1_T61STRING || tag == V_ASN1_VIDEOTEXSTRING ||\n tag == V_ASN1_IA5STRING || tag == V_ASN1_UTCTIME ||\n tag == V_ASN1_GENERALIZEDTIME || tag == V_ASN1_GRAPHICSTRING ||\n tag == V_ASN1_VISIBLESTRING || tag == V_ASN1_GENERALSTRING ||\n tag == V_ASN1_UNIVERSALSTRING || tag == V_ASN1_BMPSTRING ||\n tag == V_ASN1_UTF8STRING || tag == V_ASN1_SET ||\n tag == V_ASN1_SEQUENCE;\n}\n\n// Macro to initialize and invalidate the cache\n\n// Decode an ASN1 item, this currently behaves just like a standard 'd2i'\n// function. 'in' points to a buffer to read the data from, in future we\n// will have more advanced versions that can input data a piece at a time and\n// this will simply be a special case.\n\nASN1_VALUE *ASN1_item_d2i(ASN1_VALUE **pval, const unsigned char **in, long len,\n const ASN1_ITEM *it) {\n ASN1_VALUE *ret = NULL;\n if (asn1_item_ex_d2i(&ret, in, len, it, /*tag=*/-1, /*aclass=*/0, /*opt=*/0,\n /*buf=*/NULL, /*depth=*/0) <= 0) {\n // Clean up, in case the caller left a partial object.\n //\n // TODO(davidben): I don't think it can leave one, but the codepaths below\n // are a bit inconsistent. Revisit this when rewriting this function.\n ASN1_item_ex_free(&ret, it);\n }\n\n // If the caller supplied an output pointer, free the old one and replace it\n // with |ret|. This differs from OpenSSL slightly in that we don't support\n // object reuse. We run this on both success and failure. On failure, even\n // with object reuse, OpenSSL destroys the previous object.\n if (pval != NULL) {\n ASN1_item_ex_free(pval, it);\n *pval = ret;\n }\n return ret;\n}\n\n// Decode an item, taking care of IMPLICIT tagging, if any. If 'opt' set and\n// tag mismatch return -1 to handle OPTIONAL\n//\n// TODO(davidben): Historically, all functions in this file had to account for\n// |*pval| containing an arbitrary existing value. This is no longer the case\n// because |ASN1_item_d2i| now always starts from NULL. As part of rewriting\n// this function, take the simplified assumptions into account. Though we must\n// still account for the internal calls to |ASN1_item_ex_new|.\n\nstatic int asn1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in,\n long len, const ASN1_ITEM *it, int tag, int aclass,\n char opt, CRYPTO_BUFFER *buf, int depth) {\n const ASN1_TEMPLATE *tt, *errtt = NULL;\n const unsigned char *p = NULL, *q;\n unsigned char oclass;\n char cst, isopt;\n int i;\n int otag;\n int ret = 0;\n ASN1_VALUE **pchptr;\n if (!pval) {\n return 0;\n }\n\n if (buf != NULL) {\n assert(CRYPTO_BUFFER_data(buf) <= *in &&\n *in + len <= CRYPTO_BUFFER_data(buf) + CRYPTO_BUFFER_len(buf));\n }\n\n // Bound |len| to comfortably fit in an int. Lengths in this module often\n // switch between int and long without overflow checks.\n if (len > INT_MAX / 2) {\n len = INT_MAX / 2;\n }\n\n if (++depth > ASN1_MAX_CONSTRUCTED_NEST) {\n OPENSSL_PUT_ERROR(ASN1, ASN1_R_NESTED_TOO_DEEP);\n goto err;\n }\n\n switch (it->itype) {\n case ASN1_ITYPE_PRIMITIVE:\n if (it->templates) {\n // tagging or OPTIONAL is currently illegal on an item template\n // because the flags can't get passed down. In practice this\n // isn't a problem: we include the relevant flags from the item\n // template in the template itself.\n if ((tag != -1) || opt) {\n OPENSSL_PUT_ERROR(ASN1, ASN1_R_ILLEGAL_OPTIONS_ON_ITEM_TEMPLATE);\n goto err;\n }\n return asn1_template_ex_d2i(pval, in, len, it->templates, opt, buf,\n depth);\n }\n return asn1_d2i_ex_primitive(pval, in, len, it, tag, aclass, opt);\n break;\n\n case ASN1_ITYPE_MSTRING:\n // It never makes sense for multi-strings to have implicit tagging, so\n // if tag != -1, then this looks like an error in the template.\n if (tag != -1) {\n OPENSSL_PUT_ERROR(ASN1, ASN1_R_BAD_TEMPLATE);\n goto err;\n }\n\n p = *in;\n // Just read in tag and class\n ret = asn1_check_tlen(NULL, &otag, &oclass, NULL, &p, len, -1, 0, 1);\n if (!ret) {\n OPENSSL_PUT_ERROR(ASN1, ASN1_R_NESTED_ASN1_ERROR);\n goto err;\n }\n\n // Must be UNIVERSAL class\n if (oclass != V_ASN1_UNIVERSAL) {\n // If OPTIONAL, assume this is OK\n if (opt) {\n return -1;\n }\n OPENSSL_PUT_ERROR(ASN1, ASN1_R_MSTRING_NOT_UNIVERSAL);\n goto err;\n }\n // Check tag matches bit map\n if (!(ASN1_tag2bit(otag) & it->utype)) {\n // If OPTIONAL, assume this is OK\n if (opt) {\n return -1;\n }\n OPENSSL_PUT_ERROR(ASN1, ASN1_R_MSTRING_WRONG_TAG);\n goto err;\n }\n return asn1_d2i_ex_primitive(pval, in, len, it, otag, 0, 0);\n\n case ASN1_ITYPE_EXTERN: {\n // We don't support implicit tagging with external types.\n if (tag != -1) {\n OPENSSL_PUT_ERROR(ASN1, ASN1_R_BAD_TEMPLATE);\n goto err;\n }\n const ASN1_EXTERN_FUNCS *ef =\n reinterpret_cast(it->funcs);\n return ef->asn1_ex_d2i(pval, in, len, it, opt, NULL);\n }\n\n case ASN1_ITYPE_CHOICE: {\n // It never makes sense for CHOICE types to have implicit tagging, so if\n // tag != -1, then this looks like an error in the template.\n if (tag != -1) {\n OPENSSL_PUT_ERROR(ASN1, ASN1_R_BAD_TEMPLATE);\n goto err;\n }\n\n const ASN1_AUX *aux = reinterpret_cast(it->funcs);\n ASN1_aux_cb *asn1_cb = aux != NULL ? aux->asn1_cb : NULL;\n if (asn1_cb && !asn1_cb(ASN1_OP_D2I_PRE, pval, it, NULL)) {\n goto auxerr;\n }\n\n if (*pval) {\n // Free up and zero CHOICE value if initialised\n i = asn1_get_choice_selector(pval, it);\n if ((i >= 0) && (i < it->tcount)) {\n tt = it->templates + i;\n pchptr = asn1_get_field_ptr(pval, tt);\n ASN1_template_free(pchptr, tt);\n asn1_set_choice_selector(pval, -1, it);\n }\n } else if (!ASN1_item_ex_new(pval, it)) {\n OPENSSL_PUT_ERROR(ASN1, ASN1_R_NESTED_ASN1_ERROR);\n goto err;\n }\n // CHOICE type, try each possibility in turn\n p = *in;\n for (i = 0, tt = it->templates; i < it->tcount; i++, tt++) {\n pchptr = asn1_get_field_ptr(pval, tt);\n // We mark field as OPTIONAL so its absence can be recognised.\n ret = asn1_template_ex_d2i(pchptr, &p, len, tt, 1, buf, depth);\n // If field not present, try the next one\n if (ret == -1) {\n continue;\n }\n // If positive return, read OK, break loop\n if (ret > 0) {\n break;\n }\n // Otherwise must be an ASN1 parsing error\n errtt = tt;\n OPENSSL_PUT_ERROR(ASN1, ASN1_R_NESTED_ASN1_ERROR);\n goto err;\n }\n\n // Did we fall off the end without reading anything?\n if (i == it->tcount) {\n // If OPTIONAL, this is OK\n if (opt) {\n // Free and zero it\n ASN1_item_ex_free(pval, it);\n return -1;\n }\n OPENSSL_PUT_ERROR(ASN1, ASN1_R_NO_MATCHING_CHOICE_TYPE);\n goto err;\n }\n\n asn1_set_choice_selector(pval, i, it);\n if (asn1_cb && !asn1_cb(ASN1_OP_D2I_POST, pval, it, NULL)) {\n goto auxerr;\n }\n *in = p;\n return 1;\n }\n\n case ASN1_ITYPE_SEQUENCE: {\n p = *in;\n\n // If no IMPLICIT tagging set to SEQUENCE, UNIVERSAL\n if (tag == -1) {\n tag = V_ASN1_SEQUENCE;\n aclass = V_ASN1_UNIVERSAL;\n }\n // Get SEQUENCE length and update len, p\n ret = asn1_check_tlen(&len, NULL, NULL, &cst, &p, len, tag, aclass, opt);\n if (!ret) {\n OPENSSL_PUT_ERROR(ASN1, ASN1_R_NESTED_ASN1_ERROR);\n goto err;\n } else if (ret == -1) {\n return -1;\n }\n if (!cst) {\n OPENSSL_PUT_ERROR(ASN1, ASN1_R_SEQUENCE_NOT_CONSTRUCTED);\n goto err;\n }\n\n if (!*pval && !ASN1_item_ex_new(pval, it)) {\n OPENSSL_PUT_ERROR(ASN1, ASN1_R_NESTED_ASN1_ERROR);\n goto err;\n }\n\n const ASN1_AUX *aux = reinterpret_cast(it->funcs);\n ASN1_aux_cb *asn1_cb = aux != NULL ? aux->asn1_cb : NULL;\n if (asn1_cb && !asn1_cb(ASN1_OP_D2I_PRE, pval, it, NULL)) {\n goto auxerr;\n }\n\n // Free up and zero any ADB found\n for (i = 0, tt = it->templates; i < it->tcount; i++, tt++) {\n if (tt->flags & ASN1_TFLG_ADB_MASK) {\n const ASN1_TEMPLATE *seqtt;\n ASN1_VALUE **pseqval;\n seqtt = asn1_do_adb(pval, tt, 0);\n if (seqtt == NULL) {\n continue;\n }\n pseqval = asn1_get_field_ptr(pval, seqtt);\n ASN1_template_free(pseqval, seqtt);\n }\n }\n\n // Get each field entry\n for (i = 0, tt = it->templates; i < it->tcount; i++, tt++) {\n const ASN1_TEMPLATE *seqtt;\n ASN1_VALUE **pseqval;\n seqtt = asn1_do_adb(pval, tt, 1);\n if (seqtt == NULL) {\n goto err;\n }\n pseqval = asn1_get_field_ptr(pval, seqtt);\n // Have we ran out of data?\n if (!len) {\n break;\n }\n q = p;\n // This determines the OPTIONAL flag value. The field cannot be\n // omitted if it is the last of a SEQUENCE and there is still\n // data to be read. This isn't strictly necessary but it\n // increases efficiency in some cases.\n if (i == (it->tcount - 1)) {\n isopt = 0;\n } else {\n isopt = (seqtt->flags & ASN1_TFLG_OPTIONAL) != 0;\n }\n // attempt to read in field, allowing each to be OPTIONAL\n\n ret = asn1_template_ex_d2i(pseqval, &p, len, seqtt, isopt, buf, depth);\n if (!ret) {\n errtt = seqtt;\n goto err;\n } else if (ret == -1) {\n // OPTIONAL component absent. Free and zero the field.\n ASN1_template_free(pseqval, seqtt);\n continue;\n }\n // Update length\n len -= p - q;\n }\n\n // Check all data read\n if (len) {\n OPENSSL_PUT_ERROR(ASN1, ASN1_R_SEQUENCE_LENGTH_MISMATCH);\n goto err;\n }\n\n // If we get here we've got no more data in the SEQUENCE, however we\n // may not have read all fields so check all remaining are OPTIONAL\n // and clear any that are.\n for (; i < it->tcount; tt++, i++) {\n const ASN1_TEMPLATE *seqtt;\n seqtt = asn1_do_adb(pval, tt, 1);\n if (seqtt == NULL) {\n goto err;\n }\n if (seqtt->flags & ASN1_TFLG_OPTIONAL) {\n ASN1_VALUE **pseqval;\n pseqval = asn1_get_field_ptr(pval, seqtt);\n ASN1_template_free(pseqval, seqtt);\n } else {\n errtt = seqtt;\n OPENSSL_PUT_ERROR(ASN1, ASN1_R_FIELD_MISSING);\n goto err;\n }\n }\n // Save encoding\n if (!asn1_enc_save(pval, *in, p - *in, it, buf)) {\n goto auxerr;\n }\n if (asn1_cb && !asn1_cb(ASN1_OP_D2I_POST, pval, it, NULL)) {\n goto auxerr;\n }\n *in = p;\n return 1;\n }\n\n default:\n return 0;\n }\nauxerr:\n OPENSSL_PUT_ERROR(ASN1, ASN1_R_AUX_ERROR);\nerr:\n ASN1_item_ex_free(pval, it);\n if (errtt) {\n ERR_add_error_data(4, \"Field=\", errtt->field_name, \", Type=\", it->sname);\n } else {\n ERR_add_error_data(2, \"Type=\", it->sname);\n }\n return 0;\n}\n\nint ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len,\n const ASN1_ITEM *it, int tag, int aclass, char opt,\n CRYPTO_BUFFER *buf) {\n return asn1_item_ex_d2i(pval, in, len, it, tag, aclass, opt, buf,\n /*depth=*/0);\n}\n\n// Templates are handled with two separate functions. One handles any\n// EXPLICIT tag and the other handles the rest.\n\nstatic int asn1_template_ex_d2i(ASN1_VALUE **val, const unsigned char **in,\n long inlen, const ASN1_TEMPLATE *tt, char opt,\n CRYPTO_BUFFER *buf, int depth) {\n int aclass;\n int ret;\n long len;\n const unsigned char *p, *q;\n if (!val) {\n return 0;\n }\n uint32_t flags = tt->flags;\n aclass = flags & ASN1_TFLG_TAG_CLASS;\n\n p = *in;\n\n // Check if EXPLICIT tag expected\n if (flags & ASN1_TFLG_EXPTAG) {\n char cst;\n // Need to work out amount of data available to the inner content and\n // where it starts: so read in EXPLICIT header to get the info.\n ret = asn1_check_tlen(&len, NULL, NULL, &cst, &p, inlen, tt->tag, aclass,\n opt);\n q = p;\n if (!ret) {\n OPENSSL_PUT_ERROR(ASN1, ASN1_R_NESTED_ASN1_ERROR);\n return 0;\n } else if (ret == -1) {\n return -1;\n }\n if (!cst) {\n OPENSSL_PUT_ERROR(ASN1, ASN1_R_EXPLICIT_TAG_NOT_CONSTRUCTED);\n return 0;\n }\n // We've found the field so it can't be OPTIONAL now\n ret = asn1_template_noexp_d2i(val, &p, len, tt, /*opt=*/0, buf, depth);\n if (!ret) {\n OPENSSL_PUT_ERROR(ASN1, ASN1_R_NESTED_ASN1_ERROR);\n return 0;\n }\n // We read the field in OK so update length\n len -= p - q;\n // Check for trailing data.\n if (len) {\n OPENSSL_PUT_ERROR(ASN1, ASN1_R_EXPLICIT_LENGTH_MISMATCH);\n goto err;\n }\n } else {\n return asn1_template_noexp_d2i(val, in, inlen, tt, opt, buf, depth);\n }\n\n *in = p;\n return 1;\n\nerr:\n ASN1_template_free(val, tt);\n return 0;\n}\n\nstatic int asn1_template_noexp_d2i(ASN1_VALUE **val, const unsigned char **in,\n long len, const ASN1_TEMPLATE *tt, char opt,\n CRYPTO_BUFFER *buf, int depth) {\n int aclass;\n int ret;\n const unsigned char *p;\n if (!val) {\n return 0;\n }\n uint32_t flags = tt->flags;\n aclass = flags & ASN1_TFLG_TAG_CLASS;\n\n p = *in;\n\n if (flags & ASN1_TFLG_SK_MASK) {\n // SET OF, SEQUENCE OF\n int sktag, skaclass;\n // First work out expected inner tag value\n if (flags & ASN1_TFLG_IMPTAG) {\n sktag = tt->tag;\n skaclass = aclass;\n } else {\n skaclass = V_ASN1_UNIVERSAL;\n if (flags & ASN1_TFLG_SET_OF) {\n sktag = V_ASN1_SET;\n } else {\n sktag = V_ASN1_SEQUENCE;\n }\n }\n // Get the tag\n ret =\n asn1_check_tlen(&len, NULL, NULL, NULL, &p, len, sktag, skaclass, opt);\n if (!ret) {\n OPENSSL_PUT_ERROR(ASN1, ASN1_R_NESTED_ASN1_ERROR);\n return 0;\n } else if (ret == -1) {\n return -1;\n }\n if (!*val) {\n *val = (ASN1_VALUE *)sk_ASN1_VALUE_new_null();\n } else {\n // We've got a valid STACK: free up any items present\n STACK_OF(ASN1_VALUE) *sktmp = (STACK_OF(ASN1_VALUE) *)*val;\n ASN1_VALUE *vtmp;\n while (sk_ASN1_VALUE_num(sktmp) > 0) {\n vtmp = sk_ASN1_VALUE_pop(sktmp);\n ASN1_item_ex_free(&vtmp, ASN1_ITEM_ptr(tt->item));\n }\n }\n\n if (!*val) {\n goto err;\n }\n\n // Read as many items as we can\n while (len > 0) {\n ASN1_VALUE *skfield;\n const unsigned char *q = p;\n skfield = NULL;\n if (!asn1_item_ex_d2i(&skfield, &p, len, ASN1_ITEM_ptr(tt->item),\n /*tag=*/-1, /*aclass=*/0, /*opt=*/0, buf, depth)) {\n OPENSSL_PUT_ERROR(ASN1, ASN1_R_NESTED_ASN1_ERROR);\n goto err;\n }\n len -= p - q;\n if (!sk_ASN1_VALUE_push((STACK_OF(ASN1_VALUE) *)*val, skfield)) {\n ASN1_item_ex_free(&skfield, ASN1_ITEM_ptr(tt->item));\n goto err;\n }\n }\n } else if (flags & ASN1_TFLG_IMPTAG) {\n // IMPLICIT tagging\n ret = asn1_item_ex_d2i(val, &p, len, ASN1_ITEM_ptr(tt->item), tt->tag,\n aclass, opt, buf, depth);\n if (!ret) {\n OPENSSL_PUT_ERROR(ASN1, ASN1_R_NESTED_ASN1_ERROR);\n goto err;\n } else if (ret == -1) {\n return -1;\n }\n } else {\n // Nothing special\n ret = asn1_item_ex_d2i(val, &p, len, ASN1_ITEM_ptr(tt->item), /*tag=*/-1,\n /*aclass=*/0, opt, buf, depth);\n if (!ret) {\n OPENSSL_PUT_ERROR(ASN1, ASN1_R_NESTED_ASN1_ERROR);\n goto err;\n } else if (ret == -1) {\n return -1;\n }\n }\n\n *in = p;\n return 1;\n\nerr:\n ASN1_template_free(val, tt);\n return 0;\n}\n\nstatic int asn1_d2i_ex_primitive(ASN1_VALUE **pval, const unsigned char **in,\n long inlen, const ASN1_ITEM *it, int tag,\n int aclass, char opt) {\n int ret = 0, utype;\n long plen;\n char cst;\n const unsigned char *p;\n const unsigned char *cont = NULL;\n long len;\n if (!pval) {\n OPENSSL_PUT_ERROR(ASN1, ASN1_R_ILLEGAL_NULL);\n return 0; // Should never happen\n }\n\n if (it->itype == ASN1_ITYPE_MSTRING) {\n utype = tag;\n tag = -1;\n } else {\n utype = it->utype;\n }\n\n if (utype == V_ASN1_ANY) {\n // If type is ANY need to figure out type from tag\n unsigned char oclass;\n if (tag >= 0) {\n OPENSSL_PUT_ERROR(ASN1, ASN1_R_ILLEGAL_TAGGED_ANY);\n return 0;\n }\n if (opt) {\n OPENSSL_PUT_ERROR(ASN1, ASN1_R_ILLEGAL_OPTIONAL_ANY);\n return 0;\n }\n p = *in;\n ret = asn1_check_tlen(NULL, &utype, &oclass, NULL, &p, inlen, -1, 0, 0);\n if (!ret) {\n OPENSSL_PUT_ERROR(ASN1, ASN1_R_NESTED_ASN1_ERROR);\n return 0;\n }\n if (!is_supported_universal_type(utype, oclass)) {\n utype = V_ASN1_OTHER;\n }\n }\n if (tag == -1) {\n tag = utype;\n aclass = V_ASN1_UNIVERSAL;\n }\n p = *in;\n // Check header\n ret = asn1_check_tlen(&plen, NULL, NULL, &cst, &p, inlen, tag, aclass, opt);\n if (!ret) {\n OPENSSL_PUT_ERROR(ASN1, ASN1_R_NESTED_ASN1_ERROR);\n return 0;\n } else if (ret == -1) {\n return -1;\n }\n ret = 0;\n // SEQUENCE, SET and \"OTHER\" are left in encoded form\n if ((utype == V_ASN1_SEQUENCE) || (utype == V_ASN1_SET) ||\n (utype == V_ASN1_OTHER)) {\n // SEQUENCE and SET must be constructed\n if (utype != V_ASN1_OTHER && !cst) {\n OPENSSL_PUT_ERROR(ASN1, ASN1_R_TYPE_NOT_CONSTRUCTED);\n return 0;\n }\n\n cont = *in;\n len = p - cont + plen;\n p += plen;\n } else if (cst) {\n // This parser historically supported BER constructed strings. We no\n // longer do and will gradually tighten this parser into a DER\n // parser. BER types should use |CBS_asn1_ber_to_der|.\n OPENSSL_PUT_ERROR(ASN1, ASN1_R_TYPE_NOT_PRIMITIVE);\n return 0;\n } else {\n cont = p;\n len = plen;\n p += plen;\n }\n\n // We now have content length and type: translate into a structure\n if (!asn1_ex_c2i(pval, cont, len, utype, it)) {\n goto err;\n }\n\n *in = p;\n ret = 1;\nerr:\n return ret;\n}\n\n// Translate ASN1 content octets into a structure\n\nstatic int asn1_ex_c2i(ASN1_VALUE **pval, const unsigned char *cont, long len,\n int utype, const ASN1_ITEM *it) {\n ASN1_VALUE **opval = NULL;\n ASN1_STRING *stmp;\n ASN1_TYPE *typ = NULL;\n int ret = 0;\n ASN1_INTEGER **tint;\n\n // Historically, |it->funcs| for primitive types contained an\n // |ASN1_PRIMITIVE_FUNCS| table of callbacks.\n assert(it->funcs == NULL);\n\n // If ANY type clear type and set pointer to internal value\n if (it->utype == V_ASN1_ANY) {\n if (!*pval) {\n typ = ASN1_TYPE_new();\n if (typ == NULL) {\n goto err;\n }\n *pval = (ASN1_VALUE *)typ;\n } else {\n typ = (ASN1_TYPE *)*pval;\n }\n\n if (utype != typ->type) {\n ASN1_TYPE_set(typ, utype, NULL);\n }\n opval = pval;\n pval = &typ->value.asn1_value;\n }\n switch (utype) {\n case V_ASN1_OBJECT:\n if (!c2i_ASN1_OBJECT((ASN1_OBJECT **)pval, &cont, len)) {\n goto err;\n }\n break;\n\n case V_ASN1_NULL:\n if (len) {\n OPENSSL_PUT_ERROR(ASN1, ASN1_R_NULL_IS_WRONG_LENGTH);\n goto err;\n }\n *pval = (ASN1_VALUE *)1;\n break;\n\n case V_ASN1_BOOLEAN:\n if (len != 1) {\n OPENSSL_PUT_ERROR(ASN1, ASN1_R_BOOLEAN_IS_WRONG_LENGTH);\n goto err;\n } else {\n ASN1_BOOLEAN *tbool;\n tbool = (ASN1_BOOLEAN *)pval;\n *tbool = *cont;\n }\n break;\n\n case V_ASN1_BIT_STRING:\n if (!c2i_ASN1_BIT_STRING((ASN1_BIT_STRING **)pval, &cont, len)) {\n goto err;\n }\n break;\n\n case V_ASN1_INTEGER:\n case V_ASN1_ENUMERATED:\n tint = (ASN1_INTEGER **)pval;\n if (!c2i_ASN1_INTEGER(tint, &cont, len)) {\n goto err;\n }\n // Fixup type to match the expected form\n (*tint)->type = utype | ((*tint)->type & V_ASN1_NEG);\n break;\n\n case V_ASN1_OCTET_STRING:\n case V_ASN1_NUMERICSTRING:\n case V_ASN1_PRINTABLESTRING:\n case V_ASN1_T61STRING:\n case V_ASN1_VIDEOTEXSTRING:\n case V_ASN1_IA5STRING:\n case V_ASN1_UTCTIME:\n case V_ASN1_GENERALIZEDTIME:\n case V_ASN1_GRAPHICSTRING:\n case V_ASN1_VISIBLESTRING:\n case V_ASN1_GENERALSTRING:\n case V_ASN1_UNIVERSALSTRING:\n case V_ASN1_BMPSTRING:\n case V_ASN1_UTF8STRING:\n case V_ASN1_OTHER:\n case V_ASN1_SET:\n case V_ASN1_SEQUENCE:\n // TODO(crbug.com/boringssl/412): This default case should be removed, now\n // that we've resolved https://crbug.com/boringssl/561. However, it is still\n // needed to support some edge cases in |ASN1_PRINTABLE|. |ASN1_PRINTABLE|\n // broadly doesn't tolerate unrecognized universal tags, but except for\n // eight values that map to |B_ASN1_UNKNOWN| instead of zero. See the\n // X509Test.NameAttributeValues test.\n default: {\n CBS cbs;\n CBS_init(&cbs, cont, (size_t)len);\n if (utype == V_ASN1_BMPSTRING) {\n while (CBS_len(&cbs) != 0) {\n uint32_t c;\n if (!CBS_get_ucs2_be(&cbs, &c)) {\n OPENSSL_PUT_ERROR(ASN1, ASN1_R_INVALID_BMPSTRING);\n goto err;\n }\n }\n }\n if (utype == V_ASN1_UNIVERSALSTRING) {\n while (CBS_len(&cbs) != 0) {\n uint32_t c;\n if (!CBS_get_utf32_be(&cbs, &c)) {\n OPENSSL_PUT_ERROR(ASN1, ASN1_R_INVALID_UNIVERSALSTRING);\n goto err;\n }\n }\n }\n if (utype == V_ASN1_UTF8STRING) {\n while (CBS_len(&cbs) != 0) {\n uint32_t c;\n if (!CBS_get_utf8(&cbs, &c)) {\n OPENSSL_PUT_ERROR(ASN1, ASN1_R_INVALID_UTF8STRING);\n goto err;\n }\n }\n }\n if (utype == V_ASN1_UTCTIME) {\n if (!CBS_parse_utc_time(&cbs, NULL, /*allow_timezone_offset=*/1)) {\n OPENSSL_PUT_ERROR(ASN1, ASN1_R_INVALID_TIME_FORMAT);\n goto err;\n }\n }\n if (utype == V_ASN1_GENERALIZEDTIME) {\n if (!CBS_parse_generalized_time(&cbs, NULL,\n /*allow_timezone_offset=*/0)) {\n OPENSSL_PUT_ERROR(ASN1, ASN1_R_INVALID_TIME_FORMAT);\n goto err;\n }\n }\n // TODO(https://crbug.com/boringssl/427): Check other string types.\n\n // All based on ASN1_STRING and handled the same\n if (!*pval) {\n stmp = ASN1_STRING_type_new(utype);\n if (!stmp) {\n goto err;\n }\n *pval = (ASN1_VALUE *)stmp;\n } else {\n stmp = (ASN1_STRING *)*pval;\n stmp->type = utype;\n }\n if (!ASN1_STRING_set(stmp, cont, len)) {\n ASN1_STRING_free(stmp);\n *pval = NULL;\n goto err;\n }\n break;\n }\n }\n // If ASN1_ANY and NULL type fix up value\n if (typ && (utype == V_ASN1_NULL)) {\n typ->value.ptr = NULL;\n }\n\n ret = 1;\nerr:\n if (!ret) {\n ASN1_TYPE_free(typ);\n if (opval) {\n *opval = NULL;\n }\n }\n return ret;\n}\n\n// Check an ASN1 tag and length: a bit like ASN1_get_object but it\n// checks the expected tag.\n\nstatic int asn1_check_tlen(long *olen, int *otag, unsigned char *oclass,\n char *cst, const unsigned char **in, long len,\n int exptag, int expclass, char opt) {\n int i;\n int ptag, pclass;\n long plen;\n const unsigned char *p;\n p = *in;\n\n i = ASN1_get_object(&p, &plen, &ptag, &pclass, len);\n if (i & 0x80) {\n OPENSSL_PUT_ERROR(ASN1, ASN1_R_BAD_OBJECT_HEADER);\n return 0;\n }\n if (exptag >= 0) {\n if ((exptag != ptag) || (expclass != pclass)) {\n // If type is OPTIONAL, not an error: indicate missing type.\n if (opt) {\n return -1;\n }\n OPENSSL_PUT_ERROR(ASN1, ASN1_R_WRONG_TAG);\n return 0;\n }\n }\n\n if (cst) {\n *cst = i & V_ASN1_CONSTRUCTED;\n }\n\n if (olen) {\n *olen = plen;\n }\n\n if (oclass) {\n *oclass = pclass;\n }\n\n if (otag) {\n *otag = ptag;\n }\n\n *in = p;\n return 1;\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/asn1/tasn_enc.cc", "content": "/*\n * Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n#include \n#include \n\n#include \n#include \n\n#include \"../internal.h\"\n#include \"internal.h\"\n\n\nstatic int asn1_item_ex_i2d_opt(ASN1_VALUE **pval, unsigned char **out,\n const ASN1_ITEM *it, int tag, int aclass,\n int optional);\nstatic int asn1_i2d_ex_primitive(ASN1_VALUE **pval, unsigned char **out,\n const ASN1_ITEM *it, int tag, int aclass,\n int optional);\nstatic int asn1_ex_i2c(ASN1_VALUE **pval, unsigned char *cont, int *out_omit,\n int *putype, const ASN1_ITEM *it);\nstatic int asn1_set_seq_out(STACK_OF(ASN1_VALUE) *sk, unsigned char **out,\n int skcontlen, const ASN1_ITEM *item, int do_sort);\nstatic int asn1_template_ex_i2d(ASN1_VALUE **pval, unsigned char **out,\n const ASN1_TEMPLATE *tt, int tag, int aclass,\n int optional);\n\n// Top level i2d equivalents\n\nint ASN1_item_i2d(ASN1_VALUE *val, unsigned char **out, const ASN1_ITEM *it) {\n if (out && !*out) {\n unsigned char *p, *buf;\n int len = ASN1_item_ex_i2d(&val, NULL, it, /*tag=*/-1, /*aclass=*/0);\n if (len <= 0) {\n return len;\n }\n buf = reinterpret_cast(OPENSSL_malloc(len));\n if (!buf) {\n return -1;\n }\n p = buf;\n int len2 = ASN1_item_ex_i2d(&val, &p, it, /*tag=*/-1, /*aclass=*/0);\n if (len2 <= 0) {\n OPENSSL_free(buf);\n return len2;\n }\n assert(len == len2);\n *out = buf;\n return len;\n }\n\n return ASN1_item_ex_i2d(&val, out, it, /*tag=*/-1, /*aclass=*/0);\n}\n\n// Encode an item, taking care of IMPLICIT tagging (if any). This function\n// performs the normal item handling: it can be used in external types.\n\nint ASN1_item_ex_i2d(ASN1_VALUE **pval, unsigned char **out,\n const ASN1_ITEM *it, int tag, int aclass) {\n int ret = asn1_item_ex_i2d_opt(pval, out, it, tag, aclass, /*optional=*/0);\n assert(ret != 0);\n return ret;\n}\n\n// asn1_item_ex_i2d_opt behaves like |ASN1_item_ex_i2d| but, if |optional| is\n// non-zero and |*pval| is omitted, it returns zero and writes no bytes.\nint asn1_item_ex_i2d_opt(ASN1_VALUE **pval, unsigned char **out,\n const ASN1_ITEM *it, int tag, int aclass,\n int optional) {\n const ASN1_TEMPLATE *tt = NULL;\n int i, seqcontlen, seqlen;\n\n // Historically, |aclass| was repurposed to pass additional flags into the\n // encoding process.\n assert((aclass & ASN1_TFLG_TAG_CLASS) == aclass);\n // If not overridding the tag, |aclass| is ignored and should be zero.\n assert(tag != -1 || aclass == 0);\n\n // All fields are pointers, except for boolean |ASN1_ITYPE_PRIMITIVE|s.\n // Optional primitives are handled later.\n if ((it->itype != ASN1_ITYPE_PRIMITIVE) && !*pval) {\n if (optional) {\n return 0;\n }\n OPENSSL_PUT_ERROR(ASN1, ASN1_R_MISSING_VALUE);\n return -1;\n }\n\n switch (it->itype) {\n case ASN1_ITYPE_PRIMITIVE:\n if (it->templates) {\n // This is an |ASN1_ITEM_TEMPLATE|.\n if (it->templates->flags & ASN1_TFLG_OPTIONAL) {\n OPENSSL_PUT_ERROR(ASN1, ASN1_R_BAD_TEMPLATE);\n return -1;\n }\n return asn1_template_ex_i2d(pval, out, it->templates, tag, aclass,\n optional);\n }\n return asn1_i2d_ex_primitive(pval, out, it, tag, aclass, optional);\n\n case ASN1_ITYPE_MSTRING:\n // It never makes sense for multi-strings to have implicit tagging, so\n // if tag != -1, then this looks like an error in the template.\n if (tag != -1) {\n OPENSSL_PUT_ERROR(ASN1, ASN1_R_BAD_TEMPLATE);\n return -1;\n }\n return asn1_i2d_ex_primitive(pval, out, it, -1, 0, optional);\n\n case ASN1_ITYPE_CHOICE: {\n // It never makes sense for CHOICE types to have implicit tagging, so if\n // tag != -1, then this looks like an error in the template.\n if (tag != -1) {\n OPENSSL_PUT_ERROR(ASN1, ASN1_R_BAD_TEMPLATE);\n return -1;\n }\n i = asn1_get_choice_selector(pval, it);\n if (i < 0 || i >= it->tcount) {\n OPENSSL_PUT_ERROR(ASN1, ASN1_R_NO_MATCHING_CHOICE_TYPE);\n return -1;\n }\n const ASN1_TEMPLATE *chtt = it->templates + i;\n if (chtt->flags & ASN1_TFLG_OPTIONAL) {\n OPENSSL_PUT_ERROR(ASN1, ASN1_R_BAD_TEMPLATE);\n return -1;\n }\n ASN1_VALUE **pchval = asn1_get_field_ptr(pval, chtt);\n return asn1_template_ex_i2d(pchval, out, chtt, -1, 0, /*optional=*/0);\n }\n\n case ASN1_ITYPE_EXTERN: {\n // We don't support implicit tagging with external types.\n if (tag != -1) {\n OPENSSL_PUT_ERROR(ASN1, ASN1_R_BAD_TEMPLATE);\n return -1;\n }\n const ASN1_EXTERN_FUNCS *ef =\n reinterpret_cast(it->funcs);\n int ret = ef->asn1_ex_i2d(pval, out, it);\n if (ret == 0) {\n // |asn1_ex_i2d| should never return zero. We have already checked\n // for optional values generically, and |ASN1_ITYPE_EXTERN| fields\n // must be pointers.\n OPENSSL_PUT_ERROR(ASN1, ERR_R_INTERNAL_ERROR);\n return -1;\n }\n return ret;\n }\n\n case ASN1_ITYPE_SEQUENCE: {\n i = asn1_enc_restore(&seqcontlen, out, pval, it);\n // An error occurred\n if (i < 0) {\n return -1;\n }\n // We have a valid cached encoding...\n if (i > 0) {\n return seqcontlen;\n }\n // Otherwise carry on\n seqcontlen = 0;\n // If no IMPLICIT tagging set to SEQUENCE, UNIVERSAL\n if (tag == -1) {\n tag = V_ASN1_SEQUENCE;\n aclass = V_ASN1_UNIVERSAL;\n }\n // First work out sequence content length\n for (i = 0, tt = it->templates; i < it->tcount; tt++, i++) {\n const ASN1_TEMPLATE *seqtt;\n ASN1_VALUE **pseqval;\n int tmplen;\n seqtt = asn1_do_adb(pval, tt, 1);\n if (!seqtt) {\n return -1;\n }\n pseqval = asn1_get_field_ptr(pval, seqtt);\n tmplen =\n asn1_template_ex_i2d(pseqval, NULL, seqtt, -1, 0, /*optional=*/0);\n if (tmplen == -1 || (tmplen > INT_MAX - seqcontlen)) {\n return -1;\n }\n seqcontlen += tmplen;\n }\n\n seqlen = ASN1_object_size(/*constructed=*/1, seqcontlen, tag);\n if (!out || seqlen == -1) {\n return seqlen;\n }\n // Output SEQUENCE header\n ASN1_put_object(out, /*constructed=*/1, seqcontlen, tag, aclass);\n for (i = 0, tt = it->templates; i < it->tcount; tt++, i++) {\n const ASN1_TEMPLATE *seqtt;\n ASN1_VALUE **pseqval;\n seqtt = asn1_do_adb(pval, tt, 1);\n if (!seqtt) {\n return -1;\n }\n pseqval = asn1_get_field_ptr(pval, seqtt);\n if (asn1_template_ex_i2d(pseqval, out, seqtt, -1, 0, /*optional=*/0) <\n 0) {\n return -1;\n }\n }\n return seqlen;\n }\n\n default:\n OPENSSL_PUT_ERROR(ASN1, ASN1_R_BAD_TEMPLATE);\n return -1;\n }\n}\n\n// asn1_template_ex_i2d behaves like |asn1_item_ex_i2d_opt| but uses an\n// |ASN1_TEMPLATE| instead of an |ASN1_ITEM|. An |ASN1_TEMPLATE| wraps an\n// |ASN1_ITEM| with modifiers such as tagging, SEQUENCE or SET, etc.\nstatic int asn1_template_ex_i2d(ASN1_VALUE **pval, unsigned char **out,\n const ASN1_TEMPLATE *tt, int tag, int iclass,\n int optional) {\n int i, ret, ttag, tclass;\n size_t j;\n uint32_t flags = tt->flags;\n\n // Historically, |iclass| was repurposed to pass additional flags into the\n // encoding process.\n assert((iclass & ASN1_TFLG_TAG_CLASS) == iclass);\n // If not overridding the tag, |iclass| is ignored and should be zero.\n assert(tag != -1 || iclass == 0);\n\n // Work out tag and class to use: tagging may come either from the\n // template or the arguments, not both because this would create\n // ambiguity.\n if (flags & ASN1_TFLG_TAG_MASK) {\n // Error if argument and template tagging\n if (tag != -1) {\n OPENSSL_PUT_ERROR(ASN1, ASN1_R_BAD_TEMPLATE);\n return -1;\n }\n // Get tagging from template\n ttag = tt->tag;\n tclass = flags & ASN1_TFLG_TAG_CLASS;\n } else if (tag != -1) {\n // No template tagging, get from arguments\n ttag = tag;\n tclass = iclass & ASN1_TFLG_TAG_CLASS;\n } else {\n ttag = -1;\n tclass = 0;\n }\n\n // The template may itself by marked as optional, or this may be the template\n // of an |ASN1_ITEM_TEMPLATE| type which was contained inside an outer\n // optional template. (They cannot both be true because the\n // |ASN1_ITEM_TEMPLATE| codepath rejects optional templates.)\n assert(!optional || (flags & ASN1_TFLG_OPTIONAL) == 0);\n optional = optional || (flags & ASN1_TFLG_OPTIONAL) != 0;\n\n // At this point 'ttag' contains the outer tag to use, and 'tclass' is the\n // class.\n\n if (flags & ASN1_TFLG_SK_MASK) {\n // SET OF, SEQUENCE OF\n STACK_OF(ASN1_VALUE) *sk = (STACK_OF(ASN1_VALUE) *)*pval;\n int isset, sktag, skaclass;\n int skcontlen, sklen;\n ASN1_VALUE *skitem;\n\n if (!*pval) {\n if (optional) {\n return 0;\n }\n OPENSSL_PUT_ERROR(ASN1, ASN1_R_MISSING_VALUE);\n return -1;\n }\n\n if (flags & ASN1_TFLG_SET_OF) {\n isset = 1;\n // Historically, types with both bits set were mutated when\n // serialized to apply the sort. We no longer support this.\n assert((flags & ASN1_TFLG_SEQUENCE_OF) == 0);\n } else {\n isset = 0;\n }\n\n // Work out inner tag value: if EXPLICIT or no tagging use underlying\n // type.\n if ((ttag != -1) && !(flags & ASN1_TFLG_EXPTAG)) {\n sktag = ttag;\n skaclass = tclass;\n } else {\n skaclass = V_ASN1_UNIVERSAL;\n if (isset) {\n sktag = V_ASN1_SET;\n } else {\n sktag = V_ASN1_SEQUENCE;\n }\n }\n\n // Determine total length of items\n skcontlen = 0;\n for (j = 0; j < sk_ASN1_VALUE_num(sk); j++) {\n int tmplen;\n skitem = sk_ASN1_VALUE_value(sk, j);\n tmplen = ASN1_item_ex_i2d(&skitem, NULL, ASN1_ITEM_ptr(tt->item), -1, 0);\n if (tmplen == -1 || (skcontlen > INT_MAX - tmplen)) {\n return -1;\n }\n skcontlen += tmplen;\n }\n sklen = ASN1_object_size(/*constructed=*/1, skcontlen, sktag);\n if (sklen == -1) {\n return -1;\n }\n // If EXPLICIT need length of surrounding tag\n if (flags & ASN1_TFLG_EXPTAG) {\n ret = ASN1_object_size(/*constructed=*/1, sklen, ttag);\n } else {\n ret = sklen;\n }\n\n if (!out || ret == -1) {\n return ret;\n }\n\n // Now encode this lot...\n // EXPLICIT tag\n if (flags & ASN1_TFLG_EXPTAG) {\n ASN1_put_object(out, /*constructed=*/1, sklen, ttag, tclass);\n }\n // SET or SEQUENCE and IMPLICIT tag\n ASN1_put_object(out, /*constructed=*/1, skcontlen, sktag, skaclass);\n // And the stuff itself\n if (!asn1_set_seq_out(sk, out, skcontlen, ASN1_ITEM_ptr(tt->item), isset)) {\n return -1;\n }\n return ret;\n }\n\n if (flags & ASN1_TFLG_EXPTAG) {\n // EXPLICIT tagging\n // Find length of tagged item\n i = asn1_item_ex_i2d_opt(pval, NULL, ASN1_ITEM_ptr(tt->item), -1, 0,\n optional);\n if (i <= 0) {\n return i;\n }\n // Find length of EXPLICIT tag\n ret = ASN1_object_size(/*constructed=*/1, i, ttag);\n if (out && ret != -1) {\n // Output tag and item\n ASN1_put_object(out, /*constructed=*/1, i, ttag, tclass);\n if (ASN1_item_ex_i2d(pval, out, ASN1_ITEM_ptr(tt->item), -1, 0) < 0) {\n return -1;\n }\n }\n return ret;\n }\n\n // Either normal or IMPLICIT tagging\n return asn1_item_ex_i2d_opt(pval, out, ASN1_ITEM_ptr(tt->item), ttag, tclass,\n optional);\n}\n\n// Temporary structure used to hold DER encoding of items for SET OF\n\ntypedef struct {\n unsigned char *data;\n int length;\n} DER_ENC;\n\nstatic int der_cmp(const void *a, const void *b) {\n const DER_ENC *d1 = reinterpret_cast(a),\n *d2 = reinterpret_cast(b);\n int cmplen, i;\n cmplen = (d1->length < d2->length) ? d1->length : d2->length;\n i = OPENSSL_memcmp(d1->data, d2->data, cmplen);\n if (i) {\n return i;\n }\n return d1->length - d2->length;\n}\n\n// asn1_set_seq_out writes |sk| to |out| under the i2d output convention,\n// excluding the tag and length. It returns one on success and zero on error.\n// |skcontlen| must be the total encoded size. If |do_sort| is non-zero, the\n// elements are sorted for a SET OF type. Each element of |sk| has type\n// |item|.\nstatic int asn1_set_seq_out(STACK_OF(ASN1_VALUE) *sk, unsigned char **out,\n int skcontlen, const ASN1_ITEM *item, int do_sort) {\n // No need to sort if there are fewer than two items.\n if (!do_sort || sk_ASN1_VALUE_num(sk) < 2) {\n for (size_t i = 0; i < sk_ASN1_VALUE_num(sk); i++) {\n ASN1_VALUE *skitem = sk_ASN1_VALUE_value(sk, i);\n if (ASN1_item_ex_i2d(&skitem, out, item, -1, 0) < 0) {\n return 0;\n }\n }\n return 1;\n }\n\n int ret = 0;\n uint8_t *const buf = reinterpret_cast(OPENSSL_malloc(skcontlen));\n DER_ENC *encoded = reinterpret_cast(\n OPENSSL_calloc(sk_ASN1_VALUE_num(sk), sizeof(*encoded)));\n uint8_t *p = buf;\n if (encoded == NULL || buf == NULL) {\n goto err;\n }\n\n // Encode all the elements into |buf| and populate |encoded|.\n for (size_t i = 0; i < sk_ASN1_VALUE_num(sk); i++) {\n ASN1_VALUE *skitem = sk_ASN1_VALUE_value(sk, i);\n encoded[i].data = p;\n encoded[i].length = ASN1_item_ex_i2d(&skitem, &p, item, -1, 0);\n if (encoded[i].length < 0) {\n goto err;\n }\n assert(p - buf <= skcontlen);\n }\n\n qsort(encoded, sk_ASN1_VALUE_num(sk), sizeof(*encoded), der_cmp);\n\n // Output the elements in sorted order.\n p = *out;\n for (size_t i = 0; i < sk_ASN1_VALUE_num(sk); i++) {\n OPENSSL_memcpy(p, encoded[i].data, encoded[i].length);\n p += encoded[i].length;\n }\n *out = p;\n\n ret = 1;\n\nerr:\n OPENSSL_free(encoded);\n OPENSSL_free(buf);\n return ret;\n}\n\n// asn1_i2d_ex_primitive behaves like |ASN1_item_ex_i2d| but |item| must be a\n// a PRIMITIVE or MSTRING type that is not an |ASN1_ITEM_TEMPLATE|.\nstatic int asn1_i2d_ex_primitive(ASN1_VALUE **pval, unsigned char **out,\n const ASN1_ITEM *it, int tag, int aclass,\n int optional) {\n // Get length of content octets and maybe find out the underlying type.\n int omit;\n int utype = it->utype;\n int len = asn1_ex_i2c(pval, NULL, &omit, &utype, it);\n if (len < 0) {\n return -1;\n }\n if (omit) {\n if (optional) {\n return 0;\n }\n OPENSSL_PUT_ERROR(ASN1, ASN1_R_MISSING_VALUE);\n return -1;\n }\n\n // If SEQUENCE, SET or OTHER then header is included in pseudo content\n // octets so don't include tag+length. We need to check here because the\n // call to asn1_ex_i2c() could change utype.\n int usetag =\n utype != V_ASN1_SEQUENCE && utype != V_ASN1_SET && utype != V_ASN1_OTHER;\n\n // If not implicitly tagged get tag from underlying type\n if (tag == -1) {\n tag = utype;\n }\n\n // Output tag+length followed by content octets\n if (out) {\n if (usetag) {\n ASN1_put_object(out, /*constructed=*/0, len, tag, aclass);\n }\n int len2 = asn1_ex_i2c(pval, *out, &omit, &utype, it);\n if (len2 < 0) {\n return -1;\n }\n assert(len == len2);\n assert(!omit);\n *out += len;\n }\n\n if (usetag) {\n return ASN1_object_size(/*constructed=*/0, len, tag);\n }\n return len;\n}\n\n// asn1_ex_i2c writes the |*pval| to |cout| under the i2d output convention,\n// excluding the tag and length. It returns the number of bytes written,\n// possibly zero, on success or -1 on error. If |*pval| should be omitted, it\n// returns zero and sets |*out_omit| to true.\n//\n// If |it| is an MSTRING or ANY type, it gets the underlying type from |*pval|,\n// which must be an |ASN1_STRING| or |ASN1_TYPE|, respectively. It then updates\n// |*putype| with the tag number of type used, or |V_ASN1_OTHER| if it was not a\n// universal type. If |*putype| is set to |V_ASN1_SEQUENCE|, |V_ASN1_SET|, or\n// |V_ASN1_OTHER|, it additionally outputs the tag and length, so the caller\n// must not do so.\n//\n// Otherwise, |*putype| must contain |it->utype|.\n//\n// WARNING: Unlike most functions in this file, |asn1_ex_i2c| can return zero\n// without omitting the element. ASN.1 values may have empty contents.\nstatic int asn1_ex_i2c(ASN1_VALUE **pval, unsigned char *cout, int *out_omit,\n int *putype, const ASN1_ITEM *it) {\n ASN1_BOOLEAN *tbool = NULL;\n ASN1_STRING *strtmp;\n ASN1_OBJECT *otmp;\n int utype;\n const unsigned char *cont;\n unsigned char c;\n int len;\n\n // Historically, |it->funcs| for primitive types contained an\n // |ASN1_PRIMITIVE_FUNCS| table of callbacks.\n assert(it->funcs == NULL);\n\n *out_omit = 0;\n\n // Should type be omitted?\n if ((it->itype != ASN1_ITYPE_PRIMITIVE) || (it->utype != V_ASN1_BOOLEAN)) {\n if (!*pval) {\n *out_omit = 1;\n return 0;\n }\n }\n\n if (it->itype == ASN1_ITYPE_MSTRING) {\n // If MSTRING type set the underlying type\n strtmp = (ASN1_STRING *)*pval;\n utype = strtmp->type;\n if (utype < 0 && utype != V_ASN1_OTHER) {\n // MSTRINGs can have type -1 when default-constructed.\n OPENSSL_PUT_ERROR(ASN1, ASN1_R_WRONG_TYPE);\n return -1;\n }\n // Negative INTEGER and ENUMERATED values use |ASN1_STRING| type values\n // that do not match their corresponding utype values. INTEGERs cannot\n // participate in MSTRING types, but ENUMERATEDs can.\n //\n // TODO(davidben): Is this a bug? Although arguably one of the MSTRING\n // types should contain more values, rather than less. See\n // https://crbug.com/boringssl/412. But it is not possible to fit all\n // possible ANY values into an |ASN1_STRING|, so matching the spec here\n // is somewhat hopeless.\n if (utype == V_ASN1_NEG_INTEGER) {\n utype = V_ASN1_INTEGER;\n } else if (utype == V_ASN1_NEG_ENUMERATED) {\n utype = V_ASN1_ENUMERATED;\n }\n *putype = utype;\n } else if (it->utype == V_ASN1_ANY) {\n // If ANY set type and pointer to value\n ASN1_TYPE *typ;\n typ = (ASN1_TYPE *)*pval;\n utype = typ->type;\n if (utype < 0 && utype != V_ASN1_OTHER) {\n // |ASN1_TYPE|s can have type -1 when default-constructed.\n OPENSSL_PUT_ERROR(ASN1, ASN1_R_WRONG_TYPE);\n return -1;\n }\n *putype = utype;\n pval = &typ->value.asn1_value;\n } else {\n utype = *putype;\n }\n\n switch (utype) {\n case V_ASN1_OBJECT:\n otmp = (ASN1_OBJECT *)*pval;\n cont = otmp->data;\n len = otmp->length;\n if (len == 0) {\n // Some |ASN1_OBJECT|s do not have OIDs and cannot be serialized.\n OPENSSL_PUT_ERROR(ASN1, ASN1_R_ILLEGAL_OBJECT);\n return -1;\n }\n break;\n\n case V_ASN1_NULL:\n cont = NULL;\n len = 0;\n break;\n\n case V_ASN1_BOOLEAN:\n tbool = (ASN1_BOOLEAN *)pval;\n if (*tbool == ASN1_BOOLEAN_NONE) {\n *out_omit = 1;\n return 0;\n }\n if (it->utype != V_ASN1_ANY) {\n // Default handling if value == size field then omit\n if ((*tbool && (it->size > 0)) || (!*tbool && !it->size)) {\n *out_omit = 1;\n return 0;\n }\n }\n c = *tbool ? 0xff : 0x00;\n cont = &c;\n len = 1;\n break;\n\n case V_ASN1_BIT_STRING: {\n int ret =\n i2c_ASN1_BIT_STRING((ASN1_BIT_STRING *)*pval, cout ? &cout : NULL);\n // |i2c_ASN1_BIT_STRING| returns zero on error instead of -1.\n return ret <= 0 ? -1 : ret;\n }\n\n case V_ASN1_INTEGER:\n case V_ASN1_ENUMERATED: {\n // |i2c_ASN1_INTEGER| also handles ENUMERATED.\n int ret = i2c_ASN1_INTEGER((ASN1_INTEGER *)*pval, cout ? &cout : NULL);\n // |i2c_ASN1_INTEGER| returns zero on error instead of -1.\n return ret <= 0 ? -1 : ret;\n }\n\n case V_ASN1_OCTET_STRING:\n case V_ASN1_NUMERICSTRING:\n case V_ASN1_PRINTABLESTRING:\n case V_ASN1_T61STRING:\n case V_ASN1_VIDEOTEXSTRING:\n case V_ASN1_IA5STRING:\n case V_ASN1_UTCTIME:\n case V_ASN1_GENERALIZEDTIME:\n case V_ASN1_GRAPHICSTRING:\n case V_ASN1_VISIBLESTRING:\n case V_ASN1_GENERALSTRING:\n case V_ASN1_UNIVERSALSTRING:\n case V_ASN1_BMPSTRING:\n case V_ASN1_UTF8STRING:\n case V_ASN1_SEQUENCE:\n case V_ASN1_SET:\n // This is not a valid |ASN1_ITEM| type, but it appears in |ASN1_TYPE|.\n case V_ASN1_OTHER:\n // TODO(crbug.com/boringssl/412): This default case should be removed, now\n // that we've resolved https://crbug.com/boringssl/561. However, it is still\n // needed to support some edge cases in |ASN1_PRINTABLE|. |ASN1_PRINTABLE|\n // broadly doesn't tolerate unrecognized universal tags, but except for\n // eight values that map to |B_ASN1_UNKNOWN| instead of zero. See the\n // X509Test.NameAttributeValues test.\n default:\n // All based on ASN1_STRING and handled the same\n strtmp = (ASN1_STRING *)*pval;\n cont = strtmp->data;\n len = strtmp->length;\n break;\n }\n if (cout && len) {\n OPENSSL_memcpy(cout, cont, len);\n }\n return len;\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/asn1/tasn_fre.cc", "content": "/*\n * Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n\n#include \n#include \n\n#include \"internal.h\"\n\n// Free up an ASN1 structure\n\nvoid ASN1_item_free(ASN1_VALUE *val, const ASN1_ITEM *it) {\n ASN1_item_ex_free(&val, it);\n}\n\nvoid ASN1_item_ex_free(ASN1_VALUE **pval, const ASN1_ITEM *it) {\n if (!pval) {\n return;\n }\n if ((it->itype != ASN1_ITYPE_PRIMITIVE) && !*pval) {\n return;\n }\n\n switch (it->itype) {\n case ASN1_ITYPE_PRIMITIVE:\n if (it->templates) {\n ASN1_template_free(pval, it->templates);\n } else {\n ASN1_primitive_free(pval, it);\n }\n break;\n\n case ASN1_ITYPE_MSTRING:\n ASN1_primitive_free(pval, it);\n break;\n\n case ASN1_ITYPE_CHOICE: {\n const ASN1_AUX *aux = reinterpret_cast(it->funcs);\n ASN1_aux_cb *asn1_cb = aux != NULL ? aux->asn1_cb : NULL;\n if (asn1_cb) {\n if (asn1_cb(ASN1_OP_FREE_PRE, pval, it, NULL) == 2) {\n return;\n }\n }\n int i = asn1_get_choice_selector(pval, it);\n if ((i >= 0) && (i < it->tcount)) {\n const ASN1_TEMPLATE *tt = it->templates + i;\n ASN1_VALUE **pchval = asn1_get_field_ptr(pval, tt);\n ASN1_template_free(pchval, tt);\n }\n if (asn1_cb) {\n asn1_cb(ASN1_OP_FREE_POST, pval, it, NULL);\n }\n OPENSSL_free(*pval);\n *pval = NULL;\n break;\n }\n\n case ASN1_ITYPE_EXTERN: {\n const ASN1_EXTERN_FUNCS *ef =\n reinterpret_cast(it->funcs);\n if (ef && ef->asn1_ex_free) {\n ef->asn1_ex_free(pval, it);\n }\n break;\n }\n\n case ASN1_ITYPE_SEQUENCE: {\n if (!asn1_refcount_dec_and_test_zero(pval, it)) {\n return;\n }\n const ASN1_AUX *aux = reinterpret_cast(it->funcs);\n ASN1_aux_cb *asn1_cb = aux != NULL ? aux->asn1_cb : NULL;\n if (asn1_cb) {\n if (asn1_cb(ASN1_OP_FREE_PRE, pval, it, NULL) == 2) {\n return;\n }\n }\n asn1_enc_free(pval, it);\n // If we free up as normal we will invalidate any ANY DEFINED BY\n // field and we wont be able to determine the type of the field it\n // defines. So free up in reverse order.\n for (int i = it->tcount - 1; i >= 0; i--) {\n const ASN1_TEMPLATE *seqtt = asn1_do_adb(pval, &it->templates[i], 0);\n if (!seqtt) {\n continue;\n }\n ASN1_VALUE **pseqval = asn1_get_field_ptr(pval, seqtt);\n ASN1_template_free(pseqval, seqtt);\n }\n if (asn1_cb) {\n asn1_cb(ASN1_OP_FREE_POST, pval, it, NULL);\n }\n OPENSSL_free(*pval);\n *pval = NULL;\n break;\n }\n }\n}\n\nvoid ASN1_template_free(ASN1_VALUE **pval, const ASN1_TEMPLATE *tt) {\n if (tt->flags & ASN1_TFLG_SK_MASK) {\n STACK_OF(ASN1_VALUE) *sk = (STACK_OF(ASN1_VALUE) *)*pval;\n for (size_t i = 0; i < sk_ASN1_VALUE_num(sk); i++) {\n ASN1_VALUE *vtmp = sk_ASN1_VALUE_value(sk, i);\n ASN1_item_ex_free(&vtmp, ASN1_ITEM_ptr(tt->item));\n }\n sk_ASN1_VALUE_free(sk);\n *pval = NULL;\n } else {\n ASN1_item_ex_free(pval, ASN1_ITEM_ptr(tt->item));\n }\n}\n\nvoid ASN1_primitive_free(ASN1_VALUE **pval, const ASN1_ITEM *it) {\n // Historically, |it->funcs| for primitive types contained an\n // |ASN1_PRIMITIVE_FUNCS| table of calbacks.\n assert(it->funcs == NULL);\n\n int utype = it->itype == ASN1_ITYPE_MSTRING ? -1 : it->utype;\n switch (utype) {\n case V_ASN1_OBJECT:\n ASN1_OBJECT_free((ASN1_OBJECT *)*pval);\n break;\n\n case V_ASN1_BOOLEAN:\n if (it) {\n *(ASN1_BOOLEAN *)pval = (ASN1_BOOLEAN)it->size;\n } else {\n *(ASN1_BOOLEAN *)pval = ASN1_BOOLEAN_NONE;\n }\n return;\n\n case V_ASN1_NULL:\n break;\n\n case V_ASN1_ANY:\n if (*pval != NULL) {\n asn1_type_cleanup((ASN1_TYPE *)*pval);\n OPENSSL_free(*pval);\n }\n break;\n\n default:\n ASN1_STRING_free((ASN1_STRING *)*pval);\n *pval = NULL;\n break;\n }\n *pval = NULL;\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/asn1/tasn_new.cc", "content": "/*\n * Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n\n#include \n#include \n#include \n#include \n\n#include \"../internal.h\"\n#include \"internal.h\"\n\n\nstatic void asn1_item_clear(ASN1_VALUE **pval, const ASN1_ITEM *it);\nstatic int ASN1_template_new(ASN1_VALUE **pval, const ASN1_TEMPLATE *tt);\nstatic void asn1_template_clear(ASN1_VALUE **pval, const ASN1_TEMPLATE *tt);\nstatic int ASN1_primitive_new(ASN1_VALUE **pval, const ASN1_ITEM *it);\nstatic void asn1_primitive_clear(ASN1_VALUE **pval, const ASN1_ITEM *it);\n\nASN1_VALUE *ASN1_item_new(const ASN1_ITEM *it) {\n ASN1_VALUE *ret = NULL;\n if (ASN1_item_ex_new(&ret, it) > 0) {\n return ret;\n }\n return NULL;\n}\n\n// Allocate an ASN1 structure\n\nint ASN1_item_ex_new(ASN1_VALUE **pval, const ASN1_ITEM *it) {\n const ASN1_TEMPLATE *tt = NULL;\n const ASN1_EXTERN_FUNCS *ef;\n ASN1_VALUE **pseqval;\n int i;\n\n switch (it->itype) {\n case ASN1_ITYPE_EXTERN:\n ef = reinterpret_cast(it->funcs);\n if (ef && ef->asn1_ex_new) {\n if (!ef->asn1_ex_new(pval, it)) {\n goto memerr;\n }\n }\n break;\n\n case ASN1_ITYPE_PRIMITIVE:\n if (it->templates) {\n if (!ASN1_template_new(pval, it->templates)) {\n goto memerr;\n }\n } else if (!ASN1_primitive_new(pval, it)) {\n goto memerr;\n }\n break;\n\n case ASN1_ITYPE_MSTRING:\n if (!ASN1_primitive_new(pval, it)) {\n goto memerr;\n }\n break;\n\n case ASN1_ITYPE_CHOICE: {\n const ASN1_AUX *aux = reinterpret_cast(it->funcs);\n ASN1_aux_cb *asn1_cb = aux != NULL ? aux->asn1_cb : NULL;\n if (asn1_cb) {\n i = asn1_cb(ASN1_OP_NEW_PRE, pval, it, NULL);\n if (!i) {\n goto auxerr;\n }\n if (i == 2) {\n return 1;\n }\n }\n *pval = reinterpret_cast(OPENSSL_zalloc(it->size));\n if (!*pval) {\n goto memerr;\n }\n asn1_set_choice_selector(pval, -1, it);\n if (asn1_cb && !asn1_cb(ASN1_OP_NEW_POST, pval, it, NULL)) {\n goto auxerr2;\n }\n break;\n }\n\n case ASN1_ITYPE_SEQUENCE: {\n const ASN1_AUX *aux = reinterpret_cast(it->funcs);\n ASN1_aux_cb *asn1_cb = aux != NULL ? aux->asn1_cb : NULL;\n if (asn1_cb) {\n i = asn1_cb(ASN1_OP_NEW_PRE, pval, it, NULL);\n if (!i) {\n goto auxerr;\n }\n if (i == 2) {\n return 1;\n }\n }\n *pval = reinterpret_cast(OPENSSL_zalloc(it->size));\n if (!*pval) {\n goto memerr;\n }\n asn1_refcount_set_one(pval, it);\n asn1_enc_init(pval, it);\n for (i = 0, tt = it->templates; i < it->tcount; tt++, i++) {\n pseqval = asn1_get_field_ptr(pval, tt);\n if (!ASN1_template_new(pseqval, tt)) {\n goto memerr2;\n }\n }\n if (asn1_cb && !asn1_cb(ASN1_OP_NEW_POST, pval, it, NULL)) {\n goto auxerr2;\n }\n break;\n }\n }\n return 1;\n\nmemerr2:\n ASN1_item_ex_free(pval, it);\nmemerr:\n return 0;\n\nauxerr2:\n ASN1_item_ex_free(pval, it);\nauxerr:\n OPENSSL_PUT_ERROR(ASN1, ASN1_R_AUX_ERROR);\n return 0;\n}\n\nstatic void asn1_item_clear(ASN1_VALUE **pval, const ASN1_ITEM *it) {\n switch (it->itype) {\n case ASN1_ITYPE_EXTERN:\n *pval = NULL;\n break;\n\n case ASN1_ITYPE_PRIMITIVE:\n if (it->templates) {\n asn1_template_clear(pval, it->templates);\n } else {\n asn1_primitive_clear(pval, it);\n }\n break;\n\n case ASN1_ITYPE_MSTRING:\n asn1_primitive_clear(pval, it);\n break;\n\n case ASN1_ITYPE_CHOICE:\n case ASN1_ITYPE_SEQUENCE:\n *pval = NULL;\n break;\n }\n}\n\nstatic int ASN1_template_new(ASN1_VALUE **pval, const ASN1_TEMPLATE *tt) {\n const ASN1_ITEM *it = ASN1_ITEM_ptr(tt->item);\n int ret;\n if (tt->flags & ASN1_TFLG_OPTIONAL) {\n asn1_template_clear(pval, tt);\n return 1;\n }\n // If ANY DEFINED BY nothing to do\n\n if (tt->flags & ASN1_TFLG_ADB_MASK) {\n *pval = NULL;\n return 1;\n }\n // If SET OF or SEQUENCE OF, its a STACK\n if (tt->flags & ASN1_TFLG_SK_MASK) {\n STACK_OF(ASN1_VALUE) *skval;\n skval = sk_ASN1_VALUE_new_null();\n if (!skval) {\n ret = 0;\n goto done;\n }\n *pval = (ASN1_VALUE *)skval;\n ret = 1;\n goto done;\n }\n // Otherwise pass it back to the item routine\n ret = ASN1_item_ex_new(pval, it);\ndone:\n return ret;\n}\n\nstatic void asn1_template_clear(ASN1_VALUE **pval, const ASN1_TEMPLATE *tt) {\n // If ADB or STACK just NULL the field\n if (tt->flags & (ASN1_TFLG_ADB_MASK | ASN1_TFLG_SK_MASK)) {\n *pval = NULL;\n } else {\n asn1_item_clear(pval, ASN1_ITEM_ptr(tt->item));\n }\n}\n\n// NB: could probably combine most of the real XXX_new() behaviour and junk\n// all the old functions.\n\nstatic int ASN1_primitive_new(ASN1_VALUE **pval, const ASN1_ITEM *it) {\n if (!it) {\n return 0;\n }\n\n // Historically, |it->funcs| for primitive types contained an\n // |ASN1_PRIMITIVE_FUNCS| table of calbacks.\n assert(it->funcs == NULL);\n\n int utype;\n if (it->itype == ASN1_ITYPE_MSTRING) {\n utype = -1;\n } else {\n utype = it->utype;\n }\n switch (utype) {\n case V_ASN1_OBJECT:\n *pval = (ASN1_VALUE *)OBJ_get_undef();\n return 1;\n\n case V_ASN1_BOOLEAN:\n *(ASN1_BOOLEAN *)pval = (ASN1_BOOLEAN)it->size;\n return 1;\n\n case V_ASN1_NULL:\n *pval = (ASN1_VALUE *)1;\n return 1;\n\n case V_ASN1_ANY: {\n ASN1_TYPE *typ =\n reinterpret_cast(OPENSSL_malloc(sizeof(ASN1_TYPE)));\n if (!typ) {\n return 0;\n }\n typ->value.ptr = NULL;\n typ->type = -1;\n *pval = (ASN1_VALUE *)typ;\n break;\n }\n\n default:\n *pval = (ASN1_VALUE *)ASN1_STRING_type_new(utype);\n break;\n }\n if (*pval) {\n return 1;\n }\n return 0;\n}\n\nstatic void asn1_primitive_clear(ASN1_VALUE **pval, const ASN1_ITEM *it) {\n int utype;\n // Historically, |it->funcs| for primitive types contained an\n // |ASN1_PRIMITIVE_FUNCS| table of calbacks.\n assert(it == NULL || it->funcs == NULL);\n if (!it || (it->itype == ASN1_ITYPE_MSTRING)) {\n utype = -1;\n } else {\n utype = it->utype;\n }\n if (utype == V_ASN1_BOOLEAN) {\n *(ASN1_BOOLEAN *)pval = (ASN1_BOOLEAN)it->size;\n } else {\n *pval = NULL;\n }\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/asn1/tasn_typ.cc", "content": "/*\n * Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n\n// Declarations for string types\n\n#define IMPLEMENT_ASN1_STRING_FUNCTIONS(sname) \\\n IMPLEMENT_ASN1_TYPE(sname) \\\n IMPLEMENT_ASN1_ENCODE_FUNCTIONS_const_fname(sname, sname, sname) \\\n sname *sname##_new(void) { return ASN1_STRING_type_new(V_##sname); } \\\n void sname##_free(sname *x) { ASN1_STRING_free(x); }\n\nIMPLEMENT_ASN1_STRING_FUNCTIONS(ASN1_OCTET_STRING)\nIMPLEMENT_ASN1_STRING_FUNCTIONS(ASN1_INTEGER)\nIMPLEMENT_ASN1_STRING_FUNCTIONS(ASN1_ENUMERATED)\nIMPLEMENT_ASN1_STRING_FUNCTIONS(ASN1_BIT_STRING)\nIMPLEMENT_ASN1_STRING_FUNCTIONS(ASN1_UTF8STRING)\nIMPLEMENT_ASN1_STRING_FUNCTIONS(ASN1_PRINTABLESTRING)\nIMPLEMENT_ASN1_STRING_FUNCTIONS(ASN1_T61STRING)\nIMPLEMENT_ASN1_STRING_FUNCTIONS(ASN1_IA5STRING)\nIMPLEMENT_ASN1_STRING_FUNCTIONS(ASN1_GENERALSTRING)\nIMPLEMENT_ASN1_STRING_FUNCTIONS(ASN1_UTCTIME)\nIMPLEMENT_ASN1_STRING_FUNCTIONS(ASN1_GENERALIZEDTIME)\nIMPLEMENT_ASN1_STRING_FUNCTIONS(ASN1_VISIBLESTRING)\nIMPLEMENT_ASN1_STRING_FUNCTIONS(ASN1_UNIVERSALSTRING)\nIMPLEMENT_ASN1_STRING_FUNCTIONS(ASN1_BMPSTRING)\n\nIMPLEMENT_ASN1_TYPE(ASN1_NULL)\nIMPLEMENT_ASN1_FUNCTIONS_const(ASN1_NULL)\n\nIMPLEMENT_ASN1_TYPE(ASN1_OBJECT)\n\nIMPLEMENT_ASN1_TYPE(ASN1_ANY)\n\n// Just swallow an ASN1_SEQUENCE in an ASN1_STRING\nIMPLEMENT_ASN1_TYPE(ASN1_SEQUENCE)\n\nIMPLEMENT_ASN1_FUNCTIONS_const_fname(ASN1_TYPE, ASN1_ANY, ASN1_TYPE)\n\n// Multistring types\n\nIMPLEMENT_ASN1_MSTRING(ASN1_PRINTABLE, B_ASN1_PRINTABLE)\nIMPLEMENT_ASN1_FUNCTIONS_const_fname(ASN1_STRING, ASN1_PRINTABLE,\n ASN1_PRINTABLE)\n\nIMPLEMENT_ASN1_MSTRING(DISPLAYTEXT, B_ASN1_DISPLAYTEXT)\nIMPLEMENT_ASN1_FUNCTIONS_const_fname(ASN1_STRING, DISPLAYTEXT, DISPLAYTEXT)\n\nIMPLEMENT_ASN1_MSTRING(DIRECTORYSTRING, B_ASN1_DIRECTORYSTRING)\nIMPLEMENT_ASN1_FUNCTIONS_const_fname(ASN1_STRING, DIRECTORYSTRING,\n DIRECTORYSTRING)\n\n// Three separate BOOLEAN type: normal, DEFAULT TRUE and DEFAULT FALSE\nIMPLEMENT_ASN1_TYPE_ex(ASN1_BOOLEAN, ASN1_BOOLEAN, ASN1_BOOLEAN_NONE)\nIMPLEMENT_ASN1_TYPE_ex(ASN1_TBOOLEAN, ASN1_BOOLEAN, ASN1_BOOLEAN_TRUE)\nIMPLEMENT_ASN1_TYPE_ex(ASN1_FBOOLEAN, ASN1_BOOLEAN, ASN1_BOOLEAN_FALSE)\n\nASN1_ITEM_TEMPLATE(ASN1_SEQUENCE_ANY) =\n ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, ASN1_SEQUENCE_ANY, ASN1_ANY)\nASN1_ITEM_TEMPLATE_END(ASN1_SEQUENCE_ANY)\n\nASN1_ITEM_TEMPLATE(ASN1_SET_ANY) = ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SET_OF, 0,\n ASN1_SET_ANY, ASN1_ANY)\nASN1_ITEM_TEMPLATE_END(ASN1_SET_ANY)\n\nIMPLEMENT_ASN1_ENCODE_FUNCTIONS_const_fname(ASN1_SEQUENCE_ANY,\n ASN1_SEQUENCE_ANY,\n ASN1_SEQUENCE_ANY)\nIMPLEMENT_ASN1_ENCODE_FUNCTIONS_const_fname(ASN1_SEQUENCE_ANY, ASN1_SET_ANY,\n ASN1_SET_ANY)\n" }, { "path": "Sources/CNIOBoringSSL/crypto/asn1/tasn_utl.cc", "content": "/*\n * Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n#include \n\n#include \n#include \n#include \n#include \n#include \n#include \n\n#include \"../internal.h\"\n#include \"internal.h\"\n\n\n// Utility functions for manipulating fields and offsets\n\n// Add 'offset' to 'addr'\n#define offset2ptr(addr, offset) (void *)(((char *)(addr)) + (offset))\n\n// Given an ASN1_ITEM CHOICE type return the selector value\nint asn1_get_choice_selector(ASN1_VALUE **pval, const ASN1_ITEM *it) {\n int *sel = reinterpret_cast(offset2ptr(*pval, it->utype));\n return *sel;\n}\n\n// Given an ASN1_ITEM CHOICE type set the selector value, return old value.\nint asn1_set_choice_selector(ASN1_VALUE **pval, int value,\n const ASN1_ITEM *it) {\n int *sel, ret;\n sel = reinterpret_cast(offset2ptr(*pval, it->utype));\n ret = *sel;\n *sel = value;\n return ret;\n}\n\nstatic CRYPTO_refcount_t *asn1_get_references(ASN1_VALUE **pval,\n const ASN1_ITEM *it) {\n if (it->itype != ASN1_ITYPE_SEQUENCE) {\n return NULL;\n }\n const ASN1_AUX *aux = reinterpret_cast(it->funcs);\n if (!aux || !(aux->flags & ASN1_AFLG_REFCOUNT)) {\n return NULL;\n }\n return reinterpret_cast(\n offset2ptr(*pval, aux->ref_offset));\n}\n\nvoid asn1_refcount_set_one(ASN1_VALUE **pval, const ASN1_ITEM *it) {\n CRYPTO_refcount_t *references = asn1_get_references(pval, it);\n if (references != NULL) {\n *references = 1;\n }\n}\n\nint asn1_refcount_dec_and_test_zero(ASN1_VALUE **pval, const ASN1_ITEM *it) {\n CRYPTO_refcount_t *references = asn1_get_references(pval, it);\n if (references != NULL) {\n return CRYPTO_refcount_dec_and_test_zero(references);\n }\n return 1;\n}\n\nstatic ASN1_ENCODING *asn1_get_enc_ptr(ASN1_VALUE **pval, const ASN1_ITEM *it) {\n assert(it->itype == ASN1_ITYPE_SEQUENCE);\n const ASN1_AUX *aux;\n if (!pval || !*pval) {\n return NULL;\n }\n aux = reinterpret_cast(it->funcs);\n if (!aux || !(aux->flags & ASN1_AFLG_ENCODING)) {\n return NULL;\n }\n return reinterpret_cast(offset2ptr(*pval, aux->enc_offset));\n}\n\nvoid asn1_enc_init(ASN1_VALUE **pval, const ASN1_ITEM *it) {\n ASN1_ENCODING *enc = asn1_get_enc_ptr(pval, it);\n if (enc) {\n enc->enc = NULL;\n enc->len = 0;\n enc->buf = NULL;\n }\n}\n\nvoid asn1_enc_free(ASN1_VALUE **pval, const ASN1_ITEM *it) {\n ASN1_ENCODING *enc = asn1_get_enc_ptr(pval, it);\n if (enc) {\n asn1_encoding_clear(enc);\n }\n}\n\nint asn1_enc_save(ASN1_VALUE **pval, const uint8_t *in, size_t in_len,\n const ASN1_ITEM *it, CRYPTO_BUFFER *buf) {\n ASN1_ENCODING *enc;\n enc = asn1_get_enc_ptr(pval, it);\n if (!enc) {\n return 1;\n }\n\n asn1_encoding_clear(enc);\n if (buf != NULL) {\n assert(CRYPTO_BUFFER_data(buf) <= in &&\n in + in_len <= CRYPTO_BUFFER_data(buf) + CRYPTO_BUFFER_len(buf));\n CRYPTO_BUFFER_up_ref(buf);\n enc->buf = buf;\n enc->enc = (uint8_t *)in;\n } else {\n enc->enc = reinterpret_cast(OPENSSL_memdup(in, in_len));\n if (!enc->enc) {\n return 0;\n }\n }\n\n enc->len = in_len;\n return 1;\n}\n\nvoid asn1_encoding_clear(ASN1_ENCODING *enc) {\n if (enc->buf != NULL) {\n CRYPTO_BUFFER_free(enc->buf);\n } else {\n OPENSSL_free(enc->enc);\n }\n enc->enc = NULL;\n enc->len = 0;\n enc->buf = NULL;\n}\n\nint asn1_enc_restore(int *len, unsigned char **out, ASN1_VALUE **pval,\n const ASN1_ITEM *it) {\n ASN1_ENCODING *enc = asn1_get_enc_ptr(pval, it);\n if (!enc || enc->len == 0) {\n return 0;\n }\n if (out) {\n OPENSSL_memcpy(*out, enc->enc, enc->len);\n *out += enc->len;\n }\n if (len) {\n *len = enc->len;\n }\n return 1;\n}\n\n// Given an ASN1_TEMPLATE get a pointer to a field\nASN1_VALUE **asn1_get_field_ptr(ASN1_VALUE **pval, const ASN1_TEMPLATE *tt) {\n ASN1_VALUE **pvaltmp =\n reinterpret_cast(offset2ptr(*pval, tt->offset));\n // NOTE for BOOLEAN types the field is just a plain int so we can't return\n // int **, so settle for (int *).\n return pvaltmp;\n}\n\n// Handle ANY DEFINED BY template, find the selector, look up the relevant\n// ASN1_TEMPLATE in the table and return it.\nconst ASN1_TEMPLATE *asn1_do_adb(ASN1_VALUE **pval, const ASN1_TEMPLATE *tt,\n int nullerr) {\n const ASN1_ADB *adb;\n const ASN1_ADB_TABLE *atbl;\n ASN1_VALUE **sfld;\n int i;\n if (!(tt->flags & ASN1_TFLG_ADB_MASK)) {\n return tt;\n }\n\n // Else ANY DEFINED BY ... get the table\n adb = ASN1_ADB_ptr(tt->item);\n\n // Get the selector field\n sfld = reinterpret_cast(offset2ptr(*pval, adb->offset));\n\n // Check if NULL\n int selector;\n if (*sfld == NULL) {\n if (!adb->null_tt) {\n goto err;\n }\n return adb->null_tt;\n }\n\n // Convert type to a NID:\n // NB: don't check for NID_undef here because it\n // might be a legitimate value in the table\n assert(tt->flags & ASN1_TFLG_ADB_OID);\n selector = OBJ_obj2nid((ASN1_OBJECT *)*sfld);\n\n // Try to find matching entry in table Maybe should check application types\n // first to allow application override? Might also be useful to have a flag\n // which indicates table is sorted and we can do a binary search. For now\n // stick to a linear search.\n\n for (atbl = adb->tbl, i = 0; i < adb->tblcount; i++, atbl++) {\n if (atbl->value == selector) {\n return &atbl->tt;\n }\n }\n\n // FIXME: need to search application table too\n\n // No match, return default type\n if (!adb->default_tt) {\n goto err;\n }\n return adb->default_tt;\n\nerr:\n // FIXME: should log the value or OID of unsupported type\n if (nullerr) {\n OPENSSL_PUT_ERROR(ASN1, ASN1_R_UNSUPPORTED_ANY_DEFINED_BY_TYPE);\n }\n return NULL;\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/base64/base64.cc", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n#include \n#include \n\n#include \"../internal.h\"\n\n\n// constant_time_lt_args_8 behaves like |constant_time_lt_8| but takes |uint8_t|\n// arguments for a slightly simpler implementation.\nstatic inline uint8_t constant_time_lt_args_8(uint8_t a, uint8_t b) {\n crypto_word_t aw = a;\n crypto_word_t bw = b;\n // |crypto_word_t| is larger than |uint8_t|, so |aw| and |bw| have the same\n // MSB. |aw| < |bw| iff MSB(|aw| - |bw|) is 1.\n return constant_time_msb_w(aw - bw);\n}\n\n// constant_time_in_range_8 returns |CONSTTIME_TRUE_8| if |min| <= |a| <= |max|\n// and |CONSTTIME_FALSE_8| otherwise.\nstatic inline uint8_t constant_time_in_range_8(uint8_t a, uint8_t min,\n uint8_t max) {\n a -= min;\n return constant_time_lt_args_8(a, max - min + 1);\n}\n\n// Encoding.\n\nstatic uint8_t conv_bin2ascii(uint8_t a) {\n // Since PEM is sometimes used to carry private keys, we encode base64 data\n // itself in constant-time.\n a &= 0x3f;\n uint8_t ret = constant_time_select_8(constant_time_eq_8(a, 62), '+', '/');\n ret =\n constant_time_select_8(constant_time_lt_args_8(a, 62), a - 52 + '0', ret);\n ret =\n constant_time_select_8(constant_time_lt_args_8(a, 52), a - 26 + 'a', ret);\n ret = constant_time_select_8(constant_time_lt_args_8(a, 26), a + 'A', ret);\n return ret;\n}\n\nstatic_assert(sizeof(((EVP_ENCODE_CTX *)(NULL))->data) % 3 == 0,\n \"data length must be a multiple of base64 chunk size\");\n\nint EVP_EncodedLength(size_t *out_len, size_t len) {\n if (len + 2 < len) {\n return 0;\n }\n len += 2;\n len /= 3;\n\n if (((len << 2) >> 2) != len) {\n return 0;\n }\n len <<= 2;\n\n if (len + 1 < len) {\n return 0;\n }\n len++;\n\n *out_len = len;\n return 1;\n}\n\nEVP_ENCODE_CTX *EVP_ENCODE_CTX_new(void) {\n return reinterpret_cast(\n OPENSSL_zalloc(sizeof(EVP_ENCODE_CTX)));\n}\n\nvoid EVP_ENCODE_CTX_free(EVP_ENCODE_CTX *ctx) { OPENSSL_free(ctx); }\n\nvoid EVP_EncodeInit(EVP_ENCODE_CTX *ctx) {\n OPENSSL_memset(ctx, 0, sizeof(EVP_ENCODE_CTX));\n}\n\nvoid EVP_EncodeUpdate(EVP_ENCODE_CTX *ctx, uint8_t *out, int *out_len,\n const uint8_t *in, size_t in_len) {\n size_t total = 0;\n\n *out_len = 0;\n if (in_len == 0) {\n return;\n }\n\n assert(ctx->data_used < sizeof(ctx->data));\n\n if (sizeof(ctx->data) - ctx->data_used > in_len) {\n OPENSSL_memcpy(&ctx->data[ctx->data_used], in, in_len);\n ctx->data_used += (unsigned)in_len;\n return;\n }\n\n if (ctx->data_used != 0) {\n const size_t todo = sizeof(ctx->data) - ctx->data_used;\n OPENSSL_memcpy(&ctx->data[ctx->data_used], in, todo);\n in += todo;\n in_len -= todo;\n\n size_t encoded = EVP_EncodeBlock(out, ctx->data, sizeof(ctx->data));\n ctx->data_used = 0;\n\n out += encoded;\n *(out++) = '\\n';\n *out = '\\0';\n\n total = encoded + 1;\n }\n\n while (in_len >= sizeof(ctx->data)) {\n size_t encoded = EVP_EncodeBlock(out, in, sizeof(ctx->data));\n in += sizeof(ctx->data);\n in_len -= sizeof(ctx->data);\n\n out += encoded;\n *(out++) = '\\n';\n *out = '\\0';\n\n if (total + encoded + 1 < total) {\n *out_len = 0;\n return;\n }\n\n total += encoded + 1;\n }\n\n if (in_len != 0) {\n OPENSSL_memcpy(ctx->data, in, in_len);\n }\n\n ctx->data_used = (unsigned)in_len;\n\n if (total > INT_MAX) {\n // We cannot signal an error, but we can at least avoid making *out_len\n // negative.\n total = 0;\n }\n *out_len = (int)total;\n}\n\nvoid EVP_EncodeFinal(EVP_ENCODE_CTX *ctx, uint8_t *out, int *out_len) {\n if (ctx->data_used == 0) {\n *out_len = 0;\n return;\n }\n\n size_t encoded = EVP_EncodeBlock(out, ctx->data, ctx->data_used);\n out[encoded++] = '\\n';\n out[encoded] = '\\0';\n ctx->data_used = 0;\n\n // ctx->data_used is bounded by sizeof(ctx->data), so this does not\n // overflow.\n assert(encoded <= INT_MAX);\n *out_len = (int)encoded;\n}\n\nsize_t EVP_EncodeBlock(uint8_t *dst, const uint8_t *src, size_t src_len) {\n uint32_t l;\n size_t remaining = src_len, ret = 0;\n\n while (remaining) {\n if (remaining >= 3) {\n l = (((uint32_t)src[0]) << 16L) | (((uint32_t)src[1]) << 8L) | src[2];\n *(dst++) = conv_bin2ascii(l >> 18L);\n *(dst++) = conv_bin2ascii(l >> 12L);\n *(dst++) = conv_bin2ascii(l >> 6L);\n *(dst++) = conv_bin2ascii(l);\n remaining -= 3;\n } else {\n l = ((uint32_t)src[0]) << 16L;\n if (remaining == 2) {\n l |= ((uint32_t)src[1] << 8L);\n }\n\n *(dst++) = conv_bin2ascii(l >> 18L);\n *(dst++) = conv_bin2ascii(l >> 12L);\n *(dst++) = (remaining == 1) ? '=' : conv_bin2ascii(l >> 6L);\n *(dst++) = '=';\n remaining = 0;\n }\n ret += 4;\n src += 3;\n }\n\n *dst = '\\0';\n return ret;\n}\n\n\n// Decoding.\n\nint EVP_DecodedLength(size_t *out_len, size_t len) {\n if (len % 4 != 0) {\n return 0;\n }\n\n *out_len = (len / 4) * 3;\n return 1;\n}\n\nvoid EVP_DecodeInit(EVP_ENCODE_CTX *ctx) {\n OPENSSL_memset(ctx, 0, sizeof(EVP_ENCODE_CTX));\n}\n\nstatic uint8_t base64_ascii_to_bin(uint8_t a) {\n // Since PEM is sometimes used to carry private keys, we decode base64 data\n // itself in constant-time.\n const uint8_t is_upper = constant_time_in_range_8(a, 'A', 'Z');\n const uint8_t is_lower = constant_time_in_range_8(a, 'a', 'z');\n const uint8_t is_digit = constant_time_in_range_8(a, '0', '9');\n const uint8_t is_plus = constant_time_eq_8(a, '+');\n const uint8_t is_slash = constant_time_eq_8(a, '/');\n const uint8_t is_equals = constant_time_eq_8(a, '=');\n\n uint8_t ret = 0;\n ret |= is_upper & (a - 'A'); // [0,26)\n ret |= is_lower & (a - 'a' + 26); // [26,52)\n ret |= is_digit & (a - '0' + 52); // [52,62)\n ret |= is_plus & 62;\n ret |= is_slash & 63;\n // Invalid inputs, 'A', and '=' have all been mapped to zero. Map invalid\n // inputs to 0xff. Note '=' is padding and handled separately by the caller.\n const uint8_t is_valid =\n is_upper | is_lower | is_digit | is_plus | is_slash | is_equals;\n ret |= ~is_valid;\n return ret;\n}\n\n// base64_decode_quad decodes a single “quad” (i.e. four characters) of base64\n// data and writes up to three bytes to |out|. It sets |*out_num_bytes| to the\n// number of bytes written, which will be less than three if the quad ended\n// with padding. It returns one on success or zero on error.\nstatic int base64_decode_quad(uint8_t *out, size_t *out_num_bytes,\n const uint8_t *in) {\n const uint8_t a = base64_ascii_to_bin(in[0]);\n const uint8_t b = base64_ascii_to_bin(in[1]);\n const uint8_t c = base64_ascii_to_bin(in[2]);\n const uint8_t d = base64_ascii_to_bin(in[3]);\n if (a == 0xff || b == 0xff || c == 0xff || d == 0xff) {\n return 0;\n }\n\n const uint32_t v = ((uint32_t)a) << 18 | ((uint32_t)b) << 12 |\n ((uint32_t)c) << 6 | (uint32_t)d;\n\n const unsigned padding_pattern = (in[0] == '=') << 3 | //\n (in[1] == '=') << 2 | //\n (in[2] == '=') << 1 | //\n (in[3] == '=');\n\n // In presence of padding, the lowest bits of v are unused. Canonical encoding\n // (RFC 4648, section 3.5) requires that these bits all be set to zero. Common\n // PEM parsers accept noncanonical base64, adding to the malleability of the\n // format. This decoder follows OpenSSL's and Go's PEM parsers and accepts it.\n switch (padding_pattern) {\n case 0:\n // The common case of no padding.\n *out_num_bytes = 3;\n out[0] = v >> 16;\n out[1] = v >> 8;\n out[2] = v;\n break;\n\n case 1: // xxx=\n *out_num_bytes = 2;\n out[0] = v >> 16;\n out[1] = v >> 8;\n break;\n\n case 3: // xx==\n *out_num_bytes = 1;\n out[0] = v >> 16;\n break;\n\n default:\n return 0;\n }\n\n return 1;\n}\n\nint EVP_DecodeUpdate(EVP_ENCODE_CTX *ctx, uint8_t *out, int *out_len,\n const uint8_t *in, size_t in_len) {\n *out_len = 0;\n\n if (ctx->error_encountered) {\n return -1;\n }\n\n size_t bytes_out = 0, i;\n for (i = 0; i < in_len; i++) {\n const char c = in[i];\n switch (c) {\n case ' ':\n case '\\t':\n case '\\r':\n case '\\n':\n continue;\n }\n\n if (ctx->eof_seen) {\n ctx->error_encountered = 1;\n return -1;\n }\n\n ctx->data[ctx->data_used++] = c;\n if (ctx->data_used == 4) {\n size_t num_bytes_resulting;\n if (!base64_decode_quad(out, &num_bytes_resulting, ctx->data)) {\n ctx->error_encountered = 1;\n return -1;\n }\n\n ctx->data_used = 0;\n bytes_out += num_bytes_resulting;\n out += num_bytes_resulting;\n\n if (num_bytes_resulting < 3) {\n ctx->eof_seen = 1;\n }\n }\n }\n\n if (bytes_out > INT_MAX) {\n ctx->error_encountered = 1;\n *out_len = 0;\n return -1;\n }\n *out_len = (int)bytes_out;\n\n if (ctx->eof_seen) {\n return 0;\n }\n\n return 1;\n}\n\nint EVP_DecodeFinal(EVP_ENCODE_CTX *ctx, uint8_t *out, int *out_len) {\n *out_len = 0;\n if (ctx->error_encountered || ctx->data_used != 0) {\n return -1;\n }\n\n return 1;\n}\n\nint EVP_DecodeBase64(uint8_t *out, size_t *out_len, size_t max_out,\n const uint8_t *in, size_t in_len) {\n *out_len = 0;\n\n if (in_len % 4 != 0) {\n return 0;\n }\n\n size_t max_len;\n if (!EVP_DecodedLength(&max_len, in_len) || max_out < max_len) {\n return 0;\n }\n\n size_t i, bytes_out = 0;\n for (i = 0; i < in_len; i += 4) {\n size_t num_bytes_resulting;\n\n if (!base64_decode_quad(out, &num_bytes_resulting, &in[i])) {\n return 0;\n }\n\n bytes_out += num_bytes_resulting;\n out += num_bytes_resulting;\n if (num_bytes_resulting != 3 && i != in_len - 4) {\n return 0;\n }\n }\n\n *out_len = bytes_out;\n return 1;\n}\n\nint EVP_DecodeBlock(uint8_t *dst, const uint8_t *src, size_t src_len) {\n // Trim spaces and tabs from the beginning of the input.\n while (src_len > 0) {\n if (src[0] != ' ' && src[0] != '\\t') {\n break;\n }\n\n src++;\n src_len--;\n }\n\n // Trim newlines, spaces and tabs from the end of the line.\n while (src_len > 0) {\n switch (src[src_len - 1]) {\n case ' ':\n case '\\t':\n case '\\r':\n case '\\n':\n src_len--;\n continue;\n }\n\n break;\n }\n\n size_t dst_len;\n if (!EVP_DecodedLength(&dst_len, src_len) || dst_len > INT_MAX ||\n !EVP_DecodeBase64(dst, &dst_len, dst_len, src, src_len)) {\n return -1;\n }\n\n // EVP_DecodeBlock does not take padding into account, so put the\n // NULs back in... so the caller can strip them back out.\n while (dst_len % 3 != 0) {\n dst[dst_len++] = '\\0';\n }\n assert(dst_len <= INT_MAX);\n\n return (int)dst_len;\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/bcm_support.h", "content": "/* Copyright 2024 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n#ifndef OPENSSL_HEADER_CRYPTO_BCM_SUPPORT_H\n#define OPENSSL_HEADER_CRYPTO_BCM_SUPPORT_H\n\n#include \n\n#include \n\n// Provided by libcrypto, called from BCM\n\n#if defined(__cplusplus)\nextern \"C\" {\n#endif\n\n#if defined(OPENSSL_LINUX)\n// On linux we use MADVISE instead of pthread_atfork(), due\n// to concerns about clone() being used for address space\n// duplication.\n#define OPENSSL_FORK_DETECTION\n#define OPENSSL_FORK_DETECTION_MADVISE\n#elif defined(OPENSSL_MACOS) || defined(OPENSSL_IOS) || \\\n defined(OPENSSL_OPENBSD) || defined(OPENSSL_FREEBSD)\n// These platforms may detect address space duplication with pthread_atfork.\n// iOS doesn't normally allow fork in apps, but it's there.\n#define OPENSSL_FORK_DETECTION\n#define OPENSSL_FORK_DETECTION_PTHREAD_ATFORK\n#elif defined(OPENSSL_WINDOWS) || defined(OPENSSL_TRUSTY) || \\\n defined(__ZEPHYR__) || defined(CROS_EC)\n// These platforms do not fork.\n#define OPENSSL_DOES_NOT_FORK\n#endif\n\n#if defined(BORINGSSL_UNSAFE_DETERMINISTIC_MODE)\n#define OPENSSL_RAND_DETERMINISTIC\n#elif defined(OPENSSL_TRUSTY)\n#define OPENSSL_RAND_TRUSTY\n#elif defined(OPENSSL_WINDOWS)\n#define OPENSSL_RAND_WINDOWS\n#elif defined(OPENSSL_LINUX)\n#define OPENSSL_RAND_URANDOM\n#elif defined(OPENSSL_APPLE) && !defined(OPENSSL_MACOS)\n// Unlike macOS, iOS and similar hide away getentropy().\n#define OPENSSL_RAND_IOS\n#else\n// By default if you are integrating BoringSSL we expect you to\n// provide getentropy from the header file.\n#define OPENSSL_RAND_GETENTROPY\n#endif\n\n// Provided by libcrypto, called from BCM\n\n// CRYPTO_init_sysrand initializes long-lived resources needed to draw entropy\n// from the operating system, if the operating system requires initialization.\nvoid CRYPTO_init_sysrand(void);\n\n// CRYPTO_sysrand fills |len| bytes at |buf| with entropy from the operating\n// system.\nvoid CRYPTO_sysrand(uint8_t *buf, size_t len);\n\n// CRYPTO_sysrand_if_available fills |len| bytes at |buf| with entropy from the\n// operating system, or early /dev/urandom data, and returns 1, _if_ the entropy\n// pool is initialized or if getrandom() is not available and not in FIPS mode.\n// Otherwise it will not block and will instead fill |buf| with all zeros and\n// return 0.\nint CRYPTO_sysrand_if_available(uint8_t *buf, size_t len);\n\n// CRYPTO_sysrand_for_seed fills |len| bytes at |buf| with entropy from the\n// operating system. It may draw from the |GRND_RANDOM| pool on Android,\n// depending on the vendor's configuration.\nvoid CRYPTO_sysrand_for_seed(uint8_t *buf, size_t len);\n\n// RAND_need_entropy is called whenever the BCM module has stopped because it\n// has run out of entropy.\nvoid RAND_need_entropy(size_t bytes_needed);\n\n// crypto_get_fork_generation returns the fork generation number for the current\n// process, or zero if not supported on the platform. The fork generation number\n// is a non-zero, strictly-monotonic counter with the property that, if queried\n// in an address space and then again in a subsequently forked copy, the forked\n// address space will observe a greater value.\n//\n// This function may be used to clear cached values across a fork. When\n// initializing a cache, record the fork generation. Before using the cache,\n// check if the fork generation has changed. If so, drop the cache and update\n// the save fork generation. Note this logic transparently handles platforms\n// which always return zero.\n//\n// This is not reliably supported on all platforms which implement |fork|, so it\n// should only be used as a hardening measure.\nOPENSSL_EXPORT uint64_t CRYPTO_get_fork_generation(void);\n\n// CRYPTO_fork_detect_force_madv_wipeonfork_for_testing is an internal detail\n// used for testing purposes.\nOPENSSL_EXPORT void CRYPTO_fork_detect_force_madv_wipeonfork_for_testing(\n int on);\n\n// CRYPTO_get_stderr returns stderr. This function exists to avoid BCM needing\n// a data dependency on libc.\nFILE *CRYPTO_get_stderr(void);\n\n\n#if defined(__cplusplus)\n} // extern C\n#endif\n\n#endif // OPENSSL_HEADER_CRYPTO_BCM_SUPPORT_H\n" }, { "path": "Sources/CNIOBoringSSL/crypto/bio/bio.cc", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n#include \n#include \n#include \n\n#include \n#include \n#include \n#include \n\n#include \"../internal.h\"\n\n\nstatic CRYPTO_EX_DATA_CLASS g_ex_data_class =\n CRYPTO_EX_DATA_CLASS_INIT_WITH_APP_DATA;\n\nBIO *BIO_new(const BIO_METHOD *method) {\n BIO *ret = reinterpret_cast(OPENSSL_zalloc(sizeof(BIO)));\n if (ret == NULL) {\n return NULL;\n }\n\n ret->method = method;\n ret->shutdown = 1;\n ret->references = 1;\n CRYPTO_new_ex_data(&ret->ex_data);\n\n if (method->create != NULL && !method->create(ret)) {\n OPENSSL_free(ret);\n return NULL;\n }\n\n return ret;\n}\n\nint BIO_free(BIO *bio) {\n BIO *next_bio;\n\n for (; bio != NULL; bio = next_bio) {\n if (!CRYPTO_refcount_dec_and_test_zero(&bio->references)) {\n return 0;\n }\n\n next_bio = BIO_pop(bio);\n\n if (bio->method != NULL && bio->method->destroy != NULL) {\n bio->method->destroy(bio);\n }\n\n CRYPTO_free_ex_data(&g_ex_data_class, bio, &bio->ex_data);\n OPENSSL_free(bio);\n }\n return 1;\n}\n\nint BIO_up_ref(BIO *bio) {\n CRYPTO_refcount_inc(&bio->references);\n return 1;\n}\n\nvoid BIO_vfree(BIO *bio) { BIO_free(bio); }\n\nvoid BIO_free_all(BIO *bio) { BIO_free(bio); }\n\nint BIO_read(BIO *bio, void *buf, int len) {\n if (bio == NULL || bio->method == NULL || bio->method->bread == NULL) {\n OPENSSL_PUT_ERROR(BIO, BIO_R_UNSUPPORTED_METHOD);\n return -2;\n }\n if (!bio->init) {\n OPENSSL_PUT_ERROR(BIO, BIO_R_UNINITIALIZED);\n return -2;\n }\n if (len <= 0) {\n return 0;\n }\n int ret = bio->method->bread(bio, reinterpret_cast(buf), len);\n if (ret > 0) {\n bio->num_read += ret;\n }\n return ret;\n}\n\nint BIO_gets(BIO *bio, char *buf, int len) {\n if (bio == NULL || bio->method == NULL || bio->method->bgets == NULL) {\n OPENSSL_PUT_ERROR(BIO, BIO_R_UNSUPPORTED_METHOD);\n return -2;\n }\n if (!bio->init) {\n OPENSSL_PUT_ERROR(BIO, BIO_R_UNINITIALIZED);\n return -2;\n }\n if (len <= 0) {\n return 0;\n }\n int ret = bio->method->bgets(bio, buf, len);\n if (ret > 0) {\n bio->num_read += ret;\n }\n return ret;\n}\n\nint BIO_write(BIO *bio, const void *in, int inl) {\n if (bio == NULL || bio->method == NULL || bio->method->bwrite == NULL) {\n OPENSSL_PUT_ERROR(BIO, BIO_R_UNSUPPORTED_METHOD);\n return -2;\n }\n if (!bio->init) {\n OPENSSL_PUT_ERROR(BIO, BIO_R_UNINITIALIZED);\n return -2;\n }\n if (inl <= 0) {\n return 0;\n }\n int ret = bio->method->bwrite(bio, reinterpret_cast(in), inl);\n if (ret > 0) {\n bio->num_write += ret;\n }\n return ret;\n}\n\nint BIO_write_all(BIO *bio, const void *data, size_t len) {\n const uint8_t *data_u8 = reinterpret_cast(data);\n while (len > 0) {\n int ret = BIO_write(bio, data_u8, len > INT_MAX ? INT_MAX : (int)len);\n if (ret <= 0) {\n return 0;\n }\n data_u8 += ret;\n len -= ret;\n }\n return 1;\n}\n\nint BIO_puts(BIO *bio, const char *in) {\n size_t len = strlen(in);\n if (len > INT_MAX) {\n // |BIO_write| and the return value both assume the string fits in |int|.\n OPENSSL_PUT_ERROR(BIO, ERR_R_OVERFLOW);\n return -1;\n }\n return BIO_write(bio, in, (int)len);\n}\n\nint BIO_flush(BIO *bio) { return (int)BIO_ctrl(bio, BIO_CTRL_FLUSH, 0, NULL); }\n\nlong BIO_ctrl(BIO *bio, int cmd, long larg, void *parg) {\n if (bio == NULL) {\n return 0;\n }\n\n if (bio->method == NULL || bio->method->ctrl == NULL) {\n OPENSSL_PUT_ERROR(BIO, BIO_R_UNSUPPORTED_METHOD);\n return -2;\n }\n\n return bio->method->ctrl(bio, cmd, larg, parg);\n}\n\nchar *BIO_ptr_ctrl(BIO *b, int cmd, long larg) {\n char *p = NULL;\n\n if (BIO_ctrl(b, cmd, larg, (void *)&p) <= 0) {\n return NULL;\n }\n\n return p;\n}\n\nlong BIO_int_ctrl(BIO *b, int cmd, long larg, int iarg) {\n int i = iarg;\n\n return BIO_ctrl(b, cmd, larg, (void *)&i);\n}\n\nint BIO_reset(BIO *bio) { return (int)BIO_ctrl(bio, BIO_CTRL_RESET, 0, NULL); }\n\nint BIO_eof(BIO *bio) { return (int)BIO_ctrl(bio, BIO_CTRL_EOF, 0, NULL); }\n\nvoid BIO_set_flags(BIO *bio, int flags) { bio->flags |= flags; }\n\nint BIO_test_flags(const BIO *bio, int flags) { return bio->flags & flags; }\n\nint BIO_should_read(const BIO *bio) {\n return BIO_test_flags(bio, BIO_FLAGS_READ);\n}\n\nint BIO_should_write(const BIO *bio) {\n return BIO_test_flags(bio, BIO_FLAGS_WRITE);\n}\n\nint BIO_should_retry(const BIO *bio) {\n return BIO_test_flags(bio, BIO_FLAGS_SHOULD_RETRY);\n}\n\nint BIO_should_io_special(const BIO *bio) {\n return BIO_test_flags(bio, BIO_FLAGS_IO_SPECIAL);\n}\n\nint BIO_get_retry_reason(const BIO *bio) { return bio->retry_reason; }\n\nvoid BIO_set_retry_reason(BIO *bio, int reason) { bio->retry_reason = reason; }\n\nvoid BIO_clear_flags(BIO *bio, int flags) { bio->flags &= ~flags; }\n\nvoid BIO_set_retry_read(BIO *bio) {\n bio->flags |= BIO_FLAGS_READ | BIO_FLAGS_SHOULD_RETRY;\n}\n\nvoid BIO_set_retry_write(BIO *bio) {\n bio->flags |= BIO_FLAGS_WRITE | BIO_FLAGS_SHOULD_RETRY;\n}\n\nstatic const int kRetryFlags = BIO_FLAGS_RWS | BIO_FLAGS_SHOULD_RETRY;\n\nint BIO_get_retry_flags(BIO *bio) { return bio->flags & kRetryFlags; }\n\nvoid BIO_clear_retry_flags(BIO *bio) {\n bio->flags &= ~kRetryFlags;\n bio->retry_reason = 0;\n}\n\nint BIO_method_type(const BIO *bio) { return bio->method->type; }\n\nvoid BIO_copy_next_retry(BIO *bio) {\n BIO_clear_retry_flags(bio);\n BIO_set_flags(bio, BIO_get_retry_flags(bio->next_bio));\n bio->retry_reason = bio->next_bio->retry_reason;\n}\n\nlong BIO_callback_ctrl(BIO *bio, int cmd, bio_info_cb fp) {\n if (bio == NULL) {\n return 0;\n }\n\n if (bio->method == NULL || bio->method->callback_ctrl == NULL) {\n OPENSSL_PUT_ERROR(BIO, BIO_R_UNSUPPORTED_METHOD);\n return 0;\n }\n\n return bio->method->callback_ctrl(bio, cmd, fp);\n}\n\nsize_t BIO_pending(const BIO *bio) {\n const long r = BIO_ctrl((BIO *)bio, BIO_CTRL_PENDING, 0, NULL);\n assert(r >= 0);\n\n if (r < 0) {\n return 0;\n }\n return r;\n}\n\nsize_t BIO_ctrl_pending(const BIO *bio) { return BIO_pending(bio); }\n\nsize_t BIO_wpending(const BIO *bio) {\n const long r = BIO_ctrl((BIO *)bio, BIO_CTRL_WPENDING, 0, NULL);\n assert(r >= 0);\n\n if (r < 0) {\n return 0;\n }\n return r;\n}\n\nint BIO_set_close(BIO *bio, int close_flag) {\n return (int)BIO_ctrl(bio, BIO_CTRL_SET_CLOSE, close_flag, NULL);\n}\n\nOPENSSL_EXPORT uint64_t BIO_number_read(const BIO *bio) {\n return bio->num_read;\n}\n\nOPENSSL_EXPORT uint64_t BIO_number_written(const BIO *bio) {\n return bio->num_write;\n}\n\nBIO *BIO_push(BIO *bio, BIO *appended_bio) {\n BIO *last_bio;\n\n if (bio == NULL) {\n return bio;\n }\n\n last_bio = bio;\n while (last_bio->next_bio != NULL) {\n last_bio = last_bio->next_bio;\n }\n\n last_bio->next_bio = appended_bio;\n return bio;\n}\n\nBIO *BIO_pop(BIO *bio) {\n BIO *ret;\n\n if (bio == NULL) {\n return NULL;\n }\n ret = bio->next_bio;\n bio->next_bio = NULL;\n return ret;\n}\n\nBIO *BIO_next(BIO *bio) {\n if (!bio) {\n return NULL;\n }\n return bio->next_bio;\n}\n\nBIO *BIO_find_type(BIO *bio, int type) {\n int method_type, mask;\n\n if (!bio) {\n return NULL;\n }\n mask = type & 0xff;\n\n do {\n if (bio->method != NULL) {\n method_type = bio->method->type;\n\n if (!mask) {\n if (method_type & type) {\n return bio;\n }\n } else if (method_type == type) {\n return bio;\n }\n }\n bio = bio->next_bio;\n } while (bio != NULL);\n\n return NULL;\n}\n\nint BIO_indent(BIO *bio, unsigned indent, unsigned max_indent) {\n if (indent > max_indent) {\n indent = max_indent;\n }\n\n while (indent--) {\n if (BIO_puts(bio, \" \") != 1) {\n return 0;\n }\n }\n return 1;\n}\n\nstatic int print_bio(const char *str, size_t len, void *bio) {\n return BIO_write_all((BIO *)bio, str, len);\n}\n\nvoid ERR_print_errors(BIO *bio) { ERR_print_errors_cb(print_bio, bio); }\n\n// bio_read_all reads everything from |bio| and prepends |prefix| to it. On\n// success, |*out| is set to an allocated buffer (which should be freed with\n// |OPENSSL_free|), |*out_len| is set to its length and one is returned. The\n// buffer will contain |prefix| followed by the contents of |bio|. On failure,\n// zero is returned.\n//\n// The function will fail if the size of the output would equal or exceed\n// |max_len|.\nstatic int bio_read_all(BIO *bio, uint8_t **out, size_t *out_len,\n const uint8_t *prefix, size_t prefix_len,\n size_t max_len) {\n static const size_t kChunkSize = 4096;\n\n size_t len = prefix_len + kChunkSize;\n if (len > max_len) {\n len = max_len;\n }\n if (len < prefix_len) {\n return 0;\n }\n *out = reinterpret_cast(OPENSSL_malloc(len));\n if (*out == NULL) {\n return 0;\n }\n OPENSSL_memcpy(*out, prefix, prefix_len);\n size_t done = prefix_len;\n\n for (;;) {\n if (done == len) {\n OPENSSL_free(*out);\n return 0;\n }\n size_t todo = len - done;\n if (todo > INT_MAX) {\n todo = INT_MAX;\n }\n const int n = BIO_read(bio, *out + done, (int)todo);\n if (n == 0) {\n *out_len = done;\n return 1;\n } else if (n == -1) {\n OPENSSL_free(*out);\n return 0;\n }\n\n done += n;\n if (len < max_len && len - done < kChunkSize / 2) {\n len += kChunkSize;\n if (len < kChunkSize || len > max_len) {\n len = max_len;\n }\n uint8_t *new_buf =\n reinterpret_cast(OPENSSL_realloc(*out, len));\n if (new_buf == NULL) {\n OPENSSL_free(*out);\n return 0;\n }\n *out = new_buf;\n }\n }\n}\n\n// bio_read_full reads |len| bytes |bio| and writes them into |out|. It\n// tolerates partial reads from |bio| and returns one on success or zero if a\n// read fails before |len| bytes are read. On failure, it additionally sets\n// |*out_eof_on_first_read| to whether the error was due to |bio| returning zero\n// on the first read. |out_eof_on_first_read| may be NULL to discard the value.\nstatic int bio_read_full(BIO *bio, uint8_t *out, int *out_eof_on_first_read,\n size_t len) {\n int first_read = 1;\n while (len > 0) {\n int todo = len <= INT_MAX ? (int)len : INT_MAX;\n int ret = BIO_read(bio, out, todo);\n if (ret <= 0) {\n if (out_eof_on_first_read != NULL) {\n *out_eof_on_first_read = first_read && ret == 0;\n }\n return 0;\n }\n out += ret;\n len -= (size_t)ret;\n first_read = 0;\n }\n\n return 1;\n}\n\n// For compatibility with existing |d2i_*_bio| callers, |BIO_read_asn1| uses\n// |ERR_LIB_ASN1| errors.\nOPENSSL_DECLARE_ERROR_REASON(ASN1, ASN1_R_DECODE_ERROR)\nOPENSSL_DECLARE_ERROR_REASON(ASN1, ASN1_R_HEADER_TOO_LONG)\nOPENSSL_DECLARE_ERROR_REASON(ASN1, ASN1_R_NOT_ENOUGH_DATA)\nOPENSSL_DECLARE_ERROR_REASON(ASN1, ASN1_R_TOO_LONG)\n\nint BIO_read_asn1(BIO *bio, uint8_t **out, size_t *out_len, size_t max_len) {\n uint8_t header[6];\n\n static const size_t kInitialHeaderLen = 2;\n int eof_on_first_read;\n if (!bio_read_full(bio, header, &eof_on_first_read, kInitialHeaderLen)) {\n if (eof_on_first_read) {\n // Historically, OpenSSL returned |ASN1_R_HEADER_TOO_LONG| when\n // |d2i_*_bio| could not read anything. CPython conditions on this to\n // determine if |bio| was empty.\n OPENSSL_PUT_ERROR(ASN1, ASN1_R_HEADER_TOO_LONG);\n } else {\n OPENSSL_PUT_ERROR(ASN1, ASN1_R_NOT_ENOUGH_DATA);\n }\n return 0;\n }\n\n const uint8_t tag = header[0];\n const uint8_t length_byte = header[1];\n\n if ((tag & 0x1f) == 0x1f) {\n // Long form tags are not supported.\n OPENSSL_PUT_ERROR(ASN1, ASN1_R_DECODE_ERROR);\n return 0;\n }\n\n size_t len, header_len;\n if ((length_byte & 0x80) == 0) {\n // Short form length.\n len = length_byte;\n header_len = kInitialHeaderLen;\n } else {\n const size_t num_bytes = length_byte & 0x7f;\n\n if ((tag & 0x20 /* constructed */) != 0 && num_bytes == 0) {\n // indefinite length.\n if (!bio_read_all(bio, out, out_len, header, kInitialHeaderLen,\n max_len)) {\n OPENSSL_PUT_ERROR(ASN1, ASN1_R_NOT_ENOUGH_DATA);\n return 0;\n }\n return 1;\n }\n\n if (num_bytes == 0 || num_bytes > 4) {\n OPENSSL_PUT_ERROR(ASN1, ASN1_R_DECODE_ERROR);\n return 0;\n }\n\n if (!bio_read_full(bio, header + kInitialHeaderLen, NULL, num_bytes)) {\n OPENSSL_PUT_ERROR(ASN1, ASN1_R_NOT_ENOUGH_DATA);\n return 0;\n }\n header_len = kInitialHeaderLen + num_bytes;\n\n uint32_t len32 = 0;\n for (unsigned i = 0; i < num_bytes; i++) {\n len32 <<= 8;\n len32 |= header[kInitialHeaderLen + i];\n }\n\n if (len32 < 128) {\n // Length should have used short-form encoding.\n OPENSSL_PUT_ERROR(ASN1, ASN1_R_DECODE_ERROR);\n return 0;\n }\n\n if ((len32 >> ((num_bytes - 1) * 8)) == 0) {\n // Length should have been at least one byte shorter.\n OPENSSL_PUT_ERROR(ASN1, ASN1_R_DECODE_ERROR);\n return 0;\n }\n\n len = len32;\n }\n\n if (len + header_len < len || len + header_len > max_len || len > INT_MAX) {\n OPENSSL_PUT_ERROR(ASN1, ASN1_R_TOO_LONG);\n return 0;\n }\n len += header_len;\n *out_len = len;\n\n *out = reinterpret_cast(OPENSSL_malloc(len));\n if (*out == NULL) {\n return 0;\n }\n OPENSSL_memcpy(*out, header, header_len);\n if (!bio_read_full(bio, (*out) + header_len, NULL, len - header_len)) {\n OPENSSL_PUT_ERROR(ASN1, ASN1_R_NOT_ENOUGH_DATA);\n OPENSSL_free(*out);\n return 0;\n }\n\n return 1;\n}\n\nvoid BIO_set_retry_special(BIO *bio) {\n bio->flags |= BIO_FLAGS_READ | BIO_FLAGS_IO_SPECIAL;\n}\n\nint BIO_set_write_buffer_size(BIO *bio, int buffer_size) { return 0; }\n\nstatic CRYPTO_MUTEX g_index_lock = CRYPTO_MUTEX_INIT;\nstatic int g_index = BIO_TYPE_START;\n\nint BIO_get_new_index(void) {\n CRYPTO_MUTEX_lock_write(&g_index_lock);\n // If |g_index| exceeds 255, it will collide with the flags bits.\n int ret = g_index > 255 ? -1 : g_index++;\n CRYPTO_MUTEX_unlock_write(&g_index_lock);\n return ret;\n}\n\nBIO_METHOD *BIO_meth_new(int type, const char *name) {\n BIO_METHOD *method =\n reinterpret_cast(OPENSSL_zalloc(sizeof(BIO_METHOD)));\n if (method == NULL) {\n return NULL;\n }\n method->type = type;\n method->name = name;\n return method;\n}\n\nvoid BIO_meth_free(BIO_METHOD *method) { OPENSSL_free(method); }\n\nint BIO_meth_set_create(BIO_METHOD *method, int (*create_func)(BIO *)) {\n method->create = create_func;\n return 1;\n}\n\nint BIO_meth_set_destroy(BIO_METHOD *method, int (*destroy_func)(BIO *)) {\n method->destroy = destroy_func;\n return 1;\n}\n\nint BIO_meth_set_write(BIO_METHOD *method,\n int (*write_func)(BIO *, const char *, int)) {\n method->bwrite = write_func;\n return 1;\n}\n\nint BIO_meth_set_read(BIO_METHOD *method,\n int (*read_func)(BIO *, char *, int)) {\n method->bread = read_func;\n return 1;\n}\n\nint BIO_meth_set_gets(BIO_METHOD *method,\n int (*gets_func)(BIO *, char *, int)) {\n method->bgets = gets_func;\n return 1;\n}\n\nint BIO_meth_set_ctrl(BIO_METHOD *method,\n long (*ctrl_func)(BIO *, int, long, void *)) {\n method->ctrl = ctrl_func;\n return 1;\n}\n\nvoid BIO_set_data(BIO *bio, void *ptr) { bio->ptr = ptr; }\n\nvoid *BIO_get_data(BIO *bio) { return bio->ptr; }\n\nvoid BIO_set_init(BIO *bio, int init) { bio->init = init; }\n\nint BIO_get_init(BIO *bio) { return bio->init; }\n\nvoid BIO_set_shutdown(BIO *bio, int shutdown) { bio->shutdown = shutdown; }\n\nint BIO_get_shutdown(BIO *bio) { return bio->shutdown; }\n\nint BIO_meth_set_puts(BIO_METHOD *method, int (*puts)(BIO *, const char *)) {\n // Ignore the parameter. We implement |BIO_puts| using |BIO_write|.\n return 1;\n}\n\nint BIO_get_ex_new_index(long argl, void *argp, //\n CRYPTO_EX_unused *unused, //\n CRYPTO_EX_dup *dup_unused, //\n CRYPTO_EX_free *free_func) {\n return CRYPTO_get_ex_new_index_ex(&g_ex_data_class, argl, argp, free_func);\n}\n\nint BIO_set_ex_data(BIO *bio, int idx, void *data) {\n return CRYPTO_set_ex_data(&bio->ex_data, idx, data);\n}\n\nvoid *BIO_get_ex_data(const BIO *bio, int idx) {\n return CRYPTO_get_ex_data(&bio->ex_data, idx);\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/bio/bio_mem.cc", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n#include \n\n#include \n#include \n#include \n\n#include \"../internal.h\"\n\n\nBIO *BIO_new_mem_buf(const void *buf, ossl_ssize_t len) {\n BIO *ret;\n BUF_MEM *b;\n const size_t size = len < 0 ? strlen((char *)buf) : (size_t)len;\n\n if (!buf && len != 0) {\n OPENSSL_PUT_ERROR(BIO, BIO_R_NULL_PARAMETER);\n return NULL;\n }\n\n ret = BIO_new(BIO_s_mem());\n if (ret == NULL) {\n return NULL;\n }\n\n b = (BUF_MEM *)ret->ptr;\n // BIO_FLAGS_MEM_RDONLY ensures |b->data| is not written to.\n b->data = reinterpret_cast(const_cast(buf));\n b->length = size;\n b->max = size;\n\n ret->flags |= BIO_FLAGS_MEM_RDONLY;\n\n // |num| is used to store the value that this BIO will return when it runs\n // out of data. If it's negative then the retry flags will also be set. Since\n // this is static data, retrying wont help\n ret->num = 0;\n\n return ret;\n}\n\nstatic int mem_new(BIO *bio) {\n BUF_MEM *b;\n\n b = BUF_MEM_new();\n if (b == NULL) {\n return 0;\n }\n\n // |shutdown| is used to store the close flag: whether the BIO has ownership\n // of the BUF_MEM.\n bio->shutdown = 1;\n bio->init = 1;\n bio->num = -1;\n bio->ptr = (char *)b;\n\n return 1;\n}\n\nstatic int mem_free(BIO *bio) {\n if (!bio->shutdown || !bio->init || bio->ptr == NULL) {\n return 1;\n }\n\n BUF_MEM *b = (BUF_MEM *)bio->ptr;\n if (bio->flags & BIO_FLAGS_MEM_RDONLY) {\n b->data = NULL;\n }\n BUF_MEM_free(b);\n bio->ptr = NULL;\n return 1;\n}\n\nstatic int mem_read(BIO *bio, char *out, int outl) {\n BIO_clear_retry_flags(bio);\n if (outl <= 0) {\n return 0;\n }\n\n BUF_MEM *b = reinterpret_cast(bio->ptr);\n int ret = outl;\n if ((size_t)ret > b->length) {\n ret = (int)b->length;\n }\n\n if (ret > 0) {\n OPENSSL_memcpy(out, b->data, ret);\n b->length -= ret;\n if (bio->flags & BIO_FLAGS_MEM_RDONLY) {\n b->data += ret;\n } else {\n OPENSSL_memmove(b->data, &b->data[ret], b->length);\n }\n } else if (b->length == 0) {\n ret = bio->num;\n if (ret != 0) {\n BIO_set_retry_read(bio);\n }\n }\n return ret;\n}\n\nstatic int mem_write(BIO *bio, const char *in, int inl) {\n BIO_clear_retry_flags(bio);\n if (inl <= 0) {\n return 0; // Successfully write zero bytes.\n }\n\n if (bio->flags & BIO_FLAGS_MEM_RDONLY) {\n OPENSSL_PUT_ERROR(BIO, BIO_R_WRITE_TO_READ_ONLY_BIO);\n return -1;\n }\n\n BUF_MEM *b = reinterpret_cast(bio->ptr);\n if (!BUF_MEM_append(b, in, inl)) {\n return -1;\n }\n\n return inl;\n}\n\nstatic int mem_gets(BIO *bio, char *buf, int size) {\n BIO_clear_retry_flags(bio);\n if (size <= 0) {\n return 0;\n }\n\n // The buffer size includes space for the trailing NUL, so we can read at most\n // one fewer byte.\n BUF_MEM *b = reinterpret_cast(bio->ptr);\n int ret = size - 1;\n if ((size_t)ret > b->length) {\n ret = (int)b->length;\n }\n\n // Stop at the first newline.\n const char *newline =\n reinterpret_cast(OPENSSL_memchr(b->data, '\\n', ret));\n if (newline != NULL) {\n ret = (int)(newline - b->data + 1);\n }\n\n ret = mem_read(bio, buf, ret);\n if (ret >= 0) {\n buf[ret] = '\\0';\n }\n return ret;\n}\n\nstatic long mem_ctrl(BIO *bio, int cmd, long num, void *ptr) {\n long ret = 1;\n\n BUF_MEM *b = (BUF_MEM *)bio->ptr;\n\n switch (cmd) {\n case BIO_CTRL_RESET:\n if (b->data != NULL) {\n // For read only case reset to the start again\n if (bio->flags & BIO_FLAGS_MEM_RDONLY) {\n b->data -= b->max - b->length;\n b->length = b->max;\n } else {\n OPENSSL_memset(b->data, 0, b->max);\n b->length = 0;\n }\n }\n break;\n case BIO_CTRL_EOF:\n ret = (long)(b->length == 0);\n break;\n case BIO_C_SET_BUF_MEM_EOF_RETURN:\n bio->num = (int)num;\n break;\n case BIO_CTRL_INFO:\n ret = (long)b->length;\n if (ptr != NULL) {\n char **pptr = reinterpret_cast(ptr);\n *pptr = b->data;\n }\n break;\n case BIO_C_SET_BUF_MEM:\n mem_free(bio);\n bio->shutdown = (int)num;\n bio->ptr = ptr;\n break;\n case BIO_C_GET_BUF_MEM_PTR:\n if (ptr != NULL) {\n BUF_MEM **pptr = reinterpret_cast(ptr);\n *pptr = b;\n }\n break;\n case BIO_CTRL_GET_CLOSE:\n ret = (long)bio->shutdown;\n break;\n case BIO_CTRL_SET_CLOSE:\n bio->shutdown = (int)num;\n break;\n\n case BIO_CTRL_WPENDING:\n ret = 0L;\n break;\n case BIO_CTRL_PENDING:\n ret = (long)b->length;\n break;\n case BIO_CTRL_FLUSH:\n ret = 1;\n break;\n default:\n ret = 0;\n break;\n }\n return ret;\n}\n\nstatic const BIO_METHOD mem_method = {\n BIO_TYPE_MEM, \"memory buffer\",\n mem_write, mem_read,\n NULL /* puts */, mem_gets,\n mem_ctrl, mem_new,\n mem_free, NULL /* callback_ctrl */,\n};\n\nconst BIO_METHOD *BIO_s_mem(void) { return &mem_method; }\n\nint BIO_mem_contents(const BIO *bio, const uint8_t **out_contents,\n size_t *out_len) {\n const BUF_MEM *b;\n if (bio->method != &mem_method) {\n return 0;\n }\n\n b = (BUF_MEM *)bio->ptr;\n *out_contents = (uint8_t *)b->data;\n *out_len = b->length;\n return 1;\n}\n\nlong BIO_get_mem_data(BIO *bio, char **contents) {\n return BIO_ctrl(bio, BIO_CTRL_INFO, 0, contents);\n}\n\nint BIO_get_mem_ptr(BIO *bio, BUF_MEM **out) {\n return (int)BIO_ctrl(bio, BIO_C_GET_BUF_MEM_PTR, 0, out);\n}\n\nint BIO_set_mem_buf(BIO *bio, BUF_MEM *b, int take_ownership) {\n return (int)BIO_ctrl(bio, BIO_C_SET_BUF_MEM, take_ownership, b);\n}\n\nint BIO_set_mem_eof_return(BIO *bio, int eof_value) {\n return (int)BIO_ctrl(bio, BIO_C_SET_BUF_MEM_EOF_RETURN, eof_value, NULL);\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/bio/connect.cc", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#if !defined(OPENSSL_NO_SOCK)\n\n#include \n#include \n#include \n\n#if !defined(OPENSSL_WINDOWS)\n#include \n#include \n#include \n#include \n#else\nOPENSSL_MSVC_PRAGMA(warning(push, 3))\n#include \n#include \nOPENSSL_MSVC_PRAGMA(warning(pop))\n#endif\n\n#include \n#include \n\n#include \"../internal.h\"\n#include \"internal.h\"\n\n\nenum {\n BIO_CONN_S_BEFORE,\n BIO_CONN_S_BLOCKED_CONNECT,\n BIO_CONN_S_OK,\n};\n\nnamespace {\ntypedef struct bio_connect_st {\n int state;\n\n char *param_hostname;\n char *param_port;\n int nbio;\n\n unsigned short port;\n\n struct sockaddr_storage them;\n socklen_t them_length;\n\n // the file descriptor is kept in bio->num in order to match the socket\n // BIO.\n\n // info_callback is called when the connection is initially made\n // callback(BIO,state,ret); The callback should return 'ret', state is for\n // compatibility with the SSL info_callback.\n int (*info_callback)(const BIO *bio, int state, int ret);\n} BIO_CONNECT;\n} // namespace\n\n#if !defined(OPENSSL_WINDOWS)\nstatic int closesocket(int sock) { return close(sock); }\n#endif\n\n// split_host_and_port sets |*out_host| and |*out_port| to the host and port\n// parsed from |name|. It returns one on success or zero on error. Even when\n// successful, |*out_port| may be NULL on return if no port was specified.\nstatic int split_host_and_port(char **out_host, char **out_port,\n const char *name) {\n const char *host, *port = NULL;\n size_t host_len = 0;\n\n *out_host = NULL;\n *out_port = NULL;\n\n if (name[0] == '[') { // bracketed IPv6 address\n const char *close = strchr(name, ']');\n if (close == NULL) {\n return 0;\n }\n host = name + 1;\n host_len = close - host;\n if (close[1] == ':') { // [IP]:port\n port = close + 2;\n } else if (close[1] != 0) {\n return 0;\n }\n } else {\n const char *colon = strchr(name, ':');\n if (colon == NULL || strchr(colon + 1, ':') != NULL) { // IPv6 address\n host = name;\n host_len = strlen(name);\n } else { // host:port\n host = name;\n host_len = colon - name;\n port = colon + 1;\n }\n }\n\n *out_host = OPENSSL_strndup(host, host_len);\n if (*out_host == NULL) {\n return 0;\n }\n if (port == NULL) {\n *out_port = NULL;\n return 1;\n }\n *out_port = OPENSSL_strdup(port);\n if (*out_port == NULL) {\n OPENSSL_free(*out_host);\n *out_host = NULL;\n return 0;\n }\n return 1;\n}\n\nstatic int conn_state(BIO *bio, BIO_CONNECT *c) {\n int ret = -1, i;\n int (*cb)(const BIO *, int, int) = NULL;\n\n if (c->info_callback != NULL) {\n cb = c->info_callback;\n }\n\n for (;;) {\n switch (c->state) {\n case BIO_CONN_S_BEFORE:\n // If there's a hostname and a port, assume that both are\n // exactly what they say. If there is only a hostname, try\n // (just once) to split it into a hostname and port.\n\n if (c->param_hostname == NULL) {\n OPENSSL_PUT_ERROR(BIO, BIO_R_NO_HOSTNAME_SPECIFIED);\n goto exit_loop;\n }\n\n if (c->param_port == NULL) {\n char *host, *port;\n if (!split_host_and_port(&host, &port, c->param_hostname) ||\n port == NULL) {\n OPENSSL_free(host);\n OPENSSL_free(port);\n OPENSSL_PUT_ERROR(BIO, BIO_R_NO_PORT_SPECIFIED);\n ERR_add_error_data(2, \"host=\", c->param_hostname);\n goto exit_loop;\n }\n\n OPENSSL_free(c->param_port);\n c->param_port = port;\n OPENSSL_free(c->param_hostname);\n c->param_hostname = host;\n }\n\n if (!bio_ip_and_port_to_socket_and_addr(\n &bio->num, &c->them, &c->them_length, c->param_hostname,\n c->param_port)) {\n OPENSSL_PUT_ERROR(BIO, BIO_R_UNABLE_TO_CREATE_SOCKET);\n ERR_add_error_data(4, \"host=\", c->param_hostname, \":\", c->param_port);\n goto exit_loop;\n }\n\n if (c->nbio) {\n if (!bio_socket_nbio(bio->num, 1)) {\n OPENSSL_PUT_ERROR(BIO, BIO_R_ERROR_SETTING_NBIO);\n ERR_add_error_data(4, \"host=\", c->param_hostname, \":\",\n c->param_port);\n goto exit_loop;\n }\n }\n\n i = 1;\n ret = setsockopt(bio->num, SOL_SOCKET, SO_KEEPALIVE, (char *)&i,\n sizeof(i));\n if (ret < 0) {\n OPENSSL_PUT_SYSTEM_ERROR();\n OPENSSL_PUT_ERROR(BIO, BIO_R_KEEPALIVE);\n ERR_add_error_data(4, \"host=\", c->param_hostname, \":\", c->param_port);\n goto exit_loop;\n }\n\n BIO_clear_retry_flags(bio);\n ret = connect(bio->num, (struct sockaddr *)&c->them, c->them_length);\n if (ret < 0) {\n if (bio_socket_should_retry(ret)) {\n BIO_set_flags(bio, (BIO_FLAGS_IO_SPECIAL | BIO_FLAGS_SHOULD_RETRY));\n c->state = BIO_CONN_S_BLOCKED_CONNECT;\n bio->retry_reason = BIO_RR_CONNECT;\n } else {\n OPENSSL_PUT_SYSTEM_ERROR();\n OPENSSL_PUT_ERROR(BIO, BIO_R_CONNECT_ERROR);\n ERR_add_error_data(4, \"host=\", c->param_hostname, \":\",\n c->param_port);\n }\n goto exit_loop;\n } else {\n c->state = BIO_CONN_S_OK;\n }\n break;\n\n case BIO_CONN_S_BLOCKED_CONNECT:\n i = bio_sock_error(bio->num);\n if (i) {\n if (bio_socket_should_retry(ret)) {\n BIO_set_flags(bio, (BIO_FLAGS_IO_SPECIAL | BIO_FLAGS_SHOULD_RETRY));\n c->state = BIO_CONN_S_BLOCKED_CONNECT;\n bio->retry_reason = BIO_RR_CONNECT;\n ret = -1;\n } else {\n BIO_clear_retry_flags(bio);\n OPENSSL_PUT_SYSTEM_ERROR();\n OPENSSL_PUT_ERROR(BIO, BIO_R_NBIO_CONNECT_ERROR);\n ERR_add_error_data(4, \"host=\", c->param_hostname, \":\",\n c->param_port);\n ret = 0;\n }\n goto exit_loop;\n } else {\n c->state = BIO_CONN_S_OK;\n }\n break;\n\n case BIO_CONN_S_OK:\n ret = 1;\n goto exit_loop;\n default:\n assert(0);\n goto exit_loop;\n }\n\n if (cb != NULL) {\n ret = cb((BIO *)bio, c->state, ret);\n if (ret == 0) {\n goto end;\n }\n }\n }\n\nexit_loop:\n if (cb != NULL) {\n ret = cb((BIO *)bio, c->state, ret);\n }\n\nend:\n return ret;\n}\n\nstatic BIO_CONNECT *BIO_CONNECT_new(void) {\n BIO_CONNECT *ret =\n reinterpret_cast(OPENSSL_zalloc(sizeof(BIO_CONNECT)));\n if (ret == NULL) {\n return NULL;\n }\n ret->state = BIO_CONN_S_BEFORE;\n return ret;\n}\n\nstatic void BIO_CONNECT_free(BIO_CONNECT *c) {\n if (c == nullptr) {\n return;\n }\n OPENSSL_free(c->param_hostname);\n OPENSSL_free(c->param_port);\n OPENSSL_free(c);\n}\n\nstatic int conn_new(BIO *bio) {\n bio->init = 0;\n bio->num = -1;\n bio->flags = 0;\n bio->ptr = BIO_CONNECT_new();\n return bio->ptr != NULL;\n}\n\nstatic void conn_close_socket(BIO *bio) {\n BIO_CONNECT *c = (BIO_CONNECT *)bio->ptr;\n\n if (bio->num == -1) {\n return;\n }\n\n // Only do a shutdown if things were established\n if (c->state == BIO_CONN_S_OK) {\n shutdown(bio->num, 2);\n }\n closesocket(bio->num);\n bio->num = -1;\n}\n\nstatic int conn_free(BIO *bio) {\n if (bio->shutdown) {\n conn_close_socket(bio);\n }\n\n BIO_CONNECT_free((BIO_CONNECT *)bio->ptr);\n\n return 1;\n}\n\nstatic int conn_read(BIO *bio, char *out, int out_len) {\n int ret = 0;\n BIO_CONNECT *data;\n\n data = (BIO_CONNECT *)bio->ptr;\n if (data->state != BIO_CONN_S_OK) {\n ret = conn_state(bio, data);\n if (ret <= 0) {\n return ret;\n }\n }\n\n bio_clear_socket_error();\n ret = (int)recv(bio->num, out, out_len, 0);\n BIO_clear_retry_flags(bio);\n if (ret <= 0) {\n if (bio_socket_should_retry(ret)) {\n BIO_set_retry_read(bio);\n }\n }\n\n return ret;\n}\n\nstatic int conn_write(BIO *bio, const char *in, int in_len) {\n int ret;\n BIO_CONNECT *data;\n\n data = (BIO_CONNECT *)bio->ptr;\n if (data->state != BIO_CONN_S_OK) {\n ret = conn_state(bio, data);\n if (ret <= 0) {\n return ret;\n }\n }\n\n bio_clear_socket_error();\n ret = (int)send(bio->num, in, in_len, 0);\n BIO_clear_retry_flags(bio);\n if (ret <= 0) {\n if (bio_socket_should_retry(ret)) {\n BIO_set_retry_write(bio);\n }\n }\n\n return ret;\n}\n\nstatic long conn_ctrl(BIO *bio, int cmd, long num, void *ptr) {\n int *ip;\n long ret = 1;\n BIO_CONNECT *data;\n\n data = (BIO_CONNECT *)bio->ptr;\n\n switch (cmd) {\n case BIO_CTRL_RESET:\n ret = 0;\n data->state = BIO_CONN_S_BEFORE;\n conn_close_socket(bio);\n bio->flags = 0;\n break;\n case BIO_C_DO_STATE_MACHINE:\n // use this one to start the connection\n if (data->state != BIO_CONN_S_OK) {\n ret = (long)conn_state(bio, data);\n } else {\n ret = 1;\n }\n break;\n case BIO_C_SET_CONNECT:\n if (ptr != NULL) {\n bio->init = 1;\n if (num == 0) {\n OPENSSL_free(data->param_hostname);\n data->param_hostname =\n OPENSSL_strdup(reinterpret_cast(ptr));\n if (data->param_hostname == NULL) {\n ret = 0;\n }\n } else if (num == 1) {\n OPENSSL_free(data->param_port);\n data->param_port =\n OPENSSL_strdup(reinterpret_cast(ptr));\n if (data->param_port == NULL) {\n ret = 0;\n }\n } else {\n ret = 0;\n }\n }\n break;\n case BIO_C_SET_NBIO:\n data->nbio = (int)num;\n break;\n case BIO_C_GET_FD:\n if (bio->init) {\n ip = (int *)ptr;\n if (ip != NULL) {\n *ip = bio->num;\n }\n ret = bio->num;\n } else {\n ret = -1;\n }\n break;\n case BIO_CTRL_GET_CLOSE:\n ret = bio->shutdown;\n break;\n case BIO_CTRL_SET_CLOSE:\n bio->shutdown = (int)num;\n break;\n case BIO_CTRL_PENDING:\n case BIO_CTRL_WPENDING:\n ret = 0;\n break;\n case BIO_CTRL_FLUSH:\n break;\n case BIO_CTRL_GET_CALLBACK: {\n int (**fptr)(const BIO *bio, int state, int xret);\n fptr = reinterpret_cast(ptr);\n *fptr = data->info_callback;\n } break;\n default:\n ret = 0;\n break;\n }\n return ret;\n}\n\nstatic long conn_callback_ctrl(BIO *bio, int cmd, bio_info_cb fp) {\n long ret = 1;\n BIO_CONNECT *data;\n\n data = (BIO_CONNECT *)bio->ptr;\n\n switch (cmd) {\n case BIO_CTRL_SET_CALLBACK:\n // This is the actual type signature of |fp|. The caller is expected to\n // cast it to |bio_info_cb| due to the |BIO_callback_ctrl| calling\n // convention.\n OPENSSL_MSVC_PRAGMA(warning(push))\n OPENSSL_MSVC_PRAGMA(warning(disable : 4191))\n OPENSSL_CLANG_PRAGMA(\"clang diagnostic push\")\n OPENSSL_CLANG_PRAGMA(\n \"clang diagnostic ignored \\\"-Wunknown-warning-option\\\"\")\n OPENSSL_CLANG_PRAGMA(\"clang diagnostic ignored \\\"-Wcast-function-type\\\"\")\n data->info_callback = (int (*)(const struct bio_st *, int, int))fp;\n OPENSSL_CLANG_PRAGMA(\"clang diagnostic pop\")\n OPENSSL_MSVC_PRAGMA(warning(pop))\n break;\n default:\n ret = 0;\n break;\n }\n return ret;\n}\n\nBIO *BIO_new_connect(const char *hostname) {\n BIO *ret;\n\n ret = BIO_new(BIO_s_connect());\n if (ret == NULL) {\n return NULL;\n }\n if (!BIO_set_conn_hostname(ret, hostname)) {\n BIO_free(ret);\n return NULL;\n }\n return ret;\n}\n\nstatic const BIO_METHOD methods_connectp = {\n BIO_TYPE_CONNECT, \"socket connect\", conn_write, conn_read,\n NULL /* puts */, NULL /* gets */, conn_ctrl, conn_new,\n conn_free, conn_callback_ctrl,\n};\n\nconst BIO_METHOD *BIO_s_connect(void) { return &methods_connectp; }\n\nint BIO_set_conn_hostname(BIO *bio, const char *name) {\n return (int)BIO_ctrl(bio, BIO_C_SET_CONNECT, 0, (void *)name);\n}\n\nint BIO_set_conn_port(BIO *bio, const char *port_str) {\n return (int)BIO_ctrl(bio, BIO_C_SET_CONNECT, 1, (void *)port_str);\n}\n\nint BIO_set_conn_int_port(BIO *bio, const int *port) {\n char buf[DECIMAL_SIZE(int) + 1];\n snprintf(buf, sizeof(buf), \"%d\", *port);\n return BIO_set_conn_port(bio, buf);\n}\n\nint BIO_set_nbio(BIO *bio, int on) {\n return (int)BIO_ctrl(bio, BIO_C_SET_NBIO, on, NULL);\n}\n\nint BIO_do_connect(BIO *bio) {\n return (int)BIO_ctrl(bio, BIO_C_DO_STATE_MACHINE, 0, NULL);\n}\n\n#endif // OPENSSL_NO_SOCK\n" }, { "path": "Sources/CNIOBoringSSL/crypto/bio/errno.cc", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n\n#include \"internal.h\"\n\n\nint bio_errno_should_retry(int return_value) {\n if (return_value != -1) {\n return 0;\n }\n\n return\n#ifdef EWOULDBLOCK\n errno == EWOULDBLOCK ||\n#endif\n#ifdef ENOTCONN\n errno == ENOTCONN ||\n#endif\n#ifdef EINTR\n errno == EINTR ||\n#endif\n#ifdef EAGAIN\n errno == EAGAIN ||\n#endif\n#ifdef EPROTO\n errno == EPROTO ||\n#endif\n#ifdef EINPROGRESS\n errno == EINPROGRESS ||\n#endif\n#ifdef EALREADY\n errno == EALREADY ||\n#endif\n 0;\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/bio/fd.cc", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#if !defined(OPENSSL_NO_POSIX_IO)\n\n#include \n#include \n\n#if !defined(OPENSSL_WINDOWS)\n#include \n#else\n#include \n#endif\n\n#include \n#include \n\n#include \"internal.h\"\n#include \"../internal.h\"\n\n\n#if defined(OPENSSL_WINDOWS)\n #define BORINGSSL_CLOSE _close\n #define BORINGSSL_LSEEK _lseek\n #define BORINGSSL_READ _read\n #define BORINGSSL_WRITE _write\n#else\n #define BORINGSSL_CLOSE close\n #define BORINGSSL_LSEEK lseek\n #define BORINGSSL_READ read\n #define BORINGSSL_WRITE write\n#endif\n\nBIO *BIO_new_fd(int fd, int close_flag) {\n BIO *ret = BIO_new(BIO_s_fd());\n if (ret == NULL) {\n return NULL;\n }\n BIO_set_fd(ret, fd, close_flag);\n return ret;\n}\n\nstatic int fd_new(BIO *bio) {\n // num is used to store the file descriptor.\n bio->num = -1;\n return 1;\n}\n\nstatic int fd_free(BIO *bio) {\n if (bio->shutdown) {\n if (bio->init) {\n BORINGSSL_CLOSE(bio->num);\n }\n bio->init = 0;\n }\n return 1;\n}\n\nstatic int fd_read(BIO *b, char *out, int outl) {\n int ret = 0;\n\n ret = (int)BORINGSSL_READ(b->num, out, outl);\n BIO_clear_retry_flags(b);\n if (ret <= 0) {\n if (bio_errno_should_retry(ret)) {\n BIO_set_retry_read(b);\n }\n }\n\n return ret;\n}\n\nstatic int fd_write(BIO *b, const char *in, int inl) {\n int ret = (int)BORINGSSL_WRITE(b->num, in, inl);\n BIO_clear_retry_flags(b);\n if (ret <= 0) {\n if (bio_errno_should_retry(ret)) {\n BIO_set_retry_write(b);\n }\n }\n\n return ret;\n}\n\nstatic long fd_ctrl(BIO *b, int cmd, long num, void *ptr) {\n long ret = 1;\n int *ip;\n\n switch (cmd) {\n case BIO_CTRL_RESET:\n num = 0;\n [[fallthrough]];\n case BIO_C_FILE_SEEK:\n ret = 0;\n if (b->init) {\n ret = (long)BORINGSSL_LSEEK(b->num, num, SEEK_SET);\n }\n break;\n case BIO_C_FILE_TELL:\n case BIO_CTRL_INFO:\n ret = 0;\n if (b->init) {\n ret = (long)BORINGSSL_LSEEK(b->num, 0, SEEK_CUR);\n }\n break;\n case BIO_C_SET_FD:\n fd_free(b);\n b->num = *((int *)ptr);\n b->shutdown = (int)num;\n b->init = 1;\n break;\n case BIO_C_GET_FD:\n if (b->init) {\n ip = (int *)ptr;\n if (ip != NULL) {\n *ip = b->num;\n }\n return b->num;\n } else {\n ret = -1;\n }\n break;\n case BIO_CTRL_GET_CLOSE:\n ret = b->shutdown;\n break;\n case BIO_CTRL_SET_CLOSE:\n b->shutdown = (int)num;\n break;\n case BIO_CTRL_PENDING:\n case BIO_CTRL_WPENDING:\n ret = 0;\n break;\n case BIO_CTRL_FLUSH:\n ret = 1;\n break;\n default:\n ret = 0;\n break;\n }\n\n return ret;\n}\n\nstatic int fd_gets(BIO *bp, char *buf, int size) {\n if (size <= 0) {\n return 0;\n }\n\n char *ptr = buf;\n char *end = buf + size - 1;\n while (ptr < end && fd_read(bp, ptr, 1) > 0) {\n char c = ptr[0];\n ptr++;\n if (c == '\\n') {\n break;\n }\n }\n\n ptr[0] = '\\0';\n\n // The output length is bounded by |size|.\n return (int)(ptr - buf);\n}\n\nstatic const BIO_METHOD methods_fdp = {\n BIO_TYPE_FD, \"file descriptor\", fd_write, fd_read, NULL /* puts */,\n fd_gets, fd_ctrl, fd_new, fd_free, NULL /* callback_ctrl */,\n};\n\nconst BIO_METHOD *BIO_s_fd(void) { return &methods_fdp; }\n\n#endif // OPENSSL_NO_POSIX_IO\n\nint BIO_set_fd(BIO *bio, int fd, int close_flag) {\n return (int)BIO_int_ctrl(bio, BIO_C_SET_FD, close_flag, fd);\n}\n\nint BIO_get_fd(BIO *bio, int *out_fd) {\n return (int)BIO_ctrl(bio, BIO_C_GET_FD, 0, (char *) out_fd);\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/bio/file.cc", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#if defined(__linux) || defined(__sun) || defined(__hpux)\n// Following definition aliases fopen to fopen64 on above mentioned\n// platforms. This makes it possible to open and sequentially access\n// files larger than 2GB from 32-bit application. It does not allow to\n// traverse them beyond 2GB with fseek/ftell, but on the other hand *no*\n// 32-bit platform permits that, not with fseek/ftell. Not to mention\n// that breaking 2GB limit for seeking would require surgery to *our*\n// API. But sequential access suffices for practical cases when you\n// can run into large files, such as fingerprinting, so we can let API\n// alone. For reference, the list of 32-bit platforms which allow for\n// sequential access of large files without extra \"magic\" comprise *BSD,\n// Darwin, IRIX...\n#ifndef _FILE_OFFSET_BITS\n#define _FILE_OFFSET_BITS 64\n#endif\n#endif\n\n#include \n\n#include \n#include \n#include \n#include \n\n#include \n#include \n\n#include \"../internal.h\"\n\n#if defined(OPENSSL_WINDOWS)\n#include \n#include \n#endif\n\n#define BIO_FP_READ 0x02\n#define BIO_FP_WRITE 0x04\n#define BIO_FP_APPEND 0x08\n\n#if !defined(OPENSSL_NO_FILESYSTEM)\n#define fopen_if_available fopen\n#else\nstatic FILE *fopen_if_available(const char *path, const char *mode) {\n errno = ENOENT;\n return NULL;\n}\n#endif\n\nBIO *BIO_new_file(const char *filename, const char *mode) {\n BIO *ret;\n FILE *file;\n\n file = fopen_if_available(filename, mode);\n if (file == NULL) {\n OPENSSL_PUT_SYSTEM_ERROR();\n\n ERR_add_error_data(5, \"fopen('\", filename, \"','\", mode, \"')\");\n if (errno == ENOENT) {\n OPENSSL_PUT_ERROR(BIO, BIO_R_NO_SUCH_FILE);\n } else {\n OPENSSL_PUT_ERROR(BIO, BIO_R_SYS_LIB);\n }\n return NULL;\n }\n\n ret = BIO_new_fp(file, BIO_CLOSE);\n if (ret == NULL) {\n fclose(file);\n return NULL;\n }\n\n return ret;\n}\n\nBIO *BIO_new_fp(FILE *stream, int flags) {\n BIO *ret = BIO_new(BIO_s_file());\n if (ret == NULL) {\n return NULL;\n }\n\n BIO_set_fp(ret, stream, flags);\n return ret;\n}\n\nstatic int file_free(BIO *bio) {\n if (!bio->shutdown) {\n return 1;\n }\n\n if (bio->init && bio->ptr != NULL) {\n fclose(reinterpret_cast(bio->ptr));\n bio->ptr = NULL;\n }\n bio->init = 0;\n\n return 1;\n}\n\nstatic int file_read(BIO *b, char *out, int outl) {\n if (!b->init) {\n return 0;\n }\n\n size_t ret = fread(out, 1, outl, (FILE *)b->ptr);\n if (ret == 0 && ferror((FILE *)b->ptr)) {\n OPENSSL_PUT_SYSTEM_ERROR();\n OPENSSL_PUT_ERROR(BIO, ERR_R_SYS_LIB);\n return -1;\n }\n\n // fread reads at most |outl| bytes, so |ret| fits in an int.\n return (int)ret;\n}\n\nstatic int file_write(BIO *b, const char *in, int inl) {\n if (!b->init) {\n return 0;\n }\n\n int ret = (int)fwrite(in, inl, 1, (FILE *)b->ptr);\n if (ret > 0) {\n ret = inl;\n }\n return ret;\n}\n\nstatic long file_ctrl(BIO *b, int cmd, long num, void *ptr) {\n long ret = 1;\n FILE *fp = (FILE *)b->ptr;\n FILE **fpp;\n\n switch (cmd) {\n case BIO_CTRL_RESET:\n num = 0;\n [[fallthrough]];\n case BIO_C_FILE_SEEK:\n ret = (long)fseek(fp, num, 0);\n break;\n case BIO_CTRL_EOF:\n ret = (long)feof(fp);\n break;\n case BIO_C_FILE_TELL:\n case BIO_CTRL_INFO:\n ret = ftell(fp);\n break;\n case BIO_C_SET_FILE_PTR:\n file_free(b);\n static_assert((BIO_CLOSE & BIO_FP_TEXT) == 0,\n \"BIO_CLOSE and BIO_FP_TEXT must not collide\");\n#if defined(OPENSSL_WINDOWS)\n // If |BIO_FP_TEXT| is not set, OpenSSL will switch the file to binary\n // mode. BoringSSL intentionally diverges here because it means code\n // tested under POSIX will inadvertently change the state of |FILE|\n // objects when wrapping them in a |BIO|.\n if (num & BIO_FP_TEXT) {\n _setmode(_fileno(reinterpret_cast(ptr)), _O_TEXT);\n }\n#endif\n b->shutdown = (int)num & BIO_CLOSE;\n b->ptr = ptr;\n b->init = 1;\n break;\n case BIO_C_SET_FILENAME:\n file_free(b);\n b->shutdown = (int)num & BIO_CLOSE;\n const char *mode;\n if (num & BIO_FP_APPEND) {\n if (num & BIO_FP_READ) {\n mode = \"ab+\";\n } else {\n mode = \"ab\";\n }\n } else if ((num & BIO_FP_READ) && (num & BIO_FP_WRITE)) {\n mode = \"rb+\";\n } else if (num & BIO_FP_WRITE) {\n mode = \"wb\";\n } else if (num & BIO_FP_READ) {\n mode = \"rb\";\n } else {\n OPENSSL_PUT_ERROR(BIO, BIO_R_BAD_FOPEN_MODE);\n ret = 0;\n break;\n }\n fp = fopen_if_available(reinterpret_cast(ptr), mode);\n if (fp == NULL) {\n OPENSSL_PUT_SYSTEM_ERROR();\n ERR_add_error_data(5, \"fopen('\", ptr, \"','\", mode, \"')\");\n OPENSSL_PUT_ERROR(BIO, ERR_R_SYS_LIB);\n ret = 0;\n break;\n }\n b->ptr = fp;\n b->init = 1;\n break;\n case BIO_C_GET_FILE_PTR:\n // the ptr parameter is actually a FILE ** in this case.\n if (ptr != NULL) {\n fpp = (FILE **)ptr;\n *fpp = (FILE *)b->ptr;\n }\n break;\n case BIO_CTRL_GET_CLOSE:\n ret = (long)b->shutdown;\n break;\n case BIO_CTRL_SET_CLOSE:\n b->shutdown = (int)num;\n break;\n case BIO_CTRL_FLUSH:\n ret = 0 == fflush((FILE *)b->ptr);\n break;\n case BIO_CTRL_WPENDING:\n case BIO_CTRL_PENDING:\n default:\n ret = 0;\n break;\n }\n return ret;\n}\n\nstatic int file_gets(BIO *bp, char *buf, int size) {\n if (size == 0) {\n return 0;\n }\n\n if (!fgets(buf, size, (FILE *)bp->ptr)) {\n buf[0] = 0;\n // TODO(davidben): This doesn't distinguish error and EOF. This should check\n // |ferror| as in |file_read|.\n return 0;\n }\n\n return (int)strlen(buf);\n}\n\nstatic const BIO_METHOD methods_filep = {\n BIO_TYPE_FILE, \"FILE pointer\",\n file_write, file_read,\n NULL /* puts */, file_gets,\n file_ctrl, NULL /* create */,\n file_free, NULL /* callback_ctrl */,\n};\n\nconst BIO_METHOD *BIO_s_file(void) { return &methods_filep; }\n\n\nint BIO_get_fp(BIO *bio, FILE **out_file) {\n return (int)BIO_ctrl(bio, BIO_C_GET_FILE_PTR, 0, (char *)out_file);\n}\n\nint BIO_set_fp(BIO *bio, FILE *file, int flags) {\n return (int)BIO_ctrl(bio, BIO_C_SET_FILE_PTR, flags, (char *)file);\n}\n\nint BIO_read_filename(BIO *bio, const char *filename) {\n return (int)BIO_ctrl(bio, BIO_C_SET_FILENAME, BIO_CLOSE | BIO_FP_READ,\n (char *)filename);\n}\n\nint BIO_write_filename(BIO *bio, const char *filename) {\n return (int)BIO_ctrl(bio, BIO_C_SET_FILENAME, BIO_CLOSE | BIO_FP_WRITE,\n (char *)filename);\n}\n\nint BIO_append_filename(BIO *bio, const char *filename) {\n return (int)BIO_ctrl(bio, BIO_C_SET_FILENAME, BIO_CLOSE | BIO_FP_APPEND,\n (char *)filename);\n}\n\nint BIO_rw_filename(BIO *bio, const char *filename) {\n return (int)BIO_ctrl(bio, BIO_C_SET_FILENAME,\n BIO_CLOSE | BIO_FP_READ | BIO_FP_WRITE,\n (char *)filename);\n}\n\nlong BIO_tell(BIO *bio) { return BIO_ctrl(bio, BIO_C_FILE_TELL, 0, NULL); }\n\nlong BIO_seek(BIO *bio, long offset) {\n return BIO_ctrl(bio, BIO_C_FILE_SEEK, offset, NULL);\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/bio/hexdump.cc", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n#include \n\n#include \"../internal.h\"\n\n\nnamespace {\n// hexdump_ctx contains the state of a hexdump.\nstruct hexdump_ctx {\n BIO *bio;\n char right_chars[18]; // the contents of the right-hand side, ASCII dump.\n unsigned used; // number of bytes in the current line.\n size_t n; // number of bytes total.\n unsigned indent;\n};\n} // namespace\n\nstatic void hexbyte(char *out, uint8_t b) {\n static const char hextable[] = \"0123456789abcdef\";\n out[0] = hextable[b >> 4];\n out[1] = hextable[b & 0x0f];\n}\n\nstatic char to_char(uint8_t b) {\n if (b < 32 || b > 126) {\n return '.';\n }\n return b;\n}\n\n// hexdump_write adds |len| bytes of |data| to the current hex dump described by\n// |ctx|.\nstatic int hexdump_write(struct hexdump_ctx *ctx, const uint8_t *data,\n size_t len) {\n char buf[10];\n unsigned l;\n\n // Output lines look like:\n // 00000010 2e 2f 30 31 32 33 34 35 36 37 38 ... 3c 3d // |./0123456789:;<=|\n // ^ offset ^ extra space ^ ASCII of line\n\n for (size_t i = 0; i < len; i++) {\n if (ctx->used == 0) {\n // The beginning of a line.\n BIO_indent(ctx->bio, ctx->indent, UINT_MAX);\n\n hexbyte(&buf[0], ctx->n >> 24);\n hexbyte(&buf[2], ctx->n >> 16);\n hexbyte(&buf[4], ctx->n >> 8);\n hexbyte(&buf[6], ctx->n);\n buf[8] = buf[9] = ' ';\n if (BIO_write(ctx->bio, buf, 10) < 0) {\n return 0;\n }\n }\n\n hexbyte(buf, data[i]);\n buf[2] = ' ';\n l = 3;\n if (ctx->used == 7) {\n // There's an additional space after the 8th byte.\n buf[3] = ' ';\n l = 4;\n } else if (ctx->used == 15) {\n // At the end of the line there's an extra space and the bar for the\n // right column.\n buf[3] = ' ';\n buf[4] = '|';\n l = 5;\n }\n\n if (BIO_write(ctx->bio, buf, l) < 0) {\n return 0;\n }\n ctx->right_chars[ctx->used] = to_char(data[i]);\n ctx->used++;\n ctx->n++;\n if (ctx->used == 16) {\n ctx->right_chars[16] = '|';\n ctx->right_chars[17] = '\\n';\n if (BIO_write(ctx->bio, ctx->right_chars, sizeof(ctx->right_chars)) < 0) {\n return 0;\n }\n ctx->used = 0;\n }\n }\n\n return 1;\n}\n\n// finish flushes any buffered data in |ctx|.\nstatic int finish(struct hexdump_ctx *ctx) {\n // See the comments in |hexdump| for the details of this format.\n const unsigned n_bytes = ctx->used;\n unsigned l;\n char buf[5];\n\n if (n_bytes == 0) {\n return 1;\n }\n\n OPENSSL_memset(buf, ' ', 4);\n buf[4] = '|';\n\n for (; ctx->used < 16; ctx->used++) {\n l = 3;\n if (ctx->used == 7) {\n l = 4;\n } else if (ctx->used == 15) {\n l = 5;\n }\n if (BIO_write(ctx->bio, buf, l) < 0) {\n return 0;\n }\n }\n\n ctx->right_chars[n_bytes] = '|';\n ctx->right_chars[n_bytes + 1] = '\\n';\n if (BIO_write(ctx->bio, ctx->right_chars, n_bytes + 2) < 0) {\n return 0;\n }\n return 1;\n}\n\nint BIO_hexdump(BIO *bio, const uint8_t *data, size_t len, unsigned indent) {\n struct hexdump_ctx ctx;\n OPENSSL_memset(&ctx, 0, sizeof(ctx));\n ctx.bio = bio;\n ctx.indent = indent;\n\n if (!hexdump_write(&ctx, data, len) || !finish(&ctx)) {\n return 0;\n }\n\n return 1;\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/bio/internal.h", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#ifndef OPENSSL_HEADER_BIO_INTERNAL_H\n#define OPENSSL_HEADER_BIO_INTERNAL_H\n\n#include \n\n#if !defined(OPENSSL_NO_SOCK)\n#if !defined(OPENSSL_WINDOWS)\n#if defined(OPENSSL_PNACL)\n// newlib uses u_short in socket.h without defining it.\ntypedef unsigned short u_short;\n#endif\n#include \n#include \n#else\nOPENSSL_MSVC_PRAGMA(warning(push, 3))\n#include \nOPENSSL_MSVC_PRAGMA(warning(pop))\ntypedef int socklen_t;\n#endif\n#endif // !OPENSSL_NO_SOCK\n\n#if defined(__cplusplus)\nextern \"C\" {\n#endif\n\n\n#if !defined(OPENSSL_NO_SOCK)\n\n// bio_ip_and_port_to_socket_and_addr creates a socket and fills in |*out_addr|\n// and |*out_addr_length| with the correct values for connecting to |hostname|\n// on |port_str|. It returns one on success or zero on error.\nint bio_ip_and_port_to_socket_and_addr(int *out_sock,\n struct sockaddr_storage *out_addr,\n socklen_t *out_addr_length,\n const char *hostname,\n const char *port_str);\n\n// bio_socket_nbio sets whether |sock| is non-blocking. It returns one on\n// success and zero otherwise.\nint bio_socket_nbio(int sock, int on);\n\n// bio_clear_socket_error clears the last system socket error.\n//\n// TODO(fork): remove all callers of this.\nvoid bio_clear_socket_error(void);\n\n// bio_sock_error returns the last socket error on |sock|.\nint bio_sock_error(int sock);\n\n// bio_socket_should_retry returns non-zero if |return_value| indicates an error\n// and the last socket error indicates that it's non-fatal.\nint bio_socket_should_retry(int return_value);\n\n#endif // !OPENSSL_NO_SOCK\n\n// bio_errno_should_retry returns non-zero if |return_value| indicates an error\n// and |errno| indicates that it's non-fatal.\nint bio_errno_should_retry(int return_value);\n\n\n#if defined(__cplusplus)\n} // extern C\n#endif\n\n#endif // OPENSSL_HEADER_BIO_INTERNAL_H\n" }, { "path": "Sources/CNIOBoringSSL/crypto/bio/pair.cc", "content": "/*\n * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n#include \n\n#include \n#include \n\n#include \"../internal.h\"\n\n\nnamespace {\nstruct bio_bio_st {\n BIO *peer; // NULL if buf == NULL.\n // If peer != NULL, then peer->ptr is also a bio_bio_st,\n // and its \"peer\" member points back to us.\n // peer != NULL iff init != 0 in the BIO.\n\n // This is for what we write (i.e. reading uses peer's struct):\n int closed; // valid iff peer != NULL\n size_t len; // valid iff buf != NULL; 0 if peer == NULL\n size_t offset; // valid iff buf != NULL; 0 if len == 0\n size_t size;\n uint8_t *buf; // \"size\" elements (if != NULL)\n\n size_t request; // valid iff peer != NULL; 0 if len != 0,\n // otherwise set by peer to number of bytes\n // it (unsuccessfully) tried to read,\n // never more than buffer space (size-len) warrants.\n};\n} // namespace\n\nstatic int bio_new(BIO *bio) {\n struct bio_bio_st *b =\n reinterpret_cast(OPENSSL_zalloc(sizeof *b));\n if (b == NULL) {\n return 0;\n }\n\n b->size = 17 * 1024; // enough for one TLS record (just a default)\n bio->ptr = b;\n return 1;\n}\n\nstatic void bio_destroy_pair(BIO *bio) {\n struct bio_bio_st *b = reinterpret_cast(bio->ptr);\n BIO *peer_bio;\n struct bio_bio_st *peer_b;\n\n if (b == NULL) {\n return;\n }\n\n peer_bio = b->peer;\n if (peer_bio == NULL) {\n return;\n }\n\n peer_b = reinterpret_cast(peer_bio->ptr);\n\n assert(peer_b != NULL);\n assert(peer_b->peer == bio);\n\n peer_b->peer = NULL;\n peer_bio->init = 0;\n assert(peer_b->buf != NULL);\n peer_b->len = 0;\n peer_b->offset = 0;\n\n b->peer = NULL;\n bio->init = 0;\n assert(b->buf != NULL);\n b->len = 0;\n b->offset = 0;\n}\n\nstatic int bio_free(BIO *bio) {\n struct bio_bio_st *b = reinterpret_cast(bio->ptr);\n\n assert(b != NULL);\n\n if (b->peer) {\n bio_destroy_pair(bio);\n }\n\n OPENSSL_free(b->buf);\n OPENSSL_free(b);\n\n return 1;\n}\n\nstatic int bio_read(BIO *bio, char *buf, int size_) {\n size_t size = size_;\n size_t rest;\n struct bio_bio_st *b, *peer_b;\n\n BIO_clear_retry_flags(bio);\n\n if (!bio->init) {\n return 0;\n }\n\n b = reinterpret_cast(bio->ptr);\n assert(b != NULL);\n assert(b->peer != NULL);\n peer_b = reinterpret_cast(b->peer->ptr);\n assert(peer_b != NULL);\n assert(peer_b->buf != NULL);\n\n peer_b->request = 0; // will be set in \"retry_read\" situation\n\n if (buf == NULL || size == 0) {\n return 0;\n }\n\n if (peer_b->len == 0) {\n if (peer_b->closed) {\n return 0; // writer has closed, and no data is left\n } else {\n BIO_set_retry_read(bio); // buffer is empty\n if (size <= peer_b->size) {\n peer_b->request = size;\n } else {\n // don't ask for more than the peer can\n // deliver in one write\n peer_b->request = peer_b->size;\n }\n return -1;\n }\n }\n\n // we can read\n if (peer_b->len < size) {\n size = peer_b->len;\n }\n\n // now read \"size\" bytes\n rest = size;\n\n assert(rest > 0);\n // one or two iterations\n do {\n size_t chunk;\n\n assert(rest <= peer_b->len);\n if (peer_b->offset + rest <= peer_b->size) {\n chunk = rest;\n } else {\n // wrap around ring buffer\n chunk = peer_b->size - peer_b->offset;\n }\n assert(peer_b->offset + chunk <= peer_b->size);\n\n OPENSSL_memcpy(buf, peer_b->buf + peer_b->offset, chunk);\n\n peer_b->len -= chunk;\n if (peer_b->len) {\n peer_b->offset += chunk;\n assert(peer_b->offset <= peer_b->size);\n if (peer_b->offset == peer_b->size) {\n peer_b->offset = 0;\n }\n buf += chunk;\n } else {\n // buffer now empty, no need to advance \"buf\"\n assert(chunk == rest);\n peer_b->offset = 0;\n }\n rest -= chunk;\n } while (rest);\n\n // |size| is bounded by the buffer size, which fits in |int|.\n return (int)size;\n}\n\nstatic int bio_write(BIO *bio, const char *buf, int num_) {\n size_t num = num_;\n size_t rest;\n struct bio_bio_st *b;\n\n BIO_clear_retry_flags(bio);\n\n if (!bio->init || buf == NULL || num == 0) {\n return 0;\n }\n\n b = reinterpret_cast(bio->ptr);\n assert(b != NULL);\n assert(b->peer != NULL);\n assert(b->buf != NULL);\n\n b->request = 0;\n if (b->closed) {\n // we already closed\n OPENSSL_PUT_ERROR(BIO, BIO_R_BROKEN_PIPE);\n return -1;\n }\n\n assert(b->len <= b->size);\n\n if (b->len == b->size) {\n BIO_set_retry_write(bio); // buffer is full\n return -1;\n }\n\n // we can write\n if (num > b->size - b->len) {\n num = b->size - b->len;\n }\n\n // now write \"num\" bytes\n rest = num;\n\n assert(rest > 0);\n // one or two iterations\n do {\n size_t write_offset;\n size_t chunk;\n\n assert(b->len + rest <= b->size);\n\n write_offset = b->offset + b->len;\n if (write_offset >= b->size) {\n write_offset -= b->size;\n }\n // b->buf[write_offset] is the first byte we can write to.\n\n if (write_offset + rest <= b->size) {\n chunk = rest;\n } else {\n // wrap around ring buffer\n chunk = b->size - write_offset;\n }\n\n OPENSSL_memcpy(b->buf + write_offset, buf, chunk);\n\n b->len += chunk;\n\n assert(b->len <= b->size);\n\n rest -= chunk;\n buf += chunk;\n } while (rest);\n\n // |num| is bounded by the buffer size, which fits in |int|.\n return (int)num;\n}\n\nstatic int bio_make_pair(BIO *bio1, BIO *bio2, size_t writebuf1_len,\n size_t writebuf2_len) {\n struct bio_bio_st *b1, *b2;\n\n assert(bio1 != NULL);\n assert(bio2 != NULL);\n\n b1 = reinterpret_cast(bio1->ptr);\n b2 = reinterpret_cast(bio2->ptr);\n\n if (b1->peer != NULL || b2->peer != NULL) {\n OPENSSL_PUT_ERROR(BIO, BIO_R_IN_USE);\n return 0;\n }\n\n if (b1->buf == NULL) {\n if (writebuf1_len) {\n b1->size = writebuf1_len;\n }\n b1->buf = reinterpret_cast(OPENSSL_malloc(b1->size));\n if (b1->buf == NULL) {\n return 0;\n }\n b1->len = 0;\n b1->offset = 0;\n }\n\n if (b2->buf == NULL) {\n if (writebuf2_len) {\n b2->size = writebuf2_len;\n }\n b2->buf = reinterpret_cast(OPENSSL_malloc(b2->size));\n if (b2->buf == NULL) {\n return 0;\n }\n b2->len = 0;\n b2->offset = 0;\n }\n\n b1->peer = bio2;\n b1->closed = 0;\n b1->request = 0;\n b2->peer = bio1;\n b2->closed = 0;\n b2->request = 0;\n\n bio1->init = 1;\n bio2->init = 1;\n\n return 1;\n}\n\nstatic long bio_ctrl(BIO *bio, int cmd, long num, void *ptr) {\n long ret;\n struct bio_bio_st *b = reinterpret_cast(bio->ptr);\n\n assert(b != NULL);\n\n switch (cmd) {\n // Specific control codes first:\n case BIO_C_GET_WRITE_BUF_SIZE:\n ret = (long)b->size;\n break;\n\n case BIO_C_GET_WRITE_GUARANTEE:\n // How many bytes can the caller feed to the next write\n // without having to keep any?\n if (b->peer == NULL || b->closed) {\n ret = 0;\n } else {\n ret = (long)b->size - b->len;\n }\n break;\n\n case BIO_C_GET_READ_REQUEST:\n // If the peer unsuccessfully tried to read, how many bytes\n // were requested? (As with BIO_CTRL_PENDING, that number\n // can usually be treated as boolean.)\n ret = (long)b->request;\n break;\n\n case BIO_C_RESET_READ_REQUEST:\n // Reset request. (Can be useful after read attempts\n // at the other side that are meant to be non-blocking,\n // e.g. when probing SSL_read to see if any data is\n // available.)\n b->request = 0;\n ret = 1;\n break;\n\n case BIO_C_SHUTDOWN_WR:\n // similar to shutdown(..., SHUT_WR)\n b->closed = 1;\n ret = 1;\n break;\n\n\n // Standard control codes:\n case BIO_CTRL_GET_CLOSE:\n ret = bio->shutdown;\n break;\n\n case BIO_CTRL_SET_CLOSE:\n bio->shutdown = (int)num;\n ret = 1;\n break;\n\n case BIO_CTRL_PENDING:\n if (b->peer != NULL) {\n struct bio_bio_st *peer_b =\n reinterpret_cast(b->peer->ptr);\n ret = (long)peer_b->len;\n } else {\n ret = 0;\n }\n break;\n\n case BIO_CTRL_WPENDING:\n ret = 0;\n if (b->buf != NULL) {\n ret = (long)b->len;\n }\n break;\n\n case BIO_CTRL_FLUSH:\n ret = 1;\n break;\n\n case BIO_CTRL_EOF: {\n BIO *other_bio = reinterpret_cast(ptr);\n\n if (other_bio) {\n struct bio_bio_st *other_b =\n reinterpret_cast(other_bio->ptr);\n assert(other_b != NULL);\n ret = other_b->len == 0 && other_b->closed;\n } else {\n ret = 1;\n }\n } break;\n\n default:\n ret = 0;\n }\n return ret;\n}\n\n\nstatic const BIO_METHOD methods_biop = {\n BIO_TYPE_BIO, \"BIO pair\", bio_write, bio_read, NULL /* puts */,\n NULL /* gets */, bio_ctrl, bio_new, bio_free, NULL /* callback_ctrl */,\n};\n\nstatic const BIO_METHOD *bio_s_bio(void) { return &methods_biop; }\n\nint BIO_new_bio_pair(BIO **bio1_p, size_t writebuf1_len, BIO **bio2_p,\n size_t writebuf2_len) {\n BIO *bio1 = BIO_new(bio_s_bio());\n BIO *bio2 = BIO_new(bio_s_bio());\n if (bio1 == NULL || bio2 == NULL ||\n !bio_make_pair(bio1, bio2, writebuf1_len, writebuf2_len)) {\n BIO_free(bio1);\n BIO_free(bio2);\n *bio1_p = NULL;\n *bio2_p = NULL;\n return 0;\n }\n\n *bio1_p = bio1;\n *bio2_p = bio2;\n return 1;\n}\n\nsize_t BIO_ctrl_get_read_request(BIO *bio) {\n return BIO_ctrl(bio, BIO_C_GET_READ_REQUEST, 0, NULL);\n}\n\nsize_t BIO_ctrl_get_write_guarantee(BIO *bio) {\n return BIO_ctrl(bio, BIO_C_GET_WRITE_GUARANTEE, 0, NULL);\n}\n\nint BIO_shutdown_wr(BIO *bio) {\n return (int)BIO_ctrl(bio, BIO_C_SHUTDOWN_WR, 0, NULL);\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/bio/printf.cc", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n#include \n#include \n\n#include \n#include \n\nint BIO_printf(BIO *bio, const char *format, ...) {\n va_list args;\n char buf[256], *out, out_malloced = 0;\n int out_len, ret;\n\n va_start(args, format);\n out_len = vsnprintf(buf, sizeof(buf), format, args);\n va_end(args);\n if (out_len < 0) {\n return -1;\n }\n\n if ((size_t)out_len >= sizeof(buf)) {\n const size_t requested_len = (size_t)out_len;\n // The output was truncated. Note that vsnprintf's return value does not\n // include a trailing NUL, but the buffer must be sized for it.\n out = reinterpret_cast(OPENSSL_malloc(requested_len + 1));\n out_malloced = 1;\n if (out == NULL) {\n return -1;\n }\n va_start(args, format);\n out_len = vsnprintf(out, requested_len + 1, format, args);\n va_end(args);\n assert(out_len == (int)requested_len);\n } else {\n out = buf;\n }\n\n ret = BIO_write(bio, out, out_len);\n if (out_malloced) {\n OPENSSL_free(out);\n }\n\n return ret;\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/bio/socket.cc", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#if !defined(OPENSSL_NO_SOCK)\n\n#include \n#include \n\n#if !defined(OPENSSL_WINDOWS)\n#include \n#else\nOPENSSL_MSVC_PRAGMA(warning(push, 3))\n#include \nOPENSSL_MSVC_PRAGMA(warning(pop))\n\nOPENSSL_MSVC_PRAGMA(comment(lib, \"Ws2_32.lib\"))\n#endif\n\n#include \"internal.h\"\n\n\n#if !defined(OPENSSL_WINDOWS)\nstatic int closesocket(int sock) {\n return close(sock);\n}\n#endif\n\nstatic int sock_free(BIO *bio) {\n if (bio->shutdown) {\n if (bio->init) {\n closesocket(bio->num);\n }\n bio->init = 0;\n bio->flags = 0;\n }\n return 1;\n}\n\nstatic int sock_read(BIO *b, char *out, int outl) {\n if (out == NULL) {\n return 0;\n }\n\n bio_clear_socket_error();\n#if defined(OPENSSL_WINDOWS)\n int ret = recv(b->num, out, outl, 0);\n#else\n int ret = (int)read(b->num, out, outl);\n#endif\n BIO_clear_retry_flags(b);\n if (ret <= 0) {\n if (bio_socket_should_retry(ret)) {\n BIO_set_retry_read(b);\n }\n }\n return ret;\n}\n\nstatic int sock_write(BIO *b, const char *in, int inl) {\n bio_clear_socket_error();\n#if defined(OPENSSL_WINDOWS)\n int ret = send(b->num, in, inl, 0);\n#else\n int ret = (int)write(b->num, in, inl);\n#endif\n BIO_clear_retry_flags(b);\n if (ret <= 0) {\n if (bio_socket_should_retry(ret)) {\n BIO_set_retry_write(b);\n }\n }\n return ret;\n}\n\nstatic long sock_ctrl(BIO *b, int cmd, long num, void *ptr) {\n long ret = 1;\n int *ip;\n\n switch (cmd) {\n case BIO_C_SET_FD:\n sock_free(b);\n b->num = *((int *)ptr);\n b->shutdown = (int)num;\n b->init = 1;\n break;\n case BIO_C_GET_FD:\n if (b->init) {\n ip = (int *)ptr;\n if (ip != NULL) {\n *ip = b->num;\n }\n ret = b->num;\n } else {\n ret = -1;\n }\n break;\n case BIO_CTRL_GET_CLOSE:\n ret = b->shutdown;\n break;\n case BIO_CTRL_SET_CLOSE:\n b->shutdown = (int)num;\n break;\n case BIO_CTRL_FLUSH:\n ret = 1;\n break;\n default:\n ret = 0;\n break;\n }\n return ret;\n}\n\nstatic const BIO_METHOD methods_sockp = {\n BIO_TYPE_SOCKET, \"socket\",\n sock_write, sock_read,\n NULL /* puts */, NULL /* gets, */,\n sock_ctrl, NULL /* create */,\n sock_free, NULL /* callback_ctrl */,\n};\n\nconst BIO_METHOD *BIO_s_socket(void) { return &methods_sockp; }\n\nBIO *BIO_new_socket(int fd, int close_flag) {\n BIO *ret;\n\n ret = BIO_new(BIO_s_socket());\n if (ret == NULL) {\n return NULL;\n }\n BIO_set_fd(ret, fd, close_flag);\n return ret;\n}\n\n#endif // OPENSSL_NO_SOCK\n" }, { "path": "Sources/CNIOBoringSSL/crypto/bio/socket_helper.cc", "content": "/* Copyright 2014 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n#if defined(__linux__)\n#undef _POSIX_C_SOURCE\n#define _POSIX_C_SOURCE 200112L\n#endif\n\n#include \n#include \n\n#if !defined(OPENSSL_NO_SOCK)\n\n#include \n#include \n#include \n\n#if !defined(OPENSSL_WINDOWS)\n#include \n#include \n#else\nOPENSSL_MSVC_PRAGMA(warning(push, 3))\n#include \n#include \nOPENSSL_MSVC_PRAGMA(warning(pop))\n#endif\n\n#include \"internal.h\"\n#include \"../internal.h\"\n\n\nint bio_ip_and_port_to_socket_and_addr(int *out_sock,\n struct sockaddr_storage *out_addr,\n socklen_t *out_addr_length,\n const char *hostname,\n const char *port_str) {\n struct addrinfo hint, *result, *cur;\n int ret;\n\n *out_sock = -1;\n\n OPENSSL_memset(&hint, 0, sizeof(hint));\n hint.ai_family = AF_UNSPEC;\n hint.ai_socktype = SOCK_STREAM;\n\n ret = getaddrinfo(hostname, port_str, &hint, &result);\n if (ret != 0) {\n OPENSSL_PUT_ERROR(SYS, 0);\n#if defined(OPENSSL_WINDOWS)\n ERR_add_error_data(1, gai_strerrorA(ret));\n#else\n ERR_add_error_data(1, gai_strerror(ret));\n#endif\n return 0;\n }\n\n ret = 0;\n\n for (cur = result; cur; cur = cur->ai_next) {\n if ((size_t) cur->ai_addrlen > sizeof(struct sockaddr_storage)) {\n continue;\n }\n OPENSSL_memset(out_addr, 0, sizeof(struct sockaddr_storage));\n OPENSSL_memcpy(out_addr, cur->ai_addr, cur->ai_addrlen);\n *out_addr_length = cur->ai_addrlen;\n\n *out_sock = socket(cur->ai_family, cur->ai_socktype, cur->ai_protocol);\n if (*out_sock < 0) {\n OPENSSL_PUT_SYSTEM_ERROR();\n goto out;\n }\n\n ret = 1;\n break;\n }\n\nout:\n freeaddrinfo(result);\n return ret;\n}\n\nint bio_socket_nbio(int sock, int on) {\n#if defined(OPENSSL_WINDOWS)\n u_long arg = on;\n\n return 0 == ioctlsocket(sock, FIONBIO, &arg);\n#else\n int flags = fcntl(sock, F_GETFL, 0);\n if (flags < 0) {\n return 0;\n }\n if (!on) {\n flags &= ~O_NONBLOCK;\n } else {\n flags |= O_NONBLOCK;\n }\n return fcntl(sock, F_SETFL, flags) == 0;\n#endif\n}\n\nvoid bio_clear_socket_error(void) {}\n\nint bio_sock_error(int sock) {\n int error;\n socklen_t error_size = sizeof(error);\n\n if (getsockopt(sock, SOL_SOCKET, SO_ERROR, (char *)&error, &error_size) < 0) {\n return 1;\n }\n return error;\n}\n\nint bio_socket_should_retry(int return_value) {\n#if defined(OPENSSL_WINDOWS)\n return return_value == -1 && WSAGetLastError() == WSAEWOULDBLOCK;\n#else\n // On POSIX platforms, sockets and fds are the same.\n return bio_errno_should_retry(return_value);\n#endif\n}\n\n#endif // OPENSSL_NO_SOCK\n" }, { "path": "Sources/CNIOBoringSSL/crypto/blake2/blake2.cc", "content": "/* Copyright 2021 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n#include \n\n#include \n\n#include \"../internal.h\"\n\n// https://tools.ietf.org/html/rfc7693#section-2.6\nstatic const uint64_t kIV[8] = {\n UINT64_C(0x6a09e667f3bcc908), UINT64_C(0xbb67ae8584caa73b),\n UINT64_C(0x3c6ef372fe94f82b), UINT64_C(0xa54ff53a5f1d36f1),\n UINT64_C(0x510e527fade682d1), UINT64_C(0x9b05688c2b3e6c1f),\n UINT64_C(0x1f83d9abfb41bd6b), UINT64_C(0x5be0cd19137e2179),\n};\n\n// https://tools.ietf.org/html/rfc7693#section-2.7\nstatic const uint8_t kSigma[10 * 16] = {\n // clang-format off\n 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15,\n 14, 10, 4, 8, 9, 15, 13, 6, 1, 12, 0, 2, 11, 7, 5, 3,\n 11, 8, 12, 0, 5, 2, 15, 13, 10, 14, 3, 6, 7, 1, 9, 4,\n 7, 9, 3, 1, 13, 12, 11, 14, 2, 6, 5, 10, 4, 0, 15, 8,\n 9, 0, 5, 7, 2, 4, 10, 15, 14, 1, 11, 12, 6, 8, 3, 13,\n 2, 12, 6, 10, 0, 11, 8, 3, 4, 13, 7, 5, 15, 14, 1, 9,\n 12, 5, 1, 15, 14, 13, 4, 10, 0, 7, 6, 3, 9, 2, 8, 11,\n 13, 11, 7, 14, 12, 1, 3, 9, 5, 0, 15, 4, 8, 6, 2, 10,\n 6, 15, 14, 9, 11, 3, 0, 8, 12, 2, 13, 7, 1, 4, 10, 5,\n 10, 2, 8, 4, 7, 6, 1, 5, 15, 11, 9, 14, 3, 12, 13, 0,\n // clang-format on\n};\n\n// https://tools.ietf.org/html/rfc7693#section-3.1\nstatic void blake2b_mix(uint64_t v[16], int a, int b, int c, int d, uint64_t x,\n uint64_t y) {\n v[a] = v[a] + v[b] + x;\n v[d] = CRYPTO_rotr_u64(v[d] ^ v[a], 32);\n v[c] = v[c] + v[d];\n v[b] = CRYPTO_rotr_u64(v[b] ^ v[c], 24);\n v[a] = v[a] + v[b] + y;\n v[d] = CRYPTO_rotr_u64(v[d] ^ v[a], 16);\n v[c] = v[c] + v[d];\n v[b] = CRYPTO_rotr_u64(v[b] ^ v[c], 63);\n}\n\nstatic uint64_t blake2b_load(const uint8_t block[BLAKE2B_CBLOCK], size_t i) {\n return CRYPTO_load_u64_le(block + 8 * i);\n}\n\nstatic void blake2b_transform(BLAKE2B_CTX *b2b,\n const uint8_t block[BLAKE2B_CBLOCK],\n size_t num_bytes, int is_final_block) {\n // https://tools.ietf.org/html/rfc7693#section-3.2\n uint64_t v[16];\n static_assert(sizeof(v) == sizeof(b2b->h) + sizeof(kIV), \"\");\n OPENSSL_memcpy(v, b2b->h, sizeof(b2b->h));\n OPENSSL_memcpy(&v[8], kIV, sizeof(kIV));\n\n b2b->t_low += num_bytes;\n if (b2b->t_low < num_bytes) {\n b2b->t_high++;\n }\n v[12] ^= b2b->t_low;\n v[13] ^= b2b->t_high;\n\n if (is_final_block) {\n v[14] = ~v[14];\n }\n\n for (int round = 0; round < 12; round++) {\n const uint8_t *const s = &kSigma[16 * (round % 10)];\n blake2b_mix(v, 0, 4, 8, 12, blake2b_load(block, s[0]),\n blake2b_load(block, s[1]));\n blake2b_mix(v, 1, 5, 9, 13, blake2b_load(block, s[2]),\n blake2b_load(block, s[3]));\n blake2b_mix(v, 2, 6, 10, 14, blake2b_load(block, s[4]),\n blake2b_load(block, s[5]));\n blake2b_mix(v, 3, 7, 11, 15, blake2b_load(block, s[6]),\n blake2b_load(block, s[7]));\n blake2b_mix(v, 0, 5, 10, 15, blake2b_load(block, s[8]),\n blake2b_load(block, s[9]));\n blake2b_mix(v, 1, 6, 11, 12, blake2b_load(block, s[10]),\n blake2b_load(block, s[11]));\n blake2b_mix(v, 2, 7, 8, 13, blake2b_load(block, s[12]),\n blake2b_load(block, s[13]));\n blake2b_mix(v, 3, 4, 9, 14, blake2b_load(block, s[14]),\n blake2b_load(block, s[15]));\n }\n\n for (size_t i = 0; i < OPENSSL_ARRAY_SIZE(b2b->h); i++) {\n b2b->h[i] ^= v[i];\n b2b->h[i] ^= v[i + 8];\n }\n}\n\nvoid BLAKE2B256_Init(BLAKE2B_CTX *b2b) {\n OPENSSL_memset(b2b, 0, sizeof(BLAKE2B_CTX));\n\n static_assert(sizeof(kIV) == sizeof(b2b->h), \"\");\n OPENSSL_memcpy(&b2b->h, kIV, sizeof(kIV));\n\n // https://tools.ietf.org/html/rfc7693#section-2.5\n b2b->h[0] ^= 0x01010000 | BLAKE2B256_DIGEST_LENGTH;\n}\n\nvoid BLAKE2B256_Update(BLAKE2B_CTX *b2b, const void *in_data, size_t len) {\n if (len == 0) {\n // Work around a C language bug. See https://crbug.com/1019588.\n return;\n }\n\n const uint8_t *data = reinterpret_cast(in_data);\n size_t todo = sizeof(b2b->block) - b2b->block_used;\n if (todo > len) {\n todo = len;\n }\n OPENSSL_memcpy(&b2b->block[b2b->block_used], data, todo);\n b2b->block_used += todo;\n data += todo;\n len -= todo;\n\n if (!len) {\n return;\n }\n\n // More input remains therefore we must have filled |b2b->block|.\n assert(b2b->block_used == BLAKE2B_CBLOCK);\n blake2b_transform(b2b, b2b->block, BLAKE2B_CBLOCK,\n /*is_final_block=*/0);\n b2b->block_used = 0;\n\n while (len > BLAKE2B_CBLOCK) {\n blake2b_transform(b2b, data, BLAKE2B_CBLOCK, /*is_final_block=*/0);\n data += BLAKE2B_CBLOCK;\n len -= BLAKE2B_CBLOCK;\n }\n\n OPENSSL_memcpy(b2b->block, data, len);\n b2b->block_used = len;\n}\n\nvoid BLAKE2B256_Final(uint8_t out[BLAKE2B256_DIGEST_LENGTH], BLAKE2B_CTX *b2b) {\n OPENSSL_memset(&b2b->block[b2b->block_used], 0,\n sizeof(b2b->block) - b2b->block_used);\n blake2b_transform(b2b, b2b->block, b2b->block_used,\n /*is_final_block=*/1);\n static_assert(BLAKE2B256_DIGEST_LENGTH <= sizeof(b2b->h), \"\");\n memcpy(out, b2b->h, BLAKE2B256_DIGEST_LENGTH);\n}\n\nvoid BLAKE2B256(const uint8_t *data, size_t len,\n uint8_t out[BLAKE2B256_DIGEST_LENGTH]) {\n BLAKE2B_CTX ctx;\n BLAKE2B256_Init(&ctx);\n BLAKE2B256_Update(&ctx, data, len);\n BLAKE2B256_Final(out, &ctx);\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/bn/bn_asn1.cc", "content": "/* Copyright 2015 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n#include \n\n#include \n#include \n\n\nint BN_parse_asn1_unsigned(CBS *cbs, BIGNUM *ret) {\n CBS child;\n int is_negative;\n if (!CBS_get_asn1(cbs, &child, CBS_ASN1_INTEGER) ||\n !CBS_is_valid_asn1_integer(&child, &is_negative)) {\n OPENSSL_PUT_ERROR(BN, BN_R_BAD_ENCODING);\n return 0;\n }\n\n if (is_negative) {\n OPENSSL_PUT_ERROR(BN, BN_R_NEGATIVE_NUMBER);\n return 0;\n }\n\n return BN_bin2bn(CBS_data(&child), CBS_len(&child), ret) != NULL;\n}\n\nint BN_marshal_asn1(CBB *cbb, const BIGNUM *bn) {\n // Negative numbers are unsupported.\n if (BN_is_negative(bn)) {\n OPENSSL_PUT_ERROR(BN, BN_R_NEGATIVE_NUMBER);\n return 0;\n }\n\n CBB child;\n if (!CBB_add_asn1(cbb, &child, CBS_ASN1_INTEGER) ||\n // The number must be padded with a leading zero if the high bit would\n // otherwise be set or if |bn| is zero.\n (BN_num_bits(bn) % 8 == 0 && !CBB_add_u8(&child, 0x00)) ||\n !BN_bn2cbb_padded(&child, BN_num_bytes(bn), bn) ||\n !CBB_flush(cbb)) {\n OPENSSL_PUT_ERROR(BN, BN_R_ENCODE_ERROR);\n return 0;\n }\n\n return 1;\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/bn/convert.cc", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n#include \n#include \n#include \n\n#include \n#include \n#include \n#include \n\n#include \"../fipsmodule/bn/internal.h\"\n\n\nint BN_bn2cbb_padded(CBB *out, size_t len, const BIGNUM *in) {\n uint8_t *ptr;\n return CBB_add_space(out, &ptr, len) && BN_bn2bin_padded(ptr, len, in);\n}\n\nstatic const char hextable[] = \"0123456789abcdef\";\n\nchar *BN_bn2hex(const BIGNUM *bn) {\n int width = bn_minimal_width(bn);\n char *buf = reinterpret_cast(\n OPENSSL_malloc(1 /* leading '-' */ + 1 /* zero is non-empty */ +\n width * BN_BYTES * 2 + 1 /* trailing NUL */));\n if (buf == NULL) {\n return NULL;\n }\n\n char *p = buf;\n if (bn->neg) {\n *(p++) = '-';\n }\n\n if (BN_is_zero(bn)) {\n *(p++) = '0';\n }\n\n int z = 0;\n for (int i = width - 1; i >= 0; i--) {\n for (int j = BN_BITS2 - 8; j >= 0; j -= 8) {\n // strip leading zeros\n int v = ((int)(bn->d[i] >> (long)j)) & 0xff;\n if (z || v != 0) {\n *(p++) = hextable[v >> 4];\n *(p++) = hextable[v & 0x0f];\n z = 1;\n }\n }\n }\n *p = '\\0';\n\n return buf;\n}\n\n// decode_hex decodes |in_len| bytes of hex data from |in| and updates |bn|.\nstatic int decode_hex(BIGNUM *bn, const char *in, int in_len) {\n if (in_len > INT_MAX / 4) {\n OPENSSL_PUT_ERROR(BN, BN_R_BIGNUM_TOO_LONG);\n return 0;\n }\n // |in_len| is the number of hex digits.\n if (!bn_expand(bn, in_len * 4)) {\n return 0;\n }\n\n int i = 0;\n while (in_len > 0) {\n // Decode one |BN_ULONG| at a time.\n int todo = BN_BYTES * 2;\n if (todo > in_len) {\n todo = in_len;\n }\n\n BN_ULONG word = 0;\n int j;\n for (j = todo; j > 0; j--) {\n uint8_t hex = 0;\n if (!OPENSSL_fromxdigit(&hex, in[in_len - j])) {\n // This shouldn't happen. The caller checks |OPENSSL_isxdigit|.\n assert(0);\n }\n word = (word << 4) | hex;\n }\n\n bn->d[i++] = word;\n in_len -= todo;\n }\n assert(i <= bn->dmax);\n bn->width = i;\n return 1;\n}\n\n// decode_dec decodes |in_len| bytes of decimal data from |in| and updates |bn|.\nstatic int decode_dec(BIGNUM *bn, const char *in, int in_len) {\n int i, j;\n BN_ULONG l = 0;\n\n // Decode |BN_DEC_NUM| digits at a time.\n j = BN_DEC_NUM - (in_len % BN_DEC_NUM);\n if (j == BN_DEC_NUM) {\n j = 0;\n }\n l = 0;\n for (i = 0; i < in_len; i++) {\n l *= 10;\n l += in[i] - '0';\n if (++j == BN_DEC_NUM) {\n if (!BN_mul_word(bn, BN_DEC_CONV) || !BN_add_word(bn, l)) {\n return 0;\n }\n l = 0;\n j = 0;\n }\n }\n return 1;\n}\n\ntypedef int (*decode_func)(BIGNUM *bn, const char *in, int in_len);\ntypedef int (*char_test_func)(int c);\n\nstatic int bn_x2bn(BIGNUM **outp, const char *in, decode_func decode,\n char_test_func want_char) {\n BIGNUM *ret = NULL;\n int neg = 0, i;\n int num;\n\n if (in == NULL || *in == 0) {\n return 0;\n }\n\n if (*in == '-') {\n neg = 1;\n in++;\n }\n\n for (i = 0; want_char((unsigned char)in[i]) && i + neg < INT_MAX; i++) {\n }\n\n num = i + neg;\n if (outp == NULL) {\n return num;\n }\n\n // in is the start of the hex digits, and it is 'i' long\n if (*outp == NULL) {\n ret = BN_new();\n if (ret == NULL) {\n return 0;\n }\n } else {\n ret = *outp;\n BN_zero(ret);\n }\n\n if (!decode(ret, in, i)) {\n goto err;\n }\n\n bn_set_minimal_width(ret);\n if (!BN_is_zero(ret)) {\n ret->neg = neg;\n }\n\n *outp = ret;\n return num;\n\nerr:\n if (*outp == NULL) {\n BN_free(ret);\n }\n\n return 0;\n}\n\nint BN_hex2bn(BIGNUM **outp, const char *in) {\n return bn_x2bn(outp, in, decode_hex, OPENSSL_isxdigit);\n}\n\nchar *BN_bn2dec(const BIGNUM *a) {\n // It is easier to print strings little-endian, so we assemble it in reverse\n // and fix at the end.\n BIGNUM *copy = NULL;\n CBB cbb;\n if (!CBB_init(&cbb, 16) || //\n !CBB_add_u8(&cbb, 0 /* trailing NUL */)) {\n goto err;\n }\n\n if (BN_is_zero(a)) {\n if (!CBB_add_u8(&cbb, '0')) {\n goto err;\n }\n } else {\n copy = BN_dup(a);\n if (copy == NULL) {\n goto err;\n }\n\n while (!BN_is_zero(copy)) {\n BN_ULONG word = BN_div_word(copy, BN_DEC_CONV);\n if (word == (BN_ULONG)-1) {\n goto err;\n }\n\n const int add_leading_zeros = !BN_is_zero(copy);\n for (int i = 0; i < BN_DEC_NUM && (add_leading_zeros || word != 0); i++) {\n if (!CBB_add_u8(&cbb, '0' + word % 10)) {\n goto err;\n }\n word /= 10;\n }\n assert(word == 0);\n }\n }\n\n if (BN_is_negative(a) && //\n !CBB_add_u8(&cbb, '-')) {\n goto err;\n }\n\n uint8_t *data;\n size_t len;\n if (!CBB_finish(&cbb, &data, &len)) {\n goto err;\n }\n\n // Reverse the buffer.\n for (size_t i = 0; i < len / 2; i++) {\n uint8_t tmp = data[i];\n data[i] = data[len - 1 - i];\n data[len - 1 - i] = tmp;\n }\n\n BN_free(copy);\n return (char *)data;\n\nerr:\n BN_free(copy);\n CBB_cleanup(&cbb);\n return NULL;\n}\n\nint BN_dec2bn(BIGNUM **outp, const char *in) {\n return bn_x2bn(outp, in, decode_dec, OPENSSL_isdigit);\n}\n\nint BN_asc2bn(BIGNUM **outp, const char *in) {\n const char *const orig_in = in;\n if (*in == '-') {\n in++;\n }\n\n if (in[0] == '0' && (in[1] == 'X' || in[1] == 'x')) {\n if (!BN_hex2bn(outp, in + 2)) {\n return 0;\n }\n } else {\n if (!BN_dec2bn(outp, in)) {\n return 0;\n }\n }\n\n if (*orig_in == '-' && !BN_is_zero(*outp)) {\n (*outp)->neg = 1;\n }\n\n return 1;\n}\n\nint BN_print(BIO *bp, const BIGNUM *a) {\n int i, j, v, z = 0;\n int ret = 0;\n\n if (a->neg && BIO_write(bp, \"-\", 1) != 1) {\n goto end;\n }\n\n if (BN_is_zero(a) && BIO_write(bp, \"0\", 1) != 1) {\n goto end;\n }\n\n for (i = bn_minimal_width(a) - 1; i >= 0; i--) {\n for (j = BN_BITS2 - 4; j >= 0; j -= 4) {\n // strip leading zeros\n v = ((int)(a->d[i] >> (long)j)) & 0x0f;\n if (z || v != 0) {\n if (BIO_write(bp, &hextable[v], 1) != 1) {\n goto end;\n }\n z = 1;\n }\n }\n }\n ret = 1;\n\nend:\n return ret;\n}\n\nint BN_print_fp(FILE *fp, const BIGNUM *a) {\n BIO *b = BIO_new_fp(fp, BIO_NOCLOSE);\n if (b == NULL) {\n return 0;\n }\n\n int ret = BN_print(b, a);\n BIO_free(b);\n return ret;\n}\n\n\nsize_t BN_bn2mpi(const BIGNUM *in, uint8_t *out) {\n const size_t bits = BN_num_bits(in);\n const size_t bytes = (bits + 7) / 8;\n // If the number of bits is a multiple of 8, i.e. if the MSB is set,\n // prefix with a zero byte.\n int extend = 0;\n if (bytes != 0 && (bits & 0x07) == 0) {\n extend = 1;\n }\n\n const size_t len = bytes + extend;\n if (len < bytes || 4 + len < len || (len & 0xffffffff) != len) {\n // If we cannot represent the number then we emit zero as the interface\n // doesn't allow an error to be signalled.\n if (out) {\n OPENSSL_memset(out, 0, 4);\n }\n return 4;\n }\n\n if (out == NULL) {\n return 4 + len;\n }\n\n out[0] = len >> 24;\n out[1] = len >> 16;\n out[2] = len >> 8;\n out[3] = len;\n if (extend) {\n out[4] = 0;\n }\n BN_bn2bin(in, out + 4 + extend);\n if (in->neg && len > 0) {\n out[4] |= 0x80;\n }\n return len + 4;\n}\n\nBIGNUM *BN_mpi2bn(const uint8_t *in, size_t len, BIGNUM *out) {\n if (len < 4) {\n OPENSSL_PUT_ERROR(BN, BN_R_BAD_ENCODING);\n return NULL;\n }\n const size_t in_len = ((size_t)in[0] << 24) | //\n ((size_t)in[1] << 16) | //\n ((size_t)in[2] << 8) | //\n ((size_t)in[3]);\n if (in_len != len - 4) {\n OPENSSL_PUT_ERROR(BN, BN_R_BAD_ENCODING);\n return NULL;\n }\n\n int out_is_alloced = 0;\n if (out == NULL) {\n out = BN_new();\n if (out == NULL) {\n return NULL;\n }\n out_is_alloced = 1;\n }\n\n if (in_len == 0) {\n BN_zero(out);\n return out;\n }\n\n in += 4;\n if (BN_bin2bn(in, in_len, out) == NULL) {\n if (out_is_alloced) {\n BN_free(out);\n }\n return NULL;\n }\n out->neg = ((*in) & 0x80) != 0;\n if (out->neg) {\n BN_clear_bit(out, BN_num_bits(out) - 1);\n }\n return out;\n}\n\nint BN_bn2binpad(const BIGNUM *in, uint8_t *out, int len) {\n if (len < 0 || //\n !BN_bn2bin_padded(out, (size_t)len, in)) {\n return -1;\n }\n return len;\n}\n\nint BN_bn2lebinpad(const BIGNUM *in, uint8_t *out, int len) {\n if (len < 0 || //\n !BN_bn2le_padded(out, (size_t)len, in)) {\n return -1;\n }\n return len;\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/buf/buf.cc", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n\n#include \n#include \n\n#include \"../internal.h\"\n\n\nBUF_MEM *BUF_MEM_new(void) {\n return reinterpret_cast(OPENSSL_zalloc(sizeof(BUF_MEM)));\n}\n\nvoid BUF_MEM_free(BUF_MEM *buf) {\n if (buf == nullptr) {\n return;\n }\n OPENSSL_free(buf->data);\n OPENSSL_free(buf);\n}\n\nint BUF_MEM_reserve(BUF_MEM *buf, size_t cap) {\n if (buf->max >= cap) {\n return 1;\n }\n\n size_t n = cap + 3;\n if (n < cap) {\n OPENSSL_PUT_ERROR(BUF, ERR_R_OVERFLOW);\n return 0;\n }\n n = n / 3;\n size_t alloc_size = n * 4;\n if (alloc_size / 4 != n) {\n OPENSSL_PUT_ERROR(BUF, ERR_R_OVERFLOW);\n return 0;\n }\n\n char *new_buf =\n reinterpret_cast(OPENSSL_realloc(buf->data, alloc_size));\n if (new_buf == NULL) {\n return 0;\n }\n\n buf->data = new_buf;\n buf->max = alloc_size;\n return 1;\n}\n\nsize_t BUF_MEM_grow(BUF_MEM *buf, size_t len) {\n if (!BUF_MEM_reserve(buf, len)) {\n return 0;\n }\n if (buf->length < len) {\n OPENSSL_memset(&buf->data[buf->length], 0, len - buf->length);\n }\n buf->length = len;\n return len;\n}\n\nsize_t BUF_MEM_grow_clean(BUF_MEM *buf, size_t len) {\n return BUF_MEM_grow(buf, len);\n}\n\nint BUF_MEM_append(BUF_MEM *buf, const void *in, size_t len) {\n // Work around a C language bug. See https://crbug.com/1019588.\n if (len == 0) {\n return 1;\n }\n size_t new_len = buf->length + len;\n if (new_len < len) {\n OPENSSL_PUT_ERROR(BUF, ERR_R_OVERFLOW);\n return 0;\n }\n if (!BUF_MEM_reserve(buf, new_len)) {\n return 0;\n }\n OPENSSL_memcpy(buf->data + buf->length, in, len);\n buf->length = new_len;\n return 1;\n}\n\nchar *BUF_strdup(const char *str) { return OPENSSL_strdup(str); }\n\nsize_t BUF_strnlen(const char *str, size_t max_len) {\n return OPENSSL_strnlen(str, max_len);\n}\n\nchar *BUF_strndup(const char *str, size_t size) {\n return OPENSSL_strndup(str, size);\n}\n\nsize_t BUF_strlcpy(char *dst, const char *src, size_t dst_size) {\n return OPENSSL_strlcpy(dst, src, dst_size);\n}\n\nsize_t BUF_strlcat(char *dst, const char *src, size_t dst_size) {\n return OPENSSL_strlcat(dst, src, dst_size);\n}\n\nvoid *BUF_memdup(const void *data, size_t size) {\n return OPENSSL_memdup(data, size);\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/bytestring/asn1_compat.cc", "content": "/* Copyright 2016 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n\n#include \n\n#include \n#include \n#include \n\n#include \n\n#include \"internal.h\"\n#include \"../internal.h\"\n\n\nint CBB_finish_i2d(CBB *cbb, uint8_t **outp) {\n assert(!cbb->is_child);\n assert(cbb->u.base.can_resize);\n\n uint8_t *der;\n size_t der_len;\n if (!CBB_finish(cbb, &der, &der_len)) {\n CBB_cleanup(cbb);\n return -1;\n }\n if (der_len > INT_MAX) {\n OPENSSL_free(der);\n return -1;\n }\n if (outp != NULL) {\n if (*outp == NULL) {\n *outp = der;\n der = NULL;\n } else {\n OPENSSL_memcpy(*outp, der, der_len);\n *outp += der_len;\n }\n }\n OPENSSL_free(der);\n return (int)der_len;\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/bytestring/ber.cc", "content": "/* Copyright 2014 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n#include \n\n#include \n#include \n\n#include \"internal.h\"\n\n\n// kMaxDepth limits the recursion depth to avoid overflowing the stack.\nstatic const uint32_t kMaxDepth = 128;\n\n// is_string_type returns one if |tag| is a string type and zero otherwise. It\n// ignores the constructed bit.\nstatic int is_string_type(CBS_ASN1_TAG tag) {\n // While BER supports constructed BIT STRINGS, OpenSSL misparses them. To\n // avoid acting on an ambiguous input, we do not support constructed BIT\n // STRINGS. See https://github.com/openssl/openssl/issues/12810.\n switch (tag & ~CBS_ASN1_CONSTRUCTED) {\n case CBS_ASN1_OCTETSTRING:\n case CBS_ASN1_UTF8STRING:\n case CBS_ASN1_NUMERICSTRING:\n case CBS_ASN1_PRINTABLESTRING:\n case CBS_ASN1_T61STRING:\n case CBS_ASN1_VIDEOTEXSTRING:\n case CBS_ASN1_IA5STRING:\n case CBS_ASN1_GRAPHICSTRING:\n case CBS_ASN1_VISIBLESTRING:\n case CBS_ASN1_GENERALSTRING:\n case CBS_ASN1_UNIVERSALSTRING:\n case CBS_ASN1_BMPSTRING:\n return 1;\n default:\n return 0;\n }\n}\n\n// cbs_find_ber walks an ASN.1 structure in |orig_in| and sets |*ber_found|\n// depending on whether an indefinite length element or constructed string was\n// found. The value of |orig_in| is not changed. It returns one on success (i.e.\n// |*ber_found| was set) and zero on error.\nstatic int cbs_find_ber(const CBS *orig_in, int *ber_found, uint32_t depth) {\n if (depth > kMaxDepth) {\n return 0;\n }\n\n CBS in = *orig_in;\n *ber_found = 0;\n\n while (CBS_len(&in) > 0) {\n CBS contents;\n CBS_ASN1_TAG tag;\n size_t header_len;\n int indefinite;\n if (!CBS_get_any_ber_asn1_element(&in, &contents, &tag, &header_len,\n ber_found, &indefinite)) {\n return 0;\n }\n if (*ber_found) {\n return 1;\n }\n if (tag & CBS_ASN1_CONSTRUCTED) {\n if (is_string_type(tag)) {\n // Constructed strings are only legal in BER and require conversion.\n *ber_found = 1;\n return 1;\n }\n if (!CBS_skip(&contents, header_len) ||\n !cbs_find_ber(&contents, ber_found, depth + 1)) {\n return 0;\n }\n if (*ber_found) {\n // We already found BER. No need to continue parsing.\n return 1;\n }\n }\n }\n\n return 1;\n}\n\n// cbs_get_eoc returns one if |cbs| begins with an \"end of contents\" (EOC) value\n// and zero otherwise. If an EOC was found, it advances |cbs| past it.\nstatic int cbs_get_eoc(CBS *cbs) {\n if (CBS_len(cbs) >= 2 &&\n CBS_data(cbs)[0] == 0 && CBS_data(cbs)[1] == 0) {\n return CBS_skip(cbs, 2);\n }\n return 0;\n}\n\n// cbs_convert_ber reads BER data from |in| and writes DER data to |out|. If\n// |string_tag| is non-zero, then all elements must match |string_tag| up to the\n// constructed bit and primitive element bodies are written to |out| without\n// element headers. This is used when concatenating the fragments of a\n// constructed string. If |looking_for_eoc| is set then any EOC elements found\n// will cause the function to return after consuming it. It returns one on\n// success and zero on error.\nstatic int cbs_convert_ber(CBS *in, CBB *out, CBS_ASN1_TAG string_tag,\n int looking_for_eoc, uint32_t depth) {\n assert(!(string_tag & CBS_ASN1_CONSTRUCTED));\n\n if (depth > kMaxDepth) {\n return 0;\n }\n\n while (CBS_len(in) > 0) {\n if (looking_for_eoc && cbs_get_eoc(in)) {\n return 1;\n }\n\n CBS contents;\n CBS_ASN1_TAG tag, child_string_tag = string_tag;\n size_t header_len;\n int indefinite;\n CBB *out_contents, out_contents_storage;\n if (!CBS_get_any_ber_asn1_element(in, &contents, &tag, &header_len,\n /*out_ber_found=*/NULL, &indefinite)) {\n return 0;\n }\n\n if (string_tag != 0) {\n // This is part of a constructed string. All elements must match\n // |string_tag| up to the constructed bit and get appended to |out|\n // without a child element.\n if ((tag & ~CBS_ASN1_CONSTRUCTED) != string_tag) {\n return 0;\n }\n out_contents = out;\n } else {\n CBS_ASN1_TAG out_tag = tag;\n if ((tag & CBS_ASN1_CONSTRUCTED) && is_string_type(tag)) {\n // If a constructed string, clear the constructed bit and inform\n // children to concatenate bodies.\n out_tag &= ~CBS_ASN1_CONSTRUCTED;\n child_string_tag = out_tag;\n }\n if (!CBB_add_asn1(out, &out_contents_storage, out_tag)) {\n return 0;\n }\n out_contents = &out_contents_storage;\n }\n\n if (indefinite) {\n if (!cbs_convert_ber(in, out_contents, child_string_tag,\n /*looking_for_eoc=*/1, depth + 1) ||\n !CBB_flush(out)) {\n return 0;\n }\n continue;\n }\n\n if (!CBS_skip(&contents, header_len)) {\n return 0;\n }\n\n if (tag & CBS_ASN1_CONSTRUCTED) {\n // Recurse into children.\n if (!cbs_convert_ber(&contents, out_contents, child_string_tag,\n /*looking_for_eoc=*/0, depth + 1)) {\n return 0;\n }\n } else {\n // Copy primitive contents as-is.\n if (!CBB_add_bytes(out_contents, CBS_data(&contents),\n CBS_len(&contents))) {\n return 0;\n }\n }\n\n if (!CBB_flush(out)) {\n return 0;\n }\n }\n\n return looking_for_eoc == 0;\n}\n\nint CBS_asn1_ber_to_der(CBS *in, CBS *out, uint8_t **out_storage) {\n CBB cbb;\n\n // First, do a quick walk to find any indefinite-length elements. Most of the\n // time we hope that there aren't any and thus we can quickly return.\n int conversion_needed;\n if (!cbs_find_ber(in, &conversion_needed, 0)) {\n return 0;\n }\n\n if (!conversion_needed) {\n if (!CBS_get_any_asn1_element(in, out, NULL, NULL)) {\n return 0;\n }\n *out_storage = NULL;\n return 1;\n }\n\n size_t len;\n if (!CBB_init(&cbb, CBS_len(in)) ||\n !cbs_convert_ber(in, &cbb, 0, 0, 0) ||\n !CBB_finish(&cbb, out_storage, &len)) {\n CBB_cleanup(&cbb);\n return 0;\n }\n\n CBS_init(out, *out_storage, len);\n return 1;\n}\n\nint CBS_get_asn1_implicit_string(CBS *in, CBS *out, uint8_t **out_storage,\n CBS_ASN1_TAG outer_tag,\n CBS_ASN1_TAG inner_tag) {\n assert(!(outer_tag & CBS_ASN1_CONSTRUCTED));\n assert(!(inner_tag & CBS_ASN1_CONSTRUCTED));\n assert(is_string_type(inner_tag));\n\n if (CBS_peek_asn1_tag(in, outer_tag)) {\n // Normal implicitly-tagged string.\n *out_storage = NULL;\n return CBS_get_asn1(in, out, outer_tag);\n }\n\n // Otherwise, try to parse an implicitly-tagged constructed string.\n // |CBS_asn1_ber_to_der| is assumed to have run, so only allow one level deep\n // of nesting.\n CBB result;\n CBS child;\n if (!CBB_init(&result, CBS_len(in)) ||\n !CBS_get_asn1(in, &child, outer_tag | CBS_ASN1_CONSTRUCTED)) {\n goto err;\n }\n\n while (CBS_len(&child) > 0) {\n CBS chunk;\n if (!CBS_get_asn1(&child, &chunk, inner_tag) ||\n !CBB_add_bytes(&result, CBS_data(&chunk), CBS_len(&chunk))) {\n goto err;\n }\n }\n\n uint8_t *data;\n size_t len;\n if (!CBB_finish(&result, &data, &len)) {\n goto err;\n }\n\n CBS_init(out, data, len);\n *out_storage = data;\n return 1;\n\nerr:\n CBB_cleanup(&result);\n return 0;\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/bytestring/cbb.cc", "content": "/* Copyright 2014 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n#include \n\n#include \n#include \n#include \n\n#include \n#include \n\n#include \"../internal.h\"\n\n\nvoid CBB_zero(CBB *cbb) { OPENSSL_memset(cbb, 0, sizeof(CBB)); }\n\nstatic void cbb_init(CBB *cbb, uint8_t *buf, size_t cap, int can_resize) {\n cbb->is_child = 0;\n cbb->child = NULL;\n cbb->u.base.buf = buf;\n cbb->u.base.len = 0;\n cbb->u.base.cap = cap;\n cbb->u.base.can_resize = can_resize;\n cbb->u.base.error = 0;\n}\n\nint CBB_init(CBB *cbb, size_t initial_capacity) {\n CBB_zero(cbb);\n\n uint8_t *buf = reinterpret_cast(OPENSSL_malloc(initial_capacity));\n if (initial_capacity > 0 && buf == NULL) {\n return 0;\n }\n\n cbb_init(cbb, buf, initial_capacity, /*can_resize=*/1);\n return 1;\n}\n\nint CBB_init_fixed(CBB *cbb, uint8_t *buf, size_t len) {\n CBB_zero(cbb);\n cbb_init(cbb, buf, len, /*can_resize=*/0);\n return 1;\n}\n\nvoid CBB_cleanup(CBB *cbb) {\n // Child |CBB|s are non-owning. They are implicitly discarded and should not\n // be used with |CBB_cleanup| or |ScopedCBB|.\n assert(!cbb->is_child);\n if (cbb->is_child) {\n return;\n }\n\n if (cbb->u.base.can_resize) {\n OPENSSL_free(cbb->u.base.buf);\n }\n}\n\nstatic int cbb_buffer_reserve(struct cbb_buffer_st *base, uint8_t **out,\n size_t len) {\n if (base == NULL) {\n return 0;\n }\n\n size_t newlen = base->len + len;\n if (newlen < base->len) {\n // Overflow\n OPENSSL_PUT_ERROR(CRYPTO, ERR_R_OVERFLOW);\n goto err;\n }\n\n if (newlen > base->cap) {\n if (!base->can_resize) {\n OPENSSL_PUT_ERROR(CRYPTO, ERR_R_OVERFLOW);\n goto err;\n }\n\n size_t newcap = base->cap * 2;\n if (newcap < base->cap || newcap < newlen) {\n newcap = newlen;\n }\n uint8_t *newbuf =\n reinterpret_cast(OPENSSL_realloc(base->buf, newcap));\n if (newbuf == NULL) {\n goto err;\n }\n\n base->buf = newbuf;\n base->cap = newcap;\n }\n\n if (out) {\n *out = base->buf + base->len;\n }\n\n return 1;\n\nerr:\n base->error = 1;\n return 0;\n}\n\nstatic int cbb_buffer_add(struct cbb_buffer_st *base, uint8_t **out,\n size_t len) {\n if (!cbb_buffer_reserve(base, out, len)) {\n return 0;\n }\n // This will not overflow or |cbb_buffer_reserve| would have failed.\n base->len += len;\n return 1;\n}\n\nint CBB_finish(CBB *cbb, uint8_t **out_data, size_t *out_len) {\n if (cbb->is_child) {\n OPENSSL_PUT_ERROR(CRYPTO, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);\n return 0;\n }\n\n if (!CBB_flush(cbb)) {\n return 0;\n }\n\n if (cbb->u.base.can_resize && (out_data == NULL || out_len == NULL)) {\n // |out_data| and |out_len| can only be NULL if the CBB is fixed.\n return 0;\n }\n\n if (out_data != NULL) {\n *out_data = cbb->u.base.buf;\n }\n if (out_len != NULL) {\n *out_len = cbb->u.base.len;\n }\n cbb->u.base.buf = NULL;\n CBB_cleanup(cbb);\n return 1;\n}\n\nstatic struct cbb_buffer_st *cbb_get_base(CBB *cbb) {\n if (cbb->is_child) {\n return cbb->u.child.base;\n }\n return &cbb->u.base;\n}\n\nstatic void cbb_on_error(CBB *cbb) {\n // Due to C's lack of destructors and |CBB|'s auto-flushing API, a failing\n // |CBB|-taking function may leave a dangling pointer to a child |CBB|. As a\n // result, the convention is callers may not write to |CBB|s that have failed.\n // But, as a safety measure, we lock the |CBB| into an error state. Once the\n // error bit is set, |cbb->child| will not be read.\n //\n // TODO(davidben): This still isn't quite ideal. A |CBB| function *outside*\n // this file may originate an error while the |CBB| points to a local child.\n // In that case we don't set the error bit and are reliant on the error\n // convention. Perhaps we allow |CBB_cleanup| on child |CBB|s and make every\n // child's |CBB_cleanup| set the error bit if unflushed. That will be\n // convenient for C++ callers, but very tedious for C callers. So C callers\n // perhaps should get a |CBB_on_error| function that can be, less tediously,\n // stuck in a |goto err| block.\n cbb_get_base(cbb)->error = 1;\n\n // Clearing the pointer is not strictly necessary, but GCC's dangling pointer\n // warning does not know |cbb->child| will not be read once |error| is set\n // above.\n cbb->child = NULL;\n}\n\n// CBB_flush recurses and then writes out any pending length prefix. The\n// current length of the underlying base is taken to be the length of the\n// length-prefixed data.\nint CBB_flush(CBB *cbb) {\n // If |base| has hit an error, the buffer is in an undefined state, so\n // fail all following calls. In particular, |cbb->child| may point to invalid\n // memory.\n struct cbb_buffer_st *base = cbb_get_base(cbb);\n if (base == NULL || base->error) {\n return 0;\n }\n\n if (cbb->child == NULL) {\n // Nothing to flush.\n return 1;\n }\n\n assert(cbb->child->is_child);\n struct cbb_child_st *child = &cbb->child->u.child;\n assert(child->base == base);\n size_t child_start = child->offset + child->pending_len_len;\n\n size_t len;\n if (!CBB_flush(cbb->child) || child_start < child->offset ||\n base->len < child_start) {\n goto err;\n }\n\n len = base->len - child_start;\n\n if (child->pending_is_asn1) {\n // For ASN.1 we assume that we'll only need a single byte for the length.\n // If that turned out to be incorrect, we have to move the contents along\n // in order to make space.\n uint8_t len_len;\n uint8_t initial_length_byte;\n\n assert(child->pending_len_len == 1);\n\n if (len > 0xfffffffe) {\n OPENSSL_PUT_ERROR(CRYPTO, ERR_R_OVERFLOW);\n // Too large.\n goto err;\n } else if (len > 0xffffff) {\n len_len = 5;\n initial_length_byte = 0x80 | 4;\n } else if (len > 0xffff) {\n len_len = 4;\n initial_length_byte = 0x80 | 3;\n } else if (len > 0xff) {\n len_len = 3;\n initial_length_byte = 0x80 | 2;\n } else if (len > 0x7f) {\n len_len = 2;\n initial_length_byte = 0x80 | 1;\n } else {\n len_len = 1;\n initial_length_byte = (uint8_t)len;\n len = 0;\n }\n\n if (len_len != 1) {\n // We need to move the contents along in order to make space.\n size_t extra_bytes = len_len - 1;\n if (!cbb_buffer_add(base, NULL, extra_bytes)) {\n goto err;\n }\n OPENSSL_memmove(base->buf + child_start + extra_bytes,\n base->buf + child_start, len);\n }\n base->buf[child->offset++] = initial_length_byte;\n child->pending_len_len = len_len - 1;\n }\n\n for (size_t i = child->pending_len_len - 1; i < child->pending_len_len; i--) {\n base->buf[child->offset + i] = (uint8_t)len;\n len >>= 8;\n }\n if (len != 0) {\n OPENSSL_PUT_ERROR(CRYPTO, ERR_R_OVERFLOW);\n goto err;\n }\n\n child->base = NULL;\n cbb->child = NULL;\n\n return 1;\n\nerr:\n cbb_on_error(cbb);\n return 0;\n}\n\nconst uint8_t *CBB_data(const CBB *cbb) {\n assert(cbb->child == NULL);\n if (cbb->is_child) {\n return cbb->u.child.base->buf + cbb->u.child.offset +\n cbb->u.child.pending_len_len;\n }\n return cbb->u.base.buf;\n}\n\nsize_t CBB_len(const CBB *cbb) {\n assert(cbb->child == NULL);\n if (cbb->is_child) {\n assert(cbb->u.child.offset + cbb->u.child.pending_len_len <=\n cbb->u.child.base->len);\n return cbb->u.child.base->len - cbb->u.child.offset -\n cbb->u.child.pending_len_len;\n }\n return cbb->u.base.len;\n}\n\nstatic int cbb_add_child(CBB *cbb, CBB *out_child, uint8_t len_len,\n int is_asn1) {\n assert(cbb->child == NULL);\n assert(!is_asn1 || len_len == 1);\n struct cbb_buffer_st *base = cbb_get_base(cbb);\n size_t offset = base->len;\n\n // Reserve space for the length prefix.\n uint8_t *prefix_bytes;\n if (!cbb_buffer_add(base, &prefix_bytes, len_len)) {\n return 0;\n }\n OPENSSL_memset(prefix_bytes, 0, len_len);\n\n CBB_zero(out_child);\n out_child->is_child = 1;\n out_child->u.child.base = base;\n out_child->u.child.offset = offset;\n out_child->u.child.pending_len_len = len_len;\n out_child->u.child.pending_is_asn1 = is_asn1;\n cbb->child = out_child;\n return 1;\n}\n\nstatic int cbb_add_length_prefixed(CBB *cbb, CBB *out_contents,\n uint8_t len_len) {\n if (!CBB_flush(cbb)) {\n return 0;\n }\n\n return cbb_add_child(cbb, out_contents, len_len, /*is_asn1=*/0);\n}\n\nint CBB_add_u8_length_prefixed(CBB *cbb, CBB *out_contents) {\n return cbb_add_length_prefixed(cbb, out_contents, 1);\n}\n\nint CBB_add_u16_length_prefixed(CBB *cbb, CBB *out_contents) {\n return cbb_add_length_prefixed(cbb, out_contents, 2);\n}\n\nint CBB_add_u24_length_prefixed(CBB *cbb, CBB *out_contents) {\n return cbb_add_length_prefixed(cbb, out_contents, 3);\n}\n\n// add_base128_integer encodes |v| as a big-endian base-128 integer where the\n// high bit of each byte indicates where there is more data. This is the\n// encoding used in DER for both high tag number form and OID components.\nstatic int add_base128_integer(CBB *cbb, uint64_t v) {\n unsigned len_len = 0;\n uint64_t copy = v;\n while (copy > 0) {\n len_len++;\n copy >>= 7;\n }\n if (len_len == 0) {\n len_len = 1; // Zero is encoded with one byte.\n }\n for (unsigned i = len_len - 1; i < len_len; i--) {\n uint8_t byte = (v >> (7 * i)) & 0x7f;\n if (i != 0) {\n // The high bit denotes whether there is more data.\n byte |= 0x80;\n }\n if (!CBB_add_u8(cbb, byte)) {\n return 0;\n }\n }\n return 1;\n}\n\nint CBB_add_asn1(CBB *cbb, CBB *out_contents, CBS_ASN1_TAG tag) {\n if (!CBB_flush(cbb)) {\n return 0;\n }\n\n // Split the tag into leading bits and tag number.\n uint8_t tag_bits = (tag >> CBS_ASN1_TAG_SHIFT) & 0xe0;\n CBS_ASN1_TAG tag_number = tag & CBS_ASN1_TAG_NUMBER_MASK;\n if (tag_number >= 0x1f) {\n // Set all the bits in the tag number to signal high tag number form.\n if (!CBB_add_u8(cbb, tag_bits | 0x1f) ||\n !add_base128_integer(cbb, tag_number)) {\n return 0;\n }\n } else if (!CBB_add_u8(cbb, tag_bits | tag_number)) {\n return 0;\n }\n\n // Reserve one byte of length prefix. |CBB_flush| will finish it later.\n return cbb_add_child(cbb, out_contents, /*len_len=*/1, /*is_asn1=*/1);\n}\n\nint CBB_add_bytes(CBB *cbb, const uint8_t *data, size_t len) {\n uint8_t *out;\n if (!CBB_add_space(cbb, &out, len)) {\n return 0;\n }\n OPENSSL_memcpy(out, data, len);\n return 1;\n}\n\nint CBB_add_zeros(CBB *cbb, size_t len) {\n uint8_t *out;\n if (!CBB_add_space(cbb, &out, len)) {\n return 0;\n }\n OPENSSL_memset(out, 0, len);\n return 1;\n}\n\nint CBB_add_space(CBB *cbb, uint8_t **out_data, size_t len) {\n if (!CBB_flush(cbb) || !cbb_buffer_add(cbb_get_base(cbb), out_data, len)) {\n return 0;\n }\n return 1;\n}\n\nint CBB_reserve(CBB *cbb, uint8_t **out_data, size_t len) {\n if (!CBB_flush(cbb) ||\n !cbb_buffer_reserve(cbb_get_base(cbb), out_data, len)) {\n return 0;\n }\n return 1;\n}\n\nint CBB_did_write(CBB *cbb, size_t len) {\n struct cbb_buffer_st *base = cbb_get_base(cbb);\n size_t newlen = base->len + len;\n if (cbb->child != NULL || newlen < base->len || newlen > base->cap) {\n return 0;\n }\n base->len = newlen;\n return 1;\n}\n\nstatic int cbb_add_u(CBB *cbb, uint64_t v, size_t len_len) {\n uint8_t *buf;\n if (!CBB_add_space(cbb, &buf, len_len)) {\n return 0;\n }\n\n for (size_t i = len_len - 1; i < len_len; i--) {\n buf[i] = v;\n v >>= 8;\n }\n\n // |v| must fit in |len_len| bytes.\n if (v != 0) {\n cbb_on_error(cbb);\n return 0;\n }\n\n return 1;\n}\n\nint CBB_add_u8(CBB *cbb, uint8_t value) { return cbb_add_u(cbb, value, 1); }\n\nint CBB_add_u16(CBB *cbb, uint16_t value) { return cbb_add_u(cbb, value, 2); }\n\nint CBB_add_u16le(CBB *cbb, uint16_t value) {\n return CBB_add_u16(cbb, CRYPTO_bswap2(value));\n}\n\nint CBB_add_u24(CBB *cbb, uint32_t value) { return cbb_add_u(cbb, value, 3); }\n\nint CBB_add_u32(CBB *cbb, uint32_t value) { return cbb_add_u(cbb, value, 4); }\n\nint CBB_add_u32le(CBB *cbb, uint32_t value) {\n return CBB_add_u32(cbb, CRYPTO_bswap4(value));\n}\n\nint CBB_add_u64(CBB *cbb, uint64_t value) { return cbb_add_u(cbb, value, 8); }\n\nint CBB_add_u64le(CBB *cbb, uint64_t value) {\n return CBB_add_u64(cbb, CRYPTO_bswap8(value));\n}\n\nvoid CBB_discard_child(CBB *cbb) {\n if (cbb->child == NULL) {\n return;\n }\n\n struct cbb_buffer_st *base = cbb_get_base(cbb);\n assert(cbb->child->is_child);\n base->len = cbb->child->u.child.offset;\n\n cbb->child->u.child.base = NULL;\n cbb->child = NULL;\n}\n\nint CBB_add_asn1_uint64(CBB *cbb, uint64_t value) {\n return CBB_add_asn1_uint64_with_tag(cbb, value, CBS_ASN1_INTEGER);\n}\n\nint CBB_add_asn1_uint64_with_tag(CBB *cbb, uint64_t value, CBS_ASN1_TAG tag) {\n CBB child;\n int started = 0;\n if (!CBB_add_asn1(cbb, &child, tag)) {\n goto err;\n }\n\n for (size_t i = 0; i < 8; i++) {\n uint8_t byte = (value >> 8 * (7 - i)) & 0xff;\n if (!started) {\n if (byte == 0) {\n // Don't encode leading zeros.\n continue;\n }\n // If the high bit is set, add a padding byte to make it\n // unsigned.\n if ((byte & 0x80) && !CBB_add_u8(&child, 0)) {\n goto err;\n }\n started = 1;\n }\n if (!CBB_add_u8(&child, byte)) {\n goto err;\n }\n }\n\n // 0 is encoded as a single 0, not the empty string.\n if (!started && !CBB_add_u8(&child, 0)) {\n goto err;\n }\n\n return CBB_flush(cbb);\n\nerr:\n cbb_on_error(cbb);\n return 0;\n}\n\nint CBB_add_asn1_int64(CBB *cbb, int64_t value) {\n return CBB_add_asn1_int64_with_tag(cbb, value, CBS_ASN1_INTEGER);\n}\n\nint CBB_add_asn1_int64_with_tag(CBB *cbb, int64_t value, CBS_ASN1_TAG tag) {\n if (value >= 0) {\n return CBB_add_asn1_uint64_with_tag(cbb, (uint64_t)value, tag);\n }\n\n uint8_t bytes[sizeof(int64_t)];\n memcpy(bytes, &value, sizeof(value));\n int start = 7;\n // Skip leading sign-extension bytes unless they are necessary.\n while (start > 0 && (bytes[start] == 0xff && (bytes[start - 1] & 0x80))) {\n start--;\n }\n\n CBB child;\n if (!CBB_add_asn1(cbb, &child, tag)) {\n goto err;\n }\n for (int i = start; i >= 0; i--) {\n if (!CBB_add_u8(&child, bytes[i])) {\n goto err;\n }\n }\n return CBB_flush(cbb);\n\nerr:\n cbb_on_error(cbb);\n return 0;\n}\n\nint CBB_add_asn1_octet_string(CBB *cbb, const uint8_t *data, size_t data_len) {\n CBB child;\n if (!CBB_add_asn1(cbb, &child, CBS_ASN1_OCTETSTRING) ||\n !CBB_add_bytes(&child, data, data_len) || !CBB_flush(cbb)) {\n cbb_on_error(cbb);\n return 0;\n }\n\n return 1;\n}\n\nint CBB_add_asn1_bool(CBB *cbb, int value) {\n CBB child;\n if (!CBB_add_asn1(cbb, &child, CBS_ASN1_BOOLEAN) ||\n !CBB_add_u8(&child, value != 0 ? 0xff : 0) || !CBB_flush(cbb)) {\n cbb_on_error(cbb);\n return 0;\n }\n\n return 1;\n}\n\n// parse_dotted_decimal parses one decimal component from |cbs|, where |cbs| is\n// an OID literal, e.g., \"1.2.840.113554.4.1.72585\". It consumes both the\n// component and the dot, so |cbs| may be passed into the function again for the\n// next value.\nstatic int parse_dotted_decimal(CBS *cbs, uint64_t *out) {\n if (!CBS_get_u64_decimal(cbs, out)) {\n return 0;\n }\n\n // The integer must have either ended at the end of the string, or a\n // non-terminal dot, which should be consumed. If the string ends with a dot,\n // this is not a valid OID string.\n uint8_t dot;\n return !CBS_get_u8(cbs, &dot) || (dot == '.' && CBS_len(cbs) > 0);\n}\n\nint CBB_add_asn1_oid_from_text(CBB *cbb, const char *text, size_t len) {\n if (!CBB_flush(cbb)) {\n return 0;\n }\n\n CBS cbs;\n CBS_init(&cbs, (const uint8_t *)text, len);\n\n // OIDs must have at least two components.\n uint64_t a, b;\n if (!parse_dotted_decimal(&cbs, &a) || !parse_dotted_decimal(&cbs, &b)) {\n return 0;\n }\n\n // The first component is encoded as 40 * |a| + |b|. This assumes that |a| is\n // 0, 1, or 2 and that, when it is 0 or 1, |b| is at most 39.\n if (a > 2 || (a < 2 && b > 39) || b > UINT64_MAX - 80 ||\n !add_base128_integer(cbb, 40u * a + b)) {\n return 0;\n }\n\n // The remaining components are encoded unmodified.\n while (CBS_len(&cbs) > 0) {\n if (!parse_dotted_decimal(&cbs, &a) || !add_base128_integer(cbb, a)) {\n return 0;\n }\n }\n\n return 1;\n}\n\nstatic int compare_set_of_element(const void *a_ptr, const void *b_ptr) {\n // See X.690, section 11.6 for the ordering. They are sorted in ascending\n // order by their DER encoding.\n const CBS *a = reinterpret_cast(a_ptr),\n *b = reinterpret_cast(b_ptr);\n size_t a_len = CBS_len(a), b_len = CBS_len(b);\n size_t min_len = a_len < b_len ? a_len : b_len;\n int ret = OPENSSL_memcmp(CBS_data(a), CBS_data(b), min_len);\n if (ret != 0) {\n return ret;\n }\n if (a_len == b_len) {\n return 0;\n }\n // If one is a prefix of the other, the shorter one sorts first. (This is not\n // actually reachable. No DER encoding is a prefix of another DER encoding.)\n return a_len < b_len ? -1 : 1;\n}\n\nint CBB_flush_asn1_set_of(CBB *cbb) {\n if (!CBB_flush(cbb)) {\n return 0;\n }\n\n CBS cbs;\n size_t num_children = 0;\n CBS_init(&cbs, CBB_data(cbb), CBB_len(cbb));\n while (CBS_len(&cbs) != 0) {\n if (!CBS_get_any_asn1_element(&cbs, NULL, NULL, NULL)) {\n OPENSSL_PUT_ERROR(CRYPTO, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);\n return 0;\n }\n num_children++;\n }\n\n if (num_children < 2) {\n return 1; // Nothing to do. This is the common case for X.509.\n }\n\n // Parse out the children and sort. We alias them into a copy of so they\n // remain valid as we rewrite |cbb|.\n int ret = 0;\n size_t buf_len = CBB_len(cbb);\n uint8_t *buf =\n reinterpret_cast(OPENSSL_memdup(CBB_data(cbb), buf_len));\n CBS *children =\n reinterpret_cast(OPENSSL_calloc(num_children, sizeof(CBS)));\n uint8_t *out;\n size_t offset = 0;\n if (buf == NULL || children == NULL) {\n goto err;\n }\n CBS_init(&cbs, buf, buf_len);\n for (size_t i = 0; i < num_children; i++) {\n if (!CBS_get_any_asn1_element(&cbs, &children[i], NULL, NULL)) {\n goto err;\n }\n }\n qsort(children, num_children, sizeof(CBS), compare_set_of_element);\n\n // Write the contents back in the new order.\n out = (uint8_t *)CBB_data(cbb);\n for (size_t i = 0; i < num_children; i++) {\n OPENSSL_memcpy(out + offset, CBS_data(&children[i]), CBS_len(&children[i]));\n offset += CBS_len(&children[i]);\n }\n assert(offset == buf_len);\n\n ret = 1;\n\nerr:\n OPENSSL_free(buf);\n OPENSSL_free(children);\n return ret;\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/bytestring/cbs.cc", "content": "/* Copyright 2014 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n#include \n#include \n#include \n\n#include \n#include \n#include \n#include \n\n#include \"../asn1/internal.h\"\n#include \"../internal.h\"\n#include \"internal.h\"\n\n\nstatic int cbs_get(CBS *cbs, const uint8_t **p, size_t n) {\n if (cbs->len < n) {\n return 0;\n }\n\n *p = cbs->data;\n cbs->data += n;\n cbs->len -= n;\n return 1;\n}\n\nint CBS_skip(CBS *cbs, size_t len) {\n const uint8_t *dummy;\n return cbs_get(cbs, &dummy, len);\n}\n\nint CBS_stow(const CBS *cbs, uint8_t **out_ptr, size_t *out_len) {\n OPENSSL_free(*out_ptr);\n *out_ptr = NULL;\n *out_len = 0;\n\n if (cbs->len == 0) {\n return 1;\n }\n *out_ptr = reinterpret_cast(OPENSSL_memdup(cbs->data, cbs->len));\n if (*out_ptr == NULL) {\n return 0;\n }\n *out_len = cbs->len;\n return 1;\n}\n\nint CBS_strdup(const CBS *cbs, char **out_ptr) {\n if (*out_ptr != NULL) {\n OPENSSL_free(*out_ptr);\n }\n *out_ptr = OPENSSL_strndup((const char *)cbs->data, cbs->len);\n return (*out_ptr != NULL);\n}\n\nint CBS_contains_zero_byte(const CBS *cbs) {\n return OPENSSL_memchr(cbs->data, 0, cbs->len) != NULL;\n}\n\nint CBS_mem_equal(const CBS *cbs, const uint8_t *data, size_t len) {\n if (len != cbs->len) {\n return 0;\n }\n return CRYPTO_memcmp(cbs->data, data, len) == 0;\n}\n\nstatic int cbs_get_u(CBS *cbs, uint64_t *out, size_t len) {\n uint64_t result = 0;\n const uint8_t *data;\n\n if (!cbs_get(cbs, &data, len)) {\n return 0;\n }\n for (size_t i = 0; i < len; i++) {\n result <<= 8;\n result |= data[i];\n }\n *out = result;\n return 1;\n}\n\nint CBS_get_u8(CBS *cbs, uint8_t *out) {\n const uint8_t *v;\n if (!cbs_get(cbs, &v, 1)) {\n return 0;\n }\n *out = *v;\n return 1;\n}\n\nint CBS_get_u16(CBS *cbs, uint16_t *out) {\n uint64_t v;\n if (!cbs_get_u(cbs, &v, 2)) {\n return 0;\n }\n *out = v;\n return 1;\n}\n\nint CBS_get_u16le(CBS *cbs, uint16_t *out) {\n if (!CBS_get_u16(cbs, out)) {\n return 0;\n }\n *out = CRYPTO_bswap2(*out);\n return 1;\n}\n\nint CBS_get_u24(CBS *cbs, uint32_t *out) {\n uint64_t v;\n if (!cbs_get_u(cbs, &v, 3)) {\n return 0;\n }\n *out = (uint32_t)v;\n return 1;\n}\n\nint CBS_get_u32(CBS *cbs, uint32_t *out) {\n uint64_t v;\n if (!cbs_get_u(cbs, &v, 4)) {\n return 0;\n }\n *out = (uint32_t)v;\n return 1;\n}\n\nint CBS_get_u32le(CBS *cbs, uint32_t *out) {\n if (!CBS_get_u32(cbs, out)) {\n return 0;\n }\n *out = CRYPTO_bswap4(*out);\n return 1;\n}\n\nint CBS_get_u64(CBS *cbs, uint64_t *out) { return cbs_get_u(cbs, out, 8); }\n\nint CBS_get_u64le(CBS *cbs, uint64_t *out) {\n if (!cbs_get_u(cbs, out, 8)) {\n return 0;\n }\n *out = CRYPTO_bswap8(*out);\n return 1;\n}\n\nint CBS_get_last_u8(CBS *cbs, uint8_t *out) {\n if (cbs->len == 0) {\n return 0;\n }\n *out = cbs->data[cbs->len - 1];\n cbs->len--;\n return 1;\n}\n\nint CBS_get_bytes(CBS *cbs, CBS *out, size_t len) {\n const uint8_t *v;\n if (!cbs_get(cbs, &v, len)) {\n return 0;\n }\n CBS_init(out, v, len);\n return 1;\n}\n\nint CBS_copy_bytes(CBS *cbs, uint8_t *out, size_t len) {\n const uint8_t *v;\n if (!cbs_get(cbs, &v, len)) {\n return 0;\n }\n OPENSSL_memcpy(out, v, len);\n return 1;\n}\n\nstatic int cbs_get_length_prefixed(CBS *cbs, CBS *out, size_t len_len) {\n uint64_t len;\n if (!cbs_get_u(cbs, &len, len_len)) {\n return 0;\n }\n // If |len_len| <= 3 then we know that |len| will fit into a |size_t|, even on\n // 32-bit systems.\n assert(len_len <= 3);\n return CBS_get_bytes(cbs, out, len);\n}\n\nint CBS_get_u8_length_prefixed(CBS *cbs, CBS *out) {\n return cbs_get_length_prefixed(cbs, out, 1);\n}\n\nint CBS_get_u16_length_prefixed(CBS *cbs, CBS *out) {\n return cbs_get_length_prefixed(cbs, out, 2);\n}\n\nint CBS_get_u24_length_prefixed(CBS *cbs, CBS *out) {\n return cbs_get_length_prefixed(cbs, out, 3);\n}\n\nint CBS_get_until_first(CBS *cbs, CBS *out, uint8_t c) {\n const uint8_t *split = reinterpret_cast(\n OPENSSL_memchr(CBS_data(cbs), c, CBS_len(cbs)));\n if (split == NULL) {\n return 0;\n }\n return CBS_get_bytes(cbs, out, split - CBS_data(cbs));\n}\n\nint CBS_get_u64_decimal(CBS *cbs, uint64_t *out) {\n uint64_t v = 0;\n int seen_digit = 0;\n while (CBS_len(cbs) != 0) {\n uint8_t c = CBS_data(cbs)[0];\n if (!OPENSSL_isdigit(c)) {\n break;\n }\n CBS_skip(cbs, 1);\n if (/* Forbid stray leading zeros */\n (v == 0 && seen_digit) ||\n // Check for overflow.\n v > UINT64_MAX / 10 || //\n v * 10 > UINT64_MAX - (c - '0')) {\n return 0;\n }\n v = v * 10 + (c - '0');\n seen_digit = 1;\n }\n\n *out = v;\n return seen_digit;\n}\n\n// parse_base128_integer reads a big-endian base-128 integer from |cbs| and sets\n// |*out| to the result. This is the encoding used in DER for both high tag\n// number form and OID components.\nstatic int parse_base128_integer(CBS *cbs, uint64_t *out) {\n uint64_t v = 0;\n uint8_t b;\n do {\n if (!CBS_get_u8(cbs, &b)) {\n return 0;\n }\n if ((v >> (64 - 7)) != 0) {\n // The value is too large.\n return 0;\n }\n if (v == 0 && b == 0x80) {\n // The value must be minimally encoded.\n return 0;\n }\n v = (v << 7) | (b & 0x7f);\n\n // Values end at an octet with the high bit cleared.\n } while (b & 0x80);\n\n *out = v;\n return 1;\n}\n\nstatic int parse_asn1_tag(CBS *cbs, CBS_ASN1_TAG *out) {\n uint8_t tag_byte;\n if (!CBS_get_u8(cbs, &tag_byte)) {\n return 0;\n }\n\n // ITU-T X.690 section 8.1.2.3 specifies the format for identifiers with a tag\n // number no greater than 30.\n //\n // If the number portion is 31 (0x1f, the largest value that fits in the\n // allotted bits), then the tag is more than one byte long and the\n // continuation bytes contain the tag number.\n CBS_ASN1_TAG tag = ((CBS_ASN1_TAG)tag_byte & 0xe0) << CBS_ASN1_TAG_SHIFT;\n CBS_ASN1_TAG tag_number = tag_byte & 0x1f;\n if (tag_number == 0x1f) {\n uint64_t v;\n if (!parse_base128_integer(cbs, &v) ||\n // Check the tag number is within our supported bounds.\n v > CBS_ASN1_TAG_NUMBER_MASK ||\n // Small tag numbers should have used low tag number form, even in BER.\n v < 0x1f) {\n return 0;\n }\n tag_number = (CBS_ASN1_TAG)v;\n }\n\n tag |= tag_number;\n\n // Tag [UNIVERSAL 0] is reserved for use by the encoding. Reject it here to\n // avoid some ambiguity around ANY values and BER indefinite-length EOCs. See\n // https://crbug.com/boringssl/455.\n if ((tag & ~CBS_ASN1_CONSTRUCTED) == 0) {\n return 0;\n }\n\n *out = tag;\n return 1;\n}\n\nstatic int cbs_get_any_asn1_element(CBS *cbs, CBS *out, CBS_ASN1_TAG *out_tag,\n size_t *out_header_len, int *out_ber_found,\n int *out_indefinite, int ber_ok) {\n CBS header = *cbs;\n CBS throwaway;\n\n if (out == NULL) {\n out = &throwaway;\n }\n if (ber_ok) {\n *out_ber_found = 0;\n *out_indefinite = 0;\n } else {\n assert(out_ber_found == NULL);\n assert(out_indefinite == NULL);\n }\n\n CBS_ASN1_TAG tag;\n if (!parse_asn1_tag(&header, &tag)) {\n return 0;\n }\n if (out_tag != NULL) {\n *out_tag = tag;\n }\n\n uint8_t length_byte;\n if (!CBS_get_u8(&header, &length_byte)) {\n return 0;\n }\n\n size_t header_len = CBS_len(cbs) - CBS_len(&header);\n\n size_t len;\n // The format for the length encoding is specified in ITU-T X.690 section\n // 8.1.3.\n if ((length_byte & 0x80) == 0) {\n // Short form length.\n len = ((size_t)length_byte) + header_len;\n if (out_header_len != NULL) {\n *out_header_len = header_len;\n }\n } else {\n // The high bit indicate that this is the long form, while the next 7 bits\n // encode the number of subsequent octets used to encode the length (ITU-T\n // X.690 clause 8.1.3.5.b).\n const size_t num_bytes = length_byte & 0x7f;\n uint64_t len64;\n\n if (ber_ok && (tag & CBS_ASN1_CONSTRUCTED) != 0 && num_bytes == 0) {\n // indefinite length\n if (out_header_len != NULL) {\n *out_header_len = header_len;\n }\n *out_ber_found = 1;\n *out_indefinite = 1;\n return CBS_get_bytes(cbs, out, header_len);\n }\n\n // ITU-T X.690 clause 8.1.3.5.c specifies that the value 0xff shall not be\n // used as the first byte of the length. If this parser encounters that\n // value, num_bytes will be parsed as 127, which will fail this check.\n if (num_bytes == 0 || num_bytes > 4) {\n return 0;\n }\n if (!cbs_get_u(&header, &len64, num_bytes)) {\n return 0;\n }\n // ITU-T X.690 section 10.1 (DER length forms) requires encoding the\n // length with the minimum number of octets. BER could, technically, have\n // 125 superfluous zero bytes. We do not attempt to handle that and still\n // require that the length fit in a |uint32_t| for BER.\n if (len64 < 128) {\n // Length should have used short-form encoding.\n if (ber_ok) {\n *out_ber_found = 1;\n } else {\n return 0;\n }\n }\n if ((len64 >> ((num_bytes - 1) * 8)) == 0) {\n // Length should have been at least one byte shorter.\n if (ber_ok) {\n *out_ber_found = 1;\n } else {\n return 0;\n }\n }\n len = len64;\n if (len + header_len + num_bytes < len) {\n // Overflow.\n return 0;\n }\n len += header_len + num_bytes;\n if (out_header_len != NULL) {\n *out_header_len = header_len + num_bytes;\n }\n }\n\n return CBS_get_bytes(cbs, out, len);\n}\n\nint CBS_get_any_asn1(CBS *cbs, CBS *out, CBS_ASN1_TAG *out_tag) {\n size_t header_len;\n if (!CBS_get_any_asn1_element(cbs, out, out_tag, &header_len)) {\n return 0;\n }\n\n if (!CBS_skip(out, header_len)) {\n assert(0);\n return 0;\n }\n\n return 1;\n}\n\nint CBS_get_any_asn1_element(CBS *cbs, CBS *out, CBS_ASN1_TAG *out_tag,\n size_t *out_header_len) {\n return cbs_get_any_asn1_element(cbs, out, out_tag, out_header_len, NULL, NULL,\n /*ber_ok=*/0);\n}\n\nint CBS_get_any_ber_asn1_element(CBS *cbs, CBS *out, CBS_ASN1_TAG *out_tag,\n size_t *out_header_len, int *out_ber_found,\n int *out_indefinite) {\n int ber_found_temp;\n return cbs_get_any_asn1_element(\n cbs, out, out_tag, out_header_len,\n out_ber_found ? out_ber_found : &ber_found_temp, out_indefinite,\n /*ber_ok=*/1);\n}\n\nstatic int cbs_get_asn1(CBS *cbs, CBS *out, CBS_ASN1_TAG tag_value,\n int skip_header) {\n size_t header_len;\n CBS_ASN1_TAG tag;\n CBS throwaway;\n\n if (out == NULL) {\n out = &throwaway;\n }\n\n if (!CBS_get_any_asn1_element(cbs, out, &tag, &header_len) ||\n tag != tag_value) {\n return 0;\n }\n\n if (skip_header && !CBS_skip(out, header_len)) {\n assert(0);\n return 0;\n }\n\n return 1;\n}\n\nint CBS_get_asn1(CBS *cbs, CBS *out, CBS_ASN1_TAG tag_value) {\n return cbs_get_asn1(cbs, out, tag_value, 1 /* skip header */);\n}\n\nint CBS_get_asn1_element(CBS *cbs, CBS *out, CBS_ASN1_TAG tag_value) {\n return cbs_get_asn1(cbs, out, tag_value, 0 /* include header */);\n}\n\nint CBS_peek_asn1_tag(const CBS *cbs, CBS_ASN1_TAG tag_value) {\n CBS copy = *cbs;\n CBS_ASN1_TAG actual_tag;\n return parse_asn1_tag(©, &actual_tag) && tag_value == actual_tag;\n}\n\nint CBS_get_asn1_uint64(CBS *cbs, uint64_t *out) {\n CBS bytes;\n if (!CBS_get_asn1(cbs, &bytes, CBS_ASN1_INTEGER) ||\n !CBS_is_unsigned_asn1_integer(&bytes)) {\n return 0;\n }\n\n *out = 0;\n const uint8_t *data = CBS_data(&bytes);\n size_t len = CBS_len(&bytes);\n for (size_t i = 0; i < len; i++) {\n if ((*out >> 56) != 0) {\n // Too large to represent as a uint64_t.\n return 0;\n }\n *out <<= 8;\n *out |= data[i];\n }\n\n return 1;\n}\n\nint CBS_get_asn1_int64(CBS *cbs, int64_t *out) {\n int is_negative;\n CBS bytes;\n if (!CBS_get_asn1(cbs, &bytes, CBS_ASN1_INTEGER) ||\n !CBS_is_valid_asn1_integer(&bytes, &is_negative)) {\n return 0;\n }\n const uint8_t *data = CBS_data(&bytes);\n const size_t len = CBS_len(&bytes);\n if (len > sizeof(int64_t)) {\n return 0;\n }\n uint8_t sign_extend[sizeof(int64_t)];\n OPENSSL_memset(sign_extend, is_negative ? 0xff : 0, sizeof(sign_extend));\n OPENSSL_memcpy(sign_extend + sizeof(int64_t) - len, data, len);\n *out = CRYPTO_load_u64_be(sign_extend);\n return 1;\n}\n\nint CBS_get_asn1_bool(CBS *cbs, int *out) {\n CBS bytes;\n if (!CBS_get_asn1(cbs, &bytes, CBS_ASN1_BOOLEAN) || CBS_len(&bytes) != 1) {\n return 0;\n }\n\n const uint8_t value = *CBS_data(&bytes);\n if (value != 0 && value != 0xff) {\n return 0;\n }\n\n *out = !!value;\n return 1;\n}\n\nint CBS_get_optional_asn1(CBS *cbs, CBS *out, int *out_present,\n CBS_ASN1_TAG tag) {\n int present = 0;\n\n if (CBS_peek_asn1_tag(cbs, tag)) {\n if (!CBS_get_asn1(cbs, out, tag)) {\n return 0;\n }\n present = 1;\n }\n\n if (out_present != NULL) {\n *out_present = present;\n }\n\n return 1;\n}\n\nint CBS_get_optional_asn1_octet_string(CBS *cbs, CBS *out, int *out_present,\n CBS_ASN1_TAG tag) {\n CBS child;\n int present;\n if (!CBS_get_optional_asn1(cbs, &child, &present, tag)) {\n return 0;\n }\n if (present) {\n assert(out);\n if (!CBS_get_asn1(&child, out, CBS_ASN1_OCTETSTRING) ||\n CBS_len(&child) != 0) {\n return 0;\n }\n } else {\n CBS_init(out, NULL, 0);\n }\n if (out_present) {\n *out_present = present;\n }\n return 1;\n}\n\nint CBS_get_optional_asn1_uint64(CBS *cbs, uint64_t *out, CBS_ASN1_TAG tag,\n uint64_t default_value) {\n CBS child;\n int present;\n if (!CBS_get_optional_asn1(cbs, &child, &present, tag)) {\n return 0;\n }\n if (present) {\n if (!CBS_get_asn1_uint64(&child, out) || CBS_len(&child) != 0) {\n return 0;\n }\n } else {\n *out = default_value;\n }\n return 1;\n}\n\nint CBS_get_optional_asn1_bool(CBS *cbs, int *out, CBS_ASN1_TAG tag,\n int default_value) {\n CBS child, child2;\n int present;\n if (!CBS_get_optional_asn1(cbs, &child, &present, tag)) {\n return 0;\n }\n if (present) {\n uint8_t boolean;\n\n if (!CBS_get_asn1(&child, &child2, CBS_ASN1_BOOLEAN) ||\n CBS_len(&child2) != 1 || CBS_len(&child) != 0) {\n return 0;\n }\n\n boolean = CBS_data(&child2)[0];\n if (boolean == 0) {\n *out = 0;\n } else if (boolean == 0xff) {\n *out = 1;\n } else {\n return 0;\n }\n } else {\n *out = default_value;\n }\n return 1;\n}\n\nint CBS_is_valid_asn1_bitstring(const CBS *cbs) {\n CBS in = *cbs;\n uint8_t num_unused_bits;\n if (!CBS_get_u8(&in, &num_unused_bits) || num_unused_bits > 7) {\n return 0;\n }\n\n if (num_unused_bits == 0) {\n return 1;\n }\n\n // All num_unused_bits bits must exist and be zeros.\n uint8_t last;\n if (!CBS_get_last_u8(&in, &last) ||\n (last & ((1 << num_unused_bits) - 1)) != 0) {\n return 0;\n }\n\n return 1;\n}\n\nint CBS_asn1_bitstring_has_bit(const CBS *cbs, unsigned bit) {\n if (!CBS_is_valid_asn1_bitstring(cbs)) {\n return 0;\n }\n\n const unsigned byte_num = (bit >> 3) + 1;\n const unsigned bit_num = 7 - (bit & 7);\n\n // Unused bits are zero, and this function does not distinguish between\n // missing and unset bits. Thus it is sufficient to do a byte-level length\n // check.\n return byte_num < CBS_len(cbs) &&\n (CBS_data(cbs)[byte_num] & (1 << bit_num)) != 0;\n}\n\nint CBS_is_valid_asn1_integer(const CBS *cbs, int *out_is_negative) {\n CBS copy = *cbs;\n uint8_t first_byte, second_byte;\n if (!CBS_get_u8(©, &first_byte)) {\n return 0; // INTEGERs may not be empty.\n }\n if (out_is_negative != NULL) {\n *out_is_negative = (first_byte & 0x80) != 0;\n }\n if (!CBS_get_u8(©, &second_byte)) {\n return 1; // One byte INTEGERs are always minimal.\n }\n if ((first_byte == 0x00 && (second_byte & 0x80) == 0) ||\n (first_byte == 0xff && (second_byte & 0x80) != 0)) {\n return 0; // The value is minimal iff the first 9 bits are not all equal.\n }\n return 1;\n}\n\nint CBS_is_unsigned_asn1_integer(const CBS *cbs) {\n int is_negative;\n return CBS_is_valid_asn1_integer(cbs, &is_negative) && !is_negative;\n}\n\nstatic int add_decimal(CBB *out, uint64_t v) {\n char buf[DECIMAL_SIZE(uint64_t) + 1];\n snprintf(buf, sizeof(buf), \"%\" PRIu64, v);\n return CBB_add_bytes(out, (const uint8_t *)buf, strlen(buf));\n}\n\nint CBS_is_valid_asn1_oid(const CBS *cbs) {\n if (CBS_len(cbs) == 0) {\n return 0; // OID encodings cannot be empty.\n }\n\n CBS copy = *cbs;\n uint8_t v, prev = 0;\n while (CBS_get_u8(©, &v)) {\n // OID encodings are a sequence of minimally-encoded base-128 integers (see\n // |parse_base128_integer|). If |prev|'s MSB was clear, it was the last byte\n // of an integer (or |v| is the first byte). |v| is then the first byte of\n // the next integer. If first byte of an integer is 0x80, it is not\n // minimally-encoded.\n if ((prev & 0x80) == 0 && v == 0x80) {\n return 0;\n }\n prev = v;\n }\n\n // The last byte should must end an integer encoding.\n return (prev & 0x80) == 0;\n}\n\nchar *CBS_asn1_oid_to_text(const CBS *cbs) {\n CBS copy = *cbs;\n CBB cbb;\n if (!CBB_init(&cbb, 32)) {\n goto err;\n }\n\n // The first component is 40 * value1 + value2, where value1 is 0, 1, or 2.\n uint64_t v;\n if (!parse_base128_integer(©, &v)) {\n goto err;\n }\n\n if (v >= 80) {\n if (!CBB_add_bytes(&cbb, (const uint8_t *)\"2.\", 2) ||\n !add_decimal(&cbb, v - 80)) {\n goto err;\n }\n } else if (!add_decimal(&cbb, v / 40) || !CBB_add_u8(&cbb, '.') ||\n !add_decimal(&cbb, v % 40)) {\n goto err;\n }\n\n while (CBS_len(©) != 0) {\n if (!parse_base128_integer(©, &v) || !CBB_add_u8(&cbb, '.') ||\n !add_decimal(&cbb, v)) {\n goto err;\n }\n }\n\n uint8_t *txt;\n size_t txt_len;\n if (!CBB_add_u8(&cbb, '\\0') || !CBB_finish(&cbb, &txt, &txt_len)) {\n goto err;\n }\n\n return (char *)txt;\n\nerr:\n CBB_cleanup(&cbb);\n return NULL;\n}\n\nstatic int cbs_get_two_digits(CBS *cbs, int *out) {\n uint8_t first_digit, second_digit;\n if (!CBS_get_u8(cbs, &first_digit)) {\n return 0;\n }\n if (!OPENSSL_isdigit(first_digit)) {\n return 0;\n }\n if (!CBS_get_u8(cbs, &second_digit)) {\n return 0;\n }\n if (!OPENSSL_isdigit(second_digit)) {\n return 0;\n }\n *out = (first_digit - '0') * 10 + (second_digit - '0');\n return 1;\n}\n\nstatic int is_valid_day(int year, int month, int day) {\n if (day < 1) {\n return 0;\n }\n switch (month) {\n case 1:\n case 3:\n case 5:\n case 7:\n case 8:\n case 10:\n case 12:\n return day <= 31;\n case 4:\n case 6:\n case 9:\n case 11:\n return day <= 30;\n case 2:\n if ((year % 4 == 0 && year % 100 != 0) || year % 400 == 0) {\n return day <= 29;\n } else {\n return day <= 28;\n }\n default:\n return 0;\n }\n}\n\nstatic int CBS_parse_rfc5280_time_internal(const CBS *cbs, int is_gentime,\n int allow_timezone_offset,\n struct tm *out_tm) {\n int year, month, day, hour, min, sec, tmp;\n CBS copy = *cbs;\n uint8_t tz;\n\n if (is_gentime) {\n if (!cbs_get_two_digits(©, &tmp)) {\n return 0;\n }\n year = tmp * 100;\n if (!cbs_get_two_digits(©, &tmp)) {\n return 0;\n }\n year += tmp;\n } else {\n year = 1900;\n if (!cbs_get_two_digits(©, &tmp)) {\n return 0;\n }\n year += tmp;\n if (year < 1950) {\n year += 100;\n }\n if (year >= 2050) {\n return 0; // A Generalized time must be used.\n }\n }\n if (!cbs_get_two_digits(©, &month) || month < 1 ||\n month > 12 || // Reject invalid months.\n !cbs_get_two_digits(©, &day) ||\n !is_valid_day(year, month, day) || // Reject invalid days.\n !cbs_get_two_digits(©, &hour) ||\n hour > 23 || // Reject invalid hours.\n !cbs_get_two_digits(©, &min) ||\n min > 59 || // Reject invalid minutes.\n !cbs_get_two_digits(©, &sec) || sec > 59 || !CBS_get_u8(©, &tz)) {\n return 0;\n }\n\n int offset_sign = 0;\n switch (tz) {\n case 'Z':\n break; // We correctly have 'Z' on the end as per spec.\n case '+':\n offset_sign = 1;\n break; // Should not be allowed per RFC 5280.\n case '-':\n offset_sign = -1;\n break; // Should not be allowed per RFC 5280.\n default:\n return 0; // Reject anything else after the time.\n }\n\n // If allow_timezone_offset is non-zero, allow for a four digit timezone\n // offset to be specified even though this is not allowed by RFC 5280. We are\n // permissive of this for UTCTimes due to the unfortunate existence of\n // artisinally rolled long lived certificates that were baked into places that\n // are now difficult to change. These certificates were generated with the\n // 'openssl' command that permissively allowed the creation of certificates\n // with notBefore and notAfter times specified as strings for direct\n // certificate inclusion on the command line. For context see cl/237068815.\n //\n // TODO(bbe): This has been expunged from public web-pki as the ecosystem has\n // managed to encourage CA compliance with standards. We should find a way to\n // get rid of this or make it off by default.\n int offset_seconds = 0;\n if (offset_sign != 0) {\n if (!allow_timezone_offset) {\n return 0;\n }\n int offset_hours, offset_minutes;\n if (!cbs_get_two_digits(©, &offset_hours) ||\n offset_hours > 23 || // Reject invalid hours.\n !cbs_get_two_digits(©, &offset_minutes) ||\n offset_minutes > 59) { // Reject invalid minutes.\n return 0;\n }\n offset_seconds = offset_sign * (offset_hours * 3600 + offset_minutes * 60);\n }\n\n if (CBS_len(©) != 0) {\n return 0; // Reject invalid lengths.\n }\n\n if (out_tm != NULL) {\n // Fill in the tm fields corresponding to what we validated.\n out_tm->tm_year = year - 1900;\n out_tm->tm_mon = month - 1;\n out_tm->tm_mday = day;\n out_tm->tm_hour = hour;\n out_tm->tm_min = min;\n out_tm->tm_sec = sec;\n if (offset_seconds && !OPENSSL_gmtime_adj(out_tm, 0, offset_seconds)) {\n return 0;\n }\n }\n return 1;\n}\n\nint CBS_parse_generalized_time(const CBS *cbs, struct tm *out_tm,\n int allow_timezone_offset) {\n return CBS_parse_rfc5280_time_internal(cbs, 1, allow_timezone_offset, out_tm);\n}\n\nint CBS_parse_utc_time(const CBS *cbs, struct tm *out_tm,\n int allow_timezone_offset) {\n return CBS_parse_rfc5280_time_internal(cbs, 0, allow_timezone_offset, out_tm);\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/bytestring/internal.h", "content": "/* Copyright 2014 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n#ifndef OPENSSL_HEADER_BYTESTRING_INTERNAL_H\n#define OPENSSL_HEADER_BYTESTRING_INTERNAL_H\n\n#include \n\n#if defined(__cplusplus)\nextern \"C\" {\n#endif\n\n\n// CBS_asn1_ber_to_der reads a BER element from |in|. If it finds\n// indefinite-length elements or constructed strings then it converts the BER\n// data to DER, sets |out| to the converted contents and |*out_storage| to a\n// buffer which the caller must release with |OPENSSL_free|. Otherwise, it sets\n// |out| to the original BER element in |in| and |*out_storage| to NULL.\n// Additionally, |*in| will be advanced over the BER element.\n//\n// This function should successfully process any valid BER input, however it\n// will not convert all of BER's deviations from DER. BER is ambiguous between\n// implicitly-tagged SEQUENCEs of strings and implicitly-tagged constructed\n// strings. Implicitly-tagged strings must be parsed with\n// |CBS_get_ber_implicitly_tagged_string| instead of |CBS_get_asn1|. The caller\n// must also account for BER variations in the contents of a primitive.\n//\n// It returns one on success and zero otherwise.\nOPENSSL_EXPORT int CBS_asn1_ber_to_der(CBS *in, CBS *out,\n uint8_t **out_storage);\n\n// CBS_get_asn1_implicit_string parses a BER string of primitive type\n// |inner_tag| implicitly-tagged with |outer_tag|. It sets |out| to the\n// contents. If concatenation was needed, it sets |*out_storage| to a buffer\n// which the caller must release with |OPENSSL_free|. Otherwise, it sets\n// |*out_storage| to NULL.\n//\n// This function does not parse all of BER. It requires the string be\n// definite-length. Constructed strings are allowed, but all children of the\n// outermost element must be primitive. The caller should use\n// |CBS_asn1_ber_to_der| before running this function.\n//\n// It returns one on success and zero otherwise.\nOPENSSL_EXPORT int CBS_get_asn1_implicit_string(CBS *in, CBS *out,\n uint8_t **out_storage,\n CBS_ASN1_TAG outer_tag,\n CBS_ASN1_TAG inner_tag);\n\n// CBB_finish_i2d calls |CBB_finish| on |cbb| which must have been initialized\n// with |CBB_init|. If |outp| is not NULL then the result is written to |*outp|\n// and |*outp| is advanced just past the output. It returns the number of bytes\n// in the result, whether written or not, or a negative value on error. On\n// error, it calls |CBB_cleanup| on |cbb|.\n//\n// This function may be used to help implement legacy i2d ASN.1 functions.\nint CBB_finish_i2d(CBB *cbb, uint8_t **outp);\n\n\n#if defined(__cplusplus)\n} // extern C\n#endif\n\n#endif // OPENSSL_HEADER_BYTESTRING_INTERNAL_H\n" }, { "path": "Sources/CNIOBoringSSL/crypto/bytestring/unicode.cc", "content": "/* Copyright 2018 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n#include \n\n#include \"internal.h\"\n\n\nstatic int is_valid_code_point(uint32_t v) {\n // References in the following are to Unicode 15.0.0.\n if (// The Unicode space runs from zero to 0x10ffff (3.4 D9).\n v > 0x10ffff ||\n // Values 0x...fffe, 0x...ffff, and 0xfdd0-0xfdef are permanently reserved\n // as noncharacters (3.4 D14). See also 23.7. As our APIs are intended for\n // \"open interchange\", such as ASN.1, we reject them.\n (v & 0xfffe) == 0xfffe ||\n (v >= 0xfdd0 && v <= 0xfdef) ||\n // Surrogate code points are invalid (3.2 C1).\n (v >= 0xd800 && v <= 0xdfff)) {\n return 0;\n }\n return 1;\n}\n\n// BOTTOM_BITS returns a byte with the bottom |n| bits set.\n#define BOTTOM_BITS(n) (uint8_t)((1u << (n)) - 1)\n\n// TOP_BITS returns a byte with the top |n| bits set.\n#define TOP_BITS(n) ((uint8_t)~BOTTOM_BITS(8 - (n)))\n\nint CBS_get_utf8(CBS *cbs, uint32_t *out) {\n uint8_t c;\n if (!CBS_get_u8(cbs, &c)) {\n return 0;\n }\n if (c <= 0x7f) {\n *out = c;\n return 1;\n }\n uint32_t v, lower_bound;\n size_t len;\n if ((c & TOP_BITS(3)) == TOP_BITS(2)) {\n v = c & BOTTOM_BITS(5);\n len = 1;\n lower_bound = 0x80;\n } else if ((c & TOP_BITS(4)) == TOP_BITS(3)) {\n v = c & BOTTOM_BITS(4);\n len = 2;\n lower_bound = 0x800;\n } else if ((c & TOP_BITS(5)) == TOP_BITS(4)) {\n v = c & BOTTOM_BITS(3);\n len = 3;\n lower_bound = 0x10000;\n } else {\n return 0;\n }\n for (size_t i = 0; i < len; i++) {\n if (!CBS_get_u8(cbs, &c) ||\n (c & TOP_BITS(2)) != TOP_BITS(1)) {\n return 0;\n }\n v <<= 6;\n v |= c & BOTTOM_BITS(6);\n }\n if (!is_valid_code_point(v) ||\n v < lower_bound) {\n return 0;\n }\n *out = v;\n return 1;\n}\n\nint CBS_get_latin1(CBS *cbs, uint32_t *out) {\n uint8_t c;\n if (!CBS_get_u8(cbs, &c)) {\n return 0;\n }\n *out = c;\n return 1;\n}\n\nint CBS_get_ucs2_be(CBS *cbs, uint32_t *out) {\n // Note UCS-2 (used by BMPString) does not support surrogates.\n uint16_t c;\n if (!CBS_get_u16(cbs, &c) ||\n !is_valid_code_point(c)) {\n return 0;\n }\n *out = c;\n return 1;\n}\n\nint CBS_get_utf32_be(CBS *cbs, uint32_t *out) {\n return CBS_get_u32(cbs, out) && is_valid_code_point(*out);\n}\n\nsize_t CBB_get_utf8_len(uint32_t u) {\n if (u <= 0x7f) {\n return 1;\n }\n if (u <= 0x7ff) {\n return 2;\n }\n if (u <= 0xffff) {\n return 3;\n }\n return 4;\n}\n\nint CBB_add_utf8(CBB *cbb, uint32_t u) {\n if (!is_valid_code_point(u)) {\n return 0;\n }\n if (u <= 0x7f) {\n return CBB_add_u8(cbb, (uint8_t)u);\n }\n if (u <= 0x7ff) {\n return CBB_add_u8(cbb, TOP_BITS(2) | (u >> 6)) &&\n CBB_add_u8(cbb, TOP_BITS(1) | (u & BOTTOM_BITS(6)));\n }\n if (u <= 0xffff) {\n return CBB_add_u8(cbb, TOP_BITS(3) | (u >> 12)) &&\n CBB_add_u8(cbb, TOP_BITS(1) | ((u >> 6) & BOTTOM_BITS(6))) &&\n CBB_add_u8(cbb, TOP_BITS(1) | (u & BOTTOM_BITS(6)));\n }\n if (u <= 0x10ffff) {\n return CBB_add_u8(cbb, TOP_BITS(4) | (u >> 18)) &&\n CBB_add_u8(cbb, TOP_BITS(1) | ((u >> 12) & BOTTOM_BITS(6))) &&\n CBB_add_u8(cbb, TOP_BITS(1) | ((u >> 6) & BOTTOM_BITS(6))) &&\n CBB_add_u8(cbb, TOP_BITS(1) | (u & BOTTOM_BITS(6)));\n }\n return 0;\n}\n\nint CBB_add_latin1(CBB *cbb, uint32_t u) {\n return u <= 0xff && CBB_add_u8(cbb, (uint8_t)u);\n}\n\nint CBB_add_ucs2_be(CBB *cbb, uint32_t u) {\n return u <= 0xffff && is_valid_code_point(u) && CBB_add_u16(cbb, (uint16_t)u);\n}\n\nint CBB_add_utf32_be(CBB *cbb, uint32_t u) {\n return is_valid_code_point(u) && CBB_add_u32(cbb, u);\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/chacha/chacha.cc", "content": "/* Copyright 2014 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n// Adapted from the public domain, estream code by D. Bernstein.\n\n#include \n\n#include \n#include \n\n#include \"../internal.h\"\n#include \"internal.h\"\n\n\n// sigma contains the ChaCha constants, which happen to be an ASCII string.\nstatic const uint8_t sigma[16] = { 'e', 'x', 'p', 'a', 'n', 'd', ' ', '3',\n '2', '-', 'b', 'y', 't', 'e', ' ', 'k' };\n\n// QUARTERROUND updates a, b, c, d with a ChaCha \"quarter\" round.\n#define QUARTERROUND(a, b, c, d) \\\n x[a] += x[b]; \\\n x[d] = CRYPTO_rotl_u32(x[d] ^ x[a], 16); \\\n x[c] += x[d]; \\\n x[b] = CRYPTO_rotl_u32(x[b] ^ x[c], 12); \\\n x[a] += x[b]; \\\n x[d] = CRYPTO_rotl_u32(x[d] ^ x[a], 8); \\\n x[c] += x[d]; \\\n x[b] = CRYPTO_rotl_u32(x[b] ^ x[c], 7);\n\nvoid CRYPTO_hchacha20(uint8_t out[32], const uint8_t key[32],\n const uint8_t nonce[16]) {\n uint32_t x[16];\n OPENSSL_memcpy(x, sigma, sizeof(sigma));\n OPENSSL_memcpy(&x[4], key, 32);\n OPENSSL_memcpy(&x[12], nonce, 16);\n\n for (size_t i = 0; i < 20; i += 2) {\n QUARTERROUND(0, 4, 8, 12)\n QUARTERROUND(1, 5, 9, 13)\n QUARTERROUND(2, 6, 10, 14)\n QUARTERROUND(3, 7, 11, 15)\n QUARTERROUND(0, 5, 10, 15)\n QUARTERROUND(1, 6, 11, 12)\n QUARTERROUND(2, 7, 8, 13)\n QUARTERROUND(3, 4, 9, 14)\n }\n\n OPENSSL_memcpy(out, &x[0], sizeof(uint32_t) * 4);\n OPENSSL_memcpy(&out[16], &x[12], sizeof(uint32_t) * 4);\n}\n\n#if defined(CHACHA20_ASM_NOHW)\nstatic void ChaCha20_ctr32(uint8_t *out, const uint8_t *in, size_t in_len,\n const uint32_t key[8], const uint32_t counter[4]) {\n#if defined(CHACHA20_ASM_NEON)\n if (ChaCha20_ctr32_neon_capable(in_len)) {\n ChaCha20_ctr32_neon(out, in, in_len, key, counter);\n return;\n }\n#endif\n#if defined(CHACHA20_ASM_AVX2)\n if (ChaCha20_ctr32_avx2_capable(in_len)) {\n ChaCha20_ctr32_avx2(out, in, in_len, key, counter);\n return;\n }\n#endif\n#if defined(CHACHA20_ASM_SSSE3_4X)\n if (ChaCha20_ctr32_ssse3_4x_capable(in_len)) {\n ChaCha20_ctr32_ssse3_4x(out, in, in_len, key, counter);\n return;\n }\n#endif\n#if defined(CHACHA20_ASM_SSSE3)\n if (ChaCha20_ctr32_ssse3_capable(in_len)) {\n ChaCha20_ctr32_ssse3(out, in, in_len, key, counter);\n return;\n }\n#endif\n if (in_len > 0) {\n ChaCha20_ctr32_nohw(out, in, in_len, key, counter);\n }\n}\n#endif\n\n#if defined(CHACHA20_ASM_NOHW)\n\nvoid CRYPTO_chacha_20(uint8_t *out, const uint8_t *in, size_t in_len,\n const uint8_t key[32], const uint8_t nonce[12],\n uint32_t counter) {\n assert(!buffers_alias(out, in_len, in, in_len) || in == out);\n\n uint32_t counter_nonce[4];\n counter_nonce[0] = counter;\n counter_nonce[1] = CRYPTO_load_u32_le(nonce + 0);\n counter_nonce[2] = CRYPTO_load_u32_le(nonce + 4);\n counter_nonce[3] = CRYPTO_load_u32_le(nonce + 8);\n\n const uint32_t *key_ptr = (const uint32_t *)key;\n#if !defined(OPENSSL_X86) && !defined(OPENSSL_X86_64)\n // The assembly expects the key to be four-byte aligned.\n uint32_t key_u32[8];\n if ((((uintptr_t)key) & 3) != 0) {\n key_u32[0] = CRYPTO_load_u32_le(key + 0);\n key_u32[1] = CRYPTO_load_u32_le(key + 4);\n key_u32[2] = CRYPTO_load_u32_le(key + 8);\n key_u32[3] = CRYPTO_load_u32_le(key + 12);\n key_u32[4] = CRYPTO_load_u32_le(key + 16);\n key_u32[5] = CRYPTO_load_u32_le(key + 20);\n key_u32[6] = CRYPTO_load_u32_le(key + 24);\n key_u32[7] = CRYPTO_load_u32_le(key + 28);\n\n key_ptr = key_u32;\n }\n#endif\n\n while (in_len > 0) {\n // The assembly functions do not have defined overflow behavior. While\n // overflow is almost always a bug in the caller, we prefer our functions to\n // behave the same across platforms, so divide into multiple calls to avoid\n // this case.\n uint64_t todo = 64 * ((UINT64_C(1) << 32) - counter_nonce[0]);\n if (todo > in_len) {\n todo = in_len;\n }\n\n ChaCha20_ctr32(out, in, (size_t)todo, key_ptr, counter_nonce);\n in += todo;\n out += todo;\n in_len -= todo;\n\n // We're either done and will next break out of the loop, or we stopped at\n // the wraparound point and the counter should continue at zero.\n counter_nonce[0] = 0;\n }\n}\n\n#else\n\n// chacha_core performs 20 rounds of ChaCha on the input words in\n// |input| and writes the 64 output bytes to |output|.\nstatic void chacha_core(uint8_t output[64], const uint32_t input[16]) {\n uint32_t x[16];\n int i;\n\n OPENSSL_memcpy(x, input, sizeof(uint32_t) * 16);\n for (i = 20; i > 0; i -= 2) {\n QUARTERROUND(0, 4, 8, 12)\n QUARTERROUND(1, 5, 9, 13)\n QUARTERROUND(2, 6, 10, 14)\n QUARTERROUND(3, 7, 11, 15)\n QUARTERROUND(0, 5, 10, 15)\n QUARTERROUND(1, 6, 11, 12)\n QUARTERROUND(2, 7, 8, 13)\n QUARTERROUND(3, 4, 9, 14)\n }\n\n for (i = 0; i < 16; ++i) {\n x[i] += input[i];\n }\n for (i = 0; i < 16; ++i) {\n CRYPTO_store_u32_le(output + 4 * i, x[i]);\n }\n}\n\nvoid CRYPTO_chacha_20(uint8_t *out, const uint8_t *in, size_t in_len,\n const uint8_t key[32], const uint8_t nonce[12],\n uint32_t counter) {\n assert(!buffers_alias(out, in_len, in, in_len) || in == out);\n\n uint32_t input[16];\n uint8_t buf[64];\n size_t todo, i;\n\n input[0] = CRYPTO_load_u32_le(sigma + 0);\n input[1] = CRYPTO_load_u32_le(sigma + 4);\n input[2] = CRYPTO_load_u32_le(sigma + 8);\n input[3] = CRYPTO_load_u32_le(sigma + 12);\n\n input[4] = CRYPTO_load_u32_le(key + 0);\n input[5] = CRYPTO_load_u32_le(key + 4);\n input[6] = CRYPTO_load_u32_le(key + 8);\n input[7] = CRYPTO_load_u32_le(key + 12);\n\n input[8] = CRYPTO_load_u32_le(key + 16);\n input[9] = CRYPTO_load_u32_le(key + 20);\n input[10] = CRYPTO_load_u32_le(key + 24);\n input[11] = CRYPTO_load_u32_le(key + 28);\n\n input[12] = counter;\n input[13] = CRYPTO_load_u32_le(nonce + 0);\n input[14] = CRYPTO_load_u32_le(nonce + 4);\n input[15] = CRYPTO_load_u32_le(nonce + 8);\n\n while (in_len > 0) {\n todo = sizeof(buf);\n if (in_len < todo) {\n todo = in_len;\n }\n\n chacha_core(buf, input);\n for (i = 0; i < todo; i++) {\n out[i] = in[i] ^ buf[i];\n }\n\n out += todo;\n in += todo;\n in_len -= todo;\n\n input[12]++;\n }\n}\n\n#endif\n" }, { "path": "Sources/CNIOBoringSSL/crypto/chacha/internal.h", "content": "/* Copyright 2018 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n#ifndef OPENSSL_HEADER_CHACHA_INTERNAL\n#define OPENSSL_HEADER_CHACHA_INTERNAL\n\n#include \n\n#include \"../internal.h\"\n\n#if defined(__cplusplus)\nextern \"C\" {\n#endif\n\n\n// CRYPTO_hchacha20 computes the HChaCha20 function, which should only be used\n// as part of XChaCha20.\nvoid CRYPTO_hchacha20(uint8_t out[32], const uint8_t key[32],\n const uint8_t nonce[16]);\n\n#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86)\n\n#define CHACHA20_ASM_NOHW\n\n#define CHACHA20_ASM_SSSE3\ninline int ChaCha20_ctr32_ssse3_capable(size_t len) {\n // Unlike the x86_64 version, the x86 SSSE3 routine runs for all non-zero\n // lengths.\n return len > 0 && CRYPTO_is_SSSE3_capable() && CRYPTO_is_FXSR_capable();\n}\nvoid ChaCha20_ctr32_ssse3(uint8_t *out, const uint8_t *in, size_t in_len,\n const uint32_t key[8], const uint32_t counter[4]);\n\n#elif !defined(OPENSSL_NO_ASM) && \\\n (defined(OPENSSL_ARM) || defined(OPENSSL_AARCH64))\n\n#define CHACHA20_ASM_NOHW\n\n#define CHACHA20_ASM_NEON\ninline int ChaCha20_ctr32_neon_capable(size_t len) {\n return len >= 192 && CRYPTO_is_NEON_capable();\n}\nvoid ChaCha20_ctr32_neon(uint8_t *out, const uint8_t *in, size_t in_len,\n const uint32_t key[8], const uint32_t counter[4]);\n#elif !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86_64)\n#define CHACHA20_ASM_NOHW\n\n#define CHACHA20_ASM_AVX2\ninline int ChaCha20_ctr32_avx2_capable(size_t len) {\n return len > 128 && CRYPTO_is_AVX2_capable();\n}\nvoid ChaCha20_ctr32_avx2(uint8_t *out, const uint8_t *in, size_t in_len,\n const uint32_t key[8], const uint32_t counter[4]);\n\n#define CHACHA20_ASM_SSSE3_4X\ninline int ChaCha20_ctr32_ssse3_4x_capable(size_t len) {\n int capable = len > 128 && CRYPTO_is_SSSE3_capable();\n int faster = len > 192 || !CRYPTO_cpu_perf_is_like_silvermont();\n return capable && faster;\n}\nvoid ChaCha20_ctr32_ssse3_4x(uint8_t *out, const uint8_t *in, size_t in_len,\n const uint32_t key[8], const uint32_t counter[4]);\n\n#define CHACHA20_ASM_SSSE3\ninline int ChaCha20_ctr32_ssse3_capable(size_t len) {\n return len > 128 && CRYPTO_is_SSSE3_capable();\n}\nvoid ChaCha20_ctr32_ssse3(uint8_t *out, const uint8_t *in, size_t in_len,\n const uint32_t key[8], const uint32_t counter[4]);\n#endif\n\n#if defined(CHACHA20_ASM_NOHW)\n// ChaCha20_ctr32_nohw encrypts |in_len| bytes from |in| and writes the result\n// to |out|. If |in| and |out| alias, they must be equal. |in_len| may not be\n// zero.\n//\n// |counter[0]| is the initial 32-bit block counter, and the remainder is the\n// 96-bit nonce. If the counter overflows, the output is undefined. The function\n// will produce output, but the output may vary by machine and may not be\n// self-consistent. (On some architectures, the assembly implements a mix of\n// 64-bit and 32-bit counters.)\nvoid ChaCha20_ctr32_nohw(uint8_t *out, const uint8_t *in, size_t in_len,\n const uint32_t key[8], const uint32_t counter[4]);\n#endif\n\n\n#if defined(__cplusplus)\n} // extern C\n#endif\n\n#endif // OPENSSL_HEADER_CHACHA_INTERNAL\n" }, { "path": "Sources/CNIOBoringSSL/crypto/cipher/derive_key.cc", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n\n#include \n#include \n\n\n#define PKCS5_SALT_LEN 8\n\nint EVP_BytesToKey(const EVP_CIPHER *type, const EVP_MD *md,\n const uint8_t *salt, const uint8_t *data, size_t data_len,\n unsigned count, uint8_t *key, uint8_t *iv) {\n EVP_MD_CTX c;\n uint8_t md_buf[EVP_MAX_MD_SIZE];\n unsigned addmd = 0;\n unsigned mds = 0, i;\n int rv = 0;\n\n unsigned nkey = EVP_CIPHER_key_length(type);\n unsigned niv = EVP_CIPHER_iv_length(type);\n\n assert(nkey <= EVP_MAX_KEY_LENGTH);\n assert(niv <= EVP_MAX_IV_LENGTH);\n\n if (data == NULL) {\n return nkey;\n }\n\n EVP_MD_CTX_init(&c);\n for (;;) {\n if (!EVP_DigestInit_ex(&c, md, NULL)) {\n goto err;\n }\n if (addmd++) {\n if (!EVP_DigestUpdate(&c, md_buf, mds)) {\n goto err;\n }\n }\n if (!EVP_DigestUpdate(&c, data, data_len)) {\n goto err;\n }\n if (salt != NULL) {\n if (!EVP_DigestUpdate(&c, salt, PKCS5_SALT_LEN)) {\n goto err;\n }\n }\n if (!EVP_DigestFinal_ex(&c, md_buf, &mds)) {\n goto err;\n }\n\n for (i = 1; i < count; i++) {\n if (!EVP_DigestInit_ex(&c, md, NULL) ||\n !EVP_DigestUpdate(&c, md_buf, mds) ||\n !EVP_DigestFinal_ex(&c, md_buf, &mds)) {\n goto err;\n }\n }\n\n i = 0;\n if (nkey) {\n for (;;) {\n if (nkey == 0 || i == mds) {\n break;\n }\n if (key != NULL) {\n *(key++) = md_buf[i];\n }\n nkey--;\n i++;\n }\n }\n\n if (niv && i != mds) {\n for (;;) {\n if (niv == 0 || i == mds) {\n break;\n }\n if (iv != NULL) {\n *(iv++) = md_buf[i];\n }\n niv--;\n i++;\n }\n }\n if (nkey == 0 && niv == 0) {\n break;\n }\n }\n rv = EVP_CIPHER_key_length(type);\n\nerr:\n EVP_MD_CTX_cleanup(&c);\n OPENSSL_cleanse(md_buf, EVP_MAX_MD_SIZE);\n return rv;\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/cipher/e_aesctrhmac.cc", "content": "/* Copyright 2017 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n#include \n\n#include \n\n#include \n#include \n#include \n#include \n\n#include \"../fipsmodule/aes/internal.h\"\n#include \"../fipsmodule/cipher/internal.h\"\n\n\n#define EVP_AEAD_AES_CTR_HMAC_SHA256_TAG_LEN SHA256_DIGEST_LENGTH\n#define EVP_AEAD_AES_CTR_HMAC_SHA256_NONCE_LEN 12\n\nstruct aead_aes_ctr_hmac_sha256_ctx {\n union {\n double align;\n AES_KEY ks;\n } ks;\n ctr128_f ctr;\n block128_f block;\n SHA256_CTX inner_init_state;\n SHA256_CTX outer_init_state;\n};\n\nstatic_assert(sizeof(((EVP_AEAD_CTX *)NULL)->state) >=\n sizeof(struct aead_aes_ctr_hmac_sha256_ctx),\n \"AEAD state is too small\");\nstatic_assert(alignof(union evp_aead_ctx_st_state) >=\n alignof(struct aead_aes_ctr_hmac_sha256_ctx),\n \"AEAD state has insufficient alignment\");\n\nstatic void hmac_init(SHA256_CTX *out_inner, SHA256_CTX *out_outer,\n const uint8_t hmac_key[32]) {\n static const size_t hmac_key_len = 32;\n uint8_t block[SHA256_CBLOCK];\n OPENSSL_memcpy(block, hmac_key, hmac_key_len);\n OPENSSL_memset(block + hmac_key_len, 0x36, sizeof(block) - hmac_key_len);\n\n unsigned i;\n for (i = 0; i < hmac_key_len; i++) {\n block[i] ^= 0x36;\n }\n\n SHA256_Init(out_inner);\n SHA256_Update(out_inner, block, sizeof(block));\n\n OPENSSL_memset(block + hmac_key_len, 0x5c, sizeof(block) - hmac_key_len);\n for (i = 0; i < hmac_key_len; i++) {\n block[i] ^= (0x36 ^ 0x5c);\n }\n\n SHA256_Init(out_outer);\n SHA256_Update(out_outer, block, sizeof(block));\n}\n\nstatic int aead_aes_ctr_hmac_sha256_init(EVP_AEAD_CTX *ctx, const uint8_t *key,\n size_t key_len, size_t tag_len) {\n struct aead_aes_ctr_hmac_sha256_ctx *aes_ctx =\n (struct aead_aes_ctr_hmac_sha256_ctx *)&ctx->state;\n static const size_t hmac_key_len = 32;\n\n if (key_len < hmac_key_len) {\n OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_KEY_LENGTH);\n return 0; // EVP_AEAD_CTX_init should catch this.\n }\n\n const size_t aes_key_len = key_len - hmac_key_len;\n if (aes_key_len != 16 && aes_key_len != 32) {\n OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_KEY_LENGTH);\n return 0; // EVP_AEAD_CTX_init should catch this.\n }\n\n if (tag_len == EVP_AEAD_DEFAULT_TAG_LENGTH) {\n tag_len = EVP_AEAD_AES_CTR_HMAC_SHA256_TAG_LEN;\n }\n\n if (tag_len > EVP_AEAD_AES_CTR_HMAC_SHA256_TAG_LEN) {\n OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TAG_TOO_LARGE);\n return 0;\n }\n\n aes_ctx->ctr =\n aes_ctr_set_key(&aes_ctx->ks.ks, NULL, &aes_ctx->block, key, aes_key_len);\n ctx->tag_len = tag_len;\n hmac_init(&aes_ctx->inner_init_state, &aes_ctx->outer_init_state,\n key + aes_key_len);\n\n return 1;\n}\n\nstatic void aead_aes_ctr_hmac_sha256_cleanup(EVP_AEAD_CTX *ctx) {}\n\nstatic void hmac_update_uint64(SHA256_CTX *sha256, uint64_t value) {\n unsigned i;\n uint8_t bytes[8];\n\n for (i = 0; i < sizeof(bytes); i++) {\n bytes[i] = value & 0xff;\n value >>= 8;\n }\n SHA256_Update(sha256, bytes, sizeof(bytes));\n}\n\nstatic void hmac_calculate(uint8_t out[SHA256_DIGEST_LENGTH],\n const SHA256_CTX *inner_init_state,\n const SHA256_CTX *outer_init_state,\n const uint8_t *ad, size_t ad_len,\n const uint8_t *nonce, const uint8_t *ciphertext,\n size_t ciphertext_len) {\n SHA256_CTX sha256;\n OPENSSL_memcpy(&sha256, inner_init_state, sizeof(sha256));\n hmac_update_uint64(&sha256, ad_len);\n hmac_update_uint64(&sha256, ciphertext_len);\n SHA256_Update(&sha256, nonce, EVP_AEAD_AES_CTR_HMAC_SHA256_NONCE_LEN);\n SHA256_Update(&sha256, ad, ad_len);\n\n // Pad with zeros to the end of the SHA-256 block.\n const unsigned num_padding =\n (SHA256_CBLOCK - ((sizeof(uint64_t)*2 +\n EVP_AEAD_AES_CTR_HMAC_SHA256_NONCE_LEN + ad_len) %\n SHA256_CBLOCK)) %\n SHA256_CBLOCK;\n uint8_t padding[SHA256_CBLOCK];\n OPENSSL_memset(padding, 0, num_padding);\n SHA256_Update(&sha256, padding, num_padding);\n\n SHA256_Update(&sha256, ciphertext, ciphertext_len);\n\n uint8_t inner_digest[SHA256_DIGEST_LENGTH];\n SHA256_Final(inner_digest, &sha256);\n\n OPENSSL_memcpy(&sha256, outer_init_state, sizeof(sha256));\n SHA256_Update(&sha256, inner_digest, sizeof(inner_digest));\n SHA256_Final(out, &sha256);\n}\n\nstatic void aead_aes_ctr_hmac_sha256_crypt(\n const struct aead_aes_ctr_hmac_sha256_ctx *aes_ctx, uint8_t *out,\n const uint8_t *in, size_t len, const uint8_t *nonce) {\n // Since the AEAD operation is one-shot, keeping a buffer of unused keystream\n // bytes is pointless. However, |CRYPTO_ctr128_encrypt_ctr32| requires it.\n uint8_t partial_block_buffer[AES_BLOCK_SIZE];\n unsigned partial_block_offset = 0;\n OPENSSL_memset(partial_block_buffer, 0, sizeof(partial_block_buffer));\n\n uint8_t counter[AES_BLOCK_SIZE];\n OPENSSL_memcpy(counter, nonce, EVP_AEAD_AES_CTR_HMAC_SHA256_NONCE_LEN);\n OPENSSL_memset(counter + EVP_AEAD_AES_CTR_HMAC_SHA256_NONCE_LEN, 0, 4);\n\n CRYPTO_ctr128_encrypt_ctr32(in, out, len, &aes_ctx->ks.ks, counter,\n partial_block_buffer, &partial_block_offset,\n aes_ctx->ctr);\n}\n\nstatic int aead_aes_ctr_hmac_sha256_seal_scatter(\n const EVP_AEAD_CTX *ctx, uint8_t *out, uint8_t *out_tag,\n size_t *out_tag_len, size_t max_out_tag_len, const uint8_t *nonce,\n size_t nonce_len, const uint8_t *in, size_t in_len, const uint8_t *extra_in,\n size_t extra_in_len, const uint8_t *ad, size_t ad_len) {\n const struct aead_aes_ctr_hmac_sha256_ctx *aes_ctx =\n (struct aead_aes_ctr_hmac_sha256_ctx *) &ctx->state;\n const uint64_t in_len_64 = in_len;\n\n if (in_len_64 >= (UINT64_C(1) << 32) * AES_BLOCK_SIZE) {\n // This input is so large it would overflow the 32-bit block counter.\n OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE);\n return 0;\n }\n\n if (max_out_tag_len < ctx->tag_len) {\n OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL);\n return 0;\n }\n\n if (nonce_len != EVP_AEAD_AES_CTR_HMAC_SHA256_NONCE_LEN) {\n OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_NONCE_SIZE);\n return 0;\n }\n\n aead_aes_ctr_hmac_sha256_crypt(aes_ctx, out, in, in_len, nonce);\n\n uint8_t hmac_result[SHA256_DIGEST_LENGTH];\n hmac_calculate(hmac_result, &aes_ctx->inner_init_state,\n &aes_ctx->outer_init_state, ad, ad_len, nonce, out, in_len);\n OPENSSL_memcpy(out_tag, hmac_result, ctx->tag_len);\n *out_tag_len = ctx->tag_len;\n\n return 1;\n}\n\nstatic int aead_aes_ctr_hmac_sha256_open_gather(\n const EVP_AEAD_CTX *ctx, uint8_t *out, const uint8_t *nonce,\n size_t nonce_len, const uint8_t *in, size_t in_len, const uint8_t *in_tag,\n size_t in_tag_len, const uint8_t *ad, size_t ad_len) {\n const struct aead_aes_ctr_hmac_sha256_ctx *aes_ctx =\n (struct aead_aes_ctr_hmac_sha256_ctx *) &ctx->state;\n\n if (in_tag_len != ctx->tag_len) {\n OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT);\n return 0;\n }\n\n if (nonce_len != EVP_AEAD_AES_CTR_HMAC_SHA256_NONCE_LEN) {\n OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_NONCE_SIZE);\n return 0;\n }\n\n uint8_t hmac_result[SHA256_DIGEST_LENGTH];\n hmac_calculate(hmac_result, &aes_ctx->inner_init_state,\n &aes_ctx->outer_init_state, ad, ad_len, nonce, in,\n in_len);\n if (CRYPTO_memcmp(hmac_result, in_tag, ctx->tag_len) != 0) {\n OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT);\n return 0;\n }\n\n aead_aes_ctr_hmac_sha256_crypt(aes_ctx, out, in, in_len, nonce);\n\n return 1;\n}\n\nstatic const EVP_AEAD aead_aes_128_ctr_hmac_sha256 = {\n 16 /* AES key */ + 32 /* HMAC key */,\n 12, // nonce length\n EVP_AEAD_AES_CTR_HMAC_SHA256_TAG_LEN, // overhead\n EVP_AEAD_AES_CTR_HMAC_SHA256_TAG_LEN, // max tag length\n 0, // seal_scatter_supports_extra_in\n\n aead_aes_ctr_hmac_sha256_init,\n NULL /* init_with_direction */,\n aead_aes_ctr_hmac_sha256_cleanup,\n NULL /* open */,\n aead_aes_ctr_hmac_sha256_seal_scatter,\n aead_aes_ctr_hmac_sha256_open_gather,\n NULL /* get_iv */,\n NULL /* tag_len */,\n};\n\nstatic const EVP_AEAD aead_aes_256_ctr_hmac_sha256 = {\n 32 /* AES key */ + 32 /* HMAC key */,\n 12, // nonce length\n EVP_AEAD_AES_CTR_HMAC_SHA256_TAG_LEN, // overhead\n EVP_AEAD_AES_CTR_HMAC_SHA256_TAG_LEN, // max tag length\n 0, // seal_scatter_supports_extra_in\n\n aead_aes_ctr_hmac_sha256_init,\n NULL /* init_with_direction */,\n aead_aes_ctr_hmac_sha256_cleanup,\n NULL /* open */,\n aead_aes_ctr_hmac_sha256_seal_scatter,\n aead_aes_ctr_hmac_sha256_open_gather,\n NULL /* get_iv */,\n NULL /* tag_len */,\n};\n\nconst EVP_AEAD *EVP_aead_aes_128_ctr_hmac_sha256(void) {\n return &aead_aes_128_ctr_hmac_sha256;\n}\n\nconst EVP_AEAD *EVP_aead_aes_256_ctr_hmac_sha256(void) {\n return &aead_aes_256_ctr_hmac_sha256;\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/cipher/e_aesgcmsiv.cc", "content": "/* Copyright 2017 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n#include \n\n#include \n\n#include \n#include \n#include \n\n#include \"../fipsmodule/aes/internal.h\"\n#include \"../fipsmodule/cipher/internal.h\"\n#include \"../internal.h\"\n\n\n#define EVP_AEAD_AES_GCM_SIV_NONCE_LEN 12\n#define EVP_AEAD_AES_GCM_SIV_TAG_LEN 16\n\n// TODO(davidben): AES-GCM-SIV assembly is not correct for Windows. It must save\n// and restore xmm6 through xmm15.\n#if defined(OPENSSL_X86_64) && !defined(OPENSSL_NO_ASM) && \\\n !defined(OPENSSL_WINDOWS)\n#define AES_GCM_SIV_ASM\n\n// Optimised AES-GCM-SIV\n\nnamespace {\nstruct aead_aes_gcm_siv_asm_ctx {\n alignas(16) uint8_t key[16 * 15];\n int is_128_bit;\n};\n} // namespace\n\n// The assembly code assumes 8-byte alignment of the EVP_AEAD_CTX's state, and\n// aligns to 16 bytes itself.\nstatic_assert(sizeof(((EVP_AEAD_CTX *)NULL)->state) + 8 >=\n sizeof(struct aead_aes_gcm_siv_asm_ctx),\n \"AEAD state is too small\");\nstatic_assert(alignof(union evp_aead_ctx_st_state) >= 8,\n \"AEAD state has insufficient alignment\");\n\n// asm_ctx_from_ctx returns a 16-byte aligned context pointer from |ctx|.\nstatic struct aead_aes_gcm_siv_asm_ctx *asm_ctx_from_ctx(\n const EVP_AEAD_CTX *ctx) {\n // ctx->state must already be 8-byte aligned. Thus, at most, we may need to\n // add eight to align it to 16 bytes.\n const uintptr_t offset = ((uintptr_t)&ctx->state) & 8;\n return (struct aead_aes_gcm_siv_asm_ctx *)(&ctx->state.opaque[offset]);\n}\n\nextern \"C\" {\n// aes128gcmsiv_aes_ks writes an AES-128 key schedule for |key| to\n// |out_expanded_key|.\nextern void aes128gcmsiv_aes_ks(const uint8_t key[16],\n uint8_t out_expanded_key[16 * 15]);\n\n// aes256gcmsiv_aes_ks writes an AES-256 key schedule for |key| to\n// |out_expanded_key|.\nextern void aes256gcmsiv_aes_ks(const uint8_t key[32],\n uint8_t out_expanded_key[16 * 15]);\n}\n\nstatic int aead_aes_gcm_siv_asm_init(EVP_AEAD_CTX *ctx, const uint8_t *key,\n size_t key_len, size_t tag_len) {\n const size_t key_bits = key_len * 8;\n\n if (key_bits != 128 && key_bits != 256) {\n OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_KEY_LENGTH);\n return 0; // EVP_AEAD_CTX_init should catch this.\n }\n\n if (tag_len == EVP_AEAD_DEFAULT_TAG_LENGTH) {\n tag_len = EVP_AEAD_AES_GCM_SIV_TAG_LEN;\n }\n\n if (tag_len != EVP_AEAD_AES_GCM_SIV_TAG_LEN) {\n OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TAG_TOO_LARGE);\n return 0;\n }\n\n struct aead_aes_gcm_siv_asm_ctx *gcm_siv_ctx = asm_ctx_from_ctx(ctx);\n assert((((uintptr_t)gcm_siv_ctx) & 15) == 0);\n\n if (key_bits == 128) {\n aes128gcmsiv_aes_ks(key, &gcm_siv_ctx->key[0]);\n gcm_siv_ctx->is_128_bit = 1;\n } else {\n aes256gcmsiv_aes_ks(key, &gcm_siv_ctx->key[0]);\n gcm_siv_ctx->is_128_bit = 0;\n }\n\n ctx->tag_len = tag_len;\n\n return 1;\n}\n\nstatic void aead_aes_gcm_siv_asm_cleanup(EVP_AEAD_CTX *ctx) {}\n\nextern \"C\" {\n// aesgcmsiv_polyval_horner updates the POLYVAL value in |in_out_poly| to\n// include a number (|in_blocks|) of 16-byte blocks of data from |in|, given\n// the POLYVAL key in |key|.\nextern void aesgcmsiv_polyval_horner(const uint8_t in_out_poly[16],\n const uint8_t key[16], const uint8_t *in,\n size_t in_blocks);\n\n// aesgcmsiv_htable_init writes powers 1..8 of |auth_key| to |out_htable|.\nextern void aesgcmsiv_htable_init(uint8_t out_htable[16 * 8],\n const uint8_t auth_key[16]);\n\n// aesgcmsiv_htable6_init writes powers 1..6 of |auth_key| to |out_htable|.\nextern void aesgcmsiv_htable6_init(uint8_t out_htable[16 * 6],\n const uint8_t auth_key[16]);\n\n// aesgcmsiv_htable_polyval updates the POLYVAL value in |in_out_poly| to\n// include |in_len| bytes of data from |in|. (Where |in_len| must be a multiple\n// of 16.) It uses the precomputed powers of the key given in |htable|.\nextern void aesgcmsiv_htable_polyval(const uint8_t htable[16 * 8],\n const uint8_t *in, size_t in_len,\n uint8_t in_out_poly[16]);\n\n// aes128gcmsiv_dec decrypts |in_len| & ~15 bytes from |out| and writes them to\n// |in|. |in| and |out| may be equal, but must not otherwise alias.\n//\n// |in_out_calculated_tag_and_scratch|, on entry, must contain:\n// 1. The current value of the calculated tag, which will be updated during\n// decryption and written back to the beginning of this buffer on exit.\n// 2. The claimed tag, which is needed to derive counter values.\n//\n// While decrypting, the whole of |in_out_calculated_tag_and_scratch| may be\n// used for other purposes. In order to decrypt and update the POLYVAL value, it\n// uses the expanded key from |key| and the table of powers in |htable|.\nextern void aes128gcmsiv_dec(const uint8_t *in, uint8_t *out,\n uint8_t in_out_calculated_tag_and_scratch[16 * 8],\n const uint8_t htable[16 * 6],\n const struct aead_aes_gcm_siv_asm_ctx *key,\n size_t in_len);\n\n// aes256gcmsiv_dec acts like |aes128gcmsiv_dec|, but for AES-256.\nextern void aes256gcmsiv_dec(const uint8_t *in, uint8_t *out,\n uint8_t in_out_calculated_tag_and_scratch[16 * 8],\n const uint8_t htable[16 * 6],\n const struct aead_aes_gcm_siv_asm_ctx *key,\n size_t in_len);\n\n// aes128gcmsiv_kdf performs the AES-GCM-SIV KDF given the expanded key from\n// |key_schedule| and the nonce in |nonce|. Note that, while only 12 bytes of\n// the nonce are used, 16 bytes are read and so the value must be\n// right-padded.\nextern void aes128gcmsiv_kdf(const uint8_t nonce[16],\n uint64_t out_key_material[8],\n const uint8_t *key_schedule);\n\n// aes256gcmsiv_kdf acts like |aes128gcmsiv_kdf|, but for AES-256.\nextern void aes256gcmsiv_kdf(const uint8_t nonce[16],\n uint64_t out_key_material[12],\n const uint8_t *key_schedule);\n\n// aes128gcmsiv_aes_ks_enc_x1 performs a key expansion of the AES-128 key in\n// |key|, writes the expanded key to |out_expanded_key| and encrypts a single\n// block from |in| to |out|.\nextern void aes128gcmsiv_aes_ks_enc_x1(const uint8_t in[16], uint8_t out[16],\n uint8_t out_expanded_key[16 * 15],\n const uint64_t key[2]);\n\n// aes256gcmsiv_aes_ks_enc_x1 acts like |aes128gcmsiv_aes_ks_enc_x1|, but for\n// AES-256.\nextern void aes256gcmsiv_aes_ks_enc_x1(const uint8_t in[16], uint8_t out[16],\n uint8_t out_expanded_key[16 * 15],\n const uint64_t key[4]);\n\n// aes128gcmsiv_ecb_enc_block encrypts a single block from |in| to |out| using\n// the expanded key in |expanded_key|.\nextern void aes128gcmsiv_ecb_enc_block(\n const uint8_t in[16], uint8_t out[16],\n const struct aead_aes_gcm_siv_asm_ctx *expanded_key);\n\n// aes256gcmsiv_ecb_enc_block acts like |aes128gcmsiv_ecb_enc_block|, but for\n// AES-256.\nextern void aes256gcmsiv_ecb_enc_block(\n const uint8_t in[16], uint8_t out[16],\n const struct aead_aes_gcm_siv_asm_ctx *expanded_key);\n\n// aes128gcmsiv_enc_msg_x4 encrypts |in_len| bytes from |in| to |out| using the\n// expanded key from |key|. (The value of |in_len| must be a multiple of 16.)\n// The |in| and |out| buffers may be equal but must not otherwise overlap. The\n// initial counter is constructed from the given |tag| as required by\n// AES-GCM-SIV.\nextern void aes128gcmsiv_enc_msg_x4(const uint8_t *in, uint8_t *out,\n const uint8_t *tag,\n const struct aead_aes_gcm_siv_asm_ctx *key,\n size_t in_len);\n\n// aes256gcmsiv_enc_msg_x4 acts like |aes128gcmsiv_enc_msg_x4|, but for\n// AES-256.\nextern void aes256gcmsiv_enc_msg_x4(const uint8_t *in, uint8_t *out,\n const uint8_t *tag,\n const struct aead_aes_gcm_siv_asm_ctx *key,\n size_t in_len);\n\n// aes128gcmsiv_enc_msg_x8 acts like |aes128gcmsiv_enc_msg_x4|, but is\n// optimised for longer messages.\nextern void aes128gcmsiv_enc_msg_x8(const uint8_t *in, uint8_t *out,\n const uint8_t *tag,\n const struct aead_aes_gcm_siv_asm_ctx *key,\n size_t in_len);\n\n// aes256gcmsiv_enc_msg_x8 acts like |aes256gcmsiv_enc_msg_x4|, but is\n// optimised for longer messages.\nextern void aes256gcmsiv_enc_msg_x8(const uint8_t *in, uint8_t *out,\n const uint8_t *tag,\n const struct aead_aes_gcm_siv_asm_ctx *key,\n size_t in_len);\n}\n\n// gcm_siv_asm_polyval evaluates POLYVAL at |auth_key| on the given plaintext\n// and AD. The result is written to |out_tag|.\nstatic void gcm_siv_asm_polyval(uint8_t out_tag[16], const uint8_t *in,\n size_t in_len, const uint8_t *ad, size_t ad_len,\n const uint8_t auth_key[16],\n const uint8_t nonce[12]) {\n OPENSSL_memset(out_tag, 0, 16);\n const size_t ad_blocks = ad_len / 16;\n const size_t in_blocks = in_len / 16;\n int htable_init = 0;\n alignas(16) uint8_t htable[16 * 8];\n\n if (ad_blocks > 8 || in_blocks > 8) {\n htable_init = 1;\n aesgcmsiv_htable_init(htable, auth_key);\n }\n\n if (htable_init) {\n aesgcmsiv_htable_polyval(htable, ad, ad_len & ~15, out_tag);\n } else {\n aesgcmsiv_polyval_horner(out_tag, auth_key, ad, ad_blocks);\n }\n\n uint8_t scratch[16];\n if (ad_len & 15) {\n OPENSSL_memset(scratch, 0, sizeof(scratch));\n OPENSSL_memcpy(scratch, &ad[ad_len & ~15], ad_len & 15);\n aesgcmsiv_polyval_horner(out_tag, auth_key, scratch, 1);\n }\n\n if (htable_init) {\n aesgcmsiv_htable_polyval(htable, in, in_len & ~15, out_tag);\n } else {\n aesgcmsiv_polyval_horner(out_tag, auth_key, in, in_blocks);\n }\n\n if (in_len & 15) {\n OPENSSL_memset(scratch, 0, sizeof(scratch));\n OPENSSL_memcpy(scratch, &in[in_len & ~15], in_len & 15);\n aesgcmsiv_polyval_horner(out_tag, auth_key, scratch, 1);\n }\n\n uint8_t length_block[16];\n CRYPTO_store_u64_le(length_block, ad_len * 8);\n CRYPTO_store_u64_le(length_block + 8, in_len * 8);\n aesgcmsiv_polyval_horner(out_tag, auth_key, length_block, 1);\n\n for (size_t i = 0; i < 12; i++) {\n out_tag[i] ^= nonce[i];\n }\n\n out_tag[15] &= 0x7f;\n}\n\n// aead_aes_gcm_siv_asm_crypt_last_block handles the encryption/decryption\n// (same thing in CTR mode) of the final block of a plaintext/ciphertext. It\n// writes |in_len| & 15 bytes to |out| + |in_len|, based on an initial counter\n// derived from |tag|.\nstatic void aead_aes_gcm_siv_asm_crypt_last_block(\n int is_128_bit, uint8_t *out, const uint8_t *in, size_t in_len,\n const uint8_t tag[16],\n const struct aead_aes_gcm_siv_asm_ctx *enc_key_expanded) {\n alignas(16) uint8_t counter[16];\n OPENSSL_memcpy(&counter, tag, sizeof(counter));\n counter[15] |= 0x80;\n CRYPTO_store_u32_le(counter, CRYPTO_load_u32_le(counter) + in_len / 16);\n\n if (is_128_bit) {\n aes128gcmsiv_ecb_enc_block(counter, counter, enc_key_expanded);\n } else {\n aes256gcmsiv_ecb_enc_block(counter, counter, enc_key_expanded);\n }\n\n const size_t last_bytes_offset = in_len & ~15;\n const size_t last_bytes_len = in_len & 15;\n uint8_t *last_bytes_out = &out[last_bytes_offset];\n const uint8_t *last_bytes_in = &in[last_bytes_offset];\n for (size_t i = 0; i < last_bytes_len; i++) {\n last_bytes_out[i] = last_bytes_in[i] ^ counter[i];\n }\n}\n\n// aead_aes_gcm_siv_kdf calculates the record encryption and authentication\n// keys given the |nonce|.\nstatic void aead_aes_gcm_siv_kdf(\n int is_128_bit, const struct aead_aes_gcm_siv_asm_ctx *gcm_siv_ctx,\n uint64_t out_record_auth_key[2], uint64_t out_record_enc_key[4],\n const uint8_t nonce[12]) {\n alignas(16) uint8_t padded_nonce[16];\n OPENSSL_memcpy(padded_nonce, nonce, 12);\n\n alignas(16) uint64_t key_material[12];\n if (is_128_bit) {\n aes128gcmsiv_kdf(padded_nonce, key_material, &gcm_siv_ctx->key[0]);\n out_record_enc_key[0] = key_material[4];\n out_record_enc_key[1] = key_material[6];\n } else {\n aes256gcmsiv_kdf(padded_nonce, key_material, &gcm_siv_ctx->key[0]);\n out_record_enc_key[0] = key_material[4];\n out_record_enc_key[1] = key_material[6];\n out_record_enc_key[2] = key_material[8];\n out_record_enc_key[3] = key_material[10];\n }\n\n out_record_auth_key[0] = key_material[0];\n out_record_auth_key[1] = key_material[2];\n}\n\nstatic int aead_aes_gcm_siv_asm_seal_scatter(\n const EVP_AEAD_CTX *ctx, uint8_t *out, uint8_t *out_tag,\n size_t *out_tag_len, size_t max_out_tag_len, const uint8_t *nonce,\n size_t nonce_len, const uint8_t *in, size_t in_len, const uint8_t *extra_in,\n size_t extra_in_len, const uint8_t *ad, size_t ad_len) {\n const struct aead_aes_gcm_siv_asm_ctx *gcm_siv_ctx = asm_ctx_from_ctx(ctx);\n const uint64_t in_len_64 = in_len;\n const uint64_t ad_len_64 = ad_len;\n\n if (in_len_64 > (UINT64_C(1) << 36) || ad_len_64 >= (UINT64_C(1) << 61)) {\n OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE);\n return 0;\n }\n\n if (max_out_tag_len < EVP_AEAD_AES_GCM_SIV_TAG_LEN) {\n OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL);\n return 0;\n }\n\n if (nonce_len != EVP_AEAD_AES_GCM_SIV_NONCE_LEN) {\n OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_NONCE_SIZE);\n return 0;\n }\n\n alignas(16) uint64_t record_auth_key[2];\n alignas(16) uint64_t record_enc_key[4];\n aead_aes_gcm_siv_kdf(gcm_siv_ctx->is_128_bit, gcm_siv_ctx, record_auth_key,\n record_enc_key, nonce);\n\n alignas(16) uint8_t tag[16] = {0};\n gcm_siv_asm_polyval(tag, in, in_len, ad, ad_len,\n (const uint8_t *)record_auth_key, nonce);\n\n struct aead_aes_gcm_siv_asm_ctx enc_key_expanded;\n\n if (gcm_siv_ctx->is_128_bit) {\n aes128gcmsiv_aes_ks_enc_x1(tag, tag, &enc_key_expanded.key[0],\n record_enc_key);\n\n if (in_len < 128) {\n aes128gcmsiv_enc_msg_x4(in, out, tag, &enc_key_expanded, in_len & ~15);\n } else {\n aes128gcmsiv_enc_msg_x8(in, out, tag, &enc_key_expanded, in_len & ~15);\n }\n } else {\n aes256gcmsiv_aes_ks_enc_x1(tag, tag, &enc_key_expanded.key[0],\n record_enc_key);\n\n if (in_len < 128) {\n aes256gcmsiv_enc_msg_x4(in, out, tag, &enc_key_expanded, in_len & ~15);\n } else {\n aes256gcmsiv_enc_msg_x8(in, out, tag, &enc_key_expanded, in_len & ~15);\n }\n }\n\n if (in_len & 15) {\n aead_aes_gcm_siv_asm_crypt_last_block(gcm_siv_ctx->is_128_bit, out, in,\n in_len, tag, &enc_key_expanded);\n }\n\n OPENSSL_memcpy(out_tag, tag, sizeof(tag));\n *out_tag_len = EVP_AEAD_AES_GCM_SIV_TAG_LEN;\n\n return 1;\n}\n\nstatic int aead_aes_gcm_siv_asm_open_gather(\n const EVP_AEAD_CTX *ctx, uint8_t *out, const uint8_t *nonce,\n size_t nonce_len, const uint8_t *in, size_t in_len, const uint8_t *in_tag,\n size_t in_tag_len, const uint8_t *ad, size_t ad_len) {\n const uint64_t ad_len_64 = ad_len;\n if (ad_len_64 >= (UINT64_C(1) << 61)) {\n OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE);\n return 0;\n }\n\n const uint64_t in_len_64 = in_len;\n if (in_len_64 > UINT64_C(1) << 36 ||\n in_tag_len != EVP_AEAD_AES_GCM_SIV_TAG_LEN) {\n OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT);\n return 0;\n }\n\n if (nonce_len != EVP_AEAD_AES_GCM_SIV_NONCE_LEN) {\n OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_NONCE_SIZE);\n return 0;\n }\n\n const struct aead_aes_gcm_siv_asm_ctx *gcm_siv_ctx = asm_ctx_from_ctx(ctx);\n\n alignas(16) uint64_t record_auth_key[2];\n alignas(16) uint64_t record_enc_key[4];\n aead_aes_gcm_siv_kdf(gcm_siv_ctx->is_128_bit, gcm_siv_ctx, record_auth_key,\n record_enc_key, nonce);\n\n struct aead_aes_gcm_siv_asm_ctx expanded_key;\n if (gcm_siv_ctx->is_128_bit) {\n aes128gcmsiv_aes_ks((const uint8_t *)record_enc_key, &expanded_key.key[0]);\n } else {\n aes256gcmsiv_aes_ks((const uint8_t *)record_enc_key, &expanded_key.key[0]);\n }\n // calculated_tag is 16*8 bytes, rather than 16 bytes, because\n // aes[128|256]gcmsiv_dec uses the extra as scratch space.\n alignas(16) uint8_t calculated_tag[16 * 8] = {0};\n\n OPENSSL_memset(calculated_tag, 0, EVP_AEAD_AES_GCM_SIV_TAG_LEN);\n const size_t ad_blocks = ad_len / 16;\n aesgcmsiv_polyval_horner(calculated_tag, (const uint8_t *)record_auth_key, ad,\n ad_blocks);\n\n uint8_t scratch[16];\n if (ad_len & 15) {\n OPENSSL_memset(scratch, 0, sizeof(scratch));\n OPENSSL_memcpy(scratch, &ad[ad_len & ~15], ad_len & 15);\n aesgcmsiv_polyval_horner(calculated_tag, (const uint8_t *)record_auth_key,\n scratch, 1);\n }\n\n alignas(16) uint8_t htable[16 * 6];\n aesgcmsiv_htable6_init(htable, (const uint8_t *)record_auth_key);\n\n // aes[128|256]gcmsiv_dec needs access to the claimed tag. So it's put into\n // its scratch space.\n memcpy(calculated_tag + 16, in_tag, EVP_AEAD_AES_GCM_SIV_TAG_LEN);\n if (gcm_siv_ctx->is_128_bit) {\n aes128gcmsiv_dec(in, out, calculated_tag, htable, &expanded_key, in_len);\n } else {\n aes256gcmsiv_dec(in, out, calculated_tag, htable, &expanded_key, in_len);\n }\n\n if (in_len & 15) {\n aead_aes_gcm_siv_asm_crypt_last_block(gcm_siv_ctx->is_128_bit, out, in,\n in_len, in_tag, &expanded_key);\n OPENSSL_memset(scratch, 0, sizeof(scratch));\n OPENSSL_memcpy(scratch, out + (in_len & ~15), in_len & 15);\n aesgcmsiv_polyval_horner(calculated_tag, (const uint8_t *)record_auth_key,\n scratch, 1);\n }\n\n uint8_t length_block[16];\n CRYPTO_store_u64_le(length_block, ad_len * 8);\n CRYPTO_store_u64_le(length_block + 8, in_len * 8);\n aesgcmsiv_polyval_horner(calculated_tag, (const uint8_t *)record_auth_key,\n length_block, 1);\n\n for (size_t i = 0; i < 12; i++) {\n calculated_tag[i] ^= nonce[i];\n }\n\n calculated_tag[15] &= 0x7f;\n\n if (gcm_siv_ctx->is_128_bit) {\n aes128gcmsiv_ecb_enc_block(calculated_tag, calculated_tag, &expanded_key);\n } else {\n aes256gcmsiv_ecb_enc_block(calculated_tag, calculated_tag, &expanded_key);\n }\n\n if (CRYPTO_memcmp(calculated_tag, in_tag, EVP_AEAD_AES_GCM_SIV_TAG_LEN) !=\n 0) {\n OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT);\n return 0;\n }\n\n return 1;\n}\n\nstatic const EVP_AEAD aead_aes_128_gcm_siv_asm = {\n 16, // key length\n EVP_AEAD_AES_GCM_SIV_NONCE_LEN, // nonce length\n EVP_AEAD_AES_GCM_SIV_TAG_LEN, // overhead\n EVP_AEAD_AES_GCM_SIV_TAG_LEN, // max tag length\n 0, // seal_scatter_supports_extra_in\n\n aead_aes_gcm_siv_asm_init,\n NULL /* init_with_direction */,\n aead_aes_gcm_siv_asm_cleanup,\n NULL /* open */,\n aead_aes_gcm_siv_asm_seal_scatter,\n aead_aes_gcm_siv_asm_open_gather,\n NULL /* get_iv */,\n NULL /* tag_len */,\n};\n\nstatic const EVP_AEAD aead_aes_256_gcm_siv_asm = {\n 32, // key length\n EVP_AEAD_AES_GCM_SIV_NONCE_LEN, // nonce length\n EVP_AEAD_AES_GCM_SIV_TAG_LEN, // overhead\n EVP_AEAD_AES_GCM_SIV_TAG_LEN, // max tag length\n 0, // seal_scatter_supports_extra_in\n\n aead_aes_gcm_siv_asm_init,\n NULL /* init_with_direction */,\n aead_aes_gcm_siv_asm_cleanup,\n NULL /* open */,\n aead_aes_gcm_siv_asm_seal_scatter,\n aead_aes_gcm_siv_asm_open_gather,\n NULL /* get_iv */,\n NULL /* tag_len */,\n};\n\n#endif // X86_64 && !NO_ASM && !WINDOWS\n\nnamespace {\nstruct aead_aes_gcm_siv_ctx {\n union {\n double align;\n AES_KEY ks;\n } ks;\n block128_f kgk_block;\n unsigned is_256 : 1;\n};\n} // namespace\n\nstatic_assert(sizeof(((EVP_AEAD_CTX *)NULL)->state) >=\n sizeof(struct aead_aes_gcm_siv_ctx),\n \"AEAD state is too small\");\nstatic_assert(alignof(union evp_aead_ctx_st_state) >=\n alignof(struct aead_aes_gcm_siv_ctx),\n \"AEAD state has insufficient alignment\");\n\nstatic int aead_aes_gcm_siv_init(EVP_AEAD_CTX *ctx, const uint8_t *key,\n size_t key_len, size_t tag_len) {\n const size_t key_bits = key_len * 8;\n\n if (key_bits != 128 && key_bits != 256) {\n OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_KEY_LENGTH);\n return 0; // EVP_AEAD_CTX_init should catch this.\n }\n\n if (tag_len == EVP_AEAD_DEFAULT_TAG_LENGTH) {\n tag_len = EVP_AEAD_AES_GCM_SIV_TAG_LEN;\n }\n if (tag_len != EVP_AEAD_AES_GCM_SIV_TAG_LEN) {\n OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TAG_TOO_LARGE);\n return 0;\n }\n\n struct aead_aes_gcm_siv_ctx *gcm_siv_ctx =\n (struct aead_aes_gcm_siv_ctx *)&ctx->state;\n OPENSSL_memset(gcm_siv_ctx, 0, sizeof(struct aead_aes_gcm_siv_ctx));\n\n aes_ctr_set_key(&gcm_siv_ctx->ks.ks, NULL, &gcm_siv_ctx->kgk_block, key,\n key_len);\n gcm_siv_ctx->is_256 = (key_len == 32);\n ctx->tag_len = tag_len;\n\n return 1;\n}\n\nstatic void aead_aes_gcm_siv_cleanup(EVP_AEAD_CTX *ctx) {}\n\n// gcm_siv_crypt encrypts (or decrypts—it's the same thing) |in_len| bytes from\n// |in| to |out|, using the block function |enc_block| with |key| in counter\n// mode, starting at |initial_counter|. This differs from the traditional\n// counter mode code in that the counter is handled little-endian, only the\n// first four bytes are used and the GCM-SIV tweak to the final byte is\n// applied. The |in| and |out| pointers may be equal but otherwise must not\n// alias.\nstatic void gcm_siv_crypt(uint8_t *out, const uint8_t *in, size_t in_len,\n const uint8_t initial_counter[AES_BLOCK_SIZE],\n block128_f enc_block, const AES_KEY *key) {\n uint8_t counter[16];\n\n OPENSSL_memcpy(counter, initial_counter, AES_BLOCK_SIZE);\n counter[15] |= 0x80;\n\n for (size_t done = 0; done < in_len;) {\n uint8_t keystream[AES_BLOCK_SIZE];\n enc_block(counter, keystream, key);\n CRYPTO_store_u32_le(counter, CRYPTO_load_u32_le(counter) + 1);\n\n size_t todo = AES_BLOCK_SIZE;\n if (in_len - done < todo) {\n todo = in_len - done;\n }\n\n for (size_t i = 0; i < todo; i++) {\n out[done + i] = keystream[i] ^ in[done + i];\n }\n\n done += todo;\n }\n}\n\n// gcm_siv_polyval evaluates POLYVAL at |auth_key| on the given plaintext and\n// AD. The result is written to |out_tag|.\nstatic void gcm_siv_polyval(\n uint8_t out_tag[16], const uint8_t *in, size_t in_len, const uint8_t *ad,\n size_t ad_len, const uint8_t auth_key[16],\n const uint8_t nonce[EVP_AEAD_AES_GCM_SIV_NONCE_LEN]) {\n struct polyval_ctx polyval_ctx;\n CRYPTO_POLYVAL_init(&polyval_ctx, auth_key);\n\n CRYPTO_POLYVAL_update_blocks(&polyval_ctx, ad, ad_len & ~15);\n\n uint8_t scratch[16];\n if (ad_len & 15) {\n OPENSSL_memset(scratch, 0, sizeof(scratch));\n OPENSSL_memcpy(scratch, &ad[ad_len & ~15], ad_len & 15);\n CRYPTO_POLYVAL_update_blocks(&polyval_ctx, scratch, sizeof(scratch));\n }\n\n CRYPTO_POLYVAL_update_blocks(&polyval_ctx, in, in_len & ~15);\n if (in_len & 15) {\n OPENSSL_memset(scratch, 0, sizeof(scratch));\n OPENSSL_memcpy(scratch, &in[in_len & ~15], in_len & 15);\n CRYPTO_POLYVAL_update_blocks(&polyval_ctx, scratch, sizeof(scratch));\n }\n\n uint8_t length_block[16];\n CRYPTO_store_u64_le(length_block, ((uint64_t)ad_len) * 8);\n CRYPTO_store_u64_le(length_block + 8, ((uint64_t)in_len) * 8);\n CRYPTO_POLYVAL_update_blocks(&polyval_ctx, length_block,\n sizeof(length_block));\n\n CRYPTO_POLYVAL_finish(&polyval_ctx, out_tag);\n for (size_t i = 0; i < EVP_AEAD_AES_GCM_SIV_NONCE_LEN; i++) {\n out_tag[i] ^= nonce[i];\n }\n out_tag[15] &= 0x7f;\n}\n\nnamespace {\n// gcm_siv_record_keys contains the keys used for a specific GCM-SIV record.\nstruct gcm_siv_record_keys {\n uint8_t auth_key[16];\n union {\n double align;\n AES_KEY ks;\n } enc_key;\n block128_f enc_block;\n};\n} // namespace\n\n// gcm_siv_keys calculates the keys for a specific GCM-SIV record with the\n// given nonce and writes them to |*out_keys|.\nstatic void gcm_siv_keys(const struct aead_aes_gcm_siv_ctx *gcm_siv_ctx,\n struct gcm_siv_record_keys *out_keys,\n const uint8_t nonce[EVP_AEAD_AES_GCM_SIV_NONCE_LEN]) {\n const AES_KEY *const key = &gcm_siv_ctx->ks.ks;\n uint8_t key_material[(128 /* POLYVAL key */ + 256 /* max AES key */) / 8];\n const size_t blocks_needed = gcm_siv_ctx->is_256 ? 6 : 4;\n\n uint8_t counter[AES_BLOCK_SIZE];\n OPENSSL_memset(counter, 0, AES_BLOCK_SIZE - EVP_AEAD_AES_GCM_SIV_NONCE_LEN);\n OPENSSL_memcpy(counter + AES_BLOCK_SIZE - EVP_AEAD_AES_GCM_SIV_NONCE_LEN,\n nonce, EVP_AEAD_AES_GCM_SIV_NONCE_LEN);\n for (size_t i = 0; i < blocks_needed; i++) {\n counter[0] = i;\n\n uint8_t ciphertext[AES_BLOCK_SIZE];\n gcm_siv_ctx->kgk_block(counter, ciphertext, key);\n OPENSSL_memcpy(&key_material[i * 8], ciphertext, 8);\n }\n\n OPENSSL_memcpy(out_keys->auth_key, key_material, 16);\n // Note the |ctr128_f| function uses a big-endian couner, while AES-GCM-SIV\n // uses a little-endian counter. We ignore the return value and only use\n // |block128_f|. This has a significant performance cost for the fallback\n // bitsliced AES implementations (bsaes and aes_nohw).\n //\n // We currently do not consider AES-GCM-SIV to be performance-sensitive on\n // client hardware. If this changes, we can write little-endian |ctr128_f|\n // functions.\n aes_ctr_set_key(&out_keys->enc_key.ks, NULL, &out_keys->enc_block,\n key_material + 16, gcm_siv_ctx->is_256 ? 32 : 16);\n}\n\nstatic int aead_aes_gcm_siv_seal_scatter(\n const EVP_AEAD_CTX *ctx, uint8_t *out, uint8_t *out_tag,\n size_t *out_tag_len, size_t max_out_tag_len, const uint8_t *nonce,\n size_t nonce_len, const uint8_t *in, size_t in_len, const uint8_t *extra_in,\n size_t extra_in_len, const uint8_t *ad, size_t ad_len) {\n const struct aead_aes_gcm_siv_ctx *gcm_siv_ctx =\n (struct aead_aes_gcm_siv_ctx *)&ctx->state;\n const uint64_t in_len_64 = in_len;\n const uint64_t ad_len_64 = ad_len;\n\n if (in_len + EVP_AEAD_AES_GCM_SIV_TAG_LEN < in_len ||\n in_len_64 > (UINT64_C(1) << 36) || ad_len_64 >= (UINT64_C(1) << 61)) {\n OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE);\n return 0;\n }\n\n if (max_out_tag_len < EVP_AEAD_AES_GCM_SIV_TAG_LEN) {\n OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL);\n return 0;\n }\n\n if (nonce_len != EVP_AEAD_AES_GCM_SIV_NONCE_LEN) {\n OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_NONCE_SIZE);\n return 0;\n }\n\n struct gcm_siv_record_keys keys;\n gcm_siv_keys(gcm_siv_ctx, &keys, nonce);\n\n uint8_t tag[16];\n gcm_siv_polyval(tag, in, in_len, ad, ad_len, keys.auth_key, nonce);\n keys.enc_block(tag, tag, &keys.enc_key.ks);\n\n gcm_siv_crypt(out, in, in_len, tag, keys.enc_block, &keys.enc_key.ks);\n\n OPENSSL_memcpy(out_tag, tag, EVP_AEAD_AES_GCM_SIV_TAG_LEN);\n *out_tag_len = EVP_AEAD_AES_GCM_SIV_TAG_LEN;\n\n return 1;\n}\n\nstatic int aead_aes_gcm_siv_open_gather(const EVP_AEAD_CTX *ctx, uint8_t *out,\n const uint8_t *nonce, size_t nonce_len,\n const uint8_t *in, size_t in_len,\n const uint8_t *in_tag,\n size_t in_tag_len, const uint8_t *ad,\n size_t ad_len) {\n const uint64_t ad_len_64 = ad_len;\n if (ad_len_64 >= (UINT64_C(1) << 61)) {\n OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE);\n return 0;\n }\n\n const uint64_t in_len_64 = in_len;\n if (in_tag_len != EVP_AEAD_AES_GCM_SIV_TAG_LEN ||\n in_len_64 > (UINT64_C(1) << 36) + AES_BLOCK_SIZE) {\n OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT);\n return 0;\n }\n\n if (nonce_len != EVP_AEAD_AES_GCM_SIV_NONCE_LEN) {\n OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_NONCE_SIZE);\n return 0;\n }\n\n const struct aead_aes_gcm_siv_ctx *gcm_siv_ctx =\n (struct aead_aes_gcm_siv_ctx *)&ctx->state;\n\n struct gcm_siv_record_keys keys;\n gcm_siv_keys(gcm_siv_ctx, &keys, nonce);\n\n gcm_siv_crypt(out, in, in_len, in_tag, keys.enc_block, &keys.enc_key.ks);\n\n uint8_t expected_tag[EVP_AEAD_AES_GCM_SIV_TAG_LEN];\n gcm_siv_polyval(expected_tag, out, in_len, ad, ad_len, keys.auth_key, nonce);\n keys.enc_block(expected_tag, expected_tag, &keys.enc_key.ks);\n\n if (CRYPTO_memcmp(expected_tag, in_tag, sizeof(expected_tag)) != 0) {\n OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT);\n return 0;\n }\n\n return 1;\n}\n\nstatic const EVP_AEAD aead_aes_128_gcm_siv = {\n 16, // key length\n EVP_AEAD_AES_GCM_SIV_NONCE_LEN, // nonce length\n EVP_AEAD_AES_GCM_SIV_TAG_LEN, // overhead\n EVP_AEAD_AES_GCM_SIV_TAG_LEN, // max tag length\n 0, // seal_scatter_supports_extra_in\n\n aead_aes_gcm_siv_init,\n NULL /* init_with_direction */,\n aead_aes_gcm_siv_cleanup,\n NULL /* open */,\n aead_aes_gcm_siv_seal_scatter,\n aead_aes_gcm_siv_open_gather,\n NULL /* get_iv */,\n NULL /* tag_len */,\n};\n\nstatic const EVP_AEAD aead_aes_256_gcm_siv = {\n 32, // key length\n EVP_AEAD_AES_GCM_SIV_NONCE_LEN, // nonce length\n EVP_AEAD_AES_GCM_SIV_TAG_LEN, // overhead\n EVP_AEAD_AES_GCM_SIV_TAG_LEN, // max tag length\n 0, // seal_scatter_supports_extra_in\n\n aead_aes_gcm_siv_init,\n NULL /* init_with_direction */,\n aead_aes_gcm_siv_cleanup,\n NULL /* open */,\n aead_aes_gcm_siv_seal_scatter,\n aead_aes_gcm_siv_open_gather,\n NULL /* get_iv */,\n NULL /* tag_len */,\n};\n\n#if defined(AES_GCM_SIV_ASM)\n\nconst EVP_AEAD *EVP_aead_aes_128_gcm_siv(void) {\n if (CRYPTO_is_AVX_capable() && CRYPTO_is_AESNI_capable()) {\n return &aead_aes_128_gcm_siv_asm;\n }\n return &aead_aes_128_gcm_siv;\n}\n\nconst EVP_AEAD *EVP_aead_aes_256_gcm_siv(void) {\n if (CRYPTO_is_AVX_capable() && CRYPTO_is_AESNI_capable()) {\n return &aead_aes_256_gcm_siv_asm;\n }\n return &aead_aes_256_gcm_siv;\n}\n\n#else\n\nconst EVP_AEAD *EVP_aead_aes_128_gcm_siv(void) { return &aead_aes_128_gcm_siv; }\n\nconst EVP_AEAD *EVP_aead_aes_256_gcm_siv(void) { return &aead_aes_256_gcm_siv; }\n\n#endif // AES_GCM_SIV_ASM\n" }, { "path": "Sources/CNIOBoringSSL/crypto/cipher/e_chacha20poly1305.cc", "content": "/* Copyright 2014 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n#include \n\n#include \n#include \n\n#include \n#include \n#include \n#include \n#include \n\n#include \"internal.h\"\n#include \"../chacha/internal.h\"\n#include \"../fipsmodule/cipher/internal.h\"\n#include \"../internal.h\"\n\nstruct aead_chacha20_poly1305_ctx {\n uint8_t key[32];\n};\n\nstatic_assert(sizeof(((EVP_AEAD_CTX *)NULL)->state) >=\n sizeof(struct aead_chacha20_poly1305_ctx),\n \"AEAD state is too small\");\nstatic_assert(alignof(union evp_aead_ctx_st_state) >=\n alignof(struct aead_chacha20_poly1305_ctx),\n \"AEAD state has insufficient alignment\");\n\nstatic int aead_chacha20_poly1305_init(EVP_AEAD_CTX *ctx, const uint8_t *key,\n size_t key_len, size_t tag_len) {\n struct aead_chacha20_poly1305_ctx *c20_ctx =\n (struct aead_chacha20_poly1305_ctx *)&ctx->state;\n\n if (tag_len == 0) {\n tag_len = POLY1305_TAG_LEN;\n }\n\n if (tag_len > POLY1305_TAG_LEN) {\n OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE);\n return 0;\n }\n\n if (key_len != sizeof(c20_ctx->key)) {\n return 0; // internal error - EVP_AEAD_CTX_init should catch this.\n }\n\n OPENSSL_memcpy(c20_ctx->key, key, key_len);\n ctx->tag_len = tag_len;\n\n return 1;\n}\n\nstatic void aead_chacha20_poly1305_cleanup(EVP_AEAD_CTX *ctx) {}\n\nstatic void poly1305_update_length(poly1305_state *poly1305, size_t data_len) {\n uint8_t length_bytes[8];\n\n for (unsigned i = 0; i < sizeof(length_bytes); i++) {\n length_bytes[i] = data_len;\n data_len >>= 8;\n }\n\n CRYPTO_poly1305_update(poly1305, length_bytes, sizeof(length_bytes));\n}\n\n// calc_tag fills |tag| with the authentication tag for the given inputs.\nstatic void calc_tag(uint8_t tag[POLY1305_TAG_LEN], const uint8_t *key,\n const uint8_t nonce[12], const uint8_t *ad, size_t ad_len,\n const uint8_t *ciphertext, size_t ciphertext_len,\n const uint8_t *ciphertext_extra,\n size_t ciphertext_extra_len) {\n alignas(16) uint8_t poly1305_key[32];\n OPENSSL_memset(poly1305_key, 0, sizeof(poly1305_key));\n CRYPTO_chacha_20(poly1305_key, poly1305_key, sizeof(poly1305_key), key, nonce,\n 0);\n\n static const uint8_t padding[16] = { 0 }; // Padding is all zeros.\n poly1305_state ctx;\n CRYPTO_poly1305_init(&ctx, poly1305_key);\n CRYPTO_poly1305_update(&ctx, ad, ad_len);\n if (ad_len % 16 != 0) {\n CRYPTO_poly1305_update(&ctx, padding, sizeof(padding) - (ad_len % 16));\n }\n CRYPTO_poly1305_update(&ctx, ciphertext, ciphertext_len);\n CRYPTO_poly1305_update(&ctx, ciphertext_extra, ciphertext_extra_len);\n const size_t ciphertext_total = ciphertext_len + ciphertext_extra_len;\n if (ciphertext_total % 16 != 0) {\n CRYPTO_poly1305_update(&ctx, padding,\n sizeof(padding) - (ciphertext_total % 16));\n }\n poly1305_update_length(&ctx, ad_len);\n poly1305_update_length(&ctx, ciphertext_total);\n CRYPTO_poly1305_finish(&ctx, tag);\n}\n\nstatic int chacha20_poly1305_seal_scatter(\n const uint8_t *key, uint8_t *out, uint8_t *out_tag,\n size_t *out_tag_len, size_t max_out_tag_len, const uint8_t *nonce,\n size_t nonce_len, const uint8_t *in, size_t in_len, const uint8_t *extra_in,\n size_t extra_in_len, const uint8_t *ad, size_t ad_len, size_t tag_len) {\n if (extra_in_len + tag_len < tag_len) {\n OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE);\n return 0;\n }\n if (max_out_tag_len < tag_len + extra_in_len) {\n OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL);\n return 0;\n }\n if (nonce_len != 12) {\n OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_NONCE_SIZE);\n return 0;\n }\n\n // |CRYPTO_chacha_20| uses a 32-bit block counter. Therefore we disallow\n // individual operations that work on more than 256GB at a time.\n // |in_len_64| is needed because, on 32-bit platforms, size_t is only\n // 32-bits and this produces a warning because it's always false.\n // Casting to uint64_t inside the conditional is not sufficient to stop\n // the warning.\n const uint64_t in_len_64 = in_len;\n if (in_len_64 >= (UINT64_C(1) << 32) * 64 - 64) {\n OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE);\n return 0;\n }\n\n if (max_out_tag_len < tag_len) {\n OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL);\n return 0;\n }\n\n // The the extra input is given, it is expected to be very short and so is\n // encrypted byte-by-byte first.\n if (extra_in_len) {\n static const size_t kChaChaBlockSize = 64;\n uint32_t block_counter = (uint32_t)(1 + (in_len / kChaChaBlockSize));\n size_t offset = in_len % kChaChaBlockSize;\n uint8_t block[64 /* kChaChaBlockSize */];\n\n for (size_t done = 0; done < extra_in_len; block_counter++) {\n memset(block, 0, sizeof(block));\n CRYPTO_chacha_20(block, block, sizeof(block), key, nonce,\n block_counter);\n for (size_t i = offset; i < sizeof(block) && done < extra_in_len;\n i++, done++) {\n out_tag[done] = extra_in[done] ^ block[i];\n }\n offset = 0;\n }\n }\n\n union chacha20_poly1305_seal_data data;\n if (chacha20_poly1305_asm_capable()) {\n OPENSSL_memcpy(data.in.key, key, 32);\n data.in.counter = 0;\n OPENSSL_memcpy(data.in.nonce, nonce, 12);\n data.in.extra_ciphertext = out_tag;\n data.in.extra_ciphertext_len = extra_in_len;\n chacha20_poly1305_seal(out, in, in_len, ad, ad_len, &data);\n } else {\n CRYPTO_chacha_20(out, in, in_len, key, nonce, 1);\n calc_tag(data.out.tag, key, nonce, ad, ad_len, out, in_len, out_tag,\n extra_in_len);\n }\n\n OPENSSL_memcpy(out_tag + extra_in_len, data.out.tag, tag_len);\n *out_tag_len = extra_in_len + tag_len;\n return 1;\n}\n\nstatic int aead_chacha20_poly1305_seal_scatter(\n const EVP_AEAD_CTX *ctx, uint8_t *out, uint8_t *out_tag,\n size_t *out_tag_len, size_t max_out_tag_len, const uint8_t *nonce,\n size_t nonce_len, const uint8_t *in, size_t in_len, const uint8_t *extra_in,\n size_t extra_in_len, const uint8_t *ad, size_t ad_len) {\n const struct aead_chacha20_poly1305_ctx *c20_ctx =\n (struct aead_chacha20_poly1305_ctx *)&ctx->state;\n\n return chacha20_poly1305_seal_scatter(\n c20_ctx->key, out, out_tag, out_tag_len, max_out_tag_len, nonce,\n nonce_len, in, in_len, extra_in, extra_in_len, ad, ad_len, ctx->tag_len);\n}\n\nstatic int aead_xchacha20_poly1305_seal_scatter(\n const EVP_AEAD_CTX *ctx, uint8_t *out, uint8_t *out_tag,\n size_t *out_tag_len, size_t max_out_tag_len, const uint8_t *nonce,\n size_t nonce_len, const uint8_t *in, size_t in_len, const uint8_t *extra_in,\n size_t extra_in_len, const uint8_t *ad, size_t ad_len) {\n const struct aead_chacha20_poly1305_ctx *c20_ctx =\n (struct aead_chacha20_poly1305_ctx *)&ctx->state;\n\n if (nonce_len != 24) {\n OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_NONCE_SIZE);\n return 0;\n }\n\n alignas(4) uint8_t derived_key[32];\n alignas(4) uint8_t derived_nonce[12];\n CRYPTO_hchacha20(derived_key, c20_ctx->key, nonce);\n OPENSSL_memset(derived_nonce, 0, 4);\n OPENSSL_memcpy(&derived_nonce[4], &nonce[16], 8);\n\n return chacha20_poly1305_seal_scatter(\n derived_key, out, out_tag, out_tag_len, max_out_tag_len,\n derived_nonce, sizeof(derived_nonce), in, in_len, extra_in, extra_in_len,\n ad, ad_len, ctx->tag_len);\n}\n\nstatic int chacha20_poly1305_open_gather(\n const uint8_t *key, uint8_t *out, const uint8_t *nonce,\n size_t nonce_len, const uint8_t *in, size_t in_len, const uint8_t *in_tag,\n size_t in_tag_len, const uint8_t *ad, size_t ad_len, size_t tag_len) {\n if (nonce_len != 12) {\n OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_NONCE_SIZE);\n return 0;\n }\n\n if (in_tag_len != tag_len) {\n OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT);\n return 0;\n }\n\n // |CRYPTO_chacha_20| uses a 32-bit block counter. Therefore we disallow\n // individual operations that work on more than 256GB at a time.\n // |in_len_64| is needed because, on 32-bit platforms, size_t is only\n // 32-bits and this produces a warning because it's always false.\n // Casting to uint64_t inside the conditional is not sufficient to stop\n // the warning.\n const uint64_t in_len_64 = in_len;\n if (in_len_64 >= (UINT64_C(1) << 32) * 64 - 64) {\n OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE);\n return 0;\n }\n\n union chacha20_poly1305_open_data data;\n if (chacha20_poly1305_asm_capable()) {\n OPENSSL_memcpy(data.in.key, key, 32);\n data.in.counter = 0;\n OPENSSL_memcpy(data.in.nonce, nonce, 12);\n chacha20_poly1305_open(out, in, in_len, ad, ad_len, &data);\n } else {\n calc_tag(data.out.tag, key, nonce, ad, ad_len, in, in_len, NULL, 0);\n CRYPTO_chacha_20(out, in, in_len, key, nonce, 1);\n }\n\n if (CRYPTO_memcmp(data.out.tag, in_tag, tag_len) != 0) {\n OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT);\n return 0;\n }\n\n return 1;\n}\n\nstatic int aead_chacha20_poly1305_open_gather(\n const EVP_AEAD_CTX *ctx, uint8_t *out, const uint8_t *nonce,\n size_t nonce_len, const uint8_t *in, size_t in_len, const uint8_t *in_tag,\n size_t in_tag_len, const uint8_t *ad, size_t ad_len) {\n const struct aead_chacha20_poly1305_ctx *c20_ctx =\n (struct aead_chacha20_poly1305_ctx *)&ctx->state;\n\n return chacha20_poly1305_open_gather(c20_ctx->key, out, nonce, nonce_len, in,\n in_len, in_tag, in_tag_len, ad, ad_len,\n ctx->tag_len);\n}\n\nstatic int aead_xchacha20_poly1305_open_gather(\n const EVP_AEAD_CTX *ctx, uint8_t *out, const uint8_t *nonce,\n size_t nonce_len, const uint8_t *in, size_t in_len, const uint8_t *in_tag,\n size_t in_tag_len, const uint8_t *ad, size_t ad_len) {\n const struct aead_chacha20_poly1305_ctx *c20_ctx =\n (struct aead_chacha20_poly1305_ctx *)&ctx->state;\n\n if (nonce_len != 24) {\n OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_NONCE_SIZE);\n return 0;\n }\n\n alignas(4) uint8_t derived_key[32];\n alignas(4) uint8_t derived_nonce[12];\n CRYPTO_hchacha20(derived_key, c20_ctx->key, nonce);\n OPENSSL_memset(derived_nonce, 0, 4);\n OPENSSL_memcpy(&derived_nonce[4], &nonce[16], 8);\n\n return chacha20_poly1305_open_gather(\n derived_key, out, derived_nonce, sizeof(derived_nonce), in, in_len,\n in_tag, in_tag_len, ad, ad_len, ctx->tag_len);\n}\n\nstatic const EVP_AEAD aead_chacha20_poly1305 = {\n 32, // key len\n 12, // nonce len\n POLY1305_TAG_LEN, // overhead\n POLY1305_TAG_LEN, // max tag length\n 1, // seal_scatter_supports_extra_in\n\n aead_chacha20_poly1305_init,\n NULL, // init_with_direction\n aead_chacha20_poly1305_cleanup,\n NULL /* open */,\n aead_chacha20_poly1305_seal_scatter,\n aead_chacha20_poly1305_open_gather,\n NULL, // get_iv\n NULL, // tag_len\n};\n\nstatic const EVP_AEAD aead_xchacha20_poly1305 = {\n 32, // key len\n 24, // nonce len\n POLY1305_TAG_LEN, // overhead\n POLY1305_TAG_LEN, // max tag length\n 1, // seal_scatter_supports_extra_in\n\n aead_chacha20_poly1305_init,\n NULL, // init_with_direction\n aead_chacha20_poly1305_cleanup,\n NULL /* open */,\n aead_xchacha20_poly1305_seal_scatter,\n aead_xchacha20_poly1305_open_gather,\n NULL, // get_iv\n NULL, // tag_len\n};\n\nconst EVP_AEAD *EVP_aead_chacha20_poly1305(void) {\n return &aead_chacha20_poly1305;\n}\n\nconst EVP_AEAD *EVP_aead_xchacha20_poly1305(void) {\n return &aead_xchacha20_poly1305;\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/cipher/e_des.cc", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n#include \n#include \n\n#include \"../des/internal.h\"\n#include \"../fipsmodule/cipher/internal.h\"\n#include \"internal.h\"\n\n\ntypedef struct {\n union {\n double align;\n DES_key_schedule ks;\n } ks;\n} EVP_DES_KEY;\n\nstatic int des_init_key(EVP_CIPHER_CTX *ctx, const uint8_t *key,\n const uint8_t *iv, int enc) {\n EVP_DES_KEY *dat = (EVP_DES_KEY *)ctx->cipher_data;\n DES_set_key_ex(key, &dat->ks.ks);\n return 1;\n}\n\nstatic int des_cbc_cipher(EVP_CIPHER_CTX *ctx, uint8_t *out, const uint8_t *in,\n size_t in_len) {\n EVP_DES_KEY *dat = (EVP_DES_KEY *)ctx->cipher_data;\n DES_ncbc_encrypt_ex(in, out, in_len, &dat->ks.ks, ctx->iv, ctx->encrypt);\n return 1;\n}\n\nstatic const EVP_CIPHER evp_des_cbc = {\n /*nid=*/NID_des_cbc,\n /*block_size=*/8,\n /*key_len=*/8,\n /*iv_len=*/8,\n /*ctx_size=*/sizeof(EVP_DES_KEY),\n /*flags=*/EVP_CIPH_CBC_MODE,\n /*init=*/des_init_key,\n /*cipher=*/des_cbc_cipher,\n /*cleanup=*/nullptr,\n /*ctrl=*/nullptr,\n};\n\nconst EVP_CIPHER *EVP_des_cbc(void) { return &evp_des_cbc; }\n\nstatic int des_ecb_cipher(EVP_CIPHER_CTX *ctx, uint8_t *out, const uint8_t *in,\n size_t in_len) {\n if (in_len < ctx->cipher->block_size) {\n return 1;\n }\n in_len -= ctx->cipher->block_size;\n\n EVP_DES_KEY *dat = (EVP_DES_KEY *)ctx->cipher_data;\n for (size_t i = 0; i <= in_len; i += ctx->cipher->block_size) {\n DES_ecb_encrypt_ex(in + i, out + i, &dat->ks.ks, ctx->encrypt);\n }\n return 1;\n}\n\nstatic const EVP_CIPHER evp_des_ecb = {\n /*nid=*/NID_des_ecb,\n /*block_size=*/8,\n /*key_len=*/8,\n /*iv_len=*/0,\n /*ctx_size=*/sizeof(EVP_DES_KEY),\n /*flags=*/EVP_CIPH_ECB_MODE,\n /*init=*/des_init_key,\n /*cipher=*/des_ecb_cipher,\n /*cleanup=*/nullptr,\n /*ctrl=*/nullptr,\n};\n\nconst EVP_CIPHER *EVP_des_ecb(void) { return &evp_des_ecb; }\n\ntypedef struct {\n union {\n double align;\n DES_key_schedule ks[3];\n } ks;\n} DES_EDE_KEY;\n\nstatic int des_ede3_init_key(EVP_CIPHER_CTX *ctx, const uint8_t *key,\n const uint8_t *iv, int enc) {\n DES_EDE_KEY *dat = (DES_EDE_KEY *)ctx->cipher_data;\n DES_set_key_ex(key, &dat->ks.ks[0]);\n DES_set_key_ex(key + 8, &dat->ks.ks[1]);\n DES_set_key_ex(key + 16, &dat->ks.ks[2]);\n return 1;\n}\n\nstatic int des_ede3_cbc_cipher(EVP_CIPHER_CTX *ctx, uint8_t *out,\n const uint8_t *in, size_t in_len) {\n DES_EDE_KEY *dat = (DES_EDE_KEY *)ctx->cipher_data;\n DES_ede3_cbc_encrypt_ex(in, out, in_len, &dat->ks.ks[0], &dat->ks.ks[1],\n &dat->ks.ks[2], ctx->iv, ctx->encrypt);\n return 1;\n}\n\nstatic const EVP_CIPHER evp_des_ede3_cbc = {\n /*nid=*/NID_des_ede3_cbc,\n /*block_size=*/8,\n /*key_len=*/24,\n /*iv_len=*/8,\n /*ctx_size=*/sizeof(DES_EDE_KEY),\n /*flags=*/EVP_CIPH_CBC_MODE,\n /*init=*/des_ede3_init_key,\n /*cipher=*/des_ede3_cbc_cipher,\n /*cleanup=*/nullptr,\n /*ctrl=*/nullptr,\n};\n\nconst EVP_CIPHER *EVP_des_ede3_cbc(void) { return &evp_des_ede3_cbc; }\n\nstatic int des_ede_init_key(EVP_CIPHER_CTX *ctx, const uint8_t *key,\n const uint8_t *iv, int enc) {\n DES_EDE_KEY *dat = (DES_EDE_KEY *)ctx->cipher_data;\n // 2-DES is 3-DES with the first key used twice.\n DES_set_key_ex(key, &dat->ks.ks[0]);\n DES_set_key_ex(key + 8, &dat->ks.ks[1]);\n DES_set_key_ex(key, &dat->ks.ks[2]);\n return 1;\n}\n\nstatic const EVP_CIPHER evp_des_ede_cbc = {\n /*nid=*/NID_des_ede_cbc,\n /*block_size=*/8,\n /*key_len=*/16,\n /*iv_len=*/8,\n /*ctx_size=*/sizeof(DES_EDE_KEY),\n /*flags=*/EVP_CIPH_CBC_MODE,\n /*init=*/des_ede_init_key,\n /*cipher=*/des_ede3_cbc_cipher,\n /*cleanup=*/nullptr,\n /*ctrl=*/nullptr,\n};\n\nconst EVP_CIPHER *EVP_des_ede_cbc(void) { return &evp_des_ede_cbc; }\n\nstatic int des_ede_ecb_cipher(EVP_CIPHER_CTX *ctx, uint8_t *out,\n const uint8_t *in, size_t in_len) {\n if (in_len < ctx->cipher->block_size) {\n return 1;\n }\n in_len -= ctx->cipher->block_size;\n\n DES_EDE_KEY *dat = (DES_EDE_KEY *)ctx->cipher_data;\n for (size_t i = 0; i <= in_len; i += ctx->cipher->block_size) {\n DES_ecb3_encrypt_ex(in + i, out + i, &dat->ks.ks[0], &dat->ks.ks[1],\n &dat->ks.ks[2], ctx->encrypt);\n }\n return 1;\n}\n\nstatic const EVP_CIPHER evp_des_ede = {\n /*nid=*/NID_des_ede_ecb,\n /*block_size=*/8,\n /*key_len=*/16,\n /*iv_len=*/0,\n /*ctx_size=*/sizeof(DES_EDE_KEY),\n /*flags=*/EVP_CIPH_ECB_MODE,\n /*init=*/des_ede_init_key,\n /*cipher=*/des_ede_ecb_cipher,\n /*cleanup=*/nullptr,\n /*ctrl=*/nullptr,\n};\n\nconst EVP_CIPHER *EVP_des_ede(void) { return &evp_des_ede; }\n\nstatic const EVP_CIPHER evp_des_ede3 = {\n /*nid=*/NID_des_ede3_ecb,\n /*block_size=*/8,\n /*key_len=*/24,\n /*iv_len=*/0,\n /*ctx_size=*/sizeof(DES_EDE_KEY),\n /*flags=*/EVP_CIPH_ECB_MODE,\n /*init=*/des_ede3_init_key,\n /*cipher=*/des_ede_ecb_cipher,\n /*cleanup=*/nullptr,\n /*ctrl=*/nullptr,\n};\n\nconst EVP_CIPHER *EVP_des_ede3(void) { return &evp_des_ede3; }\n\nconst EVP_CIPHER *EVP_des_ede3_ecb(void) { return EVP_des_ede3(); }\n" }, { "path": "Sources/CNIOBoringSSL/crypto/cipher/e_null.cc", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n\n#include \n\n#include \"../fipsmodule/cipher/internal.h\"\n#include \"../internal.h\"\n\n\nstatic int null_init_key(EVP_CIPHER_CTX *ctx, const uint8_t *key,\n const uint8_t *iv, int enc) {\n return 1;\n}\n\nstatic int null_cipher(EVP_CIPHER_CTX *ctx, uint8_t *out, const uint8_t *in,\n size_t in_len) {\n if (in != out) {\n OPENSSL_memcpy(out, in, in_len);\n }\n return 1;\n}\n\nstatic const EVP_CIPHER n_cipher = {\n /*nid=*/NID_undef,\n /*block_size=*/1,\n /*key_len=*/0,\n /*iv_len=*/0,\n /*ctx_size=*/0,\n /*flags=*/0,\n /*init=*/null_init_key,\n /*cipher=*/null_cipher,\n /*cleanup=*/nullptr,\n /*ctrl=*/nullptr,\n};\n\nconst EVP_CIPHER *EVP_enc_null(void) { return &n_cipher; }\n" }, { "path": "Sources/CNIOBoringSSL/crypto/cipher/e_rc2.cc", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n#include \n\n#include \"../fipsmodule/cipher/internal.h\"\n#include \"../internal.h\"\n\n\n#define c2l(c, l) \\\n do { \\\n (l) = ((uint32_t)(*((c)++))); \\\n (l) |= ((uint32_t)(*((c)++))) << 8L; \\\n (l) |= ((uint32_t)(*((c)++))) << 16L; \\\n (l) |= ((uint32_t)(*((c)++))) << 24L; \\\n } while (0)\n\n#define c2ln(c, l1, l2, n) \\\n do { \\\n (c) += (n); \\\n (l1) = (l2) = 0; \\\n switch (n) { \\\n case 8: \\\n (l2) = ((uint32_t)(*(--(c)))) << 24L; \\\n [[fallthrough]]; \\\n case 7: \\\n (l2) |= ((uint32_t)(*(--(c)))) << 16L; \\\n [[fallthrough]]; \\\n case 6: \\\n (l2) |= ((uint32_t)(*(--(c)))) << 8L; \\\n [[fallthrough]]; \\\n case 5: \\\n (l2) |= ((uint32_t)(*(--(c)))); \\\n [[fallthrough]]; \\\n case 4: \\\n (l1) = ((uint32_t)(*(--(c)))) << 24L; \\\n [[fallthrough]]; \\\n case 3: \\\n (l1) |= ((uint32_t)(*(--(c)))) << 16L; \\\n [[fallthrough]]; \\\n case 2: \\\n (l1) |= ((uint32_t)(*(--(c)))) << 8L; \\\n [[fallthrough]]; \\\n case 1: \\\n (l1) |= ((uint32_t)(*(--(c)))); \\\n } \\\n } while (0)\n\n#define l2c(l, c) \\\n do { \\\n *((c)++) = (uint8_t)(((l)) & 0xff); \\\n *((c)++) = (uint8_t)(((l) >> 8L) & 0xff); \\\n *((c)++) = (uint8_t)(((l) >> 16L) & 0xff); \\\n *((c)++) = (uint8_t)(((l) >> 24L) & 0xff); \\\n } while (0)\n\n#define l2cn(l1, l2, c, n) \\\n do { \\\n (c) += (n); \\\n switch (n) { \\\n case 8: \\\n *(--(c)) = (uint8_t)(((l2) >> 24L) & 0xff); \\\n [[fallthrough]]; \\\n case 7: \\\n *(--(c)) = (uint8_t)(((l2) >> 16L) & 0xff); \\\n [[fallthrough]]; \\\n case 6: \\\n *(--(c)) = (uint8_t)(((l2) >> 8L) & 0xff); \\\n [[fallthrough]]; \\\n case 5: \\\n *(--(c)) = (uint8_t)(((l2)) & 0xff); \\\n [[fallthrough]]; \\\n case 4: \\\n *(--(c)) = (uint8_t)(((l1) >> 24L) & 0xff); \\\n [[fallthrough]]; \\\n case 3: \\\n *(--(c)) = (uint8_t)(((l1) >> 16L) & 0xff); \\\n [[fallthrough]]; \\\n case 2: \\\n *(--(c)) = (uint8_t)(((l1) >> 8L) & 0xff); \\\n [[fallthrough]]; \\\n case 1: \\\n *(--(c)) = (uint8_t)(((l1)) & 0xff); \\\n } \\\n } while (0)\n\ntypedef struct rc2_key_st {\n uint16_t data[64];\n} RC2_KEY;\n\nstatic void RC2_encrypt(uint32_t *d, RC2_KEY *key) {\n int i, n;\n uint16_t *p0, *p1;\n uint16_t x0, x1, x2, x3, t;\n uint32_t l;\n\n l = d[0];\n x0 = (uint16_t)l & 0xffff;\n x1 = (uint16_t)(l >> 16L);\n l = d[1];\n x2 = (uint16_t)l & 0xffff;\n x3 = (uint16_t)(l >> 16L);\n\n n = 3;\n i = 5;\n\n p0 = p1 = &key->data[0];\n for (;;) {\n t = (x0 + (x1 & ~x3) + (x2 & x3) + *(p0++)) & 0xffff;\n x0 = (t << 1) | (t >> 15);\n t = (x1 + (x2 & ~x0) + (x3 & x0) + *(p0++)) & 0xffff;\n x1 = (t << 2) | (t >> 14);\n t = (x2 + (x3 & ~x1) + (x0 & x1) + *(p0++)) & 0xffff;\n x2 = (t << 3) | (t >> 13);\n t = (x3 + (x0 & ~x2) + (x1 & x2) + *(p0++)) & 0xffff;\n x3 = (t << 5) | (t >> 11);\n\n if (--i == 0) {\n if (--n == 0) {\n break;\n }\n i = (n == 2) ? 6 : 5;\n\n x0 += p1[x3 & 0x3f];\n x1 += p1[x0 & 0x3f];\n x2 += p1[x1 & 0x3f];\n x3 += p1[x2 & 0x3f];\n }\n }\n\n d[0] = (uint32_t)(x0 & 0xffff) | ((uint32_t)(x1 & 0xffff) << 16L);\n d[1] = (uint32_t)(x2 & 0xffff) | ((uint32_t)(x3 & 0xffff) << 16L);\n}\n\nstatic void RC2_decrypt(uint32_t *d, RC2_KEY *key) {\n int i, n;\n uint16_t *p0, *p1;\n uint16_t x0, x1, x2, x3, t;\n uint32_t l;\n\n l = d[0];\n x0 = (uint16_t)l & 0xffff;\n x1 = (uint16_t)(l >> 16L);\n l = d[1];\n x2 = (uint16_t)l & 0xffff;\n x3 = (uint16_t)(l >> 16L);\n\n n = 3;\n i = 5;\n\n p0 = &key->data[63];\n p1 = &key->data[0];\n for (;;) {\n t = ((x3 << 11) | (x3 >> 5)) & 0xffff;\n x3 = (t - (x0 & ~x2) - (x1 & x2) - *(p0--)) & 0xffff;\n t = ((x2 << 13) | (x2 >> 3)) & 0xffff;\n x2 = (t - (x3 & ~x1) - (x0 & x1) - *(p0--)) & 0xffff;\n t = ((x1 << 14) | (x1 >> 2)) & 0xffff;\n x1 = (t - (x2 & ~x0) - (x3 & x0) - *(p0--)) & 0xffff;\n t = ((x0 << 15) | (x0 >> 1)) & 0xffff;\n x0 = (t - (x1 & ~x3) - (x2 & x3) - *(p0--)) & 0xffff;\n\n if (--i == 0) {\n if (--n == 0) {\n break;\n }\n i = (n == 2) ? 6 : 5;\n\n x3 = (x3 - p1[x2 & 0x3f]) & 0xffff;\n x2 = (x2 - p1[x1 & 0x3f]) & 0xffff;\n x1 = (x1 - p1[x0 & 0x3f]) & 0xffff;\n x0 = (x0 - p1[x3 & 0x3f]) & 0xffff;\n }\n }\n\n d[0] = (uint32_t)(x0 & 0xffff) | ((uint32_t)(x1 & 0xffff) << 16L);\n d[1] = (uint32_t)(x2 & 0xffff) | ((uint32_t)(x3 & 0xffff) << 16L);\n}\n\nstatic void RC2_cbc_encrypt(const uint8_t *in, uint8_t *out, size_t length,\n RC2_KEY *ks, uint8_t *iv, int encrypt) {\n uint32_t tin0, tin1;\n uint32_t tout0, tout1, xor0, xor1;\n long l = length;\n uint32_t tin[2];\n\n if (encrypt) {\n c2l(iv, tout0);\n c2l(iv, tout1);\n iv -= 8;\n for (l -= 8; l >= 0; l -= 8) {\n c2l(in, tin0);\n c2l(in, tin1);\n tin0 ^= tout0;\n tin1 ^= tout1;\n tin[0] = tin0;\n tin[1] = tin1;\n RC2_encrypt(tin, ks);\n tout0 = tin[0];\n l2c(tout0, out);\n tout1 = tin[1];\n l2c(tout1, out);\n }\n if (l != -8) {\n c2ln(in, tin0, tin1, l + 8);\n tin0 ^= tout0;\n tin1 ^= tout1;\n tin[0] = tin0;\n tin[1] = tin1;\n RC2_encrypt(tin, ks);\n tout0 = tin[0];\n l2c(tout0, out);\n tout1 = tin[1];\n l2c(tout1, out);\n }\n l2c(tout0, iv);\n l2c(tout1, iv);\n } else {\n c2l(iv, xor0);\n c2l(iv, xor1);\n iv -= 8;\n for (l -= 8; l >= 0; l -= 8) {\n c2l(in, tin0);\n tin[0] = tin0;\n c2l(in, tin1);\n tin[1] = tin1;\n RC2_decrypt(tin, ks);\n tout0 = tin[0] ^ xor0;\n tout1 = tin[1] ^ xor1;\n l2c(tout0, out);\n l2c(tout1, out);\n xor0 = tin0;\n xor1 = tin1;\n }\n if (l != -8) {\n c2l(in, tin0);\n tin[0] = tin0;\n c2l(in, tin1);\n tin[1] = tin1;\n RC2_decrypt(tin, ks);\n tout0 = tin[0] ^ xor0;\n tout1 = tin[1] ^ xor1;\n l2cn(tout0, tout1, out, l + 8);\n xor0 = tin0;\n xor1 = tin1;\n }\n l2c(xor0, iv);\n l2c(xor1, iv);\n }\n tin[0] = tin[1] = 0;\n}\n\nstatic const uint8_t key_table[256] = {\n 0xd9, 0x78, 0xf9, 0xc4, 0x19, 0xdd, 0xb5, 0xed, 0x28, 0xe9, 0xfd, 0x79,\n 0x4a, 0xa0, 0xd8, 0x9d, 0xc6, 0x7e, 0x37, 0x83, 0x2b, 0x76, 0x53, 0x8e,\n 0x62, 0x4c, 0x64, 0x88, 0x44, 0x8b, 0xfb, 0xa2, 0x17, 0x9a, 0x59, 0xf5,\n 0x87, 0xb3, 0x4f, 0x13, 0x61, 0x45, 0x6d, 0x8d, 0x09, 0x81, 0x7d, 0x32,\n 0xbd, 0x8f, 0x40, 0xeb, 0x86, 0xb7, 0x7b, 0x0b, 0xf0, 0x95, 0x21, 0x22,\n 0x5c, 0x6b, 0x4e, 0x82, 0x54, 0xd6, 0x65, 0x93, 0xce, 0x60, 0xb2, 0x1c,\n 0x73, 0x56, 0xc0, 0x14, 0xa7, 0x8c, 0xf1, 0xdc, 0x12, 0x75, 0xca, 0x1f,\n 0x3b, 0xbe, 0xe4, 0xd1, 0x42, 0x3d, 0xd4, 0x30, 0xa3, 0x3c, 0xb6, 0x26,\n 0x6f, 0xbf, 0x0e, 0xda, 0x46, 0x69, 0x07, 0x57, 0x27, 0xf2, 0x1d, 0x9b,\n 0xbc, 0x94, 0x43, 0x03, 0xf8, 0x11, 0xc7, 0xf6, 0x90, 0xef, 0x3e, 0xe7,\n 0x06, 0xc3, 0xd5, 0x2f, 0xc8, 0x66, 0x1e, 0xd7, 0x08, 0xe8, 0xea, 0xde,\n 0x80, 0x52, 0xee, 0xf7, 0x84, 0xaa, 0x72, 0xac, 0x35, 0x4d, 0x6a, 0x2a,\n 0x96, 0x1a, 0xd2, 0x71, 0x5a, 0x15, 0x49, 0x74, 0x4b, 0x9f, 0xd0, 0x5e,\n 0x04, 0x18, 0xa4, 0xec, 0xc2, 0xe0, 0x41, 0x6e, 0x0f, 0x51, 0xcb, 0xcc,\n 0x24, 0x91, 0xaf, 0x50, 0xa1, 0xf4, 0x70, 0x39, 0x99, 0x7c, 0x3a, 0x85,\n 0x23, 0xb8, 0xb4, 0x7a, 0xfc, 0x02, 0x36, 0x5b, 0x25, 0x55, 0x97, 0x31,\n 0x2d, 0x5d, 0xfa, 0x98, 0xe3, 0x8a, 0x92, 0xae, 0x05, 0xdf, 0x29, 0x10,\n 0x67, 0x6c, 0xba, 0xc9, 0xd3, 0x00, 0xe6, 0xcf, 0xe1, 0x9e, 0xa8, 0x2c,\n 0x63, 0x16, 0x01, 0x3f, 0x58, 0xe2, 0x89, 0xa9, 0x0d, 0x38, 0x34, 0x1b,\n 0xab, 0x33, 0xff, 0xb0, 0xbb, 0x48, 0x0c, 0x5f, 0xb9, 0xb1, 0xcd, 0x2e,\n 0xc5, 0xf3, 0xdb, 0x47, 0xe5, 0xa5, 0x9c, 0x77, 0x0a, 0xa6, 0x20, 0x68,\n 0xfe, 0x7f, 0xc1, 0xad,\n};\n\nstatic void RC2_set_key(RC2_KEY *key, int len, const uint8_t *data, int bits) {\n int i, j;\n uint8_t *k;\n uint16_t *ki;\n unsigned int c, d;\n\n k = (uint8_t *)&key->data[0];\n *k = 0; // for if there is a zero length key\n\n if (len > 128) {\n len = 128;\n }\n if (bits <= 0) {\n bits = 1024;\n }\n if (bits > 1024) {\n bits = 1024;\n }\n\n for (i = 0; i < len; i++) {\n k[i] = data[i];\n }\n\n // expand table\n d = k[len - 1];\n j = 0;\n for (i = len; i < 128; i++, j++) {\n d = key_table[(k[j] + d) & 0xff];\n k[i] = d;\n }\n\n // hmm.... key reduction to 'bits' bits\n\n j = (bits + 7) >> 3;\n i = 128 - j;\n c = (0xff >> (-bits & 0x07));\n\n d = key_table[k[i] & c];\n k[i] = d;\n while (i--) {\n d = key_table[k[i + j] ^ d];\n k[i] = d;\n }\n\n // copy from bytes into uint16_t's\n ki = &(key->data[63]);\n for (i = 127; i >= 0; i -= 2) {\n *(ki--) = ((k[i] << 8) | k[i - 1]) & 0xffff;\n }\n}\n\ntypedef struct {\n int key_bits; // effective key bits\n RC2_KEY ks; // key schedule\n} EVP_RC2_KEY;\n\nstatic int rc2_init_key(EVP_CIPHER_CTX *ctx, const uint8_t *key,\n const uint8_t *iv, int enc) {\n EVP_RC2_KEY *rc2_key = (EVP_RC2_KEY *)ctx->cipher_data;\n RC2_set_key(&rc2_key->ks, EVP_CIPHER_CTX_key_length(ctx), key,\n rc2_key->key_bits);\n return 1;\n}\n\nstatic int rc2_cbc_cipher(EVP_CIPHER_CTX *ctx, uint8_t *out, const uint8_t *in,\n size_t inl) {\n EVP_RC2_KEY *key = (EVP_RC2_KEY *)ctx->cipher_data;\n static const size_t kChunkSize = 0x10000;\n\n while (inl >= kChunkSize) {\n RC2_cbc_encrypt(in, out, kChunkSize, &key->ks, ctx->iv, ctx->encrypt);\n inl -= kChunkSize;\n in += kChunkSize;\n out += kChunkSize;\n }\n if (inl) {\n RC2_cbc_encrypt(in, out, inl, &key->ks, ctx->iv, ctx->encrypt);\n }\n return 1;\n}\n\nstatic int rc2_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, void *ptr) {\n EVP_RC2_KEY *key = (EVP_RC2_KEY *)ctx->cipher_data;\n\n switch (type) {\n case EVP_CTRL_INIT:\n key->key_bits = EVP_CIPHER_CTX_key_length(ctx) * 8;\n return 1;\n case EVP_CTRL_SET_RC2_KEY_BITS:\n // Should be overridden by later call to |EVP_CTRL_INIT|, but\n // people call it, so it may as well work.\n key->key_bits = arg;\n return 1;\n\n default:\n return -1;\n }\n}\n\nstatic const EVP_CIPHER rc2_40_cbc = {\n /*nid=*/NID_rc2_40_cbc,\n /*block_size=*/8,\n /*key_len=*/5 /* 40 bit */,\n /*iv_len=*/8,\n /*ctx_size=*/sizeof(EVP_RC2_KEY),\n /*flags=*/EVP_CIPH_CBC_MODE | EVP_CIPH_VARIABLE_LENGTH | EVP_CIPH_CTRL_INIT,\n /*init=*/rc2_init_key,\n /*cipher=*/rc2_cbc_cipher,\n /*cleanup=*/nullptr,\n /*ctrl=*/rc2_ctrl,\n};\n\nconst EVP_CIPHER *EVP_rc2_40_cbc(void) { return &rc2_40_cbc; }\n\nstatic const EVP_CIPHER rc2_cbc = {\n /*nid=*/NID_rc2_cbc,\n /*block_size=*/8,\n /*key_len=*/16 /* 128 bit */,\n /*iv_len=*/8,\n /*ctx_size=*/sizeof(EVP_RC2_KEY),\n /*flags=*/EVP_CIPH_CBC_MODE | EVP_CIPH_VARIABLE_LENGTH | EVP_CIPH_CTRL_INIT,\n /*init=*/rc2_init_key,\n /*cipher=*/rc2_cbc_cipher,\n /*cleanup=*/nullptr,\n /*ctrl=*/rc2_ctrl,\n};\n\nconst EVP_CIPHER *EVP_rc2_cbc(void) { return &rc2_cbc; }\n" }, { "path": "Sources/CNIOBoringSSL/crypto/cipher/e_rc4.cc", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n#include \n\n#include \n#include \n#include \n\n#include \"../fipsmodule/cipher/internal.h\"\n\n\nstatic int rc4_init_key(EVP_CIPHER_CTX *ctx, const uint8_t *key,\n const uint8_t *iv, int enc) {\n RC4_KEY *rc4key = (RC4_KEY *)ctx->cipher_data;\n\n RC4_set_key(rc4key, EVP_CIPHER_CTX_key_length(ctx), key);\n return 1;\n}\n\nstatic int rc4_cipher(EVP_CIPHER_CTX *ctx, uint8_t *out, const uint8_t *in,\n size_t in_len) {\n RC4_KEY *rc4key = (RC4_KEY *)ctx->cipher_data;\n\n RC4(rc4key, in_len, in, out);\n return 1;\n}\n\nstatic const EVP_CIPHER rc4 = {\n /*nid=*/NID_rc4,\n /*block_size=*/1,\n /*key_len=*/16,\n /*iv_len=*/0,\n /*ctx_size=*/sizeof(RC4_KEY),\n /*flags=*/EVP_CIPH_VARIABLE_LENGTH,\n /*init=*/rc4_init_key,\n /*cipher=*/rc4_cipher,\n /*cleanup=*/nullptr,\n /*ctrl=*/nullptr,\n};\n\nconst EVP_CIPHER *EVP_rc4(void) { return &rc4; }\n" }, { "path": "Sources/CNIOBoringSSL/crypto/cipher/e_tls.cc", "content": "/* Copyright 2014 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n#include \n#include \n#include \n\n#include \n#include \n#include \n#include \n#include \n#include \n#include \n\n#include \"../fipsmodule/cipher/internal.h\"\n#include \"../internal.h\"\n#include \"internal.h\"\n\n\ntypedef struct {\n EVP_CIPHER_CTX cipher_ctx;\n HMAC_CTX hmac_ctx;\n // mac_key is the portion of the key used for the MAC. It is retained\n // separately for the constant-time CBC code.\n uint8_t mac_key[EVP_MAX_MD_SIZE];\n uint8_t mac_key_len;\n // implicit_iv is one iff this is a pre-TLS-1.1 CBC cipher without an explicit\n // IV.\n char implicit_iv;\n} AEAD_TLS_CTX;\n\nstatic_assert(EVP_MAX_MD_SIZE < 256, \"mac_key_len does not fit in uint8_t\");\n\nstatic_assert(sizeof(((EVP_AEAD_CTX *)NULL)->state) >= sizeof(AEAD_TLS_CTX),\n \"AEAD state is too small\");\nstatic_assert(alignof(union evp_aead_ctx_st_state) >= alignof(AEAD_TLS_CTX),\n \"AEAD state has insufficient alignment\");\n\nstatic void aead_tls_cleanup(EVP_AEAD_CTX *ctx) {\n AEAD_TLS_CTX *tls_ctx = (AEAD_TLS_CTX *)&ctx->state;\n EVP_CIPHER_CTX_cleanup(&tls_ctx->cipher_ctx);\n HMAC_CTX_cleanup(&tls_ctx->hmac_ctx);\n}\n\nstatic int aead_tls_init(EVP_AEAD_CTX *ctx, const uint8_t *key, size_t key_len,\n size_t tag_len, enum evp_aead_direction_t dir,\n const EVP_CIPHER *cipher, const EVP_MD *md,\n char implicit_iv) {\n if (tag_len != EVP_AEAD_DEFAULT_TAG_LENGTH &&\n tag_len != EVP_MD_size(md)) {\n OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_TAG_SIZE);\n return 0;\n }\n\n if (key_len != EVP_AEAD_key_length(ctx->aead)) {\n OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_KEY_LENGTH);\n return 0;\n }\n\n size_t mac_key_len = EVP_MD_size(md);\n size_t enc_key_len = EVP_CIPHER_key_length(cipher);\n assert(mac_key_len + enc_key_len +\n (implicit_iv ? EVP_CIPHER_iv_length(cipher) : 0) == key_len);\n\n AEAD_TLS_CTX *tls_ctx = (AEAD_TLS_CTX *)&ctx->state;\n EVP_CIPHER_CTX_init(&tls_ctx->cipher_ctx);\n HMAC_CTX_init(&tls_ctx->hmac_ctx);\n assert(mac_key_len <= EVP_MAX_MD_SIZE);\n OPENSSL_memcpy(tls_ctx->mac_key, key, mac_key_len);\n tls_ctx->mac_key_len = (uint8_t)mac_key_len;\n tls_ctx->implicit_iv = implicit_iv;\n\n if (!EVP_CipherInit_ex(&tls_ctx->cipher_ctx, cipher, NULL, &key[mac_key_len],\n implicit_iv ? &key[mac_key_len + enc_key_len] : NULL,\n dir == evp_aead_seal) ||\n !HMAC_Init_ex(&tls_ctx->hmac_ctx, key, mac_key_len, md, NULL)) {\n aead_tls_cleanup(ctx);\n return 0;\n }\n EVP_CIPHER_CTX_set_padding(&tls_ctx->cipher_ctx, 0);\n\n return 1;\n}\n\nstatic size_t aead_tls_tag_len(const EVP_AEAD_CTX *ctx, const size_t in_len,\n const size_t extra_in_len) {\n assert(extra_in_len == 0);\n const AEAD_TLS_CTX *tls_ctx = (AEAD_TLS_CTX *)&ctx->state;\n\n const size_t hmac_len = HMAC_size(&tls_ctx->hmac_ctx);\n if (EVP_CIPHER_CTX_mode(&tls_ctx->cipher_ctx) != EVP_CIPH_CBC_MODE) {\n // The NULL cipher.\n return hmac_len;\n }\n\n const size_t block_size = EVP_CIPHER_CTX_block_size(&tls_ctx->cipher_ctx);\n // An overflow of |in_len + hmac_len| doesn't affect the result mod\n // |block_size|, provided that |block_size| is a smaller power of two.\n assert(block_size != 0 && (block_size & (block_size - 1)) == 0);\n const size_t pad_len = block_size - (in_len + hmac_len) % block_size;\n return hmac_len + pad_len;\n}\n\nstatic int aead_tls_seal_scatter(const EVP_AEAD_CTX *ctx, uint8_t *out,\n uint8_t *out_tag, size_t *out_tag_len,\n const size_t max_out_tag_len,\n const uint8_t *nonce, const size_t nonce_len,\n const uint8_t *in, const size_t in_len,\n const uint8_t *extra_in,\n const size_t extra_in_len, const uint8_t *ad,\n const size_t ad_len) {\n AEAD_TLS_CTX *tls_ctx = (AEAD_TLS_CTX *)&ctx->state;\n\n if (!tls_ctx->cipher_ctx.encrypt) {\n // Unlike a normal AEAD, a TLS AEAD may only be used in one direction.\n OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_OPERATION);\n return 0;\n }\n\n if (in_len > INT_MAX) {\n // EVP_CIPHER takes int as input.\n OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE);\n return 0;\n }\n\n if (max_out_tag_len < aead_tls_tag_len(ctx, in_len, extra_in_len)) {\n OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL);\n return 0;\n }\n\n if (nonce_len != EVP_AEAD_nonce_length(ctx->aead)) {\n OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_NONCE_SIZE);\n return 0;\n }\n\n if (ad_len != 13 - 2 /* length bytes */) {\n OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_AD_SIZE);\n return 0;\n }\n\n // To allow for CBC mode which changes cipher length, |ad| doesn't include the\n // length for legacy ciphers.\n uint8_t ad_extra[2];\n ad_extra[0] = (uint8_t)(in_len >> 8);\n ad_extra[1] = (uint8_t)(in_len & 0xff);\n\n // Compute the MAC. This must be first in case the operation is being done\n // in-place.\n uint8_t mac[EVP_MAX_MD_SIZE];\n unsigned mac_len;\n if (!HMAC_Init_ex(&tls_ctx->hmac_ctx, NULL, 0, NULL, NULL) ||\n !HMAC_Update(&tls_ctx->hmac_ctx, ad, ad_len) ||\n !HMAC_Update(&tls_ctx->hmac_ctx, ad_extra, sizeof(ad_extra)) ||\n !HMAC_Update(&tls_ctx->hmac_ctx, in, in_len) ||\n !HMAC_Final(&tls_ctx->hmac_ctx, mac, &mac_len)) {\n return 0;\n }\n\n // Configure the explicit IV.\n if (EVP_CIPHER_CTX_mode(&tls_ctx->cipher_ctx) == EVP_CIPH_CBC_MODE &&\n !tls_ctx->implicit_iv &&\n !EVP_EncryptInit_ex(&tls_ctx->cipher_ctx, NULL, NULL, NULL, nonce)) {\n return 0;\n }\n\n // Encrypt the input.\n int len;\n if (!EVP_EncryptUpdate(&tls_ctx->cipher_ctx, out, &len, in, (int)in_len)) {\n return 0;\n }\n\n unsigned block_size = EVP_CIPHER_CTX_block_size(&tls_ctx->cipher_ctx);\n\n // Feed the MAC into the cipher in two steps. First complete the final partial\n // block from encrypting the input and split the result between |out| and\n // |out_tag|. Then feed the rest.\n\n const size_t early_mac_len = (block_size - (in_len % block_size)) % block_size;\n if (early_mac_len != 0) {\n assert(len + block_size - early_mac_len == in_len);\n uint8_t buf[EVP_MAX_BLOCK_LENGTH];\n int buf_len;\n if (!EVP_EncryptUpdate(&tls_ctx->cipher_ctx, buf, &buf_len, mac,\n (int)early_mac_len)) {\n return 0;\n }\n assert(buf_len == (int)block_size);\n OPENSSL_memcpy(out + len, buf, block_size - early_mac_len);\n OPENSSL_memcpy(out_tag, buf + block_size - early_mac_len, early_mac_len);\n }\n size_t tag_len = early_mac_len;\n\n if (!EVP_EncryptUpdate(&tls_ctx->cipher_ctx, out_tag + tag_len, &len,\n mac + tag_len, mac_len - tag_len)) {\n return 0;\n }\n tag_len += len;\n\n if (block_size > 1) {\n assert(block_size <= 256);\n assert(EVP_CIPHER_CTX_mode(&tls_ctx->cipher_ctx) == EVP_CIPH_CBC_MODE);\n\n // Compute padding and feed that into the cipher.\n uint8_t padding[256];\n unsigned padding_len = block_size - ((in_len + mac_len) % block_size);\n OPENSSL_memset(padding, padding_len - 1, padding_len);\n if (!EVP_EncryptUpdate(&tls_ctx->cipher_ctx, out_tag + tag_len, &len,\n padding, (int)padding_len)) {\n return 0;\n }\n tag_len += len;\n }\n\n if (!EVP_EncryptFinal_ex(&tls_ctx->cipher_ctx, out_tag + tag_len, &len)) {\n return 0;\n }\n assert(len == 0); // Padding is explicit.\n assert(tag_len == aead_tls_tag_len(ctx, in_len, extra_in_len));\n\n *out_tag_len = tag_len;\n return 1;\n}\n\nstatic int aead_tls_open(const EVP_AEAD_CTX *ctx, uint8_t *out, size_t *out_len,\n size_t max_out_len, const uint8_t *nonce,\n size_t nonce_len, const uint8_t *in, size_t in_len,\n const uint8_t *ad, size_t ad_len) {\n AEAD_TLS_CTX *tls_ctx = (AEAD_TLS_CTX *)&ctx->state;\n\n if (tls_ctx->cipher_ctx.encrypt) {\n // Unlike a normal AEAD, a TLS AEAD may only be used in one direction.\n OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_OPERATION);\n return 0;\n }\n\n if (in_len < HMAC_size(&tls_ctx->hmac_ctx)) {\n OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT);\n return 0;\n }\n\n if (max_out_len < in_len) {\n // This requires that the caller provide space for the MAC, even though it\n // will always be removed on return.\n OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL);\n return 0;\n }\n\n if (nonce_len != EVP_AEAD_nonce_length(ctx->aead)) {\n OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_NONCE_SIZE);\n return 0;\n }\n\n if (ad_len != 13 - 2 /* length bytes */) {\n OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_AD_SIZE);\n return 0;\n }\n\n if (in_len > INT_MAX) {\n // EVP_CIPHER takes int as input.\n OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE);\n return 0;\n }\n\n // Configure the explicit IV.\n if (EVP_CIPHER_CTX_mode(&tls_ctx->cipher_ctx) == EVP_CIPH_CBC_MODE &&\n !tls_ctx->implicit_iv &&\n !EVP_DecryptInit_ex(&tls_ctx->cipher_ctx, NULL, NULL, NULL, nonce)) {\n return 0;\n }\n\n // Decrypt to get the plaintext + MAC + padding.\n size_t total = 0;\n int len;\n if (!EVP_DecryptUpdate(&tls_ctx->cipher_ctx, out, &len, in, (int)in_len)) {\n return 0;\n }\n total += len;\n if (!EVP_DecryptFinal_ex(&tls_ctx->cipher_ctx, out + total, &len)) {\n return 0;\n }\n total += len;\n assert(total == in_len);\n\n CONSTTIME_SECRET(out, total);\n\n // Remove CBC padding. Code from here on is timing-sensitive with respect to\n // |padding_ok| and |data_plus_mac_len| for CBC ciphers.\n size_t data_plus_mac_len;\n crypto_word_t padding_ok;\n if (EVP_CIPHER_CTX_mode(&tls_ctx->cipher_ctx) == EVP_CIPH_CBC_MODE) {\n if (!EVP_tls_cbc_remove_padding(\n &padding_ok, &data_plus_mac_len, out, total,\n EVP_CIPHER_CTX_block_size(&tls_ctx->cipher_ctx),\n HMAC_size(&tls_ctx->hmac_ctx))) {\n // Publicly invalid. This can be rejected in non-constant time.\n OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT);\n return 0;\n }\n } else {\n padding_ok = CONSTTIME_TRUE_W;\n data_plus_mac_len = total;\n // |data_plus_mac_len| = |total| = |in_len| at this point. |in_len| has\n // already been checked against the MAC size at the top of the function.\n assert(data_plus_mac_len >= HMAC_size(&tls_ctx->hmac_ctx));\n }\n size_t data_len = data_plus_mac_len - HMAC_size(&tls_ctx->hmac_ctx);\n\n // At this point, if the padding is valid, the first |data_plus_mac_len| bytes\n // after |out| are the plaintext and MAC. Otherwise, |data_plus_mac_len| is\n // still large enough to extract a MAC, but it will be irrelevant.\n\n // To allow for CBC mode which changes cipher length, |ad| doesn't include the\n // length for legacy ciphers.\n uint8_t ad_fixed[13];\n OPENSSL_memcpy(ad_fixed, ad, 11);\n ad_fixed[11] = (uint8_t)(data_len >> 8);\n ad_fixed[12] = (uint8_t)(data_len & 0xff);\n ad_len += 2;\n\n // Compute the MAC and extract the one in the record.\n uint8_t mac[EVP_MAX_MD_SIZE];\n size_t mac_len;\n uint8_t record_mac_tmp[EVP_MAX_MD_SIZE];\n uint8_t *record_mac;\n if (EVP_CIPHER_CTX_mode(&tls_ctx->cipher_ctx) == EVP_CIPH_CBC_MODE &&\n EVP_tls_cbc_record_digest_supported(tls_ctx->hmac_ctx.md)) {\n if (!EVP_tls_cbc_digest_record(tls_ctx->hmac_ctx.md, mac, &mac_len,\n ad_fixed, out, data_len, total,\n tls_ctx->mac_key, tls_ctx->mac_key_len)) {\n OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT);\n return 0;\n }\n assert(mac_len == HMAC_size(&tls_ctx->hmac_ctx));\n\n record_mac = record_mac_tmp;\n EVP_tls_cbc_copy_mac(record_mac, mac_len, out, data_plus_mac_len, total);\n } else {\n // We should support the constant-time path for all CBC-mode ciphers\n // implemented.\n assert(EVP_CIPHER_CTX_mode(&tls_ctx->cipher_ctx) != EVP_CIPH_CBC_MODE);\n\n unsigned mac_len_u;\n if (!HMAC_Init_ex(&tls_ctx->hmac_ctx, NULL, 0, NULL, NULL) ||\n !HMAC_Update(&tls_ctx->hmac_ctx, ad_fixed, ad_len) ||\n !HMAC_Update(&tls_ctx->hmac_ctx, out, data_len) ||\n !HMAC_Final(&tls_ctx->hmac_ctx, mac, &mac_len_u)) {\n return 0;\n }\n mac_len = mac_len_u;\n\n assert(mac_len == HMAC_size(&tls_ctx->hmac_ctx));\n record_mac = &out[data_len];\n }\n\n // Perform the MAC check and the padding check in constant-time. It should be\n // safe to simply perform the padding check first, but it would not be under a\n // different choice of MAC location on padding failure. See\n // EVP_tls_cbc_remove_padding.\n crypto_word_t good =\n constant_time_eq_int(CRYPTO_memcmp(record_mac, mac, mac_len), 0);\n good &= padding_ok;\n CONSTTIME_DECLASSIFY(&good, sizeof(good));\n if (!good) {\n OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT);\n return 0;\n }\n\n CONSTTIME_DECLASSIFY(&data_len, sizeof(data_len));\n CONSTTIME_DECLASSIFY(out, data_len);\n\n // End of timing-sensitive code.\n\n *out_len = data_len;\n return 1;\n}\n\nstatic int aead_aes_128_cbc_sha1_tls_init(EVP_AEAD_CTX *ctx, const uint8_t *key,\n size_t key_len, size_t tag_len,\n enum evp_aead_direction_t dir) {\n return aead_tls_init(ctx, key, key_len, tag_len, dir, EVP_aes_128_cbc(),\n EVP_sha1(), 0);\n}\n\nstatic int aead_aes_128_cbc_sha1_tls_implicit_iv_init(\n EVP_AEAD_CTX *ctx, const uint8_t *key, size_t key_len, size_t tag_len,\n enum evp_aead_direction_t dir) {\n return aead_tls_init(ctx, key, key_len, tag_len, dir, EVP_aes_128_cbc(),\n EVP_sha1(), 1);\n}\n\nstatic int aead_aes_128_cbc_sha256_tls_init(EVP_AEAD_CTX *ctx,\n const uint8_t *key, size_t key_len,\n size_t tag_len,\n enum evp_aead_direction_t dir) {\n return aead_tls_init(ctx, key, key_len, tag_len, dir, EVP_aes_128_cbc(),\n EVP_sha256(), 0);\n}\n\nstatic int aead_aes_256_cbc_sha1_tls_init(EVP_AEAD_CTX *ctx, const uint8_t *key,\n size_t key_len, size_t tag_len,\n enum evp_aead_direction_t dir) {\n return aead_tls_init(ctx, key, key_len, tag_len, dir, EVP_aes_256_cbc(),\n EVP_sha1(), 0);\n}\n\nstatic int aead_aes_256_cbc_sha1_tls_implicit_iv_init(\n EVP_AEAD_CTX *ctx, const uint8_t *key, size_t key_len, size_t tag_len,\n enum evp_aead_direction_t dir) {\n return aead_tls_init(ctx, key, key_len, tag_len, dir, EVP_aes_256_cbc(),\n EVP_sha1(), 1);\n}\n\nstatic int aead_des_ede3_cbc_sha1_tls_init(EVP_AEAD_CTX *ctx,\n const uint8_t *key, size_t key_len,\n size_t tag_len,\n enum evp_aead_direction_t dir) {\n return aead_tls_init(ctx, key, key_len, tag_len, dir, EVP_des_ede3_cbc(),\n EVP_sha1(), 0);\n}\n\nstatic int aead_des_ede3_cbc_sha1_tls_implicit_iv_init(\n EVP_AEAD_CTX *ctx, const uint8_t *key, size_t key_len, size_t tag_len,\n enum evp_aead_direction_t dir) {\n return aead_tls_init(ctx, key, key_len, tag_len, dir, EVP_des_ede3_cbc(),\n EVP_sha1(), 1);\n}\n\nstatic int aead_tls_get_iv(const EVP_AEAD_CTX *ctx, const uint8_t **out_iv,\n size_t *out_iv_len) {\n const AEAD_TLS_CTX *tls_ctx = (AEAD_TLS_CTX *)&ctx->state;\n const size_t iv_len = EVP_CIPHER_CTX_iv_length(&tls_ctx->cipher_ctx);\n if (iv_len <= 1) {\n OPENSSL_PUT_ERROR(CIPHER, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);\n return 0;\n }\n\n *out_iv = tls_ctx->cipher_ctx.iv;\n *out_iv_len = iv_len;\n return 1;\n}\n\nstatic const EVP_AEAD aead_aes_128_cbc_sha1_tls = {\n SHA_DIGEST_LENGTH + 16, // key len (SHA1 + AES128)\n 16, // nonce len (IV)\n 16 + SHA_DIGEST_LENGTH, // overhead (padding + SHA1)\n SHA_DIGEST_LENGTH, // max tag length\n 0, // seal_scatter_supports_extra_in\n\n NULL, // init\n aead_aes_128_cbc_sha1_tls_init,\n aead_tls_cleanup,\n aead_tls_open,\n aead_tls_seal_scatter,\n NULL, // open_gather\n NULL, // get_iv\n aead_tls_tag_len,\n};\n\nstatic const EVP_AEAD aead_aes_128_cbc_sha1_tls_implicit_iv = {\n SHA_DIGEST_LENGTH + 16 + 16, // key len (SHA1 + AES128 + IV)\n 0, // nonce len\n 16 + SHA_DIGEST_LENGTH, // overhead (padding + SHA1)\n SHA_DIGEST_LENGTH, // max tag length\n 0, // seal_scatter_supports_extra_in\n\n NULL, // init\n aead_aes_128_cbc_sha1_tls_implicit_iv_init,\n aead_tls_cleanup,\n aead_tls_open,\n aead_tls_seal_scatter,\n NULL, // open_gather\n aead_tls_get_iv, // get_iv\n aead_tls_tag_len,\n};\n\nstatic const EVP_AEAD aead_aes_128_cbc_sha256_tls = {\n SHA256_DIGEST_LENGTH + 16, // key len (SHA256 + AES128)\n 16, // nonce len (IV)\n 16 + SHA256_DIGEST_LENGTH, // overhead (padding + SHA256)\n SHA256_DIGEST_LENGTH, // max tag length\n 0, // seal_scatter_supports_extra_in\n\n NULL, // init\n aead_aes_128_cbc_sha256_tls_init,\n aead_tls_cleanup,\n aead_tls_open,\n aead_tls_seal_scatter,\n NULL, // open_gather\n NULL, // get_iv\n aead_tls_tag_len,\n};\n\nstatic const EVP_AEAD aead_aes_256_cbc_sha1_tls = {\n SHA_DIGEST_LENGTH + 32, // key len (SHA1 + AES256)\n 16, // nonce len (IV)\n 16 + SHA_DIGEST_LENGTH, // overhead (padding + SHA1)\n SHA_DIGEST_LENGTH, // max tag length\n 0, // seal_scatter_supports_extra_in\n\n NULL, // init\n aead_aes_256_cbc_sha1_tls_init,\n aead_tls_cleanup,\n aead_tls_open,\n aead_tls_seal_scatter,\n NULL, // open_gather\n NULL, // get_iv\n aead_tls_tag_len,\n};\n\nstatic const EVP_AEAD aead_aes_256_cbc_sha1_tls_implicit_iv = {\n SHA_DIGEST_LENGTH + 32 + 16, // key len (SHA1 + AES256 + IV)\n 0, // nonce len\n 16 + SHA_DIGEST_LENGTH, // overhead (padding + SHA1)\n SHA_DIGEST_LENGTH, // max tag length\n 0, // seal_scatter_supports_extra_in\n\n NULL, // init\n aead_aes_256_cbc_sha1_tls_implicit_iv_init,\n aead_tls_cleanup,\n aead_tls_open,\n aead_tls_seal_scatter,\n NULL, // open_gather\n aead_tls_get_iv, // get_iv\n aead_tls_tag_len,\n};\n\nstatic const EVP_AEAD aead_des_ede3_cbc_sha1_tls = {\n SHA_DIGEST_LENGTH + 24, // key len (SHA1 + 3DES)\n 8, // nonce len (IV)\n 8 + SHA_DIGEST_LENGTH, // overhead (padding + SHA1)\n SHA_DIGEST_LENGTH, // max tag length\n 0, // seal_scatter_supports_extra_in\n\n NULL, // init\n aead_des_ede3_cbc_sha1_tls_init,\n aead_tls_cleanup,\n aead_tls_open,\n aead_tls_seal_scatter,\n NULL, // open_gather\n NULL, // get_iv\n aead_tls_tag_len,\n};\n\nstatic const EVP_AEAD aead_des_ede3_cbc_sha1_tls_implicit_iv = {\n SHA_DIGEST_LENGTH + 24 + 8, // key len (SHA1 + 3DES + IV)\n 0, // nonce len\n 8 + SHA_DIGEST_LENGTH, // overhead (padding + SHA1)\n SHA_DIGEST_LENGTH, // max tag length\n 0, // seal_scatter_supports_extra_in\n\n NULL, // init\n aead_des_ede3_cbc_sha1_tls_implicit_iv_init,\n aead_tls_cleanup,\n aead_tls_open,\n aead_tls_seal_scatter,\n NULL, // open_gather\n aead_tls_get_iv, // get_iv\n aead_tls_tag_len,\n};\n\nconst EVP_AEAD *EVP_aead_aes_128_cbc_sha1_tls(void) {\n return &aead_aes_128_cbc_sha1_tls;\n}\n\nconst EVP_AEAD *EVP_aead_aes_128_cbc_sha1_tls_implicit_iv(void) {\n return &aead_aes_128_cbc_sha1_tls_implicit_iv;\n}\n\nconst EVP_AEAD *EVP_aead_aes_128_cbc_sha256_tls(void) {\n return &aead_aes_128_cbc_sha256_tls;\n}\n\nconst EVP_AEAD *EVP_aead_aes_256_cbc_sha1_tls(void) {\n return &aead_aes_256_cbc_sha1_tls;\n}\n\nconst EVP_AEAD *EVP_aead_aes_256_cbc_sha1_tls_implicit_iv(void) {\n return &aead_aes_256_cbc_sha1_tls_implicit_iv;\n}\n\nconst EVP_AEAD *EVP_aead_des_ede3_cbc_sha1_tls(void) {\n return &aead_des_ede3_cbc_sha1_tls;\n}\n\nconst EVP_AEAD *EVP_aead_des_ede3_cbc_sha1_tls_implicit_iv(void) {\n return &aead_des_ede3_cbc_sha1_tls_implicit_iv;\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/cipher/get_cipher.cc", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n#include \n\n#include \n#include \n#include \n\n#include \"internal.h\"\n#include \"../internal.h\"\n\n\nstatic const struct {\n int nid;\n const char *name;\n const EVP_CIPHER *(*func)(void);\n} kCiphers[] = {\n {NID_aes_128_cbc, \"aes-128-cbc\", EVP_aes_128_cbc},\n {NID_aes_128_ctr, \"aes-128-ctr\", EVP_aes_128_ctr},\n {NID_aes_128_ecb, \"aes-128-ecb\", EVP_aes_128_ecb},\n {NID_aes_128_gcm, \"aes-128-gcm\", EVP_aes_128_gcm},\n {NID_aes_128_ofb128, \"aes-128-ofb\", EVP_aes_128_ofb},\n {NID_aes_192_cbc, \"aes-192-cbc\", EVP_aes_192_cbc},\n {NID_aes_192_ctr, \"aes-192-ctr\", EVP_aes_192_ctr},\n {NID_aes_192_ecb, \"aes-192-ecb\", EVP_aes_192_ecb},\n {NID_aes_192_gcm, \"aes-192-gcm\", EVP_aes_192_gcm},\n {NID_aes_192_ofb128, \"aes-192-ofb\", EVP_aes_192_ofb},\n {NID_aes_256_cbc, \"aes-256-cbc\", EVP_aes_256_cbc},\n {NID_aes_256_ctr, \"aes-256-ctr\", EVP_aes_256_ctr},\n {NID_aes_256_ecb, \"aes-256-ecb\", EVP_aes_256_ecb},\n {NID_aes_256_gcm, \"aes-256-gcm\", EVP_aes_256_gcm},\n {NID_aes_256_ofb128, \"aes-256-ofb\", EVP_aes_256_ofb},\n {NID_des_cbc, \"des-cbc\", EVP_des_cbc},\n {NID_des_ecb, \"des-ecb\", EVP_des_ecb},\n {NID_des_ede_cbc, \"des-ede-cbc\", EVP_des_ede_cbc},\n {NID_des_ede_ecb, \"des-ede\", EVP_des_ede},\n {NID_des_ede3_cbc, \"des-ede3-cbc\", EVP_des_ede3_cbc},\n {NID_rc2_cbc, \"rc2-cbc\", EVP_rc2_cbc},\n {NID_rc4, \"rc4\", EVP_rc4},\n};\n\nconst EVP_CIPHER *EVP_get_cipherbynid(int nid) {\n for (size_t i = 0; i < OPENSSL_ARRAY_SIZE(kCiphers); i++) {\n if (kCiphers[i].nid == nid) {\n return kCiphers[i].func();\n }\n }\n return NULL;\n}\n\nconst EVP_CIPHER *EVP_get_cipherbyname(const char *name) {\n if (name == NULL) {\n return NULL;\n }\n\n // This is not a name used by OpenSSL, but tcpdump registers it with\n // |EVP_add_cipher_alias|. Our |EVP_add_cipher_alias| is a no-op, so we\n // support the name here.\n if (OPENSSL_strcasecmp(name, \"3des\") == 0) {\n name = \"des-ede3-cbc\";\n }\n\n for (size_t i = 0; i < OPENSSL_ARRAY_SIZE(kCiphers); i++) {\n if (OPENSSL_strcasecmp(kCiphers[i].name, name) == 0) {\n return kCiphers[i].func();\n }\n }\n\n return NULL;\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/cipher/internal.h", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#ifndef OPENSSL_HEADER_CIPHER_EXTRA_INTERNAL_H\n#define OPENSSL_HEADER_CIPHER_EXTRA_INTERNAL_H\n\n#include \n#include \n\n#include \n\n#include \"../internal.h\"\n\n#if defined(__cplusplus)\nextern \"C\" {\n#endif\n\n\n// EVP_tls_cbc_get_padding determines the padding from the decrypted, TLS, CBC\n// record in |in|. This decrypted record should not include any \"decrypted\"\n// explicit IV. If the record is publicly invalid, it returns zero. Otherwise,\n// it returns one and sets |*out_padding_ok| to all ones (0xfff..f) if the\n// padding is valid and zero otherwise. It then sets |*out_len| to the length\n// with the padding removed or |in_len| if invalid.\n//\n// If the function returns one, it runs in time independent of the contents of\n// |in|. It is also guaranteed that |*out_len| >= |mac_size|, satisfying\n// |EVP_tls_cbc_copy_mac|'s precondition.\nint EVP_tls_cbc_remove_padding(crypto_word_t *out_padding_ok, size_t *out_len,\n const uint8_t *in, size_t in_len,\n size_t block_size, size_t mac_size);\n\n// EVP_tls_cbc_copy_mac copies |md_size| bytes from the end of the first\n// |in_len| bytes of |in| to |out| in constant time (independent of the concrete\n// value of |in_len|, which may vary within a 256-byte window). |in| must point\n// to a buffer of |orig_len| bytes.\n//\n// On entry:\n// orig_len >= in_len >= md_size\n// md_size <= EVP_MAX_MD_SIZE\nvoid EVP_tls_cbc_copy_mac(uint8_t *out, size_t md_size, const uint8_t *in,\n size_t in_len, size_t orig_len);\n\n// EVP_tls_cbc_record_digest_supported returns 1 iff |md| is a hash function\n// which EVP_tls_cbc_digest_record supports.\nint EVP_tls_cbc_record_digest_supported(const EVP_MD *md);\n\n// EVP_sha1_final_with_secret_suffix computes the result of hashing |len| bytes\n// from |in| to |ctx| and writes the resulting hash to |out|. |len| is treated\n// as secret and must be at most |max_len|, which is treated as public. |in|\n// must point to a buffer of at least |max_len| bytes. It returns one on success\n// and zero if inputs are too long.\n//\n// This function is exported for unit tests.\nOPENSSL_EXPORT int EVP_sha1_final_with_secret_suffix(\n SHA_CTX *ctx, uint8_t out[SHA_DIGEST_LENGTH], const uint8_t *in, size_t len,\n size_t max_len);\n\n// EVP_sha256_final_with_secret_suffix acts like\n// |EVP_sha1_final_with_secret_suffix|, but for SHA-256.\n//\n// This function is exported for unit tests.\nOPENSSL_EXPORT int EVP_sha256_final_with_secret_suffix(\n SHA256_CTX *ctx, uint8_t out[SHA256_DIGEST_LENGTH], const uint8_t *in,\n size_t len, size_t max_len);\n\n// EVP_tls_cbc_digest_record computes the MAC of a decrypted, padded TLS\n// record.\n//\n// md: the hash function used in the HMAC.\n// EVP_tls_cbc_record_digest_supported must return true for this hash.\n// md_out: the digest output. At most EVP_MAX_MD_SIZE bytes will be written.\n// md_out_size: the number of output bytes is written here.\n// header: the 13-byte, TLS record header.\n// data: the record data itself\n// data_size: the secret, reported length of the data once the padding and MAC\n// have been removed.\n// data_plus_mac_plus_padding_size: the public length of the whole\n// record, including padding.\n//\n// On entry: by virtue of having been through one of the remove_padding\n// functions, above, we know that data_plus_mac_size is large enough to contain\n// a padding byte and MAC. (If the padding was invalid, it might contain the\n// padding too. )\nint EVP_tls_cbc_digest_record(const EVP_MD *md, uint8_t *md_out,\n size_t *md_out_size, const uint8_t header[13],\n const uint8_t *data, size_t data_size,\n size_t data_plus_mac_plus_padding_size,\n const uint8_t *mac_secret,\n unsigned mac_secret_length);\n\n#define POLY1305_TAG_LEN 16\n\n// For convenience (the x86_64 calling convention allows only six parameters in\n// registers), the final parameter for the assembly functions is both an input\n// and output parameter.\nunion chacha20_poly1305_open_data {\n struct {\n alignas(16) uint8_t key[32];\n uint32_t counter;\n uint8_t nonce[12];\n } in;\n struct {\n uint8_t tag[POLY1305_TAG_LEN];\n } out;\n};\n\nunion chacha20_poly1305_seal_data {\n struct {\n alignas(16) uint8_t key[32];\n uint32_t counter;\n uint8_t nonce[12];\n const uint8_t *extra_ciphertext;\n size_t extra_ciphertext_len;\n } in;\n struct {\n uint8_t tag[POLY1305_TAG_LEN];\n } out;\n};\n\n#if (defined(OPENSSL_X86_64) || defined(OPENSSL_AARCH64)) && \\\n !defined(OPENSSL_NO_ASM)\n\nstatic_assert(sizeof(union chacha20_poly1305_open_data) == 48,\n \"wrong chacha20_poly1305_open_data size\");\nstatic_assert(sizeof(union chacha20_poly1305_seal_data) == 48 + 8 + 8,\n \"wrong chacha20_poly1305_seal_data size\");\n\ninline int chacha20_poly1305_asm_capable(void) {\n#if defined(OPENSSL_X86_64)\n return CRYPTO_is_SSE4_1_capable();\n#elif defined(OPENSSL_AARCH64)\n return CRYPTO_is_NEON_capable();\n#endif\n}\n\n// chacha20_poly1305_open is defined in chacha20_poly1305_*.pl. It decrypts\n// |plaintext_len| bytes from |ciphertext| and writes them to |out_plaintext|.\n// Additional input parameters are passed in |aead_data->in|. On exit, it will\n// write calculated tag value to |aead_data->out.tag|, which the caller must\n// check.\n#if defined(OPENSSL_X86_64)\nextern void chacha20_poly1305_open_nohw(\n uint8_t *out_plaintext, const uint8_t *ciphertext, size_t plaintext_len,\n const uint8_t *ad, size_t ad_len, union chacha20_poly1305_open_data *data);\nextern void chacha20_poly1305_open_avx2(\n uint8_t *out_plaintext, const uint8_t *ciphertext, size_t plaintext_len,\n const uint8_t *ad, size_t ad_len, union chacha20_poly1305_open_data *data);\ninline void chacha20_poly1305_open(uint8_t *out_plaintext,\n const uint8_t *ciphertext,\n size_t plaintext_len, const uint8_t *ad,\n size_t ad_len,\n union chacha20_poly1305_open_data *data) {\n if (CRYPTO_is_AVX2_capable() && CRYPTO_is_BMI2_capable()) {\n chacha20_poly1305_open_avx2(out_plaintext, ciphertext, plaintext_len, ad,\n ad_len, data);\n } else {\n chacha20_poly1305_open_nohw(out_plaintext, ciphertext, plaintext_len, ad,\n ad_len, data);\n }\n}\n#else\nextern void chacha20_poly1305_open(uint8_t *out_plaintext,\n const uint8_t *ciphertext,\n size_t plaintext_len, const uint8_t *ad,\n size_t ad_len,\n union chacha20_poly1305_open_data *data);\n#endif\n\n// chacha20_poly1305_open is defined in chacha20_poly1305_*.pl. It encrypts\n// |plaintext_len| bytes from |plaintext| and writes them to |out_ciphertext|.\n// Additional input parameters are passed in |aead_data->in|. The calculated tag\n// value is over the computed ciphertext concatenated with |extra_ciphertext|\n// and written to |aead_data->out.tag|.\n#if defined(OPENSSL_X86_64)\nextern void chacha20_poly1305_seal_nohw(\n uint8_t *out_ciphertext, const uint8_t *plaintext, size_t plaintext_len,\n const uint8_t *ad, size_t ad_len, union chacha20_poly1305_seal_data *data);\nextern void chacha20_poly1305_seal_avx2(\n uint8_t *out_ciphertext, const uint8_t *plaintext, size_t plaintext_len,\n const uint8_t *ad, size_t ad_len, union chacha20_poly1305_seal_data *data);\ninline void chacha20_poly1305_seal(uint8_t *out_ciphertext,\n const uint8_t *plaintext,\n size_t plaintext_len, const uint8_t *ad,\n size_t ad_len,\n union chacha20_poly1305_seal_data *data) {\n if (CRYPTO_is_AVX2_capable() && CRYPTO_is_BMI2_capable()) {\n chacha20_poly1305_seal_avx2(out_ciphertext, plaintext, plaintext_len, ad,\n ad_len, data);\n } else {\n chacha20_poly1305_seal_nohw(out_ciphertext, plaintext, plaintext_len, ad,\n ad_len, data);\n }\n}\n#else\nextern void chacha20_poly1305_seal(uint8_t *out_ciphertext,\n const uint8_t *plaintext,\n size_t plaintext_len, const uint8_t *ad,\n size_t ad_len,\n union chacha20_poly1305_seal_data *data);\n#endif\n\n#else\n\ninline int chacha20_poly1305_asm_capable(void) { return 0; }\n\ninline void chacha20_poly1305_open(uint8_t *out_plaintext,\n const uint8_t *ciphertext,\n size_t plaintext_len, const uint8_t *ad,\n size_t ad_len,\n union chacha20_poly1305_open_data *data) {\n abort();\n}\n\ninline void chacha20_poly1305_seal(uint8_t *out_ciphertext,\n const uint8_t *plaintext,\n size_t plaintext_len, const uint8_t *ad,\n size_t ad_len,\n union chacha20_poly1305_seal_data *data) {\n abort();\n}\n#endif\n\n\n#if defined(__cplusplus)\n} // extern C\n#endif\n\n#endif // OPENSSL_HEADER_CIPHER_EXTRA_INTERNAL_H\n" }, { "path": "Sources/CNIOBoringSSL/crypto/cipher/tls_cbc.cc", "content": "/*\n * Copyright 2012-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n#include \n\n#include \n#include \n#include \n\n#include \"../internal.h\"\n#include \"internal.h\"\n#include \"../fipsmodule/cipher/internal.h\"\n\n\nint EVP_tls_cbc_remove_padding(crypto_word_t *out_padding_ok, size_t *out_len,\n const uint8_t *in, size_t in_len,\n size_t block_size, size_t mac_size) {\n const size_t overhead = 1 /* padding length byte */ + mac_size;\n\n // These lengths are all public so we can test them in non-constant time.\n if (overhead > in_len) {\n return 0;\n }\n\n size_t padding_length = in[in_len - 1];\n\n crypto_word_t good = constant_time_ge_w(in_len, overhead + padding_length);\n // The padding consists of a length byte at the end of the record and\n // then that many bytes of padding, all with the same value as the\n // length byte. Thus, with the length byte included, there are i+1\n // bytes of padding.\n //\n // We can't check just |padding_length+1| bytes because that leaks\n // decrypted information. Therefore we always have to check the maximum\n // amount of padding possible. (Again, the length of the record is\n // public information so we can use it.)\n size_t to_check = 256; // maximum amount of padding, inc length byte.\n if (to_check > in_len) {\n to_check = in_len;\n }\n\n for (size_t i = 0; i < to_check; i++) {\n uint8_t mask = constant_time_ge_8(padding_length, i);\n uint8_t b = in[in_len - 1 - i];\n // The final |padding_length+1| bytes should all have the value\n // |padding_length|. Therefore the XOR should be zero.\n good &= ~(mask & (padding_length ^ b));\n }\n\n // If any of the final |padding_length+1| bytes had the wrong value,\n // one or more of the lower eight bits of |good| will be cleared.\n good = constant_time_eq_w(0xff, good & 0xff);\n\n // Always treat |padding_length| as zero on error. If, assuming block size of\n // 16, a padding of [<15 arbitrary bytes> 15] treated |padding_length| as 16\n // and returned -1, distinguishing good MAC and bad padding from bad MAC and\n // bad padding would give POODLE's padding oracle.\n padding_length = good & (padding_length + 1);\n *out_len = in_len - padding_length;\n *out_padding_ok = good;\n return 1;\n}\n\nvoid EVP_tls_cbc_copy_mac(uint8_t *out, size_t md_size, const uint8_t *in,\n size_t in_len, size_t orig_len) {\n uint8_t rotated_mac1[EVP_MAX_MD_SIZE], rotated_mac2[EVP_MAX_MD_SIZE];\n uint8_t *rotated_mac = rotated_mac1;\n uint8_t *rotated_mac_tmp = rotated_mac2;\n\n // mac_end is the index of |in| just after the end of the MAC.\n size_t mac_end = in_len;\n size_t mac_start = mac_end - md_size;\n\n declassify_assert(orig_len >= in_len);\n declassify_assert(in_len >= md_size);\n assert(md_size <= EVP_MAX_MD_SIZE);\n assert(md_size > 0);\n\n // scan_start contains the number of bytes that we can ignore because\n // the MAC's position can only vary by 255 bytes.\n size_t scan_start = 0;\n // This information is public so it's safe to branch based on it.\n if (orig_len > md_size + 255 + 1) {\n scan_start = orig_len - (md_size + 255 + 1);\n }\n\n size_t rotate_offset = 0;\n uint8_t mac_started = 0;\n OPENSSL_memset(rotated_mac, 0, md_size);\n for (size_t i = scan_start, j = 0; i < orig_len; i++, j++) {\n if (j >= md_size) {\n j -= md_size;\n }\n crypto_word_t is_mac_start = constant_time_eq_w(i, mac_start);\n mac_started |= is_mac_start;\n uint8_t mac_ended = constant_time_ge_8(i, mac_end);\n rotated_mac[j] |= in[i] & mac_started & ~mac_ended;\n // Save the offset that |mac_start| is mapped to.\n rotate_offset |= j & is_mac_start;\n }\n\n // Now rotate the MAC. We rotate in log(md_size) steps, one for each bit\n // position.\n for (size_t offset = 1; offset < md_size; offset <<= 1, rotate_offset >>= 1) {\n // Rotate by |offset| iff the corresponding bit is set in\n // |rotate_offset|, placing the result in |rotated_mac_tmp|.\n const uint8_t skip_rotate = (rotate_offset & 1) - 1;\n for (size_t i = 0, j = offset; i < md_size; i++, j++) {\n if (j >= md_size) {\n j -= md_size;\n }\n rotated_mac_tmp[i] =\n constant_time_select_8(skip_rotate, rotated_mac[i], rotated_mac[j]);\n }\n\n // Swap pointers so |rotated_mac| contains the (possibly) rotated value.\n // Note the number of iterations and thus the identity of these pointers is\n // public information.\n uint8_t *tmp = rotated_mac;\n rotated_mac = rotated_mac_tmp;\n rotated_mac_tmp = tmp;\n }\n\n OPENSSL_memcpy(out, rotated_mac, md_size);\n}\n\nint EVP_sha1_final_with_secret_suffix(SHA_CTX *ctx,\n uint8_t out[SHA_DIGEST_LENGTH],\n const uint8_t *in, size_t len,\n size_t max_len) {\n // Bound the input length so |total_bits| below fits in four bytes. This is\n // redundant with TLS record size limits. This also ensures |input_idx| below\n // does not overflow.\n size_t max_len_bits = max_len << 3;\n if (ctx->Nh != 0 ||\n (max_len_bits >> 3) != max_len || // Overflow\n ctx->Nl + max_len_bits < max_len_bits ||\n ctx->Nl + max_len_bits > UINT32_MAX) {\n return 0;\n }\n\n // We need to hash the following into |ctx|:\n //\n // - ctx->data[:ctx->num]\n // - in[:len]\n // - A 0x80 byte\n // - However many zero bytes are needed to pad up to a block.\n // - Eight bytes of length.\n size_t num_blocks = (ctx->num + len + 1 + 8 + SHA_CBLOCK - 1) >> 6;\n size_t last_block = num_blocks - 1;\n size_t max_blocks = (ctx->num + max_len + 1 + 8 + SHA_CBLOCK - 1) >> 6;\n\n // The bounds above imply |total_bits| fits in four bytes.\n size_t total_bits = ctx->Nl + (len << 3);\n uint8_t length_bytes[4];\n length_bytes[0] = (uint8_t)(total_bits >> 24);\n length_bytes[1] = (uint8_t)(total_bits >> 16);\n length_bytes[2] = (uint8_t)(total_bits >> 8);\n length_bytes[3] = (uint8_t)total_bits;\n\n // We now construct and process each expected block in constant-time.\n uint8_t block[SHA_CBLOCK] = {0};\n uint32_t result[5] = {0};\n // input_idx is the index into |in| corresponding to the current block.\n // However, we allow this index to overflow beyond |max_len|, to simplify the\n // 0x80 byte.\n size_t input_idx = 0;\n for (size_t i = 0; i < max_blocks; i++) {\n // Fill |block| with data from the partial block in |ctx| and |in|. We copy\n // as if we were hashing up to |max_len| and then zero the excess later.\n size_t block_start = 0;\n if (i == 0) {\n OPENSSL_memcpy(block, ctx->data, ctx->num);\n block_start = ctx->num;\n }\n if (input_idx < max_len) {\n size_t to_copy = SHA_CBLOCK - block_start;\n if (to_copy > max_len - input_idx) {\n to_copy = max_len - input_idx;\n }\n OPENSSL_memcpy(block + block_start, in + input_idx, to_copy);\n }\n\n // Zero any bytes beyond |len| and add the 0x80 byte.\n for (size_t j = block_start; j < SHA_CBLOCK; j++) {\n // input[idx] corresponds to block[j].\n size_t idx = input_idx + j - block_start;\n // The barriers on |len| are not strictly necessary. However, without\n // them, GCC compiles this code by incorporating |len| into the loop\n // counter and subtracting it out later. This is still constant-time, but\n // it frustrates attempts to validate this.\n uint8_t is_in_bounds = constant_time_lt_8(idx, value_barrier_w(len));\n uint8_t is_padding_byte = constant_time_eq_8(idx, value_barrier_w(len));\n block[j] &= is_in_bounds;\n block[j] |= 0x80 & is_padding_byte;\n }\n\n input_idx += SHA_CBLOCK - block_start;\n\n // Fill in the length if this is the last block.\n crypto_word_t is_last_block = constant_time_eq_w(i, last_block);\n for (size_t j = 0; j < 4; j++) {\n block[SHA_CBLOCK - 4 + j] |= is_last_block & length_bytes[j];\n }\n\n // Process the block and save the hash state if it is the final value.\n SHA1_Transform(ctx, block);\n for (size_t j = 0; j < 5; j++) {\n result[j] |= is_last_block & ctx->h[j];\n }\n }\n\n // Write the output.\n for (size_t i = 0; i < 5; i++) {\n CRYPTO_store_u32_be(out + 4 * i, result[i]);\n }\n return 1;\n}\n\nint EVP_sha256_final_with_secret_suffix(SHA256_CTX *ctx,\n uint8_t out[SHA256_DIGEST_LENGTH],\n const uint8_t *in, size_t len,\n size_t max_len) {\n // Bound the input length so |total_bits| below fits in four bytes. This is\n // redundant with TLS record size limits. This also ensures |input_idx| below\n // does not overflow.\n size_t max_len_bits = max_len << 3;\n if (ctx->Nh != 0 ||\n (max_len_bits >> 3) != max_len || // Overflow\n ctx->Nl + max_len_bits < max_len_bits ||\n ctx->Nl + max_len_bits > UINT32_MAX) {\n return 0;\n }\n\n // We need to hash the following into |ctx|:\n //\n // - ctx->data[:ctx->num]\n // - in[:len]\n // - A 0x80 byte\n // - However many zero bytes are needed to pad up to a block.\n // - Eight bytes of length.\n size_t num_blocks = (ctx->num + len + 1 + 8 + SHA256_CBLOCK - 1) >> 6;\n size_t last_block = num_blocks - 1;\n size_t max_blocks = (ctx->num + max_len + 1 + 8 + SHA256_CBLOCK - 1) >> 6;\n\n // The bounds above imply |total_bits| fits in four bytes.\n size_t total_bits = ctx->Nl + (len << 3);\n uint8_t length_bytes[4];\n length_bytes[0] = (uint8_t)(total_bits >> 24);\n length_bytes[1] = (uint8_t)(total_bits >> 16);\n length_bytes[2] = (uint8_t)(total_bits >> 8);\n length_bytes[3] = (uint8_t)total_bits;\n\n // We now construct and process each expected block in constant-time.\n uint8_t block[SHA256_CBLOCK] = {0};\n uint32_t result[8] = {0};\n // input_idx is the index into |in| corresponding to the current block.\n // However, we allow this index to overflow beyond |max_len|, to simplify the\n // 0x80 byte.\n size_t input_idx = 0;\n for (size_t i = 0; i < max_blocks; i++) {\n // Fill |block| with data from the partial block in |ctx| and |in|. We copy\n // as if we were hashing up to |max_len| and then zero the excess later.\n size_t block_start = 0;\n if (i == 0) {\n OPENSSL_memcpy(block, ctx->data, ctx->num);\n block_start = ctx->num;\n }\n if (input_idx < max_len) {\n size_t to_copy = SHA256_CBLOCK - block_start;\n if (to_copy > max_len - input_idx) {\n to_copy = max_len - input_idx;\n }\n OPENSSL_memcpy(block + block_start, in + input_idx, to_copy);\n }\n\n // Zero any bytes beyond |len| and add the 0x80 byte.\n for (size_t j = block_start; j < SHA256_CBLOCK; j++) {\n // input[idx] corresponds to block[j].\n size_t idx = input_idx + j - block_start;\n // The barriers on |len| are not strictly necessary. However, without\n // them, GCC compiles this code by incorporating |len| into the loop\n // counter and subtracting it out later. This is still constant-time, but\n // it frustrates attempts to validate this.\n uint8_t is_in_bounds = constant_time_lt_8(idx, value_barrier_w(len));\n uint8_t is_padding_byte = constant_time_eq_8(idx, value_barrier_w(len));\n block[j] &= is_in_bounds;\n block[j] |= 0x80 & is_padding_byte;\n }\n\n input_idx += SHA256_CBLOCK - block_start;\n\n // Fill in the length if this is the last block.\n crypto_word_t is_last_block = constant_time_eq_w(i, last_block);\n for (size_t j = 0; j < 4; j++) {\n block[SHA256_CBLOCK - 4 + j] |= is_last_block & length_bytes[j];\n }\n\n // Process the block and save the hash state if it is the final value.\n SHA256_Transform(ctx, block);\n for (size_t j = 0; j < 8; j++) {\n result[j] |= is_last_block & ctx->h[j];\n }\n }\n\n // Write the output.\n for (size_t i = 0; i < 8; i++) {\n CRYPTO_store_u32_be(out + 4 * i, result[i]);\n }\n return 1;\n}\n\nint EVP_tls_cbc_record_digest_supported(const EVP_MD *md) {\n switch (EVP_MD_type(md)) {\n case NID_sha1:\n case NID_sha256:\n return 1;\n default:\n return 0;\n }\n}\n\nstatic int tls_cbc_digest_record_sha1(uint8_t *md_out, size_t *md_out_size,\n const uint8_t header[13],\n const uint8_t *data, size_t data_size,\n size_t data_plus_mac_plus_padding_size,\n const uint8_t *mac_secret,\n unsigned mac_secret_length) {\n if (mac_secret_length > SHA_CBLOCK) {\n // HMAC pads small keys with zeros and hashes large keys down. This function\n // should never reach the large key case.\n assert(0);\n return 0;\n }\n\n // Compute the initial HMAC block.\n uint8_t hmac_pad[SHA_CBLOCK];\n OPENSSL_memset(hmac_pad, 0, sizeof(hmac_pad));\n OPENSSL_memcpy(hmac_pad, mac_secret, mac_secret_length);\n for (size_t i = 0; i < SHA_CBLOCK; i++) {\n hmac_pad[i] ^= 0x36;\n }\n\n SHA_CTX ctx;\n SHA1_Init(&ctx);\n SHA1_Update(&ctx, hmac_pad, SHA_CBLOCK);\n SHA1_Update(&ctx, header, 13);\n\n // There are at most 256 bytes of padding, so we can compute the public\n // minimum length for |data_size|.\n size_t min_data_size = 0;\n if (data_plus_mac_plus_padding_size > SHA_DIGEST_LENGTH + 256) {\n min_data_size = data_plus_mac_plus_padding_size - SHA_DIGEST_LENGTH - 256;\n }\n\n // Hash the public minimum length directly. This reduces the number of blocks\n // that must be computed in constant-time.\n SHA1_Update(&ctx, data, min_data_size);\n\n // Hash the remaining data without leaking |data_size|.\n uint8_t mac_out[SHA_DIGEST_LENGTH];\n if (!EVP_sha1_final_with_secret_suffix(\n &ctx, mac_out, data + min_data_size, data_size - min_data_size,\n data_plus_mac_plus_padding_size - min_data_size)) {\n return 0;\n }\n\n // Complete the HMAC in the standard manner.\n SHA1_Init(&ctx);\n for (size_t i = 0; i < SHA_CBLOCK; i++) {\n hmac_pad[i] ^= 0x6a;\n }\n\n SHA1_Update(&ctx, hmac_pad, SHA_CBLOCK);\n SHA1_Update(&ctx, mac_out, SHA_DIGEST_LENGTH);\n SHA1_Final(md_out, &ctx);\n *md_out_size = SHA_DIGEST_LENGTH;\n return 1;\n}\n\nstatic int tls_cbc_digest_record_sha256(uint8_t *md_out, size_t *md_out_size,\n const uint8_t header[13],\n const uint8_t *data, size_t data_size,\n size_t data_plus_mac_plus_padding_size,\n const uint8_t *mac_secret,\n unsigned mac_secret_length) {\n if (mac_secret_length > SHA256_CBLOCK) {\n // HMAC pads small keys with zeros and hashes large keys down. This function\n // should never reach the large key case.\n assert(0);\n return 0;\n }\n\n // Compute the initial HMAC block.\n uint8_t hmac_pad[SHA256_CBLOCK];\n OPENSSL_memset(hmac_pad, 0, sizeof(hmac_pad));\n OPENSSL_memcpy(hmac_pad, mac_secret, mac_secret_length);\n for (size_t i = 0; i < SHA256_CBLOCK; i++) {\n hmac_pad[i] ^= 0x36;\n }\n\n SHA256_CTX ctx;\n SHA256_Init(&ctx);\n SHA256_Update(&ctx, hmac_pad, SHA256_CBLOCK);\n SHA256_Update(&ctx, header, 13);\n\n // There are at most 256 bytes of padding, so we can compute the public\n // minimum length for |data_size|.\n size_t min_data_size = 0;\n if (data_plus_mac_plus_padding_size > SHA256_DIGEST_LENGTH + 256) {\n min_data_size =\n data_plus_mac_plus_padding_size - SHA256_DIGEST_LENGTH - 256;\n }\n\n // Hash the public minimum length directly. This reduces the number of blocks\n // that must be computed in constant-time.\n SHA256_Update(&ctx, data, min_data_size);\n\n // Hash the remaining data without leaking |data_size|.\n uint8_t mac_out[SHA256_DIGEST_LENGTH];\n if (!EVP_sha256_final_with_secret_suffix(\n &ctx, mac_out, data + min_data_size, data_size - min_data_size,\n data_plus_mac_plus_padding_size - min_data_size)) {\n return 0;\n }\n\n // Complete the HMAC in the standard manner.\n SHA256_Init(&ctx);\n for (size_t i = 0; i < SHA256_CBLOCK; i++) {\n hmac_pad[i] ^= 0x6a;\n }\n\n SHA256_Update(&ctx, hmac_pad, SHA256_CBLOCK);\n SHA256_Update(&ctx, mac_out, SHA256_DIGEST_LENGTH);\n SHA256_Final(md_out, &ctx);\n *md_out_size = SHA256_DIGEST_LENGTH;\n return 1;\n}\n\nint EVP_tls_cbc_digest_record(const EVP_MD *md, uint8_t *md_out,\n size_t *md_out_size, const uint8_t header[13],\n const uint8_t *data, size_t data_size,\n size_t data_plus_mac_plus_padding_size,\n const uint8_t *mac_secret,\n unsigned mac_secret_length) {\n switch (EVP_MD_type(md)) {\n case NID_sha1:\n return tls_cbc_digest_record_sha1(\n md_out, md_out_size, header, data, data_size,\n data_plus_mac_plus_padding_size, mac_secret, mac_secret_length);\n\n case NID_sha256:\n return tls_cbc_digest_record_sha256(\n md_out, md_out_size, header, data, data_size,\n data_plus_mac_plus_padding_size, mac_secret, mac_secret_length);\n\n default:\n // EVP_tls_cbc_record_digest_supported should have been called first to\n // check that the hash function is supported.\n assert(0);\n *md_out_size = 0;\n return 0;\n }\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/conf/conf.cc", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n#include \n#include \n\n#include \n#include \n#include \n#include \n#include \n\n#include \"../internal.h\"\n#include \"internal.h\"\n\n\nstruct conf_section_st {\n char *name;\n // values contains non-owning pointers to the values in the section.\n STACK_OF(CONF_VALUE) *values;\n};\n\nstatic const char kDefaultSectionName[] = \"default\";\n\nstatic uint32_t conf_section_hash(const CONF_SECTION *s) {\n return OPENSSL_strhash(s->name);\n}\n\nstatic int conf_section_cmp(const CONF_SECTION *a, const CONF_SECTION *b) {\n return strcmp(a->name, b->name);\n}\n\nstatic uint32_t conf_value_hash(const CONF_VALUE *v) {\n const uint32_t section_hash = OPENSSL_strhash(v->section);\n const uint32_t name_hash = OPENSSL_strhash(v->name);\n return (section_hash << 2) ^ name_hash;\n}\n\nstatic int conf_value_cmp(const CONF_VALUE *a, const CONF_VALUE *b) {\n int cmp = strcmp(a->section, b->section);\n if (cmp != 0) {\n return cmp;\n }\n\n return strcmp(a->name, b->name);\n}\n\nCONF *NCONF_new(void *method) {\n if (method != NULL) {\n return NULL;\n }\n\n CONF *conf = reinterpret_cast(OPENSSL_malloc(sizeof(CONF)));\n if (conf == NULL) {\n return NULL;\n }\n\n conf->sections = lh_CONF_SECTION_new(conf_section_hash, conf_section_cmp);\n conf->values = lh_CONF_VALUE_new(conf_value_hash, conf_value_cmp);\n if (conf->sections == NULL || conf->values == NULL) {\n NCONF_free(conf);\n return NULL;\n }\n\n return conf;\n}\n\nCONF_VALUE *CONF_VALUE_new(void) {\n return reinterpret_cast(OPENSSL_zalloc(sizeof(CONF_VALUE)));\n}\n\nstatic void value_free(CONF_VALUE *value) {\n if (value == NULL) {\n return;\n }\n OPENSSL_free(value->section);\n OPENSSL_free(value->name);\n OPENSSL_free(value->value);\n OPENSSL_free(value);\n}\n\nstatic void section_free(CONF_SECTION *section) {\n if (section == NULL) {\n return;\n }\n OPENSSL_free(section->name);\n sk_CONF_VALUE_free(section->values);\n OPENSSL_free(section);\n}\n\nstatic void value_free_arg(CONF_VALUE *value, void *arg) { value_free(value); }\n\nstatic void section_free_arg(CONF_SECTION *section, void *arg) {\n section_free(section);\n}\n\nvoid NCONF_free(CONF *conf) {\n if (conf == NULL) {\n return;\n }\n\n lh_CONF_SECTION_doall_arg(conf->sections, section_free_arg, NULL);\n lh_CONF_SECTION_free(conf->sections);\n lh_CONF_VALUE_doall_arg(conf->values, value_free_arg, NULL);\n lh_CONF_VALUE_free(conf->values);\n OPENSSL_free(conf);\n}\n\nstatic CONF_SECTION *NCONF_new_section(const CONF *conf, const char *section) {\n CONF_SECTION *s =\n reinterpret_cast(OPENSSL_malloc(sizeof(CONF_SECTION)));\n if (!s) {\n return NULL;\n }\n s->name = OPENSSL_strdup(section);\n s->values = sk_CONF_VALUE_new_null();\n if (s->name == NULL || s->values == NULL) {\n goto err;\n }\n\n CONF_SECTION *old_section;\n if (!lh_CONF_SECTION_insert(conf->sections, &old_section, s)) {\n goto err;\n }\n section_free(old_section);\n return s;\n\nerr:\n section_free(s);\n return NULL;\n}\n\nstatic int is_comment(char c) { return c == '#'; }\n\nstatic int is_quote(char c) { return c == '\"' || c == '\\'' || c == '`'; }\n\nstatic int is_esc(char c) { return c == '\\\\'; }\n\nstatic int is_conf_ws(char c) {\n // This differs from |OPENSSL_isspace| in that CONF does not accept '\\v' and\n // '\\f' as whitespace.\n return c == ' ' || c == '\\t' || c == '\\r' || c == '\\n';\n}\n\nstatic int is_name_char(char c) {\n // Alphanumeric characters, and a handful of symbols, may appear in value and\n // section names without escaping.\n return OPENSSL_isalnum(c) || c == '_' || c == '!' || c == '.' || c == '%' ||\n c == '&' || c == '*' || c == '+' || c == ',' || c == '/' || c == ';' ||\n c == '?' || c == '@' || c == '^' || c == '~' || c == '|' || c == '-';\n}\n\nstatic int str_copy(CONF *conf, char *section, char **pto, char *from) {\n int q, to = 0, len = 0;\n char v;\n BUF_MEM *buf;\n\n buf = BUF_MEM_new();\n if (buf == NULL) {\n return 0;\n }\n\n len = strlen(from) + 1;\n if (!BUF_MEM_grow(buf, len)) {\n goto err;\n }\n\n for (;;) {\n if (is_quote(*from)) {\n q = *from;\n from++;\n while (*from != '\\0' && *from != q) {\n if (is_esc(*from)) {\n from++;\n if (*from == '\\0') {\n break;\n }\n }\n buf->data[to++] = *(from++);\n }\n if (*from == q) {\n from++;\n }\n } else if (is_esc(*from)) {\n from++;\n v = *(from++);\n if (v == '\\0') {\n break;\n } else if (v == 'r') {\n v = '\\r';\n } else if (v == 'n') {\n v = '\\n';\n } else if (v == 'b') {\n v = '\\b';\n } else if (v == 't') {\n v = '\\t';\n }\n buf->data[to++] = v;\n } else if (*from == '\\0') {\n break;\n } else if (*from == '$') {\n // Historically, $foo would expand to a previously-parsed value. This\n // feature has been removed as it was unused and is a DoS vector. If\n // trying to embed '$' in a line, either escape it or wrap the value in\n // quotes.\n OPENSSL_PUT_ERROR(CONF, CONF_R_VARIABLE_EXPANSION_NOT_SUPPORTED);\n goto err;\n } else {\n buf->data[to++] = *(from++);\n }\n }\n\n buf->data[to] = '\\0';\n OPENSSL_free(*pto);\n *pto = buf->data;\n OPENSSL_free(buf);\n return 1;\n\nerr:\n BUF_MEM_free(buf);\n return 0;\n}\n\nstatic CONF_SECTION *get_section(const CONF *conf, const char *section) {\n CONF_SECTION templ;\n OPENSSL_memset(&templ, 0, sizeof(templ));\n templ.name = (char *)section;\n return lh_CONF_SECTION_retrieve(conf->sections, &templ);\n}\n\nconst STACK_OF(CONF_VALUE) *NCONF_get_section(const CONF *conf,\n const char *section) {\n const CONF_SECTION *section_obj = get_section(conf, section);\n if (section_obj == NULL) {\n return NULL;\n }\n return section_obj->values;\n}\n\nconst char *NCONF_get_string(const CONF *conf, const char *section,\n const char *name) {\n CONF_VALUE templ, *value;\n\n if (section == NULL) {\n section = kDefaultSectionName;\n }\n\n OPENSSL_memset(&templ, 0, sizeof(templ));\n templ.section = (char *)section;\n templ.name = (char *)name;\n value = lh_CONF_VALUE_retrieve(conf->values, &templ);\n if (value == NULL) {\n return NULL;\n }\n return value->value;\n}\n\nstatic int add_string(const CONF *conf, CONF_SECTION *section,\n CONF_VALUE *value) {\n value->section = OPENSSL_strdup(section->name);\n if (value->section == NULL) {\n return 0;\n }\n\n if (!sk_CONF_VALUE_push(section->values, value)) {\n return 0;\n }\n\n CONF_VALUE *old_value;\n if (!lh_CONF_VALUE_insert(conf->values, &old_value, value)) {\n // Remove |value| from |section->values|, so we do not leave a dangling\n // pointer.\n sk_CONF_VALUE_pop(section->values);\n return 0;\n }\n if (old_value != NULL) {\n (void)sk_CONF_VALUE_delete_ptr(section->values, old_value);\n value_free(old_value);\n }\n\n return 1;\n}\n\nstatic char *eat_ws(char *p) {\n while (*p != '\\0' && is_conf_ws(*p)) {\n p++;\n }\n return p;\n}\n\nstatic char *scan_esc(char *p) {\n assert(p[0] == '\\\\');\n return p[1] == '\\0' ? p + 1 : p + 2;\n}\n\nstatic char *eat_name(char *p) {\n for (;;) {\n if (is_esc(*p)) {\n p = scan_esc(p);\n continue;\n }\n if (!is_name_char(*p)) {\n return p;\n }\n p++;\n }\n}\n\nstatic char *scan_quote(char *p) {\n int q = *p;\n\n p++;\n while (*p != '\\0' && *p != q) {\n if (is_esc(*p)) {\n p++;\n if (*p == '\\0') {\n return p;\n }\n }\n p++;\n }\n if (*p == q) {\n p++;\n }\n return p;\n}\n\nstatic void clear_comments(char *p) {\n for (;;) {\n if (!is_conf_ws(*p)) {\n break;\n }\n p++;\n }\n\n for (;;) {\n if (is_comment(*p)) {\n *p = '\\0';\n return;\n }\n if (is_quote(*p)) {\n p = scan_quote(p);\n continue;\n }\n if (is_esc(*p)) {\n p = scan_esc(p);\n continue;\n }\n if (*p == '\\0') {\n return;\n } else {\n p++;\n }\n }\n}\n\nint NCONF_load_bio(CONF *conf, BIO *in, long *out_error_line) {\n static const size_t CONFBUFSIZE = 512;\n int bufnum = 0, i, ii;\n BUF_MEM *buff = NULL;\n char *s, *p, *end;\n int again;\n long eline = 0;\n CONF_VALUE *v = NULL;\n CONF_SECTION *sv = NULL;\n char *section = NULL, *buf;\n char *start, *psection, *pname;\n\n if ((buff = BUF_MEM_new()) == NULL) {\n OPENSSL_PUT_ERROR(CONF, ERR_R_BUF_LIB);\n goto err;\n }\n\n section = OPENSSL_strdup(kDefaultSectionName);\n if (section == NULL) {\n goto err;\n }\n\n sv = NCONF_new_section(conf, section);\n if (sv == NULL) {\n OPENSSL_PUT_ERROR(CONF, CONF_R_UNABLE_TO_CREATE_NEW_SECTION);\n goto err;\n }\n\n bufnum = 0;\n again = 0;\n for (;;) {\n if (!BUF_MEM_grow(buff, bufnum + CONFBUFSIZE)) {\n OPENSSL_PUT_ERROR(CONF, ERR_R_BUF_LIB);\n goto err;\n }\n p = &(buff->data[bufnum]);\n *p = '\\0';\n BIO_gets(in, p, CONFBUFSIZE - 1);\n p[CONFBUFSIZE - 1] = '\\0';\n ii = i = strlen(p);\n if (i == 0 && !again) {\n break;\n }\n again = 0;\n while (i > 0) {\n if ((p[i - 1] != '\\r') && (p[i - 1] != '\\n')) {\n break;\n } else {\n i--;\n }\n }\n // we removed some trailing stuff so there is a new\n // line on the end.\n if (ii && i == ii) {\n again = 1; // long line\n } else {\n p[i] = '\\0';\n eline++; // another input line\n }\n\n // we now have a line with trailing \\r\\n removed\n\n // i is the number of bytes\n bufnum += i;\n\n v = NULL;\n // check for line continuation\n if (bufnum >= 1) {\n // If we have bytes and the last char '\\\\' and\n // second last char is not '\\\\'\n p = &(buff->data[bufnum - 1]);\n if (is_esc(p[0]) && ((bufnum <= 1) || !is_esc(p[-1]))) {\n bufnum--;\n again = 1;\n }\n }\n if (again) {\n continue;\n }\n bufnum = 0;\n buf = buff->data;\n\n clear_comments(buf);\n s = eat_ws(buf);\n if (*s == '\\0') {\n continue; // blank line\n }\n if (*s == '[') {\n char *ss;\n\n s++;\n start = eat_ws(s);\n ss = start;\n again:\n end = eat_name(ss);\n p = eat_ws(end);\n if (*p != ']') {\n if (*p != '\\0' && ss != p) {\n ss = p;\n goto again;\n }\n OPENSSL_PUT_ERROR(CONF, CONF_R_MISSING_CLOSE_SQUARE_BRACKET);\n goto err;\n }\n *end = '\\0';\n if (!str_copy(conf, NULL, §ion, start)) {\n goto err;\n }\n if ((sv = get_section(conf, section)) == NULL) {\n sv = NCONF_new_section(conf, section);\n }\n if (sv == NULL) {\n OPENSSL_PUT_ERROR(CONF, CONF_R_UNABLE_TO_CREATE_NEW_SECTION);\n goto err;\n }\n continue;\n } else {\n pname = s;\n psection = NULL;\n end = eat_name(s);\n if ((end[0] == ':') && (end[1] == ':')) {\n *end = '\\0';\n end += 2;\n psection = pname;\n pname = end;\n end = eat_name(end);\n }\n p = eat_ws(end);\n if (*p != '=') {\n OPENSSL_PUT_ERROR(CONF, CONF_R_MISSING_EQUAL_SIGN);\n goto err;\n }\n *end = '\\0';\n p++;\n start = eat_ws(p);\n while (*p != '\\0') {\n p++;\n }\n p--;\n while (p != start && is_conf_ws(*p)) {\n p--;\n }\n p++;\n *p = '\\0';\n\n if (!(v = CONF_VALUE_new())) {\n goto err;\n }\n if (psection == NULL) {\n psection = section;\n }\n v->name = OPENSSL_strdup(pname);\n if (v->name == NULL) {\n goto err;\n }\n if (!str_copy(conf, psection, &(v->value), start)) {\n goto err;\n }\n\n CONF_SECTION *tv;\n if (strcmp(psection, section) != 0) {\n if ((tv = get_section(conf, psection)) == NULL) {\n tv = NCONF_new_section(conf, psection);\n }\n if (tv == NULL) {\n OPENSSL_PUT_ERROR(CONF, CONF_R_UNABLE_TO_CREATE_NEW_SECTION);\n goto err;\n }\n } else {\n tv = sv;\n }\n if (add_string(conf, tv, v) == 0) {\n goto err;\n }\n v = NULL;\n }\n }\n BUF_MEM_free(buff);\n OPENSSL_free(section);\n return 1;\n\nerr:\n BUF_MEM_free(buff);\n OPENSSL_free(section);\n if (out_error_line != NULL) {\n *out_error_line = eline;\n }\n ERR_add_error_dataf(\"line %ld\", eline);\n value_free(v);\n return 0;\n}\n\nint NCONF_load(CONF *conf, const char *filename, long *out_error_line) {\n BIO *in = BIO_new_file(filename, \"rb\");\n int ret;\n\n if (in == NULL) {\n OPENSSL_PUT_ERROR(CONF, ERR_R_SYS_LIB);\n return 0;\n }\n\n ret = NCONF_load_bio(conf, in, out_error_line);\n BIO_free(in);\n\n return ret;\n}\n\nint CONF_parse_list(const char *list, char sep, int remove_whitespace,\n int (*list_cb)(const char *elem, size_t len, void *usr),\n void *arg) {\n int ret;\n const char *lstart, *tmpend, *p;\n\n if (list == NULL) {\n OPENSSL_PUT_ERROR(CONF, CONF_R_LIST_CANNOT_BE_NULL);\n return 0;\n }\n\n lstart = list;\n for (;;) {\n if (remove_whitespace) {\n while (*lstart && OPENSSL_isspace((unsigned char)*lstart)) {\n lstart++;\n }\n }\n p = strchr(lstart, sep);\n if (p == lstart || !*lstart) {\n ret = list_cb(NULL, 0, arg);\n } else {\n if (p) {\n tmpend = p - 1;\n } else {\n tmpend = lstart + strlen(lstart) - 1;\n }\n if (remove_whitespace) {\n while (OPENSSL_isspace((unsigned char)*tmpend)) {\n tmpend--;\n }\n }\n ret = list_cb(lstart, tmpend - lstart + 1, arg);\n }\n if (ret <= 0) {\n return ret;\n }\n if (p == NULL) {\n return 1;\n }\n lstart = p + 1;\n }\n}\n\nint CONF_modules_load_file(const char *filename, const char *appname,\n unsigned long flags) {\n return 1;\n}\n\nvoid CONF_modules_free(void) {}\n\nvoid OPENSSL_config(const char *config_name) {}\n\nvoid OPENSSL_no_config(void) {}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/conf/internal.h", "content": "/* Copyright 2015 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n#ifndef OPENSSL_HEADER_CRYPTO_CONF_INTERNAL_H\n#define OPENSSL_HEADER_CRYPTO_CONF_INTERNAL_H\n\n#include \n\n#include \"../lhash/internal.h\"\n\n#if defined(__cplusplus)\nextern \"C\" {\n#endif\n\n\ntypedef struct conf_section_st CONF_SECTION;\n\nDEFINE_LHASH_OF(CONF_SECTION)\nDEFINE_LHASH_OF(CONF_VALUE)\n\nstruct conf_st {\n LHASH_OF(CONF_VALUE) *values;\n LHASH_OF(CONF_SECTION) *sections;\n};\n\n// CONF_VALUE_new returns a freshly allocated and zeroed |CONF_VALUE|.\nCONF_VALUE *CONF_VALUE_new(void);\n\n// CONF_parse_list takes a list separated by 'sep' and calls |list_cb| giving\n// the start and length of each member, optionally stripping leading and\n// trailing whitespace. This can be used to parse comma separated lists for\n// example. If |list_cb| returns <= 0, then the iteration is halted and that\n// value is returned immediately. Otherwise it returns one. Note that |list_cb|\n// may be called on an empty member.\nOPENSSL_EXPORT int CONF_parse_list(\n const char *list, char sep, int remove_whitespace,\n int (*list_cb)(const char *elem, size_t len, void *usr), void *arg);\n\n\n#if defined(__cplusplus)\n} // extern C\n#endif\n\n#endif // OPENSSL_HEADER_CRYPTO_CONF_INTERNAL_H\n" }, { "path": "Sources/CNIOBoringSSL/crypto/cpu_aarch64_apple.cc", "content": "/* Copyright 2021 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n#include \"internal.h\"\n\n#if defined(OPENSSL_AARCH64) && defined(OPENSSL_APPLE) && \\\n !defined(OPENSSL_STATIC_ARMCAP) && !defined(OPENSSL_NO_ASM)\n\n#include \n#include \n\n#include \n\n\nstatic int has_hw_feature(const char *name) {\n int value;\n size_t len = sizeof(value);\n if (sysctlbyname(name, &value, &len, NULL, 0) != 0) {\n return 0;\n }\n if (len != sizeof(int)) {\n // This should not happen. All the values queried should be integer-valued.\n assert(0);\n return 0;\n }\n\n // Per sys/sysctl.h:\n //\n // Selectors that return errors are not support on the system. Supported\n // features will return 1 if they are recommended or 0 if they are supported\n // but are not expected to help performance. Future versions of these\n // selectors may return larger values as necessary so it is best to test for\n // non zero.\n return value != 0;\n}\n\nvoid OPENSSL_cpuid_setup(void) {\n // Apple ARM64 platforms have NEON and cryptography extensions available\n // statically, so we do not need to query them. In particular, there sometimes\n // are no sysctls corresponding to such features. See below.\n#if !defined(__ARM_NEON) || !defined(__ARM_FEATURE_AES) || \\\n !defined(__ARM_FEATURE_SHA2)\n#error \"NEON and crypto extensions should be statically available.\"\n#endif\n OPENSSL_armcap_P =\n ARMV7_NEON | ARMV8_AES | ARMV8_PMULL | ARMV8_SHA1 | ARMV8_SHA256;\n\n // See Apple's documentation for sysctl names:\n // https://developer.apple.com/documentation/kernel/1387446-sysctlbyname/determining_instruction_set_characteristics\n //\n // The new feature names, e.g. \"hw.optional.arm.FEAT_SHA512\", are only\n // available in macOS 12. For compatibility with macOS 11, we also support\n // the old names. The old names don't have values for features like FEAT_AES,\n // so instead we detect them statically above.\n //\n // If querying new sysctls, update the Chromium sandbox definition. See\n // https://crrev.com/c/4415225.\n if (has_hw_feature(\"hw.optional.arm.FEAT_SHA512\") ||\n has_hw_feature(\"hw.optional.armv8_2_sha512\")) {\n OPENSSL_armcap_P |= ARMV8_SHA512;\n }\n}\n\n#endif // OPENSSL_AARCH64 && OPENSSL_APPLE && !OPENSSL_STATIC_ARMCAP\n" }, { "path": "Sources/CNIOBoringSSL/crypto/cpu_aarch64_fuchsia.cc", "content": "/* Copyright 2018 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n#include \"internal.h\"\n\n#if defined(OPENSSL_AARCH64) && defined(OPENSSL_FUCHSIA) && \\\n !defined(OPENSSL_STATIC_ARMCAP) && !defined(OPENSSL_NO_ASM)\n\n#include \n#include \n#include \n\n#include \n\n\nvoid OPENSSL_cpuid_setup(void) {\n uint32_t hwcap;\n zx_status_t rc = zx_system_get_features(ZX_FEATURE_KIND_CPU, &hwcap);\n if (rc != ZX_OK || (hwcap & ZX_ARM64_FEATURE_ISA_ASIMD) == 0) {\n // If NEON/ASIMD is missing, don't report other features either. This\n // matches OpenSSL, and the other features depend on SIMD registers.\n return;\n }\n\n OPENSSL_armcap_P |= ARMV7_NEON;\n\n if (hwcap & ZX_ARM64_FEATURE_ISA_AES) {\n OPENSSL_armcap_P |= ARMV8_AES;\n }\n if (hwcap & ZX_ARM64_FEATURE_ISA_PMULL) {\n OPENSSL_armcap_P |= ARMV8_PMULL;\n }\n if (hwcap & ZX_ARM64_FEATURE_ISA_SHA1) {\n OPENSSL_armcap_P |= ARMV8_SHA1;\n }\n if (hwcap & ZX_ARM64_FEATURE_ISA_SHA256) {\n OPENSSL_armcap_P |= ARMV8_SHA256;\n }\n if (hwcap & ZX_ARM64_FEATURE_ISA_SHA512) {\n OPENSSL_armcap_P |= ARMV8_SHA512;\n }\n}\n\n#endif // OPENSSL_AARCH64 && OPENSSL_FUCHSIA && !OPENSSL_STATIC_ARMCAP\n" }, { "path": "Sources/CNIOBoringSSL/crypto/cpu_aarch64_linux.cc", "content": "/* Copyright 2016 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n#include \"internal.h\"\n\n#if defined(OPENSSL_AARCH64) && defined(OPENSSL_LINUX) && \\\n !defined(OPENSSL_STATIC_ARMCAP) && !defined(OPENSSL_NO_ASM)\n\n#include \n\n#include \n\n\nvoid OPENSSL_cpuid_setup(void) {\n unsigned long hwcap = getauxval(AT_HWCAP);\n\n // See /usr/include/asm/hwcap.h on an aarch64 installation for the source of\n // these values.\n static const unsigned long kNEON = 1 << 1;\n static const unsigned long kAES = 1 << 3;\n static const unsigned long kPMULL = 1 << 4;\n static const unsigned long kSHA1 = 1 << 5;\n static const unsigned long kSHA256 = 1 << 6;\n static const unsigned long kSHA512 = 1 << 21;\n\n if ((hwcap & kNEON) == 0) {\n // Matching OpenSSL, if NEON is missing, don't report other features\n // either.\n return;\n }\n\n OPENSSL_armcap_P |= ARMV7_NEON;\n\n if (hwcap & kAES) {\n OPENSSL_armcap_P |= ARMV8_AES;\n }\n if (hwcap & kPMULL) {\n OPENSSL_armcap_P |= ARMV8_PMULL;\n }\n if (hwcap & kSHA1) {\n OPENSSL_armcap_P |= ARMV8_SHA1;\n }\n if (hwcap & kSHA256) {\n OPENSSL_armcap_P |= ARMV8_SHA256;\n }\n if (hwcap & kSHA512) {\n OPENSSL_armcap_P |= ARMV8_SHA512;\n }\n}\n\n#endif // OPENSSL_AARCH64 && OPENSSL_LINUX && !OPENSSL_STATIC_ARMCAP\n" }, { "path": "Sources/CNIOBoringSSL/crypto/cpu_aarch64_openbsd.cc", "content": "/* Copyright (c) 2022, Robert Nagy \n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n#include \n\n#if defined(OPENSSL_AARCH64) && defined(OPENSSL_OPENBSD) && \\\n !defined(OPENSSL_STATIC_ARMCAP) && !defined(OPENSSL_NO_ASM)\n\n#include \n#include \n#include \n\n#include \n\n#include \"internal.h\"\n\n\nvoid OPENSSL_cpuid_setup(void) {\n int isar0_mib[] = {CTL_MACHDEP, CPU_ID_AA64ISAR0};\n uint64_t cpu_id = 0;\n size_t len = sizeof(cpu_id);\n\n if (sysctl(isar0_mib, 2, &cpu_id, &len, NULL, 0) < 0) {\n return;\n }\n\n OPENSSL_armcap_P |= ARMV7_NEON;\n\n if (ID_AA64ISAR0_AES(cpu_id) >= ID_AA64ISAR0_AES_BASE) {\n OPENSSL_armcap_P |= ARMV8_AES;\n }\n\n if (ID_AA64ISAR0_AES(cpu_id) >= ID_AA64ISAR0_AES_PMULL) {\n OPENSSL_armcap_P |= ARMV8_PMULL;\n }\n\n if (ID_AA64ISAR0_SHA1(cpu_id) >= ID_AA64ISAR0_SHA1_BASE) {\n OPENSSL_armcap_P |= ARMV8_SHA1;\n }\n\n if (ID_AA64ISAR0_SHA2(cpu_id) >= ID_AA64ISAR0_SHA2_BASE) {\n OPENSSL_armcap_P |= ARMV8_SHA256;\n }\n\n if (ID_AA64ISAR0_SHA2(cpu_id) >= ID_AA64ISAR0_SHA2_512) {\n OPENSSL_armcap_P |= ARMV8_SHA512;\n }\n}\n\n#endif // OPENSSL_AARCH64 && OPENSSL_OPENBSD && !OPENSSL_STATIC_ARMCAP\n" }, { "path": "Sources/CNIOBoringSSL/crypto/cpu_aarch64_sysreg.cc", "content": "/* Copyright 2023 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n#include \"internal.h\"\n\n// While Arm system registers are normally not available to userspace, FreeBSD\n// expects userspace to simply read them. It traps the reads and fills in CPU\n// capabilities.\n#if defined(OPENSSL_AARCH64) && !defined(OPENSSL_STATIC_ARMCAP) && \\\n (defined(ANDROID_BAREMETAL) || defined(OPENSSL_FREEBSD)) && \\\n !defined(OPENSSL_NO_ASM)\n\n#include \n\n#define ID_AA64PFR0_EL1_ADVSIMD 5\n\n#define ID_AA64ISAR0_EL1_AES 1\n#define ID_AA64ISAR0_EL1_SHA1 2\n#define ID_AA64ISAR0_EL1_SHA2 3\n\n#define NBITS_ID_FIELD 4\n\n#define READ_SYSREG(name) \\\n ({ \\\n uint64_t _r; \\\n __asm__(\"mrs %0, \" name : \"=r\"(_r)); \\\n _r; \\\n })\n\nstatic unsigned get_id_field(uint64_t reg, unsigned field) {\n return (reg >> (field * NBITS_ID_FIELD)) & ((1 << NBITS_ID_FIELD) - 1);\n}\n\nstatic int get_signed_id_field(uint64_t reg, unsigned field) {\n unsigned value = get_id_field(reg, field);\n if (value & (1 << (NBITS_ID_FIELD - 1))) {\n return (int)(value | (UINT64_MAX << NBITS_ID_FIELD));\n } else {\n return (int)value;\n }\n}\n\nstatic uint32_t read_armcap(void) {\n uint32_t armcap = ARMV7_NEON;\n\n uint64_t id_aa64pfr0_el1 = READ_SYSREG(\"id_aa64pfr0_el1\");\n\n if (get_signed_id_field(id_aa64pfr0_el1, ID_AA64PFR0_EL1_ADVSIMD) < 0) {\n // If AdvSIMD (\"NEON\") is missing, don't report other features either.\n // This matches OpenSSL.\n return 0;\n }\n\n uint64_t id_aa64isar0_el1 = READ_SYSREG(\"id_aa64isar0_el1\");\n\n unsigned aes = get_id_field(id_aa64isar0_el1, ID_AA64ISAR0_EL1_AES);\n if (aes > 0) {\n armcap |= ARMV8_AES;\n }\n if (aes > 1) {\n armcap |= ARMV8_PMULL;\n }\n\n unsigned sha1 = get_id_field(id_aa64isar0_el1, ID_AA64ISAR0_EL1_SHA1);\n if (sha1 > 0) {\n armcap |= ARMV8_SHA1;\n }\n\n unsigned sha2 = get_id_field(id_aa64isar0_el1, ID_AA64ISAR0_EL1_SHA2);\n if (sha2 > 0) {\n armcap |= ARMV8_SHA256;\n }\n if (sha2 > 1) {\n armcap |= ARMV8_SHA512;\n }\n\n return armcap;\n}\n\nvoid OPENSSL_cpuid_setup(void) { OPENSSL_armcap_P |= read_armcap(); }\n\n#endif // OPENSSL_AARCH64 && !OPENSSL_STATIC_ARMCAP &&\n // (ANDROID_BAREMETAL || OPENSSL_FREEBSD)\n" }, { "path": "Sources/CNIOBoringSSL/crypto/cpu_aarch64_win.cc", "content": "/* Copyright 2018 The BoringSSL Authors\n * Copyright (c) 2020, Arm Ltd.\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n#include \"internal.h\"\n\n#if defined(OPENSSL_AARCH64) && defined(OPENSSL_WINDOWS) && \\\n !defined(OPENSSL_STATIC_ARMCAP) && !defined(OPENSSL_NO_ASM)\n\n#include \n\n#include \n\n\nvoid OPENSSL_cpuid_setup(void) {\n // We do not need to check for the presence of NEON, as Armv8-A always has it\n OPENSSL_armcap_P |= ARMV7_NEON;\n\n if (IsProcessorFeaturePresent(PF_ARM_V8_CRYPTO_INSTRUCTIONS_AVAILABLE)) {\n // These are all covered by one call in Windows\n OPENSSL_armcap_P |= ARMV8_AES;\n OPENSSL_armcap_P |= ARMV8_PMULL;\n OPENSSL_armcap_P |= ARMV8_SHA1;\n OPENSSL_armcap_P |= ARMV8_SHA256;\n }\n // As of writing, Windows does not have a |PF_*| value for ARMv8.2 SHA-512\n // extensions. When it does, add it here.\n}\n\n#endif // OPENSSL_AARCH64 && OPENSSL_WINDOWS && !OPENSSL_STATIC_ARMCAP\n" }, { "path": "Sources/CNIOBoringSSL/crypto/cpu_arm_freebsd.cc", "content": "/* Copyright 2022 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n#include \"internal.h\"\n\n#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_ARM) && \\\n defined(OPENSSL_FREEBSD) && !defined(OPENSSL_STATIC_ARMCAP)\n#include \n#include \n\n#include \n#include \n\n\nvoid OPENSSL_cpuid_setup(void) {\n unsigned long hwcap = 0, hwcap2 = 0;\n\n // |elf_aux_info| may fail, in which case |hwcap| and |hwcap2| will be\n // left at zero. The rest of this function will then gracefully report\n // the features are absent.\n elf_aux_info(AT_HWCAP, &hwcap, sizeof(hwcap));\n elf_aux_info(AT_HWCAP2, &hwcap2, sizeof(hwcap2));\n\n // Matching OpenSSL, only report other features if NEON is present.\n if (hwcap & HWCAP_NEON) {\n OPENSSL_armcap_P |= ARMV7_NEON;\n\n if (hwcap2 & HWCAP2_AES) {\n OPENSSL_armcap_P |= ARMV8_AES;\n }\n if (hwcap2 & HWCAP2_PMULL) {\n OPENSSL_armcap_P |= ARMV8_PMULL;\n }\n if (hwcap2 & HWCAP2_SHA1) {\n OPENSSL_armcap_P |= ARMV8_SHA1;\n }\n if (hwcap2 & HWCAP2_SHA2) {\n OPENSSL_armcap_P |= ARMV8_SHA256;\n }\n }\n}\n\n#endif // OPENSSL_ARM && OPENSSL_OPENBSD && !OPENSSL_STATIC_ARMCAP\n" }, { "path": "Sources/CNIOBoringSSL/crypto/cpu_arm_linux.cc", "content": "/* Copyright 2016 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n#include \"internal.h\"\n\n#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_ARM) && \\\n defined(OPENSSL_LINUX) && !defined(OPENSSL_STATIC_ARMCAP)\n#include \n#include \n#include \n#include \n#include \n\n#include \n#include \n\n#include \"cpu_arm_linux.h\"\n\nstatic int open_eintr(const char *path, int flags) {\n int ret;\n do {\n ret = open(path, flags);\n } while (ret < 0 && errno == EINTR);\n return ret;\n}\n\nstatic ssize_t read_eintr(int fd, void *out, size_t len) {\n ssize_t ret;\n do {\n ret = read(fd, out, len);\n } while (ret < 0 && errno == EINTR);\n return ret;\n}\n\n// read_file opens |path| and reads until end-of-file. On success, it returns\n// one and sets |*out_ptr| and |*out_len| to a newly-allocated buffer with the\n// contents. Otherwise, it returns zero.\nstatic int read_file(char **out_ptr, size_t *out_len, const char *path) {\n int fd = open_eintr(path, O_RDONLY);\n if (fd < 0) {\n return 0;\n }\n\n static const size_t kReadSize = 1024;\n int ret = 0;\n size_t cap = kReadSize, len = 0;\n char *buf = reinterpret_cast(OPENSSL_malloc(cap));\n if (buf == NULL) {\n goto err;\n }\n\n for (;;) {\n if (cap - len < kReadSize) {\n size_t new_cap = cap * 2;\n if (new_cap < cap) {\n goto err;\n }\n char *new_buf = reinterpret_cast(OPENSSL_realloc(buf, new_cap));\n if (new_buf == NULL) {\n goto err;\n }\n buf = new_buf;\n cap = new_cap;\n }\n\n ssize_t bytes_read = read_eintr(fd, buf + len, kReadSize);\n if (bytes_read < 0) {\n goto err;\n }\n if (bytes_read == 0) {\n break;\n }\n len += bytes_read;\n }\n\n *out_ptr = buf;\n *out_len = len;\n ret = 1;\n buf = NULL;\n\nerr:\n OPENSSL_free(buf);\n close(fd);\n return ret;\n}\n\nstatic int g_needs_hwcap2_workaround;\n\nvoid OPENSSL_cpuid_setup(void) {\n // We ignore the return value of |read_file| and proceed with an empty\n // /proc/cpuinfo on error. If |getauxval| works, we will still detect\n // capabilities.\n char *cpuinfo_data = NULL;\n size_t cpuinfo_len = 0;\n read_file(&cpuinfo_data, &cpuinfo_len, \"/proc/cpuinfo\");\n STRING_PIECE cpuinfo;\n cpuinfo.data = cpuinfo_data;\n cpuinfo.len = cpuinfo_len;\n\n // Matching OpenSSL, only report other features if NEON is present.\n unsigned long hwcap = getauxval(AT_HWCAP);\n if (hwcap & HWCAP_NEON) {\n OPENSSL_armcap_P |= ARMV7_NEON;\n\n // Some ARMv8 Android devices don't expose AT_HWCAP2. Fall back to\n // /proc/cpuinfo. See https://crbug.com/boringssl/46. As of February 2021,\n // this is now rare (see Chrome's Net.NeedsHWCAP2Workaround metric), but AES\n // and PMULL extensions are very useful, so we still carry the workaround\n // for now.\n unsigned long hwcap2 = getauxval(AT_HWCAP2);\n if (hwcap2 == 0) {\n hwcap2 = crypto_get_arm_hwcap2_from_cpuinfo(&cpuinfo);\n g_needs_hwcap2_workaround = hwcap2 != 0;\n }\n\n if (hwcap2 & HWCAP2_AES) {\n OPENSSL_armcap_P |= ARMV8_AES;\n }\n if (hwcap2 & HWCAP2_PMULL) {\n OPENSSL_armcap_P |= ARMV8_PMULL;\n }\n if (hwcap2 & HWCAP2_SHA1) {\n OPENSSL_armcap_P |= ARMV8_SHA1;\n }\n if (hwcap2 & HWCAP2_SHA2) {\n OPENSSL_armcap_P |= ARMV8_SHA256;\n }\n }\n\n OPENSSL_free(cpuinfo_data);\n}\n\nint CRYPTO_has_broken_NEON(void) { return 0; }\n\nint CRYPTO_needs_hwcap2_workaround(void) {\n OPENSSL_init_cpuid();\n return g_needs_hwcap2_workaround;\n}\n\n#endif // OPENSSL_ARM && OPENSSL_LINUX && !OPENSSL_STATIC_ARMCAP\n" }, { "path": "Sources/CNIOBoringSSL/crypto/cpu_arm_linux.h", "content": "/* Copyright 2018 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n#ifndef OPENSSL_HEADER_CRYPTO_CPU_ARM_LINUX_H\n#define OPENSSL_HEADER_CRYPTO_CPU_ARM_LINUX_H\n\n#include \n\n#include \n\n#include \"internal.h\"\n\n#if defined(__cplusplus)\nextern \"C\" {\n#endif\n\n\n// The cpuinfo parser lives in a header file so it may be accessible from\n// cross-platform fuzzers without adding code to those platforms normally.\n\n#define HWCAP_NEON (1 << 12)\n\n// See /usr/include/asm/hwcap.h on an ARM installation for the source of\n// these values.\n#define HWCAP2_AES (1 << 0)\n#define HWCAP2_PMULL (1 << 1)\n#define HWCAP2_SHA1 (1 << 2)\n#define HWCAP2_SHA2 (1 << 3)\n\ntypedef struct {\n const char *data;\n size_t len;\n} STRING_PIECE;\n\nstatic int STRING_PIECE_equals(const STRING_PIECE *a, const char *b) {\n size_t b_len = strlen(b);\n return a->len == b_len && OPENSSL_memcmp(a->data, b, b_len) == 0;\n}\n\n// STRING_PIECE_split finds the first occurence of |sep| in |in| and, if found,\n// sets |*out_left| and |*out_right| to |in| split before and after it. It\n// returns one if |sep| was found and zero otherwise.\nstatic int STRING_PIECE_split(STRING_PIECE *out_left, STRING_PIECE *out_right,\n const STRING_PIECE *in, char sep) {\n const char *p = (const char *)OPENSSL_memchr(in->data, sep, in->len);\n if (p == NULL) {\n return 0;\n }\n // |out_left| or |out_right| may alias |in|, so make a copy.\n STRING_PIECE in_copy = *in;\n out_left->data = in_copy.data;\n out_left->len = p - in_copy.data;\n out_right->data = in_copy.data + out_left->len + 1;\n out_right->len = in_copy.len - out_left->len - 1;\n return 1;\n}\n\n// STRING_PIECE_get_delimited reads a |sep|-delimited entry from |s|, writing it\n// to |out| and updating |s| to point beyond it. It returns one on success and\n// zero if |s| is empty. If |s| is has no copies of |sep| and is non-empty, it\n// reads the entire string to |out|.\nstatic int STRING_PIECE_get_delimited(STRING_PIECE *s, STRING_PIECE *out, char sep) {\n if (s->len == 0) {\n return 0;\n }\n if (!STRING_PIECE_split(out, s, s, sep)) {\n // |s| had no instances of |sep|. Return the entire string.\n *out = *s;\n s->data += s->len;\n s->len = 0;\n }\n return 1;\n}\n\n// STRING_PIECE_trim removes leading and trailing whitespace from |s|.\nstatic void STRING_PIECE_trim(STRING_PIECE *s) {\n while (s->len != 0 && (s->data[0] == ' ' || s->data[0] == '\\t')) {\n s->data++;\n s->len--;\n }\n while (s->len != 0 &&\n (s->data[s->len - 1] == ' ' || s->data[s->len - 1] == '\\t')) {\n s->len--;\n }\n}\n\n// extract_cpuinfo_field extracts a /proc/cpuinfo field named |field| from\n// |in|. If found, it sets |*out| to the value and returns one. Otherwise, it\n// returns zero.\nstatic int extract_cpuinfo_field(STRING_PIECE *out, const STRING_PIECE *in,\n const char *field) {\n // Process |in| one line at a time.\n STRING_PIECE remaining = *in, line;\n while (STRING_PIECE_get_delimited(&remaining, &line, '\\n')) {\n STRING_PIECE key, value;\n if (!STRING_PIECE_split(&key, &value, &line, ':')) {\n continue;\n }\n STRING_PIECE_trim(&key);\n if (STRING_PIECE_equals(&key, field)) {\n STRING_PIECE_trim(&value);\n *out = value;\n return 1;\n }\n }\n\n return 0;\n}\n\n// has_list_item treats |list| as a space-separated list of items and returns\n// one if |item| is contained in |list| and zero otherwise.\nstatic int has_list_item(const STRING_PIECE *list, const char *item) {\n STRING_PIECE remaining = *list, feature;\n while (STRING_PIECE_get_delimited(&remaining, &feature, ' ')) {\n if (STRING_PIECE_equals(&feature, item)) {\n return 1;\n }\n }\n return 0;\n}\n\n// crypto_get_arm_hwcap2_from_cpuinfo returns an equivalent ARM |AT_HWCAP2|\n// value from |cpuinfo|.\nstatic unsigned long crypto_get_arm_hwcap2_from_cpuinfo(\n const STRING_PIECE *cpuinfo) {\n STRING_PIECE features;\n if (!extract_cpuinfo_field(&features, cpuinfo, \"Features\")) {\n return 0;\n }\n\n unsigned long ret = 0;\n if (has_list_item(&features, \"aes\")) {\n ret |= HWCAP2_AES;\n }\n if (has_list_item(&features, \"pmull\")) {\n ret |= HWCAP2_PMULL;\n }\n if (has_list_item(&features, \"sha1\")) {\n ret |= HWCAP2_SHA1;\n }\n if (has_list_item(&features, \"sha2\")) {\n ret |= HWCAP2_SHA2;\n }\n return ret;\n}\n\n\n#if defined(__cplusplus)\n} // extern C\n#endif\n\n#endif // OPENSSL_HEADER_CRYPTO_CPU_ARM_LINUX_H\n" }, { "path": "Sources/CNIOBoringSSL/crypto/cpu_intel.cc", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#if !defined(OPENSSL_NO_ASM) && \\\n (defined(OPENSSL_X86) || defined(OPENSSL_X86_64))\n\n#include \n#include \n#include \n#include \n\n#if defined(_MSC_VER)\nOPENSSL_MSVC_PRAGMA(warning(push, 3))\n#include \n#include \nOPENSSL_MSVC_PRAGMA(warning(pop))\n#endif\n\n#include \"internal.h\"\n\n\n// OPENSSL_cpuid runs the cpuid instruction. |leaf| is passed in as EAX and ECX\n// is set to zero. It writes EAX, EBX, ECX, and EDX to |*out_eax| through\n// |*out_edx|.\nstatic void OPENSSL_cpuid(uint32_t *out_eax, uint32_t *out_ebx,\n uint32_t *out_ecx, uint32_t *out_edx, uint32_t leaf) {\n#if defined(_MSC_VER)\n int tmp[4];\n __cpuid(tmp, (int)leaf);\n *out_eax = (uint32_t)tmp[0];\n *out_ebx = (uint32_t)tmp[1];\n *out_ecx = (uint32_t)tmp[2];\n *out_edx = (uint32_t)tmp[3];\n#elif defined(__pic__) && defined(OPENSSL_32_BIT)\n // Inline assembly may not clobber the PIC register. For 32-bit, this is EBX.\n // See https://gcc.gnu.org/bugzilla/show_bug.cgi?id=47602.\n __asm__ volatile(\n \"xor %%ecx, %%ecx\\n\"\n \"mov %%ebx, %%edi\\n\"\n \"cpuid\\n\"\n \"xchg %%edi, %%ebx\\n\"\n : \"=a\"(*out_eax), \"=D\"(*out_ebx), \"=c\"(*out_ecx), \"=d\"(*out_edx)\n : \"a\"(leaf));\n#else\n __asm__ volatile(\n \"xor %%ecx, %%ecx\\n\"\n \"cpuid\\n\"\n : \"=a\"(*out_eax), \"=b\"(*out_ebx), \"=c\"(*out_ecx), \"=d\"(*out_edx)\n : \"a\"(leaf));\n#endif\n}\n\n// OPENSSL_xgetbv returns the value of an Intel Extended Control Register (XCR).\n// Currently only XCR0 is defined by Intel so |xcr| should always be zero.\nstatic uint64_t OPENSSL_xgetbv(uint32_t xcr) {\n#if defined(_MSC_VER)\n return (uint64_t)_xgetbv(xcr);\n#else\n uint32_t eax, edx;\n __asm__ volatile(\"xgetbv\" : \"=a\"(eax), \"=d\"(edx) : \"c\"(xcr));\n return (((uint64_t)edx) << 32) | eax;\n#endif\n}\n\nstatic bool os_supports_avx512(uint64_t xcr0) {\n#if defined(__APPLE__)\n // The Darwin kernel had a bug where it could corrupt the opmask registers.\n // See\n // https://community.intel.com/t5/Software-Tuning-Performance/MacOS-Darwin-kernel-bug-clobbers-AVX-512-opmask-register-state/m-p/1327259\n // Darwin also does not initially set the XCR0 bits for AVX512, but they are\n // set if the thread tries to use AVX512 anyway. Thus, to safely and\n // consistently use AVX512 on macOS we'd need to check the kernel version as\n // well as detect AVX512 support using a macOS-specific method. We don't\n // bother with this, especially given Apple's transition to arm64.\n return false;\n#else\n return (xcr0 & 0xe6) == 0xe6;\n#endif\n}\n\n// handle_cpu_env applies the value from |in| to the CPUID values in |out[0]|\n// and |out[1]|. See the comment in |OPENSSL_cpuid_setup| about this.\nstatic void handle_cpu_env(uint32_t *out, const char *in) {\n const int invert_op = in[0] == '~';\n const int or_op = in[0] == '|';\n const int skip_first_byte = invert_op || or_op;\n const int hex = in[skip_first_byte] == '0' && in[skip_first_byte + 1] == 'x';\n\n int sscanf_result;\n uint64_t v;\n if (hex) {\n sscanf_result = sscanf(in + invert_op + 2, \"%\" PRIx64, &v);\n } else {\n sscanf_result = sscanf(in + invert_op, \"%\" PRIu64, &v);\n }\n\n if (!sscanf_result) {\n return;\n }\n\n if (invert_op) {\n out[0] &= ~v;\n out[1] &= ~(v >> 32);\n } else if (or_op) {\n out[0] |= v;\n out[1] |= (v >> 32);\n } else {\n out[0] = v;\n out[1] = v >> 32;\n }\n}\n\nvoid OPENSSL_cpuid_setup(void) {\n // Determine the vendor and maximum input value.\n uint32_t eax, ebx, ecx, edx;\n OPENSSL_cpuid(&eax, &ebx, &ecx, &edx, 0);\n\n uint32_t num_ids = eax;\n\n int is_intel = ebx == 0x756e6547 /* Genu */ && //\n edx == 0x49656e69 /* ineI */ && //\n ecx == 0x6c65746e /* ntel */;\n int is_amd = ebx == 0x68747541 /* Auth */ && //\n edx == 0x69746e65 /* enti */ && //\n ecx == 0x444d4163 /* cAMD */;\n\n uint32_t extended_features[2] = {0};\n if (num_ids >= 7) {\n OPENSSL_cpuid(&eax, &ebx, &ecx, &edx, 7);\n extended_features[0] = ebx;\n extended_features[1] = ecx;\n }\n\n OPENSSL_cpuid(&eax, &ebx, &ecx, &edx, 1);\n\n const uint32_t base_family = (eax >> 8) & 15;\n const uint32_t base_model = (eax >> 4) & 15;\n\n uint32_t family = base_family;\n uint32_t model = base_model;\n if (base_family == 15) {\n const uint32_t ext_family = (eax >> 20) & 255;\n family += ext_family;\n }\n if (base_family == 6 || base_family == 15) {\n const uint32_t ext_model = (eax >> 16) & 15;\n model |= ext_model << 4;\n }\n\n if (is_amd) {\n if (family < 0x17 || (family == 0x17 && 0x70 <= model && model <= 0x7f)) {\n // Disable RDRAND on AMD families before 0x17 (Zen) due to reported\n // failures after suspend.\n // https://bugzilla.redhat.com/show_bug.cgi?id=1150286\n // Also disable for family 0x17, models 0x70–0x7f, due to possible RDRAND\n // failures there too.\n ecx &= ~(1u << 30);\n }\n }\n\n // Force the hyper-threading bit so that the more conservative path is always\n // chosen.\n edx |= 1u << 28;\n\n // Reserved bit #20 was historically repurposed to control the in-memory\n // representation of RC4 state. Always set it to zero.\n edx &= ~(1u << 20);\n\n // Reserved bit #30 is repurposed to signal an Intel CPU.\n if (is_intel) {\n edx |= (1u << 30);\n } else {\n edx &= ~(1u << 30);\n }\n\n // The SDBG bit is repurposed to denote AMD XOP support. Don't ever use AMD\n // XOP code paths.\n ecx &= ~(1u << 11);\n\n uint64_t xcr0 = 0;\n if (ecx & (1u << 27)) {\n // XCR0 may only be queried if the OSXSAVE bit is set.\n xcr0 = OPENSSL_xgetbv(0);\n }\n // See Intel manual, volume 1, section 14.3.\n if ((xcr0 & 6) != 6) {\n // YMM registers cannot be used.\n ecx &= ~(1u << 28); // AVX\n ecx &= ~(1u << 12); // FMA\n ecx &= ~(1u << 11); // AMD XOP\n extended_features[0] &= ~(1u << 5); // AVX2\n extended_features[1] &= ~(1u << 9); // VAES\n extended_features[1] &= ~(1u << 10); // VPCLMULQDQ\n }\n // See Intel manual, volume 1, sections 15.2 (\"Detection of AVX-512 Foundation\n // Instructions\") through 15.4 (\"Detection of Intel AVX-512 Instruction Groups\n // Operating at 256 and 128-bit Vector Lengths\").\n if (!os_supports_avx512(xcr0)) {\n // Without XCR0.111xx11x, no AVX512 feature can be used. This includes ZMM\n // registers, masking, SIMD registers 16-31 (even if accessed as YMM or\n // XMM), and EVEX-coded instructions (even on YMM or XMM). Even if only\n // XCR0.ZMM_Hi256 is missing, it isn't valid to use AVX512 features on\n // shorter vectors, since AVX512 ties everything to the availability of\n // 512-bit vectors. See the above-mentioned sections of the Intel manual,\n // which say that *all* these XCR0 bits must be checked even when just using\n // 128-bit or 256-bit vectors, and also volume 2a section 2.7.11 (\"#UD\n // Equations for EVEX\") which says that all EVEX-coded instructions raise an\n // undefined-instruction exception if any of these XCR0 bits is zero.\n //\n // AVX10 fixes this by reorganizing the features that used to be part of\n // \"AVX512\" and allowing them to be used independently of 512-bit support.\n // TODO: add AVX10 detection.\n extended_features[0] &= ~(1u << 16); // AVX512F\n extended_features[0] &= ~(1u << 17); // AVX512DQ\n extended_features[0] &= ~(1u << 21); // AVX512IFMA\n extended_features[0] &= ~(1u << 26); // AVX512PF\n extended_features[0] &= ~(1u << 27); // AVX512ER\n extended_features[0] &= ~(1u << 28); // AVX512CD\n extended_features[0] &= ~(1u << 30); // AVX512BW\n extended_features[0] &= ~(1u << 31); // AVX512VL\n extended_features[1] &= ~(1u << 1); // AVX512VBMI\n extended_features[1] &= ~(1u << 6); // AVX512VBMI2\n extended_features[1] &= ~(1u << 11); // AVX512VNNI\n extended_features[1] &= ~(1u << 12); // AVX512BITALG\n extended_features[1] &= ~(1u << 14); // AVX512VPOPCNTDQ\n }\n\n // Repurpose the bit for the removed MPX feature to indicate when using zmm\n // registers should be avoided even when they are supported. (When set, AVX512\n // features can still be used, but only using ymm or xmm registers.) Skylake\n // suffered from severe downclocking when zmm registers were used, which\n // affected unrelated code running on the system, making zmm registers not too\n // useful outside of benchmarks. The situation improved significantly by Ice\n // Lake, but a small amount of downclocking remained. (See\n // https://lore.kernel.org/linux-crypto/e8ce1146-3952-6977-1d0e-a22758e58914@intel.com/)\n // We take a conservative approach of not allowing zmm registers until after\n // Ice Lake and Tiger Lake, i.e. until Sapphire Rapids on the server side.\n //\n // AMD CPUs, which support AVX512 starting with Zen 4, have not been reported\n // to have any downclocking problem when zmm registers are used.\n if (is_intel && family == 6 &&\n (model == 85 || // Skylake, Cascade Lake, Cooper Lake (server)\n model == 106 || // Ice Lake (server)\n model == 108 || // Ice Lake (micro server)\n model == 125 || // Ice Lake (client)\n model == 126 || // Ice Lake (mobile)\n model == 140 || // Tiger Lake (mobile)\n model == 141)) { // Tiger Lake (client)\n extended_features[0] |= 1u << 14;\n } else {\n extended_features[0] &= ~(1u << 14);\n }\n\n OPENSSL_ia32cap_P[0] = edx;\n OPENSSL_ia32cap_P[1] = ecx;\n OPENSSL_ia32cap_P[2] = extended_features[0];\n OPENSSL_ia32cap_P[3] = extended_features[1];\n\n const char *env1, *env2;\n env1 = getenv(\"OPENSSL_ia32cap\");\n if (env1 == NULL) {\n return;\n }\n\n // OPENSSL_ia32cap can contain zero, one or two values, separated with a ':'.\n // Each value is a 64-bit, unsigned value which may start with \"0x\" to\n // indicate a hex value. Prior to the 64-bit value, a '~' or '|' may be given.\n //\n // If the '~' prefix is present:\n // the value is inverted and ANDed with the probed CPUID result\n // If the '|' prefix is present:\n // the value is ORed with the probed CPUID result\n // Otherwise:\n // the value is taken as the result of the CPUID\n //\n // The first value determines OPENSSL_ia32cap_P[0] and [1]. The second [2]\n // and [3].\n\n handle_cpu_env(&OPENSSL_ia32cap_P[0], env1);\n env2 = strchr(env1, ':');\n if (env2 != NULL) {\n handle_cpu_env(&OPENSSL_ia32cap_P[2], env2 + 1);\n }\n}\n\n#endif // !OPENSSL_NO_ASM && (OPENSSL_X86 || OPENSSL_X86_64)\n" }, { "path": "Sources/CNIOBoringSSL/crypto/crypto.cc", "content": "/* Copyright 2014 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n#include \n\n#include \n#include \n\n#include \"bcm_support.h\"\n#include \"fipsmodule/rand/internal.h\"\n#include \"internal.h\"\n\n\nstatic_assert(sizeof(ossl_ssize_t) == sizeof(size_t),\n \"ossl_ssize_t should be the same size as size_t\");\n\n\n// Our assembly does not use the GOT to reference symbols, which means\n// references to visible symbols will often require a TEXTREL. This is\n// undesirable, so all assembly-referenced symbols should be hidden. CPU\n// capabilities are the only such symbols defined in C. Explicitly hide them,\n// rather than rely on being built with -fvisibility=hidden.\n#if defined(OPENSSL_WINDOWS)\n#define HIDDEN\n#else\n#define HIDDEN __attribute__((visibility(\"hidden\")))\n#endif\n\n\n// The capability variables are defined in this file in order to work around a\n// linker bug. When linking with a .a, if no symbols in a .o are referenced\n// then the .o is discarded, even if it has constructor functions.\n//\n// This still means that any binaries that don't include some functionality\n// that tests the capability values will still skip the constructor but, so\n// far, the init constructor function only sets the capability variables.\n\n#if defined(BORINGSSL_DISPATCH_TEST)\n// This value must be explicitly initialised to zero in order to work around a\n// bug in libtool or the linker on OS X.\n//\n// If not initialised then it becomes a \"common symbol\". When put into an\n// archive, linking on OS X will fail to resolve common symbols. By\n// initialising it to zero, it becomes a \"data symbol\", which isn't so\n// affected.\nHIDDEN uint8_t BORINGSSL_function_hit[9] = {0};\n#endif\n\n#if defined(OPENSSL_X86) || defined(OPENSSL_X86_64)\n\n// This value must be explicitly initialized to zero. See similar comment above.\nHIDDEN uint32_t OPENSSL_ia32cap_P[4] = {0};\n\nuint32_t OPENSSL_get_ia32cap(int idx) {\n OPENSSL_init_cpuid();\n return OPENSSL_ia32cap_P[idx];\n}\n\n#elif defined(OPENSSL_ARM) || defined(OPENSSL_AARCH64)\n\n#include \n\n#if defined(OPENSSL_STATIC_ARMCAP)\n\n// See ARM ACLE for the definitions of these macros. Note |__ARM_FEATURE_AES|\n// covers both AES and PMULL and |__ARM_FEATURE_SHA2| covers SHA-1 and SHA-256.\n// https://developer.arm.com/architectures/system-architectures/software-standards/acle\n// https://github.com/ARM-software/acle/issues/152\n//\n// TODO(davidben): Do we still need |OPENSSL_STATIC_ARMCAP_*| or are the\n// standard flags and -march sufficient?\nHIDDEN uint32_t OPENSSL_armcap_P =\n#if defined(OPENSSL_STATIC_ARMCAP_NEON) || defined(__ARM_NEON)\n ARMV7_NEON |\n#endif\n#if defined(OPENSSL_STATIC_ARMCAP_AES) || defined(__ARM_FEATURE_AES)\n ARMV8_AES |\n#endif\n#if defined(OPENSSL_STATIC_ARMCAP_PMULL) || defined(__ARM_FEATURE_AES)\n ARMV8_PMULL |\n#endif\n#if defined(OPENSSL_STATIC_ARMCAP_SHA1) || defined(__ARM_FEATURE_SHA2)\n ARMV8_SHA1 |\n#endif\n#if defined(OPENSSL_STATIC_ARMCAP_SHA256) || defined(__ARM_FEATURE_SHA2)\n ARMV8_SHA256 |\n#endif\n#if defined(__ARM_FEATURE_SHA512)\n ARMV8_SHA512 |\n#endif\n 0;\n\n#else\nHIDDEN uint32_t OPENSSL_armcap_P = 0;\n\nuint32_t *OPENSSL_get_armcap_pointer_for_test(void) {\n OPENSSL_init_cpuid();\n return &OPENSSL_armcap_P;\n}\n#endif\n\nuint32_t OPENSSL_get_armcap(void) {\n OPENSSL_init_cpuid();\n return OPENSSL_armcap_P;\n}\n\n#endif\n\n#if defined(NEED_CPUID)\nstatic CRYPTO_once_t once = CRYPTO_ONCE_INIT;\nvoid OPENSSL_init_cpuid(void) { CRYPTO_once(&once, OPENSSL_cpuid_setup); }\n#endif\n\nvoid CRYPTO_library_init(void) {}\n\nint CRYPTO_is_confidential_build(void) {\n#if defined(BORINGSSL_CONFIDENTIAL)\n return 1;\n#else\n return 0;\n#endif\n}\n\nvoid CRYPTO_pre_sandbox_init(void) {\n // Read from /proc/cpuinfo if needed.\n OPENSSL_init_cpuid();\n // Open /dev/urandom if needed.\n CRYPTO_init_sysrand();\n // Set up MADV_WIPEONFORK state if needed.\n CRYPTO_get_fork_generation();\n}\n\nconst char *SSLeay_version(int which) { return OpenSSL_version(which); }\n\nconst char *OpenSSL_version(int which) {\n switch (which) {\n case OPENSSL_VERSION:\n return \"BoringSSL\";\n case OPENSSL_CFLAGS:\n return \"compiler: n/a\";\n case OPENSSL_BUILT_ON:\n return \"built on: n/a\";\n case OPENSSL_PLATFORM:\n return \"platform: n/a\";\n case OPENSSL_DIR:\n return \"OPENSSLDIR: n/a\";\n default:\n return \"not available\";\n }\n}\n\nunsigned long SSLeay(void) { return OPENSSL_VERSION_NUMBER; }\n\nunsigned long OpenSSL_version_num(void) { return OPENSSL_VERSION_NUMBER; }\n\nint CRYPTO_malloc_init(void) { return 1; }\n\nint OPENSSL_malloc_init(void) { return 1; }\n\nvoid ENGINE_load_builtin_engines(void) {}\n\nint ENGINE_register_all_complete(void) { return 1; }\n\nvoid OPENSSL_load_builtin_modules(void) {}\n\nint OPENSSL_init_crypto(uint64_t opts, const OPENSSL_INIT_SETTINGS *settings) {\n return 1;\n}\n\nvoid OPENSSL_cleanup(void) {}\n\nFILE *CRYPTO_get_stderr(void) { return stderr; }\n" }, { "path": "Sources/CNIOBoringSSL/crypto/curve25519/asm/x25519-asm-arm.S", "content": "#define BORINGSSL_PREFIX CNIOBoringSSL\n#if defined(__arm__) && defined(__linux__)\n/* Copyright 2015 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n/* This file is taken from crypto_scalarmult/curve25519/neon2/scalarmult.s in\n * SUPERCOP 20141124 (http://bench.cr.yp.to/supercop.html). That code is public\n * domain licensed but the standard ISC license is included above to keep\n * licensing simple. */\n\n#include \n\n#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_ARM) && defined(__ELF__)\n\n.fpu neon\n.text\n.align 4\n\n.global x25519_NEON\n.hidden x25519_NEON\n.type x25519_NEON, %function\nx25519_NEON:\nvpush {q4,q5,q6,q7}\nmov r12,sp\nsub sp,sp,#736\nand sp,sp,#0xffffffe0\nstrd r4,[sp,#0]\nstrd r6,[sp,#8]\nstrd r8,[sp,#16]\nstrd r10,[sp,#24]\nstr r12,[sp,#480]\nstr r14,[sp,#484]\nmov r0,r0\nmov r1,r1\nmov r2,r2\nadd r3,sp,#32\nldr r4,=0\nldr r5,=254\nvmov.i32 q0,#1\nvshr.u64 q1,q0,#7\nvshr.u64 q0,q0,#8\nvmov.i32 d4,#19\nvmov.i32 d5,#38\nadd r6,sp,#512\nvst1.8 {d2-d3},[r6,: 128]\nadd r6,sp,#528\nvst1.8 {d0-d1},[r6,: 128]\nadd r6,sp,#544\nvst1.8 {d4-d5},[r6,: 128]\nadd r6,r3,#0\nvmov.i32 q2,#0\nvst1.8 {d4-d5},[r6,: 128]!\nvst1.8 {d4-d5},[r6,: 128]!\nvst1.8 d4,[r6,: 64]\nadd r6,r3,#0\nldr r7,=960\nsub r7,r7,#2\nneg r7,r7\nsub r7,r7,r7,LSL #7\nstr r7,[r6]\nadd r6,sp,#704\nvld1.8 {d4-d5},[r1]!\nvld1.8 {d6-d7},[r1]\nvst1.8 {d4-d5},[r6,: 128]!\nvst1.8 {d6-d7},[r6,: 128]\nsub r1,r6,#16\nldrb r6,[r1]\nand r6,r6,#248\nstrb r6,[r1]\nldrb r6,[r1,#31]\nand r6,r6,#127\norr r6,r6,#64\nstrb r6,[r1,#31]\nvmov.i64 q2,#0xffffffff\nvshr.u64 q3,q2,#7\nvshr.u64 q2,q2,#6\nvld1.8 {d8},[r2]\nvld1.8 {d10},[r2]\nadd r2,r2,#6\nvld1.8 {d12},[r2]\nvld1.8 {d14},[r2]\nadd r2,r2,#6\nvld1.8 {d16},[r2]\nadd r2,r2,#4\nvld1.8 {d18},[r2]\nvld1.8 {d20},[r2]\nadd r2,r2,#6\nvld1.8 {d22},[r2]\nadd r2,r2,#2\nvld1.8 {d24},[r2]\nvld1.8 {d26},[r2]\nvshr.u64 q5,q5,#26\nvshr.u64 q6,q6,#3\nvshr.u64 q7,q7,#29\nvshr.u64 q8,q8,#6\nvshr.u64 q10,q10,#25\nvshr.u64 q11,q11,#3\nvshr.u64 q12,q12,#12\nvshr.u64 q13,q13,#38\nvand q4,q4,q2\nvand q6,q6,q2\nvand q8,q8,q2\nvand q10,q10,q2\nvand q2,q12,q2\nvand q5,q5,q3\nvand q7,q7,q3\nvand q9,q9,q3\nvand q11,q11,q3\nvand q3,q13,q3\nadd r2,r3,#48\nvadd.i64 q12,q4,q1\nvadd.i64 q13,q10,q1\nvshr.s64 q12,q12,#26\nvshr.s64 q13,q13,#26\nvadd.i64 q5,q5,q12\nvshl.i64 q12,q12,#26\nvadd.i64 q14,q5,q0\nvadd.i64 q11,q11,q13\nvshl.i64 q13,q13,#26\nvadd.i64 q15,q11,q0\nvsub.i64 q4,q4,q12\nvshr.s64 q12,q14,#25\nvsub.i64 q10,q10,q13\nvshr.s64 q13,q15,#25\nvadd.i64 q6,q6,q12\nvshl.i64 q12,q12,#25\nvadd.i64 q14,q6,q1\nvadd.i64 q2,q2,q13\nvsub.i64 q5,q5,q12\nvshr.s64 q12,q14,#26\nvshl.i64 q13,q13,#25\nvadd.i64 q14,q2,q1\nvadd.i64 q7,q7,q12\nvshl.i64 q12,q12,#26\nvadd.i64 q15,q7,q0\nvsub.i64 q11,q11,q13\nvshr.s64 q13,q14,#26\nvsub.i64 q6,q6,q12\nvshr.s64 q12,q15,#25\nvadd.i64 q3,q3,q13\nvshl.i64 q13,q13,#26\nvadd.i64 q14,q3,q0\nvadd.i64 q8,q8,q12\nvshl.i64 q12,q12,#25\nvadd.i64 q15,q8,q1\nadd r2,r2,#8\nvsub.i64 q2,q2,q13\nvshr.s64 q13,q14,#25\nvsub.i64 q7,q7,q12\nvshr.s64 q12,q15,#26\nvadd.i64 q14,q13,q13\nvadd.i64 q9,q9,q12\nvtrn.32 d12,d14\nvshl.i64 q12,q12,#26\nvtrn.32 d13,d15\nvadd.i64 q0,q9,q0\nvadd.i64 q4,q4,q14\nvst1.8 d12,[r2,: 64]!\nvshl.i64 q6,q13,#4\nvsub.i64 q7,q8,q12\nvshr.s64 q0,q0,#25\nvadd.i64 q4,q4,q6\nvadd.i64 q6,q10,q0\nvshl.i64 q0,q0,#25\nvadd.i64 q8,q6,q1\nvadd.i64 q4,q4,q13\nvshl.i64 q10,q13,#25\nvadd.i64 q1,q4,q1\nvsub.i64 q0,q9,q0\nvshr.s64 q8,q8,#26\nvsub.i64 q3,q3,q10\nvtrn.32 d14,d0\nvshr.s64 q1,q1,#26\nvtrn.32 d15,d1\nvadd.i64 q0,q11,q8\nvst1.8 d14,[r2,: 64]\nvshl.i64 q7,q8,#26\nvadd.i64 q5,q5,q1\nvtrn.32 d4,d6\nvshl.i64 q1,q1,#26\nvtrn.32 d5,d7\nvsub.i64 q3,q6,q7\nadd r2,r2,#16\nvsub.i64 q1,q4,q1\nvst1.8 d4,[r2,: 64]\nvtrn.32 d6,d0\nvtrn.32 d7,d1\nsub r2,r2,#8\nvtrn.32 d2,d10\nvtrn.32 d3,d11\nvst1.8 d6,[r2,: 64]\nsub r2,r2,#24\nvst1.8 d2,[r2,: 64]\nadd r2,r3,#96\nvmov.i32 q0,#0\nvmov.i64 d2,#0xff\nvmov.i64 d3,#0\nvshr.u32 q1,q1,#7\nvst1.8 {d2-d3},[r2,: 128]!\nvst1.8 {d0-d1},[r2,: 128]!\nvst1.8 d0,[r2,: 64]\nadd r2,r3,#144\nvmov.i32 q0,#0\nvst1.8 {d0-d1},[r2,: 128]!\nvst1.8 {d0-d1},[r2,: 128]!\nvst1.8 d0,[r2,: 64]\nadd r2,r3,#240\nvmov.i32 q0,#0\nvmov.i64 d2,#0xff\nvmov.i64 d3,#0\nvshr.u32 q1,q1,#7\nvst1.8 {d2-d3},[r2,: 128]!\nvst1.8 {d0-d1},[r2,: 128]!\nvst1.8 d0,[r2,: 64]\nadd r2,r3,#48\nadd r6,r3,#192\nvld1.8 {d0-d1},[r2,: 128]!\nvld1.8 {d2-d3},[r2,: 128]!\nvld1.8 {d4},[r2,: 64]\nvst1.8 {d0-d1},[r6,: 128]!\nvst1.8 {d2-d3},[r6,: 128]!\nvst1.8 d4,[r6,: 64]\n._mainloop:\nmov r2,r5,LSR #3\nand r6,r5,#7\nldrb r2,[r1,r2]\nmov r2,r2,LSR r6\nand r2,r2,#1\nstr r5,[sp,#488]\neor r4,r4,r2\nstr r2,[sp,#492]\nneg r2,r4\nadd r4,r3,#96\nadd r5,r3,#192\nadd r6,r3,#144\nvld1.8 {d8-d9},[r4,: 128]!\nadd r7,r3,#240\nvld1.8 {d10-d11},[r5,: 128]!\nveor q6,q4,q5\nvld1.8 {d14-d15},[r6,: 128]!\nvdup.i32 q8,r2\nvld1.8 {d18-d19},[r7,: 128]!\nveor q10,q7,q9\nvld1.8 {d22-d23},[r4,: 128]!\nvand q6,q6,q8\nvld1.8 {d24-d25},[r5,: 128]!\nvand q10,q10,q8\nvld1.8 {d26-d27},[r6,: 128]!\nveor q4,q4,q6\nvld1.8 {d28-d29},[r7,: 128]!\nveor q5,q5,q6\nvld1.8 {d0},[r4,: 64]\nveor q6,q7,q10\nvld1.8 {d2},[r5,: 64]\nveor q7,q9,q10\nvld1.8 {d4},[r6,: 64]\nveor q9,q11,q12\nvld1.8 {d6},[r7,: 64]\nveor q10,q0,q1\nsub r2,r4,#32\nvand q9,q9,q8\nsub r4,r5,#32\nvand q10,q10,q8\nsub r5,r6,#32\nveor q11,q11,q9\nsub r6,r7,#32\nveor q0,q0,q10\nveor q9,q12,q9\nveor q1,q1,q10\nveor q10,q13,q14\nveor q12,q2,q3\nvand q10,q10,q8\nvand q8,q12,q8\nveor q12,q13,q10\nveor q2,q2,q8\nveor q10,q14,q10\nveor q3,q3,q8\nvadd.i32 q8,q4,q6\nvsub.i32 q4,q4,q6\nvst1.8 {d16-d17},[r2,: 128]!\nvadd.i32 q6,q11,q12\nvst1.8 {d8-d9},[r5,: 128]!\nvsub.i32 q4,q11,q12\nvst1.8 {d12-d13},[r2,: 128]!\nvadd.i32 q6,q0,q2\nvst1.8 {d8-d9},[r5,: 128]!\nvsub.i32 q0,q0,q2\nvst1.8 d12,[r2,: 64]\nvadd.i32 q2,q5,q7\nvst1.8 d0,[r5,: 64]\nvsub.i32 q0,q5,q7\nvst1.8 {d4-d5},[r4,: 128]!\nvadd.i32 q2,q9,q10\nvst1.8 {d0-d1},[r6,: 128]!\nvsub.i32 q0,q9,q10\nvst1.8 {d4-d5},[r4,: 128]!\nvadd.i32 q2,q1,q3\nvst1.8 {d0-d1},[r6,: 128]!\nvsub.i32 q0,q1,q3\nvst1.8 d4,[r4,: 64]\nvst1.8 d0,[r6,: 64]\nadd r2,sp,#544\nadd r4,r3,#96\nadd r5,r3,#144\nvld1.8 {d0-d1},[r2,: 128]\nvld1.8 {d2-d3},[r4,: 128]!\nvld1.8 {d4-d5},[r5,: 128]!\nvzip.i32 q1,q2\nvld1.8 {d6-d7},[r4,: 128]!\nvld1.8 {d8-d9},[r5,: 128]!\nvshl.i32 q5,q1,#1\nvzip.i32 q3,q4\nvshl.i32 q6,q2,#1\nvld1.8 {d14},[r4,: 64]\nvshl.i32 q8,q3,#1\nvld1.8 {d15},[r5,: 64]\nvshl.i32 q9,q4,#1\nvmul.i32 d21,d7,d1\nvtrn.32 d14,d15\nvmul.i32 q11,q4,q0\nvmul.i32 q0,q7,q0\nvmull.s32 q12,d2,d2\nvmlal.s32 q12,d11,d1\nvmlal.s32 q12,d12,d0\nvmlal.s32 q12,d13,d23\nvmlal.s32 q12,d16,d22\nvmlal.s32 q12,d7,d21\nvmull.s32 q10,d2,d11\nvmlal.s32 q10,d4,d1\nvmlal.s32 q10,d13,d0\nvmlal.s32 q10,d6,d23\nvmlal.s32 q10,d17,d22\nvmull.s32 q13,d10,d4\nvmlal.s32 q13,d11,d3\nvmlal.s32 q13,d13,d1\nvmlal.s32 q13,d16,d0\nvmlal.s32 q13,d17,d23\nvmlal.s32 q13,d8,d22\nvmull.s32 q1,d10,d5\nvmlal.s32 q1,d11,d4\nvmlal.s32 q1,d6,d1\nvmlal.s32 q1,d17,d0\nvmlal.s32 q1,d8,d23\nvmull.s32 q14,d10,d6\nvmlal.s32 q14,d11,d13\nvmlal.s32 q14,d4,d4\nvmlal.s32 q14,d17,d1\nvmlal.s32 q14,d18,d0\nvmlal.s32 q14,d9,d23\nvmull.s32 q11,d10,d7\nvmlal.s32 q11,d11,d6\nvmlal.s32 q11,d12,d5\nvmlal.s32 q11,d8,d1\nvmlal.s32 q11,d19,d0\nvmull.s32 q15,d10,d8\nvmlal.s32 q15,d11,d17\nvmlal.s32 q15,d12,d6\nvmlal.s32 q15,d13,d5\nvmlal.s32 q15,d19,d1\nvmlal.s32 q15,d14,d0\nvmull.s32 q2,d10,d9\nvmlal.s32 q2,d11,d8\nvmlal.s32 q2,d12,d7\nvmlal.s32 q2,d13,d6\nvmlal.s32 q2,d14,d1\nvmull.s32 q0,d15,d1\nvmlal.s32 q0,d10,d14\nvmlal.s32 q0,d11,d19\nvmlal.s32 q0,d12,d8\nvmlal.s32 q0,d13,d17\nvmlal.s32 q0,d6,d6\nadd r2,sp,#512\nvld1.8 {d18-d19},[r2,: 128]\nvmull.s32 q3,d16,d7\nvmlal.s32 q3,d10,d15\nvmlal.s32 q3,d11,d14\nvmlal.s32 q3,d12,d9\nvmlal.s32 q3,d13,d8\nadd r2,sp,#528\nvld1.8 {d8-d9},[r2,: 128]\nvadd.i64 q5,q12,q9\nvadd.i64 q6,q15,q9\nvshr.s64 q5,q5,#26\nvshr.s64 q6,q6,#26\nvadd.i64 q7,q10,q5\nvshl.i64 q5,q5,#26\nvadd.i64 q8,q7,q4\nvadd.i64 q2,q2,q6\nvshl.i64 q6,q6,#26\nvadd.i64 q10,q2,q4\nvsub.i64 q5,q12,q5\nvshr.s64 q8,q8,#25\nvsub.i64 q6,q15,q6\nvshr.s64 q10,q10,#25\nvadd.i64 q12,q13,q8\nvshl.i64 q8,q8,#25\nvadd.i64 q13,q12,q9\nvadd.i64 q0,q0,q10\nvsub.i64 q7,q7,q8\nvshr.s64 q8,q13,#26\nvshl.i64 q10,q10,#25\nvadd.i64 q13,q0,q9\nvadd.i64 q1,q1,q8\nvshl.i64 q8,q8,#26\nvadd.i64 q15,q1,q4\nvsub.i64 q2,q2,q10\nvshr.s64 q10,q13,#26\nvsub.i64 q8,q12,q8\nvshr.s64 q12,q15,#25\nvadd.i64 q3,q3,q10\nvshl.i64 q10,q10,#26\nvadd.i64 q13,q3,q4\nvadd.i64 q14,q14,q12\nadd r2,r3,#288\nvshl.i64 q12,q12,#25\nadd r4,r3,#336\nvadd.i64 q15,q14,q9\nadd r2,r2,#8\nvsub.i64 q0,q0,q10\nadd r4,r4,#8\nvshr.s64 q10,q13,#25\nvsub.i64 q1,q1,q12\nvshr.s64 q12,q15,#26\nvadd.i64 q13,q10,q10\nvadd.i64 q11,q11,q12\nvtrn.32 d16,d2\nvshl.i64 q12,q12,#26\nvtrn.32 d17,d3\nvadd.i64 q1,q11,q4\nvadd.i64 q4,q5,q13\nvst1.8 d16,[r2,: 64]!\nvshl.i64 q5,q10,#4\nvst1.8 d17,[r4,: 64]!\nvsub.i64 q8,q14,q12\nvshr.s64 q1,q1,#25\nvadd.i64 q4,q4,q5\nvadd.i64 q5,q6,q1\nvshl.i64 q1,q1,#25\nvadd.i64 q6,q5,q9\nvadd.i64 q4,q4,q10\nvshl.i64 q10,q10,#25\nvadd.i64 q9,q4,q9\nvsub.i64 q1,q11,q1\nvshr.s64 q6,q6,#26\nvsub.i64 q3,q3,q10\nvtrn.32 d16,d2\nvshr.s64 q9,q9,#26\nvtrn.32 d17,d3\nvadd.i64 q1,q2,q6\nvst1.8 d16,[r2,: 64]\nvshl.i64 q2,q6,#26\nvst1.8 d17,[r4,: 64]\nvadd.i64 q6,q7,q9\nvtrn.32 d0,d6\nvshl.i64 q7,q9,#26\nvtrn.32 d1,d7\nvsub.i64 q2,q5,q2\nadd r2,r2,#16\nvsub.i64 q3,q4,q7\nvst1.8 d0,[r2,: 64]\nadd r4,r4,#16\nvst1.8 d1,[r4,: 64]\nvtrn.32 d4,d2\nvtrn.32 d5,d3\nsub r2,r2,#8\nsub r4,r4,#8\nvtrn.32 d6,d12\nvtrn.32 d7,d13\nvst1.8 d4,[r2,: 64]\nvst1.8 d5,[r4,: 64]\nsub r2,r2,#24\nsub r4,r4,#24\nvst1.8 d6,[r2,: 64]\nvst1.8 d7,[r4,: 64]\nadd r2,r3,#240\nadd r4,r3,#96\nvld1.8 {d0-d1},[r4,: 128]!\nvld1.8 {d2-d3},[r4,: 128]!\nvld1.8 {d4},[r4,: 64]\nadd r4,r3,#144\nvld1.8 {d6-d7},[r4,: 128]!\nvtrn.32 q0,q3\nvld1.8 {d8-d9},[r4,: 128]!\nvshl.i32 q5,q0,#4\nvtrn.32 q1,q4\nvshl.i32 q6,q3,#4\nvadd.i32 q5,q5,q0\nvadd.i32 q6,q6,q3\nvshl.i32 q7,q1,#4\nvld1.8 {d5},[r4,: 64]\nvshl.i32 q8,q4,#4\nvtrn.32 d4,d5\nvadd.i32 q7,q7,q1\nvadd.i32 q8,q8,q4\nvld1.8 {d18-d19},[r2,: 128]!\nvshl.i32 q10,q2,#4\nvld1.8 {d22-d23},[r2,: 128]!\nvadd.i32 q10,q10,q2\nvld1.8 {d24},[r2,: 64]\nvadd.i32 q5,q5,q0\nadd r2,r3,#192\nvld1.8 {d26-d27},[r2,: 128]!\nvadd.i32 q6,q6,q3\nvld1.8 {d28-d29},[r2,: 128]!\nvadd.i32 q8,q8,q4\nvld1.8 {d25},[r2,: 64]\nvadd.i32 q10,q10,q2\nvtrn.32 q9,q13\nvadd.i32 q7,q7,q1\nvadd.i32 q5,q5,q0\nvtrn.32 q11,q14\nvadd.i32 q6,q6,q3\nadd r2,sp,#560\nvadd.i32 q10,q10,q2\nvtrn.32 d24,d25\nvst1.8 {d12-d13},[r2,: 128]\nvshl.i32 q6,q13,#1\nadd r2,sp,#576\nvst1.8 {d20-d21},[r2,: 128]\nvshl.i32 q10,q14,#1\nadd r2,sp,#592\nvst1.8 {d12-d13},[r2,: 128]\nvshl.i32 q15,q12,#1\nvadd.i32 q8,q8,q4\nvext.32 d10,d31,d30,#0\nvadd.i32 q7,q7,q1\nadd r2,sp,#608\nvst1.8 {d16-d17},[r2,: 128]\nvmull.s32 q8,d18,d5\nvmlal.s32 q8,d26,d4\nvmlal.s32 q8,d19,d9\nvmlal.s32 q8,d27,d3\nvmlal.s32 q8,d22,d8\nvmlal.s32 q8,d28,d2\nvmlal.s32 q8,d23,d7\nvmlal.s32 q8,d29,d1\nvmlal.s32 q8,d24,d6\nvmlal.s32 q8,d25,d0\nadd r2,sp,#624\nvst1.8 {d14-d15},[r2,: 128]\nvmull.s32 q2,d18,d4\nvmlal.s32 q2,d12,d9\nvmlal.s32 q2,d13,d8\nvmlal.s32 q2,d19,d3\nvmlal.s32 q2,d22,d2\nvmlal.s32 q2,d23,d1\nvmlal.s32 q2,d24,d0\nadd r2,sp,#640\nvst1.8 {d20-d21},[r2,: 128]\nvmull.s32 q7,d18,d9\nvmlal.s32 q7,d26,d3\nvmlal.s32 q7,d19,d8\nvmlal.s32 q7,d27,d2\nvmlal.s32 q7,d22,d7\nvmlal.s32 q7,d28,d1\nvmlal.s32 q7,d23,d6\nvmlal.s32 q7,d29,d0\nadd r2,sp,#656\nvst1.8 {d10-d11},[r2,: 128]\nvmull.s32 q5,d18,d3\nvmlal.s32 q5,d19,d2\nvmlal.s32 q5,d22,d1\nvmlal.s32 q5,d23,d0\nvmlal.s32 q5,d12,d8\nadd r2,sp,#672\nvst1.8 {d16-d17},[r2,: 128]\nvmull.s32 q4,d18,d8\nvmlal.s32 q4,d26,d2\nvmlal.s32 q4,d19,d7\nvmlal.s32 q4,d27,d1\nvmlal.s32 q4,d22,d6\nvmlal.s32 q4,d28,d0\nvmull.s32 q8,d18,d7\nvmlal.s32 q8,d26,d1\nvmlal.s32 q8,d19,d6\nvmlal.s32 q8,d27,d0\nadd r2,sp,#576\nvld1.8 {d20-d21},[r2,: 128]\nvmlal.s32 q7,d24,d21\nvmlal.s32 q7,d25,d20\nvmlal.s32 q4,d23,d21\nvmlal.s32 q4,d29,d20\nvmlal.s32 q8,d22,d21\nvmlal.s32 q8,d28,d20\nvmlal.s32 q5,d24,d20\nadd r2,sp,#576\nvst1.8 {d14-d15},[r2,: 128]\nvmull.s32 q7,d18,d6\nvmlal.s32 q7,d26,d0\nadd r2,sp,#656\nvld1.8 {d30-d31},[r2,: 128]\nvmlal.s32 q2,d30,d21\nvmlal.s32 q7,d19,d21\nvmlal.s32 q7,d27,d20\nadd r2,sp,#624\nvld1.8 {d26-d27},[r2,: 128]\nvmlal.s32 q4,d25,d27\nvmlal.s32 q8,d29,d27\nvmlal.s32 q8,d25,d26\nvmlal.s32 q7,d28,d27\nvmlal.s32 q7,d29,d26\nadd r2,sp,#608\nvld1.8 {d28-d29},[r2,: 128]\nvmlal.s32 q4,d24,d29\nvmlal.s32 q8,d23,d29\nvmlal.s32 q8,d24,d28\nvmlal.s32 q7,d22,d29\nvmlal.s32 q7,d23,d28\nadd r2,sp,#608\nvst1.8 {d8-d9},[r2,: 128]\nadd r2,sp,#560\nvld1.8 {d8-d9},[r2,: 128]\nvmlal.s32 q7,d24,d9\nvmlal.s32 q7,d25,d31\nvmull.s32 q1,d18,d2\nvmlal.s32 q1,d19,d1\nvmlal.s32 q1,d22,d0\nvmlal.s32 q1,d24,d27\nvmlal.s32 q1,d23,d20\nvmlal.s32 q1,d12,d7\nvmlal.s32 q1,d13,d6\nvmull.s32 q6,d18,d1\nvmlal.s32 q6,d19,d0\nvmlal.s32 q6,d23,d27\nvmlal.s32 q6,d22,d20\nvmlal.s32 q6,d24,d26\nvmull.s32 q0,d18,d0\nvmlal.s32 q0,d22,d27\nvmlal.s32 q0,d23,d26\nvmlal.s32 q0,d24,d31\nvmlal.s32 q0,d19,d20\nadd r2,sp,#640\nvld1.8 {d18-d19},[r2,: 128]\nvmlal.s32 q2,d18,d7\nvmlal.s32 q2,d19,d6\nvmlal.s32 q5,d18,d6\nvmlal.s32 q5,d19,d21\nvmlal.s32 q1,d18,d21\nvmlal.s32 q1,d19,d29\nvmlal.s32 q0,d18,d28\nvmlal.s32 q0,d19,d9\nvmlal.s32 q6,d18,d29\nvmlal.s32 q6,d19,d28\nadd r2,sp,#592\nvld1.8 {d18-d19},[r2,: 128]\nadd r2,sp,#512\nvld1.8 {d22-d23},[r2,: 128]\nvmlal.s32 q5,d19,d7\nvmlal.s32 q0,d18,d21\nvmlal.s32 q0,d19,d29\nvmlal.s32 q6,d18,d6\nadd r2,sp,#528\nvld1.8 {d6-d7},[r2,: 128]\nvmlal.s32 q6,d19,d21\nadd r2,sp,#576\nvld1.8 {d18-d19},[r2,: 128]\nvmlal.s32 q0,d30,d8\nadd r2,sp,#672\nvld1.8 {d20-d21},[r2,: 128]\nvmlal.s32 q5,d30,d29\nadd r2,sp,#608\nvld1.8 {d24-d25},[r2,: 128]\nvmlal.s32 q1,d30,d28\nvadd.i64 q13,q0,q11\nvadd.i64 q14,q5,q11\nvmlal.s32 q6,d30,d9\nvshr.s64 q4,q13,#26\nvshr.s64 q13,q14,#26\nvadd.i64 q7,q7,q4\nvshl.i64 q4,q4,#26\nvadd.i64 q14,q7,q3\nvadd.i64 q9,q9,q13\nvshl.i64 q13,q13,#26\nvadd.i64 q15,q9,q3\nvsub.i64 q0,q0,q4\nvshr.s64 q4,q14,#25\nvsub.i64 q5,q5,q13\nvshr.s64 q13,q15,#25\nvadd.i64 q6,q6,q4\nvshl.i64 q4,q4,#25\nvadd.i64 q14,q6,q11\nvadd.i64 q2,q2,q13\nvsub.i64 q4,q7,q4\nvshr.s64 q7,q14,#26\nvshl.i64 q13,q13,#25\nvadd.i64 q14,q2,q11\nvadd.i64 q8,q8,q7\nvshl.i64 q7,q7,#26\nvadd.i64 q15,q8,q3\nvsub.i64 q9,q9,q13\nvshr.s64 q13,q14,#26\nvsub.i64 q6,q6,q7\nvshr.s64 q7,q15,#25\nvadd.i64 q10,q10,q13\nvshl.i64 q13,q13,#26\nvadd.i64 q14,q10,q3\nvadd.i64 q1,q1,q7\nadd r2,r3,#144\nvshl.i64 q7,q7,#25\nadd r4,r3,#96\nvadd.i64 q15,q1,q11\nadd r2,r2,#8\nvsub.i64 q2,q2,q13\nadd r4,r4,#8\nvshr.s64 q13,q14,#25\nvsub.i64 q7,q8,q7\nvshr.s64 q8,q15,#26\nvadd.i64 q14,q13,q13\nvadd.i64 q12,q12,q8\nvtrn.32 d12,d14\nvshl.i64 q8,q8,#26\nvtrn.32 d13,d15\nvadd.i64 q3,q12,q3\nvadd.i64 q0,q0,q14\nvst1.8 d12,[r2,: 64]!\nvshl.i64 q7,q13,#4\nvst1.8 d13,[r4,: 64]!\nvsub.i64 q1,q1,q8\nvshr.s64 q3,q3,#25\nvadd.i64 q0,q0,q7\nvadd.i64 q5,q5,q3\nvshl.i64 q3,q3,#25\nvadd.i64 q6,q5,q11\nvadd.i64 q0,q0,q13\nvshl.i64 q7,q13,#25\nvadd.i64 q8,q0,q11\nvsub.i64 q3,q12,q3\nvshr.s64 q6,q6,#26\nvsub.i64 q7,q10,q7\nvtrn.32 d2,d6\nvshr.s64 q8,q8,#26\nvtrn.32 d3,d7\nvadd.i64 q3,q9,q6\nvst1.8 d2,[r2,: 64]\nvshl.i64 q6,q6,#26\nvst1.8 d3,[r4,: 64]\nvadd.i64 q1,q4,q8\nvtrn.32 d4,d14\nvshl.i64 q4,q8,#26\nvtrn.32 d5,d15\nvsub.i64 q5,q5,q6\nadd r2,r2,#16\nvsub.i64 q0,q0,q4\nvst1.8 d4,[r2,: 64]\nadd r4,r4,#16\nvst1.8 d5,[r4,: 64]\nvtrn.32 d10,d6\nvtrn.32 d11,d7\nsub r2,r2,#8\nsub r4,r4,#8\nvtrn.32 d0,d2\nvtrn.32 d1,d3\nvst1.8 d10,[r2,: 64]\nvst1.8 d11,[r4,: 64]\nsub r2,r2,#24\nsub r4,r4,#24\nvst1.8 d0,[r2,: 64]\nvst1.8 d1,[r4,: 64]\nadd r2,r3,#288\nadd r4,r3,#336\nvld1.8 {d0-d1},[r2,: 128]!\nvld1.8 {d2-d3},[r4,: 128]!\nvsub.i32 q0,q0,q1\nvld1.8 {d2-d3},[r2,: 128]!\nvld1.8 {d4-d5},[r4,: 128]!\nvsub.i32 q1,q1,q2\nadd r5,r3,#240\nvld1.8 {d4},[r2,: 64]\nvld1.8 {d6},[r4,: 64]\nvsub.i32 q2,q2,q3\nvst1.8 {d0-d1},[r5,: 128]!\nvst1.8 {d2-d3},[r5,: 128]!\nvst1.8 d4,[r5,: 64]\nadd r2,r3,#144\nadd r4,r3,#96\nadd r5,r3,#144\nadd r6,r3,#192\nvld1.8 {d0-d1},[r2,: 128]!\nvld1.8 {d2-d3},[r4,: 128]!\nvsub.i32 q2,q0,q1\nvadd.i32 q0,q0,q1\nvld1.8 {d2-d3},[r2,: 128]!\nvld1.8 {d6-d7},[r4,: 128]!\nvsub.i32 q4,q1,q3\nvadd.i32 q1,q1,q3\nvld1.8 {d6},[r2,: 64]\nvld1.8 {d10},[r4,: 64]\nvsub.i32 q6,q3,q5\nvadd.i32 q3,q3,q5\nvst1.8 {d4-d5},[r5,: 128]!\nvst1.8 {d0-d1},[r6,: 128]!\nvst1.8 {d8-d9},[r5,: 128]!\nvst1.8 {d2-d3},[r6,: 128]!\nvst1.8 d12,[r5,: 64]\nvst1.8 d6,[r6,: 64]\nadd r2,r3,#0\nadd r4,r3,#240\nvld1.8 {d0-d1},[r4,: 128]!\nvld1.8 {d2-d3},[r4,: 128]!\nvld1.8 {d4},[r4,: 64]\nadd r4,r3,#336\nvld1.8 {d6-d7},[r4,: 128]!\nvtrn.32 q0,q3\nvld1.8 {d8-d9},[r4,: 128]!\nvshl.i32 q5,q0,#4\nvtrn.32 q1,q4\nvshl.i32 q6,q3,#4\nvadd.i32 q5,q5,q0\nvadd.i32 q6,q6,q3\nvshl.i32 q7,q1,#4\nvld1.8 {d5},[r4,: 64]\nvshl.i32 q8,q4,#4\nvtrn.32 d4,d5\nvadd.i32 q7,q7,q1\nvadd.i32 q8,q8,q4\nvld1.8 {d18-d19},[r2,: 128]!\nvshl.i32 q10,q2,#4\nvld1.8 {d22-d23},[r2,: 128]!\nvadd.i32 q10,q10,q2\nvld1.8 {d24},[r2,: 64]\nvadd.i32 q5,q5,q0\nadd r2,r3,#288\nvld1.8 {d26-d27},[r2,: 128]!\nvadd.i32 q6,q6,q3\nvld1.8 {d28-d29},[r2,: 128]!\nvadd.i32 q8,q8,q4\nvld1.8 {d25},[r2,: 64]\nvadd.i32 q10,q10,q2\nvtrn.32 q9,q13\nvadd.i32 q7,q7,q1\nvadd.i32 q5,q5,q0\nvtrn.32 q11,q14\nvadd.i32 q6,q6,q3\nadd r2,sp,#560\nvadd.i32 q10,q10,q2\nvtrn.32 d24,d25\nvst1.8 {d12-d13},[r2,: 128]\nvshl.i32 q6,q13,#1\nadd r2,sp,#576\nvst1.8 {d20-d21},[r2,: 128]\nvshl.i32 q10,q14,#1\nadd r2,sp,#592\nvst1.8 {d12-d13},[r2,: 128]\nvshl.i32 q15,q12,#1\nvadd.i32 q8,q8,q4\nvext.32 d10,d31,d30,#0\nvadd.i32 q7,q7,q1\nadd r2,sp,#608\nvst1.8 {d16-d17},[r2,: 128]\nvmull.s32 q8,d18,d5\nvmlal.s32 q8,d26,d4\nvmlal.s32 q8,d19,d9\nvmlal.s32 q8,d27,d3\nvmlal.s32 q8,d22,d8\nvmlal.s32 q8,d28,d2\nvmlal.s32 q8,d23,d7\nvmlal.s32 q8,d29,d1\nvmlal.s32 q8,d24,d6\nvmlal.s32 q8,d25,d0\nadd r2,sp,#624\nvst1.8 {d14-d15},[r2,: 128]\nvmull.s32 q2,d18,d4\nvmlal.s32 q2,d12,d9\nvmlal.s32 q2,d13,d8\nvmlal.s32 q2,d19,d3\nvmlal.s32 q2,d22,d2\nvmlal.s32 q2,d23,d1\nvmlal.s32 q2,d24,d0\nadd r2,sp,#640\nvst1.8 {d20-d21},[r2,: 128]\nvmull.s32 q7,d18,d9\nvmlal.s32 q7,d26,d3\nvmlal.s32 q7,d19,d8\nvmlal.s32 q7,d27,d2\nvmlal.s32 q7,d22,d7\nvmlal.s32 q7,d28,d1\nvmlal.s32 q7,d23,d6\nvmlal.s32 q7,d29,d0\nadd r2,sp,#656\nvst1.8 {d10-d11},[r2,: 128]\nvmull.s32 q5,d18,d3\nvmlal.s32 q5,d19,d2\nvmlal.s32 q5,d22,d1\nvmlal.s32 q5,d23,d0\nvmlal.s32 q5,d12,d8\nadd r2,sp,#672\nvst1.8 {d16-d17},[r2,: 128]\nvmull.s32 q4,d18,d8\nvmlal.s32 q4,d26,d2\nvmlal.s32 q4,d19,d7\nvmlal.s32 q4,d27,d1\nvmlal.s32 q4,d22,d6\nvmlal.s32 q4,d28,d0\nvmull.s32 q8,d18,d7\nvmlal.s32 q8,d26,d1\nvmlal.s32 q8,d19,d6\nvmlal.s32 q8,d27,d0\nadd r2,sp,#576\nvld1.8 {d20-d21},[r2,: 128]\nvmlal.s32 q7,d24,d21\nvmlal.s32 q7,d25,d20\nvmlal.s32 q4,d23,d21\nvmlal.s32 q4,d29,d20\nvmlal.s32 q8,d22,d21\nvmlal.s32 q8,d28,d20\nvmlal.s32 q5,d24,d20\nadd r2,sp,#576\nvst1.8 {d14-d15},[r2,: 128]\nvmull.s32 q7,d18,d6\nvmlal.s32 q7,d26,d0\nadd r2,sp,#656\nvld1.8 {d30-d31},[r2,: 128]\nvmlal.s32 q2,d30,d21\nvmlal.s32 q7,d19,d21\nvmlal.s32 q7,d27,d20\nadd r2,sp,#624\nvld1.8 {d26-d27},[r2,: 128]\nvmlal.s32 q4,d25,d27\nvmlal.s32 q8,d29,d27\nvmlal.s32 q8,d25,d26\nvmlal.s32 q7,d28,d27\nvmlal.s32 q7,d29,d26\nadd r2,sp,#608\nvld1.8 {d28-d29},[r2,: 128]\nvmlal.s32 q4,d24,d29\nvmlal.s32 q8,d23,d29\nvmlal.s32 q8,d24,d28\nvmlal.s32 q7,d22,d29\nvmlal.s32 q7,d23,d28\nadd r2,sp,#608\nvst1.8 {d8-d9},[r2,: 128]\nadd r2,sp,#560\nvld1.8 {d8-d9},[r2,: 128]\nvmlal.s32 q7,d24,d9\nvmlal.s32 q7,d25,d31\nvmull.s32 q1,d18,d2\nvmlal.s32 q1,d19,d1\nvmlal.s32 q1,d22,d0\nvmlal.s32 q1,d24,d27\nvmlal.s32 q1,d23,d20\nvmlal.s32 q1,d12,d7\nvmlal.s32 q1,d13,d6\nvmull.s32 q6,d18,d1\nvmlal.s32 q6,d19,d0\nvmlal.s32 q6,d23,d27\nvmlal.s32 q6,d22,d20\nvmlal.s32 q6,d24,d26\nvmull.s32 q0,d18,d0\nvmlal.s32 q0,d22,d27\nvmlal.s32 q0,d23,d26\nvmlal.s32 q0,d24,d31\nvmlal.s32 q0,d19,d20\nadd r2,sp,#640\nvld1.8 {d18-d19},[r2,: 128]\nvmlal.s32 q2,d18,d7\nvmlal.s32 q2,d19,d6\nvmlal.s32 q5,d18,d6\nvmlal.s32 q5,d19,d21\nvmlal.s32 q1,d18,d21\nvmlal.s32 q1,d19,d29\nvmlal.s32 q0,d18,d28\nvmlal.s32 q0,d19,d9\nvmlal.s32 q6,d18,d29\nvmlal.s32 q6,d19,d28\nadd r2,sp,#592\nvld1.8 {d18-d19},[r2,: 128]\nadd r2,sp,#512\nvld1.8 {d22-d23},[r2,: 128]\nvmlal.s32 q5,d19,d7\nvmlal.s32 q0,d18,d21\nvmlal.s32 q0,d19,d29\nvmlal.s32 q6,d18,d6\nadd r2,sp,#528\nvld1.8 {d6-d7},[r2,: 128]\nvmlal.s32 q6,d19,d21\nadd r2,sp,#576\nvld1.8 {d18-d19},[r2,: 128]\nvmlal.s32 q0,d30,d8\nadd r2,sp,#672\nvld1.8 {d20-d21},[r2,: 128]\nvmlal.s32 q5,d30,d29\nadd r2,sp,#608\nvld1.8 {d24-d25},[r2,: 128]\nvmlal.s32 q1,d30,d28\nvadd.i64 q13,q0,q11\nvadd.i64 q14,q5,q11\nvmlal.s32 q6,d30,d9\nvshr.s64 q4,q13,#26\nvshr.s64 q13,q14,#26\nvadd.i64 q7,q7,q4\nvshl.i64 q4,q4,#26\nvadd.i64 q14,q7,q3\nvadd.i64 q9,q9,q13\nvshl.i64 q13,q13,#26\nvadd.i64 q15,q9,q3\nvsub.i64 q0,q0,q4\nvshr.s64 q4,q14,#25\nvsub.i64 q5,q5,q13\nvshr.s64 q13,q15,#25\nvadd.i64 q6,q6,q4\nvshl.i64 q4,q4,#25\nvadd.i64 q14,q6,q11\nvadd.i64 q2,q2,q13\nvsub.i64 q4,q7,q4\nvshr.s64 q7,q14,#26\nvshl.i64 q13,q13,#25\nvadd.i64 q14,q2,q11\nvadd.i64 q8,q8,q7\nvshl.i64 q7,q7,#26\nvadd.i64 q15,q8,q3\nvsub.i64 q9,q9,q13\nvshr.s64 q13,q14,#26\nvsub.i64 q6,q6,q7\nvshr.s64 q7,q15,#25\nvadd.i64 q10,q10,q13\nvshl.i64 q13,q13,#26\nvadd.i64 q14,q10,q3\nvadd.i64 q1,q1,q7\nadd r2,r3,#288\nvshl.i64 q7,q7,#25\nadd r4,r3,#96\nvadd.i64 q15,q1,q11\nadd r2,r2,#8\nvsub.i64 q2,q2,q13\nadd r4,r4,#8\nvshr.s64 q13,q14,#25\nvsub.i64 q7,q8,q7\nvshr.s64 q8,q15,#26\nvadd.i64 q14,q13,q13\nvadd.i64 q12,q12,q8\nvtrn.32 d12,d14\nvshl.i64 q8,q8,#26\nvtrn.32 d13,d15\nvadd.i64 q3,q12,q3\nvadd.i64 q0,q0,q14\nvst1.8 d12,[r2,: 64]!\nvshl.i64 q7,q13,#4\nvst1.8 d13,[r4,: 64]!\nvsub.i64 q1,q1,q8\nvshr.s64 q3,q3,#25\nvadd.i64 q0,q0,q7\nvadd.i64 q5,q5,q3\nvshl.i64 q3,q3,#25\nvadd.i64 q6,q5,q11\nvadd.i64 q0,q0,q13\nvshl.i64 q7,q13,#25\nvadd.i64 q8,q0,q11\nvsub.i64 q3,q12,q3\nvshr.s64 q6,q6,#26\nvsub.i64 q7,q10,q7\nvtrn.32 d2,d6\nvshr.s64 q8,q8,#26\nvtrn.32 d3,d7\nvadd.i64 q3,q9,q6\nvst1.8 d2,[r2,: 64]\nvshl.i64 q6,q6,#26\nvst1.8 d3,[r4,: 64]\nvadd.i64 q1,q4,q8\nvtrn.32 d4,d14\nvshl.i64 q4,q8,#26\nvtrn.32 d5,d15\nvsub.i64 q5,q5,q6\nadd r2,r2,#16\nvsub.i64 q0,q0,q4\nvst1.8 d4,[r2,: 64]\nadd r4,r4,#16\nvst1.8 d5,[r4,: 64]\nvtrn.32 d10,d6\nvtrn.32 d11,d7\nsub r2,r2,#8\nsub r4,r4,#8\nvtrn.32 d0,d2\nvtrn.32 d1,d3\nvst1.8 d10,[r2,: 64]\nvst1.8 d11,[r4,: 64]\nsub r2,r2,#24\nsub r4,r4,#24\nvst1.8 d0,[r2,: 64]\nvst1.8 d1,[r4,: 64]\nadd r2,sp,#544\nadd r4,r3,#144\nadd r5,r3,#192\nvld1.8 {d0-d1},[r2,: 128]\nvld1.8 {d2-d3},[r4,: 128]!\nvld1.8 {d4-d5},[r5,: 128]!\nvzip.i32 q1,q2\nvld1.8 {d6-d7},[r4,: 128]!\nvld1.8 {d8-d9},[r5,: 128]!\nvshl.i32 q5,q1,#1\nvzip.i32 q3,q4\nvshl.i32 q6,q2,#1\nvld1.8 {d14},[r4,: 64]\nvshl.i32 q8,q3,#1\nvld1.8 {d15},[r5,: 64]\nvshl.i32 q9,q4,#1\nvmul.i32 d21,d7,d1\nvtrn.32 d14,d15\nvmul.i32 q11,q4,q0\nvmul.i32 q0,q7,q0\nvmull.s32 q12,d2,d2\nvmlal.s32 q12,d11,d1\nvmlal.s32 q12,d12,d0\nvmlal.s32 q12,d13,d23\nvmlal.s32 q12,d16,d22\nvmlal.s32 q12,d7,d21\nvmull.s32 q10,d2,d11\nvmlal.s32 q10,d4,d1\nvmlal.s32 q10,d13,d0\nvmlal.s32 q10,d6,d23\nvmlal.s32 q10,d17,d22\nvmull.s32 q13,d10,d4\nvmlal.s32 q13,d11,d3\nvmlal.s32 q13,d13,d1\nvmlal.s32 q13,d16,d0\nvmlal.s32 q13,d17,d23\nvmlal.s32 q13,d8,d22\nvmull.s32 q1,d10,d5\nvmlal.s32 q1,d11,d4\nvmlal.s32 q1,d6,d1\nvmlal.s32 q1,d17,d0\nvmlal.s32 q1,d8,d23\nvmull.s32 q14,d10,d6\nvmlal.s32 q14,d11,d13\nvmlal.s32 q14,d4,d4\nvmlal.s32 q14,d17,d1\nvmlal.s32 q14,d18,d0\nvmlal.s32 q14,d9,d23\nvmull.s32 q11,d10,d7\nvmlal.s32 q11,d11,d6\nvmlal.s32 q11,d12,d5\nvmlal.s32 q11,d8,d1\nvmlal.s32 q11,d19,d0\nvmull.s32 q15,d10,d8\nvmlal.s32 q15,d11,d17\nvmlal.s32 q15,d12,d6\nvmlal.s32 q15,d13,d5\nvmlal.s32 q15,d19,d1\nvmlal.s32 q15,d14,d0\nvmull.s32 q2,d10,d9\nvmlal.s32 q2,d11,d8\nvmlal.s32 q2,d12,d7\nvmlal.s32 q2,d13,d6\nvmlal.s32 q2,d14,d1\nvmull.s32 q0,d15,d1\nvmlal.s32 q0,d10,d14\nvmlal.s32 q0,d11,d19\nvmlal.s32 q0,d12,d8\nvmlal.s32 q0,d13,d17\nvmlal.s32 q0,d6,d6\nadd r2,sp,#512\nvld1.8 {d18-d19},[r2,: 128]\nvmull.s32 q3,d16,d7\nvmlal.s32 q3,d10,d15\nvmlal.s32 q3,d11,d14\nvmlal.s32 q3,d12,d9\nvmlal.s32 q3,d13,d8\nadd r2,sp,#528\nvld1.8 {d8-d9},[r2,: 128]\nvadd.i64 q5,q12,q9\nvadd.i64 q6,q15,q9\nvshr.s64 q5,q5,#26\nvshr.s64 q6,q6,#26\nvadd.i64 q7,q10,q5\nvshl.i64 q5,q5,#26\nvadd.i64 q8,q7,q4\nvadd.i64 q2,q2,q6\nvshl.i64 q6,q6,#26\nvadd.i64 q10,q2,q4\nvsub.i64 q5,q12,q5\nvshr.s64 q8,q8,#25\nvsub.i64 q6,q15,q6\nvshr.s64 q10,q10,#25\nvadd.i64 q12,q13,q8\nvshl.i64 q8,q8,#25\nvadd.i64 q13,q12,q9\nvadd.i64 q0,q0,q10\nvsub.i64 q7,q7,q8\nvshr.s64 q8,q13,#26\nvshl.i64 q10,q10,#25\nvadd.i64 q13,q0,q9\nvadd.i64 q1,q1,q8\nvshl.i64 q8,q8,#26\nvadd.i64 q15,q1,q4\nvsub.i64 q2,q2,q10\nvshr.s64 q10,q13,#26\nvsub.i64 q8,q12,q8\nvshr.s64 q12,q15,#25\nvadd.i64 q3,q3,q10\nvshl.i64 q10,q10,#26\nvadd.i64 q13,q3,q4\nvadd.i64 q14,q14,q12\nadd r2,r3,#144\nvshl.i64 q12,q12,#25\nadd r4,r3,#192\nvadd.i64 q15,q14,q9\nadd r2,r2,#8\nvsub.i64 q0,q0,q10\nadd r4,r4,#8\nvshr.s64 q10,q13,#25\nvsub.i64 q1,q1,q12\nvshr.s64 q12,q15,#26\nvadd.i64 q13,q10,q10\nvadd.i64 q11,q11,q12\nvtrn.32 d16,d2\nvshl.i64 q12,q12,#26\nvtrn.32 d17,d3\nvadd.i64 q1,q11,q4\nvadd.i64 q4,q5,q13\nvst1.8 d16,[r2,: 64]!\nvshl.i64 q5,q10,#4\nvst1.8 d17,[r4,: 64]!\nvsub.i64 q8,q14,q12\nvshr.s64 q1,q1,#25\nvadd.i64 q4,q4,q5\nvadd.i64 q5,q6,q1\nvshl.i64 q1,q1,#25\nvadd.i64 q6,q5,q9\nvadd.i64 q4,q4,q10\nvshl.i64 q10,q10,#25\nvadd.i64 q9,q4,q9\nvsub.i64 q1,q11,q1\nvshr.s64 q6,q6,#26\nvsub.i64 q3,q3,q10\nvtrn.32 d16,d2\nvshr.s64 q9,q9,#26\nvtrn.32 d17,d3\nvadd.i64 q1,q2,q6\nvst1.8 d16,[r2,: 64]\nvshl.i64 q2,q6,#26\nvst1.8 d17,[r4,: 64]\nvadd.i64 q6,q7,q9\nvtrn.32 d0,d6\nvshl.i64 q7,q9,#26\nvtrn.32 d1,d7\nvsub.i64 q2,q5,q2\nadd r2,r2,#16\nvsub.i64 q3,q4,q7\nvst1.8 d0,[r2,: 64]\nadd r4,r4,#16\nvst1.8 d1,[r4,: 64]\nvtrn.32 d4,d2\nvtrn.32 d5,d3\nsub r2,r2,#8\nsub r4,r4,#8\nvtrn.32 d6,d12\nvtrn.32 d7,d13\nvst1.8 d4,[r2,: 64]\nvst1.8 d5,[r4,: 64]\nsub r2,r2,#24\nsub r4,r4,#24\nvst1.8 d6,[r2,: 64]\nvst1.8 d7,[r4,: 64]\nadd r2,r3,#336\nadd r4,r3,#288\nvld1.8 {d0-d1},[r2,: 128]!\nvld1.8 {d2-d3},[r4,: 128]!\nvadd.i32 q0,q0,q1\nvld1.8 {d2-d3},[r2,: 128]!\nvld1.8 {d4-d5},[r4,: 128]!\nvadd.i32 q1,q1,q2\nadd r5,r3,#288\nvld1.8 {d4},[r2,: 64]\nvld1.8 {d6},[r4,: 64]\nvadd.i32 q2,q2,q3\nvst1.8 {d0-d1},[r5,: 128]!\nvst1.8 {d2-d3},[r5,: 128]!\nvst1.8 d4,[r5,: 64]\nadd r2,r3,#48\nadd r4,r3,#144\nvld1.8 {d0-d1},[r4,: 128]!\nvld1.8 {d2-d3},[r4,: 128]!\nvld1.8 {d4},[r4,: 64]\nadd r4,r3,#288\nvld1.8 {d6-d7},[r4,: 128]!\nvtrn.32 q0,q3\nvld1.8 {d8-d9},[r4,: 128]!\nvshl.i32 q5,q0,#4\nvtrn.32 q1,q4\nvshl.i32 q6,q3,#4\nvadd.i32 q5,q5,q0\nvadd.i32 q6,q6,q3\nvshl.i32 q7,q1,#4\nvld1.8 {d5},[r4,: 64]\nvshl.i32 q8,q4,#4\nvtrn.32 d4,d5\nvadd.i32 q7,q7,q1\nvadd.i32 q8,q8,q4\nvld1.8 {d18-d19},[r2,: 128]!\nvshl.i32 q10,q2,#4\nvld1.8 {d22-d23},[r2,: 128]!\nvadd.i32 q10,q10,q2\nvld1.8 {d24},[r2,: 64]\nvadd.i32 q5,q5,q0\nadd r2,r3,#240\nvld1.8 {d26-d27},[r2,: 128]!\nvadd.i32 q6,q6,q3\nvld1.8 {d28-d29},[r2,: 128]!\nvadd.i32 q8,q8,q4\nvld1.8 {d25},[r2,: 64]\nvadd.i32 q10,q10,q2\nvtrn.32 q9,q13\nvadd.i32 q7,q7,q1\nvadd.i32 q5,q5,q0\nvtrn.32 q11,q14\nvadd.i32 q6,q6,q3\nadd r2,sp,#560\nvadd.i32 q10,q10,q2\nvtrn.32 d24,d25\nvst1.8 {d12-d13},[r2,: 128]\nvshl.i32 q6,q13,#1\nadd r2,sp,#576\nvst1.8 {d20-d21},[r2,: 128]\nvshl.i32 q10,q14,#1\nadd r2,sp,#592\nvst1.8 {d12-d13},[r2,: 128]\nvshl.i32 q15,q12,#1\nvadd.i32 q8,q8,q4\nvext.32 d10,d31,d30,#0\nvadd.i32 q7,q7,q1\nadd r2,sp,#608\nvst1.8 {d16-d17},[r2,: 128]\nvmull.s32 q8,d18,d5\nvmlal.s32 q8,d26,d4\nvmlal.s32 q8,d19,d9\nvmlal.s32 q8,d27,d3\nvmlal.s32 q8,d22,d8\nvmlal.s32 q8,d28,d2\nvmlal.s32 q8,d23,d7\nvmlal.s32 q8,d29,d1\nvmlal.s32 q8,d24,d6\nvmlal.s32 q8,d25,d0\nadd r2,sp,#624\nvst1.8 {d14-d15},[r2,: 128]\nvmull.s32 q2,d18,d4\nvmlal.s32 q2,d12,d9\nvmlal.s32 q2,d13,d8\nvmlal.s32 q2,d19,d3\nvmlal.s32 q2,d22,d2\nvmlal.s32 q2,d23,d1\nvmlal.s32 q2,d24,d0\nadd r2,sp,#640\nvst1.8 {d20-d21},[r2,: 128]\nvmull.s32 q7,d18,d9\nvmlal.s32 q7,d26,d3\nvmlal.s32 q7,d19,d8\nvmlal.s32 q7,d27,d2\nvmlal.s32 q7,d22,d7\nvmlal.s32 q7,d28,d1\nvmlal.s32 q7,d23,d6\nvmlal.s32 q7,d29,d0\nadd r2,sp,#656\nvst1.8 {d10-d11},[r2,: 128]\nvmull.s32 q5,d18,d3\nvmlal.s32 q5,d19,d2\nvmlal.s32 q5,d22,d1\nvmlal.s32 q5,d23,d0\nvmlal.s32 q5,d12,d8\nadd r2,sp,#672\nvst1.8 {d16-d17},[r2,: 128]\nvmull.s32 q4,d18,d8\nvmlal.s32 q4,d26,d2\nvmlal.s32 q4,d19,d7\nvmlal.s32 q4,d27,d1\nvmlal.s32 q4,d22,d6\nvmlal.s32 q4,d28,d0\nvmull.s32 q8,d18,d7\nvmlal.s32 q8,d26,d1\nvmlal.s32 q8,d19,d6\nvmlal.s32 q8,d27,d0\nadd r2,sp,#576\nvld1.8 {d20-d21},[r2,: 128]\nvmlal.s32 q7,d24,d21\nvmlal.s32 q7,d25,d20\nvmlal.s32 q4,d23,d21\nvmlal.s32 q4,d29,d20\nvmlal.s32 q8,d22,d21\nvmlal.s32 q8,d28,d20\nvmlal.s32 q5,d24,d20\nadd r2,sp,#576\nvst1.8 {d14-d15},[r2,: 128]\nvmull.s32 q7,d18,d6\nvmlal.s32 q7,d26,d0\nadd r2,sp,#656\nvld1.8 {d30-d31},[r2,: 128]\nvmlal.s32 q2,d30,d21\nvmlal.s32 q7,d19,d21\nvmlal.s32 q7,d27,d20\nadd r2,sp,#624\nvld1.8 {d26-d27},[r2,: 128]\nvmlal.s32 q4,d25,d27\nvmlal.s32 q8,d29,d27\nvmlal.s32 q8,d25,d26\nvmlal.s32 q7,d28,d27\nvmlal.s32 q7,d29,d26\nadd r2,sp,#608\nvld1.8 {d28-d29},[r2,: 128]\nvmlal.s32 q4,d24,d29\nvmlal.s32 q8,d23,d29\nvmlal.s32 q8,d24,d28\nvmlal.s32 q7,d22,d29\nvmlal.s32 q7,d23,d28\nadd r2,sp,#608\nvst1.8 {d8-d9},[r2,: 128]\nadd r2,sp,#560\nvld1.8 {d8-d9},[r2,: 128]\nvmlal.s32 q7,d24,d9\nvmlal.s32 q7,d25,d31\nvmull.s32 q1,d18,d2\nvmlal.s32 q1,d19,d1\nvmlal.s32 q1,d22,d0\nvmlal.s32 q1,d24,d27\nvmlal.s32 q1,d23,d20\nvmlal.s32 q1,d12,d7\nvmlal.s32 q1,d13,d6\nvmull.s32 q6,d18,d1\nvmlal.s32 q6,d19,d0\nvmlal.s32 q6,d23,d27\nvmlal.s32 q6,d22,d20\nvmlal.s32 q6,d24,d26\nvmull.s32 q0,d18,d0\nvmlal.s32 q0,d22,d27\nvmlal.s32 q0,d23,d26\nvmlal.s32 q0,d24,d31\nvmlal.s32 q0,d19,d20\nadd r2,sp,#640\nvld1.8 {d18-d19},[r2,: 128]\nvmlal.s32 q2,d18,d7\nvmlal.s32 q2,d19,d6\nvmlal.s32 q5,d18,d6\nvmlal.s32 q5,d19,d21\nvmlal.s32 q1,d18,d21\nvmlal.s32 q1,d19,d29\nvmlal.s32 q0,d18,d28\nvmlal.s32 q0,d19,d9\nvmlal.s32 q6,d18,d29\nvmlal.s32 q6,d19,d28\nadd r2,sp,#592\nvld1.8 {d18-d19},[r2,: 128]\nadd r2,sp,#512\nvld1.8 {d22-d23},[r2,: 128]\nvmlal.s32 q5,d19,d7\nvmlal.s32 q0,d18,d21\nvmlal.s32 q0,d19,d29\nvmlal.s32 q6,d18,d6\nadd r2,sp,#528\nvld1.8 {d6-d7},[r2,: 128]\nvmlal.s32 q6,d19,d21\nadd r2,sp,#576\nvld1.8 {d18-d19},[r2,: 128]\nvmlal.s32 q0,d30,d8\nadd r2,sp,#672\nvld1.8 {d20-d21},[r2,: 128]\nvmlal.s32 q5,d30,d29\nadd r2,sp,#608\nvld1.8 {d24-d25},[r2,: 128]\nvmlal.s32 q1,d30,d28\nvadd.i64 q13,q0,q11\nvadd.i64 q14,q5,q11\nvmlal.s32 q6,d30,d9\nvshr.s64 q4,q13,#26\nvshr.s64 q13,q14,#26\nvadd.i64 q7,q7,q4\nvshl.i64 q4,q4,#26\nvadd.i64 q14,q7,q3\nvadd.i64 q9,q9,q13\nvshl.i64 q13,q13,#26\nvadd.i64 q15,q9,q3\nvsub.i64 q0,q0,q4\nvshr.s64 q4,q14,#25\nvsub.i64 q5,q5,q13\nvshr.s64 q13,q15,#25\nvadd.i64 q6,q6,q4\nvshl.i64 q4,q4,#25\nvadd.i64 q14,q6,q11\nvadd.i64 q2,q2,q13\nvsub.i64 q4,q7,q4\nvshr.s64 q7,q14,#26\nvshl.i64 q13,q13,#25\nvadd.i64 q14,q2,q11\nvadd.i64 q8,q8,q7\nvshl.i64 q7,q7,#26\nvadd.i64 q15,q8,q3\nvsub.i64 q9,q9,q13\nvshr.s64 q13,q14,#26\nvsub.i64 q6,q6,q7\nvshr.s64 q7,q15,#25\nvadd.i64 q10,q10,q13\nvshl.i64 q13,q13,#26\nvadd.i64 q14,q10,q3\nvadd.i64 q1,q1,q7\nadd r2,r3,#240\nvshl.i64 q7,q7,#25\nadd r4,r3,#144\nvadd.i64 q15,q1,q11\nadd r2,r2,#8\nvsub.i64 q2,q2,q13\nadd r4,r4,#8\nvshr.s64 q13,q14,#25\nvsub.i64 q7,q8,q7\nvshr.s64 q8,q15,#26\nvadd.i64 q14,q13,q13\nvadd.i64 q12,q12,q8\nvtrn.32 d12,d14\nvshl.i64 q8,q8,#26\nvtrn.32 d13,d15\nvadd.i64 q3,q12,q3\nvadd.i64 q0,q0,q14\nvst1.8 d12,[r2,: 64]!\nvshl.i64 q7,q13,#4\nvst1.8 d13,[r4,: 64]!\nvsub.i64 q1,q1,q8\nvshr.s64 q3,q3,#25\nvadd.i64 q0,q0,q7\nvadd.i64 q5,q5,q3\nvshl.i64 q3,q3,#25\nvadd.i64 q6,q5,q11\nvadd.i64 q0,q0,q13\nvshl.i64 q7,q13,#25\nvadd.i64 q8,q0,q11\nvsub.i64 q3,q12,q3\nvshr.s64 q6,q6,#26\nvsub.i64 q7,q10,q7\nvtrn.32 d2,d6\nvshr.s64 q8,q8,#26\nvtrn.32 d3,d7\nvadd.i64 q3,q9,q6\nvst1.8 d2,[r2,: 64]\nvshl.i64 q6,q6,#26\nvst1.8 d3,[r4,: 64]\nvadd.i64 q1,q4,q8\nvtrn.32 d4,d14\nvshl.i64 q4,q8,#26\nvtrn.32 d5,d15\nvsub.i64 q5,q5,q6\nadd r2,r2,#16\nvsub.i64 q0,q0,q4\nvst1.8 d4,[r2,: 64]\nadd r4,r4,#16\nvst1.8 d5,[r4,: 64]\nvtrn.32 d10,d6\nvtrn.32 d11,d7\nsub r2,r2,#8\nsub r4,r4,#8\nvtrn.32 d0,d2\nvtrn.32 d1,d3\nvst1.8 d10,[r2,: 64]\nvst1.8 d11,[r4,: 64]\nsub r2,r2,#24\nsub r4,r4,#24\nvst1.8 d0,[r2,: 64]\nvst1.8 d1,[r4,: 64]\nldr r2,[sp,#488]\nldr r4,[sp,#492]\nsubs r5,r2,#1\nbge ._mainloop\nadd r1,r3,#144\nadd r2,r3,#336\nvld1.8 {d0-d1},[r1,: 128]!\nvld1.8 {d2-d3},[r1,: 128]!\nvld1.8 {d4},[r1,: 64]\nvst1.8 {d0-d1},[r2,: 128]!\nvst1.8 {d2-d3},[r2,: 128]!\nvst1.8 d4,[r2,: 64]\nldr r1,=0\n._invertloop:\nadd r2,r3,#144\nldr r4,=0\nldr r5,=2\ncmp r1,#1\nldreq r5,=1\naddeq r2,r3,#336\naddeq r4,r3,#48\ncmp r1,#2\nldreq r5,=1\naddeq r2,r3,#48\ncmp r1,#3\nldreq r5,=5\naddeq r4,r3,#336\ncmp r1,#4\nldreq r5,=10\ncmp r1,#5\nldreq r5,=20\ncmp r1,#6\nldreq r5,=10\naddeq r2,r3,#336\naddeq r4,r3,#336\ncmp r1,#7\nldreq r5,=50\ncmp r1,#8\nldreq r5,=100\ncmp r1,#9\nldreq r5,=50\naddeq r2,r3,#336\ncmp r1,#10\nldreq r5,=5\naddeq r2,r3,#48\ncmp r1,#11\nldreq r5,=0\naddeq r2,r3,#96\nadd r6,r3,#144\nadd r7,r3,#288\nvld1.8 {d0-d1},[r6,: 128]!\nvld1.8 {d2-d3},[r6,: 128]!\nvld1.8 {d4},[r6,: 64]\nvst1.8 {d0-d1},[r7,: 128]!\nvst1.8 {d2-d3},[r7,: 128]!\nvst1.8 d4,[r7,: 64]\ncmp r5,#0\nbeq ._skipsquaringloop\n._squaringloop:\nadd r6,r3,#288\nadd r7,r3,#288\nadd r8,r3,#288\nvmov.i32 q0,#19\nvmov.i32 q1,#0\nvmov.i32 q2,#1\nvzip.i32 q1,q2\nvld1.8 {d4-d5},[r7,: 128]!\nvld1.8 {d6-d7},[r7,: 128]!\nvld1.8 {d9},[r7,: 64]\nvld1.8 {d10-d11},[r6,: 128]!\nadd r7,sp,#416\nvld1.8 {d12-d13},[r6,: 128]!\nvmul.i32 q7,q2,q0\nvld1.8 {d8},[r6,: 64]\nvext.32 d17,d11,d10,#1\nvmul.i32 q9,q3,q0\nvext.32 d16,d10,d8,#1\nvshl.u32 q10,q5,q1\nvext.32 d22,d14,d4,#1\nvext.32 d24,d18,d6,#1\nvshl.u32 q13,q6,q1\nvshl.u32 d28,d8,d2\nvrev64.i32 d22,d22\nvmul.i32 d1,d9,d1\nvrev64.i32 d24,d24\nvext.32 d29,d8,d13,#1\nvext.32 d0,d1,d9,#1\nvrev64.i32 d0,d0\nvext.32 d2,d9,d1,#1\nvext.32 d23,d15,d5,#1\nvmull.s32 q4,d20,d4\nvrev64.i32 d23,d23\nvmlal.s32 q4,d21,d1\nvrev64.i32 d2,d2\nvmlal.s32 q4,d26,d19\nvext.32 d3,d5,d15,#1\nvmlal.s32 q4,d27,d18\nvrev64.i32 d3,d3\nvmlal.s32 q4,d28,d15\nvext.32 d14,d12,d11,#1\nvmull.s32 q5,d16,d23\nvext.32 d15,d13,d12,#1\nvmlal.s32 q5,d17,d4\nvst1.8 d8,[r7,: 64]!\nvmlal.s32 q5,d14,d1\nvext.32 d12,d9,d8,#0\nvmlal.s32 q5,d15,d19\nvmov.i64 d13,#0\nvmlal.s32 q5,d29,d18\nvext.32 d25,d19,d7,#1\nvmlal.s32 q6,d20,d5\nvrev64.i32 d25,d25\nvmlal.s32 q6,d21,d4\nvst1.8 d11,[r7,: 64]!\nvmlal.s32 q6,d26,d1\nvext.32 d9,d10,d10,#0\nvmlal.s32 q6,d27,d19\nvmov.i64 d8,#0\nvmlal.s32 q6,d28,d18\nvmlal.s32 q4,d16,d24\nvmlal.s32 q4,d17,d5\nvmlal.s32 q4,d14,d4\nvst1.8 d12,[r7,: 64]!\nvmlal.s32 q4,d15,d1\nvext.32 d10,d13,d12,#0\nvmlal.s32 q4,d29,d19\nvmov.i64 d11,#0\nvmlal.s32 q5,d20,d6\nvmlal.s32 q5,d21,d5\nvmlal.s32 q5,d26,d4\nvext.32 d13,d8,d8,#0\nvmlal.s32 q5,d27,d1\nvmov.i64 d12,#0\nvmlal.s32 q5,d28,d19\nvst1.8 d9,[r7,: 64]!\nvmlal.s32 q6,d16,d25\nvmlal.s32 q6,d17,d6\nvst1.8 d10,[r7,: 64]\nvmlal.s32 q6,d14,d5\nvext.32 d8,d11,d10,#0\nvmlal.s32 q6,d15,d4\nvmov.i64 d9,#0\nvmlal.s32 q6,d29,d1\nvmlal.s32 q4,d20,d7\nvmlal.s32 q4,d21,d6\nvmlal.s32 q4,d26,d5\nvext.32 d11,d12,d12,#0\nvmlal.s32 q4,d27,d4\nvmov.i64 d10,#0\nvmlal.s32 q4,d28,d1\nvmlal.s32 q5,d16,d0\nsub r6,r7,#32\nvmlal.s32 q5,d17,d7\nvmlal.s32 q5,d14,d6\nvext.32 d30,d9,d8,#0\nvmlal.s32 q5,d15,d5\nvld1.8 {d31},[r6,: 64]!\nvmlal.s32 q5,d29,d4\nvmlal.s32 q15,d20,d0\nvext.32 d0,d6,d18,#1\nvmlal.s32 q15,d21,d25\nvrev64.i32 d0,d0\nvmlal.s32 q15,d26,d24\nvext.32 d1,d7,d19,#1\nvext.32 d7,d10,d10,#0\nvmlal.s32 q15,d27,d23\nvrev64.i32 d1,d1\nvld1.8 {d6},[r6,: 64]\nvmlal.s32 q15,d28,d22\nvmlal.s32 q3,d16,d4\nadd r6,r6,#24\nvmlal.s32 q3,d17,d2\nvext.32 d4,d31,d30,#0\nvmov d17,d11\nvmlal.s32 q3,d14,d1\nvext.32 d11,d13,d13,#0\nvext.32 d13,d30,d30,#0\nvmlal.s32 q3,d15,d0\nvext.32 d1,d8,d8,#0\nvmlal.s32 q3,d29,d3\nvld1.8 {d5},[r6,: 64]\nsub r6,r6,#16\nvext.32 d10,d6,d6,#0\nvmov.i32 q1,#0xffffffff\nvshl.i64 q4,q1,#25\nadd r7,sp,#512\nvld1.8 {d14-d15},[r7,: 128]\nvadd.i64 q9,q2,q7\nvshl.i64 q1,q1,#26\nvshr.s64 q10,q9,#26\nvld1.8 {d0},[r6,: 64]!\nvadd.i64 q5,q5,q10\nvand q9,q9,q1\nvld1.8 {d16},[r6,: 64]!\nadd r6,sp,#528\nvld1.8 {d20-d21},[r6,: 128]\nvadd.i64 q11,q5,q10\nvsub.i64 q2,q2,q9\nvshr.s64 q9,q11,#25\nvext.32 d12,d5,d4,#0\nvand q11,q11,q4\nvadd.i64 q0,q0,q9\nvmov d19,d7\nvadd.i64 q3,q0,q7\nvsub.i64 q5,q5,q11\nvshr.s64 q11,q3,#26\nvext.32 d18,d11,d10,#0\nvand q3,q3,q1\nvadd.i64 q8,q8,q11\nvadd.i64 q11,q8,q10\nvsub.i64 q0,q0,q3\nvshr.s64 q3,q11,#25\nvand q11,q11,q4\nvadd.i64 q3,q6,q3\nvadd.i64 q6,q3,q7\nvsub.i64 q8,q8,q11\nvshr.s64 q11,q6,#26\nvand q6,q6,q1\nvadd.i64 q9,q9,q11\nvadd.i64 d25,d19,d21\nvsub.i64 q3,q3,q6\nvshr.s64 d23,d25,#25\nvand q4,q12,q4\nvadd.i64 d21,d23,d23\nvshl.i64 d25,d23,#4\nvadd.i64 d21,d21,d23\nvadd.i64 d25,d25,d21\nvadd.i64 d4,d4,d25\nvzip.i32 q0,q8\nvadd.i64 d12,d4,d14\nadd r6,r8,#8\nvst1.8 d0,[r6,: 64]\nvsub.i64 d19,d19,d9\nadd r6,r6,#16\nvst1.8 d16,[r6,: 64]\nvshr.s64 d22,d12,#26\nvand q0,q6,q1\nvadd.i64 d10,d10,d22\nvzip.i32 q3,q9\nvsub.i64 d4,d4,d0\nsub r6,r6,#8\nvst1.8 d6,[r6,: 64]\nadd r6,r6,#16\nvst1.8 d18,[r6,: 64]\nvzip.i32 q2,q5\nsub r6,r6,#32\nvst1.8 d4,[r6,: 64]\nsubs r5,r5,#1\nbhi ._squaringloop\n._skipsquaringloop:\nmov r2,r2\nadd r5,r3,#288\nadd r6,r3,#144\nvmov.i32 q0,#19\nvmov.i32 q1,#0\nvmov.i32 q2,#1\nvzip.i32 q1,q2\nvld1.8 {d4-d5},[r5,: 128]!\nvld1.8 {d6-d7},[r5,: 128]!\nvld1.8 {d9},[r5,: 64]\nvld1.8 {d10-d11},[r2,: 128]!\nadd r5,sp,#416\nvld1.8 {d12-d13},[r2,: 128]!\nvmul.i32 q7,q2,q0\nvld1.8 {d8},[r2,: 64]\nvext.32 d17,d11,d10,#1\nvmul.i32 q9,q3,q0\nvext.32 d16,d10,d8,#1\nvshl.u32 q10,q5,q1\nvext.32 d22,d14,d4,#1\nvext.32 d24,d18,d6,#1\nvshl.u32 q13,q6,q1\nvshl.u32 d28,d8,d2\nvrev64.i32 d22,d22\nvmul.i32 d1,d9,d1\nvrev64.i32 d24,d24\nvext.32 d29,d8,d13,#1\nvext.32 d0,d1,d9,#1\nvrev64.i32 d0,d0\nvext.32 d2,d9,d1,#1\nvext.32 d23,d15,d5,#1\nvmull.s32 q4,d20,d4\nvrev64.i32 d23,d23\nvmlal.s32 q4,d21,d1\nvrev64.i32 d2,d2\nvmlal.s32 q4,d26,d19\nvext.32 d3,d5,d15,#1\nvmlal.s32 q4,d27,d18\nvrev64.i32 d3,d3\nvmlal.s32 q4,d28,d15\nvext.32 d14,d12,d11,#1\nvmull.s32 q5,d16,d23\nvext.32 d15,d13,d12,#1\nvmlal.s32 q5,d17,d4\nvst1.8 d8,[r5,: 64]!\nvmlal.s32 q5,d14,d1\nvext.32 d12,d9,d8,#0\nvmlal.s32 q5,d15,d19\nvmov.i64 d13,#0\nvmlal.s32 q5,d29,d18\nvext.32 d25,d19,d7,#1\nvmlal.s32 q6,d20,d5\nvrev64.i32 d25,d25\nvmlal.s32 q6,d21,d4\nvst1.8 d11,[r5,: 64]!\nvmlal.s32 q6,d26,d1\nvext.32 d9,d10,d10,#0\nvmlal.s32 q6,d27,d19\nvmov.i64 d8,#0\nvmlal.s32 q6,d28,d18\nvmlal.s32 q4,d16,d24\nvmlal.s32 q4,d17,d5\nvmlal.s32 q4,d14,d4\nvst1.8 d12,[r5,: 64]!\nvmlal.s32 q4,d15,d1\nvext.32 d10,d13,d12,#0\nvmlal.s32 q4,d29,d19\nvmov.i64 d11,#0\nvmlal.s32 q5,d20,d6\nvmlal.s32 q5,d21,d5\nvmlal.s32 q5,d26,d4\nvext.32 d13,d8,d8,#0\nvmlal.s32 q5,d27,d1\nvmov.i64 d12,#0\nvmlal.s32 q5,d28,d19\nvst1.8 d9,[r5,: 64]!\nvmlal.s32 q6,d16,d25\nvmlal.s32 q6,d17,d6\nvst1.8 d10,[r5,: 64]\nvmlal.s32 q6,d14,d5\nvext.32 d8,d11,d10,#0\nvmlal.s32 q6,d15,d4\nvmov.i64 d9,#0\nvmlal.s32 q6,d29,d1\nvmlal.s32 q4,d20,d7\nvmlal.s32 q4,d21,d6\nvmlal.s32 q4,d26,d5\nvext.32 d11,d12,d12,#0\nvmlal.s32 q4,d27,d4\nvmov.i64 d10,#0\nvmlal.s32 q4,d28,d1\nvmlal.s32 q5,d16,d0\nsub r2,r5,#32\nvmlal.s32 q5,d17,d7\nvmlal.s32 q5,d14,d6\nvext.32 d30,d9,d8,#0\nvmlal.s32 q5,d15,d5\nvld1.8 {d31},[r2,: 64]!\nvmlal.s32 q5,d29,d4\nvmlal.s32 q15,d20,d0\nvext.32 d0,d6,d18,#1\nvmlal.s32 q15,d21,d25\nvrev64.i32 d0,d0\nvmlal.s32 q15,d26,d24\nvext.32 d1,d7,d19,#1\nvext.32 d7,d10,d10,#0\nvmlal.s32 q15,d27,d23\nvrev64.i32 d1,d1\nvld1.8 {d6},[r2,: 64]\nvmlal.s32 q15,d28,d22\nvmlal.s32 q3,d16,d4\nadd r2,r2,#24\nvmlal.s32 q3,d17,d2\nvext.32 d4,d31,d30,#0\nvmov d17,d11\nvmlal.s32 q3,d14,d1\nvext.32 d11,d13,d13,#0\nvext.32 d13,d30,d30,#0\nvmlal.s32 q3,d15,d0\nvext.32 d1,d8,d8,#0\nvmlal.s32 q3,d29,d3\nvld1.8 {d5},[r2,: 64]\nsub r2,r2,#16\nvext.32 d10,d6,d6,#0\nvmov.i32 q1,#0xffffffff\nvshl.i64 q4,q1,#25\nadd r5,sp,#512\nvld1.8 {d14-d15},[r5,: 128]\nvadd.i64 q9,q2,q7\nvshl.i64 q1,q1,#26\nvshr.s64 q10,q9,#26\nvld1.8 {d0},[r2,: 64]!\nvadd.i64 q5,q5,q10\nvand q9,q9,q1\nvld1.8 {d16},[r2,: 64]!\nadd r2,sp,#528\nvld1.8 {d20-d21},[r2,: 128]\nvadd.i64 q11,q5,q10\nvsub.i64 q2,q2,q9\nvshr.s64 q9,q11,#25\nvext.32 d12,d5,d4,#0\nvand q11,q11,q4\nvadd.i64 q0,q0,q9\nvmov d19,d7\nvadd.i64 q3,q0,q7\nvsub.i64 q5,q5,q11\nvshr.s64 q11,q3,#26\nvext.32 d18,d11,d10,#0\nvand q3,q3,q1\nvadd.i64 q8,q8,q11\nvadd.i64 q11,q8,q10\nvsub.i64 q0,q0,q3\nvshr.s64 q3,q11,#25\nvand q11,q11,q4\nvadd.i64 q3,q6,q3\nvadd.i64 q6,q3,q7\nvsub.i64 q8,q8,q11\nvshr.s64 q11,q6,#26\nvand q6,q6,q1\nvadd.i64 q9,q9,q11\nvadd.i64 d25,d19,d21\nvsub.i64 q3,q3,q6\nvshr.s64 d23,d25,#25\nvand q4,q12,q4\nvadd.i64 d21,d23,d23\nvshl.i64 d25,d23,#4\nvadd.i64 d21,d21,d23\nvadd.i64 d25,d25,d21\nvadd.i64 d4,d4,d25\nvzip.i32 q0,q8\nvadd.i64 d12,d4,d14\nadd r2,r6,#8\nvst1.8 d0,[r2,: 64]\nvsub.i64 d19,d19,d9\nadd r2,r2,#16\nvst1.8 d16,[r2,: 64]\nvshr.s64 d22,d12,#26\nvand q0,q6,q1\nvadd.i64 d10,d10,d22\nvzip.i32 q3,q9\nvsub.i64 d4,d4,d0\nsub r2,r2,#8\nvst1.8 d6,[r2,: 64]\nadd r2,r2,#16\nvst1.8 d18,[r2,: 64]\nvzip.i32 q2,q5\nsub r2,r2,#32\nvst1.8 d4,[r2,: 64]\ncmp r4,#0\nbeq ._skippostcopy\nadd r2,r3,#144\nmov r4,r4\nvld1.8 {d0-d1},[r2,: 128]!\nvld1.8 {d2-d3},[r2,: 128]!\nvld1.8 {d4},[r2,: 64]\nvst1.8 {d0-d1},[r4,: 128]!\nvst1.8 {d2-d3},[r4,: 128]!\nvst1.8 d4,[r4,: 64]\n._skippostcopy:\ncmp r1,#1\nbne ._skipfinalcopy\nadd r2,r3,#288\nadd r4,r3,#144\nvld1.8 {d0-d1},[r2,: 128]!\nvld1.8 {d2-d3},[r2,: 128]!\nvld1.8 {d4},[r2,: 64]\nvst1.8 {d0-d1},[r4,: 128]!\nvst1.8 {d2-d3},[r4,: 128]!\nvst1.8 d4,[r4,: 64]\n._skipfinalcopy:\nadd r1,r1,#1\ncmp r1,#12\nblo ._invertloop\nadd r1,r3,#144\nldr r2,[r1],#4\nldr r3,[r1],#4\nldr r4,[r1],#4\nldr r5,[r1],#4\nldr r6,[r1],#4\nldr r7,[r1],#4\nldr r8,[r1],#4\nldr r9,[r1],#4\nldr r10,[r1],#4\nldr r1,[r1]\nadd r11,r1,r1,LSL #4\nadd r11,r11,r1,LSL #1\nadd r11,r11,#16777216\nmov r11,r11,ASR #25\nadd r11,r11,r2\nmov r11,r11,ASR #26\nadd r11,r11,r3\nmov r11,r11,ASR #25\nadd r11,r11,r4\nmov r11,r11,ASR #26\nadd r11,r11,r5\nmov r11,r11,ASR #25\nadd r11,r11,r6\nmov r11,r11,ASR #26\nadd r11,r11,r7\nmov r11,r11,ASR #25\nadd r11,r11,r8\nmov r11,r11,ASR #26\nadd r11,r11,r9\nmov r11,r11,ASR #25\nadd r11,r11,r10\nmov r11,r11,ASR #26\nadd r11,r11,r1\nmov r11,r11,ASR #25\nadd r2,r2,r11\nadd r2,r2,r11,LSL #1\nadd r2,r2,r11,LSL #4\nmov r11,r2,ASR #26\nadd r3,r3,r11\nsub r2,r2,r11,LSL #26\nmov r11,r3,ASR #25\nadd r4,r4,r11\nsub r3,r3,r11,LSL #25\nmov r11,r4,ASR #26\nadd r5,r5,r11\nsub r4,r4,r11,LSL #26\nmov r11,r5,ASR #25\nadd r6,r6,r11\nsub r5,r5,r11,LSL #25\nmov r11,r6,ASR #26\nadd r7,r7,r11\nsub r6,r6,r11,LSL #26\nmov r11,r7,ASR #25\nadd r8,r8,r11\nsub r7,r7,r11,LSL #25\nmov r11,r8,ASR #26\nadd r9,r9,r11\nsub r8,r8,r11,LSL #26\nmov r11,r9,ASR #25\nadd r10,r10,r11\nsub r9,r9,r11,LSL #25\nmov r11,r10,ASR #26\nadd r1,r1,r11\nsub r10,r10,r11,LSL #26\nmov r11,r1,ASR #25\nsub r1,r1,r11,LSL #25\nadd r2,r2,r3,LSL #26\nmov r3,r3,LSR #6\nadd r3,r3,r4,LSL #19\nmov r4,r4,LSR #13\nadd r4,r4,r5,LSL #13\nmov r5,r5,LSR #19\nadd r5,r5,r6,LSL #6\nadd r6,r7,r8,LSL #25\nmov r7,r8,LSR #7\nadd r7,r7,r9,LSL #19\nmov r8,r9,LSR #13\nadd r8,r8,r10,LSL #12\nmov r9,r10,LSR #20\nadd r1,r9,r1,LSL #6\nstr r2,[r0],#4\nstr r3,[r0],#4\nstr r4,[r0],#4\nstr r5,[r0],#4\nstr r6,[r0],#4\nstr r7,[r0],#4\nstr r8,[r0],#4\nstr r1,[r0]\nldrd r4,[sp,#0]\nldrd r6,[sp,#8]\nldrd r8,[sp,#16]\nldrd r10,[sp,#24]\nldr r12,[sp,#480]\nldr r14,[sp,#484]\nldr r0,=0\nmov sp,r12\nvpop {q4,q5,q6,q7}\nbx lr\n\n#endif /* !OPENSSL_NO_ASM && OPENSSL_ARM && __ELF__ */\n#endif // defined(__arm__) && defined(__linux__)\n#if defined(__linux__) && defined(__ELF__)\n.section .note.GNU-stack,\"\",%progbits\n#endif\n\n" }, { "path": "Sources/CNIOBoringSSL/crypto/curve25519/curve25519.cc", "content": "/* Copyright 2020 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n// Some of this code is taken from the ref10 version of Ed25519 in SUPERCOP\n// 20141124 (http://bench.cr.yp.to/supercop.html). That code is released as\n// public domain. Other parts have been replaced to call into code generated by\n// Fiat (https://github.com/mit-plv/fiat-crypto) in //third_party/fiat.\n//\n// The field functions are shared by Ed25519 and X25519 where possible.\n\n#include \n#include \n\n#include \n#include \n#include \n\n#include \"../internal.h\"\n#include \"internal.h\"\n\n// Various pre-computed constants.\n#include \"./curve25519_tables.h\"\n\n#if defined(BORINGSSL_HAS_UINT128)\n#include \"../../third_party/fiat/curve25519_64.h\"\n#elif defined(OPENSSL_64_BIT)\n#include \"../../third_party/fiat/curve25519_64_msvc.h\"\n#else\n#include \"../../third_party/fiat/curve25519_32.h\"\n#endif\n\n\n// Low-level intrinsic operations\n\nstatic uint64_t load_3(const uint8_t *in) {\n uint64_t result;\n result = (uint64_t)in[0];\n result |= ((uint64_t)in[1]) << 8;\n result |= ((uint64_t)in[2]) << 16;\n return result;\n}\n\nstatic uint64_t load_4(const uint8_t *in) {\n uint64_t result;\n result = (uint64_t)in[0];\n result |= ((uint64_t)in[1]) << 8;\n result |= ((uint64_t)in[2]) << 16;\n result |= ((uint64_t)in[3]) << 24;\n return result;\n}\n\n\n// Field operations.\n\n#if defined(OPENSSL_64_BIT)\n\ntypedef uint64_t fe_limb_t;\n#define FE_NUM_LIMBS 5\n\n// assert_fe asserts that |f| satisfies bounds:\n//\n// [[0x0 ~> 0x8cccccccccccc],\n// [0x0 ~> 0x8cccccccccccc],\n// [0x0 ~> 0x8cccccccccccc],\n// [0x0 ~> 0x8cccccccccccc],\n// [0x0 ~> 0x8cccccccccccc]]\n//\n// See comments in curve25519_64.h for which functions use these bounds for\n// inputs or outputs.\n#define assert_fe(f) \\\n do { \\\n for (unsigned _assert_fe_i = 0; _assert_fe_i < 5; _assert_fe_i++) { \\\n declassify_assert(f[_assert_fe_i] <= UINT64_C(0x8cccccccccccc)); \\\n } \\\n } while (0)\n\n// assert_fe_loose asserts that |f| satisfies bounds:\n//\n// [[0x0 ~> 0x1a666666666664],\n// [0x0 ~> 0x1a666666666664],\n// [0x0 ~> 0x1a666666666664],\n// [0x0 ~> 0x1a666666666664],\n// [0x0 ~> 0x1a666666666664]]\n//\n// See comments in curve25519_64.h for which functions use these bounds for\n// inputs or outputs.\n#define assert_fe_loose(f) \\\n do { \\\n for (unsigned _assert_fe_i = 0; _assert_fe_i < 5; _assert_fe_i++) { \\\n declassify_assert(f[_assert_fe_i] <= UINT64_C(0x1a666666666664)); \\\n } \\\n } while (0)\n\n#else\n\ntypedef uint32_t fe_limb_t;\n#define FE_NUM_LIMBS 10\n\n// assert_fe asserts that |f| satisfies bounds:\n//\n// [[0x0 ~> 0x4666666], [0x0 ~> 0x2333333],\n// [0x0 ~> 0x4666666], [0x0 ~> 0x2333333],\n// [0x0 ~> 0x4666666], [0x0 ~> 0x2333333],\n// [0x0 ~> 0x4666666], [0x0 ~> 0x2333333],\n// [0x0 ~> 0x4666666], [0x0 ~> 0x2333333]]\n//\n// See comments in curve25519_32.h for which functions use these bounds for\n// inputs or outputs.\n#define assert_fe(f) \\\n do { \\\n for (unsigned _assert_fe_i = 0; _assert_fe_i < 10; _assert_fe_i++) { \\\n declassify_assert(f[_assert_fe_i] <= \\\n ((_assert_fe_i & 1) ? 0x2333333u : 0x4666666u)); \\\n } \\\n } while (0)\n\n// assert_fe_loose asserts that |f| satisfies bounds:\n//\n// [[0x0 ~> 0xd333332], [0x0 ~> 0x6999999],\n// [0x0 ~> 0xd333332], [0x0 ~> 0x6999999],\n// [0x0 ~> 0xd333332], [0x0 ~> 0x6999999],\n// [0x0 ~> 0xd333332], [0x0 ~> 0x6999999],\n// [0x0 ~> 0xd333332], [0x0 ~> 0x6999999]]\n//\n// See comments in curve25519_32.h for which functions use these bounds for\n// inputs or outputs.\n#define assert_fe_loose(f) \\\n do { \\\n for (unsigned _assert_fe_i = 0; _assert_fe_i < 10; _assert_fe_i++) { \\\n declassify_assert(f[_assert_fe_i] <= \\\n ((_assert_fe_i & 1) ? 0x6999999u : 0xd333332u)); \\\n } \\\n } while (0)\n\n#endif // OPENSSL_64_BIT\n\nstatic_assert(sizeof(fe) == sizeof(fe_limb_t) * FE_NUM_LIMBS,\n \"fe_limb_t[FE_NUM_LIMBS] is inconsistent with fe\");\n\nstatic void fe_frombytes_strict(fe *h, const uint8_t s[32]) {\n // |fiat_25519_from_bytes| requires the top-most bit be clear.\n declassify_assert((s[31] & 0x80) == 0);\n fiat_25519_from_bytes(h->v, s);\n assert_fe(h->v);\n}\n\nstatic void fe_frombytes(fe *h, const uint8_t s[32]) {\n uint8_t s_copy[32];\n OPENSSL_memcpy(s_copy, s, 32);\n s_copy[31] &= 0x7f;\n fe_frombytes_strict(h, s_copy);\n}\n\nstatic void fe_tobytes(uint8_t s[32], const fe *f) {\n assert_fe(f->v);\n fiat_25519_to_bytes(s, f->v);\n}\n\n// h = 0\nstatic void fe_0(fe *h) { OPENSSL_memset(h, 0, sizeof(fe)); }\n\nstatic void fe_loose_0(fe_loose *h) { OPENSSL_memset(h, 0, sizeof(fe_loose)); }\n\n// h = 1\nstatic void fe_1(fe *h) {\n OPENSSL_memset(h, 0, sizeof(fe));\n h->v[0] = 1;\n}\n\nstatic void fe_loose_1(fe_loose *h) {\n OPENSSL_memset(h, 0, sizeof(fe_loose));\n h->v[0] = 1;\n}\n\n// h = f + g\n// Can overlap h with f or g.\nstatic void fe_add(fe_loose *h, const fe *f, const fe *g) {\n assert_fe(f->v);\n assert_fe(g->v);\n fiat_25519_add(h->v, f->v, g->v);\n assert_fe_loose(h->v);\n}\n\n// h = f - g\n// Can overlap h with f or g.\nstatic void fe_sub(fe_loose *h, const fe *f, const fe *g) {\n assert_fe(f->v);\n assert_fe(g->v);\n fiat_25519_sub(h->v, f->v, g->v);\n assert_fe_loose(h->v);\n}\n\nstatic void fe_carry(fe *h, const fe_loose *f) {\n assert_fe_loose(f->v);\n fiat_25519_carry(h->v, f->v);\n assert_fe(h->v);\n}\n\nstatic void fe_mul_impl(fe_limb_t out[FE_NUM_LIMBS],\n const fe_limb_t in1[FE_NUM_LIMBS],\n const fe_limb_t in2[FE_NUM_LIMBS]) {\n assert_fe_loose(in1);\n assert_fe_loose(in2);\n fiat_25519_carry_mul(out, in1, in2);\n assert_fe(out);\n}\n\nstatic void fe_mul_ltt(fe_loose *h, const fe *f, const fe *g) {\n fe_mul_impl(h->v, f->v, g->v);\n}\n\nstatic void fe_mul_llt(fe_loose *h, const fe_loose *f, const fe *g) {\n fe_mul_impl(h->v, f->v, g->v);\n}\n\nstatic void fe_mul_ttt(fe *h, const fe *f, const fe *g) {\n fe_mul_impl(h->v, f->v, g->v);\n}\n\nstatic void fe_mul_tlt(fe *h, const fe_loose *f, const fe *g) {\n fe_mul_impl(h->v, f->v, g->v);\n}\n\nstatic void fe_mul_ttl(fe *h, const fe *f, const fe_loose *g) {\n fe_mul_impl(h->v, f->v, g->v);\n}\n\nstatic void fe_mul_tll(fe *h, const fe_loose *f, const fe_loose *g) {\n fe_mul_impl(h->v, f->v, g->v);\n}\n\nstatic void fe_sq_tl(fe *h, const fe_loose *f) {\n assert_fe_loose(f->v);\n fiat_25519_carry_square(h->v, f->v);\n assert_fe(h->v);\n}\n\nstatic void fe_sq_tt(fe *h, const fe *f) {\n assert_fe_loose(f->v);\n fiat_25519_carry_square(h->v, f->v);\n assert_fe(h->v);\n}\n\n// Replace (f,g) with (g,f) if b == 1;\n// replace (f,g) with (f,g) if b == 0.\n//\n// Preconditions: b in {0,1}.\nstatic void fe_cswap(fe *f, fe *g, fe_limb_t b) {\n b = 0 - b;\n for (unsigned i = 0; i < FE_NUM_LIMBS; i++) {\n fe_limb_t x = f->v[i] ^ g->v[i];\n x &= b;\n f->v[i] ^= x;\n g->v[i] ^= x;\n }\n}\n\nstatic void fe_mul121666(fe *h, const fe_loose *f) {\n assert_fe_loose(f->v);\n fiat_25519_carry_scmul_121666(h->v, f->v);\n assert_fe(h->v);\n}\n\n// h = -f\nstatic void fe_neg(fe_loose *h, const fe *f) {\n assert_fe(f->v);\n fiat_25519_opp(h->v, f->v);\n assert_fe_loose(h->v);\n}\n\n// Replace (f,g) with (g,g) if b == 1;\n// replace (f,g) with (f,g) if b == 0.\n//\n// Preconditions: b in {0,1}.\nstatic void fe_cmov(fe_loose *f, const fe_loose *g, fe_limb_t b) {\n // Silence an unused function warning. |fiat_25519_selectznz| isn't quite the\n // calling convention the rest of this code wants, so implement it by hand.\n //\n // TODO(davidben): Switch to fiat's calling convention, or ask fiat to emit a\n // different one.\n\n b = 0 - b;\n for (unsigned i = 0; i < FE_NUM_LIMBS; i++) {\n fe_limb_t x = f->v[i] ^ g->v[i];\n x &= b;\n f->v[i] ^= x;\n }\n}\n\n// h = f\nstatic void fe_copy(fe *h, const fe *f) { OPENSSL_memmove(h, f, sizeof(fe)); }\n\nstatic void fe_copy_lt(fe_loose *h, const fe *f) {\n static_assert(sizeof(fe_loose) == sizeof(fe), \"fe and fe_loose mismatch\");\n OPENSSL_memmove(h, f, sizeof(fe));\n}\n\nstatic void fe_loose_invert(fe *out, const fe_loose *z) {\n fe t0;\n fe t1;\n fe t2;\n fe t3;\n int i;\n\n fe_sq_tl(&t0, z);\n fe_sq_tt(&t1, &t0);\n for (i = 1; i < 2; ++i) {\n fe_sq_tt(&t1, &t1);\n }\n fe_mul_tlt(&t1, z, &t1);\n fe_mul_ttt(&t0, &t0, &t1);\n fe_sq_tt(&t2, &t0);\n fe_mul_ttt(&t1, &t1, &t2);\n fe_sq_tt(&t2, &t1);\n for (i = 1; i < 5; ++i) {\n fe_sq_tt(&t2, &t2);\n }\n fe_mul_ttt(&t1, &t2, &t1);\n fe_sq_tt(&t2, &t1);\n for (i = 1; i < 10; ++i) {\n fe_sq_tt(&t2, &t2);\n }\n fe_mul_ttt(&t2, &t2, &t1);\n fe_sq_tt(&t3, &t2);\n for (i = 1; i < 20; ++i) {\n fe_sq_tt(&t3, &t3);\n }\n fe_mul_ttt(&t2, &t3, &t2);\n fe_sq_tt(&t2, &t2);\n for (i = 1; i < 10; ++i) {\n fe_sq_tt(&t2, &t2);\n }\n fe_mul_ttt(&t1, &t2, &t1);\n fe_sq_tt(&t2, &t1);\n for (i = 1; i < 50; ++i) {\n fe_sq_tt(&t2, &t2);\n }\n fe_mul_ttt(&t2, &t2, &t1);\n fe_sq_tt(&t3, &t2);\n for (i = 1; i < 100; ++i) {\n fe_sq_tt(&t3, &t3);\n }\n fe_mul_ttt(&t2, &t3, &t2);\n fe_sq_tt(&t2, &t2);\n for (i = 1; i < 50; ++i) {\n fe_sq_tt(&t2, &t2);\n }\n fe_mul_ttt(&t1, &t2, &t1);\n fe_sq_tt(&t1, &t1);\n for (i = 1; i < 5; ++i) {\n fe_sq_tt(&t1, &t1);\n }\n fe_mul_ttt(out, &t1, &t0);\n}\n\nstatic void fe_invert(fe *out, const fe *z) {\n fe_loose l;\n fe_copy_lt(&l, z);\n fe_loose_invert(out, &l);\n}\n\n// return 0 if f == 0\n// return 1 if f != 0\nstatic int fe_isnonzero(const fe_loose *f) {\n fe tight;\n fe_carry(&tight, f);\n uint8_t s[32];\n fe_tobytes(s, &tight);\n\n static const uint8_t zero[32] = {0};\n return CRYPTO_memcmp(s, zero, sizeof(zero)) != 0;\n}\n\n// return 1 if f is in {1,3,5,...,q-2}\n// return 0 if f is in {0,2,4,...,q-1}\nstatic int fe_isnegative(const fe *f) {\n uint8_t s[32];\n fe_tobytes(s, f);\n return s[0] & 1;\n}\n\nstatic void fe_sq2_tt(fe *h, const fe *f) {\n // h = f^2\n fe_sq_tt(h, f);\n\n // h = h + h\n fe_loose tmp;\n fe_add(&tmp, h, h);\n fe_carry(h, &tmp);\n}\n\nstatic void fe_pow22523(fe *out, const fe *z) {\n fe t0;\n fe t1;\n fe t2;\n int i;\n\n fe_sq_tt(&t0, z);\n fe_sq_tt(&t1, &t0);\n for (i = 1; i < 2; ++i) {\n fe_sq_tt(&t1, &t1);\n }\n fe_mul_ttt(&t1, z, &t1);\n fe_mul_ttt(&t0, &t0, &t1);\n fe_sq_tt(&t0, &t0);\n fe_mul_ttt(&t0, &t1, &t0);\n fe_sq_tt(&t1, &t0);\n for (i = 1; i < 5; ++i) {\n fe_sq_tt(&t1, &t1);\n }\n fe_mul_ttt(&t0, &t1, &t0);\n fe_sq_tt(&t1, &t0);\n for (i = 1; i < 10; ++i) {\n fe_sq_tt(&t1, &t1);\n }\n fe_mul_ttt(&t1, &t1, &t0);\n fe_sq_tt(&t2, &t1);\n for (i = 1; i < 20; ++i) {\n fe_sq_tt(&t2, &t2);\n }\n fe_mul_ttt(&t1, &t2, &t1);\n fe_sq_tt(&t1, &t1);\n for (i = 1; i < 10; ++i) {\n fe_sq_tt(&t1, &t1);\n }\n fe_mul_ttt(&t0, &t1, &t0);\n fe_sq_tt(&t1, &t0);\n for (i = 1; i < 50; ++i) {\n fe_sq_tt(&t1, &t1);\n }\n fe_mul_ttt(&t1, &t1, &t0);\n fe_sq_tt(&t2, &t1);\n for (i = 1; i < 100; ++i) {\n fe_sq_tt(&t2, &t2);\n }\n fe_mul_ttt(&t1, &t2, &t1);\n fe_sq_tt(&t1, &t1);\n for (i = 1; i < 50; ++i) {\n fe_sq_tt(&t1, &t1);\n }\n fe_mul_ttt(&t0, &t1, &t0);\n fe_sq_tt(&t0, &t0);\n for (i = 1; i < 2; ++i) {\n fe_sq_tt(&t0, &t0);\n }\n fe_mul_ttt(out, &t0, z);\n}\n\n\n// Group operations.\n\nvoid x25519_ge_tobytes(uint8_t s[32], const ge_p2 *h) {\n fe recip;\n fe x;\n fe y;\n\n fe_invert(&recip, &h->Z);\n fe_mul_ttt(&x, &h->X, &recip);\n fe_mul_ttt(&y, &h->Y, &recip);\n fe_tobytes(s, &y);\n s[31] ^= fe_isnegative(&x) << 7;\n}\n\nstatic void ge_p3_tobytes(uint8_t s[32], const ge_p3 *h) {\n fe recip;\n fe x;\n fe y;\n\n fe_invert(&recip, &h->Z);\n fe_mul_ttt(&x, &h->X, &recip);\n fe_mul_ttt(&y, &h->Y, &recip);\n fe_tobytes(s, &y);\n s[31] ^= fe_isnegative(&x) << 7;\n}\n\nint x25519_ge_frombytes_vartime(ge_p3 *h, const uint8_t s[32]) {\n fe u;\n fe_loose v;\n fe w;\n fe vxx;\n fe_loose check;\n\n fe_frombytes(&h->Y, s);\n fe_1(&h->Z);\n fe_sq_tt(&w, &h->Y);\n fe_mul_ttt(&vxx, &w, &d);\n fe_sub(&v, &w, &h->Z); // u = y^2-1\n fe_carry(&u, &v);\n fe_add(&v, &vxx, &h->Z); // v = dy^2+1\n\n fe_mul_ttl(&w, &u, &v); // w = u*v\n fe_pow22523(&h->X, &w); // x = w^((q-5)/8)\n fe_mul_ttt(&h->X, &h->X, &u); // x = u*w^((q-5)/8)\n\n fe_sq_tt(&vxx, &h->X);\n fe_mul_ttl(&vxx, &vxx, &v);\n fe_sub(&check, &vxx, &u);\n if (fe_isnonzero(&check)) {\n fe_add(&check, &vxx, &u);\n if (fe_isnonzero(&check)) {\n return 0;\n }\n fe_mul_ttt(&h->X, &h->X, &sqrtm1);\n }\n\n if (fe_isnegative(&h->X) != (s[31] >> 7)) {\n fe_loose t;\n fe_neg(&t, &h->X);\n fe_carry(&h->X, &t);\n }\n\n fe_mul_ttt(&h->T, &h->X, &h->Y);\n return 1;\n}\n\nstatic void ge_p2_0(ge_p2 *h) {\n fe_0(&h->X);\n fe_1(&h->Y);\n fe_1(&h->Z);\n}\n\nstatic void ge_p3_0(ge_p3 *h) {\n fe_0(&h->X);\n fe_1(&h->Y);\n fe_1(&h->Z);\n fe_0(&h->T);\n}\n\nstatic void ge_cached_0(ge_cached *h) {\n fe_loose_1(&h->YplusX);\n fe_loose_1(&h->YminusX);\n fe_loose_1(&h->Z);\n fe_loose_0(&h->T2d);\n}\n\nstatic void ge_precomp_0(ge_precomp *h) {\n fe_loose_1(&h->yplusx);\n fe_loose_1(&h->yminusx);\n fe_loose_0(&h->xy2d);\n}\n\n// r = p\nstatic void ge_p3_to_p2(ge_p2 *r, const ge_p3 *p) {\n fe_copy(&r->X, &p->X);\n fe_copy(&r->Y, &p->Y);\n fe_copy(&r->Z, &p->Z);\n}\n\n// r = p\nvoid x25519_ge_p3_to_cached(ge_cached *r, const ge_p3 *p) {\n fe_add(&r->YplusX, &p->Y, &p->X);\n fe_sub(&r->YminusX, &p->Y, &p->X);\n fe_copy_lt(&r->Z, &p->Z);\n fe_mul_ltt(&r->T2d, &p->T, &d2);\n}\n\n// r = p\nvoid x25519_ge_p1p1_to_p2(ge_p2 *r, const ge_p1p1 *p) {\n fe_mul_tll(&r->X, &p->X, &p->T);\n fe_mul_tll(&r->Y, &p->Y, &p->Z);\n fe_mul_tll(&r->Z, &p->Z, &p->T);\n}\n\n// r = p\nvoid x25519_ge_p1p1_to_p3(ge_p3 *r, const ge_p1p1 *p) {\n fe_mul_tll(&r->X, &p->X, &p->T);\n fe_mul_tll(&r->Y, &p->Y, &p->Z);\n fe_mul_tll(&r->Z, &p->Z, &p->T);\n fe_mul_tll(&r->T, &p->X, &p->Y);\n}\n\n// r = p\nstatic void ge_p1p1_to_cached(ge_cached *r, const ge_p1p1 *p) {\n ge_p3 t;\n x25519_ge_p1p1_to_p3(&t, p);\n x25519_ge_p3_to_cached(r, &t);\n}\n\n// r = 2 * p\nstatic void ge_p2_dbl(ge_p1p1 *r, const ge_p2 *p) {\n fe trX, trZ, trT;\n fe t0;\n\n fe_sq_tt(&trX, &p->X);\n fe_sq_tt(&trZ, &p->Y);\n fe_sq2_tt(&trT, &p->Z);\n fe_add(&r->Y, &p->X, &p->Y);\n fe_sq_tl(&t0, &r->Y);\n\n fe_add(&r->Y, &trZ, &trX);\n fe_sub(&r->Z, &trZ, &trX);\n fe_carry(&trZ, &r->Y);\n fe_sub(&r->X, &t0, &trZ);\n fe_carry(&trZ, &r->Z);\n fe_sub(&r->T, &trT, &trZ);\n}\n\n// r = 2 * p\nstatic void ge_p3_dbl(ge_p1p1 *r, const ge_p3 *p) {\n ge_p2 q;\n ge_p3_to_p2(&q, p);\n ge_p2_dbl(r, &q);\n}\n\n// r = p + q\nstatic void ge_madd(ge_p1p1 *r, const ge_p3 *p, const ge_precomp *q) {\n fe trY, trZ, trT;\n\n fe_add(&r->X, &p->Y, &p->X);\n fe_sub(&r->Y, &p->Y, &p->X);\n fe_mul_tll(&trZ, &r->X, &q->yplusx);\n fe_mul_tll(&trY, &r->Y, &q->yminusx);\n fe_mul_tlt(&trT, &q->xy2d, &p->T);\n fe_add(&r->T, &p->Z, &p->Z);\n fe_sub(&r->X, &trZ, &trY);\n fe_add(&r->Y, &trZ, &trY);\n fe_carry(&trZ, &r->T);\n fe_add(&r->Z, &trZ, &trT);\n fe_sub(&r->T, &trZ, &trT);\n}\n\n// r = p - q\nstatic void ge_msub(ge_p1p1 *r, const ge_p3 *p, const ge_precomp *q) {\n fe trY, trZ, trT;\n\n fe_add(&r->X, &p->Y, &p->X);\n fe_sub(&r->Y, &p->Y, &p->X);\n fe_mul_tll(&trZ, &r->X, &q->yminusx);\n fe_mul_tll(&trY, &r->Y, &q->yplusx);\n fe_mul_tlt(&trT, &q->xy2d, &p->T);\n fe_add(&r->T, &p->Z, &p->Z);\n fe_sub(&r->X, &trZ, &trY);\n fe_add(&r->Y, &trZ, &trY);\n fe_carry(&trZ, &r->T);\n fe_sub(&r->Z, &trZ, &trT);\n fe_add(&r->T, &trZ, &trT);\n}\n\n// r = p + q\nvoid x25519_ge_add(ge_p1p1 *r, const ge_p3 *p, const ge_cached *q) {\n fe trX, trY, trZ, trT;\n\n fe_add(&r->X, &p->Y, &p->X);\n fe_sub(&r->Y, &p->Y, &p->X);\n fe_mul_tll(&trZ, &r->X, &q->YplusX);\n fe_mul_tll(&trY, &r->Y, &q->YminusX);\n fe_mul_tlt(&trT, &q->T2d, &p->T);\n fe_mul_ttl(&trX, &p->Z, &q->Z);\n fe_add(&r->T, &trX, &trX);\n fe_sub(&r->X, &trZ, &trY);\n fe_add(&r->Y, &trZ, &trY);\n fe_carry(&trZ, &r->T);\n fe_add(&r->Z, &trZ, &trT);\n fe_sub(&r->T, &trZ, &trT);\n}\n\n// r = p - q\nvoid x25519_ge_sub(ge_p1p1 *r, const ge_p3 *p, const ge_cached *q) {\n fe trX, trY, trZ, trT;\n\n fe_add(&r->X, &p->Y, &p->X);\n fe_sub(&r->Y, &p->Y, &p->X);\n fe_mul_tll(&trZ, &r->X, &q->YminusX);\n fe_mul_tll(&trY, &r->Y, &q->YplusX);\n fe_mul_tlt(&trT, &q->T2d, &p->T);\n fe_mul_ttl(&trX, &p->Z, &q->Z);\n fe_add(&r->T, &trX, &trX);\n fe_sub(&r->X, &trZ, &trY);\n fe_add(&r->Y, &trZ, &trY);\n fe_carry(&trZ, &r->T);\n fe_sub(&r->Z, &trZ, &trT);\n fe_add(&r->T, &trZ, &trT);\n}\n\nstatic void cmov(ge_precomp *t, const ge_precomp *u, uint8_t b) {\n fe_cmov(&t->yplusx, &u->yplusx, b);\n fe_cmov(&t->yminusx, &u->yminusx, b);\n fe_cmov(&t->xy2d, &u->xy2d, b);\n}\n\nvoid x25519_ge_scalarmult_small_precomp(\n ge_p3 *h, const uint8_t a[32], const uint8_t precomp_table[15 * 2 * 32]) {\n // precomp_table is first expanded into matching |ge_precomp|\n // elements.\n ge_precomp multiples[15];\n\n unsigned i;\n for (i = 0; i < 15; i++) {\n // The precomputed table is assumed to already clear the top bit, so\n // |fe_frombytes_strict| may be used directly.\n const uint8_t *bytes = &precomp_table[i * (2 * 32)];\n fe x, y;\n fe_frombytes_strict(&x, bytes);\n fe_frombytes_strict(&y, bytes + 32);\n\n ge_precomp *out = &multiples[i];\n fe_add(&out->yplusx, &y, &x);\n fe_sub(&out->yminusx, &y, &x);\n fe_mul_ltt(&out->xy2d, &x, &y);\n fe_mul_llt(&out->xy2d, &out->xy2d, &d2);\n }\n\n // See the comment above |k25519SmallPrecomp| about the structure of the\n // precomputed elements. This loop does 64 additions and 64 doublings to\n // calculate the result.\n ge_p3_0(h);\n\n for (i = 63; i < 64; i--) {\n unsigned j;\n signed char index = 0;\n\n for (j = 0; j < 4; j++) {\n const uint8_t bit = 1 & (a[(8 * j) + (i / 8)] >> (i & 7));\n index |= (bit << j);\n }\n\n ge_precomp e;\n ge_precomp_0(&e);\n\n for (j = 1; j < 16; j++) {\n cmov(&e, &multiples[j - 1], 1 & constant_time_eq_w(index, j));\n }\n\n ge_cached cached;\n ge_p1p1 r;\n x25519_ge_p3_to_cached(&cached, h);\n x25519_ge_add(&r, h, &cached);\n x25519_ge_p1p1_to_p3(h, &r);\n\n ge_madd(&r, h, &e);\n x25519_ge_p1p1_to_p3(h, &r);\n }\n}\n\n#if defined(OPENSSL_SMALL)\n\nvoid x25519_ge_scalarmult_base(ge_p3 *h, const uint8_t a[32]) {\n x25519_ge_scalarmult_small_precomp(h, a, k25519SmallPrecomp);\n}\n\n#else\n\nstatic void table_select(ge_precomp *t, const int pos, const signed char b) {\n uint8_t bnegative = constant_time_msb_w(b);\n uint8_t babs = b - ((bnegative & b) << 1);\n\n uint8_t t_bytes[3][32] = {\n {static_cast(constant_time_is_zero_w(b) & 1)},\n {static_cast(constant_time_is_zero_w(b) & 1)},\n {0}};\n#if defined(__clang__) // materialize for vectorization, 6% speedup\n __asm__(\"\" : \"+m\"(t_bytes) : /*no inputs*/);\n#endif\n static_assert(sizeof(t_bytes) == sizeof(k25519Precomp[pos][0]), \"\");\n for (int i = 0; i < 8; i++) {\n constant_time_conditional_memxor(t_bytes, k25519Precomp[pos][i],\n sizeof(t_bytes),\n constant_time_eq_w(babs, 1 + i));\n }\n\n fe yplusx, yminusx, xy2d;\n fe_frombytes_strict(&yplusx, t_bytes[0]);\n fe_frombytes_strict(&yminusx, t_bytes[1]);\n fe_frombytes_strict(&xy2d, t_bytes[2]);\n\n fe_copy_lt(&t->yplusx, &yplusx);\n fe_copy_lt(&t->yminusx, &yminusx);\n fe_copy_lt(&t->xy2d, &xy2d);\n\n ge_precomp minust;\n fe_copy_lt(&minust.yplusx, &yminusx);\n fe_copy_lt(&minust.yminusx, &yplusx);\n fe_neg(&minust.xy2d, &xy2d);\n cmov(t, &minust, bnegative >> 7);\n}\n\n// h = a * B\n// where a = a[0]+256*a[1]+...+256^31 a[31]\n// B is the Ed25519 base point (x,4/5) with x positive.\n//\n// Preconditions:\n// a[31] <= 127\nvoid x25519_ge_scalarmult_base(ge_p3 *h, const uint8_t a[32]) {\n#if defined(BORINGSSL_FE25519_ADX)\n if (CRYPTO_is_BMI1_capable() && CRYPTO_is_BMI2_capable() &&\n CRYPTO_is_ADX_capable()) {\n uint8_t t[4][32];\n x25519_ge_scalarmult_base_adx(t, a);\n fiat_25519_from_bytes(h->X.v, t[0]);\n fiat_25519_from_bytes(h->Y.v, t[1]);\n fiat_25519_from_bytes(h->Z.v, t[2]);\n fiat_25519_from_bytes(h->T.v, t[3]);\n return;\n }\n#endif\n signed char e[64];\n signed char carry;\n ge_p1p1 r;\n ge_p2 s;\n ge_precomp t;\n int i;\n\n for (i = 0; i < 32; ++i) {\n e[2 * i + 0] = (a[i] >> 0) & 15;\n e[2 * i + 1] = (a[i] >> 4) & 15;\n }\n // each e[i] is between 0 and 15\n // e[63] is between 0 and 7\n\n carry = 0;\n for (i = 0; i < 63; ++i) {\n e[i] += carry;\n carry = e[i] + 8;\n carry >>= 4;\n e[i] -= carry << 4;\n }\n e[63] += carry;\n // each e[i] is between -8 and 8\n\n ge_p3_0(h);\n for (i = 1; i < 64; i += 2) {\n table_select(&t, i / 2, e[i]);\n ge_madd(&r, h, &t);\n x25519_ge_p1p1_to_p3(h, &r);\n }\n\n ge_p3_dbl(&r, h);\n x25519_ge_p1p1_to_p2(&s, &r);\n ge_p2_dbl(&r, &s);\n x25519_ge_p1p1_to_p2(&s, &r);\n ge_p2_dbl(&r, &s);\n x25519_ge_p1p1_to_p2(&s, &r);\n ge_p2_dbl(&r, &s);\n x25519_ge_p1p1_to_p3(h, &r);\n\n for (i = 0; i < 64; i += 2) {\n table_select(&t, i / 2, e[i]);\n ge_madd(&r, h, &t);\n x25519_ge_p1p1_to_p3(h, &r);\n }\n}\n\n#endif\n\nstatic void cmov_cached(ge_cached *t, ge_cached *u, uint8_t b) {\n fe_cmov(&t->YplusX, &u->YplusX, b);\n fe_cmov(&t->YminusX, &u->YminusX, b);\n fe_cmov(&t->Z, &u->Z, b);\n fe_cmov(&t->T2d, &u->T2d, b);\n}\n\n// r = scalar * A.\n// where a = a[0]+256*a[1]+...+256^31 a[31].\nvoid x25519_ge_scalarmult(ge_p2 *r, const uint8_t *scalar, const ge_p3 *A) {\n ge_p2 Ai_p2[8];\n ge_cached Ai[16];\n ge_p1p1 t;\n\n ge_cached_0(&Ai[0]);\n x25519_ge_p3_to_cached(&Ai[1], A);\n ge_p3_to_p2(&Ai_p2[1], A);\n\n unsigned i;\n for (i = 2; i < 16; i += 2) {\n ge_p2_dbl(&t, &Ai_p2[i / 2]);\n ge_p1p1_to_cached(&Ai[i], &t);\n if (i < 8) {\n x25519_ge_p1p1_to_p2(&Ai_p2[i], &t);\n }\n x25519_ge_add(&t, A, &Ai[i]);\n ge_p1p1_to_cached(&Ai[i + 1], &t);\n if (i < 7) {\n x25519_ge_p1p1_to_p2(&Ai_p2[i + 1], &t);\n }\n }\n\n ge_p2_0(r);\n ge_p3 u;\n\n for (i = 0; i < 256; i += 4) {\n ge_p2_dbl(&t, r);\n x25519_ge_p1p1_to_p2(r, &t);\n ge_p2_dbl(&t, r);\n x25519_ge_p1p1_to_p2(r, &t);\n ge_p2_dbl(&t, r);\n x25519_ge_p1p1_to_p2(r, &t);\n ge_p2_dbl(&t, r);\n x25519_ge_p1p1_to_p3(&u, &t);\n\n uint8_t index = scalar[31 - i / 8];\n index >>= 4 - (i & 4);\n index &= 0xf;\n\n unsigned j;\n ge_cached selected;\n ge_cached_0(&selected);\n for (j = 0; j < 16; j++) {\n cmov_cached(&selected, &Ai[j], 1 & constant_time_eq_w(index, j));\n }\n\n x25519_ge_add(&t, &u, &selected);\n x25519_ge_p1p1_to_p2(r, &t);\n }\n}\n\nstatic void slide(signed char *r, const uint8_t *a) {\n int i;\n int b;\n int k;\n\n for (i = 0; i < 256; ++i) {\n r[i] = 1 & (a[i >> 3] >> (i & 7));\n }\n\n for (i = 0; i < 256; ++i) {\n if (r[i]) {\n for (b = 1; b <= 6 && i + b < 256; ++b) {\n if (r[i + b]) {\n if (r[i] + (r[i + b] << b) <= 15) {\n r[i] += r[i + b] << b;\n r[i + b] = 0;\n } else if (r[i] - (r[i + b] << b) >= -15) {\n r[i] -= r[i + b] << b;\n for (k = i + b; k < 256; ++k) {\n if (!r[k]) {\n r[k] = 1;\n break;\n }\n r[k] = 0;\n }\n } else {\n break;\n }\n }\n }\n }\n }\n}\n\n// r = a * A + b * B\n// where a = a[0]+256*a[1]+...+256^31 a[31].\n// and b = b[0]+256*b[1]+...+256^31 b[31].\n// B is the Ed25519 base point (x,4/5) with x positive.\nstatic void ge_double_scalarmult_vartime(ge_p2 *r, const uint8_t *a,\n const ge_p3 *A, const uint8_t *b) {\n signed char aslide[256];\n signed char bslide[256];\n ge_cached Ai[8]; // A,3A,5A,7A,9A,11A,13A,15A\n ge_p1p1 t;\n ge_p3 u;\n ge_p3 A2;\n int i;\n\n slide(aslide, a);\n slide(bslide, b);\n\n x25519_ge_p3_to_cached(&Ai[0], A);\n ge_p3_dbl(&t, A);\n x25519_ge_p1p1_to_p3(&A2, &t);\n x25519_ge_add(&t, &A2, &Ai[0]);\n x25519_ge_p1p1_to_p3(&u, &t);\n x25519_ge_p3_to_cached(&Ai[1], &u);\n x25519_ge_add(&t, &A2, &Ai[1]);\n x25519_ge_p1p1_to_p3(&u, &t);\n x25519_ge_p3_to_cached(&Ai[2], &u);\n x25519_ge_add(&t, &A2, &Ai[2]);\n x25519_ge_p1p1_to_p3(&u, &t);\n x25519_ge_p3_to_cached(&Ai[3], &u);\n x25519_ge_add(&t, &A2, &Ai[3]);\n x25519_ge_p1p1_to_p3(&u, &t);\n x25519_ge_p3_to_cached(&Ai[4], &u);\n x25519_ge_add(&t, &A2, &Ai[4]);\n x25519_ge_p1p1_to_p3(&u, &t);\n x25519_ge_p3_to_cached(&Ai[5], &u);\n x25519_ge_add(&t, &A2, &Ai[5]);\n x25519_ge_p1p1_to_p3(&u, &t);\n x25519_ge_p3_to_cached(&Ai[6], &u);\n x25519_ge_add(&t, &A2, &Ai[6]);\n x25519_ge_p1p1_to_p3(&u, &t);\n x25519_ge_p3_to_cached(&Ai[7], &u);\n\n ge_p2_0(r);\n\n for (i = 255; i >= 0; --i) {\n if (aslide[i] || bslide[i]) {\n break;\n }\n }\n\n for (; i >= 0; --i) {\n ge_p2_dbl(&t, r);\n\n if (aslide[i] > 0) {\n x25519_ge_p1p1_to_p3(&u, &t);\n x25519_ge_add(&t, &u, &Ai[aslide[i] / 2]);\n } else if (aslide[i] < 0) {\n x25519_ge_p1p1_to_p3(&u, &t);\n x25519_ge_sub(&t, &u, &Ai[(-aslide[i]) / 2]);\n }\n\n if (bslide[i] > 0) {\n x25519_ge_p1p1_to_p3(&u, &t);\n ge_madd(&t, &u, &Bi[bslide[i] / 2]);\n } else if (bslide[i] < 0) {\n x25519_ge_p1p1_to_p3(&u, &t);\n ge_msub(&t, &u, &Bi[(-bslide[i]) / 2]);\n }\n\n x25519_ge_p1p1_to_p2(r, &t);\n }\n}\n\n// int64_lshift21 returns |a << 21| but is defined when shifting bits into the\n// sign bit. This works around a language flaw in C.\nstatic inline int64_t int64_lshift21(int64_t a) {\n return (int64_t)((uint64_t)a << 21);\n}\n\n// The set of scalars is \\Z/l\n// where l = 2^252 + 27742317777372353535851937790883648493.\n\n// Input:\n// s[0]+256*s[1]+...+256^63*s[63] = s\n//\n// Output:\n// s[0]+256*s[1]+...+256^31*s[31] = s mod l\n// where l = 2^252 + 27742317777372353535851937790883648493.\n// Overwrites s in place.\nvoid x25519_sc_reduce(uint8_t s[64]) {\n int64_t s0 = 2097151 & load_3(s);\n int64_t s1 = 2097151 & (load_4(s + 2) >> 5);\n int64_t s2 = 2097151 & (load_3(s + 5) >> 2);\n int64_t s3 = 2097151 & (load_4(s + 7) >> 7);\n int64_t s4 = 2097151 & (load_4(s + 10) >> 4);\n int64_t s5 = 2097151 & (load_3(s + 13) >> 1);\n int64_t s6 = 2097151 & (load_4(s + 15) >> 6);\n int64_t s7 = 2097151 & (load_3(s + 18) >> 3);\n int64_t s8 = 2097151 & load_3(s + 21);\n int64_t s9 = 2097151 & (load_4(s + 23) >> 5);\n int64_t s10 = 2097151 & (load_3(s + 26) >> 2);\n int64_t s11 = 2097151 & (load_4(s + 28) >> 7);\n int64_t s12 = 2097151 & (load_4(s + 31) >> 4);\n int64_t s13 = 2097151 & (load_3(s + 34) >> 1);\n int64_t s14 = 2097151 & (load_4(s + 36) >> 6);\n int64_t s15 = 2097151 & (load_3(s + 39) >> 3);\n int64_t s16 = 2097151 & load_3(s + 42);\n int64_t s17 = 2097151 & (load_4(s + 44) >> 5);\n int64_t s18 = 2097151 & (load_3(s + 47) >> 2);\n int64_t s19 = 2097151 & (load_4(s + 49) >> 7);\n int64_t s20 = 2097151 & (load_4(s + 52) >> 4);\n int64_t s21 = 2097151 & (load_3(s + 55) >> 1);\n int64_t s22 = 2097151 & (load_4(s + 57) >> 6);\n int64_t s23 = (load_4(s + 60) >> 3);\n int64_t carry0;\n int64_t carry1;\n int64_t carry2;\n int64_t carry3;\n int64_t carry4;\n int64_t carry5;\n int64_t carry6;\n int64_t carry7;\n int64_t carry8;\n int64_t carry9;\n int64_t carry10;\n int64_t carry11;\n int64_t carry12;\n int64_t carry13;\n int64_t carry14;\n int64_t carry15;\n int64_t carry16;\n\n s11 += s23 * 666643;\n s12 += s23 * 470296;\n s13 += s23 * 654183;\n s14 -= s23 * 997805;\n s15 += s23 * 136657;\n s16 -= s23 * 683901;\n s23 = 0;\n\n s10 += s22 * 666643;\n s11 += s22 * 470296;\n s12 += s22 * 654183;\n s13 -= s22 * 997805;\n s14 += s22 * 136657;\n s15 -= s22 * 683901;\n s22 = 0;\n\n s9 += s21 * 666643;\n s10 += s21 * 470296;\n s11 += s21 * 654183;\n s12 -= s21 * 997805;\n s13 += s21 * 136657;\n s14 -= s21 * 683901;\n s21 = 0;\n\n s8 += s20 * 666643;\n s9 += s20 * 470296;\n s10 += s20 * 654183;\n s11 -= s20 * 997805;\n s12 += s20 * 136657;\n s13 -= s20 * 683901;\n s20 = 0;\n\n s7 += s19 * 666643;\n s8 += s19 * 470296;\n s9 += s19 * 654183;\n s10 -= s19 * 997805;\n s11 += s19 * 136657;\n s12 -= s19 * 683901;\n s19 = 0;\n\n s6 += s18 * 666643;\n s7 += s18 * 470296;\n s8 += s18 * 654183;\n s9 -= s18 * 997805;\n s10 += s18 * 136657;\n s11 -= s18 * 683901;\n s18 = 0;\n\n carry6 = (s6 + (1 << 20)) >> 21;\n s7 += carry6;\n s6 -= int64_lshift21(carry6);\n carry8 = (s8 + (1 << 20)) >> 21;\n s9 += carry8;\n s8 -= int64_lshift21(carry8);\n carry10 = (s10 + (1 << 20)) >> 21;\n s11 += carry10;\n s10 -= int64_lshift21(carry10);\n carry12 = (s12 + (1 << 20)) >> 21;\n s13 += carry12;\n s12 -= int64_lshift21(carry12);\n carry14 = (s14 + (1 << 20)) >> 21;\n s15 += carry14;\n s14 -= int64_lshift21(carry14);\n carry16 = (s16 + (1 << 20)) >> 21;\n s17 += carry16;\n s16 -= int64_lshift21(carry16);\n\n carry7 = (s7 + (1 << 20)) >> 21;\n s8 += carry7;\n s7 -= int64_lshift21(carry7);\n carry9 = (s9 + (1 << 20)) >> 21;\n s10 += carry9;\n s9 -= int64_lshift21(carry9);\n carry11 = (s11 + (1 << 20)) >> 21;\n s12 += carry11;\n s11 -= int64_lshift21(carry11);\n carry13 = (s13 + (1 << 20)) >> 21;\n s14 += carry13;\n s13 -= int64_lshift21(carry13);\n carry15 = (s15 + (1 << 20)) >> 21;\n s16 += carry15;\n s15 -= int64_lshift21(carry15);\n\n s5 += s17 * 666643;\n s6 += s17 * 470296;\n s7 += s17 * 654183;\n s8 -= s17 * 997805;\n s9 += s17 * 136657;\n s10 -= s17 * 683901;\n s17 = 0;\n\n s4 += s16 * 666643;\n s5 += s16 * 470296;\n s6 += s16 * 654183;\n s7 -= s16 * 997805;\n s8 += s16 * 136657;\n s9 -= s16 * 683901;\n s16 = 0;\n\n s3 += s15 * 666643;\n s4 += s15 * 470296;\n s5 += s15 * 654183;\n s6 -= s15 * 997805;\n s7 += s15 * 136657;\n s8 -= s15 * 683901;\n s15 = 0;\n\n s2 += s14 * 666643;\n s3 += s14 * 470296;\n s4 += s14 * 654183;\n s5 -= s14 * 997805;\n s6 += s14 * 136657;\n s7 -= s14 * 683901;\n s14 = 0;\n\n s1 += s13 * 666643;\n s2 += s13 * 470296;\n s3 += s13 * 654183;\n s4 -= s13 * 997805;\n s5 += s13 * 136657;\n s6 -= s13 * 683901;\n s13 = 0;\n\n s0 += s12 * 666643;\n s1 += s12 * 470296;\n s2 += s12 * 654183;\n s3 -= s12 * 997805;\n s4 += s12 * 136657;\n s5 -= s12 * 683901;\n s12 = 0;\n\n carry0 = (s0 + (1 << 20)) >> 21;\n s1 += carry0;\n s0 -= int64_lshift21(carry0);\n carry2 = (s2 + (1 << 20)) >> 21;\n s3 += carry2;\n s2 -= int64_lshift21(carry2);\n carry4 = (s4 + (1 << 20)) >> 21;\n s5 += carry4;\n s4 -= int64_lshift21(carry4);\n carry6 = (s6 + (1 << 20)) >> 21;\n s7 += carry6;\n s6 -= int64_lshift21(carry6);\n carry8 = (s8 + (1 << 20)) >> 21;\n s9 += carry8;\n s8 -= int64_lshift21(carry8);\n carry10 = (s10 + (1 << 20)) >> 21;\n s11 += carry10;\n s10 -= int64_lshift21(carry10);\n\n carry1 = (s1 + (1 << 20)) >> 21;\n s2 += carry1;\n s1 -= int64_lshift21(carry1);\n carry3 = (s3 + (1 << 20)) >> 21;\n s4 += carry3;\n s3 -= int64_lshift21(carry3);\n carry5 = (s5 + (1 << 20)) >> 21;\n s6 += carry5;\n s5 -= int64_lshift21(carry5);\n carry7 = (s7 + (1 << 20)) >> 21;\n s8 += carry7;\n s7 -= int64_lshift21(carry7);\n carry9 = (s9 + (1 << 20)) >> 21;\n s10 += carry9;\n s9 -= int64_lshift21(carry9);\n carry11 = (s11 + (1 << 20)) >> 21;\n s12 += carry11;\n s11 -= int64_lshift21(carry11);\n\n s0 += s12 * 666643;\n s1 += s12 * 470296;\n s2 += s12 * 654183;\n s3 -= s12 * 997805;\n s4 += s12 * 136657;\n s5 -= s12 * 683901;\n s12 = 0;\n\n carry0 = s0 >> 21;\n s1 += carry0;\n s0 -= int64_lshift21(carry0);\n carry1 = s1 >> 21;\n s2 += carry1;\n s1 -= int64_lshift21(carry1);\n carry2 = s2 >> 21;\n s3 += carry2;\n s2 -= int64_lshift21(carry2);\n carry3 = s3 >> 21;\n s4 += carry3;\n s3 -= int64_lshift21(carry3);\n carry4 = s4 >> 21;\n s5 += carry4;\n s4 -= int64_lshift21(carry4);\n carry5 = s5 >> 21;\n s6 += carry5;\n s5 -= int64_lshift21(carry5);\n carry6 = s6 >> 21;\n s7 += carry6;\n s6 -= int64_lshift21(carry6);\n carry7 = s7 >> 21;\n s8 += carry7;\n s7 -= int64_lshift21(carry7);\n carry8 = s8 >> 21;\n s9 += carry8;\n s8 -= int64_lshift21(carry8);\n carry9 = s9 >> 21;\n s10 += carry9;\n s9 -= int64_lshift21(carry9);\n carry10 = s10 >> 21;\n s11 += carry10;\n s10 -= int64_lshift21(carry10);\n carry11 = s11 >> 21;\n s12 += carry11;\n s11 -= int64_lshift21(carry11);\n\n s0 += s12 * 666643;\n s1 += s12 * 470296;\n s2 += s12 * 654183;\n s3 -= s12 * 997805;\n s4 += s12 * 136657;\n s5 -= s12 * 683901;\n s12 = 0;\n\n carry0 = s0 >> 21;\n s1 += carry0;\n s0 -= int64_lshift21(carry0);\n carry1 = s1 >> 21;\n s2 += carry1;\n s1 -= int64_lshift21(carry1);\n carry2 = s2 >> 21;\n s3 += carry2;\n s2 -= int64_lshift21(carry2);\n carry3 = s3 >> 21;\n s4 += carry3;\n s3 -= int64_lshift21(carry3);\n carry4 = s4 >> 21;\n s5 += carry4;\n s4 -= int64_lshift21(carry4);\n carry5 = s5 >> 21;\n s6 += carry5;\n s5 -= int64_lshift21(carry5);\n carry6 = s6 >> 21;\n s7 += carry6;\n s6 -= int64_lshift21(carry6);\n carry7 = s7 >> 21;\n s8 += carry7;\n s7 -= int64_lshift21(carry7);\n carry8 = s8 >> 21;\n s9 += carry8;\n s8 -= int64_lshift21(carry8);\n carry9 = s9 >> 21;\n s10 += carry9;\n s9 -= int64_lshift21(carry9);\n carry10 = s10 >> 21;\n s11 += carry10;\n s10 -= int64_lshift21(carry10);\n\n s[0] = s0 >> 0;\n s[1] = s0 >> 8;\n s[2] = (s0 >> 16) | (s1 << 5);\n s[3] = s1 >> 3;\n s[4] = s1 >> 11;\n s[5] = (s1 >> 19) | (s2 << 2);\n s[6] = s2 >> 6;\n s[7] = (s2 >> 14) | (s3 << 7);\n s[8] = s3 >> 1;\n s[9] = s3 >> 9;\n s[10] = (s3 >> 17) | (s4 << 4);\n s[11] = s4 >> 4;\n s[12] = s4 >> 12;\n s[13] = (s4 >> 20) | (s5 << 1);\n s[14] = s5 >> 7;\n s[15] = (s5 >> 15) | (s6 << 6);\n s[16] = s6 >> 2;\n s[17] = s6 >> 10;\n s[18] = (s6 >> 18) | (s7 << 3);\n s[19] = s7 >> 5;\n s[20] = s7 >> 13;\n s[21] = s8 >> 0;\n s[22] = s8 >> 8;\n s[23] = (s8 >> 16) | (s9 << 5);\n s[24] = s9 >> 3;\n s[25] = s9 >> 11;\n s[26] = (s9 >> 19) | (s10 << 2);\n s[27] = s10 >> 6;\n s[28] = (s10 >> 14) | (s11 << 7);\n s[29] = s11 >> 1;\n s[30] = s11 >> 9;\n s[31] = s11 >> 17;\n}\n\n// Input:\n// a[0]+256*a[1]+...+256^31*a[31] = a\n// b[0]+256*b[1]+...+256^31*b[31] = b\n// c[0]+256*c[1]+...+256^31*c[31] = c\n//\n// Output:\n// s[0]+256*s[1]+...+256^31*s[31] = (ab+c) mod l\n// where l = 2^252 + 27742317777372353535851937790883648493.\nstatic void sc_muladd(uint8_t *s, const uint8_t *a, const uint8_t *b,\n const uint8_t *c) {\n int64_t a0 = 2097151 & load_3(a);\n int64_t a1 = 2097151 & (load_4(a + 2) >> 5);\n int64_t a2 = 2097151 & (load_3(a + 5) >> 2);\n int64_t a3 = 2097151 & (load_4(a + 7) >> 7);\n int64_t a4 = 2097151 & (load_4(a + 10) >> 4);\n int64_t a5 = 2097151 & (load_3(a + 13) >> 1);\n int64_t a6 = 2097151 & (load_4(a + 15) >> 6);\n int64_t a7 = 2097151 & (load_3(a + 18) >> 3);\n int64_t a8 = 2097151 & load_3(a + 21);\n int64_t a9 = 2097151 & (load_4(a + 23) >> 5);\n int64_t a10 = 2097151 & (load_3(a + 26) >> 2);\n int64_t a11 = (load_4(a + 28) >> 7);\n int64_t b0 = 2097151 & load_3(b);\n int64_t b1 = 2097151 & (load_4(b + 2) >> 5);\n int64_t b2 = 2097151 & (load_3(b + 5) >> 2);\n int64_t b3 = 2097151 & (load_4(b + 7) >> 7);\n int64_t b4 = 2097151 & (load_4(b + 10) >> 4);\n int64_t b5 = 2097151 & (load_3(b + 13) >> 1);\n int64_t b6 = 2097151 & (load_4(b + 15) >> 6);\n int64_t b7 = 2097151 & (load_3(b + 18) >> 3);\n int64_t b8 = 2097151 & load_3(b + 21);\n int64_t b9 = 2097151 & (load_4(b + 23) >> 5);\n int64_t b10 = 2097151 & (load_3(b + 26) >> 2);\n int64_t b11 = (load_4(b + 28) >> 7);\n int64_t c0 = 2097151 & load_3(c);\n int64_t c1 = 2097151 & (load_4(c + 2) >> 5);\n int64_t c2 = 2097151 & (load_3(c + 5) >> 2);\n int64_t c3 = 2097151 & (load_4(c + 7) >> 7);\n int64_t c4 = 2097151 & (load_4(c + 10) >> 4);\n int64_t c5 = 2097151 & (load_3(c + 13) >> 1);\n int64_t c6 = 2097151 & (load_4(c + 15) >> 6);\n int64_t c7 = 2097151 & (load_3(c + 18) >> 3);\n int64_t c8 = 2097151 & load_3(c + 21);\n int64_t c9 = 2097151 & (load_4(c + 23) >> 5);\n int64_t c10 = 2097151 & (load_3(c + 26) >> 2);\n int64_t c11 = (load_4(c + 28) >> 7);\n int64_t s0;\n int64_t s1;\n int64_t s2;\n int64_t s3;\n int64_t s4;\n int64_t s5;\n int64_t s6;\n int64_t s7;\n int64_t s8;\n int64_t s9;\n int64_t s10;\n int64_t s11;\n int64_t s12;\n int64_t s13;\n int64_t s14;\n int64_t s15;\n int64_t s16;\n int64_t s17;\n int64_t s18;\n int64_t s19;\n int64_t s20;\n int64_t s21;\n int64_t s22;\n int64_t s23;\n int64_t carry0;\n int64_t carry1;\n int64_t carry2;\n int64_t carry3;\n int64_t carry4;\n int64_t carry5;\n int64_t carry6;\n int64_t carry7;\n int64_t carry8;\n int64_t carry9;\n int64_t carry10;\n int64_t carry11;\n int64_t carry12;\n int64_t carry13;\n int64_t carry14;\n int64_t carry15;\n int64_t carry16;\n int64_t carry17;\n int64_t carry18;\n int64_t carry19;\n int64_t carry20;\n int64_t carry21;\n int64_t carry22;\n\n s0 = c0 + a0 * b0;\n s1 = c1 + a0 * b1 + a1 * b0;\n s2 = c2 + a0 * b2 + a1 * b1 + a2 * b0;\n s3 = c3 + a0 * b3 + a1 * b2 + a2 * b1 + a3 * b0;\n s4 = c4 + a0 * b4 + a1 * b3 + a2 * b2 + a3 * b1 + a4 * b0;\n s5 = c5 + a0 * b5 + a1 * b4 + a2 * b3 + a3 * b2 + a4 * b1 + a5 * b0;\n s6 = c6 + a0 * b6 + a1 * b5 + a2 * b4 + a3 * b3 + a4 * b2 + a5 * b1 + a6 * b0;\n s7 = c7 + a0 * b7 + a1 * b6 + a2 * b5 + a3 * b4 + a4 * b3 + a5 * b2 +\n a6 * b1 + a7 * b0;\n s8 = c8 + a0 * b8 + a1 * b7 + a2 * b6 + a3 * b5 + a4 * b4 + a5 * b3 +\n a6 * b2 + a7 * b1 + a8 * b0;\n s9 = c9 + a0 * b9 + a1 * b8 + a2 * b7 + a3 * b6 + a4 * b5 + a5 * b4 +\n a6 * b3 + a7 * b2 + a8 * b1 + a9 * b0;\n s10 = c10 + a0 * b10 + a1 * b9 + a2 * b8 + a3 * b7 + a4 * b6 + a5 * b5 +\n a6 * b4 + a7 * b3 + a8 * b2 + a9 * b1 + a10 * b0;\n s11 = c11 + a0 * b11 + a1 * b10 + a2 * b9 + a3 * b8 + a4 * b7 + a5 * b6 +\n a6 * b5 + a7 * b4 + a8 * b3 + a9 * b2 + a10 * b1 + a11 * b0;\n s12 = a1 * b11 + a2 * b10 + a3 * b9 + a4 * b8 + a5 * b7 + a6 * b6 + a7 * b5 +\n a8 * b4 + a9 * b3 + a10 * b2 + a11 * b1;\n s13 = a2 * b11 + a3 * b10 + a4 * b9 + a5 * b8 + a6 * b7 + a7 * b6 + a8 * b5 +\n a9 * b4 + a10 * b3 + a11 * b2;\n s14 = a3 * b11 + a4 * b10 + a5 * b9 + a6 * b8 + a7 * b7 + a8 * b6 + a9 * b5 +\n a10 * b4 + a11 * b3;\n s15 = a4 * b11 + a5 * b10 + a6 * b9 + a7 * b8 + a8 * b7 + a9 * b6 + a10 * b5 +\n a11 * b4;\n s16 = a5 * b11 + a6 * b10 + a7 * b9 + a8 * b8 + a9 * b7 + a10 * b6 + a11 * b5;\n s17 = a6 * b11 + a7 * b10 + a8 * b9 + a9 * b8 + a10 * b7 + a11 * b6;\n s18 = a7 * b11 + a8 * b10 + a9 * b9 + a10 * b8 + a11 * b7;\n s19 = a8 * b11 + a9 * b10 + a10 * b9 + a11 * b8;\n s20 = a9 * b11 + a10 * b10 + a11 * b9;\n s21 = a10 * b11 + a11 * b10;\n s22 = a11 * b11;\n s23 = 0;\n\n carry0 = (s0 + (1 << 20)) >> 21;\n s1 += carry0;\n s0 -= int64_lshift21(carry0);\n carry2 = (s2 + (1 << 20)) >> 21;\n s3 += carry2;\n s2 -= int64_lshift21(carry2);\n carry4 = (s4 + (1 << 20)) >> 21;\n s5 += carry4;\n s4 -= int64_lshift21(carry4);\n carry6 = (s6 + (1 << 20)) >> 21;\n s7 += carry6;\n s6 -= int64_lshift21(carry6);\n carry8 = (s8 + (1 << 20)) >> 21;\n s9 += carry8;\n s8 -= int64_lshift21(carry8);\n carry10 = (s10 + (1 << 20)) >> 21;\n s11 += carry10;\n s10 -= int64_lshift21(carry10);\n carry12 = (s12 + (1 << 20)) >> 21;\n s13 += carry12;\n s12 -= int64_lshift21(carry12);\n carry14 = (s14 + (1 << 20)) >> 21;\n s15 += carry14;\n s14 -= int64_lshift21(carry14);\n carry16 = (s16 + (1 << 20)) >> 21;\n s17 += carry16;\n s16 -= int64_lshift21(carry16);\n carry18 = (s18 + (1 << 20)) >> 21;\n s19 += carry18;\n s18 -= int64_lshift21(carry18);\n carry20 = (s20 + (1 << 20)) >> 21;\n s21 += carry20;\n s20 -= int64_lshift21(carry20);\n carry22 = (s22 + (1 << 20)) >> 21;\n s23 += carry22;\n s22 -= int64_lshift21(carry22);\n\n carry1 = (s1 + (1 << 20)) >> 21;\n s2 += carry1;\n s1 -= int64_lshift21(carry1);\n carry3 = (s3 + (1 << 20)) >> 21;\n s4 += carry3;\n s3 -= int64_lshift21(carry3);\n carry5 = (s5 + (1 << 20)) >> 21;\n s6 += carry5;\n s5 -= int64_lshift21(carry5);\n carry7 = (s7 + (1 << 20)) >> 21;\n s8 += carry7;\n s7 -= int64_lshift21(carry7);\n carry9 = (s9 + (1 << 20)) >> 21;\n s10 += carry9;\n s9 -= int64_lshift21(carry9);\n carry11 = (s11 + (1 << 20)) >> 21;\n s12 += carry11;\n s11 -= int64_lshift21(carry11);\n carry13 = (s13 + (1 << 20)) >> 21;\n s14 += carry13;\n s13 -= int64_lshift21(carry13);\n carry15 = (s15 + (1 << 20)) >> 21;\n s16 += carry15;\n s15 -= int64_lshift21(carry15);\n carry17 = (s17 + (1 << 20)) >> 21;\n s18 += carry17;\n s17 -= int64_lshift21(carry17);\n carry19 = (s19 + (1 << 20)) >> 21;\n s20 += carry19;\n s19 -= int64_lshift21(carry19);\n carry21 = (s21 + (1 << 20)) >> 21;\n s22 += carry21;\n s21 -= int64_lshift21(carry21);\n\n s11 += s23 * 666643;\n s12 += s23 * 470296;\n s13 += s23 * 654183;\n s14 -= s23 * 997805;\n s15 += s23 * 136657;\n s16 -= s23 * 683901;\n s23 = 0;\n\n s10 += s22 * 666643;\n s11 += s22 * 470296;\n s12 += s22 * 654183;\n s13 -= s22 * 997805;\n s14 += s22 * 136657;\n s15 -= s22 * 683901;\n s22 = 0;\n\n s9 += s21 * 666643;\n s10 += s21 * 470296;\n s11 += s21 * 654183;\n s12 -= s21 * 997805;\n s13 += s21 * 136657;\n s14 -= s21 * 683901;\n s21 = 0;\n\n s8 += s20 * 666643;\n s9 += s20 * 470296;\n s10 += s20 * 654183;\n s11 -= s20 * 997805;\n s12 += s20 * 136657;\n s13 -= s20 * 683901;\n s20 = 0;\n\n s7 += s19 * 666643;\n s8 += s19 * 470296;\n s9 += s19 * 654183;\n s10 -= s19 * 997805;\n s11 += s19 * 136657;\n s12 -= s19 * 683901;\n s19 = 0;\n\n s6 += s18 * 666643;\n s7 += s18 * 470296;\n s8 += s18 * 654183;\n s9 -= s18 * 997805;\n s10 += s18 * 136657;\n s11 -= s18 * 683901;\n s18 = 0;\n\n carry6 = (s6 + (1 << 20)) >> 21;\n s7 += carry6;\n s6 -= int64_lshift21(carry6);\n carry8 = (s8 + (1 << 20)) >> 21;\n s9 += carry8;\n s8 -= int64_lshift21(carry8);\n carry10 = (s10 + (1 << 20)) >> 21;\n s11 += carry10;\n s10 -= int64_lshift21(carry10);\n carry12 = (s12 + (1 << 20)) >> 21;\n s13 += carry12;\n s12 -= int64_lshift21(carry12);\n carry14 = (s14 + (1 << 20)) >> 21;\n s15 += carry14;\n s14 -= int64_lshift21(carry14);\n carry16 = (s16 + (1 << 20)) >> 21;\n s17 += carry16;\n s16 -= int64_lshift21(carry16);\n\n carry7 = (s7 + (1 << 20)) >> 21;\n s8 += carry7;\n s7 -= int64_lshift21(carry7);\n carry9 = (s9 + (1 << 20)) >> 21;\n s10 += carry9;\n s9 -= int64_lshift21(carry9);\n carry11 = (s11 + (1 << 20)) >> 21;\n s12 += carry11;\n s11 -= int64_lshift21(carry11);\n carry13 = (s13 + (1 << 20)) >> 21;\n s14 += carry13;\n s13 -= int64_lshift21(carry13);\n carry15 = (s15 + (1 << 20)) >> 21;\n s16 += carry15;\n s15 -= int64_lshift21(carry15);\n\n s5 += s17 * 666643;\n s6 += s17 * 470296;\n s7 += s17 * 654183;\n s8 -= s17 * 997805;\n s9 += s17 * 136657;\n s10 -= s17 * 683901;\n s17 = 0;\n\n s4 += s16 * 666643;\n s5 += s16 * 470296;\n s6 += s16 * 654183;\n s7 -= s16 * 997805;\n s8 += s16 * 136657;\n s9 -= s16 * 683901;\n s16 = 0;\n\n s3 += s15 * 666643;\n s4 += s15 * 470296;\n s5 += s15 * 654183;\n s6 -= s15 * 997805;\n s7 += s15 * 136657;\n s8 -= s15 * 683901;\n s15 = 0;\n\n s2 += s14 * 666643;\n s3 += s14 * 470296;\n s4 += s14 * 654183;\n s5 -= s14 * 997805;\n s6 += s14 * 136657;\n s7 -= s14 * 683901;\n s14 = 0;\n\n s1 += s13 * 666643;\n s2 += s13 * 470296;\n s3 += s13 * 654183;\n s4 -= s13 * 997805;\n s5 += s13 * 136657;\n s6 -= s13 * 683901;\n s13 = 0;\n\n s0 += s12 * 666643;\n s1 += s12 * 470296;\n s2 += s12 * 654183;\n s3 -= s12 * 997805;\n s4 += s12 * 136657;\n s5 -= s12 * 683901;\n s12 = 0;\n\n carry0 = (s0 + (1 << 20)) >> 21;\n s1 += carry0;\n s0 -= int64_lshift21(carry0);\n carry2 = (s2 + (1 << 20)) >> 21;\n s3 += carry2;\n s2 -= int64_lshift21(carry2);\n carry4 = (s4 + (1 << 20)) >> 21;\n s5 += carry4;\n s4 -= int64_lshift21(carry4);\n carry6 = (s6 + (1 << 20)) >> 21;\n s7 += carry6;\n s6 -= int64_lshift21(carry6);\n carry8 = (s8 + (1 << 20)) >> 21;\n s9 += carry8;\n s8 -= int64_lshift21(carry8);\n carry10 = (s10 + (1 << 20)) >> 21;\n s11 += carry10;\n s10 -= int64_lshift21(carry10);\n\n carry1 = (s1 + (1 << 20)) >> 21;\n s2 += carry1;\n s1 -= int64_lshift21(carry1);\n carry3 = (s3 + (1 << 20)) >> 21;\n s4 += carry3;\n s3 -= int64_lshift21(carry3);\n carry5 = (s5 + (1 << 20)) >> 21;\n s6 += carry5;\n s5 -= int64_lshift21(carry5);\n carry7 = (s7 + (1 << 20)) >> 21;\n s8 += carry7;\n s7 -= int64_lshift21(carry7);\n carry9 = (s9 + (1 << 20)) >> 21;\n s10 += carry9;\n s9 -= int64_lshift21(carry9);\n carry11 = (s11 + (1 << 20)) >> 21;\n s12 += carry11;\n s11 -= int64_lshift21(carry11);\n\n s0 += s12 * 666643;\n s1 += s12 * 470296;\n s2 += s12 * 654183;\n s3 -= s12 * 997805;\n s4 += s12 * 136657;\n s5 -= s12 * 683901;\n s12 = 0;\n\n carry0 = s0 >> 21;\n s1 += carry0;\n s0 -= int64_lshift21(carry0);\n carry1 = s1 >> 21;\n s2 += carry1;\n s1 -= int64_lshift21(carry1);\n carry2 = s2 >> 21;\n s3 += carry2;\n s2 -= int64_lshift21(carry2);\n carry3 = s3 >> 21;\n s4 += carry3;\n s3 -= int64_lshift21(carry3);\n carry4 = s4 >> 21;\n s5 += carry4;\n s4 -= int64_lshift21(carry4);\n carry5 = s5 >> 21;\n s6 += carry5;\n s5 -= int64_lshift21(carry5);\n carry6 = s6 >> 21;\n s7 += carry6;\n s6 -= int64_lshift21(carry6);\n carry7 = s7 >> 21;\n s8 += carry7;\n s7 -= int64_lshift21(carry7);\n carry8 = s8 >> 21;\n s9 += carry8;\n s8 -= int64_lshift21(carry8);\n carry9 = s9 >> 21;\n s10 += carry9;\n s9 -= int64_lshift21(carry9);\n carry10 = s10 >> 21;\n s11 += carry10;\n s10 -= int64_lshift21(carry10);\n carry11 = s11 >> 21;\n s12 += carry11;\n s11 -= int64_lshift21(carry11);\n\n s0 += s12 * 666643;\n s1 += s12 * 470296;\n s2 += s12 * 654183;\n s3 -= s12 * 997805;\n s4 += s12 * 136657;\n s5 -= s12 * 683901;\n s12 = 0;\n\n carry0 = s0 >> 21;\n s1 += carry0;\n s0 -= int64_lshift21(carry0);\n carry1 = s1 >> 21;\n s2 += carry1;\n s1 -= int64_lshift21(carry1);\n carry2 = s2 >> 21;\n s3 += carry2;\n s2 -= int64_lshift21(carry2);\n carry3 = s3 >> 21;\n s4 += carry3;\n s3 -= int64_lshift21(carry3);\n carry4 = s4 >> 21;\n s5 += carry4;\n s4 -= int64_lshift21(carry4);\n carry5 = s5 >> 21;\n s6 += carry5;\n s5 -= int64_lshift21(carry5);\n carry6 = s6 >> 21;\n s7 += carry6;\n s6 -= int64_lshift21(carry6);\n carry7 = s7 >> 21;\n s8 += carry7;\n s7 -= int64_lshift21(carry7);\n carry8 = s8 >> 21;\n s9 += carry8;\n s8 -= int64_lshift21(carry8);\n carry9 = s9 >> 21;\n s10 += carry9;\n s9 -= int64_lshift21(carry9);\n carry10 = s10 >> 21;\n s11 += carry10;\n s10 -= int64_lshift21(carry10);\n\n s[0] = s0 >> 0;\n s[1] = s0 >> 8;\n s[2] = (s0 >> 16) | (s1 << 5);\n s[3] = s1 >> 3;\n s[4] = s1 >> 11;\n s[5] = (s1 >> 19) | (s2 << 2);\n s[6] = s2 >> 6;\n s[7] = (s2 >> 14) | (s3 << 7);\n s[8] = s3 >> 1;\n s[9] = s3 >> 9;\n s[10] = (s3 >> 17) | (s4 << 4);\n s[11] = s4 >> 4;\n s[12] = s4 >> 12;\n s[13] = (s4 >> 20) | (s5 << 1);\n s[14] = s5 >> 7;\n s[15] = (s5 >> 15) | (s6 << 6);\n s[16] = s6 >> 2;\n s[17] = s6 >> 10;\n s[18] = (s6 >> 18) | (s7 << 3);\n s[19] = s7 >> 5;\n s[20] = s7 >> 13;\n s[21] = s8 >> 0;\n s[22] = s8 >> 8;\n s[23] = (s8 >> 16) | (s9 << 5);\n s[24] = s9 >> 3;\n s[25] = s9 >> 11;\n s[26] = (s9 >> 19) | (s10 << 2);\n s[27] = s10 >> 6;\n s[28] = (s10 >> 14) | (s11 << 7);\n s[29] = s11 >> 1;\n s[30] = s11 >> 9;\n s[31] = s11 >> 17;\n}\n\nvoid ED25519_keypair(uint8_t out_public_key[32], uint8_t out_private_key[64]) {\n uint8_t seed[32];\n RAND_bytes(seed, 32);\n ED25519_keypair_from_seed(out_public_key, out_private_key, seed);\n}\n\nint ED25519_sign(uint8_t out_sig[64], const uint8_t *message,\n size_t message_len, const uint8_t private_key[64]) {\n // NOTE: The documentation on this function says that it returns zero on\n // allocation failure. While that can't happen with the current\n // implementation, we want to reserve the ability to allocate in this\n // implementation in the future.\n\n uint8_t az[SHA512_DIGEST_LENGTH];\n SHA512(private_key, 32, az);\n\n az[0] &= 248;\n az[31] &= 63;\n az[31] |= 64;\n\n SHA512_CTX hash_ctx;\n SHA512_Init(&hash_ctx);\n SHA512_Update(&hash_ctx, az + 32, 32);\n SHA512_Update(&hash_ctx, message, message_len);\n uint8_t nonce[SHA512_DIGEST_LENGTH];\n SHA512_Final(nonce, &hash_ctx);\n\n x25519_sc_reduce(nonce);\n ge_p3 R;\n x25519_ge_scalarmult_base(&R, nonce);\n ge_p3_tobytes(out_sig, &R);\n\n SHA512_Init(&hash_ctx);\n SHA512_Update(&hash_ctx, out_sig, 32);\n SHA512_Update(&hash_ctx, private_key + 32, 32);\n SHA512_Update(&hash_ctx, message, message_len);\n uint8_t hram[SHA512_DIGEST_LENGTH];\n SHA512_Final(hram, &hash_ctx);\n\n x25519_sc_reduce(hram);\n sc_muladd(out_sig + 32, hram, az, nonce);\n\n // The signature is computed from the private key, but is public.\n CONSTTIME_DECLASSIFY(out_sig, 64);\n return 1;\n}\n\nint ED25519_verify(const uint8_t *message, size_t message_len,\n const uint8_t signature[64], const uint8_t public_key[32]) {\n ge_p3 A;\n if ((signature[63] & 224) != 0 ||\n !x25519_ge_frombytes_vartime(&A, public_key)) {\n return 0;\n }\n\n fe_loose t;\n fe_neg(&t, &A.X);\n fe_carry(&A.X, &t);\n fe_neg(&t, &A.T);\n fe_carry(&A.T, &t);\n\n uint8_t pkcopy[32];\n OPENSSL_memcpy(pkcopy, public_key, 32);\n uint8_t rcopy[32];\n OPENSSL_memcpy(rcopy, signature, 32);\n uint8_t scopy[32];\n OPENSSL_memcpy(scopy, signature + 32, 32);\n\n // https://tools.ietf.org/html/rfc8032#section-5.1.7 requires that s be in\n // the range [0, order) in order to prevent signature malleability.\n\n // kOrder is the order of Curve25519 in little-endian form.\n static const uint64_t kOrder[4] = {\n UINT64_C(0x5812631a5cf5d3ed),\n UINT64_C(0x14def9dea2f79cd6),\n 0,\n UINT64_C(0x1000000000000000),\n };\n for (size_t i = 3;; i--) {\n uint64_t word = CRYPTO_load_u64_le(scopy + i * 8);\n if (word > kOrder[i]) {\n return 0;\n } else if (word < kOrder[i]) {\n break;\n } else if (i == 0) {\n return 0;\n }\n }\n\n SHA512_CTX hash_ctx;\n SHA512_Init(&hash_ctx);\n SHA512_Update(&hash_ctx, signature, 32);\n SHA512_Update(&hash_ctx, public_key, 32);\n SHA512_Update(&hash_ctx, message, message_len);\n uint8_t h[SHA512_DIGEST_LENGTH];\n SHA512_Final(h, &hash_ctx);\n\n x25519_sc_reduce(h);\n\n ge_p2 R;\n ge_double_scalarmult_vartime(&R, h, &A, scopy);\n\n uint8_t rcheck[32];\n x25519_ge_tobytes(rcheck, &R);\n\n return CRYPTO_memcmp(rcheck, rcopy, sizeof(rcheck)) == 0;\n}\n\nvoid ED25519_keypair_from_seed(uint8_t out_public_key[32],\n uint8_t out_private_key[64],\n const uint8_t seed[32]) {\n uint8_t az[SHA512_DIGEST_LENGTH];\n SHA512(seed, 32, az);\n\n az[0] &= 248;\n az[31] &= 127;\n az[31] |= 64;\n\n ge_p3 A;\n x25519_ge_scalarmult_base(&A, az);\n ge_p3_tobytes(out_public_key, &A);\n // The public key is derived from the private key, but it is public.\n CONSTTIME_DECLASSIFY(out_public_key, 32);\n\n OPENSSL_memcpy(out_private_key, seed, 32);\n OPENSSL_memcpy(out_private_key + 32, out_public_key, 32);\n}\n\n\nstatic void x25519_scalar_mult_generic(uint8_t out[32],\n const uint8_t scalar[32],\n const uint8_t point[32]) {\n fe x1, x2, z2, x3, z3, tmp0, tmp1;\n fe_loose x2l, z2l, x3l, tmp0l, tmp1l;\n\n uint8_t e[32];\n OPENSSL_memcpy(e, scalar, 32);\n e[0] &= 248;\n e[31] &= 127;\n e[31] |= 64;\n\n // The following implementation was transcribed to Coq and proven to\n // correspond to unary scalar multiplication in affine coordinates given that\n // x1 != 0 is the x coordinate of some point on the curve. It was also checked\n // in Coq that doing a ladderstep with x1 = x3 = 0 gives z2' = z3' = 0, and z2\n // = z3 = 0 gives z2' = z3' = 0. The statement was quantified over the\n // underlying field, so it applies to Curve25519 itself and the quadratic\n // twist of Curve25519. It was not proven in Coq that prime-field arithmetic\n // correctly simulates extension-field arithmetic on prime-field values.\n // The decoding of the byte array representation of e was not considered.\n // Specification of Montgomery curves in affine coordinates:\n // \n // Proof that these form a group that is isomorphic to a Weierstrass curve:\n // \n // Coq transcription and correctness proof of the loop (where scalarbits=255):\n // \n // \n // preconditions: 0 <= e < 2^255 (not necessarily e < order), fe_invert(0) = 0\n fe_frombytes(&x1, point);\n fe_1(&x2);\n fe_0(&z2);\n fe_copy(&x3, &x1);\n fe_1(&z3);\n\n unsigned swap = 0;\n int pos;\n for (pos = 254; pos >= 0; --pos) {\n // loop invariant as of right before the test, for the case where x1 != 0:\n // pos >= -1; if z2 = 0 then x2 is nonzero; if z3 = 0 then x3 is nonzero\n // let r := e >> (pos+1) in the following equalities of projective points:\n // to_xz (r*P) === if swap then (x3, z3) else (x2, z2)\n // to_xz ((r+1)*P) === if swap then (x2, z2) else (x3, z3)\n // x1 is the nonzero x coordinate of the nonzero point (r*P-(r+1)*P)\n unsigned b = 1 & (e[pos / 8] >> (pos & 7));\n swap ^= b;\n fe_cswap(&x2, &x3, swap);\n fe_cswap(&z2, &z3, swap);\n swap = b;\n // Coq transcription of ladderstep formula (called from transcribed loop):\n // \n // \n // x1 != 0\n // \n // x1 = 0\n // \n fe_sub(&tmp0l, &x3, &z3);\n fe_sub(&tmp1l, &x2, &z2);\n fe_add(&x2l, &x2, &z2);\n fe_add(&z2l, &x3, &z3);\n fe_mul_tll(&z3, &tmp0l, &x2l);\n fe_mul_tll(&z2, &z2l, &tmp1l);\n fe_sq_tl(&tmp0, &tmp1l);\n fe_sq_tl(&tmp1, &x2l);\n fe_add(&x3l, &z3, &z2);\n fe_sub(&z2l, &z3, &z2);\n fe_mul_ttt(&x2, &tmp1, &tmp0);\n fe_sub(&tmp1l, &tmp1, &tmp0);\n fe_sq_tl(&z2, &z2l);\n fe_mul121666(&z3, &tmp1l);\n fe_sq_tl(&x3, &x3l);\n fe_add(&tmp0l, &tmp0, &z3);\n fe_mul_ttt(&z3, &x1, &z2);\n fe_mul_tll(&z2, &tmp1l, &tmp0l);\n }\n // here pos=-1, so r=e, so to_xz (e*P) === if swap then (x3, z3) else (x2, z2)\n fe_cswap(&x2, &x3, swap);\n fe_cswap(&z2, &z3, swap);\n\n fe_invert(&z2, &z2);\n fe_mul_ttt(&x2, &x2, &z2);\n fe_tobytes(out, &x2);\n}\n\nstatic void x25519_scalar_mult(uint8_t out[32], const uint8_t scalar[32],\n const uint8_t point[32]) {\n#if defined(BORINGSSL_X25519_NEON)\n if (CRYPTO_is_NEON_capable()) {\n x25519_NEON(out, scalar, point);\n return;\n }\n#elif defined(BORINGSSL_FE25519_ADX)\n if (CRYPTO_is_BMI1_capable() && CRYPTO_is_BMI2_capable() &&\n CRYPTO_is_ADX_capable()) {\n x25519_scalar_mult_adx(out, scalar, point);\n return;\n }\n#endif\n\n x25519_scalar_mult_generic(out, scalar, point);\n}\n\nvoid X25519_keypair(uint8_t out_public_value[32], uint8_t out_private_key[32]) {\n RAND_bytes(out_private_key, 32);\n\n // All X25519 implementations should decode scalars correctly (see\n // https://tools.ietf.org/html/rfc7748#section-5). However, if an\n // implementation doesn't then it might interoperate with random keys a\n // fraction of the time because they'll, randomly, happen to be correctly\n // formed.\n //\n // Thus we do the opposite of the masking here to make sure that our private\n // keys are never correctly masked and so, hopefully, any incorrect\n // implementations are deterministically broken.\n //\n // This does not affect security because, although we're throwing away\n // entropy, a valid implementation of scalarmult should throw away the exact\n // same bits anyway.\n out_private_key[0] |= ~248;\n out_private_key[31] &= ~64;\n out_private_key[31] |= ~127;\n\n X25519_public_from_private(out_public_value, out_private_key);\n}\n\nint X25519(uint8_t out_shared_key[32], const uint8_t private_key[32],\n const uint8_t peer_public_value[32]) {\n static const uint8_t kZeros[32] = {0};\n x25519_scalar_mult(out_shared_key, private_key, peer_public_value);\n // The all-zero output results when the input is a point of small order.\n return constant_time_declassify_int(\n CRYPTO_memcmp(kZeros, out_shared_key, 32)) != 0;\n}\n\nvoid X25519_public_from_private(uint8_t out_public_value[32],\n const uint8_t private_key[32]) {\n#if defined(BORINGSSL_X25519_NEON)\n if (CRYPTO_is_NEON_capable()) {\n static const uint8_t kMongomeryBasePoint[32] = {9};\n x25519_NEON(out_public_value, private_key, kMongomeryBasePoint);\n return;\n }\n#endif\n\n uint8_t e[32];\n OPENSSL_memcpy(e, private_key, 32);\n e[0] &= 248;\n e[31] &= 127;\n e[31] |= 64;\n\n ge_p3 A;\n x25519_ge_scalarmult_base(&A, e);\n\n // We only need the u-coordinate of the curve25519 point. The map is\n // u=(y+1)/(1-y). Since y=Y/Z, this gives u=(Z+Y)/(Z-Y).\n fe_loose zplusy, zminusy;\n fe zminusy_inv;\n fe_add(&zplusy, &A.Z, &A.Y);\n fe_sub(&zminusy, &A.Z, &A.Y);\n fe_loose_invert(&zminusy_inv, &zminusy);\n fe_mul_tlt(&zminusy_inv, &zplusy, &zminusy_inv);\n fe_tobytes(out_public_value, &zminusy_inv);\n CONSTTIME_DECLASSIFY(out_public_value, 32);\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/curve25519/curve25519_64_adx.cc", "content": "/* Copyright 2023 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n#include \"internal.h\"\n#if defined(BORINGSSL_FE25519_ADX)\n#include \"../../third_party/fiat/curve25519_64_adx.h\"\n#endif\n" }, { "path": "Sources/CNIOBoringSSL/crypto/curve25519/curve25519_tables.h", "content": "/* Copyright 2020 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n// This file is generated from\n// ./make_curve25519_tables.py > curve25519_tables.h\n\n\nstatic const fe d = {{\n#if defined(OPENSSL_64_BIT)\n 929955233495203, 466365720129213, 1662059464998953, 2033849074728123,\n 1442794654840575\n#else\n 56195235, 13857412, 51736253, 6949390, 114729, 24766616, 60832955, 30306712,\n 48412415, 21499315\n#endif\n}};\n\nstatic const fe sqrtm1 = {{\n#if defined(OPENSSL_64_BIT)\n 1718705420411056, 234908883556509, 2233514472574048, 2117202627021982,\n 765476049583133\n#else\n 34513072, 25610706, 9377949, 3500415, 12389472, 33281959, 41962654,\n 31548777, 326685, 11406482\n#endif\n}};\n\nstatic const fe d2 = {{\n#if defined(OPENSSL_64_BIT)\n 1859910466990425, 932731440258426, 1072319116312658, 1815898335770999,\n 633789495995903\n#else\n 45281625, 27714825, 36363642, 13898781, 229458, 15978800, 54557047,\n 27058993, 29715967, 9444199\n#endif\n}};\n\n#if defined(OPENSSL_SMALL)\n\n// This block of code replaces the standard base-point table with a much smaller\n// one. The standard table is 30,720 bytes while this one is just 960.\n//\n// This table contains 15 pairs of group elements, (x, y), where each field\n// element is serialised with |fe_tobytes|. If |i| is the index of the group\n// element then consider i+1 as a four-bit number: (i₀, i₁, i₂, i₃) (where i₀\n// is the most significant bit). The value of the group element is then:\n// (i₀×2^192 + i₁×2^128 + i₂×2^64 + i₃)G, where G is the generator.\nstatic const uint8_t k25519SmallPrecomp[15 * 2 * 32] = {\n 0x1a, 0xd5, 0x25, 0x8f, 0x60, 0x2d, 0x56, 0xc9, 0xb2, 0xa7, 0x25, 0x95,\n 0x60, 0xc7, 0x2c, 0x69, 0x5c, 0xdc, 0xd6, 0xfd, 0x31, 0xe2, 0xa4, 0xc0,\n 0xfe, 0x53, 0x6e, 0xcd, 0xd3, 0x36, 0x69, 0x21, 0x58, 0x66, 0x66, 0x66,\n 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66,\n 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66,\n 0x66, 0x66, 0x66, 0x66, 0x02, 0xa2, 0xed, 0xf4, 0x8f, 0x6b, 0x0b, 0x3e,\n 0xeb, 0x35, 0x1a, 0xd5, 0x7e, 0xdb, 0x78, 0x00, 0x96, 0x8a, 0xa0, 0xb4,\n 0xcf, 0x60, 0x4b, 0xd4, 0xd5, 0xf9, 0x2d, 0xbf, 0x88, 0xbd, 0x22, 0x62,\n 0x13, 0x53, 0xe4, 0x82, 0x57, 0xfa, 0x1e, 0x8f, 0x06, 0x2b, 0x90, 0xba,\n 0x08, 0xb6, 0x10, 0x54, 0x4f, 0x7c, 0x1b, 0x26, 0xed, 0xda, 0x6b, 0xdd,\n 0x25, 0xd0, 0x4e, 0xea, 0x42, 0xbb, 0x25, 0x03, 0xa2, 0xfb, 0xcc, 0x61,\n 0x67, 0x06, 0x70, 0x1a, 0xc4, 0x78, 0x3a, 0xff, 0x32, 0x62, 0xdd, 0x2c,\n 0xab, 0x50, 0x19, 0x3b, 0xf2, 0x9b, 0x7d, 0xb8, 0xfd, 0x4f, 0x29, 0x9c,\n 0xa7, 0x91, 0xba, 0x0e, 0x46, 0x5e, 0x51, 0xfe, 0x1d, 0xbf, 0xe5, 0xe5,\n 0x9b, 0x95, 0x0d, 0x67, 0xf8, 0xd1, 0xb5, 0x5a, 0xa1, 0x93, 0x2c, 0xc3,\n 0xde, 0x0e, 0x97, 0x85, 0x2d, 0x7f, 0xea, 0xab, 0x3e, 0x47, 0x30, 0x18,\n 0x24, 0xe8, 0xb7, 0x60, 0xae, 0x47, 0x80, 0xfc, 0xe5, 0x23, 0xe7, 0xc2,\n 0xc9, 0x85, 0xe6, 0x98, 0xa0, 0x29, 0x4e, 0xe1, 0x84, 0x39, 0x2d, 0x95,\n 0x2c, 0xf3, 0x45, 0x3c, 0xff, 0xaf, 0x27, 0x4c, 0x6b, 0xa6, 0xf5, 0x4b,\n 0x11, 0xbd, 0xba, 0x5b, 0x9e, 0xc4, 0xa4, 0x51, 0x1e, 0xbe, 0xd0, 0x90,\n 0x3a, 0x9c, 0xc2, 0x26, 0xb6, 0x1e, 0xf1, 0x95, 0x7d, 0xc8, 0x6d, 0x52,\n 0xe6, 0x99, 0x2c, 0x5f, 0x9a, 0x96, 0x0c, 0x68, 0x29, 0xfd, 0xe2, 0xfb,\n 0xe6, 0xbc, 0xec, 0x31, 0x08, 0xec, 0xe6, 0xb0, 0x53, 0x60, 0xc3, 0x8c,\n 0xbe, 0xc1, 0xb3, 0x8a, 0x8f, 0xe4, 0x88, 0x2b, 0x55, 0xe5, 0x64, 0x6e,\n 0x9b, 0xd0, 0xaf, 0x7b, 0x64, 0x2a, 0x35, 0x25, 0x10, 0x52, 0xc5, 0x9e,\n 0x58, 0x11, 0x39, 0x36, 0x45, 0x51, 0xb8, 0x39, 0x93, 0xfc, 0x9d, 0x6a,\n 0xbe, 0x58, 0xcb, 0xa4, 0x0f, 0x51, 0x3c, 0x38, 0x05, 0xca, 0xab, 0x43,\n 0x63, 0x0e, 0xf3, 0x8b, 0x41, 0xa6, 0xf8, 0x9b, 0x53, 0x70, 0x80, 0x53,\n 0x86, 0x5e, 0x8f, 0xe3, 0xc3, 0x0d, 0x18, 0xc8, 0x4b, 0x34, 0x1f, 0xd8,\n 0x1d, 0xbc, 0xf2, 0x6d, 0x34, 0x3a, 0xbe, 0xdf, 0xd9, 0xf6, 0xf3, 0x89,\n 0xa1, 0xe1, 0x94, 0x9f, 0x5d, 0x4c, 0x5d, 0xe9, 0xa1, 0x49, 0x92, 0xef,\n 0x0e, 0x53, 0x81, 0x89, 0x58, 0x87, 0xa6, 0x37, 0xf1, 0xdd, 0x62, 0x60,\n 0x63, 0x5a, 0x9d, 0x1b, 0x8c, 0xc6, 0x7d, 0x52, 0xea, 0x70, 0x09, 0x6a,\n 0xe1, 0x32, 0xf3, 0x73, 0x21, 0x1f, 0x07, 0x7b, 0x7c, 0x9b, 0x49, 0xd8,\n 0xc0, 0xf3, 0x25, 0x72, 0x6f, 0x9d, 0xed, 0x31, 0x67, 0x36, 0x36, 0x54,\n 0x40, 0x92, 0x71, 0xe6, 0x11, 0x28, 0x11, 0xad, 0x93, 0x32, 0x85, 0x7b,\n 0x3e, 0xb7, 0x3b, 0x49, 0x13, 0x1c, 0x07, 0xb0, 0x2e, 0x93, 0xaa, 0xfd,\n 0xfd, 0x28, 0x47, 0x3d, 0x8d, 0xd2, 0xda, 0xc7, 0x44, 0xd6, 0x7a, 0xdb,\n 0x26, 0x7d, 0x1d, 0xb8, 0xe1, 0xde, 0x9d, 0x7a, 0x7d, 0x17, 0x7e, 0x1c,\n 0x37, 0x04, 0x8d, 0x2d, 0x7c, 0x5e, 0x18, 0x38, 0x1e, 0xaf, 0xc7, 0x1b,\n 0x33, 0x48, 0x31, 0x00, 0x59, 0xf6, 0xf2, 0xca, 0x0f, 0x27, 0x1b, 0x63,\n 0x12, 0x7e, 0x02, 0x1d, 0x49, 0xc0, 0x5d, 0x79, 0x87, 0xef, 0x5e, 0x7a,\n 0x2f, 0x1f, 0x66, 0x55, 0xd8, 0x09, 0xd9, 0x61, 0x38, 0x68, 0xb0, 0x07,\n 0xa3, 0xfc, 0xcc, 0x85, 0x10, 0x7f, 0x4c, 0x65, 0x65, 0xb3, 0xfa, 0xfa,\n 0xa5, 0x53, 0x6f, 0xdb, 0x74, 0x4c, 0x56, 0x46, 0x03, 0xe2, 0xd5, 0x7a,\n 0x29, 0x1c, 0xc6, 0x02, 0xbc, 0x59, 0xf2, 0x04, 0x75, 0x63, 0xc0, 0x84,\n 0x2f, 0x60, 0x1c, 0x67, 0x76, 0xfd, 0x63, 0x86, 0xf3, 0xfa, 0xbf, 0xdc,\n 0xd2, 0x2d, 0x90, 0x91, 0xbd, 0x33, 0xa9, 0xe5, 0x66, 0x0c, 0xda, 0x42,\n 0x27, 0xca, 0xf4, 0x66, 0xc2, 0xec, 0x92, 0x14, 0x57, 0x06, 0x63, 0xd0,\n 0x4d, 0x15, 0x06, 0xeb, 0x69, 0x58, 0x4f, 0x77, 0xc5, 0x8b, 0xc7, 0xf0,\n 0x8e, 0xed, 0x64, 0xa0, 0xb3, 0x3c, 0x66, 0x71, 0xc6, 0x2d, 0xda, 0x0a,\n 0x0d, 0xfe, 0x70, 0x27, 0x64, 0xf8, 0x27, 0xfa, 0xf6, 0x5f, 0x30, 0xa5,\n 0x0d, 0x6c, 0xda, 0xf2, 0x62, 0x5e, 0x78, 0x47, 0xd3, 0x66, 0x00, 0x1c,\n 0xfd, 0x56, 0x1f, 0x5d, 0x3f, 0x6f, 0xf4, 0x4c, 0xd8, 0xfd, 0x0e, 0x27,\n 0xc9, 0x5c, 0x2b, 0xbc, 0xc0, 0xa4, 0xe7, 0x23, 0x29, 0x02, 0x9f, 0x31,\n 0xd6, 0xe9, 0xd7, 0x96, 0xf4, 0xe0, 0x5e, 0x0b, 0x0e, 0x13, 0xee, 0x3c,\n 0x09, 0xed, 0xf2, 0x3d, 0x76, 0x91, 0xc3, 0xa4, 0x97, 0xae, 0xd4, 0x87,\n 0xd0, 0x5d, 0xf6, 0x18, 0x47, 0x1f, 0x1d, 0x67, 0xf2, 0xcf, 0x63, 0xa0,\n 0x91, 0x27, 0xf8, 0x93, 0x45, 0x75, 0x23, 0x3f, 0xd1, 0xf1, 0xad, 0x23,\n 0xdd, 0x64, 0x93, 0x96, 0x41, 0x70, 0x7f, 0xf7, 0xf5, 0xa9, 0x89, 0xa2,\n 0x34, 0xb0, 0x8d, 0x1b, 0xae, 0x19, 0x15, 0x49, 0x58, 0x23, 0x6d, 0x87,\n 0x15, 0x4f, 0x81, 0x76, 0xfb, 0x23, 0xb5, 0xea, 0xcf, 0xac, 0x54, 0x8d,\n 0x4e, 0x42, 0x2f, 0xeb, 0x0f, 0x63, 0xdb, 0x68, 0x37, 0xa8, 0xcf, 0x8b,\n 0xab, 0xf5, 0xa4, 0x6e, 0x96, 0x2a, 0xb2, 0xd6, 0xbe, 0x9e, 0xbd, 0x0d,\n 0xb4, 0x42, 0xa9, 0xcf, 0x01, 0x83, 0x8a, 0x17, 0x47, 0x76, 0xc4, 0xc6,\n 0x83, 0x04, 0x95, 0x0b, 0xfc, 0x11, 0xc9, 0x62, 0xb8, 0x0c, 0x76, 0x84,\n 0xd9, 0xb9, 0x37, 0xfa, 0xfc, 0x7c, 0xc2, 0x6d, 0x58, 0x3e, 0xb3, 0x04,\n 0xbb, 0x8c, 0x8f, 0x48, 0xbc, 0x91, 0x27, 0xcc, 0xf9, 0xb7, 0x22, 0x19,\n 0x83, 0x2e, 0x09, 0xb5, 0x72, 0xd9, 0x54, 0x1c, 0x4d, 0xa1, 0xea, 0x0b,\n 0xf1, 0xc6, 0x08, 0x72, 0x46, 0x87, 0x7a, 0x6e, 0x80, 0x56, 0x0a, 0x8a,\n 0xc0, 0xdd, 0x11, 0x6b, 0xd6, 0xdd, 0x47, 0xdf, 0x10, 0xd9, 0xd8, 0xea,\n 0x7c, 0xb0, 0x8f, 0x03, 0x00, 0x2e, 0xc1, 0x8f, 0x44, 0xa8, 0xd3, 0x30,\n 0x06, 0x89, 0xa2, 0xf9, 0x34, 0xad, 0xdc, 0x03, 0x85, 0xed, 0x51, 0xa7,\n 0x82, 0x9c, 0xe7, 0x5d, 0x52, 0x93, 0x0c, 0x32, 0x9a, 0x5b, 0xe1, 0xaa,\n 0xca, 0xb8, 0x02, 0x6d, 0x3a, 0xd4, 0xb1, 0x3a, 0xf0, 0x5f, 0xbe, 0xb5,\n 0x0d, 0x10, 0x6b, 0x38, 0x32, 0xac, 0x76, 0x80, 0xbd, 0xca, 0x94, 0x71,\n 0x7a, 0xf2, 0xc9, 0x35, 0x2a, 0xde, 0x9f, 0x42, 0x49, 0x18, 0x01, 0xab,\n 0xbc, 0xef, 0x7c, 0x64, 0x3f, 0x58, 0x3d, 0x92, 0x59, 0xdb, 0x13, 0xdb,\n 0x58, 0x6e, 0x0a, 0xe0, 0xb7, 0x91, 0x4a, 0x08, 0x20, 0xd6, 0x2e, 0x3c,\n 0x45, 0xc9, 0x8b, 0x17, 0x79, 0xe7, 0xc7, 0x90, 0x99, 0x3a, 0x18, 0x25,\n};\n\n#else\n\n// k25519Precomp[i][j] = (j+1)*256^i*B\nconst uint8_t k25519Precomp[32][8][3][32] = {\n {\n {\n {0x85, 0x3b, 0x8c, 0xf5, 0xc6, 0x93, 0xbc, 0x2f, 0x19, 0xe, 0x8c,\n 0xfb, 0xc6, 0x2d, 0x93, 0xcf, 0xc2, 0x42, 0x3d, 0x64, 0x98, 0x48,\n 0xb, 0x27, 0x65, 0xba, 0xd4, 0x33, 0x3a, 0x9d, 0xcf, 0x7},\n {0x3e, 0x91, 0x40, 0xd7, 0x5, 0x39, 0x10, 0x9d, 0xb3, 0xbe, 0x40,\n 0xd1, 0x5, 0x9f, 0x39, 0xfd, 0x9, 0x8a, 0x8f, 0x68, 0x34, 0x84,\n 0xc1, 0xa5, 0x67, 0x12, 0xf8, 0x98, 0x92, 0x2f, 0xfd, 0x44},\n {0x68, 0xaa, 0x7a, 0x87, 0x5, 0x12, 0xc9, 0xab, 0x9e, 0xc4, 0xaa,\n 0xcc, 0x23, 0xe8, 0xd9, 0x26, 0x8c, 0x59, 0x43, 0xdd, 0xcb, 0x7d,\n 0x1b, 0x5a, 0xa8, 0x65, 0xc, 0x9f, 0x68, 0x7b, 0x11, 0x6f},\n },\n {\n {0xd7, 0x71, 0x3c, 0x93, 0xfc, 0xe7, 0x24, 0x92, 0xb5, 0xf5, 0xf,\n 0x7a, 0x96, 0x9d, 0x46, 0x9f, 0x2, 0x7, 0xd6, 0xe1, 0x65, 0x9a,\n 0xa6, 0x5a, 0x2e, 0x2e, 0x7d, 0xa8, 0x3f, 0x6, 0xc, 0x59},\n {0xa8, 0xd5, 0xb4, 0x42, 0x60, 0xa5, 0x99, 0x8a, 0xf6, 0xac, 0x60,\n 0x4e, 0xc, 0x81, 0x2b, 0x8f, 0xaa, 0x37, 0x6e, 0xb1, 0x6b, 0x23,\n 0x9e, 0xe0, 0x55, 0x25, 0xc9, 0x69, 0xa6, 0x95, 0xb5, 0x6b},\n {0x5f, 0x7a, 0x9b, 0xa5, 0xb3, 0xa8, 0xfa, 0x43, 0x78, 0xcf, 0x9a,\n 0x5d, 0xdd, 0x6b, 0xc1, 0x36, 0x31, 0x6a, 0x3d, 0xb, 0x84, 0xa0,\n 0xf, 0x50, 0x73, 0xb, 0xa5, 0x3e, 0xb1, 0xf5, 0x1a, 0x70},\n },\n {\n {0x30, 0x97, 0xee, 0x4c, 0xa8, 0xb0, 0x25, 0xaf, 0x8a, 0x4b, 0x86,\n 0xe8, 0x30, 0x84, 0x5a, 0x2, 0x32, 0x67, 0x1, 0x9f, 0x2, 0x50,\n 0x1b, 0xc1, 0xf4, 0xf8, 0x80, 0x9a, 0x1b, 0x4e, 0x16, 0x7a},\n {0x65, 0xd2, 0xfc, 0xa4, 0xe8, 0x1f, 0x61, 0x56, 0x7d, 0xba, 0xc1,\n 0xe5, 0xfd, 0x53, 0xd3, 0x3b, 0xbd, 0xd6, 0x4b, 0x21, 0x1a, 0xf3,\n 0x31, 0x81, 0x62, 0xda, 0x5b, 0x55, 0x87, 0x15, 0xb9, 0x2a},\n {0x89, 0xd8, 0xd0, 0xd, 0x3f, 0x93, 0xae, 0x14, 0x62, 0xda, 0x35,\n 0x1c, 0x22, 0x23, 0x94, 0x58, 0x4c, 0xdb, 0xf2, 0x8c, 0x45, 0xe5,\n 0x70, 0xd1, 0xc6, 0xb4, 0xb9, 0x12, 0xaf, 0x26, 0x28, 0x5a},\n },\n {\n {0x9f, 0x9, 0xfc, 0x8e, 0xb9, 0x51, 0x73, 0x28, 0x38, 0x25, 0xfd,\n 0x7d, 0xf4, 0xc6, 0x65, 0x67, 0x65, 0x92, 0xa, 0xfb, 0x3d, 0x8d,\n 0x34, 0xca, 0x27, 0x87, 0xe5, 0x21, 0x3, 0x91, 0xe, 0x68},\n {0xbf, 0x18, 0x68, 0x5, 0xa, 0x5, 0xfe, 0x95, 0xa9, 0xfa, 0x60,\n 0x56, 0x71, 0x89, 0x7e, 0x32, 0x73, 0x50, 0xa0, 0x6, 0xcd, 0xe3,\n 0xe8, 0xc3, 0x9a, 0xa4, 0x45, 0x74, 0x4c, 0x3f, 0x93, 0x27},\n {0x9, 0xff, 0x76, 0xc4, 0xe9, 0xfb, 0x13, 0x5a, 0x72, 0xc1, 0x5c,\n 0x7b, 0x45, 0x39, 0x9e, 0x6e, 0x94, 0x44, 0x2b, 0x10, 0xf9, 0xdc,\n 0xdb, 0x5d, 0x2b, 0x3e, 0x55, 0x63, 0xbf, 0xc, 0x9d, 0x7f},\n },\n {\n {0x33, 0xbb, 0xa5, 0x8, 0x44, 0xbc, 0x12, 0xa2, 0x2, 0xed, 0x5e,\n 0xc7, 0xc3, 0x48, 0x50, 0x8d, 0x44, 0xec, 0xbf, 0x5a, 0xc, 0xeb,\n 0x1b, 0xdd, 0xeb, 0x6, 0xe2, 0x46, 0xf1, 0xcc, 0x45, 0x29},\n {0xba, 0xd6, 0x47, 0xa4, 0xc3, 0x82, 0x91, 0x7f, 0xb7, 0x29, 0x27,\n 0x4b, 0xd1, 0x14, 0x0, 0xd5, 0x87, 0xa0, 0x64, 0xb8, 0x1c, 0xf1,\n 0x3c, 0xe3, 0xf3, 0x55, 0x1b, 0xeb, 0x73, 0x7e, 0x4a, 0x15},\n {0x85, 0x82, 0x2a, 0x81, 0xf1, 0xdb, 0xbb, 0xbc, 0xfc, 0xd1, 0xbd,\n 0xd0, 0x7, 0x8, 0xe, 0x27, 0x2d, 0xa7, 0xbd, 0x1b, 0xb, 0x67,\n 0x1b, 0xb4, 0x9a, 0xb6, 0x3b, 0x6b, 0x69, 0xbe, 0xaa, 0x43},\n },\n {\n {0x31, 0x71, 0x15, 0x77, 0xeb, 0xee, 0xc, 0x3a, 0x88, 0xaf, 0xc8,\n 0x0, 0x89, 0x15, 0x27, 0x9b, 0x36, 0xa7, 0x59, 0xda, 0x68, 0xb6,\n 0x65, 0x80, 0xbd, 0x38, 0xcc, 0xa2, 0xb6, 0x7b, 0xe5, 0x51},\n {0xa4, 0x8c, 0x7d, 0x7b, 0xb6, 0x6, 0x98, 0x49, 0x39, 0x27, 0xd2,\n 0x27, 0x84, 0xe2, 0x5b, 0x57, 0xb9, 0x53, 0x45, 0x20, 0xe7, 0x5c,\n 0x8, 0xbb, 0x84, 0x78, 0x41, 0xae, 0x41, 0x4c, 0xb6, 0x38},\n {0x71, 0x4b, 0xea, 0x2, 0x67, 0x32, 0xac, 0x85, 0x1, 0xbb, 0xa1,\n 0x41, 0x3, 0xe0, 0x70, 0xbe, 0x44, 0xc1, 0x3b, 0x8, 0x4b, 0xa2,\n 0xe4, 0x53, 0xe3, 0x61, 0xd, 0x9f, 0x1a, 0xe9, 0xb8, 0x10},\n },\n {\n {0xbf, 0xa3, 0x4e, 0x94, 0xd0, 0x5c, 0x1a, 0x6b, 0xd2, 0xc0, 0x9d,\n 0xb3, 0x3a, 0x35, 0x70, 0x74, 0x49, 0x2e, 0x54, 0x28, 0x82, 0x52,\n 0xb2, 0x71, 0x7e, 0x92, 0x3c, 0x28, 0x69, 0xea, 0x1b, 0x46},\n {0xb1, 0x21, 0x32, 0xaa, 0x9a, 0x2c, 0x6f, 0xba, 0xa7, 0x23, 0xba,\n 0x3b, 0x53, 0x21, 0xa0, 0x6c, 0x3a, 0x2c, 0x19, 0x92, 0x4f, 0x76,\n 0xea, 0x9d, 0xe0, 0x17, 0x53, 0x2e, 0x5d, 0xdd, 0x6e, 0x1d},\n {0xa2, 0xb3, 0xb8, 0x1, 0xc8, 0x6d, 0x83, 0xf1, 0x9a, 0xa4, 0x3e,\n 0x5, 0x47, 0x5f, 0x3, 0xb3, 0xf3, 0xad, 0x77, 0x58, 0xba, 0x41,\n 0x9c, 0x52, 0xa7, 0x90, 0xf, 0x6a, 0x1c, 0xbb, 0x9f, 0x7a},\n },\n {\n {0x8f, 0x3e, 0xdd, 0x4, 0x66, 0x59, 0xb7, 0x59, 0x2c, 0x70, 0x88,\n 0xe2, 0x77, 0x3, 0xb3, 0x6c, 0x23, 0xc3, 0xd9, 0x5e, 0x66, 0x9c,\n 0x33, 0xb1, 0x2f, 0xe5, 0xbc, 0x61, 0x60, 0xe7, 0x15, 0x9},\n {0xd9, 0x34, 0x92, 0xf3, 0xed, 0x5d, 0xa7, 0xe2, 0xf9, 0x58, 0xb5,\n 0xe1, 0x80, 0x76, 0x3d, 0x96, 0xfb, 0x23, 0x3c, 0x6e, 0xac, 0x41,\n 0x27, 0x2c, 0xc3, 0x1, 0xe, 0x32, 0xa1, 0x24, 0x90, 0x3a},\n {0x1a, 0x91, 0xa2, 0xc9, 0xd9, 0xf5, 0xc1, 0xe7, 0xd7, 0xa7, 0xcc,\n 0x8b, 0x78, 0x71, 0xa3, 0xb8, 0x32, 0x2a, 0xb6, 0xe, 0x19, 0x12,\n 0x64, 0x63, 0x95, 0x4e, 0xcc, 0x2e, 0x5c, 0x7c, 0x90, 0x26},\n },\n },\n {\n {\n {0x1d, 0x9c, 0x2f, 0x63, 0xe, 0xdd, 0xcc, 0x2e, 0x15, 0x31, 0x89,\n 0x76, 0x96, 0xb6, 0xd0, 0x51, 0x58, 0x7a, 0x63, 0xa8, 0x6b, 0xb7,\n 0xdf, 0x52, 0x39, 0xef, 0xe, 0xa0, 0x49, 0x7d, 0xd3, 0x6d},\n {0x5e, 0x51, 0xaa, 0x49, 0x54, 0x63, 0x5b, 0xed, 0x3a, 0x82, 0xc6,\n 0xb, 0x9f, 0xc4, 0x65, 0xa8, 0xc4, 0xd1, 0x42, 0x5b, 0xe9, 0x1f,\n 0xc, 0x85, 0xb9, 0x15, 0xd3, 0x3, 0x6f, 0x6d, 0xd7, 0x30},\n {0xc7, 0xe4, 0x6, 0x21, 0x17, 0x44, 0x44, 0x6c, 0x69, 0x7f, 0x8d,\n 0x92, 0x80, 0xd6, 0x53, 0xfb, 0x26, 0x3f, 0x4d, 0x69, 0xa4, 0x9e,\n 0x73, 0xb4, 0xb0, 0x4b, 0x86, 0x2e, 0x11, 0x97, 0xc6, 0x10},\n },\n {\n {0x5, 0xc8, 0x58, 0x83, 0xa0, 0x2a, 0xa6, 0xc, 0x47, 0x42, 0x20,\n 0x7a, 0xe3, 0x4a, 0x3d, 0x6a, 0xdc, 0xed, 0x11, 0x3b, 0xa6, 0xd3,\n 0x64, 0x74, 0xef, 0x6, 0x8, 0x55, 0xaf, 0x9b, 0xbf, 0x3},\n {0xde, 0x5f, 0xbe, 0x7d, 0x27, 0xc4, 0x93, 0x64, 0xa2, 0x7e, 0xad,\n 0x19, 0xad, 0x4f, 0x5d, 0x26, 0x90, 0x45, 0x30, 0x46, 0xc8, 0xdf,\n 0x0, 0xe, 0x9, 0xfe, 0x66, 0xed, 0xab, 0x1c, 0xe6, 0x25},\n {0x4, 0x66, 0x58, 0xcc, 0x28, 0xe1, 0x13, 0x3f, 0x7e, 0x74, 0x59,\n 0xb4, 0xec, 0x73, 0x58, 0x6f, 0xf5, 0x68, 0x12, 0xcc, 0xed, 0x3d,\n 0xb6, 0xa0, 0x2c, 0xe2, 0x86, 0x45, 0x63, 0x78, 0x6d, 0x56},\n },\n {\n {0xd0, 0x2f, 0x5a, 0xc6, 0x85, 0x42, 0x5, 0xa1, 0xc3, 0x67, 0x16,\n 0xf3, 0x2a, 0x11, 0x64, 0x6c, 0x58, 0xee, 0x1a, 0x73, 0x40, 0xe2,\n 0xa, 0x68, 0x2a, 0xb2, 0x93, 0x47, 0xf3, 0xa5, 0xfb, 0x14},\n {0x34, 0x8, 0xc1, 0x9c, 0x9f, 0xa4, 0x37, 0x16, 0x51, 0xc4, 0x9b,\n 0xa8, 0xd5, 0x56, 0x8e, 0xbc, 0xdb, 0xd2, 0x7f, 0x7f, 0xf, 0xec,\n 0xb5, 0x1c, 0xd9, 0x35, 0xcc, 0x5e, 0xca, 0x5b, 0x97, 0x33},\n {0xd4, 0xf7, 0x85, 0x69, 0x16, 0x46, 0xd7, 0x3c, 0x57, 0x0, 0xc8,\n 0xc9, 0x84, 0x5e, 0x3e, 0x59, 0x1e, 0x13, 0x61, 0x7b, 0xb6, 0xf2,\n 0xc3, 0x2f, 0x6c, 0x52, 0xfc, 0x83, 0xea, 0x9c, 0x82, 0x14},\n },\n {\n {0xb8, 0xec, 0x71, 0x4e, 0x2f, 0xb, 0xe7, 0x21, 0xe3, 0x77, 0xa4,\n 0x40, 0xb9, 0xdd, 0x56, 0xe6, 0x80, 0x4f, 0x1d, 0xce, 0xce, 0x56,\n 0x65, 0xbf, 0x7e, 0x7b, 0x5d, 0x53, 0xc4, 0x3b, 0xfc, 0x5},\n {0xc2, 0x95, 0xdd, 0x97, 0x84, 0x7b, 0x43, 0xff, 0xa7, 0xb5, 0x4e,\n 0xaa, 0x30, 0x4e, 0x74, 0x6c, 0x8b, 0xe8, 0x85, 0x3c, 0x61, 0x5d,\n 0xc, 0x9e, 0x73, 0x81, 0x75, 0x5f, 0x1e, 0xc7, 0xd9, 0x2f},\n {0xdd, 0xde, 0xaf, 0x52, 0xae, 0xb3, 0xb8, 0x24, 0xcf, 0x30, 0x3b,\n 0xed, 0x8c, 0x63, 0x95, 0x34, 0x95, 0x81, 0xbe, 0xa9, 0x83, 0xbc,\n 0xa4, 0x33, 0x4, 0x1f, 0x65, 0x5c, 0x47, 0x67, 0x37, 0x37},\n },\n {\n {0x90, 0x65, 0x24, 0x14, 0xcb, 0x95, 0x40, 0x63, 0x35, 0x55, 0xc1,\n 0x16, 0x40, 0x14, 0x12, 0xef, 0x60, 0xbc, 0x10, 0x89, 0xc, 0x14,\n 0x38, 0x9e, 0x8c, 0x7c, 0x90, 0x30, 0x57, 0x90, 0xf5, 0x6b},\n {0xd9, 0xad, 0xd1, 0x40, 0xfd, 0x99, 0xba, 0x2f, 0x27, 0xd0, 0xf4,\n 0x96, 0x6f, 0x16, 0x7, 0xb3, 0xae, 0x3b, 0xf0, 0x15, 0x52, 0xf0,\n 0x63, 0x43, 0x99, 0xf9, 0x18, 0x3b, 0x6c, 0xa5, 0xbe, 0x1f},\n {0x8a, 0x5b, 0x41, 0xe1, 0xf1, 0x78, 0xa7, 0xf, 0x7e, 0xa7, 0xc3,\n 0xba, 0xf7, 0x9f, 0x40, 0x6, 0x50, 0x9a, 0xa2, 0x9a, 0xb8, 0xd7,\n 0x52, 0x6f, 0x56, 0x5a, 0x63, 0x7a, 0xf6, 0x1c, 0x52, 0x2},\n },\n {\n {0xe4, 0x5e, 0x2f, 0x77, 0x20, 0x67, 0x14, 0xb1, 0xce, 0x9a, 0x7,\n 0x96, 0xb1, 0x94, 0xf8, 0xe8, 0x4a, 0x82, 0xac, 0x0, 0x4d, 0x22,\n 0xf8, 0x4a, 0xc4, 0x6c, 0xcd, 0xf7, 0xd9, 0x53, 0x17, 0x0},\n {0x94, 0x52, 0x9d, 0xa, 0xb, 0xee, 0x3f, 0x51, 0x66, 0x5a, 0xdf,\n 0xf, 0x5c, 0xe7, 0x98, 0x8f, 0xce, 0x7, 0xe1, 0xbf, 0x88, 0x86,\n 0x61, 0xd4, 0xed, 0x2c, 0x38, 0x71, 0x7e, 0xa, 0xa0, 0x3f},\n {0x34, 0xdb, 0x3d, 0x96, 0x2d, 0x23, 0x69, 0x3c, 0x58, 0x38, 0x97,\n 0xb4, 0xda, 0x87, 0xde, 0x1d, 0x85, 0xf2, 0x91, 0xa0, 0xf9, 0xd1,\n 0xd7, 0xaa, 0xb6, 0xed, 0x48, 0xa0, 0x2f, 0xfe, 0xb5, 0x12},\n },\n {\n {0x92, 0x1e, 0x6f, 0xad, 0x26, 0x7c, 0x2b, 0xdf, 0x13, 0x89, 0x4b,\n 0x50, 0x23, 0xd3, 0x66, 0x4b, 0xc3, 0x8b, 0x1c, 0x75, 0xc0, 0x9d,\n 0x40, 0x8c, 0xb8, 0xc7, 0x96, 0x7, 0xc2, 0x93, 0x7e, 0x6f},\n {0x4d, 0xe3, 0xfc, 0x96, 0xc4, 0xfb, 0xf0, 0x71, 0xed, 0x5b, 0xf3,\n 0xad, 0x6b, 0x82, 0xb9, 0x73, 0x61, 0xc5, 0x28, 0xff, 0x61, 0x72,\n 0x4, 0xd2, 0x6f, 0x20, 0xb1, 0x6f, 0xf9, 0x76, 0x9b, 0x74},\n {0x5, 0xae, 0xa6, 0xae, 0x4, 0xf6, 0x5a, 0x1f, 0x99, 0x9c, 0xe4,\n 0xbe, 0xf1, 0x51, 0x23, 0xc1, 0x66, 0x6b, 0xff, 0xee, 0xb5, 0x8,\n 0xa8, 0x61, 0x51, 0x21, 0xe0, 0x1, 0xf, 0xc1, 0xce, 0xf},\n },\n {\n {0x45, 0x4e, 0x24, 0xc4, 0x9d, 0xd2, 0xf2, 0x3d, 0xa, 0xde, 0xd8,\n 0x93, 0x74, 0xe, 0x2, 0x2b, 0x4d, 0x21, 0xc, 0x82, 0x7e, 0x6,\n 0xc8, 0x6c, 0xa, 0xb9, 0xea, 0x6f, 0x16, 0x79, 0x37, 0x41},\n {0x44, 0x1e, 0xfe, 0x49, 0xa6, 0x58, 0x4d, 0x64, 0x7e, 0x77, 0xad,\n 0x31, 0xa2, 0xae, 0xfc, 0x21, 0xd2, 0xd0, 0x7f, 0x88, 0x5a, 0x1c,\n 0x44, 0x2, 0xf3, 0x11, 0xc5, 0x83, 0x71, 0xaa, 0x1, 0x49},\n {0xf0, 0xf8, 0x1a, 0x8c, 0x54, 0xb7, 0xb1, 0x8, 0xb4, 0x99, 0x62,\n 0x24, 0x7c, 0x7a, 0xf, 0xce, 0x39, 0xd9, 0x6, 0x1e, 0xf9, 0xb0,\n 0x60, 0xf7, 0x13, 0x12, 0x6d, 0x72, 0x7b, 0x88, 0xbb, 0x41},\n },\n },\n {\n {\n {0xae, 0x91, 0x66, 0x7c, 0x59, 0x4c, 0x23, 0x7e, 0xc8, 0xb4, 0x85,\n 0xa, 0x3d, 0x9d, 0x88, 0x64, 0xe7, 0xfa, 0x4a, 0x35, 0xc, 0xc9,\n 0xe2, 0xda, 0x1d, 0x9e, 0x6a, 0xc, 0x7, 0x1e, 0x87, 0xa},\n {0xbe, 0x46, 0x43, 0x74, 0x44, 0x7d, 0xe8, 0x40, 0x25, 0x2b, 0xb5,\n 0x15, 0xd4, 0xda, 0x48, 0x1d, 0x3e, 0x60, 0x3b, 0xa1, 0x18, 0x8a,\n 0x3a, 0x7c, 0xf7, 0xbd, 0xcd, 0x2f, 0xc1, 0x28, 0xb7, 0x4e},\n {0x89, 0x89, 0xbc, 0x4b, 0x99, 0xb5, 0x1, 0x33, 0x60, 0x42, 0xdd,\n 0x5b, 0x3a, 0xae, 0x6b, 0x73, 0x3c, 0x9e, 0xd5, 0x19, 0xe2, 0xad,\n 0x61, 0xd, 0x64, 0xd4, 0x85, 0x26, 0xf, 0x30, 0xe7, 0x3e},\n },\n {\n {0x18, 0x75, 0x1e, 0x84, 0x47, 0x79, 0xfa, 0x43, 0xd7, 0x46, 0x9c,\n 0x63, 0x59, 0xfa, 0xc6, 0xe5, 0x74, 0x2b, 0x5, 0xe3, 0x1d, 0x5e,\n 0x6, 0xa1, 0x30, 0x90, 0xb8, 0xcf, 0xa2, 0xc6, 0x47, 0x7d},\n {0xb7, 0xd6, 0x7d, 0x9e, 0xe4, 0x55, 0xd2, 0xf5, 0xac, 0x1e, 0xb,\n 0x61, 0x5c, 0x11, 0x16, 0x80, 0xca, 0x87, 0xe1, 0x92, 0x5d, 0x97,\n 0x99, 0x3c, 0xc2, 0x25, 0x91, 0x97, 0x62, 0x57, 0x81, 0x13},\n {0xe0, 0xd6, 0xf0, 0x8e, 0x14, 0xd0, 0xda, 0x3f, 0x3c, 0x6f, 0x54,\n 0x91, 0x9a, 0x74, 0x3e, 0x9d, 0x57, 0x81, 0xbb, 0x26, 0x10, 0x62,\n 0xec, 0x71, 0x80, 0xec, 0xc9, 0x34, 0x8d, 0xf5, 0x8c, 0x14},\n },\n {\n {0x6d, 0x75, 0xe4, 0x9a, 0x7d, 0x2f, 0x57, 0xe2, 0x7f, 0x48, 0xf3,\n 0x88, 0xbb, 0x45, 0xc3, 0x56, 0x8d, 0xa8, 0x60, 0x69, 0x6d, 0xb,\n 0xd1, 0x9f, 0xb9, 0xa1, 0xae, 0x4e, 0xad, 0xeb, 0x8f, 0x27},\n {0x27, 0xf0, 0x34, 0x79, 0xf6, 0x92, 0xa4, 0x46, 0xa9, 0xa, 0x84,\n 0xf6, 0xbe, 0x84, 0x99, 0x46, 0x54, 0x18, 0x61, 0x89, 0x2a, 0xbc,\n 0xa1, 0x5c, 0xd4, 0xbb, 0x5d, 0xbd, 0x1e, 0xfa, 0xf2, 0x3f},\n {0x66, 0x39, 0x93, 0x8c, 0x1f, 0x68, 0xaa, 0xb1, 0x98, 0xc, 0x29,\n 0x20, 0x9c, 0x94, 0x21, 0x8c, 0x52, 0x3c, 0x9d, 0x21, 0x91, 0x52,\n 0x11, 0x39, 0x7b, 0x67, 0x9c, 0xfe, 0x2, 0xdd, 0x4, 0x41},\n },\n {\n {0xb8, 0x6a, 0x9, 0xdb, 0x6, 0x4e, 0x21, 0x81, 0x35, 0x4f, 0xe4,\n 0xc, 0xc9, 0xb6, 0xa8, 0x21, 0xf5, 0x2a, 0x9e, 0x40, 0x2a, 0xc1,\n 0x24, 0x65, 0x81, 0xa4, 0xfc, 0x8e, 0xa4, 0xb5, 0x65, 0x1},\n {0x2a, 0x42, 0x24, 0x11, 0x5e, 0xbf, 0xb2, 0x72, 0xb5, 0x3a, 0xa3,\n 0x98, 0x33, 0xc, 0xfa, 0xa1, 0x66, 0xb6, 0x52, 0xfa, 0x1, 0x61,\n 0xcb, 0x94, 0xd5, 0x53, 0xaf, 0xaf, 0x0, 0x3b, 0x86, 0x2c},\n {0x76, 0x6a, 0x84, 0xa0, 0x74, 0xa4, 0x90, 0xf1, 0xc0, 0x7c, 0x2f,\n 0xcd, 0x84, 0xf9, 0xef, 0x12, 0x8f, 0x2b, 0xaa, 0x58, 0x6, 0x29,\n 0x5e, 0x69, 0xb8, 0xc8, 0xfe, 0xbf, 0xd9, 0x67, 0x1b, 0x59},\n },\n {\n {0x5d, 0xb5, 0x18, 0x9f, 0x71, 0xb3, 0xb9, 0x99, 0x1e, 0x64, 0x8c,\n 0xa1, 0xfa, 0xe5, 0x65, 0xe4, 0xed, 0x5, 0x9f, 0xc2, 0x36, 0x11,\n 0x8, 0x61, 0x8b, 0x12, 0x30, 0x70, 0x86, 0x4f, 0x9b, 0x48},\n {0xfa, 0x9b, 0xb4, 0x80, 0x1c, 0xd, 0x2f, 0x31, 0x8a, 0xec, 0xf3,\n 0xab, 0x5e, 0x51, 0x79, 0x59, 0x88, 0x1c, 0xf0, 0x9e, 0xc0, 0x33,\n 0x70, 0x72, 0xcb, 0x7b, 0x8f, 0xca, 0xc7, 0x2e, 0xe0, 0x3d},\n {0xef, 0x92, 0xeb, 0x3a, 0x2d, 0x10, 0x32, 0xd2, 0x61, 0xa8, 0x16,\n 0x61, 0xb4, 0x53, 0x62, 0xe1, 0x24, 0xaa, 0xb, 0x19, 0xe7, 0xab,\n 0x7e, 0x3d, 0xbf, 0xbe, 0x6c, 0x49, 0xba, 0xfb, 0xf5, 0x49},\n },\n {\n {0x2e, 0x57, 0x9c, 0x1e, 0x8c, 0x62, 0x5d, 0x15, 0x41, 0x47, 0x88,\n 0xc5, 0xac, 0x86, 0x4d, 0x8a, 0xeb, 0x63, 0x57, 0x51, 0xf6, 0x52,\n 0xa3, 0x91, 0x5b, 0x51, 0x67, 0x88, 0xc2, 0xa6, 0xa1, 0x6},\n {0xd4, 0xcf, 0x5b, 0x8a, 0x10, 0x9a, 0x94, 0x30, 0xeb, 0x73, 0x64,\n 0xbc, 0x70, 0xdd, 0x40, 0xdc, 0x1c, 0xd, 0x7c, 0x30, 0xc1, 0x94,\n 0xc2, 0x92, 0x74, 0x6e, 0xfa, 0xcb, 0x6d, 0xa8, 0x4, 0x56},\n {0xb6, 0x64, 0x17, 0x7c, 0xd4, 0xd1, 0x88, 0x72, 0x51, 0x8b, 0x41,\n 0xe0, 0x40, 0x11, 0x54, 0x72, 0xd1, 0xf6, 0xac, 0x18, 0x60, 0x1a,\n 0x3, 0x9f, 0xc6, 0x42, 0x27, 0xfe, 0x89, 0x9e, 0x98, 0x20},\n },\n {\n {0x2e, 0xec, 0xea, 0x85, 0x8b, 0x27, 0x74, 0x16, 0xdf, 0x2b, 0xcb,\n 0x7a, 0x7, 0xdc, 0x21, 0x56, 0x5a, 0xf4, 0xcb, 0x61, 0x16, 0x4c,\n 0xa, 0x64, 0xd3, 0x95, 0x5, 0xf7, 0x50, 0x99, 0xb, 0x73},\n {0x7f, 0xcc, 0x2d, 0x3a, 0xfd, 0x77, 0x97, 0x49, 0x92, 0xd8, 0x4f,\n 0xa5, 0x2c, 0x7c, 0x85, 0x32, 0xa0, 0xe3, 0x7, 0xd2, 0x64, 0xd8,\n 0x79, 0xa2, 0x29, 0x7e, 0xa6, 0xc, 0x1d, 0xed, 0x3, 0x4},\n {0x52, 0xc5, 0x4e, 0x87, 0x35, 0x2d, 0x4b, 0xc9, 0x8d, 0x6f, 0x24,\n 0x98, 0xcf, 0xc8, 0xe6, 0xc5, 0xce, 0x35, 0xc0, 0x16, 0xfa, 0x46,\n 0xcb, 0xf7, 0xcc, 0x3d, 0x30, 0x8, 0x43, 0x45, 0xd7, 0x5b},\n },\n {\n {0x2a, 0x79, 0xe7, 0x15, 0x21, 0x93, 0xc4, 0x85, 0xc9, 0xdd, 0xcd,\n 0xbd, 0xa2, 0x89, 0x4c, 0xc6, 0x62, 0xd7, 0xa3, 0xad, 0xa8, 0x3d,\n 0x1e, 0x9d, 0x2c, 0xf8, 0x67, 0x30, 0x12, 0xdb, 0xb7, 0x5b},\n {0xc2, 0x4c, 0xb2, 0x28, 0x95, 0xd1, 0x9a, 0x7f, 0x81, 0xc1, 0x35,\n 0x63, 0x65, 0x54, 0x6b, 0x7f, 0x36, 0x72, 0xc0, 0x4f, 0x6e, 0xb6,\n 0xb8, 0x66, 0x83, 0xad, 0x80, 0x73, 0x0, 0x78, 0x3a, 0x13},\n {0xbe, 0x62, 0xca, 0xc6, 0x67, 0xf4, 0x61, 0x9, 0xee, 0x52, 0x19,\n 0x21, 0xd6, 0x21, 0xec, 0x4, 0x70, 0x47, 0xd5, 0x9b, 0x77, 0x60,\n 0x23, 0x18, 0xd2, 0xe0, 0xf0, 0x58, 0x6d, 0xca, 0xd, 0x74},\n },\n },\n {\n {\n {0x3c, 0x43, 0x78, 0x4, 0x57, 0x8c, 0x1a, 0x23, 0x9d, 0x43, 0x81,\n 0xc2, 0xe, 0x27, 0xb5, 0xb7, 0x9f, 0x7, 0xd9, 0xe3, 0xea, 0x99,\n 0xaa, 0xdb, 0xd9, 0x3, 0x2b, 0x6c, 0x25, 0xf5, 0x3, 0x2c},\n {0x4e, 0xce, 0xcf, 0x52, 0x7, 0xee, 0x48, 0xdf, 0xb7, 0x8, 0xec,\n 0x6, 0xf3, 0xfa, 0xff, 0xc3, 0xc4, 0x59, 0x54, 0xb9, 0x2a, 0xb,\n 0x71, 0x5, 0x8d, 0xa3, 0x3e, 0x96, 0xfa, 0x25, 0x1d, 0x16},\n {0x7d, 0xa4, 0x53, 0x7b, 0x75, 0x18, 0xf, 0x79, 0x79, 0x58, 0xc,\n 0xcf, 0x30, 0x1, 0x7b, 0x30, 0xf9, 0xf7, 0x7e, 0x25, 0x77, 0x3d,\n 0x90, 0x31, 0xaf, 0xbb, 0x96, 0xbd, 0xbd, 0x68, 0x94, 0x69},\n },\n {\n {0x48, 0x19, 0xa9, 0x6a, 0xe6, 0x3d, 0xdd, 0xd8, 0xcc, 0xd2, 0xc0,\n 0x2f, 0xc2, 0x64, 0x50, 0x48, 0x2f, 0xea, 0xfd, 0x34, 0x66, 0x24,\n 0x48, 0x9b, 0x3a, 0x2e, 0x4a, 0x6c, 0x4e, 0x1c, 0x3e, 0x29},\n {0xcf, 0xfe, 0xda, 0xf4, 0x46, 0x2f, 0x1f, 0xbd, 0xf7, 0xd6, 0x7f,\n 0xa4, 0x14, 0x1, 0xef, 0x7c, 0x7f, 0xb3, 0x47, 0x4a, 0xda, 0xfd,\n 0x1f, 0xd3, 0x85, 0x57, 0x90, 0x73, 0xa4, 0x19, 0x52, 0x52},\n {0xe1, 0x12, 0x51, 0x92, 0x4b, 0x13, 0x6e, 0x37, 0xa0, 0x5d, 0xa1,\n 0xdc, 0xb5, 0x78, 0x37, 0x70, 0x11, 0x31, 0x1c, 0x46, 0xaf, 0x89,\n 0x45, 0xb0, 0x23, 0x28, 0x3, 0x7f, 0x44, 0x5c, 0x60, 0x5b},\n },\n {\n {0x4c, 0xf0, 0xe7, 0xf0, 0xc6, 0xfe, 0xe9, 0x3b, 0x62, 0x49, 0xe3,\n 0x75, 0x9e, 0x57, 0x6a, 0x86, 0x1a, 0xe6, 0x1d, 0x1e, 0x16, 0xef,\n 0x42, 0x55, 0xd5, 0xbd, 0x5a, 0xcc, 0xf4, 0xfe, 0x12, 0x2f},\n {0x89, 0x7c, 0xc4, 0x20, 0x59, 0x80, 0x65, 0xb9, 0xcc, 0x8f, 0x3b,\n 0x92, 0xc, 0x10, 0xf0, 0xe7, 0x77, 0xef, 0xe2, 0x2, 0x65, 0x25,\n 0x1, 0x0, 0xee, 0xb3, 0xae, 0xa8, 0xce, 0x6d, 0xa7, 0x24},\n {0x40, 0xc7, 0xc0, 0xdf, 0xb2, 0x22, 0x45, 0xa, 0x7, 0xa4, 0xc9,\n 0x40, 0x7f, 0x6e, 0xd0, 0x10, 0x68, 0xf6, 0xcf, 0x78, 0x41, 0x14,\n 0xcf, 0xc6, 0x90, 0x37, 0xa4, 0x18, 0x25, 0x7b, 0x60, 0x5e},\n },\n {\n {0x14, 0xcf, 0x96, 0xa5, 0x1c, 0x43, 0x2c, 0xa0, 0x0, 0xe4, 0xd3,\n 0xae, 0x40, 0x2d, 0xc4, 0xe3, 0xdb, 0x26, 0xf, 0x2e, 0x80, 0x26,\n 0x45, 0xd2, 0x68, 0x70, 0x45, 0x9e, 0x13, 0x33, 0x1f, 0x20},\n {0x18, 0x18, 0xdf, 0x6c, 0x8f, 0x1d, 0xb3, 0x58, 0xa2, 0x58, 0x62,\n 0xc3, 0x4f, 0xa7, 0xcf, 0x35, 0x6e, 0x1d, 0xe6, 0x66, 0x4f, 0xff,\n 0xb3, 0xe1, 0xf7, 0xd5, 0xcd, 0x6c, 0xab, 0xac, 0x67, 0x50},\n {0x51, 0x9d, 0x3, 0x8, 0x6b, 0x7f, 0x52, 0xfd, 0x6, 0x0, 0x7c,\n 0x1, 0x64, 0x49, 0xb1, 0x18, 0xa8, 0xa4, 0x25, 0x2e, 0xb0, 0xe,\n 0x22, 0xd5, 0x75, 0x3, 0x46, 0x62, 0x88, 0xba, 0x7c, 0x39},\n },\n {\n {0xe7, 0x79, 0x13, 0xc8, 0xfb, 0xc3, 0x15, 0x78, 0xf1, 0x2a, 0xe1,\n 0xdd, 0x20, 0x94, 0x61, 0xa6, 0xd5, 0xfd, 0xa8, 0x85, 0xf8, 0xc0,\n 0xa9, 0xff, 0x52, 0xc2, 0xe1, 0xc1, 0x22, 0x40, 0x1b, 0x77},\n {0xb2, 0x59, 0x59, 0xf0, 0x93, 0x30, 0xc1, 0x30, 0x76, 0x79, 0xa9,\n 0xe9, 0x8d, 0xa1, 0x3a, 0xe2, 0x26, 0x5e, 0x1d, 0x72, 0x91, 0xd4,\n 0x2f, 0x22, 0x3a, 0x6c, 0x6e, 0x76, 0x20, 0xd3, 0x39, 0x23},\n {0xa7, 0x2f, 0x3a, 0x51, 0x86, 0xd9, 0x7d, 0xd8, 0x8, 0xcf, 0xd4,\n 0xf9, 0x71, 0x9b, 0xac, 0xf5, 0xb3, 0x83, 0xa2, 0x1e, 0x1b, 0xc3,\n 0x6b, 0xd0, 0x76, 0x1a, 0x97, 0x19, 0x92, 0x18, 0x1a, 0x33},\n },\n {\n {0xaf, 0x72, 0x75, 0x9d, 0x3a, 0x2f, 0x51, 0x26, 0x9e, 0x4a, 0x7,\n 0x68, 0x88, 0xe2, 0xcb, 0x5b, 0xc4, 0xf7, 0x80, 0x11, 0xc1, 0xc1,\n 0xed, 0x84, 0x7b, 0xa6, 0x49, 0xf6, 0x9f, 0x61, 0xc9, 0x1a},\n {0xc6, 0x80, 0x4f, 0xfb, 0x45, 0x6f, 0x16, 0xf5, 0xcf, 0x75, 0xc7,\n 0x61, 0xde, 0xc7, 0x36, 0x9c, 0x1c, 0xd9, 0x41, 0x90, 0x1b, 0xe8,\n 0xd4, 0xe3, 0x21, 0xfe, 0xbd, 0x83, 0x6b, 0x7c, 0x16, 0x31},\n {0x68, 0x10, 0x4b, 0x52, 0x42, 0x38, 0x2b, 0xf2, 0x87, 0xe9, 0x9c,\n 0xee, 0x3b, 0x34, 0x68, 0x50, 0xc8, 0x50, 0x62, 0x4a, 0x84, 0x71,\n 0x9d, 0xfc, 0x11, 0xb1, 0x8, 0x1f, 0x34, 0x36, 0x24, 0x61},\n },\n {\n {0x38, 0x26, 0x2d, 0x1a, 0xe3, 0x49, 0x63, 0x8b, 0x35, 0xfd, 0xd3,\n 0x9b, 0x0, 0xb7, 0xdf, 0x9d, 0xa4, 0x6b, 0xa0, 0xa3, 0xb8, 0xf1,\n 0x8b, 0x7f, 0x45, 0x4, 0xd9, 0x78, 0x31, 0xaa, 0x22, 0x15},\n {0x8d, 0x89, 0x4e, 0x87, 0xdb, 0x41, 0x9d, 0xd9, 0x20, 0xdc, 0x7,\n 0x6c, 0xf1, 0xa5, 0xfe, 0x9, 0xbc, 0x9b, 0xf, 0xd0, 0x67, 0x2c,\n 0x3d, 0x79, 0x40, 0xff, 0x5e, 0x9e, 0x30, 0xe2, 0xeb, 0x46},\n {0x38, 0x49, 0x61, 0x69, 0x53, 0x2f, 0x38, 0x2c, 0x10, 0x6d, 0x2d,\n 0xb7, 0x9a, 0x40, 0xfe, 0xda, 0x27, 0xf2, 0x46, 0xb6, 0x91, 0x33,\n 0xc8, 0xe8, 0x6c, 0x30, 0x24, 0x5, 0xf5, 0x70, 0xfe, 0x45},\n },\n {\n {0x91, 0x14, 0x95, 0xc8, 0x20, 0x49, 0xf2, 0x62, 0xa2, 0xc, 0x63,\n 0x3f, 0xc8, 0x7, 0xf0, 0x5, 0xb8, 0xd4, 0xc9, 0xf5, 0xd2, 0x45,\n 0xbb, 0x6f, 0x45, 0x22, 0x7a, 0xb5, 0x6d, 0x9f, 0x61, 0x16},\n {0x8c, 0xb, 0xc, 0x96, 0xa6, 0x75, 0x48, 0xda, 0x20, 0x2f, 0xe,\n 0xef, 0x76, 0xd0, 0x68, 0x5b, 0xd4, 0x8f, 0xb, 0x3d, 0xcf, 0x51,\n 0xfb, 0x7, 0xd4, 0x92, 0xe3, 0xa0, 0x23, 0x16, 0x8d, 0x42},\n {0xfd, 0x8, 0xa3, 0x1, 0x44, 0x4a, 0x4f, 0x8, 0xac, 0xca, 0xa5,\n 0x76, 0xc3, 0x19, 0x22, 0xa8, 0x7d, 0xbc, 0xd1, 0x43, 0x46, 0xde,\n 0xb8, 0xde, 0xc6, 0x38, 0xbd, 0x60, 0x2d, 0x59, 0x81, 0x1d},\n },\n },\n {\n {\n {0xe8, 0xc5, 0x85, 0x7b, 0x9f, 0xb6, 0x65, 0x87, 0xb2, 0xba, 0x68,\n 0xd1, 0x8b, 0x67, 0xf0, 0x6f, 0x9b, 0xf, 0x33, 0x1d, 0x7c, 0xe7,\n 0x70, 0x3a, 0x7c, 0x8e, 0xaf, 0xb0, 0x51, 0x6d, 0x5f, 0x3a},\n {0x5f, 0xac, 0xd, 0xa6, 0x56, 0x87, 0x36, 0x61, 0x57, 0xdc, 0xab,\n 0xeb, 0x6a, 0x2f, 0xe0, 0x17, 0x7d, 0xf, 0xce, 0x4c, 0x2d, 0x3f,\n 0x19, 0x7f, 0xf0, 0xdc, 0xec, 0x89, 0x77, 0x4a, 0x23, 0x20},\n {0x52, 0xb2, 0x78, 0x71, 0xb6, 0xd, 0xd2, 0x76, 0x60, 0xd1, 0x1e,\n 0xd5, 0xf9, 0x34, 0x1c, 0x7, 0x70, 0x11, 0xe4, 0xb3, 0x20, 0x4a,\n 0x2a, 0xf6, 0x66, 0xe3, 0xff, 0x3c, 0x35, 0x82, 0xd6, 0x7c},\n },\n {\n {0xf3, 0xf4, 0xac, 0x68, 0x60, 0xcd, 0x65, 0xa6, 0xd3, 0xe3, 0xd7,\n 0x3c, 0x18, 0x2d, 0xd9, 0x42, 0xd9, 0x25, 0x60, 0x33, 0x9d, 0x38,\n 0x59, 0x57, 0xff, 0xd8, 0x2c, 0x2b, 0x3b, 0x25, 0xf0, 0x3e},\n {0xb6, 0xfa, 0x87, 0xd8, 0x5b, 0xa4, 0xe1, 0xb, 0x6e, 0x3b, 0x40,\n 0xba, 0x32, 0x6a, 0x84, 0x2a, 0x0, 0x60, 0x6e, 0xe9, 0x12, 0x10,\n 0x92, 0xd9, 0x43, 0x9, 0xdc, 0x3b, 0x86, 0xc8, 0x38, 0x28},\n {0x30, 0x50, 0x46, 0x4a, 0xcf, 0xb0, 0x6b, 0xd1, 0xab, 0x77, 0xc5,\n 0x15, 0x41, 0x6b, 0x49, 0xfa, 0x9d, 0x41, 0xab, 0xf4, 0x8a, 0xae,\n 0xcf, 0x82, 0x12, 0x28, 0xa8, 0x6, 0xa6, 0xb8, 0xdc, 0x21},\n },\n {\n {0xba, 0x31, 0x77, 0xbe, 0xfa, 0x0, 0x8d, 0x9a, 0x89, 0x18, 0x9e,\n 0x62, 0x7e, 0x60, 0x3, 0x82, 0x7f, 0xd9, 0xf3, 0x43, 0x37, 0x2,\n 0xcc, 0xb2, 0x8b, 0x67, 0x6f, 0x6c, 0xbf, 0xd, 0x84, 0x5d},\n {0xc8, 0x9f, 0x9d, 0x8c, 0x46, 0x4, 0x60, 0x5c, 0xcb, 0xa3, 0x2a,\n 0xd4, 0x6e, 0x9, 0x40, 0x25, 0x9c, 0x2f, 0xee, 0x12, 0x4c, 0x4d,\n 0x5b, 0x12, 0xab, 0x1d, 0xa3, 0x94, 0x81, 0xd0, 0xc3, 0xb},\n {0x8b, 0xe1, 0x9f, 0x30, 0xd, 0x38, 0x6e, 0x70, 0xc7, 0x65, 0xe1,\n 0xb9, 0xa6, 0x2d, 0xb0, 0x6e, 0xab, 0x20, 0xae, 0x7d, 0x99, 0xba,\n 0xbb, 0x57, 0xdd, 0x96, 0xc1, 0x2a, 0x23, 0x76, 0x42, 0x3a},\n },\n {\n {0xcb, 0x7e, 0x44, 0xdb, 0x72, 0xc1, 0xf8, 0x3b, 0xbd, 0x2d, 0x28,\n 0xc6, 0x1f, 0xc4, 0xcf, 0x5f, 0xfe, 0x15, 0xaa, 0x75, 0xc0, 0xff,\n 0xac, 0x80, 0xf9, 0xa9, 0xe1, 0x24, 0xe8, 0xc9, 0x70, 0x7},\n {0xfa, 0x84, 0x70, 0x8a, 0x2c, 0x43, 0x42, 0x4b, 0x45, 0xe5, 0xb9,\n 0xdf, 0xe3, 0x19, 0x8a, 0x89, 0x5d, 0xe4, 0x58, 0x9c, 0x21, 0x0,\n 0x9f, 0xbe, 0xd1, 0xeb, 0x6d, 0xa1, 0xce, 0x77, 0xf1, 0x1f},\n {0xfd, 0xb5, 0xb5, 0x45, 0x9a, 0xd9, 0x61, 0xcf, 0x24, 0x79, 0x3a,\n 0x1b, 0xe9, 0x84, 0x9, 0x86, 0x89, 0x3e, 0x3e, 0x30, 0x19, 0x9,\n 0x30, 0xe7, 0x1e, 0xb, 0x50, 0x41, 0xfd, 0x64, 0xf2, 0x39},\n },\n {\n {0xe1, 0x7b, 0x9, 0xfe, 0xab, 0x4a, 0x9b, 0xd1, 0x29, 0x19, 0xe0,\n 0xdf, 0xe1, 0xfc, 0x6d, 0xa4, 0xff, 0xf1, 0xa6, 0x2c, 0x94, 0x8,\n 0xc9, 0xc3, 0x4e, 0xf1, 0x35, 0x2c, 0x27, 0x21, 0xc6, 0x65},\n {0x9c, 0xe2, 0xe7, 0xdb, 0x17, 0x34, 0xad, 0xa7, 0x9c, 0x13, 0x9c,\n 0x2b, 0x6a, 0x37, 0x94, 0xbd, 0xa9, 0x7b, 0x59, 0x93, 0x8e, 0x1b,\n 0xe9, 0xa0, 0x40, 0x98, 0x88, 0x68, 0x34, 0xd7, 0x12, 0x17},\n {0xdd, 0x93, 0x31, 0xce, 0xf8, 0x89, 0x2b, 0xe7, 0xbb, 0xc0, 0x25,\n 0xa1, 0x56, 0x33, 0x10, 0x4d, 0x83, 0xfe, 0x1c, 0x2e, 0x3d, 0xa9,\n 0x19, 0x4, 0x72, 0xe2, 0x9c, 0xb1, 0xa, 0x80, 0xf9, 0x22},\n },\n {\n {0xac, 0xfd, 0x6e, 0x9a, 0xdd, 0x9f, 0x2, 0x42, 0x41, 0x49, 0xa5,\n 0x34, 0xbe, 0xce, 0x12, 0xb9, 0x7b, 0xf3, 0xbd, 0x87, 0xb9, 0x64,\n 0xf, 0x64, 0xb4, 0xca, 0x98, 0x85, 0xd3, 0xa4, 0x71, 0x41},\n {0xcb, 0xf8, 0x9e, 0x3e, 0x8a, 0x36, 0x5a, 0x60, 0x15, 0x47, 0x50,\n 0xa5, 0x22, 0xc0, 0xe9, 0xe3, 0x8f, 0x24, 0x24, 0x5f, 0xb0, 0x48,\n 0x3d, 0x55, 0xe5, 0x26, 0x76, 0x64, 0xcd, 0x16, 0xf4, 0x13},\n {0x8c, 0x4c, 0xc9, 0x99, 0xaa, 0x58, 0x27, 0xfa, 0x7, 0xb8, 0x0,\n 0xb0, 0x6f, 0x6f, 0x0, 0x23, 0x92, 0x53, 0xda, 0xad, 0xdd, 0x91,\n 0xd2, 0xfb, 0xab, 0xd1, 0x4b, 0x57, 0xfa, 0x14, 0x82, 0x50},\n },\n {\n {0xd6, 0x3, 0xd0, 0x53, 0xbb, 0x15, 0x1a, 0x46, 0x65, 0xc9, 0xf3,\n 0xbc, 0x88, 0x28, 0x10, 0xb2, 0x5a, 0x3a, 0x68, 0x6c, 0x75, 0x76,\n 0xc5, 0x27, 0x47, 0xb4, 0x6c, 0xc8, 0xa4, 0x58, 0x77, 0x3a},\n {0x4b, 0xfe, 0xd6, 0x3e, 0x15, 0x69, 0x2, 0xc2, 0xc4, 0x77, 0x1d,\n 0x51, 0x39, 0x67, 0x5a, 0xa6, 0x94, 0xaf, 0x14, 0x2c, 0x46, 0x26,\n 0xde, 0xcb, 0x4b, 0xa7, 0xab, 0x6f, 0xec, 0x60, 0xf9, 0x22},\n {0x76, 0x50, 0xae, 0x93, 0xf6, 0x11, 0x81, 0x54, 0xa6, 0x54, 0xfd,\n 0x1d, 0xdf, 0x21, 0xae, 0x1d, 0x65, 0x5e, 0x11, 0xf3, 0x90, 0x8c,\n 0x24, 0x12, 0x94, 0xf4, 0xe7, 0x8d, 0x5f, 0xd1, 0x9f, 0x5d},\n },\n {\n {0x1e, 0x52, 0xd7, 0xee, 0x2a, 0x4d, 0x24, 0x3f, 0x15, 0x96, 0x2e,\n 0x43, 0x28, 0x90, 0x3a, 0x8e, 0xd4, 0x16, 0x9c, 0x2e, 0x77, 0xba,\n 0x64, 0xe1, 0xd8, 0x98, 0xeb, 0x47, 0xfa, 0x87, 0xc1, 0x3b},\n {0x7f, 0x72, 0x63, 0x6d, 0xd3, 0x8, 0x14, 0x3, 0x33, 0xb5, 0xc7,\n 0xd7, 0xef, 0x9a, 0x37, 0x6a, 0x4b, 0xe2, 0xae, 0xcc, 0xc5, 0x8f,\n 0xe1, 0xa9, 0xd3, 0xbe, 0x8f, 0x4f, 0x91, 0x35, 0x2f, 0x33},\n {0xc, 0xc2, 0x86, 0xea, 0x15, 0x1, 0x47, 0x6d, 0x25, 0xd1, 0x46,\n 0x6c, 0xcb, 0xb7, 0x8a, 0x99, 0x88, 0x1, 0x66, 0x3a, 0xb5, 0x32,\n 0x78, 0xd7, 0x3, 0xba, 0x6f, 0x90, 0xce, 0x81, 0xd, 0x45},\n },\n },\n {\n {\n {0x3f, 0x74, 0xae, 0x1c, 0x96, 0xd8, 0x74, 0xd0, 0xed, 0x63, 0x1c,\n 0xee, 0xf5, 0x18, 0x6d, 0xf8, 0x29, 0xed, 0xf4, 0xe7, 0x5b, 0xc5,\n 0xbd, 0x97, 0x8, 0xb1, 0x3a, 0x66, 0x79, 0xd2, 0xba, 0x4c},\n {0x75, 0x52, 0x20, 0xa6, 0xa1, 0xb6, 0x7b, 0x6e, 0x83, 0x8e, 0x3c,\n 0x41, 0xd7, 0x21, 0x4f, 0xaa, 0xb2, 0x5c, 0x8f, 0xe8, 0x55, 0xd1,\n 0x56, 0x6f, 0xe1, 0x5b, 0x34, 0xa6, 0x4b, 0x5d, 0xe2, 0x2d},\n {0xcd, 0x1f, 0xd7, 0xa0, 0x24, 0x90, 0xd1, 0x80, 0xf8, 0x8a, 0x28,\n 0xfb, 0xa, 0xc2, 0x25, 0xc5, 0x19, 0x64, 0x3a, 0x5f, 0x4b, 0x97,\n 0xa3, 0xb1, 0x33, 0x72, 0x0, 0xe2, 0xef, 0xbc, 0x7f, 0x7d},\n },\n {\n {0x94, 0x90, 0xc2, 0xf3, 0xc5, 0x5d, 0x7c, 0xcd, 0xab, 0x5, 0x91,\n 0x2a, 0x9a, 0xa2, 0x81, 0xc7, 0x58, 0x30, 0x1c, 0x42, 0x36, 0x1d,\n 0xc6, 0x80, 0xd7, 0xd4, 0xd8, 0xdc, 0x96, 0xd1, 0x9c, 0x4f},\n {0x1, 0x28, 0x6b, 0x26, 0x6a, 0x1e, 0xef, 0xfa, 0x16, 0x9f, 0x73,\n 0xd5, 0xc4, 0x68, 0x6c, 0x86, 0x2c, 0x76, 0x3, 0x1b, 0xbc, 0x2f,\n 0x8a, 0xf6, 0x8d, 0x5a, 0xb7, 0x87, 0x5e, 0x43, 0x75, 0x59},\n {0x68, 0x37, 0x7b, 0x6a, 0xd8, 0x97, 0x92, 0x19, 0x63, 0x7a, 0xd1,\n 0x1a, 0x24, 0x58, 0xd0, 0xd0, 0x17, 0xc, 0x1c, 0x5c, 0xad, 0x9c,\n 0x2, 0xba, 0x7, 0x3, 0x7a, 0x38, 0x84, 0xd0, 0xcd, 0x7c},\n },\n {\n {0x93, 0xcc, 0x60, 0x67, 0x18, 0x84, 0xc, 0x9b, 0x99, 0x2a, 0xb3,\n 0x1a, 0x7a, 0x0, 0xae, 0xcd, 0x18, 0xda, 0xb, 0x62, 0x86, 0xec,\n 0x8d, 0xa8, 0x44, 0xca, 0x90, 0x81, 0x84, 0xca, 0x93, 0x35},\n {0x17, 0x4, 0x26, 0x6d, 0x2c, 0x42, 0xa6, 0xdc, 0xbd, 0x40, 0x82,\n 0x94, 0x50, 0x3d, 0x15, 0xae, 0x77, 0xc6, 0x68, 0xfb, 0xb4, 0xc1,\n 0xc0, 0xa9, 0x53, 0xcf, 0xd0, 0x61, 0xed, 0xd0, 0x8b, 0x42},\n {0xa7, 0x9a, 0x84, 0x5e, 0x9a, 0x18, 0x13, 0x92, 0xcd, 0xfa, 0xd8,\n 0x65, 0x35, 0xc3, 0xd8, 0xd4, 0xd1, 0xbb, 0xfd, 0x53, 0x5b, 0x54,\n 0x52, 0x8c, 0xe6, 0x63, 0x2d, 0xda, 0x8, 0x83, 0x39, 0x27},\n },\n {\n {0x53, 0x24, 0x70, 0xa, 0x4c, 0xe, 0xa1, 0xb9, 0xde, 0x1b, 0x7d,\n 0xd5, 0x66, 0x58, 0xa2, 0xf, 0xf7, 0xda, 0x27, 0xcd, 0xb5, 0xd9,\n 0xb9, 0xff, 0xfd, 0x33, 0x2c, 0x49, 0x45, 0x29, 0x2c, 0x57},\n {0x13, 0xd4, 0x5e, 0x43, 0x28, 0x8d, 0xc3, 0x42, 0xc9, 0xcc, 0x78,\n 0x32, 0x60, 0xf3, 0x50, 0xbd, 0xef, 0x3, 0xda, 0x79, 0x1a, 0xab,\n 0x7, 0xbb, 0x55, 0x33, 0x8c, 0xbe, 0xae, 0x97, 0x95, 0x26},\n {0xbe, 0x30, 0xcd, 0xd6, 0x45, 0xc7, 0x7f, 0xc7, 0xfb, 0xae, 0xba,\n 0xe3, 0xd3, 0xe8, 0xdf, 0xe4, 0xc, 0xda, 0x5d, 0xaa, 0x30, 0x88,\n 0x2c, 0xa2, 0x80, 0xca, 0x5b, 0xc0, 0x98, 0x54, 0x98, 0x7f},\n },\n {\n {0x63, 0x63, 0xbf, 0xf, 0x52, 0x15, 0x56, 0xd3, 0xa6, 0xfb, 0x4d,\n 0xcf, 0x45, 0x5a, 0x4, 0x8, 0xc2, 0xa0, 0x3f, 0x87, 0xbc, 0x4f,\n 0xc2, 0xee, 0xe7, 0x12, 0x9b, 0xd6, 0x3c, 0x65, 0xf2, 0x30},\n {0x17, 0xe1, 0xb, 0x9f, 0x88, 0xce, 0x49, 0x38, 0x88, 0xa2, 0x54,\n 0x7b, 0x1b, 0xad, 0x5, 0x80, 0x1c, 0x92, 0xfc, 0x23, 0x9f, 0xc3,\n 0xa3, 0x3d, 0x4, 0xf3, 0x31, 0xa, 0x47, 0xec, 0xc2, 0x76},\n {0x85, 0xc, 0xc1, 0xaa, 0x38, 0xc9, 0x8, 0x8a, 0xcb, 0x6b, 0x27,\n 0xdb, 0x60, 0x9b, 0x17, 0x46, 0x70, 0xac, 0x6f, 0xe, 0x1e, 0xc0,\n 0x20, 0xa9, 0xda, 0x73, 0x64, 0x59, 0xf1, 0x73, 0x12, 0x2f},\n },\n {\n {0xc0, 0xb, 0xa7, 0x55, 0xd7, 0x8b, 0x48, 0x30, 0xe7, 0x42, 0xd4,\n 0xf1, 0xa4, 0xb5, 0xd6, 0x6, 0x62, 0x61, 0x59, 0xbc, 0x9e, 0xa6,\n 0xd1, 0xea, 0x84, 0xf7, 0xc5, 0xed, 0x97, 0x19, 0xac, 0x38},\n {0x11, 0x1e, 0xe0, 0x8a, 0x7c, 0xfc, 0x39, 0x47, 0x9f, 0xab, 0x6a,\n 0x4a, 0x90, 0x74, 0x52, 0xfd, 0x2e, 0x8f, 0x72, 0x87, 0x82, 0x8a,\n 0xd9, 0x41, 0xf2, 0x69, 0x5b, 0xd8, 0x2a, 0x57, 0x9e, 0x5d},\n {0x3b, 0xb1, 0x51, 0xa7, 0x17, 0xb5, 0x66, 0x6, 0x8c, 0x85, 0x9b,\n 0x7e, 0x86, 0x6, 0x7d, 0x74, 0x49, 0xde, 0x4d, 0x45, 0x11, 0xc0,\n 0xac, 0xac, 0x9c, 0xe6, 0xe9, 0xbf, 0x9c, 0xcd, 0xdf, 0x22},\n },\n {\n {0xa1, 0xe0, 0x3b, 0x10, 0xb4, 0x59, 0xec, 0x56, 0x69, 0xf9, 0x59,\n 0xd2, 0xec, 0xba, 0xe3, 0x2e, 0x32, 0xcd, 0xf5, 0x13, 0x94, 0xb2,\n 0x7c, 0x79, 0x72, 0xe4, 0xcd, 0x24, 0x78, 0x87, 0xe9, 0xf},\n {0xd9, 0xc, 0xd, 0xc3, 0xe0, 0xd2, 0xdb, 0x8d, 0x33, 0x43, 0xbb,\n 0xac, 0x5f, 0x66, 0x8e, 0xad, 0x1f, 0x96, 0x2a, 0x32, 0x8c, 0x25,\n 0x6b, 0x8f, 0xc7, 0xc1, 0x48, 0x54, 0xc0, 0x16, 0x29, 0x6b},\n {0x3b, 0x91, 0xba, 0xa, 0xd1, 0x34, 0xdb, 0x7e, 0xe, 0xac, 0x6d,\n 0x2e, 0x82, 0xcd, 0xa3, 0x4e, 0x15, 0xf8, 0x78, 0x65, 0xff, 0x3d,\n 0x8, 0x66, 0x17, 0xa, 0xf0, 0x7f, 0x30, 0x3f, 0x30, 0x4c},\n },\n {\n {0x0, 0x45, 0xd9, 0xd, 0x58, 0x3, 0xfc, 0x29, 0x93, 0xec, 0xbb,\n 0x6f, 0xa4, 0x7a, 0xd2, 0xec, 0xf8, 0xa7, 0xe2, 0xc2, 0x5f, 0x15,\n 0xa, 0x13, 0xd5, 0xa1, 0x6, 0xb7, 0x1a, 0x15, 0x6b, 0x41},\n {0x85, 0x8c, 0xb2, 0x17, 0xd6, 0x3b, 0xa, 0xd3, 0xea, 0x3b, 0x77,\n 0x39, 0xb7, 0x77, 0xd3, 0xc5, 0xbf, 0x5c, 0x6a, 0x1e, 0x8c, 0xe7,\n 0xc6, 0xc6, 0xc4, 0xb7, 0x2a, 0x8b, 0xf7, 0xb8, 0x61, 0xd},\n {0xb0, 0x36, 0xc1, 0xe9, 0xef, 0xd7, 0xa8, 0x56, 0x20, 0x4b, 0xe4,\n 0x58, 0xcd, 0xe5, 0x7, 0xbd, 0xab, 0xe0, 0x57, 0x1b, 0xda, 0x2f,\n 0xe6, 0xaf, 0xd2, 0xe8, 0x77, 0x42, 0xf7, 0x2a, 0x1a, 0x19},\n },\n },\n {\n {\n {0xfb, 0xe, 0x46, 0x4f, 0x43, 0x2b, 0xe6, 0x9f, 0xd6, 0x7, 0x36,\n 0xa6, 0xd4, 0x3, 0xd3, 0xde, 0x24, 0xda, 0xa0, 0xb7, 0xe, 0x21,\n 0x52, 0xf0, 0x93, 0x5b, 0x54, 0x0, 0xbe, 0x7d, 0x7e, 0x23},\n {0x31, 0x14, 0x3c, 0xc5, 0x4b, 0xf7, 0x16, 0xce, 0xde, 0xed, 0x72,\n 0x20, 0xce, 0x25, 0x97, 0x2b, 0xe7, 0x3e, 0xb2, 0xb5, 0x6f, 0xc3,\n 0xb9, 0xb8, 0x8, 0xc9, 0x5c, 0xb, 0x45, 0xe, 0x2e, 0x7e},\n {0x30, 0xb4, 0x1, 0x67, 0xed, 0x75, 0x35, 0x1, 0x10, 0xfd, 0xb,\n 0x9f, 0xe6, 0x94, 0x10, 0x23, 0x22, 0x7f, 0xe4, 0x83, 0x15, 0xf,\n 0x32, 0x75, 0xe3, 0x55, 0x11, 0xb1, 0x99, 0xa6, 0xaf, 0x71},\n },\n {\n {0xd6, 0x50, 0x3b, 0x47, 0x1c, 0x3c, 0x42, 0xea, 0x10, 0xef, 0x38,\n 0x3b, 0x1f, 0x7a, 0xe8, 0x51, 0x95, 0xbe, 0xc9, 0xb2, 0x5f, 0xbf,\n 0x84, 0x9b, 0x1c, 0x9a, 0xf8, 0x78, 0xbc, 0x1f, 0x73, 0x0},\n {0x1d, 0xb6, 0x53, 0x39, 0x9b, 0x6f, 0xce, 0x65, 0xe6, 0x41, 0xa1,\n 0xaf, 0xea, 0x39, 0x58, 0xc6, 0xfe, 0x59, 0xf7, 0xa9, 0xfd, 0x5f,\n 0x43, 0xf, 0x8e, 0xc2, 0xb1, 0xc2, 0xe9, 0x42, 0x11, 0x2},\n {0x80, 0x18, 0xf8, 0x48, 0x18, 0xc7, 0x30, 0xe4, 0x19, 0xc1, 0xce,\n 0x5e, 0x22, 0xc, 0x96, 0xbf, 0xe3, 0x15, 0xba, 0x6b, 0x83, 0xe0,\n 0xda, 0xb6, 0x8, 0x58, 0xe1, 0x47, 0x33, 0x6f, 0x4d, 0x4c},\n },\n {\n {0x70, 0x19, 0x8f, 0x98, 0xfc, 0xdd, 0xc, 0x2f, 0x1b, 0xf5, 0xb9,\n 0xb0, 0x27, 0x62, 0x91, 0x6b, 0xbe, 0x76, 0x91, 0x77, 0xc4, 0xb6,\n 0xc7, 0x6e, 0xa8, 0x9f, 0x8f, 0xa8, 0x0, 0x95, 0xbf, 0x38},\n {0xc9, 0x1f, 0x7d, 0xc1, 0xcf, 0xec, 0xf7, 0x18, 0x14, 0x3c, 0x40,\n 0x51, 0xa6, 0xf5, 0x75, 0x6c, 0xdf, 0xc, 0xee, 0xf7, 0x2b, 0x71,\n 0xde, 0xdb, 0x22, 0x7a, 0xe4, 0xa7, 0xaa, 0xdd, 0x3f, 0x19},\n {0x6f, 0x87, 0xe8, 0x37, 0x3c, 0xc9, 0xd2, 0x1f, 0x2c, 0x46, 0xd1,\n 0x18, 0x5a, 0x1e, 0xf6, 0xa2, 0x76, 0x12, 0x24, 0x39, 0x82, 0xf5,\n 0x80, 0x50, 0x69, 0x49, 0xd, 0xbf, 0x9e, 0xb9, 0x6f, 0x6a},\n },\n {\n {0xc6, 0x23, 0xe4, 0xb6, 0xb5, 0x22, 0xb1, 0xee, 0x8e, 0xff, 0x86,\n 0xf2, 0x10, 0x70, 0x9d, 0x93, 0x8c, 0x5d, 0xcf, 0x1d, 0x83, 0x2a,\n 0xa9, 0x90, 0x10, 0xeb, 0xc5, 0x42, 0x9f, 0xda, 0x6f, 0x13},\n {0xeb, 0x55, 0x8, 0x56, 0xbb, 0xc1, 0x46, 0x6a, 0x9d, 0xf0, 0x93,\n 0xf8, 0x38, 0xbb, 0x16, 0x24, 0xc1, 0xac, 0x71, 0x8f, 0x37, 0x11,\n 0x1d, 0xd7, 0xea, 0x96, 0x18, 0xa3, 0x14, 0x69, 0xf7, 0x75},\n {0xd1, 0xbd, 0x5, 0xa3, 0xb1, 0xdf, 0x4c, 0xf9, 0x8, 0x2c, 0xf8,\n 0x9f, 0x9d, 0x4b, 0x36, 0xf, 0x8a, 0x58, 0xbb, 0xc3, 0xa5, 0xd8,\n 0x87, 0x2a, 0xba, 0xdc, 0xe8, 0xb, 0x51, 0x83, 0x21, 0x2},\n },\n {\n {0x7f, 0x7a, 0x30, 0x43, 0x1, 0x71, 0x5a, 0x9d, 0x5f, 0xa4, 0x7d,\n 0xc4, 0x9e, 0xde, 0x63, 0xb0, 0xd3, 0x7a, 0x92, 0xbe, 0x52, 0xfe,\n 0xbb, 0x22, 0x6c, 0x42, 0x40, 0xfd, 0x41, 0xc4, 0x87, 0x13},\n {0x14, 0x2d, 0xad, 0x5e, 0x38, 0x66, 0xf7, 0x4a, 0x30, 0x58, 0x7c,\n 0xca, 0x80, 0xd8, 0x8e, 0xa0, 0x3d, 0x1e, 0x21, 0x10, 0xe6, 0xa6,\n 0x13, 0xd, 0x3, 0x6c, 0x80, 0x7b, 0xe1, 0x1c, 0x7, 0x6a},\n {0xf8, 0x8a, 0x97, 0x87, 0xd1, 0xc3, 0xd3, 0xb5, 0x13, 0x44, 0xe,\n 0x7f, 0x3d, 0x5a, 0x2b, 0x72, 0xa0, 0x7c, 0x47, 0xbb, 0x48, 0x48,\n 0x7b, 0xd, 0x92, 0xdc, 0x1e, 0xaf, 0x6a, 0xb2, 0x71, 0x31},\n },\n {\n {0xd1, 0x47, 0x8a, 0xb2, 0xd8, 0xb7, 0xd, 0xa6, 0xf1, 0xa4, 0x70,\n 0x17, 0xd6, 0x14, 0xbf, 0xa6, 0x58, 0xbd, 0xdd, 0x53, 0x93, 0xf8,\n 0xa1, 0xd4, 0xe9, 0x43, 0x42, 0x34, 0x63, 0x4a, 0x51, 0x6c},\n {0xa8, 0x4c, 0x56, 0x97, 0x90, 0x31, 0x2f, 0xa9, 0x19, 0xe1, 0x75,\n 0x22, 0x4c, 0xb8, 0x7b, 0xff, 0x50, 0x51, 0x87, 0xa4, 0x37, 0xfe,\n 0x55, 0x4f, 0x5a, 0x83, 0xf0, 0x3c, 0x87, 0xd4, 0x1f, 0x22},\n {0x41, 0x63, 0x15, 0x3a, 0x4f, 0x20, 0x22, 0x23, 0x2d, 0x3, 0xa,\n 0xba, 0xe9, 0xe0, 0x73, 0xfb, 0xe, 0x3, 0xf, 0x41, 0x4c, 0xdd,\n 0xe0, 0xfc, 0xaa, 0x4a, 0x92, 0xfb, 0x96, 0xa5, 0xda, 0x48},\n },\n {\n {0x93, 0x97, 0x4c, 0xc8, 0x5d, 0x1d, 0xf6, 0x14, 0x6, 0x82, 0x41,\n 0xef, 0xe3, 0xf9, 0x41, 0x99, 0xac, 0x77, 0x62, 0x34, 0x8f, 0xb8,\n 0xf5, 0xcd, 0xa9, 0x79, 0x8a, 0xe, 0xfa, 0x37, 0xc8, 0x58},\n {0xc7, 0x9c, 0xa5, 0x5c, 0x66, 0x8e, 0xca, 0x6e, 0xa0, 0xac, 0x38,\n 0x2e, 0x4b, 0x25, 0x47, 0xa8, 0xce, 0x17, 0x1e, 0xd2, 0x8, 0xc7,\n 0xaf, 0x31, 0xf7, 0x4a, 0xd8, 0xca, 0xfc, 0xd6, 0x6d, 0x67},\n {0x58, 0x90, 0xfc, 0x96, 0x85, 0x68, 0xf9, 0xc, 0x1b, 0xa0, 0x56,\n 0x7b, 0xf3, 0xbb, 0xdc, 0x1d, 0x6a, 0xd6, 0x35, 0x49, 0x7d, 0xe7,\n 0xc2, 0xdc, 0xa, 0x7f, 0xa5, 0xc6, 0xf2, 0x73, 0x4f, 0x1c},\n },\n {\n {0x84, 0x34, 0x7c, 0xfc, 0x6e, 0x70, 0x6e, 0xb3, 0x61, 0xcf, 0xc1,\n 0xc3, 0xb4, 0xc9, 0xdf, 0x73, 0xe5, 0xc7, 0x1c, 0x78, 0xc9, 0x79,\n 0x1d, 0xeb, 0x5c, 0x67, 0xaf, 0x7d, 0xdb, 0x9a, 0x45, 0x70},\n {0xbb, 0xa0, 0x5f, 0x30, 0xbd, 0x4f, 0x7a, 0xe, 0xad, 0x63, 0xc6,\n 0x54, 0xe0, 0x4c, 0x9d, 0x82, 0x48, 0x38, 0xe3, 0x2f, 0x83, 0xc3,\n 0x21, 0xf4, 0x42, 0x4c, 0xf6, 0x1b, 0xd, 0xc8, 0x5a, 0x79},\n {0xb3, 0x2b, 0xb4, 0x91, 0x49, 0xdb, 0x91, 0x1b, 0xca, 0xdc, 0x2,\n 0x4b, 0x23, 0x96, 0x26, 0x57, 0xdc, 0x78, 0x8c, 0x1f, 0xe5, 0x9e,\n 0xdf, 0x9f, 0xd3, 0x1f, 0xe2, 0x8c, 0x84, 0x62, 0xe1, 0x5f},\n },\n },\n {\n {\n {0x8, 0xb2, 0x7c, 0x5d, 0x2d, 0x85, 0x79, 0x28, 0xe7, 0xf2, 0x7d,\n 0x68, 0x70, 0xdd, 0xde, 0xb8, 0x91, 0x78, 0x68, 0x21, 0xab, 0xff,\n 0xb, 0xdc, 0x35, 0xaa, 0x7d, 0x67, 0x43, 0xc0, 0x44, 0x2b},\n {0x1a, 0x96, 0x94, 0xe1, 0x4f, 0x21, 0x59, 0x4e, 0x4f, 0xcd, 0x71,\n 0xd, 0xc7, 0x7d, 0xbe, 0x49, 0x2d, 0xf2, 0x50, 0x3b, 0xd2, 0xcf,\n 0x0, 0x93, 0x32, 0x72, 0x91, 0xfc, 0x46, 0xd4, 0x89, 0x47},\n {0x8e, 0xb7, 0x4e, 0x7, 0xab, 0x87, 0x1c, 0x1a, 0x67, 0xf4, 0xda,\n 0x99, 0x8e, 0xd1, 0xc6, 0xfa, 0x67, 0x90, 0x4f, 0x48, 0xcd, 0xbb,\n 0xac, 0x3e, 0xe4, 0xa4, 0xb9, 0x2b, 0xef, 0x2e, 0xc5, 0x60},\n },\n {\n {0x11, 0x6d, 0xae, 0x7c, 0xc2, 0xc5, 0x2b, 0x70, 0xab, 0x8c, 0xa4,\n 0x54, 0x9b, 0x69, 0xc7, 0x44, 0xb2, 0x2e, 0x49, 0xba, 0x56, 0x40,\n 0xbc, 0xef, 0x6d, 0x67, 0xb6, 0xd9, 0x48, 0x72, 0xd7, 0x70},\n {0xf1, 0x8b, 0xfd, 0x3b, 0xbc, 0x89, 0x5d, 0xb, 0x1a, 0x55, 0xf3,\n 0xc9, 0x37, 0x92, 0x6b, 0xb0, 0xf5, 0x28, 0x30, 0xd5, 0xb0, 0x16,\n 0x4c, 0xe, 0xab, 0xca, 0xcf, 0x2c, 0x31, 0x9c, 0xbc, 0x10},\n {0x5b, 0xa0, 0xc2, 0x3e, 0x4b, 0xe8, 0x8a, 0xaa, 0xe0, 0x81, 0x17,\n 0xed, 0xf4, 0x9e, 0x69, 0x98, 0xd1, 0x85, 0x8e, 0x70, 0xe4, 0x13,\n 0x45, 0x79, 0x13, 0xf4, 0x76, 0xa9, 0xd3, 0x5b, 0x75, 0x63},\n },\n {\n {0xb7, 0xac, 0xf1, 0x97, 0x18, 0x10, 0xc7, 0x3d, 0xd8, 0xbb, 0x65,\n 0xc1, 0x5e, 0x7d, 0xda, 0x5d, 0xf, 0x2, 0xa1, 0xf, 0x9c, 0x5b,\n 0x8e, 0x50, 0x56, 0x2a, 0xc5, 0x37, 0x17, 0x75, 0x63, 0x27},\n {0x53, 0x8, 0xd1, 0x2a, 0x3e, 0xa0, 0x5f, 0xb5, 0x69, 0x35, 0xe6,\n 0x9e, 0x90, 0x75, 0x6f, 0x35, 0x90, 0xb8, 0x69, 0xbe, 0xfd, 0xf1,\n 0xf9, 0x9f, 0x84, 0x6f, 0xc1, 0x8b, 0xc4, 0xc1, 0x8c, 0xd},\n {0xa9, 0x19, 0xb4, 0x6e, 0xd3, 0x2, 0x94, 0x2, 0xa5, 0x60, 0xb4,\n 0x77, 0x7e, 0x4e, 0xb4, 0xf0, 0x56, 0x49, 0x3c, 0xd4, 0x30, 0x62,\n 0xa8, 0xcf, 0xe7, 0x66, 0xd1, 0x7a, 0x8a, 0xdd, 0xc2, 0x70},\n },\n {\n {0x13, 0x7e, 0xed, 0xb8, 0x7d, 0x96, 0xd4, 0x91, 0x7a, 0x81, 0x76,\n 0xd7, 0xa, 0x2f, 0x25, 0x74, 0x64, 0x25, 0x85, 0xd, 0xe0, 0x82,\n 0x9, 0xe4, 0xe5, 0x3c, 0xa5, 0x16, 0x38, 0x61, 0xb8, 0x32},\n {0xe, 0xec, 0x6f, 0x9f, 0x50, 0x94, 0x61, 0x65, 0x8d, 0x51, 0xc6,\n 0x46, 0xa9, 0x7e, 0x2e, 0xee, 0x5c, 0x9b, 0xe0, 0x67, 0xf3, 0xc1,\n 0x33, 0x97, 0x95, 0x84, 0x94, 0x63, 0x63, 0xac, 0xf, 0x2e},\n {0x64, 0xcd, 0x48, 0xe4, 0xbe, 0xf7, 0xe7, 0x79, 0xd0, 0x86, 0x78,\n 0x8, 0x67, 0x3a, 0xc8, 0x6a, 0x2e, 0xdb, 0xe4, 0xa0, 0xd9, 0xd4,\n 0x9f, 0xf8, 0x41, 0x4f, 0x5a, 0x73, 0x5c, 0x21, 0x79, 0x41},\n },\n {\n {0x34, 0xcd, 0x6b, 0x28, 0xb9, 0x33, 0xae, 0xe4, 0xdc, 0xd6, 0x9d,\n 0x55, 0xb6, 0x7e, 0xef, 0xb7, 0x1f, 0x8e, 0xd3, 0xb3, 0x1f, 0x14,\n 0x8b, 0x27, 0x86, 0xc2, 0x41, 0x22, 0x66, 0x85, 0xfa, 0x31},\n {0x2a, 0xed, 0xdc, 0xd7, 0xe7, 0x94, 0x70, 0x8c, 0x70, 0x9c, 0xd3,\n 0x47, 0xc3, 0x8a, 0xfb, 0x97, 0x2, 0xd9, 0x6, 0xa9, 0x33, 0xe0,\n 0x3b, 0xe1, 0x76, 0x9d, 0xd9, 0xc, 0xa3, 0x44, 0x3, 0x70},\n {0xf4, 0x22, 0x36, 0x2e, 0x42, 0x6c, 0x82, 0xaf, 0x2d, 0x50, 0x33,\n 0x98, 0x87, 0x29, 0x20, 0xc1, 0x23, 0x91, 0x38, 0x2b, 0xe1, 0xb7,\n 0xc1, 0x9b, 0x89, 0x24, 0x95, 0xa9, 0x12, 0x23, 0xbb, 0x24},\n },\n {\n {0x6b, 0x5c, 0xf8, 0xf5, 0x2a, 0xc, 0xf8, 0x41, 0x94, 0x67, 0xfa,\n 0x4, 0xc3, 0x84, 0x72, 0x68, 0xad, 0x1b, 0xba, 0xa3, 0x99, 0xdf,\n 0x45, 0x89, 0x16, 0x5d, 0xeb, 0xff, 0xf9, 0x2a, 0x1d, 0xd},\n {0xc3, 0x67, 0xde, 0x32, 0x17, 0xed, 0xa8, 0xb1, 0x48, 0x49, 0x1b,\n 0x46, 0x18, 0x94, 0xb4, 0x3c, 0xd2, 0xbc, 0xcf, 0x76, 0x43, 0x43,\n 0xbd, 0x8e, 0x8, 0x80, 0x18, 0x1e, 0x87, 0x3e, 0xee, 0xf},\n {0xdf, 0x1e, 0x62, 0x32, 0xa1, 0x8a, 0xda, 0xa9, 0x79, 0x65, 0x22,\n 0x59, 0xa1, 0x22, 0xb8, 0x30, 0x93, 0xc1, 0x9a, 0xa7, 0x7b, 0x19,\n 0x4, 0x40, 0x76, 0x1d, 0x53, 0x18, 0x97, 0xd7, 0xac, 0x16},\n },\n {\n {0xad, 0xb6, 0x87, 0x78, 0xc5, 0xc6, 0x59, 0xc9, 0xba, 0xfe, 0x90,\n 0x5f, 0xad, 0x9e, 0xe1, 0x94, 0x4, 0xf5, 0x42, 0xa3, 0x62, 0x4e,\n 0xe2, 0x16, 0x0, 0x17, 0x16, 0x18, 0x4b, 0xd3, 0x4e, 0x16},\n {0x3d, 0x1d, 0x9b, 0x2d, 0xaf, 0x72, 0xdf, 0x72, 0x5a, 0x24, 0x32,\n 0xa4, 0x36, 0x2a, 0x46, 0x63, 0x37, 0x96, 0xb3, 0x16, 0x79, 0xa0,\n 0xce, 0x3e, 0x9, 0x23, 0x30, 0xb9, 0xf6, 0xe, 0x3e, 0x12},\n {0x9a, 0xe6, 0x2f, 0x19, 0x4c, 0xd9, 0x7e, 0x48, 0x13, 0x15, 0x91,\n 0x3a, 0xea, 0x2c, 0xae, 0x61, 0x27, 0xde, 0xa4, 0xb9, 0xd3, 0xf6,\n 0x7b, 0x87, 0xeb, 0xf3, 0x73, 0x10, 0xc6, 0xf, 0xda, 0x78},\n },\n {\n {0x94, 0x3a, 0xc, 0x68, 0xf1, 0x80, 0x9f, 0xa2, 0xe6, 0xe7, 0xe9,\n 0x1a, 0x15, 0x7e, 0xf7, 0x71, 0x73, 0x79, 0x1, 0x48, 0x58, 0xf1,\n 0x0, 0x11, 0xdd, 0x8d, 0xb3, 0x16, 0xb3, 0xa4, 0x4a, 0x5},\n {0x6a, 0xc6, 0x2b, 0xe5, 0x28, 0x5d, 0xf1, 0x5b, 0x8e, 0x1a, 0xf0,\n 0x70, 0x18, 0xe3, 0x47, 0x2c, 0xdd, 0x8b, 0xc2, 0x6, 0xbc, 0xaf,\n 0x19, 0x24, 0x3a, 0x17, 0x6b, 0x25, 0xeb, 0xde, 0x25, 0x2d},\n {0xb8, 0x7c, 0x26, 0x19, 0x8d, 0x46, 0xc8, 0xdf, 0xaf, 0x4d, 0xe5,\n 0x66, 0x9c, 0x78, 0x28, 0xb, 0x17, 0xec, 0x6e, 0x66, 0x2a, 0x1d,\n 0xeb, 0x2a, 0x60, 0xa7, 0x7d, 0xab, 0xa6, 0x10, 0x46, 0x13},\n },\n },\n {\n {\n {0x15, 0xf5, 0xd1, 0x77, 0xe7, 0x65, 0x2a, 0xcd, 0xf1, 0x60, 0xaa,\n 0x8f, 0x87, 0x91, 0x89, 0x54, 0xe5, 0x6, 0xbc, 0xda, 0xbc, 0x3b,\n 0xb7, 0xb1, 0xfb, 0xc9, 0x7c, 0xa9, 0xcb, 0x78, 0x48, 0x65},\n {0xfe, 0xb0, 0xf6, 0x8d, 0xc7, 0x8e, 0x13, 0x51, 0x1b, 0xf5, 0x75,\n 0xe5, 0x89, 0xda, 0x97, 0x53, 0xb9, 0xf1, 0x7a, 0x71, 0x1d, 0x7a,\n 0x20, 0x9, 0x50, 0xd6, 0x20, 0x2b, 0xba, 0xfd, 0x2, 0x21},\n {0xa1, 0xe6, 0x5c, 0x5, 0x5, 0xe4, 0x9e, 0x96, 0x29, 0xad, 0x51,\n 0x12, 0x68, 0xa7, 0xbc, 0x36, 0x15, 0xa4, 0x7d, 0xaa, 0x17, 0xf5,\n 0x1a, 0x3a, 0xba, 0xb2, 0xec, 0x29, 0xdb, 0x25, 0xd7, 0xa},\n },\n {\n {0x85, 0x6f, 0x5, 0x9b, 0xc, 0xbc, 0xc7, 0xfe, 0xd7, 0xff, 0xf5,\n 0xe7, 0x68, 0x52, 0x7d, 0x53, 0xfa, 0xae, 0x12, 0x43, 0x62, 0xc6,\n 0xaf, 0x77, 0xd9, 0x9f, 0x39, 0x2, 0x53, 0x5f, 0x67, 0x4f},\n {0x57, 0x24, 0x4e, 0x83, 0xb1, 0x67, 0x42, 0xdc, 0xc5, 0x1b, 0xce,\n 0x70, 0xb5, 0x44, 0x75, 0xb6, 0xd7, 0x5e, 0xd1, 0xf7, 0xb, 0x7a,\n 0xf0, 0x1a, 0x50, 0x36, 0xa0, 0x71, 0xfb, 0xcf, 0xef, 0x4a},\n {0x1e, 0x17, 0x15, 0x4, 0x36, 0x36, 0x2d, 0xc3, 0x3b, 0x48, 0x98,\n 0x89, 0x11, 0xef, 0x2b, 0xcd, 0x10, 0x51, 0x94, 0xd0, 0xad, 0x6e,\n 0xa, 0x87, 0x61, 0x65, 0xa8, 0xa2, 0x72, 0xbb, 0xcc, 0xb},\n },\n {\n {0x96, 0x12, 0xfe, 0x50, 0x4c, 0x5e, 0x6d, 0x18, 0x7e, 0x9f, 0xe8,\n 0xfe, 0x82, 0x7b, 0x39, 0xe0, 0xb0, 0x31, 0x70, 0x50, 0xc5, 0xf6,\n 0xc7, 0x3b, 0xc2, 0x37, 0x8f, 0x10, 0x69, 0xfd, 0x78, 0x66},\n {0xc8, 0xa9, 0xb1, 0xea, 0x2f, 0x96, 0x5e, 0x18, 0xcd, 0x7d, 0x14,\n 0x65, 0x35, 0xe6, 0xe7, 0x86, 0xf2, 0x6d, 0x5b, 0xbb, 0x31, 0xe0,\n 0x92, 0xb0, 0x3e, 0xb7, 0xd6, 0x59, 0xab, 0xf0, 0x24, 0x40},\n {0xc2, 0x63, 0x68, 0x63, 0x31, 0xfa, 0x86, 0x15, 0xf2, 0x33, 0x2d,\n 0x57, 0x48, 0x8c, 0xf6, 0x7, 0xfc, 0xae, 0x9e, 0x78, 0x9f, 0xcc,\n 0x73, 0x4f, 0x1, 0x47, 0xad, 0x8e, 0x10, 0xe2, 0x42, 0x2d},\n },\n {\n {0x93, 0x75, 0x53, 0xf, 0xd, 0x7b, 0x71, 0x21, 0x4c, 0x6, 0x1e,\n 0x13, 0xb, 0x69, 0x4e, 0x91, 0x9f, 0xe0, 0x2a, 0x75, 0xae, 0x87,\n 0xb6, 0x1b, 0x6e, 0x3c, 0x42, 0x9b, 0xa7, 0xf3, 0xb, 0x42},\n {0x9b, 0xd2, 0xdf, 0x94, 0x15, 0x13, 0xf5, 0x97, 0x6a, 0x4c, 0x3f,\n 0x31, 0x5d, 0x98, 0x55, 0x61, 0x10, 0x50, 0x45, 0x8, 0x7, 0x3f,\n 0xa1, 0xeb, 0x22, 0xd3, 0xd2, 0xb8, 0x8, 0x26, 0x6b, 0x67},\n {0x47, 0x2b, 0x5b, 0x1c, 0x65, 0xba, 0x38, 0x81, 0x80, 0x1b, 0x1b,\n 0x31, 0xec, 0xb6, 0x71, 0x86, 0xb0, 0x35, 0x31, 0xbc, 0xb1, 0xc,\n 0xff, 0x7b, 0xe0, 0xf1, 0xc, 0x9c, 0xfa, 0x2f, 0x5d, 0x74},\n },\n {\n {0x6a, 0x4e, 0xd3, 0x21, 0x57, 0xdf, 0x36, 0x60, 0xd0, 0xb3, 0x7b,\n 0x99, 0x27, 0x88, 0xdb, 0xb1, 0xfa, 0x6a, 0x75, 0xc8, 0xc3, 0x9,\n 0xc2, 0xd3, 0x39, 0xc8, 0x1d, 0x4c, 0xe5, 0x5b, 0xe1, 0x6},\n {0xbd, 0xc8, 0xc9, 0x2b, 0x1e, 0x5a, 0x52, 0xbf, 0x81, 0x9d, 0x47,\n 0x26, 0x8, 0x26, 0x5b, 0xea, 0xdb, 0x55, 0x1, 0xdf, 0xe, 0xc7,\n 0x11, 0xd5, 0xd0, 0xf5, 0xc, 0x96, 0xeb, 0x3c, 0xe2, 0x1a},\n {0x4a, 0x99, 0x32, 0x19, 0x87, 0x5d, 0x72, 0x5b, 0xb0, 0xda, 0xb1,\n 0xce, 0xb5, 0x1c, 0x35, 0x32, 0x5, 0xca, 0xb7, 0xda, 0x49, 0x15,\n 0xc4, 0x7d, 0xf7, 0xc1, 0x8e, 0x27, 0x61, 0xd8, 0xde, 0x58},\n },\n {\n {0xa8, 0xc9, 0xc2, 0xb6, 0xa8, 0x5b, 0xfb, 0x2d, 0x8c, 0x59, 0x2c,\n 0xf5, 0x8e, 0xef, 0xee, 0x48, 0x73, 0x15, 0x2d, 0xf1, 0x7, 0x91,\n 0x80, 0x33, 0xd8, 0x5b, 0x1d, 0x53, 0x6b, 0x69, 0xba, 0x8},\n {0x5c, 0xc5, 0x66, 0xf2, 0x93, 0x37, 0x17, 0xd8, 0x49, 0x4e, 0x45,\n 0xcc, 0xc5, 0x76, 0xc9, 0xc8, 0xa8, 0xc3, 0x26, 0xbc, 0xf8, 0x82,\n 0xe3, 0x5c, 0xf9, 0xf6, 0x85, 0x54, 0xe8, 0x9d, 0xf3, 0x2f},\n {0x7a, 0xc5, 0xef, 0xc3, 0xee, 0x3e, 0xed, 0x77, 0x11, 0x48, 0xff,\n 0xd4, 0x17, 0x55, 0xe0, 0x4, 0xcb, 0x71, 0xa6, 0xf1, 0x3f, 0x7a,\n 0x3d, 0xea, 0x54, 0xfe, 0x7c, 0x94, 0xb4, 0x33, 0x6, 0x12},\n },\n {\n {0xa, 0x10, 0x12, 0x49, 0x47, 0x31, 0xbd, 0x82, 0x6, 0xbe, 0x6f,\n 0x7e, 0x6d, 0x7b, 0x23, 0xde, 0xc6, 0x79, 0xea, 0x11, 0x19, 0x76,\n 0x1e, 0xe1, 0xde, 0x3b, 0x39, 0xcb, 0xe3, 0x3b, 0x43, 0x7},\n {0x42, 0x0, 0x61, 0x91, 0x78, 0x98, 0x94, 0xb, 0xe8, 0xfa, 0xeb,\n 0xec, 0x3c, 0xb1, 0xe7, 0x4e, 0xc0, 0xa4, 0xf0, 0x94, 0x95, 0x73,\n 0xbe, 0x70, 0x85, 0x91, 0xd5, 0xb4, 0x99, 0xa, 0xd3, 0x35},\n {0xf4, 0x97, 0xe9, 0x5c, 0xc0, 0x44, 0x79, 0xff, 0xa3, 0x51, 0x5c,\n 0xb0, 0xe4, 0x3d, 0x5d, 0x57, 0x7c, 0x84, 0x76, 0x5a, 0xfd, 0x81,\n 0x33, 0x58, 0x9f, 0xda, 0xf6, 0x7a, 0xde, 0x3e, 0x87, 0x2d},\n },\n {\n {0x81, 0xf9, 0x5d, 0x4e, 0xe1, 0x2, 0x62, 0xaa, 0xf5, 0xe1, 0x15,\n 0x50, 0x17, 0x59, 0xd, 0xa2, 0x6c, 0x1d, 0xe2, 0xba, 0xd3, 0x75,\n 0xa2, 0x18, 0x53, 0x2, 0x60, 0x1, 0x8a, 0x61, 0x43, 0x5},\n {0x9, 0x34, 0x37, 0x43, 0x64, 0x31, 0x7a, 0x15, 0xd9, 0x81, 0xaa,\n 0xf4, 0xee, 0xb7, 0xb8, 0xfa, 0x6, 0x48, 0xa6, 0xf5, 0xe6, 0xfe,\n 0x93, 0xb0, 0xb6, 0xa7, 0x7f, 0x70, 0x54, 0x36, 0x77, 0x2e},\n {0xc1, 0x23, 0x4c, 0x97, 0xf4, 0xbd, 0xea, 0xd, 0x93, 0x46, 0xce,\n 0x9d, 0x25, 0xa, 0x6f, 0xaa, 0x2c, 0xba, 0x9a, 0xa2, 0xb8, 0x2c,\n 0x20, 0x4, 0xd, 0x96, 0x7, 0x2d, 0x36, 0x43, 0x14, 0x4b},\n },\n },\n {\n {\n {0xcb, 0x9c, 0x52, 0x1c, 0xe9, 0x54, 0x7c, 0x96, 0xfb, 0x35, 0xc6,\n 0x64, 0x92, 0x26, 0xf6, 0x30, 0x65, 0x19, 0x12, 0x78, 0xf4, 0xaf,\n 0x47, 0x27, 0x5c, 0x6f, 0xf6, 0xea, 0x18, 0x84, 0x3, 0x17},\n {0x7a, 0x1f, 0x6e, 0xb6, 0xc7, 0xb7, 0xc4, 0xcc, 0x7e, 0x2f, 0xc,\n 0xf5, 0x25, 0x7e, 0x15, 0x44, 0x1c, 0xaf, 0x3e, 0x71, 0xfc, 0x6d,\n 0xf0, 0x3e, 0xf7, 0x63, 0xda, 0x52, 0x67, 0x44, 0x2f, 0x58},\n {0xe4, 0x4c, 0x32, 0x20, 0xd3, 0x7b, 0x31, 0xc6, 0xc4, 0x8b, 0x48,\n 0xa4, 0xe8, 0x42, 0x10, 0xa8, 0x64, 0x13, 0x5a, 0x4e, 0x8b, 0xf1,\n 0x1e, 0xb2, 0xc9, 0x8d, 0xa2, 0xcd, 0x4b, 0x1c, 0x2a, 0xc},\n },\n {\n {0x45, 0x69, 0xbd, 0x69, 0x48, 0x81, 0xc4, 0xed, 0x22, 0x8d, 0x1c,\n 0xbe, 0x7d, 0x90, 0x6d, 0xd, 0xab, 0xc5, 0x5c, 0xd5, 0x12, 0xd2,\n 0x3b, 0xc6, 0x83, 0xdc, 0x14, 0xa3, 0x30, 0x9b, 0x6a, 0x5a},\n {0x47, 0x4, 0x1f, 0x6f, 0xd0, 0xc7, 0x4d, 0xd2, 0x59, 0xc0, 0x87,\n 0xdb, 0x3e, 0x9e, 0x26, 0xb2, 0x8f, 0xd2, 0xb2, 0xfb, 0x72, 0x2,\n 0x5b, 0xd1, 0x77, 0x48, 0xf6, 0xc6, 0xd1, 0x8b, 0x55, 0x7c},\n {0x3d, 0x46, 0x96, 0xd3, 0x24, 0x15, 0xec, 0xd0, 0xf0, 0x24, 0x5a,\n 0xc3, 0x8a, 0x62, 0xbb, 0x12, 0xa4, 0x5f, 0xbc, 0x1c, 0x79, 0x3a,\n 0xc, 0xa5, 0xc3, 0xaf, 0xfb, 0xa, 0xca, 0xa5, 0x4, 0x4},\n },\n {\n {0xd1, 0x6f, 0x41, 0x2a, 0x1b, 0x9e, 0xbc, 0x62, 0x8b, 0x59, 0x50,\n 0xe3, 0x28, 0xf7, 0xc6, 0xb5, 0x67, 0x69, 0x5d, 0x3d, 0xd8, 0x3f,\n 0x34, 0x4, 0x98, 0xee, 0xf8, 0xe7, 0x16, 0x75, 0x52, 0x39},\n {0xd6, 0x43, 0xa7, 0xa, 0x7, 0x40, 0x1f, 0x8c, 0xe8, 0x5e, 0x26,\n 0x5b, 0xcb, 0xd0, 0xba, 0xcc, 0xde, 0xd2, 0x8f, 0x66, 0x6b, 0x4,\n 0x4b, 0x57, 0x33, 0x96, 0xdd, 0xca, 0xfd, 0x5b, 0x39, 0x46},\n {0x9c, 0x9a, 0x5d, 0x1a, 0x2d, 0xdb, 0x7f, 0x11, 0x2a, 0x5c, 0x0,\n 0xd1, 0xbc, 0x45, 0x77, 0x9c, 0xea, 0x6f, 0xd5, 0x54, 0xf1, 0xbe,\n 0xd4, 0xef, 0x16, 0xd0, 0x22, 0xe8, 0x29, 0x9a, 0x57, 0x76},\n },\n {\n {0xf2, 0x34, 0xb4, 0x52, 0x13, 0xb5, 0x3c, 0x33, 0xe1, 0x80, 0xde,\n 0x93, 0x49, 0x28, 0x32, 0xd8, 0xce, 0x35, 0xd, 0x75, 0x87, 0x28,\n 0x51, 0xb5, 0xc1, 0x77, 0x27, 0x2a, 0xbb, 0x14, 0xc5, 0x2},\n {0x17, 0x2a, 0xc0, 0x49, 0x7e, 0x8e, 0xb6, 0x45, 0x7f, 0xa3, 0xa9,\n 0xbc, 0xa2, 0x51, 0xcd, 0x23, 0x1b, 0x4c, 0x22, 0xec, 0x11, 0x5f,\n 0xd6, 0x3e, 0xb1, 0xbd, 0x5, 0x9e, 0xdc, 0x84, 0xa3, 0x43},\n {0x45, 0xb6, 0xf1, 0x8b, 0xda, 0xd5, 0x4b, 0x68, 0x53, 0x4b, 0xb5,\n 0xf6, 0x7e, 0xd3, 0x8b, 0xfb, 0x53, 0xd2, 0xb0, 0xa9, 0xd7, 0x16,\n 0x39, 0x31, 0x59, 0x80, 0x54, 0x61, 0x9, 0x92, 0x60, 0x11},\n },\n {\n {0xcd, 0x4d, 0x9b, 0x36, 0x16, 0x56, 0x38, 0x7a, 0x63, 0x35, 0x5c,\n 0x65, 0xa7, 0x2c, 0xc0, 0x75, 0x21, 0x80, 0xf1, 0xd4, 0xf9, 0x1b,\n 0xc2, 0x7d, 0x42, 0xe0, 0xe6, 0x91, 0x74, 0x7d, 0x63, 0x2f},\n {0xaa, 0xcf, 0xda, 0x29, 0x69, 0x16, 0x4d, 0xb4, 0x8f, 0x59, 0x13,\n 0x84, 0x4c, 0x9f, 0x52, 0xda, 0x59, 0x55, 0x3d, 0x45, 0xca, 0x63,\n 0xef, 0xe9, 0xb, 0x8e, 0x69, 0xc5, 0x5b, 0x12, 0x1e, 0x35},\n {0xbe, 0x7b, 0xf6, 0x1a, 0x46, 0x9b, 0xb4, 0xd4, 0x61, 0x89, 0xab,\n 0xc8, 0x7a, 0x3, 0x3, 0xd6, 0xfb, 0x99, 0xa6, 0xf9, 0x9f, 0xe1,\n 0xde, 0x71, 0x9a, 0x2a, 0xce, 0xe7, 0x6, 0x2d, 0x18, 0x7f},\n },\n {\n {0x22, 0x75, 0x21, 0x8e, 0x72, 0x4b, 0x45, 0x9, 0xd8, 0xb8, 0x84,\n 0xd4, 0xf4, 0xe8, 0x58, 0xaa, 0x3c, 0x90, 0x46, 0x7f, 0x4d, 0x25,\n 0x58, 0xd3, 0x17, 0x52, 0x1c, 0x24, 0x43, 0xc0, 0xac, 0x44},\n {0xec, 0x68, 0x1, 0xab, 0x64, 0x8e, 0x7c, 0x7a, 0x43, 0xc5, 0xed,\n 0x15, 0x55, 0x4a, 0x5a, 0xcb, 0xda, 0xe, 0xcd, 0x47, 0xd3, 0x19,\n 0x55, 0x9, 0xb0, 0x93, 0x3e, 0x34, 0x8c, 0xac, 0xd4, 0x67},\n {0x77, 0x57, 0x7a, 0x4f, 0xbb, 0x6b, 0x7d, 0x1c, 0xe1, 0x13, 0x83,\n 0x91, 0xd4, 0xfe, 0x35, 0x8b, 0x84, 0x46, 0x6b, 0xc9, 0xc6, 0xa1,\n 0xdc, 0x4a, 0xbd, 0x71, 0xad, 0x12, 0x83, 0x1c, 0x6d, 0x55},\n },\n {\n {0x21, 0xe8, 0x1b, 0xb1, 0x56, 0x67, 0xf0, 0x81, 0xdd, 0xf3, 0xa3,\n 0x10, 0x23, 0xf8, 0xaf, 0xf, 0x5d, 0x46, 0x99, 0x6a, 0x55, 0xd0,\n 0xb2, 0xf8, 0x5, 0x7f, 0x8c, 0xcc, 0x38, 0xbe, 0x7a, 0x9},\n {0x82, 0x39, 0x8d, 0xc, 0xe3, 0x40, 0xef, 0x17, 0x34, 0xfa, 0xa3,\n 0x15, 0x3e, 0x7, 0xf7, 0x31, 0x6e, 0x64, 0x73, 0x7, 0xcb, 0xf3,\n 0x21, 0x4f, 0xff, 0x4e, 0x82, 0x1d, 0x6d, 0x6c, 0x6c, 0x74},\n {0xa4, 0x2d, 0xa5, 0x7e, 0x87, 0xc9, 0x49, 0xc, 0x43, 0x1d, 0xdc,\n 0x9b, 0x55, 0x69, 0x43, 0x4c, 0xd2, 0xeb, 0xcc, 0xf7, 0x9, 0x38,\n 0x2c, 0x2, 0xbd, 0x84, 0xee, 0x4b, 0xa3, 0x14, 0x7e, 0x57},\n },\n {\n {0x2b, 0xd7, 0x4d, 0xbd, 0xbe, 0xce, 0xfe, 0x94, 0x11, 0x22, 0xf,\n 0x6, 0xda, 0x4f, 0x6a, 0xf4, 0xff, 0xd1, 0xc8, 0xc0, 0x77, 0x59,\n 0x4a, 0x12, 0x95, 0x92, 0x0, 0xfb, 0xb8, 0x4, 0x53, 0x70},\n {0xa, 0x3b, 0xa7, 0x61, 0xac, 0x68, 0xe2, 0xf0, 0xf5, 0xa5, 0x91,\n 0x37, 0x10, 0xfa, 0xfa, 0xf2, 0xe9, 0x0, 0x6d, 0x6b, 0x82, 0x3e,\n 0xe1, 0xc1, 0x42, 0x8f, 0xd7, 0x6f, 0xe9, 0x7e, 0xfa, 0x60},\n {0xc6, 0x6e, 0x29, 0x4d, 0x35, 0x1d, 0x3d, 0xb6, 0xd8, 0x31, 0xad,\n 0x5f, 0x3e, 0x5, 0xc3, 0xf3, 0xec, 0x42, 0xbd, 0xb4, 0x8c, 0x95,\n 0xb, 0x67, 0xfd, 0x53, 0x63, 0xa1, 0xc, 0x8e, 0x39, 0x21},\n },\n },\n {\n {\n {0x1, 0x56, 0xb7, 0xb4, 0xf9, 0xaa, 0x98, 0x27, 0x72, 0xad, 0x8d,\n 0x5c, 0x13, 0x72, 0xac, 0x5e, 0x23, 0xa0, 0xb7, 0x61, 0x61, 0xaa,\n 0xce, 0xd2, 0x4e, 0x7d, 0x8f, 0xe9, 0x84, 0xb2, 0xbf, 0x1b},\n {0xf3, 0x33, 0x2b, 0x38, 0x8a, 0x5, 0xf5, 0x89, 0xb4, 0xc0, 0x48,\n 0xad, 0xb, 0xba, 0xe2, 0x5a, 0x6e, 0xb3, 0x3d, 0xa5, 0x3, 0xb5,\n 0x93, 0x8f, 0xe6, 0x32, 0xa2, 0x95, 0x9d, 0xed, 0xa3, 0x5a},\n {0x61, 0x65, 0xd9, 0xc7, 0xe9, 0x77, 0x67, 0x65, 0x36, 0x80, 0xc7,\n 0x72, 0x54, 0x12, 0x2b, 0xcb, 0xee, 0x6e, 0x50, 0xd9, 0x99, 0x32,\n 0x5, 0x65, 0xcc, 0x57, 0x89, 0x5e, 0x4e, 0xe1, 0x7, 0x4a},\n },\n {\n {0x9b, 0xa4, 0x77, 0xc4, 0xcd, 0x58, 0xb, 0x24, 0x17, 0xf0, 0x47,\n 0x64, 0xde, 0xda, 0x38, 0xfd, 0xad, 0x6a, 0xc8, 0xa7, 0x32, 0x8d,\n 0x92, 0x19, 0x81, 0xa0, 0xaf, 0x84, 0xed, 0x7a, 0xaf, 0x50},\n {0x99, 0xf9, 0xd, 0x98, 0xcb, 0x12, 0xe4, 0x4e, 0x71, 0xc7, 0x6e,\n 0x3c, 0x6f, 0xd7, 0x15, 0xa3, 0xfd, 0x77, 0x5c, 0x92, 0xde, 0xed,\n 0xa5, 0xbb, 0x2, 0x34, 0x31, 0x1d, 0x39, 0xac, 0xb, 0x3f},\n {0xe5, 0x5b, 0xf6, 0x15, 0x1, 0xde, 0x4f, 0x6e, 0xb2, 0x9, 0x61,\n 0x21, 0x21, 0x26, 0x98, 0x29, 0xd9, 0xd6, 0xad, 0xb, 0x81, 0x5,\n 0x2, 0x78, 0x6, 0xd0, 0xeb, 0xba, 0x16, 0xa3, 0x21, 0x19},\n },\n {\n {0x8b, 0xc1, 0xf3, 0xd9, 0x9a, 0xad, 0x5a, 0xd7, 0x9c, 0xc1, 0xb1,\n 0x60, 0xef, 0xe, 0x6a, 0x56, 0xd9, 0xe, 0x5c, 0x25, 0xac, 0xb,\n 0x9a, 0x3e, 0xf5, 0xc7, 0x62, 0xa0, 0xec, 0x9d, 0x4, 0x7b},\n {0xfc, 0x70, 0xb8, 0xdf, 0x7e, 0x2f, 0x42, 0x89, 0xbd, 0xb3, 0x76,\n 0x4f, 0xeb, 0x6b, 0x29, 0x2c, 0xf7, 0x4d, 0xc2, 0x36, 0xd4, 0xf1,\n 0x38, 0x7, 0xb0, 0xae, 0x73, 0xe2, 0x41, 0xdf, 0x58, 0x64},\n {0x83, 0x44, 0x44, 0x35, 0x7a, 0xe3, 0xcb, 0xdc, 0x93, 0xbe, 0xed,\n 0xf, 0x33, 0x79, 0x88, 0x75, 0x87, 0xdd, 0xc5, 0x12, 0xc3, 0x4,\n 0x60, 0x78, 0x64, 0xe, 0x95, 0xc2, 0xcb, 0xdc, 0x93, 0x60},\n },\n {\n {0x4b, 0x3, 0x84, 0x60, 0xbe, 0xee, 0xde, 0x6b, 0x54, 0xb8, 0xf,\n 0x78, 0xb6, 0xc2, 0x99, 0x31, 0x95, 0x6, 0x2d, 0xb6, 0xab, 0x76,\n 0x33, 0x97, 0x90, 0x7d, 0x64, 0x8b, 0xc9, 0x80, 0x31, 0x6e},\n {0x6d, 0x70, 0xe0, 0x85, 0x85, 0x9a, 0xf3, 0x1f, 0x33, 0x39, 0xe7,\n 0xb3, 0xd8, 0xa5, 0xd0, 0x36, 0x3b, 0x45, 0x8f, 0x71, 0xe1, 0xf2,\n 0xb9, 0x43, 0x7c, 0xa9, 0x27, 0x48, 0x8, 0xea, 0xd1, 0x57},\n {0x71, 0xb0, 0x28, 0xa1, 0xe7, 0xb6, 0x7a, 0xee, 0xaa, 0x8b, 0xa8,\n 0x93, 0x6d, 0x59, 0xc1, 0xa4, 0x30, 0x61, 0x21, 0xb2, 0x82, 0xde,\n 0xb4, 0xf7, 0x18, 0xbd, 0x97, 0xdd, 0x9d, 0x99, 0x3e, 0x36},\n },\n {\n {0xc6, 0xae, 0x4b, 0xe2, 0xdc, 0x48, 0x18, 0x2f, 0x60, 0xaf, 0xbc,\n 0xba, 0x55, 0x72, 0x9b, 0x76, 0x31, 0xe9, 0xef, 0x3c, 0x6e, 0x3c,\n 0xcb, 0x90, 0x55, 0xb3, 0xf9, 0xc6, 0x9b, 0x97, 0x1f, 0x23},\n {0xc4, 0x1f, 0xee, 0x35, 0xc1, 0x43, 0xa8, 0x96, 0xcf, 0xc8, 0xe4,\n 0x8, 0x55, 0xb3, 0x6e, 0x97, 0x30, 0xd3, 0x8c, 0xb5, 0x1, 0x68,\n 0x2f, 0xb4, 0x2b, 0x5, 0x3a, 0x69, 0x78, 0x9b, 0xee, 0x48},\n {0xc6, 0xf3, 0x2a, 0xcc, 0x4b, 0xde, 0x31, 0x5c, 0x1f, 0x8d, 0x20,\n 0xfe, 0x30, 0xb0, 0x4b, 0xb0, 0x66, 0xb4, 0x4f, 0xc1, 0x9, 0x70,\n 0x8d, 0xb7, 0x13, 0x24, 0x79, 0x8, 0x9b, 0xfa, 0x9b, 0x7},\n },\n {\n {0x45, 0x42, 0xd5, 0xa2, 0x80, 0xed, 0xc9, 0xf3, 0x52, 0x39, 0xf6,\n 0x77, 0x78, 0x8b, 0xa0, 0xa, 0x75, 0x54, 0x8, 0xd1, 0x63, 0xac,\n 0x6d, 0xd7, 0x6b, 0x63, 0x70, 0x94, 0x15, 0xfb, 0xf4, 0x1e},\n {0xf4, 0xd, 0x30, 0xda, 0x51, 0x3a, 0x90, 0xe3, 0xb0, 0x5a, 0xa9,\n 0x3d, 0x23, 0x64, 0x39, 0x84, 0x80, 0x64, 0x35, 0xb, 0x2d, 0xf1,\n 0x3c, 0xed, 0x94, 0x71, 0x81, 0x84, 0xf6, 0x77, 0x8c, 0x3},\n {0xec, 0x7b, 0x16, 0x5b, 0xe6, 0x5e, 0x4e, 0x85, 0xc2, 0xcd, 0xd0,\n 0x96, 0x42, 0xa, 0x59, 0x59, 0x99, 0x21, 0x10, 0x98, 0x34, 0xdf,\n 0xb2, 0x72, 0x56, 0xff, 0xb, 0x4a, 0x2a, 0xe9, 0x5e, 0x57},\n },\n {\n {0x1, 0xd8, 0xa4, 0xa, 0x45, 0xbc, 0x46, 0x5d, 0xd8, 0xb9, 0x33,\n 0xa5, 0x27, 0x12, 0xaf, 0xc3, 0xc2, 0x6, 0x89, 0x2b, 0x26, 0x3b,\n 0x9e, 0x38, 0x1b, 0x58, 0x2f, 0x38, 0x7e, 0x1e, 0xa, 0x20},\n {0xcf, 0x2f, 0x18, 0x8a, 0x90, 0x80, 0xc0, 0xd4, 0xbd, 0x9d, 0x48,\n 0x99, 0xc2, 0x70, 0xe1, 0x30, 0xde, 0x33, 0xf7, 0x52, 0x57, 0xbd,\n 0xba, 0x5, 0x0, 0xfd, 0xd3, 0x2c, 0x11, 0xe7, 0xd4, 0x43},\n {0xc5, 0x3a, 0xf9, 0xea, 0x67, 0xb9, 0x8d, 0x51, 0xc0, 0x52, 0x66,\n 0x5, 0x9b, 0x98, 0xbc, 0x71, 0xf5, 0x97, 0x71, 0x56, 0xd9, 0x85,\n 0x2b, 0xfe, 0x38, 0x4e, 0x1e, 0x65, 0x52, 0xca, 0xe, 0x5},\n },\n {\n {0xea, 0x68, 0xe6, 0x60, 0x76, 0x39, 0xac, 0x97, 0x97, 0xb4, 0x3a,\n 0x15, 0xfe, 0xbb, 0x19, 0x9b, 0x9f, 0xa7, 0xec, 0x34, 0xb5, 0x79,\n 0xb1, 0x4c, 0x57, 0xae, 0x31, 0xa1, 0x9f, 0xc0, 0x51, 0x61},\n {0x9c, 0xc, 0x3f, 0x45, 0xde, 0x1a, 0x43, 0xc3, 0x9b, 0x3b, 0x70,\n 0xff, 0x5e, 0x4, 0xf5, 0xe9, 0x3d, 0x7b, 0x84, 0xed, 0xc9, 0x7a,\n 0xd9, 0xfc, 0xc6, 0xf4, 0x58, 0x1c, 0xc2, 0xe6, 0xe, 0x4b},\n {0x96, 0x5d, 0xf0, 0xfd, 0xd, 0x5c, 0xf5, 0x3a, 0x7a, 0xee, 0xb4,\n 0x2a, 0xe0, 0x2e, 0x26, 0xdd, 0x9, 0x17, 0x17, 0x12, 0x87, 0xbb,\n 0xb2, 0x11, 0xb, 0x3, 0xf, 0x80, 0xfa, 0x24, 0xef, 0x1f},\n },\n },\n {\n {\n {0x86, 0x6b, 0x97, 0x30, 0xf5, 0xaf, 0xd2, 0x22, 0x4, 0x46, 0xd2,\n 0xc2, 0x6, 0xb8, 0x90, 0x8d, 0xe5, 0xba, 0xe5, 0x4d, 0x6c, 0x89,\n 0xa1, 0xdc, 0x17, 0xc, 0x34, 0xc8, 0xe6, 0x5f, 0x0, 0x28},\n {0x96, 0x31, 0xa7, 0x1a, 0xfb, 0x53, 0xd6, 0x37, 0x18, 0x64, 0xd7,\n 0x3f, 0x30, 0x95, 0x94, 0xf, 0xb2, 0x17, 0x3a, 0xfb, 0x9, 0xb,\n 0x20, 0xad, 0x3e, 0x61, 0xc8, 0x2f, 0x29, 0x49, 0x4d, 0x54},\n {0x88, 0x86, 0x52, 0x34, 0x9f, 0xba, 0xef, 0x6a, 0xa1, 0x7d, 0x10,\n 0x25, 0x94, 0xff, 0x1b, 0x5c, 0x36, 0x4b, 0xd9, 0x66, 0xcd, 0xbb,\n 0x5b, 0xf7, 0xfa, 0x6d, 0x31, 0xf, 0x93, 0x72, 0xe4, 0x72},\n },\n {\n {0x27, 0x76, 0x2a, 0xd3, 0x35, 0xf6, 0xf3, 0x7, 0xf0, 0x66, 0x65,\n 0x5f, 0x86, 0x4d, 0xaa, 0x7a, 0x50, 0x44, 0xd0, 0x28, 0x97, 0xe7,\n 0x85, 0x3c, 0x38, 0x64, 0xe0, 0xf, 0x0, 0x7f, 0xee, 0x1f},\n {0x4f, 0x8, 0x81, 0x97, 0x8c, 0x20, 0x95, 0x26, 0xe1, 0xe, 0x45,\n 0x23, 0xb, 0x2a, 0x50, 0xb1, 0x2, 0xde, 0xef, 0x3, 0xa6, 0xae,\n 0x9d, 0xfd, 0x4c, 0xa3, 0x33, 0x27, 0x8c, 0x2e, 0x9d, 0x5a},\n {0xe5, 0xf7, 0xdb, 0x3, 0xda, 0x5, 0x53, 0x76, 0xbd, 0xcd, 0x34,\n 0x14, 0x49, 0xf2, 0xda, 0xa4, 0xec, 0x88, 0x4a, 0xd2, 0xcd, 0xd5,\n 0x4a, 0x7b, 0x43, 0x5, 0x4, 0xee, 0x51, 0x40, 0xf9, 0x0},\n },\n {\n {0x53, 0x97, 0xaf, 0x7, 0xbb, 0x93, 0xef, 0xd7, 0xa7, 0x66, 0xb7,\n 0x3d, 0xcf, 0xd0, 0x3e, 0x58, 0xc5, 0x1e, 0xb, 0x6e, 0xbf, 0x98,\n 0x69, 0xce, 0x52, 0x4, 0xd4, 0x5d, 0xd2, 0xff, 0xb7, 0x47},\n {0xb2, 0x30, 0xd3, 0xc3, 0x23, 0x6b, 0x35, 0x8d, 0x6, 0x1b, 0x47,\n 0xb0, 0x9b, 0x8b, 0x1c, 0xf2, 0x3c, 0xb8, 0x42, 0x6e, 0x6c, 0x31,\n 0x6c, 0xb3, 0xd, 0xb1, 0xea, 0x8b, 0x7e, 0x9c, 0xd7, 0x7},\n {0x12, 0xdd, 0x8, 0xbc, 0x9c, 0xfb, 0xfb, 0x87, 0x9b, 0xc2, 0xee,\n 0xe1, 0x3a, 0x6b, 0x6, 0x8a, 0xbf, 0xc1, 0x1f, 0xdb, 0x2b, 0x24,\n 0x57, 0xd, 0xb6, 0x4b, 0xa6, 0x5e, 0xa3, 0x20, 0x35, 0x1c},\n },\n {\n {0x59, 0xc0, 0x6b, 0x21, 0x40, 0x6f, 0xa8, 0xcd, 0x7e, 0xd8, 0xbc,\n 0x12, 0x1d, 0x23, 0xbb, 0x1f, 0x90, 0x9, 0xc7, 0x17, 0x9e, 0x6a,\n 0x95, 0xb4, 0x55, 0x2e, 0xd1, 0x66, 0x3b, 0xc, 0x75, 0x38},\n {0x4a, 0xa3, 0xcb, 0xbc, 0xa6, 0x53, 0xd2, 0x80, 0x9b, 0x21, 0x38,\n 0x38, 0xa1, 0xc3, 0x61, 0x3e, 0x96, 0xe3, 0x82, 0x98, 0x1, 0xb6,\n 0xc3, 0x90, 0x6f, 0xe6, 0xe, 0x5d, 0x77, 0x5, 0x3d, 0x1c},\n {0x1a, 0xe5, 0x22, 0x94, 0x40, 0xf1, 0x2e, 0x69, 0x71, 0xf6, 0x5d,\n 0x2b, 0x3c, 0xc7, 0xc0, 0xcb, 0x29, 0xe0, 0x4c, 0x74, 0xe7, 0x4f,\n 0x1, 0x21, 0x7c, 0x48, 0x30, 0xd3, 0xc7, 0xe2, 0x21, 0x6},\n },\n {\n {0xf3, 0xf0, 0xdb, 0xb0, 0x96, 0x17, 0xae, 0xb7, 0x96, 0xe1, 0x7c,\n 0xe1, 0xb9, 0xaf, 0xdf, 0x54, 0xb4, 0xa3, 0xaa, 0xe9, 0x71, 0x30,\n 0x92, 0x25, 0x9d, 0x2e, 0x0, 0xa1, 0x9c, 0x58, 0x8e, 0x5d},\n {0x8d, 0x83, 0x59, 0x82, 0xcc, 0x60, 0x98, 0xaf, 0xdc, 0x9a, 0x9f,\n 0xc6, 0xc1, 0x48, 0xea, 0x90, 0x30, 0x1e, 0x58, 0x65, 0x37, 0x48,\n 0x26, 0x65, 0xbc, 0xa5, 0xd3, 0x7b, 0x9, 0xd6, 0x7, 0x0},\n {0x4b, 0xa9, 0x42, 0x8, 0x95, 0x1d, 0xbf, 0xc0, 0x3e, 0x2e, 0x8f,\n 0x58, 0x63, 0xc3, 0xd3, 0xb2, 0xef, 0xe2, 0x51, 0xbb, 0x38, 0x14,\n 0x96, 0xa, 0x86, 0xbf, 0x1c, 0x3c, 0x78, 0xd7, 0x83, 0x15},\n },\n {\n {0xc7, 0x28, 0x9d, 0xcc, 0x4, 0x47, 0x3, 0x90, 0x8f, 0xc5, 0x2c,\n 0xf7, 0x9e, 0x67, 0x1b, 0x1d, 0x26, 0x87, 0x5b, 0xbe, 0x5f, 0x2b,\n 0xe1, 0x16, 0xa, 0x58, 0xc5, 0x83, 0x4e, 0x6, 0x58, 0x49},\n {0xe1, 0x7a, 0xa2, 0x5d, 0xef, 0xa2, 0xee, 0xec, 0x74, 0x1, 0x67,\n 0x55, 0x14, 0x3a, 0x7c, 0x59, 0x7a, 0x16, 0x9, 0x66, 0x12, 0x2a,\n 0xa6, 0xc9, 0x70, 0x8f, 0xed, 0x81, 0x2e, 0x5f, 0x2a, 0x25},\n {0xd, 0xe8, 0x66, 0x50, 0x26, 0x94, 0x28, 0xd, 0x6b, 0x8c, 0x7c,\n 0x30, 0x85, 0xf7, 0xc3, 0xfc, 0xfd, 0x12, 0x11, 0xc, 0x78, 0xda,\n 0x53, 0x1b, 0x88, 0xb3, 0x43, 0xd8, 0xb, 0x17, 0x9c, 0x7},\n },\n {\n {0x56, 0xd0, 0xd5, 0xc0, 0x50, 0xcd, 0xd6, 0xcd, 0x3b, 0x57, 0x3,\n 0xbb, 0x6d, 0x68, 0xf7, 0x9a, 0x48, 0xef, 0xc3, 0xf3, 0x3f, 0x72,\n 0xa6, 0x3c, 0xcc, 0x8a, 0x7b, 0x31, 0xd7, 0xc0, 0x68, 0x67},\n {0xff, 0x6f, 0xfa, 0x64, 0xe4, 0xec, 0x6, 0x5, 0x23, 0xe5, 0x5,\n 0x62, 0x1e, 0x43, 0xe3, 0xbe, 0x42, 0xea, 0xb8, 0x51, 0x24, 0x42,\n 0x79, 0x35, 0x0, 0xfb, 0xc9, 0x4a, 0xe3, 0x5, 0xec, 0x6d},\n {0xb3, 0xc1, 0x55, 0xf1, 0xe5, 0x25, 0xb6, 0x94, 0x91, 0x7b, 0x7b,\n 0x99, 0xa7, 0xf3, 0x7b, 0x41, 0x0, 0x26, 0x6b, 0x6d, 0xdc, 0xbd,\n 0x2c, 0xc2, 0xf4, 0x52, 0xcd, 0xdd, 0x14, 0x5e, 0x44, 0x51},\n },\n {\n {0x55, 0xa4, 0xbe, 0x2b, 0xab, 0x47, 0x31, 0x89, 0x29, 0x91, 0x7,\n 0x92, 0x4f, 0xa2, 0x53, 0x8c, 0xa7, 0xf7, 0x30, 0xbe, 0x48, 0xf9,\n 0x49, 0x4b, 0x3d, 0xd4, 0x4f, 0x6e, 0x8, 0x90, 0xe9, 0x12},\n {0x51, 0x49, 0x14, 0x3b, 0x4b, 0x2b, 0x50, 0x57, 0xb3, 0xbc, 0x4b,\n 0x44, 0x6b, 0xff, 0x67, 0x8e, 0xdb, 0x85, 0x63, 0x16, 0x27, 0x69,\n 0xbd, 0xb8, 0xc8, 0x95, 0x92, 0xe3, 0x31, 0x6f, 0x18, 0x13},\n {0x2e, 0xbb, 0xdf, 0x7f, 0xb3, 0x96, 0xc, 0xf1, 0xf9, 0xea, 0x1c,\n 0x12, 0x5e, 0x93, 0x9a, 0x9f, 0x3f, 0x98, 0x5b, 0x3a, 0xc4, 0x36,\n 0x11, 0xdf, 0xaf, 0x99, 0x3e, 0x5d, 0xf0, 0xe3, 0xb2, 0x77},\n },\n },\n {\n {\n {0xa4, 0xb0, 0xdd, 0x12, 0x9c, 0x63, 0x98, 0xd5, 0x6b, 0x86, 0x24,\n 0xc0, 0x30, 0x9f, 0xd1, 0xa5, 0x60, 0xe4, 0xfc, 0x58, 0x3, 0x2f,\n 0x7c, 0xd1, 0x8a, 0x5e, 0x9, 0x2e, 0x15, 0x95, 0xa1, 0x7},\n {0xde, 0xc4, 0x2e, 0x9c, 0xc5, 0xa9, 0x6f, 0x29, 0xcb, 0xf3, 0x84,\n 0x4f, 0xbf, 0x61, 0x8b, 0xbc, 0x8, 0xf9, 0xa8, 0x17, 0xd9, 0x6,\n 0x77, 0x1c, 0x5d, 0x25, 0xd3, 0x7a, 0xfc, 0x95, 0xb7, 0x63},\n {0xc8, 0x5f, 0x9e, 0x38, 0x2, 0x8f, 0x36, 0xa8, 0x3b, 0xe4, 0x8d,\n 0xcf, 0x2, 0x3b, 0x43, 0x90, 0x43, 0x26, 0x41, 0xc5, 0x5d, 0xfd,\n 0xa1, 0xaf, 0x37, 0x1, 0x2f, 0x3, 0x3d, 0xe8, 0x8f, 0x3e},\n },\n {\n {0x3c, 0xd1, 0xef, 0xe8, 0x8d, 0x4c, 0x70, 0x8, 0x31, 0x37, 0xe0,\n 0x33, 0x8e, 0x1a, 0xc5, 0xdf, 0xe3, 0xcd, 0x60, 0x12, 0xa5, 0x5d,\n 0x9d, 0xa5, 0x86, 0x8c, 0x25, 0xa6, 0x99, 0x8, 0xd6, 0x22},\n {0x94, 0xa2, 0x70, 0x5, 0xb9, 0x15, 0x8b, 0x2f, 0x49, 0x45, 0x8,\n 0x67, 0x70, 0x42, 0xf2, 0x94, 0x84, 0xfd, 0xbb, 0x61, 0xe1, 0x5a,\n 0x1c, 0xde, 0x7, 0x40, 0xac, 0x7f, 0x79, 0x3b, 0xba, 0x75},\n {0x96, 0xd1, 0xcd, 0x70, 0xc0, 0xdb, 0x39, 0x62, 0x9a, 0x8a, 0x7d,\n 0x6c, 0x8b, 0x8a, 0xfe, 0x60, 0x60, 0x12, 0x40, 0xeb, 0xbc, 0x47,\n 0x88, 0xb3, 0x5e, 0x9e, 0x77, 0x87, 0x7b, 0xd0, 0x4, 0x9},\n },\n {\n {0xb9, 0x40, 0xf9, 0x48, 0x66, 0x2d, 0x32, 0xf4, 0x39, 0xc, 0x2d,\n 0xbd, 0xc, 0x2f, 0x95, 0x6, 0x31, 0xf9, 0x81, 0xa0, 0xad, 0x97,\n 0x76, 0x16, 0x6c, 0x2a, 0xf7, 0xba, 0xce, 0xaa, 0x40, 0x62},\n {0x9c, 0x91, 0xba, 0xdd, 0xd4, 0x1f, 0xce, 0xb4, 0xaa, 0x8d, 0x4c,\n 0xc7, 0x3e, 0xdb, 0x31, 0xcf, 0x51, 0xcc, 0x86, 0xad, 0x63, 0xcc,\n 0x63, 0x2c, 0x7, 0xde, 0x1d, 0xbc, 0x3f, 0x14, 0xe2, 0x43},\n {0xa0, 0x95, 0xa2, 0x5b, 0x9c, 0x74, 0x34, 0xf8, 0x5a, 0xd2, 0x37,\n 0xca, 0x5b, 0x7c, 0x94, 0xd6, 0x6a, 0x31, 0xc9, 0xe7, 0xa7, 0x3b,\n 0xf1, 0x66, 0xac, 0xc, 0xb4, 0x8d, 0x23, 0xaf, 0xbd, 0x56},\n },\n {\n {0xb2, 0x3b, 0x9d, 0xc1, 0x6c, 0xd3, 0x10, 0x13, 0xb9, 0x86, 0x23,\n 0x62, 0xb7, 0x6b, 0x2a, 0x6, 0x5c, 0x4f, 0xa1, 0xd7, 0x91, 0x85,\n 0x9b, 0x7c, 0x54, 0x57, 0x1e, 0x7e, 0x50, 0x31, 0xaa, 0x3},\n {0xeb, 0x33, 0x35, 0xf5, 0xe3, 0xb9, 0x2a, 0x36, 0x40, 0x3d, 0xb9,\n 0x6e, 0xd5, 0x68, 0x85, 0x33, 0x72, 0x55, 0x5a, 0x1d, 0x52, 0x14,\n 0xe, 0x9e, 0x18, 0x13, 0x74, 0x83, 0x6d, 0xa8, 0x24, 0x1d},\n {0x1f, 0xce, 0xd4, 0xff, 0x48, 0x76, 0xec, 0xf4, 0x1c, 0x8c, 0xac,\n 0x54, 0xf0, 0xea, 0x45, 0xe0, 0x7c, 0x35, 0x9, 0x1d, 0x82, 0x25,\n 0xd2, 0x88, 0x59, 0x48, 0xeb, 0x9a, 0xdc, 0x61, 0xb2, 0x43},\n },\n {\n {0x64, 0x13, 0x95, 0x6c, 0x8b, 0x3d, 0x51, 0x19, 0x7b, 0xf4, 0xb,\n 0x0, 0x26, 0x71, 0xfe, 0x94, 0x67, 0x95, 0x4f, 0xd5, 0xdd, 0x10,\n 0x8d, 0x2, 0x64, 0x9, 0x94, 0x42, 0xe2, 0xd5, 0xb4, 0x2},\n {0xbb, 0x79, 0xbb, 0x88, 0x19, 0x1e, 0x5b, 0xe5, 0x9d, 0x35, 0x7a,\n 0xc1, 0x7d, 0xd0, 0x9e, 0xa0, 0x33, 0xea, 0x3d, 0x60, 0xe2, 0x2e,\n 0x2c, 0xb0, 0xc2, 0x6b, 0x27, 0x5b, 0xcf, 0x55, 0x60, 0x32},\n {0xf2, 0x8d, 0xd1, 0x28, 0xcb, 0x55, 0xa1, 0xb4, 0x8, 0xe5, 0x6c,\n 0x18, 0x46, 0x46, 0xcc, 0xea, 0x89, 0x43, 0x82, 0x6c, 0x93, 0xf4,\n 0x9c, 0xc4, 0x10, 0x34, 0x5d, 0xae, 0x9, 0xc8, 0xa6, 0x27},\n },\n {\n {0x54, 0x69, 0x3d, 0xc4, 0xa, 0x27, 0x2c, 0xcd, 0xb2, 0xca, 0x66,\n 0x6a, 0x57, 0x3e, 0x4a, 0xdd, 0x6c, 0x3, 0xd7, 0x69, 0x24, 0x59,\n 0xfa, 0x79, 0x99, 0x25, 0x8c, 0x3d, 0x60, 0x3, 0x15, 0x22},\n {0x88, 0xb1, 0xd, 0x1f, 0xcd, 0xeb, 0xa6, 0x8b, 0xe8, 0x5b, 0x5a,\n 0x67, 0x3a, 0xd7, 0xd3, 0x37, 0x5a, 0x58, 0xf5, 0x15, 0xa3, 0xdf,\n 0x2e, 0xf2, 0x7e, 0xa1, 0x60, 0xff, 0x74, 0x71, 0xb6, 0x2c},\n {0xd0, 0xe1, 0xb, 0x39, 0xf9, 0xcd, 0xee, 0x59, 0xf1, 0xe3, 0x8c,\n 0x72, 0x44, 0x20, 0x42, 0xa9, 0xf4, 0xf0, 0x94, 0x7a, 0x66, 0x1c,\n 0x89, 0x82, 0x36, 0xf4, 0x90, 0x38, 0xb7, 0xf4, 0x1d, 0x7b},\n },\n {\n {0x8c, 0xf5, 0xf8, 0x7, 0x18, 0x22, 0x2e, 0x5f, 0xd4, 0x9, 0x94,\n 0xd4, 0x9f, 0x5c, 0x55, 0xe3, 0x30, 0xa6, 0xb6, 0x1f, 0x8d, 0xa8,\n 0xaa, 0xb2, 0x3d, 0xe0, 0x52, 0xd3, 0x45, 0x82, 0x69, 0x68},\n {0x24, 0xa2, 0xb2, 0xb3, 0xe0, 0xf2, 0x92, 0xe4, 0x60, 0x11, 0x55,\n 0x2b, 0x6, 0x9e, 0x6c, 0x7c, 0xe, 0x7b, 0x7f, 0xd, 0xe2, 0x8f,\n 0xeb, 0x15, 0x92, 0x59, 0xfc, 0x58, 0x26, 0xef, 0xfc, 0x61},\n {0x7a, 0x18, 0x18, 0x2a, 0x85, 0x5d, 0xb1, 0xdb, 0xd7, 0xac, 0xdd,\n 0x86, 0xd3, 0xaa, 0xe4, 0xf3, 0x82, 0xc4, 0xf6, 0xf, 0x81, 0xe2,\n 0xba, 0x44, 0xcf, 0x1, 0xaf, 0x3d, 0x47, 0x4c, 0xcf, 0x46},\n },\n {\n {0x40, 0x81, 0x49, 0xf1, 0xa7, 0x6e, 0x3c, 0x21, 0x54, 0x48, 0x2b,\n 0x39, 0xf8, 0x7e, 0x1e, 0x7c, 0xba, 0xce, 0x29, 0x56, 0x8c, 0xc3,\n 0x88, 0x24, 0xbb, 0xc5, 0x8c, 0xd, 0xe5, 0xaa, 0x65, 0x10},\n {0xf9, 0xe5, 0xc4, 0x9e, 0xed, 0x25, 0x65, 0x42, 0x3, 0x33, 0x90,\n 0x16, 0x1, 0xda, 0x5e, 0xe, 0xdc, 0xca, 0xe5, 0xcb, 0xf2, 0xa7,\n 0xb1, 0x72, 0x40, 0x5f, 0xeb, 0x14, 0xcd, 0x7b, 0x38, 0x29},\n {0x57, 0xd, 0x20, 0xdf, 0x25, 0x45, 0x2c, 0x1c, 0x4a, 0x67, 0xca,\n 0xbf, 0xd6, 0x2d, 0x3b, 0x5c, 0x30, 0x40, 0x83, 0xe1, 0xb1, 0xe7,\n 0x7, 0xa, 0x16, 0xe7, 0x1c, 0x4f, 0xe6, 0x98, 0xa1, 0x69},\n },\n },\n {\n {\n {0xed, 0xca, 0xc5, 0xdc, 0x34, 0x44, 0x1, 0xe1, 0x33, 0xfb, 0x84,\n 0x3c, 0x96, 0x5d, 0xed, 0x47, 0xe7, 0xa0, 0x86, 0xed, 0x76, 0x95,\n 0x1, 0x70, 0xe4, 0xf9, 0x67, 0xd2, 0x7b, 0x69, 0xb2, 0x25},\n {0xbc, 0x78, 0x1a, 0xd9, 0xe0, 0xb2, 0x62, 0x90, 0x67, 0x96, 0x50,\n 0xc8, 0x9c, 0x88, 0xc9, 0x47, 0xb8, 0x70, 0x50, 0x40, 0x66, 0x4a,\n 0xf5, 0x9d, 0xbf, 0xa1, 0x93, 0x24, 0xa9, 0xe6, 0x69, 0x73},\n {0x64, 0x68, 0x98, 0x13, 0xfb, 0x3f, 0x67, 0x9d, 0xb8, 0xc7, 0x5d,\n 0x41, 0xd9, 0xfb, 0xa5, 0x3c, 0x5e, 0x3b, 0x27, 0xdf, 0x3b, 0xcc,\n 0x4e, 0xe0, 0xd2, 0x4c, 0x4e, 0xb5, 0x3d, 0x68, 0x20, 0x14},\n },\n {\n {0xd0, 0x5a, 0xcc, 0xc1, 0x6f, 0xbb, 0xee, 0x34, 0x8b, 0xac, 0x46,\n 0x96, 0xe9, 0xc, 0x1b, 0x6a, 0x53, 0xde, 0x6b, 0xa6, 0x49, 0xda,\n 0xb0, 0xd3, 0xc1, 0x81, 0xd0, 0x61, 0x41, 0x3b, 0xe8, 0x31},\n {0x97, 0xd1, 0x9d, 0x24, 0x1e, 0xbd, 0x78, 0xb4, 0x2, 0xc1, 0x58,\n 0x5e, 0x0, 0x35, 0xc, 0x62, 0x5c, 0xac, 0xba, 0xcc, 0x2f, 0xd3,\n 0x2, 0xfb, 0x2d, 0xa7, 0x8, 0xf5, 0xeb, 0x3b, 0xb6, 0x60},\n {0x4f, 0x2b, 0x6, 0x9e, 0x12, 0xc7, 0xe8, 0x97, 0xd8, 0xa, 0x32,\n 0x29, 0x4f, 0x8f, 0xe4, 0x49, 0x3f, 0x68, 0x18, 0x6f, 0x4b, 0xe1,\n 0xec, 0x5b, 0x17, 0x3, 0x55, 0x2d, 0xb6, 0x1e, 0xcf, 0x55},\n },\n {\n {0x52, 0x8c, 0xf5, 0x7d, 0xe3, 0xb5, 0x76, 0x30, 0x36, 0xcc, 0x99,\n 0xe7, 0xdd, 0xb9, 0x3a, 0xd7, 0x20, 0xee, 0x13, 0x49, 0xe3, 0x1c,\n 0x83, 0xbd, 0x33, 0x1, 0xba, 0x62, 0xaa, 0xfb, 0x56, 0x1a},\n {0x58, 0x3d, 0xc2, 0x65, 0x10, 0x10, 0x79, 0x58, 0x9c, 0x81, 0x94,\n 0x50, 0x6d, 0x8, 0x9d, 0x8b, 0xa7, 0x5f, 0xc5, 0x12, 0xa9, 0x2f,\n 0x40, 0xe2, 0xd4, 0x91, 0x8, 0x57, 0x64, 0x65, 0x9a, 0x66},\n {0xec, 0xc9, 0x9d, 0x5c, 0x50, 0x6b, 0x3e, 0x94, 0x1a, 0x37, 0x7c,\n 0xa7, 0xbb, 0x57, 0x25, 0x30, 0x51, 0x76, 0x34, 0x41, 0x56, 0xae,\n 0x73, 0x98, 0x5c, 0x8a, 0xc5, 0x99, 0x67, 0x83, 0xc4, 0x13},\n },\n {\n {0x80, 0xd0, 0x8b, 0x5d, 0x6a, 0xfb, 0xdc, 0xc4, 0x42, 0x48, 0x1a,\n 0x57, 0xec, 0xc4, 0xeb, 0xde, 0x65, 0x53, 0xe5, 0xb8, 0x83, 0xe8,\n 0xb2, 0xd4, 0x27, 0xb8, 0xe5, 0xc8, 0x7d, 0xc8, 0xbd, 0x50},\n {0xb9, 0xe1, 0xb3, 0x5a, 0x46, 0x5d, 0x3a, 0x42, 0x61, 0x3f, 0xf1,\n 0xc7, 0x87, 0xc1, 0x13, 0xfc, 0xb6, 0xb9, 0xb5, 0xec, 0x64, 0x36,\n 0xf8, 0x19, 0x7, 0xb6, 0x37, 0xa6, 0x93, 0xc, 0xf8, 0x66},\n {0x11, 0xe1, 0xdf, 0x6e, 0x83, 0x37, 0x6d, 0x60, 0xd9, 0xab, 0x11,\n 0xf0, 0x15, 0x3e, 0x35, 0x32, 0x96, 0x3b, 0xb7, 0x25, 0xc3, 0x3a,\n 0xb0, 0x64, 0xae, 0xd5, 0x5f, 0x72, 0x44, 0x64, 0xd5, 0x1d},\n },\n {\n {0x9a, 0xc8, 0xba, 0x8, 0x0, 0xe6, 0x97, 0xc2, 0xe0, 0xc3, 0xe1,\n 0xea, 0x11, 0xea, 0x4c, 0x7d, 0x7c, 0x97, 0xe7, 0x9f, 0xe1, 0x8b,\n 0xe3, 0xf3, 0xcd, 0x5, 0xa3, 0x63, 0xf, 0x45, 0x3a, 0x3a},\n {0x7d, 0x12, 0x62, 0x33, 0xf8, 0x7f, 0xa4, 0x8f, 0x15, 0x7c, 0xcd,\n 0x71, 0xc4, 0x6a, 0x9f, 0xbc, 0x8b, 0xc, 0x22, 0x49, 0x43, 0x45,\n 0x71, 0x6e, 0x2e, 0x73, 0x9f, 0x21, 0x12, 0x59, 0x64, 0xe},\n {0x27, 0x46, 0x39, 0xd8, 0x31, 0x2f, 0x8f, 0x7, 0x10, 0xa5, 0x94,\n 0xde, 0x83, 0x31, 0x9d, 0x38, 0x80, 0x6f, 0x99, 0x17, 0x6d, 0x6c,\n 0xe3, 0xd1, 0x7b, 0xa8, 0xa9, 0x93, 0x93, 0x8d, 0x8c, 0x31},\n },\n {\n {0x98, 0xd3, 0x1d, 0xab, 0x29, 0x9e, 0x66, 0x5d, 0x3b, 0x9e, 0x2d,\n 0x34, 0x58, 0x16, 0x92, 0xfc, 0xcd, 0x73, 0x59, 0xf3, 0xfd, 0x1d,\n 0x85, 0x55, 0xf6, 0xa, 0x95, 0x25, 0xc3, 0x41, 0x9a, 0x50},\n {0x19, 0xfe, 0xff, 0x2a, 0x3, 0x5d, 0x74, 0xf2, 0x66, 0xdb, 0x24,\n 0x7f, 0x49, 0x3c, 0x9f, 0xc, 0xef, 0x98, 0x85, 0xba, 0xe3, 0xd3,\n 0x98, 0xbc, 0x14, 0x53, 0x1d, 0x9a, 0x67, 0x7c, 0x4c, 0x22},\n {0xe9, 0x25, 0xf9, 0xa6, 0xdc, 0x6e, 0xc0, 0xbd, 0x33, 0x1f, 0x1b,\n 0x64, 0xf4, 0xf3, 0x3e, 0x79, 0x89, 0x3e, 0x83, 0x9d, 0x80, 0x12,\n 0xec, 0x82, 0x89, 0x13, 0xa1, 0x28, 0x23, 0xf0, 0xbf, 0x5},\n },\n {\n {0xe4, 0x12, 0xc5, 0xd, 0xdd, 0xa0, 0x81, 0x68, 0xfe, 0xfa, 0xa5,\n 0x44, 0xc8, 0xd, 0xe7, 0x4f, 0x40, 0x52, 0x4a, 0x8f, 0x6b, 0x8e,\n 0x74, 0x1f, 0xea, 0xa3, 0x1, 0xee, 0xcd, 0x77, 0x62, 0x57},\n {0xb, 0xe0, 0xca, 0x23, 0x70, 0x13, 0x32, 0x36, 0x59, 0xcf, 0xac,\n 0xd1, 0xa, 0xcf, 0x4a, 0x54, 0x88, 0x1c, 0x1a, 0xd2, 0x49, 0x10,\n 0x74, 0x96, 0xa7, 0x44, 0x2a, 0xfa, 0xc3, 0x8c, 0xb, 0x78},\n {0x5f, 0x30, 0x4f, 0x23, 0xbc, 0x8a, 0xf3, 0x1e, 0x8, 0xde, 0x5,\n 0x14, 0xbd, 0x7f, 0x57, 0x9a, 0xd, 0x2a, 0xe6, 0x34, 0x14, 0xa5,\n 0x82, 0x5e, 0xa1, 0xb7, 0x71, 0x62, 0x72, 0x18, 0xf4, 0x5f},\n },\n {\n {0x40, 0x95, 0xb6, 0x13, 0xe8, 0x47, 0xdb, 0xe5, 0xe1, 0x10, 0x26,\n 0x43, 0x3b, 0x2a, 0x5d, 0xf3, 0x76, 0x12, 0x78, 0x38, 0xe9, 0x26,\n 0x1f, 0xac, 0x69, 0xcb, 0xa0, 0xa0, 0x8c, 0xdb, 0xd4, 0x29},\n {0x9d, 0xdb, 0x89, 0x17, 0xc, 0x8, 0x8e, 0x39, 0xf5, 0x78, 0xe7,\n 0xf3, 0x25, 0x20, 0x60, 0xa7, 0x5d, 0x3, 0xbd, 0x6, 0x4c, 0x89,\n 0x98, 0xfa, 0xbe, 0x66, 0xa9, 0x25, 0xdc, 0x3, 0x6a, 0x10},\n {0xd0, 0x53, 0x33, 0x33, 0xaf, 0xa, 0xad, 0xd9, 0xe5, 0x9, 0xd3,\n 0xac, 0xa5, 0x9d, 0x66, 0x38, 0xf0, 0xf7, 0x88, 0xc8, 0x8a, 0x65,\n 0x57, 0x3c, 0xfa, 0xbe, 0x2c, 0x5, 0x51, 0x8a, 0xb3, 0x4a},\n },\n },\n {\n {\n {0x9c, 0xc0, 0xdd, 0x5f, 0xef, 0xd1, 0xcf, 0xd6, 0xce, 0x5d, 0x57,\n 0xf7, 0xfd, 0x3e, 0x2b, 0xe8, 0xc2, 0x34, 0x16, 0x20, 0x5d, 0x6b,\n 0xd5, 0x25, 0x9b, 0x2b, 0xed, 0x4, 0xbb, 0xc6, 0x41, 0x30},\n {0x93, 0xd5, 0x68, 0x67, 0x25, 0x2b, 0x7c, 0xda, 0x13, 0xca, 0x22,\n 0x44, 0x57, 0xc0, 0xc1, 0x98, 0x1d, 0xce, 0xa, 0xca, 0xd5, 0xb,\n 0xa8, 0xf1, 0x90, 0xa6, 0x88, 0xc0, 0xad, 0xd1, 0xcd, 0x29},\n {0x48, 0xe1, 0x56, 0xd9, 0xf9, 0xf2, 0xf2, 0xf, 0x2e, 0x6b, 0x35,\n 0x9f, 0x75, 0x97, 0xe7, 0xad, 0x5c, 0x2, 0x6c, 0x5f, 0xbb, 0x98,\n 0x46, 0x1a, 0x7b, 0x9a, 0x4, 0x14, 0x68, 0xbd, 0x4b, 0x10},\n },\n {\n {0x63, 0xf1, 0x7f, 0xd6, 0x5f, 0x9a, 0x5d, 0xa9, 0x81, 0x56, 0xc7,\n 0x4c, 0x9d, 0xe6, 0x2b, 0xe9, 0x57, 0xf2, 0x20, 0xde, 0x4c, 0x2,\n 0xf8, 0xb7, 0xf5, 0x2d, 0x7, 0xfb, 0x20, 0x2a, 0x4f, 0x20},\n {0x67, 0xed, 0xf1, 0x68, 0x31, 0xfd, 0xf0, 0x51, 0xc2, 0x3b, 0x6f,\n 0xd8, 0xcd, 0x1d, 0x81, 0x2c, 0xde, 0xf2, 0xd2, 0x4, 0x43, 0x5c,\n 0xdc, 0x44, 0x49, 0x71, 0x2a, 0x9, 0x57, 0xcc, 0xe8, 0x5b},\n {0x79, 0xb0, 0xeb, 0x30, 0x3d, 0x3b, 0x14, 0xc8, 0x30, 0x2e, 0x65,\n 0xbd, 0x5a, 0x15, 0x89, 0x75, 0x31, 0x5c, 0x6d, 0x8f, 0x31, 0x3c,\n 0x3c, 0x65, 0x1f, 0x16, 0x79, 0xc2, 0x17, 0xfb, 0x70, 0x25},\n },\n {\n {0x5a, 0x24, 0xb8, 0xb, 0x55, 0xa9, 0x2e, 0x19, 0xd1, 0x50, 0x90,\n 0x8f, 0xa8, 0xfb, 0xe6, 0xc8, 0x35, 0xc9, 0xa4, 0x88, 0x2d, 0xea,\n 0x86, 0x79, 0x68, 0x86, 0x1, 0xde, 0x91, 0x5f, 0x1c, 0x24},\n {0x75, 0x15, 0xb6, 0x2c, 0x7f, 0x36, 0xfa, 0x3e, 0x6c, 0x2, 0xd6,\n 0x1c, 0x76, 0x6f, 0xf9, 0xf5, 0x62, 0x25, 0xb5, 0x65, 0x2a, 0x14,\n 0xc7, 0xe8, 0xcd, 0xa, 0x3, 0x53, 0xea, 0x65, 0xcb, 0x3d},\n {0xaa, 0x6c, 0xde, 0x40, 0x29, 0x17, 0xd8, 0x28, 0x3a, 0x73, 0xd9,\n 0x22, 0xf0, 0x2c, 0xbf, 0x8f, 0xd1, 0x1, 0x5b, 0x23, 0xdd, 0xfc,\n 0xd7, 0x16, 0xe5, 0xf0, 0xcd, 0x5f, 0xdd, 0xe, 0x42, 0x8},\n },\n {\n {0xce, 0x10, 0xf4, 0x4, 0x4e, 0xc3, 0x58, 0x3, 0x85, 0x6, 0x6e,\n 0x27, 0x5a, 0x5b, 0x13, 0xb6, 0x21, 0x15, 0xb9, 0xeb, 0xc7, 0x70,\n 0x96, 0x5d, 0x9c, 0x88, 0xdb, 0x21, 0xf3, 0x54, 0xd6, 0x4},\n {0x4a, 0xfa, 0x62, 0x83, 0xab, 0x20, 0xff, 0xcd, 0x6e, 0x3e, 0x1a,\n 0xe2, 0xd4, 0x18, 0xe1, 0x57, 0x2b, 0xe6, 0x39, 0xfc, 0x17, 0x96,\n 0x17, 0xe3, 0xfd, 0x69, 0x17, 0xbc, 0xef, 0x53, 0x9a, 0xd},\n {0xd5, 0xb5, 0xbd, 0xdd, 0x16, 0xc1, 0x7d, 0x5e, 0x2d, 0xdd, 0xa5,\n 0x8d, 0xb6, 0xde, 0x54, 0x29, 0x92, 0xa2, 0x34, 0x33, 0x17, 0x8,\n 0xb6, 0x1c, 0xd7, 0x1a, 0x99, 0x18, 0x26, 0x4f, 0x7a, 0x4a},\n },\n {\n {0x4b, 0x2a, 0x37, 0xaf, 0x91, 0xb2, 0xc3, 0x24, 0xf2, 0x47, 0x81,\n 0x71, 0x70, 0x82, 0xda, 0x93, 0xf2, 0x9e, 0x89, 0x86, 0x64, 0x85,\n 0x84, 0xdd, 0x33, 0xee, 0xe0, 0x23, 0x42, 0x31, 0x96, 0x4a},\n {0x95, 0x5f, 0xb1, 0x5f, 0x2, 0x18, 0xa7, 0xf4, 0x8f, 0x1b, 0x5c,\n 0x6b, 0x34, 0x5f, 0xf6, 0x3d, 0x12, 0x11, 0xe0, 0x0, 0x85, 0xf0,\n 0xfc, 0xcd, 0x48, 0x18, 0xd3, 0xdd, 0x4c, 0xc, 0xb5, 0x11},\n {0xd6, 0xff, 0xa4, 0x8, 0x44, 0x27, 0xe8, 0xa6, 0xd9, 0x76, 0x15,\n 0x9c, 0x7e, 0x17, 0x8e, 0x73, 0xf2, 0xb3, 0x2, 0x3d, 0xb6, 0x48,\n 0x33, 0x77, 0x51, 0xcc, 0x6b, 0xce, 0x4d, 0xce, 0x4b, 0x4f},\n },\n {\n {0x6f, 0xb, 0x9d, 0xc4, 0x6e, 0x61, 0xe2, 0x30, 0x17, 0x23, 0xec,\n 0xca, 0x8f, 0x71, 0x56, 0xe4, 0xa6, 0x4f, 0x6b, 0xf2, 0x9b, 0x40,\n 0xeb, 0x48, 0x37, 0x5f, 0x59, 0x61, 0xe5, 0xce, 0x42, 0x30},\n {0x84, 0x25, 0x24, 0xe2, 0x5a, 0xce, 0x1f, 0xa7, 0x9e, 0x8a, 0xf5,\n 0x92, 0x56, 0x72, 0xea, 0x26, 0xf4, 0x3c, 0xea, 0x1c, 0xd7, 0x9,\n 0x1a, 0xd2, 0xe6, 0x1, 0x1c, 0xb7, 0x14, 0xdd, 0xfc, 0x73},\n {0x41, 0xac, 0x9b, 0x44, 0x79, 0x70, 0x7e, 0x42, 0xa, 0x31, 0xe2,\n 0xbc, 0x6d, 0xe3, 0x5a, 0x85, 0x7c, 0x1a, 0x84, 0x5f, 0x21, 0x76,\n 0xae, 0x4c, 0xd6, 0xe1, 0x9c, 0x9a, 0xc, 0x74, 0x9e, 0x38},\n },\n {\n {0x28, 0xac, 0xe, 0x57, 0xf6, 0x78, 0xbd, 0xc9, 0xe1, 0x9c, 0x91,\n 0x27, 0x32, 0xb, 0x5b, 0xe5, 0xed, 0x91, 0x9b, 0xa1, 0xab, 0x3e,\n 0xfc, 0x65, 0x90, 0x36, 0x26, 0xd6, 0xe5, 0x25, 0xc4, 0x25},\n {0xce, 0xb9, 0xdc, 0x34, 0xae, 0xb3, 0xfc, 0x64, 0xad, 0xd0, 0x48,\n 0xe3, 0x23, 0x3, 0x50, 0x97, 0x1b, 0x38, 0xc6, 0x62, 0x7d, 0xf0,\n 0xb3, 0x45, 0x88, 0x67, 0x5a, 0x46, 0x79, 0x53, 0x54, 0x61},\n {0x6e, 0xde, 0xd7, 0xf1, 0xa6, 0x6, 0x3e, 0x3f, 0x8, 0x23, 0x6,\n 0x8e, 0x27, 0x76, 0xf9, 0x3e, 0x77, 0x6c, 0x8a, 0x4e, 0x26, 0xf6,\n 0x14, 0x8c, 0x59, 0x47, 0x48, 0x15, 0x89, 0xa0, 0x39, 0x65},\n },\n {\n {0x19, 0x4a, 0xbb, 0x14, 0xd4, 0xdb, 0xc4, 0xdd, 0x8e, 0x4f, 0x42,\n 0x98, 0x3c, 0xbc, 0xb2, 0x19, 0x69, 0x71, 0xca, 0x36, 0xd7, 0x9f,\n 0xa8, 0x48, 0x90, 0xbd, 0x19, 0xf0, 0xe, 0x32, 0x65, 0xf},\n {0x73, 0xf7, 0xd2, 0xc3, 0x74, 0x1f, 0xd2, 0xe9, 0x45, 0x68, 0xc4,\n 0x25, 0x41, 0x54, 0x50, 0xc1, 0x33, 0x9e, 0xb9, 0xf9, 0xe8, 0x5c,\n 0x4e, 0x62, 0x6c, 0x18, 0xcd, 0xc5, 0xaa, 0xe4, 0xc5, 0x11},\n {0xc6, 0xe0, 0xfd, 0xca, 0xb1, 0xd1, 0x86, 0xd4, 0x81, 0x51, 0x3b,\n 0x16, 0xe3, 0xe6, 0x3f, 0x4f, 0x9a, 0x93, 0xf2, 0xfa, 0xd, 0xaf,\n 0xa8, 0x59, 0x2a, 0x7, 0x33, 0xec, 0xbd, 0xc7, 0xab, 0x4c},\n },\n },\n {\n {\n {0x89, 0xd2, 0x78, 0x3f, 0x8f, 0x78, 0x8f, 0xc0, 0x9f, 0x4d, 0x40,\n 0xa1, 0x2c, 0xa7, 0x30, 0xfe, 0x9d, 0xcc, 0x65, 0xcf, 0xfc, 0x8b,\n 0x77, 0xf2, 0x21, 0x20, 0xcb, 0x5a, 0x16, 0x98, 0xe4, 0x7e},\n {0x2e, 0xa, 0x9c, 0x8, 0x24, 0x96, 0x9e, 0x23, 0x38, 0x47, 0xfe,\n 0x3a, 0xc0, 0xc4, 0x48, 0xc7, 0x2a, 0xa1, 0x4f, 0x76, 0x2a, 0xed,\n 0xdb, 0x17, 0x82, 0x85, 0x1c, 0x32, 0xf0, 0x93, 0x9b, 0x63},\n {0xc3, 0xa1, 0x11, 0x91, 0xe3, 0x8, 0xd5, 0x7b, 0x89, 0x74, 0x90,\n 0x80, 0xd4, 0x90, 0x2b, 0x2b, 0x19, 0xfd, 0x72, 0xae, 0xc2, 0xae,\n 0xd2, 0xe7, 0xa6, 0x2, 0xb6, 0x85, 0x3c, 0x49, 0xdf, 0xe},\n },\n {\n {0x13, 0x41, 0x76, 0x84, 0xd2, 0xc4, 0x67, 0x67, 0x35, 0xf8, 0xf5,\n 0xf7, 0x3f, 0x40, 0x90, 0xa0, 0xde, 0xbe, 0xe6, 0xca, 0xfa, 0xcf,\n 0x8f, 0x1c, 0x69, 0xa3, 0xdf, 0xd1, 0x54, 0xc, 0xc0, 0x4},\n {0x68, 0x5a, 0x9b, 0x59, 0x58, 0x81, 0xcc, 0xae, 0xe, 0xe2, 0xad,\n 0xeb, 0xf, 0x4f, 0x57, 0xea, 0x7, 0x7f, 0xb6, 0x22, 0x74, 0x1d,\n 0xe4, 0x4f, 0xb4, 0x4f, 0x9d, 0x1, 0xe3, 0x92, 0x3b, 0x40},\n {0xf8, 0x5c, 0x46, 0x8b, 0x81, 0x2f, 0xc2, 0x4d, 0xf8, 0xef, 0x80,\n 0x14, 0x5a, 0xf3, 0xa0, 0x71, 0x57, 0xd6, 0xc7, 0x4, 0xad, 0xbf,\n 0xe8, 0xae, 0xf4, 0x76, 0x61, 0xb2, 0x2a, 0xb1, 0x5b, 0x35},\n },\n {\n {0x18, 0x73, 0x8c, 0x5a, 0xc7, 0xda, 0x1, 0xa3, 0x11, 0xaa, 0xce,\n 0xb3, 0x9d, 0x3, 0x90, 0xed, 0x2d, 0x3f, 0xae, 0x3b, 0xbf, 0x7c,\n 0x7, 0x6f, 0x8e, 0xad, 0x52, 0xe0, 0xf8, 0xea, 0x18, 0x75},\n {0xf4, 0xbb, 0x93, 0x74, 0xcc, 0x64, 0x1e, 0xa7, 0xc3, 0xb0, 0xa3,\n 0xec, 0xd9, 0x84, 0xbd, 0xe5, 0x85, 0xe7, 0x5, 0xfa, 0xc, 0xc5,\n 0x6b, 0xa, 0x12, 0xc3, 0x2e, 0x18, 0x32, 0x81, 0x9b, 0xf},\n {0x32, 0x6c, 0x7f, 0x1b, 0xc4, 0x59, 0x88, 0xa4, 0x98, 0x32, 0x38,\n 0xf4, 0xbc, 0x60, 0x2d, 0xf, 0xd9, 0xd1, 0xb1, 0xc9, 0x29, 0xa9,\n 0x15, 0x18, 0xc4, 0x55, 0x17, 0xbb, 0x1b, 0x87, 0xc3, 0x47},\n },\n {\n {0xb0, 0x66, 0x50, 0xc8, 0x50, 0x5d, 0xe6, 0xfb, 0xb0, 0x99, 0xa2,\n 0xb3, 0xb0, 0xc4, 0xec, 0x62, 0xe0, 0xe8, 0x1a, 0x44, 0xea, 0x54,\n 0x37, 0xe5, 0x5f, 0x8d, 0xd4, 0xe8, 0x2c, 0xa0, 0xfe, 0x8},\n {0x48, 0x4f, 0xec, 0x71, 0x97, 0x53, 0x44, 0x51, 0x6e, 0x5d, 0x8c,\n 0xc9, 0x7d, 0xb1, 0x5, 0xf8, 0x6b, 0xc6, 0xc3, 0x47, 0x1a, 0xc1,\n 0x62, 0xf7, 0xdc, 0x99, 0x46, 0x76, 0x85, 0x9b, 0xb8, 0x0},\n {0xd0, 0xea, 0xde, 0x68, 0x76, 0xdd, 0x4d, 0x82, 0x23, 0x5d, 0x68,\n 0x4b, 0x20, 0x45, 0x64, 0xc8, 0x65, 0xd6, 0x89, 0x5d, 0xcd, 0xcf,\n 0x14, 0xb5, 0x37, 0xd5, 0x75, 0x4f, 0xa7, 0x29, 0x38, 0x47},\n },\n {\n {0xc9, 0x2, 0x39, 0xad, 0x3a, 0x53, 0xd9, 0x23, 0x8f, 0x58, 0x3,\n 0xef, 0xce, 0xdd, 0xc2, 0x64, 0xb4, 0x2f, 0xe1, 0xcf, 0x90, 0x73,\n 0x25, 0x15, 0x90, 0xd3, 0xe4, 0x44, 0x4d, 0x8b, 0x66, 0x6c},\n {0x18, 0xc4, 0x79, 0x46, 0x75, 0xda, 0xd2, 0x82, 0xf0, 0x8d, 0x61,\n 0xb2, 0xd8, 0xd7, 0x3b, 0xe6, 0xa, 0xeb, 0x47, 0xac, 0x24, 0xef,\n 0x5e, 0x35, 0xb4, 0xc6, 0x33, 0x48, 0x4c, 0x68, 0x78, 0x20},\n {0xc, 0x82, 0x78, 0x7a, 0x21, 0xcf, 0x48, 0x3b, 0x97, 0x3e, 0x27,\n 0x81, 0xb2, 0xa, 0x6a, 0xf7, 0x7b, 0xed, 0x8e, 0x8c, 0xa7, 0x65,\n 0x6c, 0xa9, 0x3f, 0x43, 0x8a, 0x4f, 0x5, 0xa6, 0x11, 0x74},\n },\n {\n {0xb4, 0x75, 0xb1, 0x18, 0x3d, 0xe5, 0x9a, 0x57, 0x2, 0xa1, 0x92,\n 0xf3, 0x59, 0x31, 0x71, 0x68, 0xf5, 0x35, 0xef, 0x1e, 0xba, 0xec,\n 0x55, 0x84, 0x8f, 0x39, 0x8c, 0x45, 0x72, 0xa8, 0xc9, 0x1e},\n {0x6d, 0xc8, 0x9d, 0xb9, 0x32, 0x9d, 0x65, 0x4d, 0x15, 0xf1, 0x3a,\n 0x60, 0x75, 0xdc, 0x4c, 0x4, 0x88, 0xe4, 0xc2, 0xdc, 0x2c, 0x71,\n 0x4c, 0xb3, 0xff, 0x34, 0x81, 0xfb, 0x74, 0x65, 0x13, 0x7c},\n {0x9b, 0x50, 0xa2, 0x0, 0xd4, 0xa4, 0xe6, 0xb8, 0xb4, 0x82, 0xc8,\n 0xb, 0x2, 0xd7, 0x81, 0x9b, 0x61, 0x75, 0x95, 0xf1, 0x9b, 0xcc,\n 0xe7, 0x57, 0x60, 0x64, 0xcd, 0xc7, 0xa5, 0x88, 0xdd, 0x3a},\n },\n {\n {0x46, 0x30, 0x39, 0x59, 0xd4, 0x98, 0xc2, 0x85, 0xec, 0x59, 0xf6,\n 0x5f, 0x98, 0x35, 0x7e, 0x8f, 0x3a, 0x6e, 0xf6, 0xf2, 0x2a, 0xa2,\n 0x2c, 0x1d, 0x20, 0xa7, 0x6, 0xa4, 0x31, 0x11, 0xba, 0x61},\n {0xf2, 0xdc, 0x35, 0xb6, 0x70, 0x57, 0x89, 0xab, 0xbc, 0x1f, 0x6c,\n 0xf6, 0x6c, 0xef, 0xdf, 0x2, 0x87, 0xd1, 0xb6, 0xbe, 0x68, 0x2,\n 0x53, 0x85, 0x74, 0x9e, 0x87, 0xcc, 0xfc, 0x29, 0x99, 0x24},\n {0x29, 0x90, 0x95, 0x16, 0xf1, 0xa0, 0xd0, 0xa3, 0x89, 0xbd, 0x7e,\n 0xba, 0x6c, 0x6b, 0x3b, 0x2, 0x7, 0x33, 0x78, 0x26, 0x3e, 0x5a,\n 0xf1, 0x7b, 0xe7, 0xec, 0xd8, 0xbb, 0xc, 0x31, 0x20, 0x56},\n },\n {\n {0xd6, 0x85, 0xe2, 0x77, 0xf4, 0xb5, 0x46, 0x66, 0x93, 0x61, 0x8f,\n 0x6c, 0x67, 0xff, 0xe8, 0x40, 0xdd, 0x94, 0xb5, 0xab, 0x11, 0x73,\n 0xec, 0xa6, 0x4d, 0xec, 0x8c, 0x65, 0xf3, 0x46, 0xc8, 0x7e},\n {0x43, 0xd6, 0x34, 0x49, 0x43, 0x93, 0x89, 0x52, 0xf5, 0x22, 0x12,\n 0xa5, 0x6, 0xf8, 0xdb, 0xb9, 0x22, 0x1c, 0xf4, 0xc3, 0x8f, 0x87,\n 0x6d, 0x8f, 0x30, 0x97, 0x9d, 0x4d, 0x2a, 0x6a, 0x67, 0x37},\n {0xc7, 0x2e, 0xa2, 0x1d, 0x3f, 0x8f, 0x5e, 0x9b, 0x13, 0xcd, 0x1,\n 0x6c, 0x77, 0x1d, 0xf, 0x13, 0xb8, 0x9f, 0x98, 0xa2, 0xcf, 0x8f,\n 0x4c, 0x21, 0xd5, 0x9d, 0x9b, 0x39, 0x23, 0xf7, 0xaa, 0x6d},\n },\n },\n {\n {\n {0xa2, 0x8e, 0xad, 0xac, 0xbf, 0x4, 0x3b, 0x58, 0x84, 0xe8, 0x8b,\n 0x14, 0xe8, 0x43, 0xb7, 0x29, 0xdb, 0xc5, 0x10, 0x8, 0x3b, 0x58,\n 0x1e, 0x2b, 0xaa, 0xbb, 0xb3, 0x8e, 0xe5, 0x49, 0x54, 0x2b},\n {0x47, 0xbe, 0x3d, 0xeb, 0x62, 0x75, 0x3a, 0x5f, 0xb8, 0xa0, 0xbd,\n 0x8e, 0x54, 0x38, 0xea, 0xf7, 0x99, 0x72, 0x74, 0x45, 0x31, 0xe5,\n 0xc3, 0x0, 0x51, 0xd5, 0x27, 0x16, 0xe7, 0xe9, 0x4, 0x13},\n {0xfe, 0x9c, 0xdc, 0x6a, 0xd2, 0x14, 0x98, 0x78, 0xb, 0xdd, 0x48,\n 0x8b, 0x3f, 0xab, 0x1b, 0x3c, 0xa, 0xc6, 0x79, 0xf9, 0xff, 0xe1,\n 0xf, 0xda, 0x93, 0xd6, 0x2d, 0x7c, 0x2d, 0xde, 0x68, 0x44},\n },\n {\n {0xce, 0x7, 0x63, 0xf8, 0xc6, 0xd8, 0x9a, 0x4b, 0x28, 0xc, 0x5d,\n 0x43, 0x31, 0x35, 0x11, 0x21, 0x2c, 0x77, 0x7a, 0x65, 0xc5, 0x66,\n 0xa8, 0xd4, 0x52, 0x73, 0x24, 0x63, 0x7e, 0x42, 0xa6, 0x5d},\n {0x9e, 0x46, 0x19, 0x94, 0x5e, 0x35, 0xbb, 0x51, 0x54, 0xc7, 0xdd,\n 0x23, 0x4c, 0xdc, 0xe6, 0x33, 0x62, 0x99, 0x7f, 0x44, 0xd6, 0xb6,\n 0xa5, 0x93, 0x63, 0xbd, 0x44, 0xfb, 0x6f, 0x7c, 0xce, 0x6c},\n {0xca, 0x22, 0xac, 0xde, 0x88, 0xc6, 0x94, 0x1a, 0xf8, 0x1f, 0xae,\n 0xbb, 0xf7, 0x6e, 0x6, 0xb9, 0xf, 0x58, 0x59, 0x8d, 0x38, 0x8c,\n 0xad, 0x88, 0xa8, 0x2c, 0x9f, 0xe7, 0xbf, 0x9a, 0xf2, 0x58},\n },\n {\n {0xf6, 0xcd, 0xe, 0x71, 0xbf, 0x64, 0x5a, 0x4b, 0x3c, 0x29, 0x2c,\n 0x46, 0x38, 0xe5, 0x4c, 0xb1, 0xb9, 0x3a, 0xb, 0xd5, 0x56, 0xd0,\n 0x43, 0x36, 0x70, 0x48, 0x5b, 0x18, 0x24, 0x37, 0xf9, 0x6a},\n {0x68, 0x3e, 0xe7, 0x8d, 0xab, 0xcf, 0xe, 0xe9, 0xa5, 0x76, 0x7e,\n 0x37, 0x9f, 0x6f, 0x3, 0x54, 0x82, 0x59, 0x1, 0xbe, 0xb, 0x5b,\n 0x49, 0xf0, 0x36, 0x1e, 0xf4, 0xa7, 0xc4, 0x29, 0x76, 0x57},\n {0x88, 0xa8, 0xc6, 0x9, 0x45, 0x2, 0x20, 0x32, 0x73, 0x89, 0x55,\n 0x4b, 0x13, 0x36, 0xe0, 0xd2, 0x9f, 0x28, 0x33, 0x3c, 0x23, 0x36,\n 0xe2, 0x83, 0x8f, 0xc1, 0xae, 0xc, 0xbb, 0x25, 0x1f, 0x70},\n },\n {\n {0x13, 0xc1, 0xbe, 0x7c, 0xd9, 0xf6, 0x18, 0x9d, 0xe4, 0xdb, 0xbf,\n 0x74, 0xe6, 0x6, 0x4a, 0x84, 0xd6, 0x60, 0x4e, 0xac, 0x22, 0xb5,\n 0xf5, 0x20, 0x51, 0x5e, 0x95, 0x50, 0xc0, 0x5b, 0xa, 0x72},\n {0xed, 0x6c, 0x61, 0xe4, 0xf8, 0xb0, 0xa8, 0xc3, 0x7d, 0xa8, 0x25,\n 0x9e, 0xe, 0x66, 0x0, 0xf7, 0x9c, 0xa5, 0xbc, 0xf4, 0x1f, 0x6,\n 0xe3, 0x61, 0xe9, 0xb, 0xc4, 0xbd, 0xbf, 0x92, 0xc, 0x2e},\n {0x35, 0x5a, 0x80, 0x9b, 0x43, 0x9, 0x3f, 0xc, 0xfc, 0xab, 0x42,\n 0x62, 0x37, 0x8b, 0x4e, 0xe8, 0x46, 0x93, 0x22, 0x5c, 0xf3, 0x17,\n 0x14, 0x69, 0xec, 0xf0, 0x4e, 0x14, 0xbb, 0x9c, 0x9b, 0xe},\n },\n {\n {0xee, 0xbe, 0xb1, 0x5d, 0xd5, 0x9b, 0xee, 0x8d, 0xb9, 0x3f, 0x72,\n 0xa, 0x37, 0xab, 0xc3, 0xc9, 0x91, 0xd7, 0x68, 0x1c, 0xbf, 0xf1,\n 0xa8, 0x44, 0xde, 0x3c, 0xfd, 0x1c, 0x19, 0x44, 0x6d, 0x36},\n {0xad, 0x20, 0x57, 0xfb, 0x8f, 0xd4, 0xba, 0xfb, 0xe, 0xd, 0xf9,\n 0xdb, 0x6b, 0x91, 0x81, 0xee, 0xbf, 0x43, 0x55, 0x63, 0x52, 0x31,\n 0x81, 0xd4, 0xd8, 0x7b, 0x33, 0x3f, 0xeb, 0x4, 0x11, 0x22},\n {0x14, 0x8c, 0xbc, 0xf2, 0x43, 0x17, 0x3c, 0x9e, 0x3b, 0x6c, 0x85,\n 0xb5, 0xfc, 0x26, 0xda, 0x2e, 0x97, 0xfb, 0xa7, 0x68, 0xe, 0x2f,\n 0xb8, 0xcc, 0x44, 0x32, 0x59, 0xbc, 0xe6, 0xa4, 0x67, 0x41},\n },\n {\n {0xee, 0x8f, 0xce, 0xf8, 0x65, 0x26, 0xbe, 0xc2, 0x2c, 0xd6, 0x80,\n 0xe8, 0x14, 0xff, 0x67, 0xe9, 0xee, 0x4e, 0x36, 0x2f, 0x7e, 0x6e,\n 0x2e, 0xf1, 0xf6, 0xd2, 0x7e, 0xcb, 0x70, 0x33, 0xb3, 0x34},\n {0x0, 0x27, 0xf6, 0x76, 0x28, 0x9d, 0x3b, 0x64, 0xeb, 0x68, 0x76,\n 0xe, 0x40, 0x9d, 0x1d, 0x5d, 0x84, 0x6, 0xfc, 0x21, 0x3, 0x43,\n 0x4b, 0x1b, 0x6a, 0x24, 0x55, 0x22, 0x7e, 0xbb, 0x38, 0x79},\n {0xcc, 0xd6, 0x81, 0x86, 0xee, 0x91, 0xc5, 0xcd, 0x53, 0xa7, 0x85,\n 0xed, 0x9c, 0x10, 0x2, 0xce, 0x83, 0x88, 0x80, 0x58, 0xc1, 0x85,\n 0x74, 0xed, 0xe4, 0x65, 0xfe, 0x2d, 0x6e, 0xfc, 0x76, 0x11},\n },\n {\n {0xb8, 0xe, 0x77, 0x49, 0x89, 0xe2, 0x90, 0xdb, 0xa3, 0x40, 0xf4,\n 0xac, 0x2a, 0xcc, 0xfb, 0x98, 0x9b, 0x87, 0xd7, 0xde, 0xfe, 0x4f,\n 0x35, 0x21, 0xb6, 0x6, 0x69, 0xf2, 0x54, 0x3e, 0x6a, 0x1f},\n {0x9b, 0x61, 0x9c, 0x5b, 0xd0, 0x6c, 0xaf, 0xb4, 0x80, 0x84, 0xa5,\n 0xb2, 0xf4, 0xc9, 0xdf, 0x2d, 0xc4, 0x4d, 0xe9, 0xeb, 0x2, 0xa5,\n 0x4f, 0x3d, 0x34, 0x5f, 0x7d, 0x67, 0x4c, 0x3a, 0xfc, 0x8},\n {0xea, 0x34, 0x7, 0xd3, 0x99, 0xc1, 0xa4, 0x60, 0xd6, 0x5c, 0x16,\n 0x31, 0xb6, 0x85, 0xc0, 0x40, 0x95, 0x82, 0x59, 0xf7, 0x23, 0x3e,\n 0x33, 0xe2, 0xd1, 0x0, 0xb9, 0x16, 0x1, 0xad, 0x2f, 0x4f},\n },\n {\n {0x38, 0xb6, 0x3b, 0xb7, 0x1d, 0xd9, 0x2c, 0x96, 0x8, 0x9c, 0x12,\n 0xfc, 0xaa, 0x77, 0x5, 0xe6, 0x89, 0x16, 0xb6, 0xf3, 0x39, 0x9b,\n 0x61, 0x6f, 0x81, 0xee, 0x44, 0x29, 0x5f, 0x99, 0x51, 0x34},\n {0x54, 0x4e, 0xae, 0x94, 0x41, 0xb2, 0xbe, 0x44, 0x6c, 0xef, 0x57,\n 0x18, 0x51, 0x1c, 0x54, 0x5f, 0x98, 0x4, 0x8d, 0x36, 0x2d, 0x6b,\n 0x1e, 0xa6, 0xab, 0xf7, 0x2e, 0x97, 0xa4, 0x84, 0x54, 0x44},\n {0x7c, 0x7d, 0xea, 0x9f, 0xd0, 0xfc, 0x52, 0x91, 0xf6, 0x5c, 0x93,\n 0xb0, 0x94, 0x6c, 0x81, 0x4a, 0x40, 0x5c, 0x28, 0x47, 0xaa, 0x9a,\n 0x8e, 0x25, 0xb7, 0x93, 0x28, 0x4, 0xa6, 0x9c, 0xb8, 0x10},\n },\n },\n {\n {\n {0x6e, 0xf0, 0x45, 0x5a, 0xbe, 0x41, 0x39, 0x75, 0x65, 0x5f, 0x9c,\n 0x6d, 0xed, 0xae, 0x7c, 0xd0, 0xb6, 0x51, 0xff, 0x72, 0x9c, 0x6b,\n 0x77, 0x11, 0xa9, 0x4d, 0xd, 0xef, 0xd9, 0xd1, 0xd2, 0x17},\n {0x9c, 0x28, 0x18, 0x97, 0x49, 0x47, 0x59, 0x3d, 0x26, 0x3f, 0x53,\n 0x24, 0xc5, 0xf8, 0xeb, 0x12, 0x15, 0xef, 0xc3, 0x14, 0xcb, 0xbf,\n 0x62, 0x2, 0x8e, 0x51, 0xb7, 0x77, 0xd5, 0x78, 0xb8, 0x20},\n {0x6a, 0x3e, 0x3f, 0x7, 0x18, 0xaf, 0xf2, 0x27, 0x69, 0x10, 0x52,\n 0xd7, 0x19, 0xe5, 0x3f, 0xfd, 0x22, 0x0, 0xa6, 0x3c, 0x2c, 0xb7,\n 0xe3, 0x22, 0xa7, 0xc6, 0x65, 0xcc, 0x63, 0x4f, 0x21, 0x72},\n },\n {\n {0xc9, 0x29, 0x3b, 0xf4, 0xb9, 0xb7, 0x9d, 0x1d, 0x75, 0x8f, 0x51,\n 0x4f, 0x4a, 0x82, 0x5, 0xd6, 0xc4, 0x9d, 0x2f, 0x31, 0xbd, 0x72,\n 0xc0, 0xf2, 0xb0, 0x45, 0x15, 0x5a, 0x85, 0xac, 0x24, 0x1f},\n {0x93, 0xa6, 0x7, 0x53, 0x40, 0x7f, 0xe3, 0xb4, 0x95, 0x67, 0x33,\n 0x2f, 0xd7, 0x14, 0xa7, 0xab, 0x99, 0x10, 0x76, 0x73, 0xa7, 0xd0,\n 0xfb, 0xd6, 0xc9, 0xcb, 0x71, 0x81, 0xc5, 0x48, 0xdf, 0x5f},\n {0xaa, 0x5, 0x95, 0x8e, 0x32, 0x8, 0xd6, 0x24, 0xee, 0x20, 0x14,\n 0xc, 0xd1, 0xc1, 0x48, 0x47, 0xa2, 0x25, 0xfb, 0x6, 0x5c, 0xe4,\n 0xff, 0xc7, 0xe6, 0x95, 0xe3, 0x2a, 0x9e, 0x73, 0xba, 0x0},\n },\n {\n {0x26, 0xbb, 0x88, 0xea, 0xf5, 0x26, 0x44, 0xae, 0xfb, 0x3b, 0x97,\n 0x84, 0xd9, 0x79, 0x6, 0x36, 0x50, 0x4e, 0x69, 0x26, 0xc, 0x3,\n 0x9f, 0x5c, 0x26, 0xd2, 0x18, 0xd5, 0xe7, 0x7d, 0x29, 0x72},\n {0xd6, 0x90, 0x87, 0x5c, 0xde, 0x98, 0x2e, 0x59, 0xdf, 0xa2, 0xc2,\n 0x45, 0xd3, 0xb7, 0xbf, 0xe5, 0x22, 0x99, 0xb4, 0xf9, 0x60, 0x3b,\n 0x5a, 0x11, 0xf3, 0x78, 0xad, 0x67, 0x3e, 0x3a, 0x28, 0x3},\n {0x39, 0xb9, 0xc, 0xbe, 0xc7, 0x1d, 0x24, 0x48, 0x80, 0x30, 0x63,\n 0x8b, 0x4d, 0x9b, 0xf1, 0x32, 0x8, 0x93, 0x28, 0x2, 0xd, 0xc9,\n 0xdf, 0xd3, 0x45, 0x19, 0x27, 0x46, 0x68, 0x29, 0xe1, 0x5},\n },\n {\n {0x50, 0x45, 0x2c, 0x24, 0xc8, 0xbb, 0xbf, 0xad, 0xd9, 0x81, 0x30,\n 0xd0, 0xec, 0xc, 0xc8, 0xbc, 0x92, 0xdf, 0xc8, 0xf5, 0xa6, 0x66,\n 0x35, 0x84, 0x4c, 0xce, 0x58, 0x82, 0xd3, 0x25, 0xcf, 0x78},\n {0x5a, 0x49, 0x9c, 0x2d, 0xb3, 0xee, 0x82, 0xba, 0x7c, 0xb9, 0x2b,\n 0xf1, 0xfc, 0xc8, 0xef, 0xce, 0xe0, 0xd1, 0xb5, 0x93, 0xae, 0xab,\n 0x2d, 0xb0, 0x9b, 0x8d, 0x69, 0x13, 0x9c, 0xc, 0xc0, 0x39},\n {0x68, 0x9d, 0x48, 0x31, 0x8e, 0x6b, 0xae, 0x15, 0x87, 0xf0, 0x2b,\n 0x9c, 0xab, 0x1c, 0x85, 0xaa, 0x5, 0xfa, 0x4e, 0xf0, 0x97, 0x5a,\n 0xa7, 0xc9, 0x32, 0xf8, 0x3f, 0x6b, 0x7, 0x52, 0x6b, 0x0},\n },\n {\n {0x2d, 0x8, 0xce, 0xb9, 0x16, 0x7e, 0xcb, 0xf5, 0x29, 0xbc, 0x7a,\n 0x41, 0x4c, 0xf1, 0x7, 0x34, 0xab, 0xa7, 0xf4, 0x2b, 0xce, 0x6b,\n 0xb3, 0xd4, 0xce, 0x75, 0x9f, 0x1a, 0x56, 0xe9, 0xe2, 0x7d},\n {0x1c, 0x78, 0x95, 0x9d, 0xe1, 0xcf, 0xe0, 0x29, 0xe2, 0x10, 0x63,\n 0x96, 0x18, 0xdf, 0x81, 0xb6, 0x39, 0x6b, 0x51, 0x70, 0xd3, 0x39,\n 0xdf, 0x57, 0x22, 0x61, 0xc7, 0x3b, 0x44, 0xe3, 0x57, 0x4d},\n {0xcb, 0x5e, 0xa5, 0xb6, 0xf4, 0xd4, 0x70, 0xde, 0x99, 0xdb, 0x85,\n 0x5d, 0x7f, 0x52, 0x1, 0x48, 0x81, 0x9a, 0xee, 0xd3, 0x40, 0xc4,\n 0xc9, 0xdb, 0xed, 0x29, 0x60, 0x1a, 0xaf, 0x90, 0x2a, 0x6b},\n },\n {\n {0xa, 0xd8, 0xb2, 0x5b, 0x24, 0xf3, 0xeb, 0x77, 0x9b, 0x7, 0xb9,\n 0x2f, 0x47, 0x1b, 0x30, 0xd8, 0x33, 0x73, 0xee, 0x4c, 0xf2, 0xe6,\n 0x47, 0xc6, 0x9, 0x21, 0x6c, 0x27, 0xc8, 0x12, 0x58, 0x46},\n {0x97, 0x1e, 0xe6, 0x9a, 0xfc, 0xf4, 0x23, 0x69, 0xd1, 0x5f, 0x3f,\n 0xe0, 0x1d, 0x28, 0x35, 0x57, 0x2d, 0xd1, 0xed, 0xe6, 0x43, 0xae,\n 0x64, 0xa7, 0x4a, 0x3e, 0x2d, 0xd1, 0xe9, 0xf4, 0xd8, 0x5f},\n {0xd9, 0x62, 0x10, 0x2a, 0xb2, 0xbe, 0x43, 0x4d, 0x16, 0xdc, 0x31,\n 0x38, 0x75, 0xfb, 0x65, 0x70, 0xd7, 0x68, 0x29, 0xde, 0x7b, 0x4a,\n 0xd, 0x18, 0x90, 0x67, 0xb1, 0x1c, 0x2b, 0x2c, 0xb3, 0x5},\n },\n {\n {0x95, 0x81, 0xd5, 0x7a, 0x2c, 0xa4, 0xfc, 0xf7, 0xcc, 0xf3, 0x33,\n 0x43, 0x6e, 0x28, 0x14, 0x32, 0x9d, 0x97, 0xb, 0x34, 0xd, 0x9d,\n 0xc2, 0xb6, 0xe1, 0x7, 0x73, 0x56, 0x48, 0x1a, 0x77, 0x31},\n {0xfd, 0xa8, 0x4d, 0xd2, 0xcc, 0x5e, 0xc0, 0xc8, 0x83, 0xef, 0xdf,\n 0x5, 0xac, 0x1a, 0xcf, 0xa1, 0x61, 0xcd, 0xf9, 0x7d, 0xf2, 0xef,\n 0xbe, 0xdb, 0x99, 0x1e, 0x47, 0x7b, 0xa3, 0x56, 0x55, 0x3b},\n {0x82, 0xd4, 0x4d, 0xe1, 0x24, 0xc5, 0xb0, 0x32, 0xb6, 0xa4, 0x2b,\n 0x1a, 0x54, 0x51, 0xb3, 0xed, 0xf3, 0x5a, 0x2b, 0x28, 0x48, 0x60,\n 0xd1, 0xa3, 0xeb, 0x36, 0x73, 0x7a, 0xd2, 0x79, 0xc0, 0x4f},\n },\n {\n {0xd, 0xc5, 0x86, 0xc, 0x44, 0x8b, 0x34, 0xdc, 0x51, 0xe6, 0x94,\n 0xcc, 0xc9, 0xcb, 0x37, 0x13, 0xb9, 0x3c, 0x3e, 0x64, 0x4d, 0xf7,\n 0x22, 0x64, 0x8, 0xcd, 0xe3, 0xba, 0xc2, 0x70, 0x11, 0x24},\n {0x7f, 0x2f, 0xbf, 0x89, 0xb0, 0x38, 0xc9, 0x51, 0xa7, 0xe9, 0xdf,\n 0x2, 0x65, 0xbd, 0x97, 0x24, 0x53, 0xe4, 0x80, 0x78, 0x9c, 0xc0,\n 0xff, 0xff, 0x92, 0x8e, 0xf9, 0xca, 0xce, 0x67, 0x45, 0x12},\n {0xb4, 0x73, 0xc4, 0xa, 0x86, 0xab, 0xf9, 0x3f, 0x35, 0xe4, 0x13,\n 0x1, 0xee, 0x1d, 0x91, 0xf0, 0xaf, 0xc4, 0xc6, 0xeb, 0x60, 0x50,\n 0xe7, 0x4a, 0xd, 0x0, 0x87, 0x6c, 0x96, 0x12, 0x86, 0x3f},\n },\n },\n {\n {\n {0x13, 0x8d, 0x4, 0x36, 0xfa, 0xfc, 0x18, 0x9c, 0xdd, 0x9d, 0x89,\n 0x73, 0xb3, 0x9d, 0x15, 0x29, 0xaa, 0xd0, 0x92, 0x9f, 0xb, 0x35,\n 0x9f, 0xdc, 0xd4, 0x19, 0x8a, 0x87, 0xee, 0x7e, 0xf5, 0x26},\n {0xde, 0xd, 0x2a, 0x78, 0xc9, 0xc, 0x9a, 0x55, 0x85, 0x83, 0x71,\n 0xea, 0xb2, 0xcd, 0x1d, 0x55, 0x8c, 0x23, 0xef, 0x31, 0x5b, 0x86,\n 0x62, 0x7f, 0x3d, 0x61, 0x73, 0x79, 0x76, 0xa7, 0x4a, 0x50},\n {0xb1, 0xef, 0x87, 0x56, 0xd5, 0x2c, 0xab, 0xc, 0x7b, 0xf1, 0x7a,\n 0x24, 0x62, 0xd1, 0x80, 0x51, 0x67, 0x24, 0x5a, 0x4f, 0x34, 0x5a,\n 0xc1, 0x85, 0x69, 0x30, 0xba, 0x9d, 0x3d, 0x94, 0x41, 0x40},\n },\n {\n {0xdd, 0xaa, 0x6c, 0xa2, 0x43, 0x77, 0x21, 0x4b, 0xce, 0xb7, 0x8a,\n 0x64, 0x24, 0xb4, 0xa6, 0x47, 0xe3, 0xc9, 0xfb, 0x3, 0x7a, 0x4f,\n 0x1d, 0xcb, 0x19, 0xd0, 0x0, 0x98, 0x42, 0x31, 0xd9, 0x12},\n {0x96, 0xcc, 0xeb, 0x43, 0xba, 0xee, 0xc0, 0xc3, 0xaf, 0x9c, 0xea,\n 0x26, 0x9c, 0x9c, 0x74, 0x8d, 0xc6, 0xcc, 0x77, 0x1c, 0xee, 0x95,\n 0xfa, 0xd9, 0xf, 0x34, 0x84, 0x76, 0xd9, 0xa1, 0x20, 0x14},\n {0x4f, 0x59, 0x37, 0xd3, 0x99, 0x77, 0xc6, 0x0, 0x7b, 0xa4, 0x3a,\n 0xb2, 0x40, 0x51, 0x3c, 0x5e, 0x95, 0xf3, 0x5f, 0xe3, 0x54, 0x28,\n 0x18, 0x44, 0x12, 0xa0, 0x59, 0x43, 0x31, 0x92, 0x4f, 0x1b},\n },\n {\n {0xb1, 0x66, 0x98, 0xa4, 0x30, 0x30, 0xcf, 0x33, 0x59, 0x48, 0x5f,\n 0x21, 0xd2, 0x73, 0x1f, 0x25, 0xf6, 0xf4, 0xde, 0x51, 0x40, 0xaa,\n 0x82, 0xab, 0xf6, 0x23, 0x9a, 0x6f, 0xd5, 0x91, 0xf1, 0x5f},\n {0x51, 0x9, 0x15, 0x89, 0x9d, 0x10, 0x5c, 0x3e, 0x6a, 0x69, 0xe9,\n 0x2d, 0x91, 0xfa, 0xce, 0x39, 0x20, 0x30, 0x5f, 0x97, 0x3f, 0xe4,\n 0xea, 0x20, 0xae, 0x2d, 0x13, 0x7f, 0x2a, 0x57, 0x9b, 0x23},\n {0x68, 0x90, 0x2d, 0xac, 0x33, 0xd4, 0x9e, 0x81, 0x23, 0x85, 0xc9,\n 0x5f, 0x79, 0xab, 0x83, 0x28, 0x3d, 0xeb, 0x93, 0x55, 0x80, 0x72,\n 0x45, 0xef, 0xcb, 0x36, 0x8f, 0x75, 0x6a, 0x52, 0xc, 0x2},\n },\n {\n {0x89, 0xcc, 0x42, 0xf0, 0x59, 0xef, 0x31, 0xe9, 0xb6, 0x4b, 0x12,\n 0x8e, 0x9d, 0x9c, 0x58, 0x2c, 0x97, 0x59, 0xc7, 0xae, 0x8a, 0xe1,\n 0xc8, 0xad, 0xc, 0xc5, 0x2, 0x56, 0xa, 0xfe, 0x2c, 0x45},\n {0xbc, 0xdb, 0xd8, 0x9e, 0xf8, 0x34, 0x98, 0x77, 0x6c, 0xa4, 0x7c,\n 0xdc, 0xf9, 0xaa, 0xf2, 0xc8, 0x74, 0xb0, 0xe1, 0xa3, 0xdc, 0x4c,\n 0x52, 0xa9, 0x77, 0x38, 0x31, 0x15, 0x46, 0xcc, 0xaa, 0x2},\n {0xdf, 0x77, 0x78, 0x64, 0xa0, 0xf7, 0xa0, 0x86, 0x9f, 0x7c, 0x60,\n 0xe, 0x27, 0x64, 0xc4, 0xbb, 0xc9, 0x11, 0xfb, 0xf1, 0x25, 0xea,\n 0x17, 0xab, 0x7b, 0x87, 0x4b, 0x30, 0x7b, 0x7d, 0xfb, 0x4c},\n },\n {\n {0x12, 0xef, 0x89, 0x97, 0xc2, 0x99, 0x86, 0xe2, 0xd, 0x19, 0x57,\n 0xdf, 0x71, 0xcd, 0x6e, 0x2b, 0xd0, 0x70, 0xc9, 0xec, 0x57, 0xc8,\n 0x43, 0xc3, 0xc5, 0x3a, 0x4d, 0x43, 0xbc, 0x4c, 0x1d, 0x5b},\n {0xfe, 0x75, 0x9b, 0xb8, 0x6c, 0x3d, 0xb4, 0x72, 0x80, 0xdc, 0x6a,\n 0x9c, 0xd9, 0x94, 0xc6, 0x54, 0x9f, 0x4c, 0xe3, 0x3e, 0x37, 0xaa,\n 0xc3, 0xb8, 0x64, 0x53, 0x7, 0x39, 0x2b, 0x62, 0xb4, 0x14},\n {0x26, 0x9f, 0xa, 0xcc, 0x15, 0x26, 0xfb, 0xb6, 0xe5, 0xcc, 0x8d,\n 0xb8, 0x2b, 0xe, 0x4f, 0x3a, 0x5, 0xa7, 0x69, 0x33, 0x8b, 0x49,\n 0x1, 0x13, 0xd1, 0x2d, 0x59, 0x58, 0x12, 0xf7, 0x98, 0x2f},\n },\n {\n {0x1, 0xa7, 0x54, 0x4f, 0x44, 0xae, 0x12, 0x2e, 0xde, 0xd7, 0xcb,\n 0xa9, 0xf0, 0x3e, 0xfe, 0xfc, 0xe0, 0x5d, 0x83, 0x75, 0xd, 0x89,\n 0xbf, 0xce, 0x54, 0x45, 0x61, 0xe7, 0xe9, 0x62, 0x80, 0x1d},\n {0x56, 0x9e, 0xf, 0xb5, 0x4c, 0xa7, 0x94, 0xc, 0x20, 0x13, 0x8e,\n 0x8e, 0xa9, 0xf4, 0x1f, 0x5b, 0x67, 0xf, 0x30, 0x82, 0x21, 0xcc,\n 0x2a, 0x9a, 0xf9, 0xaa, 0x6, 0xd8, 0x49, 0xe2, 0x6a, 0x3a},\n {0x5a, 0x7c, 0x90, 0xa9, 0x85, 0xda, 0x7a, 0x65, 0x62, 0xf, 0xb9,\n 0x91, 0xb5, 0xa8, 0xe, 0x1a, 0xe9, 0xb4, 0x34, 0xdf, 0xfb, 0x1d,\n 0xe, 0x8d, 0xf3, 0x5f, 0xf2, 0xae, 0xe8, 0x8c, 0x8b, 0x29},\n },\n {\n {0xde, 0x65, 0x21, 0xa, 0xea, 0x72, 0x7a, 0x83, 0xf6, 0x79, 0xcf,\n 0xb, 0xb4, 0x7, 0xab, 0x3f, 0x70, 0xae, 0x38, 0x77, 0xc7, 0x36,\n 0x16, 0x52, 0xdc, 0xd7, 0xa7, 0x3, 0x18, 0x27, 0xa6, 0x6b},\n {0xb2, 0xc, 0xf7, 0xef, 0x53, 0x79, 0x92, 0x2a, 0x76, 0x70, 0x15,\n 0x79, 0x2a, 0xc9, 0x89, 0x4b, 0x6a, 0xcf, 0xa7, 0x30, 0x7a, 0x45,\n 0x18, 0x94, 0x85, 0xe4, 0x5c, 0x4d, 0x40, 0xa8, 0xb8, 0x34},\n {0x35, 0x33, 0x69, 0x83, 0xb5, 0xec, 0x6e, 0xc2, 0xfd, 0xfe, 0xb5,\n 0x63, 0xdf, 0x13, 0xa8, 0xd5, 0x73, 0x25, 0xb2, 0xa4, 0x9a, 0xaa,\n 0x93, 0xa2, 0x6a, 0x1c, 0x5e, 0x46, 0xdd, 0x2b, 0xd6, 0x71},\n },\n {\n {0xf5, 0x5e, 0xf7, 0xb1, 0xda, 0xb5, 0x2d, 0xcd, 0xf5, 0x65, 0xb0,\n 0x16, 0xcf, 0x95, 0x7f, 0xd7, 0x85, 0xf0, 0x49, 0x3f, 0xea, 0x1f,\n 0x57, 0x14, 0x3d, 0x2b, 0x2b, 0x26, 0x21, 0x36, 0x33, 0x1c},\n {0x80, 0xdf, 0x78, 0xd3, 0x28, 0xcc, 0x33, 0x65, 0xb4, 0xa4, 0xf,\n 0xa, 0x79, 0x43, 0xdb, 0xf6, 0x5a, 0xda, 0x1, 0xf7, 0xf9, 0x5f,\n 0x64, 0xe3, 0xa4, 0x2b, 0x17, 0xf3, 0x17, 0xf3, 0xd5, 0x74},\n {0x81, 0xca, 0xd9, 0x67, 0x54, 0xe5, 0x6f, 0xa8, 0x37, 0x8c, 0x29,\n 0x2b, 0x75, 0x7c, 0x8b, 0x39, 0x3b, 0x62, 0xac, 0xe3, 0x92, 0x8,\n 0x6d, 0xda, 0x8c, 0xd9, 0xe9, 0x47, 0x45, 0xcc, 0xeb, 0x4a},\n },\n },\n {\n {\n {0x10, 0xb6, 0x54, 0x73, 0x9e, 0x8d, 0x40, 0xb, 0x6e, 0x5b, 0xa8,\n 0x5b, 0x53, 0x32, 0x6b, 0x80, 0x7, 0xa2, 0x58, 0x4a, 0x3, 0x3a,\n 0xe6, 0xdb, 0x2c, 0xdf, 0xa1, 0xc9, 0xdd, 0xd9, 0x3b, 0x17},\n {0xc9, 0x1, 0x6d, 0x27, 0x1b, 0x7, 0xf0, 0x12, 0x70, 0x8c, 0xc4,\n 0x86, 0xc5, 0xba, 0xb8, 0xe7, 0xa9, 0xfb, 0xd6, 0x71, 0x9b, 0x12,\n 0x8, 0x53, 0x92, 0xb7, 0x3d, 0x5a, 0xf9, 0xfb, 0x88, 0x5d},\n {0xdf, 0x72, 0x58, 0xfe, 0x1e, 0xf, 0x50, 0x2b, 0xc1, 0x18, 0x39,\n 0xd4, 0x2e, 0x58, 0xd6, 0x58, 0xe0, 0x3a, 0x67, 0xc9, 0x8e, 0x27,\n 0xed, 0xe6, 0x19, 0xa3, 0x9e, 0xb1, 0x13, 0xcd, 0xe1, 0x6},\n },\n {\n {0x53, 0x3, 0x5b, 0x9e, 0x62, 0xaf, 0x2b, 0x47, 0x47, 0x4, 0x8d,\n 0x27, 0x90, 0xb, 0xaa, 0x3b, 0x27, 0xbf, 0x43, 0x96, 0x46, 0x5f,\n 0x78, 0xc, 0x13, 0x7b, 0x83, 0x8d, 0x1a, 0x6a, 0x3a, 0x7f},\n {0x23, 0x6f, 0x16, 0x6f, 0x51, 0xad, 0xd0, 0x40, 0xbe, 0x6a, 0xab,\n 0x1f, 0x93, 0x32, 0x8e, 0x11, 0x8e, 0x8, 0x4d, 0xa0, 0x14, 0x5e,\n 0xe3, 0x3f, 0x66, 0x62, 0xe1, 0x26, 0x35, 0x60, 0x80, 0x30},\n {0xb, 0x80, 0x3d, 0x5d, 0x39, 0x44, 0xe6, 0xf7, 0xf6, 0xed, 0x1,\n 0xc9, 0x55, 0xd5, 0xa8, 0x95, 0x39, 0x63, 0x2c, 0x59, 0x30, 0x78,\n 0xcd, 0x68, 0x7e, 0x30, 0x51, 0x2e, 0xed, 0xfd, 0xd0, 0x30},\n },\n {\n {0x50, 0x47, 0xb8, 0x68, 0x1e, 0x97, 0xb4, 0x9c, 0xcf, 0xbb, 0x64,\n 0x66, 0x29, 0x72, 0x95, 0xa0, 0x2b, 0x41, 0xfa, 0x72, 0x26, 0xe7,\n 0x8d, 0x5c, 0xd9, 0x89, 0xc5, 0x51, 0x43, 0x8, 0x15, 0x46},\n {0xb3, 0x33, 0x12, 0xf2, 0x1a, 0x4d, 0x59, 0xe0, 0x9c, 0x4d, 0xcc,\n 0xf0, 0x8e, 0xe7, 0xdb, 0x1b, 0x77, 0x9a, 0x49, 0x8f, 0x7f, 0x18,\n 0x65, 0x69, 0x68, 0x98, 0x9, 0x2c, 0x20, 0x14, 0x92, 0xa},\n {0x2e, 0xa0, 0xb9, 0xae, 0xc0, 0x19, 0x90, 0xbc, 0xae, 0x4c, 0x3,\n 0x16, 0xd, 0x11, 0xc7, 0x55, 0xec, 0x32, 0x99, 0x65, 0x1, 0xf5,\n 0x6d, 0xe, 0xfe, 0x5d, 0xca, 0x95, 0x28, 0xd, 0xca, 0x3b},\n },\n {\n {0xbf, 0x1, 0xcc, 0x9e, 0xb6, 0x8e, 0x68, 0x9c, 0x6f, 0x89, 0x44,\n 0xa6, 0xad, 0x83, 0xbc, 0xf0, 0xe2, 0x9f, 0x7a, 0x5f, 0x5f, 0x95,\n 0x2d, 0xca, 0x41, 0x82, 0xf2, 0x8d, 0x3, 0xb4, 0xa8, 0x4e},\n {0xa4, 0x62, 0x5d, 0x3c, 0xbc, 0x31, 0xf0, 0x40, 0x60, 0x7a, 0xf0,\n 0xcf, 0x3e, 0x8b, 0xfc, 0x19, 0x45, 0xb5, 0xf, 0x13, 0xa2, 0x3d,\n 0x18, 0x98, 0xcd, 0x13, 0x8f, 0xae, 0xdd, 0xde, 0x31, 0x56},\n {0x2, 0xd2, 0xca, 0xf1, 0xa, 0x46, 0xed, 0x2a, 0x83, 0xee, 0x8c,\n 0xa4, 0x5, 0x53, 0x30, 0x46, 0x5f, 0x1a, 0xf1, 0x49, 0x45, 0x77,\n 0x21, 0x91, 0x63, 0xa4, 0x2c, 0x54, 0x30, 0x9, 0xce, 0x24},\n },\n {\n {0x85, 0xb, 0xf3, 0xfd, 0x55, 0xa1, 0xcf, 0x3f, 0xa4, 0x2e, 0x37,\n 0x36, 0x8e, 0x16, 0xf7, 0xd2, 0x44, 0xf8, 0x92, 0x64, 0xde, 0x64,\n 0xe0, 0xb2, 0x80, 0x42, 0x4f, 0x32, 0xa7, 0x28, 0x99, 0x54},\n {0x6, 0xc1, 0x6, 0xfd, 0xf5, 0x90, 0xe8, 0x1f, 0xf2, 0x10, 0x88,\n 0x5d, 0x35, 0x68, 0xc4, 0xb5, 0x3e, 0xaf, 0x8c, 0x6e, 0xfe, 0x8,\n 0x78, 0x82, 0x4b, 0xd7, 0x6, 0x8a, 0xc2, 0xe3, 0xd4, 0x41},\n {0x2e, 0x1a, 0xee, 0x63, 0xa7, 0x32, 0x6e, 0xf2, 0xea, 0xfd, 0x5f,\n 0xd2, 0xb7, 0xe4, 0x91, 0xae, 0x69, 0x4d, 0x7f, 0xd1, 0x3b, 0xd3,\n 0x3b, 0xbc, 0x6a, 0xff, 0xdc, 0xc0, 0xde, 0x66, 0x1b, 0x49},\n },\n {\n {0xa1, 0x64, 0xda, 0xd0, 0x8e, 0x4a, 0xf0, 0x75, 0x4b, 0x28, 0xe2,\n 0x67, 0xaf, 0x2c, 0x22, 0xed, 0xa4, 0x7b, 0x7b, 0x1f, 0x79, 0xa3,\n 0x34, 0x82, 0x67, 0x8b, 0x1, 0xb7, 0xb0, 0xb8, 0xf6, 0x4c},\n {0xa7, 0x32, 0xea, 0xc7, 0x3d, 0xb1, 0xf5, 0x98, 0x98, 0xdb, 0x16,\n 0x7e, 0xcc, 0xf8, 0xd5, 0xe3, 0x47, 0xd9, 0xf8, 0xcb, 0x52, 0xbf,\n 0xa, 0xac, 0xac, 0xe4, 0x5e, 0xc8, 0xd0, 0x38, 0xf3, 0x8},\n {0xbd, 0x73, 0x1a, 0x99, 0x21, 0xa8, 0x83, 0xc3, 0x7a, 0xc, 0x32,\n 0xdf, 0x1, 0xbc, 0x27, 0xab, 0x63, 0x70, 0x77, 0x84, 0x1b, 0x33,\n 0x3d, 0xc1, 0x99, 0x8a, 0x7, 0xeb, 0x82, 0x4a, 0xd, 0x53},\n },\n {\n {0x9e, 0xbf, 0x9a, 0x6c, 0x45, 0x73, 0x69, 0x6d, 0x80, 0xa8, 0x0,\n 0x49, 0xfc, 0xb2, 0x7f, 0x25, 0x50, 0xb8, 0xcf, 0xc8, 0x12, 0xf4,\n 0xac, 0x2b, 0x5b, 0xbd, 0xbf, 0xc, 0xe0, 0xe7, 0xb3, 0xd},\n {0x25, 0x48, 0xf9, 0xe1, 0x30, 0x36, 0x4c, 0x0, 0x5a, 0x53, 0xab,\n 0x8c, 0x26, 0x78, 0x2d, 0x7e, 0x8b, 0xff, 0x84, 0xcc, 0x23, 0x23,\n 0x48, 0xc7, 0xb9, 0x70, 0x17, 0x10, 0x3f, 0x75, 0xea, 0x65},\n {0x63, 0x63, 0x9, 0xe2, 0x3e, 0xfc, 0x66, 0x3d, 0x6b, 0xcb, 0xb5,\n 0x61, 0x7f, 0x2c, 0xd6, 0x81, 0x1a, 0x3b, 0x44, 0x13, 0x42, 0x4,\n 0xbe, 0xf, 0xdb, 0xa1, 0xe1, 0x21, 0x19, 0xec, 0xa4, 0x2},\n },\n {\n {0x5f, 0x79, 0xcf, 0xf1, 0x62, 0x61, 0xc8, 0xf5, 0xf2, 0x57, 0xee,\n 0x26, 0x19, 0x86, 0x8c, 0x11, 0x78, 0x35, 0x6, 0x1c, 0x85, 0x24,\n 0x21, 0x17, 0xcf, 0x7f, 0x6, 0xec, 0x5d, 0x2b, 0xd1, 0x36},\n {0xa2, 0xb8, 0x24, 0x3b, 0x9a, 0x25, 0xe6, 0x5c, 0xb8, 0xa0, 0xaf,\n 0x45, 0xcc, 0x7a, 0x57, 0xb8, 0x37, 0x70, 0xa0, 0x8b, 0xe8, 0xe6,\n 0xcb, 0xcc, 0xbf, 0x9, 0x78, 0x12, 0x51, 0x3c, 0x14, 0x3d},\n {0x57, 0x45, 0x15, 0x79, 0x91, 0x27, 0x6d, 0x12, 0xa, 0x3a, 0x78,\n 0xfc, 0x5c, 0x8f, 0xe4, 0xd5, 0xac, 0x9b, 0x17, 0xdf, 0xe8, 0xb6,\n 0xbd, 0x36, 0x59, 0x28, 0xa8, 0x5b, 0x88, 0x17, 0xf5, 0x2e},\n },\n },\n {\n {\n {0x51, 0x2f, 0x5b, 0x30, 0xfb, 0xbf, 0xee, 0x96, 0xb8, 0x96, 0x95,\n 0x88, 0xad, 0x38, 0xf9, 0xd3, 0x25, 0xdd, 0xd5, 0x46, 0xc7, 0x2d,\n 0xf5, 0xf0, 0x95, 0x0, 0x3a, 0xbb, 0x90, 0x82, 0x96, 0x57},\n {0xdc, 0xae, 0x58, 0x8c, 0x4e, 0x97, 0x37, 0x46, 0xa4, 0x41, 0xf0,\n 0xab, 0xfb, 0x22, 0xef, 0xb9, 0x8a, 0x71, 0x80, 0xe9, 0x56, 0xd9,\n 0x85, 0xe1, 0xa6, 0xa8, 0x43, 0xb1, 0xfa, 0x78, 0x1b, 0x2f},\n {0x1, 0xe1, 0x20, 0xa, 0x43, 0xb8, 0x1a, 0xf7, 0x47, 0xec, 0xf0,\n 0x24, 0x8d, 0x65, 0x93, 0xf3, 0xd1, 0xee, 0xe2, 0x6e, 0xa8, 0x9,\n 0x75, 0xcf, 0xe1, 0xa3, 0x2a, 0xdc, 0x35, 0x3e, 0xc4, 0x7d},\n },\n {\n {0x18, 0x97, 0x3e, 0x27, 0x5c, 0x2a, 0x78, 0x5a, 0x94, 0xfd, 0x4e,\n 0x5e, 0x99, 0xc6, 0x76, 0x35, 0x3e, 0x7d, 0x23, 0x1f, 0x5, 0xd8,\n 0x2e, 0xf, 0x99, 0xa, 0xd5, 0x82, 0x1d, 0xb8, 0x4f, 0x4},\n {0xc3, 0xd9, 0x7d, 0x88, 0x65, 0x66, 0x96, 0x85, 0x55, 0x53, 0xb0,\n 0x4b, 0x31, 0x9b, 0xf, 0xc9, 0xb1, 0x79, 0x20, 0xef, 0xf8, 0x8d,\n 0xe0, 0xc6, 0x2f, 0xc1, 0x8c, 0x75, 0x16, 0x20, 0xf7, 0x7e},\n {0xd9, 0xe3, 0x7, 0xa9, 0xc5, 0x18, 0xdf, 0xc1, 0x59, 0x63, 0x4c,\n 0xce, 0x1d, 0x37, 0xb3, 0x57, 0x49, 0xbb, 0x1, 0xb2, 0x34, 0x45,\n 0x70, 0xca, 0x2e, 0xdd, 0x30, 0x9c, 0x3f, 0x82, 0x79, 0x7f},\n },\n {\n {0xba, 0x87, 0xf5, 0x68, 0xf0, 0x1f, 0x9c, 0x6a, 0xde, 0xc8, 0x50,\n 0x0, 0x4e, 0x89, 0x27, 0x8, 0xe7, 0x5b, 0xed, 0x7d, 0x55, 0x99,\n 0xbf, 0x3c, 0xf0, 0xd6, 0x6, 0x1c, 0x43, 0xb0, 0xa9, 0x64},\n {0xe8, 0x13, 0xb5, 0xa3, 0x39, 0xd2, 0x34, 0x83, 0xd8, 0xa8, 0x1f,\n 0xb9, 0xd4, 0x70, 0x36, 0xc1, 0x33, 0xbd, 0x90, 0xf5, 0x36, 0x41,\n 0xb5, 0x12, 0xb4, 0xd9, 0x84, 0xd7, 0x73, 0x3, 0x4e, 0xa},\n {0x19, 0x29, 0x7d, 0x5b, 0xa1, 0xd6, 0xb3, 0x2e, 0x35, 0x82, 0x3a,\n 0xd5, 0xa0, 0xf6, 0xb4, 0xb0, 0x47, 0x5d, 0xa4, 0x89, 0x43, 0xce,\n 0x56, 0x71, 0x6c, 0x34, 0x18, 0xce, 0xa, 0x7d, 0x1a, 0x7},\n },\n {\n {0x31, 0x44, 0xe1, 0x20, 0x52, 0x35, 0xc, 0xcc, 0x41, 0x51, 0xb1,\n 0x9, 0x7, 0x95, 0x65, 0xd, 0x36, 0x5f, 0x9d, 0x20, 0x1b, 0x62,\n 0xf5, 0x9a, 0xd3, 0x55, 0x77, 0x61, 0xf7, 0xbc, 0x69, 0x7c},\n {0xb, 0xba, 0x87, 0xc8, 0xaa, 0x2d, 0x7, 0xd3, 0xee, 0x62, 0xa5,\n 0xbf, 0x5, 0x29, 0x26, 0x1, 0x8b, 0x76, 0xef, 0xc0, 0x2, 0x30,\n 0x54, 0xcf, 0x9c, 0x7e, 0xea, 0x46, 0x71, 0xcc, 0x3b, 0x2c},\n {0x5f, 0x29, 0xe8, 0x4, 0xeb, 0xd7, 0xf0, 0x7, 0x7d, 0xf3, 0x50,\n 0x2f, 0x25, 0x18, 0xdb, 0x10, 0xd7, 0x98, 0x17, 0x17, 0xa3, 0xa9,\n 0x51, 0xe9, 0x1d, 0xa5, 0xac, 0x22, 0x73, 0x9a, 0x5a, 0x6f},\n },\n {\n {0xbe, 0x44, 0xd9, 0xa3, 0xeb, 0xd4, 0x29, 0xe7, 0x9e, 0xaf, 0x78,\n 0x80, 0x40, 0x9, 0x9e, 0x8d, 0x3, 0x9c, 0x86, 0x47, 0x7a, 0x56,\n 0x25, 0x45, 0x24, 0x3b, 0x8d, 0xee, 0x80, 0x96, 0xab, 0x2},\n {0xc5, 0xc6, 0x41, 0x2f, 0xc, 0x0, 0xa1, 0x8b, 0x9b, 0xfb, 0xfe,\n 0xc, 0xc1, 0x79, 0x9f, 0xc4, 0x9f, 0x1c, 0xc5, 0x3c, 0x70, 0x47,\n 0xfa, 0x4e, 0xca, 0xaf, 0x47, 0xe1, 0xa2, 0x21, 0x4e, 0x49},\n {0x9a, 0xd, 0xe5, 0xdd, 0x85, 0x8a, 0xa4, 0xef, 0x49, 0xa2, 0xb9,\n 0xf, 0x4e, 0x22, 0x9a, 0x21, 0xd9, 0xf6, 0x1e, 0xd9, 0x1d, 0x1f,\n 0x9, 0xfa, 0x34, 0xbb, 0x46, 0xea, 0xcb, 0x76, 0x5d, 0x6b},\n },\n {\n {0x22, 0x25, 0x78, 0x1e, 0x17, 0x41, 0xf9, 0xe0, 0xd3, 0x36, 0x69,\n 0x3, 0x74, 0xae, 0xe6, 0xf1, 0x46, 0xc7, 0xfc, 0xd0, 0xa2, 0x3e,\n 0x8b, 0x40, 0x3e, 0x31, 0xdd, 0x3, 0x9c, 0x86, 0xfb, 0x16},\n {0x94, 0xd9, 0xc, 0xec, 0x6c, 0x55, 0x57, 0x88, 0xba, 0x1d, 0xd0,\n 0x5c, 0x6f, 0xdc, 0x72, 0x64, 0x77, 0xb4, 0x42, 0x8f, 0x14, 0x69,\n 0x1, 0xaf, 0x54, 0x73, 0x27, 0x85, 0xf6, 0x33, 0xe3, 0xa},\n {0x62, 0x9, 0xb6, 0x33, 0x97, 0x19, 0x8e, 0x28, 0x33, 0xe1, 0xab,\n 0xd8, 0xb4, 0x72, 0xfc, 0x24, 0x3e, 0xd0, 0x91, 0x9, 0xed, 0xf7,\n 0x11, 0x48, 0x75, 0xd0, 0x70, 0x8f, 0x8b, 0xe3, 0x81, 0x3f},\n },\n {\n {0x24, 0xc8, 0x17, 0x5f, 0x35, 0x7f, 0xdb, 0xa, 0xa4, 0x99, 0x42,\n 0xd7, 0xc3, 0x23, 0xb9, 0x74, 0xf7, 0xea, 0xf8, 0xcb, 0x8b, 0x3e,\n 0x7c, 0xd5, 0x3d, 0xdc, 0xde, 0x4c, 0xd3, 0xe2, 0xd3, 0xa},\n {0xfe, 0xaf, 0xd9, 0x7e, 0xcc, 0xf, 0x91, 0x7f, 0x4b, 0x87, 0x65,\n 0x24, 0xa1, 0xb8, 0x5c, 0x54, 0x4, 0x47, 0xc, 0x4b, 0xd2, 0x7e,\n 0x39, 0xa8, 0x93, 0x9, 0xf5, 0x4, 0xc1, 0xf, 0x51, 0x50},\n {0x9d, 0x24, 0x6e, 0x33, 0xc5, 0xf, 0xc, 0x6f, 0xd9, 0xcf, 0x31,\n 0xc3, 0x19, 0xde, 0x5e, 0x74, 0x1c, 0xfe, 0xee, 0x9, 0x0, 0xfd,\n 0xd6, 0xf2, 0xbe, 0x1e, 0xfa, 0xf0, 0x8b, 0x15, 0x7c, 0x12},\n },\n {\n {0x74, 0xb9, 0x51, 0xae, 0xc4, 0x8f, 0xa2, 0xde, 0x96, 0xfe, 0x4d,\n 0x74, 0xd3, 0x73, 0x99, 0x1d, 0xa8, 0x48, 0x38, 0x87, 0xb, 0x68,\n 0x40, 0x62, 0x95, 0xdf, 0x67, 0xd1, 0x79, 0x24, 0xd8, 0x4e},\n {0xa2, 0x79, 0x98, 0x2e, 0x42, 0x7c, 0x19, 0xf6, 0x47, 0x36, 0xca,\n 0x52, 0xd4, 0xdd, 0x4a, 0xa4, 0xcb, 0xac, 0x4e, 0x4b, 0xc1, 0x3f,\n 0x41, 0x9b, 0x68, 0x4f, 0xef, 0x7, 0x7d, 0xf8, 0x4e, 0x35},\n {0x75, 0xd9, 0xc5, 0x60, 0x22, 0xb5, 0xe3, 0xfe, 0xb8, 0xb0, 0x41,\n 0xeb, 0xfc, 0x2e, 0x35, 0x50, 0x3c, 0x65, 0xf6, 0xa9, 0x30, 0xac,\n 0x8, 0x88, 0x6d, 0x23, 0x39, 0x5, 0xd2, 0x92, 0x2d, 0x30},\n },\n },\n {\n {\n {0x77, 0xf1, 0xe0, 0xe4, 0xb6, 0x6f, 0xbc, 0x2d, 0x93, 0x6a, 0xbd,\n 0xa4, 0x29, 0xbf, 0xe1, 0x4, 0xe8, 0xf6, 0x7a, 0x78, 0xd4, 0x66,\n 0x19, 0x5e, 0x60, 0xd0, 0x26, 0xb4, 0x5e, 0x5f, 0xdc, 0xe},\n {0x3d, 0x28, 0xa4, 0xbc, 0xa2, 0xc1, 0x13, 0x78, 0xd9, 0x3d, 0x86,\n 0xa1, 0x91, 0xf0, 0x62, 0xed, 0x86, 0xfa, 0x68, 0xc2, 0xb8, 0xbc,\n 0xc7, 0xae, 0x4c, 0xae, 0x1c, 0x6f, 0xb7, 0xd3, 0xe5, 0x10},\n {0x67, 0x8e, 0xda, 0x53, 0xd6, 0xbf, 0x53, 0x54, 0x41, 0xf6, 0xa9,\n 0x24, 0xec, 0x1e, 0xdc, 0xe9, 0x23, 0x8a, 0x57, 0x3, 0x3b, 0x26,\n 0x87, 0xbf, 0x72, 0xba, 0x1c, 0x36, 0x51, 0x6c, 0xb4, 0x45},\n },\n {\n {0xe4, 0xe3, 0x7f, 0x8a, 0xdd, 0x4d, 0x9d, 0xce, 0x30, 0xe, 0x62,\n 0x76, 0x56, 0x64, 0x13, 0xab, 0x58, 0x99, 0xe, 0xb3, 0x7b, 0x4f,\n 0x59, 0x4b, 0xdf, 0x29, 0x12, 0x32, 0xef, 0xa, 0x1c, 0x5c},\n {0xa1, 0x7f, 0x4f, 0x31, 0xbf, 0x2a, 0x40, 0xa9, 0x50, 0xf4, 0x8c,\n 0x8e, 0xdc, 0xf1, 0x57, 0xe2, 0x84, 0xbe, 0xa8, 0x23, 0x4b, 0xd5,\n 0xbb, 0x1d, 0x3b, 0x71, 0xcb, 0x6d, 0xa3, 0xbf, 0x77, 0x21},\n {0x8f, 0xdb, 0x79, 0xfa, 0xbc, 0x1b, 0x8, 0x37, 0xb3, 0x59, 0x5f,\n 0xc2, 0x1e, 0x81, 0x48, 0x60, 0x87, 0x24, 0x83, 0x9c, 0x65, 0x76,\n 0x7a, 0x8, 0xbb, 0xb5, 0x8a, 0x7d, 0x38, 0x19, 0xe6, 0x4a},\n },\n {\n {0x83, 0xfb, 0x5b, 0x98, 0x44, 0x7e, 0x11, 0x61, 0x36, 0x31, 0x96,\n 0x71, 0x2a, 0x46, 0xe0, 0xfc, 0x4b, 0x90, 0x25, 0xd4, 0x48, 0x34,\n 0xac, 0x83, 0x64, 0x3d, 0xa4, 0x5b, 0xbe, 0x5a, 0x68, 0x75},\n {0x2e, 0xa3, 0x44, 0x53, 0xaa, 0xf6, 0xdb, 0x8d, 0x78, 0x40, 0x1b,\n 0xb4, 0xb4, 0xea, 0x88, 0x7d, 0x60, 0xd, 0x13, 0x4a, 0x97, 0xeb,\n 0xb0, 0x5e, 0x3, 0x3e, 0xbf, 0x17, 0x1b, 0xd9, 0x0, 0x1a},\n {0xb2, 0xf2, 0x61, 0xeb, 0x33, 0x9, 0x96, 0x6e, 0x52, 0x49, 0xff,\n 0xc9, 0xa8, 0xf, 0x3d, 0x54, 0x69, 0x65, 0xf6, 0x7a, 0x10, 0x75,\n 0x72, 0xdf, 0xaa, 0xe6, 0xb0, 0x23, 0xb6, 0x29, 0x55, 0x13},\n },\n {\n {0xfe, 0x83, 0x2e, 0xe2, 0xbc, 0x16, 0xc7, 0xf5, 0xc1, 0x85, 0x9,\n 0xe8, 0x19, 0xeb, 0x2b, 0xb4, 0xae, 0x4a, 0x25, 0x14, 0x37, 0xa6,\n 0x9d, 0xec, 0x13, 0xa6, 0x90, 0x15, 0x5, 0xea, 0x72, 0x59},\n {0x18, 0xd5, 0xd1, 0xad, 0xd7, 0xdb, 0xf0, 0x18, 0x11, 0x1f, 0xc1,\n 0xcf, 0x88, 0x78, 0x9f, 0x97, 0x9b, 0x75, 0x14, 0x71, 0xf0, 0xe1,\n 0x32, 0x87, 0x1, 0x3a, 0xca, 0x65, 0x1a, 0xb8, 0xb5, 0x79},\n {0x11, 0x78, 0x8f, 0xdc, 0x20, 0xac, 0xd4, 0xf, 0xa8, 0x4f, 0x4d,\n 0xac, 0x94, 0xd2, 0x9a, 0x9a, 0x34, 0x4, 0x36, 0xb3, 0x64, 0x2d,\n 0x1b, 0xc0, 0xdb, 0x3b, 0x5f, 0x90, 0x95, 0x9c, 0x7e, 0x4f},\n },\n {\n {0xfe, 0x99, 0x52, 0x35, 0x3d, 0x44, 0xc8, 0x71, 0xd7, 0xea, 0xeb,\n 0xdb, 0x1c, 0x3b, 0xcd, 0x8b, 0x66, 0x94, 0xa4, 0xf1, 0x9e, 0x49,\n 0x92, 0x80, 0xc8, 0xad, 0x44, 0xa1, 0xc4, 0xee, 0x42, 0x19},\n {0x2e, 0x30, 0x81, 0x57, 0xbc, 0x4b, 0x67, 0x62, 0xf, 0xdc, 0xad,\n 0x89, 0x39, 0xf, 0x52, 0xd8, 0xc6, 0xd9, 0xfb, 0x53, 0xae, 0x99,\n 0x29, 0x8c, 0x4c, 0x8e, 0x63, 0x2e, 0xd9, 0x3a, 0x99, 0x31},\n {0x92, 0x49, 0x23, 0xae, 0x19, 0x53, 0xac, 0x7d, 0x92, 0x3e, 0xea,\n 0xc, 0x91, 0x3d, 0x1b, 0x2c, 0x22, 0x11, 0x3c, 0x25, 0x94, 0xe4,\n 0x3c, 0x55, 0x75, 0xca, 0xf9, 0x4e, 0x31, 0x65, 0xa, 0x2a},\n },\n {\n {0x3a, 0x79, 0x1c, 0x3c, 0xcd, 0x1a, 0x36, 0xcf, 0x3b, 0xbc, 0x35,\n 0x5a, 0xac, 0xbc, 0x9e, 0x2f, 0xab, 0xa6, 0xcd, 0xa8, 0xe9, 0x60,\n 0xe8, 0x60, 0x13, 0x1a, 0xea, 0x6d, 0x9b, 0xc3, 0x5d, 0x5},\n {0xc2, 0x27, 0xf9, 0xf7, 0x7f, 0x93, 0xb7, 0x2d, 0x35, 0xa6, 0xd0,\n 0x17, 0x6, 0x1f, 0x74, 0xdb, 0x76, 0xaf, 0x55, 0x11, 0xa2, 0xf3,\n 0x82, 0x59, 0xed, 0x2d, 0x7c, 0x64, 0x18, 0xe2, 0xf6, 0x4c},\n {0xb6, 0x5b, 0x8d, 0xc2, 0x7c, 0x22, 0x19, 0xb1, 0xab, 0xff, 0x4d,\n 0x77, 0xbc, 0x4e, 0xe2, 0x7, 0x89, 0x2c, 0xa3, 0xe4, 0xce, 0x78,\n 0x3c, 0xa8, 0xb6, 0x24, 0xaa, 0x10, 0x77, 0x30, 0x1a, 0x12},\n },\n {\n {0xc9, 0x83, 0x74, 0xc7, 0x3e, 0x71, 0x59, 0xd6, 0xaf, 0x96, 0x2b,\n 0xb8, 0x77, 0xe0, 0xbf, 0x88, 0xd3, 0xbc, 0x97, 0x10, 0x23, 0x28,\n 0x9e, 0x28, 0x9b, 0x3a, 0xed, 0x6c, 0x4a, 0xb9, 0x7b, 0x52},\n {0x97, 0x4a, 0x3, 0x9f, 0x5e, 0x5d, 0xdb, 0xe4, 0x2d, 0xbc, 0x34,\n 0x30, 0x9, 0xfc, 0x53, 0xe1, 0xb1, 0xd3, 0x51, 0x95, 0x91, 0x46,\n 0x5, 0x46, 0x2d, 0xe5, 0x40, 0x7a, 0x6c, 0xc7, 0x3f, 0x33},\n {0x2e, 0x48, 0x5b, 0x99, 0x2a, 0x99, 0x3d, 0x56, 0x1, 0x38, 0x38,\n 0x6e, 0x7c, 0xd0, 0x5, 0x34, 0xe5, 0xd8, 0x64, 0x2f, 0xde, 0x35,\n 0x50, 0x48, 0xf7, 0xa9, 0xa7, 0x20, 0x9b, 0x6, 0x89, 0x6b},\n },\n {\n {0x77, 0xdb, 0xc7, 0xb5, 0x8c, 0xfa, 0x82, 0x40, 0x55, 0xc1, 0x34,\n 0xc7, 0xf8, 0x86, 0x86, 0x6, 0x7e, 0xa5, 0xe7, 0xf6, 0xd9, 0xc8,\n 0xe6, 0x29, 0xcf, 0x9b, 0x63, 0xa7, 0x8, 0xd3, 0x73, 0x4},\n {0xd, 0x22, 0x70, 0x62, 0x41, 0xa0, 0x2a, 0x81, 0x4e, 0x5b, 0x24,\n 0xf9, 0xfa, 0x89, 0x5a, 0x99, 0x5, 0xef, 0x72, 0x50, 0xce, 0xc4,\n 0xad, 0xff, 0x73, 0xeb, 0x73, 0xaa, 0x3, 0x21, 0xbc, 0x23},\n {0x5, 0x9e, 0x58, 0x3, 0x26, 0x79, 0xee, 0xca, 0x92, 0xc4, 0xdc,\n 0x46, 0x12, 0x42, 0x4b, 0x2b, 0x4f, 0xa9, 0x1, 0xe6, 0x74, 0xef,\n 0xa1, 0x2, 0x1a, 0x34, 0x4, 0xde, 0xbf, 0x73, 0x2f, 0x10},\n },\n },\n {\n {\n {0x9a, 0x1c, 0x51, 0xb5, 0xe0, 0xda, 0xb4, 0xa2, 0x6, 0xff, 0xff,\n 0x2b, 0x29, 0x60, 0xc8, 0x7a, 0x34, 0x42, 0x50, 0xf5, 0x5d, 0x37,\n 0x1f, 0x98, 0x2d, 0xa1, 0x4e, 0xda, 0x25, 0xd7, 0x6b, 0x3f},\n {0xc6, 0x45, 0x57, 0x7f, 0xab, 0xb9, 0x18, 0xeb, 0x90, 0xc6, 0x87,\n 0x57, 0xee, 0x8a, 0x3a, 0x2, 0xa9, 0xaf, 0xf7, 0x2d, 0xda, 0x12,\n 0x27, 0xb7, 0x3d, 0x1, 0x5c, 0xea, 0x25, 0x7d, 0x59, 0x36},\n {0xac, 0x58, 0x60, 0x10, 0x7b, 0x8d, 0x4d, 0x73, 0x5f, 0x90, 0xc6,\n 0x6f, 0x9e, 0x57, 0x40, 0xd9, 0x2d, 0x93, 0x2, 0x92, 0xf9, 0xf8,\n 0x66, 0x64, 0xd0, 0xd6, 0x60, 0xda, 0x19, 0xcc, 0x7e, 0x7b},\n },\n {\n {0x9b, 0xfa, 0x7c, 0xa7, 0x51, 0x4a, 0xae, 0x6d, 0x50, 0x86, 0xa3,\n 0xe7, 0x54, 0x36, 0x26, 0x82, 0xdb, 0x82, 0x2d, 0x8f, 0xcd, 0xff,\n 0xbb, 0x9, 0xba, 0xca, 0xf5, 0x1b, 0x66, 0xdc, 0xbe, 0x3},\n {0xd, 0x69, 0x5c, 0x69, 0x3c, 0x37, 0xc2, 0x78, 0x6e, 0x90, 0x42,\n 0x6, 0x66, 0x2e, 0x25, 0xdd, 0xd2, 0x2b, 0xe1, 0x4a, 0x44, 0x44,\n 0x1d, 0x95, 0x56, 0x39, 0x74, 0x1, 0x76, 0xad, 0x35, 0x42},\n {0xf5, 0x75, 0x89, 0x7, 0xd, 0xcb, 0x58, 0x62, 0x98, 0xf2, 0x89,\n 0x91, 0x54, 0x42, 0x29, 0x49, 0xe4, 0x6e, 0xe3, 0xe2, 0x23, 0xb4,\n 0xca, 0xa0, 0xa1, 0x66, 0xf0, 0xcd, 0xb0, 0xe2, 0x7c, 0xe},\n },\n {\n {0xf9, 0x70, 0x4b, 0xd9, 0xdf, 0xfe, 0xa6, 0xfe, 0x2d, 0xba, 0xfc,\n 0xc1, 0x51, 0xc0, 0x30, 0xf1, 0x89, 0xab, 0x2f, 0x7f, 0x7e, 0xd4,\n 0x82, 0x48, 0xb5, 0xee, 0xec, 0x8a, 0x13, 0x56, 0x52, 0x61},\n {0xa3, 0x85, 0x8c, 0xc4, 0x3a, 0x64, 0x94, 0xc4, 0xad, 0x39, 0x61,\n 0x3c, 0xf4, 0x1d, 0x36, 0xfd, 0x48, 0x4d, 0xe9, 0x3a, 0xdd, 0x17,\n 0xdb, 0x9, 0x4a, 0x67, 0xb4, 0x8f, 0x5d, 0xa, 0x6e, 0x66},\n {0xd, 0xcb, 0x70, 0x48, 0x4e, 0xf6, 0xbb, 0x2a, 0x6b, 0x8b, 0x45,\n 0xaa, 0xf0, 0xbc, 0x65, 0xcd, 0x5d, 0x98, 0xe8, 0x75, 0xba, 0x4e,\n 0xbe, 0x9a, 0xe4, 0xde, 0x14, 0xd5, 0x10, 0xc8, 0xb, 0x7f},\n },\n {\n {0xa0, 0x13, 0x72, 0x73, 0xad, 0x9d, 0xac, 0x83, 0x98, 0x2e, 0xf7,\n 0x2e, 0xba, 0xf8, 0xf6, 0x9f, 0x57, 0x69, 0xec, 0x43, 0xdd, 0x2e,\n 0x1e, 0x31, 0x75, 0xab, 0xc5, 0xde, 0x7d, 0x90, 0x3a, 0x1d},\n {0x6f, 0x13, 0xf4, 0x26, 0xa4, 0x6b, 0x0, 0xb9, 0x35, 0x30, 0xe0,\n 0x57, 0x9e, 0x36, 0x67, 0x8d, 0x28, 0x3c, 0x46, 0x4f, 0xd9, 0xdf,\n 0xc8, 0xcb, 0xf5, 0xdb, 0xee, 0xf8, 0xbc, 0x8d, 0x1f, 0xd},\n {0xdc, 0x81, 0xd0, 0x3e, 0x31, 0x93, 0x16, 0xba, 0x80, 0x34, 0x1b,\n 0x85, 0xad, 0x9f, 0x32, 0x29, 0xcb, 0x21, 0x3, 0x3, 0x3c, 0x1,\n 0x28, 0x1, 0xe3, 0xfd, 0x1b, 0xa3, 0x44, 0x1b, 0x1, 0x0},\n },\n {\n {0x5c, 0xa7, 0xa, 0x6a, 0x69, 0x1f, 0x56, 0x16, 0x6a, 0xbd, 0x52,\n 0x58, 0x5c, 0x72, 0xbf, 0xc1, 0xad, 0x66, 0x79, 0x9a, 0x7f, 0xdd,\n 0xa8, 0x11, 0x26, 0x10, 0x85, 0xd2, 0xa2, 0x88, 0xd9, 0x63},\n {0xc, 0x6c, 0xc6, 0x3f, 0x6c, 0xa0, 0xdf, 0x3f, 0xd2, 0xd, 0xd6,\n 0x4d, 0x8e, 0xe3, 0x40, 0x5d, 0x71, 0x4d, 0x8e, 0x26, 0x38, 0x8b,\n 0xe3, 0x7a, 0xe1, 0x57, 0x83, 0x6e, 0x91, 0x8d, 0xc4, 0x3a},\n {0x2e, 0x23, 0xbd, 0xaf, 0x53, 0x7, 0x12, 0x0, 0x83, 0xf6, 0xd8,\n 0xfd, 0xb8, 0xce, 0x2b, 0xe9, 0x91, 0x2b, 0xe7, 0x84, 0xb3, 0x69,\n 0x16, 0xf8, 0x66, 0xa0, 0x68, 0x23, 0x2b, 0xd5, 0xfa, 0x33},\n },\n {\n {0xe8, 0xcf, 0x22, 0xc4, 0xd0, 0xc8, 0x2c, 0x8d, 0xcb, 0x3a, 0xa1,\n 0x5, 0x7b, 0x4f, 0x2b, 0x7, 0x6f, 0xa5, 0xf6, 0xec, 0xe6, 0xb6,\n 0xfe, 0xa3, 0xe2, 0x71, 0xa, 0xb9, 0xcc, 0x55, 0xc3, 0x3c},\n {0x16, 0x1e, 0xe4, 0xc5, 0xc6, 0x49, 0x6, 0x54, 0x35, 0x77, 0x3f,\n 0x33, 0x30, 0x64, 0xf8, 0xa, 0x46, 0xe7, 0x5, 0xf3, 0xd2, 0xfc,\n 0xac, 0xb2, 0xa7, 0xdc, 0x56, 0xa2, 0x29, 0xf4, 0xc0, 0x16},\n {0x31, 0x91, 0x3e, 0x90, 0x43, 0x94, 0xb6, 0xe9, 0xce, 0x37, 0x56,\n 0x7a, 0xcb, 0x94, 0xa4, 0xb8, 0x44, 0x92, 0xba, 0xba, 0xa4, 0xd1,\n 0x7c, 0xc8, 0x68, 0x75, 0xae, 0x6b, 0x42, 0xaf, 0x1e, 0x63},\n },\n {\n {0xe8, 0xd, 0x70, 0xa3, 0xb9, 0x75, 0xd9, 0x47, 0x52, 0x5, 0xf8,\n 0xe2, 0xfb, 0xc5, 0x80, 0x72, 0xe1, 0x5d, 0xe4, 0x32, 0x27, 0x8f,\n 0x65, 0x53, 0xb5, 0x80, 0x5f, 0x66, 0x7f, 0x2c, 0x1f, 0x43},\n {0x9f, 0xfe, 0x66, 0xda, 0x10, 0x4, 0xe9, 0xb3, 0xa6, 0xe5, 0x16,\n 0x6c, 0x52, 0x4b, 0xdd, 0x85, 0x83, 0xbf, 0xf9, 0x1e, 0x61, 0x97,\n 0x3d, 0xbc, 0xb5, 0x19, 0xa9, 0x1e, 0x8b, 0x64, 0x99, 0x55},\n {0x19, 0x7b, 0x8f, 0x85, 0x44, 0x63, 0x2, 0xd6, 0x4a, 0x51, 0xea,\n 0xa1, 0x2f, 0x35, 0xab, 0x14, 0xd7, 0xa9, 0x90, 0x20, 0x1a, 0x44,\n 0x0, 0x89, 0x26, 0x3b, 0x25, 0x91, 0x5f, 0x71, 0x4, 0x7b},\n },\n {\n {0xc6, 0xba, 0xe6, 0xc4, 0x80, 0xc2, 0x76, 0xb3, 0xb, 0x9b, 0x1d,\n 0x6d, 0xdd, 0xd3, 0xe, 0x97, 0x44, 0xf9, 0xb, 0x45, 0x58, 0x95,\n 0x9a, 0xb0, 0x23, 0xe2, 0xcd, 0x57, 0xfa, 0xac, 0xd0, 0x48},\n {0x43, 0xae, 0xf6, 0xac, 0x28, 0xbd, 0xed, 0x83, 0xb4, 0x7a, 0x5c,\n 0x7d, 0x8b, 0x7c, 0x35, 0x86, 0x44, 0x2c, 0xeb, 0xb7, 0x69, 0x47,\n 0x40, 0xc0, 0x3f, 0x58, 0xf6, 0xc2, 0xf5, 0x7b, 0xb3, 0x59},\n {0x71, 0xe6, 0xab, 0x7d, 0xe4, 0x26, 0xf, 0xb6, 0x37, 0x3a, 0x2f,\n 0x62, 0x97, 0xa1, 0xd1, 0xf1, 0x94, 0x3, 0x96, 0xe9, 0x7e, 0xce,\n 0x8, 0x42, 0xdb, 0x3b, 0x6d, 0x33, 0x91, 0x41, 0x23, 0x16},\n },\n },\n {\n {\n {0x40, 0x86, 0xf3, 0x1f, 0xd6, 0x9c, 0x49, 0xdd, 0xa0, 0x25, 0x36,\n 0x6, 0xc3, 0x9b, 0xcd, 0x29, 0xc3, 0x3d, 0xd7, 0x3d, 0x2, 0xd8,\n 0xe2, 0x51, 0x31, 0x92, 0x3b, 0x20, 0x7a, 0x70, 0x25, 0x4a},\n {0xf6, 0x7f, 0x26, 0xf6, 0xde, 0x99, 0xe4, 0xb9, 0x43, 0x8, 0x2c,\n 0x74, 0x7b, 0xca, 0x72, 0x77, 0xb1, 0xf2, 0xa4, 0xe9, 0x3f, 0x15,\n 0xa0, 0x23, 0x6, 0x50, 0xd0, 0xd5, 0xec, 0xdf, 0xdf, 0x2c},\n {0x6a, 0xed, 0xf6, 0x53, 0x8a, 0x66, 0xb7, 0x2a, 0xa1, 0x70, 0xd1,\n 0x1d, 0x58, 0x42, 0x42, 0x30, 0x61, 0x1, 0xe2, 0x3a, 0x4c, 0x14,\n 0x0, 0x40, 0xfc, 0x49, 0x8e, 0x24, 0x6d, 0x89, 0x21, 0x57},\n },\n {\n {0x4e, 0xda, 0xd0, 0xa1, 0x91, 0x50, 0x5d, 0x28, 0x8, 0x3e, 0xfe,\n 0xb5, 0xa7, 0x6f, 0xaa, 0x4b, 0xb3, 0x93, 0x93, 0xe1, 0x7c, 0x17,\n 0xe5, 0x63, 0xfd, 0x30, 0xb0, 0xc4, 0xaf, 0x35, 0xc9, 0x3},\n {0xae, 0x1b, 0x18, 0xfd, 0x17, 0x55, 0x6e, 0xb, 0xb4, 0x63, 0xb9,\n 0x2b, 0x9f, 0x62, 0x22, 0x90, 0x25, 0x46, 0x6, 0x32, 0xe9, 0xbc,\n 0x9, 0x55, 0xda, 0x13, 0x3c, 0xf6, 0x74, 0xdd, 0x8e, 0x57},\n {0x3d, 0xc, 0x2b, 0x49, 0xc6, 0x76, 0x72, 0x99, 0xfc, 0x5, 0xe2,\n 0xdf, 0xc4, 0xc2, 0xcc, 0x47, 0x3c, 0x3a, 0x62, 0xdd, 0x84, 0x9b,\n 0xd2, 0xdc, 0xa2, 0xc7, 0x88, 0x2, 0x59, 0xab, 0xc2, 0x3e},\n },\n {\n {0xcb, 0xd1, 0x32, 0xae, 0x9, 0x3a, 0x21, 0xa7, 0xd5, 0xc2, 0xf5,\n 0x40, 0xdf, 0x87, 0x2b, 0xf, 0x29, 0xab, 0x1e, 0xe8, 0xc6, 0xa4,\n 0xae, 0xb, 0x5e, 0xac, 0xdb, 0x6a, 0x6c, 0xf6, 0x1b, 0xe},\n {0xb9, 0x7b, 0xd8, 0xe4, 0x7b, 0xd2, 0xa0, 0xa1, 0xed, 0x1a, 0x39,\n 0x61, 0xeb, 0x4d, 0x8b, 0xa9, 0x83, 0x9b, 0xcb, 0x73, 0xd0, 0xdd,\n 0xa0, 0x99, 0xce, 0xca, 0xf, 0x20, 0x5a, 0xc2, 0xd5, 0x2d},\n {0x7e, 0x88, 0x2c, 0x79, 0xe9, 0xd5, 0xab, 0xe2, 0x5d, 0x6d, 0x92,\n 0xcb, 0x18, 0x0, 0x2, 0x1a, 0x1e, 0x5f, 0xae, 0xba, 0xcd, 0x69,\n 0xba, 0xbf, 0x5f, 0x8f, 0xe8, 0x5a, 0xb3, 0x48, 0x5, 0x73},\n },\n {\n {0x34, 0xe3, 0xd6, 0xa1, 0x4b, 0x9, 0x5b, 0x80, 0x19, 0x3f, 0x35,\n 0x9, 0x77, 0xf1, 0x3e, 0xbf, 0x2b, 0x70, 0x22, 0x6, 0xcb, 0x6,\n 0x3f, 0x42, 0xdd, 0x45, 0x78, 0xd8, 0x77, 0x22, 0x5a, 0x58},\n {0xee, 0xb8, 0xa8, 0xcb, 0xa3, 0x51, 0x35, 0xc4, 0x16, 0x5f, 0x11,\n 0xb2, 0x1d, 0x6f, 0xa2, 0x65, 0x50, 0x38, 0x8c, 0xab, 0x52, 0x4f,\n 0xf, 0x76, 0xca, 0xb8, 0x1d, 0x41, 0x3b, 0x44, 0x43, 0x30},\n {0x62, 0x89, 0xd4, 0x33, 0x82, 0x5f, 0x8a, 0xa1, 0x7f, 0x25, 0x78,\n 0xec, 0xb5, 0xc4, 0x98, 0x66, 0xff, 0x41, 0x3e, 0x37, 0xa5, 0x6f,\n 0x8e, 0xa7, 0x1f, 0x98, 0xef, 0x50, 0x89, 0x27, 0x56, 0x76},\n },\n {\n {0x9d, 0xcf, 0x86, 0xea, 0xa3, 0x73, 0x70, 0xe1, 0xdc, 0x5f, 0x15,\n 0x7, 0xb7, 0xfb, 0x8c, 0x3a, 0x8e, 0x8a, 0x83, 0x31, 0xfc, 0xe7,\n 0x53, 0x48, 0x16, 0xf6, 0x13, 0xb6, 0x84, 0xf4, 0xbb, 0x28},\n {0xc0, 0xc8, 0x1f, 0xd5, 0x59, 0xcf, 0xc3, 0x38, 0xf2, 0xb6, 0x6,\n 0x5, 0xfd, 0xd2, 0xed, 0x9b, 0x8f, 0xe, 0x57, 0xab, 0x9f, 0x10,\n 0xbf, 0x26, 0xa6, 0x46, 0xb8, 0xc1, 0xa8, 0x60, 0x41, 0x3f},\n {0x7c, 0x6c, 0x13, 0x6f, 0x5c, 0x2f, 0x61, 0xf2, 0xbe, 0x11, 0xdd,\n 0xf6, 0x7, 0xd1, 0xea, 0xaf, 0x33, 0x6f, 0xde, 0x13, 0xd2, 0x9a,\n 0x7e, 0x52, 0x5d, 0xf7, 0x88, 0x81, 0x35, 0xcb, 0x79, 0x1e},\n },\n {\n {0x81, 0x81, 0xe0, 0xf5, 0xd8, 0x53, 0xe9, 0x77, 0xd9, 0xde, 0x9d,\n 0x29, 0x44, 0xc, 0xa5, 0x84, 0xe5, 0x25, 0x45, 0x86, 0xc, 0x2d,\n 0x6c, 0xdc, 0xf4, 0xf2, 0xd1, 0x39, 0x2d, 0xb5, 0x8a, 0x47},\n {0xf1, 0xe3, 0xf7, 0xee, 0xc3, 0x36, 0x34, 0x1, 0xf8, 0x10, 0x9e,\n 0xfe, 0x7f, 0x6a, 0x8b, 0x82, 0xfc, 0xde, 0xf9, 0xbc, 0xe5, 0x8,\n 0xf9, 0x7f, 0x31, 0x38, 0x3b, 0x3a, 0x1b, 0x95, 0xd7, 0x65},\n {0x59, 0xd1, 0x52, 0x92, 0xd3, 0xa4, 0xa6, 0x66, 0x7, 0xc8, 0x1a,\n 0x87, 0xbc, 0xe1, 0xdd, 0xe5, 0x6f, 0xc9, 0xc1, 0xa6, 0x40, 0x6b,\n 0x2c, 0xb8, 0x14, 0x22, 0x21, 0x1a, 0x41, 0x7a, 0xd8, 0x16},\n },\n {\n {0x83, 0x5, 0x4e, 0xd5, 0xe2, 0xd5, 0xa4, 0xfb, 0xfa, 0x99, 0xbd,\n 0x2e, 0xd7, 0xaf, 0x1f, 0xe2, 0x8f, 0x77, 0xe9, 0x6e, 0x73, 0xc2,\n 0x7a, 0x49, 0xde, 0x6d, 0x5a, 0x7a, 0x57, 0xb, 0x99, 0x1f},\n {0x15, 0x62, 0x6, 0x42, 0x5a, 0x7e, 0xbd, 0xb3, 0xc1, 0x24, 0x5a,\n 0xc, 0xcd, 0xe3, 0x9b, 0x87, 0xb7, 0x94, 0xf9, 0xd6, 0xb1, 0x5d,\n 0xc0, 0x57, 0xa6, 0x8c, 0xf3, 0x65, 0x81, 0x7c, 0xf8, 0x28},\n {0xd6, 0xf7, 0xe8, 0x1b, 0xad, 0x4e, 0x34, 0xa3, 0x8f, 0x79, 0xea,\n 0xac, 0xeb, 0x50, 0x1e, 0x7d, 0x52, 0xe0, 0xd, 0x52, 0x9e, 0x56,\n 0xc6, 0x77, 0x3e, 0x6d, 0x4d, 0x53, 0xe1, 0x2f, 0x88, 0x45},\n },\n {\n {0xe4, 0x6f, 0x3c, 0x94, 0x29, 0x99, 0xac, 0xd8, 0xa2, 0x92, 0x83,\n 0xa3, 0x61, 0xf1, 0xf9, 0xb5, 0xf3, 0x9a, 0xc8, 0xbe, 0x13, 0xdb,\n 0x99, 0x26, 0x74, 0xf0, 0x5, 0xe4, 0x3c, 0x84, 0xcf, 0x7d},\n {0xd6, 0x83, 0x79, 0x75, 0x5d, 0x34, 0x69, 0x66, 0xa6, 0x11, 0xaa,\n 0x17, 0x11, 0xed, 0xb6, 0x62, 0x8f, 0x12, 0x5e, 0x98, 0x57, 0x18,\n 0xdd, 0x7d, 0xdd, 0xf6, 0x26, 0xf6, 0xb8, 0xe5, 0x8f, 0x68},\n {0xc0, 0x32, 0x47, 0x4a, 0x48, 0xd6, 0x90, 0x6c, 0x99, 0x32, 0x56,\n 0xca, 0xfd, 0x43, 0x21, 0xd5, 0xe1, 0xc6, 0x5d, 0x91, 0xc3, 0x28,\n 0xbe, 0xb3, 0x1b, 0x19, 0x27, 0x73, 0x7e, 0x68, 0x39, 0x67},\n },\n },\n {\n {\n {0xc0, 0x1a, 0xc, 0xc8, 0x9d, 0xcc, 0x6d, 0xa6, 0x36, 0xa4, 0x38,\n 0x1b, 0xf4, 0x5c, 0xa0, 0x97, 0xc6, 0xd7, 0xdb, 0x95, 0xbe, 0xf3,\n 0xeb, 0xa7, 0xab, 0x7d, 0x7e, 0x8d, 0xf6, 0xb8, 0xa0, 0x7d},\n {0xa6, 0x75, 0x56, 0x38, 0x14, 0x20, 0x78, 0xef, 0xe8, 0xa9, 0xfd,\n 0xaa, 0x30, 0x9f, 0x64, 0xa2, 0xcb, 0xa8, 0xdf, 0x5c, 0x50, 0xeb,\n 0xd1, 0x4c, 0xb3, 0xc0, 0x4d, 0x1d, 0xba, 0x5a, 0x11, 0x46},\n {0x76, 0xda, 0xb5, 0xc3, 0x53, 0x19, 0xf, 0xd4, 0x9b, 0x9e, 0x11,\n 0x21, 0x73, 0x6f, 0xac, 0x1d, 0x60, 0x59, 0xb2, 0xfe, 0x21, 0x60,\n 0xcc, 0x3, 0x4b, 0x4b, 0x67, 0x83, 0x7e, 0x88, 0x5f, 0x5a},\n },\n {\n {0xb9, 0x43, 0xa6, 0xa0, 0xd3, 0x28, 0x96, 0x9e, 0x64, 0x20, 0xc3,\n 0xe6, 0x0, 0xcb, 0xc3, 0xb5, 0x32, 0xec, 0x2d, 0x7c, 0x89, 0x2,\n 0x53, 0x9b, 0xc, 0xc7, 0xd1, 0xd5, 0xe2, 0x7a, 0xe3, 0x43},\n {0x11, 0x3d, 0xa1, 0x70, 0xcf, 0x1, 0x63, 0x8f, 0xc4, 0xd0, 0xd,\n 0x35, 0x15, 0xb8, 0xce, 0xcf, 0x7e, 0xa4, 0xbc, 0xa4, 0xd4, 0x97,\n 0x2, 0xf7, 0x34, 0x14, 0x4d, 0xe4, 0x56, 0xb6, 0x69, 0x36},\n {0x33, 0xe1, 0xa6, 0xed, 0x6, 0x3f, 0x7e, 0x38, 0xc0, 0x3a, 0xa1,\n 0x99, 0x51, 0x1d, 0x30, 0x67, 0x11, 0x38, 0x26, 0x36, 0xf8, 0xd8,\n 0x5a, 0xbd, 0xbe, 0xe9, 0xd5, 0x4f, 0xcd, 0xe6, 0x21, 0x6a},\n },\n {\n {0xe3, 0xb2, 0x99, 0x66, 0x12, 0x29, 0x41, 0xef, 0x1, 0x13, 0x8d,\n 0x70, 0x47, 0x8, 0xd3, 0x71, 0xbd, 0xb0, 0x82, 0x11, 0xd0, 0x32,\n 0x54, 0x32, 0x36, 0x8b, 0x1e, 0x0, 0x7, 0x1b, 0x37, 0x45},\n {0x5f, 0xe6, 0x46, 0x30, 0xa, 0x17, 0xc6, 0xf1, 0x24, 0x35, 0xd2,\n 0x0, 0x2a, 0x2a, 0x71, 0x58, 0x55, 0xb7, 0x82, 0x8c, 0x3c, 0xbd,\n 0xdb, 0x69, 0x57, 0xff, 0x95, 0xa1, 0xf1, 0xf9, 0x6b, 0x58},\n {0xb, 0x79, 0xf8, 0x5e, 0x8d, 0x8, 0xdb, 0xa6, 0xe5, 0x37, 0x9,\n 0x61, 0xdc, 0xf0, 0x78, 0x52, 0xb8, 0x6e, 0xa1, 0x61, 0xd2, 0x49,\n 0x3, 0xac, 0x79, 0x21, 0xe5, 0x90, 0x37, 0xb0, 0xaf, 0xe},\n },\n {\n {0x1d, 0xae, 0x75, 0xf, 0x5e, 0x80, 0x40, 0x51, 0x30, 0xcc, 0x62,\n 0x26, 0xe3, 0xfb, 0x2, 0xec, 0x6d, 0x39, 0x92, 0xea, 0x1e, 0xdf,\n 0xeb, 0x2c, 0xb3, 0x5b, 0x43, 0xc5, 0x44, 0x33, 0xae, 0x44},\n {0x2f, 0x4, 0x48, 0x37, 0xc1, 0x55, 0x5, 0x96, 0x11, 0xaa, 0xb,\n 0x82, 0xe6, 0x41, 0x9a, 0x21, 0xc, 0x6d, 0x48, 0x73, 0x38, 0xf7,\n 0x81, 0x1c, 0x61, 0xc6, 0x2, 0x5a, 0x67, 0xcc, 0x9a, 0x30},\n {0xee, 0x43, 0xa5, 0xbb, 0xb9, 0x89, 0xf2, 0x9c, 0x42, 0x71, 0xc9,\n 0x5a, 0x9d, 0xe, 0x76, 0xf3, 0xaa, 0x60, 0x93, 0x4f, 0xc6, 0xe5,\n 0x82, 0x1d, 0x8f, 0x67, 0x94, 0x7f, 0x1b, 0x22, 0xd5, 0x62},\n },\n {\n {0x3c, 0x7a, 0xf7, 0x3a, 0x26, 0xd4, 0x85, 0x75, 0x4d, 0x14, 0xe9,\n 0xfe, 0x11, 0x7b, 0xae, 0xdf, 0x3d, 0x19, 0xf7, 0x59, 0x80, 0x70,\n 0x6, 0xa5, 0x37, 0x20, 0x92, 0x83, 0x53, 0x9a, 0xf2, 0x14},\n {0x6d, 0x93, 0xd0, 0x18, 0x9c, 0x29, 0x4c, 0x52, 0xc, 0x1a, 0xc,\n 0x8a, 0x6c, 0xb5, 0x6b, 0xc8, 0x31, 0x86, 0x4a, 0xdb, 0x2e, 0x5,\n 0x75, 0xa3, 0x62, 0x45, 0x75, 0xbc, 0xe4, 0xfd, 0xe, 0x5c},\n {0xf5, 0xd7, 0xb2, 0x25, 0xdc, 0x7e, 0x71, 0xdf, 0x40, 0x30, 0xb5,\n 0x99, 0xdb, 0x70, 0xf9, 0x21, 0x62, 0x4c, 0xed, 0xc3, 0xb7, 0x34,\n 0x92, 0xda, 0x3e, 0x9, 0xee, 0x7b, 0x5c, 0x36, 0x72, 0x5e},\n },\n {\n {0x3e, 0xb3, 0x8, 0x2f, 0x6, 0x39, 0x93, 0x7d, 0xbe, 0x32, 0x9f,\n 0xdf, 0xe5, 0x59, 0x96, 0x5b, 0xfd, 0xbd, 0x9e, 0x1f, 0xad, 0x3d,\n 0xff, 0xac, 0xb7, 0x49, 0x73, 0xcb, 0x55, 0x5, 0xb2, 0x70},\n {0x7f, 0x21, 0x71, 0x45, 0x7, 0xfc, 0x5b, 0x57, 0x5b, 0xd9, 0x94,\n 0x6, 0x5d, 0x67, 0x79, 0x37, 0x33, 0x1e, 0x19, 0xf4, 0xbb, 0x37,\n 0xa, 0x9a, 0xbc, 0xea, 0xb4, 0x47, 0x4c, 0x10, 0xf1, 0x77},\n {0x4c, 0x2c, 0x11, 0x55, 0xc5, 0x13, 0x51, 0xbe, 0xcd, 0x1f, 0x88,\n 0x9a, 0x3a, 0x42, 0x88, 0x66, 0x47, 0x3b, 0x50, 0x5e, 0x85, 0x77,\n 0x66, 0x44, 0x4a, 0x40, 0x6, 0x4a, 0x8f, 0x39, 0x34, 0xe},\n },\n {\n {0x28, 0x19, 0x4b, 0x3e, 0x9, 0xb, 0x93, 0x18, 0x40, 0xf6, 0xf3,\n 0x73, 0xe, 0xe1, 0xe3, 0x7d, 0x6f, 0x5d, 0x39, 0x73, 0xda, 0x17,\n 0x32, 0xf4, 0x3e, 0x9c, 0x37, 0xca, 0xd6, 0xde, 0x8a, 0x6f},\n {0xe8, 0xbd, 0xce, 0x3e, 0xd9, 0x22, 0x7d, 0xb6, 0x7, 0x2f, 0x82,\n 0x27, 0x41, 0xe8, 0xb3, 0x9, 0x8d, 0x6d, 0x5b, 0xb0, 0x1f, 0xa6,\n 0x3f, 0x74, 0x72, 0x23, 0x36, 0x8a, 0x36, 0x5, 0x54, 0x5e},\n {0x9a, 0xb2, 0xb7, 0xfd, 0x3d, 0x12, 0x40, 0xe3, 0x91, 0xb2, 0x1a,\n 0xa2, 0xe1, 0x97, 0x7b, 0x48, 0x9e, 0x94, 0xe6, 0xfd, 0x2, 0x7d,\n 0x96, 0xf9, 0x97, 0xde, 0xd3, 0xc8, 0x2e, 0xe7, 0xd, 0x78},\n },\n {\n {0x72, 0x27, 0xf4, 0x0, 0xf3, 0xea, 0x1f, 0x67, 0xaa, 0x41, 0x8c,\n 0x2a, 0x2a, 0xeb, 0x72, 0x8f, 0x92, 0x32, 0x37, 0x97, 0xd7, 0x7f,\n 0xa1, 0x29, 0xa6, 0x87, 0xb5, 0x32, 0xad, 0xc6, 0xef, 0x1d},\n {0xbc, 0xe7, 0x9a, 0x8, 0x45, 0x85, 0xe2, 0xa, 0x6, 0x4d, 0x7f,\n 0x1c, 0xcf, 0xde, 0x8d, 0x38, 0xb8, 0x11, 0x48, 0xa, 0x51, 0x15,\n 0xac, 0x38, 0xe4, 0x8c, 0x92, 0x71, 0xf6, 0x8b, 0xb2, 0xe},\n {0xa7, 0x95, 0x51, 0xef, 0x1a, 0xbe, 0x5b, 0xaf, 0xed, 0x15, 0x7b,\n 0x91, 0x77, 0x12, 0x8c, 0x14, 0x2e, 0xda, 0xe5, 0x7a, 0xfb, 0xf7,\n 0x91, 0x29, 0x67, 0x28, 0xdd, 0xf8, 0x1b, 0x20, 0x7d, 0x46},\n },\n },\n {\n {\n {0xa9, 0xe7, 0x7a, 0x56, 0xbd, 0xf4, 0x1e, 0xbc, 0xbd, 0x98, 0x44,\n 0xd6, 0xb2, 0x4c, 0x62, 0x3f, 0xc8, 0x4e, 0x1f, 0x2c, 0xd2, 0x64,\n 0x10, 0xe4, 0x1, 0x40, 0x38, 0xba, 0xa5, 0xc5, 0xf9, 0x2e},\n {0xad, 0x4f, 0xef, 0x74, 0x9a, 0x91, 0xfe, 0x95, 0xa2, 0x8, 0xa3,\n 0xf6, 0xec, 0x7b, 0x82, 0x3a, 0x1, 0x7b, 0xa4, 0x9, 0xd3, 0x1,\n 0x4e, 0x96, 0x97, 0xc7, 0xa3, 0x5b, 0x4f, 0x3c, 0xc4, 0x71},\n {0xcd, 0x74, 0x9e, 0xfa, 0xf6, 0x6d, 0xfd, 0xb6, 0x7a, 0x26, 0xaf,\n 0xe4, 0xbc, 0x78, 0x82, 0xf1, 0xe, 0x99, 0xef, 0xf1, 0xd0, 0xb3,\n 0x55, 0x82, 0x93, 0xf2, 0xc5, 0x90, 0xa3, 0x8c, 0x75, 0x5a},\n },\n {\n {0x94, 0xdc, 0x61, 0x1d, 0x8b, 0x91, 0xe0, 0x8c, 0x66, 0x30, 0x81,\n 0x9a, 0x46, 0x36, 0xed, 0x8d, 0xd3, 0xaa, 0xe8, 0xaf, 0x29, 0xa8,\n 0xe6, 0xd4, 0x3f, 0xd4, 0x39, 0xf6, 0x27, 0x80, 0x73, 0xa},\n {0x95, 0x24, 0x46, 0xd9, 0x10, 0x27, 0xb7, 0xa2, 0x3, 0x50, 0x7d,\n 0xd5, 0xd2, 0xc6, 0xa8, 0x3a, 0xca, 0x87, 0xb4, 0xa0, 0xbf, 0x0,\n 0xd4, 0xe3, 0xec, 0x72, 0xeb, 0xb3, 0x44, 0xe2, 0xba, 0x2d},\n {0xcc, 0xe1, 0xff, 0x57, 0x2f, 0x4a, 0xf, 0x98, 0x43, 0x98, 0x83,\n 0xe1, 0xd, 0xd, 0x67, 0x0, 0xfd, 0x15, 0xfb, 0x49, 0x4a, 0x3f,\n 0x5c, 0x10, 0x9c, 0xa6, 0x26, 0x51, 0x63, 0xca, 0x98, 0x26},\n },\n {\n {0xe, 0xd9, 0x3d, 0x5e, 0x2f, 0x70, 0x3d, 0x2e, 0x86, 0x53, 0xd2,\n 0xe4, 0x18, 0x9, 0x3f, 0x9e, 0x6a, 0xa9, 0x4d, 0x2, 0xf6, 0x3e,\n 0x77, 0x5e, 0x32, 0x33, 0xfa, 0x4a, 0xc, 0x4b, 0x0, 0x3c},\n {0x78, 0xba, 0xb0, 0x32, 0x88, 0x31, 0x65, 0xe7, 0x8b, 0xff, 0x5c,\n 0x92, 0xf7, 0x31, 0x18, 0x38, 0xcc, 0x1f, 0x29, 0xa0, 0x91, 0x1b,\n 0xa8, 0x8, 0x7, 0xeb, 0xca, 0x49, 0xcc, 0x3d, 0xb4, 0x1f},\n {0x2b, 0xb8, 0xf4, 0x6, 0xac, 0x46, 0xa9, 0x9a, 0xf3, 0xc4, 0x6,\n 0xa8, 0xa5, 0x84, 0xa2, 0x1c, 0x87, 0x47, 0xcd, 0xc6, 0x5f, 0x26,\n 0xd3, 0x3e, 0x17, 0xd2, 0x1f, 0xcd, 0x1, 0xfd, 0x43, 0x6b},\n },\n {\n {0xf3, 0xe, 0x76, 0x3e, 0x58, 0x42, 0xc7, 0xb5, 0x90, 0xb9, 0xa,\n 0xee, 0xb9, 0x52, 0xdc, 0x75, 0x3f, 0x92, 0x2b, 0x7, 0xc2, 0x27,\n 0x14, 0xbf, 0xf0, 0xd9, 0xf0, 0x6f, 0x2d, 0xb, 0x42, 0x73},\n {0x44, 0xc5, 0x97, 0x46, 0x4b, 0x5d, 0xa7, 0xc7, 0xbf, 0xff, 0xf,\n 0xdf, 0x48, 0xf8, 0xfd, 0x15, 0x5a, 0x78, 0x46, 0xaa, 0xeb, 0xb9,\n 0x68, 0x28, 0x14, 0xf7, 0x52, 0x5b, 0x10, 0xd7, 0x68, 0x5a},\n {0x6, 0x1e, 0x85, 0x9e, 0xcb, 0xf6, 0x2c, 0xaf, 0xc4, 0x38, 0x22,\n 0xc6, 0x13, 0x39, 0x59, 0x8f, 0x73, 0xf3, 0xfb, 0x99, 0x96, 0xb8,\n 0x8a, 0xda, 0x9e, 0xbc, 0x34, 0xea, 0x2f, 0x63, 0xb5, 0x3d},\n },\n {\n {0xd5, 0x25, 0x98, 0x82, 0xb1, 0x90, 0x49, 0x2e, 0x91, 0x89, 0x9a,\n 0x3e, 0x87, 0xeb, 0xea, 0xed, 0xf8, 0x4a, 0x70, 0x4c, 0x39, 0x3d,\n 0xf0, 0xee, 0xe, 0x2b, 0xdf, 0x95, 0xa4, 0x7e, 0x19, 0x59},\n {0xd8, 0xd9, 0x5d, 0xf7, 0x2b, 0xee, 0x6e, 0xf4, 0xa5, 0x59, 0x67,\n 0x39, 0xf6, 0xb1, 0x17, 0xd, 0x73, 0x72, 0x9e, 0x49, 0x31, 0xd1,\n 0xf2, 0x1b, 0x13, 0x5f, 0xd7, 0x49, 0xdf, 0x1a, 0x32, 0x4},\n {0xae, 0x5a, 0xe5, 0xe4, 0x19, 0x60, 0xe1, 0x4, 0xe9, 0x92, 0x2f,\n 0x7e, 0x7a, 0x43, 0x7b, 0xe7, 0xa4, 0x9a, 0x15, 0x6f, 0xc1, 0x2d,\n 0xce, 0xc7, 0xc0, 0xc, 0xd7, 0xf4, 0xc1, 0xfd, 0xea, 0x45},\n },\n {\n {0xed, 0xb1, 0xcc, 0xcf, 0x24, 0x46, 0xe, 0xb6, 0x95, 0x3, 0x5c,\n 0xbd, 0x92, 0xc2, 0xdb, 0x59, 0xc9, 0x81, 0x4, 0xdc, 0x1d, 0x9d,\n 0xa0, 0x31, 0x40, 0xd9, 0x56, 0x5d, 0xea, 0xce, 0x73, 0x3f},\n {0x2b, 0xd7, 0x45, 0x80, 0x85, 0x1, 0x84, 0x69, 0x51, 0x6, 0x2f,\n 0xcf, 0xa2, 0xfa, 0x22, 0x4c, 0xc6, 0x2d, 0x22, 0x6b, 0x65, 0x36,\n 0x1a, 0x94, 0xde, 0xda, 0x62, 0x3, 0xc8, 0xeb, 0x5e, 0x5a},\n {0xc6, 0x8d, 0x4e, 0xa, 0xd1, 0xbf, 0xa7, 0xb7, 0x39, 0xb3, 0xc9,\n 0x44, 0x7e, 0x0, 0x57, 0xbe, 0xfa, 0xae, 0x57, 0x15, 0x7f, 0x20,\n 0xc1, 0x60, 0xdb, 0x18, 0x62, 0x26, 0x91, 0x88, 0x5, 0x26},\n },\n {\n {0x42, 0xe5, 0x76, 0xc6, 0x3c, 0x8e, 0x81, 0x4c, 0xad, 0xcc, 0xce,\n 0x3, 0x93, 0x2c, 0x42, 0x5e, 0x8, 0x9f, 0x12, 0xb4, 0xca, 0xcc,\n 0x7, 0xec, 0xb8, 0x43, 0x44, 0xb2, 0x10, 0xfa, 0xed, 0xd},\n {0x4, 0xff, 0x60, 0x83, 0xa6, 0x4, 0xf7, 0x59, 0xf4, 0xe6, 0x61,\n 0x76, 0xde, 0x3f, 0xd9, 0xc3, 0x51, 0x35, 0x87, 0x12, 0x73, 0x2a,\n 0x1b, 0x83, 0x57, 0x5d, 0x61, 0x4e, 0x2e, 0xc, 0xad, 0x54},\n {0x2a, 0x52, 0x2b, 0xb8, 0xd5, 0x67, 0x3b, 0xee, 0xeb, 0xc1, 0xa5,\n 0x9f, 0x46, 0x63, 0xf1, 0x36, 0xd3, 0x9f, 0xc1, 0x6e, 0xf2, 0xd2,\n 0xb4, 0xa5, 0x8, 0x94, 0x7a, 0xa7, 0xba, 0xb2, 0xec, 0x62},\n },\n {\n {0x74, 0x28, 0xb6, 0xaf, 0x36, 0x28, 0x7, 0x92, 0xa5, 0x4, 0xe1,\n 0x79, 0x85, 0x5e, 0xcd, 0x5f, 0x4a, 0xa1, 0x30, 0xc6, 0xad, 0x1,\n 0xad, 0x5a, 0x98, 0x3f, 0x66, 0x75, 0x50, 0x3d, 0x91, 0x61},\n {0x3d, 0x2b, 0x15, 0x61, 0x52, 0x79, 0xed, 0xe5, 0xd1, 0xd7, 0xdd,\n 0xe, 0x7d, 0x35, 0x62, 0x49, 0x71, 0x4c, 0x6b, 0xb9, 0xd0, 0xc8,\n 0x82, 0x74, 0xbe, 0xd8, 0x66, 0xa9, 0x19, 0xf9, 0x59, 0x2e},\n {0xda, 0x31, 0x32, 0x1a, 0x36, 0x2d, 0xc6, 0xd, 0x70, 0x2, 0x20,\n 0x94, 0x32, 0x58, 0x47, 0xfa, 0xce, 0x94, 0x95, 0x3f, 0x51, 0x1,\n 0xd8, 0x2, 0x5c, 0x5d, 0xc0, 0x31, 0xa1, 0xc2, 0xdb, 0x3d},\n },\n },\n {\n {\n {0x14, 0xbb, 0x96, 0x27, 0xa2, 0x57, 0xaa, 0xf3, 0x21, 0xda, 0x7,\n 0x9b, 0xb7, 0xba, 0x3a, 0x88, 0x1c, 0x39, 0xa0, 0x31, 0x18, 0xe2,\n 0x4b, 0xe5, 0xf9, 0x5, 0x32, 0xd8, 0x38, 0xfb, 0xe7, 0x5e},\n {0x4b, 0xc5, 0x5e, 0xce, 0xf9, 0xf, 0xdc, 0x9a, 0xd, 0x13, 0x2f,\n 0x8c, 0x6b, 0x2a, 0x9c, 0x3, 0x15, 0x95, 0xf8, 0xf0, 0xc7, 0x7,\n 0x80, 0x2, 0x6b, 0xb3, 0x4, 0xac, 0x14, 0x83, 0x96, 0x78},\n {0x8e, 0x6a, 0x44, 0x41, 0xcb, 0xfd, 0x8d, 0x53, 0xf9, 0x37, 0x49,\n 0x43, 0xa9, 0xfd, 0xac, 0xa5, 0x78, 0x8c, 0x3c, 0x26, 0x8d, 0x90,\n 0xaf, 0x46, 0x9, 0xd, 0xca, 0x9b, 0x3c, 0x63, 0xd0, 0x61},\n },\n {\n {0xdf, 0x73, 0xfc, 0xf8, 0xbc, 0x28, 0xa3, 0xad, 0xfc, 0x37, 0xf0,\n 0xa6, 0x5d, 0x69, 0x84, 0xee, 0x9, 0xa9, 0xc2, 0x38, 0xdb, 0xb4,\n 0x7f, 0x63, 0xdc, 0x7b, 0x6, 0xf8, 0x2d, 0xac, 0x23, 0x5b},\n {0x66, 0x25, 0xdb, 0xff, 0x35, 0x49, 0x74, 0x63, 0xbb, 0x68, 0xb,\n 0x78, 0x89, 0x6b, 0xbd, 0xc5, 0x3, 0xec, 0x3e, 0x55, 0x80, 0x32,\n 0x1b, 0x6f, 0xf5, 0xd7, 0xae, 0x47, 0xd8, 0x5f, 0x96, 0x6e},\n {0x7b, 0x52, 0x80, 0xee, 0x53, 0xb9, 0xd2, 0x9a, 0x8d, 0x6d, 0xde,\n 0xfa, 0xaa, 0x19, 0x8f, 0xe8, 0xcf, 0x82, 0xe, 0x15, 0x4, 0x17,\n 0x71, 0xe, 0xdc, 0xde, 0x95, 0xdd, 0xb9, 0xbb, 0xb9, 0x79},\n },\n {\n {0x74, 0x73, 0x9f, 0x8e, 0xae, 0x7d, 0x99, 0xd1, 0x16, 0x8, 0xbb,\n 0xcf, 0xf8, 0xa2, 0x32, 0xa0, 0xa, 0x5f, 0x44, 0x6d, 0x12, 0xba,\n 0x6c, 0xcd, 0x34, 0xb8, 0xcc, 0xa, 0x46, 0x11, 0xa8, 0x1b},\n {0xc2, 0x26, 0x31, 0x6a, 0x40, 0x55, 0xb3, 0xeb, 0x93, 0xc3, 0xc8,\n 0x68, 0xa8, 0x83, 0x63, 0xd2, 0x82, 0x7a, 0xb9, 0xe5, 0x29, 0x64,\n 0xc, 0x6c, 0x47, 0x21, 0xfd, 0xc9, 0x58, 0xf1, 0x65, 0x50},\n {0x54, 0x99, 0x42, 0xc, 0xfb, 0x69, 0x81, 0x70, 0x67, 0xcf, 0x6e,\n 0xd7, 0xac, 0x0, 0x46, 0xe1, 0xba, 0x45, 0xe6, 0x70, 0x8a, 0xb9,\n 0xaa, 0x2e, 0xf2, 0xfa, 0xa4, 0x58, 0x9e, 0xf3, 0x81, 0x39},\n },\n {\n {0xde, 0x6f, 0xe6, 0x6d, 0xa5, 0xdf, 0x45, 0xc8, 0x3a, 0x48, 0x40,\n 0x2c, 0x0, 0xa5, 0x52, 0xe1, 0x32, 0xf6, 0xb4, 0xc7, 0x63, 0xe1,\n 0xd2, 0xe9, 0x65, 0x1b, 0xbc, 0xdc, 0x2e, 0x45, 0xf4, 0x30},\n {0x93, 0xa, 0x23, 0x59, 0x75, 0x8a, 0xfb, 0x18, 0x5d, 0xf4, 0xe6,\n 0x60, 0x69, 0x8f, 0x16, 0x1d, 0xb5, 0x3c, 0xa9, 0x14, 0x45, 0xa9,\n 0x85, 0x3a, 0xfd, 0xd0, 0xac, 0x5, 0x37, 0x8, 0xdc, 0x38},\n {0x40, 0x97, 0x75, 0xc5, 0x82, 0x27, 0x6d, 0x85, 0xcc, 0xbe, 0x9c,\n 0xf9, 0x69, 0x45, 0x13, 0xfa, 0x71, 0x4e, 0xea, 0xc0, 0x73, 0xfc,\n 0x44, 0x88, 0x69, 0x24, 0x3f, 0x59, 0x1a, 0x9a, 0x2d, 0x63},\n },\n {\n {0xa7, 0x84, 0xc, 0xed, 0x11, 0xfd, 0x9, 0xbf, 0x3a, 0x69, 0x9f,\n 0xd, 0x81, 0x71, 0xf0, 0x63, 0x79, 0x87, 0xcf, 0x57, 0x2d, 0x8c,\n 0x90, 0x21, 0xa2, 0x4b, 0xf6, 0x8a, 0xf2, 0x7d, 0x5a, 0x3a},\n {0xa6, 0xcb, 0x7, 0xb8, 0x15, 0x6b, 0xbb, 0xf6, 0xd7, 0xf0, 0x54,\n 0xbc, 0xdf, 0xc7, 0x23, 0x18, 0xb, 0x67, 0x29, 0x6e, 0x3, 0x97,\n 0x1d, 0xbb, 0x57, 0x4a, 0xed, 0x47, 0x88, 0xf4, 0x24, 0xb},\n {0xc7, 0xea, 0x1b, 0x51, 0xbe, 0xd4, 0xda, 0xdc, 0xf2, 0xcc, 0x26,\n 0xed, 0x75, 0x80, 0x53, 0xa4, 0x65, 0x9a, 0x5f, 0x0, 0x9f, 0xff,\n 0x9c, 0xe1, 0x63, 0x1f, 0x48, 0x75, 0x44, 0xf7, 0xfc, 0x34},\n },\n {\n {0x98, 0xaa, 0xcf, 0x78, 0xab, 0x1d, 0xbb, 0xa5, 0xf2, 0x72, 0xb,\n 0x19, 0x67, 0xa2, 0xed, 0x5c, 0x8e, 0x60, 0x92, 0xa, 0x11, 0xc9,\n 0x9, 0x93, 0xb0, 0x74, 0xb3, 0x2f, 0x4, 0xa3, 0x19, 0x1},\n {0xca, 0x67, 0x97, 0x78, 0x4c, 0xe0, 0x97, 0xc1, 0x7d, 0x46, 0xd9,\n 0x38, 0xcb, 0x4d, 0x71, 0xb8, 0xa8, 0x5f, 0xf9, 0x83, 0x82, 0x88,\n 0xde, 0x55, 0xf7, 0x63, 0xfa, 0x4d, 0x16, 0xdc, 0x3b, 0x3d},\n {0x7d, 0x17, 0xc2, 0xe8, 0x9c, 0xd8, 0xa2, 0x67, 0xc1, 0xd0, 0x95,\n 0x68, 0xf6, 0xa5, 0x9d, 0x66, 0xb0, 0xa2, 0x82, 0xb2, 0xe5, 0x98,\n 0x65, 0xf5, 0x73, 0xa, 0xe2, 0xed, 0xf1, 0x88, 0xc0, 0x56},\n },\n {\n {0x2, 0x8f, 0xf3, 0x24, 0xac, 0x5f, 0x1b, 0x58, 0xbd, 0xc, 0xe3,\n 0xba, 0xfe, 0xe9, 0xb, 0xa9, 0xf0, 0x92, 0xcf, 0x8a, 0x2, 0x69,\n 0x21, 0x9a, 0x8f, 0x3, 0x59, 0x83, 0xa4, 0x7e, 0x8b, 0x3},\n {0x17, 0x6e, 0xa8, 0x10, 0x11, 0x3d, 0x6d, 0x33, 0xfa, 0xb2, 0x75,\n 0xb, 0x32, 0x88, 0xf3, 0xd7, 0x88, 0x29, 0x7, 0x25, 0x76, 0x33,\n 0x15, 0xf9, 0x87, 0x8b, 0x10, 0x99, 0x6b, 0x4c, 0x67, 0x9},\n {0xf8, 0x6f, 0x31, 0x99, 0x21, 0xf8, 0x4e, 0x9f, 0x4f, 0x8d, 0xa7,\n 0xea, 0x82, 0xd2, 0x49, 0x2f, 0x74, 0x31, 0xef, 0x5a, 0xab, 0xa5,\n 0x71, 0x9, 0x65, 0xeb, 0x69, 0x59, 0x2, 0x31, 0x5e, 0x6e},\n },\n {\n {0x22, 0x62, 0x6, 0x63, 0xe, 0xfb, 0x4, 0x33, 0x3f, 0xba, 0xac,\n 0x87, 0x89, 0x6, 0x35, 0xfb, 0xa3, 0x61, 0x10, 0x8c, 0x77, 0x24,\n 0x19, 0xbd, 0x20, 0x86, 0x83, 0xd1, 0x43, 0xad, 0x58, 0x30},\n {0xfb, 0x93, 0xe5, 0x87, 0xf5, 0x62, 0x6c, 0xb1, 0x71, 0x3e, 0x5d,\n 0xca, 0xde, 0xed, 0x99, 0x49, 0x6d, 0x3e, 0xcc, 0x14, 0xe0, 0xc1,\n 0x91, 0xb4, 0xa8, 0xdb, 0xa8, 0x89, 0x47, 0x11, 0xf5, 0x8},\n {0xd0, 0x63, 0x76, 0xe5, 0xfd, 0xf, 0x3c, 0x32, 0x10, 0xa6, 0x2e,\n 0xa2, 0x38, 0xdf, 0xc3, 0x5, 0x9a, 0x4f, 0x99, 0xac, 0xbd, 0x8a,\n 0xc7, 0xbd, 0x99, 0xdc, 0xe3, 0xef, 0xa4, 0x9f, 0x54, 0x26},\n },\n },\n {\n {\n {0x6e, 0x66, 0x3f, 0xaf, 0x49, 0x85, 0x46, 0xdb, 0xa5, 0xe, 0x4a,\n 0xf1, 0x4, 0xcf, 0x7f, 0xd7, 0x47, 0xc, 0xba, 0xa4, 0xf7, 0x3f,\n 0xf2, 0x3d, 0x85, 0x3c, 0xce, 0x32, 0xe1, 0xdf, 0x10, 0x3a},\n {0xd6, 0xf9, 0x6b, 0x1e, 0x46, 0x5a, 0x1d, 0x74, 0x81, 0xa5, 0x77,\n 0x77, 0xfc, 0xb3, 0x5, 0x23, 0xd9, 0xd3, 0x74, 0x64, 0xa2, 0x74,\n 0x55, 0xd4, 0xff, 0xe0, 0x1, 0x64, 0xdc, 0xe1, 0x26, 0x19},\n {0xa0, 0xce, 0x17, 0xea, 0x8a, 0x4e, 0x7f, 0xe0, 0xfd, 0xc1, 0x1f,\n 0x3a, 0x46, 0x15, 0xd5, 0x2f, 0xf1, 0xc0, 0xf2, 0x31, 0xfd, 0x22,\n 0x53, 0x17, 0x15, 0x5d, 0x1e, 0x86, 0x1d, 0xd0, 0xa1, 0x1f},\n },\n {\n {0xab, 0x94, 0xdf, 0xd1, 0x0, 0xac, 0xdc, 0x38, 0xe9, 0xd, 0x8,\n 0xd1, 0xdd, 0x2b, 0x71, 0x2e, 0x62, 0xe2, 0xd5, 0xfd, 0x3e, 0xe9,\n 0x13, 0x7f, 0xe5, 0x1, 0x9a, 0xee, 0x18, 0xed, 0xfc, 0x73},\n {0x32, 0x98, 0x59, 0x7d, 0x94, 0x55, 0x80, 0xcc, 0x20, 0x55, 0xf1,\n 0x37, 0xda, 0x56, 0x46, 0x1e, 0x20, 0x93, 0x5, 0x4e, 0x74, 0xf7,\n 0xf6, 0x99, 0x33, 0xcf, 0x75, 0x6a, 0xbc, 0x63, 0x35, 0x77},\n {0xb3, 0x9c, 0x13, 0x63, 0x8, 0xe9, 0xb1, 0x6, 0xcd, 0x3e, 0xa0,\n 0xc5, 0x67, 0xda, 0x93, 0xa4, 0x32, 0x89, 0x63, 0xad, 0xc8, 0xce,\n 0x77, 0x8d, 0x44, 0x4f, 0x86, 0x1b, 0x70, 0x6b, 0x42, 0x1f},\n },\n {\n {0x52, 0x25, 0xa1, 0x91, 0xc8, 0x35, 0x7e, 0xf1, 0x76, 0x9c, 0x5e,\n 0x57, 0x53, 0x81, 0x6b, 0xb7, 0x3e, 0x72, 0x9b, 0xd, 0x6f, 0x40,\n 0x83, 0xfa, 0x38, 0xe4, 0xa7, 0x3f, 0x1b, 0xbb, 0x76, 0xb},\n {0x1, 0x1c, 0x91, 0x41, 0x4c, 0x26, 0xc9, 0xef, 0x25, 0x2c, 0xa2,\n 0x17, 0xb8, 0xb7, 0xa3, 0xf1, 0x47, 0x14, 0xf, 0xf3, 0x6b, 0xda,\n 0x75, 0x58, 0x90, 0xb0, 0x31, 0x1d, 0x27, 0xf5, 0x1a, 0x4e},\n {0x9b, 0x93, 0x92, 0x7f, 0xf9, 0xc1, 0xb8, 0x8, 0x6e, 0xab, 0x44,\n 0xd4, 0xcb, 0x71, 0x67, 0xbe, 0x17, 0x80, 0xbb, 0x99, 0x63, 0x64,\n 0xe5, 0x22, 0x55, 0xa9, 0x72, 0xb7, 0x1e, 0xd6, 0x6d, 0x7b},\n },\n {\n {0xc7, 0xd2, 0x1, 0xab, 0xf9, 0xab, 0x30, 0x57, 0x18, 0x3b, 0x14,\n 0x40, 0xdc, 0x76, 0xfb, 0x16, 0x81, 0xb2, 0xcb, 0xa0, 0x65, 0xbe,\n 0x6c, 0x86, 0xfe, 0x6a, 0xff, 0x9b, 0x65, 0x9b, 0xfa, 0x53},\n {0x92, 0x3d, 0xf3, 0x50, 0xe8, 0xc1, 0xad, 0xb7, 0xcf, 0xd5, 0x8c,\n 0x60, 0x4f, 0xfa, 0x98, 0x79, 0xdb, 0x5b, 0xfc, 0x8d, 0xbd, 0x2d,\n 0x96, 0xad, 0x4f, 0x2f, 0x1d, 0xaf, 0xce, 0x9b, 0x3e, 0x70},\n {0x55, 0x54, 0x88, 0x94, 0xe9, 0xc8, 0x14, 0x6c, 0xe5, 0xd4, 0xae,\n 0x65, 0x66, 0x5d, 0x3a, 0x84, 0xf1, 0x5a, 0xd6, 0xbc, 0x3e, 0xb7,\n 0x1b, 0x18, 0x50, 0x1f, 0xc6, 0xc4, 0xe5, 0x93, 0x8d, 0x39},\n },\n {\n {0xf2, 0xe3, 0xe7, 0xd2, 0x60, 0x7c, 0x87, 0xc3, 0xb1, 0x8b, 0x82,\n 0x30, 0xa0, 0xaa, 0x34, 0x3b, 0x38, 0xf1, 0x9e, 0x73, 0xe7, 0x26,\n 0x3e, 0x28, 0x77, 0x5, 0xc3, 0x2, 0x90, 0x9c, 0x9c, 0x69},\n {0xf3, 0x48, 0xe2, 0x33, 0x67, 0xd1, 0x4b, 0x1c, 0x5f, 0xa, 0xbf,\n 0x15, 0x87, 0x12, 0x9e, 0xbd, 0x76, 0x3, 0xb, 0xa1, 0xf0, 0x8c,\n 0x3f, 0xd4, 0x13, 0x1b, 0x19, 0xdf, 0x5d, 0x9b, 0xb0, 0x53},\n {0xcc, 0xf1, 0x46, 0x59, 0x23, 0xa7, 0x6, 0xf3, 0x7d, 0xd9, 0xe5,\n 0xcc, 0xb5, 0x18, 0x17, 0x92, 0x75, 0xe9, 0xb4, 0x81, 0x47, 0xd2,\n 0xcd, 0x28, 0x7, 0xd9, 0xcd, 0x6f, 0xc, 0xf3, 0xca, 0x51},\n },\n {\n {0xc7, 0x54, 0xac, 0x18, 0x9a, 0xf9, 0x7a, 0x73, 0xf, 0xb3, 0x1c,\n 0xc5, 0xdc, 0x78, 0x33, 0x90, 0xc7, 0xc, 0xe1, 0x4c, 0x33, 0xbc,\n 0x89, 0x2b, 0x9a, 0xe9, 0xf8, 0x89, 0xc1, 0x29, 0xae, 0x12},\n {0xa, 0xe0, 0x74, 0x76, 0x42, 0xa7, 0xb, 0xa6, 0xf3, 0x7b, 0x7a,\n 0xa1, 0x70, 0x85, 0xe, 0x63, 0xcc, 0x24, 0x33, 0xcf, 0x3d, 0x56,\n 0x58, 0x37, 0xaa, 0xfd, 0x83, 0x23, 0x29, 0xaa, 0x4, 0x55},\n {0xcf, 0x1, 0xd, 0x1f, 0xcb, 0xc0, 0x9e, 0xa9, 0xae, 0xf7, 0x34,\n 0x3a, 0xcc, 0xef, 0xd1, 0xd, 0x22, 0x4e, 0x9c, 0xd0, 0x21, 0x75,\n 0xca, 0x55, 0xea, 0xa5, 0xeb, 0x58, 0xe9, 0x4f, 0xd1, 0x5f},\n },\n {\n {0x8e, 0xcb, 0x93, 0xbf, 0x5e, 0xfe, 0x42, 0x3c, 0x5f, 0x56, 0xd4,\n 0x36, 0x51, 0xa8, 0xdf, 0xbe, 0xe8, 0x20, 0x42, 0x88, 0x9e, 0x85,\n 0xf0, 0xe0, 0x28, 0xd1, 0x25, 0x7, 0x96, 0x3f, 0xd7, 0x7d},\n {0x2c, 0xab, 0x45, 0x28, 0xdf, 0x2d, 0xdc, 0xb5, 0x93, 0xe9, 0x7f,\n 0xa, 0xb1, 0x91, 0x94, 0x6, 0x46, 0xe3, 0x2, 0x40, 0xd6, 0xf3,\n 0xaa, 0x4d, 0xd1, 0x74, 0x64, 0x58, 0x6e, 0xf2, 0x3f, 0x9},\n {0x29, 0x98, 0x5, 0x68, 0xfe, 0x24, 0xd, 0xb1, 0xe5, 0x23, 0xaf,\n 0xdb, 0x72, 0x6, 0x73, 0x75, 0x29, 0xac, 0x57, 0xb4, 0x3a, 0x25,\n 0x67, 0x13, 0xa4, 0x70, 0xb4, 0x86, 0xbc, 0xbc, 0x59, 0x2f},\n },\n {\n {0x1, 0xc3, 0x91, 0xb6, 0x60, 0xd5, 0x41, 0x70, 0x1e, 0xe7, 0xd7,\n 0xad, 0x3f, 0x1b, 0x20, 0x85, 0x85, 0x55, 0x33, 0x11, 0x63, 0xe1,\n 0xc2, 0x16, 0xb1, 0x28, 0x8, 0x1, 0x3d, 0x5e, 0xa5, 0x2a},\n {0x5f, 0x13, 0x17, 0x99, 0x42, 0x7d, 0x84, 0x83, 0xd7, 0x3, 0x7d,\n 0x56, 0x1f, 0x91, 0x1b, 0xad, 0xd1, 0xaa, 0x77, 0xbe, 0xd9, 0x48,\n 0x77, 0x7e, 0x4a, 0xaf, 0x51, 0x2e, 0x2e, 0xb4, 0x58, 0x54},\n {0x4f, 0x44, 0x7, 0xc, 0xe6, 0x92, 0x51, 0xed, 0x10, 0x1d, 0x42,\n 0x74, 0x2d, 0x4e, 0xc5, 0x42, 0x64, 0xc8, 0xb5, 0xfd, 0x82, 0x4c,\n 0x2b, 0x35, 0x64, 0x86, 0x76, 0x8a, 0x4a, 0x0, 0xe9, 0x13},\n },\n },\n {\n {\n {0x7f, 0x87, 0x3b, 0x19, 0xc9, 0x0, 0x2e, 0xbb, 0x6b, 0x50, 0xdc,\n 0xe0, 0x90, 0xa8, 0xe3, 0xec, 0x9f, 0x64, 0xde, 0x36, 0xc0, 0xb7,\n 0xf3, 0xec, 0x1a, 0x9e, 0xde, 0x98, 0x8, 0x4, 0x46, 0x5f},\n {0xdb, 0xce, 0x2f, 0x83, 0x45, 0x88, 0x9d, 0x73, 0x63, 0xf8, 0x6b,\n 0xae, 0xc9, 0xd6, 0x38, 0xfa, 0xf7, 0xfe, 0x4f, 0xb7, 0xca, 0xd,\n 0xbc, 0x32, 0x5e, 0xe4, 0xbc, 0x14, 0x88, 0x7e, 0x93, 0x73},\n {0x8d, 0xf4, 0x7b, 0x29, 0x16, 0x71, 0x3, 0xb9, 0x34, 0x68, 0xf0,\n 0xd4, 0x22, 0x3b, 0xd1, 0xa9, 0xc6, 0xbd, 0x96, 0x46, 0x57, 0x15,\n 0x97, 0xe1, 0x35, 0xe8, 0xd5, 0x91, 0xe8, 0xa4, 0xf8, 0x2c},\n },\n {\n {0xa2, 0x6b, 0xd0, 0x17, 0x7e, 0x48, 0xb5, 0x2c, 0x6b, 0x19, 0x50,\n 0x39, 0x1c, 0x38, 0xd2, 0x24, 0x30, 0x8a, 0x97, 0x85, 0x81, 0x9c,\n 0x65, 0xd7, 0xf6, 0xa4, 0xd6, 0x91, 0x28, 0x7f, 0x6f, 0x7a},\n {0x67, 0xf, 0x11, 0x7, 0x87, 0xfd, 0x93, 0x6d, 0x49, 0xb5, 0x38,\n 0x7c, 0xd3, 0x9, 0x4c, 0xdd, 0x86, 0x6a, 0x73, 0xc2, 0x4c, 0x6a,\n 0xb1, 0x7c, 0x9, 0x2a, 0x25, 0x58, 0x6e, 0xbd, 0x49, 0x20},\n {0x49, 0xef, 0x9a, 0x6a, 0x8d, 0xfd, 0x9, 0x7d, 0xb, 0xb9, 0x3d,\n 0x5b, 0xbe, 0x60, 0xee, 0xf0, 0xd4, 0xbf, 0x9e, 0x51, 0x2c, 0xb5,\n 0x21, 0x4c, 0x1d, 0x94, 0x45, 0xc5, 0xdf, 0xaa, 0x11, 0x60},\n },\n {\n {0x90, 0xf8, 0xcb, 0x2, 0xc8, 0xd0, 0xde, 0x63, 0xaa, 0x6a, 0xff,\n 0xd, 0xca, 0x98, 0xd0, 0xfb, 0x99, 0xed, 0xb6, 0xb9, 0xfd, 0xa,\n 0x4d, 0x62, 0x1e, 0xb, 0x34, 0x79, 0xb7, 0x18, 0xce, 0x69},\n {0x3c, 0xf8, 0x95, 0xcf, 0x6d, 0x92, 0x67, 0x5f, 0x71, 0x90, 0x28,\n 0x71, 0x61, 0x85, 0x7e, 0x7c, 0x5b, 0x7a, 0x8f, 0x99, 0xf3, 0xe7,\n 0xa1, 0xd6, 0xe0, 0xf9, 0x62, 0xb, 0x1b, 0xcc, 0xc5, 0x6f},\n {0xcb, 0x79, 0x98, 0xb2, 0x28, 0x55, 0xef, 0xd1, 0x92, 0x90, 0x7e,\n 0xd4, 0x3c, 0xae, 0x1a, 0xdd, 0x52, 0x23, 0x9f, 0x18, 0x42, 0x4,\n 0x7e, 0x12, 0xf1, 0x1, 0x71, 0xe5, 0x3a, 0x6b, 0x59, 0x15},\n },\n {\n {0xca, 0x24, 0x51, 0x7e, 0x16, 0x31, 0xff, 0x9, 0xdf, 0x45, 0xc7,\n 0xd9, 0x8b, 0x15, 0xe4, 0xb, 0xe5, 0x56, 0xf5, 0x7e, 0x22, 0x7d,\n 0x2b, 0x29, 0x38, 0xd1, 0xb6, 0xaf, 0x41, 0xe2, 0xa4, 0x3a},\n {0xa2, 0x79, 0x91, 0x3f, 0xd2, 0x39, 0x27, 0x46, 0xcf, 0xdd, 0xd6,\n 0x97, 0x31, 0x12, 0x83, 0xff, 0x8a, 0x14, 0xf2, 0x53, 0xb5, 0xde,\n 0x7, 0x13, 0xda, 0x4d, 0x5f, 0x7b, 0x68, 0x37, 0x22, 0xd},\n {0xf5, 0x5, 0x33, 0x2a, 0xbf, 0x38, 0xc1, 0x2c, 0xc3, 0x26, 0xe9,\n 0xa2, 0x8f, 0x3f, 0x58, 0x48, 0xeb, 0xd2, 0x49, 0x55, 0xa2, 0xb1,\n 0x3a, 0x8, 0x6c, 0xa3, 0x87, 0x46, 0x6e, 0xaa, 0xfc, 0x32},\n },\n {\n {0xdf, 0xcc, 0x87, 0x27, 0x73, 0xa4, 0x7, 0x32, 0xf8, 0xe3, 0x13,\n 0xf2, 0x8, 0x19, 0xe3, 0x17, 0x4e, 0x96, 0xd, 0xf6, 0xd7, 0xec,\n 0xb2, 0xd5, 0xe9, 0xb, 0x60, 0xc2, 0x36, 0x63, 0x6f, 0x74},\n {0xf5, 0x9a, 0x7d, 0xc5, 0x8d, 0x6e, 0xc5, 0x7b, 0xf2, 0xbd, 0xf0,\n 0x9d, 0xed, 0xd2, 0xb, 0x3e, 0xa3, 0xe4, 0xef, 0x22, 0xde, 0x14,\n 0xc0, 0xaa, 0x5c, 0x6a, 0xbd, 0xfe, 0xce, 0xe9, 0x27, 0x46},\n {0x1c, 0x97, 0x6c, 0xab, 0x45, 0xf3, 0x4a, 0x3f, 0x1f, 0x73, 0x43,\n 0x99, 0x72, 0xeb, 0x88, 0xe2, 0x6d, 0x18, 0x44, 0x3, 0x8a, 0x6a,\n 0x59, 0x33, 0x93, 0x62, 0xd6, 0x7e, 0x0, 0x17, 0x49, 0x7b},\n },\n {\n {0xdd, 0xa2, 0x53, 0xdd, 0x28, 0x1b, 0x34, 0x54, 0x3f, 0xfc, 0x42,\n 0xdf, 0x5b, 0x90, 0x17, 0xaa, 0xf4, 0xf8, 0xd2, 0x4d, 0xd9, 0x92,\n 0xf5, 0xf, 0x7d, 0xd3, 0x8c, 0xe0, 0xf, 0x62, 0x3, 0x1d},\n {0x64, 0xb0, 0x84, 0xab, 0x5c, 0xfb, 0x85, 0x2d, 0x14, 0xbc, 0xf3,\n 0x89, 0xd2, 0x10, 0x78, 0x49, 0xc, 0xce, 0x15, 0x7b, 0x44, 0xdc,\n 0x6a, 0x47, 0x7b, 0xfd, 0x44, 0xf8, 0x76, 0xa3, 0x2b, 0x12},\n {0x54, 0xe5, 0xb4, 0xa2, 0xcd, 0x32, 0x2, 0xc2, 0x7f, 0x18, 0x5d,\n 0x11, 0x42, 0xfd, 0xd0, 0x9e, 0xd9, 0x79, 0xd4, 0x7d, 0xbe, 0xb4,\n 0xab, 0x2e, 0x4c, 0xec, 0x68, 0x2b, 0xf5, 0xb, 0xc7, 0x2},\n },\n {\n {0xe1, 0x72, 0x8d, 0x45, 0xbf, 0x32, 0xe5, 0xac, 0xb5, 0x3c, 0xb7,\n 0x7c, 0xe0, 0x68, 0xe7, 0x5b, 0xe7, 0xbd, 0x8b, 0xee, 0x94, 0x7d,\n 0xcf, 0x56, 0x3, 0x3a, 0xb4, 0xfe, 0xe3, 0x97, 0x6, 0x6b},\n {0xbb, 0x2f, 0xb, 0x5d, 0x4b, 0xec, 0x87, 0xa2, 0xca, 0x82, 0x48,\n 0x7, 0x90, 0x57, 0x5c, 0x41, 0x5c, 0x81, 0xd0, 0xc1, 0x1e, 0xa6,\n 0x44, 0xe0, 0xe0, 0xf5, 0x9e, 0x40, 0xa, 0x4f, 0x33, 0x26},\n {0xc0, 0xa3, 0x62, 0xdf, 0x4a, 0xf0, 0xc8, 0xb6, 0x5d, 0xa4, 0x6d,\n 0x7, 0xef, 0x0, 0xf0, 0x3e, 0xa9, 0xd2, 0xf0, 0x49, 0x58, 0xb9,\n 0x9c, 0x9c, 0xae, 0x2f, 0x1b, 0x44, 0x43, 0x7f, 0xc3, 0x1c},\n },\n {\n {0xb9, 0xae, 0xce, 0xc9, 0xf1, 0x56, 0x66, 0xd7, 0x6a, 0x65, 0xe5,\n 0x18, 0xf8, 0x15, 0x5b, 0x1c, 0x34, 0x23, 0x4c, 0x84, 0x32, 0x28,\n 0xe7, 0x26, 0x38, 0x68, 0x19, 0x2f, 0x77, 0x6f, 0x34, 0x3a},\n {0x4f, 0x32, 0xc7, 0x5c, 0x5a, 0x56, 0x8f, 0x50, 0x22, 0xa9, 0x6,\n 0xe5, 0xc0, 0xc4, 0x61, 0xd0, 0x19, 0xac, 0x45, 0x5c, 0xdb, 0xab,\n 0x18, 0xfb, 0x4a, 0x31, 0x80, 0x3, 0xc1, 0x9, 0x68, 0x6c},\n {0xc8, 0x6a, 0xda, 0xe2, 0x12, 0x51, 0xd5, 0xd2, 0xed, 0x51, 0xe8,\n 0xb1, 0x31, 0x3, 0xbd, 0xe9, 0x62, 0x72, 0xc6, 0x8e, 0xdd, 0x46,\n 0x7, 0x96, 0xd0, 0xc5, 0xf7, 0x6e, 0x9f, 0x1b, 0x91, 0x5},\n },\n },\n {\n {\n {0xef, 0xea, 0x2e, 0x51, 0xf3, 0xac, 0x49, 0x53, 0x49, 0xcb, 0xc1,\n 0x1c, 0xd3, 0x41, 0xc1, 0x20, 0x8d, 0x68, 0x9a, 0xa9, 0x7, 0xc,\n 0x18, 0x24, 0x17, 0x2d, 0x4b, 0xc6, 0xd1, 0xf9, 0x5e, 0x55},\n {0xbb, 0xe, 0xdf, 0xf5, 0x83, 0x99, 0x33, 0xc1, 0xac, 0x4c, 0x2c,\n 0x51, 0x8f, 0x75, 0xf3, 0xc0, 0xe1, 0x98, 0xb3, 0xb, 0xa, 0x13,\n 0xf1, 0x2c, 0x62, 0xc, 0x27, 0xaa, 0xf9, 0xec, 0x3c, 0x6b},\n {0x8, 0xbd, 0x73, 0x3b, 0xba, 0x70, 0xa7, 0x36, 0xc, 0xbf, 0xaf,\n 0xa3, 0x8, 0xef, 0x4a, 0x62, 0xf2, 0x46, 0x9, 0xb4, 0x98, 0xff,\n 0x37, 0x57, 0x9d, 0x74, 0x81, 0x33, 0xe1, 0x4d, 0x5f, 0x67},\n },\n {\n {0x1d, 0xb3, 0xda, 0x3b, 0xd9, 0xf6, 0x2f, 0xa1, 0xfe, 0x2d, 0x65,\n 0x9d, 0xf, 0xd8, 0x25, 0x7, 0x87, 0x94, 0xbe, 0x9a, 0xf3, 0x4f,\n 0x9c, 0x1, 0x43, 0x3c, 0xcd, 0x82, 0xb8, 0x50, 0xf4, 0x60},\n {0xfc, 0x82, 0x17, 0x6b, 0x3, 0x52, 0x2c, 0xe, 0xb4, 0x83, 0xad,\n 0x6c, 0x81, 0x6c, 0x81, 0x64, 0x3e, 0x7, 0x64, 0x69, 0xd9, 0xbd,\n 0xdc, 0xd0, 0x20, 0xc5, 0x64, 0x1, 0xf7, 0x9d, 0xd9, 0x13},\n {0xca, 0xc0, 0xe5, 0x21, 0xc3, 0x5e, 0x4b, 0x1, 0xa2, 0xbf, 0x19,\n 0xd7, 0xc9, 0x69, 0xcb, 0x4f, 0xa0, 0x23, 0x0, 0x75, 0x18, 0x1c,\n 0x5f, 0x4e, 0x80, 0xac, 0xed, 0x55, 0x9e, 0xde, 0x6, 0x1c},\n },\n {\n {0xaa, 0x69, 0x6d, 0xff, 0x40, 0x2b, 0xd5, 0xff, 0xbb, 0x49, 0x40,\n 0xdc, 0x18, 0xb, 0x53, 0x34, 0x97, 0x98, 0x4d, 0xa3, 0x2f, 0x5c,\n 0x4a, 0x5e, 0x2d, 0xba, 0x32, 0x7d, 0x8e, 0x6f, 0x9, 0x78},\n {0xe2, 0xc4, 0x3e, 0xa3, 0xd6, 0x7a, 0xf, 0x99, 0x8e, 0xe0, 0x2e,\n 0xbe, 0x38, 0xf9, 0x8, 0x66, 0x15, 0x45, 0x28, 0x63, 0xc5, 0x43,\n 0xa1, 0x9c, 0xd, 0xb6, 0x2d, 0xec, 0x1f, 0x8a, 0xf3, 0x4c},\n {0xe7, 0x5c, 0xfa, 0xd, 0x65, 0xaa, 0xaa, 0xa0, 0x8c, 0x47, 0xb5,\n 0x48, 0x2a, 0x9e, 0xc4, 0xf9, 0x5b, 0x72, 0x3, 0x70, 0x7d, 0xcc,\n 0x9, 0x4f, 0xbe, 0x1a, 0x9, 0x26, 0x3a, 0xad, 0x3c, 0x37},\n },\n {\n {0xad, 0xbb, 0xdd, 0x89, 0xfb, 0xa8, 0xbe, 0xf1, 0xcb, 0xae, 0xae,\n 0x61, 0xbc, 0x2c, 0xcb, 0x3b, 0x9d, 0x8d, 0x9b, 0x1f, 0xbb, 0xa7,\n 0x58, 0x8f, 0x86, 0xa6, 0x12, 0x51, 0xda, 0x7e, 0x54, 0x21},\n {0x7c, 0xf5, 0xc9, 0x82, 0x4d, 0x63, 0x94, 0xb2, 0x36, 0x45, 0x93,\n 0x24, 0xe1, 0xfd, 0xcb, 0x1f, 0x5a, 0xdb, 0x8c, 0x41, 0xb3, 0x4d,\n 0x9c, 0x9e, 0xfc, 0x19, 0x44, 0x45, 0xd9, 0xf3, 0x40, 0x0},\n {0xd3, 0x86, 0x59, 0xfd, 0x39, 0xe9, 0xfd, 0xde, 0xc, 0x38, 0xa,\n 0x51, 0x89, 0x2c, 0x27, 0xf4, 0xb9, 0x19, 0x31, 0xbb, 0x7, 0xa4,\n 0x2b, 0xb7, 0xf4, 0x4d, 0x25, 0x4a, 0x33, 0xa, 0x55, 0x63},\n },\n {\n {0x49, 0x7b, 0x54, 0x72, 0x45, 0x58, 0xba, 0x9b, 0xe0, 0x8, 0xc4,\n 0xe2, 0xfa, 0xc6, 0x5, 0xf3, 0x8d, 0xf1, 0x34, 0xc7, 0x69, 0xfa,\n 0xe8, 0x60, 0x7a, 0x76, 0x7d, 0xaa, 0xaf, 0x2b, 0xa9, 0x39},\n {0x37, 0xcf, 0x69, 0xb5, 0xed, 0xd6, 0x7, 0x65, 0xe1, 0x2e, 0xa5,\n 0xc, 0xb0, 0x29, 0x84, 0x17, 0x5d, 0xd6, 0x6b, 0xeb, 0x90, 0x0,\n 0x7c, 0xea, 0x51, 0x8f, 0xf7, 0xda, 0xc7, 0x62, 0xea, 0x3e},\n {0x4e, 0x27, 0x93, 0xe6, 0x13, 0xc7, 0x24, 0x9d, 0x75, 0xd3, 0xdb,\n 0x68, 0x77, 0x85, 0x63, 0x5f, 0x9a, 0xb3, 0x8a, 0xeb, 0x60, 0x55,\n 0x52, 0x70, 0xcd, 0xc4, 0xc9, 0x65, 0x6, 0x6a, 0x43, 0x68},\n },\n {\n {0x7c, 0x10, 0x20, 0xe8, 0x17, 0xd3, 0x56, 0x1e, 0x65, 0xe9, 0xa,\n 0x84, 0x44, 0x68, 0x26, 0xc5, 0x7a, 0xfc, 0xf, 0x32, 0xc6, 0xa1,\n 0xe0, 0xc1, 0x72, 0x14, 0x61, 0x91, 0x9c, 0x66, 0x73, 0x53},\n {0x27, 0x3f, 0x2f, 0x20, 0xe8, 0x35, 0x2, 0xbc, 0xb0, 0x75, 0xf9,\n 0x64, 0xe2, 0x0, 0x5c, 0xc7, 0x16, 0x24, 0x8c, 0xa3, 0xd5, 0xe9,\n 0xa4, 0x91, 0xf9, 0x89, 0xb7, 0x8a, 0xf6, 0xe7, 0xb6, 0x17},\n {0x57, 0x52, 0xe, 0x9a, 0xab, 0x14, 0x28, 0x5d, 0xfc, 0xb3, 0xca,\n 0xc9, 0x84, 0x20, 0x8f, 0x90, 0xca, 0x1e, 0x2d, 0x5b, 0x88, 0xf5,\n 0xca, 0xaf, 0x11, 0x7d, 0xf8, 0x78, 0xa6, 0xb5, 0xb4, 0x1c},\n },\n {\n {0xe7, 0x7, 0xa0, 0xa2, 0x62, 0xaa, 0x74, 0x6b, 0xb1, 0xc7, 0x71,\n 0xf0, 0xb0, 0xe0, 0x11, 0xf3, 0x23, 0xe2, 0xb, 0x0, 0x38, 0xe4,\n 0x7, 0x57, 0xac, 0x6e, 0xef, 0x82, 0x2d, 0xfd, 0xc0, 0x2d},\n {0x6c, 0xfc, 0x4a, 0x39, 0x6b, 0xc0, 0x64, 0xb6, 0xb1, 0x5f, 0xda,\n 0x98, 0x24, 0xde, 0x88, 0xc, 0x34, 0xd8, 0xca, 0x4b, 0x16, 0x3,\n 0x8d, 0x4f, 0xa2, 0x34, 0x74, 0xde, 0x78, 0xca, 0xb, 0x33},\n {0x4e, 0x74, 0x19, 0x11, 0x84, 0xff, 0x2e, 0x98, 0x24, 0x47, 0x7,\n 0x2b, 0x96, 0x5e, 0x69, 0xf9, 0xfb, 0x53, 0xc9, 0xbf, 0x4f, 0xc1,\n 0x8a, 0xc5, 0xf5, 0x1c, 0x9f, 0x36, 0x1b, 0xbe, 0x31, 0x3c},\n },\n {\n {0x72, 0x42, 0xcb, 0xf9, 0x93, 0xbc, 0x68, 0xc1, 0x98, 0xdb, 0xce,\n 0xc7, 0x1f, 0x71, 0xb8, 0xae, 0x7a, 0x8d, 0xac, 0x34, 0xaa, 0x52,\n 0xe, 0x7f, 0xbb, 0x55, 0x7d, 0x7e, 0x9, 0xc1, 0xce, 0x41},\n {0xee, 0x8a, 0x94, 0x8, 0x4d, 0x86, 0xf4, 0xb0, 0x6f, 0x1c, 0xba,\n 0x91, 0xee, 0x19, 0xdc, 0x7, 0x58, 0xa1, 0xac, 0xa6, 0xae, 0xcd,\n 0x75, 0x79, 0xbb, 0xd4, 0x62, 0x42, 0x13, 0x61, 0xb, 0x33},\n {0x8a, 0x80, 0x6d, 0xa2, 0xd7, 0x19, 0x96, 0xf7, 0x6d, 0x15, 0x9e,\n 0x1d, 0x9e, 0xd4, 0x1f, 0xbb, 0x27, 0xdf, 0xa1, 0xdb, 0x6c, 0xc3,\n 0xd7, 0x73, 0x7d, 0x77, 0x28, 0x1f, 0xd9, 0x4c, 0xb4, 0x26},\n },\n },\n {\n {\n {0x83, 0x3, 0x73, 0x62, 0x93, 0xf2, 0xb7, 0xe1, 0x2c, 0x8a, 0xca,\n 0xeb, 0xff, 0x79, 0x52, 0x4b, 0x14, 0x13, 0xd4, 0xbf, 0x8a, 0x77,\n 0xfc, 0xda, 0xf, 0x61, 0x72, 0x9c, 0x14, 0x10, 0xeb, 0x7d},\n {0x75, 0x74, 0x38, 0x8f, 0x47, 0x48, 0xf0, 0x51, 0x3c, 0xcb, 0xbe,\n 0x9c, 0xf4, 0xbc, 0x5d, 0xb2, 0x55, 0x20, 0x9f, 0xd9, 0x44, 0x12,\n 0xab, 0x9a, 0xd6, 0xa5, 0x10, 0x1c, 0x6c, 0x9e, 0x70, 0x2c},\n {0x7a, 0xee, 0x66, 0x87, 0x6a, 0xaf, 0x62, 0xcb, 0xe, 0xcd, 0x53,\n 0x55, 0x4, 0xec, 0xcb, 0x66, 0xb5, 0xe4, 0xb, 0xf, 0x38, 0x1,\n 0x80, 0x58, 0xea, 0xe2, 0x2c, 0xf6, 0x9f, 0x8e, 0xe6, 0x8},\n },\n {\n {0xf9, 0xf2, 0xb8, 0xa, 0xd5, 0x9, 0x2d, 0x2f, 0xdf, 0x23, 0x59,\n 0xc5, 0x8d, 0x21, 0xb9, 0xac, 0xb9, 0x6c, 0x76, 0x73, 0x26, 0x34,\n 0x8f, 0x4a, 0xf5, 0x19, 0xf7, 0x38, 0xd7, 0x3b, 0xb1, 0x4c},\n {0xad, 0x30, 0xc1, 0x4b, 0xa, 0x50, 0xad, 0x34, 0x9c, 0xd4, 0xb,\n 0x3d, 0x49, 0xdb, 0x38, 0x8d, 0xbe, 0x89, 0xa, 0x50, 0x98, 0x3d,\n 0x5c, 0xa2, 0x9, 0x3b, 0xba, 0xee, 0x87, 0x3f, 0x1f, 0x2f},\n {0x4a, 0xb6, 0x15, 0xe5, 0x75, 0x8c, 0x84, 0xf7, 0x38, 0x90, 0x4a,\n 0xdb, 0xba, 0x1, 0x95, 0xa5, 0x50, 0x1b, 0x75, 0x3f, 0x3f, 0x31,\n 0xd, 0xc2, 0xe8, 0x2e, 0xae, 0xc0, 0x53, 0xe3, 0xa1, 0x19},\n },\n {\n {0xbd, 0xbd, 0x96, 0xd5, 0xcd, 0x72, 0x21, 0xb4, 0x40, 0xfc, 0xee,\n 0x98, 0x43, 0x45, 0xe0, 0x93, 0xb5, 0x9, 0x41, 0xb4, 0x47, 0x53,\n 0xb1, 0x9f, 0x34, 0xae, 0x66, 0x2, 0x99, 0xd3, 0x6b, 0x73},\n {0xc3, 0x5, 0xfa, 0xba, 0x60, 0x75, 0x1c, 0x7d, 0x61, 0x5e, 0xe5,\n 0xc6, 0xa0, 0xa0, 0xe1, 0xb3, 0x73, 0x64, 0xd6, 0xc0, 0x18, 0x97,\n 0x52, 0xe3, 0x86, 0x34, 0xc, 0xc2, 0x11, 0x6b, 0x54, 0x41},\n {0xb4, 0xb3, 0x34, 0x93, 0x50, 0x2d, 0x53, 0x85, 0x73, 0x65, 0x81,\n 0x60, 0x4b, 0x11, 0xfd, 0x46, 0x75, 0x83, 0x5c, 0x42, 0x30, 0x5f,\n 0x5f, 0xcc, 0x5c, 0xab, 0x7f, 0xb8, 0xa2, 0x95, 0x22, 0x41},\n },\n {\n {0xc6, 0xea, 0x93, 0xe2, 0x61, 0x52, 0x65, 0x2e, 0xdb, 0xac, 0x33,\n 0x21, 0x3, 0x92, 0x5a, 0x84, 0x6b, 0x99, 0x0, 0x79, 0xcb, 0x75,\n 0x9, 0x46, 0x80, 0xdd, 0x5a, 0x19, 0x8d, 0xbb, 0x60, 0x7},\n {0xe9, 0xd6, 0x7e, 0xf5, 0x88, 0x9b, 0xc9, 0x19, 0x25, 0xc8, 0xf8,\n 0x6d, 0x26, 0xcb, 0x93, 0x53, 0x73, 0xd2, 0xa, 0xb3, 0x13, 0x32,\n 0xee, 0x5c, 0x34, 0x2e, 0x2d, 0xb5, 0xeb, 0x53, 0xe1, 0x14},\n {0x8a, 0x81, 0xe6, 0xcd, 0x17, 0x1a, 0x3e, 0x41, 0x84, 0xa0, 0x69,\n 0xed, 0xa9, 0x6d, 0x15, 0x57, 0xb1, 0xcc, 0xca, 0x46, 0x8f, 0x26,\n 0xbf, 0x2c, 0xf2, 0xc5, 0x3a, 0xc3, 0x9b, 0xbe, 0x34, 0x6b},\n },\n {\n {0xd3, 0xf2, 0x71, 0x65, 0x65, 0x69, 0xfc, 0x11, 0x7a, 0x73, 0xe,\n 0x53, 0x45, 0xe8, 0xc9, 0xc6, 0x35, 0x50, 0xfe, 0xd4, 0xa2, 0xe7,\n 0x3a, 0xe3, 0xb, 0xd3, 0x6d, 0x2e, 0xb6, 0xc7, 0xb9, 0x1},\n {0xb2, 0xc0, 0x78, 0x3a, 0x64, 0x2f, 0xdf, 0xf3, 0x7c, 0x2, 0x2e,\n 0xf2, 0x1e, 0x97, 0x3e, 0x4c, 0xa3, 0xb5, 0xc1, 0x49, 0x5e, 0x1c,\n 0x7d, 0xec, 0x2d, 0xdd, 0x22, 0x9, 0x8f, 0xc1, 0x12, 0x20},\n {0x29, 0x9d, 0xc8, 0x5a, 0xe5, 0x55, 0xb, 0x88, 0x63, 0xa7, 0xa0,\n 0x45, 0x1f, 0x24, 0x83, 0x14, 0x1f, 0x6c, 0xe7, 0xc2, 0xdf, 0xef,\n 0x36, 0x3d, 0xe8, 0xad, 0x4b, 0x4e, 0x78, 0x5b, 0xaf, 0x8},\n },\n {\n {0x4b, 0x2c, 0xcc, 0x89, 0xd2, 0x14, 0x73, 0xe2, 0x8d, 0x17, 0x87,\n 0xa2, 0x11, 0xbd, 0xe4, 0x4b, 0xce, 0x64, 0x33, 0xfa, 0xd6, 0x28,\n 0xd5, 0x18, 0x6e, 0x82, 0xd9, 0xaf, 0xd5, 0xc1, 0x23, 0x64},\n {0x33, 0x25, 0x1f, 0x88, 0xdc, 0x99, 0x34, 0x28, 0xb6, 0x23, 0x93,\n 0x77, 0xda, 0x25, 0x5, 0x9d, 0xf4, 0x41, 0x34, 0x67, 0xfb, 0xdd,\n 0x7a, 0x89, 0x8d, 0x16, 0x3a, 0x16, 0x71, 0x9d, 0xb7, 0x32},\n {0x6a, 0xb3, 0xfc, 0xed, 0xd9, 0xf8, 0x85, 0xcc, 0xf9, 0xe5, 0x46,\n 0x37, 0x8f, 0xc2, 0xbc, 0x22, 0xcd, 0xd3, 0xe5, 0xf9, 0x38, 0xe3,\n 0x9d, 0xe4, 0xcc, 0x2d, 0x3e, 0xc1, 0xfb, 0x5e, 0xa, 0x48},\n },\n {\n {0x1f, 0x22, 0xce, 0x42, 0xe4, 0x4c, 0x61, 0xb6, 0x28, 0x39, 0x5,\n 0x4c, 0xcc, 0x9d, 0x19, 0x6e, 0x3, 0xbe, 0x1c, 0xdc, 0xa4, 0xb4,\n 0x3f, 0x66, 0x6, 0x8e, 0x1c, 0x69, 0x47, 0x1d, 0xb3, 0x24},\n {0x71, 0x20, 0x62, 0x1, 0xb, 0xe7, 0x51, 0xb, 0xc5, 0xaf, 0x1d,\n 0x8b, 0xcf, 0x5, 0xb5, 0x6, 0xcd, 0xab, 0x5a, 0xef, 0x61, 0xb0,\n 0x6b, 0x2c, 0x31, 0xbf, 0xb7, 0xc, 0x60, 0x27, 0xaa, 0x47},\n {0xc3, 0xf8, 0x15, 0xc0, 0xed, 0x1e, 0x54, 0x2a, 0x7c, 0x3f, 0x69,\n 0x7c, 0x7e, 0xfe, 0xa4, 0x11, 0xd6, 0x78, 0xa2, 0x4e, 0x13, 0x66,\n 0xaf, 0xf0, 0x94, 0xa0, 0xdd, 0x14, 0x5d, 0x58, 0x5b, 0x54},\n },\n {\n {0xe1, 0x21, 0xb3, 0xe3, 0xd0, 0xe4, 0x4, 0x62, 0x95, 0x1e, 0xff,\n 0x28, 0x7a, 0x63, 0xaa, 0x3b, 0x9e, 0xbd, 0x99, 0x5b, 0xfd, 0xcf,\n 0xc, 0xb, 0x71, 0xd0, 0xc8, 0x64, 0x3e, 0xdc, 0x22, 0x4d},\n {0xf, 0x3a, 0xd4, 0xa0, 0x5e, 0x27, 0xbf, 0x67, 0xbe, 0xee, 0x9b,\n 0x8, 0x34, 0x8e, 0xe6, 0xad, 0x2e, 0xe7, 0x79, 0xd4, 0x4c, 0x13,\n 0x89, 0x42, 0x54, 0x54, 0xba, 0x32, 0xc3, 0xf9, 0x62, 0xf},\n {0x39, 0x5f, 0x3b, 0xd6, 0x89, 0x65, 0xb4, 0xfc, 0x61, 0xcf, 0xcb,\n 0x57, 0x3f, 0x6a, 0xae, 0x5c, 0x5, 0xfa, 0x3a, 0x95, 0xd2, 0xc2,\n 0xba, 0xfe, 0x36, 0x14, 0x37, 0x36, 0x1a, 0xa0, 0xf, 0x1c},\n },\n },\n {\n {\n {0x50, 0x6a, 0x93, 0x8c, 0xe, 0x2b, 0x8, 0x69, 0xb6, 0xc5, 0xda,\n 0xc1, 0x35, 0xa0, 0xc9, 0xf9, 0x34, 0xb6, 0xdf, 0xc4, 0x54, 0x3e,\n 0xb7, 0x6f, 0x40, 0xc1, 0x2b, 0x1d, 0x9b, 0x41, 0x5, 0x40},\n {0xff, 0x3d, 0x94, 0x22, 0xb6, 0x4, 0xc6, 0xd2, 0xa0, 0xb3, 0xcf,\n 0x44, 0xce, 0xbe, 0x8c, 0xbc, 0x78, 0x86, 0x80, 0x97, 0xf3, 0x4f,\n 0x25, 0x5d, 0xbf, 0xa6, 0x1c, 0x3b, 0x4f, 0x61, 0xa3, 0xf},\n {0xf0, 0x82, 0xbe, 0xb9, 0xbd, 0xfe, 0x3, 0xa0, 0x90, 0xac, 0x44,\n 0x3a, 0xaf, 0xc1, 0x89, 0x20, 0x8e, 0xfa, 0x54, 0x19, 0x91, 0x9f,\n 0x49, 0xf8, 0x42, 0xab, 0x40, 0xef, 0x8a, 0x21, 0xba, 0x1f},\n },\n {\n {0x94, 0x1, 0x7b, 0x3e, 0x4, 0x57, 0x3e, 0x4f, 0x7f, 0xaf, 0xda,\n 0x8, 0xee, 0x3e, 0x1d, 0xa8, 0xf1, 0xde, 0xdc, 0x99, 0xab, 0xc6,\n 0x39, 0xc8, 0xd5, 0x61, 0x77, 0xff, 0x13, 0x5d, 0x53, 0x6c},\n {0x3e, 0xf5, 0xc8, 0xfa, 0x48, 0x94, 0x54, 0xab, 0x41, 0x37, 0xa6,\n 0x7b, 0x9a, 0xe8, 0xf6, 0x81, 0x1, 0x5e, 0x2b, 0x6c, 0x7d, 0x6c,\n 0xfd, 0x74, 0x42, 0x6e, 0xc8, 0xa8, 0xca, 0x3a, 0x2e, 0x39},\n {0xaf, 0x35, 0x8a, 0x3e, 0xe9, 0x34, 0xbd, 0x4c, 0x16, 0xe8, 0x87,\n 0x58, 0x44, 0x81, 0x7, 0x2e, 0xab, 0xb0, 0x9a, 0xf2, 0x76, 0x9c,\n 0x31, 0x19, 0x3b, 0xc1, 0xa, 0xd5, 0xe4, 0x7f, 0xe1, 0x25},\n },\n {\n {0xa7, 0x21, 0xf1, 0x76, 0xf5, 0x7f, 0x5f, 0x91, 0xe3, 0x87, 0xcd,\n 0x2f, 0x27, 0x32, 0x4a, 0xc3, 0x26, 0xe5, 0x1b, 0x4d, 0xde, 0x2f,\n 0xba, 0xcc, 0x9b, 0x89, 0x69, 0x89, 0x8f, 0x82, 0xba, 0x6b},\n {0x76, 0xf6, 0x4, 0x1e, 0xd7, 0x9b, 0x28, 0xa, 0x95, 0xf, 0x42,\n 0xd6, 0x52, 0x1c, 0x8e, 0x20, 0xab, 0x1f, 0x69, 0x34, 0xb0, 0xd8,\n 0x86, 0x51, 0x51, 0xb3, 0x9f, 0x2a, 0x44, 0x51, 0x57, 0x25},\n {0x1, 0x39, 0xfe, 0x90, 0x66, 0xbc, 0xd1, 0xe2, 0xd5, 0x7a, 0x99,\n 0xa0, 0x18, 0x4a, 0xb5, 0x4c, 0xd4, 0x60, 0x84, 0xaf, 0x14, 0x69,\n 0x1d, 0x97, 0xe4, 0x7b, 0x6b, 0x7f, 0x4f, 0x50, 0x9d, 0x55},\n },\n {\n {0xfd, 0x66, 0xd2, 0xf6, 0xe7, 0x91, 0x48, 0x9c, 0x1b, 0x78, 0x7,\n 0x3, 0x9b, 0xa1, 0x44, 0x7, 0x3b, 0xe2, 0x61, 0x60, 0x1d, 0x8f,\n 0x38, 0x88, 0xe, 0xd5, 0x4b, 0x35, 0xa3, 0xa6, 0x3e, 0x12},\n {0xd5, 0x54, 0xeb, 0xb3, 0x78, 0x83, 0x73, 0xa7, 0x7c, 0x3c, 0x55,\n 0xa5, 0x66, 0xd3, 0x69, 0x1d, 0xba, 0x0, 0x28, 0xf9, 0x62, 0xcf,\n 0x26, 0xa, 0x17, 0x32, 0x7e, 0x80, 0xd5, 0x12, 0xab, 0x1},\n {0x96, 0x2d, 0xe3, 0x41, 0x90, 0x18, 0x8d, 0x11, 0x48, 0x58, 0x31,\n 0xd8, 0xc2, 0xe3, 0xed, 0xb9, 0xd9, 0x45, 0x32, 0xd8, 0x71, 0x42,\n 0xab, 0x1e, 0x54, 0xa1, 0x18, 0xc9, 0xe2, 0x61, 0x39, 0x4a},\n },\n {\n {0x1e, 0x3f, 0x23, 0xf3, 0x44, 0xd6, 0x27, 0x3, 0x16, 0xf0, 0xfc,\n 0x34, 0xe, 0x26, 0x9a, 0x49, 0x79, 0xb9, 0xda, 0xf2, 0x16, 0xa7,\n 0xb5, 0x83, 0x1f, 0x11, 0xd4, 0x9b, 0xad, 0xee, 0xac, 0x68},\n {0xa0, 0xbb, 0xe6, 0xf8, 0xe0, 0x3b, 0xdc, 0x71, 0xa, 0xe3, 0xff,\n 0x7e, 0x34, 0xf8, 0xce, 0xd6, 0x6a, 0x47, 0x3a, 0xe1, 0x5f, 0x42,\n 0x92, 0xa9, 0x63, 0xb7, 0x1d, 0xfb, 0xe3, 0xbc, 0xd6, 0x2c},\n {0x10, 0xc2, 0xd7, 0xf3, 0xe, 0xc9, 0xb4, 0x38, 0xc, 0x4, 0xad,\n 0xb7, 0x24, 0x6e, 0x8e, 0x30, 0x23, 0x3e, 0xe7, 0xb7, 0xf1, 0xd9,\n 0x60, 0x38, 0x97, 0xf5, 0x8, 0xb5, 0xd5, 0x60, 0x57, 0x59},\n },\n {\n {0x90, 0x27, 0x2, 0xfd, 0xeb, 0xcb, 0x2a, 0x88, 0x60, 0x57, 0x11,\n 0xc4, 0x5, 0x33, 0xaf, 0x89, 0xf4, 0x73, 0x34, 0x7d, 0xe3, 0x92,\n 0xf4, 0x65, 0x2b, 0x5a, 0x51, 0x54, 0xdf, 0xc5, 0xb2, 0x2c},\n {0x97, 0x63, 0xaa, 0x4, 0xe1, 0xbf, 0x29, 0x61, 0xcb, 0xfc, 0xa7,\n 0xa4, 0x8, 0x0, 0x96, 0x8f, 0x58, 0x94, 0x90, 0x7d, 0x89, 0xc0,\n 0x8b, 0x3f, 0xa9, 0x91, 0xb2, 0xdc, 0x3e, 0xa4, 0x9f, 0x70},\n {0xca, 0x2a, 0xfd, 0x63, 0x8c, 0x5d, 0xa, 0xeb, 0xff, 0x4e, 0x69,\n 0x2e, 0x66, 0xc1, 0x2b, 0xd2, 0x3a, 0xb0, 0xcb, 0xf8, 0x6e, 0xf3,\n 0x23, 0x27, 0x1f, 0x13, 0xc8, 0xf0, 0xec, 0x29, 0xf0, 0x70},\n },\n {\n {0xb9, 0xb0, 0x10, 0x5e, 0xaa, 0xaf, 0x6a, 0x2a, 0xa9, 0x1a, 0x4,\n 0xef, 0x70, 0xa3, 0xf0, 0x78, 0x1f, 0xd6, 0x3a, 0xaa, 0x77, 0xfb,\n 0x3e, 0x77, 0xe1, 0xd9, 0x4b, 0xa7, 0xa2, 0xa5, 0xec, 0x44},\n {0x33, 0x3e, 0xed, 0x2e, 0xb3, 0x7, 0x13, 0x46, 0xe7, 0x81, 0x55,\n 0xa4, 0x33, 0x2f, 0x4, 0xae, 0x66, 0x3, 0x5f, 0x19, 0xd3, 0x49,\n 0x44, 0xc9, 0x58, 0x48, 0x31, 0x6c, 0x8a, 0x5d, 0x7d, 0xb},\n {0x43, 0xd5, 0x95, 0x7b, 0x32, 0x48, 0xd4, 0x25, 0x1d, 0xf, 0x34,\n 0xa3, 0x0, 0x83, 0xd3, 0x70, 0x2b, 0xc5, 0xe1, 0x60, 0x1c, 0x53,\n 0x1c, 0xde, 0xe4, 0xe9, 0x7d, 0x2c, 0x51, 0x24, 0x22, 0x27},\n },\n {\n {0xfc, 0x75, 0xa9, 0x42, 0x8a, 0xbb, 0x7b, 0xbf, 0x58, 0xa3, 0xad,\n 0x96, 0x77, 0x39, 0x5c, 0x8c, 0x48, 0xaa, 0xed, 0xcd, 0x6f, 0xc7,\n 0x7f, 0xe2, 0xa6, 0x20, 0xbc, 0xf6, 0xd7, 0x5f, 0x73, 0x19},\n {0x2e, 0x34, 0xc5, 0x49, 0xaf, 0x92, 0xbc, 0x1a, 0xd0, 0xfa, 0xe6,\n 0xb2, 0x11, 0xd8, 0xee, 0xff, 0x29, 0x4e, 0xc8, 0xfc, 0x8d, 0x8c,\n 0xa2, 0xef, 0x43, 0xc5, 0x4c, 0xa4, 0x18, 0xdf, 0xb5, 0x11},\n {0x66, 0x42, 0xc8, 0x42, 0xd0, 0x90, 0xab, 0xe3, 0x7e, 0x54, 0x19,\n 0x7f, 0xf, 0x8e, 0x84, 0xeb, 0xb9, 0x97, 0xa4, 0x65, 0xd0, 0xa1,\n 0x3, 0x25, 0x5f, 0x89, 0xdf, 0x91, 0x11, 0x91, 0xef, 0xf},\n },\n },\n};\n\n#endif // OPENSSL_SMALL\n\n// Bi[i] = (2*i+1)*B\nstatic const ge_precomp Bi[8] = {\n {\n {{\n#if defined(OPENSSL_64_BIT)\n 1288382639258501, 245678601348599, 269427782077623,\n 1462984067271730, 137412439391563\n#else\n 25967493, 19198397, 29566455, 3660896, 54414519, 4014786, 27544626,\n 21800161, 61029707, 2047604\n#endif\n }},\n {{\n#if defined(OPENSSL_64_BIT)\n 62697248952638, 204681361388450, 631292143396476, 338455783676468,\n 1213667448819585\n#else\n 54563134, 934261, 64385954, 3049989, 66381436, 9406985, 12720692,\n 5043384, 19500929, 18085054\n#endif\n }},\n {{\n#if defined(OPENSSL_64_BIT)\n 301289933810280, 1259582250014073, 1422107436869536,\n 796239922652654, 1953934009299142\n#else\n 58370664, 4489569, 9688441, 18769238, 10184608, 21191052, 29287918,\n 11864899, 42594502, 29115885\n#endif\n }},\n },\n {\n {{\n#if defined(OPENSSL_64_BIT)\n 1601611775252272, 1720807796594148, 1132070835939856,\n 1260455018889551, 2147779492816911\n#else\n 15636272, 23865875, 24204772, 25642034, 616976, 16869170, 27787599,\n 18782243, 28944399, 32004408\n#endif\n }},\n {{\n#if defined(OPENSSL_64_BIT)\n 316559037616741, 2177824224946892, 1459442586438991,\n 1461528397712656, 751590696113597\n#else\n 16568933, 4717097, 55552716, 32452109, 15682895, 21747389, 16354576,\n 21778470, 7689661, 11199574\n#endif\n }},\n {{\n#if defined(OPENSSL_64_BIT)\n 1850748884277385, 1200145853858453, 1068094770532492,\n 672251375690438, 1586055907191707\n#else\n 30464137, 27578307, 55329429, 17883566, 23220364, 15915852, 7512774,\n 10017326, 49359771, 23634074\n#endif\n }},\n },\n {\n {{\n#if defined(OPENSSL_64_BIT)\n 769950342298419, 132954430919746, 844085933195555, 974092374476333,\n 726076285546016\n#else\n 10861363, 11473154, 27284546, 1981175, 37044515, 12577860, 32867885,\n 14515107, 51670560, 10819379\n#endif\n }},\n {{\n#if defined(OPENSSL_64_BIT)\n 425251763115706, 608463272472562, 442562545713235, 837766094556764,\n 374555092627893\n#else\n 4708026, 6336745, 20377586, 9066809, 55836755, 6594695, 41455196,\n 12483687, 54440373, 5581305\n#endif\n }},\n {{\n#if defined(OPENSSL_64_BIT)\n 1086255230780037, 274979815921559, 1960002765731872,\n 929474102396301, 1190409889297339\n#else\n 19563141, 16186464, 37722007, 4097518, 10237984, 29206317, 28542349,\n 13850243, 43430843, 17738489\n#endif\n }},\n },\n {\n {{\n#if defined(OPENSSL_64_BIT)\n 665000864555967, 2065379846933859, 370231110385876, 350988370788628,\n 1233371373142985\n#else\n 5153727, 9909285, 1723747, 30776558, 30523604, 5516873, 19480852,\n 5230134, 43156425, 18378665\n#endif\n }},\n {{\n#if defined(OPENSSL_64_BIT)\n 2019367628972465, 676711900706637, 110710997811333,\n 1108646842542025, 517791959672113\n#else\n 36839857, 30090922, 7665485, 10083793, 28475525, 1649722, 20654025,\n 16520125, 30598449, 7715701\n#endif\n }},\n {{\n#if defined(OPENSSL_64_BIT)\n 965130719900578, 247011430587952, 526356006571389, 91986625355052,\n 2157223321444601\n#else\n 28881826, 14381568, 9657904, 3680757, 46927229, 7843315, 35708204,\n 1370707, 29794553, 32145132\n#endif\n }},\n },\n {\n {{\n#if defined(OPENSSL_64_BIT)\n 1802695059465007, 1664899123557221, 593559490740857,\n 2160434469266659, 927570450755031\n#else\n 44589871, 26862249, 14201701, 24808930, 43598457, 8844725, 18474211,\n 32192982, 54046167, 13821876\n#endif\n }},\n {{\n#if defined(OPENSSL_64_BIT)\n 1725674970513508, 1933645953859181, 1542344539275782,\n 1767788773573747, 1297447965928905\n#else\n 60653668, 25714560, 3374701, 28813570, 40010246, 22982724, 31655027,\n 26342105, 18853321, 19333481\n#endif\n }},\n {{\n#if defined(OPENSSL_64_BIT)\n 1381809363726107, 1430341051343062, 2061843536018959,\n 1551778050872521, 2036394857967624\n#else\n 4566811, 20590564, 38133974, 21313742, 59506191, 30723862, 58594505,\n 23123294, 2207752, 30344648\n#endif\n }},\n },\n {\n {{\n#if defined(OPENSSL_64_BIT)\n 1970894096313054, 528066325833207, 1619374932191227,\n 2207306624415883, 1169170329061080\n#else\n 41954014, 29368610, 29681143, 7868801, 60254203, 24130566, 54671499,\n 32891431, 35997400, 17421995\n#endif\n }},\n {{\n#if defined(OPENSSL_64_BIT)\n 2070390218572616, 1458919061857835, 624171843017421,\n 1055332792707765, 433987520732508\n#else\n 25576264, 30851218, 7349803, 21739588, 16472781, 9300885, 3844789,\n 15725684, 171356, 6466918\n#endif\n }},\n {{\n#if defined(OPENSSL_64_BIT)\n 893653801273833, 1168026499324677, 1242553501121234,\n 1306366254304474, 1086752658510815\n#else\n 23103977, 13316479, 9739013, 17404951, 817874, 18515490, 8965338,\n 19466374, 36393951, 16193876\n#endif\n }},\n },\n {\n {{\n#if defined(OPENSSL_64_BIT)\n 213454002618221, 939771523987438, 1159882208056014, 317388369627517,\n 621213314200687\n#else\n 33587053, 3180712, 64714734, 14003686, 50205390, 17283591, 17238397,\n 4729455, 49034351, 9256799\n#endif\n }},\n {{\n#if defined(OPENSSL_64_BIT)\n 1971678598905747, 338026507889165, 762398079972271, 655096486107477,\n 42299032696322\n#else\n 41926547, 29380300, 32336397, 5036987, 45872047, 11360616, 22616405,\n 9761698, 47281666, 630304\n#endif\n }},\n {{\n#if defined(OPENSSL_64_BIT)\n 177130678690680, 1754759263300204, 1864311296286618,\n 1180675631479880, 1292726903152791\n#else\n 53388152, 2639452, 42871404, 26147950, 9494426, 27780403, 60554312,\n 17593437, 64659607, 19263131\n#endif\n }},\n },\n {\n {{\n#if defined(OPENSSL_64_BIT)\n 1913163449625248, 460779200291993, 2193883288642314,\n 1008900146920800, 1721983679009502\n#else\n 63957664, 28508356, 9282713, 6866145, 35201802, 32691408, 48168288,\n 15033783, 25105118, 25659556\n#endif\n }},\n {{\n#if defined(OPENSSL_64_BIT)\n 1070401523076875, 1272492007800961, 1910153608563310,\n 2075579521696771, 1191169788841221\n#else\n 42782475, 15950225, 35307649, 18961608, 55446126, 28463506, 1573891,\n 30928545, 2198789, 17749813\n#endif\n }},\n {{\n#if defined(OPENSSL_64_BIT)\n 692896803108118, 500174642072499, 2068223309439677,\n 1162190621851337, 1426986007309901\n#else\n 64009494, 10324966, 64867251, 7453182, 61661885, 30818928, 53296841,\n 17317989, 34647629, 21263748\n#endif\n }},\n },\n};\n" }, { "path": "Sources/CNIOBoringSSL/crypto/curve25519/internal.h", "content": "/* Copyright 2020 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n#ifndef OPENSSL_HEADER_CURVE25519_INTERNAL_H\n#define OPENSSL_HEADER_CURVE25519_INTERNAL_H\n\n#include \n\n#include \"../internal.h\"\n\n#if defined(__cplusplus)\nextern \"C\" {\n#endif\n\n#if defined(OPENSSL_ARM) && !defined(OPENSSL_NO_ASM) && !defined(OPENSSL_APPLE)\n#define BORINGSSL_X25519_NEON\n\n// x25519_NEON is defined in asm/x25519-arm.S.\nvoid x25519_NEON(uint8_t out[32], const uint8_t scalar[32],\n const uint8_t point[32]);\n#endif\n\n#if !defined(OPENSSL_NO_ASM) && !defined(OPENSSL_SMALL) && \\\n defined(__GNUC__) && defined(__x86_64__) && !defined(OPENSSL_WINDOWS)\n#define BORINGSSL_FE25519_ADX\n\n// fiat_curve25519_adx_mul is defined in\n// third_party/fiat/asm/fiat_curve25519_adx_mul.S\nvoid __attribute__((sysv_abi))\nfiat_curve25519_adx_mul(uint64_t out[4], const uint64_t in1[4],\n const uint64_t in2[4]);\n\n// fiat_curve25519_adx_square is defined in\n// third_party/fiat/asm/fiat_curve25519_adx_square.S\nvoid __attribute__((sysv_abi))\nfiat_curve25519_adx_square(uint64_t out[4], const uint64_t in[4]);\n\n// x25519_scalar_mult_adx is defined in third_party/fiat/curve25519_64_adx.h\nvoid x25519_scalar_mult_adx(uint8_t out[32], const uint8_t scalar[32],\n const uint8_t point[32]);\nvoid x25519_ge_scalarmult_base_adx(uint8_t h[4][32], const uint8_t a[32]);\n#endif\n\n#if defined(OPENSSL_64_BIT)\n// fe means field element. Here the field is \\Z/(2^255-19). An element t,\n// entries t[0]...t[4], represents the integer t[0]+2^51 t[1]+2^102 t[2]+2^153\n// t[3]+2^204 t[4].\n// fe limbs are bounded by 1.125*2^51.\n// Multiplication and carrying produce fe from fe_loose.\ntypedef struct fe { uint64_t v[5]; } fe;\n\n// fe_loose limbs are bounded by 3.375*2^51.\n// Addition and subtraction produce fe_loose from (fe, fe).\ntypedef struct fe_loose { uint64_t v[5]; } fe_loose;\n#else\n// fe means field element. Here the field is \\Z/(2^255-19). An element t,\n// entries t[0]...t[9], represents the integer t[0]+2^26 t[1]+2^51 t[2]+2^77\n// t[3]+2^102 t[4]+...+2^230 t[9].\n// fe limbs are bounded by 1.125*2^26,1.125*2^25,1.125*2^26,1.125*2^25,etc.\n// Multiplication and carrying produce fe from fe_loose.\ntypedef struct fe { uint32_t v[10]; } fe;\n\n// fe_loose limbs are bounded by 3.375*2^26,3.375*2^25,3.375*2^26,3.375*2^25,etc.\n// Addition and subtraction produce fe_loose from (fe, fe).\ntypedef struct fe_loose { uint32_t v[10]; } fe_loose;\n#endif\n\n// ge means group element.\n//\n// Here the group is the set of pairs (x,y) of field elements (see fe.h)\n// satisfying -x^2 + y^2 = 1 + d x^2y^2\n// where d = -121665/121666.\n//\n// Representations:\n// ge_p2 (projective): (X:Y:Z) satisfying x=X/Z, y=Y/Z\n// ge_p3 (extended): (X:Y:Z:T) satisfying x=X/Z, y=Y/Z, XY=ZT\n// ge_p1p1 (completed): ((X:Z),(Y:T)) satisfying x=X/Z, y=Y/T\n// ge_precomp (Duif): (y+x,y-x,2dxy)\n\ntypedef struct {\n fe X;\n fe Y;\n fe Z;\n} ge_p2;\n\ntypedef struct {\n fe X;\n fe Y;\n fe Z;\n fe T;\n} ge_p3;\n\ntypedef struct {\n fe_loose X;\n fe_loose Y;\n fe_loose Z;\n fe_loose T;\n} ge_p1p1;\n\ntypedef struct {\n fe_loose yplusx;\n fe_loose yminusx;\n fe_loose xy2d;\n} ge_precomp;\n\ntypedef struct {\n fe_loose YplusX;\n fe_loose YminusX;\n fe_loose Z;\n fe_loose T2d;\n} ge_cached;\n\nvoid x25519_ge_tobytes(uint8_t s[32], const ge_p2 *h);\nint x25519_ge_frombytes_vartime(ge_p3 *h, const uint8_t s[32]);\nvoid x25519_ge_p3_to_cached(ge_cached *r, const ge_p3 *p);\nvoid x25519_ge_p1p1_to_p2(ge_p2 *r, const ge_p1p1 *p);\nvoid x25519_ge_p1p1_to_p3(ge_p3 *r, const ge_p1p1 *p);\nvoid x25519_ge_add(ge_p1p1 *r, const ge_p3 *p, const ge_cached *q);\nvoid x25519_ge_sub(ge_p1p1 *r, const ge_p3 *p, const ge_cached *q);\nvoid x25519_ge_scalarmult_small_precomp(\n ge_p3 *h, const uint8_t a[32], const uint8_t precomp_table[15 * 2 * 32]);\nvoid x25519_ge_scalarmult_base(ge_p3 *h, const uint8_t a[32]);\nvoid x25519_ge_scalarmult(ge_p2 *r, const uint8_t *scalar, const ge_p3 *A);\nvoid x25519_sc_reduce(uint8_t s[64]);\n\nenum spake2_state_t {\n spake2_state_init = 0,\n spake2_state_msg_generated,\n spake2_state_key_generated,\n};\n\nstruct spake2_ctx_st {\n uint8_t private_key[32];\n uint8_t my_msg[32];\n uint8_t password_scalar[32];\n uint8_t password_hash[64];\n uint8_t *my_name;\n size_t my_name_len;\n uint8_t *their_name;\n size_t their_name_len;\n enum spake2_role_t my_role;\n enum spake2_state_t state;\n char disable_password_scalar_hack;\n};\n\n\nextern const uint8_t k25519Precomp[32][8][3][32];\n\n#if defined(__cplusplus)\n} // extern C\n#endif\n\n#endif // OPENSSL_HEADER_CURVE25519_INTERNAL_H\n" }, { "path": "Sources/CNIOBoringSSL/crypto/curve25519/spake25519.cc", "content": "/* Copyright 2016 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n#include \n\n#include \n#include \n\n#include \n#include \n#include \n#include \n\n#include \"../fipsmodule/bn/internal.h\"\n#include \"../internal.h\"\n#include \"./internal.h\"\n\n\n// The following precomputation tables are for the following\n// points used in the SPAKE2 protocol.\n//\n// N:\n// x:\n// 49918732221787544735331783592030787422991506689877079631459872391322455579424\n// y:\n// 54629554431565467720832445949441049581317094546788069926228343916274969994000\n// encoded: 10e3df0ae37d8e7a99b5fe74b44672103dbddcbd06af680d71329a11693bc778\n//\n// M:\n// x:\n// 31406539342727633121250288103050113562375374900226415211311216773867585644232\n// y:\n// 21177308356423958466833845032658859666296341766942662650232962324899758529114\n// encoded: 5ada7e4bf6ddd9adb6626d32131c6b5c51a1e347a3478f53cfcf441b88eed12e\n//\n// These points and their precomputation tables are generated with the\n// following Python code. For a description of the precomputation table,\n// see curve25519.c in this directory.\n//\n// Exact copies of the source code are kept in bug 27296743.\n\n/*\nimport hashlib\nimport ed25519 as E # http://ed25519.cr.yp.to/python/ed25519.py\n\nSEED_N = 'edwards25519 point generation seed (N)'\nSEED_M = 'edwards25519 point generation seed (M)'\n\ndef genpoint(seed):\n v = hashlib.sha256(seed).digest()\n it = 1\n while True:\n try:\n x,y = E.decodepoint(v)\n except Exception, e:\n print e\n it += 1\n v = hashlib.sha256(v).digest()\n continue\n print \"Found in %d iterations:\" % it\n print \" x = %d\" % x\n print \" y = %d\" % y\n print \" Encoded (hex)\"\n print E.encodepoint((x,y)).encode('hex')\n return (x,y)\n\ndef gentable(P):\n t = []\n for i in range(1,16):\n k = ((i >> 3 & 1) * (1 << 192) +\n (i >> 2 & 1) * (1 << 128) +\n (i >> 1 & 1) * (1 << 64) +\n (i & 1))\n t.append(E.scalarmult(P, k))\n return ''.join(E.encodeint(x) + E.encodeint(y) for (x,y) in t)\n\ndef printtable(table, name):\n print \"static const uint8_t %s[15 * 2 * 32] = {\" % name,\n for i in range(15 * 2 * 32):\n if i % 12 == 0:\n print \"\\n \",\n print \" 0x%02x,\" % ord(table[i]),\n print \"\\n};\"\n\nif __name__ == \"__main__\":\n print \"Searching for N\"\n N = genpoint(SEED_N)\n print \"Generating precomputation table for N\"\n Ntable = gentable(N)\n printtable(Ntable, \"kSpakeNSmallPrecomp\")\n\n print \"Searching for M\"\n M = genpoint(SEED_M)\n print \"Generating precomputation table for M\"\n Mtable = gentable(M)\n printtable(Mtable, \"kSpakeMSmallPrecomp\")\n*/\n\nstatic const uint8_t kSpakeNSmallPrecomp[15 * 2 * 32] = {\n 0x20, 0x1b, 0xc5, 0xb3, 0x43, 0x17, 0x71, 0x10, 0x44, 0x1e, 0x73, 0xb3,\n 0xae, 0x3f, 0xbf, 0x9f, 0xf5, 0x44, 0xc8, 0x13, 0x8f, 0xd1, 0x01, 0xc2,\n 0x8a, 0x1a, 0x6d, 0xea, 0x4d, 0x00, 0x5d, 0x6e, 0x10, 0xe3, 0xdf, 0x0a,\n 0xe3, 0x7d, 0x8e, 0x7a, 0x99, 0xb5, 0xfe, 0x74, 0xb4, 0x46, 0x72, 0x10,\n 0x3d, 0xbd, 0xdc, 0xbd, 0x06, 0xaf, 0x68, 0x0d, 0x71, 0x32, 0x9a, 0x11,\n 0x69, 0x3b, 0xc7, 0x78, 0x93, 0xf1, 0x57, 0x97, 0x6e, 0xf0, 0x6e, 0x45,\n 0x37, 0x4a, 0xf4, 0x0b, 0x18, 0x51, 0xf5, 0x4f, 0x67, 0x3c, 0xdc, 0xec,\n 0x84, 0xed, 0xd0, 0xeb, 0xca, 0xfb, 0xdb, 0xff, 0x7f, 0xeb, 0xa8, 0x23,\n 0x68, 0x87, 0x13, 0x64, 0x6a, 0x10, 0xf7, 0x45, 0xe0, 0x0f, 0x32, 0x21,\n 0x59, 0x7c, 0x0e, 0x50, 0xad, 0x56, 0xd7, 0x12, 0x69, 0x7b, 0x58, 0xf8,\n 0xb9, 0x3b, 0xa5, 0xbb, 0x4d, 0x1b, 0x87, 0x1c, 0x46, 0xa7, 0x17, 0x9d,\n 0x6d, 0x84, 0x45, 0xbe, 0x7f, 0x95, 0xd2, 0x34, 0xcd, 0x89, 0x95, 0xc0,\n 0xf0, 0xd3, 0xdf, 0x6e, 0x10, 0x4a, 0xe3, 0x7b, 0xce, 0x7f, 0x40, 0x27,\n 0xc7, 0x2b, 0xab, 0x66, 0x03, 0x59, 0xb4, 0x7b, 0xc7, 0xc7, 0xf0, 0x39,\n 0x9a, 0x33, 0x35, 0xbf, 0xcc, 0x2f, 0xf3, 0x2e, 0x68, 0x9d, 0x53, 0x5c,\n 0x88, 0x52, 0xe3, 0x77, 0x90, 0xa1, 0x27, 0x85, 0xc5, 0x74, 0x7f, 0x23,\n 0x0e, 0x93, 0x01, 0x3e, 0xe7, 0x2e, 0x2e, 0x95, 0xf3, 0x0d, 0xc2, 0x25,\n 0x25, 0x39, 0x39, 0x3d, 0x6e, 0x8e, 0x89, 0xbd, 0xe8, 0xbb, 0x67, 0x5e,\n 0x8c, 0x66, 0x8b, 0x63, 0x28, 0x1e, 0x4e, 0x74, 0x85, 0xa8, 0xaf, 0x0f,\n 0x12, 0x5d, 0xb6, 0x8a, 0x83, 0x1a, 0x77, 0x76, 0x5e, 0x62, 0x8a, 0xa7,\n 0x3c, 0xb8, 0x05, 0x57, 0x2b, 0xaf, 0x36, 0x2e, 0x10, 0x90, 0xb2, 0x39,\n 0xb4, 0x3e, 0x75, 0x6d, 0x3a, 0xa8, 0x31, 0x35, 0xc2, 0x1e, 0x8f, 0xc2,\n 0x79, 0x89, 0x35, 0x16, 0x26, 0xd1, 0xc7, 0x0b, 0x04, 0x1f, 0x1d, 0xf9,\n 0x9c, 0x05, 0xa6, 0x6b, 0xb5, 0x19, 0x5a, 0x24, 0x6d, 0x91, 0xc5, 0x31,\n 0xfd, 0xc5, 0xfa, 0xe7, 0xa6, 0xcb, 0x0e, 0x4b, 0x18, 0x0d, 0x94, 0xc7,\n 0xee, 0x1d, 0x46, 0x1f, 0x92, 0xb1, 0xb2, 0x4a, 0x2b, 0x43, 0x37, 0xfe,\n 0xc2, 0x15, 0x11, 0x89, 0xef, 0x59, 0x73, 0x3c, 0x06, 0x76, 0x78, 0xcb,\n 0xa6, 0x0d, 0x79, 0x5f, 0x28, 0x0b, 0x5b, 0x8c, 0x9e, 0xe4, 0xaa, 0x51,\n 0x9a, 0x42, 0x6f, 0x11, 0x50, 0x3d, 0x01, 0xd6, 0x21, 0xc0, 0x99, 0x5e,\n 0x1a, 0xe8, 0x81, 0x25, 0x80, 0xeb, 0xed, 0x5d, 0x37, 0x47, 0x30, 0x70,\n 0xa0, 0x4e, 0x0b, 0x43, 0x17, 0xbe, 0xb6, 0x47, 0xe7, 0x2a, 0x62, 0x9d,\n 0x5d, 0xa6, 0xc5, 0x33, 0x62, 0x9d, 0x56, 0x24, 0x9d, 0x1d, 0xb2, 0x13,\n 0xbc, 0x17, 0x66, 0x43, 0xd1, 0x68, 0xd5, 0x3b, 0x17, 0x69, 0x17, 0xa6,\n 0x06, 0x9e, 0x12, 0xb8, 0x7c, 0xd5, 0xaf, 0x3e, 0x21, 0x1b, 0x31, 0xeb,\n 0x0b, 0xa4, 0x98, 0x1c, 0xf2, 0x6a, 0x5e, 0x7c, 0x9b, 0x45, 0x8f, 0xb2,\n 0x12, 0x06, 0xd5, 0x8c, 0x1d, 0xb2, 0xa7, 0x57, 0x5f, 0x2f, 0x4f, 0xdb,\n 0x52, 0x99, 0x7c, 0x58, 0x01, 0x5f, 0xf2, 0xa5, 0xf6, 0x51, 0x86, 0x21,\n 0x2f, 0x5b, 0x8d, 0x6a, 0xae, 0x83, 0x34, 0x6d, 0x58, 0x4b, 0xef, 0xfe,\n 0xbf, 0x73, 0x5d, 0xdb, 0xc4, 0x97, 0x2a, 0x85, 0xf3, 0x6c, 0x46, 0x42,\n 0xb3, 0x90, 0xc1, 0x57, 0x97, 0x50, 0x35, 0xb1, 0x9d, 0xb7, 0xc7, 0x3c,\n 0x85, 0x6d, 0x6c, 0xfd, 0xce, 0xb0, 0xc9, 0xa2, 0x77, 0xee, 0xc3, 0x6b,\n 0x0c, 0x37, 0xfa, 0x30, 0x91, 0xd1, 0x2c, 0xb8, 0x5e, 0x7f, 0x81, 0x5f,\n 0x87, 0xfd, 0x18, 0x02, 0x5a, 0x30, 0x4e, 0x62, 0xbc, 0x65, 0xc6, 0xce,\n 0x1a, 0xcf, 0x2b, 0xaa, 0x56, 0x3e, 0x4d, 0xcf, 0xba, 0x62, 0x5f, 0x9a,\n 0xd0, 0x72, 0xff, 0xef, 0x28, 0xbd, 0xbe, 0xd8, 0x57, 0x3d, 0xf5, 0x57,\n 0x7d, 0xe9, 0x71, 0x31, 0xec, 0x98, 0x90, 0x94, 0xd9, 0x54, 0xbf, 0x84,\n 0x0b, 0xe3, 0x06, 0x47, 0x19, 0x9a, 0x13, 0x1d, 0xef, 0x9d, 0x13, 0xf3,\n 0xdb, 0xc3, 0x5c, 0x72, 0x9e, 0xed, 0x24, 0xaa, 0x64, 0xed, 0xe7, 0x0d,\n 0xa0, 0x7c, 0x73, 0xba, 0x9b, 0x86, 0xa7, 0x3b, 0x55, 0xab, 0x58, 0x30,\n 0xf1, 0x15, 0x81, 0x83, 0x2f, 0xf9, 0x62, 0x84, 0x98, 0x66, 0xf6, 0x55,\n 0x21, 0xd8, 0xf2, 0x25, 0x64, 0x71, 0x4b, 0x12, 0x76, 0x59, 0xc5, 0xaa,\n 0x93, 0x67, 0xc3, 0x86, 0x25, 0xab, 0x4e, 0x4b, 0xf6, 0xd8, 0x3f, 0x44,\n 0x2e, 0x11, 0xe0, 0xbd, 0x6a, 0xf2, 0x5d, 0xf5, 0xf9, 0x53, 0xea, 0xa4,\n 0xc8, 0xd9, 0x50, 0x33, 0x81, 0xd9, 0xa8, 0x2d, 0x91, 0x7d, 0x13, 0x2a,\n 0x11, 0xcf, 0xde, 0x3f, 0x0a, 0xd2, 0xbc, 0x33, 0xb2, 0x62, 0x53, 0xea,\n 0x77, 0x88, 0x43, 0x66, 0x27, 0x43, 0x85, 0xe9, 0x5f, 0x55, 0xf5, 0x2a,\n 0x8a, 0xac, 0xdf, 0xff, 0x9b, 0x4c, 0x96, 0x9c, 0xa5, 0x7a, 0xce, 0xd5,\n 0x79, 0x18, 0xf1, 0x0b, 0x58, 0x95, 0x7a, 0xe7, 0xd3, 0x74, 0x65, 0x0b,\n 0xa4, 0x64, 0x30, 0xe8, 0x5c, 0xfc, 0x55, 0x56, 0xee, 0x14, 0x14, 0xd3,\n 0x45, 0x3b, 0xf8, 0xde, 0x05, 0x3e, 0xb9, 0x3c, 0xd7, 0x6a, 0x52, 0x72,\n 0x5b, 0x39, 0x09, 0xbe, 0x82, 0x23, 0x10, 0x4a, 0xb7, 0xc3, 0xdc, 0x4c,\n 0x5d, 0xc9, 0xf1, 0x14, 0x83, 0xf9, 0x0b, 0x9b, 0xe9, 0x23, 0x84, 0x6a,\n 0xc4, 0x08, 0x3d, 0xda, 0x3d, 0x12, 0x95, 0x87, 0x18, 0xa4, 0x7d, 0x3f,\n 0x23, 0xde, 0xd4, 0x1e, 0xa8, 0x47, 0xc3, 0x71, 0xdb, 0xf5, 0x03, 0x6c,\n 0x57, 0xe7, 0xa4, 0x43, 0x82, 0x33, 0x7b, 0x62, 0x46, 0x7d, 0xf7, 0x10,\n 0x69, 0x18, 0x38, 0x27, 0x9a, 0x6f, 0x38, 0xac, 0xfa, 0x92, 0xc5, 0xae,\n 0x66, 0xa6, 0x73, 0x95, 0x15, 0x0e, 0x4c, 0x04, 0xb6, 0xfc, 0xf5, 0xc7,\n 0x21, 0x3a, 0x99, 0xdb, 0x0e, 0x36, 0xf0, 0x56, 0xbc, 0x75, 0xf9, 0x87,\n 0x9b, 0x11, 0x18, 0x92, 0x64, 0x1a, 0xe7, 0xc7, 0xab, 0x5a, 0xc7, 0x26,\n 0x7f, 0x13, 0x98, 0x42, 0x52, 0x43, 0xdb, 0xc8, 0x6d, 0x0b, 0xb7, 0x31,\n 0x93, 0x24, 0xd6, 0xe8, 0x24, 0x1f, 0x6f, 0x21, 0xa7, 0x8c, 0xeb, 0xdb,\n 0x83, 0xb8, 0x89, 0xe3, 0xc1, 0xd7, 0x69, 0x3b, 0x02, 0x6b, 0x54, 0x0f,\n 0x84, 0x2f, 0xb5, 0x5c, 0x17, 0x77, 0xbe, 0xe5, 0x61, 0x0d, 0xc5, 0xdf,\n 0x3b, 0xcf, 0x3e, 0x93, 0x4f, 0xf5, 0x89, 0xb9, 0x5a, 0xc5, 0x29, 0x31,\n 0xc0, 0xc2, 0xff, 0xe5, 0x3f, 0xa6, 0xac, 0x03, 0xca, 0xf5, 0xff, 0xe0,\n 0x36, 0xce, 0xf3, 0xe2, 0xb7, 0x9c, 0x02, 0xe9, 0x9e, 0xd2, 0xbc, 0x87,\n 0x2f, 0x3d, 0x9a, 0x1d, 0x8f, 0xc5, 0x72, 0xb8, 0xa2, 0x01, 0xd4, 0x68,\n 0xb1, 0x84, 0x16, 0x10, 0xf6, 0xf3, 0x52, 0x25, 0xd9, 0xdc, 0x4c, 0xdd,\n 0x0f, 0xd6, 0x4a, 0xcf, 0x60, 0x96, 0x7e, 0xcc, 0x42, 0x0f, 0x64, 0x9d,\n 0x72, 0x46, 0x04, 0x07, 0xf2, 0x5b, 0xf4, 0x07, 0xd1, 0xf4, 0x59, 0x71,\n};\n\nstatic const uint8_t kSpakeMSmallPrecomp[15 * 2 * 32] = {\n 0xc8, 0xa6, 0x63, 0xc5, 0x97, 0xf1, 0xee, 0x40, 0xab, 0x62, 0x42, 0xee,\n 0x25, 0x6f, 0x32, 0x6c, 0x75, 0x2c, 0xa7, 0xd3, 0xbd, 0x32, 0x3b, 0x1e,\n 0x11, 0x9c, 0xbd, 0x04, 0xa9, 0x78, 0x6f, 0x45, 0x5a, 0xda, 0x7e, 0x4b,\n 0xf6, 0xdd, 0xd9, 0xad, 0xb6, 0x62, 0x6d, 0x32, 0x13, 0x1c, 0x6b, 0x5c,\n 0x51, 0xa1, 0xe3, 0x47, 0xa3, 0x47, 0x8f, 0x53, 0xcf, 0xcf, 0x44, 0x1b,\n 0x88, 0xee, 0xd1, 0x2e, 0x03, 0x89, 0xaf, 0xc0, 0x61, 0x2d, 0x9e, 0x35,\n 0xeb, 0x0e, 0x03, 0xe0, 0xb7, 0xfb, 0xa5, 0xbc, 0x44, 0xbe, 0x0c, 0x89,\n 0x0a, 0x0f, 0xd6, 0x59, 0x47, 0x9e, 0xe6, 0x3d, 0x36, 0x9d, 0xff, 0x44,\n 0x5e, 0xac, 0xab, 0xe5, 0x3a, 0xd5, 0xb0, 0x35, 0x9f, 0x6d, 0x7f, 0xba,\n 0xc0, 0x85, 0x0e, 0xf4, 0x70, 0x3f, 0x13, 0x90, 0x4c, 0x50, 0x1a, 0xee,\n 0xc5, 0xeb, 0x69, 0xfe, 0x98, 0x42, 0x87, 0x1d, 0xce, 0x6c, 0x29, 0xaa,\n 0x2b, 0x31, 0xc2, 0x38, 0x7b, 0x6b, 0xee, 0x88, 0x0b, 0xba, 0xce, 0xa8,\n 0xca, 0x19, 0x60, 0x1b, 0x16, 0xf1, 0x25, 0x1e, 0xcf, 0x63, 0x66, 0x1e,\n 0xbb, 0x63, 0xeb, 0x7d, 0xca, 0xd2, 0xb4, 0x23, 0x5a, 0x01, 0x6f, 0x05,\n 0xd1, 0xdc, 0x41, 0x73, 0x75, 0xc0, 0xfd, 0x30, 0x91, 0x52, 0x68, 0x96,\n 0x45, 0xb3, 0x66, 0x01, 0x3b, 0x53, 0x89, 0x3c, 0x69, 0xbc, 0x6c, 0x69,\n 0xe3, 0x51, 0x8f, 0xe3, 0xd2, 0x84, 0xd5, 0x28, 0x66, 0xb5, 0xe6, 0x06,\n 0x09, 0xfe, 0x6d, 0xb0, 0x72, 0x16, 0xe0, 0x8a, 0xce, 0x61, 0x65, 0xa9,\n 0x21, 0x32, 0x48, 0xdc, 0x7a, 0x1d, 0xe1, 0x38, 0x7f, 0x8c, 0x75, 0x88,\n 0x3d, 0x08, 0xa9, 0x4a, 0x6f, 0x3d, 0x9f, 0x7f, 0x3f, 0xbd, 0x57, 0x6b,\n 0x19, 0xce, 0x3f, 0x4a, 0xc9, 0xd3, 0xf9, 0x6e, 0x72, 0x7b, 0x5b, 0x74,\n 0xea, 0xbe, 0x9c, 0x7a, 0x6d, 0x9c, 0x40, 0x49, 0xe6, 0xfb, 0x2a, 0x1a,\n 0x75, 0x70, 0xe5, 0x4e, 0xed, 0x74, 0xe0, 0x75, 0xac, 0xc0, 0xb1, 0x11,\n 0x3e, 0xf2, 0xaf, 0x88, 0x4d, 0x66, 0xb6, 0xf6, 0x15, 0x4f, 0x3c, 0x6c,\n 0x77, 0xae, 0x47, 0x51, 0x63, 0x9a, 0xfe, 0xe1, 0xb4, 0x1a, 0x12, 0xdf,\n 0xe9, 0x54, 0x8d, 0x3b, 0x30, 0x2a, 0x75, 0xe3, 0xe5, 0x29, 0xb1, 0x4c,\n 0xb0, 0x7c, 0x6d, 0xb5, 0xae, 0x85, 0xdb, 0x1e, 0x38, 0x55, 0x96, 0xa5,\n 0x5b, 0x9f, 0x15, 0x23, 0x28, 0x36, 0xb8, 0xa2, 0x41, 0xb4, 0xd7, 0x19,\n 0x91, 0x8d, 0x26, 0x3e, 0xca, 0x9c, 0x05, 0x7a, 0x2b, 0x60, 0x45, 0x86,\n 0x8b, 0xee, 0x64, 0x6f, 0x5c, 0x09, 0x4d, 0x4b, 0x5a, 0x7f, 0xb0, 0xc3,\n 0x26, 0x9d, 0x8b, 0xb8, 0x83, 0x69, 0xcf, 0x16, 0x72, 0x62, 0x3e, 0x5e,\n 0x53, 0x4f, 0x9c, 0x73, 0x76, 0xfc, 0x19, 0xef, 0xa0, 0x74, 0x3a, 0x11,\n 0x1e, 0xd0, 0x4d, 0xb7, 0x87, 0xa1, 0xd6, 0x87, 0x6c, 0x0e, 0x6c, 0x8c,\n 0xe9, 0xa0, 0x44, 0xc4, 0x72, 0x3e, 0x73, 0x17, 0x13, 0xd1, 0x4e, 0x3d,\n 0x8e, 0x1d, 0x5a, 0x8b, 0x75, 0xcb, 0x59, 0x2c, 0x47, 0x87, 0x15, 0x41,\n 0xfe, 0x08, 0xe9, 0xa6, 0x97, 0x17, 0x08, 0x26, 0x6a, 0xb5, 0xbb, 0x73,\n 0xaa, 0xb8, 0x5b, 0x65, 0x65, 0x5b, 0x30, 0x9e, 0x62, 0x59, 0x02, 0xf8,\n 0xb8, 0x0f, 0x32, 0x10, 0xc1, 0x36, 0x08, 0x52, 0x98, 0x4a, 0x1e, 0xf0,\n 0xab, 0x21, 0x5e, 0xde, 0x16, 0x0c, 0xda, 0x09, 0x99, 0x6b, 0x9e, 0xc0,\n 0x90, 0xa5, 0x5a, 0xcc, 0xb0, 0xb7, 0xbb, 0xd2, 0x8b, 0x5f, 0xd3, 0x3b,\n 0x3e, 0x8c, 0xa5, 0x71, 0x66, 0x06, 0xe3, 0x28, 0xd4, 0xf8, 0x3f, 0xe5,\n 0x27, 0xdf, 0xfe, 0x0f, 0x09, 0xb2, 0x8a, 0x09, 0x5a, 0x23, 0x61, 0x0d,\n 0x2d, 0xf5, 0x44, 0xf1, 0x5c, 0xf8, 0x82, 0x4e, 0xdc, 0x78, 0x7a, 0xab,\n 0xc3, 0x57, 0x91, 0xaf, 0x65, 0x6e, 0x71, 0xf1, 0x44, 0xbf, 0xed, 0x43,\n 0x50, 0xb4, 0x67, 0x48, 0xef, 0x5a, 0x10, 0x46, 0x81, 0xb4, 0x0c, 0xc8,\n 0x48, 0xed, 0x99, 0x7a, 0x45, 0xa5, 0x92, 0xc3, 0x69, 0xd6, 0xd7, 0x8a,\n 0x20, 0x1b, 0xeb, 0x8f, 0xb2, 0xff, 0xec, 0x6d, 0x76, 0x04, 0xf8, 0xc2,\n 0x58, 0x9b, 0xf2, 0x20, 0x53, 0xc4, 0x74, 0x91, 0x19, 0xdd, 0x2d, 0x12,\n 0x53, 0xc7, 0x6e, 0xd0, 0x02, 0x51, 0x3c, 0xa6, 0x7d, 0x80, 0x75, 0x6b,\n 0x1d, 0xdf, 0xf8, 0x6a, 0x52, 0xbb, 0x81, 0xf8, 0x30, 0x45, 0xef, 0x51,\n 0x85, 0x36, 0xbe, 0x8e, 0xcf, 0x0b, 0x9a, 0x46, 0xe8, 0x3f, 0x99, 0xfd,\n 0xf7, 0xd9, 0x3e, 0x84, 0xe5, 0xe3, 0x37, 0xcf, 0x98, 0x7f, 0xeb, 0x5e,\n 0x5a, 0x53, 0x77, 0x1c, 0x20, 0xdc, 0xf1, 0x20, 0x99, 0xec, 0x60, 0x40,\n 0x93, 0xef, 0x5c, 0x1c, 0x81, 0xe2, 0xa5, 0xad, 0x2a, 0xc2, 0xdb, 0x6b,\n 0xc1, 0x7e, 0x8f, 0xa9, 0x23, 0x5b, 0xd9, 0x0d, 0xfe, 0xa0, 0xac, 0x11,\n 0x28, 0xba, 0x8e, 0x92, 0x07, 0x2d, 0x07, 0x40, 0x83, 0x14, 0x4c, 0x35,\n 0x8d, 0xd0, 0x11, 0xff, 0x98, 0xdb, 0x00, 0x30, 0x6f, 0x65, 0xb6, 0xa0,\n 0x7f, 0x9c, 0x08, 0xb8, 0xce, 0xb3, 0xa8, 0x42, 0xd3, 0x84, 0x45, 0xe1,\n 0xe3, 0x8f, 0xa6, 0x89, 0x21, 0xd7, 0x74, 0x02, 0x4d, 0x64, 0xdf, 0x54,\n 0x15, 0x9e, 0xba, 0x12, 0x49, 0x09, 0x41, 0xf6, 0x10, 0x24, 0xa1, 0x84,\n 0x15, 0xfd, 0x68, 0x6a, 0x57, 0x66, 0xb3, 0x6d, 0x4c, 0xea, 0xbf, 0xbc,\n 0x60, 0x3f, 0x52, 0x1c, 0x44, 0x1b, 0xc0, 0x4a, 0x25, 0xe3, 0xd9, 0x4c,\n 0x9a, 0x74, 0xad, 0xfc, 0x9e, 0x8d, 0x0b, 0x18, 0x66, 0x24, 0xd1, 0x06,\n 0xac, 0x68, 0xc1, 0xae, 0x14, 0xce, 0xb1, 0xf3, 0x86, 0x9f, 0x87, 0x11,\n 0xd7, 0x9f, 0x30, 0x92, 0xdb, 0xec, 0x0b, 0x4a, 0xe8, 0xf6, 0x53, 0x36,\n 0x68, 0x12, 0x11, 0x5e, 0xe0, 0x34, 0xa4, 0xff, 0x00, 0x0a, 0x26, 0xb8,\n 0x62, 0x79, 0x9c, 0x0c, 0xd5, 0xe5, 0xf5, 0x1c, 0x1a, 0x16, 0x84, 0x4d,\n 0x8e, 0x5d, 0x31, 0x7e, 0xf7, 0xe2, 0xd3, 0xa1, 0x41, 0x90, 0x61, 0x5d,\n 0x04, 0xb2, 0x9a, 0x18, 0x9e, 0x54, 0xfb, 0xd1, 0x61, 0x95, 0x1b, 0x08,\n 0xca, 0x7c, 0x49, 0x44, 0x74, 0x1d, 0x2f, 0xca, 0xc4, 0x7a, 0xe1, 0x8b,\n 0x2f, 0xbb, 0x96, 0xee, 0x19, 0x8a, 0x5d, 0xfb, 0x3e, 0x82, 0xe7, 0x15,\n 0xdb, 0x29, 0x14, 0xee, 0xc9, 0x4d, 0x9a, 0xfb, 0x9f, 0x8a, 0xbb, 0x17,\n 0x37, 0x1b, 0x6e, 0x28, 0x6c, 0xf9, 0xff, 0xb5, 0xb5, 0x8b, 0x9d, 0x88,\n 0x20, 0x08, 0x10, 0xd7, 0xca, 0x58, 0xf6, 0xe1, 0x32, 0x91, 0x6f, 0x36,\n 0xc0, 0xad, 0xc1, 0x57, 0x5d, 0x76, 0x31, 0x43, 0xf3, 0xdd, 0xec, 0xf1,\n 0xa9, 0x79, 0xe9, 0xe9, 0x85, 0xd7, 0x91, 0xc7, 0x31, 0x62, 0x3c, 0xd2,\n 0x90, 0x2c, 0x9c, 0xa4, 0x56, 0x37, 0x7b, 0xbe, 0x40, 0x58, 0xc0, 0x81,\n 0x83, 0x22, 0xe8, 0x13, 0x79, 0x18, 0xdb, 0x3a, 0x1b, 0x31, 0x0d, 0x00,\n 0x6c, 0x22, 0x62, 0x75, 0x70, 0xd8, 0x96, 0x59, 0x99, 0x44, 0x79, 0x71,\n 0xa6, 0x76, 0x81, 0x28, 0xb2, 0x65, 0xe8, 0x47, 0x14, 0xc6, 0x39, 0x06,\n};\n\nSPAKE2_CTX *SPAKE2_CTX_new(enum spake2_role_t my_role, const uint8_t *my_name,\n size_t my_name_len, const uint8_t *their_name,\n size_t their_name_len) {\n SPAKE2_CTX *ctx =\n reinterpret_cast(OPENSSL_zalloc(sizeof(SPAKE2_CTX)));\n if (ctx == NULL) {\n return NULL;\n }\n\n ctx->my_role = my_role;\n\n CBS my_name_cbs, their_name_cbs;\n CBS_init(&my_name_cbs, my_name, my_name_len);\n CBS_init(&their_name_cbs, their_name, their_name_len);\n if (!CBS_stow(&my_name_cbs, &ctx->my_name, &ctx->my_name_len) ||\n !CBS_stow(&their_name_cbs, &ctx->their_name, &ctx->their_name_len)) {\n SPAKE2_CTX_free(ctx);\n return NULL;\n }\n\n return ctx;\n}\n\nvoid SPAKE2_CTX_free(SPAKE2_CTX *ctx) {\n if (ctx == NULL) {\n return;\n }\n\n OPENSSL_free(ctx->my_name);\n OPENSSL_free(ctx->their_name);\n OPENSSL_free(ctx);\n}\n\n// left_shift_3 sets |n| to |n|*8, where |n| is represented in little-endian\n// order.\nstatic void left_shift_3(uint8_t n[32]) {\n uint8_t carry = 0;\n unsigned i;\n\n for (i = 0; i < 32; i++) {\n const uint8_t next_carry = n[i] >> 5;\n n[i] = (n[i] << 3) | carry;\n carry = next_carry;\n }\n}\n\nnamespace {\ntypedef struct {\n BN_ULONG words[32 / sizeof(BN_ULONG)];\n} scalar;\n} // namespace\n\n// kOrder is the order of the prime-order subgroup of curve25519.\nstatic const scalar kOrder = {\n {TOBN(0x5812631a, 0x5cf5d3ed), TOBN(0x14def9de, 0xa2f79cd6),\n TOBN(0x00000000, 0x00000000), TOBN(0x10000000, 0x00000000)}};\n\n// scalar_cmov copies |src| to |dest| if |mask| is all ones.\nstatic void scalar_cmov(scalar *dest, const scalar *src, crypto_word_t mask) {\n bn_select_words(dest->words, mask, src->words, dest->words,\n OPENSSL_ARRAY_SIZE(dest->words));\n}\n\n// scalar_double sets |s| to |2×s|.\nstatic void scalar_double(scalar *s) {\n bn_add_words(s->words, s->words, s->words, OPENSSL_ARRAY_SIZE(s->words));\n}\n\n// scalar_add sets |dest| to |dest| plus |src|.\nstatic void scalar_add(scalar *dest, const scalar *src) {\n bn_add_words(dest->words, dest->words, src->words,\n OPENSSL_ARRAY_SIZE(dest->words));\n}\n\nint SPAKE2_generate_msg(SPAKE2_CTX *ctx, uint8_t *out, size_t *out_len,\n size_t max_out_len, const uint8_t *password,\n size_t password_len) {\n if (ctx->state != spake2_state_init) {\n return 0;\n }\n\n if (max_out_len < sizeof(ctx->my_msg)) {\n return 0;\n }\n\n uint8_t private_tmp[64];\n RAND_bytes(private_tmp, sizeof(private_tmp));\n x25519_sc_reduce(private_tmp);\n // Multiply by the cofactor (eight) so that we'll clear it when operating on\n // the peer's point later in the protocol.\n left_shift_3(private_tmp);\n OPENSSL_memcpy(ctx->private_key, private_tmp, sizeof(ctx->private_key));\n\n ge_p3 P;\n x25519_ge_scalarmult_base(&P, ctx->private_key);\n\n // mask = h(password) * .\n uint8_t password_tmp[SHA512_DIGEST_LENGTH];\n SHA512(password, password_len, password_tmp);\n OPENSSL_memcpy(ctx->password_hash, password_tmp, sizeof(ctx->password_hash));\n x25519_sc_reduce(password_tmp);\n\n // Due to a copy-paste error, the call to |left_shift_3| was omitted after\n // the |x25519_sc_reduce|, just above. This meant that |ctx->password_scalar|\n // was not a multiple of eight to clear the cofactor and thus three bits of\n // the password hash would leak. In order to fix this in a unilateral way,\n // points of small order are added to the mask point such that it is in the\n // prime-order subgroup. Since the ephemeral scalar is a multiple of eight,\n // these points will cancel out when calculating the shared secret.\n //\n // Adding points of small order is the same as adding multiples of the prime\n // order to the password scalar. Since that's faster, that is what is done\n // below. The prime order (kOrder) is a large prime, thus odd, thus the LSB\n // is one. So adding it will flip the LSB. Adding twice it will flip the next\n // bit and so one for all the bottom three bits.\n\n scalar password_scalar;\n OPENSSL_memcpy(&password_scalar, password_tmp, sizeof(password_scalar));\n\n // |password_scalar| is the result of |x25519_sc_reduce| and thus is, at\n // most, $l-1$ (where $l$ is |kOrder|, the order of the prime-order subgroup\n // of Ed25519). In the following, we may add $l + 2×l + 4×l$ for a max value\n // of $8×l-1$. That is < 2**256, as required.\n\n if (!ctx->disable_password_scalar_hack) {\n scalar order = kOrder;\n scalar tmp;\n\n OPENSSL_memset(&tmp, 0, sizeof(tmp));\n scalar_cmov(&tmp, &order,\n constant_time_eq_w(password_scalar.words[0] & 1, 1));\n scalar_add(&password_scalar, &tmp);\n\n scalar_double(&order);\n OPENSSL_memset(&tmp, 0, sizeof(tmp));\n scalar_cmov(&tmp, &order,\n constant_time_eq_w(password_scalar.words[0] & 2, 2));\n scalar_add(&password_scalar, &tmp);\n\n scalar_double(&order);\n OPENSSL_memset(&tmp, 0, sizeof(tmp));\n scalar_cmov(&tmp, &order,\n constant_time_eq_w(password_scalar.words[0] & 4, 4));\n scalar_add(&password_scalar, &tmp);\n\n assert((password_scalar.words[0] & 7) == 0);\n }\n\n OPENSSL_memcpy(ctx->password_scalar, password_scalar.words,\n sizeof(ctx->password_scalar));\n\n ge_p3 mask;\n x25519_ge_scalarmult_small_precomp(&mask, ctx->password_scalar,\n ctx->my_role == spake2_role_alice\n ? kSpakeMSmallPrecomp\n : kSpakeNSmallPrecomp);\n\n // P* = P + mask.\n ge_cached mask_cached;\n x25519_ge_p3_to_cached(&mask_cached, &mask);\n ge_p1p1 Pstar;\n x25519_ge_add(&Pstar, &P, &mask_cached);\n\n // Encode P*\n ge_p2 Pstar_proj;\n x25519_ge_p1p1_to_p2(&Pstar_proj, &Pstar);\n x25519_ge_tobytes(ctx->my_msg, &Pstar_proj);\n\n OPENSSL_memcpy(out, ctx->my_msg, sizeof(ctx->my_msg));\n *out_len = sizeof(ctx->my_msg);\n ctx->state = spake2_state_msg_generated;\n\n return 1;\n}\n\nstatic void update_with_length_prefix(SHA512_CTX *sha, const uint8_t *data,\n const size_t len) {\n uint8_t len_le[8];\n size_t l = len;\n unsigned i;\n\n for (i = 0; i < 8; i++) {\n len_le[i] = l & 0xff;\n l >>= 8;\n }\n\n SHA512_Update(sha, len_le, sizeof(len_le));\n SHA512_Update(sha, data, len);\n}\n\nint SPAKE2_process_msg(SPAKE2_CTX *ctx, uint8_t *out_key, size_t *out_key_len,\n size_t max_out_key_len, const uint8_t *their_msg,\n size_t their_msg_len) {\n if (ctx->state != spake2_state_msg_generated || their_msg_len != 32) {\n return 0;\n }\n\n ge_p3 Qstar;\n if (!x25519_ge_frombytes_vartime(&Qstar, their_msg)) {\n // Point received from peer was not on the curve.\n return 0;\n }\n\n // Unmask peer's value.\n ge_p3 peers_mask;\n x25519_ge_scalarmult_small_precomp(&peers_mask, ctx->password_scalar,\n ctx->my_role == spake2_role_alice\n ? kSpakeNSmallPrecomp\n : kSpakeMSmallPrecomp);\n\n ge_cached peers_mask_cached;\n x25519_ge_p3_to_cached(&peers_mask_cached, &peers_mask);\n\n ge_p1p1 Q_compl;\n ge_p3 Q_ext;\n x25519_ge_sub(&Q_compl, &Qstar, &peers_mask_cached);\n x25519_ge_p1p1_to_p3(&Q_ext, &Q_compl);\n\n ge_p2 dh_shared;\n x25519_ge_scalarmult(&dh_shared, ctx->private_key, &Q_ext);\n\n uint8_t dh_shared_encoded[32];\n x25519_ge_tobytes(dh_shared_encoded, &dh_shared);\n\n SHA512_CTX sha;\n SHA512_Init(&sha);\n if (ctx->my_role == spake2_role_alice) {\n update_with_length_prefix(&sha, ctx->my_name, ctx->my_name_len);\n update_with_length_prefix(&sha, ctx->their_name, ctx->their_name_len);\n update_with_length_prefix(&sha, ctx->my_msg, sizeof(ctx->my_msg));\n update_with_length_prefix(&sha, their_msg, 32);\n } else {\n update_with_length_prefix(&sha, ctx->their_name, ctx->their_name_len);\n update_with_length_prefix(&sha, ctx->my_name, ctx->my_name_len);\n update_with_length_prefix(&sha, their_msg, 32);\n update_with_length_prefix(&sha, ctx->my_msg, sizeof(ctx->my_msg));\n }\n update_with_length_prefix(&sha, dh_shared_encoded, sizeof(dh_shared_encoded));\n update_with_length_prefix(&sha, ctx->password_hash,\n sizeof(ctx->password_hash));\n\n uint8_t key[SHA512_DIGEST_LENGTH];\n SHA512_Final(key, &sha);\n\n size_t to_copy = max_out_key_len;\n if (to_copy > sizeof(key)) {\n to_copy = sizeof(key);\n }\n OPENSSL_memcpy(out_key, key, to_copy);\n *out_key_len = to_copy;\n ctx->state = spake2_state_key_generated;\n\n return 1;\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/des/des.cc", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n\n#include \"internal.h\"\n\n\n/* IP and FP\n * The problem is more of a geometric problem that random bit fiddling.\n 0 1 2 3 4 5 6 7 62 54 46 38 30 22 14 6\n 8 9 10 11 12 13 14 15 60 52 44 36 28 20 12 4\n16 17 18 19 20 21 22 23 58 50 42 34 26 18 10 2\n24 25 26 27 28 29 30 31 to 56 48 40 32 24 16 8 0\n\n32 33 34 35 36 37 38 39 63 55 47 39 31 23 15 7\n40 41 42 43 44 45 46 47 61 53 45 37 29 21 13 5\n48 49 50 51 52 53 54 55 59 51 43 35 27 19 11 3\n56 57 58 59 60 61 62 63 57 49 41 33 25 17 9 1\n\nThe output has been subject to swaps of the form\n0 1 -> 3 1 but the odd and even bits have been put into\n2 3 2 0\ndifferent words. The main trick is to remember that\nt=((l>>size)^r)&(mask);\nr^=t;\nl^=(t<> (n)) ^ (b)) & (m)); \\\n (b) ^= (t); \\\n (a) ^= ((t) << (n)); \\\n } while (0)\n\n#define IP(l, r) \\\n do { \\\n uint32_t tt; \\\n PERM_OP(r, l, tt, 4, 0x0f0f0f0fL); \\\n PERM_OP(l, r, tt, 16, 0x0000ffffL); \\\n PERM_OP(r, l, tt, 2, 0x33333333L); \\\n PERM_OP(l, r, tt, 8, 0x00ff00ffL); \\\n PERM_OP(r, l, tt, 1, 0x55555555L); \\\n } while (0)\n\n#define FP(l, r) \\\n do { \\\n uint32_t tt; \\\n PERM_OP(l, r, tt, 1, 0x55555555L); \\\n PERM_OP(r, l, tt, 8, 0x00ff00ffL); \\\n PERM_OP(l, r, tt, 2, 0x33333333L); \\\n PERM_OP(r, l, tt, 16, 0x0000ffffL); \\\n PERM_OP(l, r, tt, 4, 0x0f0f0f0fL); \\\n } while (0)\n\n#define LOAD_DATA(ks, R, S, u, t, E0, E1) \\\n do { \\\n (u) = (R) ^ (ks)->subkeys[S][0]; \\\n (t) = (R) ^ (ks)->subkeys[S][1]; \\\n } while (0)\n\n#define D_ENCRYPT(ks, LL, R, S) \\\n do { \\\n LOAD_DATA(ks, R, S, u, t, E0, E1); \\\n t = CRYPTO_rotr_u32(t, 4); \\\n (LL) ^= \\\n DES_SPtrans[0][(u >> 2L) & 0x3f] ^ DES_SPtrans[2][(u >> 10L) & 0x3f] ^ \\\n DES_SPtrans[4][(u >> 18L) & 0x3f] ^ \\\n DES_SPtrans[6][(u >> 26L) & 0x3f] ^ DES_SPtrans[1][(t >> 2L) & 0x3f] ^ \\\n DES_SPtrans[3][(t >> 10L) & 0x3f] ^ \\\n DES_SPtrans[5][(t >> 18L) & 0x3f] ^ DES_SPtrans[7][(t >> 26L) & 0x3f]; \\\n } while (0)\n\n#define ITERATIONS 16\n#define HALF_ITERATIONS 8\n\nstatic const uint32_t des_skb[8][64] = {\n { // for C bits (numbered as per FIPS 46) 1 2 3 4 5 6\n 0x00000000, 0x00000010, 0x20000000, 0x20000010, 0x00010000,\n 0x00010010, 0x20010000, 0x20010010, 0x00000800, 0x00000810,\n 0x20000800, 0x20000810, 0x00010800, 0x00010810, 0x20010800,\n 0x20010810, 0x00000020, 0x00000030, 0x20000020, 0x20000030,\n 0x00010020, 0x00010030, 0x20010020, 0x20010030, 0x00000820,\n 0x00000830, 0x20000820, 0x20000830, 0x00010820, 0x00010830,\n 0x20010820, 0x20010830, 0x00080000, 0x00080010, 0x20080000,\n 0x20080010, 0x00090000, 0x00090010, 0x20090000, 0x20090010,\n 0x00080800, 0x00080810, 0x20080800, 0x20080810, 0x00090800,\n 0x00090810, 0x20090800, 0x20090810, 0x00080020, 0x00080030,\n 0x20080020, 0x20080030, 0x00090020, 0x00090030, 0x20090020,\n 0x20090030, 0x00080820, 0x00080830, 0x20080820, 0x20080830,\n 0x00090820, 0x00090830, 0x20090820, 0x20090830, },\n { // for C bits (numbered as per FIPS 46) 7 8 10 11 12 13\n 0x00000000, 0x02000000, 0x00002000, 0x02002000, 0x00200000,\n 0x02200000, 0x00202000, 0x02202000, 0x00000004, 0x02000004,\n 0x00002004, 0x02002004, 0x00200004, 0x02200004, 0x00202004,\n 0x02202004, 0x00000400, 0x02000400, 0x00002400, 0x02002400,\n 0x00200400, 0x02200400, 0x00202400, 0x02202400, 0x00000404,\n 0x02000404, 0x00002404, 0x02002404, 0x00200404, 0x02200404,\n 0x00202404, 0x02202404, 0x10000000, 0x12000000, 0x10002000,\n 0x12002000, 0x10200000, 0x12200000, 0x10202000, 0x12202000,\n 0x10000004, 0x12000004, 0x10002004, 0x12002004, 0x10200004,\n 0x12200004, 0x10202004, 0x12202004, 0x10000400, 0x12000400,\n 0x10002400, 0x12002400, 0x10200400, 0x12200400, 0x10202400,\n 0x12202400, 0x10000404, 0x12000404, 0x10002404, 0x12002404,\n 0x10200404, 0x12200404, 0x10202404, 0x12202404, },\n { // for C bits (numbered as per FIPS 46) 14 15 16 17 19 20\n 0x00000000, 0x00000001, 0x00040000, 0x00040001, 0x01000000,\n 0x01000001, 0x01040000, 0x01040001, 0x00000002, 0x00000003,\n 0x00040002, 0x00040003, 0x01000002, 0x01000003, 0x01040002,\n 0x01040003, 0x00000200, 0x00000201, 0x00040200, 0x00040201,\n 0x01000200, 0x01000201, 0x01040200, 0x01040201, 0x00000202,\n 0x00000203, 0x00040202, 0x00040203, 0x01000202, 0x01000203,\n 0x01040202, 0x01040203, 0x08000000, 0x08000001, 0x08040000,\n 0x08040001, 0x09000000, 0x09000001, 0x09040000, 0x09040001,\n 0x08000002, 0x08000003, 0x08040002, 0x08040003, 0x09000002,\n 0x09000003, 0x09040002, 0x09040003, 0x08000200, 0x08000201,\n 0x08040200, 0x08040201, 0x09000200, 0x09000201, 0x09040200,\n 0x09040201, 0x08000202, 0x08000203, 0x08040202, 0x08040203,\n 0x09000202, 0x09000203, 0x09040202, 0x09040203, },\n { // for C bits (numbered as per FIPS 46) 21 23 24 26 27 28\n 0x00000000, 0x00100000, 0x00000100, 0x00100100, 0x00000008,\n 0x00100008, 0x00000108, 0x00100108, 0x00001000, 0x00101000,\n 0x00001100, 0x00101100, 0x00001008, 0x00101008, 0x00001108,\n 0x00101108, 0x04000000, 0x04100000, 0x04000100, 0x04100100,\n 0x04000008, 0x04100008, 0x04000108, 0x04100108, 0x04001000,\n 0x04101000, 0x04001100, 0x04101100, 0x04001008, 0x04101008,\n 0x04001108, 0x04101108, 0x00020000, 0x00120000, 0x00020100,\n 0x00120100, 0x00020008, 0x00120008, 0x00020108, 0x00120108,\n 0x00021000, 0x00121000, 0x00021100, 0x00121100, 0x00021008,\n 0x00121008, 0x00021108, 0x00121108, 0x04020000, 0x04120000,\n 0x04020100, 0x04120100, 0x04020008, 0x04120008, 0x04020108,\n 0x04120108, 0x04021000, 0x04121000, 0x04021100, 0x04121100,\n 0x04021008, 0x04121008, 0x04021108, 0x04121108, },\n { // for D bits (numbered as per FIPS 46) 1 2 3 4 5 6\n 0x00000000, 0x10000000, 0x00010000, 0x10010000, 0x00000004,\n 0x10000004, 0x00010004, 0x10010004, 0x20000000, 0x30000000,\n 0x20010000, 0x30010000, 0x20000004, 0x30000004, 0x20010004,\n 0x30010004, 0x00100000, 0x10100000, 0x00110000, 0x10110000,\n 0x00100004, 0x10100004, 0x00110004, 0x10110004, 0x20100000,\n 0x30100000, 0x20110000, 0x30110000, 0x20100004, 0x30100004,\n 0x20110004, 0x30110004, 0x00001000, 0x10001000, 0x00011000,\n 0x10011000, 0x00001004, 0x10001004, 0x00011004, 0x10011004,\n 0x20001000, 0x30001000, 0x20011000, 0x30011000, 0x20001004,\n 0x30001004, 0x20011004, 0x30011004, 0x00101000, 0x10101000,\n 0x00111000, 0x10111000, 0x00101004, 0x10101004, 0x00111004,\n 0x10111004, 0x20101000, 0x30101000, 0x20111000, 0x30111000,\n 0x20101004, 0x30101004, 0x20111004, 0x30111004, },\n { // for D bits (numbered as per FIPS 46) 8 9 11 12 13 14\n 0x00000000, 0x08000000, 0x00000008, 0x08000008, 0x00000400,\n 0x08000400, 0x00000408, 0x08000408, 0x00020000, 0x08020000,\n 0x00020008, 0x08020008, 0x00020400, 0x08020400, 0x00020408,\n 0x08020408, 0x00000001, 0x08000001, 0x00000009, 0x08000009,\n 0x00000401, 0x08000401, 0x00000409, 0x08000409, 0x00020001,\n 0x08020001, 0x00020009, 0x08020009, 0x00020401, 0x08020401,\n 0x00020409, 0x08020409, 0x02000000, 0x0A000000, 0x02000008,\n 0x0A000008, 0x02000400, 0x0A000400, 0x02000408, 0x0A000408,\n 0x02020000, 0x0A020000, 0x02020008, 0x0A020008, 0x02020400,\n 0x0A020400, 0x02020408, 0x0A020408, 0x02000001, 0x0A000001,\n 0x02000009, 0x0A000009, 0x02000401, 0x0A000401, 0x02000409,\n 0x0A000409, 0x02020001, 0x0A020001, 0x02020009, 0x0A020009,\n 0x02020401, 0x0A020401, 0x02020409, 0x0A020409, },\n { // for D bits (numbered as per FIPS 46) 16 17 18 19 20 21\n 0x00000000, 0x00000100, 0x00080000, 0x00080100, 0x01000000,\n 0x01000100, 0x01080000, 0x01080100, 0x00000010, 0x00000110,\n 0x00080010, 0x00080110, 0x01000010, 0x01000110, 0x01080010,\n 0x01080110, 0x00200000, 0x00200100, 0x00280000, 0x00280100,\n 0x01200000, 0x01200100, 0x01280000, 0x01280100, 0x00200010,\n 0x00200110, 0x00280010, 0x00280110, 0x01200010, 0x01200110,\n 0x01280010, 0x01280110, 0x00000200, 0x00000300, 0x00080200,\n 0x00080300, 0x01000200, 0x01000300, 0x01080200, 0x01080300,\n 0x00000210, 0x00000310, 0x00080210, 0x00080310, 0x01000210,\n 0x01000310, 0x01080210, 0x01080310, 0x00200200, 0x00200300,\n 0x00280200, 0x00280300, 0x01200200, 0x01200300, 0x01280200,\n 0x01280300, 0x00200210, 0x00200310, 0x00280210, 0x00280310,\n 0x01200210, 0x01200310, 0x01280210, 0x01280310, },\n { // for D bits (numbered as per FIPS 46) 22 23 24 25 27 28\n 0x00000000, 0x04000000, 0x00040000, 0x04040000, 0x00000002,\n 0x04000002, 0x00040002, 0x04040002, 0x00002000, 0x04002000,\n 0x00042000, 0x04042000, 0x00002002, 0x04002002, 0x00042002,\n 0x04042002, 0x00000020, 0x04000020, 0x00040020, 0x04040020,\n 0x00000022, 0x04000022, 0x00040022, 0x04040022, 0x00002020,\n 0x04002020, 0x00042020, 0x04042020, 0x00002022, 0x04002022,\n 0x00042022, 0x04042022, 0x00000800, 0x04000800, 0x00040800,\n 0x04040800, 0x00000802, 0x04000802, 0x00040802, 0x04040802,\n 0x00002800, 0x04002800, 0x00042800, 0x04042800, 0x00002802,\n 0x04002802, 0x00042802, 0x04042802, 0x00000820, 0x04000820,\n 0x00040820, 0x04040820, 0x00000822, 0x04000822, 0x00040822,\n 0x04040822, 0x00002820, 0x04002820, 0x00042820, 0x04042820,\n 0x00002822, 0x04002822, 0x00042822, 0x04042822, }};\n\nstatic const uint32_t DES_SPtrans[8][64] = {\n { // nibble 0\n 0x02080800, 0x00080000, 0x02000002, 0x02080802, 0x02000000,\n 0x00080802, 0x00080002, 0x02000002, 0x00080802, 0x02080800,\n 0x02080000, 0x00000802, 0x02000802, 0x02000000, 0x00000000,\n 0x00080002, 0x00080000, 0x00000002, 0x02000800, 0x00080800,\n 0x02080802, 0x02080000, 0x00000802, 0x02000800, 0x00000002,\n 0x00000800, 0x00080800, 0x02080002, 0x00000800, 0x02000802,\n 0x02080002, 0x00000000, 0x00000000, 0x02080802, 0x02000800,\n 0x00080002, 0x02080800, 0x00080000, 0x00000802, 0x02000800,\n 0x02080002, 0x00000800, 0x00080800, 0x02000002, 0x00080802,\n 0x00000002, 0x02000002, 0x02080000, 0x02080802, 0x00080800,\n 0x02080000, 0x02000802, 0x02000000, 0x00000802, 0x00080002,\n 0x00000000, 0x00080000, 0x02000000, 0x02000802, 0x02080800,\n 0x00000002, 0x02080002, 0x00000800, 0x00080802, },\n { // nibble 1\n 0x40108010, 0x00000000, 0x00108000, 0x40100000, 0x40000010,\n 0x00008010, 0x40008000, 0x00108000, 0x00008000, 0x40100010,\n 0x00000010, 0x40008000, 0x00100010, 0x40108000, 0x40100000,\n 0x00000010, 0x00100000, 0x40008010, 0x40100010, 0x00008000,\n 0x00108010, 0x40000000, 0x00000000, 0x00100010, 0x40008010,\n 0x00108010, 0x40108000, 0x40000010, 0x40000000, 0x00100000,\n 0x00008010, 0x40108010, 0x00100010, 0x40108000, 0x40008000,\n 0x00108010, 0x40108010, 0x00100010, 0x40000010, 0x00000000,\n 0x40000000, 0x00008010, 0x00100000, 0x40100010, 0x00008000,\n 0x40000000, 0x00108010, 0x40008010, 0x40108000, 0x00008000,\n 0x00000000, 0x40000010, 0x00000010, 0x40108010, 0x00108000,\n 0x40100000, 0x40100010, 0x00100000, 0x00008010, 0x40008000,\n 0x40008010, 0x00000010, 0x40100000, 0x00108000, },\n { // nibble 2\n 0x04000001, 0x04040100, 0x00000100, 0x04000101, 0x00040001,\n 0x04000000, 0x04000101, 0x00040100, 0x04000100, 0x00040000,\n 0x04040000, 0x00000001, 0x04040101, 0x00000101, 0x00000001,\n 0x04040001, 0x00000000, 0x00040001, 0x04040100, 0x00000100,\n 0x00000101, 0x04040101, 0x00040000, 0x04000001, 0x04040001,\n 0x04000100, 0x00040101, 0x04040000, 0x00040100, 0x00000000,\n 0x04000000, 0x00040101, 0x04040100, 0x00000100, 0x00000001,\n 0x00040000, 0x00000101, 0x00040001, 0x04040000, 0x04000101,\n 0x00000000, 0x04040100, 0x00040100, 0x04040001, 0x00040001,\n 0x04000000, 0x04040101, 0x00000001, 0x00040101, 0x04000001,\n 0x04000000, 0x04040101, 0x00040000, 0x04000100, 0x04000101,\n 0x00040100, 0x04000100, 0x00000000, 0x04040001, 0x00000101,\n 0x04000001, 0x00040101, 0x00000100, 0x04040000, },\n { // nibble 3\n 0x00401008, 0x10001000, 0x00000008, 0x10401008, 0x00000000,\n 0x10400000, 0x10001008, 0x00400008, 0x10401000, 0x10000008,\n 0x10000000, 0x00001008, 0x10000008, 0x00401008, 0x00400000,\n 0x10000000, 0x10400008, 0x00401000, 0x00001000, 0x00000008,\n 0x00401000, 0x10001008, 0x10400000, 0x00001000, 0x00001008,\n 0x00000000, 0x00400008, 0x10401000, 0x10001000, 0x10400008,\n 0x10401008, 0x00400000, 0x10400008, 0x00001008, 0x00400000,\n 0x10000008, 0x00401000, 0x10001000, 0x00000008, 0x10400000,\n 0x10001008, 0x00000000, 0x00001000, 0x00400008, 0x00000000,\n 0x10400008, 0x10401000, 0x00001000, 0x10000000, 0x10401008,\n 0x00401008, 0x00400000, 0x10401008, 0x00000008, 0x10001000,\n 0x00401008, 0x00400008, 0x00401000, 0x10400000, 0x10001008,\n 0x00001008, 0x10000000, 0x10000008, 0x10401000, },\n { // nibble 4\n 0x08000000, 0x00010000, 0x00000400, 0x08010420, 0x08010020,\n 0x08000400, 0x00010420, 0x08010000, 0x00010000, 0x00000020,\n 0x08000020, 0x00010400, 0x08000420, 0x08010020, 0x08010400,\n 0x00000000, 0x00010400, 0x08000000, 0x00010020, 0x00000420,\n 0x08000400, 0x00010420, 0x00000000, 0x08000020, 0x00000020,\n 0x08000420, 0x08010420, 0x00010020, 0x08010000, 0x00000400,\n 0x00000420, 0x08010400, 0x08010400, 0x08000420, 0x00010020,\n 0x08010000, 0x00010000, 0x00000020, 0x08000020, 0x08000400,\n 0x08000000, 0x00010400, 0x08010420, 0x00000000, 0x00010420,\n 0x08000000, 0x00000400, 0x00010020, 0x08000420, 0x00000400,\n 0x00000000, 0x08010420, 0x08010020, 0x08010400, 0x00000420,\n 0x00010000, 0x00010400, 0x08010020, 0x08000400, 0x00000420,\n 0x00000020, 0x00010420, 0x08010000, 0x08000020, },\n { // nibble 5\n 0x80000040, 0x00200040, 0x00000000, 0x80202000, 0x00200040,\n 0x00002000, 0x80002040, 0x00200000, 0x00002040, 0x80202040,\n 0x00202000, 0x80000000, 0x80002000, 0x80000040, 0x80200000,\n 0x00202040, 0x00200000, 0x80002040, 0x80200040, 0x00000000,\n 0x00002000, 0x00000040, 0x80202000, 0x80200040, 0x80202040,\n 0x80200000, 0x80000000, 0x00002040, 0x00000040, 0x00202000,\n 0x00202040, 0x80002000, 0x00002040, 0x80000000, 0x80002000,\n 0x00202040, 0x80202000, 0x00200040, 0x00000000, 0x80002000,\n 0x80000000, 0x00002000, 0x80200040, 0x00200000, 0x00200040,\n 0x80202040, 0x00202000, 0x00000040, 0x80202040, 0x00202000,\n 0x00200000, 0x80002040, 0x80000040, 0x80200000, 0x00202040,\n 0x00000000, 0x00002000, 0x80000040, 0x80002040, 0x80202000,\n 0x80200000, 0x00002040, 0x00000040, 0x80200040, },\n { // nibble 6\n 0x00004000, 0x00000200, 0x01000200, 0x01000004, 0x01004204,\n 0x00004004, 0x00004200, 0x00000000, 0x01000000, 0x01000204,\n 0x00000204, 0x01004000, 0x00000004, 0x01004200, 0x01004000,\n 0x00000204, 0x01000204, 0x00004000, 0x00004004, 0x01004204,\n 0x00000000, 0x01000200, 0x01000004, 0x00004200, 0x01004004,\n 0x00004204, 0x01004200, 0x00000004, 0x00004204, 0x01004004,\n 0x00000200, 0x01000000, 0x00004204, 0x01004000, 0x01004004,\n 0x00000204, 0x00004000, 0x00000200, 0x01000000, 0x01004004,\n 0x01000204, 0x00004204, 0x00004200, 0x00000000, 0x00000200,\n 0x01000004, 0x00000004, 0x01000200, 0x00000000, 0x01000204,\n 0x01000200, 0x00004200, 0x00000204, 0x00004000, 0x01004204,\n 0x01000000, 0x01004200, 0x00000004, 0x00004004, 0x01004204,\n 0x01000004, 0x01004200, 0x01004000, 0x00004004, },\n { // nibble 7\n 0x20800080, 0x20820000, 0x00020080, 0x00000000, 0x20020000,\n 0x00800080, 0x20800000, 0x20820080, 0x00000080, 0x20000000,\n 0x00820000, 0x00020080, 0x00820080, 0x20020080, 0x20000080,\n 0x20800000, 0x00020000, 0x00820080, 0x00800080, 0x20020000,\n 0x20820080, 0x20000080, 0x00000000, 0x00820000, 0x20000000,\n 0x00800000, 0x20020080, 0x20800080, 0x00800000, 0x00020000,\n 0x20820000, 0x00000080, 0x00800000, 0x00020000, 0x20000080,\n 0x20820080, 0x00020080, 0x20000000, 0x00000000, 0x00820000,\n 0x20800080, 0x20020080, 0x20020000, 0x00800080, 0x20820000,\n 0x00000080, 0x00800080, 0x20020000, 0x20820080, 0x00800000,\n 0x20800000, 0x20000080, 0x00820000, 0x00020080, 0x20020080,\n 0x20800000, 0x00000080, 0x20820000, 0x00820080, 0x00000000,\n 0x20000000, 0x20800080, 0x00020000, 0x00820080, }};\n\n#define HPERM_OP(a, t, n, m) \\\n ((t) = ((((a) << (16 - (n))) ^ (a)) & (m)), \\\n (a) = (a) ^ (t) ^ ((t) >> (16 - (n))))\n\nvoid DES_set_key(const DES_cblock *key, DES_key_schedule *schedule) {\n DES_set_key_ex(key->bytes, schedule);\n}\n\nvoid DES_set_key_ex(const uint8_t key[8], DES_key_schedule *schedule) {\n static const int shifts2[16] = {0, 0, 1, 1, 1, 1, 1, 1,\n 0, 1, 1, 1, 1, 1, 1, 0};\n uint32_t c, d, t, s, t2;\n const uint8_t *in;\n int i;\n\n in = key;\n\n c2l(in, c);\n c2l(in, d);\n\n // do PC1 in 47 simple operations :-)\n // Thanks to John Fletcher (john_fletcher@lccmail.ocf.llnl.gov)\n // for the inspiration. :-)\n PERM_OP(d, c, t, 4, 0x0f0f0f0f);\n HPERM_OP(c, t, -2, 0xcccc0000);\n HPERM_OP(d, t, -2, 0xcccc0000);\n PERM_OP(d, c, t, 1, 0x55555555);\n PERM_OP(c, d, t, 8, 0x00ff00ff);\n PERM_OP(d, c, t, 1, 0x55555555);\n d = (((d & 0x000000ff) << 16) | (d & 0x0000ff00) |\n ((d & 0x00ff0000) >> 16) | ((c & 0xf0000000) >> 4));\n c &= 0x0fffffff;\n\n for (i = 0; i < ITERATIONS; i++) {\n if (shifts2[i]) {\n c = ((c >> 2) | (c << 26));\n d = ((d >> 2) | (d << 26));\n } else {\n c = ((c >> 1) | (c << 27));\n d = ((d >> 1) | (d << 27));\n }\n c &= 0x0fffffff;\n d &= 0x0fffffff;\n // could be a few less shifts but I am to lazy at this\n // point in time to investigate\n s = des_skb[0][(c) & 0x3f] |\n des_skb[1][((c >> 6) & 0x03) | ((c >> 7) & 0x3c)] |\n des_skb[2][((c >> 13) & 0x0f) | ((c >> 14) & 0x30)] |\n des_skb[3][((c >> 20) & 0x01) | ((c >> 21) & 0x06) |\n ((c >> 22) & 0x38)];\n t = des_skb[4][(d) & 0x3f] |\n des_skb[5][((d >> 7) & 0x03) | ((d >> 8) & 0x3c)] |\n des_skb[6][(d >> 15) & 0x3f] |\n des_skb[7][((d >> 21) & 0x0f) | ((d >> 22) & 0x30)];\n\n // table contained 0213 4657\n t2 = ((t << 16) | (s & 0x0000ffff)) & 0xffffffff;\n schedule->subkeys[i][0] = CRYPTO_rotr_u32(t2, 30);\n\n t2 = ((s >> 16) | (t & 0xffff0000));\n schedule->subkeys[i][1] = CRYPTO_rotr_u32(t2, 26);\n }\n}\n\nstatic const uint8_t kOddParity[256] = {\n 1, 1, 2, 2, 4, 4, 7, 7, 8, 8, 11, 11, 13, 13, 14,\n 14, 16, 16, 19, 19, 21, 21, 22, 22, 25, 25, 26, 26, 28, 28,\n 31, 31, 32, 32, 35, 35, 37, 37, 38, 38, 41, 41, 42, 42, 44,\n 44, 47, 47, 49, 49, 50, 50, 52, 52, 55, 55, 56, 56, 59, 59,\n 61, 61, 62, 62, 64, 64, 67, 67, 69, 69, 70, 70, 73, 73, 74,\n 74, 76, 76, 79, 79, 81, 81, 82, 82, 84, 84, 87, 87, 88, 88,\n 91, 91, 93, 93, 94, 94, 97, 97, 98, 98, 100, 100, 103, 103, 104,\n 104, 107, 107, 109, 109, 110, 110, 112, 112, 115, 115, 117, 117, 118, 118,\n 121, 121, 122, 122, 124, 124, 127, 127, 128, 128, 131, 131, 133, 133, 134,\n 134, 137, 137, 138, 138, 140, 140, 143, 143, 145, 145, 146, 146, 148, 148,\n 151, 151, 152, 152, 155, 155, 157, 157, 158, 158, 161, 161, 162, 162, 164,\n 164, 167, 167, 168, 168, 171, 171, 173, 173, 174, 174, 176, 176, 179, 179,\n 181, 181, 182, 182, 185, 185, 186, 186, 188, 188, 191, 191, 193, 193, 194,\n 194, 196, 196, 199, 199, 200, 200, 203, 203, 205, 205, 206, 206, 208, 208,\n 211, 211, 213, 213, 214, 214, 217, 217, 218, 218, 220, 220, 223, 223, 224,\n 224, 227, 227, 229, 229, 230, 230, 233, 233, 234, 234, 236, 236, 239, 239,\n 241, 241, 242, 242, 244, 244, 247, 247, 248, 248, 251, 251, 253, 253, 254,\n 254\n};\n\nvoid DES_set_odd_parity(DES_cblock *key) {\n unsigned i;\n\n for (i = 0; i < DES_KEY_SZ; i++) {\n key->bytes[i] = kOddParity[key->bytes[i]];\n }\n}\n\nstatic void DES_encrypt1(uint32_t data[2], const DES_key_schedule *ks,\n int enc) {\n uint32_t l, r, t, u;\n\n r = data[0];\n l = data[1];\n\n IP(r, l);\n // Things have been modified so that the initial rotate is done outside\n // the loop. This required the DES_SPtrans values in sp.h to be\n // rotated 1 bit to the right. One perl script later and things have a\n // 5% speed up on a sparc2. Thanks to Richard Outerbridge\n // <71755.204@CompuServe.COM> for pointing this out.\n // clear the top bits on machines with 8byte longs\n // shift left by 2\n r = CRYPTO_rotr_u32(r, 29);\n l = CRYPTO_rotr_u32(l, 29);\n\n // I don't know if it is worth the effort of loop unrolling the\n // inner loop\n if (enc) {\n D_ENCRYPT(ks, l, r, 0);\n D_ENCRYPT(ks, r, l, 1);\n D_ENCRYPT(ks, l, r, 2);\n D_ENCRYPT(ks, r, l, 3);\n D_ENCRYPT(ks, l, r, 4);\n D_ENCRYPT(ks, r, l, 5);\n D_ENCRYPT(ks, l, r, 6);\n D_ENCRYPT(ks, r, l, 7);\n D_ENCRYPT(ks, l, r, 8);\n D_ENCRYPT(ks, r, l, 9);\n D_ENCRYPT(ks, l, r, 10);\n D_ENCRYPT(ks, r, l, 11);\n D_ENCRYPT(ks, l, r, 12);\n D_ENCRYPT(ks, r, l, 13);\n D_ENCRYPT(ks, l, r, 14);\n D_ENCRYPT(ks, r, l, 15);\n } else {\n D_ENCRYPT(ks, l, r, 15);\n D_ENCRYPT(ks, r, l, 14);\n D_ENCRYPT(ks, l, r, 13);\n D_ENCRYPT(ks, r, l, 12);\n D_ENCRYPT(ks, l, r, 11);\n D_ENCRYPT(ks, r, l, 10);\n D_ENCRYPT(ks, l, r, 9);\n D_ENCRYPT(ks, r, l, 8);\n D_ENCRYPT(ks, l, r, 7);\n D_ENCRYPT(ks, r, l, 6);\n D_ENCRYPT(ks, l, r, 5);\n D_ENCRYPT(ks, r, l, 4);\n D_ENCRYPT(ks, l, r, 3);\n D_ENCRYPT(ks, r, l, 2);\n D_ENCRYPT(ks, l, r, 1);\n D_ENCRYPT(ks, r, l, 0);\n }\n\n // rotate and clear the top bits on machines with 8byte longs\n l = CRYPTO_rotr_u32(l, 3);\n r = CRYPTO_rotr_u32(r, 3);\n\n FP(r, l);\n data[0] = l;\n data[1] = r;\n}\n\nstatic void DES_encrypt2(uint32_t data[2], const DES_key_schedule *ks,\n int enc) {\n uint32_t l, r, t, u;\n\n r = data[0];\n l = data[1];\n\n // Things have been modified so that the initial rotate is done outside the\n // loop. This required the DES_SPtrans values in sp.h to be rotated 1 bit to\n // the right. One perl script later and things have a 5% speed up on a\n // sparc2. Thanks to Richard Outerbridge <71755.204@CompuServe.COM> for\n // pointing this out.\n // clear the top bits on machines with 8byte longs\n r = CRYPTO_rotr_u32(r, 29);\n l = CRYPTO_rotr_u32(l, 29);\n\n // I don't know if it is worth the effort of loop unrolling the\n // inner loop\n if (enc) {\n D_ENCRYPT(ks, l, r, 0);\n D_ENCRYPT(ks, r, l, 1);\n D_ENCRYPT(ks, l, r, 2);\n D_ENCRYPT(ks, r, l, 3);\n D_ENCRYPT(ks, l, r, 4);\n D_ENCRYPT(ks, r, l, 5);\n D_ENCRYPT(ks, l, r, 6);\n D_ENCRYPT(ks, r, l, 7);\n D_ENCRYPT(ks, l, r, 8);\n D_ENCRYPT(ks, r, l, 9);\n D_ENCRYPT(ks, l, r, 10);\n D_ENCRYPT(ks, r, l, 11);\n D_ENCRYPT(ks, l, r, 12);\n D_ENCRYPT(ks, r, l, 13);\n D_ENCRYPT(ks, l, r, 14);\n D_ENCRYPT(ks, r, l, 15);\n } else {\n D_ENCRYPT(ks, l, r, 15);\n D_ENCRYPT(ks, r, l, 14);\n D_ENCRYPT(ks, l, r, 13);\n D_ENCRYPT(ks, r, l, 12);\n D_ENCRYPT(ks, l, r, 11);\n D_ENCRYPT(ks, r, l, 10);\n D_ENCRYPT(ks, l, r, 9);\n D_ENCRYPT(ks, r, l, 8);\n D_ENCRYPT(ks, l, r, 7);\n D_ENCRYPT(ks, r, l, 6);\n D_ENCRYPT(ks, l, r, 5);\n D_ENCRYPT(ks, r, l, 4);\n D_ENCRYPT(ks, l, r, 3);\n D_ENCRYPT(ks, r, l, 2);\n D_ENCRYPT(ks, l, r, 1);\n D_ENCRYPT(ks, r, l, 0);\n }\n // rotate and clear the top bits on machines with 8byte longs\n data[0] = CRYPTO_rotr_u32(l, 3);\n data[1] = CRYPTO_rotr_u32(r, 3);\n}\n\nvoid DES_encrypt3(uint32_t data[2], const DES_key_schedule *ks1,\n const DES_key_schedule *ks2, const DES_key_schedule *ks3) {\n uint32_t l, r;\n\n l = data[0];\n r = data[1];\n IP(l, r);\n data[0] = l;\n data[1] = r;\n DES_encrypt2(data, ks1, DES_ENCRYPT);\n DES_encrypt2(data, ks2, DES_DECRYPT);\n DES_encrypt2(data, ks3, DES_ENCRYPT);\n l = data[0];\n r = data[1];\n FP(r, l);\n data[0] = l;\n data[1] = r;\n}\n\nvoid DES_decrypt3(uint32_t data[2], const DES_key_schedule *ks1,\n const DES_key_schedule *ks2, const DES_key_schedule *ks3) {\n uint32_t l, r;\n\n l = data[0];\n r = data[1];\n IP(l, r);\n data[0] = l;\n data[1] = r;\n DES_encrypt2(data, ks3, DES_DECRYPT);\n DES_encrypt2(data, ks2, DES_ENCRYPT);\n DES_encrypt2(data, ks1, DES_DECRYPT);\n l = data[0];\n r = data[1];\n FP(r, l);\n data[0] = l;\n data[1] = r;\n}\n\nvoid DES_ecb_encrypt(const DES_cblock *in_block, DES_cblock *out_block,\n const DES_key_schedule *schedule, int is_encrypt) {\n DES_ecb_encrypt_ex(in_block->bytes, out_block->bytes, schedule, is_encrypt);\n}\n\nvoid DES_ecb_encrypt_ex(const uint8_t in[8], uint8_t out[8],\n const DES_key_schedule *schedule, int is_encrypt) {\n uint32_t ll[2];\n ll[0] = CRYPTO_load_u32_le(in);\n ll[1] = CRYPTO_load_u32_le(in + 4);\n DES_encrypt1(ll, schedule, is_encrypt);\n CRYPTO_store_u32_le(out, ll[0]);\n CRYPTO_store_u32_le(out + 4, ll[1]);\n}\n\nvoid DES_ncbc_encrypt(const uint8_t *in, uint8_t *out, size_t len,\n const DES_key_schedule *schedule, DES_cblock *ivec,\n int enc) {\n DES_ncbc_encrypt_ex(in, out, len, schedule, ivec->bytes, enc);\n}\n\nvoid DES_ncbc_encrypt_ex(const uint8_t *in, uint8_t *out, size_t len,\n const DES_key_schedule *schedule, uint8_t ivec[8],\n int enc) {\n uint32_t tin0, tin1;\n uint32_t tout0, tout1, xor0, xor1;\n uint32_t tin[2];\n unsigned char *iv;\n\n iv = ivec;\n\n if (enc) {\n c2l(iv, tout0);\n c2l(iv, tout1);\n for (; len >= 8; len -= 8) {\n c2l(in, tin0);\n c2l(in, tin1);\n tin0 ^= tout0;\n tin[0] = tin0;\n tin1 ^= tout1;\n tin[1] = tin1;\n DES_encrypt1(tin, schedule, DES_ENCRYPT);\n tout0 = tin[0];\n l2c(tout0, out);\n tout1 = tin[1];\n l2c(tout1, out);\n }\n if (len != 0) {\n c2ln(in, tin0, tin1, len);\n tin0 ^= tout0;\n tin[0] = tin0;\n tin1 ^= tout1;\n tin[1] = tin1;\n DES_encrypt1(tin, schedule, DES_ENCRYPT);\n tout0 = tin[0];\n l2c(tout0, out);\n tout1 = tin[1];\n l2c(tout1, out);\n }\n iv = ivec;\n l2c(tout0, iv);\n l2c(tout1, iv);\n } else {\n c2l(iv, xor0);\n c2l(iv, xor1);\n for (; len >= 8; len -= 8) {\n c2l(in, tin0);\n tin[0] = tin0;\n c2l(in, tin1);\n tin[1] = tin1;\n DES_encrypt1(tin, schedule, DES_DECRYPT);\n tout0 = tin[0] ^ xor0;\n tout1 = tin[1] ^ xor1;\n l2c(tout0, out);\n l2c(tout1, out);\n xor0 = tin0;\n xor1 = tin1;\n }\n if (len != 0) {\n c2l(in, tin0);\n tin[0] = tin0;\n c2l(in, tin1);\n tin[1] = tin1;\n DES_encrypt1(tin, schedule, DES_DECRYPT);\n tout0 = tin[0] ^ xor0;\n tout1 = tin[1] ^ xor1;\n l2cn(tout0, tout1, out, len);\n xor0 = tin0;\n xor1 = tin1;\n }\n iv = ivec;\n l2c(xor0, iv);\n l2c(xor1, iv);\n }\n tin[0] = tin[1] = 0;\n}\n\nvoid DES_ecb3_encrypt(const DES_cblock *input, DES_cblock *output,\n const DES_key_schedule *ks1, const DES_key_schedule *ks2,\n const DES_key_schedule *ks3, int enc) {\n DES_ecb3_encrypt_ex(input->bytes, output->bytes, ks1, ks2, ks3, enc);\n}\n\nvoid DES_ecb3_encrypt_ex(const uint8_t in[8], uint8_t out[8],\n const DES_key_schedule *ks1,\n const DES_key_schedule *ks2,\n const DES_key_schedule *ks3, int enc) {\n uint32_t ll[2];\n ll[0] = CRYPTO_load_u32_le(in);\n ll[1] = CRYPTO_load_u32_le(in + 4);\n if (enc) {\n DES_encrypt3(ll, ks1, ks2, ks3);\n } else {\n DES_decrypt3(ll, ks1, ks2, ks3);\n }\n CRYPTO_store_u32_le(out, ll[0]);\n CRYPTO_store_u32_le(out + 4, ll[1]);\n}\n\nvoid DES_ede3_cbc_encrypt(const uint8_t *in, uint8_t *out, size_t len,\n const DES_key_schedule *ks1,\n const DES_key_schedule *ks2,\n const DES_key_schedule *ks3, DES_cblock *ivec,\n int enc) {\n DES_ede3_cbc_encrypt_ex(in, out, len, ks1, ks2, ks3, ivec->bytes, enc);\n}\n\nvoid DES_ede3_cbc_encrypt_ex(const uint8_t *in, uint8_t *out, size_t len,\n const DES_key_schedule *ks1,\n const DES_key_schedule *ks2,\n const DES_key_schedule *ks3, uint8_t ivec[8],\n int enc) {\n uint32_t tin0, tin1;\n uint32_t tout0, tout1, xor0, xor1;\n uint32_t tin[2];\n uint8_t *iv;\n\n iv = ivec;\n\n if (enc) {\n c2l(iv, tout0);\n c2l(iv, tout1);\n for (; len >= 8; len -= 8) {\n c2l(in, tin0);\n c2l(in, tin1);\n tin0 ^= tout0;\n tin1 ^= tout1;\n\n tin[0] = tin0;\n tin[1] = tin1;\n DES_encrypt3(tin, ks1, ks2, ks3);\n tout0 = tin[0];\n tout1 = tin[1];\n\n l2c(tout0, out);\n l2c(tout1, out);\n }\n if (len != 0) {\n c2ln(in, tin0, tin1, len);\n tin0 ^= tout0;\n tin1 ^= tout1;\n\n tin[0] = tin0;\n tin[1] = tin1;\n DES_encrypt3(tin, ks1, ks2, ks3);\n tout0 = tin[0];\n tout1 = tin[1];\n\n l2c(tout0, out);\n l2c(tout1, out);\n }\n iv = ivec;\n l2c(tout0, iv);\n l2c(tout1, iv);\n } else {\n uint32_t t0, t1;\n\n c2l(iv, xor0);\n c2l(iv, xor1);\n for (; len >= 8; len -= 8) {\n c2l(in, tin0);\n c2l(in, tin1);\n\n t0 = tin0;\n t1 = tin1;\n\n tin[0] = tin0;\n tin[1] = tin1;\n DES_decrypt3(tin, ks1, ks2, ks3);\n tout0 = tin[0];\n tout1 = tin[1];\n\n tout0 ^= xor0;\n tout1 ^= xor1;\n l2c(tout0, out);\n l2c(tout1, out);\n xor0 = t0;\n xor1 = t1;\n }\n if (len != 0) {\n c2l(in, tin0);\n c2l(in, tin1);\n\n t0 = tin0;\n t1 = tin1;\n\n tin[0] = tin0;\n tin[1] = tin1;\n DES_decrypt3(tin, ks1, ks2, ks3);\n tout0 = tin[0];\n tout1 = tin[1];\n\n tout0 ^= xor0;\n tout1 ^= xor1;\n l2cn(tout0, tout1, out, len);\n xor0 = t0;\n xor1 = t1;\n }\n\n iv = ivec;\n l2c(xor0, iv);\n l2c(xor1, iv);\n }\n\n tin[0] = tin[1] = 0;\n}\n\nvoid DES_ede2_cbc_encrypt(const uint8_t *in, uint8_t *out, size_t len,\n const DES_key_schedule *ks1,\n const DES_key_schedule *ks2,\n DES_cblock *ivec,\n int enc) {\n DES_ede3_cbc_encrypt(in, out, len, ks1, ks2, ks1, ivec, enc);\n}\n\n\n// Deprecated functions.\n\nvoid DES_set_key_unchecked(const DES_cblock *key, DES_key_schedule *schedule) {\n DES_set_key(key, schedule);\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/des/internal.h", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#ifndef OPENSSL_HEADER_DES_INTERNAL_H\n#define OPENSSL_HEADER_DES_INTERNAL_H\n\n#include \n#include \n\n#include \"../internal.h\"\n\n#if defined(__cplusplus)\nextern \"C\" {\n#endif\n\n\n// TODO(davidben): Ideally these macros would be replaced with\n// |CRYPTO_load_u32_le| and |CRYPTO_store_u32_le|.\n\n#define c2l(c, l) \\\n do { \\\n (l) = ((uint32_t)(*((c)++))); \\\n (l) |= ((uint32_t)(*((c)++))) << 8L; \\\n (l) |= ((uint32_t)(*((c)++))) << 16L; \\\n (l) |= ((uint32_t)(*((c)++))) << 24L; \\\n } while (0)\n\n#define l2c(l, c) \\\n do { \\\n *((c)++) = (unsigned char)(((l)) & 0xff); \\\n *((c)++) = (unsigned char)(((l) >> 8L) & 0xff); \\\n *((c)++) = (unsigned char)(((l) >> 16L) & 0xff); \\\n *((c)++) = (unsigned char)(((l) >> 24L) & 0xff); \\\n } while (0)\n\n// NOTE - c is not incremented as per c2l\n#define c2ln(c, l1, l2, n) \\\n do { \\\n (c) += (n); \\\n (l1) = (l2) = 0; \\\n switch (n) { \\\n case 8: \\\n (l2) = ((uint32_t)(*(--(c)))) << 24L; \\\n [[fallthrough]]; \\\n case 7: \\\n (l2) |= ((uint32_t)(*(--(c)))) << 16L; \\\n [[fallthrough]]; \\\n case 6: \\\n (l2) |= ((uint32_t)(*(--(c)))) << 8L; \\\n [[fallthrough]]; \\\n case 5: \\\n (l2) |= ((uint32_t)(*(--(c)))); \\\n [[fallthrough]]; \\\n case 4: \\\n (l1) = ((uint32_t)(*(--(c)))) << 24L; \\\n [[fallthrough]]; \\\n case 3: \\\n (l1) |= ((uint32_t)(*(--(c)))) << 16L; \\\n [[fallthrough]]; \\\n case 2: \\\n (l1) |= ((uint32_t)(*(--(c)))) << 8L; \\\n [[fallthrough]]; \\\n case 1: \\\n (l1) |= ((uint32_t)(*(--(c)))); \\\n } \\\n } while (0)\n\n// NOTE - c is not incremented as per l2c\n#define l2cn(l1, l2, c, n) \\\n do { \\\n (c) += (n); \\\n switch (n) { \\\n case 8: \\\n *(--(c)) = (unsigned char)(((l2) >> 24L) & 0xff); \\\n [[fallthrough]]; \\\n case 7: \\\n *(--(c)) = (unsigned char)(((l2) >> 16L) & 0xff); \\\n [[fallthrough]]; \\\n case 6: \\\n *(--(c)) = (unsigned char)(((l2) >> 8L) & 0xff); \\\n [[fallthrough]]; \\\n case 5: \\\n *(--(c)) = (unsigned char)(((l2)) & 0xff); \\\n [[fallthrough]]; \\\n case 4: \\\n *(--(c)) = (unsigned char)(((l1) >> 24L) & 0xff); \\\n [[fallthrough]]; \\\n case 3: \\\n *(--(c)) = (unsigned char)(((l1) >> 16L) & 0xff); \\\n [[fallthrough]]; \\\n case 2: \\\n *(--(c)) = (unsigned char)(((l1) >> 8L) & 0xff); \\\n [[fallthrough]]; \\\n case 1: \\\n *(--(c)) = (unsigned char)(((l1)) & 0xff); \\\n } \\\n } while (0)\n\n\n// Correctly-typed versions of DES functions.\n//\n// See https://crbug.com/boringssl/683.\n\nvoid DES_set_key_ex(const uint8_t key[8], DES_key_schedule *schedule);\nvoid DES_ecb_encrypt_ex(const uint8_t in[8], uint8_t out[8],\n const DES_key_schedule *schedule, int is_encrypt);\nvoid DES_ncbc_encrypt_ex(const uint8_t *in, uint8_t *out, size_t len,\n const DES_key_schedule *schedule, uint8_t ivec[8],\n int enc);\nvoid DES_ecb3_encrypt_ex(const uint8_t input[8], uint8_t output[8],\n const DES_key_schedule *ks1,\n const DES_key_schedule *ks2,\n const DES_key_schedule *ks3, int enc);\nvoid DES_ede3_cbc_encrypt_ex(const uint8_t *in, uint8_t *out, size_t len,\n const DES_key_schedule *ks1,\n const DES_key_schedule *ks2,\n const DES_key_schedule *ks3, uint8_t ivec[8],\n int enc);\n\n\n// Private functions.\n//\n// These functions are only exported for use in |decrepit|.\n\nOPENSSL_EXPORT void DES_decrypt3(uint32_t data[2], const DES_key_schedule *ks1,\n const DES_key_schedule *ks2,\n const DES_key_schedule *ks3);\n\nOPENSSL_EXPORT void DES_encrypt3(uint32_t data[2], const DES_key_schedule *ks1,\n const DES_key_schedule *ks2,\n const DES_key_schedule *ks3);\n\n\n#if defined(__cplusplus)\n} // extern C\n#endif\n\n#endif // OPENSSL_HEADER_DES_INTERNAL_H\n" }, { "path": "Sources/CNIOBoringSSL/crypto/dh/dh_asn1.cc", "content": "/*\n * Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n#include \n\n#include \n#include \n#include \n\n#include \"../bytestring/internal.h\"\n#include \"../fipsmodule/dh/internal.h\"\n\n\nstatic int parse_integer(CBS *cbs, BIGNUM **out) {\n assert(*out == NULL);\n *out = BN_new();\n if (*out == NULL) {\n return 0;\n }\n return BN_parse_asn1_unsigned(cbs, *out);\n}\n\nstatic int marshal_integer(CBB *cbb, BIGNUM *bn) {\n if (bn == NULL) {\n // A DH object may be missing some components.\n OPENSSL_PUT_ERROR(DH, ERR_R_PASSED_NULL_PARAMETER);\n return 0;\n }\n return BN_marshal_asn1(cbb, bn);\n}\n\nDH *DH_parse_parameters(CBS *cbs) {\n DH *ret = DH_new();\n if (ret == NULL) {\n return NULL;\n }\n\n CBS child;\n if (!CBS_get_asn1(cbs, &child, CBS_ASN1_SEQUENCE) ||\n !parse_integer(&child, &ret->p) ||\n !parse_integer(&child, &ret->g)) {\n goto err;\n }\n\n uint64_t priv_length;\n if (CBS_len(&child) != 0) {\n if (!CBS_get_asn1_uint64(&child, &priv_length) ||\n priv_length > UINT_MAX) {\n goto err;\n }\n ret->priv_length = (unsigned)priv_length;\n }\n\n if (CBS_len(&child) != 0) {\n goto err;\n }\n\n if (!dh_check_params_fast(ret)) {\n goto err;\n }\n\n return ret;\n\nerr:\n OPENSSL_PUT_ERROR(DH, DH_R_DECODE_ERROR);\n DH_free(ret);\n return NULL;\n}\n\nint DH_marshal_parameters(CBB *cbb, const DH *dh) {\n CBB child;\n if (!CBB_add_asn1(cbb, &child, CBS_ASN1_SEQUENCE) ||\n !marshal_integer(&child, dh->p) ||\n !marshal_integer(&child, dh->g) ||\n (dh->priv_length != 0 &&\n !CBB_add_asn1_uint64(&child, dh->priv_length)) ||\n !CBB_flush(cbb)) {\n OPENSSL_PUT_ERROR(DH, DH_R_ENCODE_ERROR);\n return 0;\n }\n return 1;\n}\n\nDH *d2i_DHparams(DH **out, const uint8_t **inp, long len) {\n if (len < 0) {\n return NULL;\n }\n CBS cbs;\n CBS_init(&cbs, *inp, (size_t)len);\n DH *ret = DH_parse_parameters(&cbs);\n if (ret == NULL) {\n return NULL;\n }\n if (out != NULL) {\n DH_free(*out);\n *out = ret;\n }\n *inp = CBS_data(&cbs);\n return ret;\n}\n\nint i2d_DHparams(const DH *in, uint8_t **outp) {\n CBB cbb;\n if (!CBB_init(&cbb, 0) ||\n !DH_marshal_parameters(&cbb, in)) {\n CBB_cleanup(&cbb);\n return -1;\n }\n return CBB_finish_i2d(&cbb, outp);\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/dh/params.cc", "content": "/*\n * Copyright 2011-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n#include \n#include \n\n#include \"../fipsmodule/bn/internal.h\"\n#include \"../fipsmodule/dh/internal.h\"\n\n\nstatic BIGNUM *get_params(BIGNUM *ret, const BN_ULONG *words, size_t num_words) {\n BIGNUM *alloc = NULL;\n if (ret == NULL) {\n alloc = BN_new();\n if (alloc == NULL) {\n return NULL;\n }\n ret = alloc;\n }\n\n if (!bn_set_words(ret, words, num_words)) {\n BN_free(alloc);\n return NULL;\n }\n\n return ret;\n}\n\nBIGNUM *BN_get_rfc3526_prime_1536(BIGNUM *ret) {\n static const BN_ULONG kWords[] = {\n TOBN(0xffffffff, 0xffffffff), TOBN(0xf1746c08, 0xca237327),\n TOBN(0x670c354e, 0x4abc9804), TOBN(0x9ed52907, 0x7096966d),\n TOBN(0x1c62f356, 0x208552bb), TOBN(0x83655d23, 0xdca3ad96),\n TOBN(0x69163fa8, 0xfd24cf5f), TOBN(0x98da4836, 0x1c55d39a),\n TOBN(0xc2007cb8, 0xa163bf05), TOBN(0x49286651, 0xece45b3d),\n TOBN(0xae9f2411, 0x7c4b1fe6), TOBN(0xee386bfb, 0x5a899fa5),\n TOBN(0x0bff5cb6, 0xf406b7ed), TOBN(0xf44c42e9, 0xa637ed6b),\n TOBN(0xe485b576, 0x625e7ec6), TOBN(0x4fe1356d, 0x6d51c245),\n TOBN(0x302b0a6d, 0xf25f1437), TOBN(0xef9519b3, 0xcd3a431b),\n TOBN(0x514a0879, 0x8e3404dd), TOBN(0x020bbea6, 0x3b139b22),\n TOBN(0x29024e08, 0x8a67cc74), TOBN(0xc4c6628b, 0x80dc1cd1),\n TOBN(0xc90fdaa2, 0x2168c234), TOBN(0xffffffff, 0xffffffff),\n };\n return get_params(ret, kWords, OPENSSL_ARRAY_SIZE(kWords));\n}\n\nBIGNUM *BN_get_rfc3526_prime_2048(BIGNUM *ret) {\n static const BN_ULONG kWords[] = {\n TOBN(0xffffffff, 0xffffffff), TOBN(0x15728e5a, 0x8aacaa68),\n TOBN(0x15d22618, 0x98fa0510), TOBN(0x3995497c, 0xea956ae5),\n TOBN(0xde2bcbf6, 0x95581718), TOBN(0xb5c55df0, 0x6f4c52c9),\n TOBN(0x9b2783a2, 0xec07a28f), TOBN(0xe39e772c, 0x180e8603),\n TOBN(0x32905e46, 0x2e36ce3b), TOBN(0xf1746c08, 0xca18217c),\n TOBN(0x670c354e, 0x4abc9804), TOBN(0x9ed52907, 0x7096966d),\n TOBN(0x1c62f356, 0x208552bb), TOBN(0x83655d23, 0xdca3ad96),\n TOBN(0x69163fa8, 0xfd24cf5f), TOBN(0x98da4836, 0x1c55d39a),\n TOBN(0xc2007cb8, 0xa163bf05), TOBN(0x49286651, 0xece45b3d),\n TOBN(0xae9f2411, 0x7c4b1fe6), TOBN(0xee386bfb, 0x5a899fa5),\n TOBN(0x0bff5cb6, 0xf406b7ed), TOBN(0xf44c42e9, 0xa637ed6b),\n TOBN(0xe485b576, 0x625e7ec6), TOBN(0x4fe1356d, 0x6d51c245),\n TOBN(0x302b0a6d, 0xf25f1437), TOBN(0xef9519b3, 0xcd3a431b),\n TOBN(0x514a0879, 0x8e3404dd), TOBN(0x020bbea6, 0x3b139b22),\n TOBN(0x29024e08, 0x8a67cc74), TOBN(0xc4c6628b, 0x80dc1cd1),\n TOBN(0xc90fdaa2, 0x2168c234), TOBN(0xffffffff, 0xffffffff),\n };\n return get_params(ret, kWords, OPENSSL_ARRAY_SIZE(kWords));\n}\n\nBIGNUM *BN_get_rfc3526_prime_3072(BIGNUM *ret) {\n static const BN_ULONG kWords[] = {\n TOBN(0xffffffff, 0xffffffff), TOBN(0x4b82d120, 0xa93ad2ca),\n TOBN(0x43db5bfc, 0xe0fd108e), TOBN(0x08e24fa0, 0x74e5ab31),\n TOBN(0x770988c0, 0xbad946e2), TOBN(0xbbe11757, 0x7a615d6c),\n TOBN(0x521f2b18, 0x177b200c), TOBN(0xd8760273, 0x3ec86a64),\n TOBN(0xf12ffa06, 0xd98a0864), TOBN(0xcee3d226, 0x1ad2ee6b),\n TOBN(0x1e8c94e0, 0x4a25619d), TOBN(0xabf5ae8c, 0xdb0933d7),\n TOBN(0xb3970f85, 0xa6e1e4c7), TOBN(0x8aea7157, 0x5d060c7d),\n TOBN(0xecfb8504, 0x58dbef0a), TOBN(0xa85521ab, 0xdf1cba64),\n TOBN(0xad33170d, 0x04507a33), TOBN(0x15728e5a, 0x8aaac42d),\n TOBN(0x15d22618, 0x98fa0510), TOBN(0x3995497c, 0xea956ae5),\n TOBN(0xde2bcbf6, 0x95581718), TOBN(0xb5c55df0, 0x6f4c52c9),\n TOBN(0x9b2783a2, 0xec07a28f), TOBN(0xe39e772c, 0x180e8603),\n TOBN(0x32905e46, 0x2e36ce3b), TOBN(0xf1746c08, 0xca18217c),\n TOBN(0x670c354e, 0x4abc9804), TOBN(0x9ed52907, 0x7096966d),\n TOBN(0x1c62f356, 0x208552bb), TOBN(0x83655d23, 0xdca3ad96),\n TOBN(0x69163fa8, 0xfd24cf5f), TOBN(0x98da4836, 0x1c55d39a),\n TOBN(0xc2007cb8, 0xa163bf05), TOBN(0x49286651, 0xece45b3d),\n TOBN(0xae9f2411, 0x7c4b1fe6), TOBN(0xee386bfb, 0x5a899fa5),\n TOBN(0x0bff5cb6, 0xf406b7ed), TOBN(0xf44c42e9, 0xa637ed6b),\n TOBN(0xe485b576, 0x625e7ec6), TOBN(0x4fe1356d, 0x6d51c245),\n TOBN(0x302b0a6d, 0xf25f1437), TOBN(0xef9519b3, 0xcd3a431b),\n TOBN(0x514a0879, 0x8e3404dd), TOBN(0x020bbea6, 0x3b139b22),\n TOBN(0x29024e08, 0x8a67cc74), TOBN(0xc4c6628b, 0x80dc1cd1),\n TOBN(0xc90fdaa2, 0x2168c234), TOBN(0xffffffff, 0xffffffff),\n };\n return get_params(ret, kWords, OPENSSL_ARRAY_SIZE(kWords));\n}\n\nBIGNUM *BN_get_rfc3526_prime_4096(BIGNUM *ret) {\n static const BN_ULONG kWords[] = {\n TOBN(0xffffffff, 0xffffffff), TOBN(0x4df435c9, 0x34063199),\n TOBN(0x86ffb7dc, 0x90a6c08f), TOBN(0x93b4ea98, 0x8d8fddc1),\n TOBN(0xd0069127, 0xd5b05aa9), TOBN(0xb81bdd76, 0x2170481c),\n TOBN(0x1f612970, 0xcee2d7af), TOBN(0x233ba186, 0x515be7ed),\n TOBN(0x99b2964f, 0xa090c3a2), TOBN(0x287c5947, 0x4e6bc05d),\n TOBN(0x2e8efc14, 0x1fbecaa6), TOBN(0xdbbbc2db, 0x04de8ef9),\n TOBN(0x2583e9ca, 0x2ad44ce8), TOBN(0x1a946834, 0xb6150bda),\n TOBN(0x99c32718, 0x6af4e23c), TOBN(0x88719a10, 0xbdba5b26),\n TOBN(0x1a723c12, 0xa787e6d7), TOBN(0x4b82d120, 0xa9210801),\n TOBN(0x43db5bfc, 0xe0fd108e), TOBN(0x08e24fa0, 0x74e5ab31),\n TOBN(0x770988c0, 0xbad946e2), TOBN(0xbbe11757, 0x7a615d6c),\n TOBN(0x521f2b18, 0x177b200c), TOBN(0xd8760273, 0x3ec86a64),\n TOBN(0xf12ffa06, 0xd98a0864), TOBN(0xcee3d226, 0x1ad2ee6b),\n TOBN(0x1e8c94e0, 0x4a25619d), TOBN(0xabf5ae8c, 0xdb0933d7),\n TOBN(0xb3970f85, 0xa6e1e4c7), TOBN(0x8aea7157, 0x5d060c7d),\n TOBN(0xecfb8504, 0x58dbef0a), TOBN(0xa85521ab, 0xdf1cba64),\n TOBN(0xad33170d, 0x04507a33), TOBN(0x15728e5a, 0x8aaac42d),\n TOBN(0x15d22618, 0x98fa0510), TOBN(0x3995497c, 0xea956ae5),\n TOBN(0xde2bcbf6, 0x95581718), TOBN(0xb5c55df0, 0x6f4c52c9),\n TOBN(0x9b2783a2, 0xec07a28f), TOBN(0xe39e772c, 0x180e8603),\n TOBN(0x32905e46, 0x2e36ce3b), TOBN(0xf1746c08, 0xca18217c),\n TOBN(0x670c354e, 0x4abc9804), TOBN(0x9ed52907, 0x7096966d),\n TOBN(0x1c62f356, 0x208552bb), TOBN(0x83655d23, 0xdca3ad96),\n TOBN(0x69163fa8, 0xfd24cf5f), TOBN(0x98da4836, 0x1c55d39a),\n TOBN(0xc2007cb8, 0xa163bf05), TOBN(0x49286651, 0xece45b3d),\n TOBN(0xae9f2411, 0x7c4b1fe6), TOBN(0xee386bfb, 0x5a899fa5),\n TOBN(0x0bff5cb6, 0xf406b7ed), TOBN(0xf44c42e9, 0xa637ed6b),\n TOBN(0xe485b576, 0x625e7ec6), TOBN(0x4fe1356d, 0x6d51c245),\n TOBN(0x302b0a6d, 0xf25f1437), TOBN(0xef9519b3, 0xcd3a431b),\n TOBN(0x514a0879, 0x8e3404dd), TOBN(0x020bbea6, 0x3b139b22),\n TOBN(0x29024e08, 0x8a67cc74), TOBN(0xc4c6628b, 0x80dc1cd1),\n TOBN(0xc90fdaa2, 0x2168c234), TOBN(0xffffffff, 0xffffffff),\n };\n return get_params(ret, kWords, OPENSSL_ARRAY_SIZE(kWords));\n}\n\nBIGNUM *BN_get_rfc3526_prime_6144(BIGNUM *ret) {\n static const BN_ULONG kWords[] = {\n TOBN(0xffffffff, 0xffffffff), TOBN(0xe694f91e, 0x6dcc4024),\n TOBN(0x12bf2d5b, 0x0b7474d6), TOBN(0x043e8f66, 0x3f4860ee),\n TOBN(0x387fe8d7, 0x6e3c0468), TOBN(0xda56c9ec, 0x2ef29632),\n TOBN(0xeb19ccb1, 0xa313d55c), TOBN(0xf550aa3d, 0x8a1fbff0),\n TOBN(0x06a1d58b, 0xb7c5da76), TOBN(0xa79715ee, 0xf29be328),\n TOBN(0x14cc5ed2, 0x0f8037e0), TOBN(0xcc8f6d7e, 0xbf48e1d8),\n TOBN(0x4bd407b2, 0x2b4154aa), TOBN(0x0f1d45b7, 0xff585ac5),\n TOBN(0x23a97a7e, 0x36cc88be), TOBN(0x59e7c97f, 0xbec7e8f3),\n TOBN(0xb5a84031, 0x900b1c9e), TOBN(0xd55e702f, 0x46980c82),\n TOBN(0xf482d7ce, 0x6e74fef6), TOBN(0xf032ea15, 0xd1721d03),\n TOBN(0x5983ca01, 0xc64b92ec), TOBN(0x6fb8f401, 0x378cd2bf),\n TOBN(0x33205151, 0x2bd7af42), TOBN(0xdb7f1447, 0xe6cc254b),\n TOBN(0x44ce6cba, 0xced4bb1b), TOBN(0xda3edbeb, 0xcf9b14ed),\n TOBN(0x179727b0, 0x865a8918), TOBN(0xb06a53ed, 0x9027d831),\n TOBN(0xe5db382f, 0x413001ae), TOBN(0xf8ff9406, 0xad9e530e),\n TOBN(0xc9751e76, 0x3dba37bd), TOBN(0xc1d4dcb2, 0x602646de),\n TOBN(0x36c3fab4, 0xd27c7026), TOBN(0x4df435c9, 0x34028492),\n TOBN(0x86ffb7dc, 0x90a6c08f), TOBN(0x93b4ea98, 0x8d8fddc1),\n TOBN(0xd0069127, 0xd5b05aa9), TOBN(0xb81bdd76, 0x2170481c),\n TOBN(0x1f612970, 0xcee2d7af), TOBN(0x233ba186, 0x515be7ed),\n TOBN(0x99b2964f, 0xa090c3a2), TOBN(0x287c5947, 0x4e6bc05d),\n TOBN(0x2e8efc14, 0x1fbecaa6), TOBN(0xdbbbc2db, 0x04de8ef9),\n TOBN(0x2583e9ca, 0x2ad44ce8), TOBN(0x1a946834, 0xb6150bda),\n TOBN(0x99c32718, 0x6af4e23c), TOBN(0x88719a10, 0xbdba5b26),\n TOBN(0x1a723c12, 0xa787e6d7), TOBN(0x4b82d120, 0xa9210801),\n TOBN(0x43db5bfc, 0xe0fd108e), TOBN(0x08e24fa0, 0x74e5ab31),\n TOBN(0x770988c0, 0xbad946e2), TOBN(0xbbe11757, 0x7a615d6c),\n TOBN(0x521f2b18, 0x177b200c), TOBN(0xd8760273, 0x3ec86a64),\n TOBN(0xf12ffa06, 0xd98a0864), TOBN(0xcee3d226, 0x1ad2ee6b),\n TOBN(0x1e8c94e0, 0x4a25619d), TOBN(0xabf5ae8c, 0xdb0933d7),\n TOBN(0xb3970f85, 0xa6e1e4c7), TOBN(0x8aea7157, 0x5d060c7d),\n TOBN(0xecfb8504, 0x58dbef0a), TOBN(0xa85521ab, 0xdf1cba64),\n TOBN(0xad33170d, 0x04507a33), TOBN(0x15728e5a, 0x8aaac42d),\n TOBN(0x15d22618, 0x98fa0510), TOBN(0x3995497c, 0xea956ae5),\n TOBN(0xde2bcbf6, 0x95581718), TOBN(0xb5c55df0, 0x6f4c52c9),\n TOBN(0x9b2783a2, 0xec07a28f), TOBN(0xe39e772c, 0x180e8603),\n TOBN(0x32905e46, 0x2e36ce3b), TOBN(0xf1746c08, 0xca18217c),\n TOBN(0x670c354e, 0x4abc9804), TOBN(0x9ed52907, 0x7096966d),\n TOBN(0x1c62f356, 0x208552bb), TOBN(0x83655d23, 0xdca3ad96),\n TOBN(0x69163fa8, 0xfd24cf5f), TOBN(0x98da4836, 0x1c55d39a),\n TOBN(0xc2007cb8, 0xa163bf05), TOBN(0x49286651, 0xece45b3d),\n TOBN(0xae9f2411, 0x7c4b1fe6), TOBN(0xee386bfb, 0x5a899fa5),\n TOBN(0x0bff5cb6, 0xf406b7ed), TOBN(0xf44c42e9, 0xa637ed6b),\n TOBN(0xe485b576, 0x625e7ec6), TOBN(0x4fe1356d, 0x6d51c245),\n TOBN(0x302b0a6d, 0xf25f1437), TOBN(0xef9519b3, 0xcd3a431b),\n TOBN(0x514a0879, 0x8e3404dd), TOBN(0x020bbea6, 0x3b139b22),\n TOBN(0x29024e08, 0x8a67cc74), TOBN(0xc4c6628b, 0x80dc1cd1),\n TOBN(0xc90fdaa2, 0x2168c234), TOBN(0xffffffff, 0xffffffff),\n };\n return get_params(ret, kWords, OPENSSL_ARRAY_SIZE(kWords));\n}\n\nBIGNUM *BN_get_rfc3526_prime_8192(BIGNUM *ret) {\n static const BN_ULONG kWords[] = {\n TOBN(0xffffffff, 0xffffffff), TOBN(0x60c980dd, 0x98edd3df),\n TOBN(0xc81f56e8, 0x80b96e71), TOBN(0x9e3050e2, 0x765694df),\n TOBN(0x9558e447, 0x5677e9aa), TOBN(0xc9190da6, 0xfc026e47),\n TOBN(0x889a002e, 0xd5ee382b), TOBN(0x4009438b, 0x481c6cd7),\n TOBN(0x359046f4, 0xeb879f92), TOBN(0xfaf36bc3, 0x1ecfa268),\n TOBN(0xb1d510bd, 0x7ee74d73), TOBN(0xf9ab4819, 0x5ded7ea1),\n TOBN(0x64f31cc5, 0x0846851d), TOBN(0x4597e899, 0xa0255dc1),\n TOBN(0xdf310ee0, 0x74ab6a36), TOBN(0x6d2a13f8, 0x3f44f82d),\n TOBN(0x062b3cf5, 0xb3a278a6), TOBN(0x79683303, 0xed5bdd3a),\n TOBN(0xfa9d4b7f, 0xa2c087e8), TOBN(0x4bcbc886, 0x2f8385dd),\n TOBN(0x3473fc64, 0x6cea306b), TOBN(0x13eb57a8, 0x1a23f0c7),\n TOBN(0x22222e04, 0xa4037c07), TOBN(0xe3fdb8be, 0xfc848ad9),\n TOBN(0x238f16cb, 0xe39d652d), TOBN(0x3423b474, 0x2bf1c978),\n TOBN(0x3aab639c, 0x5ae4f568), TOBN(0x2576f693, 0x6ba42466),\n TOBN(0x741fa7bf, 0x8afc47ed), TOBN(0x3bc832b6, 0x8d9dd300),\n TOBN(0xd8bec4d0, 0x73b931ba), TOBN(0x38777cb6, 0xa932df8c),\n TOBN(0x74a3926f, 0x12fee5e4), TOBN(0xe694f91e, 0x6dbe1159),\n TOBN(0x12bf2d5b, 0x0b7474d6), TOBN(0x043e8f66, 0x3f4860ee),\n TOBN(0x387fe8d7, 0x6e3c0468), TOBN(0xda56c9ec, 0x2ef29632),\n TOBN(0xeb19ccb1, 0xa313d55c), TOBN(0xf550aa3d, 0x8a1fbff0),\n TOBN(0x06a1d58b, 0xb7c5da76), TOBN(0xa79715ee, 0xf29be328),\n TOBN(0x14cc5ed2, 0x0f8037e0), TOBN(0xcc8f6d7e, 0xbf48e1d8),\n TOBN(0x4bd407b2, 0x2b4154aa), TOBN(0x0f1d45b7, 0xff585ac5),\n TOBN(0x23a97a7e, 0x36cc88be), TOBN(0x59e7c97f, 0xbec7e8f3),\n TOBN(0xb5a84031, 0x900b1c9e), TOBN(0xd55e702f, 0x46980c82),\n TOBN(0xf482d7ce, 0x6e74fef6), TOBN(0xf032ea15, 0xd1721d03),\n TOBN(0x5983ca01, 0xc64b92ec), TOBN(0x6fb8f401, 0x378cd2bf),\n TOBN(0x33205151, 0x2bd7af42), TOBN(0xdb7f1447, 0xe6cc254b),\n TOBN(0x44ce6cba, 0xced4bb1b), TOBN(0xda3edbeb, 0xcf9b14ed),\n TOBN(0x179727b0, 0x865a8918), TOBN(0xb06a53ed, 0x9027d831),\n TOBN(0xe5db382f, 0x413001ae), TOBN(0xf8ff9406, 0xad9e530e),\n TOBN(0xc9751e76, 0x3dba37bd), TOBN(0xc1d4dcb2, 0x602646de),\n TOBN(0x36c3fab4, 0xd27c7026), TOBN(0x4df435c9, 0x34028492),\n TOBN(0x86ffb7dc, 0x90a6c08f), TOBN(0x93b4ea98, 0x8d8fddc1),\n TOBN(0xd0069127, 0xd5b05aa9), TOBN(0xb81bdd76, 0x2170481c),\n TOBN(0x1f612970, 0xcee2d7af), TOBN(0x233ba186, 0x515be7ed),\n TOBN(0x99b2964f, 0xa090c3a2), TOBN(0x287c5947, 0x4e6bc05d),\n TOBN(0x2e8efc14, 0x1fbecaa6), TOBN(0xdbbbc2db, 0x04de8ef9),\n TOBN(0x2583e9ca, 0x2ad44ce8), TOBN(0x1a946834, 0xb6150bda),\n TOBN(0x99c32718, 0x6af4e23c), TOBN(0x88719a10, 0xbdba5b26),\n TOBN(0x1a723c12, 0xa787e6d7), TOBN(0x4b82d120, 0xa9210801),\n TOBN(0x43db5bfc, 0xe0fd108e), TOBN(0x08e24fa0, 0x74e5ab31),\n TOBN(0x770988c0, 0xbad946e2), TOBN(0xbbe11757, 0x7a615d6c),\n TOBN(0x521f2b18, 0x177b200c), TOBN(0xd8760273, 0x3ec86a64),\n TOBN(0xf12ffa06, 0xd98a0864), TOBN(0xcee3d226, 0x1ad2ee6b),\n TOBN(0x1e8c94e0, 0x4a25619d), TOBN(0xabf5ae8c, 0xdb0933d7),\n TOBN(0xb3970f85, 0xa6e1e4c7), TOBN(0x8aea7157, 0x5d060c7d),\n TOBN(0xecfb8504, 0x58dbef0a), TOBN(0xa85521ab, 0xdf1cba64),\n TOBN(0xad33170d, 0x04507a33), TOBN(0x15728e5a, 0x8aaac42d),\n TOBN(0x15d22618, 0x98fa0510), TOBN(0x3995497c, 0xea956ae5),\n TOBN(0xde2bcbf6, 0x95581718), TOBN(0xb5c55df0, 0x6f4c52c9),\n TOBN(0x9b2783a2, 0xec07a28f), TOBN(0xe39e772c, 0x180e8603),\n TOBN(0x32905e46, 0x2e36ce3b), TOBN(0xf1746c08, 0xca18217c),\n TOBN(0x670c354e, 0x4abc9804), TOBN(0x9ed52907, 0x7096966d),\n TOBN(0x1c62f356, 0x208552bb), TOBN(0x83655d23, 0xdca3ad96),\n TOBN(0x69163fa8, 0xfd24cf5f), TOBN(0x98da4836, 0x1c55d39a),\n TOBN(0xc2007cb8, 0xa163bf05), TOBN(0x49286651, 0xece45b3d),\n TOBN(0xae9f2411, 0x7c4b1fe6), TOBN(0xee386bfb, 0x5a899fa5),\n TOBN(0x0bff5cb6, 0xf406b7ed), TOBN(0xf44c42e9, 0xa637ed6b),\n TOBN(0xe485b576, 0x625e7ec6), TOBN(0x4fe1356d, 0x6d51c245),\n TOBN(0x302b0a6d, 0xf25f1437), TOBN(0xef9519b3, 0xcd3a431b),\n TOBN(0x514a0879, 0x8e3404dd), TOBN(0x020bbea6, 0x3b139b22),\n TOBN(0x29024e08, 0x8a67cc74), TOBN(0xc4c6628b, 0x80dc1cd1),\n TOBN(0xc90fdaa2, 0x2168c234), TOBN(0xffffffff, 0xffffffff),\n };\n return get_params(ret, kWords, OPENSSL_ARRAY_SIZE(kWords));\n}\n\nint DH_generate_parameters_ex(DH *dh, int prime_bits, int generator,\n BN_GENCB *cb) {\n // We generate DH parameters as follows\n // find a prime q which is prime_bits/2 bits long.\n // p=(2*q)+1 or (p-1)/2 = q\n // For this case, g is a generator if\n // g^((p-1)/q) mod p != 1 for values of q which are the factors of p-1.\n // Since the factors of p-1 are q and 2, we just need to check\n // g^2 mod p != 1 and g^q mod p != 1.\n //\n // Having said all that,\n // there is another special case method for the generators 2, 3 and 5.\n // for 2, p mod 24 == 11\n // for 3, p mod 12 == 5 <<<<< does not work for safe primes.\n // for 5, p mod 10 == 3 or 7\n //\n // Thanks to Phil Karn for the pointers about the\n // special generators and for answering some of my questions.\n //\n // I've implemented the second simple method :-).\n // Since DH should be using a safe prime (both p and q are prime),\n // this generator function can take a very very long time to run.\n\n // Actually there is no reason to insist that 'generator' be a generator.\n // It's just as OK (and in some sense better) to use a generator of the\n // order-q subgroup.\n\n if (prime_bits <= 0 || prime_bits > OPENSSL_DH_MAX_MODULUS_BITS) {\n OPENSSL_PUT_ERROR(DH, DH_R_MODULUS_TOO_LARGE);\n return 0;\n }\n\n BIGNUM *t1, *t2;\n int g, ok = 0;\n BN_CTX *ctx = NULL;\n\n ctx = BN_CTX_new();\n if (ctx == NULL) {\n goto err;\n }\n BN_CTX_start(ctx);\n t1 = BN_CTX_get(ctx);\n t2 = BN_CTX_get(ctx);\n if (t1 == NULL || t2 == NULL) {\n goto err;\n }\n\n // Make sure |dh| has the necessary elements\n if (dh->p == NULL) {\n dh->p = BN_new();\n if (dh->p == NULL) {\n goto err;\n }\n }\n if (dh->g == NULL) {\n dh->g = BN_new();\n if (dh->g == NULL) {\n goto err;\n }\n }\n\n if (generator <= 1) {\n OPENSSL_PUT_ERROR(DH, DH_R_BAD_GENERATOR);\n goto err;\n }\n if (generator == DH_GENERATOR_2) {\n if (!BN_set_word(t1, 24)) {\n goto err;\n }\n if (!BN_set_word(t2, 11)) {\n goto err;\n }\n g = 2;\n } else if (generator == DH_GENERATOR_5) {\n if (!BN_set_word(t1, 10)) {\n goto err;\n }\n if (!BN_set_word(t2, 3)) {\n goto err;\n }\n // BN_set_word(t3,7); just have to miss\n // out on these ones :-(\n g = 5;\n } else {\n // in the general case, don't worry if 'generator' is a\n // generator or not: since we are using safe primes,\n // it will generate either an order-q or an order-2q group,\n // which both is OK\n if (!BN_set_word(t1, 2)) {\n goto err;\n }\n if (!BN_set_word(t2, 1)) {\n goto err;\n }\n g = generator;\n }\n\n if (!BN_generate_prime_ex(dh->p, prime_bits, 1, t1, t2, cb)) {\n goto err;\n }\n if (!BN_GENCB_call(cb, 3, 0)) {\n goto err;\n }\n if (!BN_set_word(dh->g, g)) {\n goto err;\n }\n ok = 1;\n\nerr:\n if (!ok) {\n OPENSSL_PUT_ERROR(DH, ERR_R_BN_LIB);\n }\n\n if (ctx != NULL) {\n BN_CTX_end(ctx);\n BN_CTX_free(ctx);\n }\n return ok;\n}\n\nstatic int int_dh_bn_cpy(BIGNUM **dst, const BIGNUM *src) {\n BIGNUM *a = NULL;\n\n if (src) {\n a = BN_dup(src);\n if (!a) {\n return 0;\n }\n }\n\n BN_free(*dst);\n *dst = a;\n return 1;\n}\n\nstatic int int_dh_param_copy(DH *to, const DH *from, int is_x942) {\n if (is_x942 == -1) {\n is_x942 = !!from->q;\n }\n if (!int_dh_bn_cpy(&to->p, from->p) ||\n !int_dh_bn_cpy(&to->g, from->g)) {\n return 0;\n }\n\n if (!is_x942) {\n return 1;\n }\n\n if (!int_dh_bn_cpy(&to->q, from->q)) {\n return 0;\n }\n\n return 1;\n}\n\nDH *DHparams_dup(const DH *dh) {\n DH *ret = DH_new();\n if (!ret) {\n return NULL;\n }\n\n if (!int_dh_param_copy(ret, dh, -1)) {\n DH_free(ret);\n return NULL;\n }\n\n return ret;\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/digest/digest_extra.cc", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n\n#include \n#include \n#include \n#include \n#include \n#include \n\n#include \"../asn1/internal.h\"\n#include \"../fipsmodule/digest/internal.h\"\n#include \"../internal.h\"\n\n\nstruct nid_to_digest {\n int nid;\n const EVP_MD *(*md_func)(void);\n const char *short_name;\n const char *long_name;\n};\n\nstatic const struct nid_to_digest nid_to_digest_mapping[] = {\n {NID_md4, EVP_md4, SN_md4, LN_md4},\n {NID_md5, EVP_md5, SN_md5, LN_md5},\n {NID_sha1, EVP_sha1, SN_sha1, LN_sha1},\n {NID_sha224, EVP_sha224, SN_sha224, LN_sha224},\n {NID_sha256, EVP_sha256, SN_sha256, LN_sha256},\n {NID_sha384, EVP_sha384, SN_sha384, LN_sha384},\n {NID_sha512, EVP_sha512, SN_sha512, LN_sha512},\n {NID_sha512_256, EVP_sha512_256, SN_sha512_256, LN_sha512_256},\n {NID_md5_sha1, EVP_md5_sha1, SN_md5_sha1, LN_md5_sha1},\n // As a remnant of signing |EVP_MD|s, OpenSSL returned the corresponding\n // hash function when given a signature OID. To avoid unintended lax parsing\n // of hash OIDs, this is no longer supported for lookup by OID or NID.\n // Node.js, however, exposes |EVP_get_digestbyname|'s full behavior to\n // consumers so we retain it there.\n {NID_undef, EVP_sha1, SN_dsaWithSHA, LN_dsaWithSHA},\n {NID_undef, EVP_sha1, SN_dsaWithSHA1, LN_dsaWithSHA1},\n {NID_undef, EVP_sha1, SN_ecdsa_with_SHA1, NULL},\n {NID_undef, EVP_md5, SN_md5WithRSAEncryption, LN_md5WithRSAEncryption},\n {NID_undef, EVP_sha1, SN_sha1WithRSAEncryption, LN_sha1WithRSAEncryption},\n {NID_undef, EVP_sha224, SN_sha224WithRSAEncryption,\n LN_sha224WithRSAEncryption},\n {NID_undef, EVP_sha256, SN_sha256WithRSAEncryption,\n LN_sha256WithRSAEncryption},\n {NID_undef, EVP_sha384, SN_sha384WithRSAEncryption,\n LN_sha384WithRSAEncryption},\n {NID_undef, EVP_sha512, SN_sha512WithRSAEncryption,\n LN_sha512WithRSAEncryption},\n};\n\nconst EVP_MD *EVP_get_digestbynid(int nid) {\n if (nid == NID_undef) {\n // Skip the |NID_undef| entries in |nid_to_digest_mapping|.\n return NULL;\n }\n\n for (unsigned i = 0; i < OPENSSL_ARRAY_SIZE(nid_to_digest_mapping); i++) {\n if (nid_to_digest_mapping[i].nid == nid) {\n return nid_to_digest_mapping[i].md_func();\n }\n }\n\n return NULL;\n}\n\nstatic const struct {\n uint8_t oid[9];\n uint8_t oid_len;\n int nid;\n} kMDOIDs[] = {\n // 1.2.840.113549.2.4\n {{0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x02, 0x04}, 8, NID_md4},\n // 1.2.840.113549.2.5\n {{0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x02, 0x05}, 8, NID_md5},\n // 1.3.14.3.2.26\n {{0x2b, 0x0e, 0x03, 0x02, 0x1a}, 5, NID_sha1},\n // 2.16.840.1.101.3.4.2.1\n {{0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01}, 9, NID_sha256},\n // 2.16.840.1.101.3.4.2.2\n {{0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02}, 9, NID_sha384},\n // 2.16.840.1.101.3.4.2.3\n {{0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03}, 9, NID_sha512},\n // 2.16.840.1.101.3.4.2.4\n {{0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x04}, 9, NID_sha224},\n};\n\nstatic const EVP_MD *cbs_to_md(const CBS *cbs) {\n for (size_t i = 0; i < OPENSSL_ARRAY_SIZE(kMDOIDs); i++) {\n if (CBS_len(cbs) == kMDOIDs[i].oid_len &&\n OPENSSL_memcmp(CBS_data(cbs), kMDOIDs[i].oid, kMDOIDs[i].oid_len) ==\n 0) {\n return EVP_get_digestbynid(kMDOIDs[i].nid);\n }\n }\n\n return NULL;\n}\n\nconst EVP_MD *EVP_get_digestbyobj(const ASN1_OBJECT *obj) {\n // Handle objects with no corresponding OID. Note we don't use |OBJ_obj2nid|\n // here to avoid pulling in the OID table.\n if (obj->nid != NID_undef) {\n return EVP_get_digestbynid(obj->nid);\n }\n\n CBS cbs;\n CBS_init(&cbs, OBJ_get0_data(obj), OBJ_length(obj));\n return cbs_to_md(&cbs);\n}\n\nconst EVP_MD *EVP_parse_digest_algorithm(CBS *cbs) {\n CBS algorithm, oid;\n if (!CBS_get_asn1(cbs, &algorithm, CBS_ASN1_SEQUENCE) ||\n !CBS_get_asn1(&algorithm, &oid, CBS_ASN1_OBJECT)) {\n OPENSSL_PUT_ERROR(DIGEST, DIGEST_R_DECODE_ERROR);\n return NULL;\n }\n\n const EVP_MD *ret = cbs_to_md(&oid);\n if (ret == NULL) {\n OPENSSL_PUT_ERROR(DIGEST, DIGEST_R_UNKNOWN_HASH);\n return NULL;\n }\n\n // The parameters, if present, must be NULL. Historically, whether the NULL\n // was included or omitted was not well-specified. When parsing an\n // AlgorithmIdentifier, we allow both. (Note this code is not used when\n // verifying RSASSA-PKCS1-v1_5 signatures.)\n if (CBS_len(&algorithm) > 0) {\n CBS param;\n if (!CBS_get_asn1(&algorithm, ¶m, CBS_ASN1_NULL) ||\n CBS_len(¶m) != 0 || //\n CBS_len(&algorithm) != 0) {\n OPENSSL_PUT_ERROR(DIGEST, DIGEST_R_DECODE_ERROR);\n return NULL;\n }\n }\n\n return ret;\n}\n\nint EVP_marshal_digest_algorithm(CBB *cbb, const EVP_MD *md) {\n CBB algorithm, oid, null;\n if (!CBB_add_asn1(cbb, &algorithm, CBS_ASN1_SEQUENCE) ||\n !CBB_add_asn1(&algorithm, &oid, CBS_ASN1_OBJECT)) {\n return 0;\n }\n\n int found = 0;\n int nid = EVP_MD_type(md);\n for (size_t i = 0; i < OPENSSL_ARRAY_SIZE(kMDOIDs); i++) {\n if (nid == kMDOIDs[i].nid) {\n if (!CBB_add_bytes(&oid, kMDOIDs[i].oid, kMDOIDs[i].oid_len)) {\n return 0;\n }\n found = 1;\n break;\n }\n }\n\n if (!found) {\n OPENSSL_PUT_ERROR(DIGEST, DIGEST_R_UNKNOWN_HASH);\n return 0;\n }\n\n // TODO(crbug.com/boringssl/710): Is this correct? See RFC 4055, section 2.1.\n if (!CBB_add_asn1(&algorithm, &null, CBS_ASN1_NULL) || //\n !CBB_flush(cbb)) {\n return 0;\n }\n\n return 1;\n}\n\nconst EVP_MD *EVP_get_digestbyname(const char *name) {\n for (unsigned i = 0; i < OPENSSL_ARRAY_SIZE(nid_to_digest_mapping); i++) {\n const char *short_name = nid_to_digest_mapping[i].short_name;\n const char *long_name = nid_to_digest_mapping[i].long_name;\n if ((short_name && strcmp(short_name, name) == 0) ||\n (long_name && strcmp(long_name, name) == 0)) {\n return nid_to_digest_mapping[i].md_func();\n }\n }\n\n return NULL;\n}\n\nstatic void blake2b256_init(EVP_MD_CTX *ctx) {\n BLAKE2B256_Init(reinterpret_cast(ctx->md_data));\n}\n\nstatic void blake2b256_update(EVP_MD_CTX *ctx, const void *data, size_t len) {\n BLAKE2B256_Update(reinterpret_cast(ctx->md_data), data, len);\n}\n\nstatic void blake2b256_final(EVP_MD_CTX *ctx, uint8_t *md) {\n BLAKE2B256_Final(md, reinterpret_cast(ctx->md_data));\n}\n\nstatic const EVP_MD evp_md_blake2b256 = {\n NID_undef, BLAKE2B256_DIGEST_LENGTH, 0,\n blake2b256_init, blake2b256_update, blake2b256_final,\n BLAKE2B_CBLOCK, sizeof(BLAKE2B_CTX),\n};\n\nconst EVP_MD *EVP_blake2b256(void) { return &evp_md_blake2b256; }\n\n\nstatic void md4_init(EVP_MD_CTX *ctx) {\n BSSL_CHECK(MD4_Init(reinterpret_cast(ctx->md_data)));\n}\n\nstatic void md4_update(EVP_MD_CTX *ctx, const void *data, size_t count) {\n BSSL_CHECK(\n MD4_Update(reinterpret_cast(ctx->md_data), data, count));\n}\n\nstatic void md4_final(EVP_MD_CTX *ctx, uint8_t *out) {\n BSSL_CHECK(MD4_Final(out, reinterpret_cast(ctx->md_data)));\n}\n\nstatic const EVP_MD evp_md_md4 = {\n NID_md4, //\n MD4_DIGEST_LENGTH, //\n 0,\n md4_init,\n md4_update,\n md4_final,\n 64,\n sizeof(MD4_CTX),\n};\n\nconst EVP_MD *EVP_md4(void) { return &evp_md_md4; }\n\nstatic void md5_init(EVP_MD_CTX *ctx) {\n BSSL_CHECK(MD5_Init(reinterpret_cast(ctx->md_data)));\n}\n\nstatic void md5_update(EVP_MD_CTX *ctx, const void *data, size_t count) {\n BSSL_CHECK(\n MD5_Update(reinterpret_cast(ctx->md_data), data, count));\n}\n\nstatic void md5_final(EVP_MD_CTX *ctx, uint8_t *out) {\n BSSL_CHECK(MD5_Final(out, reinterpret_cast(ctx->md_data)));\n}\n\nstatic const EVP_MD evp_md_md5 = {\n NID_md5, MD5_DIGEST_LENGTH, 0, md5_init,\n md5_update, md5_final, 64, sizeof(MD5_CTX),\n};\n\nconst EVP_MD *EVP_md5(void) { return &evp_md_md5; }\n\ntypedef struct {\n MD5_CTX md5;\n SHA_CTX sha1;\n} MD5_SHA1_CTX;\n\nstatic void md5_sha1_init(EVP_MD_CTX *md_ctx) {\n MD5_SHA1_CTX *ctx = reinterpret_cast(md_ctx->md_data);\n BSSL_CHECK(MD5_Init(&ctx->md5) && SHA1_Init(&ctx->sha1));\n}\n\nstatic void md5_sha1_update(EVP_MD_CTX *md_ctx, const void *data,\n size_t count) {\n MD5_SHA1_CTX *ctx = reinterpret_cast(md_ctx->md_data);\n BSSL_CHECK(MD5_Update(&ctx->md5, data, count) &&\n SHA1_Update(&ctx->sha1, data, count));\n}\n\nstatic void md5_sha1_final(EVP_MD_CTX *md_ctx, uint8_t *out) {\n MD5_SHA1_CTX *ctx = reinterpret_cast(md_ctx->md_data);\n BSSL_CHECK(MD5_Final(out, &ctx->md5) &&\n SHA1_Final(out + MD5_DIGEST_LENGTH, &ctx->sha1));\n}\n\nconst EVP_MD evp_md_md5_sha1 = {\n NID_md5_sha1,\n MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH,\n 0,\n md5_sha1_init,\n md5_sha1_update,\n md5_sha1_final,\n 64,\n sizeof(MD5_SHA1_CTX),\n};\n\nconst EVP_MD *EVP_md5_sha1(void) { return &evp_md_md5_sha1; }\n" }, { "path": "Sources/CNIOBoringSSL/crypto/dsa/dsa.cc", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n\n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n\n#include \"../fipsmodule/bn/internal.h\"\n#include \"../fipsmodule/dh/internal.h\"\n#include \"../internal.h\"\n#include \"internal.h\"\n\n\n// Primality test according to FIPS PUB 186[-1], Appendix 2.1: 50 rounds of\n// Miller-Rabin.\n#define DSS_prime_checks 50\n\nstatic int dsa_sign_setup(const DSA *dsa, BN_CTX *ctx_in, BIGNUM **out_kinv,\n BIGNUM **out_r);\n\nstatic CRYPTO_EX_DATA_CLASS g_ex_data_class = CRYPTO_EX_DATA_CLASS_INIT;\n\nDSA *DSA_new(void) {\n DSA *dsa = reinterpret_cast(OPENSSL_zalloc(sizeof(DSA)));\n if (dsa == NULL) {\n return NULL;\n }\n\n dsa->references = 1;\n CRYPTO_MUTEX_init(&dsa->method_mont_lock);\n CRYPTO_new_ex_data(&dsa->ex_data);\n return dsa;\n}\n\nvoid DSA_free(DSA *dsa) {\n if (dsa == NULL) {\n return;\n }\n\n if (!CRYPTO_refcount_dec_and_test_zero(&dsa->references)) {\n return;\n }\n\n CRYPTO_free_ex_data(&g_ex_data_class, dsa, &dsa->ex_data);\n\n BN_clear_free(dsa->p);\n BN_clear_free(dsa->q);\n BN_clear_free(dsa->g);\n BN_clear_free(dsa->pub_key);\n BN_clear_free(dsa->priv_key);\n BN_MONT_CTX_free(dsa->method_mont_p);\n BN_MONT_CTX_free(dsa->method_mont_q);\n CRYPTO_MUTEX_cleanup(&dsa->method_mont_lock);\n OPENSSL_free(dsa);\n}\n\nint DSA_up_ref(DSA *dsa) {\n CRYPTO_refcount_inc(&dsa->references);\n return 1;\n}\n\nunsigned DSA_bits(const DSA *dsa) { return BN_num_bits(dsa->p); }\n\nconst BIGNUM *DSA_get0_pub_key(const DSA *dsa) { return dsa->pub_key; }\n\nconst BIGNUM *DSA_get0_priv_key(const DSA *dsa) { return dsa->priv_key; }\n\nconst BIGNUM *DSA_get0_p(const DSA *dsa) { return dsa->p; }\n\nconst BIGNUM *DSA_get0_q(const DSA *dsa) { return dsa->q; }\n\nconst BIGNUM *DSA_get0_g(const DSA *dsa) { return dsa->g; }\n\nvoid DSA_get0_key(const DSA *dsa, const BIGNUM **out_pub_key,\n const BIGNUM **out_priv_key) {\n if (out_pub_key != NULL) {\n *out_pub_key = dsa->pub_key;\n }\n if (out_priv_key != NULL) {\n *out_priv_key = dsa->priv_key;\n }\n}\n\nvoid DSA_get0_pqg(const DSA *dsa, const BIGNUM **out_p, const BIGNUM **out_q,\n const BIGNUM **out_g) {\n if (out_p != NULL) {\n *out_p = dsa->p;\n }\n if (out_q != NULL) {\n *out_q = dsa->q;\n }\n if (out_g != NULL) {\n *out_g = dsa->g;\n }\n}\n\nint DSA_set0_key(DSA *dsa, BIGNUM *pub_key, BIGNUM *priv_key) {\n if (dsa->pub_key == NULL && pub_key == NULL) {\n return 0;\n }\n\n if (pub_key != NULL) {\n BN_free(dsa->pub_key);\n dsa->pub_key = pub_key;\n }\n if (priv_key != NULL) {\n BN_free(dsa->priv_key);\n dsa->priv_key = priv_key;\n }\n\n return 1;\n}\n\nint DSA_set0_pqg(DSA *dsa, BIGNUM *p, BIGNUM *q, BIGNUM *g) {\n if ((dsa->p == NULL && p == NULL) || (dsa->q == NULL && q == NULL) ||\n (dsa->g == NULL && g == NULL)) {\n return 0;\n }\n\n if (p != NULL) {\n BN_free(dsa->p);\n dsa->p = p;\n }\n if (q != NULL) {\n BN_free(dsa->q);\n dsa->q = q;\n }\n if (g != NULL) {\n BN_free(dsa->g);\n dsa->g = g;\n }\n\n BN_MONT_CTX_free(dsa->method_mont_p);\n dsa->method_mont_p = NULL;\n BN_MONT_CTX_free(dsa->method_mont_q);\n dsa->method_mont_q = NULL;\n return 1;\n}\n\nint DSA_generate_parameters_ex(DSA *dsa, unsigned bits, const uint8_t *seed_in,\n size_t seed_len, int *out_counter,\n unsigned long *out_h, BN_GENCB *cb) {\n if (bits > OPENSSL_DSA_MAX_MODULUS_BITS) {\n OPENSSL_PUT_ERROR(DSA, DSA_R_INVALID_PARAMETERS);\n return 0;\n }\n\n int ok = 0;\n unsigned char seed[SHA256_DIGEST_LENGTH];\n unsigned char md[SHA256_DIGEST_LENGTH];\n unsigned char buf[SHA256_DIGEST_LENGTH], buf2[SHA256_DIGEST_LENGTH];\n BIGNUM *r0, *W, *X, *c, *test;\n BIGNUM *g = NULL, *q = NULL, *p = NULL;\n BN_MONT_CTX *mont = NULL;\n int k, n = 0, m = 0;\n int counter = 0;\n int r = 0;\n BN_CTX *ctx = NULL;\n unsigned int h = 2;\n const EVP_MD *evpmd;\n\n evpmd = (bits >= 2048) ? EVP_sha256() : EVP_sha1();\n size_t qsize = EVP_MD_size(evpmd);\n\n if (bits < 512) {\n bits = 512;\n }\n\n bits = (bits + 63) / 64 * 64;\n\n if (seed_in != NULL) {\n if (seed_len < qsize) {\n return 0;\n }\n if (seed_len > qsize) {\n // Only consume as much seed as is expected.\n seed_len = qsize;\n }\n OPENSSL_memcpy(seed, seed_in, seed_len);\n }\n\n ctx = BN_CTX_new();\n if (ctx == NULL) {\n goto err;\n }\n BN_CTX_start(ctx);\n\n r0 = BN_CTX_get(ctx);\n g = BN_CTX_get(ctx);\n W = BN_CTX_get(ctx);\n q = BN_CTX_get(ctx);\n X = BN_CTX_get(ctx);\n c = BN_CTX_get(ctx);\n p = BN_CTX_get(ctx);\n test = BN_CTX_get(ctx);\n\n if (test == NULL || !BN_lshift(test, BN_value_one(), bits - 1)) {\n goto err;\n }\n\n for (;;) {\n // Find q.\n for (;;) {\n // step 1\n if (!BN_GENCB_call(cb, BN_GENCB_GENERATED, m++)) {\n goto err;\n }\n\n int use_random_seed = (seed_in == NULL);\n if (use_random_seed) {\n if (!RAND_bytes(seed, qsize)) {\n goto err;\n }\n // DSA parameters are public.\n CONSTTIME_DECLASSIFY(seed, qsize);\n } else {\n // If we come back through, use random seed next time.\n seed_in = NULL;\n }\n OPENSSL_memcpy(buf, seed, qsize);\n OPENSSL_memcpy(buf2, seed, qsize);\n // precompute \"SEED + 1\" for step 7:\n for (size_t i = qsize - 1; i < qsize; i--) {\n buf[i]++;\n if (buf[i] != 0) {\n break;\n }\n }\n\n // step 2\n if (!EVP_Digest(seed, qsize, md, NULL, evpmd, NULL) ||\n !EVP_Digest(buf, qsize, buf2, NULL, evpmd, NULL)) {\n goto err;\n }\n for (size_t i = 0; i < qsize; i++) {\n md[i] ^= buf2[i];\n }\n\n // step 3\n md[0] |= 0x80;\n md[qsize - 1] |= 0x01;\n if (!BN_bin2bn(md, qsize, q)) {\n goto err;\n }\n\n // step 4\n r = BN_is_prime_fasttest_ex(q, DSS_prime_checks, ctx, use_random_seed,\n cb);\n if (r > 0) {\n break;\n }\n if (r != 0) {\n goto err;\n }\n\n // do a callback call\n // step 5\n }\n\n if (!BN_GENCB_call(cb, 2, 0) || !BN_GENCB_call(cb, 3, 0)) {\n goto err;\n }\n\n // step 6\n counter = 0;\n // \"offset = 2\"\n\n n = (bits - 1) / 160;\n\n for (;;) {\n if ((counter != 0) && !BN_GENCB_call(cb, BN_GENCB_GENERATED, counter)) {\n goto err;\n }\n\n // step 7\n BN_zero(W);\n // now 'buf' contains \"SEED + offset - 1\"\n for (k = 0; k <= n; k++) {\n // obtain \"SEED + offset + k\" by incrementing:\n for (size_t i = qsize - 1; i < qsize; i--) {\n buf[i]++;\n if (buf[i] != 0) {\n break;\n }\n }\n\n if (!EVP_Digest(buf, qsize, md, NULL, evpmd, NULL)) {\n goto err;\n }\n\n // step 8\n if (!BN_bin2bn(md, qsize, r0) || !BN_lshift(r0, r0, (qsize << 3) * k) ||\n !BN_add(W, W, r0)) {\n goto err;\n }\n }\n\n // more of step 8\n if (!BN_mask_bits(W, bits - 1) || !BN_copy(X, W) || !BN_add(X, X, test)) {\n goto err;\n }\n\n // step 9\n if (!BN_lshift1(r0, q) || !BN_mod(c, X, r0, ctx) ||\n !BN_sub(r0, c, BN_value_one()) || !BN_sub(p, X, r0)) {\n goto err;\n }\n\n // step 10\n if (BN_cmp(p, test) >= 0) {\n // step 11\n r = BN_is_prime_fasttest_ex(p, DSS_prime_checks, ctx, 1, cb);\n if (r > 0) {\n goto end; // found it\n }\n if (r != 0) {\n goto err;\n }\n }\n\n // step 13\n counter++;\n // \"offset = offset + n + 1\"\n\n // step 14\n if (counter >= 4096) {\n break;\n }\n }\n }\nend:\n if (!BN_GENCB_call(cb, 2, 1)) {\n goto err;\n }\n\n // We now need to generate g\n // Set r0=(p-1)/q\n if (!BN_sub(test, p, BN_value_one()) || !BN_div(r0, NULL, test, q, ctx)) {\n goto err;\n }\n\n mont = BN_MONT_CTX_new_for_modulus(p, ctx);\n if (mont == NULL || !BN_set_word(test, h)) {\n goto err;\n }\n\n for (;;) {\n // g=test^r0%p\n if (!BN_mod_exp_mont(g, test, r0, p, ctx, mont)) {\n goto err;\n }\n if (!BN_is_one(g)) {\n break;\n }\n if (!BN_add(test, test, BN_value_one())) {\n goto err;\n }\n h++;\n }\n\n if (!BN_GENCB_call(cb, 3, 1)) {\n goto err;\n }\n\n ok = 1;\n\nerr:\n if (ok) {\n BN_free(dsa->p);\n BN_free(dsa->q);\n BN_free(dsa->g);\n dsa->p = BN_dup(p);\n dsa->q = BN_dup(q);\n dsa->g = BN_dup(g);\n if (dsa->p == NULL || dsa->q == NULL || dsa->g == NULL) {\n ok = 0;\n goto err;\n }\n if (out_counter != NULL) {\n *out_counter = counter;\n }\n if (out_h != NULL) {\n *out_h = h;\n }\n }\n\n if (ctx) {\n BN_CTX_end(ctx);\n BN_CTX_free(ctx);\n }\n\n BN_MONT_CTX_free(mont);\n\n return ok;\n}\n\nDSA *DSAparams_dup(const DSA *dsa) {\n DSA *ret = DSA_new();\n if (ret == NULL) {\n return NULL;\n }\n ret->p = BN_dup(dsa->p);\n ret->q = BN_dup(dsa->q);\n ret->g = BN_dup(dsa->g);\n if (ret->p == NULL || ret->q == NULL || ret->g == NULL) {\n DSA_free(ret);\n return NULL;\n }\n return ret;\n}\n\nint DSA_generate_key(DSA *dsa) {\n if (!dsa_check_key(dsa)) {\n return 0;\n }\n\n int ok = 0;\n BIGNUM *pub_key = NULL, *priv_key = NULL;\n BN_CTX *ctx = BN_CTX_new();\n if (ctx == NULL) {\n goto err;\n }\n\n priv_key = dsa->priv_key;\n if (priv_key == NULL) {\n priv_key = BN_new();\n if (priv_key == NULL) {\n goto err;\n }\n }\n\n if (!BN_rand_range_ex(priv_key, 1, dsa->q)) {\n goto err;\n }\n\n pub_key = dsa->pub_key;\n if (pub_key == NULL) {\n pub_key = BN_new();\n if (pub_key == NULL) {\n goto err;\n }\n }\n\n if (!BN_MONT_CTX_set_locked(&dsa->method_mont_p, &dsa->method_mont_lock,\n dsa->p, ctx) ||\n !BN_mod_exp_mont_consttime(pub_key, dsa->g, priv_key, dsa->p, ctx,\n dsa->method_mont_p)) {\n goto err;\n }\n\n // The public key is computed from the private key, but is public.\n bn_declassify(pub_key);\n\n dsa->priv_key = priv_key;\n dsa->pub_key = pub_key;\n ok = 1;\n\nerr:\n if (dsa->pub_key == NULL) {\n BN_free(pub_key);\n }\n if (dsa->priv_key == NULL) {\n BN_free(priv_key);\n }\n BN_CTX_free(ctx);\n\n return ok;\n}\n\nDSA_SIG *DSA_SIG_new(void) {\n return reinterpret_cast(OPENSSL_zalloc(sizeof(DSA_SIG)));\n}\n\nvoid DSA_SIG_free(DSA_SIG *sig) {\n if (!sig) {\n return;\n }\n\n BN_free(sig->r);\n BN_free(sig->s);\n OPENSSL_free(sig);\n}\n\nvoid DSA_SIG_get0(const DSA_SIG *sig, const BIGNUM **out_r,\n const BIGNUM **out_s) {\n if (out_r != NULL) {\n *out_r = sig->r;\n }\n if (out_s != NULL) {\n *out_s = sig->s;\n }\n}\n\nint DSA_SIG_set0(DSA_SIG *sig, BIGNUM *r, BIGNUM *s) {\n if (r == NULL || s == NULL) {\n return 0;\n }\n BN_free(sig->r);\n BN_free(sig->s);\n sig->r = r;\n sig->s = s;\n return 1;\n}\n\n// mod_mul_consttime sets |r| to |a| * |b| modulo |mont->N|, treating |a| and\n// |b| as secret. This function internally uses Montgomery reduction, but\n// neither inputs nor outputs are in Montgomery form.\nstatic int mod_mul_consttime(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,\n const BN_MONT_CTX *mont, BN_CTX *ctx) {\n BN_CTX_start(ctx);\n BIGNUM *tmp = BN_CTX_get(ctx);\n // |BN_mod_mul_montgomery| removes a factor of R, so we cancel it with a\n // single |BN_to_montgomery| which adds one factor of R.\n int ok = tmp != NULL && BN_to_montgomery(tmp, a, mont, ctx) &&\n BN_mod_mul_montgomery(r, tmp, b, mont, ctx);\n BN_CTX_end(ctx);\n return ok;\n}\n\nDSA_SIG *DSA_do_sign(const uint8_t *digest, size_t digest_len, const DSA *dsa) {\n if (!dsa_check_key(dsa)) {\n return NULL;\n }\n\n if (dsa->priv_key == NULL) {\n OPENSSL_PUT_ERROR(DSA, DSA_R_MISSING_PARAMETERS);\n return NULL;\n }\n\n BIGNUM *kinv = NULL, *r = NULL, *s = NULL;\n BIGNUM m;\n BIGNUM xr;\n BN_CTX *ctx = NULL;\n DSA_SIG *ret = NULL;\n\n BN_init(&m);\n BN_init(&xr);\n s = BN_new();\n {\n if (s == NULL) {\n goto err;\n }\n ctx = BN_CTX_new();\n if (ctx == NULL) {\n goto err;\n }\n\n // Cap iterations so that invalid parameters do not infinite loop. This does\n // not impact valid parameters because the probability of requiring even one\n // retry is negligible, let alone 32. Unfortunately, DSA was mis-specified,\n // so invalid parameters are reachable from most callers handling untrusted\n // private keys. (The |dsa_check_key| call above is not sufficient. Checking\n // whether arbitrary paremeters form a valid DSA group is expensive.)\n static const int kMaxIterations = 32;\n int iters = 0;\n redo:\n if (!dsa_sign_setup(dsa, ctx, &kinv, &r)) {\n goto err;\n }\n\n if (digest_len > BN_num_bytes(dsa->q)) {\n // If the digest length is greater than the size of |dsa->q| use the\n // BN_num_bits(dsa->q) leftmost bits of the digest, see FIPS 186-3, 4.2.\n // Note the above check that |dsa->q| is a multiple of 8 bits.\n digest_len = BN_num_bytes(dsa->q);\n }\n\n if (BN_bin2bn(digest, digest_len, &m) == NULL) {\n goto err;\n }\n\n // |m| is bounded by 2^(num_bits(q)), which is slightly looser than q. This\n // violates |bn_mod_add_consttime| and |mod_mul_consttime|'s preconditions.\n // (The underlying algorithms could accept looser bounds, but we reduce for\n // simplicity.)\n size_t q_width = bn_minimal_width(dsa->q);\n if (!bn_resize_words(&m, q_width) || !bn_resize_words(&xr, q_width)) {\n goto err;\n }\n bn_reduce_once_in_place(m.d, 0 /* no carry word */, dsa->q->d,\n xr.d /* scratch space */, q_width);\n\n // Compute s = inv(k) (m + xr) mod q. Note |dsa->method_mont_q| is\n // initialized by |dsa_sign_setup|.\n if (!mod_mul_consttime(&xr, dsa->priv_key, r, dsa->method_mont_q, ctx) ||\n !bn_mod_add_consttime(s, &xr, &m, dsa->q, ctx) ||\n !mod_mul_consttime(s, s, kinv, dsa->method_mont_q, ctx)) {\n goto err;\n }\n\n // The signature is computed from the private key, but is public.\n bn_declassify(r);\n bn_declassify(s);\n\n // Redo if r or s is zero as required by FIPS 186-3: this is\n // very unlikely.\n if (BN_is_zero(r) || BN_is_zero(s)) {\n iters++;\n if (iters > kMaxIterations) {\n OPENSSL_PUT_ERROR(DSA, DSA_R_TOO_MANY_ITERATIONS);\n goto err;\n }\n goto redo;\n }\n\n ret = DSA_SIG_new();\n if (ret == NULL) {\n goto err;\n }\n ret->r = r;\n ret->s = s;\n }\n\nerr:\n if (ret == NULL) {\n OPENSSL_PUT_ERROR(DSA, ERR_R_BN_LIB);\n BN_free(r);\n BN_free(s);\n }\n BN_CTX_free(ctx);\n BN_clear_free(&m);\n BN_clear_free(&xr);\n BN_clear_free(kinv);\n\n return ret;\n}\n\nint DSA_do_verify(const uint8_t *digest, size_t digest_len, const DSA_SIG *sig,\n const DSA *dsa) {\n int valid;\n if (!DSA_do_check_signature(&valid, digest, digest_len, sig, dsa)) {\n return -1;\n }\n return valid;\n}\n\nint DSA_do_check_signature(int *out_valid, const uint8_t *digest,\n size_t digest_len, const DSA_SIG *sig,\n const DSA *dsa) {\n *out_valid = 0;\n if (!dsa_check_key(dsa)) {\n return 0;\n }\n\n if (dsa->pub_key == NULL) {\n OPENSSL_PUT_ERROR(DSA, DSA_R_MISSING_PARAMETERS);\n return 0;\n }\n\n int ret = 0;\n BIGNUM u1, u2, t1;\n BN_init(&u1);\n BN_init(&u2);\n BN_init(&t1);\n BN_CTX *ctx = BN_CTX_new();\n {\n if (ctx == NULL) {\n goto err;\n }\n\n if (BN_is_zero(sig->r) || BN_is_negative(sig->r) ||\n BN_ucmp(sig->r, dsa->q) >= 0) {\n ret = 1;\n goto err;\n }\n if (BN_is_zero(sig->s) || BN_is_negative(sig->s) ||\n BN_ucmp(sig->s, dsa->q) >= 0) {\n ret = 1;\n goto err;\n }\n\n // Calculate W = inv(S) mod Q\n // save W in u2\n if (BN_mod_inverse(&u2, sig->s, dsa->q, ctx) == NULL) {\n goto err;\n }\n\n // save M in u1\n unsigned q_bits = BN_num_bits(dsa->q);\n if (digest_len > (q_bits >> 3)) {\n // if the digest length is greater than the size of q use the\n // BN_num_bits(dsa->q) leftmost bits of the digest, see\n // fips 186-3, 4.2\n digest_len = (q_bits >> 3);\n }\n\n if (BN_bin2bn(digest, digest_len, &u1) == NULL) {\n goto err;\n }\n\n // u1 = M * w mod q\n if (!BN_mod_mul(&u1, &u1, &u2, dsa->q, ctx)) {\n goto err;\n }\n\n // u2 = r * w mod q\n if (!BN_mod_mul(&u2, sig->r, &u2, dsa->q, ctx)) {\n goto err;\n }\n\n if (!BN_MONT_CTX_set_locked((BN_MONT_CTX **)&dsa->method_mont_p,\n (CRYPTO_MUTEX *)&dsa->method_mont_lock, dsa->p,\n ctx)) {\n goto err;\n }\n\n if (!BN_mod_exp2_mont(&t1, dsa->g, &u1, dsa->pub_key, &u2, dsa->p, ctx,\n dsa->method_mont_p)) {\n goto err;\n }\n\n // BN_copy(&u1,&t1);\n // let u1 = u1 mod q\n if (!BN_mod(&u1, &t1, dsa->q, ctx)) {\n goto err;\n }\n\n // V is now in u1. If the signature is correct, it will be\n // equal to R.\n *out_valid = BN_ucmp(&u1, sig->r) == 0;\n ret = 1;\n }\n\nerr:\n if (ret != 1) {\n OPENSSL_PUT_ERROR(DSA, ERR_R_BN_LIB);\n }\n BN_CTX_free(ctx);\n BN_free(&u1);\n BN_free(&u2);\n BN_free(&t1);\n\n return ret;\n}\n\nint DSA_sign(int type, const uint8_t *digest, size_t digest_len,\n uint8_t *out_sig, unsigned int *out_siglen, const DSA *dsa) {\n DSA_SIG *s;\n\n s = DSA_do_sign(digest, digest_len, dsa);\n if (s == NULL) {\n *out_siglen = 0;\n return 0;\n }\n\n *out_siglen = i2d_DSA_SIG(s, &out_sig);\n DSA_SIG_free(s);\n return 1;\n}\n\nint DSA_verify(int type, const uint8_t *digest, size_t digest_len,\n const uint8_t *sig, size_t sig_len, const DSA *dsa) {\n int valid;\n if (!DSA_check_signature(&valid, digest, digest_len, sig, sig_len, dsa)) {\n return -1;\n }\n return valid;\n}\n\nint DSA_check_signature(int *out_valid, const uint8_t *digest,\n size_t digest_len, const uint8_t *sig, size_t sig_len,\n const DSA *dsa) {\n DSA_SIG *s = NULL;\n int ret = 0;\n uint8_t *der = NULL;\n\n s = DSA_SIG_new();\n {\n if (s == NULL) {\n goto err;\n }\n\n const uint8_t *sigp = sig;\n if (d2i_DSA_SIG(&s, &sigp, sig_len) == NULL || sigp != sig + sig_len) {\n goto err;\n }\n\n // Ensure that the signature uses DER and doesn't have trailing garbage.\n int der_len = i2d_DSA_SIG(s, &der);\n if (der_len < 0 || (size_t)der_len != sig_len ||\n OPENSSL_memcmp(sig, der, sig_len)) {\n goto err;\n }\n\n ret = DSA_do_check_signature(out_valid, digest, digest_len, s, dsa);\n }\n\nerr:\n OPENSSL_free(der);\n DSA_SIG_free(s);\n return ret;\n}\n\n// der_len_len returns the number of bytes needed to represent a length of |len|\n// in DER.\nstatic size_t der_len_len(size_t len) {\n if (len < 0x80) {\n return 1;\n }\n size_t ret = 1;\n while (len > 0) {\n ret++;\n len >>= 8;\n }\n return ret;\n}\n\nint DSA_size(const DSA *dsa) {\n if (dsa->q == NULL) {\n return 0;\n }\n\n size_t order_len = BN_num_bytes(dsa->q);\n // Compute the maximum length of an |order_len| byte integer. Defensively\n // assume that the leading 0x00 is included.\n size_t integer_len = 1 /* tag */ + der_len_len(order_len + 1) + 1 + order_len;\n if (integer_len < order_len) {\n return 0;\n }\n // A DSA signature is two INTEGERs.\n size_t value_len = 2 * integer_len;\n if (value_len < integer_len) {\n return 0;\n }\n // Add the header.\n size_t ret = 1 /* tag */ + der_len_len(value_len) + value_len;\n if (ret < value_len) {\n return 0;\n }\n return ret;\n}\n\nstatic int dsa_sign_setup(const DSA *dsa, BN_CTX *ctx, BIGNUM **out_kinv,\n BIGNUM **out_r) {\n int ret = 0;\n BIGNUM k;\n BN_init(&k);\n BIGNUM *r = BN_new();\n BIGNUM *kinv = BN_new();\n if (r == NULL || kinv == NULL ||\n // Get random k\n !BN_rand_range_ex(&k, 1, dsa->q) ||\n !BN_MONT_CTX_set_locked((BN_MONT_CTX **)&dsa->method_mont_p,\n (CRYPTO_MUTEX *)&dsa->method_mont_lock, dsa->p,\n ctx) ||\n !BN_MONT_CTX_set_locked((BN_MONT_CTX **)&dsa->method_mont_q,\n (CRYPTO_MUTEX *)&dsa->method_mont_lock, dsa->q,\n ctx) ||\n // Compute r = (g^k mod p) mod q\n !BN_mod_exp_mont_consttime(r, dsa->g, &k, dsa->p, ctx,\n dsa->method_mont_p)) {\n OPENSSL_PUT_ERROR(DSA, ERR_R_BN_LIB);\n goto err;\n }\n // Note |BN_mod| below is not constant-time and may leak information about\n // |r|. |dsa->p| may be significantly larger than |dsa->q|, so this is not\n // easily performed in constant-time with Montgomery reduction.\n //\n // However, |r| at this point is g^k (mod p). It is almost the value of |r|\n // revealed in the signature anyway (g^k (mod p) (mod q)), going from it to\n // |k| would require computing a discrete log.\n bn_declassify(r);\n if (!BN_mod(r, r, dsa->q, ctx) ||\n // Compute part of 's = inv(k) (m + xr) mod q' using Fermat's Little\n // Theorem.\n !bn_mod_inverse_prime(kinv, &k, dsa->q, ctx, dsa->method_mont_q)) {\n OPENSSL_PUT_ERROR(DSA, ERR_R_BN_LIB);\n goto err;\n }\n\n BN_clear_free(*out_kinv);\n *out_kinv = kinv;\n kinv = NULL;\n\n BN_clear_free(*out_r);\n *out_r = r;\n r = NULL;\n\n ret = 1;\n\nerr:\n BN_clear_free(&k);\n BN_clear_free(r);\n BN_clear_free(kinv);\n return ret;\n}\n\nint DSA_get_ex_new_index(long argl, void *argp, CRYPTO_EX_unused *unused,\n CRYPTO_EX_dup *dup_unused, CRYPTO_EX_free *free_func) {\n return CRYPTO_get_ex_new_index_ex(&g_ex_data_class, argl, argp, free_func);\n}\n\nint DSA_set_ex_data(DSA *dsa, int idx, void *arg) {\n return CRYPTO_set_ex_data(&dsa->ex_data, idx, arg);\n}\n\nvoid *DSA_get_ex_data(const DSA *dsa, int idx) {\n return CRYPTO_get_ex_data(&dsa->ex_data, idx);\n}\n\nDH *DSA_dup_DH(const DSA *dsa) {\n if (dsa == NULL) {\n return NULL;\n }\n\n DH *ret = DH_new();\n if (ret == NULL) {\n goto err;\n }\n if (dsa->q != NULL) {\n ret->priv_length = BN_num_bits(dsa->q);\n if ((ret->q = BN_dup(dsa->q)) == NULL) {\n goto err;\n }\n }\n if ((dsa->p != NULL && (ret->p = BN_dup(dsa->p)) == NULL) ||\n (dsa->g != NULL && (ret->g = BN_dup(dsa->g)) == NULL) ||\n (dsa->pub_key != NULL && (ret->pub_key = BN_dup(dsa->pub_key)) == NULL) ||\n (dsa->priv_key != NULL &&\n (ret->priv_key = BN_dup(dsa->priv_key)) == NULL)) {\n goto err;\n }\n\n return ret;\n\nerr:\n DH_free(ret);\n return NULL;\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/dsa/dsa_asn1.cc", "content": "/*\n * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n\n#include \n#include \n#include \n#include \n\n#include \"internal.h\"\n#include \"../bytestring/internal.h\"\n\n\n// This function is in dsa_asn1.c rather than dsa.c because it is reachable from\n// |EVP_PKEY| parsers. This makes it easier for the static linker to drop most\n// of the DSA implementation.\nint dsa_check_key(const DSA *dsa) {\n if (!dsa->p || !dsa->q || !dsa->g) {\n OPENSSL_PUT_ERROR(DSA, DSA_R_MISSING_PARAMETERS);\n return 0;\n }\n\n // Fully checking for invalid DSA groups is expensive, so security and\n // correctness of the signature scheme depend on how |dsa| was computed. I.e.\n // we leave \"assurance of domain parameter validity\" from FIPS 186-4 to the\n // caller. However, we check bounds on all values to avoid DoS vectors even\n // when domain parameters are invalid. In particular, signing will infinite\n // loop if |g| is zero.\n if (BN_is_negative(dsa->p) || BN_is_negative(dsa->q) || BN_is_zero(dsa->p) ||\n BN_is_zero(dsa->q) || !BN_is_odd(dsa->p) || !BN_is_odd(dsa->q) ||\n // |q| must be a prime divisor of |p - 1|, which implies |q < p|.\n BN_cmp(dsa->q, dsa->p) >= 0 ||\n // |g| is in the multiplicative group of |p|.\n BN_is_negative(dsa->g) || BN_is_zero(dsa->g) ||\n BN_cmp(dsa->g, dsa->p) >= 0) {\n OPENSSL_PUT_ERROR(DSA, DSA_R_INVALID_PARAMETERS);\n return 0;\n }\n\n // FIPS 186-4 allows only three different sizes for q.\n unsigned q_bits = BN_num_bits(dsa->q);\n if (q_bits != 160 && q_bits != 224 && q_bits != 256) {\n OPENSSL_PUT_ERROR(DSA, DSA_R_BAD_Q_VALUE);\n return 0;\n }\n\n // Bound |dsa->p| to avoid a DoS vector. Note this limit is much larger than\n // the one in FIPS 186-4, which only allows L = 1024, 2048, and 3072.\n if (BN_num_bits(dsa->p) > OPENSSL_DSA_MAX_MODULUS_BITS) {\n OPENSSL_PUT_ERROR(DSA, DSA_R_MODULUS_TOO_LARGE);\n return 0;\n }\n\n if (dsa->pub_key != NULL) {\n // The public key is also in the multiplicative group of |p|.\n if (BN_is_negative(dsa->pub_key) || BN_is_zero(dsa->pub_key) ||\n BN_cmp(dsa->pub_key, dsa->p) >= 0) {\n OPENSSL_PUT_ERROR(DSA, DSA_R_INVALID_PARAMETERS);\n return 0;\n }\n }\n\n if (dsa->priv_key != NULL) {\n // The private key is a non-zero element of the scalar field, determined by\n // |q|.\n if (BN_is_negative(dsa->priv_key) ||\n constant_time_declassify_int(BN_is_zero(dsa->priv_key)) ||\n constant_time_declassify_int(BN_cmp(dsa->priv_key, dsa->q) >= 0)) {\n OPENSSL_PUT_ERROR(DSA, DSA_R_INVALID_PARAMETERS);\n return 0;\n }\n }\n\n return 1;\n}\n\nstatic int parse_integer(CBS *cbs, BIGNUM **out) {\n assert(*out == NULL);\n *out = BN_new();\n if (*out == NULL) {\n return 0;\n }\n return BN_parse_asn1_unsigned(cbs, *out);\n}\n\nstatic int marshal_integer(CBB *cbb, BIGNUM *bn) {\n if (bn == NULL) {\n // A DSA object may be missing some components.\n OPENSSL_PUT_ERROR(DSA, ERR_R_PASSED_NULL_PARAMETER);\n return 0;\n }\n return BN_marshal_asn1(cbb, bn);\n}\n\nDSA_SIG *DSA_SIG_parse(CBS *cbs) {\n DSA_SIG *ret = DSA_SIG_new();\n if (ret == NULL) {\n return NULL;\n }\n CBS child;\n if (!CBS_get_asn1(cbs, &child, CBS_ASN1_SEQUENCE) ||\n !parse_integer(&child, &ret->r) ||\n !parse_integer(&child, &ret->s) ||\n CBS_len(&child) != 0) {\n OPENSSL_PUT_ERROR(DSA, DSA_R_DECODE_ERROR);\n DSA_SIG_free(ret);\n return NULL;\n }\n return ret;\n}\n\nint DSA_SIG_marshal(CBB *cbb, const DSA_SIG *sig) {\n CBB child;\n if (!CBB_add_asn1(cbb, &child, CBS_ASN1_SEQUENCE) ||\n !marshal_integer(&child, sig->r) ||\n !marshal_integer(&child, sig->s) ||\n !CBB_flush(cbb)) {\n OPENSSL_PUT_ERROR(DSA, DSA_R_ENCODE_ERROR);\n return 0;\n }\n return 1;\n}\n\nDSA *DSA_parse_public_key(CBS *cbs) {\n DSA *ret = DSA_new();\n if (ret == NULL) {\n return NULL;\n }\n CBS child;\n if (!CBS_get_asn1(cbs, &child, CBS_ASN1_SEQUENCE) ||\n !parse_integer(&child, &ret->pub_key) ||\n !parse_integer(&child, &ret->p) ||\n !parse_integer(&child, &ret->q) ||\n !parse_integer(&child, &ret->g) ||\n CBS_len(&child) != 0) {\n OPENSSL_PUT_ERROR(DSA, DSA_R_DECODE_ERROR);\n goto err;\n }\n if (!dsa_check_key(ret)) {\n goto err;\n }\n return ret;\n\nerr:\n DSA_free(ret);\n return NULL;\n}\n\nint DSA_marshal_public_key(CBB *cbb, const DSA *dsa) {\n CBB child;\n if (!CBB_add_asn1(cbb, &child, CBS_ASN1_SEQUENCE) ||\n !marshal_integer(&child, dsa->pub_key) ||\n !marshal_integer(&child, dsa->p) ||\n !marshal_integer(&child, dsa->q) ||\n !marshal_integer(&child, dsa->g) ||\n !CBB_flush(cbb)) {\n OPENSSL_PUT_ERROR(DSA, DSA_R_ENCODE_ERROR);\n return 0;\n }\n return 1;\n}\n\nDSA *DSA_parse_parameters(CBS *cbs) {\n DSA *ret = DSA_new();\n if (ret == NULL) {\n return NULL;\n }\n CBS child;\n if (!CBS_get_asn1(cbs, &child, CBS_ASN1_SEQUENCE) ||\n !parse_integer(&child, &ret->p) ||\n !parse_integer(&child, &ret->q) ||\n !parse_integer(&child, &ret->g) ||\n CBS_len(&child) != 0) {\n OPENSSL_PUT_ERROR(DSA, DSA_R_DECODE_ERROR);\n goto err;\n }\n if (!dsa_check_key(ret)) {\n goto err;\n }\n return ret;\n\nerr:\n DSA_free(ret);\n return NULL;\n}\n\nint DSA_marshal_parameters(CBB *cbb, const DSA *dsa) {\n CBB child;\n if (!CBB_add_asn1(cbb, &child, CBS_ASN1_SEQUENCE) ||\n !marshal_integer(&child, dsa->p) ||\n !marshal_integer(&child, dsa->q) ||\n !marshal_integer(&child, dsa->g) ||\n !CBB_flush(cbb)) {\n OPENSSL_PUT_ERROR(DSA, DSA_R_ENCODE_ERROR);\n return 0;\n }\n return 1;\n}\n\nDSA *DSA_parse_private_key(CBS *cbs) {\n DSA *ret = DSA_new();\n if (ret == NULL) {\n return NULL;\n }\n\n CBS child;\n uint64_t version;\n if (!CBS_get_asn1(cbs, &child, CBS_ASN1_SEQUENCE) ||\n !CBS_get_asn1_uint64(&child, &version)) {\n OPENSSL_PUT_ERROR(DSA, DSA_R_DECODE_ERROR);\n goto err;\n }\n\n if (version != 0) {\n OPENSSL_PUT_ERROR(DSA, DSA_R_BAD_VERSION);\n goto err;\n }\n\n if (!parse_integer(&child, &ret->p) ||\n !parse_integer(&child, &ret->q) ||\n !parse_integer(&child, &ret->g) ||\n !parse_integer(&child, &ret->pub_key) ||\n !parse_integer(&child, &ret->priv_key) ||\n CBS_len(&child) != 0) {\n OPENSSL_PUT_ERROR(DSA, DSA_R_DECODE_ERROR);\n goto err;\n }\n if (!dsa_check_key(ret)) {\n goto err;\n }\n\n return ret;\n\nerr:\n DSA_free(ret);\n return NULL;\n}\n\nint DSA_marshal_private_key(CBB *cbb, const DSA *dsa) {\n CBB child;\n if (!CBB_add_asn1(cbb, &child, CBS_ASN1_SEQUENCE) ||\n !CBB_add_asn1_uint64(&child, 0 /* version */) ||\n !marshal_integer(&child, dsa->p) ||\n !marshal_integer(&child, dsa->q) ||\n !marshal_integer(&child, dsa->g) ||\n !marshal_integer(&child, dsa->pub_key) ||\n !marshal_integer(&child, dsa->priv_key) ||\n !CBB_flush(cbb)) {\n OPENSSL_PUT_ERROR(DSA, DSA_R_ENCODE_ERROR);\n return 0;\n }\n return 1;\n}\n\nDSA_SIG *d2i_DSA_SIG(DSA_SIG **out_sig, const uint8_t **inp, long len) {\n if (len < 0) {\n return NULL;\n }\n CBS cbs;\n CBS_init(&cbs, *inp, (size_t)len);\n DSA_SIG *ret = DSA_SIG_parse(&cbs);\n if (ret == NULL) {\n return NULL;\n }\n if (out_sig != NULL) {\n DSA_SIG_free(*out_sig);\n *out_sig = ret;\n }\n *inp = CBS_data(&cbs);\n return ret;\n}\n\nint i2d_DSA_SIG(const DSA_SIG *in, uint8_t **outp) {\n CBB cbb;\n if (!CBB_init(&cbb, 0) ||\n !DSA_SIG_marshal(&cbb, in)) {\n CBB_cleanup(&cbb);\n return -1;\n }\n return CBB_finish_i2d(&cbb, outp);\n}\n\nDSA *d2i_DSAPublicKey(DSA **out, const uint8_t **inp, long len) {\n if (len < 0) {\n return NULL;\n }\n CBS cbs;\n CBS_init(&cbs, *inp, (size_t)len);\n DSA *ret = DSA_parse_public_key(&cbs);\n if (ret == NULL) {\n return NULL;\n }\n if (out != NULL) {\n DSA_free(*out);\n *out = ret;\n }\n *inp = CBS_data(&cbs);\n return ret;\n}\n\nint i2d_DSAPublicKey(const DSA *in, uint8_t **outp) {\n CBB cbb;\n if (!CBB_init(&cbb, 0) ||\n !DSA_marshal_public_key(&cbb, in)) {\n CBB_cleanup(&cbb);\n return -1;\n }\n return CBB_finish_i2d(&cbb, outp);\n}\n\nDSA *d2i_DSAPrivateKey(DSA **out, const uint8_t **inp, long len) {\n if (len < 0) {\n return NULL;\n }\n CBS cbs;\n CBS_init(&cbs, *inp, (size_t)len);\n DSA *ret = DSA_parse_private_key(&cbs);\n if (ret == NULL) {\n return NULL;\n }\n if (out != NULL) {\n DSA_free(*out);\n *out = ret;\n }\n *inp = CBS_data(&cbs);\n return ret;\n}\n\nint i2d_DSAPrivateKey(const DSA *in, uint8_t **outp) {\n CBB cbb;\n if (!CBB_init(&cbb, 0) ||\n !DSA_marshal_private_key(&cbb, in)) {\n CBB_cleanup(&cbb);\n return -1;\n }\n return CBB_finish_i2d(&cbb, outp);\n}\n\nDSA *d2i_DSAparams(DSA **out, const uint8_t **inp, long len) {\n if (len < 0) {\n return NULL;\n }\n CBS cbs;\n CBS_init(&cbs, *inp, (size_t)len);\n DSA *ret = DSA_parse_parameters(&cbs);\n if (ret == NULL) {\n return NULL;\n }\n if (out != NULL) {\n DSA_free(*out);\n *out = ret;\n }\n *inp = CBS_data(&cbs);\n return ret;\n}\n\nint i2d_DSAparams(const DSA *in, uint8_t **outp) {\n CBB cbb;\n if (!CBB_init(&cbb, 0) ||\n !DSA_marshal_parameters(&cbb, in)) {\n CBB_cleanup(&cbb);\n return -1;\n }\n return CBB_finish_i2d(&cbb, outp);\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/dsa/internal.h", "content": "/* Copyright 2020 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n#ifndef OPENSSL_HEADER_DSA_INTERNAL_H\n#define OPENSSL_HEADER_DSA_INTERNAL_H\n\n#include \n\n#include \n\n#include \"../internal.h\"\n\n#if defined(__cplusplus)\nextern \"C\" {\n#endif\n\n\nstruct dsa_st {\n BIGNUM *p;\n BIGNUM *q;\n BIGNUM *g;\n\n BIGNUM *pub_key;\n BIGNUM *priv_key;\n\n // Normally used to cache montgomery values\n CRYPTO_MUTEX method_mont_lock;\n BN_MONT_CTX *method_mont_p;\n BN_MONT_CTX *method_mont_q;\n CRYPTO_refcount_t references;\n CRYPTO_EX_DATA ex_data;\n};\n\n// dsa_check_key performs cheap self-checks on |dsa|, and ensures it is within\n// DoS bounds. It returns one on success and zero on error.\nint dsa_check_key(const DSA *dsa);\n\n\n#if defined(__cplusplus)\n} // extern C\n#endif\n\n#endif // OPENSSL_HEADER_DSA_INTERNAL_H\n" }, { "path": "Sources/CNIOBoringSSL/crypto/ec/ec_asn1.cc", "content": "/*\n * Copyright 2002-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n#include \n\n#include \n#include \n#include \n#include \n#include \n\n#include \"../bytestring/internal.h\"\n#include \"../fipsmodule/ec/internal.h\"\n#include \"../internal.h\"\n\n\nstatic const CBS_ASN1_TAG kParametersTag =\n CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 0;\nstatic const CBS_ASN1_TAG kPublicKeyTag =\n CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 1;\n\n// TODO(https://crbug.com/boringssl/497): Allow parsers to specify a list of\n// acceptable groups, so parsers don't have to pull in all four.\ntypedef const EC_GROUP *(*ec_group_func)(void);\nstatic const ec_group_func kAllGroups[] = {\n &EC_group_p224,\n &EC_group_p256,\n &EC_group_p384,\n &EC_group_p521,\n};\n\nEC_KEY *EC_KEY_parse_private_key(CBS *cbs, const EC_GROUP *group) {\n CBS ec_private_key, private_key;\n uint64_t version;\n if (!CBS_get_asn1(cbs, &ec_private_key, CBS_ASN1_SEQUENCE) ||\n !CBS_get_asn1_uint64(&ec_private_key, &version) || //\n version != 1 ||\n !CBS_get_asn1(&ec_private_key, &private_key, CBS_ASN1_OCTETSTRING)) {\n OPENSSL_PUT_ERROR(EC, EC_R_DECODE_ERROR);\n return NULL;\n }\n\n // Parse the optional parameters field.\n EC_KEY *ret = NULL;\n BIGNUM *priv_key = NULL;\n if (CBS_peek_asn1_tag(&ec_private_key, kParametersTag)) {\n // Per SEC 1, as an alternative to omitting it, one is allowed to specify\n // this field and put in a NULL to mean inheriting this value. This was\n // omitted in a previous version of this logic without problems, so leave it\n // unimplemented.\n CBS child;\n if (!CBS_get_asn1(&ec_private_key, &child, kParametersTag)) {\n OPENSSL_PUT_ERROR(EC, EC_R_DECODE_ERROR);\n goto err;\n }\n const EC_GROUP *inner_group = EC_KEY_parse_parameters(&child);\n if (inner_group == NULL) {\n goto err;\n }\n if (group == NULL) {\n group = inner_group;\n } else if (EC_GROUP_cmp(group, inner_group, NULL) != 0) {\n // If a group was supplied externally, it must match.\n OPENSSL_PUT_ERROR(EC, EC_R_GROUP_MISMATCH);\n goto err;\n }\n if (CBS_len(&child) != 0) {\n OPENSSL_PUT_ERROR(EC, EC_R_DECODE_ERROR);\n goto err;\n }\n }\n\n if (group == NULL) {\n OPENSSL_PUT_ERROR(EC, EC_R_MISSING_PARAMETERS);\n goto err;\n }\n\n ret = EC_KEY_new();\n if (ret == NULL || !EC_KEY_set_group(ret, group)) {\n goto err;\n }\n\n // Although RFC 5915 specifies the length of the key, OpenSSL historically\n // got this wrong, so accept any length. See upstream's\n // 30cd4ff294252c4b6a4b69cbef6a5b4117705d22.\n priv_key = BN_bin2bn(CBS_data(&private_key), CBS_len(&private_key), NULL);\n ret->pub_key = EC_POINT_new(group);\n if (priv_key == NULL || ret->pub_key == NULL ||\n !EC_KEY_set_private_key(ret, priv_key)) {\n goto err;\n }\n\n if (CBS_peek_asn1_tag(&ec_private_key, kPublicKeyTag)) {\n CBS child, public_key;\n uint8_t padding;\n if (!CBS_get_asn1(&ec_private_key, &child, kPublicKeyTag) ||\n !CBS_get_asn1(&child, &public_key, CBS_ASN1_BITSTRING) ||\n // As in a SubjectPublicKeyInfo, the byte-encoded public key is then\n // encoded as a BIT STRING with bits ordered as in the DER encoding.\n !CBS_get_u8(&public_key, &padding) || //\n padding != 0 ||\n // Explicitly check |public_key| is non-empty to save the conversion\n // form later.\n CBS_len(&public_key) == 0 ||\n !EC_POINT_oct2point(group, ret->pub_key, CBS_data(&public_key),\n CBS_len(&public_key), NULL) ||\n CBS_len(&child) != 0) {\n OPENSSL_PUT_ERROR(EC, EC_R_DECODE_ERROR);\n goto err;\n }\n\n // Save the point conversion form.\n // TODO(davidben): Consider removing this.\n ret->conv_form =\n (point_conversion_form_t)(CBS_data(&public_key)[0] & ~0x01);\n } else {\n // Compute the public key instead.\n if (!ec_point_mul_scalar_base(group, &ret->pub_key->raw,\n &ret->priv_key->scalar)) {\n goto err;\n }\n // Remember the original private-key-only encoding.\n // TODO(davidben): Consider removing this.\n ret->enc_flag |= EC_PKEY_NO_PUBKEY;\n }\n\n if (CBS_len(&ec_private_key) != 0) {\n OPENSSL_PUT_ERROR(EC, EC_R_DECODE_ERROR);\n goto err;\n }\n\n // Ensure the resulting key is valid.\n if (!EC_KEY_check_key(ret)) {\n goto err;\n }\n\n BN_free(priv_key);\n return ret;\n\nerr:\n EC_KEY_free(ret);\n BN_free(priv_key);\n return NULL;\n}\n\nint EC_KEY_marshal_private_key(CBB *cbb, const EC_KEY *key,\n unsigned enc_flags) {\n if (key == NULL || key->group == NULL || key->priv_key == NULL) {\n OPENSSL_PUT_ERROR(EC, ERR_R_PASSED_NULL_PARAMETER);\n return 0;\n }\n\n CBB ec_private_key, private_key;\n if (!CBB_add_asn1(cbb, &ec_private_key, CBS_ASN1_SEQUENCE) ||\n !CBB_add_asn1_uint64(&ec_private_key, 1 /* version */) ||\n !CBB_add_asn1(&ec_private_key, &private_key, CBS_ASN1_OCTETSTRING) ||\n !BN_bn2cbb_padded(&private_key,\n BN_num_bytes(EC_GROUP_get0_order(key->group)),\n EC_KEY_get0_private_key(key))) {\n OPENSSL_PUT_ERROR(EC, EC_R_ENCODE_ERROR);\n return 0;\n }\n\n if (!(enc_flags & EC_PKEY_NO_PARAMETERS)) {\n CBB child;\n if (!CBB_add_asn1(&ec_private_key, &child, kParametersTag) ||\n !EC_KEY_marshal_curve_name(&child, key->group) ||\n !CBB_flush(&ec_private_key)) {\n OPENSSL_PUT_ERROR(EC, EC_R_ENCODE_ERROR);\n return 0;\n }\n }\n\n // TODO(fork): replace this flexibility with sensible default?\n if (!(enc_flags & EC_PKEY_NO_PUBKEY) && key->pub_key != NULL) {\n CBB child, public_key;\n if (!CBB_add_asn1(&ec_private_key, &child, kPublicKeyTag) ||\n !CBB_add_asn1(&child, &public_key, CBS_ASN1_BITSTRING) ||\n // As in a SubjectPublicKeyInfo, the byte-encoded public key is then\n // encoded as a BIT STRING with bits ordered as in the DER encoding.\n !CBB_add_u8(&public_key, 0 /* padding */) ||\n !EC_POINT_point2cbb(&public_key, key->group, key->pub_key,\n key->conv_form, NULL) ||\n !CBB_flush(&ec_private_key)) {\n OPENSSL_PUT_ERROR(EC, EC_R_ENCODE_ERROR);\n return 0;\n }\n }\n\n if (!CBB_flush(cbb)) {\n OPENSSL_PUT_ERROR(EC, EC_R_ENCODE_ERROR);\n return 0;\n }\n\n return 1;\n}\n\n// kPrimeFieldOID is the encoding of 1.2.840.10045.1.1.\nstatic const uint8_t kPrimeField[] = {0x2a, 0x86, 0x48, 0xce, 0x3d, 0x01, 0x01};\n\nnamespace {\nstruct explicit_prime_curve {\n CBS prime, a, b, base_x, base_y, order;\n};\n} // namespace\n\nstatic int parse_explicit_prime_curve(CBS *in,\n struct explicit_prime_curve *out) {\n // See RFC 3279, section 2.3.5. Note that RFC 3279 calls this structure an\n // ECParameters while RFC 5480 calls it a SpecifiedECDomain.\n CBS params, field_id, field_type, curve, base, cofactor;\n int has_cofactor;\n uint64_t version;\n if (!CBS_get_asn1(in, ¶ms, CBS_ASN1_SEQUENCE) ||\n !CBS_get_asn1_uint64(¶ms, &version) || //\n version != 1 || //\n !CBS_get_asn1(¶ms, &field_id, CBS_ASN1_SEQUENCE) ||\n !CBS_get_asn1(&field_id, &field_type, CBS_ASN1_OBJECT) ||\n CBS_len(&field_type) != sizeof(kPrimeField) ||\n OPENSSL_memcmp(CBS_data(&field_type), kPrimeField, sizeof(kPrimeField)) !=\n 0 ||\n !CBS_get_asn1(&field_id, &out->prime, CBS_ASN1_INTEGER) ||\n !CBS_is_unsigned_asn1_integer(&out->prime) || //\n CBS_len(&field_id) != 0 ||\n !CBS_get_asn1(¶ms, &curve, CBS_ASN1_SEQUENCE) ||\n !CBS_get_asn1(&curve, &out->a, CBS_ASN1_OCTETSTRING) ||\n !CBS_get_asn1(&curve, &out->b, CBS_ASN1_OCTETSTRING) ||\n // |curve| has an optional BIT STRING seed which we ignore.\n !CBS_get_optional_asn1(&curve, NULL, NULL, CBS_ASN1_BITSTRING) ||\n CBS_len(&curve) != 0 ||\n !CBS_get_asn1(¶ms, &base, CBS_ASN1_OCTETSTRING) ||\n !CBS_get_asn1(¶ms, &out->order, CBS_ASN1_INTEGER) ||\n !CBS_is_unsigned_asn1_integer(&out->order) ||\n !CBS_get_optional_asn1(¶ms, &cofactor, &has_cofactor,\n CBS_ASN1_INTEGER) ||\n CBS_len(¶ms) != 0) {\n OPENSSL_PUT_ERROR(EC, EC_R_DECODE_ERROR);\n return 0;\n }\n\n if (has_cofactor) {\n // We only support prime-order curves so the cofactor must be one.\n if (CBS_len(&cofactor) != 1 || //\n CBS_data(&cofactor)[0] != 1) {\n OPENSSL_PUT_ERROR(EC, EC_R_UNKNOWN_GROUP);\n return 0;\n }\n }\n\n // Require that the base point use uncompressed form.\n uint8_t form;\n if (!CBS_get_u8(&base, &form) || form != POINT_CONVERSION_UNCOMPRESSED) {\n OPENSSL_PUT_ERROR(EC, EC_R_INVALID_FORM);\n return 0;\n }\n\n if (CBS_len(&base) % 2 != 0) {\n OPENSSL_PUT_ERROR(EC, EC_R_DECODE_ERROR);\n return 0;\n }\n size_t field_len = CBS_len(&base) / 2;\n CBS_init(&out->base_x, CBS_data(&base), field_len);\n CBS_init(&out->base_y, CBS_data(&base) + field_len, field_len);\n\n return 1;\n}\n\n// integers_equal returns one if |bytes| is a big-endian encoding of |bn|, and\n// zero otherwise.\nstatic int integers_equal(const CBS *bytes, const BIGNUM *bn) {\n // Although, in SEC 1, Field-Element-to-Octet-String has a fixed width,\n // OpenSSL mis-encodes the |a| and |b|, so we tolerate any number of leading\n // zeros. (This matters for P-521 whose |b| has a leading 0.)\n CBS copy = *bytes;\n while (CBS_len(©) > 0 && CBS_data(©)[0] == 0) {\n CBS_skip(©, 1);\n }\n\n if (CBS_len(©) > EC_MAX_BYTES) {\n return 0;\n }\n uint8_t buf[EC_MAX_BYTES];\n if (!BN_bn2bin_padded(buf, CBS_len(©), bn)) {\n ERR_clear_error();\n return 0;\n }\n\n return CBS_mem_equal(©, buf, CBS_len(©));\n}\n\nEC_GROUP *EC_KEY_parse_curve_name(CBS *cbs) {\n CBS named_curve;\n if (!CBS_get_asn1(cbs, &named_curve, CBS_ASN1_OBJECT)) {\n OPENSSL_PUT_ERROR(EC, EC_R_DECODE_ERROR);\n return NULL;\n }\n\n // Look for a matching curve.\n for (size_t i = 0; i < OPENSSL_ARRAY_SIZE(kAllGroups); i++) {\n const EC_GROUP *group = kAllGroups[i]();\n if (CBS_mem_equal(&named_curve, group->oid, group->oid_len)) {\n return (EC_GROUP *)group;\n }\n }\n\n OPENSSL_PUT_ERROR(EC, EC_R_UNKNOWN_GROUP);\n return NULL;\n}\n\nint EC_KEY_marshal_curve_name(CBB *cbb, const EC_GROUP *group) {\n if (group->oid_len == 0) {\n OPENSSL_PUT_ERROR(EC, EC_R_UNKNOWN_GROUP);\n return 0;\n }\n\n CBB child;\n return CBB_add_asn1(cbb, &child, CBS_ASN1_OBJECT) &&\n CBB_add_bytes(&child, group->oid, group->oid_len) && //\n CBB_flush(cbb);\n}\n\nEC_GROUP *EC_KEY_parse_parameters(CBS *cbs) {\n if (!CBS_peek_asn1_tag(cbs, CBS_ASN1_SEQUENCE)) {\n return EC_KEY_parse_curve_name(cbs);\n }\n\n // OpenSSL sometimes produces ECPrivateKeys with explicitly-encoded versions\n // of named curves.\n //\n // TODO(davidben): Remove support for this.\n struct explicit_prime_curve curve;\n if (!parse_explicit_prime_curve(cbs, &curve)) {\n return NULL;\n }\n\n const EC_GROUP *ret = NULL;\n BIGNUM *p = BN_new(), *a = BN_new(), *b = BN_new(), *x = BN_new(),\n *y = BN_new();\n if (p == NULL || a == NULL || b == NULL || x == NULL || y == NULL) {\n goto err;\n }\n\n for (size_t i = 0; i < OPENSSL_ARRAY_SIZE(kAllGroups); i++) {\n const EC_GROUP *group = kAllGroups[i]();\n if (!integers_equal(&curve.order, EC_GROUP_get0_order(group))) {\n continue;\n }\n\n // The order alone uniquely identifies the group, but we check the other\n // parameters to avoid misinterpreting the group.\n if (!EC_GROUP_get_curve_GFp(group, p, a, b, NULL)) {\n goto err;\n }\n if (!integers_equal(&curve.prime, p) || !integers_equal(&curve.a, a) ||\n !integers_equal(&curve.b, b)) {\n break;\n }\n if (!EC_POINT_get_affine_coordinates_GFp(\n group, EC_GROUP_get0_generator(group), x, y, NULL)) {\n goto err;\n }\n if (!integers_equal(&curve.base_x, x) ||\n !integers_equal(&curve.base_y, y)) {\n break;\n }\n ret = group;\n break;\n }\n\n if (ret == NULL) {\n OPENSSL_PUT_ERROR(EC, EC_R_UNKNOWN_GROUP);\n }\n\nerr:\n BN_free(p);\n BN_free(a);\n BN_free(b);\n BN_free(x);\n BN_free(y);\n return (EC_GROUP *)ret;\n}\n\nint EC_POINT_point2cbb(CBB *out, const EC_GROUP *group, const EC_POINT *point,\n point_conversion_form_t form, BN_CTX *ctx) {\n size_t len = EC_POINT_point2oct(group, point, form, NULL, 0, ctx);\n if (len == 0) {\n return 0;\n }\n uint8_t *p;\n return CBB_add_space(out, &p, len) &&\n EC_POINT_point2oct(group, point, form, p, len, ctx) == len;\n}\n\nEC_KEY *d2i_ECPrivateKey(EC_KEY **out, const uint8_t **inp, long len) {\n // This function treats its |out| parameter differently from other |d2i|\n // functions. If supplied, take the group from |*out|.\n const EC_GROUP *group = NULL;\n if (out != NULL && *out != NULL) {\n group = EC_KEY_get0_group(*out);\n }\n\n if (len < 0) {\n OPENSSL_PUT_ERROR(EC, EC_R_DECODE_ERROR);\n return NULL;\n }\n CBS cbs;\n CBS_init(&cbs, *inp, (size_t)len);\n EC_KEY *ret = EC_KEY_parse_private_key(&cbs, group);\n if (ret == NULL) {\n return NULL;\n }\n if (out != NULL) {\n EC_KEY_free(*out);\n *out = ret;\n }\n *inp = CBS_data(&cbs);\n return ret;\n}\n\nint i2d_ECPrivateKey(const EC_KEY *key, uint8_t **outp) {\n CBB cbb;\n if (!CBB_init(&cbb, 0) ||\n !EC_KEY_marshal_private_key(&cbb, key, EC_KEY_get_enc_flags(key))) {\n CBB_cleanup(&cbb);\n return -1;\n }\n return CBB_finish_i2d(&cbb, outp);\n}\n\nEC_GROUP *d2i_ECPKParameters(EC_GROUP **out, const uint8_t **inp, long len) {\n if (len < 0) {\n return NULL;\n }\n\n CBS cbs;\n CBS_init(&cbs, *inp, (size_t)len);\n EC_GROUP *ret = EC_KEY_parse_parameters(&cbs);\n if (ret == NULL) {\n return NULL;\n }\n\n if (out != NULL) {\n EC_GROUP_free(*out);\n *out = ret;\n }\n *inp = CBS_data(&cbs);\n return ret;\n}\n\nint i2d_ECPKParameters(const EC_GROUP *group, uint8_t **outp) {\n if (group == NULL) {\n OPENSSL_PUT_ERROR(EC, ERR_R_PASSED_NULL_PARAMETER);\n return -1;\n }\n\n CBB cbb;\n if (!CBB_init(&cbb, 0) || //\n !EC_KEY_marshal_curve_name(&cbb, group)) {\n CBB_cleanup(&cbb);\n return -1;\n }\n return CBB_finish_i2d(&cbb, outp);\n}\n\nEC_KEY *d2i_ECParameters(EC_KEY **out_key, const uint8_t **inp, long len) {\n if (len < 0) {\n return NULL;\n }\n\n CBS cbs;\n CBS_init(&cbs, *inp, (size_t)len);\n const EC_GROUP *group = EC_KEY_parse_parameters(&cbs);\n if (group == NULL) {\n return NULL;\n }\n\n EC_KEY *ret = EC_KEY_new();\n if (ret == NULL || !EC_KEY_set_group(ret, group)) {\n EC_KEY_free(ret);\n return NULL;\n }\n\n if (out_key != NULL) {\n EC_KEY_free(*out_key);\n *out_key = ret;\n }\n *inp = CBS_data(&cbs);\n return ret;\n}\n\nint i2d_ECParameters(const EC_KEY *key, uint8_t **outp) {\n if (key == NULL || key->group == NULL) {\n OPENSSL_PUT_ERROR(EC, ERR_R_PASSED_NULL_PARAMETER);\n return -1;\n }\n\n CBB cbb;\n if (!CBB_init(&cbb, 0) || //\n !EC_KEY_marshal_curve_name(&cbb, key->group)) {\n CBB_cleanup(&cbb);\n return -1;\n }\n return CBB_finish_i2d(&cbb, outp);\n}\n\nEC_KEY *o2i_ECPublicKey(EC_KEY **keyp, const uint8_t **inp, long len) {\n EC_KEY *ret = NULL;\n\n if (keyp == NULL || *keyp == NULL || (*keyp)->group == NULL) {\n OPENSSL_PUT_ERROR(EC, ERR_R_PASSED_NULL_PARAMETER);\n return NULL;\n }\n ret = *keyp;\n if (ret->pub_key == NULL &&\n (ret->pub_key = EC_POINT_new(ret->group)) == NULL) {\n return NULL;\n }\n if (!EC_POINT_oct2point(ret->group, ret->pub_key, *inp, len, NULL)) {\n OPENSSL_PUT_ERROR(EC, ERR_R_EC_LIB);\n return NULL;\n }\n // save the point conversion form\n ret->conv_form = (point_conversion_form_t)(*inp[0] & ~0x01);\n *inp += len;\n return ret;\n}\n\nint i2o_ECPublicKey(const EC_KEY *key, uint8_t **outp) {\n if (key == NULL) {\n OPENSSL_PUT_ERROR(EC, ERR_R_PASSED_NULL_PARAMETER);\n return 0;\n }\n CBB cbb;\n if (!CBB_init(&cbb, 0) || //\n !EC_POINT_point2cbb(&cbb, key->group, key->pub_key, key->conv_form,\n NULL)) {\n CBB_cleanup(&cbb);\n return -1;\n }\n int ret = CBB_finish_i2d(&cbb, outp);\n // Historically, this function used the wrong return value on error.\n return ret > 0 ? ret : 0;\n}\n\nsize_t EC_get_builtin_curves(EC_builtin_curve *out_curves,\n size_t max_num_curves) {\n if (max_num_curves > OPENSSL_ARRAY_SIZE(kAllGroups)) {\n max_num_curves = OPENSSL_ARRAY_SIZE(kAllGroups);\n }\n for (size_t i = 0; i < max_num_curves; i++) {\n const EC_GROUP *group = kAllGroups[i]();\n out_curves[i].nid = group->curve_name;\n out_curves[i].comment = group->comment;\n }\n return OPENSSL_ARRAY_SIZE(kAllGroups);\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/ec/ec_derive.cc", "content": "/* Copyright 2019 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n#include \n\n#include \n\n#include \n#include \n#include \n#include \n#include \n\n#include \"../fipsmodule/ec/internal.h\"\n\n\nEC_KEY *EC_KEY_derive_from_secret(const EC_GROUP *group, const uint8_t *secret,\n size_t secret_len) {\n#define EC_KEY_DERIVE_MAX_NAME_LEN 16\n const char *name = EC_curve_nid2nist(EC_GROUP_get_curve_name(group));\n if (name == NULL || strlen(name) > EC_KEY_DERIVE_MAX_NAME_LEN) {\n OPENSSL_PUT_ERROR(EC, EC_R_UNKNOWN_GROUP);\n return NULL;\n }\n\n // Assemble a label string to provide some key separation in case |secret| is\n // misused, but ultimately it's on the caller to ensure |secret| is suitably\n // separated.\n static const char kLabel[] = \"derive EC key \";\n char info[sizeof(kLabel) + EC_KEY_DERIVE_MAX_NAME_LEN];\n OPENSSL_strlcpy(info, kLabel, sizeof(info));\n OPENSSL_strlcat(info, name, sizeof(info));\n\n // Generate 128 bits beyond the group order so the bias is at most 2^-128.\n#define EC_KEY_DERIVE_EXTRA_BITS 128\n#define EC_KEY_DERIVE_EXTRA_BYTES (EC_KEY_DERIVE_EXTRA_BITS / 8)\n\n if (EC_GROUP_order_bits(group) <= EC_KEY_DERIVE_EXTRA_BITS + 8) {\n // The reduction strategy below requires the group order be large enough.\n // (The actual bound is a bit tighter, but our curves are much larger than\n // 128-bit.)\n OPENSSL_PUT_ERROR(EC, ERR_R_INTERNAL_ERROR);\n return NULL;\n }\n\n uint8_t derived[EC_KEY_DERIVE_EXTRA_BYTES + EC_MAX_BYTES];\n size_t derived_len =\n BN_num_bytes(EC_GROUP_get0_order(group)) + EC_KEY_DERIVE_EXTRA_BYTES;\n assert(derived_len <= sizeof(derived));\n if (!HKDF(derived, derived_len, EVP_sha256(), secret, secret_len,\n /*salt=*/NULL, /*salt_len=*/0, (const uint8_t *)info,\n strlen(info))) {\n return NULL;\n }\n\n EC_KEY *key = EC_KEY_new();\n BN_CTX *ctx = BN_CTX_new();\n BIGNUM *priv = BN_bin2bn(derived, derived_len, NULL);\n EC_POINT *pub = EC_POINT_new(group);\n if (key == NULL || ctx == NULL || priv == NULL || pub == NULL ||\n // Reduce |priv| with Montgomery reduction. First, convert \"from\"\n // Montgomery form to compute |priv| * R^-1 mod |order|. This requires\n // |priv| be under order * R, which is true if the group order is large\n // enough. 2^(num_bytes(order)) < 2^8 * order, so:\n //\n // priv < 2^8 * order * 2^128 < order * order < order * R\n !BN_from_montgomery(priv, priv, &group->order, ctx) ||\n // Multiply by R^2 and do another Montgomery reduction to compute\n // priv * R^-1 * R^2 * R^-1 = priv mod order.\n !BN_to_montgomery(priv, priv, &group->order, ctx) ||\n !EC_POINT_mul(group, pub, priv, NULL, NULL, ctx) ||\n !EC_KEY_set_group(key, group) || !EC_KEY_set_public_key(key, pub) ||\n !EC_KEY_set_private_key(key, priv)) {\n EC_KEY_free(key);\n key = NULL;\n goto err;\n }\n\nerr:\n OPENSSL_cleanse(derived, sizeof(derived));\n BN_CTX_free(ctx);\n BN_free(priv);\n EC_POINT_free(pub);\n return key;\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/ec/hash_to_curve.cc", "content": "/* Copyright 2020 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n#include \n\n#include \n#include \n#include \n\n#include \n\n#include \"../fipsmodule/bn/internal.h\"\n#include \"../fipsmodule/ec/internal.h\"\n#include \"../internal.h\"\n#include \"internal.h\"\n\n\n// This file implements hash-to-curve, as described in RFC 9380.\n//\n// This hash-to-curve implementation is written generically with the\n// expectation that we will eventually wish to support other curves. If it\n// becomes a performance bottleneck, some possible optimizations by\n// specializing it to the curve:\n//\n// - Rather than using a generic |felem_exp|, specialize the exponentation to\n// c2 with a faster addition chain.\n//\n// - |felem_mul| and |felem_sqr| are indirect calls to generic Montgomery\n// code. Given the few curves, we could specialize\n// |map_to_curve_simple_swu|. But doing this reasonably without duplicating\n// code in C is difficult. (C++ templates would be useful here.)\n//\n// - P-521's Z and c2 have small power-of-two absolute values. We could save\n// two multiplications in SSWU. (Other curves have reasonable values of Z\n// and inconvenient c2.) This is unlikely to be worthwhile without C++\n// templates to make specializing more convenient.\n\n// expand_message_xmd implements the operation described in section 5.3.1 of\n// RFC 9380. It returns one on success and zero on error.\nstatic int expand_message_xmd(const EVP_MD *md, uint8_t *out, size_t out_len,\n const uint8_t *msg, size_t msg_len,\n const uint8_t *dst, size_t dst_len) {\n // See https://github.com/cfrg/draft-irtf-cfrg-hash-to-curve/issues/352\n if (dst_len == 0) {\n OPENSSL_PUT_ERROR(EC, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);\n return 0;\n }\n\n int ret = 0;\n const size_t block_size = EVP_MD_block_size(md);\n const size_t md_size = EVP_MD_size(md);\n EVP_MD_CTX ctx;\n EVP_MD_CTX_init(&ctx);\n\n {\n // Long DSTs are hashed down to size. See section 5.3.3.\n static_assert(EVP_MAX_MD_SIZE < 256, \"hashed DST still too large\");\n uint8_t dst_buf[EVP_MAX_MD_SIZE];\n if (dst_len >= 256) {\n static const char kPrefix[] = \"H2C-OVERSIZE-DST-\";\n if (!EVP_DigestInit_ex(&ctx, md, NULL) ||\n !EVP_DigestUpdate(&ctx, kPrefix, sizeof(kPrefix) - 1) ||\n !EVP_DigestUpdate(&ctx, dst, dst_len) ||\n !EVP_DigestFinal_ex(&ctx, dst_buf, NULL)) {\n goto err;\n }\n dst = dst_buf;\n dst_len = md_size;\n }\n uint8_t dst_len_u8 = (uint8_t)dst_len;\n\n // Compute b_0.\n static const uint8_t kZeros[EVP_MAX_MD_BLOCK_SIZE] = {0};\n // If |out_len| exceeds 16 bits then |i| will wrap below causing an error to\n // be returned. This depends on the static assert above.\n uint8_t l_i_b_str_zero[3] = {static_cast(out_len >> 8),\n static_cast(out_len), 0};\n uint8_t b_0[EVP_MAX_MD_SIZE];\n if (!EVP_DigestInit_ex(&ctx, md, NULL) ||\n !EVP_DigestUpdate(&ctx, kZeros, block_size) ||\n !EVP_DigestUpdate(&ctx, msg, msg_len) ||\n !EVP_DigestUpdate(&ctx, l_i_b_str_zero, sizeof(l_i_b_str_zero)) ||\n !EVP_DigestUpdate(&ctx, dst, dst_len) ||\n !EVP_DigestUpdate(&ctx, &dst_len_u8, 1) ||\n !EVP_DigestFinal_ex(&ctx, b_0, NULL)) {\n goto err;\n }\n\n uint8_t b_i[EVP_MAX_MD_SIZE];\n uint8_t i = 1;\n while (out_len > 0) {\n if (i == 0) {\n // Input was too large.\n OPENSSL_PUT_ERROR(EC, ERR_R_INTERNAL_ERROR);\n goto err;\n }\n if (i > 1) {\n for (size_t j = 0; j < md_size; j++) {\n b_i[j] ^= b_0[j];\n }\n } else {\n OPENSSL_memcpy(b_i, b_0, md_size);\n }\n\n if (!EVP_DigestInit_ex(&ctx, md, NULL) ||\n !EVP_DigestUpdate(&ctx, b_i, md_size) ||\n !EVP_DigestUpdate(&ctx, &i, 1) ||\n !EVP_DigestUpdate(&ctx, dst, dst_len) ||\n !EVP_DigestUpdate(&ctx, &dst_len_u8, 1) ||\n !EVP_DigestFinal_ex(&ctx, b_i, NULL)) {\n goto err;\n }\n\n size_t todo = out_len >= md_size ? md_size : out_len;\n OPENSSL_memcpy(out, b_i, todo);\n out += todo;\n out_len -= todo;\n i++;\n }\n\n ret = 1;\n }\n\nerr:\n EVP_MD_CTX_cleanup(&ctx);\n return ret;\n}\n\n// num_bytes_to_derive determines the number of bytes to derive when hashing to\n// a number modulo |modulus|. See the hash_to_field operation defined in\n// section 5.2 of RFC 9380.\nstatic int num_bytes_to_derive(size_t *out, const BIGNUM *modulus, unsigned k) {\n size_t bits = BN_num_bits(modulus);\n size_t L = (bits + k + 7) / 8;\n // We require 2^(8*L) < 2^(2*bits - 2) <= n^2 so to fit in bounds for\n // |felem_reduce| and |ec_scalar_reduce|. All defined hash-to-curve suites\n // define |k| to be well under this bound. (|k| is usually around half of\n // |p_bits|.)\n if (L * 8 >= 2 * bits - 2 || L > 2 * EC_MAX_BYTES) {\n assert(0);\n OPENSSL_PUT_ERROR(EC, ERR_R_INTERNAL_ERROR);\n return 0;\n }\n\n *out = L;\n return 1;\n}\n\n// big_endian_to_words decodes |in| as a big-endian integer and writes the\n// result to |out|. |num_words| must be large enough to contain the output.\nstatic void big_endian_to_words(BN_ULONG *out, size_t num_words,\n const uint8_t *in, size_t len) {\n assert(len <= num_words * sizeof(BN_ULONG));\n // Ensure any excess bytes are zeroed.\n OPENSSL_memset(out, 0, num_words * sizeof(BN_ULONG));\n uint8_t *out_u8 = (uint8_t *)out;\n for (size_t i = 0; i < len; i++) {\n out_u8[len - 1 - i] = in[i];\n }\n}\n\n// hash_to_field implements the operation described in section 5.2\n// of RFC 9380, with count = 2. |k| is the security factor.\nstatic int hash_to_field2(const EC_GROUP *group, const EVP_MD *md,\n EC_FELEM *out1, EC_FELEM *out2, const uint8_t *dst,\n size_t dst_len, unsigned k, const uint8_t *msg,\n size_t msg_len) {\n size_t L;\n uint8_t buf[4 * EC_MAX_BYTES];\n if (!num_bytes_to_derive(&L, &group->field.N, k) ||\n !expand_message_xmd(md, buf, 2 * L, msg, msg_len, dst, dst_len)) {\n return 0;\n }\n BN_ULONG words[2 * EC_MAX_WORDS];\n size_t num_words = 2 * group->field.N.width;\n big_endian_to_words(words, num_words, buf, L);\n group->meth->felem_reduce(group, out1, words, num_words);\n big_endian_to_words(words, num_words, buf + L, L);\n group->meth->felem_reduce(group, out2, words, num_words);\n return 1;\n}\n\n// hash_to_scalar behaves like |hash_to_field2| but returns a value modulo the\n// group order rather than a field element. |k| is the security factor.\nstatic int hash_to_scalar(const EC_GROUP *group, const EVP_MD *md,\n EC_SCALAR *out, const uint8_t *dst, size_t dst_len,\n unsigned k, const uint8_t *msg, size_t msg_len) {\n const BIGNUM *order = EC_GROUP_get0_order(group);\n size_t L;\n uint8_t buf[EC_MAX_BYTES * 2];\n if (!num_bytes_to_derive(&L, order, k) ||\n !expand_message_xmd(md, buf, L, msg, msg_len, dst, dst_len)) {\n return 0;\n }\n\n BN_ULONG words[2 * EC_MAX_WORDS];\n size_t num_words = 2 * order->width;\n big_endian_to_words(words, num_words, buf, L);\n ec_scalar_reduce(group, out, words, num_words);\n return 1;\n}\n\nstatic inline void mul_A(const EC_GROUP *group, EC_FELEM *out,\n const EC_FELEM *in) {\n assert(group->a_is_minus3);\n EC_FELEM tmp;\n ec_felem_add(group, &tmp, in, in); // tmp = 2*in\n ec_felem_add(group, &tmp, &tmp, &tmp); // tmp = 4*in\n ec_felem_sub(group, out, in, &tmp); // out = -3*in\n}\n\n// sgn0 implements the operation described in section 4.1.2 of RFC 9380.\nstatic BN_ULONG sgn0(const EC_GROUP *group, const EC_FELEM *a) {\n uint8_t buf[EC_MAX_BYTES];\n size_t len;\n ec_felem_to_bytes(group, buf, &len, a);\n return buf[len - 1] & 1;\n}\n\n[[maybe_unused]] static int is_3mod4(const EC_GROUP *group) {\n return group->field.N.width > 0 && (group->field.N.d[0] & 3) == 3;\n}\n\n// sqrt_ratio_3mod4 implements the operation described in appendix F.2.1.2\n// of RFC 9380.\nstatic BN_ULONG sqrt_ratio_3mod4(const EC_GROUP *group, const EC_FELEM *Z,\n const BN_ULONG *c1, size_t num_c1,\n const EC_FELEM *c2, EC_FELEM *out_y,\n const EC_FELEM *u, const EC_FELEM *v) {\n assert(is_3mod4(group));\n\n void (*const felem_mul)(const EC_GROUP *, EC_FELEM *r, const EC_FELEM *a,\n const EC_FELEM *b) = group->meth->felem_mul;\n void (*const felem_sqr)(const EC_GROUP *, EC_FELEM *r, const EC_FELEM *a) =\n group->meth->felem_sqr;\n\n EC_FELEM tv1, tv2, tv3, y1, y2;\n felem_sqr(group, &tv1, v); // 1. tv1 = v^2\n felem_mul(group, &tv2, u, v); // 2. tv2 = u * v\n felem_mul(group, &tv1, &tv1, &tv2); // 3. tv1 = tv1 * tv2\n group->meth->felem_exp(group, &y1, &tv1, c1, num_c1); // 4. y1 = tv1^c1\n felem_mul(group, &y1, &y1, &tv2); // 5. y1 = y1 * tv2\n felem_mul(group, &y2, &y1, c2); // 6. y2 = y1 * c2\n felem_sqr(group, &tv3, &y1); // 7. tv3 = y1^2\n felem_mul(group, &tv3, &tv3, v); // 8. tv3 = tv3 * v\n\n // 9. isQR = tv3 == u\n // 10. y = CMOV(y2, y1, isQR)\n // 11. return (isQR, y)\n //\n // Note the specification's CMOV function and our |ec_felem_select| have the\n // opposite argument order.\n ec_felem_sub(group, &tv1, &tv3, u);\n const BN_ULONG isQR = ~ec_felem_non_zero_mask(group, &tv1);\n ec_felem_select(group, out_y, isQR, &y1, &y2);\n return isQR;\n}\n\n// map_to_curve_simple_swu implements the operation described in section 6.6.2\n// of RFC 9380, using the straight-line implementation in appendix F.2.\nstatic void map_to_curve_simple_swu(const EC_GROUP *group, const EC_FELEM *Z,\n const BN_ULONG *c1, size_t num_c1,\n const EC_FELEM *c2, EC_JACOBIAN *out,\n const EC_FELEM *u) {\n // This function requires the prime be 3 mod 4, and that A = -3.\n assert(is_3mod4(group));\n assert(group->a_is_minus3);\n\n void (*const felem_mul)(const EC_GROUP *, EC_FELEM *r, const EC_FELEM *a,\n const EC_FELEM *b) = group->meth->felem_mul;\n void (*const felem_sqr)(const EC_GROUP *, EC_FELEM *r, const EC_FELEM *a) =\n group->meth->felem_sqr;\n\n EC_FELEM tv1, tv2, tv3, tv4, tv5, tv6, x, y, y1;\n felem_sqr(group, &tv1, u); // 1. tv1 = u^2\n felem_mul(group, &tv1, Z, &tv1); // 2. tv1 = Z * tv1\n felem_sqr(group, &tv2, &tv1); // 3. tv2 = tv1^2\n ec_felem_add(group, &tv2, &tv2, &tv1); // 4. tv2 = tv2 + tv1\n ec_felem_add(group, &tv3, &tv2, ec_felem_one(group)); // 5. tv3 = tv2 + 1\n felem_mul(group, &tv3, &group->b, &tv3); // 6. tv3 = B * tv3\n\n // 7. tv4 = CMOV(Z, -tv2, tv2 != 0)\n const BN_ULONG tv2_non_zero = ec_felem_non_zero_mask(group, &tv2);\n ec_felem_neg(group, &tv4, &tv2);\n ec_felem_select(group, &tv4, tv2_non_zero, &tv4, Z);\n\n mul_A(group, &tv4, &tv4); // 8. tv4 = A * tv4\n felem_sqr(group, &tv2, &tv3); // 9. tv2 = tv3^2\n felem_sqr(group, &tv6, &tv4); // 10. tv6 = tv4^2\n mul_A(group, &tv5, &tv6); // 11. tv5 = A * tv6\n ec_felem_add(group, &tv2, &tv2, &tv5); // 12. tv2 = tv2 + tv5\n felem_mul(group, &tv2, &tv2, &tv3); // 13. tv2 = tv2 * tv3\n felem_mul(group, &tv6, &tv6, &tv4); // 14. tv6 = tv6 * tv4\n felem_mul(group, &tv5, &group->b, &tv6); // 15. tv5 = B * tv6\n ec_felem_add(group, &tv2, &tv2, &tv5); // 16. tv2 = tv2 + tv5\n felem_mul(group, &x, &tv1, &tv3); // 17. x = tv1 * tv3\n\n // 18. (is_gx1_square, y1) = sqrt_ratio(tv2, tv6)\n const BN_ULONG is_gx1_square =\n sqrt_ratio_3mod4(group, Z, c1, num_c1, c2, &y1, &tv2, &tv6);\n\n felem_mul(group, &y, &tv1, u); // 19. y = tv1 * u\n felem_mul(group, &y, &y, &y1); // 20. y = y * y1\n\n // 21. x = CMOV(x, tv3, is_gx1_square)\n ec_felem_select(group, &x, is_gx1_square, &tv3, &x);\n // 22. y = CMOV(y, y1, is_gx1_square)\n ec_felem_select(group, &y, is_gx1_square, &y1, &y);\n\n // 23. e1 = sgn0(u) == sgn0(y)\n BN_ULONG sgn0_u = sgn0(group, u);\n BN_ULONG sgn0_y = sgn0(group, &y);\n BN_ULONG not_e1 = sgn0_u ^ sgn0_y;\n not_e1 = ((BN_ULONG)0) - not_e1;\n\n // 24. y = CMOV(-y, y, e1)\n ec_felem_neg(group, &tv1, &y);\n ec_felem_select(group, &y, not_e1, &tv1, &y);\n\n // 25. x = x / tv4\n //\n // Our output is in projective coordinates, so rather than inverting |tv4|\n // now, represent (x / tv4, y) as (x * tv4, y * tv4^3, tv4). This is much more\n // efficient if the caller will do further computation on the output. (If the\n // caller will immediately convert to affine coordinates, it is slightly less\n // efficient, but only by a few field multiplications.)\n felem_mul(group, &out->X, &x, &tv4);\n felem_mul(group, &out->Y, &y, &tv6);\n out->Z = tv4;\n}\n\nstatic int hash_to_curve(const EC_GROUP *group, const EVP_MD *md,\n const EC_FELEM *Z, const EC_FELEM *c2, unsigned k,\n EC_JACOBIAN *out, const uint8_t *dst, size_t dst_len,\n const uint8_t *msg, size_t msg_len) {\n EC_FELEM u0, u1;\n if (!hash_to_field2(group, md, &u0, &u1, dst, dst_len, k, msg, msg_len)) {\n return 0;\n }\n\n // Compute |c1| = (p - 3) / 4.\n BN_ULONG c1[EC_MAX_WORDS];\n size_t num_c1 = group->field.N.width;\n if (!bn_copy_words(c1, num_c1, &group->field.N)) {\n return 0;\n }\n bn_rshift_words(c1, c1, /*shift=*/2, /*num=*/num_c1);\n\n EC_JACOBIAN Q0, Q1;\n map_to_curve_simple_swu(group, Z, c1, num_c1, c2, &Q0, &u0);\n map_to_curve_simple_swu(group, Z, c1, num_c1, c2, &Q1, &u1);\n\n group->meth->add(group, out, &Q0, &Q1); // R = Q0 + Q1\n // All our curves have cofactor one, so |clear_cofactor| is a no-op.\n return 1;\n}\n\nstatic int felem_from_u8(const EC_GROUP *group, EC_FELEM *out, uint8_t a) {\n uint8_t bytes[EC_MAX_BYTES] = {0};\n size_t len = BN_num_bytes(&group->field.N);\n bytes[len - 1] = a;\n return ec_felem_from_bytes(group, out, bytes, len);\n}\n\n// kP256Sqrt10 is sqrt(10) in P-256's field. It was computed as follows in\n// python3:\n//\n// p = 2**256 - 2**224 + 2**192 + 2**96 - 1\n// c2 = pow(10, (p+1)//4, p)\n// assert pow(c2, 2, p) == 10\n// \", \".join(\"0x%02x\" % b for b in c2.to_bytes(256//8, 'big'))\nstatic const uint8_t kP256Sqrt10[] = {\n 0xda, 0x53, 0x8e, 0x3b, 0xe1, 0xd8, 0x9b, 0x99, 0xc9, 0x78, 0xfc,\n 0x67, 0x51, 0x80, 0xaa, 0xb2, 0x7b, 0x8d, 0x1f, 0xf8, 0x4c, 0x55,\n 0xd5, 0xb6, 0x2c, 0xcd, 0x34, 0x27, 0xe4, 0x33, 0xc4, 0x7f};\n\n// kP384Sqrt12 is sqrt(12) in P-384's field. It was computed as follows in\n// python3:\n//\n// p = 2**384 - 2**128 - 2**96 + 2**32 - 1\n// c2 = pow(12, (p+1)//4, p)\n// assert pow(c2, 2, p) == 12\n// \", \".join(\"0x%02x\" % b for b in c2.to_bytes(384//8, 'big'))\nstatic const uint8_t kP384Sqrt12[] = {\n 0x2a, 0xcc, 0xb4, 0xa6, 0x56, 0xb0, 0x24, 0x9c, 0x71, 0xf0, 0x50, 0x0e,\n 0x83, 0xda, 0x2f, 0xdd, 0x7f, 0x98, 0xe3, 0x83, 0xd6, 0x8b, 0x53, 0x87,\n 0x1f, 0x87, 0x2f, 0xcb, 0x9c, 0xcb, 0x80, 0xc5, 0x3c, 0x0d, 0xe1, 0xf8,\n 0xa8, 0x0f, 0x7e, 0x19, 0x14, 0xe2, 0xec, 0x69, 0xf5, 0xa6, 0x26, 0xb3};\n\nint ec_hash_to_curve_p256_xmd_sha256_sswu(const EC_GROUP *group,\n EC_JACOBIAN *out, const uint8_t *dst,\n size_t dst_len, const uint8_t *msg,\n size_t msg_len) {\n // See section 8.3 of RFC 9380.\n if (EC_GROUP_get_curve_name(group) != NID_X9_62_prime256v1) {\n OPENSSL_PUT_ERROR(EC, EC_R_GROUP_MISMATCH);\n return 0;\n }\n\n // Z = -10, c2 = sqrt(10)\n EC_FELEM Z, c2;\n if (!felem_from_u8(group, &Z, 10) ||\n !ec_felem_from_bytes(group, &c2, kP256Sqrt10, sizeof(kP256Sqrt10))) {\n return 0;\n }\n ec_felem_neg(group, &Z, &Z);\n\n return hash_to_curve(group, EVP_sha256(), &Z, &c2, /*k=*/128, out, dst,\n dst_len, msg, msg_len);\n}\n\nint EC_hash_to_curve_p256_xmd_sha256_sswu(const EC_GROUP *group, EC_POINT *out,\n const uint8_t *dst, size_t dst_len,\n const uint8_t *msg, size_t msg_len) {\n if (EC_GROUP_cmp(group, out->group, NULL) != 0) {\n OPENSSL_PUT_ERROR(EC, EC_R_INCOMPATIBLE_OBJECTS);\n return 0;\n }\n return ec_hash_to_curve_p256_xmd_sha256_sswu(group, &out->raw, dst, dst_len,\n msg, msg_len);\n}\n\nint ec_hash_to_curve_p384_xmd_sha384_sswu(const EC_GROUP *group,\n EC_JACOBIAN *out, const uint8_t *dst,\n size_t dst_len, const uint8_t *msg,\n size_t msg_len) {\n // See section 8.3 of RFC 9380.\n if (EC_GROUP_get_curve_name(group) != NID_secp384r1) {\n OPENSSL_PUT_ERROR(EC, EC_R_GROUP_MISMATCH);\n return 0;\n }\n\n // Z = -12, c2 = sqrt(12)\n EC_FELEM Z, c2;\n if (!felem_from_u8(group, &Z, 12) ||\n !ec_felem_from_bytes(group, &c2, kP384Sqrt12, sizeof(kP384Sqrt12))) {\n return 0;\n }\n ec_felem_neg(group, &Z, &Z);\n\n return hash_to_curve(group, EVP_sha384(), &Z, &c2, /*k=*/192, out, dst,\n dst_len, msg, msg_len);\n}\n\nint EC_hash_to_curve_p384_xmd_sha384_sswu(const EC_GROUP *group, EC_POINT *out,\n const uint8_t *dst, size_t dst_len,\n const uint8_t *msg, size_t msg_len) {\n if (EC_GROUP_cmp(group, out->group, NULL) != 0) {\n OPENSSL_PUT_ERROR(EC, EC_R_INCOMPATIBLE_OBJECTS);\n return 0;\n }\n return ec_hash_to_curve_p384_xmd_sha384_sswu(group, &out->raw, dst, dst_len,\n msg, msg_len);\n}\n\nint ec_hash_to_scalar_p384_xmd_sha384(const EC_GROUP *group, EC_SCALAR *out,\n const uint8_t *dst, size_t dst_len,\n const uint8_t *msg, size_t msg_len) {\n if (EC_GROUP_get_curve_name(group) != NID_secp384r1) {\n OPENSSL_PUT_ERROR(EC, EC_R_GROUP_MISMATCH);\n return 0;\n }\n\n return hash_to_scalar(group, EVP_sha384(), out, dst, dst_len, /*k=*/192, msg,\n msg_len);\n}\n\nint ec_hash_to_curve_p384_xmd_sha512_sswu_draft07(\n const EC_GROUP *group, EC_JACOBIAN *out, const uint8_t *dst, size_t dst_len,\n const uint8_t *msg, size_t msg_len) {\n // See section 8.3 of draft-irtf-cfrg-hash-to-curve-07.\n if (EC_GROUP_get_curve_name(group) != NID_secp384r1) {\n OPENSSL_PUT_ERROR(EC, EC_R_GROUP_MISMATCH);\n return 0;\n }\n\n // Z = -12, c2 = sqrt(12)\n EC_FELEM Z, c2;\n if (!felem_from_u8(group, &Z, 12) ||\n !ec_felem_from_bytes(group, &c2, kP384Sqrt12, sizeof(kP384Sqrt12))) {\n return 0;\n }\n ec_felem_neg(group, &Z, &Z);\n\n return hash_to_curve(group, EVP_sha512(), &Z, &c2, /*k=*/192, out, dst,\n dst_len, msg, msg_len);\n}\n\nint ec_hash_to_scalar_p384_xmd_sha512_draft07(\n const EC_GROUP *group, EC_SCALAR *out, const uint8_t *dst, size_t dst_len,\n const uint8_t *msg, size_t msg_len) {\n if (EC_GROUP_get_curve_name(group) != NID_secp384r1) {\n OPENSSL_PUT_ERROR(EC, EC_R_GROUP_MISMATCH);\n return 0;\n }\n\n return hash_to_scalar(group, EVP_sha512(), out, dst, dst_len, /*k=*/192, msg,\n msg_len);\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/ec/internal.h", "content": "/* Copyright 2020 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n#ifndef OPENSSL_HEADER_EC_EXTRA_INTERNAL_H\n#define OPENSSL_HEADER_EC_EXTRA_INTERNAL_H\n\n#include \n\n#include \"../fipsmodule/ec/internal.h\"\n\n#if defined(__cplusplus)\nextern \"C\" {\n#endif\n\n\n// Hash-to-curve.\n//\n// Internal |EC_JACOBIAN| versions of the corresponding public APIs.\n\n// ec_hash_to_curve_p256_xmd_sha256_sswu hashes |msg| to a point on |group| and\n// writes the result to |out|, implementing the P256_XMD:SHA-256_SSWU_RO_ suite\n// from RFC 9380. It returns one on success and zero on error.\nOPENSSL_EXPORT int ec_hash_to_curve_p256_xmd_sha256_sswu(\n const EC_GROUP *group, EC_JACOBIAN *out, const uint8_t *dst, size_t dst_len,\n const uint8_t *msg, size_t msg_len);\n\n// ec_hash_to_curve_p384_xmd_sha384_sswu hashes |msg| to a point on |group| and\n// writes the result to |out|, implementing the P384_XMD:SHA-384_SSWU_RO_ suite\n// from RFC 9380. It returns one on success and zero on error.\nOPENSSL_EXPORT int ec_hash_to_curve_p384_xmd_sha384_sswu(\n const EC_GROUP *group, EC_JACOBIAN *out, const uint8_t *dst, size_t dst_len,\n const uint8_t *msg, size_t msg_len);\n\n// ec_hash_to_scalar_p384_xmd_sha384 hashes |msg| to a scalar on |group|\n// and writes the result to |out|, using the hash_to_field operation from the\n// P384_XMD:SHA-384_SSWU_RO_ suite from RFC 9380, but generating a value modulo\n// the group order rather than a field element.\nOPENSSL_EXPORT int ec_hash_to_scalar_p384_xmd_sha384(\n const EC_GROUP *group, EC_SCALAR *out, const uint8_t *dst, size_t dst_len,\n const uint8_t *msg, size_t msg_len);\n\n// ec_hash_to_curve_p384_xmd_sha512_sswu_draft07 hashes |msg| to a point on\n// |group| and writes the result to |out|, implementing the\n// P384_XMD:SHA-512_SSWU_RO_ suite from draft-irtf-cfrg-hash-to-curve-07. It\n// returns one on success and zero on error.\n//\n// TODO(https://crbug.com/1414562): Migrate this to the final version.\nOPENSSL_EXPORT int ec_hash_to_curve_p384_xmd_sha512_sswu_draft07(\n const EC_GROUP *group, EC_JACOBIAN *out, const uint8_t *dst, size_t dst_len,\n const uint8_t *msg, size_t msg_len);\n\n// ec_hash_to_scalar_p384_xmd_sha512_draft07 hashes |msg| to a scalar on |group|\n// and writes the result to |out|, using the hash_to_field operation from the\n// P384_XMD:SHA-512_SSWU_RO_ suite from draft-irtf-cfrg-hash-to-curve-07, but\n// generating a value modulo the group order rather than a field element.\n//\n// TODO(https://crbug.com/1414562): Migrate this to the final version.\nOPENSSL_EXPORT int ec_hash_to_scalar_p384_xmd_sha512_draft07(\n const EC_GROUP *group, EC_SCALAR *out, const uint8_t *dst, size_t dst_len,\n const uint8_t *msg, size_t msg_len);\n\n\n#if defined(__cplusplus)\n} // extern C\n#endif\n\n#endif // OPENSSL_HEADER_EC_EXTRA_INTERNAL_H\n" }, { "path": "Sources/CNIOBoringSSL/crypto/ecdh/ecdh.cc", "content": "/*\n * Copyright 2002-2016 The OpenSSL Project Authors. All Rights Reserved.\n * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n#include \n\n#include \n#include \n#include \n\n#include \"../fipsmodule/ec/internal.h\"\n#include \"../internal.h\"\n\n\nint ECDH_compute_key(void *out, size_t out_len, const EC_POINT *pub_key,\n const EC_KEY *priv_key,\n void *(*kdf)(const void *in, size_t inlen, void *out,\n size_t *out_len)) {\n if (priv_key->priv_key == NULL) {\n OPENSSL_PUT_ERROR(ECDH, ECDH_R_NO_PRIVATE_VALUE);\n return -1;\n }\n const EC_SCALAR *const priv = &priv_key->priv_key->scalar;\n const EC_GROUP *const group = EC_KEY_get0_group(priv_key);\n if (EC_GROUP_cmp(group, pub_key->group, NULL) != 0) {\n OPENSSL_PUT_ERROR(EC, EC_R_INCOMPATIBLE_OBJECTS);\n return -1;\n }\n\n EC_JACOBIAN shared_point;\n uint8_t buf[EC_MAX_BYTES];\n size_t buf_len;\n if (!ec_point_mul_scalar(group, &shared_point, &pub_key->raw, priv) ||\n !ec_get_x_coordinate_as_bytes(group, buf, &buf_len, sizeof(buf),\n &shared_point)) {\n OPENSSL_PUT_ERROR(ECDH, ECDH_R_POINT_ARITHMETIC_FAILURE);\n return -1;\n }\n\n if (kdf != NULL) {\n if (kdf(buf, buf_len, out, &out_len) == NULL) {\n OPENSSL_PUT_ERROR(ECDH, ECDH_R_KDF_FAILED);\n return -1;\n }\n } else {\n // no KDF, just copy as much as we can\n if (buf_len < out_len) {\n out_len = buf_len;\n }\n OPENSSL_memcpy(out, buf, out_len);\n }\n\n if (out_len > INT_MAX) {\n OPENSSL_PUT_ERROR(ECDH, ERR_R_OVERFLOW);\n return -1;\n }\n\n return (int)out_len;\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/ecdsa/ecdsa_asn1.cc", "content": "/*\n * Copyright 2002-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n#include \n\n#include \n#include \n#include \n#include \n#include \n\n#include \"../bytestring/internal.h\"\n#include \"../fipsmodule/ecdsa/internal.h\"\n#include \"../internal.h\"\n\n\nstatic ECDSA_SIG *ecdsa_sig_from_fixed(const EC_KEY *key, const uint8_t *in,\n size_t len) {\n const EC_GROUP *group = EC_KEY_get0_group(key);\n if (group == NULL) {\n OPENSSL_PUT_ERROR(ECDSA, ERR_R_PASSED_NULL_PARAMETER);\n return NULL;\n }\n size_t scalar_len = BN_num_bytes(EC_GROUP_get0_order(group));\n if (len != 2 * scalar_len) {\n OPENSSL_PUT_ERROR(ECDSA, ECDSA_R_BAD_SIGNATURE);\n return NULL;\n }\n ECDSA_SIG *ret = ECDSA_SIG_new();\n if (ret == NULL || !BN_bin2bn(in, scalar_len, ret->r) ||\n !BN_bin2bn(in + scalar_len, scalar_len, ret->s)) {\n ECDSA_SIG_free(ret);\n return NULL;\n }\n return ret;\n}\n\nstatic int ecdsa_sig_to_fixed(const EC_KEY *key, uint8_t *out, size_t *out_len,\n size_t max_out, const ECDSA_SIG *sig) {\n const EC_GROUP *group = EC_KEY_get0_group(key);\n if (group == NULL) {\n OPENSSL_PUT_ERROR(ECDSA, ERR_R_PASSED_NULL_PARAMETER);\n return 0;\n }\n size_t scalar_len = BN_num_bytes(EC_GROUP_get0_order(group));\n if (max_out < 2 * scalar_len) {\n OPENSSL_PUT_ERROR(EC, EC_R_BUFFER_TOO_SMALL);\n return 0;\n }\n if (BN_is_negative(sig->r) || !BN_bn2bin_padded(out, scalar_len, sig->r) ||\n BN_is_negative(sig->s) ||\n !BN_bn2bin_padded(out + scalar_len, scalar_len, sig->s)) {\n OPENSSL_PUT_ERROR(ECDSA, ECDSA_R_BAD_SIGNATURE);\n return 0;\n }\n *out_len = 2 * scalar_len;\n return 1;\n}\n\nint ECDSA_sign(int type, const uint8_t *digest, size_t digest_len, uint8_t *sig,\n unsigned int *out_sig_len, const EC_KEY *eckey) {\n if (eckey->ecdsa_meth && eckey->ecdsa_meth->sign) {\n return eckey->ecdsa_meth->sign(digest, digest_len, sig, out_sig_len,\n (EC_KEY *)eckey /* cast away const */);\n }\n\n *out_sig_len = 0;\n uint8_t fixed[ECDSA_MAX_FIXED_LEN];\n size_t fixed_len;\n if (!ecdsa_sign_fixed(digest, digest_len, fixed, &fixed_len, sizeof(fixed),\n eckey)) {\n return 0;\n }\n\n // TODO(davidben): We can actually do better and go straight from the DER\n // format to the fixed-width format without a malloc.\n ECDSA_SIG *s = ecdsa_sig_from_fixed(eckey, fixed, fixed_len);\n if (s == NULL) {\n return 0;\n }\n\n int ret = 0;\n CBB cbb;\n CBB_init_fixed(&cbb, sig, ECDSA_size(eckey));\n size_t len;\n if (!ECDSA_SIG_marshal(&cbb, s) || !CBB_finish(&cbb, NULL, &len)) {\n OPENSSL_PUT_ERROR(ECDSA, ECDSA_R_ENCODE_ERROR);\n goto err;\n }\n *out_sig_len = (unsigned)len;\n ret = 1;\n\nerr:\n ECDSA_SIG_free(s);\n return ret;\n}\n\nint ECDSA_verify(int type, const uint8_t *digest, size_t digest_len,\n const uint8_t *sig, size_t sig_len, const EC_KEY *eckey) {\n // Decode the ECDSA signature.\n //\n // TODO(davidben): We can actually do better and go straight from the DER\n // format to the fixed-width format without a malloc.\n int ret = 0;\n uint8_t *der = NULL;\n ECDSA_SIG *s = ECDSA_SIG_from_bytes(sig, sig_len);\n if (s == NULL) {\n goto err;\n }\n\n // Defend against potential laxness in the DER parser.\n size_t der_len;\n if (!ECDSA_SIG_to_bytes(&der, &der_len, s) || der_len != sig_len ||\n OPENSSL_memcmp(sig, der, sig_len) != 0) {\n // This should never happen. crypto/bytestring is strictly DER.\n OPENSSL_PUT_ERROR(ECDSA, ERR_R_INTERNAL_ERROR);\n goto err;\n }\n\n uint8_t fixed[ECDSA_MAX_FIXED_LEN];\n size_t fixed_len;\n ret = ecdsa_sig_to_fixed(eckey, fixed, &fixed_len, sizeof(fixed), s) &&\n ecdsa_verify_fixed(digest, digest_len, fixed, fixed_len, eckey);\n\nerr:\n OPENSSL_free(der);\n ECDSA_SIG_free(s);\n return ret;\n}\n\n\nsize_t ECDSA_size(const EC_KEY *key) {\n if (key == NULL) {\n return 0;\n }\n\n const EC_GROUP *group = EC_KEY_get0_group(key);\n if (group == NULL) {\n return 0;\n }\n\n size_t group_order_size = BN_num_bytes(EC_GROUP_get0_order(group));\n return ECDSA_SIG_max_len(group_order_size);\n}\n\nECDSA_SIG *ECDSA_SIG_new(void) {\n ECDSA_SIG *sig =\n reinterpret_cast(OPENSSL_malloc(sizeof(ECDSA_SIG)));\n if (sig == NULL) {\n return NULL;\n }\n sig->r = BN_new();\n sig->s = BN_new();\n if (sig->r == NULL || sig->s == NULL) {\n ECDSA_SIG_free(sig);\n return NULL;\n }\n return sig;\n}\n\nvoid ECDSA_SIG_free(ECDSA_SIG *sig) {\n if (sig == NULL) {\n return;\n }\n\n BN_free(sig->r);\n BN_free(sig->s);\n OPENSSL_free(sig);\n}\n\nconst BIGNUM *ECDSA_SIG_get0_r(const ECDSA_SIG *sig) { return sig->r; }\n\nconst BIGNUM *ECDSA_SIG_get0_s(const ECDSA_SIG *sig) { return sig->s; }\n\nvoid ECDSA_SIG_get0(const ECDSA_SIG *sig, const BIGNUM **out_r,\n const BIGNUM **out_s) {\n if (out_r != NULL) {\n *out_r = sig->r;\n }\n if (out_s != NULL) {\n *out_s = sig->s;\n }\n}\n\nint ECDSA_SIG_set0(ECDSA_SIG *sig, BIGNUM *r, BIGNUM *s) {\n if (r == NULL || s == NULL) {\n return 0;\n }\n BN_free(sig->r);\n BN_free(sig->s);\n sig->r = r;\n sig->s = s;\n return 1;\n}\n\nint ECDSA_do_verify(const uint8_t *digest, size_t digest_len,\n const ECDSA_SIG *sig, const EC_KEY *eckey) {\n uint8_t fixed[ECDSA_MAX_FIXED_LEN];\n size_t fixed_len;\n return ecdsa_sig_to_fixed(eckey, fixed, &fixed_len, sizeof(fixed), sig) &&\n ecdsa_verify_fixed(digest, digest_len, fixed, fixed_len, eckey);\n}\n\n// This function is only exported for testing and is not called in production\n// code.\nECDSA_SIG *ECDSA_sign_with_nonce_and_leak_private_key_for_testing(\n const uint8_t *digest, size_t digest_len, const EC_KEY *eckey,\n const uint8_t *nonce, size_t nonce_len) {\n uint8_t sig[ECDSA_MAX_FIXED_LEN];\n size_t sig_len;\n if (!ecdsa_sign_fixed_with_nonce_for_known_answer_test(\n digest, digest_len, sig, &sig_len, sizeof(sig), eckey, nonce,\n nonce_len)) {\n return NULL;\n }\n\n return ecdsa_sig_from_fixed(eckey, sig, sig_len);\n}\n\nECDSA_SIG *ECDSA_do_sign(const uint8_t *digest, size_t digest_len,\n const EC_KEY *eckey) {\n uint8_t sig[ECDSA_MAX_FIXED_LEN];\n size_t sig_len;\n if (!ecdsa_sign_fixed(digest, digest_len, sig, &sig_len, sizeof(sig),\n eckey)) {\n return NULL;\n }\n\n return ecdsa_sig_from_fixed(eckey, sig, sig_len);\n}\n\nECDSA_SIG *ECDSA_SIG_parse(CBS *cbs) {\n ECDSA_SIG *ret = ECDSA_SIG_new();\n if (ret == NULL) {\n return NULL;\n }\n CBS child;\n if (!CBS_get_asn1(cbs, &child, CBS_ASN1_SEQUENCE) ||\n !BN_parse_asn1_unsigned(&child, ret->r) ||\n !BN_parse_asn1_unsigned(&child, ret->s) || CBS_len(&child) != 0) {\n OPENSSL_PUT_ERROR(ECDSA, ECDSA_R_BAD_SIGNATURE);\n ECDSA_SIG_free(ret);\n return NULL;\n }\n return ret;\n}\n\nECDSA_SIG *ECDSA_SIG_from_bytes(const uint8_t *in, size_t in_len) {\n CBS cbs;\n CBS_init(&cbs, in, in_len);\n ECDSA_SIG *ret = ECDSA_SIG_parse(&cbs);\n if (ret == NULL || CBS_len(&cbs) != 0) {\n OPENSSL_PUT_ERROR(ECDSA, ECDSA_R_BAD_SIGNATURE);\n ECDSA_SIG_free(ret);\n return NULL;\n }\n return ret;\n}\n\nint ECDSA_SIG_marshal(CBB *cbb, const ECDSA_SIG *sig) {\n CBB child;\n if (!CBB_add_asn1(cbb, &child, CBS_ASN1_SEQUENCE) ||\n !BN_marshal_asn1(&child, sig->r) || !BN_marshal_asn1(&child, sig->s) ||\n !CBB_flush(cbb)) {\n OPENSSL_PUT_ERROR(ECDSA, ECDSA_R_ENCODE_ERROR);\n return 0;\n }\n return 1;\n}\n\nint ECDSA_SIG_to_bytes(uint8_t **out_bytes, size_t *out_len,\n const ECDSA_SIG *sig) {\n CBB cbb;\n CBB_zero(&cbb);\n if (!CBB_init(&cbb, 0) || !ECDSA_SIG_marshal(&cbb, sig) ||\n !CBB_finish(&cbb, out_bytes, out_len)) {\n OPENSSL_PUT_ERROR(ECDSA, ECDSA_R_ENCODE_ERROR);\n CBB_cleanup(&cbb);\n return 0;\n }\n return 1;\n}\n\n// der_len_len returns the number of bytes needed to represent a length of |len|\n// in DER.\nstatic size_t der_len_len(size_t len) {\n if (len < 0x80) {\n return 1;\n }\n size_t ret = 1;\n while (len > 0) {\n ret++;\n len >>= 8;\n }\n return ret;\n}\n\nsize_t ECDSA_SIG_max_len(size_t order_len) {\n // Compute the maximum length of an |order_len| byte integer. Defensively\n // assume that the leading 0x00 is included.\n size_t integer_len = 1 /* tag */ + der_len_len(order_len + 1) + 1 + order_len;\n if (integer_len < order_len) {\n return 0;\n }\n // An ECDSA signature is two INTEGERs.\n size_t value_len = 2 * integer_len;\n if (value_len < integer_len) {\n return 0;\n }\n // Add the header.\n size_t ret = 1 /* tag */ + der_len_len(value_len) + value_len;\n if (ret < value_len) {\n return 0;\n }\n return ret;\n}\n\nECDSA_SIG *d2i_ECDSA_SIG(ECDSA_SIG **out, const uint8_t **inp, long len) {\n if (len < 0) {\n return NULL;\n }\n CBS cbs;\n CBS_init(&cbs, *inp, (size_t)len);\n ECDSA_SIG *ret = ECDSA_SIG_parse(&cbs);\n if (ret == NULL) {\n return NULL;\n }\n if (out != NULL) {\n ECDSA_SIG_free(*out);\n *out = ret;\n }\n *inp = CBS_data(&cbs);\n return ret;\n}\n\nint i2d_ECDSA_SIG(const ECDSA_SIG *sig, uint8_t **outp) {\n CBB cbb;\n if (!CBB_init(&cbb, 0) || !ECDSA_SIG_marshal(&cbb, sig)) {\n CBB_cleanup(&cbb);\n return -1;\n }\n return CBB_finish_i2d(&cbb, outp);\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/engine/engine.cc", "content": "/* Copyright 2014 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n#include \n\n#include \n#include \n\n#include \n#include \n#include \n#include \n#include \n\n#include \"../internal.h\"\n\n\nstruct engine_st {\n RSA_METHOD *rsa_method;\n ECDSA_METHOD *ecdsa_method;\n};\n\nENGINE *ENGINE_new(void) {\n return reinterpret_cast(OPENSSL_zalloc(sizeof(ENGINE)));\n}\n\nint ENGINE_free(ENGINE *engine) {\n // Methods are currently required to be static so are not unref'ed.\n OPENSSL_free(engine);\n return 1;\n}\n\n// set_method takes a pointer to a method and its given size and sets\n// |*out_member| to point to it. This function might want to be extended in the\n// future to support making a copy of the method so that a stable ABI for\n// ENGINEs can be supported. But, for the moment, all *_METHODS must be\n// static.\nstatic int set_method(void **out_member, const void *method, size_t method_size,\n size_t compiled_size) {\n const struct openssl_method_common_st *common =\n reinterpret_cast(method);\n if (method_size != compiled_size || !common->is_static) {\n return 0;\n }\n\n *out_member = (void *)method;\n return 1;\n}\n\nint ENGINE_set_RSA_method(ENGINE *engine, const RSA_METHOD *method,\n size_t method_size) {\n return set_method((void **)&engine->rsa_method, method, method_size,\n sizeof(RSA_METHOD));\n}\n\nRSA_METHOD *ENGINE_get_RSA_method(const ENGINE *engine) {\n return engine->rsa_method;\n}\n\nint ENGINE_set_ECDSA_method(ENGINE *engine, const ECDSA_METHOD *method,\n size_t method_size) {\n return set_method((void **)&engine->ecdsa_method, method, method_size,\n sizeof(ECDSA_METHOD));\n}\n\nECDSA_METHOD *ENGINE_get_ECDSA_method(const ENGINE *engine) {\n return engine->ecdsa_method;\n}\n\nvoid METHOD_ref(void *method_in) {\n assert(((struct openssl_method_common_st *)method_in)->is_static);\n}\n\nvoid METHOD_unref(void *method_in) {\n struct openssl_method_common_st *method =\n reinterpret_cast(method_in);\n\n if (method == NULL) {\n return;\n }\n assert(method->is_static);\n}\n\nOPENSSL_DECLARE_ERROR_REASON(ENGINE, OPERATION_NOT_SUPPORTED)\n" }, { "path": "Sources/CNIOBoringSSL/crypto/err/err.cc", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n// Ensure we can't call OPENSSL_malloc circularly.\n#define _BORINGSSL_PROHIBIT_OPENSSL_MALLOC\n#include \n\n#include \n#include \n#include \n#include \n#include \n#include \n\n#if defined(OPENSSL_WINDOWS)\nOPENSSL_MSVC_PRAGMA(warning(push, 3))\n#include \nOPENSSL_MSVC_PRAGMA(warning(pop))\n#endif\n\n#include \n#include \n\n#include \"../internal.h\"\n#include \"./internal.h\"\n\n\nnamespace {\nstruct err_error_st {\n // file contains the filename where the error occurred.\n const char *file;\n // data contains a NUL-terminated string with optional data. It is allocated\n // with system |malloc| and must be freed with |free| (not |OPENSSL_free|)\n char *data;\n // packed contains the error library and reason, as packed by ERR_PACK.\n uint32_t packed;\n // line contains the line number where the error occurred.\n uint16_t line;\n // mark indicates a reversion point in the queue. See |ERR_pop_to_mark|.\n unsigned mark : 1;\n};\n\n// ERR_STATE contains the per-thread, error queue.\ntypedef struct err_state_st {\n // errors contains up to ERR_NUM_ERRORS - 1 most recent errors, organised as a\n // ring buffer.\n struct err_error_st errors[ERR_NUM_ERRORS];\n // top contains the index of the most recent error. If |top| equals |bottom|\n // then the queue is empty.\n unsigned top;\n // bottom contains the index before the least recent error in the queue.\n unsigned bottom;\n\n // to_free, if not NULL, contains a pointer owned by this structure that was\n // previously a |data| pointer of one of the elements of |errors|.\n void *to_free;\n} ERR_STATE;\n} // namespace\n\nextern const uint32_t kOpenSSLReasonValues[];\nextern const size_t kOpenSSLReasonValuesLen;\nextern const char kOpenSSLReasonStringData[];\n\nstatic char *strdup_libc_malloc(const char *str) {\n // |strdup| is not in C until C23, so MSVC triggers deprecation warnings, and\n // glibc and musl gate it on a feature macro. Reimplementing it is easier.\n size_t len = strlen(str);\n char *ret = reinterpret_cast(malloc(len + 1));\n if (ret != NULL) {\n memcpy(ret, str, len + 1);\n }\n return ret;\n}\n\n// err_clear clears the given queued error.\nstatic void err_clear(struct err_error_st *error) {\n free(error->data);\n OPENSSL_memset(error, 0, sizeof(struct err_error_st));\n}\n\nstatic void err_copy(struct err_error_st *dst, const struct err_error_st *src) {\n err_clear(dst);\n dst->file = src->file;\n if (src->data != NULL) {\n // We can't use OPENSSL_strdup because we don't want to call OPENSSL_malloc,\n // which can affect the error stack.\n dst->data = strdup_libc_malloc(src->data);\n }\n dst->packed = src->packed;\n dst->line = src->line;\n}\n\n\n// global_next_library contains the next custom library value to return.\nstatic int global_next_library = ERR_NUM_LIBS;\n\n// global_next_library_mutex protects |global_next_library| from concurrent\n// updates.\nstatic CRYPTO_MUTEX global_next_library_mutex = CRYPTO_MUTEX_INIT;\n\nstatic void err_state_free(void *statep) {\n ERR_STATE *state = reinterpret_cast(statep);\n\n if (state == NULL) {\n return;\n }\n\n for (unsigned i = 0; i < ERR_NUM_ERRORS; i++) {\n err_clear(&state->errors[i]);\n }\n free(state->to_free);\n free(state);\n}\n\n// err_get_state gets the ERR_STATE object for the current thread.\nstatic ERR_STATE *err_get_state(void) {\n ERR_STATE *state = reinterpret_cast(\n CRYPTO_get_thread_local(OPENSSL_THREAD_LOCAL_ERR));\n if (state == NULL) {\n state = reinterpret_cast(malloc(sizeof(ERR_STATE)));\n if (state == NULL) {\n return NULL;\n }\n OPENSSL_memset(state, 0, sizeof(ERR_STATE));\n if (!CRYPTO_set_thread_local(OPENSSL_THREAD_LOCAL_ERR, state,\n err_state_free)) {\n return NULL;\n }\n }\n\n return state;\n}\n\nstatic uint32_t get_error_values(int inc, int top, const char **file, int *line,\n const char **data, int *flags) {\n unsigned i = 0;\n ERR_STATE *state;\n struct err_error_st *error;\n uint32_t ret;\n\n state = err_get_state();\n if (state == NULL || state->bottom == state->top) {\n return 0;\n }\n\n if (top) {\n assert(!inc);\n // last error\n i = state->top;\n } else {\n i = (state->bottom + 1) % ERR_NUM_ERRORS;\n }\n\n error = &state->errors[i];\n ret = error->packed;\n\n if (file != NULL && line != NULL) {\n if (error->file == NULL) {\n *file = \"NA\";\n *line = 0;\n } else {\n *file = error->file;\n *line = error->line;\n }\n }\n\n if (data != NULL) {\n if (error->data == NULL) {\n *data = \"\";\n if (flags != NULL) {\n *flags = 0;\n }\n } else {\n *data = error->data;\n if (flags != NULL) {\n // Without |ERR_FLAG_MALLOCED|, rust-openssl assumes the string has a\n // static lifetime. In both cases, we retain ownership of the string,\n // and the caller is not expected to free it.\n *flags = ERR_FLAG_STRING | ERR_FLAG_MALLOCED;\n }\n // If this error is being removed, take ownership of data from\n // the error. The semantics are such that the caller doesn't\n // take ownership either. Instead the error system takes\n // ownership and retains it until the next call that affects the\n // error queue.\n if (inc) {\n if (error->data != NULL) {\n free(state->to_free);\n state->to_free = error->data;\n }\n error->data = NULL;\n }\n }\n }\n\n if (inc) {\n assert(!top);\n err_clear(error);\n state->bottom = i;\n }\n\n return ret;\n}\n\nuint32_t ERR_get_error(void) {\n return get_error_values(1 /* inc */, 0 /* bottom */, NULL, NULL, NULL, NULL);\n}\n\nuint32_t ERR_get_error_line(const char **file, int *line) {\n return get_error_values(1 /* inc */, 0 /* bottom */, file, line, NULL, NULL);\n}\n\nuint32_t ERR_get_error_line_data(const char **file, int *line,\n const char **data, int *flags) {\n return get_error_values(1 /* inc */, 0 /* bottom */, file, line, data, flags);\n}\n\nuint32_t ERR_peek_error(void) {\n return get_error_values(0 /* peek */, 0 /* bottom */, NULL, NULL, NULL, NULL);\n}\n\nuint32_t ERR_peek_error_line(const char **file, int *line) {\n return get_error_values(0 /* peek */, 0 /* bottom */, file, line, NULL, NULL);\n}\n\nuint32_t ERR_peek_error_line_data(const char **file, int *line,\n const char **data, int *flags) {\n return get_error_values(0 /* peek */, 0 /* bottom */, file, line, data,\n flags);\n}\n\nuint32_t ERR_peek_last_error(void) {\n return get_error_values(0 /* peek */, 1 /* top */, NULL, NULL, NULL, NULL);\n}\n\nuint32_t ERR_peek_last_error_line(const char **file, int *line) {\n return get_error_values(0 /* peek */, 1 /* top */, file, line, NULL, NULL);\n}\n\nuint32_t ERR_peek_last_error_line_data(const char **file, int *line,\n const char **data, int *flags) {\n return get_error_values(0 /* peek */, 1 /* top */, file, line, data, flags);\n}\n\nvoid ERR_clear_error(void) {\n ERR_STATE *const state = err_get_state();\n unsigned i;\n\n if (state == NULL) {\n return;\n }\n\n for (i = 0; i < ERR_NUM_ERRORS; i++) {\n err_clear(&state->errors[i]);\n }\n free(state->to_free);\n state->to_free = NULL;\n\n state->top = state->bottom = 0;\n}\n\nvoid ERR_remove_thread_state(const CRYPTO_THREADID *tid) {\n if (tid != NULL) {\n assert(0);\n return;\n }\n\n ERR_clear_error();\n}\n\nint ERR_get_next_error_library(void) {\n int ret;\n\n CRYPTO_MUTEX_lock_write(&global_next_library_mutex);\n ret = global_next_library++;\n CRYPTO_MUTEX_unlock_write(&global_next_library_mutex);\n\n return ret;\n}\n\nvoid ERR_remove_state(unsigned long pid) { ERR_clear_error(); }\n\nvoid ERR_clear_system_error(void) { errno = 0; }\n\n// err_string_cmp is a compare function for searching error values with\n// |bsearch| in |err_string_lookup|.\nstatic int err_string_cmp(const void *a, const void *b) {\n const uint32_t a_key = *((const uint32_t *)a) >> 15;\n const uint32_t b_key = *((const uint32_t *)b) >> 15;\n\n if (a_key < b_key) {\n return -1;\n } else if (a_key > b_key) {\n return 1;\n } else {\n return 0;\n }\n}\n\n// err_string_lookup looks up the string associated with |lib| and |key| in\n// |values| and |string_data|. It returns the string or NULL if not found.\nstatic const char *err_string_lookup(uint32_t lib, uint32_t key,\n const uint32_t *values, size_t num_values,\n const char *string_data) {\n // |values| points to data in err_data.h, which is generated by\n // err_data_generate.go. It's an array of uint32_t values. Each value has the\n // following structure:\n // | lib | key | offset |\n // |6 bits| 11 bits | 15 bits |\n //\n // The |lib| value is a library identifier: one of the |ERR_LIB_*| values.\n // The |key| is a reason code, depending on the context.\n // The |offset| is the number of bytes from the start of |string_data| where\n // the (NUL terminated) string for this value can be found.\n //\n // Values are sorted based on treating the |lib| and |key| part as an\n // unsigned integer.\n if (lib >= (1 << 6) || key >= (1 << 11)) {\n return NULL;\n }\n uint32_t search_key = lib << 26 | key << 15;\n const uint32_t *result = reinterpret_cast(bsearch(\n &search_key, values, num_values, sizeof(uint32_t), err_string_cmp));\n if (result == NULL) {\n return NULL;\n }\n\n return &string_data[(*result) & 0x7fff];\n}\n\nnamespace {\ntypedef struct library_name_st {\n const char *str;\n const char *symbol;\n const char *reason_symbol;\n} LIBRARY_NAME;\n} // namespace\n\nstatic const LIBRARY_NAME kLibraryNames[ERR_NUM_LIBS] = {\n {\"invalid library (0)\", NULL, NULL},\n {\"unknown library\", \"NONE\", \"NONE_LIB\"},\n {\"system library\", \"SYS\", \"SYS_LIB\"},\n {\"bignum routines\", \"BN\", \"BN_LIB\"},\n {\"RSA routines\", \"RSA\", \"RSA_LIB\"},\n {\"Diffie-Hellman routines\", \"DH\", \"DH_LIB\"},\n {\"public key routines\", \"EVP\", \"EVP_LIB\"},\n {\"memory buffer routines\", \"BUF\", \"BUF_LIB\"},\n {\"object identifier routines\", \"OBJ\", \"OBJ_LIB\"},\n {\"PEM routines\", \"PEM\", \"PEM_LIB\"},\n {\"DSA routines\", \"DSA\", \"DSA_LIB\"},\n {\"X.509 certificate routines\", \"X509\", \"X509_LIB\"},\n {\"ASN.1 encoding routines\", \"ASN1\", \"ASN1_LIB\"},\n {\"configuration file routines\", \"CONF\", \"CONF_LIB\"},\n {\"common libcrypto routines\", \"CRYPTO\", \"CRYPTO_LIB\"},\n {\"elliptic curve routines\", \"EC\", \"EC_LIB\"},\n {\"SSL routines\", \"SSL\", \"SSL_LIB\"},\n {\"BIO routines\", \"BIO\", \"BIO_LIB\"},\n {\"PKCS7 routines\", \"PKCS7\", \"PKCS7_LIB\"},\n {\"PKCS8 routines\", \"PKCS8\", \"PKCS8_LIB\"},\n {\"X509 V3 routines\", \"X509V3\", \"X509V3_LIB\"},\n {\"random number generator\", \"RAND\", \"RAND_LIB\"},\n {\"ENGINE routines\", \"ENGINE\", \"ENGINE_LIB\"},\n {\"OCSP routines\", \"OCSP\", \"OCSP_LIB\"},\n {\"UI routines\", \"UI\", \"UI_LIB\"},\n {\"COMP routines\", \"COMP\", \"COMP_LIB\"},\n {\"ECDSA routines\", \"ECDSA\", \"ECDSA_LIB\"},\n {\"ECDH routines\", \"ECDH\", \"ECDH_LIB\"},\n {\"HMAC routines\", \"HMAC\", \"HMAC_LIB\"},\n {\"Digest functions\", \"DIGEST\", \"DIGEST_LIB\"},\n {\"Cipher functions\", \"CIPHER\", \"CIPHER_LIB\"},\n {\"HKDF functions\", \"HKDF\", \"HKDF_LIB\"},\n {\"Trust Token functions\", \"TRUST_TOKEN\", \"TRUST_TOKEN_LIB\"},\n {\"User defined functions\", \"USER\", \"USER_LIB\"},\n};\n\nstatic const char *err_lib_error_string(uint32_t packed_error) {\n const uint32_t lib = ERR_GET_LIB(packed_error);\n return lib >= ERR_NUM_LIBS ? NULL : kLibraryNames[lib].str;\n}\n\nconst char *ERR_lib_error_string(uint32_t packed_error) {\n const char *ret = err_lib_error_string(packed_error);\n return ret == NULL ? \"unknown library\" : ret;\n}\n\nconst char *ERR_lib_symbol_name(uint32_t packed_error) {\n const uint32_t lib = ERR_GET_LIB(packed_error);\n return lib >= ERR_NUM_LIBS ? NULL : kLibraryNames[lib].symbol;\n}\n\nconst char *ERR_func_error_string(uint32_t packed_error) {\n return \"OPENSSL_internal\";\n}\n\nstatic const char *err_reason_error_string(uint32_t packed_error, int symbol) {\n const uint32_t lib = ERR_GET_LIB(packed_error);\n const uint32_t reason = ERR_GET_REASON(packed_error);\n\n if (lib == ERR_LIB_SYS) {\n if (!symbol && reason < 127) {\n return strerror(reason);\n }\n return NULL;\n }\n\n if (reason < ERR_NUM_LIBS) {\n return symbol ? kLibraryNames[reason].reason_symbol\n : kLibraryNames[reason].str;\n }\n\n if (reason < 100) {\n // TODO(davidben): All our other reason strings match the symbol name. Only\n // the common ones differ. Should we just consistently return the symbol\n // name?\n switch (reason) {\n case ERR_R_MALLOC_FAILURE:\n return symbol ? \"MALLOC_FAILURE\" : \"malloc failure\";\n case ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED:\n return symbol ? \"SHOULD_NOT_HAVE_BEEN_CALLED\"\n : \"function should not have been called\";\n case ERR_R_PASSED_NULL_PARAMETER:\n return symbol ? \"PASSED_NULL_PARAMETER\" : \"passed a null parameter\";\n case ERR_R_INTERNAL_ERROR:\n return symbol ? \"INTERNAL_ERROR\" : \"internal error\";\n case ERR_R_OVERFLOW:\n return symbol ? \"OVERFLOW\" : \"overflow\";\n default:\n return NULL;\n }\n }\n\n // Unlike OpenSSL, BoringSSL's reason strings already match symbol name, so we\n // do not need to check |symbol|.\n return err_string_lookup(lib, reason, kOpenSSLReasonValues,\n kOpenSSLReasonValuesLen, kOpenSSLReasonStringData);\n}\n\nconst char *ERR_reason_error_string(uint32_t packed_error) {\n const char *ret = err_reason_error_string(packed_error, /*symbol=*/0);\n return ret == NULL ? \"unknown error\" : ret;\n}\n\nconst char *ERR_reason_symbol_name(uint32_t packed_error) {\n return err_reason_error_string(packed_error, /*symbol=*/1);\n}\n\nchar *ERR_error_string(uint32_t packed_error, char *ret) {\n static char buf[ERR_ERROR_STRING_BUF_LEN];\n\n if (ret == NULL) {\n // TODO(fork): remove this.\n ret = buf;\n }\n\n#if !defined(NDEBUG)\n // This is aimed to help catch callers who don't provide\n // |ERR_ERROR_STRING_BUF_LEN| bytes of space.\n OPENSSL_memset(ret, 0, ERR_ERROR_STRING_BUF_LEN);\n#endif\n\n return ERR_error_string_n(packed_error, ret, ERR_ERROR_STRING_BUF_LEN);\n}\n\nchar *ERR_error_string_n(uint32_t packed_error, char *buf, size_t len) {\n if (len == 0) {\n return NULL;\n }\n\n unsigned lib = ERR_GET_LIB(packed_error);\n unsigned reason = ERR_GET_REASON(packed_error);\n\n const char *lib_str = err_lib_error_string(packed_error);\n const char *reason_str = err_reason_error_string(packed_error, /*symbol=*/0);\n\n char lib_buf[32], reason_buf[32];\n if (lib_str == NULL) {\n snprintf(lib_buf, sizeof(lib_buf), \"lib(%u)\", lib);\n lib_str = lib_buf;\n }\n\n if (reason_str == NULL) {\n snprintf(reason_buf, sizeof(reason_buf), \"reason(%u)\", reason);\n reason_str = reason_buf;\n }\n\n int ret = snprintf(buf, len, \"error:%08\" PRIx32 \":%s:OPENSSL_internal:%s\",\n packed_error, lib_str, reason_str);\n if (ret >= 0 && (size_t)ret >= len) {\n // The output was truncated; make sure we always have 5 colon-separated\n // fields, i.e. 4 colons.\n static const unsigned num_colons = 4;\n unsigned i;\n char *s = buf;\n\n if (len <= num_colons) {\n // In this situation it's not possible to ensure that the correct number\n // of colons are included in the output.\n return buf;\n }\n\n for (i = 0; i < num_colons; i++) {\n char *colon = strchr(s, ':');\n char *last_pos = &buf[len - 1] - num_colons + i;\n\n if (colon == NULL || colon > last_pos) {\n // set colon |i| at last possible position (buf[len-1] is the\n // terminating 0). If we're setting this colon, then all whole of the\n // rest of the string must be colons in order to have the correct\n // number.\n OPENSSL_memset(last_pos, ':', num_colons - i);\n break;\n }\n\n s = colon + 1;\n }\n }\n\n return buf;\n}\n\nvoid ERR_print_errors_cb(ERR_print_errors_callback_t callback, void *ctx) {\n char buf[ERR_ERROR_STRING_BUF_LEN];\n char buf2[1024];\n const char *file, *data;\n int line, flags;\n uint32_t packed_error;\n\n // thread_hash is the least-significant bits of the |ERR_STATE| pointer value\n // for this thread.\n const unsigned long thread_hash = (uintptr_t)err_get_state();\n\n for (;;) {\n packed_error = ERR_get_error_line_data(&file, &line, &data, &flags);\n if (packed_error == 0) {\n break;\n }\n\n ERR_error_string_n(packed_error, buf, sizeof(buf));\n snprintf(buf2, sizeof(buf2), \"%lu:%s:%s:%d:%s\\n\", thread_hash, buf, file,\n line, (flags & ERR_FLAG_STRING) ? data : \"\");\n if (callback(buf2, strlen(buf2), ctx) <= 0) {\n break;\n }\n }\n}\n\nstatic int print_errors_to_file(const char *msg, size_t msg_len, void *ctx) {\n assert(msg[msg_len] == '\\0');\n FILE *fp = reinterpret_cast(ctx);\n int res = fputs(msg, fp);\n return res < 0 ? 0 : 1;\n}\n\nvoid ERR_print_errors_fp(FILE *file) {\n ERR_print_errors_cb(print_errors_to_file, file);\n}\n\n// err_set_error_data sets the data on the most recent error.\nstatic void err_set_error_data(char *data) {\n ERR_STATE *const state = err_get_state();\n struct err_error_st *error;\n\n if (state == NULL || state->top == state->bottom) {\n free(data);\n return;\n }\n\n error = &state->errors[state->top];\n\n free(error->data);\n error->data = data;\n}\n\nvoid ERR_put_error(int library, int unused, int reason, const char *file,\n unsigned line) {\n ERR_STATE *const state = err_get_state();\n struct err_error_st *error;\n\n if (state == NULL) {\n return;\n }\n\n if (library == ERR_LIB_SYS && reason == 0) {\n#if defined(OPENSSL_WINDOWS)\n reason = GetLastError();\n#else\n reason = errno;\n#endif\n }\n\n state->top = (state->top + 1) % ERR_NUM_ERRORS;\n if (state->top == state->bottom) {\n state->bottom = (state->bottom + 1) % ERR_NUM_ERRORS;\n }\n\n error = &state->errors[state->top];\n err_clear(error);\n error->file = file;\n error->line = line;\n error->packed = ERR_PACK(library, reason);\n}\n\n// ERR_add_error_data_vdata takes a variable number of const char* pointers,\n// concatenates them and sets the result as the data on the most recent\n// error.\nstatic void err_add_error_vdata(unsigned num, va_list args) {\n size_t total_size = 0;\n const char *substr;\n char *buf;\n\n va_list args_copy;\n va_copy(args_copy, args);\n for (size_t i = 0; i < num; i++) {\n substr = va_arg(args_copy, const char *);\n if (substr == NULL) {\n continue;\n }\n size_t substr_len = strlen(substr);\n if (SIZE_MAX - total_size < substr_len) {\n return; // Would overflow.\n }\n total_size += substr_len;\n }\n va_end(args_copy);\n if (total_size == SIZE_MAX) {\n return; // Would overflow.\n }\n total_size += 1; // NUL terminator.\n if ((buf = reinterpret_cast(malloc(total_size))) == NULL) {\n return;\n }\n buf[0] = '\\0';\n for (size_t i = 0; i < num; i++) {\n substr = va_arg(args, const char *);\n if (substr == NULL) {\n continue;\n }\n if (OPENSSL_strlcat(buf, substr, total_size) >= total_size) {\n assert(0); // should not be possible.\n }\n }\n err_set_error_data(buf);\n}\n\nvoid ERR_add_error_data(unsigned count, ...) {\n va_list args;\n va_start(args, count);\n err_add_error_vdata(count, args);\n va_end(args);\n}\n\nvoid ERR_add_error_dataf(const char *format, ...) {\n char *buf = NULL;\n va_list ap;\n\n va_start(ap, format);\n if (OPENSSL_vasprintf_internal(&buf, format, ap, /*system_malloc=*/1) == -1) {\n return;\n }\n va_end(ap);\n\n err_set_error_data(buf);\n}\n\nvoid ERR_set_error_data(char *data, int flags) {\n if (!(flags & ERR_FLAG_STRING)) {\n // We do not support non-string error data.\n assert(0);\n return;\n }\n // We can not use OPENSSL_strdup because we don't want to call OPENSSL_malloc,\n // which can affect the error stack.\n char *copy = strdup_libc_malloc(data);\n if (copy != NULL) {\n err_set_error_data(copy);\n }\n if (flags & ERR_FLAG_MALLOCED) {\n // We can not take ownership of |data| directly because it is allocated with\n // |OPENSSL_malloc| and we will free it with system |free| later.\n OPENSSL_free(data);\n }\n}\n\nint ERR_set_mark(void) {\n ERR_STATE *const state = err_get_state();\n\n if (state == NULL || state->bottom == state->top) {\n return 0;\n }\n state->errors[state->top].mark = 1;\n return 1;\n}\n\nint ERR_pop_to_mark(void) {\n ERR_STATE *const state = err_get_state();\n\n if (state == NULL) {\n return 0;\n }\n\n while (state->bottom != state->top) {\n struct err_error_st *error = &state->errors[state->top];\n\n if (error->mark) {\n error->mark = 0;\n return 1;\n }\n\n err_clear(error);\n if (state->top == 0) {\n state->top = ERR_NUM_ERRORS - 1;\n } else {\n state->top--;\n }\n }\n\n return 0;\n}\n\nvoid ERR_load_crypto_strings(void) {}\n\nvoid ERR_free_strings(void) {}\n\nvoid ERR_load_BIO_strings(void) {}\n\nvoid ERR_load_ERR_strings(void) {}\n\nvoid ERR_load_RAND_strings(void) {}\n\nstruct err_save_state_st {\n struct err_error_st *errors;\n size_t num_errors;\n};\n\nvoid ERR_SAVE_STATE_free(ERR_SAVE_STATE *state) {\n if (state == NULL) {\n return;\n }\n for (size_t i = 0; i < state->num_errors; i++) {\n err_clear(&state->errors[i]);\n }\n free(state->errors);\n free(state);\n}\n\nERR_SAVE_STATE *ERR_save_state(void) {\n ERR_STATE *const state = err_get_state();\n if (state == NULL || state->top == state->bottom) {\n return NULL;\n }\n\n ERR_SAVE_STATE *ret =\n reinterpret_cast(malloc(sizeof(ERR_SAVE_STATE)));\n if (ret == NULL) {\n return NULL;\n }\n\n // Errors are stored in the range (bottom, top].\n size_t num_errors = state->top >= state->bottom\n ? state->top - state->bottom\n : ERR_NUM_ERRORS + state->top - state->bottom;\n assert(num_errors < ERR_NUM_ERRORS);\n ret->errors = reinterpret_cast(\n malloc(num_errors * sizeof(struct err_error_st)));\n if (ret->errors == NULL) {\n free(ret);\n return NULL;\n }\n OPENSSL_memset(ret->errors, 0, num_errors * sizeof(struct err_error_st));\n ret->num_errors = num_errors;\n\n for (size_t i = 0; i < num_errors; i++) {\n size_t j = (state->bottom + i + 1) % ERR_NUM_ERRORS;\n err_copy(&ret->errors[i], &state->errors[j]);\n }\n return ret;\n}\n\nvoid ERR_restore_state(const ERR_SAVE_STATE *state) {\n if (state == NULL || state->num_errors == 0) {\n ERR_clear_error();\n return;\n }\n\n if (state->num_errors >= ERR_NUM_ERRORS) {\n abort();\n }\n\n ERR_STATE *const dst = err_get_state();\n if (dst == NULL) {\n return;\n }\n\n for (size_t i = 0; i < state->num_errors; i++) {\n err_copy(&dst->errors[i], &state->errors[i]);\n }\n dst->top = (unsigned)(state->num_errors - 1);\n dst->bottom = ERR_NUM_ERRORS - 1;\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/err/internal.h", "content": "/* Copyright 2017 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n#ifndef OPENSSL_HEADER_CRYPTO_ERR_INTERNAL_H\n#define OPENSSL_HEADER_CRYPTO_ERR_INTERNAL_H\n\n#include \n\n#if defined(__cplusplus)\nextern \"C\" {\n#endif\n\n\n// Private error queue functions.\n\n// ERR_SAVE_STATE contains a saved representation of the error queue. It is\n// slightly more compact than |ERR_STATE| as the error queue will typically not\n// contain |ERR_NUM_ERRORS| entries.\ntypedef struct err_save_state_st ERR_SAVE_STATE;\n\n// ERR_SAVE_STATE_free releases all memory associated with |state|.\nOPENSSL_EXPORT void ERR_SAVE_STATE_free(ERR_SAVE_STATE *state);\n\n// ERR_save_state returns a newly-allocated |ERR_SAVE_STATE| structure\n// containing the current state of the error queue or NULL on allocation\n// error. It should be released with |ERR_SAVE_STATE_free|.\nOPENSSL_EXPORT ERR_SAVE_STATE *ERR_save_state(void);\n\n// ERR_restore_state clears the error queue and replaces it with |state|.\nOPENSSL_EXPORT void ERR_restore_state(const ERR_SAVE_STATE *state);\n\n\n#if defined(__cplusplus)\n} // extern C\n\nextern \"C++\" {\n\nBSSL_NAMESPACE_BEGIN\n\nBORINGSSL_MAKE_DELETER(ERR_SAVE_STATE, ERR_SAVE_STATE_free)\n\nBSSL_NAMESPACE_END\n\n} // extern C++\n#endif\n\n#endif // OPENSSL_HEADER_CRYPTO_ERR_INTERNAL_H\n" }, { "path": "Sources/CNIOBoringSSL/crypto/evp/evp.cc", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n#include \n\n#include \n#include \n#include \n#include \n\n#include \"../internal.h\"\n#include \"internal.h\"\n\n\n// Node depends on |EVP_R_NOT_XOF_OR_INVALID_LENGTH|.\n//\n// TODO(davidben): Fix Node to not touch the error queue itself and remove this.\nOPENSSL_DECLARE_ERROR_REASON(EVP, NOT_XOF_OR_INVALID_LENGTH)\n\n// The HPKE module uses the EVP error namespace, but it lives in another\n// directory.\nOPENSSL_DECLARE_ERROR_REASON(EVP, EMPTY_PSK)\n\nEVP_PKEY *EVP_PKEY_new(void) {\n EVP_PKEY *ret =\n reinterpret_cast(OPENSSL_zalloc(sizeof(EVP_PKEY)));\n if (ret == NULL) {\n return NULL;\n }\n\n ret->type = EVP_PKEY_NONE;\n ret->references = 1;\n return ret;\n}\n\nstatic void free_it(EVP_PKEY *pkey) {\n if (pkey->ameth && pkey->ameth->pkey_free) {\n pkey->ameth->pkey_free(pkey);\n pkey->pkey = NULL;\n pkey->type = EVP_PKEY_NONE;\n }\n}\n\nvoid EVP_PKEY_free(EVP_PKEY *pkey) {\n if (pkey == NULL) {\n return;\n }\n\n if (!CRYPTO_refcount_dec_and_test_zero(&pkey->references)) {\n return;\n }\n\n free_it(pkey);\n OPENSSL_free(pkey);\n}\n\nint EVP_PKEY_up_ref(EVP_PKEY *pkey) {\n CRYPTO_refcount_inc(&pkey->references);\n return 1;\n}\n\nint EVP_PKEY_is_opaque(const EVP_PKEY *pkey) {\n if (pkey->ameth && pkey->ameth->pkey_opaque) {\n return pkey->ameth->pkey_opaque(pkey);\n }\n return 0;\n}\n\nint EVP_PKEY_cmp(const EVP_PKEY *a, const EVP_PKEY *b) {\n if (a->type != b->type) {\n return -1;\n }\n\n if (a->ameth) {\n int ret;\n // Compare parameters if the algorithm has them\n if (a->ameth->param_cmp) {\n ret = a->ameth->param_cmp(a, b);\n if (ret <= 0) {\n return ret;\n }\n }\n\n if (a->ameth->pub_cmp) {\n return a->ameth->pub_cmp(a, b);\n }\n }\n\n return -2;\n}\n\nint EVP_PKEY_copy_parameters(EVP_PKEY *to, const EVP_PKEY *from) {\n if (to->type == EVP_PKEY_NONE) {\n evp_pkey_set_method(to, from->ameth);\n } else if (to->type != from->type) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_DIFFERENT_KEY_TYPES);\n return 0;\n }\n\n if (EVP_PKEY_missing_parameters(from)) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_MISSING_PARAMETERS);\n return 0;\n }\n\n // Once set, parameters may not change.\n if (!EVP_PKEY_missing_parameters(to)) {\n if (EVP_PKEY_cmp_parameters(to, from) == 1) {\n return 1;\n }\n OPENSSL_PUT_ERROR(EVP, EVP_R_DIFFERENT_PARAMETERS);\n return 0;\n }\n\n if (from->ameth && from->ameth->param_copy) {\n return from->ameth->param_copy(to, from);\n }\n\n // TODO(https://crbug.com/boringssl/536): If the algorithm takes no\n // parameters, copying them should vacuously succeed.\n return 0;\n}\n\nint EVP_PKEY_missing_parameters(const EVP_PKEY *pkey) {\n if (pkey->ameth && pkey->ameth->param_missing) {\n return pkey->ameth->param_missing(pkey);\n }\n return 0;\n}\n\nint EVP_PKEY_size(const EVP_PKEY *pkey) {\n if (pkey && pkey->ameth && pkey->ameth->pkey_size) {\n return pkey->ameth->pkey_size(pkey);\n }\n return 0;\n}\n\nint EVP_PKEY_bits(const EVP_PKEY *pkey) {\n if (pkey && pkey->ameth && pkey->ameth->pkey_bits) {\n return pkey->ameth->pkey_bits(pkey);\n }\n return 0;\n}\n\nint EVP_PKEY_id(const EVP_PKEY *pkey) { return pkey->type; }\n\n// evp_pkey_asn1_find returns the ASN.1 method table for the given |nid|, which\n// should be one of the |EVP_PKEY_*| values. It returns NULL if |nid| is\n// unknown.\nstatic const EVP_PKEY_ASN1_METHOD *evp_pkey_asn1_find(int nid) {\n switch (nid) {\n case EVP_PKEY_RSA:\n return &rsa_asn1_meth;\n case EVP_PKEY_EC:\n return &ec_asn1_meth;\n case EVP_PKEY_DSA:\n return &dsa_asn1_meth;\n case EVP_PKEY_ED25519:\n return &ed25519_asn1_meth;\n case EVP_PKEY_X25519:\n return &x25519_asn1_meth;\n default:\n return NULL;\n }\n}\n\nvoid evp_pkey_set_method(EVP_PKEY *pkey, const EVP_PKEY_ASN1_METHOD *method) {\n free_it(pkey);\n pkey->ameth = method;\n pkey->type = pkey->ameth->pkey_id;\n}\n\nint EVP_PKEY_type(int nid) {\n // In OpenSSL, this was used to map between type aliases. BoringSSL supports\n // no type aliases, so this function is just the identity.\n return nid;\n}\n\nint EVP_PKEY_assign(EVP_PKEY *pkey, int type, void *key) {\n // This function can only be used to assign RSA, DSA, EC, and DH keys. Other\n // key types have internal representations which are not exposed through the\n // public API.\n switch (type) {\n case EVP_PKEY_RSA:\n return EVP_PKEY_assign_RSA(pkey, reinterpret_cast(key));\n case EVP_PKEY_DSA:\n return EVP_PKEY_assign_DSA(pkey, reinterpret_cast(key));\n case EVP_PKEY_EC:\n return EVP_PKEY_assign_EC_KEY(pkey, reinterpret_cast(key));\n case EVP_PKEY_DH:\n return EVP_PKEY_assign_DH(pkey, reinterpret_cast(key));\n }\n\n OPENSSL_PUT_ERROR(EVP, EVP_R_UNSUPPORTED_ALGORITHM);\n ERR_add_error_dataf(\"algorithm %d\", type);\n return 0;\n}\n\nint EVP_PKEY_set_type(EVP_PKEY *pkey, int type) {\n if (pkey && pkey->pkey) {\n // This isn't strictly necessary, but historically |EVP_PKEY_set_type| would\n // clear |pkey| even if |evp_pkey_asn1_find| failed, so we preserve that\n // behavior.\n free_it(pkey);\n }\n\n const EVP_PKEY_ASN1_METHOD *ameth = evp_pkey_asn1_find(type);\n if (ameth == NULL) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_UNSUPPORTED_ALGORITHM);\n ERR_add_error_dataf(\"algorithm %d\", type);\n return 0;\n }\n\n if (pkey) {\n evp_pkey_set_method(pkey, ameth);\n }\n\n return 1;\n}\n\nEVP_PKEY *EVP_PKEY_new_raw_private_key(int type, ENGINE *unused,\n const uint8_t *in, size_t len) {\n // To avoid pulling in all key types, look for specifically the key types that\n // support |set_priv_raw|.\n const EVP_PKEY_ASN1_METHOD *method;\n switch (type) {\n case EVP_PKEY_X25519:\n method = &x25519_asn1_meth;\n break;\n case EVP_PKEY_ED25519:\n method = &ed25519_asn1_meth;\n break;\n default:\n OPENSSL_PUT_ERROR(EVP, EVP_R_UNSUPPORTED_ALGORITHM);\n return nullptr;\n }\n\n bssl::UniquePtr ret(EVP_PKEY_new());\n if (ret == nullptr) {\n return nullptr;\n }\n evp_pkey_set_method(ret.get(), method);\n\n if (!ret->ameth->set_priv_raw(ret.get(), in, len)) {\n return nullptr;\n }\n\n return ret.release();\n}\n\nEVP_PKEY *EVP_PKEY_new_raw_public_key(int type, ENGINE *unused,\n const uint8_t *in, size_t len) {\n // To avoid pulling in all key types, look for specifically the key types that\n // support |set_pub_raw|.\n const EVP_PKEY_ASN1_METHOD *method;\n switch (type) {\n case EVP_PKEY_X25519:\n method = &x25519_asn1_meth;\n break;\n case EVP_PKEY_ED25519:\n method = &ed25519_asn1_meth;\n break;\n default:\n OPENSSL_PUT_ERROR(EVP, EVP_R_UNSUPPORTED_ALGORITHM);\n return nullptr;\n }\n\n bssl::UniquePtr ret(EVP_PKEY_new());\n if (ret == nullptr) {\n return nullptr;\n }\n evp_pkey_set_method(ret.get(), method);\n\n if (!ret->ameth->set_pub_raw(ret.get(), in, len)) {\n return nullptr;\n }\n\n return ret.release();\n}\n\nint EVP_PKEY_get_raw_private_key(const EVP_PKEY *pkey, uint8_t *out,\n size_t *out_len) {\n if (pkey->ameth->get_priv_raw == NULL) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE);\n return 0;\n }\n\n return pkey->ameth->get_priv_raw(pkey, out, out_len);\n}\n\nint EVP_PKEY_get_raw_public_key(const EVP_PKEY *pkey, uint8_t *out,\n size_t *out_len) {\n if (pkey->ameth->get_pub_raw == NULL) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE);\n return 0;\n }\n\n return pkey->ameth->get_pub_raw(pkey, out, out_len);\n}\n\nint EVP_PKEY_cmp_parameters(const EVP_PKEY *a, const EVP_PKEY *b) {\n if (a->type != b->type) {\n return -1;\n }\n if (a->ameth && a->ameth->param_cmp) {\n return a->ameth->param_cmp(a, b);\n }\n // TODO(https://crbug.com/boringssl/536): If the algorithm doesn't use\n // parameters, they should compare as vacuously equal.\n return -2;\n}\n\nint EVP_PKEY_CTX_set_signature_md(EVP_PKEY_CTX *ctx, const EVP_MD *md) {\n return EVP_PKEY_CTX_ctrl(ctx, -1, EVP_PKEY_OP_TYPE_SIG, EVP_PKEY_CTRL_MD, 0,\n (void *)md);\n}\n\nint EVP_PKEY_CTX_get_signature_md(EVP_PKEY_CTX *ctx, const EVP_MD **out_md) {\n return EVP_PKEY_CTX_ctrl(ctx, -1, EVP_PKEY_OP_TYPE_SIG, EVP_PKEY_CTRL_GET_MD,\n 0, (void *)out_md);\n}\n\nvoid *EVP_PKEY_get0(const EVP_PKEY *pkey) {\n // Node references, but never calls this function, so for now we return NULL.\n // If other projects require complete support, call |EVP_PKEY_get0_RSA|, etc.,\n // rather than reading |pkey->pkey| directly. This avoids problems if our\n // internal representation does not match the type the caller expects from\n // OpenSSL.\n return NULL;\n}\n\nvoid OpenSSL_add_all_algorithms(void) {}\n\nvoid OPENSSL_add_all_algorithms_conf(void) {}\n\nvoid OpenSSL_add_all_ciphers(void) {}\n\nvoid OpenSSL_add_all_digests(void) {}\n\nvoid EVP_cleanup(void) {}\n\nint EVP_PKEY_set1_tls_encodedpoint(EVP_PKEY *pkey, const uint8_t *in,\n size_t len) {\n if (pkey->ameth->set1_tls_encodedpoint == NULL) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE);\n return 0;\n }\n\n return pkey->ameth->set1_tls_encodedpoint(pkey, in, len);\n}\n\nsize_t EVP_PKEY_get1_tls_encodedpoint(const EVP_PKEY *pkey, uint8_t **out_ptr) {\n if (pkey->ameth->get1_tls_encodedpoint == NULL) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE);\n return 0;\n }\n\n return pkey->ameth->get1_tls_encodedpoint(pkey, out_ptr);\n}\n\nint EVP_PKEY_base_id(const EVP_PKEY *pkey) {\n // OpenSSL has two notions of key type because it supports multiple OIDs for\n // the same algorithm: NID_rsa vs NID_rsaEncryption and five distinct spelling\n // of DSA. We do not support these, so the base ID is simply the ID.\n return EVP_PKEY_id(pkey);\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/evp/evp_asn1.cc", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n\n#include \n#include \n#include \n#include \n#include \n\n#include \"internal.h\"\n#include \"../bytestring/internal.h\"\n#include \"../internal.h\"\n\n\n// We intentionally omit |dh_asn1_meth| from this list. It is not serializable.\nstatic const EVP_PKEY_ASN1_METHOD *const kASN1Methods[] = {\n &rsa_asn1_meth,\n &ec_asn1_meth,\n &dsa_asn1_meth,\n &ed25519_asn1_meth,\n &x25519_asn1_meth,\n};\n\nstatic const EVP_PKEY_ASN1_METHOD *parse_key_type(CBS *cbs) {\n CBS oid;\n if (!CBS_get_asn1(cbs, &oid, CBS_ASN1_OBJECT)) {\n return NULL;\n }\n\n for (unsigned i = 0; i < OPENSSL_ARRAY_SIZE(kASN1Methods); i++) {\n const EVP_PKEY_ASN1_METHOD *method = kASN1Methods[i];\n if (CBS_len(&oid) == method->oid_len &&\n OPENSSL_memcmp(CBS_data(&oid), method->oid, method->oid_len) == 0) {\n return method;\n }\n }\n\n return NULL;\n}\n\nEVP_PKEY *EVP_parse_public_key(CBS *cbs) {\n // Parse the SubjectPublicKeyInfo.\n CBS spki, algorithm, key;\n uint8_t padding;\n if (!CBS_get_asn1(cbs, &spki, CBS_ASN1_SEQUENCE) ||\n !CBS_get_asn1(&spki, &algorithm, CBS_ASN1_SEQUENCE) ||\n !CBS_get_asn1(&spki, &key, CBS_ASN1_BITSTRING) ||\n CBS_len(&spki) != 0) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_DECODE_ERROR);\n return nullptr;\n }\n const EVP_PKEY_ASN1_METHOD *method = parse_key_type(&algorithm);\n if (method == nullptr) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_UNSUPPORTED_ALGORITHM);\n return nullptr;\n }\n if (// Every key type defined encodes the key as a byte string with the same\n // conversion to BIT STRING.\n !CBS_get_u8(&key, &padding) ||\n padding != 0) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_DECODE_ERROR);\n return nullptr;\n }\n\n // Set up an |EVP_PKEY| of the appropriate type.\n bssl::UniquePtr ret(EVP_PKEY_new());\n if (ret == nullptr) {\n return nullptr;\n }\n evp_pkey_set_method(ret.get(), method);\n\n // Call into the type-specific SPKI decoding function.\n if (ret->ameth->pub_decode == nullptr) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_UNSUPPORTED_ALGORITHM);\n return nullptr;\n }\n if (!ret->ameth->pub_decode(ret.get(), &algorithm, &key)) {\n return nullptr;\n }\n\n return ret.release();\n}\n\nint EVP_marshal_public_key(CBB *cbb, const EVP_PKEY *key) {\n if (key->ameth == NULL || key->ameth->pub_encode == NULL) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_UNSUPPORTED_ALGORITHM);\n return 0;\n }\n\n return key->ameth->pub_encode(cbb, key);\n}\n\nEVP_PKEY *EVP_parse_private_key(CBS *cbs) {\n // Parse the PrivateKeyInfo.\n CBS pkcs8, algorithm, key;\n uint64_t version;\n if (!CBS_get_asn1(cbs, &pkcs8, CBS_ASN1_SEQUENCE) ||\n !CBS_get_asn1_uint64(&pkcs8, &version) ||\n version != 0 ||\n !CBS_get_asn1(&pkcs8, &algorithm, CBS_ASN1_SEQUENCE) ||\n !CBS_get_asn1(&pkcs8, &key, CBS_ASN1_OCTETSTRING)) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_DECODE_ERROR);\n return nullptr;\n }\n const EVP_PKEY_ASN1_METHOD *method = parse_key_type(&algorithm);\n if (method == nullptr) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_UNSUPPORTED_ALGORITHM);\n return nullptr;\n }\n\n // A PrivateKeyInfo ends with a SET of Attributes which we ignore.\n\n // Set up an |EVP_PKEY| of the appropriate type.\n bssl::UniquePtr ret(EVP_PKEY_new());\n if (ret == nullptr) {\n return nullptr;\n }\n evp_pkey_set_method(ret.get(), method);\n\n // Call into the type-specific PrivateKeyInfo decoding function.\n if (ret->ameth->priv_decode == nullptr) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_UNSUPPORTED_ALGORITHM);\n return nullptr;\n }\n if (!ret->ameth->priv_decode(ret.get(), &algorithm, &key)) {\n return nullptr;\n }\n\n return ret.release();\n}\n\nint EVP_marshal_private_key(CBB *cbb, const EVP_PKEY *key) {\n if (key->ameth == NULL || key->ameth->priv_encode == NULL) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_UNSUPPORTED_ALGORITHM);\n return 0;\n }\n\n return key->ameth->priv_encode(cbb, key);\n}\n\nstatic bssl::UniquePtr old_priv_decode(CBS *cbs, int type) {\n bssl::UniquePtr ret(EVP_PKEY_new());\n if (ret == nullptr) {\n return nullptr;\n }\n\n switch (type) {\n case EVP_PKEY_EC: {\n bssl::UniquePtr ec_key(EC_KEY_parse_private_key(cbs, nullptr));\n if (ec_key == nullptr) {\n return nullptr;\n }\n EVP_PKEY_assign_EC_KEY(ret.get(), ec_key.release());\n return ret;\n }\n case EVP_PKEY_DSA: {\n bssl::UniquePtr dsa(DSA_parse_private_key(cbs));\n if (dsa == nullptr) {\n return nullptr;\n }\n EVP_PKEY_assign_DSA(ret.get(), dsa.release());\n return ret;\n }\n case EVP_PKEY_RSA: {\n bssl::UniquePtr rsa(RSA_parse_private_key(cbs));\n if (rsa == nullptr) {\n return nullptr;\n }\n EVP_PKEY_assign_RSA(ret.get(), rsa.release());\n return ret;\n }\n default:\n OPENSSL_PUT_ERROR(EVP, EVP_R_UNKNOWN_PUBLIC_KEY_TYPE);\n return nullptr;\n }\n}\n\nEVP_PKEY *d2i_PrivateKey(int type, EVP_PKEY **out, const uint8_t **inp,\n long len) {\n if (len < 0) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_DECODE_ERROR);\n return nullptr;\n }\n\n // Parse with the legacy format.\n CBS cbs;\n CBS_init(&cbs, *inp, (size_t)len);\n bssl::UniquePtr ret = old_priv_decode(&cbs, type);\n if (ret == nullptr) {\n // Try again with PKCS#8.\n ERR_clear_error();\n CBS_init(&cbs, *inp, (size_t)len);\n ret.reset(EVP_parse_private_key(&cbs));\n if (ret == nullptr) {\n return nullptr;\n }\n if (ret->type != type) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_DIFFERENT_KEY_TYPES);\n return nullptr;\n }\n }\n\n if (out != nullptr) {\n EVP_PKEY_free(*out);\n *out = ret.get();\n }\n *inp = CBS_data(&cbs);\n return ret.release();\n}\n\n// num_elements parses one SEQUENCE from |in| and returns the number of elements\n// in it. On parse error, it returns zero.\nstatic size_t num_elements(const uint8_t *in, size_t in_len) {\n CBS cbs, sequence;\n CBS_init(&cbs, in, (size_t)in_len);\n\n if (!CBS_get_asn1(&cbs, &sequence, CBS_ASN1_SEQUENCE)) {\n return 0;\n }\n\n size_t count = 0;\n while (CBS_len(&sequence) > 0) {\n if (!CBS_get_any_asn1_element(&sequence, NULL, NULL, NULL)) {\n return 0;\n }\n\n count++;\n }\n\n return count;\n}\n\nEVP_PKEY *d2i_AutoPrivateKey(EVP_PKEY **out, const uint8_t **inp, long len) {\n if (len < 0) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_DECODE_ERROR);\n return NULL;\n }\n\n // Parse the input as a PKCS#8 PrivateKeyInfo.\n CBS cbs;\n CBS_init(&cbs, *inp, (size_t)len);\n EVP_PKEY *ret = EVP_parse_private_key(&cbs);\n if (ret != NULL) {\n if (out != NULL) {\n EVP_PKEY_free(*out);\n *out = ret;\n }\n *inp = CBS_data(&cbs);\n return ret;\n }\n ERR_clear_error();\n\n // Count the elements to determine the legacy key format.\n switch (num_elements(*inp, (size_t)len)) {\n case 4:\n return d2i_PrivateKey(EVP_PKEY_EC, out, inp, len);\n\n case 6:\n return d2i_PrivateKey(EVP_PKEY_DSA, out, inp, len);\n\n default:\n return d2i_PrivateKey(EVP_PKEY_RSA, out, inp, len);\n }\n}\n\nint i2d_PublicKey(const EVP_PKEY *key, uint8_t **outp) {\n switch (key->type) {\n case EVP_PKEY_RSA:\n return i2d_RSAPublicKey(EVP_PKEY_get0_RSA(key), outp);\n case EVP_PKEY_DSA:\n return i2d_DSAPublicKey(EVP_PKEY_get0_DSA(key), outp);\n case EVP_PKEY_EC:\n return i2o_ECPublicKey(EVP_PKEY_get0_EC_KEY(key), outp);\n default:\n OPENSSL_PUT_ERROR(EVP, EVP_R_UNSUPPORTED_PUBLIC_KEY_TYPE);\n return -1;\n }\n}\n\nEVP_PKEY *d2i_PublicKey(int type, EVP_PKEY **out, const uint8_t **inp,\n long len) {\n bssl::UniquePtr ret(EVP_PKEY_new());\n if (ret == nullptr) {\n return nullptr;\n }\n\n CBS cbs;\n CBS_init(&cbs, *inp, len < 0 ? 0 : (size_t)len);\n switch (type) {\n case EVP_PKEY_RSA: {\n bssl::UniquePtr rsa(RSA_parse_public_key(&cbs));\n if (rsa == nullptr) {\n return nullptr;\n }\n EVP_PKEY_assign_RSA(ret.get(), rsa.release());\n break;\n }\n\n // Unlike OpenSSL, we do not support EC keys with this API. The raw EC\n // public key serialization requires knowing the group. In OpenSSL, calling\n // this function with |EVP_PKEY_EC| and setting |out| to nullptr does not\n // work. It requires |*out| to include a partially-initialized |EVP_PKEY| to\n // extract the group.\n default:\n OPENSSL_PUT_ERROR(EVP, EVP_R_UNSUPPORTED_PUBLIC_KEY_TYPE);\n return nullptr;\n }\n\n *inp = CBS_data(&cbs);\n if (out != nullptr) {\n EVP_PKEY_free(*out);\n *out = ret.get();\n }\n return ret.release();\n}\n\nEVP_PKEY *d2i_PUBKEY(EVP_PKEY **out, const uint8_t **inp, long len) {\n if (len < 0) {\n return nullptr;\n }\n CBS cbs;\n CBS_init(&cbs, *inp, (size_t)len);\n bssl::UniquePtr ret(EVP_parse_public_key(&cbs));\n if (ret == nullptr) {\n return nullptr;\n }\n if (out != nullptr) {\n EVP_PKEY_free(*out);\n *out = ret.get();\n }\n *inp = CBS_data(&cbs);\n return ret.release();\n}\n\nint i2d_PUBKEY(const EVP_PKEY *pkey, uint8_t **outp) {\n if (pkey == NULL) {\n return 0;\n }\n\n CBB cbb;\n if (!CBB_init(&cbb, 128) ||\n !EVP_marshal_public_key(&cbb, pkey)) {\n CBB_cleanup(&cbb);\n return -1;\n }\n return CBB_finish_i2d(&cbb, outp);\n}\n\nRSA *d2i_RSA_PUBKEY(RSA **out, const uint8_t **inp, long len) {\n if (len < 0) {\n return nullptr;\n }\n CBS cbs;\n CBS_init(&cbs, *inp, (size_t)len);\n bssl::UniquePtr pkey(EVP_parse_public_key(&cbs));\n if (pkey == nullptr) {\n return nullptr;\n }\n bssl::UniquePtr rsa(EVP_PKEY_get1_RSA(pkey.get()));\n if (rsa == nullptr) {\n return nullptr;\n }\n if (out != nullptr) {\n RSA_free(*out);\n *out = rsa.get();\n }\n *inp = CBS_data(&cbs);\n return rsa.release();\n}\n\nint i2d_RSA_PUBKEY(const RSA *rsa, uint8_t **outp) {\n if (rsa == nullptr) {\n return 0;\n }\n\n bssl::UniquePtr pkey(EVP_PKEY_new());\n if (pkey == nullptr ||\n !EVP_PKEY_set1_RSA(pkey.get(), const_cast(rsa))) {\n return -1;\n }\n\n return i2d_PUBKEY(pkey.get(), outp);\n}\n\nDSA *d2i_DSA_PUBKEY(DSA **out, const uint8_t **inp, long len) {\n if (len < 0) {\n return nullptr;\n }\n CBS cbs;\n CBS_init(&cbs, *inp, (size_t)len);\n bssl::UniquePtr pkey(EVP_parse_public_key(&cbs));\n if (pkey == nullptr) {\n return nullptr;\n }\n bssl::UniquePtr dsa(EVP_PKEY_get1_DSA(pkey.get()));\n if (dsa == nullptr) {\n return nullptr;\n }\n if (out != nullptr) {\n DSA_free(*out);\n *out = dsa.get();\n }\n *inp = CBS_data(&cbs);\n return dsa.release();\n}\n\nint i2d_DSA_PUBKEY(const DSA *dsa, uint8_t **outp) {\n if (dsa == nullptr) {\n return 0;\n }\n\n bssl::UniquePtr pkey(EVP_PKEY_new());\n if (pkey == nullptr ||\n !EVP_PKEY_set1_DSA(pkey.get(), const_cast(dsa))) {\n return -1;\n }\n\n return i2d_PUBKEY(pkey.get(), outp);\n}\n\nEC_KEY *d2i_EC_PUBKEY(EC_KEY **out, const uint8_t **inp, long len) {\n if (len < 0) {\n return NULL;\n }\n CBS cbs;\n CBS_init(&cbs, *inp, (size_t)len);\n EVP_PKEY *pkey = EVP_parse_public_key(&cbs);\n if (pkey == NULL) {\n return NULL;\n }\n EC_KEY *ec_key = EVP_PKEY_get1_EC_KEY(pkey);\n EVP_PKEY_free(pkey);\n if (ec_key == NULL) {\n return NULL;\n }\n if (out != NULL) {\n EC_KEY_free(*out);\n *out = ec_key;\n }\n *inp = CBS_data(&cbs);\n return ec_key;\n}\n\nint i2d_EC_PUBKEY(const EC_KEY *ec_key, uint8_t **outp) {\n if (ec_key == NULL) {\n return 0;\n }\n\n bssl::UniquePtr pkey(EVP_PKEY_new());\n if (pkey == nullptr ||\n !EVP_PKEY_set1_EC_KEY(pkey.get(), const_cast(ec_key))) {\n return -1;\n }\n\n return i2d_PUBKEY(pkey.get(), outp);\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/evp/evp_ctx.cc", "content": "/*\n * Copyright 2006-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n\n#include \n#include \n#include \n\n#include \"../internal.h\"\n#include \"internal.h\"\n\n\nstatic const EVP_PKEY_METHOD *const evp_methods[] = {\n &rsa_pkey_meth, &ec_pkey_meth, &ed25519_pkey_meth,\n &x25519_pkey_meth, &hkdf_pkey_meth,\n};\n\nstatic const EVP_PKEY_METHOD *evp_pkey_meth_find(int type) {\n for (size_t i = 0; i < sizeof(evp_methods) / sizeof(EVP_PKEY_METHOD *); i++) {\n if (evp_methods[i]->pkey_id == type) {\n return evp_methods[i];\n }\n }\n\n return NULL;\n}\n\nstatic EVP_PKEY_CTX *evp_pkey_ctx_new(EVP_PKEY *pkey, ENGINE *e,\n const EVP_PKEY_METHOD *pmeth) {\n EVP_PKEY_CTX *ret =\n reinterpret_cast(OPENSSL_zalloc(sizeof(EVP_PKEY_CTX)));\n if (!ret) {\n return NULL;\n }\n\n ret->engine = e;\n ret->pmeth = pmeth;\n ret->operation = EVP_PKEY_OP_UNDEFINED;\n\n if (pkey) {\n EVP_PKEY_up_ref(pkey);\n ret->pkey = pkey;\n }\n\n if (pmeth->init) {\n if (pmeth->init(ret) <= 0) {\n EVP_PKEY_free(ret->pkey);\n OPENSSL_free(ret);\n return NULL;\n }\n }\n\n return ret;\n}\n\nEVP_PKEY_CTX *EVP_PKEY_CTX_new(EVP_PKEY *pkey, ENGINE *e) {\n if (pkey == NULL || pkey->ameth == NULL) {\n OPENSSL_PUT_ERROR(EVP, ERR_R_PASSED_NULL_PARAMETER);\n return NULL;\n }\n\n const EVP_PKEY_METHOD *pkey_method = pkey->ameth->pkey_method;\n if (pkey_method == NULL) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_UNSUPPORTED_ALGORITHM);\n ERR_add_error_dataf(\"algorithm %d\", pkey->ameth->pkey_id);\n return NULL;\n }\n\n return evp_pkey_ctx_new(pkey, e, pkey_method);\n}\n\nEVP_PKEY_CTX *EVP_PKEY_CTX_new_id(int id, ENGINE *e) {\n const EVP_PKEY_METHOD *pkey_method = evp_pkey_meth_find(id);\n if (pkey_method == NULL) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_UNSUPPORTED_ALGORITHM);\n ERR_add_error_dataf(\"algorithm %d\", id);\n return NULL;\n }\n\n return evp_pkey_ctx_new(NULL, e, pkey_method);\n}\n\nvoid EVP_PKEY_CTX_free(EVP_PKEY_CTX *ctx) {\n if (ctx == NULL) {\n return;\n }\n if (ctx->pmeth && ctx->pmeth->cleanup) {\n ctx->pmeth->cleanup(ctx);\n }\n EVP_PKEY_free(ctx->pkey);\n EVP_PKEY_free(ctx->peerkey);\n OPENSSL_free(ctx);\n}\n\nEVP_PKEY_CTX *EVP_PKEY_CTX_dup(EVP_PKEY_CTX *ctx) {\n if (!ctx->pmeth || !ctx->pmeth->copy) {\n return NULL;\n }\n\n EVP_PKEY_CTX *ret =\n reinterpret_cast(OPENSSL_zalloc(sizeof(EVP_PKEY_CTX)));\n if (!ret) {\n return NULL;\n }\n\n ret->pmeth = ctx->pmeth;\n ret->engine = ctx->engine;\n ret->operation = ctx->operation;\n\n if (ctx->pkey != NULL) {\n EVP_PKEY_up_ref(ctx->pkey);\n ret->pkey = ctx->pkey;\n }\n\n if (ctx->peerkey != NULL) {\n EVP_PKEY_up_ref(ctx->peerkey);\n ret->peerkey = ctx->peerkey;\n }\n\n if (ctx->pmeth->copy(ret, ctx) <= 0) {\n ret->pmeth = NULL;\n EVP_PKEY_CTX_free(ret);\n OPENSSL_PUT_ERROR(EVP, ERR_LIB_EVP);\n return NULL;\n }\n\n return ret;\n}\n\nEVP_PKEY *EVP_PKEY_CTX_get0_pkey(EVP_PKEY_CTX *ctx) { return ctx->pkey; }\n\nint EVP_PKEY_CTX_ctrl(EVP_PKEY_CTX *ctx, int keytype, int optype, int cmd,\n int p1, void *p2) {\n if (!ctx || !ctx->pmeth || !ctx->pmeth->ctrl) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_COMMAND_NOT_SUPPORTED);\n return 0;\n }\n if (keytype != -1 && ctx->pmeth->pkey_id != keytype) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE);\n return 0;\n }\n\n if (ctx->operation == EVP_PKEY_OP_UNDEFINED) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_NO_OPERATION_SET);\n return 0;\n }\n\n if (optype != -1 && !(ctx->operation & optype)) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_OPERATION);\n return 0;\n }\n\n return ctx->pmeth->ctrl(ctx, cmd, p1, p2);\n}\n\nint EVP_PKEY_sign_init(EVP_PKEY_CTX *ctx) {\n if (ctx == NULL || ctx->pmeth == NULL ||\n (ctx->pmeth->sign == NULL && ctx->pmeth->sign_message == NULL)) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE);\n return 0;\n }\n\n ctx->operation = EVP_PKEY_OP_SIGN;\n return 1;\n}\n\nint EVP_PKEY_sign(EVP_PKEY_CTX *ctx, uint8_t *sig, size_t *sig_len,\n const uint8_t *digest, size_t digest_len) {\n if (!ctx || !ctx->pmeth || !ctx->pmeth->sign) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE);\n return 0;\n }\n if (ctx->operation != EVP_PKEY_OP_SIGN) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_OPERATON_NOT_INITIALIZED);\n return 0;\n }\n return ctx->pmeth->sign(ctx, sig, sig_len, digest, digest_len);\n}\n\nint EVP_PKEY_verify_init(EVP_PKEY_CTX *ctx) {\n if (ctx == NULL || ctx->pmeth == NULL ||\n (ctx->pmeth->verify == NULL && ctx->pmeth->verify_message == NULL)) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE);\n return 0;\n }\n ctx->operation = EVP_PKEY_OP_VERIFY;\n return 1;\n}\n\nint EVP_PKEY_verify(EVP_PKEY_CTX *ctx, const uint8_t *sig, size_t sig_len,\n const uint8_t *digest, size_t digest_len) {\n if (!ctx || !ctx->pmeth || !ctx->pmeth->verify) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE);\n return 0;\n }\n if (ctx->operation != EVP_PKEY_OP_VERIFY) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_OPERATON_NOT_INITIALIZED);\n return 0;\n }\n return ctx->pmeth->verify(ctx, sig, sig_len, digest, digest_len);\n}\n\nint EVP_PKEY_encrypt_init(EVP_PKEY_CTX *ctx) {\n if (!ctx || !ctx->pmeth || !ctx->pmeth->encrypt) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE);\n return 0;\n }\n ctx->operation = EVP_PKEY_OP_ENCRYPT;\n return 1;\n}\n\nint EVP_PKEY_encrypt(EVP_PKEY_CTX *ctx, uint8_t *out, size_t *outlen,\n const uint8_t *in, size_t inlen) {\n if (!ctx || !ctx->pmeth || !ctx->pmeth->encrypt) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE);\n return 0;\n }\n if (ctx->operation != EVP_PKEY_OP_ENCRYPT) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_OPERATON_NOT_INITIALIZED);\n return 0;\n }\n return ctx->pmeth->encrypt(ctx, out, outlen, in, inlen);\n}\n\nint EVP_PKEY_decrypt_init(EVP_PKEY_CTX *ctx) {\n if (!ctx || !ctx->pmeth || !ctx->pmeth->decrypt) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE);\n return 0;\n }\n ctx->operation = EVP_PKEY_OP_DECRYPT;\n return 1;\n}\n\nint EVP_PKEY_decrypt(EVP_PKEY_CTX *ctx, uint8_t *out, size_t *outlen,\n const uint8_t *in, size_t inlen) {\n if (!ctx || !ctx->pmeth || !ctx->pmeth->decrypt) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE);\n return 0;\n }\n if (ctx->operation != EVP_PKEY_OP_DECRYPT) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_OPERATON_NOT_INITIALIZED);\n return 0;\n }\n return ctx->pmeth->decrypt(ctx, out, outlen, in, inlen);\n}\n\nint EVP_PKEY_verify_recover_init(EVP_PKEY_CTX *ctx) {\n if (!ctx || !ctx->pmeth || !ctx->pmeth->verify_recover) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE);\n return 0;\n }\n ctx->operation = EVP_PKEY_OP_VERIFYRECOVER;\n return 1;\n}\n\nint EVP_PKEY_verify_recover(EVP_PKEY_CTX *ctx, uint8_t *out, size_t *out_len,\n const uint8_t *sig, size_t sig_len) {\n if (!ctx || !ctx->pmeth || !ctx->pmeth->verify_recover) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE);\n return 0;\n }\n if (ctx->operation != EVP_PKEY_OP_VERIFYRECOVER) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_OPERATON_NOT_INITIALIZED);\n return 0;\n }\n return ctx->pmeth->verify_recover(ctx, out, out_len, sig, sig_len);\n}\n\nint EVP_PKEY_derive_init(EVP_PKEY_CTX *ctx) {\n if (!ctx || !ctx->pmeth || !ctx->pmeth->derive) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE);\n return 0;\n }\n ctx->operation = EVP_PKEY_OP_DERIVE;\n return 1;\n}\n\nint EVP_PKEY_derive_set_peer(EVP_PKEY_CTX *ctx, EVP_PKEY *peer) {\n int ret;\n if (!ctx || !ctx->pmeth ||\n !(ctx->pmeth->derive || ctx->pmeth->encrypt || ctx->pmeth->decrypt) ||\n !ctx->pmeth->ctrl) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE);\n return 0;\n }\n if (ctx->operation != EVP_PKEY_OP_DERIVE &&\n ctx->operation != EVP_PKEY_OP_ENCRYPT &&\n ctx->operation != EVP_PKEY_OP_DECRYPT) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_OPERATON_NOT_INITIALIZED);\n return 0;\n }\n\n ret = ctx->pmeth->ctrl(ctx, EVP_PKEY_CTRL_PEER_KEY, 0, peer);\n\n if (ret <= 0) {\n return 0;\n }\n\n if (ret == 2) {\n return 1;\n }\n\n if (!ctx->pkey) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_NO_KEY_SET);\n return 0;\n }\n\n if (ctx->pkey->type != peer->type) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_DIFFERENT_KEY_TYPES);\n return 0;\n }\n\n // ran@cryptocom.ru: For clarity. The error is if parameters in peer are\n // present (!missing) but don't match. EVP_PKEY_cmp_parameters may return\n // 1 (match), 0 (don't match) and -2 (comparison is not defined). -1\n // (different key types) is impossible here because it is checked earlier.\n // -2 is OK for us here, as well as 1, so we can check for 0 only.\n if (!EVP_PKEY_missing_parameters(peer) &&\n !EVP_PKEY_cmp_parameters(ctx->pkey, peer)) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_DIFFERENT_PARAMETERS);\n return 0;\n }\n\n EVP_PKEY_free(ctx->peerkey);\n ctx->peerkey = peer;\n\n ret = ctx->pmeth->ctrl(ctx, EVP_PKEY_CTRL_PEER_KEY, 1, peer);\n\n if (ret <= 0) {\n ctx->peerkey = NULL;\n return 0;\n }\n\n EVP_PKEY_up_ref(peer);\n return 1;\n}\n\nint EVP_PKEY_derive(EVP_PKEY_CTX *ctx, uint8_t *key, size_t *out_key_len) {\n if (!ctx || !ctx->pmeth || !ctx->pmeth->derive) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE);\n return 0;\n }\n if (ctx->operation != EVP_PKEY_OP_DERIVE) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_OPERATON_NOT_INITIALIZED);\n return 0;\n }\n return ctx->pmeth->derive(ctx, key, out_key_len);\n}\n\nint EVP_PKEY_keygen_init(EVP_PKEY_CTX *ctx) {\n if (!ctx || !ctx->pmeth || !ctx->pmeth->keygen) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE);\n return 0;\n }\n ctx->operation = EVP_PKEY_OP_KEYGEN;\n return 1;\n}\n\nint EVP_PKEY_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY **out_pkey) {\n if (!ctx || !ctx->pmeth || !ctx->pmeth->keygen) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE);\n return 0;\n }\n if (ctx->operation != EVP_PKEY_OP_KEYGEN) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_OPERATON_NOT_INITIALIZED);\n return 0;\n }\n\n if (!out_pkey) {\n return 0;\n }\n\n if (!*out_pkey) {\n *out_pkey = EVP_PKEY_new();\n if (!*out_pkey) {\n OPENSSL_PUT_ERROR(EVP, ERR_LIB_EVP);\n return 0;\n }\n }\n\n if (!ctx->pmeth->keygen(ctx, *out_pkey)) {\n EVP_PKEY_free(*out_pkey);\n *out_pkey = NULL;\n return 0;\n }\n return 1;\n}\n\nint EVP_PKEY_paramgen_init(EVP_PKEY_CTX *ctx) {\n if (!ctx || !ctx->pmeth || !ctx->pmeth->paramgen) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE);\n return 0;\n }\n ctx->operation = EVP_PKEY_OP_PARAMGEN;\n return 1;\n}\n\nint EVP_PKEY_paramgen(EVP_PKEY_CTX *ctx, EVP_PKEY **out_pkey) {\n if (!ctx || !ctx->pmeth || !ctx->pmeth->paramgen) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE);\n return 0;\n }\n if (ctx->operation != EVP_PKEY_OP_PARAMGEN) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_OPERATON_NOT_INITIALIZED);\n return 0;\n }\n\n if (!out_pkey) {\n return 0;\n }\n\n if (!*out_pkey) {\n *out_pkey = EVP_PKEY_new();\n if (!*out_pkey) {\n OPENSSL_PUT_ERROR(EVP, ERR_LIB_EVP);\n return 0;\n }\n }\n\n if (!ctx->pmeth->paramgen(ctx, *out_pkey)) {\n EVP_PKEY_free(*out_pkey);\n *out_pkey = NULL;\n return 0;\n }\n return 1;\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/evp/internal.h", "content": "/*\n * Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#ifndef OPENSSL_HEADER_EVP_INTERNAL_H\n#define OPENSSL_HEADER_EVP_INTERNAL_H\n\n#include \n\n#include \n\n#if defined(__cplusplus)\nextern \"C\" {\n#endif\n\n\ntypedef struct evp_pkey_asn1_method_st EVP_PKEY_ASN1_METHOD;\ntypedef struct evp_pkey_method_st EVP_PKEY_METHOD;\n\nstruct evp_pkey_asn1_method_st {\n int pkey_id;\n uint8_t oid[9];\n uint8_t oid_len;\n\n const EVP_PKEY_METHOD *pkey_method;\n\n // pub_decode decodes |params| and |key| as a SubjectPublicKeyInfo\n // and writes the result into |out|. It returns one on success and zero on\n // error. |params| is the AlgorithmIdentifier after the OBJECT IDENTIFIER\n // type field, and |key| is the contents of the subjectPublicKey with the\n // leading padding byte checked and removed. Although X.509 uses BIT STRINGs\n // to represent SubjectPublicKeyInfo, every key type defined encodes the key\n // as a byte string with the same conversion to BIT STRING.\n int (*pub_decode)(EVP_PKEY *out, CBS *params, CBS *key);\n\n // pub_encode encodes |key| as a SubjectPublicKeyInfo and appends the result\n // to |out|. It returns one on success and zero on error.\n int (*pub_encode)(CBB *out, const EVP_PKEY *key);\n\n int (*pub_cmp)(const EVP_PKEY *a, const EVP_PKEY *b);\n\n // priv_decode decodes |params| and |key| as a PrivateKeyInfo and writes the\n // result into |out|. It returns one on success and zero on error. |params| is\n // the AlgorithmIdentifier after the OBJECT IDENTIFIER type field, and |key|\n // is the contents of the OCTET STRING privateKey field.\n int (*priv_decode)(EVP_PKEY *out, CBS *params, CBS *key);\n\n // priv_encode encodes |key| as a PrivateKeyInfo and appends the result to\n // |out|. It returns one on success and zero on error.\n int (*priv_encode)(CBB *out, const EVP_PKEY *key);\n\n int (*set_priv_raw)(EVP_PKEY *pkey, const uint8_t *in, size_t len);\n int (*set_pub_raw)(EVP_PKEY *pkey, const uint8_t *in, size_t len);\n int (*get_priv_raw)(const EVP_PKEY *pkey, uint8_t *out, size_t *out_len);\n int (*get_pub_raw)(const EVP_PKEY *pkey, uint8_t *out, size_t *out_len);\n\n // TODO(davidben): Can these be merged with the functions above? OpenSSL does\n // not implement |EVP_PKEY_get_raw_public_key|, etc., for |EVP_PKEY_EC|, but\n // the distinction seems unimportant. OpenSSL 3.0 has since renamed\n // |EVP_PKEY_get1_tls_encodedpoint| to |EVP_PKEY_get1_encoded_public_key|, and\n // what is the difference between \"raw\" and an \"encoded\" public key.\n //\n // One nuisance is the notion of \"raw\" is slightly ambiguous for EC keys. Is\n // it a DER ECPrivateKey or just the scalar?\n int (*set1_tls_encodedpoint)(EVP_PKEY *pkey, const uint8_t *in, size_t len);\n size_t (*get1_tls_encodedpoint)(const EVP_PKEY *pkey, uint8_t **out_ptr);\n\n // pkey_opaque returns 1 if the |pk| is opaque. Opaque keys are backed by\n // custom implementations which do not expose key material and parameters.\n int (*pkey_opaque)(const EVP_PKEY *pk);\n\n int (*pkey_size)(const EVP_PKEY *pk);\n int (*pkey_bits)(const EVP_PKEY *pk);\n\n int (*param_missing)(const EVP_PKEY *pk);\n int (*param_copy)(EVP_PKEY *to, const EVP_PKEY *from);\n int (*param_cmp)(const EVP_PKEY *a, const EVP_PKEY *b);\n\n void (*pkey_free)(EVP_PKEY *pkey);\n} /* EVP_PKEY_ASN1_METHOD */;\n\nstruct evp_pkey_st {\n CRYPTO_refcount_t references;\n\n // type contains one of the EVP_PKEY_* values or NID_undef and determines\n // the type of |pkey|.\n int type;\n\n // pkey contains a pointer to a structure dependent on |type|.\n void *pkey;\n\n // ameth contains a pointer to a method table that contains many ASN.1\n // methods for the key type.\n const EVP_PKEY_ASN1_METHOD *ameth;\n} /* EVP_PKEY */;\n\n#define EVP_PKEY_OP_UNDEFINED 0\n#define EVP_PKEY_OP_KEYGEN (1 << 2)\n#define EVP_PKEY_OP_SIGN (1 << 3)\n#define EVP_PKEY_OP_VERIFY (1 << 4)\n#define EVP_PKEY_OP_VERIFYRECOVER (1 << 5)\n#define EVP_PKEY_OP_ENCRYPT (1 << 6)\n#define EVP_PKEY_OP_DECRYPT (1 << 7)\n#define EVP_PKEY_OP_DERIVE (1 << 8)\n#define EVP_PKEY_OP_PARAMGEN (1 << 9)\n\n#define EVP_PKEY_OP_TYPE_SIG \\\n (EVP_PKEY_OP_SIGN | EVP_PKEY_OP_VERIFY | EVP_PKEY_OP_VERIFYRECOVER)\n\n#define EVP_PKEY_OP_TYPE_CRYPT (EVP_PKEY_OP_ENCRYPT | EVP_PKEY_OP_DECRYPT)\n\n#define EVP_PKEY_OP_TYPE_NOGEN \\\n (EVP_PKEY_OP_SIG | EVP_PKEY_OP_CRYPT | EVP_PKEY_OP_DERIVE)\n\n#define EVP_PKEY_OP_TYPE_GEN (EVP_PKEY_OP_KEYGEN | EVP_PKEY_OP_PARAMGEN)\n\n// EVP_PKEY_CTX_ctrl performs |cmd| on |ctx|. The |keytype| and |optype|\n// arguments can be -1 to specify that any type and operation are acceptable,\n// otherwise |keytype| must match the type of |ctx| and the bits of |optype|\n// must intersect the operation flags set on |ctx|.\n//\n// The |p1| and |p2| arguments depend on the value of |cmd|.\n//\n// It returns one on success and zero on error.\nOPENSSL_EXPORT int EVP_PKEY_CTX_ctrl(EVP_PKEY_CTX *ctx, int keytype, int optype,\n int cmd, int p1, void *p2);\n\n#define EVP_PKEY_CTRL_MD 1\n#define EVP_PKEY_CTRL_GET_MD 2\n\n// EVP_PKEY_CTRL_PEER_KEY is called with different values of |p1|:\n// 0: Is called from |EVP_PKEY_derive_set_peer| and |p2| contains a peer key.\n// If the return value is <= 0, the key is rejected.\n// 1: Is called at the end of |EVP_PKEY_derive_set_peer| and |p2| contains a\n// peer key. If the return value is <= 0, the key is rejected.\n// 2: Is called with |p2| == NULL to test whether the peer's key was used.\n// (EC)DH always return one in this case.\n// 3: Is called with |p2| == NULL to set whether the peer's key was used.\n// (EC)DH always return one in this case. This was only used for GOST.\n#define EVP_PKEY_CTRL_PEER_KEY 3\n\n// EVP_PKEY_ALG_CTRL is the base value from which key-type specific ctrl\n// commands are numbered.\n#define EVP_PKEY_ALG_CTRL 0x1000\n\n#define EVP_PKEY_CTRL_RSA_PADDING (EVP_PKEY_ALG_CTRL + 1)\n#define EVP_PKEY_CTRL_GET_RSA_PADDING (EVP_PKEY_ALG_CTRL + 2)\n#define EVP_PKEY_CTRL_RSA_PSS_SALTLEN (EVP_PKEY_ALG_CTRL + 3)\n#define EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN (EVP_PKEY_ALG_CTRL + 4)\n#define EVP_PKEY_CTRL_RSA_KEYGEN_BITS (EVP_PKEY_ALG_CTRL + 5)\n#define EVP_PKEY_CTRL_RSA_KEYGEN_PUBEXP (EVP_PKEY_ALG_CTRL + 6)\n#define EVP_PKEY_CTRL_RSA_OAEP_MD (EVP_PKEY_ALG_CTRL + 7)\n#define EVP_PKEY_CTRL_GET_RSA_OAEP_MD (EVP_PKEY_ALG_CTRL + 8)\n#define EVP_PKEY_CTRL_RSA_MGF1_MD (EVP_PKEY_ALG_CTRL + 9)\n#define EVP_PKEY_CTRL_GET_RSA_MGF1_MD (EVP_PKEY_ALG_CTRL + 10)\n#define EVP_PKEY_CTRL_RSA_OAEP_LABEL (EVP_PKEY_ALG_CTRL + 11)\n#define EVP_PKEY_CTRL_GET_RSA_OAEP_LABEL (EVP_PKEY_ALG_CTRL + 12)\n#define EVP_PKEY_CTRL_EC_PARAMGEN_CURVE_NID (EVP_PKEY_ALG_CTRL + 13)\n#define EVP_PKEY_CTRL_HKDF_MODE (EVP_PKEY_ALG_CTRL + 14)\n#define EVP_PKEY_CTRL_HKDF_MD (EVP_PKEY_ALG_CTRL + 15)\n#define EVP_PKEY_CTRL_HKDF_KEY (EVP_PKEY_ALG_CTRL + 16)\n#define EVP_PKEY_CTRL_HKDF_SALT (EVP_PKEY_ALG_CTRL + 17)\n#define EVP_PKEY_CTRL_HKDF_INFO (EVP_PKEY_ALG_CTRL + 18)\n#define EVP_PKEY_CTRL_DH_PAD (EVP_PKEY_ALG_CTRL + 19)\n\nstruct evp_pkey_ctx_st {\n // Method associated with this operation\n const EVP_PKEY_METHOD *pmeth;\n // Engine that implements this method or NULL if builtin\n ENGINE *engine;\n // Key: may be NULL\n EVP_PKEY *pkey;\n // Peer key for key agreement, may be NULL\n EVP_PKEY *peerkey;\n // operation contains one of the |EVP_PKEY_OP_*| values.\n int operation;\n // Algorithm specific data\n void *data;\n} /* EVP_PKEY_CTX */;\n\nstruct evp_pkey_method_st {\n int pkey_id;\n\n int (*init)(EVP_PKEY_CTX *ctx);\n int (*copy)(EVP_PKEY_CTX *dst, EVP_PKEY_CTX *src);\n void (*cleanup)(EVP_PKEY_CTX *ctx);\n\n int (*keygen)(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey);\n\n int (*sign)(EVP_PKEY_CTX *ctx, uint8_t *sig, size_t *siglen,\n const uint8_t *tbs, size_t tbslen);\n\n int (*sign_message)(EVP_PKEY_CTX *ctx, uint8_t *sig, size_t *siglen,\n const uint8_t *tbs, size_t tbslen);\n\n int (*verify)(EVP_PKEY_CTX *ctx, const uint8_t *sig, size_t siglen,\n const uint8_t *tbs, size_t tbslen);\n\n int (*verify_message)(EVP_PKEY_CTX *ctx, const uint8_t *sig, size_t siglen,\n const uint8_t *tbs, size_t tbslen);\n\n int (*verify_recover)(EVP_PKEY_CTX *ctx, uint8_t *out, size_t *out_len,\n const uint8_t *sig, size_t sig_len);\n\n int (*encrypt)(EVP_PKEY_CTX *ctx, uint8_t *out, size_t *outlen,\n const uint8_t *in, size_t inlen);\n\n int (*decrypt)(EVP_PKEY_CTX *ctx, uint8_t *out, size_t *outlen,\n const uint8_t *in, size_t inlen);\n\n int (*derive)(EVP_PKEY_CTX *ctx, uint8_t *key, size_t *keylen);\n\n int (*paramgen)(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey);\n\n int (*ctrl)(EVP_PKEY_CTX *ctx, int type, int p1, void *p2);\n} /* EVP_PKEY_METHOD */;\n\ntypedef struct {\n // key is the concatenation of the private seed and public key. It is stored\n // as a single 64-bit array to allow passing to |ED25519_sign|. If\n // |has_private| is false, the first 32 bytes are uninitialized and the public\n // key is in the last 32 bytes.\n uint8_t key[64];\n char has_private;\n} ED25519_KEY;\n\n#define ED25519_PUBLIC_KEY_OFFSET 32\n\ntypedef struct {\n uint8_t pub[32];\n uint8_t priv[32];\n char has_private;\n} X25519_KEY;\n\nextern const EVP_PKEY_ASN1_METHOD dsa_asn1_meth;\nextern const EVP_PKEY_ASN1_METHOD ec_asn1_meth;\nextern const EVP_PKEY_ASN1_METHOD rsa_asn1_meth;\nextern const EVP_PKEY_ASN1_METHOD ed25519_asn1_meth;\nextern const EVP_PKEY_ASN1_METHOD x25519_asn1_meth;\nextern const EVP_PKEY_ASN1_METHOD dh_asn1_meth;\n\nextern const EVP_PKEY_METHOD rsa_pkey_meth;\nextern const EVP_PKEY_METHOD ec_pkey_meth;\nextern const EVP_PKEY_METHOD ed25519_pkey_meth;\nextern const EVP_PKEY_METHOD x25519_pkey_meth;\nextern const EVP_PKEY_METHOD hkdf_pkey_meth;\nextern const EVP_PKEY_METHOD dh_pkey_meth;\n\n// evp_pkey_set_method behaves like |EVP_PKEY_set_type|, but takes a pointer to\n// a method table. This avoids depending on every |EVP_PKEY_ASN1_METHOD|.\nvoid evp_pkey_set_method(EVP_PKEY *pkey, const EVP_PKEY_ASN1_METHOD *method);\n\n\n#if defined(__cplusplus)\n} // extern C\n#endif\n\n#endif // OPENSSL_HEADER_EVP_INTERNAL_H\n" }, { "path": "Sources/CNIOBoringSSL/crypto/evp/p_dh.cc", "content": "/*\n * Copyright 2006-2019 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n\n#include \n#include \n#include \n\n#include \"internal.h\"\n\n\nnamespace {\ntypedef struct dh_pkey_ctx_st {\n int pad;\n} DH_PKEY_CTX;\n} // namespace\n\nstatic int pkey_dh_init(EVP_PKEY_CTX *ctx) {\n DH_PKEY_CTX *dctx =\n reinterpret_cast(OPENSSL_zalloc(sizeof(DH_PKEY_CTX)));\n if (dctx == NULL) {\n return 0;\n }\n\n ctx->data = dctx;\n return 1;\n}\n\nstatic int pkey_dh_copy(EVP_PKEY_CTX *dst, EVP_PKEY_CTX *src) {\n if (!pkey_dh_init(dst)) {\n return 0;\n }\n\n const DH_PKEY_CTX *sctx = reinterpret_cast(src->data);\n DH_PKEY_CTX *dctx = reinterpret_cast(dst->data);\n dctx->pad = sctx->pad;\n return 1;\n}\n\nstatic void pkey_dh_cleanup(EVP_PKEY_CTX *ctx) {\n OPENSSL_free(ctx->data);\n ctx->data = NULL;\n}\n\nstatic int pkey_dh_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey) {\n DH *dh = DH_new();\n if (dh == NULL || !EVP_PKEY_assign_DH(pkey, dh)) {\n DH_free(dh);\n return 0;\n }\n\n if (ctx->pkey != NULL && !EVP_PKEY_copy_parameters(pkey, ctx->pkey)) {\n return 0;\n }\n\n return DH_generate_key(dh);\n}\n\nstatic int pkey_dh_derive(EVP_PKEY_CTX *ctx, uint8_t *out, size_t *out_len) {\n DH_PKEY_CTX *dctx = reinterpret_cast(ctx->data);\n if (ctx->pkey == NULL || ctx->peerkey == NULL) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_KEYS_NOT_SET);\n return 0;\n }\n\n DH *our_key = reinterpret_cast(ctx->pkey->pkey);\n DH *peer_key = reinterpret_cast(ctx->peerkey->pkey);\n if (our_key == NULL || peer_key == NULL) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_KEYS_NOT_SET);\n return 0;\n }\n\n const BIGNUM *pub_key = DH_get0_pub_key(peer_key);\n if (pub_key == NULL) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_KEYS_NOT_SET);\n return 0;\n }\n\n if (out == NULL) {\n *out_len = DH_size(our_key);\n return 1;\n }\n\n if (*out_len < (size_t)DH_size(our_key)) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_BUFFER_TOO_SMALL);\n return 0;\n }\n\n int ret = dctx->pad ? DH_compute_key_padded(out, pub_key, our_key)\n : DH_compute_key(out, pub_key, our_key);\n if (ret < 0) {\n return 0;\n }\n\n assert(ret <= DH_size(our_key));\n *out_len = (size_t)ret;\n return 1;\n}\n\nstatic int pkey_dh_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2) {\n DH_PKEY_CTX *dctx = reinterpret_cast(ctx->data);\n switch (type) {\n case EVP_PKEY_CTRL_PEER_KEY:\n // |EVP_PKEY_derive_set_peer| requires the key implement this command,\n // even if it is a no-op.\n return 1;\n\n case EVP_PKEY_CTRL_DH_PAD:\n dctx->pad = p1;\n return 1;\n\n default:\n OPENSSL_PUT_ERROR(EVP, EVP_R_COMMAND_NOT_SUPPORTED);\n return 0;\n }\n}\n\nconst EVP_PKEY_METHOD dh_pkey_meth = {\n /*pkey_id=*/EVP_PKEY_DH,\n /*init=*/pkey_dh_init,\n /*copy=*/pkey_dh_copy,\n /*cleanup=*/pkey_dh_cleanup,\n /*keygen=*/pkey_dh_keygen,\n /*sign=*/nullptr,\n /*sign_message=*/nullptr,\n /*verify=*/nullptr,\n /*verify_message=*/nullptr,\n /*verify_recover=*/nullptr,\n /*encrypt=*/nullptr,\n /*decrypt=*/nullptr,\n /*derive=*/pkey_dh_derive,\n /*paramgen=*/nullptr,\n /*ctrl=*/pkey_dh_ctrl,\n};\n\nint EVP_PKEY_CTX_set_dh_pad(EVP_PKEY_CTX *ctx, int pad) {\n return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_DH, EVP_PKEY_OP_DERIVE,\n EVP_PKEY_CTRL_DH_PAD, pad, NULL);\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/evp/p_dh_asn1.cc", "content": "/*\n * Copyright 2006-2021 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n#include \n#include \n\n#include \"../internal.h\"\n#include \"internal.h\"\n\n\nstatic void dh_free(EVP_PKEY *pkey) {\n DH_free(reinterpret_cast(pkey->pkey));\n pkey->pkey = NULL;\n}\n\nstatic int dh_size(const EVP_PKEY *pkey) {\n return DH_size(reinterpret_cast(pkey->pkey));\n}\n\nstatic int dh_bits(const EVP_PKEY *pkey) {\n return DH_bits(reinterpret_cast(pkey->pkey));\n}\n\nstatic int dh_param_missing(const EVP_PKEY *pkey) {\n const DH *dh = reinterpret_cast(pkey->pkey);\n return dh == NULL || DH_get0_p(dh) == NULL || DH_get0_g(dh) == NULL;\n}\n\nstatic int dh_param_copy(EVP_PKEY *to, const EVP_PKEY *from) {\n if (dh_param_missing(from)) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_MISSING_PARAMETERS);\n return 0;\n }\n\n const DH *dh = reinterpret_cast(from->pkey);\n const BIGNUM *q_old = DH_get0_q(dh);\n BIGNUM *p = BN_dup(DH_get0_p(dh));\n BIGNUM *q = q_old == NULL ? NULL : BN_dup(q_old);\n BIGNUM *g = BN_dup(DH_get0_g(dh));\n if (p == NULL || (q_old != NULL && q == NULL) || g == NULL ||\n !DH_set0_pqg(reinterpret_cast(to->pkey), p, q, g)) {\n BN_free(p);\n BN_free(q);\n BN_free(g);\n return 0;\n }\n\n // |DH_set0_pqg| took ownership of |p|, |q|, and |g|.\n return 1;\n}\n\nstatic int dh_param_cmp(const EVP_PKEY *a, const EVP_PKEY *b) {\n if (dh_param_missing(a) || dh_param_missing(b)) {\n return -2;\n }\n\n // Matching OpenSSL, only compare p and g for PKCS#3-style Diffie-Hellman.\n // OpenSSL only checks q in X9.42-style Diffie-Hellman (\"DHX\").\n const DH *a_dh = reinterpret_cast(a->pkey);\n const DH *b_dh = reinterpret_cast(b->pkey);\n return BN_cmp(DH_get0_p(a_dh), DH_get0_p(b_dh)) == 0 &&\n BN_cmp(DH_get0_g(a_dh), DH_get0_g(b_dh)) == 0;\n}\n\nstatic int dh_pub_cmp(const EVP_PKEY *a, const EVP_PKEY *b) {\n if (dh_param_cmp(a, b) <= 0) {\n return 0;\n }\n\n const DH *a_dh = reinterpret_cast(a->pkey);\n const DH *b_dh = reinterpret_cast(b->pkey);\n return BN_cmp(DH_get0_pub_key(a_dh), DH_get0_pub_key(b_dh)) == 0;\n}\n\nconst EVP_PKEY_ASN1_METHOD dh_asn1_meth = {\n /*pkey_id=*/EVP_PKEY_DH,\n /*oid=*/{0},\n /*oid_len=*/0,\n /*pkey_method=*/&dh_pkey_meth,\n /*pub_decode=*/nullptr,\n /*pub_encode=*/nullptr,\n /*pub_cmp=*/dh_pub_cmp,\n /*priv_decode=*/nullptr,\n /*priv_encode=*/nullptr,\n /*set_priv_raw=*/nullptr,\n /*set_pub_raw=*/nullptr,\n /*get_priv_raw=*/nullptr,\n /*get_pub_raw=*/nullptr,\n /*set1_tls_encodedpoint=*/nullptr,\n /*get1_tls_encodedpoint=*/nullptr,\n /*pkey_opaque=*/nullptr,\n /*pkey_size=*/dh_size,\n /*pkey_bits=*/dh_bits,\n /*param_missing=*/dh_param_missing,\n /*param_copy=*/dh_param_copy,\n /*param_cmp=*/dh_param_cmp,\n /*pkey_free=*/dh_free,\n};\n\nint EVP_PKEY_set1_DH(EVP_PKEY *pkey, DH *key) {\n if (EVP_PKEY_assign_DH(pkey, key)) {\n DH_up_ref(key);\n return 1;\n }\n return 0;\n}\n\nint EVP_PKEY_assign_DH(EVP_PKEY *pkey, DH *key) {\n evp_pkey_set_method(pkey, &dh_asn1_meth);\n pkey->pkey = key;\n return key != NULL;\n}\n\nDH *EVP_PKEY_get0_DH(const EVP_PKEY *pkey) {\n if (pkey->type != EVP_PKEY_DH) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_EXPECTING_A_DH_KEY);\n return NULL;\n }\n return reinterpret_cast(const_cast(pkey)->pkey);\n}\n\nDH *EVP_PKEY_get1_DH(const EVP_PKEY *pkey) {\n DH *dh = EVP_PKEY_get0_DH(pkey);\n if (dh != NULL) {\n DH_up_ref(dh);\n }\n return dh;\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/evp/p_dsa_asn1.cc", "content": "/*\n * Copyright 2006-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n#include \n#include \n#include \n#include \n\n#include \"../dsa/internal.h\"\n#include \"internal.h\"\n\n\nstatic int dsa_pub_decode(EVP_PKEY *out, CBS *params, CBS *key) {\n // See RFC 3279, section 2.3.2.\n\n // Parameters may or may not be present.\n bssl::UniquePtr dsa;\n if (CBS_len(params) == 0) {\n dsa.reset(DSA_new());\n if (dsa == nullptr) {\n return 0;\n }\n } else {\n dsa.reset(DSA_parse_parameters(params));\n if (dsa == nullptr || CBS_len(params) != 0) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_DECODE_ERROR);\n return 0;\n }\n }\n\n dsa->pub_key = BN_new();\n if (dsa->pub_key == nullptr) {\n return 0;\n }\n\n if (!BN_parse_asn1_unsigned(key, dsa->pub_key) || CBS_len(key) != 0) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_DECODE_ERROR);\n return 0;\n }\n\n EVP_PKEY_assign_DSA(out, dsa.release());\n return 1;\n}\n\nstatic int dsa_pub_encode(CBB *out, const EVP_PKEY *key) {\n const DSA *dsa = reinterpret_cast(key->pkey);\n const int has_params =\n dsa->p != nullptr && dsa->q != nullptr && dsa->g != nullptr;\n\n // See RFC 5480, section 2.\n CBB spki, algorithm, oid, key_bitstring;\n if (!CBB_add_asn1(out, &spki, CBS_ASN1_SEQUENCE) ||\n !CBB_add_asn1(&spki, &algorithm, CBS_ASN1_SEQUENCE) ||\n !CBB_add_asn1(&algorithm, &oid, CBS_ASN1_OBJECT) ||\n !CBB_add_bytes(&oid, dsa_asn1_meth.oid, dsa_asn1_meth.oid_len) ||\n (has_params && !DSA_marshal_parameters(&algorithm, dsa)) ||\n !CBB_add_asn1(&spki, &key_bitstring, CBS_ASN1_BITSTRING) ||\n !CBB_add_u8(&key_bitstring, 0 /* padding */) ||\n !BN_marshal_asn1(&key_bitstring, dsa->pub_key) || !CBB_flush(out)) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_ENCODE_ERROR);\n return 0;\n }\n\n return 1;\n}\n\nstatic int dsa_priv_decode(EVP_PKEY *out, CBS *params, CBS *key) {\n // See PKCS#11, v2.40, section 2.5.\n\n // Decode parameters.\n bssl::UniquePtr dsa(DSA_parse_parameters(params));\n if (dsa == nullptr || CBS_len(params) != 0) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_DECODE_ERROR);\n return 0;\n }\n\n dsa->priv_key = BN_new();\n if (dsa->priv_key == nullptr) {\n return 0;\n }\n if (!BN_parse_asn1_unsigned(key, dsa->priv_key) || CBS_len(key) != 0) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_DECODE_ERROR);\n return 0;\n }\n\n // To avoid DoS attacks when importing private keys, check bounds on |dsa|.\n // This bounds |dsa->priv_key| against |dsa->q| and bounds |dsa->q|'s bit\n // width.\n if (!dsa_check_key(dsa.get())) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_DECODE_ERROR);\n return 0;\n }\n\n // Calculate the public key.\n bssl::UniquePtr ctx(BN_CTX_new());\n dsa->pub_key = BN_new();\n if (ctx == nullptr || dsa->pub_key == nullptr ||\n !BN_mod_exp_mont_consttime(dsa->pub_key, dsa->g, dsa->priv_key, dsa->p,\n ctx.get(), nullptr)) {\n return 0;\n }\n\n EVP_PKEY_assign_DSA(out, dsa.release());\n return 1;\n}\n\nstatic int dsa_priv_encode(CBB *out, const EVP_PKEY *key) {\n const DSA *dsa = reinterpret_cast(key->pkey);\n if (dsa == nullptr || dsa->priv_key == nullptr) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_MISSING_PARAMETERS);\n return 0;\n }\n\n // See PKCS#11, v2.40, section 2.5.\n CBB pkcs8, algorithm, oid, private_key;\n if (!CBB_add_asn1(out, &pkcs8, CBS_ASN1_SEQUENCE) ||\n !CBB_add_asn1_uint64(&pkcs8, 0 /* version */) ||\n !CBB_add_asn1(&pkcs8, &algorithm, CBS_ASN1_SEQUENCE) ||\n !CBB_add_asn1(&algorithm, &oid, CBS_ASN1_OBJECT) ||\n !CBB_add_bytes(&oid, dsa_asn1_meth.oid, dsa_asn1_meth.oid_len) ||\n !DSA_marshal_parameters(&algorithm, dsa) ||\n !CBB_add_asn1(&pkcs8, &private_key, CBS_ASN1_OCTETSTRING) ||\n !BN_marshal_asn1(&private_key, dsa->priv_key) || !CBB_flush(out)) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_ENCODE_ERROR);\n return 0;\n }\n\n return 1;\n}\n\nstatic int int_dsa_size(const EVP_PKEY *pkey) {\n const DSA *dsa = reinterpret_cast(pkey->pkey);\n return DSA_size(dsa);\n}\n\nstatic int dsa_bits(const EVP_PKEY *pkey) {\n const DSA *dsa = reinterpret_cast(pkey->pkey);\n return BN_num_bits(DSA_get0_p(dsa));\n}\n\nstatic int dsa_missing_parameters(const EVP_PKEY *pkey) {\n const DSA *dsa = reinterpret_cast(pkey->pkey);\n if (DSA_get0_p(dsa) == nullptr || DSA_get0_q(dsa) == nullptr ||\n DSA_get0_g(dsa) == nullptr) {\n return 1;\n }\n return 0;\n}\n\nstatic int dup_bn_into(BIGNUM **out, BIGNUM *src) {\n bssl::UniquePtr a(BN_dup(src));\n if (a == nullptr) {\n return 0;\n }\n BN_free(*out);\n *out = a.release();\n return 1;\n}\n\nstatic int dsa_copy_parameters(EVP_PKEY *to, const EVP_PKEY *from) {\n DSA *to_dsa = reinterpret_cast(to->pkey);\n const DSA *from_dsa = reinterpret_cast(from->pkey);\n if (!dup_bn_into(&to_dsa->p, from_dsa->p) ||\n !dup_bn_into(&to_dsa->q, from_dsa->q) ||\n !dup_bn_into(&to_dsa->g, from_dsa->g)) {\n return 0;\n }\n\n return 1;\n}\n\nstatic int dsa_cmp_parameters(const EVP_PKEY *a, const EVP_PKEY *b) {\n const DSA *a_dsa = reinterpret_cast(a->pkey);\n const DSA *b_dsa = reinterpret_cast(b->pkey);\n return BN_cmp(DSA_get0_p(a_dsa), DSA_get0_p(b_dsa)) == 0 &&\n BN_cmp(DSA_get0_q(a_dsa), DSA_get0_q(b_dsa)) == 0 &&\n BN_cmp(DSA_get0_g(a_dsa), DSA_get0_g(b_dsa)) == 0;\n}\n\nstatic int dsa_pub_cmp(const EVP_PKEY *a, const EVP_PKEY *b) {\n const DSA *a_dsa = reinterpret_cast(a->pkey);\n const DSA *b_dsa = reinterpret_cast(b->pkey);\n return BN_cmp(DSA_get0_pub_key(b_dsa), DSA_get0_pub_key(a_dsa)) == 0;\n}\n\nstatic void int_dsa_free(EVP_PKEY *pkey) {\n DSA_free(reinterpret_cast(pkey->pkey));\n pkey->pkey = nullptr;\n}\n\nconst EVP_PKEY_ASN1_METHOD dsa_asn1_meth = {\n EVP_PKEY_DSA,\n // 1.2.840.10040.4.1\n {0x2a, 0x86, 0x48, 0xce, 0x38, 0x04, 0x01},\n 7,\n\n /*pkey_method=*/nullptr,\n\n dsa_pub_decode,\n dsa_pub_encode,\n dsa_pub_cmp,\n\n dsa_priv_decode,\n dsa_priv_encode,\n\n /*set_priv_raw=*/nullptr,\n /*set_pub_raw=*/nullptr,\n /*get_priv_raw=*/nullptr,\n /*get_pub_raw=*/nullptr,\n /*set1_tls_encodedpoint=*/nullptr,\n /*get1_tls_encodedpoint=*/nullptr,\n\n /*pkey_opaque=*/nullptr,\n\n int_dsa_size,\n dsa_bits,\n\n dsa_missing_parameters,\n dsa_copy_parameters,\n dsa_cmp_parameters,\n\n int_dsa_free,\n};\n\nint EVP_PKEY_CTX_set_dsa_paramgen_bits(EVP_PKEY_CTX *ctx, int nbits) {\n // BoringSSL does not support DSA in |EVP_PKEY_CTX|.\n OPENSSL_PUT_ERROR(EVP, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);\n return 0;\n}\n\nint EVP_PKEY_CTX_set_dsa_paramgen_q_bits(EVP_PKEY_CTX *ctx, int qbits) {\n // BoringSSL does not support DSA in |EVP_PKEY_CTX|.\n OPENSSL_PUT_ERROR(EVP, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);\n return 0;\n}\n\nint EVP_PKEY_set1_DSA(EVP_PKEY *pkey, DSA *key) {\n if (EVP_PKEY_assign_DSA(pkey, key)) {\n DSA_up_ref(key);\n return 1;\n }\n return 0;\n}\n\nint EVP_PKEY_assign_DSA(EVP_PKEY *pkey, DSA *key) {\n evp_pkey_set_method(pkey, &dsa_asn1_meth);\n pkey->pkey = key;\n return key != nullptr;\n}\n\nDSA *EVP_PKEY_get0_DSA(const EVP_PKEY *pkey) {\n if (pkey->type != EVP_PKEY_DSA) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_EXPECTING_A_DSA_KEY);\n return nullptr;\n }\n return reinterpret_cast(pkey->pkey);\n}\n\nDSA *EVP_PKEY_get1_DSA(const EVP_PKEY *pkey) {\n DSA *dsa = EVP_PKEY_get0_DSA(pkey);\n if (dsa != nullptr) {\n DSA_up_ref(dsa);\n }\n return dsa;\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/evp/p_ec.cc", "content": "/*\n * Copyright 2006-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n\n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n\n#include \"../fipsmodule/ec/internal.h\"\n#include \"../internal.h\"\n#include \"internal.h\"\n\n\ntypedef struct {\n // message digest\n const EVP_MD *md;\n const EC_GROUP *gen_group;\n} EC_PKEY_CTX;\n\n\nstatic int pkey_ec_init(EVP_PKEY_CTX *ctx) {\n EC_PKEY_CTX *dctx =\n reinterpret_cast(OPENSSL_zalloc(sizeof(EC_PKEY_CTX)));\n if (!dctx) {\n return 0;\n }\n\n ctx->data = dctx;\n return 1;\n}\n\nstatic int pkey_ec_copy(EVP_PKEY_CTX *dst, EVP_PKEY_CTX *src) {\n if (!pkey_ec_init(dst)) {\n return 0;\n }\n\n const EC_PKEY_CTX *sctx = reinterpret_cast(src->data);\n EC_PKEY_CTX *dctx = reinterpret_cast(dst->data);\n dctx->md = sctx->md;\n dctx->gen_group = sctx->gen_group;\n return 1;\n}\n\nstatic void pkey_ec_cleanup(EVP_PKEY_CTX *ctx) {\n EC_PKEY_CTX *dctx = reinterpret_cast(ctx->data);\n if (!dctx) {\n return;\n }\n\n OPENSSL_free(dctx);\n}\n\nstatic int pkey_ec_sign(EVP_PKEY_CTX *ctx, uint8_t *sig, size_t *siglen,\n const uint8_t *tbs, size_t tbslen) {\n const EC_KEY *ec = reinterpret_cast(ctx->pkey->pkey);\n if (!sig) {\n *siglen = ECDSA_size(ec);\n return 1;\n } else if (*siglen < (size_t)ECDSA_size(ec)) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_BUFFER_TOO_SMALL);\n return 0;\n }\n\n unsigned int sltmp;\n if (!ECDSA_sign(0, tbs, tbslen, sig, &sltmp, ec)) {\n return 0;\n }\n *siglen = (size_t)sltmp;\n return 1;\n}\n\nstatic int pkey_ec_verify(EVP_PKEY_CTX *ctx, const uint8_t *sig, size_t siglen,\n const uint8_t *tbs, size_t tbslen) {\n const EC_KEY *ec_key = reinterpret_cast(ctx->pkey->pkey);\n return ECDSA_verify(0, tbs, tbslen, sig, siglen, ec_key);\n}\n\nstatic int pkey_ec_derive(EVP_PKEY_CTX *ctx, uint8_t *key, size_t *keylen) {\n if (!ctx->pkey || !ctx->peerkey) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_KEYS_NOT_SET);\n return 0;\n }\n\n const EC_KEY *eckey = reinterpret_cast(ctx->pkey->pkey);\n if (!key) {\n const EC_GROUP *group;\n group = EC_KEY_get0_group(eckey);\n *keylen = (EC_GROUP_get_degree(group) + 7) / 8;\n return 1;\n }\n\n const EC_KEY *eckey_peer = reinterpret_cast(ctx->peerkey->pkey);\n const EC_POINT *pubkey = EC_KEY_get0_public_key(eckey_peer);\n\n // NB: unlike PKCS#3 DH, if *outlen is less than maximum size this is\n // not an error, the result is truncated.\n size_t outlen = *keylen;\n int ret = ECDH_compute_key(key, outlen, pubkey, eckey, 0);\n if (ret < 0) {\n return 0;\n }\n *keylen = ret;\n return 1;\n}\n\nstatic int pkey_ec_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2) {\n EC_PKEY_CTX *dctx = reinterpret_cast(ctx->data);\n\n switch (type) {\n case EVP_PKEY_CTRL_MD: {\n const EVP_MD *md = reinterpret_cast(p2);\n int md_type = EVP_MD_type(md);\n if (md_type != NID_sha1 && md_type != NID_sha224 &&\n md_type != NID_sha256 && md_type != NID_sha384 &&\n md_type != NID_sha512) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_DIGEST_TYPE);\n return 0;\n }\n dctx->md = md;\n return 1;\n }\n\n case EVP_PKEY_CTRL_GET_MD:\n *(const EVP_MD **)p2 = dctx->md;\n return 1;\n\n case EVP_PKEY_CTRL_PEER_KEY:\n // Default behaviour is OK\n return 1;\n\n case EVP_PKEY_CTRL_EC_PARAMGEN_CURVE_NID: {\n const EC_GROUP *group = EC_GROUP_new_by_curve_name(p1);\n if (group == NULL) {\n return 0;\n }\n dctx->gen_group = group;\n return 1;\n }\n\n default:\n OPENSSL_PUT_ERROR(EVP, EVP_R_COMMAND_NOT_SUPPORTED);\n return 0;\n }\n}\n\nstatic int pkey_ec_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey) {\n EC_PKEY_CTX *dctx = reinterpret_cast(ctx->data);\n const EC_GROUP *group = dctx->gen_group;\n if (group == NULL) {\n if (ctx->pkey == NULL) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_NO_PARAMETERS_SET);\n return 0;\n }\n group = EC_KEY_get0_group(reinterpret_cast(ctx->pkey->pkey));\n }\n EC_KEY *ec = EC_KEY_new();\n if (ec == NULL || !EC_KEY_set_group(ec, group) || !EC_KEY_generate_key(ec)) {\n EC_KEY_free(ec);\n return 0;\n }\n EVP_PKEY_assign_EC_KEY(pkey, ec);\n return 1;\n}\n\nstatic int pkey_ec_paramgen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey) {\n EC_PKEY_CTX *dctx = reinterpret_cast(ctx->data);\n if (dctx->gen_group == NULL) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_NO_PARAMETERS_SET);\n return 0;\n }\n EC_KEY *ec = EC_KEY_new();\n if (ec == NULL || !EC_KEY_set_group(ec, dctx->gen_group)) {\n EC_KEY_free(ec);\n return 0;\n }\n EVP_PKEY_assign_EC_KEY(pkey, ec);\n return 1;\n}\n\nconst EVP_PKEY_METHOD ec_pkey_meth = {\n EVP_PKEY_EC,\n pkey_ec_init,\n pkey_ec_copy,\n pkey_ec_cleanup,\n pkey_ec_keygen,\n pkey_ec_sign,\n NULL /* sign_message */,\n pkey_ec_verify,\n NULL /* verify_message */,\n NULL /* verify_recover */,\n NULL /* encrypt */,\n NULL /* decrypt */,\n pkey_ec_derive,\n pkey_ec_paramgen,\n pkey_ec_ctrl,\n};\n\nint EVP_PKEY_CTX_set_ec_paramgen_curve_nid(EVP_PKEY_CTX *ctx, int nid) {\n return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_EC, EVP_PKEY_OP_TYPE_GEN,\n EVP_PKEY_CTRL_EC_PARAMGEN_CURVE_NID, nid, NULL);\n}\n\nint EVP_PKEY_CTX_set_ec_param_enc(EVP_PKEY_CTX *ctx, int encoding) {\n // BoringSSL only supports named curve syntax.\n if (encoding != OPENSSL_EC_NAMED_CURVE) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_PARAMETERS);\n return 0;\n }\n return 1;\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/evp/p_ec_asn1.cc", "content": "/*\n * Copyright 2006-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n#include \n#include \n#include \n#include \n#include \n\n#include \"internal.h\"\n\n\nstatic int eckey_pub_encode(CBB *out, const EVP_PKEY *key) {\n const EC_KEY *ec_key = reinterpret_cast(key->pkey);\n const EC_GROUP *group = EC_KEY_get0_group(ec_key);\n const EC_POINT *public_key = EC_KEY_get0_public_key(ec_key);\n\n // See RFC 5480, section 2.\n CBB spki, algorithm, oid, key_bitstring;\n if (!CBB_add_asn1(out, &spki, CBS_ASN1_SEQUENCE) ||\n !CBB_add_asn1(&spki, &algorithm, CBS_ASN1_SEQUENCE) ||\n !CBB_add_asn1(&algorithm, &oid, CBS_ASN1_OBJECT) ||\n !CBB_add_bytes(&oid, ec_asn1_meth.oid, ec_asn1_meth.oid_len) ||\n !EC_KEY_marshal_curve_name(&algorithm, group) ||\n !CBB_add_asn1(&spki, &key_bitstring, CBS_ASN1_BITSTRING) ||\n !CBB_add_u8(&key_bitstring, 0 /* padding */) ||\n !EC_POINT_point2cbb(&key_bitstring, group, public_key,\n POINT_CONVERSION_UNCOMPRESSED, NULL) ||\n !CBB_flush(out)) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_ENCODE_ERROR);\n return 0;\n }\n\n return 1;\n}\n\nstatic int eckey_pub_decode(EVP_PKEY *out, CBS *params, CBS *key) {\n // See RFC 5480, section 2.\n\n // The parameters are a named curve.\n const EC_GROUP *group = EC_KEY_parse_curve_name(params);\n if (group == NULL || CBS_len(params) != 0) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_DECODE_ERROR);\n return 0;\n }\n\n bssl::UniquePtr eckey(EC_KEY_new());\n if (eckey == nullptr || //\n !EC_KEY_set_group(eckey.get(), group) ||\n !EC_KEY_oct2key(eckey.get(), CBS_data(key), CBS_len(key), nullptr)) {\n return 0;\n }\n\n EVP_PKEY_assign_EC_KEY(out, eckey.release());\n return 1;\n}\n\nstatic int eckey_pub_cmp(const EVP_PKEY *a, const EVP_PKEY *b) {\n const EC_KEY *a_ec = reinterpret_cast(a->pkey);\n const EC_KEY *b_ec = reinterpret_cast(b->pkey);\n const EC_GROUP *group = EC_KEY_get0_group(b_ec);\n const EC_POINT *pa = EC_KEY_get0_public_key(a_ec),\n *pb = EC_KEY_get0_public_key(b_ec);\n int r = EC_POINT_cmp(group, pa, pb, NULL);\n if (r == 0) {\n return 1;\n } else if (r == 1) {\n return 0;\n } else {\n return -2;\n }\n}\n\nstatic int eckey_priv_decode(EVP_PKEY *out, CBS *params, CBS *key) {\n // See RFC 5915.\n const EC_GROUP *group = EC_KEY_parse_parameters(params);\n if (group == NULL || CBS_len(params) != 0) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_DECODE_ERROR);\n return 0;\n }\n\n EC_KEY *ec_key = EC_KEY_parse_private_key(key, group);\n if (ec_key == NULL || CBS_len(key) != 0) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_DECODE_ERROR);\n EC_KEY_free(ec_key);\n return 0;\n }\n\n EVP_PKEY_assign_EC_KEY(out, ec_key);\n return 1;\n}\n\nstatic int eckey_priv_encode(CBB *out, const EVP_PKEY *key) {\n const EC_KEY *ec_key = reinterpret_cast(key->pkey);\n\n // Omit the redundant copy of the curve name. This contradicts RFC 5915 but\n // aligns with PKCS #11. SEC 1 only says they may be omitted if known by other\n // means. Both OpenSSL and NSS omit the redundant parameters, so we omit them\n // as well.\n unsigned enc_flags = EC_KEY_get_enc_flags(ec_key) | EC_PKEY_NO_PARAMETERS;\n\n // See RFC 5915.\n CBB pkcs8, algorithm, oid, private_key;\n if (!CBB_add_asn1(out, &pkcs8, CBS_ASN1_SEQUENCE) ||\n !CBB_add_asn1_uint64(&pkcs8, 0 /* version */) ||\n !CBB_add_asn1(&pkcs8, &algorithm, CBS_ASN1_SEQUENCE) ||\n !CBB_add_asn1(&algorithm, &oid, CBS_ASN1_OBJECT) ||\n !CBB_add_bytes(&oid, ec_asn1_meth.oid, ec_asn1_meth.oid_len) ||\n !EC_KEY_marshal_curve_name(&algorithm, EC_KEY_get0_group(ec_key)) ||\n !CBB_add_asn1(&pkcs8, &private_key, CBS_ASN1_OCTETSTRING) ||\n !EC_KEY_marshal_private_key(&private_key, ec_key, enc_flags) ||\n !CBB_flush(out)) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_ENCODE_ERROR);\n return 0;\n }\n\n return 1;\n}\n\nstatic int eckey_set1_tls_encodedpoint(EVP_PKEY *pkey, const uint8_t *in,\n size_t len) {\n EC_KEY *ec_key = reinterpret_cast(pkey->pkey);\n if (ec_key == NULL) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_NO_KEY_SET);\n return 0;\n }\n\n return EC_KEY_oct2key(ec_key, in, len, NULL);\n}\n\nstatic size_t eckey_get1_tls_encodedpoint(const EVP_PKEY *pkey,\n uint8_t **out_ptr) {\n const EC_KEY *ec_key = reinterpret_cast(pkey->pkey);\n if (ec_key == NULL) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_NO_KEY_SET);\n return 0;\n }\n\n return EC_KEY_key2buf(ec_key, POINT_CONVERSION_UNCOMPRESSED, out_ptr, NULL);\n}\n\nstatic int int_ec_size(const EVP_PKEY *pkey) {\n const EC_KEY *ec_key = reinterpret_cast(pkey->pkey);\n return ECDSA_size(ec_key);\n}\n\nstatic int ec_bits(const EVP_PKEY *pkey) {\n const EC_KEY *ec_key = reinterpret_cast(pkey->pkey);\n const EC_GROUP *group = EC_KEY_get0_group(ec_key);\n if (group == NULL) {\n ERR_clear_error();\n return 0;\n }\n return EC_GROUP_order_bits(group);\n}\n\nstatic int ec_missing_parameters(const EVP_PKEY *pkey) {\n const EC_KEY *ec_key = reinterpret_cast(pkey->pkey);\n return ec_key == NULL || EC_KEY_get0_group(ec_key) == NULL;\n}\n\nstatic int ec_copy_parameters(EVP_PKEY *to, const EVP_PKEY *from) {\n const EC_KEY *from_key = reinterpret_cast(from->pkey);\n if (from_key == NULL) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_NO_KEY_SET);\n return 0;\n }\n const EC_GROUP *group = EC_KEY_get0_group(from_key);\n if (group == NULL) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_MISSING_PARAMETERS);\n return 0;\n }\n if (to->pkey == NULL) {\n to->pkey = EC_KEY_new();\n if (to->pkey == NULL) {\n return 0;\n }\n }\n return EC_KEY_set_group(reinterpret_cast(to->pkey), group);\n}\n\nstatic int ec_cmp_parameters(const EVP_PKEY *a, const EVP_PKEY *b) {\n const EC_KEY *a_ec = reinterpret_cast(a->pkey);\n const EC_KEY *b_ec = reinterpret_cast(b->pkey);\n if (a_ec == NULL || b_ec == NULL) {\n return -2;\n }\n const EC_GROUP *group_a = EC_KEY_get0_group(a_ec),\n *group_b = EC_KEY_get0_group(b_ec);\n if (group_a == NULL || group_b == NULL) {\n return -2;\n }\n if (EC_GROUP_cmp(group_a, group_b, NULL) != 0) {\n // mismatch\n return 0;\n }\n return 1;\n}\n\nstatic void int_ec_free(EVP_PKEY *pkey) {\n EC_KEY_free(reinterpret_cast(pkey->pkey));\n pkey->pkey = NULL;\n}\n\nstatic int eckey_opaque(const EVP_PKEY *pkey) {\n const EC_KEY *ec_key = reinterpret_cast(pkey->pkey);\n return EC_KEY_is_opaque(ec_key);\n}\n\nconst EVP_PKEY_ASN1_METHOD ec_asn1_meth = {\n EVP_PKEY_EC,\n // 1.2.840.10045.2.1\n {0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01},\n 7,\n\n &ec_pkey_meth,\n\n eckey_pub_decode,\n eckey_pub_encode,\n eckey_pub_cmp,\n\n eckey_priv_decode,\n eckey_priv_encode,\n\n /*set_priv_raw=*/NULL,\n /*set_pub_raw=*/NULL,\n /*get_priv_raw=*/NULL,\n /*get_pub_raw=*/NULL,\n eckey_set1_tls_encodedpoint,\n eckey_get1_tls_encodedpoint,\n\n eckey_opaque,\n\n int_ec_size,\n ec_bits,\n\n ec_missing_parameters,\n ec_copy_parameters,\n ec_cmp_parameters,\n\n int_ec_free,\n};\n\nint EVP_PKEY_set1_EC_KEY(EVP_PKEY *pkey, EC_KEY *key) {\n if (EVP_PKEY_assign_EC_KEY(pkey, key)) {\n EC_KEY_up_ref(key);\n return 1;\n }\n return 0;\n}\n\nint EVP_PKEY_assign_EC_KEY(EVP_PKEY *pkey, EC_KEY *key) {\n evp_pkey_set_method(pkey, &ec_asn1_meth);\n pkey->pkey = key;\n return key != NULL;\n}\n\nEC_KEY *EVP_PKEY_get0_EC_KEY(const EVP_PKEY *pkey) {\n if (pkey->type != EVP_PKEY_EC) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_EXPECTING_AN_EC_KEY_KEY);\n return NULL;\n }\n return reinterpret_cast(pkey->pkey);\n}\n\nEC_KEY *EVP_PKEY_get1_EC_KEY(const EVP_PKEY *pkey) {\n EC_KEY *ec_key = EVP_PKEY_get0_EC_KEY(pkey);\n if (ec_key != NULL) {\n EC_KEY_up_ref(ec_key);\n }\n return ec_key;\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/evp/p_ed25519.cc", "content": "/* Copyright 2017 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n#include \n\n#include \n#include \n#include \n\n#include \"internal.h\"\n\n\n// Ed25519 has no parameters to copy.\nstatic int pkey_ed25519_copy(EVP_PKEY_CTX *dst, EVP_PKEY_CTX *src) { return 1; }\n\nstatic int pkey_ed25519_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey) {\n ED25519_KEY *key =\n reinterpret_cast(OPENSSL_malloc(sizeof(ED25519_KEY)));\n if (key == NULL) {\n return 0;\n }\n\n evp_pkey_set_method(pkey, &ed25519_asn1_meth);\n\n uint8_t pubkey_unused[32];\n ED25519_keypair(pubkey_unused, key->key);\n key->has_private = 1;\n\n OPENSSL_free(pkey->pkey);\n pkey->pkey = key;\n return 1;\n}\n\nstatic int pkey_ed25519_sign_message(EVP_PKEY_CTX *ctx, uint8_t *sig,\n size_t *siglen, const uint8_t *tbs,\n size_t tbslen) {\n const ED25519_KEY *key =\n reinterpret_cast(ctx->pkey->pkey);\n if (!key->has_private) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_NOT_A_PRIVATE_KEY);\n return 0;\n }\n\n if (sig == NULL) {\n *siglen = 64;\n return 1;\n }\n\n if (*siglen < 64) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_BUFFER_TOO_SMALL);\n return 0;\n }\n\n if (!ED25519_sign(sig, tbs, tbslen, key->key)) {\n return 0;\n }\n\n *siglen = 64;\n return 1;\n}\n\nstatic int pkey_ed25519_verify_message(EVP_PKEY_CTX *ctx, const uint8_t *sig,\n size_t siglen, const uint8_t *tbs,\n size_t tbslen) {\n const ED25519_KEY *key =\n reinterpret_cast(ctx->pkey->pkey);\n if (siglen != 64 ||\n !ED25519_verify(tbs, tbslen, sig, key->key + ED25519_PUBLIC_KEY_OFFSET)) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_SIGNATURE);\n return 0;\n }\n\n return 1;\n}\n\nconst EVP_PKEY_METHOD ed25519_pkey_meth = {\n /*pkey_id=*/EVP_PKEY_ED25519,\n /*init=*/nullptr,\n /*copy=*/pkey_ed25519_copy,\n /*cleanup=*/nullptr,\n /*keygen=*/pkey_ed25519_keygen,\n /*sign=*/nullptr,\n /*sign_message=*/pkey_ed25519_sign_message,\n /*verify=*/nullptr,\n /*verify_message=*/pkey_ed25519_verify_message,\n /*verify_recover=*/nullptr,\n /*encrypt=*/nullptr,\n /*decrypt=*/nullptr,\n /*derive=*/nullptr,\n /*paramgen=*/nullptr,\n /*ctrl=*/nullptr,\n};\n" }, { "path": "Sources/CNIOBoringSSL/crypto/evp/p_ed25519_asn1.cc", "content": "/* Copyright 2017 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n#include \n\n#include \n#include \n#include \n#include \n\n#include \"../internal.h\"\n#include \"internal.h\"\n\n\nstatic void ed25519_free(EVP_PKEY *pkey) {\n OPENSSL_free(pkey->pkey);\n pkey->pkey = NULL;\n}\n\nstatic int ed25519_set_priv_raw(EVP_PKEY *pkey, const uint8_t *in, size_t len) {\n if (len != 32) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_DECODE_ERROR);\n return 0;\n }\n\n ED25519_KEY *key =\n reinterpret_cast(OPENSSL_malloc(sizeof(ED25519_KEY)));\n if (key == NULL) {\n return 0;\n }\n\n // The RFC 8032 encoding stores only the 32-byte seed, so we must recover the\n // full representation which we use from it.\n uint8_t pubkey_unused[32];\n ED25519_keypair_from_seed(pubkey_unused, key->key, in);\n key->has_private = 1;\n\n ed25519_free(pkey);\n pkey->pkey = key;\n return 1;\n}\n\nstatic int ed25519_set_pub_raw(EVP_PKEY *pkey, const uint8_t *in, size_t len) {\n if (len != 32) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_DECODE_ERROR);\n return 0;\n }\n\n ED25519_KEY *key =\n reinterpret_cast(OPENSSL_malloc(sizeof(ED25519_KEY)));\n if (key == NULL) {\n return 0;\n }\n\n OPENSSL_memcpy(key->key + ED25519_PUBLIC_KEY_OFFSET, in, 32);\n key->has_private = 0;\n\n ed25519_free(pkey);\n pkey->pkey = key;\n return 1;\n}\n\nstatic int ed25519_get_priv_raw(const EVP_PKEY *pkey, uint8_t *out,\n size_t *out_len) {\n const ED25519_KEY *key = reinterpret_cast(pkey->pkey);\n if (!key->has_private) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_NOT_A_PRIVATE_KEY);\n return 0;\n }\n\n if (out == NULL) {\n *out_len = 32;\n return 1;\n }\n\n if (*out_len < 32) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_BUFFER_TOO_SMALL);\n return 0;\n }\n\n // The raw private key format is the first 32 bytes of the private key.\n OPENSSL_memcpy(out, key->key, 32);\n *out_len = 32;\n return 1;\n}\n\nstatic int ed25519_get_pub_raw(const EVP_PKEY *pkey, uint8_t *out,\n size_t *out_len) {\n const ED25519_KEY *key = reinterpret_cast(pkey->pkey);\n if (out == NULL) {\n *out_len = 32;\n return 1;\n }\n\n if (*out_len < 32) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_BUFFER_TOO_SMALL);\n return 0;\n }\n\n OPENSSL_memcpy(out, key->key + ED25519_PUBLIC_KEY_OFFSET, 32);\n *out_len = 32;\n return 1;\n}\n\nstatic int ed25519_pub_decode(EVP_PKEY *out, CBS *params, CBS *key) {\n // See RFC 8410, section 4.\n\n // The parameters must be omitted. Public keys have length 32.\n if (CBS_len(params) != 0) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_DECODE_ERROR);\n return 0;\n }\n\n return ed25519_set_pub_raw(out, CBS_data(key), CBS_len(key));\n}\n\nstatic int ed25519_pub_encode(CBB *out, const EVP_PKEY *pkey) {\n const ED25519_KEY *key = reinterpret_cast(pkey->pkey);\n\n // See RFC 8410, section 4.\n CBB spki, algorithm, oid, key_bitstring;\n if (!CBB_add_asn1(out, &spki, CBS_ASN1_SEQUENCE) ||\n !CBB_add_asn1(&spki, &algorithm, CBS_ASN1_SEQUENCE) ||\n !CBB_add_asn1(&algorithm, &oid, CBS_ASN1_OBJECT) ||\n !CBB_add_bytes(&oid, ed25519_asn1_meth.oid, ed25519_asn1_meth.oid_len) ||\n !CBB_add_asn1(&spki, &key_bitstring, CBS_ASN1_BITSTRING) ||\n !CBB_add_u8(&key_bitstring, 0 /* padding */) ||\n !CBB_add_bytes(&key_bitstring, key->key + ED25519_PUBLIC_KEY_OFFSET,\n 32) ||\n !CBB_flush(out)) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_ENCODE_ERROR);\n return 0;\n }\n\n return 1;\n}\n\nstatic int ed25519_pub_cmp(const EVP_PKEY *a, const EVP_PKEY *b) {\n const ED25519_KEY *a_key = reinterpret_cast(a->pkey);\n const ED25519_KEY *b_key = reinterpret_cast(b->pkey);\n return OPENSSL_memcmp(a_key->key + ED25519_PUBLIC_KEY_OFFSET,\n b_key->key + ED25519_PUBLIC_KEY_OFFSET, 32) == 0;\n}\n\nstatic int ed25519_priv_decode(EVP_PKEY *out, CBS *params, CBS *key) {\n // See RFC 8410, section 7.\n\n // Parameters must be empty. The key is a 32-byte value wrapped in an extra\n // OCTET STRING layer.\n CBS inner;\n if (CBS_len(params) != 0 ||\n !CBS_get_asn1(key, &inner, CBS_ASN1_OCTETSTRING) || CBS_len(key) != 0) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_DECODE_ERROR);\n return 0;\n }\n\n return ed25519_set_priv_raw(out, CBS_data(&inner), CBS_len(&inner));\n}\n\nstatic int ed25519_priv_encode(CBB *out, const EVP_PKEY *pkey) {\n const ED25519_KEY *key = reinterpret_cast(pkey->pkey);\n if (!key->has_private) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_NOT_A_PRIVATE_KEY);\n return 0;\n }\n\n // See RFC 8410, section 7.\n CBB pkcs8, algorithm, oid, private_key, inner;\n if (!CBB_add_asn1(out, &pkcs8, CBS_ASN1_SEQUENCE) ||\n !CBB_add_asn1_uint64(&pkcs8, 0 /* version */) ||\n !CBB_add_asn1(&pkcs8, &algorithm, CBS_ASN1_SEQUENCE) ||\n !CBB_add_asn1(&algorithm, &oid, CBS_ASN1_OBJECT) ||\n !CBB_add_bytes(&oid, ed25519_asn1_meth.oid, ed25519_asn1_meth.oid_len) ||\n !CBB_add_asn1(&pkcs8, &private_key, CBS_ASN1_OCTETSTRING) ||\n !CBB_add_asn1(&private_key, &inner, CBS_ASN1_OCTETSTRING) ||\n // The PKCS#8 encoding stores only the 32-byte seed which is the first 32\n // bytes of the private key.\n !CBB_add_bytes(&inner, key->key, 32) || //\n !CBB_flush(out)) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_ENCODE_ERROR);\n return 0;\n }\n\n return 1;\n}\n\nstatic int ed25519_size(const EVP_PKEY *pkey) { return 64; }\n\nstatic int ed25519_bits(const EVP_PKEY *pkey) { return 253; }\n\nconst EVP_PKEY_ASN1_METHOD ed25519_asn1_meth = {\n EVP_PKEY_ED25519,\n {0x2b, 0x65, 0x70},\n 3,\n &ed25519_pkey_meth,\n ed25519_pub_decode,\n ed25519_pub_encode,\n ed25519_pub_cmp,\n ed25519_priv_decode,\n ed25519_priv_encode,\n ed25519_set_priv_raw,\n ed25519_set_pub_raw,\n ed25519_get_priv_raw,\n ed25519_get_pub_raw,\n /*set1_tls_encodedpoint=*/NULL,\n /*get1_tls_encodedpoint=*/NULL,\n /*pkey_opaque=*/NULL,\n ed25519_size,\n ed25519_bits,\n /*param_missing=*/NULL,\n /*param_copy=*/NULL,\n /*param_cmp=*/NULL,\n ed25519_free,\n};\n" }, { "path": "Sources/CNIOBoringSSL/crypto/evp/p_hkdf.cc", "content": "/* Copyright 2022 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n#include \n\n#include \n#include \n#include \n#include \n#include \n\n#include \"../internal.h\"\n#include \"internal.h\"\n\n\ntypedef struct {\n int mode;\n const EVP_MD *md;\n uint8_t *key;\n size_t key_len;\n uint8_t *salt;\n size_t salt_len;\n CBB info;\n} HKDF_PKEY_CTX;\n\nstatic int pkey_hkdf_init(EVP_PKEY_CTX *ctx) {\n HKDF_PKEY_CTX *hctx =\n reinterpret_cast(OPENSSL_zalloc(sizeof(HKDF_PKEY_CTX)));\n if (hctx == NULL) {\n return 0;\n }\n\n if (!CBB_init(&hctx->info, 0)) {\n OPENSSL_free(hctx);\n return 0;\n }\n\n ctx->data = hctx;\n return 1;\n}\n\nstatic int pkey_hkdf_copy(EVP_PKEY_CTX *dst, EVP_PKEY_CTX *src) {\n if (!pkey_hkdf_init(dst)) {\n return 0;\n }\n\n HKDF_PKEY_CTX *hctx_dst = reinterpret_cast(dst->data);\n const HKDF_PKEY_CTX *hctx_src =\n reinterpret_cast(src->data);\n hctx_dst->mode = hctx_src->mode;\n hctx_dst->md = hctx_src->md;\n\n if (hctx_src->key_len != 0) {\n hctx_dst->key = reinterpret_cast(\n OPENSSL_memdup(hctx_src->key, hctx_src->key_len));\n if (hctx_dst->key == NULL) {\n return 0;\n }\n hctx_dst->key_len = hctx_src->key_len;\n }\n\n if (hctx_src->salt_len != 0) {\n hctx_dst->salt = reinterpret_cast(\n OPENSSL_memdup(hctx_src->salt, hctx_src->salt_len));\n if (hctx_dst->salt == NULL) {\n return 0;\n }\n hctx_dst->salt_len = hctx_src->salt_len;\n }\n\n if (!CBB_add_bytes(&hctx_dst->info, CBB_data(&hctx_src->info),\n CBB_len(&hctx_src->info))) {\n return 0;\n }\n\n return 1;\n}\n\nstatic void pkey_hkdf_cleanup(EVP_PKEY_CTX *ctx) {\n HKDF_PKEY_CTX *hctx = reinterpret_cast(ctx->data);\n if (hctx != NULL) {\n OPENSSL_free(hctx->key);\n OPENSSL_free(hctx->salt);\n CBB_cleanup(&hctx->info);\n OPENSSL_free(hctx);\n ctx->data = NULL;\n }\n}\n\nstatic int pkey_hkdf_derive(EVP_PKEY_CTX *ctx, uint8_t *out, size_t *out_len) {\n HKDF_PKEY_CTX *hctx = reinterpret_cast(ctx->data);\n if (hctx->md == NULL) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_MISSING_PARAMETERS);\n return 0;\n }\n if (hctx->key_len == 0) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_NO_KEY_SET);\n return 0;\n }\n\n if (out == NULL) {\n if (hctx->mode == EVP_PKEY_HKDEF_MODE_EXTRACT_ONLY) {\n *out_len = EVP_MD_size(hctx->md);\n }\n // HKDF-Expand is variable-length and returns |*out_len| bytes. \"Output\" the\n // input length by leaving it alone.\n return 1;\n }\n\n switch (hctx->mode) {\n case EVP_PKEY_HKDEF_MODE_EXTRACT_AND_EXPAND:\n return HKDF(out, *out_len, hctx->md, hctx->key, hctx->key_len, hctx->salt,\n hctx->salt_len, CBB_data(&hctx->info), CBB_len(&hctx->info));\n\n case EVP_PKEY_HKDEF_MODE_EXTRACT_ONLY:\n if (*out_len < EVP_MD_size(hctx->md)) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_BUFFER_TOO_SMALL);\n return 0;\n }\n return HKDF_extract(out, out_len, hctx->md, hctx->key, hctx->key_len,\n hctx->salt, hctx->salt_len);\n\n case EVP_PKEY_HKDEF_MODE_EXPAND_ONLY:\n return HKDF_expand(out, *out_len, hctx->md, hctx->key, hctx->key_len,\n CBB_data(&hctx->info), CBB_len(&hctx->info));\n }\n OPENSSL_PUT_ERROR(EVP, ERR_R_INTERNAL_ERROR);\n return 0;\n}\n\nstatic int pkey_hkdf_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2) {\n HKDF_PKEY_CTX *hctx = reinterpret_cast(ctx->data);\n switch (type) {\n case EVP_PKEY_CTRL_HKDF_MODE:\n if (p1 != EVP_PKEY_HKDEF_MODE_EXTRACT_AND_EXPAND &&\n p1 != EVP_PKEY_HKDEF_MODE_EXTRACT_ONLY &&\n p1 != EVP_PKEY_HKDEF_MODE_EXPAND_ONLY) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_OPERATION);\n return 0;\n }\n hctx->mode = p1;\n return 1;\n case EVP_PKEY_CTRL_HKDF_MD:\n hctx->md = reinterpret_cast(p2);\n return 1;\n case EVP_PKEY_CTRL_HKDF_KEY: {\n const CBS *key = reinterpret_cast(p2);\n if (!CBS_stow(key, &hctx->key, &hctx->key_len)) {\n return 0;\n }\n return 1;\n }\n case EVP_PKEY_CTRL_HKDF_SALT: {\n const CBS *salt = reinterpret_cast(p2);\n if (!CBS_stow(salt, &hctx->salt, &hctx->salt_len)) {\n return 0;\n }\n return 1;\n }\n case EVP_PKEY_CTRL_HKDF_INFO: {\n const CBS *info = reinterpret_cast(p2);\n // |EVP_PKEY_CTX_add1_hkdf_info| appends to the info string, rather than\n // replacing it.\n if (!CBB_add_bytes(&hctx->info, CBS_data(info), CBS_len(info))) {\n return 0;\n }\n return 1;\n }\n default:\n OPENSSL_PUT_ERROR(EVP, EVP_R_COMMAND_NOT_SUPPORTED);\n return 0;\n }\n}\n\nconst EVP_PKEY_METHOD hkdf_pkey_meth = {\n /*pkey_id=*/EVP_PKEY_HKDF,\n pkey_hkdf_init,\n pkey_hkdf_copy,\n pkey_hkdf_cleanup,\n /*keygen=*/NULL,\n /*sign=*/NULL,\n /*sign_message=*/NULL,\n /*verify=*/NULL,\n /*verify_message=*/NULL,\n /*verify_recover=*/NULL,\n /*encrypt=*/NULL,\n /*decrypt=*/NULL,\n pkey_hkdf_derive,\n /*paramgen=*/NULL,\n pkey_hkdf_ctrl,\n};\n\nint EVP_PKEY_CTX_hkdf_mode(EVP_PKEY_CTX *ctx, int mode) {\n return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_HKDF, EVP_PKEY_OP_DERIVE,\n EVP_PKEY_CTRL_HKDF_MODE, mode, NULL);\n}\n\nint EVP_PKEY_CTX_set_hkdf_md(EVP_PKEY_CTX *ctx, const EVP_MD *md) {\n return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_HKDF, EVP_PKEY_OP_DERIVE,\n EVP_PKEY_CTRL_HKDF_MD, 0, (void *)md);\n}\n\nint EVP_PKEY_CTX_set1_hkdf_key(EVP_PKEY_CTX *ctx, const uint8_t *key,\n size_t key_len) {\n CBS cbs;\n CBS_init(&cbs, key, key_len);\n return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_HKDF, EVP_PKEY_OP_DERIVE,\n EVP_PKEY_CTRL_HKDF_KEY, 0, &cbs);\n}\n\nint EVP_PKEY_CTX_set1_hkdf_salt(EVP_PKEY_CTX *ctx, const uint8_t *salt,\n size_t salt_len) {\n CBS cbs;\n CBS_init(&cbs, salt, salt_len);\n return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_HKDF, EVP_PKEY_OP_DERIVE,\n EVP_PKEY_CTRL_HKDF_SALT, 0, &cbs);\n}\n\nint EVP_PKEY_CTX_add1_hkdf_info(EVP_PKEY_CTX *ctx, const uint8_t *info,\n size_t info_len) {\n CBS cbs;\n CBS_init(&cbs, info, info_len);\n return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_HKDF, EVP_PKEY_OP_DERIVE,\n EVP_PKEY_CTRL_HKDF_INFO, 0, &cbs);\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/evp/p_rsa.cc", "content": "/*\n * Copyright 2006-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n#include \n\n#include \n#include \n#include \n#include \n#include \n#include \n#include \n\n#include \"../internal.h\"\n#include \"../rsa/internal.h\"\n#include \"internal.h\"\n\n\ntypedef struct {\n // Key gen parameters\n int nbits;\n BIGNUM *pub_exp;\n // RSA padding mode\n int pad_mode;\n // message digest\n const EVP_MD *md;\n // message digest for MGF1\n const EVP_MD *mgf1md;\n // PSS salt length\n int saltlen;\n // tbuf is a buffer which is either NULL, or is the size of the RSA modulus.\n // It's used to store the output of RSA operations.\n uint8_t *tbuf;\n // OAEP label\n uint8_t *oaep_label;\n size_t oaep_labellen;\n} RSA_PKEY_CTX;\n\ntypedef struct {\n uint8_t *data;\n size_t len;\n} RSA_OAEP_LABEL_PARAMS;\n\nstatic int pkey_rsa_init(EVP_PKEY_CTX *ctx) {\n RSA_PKEY_CTX *rctx =\n reinterpret_cast(OPENSSL_zalloc(sizeof(RSA_PKEY_CTX)));\n if (!rctx) {\n return 0;\n }\n\n rctx->nbits = 2048;\n rctx->pad_mode = RSA_PKCS1_PADDING;\n rctx->saltlen = -2;\n\n ctx->data = rctx;\n\n return 1;\n}\n\nstatic int pkey_rsa_copy(EVP_PKEY_CTX *dst, EVP_PKEY_CTX *src) {\n RSA_PKEY_CTX *dctx, *sctx;\n if (!pkey_rsa_init(dst)) {\n return 0;\n }\n sctx = reinterpret_cast(src->data);\n dctx = reinterpret_cast(dst->data);\n dctx->nbits = sctx->nbits;\n if (sctx->pub_exp) {\n dctx->pub_exp = BN_dup(sctx->pub_exp);\n if (!dctx->pub_exp) {\n return 0;\n }\n }\n\n dctx->pad_mode = sctx->pad_mode;\n dctx->md = sctx->md;\n dctx->mgf1md = sctx->mgf1md;\n dctx->saltlen = sctx->saltlen;\n if (sctx->oaep_label) {\n OPENSSL_free(dctx->oaep_label);\n dctx->oaep_label = reinterpret_cast(\n OPENSSL_memdup(sctx->oaep_label, sctx->oaep_labellen));\n if (!dctx->oaep_label) {\n return 0;\n }\n dctx->oaep_labellen = sctx->oaep_labellen;\n }\n\n return 1;\n}\n\nstatic void pkey_rsa_cleanup(EVP_PKEY_CTX *ctx) {\n RSA_PKEY_CTX *rctx = reinterpret_cast(ctx->data);\n\n if (rctx == NULL) {\n return;\n }\n\n BN_free(rctx->pub_exp);\n OPENSSL_free(rctx->tbuf);\n OPENSSL_free(rctx->oaep_label);\n OPENSSL_free(rctx);\n}\n\nstatic int setup_tbuf(RSA_PKEY_CTX *ctx, EVP_PKEY_CTX *pk) {\n if (ctx->tbuf) {\n return 1;\n }\n ctx->tbuf =\n reinterpret_cast(OPENSSL_malloc(EVP_PKEY_size(pk->pkey)));\n if (!ctx->tbuf) {\n return 0;\n }\n return 1;\n}\n\nstatic int pkey_rsa_sign(EVP_PKEY_CTX *ctx, uint8_t *sig, size_t *siglen,\n const uint8_t *tbs, size_t tbslen) {\n RSA_PKEY_CTX *rctx = reinterpret_cast(ctx->data);\n RSA *rsa = reinterpret_cast(ctx->pkey->pkey);\n const size_t key_len = EVP_PKEY_size(ctx->pkey);\n\n if (!sig) {\n *siglen = key_len;\n return 1;\n }\n\n if (*siglen < key_len) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_BUFFER_TOO_SMALL);\n return 0;\n }\n\n if (rctx->md) {\n unsigned out_len;\n switch (rctx->pad_mode) {\n case RSA_PKCS1_PADDING:\n if (!RSA_sign(EVP_MD_type(rctx->md), tbs, tbslen, sig, &out_len, rsa)) {\n return 0;\n }\n *siglen = out_len;\n return 1;\n\n case RSA_PKCS1_PSS_PADDING:\n return RSA_sign_pss_mgf1(rsa, siglen, sig, *siglen, tbs, tbslen,\n rctx->md, rctx->mgf1md, rctx->saltlen);\n\n default:\n return 0;\n }\n }\n\n return RSA_sign_raw(rsa, siglen, sig, *siglen, tbs, tbslen, rctx->pad_mode);\n}\n\nstatic int pkey_rsa_verify(EVP_PKEY_CTX *ctx, const uint8_t *sig, size_t siglen,\n const uint8_t *tbs, size_t tbslen) {\n RSA_PKEY_CTX *rctx = reinterpret_cast(ctx->data);\n RSA *rsa = reinterpret_cast(ctx->pkey->pkey);\n\n if (rctx->md) {\n switch (rctx->pad_mode) {\n case RSA_PKCS1_PADDING:\n return RSA_verify(EVP_MD_type(rctx->md), tbs, tbslen, sig, siglen, rsa);\n\n case RSA_PKCS1_PSS_PADDING:\n return RSA_verify_pss_mgf1(rsa, tbs, tbslen, rctx->md, rctx->mgf1md,\n rctx->saltlen, sig, siglen);\n\n default:\n return 0;\n }\n }\n\n size_t rslen;\n const size_t key_len = EVP_PKEY_size(ctx->pkey);\n if (!setup_tbuf(rctx, ctx) ||\n !RSA_verify_raw(rsa, &rslen, rctx->tbuf, key_len, sig, siglen,\n rctx->pad_mode)) {\n return 0;\n }\n if (rslen != tbslen || CRYPTO_memcmp(tbs, rctx->tbuf, rslen) != 0) {\n OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_SIGNATURE);\n return 0;\n }\n\n return 1;\n}\n\nstatic int pkey_rsa_verify_recover(EVP_PKEY_CTX *ctx, uint8_t *out,\n size_t *out_len, const uint8_t *sig,\n size_t sig_len) {\n RSA_PKEY_CTX *rctx = reinterpret_cast(ctx->data);\n RSA *rsa = reinterpret_cast(ctx->pkey->pkey);\n const size_t key_len = EVP_PKEY_size(ctx->pkey);\n\n if (out == NULL) {\n *out_len = key_len;\n return 1;\n }\n\n if (*out_len < key_len) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_BUFFER_TOO_SMALL);\n return 0;\n }\n\n if (rctx->md == NULL) {\n return RSA_verify_raw(rsa, out_len, out, *out_len, sig, sig_len,\n rctx->pad_mode);\n }\n\n if (rctx->pad_mode != RSA_PKCS1_PADDING) {\n return 0;\n }\n\n // Assemble the encoded hash, using a placeholder hash value.\n static const uint8_t kDummyHash[EVP_MAX_MD_SIZE] = {0};\n const size_t hash_len = EVP_MD_size(rctx->md);\n uint8_t *asn1_prefix;\n size_t asn1_prefix_len;\n int asn1_prefix_allocated;\n if (!setup_tbuf(rctx, ctx) ||\n !RSA_add_pkcs1_prefix(&asn1_prefix, &asn1_prefix_len,\n &asn1_prefix_allocated, EVP_MD_type(rctx->md),\n kDummyHash, hash_len)) {\n return 0;\n }\n\n size_t rslen;\n int ok = 1;\n if (!RSA_verify_raw(rsa, &rslen, rctx->tbuf, key_len, sig, sig_len,\n RSA_PKCS1_PADDING) ||\n rslen != asn1_prefix_len ||\n // Compare all but the hash suffix.\n CRYPTO_memcmp(rctx->tbuf, asn1_prefix, asn1_prefix_len - hash_len) != 0) {\n ok = 0;\n }\n\n if (asn1_prefix_allocated) {\n OPENSSL_free(asn1_prefix);\n }\n\n if (!ok) {\n return 0;\n }\n\n if (out != NULL) {\n OPENSSL_memcpy(out, rctx->tbuf + rslen - hash_len, hash_len);\n }\n *out_len = hash_len;\n\n return 1;\n}\n\nstatic int pkey_rsa_encrypt(EVP_PKEY_CTX *ctx, uint8_t *out, size_t *outlen,\n const uint8_t *in, size_t inlen) {\n RSA_PKEY_CTX *rctx = reinterpret_cast(ctx->data);\n RSA *rsa = reinterpret_cast(ctx->pkey->pkey);\n const size_t key_len = EVP_PKEY_size(ctx->pkey);\n\n if (!out) {\n *outlen = key_len;\n return 1;\n }\n\n if (*outlen < key_len) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_BUFFER_TOO_SMALL);\n return 0;\n }\n\n if (rctx->pad_mode == RSA_PKCS1_OAEP_PADDING) {\n if (!setup_tbuf(rctx, ctx) ||\n !RSA_padding_add_PKCS1_OAEP_mgf1(rctx->tbuf, key_len, in, inlen,\n rctx->oaep_label, rctx->oaep_labellen,\n rctx->md, rctx->mgf1md) ||\n !RSA_encrypt(rsa, outlen, out, *outlen, rctx->tbuf, key_len,\n RSA_NO_PADDING)) {\n return 0;\n }\n return 1;\n }\n\n return RSA_encrypt(rsa, outlen, out, *outlen, in, inlen, rctx->pad_mode);\n}\n\nstatic int pkey_rsa_decrypt(EVP_PKEY_CTX *ctx, uint8_t *out, size_t *outlen,\n const uint8_t *in, size_t inlen) {\n RSA_PKEY_CTX *rctx = reinterpret_cast(ctx->data);\n RSA *rsa = reinterpret_cast(ctx->pkey->pkey);\n const size_t key_len = EVP_PKEY_size(ctx->pkey);\n\n if (!out) {\n *outlen = key_len;\n return 1;\n }\n\n if (*outlen < key_len) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_BUFFER_TOO_SMALL);\n return 0;\n }\n\n if (rctx->pad_mode == RSA_PKCS1_OAEP_PADDING) {\n size_t padded_len;\n if (!setup_tbuf(rctx, ctx) ||\n !RSA_decrypt(rsa, &padded_len, rctx->tbuf, key_len, in, inlen,\n RSA_NO_PADDING) ||\n !RSA_padding_check_PKCS1_OAEP_mgf1(\n out, outlen, key_len, rctx->tbuf, padded_len, rctx->oaep_label,\n rctx->oaep_labellen, rctx->md, rctx->mgf1md)) {\n return 0;\n }\n return 1;\n }\n\n return RSA_decrypt(rsa, outlen, out, key_len, in, inlen, rctx->pad_mode);\n}\n\nstatic int check_padding_md(const EVP_MD *md, int padding) {\n if (!md) {\n return 1;\n }\n\n if (padding == RSA_NO_PADDING) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_PADDING_MODE);\n return 0;\n }\n\n return 1;\n}\n\nstatic int is_known_padding(int padding_mode) {\n switch (padding_mode) {\n case RSA_PKCS1_PADDING:\n case RSA_NO_PADDING:\n case RSA_PKCS1_OAEP_PADDING:\n case RSA_PKCS1_PSS_PADDING:\n return 1;\n default:\n return 0;\n }\n}\n\nstatic int pkey_rsa_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2) {\n RSA_PKEY_CTX *rctx = reinterpret_cast(ctx->data);\n switch (type) {\n case EVP_PKEY_CTRL_RSA_PADDING:\n if (!is_known_padding(p1) || !check_padding_md(rctx->md, p1) ||\n (p1 == RSA_PKCS1_PSS_PADDING &&\n 0 == (ctx->operation & (EVP_PKEY_OP_SIGN | EVP_PKEY_OP_VERIFY))) ||\n (p1 == RSA_PKCS1_OAEP_PADDING &&\n 0 == (ctx->operation & EVP_PKEY_OP_TYPE_CRYPT))) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE);\n return 0;\n }\n if ((p1 == RSA_PKCS1_PSS_PADDING || p1 == RSA_PKCS1_OAEP_PADDING) &&\n rctx->md == NULL) {\n rctx->md = EVP_sha1();\n }\n rctx->pad_mode = p1;\n return 1;\n\n case EVP_PKEY_CTRL_GET_RSA_PADDING:\n *(int *)p2 = rctx->pad_mode;\n return 1;\n\n case EVP_PKEY_CTRL_RSA_PSS_SALTLEN:\n case EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN:\n if (rctx->pad_mode != RSA_PKCS1_PSS_PADDING) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_PSS_SALTLEN);\n return 0;\n }\n if (type == EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN) {\n *(int *)p2 = rctx->saltlen;\n } else {\n if (p1 < -2) {\n return 0;\n }\n rctx->saltlen = p1;\n }\n return 1;\n\n case EVP_PKEY_CTRL_RSA_KEYGEN_BITS:\n if (p1 < 256) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_KEYBITS);\n return 0;\n }\n rctx->nbits = p1;\n return 1;\n\n case EVP_PKEY_CTRL_RSA_KEYGEN_PUBEXP:\n if (!p2) {\n return 0;\n }\n BN_free(rctx->pub_exp);\n rctx->pub_exp = reinterpret_cast(p2);\n return 1;\n\n case EVP_PKEY_CTRL_RSA_OAEP_MD:\n case EVP_PKEY_CTRL_GET_RSA_OAEP_MD:\n if (rctx->pad_mode != RSA_PKCS1_OAEP_PADDING) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_PADDING_MODE);\n return 0;\n }\n if (type == EVP_PKEY_CTRL_GET_RSA_OAEP_MD) {\n *(const EVP_MD **)p2 = rctx->md;\n } else {\n rctx->md = reinterpret_cast(p2);\n }\n return 1;\n\n case EVP_PKEY_CTRL_MD:\n if (!check_padding_md(reinterpret_cast(p2), rctx->pad_mode)) {\n return 0;\n }\n rctx->md = reinterpret_cast(p2);\n return 1;\n\n case EVP_PKEY_CTRL_GET_MD:\n *(const EVP_MD **)p2 = rctx->md;\n return 1;\n\n case EVP_PKEY_CTRL_RSA_MGF1_MD:\n case EVP_PKEY_CTRL_GET_RSA_MGF1_MD:\n if (rctx->pad_mode != RSA_PKCS1_PSS_PADDING &&\n rctx->pad_mode != RSA_PKCS1_OAEP_PADDING) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_MGF1_MD);\n return 0;\n }\n if (type == EVP_PKEY_CTRL_GET_RSA_MGF1_MD) {\n if (rctx->mgf1md) {\n *(const EVP_MD **)p2 = rctx->mgf1md;\n } else {\n *(const EVP_MD **)p2 = rctx->md;\n }\n } else {\n rctx->mgf1md = reinterpret_cast(p2);\n }\n return 1;\n\n case EVP_PKEY_CTRL_RSA_OAEP_LABEL: {\n if (rctx->pad_mode != RSA_PKCS1_OAEP_PADDING) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_PADDING_MODE);\n return 0;\n }\n OPENSSL_free(rctx->oaep_label);\n RSA_OAEP_LABEL_PARAMS *params =\n reinterpret_cast(p2);\n rctx->oaep_label = params->data;\n rctx->oaep_labellen = params->len;\n return 1;\n }\n\n case EVP_PKEY_CTRL_GET_RSA_OAEP_LABEL:\n if (rctx->pad_mode != RSA_PKCS1_OAEP_PADDING) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_PADDING_MODE);\n return 0;\n }\n CBS_init((CBS *)p2, rctx->oaep_label, rctx->oaep_labellen);\n return 1;\n\n default:\n OPENSSL_PUT_ERROR(EVP, EVP_R_COMMAND_NOT_SUPPORTED);\n return 0;\n }\n}\n\nstatic int pkey_rsa_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey) {\n RSA *rsa = NULL;\n RSA_PKEY_CTX *rctx = reinterpret_cast(ctx->data);\n\n if (!rctx->pub_exp) {\n rctx->pub_exp = BN_new();\n if (!rctx->pub_exp || !BN_set_word(rctx->pub_exp, RSA_F4)) {\n return 0;\n }\n }\n rsa = RSA_new();\n if (!rsa) {\n return 0;\n }\n\n if (!RSA_generate_key_ex(rsa, rctx->nbits, rctx->pub_exp, NULL)) {\n RSA_free(rsa);\n return 0;\n }\n\n EVP_PKEY_assign_RSA(pkey, rsa);\n return 1;\n}\n\nconst EVP_PKEY_METHOD rsa_pkey_meth = {\n EVP_PKEY_RSA,\n pkey_rsa_init,\n pkey_rsa_copy,\n pkey_rsa_cleanup,\n pkey_rsa_keygen,\n pkey_rsa_sign,\n NULL /* sign_message */,\n pkey_rsa_verify,\n NULL /* verify_message */,\n pkey_rsa_verify_recover,\n pkey_rsa_encrypt,\n pkey_rsa_decrypt,\n NULL /* derive */,\n NULL /* paramgen */,\n pkey_rsa_ctrl,\n};\n\nint EVP_PKEY_CTX_set_rsa_padding(EVP_PKEY_CTX *ctx, int padding) {\n return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, -1, EVP_PKEY_CTRL_RSA_PADDING,\n padding, NULL);\n}\n\nint EVP_PKEY_CTX_get_rsa_padding(EVP_PKEY_CTX *ctx, int *out_padding) {\n return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, -1, EVP_PKEY_CTRL_GET_RSA_PADDING,\n 0, out_padding);\n}\n\nint EVP_PKEY_CTX_set_rsa_pss_keygen_md(EVP_PKEY_CTX *ctx, const EVP_MD *md) {\n return 0;\n}\n\nint EVP_PKEY_CTX_set_rsa_pss_keygen_saltlen(EVP_PKEY_CTX *ctx, int salt_len) {\n return 0;\n}\n\nint EVP_PKEY_CTX_set_rsa_pss_keygen_mgf1_md(EVP_PKEY_CTX *ctx,\n const EVP_MD *md) {\n return 0;\n}\n\nint EVP_PKEY_CTX_set_rsa_pss_saltlen(EVP_PKEY_CTX *ctx, int salt_len) {\n return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA,\n (EVP_PKEY_OP_SIGN | EVP_PKEY_OP_VERIFY),\n EVP_PKEY_CTRL_RSA_PSS_SALTLEN, salt_len, NULL);\n}\n\nint EVP_PKEY_CTX_get_rsa_pss_saltlen(EVP_PKEY_CTX *ctx, int *out_salt_len) {\n return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA,\n (EVP_PKEY_OP_SIGN | EVP_PKEY_OP_VERIFY),\n EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN, 0, out_salt_len);\n}\n\nint EVP_PKEY_CTX_set_rsa_keygen_bits(EVP_PKEY_CTX *ctx, int bits) {\n return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_KEYGEN,\n EVP_PKEY_CTRL_RSA_KEYGEN_BITS, bits, NULL);\n}\n\nint EVP_PKEY_CTX_set_rsa_keygen_pubexp(EVP_PKEY_CTX *ctx, BIGNUM *e) {\n return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_KEYGEN,\n EVP_PKEY_CTRL_RSA_KEYGEN_PUBEXP, 0, e);\n}\n\nint EVP_PKEY_CTX_set_rsa_oaep_md(EVP_PKEY_CTX *ctx, const EVP_MD *md) {\n return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_CRYPT,\n EVP_PKEY_CTRL_RSA_OAEP_MD, 0, (void *)md);\n}\n\nint EVP_PKEY_CTX_get_rsa_oaep_md(EVP_PKEY_CTX *ctx, const EVP_MD **out_md) {\n return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_CRYPT,\n EVP_PKEY_CTRL_GET_RSA_OAEP_MD, 0, (void *)out_md);\n}\n\nint EVP_PKEY_CTX_set_rsa_mgf1_md(EVP_PKEY_CTX *ctx, const EVP_MD *md) {\n return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA,\n EVP_PKEY_OP_TYPE_SIG | EVP_PKEY_OP_TYPE_CRYPT,\n EVP_PKEY_CTRL_RSA_MGF1_MD, 0, (void *)md);\n}\n\nint EVP_PKEY_CTX_get_rsa_mgf1_md(EVP_PKEY_CTX *ctx, const EVP_MD **out_md) {\n return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA,\n EVP_PKEY_OP_TYPE_SIG | EVP_PKEY_OP_TYPE_CRYPT,\n EVP_PKEY_CTRL_GET_RSA_MGF1_MD, 0, (void *)out_md);\n}\n\nint EVP_PKEY_CTX_set0_rsa_oaep_label(EVP_PKEY_CTX *ctx, uint8_t *label,\n size_t label_len) {\n RSA_OAEP_LABEL_PARAMS params = {label, label_len};\n return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_CRYPT,\n EVP_PKEY_CTRL_RSA_OAEP_LABEL, 0, ¶ms);\n}\n\nint EVP_PKEY_CTX_get0_rsa_oaep_label(EVP_PKEY_CTX *ctx,\n const uint8_t **out_label) {\n CBS label;\n if (!EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_CRYPT,\n EVP_PKEY_CTRL_GET_RSA_OAEP_LABEL, 0, &label)) {\n return -1;\n }\n if (CBS_len(&label) > INT_MAX) {\n OPENSSL_PUT_ERROR(EVP, ERR_R_OVERFLOW);\n return -1;\n }\n *out_label = CBS_data(&label);\n return (int)CBS_len(&label);\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/evp/p_rsa_asn1.cc", "content": "/*\n * Copyright 2006-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n#include \n#include \n#include \n#include \n#include \n\n#include \"../fipsmodule/rsa/internal.h\"\n#include \"internal.h\"\n\n\nstatic int rsa_pub_encode(CBB *out, const EVP_PKEY *key) {\n // See RFC 3279, section 2.3.1.\n const RSA *rsa = reinterpret_cast(key->pkey);\n CBB spki, algorithm, oid, null, key_bitstring;\n if (!CBB_add_asn1(out, &spki, CBS_ASN1_SEQUENCE) ||\n !CBB_add_asn1(&spki, &algorithm, CBS_ASN1_SEQUENCE) ||\n !CBB_add_asn1(&algorithm, &oid, CBS_ASN1_OBJECT) ||\n !CBB_add_bytes(&oid, rsa_asn1_meth.oid, rsa_asn1_meth.oid_len) ||\n !CBB_add_asn1(&algorithm, &null, CBS_ASN1_NULL) ||\n !CBB_add_asn1(&spki, &key_bitstring, CBS_ASN1_BITSTRING) ||\n !CBB_add_u8(&key_bitstring, 0 /* padding */) ||\n !RSA_marshal_public_key(&key_bitstring, rsa) || //\n !CBB_flush(out)) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_ENCODE_ERROR);\n return 0;\n }\n\n return 1;\n}\n\nstatic int rsa_pub_decode(EVP_PKEY *out, CBS *params, CBS *key) {\n // See RFC 3279, section 2.3.1.\n\n // The parameters must be NULL.\n CBS null;\n if (!CBS_get_asn1(params, &null, CBS_ASN1_NULL) || CBS_len(&null) != 0 ||\n CBS_len(params) != 0) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_DECODE_ERROR);\n return 0;\n }\n\n RSA *rsa = RSA_parse_public_key(key);\n if (rsa == NULL || CBS_len(key) != 0) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_DECODE_ERROR);\n RSA_free(rsa);\n return 0;\n }\n\n EVP_PKEY_assign_RSA(out, rsa);\n return 1;\n}\n\nstatic int rsa_pub_cmp(const EVP_PKEY *a, const EVP_PKEY *b) {\n const RSA *a_rsa = reinterpret_cast(a->pkey);\n const RSA *b_rsa = reinterpret_cast(b->pkey);\n return BN_cmp(RSA_get0_n(b_rsa), RSA_get0_n(a_rsa)) == 0 &&\n BN_cmp(RSA_get0_e(b_rsa), RSA_get0_e(a_rsa)) == 0;\n}\n\nstatic int rsa_priv_encode(CBB *out, const EVP_PKEY *key) {\n const RSA *rsa = reinterpret_cast(key->pkey);\n CBB pkcs8, algorithm, oid, null, private_key;\n if (!CBB_add_asn1(out, &pkcs8, CBS_ASN1_SEQUENCE) ||\n !CBB_add_asn1_uint64(&pkcs8, 0 /* version */) ||\n !CBB_add_asn1(&pkcs8, &algorithm, CBS_ASN1_SEQUENCE) ||\n !CBB_add_asn1(&algorithm, &oid, CBS_ASN1_OBJECT) ||\n !CBB_add_bytes(&oid, rsa_asn1_meth.oid, rsa_asn1_meth.oid_len) ||\n !CBB_add_asn1(&algorithm, &null, CBS_ASN1_NULL) ||\n !CBB_add_asn1(&pkcs8, &private_key, CBS_ASN1_OCTETSTRING) ||\n !RSA_marshal_private_key(&private_key, rsa) || //\n !CBB_flush(out)) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_ENCODE_ERROR);\n return 0;\n }\n\n return 1;\n}\n\nstatic int rsa_priv_decode(EVP_PKEY *out, CBS *params, CBS *key) {\n // Per RFC 3447, A.1, the parameters have type NULL.\n CBS null;\n if (!CBS_get_asn1(params, &null, CBS_ASN1_NULL) || CBS_len(&null) != 0 ||\n CBS_len(params) != 0) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_DECODE_ERROR);\n return 0;\n }\n\n RSA *rsa = RSA_parse_private_key(key);\n if (rsa == NULL || CBS_len(key) != 0) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_DECODE_ERROR);\n RSA_free(rsa);\n return 0;\n }\n\n EVP_PKEY_assign_RSA(out, rsa);\n return 1;\n}\n\nstatic int rsa_opaque(const EVP_PKEY *pkey) {\n const RSA *rsa = reinterpret_cast(pkey->pkey);\n return RSA_is_opaque(rsa);\n}\n\nstatic int int_rsa_size(const EVP_PKEY *pkey) {\n const RSA *rsa = reinterpret_cast(pkey->pkey);\n return RSA_size(rsa);\n}\n\nstatic int rsa_bits(const EVP_PKEY *pkey) {\n const RSA *rsa = reinterpret_cast(pkey->pkey);\n return RSA_bits(rsa);\n}\n\nstatic void int_rsa_free(EVP_PKEY *pkey) {\n RSA_free(reinterpret_cast(pkey->pkey));\n pkey->pkey = NULL;\n}\n\nconst EVP_PKEY_ASN1_METHOD rsa_asn1_meth = {\n EVP_PKEY_RSA,\n // 1.2.840.113549.1.1.1\n {0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01},\n 9,\n\n &rsa_pkey_meth,\n\n rsa_pub_decode,\n rsa_pub_encode,\n rsa_pub_cmp,\n\n rsa_priv_decode,\n rsa_priv_encode,\n\n /*set_priv_raw=*/NULL,\n /*set_pub_raw=*/NULL,\n /*get_priv_raw=*/NULL,\n /*get_pub_raw=*/NULL,\n /*set1_tls_encodedpoint=*/NULL,\n /*get1_tls_encodedpoint=*/NULL,\n\n rsa_opaque,\n\n int_rsa_size,\n rsa_bits,\n\n 0,\n 0,\n 0,\n\n int_rsa_free,\n};\n\nint EVP_PKEY_set1_RSA(EVP_PKEY *pkey, RSA *key) {\n if (EVP_PKEY_assign_RSA(pkey, key)) {\n RSA_up_ref(key);\n return 1;\n }\n return 0;\n}\n\nint EVP_PKEY_assign_RSA(EVP_PKEY *pkey, RSA *key) {\n evp_pkey_set_method(pkey, &rsa_asn1_meth);\n pkey->pkey = key;\n return key != NULL;\n}\n\nRSA *EVP_PKEY_get0_RSA(const EVP_PKEY *pkey) {\n if (pkey->type != EVP_PKEY_RSA) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_EXPECTING_AN_RSA_KEY);\n return NULL;\n }\n return reinterpret_cast(pkey->pkey);\n}\n\nRSA *EVP_PKEY_get1_RSA(const EVP_PKEY *pkey) {\n RSA *rsa = EVP_PKEY_get0_RSA(pkey);\n if (rsa != NULL) {\n RSA_up_ref(rsa);\n }\n return rsa;\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/evp/p_x25519.cc", "content": "/* Copyright 2019 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n#include \n\n#include \n#include \n#include \n\n#include \"internal.h\"\n\n\n// X25519 has no parameters to copy.\nstatic int pkey_x25519_copy(EVP_PKEY_CTX *dst, EVP_PKEY_CTX *src) { return 1; }\n\nstatic int pkey_x25519_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey) {\n X25519_KEY *key =\n reinterpret_cast(OPENSSL_malloc(sizeof(X25519_KEY)));\n if (key == NULL) {\n return 0;\n }\n\n evp_pkey_set_method(pkey, &x25519_asn1_meth);\n\n X25519_keypair(key->pub, key->priv);\n key->has_private = 1;\n\n OPENSSL_free(pkey->pkey);\n pkey->pkey = key;\n return 1;\n}\n\nstatic int pkey_x25519_derive(EVP_PKEY_CTX *ctx, uint8_t *out,\n size_t *out_len) {\n if (ctx->pkey == NULL || ctx->peerkey == NULL) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_KEYS_NOT_SET);\n return 0;\n }\n\n const X25519_KEY *our_key =\n reinterpret_cast(ctx->pkey->pkey);\n const X25519_KEY *peer_key =\n reinterpret_cast(ctx->peerkey->pkey);\n if (our_key == NULL || peer_key == NULL) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_KEYS_NOT_SET);\n return 0;\n }\n\n if (!our_key->has_private) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_NOT_A_PRIVATE_KEY);\n return 0;\n }\n\n if (out != NULL) {\n if (*out_len < 32) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_BUFFER_TOO_SMALL);\n return 0;\n }\n if (!X25519(out, our_key->priv, peer_key->pub)) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_PEER_KEY);\n return 0;\n }\n }\n\n *out_len = 32;\n return 1;\n}\n\nstatic int pkey_x25519_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2) {\n switch (type) {\n case EVP_PKEY_CTRL_PEER_KEY:\n // |EVP_PKEY_derive_set_peer| requires the key implement this command,\n // even if it is a no-op.\n return 1;\n\n default:\n OPENSSL_PUT_ERROR(EVP, EVP_R_COMMAND_NOT_SUPPORTED);\n return 0;\n }\n}\n\nconst EVP_PKEY_METHOD x25519_pkey_meth = {\n /*pkey_id=*/EVP_PKEY_X25519,\n /*init=*/NULL,\n /*copy=*/pkey_x25519_copy,\n /*cleanup=*/NULL,\n /*keygen=*/pkey_x25519_keygen,\n /*sign=*/NULL,\n /*sign_message=*/NULL,\n /*verify=*/NULL,\n /*verify_message=*/NULL,\n /*verify_recover=*/NULL,\n /*encrypt=*/NULL,\n /*decrypt=*/NULL,\n /*derive=*/pkey_x25519_derive,\n /*paramgen=*/NULL,\n /*ctrl=*/pkey_x25519_ctrl,\n};\n" }, { "path": "Sources/CNIOBoringSSL/crypto/evp/p_x25519_asn1.cc", "content": "/* Copyright 2019 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n#include \n\n#include \n#include \n#include \n#include \n\n#include \"../internal.h\"\n#include \"internal.h\"\n\n\nstatic void x25519_free(EVP_PKEY *pkey) {\n OPENSSL_free(pkey->pkey);\n pkey->pkey = NULL;\n}\n\nstatic int x25519_set_priv_raw(EVP_PKEY *pkey, const uint8_t *in, size_t len) {\n if (len != 32) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_DECODE_ERROR);\n return 0;\n }\n\n X25519_KEY *key =\n reinterpret_cast(OPENSSL_malloc(sizeof(X25519_KEY)));\n if (key == NULL) {\n return 0;\n }\n\n OPENSSL_memcpy(key->priv, in, 32);\n X25519_public_from_private(key->pub, key->priv);\n key->has_private = 1;\n\n x25519_free(pkey);\n pkey->pkey = key;\n return 1;\n}\n\nstatic int x25519_set_pub_raw(EVP_PKEY *pkey, const uint8_t *in, size_t len) {\n if (len != 32) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_DECODE_ERROR);\n return 0;\n }\n\n X25519_KEY *key =\n reinterpret_cast(OPENSSL_malloc(sizeof(X25519_KEY)));\n if (key == NULL) {\n return 0;\n }\n\n OPENSSL_memcpy(key->pub, in, 32);\n key->has_private = 0;\n\n x25519_free(pkey);\n pkey->pkey = key;\n return 1;\n}\n\nstatic int x25519_get_priv_raw(const EVP_PKEY *pkey, uint8_t *out,\n size_t *out_len) {\n const X25519_KEY *key = reinterpret_cast(pkey->pkey);\n if (!key->has_private) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_NOT_A_PRIVATE_KEY);\n return 0;\n }\n\n if (out == NULL) {\n *out_len = 32;\n return 1;\n }\n\n if (*out_len < 32) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_BUFFER_TOO_SMALL);\n return 0;\n }\n\n OPENSSL_memcpy(out, key->priv, 32);\n *out_len = 32;\n return 1;\n}\n\nstatic int x25519_get_pub_raw(const EVP_PKEY *pkey, uint8_t *out,\n size_t *out_len) {\n const X25519_KEY *key = reinterpret_cast(pkey->pkey);\n if (out == NULL) {\n *out_len = 32;\n return 1;\n }\n\n if (*out_len < 32) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_BUFFER_TOO_SMALL);\n return 0;\n }\n\n OPENSSL_memcpy(out, key->pub, 32);\n *out_len = 32;\n return 1;\n}\n\nstatic int x25519_set1_tls_encodedpoint(EVP_PKEY *pkey, const uint8_t *in,\n size_t len) {\n return x25519_set_pub_raw(pkey, in, len);\n}\n\nstatic size_t x25519_get1_tls_encodedpoint(const EVP_PKEY *pkey,\n uint8_t **out_ptr) {\n const X25519_KEY *key = reinterpret_cast(pkey->pkey);\n if (key == NULL) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_NO_KEY_SET);\n return 0;\n }\n\n *out_ptr = reinterpret_cast(OPENSSL_memdup(key->pub, 32));\n return *out_ptr == NULL ? 0 : 32;\n}\n\nstatic int x25519_pub_decode(EVP_PKEY *out, CBS *params, CBS *key) {\n // See RFC 8410, section 4.\n\n // The parameters must be omitted. Public keys have length 32.\n if (CBS_len(params) != 0) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_DECODE_ERROR);\n return 0;\n }\n\n return x25519_set_pub_raw(out, CBS_data(key), CBS_len(key));\n}\n\nstatic int x25519_pub_encode(CBB *out, const EVP_PKEY *pkey) {\n const X25519_KEY *key = reinterpret_cast(pkey->pkey);\n\n // See RFC 8410, section 4.\n CBB spki, algorithm, oid, key_bitstring;\n if (!CBB_add_asn1(out, &spki, CBS_ASN1_SEQUENCE) ||\n !CBB_add_asn1(&spki, &algorithm, CBS_ASN1_SEQUENCE) ||\n !CBB_add_asn1(&algorithm, &oid, CBS_ASN1_OBJECT) ||\n !CBB_add_bytes(&oid, x25519_asn1_meth.oid, x25519_asn1_meth.oid_len) ||\n !CBB_add_asn1(&spki, &key_bitstring, CBS_ASN1_BITSTRING) ||\n !CBB_add_u8(&key_bitstring, 0 /* padding */) ||\n !CBB_add_bytes(&key_bitstring, key->pub, 32) || //\n !CBB_flush(out)) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_ENCODE_ERROR);\n return 0;\n }\n\n return 1;\n}\n\nstatic int x25519_pub_cmp(const EVP_PKEY *a, const EVP_PKEY *b) {\n const X25519_KEY *a_key = reinterpret_cast(a->pkey);\n const X25519_KEY *b_key = reinterpret_cast(b->pkey);\n return OPENSSL_memcmp(a_key->pub, b_key->pub, 32) == 0;\n}\n\nstatic int x25519_priv_decode(EVP_PKEY *out, CBS *params, CBS *key) {\n // See RFC 8410, section 7.\n\n // Parameters must be empty. The key is a 32-byte value wrapped in an extra\n // OCTET STRING layer.\n CBS inner;\n if (CBS_len(params) != 0 ||\n !CBS_get_asn1(key, &inner, CBS_ASN1_OCTETSTRING) || CBS_len(key) != 0) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_DECODE_ERROR);\n return 0;\n }\n\n return x25519_set_priv_raw(out, CBS_data(&inner), CBS_len(&inner));\n}\n\nstatic int x25519_priv_encode(CBB *out, const EVP_PKEY *pkey) {\n const X25519_KEY *key = reinterpret_cast(pkey->pkey);\n if (!key->has_private) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_NOT_A_PRIVATE_KEY);\n return 0;\n }\n\n // See RFC 8410, section 7.\n CBB pkcs8, algorithm, oid, private_key, inner;\n if (!CBB_add_asn1(out, &pkcs8, CBS_ASN1_SEQUENCE) ||\n !CBB_add_asn1_uint64(&pkcs8, 0 /* version */) ||\n !CBB_add_asn1(&pkcs8, &algorithm, CBS_ASN1_SEQUENCE) ||\n !CBB_add_asn1(&algorithm, &oid, CBS_ASN1_OBJECT) ||\n !CBB_add_bytes(&oid, x25519_asn1_meth.oid, x25519_asn1_meth.oid_len) ||\n !CBB_add_asn1(&pkcs8, &private_key, CBS_ASN1_OCTETSTRING) ||\n !CBB_add_asn1(&private_key, &inner, CBS_ASN1_OCTETSTRING) ||\n // The PKCS#8 encoding stores only the 32-byte seed which is the first 32\n // bytes of the private key.\n !CBB_add_bytes(&inner, key->priv, 32) || //\n !CBB_flush(out)) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_ENCODE_ERROR);\n return 0;\n }\n\n return 1;\n}\n\nstatic int x25519_size(const EVP_PKEY *pkey) { return 32; }\n\nstatic int x25519_bits(const EVP_PKEY *pkey) { return 253; }\n\nconst EVP_PKEY_ASN1_METHOD x25519_asn1_meth = {\n EVP_PKEY_X25519,\n {0x2b, 0x65, 0x6e},\n 3,\n &x25519_pkey_meth,\n x25519_pub_decode,\n x25519_pub_encode,\n x25519_pub_cmp,\n x25519_priv_decode,\n x25519_priv_encode,\n x25519_set_priv_raw,\n x25519_set_pub_raw,\n x25519_get_priv_raw,\n x25519_get_pub_raw,\n x25519_set1_tls_encodedpoint,\n x25519_get1_tls_encodedpoint,\n /*pkey_opaque=*/NULL,\n x25519_size,\n x25519_bits,\n /*param_missing=*/NULL,\n /*param_copy=*/NULL,\n /*param_cmp=*/NULL,\n x25519_free,\n};\n" }, { "path": "Sources/CNIOBoringSSL/crypto/evp/pbkdf.cc", "content": "/*\n * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n\n#include \n\n#include \"../internal.h\"\n\n\nint PKCS5_PBKDF2_HMAC(const char *password, size_t password_len,\n const uint8_t *salt, size_t salt_len, uint32_t iterations,\n const EVP_MD *digest, size_t key_len, uint8_t *out_key) {\n // See RFC 8018, section 5.2.\n bssl::ScopedHMAC_CTX hctx;\n if (!HMAC_Init_ex(hctx.get(), password, password_len, digest, NULL)) {\n return 0;\n }\n\n uint32_t i = 1;\n size_t md_len = EVP_MD_size(digest);\n while (key_len > 0) {\n size_t todo = md_len;\n if (todo > key_len) {\n todo = key_len;\n }\n\n uint8_t i_buf[4];\n i_buf[0] = (uint8_t)((i >> 24) & 0xff);\n i_buf[1] = (uint8_t)((i >> 16) & 0xff);\n i_buf[2] = (uint8_t)((i >> 8) & 0xff);\n i_buf[3] = (uint8_t)(i & 0xff);\n\n // Compute U_1.\n uint8_t digest_tmp[EVP_MAX_MD_SIZE];\n if (!HMAC_Init_ex(hctx.get(), NULL, 0, NULL, NULL) ||\n !HMAC_Update(hctx.get(), salt, salt_len) ||\n !HMAC_Update(hctx.get(), i_buf, 4) ||\n !HMAC_Final(hctx.get(), digest_tmp, NULL)) {\n return 0;\n }\n\n OPENSSL_memcpy(out_key, digest_tmp, todo);\n for (uint32_t j = 1; j < iterations; j++) {\n // Compute the remaining U_* values and XOR.\n if (!HMAC_Init_ex(hctx.get(), NULL, 0, NULL, NULL) ||\n !HMAC_Update(hctx.get(), digest_tmp, md_len) ||\n !HMAC_Final(hctx.get(), digest_tmp, NULL)) {\n return 0;\n }\n for (size_t k = 0; k < todo; k++) {\n out_key[k] ^= digest_tmp[k];\n }\n }\n\n key_len -= todo;\n out_key += todo;\n i++;\n }\n\n // RFC 8018 describes iterations (c) as being a \"positive integer\", so a\n // value of 0 is an error.\n //\n // Unfortunately not all consumers of PKCS5_PBKDF2_HMAC() check their return\n // value, expecting it to succeed and unconditionally using |out_key|. As a\n // precaution for such callsites in external code, the old behavior of\n // iterations < 1 being treated as iterations == 1 is preserved, but\n // additionally an error result is returned.\n //\n // TODO(eroman): Figure out how to remove this compatibility hack, or change\n // the default to something more sensible like 2048.\n if (iterations == 0) {\n return 0;\n }\n\n return 1;\n}\n\nint PKCS5_PBKDF2_HMAC_SHA1(const char *password, size_t password_len,\n const uint8_t *salt, size_t salt_len,\n uint32_t iterations, size_t key_len,\n uint8_t *out_key) {\n return PKCS5_PBKDF2_HMAC(password, password_len, salt, salt_len, iterations,\n EVP_sha1(), key_len, out_key);\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/evp/print.cc", "content": "/*\n * Copyright 2006-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n\n#include \n#include \n#include \n#include \n#include \n#include \n#include \n\n#include \"../fipsmodule/rsa/internal.h\"\n#include \"../internal.h\"\n\n\nstatic int print_hex(BIO *bp, const uint8_t *data, size_t len, int off) {\n for (size_t i = 0; i < len; i++) {\n if ((i % 15) == 0) {\n if (BIO_puts(bp, \"\\n\") <= 0 || //\n !BIO_indent(bp, off + 4, 128)) {\n return 0;\n }\n }\n if (BIO_printf(bp, \"%02x%s\", data[i], (i + 1 == len) ? \"\" : \":\") <= 0) {\n return 0;\n }\n }\n if (BIO_write(bp, \"\\n\", 1) <= 0) {\n return 0;\n }\n return 1;\n}\n\nstatic int bn_print(BIO *bp, const char *name, const BIGNUM *num, int off) {\n if (num == NULL) {\n return 1;\n }\n\n if (!BIO_indent(bp, off, 128)) {\n return 0;\n }\n if (BN_is_zero(num)) {\n if (BIO_printf(bp, \"%s 0\\n\", name) <= 0) {\n return 0;\n }\n return 1;\n }\n\n uint64_t u64;\n if (BN_get_u64(num, &u64)) {\n const char *neg = BN_is_negative(num) ? \"-\" : \"\";\n return BIO_printf(bp, \"%s %s%\" PRIu64 \" (%s0x%\" PRIx64 \")\\n\", name, neg,\n u64, neg, u64) > 0;\n }\n\n if (BIO_printf(bp, \"%s%s\", name,\n (BN_is_negative(num)) ? \" (Negative)\" : \"\") <= 0) {\n return 0;\n }\n\n // Print |num| in hex, adding a leading zero, as in ASN.1, if the high bit\n // is set.\n //\n // TODO(davidben): Do we need to do this? We already print \"(Negative)\" above\n // and negative values are never valid in keys anyway.\n size_t len = BN_num_bytes(num);\n uint8_t *buf = reinterpret_cast(OPENSSL_malloc(len + 1));\n if (buf == NULL) {\n return 0;\n }\n\n buf[0] = 0;\n BN_bn2bin(num, buf + 1);\n int ret;\n if (len > 0 && (buf[1] & 0x80) != 0) {\n // Print the whole buffer.\n ret = print_hex(bp, buf, len + 1, off);\n } else {\n // Skip the leading zero.\n ret = print_hex(bp, buf + 1, len, off);\n }\n OPENSSL_free(buf);\n return ret;\n}\n\n// RSA keys.\n\nstatic int do_rsa_print(BIO *out, const RSA *rsa, int off,\n int include_private) {\n int mod_len = 0;\n if (rsa->n != NULL) {\n mod_len = BN_num_bits(rsa->n);\n }\n\n if (!BIO_indent(out, off, 128)) {\n return 0;\n }\n\n const char *s, *str;\n if (include_private && rsa->d) {\n if (BIO_printf(out, \"Private-Key: (%d bit)\\n\", mod_len) <= 0) {\n return 0;\n }\n str = \"modulus:\";\n s = \"publicExponent:\";\n } else {\n if (BIO_printf(out, \"Public-Key: (%d bit)\\n\", mod_len) <= 0) {\n return 0;\n }\n str = \"Modulus:\";\n s = \"Exponent:\";\n }\n if (!bn_print(out, str, rsa->n, off) || !bn_print(out, s, rsa->e, off)) {\n return 0;\n }\n\n if (include_private) {\n if (!bn_print(out, \"privateExponent:\", rsa->d, off) ||\n !bn_print(out, \"prime1:\", rsa->p, off) ||\n !bn_print(out, \"prime2:\", rsa->q, off) ||\n !bn_print(out, \"exponent1:\", rsa->dmp1, off) ||\n !bn_print(out, \"exponent2:\", rsa->dmq1, off) ||\n !bn_print(out, \"coefficient:\", rsa->iqmp, off)) {\n return 0;\n }\n }\n\n return 1;\n}\n\nstatic int rsa_pub_print(BIO *bp, const EVP_PKEY *pkey, int indent) {\n return do_rsa_print(bp, EVP_PKEY_get0_RSA(pkey), indent, 0);\n}\n\nstatic int rsa_priv_print(BIO *bp, const EVP_PKEY *pkey, int indent) {\n return do_rsa_print(bp, EVP_PKEY_get0_RSA(pkey), indent, 1);\n}\n\n\n// DSA keys.\n\nstatic int do_dsa_print(BIO *bp, const DSA *x, int off, int ptype) {\n const BIGNUM *priv_key = NULL;\n if (ptype == 2) {\n priv_key = DSA_get0_priv_key(x);\n }\n\n const BIGNUM *pub_key = NULL;\n if (ptype > 0) {\n pub_key = DSA_get0_pub_key(x);\n }\n\n const char *ktype = \"DSA-Parameters\";\n if (ptype == 2) {\n ktype = \"Private-Key\";\n } else if (ptype == 1) {\n ktype = \"Public-Key\";\n }\n\n if (!BIO_indent(bp, off, 128) ||\n BIO_printf(bp, \"%s: (%u bit)\\n\", ktype, BN_num_bits(DSA_get0_p(x))) <=\n 0 ||\n // |priv_key| and |pub_key| may be NULL, in which case |bn_print| will\n // silently skip them.\n !bn_print(bp, \"priv:\", priv_key, off) ||\n !bn_print(bp, \"pub:\", pub_key, off) ||\n !bn_print(bp, \"P:\", DSA_get0_p(x), off) ||\n !bn_print(bp, \"Q:\", DSA_get0_q(x), off) ||\n !bn_print(bp, \"G:\", DSA_get0_g(x), off)) {\n return 0;\n }\n\n return 1;\n}\n\nstatic int dsa_param_print(BIO *bp, const EVP_PKEY *pkey, int indent) {\n return do_dsa_print(bp, EVP_PKEY_get0_DSA(pkey), indent, 0);\n}\n\nstatic int dsa_pub_print(BIO *bp, const EVP_PKEY *pkey, int indent) {\n return do_dsa_print(bp, EVP_PKEY_get0_DSA(pkey), indent, 1);\n}\n\nstatic int dsa_priv_print(BIO *bp, const EVP_PKEY *pkey, int indent) {\n return do_dsa_print(bp, EVP_PKEY_get0_DSA(pkey), indent, 2);\n}\n\n\n// EC keys.\n\nstatic int do_EC_KEY_print(BIO *bp, const EC_KEY *x, int off, int ktype) {\n const EC_GROUP *group;\n if (x == NULL || (group = EC_KEY_get0_group(x)) == NULL) {\n OPENSSL_PUT_ERROR(EVP, ERR_R_PASSED_NULL_PARAMETER);\n return 0;\n }\n\n const char *ecstr;\n if (ktype == 2) {\n ecstr = \"Private-Key\";\n } else if (ktype == 1) {\n ecstr = \"Public-Key\";\n } else {\n ecstr = \"ECDSA-Parameters\";\n }\n\n if (!BIO_indent(bp, off, 128)) {\n return 0;\n }\n int curve_name = EC_GROUP_get_curve_name(group);\n if (BIO_printf(bp, \"%s: (%s)\\n\", ecstr,\n curve_name == NID_undef\n ? \"unknown curve\"\n : EC_curve_nid2nist(curve_name)) <= 0) {\n return 0;\n }\n\n if (ktype == 2) {\n const BIGNUM *priv_key = EC_KEY_get0_private_key(x);\n if (priv_key != NULL && //\n !bn_print(bp, \"priv:\", priv_key, off)) {\n return 0;\n }\n }\n\n if (ktype > 0 && EC_KEY_get0_public_key(x) != NULL) {\n uint8_t *pub = NULL;\n size_t pub_len = EC_KEY_key2buf(x, EC_KEY_get_conv_form(x), &pub, NULL);\n if (pub_len == 0) {\n return 0;\n }\n int ret = BIO_indent(bp, off, 128) && //\n BIO_puts(bp, \"pub:\") > 0 && //\n print_hex(bp, pub, pub_len, off);\n OPENSSL_free(pub);\n if (!ret) {\n return 0;\n }\n }\n\n return 1;\n}\n\nstatic int eckey_param_print(BIO *bp, const EVP_PKEY *pkey, int indent) {\n return do_EC_KEY_print(bp, EVP_PKEY_get0_EC_KEY(pkey), indent, 0);\n}\n\nstatic int eckey_pub_print(BIO *bp, const EVP_PKEY *pkey, int indent) {\n return do_EC_KEY_print(bp, EVP_PKEY_get0_EC_KEY(pkey), indent, 1);\n}\n\n\nstatic int eckey_priv_print(BIO *bp, const EVP_PKEY *pkey, int indent) {\n return do_EC_KEY_print(bp, EVP_PKEY_get0_EC_KEY(pkey), indent, 2);\n}\n\n\ntypedef struct {\n int type;\n int (*pub_print)(BIO *out, const EVP_PKEY *pkey, int indent);\n int (*priv_print)(BIO *out, const EVP_PKEY *pkey, int indent);\n int (*param_print)(BIO *out, const EVP_PKEY *pkey, int indent);\n} EVP_PKEY_PRINT_METHOD;\n\nstatic EVP_PKEY_PRINT_METHOD kPrintMethods[] = {\n {\n EVP_PKEY_RSA,\n rsa_pub_print,\n rsa_priv_print,\n NULL /* param_print */,\n },\n {\n EVP_PKEY_DSA,\n dsa_pub_print,\n dsa_priv_print,\n dsa_param_print,\n },\n {\n EVP_PKEY_EC,\n eckey_pub_print,\n eckey_priv_print,\n eckey_param_print,\n },\n};\n\nstatic size_t kPrintMethodsLen = OPENSSL_ARRAY_SIZE(kPrintMethods);\n\nstatic EVP_PKEY_PRINT_METHOD *find_method(int type) {\n for (size_t i = 0; i < kPrintMethodsLen; i++) {\n if (kPrintMethods[i].type == type) {\n return &kPrintMethods[i];\n }\n }\n return NULL;\n}\n\nstatic int print_unsupported(BIO *out, const EVP_PKEY *pkey, int indent,\n const char *kstr) {\n BIO_indent(out, indent, 128);\n BIO_printf(out, \"%s algorithm unsupported\\n\", kstr);\n return 1;\n}\n\nint EVP_PKEY_print_public(BIO *out, const EVP_PKEY *pkey, int indent,\n ASN1_PCTX *pctx) {\n EVP_PKEY_PRINT_METHOD *method = find_method(EVP_PKEY_id(pkey));\n if (method != NULL && method->pub_print != NULL) {\n return method->pub_print(out, pkey, indent);\n }\n return print_unsupported(out, pkey, indent, \"Public Key\");\n}\n\nint EVP_PKEY_print_private(BIO *out, const EVP_PKEY *pkey, int indent,\n ASN1_PCTX *pctx) {\n EVP_PKEY_PRINT_METHOD *method = find_method(EVP_PKEY_id(pkey));\n if (method != NULL && method->priv_print != NULL) {\n return method->priv_print(out, pkey, indent);\n }\n return print_unsupported(out, pkey, indent, \"Private Key\");\n}\n\nint EVP_PKEY_print_params(BIO *out, const EVP_PKEY *pkey, int indent,\n ASN1_PCTX *pctx) {\n EVP_PKEY_PRINT_METHOD *method = find_method(EVP_PKEY_id(pkey));\n if (method != NULL && method->param_print != NULL) {\n return method->param_print(out, pkey, indent);\n }\n return print_unsupported(out, pkey, indent, \"Parameters\");\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/evp/scrypt.cc", "content": "/*\n * Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n\n#include \n#include \n\n#include \"../internal.h\"\n\n\n// This file implements scrypt, described in RFC 7914.\n//\n// Note scrypt refers to both \"blocks\" and a \"block size\" parameter, r. These\n// are two different notions of blocks. A Salsa20 block is 64 bytes long,\n// represented in this implementation by 16 |uint32_t|s. |r| determines the\n// number of 64-byte Salsa20 blocks in a scryptBlockMix block, which is 2 * |r|\n// Salsa20 blocks. This implementation refers to them as Salsa20 blocks and\n// scrypt blocks, respectively.\n\n// A block_t is a Salsa20 block.\ntypedef struct {\n uint32_t words[16];\n} block_t;\n\nstatic_assert(sizeof(block_t) == 64, \"block_t has padding\");\n\n// salsa208_word_specification implements the Salsa20/8 core function, also\n// described in RFC 7914, section 3. It modifies the block at |inout|\n// in-place.\nstatic void salsa208_word_specification(block_t *inout) {\n block_t x;\n OPENSSL_memcpy(&x, inout, sizeof(x));\n\n for (int i = 8; i > 0; i -= 2) {\n x.words[4] ^= CRYPTO_rotl_u32(x.words[0] + x.words[12], 7);\n x.words[8] ^= CRYPTO_rotl_u32(x.words[4] + x.words[0], 9);\n x.words[12] ^= CRYPTO_rotl_u32(x.words[8] + x.words[4], 13);\n x.words[0] ^= CRYPTO_rotl_u32(x.words[12] + x.words[8], 18);\n x.words[9] ^= CRYPTO_rotl_u32(x.words[5] + x.words[1], 7);\n x.words[13] ^= CRYPTO_rotl_u32(x.words[9] + x.words[5], 9);\n x.words[1] ^= CRYPTO_rotl_u32(x.words[13] + x.words[9], 13);\n x.words[5] ^= CRYPTO_rotl_u32(x.words[1] + x.words[13], 18);\n x.words[14] ^= CRYPTO_rotl_u32(x.words[10] + x.words[6], 7);\n x.words[2] ^= CRYPTO_rotl_u32(x.words[14] + x.words[10], 9);\n x.words[6] ^= CRYPTO_rotl_u32(x.words[2] + x.words[14], 13);\n x.words[10] ^= CRYPTO_rotl_u32(x.words[6] + x.words[2], 18);\n x.words[3] ^= CRYPTO_rotl_u32(x.words[15] + x.words[11], 7);\n x.words[7] ^= CRYPTO_rotl_u32(x.words[3] + x.words[15], 9);\n x.words[11] ^= CRYPTO_rotl_u32(x.words[7] + x.words[3], 13);\n x.words[15] ^= CRYPTO_rotl_u32(x.words[11] + x.words[7], 18);\n x.words[1] ^= CRYPTO_rotl_u32(x.words[0] + x.words[3], 7);\n x.words[2] ^= CRYPTO_rotl_u32(x.words[1] + x.words[0], 9);\n x.words[3] ^= CRYPTO_rotl_u32(x.words[2] + x.words[1], 13);\n x.words[0] ^= CRYPTO_rotl_u32(x.words[3] + x.words[2], 18);\n x.words[6] ^= CRYPTO_rotl_u32(x.words[5] + x.words[4], 7);\n x.words[7] ^= CRYPTO_rotl_u32(x.words[6] + x.words[5], 9);\n x.words[4] ^= CRYPTO_rotl_u32(x.words[7] + x.words[6], 13);\n x.words[5] ^= CRYPTO_rotl_u32(x.words[4] + x.words[7], 18);\n x.words[11] ^= CRYPTO_rotl_u32(x.words[10] + x.words[9], 7);\n x.words[8] ^= CRYPTO_rotl_u32(x.words[11] + x.words[10], 9);\n x.words[9] ^= CRYPTO_rotl_u32(x.words[8] + x.words[11], 13);\n x.words[10] ^= CRYPTO_rotl_u32(x.words[9] + x.words[8], 18);\n x.words[12] ^= CRYPTO_rotl_u32(x.words[15] + x.words[14], 7);\n x.words[13] ^= CRYPTO_rotl_u32(x.words[12] + x.words[15], 9);\n x.words[14] ^= CRYPTO_rotl_u32(x.words[13] + x.words[12], 13);\n x.words[15] ^= CRYPTO_rotl_u32(x.words[14] + x.words[13], 18);\n }\n\n for (int i = 0; i < 16; ++i) {\n inout->words[i] += x.words[i];\n }\n}\n\n// xor_block sets |*out| to be |*a| XOR |*b|.\nstatic void xor_block(block_t *out, const block_t *a, const block_t *b) {\n for (size_t i = 0; i < 16; i++) {\n out->words[i] = a->words[i] ^ b->words[i];\n }\n}\n\n// scryptBlockMix implements the function described in RFC 7914, section 4. B'\n// is written to |out|. |out| and |B| may not alias and must be each one scrypt\n// block (2 * |r| Salsa20 blocks) long.\nstatic void scryptBlockMix(block_t *out, const block_t *B, uint64_t r) {\n assert(out != B);\n\n block_t X;\n OPENSSL_memcpy(&X, &B[r * 2 - 1], sizeof(X));\n for (uint64_t i = 0; i < r * 2; i++) {\n xor_block(&X, &X, &B[i]);\n salsa208_word_specification(&X);\n\n // This implements the permutation in step 3.\n OPENSSL_memcpy(&out[i / 2 + (i & 1) * r], &X, sizeof(X));\n }\n}\n\n// scryptROMix implements the function described in RFC 7914, section 5. |B| is\n// an scrypt block (2 * |r| Salsa20 blocks) and is modified in-place. |T| and\n// |V| are scratch space allocated by the caller. |T| must have space for one\n// scrypt block (2 * |r| Salsa20 blocks). |V| must have space for |N| scrypt\n// blocks (2 * |r| * |N| Salsa20 blocks).\nstatic void scryptROMix(block_t *B, uint64_t r, uint64_t N, block_t *T,\n block_t *V) {\n // Steps 1 and 2.\n OPENSSL_memcpy(V, B, 2 * r * sizeof(block_t));\n for (uint64_t i = 1; i < N; i++) {\n scryptBlockMix(&V[2 * r * i /* scrypt block i */],\n &V[2 * r * (i - 1) /* scrypt block i-1 */], r);\n }\n scryptBlockMix(B, &V[2 * r * (N - 1) /* scrypt block N-1 */], r);\n\n // Step 3.\n for (uint64_t i = 0; i < N; i++) {\n // Note this assumes |N| <= 2^32 and is a power of 2.\n uint32_t j = B[2 * r - 1].words[0] & (N - 1);\n for (size_t k = 0; k < 2 * r; k++) {\n xor_block(&T[k], &B[k], &V[2 * r * j + k]);\n }\n scryptBlockMix(B, T, r);\n }\n}\n\n// SCRYPT_PR_MAX is the maximum value of p * r. This is equivalent to the\n// bounds on p in section 6:\n//\n// p <= ((2^32-1) * hLen) / MFLen iff\n// p <= ((2^32-1) * 32) / (128 * r) iff\n// p * r <= (2^30-1)\n#define SCRYPT_PR_MAX ((1 << 30) - 1)\n\n// SCRYPT_MAX_MEM is the default maximum memory that may be allocated by\n// |EVP_PBE_scrypt|.\n#define SCRYPT_MAX_MEM (1024 * 1024 * 65)\n\nint EVP_PBE_scrypt(const char *password, size_t password_len,\n const uint8_t *salt, size_t salt_len, uint64_t N, uint64_t r,\n uint64_t p, size_t max_mem, uint8_t *out_key,\n size_t key_len) {\n if (r == 0 || p == 0 || p > SCRYPT_PR_MAX / r ||\n // |N| must be a power of two.\n N < 2 || (N & (N - 1)) ||\n // We only support |N| <= 2^32 in |scryptROMix|.\n N > UINT64_C(1) << 32 ||\n // Check that |N| < 2^(128×r / 8).\n (16 * r <= 63 && N >= UINT64_C(1) << (16 * r))) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_PARAMETERS);\n return 0;\n }\n\n // Determine the amount of memory needed. B, T, and V are |p|, 1, and |N|\n // scrypt blocks, respectively. Each scrypt block is 2*|r| |block_t|s.\n if (max_mem == 0) {\n max_mem = SCRYPT_MAX_MEM;\n }\n\n size_t max_scrypt_blocks = max_mem / (2 * r * sizeof(block_t));\n if (max_scrypt_blocks < p + 1 || max_scrypt_blocks - p - 1 < N) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_MEMORY_LIMIT_EXCEEDED);\n return 0;\n }\n\n // Allocate and divide up the scratch space. |max_mem| fits in a size_t, which\n // is no bigger than uint64_t, so none of these operations may overflow.\n static_assert(UINT64_MAX >= SIZE_MAX, \"size_t exceeds uint64_t\");\n size_t B_blocks = p * 2 * r;\n size_t B_bytes = B_blocks * sizeof(block_t);\n size_t T_blocks = 2 * r;\n size_t V_blocks = N * 2 * r;\n block_t *B = reinterpret_cast(\n OPENSSL_calloc(B_blocks + T_blocks + V_blocks, sizeof(block_t)));\n if (B == NULL) {\n return 0;\n }\n\n int ret = 0;\n block_t *T = B + B_blocks;\n block_t *V = T + T_blocks;\n\n // NOTE: PKCS5_PBKDF2_HMAC can only fail due to allocation failure\n // or |iterations| of 0 (we pass 1 here). This is consistent with\n // the documented failure conditions of EVP_PBE_scrypt.\n if (!PKCS5_PBKDF2_HMAC(password, password_len, salt, salt_len, 1,\n EVP_sha256(), B_bytes, (uint8_t *)B)) {\n goto err;\n }\n\n for (uint64_t i = 0; i < p; i++) {\n scryptROMix(B + 2 * r * i, r, N, T, V);\n }\n\n if (!PKCS5_PBKDF2_HMAC(password, password_len, (const uint8_t *)B, B_bytes, 1,\n EVP_sha256(), key_len, out_key)) {\n goto err;\n }\n\n ret = 1;\n\nerr:\n OPENSSL_free(B);\n return ret;\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/evp/sign.cc", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n\n#include \n#include \n\n#include \"internal.h\"\n\n\nint EVP_SignInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl) {\n return EVP_DigestInit_ex(ctx, type, impl);\n}\n\nint EVP_SignInit(EVP_MD_CTX *ctx, const EVP_MD *type) {\n return EVP_DigestInit(ctx, type);\n}\n\nint EVP_SignUpdate(EVP_MD_CTX *ctx, const void *data, size_t len) {\n return EVP_DigestUpdate(ctx, data, len);\n}\n\nint EVP_SignFinal(const EVP_MD_CTX *ctx, uint8_t *sig, unsigned *out_sig_len,\n EVP_PKEY *pkey) {\n uint8_t m[EVP_MAX_MD_SIZE];\n unsigned m_len;\n int ret = 0;\n EVP_MD_CTX tmp_ctx;\n EVP_PKEY_CTX *pkctx = NULL;\n size_t sig_len = EVP_PKEY_size(pkey);\n\n // Ensure the final result will fit in |unsigned|.\n if (sig_len > UINT_MAX) {\n sig_len = UINT_MAX;\n }\n\n *out_sig_len = 0;\n EVP_MD_CTX_init(&tmp_ctx);\n if (!EVP_MD_CTX_copy_ex(&tmp_ctx, ctx) ||\n !EVP_DigestFinal_ex(&tmp_ctx, m, &m_len)) {\n goto out;\n }\n EVP_MD_CTX_cleanup(&tmp_ctx);\n\n pkctx = EVP_PKEY_CTX_new(pkey, NULL);\n if (!pkctx || //\n !EVP_PKEY_sign_init(pkctx) ||\n !EVP_PKEY_CTX_set_signature_md(pkctx, ctx->digest) ||\n !EVP_PKEY_sign(pkctx, sig, &sig_len, m, m_len)) {\n goto out;\n }\n *out_sig_len = (unsigned)sig_len;\n ret = 1;\n\nout:\n EVP_PKEY_CTX_free(pkctx);\n return ret;\n}\n\nint EVP_VerifyInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl) {\n return EVP_DigestInit_ex(ctx, type, impl);\n}\n\nint EVP_VerifyInit(EVP_MD_CTX *ctx, const EVP_MD *type) {\n return EVP_DigestInit(ctx, type);\n}\n\nint EVP_VerifyUpdate(EVP_MD_CTX *ctx, const void *data, size_t len) {\n return EVP_DigestUpdate(ctx, data, len);\n}\n\nint EVP_VerifyFinal(EVP_MD_CTX *ctx, const uint8_t *sig, size_t sig_len,\n EVP_PKEY *pkey) {\n uint8_t m[EVP_MAX_MD_SIZE];\n unsigned m_len;\n int ret = 0;\n EVP_MD_CTX tmp_ctx;\n EVP_PKEY_CTX *pkctx = NULL;\n\n EVP_MD_CTX_init(&tmp_ctx);\n if (!EVP_MD_CTX_copy_ex(&tmp_ctx, ctx) ||\n !EVP_DigestFinal_ex(&tmp_ctx, m, &m_len)) {\n EVP_MD_CTX_cleanup(&tmp_ctx);\n goto out;\n }\n EVP_MD_CTX_cleanup(&tmp_ctx);\n\n pkctx = EVP_PKEY_CTX_new(pkey, NULL);\n if (!pkctx ||\n !EVP_PKEY_verify_init(pkctx) ||\n !EVP_PKEY_CTX_set_signature_md(pkctx, ctx->digest)) {\n goto out;\n }\n ret = EVP_PKEY_verify(pkctx, sig, sig_len, m, m_len);\n\nout:\n EVP_PKEY_CTX_free(pkctx);\n return ret;\n}\n\n" }, { "path": "Sources/CNIOBoringSSL/crypto/ex_data.cc", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n#include \n#include \n#include \n\n#include \n#include \n#include \n#include \n\n#include \"internal.h\"\n\n\nDEFINE_STACK_OF(CRYPTO_EX_DATA_FUNCS)\n\nstruct crypto_ex_data_func_st {\n long argl; // Arbitary long\n void *argp; // Arbitary void pointer\n CRYPTO_EX_free *free_func;\n // next points to the next |CRYPTO_EX_DATA_FUNCS| or NULL if this is the last\n // one. It may only be read if synchronized with a read from |num_funcs|.\n CRYPTO_EX_DATA_FUNCS *next;\n};\n\nint CRYPTO_get_ex_new_index_ex(CRYPTO_EX_DATA_CLASS *ex_data_class, long argl,\n void *argp, CRYPTO_EX_free *free_func) {\n CRYPTO_EX_DATA_FUNCS *funcs = reinterpret_cast(\n OPENSSL_malloc(sizeof(CRYPTO_EX_DATA_FUNCS)));\n if (funcs == NULL) {\n return -1;\n }\n\n funcs->argl = argl;\n funcs->argp = argp;\n funcs->free_func = free_func;\n funcs->next = NULL;\n\n CRYPTO_MUTEX_lock_write(&ex_data_class->lock);\n\n uint32_t num_funcs = CRYPTO_atomic_load_u32(&ex_data_class->num_funcs);\n // The index must fit in |int|.\n if (num_funcs > (size_t)(INT_MAX - ex_data_class->num_reserved)) {\n OPENSSL_PUT_ERROR(CRYPTO, ERR_R_OVERFLOW);\n CRYPTO_MUTEX_unlock_write(&ex_data_class->lock);\n return -1;\n }\n\n // Append |funcs| to the linked list.\n if (ex_data_class->last == NULL) {\n assert(num_funcs == 0);\n ex_data_class->funcs = funcs;\n ex_data_class->last = funcs;\n } else {\n ex_data_class->last->next = funcs;\n ex_data_class->last = funcs;\n }\n\n CRYPTO_atomic_store_u32(&ex_data_class->num_funcs, num_funcs + 1);\n CRYPTO_MUTEX_unlock_write(&ex_data_class->lock);\n return (int)num_funcs + ex_data_class->num_reserved;\n}\n\nint CRYPTO_set_ex_data(CRYPTO_EX_DATA *ad, int index, void *val) {\n if (index < 0) {\n // A caller that can accidentally pass in an invalid index into this\n // function will hit an memory error if |index| happened to be valid, and\n // expected |val| to be of a different type.\n abort();\n }\n\n if (ad->sk == NULL) {\n ad->sk = sk_void_new_null();\n if (ad->sk == NULL) {\n return 0;\n }\n }\n\n // Add NULL values until the stack is long enough.\n for (size_t i = sk_void_num(ad->sk); i <= (size_t)index; i++) {\n if (!sk_void_push(ad->sk, NULL)) {\n return 0;\n }\n }\n\n sk_void_set(ad->sk, (size_t)index, val);\n return 1;\n}\n\nvoid *CRYPTO_get_ex_data(const CRYPTO_EX_DATA *ad, int idx) {\n if (ad->sk == NULL || idx < 0 || (size_t)idx >= sk_void_num(ad->sk)) {\n return NULL;\n }\n return sk_void_value(ad->sk, idx);\n}\n\nvoid CRYPTO_new_ex_data(CRYPTO_EX_DATA *ad) { ad->sk = NULL; }\n\nvoid CRYPTO_free_ex_data(CRYPTO_EX_DATA_CLASS *ex_data_class, void *obj,\n CRYPTO_EX_DATA *ad) {\n if (ad->sk == NULL) {\n // Nothing to do.\n return;\n }\n\n uint32_t num_funcs = CRYPTO_atomic_load_u32(&ex_data_class->num_funcs);\n // |CRYPTO_get_ex_new_index_ex| will not allocate indices beyond |INT_MAX|.\n assert(num_funcs <= (size_t)(INT_MAX - ex_data_class->num_reserved));\n\n // Defer dereferencing |ex_data_class->funcs| and |funcs->next|. It must come\n // after the |num_funcs| comparison to be correctly synchronized.\n CRYPTO_EX_DATA_FUNCS *const *funcs = &ex_data_class->funcs;\n for (uint32_t i = 0; i < num_funcs; i++) {\n if ((*funcs)->free_func != NULL) {\n int index = (int)i + ex_data_class->num_reserved;\n void *ptr = CRYPTO_get_ex_data(ad, index);\n (*funcs)->free_func(obj, ptr, ad, index, (*funcs)->argl, (*funcs)->argp);\n }\n funcs = &(*funcs)->next;\n }\n\n sk_void_free(ad->sk);\n ad->sk = NULL;\n}\n\nvoid CRYPTO_cleanup_all_ex_data(void) {}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/fipsmodule/aes/aes.cc.inc", "content": "/*\n * Copyright 2002-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n\n#include \"internal.h\"\n\n\n// Be aware that different sets of AES functions use incompatible key\n// representations, varying in format of the key schedule, the |AES_KEY.rounds|\n// value, or both. Therefore they cannot mix. Also, on AArch64, the plain-C\n// code, above, is incompatible with the |aes_hw_*| functions.\n\nvoid AES_encrypt(const uint8_t *in, uint8_t *out, const AES_KEY *key) {\n if (hwaes_capable()) {\n aes_hw_encrypt(in, out, key);\n } else if (vpaes_capable()) {\n vpaes_encrypt(in, out, key);\n } else {\n aes_nohw_encrypt(in, out, key);\n }\n}\n\nvoid AES_decrypt(const uint8_t *in, uint8_t *out, const AES_KEY *key) {\n if (hwaes_capable()) {\n aes_hw_decrypt(in, out, key);\n } else if (vpaes_capable()) {\n vpaes_decrypt(in, out, key);\n } else {\n aes_nohw_decrypt(in, out, key);\n }\n}\n\nint AES_set_encrypt_key(const uint8_t *key, unsigned bits, AES_KEY *aeskey) {\n if (bits != 128 && bits != 192 && bits != 256) {\n return -2;\n }\n if (hwaes_capable()) {\n return aes_hw_set_encrypt_key(key, bits, aeskey);\n } else if (vpaes_capable()) {\n return vpaes_set_encrypt_key(key, bits, aeskey);\n } else {\n return aes_nohw_set_encrypt_key(key, bits, aeskey);\n }\n}\n\nint AES_set_decrypt_key(const uint8_t *key, unsigned bits, AES_KEY *aeskey) {\n if (bits != 128 && bits != 192 && bits != 256) {\n return -2;\n }\n if (hwaes_capable()) {\n return aes_hw_set_decrypt_key(key, bits, aeskey);\n } else if (vpaes_capable()) {\n return vpaes_set_decrypt_key(key, bits, aeskey);\n } else {\n return aes_nohw_set_decrypt_key(key, bits, aeskey);\n }\n}\n\n#if defined(HWAES) && (defined(OPENSSL_X86) || defined(OPENSSL_X86_64))\n// On x86 and x86_64, |aes_hw_set_decrypt_key|, we implement\n// |aes_hw_encrypt_key_to_decrypt_key| in assembly and rely on C code to combine\n// the operations.\nint aes_hw_set_decrypt_key(const uint8_t *user_key, int bits, AES_KEY *key) {\n int ret = aes_hw_set_encrypt_key(user_key, bits, key);\n if (ret == 0) {\n aes_hw_encrypt_key_to_decrypt_key(key);\n }\n return ret;\n}\n\nint aes_hw_set_encrypt_key(const uint8_t *user_key, int bits, AES_KEY *key) {\n if (aes_hw_set_encrypt_key_alt_preferred()) {\n return aes_hw_set_encrypt_key_alt(user_key, bits, key);\n } else {\n return aes_hw_set_encrypt_key_base(user_key, bits, key);\n }\n}\n#endif\n\n#if defined(VPAES) && defined(OPENSSL_X86)\n// On x86, there is no |vpaes_ctr32_encrypt_blocks|, so we implement it\n// ourselves. This avoids all callers needing to account for a missing function.\nvoid vpaes_ctr32_encrypt_blocks(const uint8_t *in, uint8_t *out, size_t blocks,\n const AES_KEY *key, const uint8_t iv[16]) {\n uint32_t ctr = CRYPTO_load_u32_be(iv + 12);\n uint8_t iv_buf[16], enc[16];\n OPENSSL_memcpy(iv_buf, iv, 12);\n for (size_t i = 0; i < blocks; i++) {\n CRYPTO_store_u32_be(iv_buf + 12, ctr);\n vpaes_encrypt(iv_buf, enc, key);\n CRYPTO_xor16(out, in, enc);\n ctr++;\n in += 16;\n out += 16;\n }\n}\n#endif\n\n#if defined(BSAES)\nvoid vpaes_ctr32_encrypt_blocks_with_bsaes(const uint8_t *in, uint8_t *out,\n size_t blocks, const AES_KEY *key,\n const uint8_t ivec[16]) {\n // |bsaes_ctr32_encrypt_blocks| is faster than |vpaes_ctr32_encrypt_blocks|,\n // but it takes at least one full 8-block batch to amortize the conversion.\n if (blocks < 8) {\n vpaes_ctr32_encrypt_blocks(in, out, blocks, key, ivec);\n return;\n }\n\n size_t bsaes_blocks = blocks;\n if (bsaes_blocks % 8 < 6) {\n // |bsaes_ctr32_encrypt_blocks| internally works in 8-block batches. If the\n // final batch is too small (under six blocks), it is faster to loop over\n // |vpaes_encrypt|. Round |bsaes_blocks| down to a multiple of 8.\n bsaes_blocks -= bsaes_blocks % 8;\n }\n\n AES_KEY bsaes;\n vpaes_encrypt_key_to_bsaes(&bsaes, key);\n bsaes_ctr32_encrypt_blocks(in, out, bsaes_blocks, &bsaes, ivec);\n OPENSSL_cleanse(&bsaes, sizeof(bsaes));\n\n in += 16 * bsaes_blocks;\n out += 16 * bsaes_blocks;\n blocks -= bsaes_blocks;\n\n uint8_t new_ivec[16];\n memcpy(new_ivec, ivec, 12);\n uint32_t ctr = CRYPTO_load_u32_be(ivec + 12) + bsaes_blocks;\n CRYPTO_store_u32_be(new_ivec + 12, ctr);\n\n // Finish any remaining blocks with |vpaes_ctr32_encrypt_blocks|.\n vpaes_ctr32_encrypt_blocks(in, out, blocks, key, new_ivec);\n}\n#endif // BSAES\n\nctr128_f aes_ctr_set_key(AES_KEY *aes_key, int *out_is_hwaes,\n block128_f *out_block, const uint8_t *key,\n size_t key_bytes) {\n // This function assumes the key length was previously validated.\n assert(key_bytes == 128 / 8 || key_bytes == 192 / 8 || key_bytes == 256 / 8);\n if (hwaes_capable()) {\n aes_hw_set_encrypt_key(key, (int)key_bytes * 8, aes_key);\n if (out_is_hwaes) {\n *out_is_hwaes = 1;\n }\n if (out_block) {\n *out_block = aes_hw_encrypt;\n }\n return aes_hw_ctr32_encrypt_blocks;\n }\n\n if (vpaes_capable()) {\n vpaes_set_encrypt_key(key, (int)key_bytes * 8, aes_key);\n if (out_block) {\n *out_block = vpaes_encrypt;\n }\n if (out_is_hwaes) {\n *out_is_hwaes = 0;\n }\n#if defined(BSAES)\n assert(bsaes_capable());\n return vpaes_ctr32_encrypt_blocks_with_bsaes;\n#else\n return vpaes_ctr32_encrypt_blocks;\n#endif\n }\n\n aes_nohw_set_encrypt_key(key, (int)key_bytes * 8, aes_key);\n if (out_is_hwaes) {\n *out_is_hwaes = 0;\n }\n if (out_block) {\n *out_block = aes_nohw_encrypt;\n }\n return aes_nohw_ctr32_encrypt_blocks;\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/fipsmodule/aes/aes_nohw.cc.inc", "content": "/* Copyright 2019 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n#include \n\n#include \n#include \n\n#include \"../../internal.h\"\n#include \"internal.h\"\n\n#if defined(OPENSSL_SSE2)\n#include \n#endif\n\n\n// This file contains a constant-time implementation of AES, bitsliced with\n// 32-bit, 64-bit, or 128-bit words, operating on two-, four-, and eight-block\n// batches, respectively. The 128-bit implementation requires SSE2 intrinsics.\n//\n// This implementation is based on the algorithms described in the following\n// references:\n// - https://bearssl.org/constanttime.html#aes\n// - https://eprint.iacr.org/2009/129.pdf\n// - https://eprint.iacr.org/2009/191.pdf\n\n\n// Word operations.\n//\n// An aes_word_t is the word used for this AES implementation. Throughout this\n// file, bits and bytes are ordered little-endian, though \"left\" and \"right\"\n// shifts match the operations themselves, which makes them reversed in a\n// little-endian, left-to-right reading.\n//\n// Eight |aes_word_t|s contain |AES_NOHW_BATCH_SIZE| blocks. The bits in an\n// |aes_word_t| are divided into 16 consecutive groups of |AES_NOHW_BATCH_SIZE|\n// bits each, each corresponding to a byte in an AES block in column-major\n// order (AES's byte order). We refer to these as \"logical bytes\". Note, in the\n// 32-bit and 64-bit implementations, they are smaller than a byte. (The\n// contents of a logical byte will be described later.)\n//\n// MSVC does not support C bit operators on |__m128i|, so the wrapper functions\n// |aes_nohw_and|, etc., should be used instead. Note |aes_nohw_shift_left| and\n// |aes_nohw_shift_right| measure the shift in logical bytes. That is, the shift\n// value ranges from 0 to 15 independent of |aes_word_t| and\n// |AES_NOHW_BATCH_SIZE|.\n//\n// This ordering is different from https://eprint.iacr.org/2009/129.pdf, which\n// uses row-major order. Matching the AES order was easier to reason about, and\n// we do not have PSHUFB available to arbitrarily permute bytes.\n\n#if defined(OPENSSL_SSE2)\ntypedef __m128i aes_word_t;\n// AES_NOHW_WORD_SIZE is sizeof(aes_word_t). alignas(sizeof(T)) does not work in\n// MSVC, so we define a constant.\n#define AES_NOHW_WORD_SIZE 16\n#define AES_NOHW_BATCH_SIZE 8\n#define AES_NOHW_ROW0_MASK \\\n _mm_set_epi32(0x000000ff, 0x000000ff, 0x000000ff, 0x000000ff)\n#define AES_NOHW_ROW1_MASK \\\n _mm_set_epi32(0x0000ff00, 0x0000ff00, 0x0000ff00, 0x0000ff00)\n#define AES_NOHW_ROW2_MASK \\\n _mm_set_epi32(0x00ff0000, 0x00ff0000, 0x00ff0000, 0x00ff0000)\n#define AES_NOHW_ROW3_MASK \\\n _mm_set_epi32(0xff000000, 0xff000000, 0xff000000, 0xff000000)\n#define AES_NOHW_COL01_MASK \\\n _mm_set_epi32(0x00000000, 0x00000000, 0xffffffff, 0xffffffff)\n#define AES_NOHW_COL2_MASK \\\n _mm_set_epi32(0x00000000, 0xffffffff, 0x00000000, 0x00000000)\n#define AES_NOHW_COL3_MASK \\\n _mm_set_epi32(0xffffffff, 0x00000000, 0x00000000, 0x00000000)\n\nstatic inline aes_word_t aes_nohw_and(aes_word_t a, aes_word_t b) {\n return _mm_and_si128(a, b);\n}\n\nstatic inline aes_word_t aes_nohw_or(aes_word_t a, aes_word_t b) {\n return _mm_or_si128(a, b);\n}\n\nstatic inline aes_word_t aes_nohw_xor(aes_word_t a, aes_word_t b) {\n return _mm_xor_si128(a, b);\n}\n\nstatic inline aes_word_t aes_nohw_not(aes_word_t a) {\n return _mm_xor_si128(\n a, _mm_set_epi32(0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff));\n}\n\n// These are macros because parameters to |_mm_slli_si128| and |_mm_srli_si128|\n// must be constants.\n#define aes_nohw_shift_left(/* aes_word_t */ a, /* const */ i) \\\n _mm_slli_si128((a), (i))\n#define aes_nohw_shift_right(/* aes_word_t */ a, /* const */ i) \\\n _mm_srli_si128((a), (i))\n#else // !OPENSSL_SSE2\n#if defined(OPENSSL_64_BIT)\ntypedef uint64_t aes_word_t;\n#define AES_NOHW_WORD_SIZE 8\n#define AES_NOHW_BATCH_SIZE 4\n#define AES_NOHW_ROW0_MASK UINT64_C(0x000f000f000f000f)\n#define AES_NOHW_ROW1_MASK UINT64_C(0x00f000f000f000f0)\n#define AES_NOHW_ROW2_MASK UINT64_C(0x0f000f000f000f00)\n#define AES_NOHW_ROW3_MASK UINT64_C(0xf000f000f000f000)\n#define AES_NOHW_COL01_MASK UINT64_C(0x00000000ffffffff)\n#define AES_NOHW_COL2_MASK UINT64_C(0x0000ffff00000000)\n#define AES_NOHW_COL3_MASK UINT64_C(0xffff000000000000)\n#else // !OPENSSL_64_BIT\ntypedef uint32_t aes_word_t;\n#define AES_NOHW_WORD_SIZE 4\n#define AES_NOHW_BATCH_SIZE 2\n#define AES_NOHW_ROW0_MASK 0x03030303\n#define AES_NOHW_ROW1_MASK 0x0c0c0c0c\n#define AES_NOHW_ROW2_MASK 0x30303030\n#define AES_NOHW_ROW3_MASK 0xc0c0c0c0\n#define AES_NOHW_COL01_MASK 0x0000ffff\n#define AES_NOHW_COL2_MASK 0x00ff0000\n#define AES_NOHW_COL3_MASK 0xff000000\n#endif // OPENSSL_64_BIT\n\nstatic inline aes_word_t aes_nohw_and(aes_word_t a, aes_word_t b) {\n return a & b;\n}\n\nstatic inline aes_word_t aes_nohw_or(aes_word_t a, aes_word_t b) {\n return a | b;\n}\n\nstatic inline aes_word_t aes_nohw_xor(aes_word_t a, aes_word_t b) {\n return a ^ b;\n}\n\nstatic inline aes_word_t aes_nohw_not(aes_word_t a) { return ~a; }\n\nstatic inline aes_word_t aes_nohw_shift_left(aes_word_t a, aes_word_t i) {\n return a << (i * AES_NOHW_BATCH_SIZE);\n}\n\nstatic inline aes_word_t aes_nohw_shift_right(aes_word_t a, aes_word_t i) {\n return a >> (i * AES_NOHW_BATCH_SIZE);\n}\n#endif // OPENSSL_SSE2\n\nstatic_assert(AES_NOHW_BATCH_SIZE * 128 == 8 * 8 * sizeof(aes_word_t),\n \"batch size does not match word size\");\nstatic_assert(AES_NOHW_WORD_SIZE == sizeof(aes_word_t),\n \"AES_NOHW_WORD_SIZE is incorrect\");\n\n\n// Block representations.\n//\n// This implementation uses three representations for AES blocks. First, the\n// public API represents blocks as uint8_t[16] in the usual way. Second, most\n// AES steps are evaluated in bitsliced form, stored in an |AES_NOHW_BATCH|.\n// This stores |AES_NOHW_BATCH_SIZE| blocks in bitsliced order. For 64-bit words\n// containing bitsliced blocks a, b, c, d, this would be as follows (vertical\n// bars divide logical bytes):\n//\n// batch.w[0] = a0 b0 c0 d0 | a8 b8 c8 d8 | a16 b16 c16 d16 ...\n// batch.w[1] = a1 b1 c1 d1 | a9 b9 c9 d9 | a17 b17 c17 d17 ...\n// batch.w[2] = a2 b2 c2 d2 | a10 b10 c10 d10 | a18 b18 c18 d18 ...\n// batch.w[3] = a3 b3 c3 d3 | a11 b11 c11 d11 | a19 b19 c19 d19 ...\n// ...\n//\n// Finally, an individual block may be stored as an intermediate form in an\n// aes_word_t[AES_NOHW_BLOCK_WORDS]. In this form, we permute the bits in each\n// block, so that block[0]'s ith logical byte contains least-significant\n// |AES_NOHW_BATCH_SIZE| bits of byte i, block[1] contains the next group of\n// |AES_NOHW_BATCH_SIZE| bits, and so on. We refer to this transformation as\n// \"compacting\" the block. Note this is no-op with 128-bit words because then\n// |AES_NOHW_BLOCK_WORDS| is one and |AES_NOHW_BATCH_SIZE| is eight. For 64-bit\n// words, one block would be stored in two words:\n//\n// block[0] = a0 a1 a2 a3 | a8 a9 a10 a11 | a16 a17 a18 a19 ...\n// block[1] = a4 a5 a6 a7 | a12 a13 a14 a15 | a20 a21 a22 a23 ...\n//\n// Observe that the distances between corresponding bits in bitsliced and\n// compact bit orders match. If we line up corresponding words of each block,\n// the bitsliced and compact representations may be converted by tranposing bits\n// in corresponding logical bytes. Continuing the 64-bit example:\n//\n// block_a[0] = a0 a1 a2 a3 | a8 a9 a10 a11 | a16 a17 a18 a19 ...\n// block_b[0] = b0 b1 b2 b3 | b8 b9 b10 b11 | b16 b17 b18 b19 ...\n// block_c[0] = c0 c1 c2 c3 | c8 c9 c10 c11 | c16 c17 c18 c19 ...\n// block_d[0] = d0 d1 d2 d3 | d8 d9 d10 d11 | d16 d17 d18 d19 ...\n//\n// batch.w[0] = a0 b0 c0 d0 | a8 b8 c8 d8 | a16 b16 c16 d16 ...\n// batch.w[1] = a1 b1 c1 d1 | a9 b9 c9 d9 | a17 b17 c17 d17 ...\n// batch.w[2] = a2 b2 c2 d2 | a10 b10 c10 d10 | a18 b18 c18 d18 ...\n// batch.w[3] = a3 b3 c3 d3 | a11 b11 c11 d11 | a19 b19 c19 d19 ...\n//\n// Note also that bitwise operations and (logical) byte permutations on an\n// |aes_word_t| work equally for the bitsliced and compact words.\n//\n// We use the compact form in the |AES_KEY| representation to save work\n// inflating round keys into |AES_NOHW_BATCH|. The compact form also exists\n// temporarily while moving blocks in or out of an |AES_NOHW_BATCH|, immediately\n// before or after |aes_nohw_transpose|.\n\n#define AES_NOHW_BLOCK_WORDS (16 / sizeof(aes_word_t))\n\n// An AES_NOHW_BATCH stores |AES_NOHW_BATCH_SIZE| blocks. Unless otherwise\n// specified, it is in bitsliced form.\ntypedef struct {\n aes_word_t w[8];\n} AES_NOHW_BATCH;\n\n// An AES_NOHW_SCHEDULE is an expanded bitsliced AES key schedule. It is\n// suitable for encryption or decryption. It is as large as |AES_NOHW_BATCH|\n// |AES_KEY|s so it should not be used as a long-term key representation.\ntypedef struct {\n // keys is an array of batches, one for each round key. Each batch stores\n // |AES_NOHW_BATCH_SIZE| copies of the round key in bitsliced form.\n AES_NOHW_BATCH keys[AES_MAXNR + 1];\n} AES_NOHW_SCHEDULE;\n\n// aes_nohw_batch_set sets the |i|th block of |batch| to |in|. |batch| is in\n// compact form.\nstatic inline void aes_nohw_batch_set(AES_NOHW_BATCH *batch,\n const aes_word_t in[AES_NOHW_BLOCK_WORDS],\n size_t i) {\n // Note the words are interleaved. The order comes from |aes_nohw_transpose|.\n // If |i| is zero and this is the 64-bit implementation, in[0] contains bits\n // 0-3 and in[1] contains bits 4-7. We place in[0] at w[0] and in[1] at\n // w[4] so that bits 0 and 4 are in the correct position. (In general, bits\n // along diagonals of |AES_NOHW_BATCH_SIZE| by |AES_NOHW_BATCH_SIZE| squares\n // will be correctly placed.)\n assert(i < AES_NOHW_BATCH_SIZE);\n#if defined(OPENSSL_SSE2)\n batch->w[i] = in[0];\n#elif defined(OPENSSL_64_BIT)\n batch->w[i] = in[0];\n batch->w[i + 4] = in[1];\n#else\n batch->w[i] = in[0];\n batch->w[i + 2] = in[1];\n batch->w[i + 4] = in[2];\n batch->w[i + 6] = in[3];\n#endif\n}\n\n// aes_nohw_batch_get writes the |i|th block of |batch| to |out|. |batch| is in\n// compact form.\nstatic inline void aes_nohw_batch_get(const AES_NOHW_BATCH *batch,\n aes_word_t out[AES_NOHW_BLOCK_WORDS],\n size_t i) {\n assert(i < AES_NOHW_BATCH_SIZE);\n#if defined(OPENSSL_SSE2)\n out[0] = batch->w[i];\n#elif defined(OPENSSL_64_BIT)\n out[0] = batch->w[i];\n out[1] = batch->w[i + 4];\n#else\n out[0] = batch->w[i];\n out[1] = batch->w[i + 2];\n out[2] = batch->w[i + 4];\n out[3] = batch->w[i + 6];\n#endif\n}\n\n#if !defined(OPENSSL_SSE2)\n// aes_nohw_delta_swap returns |a| with bits |a & mask| and\n// |a & (mask << shift)| swapped. |mask| and |mask << shift| may not overlap.\nstatic inline aes_word_t aes_nohw_delta_swap(aes_word_t a, aes_word_t mask,\n aes_word_t shift) {\n // See\n // https://reflectionsonsecurity.wordpress.com/2014/05/11/efficient-bit-permutation-using-delta-swaps/\n aes_word_t b = (a ^ (a >> shift)) & mask;\n return a ^ b ^ (b << shift);\n}\n\n// In the 32-bit and 64-bit implementations, a block spans multiple words.\n// |aes_nohw_compact_block| must permute bits across different words. First we\n// implement |aes_nohw_compact_word| which performs a smaller version of the\n// transformation which stays within a single word.\n//\n// These transformations are generalizations of the output of\n// http://programming.sirrida.de/calcperm.php on smaller inputs.\n#if defined(OPENSSL_64_BIT)\nstatic inline uint64_t aes_nohw_compact_word(uint64_t a) {\n // Numbering the 64/2 = 16 4-bit chunks, least to most significant, we swap\n // quartets of those chunks:\n // 0 1 2 3 | 4 5 6 7 | 8 9 10 11 | 12 13 14 15 =>\n // 0 2 1 3 | 4 6 5 7 | 8 10 9 11 | 12 14 13 15\n a = aes_nohw_delta_swap(a, UINT64_C(0x00f000f000f000f0), 4);\n // Swap quartets of 8-bit chunks (still numbering by 4-bit chunks):\n // 0 2 1 3 | 4 6 5 7 | 8 10 9 11 | 12 14 13 15 =>\n // 0 2 4 6 | 1 3 5 7 | 8 10 12 14 | 9 11 13 15\n a = aes_nohw_delta_swap(a, UINT64_C(0x0000ff000000ff00), 8);\n // Swap quartets of 16-bit chunks (still numbering by 4-bit chunks):\n // 0 2 4 6 | 1 3 5 7 | 8 10 12 14 | 9 11 13 15 =>\n // 0 2 4 6 | 8 10 12 14 | 1 3 5 7 | 9 11 13 15\n a = aes_nohw_delta_swap(a, UINT64_C(0x00000000ffff0000), 16);\n return a;\n}\n\nstatic inline uint64_t aes_nohw_uncompact_word(uint64_t a) {\n // Reverse the steps of |aes_nohw_uncompact_word|.\n a = aes_nohw_delta_swap(a, UINT64_C(0x00000000ffff0000), 16);\n a = aes_nohw_delta_swap(a, UINT64_C(0x0000ff000000ff00), 8);\n a = aes_nohw_delta_swap(a, UINT64_C(0x00f000f000f000f0), 4);\n return a;\n}\n#else // !OPENSSL_64_BIT\nstatic inline uint32_t aes_nohw_compact_word(uint32_t a) {\n // Numbering the 32/2 = 16 pairs of bits, least to most significant, we swap:\n // 0 1 2 3 | 4 5 6 7 | 8 9 10 11 | 12 13 14 15 =>\n // 0 4 2 6 | 1 5 3 7 | 8 12 10 14 | 9 13 11 15\n // Note: 0x00cc = 0b0000_0000_1100_1100\n // 0x00cc << 6 = 0b0011_0011_0000_0000\n a = aes_nohw_delta_swap(a, 0x00cc00cc, 6);\n // Now we swap groups of four bits (still numbering by pairs):\n // 0 4 2 6 | 1 5 3 7 | 8 12 10 14 | 9 13 11 15 =>\n // 0 4 8 12 | 1 5 9 13 | 2 6 10 14 | 3 7 11 15\n // Note: 0x0000_f0f0 << 12 = 0x0f0f_0000\n a = aes_nohw_delta_swap(a, 0x0000f0f0, 12);\n return a;\n}\n\nstatic inline uint32_t aes_nohw_uncompact_word(uint32_t a) {\n // Reverse the steps of |aes_nohw_uncompact_word|.\n a = aes_nohw_delta_swap(a, 0x0000f0f0, 12);\n a = aes_nohw_delta_swap(a, 0x00cc00cc, 6);\n return a;\n}\n\nstatic inline uint32_t aes_nohw_word_from_bytes(uint8_t a0, uint8_t a1,\n uint8_t a2, uint8_t a3) {\n return (uint32_t)a0 | ((uint32_t)a1 << 8) | ((uint32_t)a2 << 16) |\n ((uint32_t)a3 << 24);\n}\n#endif // OPENSSL_64_BIT\n#endif // !OPENSSL_SSE2\n\nstatic inline void aes_nohw_compact_block(aes_word_t out[AES_NOHW_BLOCK_WORDS],\n const uint8_t in[16]) {\n memcpy(out, in, 16);\n#if defined(OPENSSL_SSE2)\n // No conversions needed.\n#elif defined(OPENSSL_64_BIT)\n uint64_t a0 = aes_nohw_compact_word(out[0]);\n uint64_t a1 = aes_nohw_compact_word(out[1]);\n out[0] = (a0 & UINT64_C(0x00000000ffffffff)) | (a1 << 32);\n out[1] = (a1 & UINT64_C(0xffffffff00000000)) | (a0 >> 32);\n#else\n uint32_t a0 = aes_nohw_compact_word(out[0]);\n uint32_t a1 = aes_nohw_compact_word(out[1]);\n uint32_t a2 = aes_nohw_compact_word(out[2]);\n uint32_t a3 = aes_nohw_compact_word(out[3]);\n // Note clang, when building for ARM Thumb2, will sometimes miscompile\n // expressions such as (a0 & 0x0000ff00) << 8, particularly when building\n // without optimizations. This bug was introduced in\n // https://reviews.llvm.org/rL340261 and fixed in\n // https://reviews.llvm.org/rL351310. The following is written to avoid this.\n out[0] = aes_nohw_word_from_bytes(a0, a1, a2, a3);\n out[1] = aes_nohw_word_from_bytes(a0 >> 8, a1 >> 8, a2 >> 8, a3 >> 8);\n out[2] = aes_nohw_word_from_bytes(a0 >> 16, a1 >> 16, a2 >> 16, a3 >> 16);\n out[3] = aes_nohw_word_from_bytes(a0 >> 24, a1 >> 24, a2 >> 24, a3 >> 24);\n#endif\n}\n\nstatic inline void aes_nohw_uncompact_block(\n uint8_t out[16], const aes_word_t in[AES_NOHW_BLOCK_WORDS]) {\n#if defined(OPENSSL_SSE2)\n memcpy(out, in, 16); // No conversions needed.\n#elif defined(OPENSSL_64_BIT)\n uint64_t a0 = in[0];\n uint64_t a1 = in[1];\n uint64_t b0 =\n aes_nohw_uncompact_word((a0 & UINT64_C(0x00000000ffffffff)) | (a1 << 32));\n uint64_t b1 =\n aes_nohw_uncompact_word((a1 & UINT64_C(0xffffffff00000000)) | (a0 >> 32));\n memcpy(out, &b0, 8);\n memcpy(out + 8, &b1, 8);\n#else\n uint32_t a0 = in[0];\n uint32_t a1 = in[1];\n uint32_t a2 = in[2];\n uint32_t a3 = in[3];\n // Note clang, when building for ARM Thumb2, will sometimes miscompile\n // expressions such as (a0 & 0x0000ff00) << 8, particularly when building\n // without optimizations. This bug was introduced in\n // https://reviews.llvm.org/rL340261 and fixed in\n // https://reviews.llvm.org/rL351310. The following is written to avoid this.\n uint32_t b0 = aes_nohw_word_from_bytes(a0, a1, a2, a3);\n uint32_t b1 = aes_nohw_word_from_bytes(a0 >> 8, a1 >> 8, a2 >> 8, a3 >> 8);\n uint32_t b2 =\n aes_nohw_word_from_bytes(a0 >> 16, a1 >> 16, a2 >> 16, a3 >> 16);\n uint32_t b3 =\n aes_nohw_word_from_bytes(a0 >> 24, a1 >> 24, a2 >> 24, a3 >> 24);\n b0 = aes_nohw_uncompact_word(b0);\n b1 = aes_nohw_uncompact_word(b1);\n b2 = aes_nohw_uncompact_word(b2);\n b3 = aes_nohw_uncompact_word(b3);\n memcpy(out, &b0, 4);\n memcpy(out + 4, &b1, 4);\n memcpy(out + 8, &b2, 4);\n memcpy(out + 12, &b3, 4);\n#endif\n}\n\n// aes_nohw_swap_bits is a variation on a delta swap. It swaps the bits in\n// |*a & (mask << shift)| with the bits in |*b & mask|. |mask| and\n// |mask << shift| must not overlap. |mask| is specified as a |uint32_t|, but it\n// is repeated to the full width of |aes_word_t|.\n#if defined(OPENSSL_SSE2)\n// This must be a macro because |_mm_srli_epi32| and |_mm_slli_epi32| require\n// constant shift values.\n#define aes_nohw_swap_bits(/*__m128i* */ a, /*__m128i* */ b, \\\n /* uint32_t */ mask, /* const */ shift) \\\n do { \\\n __m128i swap = \\\n _mm_and_si128(_mm_xor_si128(_mm_srli_epi32(*(a), (shift)), *(b)), \\\n _mm_set_epi32((mask), (mask), (mask), (mask))); \\\n *(a) = _mm_xor_si128(*(a), _mm_slli_epi32(swap, (shift))); \\\n *(b) = _mm_xor_si128(*(b), swap); \\\n \\\n } while (0)\n#else\nstatic inline void aes_nohw_swap_bits(aes_word_t *a, aes_word_t *b,\n uint32_t mask, aes_word_t shift) {\n#if defined(OPENSSL_64_BIT)\n aes_word_t mask_w = (((uint64_t)mask) << 32) | mask;\n#else\n aes_word_t mask_w = mask;\n#endif\n // This is a variation on a delta swap.\n aes_word_t swap = ((*a >> shift) ^ *b) & mask_w;\n *a ^= swap << shift;\n *b ^= swap;\n}\n#endif // OPENSSL_SSE2\n\n// aes_nohw_transpose converts |batch| to and from bitsliced form. It divides\n// the 8 × word_size bits into AES_NOHW_BATCH_SIZE × AES_NOHW_BATCH_SIZE squares\n// and transposes each square.\nstatic void aes_nohw_transpose(AES_NOHW_BATCH *batch) {\n // Swap bits with index 0 and 1 mod 2 (0x55 = 0b01010101).\n aes_nohw_swap_bits(&batch->w[0], &batch->w[1], 0x55555555, 1);\n aes_nohw_swap_bits(&batch->w[2], &batch->w[3], 0x55555555, 1);\n aes_nohw_swap_bits(&batch->w[4], &batch->w[5], 0x55555555, 1);\n aes_nohw_swap_bits(&batch->w[6], &batch->w[7], 0x55555555, 1);\n\n#if AES_NOHW_BATCH_SIZE >= 4\n // Swap bits with index 0-1 and 2-3 mod 4 (0x33 = 0b00110011).\n aes_nohw_swap_bits(&batch->w[0], &batch->w[2], 0x33333333, 2);\n aes_nohw_swap_bits(&batch->w[1], &batch->w[3], 0x33333333, 2);\n aes_nohw_swap_bits(&batch->w[4], &batch->w[6], 0x33333333, 2);\n aes_nohw_swap_bits(&batch->w[5], &batch->w[7], 0x33333333, 2);\n#endif\n\n#if AES_NOHW_BATCH_SIZE >= 8\n // Swap bits with index 0-3 and 4-7 mod 8 (0x0f = 0b00001111).\n aes_nohw_swap_bits(&batch->w[0], &batch->w[4], 0x0f0f0f0f, 4);\n aes_nohw_swap_bits(&batch->w[1], &batch->w[5], 0x0f0f0f0f, 4);\n aes_nohw_swap_bits(&batch->w[2], &batch->w[6], 0x0f0f0f0f, 4);\n aes_nohw_swap_bits(&batch->w[3], &batch->w[7], 0x0f0f0f0f, 4);\n#endif\n}\n\n// aes_nohw_to_batch initializes |out| with the |num_blocks| blocks from |in|.\n// |num_blocks| must be at most |AES_NOHW_BATCH|.\nstatic void aes_nohw_to_batch(AES_NOHW_BATCH *out, const uint8_t *in,\n size_t num_blocks) {\n // Don't leave unused blocks uninitialized.\n memset(out, 0, sizeof(AES_NOHW_BATCH));\n assert(num_blocks <= AES_NOHW_BATCH_SIZE);\n for (size_t i = 0; i < num_blocks; i++) {\n aes_word_t block[AES_NOHW_BLOCK_WORDS];\n aes_nohw_compact_block(block, in + 16 * i);\n aes_nohw_batch_set(out, block, i);\n }\n\n aes_nohw_transpose(out);\n}\n\n// aes_nohw_to_batch writes the first |num_blocks| blocks in |batch| to |out|.\n// |num_blocks| must be at most |AES_NOHW_BATCH|.\nstatic void aes_nohw_from_batch(uint8_t *out, size_t num_blocks,\n const AES_NOHW_BATCH *batch) {\n AES_NOHW_BATCH copy = *batch;\n aes_nohw_transpose(©);\n\n assert(num_blocks <= AES_NOHW_BATCH_SIZE);\n for (size_t i = 0; i < num_blocks; i++) {\n aes_word_t block[AES_NOHW_BLOCK_WORDS];\n aes_nohw_batch_get(©, block, i);\n aes_nohw_uncompact_block(out + 16 * i, block);\n }\n}\n\n\n// AES round steps.\n\nstatic void aes_nohw_add_round_key(AES_NOHW_BATCH *batch,\n const AES_NOHW_BATCH *key) {\n for (size_t i = 0; i < 8; i++) {\n batch->w[i] = aes_nohw_xor(batch->w[i], key->w[i]);\n }\n}\n\nstatic void aes_nohw_sub_bytes(AES_NOHW_BATCH *batch) {\n // See https://eprint.iacr.org/2009/191.pdf, Appendix C.\n aes_word_t x0 = batch->w[7];\n aes_word_t x1 = batch->w[6];\n aes_word_t x2 = batch->w[5];\n aes_word_t x3 = batch->w[4];\n aes_word_t x4 = batch->w[3];\n aes_word_t x5 = batch->w[2];\n aes_word_t x6 = batch->w[1];\n aes_word_t x7 = batch->w[0];\n\n // Figure 2, the top linear transformation.\n aes_word_t y14 = aes_nohw_xor(x3, x5);\n aes_word_t y13 = aes_nohw_xor(x0, x6);\n aes_word_t y9 = aes_nohw_xor(x0, x3);\n aes_word_t y8 = aes_nohw_xor(x0, x5);\n aes_word_t t0 = aes_nohw_xor(x1, x2);\n aes_word_t y1 = aes_nohw_xor(t0, x7);\n aes_word_t y4 = aes_nohw_xor(y1, x3);\n aes_word_t y12 = aes_nohw_xor(y13, y14);\n aes_word_t y2 = aes_nohw_xor(y1, x0);\n aes_word_t y5 = aes_nohw_xor(y1, x6);\n aes_word_t y3 = aes_nohw_xor(y5, y8);\n aes_word_t t1 = aes_nohw_xor(x4, y12);\n aes_word_t y15 = aes_nohw_xor(t1, x5);\n aes_word_t y20 = aes_nohw_xor(t1, x1);\n aes_word_t y6 = aes_nohw_xor(y15, x7);\n aes_word_t y10 = aes_nohw_xor(y15, t0);\n aes_word_t y11 = aes_nohw_xor(y20, y9);\n aes_word_t y7 = aes_nohw_xor(x7, y11);\n aes_word_t y17 = aes_nohw_xor(y10, y11);\n aes_word_t y19 = aes_nohw_xor(y10, y8);\n aes_word_t y16 = aes_nohw_xor(t0, y11);\n aes_word_t y21 = aes_nohw_xor(y13, y16);\n aes_word_t y18 = aes_nohw_xor(x0, y16);\n\n // Figure 3, the middle non-linear section.\n aes_word_t t2 = aes_nohw_and(y12, y15);\n aes_word_t t3 = aes_nohw_and(y3, y6);\n aes_word_t t4 = aes_nohw_xor(t3, t2);\n aes_word_t t5 = aes_nohw_and(y4, x7);\n aes_word_t t6 = aes_nohw_xor(t5, t2);\n aes_word_t t7 = aes_nohw_and(y13, y16);\n aes_word_t t8 = aes_nohw_and(y5, y1);\n aes_word_t t9 = aes_nohw_xor(t8, t7);\n aes_word_t t10 = aes_nohw_and(y2, y7);\n aes_word_t t11 = aes_nohw_xor(t10, t7);\n aes_word_t t12 = aes_nohw_and(y9, y11);\n aes_word_t t13 = aes_nohw_and(y14, y17);\n aes_word_t t14 = aes_nohw_xor(t13, t12);\n aes_word_t t15 = aes_nohw_and(y8, y10);\n aes_word_t t16 = aes_nohw_xor(t15, t12);\n aes_word_t t17 = aes_nohw_xor(t4, t14);\n aes_word_t t18 = aes_nohw_xor(t6, t16);\n aes_word_t t19 = aes_nohw_xor(t9, t14);\n aes_word_t t20 = aes_nohw_xor(t11, t16);\n aes_word_t t21 = aes_nohw_xor(t17, y20);\n aes_word_t t22 = aes_nohw_xor(t18, y19);\n aes_word_t t23 = aes_nohw_xor(t19, y21);\n aes_word_t t24 = aes_nohw_xor(t20, y18);\n aes_word_t t25 = aes_nohw_xor(t21, t22);\n aes_word_t t26 = aes_nohw_and(t21, t23);\n aes_word_t t27 = aes_nohw_xor(t24, t26);\n aes_word_t t28 = aes_nohw_and(t25, t27);\n aes_word_t t29 = aes_nohw_xor(t28, t22);\n aes_word_t t30 = aes_nohw_xor(t23, t24);\n aes_word_t t31 = aes_nohw_xor(t22, t26);\n aes_word_t t32 = aes_nohw_and(t31, t30);\n aes_word_t t33 = aes_nohw_xor(t32, t24);\n aes_word_t t34 = aes_nohw_xor(t23, t33);\n aes_word_t t35 = aes_nohw_xor(t27, t33);\n aes_word_t t36 = aes_nohw_and(t24, t35);\n aes_word_t t37 = aes_nohw_xor(t36, t34);\n aes_word_t t38 = aes_nohw_xor(t27, t36);\n aes_word_t t39 = aes_nohw_and(t29, t38);\n aes_word_t t40 = aes_nohw_xor(t25, t39);\n aes_word_t t41 = aes_nohw_xor(t40, t37);\n aes_word_t t42 = aes_nohw_xor(t29, t33);\n aes_word_t t43 = aes_nohw_xor(t29, t40);\n aes_word_t t44 = aes_nohw_xor(t33, t37);\n aes_word_t t45 = aes_nohw_xor(t42, t41);\n aes_word_t z0 = aes_nohw_and(t44, y15);\n aes_word_t z1 = aes_nohw_and(t37, y6);\n aes_word_t z2 = aes_nohw_and(t33, x7);\n aes_word_t z3 = aes_nohw_and(t43, y16);\n aes_word_t z4 = aes_nohw_and(t40, y1);\n aes_word_t z5 = aes_nohw_and(t29, y7);\n aes_word_t z6 = aes_nohw_and(t42, y11);\n aes_word_t z7 = aes_nohw_and(t45, y17);\n aes_word_t z8 = aes_nohw_and(t41, y10);\n aes_word_t z9 = aes_nohw_and(t44, y12);\n aes_word_t z10 = aes_nohw_and(t37, y3);\n aes_word_t z11 = aes_nohw_and(t33, y4);\n aes_word_t z12 = aes_nohw_and(t43, y13);\n aes_word_t z13 = aes_nohw_and(t40, y5);\n aes_word_t z14 = aes_nohw_and(t29, y2);\n aes_word_t z15 = aes_nohw_and(t42, y9);\n aes_word_t z16 = aes_nohw_and(t45, y14);\n aes_word_t z17 = aes_nohw_and(t41, y8);\n\n // Figure 4, bottom linear transformation.\n aes_word_t t46 = aes_nohw_xor(z15, z16);\n aes_word_t t47 = aes_nohw_xor(z10, z11);\n aes_word_t t48 = aes_nohw_xor(z5, z13);\n aes_word_t t49 = aes_nohw_xor(z9, z10);\n aes_word_t t50 = aes_nohw_xor(z2, z12);\n aes_word_t t51 = aes_nohw_xor(z2, z5);\n aes_word_t t52 = aes_nohw_xor(z7, z8);\n aes_word_t t53 = aes_nohw_xor(z0, z3);\n aes_word_t t54 = aes_nohw_xor(z6, z7);\n aes_word_t t55 = aes_nohw_xor(z16, z17);\n aes_word_t t56 = aes_nohw_xor(z12, t48);\n aes_word_t t57 = aes_nohw_xor(t50, t53);\n aes_word_t t58 = aes_nohw_xor(z4, t46);\n aes_word_t t59 = aes_nohw_xor(z3, t54);\n aes_word_t t60 = aes_nohw_xor(t46, t57);\n aes_word_t t61 = aes_nohw_xor(z14, t57);\n aes_word_t t62 = aes_nohw_xor(t52, t58);\n aes_word_t t63 = aes_nohw_xor(t49, t58);\n aes_word_t t64 = aes_nohw_xor(z4, t59);\n aes_word_t t65 = aes_nohw_xor(t61, t62);\n aes_word_t t66 = aes_nohw_xor(z1, t63);\n aes_word_t s0 = aes_nohw_xor(t59, t63);\n aes_word_t s6 = aes_nohw_xor(t56, aes_nohw_not(t62));\n aes_word_t s7 = aes_nohw_xor(t48, aes_nohw_not(t60));\n aes_word_t t67 = aes_nohw_xor(t64, t65);\n aes_word_t s3 = aes_nohw_xor(t53, t66);\n aes_word_t s4 = aes_nohw_xor(t51, t66);\n aes_word_t s5 = aes_nohw_xor(t47, t65);\n aes_word_t s1 = aes_nohw_xor(t64, aes_nohw_not(s3));\n aes_word_t s2 = aes_nohw_xor(t55, aes_nohw_not(t67));\n\n batch->w[0] = s7;\n batch->w[1] = s6;\n batch->w[2] = s5;\n batch->w[3] = s4;\n batch->w[4] = s3;\n batch->w[5] = s2;\n batch->w[6] = s1;\n batch->w[7] = s0;\n}\n\n// aes_nohw_sub_bytes_inv_affine inverts the affine transform portion of the AES\n// S-box, defined in FIPS PUB 197, section 5.1.1, step 2.\nstatic void aes_nohw_sub_bytes_inv_affine(AES_NOHW_BATCH *batch) {\n aes_word_t a0 = batch->w[0];\n aes_word_t a1 = batch->w[1];\n aes_word_t a2 = batch->w[2];\n aes_word_t a3 = batch->w[3];\n aes_word_t a4 = batch->w[4];\n aes_word_t a5 = batch->w[5];\n aes_word_t a6 = batch->w[6];\n aes_word_t a7 = batch->w[7];\n\n // Apply the circulant [0 0 1 0 0 1 0 1]. This is the inverse of the circulant\n // [1 0 0 0 1 1 1 1].\n aes_word_t b0 = aes_nohw_xor(a2, aes_nohw_xor(a5, a7));\n aes_word_t b1 = aes_nohw_xor(a3, aes_nohw_xor(a6, a0));\n aes_word_t b2 = aes_nohw_xor(a4, aes_nohw_xor(a7, a1));\n aes_word_t b3 = aes_nohw_xor(a5, aes_nohw_xor(a0, a2));\n aes_word_t b4 = aes_nohw_xor(a6, aes_nohw_xor(a1, a3));\n aes_word_t b5 = aes_nohw_xor(a7, aes_nohw_xor(a2, a4));\n aes_word_t b6 = aes_nohw_xor(a0, aes_nohw_xor(a3, a5));\n aes_word_t b7 = aes_nohw_xor(a1, aes_nohw_xor(a4, a6));\n\n // XOR 0x05. Equivalently, we could XOR 0x63 before applying the circulant,\n // but 0x05 has lower Hamming weight. (0x05 is the circulant applied to 0x63.)\n batch->w[0] = aes_nohw_not(b0);\n batch->w[1] = b1;\n batch->w[2] = aes_nohw_not(b2);\n batch->w[3] = b3;\n batch->w[4] = b4;\n batch->w[5] = b5;\n batch->w[6] = b6;\n batch->w[7] = b7;\n}\n\nstatic void aes_nohw_inv_sub_bytes(AES_NOHW_BATCH *batch) {\n // We implement the inverse S-box using the forwards implementation with the\n // technique described in https://www.bearssl.org/constanttime.html#aes.\n //\n // The forwards S-box inverts its input and applies an affine transformation:\n // S(x) = A(Inv(x)). Thus Inv(x) = InvA(S(x)). The inverse S-box is then:\n //\n // InvS(x) = Inv(InvA(x)).\n // = InvA(S(InvA(x)))\n aes_nohw_sub_bytes_inv_affine(batch);\n aes_nohw_sub_bytes(batch);\n aes_nohw_sub_bytes_inv_affine(batch);\n}\n\n// aes_nohw_rotate_cols_right returns |v| with the columns in each row rotated\n// to the right by |n|. This is a macro because |aes_nohw_shift_*| require\n// constant shift counts in the SSE2 implementation.\n#define aes_nohw_rotate_cols_right(/* aes_word_t */ v, /* const */ n) \\\n (aes_nohw_or(aes_nohw_shift_right((v), (n)*4), \\\n aes_nohw_shift_left((v), 16 - (n)*4)))\n\nstatic void aes_nohw_shift_rows(AES_NOHW_BATCH *batch) {\n for (size_t i = 0; i < 8; i++) {\n aes_word_t row0 = aes_nohw_and(batch->w[i], AES_NOHW_ROW0_MASK);\n aes_word_t row1 = aes_nohw_and(batch->w[i], AES_NOHW_ROW1_MASK);\n aes_word_t row2 = aes_nohw_and(batch->w[i], AES_NOHW_ROW2_MASK);\n aes_word_t row3 = aes_nohw_and(batch->w[i], AES_NOHW_ROW3_MASK);\n row1 = aes_nohw_rotate_cols_right(row1, 1);\n row2 = aes_nohw_rotate_cols_right(row2, 2);\n row3 = aes_nohw_rotate_cols_right(row3, 3);\n batch->w[i] = aes_nohw_or(aes_nohw_or(row0, row1), aes_nohw_or(row2, row3));\n }\n}\n\nstatic void aes_nohw_inv_shift_rows(AES_NOHW_BATCH *batch) {\n for (size_t i = 0; i < 8; i++) {\n aes_word_t row0 = aes_nohw_and(batch->w[i], AES_NOHW_ROW0_MASK);\n aes_word_t row1 = aes_nohw_and(batch->w[i], AES_NOHW_ROW1_MASK);\n aes_word_t row2 = aes_nohw_and(batch->w[i], AES_NOHW_ROW2_MASK);\n aes_word_t row3 = aes_nohw_and(batch->w[i], AES_NOHW_ROW3_MASK);\n row1 = aes_nohw_rotate_cols_right(row1, 3);\n row2 = aes_nohw_rotate_cols_right(row2, 2);\n row3 = aes_nohw_rotate_cols_right(row3, 1);\n batch->w[i] = aes_nohw_or(aes_nohw_or(row0, row1), aes_nohw_or(row2, row3));\n }\n}\n\n// aes_nohw_rotate_rows_down returns |v| with the rows in each column rotated\n// down by one.\nstatic inline aes_word_t aes_nohw_rotate_rows_down(aes_word_t v) {\n#if defined(OPENSSL_SSE2)\n return _mm_or_si128(_mm_srli_epi32(v, 8), _mm_slli_epi32(v, 24));\n#elif defined(OPENSSL_64_BIT)\n return ((v >> 4) & UINT64_C(0x0fff0fff0fff0fff)) |\n ((v << 12) & UINT64_C(0xf000f000f000f000));\n#else\n return ((v >> 2) & 0x3f3f3f3f) | ((v << 6) & 0xc0c0c0c0);\n#endif\n}\n\n// aes_nohw_rotate_rows_twice returns |v| with the rows in each column rotated\n// by two.\nstatic inline aes_word_t aes_nohw_rotate_rows_twice(aes_word_t v) {\n#if defined(OPENSSL_SSE2)\n return _mm_or_si128(_mm_srli_epi32(v, 16), _mm_slli_epi32(v, 16));\n#elif defined(OPENSSL_64_BIT)\n return ((v >> 8) & UINT64_C(0x00ff00ff00ff00ff)) |\n ((v << 8) & UINT64_C(0xff00ff00ff00ff00));\n#else\n return ((v >> 4) & 0x0f0f0f0f) | ((v << 4) & 0xf0f0f0f0);\n#endif\n}\n\nstatic void aes_nohw_mix_columns(AES_NOHW_BATCH *batch) {\n // See https://eprint.iacr.org/2009/129.pdf, section 4.4 and appendix A.\n aes_word_t a0 = batch->w[0];\n aes_word_t a1 = batch->w[1];\n aes_word_t a2 = batch->w[2];\n aes_word_t a3 = batch->w[3];\n aes_word_t a4 = batch->w[4];\n aes_word_t a5 = batch->w[5];\n aes_word_t a6 = batch->w[6];\n aes_word_t a7 = batch->w[7];\n\n aes_word_t r0 = aes_nohw_rotate_rows_down(a0);\n aes_word_t a0_r0 = aes_nohw_xor(a0, r0);\n aes_word_t r1 = aes_nohw_rotate_rows_down(a1);\n aes_word_t a1_r1 = aes_nohw_xor(a1, r1);\n aes_word_t r2 = aes_nohw_rotate_rows_down(a2);\n aes_word_t a2_r2 = aes_nohw_xor(a2, r2);\n aes_word_t r3 = aes_nohw_rotate_rows_down(a3);\n aes_word_t a3_r3 = aes_nohw_xor(a3, r3);\n aes_word_t r4 = aes_nohw_rotate_rows_down(a4);\n aes_word_t a4_r4 = aes_nohw_xor(a4, r4);\n aes_word_t r5 = aes_nohw_rotate_rows_down(a5);\n aes_word_t a5_r5 = aes_nohw_xor(a5, r5);\n aes_word_t r6 = aes_nohw_rotate_rows_down(a6);\n aes_word_t a6_r6 = aes_nohw_xor(a6, r6);\n aes_word_t r7 = aes_nohw_rotate_rows_down(a7);\n aes_word_t a7_r7 = aes_nohw_xor(a7, r7);\n\n batch->w[0] =\n aes_nohw_xor(aes_nohw_xor(a7_r7, r0), aes_nohw_rotate_rows_twice(a0_r0));\n batch->w[1] =\n aes_nohw_xor(aes_nohw_xor(a0_r0, a7_r7),\n aes_nohw_xor(r1, aes_nohw_rotate_rows_twice(a1_r1)));\n batch->w[2] =\n aes_nohw_xor(aes_nohw_xor(a1_r1, r2), aes_nohw_rotate_rows_twice(a2_r2));\n batch->w[3] =\n aes_nohw_xor(aes_nohw_xor(a2_r2, a7_r7),\n aes_nohw_xor(r3, aes_nohw_rotate_rows_twice(a3_r3)));\n batch->w[4] =\n aes_nohw_xor(aes_nohw_xor(a3_r3, a7_r7),\n aes_nohw_xor(r4, aes_nohw_rotate_rows_twice(a4_r4)));\n batch->w[5] =\n aes_nohw_xor(aes_nohw_xor(a4_r4, r5), aes_nohw_rotate_rows_twice(a5_r5));\n batch->w[6] =\n aes_nohw_xor(aes_nohw_xor(a5_r5, r6), aes_nohw_rotate_rows_twice(a6_r6));\n batch->w[7] =\n aes_nohw_xor(aes_nohw_xor(a6_r6, r7), aes_nohw_rotate_rows_twice(a7_r7));\n}\n\nstatic void aes_nohw_inv_mix_columns(AES_NOHW_BATCH *batch) {\n aes_word_t a0 = batch->w[0];\n aes_word_t a1 = batch->w[1];\n aes_word_t a2 = batch->w[2];\n aes_word_t a3 = batch->w[3];\n aes_word_t a4 = batch->w[4];\n aes_word_t a5 = batch->w[5];\n aes_word_t a6 = batch->w[6];\n aes_word_t a7 = batch->w[7];\n\n // bsaes-x86_64.pl describes the following decomposition of the inverse\n // MixColumns matrix, credited to Jussi Kivilinna. This gives a much simpler\n // multiplication.\n //\n // | 0e 0b 0d 09 | | 02 03 01 01 | | 05 00 04 00 |\n // | 09 0e 0b 0d | = | 01 02 03 01 | x | 00 05 00 04 |\n // | 0d 09 0e 0b | | 01 01 02 03 | | 04 00 05 00 |\n // | 0b 0d 09 0e | | 03 01 01 02 | | 00 04 00 05 |\n //\n // First, apply the [5 0 4 0] matrix. Multiplying by 4 in F_(2^8) is described\n // by the following bit equations:\n //\n // b0 = a6\n // b1 = a6 ^ a7\n // b2 = a0 ^ a7\n // b3 = a1 ^ a6\n // b4 = a2 ^ a6 ^ a7\n // b5 = a3 ^ a7\n // b6 = a4\n // b7 = a5\n //\n // Each coefficient is given by:\n //\n // b_ij = 05·a_ij ⊕ 04·a_i(j+2) = 04·(a_ij ⊕ a_i(j+2)) ⊕ a_ij\n //\n // We combine the two equations below. Note a_i(j+2) is a row rotation.\n aes_word_t a0_r0 = aes_nohw_xor(a0, aes_nohw_rotate_rows_twice(a0));\n aes_word_t a1_r1 = aes_nohw_xor(a1, aes_nohw_rotate_rows_twice(a1));\n aes_word_t a2_r2 = aes_nohw_xor(a2, aes_nohw_rotate_rows_twice(a2));\n aes_word_t a3_r3 = aes_nohw_xor(a3, aes_nohw_rotate_rows_twice(a3));\n aes_word_t a4_r4 = aes_nohw_xor(a4, aes_nohw_rotate_rows_twice(a4));\n aes_word_t a5_r5 = aes_nohw_xor(a5, aes_nohw_rotate_rows_twice(a5));\n aes_word_t a6_r6 = aes_nohw_xor(a6, aes_nohw_rotate_rows_twice(a6));\n aes_word_t a7_r7 = aes_nohw_xor(a7, aes_nohw_rotate_rows_twice(a7));\n\n batch->w[0] = aes_nohw_xor(a0, a6_r6);\n batch->w[1] = aes_nohw_xor(a1, aes_nohw_xor(a6_r6, a7_r7));\n batch->w[2] = aes_nohw_xor(a2, aes_nohw_xor(a0_r0, a7_r7));\n batch->w[3] = aes_nohw_xor(a3, aes_nohw_xor(a1_r1, a6_r6));\n batch->w[4] =\n aes_nohw_xor(aes_nohw_xor(a4, a2_r2), aes_nohw_xor(a6_r6, a7_r7));\n batch->w[5] = aes_nohw_xor(a5, aes_nohw_xor(a3_r3, a7_r7));\n batch->w[6] = aes_nohw_xor(a6, a4_r4);\n batch->w[7] = aes_nohw_xor(a7, a5_r5);\n\n // Apply the [02 03 01 01] matrix, which is just MixColumns.\n aes_nohw_mix_columns(batch);\n}\n\nstatic void aes_nohw_encrypt_batch(const AES_NOHW_SCHEDULE *key,\n size_t num_rounds, AES_NOHW_BATCH *batch) {\n aes_nohw_add_round_key(batch, &key->keys[0]);\n for (size_t i = 1; i < num_rounds; i++) {\n aes_nohw_sub_bytes(batch);\n aes_nohw_shift_rows(batch);\n aes_nohw_mix_columns(batch);\n aes_nohw_add_round_key(batch, &key->keys[i]);\n }\n aes_nohw_sub_bytes(batch);\n aes_nohw_shift_rows(batch);\n aes_nohw_add_round_key(batch, &key->keys[num_rounds]);\n}\n\nstatic void aes_nohw_decrypt_batch(const AES_NOHW_SCHEDULE *key,\n size_t num_rounds, AES_NOHW_BATCH *batch) {\n aes_nohw_add_round_key(batch, &key->keys[num_rounds]);\n aes_nohw_inv_shift_rows(batch);\n aes_nohw_inv_sub_bytes(batch);\n for (size_t i = num_rounds - 1; i > 0; i--) {\n aes_nohw_add_round_key(batch, &key->keys[i]);\n aes_nohw_inv_mix_columns(batch);\n aes_nohw_inv_shift_rows(batch);\n aes_nohw_inv_sub_bytes(batch);\n }\n aes_nohw_add_round_key(batch, &key->keys[0]);\n}\n\n\n// Key schedule.\n\nstatic void aes_nohw_expand_round_keys(AES_NOHW_SCHEDULE *out,\n const AES_KEY *key) {\n for (size_t i = 0; i <= key->rounds; i++) {\n // Copy the round key into each block in the batch.\n for (size_t j = 0; j < AES_NOHW_BATCH_SIZE; j++) {\n aes_word_t tmp[AES_NOHW_BLOCK_WORDS];\n memcpy(tmp, key->rd_key + 4 * i, 16);\n aes_nohw_batch_set(&out->keys[i], tmp, j);\n }\n aes_nohw_transpose(&out->keys[i]);\n }\n}\n\nstatic const uint8_t aes_nohw_rcon[10] = {0x01, 0x02, 0x04, 0x08, 0x10,\n 0x20, 0x40, 0x80, 0x1b, 0x36};\n\n// aes_nohw_rcon_slice returns the |i|th group of |AES_NOHW_BATCH_SIZE| bits in\n// |rcon|, stored in a |aes_word_t|.\nstatic inline aes_word_t aes_nohw_rcon_slice(uint8_t rcon, size_t i) {\n rcon = (rcon >> (i * AES_NOHW_BATCH_SIZE)) & ((1 << AES_NOHW_BATCH_SIZE) - 1);\n#if defined(OPENSSL_SSE2)\n return _mm_set_epi32(0, 0, 0, rcon);\n#else\n return ((aes_word_t)rcon);\n#endif\n}\n\nstatic void aes_nohw_sub_block(aes_word_t out[AES_NOHW_BLOCK_WORDS],\n const aes_word_t in[AES_NOHW_BLOCK_WORDS]) {\n AES_NOHW_BATCH batch;\n memset(&batch, 0, sizeof(batch));\n aes_nohw_batch_set(&batch, in, 0);\n aes_nohw_transpose(&batch);\n aes_nohw_sub_bytes(&batch);\n aes_nohw_transpose(&batch);\n aes_nohw_batch_get(&batch, out, 0);\n}\n\nstatic void aes_nohw_setup_key_128(AES_KEY *key, const uint8_t in[16]) {\n key->rounds = 10;\n\n aes_word_t block[AES_NOHW_BLOCK_WORDS];\n aes_nohw_compact_block(block, in);\n memcpy(key->rd_key, block, 16);\n\n for (size_t i = 1; i <= 10; i++) {\n aes_word_t sub[AES_NOHW_BLOCK_WORDS];\n aes_nohw_sub_block(sub, block);\n uint8_t rcon = aes_nohw_rcon[i - 1];\n for (size_t j = 0; j < AES_NOHW_BLOCK_WORDS; j++) {\n // Incorporate |rcon| and the transformed word into the first word.\n block[j] = aes_nohw_xor(block[j], aes_nohw_rcon_slice(rcon, j));\n block[j] = aes_nohw_xor(\n block[j],\n aes_nohw_shift_right(aes_nohw_rotate_rows_down(sub[j]), 12));\n // Propagate to the remaining words. Note this is reordered from the usual\n // formulation to avoid needing masks.\n aes_word_t v = block[j];\n block[j] = aes_nohw_xor(block[j], aes_nohw_shift_left(v, 4));\n block[j] = aes_nohw_xor(block[j], aes_nohw_shift_left(v, 8));\n block[j] = aes_nohw_xor(block[j], aes_nohw_shift_left(v, 12));\n }\n memcpy(key->rd_key + 4 * i, block, 16);\n }\n}\n\nstatic void aes_nohw_setup_key_192(AES_KEY *key, const uint8_t in[24]) {\n key->rounds = 12;\n\n aes_word_t storage1[AES_NOHW_BLOCK_WORDS], storage2[AES_NOHW_BLOCK_WORDS];\n aes_word_t *block1 = storage1, *block2 = storage2;\n\n // AES-192's key schedule is complex because each key schedule iteration\n // produces six words, but we compute on blocks and each block is four words.\n // We maintain a sliding window of two blocks, filled to 1.5 blocks at a time.\n // We loop below every three blocks or two key schedule iterations.\n //\n // On entry to the loop, |block1| and the first half of |block2| contain the\n // previous key schedule iteration. |block1| has been written to |key|, but\n // |block2| has not as it is incomplete.\n aes_nohw_compact_block(block1, in);\n memcpy(key->rd_key, block1, 16);\n\n uint8_t half_block[16] = {0};\n memcpy(half_block, in + 16, 8);\n aes_nohw_compact_block(block2, half_block);\n\n for (size_t i = 0; i < 4; i++) {\n aes_word_t sub[AES_NOHW_BLOCK_WORDS];\n aes_nohw_sub_block(sub, block2);\n uint8_t rcon = aes_nohw_rcon[2 * i];\n for (size_t j = 0; j < AES_NOHW_BLOCK_WORDS; j++) {\n // Compute the first two words of the next key schedule iteration, which\n // go in the second half of |block2|. The first two words of the previous\n // iteration are in the first half of |block1|. Apply |rcon| here too\n // because the shifts match.\n block2[j] = aes_nohw_or(\n block2[j],\n aes_nohw_shift_left(\n aes_nohw_xor(block1[j], aes_nohw_rcon_slice(rcon, j)), 8));\n // Incorporate the transformed word and propagate. Note the last word of\n // the previous iteration corresponds to the second word of |copy|. This\n // is incorporated into the first word of the next iteration, or the third\n // word of |block2|.\n block2[j] = aes_nohw_xor(\n block2[j], aes_nohw_and(aes_nohw_shift_left(\n aes_nohw_rotate_rows_down(sub[j]), 4),\n AES_NOHW_COL2_MASK));\n block2[j] = aes_nohw_xor(\n block2[j],\n aes_nohw_and(aes_nohw_shift_left(block2[j], 4), AES_NOHW_COL3_MASK));\n\n // Compute the remaining four words, which fill |block1|. Begin by moving\n // the corresponding words of the previous iteration: the second half of\n // |block1| and the first half of |block2|.\n block1[j] = aes_nohw_shift_right(block1[j], 8);\n block1[j] = aes_nohw_or(block1[j], aes_nohw_shift_left(block2[j], 8));\n // Incorporate the second word, computed previously in |block2|, and\n // propagate.\n block1[j] = aes_nohw_xor(block1[j], aes_nohw_shift_right(block2[j], 12));\n aes_word_t v = block1[j];\n block1[j] = aes_nohw_xor(block1[j], aes_nohw_shift_left(v, 4));\n block1[j] = aes_nohw_xor(block1[j], aes_nohw_shift_left(v, 8));\n block1[j] = aes_nohw_xor(block1[j], aes_nohw_shift_left(v, 12));\n }\n\n // This completes two round keys. Note half of |block2| was computed in the\n // previous loop iteration but was not yet output.\n memcpy(key->rd_key + 4 * (3 * i + 1), block2, 16);\n memcpy(key->rd_key + 4 * (3 * i + 2), block1, 16);\n\n aes_nohw_sub_block(sub, block1);\n rcon = aes_nohw_rcon[2 * i + 1];\n for (size_t j = 0; j < AES_NOHW_BLOCK_WORDS; j++) {\n // Compute the first four words of the next key schedule iteration in\n // |block2|. Begin by moving the corresponding words of the previous\n // iteration: the second half of |block2| and the first half of |block1|.\n block2[j] = aes_nohw_shift_right(block2[j], 8);\n block2[j] = aes_nohw_or(block2[j], aes_nohw_shift_left(block1[j], 8));\n // Incorporate rcon and the transformed word. Note the last word of the\n // previous iteration corresponds to the last word of |copy|.\n block2[j] = aes_nohw_xor(block2[j], aes_nohw_rcon_slice(rcon, j));\n block2[j] = aes_nohw_xor(\n block2[j],\n aes_nohw_shift_right(aes_nohw_rotate_rows_down(sub[j]), 12));\n // Propagate to the remaining words.\n aes_word_t v = block2[j];\n block2[j] = aes_nohw_xor(block2[j], aes_nohw_shift_left(v, 4));\n block2[j] = aes_nohw_xor(block2[j], aes_nohw_shift_left(v, 8));\n block2[j] = aes_nohw_xor(block2[j], aes_nohw_shift_left(v, 12));\n\n // Compute the last two words, which go in the first half of |block1|. The\n // last two words of the previous iteration are in the second half of\n // |block1|.\n block1[j] = aes_nohw_shift_right(block1[j], 8);\n // Propagate blocks and mask off the excess.\n block1[j] = aes_nohw_xor(block1[j], aes_nohw_shift_right(block2[j], 12));\n block1[j] = aes_nohw_xor(block1[j], aes_nohw_shift_left(block1[j], 4));\n block1[j] = aes_nohw_and(block1[j], AES_NOHW_COL01_MASK);\n }\n\n // |block2| has a complete round key. |block1| will be completed in the next\n // iteration.\n memcpy(key->rd_key + 4 * (3 * i + 3), block2, 16);\n\n // Swap blocks to restore the invariant.\n aes_word_t *tmp = block1;\n block1 = block2;\n block2 = tmp;\n }\n}\n\nstatic void aes_nohw_setup_key_256(AES_KEY *key, const uint8_t in[32]) {\n key->rounds = 14;\n\n // Each key schedule iteration produces two round keys.\n aes_word_t block1[AES_NOHW_BLOCK_WORDS], block2[AES_NOHW_BLOCK_WORDS];\n aes_nohw_compact_block(block1, in);\n memcpy(key->rd_key, block1, 16);\n\n aes_nohw_compact_block(block2, in + 16);\n memcpy(key->rd_key + 4, block2, 16);\n\n for (size_t i = 2; i <= 14; i += 2) {\n aes_word_t sub[AES_NOHW_BLOCK_WORDS];\n aes_nohw_sub_block(sub, block2);\n uint8_t rcon = aes_nohw_rcon[i / 2 - 1];\n for (size_t j = 0; j < AES_NOHW_BLOCK_WORDS; j++) {\n // Incorporate |rcon| and the transformed word into the first word.\n block1[j] = aes_nohw_xor(block1[j], aes_nohw_rcon_slice(rcon, j));\n block1[j] = aes_nohw_xor(\n block1[j],\n aes_nohw_shift_right(aes_nohw_rotate_rows_down(sub[j]), 12));\n // Propagate to the remaining words.\n aes_word_t v = block1[j];\n block1[j] = aes_nohw_xor(block1[j], aes_nohw_shift_left(v, 4));\n block1[j] = aes_nohw_xor(block1[j], aes_nohw_shift_left(v, 8));\n block1[j] = aes_nohw_xor(block1[j], aes_nohw_shift_left(v, 12));\n }\n memcpy(key->rd_key + 4 * i, block1, 16);\n\n if (i == 14) {\n break;\n }\n\n aes_nohw_sub_block(sub, block1);\n for (size_t j = 0; j < AES_NOHW_BLOCK_WORDS; j++) {\n // Incorporate the transformed word into the first word.\n block2[j] = aes_nohw_xor(block2[j], aes_nohw_shift_right(sub[j], 12));\n // Propagate to the remaining words.\n aes_word_t v = block2[j];\n block2[j] = aes_nohw_xor(block2[j], aes_nohw_shift_left(v, 4));\n block2[j] = aes_nohw_xor(block2[j], aes_nohw_shift_left(v, 8));\n block2[j] = aes_nohw_xor(block2[j], aes_nohw_shift_left(v, 12));\n }\n memcpy(key->rd_key + 4 * (i + 1), block2, 16);\n }\n}\n\n\n// External API.\n\nint aes_nohw_set_encrypt_key(const uint8_t *key, unsigned bits,\n AES_KEY *aeskey) {\n switch (bits) {\n case 128:\n aes_nohw_setup_key_128(aeskey, key);\n return 0;\n case 192:\n aes_nohw_setup_key_192(aeskey, key);\n return 0;\n case 256:\n aes_nohw_setup_key_256(aeskey, key);\n return 0;\n }\n return 1;\n}\n\nint aes_nohw_set_decrypt_key(const uint8_t *key, unsigned bits,\n AES_KEY *aeskey) {\n return aes_nohw_set_encrypt_key(key, bits, aeskey);\n}\n\nvoid aes_nohw_encrypt(const uint8_t *in, uint8_t *out, const AES_KEY *key) {\n AES_NOHW_SCHEDULE sched;\n aes_nohw_expand_round_keys(&sched, key);\n AES_NOHW_BATCH batch;\n aes_nohw_to_batch(&batch, in, /*num_blocks=*/1);\n aes_nohw_encrypt_batch(&sched, key->rounds, &batch);\n aes_nohw_from_batch(out, /*num_blocks=*/1, &batch);\n}\n\nvoid aes_nohw_decrypt(const uint8_t *in, uint8_t *out, const AES_KEY *key) {\n AES_NOHW_SCHEDULE sched;\n aes_nohw_expand_round_keys(&sched, key);\n AES_NOHW_BATCH batch;\n aes_nohw_to_batch(&batch, in, /*num_blocks=*/1);\n aes_nohw_decrypt_batch(&sched, key->rounds, &batch);\n aes_nohw_from_batch(out, /*num_blocks=*/1, &batch);\n}\n\nstatic inline void aes_nohw_xor_block(uint8_t out[16], const uint8_t a[16],\n const uint8_t b[16]) {\n for (size_t i = 0; i < 16; i += sizeof(aes_word_t)) {\n aes_word_t x, y;\n memcpy(&x, a + i, sizeof(aes_word_t));\n memcpy(&y, b + i, sizeof(aes_word_t));\n x = aes_nohw_xor(x, y);\n memcpy(out + i, &x, sizeof(aes_word_t));\n }\n}\n\nvoid aes_nohw_ctr32_encrypt_blocks(const uint8_t *in, uint8_t *out,\n size_t blocks, const AES_KEY *key,\n const uint8_t ivec[16]) {\n if (blocks == 0) {\n return;\n }\n\n AES_NOHW_SCHEDULE sched;\n aes_nohw_expand_round_keys(&sched, key);\n\n // Make |AES_NOHW_BATCH_SIZE| copies of |ivec|.\n alignas(AES_NOHW_WORD_SIZE) uint8_t ivs[AES_NOHW_BATCH_SIZE * 16];\n alignas(AES_NOHW_WORD_SIZE) uint8_t enc_ivs[AES_NOHW_BATCH_SIZE * 16];\n for (size_t i = 0; i < AES_NOHW_BATCH_SIZE; i++) {\n memcpy(ivs + 16 * i, ivec, 16);\n }\n\n uint32_t ctr = CRYPTO_load_u32_be(ivs + 12);\n for (;;) {\n // Update counters.\n for (size_t i = 0; i < AES_NOHW_BATCH_SIZE; i++) {\n CRYPTO_store_u32_be(ivs + 16 * i + 12, ctr + (uint32_t)i);\n }\n\n size_t todo = blocks >= AES_NOHW_BATCH_SIZE ? AES_NOHW_BATCH_SIZE : blocks;\n AES_NOHW_BATCH batch;\n aes_nohw_to_batch(&batch, ivs, todo);\n aes_nohw_encrypt_batch(&sched, key->rounds, &batch);\n aes_nohw_from_batch(enc_ivs, todo, &batch);\n\n for (size_t i = 0; i < todo; i++) {\n aes_nohw_xor_block(out + 16 * i, in + 16 * i, enc_ivs + 16 * i);\n }\n\n blocks -= todo;\n if (blocks == 0) {\n break;\n }\n\n in += 16 * AES_NOHW_BATCH_SIZE;\n out += 16 * AES_NOHW_BATCH_SIZE;\n ctr += AES_NOHW_BATCH_SIZE;\n }\n}\n\nvoid aes_nohw_cbc_encrypt(const uint8_t *in, uint8_t *out, size_t len,\n const AES_KEY *key, uint8_t *ivec, const int enc) {\n assert(len % 16 == 0);\n size_t blocks = len / 16;\n if (blocks == 0) {\n return;\n }\n\n AES_NOHW_SCHEDULE sched;\n aes_nohw_expand_round_keys(&sched, key);\n alignas(AES_NOHW_WORD_SIZE) uint8_t iv[16];\n memcpy(iv, ivec, 16);\n\n if (enc) {\n // CBC encryption is not parallelizable.\n while (blocks > 0) {\n aes_nohw_xor_block(iv, iv, in);\n\n AES_NOHW_BATCH batch;\n aes_nohw_to_batch(&batch, iv, /*num_blocks=*/1);\n aes_nohw_encrypt_batch(&sched, key->rounds, &batch);\n aes_nohw_from_batch(out, /*num_blocks=*/1, &batch);\n\n memcpy(iv, out, 16);\n\n in += 16;\n out += 16;\n blocks--;\n }\n memcpy(ivec, iv, 16);\n return;\n }\n\n for (;;) {\n size_t todo = blocks >= AES_NOHW_BATCH_SIZE ? AES_NOHW_BATCH_SIZE : blocks;\n // Make a copy of the input so we can decrypt in-place.\n alignas(AES_NOHW_WORD_SIZE) uint8_t copy[AES_NOHW_BATCH_SIZE * 16];\n memcpy(copy, in, todo * 16);\n\n AES_NOHW_BATCH batch;\n aes_nohw_to_batch(&batch, in, todo);\n aes_nohw_decrypt_batch(&sched, key->rounds, &batch);\n aes_nohw_from_batch(out, todo, &batch);\n\n aes_nohw_xor_block(out, out, iv);\n for (size_t i = 1; i < todo; i++) {\n aes_nohw_xor_block(out + 16 * i, out + 16 * i, copy + 16 * (i - 1));\n }\n\n // Save the last block as the IV.\n memcpy(iv, copy + 16 * (todo - 1), 16);\n\n blocks -= todo;\n if (blocks == 0) {\n break;\n }\n\n in += 16 * AES_NOHW_BATCH_SIZE;\n out += 16 * AES_NOHW_BATCH_SIZE;\n }\n\n memcpy(ivec, iv, 16);\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/fipsmodule/aes/cbc.cc.inc", "content": "/*\n * Copyright 2008-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n#include \n\n#include \"internal.h\"\n#include \"../../internal.h\"\n\n\nvoid CRYPTO_cbc128_encrypt(const uint8_t *in, uint8_t *out, size_t len,\n const AES_KEY *key, uint8_t ivec[16],\n block128_f block) {\n assert(key != NULL && ivec != NULL);\n if (len == 0) {\n // Avoid |ivec| == |iv| in the |memcpy| below, which is not legal in C.\n return;\n }\n\n assert(in != NULL && out != NULL);\n size_t n;\n const uint8_t *iv = ivec;\n while (len >= 16) {\n CRYPTO_xor16(out, in, iv);\n (*block)(out, out, key);\n iv = out;\n len -= 16;\n in += 16;\n out += 16;\n }\n\n while (len) {\n for (n = 0; n < 16 && n < len; ++n) {\n out[n] = in[n] ^ iv[n];\n }\n for (; n < 16; ++n) {\n out[n] = iv[n];\n }\n (*block)(out, out, key);\n iv = out;\n if (len <= 16) {\n break;\n }\n len -= 16;\n in += 16;\n out += 16;\n }\n\n OPENSSL_memcpy(ivec, iv, 16);\n}\n\nvoid CRYPTO_cbc128_decrypt(const uint8_t *in, uint8_t *out, size_t len,\n const AES_KEY *key, uint8_t ivec[16],\n block128_f block) {\n assert(key != NULL && ivec != NULL);\n if (len == 0) {\n // Avoid |ivec| == |iv| in the |memcpy| below, which is not legal in C.\n return;\n }\n\n assert(in != NULL && out != NULL);\n\n const uintptr_t inptr = (uintptr_t) in;\n const uintptr_t outptr = (uintptr_t) out;\n // If |in| and |out| alias, |in| must be ahead.\n assert(inptr >= outptr || inptr + len <= outptr);\n\n size_t n;\n alignas(16) uint8_t tmp[16];\n if ((inptr >= 32 && outptr <= inptr - 32) || inptr < outptr) {\n // If |out| is at least two blocks behind |in| or completely disjoint, there\n // is no need to decrypt to a temporary block.\n const uint8_t *iv = ivec;\n while (len >= 16) {\n (*block)(in, out, key);\n CRYPTO_xor16(out, out, iv);\n iv = in;\n len -= 16;\n in += 16;\n out += 16;\n }\n OPENSSL_memcpy(ivec, iv, 16);\n } else {\n static_assert(16 % sizeof(crypto_word_t) == 0,\n \"block cannot be evenly divided into words\");\n\n while (len >= 16) {\n (*block)(in, tmp, key);\n for (n = 0; n < 16; n += sizeof(crypto_word_t)) {\n crypto_word_t c = CRYPTO_load_word_le(in + n);\n CRYPTO_store_word_le(out + n, CRYPTO_load_word_le(tmp + n) ^\n CRYPTO_load_word_le(ivec + n));\n CRYPTO_store_word_le(ivec + n, c);\n }\n len -= 16;\n in += 16;\n out += 16;\n }\n }\n\n while (len) {\n uint8_t c;\n (*block)(in, tmp, key);\n for (n = 0; n < 16 && n < len; ++n) {\n c = in[n];\n out[n] = tmp[n] ^ ivec[n];\n ivec[n] = c;\n }\n if (len <= 16) {\n for (; n < 16; ++n) {\n ivec[n] = in[n];\n }\n break;\n }\n len -= 16;\n in += 16;\n out += 16;\n }\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/fipsmodule/aes/cfb.cc.inc", "content": "/*\n * Copyright 2008-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n#include \n\n#include \"internal.h\"\n\n\nstatic_assert(16 % sizeof(size_t) == 0, \"block cannot be divided into size_t\");\n\nvoid CRYPTO_cfb128_encrypt(const uint8_t *in, uint8_t *out, size_t len,\n const AES_KEY *key, uint8_t ivec[16], unsigned *num,\n int enc, block128_f block) {\n assert(in && out && key && ivec && num);\n\n unsigned n = *num;\n\n if (enc) {\n while (n && len) {\n *(out++) = ivec[n] ^= *(in++);\n --len;\n n = (n + 1) % 16;\n }\n while (len >= 16) {\n (*block)(ivec, ivec, key);\n for (; n < 16; n += sizeof(crypto_word_t)) {\n crypto_word_t tmp =\n CRYPTO_load_word_le(ivec + n) ^ CRYPTO_load_word_le(in + n);\n CRYPTO_store_word_le(ivec + n, tmp);\n CRYPTO_store_word_le(out + n, tmp);\n }\n len -= 16;\n out += 16;\n in += 16;\n n = 0;\n }\n if (len) {\n (*block)(ivec, ivec, key);\n while (len--) {\n out[n] = ivec[n] ^= in[n];\n ++n;\n }\n }\n *num = n;\n return;\n } else {\n while (n && len) {\n uint8_t c;\n *(out++) = ivec[n] ^ (c = *(in++));\n ivec[n] = c;\n --len;\n n = (n + 1) % 16;\n }\n while (len >= 16) {\n (*block)(ivec, ivec, key);\n for (; n < 16; n += sizeof(crypto_word_t)) {\n crypto_word_t t = CRYPTO_load_word_le(in + n);\n CRYPTO_store_word_le(out + n, CRYPTO_load_word_le(ivec + n) ^ t);\n CRYPTO_store_word_le(ivec + n, t);\n }\n len -= 16;\n out += 16;\n in += 16;\n n = 0;\n }\n if (len) {\n (*block)(ivec, ivec, key);\n while (len--) {\n uint8_t c;\n out[n] = ivec[n] ^ (c = in[n]);\n ivec[n] = c;\n ++n;\n }\n }\n *num = n;\n return;\n }\n}\n\n\n/* This expects a single block of size nbits for both in and out. Note that\n it corrupts any extra bits in the last byte of out */\nstatic void cfbr_encrypt_block(const uint8_t *in, uint8_t *out, unsigned nbits,\n const AES_KEY *key, uint8_t ivec[16], int enc,\n block128_f block) {\n int n, rem, num;\n uint8_t ovec[16 * 2 + 1]; /* +1 because we dererefence (but don't use) one\n byte off the end */\n\n if (nbits <= 0 || nbits > 128) {\n return;\n }\n\n // fill in the first half of the new IV with the current IV\n OPENSSL_memcpy(ovec, ivec, 16);\n // construct the new IV\n (*block)(ivec, ivec, key);\n num = (nbits + 7) / 8;\n if (enc) {\n // encrypt the input\n for (n = 0; n < num; ++n) {\n out[n] = (ovec[16 + n] = in[n] ^ ivec[n]);\n }\n } else {\n // decrypt the input\n for (n = 0; n < num; ++n) {\n out[n] = (ovec[16 + n] = in[n]) ^ ivec[n];\n }\n }\n // shift ovec left...\n rem = nbits % 8;\n num = nbits / 8;\n if (rem == 0) {\n OPENSSL_memcpy(ivec, ovec + num, 16);\n } else {\n for (n = 0; n < 16; ++n) {\n ivec[n] = ovec[n + num] << rem | ovec[n + num + 1] >> (8 - rem);\n }\n }\n\n // it is not necessary to cleanse ovec, since the IV is not secret\n}\n\n// N.B. This expects the input to be packed, MS bit first\nvoid CRYPTO_cfb128_1_encrypt(const uint8_t *in, uint8_t *out, size_t bits,\n const AES_KEY *key, uint8_t ivec[16],\n unsigned *num, int enc, block128_f block) {\n size_t n;\n uint8_t c[1], d[1];\n\n assert(in && out && key && ivec && num);\n assert(*num == 0);\n\n for (n = 0; n < bits; ++n) {\n c[0] = (in[n / 8] & (1 << (7 - n % 8))) ? 0x80 : 0;\n cfbr_encrypt_block(c, d, 1, key, ivec, enc, block);\n out[n / 8] = (out[n / 8] & ~(1 << (unsigned int)(7 - n % 8))) |\n ((d[0] & 0x80) >> (unsigned int)(n % 8));\n }\n}\n\nvoid CRYPTO_cfb128_8_encrypt(const unsigned char *in, unsigned char *out,\n size_t length, const AES_KEY *key,\n unsigned char ivec[16], unsigned *num, int enc,\n block128_f block) {\n size_t n;\n\n assert(in && out && key && ivec && num);\n assert(*num == 0);\n\n for (n = 0; n < length; ++n) {\n cfbr_encrypt_block(&in[n], &out[n], 8, key, ivec, enc, block);\n }\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/fipsmodule/aes/ctr.cc.inc", "content": "/*\n * Copyright 2008-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n#include \n\n#include \"internal.h\"\n#include \"../../internal.h\"\n\n\nstatic_assert(16 % sizeof(crypto_word_t) == 0,\n \"block cannot be divided into crypto_word_t\");\n\n// increment upper 96 bits of 128-bit counter by 1\nstatic void ctr96_inc(uint8_t *counter) {\n uint32_t n = 12, c = 1;\n\n do {\n --n;\n c += counter[n];\n counter[n] = (uint8_t) c;\n c >>= 8;\n } while (n);\n}\n\nvoid CRYPTO_ctr128_encrypt_ctr32(const uint8_t *in, uint8_t *out, size_t len,\n const AES_KEY *key, uint8_t ivec[16],\n uint8_t ecount_buf[16], unsigned int *num,\n ctr128_f func) {\n unsigned int n, ctr32;\n\n assert(key && ecount_buf && num);\n assert(len == 0 || (in && out));\n assert(*num < 16);\n\n n = *num;\n\n while (n && len) {\n *(out++) = *(in++) ^ ecount_buf[n];\n --len;\n n = (n + 1) % 16;\n }\n\n ctr32 = CRYPTO_load_u32_be(ivec + 12);\n while (len >= 16) {\n size_t blocks = len / 16;\n // 1<<28 is just a not-so-small yet not-so-large number...\n // Below condition is practically never met, but it has to\n // be checked for code correctness.\n if (sizeof(size_t) > sizeof(unsigned int) && blocks > (1U << 28)) {\n blocks = (1U << 28);\n }\n // As (*func) operates on 32-bit counter, caller\n // has to handle overflow. 'if' below detects the\n // overflow, which is then handled by limiting the\n // amount of blocks to the exact overflow point...\n ctr32 += (uint32_t)blocks;\n if (ctr32 < blocks) {\n blocks -= ctr32;\n ctr32 = 0;\n }\n (*func)(in, out, blocks, key, ivec);\n // (*func) does not update ivec, caller does:\n CRYPTO_store_u32_be(ivec + 12, ctr32);\n // ... overflow was detected, propogate carry.\n if (ctr32 == 0) {\n ctr96_inc(ivec);\n }\n blocks *= 16;\n len -= blocks;\n out += blocks;\n in += blocks;\n }\n if (len) {\n OPENSSL_memset(ecount_buf, 0, 16);\n (*func)(ecount_buf, ecount_buf, 1, key, ivec);\n ++ctr32;\n CRYPTO_store_u32_be(ivec + 12, ctr32);\n if (ctr32 == 0) {\n ctr96_inc(ivec);\n }\n while (len--) {\n out[n] = in[n] ^ ecount_buf[n];\n ++n;\n }\n }\n\n *num = n;\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/fipsmodule/aes/gcm.cc.inc", "content": "/*\n * Copyright 2010-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n\n#include \n\n#include \"../../internal.h\"\n#include \"../aes/internal.h\"\n#include \"internal.h\"\n\n\n// kSizeTWithoutLower4Bits is a mask that can be used to zero the lower four\n// bits of a |size_t|.\nstatic const size_t kSizeTWithoutLower4Bits = (size_t) -16;\n\n\n#define GCM_MUL(key, ctx, Xi) gcm_gmult_nohw((ctx)->Xi, (key)->Htable)\n#define GHASH(key, ctx, in, len) \\\n gcm_ghash_nohw((ctx)->Xi, (key)->Htable, in, len)\n// GHASH_CHUNK is \"stride parameter\" missioned to mitigate cache\n// trashing effect. In other words idea is to hash data while it's\n// still in L1 cache after encryption pass...\n#define GHASH_CHUNK (3 * 1024)\n\n#if defined(GHASH_ASM_X86_64) || defined(GHASH_ASM_X86)\nstatic inline void gcm_reduce_1bit(u128 *V) {\n if (sizeof(crypto_word_t) == 8) {\n uint64_t T = UINT64_C(0xe100000000000000) & (0 - (V->hi & 1));\n V->hi = (V->lo << 63) | (V->hi >> 1);\n V->lo = (V->lo >> 1) ^ T;\n } else {\n uint32_t T = 0xe1000000U & (0 - (uint32_t)(V->hi & 1));\n V->hi = (V->lo << 63) | (V->hi >> 1);\n V->lo = (V->lo >> 1) ^ ((uint64_t)T << 32);\n }\n}\n\nvoid gcm_init_ssse3(u128 Htable[16], const uint64_t H[2]) {\n Htable[0].hi = 0;\n Htable[0].lo = 0;\n u128 V;\n V.hi = H[1];\n V.lo = H[0];\n\n Htable[8] = V;\n gcm_reduce_1bit(&V);\n Htable[4] = V;\n gcm_reduce_1bit(&V);\n Htable[2] = V;\n gcm_reduce_1bit(&V);\n Htable[1] = V;\n Htable[3].hi = V.hi ^ Htable[2].hi, Htable[3].lo = V.lo ^ Htable[2].lo;\n V = Htable[4];\n Htable[5].hi = V.hi ^ Htable[1].hi, Htable[5].lo = V.lo ^ Htable[1].lo;\n Htable[6].hi = V.hi ^ Htable[2].hi, Htable[6].lo = V.lo ^ Htable[2].lo;\n Htable[7].hi = V.hi ^ Htable[3].hi, Htable[7].lo = V.lo ^ Htable[3].lo;\n V = Htable[8];\n Htable[9].hi = V.hi ^ Htable[1].hi, Htable[9].lo = V.lo ^ Htable[1].lo;\n Htable[10].hi = V.hi ^ Htable[2].hi, Htable[10].lo = V.lo ^ Htable[2].lo;\n Htable[11].hi = V.hi ^ Htable[3].hi, Htable[11].lo = V.lo ^ Htable[3].lo;\n Htable[12].hi = V.hi ^ Htable[4].hi, Htable[12].lo = V.lo ^ Htable[4].lo;\n Htable[13].hi = V.hi ^ Htable[5].hi, Htable[13].lo = V.lo ^ Htable[5].lo;\n Htable[14].hi = V.hi ^ Htable[6].hi, Htable[14].lo = V.lo ^ Htable[6].lo;\n Htable[15].hi = V.hi ^ Htable[7].hi, Htable[15].lo = V.lo ^ Htable[7].lo;\n\n // Treat |Htable| as a 16x16 byte table and transpose it. Thus, Htable[i]\n // contains the i'th byte of j*H for all j.\n uint8_t *Hbytes = (uint8_t *)Htable;\n for (int i = 0; i < 16; i++) {\n for (int j = 0; j < i; j++) {\n uint8_t tmp = Hbytes[16*i + j];\n Hbytes[16*i + j] = Hbytes[16*j + i];\n Hbytes[16*j + i] = tmp;\n }\n }\n}\n#endif // GHASH_ASM_X86_64 || GHASH_ASM_X86\n\n#ifdef GCM_FUNCREF\n#undef GCM_MUL\n#define GCM_MUL(key, ctx, Xi) (*gcm_gmult_p)((ctx)->Xi, (key)->Htable)\n#undef GHASH\n#define GHASH(key, ctx, in, len) \\\n (*gcm_ghash_p)((ctx)->Xi, (key)->Htable, in, len)\n#endif // GCM_FUNCREF\n\n#if defined(HW_GCM) && defined(OPENSSL_X86_64)\nstatic size_t hw_gcm_encrypt(const uint8_t *in, uint8_t *out, size_t len,\n const AES_KEY *key, uint8_t ivec[16],\n uint8_t Xi[16], const u128 Htable[16],\n enum gcm_impl_t impl) {\n switch (impl) {\n case gcm_x86_vaes_avx2:\n len &= kSizeTWithoutLower4Bits;\n aes_gcm_enc_update_vaes_avx2(in, out, len, key, ivec, Htable, Xi);\n CRYPTO_store_u32_be(&ivec[12], CRYPTO_load_u32_be(&ivec[12]) + len / 16);\n return len;\n case gcm_x86_vaes_avx10_512:\n len &= kSizeTWithoutLower4Bits;\n aes_gcm_enc_update_vaes_avx10_512(in, out, len, key, ivec, Htable, Xi);\n CRYPTO_store_u32_be(&ivec[12], CRYPTO_load_u32_be(&ivec[12]) + len / 16);\n return len;\n default:\n return aesni_gcm_encrypt(in, out, len, key, ivec, Htable, Xi);\n }\n}\n\nstatic size_t hw_gcm_decrypt(const uint8_t *in, uint8_t *out, size_t len,\n const AES_KEY *key, uint8_t ivec[16],\n uint8_t Xi[16], const u128 Htable[16],\n enum gcm_impl_t impl) {\n switch (impl) {\n case gcm_x86_vaes_avx2:\n len &= kSizeTWithoutLower4Bits;\n aes_gcm_dec_update_vaes_avx2(in, out, len, key, ivec, Htable, Xi);\n CRYPTO_store_u32_be(&ivec[12], CRYPTO_load_u32_be(&ivec[12]) + len / 16);\n return len;\n case gcm_x86_vaes_avx10_512:\n len &= kSizeTWithoutLower4Bits;\n aes_gcm_dec_update_vaes_avx10_512(in, out, len, key, ivec, Htable, Xi);\n CRYPTO_store_u32_be(&ivec[12], CRYPTO_load_u32_be(&ivec[12]) + len / 16);\n return len;\n default:\n return aesni_gcm_decrypt(in, out, len, key, ivec, Htable, Xi);\n }\n}\n#endif // HW_GCM && X86_64\n\n#if defined(HW_GCM) && defined(OPENSSL_AARCH64)\n\nstatic size_t hw_gcm_encrypt(const uint8_t *in, uint8_t *out, size_t len,\n const AES_KEY *key, uint8_t ivec[16],\n uint8_t Xi[16], const u128 Htable[16],\n enum gcm_impl_t impl) {\n const size_t len_blocks = len & kSizeTWithoutLower4Bits;\n if (!len_blocks) {\n return 0;\n }\n aes_gcm_enc_kernel(in, len_blocks * 8, out, Xi, ivec, key, Htable);\n return len_blocks;\n}\n\nstatic size_t hw_gcm_decrypt(const uint8_t *in, uint8_t *out, size_t len,\n const AES_KEY *key, uint8_t ivec[16],\n uint8_t Xi[16], const u128 Htable[16],\n enum gcm_impl_t impl) {\n const size_t len_blocks = len & kSizeTWithoutLower4Bits;\n if (!len_blocks) {\n return 0;\n }\n aes_gcm_dec_kernel(in, len_blocks * 8, out, Xi, ivec, key, Htable);\n return len_blocks;\n}\n\n#endif // HW_GCM && AARCH64\n\nvoid CRYPTO_ghash_init(gmult_func *out_mult, ghash_func *out_hash,\n u128 out_table[16], const uint8_t gcm_key[16]) {\n // H is passed to |gcm_init_*| as a pair of byte-swapped, 64-bit values.\n uint64_t H[2] = {CRYPTO_load_u64_be(gcm_key),\n CRYPTO_load_u64_be(gcm_key + 8)};\n\n#if defined(GHASH_ASM_X86_64)\n if (crypto_gcm_clmul_enabled()) {\n if (CRYPTO_is_VPCLMULQDQ_capable() && CRYPTO_is_AVX2_capable()) {\n if (CRYPTO_is_AVX512BW_capable() && CRYPTO_is_AVX512VL_capable() &&\n CRYPTO_is_BMI2_capable() && !CRYPTO_cpu_avoid_zmm_registers()) {\n gcm_init_vpclmulqdq_avx10_512(out_table, H);\n *out_mult = gcm_gmult_vpclmulqdq_avx10;\n *out_hash = gcm_ghash_vpclmulqdq_avx10_512;\n return;\n }\n gcm_init_vpclmulqdq_avx2(out_table, H);\n *out_mult = gcm_gmult_vpclmulqdq_avx2;\n *out_hash = gcm_ghash_vpclmulqdq_avx2;\n return;\n }\n if (CRYPTO_is_AVX_capable() && CRYPTO_is_MOVBE_capable()) {\n gcm_init_avx(out_table, H);\n *out_mult = gcm_gmult_avx;\n *out_hash = gcm_ghash_avx;\n return;\n }\n gcm_init_clmul(out_table, H);\n *out_mult = gcm_gmult_clmul;\n *out_hash = gcm_ghash_clmul;\n return;\n }\n if (CRYPTO_is_SSSE3_capable()) {\n gcm_init_ssse3(out_table, H);\n *out_mult = gcm_gmult_ssse3;\n *out_hash = gcm_ghash_ssse3;\n return;\n }\n#elif defined(GHASH_ASM_X86)\n if (crypto_gcm_clmul_enabled()) {\n gcm_init_clmul(out_table, H);\n *out_mult = gcm_gmult_clmul;\n *out_hash = gcm_ghash_clmul;\n return;\n }\n if (CRYPTO_is_SSSE3_capable()) {\n gcm_init_ssse3(out_table, H);\n *out_mult = gcm_gmult_ssse3;\n *out_hash = gcm_ghash_ssse3;\n return;\n }\n#elif defined(GHASH_ASM_ARM)\n if (gcm_pmull_capable()) {\n gcm_init_v8(out_table, H);\n *out_mult = gcm_gmult_v8;\n *out_hash = gcm_ghash_v8;\n return;\n }\n\n if (gcm_neon_capable()) {\n gcm_init_neon(out_table, H);\n *out_mult = gcm_gmult_neon;\n *out_hash = gcm_ghash_neon;\n return;\n }\n#endif\n\n gcm_init_nohw(out_table, H);\n *out_mult = gcm_gmult_nohw;\n *out_hash = gcm_ghash_nohw;\n}\n\nvoid CRYPTO_gcm128_init_aes_key(GCM128_KEY *gcm_key, const uint8_t *key,\n size_t key_bytes) {\n switch (key_bytes) {\n case 16:\n boringssl_fips_inc_counter(fips_counter_evp_aes_128_gcm);\n break;\n\n case 32:\n boringssl_fips_inc_counter(fips_counter_evp_aes_256_gcm);\n break;\n }\n\n OPENSSL_memset(gcm_key, 0, sizeof(*gcm_key));\n int is_hwaes;\n gcm_key->ctr = aes_ctr_set_key(&gcm_key->aes, &is_hwaes, &gcm_key->block, key,\n key_bytes);\n\n uint8_t ghash_key[16];\n OPENSSL_memset(ghash_key, 0, sizeof(ghash_key));\n gcm_key->block(ghash_key, ghash_key, &gcm_key->aes);\n\n CRYPTO_ghash_init(&gcm_key->gmult, &gcm_key->ghash, gcm_key->Htable,\n ghash_key);\n\n#if !defined(OPENSSL_NO_ASM)\n#if defined(OPENSSL_X86_64)\n if (gcm_key->ghash == gcm_ghash_vpclmulqdq_avx10_512 &&\n CRYPTO_is_VAES_capable()) {\n gcm_key->impl = gcm_x86_vaes_avx10_512;\n } else if (gcm_key->ghash == gcm_ghash_vpclmulqdq_avx2 &&\n CRYPTO_is_VAES_capable()) {\n gcm_key->impl = gcm_x86_vaes_avx2;\n } else if (gcm_key->ghash == gcm_ghash_avx && is_hwaes) {\n gcm_key->impl = gcm_x86_aesni;\n }\n#elif defined(OPENSSL_AARCH64)\n if (gcm_pmull_capable() && is_hwaes) {\n gcm_key->impl = gcm_arm64_aes;\n }\n#endif\n#endif\n}\n\nvoid CRYPTO_gcm128_init_ctx(const GCM128_KEY *key, GCM128_CONTEXT *ctx,\n const uint8_t *iv, size_t iv_len) {\n#ifdef GCM_FUNCREF\n void (*gcm_gmult_p)(uint8_t Xi[16], const u128 Htable[16]) = key->gmult;\n#endif\n\n OPENSSL_memset(&ctx->Yi, 0, sizeof(ctx->Yi));\n OPENSSL_memset(&ctx->Xi, 0, sizeof(ctx->Xi));\n ctx->len.aad = 0;\n ctx->len.msg = 0;\n ctx->ares = 0;\n ctx->mres = 0;\n\n uint32_t ctr;\n if (iv_len == 12) {\n OPENSSL_memcpy(ctx->Yi, iv, 12);\n ctx->Yi[15] = 1;\n ctr = 1;\n } else {\n uint64_t len0 = iv_len;\n\n while (iv_len >= 16) {\n CRYPTO_xor16(ctx->Yi, ctx->Yi, iv);\n GCM_MUL(key, ctx, Yi);\n iv += 16;\n iv_len -= 16;\n }\n if (iv_len) {\n for (size_t i = 0; i < iv_len; ++i) {\n ctx->Yi[i] ^= iv[i];\n }\n GCM_MUL(key, ctx, Yi);\n }\n\n uint8_t len_block[16];\n OPENSSL_memset(len_block, 0, 8);\n CRYPTO_store_u64_be(len_block + 8, len0 << 3);\n CRYPTO_xor16(ctx->Yi, ctx->Yi, len_block);\n\n GCM_MUL(key, ctx, Yi);\n ctr = CRYPTO_load_u32_be(ctx->Yi + 12);\n }\n\n key->block(ctx->Yi, ctx->EK0, &key->aes);\n ++ctr;\n CRYPTO_store_u32_be(ctx->Yi + 12, ctr);\n}\n\nint CRYPTO_gcm128_aad(const GCM128_KEY *key, GCM128_CONTEXT *ctx,\n const uint8_t *aad, size_t aad_len) {\n#ifdef GCM_FUNCREF\n void (*gcm_gmult_p)(uint8_t Xi[16], const u128 Htable[16]) = key->gmult;\n void (*gcm_ghash_p)(uint8_t Xi[16], const u128 Htable[16], const uint8_t *inp,\n size_t len) = key->ghash;\n#endif\n\n if (ctx->len.msg != 0) {\n // The caller must have finished the AAD before providing other input.\n return 0;\n }\n\n uint64_t alen = ctx->len.aad + aad_len;\n if (alen > (UINT64_C(1) << 61) || (sizeof(aad_len) == 8 && alen < aad_len)) {\n return 0;\n }\n ctx->len.aad = alen;\n\n unsigned n = ctx->ares;\n if (n) {\n while (n && aad_len) {\n ctx->Xi[n] ^= *(aad++);\n --aad_len;\n n = (n + 1) % 16;\n }\n if (n == 0) {\n GCM_MUL(key, ctx, Xi);\n } else {\n ctx->ares = n;\n return 1;\n }\n }\n\n // Process a whole number of blocks.\n size_t len_blocks = aad_len & kSizeTWithoutLower4Bits;\n if (len_blocks != 0) {\n GHASH(key, ctx, aad, len_blocks);\n aad += len_blocks;\n aad_len -= len_blocks;\n }\n\n // Process the remainder.\n if (aad_len != 0) {\n n = (unsigned int)aad_len;\n for (size_t i = 0; i < aad_len; ++i) {\n ctx->Xi[i] ^= aad[i];\n }\n }\n\n ctx->ares = n;\n return 1;\n}\n\nint CRYPTO_gcm128_encrypt(const GCM128_KEY *key, GCM128_CONTEXT *ctx,\n const uint8_t *in, uint8_t *out, size_t len) {\n#ifdef GCM_FUNCREF\n void (*gcm_gmult_p)(uint8_t Xi[16], const u128 Htable[16]) = key->gmult;\n void (*gcm_ghash_p)(uint8_t Xi[16], const u128 Htable[16], const uint8_t *inp,\n size_t len) = key->ghash;\n#endif\n\n uint64_t mlen = ctx->len.msg + len;\n if (mlen > ((UINT64_C(1) << 36) - 32) ||\n (sizeof(len) == 8 && mlen < len)) {\n return 0;\n }\n ctx->len.msg = mlen;\n\n if (ctx->ares) {\n // First call to encrypt finalizes GHASH(AAD)\n GCM_MUL(key, ctx, Xi);\n ctx->ares = 0;\n }\n\n unsigned n = ctx->mres;\n if (n) {\n while (n && len) {\n ctx->Xi[n] ^= *(out++) = *(in++) ^ ctx->EKi[n];\n --len;\n n = (n + 1) % 16;\n }\n if (n == 0) {\n GCM_MUL(key, ctx, Xi);\n } else {\n ctx->mres = n;\n return 1;\n }\n }\n\n#if defined(HW_GCM)\n // Check |len| to work around a C language bug. See https://crbug.com/1019588.\n if (key->impl != gcm_separate && len > 0) {\n // |hw_gcm_encrypt| may not process all the input given to it. It may\n // not process *any* of its input if it is deemed too small.\n size_t bulk = hw_gcm_encrypt(in, out, len, &key->aes, ctx->Yi, ctx->Xi,\n key->Htable, key->impl);\n in += bulk;\n out += bulk;\n len -= bulk;\n }\n#endif\n\n uint32_t ctr = CRYPTO_load_u32_be(ctx->Yi + 12);\n ctr128_f stream = key->ctr;\n while (len >= GHASH_CHUNK) {\n (*stream)(in, out, GHASH_CHUNK / 16, &key->aes, ctx->Yi);\n ctr += GHASH_CHUNK / 16;\n CRYPTO_store_u32_be(ctx->Yi + 12, ctr);\n GHASH(key, ctx, out, GHASH_CHUNK);\n out += GHASH_CHUNK;\n in += GHASH_CHUNK;\n len -= GHASH_CHUNK;\n }\n\n size_t len_blocks = len & kSizeTWithoutLower4Bits;\n if (len_blocks != 0) {\n size_t j = len_blocks / 16;\n (*stream)(in, out, j, &key->aes, ctx->Yi);\n ctr += (uint32_t)j;\n CRYPTO_store_u32_be(ctx->Yi + 12, ctr);\n in += len_blocks;\n len -= len_blocks;\n GHASH(key, ctx, out, len_blocks);\n out += len_blocks;\n }\n\n if (len) {\n key->block(ctx->Yi, ctx->EKi, &key->aes);\n ++ctr;\n CRYPTO_store_u32_be(ctx->Yi + 12, ctr);\n while (len--) {\n ctx->Xi[n] ^= out[n] = in[n] ^ ctx->EKi[n];\n ++n;\n }\n }\n\n ctx->mres = n;\n return 1;\n}\n\nint CRYPTO_gcm128_decrypt(const GCM128_KEY *key, GCM128_CONTEXT *ctx,\n const uint8_t *in, uint8_t *out, size_t len) {\n#ifdef GCM_FUNCREF\n void (*gcm_gmult_p)(uint8_t Xi[16], const u128 Htable[16]) = key->gmult;\n void (*gcm_ghash_p)(uint8_t Xi[16], const u128 Htable[16], const uint8_t *inp,\n size_t len) = key->ghash;\n#endif\n\n uint64_t mlen = ctx->len.msg + len;\n if (mlen > ((UINT64_C(1) << 36) - 32) ||\n (sizeof(len) == 8 && mlen < len)) {\n return 0;\n }\n ctx->len.msg = mlen;\n\n if (ctx->ares) {\n // First call to decrypt finalizes GHASH(AAD)\n GCM_MUL(key, ctx, Xi);\n ctx->ares = 0;\n }\n\n unsigned n = ctx->mres;\n if (n) {\n while (n && len) {\n uint8_t c = *(in++);\n *(out++) = c ^ ctx->EKi[n];\n ctx->Xi[n] ^= c;\n --len;\n n = (n + 1) % 16;\n }\n if (n == 0) {\n GCM_MUL(key, ctx, Xi);\n } else {\n ctx->mres = n;\n return 1;\n }\n }\n\n#if defined(HW_GCM)\n // Check |len| to work around a C language bug. See https://crbug.com/1019588.\n if (key->impl != gcm_separate && len > 0) {\n // |hw_gcm_decrypt| may not process all the input given to it. It may\n // not process *any* of its input if it is deemed too small.\n size_t bulk = hw_gcm_decrypt(in, out, len, &key->aes, ctx->Yi, ctx->Xi,\n key->Htable, key->impl);\n in += bulk;\n out += bulk;\n len -= bulk;\n }\n#endif\n\n uint32_t ctr = CRYPTO_load_u32_be(ctx->Yi + 12);\n ctr128_f stream = key->ctr;\n while (len >= GHASH_CHUNK) {\n GHASH(key, ctx, in, GHASH_CHUNK);\n (*stream)(in, out, GHASH_CHUNK / 16, &key->aes, ctx->Yi);\n ctr += GHASH_CHUNK / 16;\n CRYPTO_store_u32_be(ctx->Yi + 12, ctr);\n out += GHASH_CHUNK;\n in += GHASH_CHUNK;\n len -= GHASH_CHUNK;\n }\n\n size_t len_blocks = len & kSizeTWithoutLower4Bits;\n if (len_blocks != 0) {\n size_t j = len_blocks / 16;\n GHASH(key, ctx, in, len_blocks);\n (*stream)(in, out, j, &key->aes, ctx->Yi);\n ctr += (uint32_t)j;\n CRYPTO_store_u32_be(ctx->Yi + 12, ctr);\n out += len_blocks;\n in += len_blocks;\n len -= len_blocks;\n }\n\n if (len) {\n key->block(ctx->Yi, ctx->EKi, &key->aes);\n ++ctr;\n CRYPTO_store_u32_be(ctx->Yi + 12, ctr);\n while (len--) {\n uint8_t c = in[n];\n ctx->Xi[n] ^= c;\n out[n] = c ^ ctx->EKi[n];\n ++n;\n }\n }\n\n ctx->mres = n;\n return 1;\n}\n\nint CRYPTO_gcm128_finish(const GCM128_KEY *key, GCM128_CONTEXT *ctx,\n const uint8_t *tag, size_t len) {\n#ifdef GCM_FUNCREF\n void (*gcm_gmult_p)(uint8_t Xi[16], const u128 Htable[16]) = key->gmult;\n#endif\n\n if (ctx->mres || ctx->ares) {\n GCM_MUL(key, ctx, Xi);\n }\n\n uint8_t len_block[16];\n CRYPTO_store_u64_be(len_block, ctx->len.aad << 3);\n CRYPTO_store_u64_be(len_block + 8, ctx->len.msg << 3);\n CRYPTO_xor16(ctx->Xi, ctx->Xi, len_block);\n GCM_MUL(key, ctx, Xi);\n CRYPTO_xor16(ctx->Xi, ctx->Xi, ctx->EK0);\n\n if (tag && len <= sizeof(ctx->Xi)) {\n return CRYPTO_memcmp(ctx->Xi, tag, len) == 0;\n } else {\n return 0;\n }\n}\n\nvoid CRYPTO_gcm128_tag(const GCM128_KEY *key, GCM128_CONTEXT *ctx, uint8_t *tag,\n size_t len) {\n CRYPTO_gcm128_finish(key, ctx, NULL, 0);\n OPENSSL_memcpy(tag, ctx->Xi, len <= sizeof(ctx->Xi) ? len : sizeof(ctx->Xi));\n}\n\n#if defined(OPENSSL_X86) || defined(OPENSSL_X86_64)\nint crypto_gcm_clmul_enabled(void) {\n#if defined(GHASH_ASM_X86) || defined(GHASH_ASM_X86_64)\n return CRYPTO_is_FXSR_capable() && CRYPTO_is_PCLMUL_capable();\n#else\n return 0;\n#endif\n}\n#endif\n" }, { "path": "Sources/CNIOBoringSSL/crypto/fipsmodule/aes/gcm_nohw.cc.inc", "content": "/* Copyright 2019 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n#include \n\n#include \"../../internal.h\"\n#include \"internal.h\"\n\n#if !defined(BORINGSSL_HAS_UINT128) && defined(OPENSSL_SSE2)\n#include \n#endif\n\n\n// This file contains a constant-time implementation of GHASH based on the notes\n// in https://bearssl.org/constanttime.html#ghash-for-gcm and the reduction\n// algorithm described in\n// https://crypto.stanford.edu/RealWorldCrypto/slides/gueron.pdf.\n//\n// Unlike the BearSSL notes, we use uint128_t in the 64-bit implementation. Our\n// primary compilers (clang, clang-cl, and gcc) all support it. MSVC will run\n// the 32-bit implementation, but we can use its intrinsics if necessary.\n\n#if defined(BORINGSSL_HAS_UINT128)\n\nstatic void gcm_mul64_nohw(uint64_t *out_lo, uint64_t *out_hi, uint64_t a,\n uint64_t b) {\n // One term every four bits means the largest term is 64/4 = 16, which barely\n // overflows into the next term. Using one term every five bits would cost 25\n // multiplications instead of 16. It is faster to mask off the bottom four\n // bits of |a|, giving a largest term of 60/4 = 15, and apply the bottom bits\n // separately.\n uint64_t a0 = a & UINT64_C(0x1111111111111110);\n uint64_t a1 = a & UINT64_C(0x2222222222222220);\n uint64_t a2 = a & UINT64_C(0x4444444444444440);\n uint64_t a3 = a & UINT64_C(0x8888888888888880);\n\n uint64_t b0 = b & UINT64_C(0x1111111111111111);\n uint64_t b1 = b & UINT64_C(0x2222222222222222);\n uint64_t b2 = b & UINT64_C(0x4444444444444444);\n uint64_t b3 = b & UINT64_C(0x8888888888888888);\n\n uint128_t c0 = (a0 * (uint128_t)b0) ^ (a1 * (uint128_t)b3) ^\n (a2 * (uint128_t)b2) ^ (a3 * (uint128_t)b1);\n uint128_t c1 = (a0 * (uint128_t)b1) ^ (a1 * (uint128_t)b0) ^\n (a2 * (uint128_t)b3) ^ (a3 * (uint128_t)b2);\n uint128_t c2 = (a0 * (uint128_t)b2) ^ (a1 * (uint128_t)b1) ^\n (a2 * (uint128_t)b0) ^ (a3 * (uint128_t)b3);\n uint128_t c3 = (a0 * (uint128_t)b3) ^ (a1 * (uint128_t)b2) ^\n (a2 * (uint128_t)b1) ^ (a3 * (uint128_t)b0);\n\n // Multiply the bottom four bits of |a| with |b|.\n uint64_t a0_mask = UINT64_C(0) - (a & 1);\n uint64_t a1_mask = UINT64_C(0) - ((a >> 1) & 1);\n uint64_t a2_mask = UINT64_C(0) - ((a >> 2) & 1);\n uint64_t a3_mask = UINT64_C(0) - ((a >> 3) & 1);\n uint128_t extra = (a0_mask & b) ^ ((uint128_t)(a1_mask & b) << 1) ^\n ((uint128_t)(a2_mask & b) << 2) ^\n ((uint128_t)(a3_mask & b) << 3);\n\n *out_lo = (((uint64_t)c0) & UINT64_C(0x1111111111111111)) ^\n (((uint64_t)c1) & UINT64_C(0x2222222222222222)) ^\n (((uint64_t)c2) & UINT64_C(0x4444444444444444)) ^\n (((uint64_t)c3) & UINT64_C(0x8888888888888888)) ^ ((uint64_t)extra);\n *out_hi = (((uint64_t)(c0 >> 64)) & UINT64_C(0x1111111111111111)) ^\n (((uint64_t)(c1 >> 64)) & UINT64_C(0x2222222222222222)) ^\n (((uint64_t)(c2 >> 64)) & UINT64_C(0x4444444444444444)) ^\n (((uint64_t)(c3 >> 64)) & UINT64_C(0x8888888888888888)) ^\n ((uint64_t)(extra >> 64));\n}\n\n#elif defined(OPENSSL_SSE2)\n\nstatic __m128i gcm_mul32_nohw(uint32_t a, uint32_t b) {\n // One term every four bits means the largest term is 32/4 = 8, which does not\n // overflow into the next term.\n __m128i aa = _mm_setr_epi32(a, 0, a, 0);\n __m128i bb = _mm_setr_epi32(b, 0, b, 0);\n\n __m128i a0a0 =\n _mm_and_si128(aa, _mm_setr_epi32(0x11111111, 0, 0x11111111, 0));\n __m128i a2a2 =\n _mm_and_si128(aa, _mm_setr_epi32(0x44444444, 0, 0x44444444, 0));\n __m128i b0b1 =\n _mm_and_si128(bb, _mm_setr_epi32(0x11111111, 0, 0x22222222, 0));\n __m128i b2b3 =\n _mm_and_si128(bb, _mm_setr_epi32(0x44444444, 0, 0x88888888, 0));\n\n __m128i c0c1 =\n _mm_xor_si128(_mm_mul_epu32(a0a0, b0b1), _mm_mul_epu32(a2a2, b2b3));\n __m128i c2c3 =\n _mm_xor_si128(_mm_mul_epu32(a2a2, b0b1), _mm_mul_epu32(a0a0, b2b3));\n\n __m128i a1a1 =\n _mm_and_si128(aa, _mm_setr_epi32(0x22222222, 0, 0x22222222, 0));\n __m128i a3a3 =\n _mm_and_si128(aa, _mm_setr_epi32(0x88888888, 0, 0x88888888, 0));\n __m128i b3b0 =\n _mm_and_si128(bb, _mm_setr_epi32(0x88888888, 0, 0x11111111, 0));\n __m128i b1b2 =\n _mm_and_si128(bb, _mm_setr_epi32(0x22222222, 0, 0x44444444, 0));\n\n c0c1 = _mm_xor_si128(c0c1, _mm_mul_epu32(a1a1, b3b0));\n c0c1 = _mm_xor_si128(c0c1, _mm_mul_epu32(a3a3, b1b2));\n c2c3 = _mm_xor_si128(c2c3, _mm_mul_epu32(a3a3, b3b0));\n c2c3 = _mm_xor_si128(c2c3, _mm_mul_epu32(a1a1, b1b2));\n\n c0c1 = _mm_and_si128(\n c0c1, _mm_setr_epi32(0x11111111, 0x11111111, 0x22222222, 0x22222222));\n c2c3 = _mm_and_si128(\n c2c3, _mm_setr_epi32(0x44444444, 0x44444444, 0x88888888, 0x88888888));\n\n c0c1 = _mm_xor_si128(c0c1, c2c3);\n // c0 ^= c1\n c0c1 = _mm_xor_si128(c0c1, _mm_srli_si128(c0c1, 8));\n return c0c1;\n}\n\nstatic void gcm_mul64_nohw(uint64_t *out_lo, uint64_t *out_hi, uint64_t a,\n uint64_t b) {\n uint32_t a0 = a & 0xffffffff;\n uint32_t a1 = a >> 32;\n uint32_t b0 = b & 0xffffffff;\n uint32_t b1 = b >> 32;\n // Karatsuba multiplication.\n __m128i lo = gcm_mul32_nohw(a0, b0);\n __m128i hi = gcm_mul32_nohw(a1, b1);\n __m128i mid = gcm_mul32_nohw(a0 ^ a1, b0 ^ b1);\n mid = _mm_xor_si128(mid, lo);\n mid = _mm_xor_si128(mid, hi);\n __m128i ret = _mm_unpacklo_epi64(lo, hi);\n mid = _mm_slli_si128(mid, 4);\n mid = _mm_and_si128(mid, _mm_setr_epi32(0, 0xffffffff, 0xffffffff, 0));\n ret = _mm_xor_si128(ret, mid);\n memcpy(out_lo, &ret, 8);\n memcpy(out_hi, ((char*)&ret) + 8, 8);\n}\n\n#else // !BORINGSSL_HAS_UINT128 && !OPENSSL_SSE2\n\nstatic uint64_t gcm_mul32_nohw(uint32_t a, uint32_t b) {\n // One term every four bits means the largest term is 32/4 = 8, which does not\n // overflow into the next term.\n uint32_t a0 = a & 0x11111111;\n uint32_t a1 = a & 0x22222222;\n uint32_t a2 = a & 0x44444444;\n uint32_t a3 = a & 0x88888888;\n\n uint32_t b0 = b & 0x11111111;\n uint32_t b1 = b & 0x22222222;\n uint32_t b2 = b & 0x44444444;\n uint32_t b3 = b & 0x88888888;\n\n uint64_t c0 = (a0 * (uint64_t)b0) ^ (a1 * (uint64_t)b3) ^\n (a2 * (uint64_t)b2) ^ (a3 * (uint64_t)b1);\n uint64_t c1 = (a0 * (uint64_t)b1) ^ (a1 * (uint64_t)b0) ^\n (a2 * (uint64_t)b3) ^ (a3 * (uint64_t)b2);\n uint64_t c2 = (a0 * (uint64_t)b2) ^ (a1 * (uint64_t)b1) ^\n (a2 * (uint64_t)b0) ^ (a3 * (uint64_t)b3);\n uint64_t c3 = (a0 * (uint64_t)b3) ^ (a1 * (uint64_t)b2) ^\n (a2 * (uint64_t)b1) ^ (a3 * (uint64_t)b0);\n\n return (c0 & UINT64_C(0x1111111111111111)) |\n (c1 & UINT64_C(0x2222222222222222)) |\n (c2 & UINT64_C(0x4444444444444444)) |\n (c3 & UINT64_C(0x8888888888888888));\n}\n\nstatic void gcm_mul64_nohw(uint64_t *out_lo, uint64_t *out_hi, uint64_t a,\n uint64_t b) {\n uint32_t a0 = a & 0xffffffff;\n uint32_t a1 = a >> 32;\n uint32_t b0 = b & 0xffffffff;\n uint32_t b1 = b >> 32;\n // Karatsuba multiplication.\n uint64_t lo = gcm_mul32_nohw(a0, b0);\n uint64_t hi = gcm_mul32_nohw(a1, b1);\n uint64_t mid = gcm_mul32_nohw(a0 ^ a1, b0 ^ b1) ^ lo ^ hi;\n *out_lo = lo ^ (mid << 32);\n *out_hi = hi ^ (mid >> 32);\n}\n\n#endif // BORINGSSL_HAS_UINT128\n\nvoid gcm_init_nohw(u128 Htable[16], const uint64_t Xi[2]) {\n // We implement GHASH in terms of POLYVAL, as described in RFC 8452. This\n // avoids a shift by 1 in the multiplication, needed to account for bit\n // reversal losing a bit after multiplication, that is,\n // rev128(X) * rev128(Y) = rev255(X*Y).\n //\n // Per Appendix A, we run mulX_POLYVAL. Note this is the same transformation\n // applied by |gcm_init_clmul|, etc. Note |Xi| has already been byteswapped.\n //\n // See also slide 16 of\n // https://crypto.stanford.edu/RealWorldCrypto/slides/gueron.pdf\n Htable[0].lo = Xi[1];\n Htable[0].hi = Xi[0];\n\n uint64_t carry = Htable[0].hi >> 63;\n carry = 0u - carry;\n\n Htable[0].hi <<= 1;\n Htable[0].hi |= Htable[0].lo >> 63;\n Htable[0].lo <<= 1;\n\n // The irreducible polynomial is 1 + x^121 + x^126 + x^127 + x^128, so we\n // conditionally add 0xc200...0001.\n Htable[0].lo ^= carry & 1;\n Htable[0].hi ^= carry & UINT64_C(0xc200000000000000);\n\n // This implementation does not use the rest of |Htable|.\n}\n\nstatic void gcm_polyval_nohw(uint64_t Xi[2], const u128 *H) {\n // Karatsuba multiplication. The product of |Xi| and |H| is stored in |r0|\n // through |r3|. Note there is no byte or bit reversal because we are\n // evaluating POLYVAL.\n uint64_t r0, r1;\n gcm_mul64_nohw(&r0, &r1, Xi[0], H->lo);\n uint64_t r2, r3;\n gcm_mul64_nohw(&r2, &r3, Xi[1], H->hi);\n uint64_t mid0, mid1;\n gcm_mul64_nohw(&mid0, &mid1, Xi[0] ^ Xi[1], H->hi ^ H->lo);\n mid0 ^= r0 ^ r2;\n mid1 ^= r1 ^ r3;\n r2 ^= mid1;\n r1 ^= mid0;\n\n // Now we multiply our 256-bit result by x^-128 and reduce. |r2| and\n // |r3| shifts into position and we must multiply |r0| and |r1| by x^-128. We\n // have:\n //\n // 1 = x^121 + x^126 + x^127 + x^128\n // x^-128 = x^-7 + x^-2 + x^-1 + 1\n //\n // This is the GHASH reduction step, but with bits flowing in reverse.\n\n // The x^-7, x^-2, and x^-1 terms shift bits past x^0, which would require\n // another reduction steps. Instead, we gather the excess bits, incorporate\n // them into |r0| and |r1| and reduce once. See slides 17-19\n // of https://crypto.stanford.edu/RealWorldCrypto/slides/gueron.pdf.\n r1 ^= (r0 << 63) ^ (r0 << 62) ^ (r0 << 57);\n\n // 1\n r2 ^= r0;\n r3 ^= r1;\n\n // x^-1\n r2 ^= r0 >> 1;\n r2 ^= r1 << 63;\n r3 ^= r1 >> 1;\n\n // x^-2\n r2 ^= r0 >> 2;\n r2 ^= r1 << 62;\n r3 ^= r1 >> 2;\n\n // x^-7\n r2 ^= r0 >> 7;\n r2 ^= r1 << 57;\n r3 ^= r1 >> 7;\n\n Xi[0] = r2;\n Xi[1] = r3;\n}\n\nvoid gcm_gmult_nohw(uint8_t Xi[16], const u128 Htable[16]) {\n uint64_t swapped[2];\n swapped[0] = CRYPTO_load_u64_be(Xi + 8);\n swapped[1] = CRYPTO_load_u64_be(Xi);\n gcm_polyval_nohw(swapped, &Htable[0]);\n CRYPTO_store_u64_be(Xi, swapped[1]);\n CRYPTO_store_u64_be(Xi + 8, swapped[0]);\n}\n\nvoid gcm_ghash_nohw(uint8_t Xi[16], const u128 Htable[16], const uint8_t *inp,\n size_t len) {\n uint64_t swapped[2];\n swapped[0] = CRYPTO_load_u64_be(Xi + 8);\n swapped[1] = CRYPTO_load_u64_be(Xi);\n\n while (len >= 16) {\n swapped[0] ^= CRYPTO_load_u64_be(inp + 8);\n swapped[1] ^= CRYPTO_load_u64_be(inp);\n gcm_polyval_nohw(swapped, &Htable[0]);\n inp += 16;\n len -= 16;\n }\n\n CRYPTO_store_u64_be(Xi, swapped[1]);\n CRYPTO_store_u64_be(Xi + 8, swapped[0]);\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/fipsmodule/aes/internal.h", "content": "/* Copyright 2017 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n#ifndef OPENSSL_HEADER_AES_INTERNAL_H\n#define OPENSSL_HEADER_AES_INTERNAL_H\n\n#include \n\n#include \n\n#include \"../../internal.h\"\n\nextern \"C\" {\n\n\n// block128_f is the type of an AES block cipher implementation.\n//\n// Unlike upstream OpenSSL, it and the other functions in this file hard-code\n// |AES_KEY|. It is undefined in C to call a function pointer with anything\n// other than the original type. Thus we either must match |block128_f| to the\n// type signature of |AES_encrypt| and friends or pass in |void*| wrapper\n// functions.\n//\n// These functions are called exclusively with AES, so we use the former.\ntypedef void (*block128_f)(const uint8_t in[16], uint8_t out[16],\n const AES_KEY *key);\n\n// ctr128_f is the type of a function that performs CTR-mode encryption.\ntypedef void (*ctr128_f)(const uint8_t *in, uint8_t *out, size_t blocks,\n const AES_KEY *key, const uint8_t ivec[16]);\n\n// aes_ctr_set_key initialises |*aes_key| using |key_bytes| bytes from |key|,\n// where |key_bytes| must either be 16, 24 or 32. If not NULL, |*out_block| is\n// set to a function that encrypts single blocks. If not NULL, |*out_is_hwaes|\n// is set to whether the hardware AES implementation was used. It returns a\n// function for optimised CTR-mode.\nctr128_f aes_ctr_set_key(AES_KEY *aes_key, int *out_is_hwaes,\n block128_f *out_block, const uint8_t *key,\n size_t key_bytes);\n\n\n// AES implementations.\n\n#if !defined(OPENSSL_NO_ASM)\n\n#if defined(OPENSSL_X86) || defined(OPENSSL_X86_64)\n#define HWAES\n#define HWAES_ECB\n\ninline int hwaes_capable(void) { return CRYPTO_is_AESNI_capable(); }\n\n#define VPAES\n#define VPAES_CBC\ninline int vpaes_capable(void) { return CRYPTO_is_SSSE3_capable(); }\n\n#elif defined(OPENSSL_ARM) || defined(OPENSSL_AARCH64)\n#define HWAES\n\ninline int hwaes_capable(void) { return CRYPTO_is_ARMv8_AES_capable(); }\n\n#if defined(OPENSSL_ARM)\n#define BSAES\n#define VPAES\ninline int bsaes_capable(void) { return CRYPTO_is_NEON_capable(); }\ninline int vpaes_capable(void) { return CRYPTO_is_NEON_capable(); }\n#endif\n\n#if defined(OPENSSL_AARCH64)\n#define VPAES\n#define VPAES_CBC\ninline int vpaes_capable(void) { return CRYPTO_is_NEON_capable(); }\n#endif\n\n#endif\n\n#endif // !NO_ASM\n\n\n#if defined(HWAES)\n\nint aes_hw_set_encrypt_key(const uint8_t *user_key, int bits, AES_KEY *key);\nint aes_hw_set_decrypt_key(const uint8_t *user_key, int bits, AES_KEY *key);\nvoid aes_hw_encrypt(const uint8_t *in, uint8_t *out, const AES_KEY *key);\nvoid aes_hw_decrypt(const uint8_t *in, uint8_t *out, const AES_KEY *key);\nvoid aes_hw_cbc_encrypt(const uint8_t *in, uint8_t *out, size_t length,\n const AES_KEY *key, uint8_t *ivec, int enc);\nvoid aes_hw_ctr32_encrypt_blocks(const uint8_t *in, uint8_t *out, size_t len,\n const AES_KEY *key, const uint8_t ivec[16]);\n\n#if defined(OPENSSL_X86) || defined(OPENSSL_X86_64)\n// On x86 and x86_64, |aes_hw_set_decrypt_key| is implemented in terms of\n// |aes_hw_set_encrypt_key| and a conversion function.\nvoid aes_hw_encrypt_key_to_decrypt_key(AES_KEY *key);\n\n// There are two variants of this function, one which uses aeskeygenassist\n// (\"base\") and one which uses aesenclast + pshufb (\"alt\"). aesenclast is\n// overall faster but is slower on some older processors. It doesn't use AVX,\n// but AVX is used as a proxy to detecting this. See\n// https://groups.google.com/g/mailing.openssl.dev/c/OuFXwW4NfO8/m/7d2ZXVjkxVkJ\n//\n// TODO(davidben): It is unclear if the aeskeygenassist version is still\n// worthwhile. However, the aesenclast version requires SSSE3. SSSE3 long\n// predates AES-NI, but it's not clear if AES-NI implies SSSE3. In OpenSSL, the\n// CCM AES-NI assembly seems to assume it does.\ninline int aes_hw_set_encrypt_key_alt_capable(void) {\n return hwaes_capable() && CRYPTO_is_SSSE3_capable();\n}\ninline int aes_hw_set_encrypt_key_alt_preferred(void) {\n return hwaes_capable() && CRYPTO_is_AVX_capable();\n}\nint aes_hw_set_encrypt_key_base(const uint8_t *user_key, int bits,\n AES_KEY *key);\nint aes_hw_set_encrypt_key_alt(const uint8_t *user_key, int bits, AES_KEY *key);\n#endif // OPENSSL_X86 || OPENSSL_X86_64\n\n#else\n\n// If HWAES isn't defined then we provide dummy functions for each of the hwaes\n// functions.\ninline int hwaes_capable(void) { return 0; }\n\ninline int aes_hw_set_encrypt_key(const uint8_t *user_key, int bits,\n AES_KEY *key) {\n abort();\n}\n\ninline int aes_hw_set_decrypt_key(const uint8_t *user_key, int bits,\n AES_KEY *key) {\n abort();\n}\n\ninline void aes_hw_encrypt(const uint8_t *in, uint8_t *out,\n const AES_KEY *key) {\n abort();\n}\n\ninline void aes_hw_decrypt(const uint8_t *in, uint8_t *out,\n const AES_KEY *key) {\n abort();\n}\n\ninline void aes_hw_cbc_encrypt(const uint8_t *in, uint8_t *out, size_t length,\n const AES_KEY *key, uint8_t *ivec, int enc) {\n abort();\n}\n\ninline void aes_hw_ctr32_encrypt_blocks(const uint8_t *in, uint8_t *out,\n size_t len, const AES_KEY *key,\n const uint8_t ivec[16]) {\n abort();\n}\n\n#endif // !HWAES\n\n\n#if defined(HWAES_ECB)\nvoid aes_hw_ecb_encrypt(const uint8_t *in, uint8_t *out, size_t length,\n const AES_KEY *key, int enc);\n#endif // HWAES_ECB\n\n\n#if defined(BSAES)\n// Note |bsaes_cbc_encrypt| requires |enc| to be zero.\nvoid bsaes_cbc_encrypt(const uint8_t *in, uint8_t *out, size_t length,\n const AES_KEY *key, uint8_t ivec[16], int enc);\nvoid bsaes_ctr32_encrypt_blocks(const uint8_t *in, uint8_t *out, size_t len,\n const AES_KEY *key, const uint8_t ivec[16]);\n// VPAES to BSAES conversions are available on all BSAES platforms.\nvoid vpaes_encrypt_key_to_bsaes(AES_KEY *out_bsaes, const AES_KEY *vpaes);\nvoid vpaes_decrypt_key_to_bsaes(AES_KEY *out_bsaes, const AES_KEY *vpaes);\nvoid vpaes_ctr32_encrypt_blocks_with_bsaes(const uint8_t *in, uint8_t *out,\n size_t blocks, const AES_KEY *key,\n const uint8_t ivec[16]);\n#else\ninline int bsaes_capable(void) { return 0; }\n\n// On other platforms, bsaes_capable() will always return false and so the\n// following will never be called.\ninline void bsaes_cbc_encrypt(const uint8_t *in, uint8_t *out, size_t length,\n const AES_KEY *key, uint8_t ivec[16], int enc) {\n abort();\n}\n\ninline void bsaes_ctr32_encrypt_blocks(const uint8_t *in, uint8_t *out,\n size_t len, const AES_KEY *key,\n const uint8_t ivec[16]) {\n abort();\n}\n\ninline void vpaes_encrypt_key_to_bsaes(AES_KEY *out_bsaes,\n const AES_KEY *vpaes) {\n abort();\n}\n\ninline void vpaes_decrypt_key_to_bsaes(AES_KEY *out_bsaes,\n const AES_KEY *vpaes) {\n abort();\n}\n#endif // !BSAES\n\n\n#if defined(VPAES)\n// On platforms where VPAES gets defined (just above), then these functions are\n// provided by asm.\nint vpaes_set_encrypt_key(const uint8_t *userKey, int bits, AES_KEY *key);\nint vpaes_set_decrypt_key(const uint8_t *userKey, int bits, AES_KEY *key);\n\nvoid vpaes_encrypt(const uint8_t *in, uint8_t *out, const AES_KEY *key);\nvoid vpaes_decrypt(const uint8_t *in, uint8_t *out, const AES_KEY *key);\n\n#if defined(VPAES_CBC)\nvoid vpaes_cbc_encrypt(const uint8_t *in, uint8_t *out, size_t length,\n const AES_KEY *key, uint8_t *ivec, int enc);\n#endif\nvoid vpaes_ctr32_encrypt_blocks(const uint8_t *in, uint8_t *out, size_t len,\n const AES_KEY *key, const uint8_t ivec[16]);\n#else\ninline int vpaes_capable(void) { return 0; }\n\n// On other platforms, vpaes_capable() will always return false and so the\n// following will never be called.\ninline int vpaes_set_encrypt_key(const uint8_t *userKey, int bits,\n AES_KEY *key) {\n abort();\n}\ninline int vpaes_set_decrypt_key(const uint8_t *userKey, int bits,\n AES_KEY *key) {\n abort();\n}\ninline void vpaes_encrypt(const uint8_t *in, uint8_t *out, const AES_KEY *key) {\n abort();\n}\ninline void vpaes_decrypt(const uint8_t *in, uint8_t *out, const AES_KEY *key) {\n abort();\n}\ninline void vpaes_cbc_encrypt(const uint8_t *in, uint8_t *out, size_t length,\n const AES_KEY *key, uint8_t *ivec, int enc) {\n abort();\n}\ninline void vpaes_ctr32_encrypt_blocks(const uint8_t *in, uint8_t *out,\n size_t len, const AES_KEY *key,\n const uint8_t ivec[16]) {\n abort();\n}\n#endif // !VPAES\n\n\nint aes_nohw_set_encrypt_key(const uint8_t *key, unsigned bits,\n AES_KEY *aeskey);\nint aes_nohw_set_decrypt_key(const uint8_t *key, unsigned bits,\n AES_KEY *aeskey);\nvoid aes_nohw_encrypt(const uint8_t *in, uint8_t *out, const AES_KEY *key);\nvoid aes_nohw_decrypt(const uint8_t *in, uint8_t *out, const AES_KEY *key);\nvoid aes_nohw_ctr32_encrypt_blocks(const uint8_t *in, uint8_t *out,\n size_t blocks, const AES_KEY *key,\n const uint8_t ivec[16]);\nvoid aes_nohw_cbc_encrypt(const uint8_t *in, uint8_t *out, size_t len,\n const AES_KEY *key, uint8_t *ivec, int enc);\n\n// Modes\n\ninline void CRYPTO_xor16(uint8_t out[16], const uint8_t a[16],\n const uint8_t b[16]) {\n // TODO(davidben): Ideally we'd leave this to the compiler, which could use\n // vector registers, etc. But the compiler doesn't know that |in| and |out|\n // cannot partially alias. |restrict| is slightly two strict (we allow exact\n // aliasing), but perhaps in-place could be a separate function?\n static_assert(16 % sizeof(crypto_word_t) == 0,\n \"block cannot be evenly divided into words\");\n for (size_t i = 0; i < 16; i += sizeof(crypto_word_t)) {\n CRYPTO_store_word_le(\n out + i, CRYPTO_load_word_le(a + i) ^ CRYPTO_load_word_le(b + i));\n }\n}\n\n\n// CTR.\n\n// CRYPTO_ctr128_encrypt_ctr32 encrypts (or decrypts, it's the same in CTR mode)\n// |len| bytes from |in| to |out| using |block| in counter mode. There's no\n// requirement that |len| be a multiple of any value and any partial blocks are\n// stored in |ecount_buf| and |*num|, which must be zeroed before the initial\n// call. The counter is a 128-bit, big-endian value in |ivec| and is\n// incremented by this function. If the counter overflows, it wraps around.\n// |ctr| must be a function that performs CTR mode but only deals with the lower\n// 32 bits of the counter.\nvoid CRYPTO_ctr128_encrypt_ctr32(const uint8_t *in, uint8_t *out, size_t len,\n const AES_KEY *key, uint8_t ivec[16],\n uint8_t ecount_buf[16], unsigned *num,\n ctr128_f ctr);\n\n\n// GCM.\n//\n// This API differs from the upstream API slightly. The |GCM128_CONTEXT| does\n// not have a |key| pointer that points to the key as upstream's version does.\n// Instead, every function takes a |key| parameter. This way |GCM128_CONTEXT|\n// can be safely copied. Additionally, |gcm_key| is split into a separate\n// struct.\n\n// gcm_impl_t specifies an assembly implementation of AES-GCM.\nenum gcm_impl_t {\n gcm_separate = 0, // No combined AES-GCM, but may have AES-CTR and GHASH.\n gcm_x86_aesni,\n gcm_x86_vaes_avx2,\n gcm_x86_vaes_avx10_512,\n gcm_arm64_aes,\n};\n\ntypedef struct { uint64_t hi,lo; } u128;\n\n// gmult_func multiplies |Xi| by the GCM key and writes the result back to\n// |Xi|.\ntypedef void (*gmult_func)(uint8_t Xi[16], const u128 Htable[16]);\n\n// ghash_func repeatedly multiplies |Xi| by the GCM key and adds in blocks from\n// |inp|. The result is written back to |Xi| and the |len| argument must be a\n// multiple of 16.\ntypedef void (*ghash_func)(uint8_t Xi[16], const u128 Htable[16],\n const uint8_t *inp, size_t len);\n\ntypedef struct gcm128_key_st {\n u128 Htable[16];\n gmult_func gmult;\n ghash_func ghash;\n AES_KEY aes;\n\n ctr128_f ctr;\n block128_f block;\n enum gcm_impl_t impl;\n} GCM128_KEY;\n\n// GCM128_CONTEXT contains state for a single GCM operation. The structure\n// should be zero-initialized before use.\ntypedef struct {\n // The following 5 names follow names in GCM specification\n uint8_t Yi[16];\n uint8_t EKi[16];\n uint8_t EK0[16];\n struct {\n uint64_t aad;\n uint64_t msg;\n } len;\n uint8_t Xi[16];\n unsigned mres, ares;\n} GCM128_CONTEXT;\n\n#if defined(OPENSSL_X86) || defined(OPENSSL_X86_64)\n// crypto_gcm_clmul_enabled returns one if the CLMUL implementation of GCM is\n// used.\nint crypto_gcm_clmul_enabled(void);\n#endif\n\n// CRYPTO_ghash_init writes a precomputed table of powers of |gcm_key| to\n// |out_table| and sets |*out_mult| and |*out_hash| to (potentially hardware\n// accelerated) functions for performing operations in the GHASH field.\nvoid CRYPTO_ghash_init(gmult_func *out_mult, ghash_func *out_hash,\n u128 out_table[16], const uint8_t gcm_key[16]);\n\n// CRYPTO_gcm128_init_aes_key initialises |gcm_key| to with AES key |key|.\nvoid CRYPTO_gcm128_init_aes_key(GCM128_KEY *gcm_key, const uint8_t *key,\n size_t key_bytes);\n\n// CRYPTO_gcm128_init_ctx initializes |ctx| to encrypt with |key| and |iv|.\nvoid CRYPTO_gcm128_init_ctx(const GCM128_KEY *key, GCM128_CONTEXT *ctx,\n const uint8_t *iv, size_t iv_len);\n\n// CRYPTO_gcm128_aad adds to the authenticated data for an instance of GCM.\n// This must be called before and data is encrypted. |key| must be the same\n// value that was passed to |CRYPTO_gcm128_init_ctx|. It returns one on success\n// and zero otherwise.\nint CRYPTO_gcm128_aad(const GCM128_KEY *key, GCM128_CONTEXT *ctx,\n const uint8_t *aad, size_t aad_len);\n\n// CRYPTO_gcm128_encrypt encrypts |len| bytes from |in| to |out|. |key| must be\n// the same value that was passed to |CRYPTO_gcm128_init_ctx|. It returns one on\n// success and zero otherwise.\nint CRYPTO_gcm128_encrypt(const GCM128_KEY *key, GCM128_CONTEXT *ctx,\n const uint8_t *in, uint8_t *out, size_t len);\n\n// CRYPTO_gcm128_decrypt decrypts |len| bytes from |in| to |out|. |key| must be\n// the same value that was passed to |CRYPTO_gcm128_init_ctx|. It returns one on\n// success and zero otherwise.\nint CRYPTO_gcm128_decrypt(const GCM128_KEY *key, GCM128_CONTEXT *ctx,\n const uint8_t *in, uint8_t *out, size_t len);\n\n// CRYPTO_gcm128_finish calculates the authenticator and compares it against\n// |len| bytes of |tag|. |key| must be the same value that was passed to\n// |CRYPTO_gcm128_init_ctx|. It returns one on success and zero otherwise.\nint CRYPTO_gcm128_finish(const GCM128_KEY *key, GCM128_CONTEXT *ctx,\n const uint8_t *tag, size_t len);\n\n// CRYPTO_gcm128_tag calculates the authenticator and copies it into |tag|.\n// The minimum of |len| and 16 bytes are copied into |tag|. |key| must be the\n// same value that was passed to |CRYPTO_gcm128_init_ctx|.\nvoid CRYPTO_gcm128_tag(const GCM128_KEY *key, GCM128_CONTEXT *ctx, uint8_t *tag,\n size_t len);\n\n\n// GCM assembly.\n\nvoid gcm_init_nohw(u128 Htable[16], const uint64_t H[2]);\nvoid gcm_gmult_nohw(uint8_t Xi[16], const u128 Htable[16]);\nvoid gcm_ghash_nohw(uint8_t Xi[16], const u128 Htable[16], const uint8_t *inp,\n size_t len);\n\n#if !defined(OPENSSL_NO_ASM)\n\n#if defined(OPENSSL_X86) || defined(OPENSSL_X86_64)\n#define GCM_FUNCREF\nvoid gcm_init_clmul(u128 Htable[16], const uint64_t Xi[2]);\nvoid gcm_gmult_clmul(uint8_t Xi[16], const u128 Htable[16]);\nvoid gcm_ghash_clmul(uint8_t Xi[16], const u128 Htable[16], const uint8_t *inp,\n size_t len);\n\nvoid gcm_init_ssse3(u128 Htable[16], const uint64_t Xi[2]);\nvoid gcm_gmult_ssse3(uint8_t Xi[16], const u128 Htable[16]);\nvoid gcm_ghash_ssse3(uint8_t Xi[16], const u128 Htable[16], const uint8_t *in,\n size_t len);\n\n#if defined(OPENSSL_X86_64)\n#define GHASH_ASM_X86_64\nvoid gcm_init_avx(u128 Htable[16], const uint64_t Xi[2]);\nvoid gcm_gmult_avx(uint8_t Xi[16], const u128 Htable[16]);\nvoid gcm_ghash_avx(uint8_t Xi[16], const u128 Htable[16], const uint8_t *in,\n size_t len);\n\n#define HW_GCM\nsize_t aesni_gcm_encrypt(const uint8_t *in, uint8_t *out, size_t len,\n const AES_KEY *key, uint8_t ivec[16],\n const u128 Htable[16], uint8_t Xi[16]);\nsize_t aesni_gcm_decrypt(const uint8_t *in, uint8_t *out, size_t len,\n const AES_KEY *key, uint8_t ivec[16],\n const u128 Htable[16], uint8_t Xi[16]);\n\nvoid gcm_init_vpclmulqdq_avx2(u128 Htable[16], const uint64_t H[2]);\nvoid gcm_gmult_vpclmulqdq_avx2(uint8_t Xi[16], const u128 Htable[16]);\nvoid gcm_ghash_vpclmulqdq_avx2(uint8_t Xi[16], const u128 Htable[16],\n const uint8_t *in, size_t len);\nvoid aes_gcm_enc_update_vaes_avx2(const uint8_t *in, uint8_t *out, size_t len,\n const AES_KEY *key, const uint8_t ivec[16],\n const u128 Htable[16], uint8_t Xi[16]);\nvoid aes_gcm_dec_update_vaes_avx2(const uint8_t *in, uint8_t *out, size_t len,\n const AES_KEY *key, const uint8_t ivec[16],\n const u128 Htable[16], uint8_t Xi[16]);\n\nvoid gcm_init_vpclmulqdq_avx10_512(u128 Htable[16], const uint64_t H[2]);\nvoid gcm_gmult_vpclmulqdq_avx10(uint8_t Xi[16], const u128 Htable[16]);\nvoid gcm_ghash_vpclmulqdq_avx10_512(uint8_t Xi[16], const u128 Htable[16],\n const uint8_t *in, size_t len);\nvoid aes_gcm_enc_update_vaes_avx10_512(const uint8_t *in, uint8_t *out,\n size_t len, const AES_KEY *key,\n const uint8_t ivec[16],\n const u128 Htable[16], uint8_t Xi[16]);\nvoid aes_gcm_dec_update_vaes_avx10_512(const uint8_t *in, uint8_t *out,\n size_t len, const AES_KEY *key,\n const uint8_t ivec[16],\n const u128 Htable[16], uint8_t Xi[16]);\n\n#endif // OPENSSL_X86_64\n\n#if defined(OPENSSL_X86)\n#define GHASH_ASM_X86\n#endif // OPENSSL_X86\n\n#elif defined(OPENSSL_ARM) || defined(OPENSSL_AARCH64)\n\n#define GHASH_ASM_ARM\n#define GCM_FUNCREF\n\ninline int gcm_pmull_capable(void) { return CRYPTO_is_ARMv8_PMULL_capable(); }\n\nvoid gcm_init_v8(u128 Htable[16], const uint64_t H[2]);\nvoid gcm_gmult_v8(uint8_t Xi[16], const u128 Htable[16]);\nvoid gcm_ghash_v8(uint8_t Xi[16], const u128 Htable[16], const uint8_t *inp,\n size_t len);\n\ninline int gcm_neon_capable(void) { return CRYPTO_is_NEON_capable(); }\n\nvoid gcm_init_neon(u128 Htable[16], const uint64_t H[2]);\nvoid gcm_gmult_neon(uint8_t Xi[16], const u128 Htable[16]);\nvoid gcm_ghash_neon(uint8_t Xi[16], const u128 Htable[16], const uint8_t *inp,\n size_t len);\n\n#if defined(OPENSSL_AARCH64)\n#define HW_GCM\n// These functions are defined in aesv8-gcm-armv8.pl.\nvoid aes_gcm_enc_kernel(const uint8_t *in, uint64_t in_bits, void *out,\n void *Xi, uint8_t *ivec, const AES_KEY *key,\n const u128 Htable[16]);\nvoid aes_gcm_dec_kernel(const uint8_t *in, uint64_t in_bits, void *out,\n void *Xi, uint8_t *ivec, const AES_KEY *key,\n const u128 Htable[16]);\n#endif\n\n#endif\n#endif // OPENSSL_NO_ASM\n\n\n// CBC.\n\n// cbc128_f is the type of a function that performs CBC-mode encryption.\ntypedef void (*cbc128_f)(const uint8_t *in, uint8_t *out, size_t len,\n const AES_KEY *key, uint8_t ivec[16], int enc);\n\n// CRYPTO_cbc128_encrypt encrypts |len| bytes from |in| to |out| using the\n// given IV and block cipher in CBC mode. The input need not be a multiple of\n// 128 bits long, but the output will round up to the nearest 128 bit multiple,\n// zero padding the input if needed. The IV will be updated on return.\nvoid CRYPTO_cbc128_encrypt(const uint8_t *in, uint8_t *out, size_t len,\n const AES_KEY *key, uint8_t ivec[16],\n block128_f block);\n\n// CRYPTO_cbc128_decrypt decrypts |len| bytes from |in| to |out| using the\n// given IV and block cipher in CBC mode. If |len| is not a multiple of 128\n// bits then only that many bytes will be written, but a multiple of 128 bits\n// is always read from |in|. The IV will be updated on return.\nvoid CRYPTO_cbc128_decrypt(const uint8_t *in, uint8_t *out, size_t len,\n const AES_KEY *key, uint8_t ivec[16],\n block128_f block);\n\n\n// OFB.\n\n// CRYPTO_ofb128_encrypt encrypts (or decrypts, it's the same with OFB mode)\n// |len| bytes from |in| to |out| using |block| in OFB mode. There's no\n// requirement that |len| be a multiple of any value and any partial blocks are\n// stored in |ivec| and |*num|, the latter must be zero before the initial\n// call.\nvoid CRYPTO_ofb128_encrypt(const uint8_t *in, uint8_t *out, size_t len,\n const AES_KEY *key, uint8_t ivec[16], unsigned *num,\n block128_f block);\n\n\n// CFB.\n\n// CRYPTO_cfb128_encrypt encrypts (or decrypts, if |enc| is zero) |len| bytes\n// from |in| to |out| using |block| in CFB mode. There's no requirement that\n// |len| be a multiple of any value and any partial blocks are stored in |ivec|\n// and |*num|, the latter must be zero before the initial call.\nvoid CRYPTO_cfb128_encrypt(const uint8_t *in, uint8_t *out, size_t len,\n const AES_KEY *key, uint8_t ivec[16], unsigned *num,\n int enc, block128_f block);\n\n// CRYPTO_cfb128_8_encrypt encrypts (or decrypts, if |enc| is zero) |len| bytes\n// from |in| to |out| using |block| in CFB-8 mode. Prior to the first call\n// |num| should be set to zero.\nvoid CRYPTO_cfb128_8_encrypt(const uint8_t *in, uint8_t *out, size_t len,\n const AES_KEY *key, uint8_t ivec[16],\n unsigned *num, int enc, block128_f block);\n\n// CRYPTO_cfb128_1_encrypt encrypts (or decrypts, if |enc| is zero) |len| bytes\n// from |in| to |out| using |block| in CFB-1 mode. Prior to the first call\n// |num| should be set to zero.\nvoid CRYPTO_cfb128_1_encrypt(const uint8_t *in, uint8_t *out, size_t bits,\n const AES_KEY *key, uint8_t ivec[16],\n unsigned *num, int enc, block128_f block);\n\nsize_t CRYPTO_cts128_encrypt_block(const uint8_t *in, uint8_t *out, size_t len,\n const AES_KEY *key, uint8_t ivec[16],\n block128_f block);\n\n\n// POLYVAL.\n//\n// POLYVAL is a polynomial authenticator that operates over a field very\n// similar to the one that GHASH uses. See\n// https://www.rfc-editor.org/rfc/rfc8452.html#section-3.\n\nstruct polyval_ctx {\n uint8_t S[16];\n u128 Htable[16];\n gmult_func gmult;\n ghash_func ghash;\n};\n\n// CRYPTO_POLYVAL_init initialises |ctx| using |key|.\nvoid CRYPTO_POLYVAL_init(struct polyval_ctx *ctx, const uint8_t key[16]);\n\n// CRYPTO_POLYVAL_update_blocks updates the accumulator in |ctx| given the\n// blocks from |in|. Only a whole number of blocks can be processed so |in_len|\n// must be a multiple of 16.\nvoid CRYPTO_POLYVAL_update_blocks(struct polyval_ctx *ctx, const uint8_t *in,\n size_t in_len);\n\n// CRYPTO_POLYVAL_finish writes the accumulator from |ctx| to |out|.\nvoid CRYPTO_POLYVAL_finish(const struct polyval_ctx *ctx, uint8_t out[16]);\n\n\n} // extern C\n\n#endif // OPENSSL_HEADER_AES_INTERNAL_H\n" }, { "path": "Sources/CNIOBoringSSL/crypto/fipsmodule/aes/key_wrap.cc.inc", "content": "/*\n * Copyright 2008-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n#include \n#include \n\n#include \n\n#include \"../../internal.h\"\n#include \"../service_indicator/internal.h\"\n\n\n// kDefaultIV is the default IV value given in RFC 3394, 2.2.3.1.\nstatic const uint8_t kDefaultIV[] = {\n 0xa6, 0xa6, 0xa6, 0xa6, 0xa6, 0xa6, 0xa6, 0xa6,\n};\n\nstatic const unsigned kBound = 6;\n\nint AES_wrap_key(const AES_KEY *key, const uint8_t *iv, uint8_t *out,\n const uint8_t *in, size_t in_len) {\n // See RFC 3394, section 2.2.1. Additionally, note that section 2 requires the\n // plaintext be at least two 8-byte blocks.\n\n if (in_len > INT_MAX - 8 || in_len < 16 || in_len % 8 != 0) {\n return -1;\n }\n\n if (iv == NULL) {\n iv = kDefaultIV;\n }\n\n OPENSSL_memmove(out + 8, in, in_len);\n uint8_t A[AES_BLOCK_SIZE];\n OPENSSL_memcpy(A, iv, 8);\n\n size_t n = in_len / 8;\n\n for (unsigned j = 0; j < kBound; j++) {\n for (size_t i = 1; i <= n; i++) {\n OPENSSL_memcpy(A + 8, out + 8 * i, 8);\n AES_encrypt(A, A, key);\n\n uint32_t t = (uint32_t)(n * j + i);\n A[7] ^= t & 0xff;\n A[6] ^= (t >> 8) & 0xff;\n A[5] ^= (t >> 16) & 0xff;\n A[4] ^= (t >> 24) & 0xff;\n OPENSSL_memcpy(out + 8 * i, A + 8, 8);\n }\n }\n\n OPENSSL_memcpy(out, A, 8);\n FIPS_service_indicator_update_state();\n return (int)in_len + 8;\n}\n\n// aes_unwrap_key_inner performs steps one and two from\n// https://tools.ietf.org/html/rfc3394#section-2.2.2\nstatic int aes_unwrap_key_inner(const AES_KEY *key, uint8_t *out,\n uint8_t out_iv[8], const uint8_t *in,\n size_t in_len) {\n // See RFC 3394, section 2.2.2. Additionally, note that section 2 requires the\n // plaintext be at least two 8-byte blocks, so the ciphertext must be at least\n // three blocks.\n\n if (in_len > INT_MAX || in_len < 24 || in_len % 8 != 0) {\n return 0;\n }\n\n uint8_t A[AES_BLOCK_SIZE];\n OPENSSL_memcpy(A, in, 8);\n OPENSSL_memmove(out, in + 8, in_len - 8);\n\n size_t n = (in_len / 8) - 1;\n\n for (unsigned j = kBound - 1; j < kBound; j--) {\n for (size_t i = n; i > 0; i--) {\n uint32_t t = (uint32_t)(n * j + i);\n A[7] ^= t & 0xff;\n A[6] ^= (t >> 8) & 0xff;\n A[5] ^= (t >> 16) & 0xff;\n A[4] ^= (t >> 24) & 0xff;\n OPENSSL_memcpy(A + 8, out + 8 * (i - 1), 8);\n AES_decrypt(A, A, key);\n OPENSSL_memcpy(out + 8 * (i - 1), A + 8, 8);\n }\n }\n\n memcpy(out_iv, A, 8);\n return 1;\n}\n\nint AES_unwrap_key(const AES_KEY *key, const uint8_t *iv, uint8_t *out,\n const uint8_t *in, size_t in_len) {\n uint8_t calculated_iv[8];\n if (!aes_unwrap_key_inner(key, out, calculated_iv, in, in_len)) {\n return -1;\n }\n\n if (iv == NULL) {\n iv = kDefaultIV;\n }\n if (CRYPTO_memcmp(calculated_iv, iv, 8) != 0) {\n return -1;\n }\n\n FIPS_service_indicator_update_state();\n return (int)in_len - 8;\n}\n\n// kPaddingConstant is used in Key Wrap with Padding. See\n// https://tools.ietf.org/html/rfc5649#section-3\nstatic const uint8_t kPaddingConstant[4] = {0xa6, 0x59, 0x59, 0xa6};\n\nint AES_wrap_key_padded(const AES_KEY *key, uint8_t *out, size_t *out_len,\n size_t max_out, const uint8_t *in, size_t in_len) {\n // See https://tools.ietf.org/html/rfc5649#section-4.1\n const uint64_t in_len64 = in_len;\n const size_t padded_len = (in_len + 7) & ~7;\n *out_len = 0;\n if (in_len == 0 || in_len64 > 0xffffffffu || in_len + 7 < in_len ||\n padded_len + 8 < padded_len || max_out < padded_len + 8) {\n return 0;\n }\n\n uint8_t block[AES_BLOCK_SIZE];\n memcpy(block, kPaddingConstant, sizeof(kPaddingConstant));\n CRYPTO_store_u32_be(block + 4, (uint32_t)in_len);\n\n if (in_len <= 8) {\n memset(block + 8, 0, 8);\n memcpy(block + 8, in, in_len);\n AES_encrypt(block, out, key);\n *out_len = AES_BLOCK_SIZE;\n return 1;\n }\n\n uint8_t *padded_in = reinterpret_cast(OPENSSL_malloc(padded_len));\n if (padded_in == NULL) {\n return 0;\n }\n assert(padded_len >= 8);\n memset(padded_in + padded_len - 8, 0, 8);\n memcpy(padded_in, in, in_len);\n FIPS_service_indicator_lock_state();\n const int ret = AES_wrap_key(key, block, out, padded_in, padded_len);\n FIPS_service_indicator_unlock_state();\n OPENSSL_free(padded_in);\n if (ret < 0) {\n return 0;\n }\n *out_len = ret;\n FIPS_service_indicator_update_state();\n return 1;\n}\n\nint AES_unwrap_key_padded(const AES_KEY *key, uint8_t *out, size_t *out_len,\n size_t max_out, const uint8_t *in, size_t in_len) {\n *out_len = 0;\n if (in_len < AES_BLOCK_SIZE || max_out < in_len - 8) {\n return 0;\n }\n\n uint8_t iv[8];\n if (in_len == AES_BLOCK_SIZE) {\n uint8_t block[AES_BLOCK_SIZE];\n AES_decrypt(in, block, key);\n memcpy(iv, block, sizeof(iv));\n memcpy(out, block + 8, 8);\n } else if (!aes_unwrap_key_inner(key, out, iv, in, in_len)) {\n return 0;\n }\n assert(in_len % 8 == 0);\n\n crypto_word_t ok = constant_time_eq_int(\n CRYPTO_memcmp(iv, kPaddingConstant, sizeof(kPaddingConstant)), 0);\n\n const size_t claimed_len = CRYPTO_load_u32_be(iv + 4);\n ok &= ~constant_time_is_zero_w(claimed_len);\n ok &= constant_time_eq_w((claimed_len - 1) >> 3, (in_len - 9) >> 3);\n\n // Check that padding bytes are all zero.\n for (size_t i = in_len - 15; i < in_len - 8; i++) {\n ok &= constant_time_is_zero_w(constant_time_ge_8(i, claimed_len) & out[i]);\n }\n\n *out_len = constant_time_select_w(ok, claimed_len, 0);\n const int ret = ok & 1;\n if (ret) {\n FIPS_service_indicator_update_state();\n }\n return ret;\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/fipsmodule/aes/mode_wrappers.cc.inc", "content": "/*\n * Copyright 2002-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n\n#include \"../aes/internal.h\"\n#include \"../service_indicator/internal.h\"\n\n\nvoid AES_ctr128_encrypt(const uint8_t *in, uint8_t *out, size_t len,\n const AES_KEY *key, uint8_t ivec[AES_BLOCK_SIZE],\n uint8_t ecount_buf[AES_BLOCK_SIZE], unsigned int *num) {\n if (hwaes_capable()) {\n CRYPTO_ctr128_encrypt_ctr32(in, out, len, key, ivec, ecount_buf, num,\n aes_hw_ctr32_encrypt_blocks);\n } else if (vpaes_capable()) {\n // TODO(davidben): On ARM, where |BSAES| is additionally defined, this could\n // use |vpaes_ctr32_encrypt_blocks_with_bsaes|.\n CRYPTO_ctr128_encrypt_ctr32(in, out, len, key, ivec, ecount_buf, num,\n vpaes_ctr32_encrypt_blocks);\n } else {\n CRYPTO_ctr128_encrypt_ctr32(in, out, len, key, ivec, ecount_buf, num,\n aes_nohw_ctr32_encrypt_blocks);\n }\n\n FIPS_service_indicator_update_state();\n}\n\nvoid AES_ecb_encrypt(const uint8_t *in, uint8_t *out, const AES_KEY *key,\n const int enc) {\n assert(in && out && key);\n assert((AES_ENCRYPT == enc) || (AES_DECRYPT == enc));\n\n if (AES_ENCRYPT == enc) {\n AES_encrypt(in, out, key);\n } else {\n AES_decrypt(in, out, key);\n }\n\n FIPS_service_indicator_update_state();\n}\n\nvoid AES_cbc_encrypt(const uint8_t *in, uint8_t *out, size_t len,\n const AES_KEY *key, uint8_t *ivec, const int enc) {\n if (hwaes_capable()) {\n aes_hw_cbc_encrypt(in, out, len, key, ivec, enc);\n } else if (!vpaes_capable()) {\n aes_nohw_cbc_encrypt(in, out, len, key, ivec, enc);\n } else if (enc) {\n CRYPTO_cbc128_encrypt(in, out, len, key, ivec, AES_encrypt);\n } else {\n CRYPTO_cbc128_decrypt(in, out, len, key, ivec, AES_decrypt);\n }\n\n FIPS_service_indicator_update_state();\n}\n\nvoid AES_ofb128_encrypt(const uint8_t *in, uint8_t *out, size_t length,\n const AES_KEY *key, uint8_t *ivec, int *num) {\n unsigned num_u = (unsigned)(*num);\n CRYPTO_ofb128_encrypt(in, out, length, key, ivec, &num_u, AES_encrypt);\n *num = (int)num_u;\n}\n\nvoid AES_cfb128_encrypt(const uint8_t *in, uint8_t *out, size_t length,\n const AES_KEY *key, uint8_t *ivec, int *num,\n int enc) {\n unsigned num_u = (unsigned)(*num);\n CRYPTO_cfb128_encrypt(in, out, length, key, ivec, &num_u, enc, AES_encrypt);\n *num = (int)num_u;\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/fipsmodule/aes/ofb.cc.inc", "content": "/*\n * Copyright 2008-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n#include \n\n#include \"internal.h\"\n\n\nstatic_assert(16 % sizeof(size_t) == 0, \"block cannot be divided into size_t\");\n\nvoid CRYPTO_ofb128_encrypt(const uint8_t *in, uint8_t *out, size_t len,\n const AES_KEY *key, uint8_t ivec[16], unsigned *num,\n block128_f block) {\n assert(key != NULL && ivec != NULL && num != NULL);\n assert(len == 0 || (in != NULL && out != NULL));\n\n unsigned n = *num;\n\n while (n && len) {\n *(out++) = *(in++) ^ ivec[n];\n --len;\n n = (n + 1) % 16;\n }\n\n while (len >= 16) {\n (*block)(ivec, ivec, key);\n CRYPTO_xor16(out, in, ivec);\n len -= 16;\n out += 16;\n in += 16;\n n = 0;\n }\n if (len) {\n (*block)(ivec, ivec, key);\n while (len--) {\n out[n] = in[n] ^ ivec[n];\n ++n;\n }\n }\n *num = n;\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/fipsmodule/aes/polyval.cc.inc", "content": "/* Copyright 2016 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n#include \n\n#include \n#include \n\n#include \"internal.h\"\n#include \"../../internal.h\"\n\n\n// byte_reverse reverses the order of the bytes in |b->c|.\nstatic void byte_reverse(uint8_t b[16]) {\n uint64_t hi = CRYPTO_load_u64_le(b);\n uint64_t lo = CRYPTO_load_u64_le(b + 8);\n CRYPTO_store_u64_le(b, CRYPTO_bswap8(lo));\n CRYPTO_store_u64_le(b + 8, CRYPTO_bswap8(hi));\n}\n\n// reverse_and_mulX_ghash interprets |b| as a reversed element of the GHASH\n// field, multiplies that by 'x' and serialises the result back into |b|, but\n// with GHASH's backwards bit ordering.\nstatic void reverse_and_mulX_ghash(uint8_t b[16]) {\n uint64_t hi = CRYPTO_load_u64_le(b);\n uint64_t lo = CRYPTO_load_u64_le(b + 8);\n const crypto_word_t carry = constant_time_eq_w(hi & 1, 1);\n hi >>= 1;\n hi |= lo << 63;\n lo >>= 1;\n lo ^= ((uint64_t) constant_time_select_w(carry, 0xe1, 0)) << 56;\n\n CRYPTO_store_u64_le(b, CRYPTO_bswap8(lo));\n CRYPTO_store_u64_le(b + 8, CRYPTO_bswap8(hi));\n}\n\n// POLYVAL(H, X_1, ..., X_n) =\n// ByteReverse(GHASH(mulX_GHASH(ByteReverse(H)), ByteReverse(X_1), ...,\n// ByteReverse(X_n))).\n//\n// See https://www.rfc-editor.org/rfc/rfc8452.html#appendix-A.\n\nvoid CRYPTO_POLYVAL_init(struct polyval_ctx *ctx, const uint8_t key[16]) {\n alignas(8) uint8_t H[16];\n OPENSSL_memcpy(H, key, 16);\n reverse_and_mulX_ghash(H);\n\n CRYPTO_ghash_init(&ctx->gmult, &ctx->ghash, ctx->Htable, H);\n OPENSSL_memset(&ctx->S, 0, sizeof(ctx->S));\n}\n\nvoid CRYPTO_POLYVAL_update_blocks(struct polyval_ctx *ctx, const uint8_t *in,\n size_t in_len) {\n assert((in_len & 15) == 0);\n alignas(8) uint8_t buf[32 * 16];\n\n while (in_len > 0) {\n size_t todo = in_len;\n if (todo > sizeof(buf)) {\n todo = sizeof(buf);\n }\n OPENSSL_memcpy(buf, in, todo);\n in += todo;\n in_len -= todo;\n\n size_t blocks = todo / 16;\n for (size_t i = 0; i < blocks; i++) {\n byte_reverse(buf + 16 * i);\n }\n\n ctx->ghash(ctx->S, ctx->Htable, buf, todo);\n }\n}\n\nvoid CRYPTO_POLYVAL_finish(const struct polyval_ctx *ctx, uint8_t out[16]) {\n OPENSSL_memcpy(out, &ctx->S, 16);\n byte_reverse(out);\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/fipsmodule/bcm.cc", "content": "/* Copyright 2017 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n#if !defined(_GNU_SOURCE)\n#define _GNU_SOURCE // needed for syscall() on Linux.\n#endif\n\n#include \n\n#include \n#if defined(BORINGSSL_FIPS)\n#include \n#include \n#endif\n\n#include \n#include \n#include \n\n#include \"../bcm_support.h\"\n#include \"../internal.h\"\n#include \"bcm_interface.h\"\n\n// TODO(crbug.com/362530616): When delocate is removed, build these files as\n// separate compilation units again.\n#include \"aes/aes.cc.inc\"\n#include \"aes/aes_nohw.cc.inc\"\n#include \"aes/cbc.cc.inc\"\n#include \"aes/cfb.cc.inc\"\n#include \"aes/ctr.cc.inc\"\n#include \"aes/gcm.cc.inc\"\n#include \"aes/gcm_nohw.cc.inc\"\n#include \"aes/key_wrap.cc.inc\"\n#include \"aes/mode_wrappers.cc.inc\"\n#include \"aes/ofb.cc.inc\"\n#include \"aes/polyval.cc.inc\"\n#include \"bn/add.cc.inc\"\n#include \"bn/asm/x86_64-gcc.cc.inc\"\n#include \"bn/bn.cc.inc\"\n#include \"bn/bytes.cc.inc\"\n#include \"bn/cmp.cc.inc\"\n#include \"bn/ctx.cc.inc\"\n#include \"bn/div.cc.inc\"\n#include \"bn/div_extra.cc.inc\"\n#include \"bn/exponentiation.cc.inc\"\n#include \"bn/gcd.cc.inc\"\n#include \"bn/gcd_extra.cc.inc\"\n#include \"bn/generic.cc.inc\"\n#include \"bn/jacobi.cc.inc\"\n#include \"bn/montgomery.cc.inc\"\n#include \"bn/montgomery_inv.cc.inc\"\n#include \"bn/mul.cc.inc\"\n#include \"bn/prime.cc.inc\"\n#include \"bn/random.cc.inc\"\n#include \"bn/rsaz_exp.cc.inc\"\n#include \"bn/shift.cc.inc\"\n#include \"bn/sqrt.cc.inc\"\n#include \"cipher/aead.cc.inc\"\n#include \"cipher/cipher.cc.inc\"\n#include \"cipher/e_aes.cc.inc\"\n#include \"cipher/e_aesccm.cc.inc\"\n#include \"cmac/cmac.cc.inc\"\n#include \"dh/check.cc.inc\"\n#include \"dh/dh.cc.inc\"\n#include \"digest/digest.cc.inc\"\n#include \"digest/digests.cc.inc\"\n#include \"digestsign/digestsign.cc.inc\"\n#include \"ec/ec.cc.inc\"\n#include \"ec/ec_key.cc.inc\"\n#include \"ec/ec_montgomery.cc.inc\"\n#include \"ec/felem.cc.inc\"\n#include \"ec/oct.cc.inc\"\n#include \"ec/p224-64.cc.inc\"\n#include \"ec/p256-nistz.cc.inc\"\n#include \"ec/p256.cc.inc\"\n#include \"ec/scalar.cc.inc\"\n#include \"ec/simple.cc.inc\"\n#include \"ec/simple_mul.cc.inc\"\n#include \"ec/util.cc.inc\"\n#include \"ec/wnaf.cc.inc\"\n#include \"ecdh/ecdh.cc.inc\"\n#include \"ecdsa/ecdsa.cc.inc\"\n#include \"hkdf/hkdf.cc.inc\"\n#include \"hmac/hmac.cc.inc\"\n#include \"keccak/keccak.cc.inc\"\n#include \"mldsa/mldsa.cc.inc\"\n#include \"mlkem/mlkem.cc.inc\"\n#include \"rand/ctrdrbg.cc.inc\"\n#include \"rand/rand.cc.inc\"\n#include \"rsa/blinding.cc.inc\"\n#include \"rsa/padding.cc.inc\"\n#include \"rsa/rsa.cc.inc\"\n#include \"rsa/rsa_impl.cc.inc\"\n#include \"self_check/fips.cc.inc\"\n#include \"self_check/self_check.cc.inc\"\n#include \"service_indicator/service_indicator.cc.inc\"\n#include \"sha/sha1.cc.inc\"\n#include \"sha/sha256.cc.inc\"\n#include \"sha/sha512.cc.inc\"\n#include \"slhdsa/fors.cc.inc\"\n#include \"slhdsa/merkle.cc.inc\"\n#include \"slhdsa/slhdsa.cc.inc\"\n#include \"slhdsa/thash.cc.inc\"\n#include \"slhdsa/wots.cc.inc\"\n#include \"tls/kdf.cc.inc\"\n\n\n#if defined(BORINGSSL_FIPS)\n\n#if !defined(OPENSSL_ASAN)\n\n// These symbols are filled in by delocate.go (in static builds) or a linker\n// script (in shared builds). They point to the start and end of the module, and\n// the location of the integrity hash, respectively.\nextern const uint8_t BORINGSSL_bcm_text_start[];\nextern const uint8_t BORINGSSL_bcm_text_end[];\nextern const uint8_t BORINGSSL_bcm_text_hash[];\n#if defined(BORINGSSL_SHARED_LIBRARY)\nextern const uint8_t BORINGSSL_bcm_rodata_start[];\nextern const uint8_t BORINGSSL_bcm_rodata_end[];\n#endif\n\n// assert_within is used to sanity check that certain symbols are within the\n// bounds of the integrity check. It checks that start <= symbol < end and\n// aborts otherwise.\nstatic void assert_within(const void *start, const void *symbol,\n const void *end) {\n const uintptr_t start_val = (uintptr_t)start;\n const uintptr_t symbol_val = (uintptr_t)symbol;\n const uintptr_t end_val = (uintptr_t)end;\n\n if (start_val <= symbol_val && symbol_val < end_val) {\n return;\n }\n\n fprintf(CRYPTO_get_stderr(),\n \"FIPS module doesn't span expected symbol. Expected %p <= %p < %p\\n\",\n start, symbol, end);\n BORINGSSL_FIPS_abort();\n}\n\n#if defined(OPENSSL_ANDROID) && defined(OPENSSL_AARCH64)\nstatic void BORINGSSL_maybe_set_module_text_permissions(int permission) {\n // Android may be compiled in execute-only-memory mode, in which case the\n // .text segment cannot be read. That conflicts with the need for a FIPS\n // module to hash its own contents, therefore |mprotect| is used to make\n // the module's .text readable for the duration of the hashing process. In\n // other build configurations this is a no-op.\n const uintptr_t page_size = getpagesize();\n const uintptr_t page_start =\n ((uintptr_t)BORINGSSL_bcm_text_start) & ~(page_size - 1);\n\n if (mprotect((void *)page_start,\n ((uintptr_t)BORINGSSL_bcm_text_end) - page_start,\n permission) != 0) {\n perror(\"BoringSSL: mprotect\");\n }\n}\n#else\nstatic void BORINGSSL_maybe_set_module_text_permissions(int permission) {}\n#endif // !ANDROID\n\n#endif // !ASAN\n\nstatic void __attribute__((constructor))\nBORINGSSL_bcm_power_on_self_test(void) {\n#if !defined(OPENSSL_ASAN)\n // Integrity tests cannot run under ASAN because it involves reading the full\n // .text section, which triggers the global-buffer overflow detection.\n if (!BORINGSSL_integrity_test()) {\n goto err;\n }\n#endif // OPENSSL_ASAN\n\n if (!boringssl_self_test_startup()) {\n goto err;\n }\n\n return;\n\nerr:\n BORINGSSL_FIPS_abort();\n}\n\n#if !defined(OPENSSL_ASAN)\nint BORINGSSL_integrity_test(void) {\n const uint8_t *const start = BORINGSSL_bcm_text_start;\n const uint8_t *const end = BORINGSSL_bcm_text_end;\n\n assert_within(start, reinterpret_cast(AES_encrypt), end);\n assert_within(start, reinterpret_cast(RSA_sign), end);\n assert_within(start, reinterpret_cast(BCM_rand_bytes), end);\n assert_within(start, reinterpret_cast(EC_GROUP_cmp), end);\n assert_within(start, reinterpret_cast(BCM_sha256_update), end);\n assert_within(start, reinterpret_cast(ecdsa_verify_fixed), end);\n assert_within(start, reinterpret_cast(EVP_AEAD_CTX_seal), end);\n\n#if defined(BORINGSSL_SHARED_LIBRARY)\n const uint8_t *const rodata_start = BORINGSSL_bcm_rodata_start;\n const uint8_t *const rodata_end = BORINGSSL_bcm_rodata_end;\n#else\n // In the static build, read-only data is placed within the .text segment.\n const uint8_t *const rodata_start = BORINGSSL_bcm_text_start;\n const uint8_t *const rodata_end = BORINGSSL_bcm_text_end;\n#endif\n\n assert_within(rodata_start, kPrimes, rodata_end);\n assert_within(rodata_start, kP256Field, rodata_end);\n assert_within(rodata_start, kPKCS1SigPrefixes, rodata_end);\n\n uint8_t result[SHA256_DIGEST_LENGTH];\n const EVP_MD *const kHashFunction = EVP_sha256();\n if (!boringssl_self_test_sha256() || !boringssl_self_test_hmac_sha256()) {\n return 0;\n }\n\n static const uint8_t kHMACKey[64] = {0};\n unsigned result_len;\n HMAC_CTX hmac_ctx;\n HMAC_CTX_init(&hmac_ctx);\n if (!HMAC_Init_ex(&hmac_ctx, kHMACKey, sizeof(kHMACKey), kHashFunction,\n NULL /* no ENGINE */)) {\n fprintf(CRYPTO_get_stderr(), \"HMAC_Init_ex failed.\\n\");\n return 0;\n }\n\n BORINGSSL_maybe_set_module_text_permissions(PROT_READ | PROT_EXEC);\n#if defined(BORINGSSL_SHARED_LIBRARY)\n uint64_t length = end - start;\n HMAC_Update(&hmac_ctx, (const uint8_t *)&length, sizeof(length));\n HMAC_Update(&hmac_ctx, start, length);\n\n length = rodata_end - rodata_start;\n HMAC_Update(&hmac_ctx, (const uint8_t *)&length, sizeof(length));\n HMAC_Update(&hmac_ctx, rodata_start, length);\n#else\n HMAC_Update(&hmac_ctx, start, end - start);\n#endif\n BORINGSSL_maybe_set_module_text_permissions(PROT_EXEC);\n\n if (!HMAC_Final(&hmac_ctx, result, &result_len) ||\n result_len != sizeof(result)) {\n fprintf(CRYPTO_get_stderr(), \"HMAC failed.\\n\");\n return 0;\n }\n HMAC_CTX_cleanse(&hmac_ctx); // FIPS 140-3, AS05.10.\n\n const uint8_t *expected = BORINGSSL_bcm_text_hash;\n\n if (!check_test(expected, result, sizeof(result), \"FIPS integrity test\")) {\n#if !defined(BORINGSSL_FIPS_BREAK_TESTS)\n return 0;\n#endif\n }\n\n OPENSSL_cleanse(result, sizeof(result)); // FIPS 140-3, AS05.10.\n return 1;\n}\n\nconst uint8_t *FIPS_module_hash(void) { return BORINGSSL_bcm_text_hash; }\n\n#endif // OPENSSL_ASAN\n\nvoid BORINGSSL_FIPS_abort(void) {\n for (;;) {\n abort();\n exit(1);\n }\n}\n\n#endif // BORINGSSL_FIPS\n" }, { "path": "Sources/CNIOBoringSSL/crypto/fipsmodule/bcm_interface.h", "content": "/* Copyright 2024 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n#ifndef OPENSSL_HEADER_CRYPTO_BCM_INTERFACE_H\n#define OPENSSL_HEADER_CRYPTO_BCM_INTERFACE_H\n\n#include \n\n// This header will eventually become the interface between BCM and the\n// rest of libcrypto. More cleanly separating the two is still a work in\n// progress (see https://crbug.com/boringssl/722) so, at the moment, we\n// consider this no different from any other header in BCM.\n//\n// Over time, calls from libcrypto to BCM will all move to this header\n// and the separation will become more meaningful.\n\n#if defined(__cplusplus)\nextern \"C\" {\n#endif\n\n// Enumerated types for return values from bcm functions, both infallible\n// and fallible functions. Two success values are used to correspond to the\n// FIPS service indicator. For the moment, the official service indicator\n// remains the counter, not these values. Once we fully transition to\n// these return values from bcm we will change that.\nenum class bcm_infallible_t {\n approved,\n not_approved,\n};\n\nenum class bcm_status_t {\n approved,\n not_approved,\n failure,\n};\ntypedef enum bcm_status_t bcm_status;\ntypedef enum bcm_infallible_t bcm_infallible;\n\ninline int bcm_success(bcm_status status) {\n return status == bcm_status::approved || status == bcm_status::not_approved;\n}\n\ninline bcm_status_t bcm_as_approved_status(int result) {\n return result ? bcm_status::approved : bcm_status::failure;\n}\n\n\n// Random number generator.\n\n#if defined(BORINGSSL_FIPS)\n\n// We overread from /dev/urandom or RDRAND by a factor of 10 and XOR to whiten.\n// TODO(bbe): disentangle this value which is used to calculate the size of the\n// stack buffer in RAND_need entropy based on a calculation.\n#define BORINGSSL_FIPS_OVERREAD 10\n\n#endif // BORINGSSL_FIPS\n\n// BCM_rand_load_entropy supplies |entropy_len| bytes of entropy to the BCM\n// module. The |want_additional_input| parameter is true iff the entropy was\n// obtained from a source other than the system, e.g. directly from the CPU.\nbcm_infallible BCM_rand_load_entropy(const uint8_t *entropy, size_t entropy_len,\n int want_additional_input);\n\n// BCM_rand_bytes is the same as the public |RAND_bytes| function, other\n// than returning a bcm_infallible status indicator.\nOPENSSL_EXPORT bcm_infallible BCM_rand_bytes(uint8_t *out, size_t out_len);\n\n// BCM_rand_bytes_hwrng attempts to fill |out| with |len| bytes of entropy from\n// the CPU hardware random number generator if one is present.\n// bcm_status_approved is returned on success, and a failure status is\n// returned otherwise.\nbcm_status BCM_rand_bytes_hwrng(uint8_t *out, size_t len);\n\n// BCM_rand_bytes_with_additional_data samples from the RNG after mixing 32\n// bytes from |user_additional_data| in.\nbcm_infallible BCM_rand_bytes_with_additional_data(\n uint8_t *out, size_t out_len, const uint8_t user_additional_data[32]);\n\n\n// SHA-1\n\n// BCM_SHA_DIGEST_LENGTH is the length of a SHA-1 digest.\n#define BCM_SHA_DIGEST_LENGTH 20\n\n// BCM_sha1_init initialises |sha|.\nbcm_infallible BCM_sha1_init(SHA_CTX *sha);\n\n// BCM_SHA1_transform is a low-level function that performs a single, SHA-1\n// block transformation using the state from |sha| and |SHA_CBLOCK| bytes from\n// |block|.\nbcm_infallible BCM_sha1_transform(SHA_CTX *c,\n const uint8_t data[BCM_SHA_CBLOCK]);\n\n// BCM_sha1_update adds |len| bytes from |data| to |sha|.\nbcm_infallible BCM_sha1_update(SHA_CTX *c, const void *data, size_t len);\n\n// BCM_sha1_final adds the final padding to |sha| and writes the resulting\n// digest to |out|, which must have at least |SHA_DIGEST_LENGTH| bytes of space.\nbcm_infallible BCM_sha1_final(uint8_t out[BCM_SHA_DIGEST_LENGTH], SHA_CTX *c);\n\n\n// BCM_fips_186_2_prf derives |out_len| bytes from |xkey| using the PRF\n// defined in FIPS 186-2, Appendix 3.1, with change notice 1 applied. The b\n// parameter is 160 and seed, XKEY, is also 160 bits. The optional XSEED user\n// input is all zeros.\n//\n// The PRF generates a sequence of 320-bit numbers. Each number is encoded as a\n// 40-byte string in big-endian and then concatenated to form |out|. If\n// |out_len| is not a multiple of 40, the result is truncated. This matches the\n// construction used in Section 7 of RFC 4186 and Section 7 of RFC 4187.\n//\n// This PRF is based on SHA-1, a weak hash function, and should not be used\n// in new protocols. It is provided for compatibility with some legacy EAP\n// methods.\nbcm_infallible BCM_fips_186_2_prf(uint8_t *out, size_t out_len,\n const uint8_t xkey[BCM_SHA_DIGEST_LENGTH]);\n\n\n// SHA-224\n\n// SHA224_DIGEST_LENGTH is the length of a SHA-224 digest.\n#define BCM_SHA224_DIGEST_LENGTH 28\n\n// BCM_sha224_unit initialises |sha|.\nbcm_infallible BCM_sha224_init(SHA256_CTX *sha);\n\n// BCM_sha224_update adds |len| bytes from |data| to |sha|.\nbcm_infallible BCM_sha224_update(SHA256_CTX *sha, const void *data, size_t len);\n\n// BCM_sha224_final adds the final padding to |sha| and writes the resulting\n// digest to |out|, which must have at least |SHA224_DIGEST_LENGTH| bytes of\n// space. It aborts on programmer error.\nbcm_infallible BCM_sha224_final(uint8_t out[BCM_SHA224_DIGEST_LENGTH],\n SHA256_CTX *sha);\n\n\n// SHA-256\n\n// BCM_SHA256_DIGEST_LENGTH is the length of a SHA-256 digest.\n#define BCM_SHA256_DIGEST_LENGTH 32\n\n// BCM_sha256_init initialises |sha|.\nbcm_infallible BCM_sha256_init(SHA256_CTX *sha);\n\n// BCM_sha256_update adds |len| bytes from |data| to |sha|.\nbcm_infallible BCM_sha256_update(SHA256_CTX *sha, const void *data, size_t len);\n\n// BCM_sha256_final adds the final padding to |sha| and writes the resulting\n// digest to |out|, which must have at least |BCM_SHA256_DIGEST_LENGTH| bytes of\n// space. It aborts on programmer error.\nbcm_infallible BCM_sha256_final(uint8_t out[BCM_SHA256_DIGEST_LENGTH],\n SHA256_CTX *sha);\n\n// BCM_sha256_transform is a low-level function that performs a single, SHA-256\n// block transformation using the state from |sha| and |BCM_SHA256_CBLOCK| bytes\n// from |block|.\nbcm_infallible BCM_sha256_transform(SHA256_CTX *sha,\n const uint8_t block[BCM_SHA256_CBLOCK]);\n\n// BCM_sha256_transform_blocks is a low-level function that takes |num_blocks| *\n// |BCM_SHA256_CBLOCK| bytes of data and performs SHA-256 transforms on it to\n// update |state|.\nbcm_infallible BCM_sha256_transform_blocks(uint32_t state[8],\n const uint8_t *data,\n size_t num_blocks);\n\n\n// SHA-384.\n\n// BCM_SHA384_DIGEST_LENGTH is the length of a SHA-384 digest.\n#define BCM_SHA384_DIGEST_LENGTH 48\n\n// BCM_sha384_init initialises |sha|.\nbcm_infallible BCM_sha384_init(SHA512_CTX *sha);\n\n// BCM_sha384_update adds |len| bytes from |data| to |sha|.\nbcm_infallible BCM_sha384_update(SHA512_CTX *sha, const void *data, size_t len);\n\n// BCM_sha384_final adds the final padding to |sha| and writes the resulting\n// digest to |out|, which must have at least |BCM_sha384_DIGEST_LENGTH| bytes of\n// space. It may abort on programmer error.\nbcm_infallible BCM_sha384_final(uint8_t out[BCM_SHA384_DIGEST_LENGTH],\n SHA512_CTX *sha);\n\n\n// SHA-512.\n\n// BCM_SHA512_DIGEST_LENGTH is the length of a SHA-512 digest.\n#define BCM_SHA512_DIGEST_LENGTH 64\n\n// BCM_sha512_init initialises |sha|.\nbcm_infallible BCM_sha512_init(SHA512_CTX *sha);\n\n// BCM_sha512_update adds |len| bytes from |data| to |sha|.\nbcm_infallible BCM_sha512_update(SHA512_CTX *sha, const void *data, size_t len);\n\n// BCM_sha512_final adds the final padding to |sha| and writes the resulting\n// digest to |out|, which must have at least |BCM_sha512_DIGEST_LENGTH| bytes of\n// space.\nbcm_infallible BCM_sha512_final(uint8_t out[BCM_SHA512_DIGEST_LENGTH],\n SHA512_CTX *sha);\n\n// BCM_sha512_transform is a low-level function that performs a single, SHA-512\n// block transformation using the state from |sha| and |BCM_sha512_CBLOCK| bytes\n// from |block|.\nbcm_infallible BCM_sha512_transform(SHA512_CTX *sha,\n const uint8_t block[BCM_SHA512_CBLOCK]);\n\n\n// SHA-512-256\n//\n// See https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf section 5.3.6\n\n#define BCM_SHA512_256_DIGEST_LENGTH 32\n\n// BCM_sha512_256_init initialises |sha|.\nbcm_infallible BCM_sha512_256_init(SHA512_CTX *sha);\n\n// BCM_sha512_256_update adds |len| bytes from |data| to |sha|.\nbcm_infallible BCM_sha512_256_update(SHA512_CTX *sha, const void *data,\n size_t len);\n\n// BCM_sha512_256_final adds the final padding to |sha| and writes the resulting\n// digest to |out|, which must have at least |BCM_sha512_256_DIGEST_LENGTH|\n// bytes of space. It may abort on programmer error.\nbcm_infallible BCM_sha512_256_final(uint8_t out[BCM_SHA512_256_DIGEST_LENGTH],\n SHA512_CTX *sha);\n\n\n// ML-DSA\n//\n// Where not commented, these functions have the same signature as the\n// corresponding public function.\n\n// BCM_MLDSA_SIGNATURE_RANDOMIZER_BYTES is the number of bytes of uniformly\n// random entropy necessary to generate a signature in randomized mode.\n#define BCM_MLDSA_SIGNATURE_RANDOMIZER_BYTES 32\n\n// BCM_MLDSA_SEED_BYTES is the number of bytes in an ML-DSA seed value.\n#define BCM_MLDSA_SEED_BYTES 32\n\n// BCM_MLDSA65_PRIVATE_KEY_BYTES is the number of bytes in an encoded ML-DSA-65\n// private key.\n#define BCM_MLDSA65_PRIVATE_KEY_BYTES 4032\n\n// BCM_MLDSA65_PUBLIC_KEY_BYTES is the number of bytes in an encoded ML-DSA-65\n// public key.\n#define BCM_MLDSA65_PUBLIC_KEY_BYTES 1952\n\n// BCM_MLDSA65_SIGNATURE_BYTES is the number of bytes in an encoded ML-DSA-65\n// signature.\n#define BCM_MLDSA65_SIGNATURE_BYTES 3309\n\nstruct BCM_mldsa65_private_key {\n union {\n uint8_t bytes[32 + 32 + 64 + 256 * 4 * (5 + 6 + 6)];\n uint32_t alignment;\n } opaque;\n};\n\nstruct BCM_mldsa65_public_key {\n union {\n uint8_t bytes[32 + 64 + 256 * 4 * 6];\n uint32_t alignment;\n } opaque;\n};\n\nOPENSSL_EXPORT bcm_status BCM_mldsa65_generate_key(\n uint8_t out_encoded_public_key[BCM_MLDSA65_PUBLIC_KEY_BYTES],\n uint8_t out_seed[BCM_MLDSA_SEED_BYTES],\n struct BCM_mldsa65_private_key *out_private_key);\n\nOPENSSL_EXPORT bcm_status BCM_mldsa65_private_key_from_seed(\n struct BCM_mldsa65_private_key *out_private_key,\n const uint8_t seed[BCM_MLDSA_SEED_BYTES]);\n\nOPENSSL_EXPORT bcm_status BCM_mldsa65_public_from_private(\n struct BCM_mldsa65_public_key *out_public_key,\n const struct BCM_mldsa65_private_key *private_key);\n\nOPENSSL_EXPORT bcm_status BCM_mldsa65_sign(\n uint8_t out_encoded_signature[BCM_MLDSA65_SIGNATURE_BYTES],\n const struct BCM_mldsa65_private_key *private_key, const uint8_t *msg,\n size_t msg_len, const uint8_t *context, size_t context_len);\n\nOPENSSL_EXPORT bcm_status BCM_mldsa65_verify(\n const struct BCM_mldsa65_public_key *public_key,\n const uint8_t signature[BCM_MLDSA65_SIGNATURE_BYTES], const uint8_t *msg,\n size_t msg_len, const uint8_t *context, size_t context_len);\n\nOPENSSL_EXPORT bcm_status BCM_mldsa65_marshal_public_key(\n CBB *out, const struct BCM_mldsa65_public_key *public_key);\n\nOPENSSL_EXPORT bcm_status BCM_mldsa65_parse_public_key(\n struct BCM_mldsa65_public_key *public_key, CBS *in);\n\nOPENSSL_EXPORT bcm_status BCM_mldsa65_parse_private_key(\n struct BCM_mldsa65_private_key *private_key, CBS *in);\n\n// BCM_mldsa65_generate_key_external_entropy generates a public/private key pair\n// using the given seed, writes the encoded public key to\n// |out_encoded_public_key| and sets |out_private_key| to the private key.\nOPENSSL_EXPORT bcm_status BCM_mldsa65_generate_key_external_entropy(\n uint8_t out_encoded_public_key[BCM_MLDSA65_PUBLIC_KEY_BYTES],\n struct BCM_mldsa65_private_key *out_private_key,\n const uint8_t entropy[BCM_MLDSA_SEED_BYTES]);\n\n// BCM_mldsa5_sign_internal signs |msg| using |private_key| and writes the\n// signature to |out_encoded_signature|. The |context_prefix| and |context| are\n// prefixed to the message, in that order, before signing. The |randomizer|\n// value can be set to zero bytes in order to make a deterministic signature, or\n// else filled with entropy for the usual |MLDSA_sign| behavior.\nOPENSSL_EXPORT bcm_status BCM_mldsa65_sign_internal(\n uint8_t out_encoded_signature[BCM_MLDSA65_SIGNATURE_BYTES],\n const struct BCM_mldsa65_private_key *private_key, const uint8_t *msg,\n size_t msg_len, const uint8_t *context_prefix, size_t context_prefix_len,\n const uint8_t *context, size_t context_len,\n const uint8_t randomizer[BCM_MLDSA_SIGNATURE_RANDOMIZER_BYTES]);\n\n// BCM_mldsa5_verify_internal verifies that |encoded_signature| is a valid\n// signature of |msg| by |public_key|. The |context_prefix| and |context| are\n// prefixed to the message before verification, in that order.\nOPENSSL_EXPORT bcm_status BCM_mldsa65_verify_internal(\n const struct BCM_mldsa65_public_key *public_key,\n const uint8_t encoded_signature[BCM_MLDSA65_SIGNATURE_BYTES],\n const uint8_t *msg, size_t msg_len, const uint8_t *context_prefix,\n size_t context_prefix_len, const uint8_t *context, size_t context_len);\n\n// BCM_mldsa65_marshal_private_key serializes |private_key| to |out| in the\n// NIST format for ML-DSA-65 private keys.\nOPENSSL_EXPORT bcm_status BCM_mldsa65_marshal_private_key(\n CBB *out, const struct BCM_mldsa65_private_key *private_key);\n\n\n// BCM_MLDSA87_PRIVATE_KEY_BYTES is the number of bytes in an encoded ML-DSA-87\n// private key.\n#define BCM_MLDSA87_PRIVATE_KEY_BYTES 4896\n\n// BCM_MLDSA87_PUBLIC_KEY_BYTES is the number of bytes in an encoded ML-DSA-87\n// public key.\n#define BCM_MLDSA87_PUBLIC_KEY_BYTES 2592\n\n// BCM_MLDSA87_SIGNATURE_BYTES is the number of bytes in an encoded ML-DSA-87\n// signature.\n#define BCM_MLDSA87_SIGNATURE_BYTES 4627\n\nstruct BCM_mldsa87_private_key {\n union {\n uint8_t bytes[32 + 32 + 64 + 256 * 4 * (7 + 8 + 8)];\n uint32_t alignment;\n } opaque;\n};\n\nstruct BCM_mldsa87_public_key {\n union {\n uint8_t bytes[32 + 64 + 256 * 4 * 8];\n uint32_t alignment;\n } opaque;\n};\n\nOPENSSL_EXPORT bcm_status BCM_mldsa87_generate_key(\n uint8_t out_encoded_public_key[BCM_MLDSA87_PUBLIC_KEY_BYTES],\n uint8_t out_seed[BCM_MLDSA_SEED_BYTES],\n struct BCM_mldsa87_private_key *out_private_key);\n\nOPENSSL_EXPORT bcm_status BCM_mldsa87_private_key_from_seed(\n struct BCM_mldsa87_private_key *out_private_key,\n const uint8_t seed[BCM_MLDSA_SEED_BYTES]);\n\nOPENSSL_EXPORT bcm_status BCM_mldsa87_public_from_private(\n struct BCM_mldsa87_public_key *out_public_key,\n const struct BCM_mldsa87_private_key *private_key);\n\nOPENSSL_EXPORT bcm_status BCM_mldsa87_sign(\n uint8_t out_encoded_signature[BCM_MLDSA87_SIGNATURE_BYTES],\n const struct BCM_mldsa87_private_key *private_key, const uint8_t *msg,\n size_t msg_len, const uint8_t *context, size_t context_len);\n\nOPENSSL_EXPORT bcm_status\nBCM_mldsa87_verify(const struct BCM_mldsa87_public_key *public_key,\n const uint8_t *signature, const uint8_t *msg, size_t msg_len,\n const uint8_t *context, size_t context_len);\n\nOPENSSL_EXPORT bcm_status BCM_mldsa87_marshal_public_key(\n CBB *out, const struct BCM_mldsa87_public_key *public_key);\n\nOPENSSL_EXPORT bcm_status BCM_mldsa87_parse_public_key(\n struct BCM_mldsa87_public_key *public_key, CBS *in);\n\nOPENSSL_EXPORT bcm_status BCM_mldsa87_parse_private_key(\n struct BCM_mldsa87_private_key *private_key, CBS *in);\n\n// BCM_mldsa87_generate_key_external_entropy generates a public/private key pair\n// using the given seed, writes the encoded public key to\n// |out_encoded_public_key| and sets |out_private_key| to the private key.\nOPENSSL_EXPORT bcm_status BCM_mldsa87_generate_key_external_entropy(\n uint8_t out_encoded_public_key[BCM_MLDSA87_PUBLIC_KEY_BYTES],\n struct BCM_mldsa87_private_key *out_private_key,\n const uint8_t entropy[BCM_MLDSA_SEED_BYTES]);\n\n// BCM_mldsa87_sign_internal signs |msg| using |private_key| and writes the\n// signature to |out_encoded_signature|. The |context_prefix| and |context| are\n// prefixed to the message, in that order, before signing. The |randomizer|\n// value can be set to zero bytes in order to make a deterministic signature, or\n// else filled with entropy for the usual |MLDSA_sign| behavior.\nOPENSSL_EXPORT bcm_status BCM_mldsa87_sign_internal(\n uint8_t out_encoded_signature[BCM_MLDSA87_SIGNATURE_BYTES],\n const struct BCM_mldsa87_private_key *private_key, const uint8_t *msg,\n size_t msg_len, const uint8_t *context_prefix, size_t context_prefix_len,\n const uint8_t *context, size_t context_len,\n const uint8_t randomizer[BCM_MLDSA_SIGNATURE_RANDOMIZER_BYTES]);\n\n// BCM_mldsa87_verify_internal verifies that |encoded_signature| is a valid\n// signature of |msg| by |public_key|. The |context_prefix| and |context| are\n// prefixed to the message before verification, in that order.\nOPENSSL_EXPORT bcm_status BCM_mldsa87_verify_internal(\n const struct BCM_mldsa87_public_key *public_key,\n const uint8_t encoded_signature[BCM_MLDSA87_SIGNATURE_BYTES],\n const uint8_t *msg, size_t msg_len, const uint8_t *context_prefix,\n size_t context_prefix_len, const uint8_t *context, size_t context_len);\n\n// BCM_mldsa87_marshal_private_key serializes |private_key| to |out| in the\n// NIST format for ML-DSA-87 private keys.\nOPENSSL_EXPORT bcm_status BCM_mldsa87_marshal_private_key(\n CBB *out, const struct BCM_mldsa87_private_key *private_key);\n\n\n// ML-KEM\n//\n// Where not commented, these functions have the same signature as the\n// corresponding public function.\n\n// BCM_MLKEM_ENCAP_ENTROPY is the number of bytes of uniformly random entropy\n// necessary to encapsulate a secret. The entropy will be leaked to the\n// decapsulating party.\n#define BCM_MLKEM_ENCAP_ENTROPY 32\n\n// BCM_MLKEM768_PUBLIC_KEY_BYTES is the number of bytes in an encoded ML-KEM-768\n// public key.\n#define BCM_MLKEM768_PUBLIC_KEY_BYTES 1184\n\n// BCM_MLKEM1024_PUBLIC_KEY_BYTES is the number of bytes in an encoded\n// ML-KEM-1024 public key.\n#define BCM_MLKEM1024_PUBLIC_KEY_BYTES 1568\n\n// BCM_MLKEM768_CIPHERTEXT_BYTES is number of bytes in the ML-KEM-768\n// ciphertext.\n#define BCM_MLKEM768_CIPHERTEXT_BYTES 1088\n\n// BCM_MLKEM1024_CIPHERTEXT_BYTES is number of bytes in the ML-KEM-1024\n// ciphertext.\n#define BCM_MLKEM1024_CIPHERTEXT_BYTES 1568\n\n// BCM_MLKEM768_PRIVATE_KEY_BYTES is the length of the data produced by\n// |BCM_mlkem768_marshal_private_key|.\n#define BCM_MLKEM768_PRIVATE_KEY_BYTES 2400\n\n// BCM_MLKEM1024_PRIVATE_KEY_BYTES is the length of the data produced by\n// |BCM_mlkem1024_marshal_private_key|.\n#define BCM_MLKEM1024_PRIVATE_KEY_BYTES 3168\n\n// BCM_MLKEM_SEED_BYTES is the number of bytes in an ML-KEM seed.\n#define BCM_MLKEM_SEED_BYTES 64\n\n// BCM_mlkem_SHARED_SECRET_BYTES is the number of bytes in an ML-KEM shared\n// secret.\n#define BCM_MLKEM_SHARED_SECRET_BYTES 32\n\nstruct BCM_mlkem768_public_key {\n union {\n uint8_t bytes[512 * (3 + 9) + 32 + 32];\n uint16_t alignment;\n } opaque;\n};\n\nstruct BCM_mlkem768_private_key {\n union {\n uint8_t bytes[512 * (3 + 3 + 9) + 32 + 32 + 32];\n uint16_t alignment;\n } opaque;\n};\n\nOPENSSL_EXPORT bcm_infallible BCM_mlkem768_generate_key(\n uint8_t out_encoded_public_key[BCM_MLKEM768_PUBLIC_KEY_BYTES],\n uint8_t optional_out_seed[BCM_MLKEM_SEED_BYTES],\n struct BCM_mlkem768_private_key *out_private_key);\n\nOPENSSL_EXPORT bcm_status BCM_mlkem768_private_key_from_seed(\n struct BCM_mlkem768_private_key *out_private_key, const uint8_t *seed,\n size_t seed_len);\n\nOPENSSL_EXPORT bcm_infallible BCM_mlkem768_public_from_private(\n struct BCM_mlkem768_public_key *out_public_key,\n const struct BCM_mlkem768_private_key *private_key);\n\nOPENSSL_EXPORT bcm_infallible\nBCM_mlkem768_encap(uint8_t out_ciphertext[BCM_MLKEM768_CIPHERTEXT_BYTES],\n uint8_t out_shared_secret[BCM_MLKEM_SHARED_SECRET_BYTES],\n const struct BCM_mlkem768_public_key *public_key);\n\nOPENSSL_EXPORT bcm_status\nBCM_mlkem768_decap(uint8_t out_shared_secret[BCM_MLKEM_SHARED_SECRET_BYTES],\n const uint8_t *ciphertext, size_t ciphertext_len,\n const struct BCM_mlkem768_private_key *private_key);\n\nOPENSSL_EXPORT bcm_status BCM_mlkem768_marshal_public_key(\n CBB *out, const struct BCM_mlkem768_public_key *public_key);\n\nOPENSSL_EXPORT bcm_status BCM_mlkem768_parse_public_key(\n struct BCM_mlkem768_public_key *out_public_key, CBS *in);\n\n// BCM_mlkem768_parse_private_key parses a private key, in NIST's format for\n// private keys, from |in| and writes the result to |out_private_key|. It\n// returns one on success or zero on parse error or if there are trailing bytes\n// in |in|. This format is verbose and should be avoided. Private keys should be\n// stored as seeds and parsed using |BCM_mlkem768_private_key_from_seed|.\nOPENSSL_EXPORT bcm_status BCM_mlkem768_parse_private_key(\n struct BCM_mlkem768_private_key *out_private_key, CBS *in);\n\n// BCM_mlkem768_generate_key_external_seed is a deterministic function to create\n// a pair of ML-KEM-768 keys, using the supplied seed. The seed needs to be\n// uniformly random. This function should only be used for tests; regular\n// callers should use the non-deterministic |BCM_mlkem768_generate_key|\n// directly.\nOPENSSL_EXPORT bcm_infallible BCM_mlkem768_generate_key_external_seed(\n uint8_t out_encoded_public_key[BCM_MLKEM768_PUBLIC_KEY_BYTES],\n struct BCM_mlkem768_private_key *out_private_key,\n const uint8_t seed[BCM_MLKEM_SEED_BYTES]);\n\n// BCM_mlkem768_encap_external_entropy behaves like |MLKEM768_encap|, but uses\n// |MLKEM_ENCAP_ENTROPY| bytes of |entropy| for randomization. The decapsulating\n// side will be able to recover |entropy| in full. This function should only be\n// used for tests, regular callers should use the non-deterministic\n// |BCM_mlkem768_encap| directly.\nOPENSSL_EXPORT bcm_infallible BCM_mlkem768_encap_external_entropy(\n uint8_t out_ciphertext[BCM_MLKEM768_CIPHERTEXT_BYTES],\n uint8_t out_shared_secret[BCM_MLKEM_SHARED_SECRET_BYTES],\n const struct BCM_mlkem768_public_key *public_key,\n const uint8_t entropy[BCM_MLKEM_ENCAP_ENTROPY]);\n\n// BCM_mlkem768_marshal_private_key serializes |private_key| to |out| in the\n// NIST format for ML-KEM-768 private keys. (Note that one can also save just\n// the seed value produced by |BCM_mlkem768_generate_key|, which is\n// significantly smaller.)\nOPENSSL_EXPORT bcm_status BCM_mlkem768_marshal_private_key(\n CBB *out, const struct BCM_mlkem768_private_key *private_key);\n\nstruct BCM_mlkem1024_public_key {\n union {\n uint8_t bytes[512 * (4 + 16) + 32 + 32];\n uint16_t alignment;\n } opaque;\n};\n\nstruct BCM_mlkem1024_private_key {\n union {\n uint8_t bytes[512 * (4 + 4 + 16) + 32 + 32 + 32];\n uint16_t alignment;\n } opaque;\n};\n\nOPENSSL_EXPORT bcm_infallible BCM_mlkem1024_generate_key(\n uint8_t out_encoded_public_key[BCM_MLKEM1024_PUBLIC_KEY_BYTES],\n uint8_t optional_out_seed[BCM_MLKEM_SEED_BYTES],\n struct BCM_mlkem1024_private_key *out_private_key);\n\nOPENSSL_EXPORT bcm_status BCM_mlkem1024_private_key_from_seed(\n struct BCM_mlkem1024_private_key *out_private_key, const uint8_t *seed,\n size_t seed_len);\n\nOPENSSL_EXPORT bcm_infallible BCM_mlkem1024_public_from_private(\n struct BCM_mlkem1024_public_key *out_public_key,\n const struct BCM_mlkem1024_private_key *private_key);\n\nOPENSSL_EXPORT bcm_infallible\nBCM_mlkem1024_encap(uint8_t out_ciphertext[BCM_MLKEM1024_CIPHERTEXT_BYTES],\n uint8_t out_shared_secret[BCM_MLKEM_SHARED_SECRET_BYTES],\n const struct BCM_mlkem1024_public_key *public_key);\n\nOPENSSL_EXPORT bcm_status\nBCM_mlkem1024_decap(uint8_t out_shared_secret[BCM_MLKEM_SHARED_SECRET_BYTES],\n const uint8_t *ciphertext, size_t ciphertext_len,\n const struct BCM_mlkem1024_private_key *private_key);\n\nOPENSSL_EXPORT bcm_status BCM_mlkem1024_marshal_public_key(\n CBB *out, const struct BCM_mlkem1024_public_key *public_key);\n\nOPENSSL_EXPORT bcm_status BCM_mlkem1024_parse_public_key(\n struct BCM_mlkem1024_public_key *out_public_key, CBS *in);\n\n// BCM_mlkem1024_parse_private_key parses a private key, in NIST's format for\n// private keys, from |in| and writes the result to |out_private_key|. It\n// returns one on success or zero on parse error or if there are trailing bytes\n// in |in|. This format is verbose and should be avoided. Private keys should be\n// stored as seeds and parsed using |BCM_mlkem1024_private_key_from_seed|.\nOPENSSL_EXPORT bcm_status BCM_mlkem1024_parse_private_key(\n struct BCM_mlkem1024_private_key *out_private_key, CBS *in);\n\n// BCM_mlkem1024_generate_key_external_seed is a deterministic function to\n// create a pair of ML-KEM-1024 keys, using the supplied seed. The seed needs to\n// be uniformly random. This function should only be used for tests, regular\n// callers should use the non-deterministic |BCM_mlkem1024_generate_key|\n// directly.\nOPENSSL_EXPORT bcm_infallible BCM_mlkem1024_generate_key_external_seed(\n uint8_t out_encoded_public_key[BCM_MLKEM1024_PUBLIC_KEY_BYTES],\n struct BCM_mlkem1024_private_key *out_private_key,\n const uint8_t seed[BCM_MLKEM_SEED_BYTES]);\n\n// BCM_mlkem1024_encap_external_entropy behaves like |MLKEM1024_encap|, but uses\n// |MLKEM_ENCAP_ENTROPY| bytes of |entropy| for randomization. The\n// decapsulating side will be able to recover |entropy| in full. This function\n// should only be used for tests, regular callers should use the\n// non-deterministic |BCM_mlkem1024_encap| directly.\nOPENSSL_EXPORT bcm_infallible BCM_mlkem1024_encap_external_entropy(\n uint8_t out_ciphertext[BCM_MLKEM1024_CIPHERTEXT_BYTES],\n uint8_t out_shared_secret[BCM_MLKEM_SHARED_SECRET_BYTES],\n const struct BCM_mlkem1024_public_key *public_key,\n const uint8_t entropy[BCM_MLKEM_ENCAP_ENTROPY]);\n\n// BCM_mlkem1024_marshal_private_key serializes |private_key| to |out| in the\n// NIST format for ML-KEM-1024 private keys. (Note that one can also save just\n// the seed value produced by |BCM_mlkem1024_generate_key|, which is\n// significantly smaller.)\nOPENSSL_EXPORT bcm_status BCM_mlkem1024_marshal_private_key(\n CBB *out, const struct BCM_mlkem1024_private_key *private_key);\n\n\n// SLH-DSA\n\n// Output length of the hash function.\n#define BCM_SLHDSA_SHA2_128S_N 16\n\n// The number of bytes at the beginning of M', the augmented message, before the\n// context.\n#define BCM_SLHDSA_M_PRIME_HEADER_LEN 2\n\n// SLHDSA_SHA2_128S_PUBLIC_KEY_BYTES is the number of bytes in an\n// SLH-DSA-SHA2-128s public key.\n#define BCM_SLHDSA_SHA2_128S_PUBLIC_KEY_BYTES 32\n\n// BCM_SLHDSA_SHA2_128S_PRIVATE_KEY_BYTES is the number of bytes in an\n// SLH-DSA-SHA2-128s private key.\n#define BCM_SLHDSA_SHA2_128S_PRIVATE_KEY_BYTES 64\n\n// BCM_SLHDSA_SHA2_128S_SIGNATURE_BYTES is the number of bytes in an\n// SLH-DSA-SHA2-128s signature.\n#define BCM_SLHDSA_SHA2_128S_SIGNATURE_BYTES 7856\n\n// SLHDSA_SHA2_128S_generate_key_from_seed generates an SLH-DSA-SHA2-128s key\n// pair from a 48-byte seed and writes the result to |out_public_key| and\n// |out_secret_key|.\nOPENSSL_EXPORT bcm_infallible BCM_slhdsa_sha2_128s_generate_key_from_seed(\n uint8_t out_public_key[BCM_SLHDSA_SHA2_128S_PUBLIC_KEY_BYTES],\n uint8_t out_secret_key[BCM_SLHDSA_SHA2_128S_PRIVATE_KEY_BYTES],\n const uint8_t seed[3 * BCM_SLHDSA_SHA2_128S_N]);\n\n// BCM_slhdsa_sha2_128s_sign_internal acts like |SLHDSA_SHA2_128S_sign| but\n// accepts an explicit entropy input, which can be PK.seed (bytes 32..48 of\n// the private key) to generate deterministic signatures. It also takes the\n// input message in three parts so that the \"internal\" version of the signing\n// function, from section 9.2, can be implemented. The |header| argument may be\n// NULL to omit it.\nOPENSSL_EXPORT bcm_infallible BCM_slhdsa_sha2_128s_sign_internal(\n uint8_t out_signature[BCM_SLHDSA_SHA2_128S_SIGNATURE_BYTES],\n const uint8_t secret_key[BCM_SLHDSA_SHA2_128S_PRIVATE_KEY_BYTES],\n const uint8_t header[BCM_SLHDSA_M_PRIME_HEADER_LEN], const uint8_t *context,\n size_t context_len, const uint8_t *msg, size_t msg_len,\n const uint8_t entropy[BCM_SLHDSA_SHA2_128S_N]);\n\n// BCM_slhdsa_sha2_128s_verify_internal acts like |SLHDSA_SHA2_128S_verify| but\n// takes the input message in three parts so that the \"internal\" version of the\n// verification function, from section 9.3, can be implemented. The |header|\n// argument may be NULL to omit it.\nOPENSSL_EXPORT bcm_status BCM_slhdsa_sha2_128s_verify_internal(\n const uint8_t *signature, size_t signature_len,\n const uint8_t public_key[BCM_SLHDSA_SHA2_128S_PUBLIC_KEY_BYTES],\n const uint8_t header[BCM_SLHDSA_M_PRIME_HEADER_LEN], const uint8_t *context,\n size_t context_len, const uint8_t *msg, size_t msg_len);\n\nOPENSSL_EXPORT bcm_infallible BCM_slhdsa_sha2_128s_generate_key(\n uint8_t out_public_key[BCM_SLHDSA_SHA2_128S_PUBLIC_KEY_BYTES],\n uint8_t out_private_key[BCM_SLHDSA_SHA2_128S_PRIVATE_KEY_BYTES]);\n\nOPENSSL_EXPORT bcm_infallible BCM_slhdsa_sha2_128s_public_from_private(\n uint8_t out_public_key[BCM_SLHDSA_SHA2_128S_PUBLIC_KEY_BYTES],\n const uint8_t private_key[BCM_SLHDSA_SHA2_128S_PRIVATE_KEY_BYTES]);\n\nOPENSSL_EXPORT bcm_status BCM_slhdsa_sha2_128s_sign(\n uint8_t out_signature[BCM_SLHDSA_SHA2_128S_SIGNATURE_BYTES],\n const uint8_t private_key[BCM_SLHDSA_SHA2_128S_PRIVATE_KEY_BYTES],\n const uint8_t *msg, size_t msg_len, const uint8_t *context,\n size_t context_len);\n\nOPENSSL_EXPORT bcm_status BCM_slhdsa_sha2_128s_verify(\n const uint8_t *signature, size_t signature_len,\n const uint8_t public_key[BCM_SLHDSA_SHA2_128S_PUBLIC_KEY_BYTES],\n const uint8_t *msg, size_t msg_len, const uint8_t *context,\n size_t context_len);\n\nOPENSSL_EXPORT bcm_status BCM_slhdsa_sha2_128s_prehash_sign(\n uint8_t out_signature[BCM_SLHDSA_SHA2_128S_SIGNATURE_BYTES],\n const uint8_t private_key[BCM_SLHDSA_SHA2_128S_PRIVATE_KEY_BYTES],\n const uint8_t *hashed_msg, size_t hashed_msg_len, int hash_nid,\n const uint8_t *context, size_t context_len);\n\nOPENSSL_EXPORT bcm_status BCM_slhdsa_sha2_128s_prehash_verify(\n const uint8_t *signature, size_t signature_len,\n const uint8_t public_key[BCM_SLHDSA_SHA2_128S_PUBLIC_KEY_BYTES],\n const uint8_t *hashed_msg, size_t hashed_msg_len, int hash_nid,\n const uint8_t *context, size_t context_len);\n\n\n#if defined(__cplusplus)\n} // extern C\n#endif\n\n#endif // OPENSSL_HEADER_CRYPTO_BCM_INTERFACE_H\n" }, { "path": "Sources/CNIOBoringSSL/crypto/fipsmodule/bn/add.cc.inc", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n\n#include \n#include \n\n#include \"../../internal.h\"\n#include \"internal.h\"\n\n\nint BN_add(BIGNUM *r, const BIGNUM *a, const BIGNUM *b) {\n const BIGNUM *tmp;\n int a_neg = a->neg, ret;\n\n // a + b\ta+b\n // a + -b\ta-b\n // -a + b\tb-a\n // -a + -b\t-(a+b)\n if (a_neg ^ b->neg) {\n // only one is negative\n if (a_neg) {\n tmp = a;\n a = b;\n b = tmp;\n }\n\n // we are now a - b\n if (BN_ucmp(a, b) < 0) {\n if (!BN_usub(r, b, a)) {\n return 0;\n }\n r->neg = 1;\n } else {\n if (!BN_usub(r, a, b)) {\n return 0;\n }\n r->neg = 0;\n }\n return 1;\n }\n\n ret = BN_uadd(r, a, b);\n r->neg = a_neg;\n return ret;\n}\n\nint bn_uadd_consttime(BIGNUM *r, const BIGNUM *a, const BIGNUM *b) {\n // Widths are public, so we normalize to make |a| the larger one.\n if (a->width < b->width) {\n const BIGNUM *tmp = a;\n a = b;\n b = tmp;\n }\n\n int max = a->width;\n int min = b->width;\n if (!bn_wexpand(r, max + 1)) {\n return 0;\n }\n r->width = max + 1;\n\n BN_ULONG carry = bn_add_words(r->d, a->d, b->d, min);\n for (int i = min; i < max; i++) {\n r->d[i] = CRYPTO_addc_w(a->d[i], 0, carry, &carry);\n }\n\n r->d[max] = carry;\n return 1;\n}\n\nint BN_uadd(BIGNUM *r, const BIGNUM *a, const BIGNUM *b) {\n if (!bn_uadd_consttime(r, a, b)) {\n return 0;\n }\n bn_set_minimal_width(r);\n return 1;\n}\n\nint BN_add_word(BIGNUM *a, BN_ULONG w) {\n BN_ULONG l;\n int i;\n\n // degenerate case: w is zero\n if (!w) {\n return 1;\n }\n\n // degenerate case: a is zero\n if (BN_is_zero(a)) {\n return BN_set_word(a, w);\n }\n\n // handle 'a' when negative\n if (a->neg) {\n a->neg = 0;\n i = BN_sub_word(a, w);\n if (!BN_is_zero(a)) {\n a->neg = !(a->neg);\n }\n return i;\n }\n\n for (i = 0; w != 0 && i < a->width; i++) {\n a->d[i] = l = a->d[i] + w;\n w = (w > l) ? 1 : 0;\n }\n\n if (w && i == a->width) {\n if (!bn_wexpand(a, a->width + 1)) {\n return 0;\n }\n a->width++;\n a->d[i] = w;\n }\n\n return 1;\n}\n\nint BN_sub(BIGNUM *r, const BIGNUM *a, const BIGNUM *b) {\n int add = 0, neg = 0;\n const BIGNUM *tmp;\n\n // a - b\ta-b\n // a - -b\ta+b\n // -a - b\t-(a+b)\n // -a - -b\tb-a\n if (a->neg) {\n if (b->neg) {\n tmp = a;\n a = b;\n b = tmp;\n } else {\n add = 1;\n neg = 1;\n }\n } else {\n if (b->neg) {\n add = 1;\n neg = 0;\n }\n }\n\n if (add) {\n if (!BN_uadd(r, a, b)) {\n return 0;\n }\n\n r->neg = neg;\n return 1;\n }\n\n if (BN_ucmp(a, b) < 0) {\n if (!BN_usub(r, b, a)) {\n return 0;\n }\n r->neg = 1;\n } else {\n if (!BN_usub(r, a, b)) {\n return 0;\n }\n r->neg = 0;\n }\n\n return 1;\n}\n\nint bn_usub_consttime(BIGNUM *r, const BIGNUM *a, const BIGNUM *b) {\n // |b| may have more words than |a| given non-minimal inputs, but all words\n // beyond |a->width| must then be zero.\n int b_width = b->width;\n if (b_width > a->width) {\n if (!bn_fits_in_words(b, a->width)) {\n OPENSSL_PUT_ERROR(BN, BN_R_ARG2_LT_ARG3);\n return 0;\n }\n b_width = a->width;\n }\n\n if (!bn_wexpand(r, a->width)) {\n return 0;\n }\n\n BN_ULONG borrow = bn_sub_words(r->d, a->d, b->d, b_width);\n for (int i = b_width; i < a->width; i++) {\n r->d[i] = CRYPTO_subc_w(a->d[i], 0, borrow, &borrow);\n }\n\n if (borrow) {\n OPENSSL_PUT_ERROR(BN, BN_R_ARG2_LT_ARG3);\n return 0;\n }\n\n r->width = a->width;\n r->neg = 0;\n return 1;\n}\n\nint BN_usub(BIGNUM *r, const BIGNUM *a, const BIGNUM *b) {\n if (!bn_usub_consttime(r, a, b)) {\n return 0;\n }\n bn_set_minimal_width(r);\n return 1;\n}\n\nint BN_sub_word(BIGNUM *a, BN_ULONG w) {\n int i;\n\n // degenerate case: w is zero\n if (!w) {\n return 1;\n }\n\n // degenerate case: a is zero\n if (BN_is_zero(a)) {\n i = BN_set_word(a, w);\n if (i != 0) {\n BN_set_negative(a, 1);\n }\n return i;\n }\n\n // handle 'a' when negative\n if (a->neg) {\n a->neg = 0;\n i = BN_add_word(a, w);\n a->neg = 1;\n return i;\n }\n\n if ((bn_minimal_width(a) == 1) && (a->d[0] < w)) {\n a->d[0] = w - a->d[0];\n a->neg = 1;\n return 1;\n }\n\n i = 0;\n for (;;) {\n if (a->d[i] >= w) {\n a->d[i] -= w;\n break;\n } else {\n a->d[i] -= w;\n i++;\n w = 1;\n }\n }\n\n if ((a->d[i] == 0) && (i == (a->width - 1))) {\n a->width--;\n }\n\n return 1;\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/fipsmodule/bn/asm/x86_64-gcc.cc.inc", "content": "/*\n * Copyright 2002-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n/* x86_64 BIGNUM accelerator version 0.1, December 2002.\n *\n * Implemented by Andy Polyakov for the OpenSSL\n * project.\n *\n * Rights for redistribution and usage in source and binary forms are\n * granted according to the OpenSSL license. Warranty of any kind is\n * disclaimed.\n *\n * Q. Version 0.1? It doesn't sound like Andy, he used to assign real\n * versions, like 1.0...\n * A. Well, that's because this code is basically a quick-n-dirty\n * proof-of-concept hack. As you can see it's implemented with\n * inline assembler, which means that you're bound to GCC and that\n * there might be enough room for further improvement.\n *\n * Q. Why inline assembler?\n * A. x86_64 features own ABI which I'm not familiar with. This is\n * why I decided to let the compiler take care of subroutine\n * prologue/epilogue as well as register allocation. For reference.\n * Win64 implements different ABI for AMD64, different from Linux.\n *\n * Q. How much faster does it get?\n * A. 'apps/openssl speed rsa dsa' output with no-asm:\n *\n *\t sign verify sign/s verify/s\n *\trsa 512 bits 0.0006s 0.0001s 1683.8 18456.2\n *\trsa 1024 bits 0.0028s 0.0002s 356.0 6407.0\n *\trsa 2048 bits 0.0172s 0.0005s 58.0 1957.8\n *\trsa 4096 bits 0.1155s 0.0018s 8.7 555.6\n *\t sign verify sign/s verify/s\n *\tdsa 512 bits 0.0005s 0.0006s 2100.8 1768.3\n *\tdsa 1024 bits 0.0014s 0.0018s 692.3 559.2\n *\tdsa 2048 bits 0.0049s 0.0061s 204.7 165.0\n *\n * 'apps/openssl speed rsa dsa' output with this module:\n *\n *\t sign verify sign/s verify/s\n *\trsa 512 bits 0.0004s 0.0000s 2767.1 33297.9\n *\trsa 1024 bits 0.0012s 0.0001s 867.4 14674.7\n *\trsa 2048 bits 0.0061s 0.0002s 164.0 5270.0\n *\trsa 4096 bits 0.0384s 0.0006s 26.1 1650.8\n *\t sign verify sign/s verify/s\n *\tdsa 512 bits 0.0002s 0.0003s 4442.2 3786.3\n *\tdsa 1024 bits 0.0005s 0.0007s 1835.1 1497.4\n *\tdsa 2048 bits 0.0016s 0.0020s 620.4 504.6\n *\n * For the reference. IA-32 assembler implementation performs\n * very much like 64-bit code compiled with no-asm on the same\n * machine.\n */\n\n#include \n\n// TODO(davidben): Get this file working on MSVC x64.\n#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86_64) && \\\n (defined(__GNUC__) || defined(__clang__))\n\n#include \"../internal.h\"\n\n\n#undef mul\n#undef mul_add\n\n// \"m\"(a), \"+m\"(r)\tis the way to favor DirectPath µ-code;\n// \"g\"(0)\t\tlet the compiler to decide where does it\n//\t\t\twant to keep the value of zero;\n#define mul_add(r, a, word, carry) \\\n do { \\\n BN_ULONG high, low; \\\n __asm__(\"mulq %3\" : \"=a\"(low), \"=d\"(high) : \"a\"(word), \"m\"(a) : \"cc\"); \\\n __asm__(\"addq %2,%0; adcq %3,%1\" \\\n : \"+r\"(carry), \"+d\"(high) \\\n : \"a\"(low), \"g\"(0) \\\n : \"cc\"); \\\n __asm__(\"addq %2,%0; adcq %3,%1\" \\\n : \"+m\"(r), \"+d\"(high) \\\n : \"r\"(carry), \"g\"(0) \\\n : \"cc\"); \\\n (carry) = high; \\\n } while (0)\n\n#define mul(r, a, word, carry) \\\n do { \\\n BN_ULONG high, low; \\\n __asm__(\"mulq %3\" : \"=a\"(low), \"=d\"(high) : \"a\"(word), \"g\"(a) : \"cc\"); \\\n __asm__(\"addq %2,%0; adcq %3,%1\" \\\n : \"+r\"(carry), \"+d\"(high) \\\n : \"a\"(low), \"g\"(0) \\\n : \"cc\"); \\\n (r) = (carry); \\\n (carry) = high; \\\n } while (0)\n#undef sqr\n#define sqr(r0, r1, a) __asm__(\"mulq %2\" : \"=a\"(r0), \"=d\"(r1) : \"a\"(a) : \"cc\");\n\nBN_ULONG bn_mul_add_words(BN_ULONG *rp, const BN_ULONG *ap, size_t num,\n BN_ULONG w) {\n BN_ULONG c1 = 0;\n\n if (num == 0) {\n return (c1);\n }\n\n while (num & ~3) {\n mul_add(rp[0], ap[0], w, c1);\n mul_add(rp[1], ap[1], w, c1);\n mul_add(rp[2], ap[2], w, c1);\n mul_add(rp[3], ap[3], w, c1);\n ap += 4;\n rp += 4;\n num -= 4;\n }\n if (num) {\n mul_add(rp[0], ap[0], w, c1);\n if (--num == 0) {\n return c1;\n }\n mul_add(rp[1], ap[1], w, c1);\n if (--num == 0) {\n return c1;\n }\n mul_add(rp[2], ap[2], w, c1);\n return c1;\n }\n\n return c1;\n}\n\nBN_ULONG bn_mul_words(BN_ULONG *rp, const BN_ULONG *ap, size_t num,\n BN_ULONG w) {\n BN_ULONG c1 = 0;\n\n if (num == 0) {\n return c1;\n }\n\n while (num & ~3) {\n mul(rp[0], ap[0], w, c1);\n mul(rp[1], ap[1], w, c1);\n mul(rp[2], ap[2], w, c1);\n mul(rp[3], ap[3], w, c1);\n ap += 4;\n rp += 4;\n num -= 4;\n }\n if (num) {\n mul(rp[0], ap[0], w, c1);\n if (--num == 0) {\n return c1;\n }\n mul(rp[1], ap[1], w, c1);\n if (--num == 0) {\n return c1;\n }\n mul(rp[2], ap[2], w, c1);\n }\n return c1;\n}\n\nvoid bn_sqr_words(BN_ULONG *r, const BN_ULONG *a, size_t n) {\n if (n == 0) {\n return;\n }\n\n while (n & ~3) {\n sqr(r[0], r[1], a[0]);\n sqr(r[2], r[3], a[1]);\n sqr(r[4], r[5], a[2]);\n sqr(r[6], r[7], a[3]);\n a += 4;\n r += 8;\n n -= 4;\n }\n if (n) {\n sqr(r[0], r[1], a[0]);\n if (--n == 0) {\n return;\n }\n sqr(r[2], r[3], a[1]);\n if (--n == 0) {\n return;\n }\n sqr(r[4], r[5], a[2]);\n }\n}\n\nBN_ULONG bn_add_words(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp,\n size_t n) {\n BN_ULONG ret;\n size_t i = 0;\n\n if (n == 0) {\n return 0;\n }\n\n __asm__ volatile(\n \"\tsubq\t%0,%0\t\t\\n\" // clear carry\n \"\tjmp\t1f\t\t\\n\"\n \".p2align 4\t\t\t\\n\"\n \"1:\"\n \"\tmovq\t(%4,%2,8),%0\t\\n\"\n \"\tadcq\t(%5,%2,8),%0\t\\n\"\n \"\tmovq\t%0,(%3,%2,8)\t\\n\"\n \"\tlea\t1(%2),%2\t\\n\"\n \"\tdec\t%1\t\t\\n\"\n \"\tjnz\t1b\t\t\\n\"\n \"\tsbbq\t%0,%0\t\t\\n\"\n : \"=&r\"(ret), \"+c\"(n), \"+r\"(i)\n : \"r\"(rp), \"r\"(ap), \"r\"(bp)\n : \"cc\", \"memory\");\n\n return ret & 1;\n}\n\nBN_ULONG bn_sub_words(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp,\n size_t n) {\n BN_ULONG ret;\n size_t i = 0;\n\n if (n == 0) {\n return 0;\n }\n\n __asm__ volatile(\n \"\tsubq\t%0,%0\t\t\\n\" // clear borrow\n \"\tjmp\t1f\t\t\\n\"\n \".p2align 4\t\t\t\\n\"\n \"1:\"\n \"\tmovq\t(%4,%2,8),%0\t\\n\"\n \"\tsbbq\t(%5,%2,8),%0\t\\n\"\n \"\tmovq\t%0,(%3,%2,8)\t\\n\"\n \"\tlea\t1(%2),%2\t\\n\"\n \"\tdec\t%1\t\t\\n\"\n \"\tjnz\t1b\t\t\\n\"\n \"\tsbbq\t%0,%0\t\t\\n\"\n : \"=&r\"(ret), \"+c\"(n), \"+r\"(i)\n : \"r\"(rp), \"r\"(ap), \"r\"(bp)\n : \"cc\", \"memory\");\n\n return ret & 1;\n}\n\n// mul_add_c(a,b,c0,c1,c2) -- c+=a*b for three word number c=(c2,c1,c0)\n// mul_add_c2(a,b,c0,c1,c2) -- c+=2*a*b for three word number c=(c2,c1,c0)\n// sqr_add_c(a,i,c0,c1,c2) -- c+=a[i]^2 for three word number c=(c2,c1,c0)\n// sqr_add_c2(a,i,c0,c1,c2) -- c+=2*a[i]*a[j] for three word number c=(c2,c1,c0)\n\n// Keep in mind that carrying into high part of multiplication result can not\n// overflow, because it cannot be all-ones.\n#define mul_add_c(a, b, c0, c1, c2) \\\n do { \\\n BN_ULONG t1, t2; \\\n __asm__(\"mulq %3\" : \"=a\"(t1), \"=d\"(t2) : \"a\"(a), \"m\"(b) : \"cc\"); \\\n __asm__(\"addq %3,%0; adcq %4,%1; adcq %5,%2\" \\\n : \"+r\"(c0), \"+r\"(c1), \"+r\"(c2) \\\n : \"r\"(t1), \"r\"(t2), \"g\"(0) \\\n : \"cc\"); \\\n } while (0)\n\n#define sqr_add_c(a, i, c0, c1, c2) \\\n do { \\\n BN_ULONG t1, t2; \\\n __asm__(\"mulq %2\" : \"=a\"(t1), \"=d\"(t2) : \"a\"((a)[i]) : \"cc\"); \\\n __asm__(\"addq %3,%0; adcq %4,%1; adcq %5,%2\" \\\n : \"+r\"(c0), \"+r\"(c1), \"+r\"(c2) \\\n : \"r\"(t1), \"r\"(t2), \"g\"(0) \\\n : \"cc\"); \\\n } while (0)\n\n#define mul_add_c2(a, b, c0, c1, c2) \\\n do { \\\n BN_ULONG t1, t2; \\\n __asm__(\"mulq %3\" : \"=a\"(t1), \"=d\"(t2) : \"a\"(a), \"m\"(b) : \"cc\"); \\\n __asm__(\"addq %3,%0; adcq %4,%1; adcq %5,%2\" \\\n : \"+r\"(c0), \"+r\"(c1), \"+r\"(c2) \\\n : \"r\"(t1), \"r\"(t2), \"g\"(0) \\\n : \"cc\"); \\\n __asm__(\"addq %3,%0; adcq %4,%1; adcq %5,%2\" \\\n : \"+r\"(c0), \"+r\"(c1), \"+r\"(c2) \\\n : \"r\"(t1), \"r\"(t2), \"g\"(0) \\\n : \"cc\"); \\\n } while (0)\n\n#define sqr_add_c2(a, i, j, c0, c1, c2) mul_add_c2((a)[i], (a)[j], c0, c1, c2)\n\nvoid bn_mul_comba8(BN_ULONG r[16], const BN_ULONG a[8], const BN_ULONG b[8]) {\n BN_ULONG c1, c2, c3;\n\n c1 = 0;\n c2 = 0;\n c3 = 0;\n mul_add_c(a[0], b[0], c1, c2, c3);\n r[0] = c1;\n c1 = 0;\n mul_add_c(a[0], b[1], c2, c3, c1);\n mul_add_c(a[1], b[0], c2, c3, c1);\n r[1] = c2;\n c2 = 0;\n mul_add_c(a[2], b[0], c3, c1, c2);\n mul_add_c(a[1], b[1], c3, c1, c2);\n mul_add_c(a[0], b[2], c3, c1, c2);\n r[2] = c3;\n c3 = 0;\n mul_add_c(a[0], b[3], c1, c2, c3);\n mul_add_c(a[1], b[2], c1, c2, c3);\n mul_add_c(a[2], b[1], c1, c2, c3);\n mul_add_c(a[3], b[0], c1, c2, c3);\n r[3] = c1;\n c1 = 0;\n mul_add_c(a[4], b[0], c2, c3, c1);\n mul_add_c(a[3], b[1], c2, c3, c1);\n mul_add_c(a[2], b[2], c2, c3, c1);\n mul_add_c(a[1], b[3], c2, c3, c1);\n mul_add_c(a[0], b[4], c2, c3, c1);\n r[4] = c2;\n c2 = 0;\n mul_add_c(a[0], b[5], c3, c1, c2);\n mul_add_c(a[1], b[4], c3, c1, c2);\n mul_add_c(a[2], b[3], c3, c1, c2);\n mul_add_c(a[3], b[2], c3, c1, c2);\n mul_add_c(a[4], b[1], c3, c1, c2);\n mul_add_c(a[5], b[0], c3, c1, c2);\n r[5] = c3;\n c3 = 0;\n mul_add_c(a[6], b[0], c1, c2, c3);\n mul_add_c(a[5], b[1], c1, c2, c3);\n mul_add_c(a[4], b[2], c1, c2, c3);\n mul_add_c(a[3], b[3], c1, c2, c3);\n mul_add_c(a[2], b[4], c1, c2, c3);\n mul_add_c(a[1], b[5], c1, c2, c3);\n mul_add_c(a[0], b[6], c1, c2, c3);\n r[6] = c1;\n c1 = 0;\n mul_add_c(a[0], b[7], c2, c3, c1);\n mul_add_c(a[1], b[6], c2, c3, c1);\n mul_add_c(a[2], b[5], c2, c3, c1);\n mul_add_c(a[3], b[4], c2, c3, c1);\n mul_add_c(a[4], b[3], c2, c3, c1);\n mul_add_c(a[5], b[2], c2, c3, c1);\n mul_add_c(a[6], b[1], c2, c3, c1);\n mul_add_c(a[7], b[0], c2, c3, c1);\n r[7] = c2;\n c2 = 0;\n mul_add_c(a[7], b[1], c3, c1, c2);\n mul_add_c(a[6], b[2], c3, c1, c2);\n mul_add_c(a[5], b[3], c3, c1, c2);\n mul_add_c(a[4], b[4], c3, c1, c2);\n mul_add_c(a[3], b[5], c3, c1, c2);\n mul_add_c(a[2], b[6], c3, c1, c2);\n mul_add_c(a[1], b[7], c3, c1, c2);\n r[8] = c3;\n c3 = 0;\n mul_add_c(a[2], b[7], c1, c2, c3);\n mul_add_c(a[3], b[6], c1, c2, c3);\n mul_add_c(a[4], b[5], c1, c2, c3);\n mul_add_c(a[5], b[4], c1, c2, c3);\n mul_add_c(a[6], b[3], c1, c2, c3);\n mul_add_c(a[7], b[2], c1, c2, c3);\n r[9] = c1;\n c1 = 0;\n mul_add_c(a[7], b[3], c2, c3, c1);\n mul_add_c(a[6], b[4], c2, c3, c1);\n mul_add_c(a[5], b[5], c2, c3, c1);\n mul_add_c(a[4], b[6], c2, c3, c1);\n mul_add_c(a[3], b[7], c2, c3, c1);\n r[10] = c2;\n c2 = 0;\n mul_add_c(a[4], b[7], c3, c1, c2);\n mul_add_c(a[5], b[6], c3, c1, c2);\n mul_add_c(a[6], b[5], c3, c1, c2);\n mul_add_c(a[7], b[4], c3, c1, c2);\n r[11] = c3;\n c3 = 0;\n mul_add_c(a[7], b[5], c1, c2, c3);\n mul_add_c(a[6], b[6], c1, c2, c3);\n mul_add_c(a[5], b[7], c1, c2, c3);\n r[12] = c1;\n c1 = 0;\n mul_add_c(a[6], b[7], c2, c3, c1);\n mul_add_c(a[7], b[6], c2, c3, c1);\n r[13] = c2;\n c2 = 0;\n mul_add_c(a[7], b[7], c3, c1, c2);\n r[14] = c3;\n r[15] = c1;\n}\n\nvoid bn_mul_comba4(BN_ULONG r[8], const BN_ULONG a[4], const BN_ULONG b[4]) {\n BN_ULONG c1, c2, c3;\n\n c1 = 0;\n c2 = 0;\n c3 = 0;\n mul_add_c(a[0], b[0], c1, c2, c3);\n r[0] = c1;\n c1 = 0;\n mul_add_c(a[0], b[1], c2, c3, c1);\n mul_add_c(a[1], b[0], c2, c3, c1);\n r[1] = c2;\n c2 = 0;\n mul_add_c(a[2], b[0], c3, c1, c2);\n mul_add_c(a[1], b[1], c3, c1, c2);\n mul_add_c(a[0], b[2], c3, c1, c2);\n r[2] = c3;\n c3 = 0;\n mul_add_c(a[0], b[3], c1, c2, c3);\n mul_add_c(a[1], b[2], c1, c2, c3);\n mul_add_c(a[2], b[1], c1, c2, c3);\n mul_add_c(a[3], b[0], c1, c2, c3);\n r[3] = c1;\n c1 = 0;\n mul_add_c(a[3], b[1], c2, c3, c1);\n mul_add_c(a[2], b[2], c2, c3, c1);\n mul_add_c(a[1], b[3], c2, c3, c1);\n r[4] = c2;\n c2 = 0;\n mul_add_c(a[2], b[3], c3, c1, c2);\n mul_add_c(a[3], b[2], c3, c1, c2);\n r[5] = c3;\n c3 = 0;\n mul_add_c(a[3], b[3], c1, c2, c3);\n r[6] = c1;\n r[7] = c2;\n}\n\nvoid bn_sqr_comba8(BN_ULONG r[16], const BN_ULONG a[8]) {\n BN_ULONG c1, c2, c3;\n\n c1 = 0;\n c2 = 0;\n c3 = 0;\n sqr_add_c(a, 0, c1, c2, c3);\n r[0] = c1;\n c1 = 0;\n sqr_add_c2(a, 1, 0, c2, c3, c1);\n r[1] = c2;\n c2 = 0;\n sqr_add_c(a, 1, c3, c1, c2);\n sqr_add_c2(a, 2, 0, c3, c1, c2);\n r[2] = c3;\n c3 = 0;\n sqr_add_c2(a, 3, 0, c1, c2, c3);\n sqr_add_c2(a, 2, 1, c1, c2, c3);\n r[3] = c1;\n c1 = 0;\n sqr_add_c(a, 2, c2, c3, c1);\n sqr_add_c2(a, 3, 1, c2, c3, c1);\n sqr_add_c2(a, 4, 0, c2, c3, c1);\n r[4] = c2;\n c2 = 0;\n sqr_add_c2(a, 5, 0, c3, c1, c2);\n sqr_add_c2(a, 4, 1, c3, c1, c2);\n sqr_add_c2(a, 3, 2, c3, c1, c2);\n r[5] = c3;\n c3 = 0;\n sqr_add_c(a, 3, c1, c2, c3);\n sqr_add_c2(a, 4, 2, c1, c2, c3);\n sqr_add_c2(a, 5, 1, c1, c2, c3);\n sqr_add_c2(a, 6, 0, c1, c2, c3);\n r[6] = c1;\n c1 = 0;\n sqr_add_c2(a, 7, 0, c2, c3, c1);\n sqr_add_c2(a, 6, 1, c2, c3, c1);\n sqr_add_c2(a, 5, 2, c2, c3, c1);\n sqr_add_c2(a, 4, 3, c2, c3, c1);\n r[7] = c2;\n c2 = 0;\n sqr_add_c(a, 4, c3, c1, c2);\n sqr_add_c2(a, 5, 3, c3, c1, c2);\n sqr_add_c2(a, 6, 2, c3, c1, c2);\n sqr_add_c2(a, 7, 1, c3, c1, c2);\n r[8] = c3;\n c3 = 0;\n sqr_add_c2(a, 7, 2, c1, c2, c3);\n sqr_add_c2(a, 6, 3, c1, c2, c3);\n sqr_add_c2(a, 5, 4, c1, c2, c3);\n r[9] = c1;\n c1 = 0;\n sqr_add_c(a, 5, c2, c3, c1);\n sqr_add_c2(a, 6, 4, c2, c3, c1);\n sqr_add_c2(a, 7, 3, c2, c3, c1);\n r[10] = c2;\n c2 = 0;\n sqr_add_c2(a, 7, 4, c3, c1, c2);\n sqr_add_c2(a, 6, 5, c3, c1, c2);\n r[11] = c3;\n c3 = 0;\n sqr_add_c(a, 6, c1, c2, c3);\n sqr_add_c2(a, 7, 5, c1, c2, c3);\n r[12] = c1;\n c1 = 0;\n sqr_add_c2(a, 7, 6, c2, c3, c1);\n r[13] = c2;\n c2 = 0;\n sqr_add_c(a, 7, c3, c1, c2);\n r[14] = c3;\n r[15] = c1;\n}\n\nvoid bn_sqr_comba4(BN_ULONG r[8], const BN_ULONG a[4]) {\n BN_ULONG c1, c2, c3;\n\n c1 = 0;\n c2 = 0;\n c3 = 0;\n sqr_add_c(a, 0, c1, c2, c3);\n r[0] = c1;\n c1 = 0;\n sqr_add_c2(a, 1, 0, c2, c3, c1);\n r[1] = c2;\n c2 = 0;\n sqr_add_c(a, 1, c3, c1, c2);\n sqr_add_c2(a, 2, 0, c3, c1, c2);\n r[2] = c3;\n c3 = 0;\n sqr_add_c2(a, 3, 0, c1, c2, c3);\n sqr_add_c2(a, 2, 1, c1, c2, c3);\n r[3] = c1;\n c1 = 0;\n sqr_add_c(a, 2, c2, c3, c1);\n sqr_add_c2(a, 3, 1, c2, c3, c1);\n r[4] = c2;\n c2 = 0;\n sqr_add_c2(a, 3, 2, c3, c1, c2);\n r[5] = c3;\n c3 = 0;\n sqr_add_c(a, 3, c1, c2, c3);\n r[6] = c1;\n r[7] = c2;\n}\n\n#undef mul_add\n#undef mul\n#undef sqr\n#undef mul_add_c\n#undef sqr_add_c\n#undef mul_add_c2\n#undef sqr_add_c2\n\n#endif // !NO_ASM && X86_64 && (__GNUC__ || __clang__)\n" }, { "path": "Sources/CNIOBoringSSL/crypto/fipsmodule/bn/bn.cc.inc", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n#include \n#include \n\n#include \n#include \n\n#include \"../delocate.h\"\n#include \"internal.h\"\n\n\n// BN_MAX_WORDS is the maximum number of words allowed in a |BIGNUM|. It is\n// sized so byte and bit counts of a |BIGNUM| always fit in |int|, with room to\n// spare.\n#define BN_MAX_WORDS (INT_MAX / (4 * BN_BITS2))\n\nBIGNUM *BN_new(void) {\n BIGNUM *bn = reinterpret_cast(OPENSSL_malloc(sizeof(BIGNUM)));\n\n if (bn == NULL) {\n return NULL;\n }\n\n OPENSSL_memset(bn, 0, sizeof(BIGNUM));\n bn->flags = BN_FLG_MALLOCED;\n\n return bn;\n}\n\nBIGNUM *BN_secure_new(void) { return BN_new(); }\n\nvoid BN_init(BIGNUM *bn) { OPENSSL_memset(bn, 0, sizeof(BIGNUM)); }\n\nvoid BN_free(BIGNUM *bn) {\n if (bn == NULL) {\n return;\n }\n\n if ((bn->flags & BN_FLG_STATIC_DATA) == 0) {\n OPENSSL_free(bn->d);\n }\n\n if (bn->flags & BN_FLG_MALLOCED) {\n OPENSSL_free(bn);\n } else {\n bn->d = NULL;\n }\n}\n\nvoid BN_clear_free(BIGNUM *bn) { BN_free(bn); }\n\nBIGNUM *BN_dup(const BIGNUM *src) {\n BIGNUM *copy;\n\n if (src == NULL) {\n return NULL;\n }\n\n copy = BN_new();\n if (copy == NULL) {\n return NULL;\n }\n\n if (!BN_copy(copy, src)) {\n BN_free(copy);\n return NULL;\n }\n\n return copy;\n}\n\nBIGNUM *BN_copy(BIGNUM *dest, const BIGNUM *src) {\n if (src == dest) {\n return dest;\n }\n\n if (!bn_wexpand(dest, src->width)) {\n return NULL;\n }\n\n OPENSSL_memcpy(dest->d, src->d, sizeof(src->d[0]) * src->width);\n\n dest->width = src->width;\n dest->neg = src->neg;\n return dest;\n}\n\nvoid BN_clear(BIGNUM *bn) {\n if (bn->d != NULL) {\n OPENSSL_memset(bn->d, 0, bn->dmax * sizeof(bn->d[0]));\n }\n\n bn->width = 0;\n bn->neg = 0;\n}\n\nDEFINE_METHOD_FUNCTION(BIGNUM, BN_value_one) {\n static const BN_ULONG kOneLimbs[1] = {1};\n out->d = (BN_ULONG *)kOneLimbs;\n out->width = 1;\n out->dmax = 1;\n out->neg = 0;\n out->flags = BN_FLG_STATIC_DATA;\n}\n\n// BN_num_bits_word returns the minimum number of bits needed to represent the\n// value in |l|.\nunsigned BN_num_bits_word(BN_ULONG l) {\n // |BN_num_bits| is often called on RSA prime factors. These have public bit\n // lengths, but all bits beyond the high bit are secret, so count bits in\n // constant time.\n BN_ULONG x, mask;\n int bits = (l != 0);\n\n#if BN_BITS2 > 32\n // Look at the upper half of |x|. |x| is at most 64 bits long.\n x = l >> 32;\n // Set |mask| to all ones if |x| (the top 32 bits of |l|) is non-zero and all\n // all zeros otherwise.\n mask = 0u - x;\n mask = (0u - (mask >> (BN_BITS2 - 1)));\n // If |x| is non-zero, the lower half is included in the bit count in full,\n // and we count the upper half. Otherwise, we count the lower half.\n bits += 32 & mask;\n l ^= (x ^ l) & mask; // |l| is |x| if |mask| and remains |l| otherwise.\n#endif\n\n // The remaining blocks are analogous iterations at lower powers of two.\n x = l >> 16;\n mask = 0u - x;\n mask = (0u - (mask >> (BN_BITS2 - 1)));\n bits += 16 & mask;\n l ^= (x ^ l) & mask;\n\n x = l >> 8;\n mask = 0u - x;\n mask = (0u - (mask >> (BN_BITS2 - 1)));\n bits += 8 & mask;\n l ^= (x ^ l) & mask;\n\n x = l >> 4;\n mask = 0u - x;\n mask = (0u - (mask >> (BN_BITS2 - 1)));\n bits += 4 & mask;\n l ^= (x ^ l) & mask;\n\n x = l >> 2;\n mask = 0u - x;\n mask = (0u - (mask >> (BN_BITS2 - 1)));\n bits += 2 & mask;\n l ^= (x ^ l) & mask;\n\n x = l >> 1;\n mask = 0u - x;\n mask = (0u - (mask >> (BN_BITS2 - 1)));\n bits += 1 & mask;\n\n return bits;\n}\n\nunsigned BN_num_bits(const BIGNUM *bn) {\n const int width = bn_minimal_width(bn);\n if (width == 0) {\n return 0;\n }\n\n return (width - 1) * BN_BITS2 + BN_num_bits_word(bn->d[width - 1]);\n}\n\nunsigned BN_num_bytes(const BIGNUM *bn) { return (BN_num_bits(bn) + 7) / 8; }\n\nvoid BN_zero(BIGNUM *bn) { bn->width = bn->neg = 0; }\n\nint BN_one(BIGNUM *bn) { return BN_set_word(bn, 1); }\n\nint BN_set_word(BIGNUM *bn, BN_ULONG value) {\n if (value == 0) {\n BN_zero(bn);\n return 1;\n }\n\n if (!bn_wexpand(bn, 1)) {\n return 0;\n }\n\n bn->neg = 0;\n bn->d[0] = value;\n bn->width = 1;\n return 1;\n}\n\nint BN_set_u64(BIGNUM *bn, uint64_t value) {\n#if BN_BITS2 == 64\n return BN_set_word(bn, value);\n#elif BN_BITS2 == 32\n if (value <= BN_MASK2) {\n return BN_set_word(bn, (BN_ULONG)value);\n }\n\n if (!bn_wexpand(bn, 2)) {\n return 0;\n }\n\n bn->neg = 0;\n bn->d[0] = (BN_ULONG)value;\n bn->d[1] = (BN_ULONG)(value >> 32);\n bn->width = 2;\n return 1;\n#else\n#error \"BN_BITS2 must be 32 or 64.\"\n#endif\n}\n\nint bn_set_words(BIGNUM *bn, const BN_ULONG *words, size_t num) {\n if (!bn_wexpand(bn, num)) {\n return 0;\n }\n OPENSSL_memmove(bn->d, words, num * sizeof(BN_ULONG));\n // |bn_wexpand| verified that |num| isn't too large.\n bn->width = (int)num;\n bn->neg = 0;\n return 1;\n}\n\nvoid bn_set_static_words(BIGNUM *bn, const BN_ULONG *words, size_t num) {\n if ((bn->flags & BN_FLG_STATIC_DATA) == 0) {\n OPENSSL_free(bn->d);\n }\n bn->d = (BN_ULONG *)words;\n\n assert(num <= BN_MAX_WORDS);\n bn->width = (int)num;\n bn->dmax = (int)num;\n bn->neg = 0;\n bn->flags |= BN_FLG_STATIC_DATA;\n}\n\nint bn_fits_in_words(const BIGNUM *bn, size_t num) {\n // All words beyond |num| must be zero.\n BN_ULONG mask = 0;\n for (size_t i = num; i < (size_t)bn->width; i++) {\n mask |= bn->d[i];\n }\n return mask == 0;\n}\n\nint bn_copy_words(BN_ULONG *out, size_t num, const BIGNUM *bn) {\n if (bn->neg) {\n OPENSSL_PUT_ERROR(BN, BN_R_NEGATIVE_NUMBER);\n return 0;\n }\n\n size_t width = (size_t)bn->width;\n if (width > num) {\n if (!bn_fits_in_words(bn, num)) {\n OPENSSL_PUT_ERROR(BN, BN_R_BIGNUM_TOO_LONG);\n return 0;\n }\n width = num;\n }\n\n OPENSSL_memset(out, 0, sizeof(BN_ULONG) * num);\n OPENSSL_memcpy(out, bn->d, sizeof(BN_ULONG) * width);\n return 1;\n}\n\nint BN_is_negative(const BIGNUM *bn) { return bn->neg != 0; }\n\nvoid BN_set_negative(BIGNUM *bn, int sign) {\n if (sign && !BN_is_zero(bn)) {\n bn->neg = 1;\n } else {\n bn->neg = 0;\n }\n}\n\nint bn_wexpand(BIGNUM *bn, size_t words) {\n BN_ULONG *a;\n\n if (words <= (size_t)bn->dmax) {\n return 1;\n }\n\n if (words > BN_MAX_WORDS) {\n OPENSSL_PUT_ERROR(BN, BN_R_BIGNUM_TOO_LONG);\n return 0;\n }\n\n if (bn->flags & BN_FLG_STATIC_DATA) {\n OPENSSL_PUT_ERROR(BN, BN_R_EXPAND_ON_STATIC_BIGNUM_DATA);\n return 0;\n }\n\n a = reinterpret_cast(OPENSSL_calloc(words, sizeof(BN_ULONG)));\n if (a == NULL) {\n return 0;\n }\n\n OPENSSL_memcpy(a, bn->d, sizeof(BN_ULONG) * bn->width);\n\n OPENSSL_free(bn->d);\n bn->d = a;\n bn->dmax = (int)words;\n\n return 1;\n}\n\nint bn_expand(BIGNUM *bn, size_t bits) {\n if (bits + BN_BITS2 - 1 < bits) {\n OPENSSL_PUT_ERROR(BN, BN_R_BIGNUM_TOO_LONG);\n return 0;\n }\n return bn_wexpand(bn, (bits + BN_BITS2 - 1) / BN_BITS2);\n}\n\nint bn_resize_words(BIGNUM *bn, size_t words) {\n if ((size_t)bn->width <= words) {\n if (!bn_wexpand(bn, words)) {\n return 0;\n }\n OPENSSL_memset(bn->d + bn->width, 0,\n (words - bn->width) * sizeof(BN_ULONG));\n bn->width = (int)words;\n return 1;\n }\n\n // All words beyond the new width must be zero.\n if (!bn_fits_in_words(bn, words)) {\n OPENSSL_PUT_ERROR(BN, BN_R_BIGNUM_TOO_LONG);\n return 0;\n }\n bn->width = (int)words;\n return 1;\n}\n\nvoid bn_select_words(BN_ULONG *r, BN_ULONG mask, const BN_ULONG *a,\n const BN_ULONG *b, size_t num) {\n for (size_t i = 0; i < num; i++) {\n static_assert(sizeof(BN_ULONG) <= sizeof(crypto_word_t),\n \"crypto_word_t is too small\");\n r[i] = constant_time_select_w(mask, a[i], b[i]);\n }\n}\n\nint bn_minimal_width(const BIGNUM *bn) {\n int ret = bn->width;\n while (ret > 0 && bn->d[ret - 1] == 0) {\n ret--;\n }\n return ret;\n}\n\nvoid bn_set_minimal_width(BIGNUM *bn) {\n bn->width = bn_minimal_width(bn);\n if (bn->width == 0) {\n bn->neg = 0;\n }\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/fipsmodule/bn/bytes.cc.inc", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n#include \n\n#include \"internal.h\"\n\nvoid bn_big_endian_to_words(BN_ULONG *out, size_t out_len, const uint8_t *in,\n size_t in_len) {\n // The caller should have sized |out| to fit |in| without truncating. This\n // condition ensures we do not overflow |out|, so use a runtime check.\n BSSL_CHECK(in_len <= out_len * sizeof(BN_ULONG));\n\n // Load whole words.\n while (in_len >= sizeof(BN_ULONG)) {\n in_len -= sizeof(BN_ULONG);\n out[0] = CRYPTO_load_word_be(in + in_len);\n out++;\n out_len--;\n }\n\n // Load the last partial word.\n if (in_len != 0) {\n BN_ULONG word = 0;\n for (size_t i = 0; i < in_len; i++) {\n word = (word << 8) | in[i];\n }\n out[0] = word;\n out++;\n out_len--;\n }\n\n // Fill the remainder with zeros.\n OPENSSL_memset(out, 0, out_len * sizeof(BN_ULONG));\n}\n\nBIGNUM *BN_bin2bn(const uint8_t *in, size_t len, BIGNUM *ret) {\n BIGNUM *bn = NULL;\n if (ret == NULL) {\n bn = BN_new();\n if (bn == NULL) {\n return NULL;\n }\n ret = bn;\n }\n\n if (len == 0) {\n ret->width = 0;\n return ret;\n }\n\n size_t num_words = ((len - 1) / BN_BYTES) + 1;\n if (!bn_wexpand(ret, num_words)) {\n BN_free(bn);\n return NULL;\n }\n\n // |bn_wexpand| must check bounds on |num_words| to write it into\n // |ret->dmax|.\n assert(num_words <= INT_MAX);\n ret->width = (int)num_words;\n ret->neg = 0;\n\n bn_big_endian_to_words(ret->d, ret->width, in, len);\n return ret;\n}\n\nBIGNUM *BN_lebin2bn(const uint8_t *in, size_t len, BIGNUM *ret) {\n BIGNUM *bn = NULL;\n if (ret == NULL) {\n bn = BN_new();\n if (bn == NULL) {\n return NULL;\n }\n ret = bn;\n }\n\n if (len == 0) {\n ret->width = 0;\n ret->neg = 0;\n return ret;\n }\n\n // Reserve enough space in |ret|.\n size_t num_words = ((len - 1) / BN_BYTES) + 1;\n if (!bn_wexpand(ret, num_words)) {\n BN_free(bn);\n return NULL;\n }\n ret->width = (int)num_words;\n\n // Make sure the top bytes will be zeroed.\n ret->d[num_words - 1] = 0;\n\n // We only support little-endian platforms, so we can simply memcpy the\n // internal representation.\n OPENSSL_memcpy(ret->d, in, len);\n return ret;\n}\n\nBIGNUM *BN_le2bn(const uint8_t *in, size_t len, BIGNUM *ret) {\n return BN_lebin2bn(in, len, ret);\n}\n\n// fits_in_bytes returns one if the |num_words| words in |words| can be\n// represented in |num_bytes| bytes.\nstatic int fits_in_bytes(const BN_ULONG *words, size_t num_words,\n size_t num_bytes) {\n const uint8_t *bytes = (const uint8_t *)words;\n size_t tot_bytes = num_words * sizeof(BN_ULONG);\n uint8_t mask = 0;\n for (size_t i = num_bytes; i < tot_bytes; i++) {\n mask |= bytes[i];\n }\n return mask == 0;\n}\n\nvoid bn_assert_fits_in_bytes(const BIGNUM *bn, size_t num) {\n const uint8_t *bytes = (const uint8_t *)bn->d;\n size_t tot_bytes = bn->width * sizeof(BN_ULONG);\n if (tot_bytes > num) {\n CONSTTIME_DECLASSIFY(bytes + num, tot_bytes - num);\n for (size_t i = num; i < tot_bytes; i++) {\n assert(bytes[i] == 0);\n }\n (void)bytes;\n }\n}\n\nvoid bn_words_to_big_endian(uint8_t *out, size_t out_len, const BN_ULONG *in,\n size_t in_len) {\n // The caller should have selected an output length without truncation.\n declassify_assert(fits_in_bytes(in, in_len, out_len));\n\n // We only support little-endian platforms, so the internal representation is\n // also little-endian as bytes. We can simply copy it in reverse.\n const uint8_t *bytes = (const uint8_t *)in;\n size_t num_bytes = in_len * sizeof(BN_ULONG);\n if (out_len < num_bytes) {\n num_bytes = out_len;\n }\n\n for (size_t i = 0; i < num_bytes; i++) {\n out[out_len - i - 1] = bytes[i];\n }\n // Pad out the rest of the buffer with zeroes.\n OPENSSL_memset(out, 0, out_len - num_bytes);\n}\n\nsize_t BN_bn2bin(const BIGNUM *in, uint8_t *out) {\n size_t n = BN_num_bytes(in);\n bn_words_to_big_endian(out, n, in->d, in->width);\n return n;\n}\n\nint BN_bn2le_padded(uint8_t *out, size_t len, const BIGNUM *in) {\n if (!fits_in_bytes(in->d, in->width, len)) {\n return 0;\n }\n\n // We only support little-endian platforms, so we can simply memcpy into the\n // internal representation.\n const uint8_t *bytes = (const uint8_t *)in->d;\n size_t num_bytes = in->width * BN_BYTES;\n if (len < num_bytes) {\n num_bytes = len;\n }\n\n OPENSSL_memcpy(out, bytes, num_bytes);\n // Pad out the rest of the buffer with zeroes.\n OPENSSL_memset(out + num_bytes, 0, len - num_bytes);\n return 1;\n}\n\nint BN_bn2bin_padded(uint8_t *out, size_t len, const BIGNUM *in) {\n if (!fits_in_bytes(in->d, in->width, len)) {\n return 0;\n }\n\n bn_words_to_big_endian(out, len, in->d, in->width);\n return 1;\n}\n\nBN_ULONG BN_get_word(const BIGNUM *bn) {\n switch (bn_minimal_width(bn)) {\n case 0:\n return 0;\n case 1:\n return bn->d[0];\n default:\n return BN_MASK2;\n }\n}\n\nint BN_get_u64(const BIGNUM *bn, uint64_t *out) {\n switch (bn_minimal_width(bn)) {\n case 0:\n *out = 0;\n return 1;\n case 1:\n *out = bn->d[0];\n return 1;\n#if defined(OPENSSL_32_BIT)\n case 2:\n *out = (uint64_t) bn->d[0] | (((uint64_t) bn->d[1]) << 32);\n return 1;\n#endif\n default:\n return 0;\n }\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/fipsmodule/bn/cmp.cc.inc", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n\n#include \n\n#include \"internal.h\"\n#include \"../../internal.h\"\n\n\nstatic int bn_cmp_words_consttime(const BN_ULONG *a, size_t a_len,\n const BN_ULONG *b, size_t b_len) {\n static_assert(sizeof(BN_ULONG) <= sizeof(crypto_word_t),\n \"crypto_word_t is too small\");\n int ret = 0;\n // Process the common words in little-endian order.\n size_t min = a_len < b_len ? a_len : b_len;\n for (size_t i = 0; i < min; i++) {\n crypto_word_t eq = constant_time_eq_w(a[i], b[i]);\n crypto_word_t lt = constant_time_lt_w(a[i], b[i]);\n ret =\n constant_time_select_int(eq, ret, constant_time_select_int(lt, -1, 1));\n }\n\n // If |a| or |b| has non-zero words beyond |min|, they take precedence.\n if (a_len < b_len) {\n crypto_word_t mask = 0;\n for (size_t i = a_len; i < b_len; i++) {\n mask |= b[i];\n }\n ret = constant_time_select_int(constant_time_is_zero_w(mask), ret, -1);\n } else if (b_len < a_len) {\n crypto_word_t mask = 0;\n for (size_t i = b_len; i < a_len; i++) {\n mask |= a[i];\n }\n ret = constant_time_select_int(constant_time_is_zero_w(mask), ret, 1);\n }\n\n return ret;\n}\n\nint BN_ucmp(const BIGNUM *a, const BIGNUM *b) {\n return bn_cmp_words_consttime(a->d, a->width, b->d, b->width);\n}\n\nint BN_cmp(const BIGNUM *a, const BIGNUM *b) {\n if ((a == NULL) || (b == NULL)) {\n if (a != NULL) {\n return -1;\n } else if (b != NULL) {\n return 1;\n } else {\n return 0;\n }\n }\n\n // We do not attempt to process the sign bit in constant time. Negative\n // |BIGNUM|s should never occur in crypto, only calculators.\n if (a->neg != b->neg) {\n if (a->neg) {\n return -1;\n }\n return 1;\n }\n\n int ret = BN_ucmp(a, b);\n return a->neg ? -ret : ret;\n}\n\nint bn_less_than_words(const BN_ULONG *a, const BN_ULONG *b, size_t len) {\n return bn_cmp_words_consttime(a, len, b, len) < 0;\n}\n\nint BN_abs_is_word(const BIGNUM *bn, BN_ULONG w) {\n if (bn->width == 0) {\n return w == 0;\n }\n BN_ULONG mask = bn->d[0] ^ w;\n for (int i = 1; i < bn->width; i++) {\n mask |= bn->d[i];\n }\n return mask == 0;\n}\n\nint BN_cmp_word(const BIGNUM *a, BN_ULONG b) {\n BIGNUM b_bn;\n BN_init(&b_bn);\n\n b_bn.d = &b;\n b_bn.width = b > 0;\n b_bn.dmax = 1;\n b_bn.flags = BN_FLG_STATIC_DATA;\n return BN_cmp(a, &b_bn);\n}\n\nint BN_is_zero(const BIGNUM *bn) {\n return bn_fits_in_words(bn, 0);\n}\n\nint BN_is_one(const BIGNUM *bn) {\n return bn->neg == 0 && BN_abs_is_word(bn, 1);\n}\n\nint BN_is_word(const BIGNUM *bn, BN_ULONG w) {\n return BN_abs_is_word(bn, w) && (w == 0 || bn->neg == 0);\n}\n\nint BN_is_odd(const BIGNUM *bn) {\n return bn->width > 0 && (bn->d[0] & 1) == 1;\n}\n\nint BN_is_pow2(const BIGNUM *bn) {\n int width = bn_minimal_width(bn);\n if (width == 0 || bn->neg) {\n return 0;\n }\n\n for (int i = 0; i < width - 1; i++) {\n if (bn->d[i] != 0) {\n return 0;\n }\n }\n\n return 0 == (bn->d[width-1] & (bn->d[width-1] - 1));\n}\n\nint BN_equal_consttime(const BIGNUM *a, const BIGNUM *b) {\n BN_ULONG mask = 0;\n // If |a| or |b| has more words than the other, all those words must be zero.\n for (int i = a->width; i < b->width; i++) {\n mask |= b->d[i];\n }\n for (int i = b->width; i < a->width; i++) {\n mask |= a->d[i];\n }\n // Common words must match.\n int min = a->width < b->width ? a->width : b->width;\n for (int i = 0; i < min; i++) {\n mask |= (a->d[i] ^ b->d[i]);\n }\n // The sign bit must match.\n mask |= (a->neg ^ b->neg);\n return mask == 0;\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/fipsmodule/bn/ctx.cc.inc", "content": "/*\n * Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n#include \n\n#include \n#include \n\n#include \"../../internal.h\"\n\n\n// The stack frame info is resizing, set a first-time expansion size;\n#define BN_CTX_START_FRAMES 32\n\n\n// BN_STACK\n\n// A |BN_STACK| is a stack of |size_t| values.\ntypedef struct {\n // Array of indexes into |ctx->bignums|.\n size_t *indexes;\n // Number of stack frames, and the size of the allocated array\n size_t depth, size;\n} BN_STACK;\n\nstatic void BN_STACK_init(BN_STACK *);\nstatic void BN_STACK_cleanup(BN_STACK *);\nstatic int BN_STACK_push(BN_STACK *, size_t idx);\nstatic size_t BN_STACK_pop(BN_STACK *);\n\n\n// BN_CTX\n\nDEFINE_STACK_OF(BIGNUM)\n\n// The opaque BN_CTX type\nstruct bignum_ctx {\n // bignums is the stack of |BIGNUM|s managed by this |BN_CTX|.\n STACK_OF(BIGNUM) *bignums;\n // stack is the stack of |BN_CTX_start| frames. It is the value of |used| at\n // the time |BN_CTX_start| was called.\n BN_STACK stack;\n // used is the number of |BIGNUM|s from |bignums| that have been used.\n size_t used;\n // error is one if any operation on this |BN_CTX| failed. All subsequent\n // operations will fail.\n char error;\n // defer_error is one if an operation on this |BN_CTX| has failed, but no\n // error has been pushed to the queue yet. This is used to defer errors from\n // |BN_CTX_start| to |BN_CTX_get|.\n char defer_error;\n};\n\nBN_CTX *BN_CTX_new(void) {\n BN_CTX *ret = reinterpret_cast(OPENSSL_malloc(sizeof(BN_CTX)));\n if (!ret) {\n return NULL;\n }\n\n // Initialise the structure\n ret->bignums = NULL;\n BN_STACK_init(&ret->stack);\n ret->used = 0;\n ret->error = 0;\n ret->defer_error = 0;\n return ret;\n}\n\nvoid BN_CTX_free(BN_CTX *ctx) {\n // All |BN_CTX_start| calls must be matched with |BN_CTX_end|, otherwise the\n // function may use more memory than expected, potentially without bound if\n // done in a loop. Assert that all |BIGNUM|s have been released.\n if (ctx == nullptr) {\n return;\n }\n assert(ctx->used == 0 || ctx->error);\n sk_BIGNUM_pop_free(ctx->bignums, BN_free);\n BN_STACK_cleanup(&ctx->stack);\n OPENSSL_free(ctx);\n}\n\nvoid BN_CTX_start(BN_CTX *ctx) {\n if (ctx->error) {\n // Once an operation has failed, |ctx->stack| no longer matches the number\n // of |BN_CTX_end| calls to come. Do nothing.\n return;\n }\n\n if (!BN_STACK_push(&ctx->stack, ctx->used)) {\n ctx->error = 1;\n // |BN_CTX_start| cannot fail, so defer the error to |BN_CTX_get|.\n ctx->defer_error = 1;\n }\n}\n\nBIGNUM *BN_CTX_get(BN_CTX *ctx) {\n // Once any operation has failed, they all do.\n if (ctx->error) {\n if (ctx->defer_error) {\n OPENSSL_PUT_ERROR(BN, BN_R_TOO_MANY_TEMPORARY_VARIABLES);\n ctx->defer_error = 0;\n }\n return NULL;\n }\n\n if (ctx->bignums == NULL) {\n ctx->bignums = sk_BIGNUM_new_null();\n if (ctx->bignums == NULL) {\n ctx->error = 1;\n return NULL;\n }\n }\n\n if (ctx->used == sk_BIGNUM_num(ctx->bignums)) {\n BIGNUM *bn = BN_new();\n if (bn == NULL || !sk_BIGNUM_push(ctx->bignums, bn)) {\n OPENSSL_PUT_ERROR(BN, BN_R_TOO_MANY_TEMPORARY_VARIABLES);\n BN_free(bn);\n ctx->error = 1;\n return NULL;\n }\n }\n\n BIGNUM *ret = sk_BIGNUM_value(ctx->bignums, ctx->used);\n BN_zero(ret);\n // This is bounded by |sk_BIGNUM_num|, so it cannot overflow.\n ctx->used++;\n return ret;\n}\n\nvoid BN_CTX_end(BN_CTX *ctx) {\n if (ctx->error) {\n // Once an operation has failed, |ctx->stack| no longer matches the number\n // of |BN_CTX_end| calls to come. Do nothing.\n return;\n }\n\n ctx->used = BN_STACK_pop(&ctx->stack);\n}\n\n\n// BN_STACK\n\nstatic void BN_STACK_init(BN_STACK *st) {\n st->indexes = NULL;\n st->depth = st->size = 0;\n}\n\nstatic void BN_STACK_cleanup(BN_STACK *st) { OPENSSL_free(st->indexes); }\n\nstatic int BN_STACK_push(BN_STACK *st, size_t idx) {\n if (st->depth == st->size) {\n // This function intentionally does not push to the error queue on error.\n // Error-reporting is deferred to |BN_CTX_get|.\n size_t new_size = st->size != 0 ? st->size * 3 / 2 : BN_CTX_START_FRAMES;\n if (new_size <= st->size || new_size > SIZE_MAX / sizeof(size_t)) {\n return 0;\n }\n size_t *new_indexes = reinterpret_cast(\n OPENSSL_realloc(st->indexes, new_size * sizeof(size_t)));\n if (new_indexes == NULL) {\n return 0;\n }\n st->indexes = new_indexes;\n st->size = new_size;\n }\n\n st->indexes[st->depth] = idx;\n st->depth++;\n return 1;\n}\n\nstatic size_t BN_STACK_pop(BN_STACK *st) {\n assert(st->depth > 0);\n st->depth--;\n return st->indexes[st->depth];\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/fipsmodule/bn/div.cc.inc", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n#include \n\n#include \n\n#include \"internal.h\"\n\n\n// bn_div_words divides a double-width |h|,|l| by |d| and returns the result,\n// which must fit in a |BN_ULONG|.\nstatic inline BN_ULONG bn_div_words(BN_ULONG h, BN_ULONG l, BN_ULONG d) {\n BN_ULONG dh, dl, q, ret = 0, th, tl, t;\n int i, count = 2;\n\n if (d == 0) {\n return BN_MASK2;\n }\n\n i = BN_num_bits_word(d);\n assert((i == BN_BITS2) || (h <= (BN_ULONG)1 << i));\n\n i = BN_BITS2 - i;\n if (h >= d) {\n h -= d;\n }\n\n if (i) {\n d <<= i;\n h = (h << i) | (l >> (BN_BITS2 - i));\n l <<= i;\n }\n dh = (d & BN_MASK2h) >> BN_BITS4;\n dl = (d & BN_MASK2l);\n for (;;) {\n if ((h >> BN_BITS4) == dh) {\n q = BN_MASK2l;\n } else {\n q = h / dh;\n }\n\n th = q * dh;\n tl = dl * q;\n for (;;) {\n t = h - th;\n if ((t & BN_MASK2h) ||\n ((tl) <= ((t << BN_BITS4) | ((l & BN_MASK2h) >> BN_BITS4)))) {\n break;\n }\n q--;\n th -= dh;\n tl -= dl;\n }\n t = (tl >> BN_BITS4);\n tl = (tl << BN_BITS4) & BN_MASK2h;\n th += t;\n\n if (l < tl) {\n th++;\n }\n l -= tl;\n if (h < th) {\n h += d;\n q--;\n }\n h -= th;\n\n if (--count == 0) {\n break;\n }\n\n ret = q << BN_BITS4;\n h = (h << BN_BITS4) | (l >> BN_BITS4);\n l = (l & BN_MASK2l) << BN_BITS4;\n }\n\n ret |= q;\n return ret;\n}\n\nstatic inline void bn_div_rem_words(BN_ULONG *quotient_out, BN_ULONG *rem_out,\n BN_ULONG n0, BN_ULONG n1, BN_ULONG d0) {\n // GCC and Clang generate function calls to |__udivdi3| and |__umoddi3| when\n // the |BN_ULLONG|-based C code is used.\n //\n // GCC bugs:\n // * https://gcc.gnu.org/bugzilla/show_bug.cgi?id=14224\n // * https://gcc.gnu.org/bugzilla/show_bug.cgi?id=43721\n // * https://gcc.gnu.org/bugzilla/show_bug.cgi?id=54183\n // * https://gcc.gnu.org/bugzilla/show_bug.cgi?id=58897\n // * https://gcc.gnu.org/bugzilla/show_bug.cgi?id=65668\n //\n // Clang bugs:\n // * https://github.com/llvm/llvm-project/issues/6769\n // * https://github.com/llvm/llvm-project/issues/12790\n //\n // These is specific to x86 and x86_64; Arm and RISC-V do not have double-wide\n // division instructions.\n#if defined(BN_CAN_USE_INLINE_ASM) && defined(OPENSSL_X86)\n __asm__ volatile(\"divl %4\"\n : \"=a\"(*quotient_out), \"=d\"(*rem_out)\n : \"a\"(n1), \"d\"(n0), \"rm\"(d0)\n : \"cc\");\n#elif defined(BN_CAN_USE_INLINE_ASM) && defined(OPENSSL_X86_64)\n __asm__ volatile(\"divq %4\"\n : \"=a\"(*quotient_out), \"=d\"(*rem_out)\n : \"a\"(n1), \"d\"(n0), \"rm\"(d0)\n : \"cc\");\n#else\n#if defined(BN_CAN_DIVIDE_ULLONG)\n BN_ULLONG n = (((BN_ULLONG)n0) << BN_BITS2) | n1;\n *quotient_out = (BN_ULONG)(n / d0);\n#else\n *quotient_out = bn_div_words(n0, n1, d0);\n#endif\n *rem_out = n1 - (*quotient_out * d0);\n#endif\n}\n\nint BN_div(BIGNUM *quotient, BIGNUM *rem, const BIGNUM *numerator,\n const BIGNUM *divisor, BN_CTX *ctx) {\n // This function implements long division, per Knuth, The Art of Computer\n // Programming, Volume 2, Chapter 4.3.1, Algorithm D. This algorithm only\n // divides non-negative integers, but we round towards zero, so we divide\n // absolute values and adjust the signs separately.\n //\n // Inputs to this function are assumed public and may be leaked by timing and\n // cache side channels. Division with secret inputs should use other\n // implementation strategies such as Montgomery reduction.\n if (BN_is_zero(divisor)) {\n OPENSSL_PUT_ERROR(BN, BN_R_DIV_BY_ZERO);\n return 0;\n }\n\n BN_CTX_start(ctx);\n BIGNUM *tmp = BN_CTX_get(ctx);\n BIGNUM *snum = BN_CTX_get(ctx);\n BIGNUM *sdiv = BN_CTX_get(ctx);\n BIGNUM *res = quotient == NULL ? BN_CTX_get(ctx) : quotient;\n int norm_shift, num_n, loop, div_n;\n BN_ULONG d0, d1;\n if (tmp == NULL || snum == NULL || sdiv == NULL || res == NULL) {\n goto err;\n }\n\n // Knuth step D1: Normalise the numbers such that the divisor's MSB is set.\n // This ensures, in Knuth's terminology, that v1 >= b/2, needed for the\n // quotient estimation step.\n norm_shift = BN_BITS2 - (BN_num_bits(divisor) % BN_BITS2);\n if (!BN_lshift(sdiv, divisor, norm_shift) ||\n !BN_lshift(snum, numerator, norm_shift)) {\n goto err;\n }\n\n // This algorithm relies on |sdiv| being minimal width. We do not use this\n // function on secret inputs, so leaking this is fine. Also minimize |snum| to\n // avoid looping on leading zeros, as we're not trying to be leak-free.\n bn_set_minimal_width(sdiv);\n bn_set_minimal_width(snum);\n div_n = sdiv->width;\n d0 = sdiv->d[div_n - 1];\n d1 = (div_n == 1) ? 0 : sdiv->d[div_n - 2];\n assert(d0 & (((BN_ULONG)1) << (BN_BITS2 - 1)));\n\n // Extend |snum| with zeros to satisfy the long division invariants:\n // - |snum| must have at least |div_n| + 1 words.\n // - |snum|'s most significant word must be zero to guarantee the first loop\n // iteration works with a prefix greater than |sdiv|. (This is the extra u0\n // digit in Knuth step D1.)\n num_n = snum->width <= div_n ? div_n + 1 : snum->width + 1;\n if (!bn_resize_words(snum, num_n)) {\n goto err;\n }\n\n // Knuth step D2: The quotient's width is the difference between numerator and\n // denominator. Also set up its sign and size a temporary for the loop.\n loop = num_n - div_n;\n res->neg = snum->neg ^ sdiv->neg;\n if (!bn_wexpand(res, loop) || //\n !bn_wexpand(tmp, div_n + 1)) {\n goto err;\n }\n res->width = loop;\n\n // Knuth steps D2 through D7: Compute the quotient with a word-by-word long\n // division. Note that Knuth indexes words from most to least significant, so\n // our index is reversed. Each loop iteration computes res->d[i] of the\n // quotient and updates snum with the running remainder. Before each loop\n // iteration, the div_n words beginning at snum->d[i+1] must be less than\n // snum.\n for (int i = loop - 1; i >= 0; i--) {\n // The next word of the quotient, q, is floor(wnum / sdiv), where wnum is\n // the div_n + 1 words beginning at snum->d[i]. i starts at\n // num_n - div_n - 1, so there are at least div_n + 1 words available.\n //\n // Knuth step D3: Compute q', an estimate of q by looking at the top words\n // of wnum and sdiv. We must estimate such that q' = q or q' = q + 1.\n BN_ULONG q, rm = 0;\n BN_ULONG *wnum = snum->d + i;\n BN_ULONG n0 = wnum[div_n];\n BN_ULONG n1 = wnum[div_n - 1];\n if (n0 == d0) {\n // Estimate q' = b - 1, where b is the base.\n q = BN_MASK2;\n // Knuth also runs the fixup routine in this case, but this would require\n // computing rm and is unnecessary. q' is already close enough. That is,\n // the true quotient, q is either b - 1 or b - 2.\n //\n // By the loop invariant, q <= b - 1, so we must show that q >= b - 2. We\n // do this by showing wnum / sdiv >= b - 2. Suppose wnum / sdiv < b - 2.\n // wnum and sdiv have the same most significant word, so:\n //\n // wnum >= n0 * b^div_n\n // sdiv < (n0 + 1) * b^(d_div - 1)\n //\n // Thus:\n //\n // b - 2 > wnum / sdiv\n // > (n0 * b^div_n) / (n0 + 1) * b^(div_n - 1)\n // = (n0 * b) / (n0 + 1)\n //\n // (n0 + 1) * (b - 2) > n0 * b\n // n0 * b + b - 2 * n0 - 2 > n0 * b\n // b - 2 > 2 * n0\n // b/2 - 1 > n0\n //\n // This contradicts the normalization condition, so q >= b - 2 and our\n // estimate is close enough.\n } else {\n // Estimate q' = floor(n0n1 / d0). Per Theorem B, q' - 2 <= q <= q', which\n // is slightly outside of our bounds.\n assert(n0 < d0);\n bn_div_rem_words(&q, &rm, n0, n1, d0);\n\n // Fix the estimate by examining one more word and adjusting q' as needed.\n // This is the second half of step D3 and is sufficient per exercises 19,\n // 20, and 21. Although only one iteration is needed to correct q + 2 to\n // q + 1, Knuth uses a loop. A loop will often also correct q + 1 to q,\n // saving the slightly more expensive underflow handling below.\n if (div_n > 1) {\n BN_ULONG n2 = wnum[div_n - 2];\n#ifdef BN_ULLONG\n BN_ULLONG t2 = (BN_ULLONG)d1 * q;\n for (;;) {\n if (t2 <= ((((BN_ULLONG)rm) << BN_BITS2) | n2)) {\n break;\n }\n q--;\n rm += d0;\n if (rm < d0) {\n // If rm overflows, the true value exceeds BN_ULONG and the next\n // t2 comparison should exit the loop.\n break;\n }\n t2 -= d1;\n }\n#else // !BN_ULLONG\n BN_ULONG t2l, t2h;\n BN_UMULT_LOHI(t2l, t2h, d1, q);\n for (;;) {\n if (t2h < rm || (t2h == rm && t2l <= n2)) {\n break;\n }\n q--;\n rm += d0;\n if (rm < d0) {\n // If rm overflows, the true value exceeds BN_ULONG and the next\n // t2 comparison should exit the loop.\n break;\n }\n if (t2l < d1) {\n t2h--;\n }\n t2l -= d1;\n }\n#endif // !BN_ULLONG\n }\n }\n\n // Knuth step D4 through D6: Now q' = q or q' = q + 1, and\n // -sdiv < wnum - sdiv * q < sdiv. If q' = q + 1, the subtraction will\n // underflow, and we fix it up below.\n tmp->d[div_n] = bn_mul_words(tmp->d, sdiv->d, div_n, q);\n if (bn_sub_words(wnum, wnum, tmp->d, div_n + 1)) {\n q--;\n // The final addition is expected to overflow, canceling the underflow.\n wnum[div_n] += bn_add_words(wnum, wnum, sdiv->d, div_n);\n }\n\n // q is now correct, and wnum has been updated to the running remainder.\n res->d[i] = q;\n }\n\n // Trim leading zeros and correct any negative zeros.\n bn_set_minimal_width(snum);\n bn_set_minimal_width(res);\n\n // Knuth step D8: Unnormalize. snum now contains the remainder.\n if (rem != NULL && !BN_rshift(rem, snum, norm_shift)) {\n goto err;\n }\n\n BN_CTX_end(ctx);\n return 1;\n\nerr:\n BN_CTX_end(ctx);\n return 0;\n}\n\nint BN_nnmod(BIGNUM *r, const BIGNUM *m, const BIGNUM *d, BN_CTX *ctx) {\n if (!(BN_mod(r, m, d, ctx))) {\n return 0;\n }\n if (!r->neg) {\n return 1;\n }\n\n // now -d < r < 0, so we have to set r := r + d. Ignoring the sign bits, this\n // is r = d - r.\n return BN_usub(r, d, r);\n}\n\nBN_ULONG bn_reduce_once(BN_ULONG *r, const BN_ULONG *a, BN_ULONG carry,\n const BN_ULONG *m, size_t num) {\n assert(r != a);\n // |r| = |a| - |m|. |bn_sub_words| performs the bulk of the subtraction, and\n // then we apply the borrow to |carry|.\n carry -= bn_sub_words(r, a, m, num);\n // We know 0 <= |a| < 2*|m|, so -|m| <= |r| < |m|.\n //\n // If 0 <= |r| < |m|, |r| fits in |num| words and |carry| is zero. We then\n // wish to select |r| as the answer. Otherwise -m <= r < 0 and we wish to\n // return |r| + |m|, or |a|. |carry| must then be -1 or all ones. In both\n // cases, |carry| is a suitable input to |bn_select_words|.\n //\n // Although |carry| may be one if it was one on input and |bn_sub_words|\n // returns zero, this would give |r| > |m|, violating our input assumptions.\n declassify_assert(carry + 1 <= 1);\n bn_select_words(r, carry, a /* r < 0 */, r /* r >= 0 */, num);\n return carry;\n}\n\nBN_ULONG bn_reduce_once_in_place(BN_ULONG *r, BN_ULONG carry, const BN_ULONG *m,\n BN_ULONG *tmp, size_t num) {\n // See |bn_reduce_once| for why this logic works.\n carry -= bn_sub_words(tmp, r, m, num);\n declassify_assert(carry + 1 <= 1);\n bn_select_words(r, carry, r /* tmp < 0 */, tmp /* tmp >= 0 */, num);\n return carry;\n}\n\nvoid bn_mod_sub_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b,\n const BN_ULONG *m, BN_ULONG *tmp, size_t num) {\n // r = a - b\n BN_ULONG borrow = bn_sub_words(r, a, b, num);\n // tmp = a - b + m\n bn_add_words(tmp, r, m, num);\n bn_select_words(r, 0 - borrow, tmp /* r < 0 */, r /* r >= 0 */, num);\n}\n\nvoid bn_mod_add_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b,\n const BN_ULONG *m, BN_ULONG *tmp, size_t num) {\n BN_ULONG carry = bn_add_words(r, a, b, num);\n bn_reduce_once_in_place(r, carry, m, tmp, num);\n}\n\nint bn_div_consttime(BIGNUM *quotient, BIGNUM *remainder,\n const BIGNUM *numerator, const BIGNUM *divisor,\n unsigned divisor_min_bits, BN_CTX *ctx) {\n if (BN_is_negative(numerator) || BN_is_negative(divisor)) {\n OPENSSL_PUT_ERROR(BN, BN_R_NEGATIVE_NUMBER);\n return 0;\n }\n if (BN_is_zero(divisor)) {\n OPENSSL_PUT_ERROR(BN, BN_R_DIV_BY_ZERO);\n return 0;\n }\n\n // This function implements long division in binary. It is not very efficient,\n // but it is simple, easy to make constant-time, and performant enough for RSA\n // key generation.\n\n int ret = 0;\n BN_CTX_start(ctx);\n BIGNUM *q = quotient, *r = remainder;\n if (quotient == NULL || quotient == numerator || quotient == divisor) {\n q = BN_CTX_get(ctx);\n }\n if (remainder == NULL || remainder == numerator || remainder == divisor) {\n r = BN_CTX_get(ctx);\n }\n BIGNUM *tmp = BN_CTX_get(ctx);\n int initial_words;\n if (q == NULL || r == NULL || tmp == NULL ||\n !bn_wexpand(q, numerator->width) || !bn_wexpand(r, divisor->width) ||\n !bn_wexpand(tmp, divisor->width)) {\n goto err;\n }\n\n OPENSSL_memset(q->d, 0, numerator->width * sizeof(BN_ULONG));\n q->width = numerator->width;\n q->neg = 0;\n\n OPENSSL_memset(r->d, 0, divisor->width * sizeof(BN_ULONG));\n r->width = divisor->width;\n r->neg = 0;\n\n // Incorporate |numerator| into |r|, one bit at a time, reducing after each\n // step. We maintain the invariant that |0 <= r < divisor| and\n // |q * divisor + r = n| where |n| is the portion of |numerator| incorporated\n // so far.\n //\n // First, we short-circuit the loop: if we know |divisor| has at least\n // |divisor_min_bits| bits, the top |divisor_min_bits - 1| can be incorporated\n // without reductions. This significantly speeds up |RSA_check_key|. For\n // simplicity, we round down to a whole number of words.\n declassify_assert(divisor_min_bits <= BN_num_bits(divisor));\n initial_words = 0;\n if (divisor_min_bits > 0) {\n initial_words = (divisor_min_bits - 1) / BN_BITS2;\n if (initial_words > numerator->width) {\n initial_words = numerator->width;\n }\n OPENSSL_memcpy(r->d, numerator->d + numerator->width - initial_words,\n initial_words * sizeof(BN_ULONG));\n }\n\n for (int i = numerator->width - initial_words - 1; i >= 0; i--) {\n for (int bit = BN_BITS2 - 1; bit >= 0; bit--) {\n // Incorporate the next bit of the numerator, by computing\n // r = 2*r or 2*r + 1. Note the result fits in one more word. We store the\n // extra word in |carry|.\n BN_ULONG carry = bn_add_words(r->d, r->d, r->d, divisor->width);\n r->d[0] |= (numerator->d[i] >> bit) & 1;\n // |r| was previously fully-reduced, so we know:\n // 2*0 <= r <= 2*(divisor-1) + 1\n // 0 <= r <= 2*divisor - 1 < 2*divisor.\n // Thus |r| satisfies the preconditions for |bn_reduce_once_in_place|.\n BN_ULONG subtracted = bn_reduce_once_in_place(r->d, carry, divisor->d,\n tmp->d, divisor->width);\n // The corresponding bit of the quotient is set iff we needed to subtract.\n q->d[i] |= (~subtracted & 1) << bit;\n }\n }\n\n if ((quotient != NULL && !BN_copy(quotient, q)) ||\n (remainder != NULL && !BN_copy(remainder, r))) {\n goto err;\n }\n\n ret = 1;\n\nerr:\n BN_CTX_end(ctx);\n return ret;\n}\n\nstatic BIGNUM *bn_scratch_space_from_ctx(size_t width, BN_CTX *ctx) {\n BIGNUM *ret = BN_CTX_get(ctx);\n if (ret == NULL || !bn_wexpand(ret, width)) {\n return NULL;\n }\n ret->neg = 0;\n ret->width = (int)width;\n return ret;\n}\n\n// bn_resized_from_ctx returns |bn| with width at least |width| or NULL on\n// error. This is so it may be used with low-level \"words\" functions. If\n// necessary, it allocates a new |BIGNUM| with a lifetime of the current scope\n// in |ctx|, so the caller does not need to explicitly free it. |bn| must fit in\n// |width| words.\nstatic const BIGNUM *bn_resized_from_ctx(const BIGNUM *bn, size_t width,\n BN_CTX *ctx) {\n if ((size_t)bn->width >= width) {\n // Any excess words must be zero.\n assert(bn_fits_in_words(bn, width));\n return bn;\n }\n BIGNUM *ret = bn_scratch_space_from_ctx(width, ctx);\n if (ret == NULL || !BN_copy(ret, bn) || !bn_resize_words(ret, width)) {\n return NULL;\n }\n return ret;\n}\n\nint BN_mod_add(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, const BIGNUM *m,\n BN_CTX *ctx) {\n if (!BN_add(r, a, b)) {\n return 0;\n }\n return BN_nnmod(r, r, m, ctx);\n}\n\nint BN_mod_add_quick(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,\n const BIGNUM *m) {\n BN_CTX *ctx = BN_CTX_new();\n int ok = ctx != NULL && bn_mod_add_consttime(r, a, b, m, ctx);\n BN_CTX_free(ctx);\n return ok;\n}\n\nint bn_mod_add_consttime(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,\n const BIGNUM *m, BN_CTX *ctx) {\n BN_CTX_start(ctx);\n a = bn_resized_from_ctx(a, m->width, ctx);\n b = bn_resized_from_ctx(b, m->width, ctx);\n BIGNUM *tmp = bn_scratch_space_from_ctx(m->width, ctx);\n int ok = a != NULL && b != NULL && tmp != NULL && bn_wexpand(r, m->width);\n if (ok) {\n bn_mod_add_words(r->d, a->d, b->d, m->d, tmp->d, m->width);\n r->width = m->width;\n r->neg = 0;\n }\n BN_CTX_end(ctx);\n return ok;\n}\n\nint BN_mod_sub(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, const BIGNUM *m,\n BN_CTX *ctx) {\n if (!BN_sub(r, a, b)) {\n return 0;\n }\n return BN_nnmod(r, r, m, ctx);\n}\n\nint bn_mod_sub_consttime(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,\n const BIGNUM *m, BN_CTX *ctx) {\n BN_CTX_start(ctx);\n a = bn_resized_from_ctx(a, m->width, ctx);\n b = bn_resized_from_ctx(b, m->width, ctx);\n BIGNUM *tmp = bn_scratch_space_from_ctx(m->width, ctx);\n int ok = a != NULL && b != NULL && tmp != NULL && bn_wexpand(r, m->width);\n if (ok) {\n bn_mod_sub_words(r->d, a->d, b->d, m->d, tmp->d, m->width);\n r->width = m->width;\n r->neg = 0;\n }\n BN_CTX_end(ctx);\n return ok;\n}\n\nint BN_mod_sub_quick(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,\n const BIGNUM *m) {\n BN_CTX *ctx = BN_CTX_new();\n int ok = ctx != NULL && bn_mod_sub_consttime(r, a, b, m, ctx);\n BN_CTX_free(ctx);\n return ok;\n}\n\nint BN_mod_mul(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, const BIGNUM *m,\n BN_CTX *ctx) {\n BIGNUM *t;\n int ret = 0;\n\n BN_CTX_start(ctx);\n t = BN_CTX_get(ctx);\n if (t == NULL) {\n goto err;\n }\n\n if (a == b) {\n if (!BN_sqr(t, a, ctx)) {\n goto err;\n }\n } else {\n if (!BN_mul(t, a, b, ctx)) {\n goto err;\n }\n }\n\n if (!BN_nnmod(r, t, m, ctx)) {\n goto err;\n }\n\n ret = 1;\n\nerr:\n BN_CTX_end(ctx);\n return ret;\n}\n\nint BN_mod_sqr(BIGNUM *r, const BIGNUM *a, const BIGNUM *m, BN_CTX *ctx) {\n if (!BN_sqr(r, a, ctx)) {\n return 0;\n }\n\n // r->neg == 0, thus we don't need BN_nnmod\n return BN_mod(r, r, m, ctx);\n}\n\nint BN_mod_lshift(BIGNUM *r, const BIGNUM *a, int n, const BIGNUM *m,\n BN_CTX *ctx) {\n BIGNUM *abs_m = NULL;\n int ret;\n\n if (!BN_nnmod(r, a, m, ctx)) {\n return 0;\n }\n\n if (m->neg) {\n abs_m = BN_dup(m);\n if (abs_m == NULL) {\n return 0;\n }\n abs_m->neg = 0;\n }\n\n ret = bn_mod_lshift_consttime(r, r, n, (abs_m ? abs_m : m), ctx);\n\n BN_free(abs_m);\n return ret;\n}\n\nint bn_mod_lshift_consttime(BIGNUM *r, const BIGNUM *a, int n, const BIGNUM *m,\n BN_CTX *ctx) {\n if (!BN_copy(r, a) || !bn_resize_words(r, m->width)) {\n return 0;\n }\n\n BN_CTX_start(ctx);\n BIGNUM *tmp = bn_scratch_space_from_ctx(m->width, ctx);\n int ok = tmp != NULL;\n if (ok) {\n for (int i = 0; i < n; i++) {\n bn_mod_add_words(r->d, r->d, r->d, m->d, tmp->d, m->width);\n }\n r->neg = 0;\n }\n BN_CTX_end(ctx);\n return ok;\n}\n\nint BN_mod_lshift_quick(BIGNUM *r, const BIGNUM *a, int n, const BIGNUM *m) {\n BN_CTX *ctx = BN_CTX_new();\n int ok = ctx != NULL && bn_mod_lshift_consttime(r, a, n, m, ctx);\n BN_CTX_free(ctx);\n return ok;\n}\n\nint BN_mod_lshift1(BIGNUM *r, const BIGNUM *a, const BIGNUM *m, BN_CTX *ctx) {\n if (!BN_lshift1(r, a)) {\n return 0;\n }\n\n return BN_nnmod(r, r, m, ctx);\n}\n\nint bn_mod_lshift1_consttime(BIGNUM *r, const BIGNUM *a, const BIGNUM *m,\n BN_CTX *ctx) {\n return bn_mod_add_consttime(r, a, a, m, ctx);\n}\n\nint BN_mod_lshift1_quick(BIGNUM *r, const BIGNUM *a, const BIGNUM *m) {\n BN_CTX *ctx = BN_CTX_new();\n int ok = ctx != NULL && bn_mod_lshift1_consttime(r, a, m, ctx);\n BN_CTX_free(ctx);\n return ok;\n}\n\nBN_ULONG BN_div_word(BIGNUM *a, BN_ULONG w) {\n BN_ULONG ret = 0;\n int i, j;\n\n if (!w) {\n // actually this an error (division by zero)\n return (BN_ULONG)-1;\n }\n\n if (a->width == 0) {\n return 0;\n }\n\n // normalize input for |bn_div_rem_words|.\n j = BN_BITS2 - BN_num_bits_word(w);\n w <<= j;\n if (!BN_lshift(a, a, j)) {\n return (BN_ULONG)-1;\n }\n\n for (i = a->width - 1; i >= 0; i--) {\n BN_ULONG l = a->d[i];\n BN_ULONG d;\n BN_ULONG unused_rem;\n bn_div_rem_words(&d, &unused_rem, ret, l, w);\n ret = l - (d * w);\n a->d[i] = d;\n }\n\n bn_set_minimal_width(a);\n ret >>= j;\n return ret;\n}\n\nBN_ULONG BN_mod_word(const BIGNUM *a, BN_ULONG w) {\n#ifndef BN_CAN_DIVIDE_ULLONG\n BN_ULONG ret = 0;\n#else\n BN_ULLONG ret = 0;\n#endif\n int i;\n\n if (w == 0) {\n return (BN_ULONG)-1;\n }\n\n#ifndef BN_CAN_DIVIDE_ULLONG\n // If |w| is too long and we don't have |BN_ULLONG| division then we need to\n // fall back to using |BN_div_word|.\n if (w > ((BN_ULONG)1 << BN_BITS4)) {\n BIGNUM *tmp = BN_dup(a);\n if (tmp == NULL) {\n return (BN_ULONG)-1;\n }\n ret = BN_div_word(tmp, w);\n BN_free(tmp);\n return ret;\n }\n#endif\n\n for (i = a->width - 1; i >= 0; i--) {\n#ifndef BN_CAN_DIVIDE_ULLONG\n ret = ((ret << BN_BITS4) | ((a->d[i] >> BN_BITS4) & BN_MASK2l)) % w;\n ret = ((ret << BN_BITS4) | (a->d[i] & BN_MASK2l)) % w;\n#else\n ret = (BN_ULLONG)(((ret << (BN_ULLONG)BN_BITS2) | a->d[i]) % (BN_ULLONG)w);\n#endif\n }\n return (BN_ULONG)ret;\n}\n\nint BN_mod_pow2(BIGNUM *r, const BIGNUM *a, size_t e) {\n if (e == 0 || a->width == 0) {\n BN_zero(r);\n return 1;\n }\n\n size_t num_words = 1 + ((e - 1) / BN_BITS2);\n\n // If |a| definitely has less than |e| bits, just BN_copy.\n if ((size_t)a->width < num_words) {\n return BN_copy(r, a) != NULL;\n }\n\n // Otherwise, first make sure we have enough space in |r|.\n // Note that this will fail if num_words > INT_MAX.\n if (!bn_wexpand(r, num_words)) {\n return 0;\n }\n\n // Copy the content of |a| into |r|.\n OPENSSL_memcpy(r->d, a->d, num_words * sizeof(BN_ULONG));\n\n // If |e| isn't word-aligned, we have to mask off some of our bits.\n size_t top_word_exponent = e % (sizeof(BN_ULONG) * 8);\n if (top_word_exponent != 0) {\n r->d[num_words - 1] &= (((BN_ULONG)1) << top_word_exponent) - 1;\n }\n\n // Fill in the remaining fields of |r|.\n r->neg = a->neg;\n r->width = (int)num_words;\n bn_set_minimal_width(r);\n return 1;\n}\n\nint BN_nnmod_pow2(BIGNUM *r, const BIGNUM *a, size_t e) {\n if (!BN_mod_pow2(r, a, e)) {\n return 0;\n }\n\n // If the returned value was non-negative, we're done.\n if (BN_is_zero(r) || !r->neg) {\n return 1;\n }\n\n size_t num_words = 1 + (e - 1) / BN_BITS2;\n\n // Expand |r| to the size of our modulus.\n if (!bn_wexpand(r, num_words)) {\n return 0;\n }\n\n // Clear the upper words of |r|.\n OPENSSL_memset(&r->d[r->width], 0, (num_words - r->width) * BN_BYTES);\n\n // Set parameters of |r|.\n r->neg = 0;\n r->width = (int)num_words;\n\n // Now, invert every word. The idea here is that we want to compute 2^e-|x|,\n // which is actually equivalent to the twos-complement representation of |x|\n // in |e| bits, which is -x = ~x + 1.\n for (int i = 0; i < r->width; i++) {\n r->d[i] = ~r->d[i];\n }\n\n // If our exponent doesn't span the top word, we have to mask the rest.\n size_t top_word_exponent = e % BN_BITS2;\n if (top_word_exponent != 0) {\n r->d[r->width - 1] &= (((BN_ULONG)1) << top_word_exponent) - 1;\n }\n\n // Keep the minimal-width invariant for |BIGNUM|.\n bn_set_minimal_width(r);\n\n // Finally, add one, for the reason described above.\n return BN_add(r, r, BN_value_one());\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/fipsmodule/bn/div_extra.cc.inc", "content": "/* Copyright 2018 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n#include \n\n#include \n\n#include \"internal.h\"\n\n\n// The following functions use a Barrett reduction variant to avoid leaking the\n// numerator. See http://ridiculousfish.com/blog/posts/labor-of-division-episode-i.html\n//\n// We use 32-bit numerator and 16-bit divisor for simplicity. This allows\n// computing |m| and |q| without architecture-specific code.\n\n// mod_u16 returns |n| mod |d|. |p| and |m| are the \"magic numbers\" for |d| (see\n// reference). For proof of correctness in Coq, see\n// https://github.com/davidben/fiat-crypto/blob/barrett/src/Arithmetic/BarrettReduction/RidiculousFish.v\n// Note the Coq version of |mod_u16| additionally includes the computation of\n// |p| and |m| from |bn_mod_u16_consttime| below.\nstatic uint16_t mod_u16(uint32_t n, uint16_t d, uint32_t p, uint32_t m) {\n // Compute floor(n/d) per steps 3 through 5.\n uint32_t q = ((uint64_t)m * n) >> 32;\n // Note there is a typo in the reference. We right-shift by one, not two.\n uint32_t t = ((n - q) >> 1) + q;\n t = t >> (p - 1);\n\n // Multiply and subtract to get the remainder.\n n -= d * t;\n declassify_assert(n < d);\n return n;\n}\n\n// shift_and_add_mod_u16 returns |r| * 2^32 + |a| mod |d|. |p| and |m| are the\n// \"magic numbers\" for |d| (see reference).\nstatic uint16_t shift_and_add_mod_u16(uint16_t r, uint32_t a, uint16_t d,\n uint32_t p, uint32_t m) {\n // Incorporate |a| in two 16-bit chunks.\n uint32_t t = r;\n t <<= 16;\n t |= a >> 16;\n t = mod_u16(t, d, p, m);\n\n t <<= 16;\n t |= a & 0xffff;\n t = mod_u16(t, d, p, m);\n return t;\n}\n\nuint16_t bn_mod_u16_consttime(const BIGNUM *bn, uint16_t d) {\n if (d <= 1) {\n return 0;\n }\n\n // Compute the \"magic numbers\" for |d|. See steps 1 and 2.\n // This computes p = ceil(log_2(d)).\n uint32_t p = BN_num_bits_word(d - 1);\n // This operation is not constant-time, but |p| and |d| are public values.\n // Note that |p| is at most 16, so the computation fits in |uint64_t|.\n assert(p <= 16);\n uint32_t m = (uint32_t)(((UINT64_C(1) << (32 + p)) + d - 1) / d);\n\n uint16_t ret = 0;\n for (int i = bn->width - 1; i >= 0; i--) {\n#if BN_BITS2 == 32\n ret = shift_and_add_mod_u16(ret, bn->d[i], d, p, m);\n#elif BN_BITS2 == 64\n ret = shift_and_add_mod_u16(ret, bn->d[i] >> 32, d, p, m);\n ret = shift_and_add_mod_u16(ret, bn->d[i] & 0xffffffff, d, p, m);\n#else\n#error \"Unknown BN_ULONG size\"\n#endif\n }\n return ret;\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/fipsmodule/bn/exponentiation.cc.inc", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n#include \n#include \n#include \n\n#include \n#include \n\n#include \"internal.h\"\n#include \"rsaz_exp.h\"\n\n#if defined(OPENSSL_BN_ASM_MONT5)\n\n// bn_mul_mont_gather5 multiples loads index |power| of |table|, multiplies it\n// by |ap| modulo |np|, and stores the result in |rp|. The values are |num|\n// words long and represented in Montgomery form. |n0| is a pointer to the\n// corresponding field in |BN_MONT_CTX|. |table| must be aligned to at least\n// 16 bytes. |power| must be less than 32 and is treated as secret.\n//\n// WARNING: This function implements Almost Montgomery Multiplication from\n// https://eprint.iacr.org/2011/239. The inputs do not need to be fully reduced.\n// However, even if they are fully reduced, the output may not be.\nstatic void bn_mul_mont_gather5(BN_ULONG *rp, const BN_ULONG *ap,\n const BN_ULONG *table, const BN_ULONG *np,\n const BN_ULONG *n0, int num, int power) {\n if (bn_mulx4x_mont_gather5_capable(num)) {\n bn_mulx4x_mont_gather5(rp, ap, table, np, n0, num, power);\n } else if (bn_mul4x_mont_gather5_capable(num)) {\n bn_mul4x_mont_gather5(rp, ap, table, np, n0, num, power);\n } else {\n bn_mul_mont_gather5_nohw(rp, ap, table, np, n0, num, power);\n }\n}\n\n// bn_power5 squares |ap| five times and multiplies it by the value stored at\n// index |power| of |table|, modulo |np|. It stores the result in |rp|. The\n// values are |num| words long and represented in Montgomery form. |n0| is a\n// pointer to the corresponding field in |BN_MONT_CTX|. |num| must be divisible\n// by 8. |power| must be less than 32 and is treated as secret.\n//\n// WARNING: This function implements Almost Montgomery Multiplication from\n// https://eprint.iacr.org/2011/239. The inputs do not need to be fully reduced.\n// However, even if they are fully reduced, the output may not be.\nstatic void bn_power5(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *table,\n const BN_ULONG *np, const BN_ULONG *n0, int num,\n int power) {\n assert(bn_power5_capable(num));\n if (bn_powerx5_capable(num)) {\n bn_powerx5(rp, ap, table, np, n0, num, power);\n } else {\n bn_power5_nohw(rp, ap, table, np, n0, num, power);\n }\n}\n\n#endif // defined(OPENSSL_BN_ASM_MONT5)\n\nint BN_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx) {\n int i, bits, ret = 0;\n BIGNUM *v, *rr;\n\n BN_CTX_start(ctx);\n if (r == a || r == p) {\n rr = BN_CTX_get(ctx);\n } else {\n rr = r;\n }\n\n v = BN_CTX_get(ctx);\n if (rr == NULL || v == NULL) {\n goto err;\n }\n\n if (BN_copy(v, a) == NULL) {\n goto err;\n }\n bits = BN_num_bits(p);\n\n if (BN_is_odd(p)) {\n if (BN_copy(rr, a) == NULL) {\n goto err;\n }\n } else {\n if (!BN_one(rr)) {\n goto err;\n }\n }\n\n for (i = 1; i < bits; i++) {\n if (!BN_sqr(v, v, ctx)) {\n goto err;\n }\n if (BN_is_bit_set(p, i)) {\n if (!BN_mul(rr, rr, v, ctx)) {\n goto err;\n }\n }\n }\n\n if (r != rr && !BN_copy(r, rr)) {\n goto err;\n }\n ret = 1;\n\nerr:\n BN_CTX_end(ctx);\n return ret;\n}\n\nnamespace {\ntypedef struct bn_recp_ctx_st {\n BIGNUM N; // the divisor\n BIGNUM Nr; // the reciprocal\n int num_bits;\n int shift;\n int flags;\n} BN_RECP_CTX;\n} // namespace\n\nstatic void BN_RECP_CTX_init(BN_RECP_CTX *recp) {\n BN_init(&recp->N);\n BN_init(&recp->Nr);\n recp->num_bits = 0;\n recp->shift = 0;\n recp->flags = 0;\n}\n\nstatic void BN_RECP_CTX_free(BN_RECP_CTX *recp) {\n if (recp == nullptr) {\n return;\n }\n BN_free(&recp->N);\n BN_free(&recp->Nr);\n}\n\nstatic int BN_RECP_CTX_set(BN_RECP_CTX *recp, const BIGNUM *d, BN_CTX *ctx) {\n if (!BN_copy(&(recp->N), d)) {\n return 0;\n }\n BN_zero(&recp->Nr);\n recp->num_bits = BN_num_bits(d);\n recp->shift = 0;\n\n return 1;\n}\n\n// len is the expected size of the result We actually calculate with an extra\n// word of precision, so we can do faster division if the remainder is not\n// required.\n// r := 2^len / m\nstatic int BN_reciprocal(BIGNUM *r, const BIGNUM *m, int len, BN_CTX *ctx) {\n int ret = -1;\n BIGNUM *t;\n\n BN_CTX_start(ctx);\n t = BN_CTX_get(ctx);\n if (t == NULL) {\n goto err;\n }\n\n if (!BN_set_bit(t, len)) {\n goto err;\n }\n\n if (!BN_div(r, NULL, t, m, ctx)) {\n goto err;\n }\n\n ret = len;\n\nerr:\n BN_CTX_end(ctx);\n return ret;\n}\n\nstatic int BN_div_recp(BIGNUM *dv, BIGNUM *rem, const BIGNUM *m,\n BN_RECP_CTX *recp, BN_CTX *ctx) {\n int i, j, ret = 0;\n BIGNUM *a, *b, *d, *r;\n\n BN_CTX_start(ctx);\n a = BN_CTX_get(ctx);\n b = BN_CTX_get(ctx);\n if (dv != NULL) {\n d = dv;\n } else {\n d = BN_CTX_get(ctx);\n }\n\n if (rem != NULL) {\n r = rem;\n } else {\n r = BN_CTX_get(ctx);\n }\n\n if (a == NULL || b == NULL || d == NULL || r == NULL) {\n goto err;\n }\n\n if (BN_ucmp(m, &recp->N) < 0) {\n BN_zero(d);\n if (!BN_copy(r, m)) {\n goto err;\n }\n BN_CTX_end(ctx);\n return 1;\n }\n\n // We want the remainder\n // Given input of ABCDEF / ab\n // we need multiply ABCDEF by 3 digests of the reciprocal of ab\n\n // i := max(BN_num_bits(m), 2*BN_num_bits(N))\n i = BN_num_bits(m);\n j = recp->num_bits << 1;\n if (j > i) {\n i = j;\n }\n\n // Nr := round(2^i / N)\n if (i != recp->shift) {\n recp->shift =\n BN_reciprocal(&(recp->Nr), &(recp->N), i,\n ctx); // BN_reciprocal returns i, or -1 for an error\n }\n\n if (recp->shift == -1) {\n goto err;\n }\n\n // d := |round(round(m / 2^BN_num_bits(N)) * recp->Nr / 2^(i -\n // BN_num_bits(N)))|\n // = |round(round(m / 2^BN_num_bits(N)) * round(2^i / N) / 2^(i -\n // BN_num_bits(N)))|\n // <= |(m / 2^BN_num_bits(N)) * (2^i / N) * (2^BN_num_bits(N) / 2^i)|\n // = |m/N|\n if (!BN_rshift(a, m, recp->num_bits)) {\n goto err;\n }\n if (!BN_mul(b, a, &(recp->Nr), ctx)) {\n goto err;\n }\n if (!BN_rshift(d, b, i - recp->num_bits)) {\n goto err;\n }\n d->neg = 0;\n\n if (!BN_mul(b, &(recp->N), d, ctx)) {\n goto err;\n }\n if (!BN_usub(r, m, b)) {\n goto err;\n }\n r->neg = 0;\n\n j = 0;\n while (BN_ucmp(r, &(recp->N)) >= 0) {\n if (j++ > 2) {\n OPENSSL_PUT_ERROR(BN, BN_R_BAD_RECIPROCAL);\n goto err;\n }\n if (!BN_usub(r, r, &(recp->N))) {\n goto err;\n }\n if (!BN_add_word(d, 1)) {\n goto err;\n }\n }\n\n r->neg = BN_is_zero(r) ? 0 : m->neg;\n d->neg = m->neg ^ recp->N.neg;\n ret = 1;\n\nerr:\n BN_CTX_end(ctx);\n return ret;\n}\n\nstatic int BN_mod_mul_reciprocal(BIGNUM *r, const BIGNUM *x, const BIGNUM *y,\n BN_RECP_CTX *recp, BN_CTX *ctx) {\n int ret = 0;\n BIGNUM *a;\n const BIGNUM *ca;\n\n BN_CTX_start(ctx);\n a = BN_CTX_get(ctx);\n if (a == NULL) {\n goto err;\n }\n\n if (y != NULL) {\n if (x == y) {\n if (!BN_sqr(a, x, ctx)) {\n goto err;\n }\n } else {\n if (!BN_mul(a, x, y, ctx)) {\n goto err;\n }\n }\n ca = a;\n } else {\n ca = x; // Just do the mod\n }\n\n ret = BN_div_recp(NULL, r, ca, recp, ctx);\n\nerr:\n BN_CTX_end(ctx);\n return ret;\n}\n\n// BN_window_bits_for_exponent_size returns sliding window size for mod_exp with\n// a |b| bit exponent.\n//\n// For window size 'w' (w >= 2) and a random 'b' bits exponent, the number of\n// multiplications is a constant plus on average\n//\n// 2^(w-1) + (b-w)/(w+1);\n//\n// here 2^(w-1) is for precomputing the table (we actually need entries only\n// for windows that have the lowest bit set), and (b-w)/(w+1) is an\n// approximation for the expected number of w-bit windows, not counting the\n// first one.\n//\n// Thus we should use\n//\n// w >= 6 if b > 671\n// w = 5 if 671 > b > 239\n// w = 4 if 239 > b > 79\n// w = 3 if 79 > b > 23\n// w <= 2 if 23 > b\n//\n// (with draws in between). Very small exponents are often selected\n// with low Hamming weight, so we use w = 1 for b <= 23.\nstatic int BN_window_bits_for_exponent_size(size_t b) {\n if (b > 671) {\n return 6;\n }\n if (b > 239) {\n return 5;\n }\n if (b > 79) {\n return 4;\n }\n if (b > 23) {\n return 3;\n }\n return 1;\n}\n\n// TABLE_SIZE is the maximum precomputation table size for *variable* sliding\n// windows. This must be 2^(max_window - 1), where max_window is the largest\n// value returned from |BN_window_bits_for_exponent_size|.\n#define TABLE_SIZE 32\n\n// TABLE_BITS_SMALL is the smallest value returned from\n// |BN_window_bits_for_exponent_size| when |b| is at most |BN_BITS2| *\n// |BN_SMALL_MAX_WORDS| words.\n#define TABLE_BITS_SMALL 5\n\n// TABLE_SIZE_SMALL is the same as |TABLE_SIZE|, but when |b| is at most\n// |BN_BITS2| * |BN_SMALL_MAX_WORDS|.\n#define TABLE_SIZE_SMALL (1 << (TABLE_BITS_SMALL - 1))\n\nstatic int mod_exp_recp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,\n const BIGNUM *m, BN_CTX *ctx) {\n int i, j, ret = 0, wstart, window;\n int start = 1;\n BIGNUM *aa;\n // Table of variables obtained from 'ctx'\n BIGNUM *val[TABLE_SIZE];\n BN_RECP_CTX recp;\n\n // This function is only called on even moduli.\n assert(!BN_is_odd(m));\n\n int bits = BN_num_bits(p);\n if (bits == 0) {\n return BN_one(r);\n }\n\n BN_RECP_CTX_init(&recp);\n BN_CTX_start(ctx);\n aa = BN_CTX_get(ctx);\n val[0] = BN_CTX_get(ctx);\n if (!aa || !val[0]) {\n goto err;\n }\n\n if (m->neg) {\n // ignore sign of 'm'\n if (!BN_copy(aa, m)) {\n goto err;\n }\n aa->neg = 0;\n if (BN_RECP_CTX_set(&recp, aa, ctx) <= 0) {\n goto err;\n }\n } else {\n if (BN_RECP_CTX_set(&recp, m, ctx) <= 0) {\n goto err;\n }\n }\n\n if (!BN_nnmod(val[0], a, m, ctx)) {\n goto err; // 1\n }\n if (BN_is_zero(val[0])) {\n BN_zero(r);\n ret = 1;\n goto err;\n }\n\n window = BN_window_bits_for_exponent_size(bits);\n if (window > 1) {\n if (!BN_mod_mul_reciprocal(aa, val[0], val[0], &recp, ctx)) {\n goto err; // 2\n }\n j = 1 << (window - 1);\n for (i = 1; i < j; i++) {\n if (((val[i] = BN_CTX_get(ctx)) == NULL) ||\n !BN_mod_mul_reciprocal(val[i], val[i - 1], aa, &recp, ctx)) {\n goto err;\n }\n }\n }\n\n start = 1; // This is used to avoid multiplication etc\n // when there is only the value '1' in the\n // buffer.\n wstart = bits - 1; // The top bit of the window\n\n if (!BN_one(r)) {\n goto err;\n }\n\n for (;;) {\n int wvalue; // The 'value' of the window\n int wend; // The bottom bit of the window\n\n if (!BN_is_bit_set(p, wstart)) {\n if (!start) {\n if (!BN_mod_mul_reciprocal(r, r, r, &recp, ctx)) {\n goto err;\n }\n }\n if (wstart == 0) {\n break;\n }\n wstart--;\n continue;\n }\n\n // We now have wstart on a 'set' bit, we now need to work out\n // how bit a window to do. To do this we need to scan\n // forward until the last set bit before the end of the\n // window\n wvalue = 1;\n wend = 0;\n for (i = 1; i < window; i++) {\n if (wstart - i < 0) {\n break;\n }\n if (BN_is_bit_set(p, wstart - i)) {\n wvalue <<= (i - wend);\n wvalue |= 1;\n wend = i;\n }\n }\n\n // wend is the size of the current window\n j = wend + 1;\n // add the 'bytes above'\n if (!start) {\n for (i = 0; i < j; i++) {\n if (!BN_mod_mul_reciprocal(r, r, r, &recp, ctx)) {\n goto err;\n }\n }\n }\n\n // wvalue will be an odd number < 2^window\n if (!BN_mod_mul_reciprocal(r, r, val[wvalue >> 1], &recp, ctx)) {\n goto err;\n }\n\n // move the 'window' down further\n wstart -= wend + 1;\n start = 0;\n if (wstart < 0) {\n break;\n }\n }\n ret = 1;\n\nerr:\n BN_CTX_end(ctx);\n BN_RECP_CTX_free(&recp);\n return ret;\n}\n\nint BN_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m,\n BN_CTX *ctx) {\n if (m->neg) {\n OPENSSL_PUT_ERROR(BN, BN_R_NEGATIVE_NUMBER);\n return 0;\n }\n if (a->neg || BN_ucmp(a, m) >= 0) {\n if (!BN_nnmod(r, a, m, ctx)) {\n return 0;\n }\n a = r;\n }\n\n if (BN_is_odd(m)) {\n return BN_mod_exp_mont(r, a, p, m, ctx, NULL);\n }\n\n return mod_exp_recp(r, a, p, m, ctx);\n}\n\nint BN_mod_exp_mont(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,\n const BIGNUM *m, BN_CTX *ctx, const BN_MONT_CTX *mont) {\n if (!BN_is_odd(m)) {\n OPENSSL_PUT_ERROR(BN, BN_R_CALLED_WITH_EVEN_MODULUS);\n return 0;\n }\n if (m->neg) {\n OPENSSL_PUT_ERROR(BN, BN_R_NEGATIVE_NUMBER);\n return 0;\n }\n // |a| is secret, but |a < m| is not.\n if (a->neg || constant_time_declassify_int(BN_ucmp(a, m)) >= 0) {\n OPENSSL_PUT_ERROR(BN, BN_R_INPUT_NOT_REDUCED);\n return 0;\n }\n\n int bits = BN_num_bits(p);\n if (bits == 0) {\n // x**0 mod 1 is still zero.\n if (BN_abs_is_word(m, 1)) {\n BN_zero(rr);\n return 1;\n }\n return BN_one(rr);\n }\n\n int ret = 0;\n BIGNUM *val[TABLE_SIZE];\n BN_MONT_CTX *new_mont = NULL;\n\n BN_CTX_start(ctx);\n BIGNUM *r = BN_CTX_get(ctx);\n val[0] = BN_CTX_get(ctx);\n int window, r_is_one, wstart;\n if (r == NULL || val[0] == NULL) {\n goto err;\n }\n\n // Allocate a montgomery context if it was not supplied by the caller.\n if (mont == NULL) {\n new_mont = BN_MONT_CTX_new_consttime(m, ctx);\n if (new_mont == NULL) {\n goto err;\n }\n mont = new_mont;\n }\n\n // We exponentiate by looking at sliding windows of the exponent and\n // precomputing powers of |a|. Windows may be shifted so they always end on a\n // set bit, so only precompute odd powers. We compute val[i] = a^(2*i + 1)\n // for i = 0 to 2^(window-1), all in Montgomery form.\n window = BN_window_bits_for_exponent_size(bits);\n if (!BN_to_montgomery(val[0], a, mont, ctx)) {\n goto err;\n }\n if (window > 1) {\n BIGNUM *d = BN_CTX_get(ctx);\n if (d == NULL || !BN_mod_mul_montgomery(d, val[0], val[0], mont, ctx)) {\n goto err;\n }\n for (int i = 1; i < 1 << (window - 1); i++) {\n val[i] = BN_CTX_get(ctx);\n if (val[i] == NULL ||\n !BN_mod_mul_montgomery(val[i], val[i - 1], d, mont, ctx)) {\n goto err;\n }\n }\n }\n\n // |p| is non-zero, so at least one window is non-zero. To save some\n // multiplications, defer initializing |r| until then.\n r_is_one = 1;\n wstart = bits - 1; // The top bit of the window.\n for (;;) {\n if (!BN_is_bit_set(p, wstart)) {\n if (!r_is_one && !BN_mod_mul_montgomery(r, r, r, mont, ctx)) {\n goto err;\n }\n if (wstart == 0) {\n break;\n }\n wstart--;\n continue;\n }\n\n // We now have wstart on a set bit. Find the largest window we can use.\n int wvalue = 1;\n int wsize = 0;\n for (int i = 1; i < window && i <= wstart; i++) {\n if (BN_is_bit_set(p, wstart - i)) {\n wvalue <<= (i - wsize);\n wvalue |= 1;\n wsize = i;\n }\n }\n\n // Shift |r| to the end of the window.\n if (!r_is_one) {\n for (int i = 0; i < wsize + 1; i++) {\n if (!BN_mod_mul_montgomery(r, r, r, mont, ctx)) {\n goto err;\n }\n }\n }\n\n assert(wvalue & 1);\n assert(wvalue < (1 << window));\n if (r_is_one) {\n if (!BN_copy(r, val[wvalue >> 1])) {\n goto err;\n }\n } else if (!BN_mod_mul_montgomery(r, r, val[wvalue >> 1], mont, ctx)) {\n goto err;\n }\n\n r_is_one = 0;\n if (wstart == wsize) {\n break;\n }\n wstart -= wsize + 1;\n }\n\n // |p| is non-zero, so |r_is_one| must be cleared at some point.\n assert(!r_is_one);\n\n if (!BN_from_montgomery(rr, r, mont, ctx)) {\n goto err;\n }\n ret = 1;\n\nerr:\n BN_MONT_CTX_free(new_mont);\n BN_CTX_end(ctx);\n return ret;\n}\n\nvoid bn_mod_exp_mont_small(BN_ULONG *r, const BN_ULONG *a, size_t num,\n const BN_ULONG *p, size_t num_p,\n const BN_MONT_CTX *mont) {\n if (num != (size_t)mont->N.width || num > BN_SMALL_MAX_WORDS ||\n num_p > SIZE_MAX / BN_BITS2) {\n abort();\n }\n assert(BN_is_odd(&mont->N));\n\n // Count the number of bits in |p|, skipping leading zeros. Note this function\n // treats |p| as public.\n while (num_p != 0 && p[num_p - 1] == 0) {\n num_p--;\n }\n if (num_p == 0) {\n bn_from_montgomery_small(r, num, mont->RR.d, num, mont);\n return;\n }\n size_t bits = BN_num_bits_word(p[num_p - 1]) + (num_p - 1) * BN_BITS2;\n assert(bits != 0);\n\n // We exponentiate by looking at sliding windows of the exponent and\n // precomputing powers of |a|. Windows may be shifted so they always end on a\n // set bit, so only precompute odd powers. We compute val[i] = a^(2*i + 1) for\n // i = 0 to 2^(window-1), all in Montgomery form.\n unsigned window = BN_window_bits_for_exponent_size(bits);\n if (window > TABLE_BITS_SMALL) {\n window = TABLE_BITS_SMALL; // Tolerate excessively large |p|.\n }\n BN_ULONG val[TABLE_SIZE_SMALL][BN_SMALL_MAX_WORDS];\n OPENSSL_memcpy(val[0], a, num * sizeof(BN_ULONG));\n if (window > 1) {\n BN_ULONG d[BN_SMALL_MAX_WORDS];\n bn_mod_mul_montgomery_small(d, val[0], val[0], num, mont);\n for (unsigned i = 1; i < 1u << (window - 1); i++) {\n bn_mod_mul_montgomery_small(val[i], val[i - 1], d, num, mont);\n }\n }\n\n // |p| is non-zero, so at least one window is non-zero. To save some\n // multiplications, defer initializing |r| until then.\n int r_is_one = 1;\n size_t wstart = bits - 1; // The top bit of the window.\n for (;;) {\n if (!bn_is_bit_set_words(p, num_p, wstart)) {\n if (!r_is_one) {\n bn_mod_mul_montgomery_small(r, r, r, num, mont);\n }\n if (wstart == 0) {\n break;\n }\n wstart--;\n continue;\n }\n\n // We now have wstart on a set bit. Find the largest window we can use.\n unsigned wvalue = 1;\n unsigned wsize = 0;\n for (unsigned i = 1; i < window && i <= wstart; i++) {\n if (bn_is_bit_set_words(p, num_p, wstart - i)) {\n wvalue <<= (i - wsize);\n wvalue |= 1;\n wsize = i;\n }\n }\n\n // Shift |r| to the end of the window.\n if (!r_is_one) {\n for (unsigned i = 0; i < wsize + 1; i++) {\n bn_mod_mul_montgomery_small(r, r, r, num, mont);\n }\n }\n\n assert(wvalue & 1);\n assert(wvalue < (1u << window));\n if (r_is_one) {\n OPENSSL_memcpy(r, val[wvalue >> 1], num * sizeof(BN_ULONG));\n } else {\n bn_mod_mul_montgomery_small(r, r, val[wvalue >> 1], num, mont);\n }\n r_is_one = 0;\n if (wstart == wsize) {\n break;\n }\n wstart -= wsize + 1;\n }\n\n // |p| is non-zero, so |r_is_one| must be cleared at some point.\n assert(!r_is_one);\n OPENSSL_cleanse(val, sizeof(val));\n}\n\nvoid bn_mod_inverse0_prime_mont_small(BN_ULONG *r, const BN_ULONG *a,\n size_t num, const BN_MONT_CTX *mont) {\n if (num != (size_t)mont->N.width || num > BN_SMALL_MAX_WORDS) {\n abort();\n }\n\n // Per Fermat's Little Theorem, a^-1 = a^(p-2) (mod p) for p prime.\n BN_ULONG p_minus_two[BN_SMALL_MAX_WORDS];\n const BN_ULONG *p = mont->N.d;\n OPENSSL_memcpy(p_minus_two, p, num * sizeof(BN_ULONG));\n if (p_minus_two[0] >= 2) {\n p_minus_two[0] -= 2;\n } else {\n p_minus_two[0] -= 2;\n for (size_t i = 1; i < num; i++) {\n if (p_minus_two[i]-- != 0) {\n break;\n }\n }\n }\n\n bn_mod_exp_mont_small(r, a, num, p_minus_two, num, mont);\n}\n\nstatic void copy_to_prebuf(const BIGNUM *b, int top, BN_ULONG *table, int idx,\n int window) {\n int ret = bn_copy_words(table + idx * top, top, b);\n assert(ret); // |b| is guaranteed to fit.\n (void)ret;\n}\n\nstatic int copy_from_prebuf(BIGNUM *b, int top, const BN_ULONG *table, int idx,\n int window) {\n if (!bn_wexpand(b, top)) {\n return 0;\n }\n\n OPENSSL_memset(b->d, 0, sizeof(BN_ULONG) * top);\n const int width = 1 << window;\n for (int i = 0; i < width; i++, table += top) {\n // Use a value barrier to prevent Clang from adding a branch when |i != idx|\n // and making this copy not constant time. Clang is still allowed to learn\n // that |mask| is constant across the inner loop, so this won't inhibit any\n // vectorization it might do.\n BN_ULONG mask = value_barrier_w(constant_time_eq_int(i, idx));\n for (int j = 0; j < top; j++) {\n b->d[j] |= table[j] & mask;\n }\n }\n\n b->width = top;\n return 1;\n}\n\n// Window sizes optimized for fixed window size modular exponentiation\n// algorithm (BN_mod_exp_mont_consttime).\n//\n// TODO(davidben): These window sizes were originally set for 64-byte cache\n// lines with a cache-line-dependent constant-time mitigation. They can probably\n// be revised now that our implementation is no longer cache-time-dependent.\n#define BN_window_bits_for_ctime_exponent_size(b) \\\n ((b) > 937 ? 6 : (b) > 306 ? 5 : (b) > 89 ? 4 : (b) > 22 ? 3 : 1)\n#define BN_MAX_MOD_EXP_CTIME_WINDOW (6)\n\n// This variant of |BN_mod_exp_mont| uses fixed windows and fixed memory access\n// patterns to protect secret exponents (cf. the hyper-threading timing attacks\n// pointed out by Colin Percival,\n// http://www.daemonology.net/hyperthreading-considered-harmful/)\nint BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,\n const BIGNUM *m, BN_CTX *ctx,\n const BN_MONT_CTX *mont) {\n int i, ret = 0, wvalue;\n BN_MONT_CTX *new_mont = NULL;\n\n void *powerbuf_free = NULL;\n size_t powerbuf_len = 0;\n BN_ULONG *powerbuf = NULL;\n\n if (!BN_is_odd(m)) {\n OPENSSL_PUT_ERROR(BN, BN_R_CALLED_WITH_EVEN_MODULUS);\n return 0;\n }\n if (m->neg) {\n OPENSSL_PUT_ERROR(BN, BN_R_NEGATIVE_NUMBER);\n return 0;\n }\n // |a| is secret, but it is required to be in range, so these comparisons may\n // be leaked.\n if (a->neg || constant_time_declassify_int(BN_ucmp(a, m) >= 0)) {\n OPENSSL_PUT_ERROR(BN, BN_R_INPUT_NOT_REDUCED);\n return 0;\n }\n\n // Use all bits stored in |p|, rather than |BN_num_bits|, so we do not leak\n // whether the top bits are zero.\n int max_bits = p->width * BN_BITS2;\n int bits = max_bits;\n if (bits == 0) {\n // x**0 mod 1 is still zero.\n if (BN_abs_is_word(m, 1)) {\n BN_zero(rr);\n return 1;\n }\n return BN_one(rr);\n }\n\n // Allocate a montgomery context if it was not supplied by the caller.\n int top, num_powers, window;\n if (mont == NULL) {\n new_mont = BN_MONT_CTX_new_consttime(m, ctx);\n if (new_mont == NULL) {\n goto err;\n }\n mont = new_mont;\n }\n\n // Use the width in |mont->N|, rather than the copy in |m|. The assembly\n // implementation assumes it can use |top| to size R.\n top = mont->N.width;\n\n#if defined(OPENSSL_BN_ASM_MONT5) || defined(RSAZ_ENABLED)\n // Share one large stack-allocated buffer between the RSAZ and non-RSAZ code\n // paths. If we were to use separate static buffers for each then there is\n // some chance that both large buffers would be allocated on the stack,\n // causing the stack space requirement to be truly huge (~10KB).\n alignas(MOD_EXP_CTIME_ALIGN) BN_ULONG storage[MOD_EXP_CTIME_STORAGE_LEN];\n#endif\n#if defined(RSAZ_ENABLED)\n // If the size of the operands allow it, perform the optimized RSAZ\n // exponentiation. For further information see crypto/fipsmodule/bn/rsaz_exp.c\n // and accompanying assembly modules.\n if (a->width == 16 && p->width == 16 && BN_num_bits(m) == 1024 &&\n rsaz_avx2_preferred()) {\n if (!bn_wexpand(rr, 16)) {\n goto err;\n }\n RSAZ_1024_mod_exp_avx2(rr->d, a->d, p->d, m->d, mont->RR.d, mont->n0[0],\n storage);\n rr->width = 16;\n rr->neg = 0;\n ret = 1;\n goto err;\n }\n#endif\n\n // Get the window size to use with size of p.\n window = BN_window_bits_for_ctime_exponent_size(bits);\n assert(window <= BN_MAX_MOD_EXP_CTIME_WINDOW);\n\n // Calculating |powerbuf_len| below cannot overflow because of the bound on\n // Montgomery reduction.\n assert((size_t)top <= BN_MONTGOMERY_MAX_WORDS);\n static_assert(\n BN_MONTGOMERY_MAX_WORDS <=\n INT_MAX / sizeof(BN_ULONG) / ((1 << BN_MAX_MOD_EXP_CTIME_WINDOW) + 3),\n \"powerbuf_len may overflow\");\n\n#if defined(OPENSSL_BN_ASM_MONT5)\n if (window >= 5) {\n window = 5; // ~5% improvement for RSA2048 sign, and even for RSA4096\n // Reserve space for the |mont->N| copy.\n powerbuf_len += top * sizeof(mont->N.d[0]);\n }\n#endif\n\n // Allocate a buffer large enough to hold all of the pre-computed\n // powers of |am|, |am| itself, and |tmp|.\n num_powers = 1 << window;\n powerbuf_len += sizeof(m->d[0]) * top * (num_powers + 2);\n\n#if defined(OPENSSL_BN_ASM_MONT5)\n if (powerbuf_len <= sizeof(storage)) {\n powerbuf = storage;\n }\n // |storage| is more than large enough to handle 1024-bit inputs.\n assert(powerbuf != NULL || top * BN_BITS2 > 1024);\n#endif\n if (powerbuf == NULL) {\n powerbuf_free = OPENSSL_malloc(powerbuf_len + MOD_EXP_CTIME_ALIGN);\n if (powerbuf_free == NULL) {\n goto err;\n }\n powerbuf = reinterpret_cast(\n align_pointer(powerbuf_free, MOD_EXP_CTIME_ALIGN));\n }\n OPENSSL_memset(powerbuf, 0, powerbuf_len);\n\n // Place |tmp| and |am| right after powers table.\n BIGNUM tmp, am;\n tmp.d = powerbuf + top * num_powers;\n am.d = tmp.d + top;\n tmp.width = am.width = 0;\n tmp.dmax = am.dmax = top;\n tmp.neg = am.neg = 0;\n tmp.flags = am.flags = BN_FLG_STATIC_DATA;\n\n if (!bn_one_to_montgomery(&tmp, mont, ctx) || !bn_resize_words(&tmp, top)) {\n goto err;\n }\n\n // Prepare a^1 in the Montgomery domain.\n assert(!a->neg);\n declassify_assert(BN_ucmp(a, m) < 0);\n if (!BN_to_montgomery(&am, a, mont, ctx) || !bn_resize_words(&am, top)) {\n goto err;\n }\n\n#if defined(OPENSSL_BN_ASM_MONT5)\n // This optimization uses ideas from https://eprint.iacr.org/2011/239,\n // specifically optimization of cache-timing attack countermeasures,\n // pre-computation optimization, and Almost Montgomery Multiplication.\n //\n // The paper discusses a 4-bit window to optimize 512-bit modular\n // exponentiation, used in RSA-1024 with CRT, but RSA-1024 is no longer\n // important.\n //\n // |bn_mul_mont_gather5| and |bn_power5| implement the \"almost\" reduction\n // variant, so the values here may not be fully reduced. They are bounded by R\n // (i.e. they fit in |top| words), not |m|. Additionally, we pass these\n // \"almost\" reduced inputs into |bn_mul_mont|, which implements the normal\n // reduction variant. Given those inputs, |bn_mul_mont| may not give reduced\n // output, but it will still produce \"almost\" reduced output.\n //\n // TODO(davidben): Using \"almost\" reduction complicates analysis of this code,\n // and its interaction with other parts of the project. Determine whether this\n // is actually necessary for performance.\n if (window == 5 && top > 1) {\n // Copy |mont->N| to improve cache locality.\n BN_ULONG *np = am.d + top;\n for (i = 0; i < top; i++) {\n np[i] = mont->N.d[i];\n }\n\n // Fill |powerbuf| with the first 32 powers of |am|.\n const BN_ULONG *n0 = mont->n0;\n bn_scatter5(tmp.d, top, powerbuf, 0);\n bn_scatter5(am.d, am.width, powerbuf, 1);\n bn_mul_mont(tmp.d, am.d, am.d, np, n0, top);\n bn_scatter5(tmp.d, top, powerbuf, 2);\n\n // Square to compute powers of two.\n for (i = 4; i < 32; i *= 2) {\n bn_mul_mont(tmp.d, tmp.d, tmp.d, np, n0, top);\n bn_scatter5(tmp.d, top, powerbuf, i);\n }\n // Compute odd powers |i| based on |i - 1|, then all powers |i * 2^j|.\n for (i = 3; i < 32; i += 2) {\n bn_mul_mont_gather5(tmp.d, am.d, powerbuf, np, n0, top, i - 1);\n bn_scatter5(tmp.d, top, powerbuf, i);\n for (int j = 2 * i; j < 32; j *= 2) {\n bn_mul_mont(tmp.d, tmp.d, tmp.d, np, n0, top);\n bn_scatter5(tmp.d, top, powerbuf, j);\n }\n }\n\n bits--;\n for (wvalue = 0, i = bits % 5; i >= 0; i--, bits--) {\n wvalue = (wvalue << 1) + BN_is_bit_set(p, bits);\n }\n bn_gather5(tmp.d, top, powerbuf, wvalue);\n\n // At this point |bits| is 4 mod 5 and at least -1. (|bits| is the first bit\n // that has not been read yet.)\n assert(bits >= -1 && (bits == -1 || bits % 5 == 4));\n\n // Scan the exponent one window at a time starting from the most\n // significant bits.\n if (!bn_power5_capable(top)) {\n while (bits >= 0) {\n for (wvalue = 0, i = 0; i < 5; i++, bits--) {\n wvalue = (wvalue << 1) + BN_is_bit_set(p, bits);\n }\n\n bn_mul_mont(tmp.d, tmp.d, tmp.d, np, n0, top);\n bn_mul_mont(tmp.d, tmp.d, tmp.d, np, n0, top);\n bn_mul_mont(tmp.d, tmp.d, tmp.d, np, n0, top);\n bn_mul_mont(tmp.d, tmp.d, tmp.d, np, n0, top);\n bn_mul_mont(tmp.d, tmp.d, tmp.d, np, n0, top);\n bn_mul_mont_gather5(tmp.d, tmp.d, powerbuf, np, n0, top, wvalue);\n }\n } else {\n const uint8_t *p_bytes = (const uint8_t *)p->d;\n assert(bits < max_bits);\n // |p = 0| has been handled as a special case, so |max_bits| is at least\n // one word.\n assert(max_bits >= 64);\n\n // If the first bit to be read lands in the last byte, unroll the first\n // iteration to avoid reading past the bounds of |p->d|. (After the first\n // iteration, we are guaranteed to be past the last byte.) Note |bits|\n // here is the top bit, inclusive.\n if (bits - 4 >= max_bits - 8) {\n // Read five bits from |bits-4| through |bits|, inclusive.\n wvalue = p_bytes[p->width * BN_BYTES - 1];\n wvalue >>= (bits - 4) & 7;\n wvalue &= 0x1f;\n bits -= 5;\n bn_power5(tmp.d, tmp.d, powerbuf, np, n0, top, wvalue);\n }\n while (bits >= 0) {\n // Read five bits from |bits-4| through |bits|, inclusive.\n int first_bit = bits - 4;\n uint16_t val;\n OPENSSL_memcpy(&val, p_bytes + (first_bit >> 3), sizeof(val));\n val >>= first_bit & 7;\n val &= 0x1f;\n bits -= 5;\n bn_power5(tmp.d, tmp.d, powerbuf, np, n0, top, val);\n }\n }\n // The result is now in |tmp| in Montgomery form, but it may not be fully\n // reduced. This is within bounds for |BN_from_montgomery| (tmp < R <= m*R)\n // so it will, when converting from Montgomery form, produce a fully reduced\n // result.\n //\n // This differs from Figure 2 of the paper, which uses AMM(h, 1) to convert\n // from Montgomery form with unreduced output, followed by an extra\n // reduction step. In the paper's terminology, we replace steps 9 and 10\n // with MM(h, 1).\n } else\n#endif\n {\n copy_to_prebuf(&tmp, top, powerbuf, 0, window);\n copy_to_prebuf(&am, top, powerbuf, 1, window);\n\n // If the window size is greater than 1, then calculate\n // val[i=2..2^winsize-1]. Powers are computed as a*a^(i-1)\n // (even powers could instead be computed as (a^(i/2))^2\n // to use the slight performance advantage of sqr over mul).\n if (window > 1) {\n if (!BN_mod_mul_montgomery(&tmp, &am, &am, mont, ctx)) {\n goto err;\n }\n\n copy_to_prebuf(&tmp, top, powerbuf, 2, window);\n\n for (i = 3; i < num_powers; i++) {\n // Calculate a^i = a^(i-1) * a\n if (!BN_mod_mul_montgomery(&tmp, &am, &tmp, mont, ctx)) {\n goto err;\n }\n\n copy_to_prebuf(&tmp, top, powerbuf, i, window);\n }\n }\n\n bits--;\n for (wvalue = 0, i = bits % window; i >= 0; i--, bits--) {\n wvalue = (wvalue << 1) + BN_is_bit_set(p, bits);\n }\n if (!copy_from_prebuf(&tmp, top, powerbuf, wvalue, window)) {\n goto err;\n }\n\n // Scan the exponent one window at a time starting from the most\n // significant bits.\n while (bits >= 0) {\n wvalue = 0; // The 'value' of the window\n\n // Scan the window, squaring the result as we go\n for (i = 0; i < window; i++, bits--) {\n if (!BN_mod_mul_montgomery(&tmp, &tmp, &tmp, mont, ctx)) {\n goto err;\n }\n wvalue = (wvalue << 1) + BN_is_bit_set(p, bits);\n }\n\n // Fetch the appropriate pre-computed value from the pre-buf\n if (!copy_from_prebuf(&am, top, powerbuf, wvalue, window)) {\n goto err;\n }\n\n // Multiply the result into the intermediate result\n if (!BN_mod_mul_montgomery(&tmp, &tmp, &am, mont, ctx)) {\n goto err;\n }\n }\n }\n\n // Convert the final result from Montgomery to standard format. If we used the\n // |OPENSSL_BN_ASM_MONT5| codepath, |tmp| may not be fully reduced. It is only\n // bounded by R rather than |m|. However, that is still within bounds for\n // |BN_from_montgomery|, which implements full Montgomery reduction, not\n // \"almost\" Montgomery reduction.\n if (!BN_from_montgomery(rr, &tmp, mont, ctx)) {\n goto err;\n }\n ret = 1;\n\nerr:\n BN_MONT_CTX_free(new_mont);\n if (powerbuf != NULL && powerbuf_free == NULL) {\n OPENSSL_cleanse(powerbuf, powerbuf_len);\n }\n OPENSSL_free(powerbuf_free);\n return ret;\n}\n\nint BN_mod_exp_mont_word(BIGNUM *rr, BN_ULONG a, const BIGNUM *p,\n const BIGNUM *m, BN_CTX *ctx,\n const BN_MONT_CTX *mont) {\n BIGNUM a_bignum;\n BN_init(&a_bignum);\n\n int ret = 0;\n\n // BN_mod_exp_mont requires reduced inputs.\n if (bn_minimal_width(m) == 1) {\n a %= m->d[0];\n }\n\n if (!BN_set_word(&a_bignum, a)) {\n OPENSSL_PUT_ERROR(BN, ERR_R_INTERNAL_ERROR);\n goto err;\n }\n\n ret = BN_mod_exp_mont(rr, &a_bignum, p, m, ctx, mont);\n\nerr:\n BN_free(&a_bignum);\n\n return ret;\n}\n\n#define TABLE_SIZE 32\n\nint BN_mod_exp2_mont(BIGNUM *rr, const BIGNUM *a1, const BIGNUM *p1,\n const BIGNUM *a2, const BIGNUM *p2, const BIGNUM *m,\n BN_CTX *ctx, const BN_MONT_CTX *mont) {\n BIGNUM tmp;\n BN_init(&tmp);\n\n int ret = 0;\n BN_MONT_CTX *new_mont = NULL;\n\n // Allocate a montgomery context if it was not supplied by the caller.\n if (mont == NULL) {\n new_mont = BN_MONT_CTX_new_for_modulus(m, ctx);\n if (new_mont == NULL) {\n goto err;\n }\n mont = new_mont;\n }\n\n // BN_mod_mul_montgomery removes one Montgomery factor, so passing one\n // Montgomery-encoded and one non-Montgomery-encoded value gives a\n // non-Montgomery-encoded result.\n if (!BN_mod_exp_mont(rr, a1, p1, m, ctx, mont) ||\n !BN_mod_exp_mont(&tmp, a2, p2, m, ctx, mont) ||\n !BN_to_montgomery(rr, rr, mont, ctx) ||\n !BN_mod_mul_montgomery(rr, rr, &tmp, mont, ctx)) {\n goto err;\n }\n\n ret = 1;\n\nerr:\n BN_MONT_CTX_free(new_mont);\n BN_free(&tmp);\n\n return ret;\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/fipsmodule/bn/gcd.cc.inc", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n\n#include \"internal.h\"\n\n\nint BN_mod_inverse_odd(BIGNUM *out, int *out_no_inverse, const BIGNUM *a,\n const BIGNUM *n, BN_CTX *ctx) {\n *out_no_inverse = 0;\n\n if (!BN_is_odd(n)) {\n OPENSSL_PUT_ERROR(BN, BN_R_CALLED_WITH_EVEN_MODULUS);\n return 0;\n }\n\n if (BN_is_negative(a) || BN_cmp(a, n) >= 0) {\n OPENSSL_PUT_ERROR(BN, BN_R_INPUT_NOT_REDUCED);\n return 0;\n }\n\n BIGNUM *A, *B, *X, *Y;\n int ret = 0;\n int sign;\n\n BN_CTX_start(ctx);\n A = BN_CTX_get(ctx);\n B = BN_CTX_get(ctx);\n X = BN_CTX_get(ctx);\n Y = BN_CTX_get(ctx);\n BIGNUM *R = out;\n if (Y == NULL) {\n goto err;\n }\n\n BN_zero(Y);\n if (!BN_one(X) || BN_copy(B, a) == NULL || BN_copy(A, n) == NULL) {\n goto err;\n }\n A->neg = 0;\n sign = -1;\n // From B = a mod |n|, A = |n| it follows that\n //\n // 0 <= B < A,\n // -sign*X*a == B (mod |n|),\n // sign*Y*a == A (mod |n|).\n\n // Binary inversion algorithm; requires odd modulus. This is faster than the\n // general algorithm if the modulus is sufficiently small (about 400 .. 500\n // bits on 32-bit systems, but much more on 64-bit systems)\n int shift;\n\n while (!BN_is_zero(B)) {\n // 0 < B < |n|,\n // 0 < A <= |n|,\n // (1) -sign*X*a == B (mod |n|),\n // (2) sign*Y*a == A (mod |n|)\n\n // Now divide B by the maximum possible power of two in the integers,\n // and divide X by the same value mod |n|.\n // When we're done, (1) still holds.\n shift = 0;\n while (!BN_is_bit_set(B, shift)) {\n // note that 0 < B\n shift++;\n\n if (BN_is_odd(X)) {\n if (!BN_uadd(X, X, n)) {\n goto err;\n }\n }\n // now X is even, so we can easily divide it by two\n if (!BN_rshift1(X, X)) {\n goto err;\n }\n }\n if (shift > 0) {\n if (!BN_rshift(B, B, shift)) {\n goto err;\n }\n }\n\n // Same for A and Y. Afterwards, (2) still holds.\n shift = 0;\n while (!BN_is_bit_set(A, shift)) {\n // note that 0 < A\n shift++;\n\n if (BN_is_odd(Y)) {\n if (!BN_uadd(Y, Y, n)) {\n goto err;\n }\n }\n // now Y is even\n if (!BN_rshift1(Y, Y)) {\n goto err;\n }\n }\n if (shift > 0) {\n if (!BN_rshift(A, A, shift)) {\n goto err;\n }\n }\n\n // We still have (1) and (2).\n // Both A and B are odd.\n // The following computations ensure that\n //\n // 0 <= B < |n|,\n // 0 < A < |n|,\n // (1) -sign*X*a == B (mod |n|),\n // (2) sign*Y*a == A (mod |n|),\n //\n // and that either A or B is even in the next iteration.\n if (BN_ucmp(B, A) >= 0) {\n // -sign*(X + Y)*a == B - A (mod |n|)\n if (!BN_uadd(X, X, Y)) {\n goto err;\n }\n // NB: we could use BN_mod_add_quick(X, X, Y, n), but that\n // actually makes the algorithm slower\n if (!BN_usub(B, B, A)) {\n goto err;\n }\n } else {\n // sign*(X + Y)*a == A - B (mod |n|)\n if (!BN_uadd(Y, Y, X)) {\n goto err;\n }\n // as above, BN_mod_add_quick(Y, Y, X, n) would slow things down\n if (!BN_usub(A, A, B)) {\n goto err;\n }\n }\n }\n\n if (!BN_is_one(A)) {\n *out_no_inverse = 1;\n OPENSSL_PUT_ERROR(BN, BN_R_NO_INVERSE);\n goto err;\n }\n\n // The while loop (Euclid's algorithm) ends when\n // A == gcd(a,n);\n // we have\n // sign*Y*a == A (mod |n|),\n // where Y is non-negative.\n\n if (sign < 0) {\n if (!BN_sub(Y, n, Y)) {\n goto err;\n }\n }\n // Now Y*a == A (mod |n|).\n\n // Y*a == 1 (mod |n|)\n if (Y->neg || BN_ucmp(Y, n) >= 0) {\n if (!BN_nnmod(Y, Y, n, ctx)) {\n goto err;\n }\n }\n if (!BN_copy(R, Y)) {\n goto err;\n }\n\n ret = 1;\n\nerr:\n BN_CTX_end(ctx);\n return ret;\n}\n\nBIGNUM *BN_mod_inverse(BIGNUM *out, const BIGNUM *a, const BIGNUM *n,\n BN_CTX *ctx) {\n BIGNUM *new_out = NULL;\n if (out == NULL) {\n new_out = BN_new();\n if (new_out == NULL) {\n return NULL;\n }\n out = new_out;\n }\n\n int ok = 0;\n BIGNUM *a_reduced = NULL;\n if (a->neg || BN_ucmp(a, n) >= 0) {\n a_reduced = BN_dup(a);\n if (a_reduced == NULL) {\n goto err;\n }\n if (!BN_nnmod(a_reduced, a_reduced, n, ctx)) {\n goto err;\n }\n a = a_reduced;\n }\n\n int no_inverse;\n if (!BN_is_odd(n)) {\n if (!bn_mod_inverse_consttime(out, &no_inverse, a, n, ctx)) {\n goto err;\n }\n } else if (!BN_mod_inverse_odd(out, &no_inverse, a, n, ctx)) {\n goto err;\n }\n\n ok = 1;\n\nerr:\n if (!ok) {\n BN_free(new_out);\n out = NULL;\n }\n BN_free(a_reduced);\n return out;\n}\n\nint BN_mod_inverse_blinded(BIGNUM *out, int *out_no_inverse, const BIGNUM *a,\n const BN_MONT_CTX *mont, BN_CTX *ctx) {\n *out_no_inverse = 0;\n\n // |a| is secret, but it is required to be in range, so these comparisons may\n // be leaked.\n if (BN_is_negative(a) ||\n constant_time_declassify_int(BN_cmp(a, &mont->N) >= 0)) {\n OPENSSL_PUT_ERROR(BN, BN_R_INPUT_NOT_REDUCED);\n return 0;\n }\n\n int ret = 0;\n BIGNUM blinding_factor;\n BN_init(&blinding_factor);\n\n // |BN_mod_inverse_odd| is leaky, so generate a secret blinding factor and\n // blind |a|. This works because (ar)^-1 * r = a^-1, supposing r is\n // invertible. If r is not invertible, this function will fail. However, we\n // only use this in RSA, where stumbling on an uninvertible element means\n // stumbling on the key's factorization. That is, if this function fails, the\n // RSA key was not actually a product of two large primes.\n //\n // TODO(crbug.com/boringssl/677): When the PRNG output is marked secret by\n // default, the explicit |bn_secret| call can be removed.\n if (!BN_rand_range_ex(&blinding_factor, 1, &mont->N)) {\n goto err;\n }\n bn_secret(&blinding_factor);\n if (!BN_mod_mul_montgomery(out, &blinding_factor, a, mont, ctx)) {\n goto err;\n }\n\n // Once blinded, |out| is no longer secret, so it may be passed to a leaky\n // mod inverse function. Note |blinding_factor| is secret, so |out| will be\n // secret again after multiplying.\n bn_declassify(out);\n if (!BN_mod_inverse_odd(out, out_no_inverse, out, &mont->N, ctx) ||\n !BN_mod_mul_montgomery(out, &blinding_factor, out, mont, ctx)) {\n goto err;\n }\n\n ret = 1;\n\nerr:\n BN_free(&blinding_factor);\n return ret;\n}\n\nint bn_mod_inverse_prime(BIGNUM *out, const BIGNUM *a, const BIGNUM *p,\n BN_CTX *ctx, const BN_MONT_CTX *mont_p) {\n BN_CTX_start(ctx);\n BIGNUM *p_minus_2 = BN_CTX_get(ctx);\n int ok = p_minus_2 != NULL && BN_copy(p_minus_2, p) &&\n BN_sub_word(p_minus_2, 2) &&\n BN_mod_exp_mont(out, a, p_minus_2, p, ctx, mont_p);\n BN_CTX_end(ctx);\n return ok;\n}\n\nint bn_mod_inverse_secret_prime(BIGNUM *out, const BIGNUM *a, const BIGNUM *p,\n BN_CTX *ctx, const BN_MONT_CTX *mont_p) {\n BN_CTX_start(ctx);\n BIGNUM *p_minus_2 = BN_CTX_get(ctx);\n int ok = p_minus_2 != NULL && BN_copy(p_minus_2, p) &&\n BN_sub_word(p_minus_2, 2) &&\n BN_mod_exp_mont_consttime(out, a, p_minus_2, p, ctx, mont_p);\n BN_CTX_end(ctx);\n return ok;\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/fipsmodule/bn/gcd_extra.cc.inc", "content": "/* Copyright 2018 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n#include \n\n#include \n\n#include \n\n#include \"internal.h\"\n\n\nstatic BN_ULONG word_is_odd_mask(BN_ULONG a) { return (BN_ULONG)0 - (a & 1); }\n\nstatic void maybe_rshift1_words(BN_ULONG *a, BN_ULONG mask, BN_ULONG *tmp,\n size_t num) {\n bn_rshift1_words(tmp, a, num);\n bn_select_words(a, mask, tmp, a, num);\n}\n\nstatic void maybe_rshift1_words_carry(BN_ULONG *a, BN_ULONG carry,\n BN_ULONG mask, BN_ULONG *tmp,\n size_t num) {\n maybe_rshift1_words(a, mask, tmp, num);\n if (num != 0) {\n carry &= mask;\n a[num - 1] |= carry << (BN_BITS2 - 1);\n }\n}\n\nstatic BN_ULONG maybe_add_words(BN_ULONG *a, BN_ULONG mask, const BN_ULONG *b,\n BN_ULONG *tmp, size_t num) {\n BN_ULONG carry = bn_add_words(tmp, a, b, num);\n bn_select_words(a, mask, tmp, a, num);\n return carry & mask;\n}\n\nstatic int bn_gcd_consttime(BIGNUM *r, unsigned *out_shift, const BIGNUM *x,\n const BIGNUM *y, BN_CTX *ctx) {\n size_t width = x->width > y->width ? x->width : y->width;\n if (width == 0) {\n *out_shift = 0;\n BN_zero(r);\n return 1;\n }\n\n // This is a constant-time implementation of Stein's algorithm (binary GCD).\n int ret = 0;\n BN_CTX_start(ctx);\n BIGNUM *u = BN_CTX_get(ctx);\n BIGNUM *v = BN_CTX_get(ctx);\n BIGNUM *tmp = BN_CTX_get(ctx);\n unsigned x_bits, y_bits, num_iters, shift;\n if (u == NULL || v == NULL || tmp == NULL || //\n !BN_copy(u, x) || //\n !BN_copy(v, y) || //\n !bn_resize_words(u, width) || //\n !bn_resize_words(v, width) || //\n !bn_resize_words(tmp, width)) {\n goto err;\n }\n\n // Each loop iteration halves at least one of |u| and |v|. Thus we need at\n // most the combined bit width of inputs for at least one value to be zero.\n x_bits = x->width * BN_BITS2;\n y_bits = y->width * BN_BITS2;\n num_iters = x_bits + y_bits;\n if (num_iters < x_bits) {\n OPENSSL_PUT_ERROR(BN, BN_R_BIGNUM_TOO_LONG);\n goto err;\n }\n\n shift = 0;\n for (unsigned i = 0; i < num_iters; i++) {\n BN_ULONG both_odd = word_is_odd_mask(u->d[0]) & word_is_odd_mask(v->d[0]);\n\n // If both |u| and |v| are odd, subtract the smaller from the larger.\n BN_ULONG u_less_than_v =\n (BN_ULONG)0 - bn_sub_words(tmp->d, u->d, v->d, width);\n bn_select_words(u->d, both_odd & ~u_less_than_v, tmp->d, u->d, width);\n bn_sub_words(tmp->d, v->d, u->d, width);\n bn_select_words(v->d, both_odd & u_less_than_v, tmp->d, v->d, width);\n\n // At least one of |u| and |v| is now even.\n BN_ULONG u_is_odd = word_is_odd_mask(u->d[0]);\n BN_ULONG v_is_odd = word_is_odd_mask(v->d[0]);\n declassify_assert(!(u_is_odd & v_is_odd));\n\n // If both are even, the final GCD gains a factor of two.\n shift += 1 & (~u_is_odd & ~v_is_odd);\n\n // Halve any which are even.\n maybe_rshift1_words(u->d, ~u_is_odd, tmp->d, width);\n maybe_rshift1_words(v->d, ~v_is_odd, tmp->d, width);\n }\n\n // One of |u| or |v| is zero at this point. The algorithm usually makes |u|\n // zero, unless |y| was already zero on input. Fix this by combining the\n // values.\n declassify_assert(BN_is_zero(u) | BN_is_zero(v));\n for (size_t i = 0; i < width; i++) {\n v->d[i] |= u->d[i];\n }\n\n *out_shift = shift;\n ret = bn_set_words(r, v->d, width);\n\nerr:\n BN_CTX_end(ctx);\n return ret;\n}\n\nint BN_gcd(BIGNUM *r, const BIGNUM *x, const BIGNUM *y, BN_CTX *ctx) {\n unsigned shift;\n return bn_gcd_consttime(r, &shift, x, y, ctx) && BN_lshift(r, r, shift);\n}\n\nint bn_is_relatively_prime(int *out_relatively_prime, const BIGNUM *x,\n const BIGNUM *y, BN_CTX *ctx) {\n int ret = 0;\n BN_CTX_start(ctx);\n unsigned shift;\n BIGNUM *gcd = BN_CTX_get(ctx);\n if (gcd == NULL || !bn_gcd_consttime(gcd, &shift, x, y, ctx)) {\n goto err;\n }\n\n // Check that 2^|shift| * |gcd| is one.\n if (gcd->width == 0) {\n *out_relatively_prime = 0;\n } else {\n BN_ULONG mask = shift | (gcd->d[0] ^ 1);\n for (int i = 1; i < gcd->width; i++) {\n mask |= gcd->d[i];\n }\n *out_relatively_prime = mask == 0;\n }\n ret = 1;\n\nerr:\n BN_CTX_end(ctx);\n return ret;\n}\n\nint bn_lcm_consttime(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx) {\n BN_CTX_start(ctx);\n unsigned shift;\n BIGNUM *gcd = BN_CTX_get(ctx);\n int ret = gcd != NULL && //\n bn_mul_consttime(r, a, b, ctx) &&\n bn_gcd_consttime(gcd, &shift, a, b, ctx) &&\n // |gcd| has a secret bit width.\n bn_div_consttime(r, NULL, r, gcd, /*divisor_min_bits=*/0, ctx) &&\n bn_rshift_secret_shift(r, r, shift, ctx);\n BN_CTX_end(ctx);\n return ret;\n}\n\nint bn_mod_inverse_consttime(BIGNUM *r, int *out_no_inverse, const BIGNUM *a,\n const BIGNUM *n, BN_CTX *ctx) {\n *out_no_inverse = 0;\n if (BN_is_negative(a) || BN_ucmp(a, n) >= 0) {\n OPENSSL_PUT_ERROR(BN, BN_R_INPUT_NOT_REDUCED);\n return 0;\n }\n if (BN_is_zero(a)) {\n if (BN_is_one(n)) {\n BN_zero(r);\n return 1;\n }\n *out_no_inverse = 1;\n OPENSSL_PUT_ERROR(BN, BN_R_NO_INVERSE);\n return 0;\n }\n\n // This is a constant-time implementation of the extended binary GCD\n // algorithm. It is adapted from the Handbook of Applied Cryptography, section\n // 14.4.3, algorithm 14.51, and modified to bound coefficients and avoid\n // negative numbers.\n //\n // For more details and proof of correctness, see\n // https://github.com/mit-plv/fiat-crypto/pull/333. In particular, see |step|\n // and |mod_inverse_consttime| for the algorithm in Gallina and see\n // |mod_inverse_consttime_spec| for the correctness result.\n\n if (!BN_is_odd(a) && !BN_is_odd(n)) {\n *out_no_inverse = 1;\n OPENSSL_PUT_ERROR(BN, BN_R_NO_INVERSE);\n return 0;\n }\n\n // This function exists to compute the RSA private exponent, where |a| is one\n // word. We'll thus use |a_width| when available.\n size_t n_width = n->width, a_width = a->width;\n if (a_width > n_width) {\n a_width = n_width;\n }\n\n int ret = 0;\n BN_CTX_start(ctx);\n BIGNUM *u = BN_CTX_get(ctx);\n BIGNUM *v = BN_CTX_get(ctx);\n BIGNUM *A = BN_CTX_get(ctx);\n BIGNUM *B = BN_CTX_get(ctx);\n BIGNUM *C = BN_CTX_get(ctx);\n BIGNUM *D = BN_CTX_get(ctx);\n BIGNUM *tmp = BN_CTX_get(ctx);\n BIGNUM *tmp2 = BN_CTX_get(ctx);\n size_t a_bits, num_iters, n_bits;\n if (u == NULL || //\n v == NULL || //\n A == NULL || //\n B == NULL || //\n C == NULL || //\n D == NULL || //\n tmp == NULL || //\n tmp2 == NULL || //\n !BN_copy(u, a) || //\n !BN_copy(v, n) || //\n !BN_one(A) || //\n !BN_one(D) ||\n // For convenience, size |u| and |v| equivalently.\n !bn_resize_words(u, n_width) || //\n !bn_resize_words(v, n_width) ||\n // |A| and |C| are bounded by |m|.\n !bn_resize_words(A, n_width) || //\n !bn_resize_words(C, n_width) ||\n // |B| and |D| are bounded by |a|.\n !bn_resize_words(B, a_width) || //\n !bn_resize_words(D, a_width) ||\n // |tmp| and |tmp2| may be used at either size.\n !bn_resize_words(tmp, n_width) || //\n !bn_resize_words(tmp2, n_width)) {\n goto err;\n }\n\n // Each loop iteration halves at least one of |u| and |v|. Thus we need at\n // most the combined bit width of inputs for at least one value to be zero.\n // |a_bits| and |n_bits| cannot overflow because |bn_wexpand| ensures bit\n // counts fit in even |int|.\n a_bits = a_width * BN_BITS2;\n n_bits = n_width * BN_BITS2;\n num_iters = a_bits + n_bits;\n if (num_iters < a_bits) {\n OPENSSL_PUT_ERROR(BN, BN_R_BIGNUM_TOO_LONG);\n goto err;\n }\n\n // Before and after each loop iteration, the following hold:\n //\n // u = A*a - B*n\n // v = D*n - C*a\n // 0 < u <= a\n // 0 <= v <= n\n // 0 <= A < n\n // 0 <= B <= a\n // 0 <= C < n\n // 0 <= D <= a\n //\n // After each loop iteration, u and v only get smaller, and at least one of\n // them shrinks by at least a factor of two.\n for (size_t i = 0; i < num_iters; i++) {\n BN_ULONG both_odd = word_is_odd_mask(u->d[0]) & word_is_odd_mask(v->d[0]);\n\n // If both |u| and |v| are odd, subtract the smaller from the larger.\n BN_ULONG v_less_than_u =\n (BN_ULONG)0 - bn_sub_words(tmp->d, v->d, u->d, n_width);\n bn_select_words(v->d, both_odd & ~v_less_than_u, tmp->d, v->d, n_width);\n bn_sub_words(tmp->d, u->d, v->d, n_width);\n bn_select_words(u->d, both_odd & v_less_than_u, tmp->d, u->d, n_width);\n\n // If we updated one of the values, update the corresponding coefficient.\n BN_ULONG carry = bn_add_words(tmp->d, A->d, C->d, n_width);\n carry -= bn_sub_words(tmp2->d, tmp->d, n->d, n_width);\n bn_select_words(tmp->d, carry, tmp->d, tmp2->d, n_width);\n bn_select_words(A->d, both_odd & v_less_than_u, tmp->d, A->d, n_width);\n bn_select_words(C->d, both_odd & ~v_less_than_u, tmp->d, C->d, n_width);\n\n bn_add_words(tmp->d, B->d, D->d, a_width);\n bn_sub_words(tmp2->d, tmp->d, a->d, a_width);\n bn_select_words(tmp->d, carry, tmp->d, tmp2->d, a_width);\n bn_select_words(B->d, both_odd & v_less_than_u, tmp->d, B->d, a_width);\n bn_select_words(D->d, both_odd & ~v_less_than_u, tmp->d, D->d, a_width);\n\n // Our loop invariants hold at this point. Additionally, exactly one of |u|\n // and |v| is now even.\n BN_ULONG u_is_even = ~word_is_odd_mask(u->d[0]);\n BN_ULONG v_is_even = ~word_is_odd_mask(v->d[0]);\n declassify_assert(u_is_even != v_is_even);\n\n // Halve the even one and adjust the corresponding coefficient.\n maybe_rshift1_words(u->d, u_is_even, tmp->d, n_width);\n BN_ULONG A_or_B_is_odd =\n word_is_odd_mask(A->d[0]) | word_is_odd_mask(B->d[0]);\n BN_ULONG A_carry =\n maybe_add_words(A->d, A_or_B_is_odd & u_is_even, n->d, tmp->d, n_width);\n BN_ULONG B_carry =\n maybe_add_words(B->d, A_or_B_is_odd & u_is_even, a->d, tmp->d, a_width);\n maybe_rshift1_words_carry(A->d, A_carry, u_is_even, tmp->d, n_width);\n maybe_rshift1_words_carry(B->d, B_carry, u_is_even, tmp->d, a_width);\n\n maybe_rshift1_words(v->d, v_is_even, tmp->d, n_width);\n BN_ULONG C_or_D_is_odd =\n word_is_odd_mask(C->d[0]) | word_is_odd_mask(D->d[0]);\n BN_ULONG C_carry =\n maybe_add_words(C->d, C_or_D_is_odd & v_is_even, n->d, tmp->d, n_width);\n BN_ULONG D_carry =\n maybe_add_words(D->d, C_or_D_is_odd & v_is_even, a->d, tmp->d, a_width);\n maybe_rshift1_words_carry(C->d, C_carry, v_is_even, tmp->d, n_width);\n maybe_rshift1_words_carry(D->d, D_carry, v_is_even, tmp->d, a_width);\n }\n\n declassify_assert(BN_is_zero(v));\n // While the inputs and output are secret, this function considers whether the\n // input was invertible to be public. It is used as part of RSA key\n // generation, where inputs are chosen to already be invertible.\n if (constant_time_declassify_int(!BN_is_one(u))) {\n *out_no_inverse = 1;\n OPENSSL_PUT_ERROR(BN, BN_R_NO_INVERSE);\n goto err;\n }\n\n ret = BN_copy(r, A) != NULL;\n\nerr:\n BN_CTX_end(ctx);\n return ret;\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/fipsmodule/bn/generic.cc.inc", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n\n#include \"internal.h\"\n\n\n#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86)\n// See asm/bn-586.pl.\n#define BN_ADD_ASM\n#define BN_MUL_ASM\n#endif\n\n#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86_64) && \\\n (defined(__GNUC__) || defined(__clang__))\n// See asm/x86_64-gcc.c\n#define BN_ADD_ASM\n#define BN_MUL_ASM\n#endif\n\n#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_AARCH64)\n// See asm/bn-armv8.pl.\n#define BN_ADD_ASM\n#endif\n\n#if !defined(BN_MUL_ASM)\n\n#ifdef BN_ULLONG\n#define mul_add(r, a, w, c) \\\n do { \\\n BN_ULLONG t; \\\n t = (BN_ULLONG)(w) * (a) + (r) + (c); \\\n (r) = Lw(t); \\\n (c) = Hw(t); \\\n } while (0)\n\n#define mul(r, a, w, c) \\\n do { \\\n BN_ULLONG t; \\\n t = (BN_ULLONG)(w) * (a) + (c); \\\n (r) = Lw(t); \\\n (c) = Hw(t); \\\n } while (0)\n\n#define sqr(r0, r1, a) \\\n do { \\\n BN_ULLONG t; \\\n t = (BN_ULLONG)(a) * (a); \\\n (r0) = Lw(t); \\\n (r1) = Hw(t); \\\n } while (0)\n\n#else\n\n#define mul_add(r, a, w, c) \\\n do { \\\n BN_ULONG high, low, ret, tmp = (a); \\\n ret = (r); \\\n BN_UMULT_LOHI(low, high, w, tmp); \\\n ret += (c); \\\n (c) = (ret < (c)) ? 1 : 0; \\\n (c) += high; \\\n ret += low; \\\n (c) += (ret < low) ? 1 : 0; \\\n (r) = ret; \\\n } while (0)\n\n#define mul(r, a, w, c) \\\n do { \\\n BN_ULONG high, low, ret, ta = (a); \\\n BN_UMULT_LOHI(low, high, w, ta); \\\n ret = low + (c); \\\n (c) = high; \\\n (c) += (ret < low) ? 1 : 0; \\\n (r) = ret; \\\n } while (0)\n\n#define sqr(r0, r1, a) \\\n do { \\\n BN_ULONG tmp = (a); \\\n BN_UMULT_LOHI(r0, r1, tmp, tmp); \\\n } while (0)\n\n#endif // !BN_ULLONG\n\nBN_ULONG bn_mul_add_words(BN_ULONG *rp, const BN_ULONG *ap, size_t num,\n BN_ULONG w) {\n BN_ULONG c1 = 0;\n\n if (num == 0) {\n return c1;\n }\n\n while (num & ~3) {\n mul_add(rp[0], ap[0], w, c1);\n mul_add(rp[1], ap[1], w, c1);\n mul_add(rp[2], ap[2], w, c1);\n mul_add(rp[3], ap[3], w, c1);\n ap += 4;\n rp += 4;\n num -= 4;\n }\n\n while (num) {\n mul_add(rp[0], ap[0], w, c1);\n ap++;\n rp++;\n num--;\n }\n\n return c1;\n}\n\nBN_ULONG bn_mul_words(BN_ULONG *rp, const BN_ULONG *ap, size_t num,\n BN_ULONG w) {\n BN_ULONG c1 = 0;\n\n if (num == 0) {\n return c1;\n }\n\n while (num & ~3) {\n mul(rp[0], ap[0], w, c1);\n mul(rp[1], ap[1], w, c1);\n mul(rp[2], ap[2], w, c1);\n mul(rp[3], ap[3], w, c1);\n ap += 4;\n rp += 4;\n num -= 4;\n }\n while (num) {\n mul(rp[0], ap[0], w, c1);\n ap++;\n rp++;\n num--;\n }\n return c1;\n}\n\nvoid bn_sqr_words(BN_ULONG *r, const BN_ULONG *a, size_t n) {\n if (n == 0) {\n return;\n }\n\n while (n & ~3) {\n sqr(r[0], r[1], a[0]);\n sqr(r[2], r[3], a[1]);\n sqr(r[4], r[5], a[2]);\n sqr(r[6], r[7], a[3]);\n a += 4;\n r += 8;\n n -= 4;\n }\n while (n) {\n sqr(r[0], r[1], a[0]);\n a++;\n r += 2;\n n--;\n }\n}\n\n// mul_add_c(a,b,c0,c1,c2) -- c+=a*b for three word number c=(c2,c1,c0)\n// mul_add_c2(a,b,c0,c1,c2) -- c+=2*a*b for three word number c=(c2,c1,c0)\n// sqr_add_c(a,i,c0,c1,c2) -- c+=a[i]^2 for three word number c=(c2,c1,c0)\n// sqr_add_c2(a,i,c0,c1,c2) -- c+=2*a[i]*a[j] for three word number c=(c2,c1,c0)\n\n#ifdef BN_ULLONG\n\n// Keep in mind that additions to multiplication result can not overflow,\n// because its high half cannot be all-ones.\n#define mul_add_c(a, b, c0, c1, c2) \\\n do { \\\n BN_ULONG hi; \\\n BN_ULLONG t = (BN_ULLONG)(a) * (b); \\\n t += (c0); /* no carry */ \\\n (c0) = (BN_ULONG)Lw(t); \\\n hi = (BN_ULONG)Hw(t); \\\n (c1) += (hi); \\\n (c2) += (c1) < hi; \\\n } while (0)\n\n#define mul_add_c2(a, b, c0, c1, c2) \\\n do { \\\n BN_ULONG hi; \\\n BN_ULLONG t = (BN_ULLONG)(a) * (b); \\\n BN_ULLONG tt = t + (c0); /* no carry */ \\\n (c0) = (BN_ULONG)Lw(tt); \\\n hi = (BN_ULONG)Hw(tt); \\\n (c1) += hi; \\\n (c2) += (c1) < hi; \\\n t += (c0); /* no carry */ \\\n (c0) = (BN_ULONG)Lw(t); \\\n hi = (BN_ULONG)Hw(t); \\\n (c1) += hi; \\\n (c2) += (c1) < hi; \\\n } while (0)\n\n#define sqr_add_c(a, i, c0, c1, c2) \\\n do { \\\n BN_ULONG hi; \\\n BN_ULLONG t = (BN_ULLONG)(a)[i] * (a)[i]; \\\n t += (c0); /* no carry */ \\\n (c0) = (BN_ULONG)Lw(t); \\\n hi = (BN_ULONG)Hw(t); \\\n (c1) += hi; \\\n (c2) += (c1) < hi; \\\n } while (0)\n\n#define sqr_add_c2(a, i, j, c0, c1, c2) mul_add_c2((a)[i], (a)[j], c0, c1, c2)\n\n#else\n\n// Keep in mind that additions to hi can not overflow, because the high word of\n// a multiplication result cannot be all-ones.\n#define mul_add_c(a, b, c0, c1, c2) \\\n do { \\\n BN_ULONG ta = (a), tb = (b); \\\n BN_ULONG lo, hi; \\\n BN_UMULT_LOHI(lo, hi, ta, tb); \\\n (c0) += lo; \\\n hi += ((c0) < lo) ? 1 : 0; \\\n (c1) += hi; \\\n (c2) += ((c1) < hi) ? 1 : 0; \\\n } while (0)\n\n#define mul_add_c2(a, b, c0, c1, c2) \\\n do { \\\n BN_ULONG ta = (a), tb = (b); \\\n BN_ULONG lo, hi, tt; \\\n BN_UMULT_LOHI(lo, hi, ta, tb); \\\n (c0) += lo; \\\n tt = hi + (((c0) < lo) ? 1 : 0); \\\n (c1) += tt; \\\n (c2) += ((c1) < tt) ? 1 : 0; \\\n (c0) += lo; \\\n hi += (c0 < lo) ? 1 : 0; \\\n (c1) += hi; \\\n (c2) += ((c1) < hi) ? 1 : 0; \\\n } while (0)\n\n#define sqr_add_c(a, i, c0, c1, c2) \\\n do { \\\n BN_ULONG ta = (a)[i]; \\\n BN_ULONG lo, hi; \\\n BN_UMULT_LOHI(lo, hi, ta, ta); \\\n (c0) += lo; \\\n hi += (c0 < lo) ? 1 : 0; \\\n (c1) += hi; \\\n (c2) += ((c1) < hi) ? 1 : 0; \\\n } while (0)\n\n#define sqr_add_c2(a, i, j, c0, c1, c2) mul_add_c2((a)[i], (a)[j], c0, c1, c2)\n\n#endif // !BN_ULLONG\n\nvoid bn_mul_comba8(BN_ULONG r[16], const BN_ULONG a[8], const BN_ULONG b[8]) {\n BN_ULONG c1, c2, c3;\n\n c1 = 0;\n c2 = 0;\n c3 = 0;\n mul_add_c(a[0], b[0], c1, c2, c3);\n r[0] = c1;\n c1 = 0;\n mul_add_c(a[0], b[1], c2, c3, c1);\n mul_add_c(a[1], b[0], c2, c3, c1);\n r[1] = c2;\n c2 = 0;\n mul_add_c(a[2], b[0], c3, c1, c2);\n mul_add_c(a[1], b[1], c3, c1, c2);\n mul_add_c(a[0], b[2], c3, c1, c2);\n r[2] = c3;\n c3 = 0;\n mul_add_c(a[0], b[3], c1, c2, c3);\n mul_add_c(a[1], b[2], c1, c2, c3);\n mul_add_c(a[2], b[1], c1, c2, c3);\n mul_add_c(a[3], b[0], c1, c2, c3);\n r[3] = c1;\n c1 = 0;\n mul_add_c(a[4], b[0], c2, c3, c1);\n mul_add_c(a[3], b[1], c2, c3, c1);\n mul_add_c(a[2], b[2], c2, c3, c1);\n mul_add_c(a[1], b[3], c2, c3, c1);\n mul_add_c(a[0], b[4], c2, c3, c1);\n r[4] = c2;\n c2 = 0;\n mul_add_c(a[0], b[5], c3, c1, c2);\n mul_add_c(a[1], b[4], c3, c1, c2);\n mul_add_c(a[2], b[3], c3, c1, c2);\n mul_add_c(a[3], b[2], c3, c1, c2);\n mul_add_c(a[4], b[1], c3, c1, c2);\n mul_add_c(a[5], b[0], c3, c1, c2);\n r[5] = c3;\n c3 = 0;\n mul_add_c(a[6], b[0], c1, c2, c3);\n mul_add_c(a[5], b[1], c1, c2, c3);\n mul_add_c(a[4], b[2], c1, c2, c3);\n mul_add_c(a[3], b[3], c1, c2, c3);\n mul_add_c(a[2], b[4], c1, c2, c3);\n mul_add_c(a[1], b[5], c1, c2, c3);\n mul_add_c(a[0], b[6], c1, c2, c3);\n r[6] = c1;\n c1 = 0;\n mul_add_c(a[0], b[7], c2, c3, c1);\n mul_add_c(a[1], b[6], c2, c3, c1);\n mul_add_c(a[2], b[5], c2, c3, c1);\n mul_add_c(a[3], b[4], c2, c3, c1);\n mul_add_c(a[4], b[3], c2, c3, c1);\n mul_add_c(a[5], b[2], c2, c3, c1);\n mul_add_c(a[6], b[1], c2, c3, c1);\n mul_add_c(a[7], b[0], c2, c3, c1);\n r[7] = c2;\n c2 = 0;\n mul_add_c(a[7], b[1], c3, c1, c2);\n mul_add_c(a[6], b[2], c3, c1, c2);\n mul_add_c(a[5], b[3], c3, c1, c2);\n mul_add_c(a[4], b[4], c3, c1, c2);\n mul_add_c(a[3], b[5], c3, c1, c2);\n mul_add_c(a[2], b[6], c3, c1, c2);\n mul_add_c(a[1], b[7], c3, c1, c2);\n r[8] = c3;\n c3 = 0;\n mul_add_c(a[2], b[7], c1, c2, c3);\n mul_add_c(a[3], b[6], c1, c2, c3);\n mul_add_c(a[4], b[5], c1, c2, c3);\n mul_add_c(a[5], b[4], c1, c2, c3);\n mul_add_c(a[6], b[3], c1, c2, c3);\n mul_add_c(a[7], b[2], c1, c2, c3);\n r[9] = c1;\n c1 = 0;\n mul_add_c(a[7], b[3], c2, c3, c1);\n mul_add_c(a[6], b[4], c2, c3, c1);\n mul_add_c(a[5], b[5], c2, c3, c1);\n mul_add_c(a[4], b[6], c2, c3, c1);\n mul_add_c(a[3], b[7], c2, c3, c1);\n r[10] = c2;\n c2 = 0;\n mul_add_c(a[4], b[7], c3, c1, c2);\n mul_add_c(a[5], b[6], c3, c1, c2);\n mul_add_c(a[6], b[5], c3, c1, c2);\n mul_add_c(a[7], b[4], c3, c1, c2);\n r[11] = c3;\n c3 = 0;\n mul_add_c(a[7], b[5], c1, c2, c3);\n mul_add_c(a[6], b[6], c1, c2, c3);\n mul_add_c(a[5], b[7], c1, c2, c3);\n r[12] = c1;\n c1 = 0;\n mul_add_c(a[6], b[7], c2, c3, c1);\n mul_add_c(a[7], b[6], c2, c3, c1);\n r[13] = c2;\n c2 = 0;\n mul_add_c(a[7], b[7], c3, c1, c2);\n r[14] = c3;\n r[15] = c1;\n}\n\nvoid bn_mul_comba4(BN_ULONG r[8], const BN_ULONG a[4], const BN_ULONG b[4]) {\n BN_ULONG c1, c2, c3;\n\n c1 = 0;\n c2 = 0;\n c3 = 0;\n mul_add_c(a[0], b[0], c1, c2, c3);\n r[0] = c1;\n c1 = 0;\n mul_add_c(a[0], b[1], c2, c3, c1);\n mul_add_c(a[1], b[0], c2, c3, c1);\n r[1] = c2;\n c2 = 0;\n mul_add_c(a[2], b[0], c3, c1, c2);\n mul_add_c(a[1], b[1], c3, c1, c2);\n mul_add_c(a[0], b[2], c3, c1, c2);\n r[2] = c3;\n c3 = 0;\n mul_add_c(a[0], b[3], c1, c2, c3);\n mul_add_c(a[1], b[2], c1, c2, c3);\n mul_add_c(a[2], b[1], c1, c2, c3);\n mul_add_c(a[3], b[0], c1, c2, c3);\n r[3] = c1;\n c1 = 0;\n mul_add_c(a[3], b[1], c2, c3, c1);\n mul_add_c(a[2], b[2], c2, c3, c1);\n mul_add_c(a[1], b[3], c2, c3, c1);\n r[4] = c2;\n c2 = 0;\n mul_add_c(a[2], b[3], c3, c1, c2);\n mul_add_c(a[3], b[2], c3, c1, c2);\n r[5] = c3;\n c3 = 0;\n mul_add_c(a[3], b[3], c1, c2, c3);\n r[6] = c1;\n r[7] = c2;\n}\n\nvoid bn_sqr_comba8(BN_ULONG r[16], const BN_ULONG a[8]) {\n BN_ULONG c1, c2, c3;\n\n c1 = 0;\n c2 = 0;\n c3 = 0;\n sqr_add_c(a, 0, c1, c2, c3);\n r[0] = c1;\n c1 = 0;\n sqr_add_c2(a, 1, 0, c2, c3, c1);\n r[1] = c2;\n c2 = 0;\n sqr_add_c(a, 1, c3, c1, c2);\n sqr_add_c2(a, 2, 0, c3, c1, c2);\n r[2] = c3;\n c3 = 0;\n sqr_add_c2(a, 3, 0, c1, c2, c3);\n sqr_add_c2(a, 2, 1, c1, c2, c3);\n r[3] = c1;\n c1 = 0;\n sqr_add_c(a, 2, c2, c3, c1);\n sqr_add_c2(a, 3, 1, c2, c3, c1);\n sqr_add_c2(a, 4, 0, c2, c3, c1);\n r[4] = c2;\n c2 = 0;\n sqr_add_c2(a, 5, 0, c3, c1, c2);\n sqr_add_c2(a, 4, 1, c3, c1, c2);\n sqr_add_c2(a, 3, 2, c3, c1, c2);\n r[5] = c3;\n c3 = 0;\n sqr_add_c(a, 3, c1, c2, c3);\n sqr_add_c2(a, 4, 2, c1, c2, c3);\n sqr_add_c2(a, 5, 1, c1, c2, c3);\n sqr_add_c2(a, 6, 0, c1, c2, c3);\n r[6] = c1;\n c1 = 0;\n sqr_add_c2(a, 7, 0, c2, c3, c1);\n sqr_add_c2(a, 6, 1, c2, c3, c1);\n sqr_add_c2(a, 5, 2, c2, c3, c1);\n sqr_add_c2(a, 4, 3, c2, c3, c1);\n r[7] = c2;\n c2 = 0;\n sqr_add_c(a, 4, c3, c1, c2);\n sqr_add_c2(a, 5, 3, c3, c1, c2);\n sqr_add_c2(a, 6, 2, c3, c1, c2);\n sqr_add_c2(a, 7, 1, c3, c1, c2);\n r[8] = c3;\n c3 = 0;\n sqr_add_c2(a, 7, 2, c1, c2, c3);\n sqr_add_c2(a, 6, 3, c1, c2, c3);\n sqr_add_c2(a, 5, 4, c1, c2, c3);\n r[9] = c1;\n c1 = 0;\n sqr_add_c(a, 5, c2, c3, c1);\n sqr_add_c2(a, 6, 4, c2, c3, c1);\n sqr_add_c2(a, 7, 3, c2, c3, c1);\n r[10] = c2;\n c2 = 0;\n sqr_add_c2(a, 7, 4, c3, c1, c2);\n sqr_add_c2(a, 6, 5, c3, c1, c2);\n r[11] = c3;\n c3 = 0;\n sqr_add_c(a, 6, c1, c2, c3);\n sqr_add_c2(a, 7, 5, c1, c2, c3);\n r[12] = c1;\n c1 = 0;\n sqr_add_c2(a, 7, 6, c2, c3, c1);\n r[13] = c2;\n c2 = 0;\n sqr_add_c(a, 7, c3, c1, c2);\n r[14] = c3;\n r[15] = c1;\n}\n\nvoid bn_sqr_comba4(BN_ULONG r[8], const BN_ULONG a[4]) {\n BN_ULONG c1, c2, c3;\n\n c1 = 0;\n c2 = 0;\n c3 = 0;\n sqr_add_c(a, 0, c1, c2, c3);\n r[0] = c1;\n c1 = 0;\n sqr_add_c2(a, 1, 0, c2, c3, c1);\n r[1] = c2;\n c2 = 0;\n sqr_add_c(a, 1, c3, c1, c2);\n sqr_add_c2(a, 2, 0, c3, c1, c2);\n r[2] = c3;\n c3 = 0;\n sqr_add_c2(a, 3, 0, c1, c2, c3);\n sqr_add_c2(a, 2, 1, c1, c2, c3);\n r[3] = c1;\n c1 = 0;\n sqr_add_c(a, 2, c2, c3, c1);\n sqr_add_c2(a, 3, 1, c2, c3, c1);\n r[4] = c2;\n c2 = 0;\n sqr_add_c2(a, 3, 2, c3, c1, c2);\n r[5] = c3;\n c3 = 0;\n sqr_add_c(a, 3, c1, c2, c3);\n r[6] = c1;\n r[7] = c2;\n}\n\n#undef mul_add\n#undef mul\n#undef sqr\n#undef mul_add_c\n#undef mul_add_c2\n#undef sqr_add_c\n#undef sqr_add_c2\n\n#endif // !BN_MUL_ASM\n\n#if !defined(BN_ADD_ASM)\n\nBN_ULONG bn_add_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b,\n size_t n) {\n if (n == 0) {\n return 0;\n }\n\n BN_ULONG carry = 0;\n while (n & ~3) {\n r[0] = CRYPTO_addc_w(a[0], b[0], carry, &carry);\n r[1] = CRYPTO_addc_w(a[1], b[1], carry, &carry);\n r[2] = CRYPTO_addc_w(a[2], b[2], carry, &carry);\n r[3] = CRYPTO_addc_w(a[3], b[3], carry, &carry);\n a += 4;\n b += 4;\n r += 4;\n n -= 4;\n }\n while (n) {\n r[0] = CRYPTO_addc_w(a[0], b[0], carry, &carry);\n a++;\n b++;\n r++;\n n--;\n }\n return carry;\n}\n\nBN_ULONG bn_sub_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b,\n size_t n) {\n if (n == 0) {\n return (BN_ULONG)0;\n }\n\n BN_ULONG borrow = 0;\n while (n & ~3) {\n r[0] = CRYPTO_subc_w(a[0], b[0], borrow, &borrow);\n r[1] = CRYPTO_subc_w(a[1], b[1], borrow, &borrow);\n r[2] = CRYPTO_subc_w(a[2], b[2], borrow, &borrow);\n r[3] = CRYPTO_subc_w(a[3], b[3], borrow, &borrow);\n a += 4;\n b += 4;\n r += 4;\n n -= 4;\n }\n while (n) {\n r[0] = CRYPTO_subc_w(a[0], b[0], borrow, &borrow);\n a++;\n b++;\n r++;\n n--;\n }\n return borrow;\n}\n\n#endif // !BN_ADD_ASM\n" }, { "path": "Sources/CNIOBoringSSL/crypto/fipsmodule/bn/internal.h", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#ifndef OPENSSL_HEADER_BN_INTERNAL_H\n#define OPENSSL_HEADER_BN_INTERNAL_H\n\n#include \n\n#if defined(OPENSSL_X86_64) && defined(_MSC_VER)\nOPENSSL_MSVC_PRAGMA(warning(push, 3))\n#include \nOPENSSL_MSVC_PRAGMA(warning(pop))\n#pragma intrinsic(__umulh, _umul128)\n#endif\n\n#include \"../../internal.h\"\n\n#if defined(__cplusplus)\nextern \"C\" {\n#endif\n\n#if defined(OPENSSL_64_BIT)\n\n#if defined(BORINGSSL_HAS_UINT128)\n// MSVC doesn't support two-word integers on 64-bit.\n#define BN_ULLONG uint128_t\n#if defined(BORINGSSL_CAN_DIVIDE_UINT128)\n#define BN_CAN_DIVIDE_ULLONG\n#endif\n#endif\n\n#define BN_BITS2 64\n#define BN_BITS2_LG 6\n#define BN_BYTES 8\n#define BN_BITS4 32\n#define BN_MASK2 (0xffffffffffffffffUL)\n#define BN_MASK2l (0xffffffffUL)\n#define BN_MASK2h (0xffffffff00000000UL)\n#define BN_MASK2h1 (0xffffffff80000000UL)\n#define BN_MONT_CTX_N0_LIMBS 1\n#define BN_DEC_CONV (10000000000000000000UL)\n#define BN_DEC_NUM 19\n#define TOBN(hi, lo) ((BN_ULONG)(hi) << 32 | (lo))\n\n#elif defined(OPENSSL_32_BIT)\n\n#define BN_ULLONG uint64_t\n#define BN_CAN_DIVIDE_ULLONG\n#define BN_BITS2 32\n#define BN_BITS2_LG 5\n#define BN_BYTES 4\n#define BN_BITS4 16\n#define BN_MASK2 (0xffffffffUL)\n#define BN_MASK2l (0xffffUL)\n#define BN_MASK2h1 (0xffff8000UL)\n#define BN_MASK2h (0xffff0000UL)\n// On some 32-bit platforms, Montgomery multiplication is done using 64-bit\n// arithmetic with SIMD instructions. On such platforms, |BN_MONT_CTX::n0|\n// needs to be two words long. Only certain 32-bit platforms actually make use\n// of n0[1] and shorter R value would suffice for the others. However,\n// currently only the assembly files know which is which.\n#define BN_MONT_CTX_N0_LIMBS 2\n#define BN_DEC_CONV (1000000000UL)\n#define BN_DEC_NUM 9\n#define TOBN(hi, lo) (lo), (hi)\n\n#else\n#error \"Must define either OPENSSL_32_BIT or OPENSSL_64_BIT\"\n#endif\n\n#if !defined(OPENSSL_NO_ASM) && (defined(__GNUC__) || defined(__clang__))\n#define BN_CAN_USE_INLINE_ASM\n#endif\n\n// MOD_EXP_CTIME_ALIGN is the alignment needed for |BN_mod_exp_mont_consttime|'s\n// tables.\n//\n// TODO(davidben): Historically, this alignment came from cache line\n// assumptions, which we've since removed. Is 64-byte alignment still necessary\n// or ideal? The true alignment requirement seems to now be 32 bytes, coming\n// from RSAZ's use of VMOVDQA to a YMM register. Non-x86_64 has even fewer\n// requirements.\n#define MOD_EXP_CTIME_ALIGN 64\n\n// MOD_EXP_CTIME_STORAGE_LEN is the number of |BN_ULONG|s needed for the\n// |BN_mod_exp_mont_consttime| stack-allocated storage buffer. The buffer is\n// just the right size for the RSAZ and is about ~1KB larger than what's\n// necessary (4480 bytes) for 1024-bit inputs.\n#define MOD_EXP_CTIME_STORAGE_LEN \\\n (((320u * 3u) + (32u * 9u * 16u)) / sizeof(BN_ULONG))\n\n#define STATIC_BIGNUM(x) \\\n { \\\n (BN_ULONG *)(x), sizeof(x) / sizeof(BN_ULONG), \\\n sizeof(x) / sizeof(BN_ULONG), 0, BN_FLG_STATIC_DATA \\\n }\n\n#if defined(BN_ULLONG)\n#define Lw(t) ((BN_ULONG)(t))\n#define Hw(t) ((BN_ULONG)((t) >> BN_BITS2))\n#endif\n\n// bn_minimal_width returns the minimal number of words needed to represent\n// |bn|.\nint bn_minimal_width(const BIGNUM *bn);\n\n// bn_set_minimal_width sets |bn->width| to |bn_minimal_width(bn)|. If |bn| is\n// zero, |bn->neg| is set to zero.\nvoid bn_set_minimal_width(BIGNUM *bn);\n\n// bn_wexpand ensures that |bn| has at least |words| works of space without\n// altering its value. It returns one on success or zero on allocation\n// failure.\nint bn_wexpand(BIGNUM *bn, size_t words);\n\n// bn_expand acts the same as |bn_wexpand|, but takes a number of bits rather\n// than a number of words.\nint bn_expand(BIGNUM *bn, size_t bits);\n\n// bn_resize_words adjusts |bn->width| to be |words|. It returns one on success\n// and zero on allocation error or if |bn|'s value is too large.\nOPENSSL_EXPORT int bn_resize_words(BIGNUM *bn, size_t words);\n\n// bn_select_words sets |r| to |a| if |mask| is all ones or |b| if |mask| is\n// all zeros.\nvoid bn_select_words(BN_ULONG *r, BN_ULONG mask, const BN_ULONG *a,\n const BN_ULONG *b, size_t num);\n\n// bn_set_words sets |bn| to the value encoded in the |num| words in |words|,\n// least significant word first.\nint bn_set_words(BIGNUM *bn, const BN_ULONG *words, size_t num);\n\n// bn_set_static_words acts like |bn_set_words|, but doesn't copy the data. A\n// flag is set on |bn| so that |BN_free| won't attempt to free the data.\n//\n// The |STATIC_BIGNUM| macro is probably a better solution for this outside of\n// the FIPS module. Inside of the FIPS module that macro generates rel.ro data,\n// which doesn't work with FIPS requirements.\nvoid bn_set_static_words(BIGNUM *bn, const BN_ULONG *words, size_t num);\n\n// bn_fits_in_words returns one if |bn| may be represented in |num| words, plus\n// a sign bit, and zero otherwise.\nint bn_fits_in_words(const BIGNUM *bn, size_t num);\n\n// bn_copy_words copies the value of |bn| to |out| and returns one if the value\n// is representable in |num| words. Otherwise, it returns zero.\nint bn_copy_words(BN_ULONG *out, size_t num, const BIGNUM *bn);\n\n// bn_assert_fits_in_bytes asserts that |bn| fits in |num| bytes. This is a\n// no-op in release builds, but triggers an assert in debug builds, and\n// declassifies all bytes which are therefore known to be zero in constant-time\n// validation.\nvoid bn_assert_fits_in_bytes(const BIGNUM *bn, size_t num);\n\n// bn_secret marks |bn|'s contents, but not its width or sign, as secret. See\n// |CONSTTIME_SECRET| for details.\ninline void bn_secret(BIGNUM *bn) {\n CONSTTIME_SECRET(bn->d, bn->width * sizeof(BN_ULONG));\n}\n\n// bn_declassify marks |bn|'s value as public. See |CONSTTIME_DECLASSIFY| for\n// details.\ninline void bn_declassify(BIGNUM *bn) {\n CONSTTIME_DECLASSIFY(bn->d, bn->width * sizeof(BN_ULONG));\n}\n\n// bn_mul_add_words multiples |ap| by |w|, adds the result to |rp|, and places\n// the result in |rp|. |ap| and |rp| must both be |num| words long. It returns\n// the carry word of the operation. |ap| and |rp| may be equal but otherwise may\n// not alias.\nBN_ULONG bn_mul_add_words(BN_ULONG *rp, const BN_ULONG *ap, size_t num,\n BN_ULONG w);\n\n// bn_mul_words multiples |ap| by |w| and places the result in |rp|. |ap| and\n// |rp| must both be |num| words long. It returns the carry word of the\n// operation. |ap| and |rp| may be equal but otherwise may not alias.\nBN_ULONG bn_mul_words(BN_ULONG *rp, const BN_ULONG *ap, size_t num, BN_ULONG w);\n\n// bn_sqr_words sets |rp[2*i]| and |rp[2*i+1]| to |ap[i]|'s square, for all |i|\n// up to |num|. |ap| is an array of |num| words and |rp| an array of |2*num|\n// words. |ap| and |rp| may not alias.\n//\n// This gives the contribution of the |ap[i]*ap[i]| terms when squaring |ap|.\nvoid bn_sqr_words(BN_ULONG *rp, const BN_ULONG *ap, size_t num);\n\n// bn_add_words adds |ap| to |bp| and places the result in |rp|, each of which\n// are |num| words long. It returns the carry bit, which is one if the operation\n// overflowed and zero otherwise. Any pair of |ap|, |bp|, and |rp| may be equal\n// to each other but otherwise may not alias.\nBN_ULONG bn_add_words(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp,\n size_t num);\n\n// bn_sub_words subtracts |bp| from |ap| and places the result in |rp|. It\n// returns the borrow bit, which is one if the computation underflowed and zero\n// otherwise. Any pair of |ap|, |bp|, and |rp| may be equal to each other but\n// otherwise may not alias.\nBN_ULONG bn_sub_words(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp,\n size_t num);\n\n// bn_mul_comba4 sets |r| to the product of |a| and |b|.\nvoid bn_mul_comba4(BN_ULONG r[8], const BN_ULONG a[4], const BN_ULONG b[4]);\n\n// bn_mul_comba8 sets |r| to the product of |a| and |b|.\nvoid bn_mul_comba8(BN_ULONG r[16], const BN_ULONG a[8], const BN_ULONG b[8]);\n\n// bn_sqr_comba8 sets |r| to |a|^2.\nvoid bn_sqr_comba8(BN_ULONG r[16], const BN_ULONG a[8]);\n\n// bn_sqr_comba4 sets |r| to |a|^2.\nvoid bn_sqr_comba4(BN_ULONG r[8], const BN_ULONG a[4]);\n\n// bn_less_than_words returns one if |a| < |b| and zero otherwise, where |a|\n// and |b| both are |len| words long. It runs in constant time.\nint bn_less_than_words(const BN_ULONG *a, const BN_ULONG *b, size_t len);\n\n// bn_in_range_words returns one if |min_inclusive| <= |a| < |max_exclusive|,\n// where |a| and |max_exclusive| both are |len| words long. |a| and\n// |max_exclusive| are treated as secret.\nint bn_in_range_words(const BN_ULONG *a, BN_ULONG min_inclusive,\n const BN_ULONG *max_exclusive, size_t len);\n\n// bn_rand_range_words sets |out| to a uniformly distributed random number from\n// |min_inclusive| to |max_exclusive|. Both |out| and |max_exclusive| are |len|\n// words long.\n//\n// This function runs in time independent of the result, but |min_inclusive| and\n// |max_exclusive| are public data. (Information about the range is unavoidably\n// leaked by how many iterations it took to select a number.)\nint bn_rand_range_words(BN_ULONG *out, BN_ULONG min_inclusive,\n const BN_ULONG *max_exclusive, size_t len,\n const uint8_t additional_data[32]);\n\n// bn_range_secret_range behaves like |BN_rand_range_ex|, but treats\n// |max_exclusive| as secret. Because of this constraint, the distribution of\n// values returned is more complex.\n//\n// Rather than repeatedly generating values until one is in range, which would\n// leak information, it generates one value. If the value is in range, it sets\n// |*out_is_uniform| to one. Otherwise, it sets |*out_is_uniform| to zero,\n// fixing up the value to force it in range.\n//\n// The subset of calls to |bn_rand_secret_range| which set |*out_is_uniform| to\n// one are uniformly distributed in the target range. Calls overall are not.\n// This function is intended for use in situations where the extra values are\n// still usable and where the number of iterations needed to reach the target\n// number of uniform outputs may be blinded for negligible probabilities of\n// timing leaks.\n//\n// Although this function treats |max_exclusive| as secret, it treats the number\n// of bits in |max_exclusive| as public.\nint bn_rand_secret_range(BIGNUM *r, int *out_is_uniform, BN_ULONG min_inclusive,\n const BIGNUM *max_exclusive);\n\n// BN_MONTGOMERY_MAX_WORDS is the maximum numer of words allowed in a |BIGNUM|\n// used with Montgomery reduction. Ideally this limit would be applied to all\n// |BIGNUM|s, in |bn_wexpand|, but the exactfloat library needs to create 8 MiB\n// values for other operations.\n#define BN_MONTGOMERY_MAX_WORDS (8 * 1024 / sizeof(BN_ULONG))\n\n#if !defined(OPENSSL_NO_ASM) && \\\n (defined(OPENSSL_X86) || defined(OPENSSL_X86_64) || \\\n defined(OPENSSL_ARM) || defined(OPENSSL_AARCH64))\n#define OPENSSL_BN_ASM_MONT\n// bn_mul_mont writes |ap| * |bp| mod |np| to |rp|, each |num| words\n// long. Inputs and outputs are in Montgomery form. |n0| is a pointer to the\n// corresponding field in |BN_MONT_CTX|. It returns one if |bn_mul_mont| handles\n// inputs of this size and zero otherwise.\n//\n// If at least one of |ap| or |bp| is fully reduced, |rp| will be fully reduced.\n// If neither is fully-reduced, the output may not be either.\n//\n// This function allocates |num| words on the stack, so |num| should be at most\n// |BN_MONTGOMERY_MAX_WORDS|.\n//\n// TODO(davidben): The x86_64 implementation expects a 32-bit input and masks\n// off upper bits. The aarch64 implementation expects a 64-bit input and does\n// not. |size_t| is the safer option but not strictly correct for x86_64. But\n// the |BN_MONTGOMERY_MAX_WORDS| bound makes this moot.\n//\n// See also discussion in |ToWord| in abi_test.h for notes on smaller-than-word\n// inputs.\nint bn_mul_mont(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp,\n const BN_ULONG *np, const BN_ULONG *n0, size_t num);\n\n#if defined(OPENSSL_X86_64)\ninline int bn_mulx_adx_capable(void) {\n // MULX is in BMI2.\n return CRYPTO_is_BMI2_capable() && CRYPTO_is_ADX_capable();\n}\nint bn_mul_mont_nohw(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp,\n const BN_ULONG *np, const BN_ULONG *n0, size_t num);\ninline int bn_mul4x_mont_capable(size_t num) {\n return num >= 8 && (num & 3) == 0;\n}\nint bn_mul4x_mont(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp,\n const BN_ULONG *np, const BN_ULONG *n0, size_t num);\ninline int bn_mulx4x_mont_capable(size_t num) {\n return bn_mul4x_mont_capable(num) && bn_mulx_adx_capable();\n}\nint bn_mulx4x_mont(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp,\n const BN_ULONG *np, const BN_ULONG *n0, size_t num);\ninline int bn_sqr8x_mont_capable(size_t num) {\n return num >= 8 && (num & 7) == 0;\n}\nint bn_sqr8x_mont(BN_ULONG *rp, const BN_ULONG *ap, BN_ULONG mulx_adx_capable,\n const BN_ULONG *np, const BN_ULONG *n0, size_t num);\n#elif defined(OPENSSL_ARM)\ninline int bn_mul8x_mont_neon_capable(size_t num) {\n return (num & 7) == 0 && CRYPTO_is_NEON_capable();\n}\nint bn_mul8x_mont_neon(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp,\n const BN_ULONG *np, const BN_ULONG *n0, size_t num);\nint bn_mul_mont_nohw(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp,\n const BN_ULONG *np, const BN_ULONG *n0, size_t num);\n#endif\n\n#endif // OPENSSL_BN_ASM_MONT\n\n#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86_64)\n#define OPENSSL_BN_ASM_MONT5\n\n// The following functions implement |bn_mul_mont_gather5|. See\n// |bn_mul_mont_gather5| for details.\ninline int bn_mul4x_mont_gather5_capable(int num) { return (num & 7) == 0; }\nvoid bn_mul4x_mont_gather5(BN_ULONG *rp, const BN_ULONG *ap,\n const BN_ULONG *table, const BN_ULONG *np,\n const BN_ULONG *n0, int num, int power);\n\ninline int bn_mulx4x_mont_gather5_capable(int num) {\n return bn_mul4x_mont_gather5_capable(num) && CRYPTO_is_ADX_capable() &&\n CRYPTO_is_BMI1_capable() && CRYPTO_is_BMI2_capable();\n}\nvoid bn_mulx4x_mont_gather5(BN_ULONG *rp, const BN_ULONG *ap,\n const BN_ULONG *table, const BN_ULONG *np,\n const BN_ULONG *n0, int num, int power);\n\nvoid bn_mul_mont_gather5_nohw(BN_ULONG *rp, const BN_ULONG *ap,\n const BN_ULONG *table, const BN_ULONG *np,\n const BN_ULONG *n0, int num, int power);\n\n// bn_scatter5 stores |inp| to index |power| of |table|. |inp| and each entry of\n// |table| are |num| words long. |power| must be less than 32 and is treated as\n// public. |table| must be 32*|num| words long. |table| must be aligned to at\n// least 16 bytes.\nvoid bn_scatter5(const BN_ULONG *inp, size_t num, BN_ULONG *table,\n size_t power);\n\n// bn_gather5 loads index |power| of |table| and stores it in |out|. |out| and\n// each entry of |table| are |num| words long. |power| must be less than 32 and\n// is treated as secret. |table| must be aligned to at least 16 bytes.\nvoid bn_gather5(BN_ULONG *out, size_t num, const BN_ULONG *table, size_t power);\n\n// The following functions implement |bn_power5|. See |bn_power5| for details.\nvoid bn_power5_nohw(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *table,\n const BN_ULONG *np, const BN_ULONG *n0, int num, int power);\n\ninline int bn_power5_capable(int num) { return (num & 7) == 0; }\n\ninline int bn_powerx5_capable(int num) {\n return bn_power5_capable(num) && CRYPTO_is_ADX_capable() &&\n CRYPTO_is_BMI1_capable() && CRYPTO_is_BMI2_capable();\n}\nvoid bn_powerx5(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *table,\n const BN_ULONG *np, const BN_ULONG *n0, int num, int power);\n\n#endif // !OPENSSL_NO_ASM && OPENSSL_X86_64\n\nuint64_t bn_mont_n0(const BIGNUM *n);\n\n// bn_mont_ctx_set_RR_consttime initializes |mont->RR|. It returns one on\n// success and zero on error. |mont->N| and |mont->n0| must have been\n// initialized already. The bit width of |mont->N| is assumed public, but\n// |mont->N| is otherwise treated as secret.\nint bn_mont_ctx_set_RR_consttime(BN_MONT_CTX *mont, BN_CTX *ctx);\n\n#if defined(_MSC_VER)\n#if defined(OPENSSL_X86_64)\n#define BN_UMULT_LOHI(low, high, a, b) ((low) = _umul128((a), (b), &(high)))\n#elif defined(OPENSSL_AARCH64)\n#define BN_UMULT_LOHI(low, high, a, b) \\\n do { \\\n const BN_ULONG _a = (a); \\\n const BN_ULONG _b = (b); \\\n (low) = _a * _b; \\\n (high) = __umulh(_a, _b); \\\n } while (0)\n#endif\n#endif // _MSC_VER\n\n#if !defined(BN_ULLONG) && !defined(BN_UMULT_LOHI)\n#error \"Either BN_ULLONG or BN_UMULT_LOHI must be defined on every platform.\"\n#endif\n\n// bn_jacobi returns the Jacobi symbol of |a| and |b| (which is -1, 0 or 1), or\n// -2 on error.\nint bn_jacobi(const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx);\n\n// bn_is_bit_set_words returns one if bit |bit| is set in |a| and zero\n// otherwise.\nint bn_is_bit_set_words(const BN_ULONG *a, size_t num, size_t bit);\n\n// bn_one_to_montgomery sets |r| to one in Montgomery form. It returns one on\n// success and zero on error. This function treats the bit width of the modulus\n// as public.\nint bn_one_to_montgomery(BIGNUM *r, const BN_MONT_CTX *mont, BN_CTX *ctx);\n\n// bn_less_than_montgomery_R returns one if |bn| is less than the Montgomery R\n// value for |mont| and zero otherwise.\nint bn_less_than_montgomery_R(const BIGNUM *bn, const BN_MONT_CTX *mont);\n\n// bn_mod_u16_consttime returns |bn| mod |d|, ignoring |bn|'s sign bit. It runs\n// in time independent of the value of |bn|, but it treats |d| as public.\nOPENSSL_EXPORT uint16_t bn_mod_u16_consttime(const BIGNUM *bn, uint16_t d);\n\n// bn_odd_number_is_obviously_composite returns one if |bn| is divisible by one\n// of the first several odd primes and zero otherwise.\nint bn_odd_number_is_obviously_composite(const BIGNUM *bn);\n\n// A BN_MILLER_RABIN stores state common to each Miller-Rabin iteration. It is\n// initialized within an existing |BN_CTX| scope and may not be used after\n// that scope is released with |BN_CTX_end|. Field names match those in FIPS\n// 186-4, section C.3.1.\ntypedef struct {\n // w1 is w-1.\n BIGNUM *w1;\n // m is (w-1)/2^a.\n BIGNUM *m;\n // one_mont is 1 (mod w) in Montgomery form.\n BIGNUM *one_mont;\n // w1_mont is w-1 (mod w) in Montgomery form.\n BIGNUM *w1_mont;\n // w_bits is BN_num_bits(w).\n int w_bits;\n // a is the largest integer such that 2^a divides w-1.\n int a;\n} BN_MILLER_RABIN;\n\n// bn_miller_rabin_init initializes |miller_rabin| for testing if |mont->N| is\n// prime. It returns one on success and zero on error.\nOPENSSL_EXPORT int bn_miller_rabin_init(BN_MILLER_RABIN *miller_rabin,\n const BN_MONT_CTX *mont, BN_CTX *ctx);\n\n// bn_miller_rabin_iteration performs one Miller-Rabin iteration, checking if\n// |b| is a composite witness for |mont->N|. |miller_rabin| must have been\n// initialized with |bn_miller_rabin_setup|. On success, it returns one and sets\n// |*out_is_possibly_prime| to one if |mont->N| may still be prime or zero if\n// |b| shows it is composite. On allocation or internal failure, it returns\n// zero.\nOPENSSL_EXPORT int bn_miller_rabin_iteration(\n const BN_MILLER_RABIN *miller_rabin, int *out_is_possibly_prime,\n const BIGNUM *b, const BN_MONT_CTX *mont, BN_CTX *ctx);\n\n// bn_rshift1_words sets |r| to |a| >> 1, where both arrays are |num| bits wide.\nvoid bn_rshift1_words(BN_ULONG *r, const BN_ULONG *a, size_t num);\n\n// bn_rshift_words sets |r| to |a| >> |shift|, where both arrays are |num| bits\n// wide.\nvoid bn_rshift_words(BN_ULONG *r, const BN_ULONG *a, unsigned shift,\n size_t num);\n\n// bn_rshift_secret_shift behaves like |BN_rshift| but runs in time independent\n// of both |a| and |n|.\nOPENSSL_EXPORT int bn_rshift_secret_shift(BIGNUM *r, const BIGNUM *a,\n unsigned n, BN_CTX *ctx);\n\n// bn_reduce_once sets |r| to |a| mod |m| where 0 <= |a| < 2*|m|. It returns\n// zero if |a| < |m| and a mask of all ones if |a| >= |m|. Each array is |num|\n// words long, but |a| has an additional word specified by |carry|. |carry| must\n// be zero or one, as implied by the bounds on |a|.\n//\n// |r|, |a|, and |m| may not alias. Use |bn_reduce_once_in_place| if |r| and |a|\n// must alias.\nBN_ULONG bn_reduce_once(BN_ULONG *r, const BN_ULONG *a, BN_ULONG carry,\n const BN_ULONG *m, size_t num);\n\n// bn_reduce_once_in_place behaves like |bn_reduce_once| but acts in-place on\n// |r|, using |tmp| as scratch space. |r|, |tmp|, and |m| may not alias.\nBN_ULONG bn_reduce_once_in_place(BN_ULONG *r, BN_ULONG carry, const BN_ULONG *m,\n BN_ULONG *tmp, size_t num);\n\n\n// Constant-time non-modular arithmetic.\n//\n// The following functions implement non-modular arithmetic in constant-time\n// and pessimally set |r->width| to the largest possible word size.\n//\n// Note this means that, e.g., repeatedly multiplying by one will cause widths\n// to increase without bound. The corresponding public API functions minimize\n// their outputs to avoid regressing calculator consumers.\n\n// bn_uadd_consttime behaves like |BN_uadd|, but it pessimally sets\n// |r->width| = |a->width| + |b->width| + 1.\nint bn_uadd_consttime(BIGNUM *r, const BIGNUM *a, const BIGNUM *b);\n\n// bn_usub_consttime behaves like |BN_usub|, but it pessimally sets\n// |r->width| = |a->width|.\nint bn_usub_consttime(BIGNUM *r, const BIGNUM *a, const BIGNUM *b);\n\n// bn_abs_sub_consttime sets |r| to the absolute value of |a| - |b|, treating\n// both inputs as secret. It returns one on success and zero on error.\nOPENSSL_EXPORT int bn_abs_sub_consttime(BIGNUM *r, const BIGNUM *a,\n const BIGNUM *b, BN_CTX *ctx);\n\n// bn_mul_consttime behaves like |BN_mul|, but it rejects negative inputs and\n// pessimally sets |r->width| to |a->width| + |b->width|, to avoid leaking\n// information about |a| and |b|.\nint bn_mul_consttime(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx);\n\n// bn_sqrt_consttime behaves like |BN_sqrt|, but it pessimally sets |r->width|\n// to 2*|a->width|, to avoid leaking information about |a| and |b|.\nint bn_sqr_consttime(BIGNUM *r, const BIGNUM *a, BN_CTX *ctx);\n\n// bn_div_consttime behaves like |BN_div|, but it rejects negative inputs and\n// treats both inputs, including their magnitudes, as secret. It is, as a\n// result, much slower than |BN_div| and should only be used for rare operations\n// where Montgomery reduction is not available. |divisor_min_bits| is a\n// public lower bound for |BN_num_bits(divisor)|. When |divisor|'s bit width is\n// public, this can speed up the operation.\n//\n// Note that |quotient->width| will be set pessimally to |numerator->width|.\nOPENSSL_EXPORT int bn_div_consttime(BIGNUM *quotient, BIGNUM *remainder,\n const BIGNUM *numerator,\n const BIGNUM *divisor,\n unsigned divisor_min_bits, BN_CTX *ctx);\n\n// bn_is_relatively_prime checks whether GCD(|x|, |y|) is one. On success, it\n// returns one and sets |*out_relatively_prime| to one if the GCD was one and\n// zero otherwise. On error, it returns zero.\nOPENSSL_EXPORT int bn_is_relatively_prime(int *out_relatively_prime,\n const BIGNUM *x, const BIGNUM *y,\n BN_CTX *ctx);\n\n// bn_lcm_consttime sets |r| to LCM(|a|, |b|). It returns one and success and\n// zero on error. |a| and |b| are both treated as secret.\nOPENSSL_EXPORT int bn_lcm_consttime(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,\n BN_CTX *ctx);\n\n// bn_mont_ctx_init zero-initialies |mont|.\nvoid bn_mont_ctx_init(BN_MONT_CTX *mont);\n\n// bn_mont_ctx_cleanup releases memory associated with |mont|, without freeing\n// |mont| itself.\nvoid bn_mont_ctx_cleanup(BN_MONT_CTX *mont);\n\n\n// Constant-time modular arithmetic.\n//\n// The following functions implement basic constant-time modular arithmetic.\n\n// bn_mod_add_words sets |r| to |a| + |b| (mod |m|), using |tmp| as scratch\n// space. Each array is |num| words long. |a| and |b| must be < |m|. Any pair of\n// |r|, |a|, and |b| may alias.\nvoid bn_mod_add_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b,\n const BN_ULONG *m, BN_ULONG *tmp, size_t num);\n\n// bn_mod_add_consttime acts like |BN_mod_add_quick| but takes a |BN_CTX|.\nint bn_mod_add_consttime(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,\n const BIGNUM *m, BN_CTX *ctx);\n\n// bn_mod_sub_words sets |r| to |a| - |b| (mod |m|), using |tmp| as scratch\n// space. Each array is |num| words long. |a| and |b| must be < |m|. Any pair of\n// |r|, |a|, and |b| may alias.\nvoid bn_mod_sub_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b,\n const BN_ULONG *m, BN_ULONG *tmp, size_t num);\n\n// bn_mod_sub_consttime acts like |BN_mod_sub_quick| but takes a |BN_CTX|.\nint bn_mod_sub_consttime(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,\n const BIGNUM *m, BN_CTX *ctx);\n\n// bn_mod_lshift1_consttime acts like |BN_mod_lshift1_quick| but takes a\n// |BN_CTX|.\nint bn_mod_lshift1_consttime(BIGNUM *r, const BIGNUM *a, const BIGNUM *m,\n BN_CTX *ctx);\n\n// bn_mod_lshift_consttime acts like |BN_mod_lshift_quick| but takes a |BN_CTX|.\nint bn_mod_lshift_consttime(BIGNUM *r, const BIGNUM *a, int n, const BIGNUM *m,\n BN_CTX *ctx);\n\n// bn_mod_inverse_consttime sets |r| to |a|^-1, mod |n|. |a| must be non-\n// negative and less than |n|. It returns one on success and zero on error. On\n// failure, if the failure was caused by |a| having no inverse mod |n| then\n// |*out_no_inverse| will be set to one; otherwise it will be set to zero.\n//\n// This function treats both |a| and |n| as secret, provided they are both non-\n// zero and the inverse exists. It should only be used for even moduli where\n// none of the less general implementations are applicable.\nOPENSSL_EXPORT int bn_mod_inverse_consttime(BIGNUM *r, int *out_no_inverse,\n const BIGNUM *a, const BIGNUM *n,\n BN_CTX *ctx);\n\n// bn_mod_inverse_prime sets |out| to the modular inverse of |a| modulo |p|,\n// computed with Fermat's Little Theorem. It returns one on success and zero on\n// error. If |mont_p| is NULL, one will be computed temporarily.\nint bn_mod_inverse_prime(BIGNUM *out, const BIGNUM *a, const BIGNUM *p,\n BN_CTX *ctx, const BN_MONT_CTX *mont_p);\n\n// bn_mod_inverse_secret_prime behaves like |bn_mod_inverse_prime| but uses\n// |BN_mod_exp_mont_consttime| instead of |BN_mod_exp_mont| in hopes of\n// protecting the exponent.\nint bn_mod_inverse_secret_prime(BIGNUM *out, const BIGNUM *a, const BIGNUM *p,\n BN_CTX *ctx, const BN_MONT_CTX *mont_p);\n\n// BN_MONT_CTX_set_locked takes |lock| and checks whether |*pmont| is NULL. If\n// so, it creates a new |BN_MONT_CTX| and sets the modulus for it to |mod|. It\n// then stores it as |*pmont|. It returns one on success and zero on error. Note\n// this function assumes |mod| is public.\n//\n// If |*pmont| is already non-NULL then it does nothing and returns one.\nint BN_MONT_CTX_set_locked(BN_MONT_CTX **pmont, CRYPTO_MUTEX *lock,\n const BIGNUM *mod, BN_CTX *bn_ctx);\n\n\n// Low-level operations for small numbers.\n//\n// The following functions implement algorithms suitable for use with scalars\n// and field elements in elliptic curves. They rely on the number being small\n// both to stack-allocate various temporaries and because they do not implement\n// optimizations useful for the larger values used in RSA.\n\n// BN_SMALL_MAX_WORDS is the largest size input these functions handle. This\n// limit allows temporaries to be more easily stack-allocated. This limit is set\n// to accommodate P-521.\n#if defined(OPENSSL_32_BIT)\n#define BN_SMALL_MAX_WORDS 17\n#else\n#define BN_SMALL_MAX_WORDS 9\n#endif\n\n// bn_mul_small sets |r| to |a|*|b|. |num_r| must be |num_a| + |num_b|. |r| may\n// not alias with |a| or |b|.\nvoid bn_mul_small(BN_ULONG *r, size_t num_r, const BN_ULONG *a, size_t num_a,\n const BN_ULONG *b, size_t num_b);\n\n// bn_sqr_small sets |r| to |a|^2. |num_a| must be at most |BN_SMALL_MAX_WORDS|.\n// |num_r| must be |num_a|*2. |r| and |a| may not alias.\nvoid bn_sqr_small(BN_ULONG *r, size_t num_r, const BN_ULONG *a, size_t num_a);\n\n// In the following functions, the modulus must be at most |BN_SMALL_MAX_WORDS|\n// words long.\n\n// bn_to_montgomery_small sets |r| to |a| translated to the Montgomery domain.\n// |r| and |a| are |num| words long, which must be |mont->N.width|. |a| must be\n// fully reduced and may alias |r|.\nvoid bn_to_montgomery_small(BN_ULONG *r, const BN_ULONG *a, size_t num,\n const BN_MONT_CTX *mont);\n\n// bn_from_montgomery_small sets |r| to |a| translated out of the Montgomery\n// domain. |r| and |a| are |num_r| and |num_a| words long, respectively. |num_r|\n// must be |mont->N.width|. |a| must be at most |mont->N|^2 and may alias |r|.\n//\n// Unlike most of these functions, only |num_r| is bounded by\n// |BN_SMALL_MAX_WORDS|. |num_a| may exceed it, but must be at most 2 * |num_r|.\nvoid bn_from_montgomery_small(BN_ULONG *r, size_t num_r, const BN_ULONG *a,\n size_t num_a, const BN_MONT_CTX *mont);\n\n// bn_mod_mul_montgomery_small sets |r| to |a| * |b| mod |mont->N|. Both inputs\n// and outputs are in the Montgomery domain. Each array is |num| words long,\n// which must be |mont->N.width|. Any two of |r|, |a|, and |b| may alias. |a|\n// and |b| must be reduced on input.\nvoid bn_mod_mul_montgomery_small(BN_ULONG *r, const BN_ULONG *a,\n const BN_ULONG *b, size_t num,\n const BN_MONT_CTX *mont);\n\n// bn_mod_exp_mont_small sets |r| to |a|^|p| mod |mont->N|. It returns one on\n// success and zero on programmer or internal error. Both inputs and outputs are\n// in the Montgomery domain. |r| and |a| are |num| words long, which must be\n// |mont->N.width| and at most |BN_SMALL_MAX_WORDS|. |num_p|, measured in bits,\n// must fit in |size_t|. |a| must be fully-reduced. This function runs in time\n// independent of |a|, but |p| and |mont->N| are public values. |a| must be\n// fully-reduced and may alias with |r|.\n//\n// Note this function differs from |BN_mod_exp_mont| which uses Montgomery\n// reduction but takes input and output outside the Montgomery domain. Combine\n// this function with |bn_from_montgomery_small| and |bn_to_montgomery_small|\n// if necessary.\nvoid bn_mod_exp_mont_small(BN_ULONG *r, const BN_ULONG *a, size_t num,\n const BN_ULONG *p, size_t num_p,\n const BN_MONT_CTX *mont);\n\n// bn_mod_inverse0_prime_mont_small sets |r| to |a|^-1 mod |mont->N|. If |a| is\n// zero, |r| is set to zero. |mont->N| must be a prime. |r| and |a| are |num|\n// words long, which must be |mont->N.width| and at most |BN_SMALL_MAX_WORDS|.\n// |a| must be fully-reduced and may alias |r|. This function runs in time\n// independent of |a|, but |mont->N| is a public value.\nvoid bn_mod_inverse0_prime_mont_small(BN_ULONG *r, const BN_ULONG *a,\n size_t num, const BN_MONT_CTX *mont);\n\n\n// Word-based byte conversion functions.\n\n// bn_big_endian_to_words interprets |in_len| bytes from |in| as a big-endian,\n// unsigned integer and writes the result to |out_len| words in |out|. |out_len|\n// must be large enough to represent any |in_len|-byte value. That is, |in_len|\n// must be at most |BN_BYTES * out_len|.\nvoid bn_big_endian_to_words(BN_ULONG *out, size_t out_len, const uint8_t *in,\n size_t in_len);\n\n// bn_words_to_big_endian represents |in_len| words from |in| as a big-endian,\n// unsigned integer in |out_len| bytes. It writes the result to |out|. |out_len|\n// must be large enough to represent |in| without truncation.\n//\n// Note |out_len| may be less than |BN_BYTES * in_len| if |in| is known to have\n// leading zeros.\nvoid bn_words_to_big_endian(uint8_t *out, size_t out_len, const BN_ULONG *in,\n size_t in_len);\n\n\n#if defined(__cplusplus)\n} // extern C\n#endif\n\n#endif // OPENSSL_HEADER_BN_INTERNAL_H\n" }, { "path": "Sources/CNIOBoringSSL/crypto/fipsmodule/bn/jacobi.cc.inc", "content": "/*\n * Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n\n#include \"internal.h\"\n\n\n// least significant word\n#define BN_lsw(n) (((n)->width == 0) ? (BN_ULONG) 0 : (n)->d[0])\n\nint bn_jacobi(const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx) {\n // In 'tab', only odd-indexed entries are relevant:\n // For any odd BIGNUM n,\n // tab[BN_lsw(n) & 7]\n // is $(-1)^{(n^2-1)/8}$ (using TeX notation).\n // Note that the sign of n does not matter.\n static const int tab[8] = {0, 1, 0, -1, 0, -1, 0, 1};\n\n // The Jacobi symbol is only defined for odd modulus.\n if (!BN_is_odd(b)) {\n OPENSSL_PUT_ERROR(BN, BN_R_CALLED_WITH_EVEN_MODULUS);\n return -2;\n }\n\n // Require b be positive.\n if (BN_is_negative(b)) {\n OPENSSL_PUT_ERROR(BN, BN_R_NEGATIVE_NUMBER);\n return -2;\n }\n\n int ret = -2;\n BN_CTX_start(ctx);\n BIGNUM *A = BN_CTX_get(ctx);\n BIGNUM *B = BN_CTX_get(ctx);\n if (B == NULL) {\n goto end;\n }\n\n if (!BN_copy(A, a) ||\n !BN_copy(B, b)) {\n goto end;\n }\n\n // Adapted from logic to compute the Kronecker symbol, originally implemented\n // according to Henri Cohen, \"A Course in Computational Algebraic Number\n // Theory\" (algorithm 1.4.10).\n\n ret = 1;\n\n while (1) {\n // Cohen's step 3:\n\n // B is positive and odd\n if (BN_is_zero(A)) {\n ret = BN_is_one(B) ? ret : 0;\n goto end;\n }\n\n // now A is non-zero\n int i = 0;\n while (!BN_is_bit_set(A, i)) {\n i++;\n }\n if (!BN_rshift(A, A, i)) {\n ret = -2;\n goto end;\n }\n if (i & 1) {\n // i is odd\n // multiply 'ret' by $(-1)^{(B^2-1)/8}$\n ret = ret * tab[BN_lsw(B) & 7];\n }\n\n // Cohen's step 4:\n // multiply 'ret' by $(-1)^{(A-1)(B-1)/4}$\n if ((A->neg ? ~BN_lsw(A) : BN_lsw(A)) & BN_lsw(B) & 2) {\n ret = -ret;\n }\n\n // (A, B) := (B mod |A|, |A|)\n if (!BN_nnmod(B, B, A, ctx)) {\n ret = -2;\n goto end;\n }\n BIGNUM *tmp = A;\n A = B;\n B = tmp;\n tmp->neg = 0;\n }\n\nend:\n BN_CTX_end(ctx);\n return ret;\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/fipsmodule/bn/montgomery.cc.inc", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n#include \n#include \n#include \n\n#include \n#include \n#include \n\n#include \"../../internal.h\"\n#include \"internal.h\"\n\n\nvoid bn_mont_ctx_init(BN_MONT_CTX *mont) {\n OPENSSL_memset(mont, 0, sizeof(BN_MONT_CTX));\n BN_init(&mont->RR);\n BN_init(&mont->N);\n}\n\nvoid bn_mont_ctx_cleanup(BN_MONT_CTX *mont) {\n BN_free(&mont->RR);\n BN_free(&mont->N);\n}\n\nBN_MONT_CTX *BN_MONT_CTX_new(void) {\n BN_MONT_CTX *ret =\n reinterpret_cast(OPENSSL_malloc(sizeof(BN_MONT_CTX)));\n if (ret == NULL) {\n return NULL;\n }\n\n bn_mont_ctx_init(ret);\n return ret;\n}\n\nvoid BN_MONT_CTX_free(BN_MONT_CTX *mont) {\n if (mont == nullptr) {\n return;\n }\n bn_mont_ctx_cleanup(mont);\n OPENSSL_free(mont);\n}\n\nBN_MONT_CTX *BN_MONT_CTX_copy(BN_MONT_CTX *to, const BN_MONT_CTX *from) {\n if (to == from) {\n return to;\n }\n\n if (!BN_copy(&to->RR, &from->RR) || !BN_copy(&to->N, &from->N)) {\n return NULL;\n }\n to->n0[0] = from->n0[0];\n to->n0[1] = from->n0[1];\n return to;\n}\n\nstatic int bn_mont_ctx_set_N_and_n0(BN_MONT_CTX *mont, const BIGNUM *mod) {\n if (BN_is_zero(mod)) {\n OPENSSL_PUT_ERROR(BN, BN_R_DIV_BY_ZERO);\n return 0;\n }\n if (!BN_is_odd(mod)) {\n OPENSSL_PUT_ERROR(BN, BN_R_CALLED_WITH_EVEN_MODULUS);\n return 0;\n }\n if (BN_is_negative(mod)) {\n OPENSSL_PUT_ERROR(BN, BN_R_NEGATIVE_NUMBER);\n return 0;\n }\n if (!bn_fits_in_words(mod, BN_MONTGOMERY_MAX_WORDS)) {\n OPENSSL_PUT_ERROR(BN, BN_R_BIGNUM_TOO_LONG);\n return 0;\n }\n\n // Save the modulus.\n if (!BN_copy(&mont->N, mod)) {\n OPENSSL_PUT_ERROR(BN, ERR_R_INTERNAL_ERROR);\n return 0;\n }\n // |mont->N| is always stored minimally. Computing RR efficiently leaks the\n // size of the modulus. While the modulus may be private in RSA (one of the\n // primes), their sizes are public, so this is fine.\n bn_set_minimal_width(&mont->N);\n\n // Find n0 such that n0 * N == -1 (mod r).\n //\n // Only certain BN_BITS2<=32 platforms actually make use of n0[1]. For the\n // others, we could use a shorter R value and use faster |BN_ULONG|-based\n // math instead of |uint64_t|-based math, which would be double-precision.\n // However, currently only the assembler files know which is which.\n static_assert(BN_MONT_CTX_N0_LIMBS == 1 || BN_MONT_CTX_N0_LIMBS == 2,\n \"BN_MONT_CTX_N0_LIMBS value is invalid\");\n static_assert(sizeof(BN_ULONG) * BN_MONT_CTX_N0_LIMBS == sizeof(uint64_t),\n \"uint64_t is insufficient precision for n0\");\n uint64_t n0 = bn_mont_n0(&mont->N);\n mont->n0[0] = (BN_ULONG)n0;\n#if BN_MONT_CTX_N0_LIMBS == 2\n mont->n0[1] = (BN_ULONG)(n0 >> BN_BITS2);\n#else\n mont->n0[1] = 0;\n#endif\n return 1;\n}\n\nint BN_MONT_CTX_set(BN_MONT_CTX *mont, const BIGNUM *mod, BN_CTX *ctx) {\n if (!bn_mont_ctx_set_N_and_n0(mont, mod)) {\n return 0;\n }\n\n BN_CTX *new_ctx = NULL;\n if (ctx == NULL) {\n new_ctx = BN_CTX_new();\n if (new_ctx == NULL) {\n return 0;\n }\n ctx = new_ctx;\n }\n\n // Save RR = R**2 (mod N). R is the smallest power of 2**BN_BITS2 such that R\n // > mod. Even though the assembly on some 32-bit platforms works with 64-bit\n // values, using |BN_BITS2| here, rather than |BN_MONT_CTX_N0_LIMBS *\n // BN_BITS2|, is correct because R**2 will still be a multiple of the latter\n // as |BN_MONT_CTX_N0_LIMBS| is either one or two.\n unsigned lgBigR = mont->N.width * BN_BITS2;\n BN_zero(&mont->RR);\n int ok = BN_set_bit(&mont->RR, lgBigR * 2) &&\n BN_mod(&mont->RR, &mont->RR, &mont->N, ctx) &&\n bn_resize_words(&mont->RR, mont->N.width);\n BN_CTX_free(new_ctx);\n return ok;\n}\n\nBN_MONT_CTX *BN_MONT_CTX_new_for_modulus(const BIGNUM *mod, BN_CTX *ctx) {\n BN_MONT_CTX *mont = BN_MONT_CTX_new();\n if (mont == NULL || !BN_MONT_CTX_set(mont, mod, ctx)) {\n BN_MONT_CTX_free(mont);\n return NULL;\n }\n return mont;\n}\n\nBN_MONT_CTX *BN_MONT_CTX_new_consttime(const BIGNUM *mod, BN_CTX *ctx) {\n BN_MONT_CTX *mont = BN_MONT_CTX_new();\n if (mont == NULL || !bn_mont_ctx_set_N_and_n0(mont, mod) ||\n !bn_mont_ctx_set_RR_consttime(mont, ctx)) {\n BN_MONT_CTX_free(mont);\n return NULL;\n }\n return mont;\n}\n\nint BN_MONT_CTX_set_locked(BN_MONT_CTX **pmont, CRYPTO_MUTEX *lock,\n const BIGNUM *mod, BN_CTX *bn_ctx) {\n CRYPTO_MUTEX_lock_read(lock);\n BN_MONT_CTX *ctx = *pmont;\n CRYPTO_MUTEX_unlock_read(lock);\n\n if (ctx) {\n return 1;\n }\n\n CRYPTO_MUTEX_lock_write(lock);\n if (*pmont == NULL) {\n *pmont = BN_MONT_CTX_new_for_modulus(mod, bn_ctx);\n }\n const int ok = *pmont != NULL;\n CRYPTO_MUTEX_unlock_write(lock);\n return ok;\n}\n\nint BN_to_montgomery(BIGNUM *ret, const BIGNUM *a, const BN_MONT_CTX *mont,\n BN_CTX *ctx) {\n return BN_mod_mul_montgomery(ret, a, &mont->RR, mont, ctx);\n}\n\nstatic int bn_from_montgomery_in_place(BN_ULONG *r, size_t num_r, BN_ULONG *a,\n size_t num_a, const BN_MONT_CTX *mont) {\n const BN_ULONG *n = mont->N.d;\n size_t num_n = mont->N.width;\n if (num_r != num_n || num_a != 2 * num_n) {\n OPENSSL_PUT_ERROR(BN, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);\n return 0;\n }\n\n // Add multiples of |n| to |r| until R = 2^(nl * BN_BITS2) divides it. On\n // input, we had |r| < |n| * R, so now |r| < 2 * |n| * R. Note that |r|\n // includes |carry| which is stored separately.\n BN_ULONG n0 = mont->n0[0];\n BN_ULONG carry = 0;\n for (size_t i = 0; i < num_n; i++) {\n BN_ULONG v = bn_mul_add_words(a + i, n, num_n, a[i] * n0);\n v += carry + a[i + num_n];\n carry |= (v != a[i + num_n]);\n carry &= (v <= a[i + num_n]);\n a[i + num_n] = v;\n }\n\n // Shift |num_n| words to divide by R. We have |a| < 2 * |n|. Note that |a|\n // includes |carry| which is stored separately.\n a += num_n;\n\n // |a| thus requires at most one additional subtraction |n| to be reduced.\n bn_reduce_once(r, a, carry, n, num_n);\n return 1;\n}\n\nstatic int BN_from_montgomery_word(BIGNUM *ret, BIGNUM *r,\n const BN_MONT_CTX *mont) {\n if (r->neg) {\n OPENSSL_PUT_ERROR(BN, BN_R_NEGATIVE_NUMBER);\n return 0;\n }\n\n const BIGNUM *n = &mont->N;\n if (n->width == 0) {\n ret->width = 0;\n return 1;\n }\n\n int max = 2 * n->width; // carry is stored separately\n if (!bn_resize_words(r, max) || !bn_wexpand(ret, n->width)) {\n return 0;\n }\n\n ret->width = n->width;\n ret->neg = 0;\n return bn_from_montgomery_in_place(ret->d, ret->width, r->d, r->width, mont);\n}\n\nint BN_from_montgomery(BIGNUM *r, const BIGNUM *a, const BN_MONT_CTX *mont,\n BN_CTX *ctx) {\n int ret = 0;\n BIGNUM *t;\n\n BN_CTX_start(ctx);\n t = BN_CTX_get(ctx);\n if (t == NULL || !BN_copy(t, a)) {\n goto err;\n }\n\n ret = BN_from_montgomery_word(r, t, mont);\n\nerr:\n BN_CTX_end(ctx);\n\n return ret;\n}\n\nint bn_one_to_montgomery(BIGNUM *r, const BN_MONT_CTX *mont, BN_CTX *ctx) {\n // If the high bit of |n| is set, R = 2^(width*BN_BITS2) < 2 * |n|, so we\n // compute R - |n| rather than perform Montgomery reduction.\n const BIGNUM *n = &mont->N;\n if (n->width > 0 && (n->d[n->width - 1] >> (BN_BITS2 - 1)) != 0) {\n if (!bn_wexpand(r, n->width)) {\n return 0;\n }\n r->d[0] = 0 - n->d[0];\n for (int i = 1; i < n->width; i++) {\n r->d[i] = ~n->d[i];\n }\n r->width = n->width;\n r->neg = 0;\n return 1;\n }\n\n return BN_from_montgomery(r, &mont->RR, mont, ctx);\n}\n\nstatic int bn_mod_mul_montgomery_fallback(BIGNUM *r, const BIGNUM *a,\n const BIGNUM *b,\n const BN_MONT_CTX *mont,\n BN_CTX *ctx) {\n int ret = 0;\n\n BN_CTX_start(ctx);\n BIGNUM *tmp = BN_CTX_get(ctx);\n if (tmp == NULL) {\n goto err;\n }\n\n if (a == b) {\n if (!bn_sqr_consttime(tmp, a, ctx)) {\n goto err;\n }\n } else {\n if (!bn_mul_consttime(tmp, a, b, ctx)) {\n goto err;\n }\n }\n\n // reduce from aRR to aR\n if (!BN_from_montgomery_word(r, tmp, mont)) {\n goto err;\n }\n\n ret = 1;\n\nerr:\n BN_CTX_end(ctx);\n return ret;\n}\n\nint BN_mod_mul_montgomery(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,\n const BN_MONT_CTX *mont, BN_CTX *ctx) {\n if (a->neg || b->neg) {\n OPENSSL_PUT_ERROR(BN, BN_R_NEGATIVE_NUMBER);\n return 0;\n }\n\n#if defined(OPENSSL_BN_ASM_MONT)\n // |bn_mul_mont| requires at least 128 bits of limbs, at least for x86.\n int num = mont->N.width;\n if (num >= (128 / BN_BITS2) && a->width == num && b->width == num) {\n if (!bn_wexpand(r, num)) {\n return 0;\n }\n // This bound is implied by |bn_mont_ctx_set_N_and_n0|. |bn_mul_mont|\n // allocates |num| words on the stack, so |num| cannot be too large.\n assert((size_t)num <= BN_MONTGOMERY_MAX_WORDS);\n if (!bn_mul_mont(r->d, a->d, b->d, mont->N.d, mont->n0, num)) {\n // The check above ensures this won't happen.\n assert(0);\n OPENSSL_PUT_ERROR(BN, ERR_R_INTERNAL_ERROR);\n return 0;\n }\n r->neg = 0;\n r->width = num;\n return 1;\n }\n#endif\n\n return bn_mod_mul_montgomery_fallback(r, a, b, mont, ctx);\n}\n\nint bn_less_than_montgomery_R(const BIGNUM *bn, const BN_MONT_CTX *mont) {\n return !BN_is_negative(bn) && bn_fits_in_words(bn, mont->N.width);\n}\n\nvoid bn_to_montgomery_small(BN_ULONG *r, const BN_ULONG *a, size_t num,\n const BN_MONT_CTX *mont) {\n bn_mod_mul_montgomery_small(r, a, mont->RR.d, num, mont);\n}\n\nvoid bn_from_montgomery_small(BN_ULONG *r, size_t num_r, const BN_ULONG *a,\n size_t num_a, const BN_MONT_CTX *mont) {\n if (num_r != (size_t)mont->N.width || num_r > BN_SMALL_MAX_WORDS ||\n num_a > 2 * num_r) {\n abort();\n }\n BN_ULONG tmp[BN_SMALL_MAX_WORDS * 2] = {0};\n OPENSSL_memcpy(tmp, a, num_a * sizeof(BN_ULONG));\n if (!bn_from_montgomery_in_place(r, num_r, tmp, 2 * num_r, mont)) {\n abort();\n }\n OPENSSL_cleanse(tmp, 2 * num_r * sizeof(BN_ULONG));\n}\n\nvoid bn_mod_mul_montgomery_small(BN_ULONG *r, const BN_ULONG *a,\n const BN_ULONG *b, size_t num,\n const BN_MONT_CTX *mont) {\n if (num != (size_t)mont->N.width || num > BN_SMALL_MAX_WORDS) {\n abort();\n }\n\n#if defined(OPENSSL_BN_ASM_MONT)\n // |bn_mul_mont| requires at least 128 bits of limbs, at least for x86.\n if (num >= (128 / BN_BITS2)) {\n if (!bn_mul_mont(r, a, b, mont->N.d, mont->n0, num)) {\n abort(); // The check above ensures this won't happen.\n }\n return;\n }\n#endif\n\n // Compute the product.\n BN_ULONG tmp[2 * BN_SMALL_MAX_WORDS];\n if (a == b) {\n bn_sqr_small(tmp, 2 * num, a, num);\n } else {\n bn_mul_small(tmp, 2 * num, a, num, b, num);\n }\n\n // Reduce.\n if (!bn_from_montgomery_in_place(r, num, tmp, 2 * num, mont)) {\n abort();\n }\n OPENSSL_cleanse(tmp, 2 * num * sizeof(BN_ULONG));\n}\n\n#if defined(OPENSSL_BN_ASM_MONT) && defined(OPENSSL_X86_64)\nint bn_mul_mont(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp,\n const BN_ULONG *np, const BN_ULONG *n0, size_t num) {\n if (ap == bp && bn_sqr8x_mont_capable(num)) {\n return bn_sqr8x_mont(rp, ap, bn_mulx_adx_capable(), np, n0, num);\n }\n if (bn_mulx4x_mont_capable(num)) {\n return bn_mulx4x_mont(rp, ap, bp, np, n0, num);\n }\n if (bn_mul4x_mont_capable(num)) {\n return bn_mul4x_mont(rp, ap, bp, np, n0, num);\n }\n return bn_mul_mont_nohw(rp, ap, bp, np, n0, num);\n}\n#endif\n\n#if defined(OPENSSL_BN_ASM_MONT) && defined(OPENSSL_ARM)\nint bn_mul_mont(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp,\n const BN_ULONG *np, const BN_ULONG *n0, size_t num) {\n if (bn_mul8x_mont_neon_capable(num)) {\n return bn_mul8x_mont_neon(rp, ap, bp, np, n0, num);\n }\n return bn_mul_mont_nohw(rp, ap, bp, np, n0, num);\n}\n#endif\n" }, { "path": "Sources/CNIOBoringSSL/crypto/fipsmodule/bn/montgomery_inv.cc.inc", "content": "/* Copyright 2016 Brian Smith.\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n#include \n\n#include \n\n#include \"internal.h\"\n#include \"../../internal.h\"\n\n\nstatic uint64_t bn_neg_inv_mod_r_u64(uint64_t n);\n\nstatic_assert(BN_MONT_CTX_N0_LIMBS == 1 || BN_MONT_CTX_N0_LIMBS == 2,\n \"BN_MONT_CTX_N0_LIMBS value is invalid\");\nstatic_assert(sizeof(BN_ULONG) * BN_MONT_CTX_N0_LIMBS == sizeof(uint64_t),\n \"uint64_t is insufficient precision for n0\");\n\n// LG_LITTLE_R is log_2(r).\n#define LG_LITTLE_R (BN_MONT_CTX_N0_LIMBS * BN_BITS2)\n\nuint64_t bn_mont_n0(const BIGNUM *n) {\n // These conditions are checked by the caller, |BN_MONT_CTX_set| or\n // |BN_MONT_CTX_new_consttime|.\n assert(!BN_is_zero(n));\n assert(!BN_is_negative(n));\n assert(BN_is_odd(n));\n\n // r == 2**(BN_MONT_CTX_N0_LIMBS * BN_BITS2) and LG_LITTLE_R == lg(r). This\n // ensures that we can do integer division by |r| by simply ignoring\n // |BN_MONT_CTX_N0_LIMBS| limbs. Similarly, we can calculate values modulo\n // |r| by just looking at the lowest |BN_MONT_CTX_N0_LIMBS| limbs. This is\n // what makes Montgomery multiplication efficient.\n //\n // As shown in Algorithm 1 of \"Fast Prime Field Elliptic Curve Cryptography\n // with 256 Bit Primes\" by Shay Gueron and Vlad Krasnov, in the loop of a\n // multi-limb Montgomery multiplication of |a * b (mod n)|, given the\n // unreduced product |t == a * b|, we repeatedly calculate:\n //\n // t1 := t % r |t1| is |t|'s lowest limb (see previous paragraph).\n // t2 := t1*n0*n\n // t3 := t + t2\n // t := t3 / r copy all limbs of |t3| except the lowest to |t|.\n //\n // In the last step, it would only make sense to ignore the lowest limb of\n // |t3| if it were zero. The middle steps ensure that this is the case:\n //\n // t3 == 0 (mod r)\n // t + t2 == 0 (mod r)\n // t + t1*n0*n == 0 (mod r)\n // t1*n0*n == -t (mod r)\n // t*n0*n == -t (mod r)\n // n0*n == -1 (mod r)\n // n0 == -1/n (mod r)\n //\n // Thus, in each iteration of the loop, we multiply by the constant factor\n // |n0|, the negative inverse of n (mod r).\n\n // n_mod_r = n % r. As explained above, this is done by taking the lowest\n // |BN_MONT_CTX_N0_LIMBS| limbs of |n|.\n uint64_t n_mod_r = n->d[0];\n#if BN_MONT_CTX_N0_LIMBS == 2\n if (n->width > 1) {\n n_mod_r |= (uint64_t)n->d[1] << BN_BITS2;\n }\n#endif\n\n return bn_neg_inv_mod_r_u64(n_mod_r);\n}\n\n// bn_neg_inv_r_mod_n_u64 calculates the -1/n mod r; i.e. it calculates |v|\n// such that u*r - v*n == 1. |r| is the constant defined in |bn_mont_n0|. |n|\n// must be odd.\n//\n// This is derived from |xbinGCD| in Henry S. Warren, Jr.'s \"Montgomery\n// Multiplication\" (http://www.hackersdelight.org/MontgomeryMultiplication.pdf).\n// It is very similar to the MODULAR-INVERSE function in Stephen R. Dussé's and\n// Burton S. Kaliski Jr.'s \"A Cryptographic Library for the Motorola DSP56000\"\n// (http://link.springer.com/chapter/10.1007%2F3-540-46877-3_21).\n//\n// This is inspired by Joppe W. Bos's \"Constant Time Modular Inversion\"\n// (http://www.joppebos.com/files/CTInversion.pdf) so that the inversion is\n// constant-time with respect to |n|. We assume uint64_t additions,\n// subtractions, shifts, and bitwise operations are all constant time, which\n// may be a large leap of faith on 32-bit targets. We avoid division and\n// multiplication, which tend to be the most problematic in terms of timing\n// leaks.\n//\n// Most GCD implementations return values such that |u*r + v*n == 1|, so the\n// caller would have to negate the resultant |v| for the purpose of Montgomery\n// multiplication. This implementation does the negation implicitly by doing\n// the computations as a difference instead of a sum.\nstatic uint64_t bn_neg_inv_mod_r_u64(uint64_t n) {\n assert(n % 2 == 1);\n\n // alpha == 2**(lg r - 1) == r / 2.\n static const uint64_t alpha = UINT64_C(1) << (LG_LITTLE_R - 1);\n\n const uint64_t beta = n;\n\n uint64_t u = 1;\n uint64_t v = 0;\n\n // The invariant maintained from here on is:\n // 2**(lg r - i) == u*2*alpha - v*beta.\n for (size_t i = 0; i < LG_LITTLE_R; ++i) {\n#if BN_BITS2 == 64 && defined(BN_ULLONG)\n assert((BN_ULLONG)(1) << (LG_LITTLE_R - i) ==\n ((BN_ULLONG)u * 2 * alpha) - ((BN_ULLONG)v * beta));\n#endif\n\n // Delete a common factor of 2 in u and v if |u| is even. Otherwise, set\n // |u = (u + beta) / 2| and |v = (v / 2) + alpha|.\n\n uint64_t u_is_odd = UINT64_C(0) - (u & 1); // Either 0xff..ff or 0.\n\n // The addition can overflow, so use Dietz's method for it.\n //\n // Dietz calculates (x+y)/2 by (x⊕y)>>1 + x&y. This is valid for all\n // (unsigned) x and y, even when x+y overflows. Evidence for 32-bit values\n // (embedded in 64 bits to so that overflow can be ignored):\n //\n // (declare-fun x () (_ BitVec 64))\n // (declare-fun y () (_ BitVec 64))\n // (assert (let (\n // (one (_ bv1 64))\n // (thirtyTwo (_ bv32 64)))\n // (and\n // (bvult x (bvshl one thirtyTwo))\n // (bvult y (bvshl one thirtyTwo))\n // (not (=\n // (bvadd (bvlshr (bvxor x y) one) (bvand x y))\n // (bvlshr (bvadd x y) one)))\n // )))\n // (check-sat)\n uint64_t beta_if_u_is_odd = beta & u_is_odd; // Either |beta| or 0.\n u = ((u ^ beta_if_u_is_odd) >> 1) + (u & beta_if_u_is_odd);\n\n uint64_t alpha_if_u_is_odd = alpha & u_is_odd; // Either |alpha| or 0.\n v = (v >> 1) + alpha_if_u_is_odd;\n }\n\n // The invariant now shows that u*r - v*n == 1 since r == 2 * alpha.\n#if BN_BITS2 == 64 && defined(BN_ULLONG)\n declassify_assert(1 == ((BN_ULLONG)u * 2 * alpha) - ((BN_ULLONG)v * beta));\n#endif\n\n return v;\n}\n\nint bn_mont_ctx_set_RR_consttime(BN_MONT_CTX *mont, BN_CTX *ctx) {\n assert(!BN_is_zero(&mont->N));\n assert(!BN_is_negative(&mont->N));\n assert(BN_is_odd(&mont->N));\n assert(bn_minimal_width(&mont->N) == mont->N.width);\n\n unsigned n_bits = BN_num_bits(&mont->N);\n assert(n_bits != 0);\n if (n_bits == 1) {\n BN_zero(&mont->RR);\n return bn_resize_words(&mont->RR, mont->N.width);\n }\n\n unsigned lgBigR = mont->N.width * BN_BITS2;\n assert(lgBigR >= n_bits);\n\n // RR is R, or 2^lgBigR, in the Montgomery domain. We can compute 2 in the\n // Montgomery domain, 2R or 2^(lgBigR+1), and then use Montgomery\n // square-and-multiply to exponentiate.\n //\n // The square steps take 2^n R to (2^n)*(2^n) R = 2^2n R. This is the same as\n // doubling 2^n R, n times (doubling any x, n times, computes 2^n * x). When n\n // is below some threshold, doubling is faster; when above, squaring is\n // faster. From benchmarking various 32-bit and 64-bit architectures, the word\n // count seems to work well as a threshold. (Doubling scales linearly and\n // Montgomery reduction scales quadratically, so the threshold should scale\n // roughly linearly.)\n //\n // The multiply steps take 2^n R to 2*2^n R = 2^(n+1) R. It is faster to\n // double the value instead, so the square-and-multiply exponentiation would\n // become square-and-double. However, when using the word count as the\n // threshold, it turns out that no multiply/double steps will be needed at\n // all, because squaring any x, i times, computes x^(2^i):\n //\n // (2^threshold)^(2^BN_BITS2_LG) R\n // (2^mont->N.width)^BN_BITS2 R\n // = 2^(mont->N.width*BN_BITS2) R\n // = 2^lgBigR R\n // = RR\n int threshold = mont->N.width;\n\n // Calculate 2^threshold R = 2^(threshold + lgBigR) by doubling. The\n // first n_bits - 1 doubles can be skipped because we don't need to reduce.\n if (!BN_set_bit(&mont->RR, n_bits - 1) ||\n !bn_mod_lshift_consttime(&mont->RR, &mont->RR,\n threshold + (lgBigR - (n_bits - 1)),\n &mont->N, ctx)) {\n return 0;\n }\n\n // The above steps are the same regardless of the threshold. The steps below\n // need to be modified if the threshold changes.\n assert(threshold == mont->N.width);\n for (unsigned i = 0; i < BN_BITS2_LG; i++) {\n if (!BN_mod_mul_montgomery(&mont->RR, &mont->RR, &mont->RR, mont, ctx)) {\n return 0;\n }\n }\n\n return bn_resize_words(&mont->RR, mont->N.width);\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/fipsmodule/bn/mul.cc.inc", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n#include \n#include \n\n#include \n#include \n\n#include \"../../internal.h\"\n#include \"internal.h\"\n\n\n#define BN_MUL_RECURSIVE_SIZE_NORMAL 16\n#define BN_SQR_RECURSIVE_SIZE_NORMAL BN_MUL_RECURSIVE_SIZE_NORMAL\n\n\nstatic void bn_abs_sub_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b,\n size_t num, BN_ULONG *tmp) {\n BN_ULONG borrow = bn_sub_words(tmp, a, b, num);\n bn_sub_words(r, b, a, num);\n bn_select_words(r, 0 - borrow, r /* tmp < 0 */, tmp /* tmp >= 0 */, num);\n}\n\nstatic void bn_mul_normal(BN_ULONG *r, const BN_ULONG *a, size_t na,\n const BN_ULONG *b, size_t nb) {\n if (na < nb) {\n size_t itmp = na;\n na = nb;\n nb = itmp;\n const BN_ULONG *ltmp = a;\n a = b;\n b = ltmp;\n }\n BN_ULONG *rr = &(r[na]);\n if (nb == 0) {\n OPENSSL_memset(r, 0, na * sizeof(BN_ULONG));\n return;\n }\n rr[0] = bn_mul_words(r, a, na, b[0]);\n\n for (;;) {\n if (--nb == 0) {\n return;\n }\n rr[1] = bn_mul_add_words(&(r[1]), a, na, b[1]);\n if (--nb == 0) {\n return;\n }\n rr[2] = bn_mul_add_words(&(r[2]), a, na, b[2]);\n if (--nb == 0) {\n return;\n }\n rr[3] = bn_mul_add_words(&(r[3]), a, na, b[3]);\n if (--nb == 0) {\n return;\n }\n rr[4] = bn_mul_add_words(&(r[4]), a, na, b[4]);\n rr += 4;\n r += 4;\n b += 4;\n }\n}\n\n// bn_sub_part_words sets |r| to |a| - |b|. It returns the borrow bit, which is\n// one if the operation underflowed and zero otherwise. |cl| is the common\n// length, that is, the shorter of len(a) or len(b). |dl| is the delta length,\n// that is, len(a) - len(b). |r|'s length matches the larger of |a| and |b|, or\n// cl + abs(dl).\n//\n// TODO(davidben): Make this take |size_t|. The |cl| + |dl| calling convention\n// is confusing.\nstatic BN_ULONG bn_sub_part_words(BN_ULONG *r, const BN_ULONG *a,\n const BN_ULONG *b, int cl, int dl) {\n assert(cl >= 0);\n BN_ULONG borrow = bn_sub_words(r, a, b, cl);\n if (dl == 0) {\n return borrow;\n }\n\n r += cl;\n a += cl;\n b += cl;\n\n if (dl < 0) {\n // |a| is shorter than |b|. Complete the subtraction as if the excess words\n // in |a| were zeros.\n dl = -dl;\n for (int i = 0; i < dl; i++) {\n r[i] = CRYPTO_subc_w(0, b[i], borrow, &borrow);\n }\n } else {\n // |b| is shorter than |a|. Complete the subtraction as if the excess words\n // in |b| were zeros.\n for (int i = 0; i < dl; i++) {\n r[i] = CRYPTO_subc_w(a[i], 0, borrow, &borrow);\n }\n }\n\n return borrow;\n}\n\n// bn_abs_sub_part_words computes |r| = |a| - |b|, storing the absolute value\n// and returning a mask of all ones if the result was negative and all zeros if\n// the result was positive. |cl| and |dl| follow the |bn_sub_part_words| calling\n// convention.\n//\n// TODO(davidben): Make this take |size_t|. The |cl| + |dl| calling convention\n// is confusing.\nstatic BN_ULONG bn_abs_sub_part_words(BN_ULONG *r, const BN_ULONG *a,\n const BN_ULONG *b, int cl, int dl,\n BN_ULONG *tmp) {\n BN_ULONG borrow = bn_sub_part_words(tmp, a, b, cl, dl);\n bn_sub_part_words(r, b, a, cl, -dl);\n int r_len = cl + (dl < 0 ? -dl : dl);\n borrow = 0 - borrow;\n bn_select_words(r, borrow, r /* tmp < 0 */, tmp /* tmp >= 0 */, r_len);\n return borrow;\n}\n\nint bn_abs_sub_consttime(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,\n BN_CTX *ctx) {\n int cl = a->width < b->width ? a->width : b->width;\n int dl = a->width - b->width;\n int r_len = a->width < b->width ? b->width : a->width;\n BN_CTX_start(ctx);\n BIGNUM *tmp = BN_CTX_get(ctx);\n int ok = tmp != NULL && bn_wexpand(r, r_len) && bn_wexpand(tmp, r_len);\n if (ok) {\n bn_abs_sub_part_words(r->d, a->d, b->d, cl, dl, tmp->d);\n r->width = r_len;\n }\n BN_CTX_end(ctx);\n return ok;\n}\n\n// Karatsuba recursive multiplication algorithm\n// (cf. Knuth, The Art of Computer Programming, Vol. 2)\n\n// bn_mul_recursive sets |r| to |a| * |b|, using |t| as scratch space. |r| has\n// length 2*|n2|, |a| has length |n2| + |dna|, |b| has length |n2| + |dnb|, and\n// |t| has length 4*|n2|. |n2| must be a power of two. Finally, we must have\n// -|BN_MUL_RECURSIVE_SIZE_NORMAL|/2 <= |dna| <= 0 and\n// -|BN_MUL_RECURSIVE_SIZE_NORMAL|/2 <= |dnb| <= 0.\n//\n// TODO(davidben): Simplify and |size_t| the calling convention around lengths\n// here.\nstatic void bn_mul_recursive(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b,\n int n2, int dna, int dnb, BN_ULONG *t) {\n // |n2| is a power of two.\n assert(n2 != 0 && (n2 & (n2 - 1)) == 0);\n // Check |dna| and |dnb| are in range.\n assert(-BN_MUL_RECURSIVE_SIZE_NORMAL / 2 <= dna && dna <= 0);\n assert(-BN_MUL_RECURSIVE_SIZE_NORMAL / 2 <= dnb && dnb <= 0);\n\n // Only call bn_mul_comba 8 if n2 == 8 and the\n // two arrays are complete [steve]\n if (n2 == 8 && dna == 0 && dnb == 0) {\n bn_mul_comba8(r, a, b);\n return;\n }\n\n // Else do normal multiply\n if (n2 < BN_MUL_RECURSIVE_SIZE_NORMAL) {\n bn_mul_normal(r, a, n2 + dna, b, n2 + dnb);\n if (dna + dnb < 0) {\n OPENSSL_memset(&r[2 * n2 + dna + dnb], 0,\n sizeof(BN_ULONG) * -(dna + dnb));\n }\n return;\n }\n\n // Split |a| and |b| into a0,a1 and b0,b1, where a0 and b0 have size |n|.\n // Split |t| into t0,t1,t2,t3, each of size |n|, with the remaining 4*|n| used\n // for recursive calls.\n // Split |r| into r0,r1,r2,r3. We must contribute a0*b0 to r0,r1, a0*a1+b0*b1\n // to r1,r2, and a1*b1 to r2,r3. The middle term we will compute as:\n //\n // a0*a1 + b0*b1 = (a0 - a1)*(b1 - b0) + a1*b1 + a0*b0\n //\n // Note that we know |n| >= |BN_MUL_RECURSIVE_SIZE_NORMAL|/2 above, so\n // |tna| and |tnb| are non-negative.\n int n = n2 / 2, tna = n + dna, tnb = n + dnb;\n\n // t0 = a0 - a1 and t1 = b1 - b0. The result will be multiplied, so we XOR\n // their sign masks, giving the sign of (a0 - a1)*(b1 - b0). t0 and t1\n // themselves store the absolute value.\n BN_ULONG neg = bn_abs_sub_part_words(t, a, &a[n], tna, n - tna, &t[n2]);\n neg ^= bn_abs_sub_part_words(&t[n], &b[n], b, tnb, tnb - n, &t[n2]);\n\n // Compute:\n // t2,t3 = t0 * t1 = |(a0 - a1)*(b1 - b0)|\n // r0,r1 = a0 * b0\n // r2,r3 = a1 * b1\n if (n == 4 && dna == 0 && dnb == 0) {\n bn_mul_comba4(&t[n2], t, &t[n]);\n\n bn_mul_comba4(r, a, b);\n bn_mul_comba4(&r[n2], &a[n], &b[n]);\n } else if (n == 8 && dna == 0 && dnb == 0) {\n bn_mul_comba8(&t[n2], t, &t[n]);\n\n bn_mul_comba8(r, a, b);\n bn_mul_comba8(&r[n2], &a[n], &b[n]);\n } else {\n BN_ULONG *p = &t[n2 * 2];\n bn_mul_recursive(&t[n2], t, &t[n], n, 0, 0, p);\n bn_mul_recursive(r, a, b, n, 0, 0, p);\n bn_mul_recursive(&r[n2], &a[n], &b[n], n, dna, dnb, p);\n }\n\n // t0,t1,c = r0,r1 + r2,r3 = a0*b0 + a1*b1\n BN_ULONG c = bn_add_words(t, r, &r[n2], n2);\n\n // t2,t3,c = t0,t1,c + neg*t2,t3 = (a0 - a1)*(b1 - b0) + a1*b1 + a0*b0.\n // The second term is stored as the absolute value, so we do this with a\n // constant-time select.\n BN_ULONG c_neg = c - bn_sub_words(&t[n2 * 2], t, &t[n2], n2);\n BN_ULONG c_pos = c + bn_add_words(&t[n2], t, &t[n2], n2);\n bn_select_words(&t[n2], neg, &t[n2 * 2], &t[n2], n2);\n static_assert(sizeof(BN_ULONG) <= sizeof(crypto_word_t),\n \"crypto_word_t is too small\");\n c = constant_time_select_w(neg, c_neg, c_pos);\n\n // We now have our three components. Add them together.\n // r1,r2,c = r1,r2 + t2,t3,c\n c += bn_add_words(&r[n], &r[n], &t[n2], n2);\n\n // Propagate the carry bit to the end.\n for (int i = n + n2; i < n2 + n2; i++) {\n BN_ULONG old = r[i];\n r[i] = old + c;\n c = r[i] < old;\n }\n\n // The product should fit without carries.\n declassify_assert(c == 0);\n}\n\n// bn_mul_part_recursive sets |r| to |a| * |b|, using |t| as scratch space. |r|\n// has length 4*|n|, |a| has length |n| + |tna|, |b| has length |n| + |tnb|, and\n// |t| has length 8*|n|. |n| must be a power of two. Additionally, we must have\n// 0 <= tna < n and 0 <= tnb < n, and |tna| and |tnb| must differ by at most\n// one.\n//\n// TODO(davidben): Make this take |size_t| and perhaps the actual lengths of |a|\n// and |b|.\nstatic void bn_mul_part_recursive(BN_ULONG *r, const BN_ULONG *a,\n const BN_ULONG *b, int n, int tna, int tnb,\n BN_ULONG *t) {\n // |n| is a power of two.\n assert(n != 0 && (n & (n - 1)) == 0);\n // Check |tna| and |tnb| are in range.\n assert(0 <= tna && tna < n);\n assert(0 <= tnb && tnb < n);\n assert(-1 <= tna - tnb && tna - tnb <= 1);\n\n int n2 = n * 2;\n if (n < 8) {\n bn_mul_normal(r, a, n + tna, b, n + tnb);\n OPENSSL_memset(r + n2 + tna + tnb, 0, n2 - tna - tnb);\n return;\n }\n\n // Split |a| and |b| into a0,a1 and b0,b1, where a0 and b0 have size |n|. |a1|\n // and |b1| have size |tna| and |tnb|, respectively.\n // Split |t| into t0,t1,t2,t3, each of size |n|, with the remaining 4*|n| used\n // for recursive calls.\n // Split |r| into r0,r1,r2,r3. We must contribute a0*b0 to r0,r1, a0*a1+b0*b1\n // to r1,r2, and a1*b1 to r2,r3. The middle term we will compute as:\n //\n // a0*a1 + b0*b1 = (a0 - a1)*(b1 - b0) + a1*b1 + a0*b0\n\n // t0 = a0 - a1 and t1 = b1 - b0. The result will be multiplied, so we XOR\n // their sign masks, giving the sign of (a0 - a1)*(b1 - b0). t0 and t1\n // themselves store the absolute value.\n BN_ULONG neg = bn_abs_sub_part_words(t, a, &a[n], tna, n - tna, &t[n2]);\n neg ^= bn_abs_sub_part_words(&t[n], &b[n], b, tnb, tnb - n, &t[n2]);\n\n // Compute:\n // t2,t3 = t0 * t1 = |(a0 - a1)*(b1 - b0)|\n // r0,r1 = a0 * b0\n // r2,r3 = a1 * b1\n if (n == 8) {\n bn_mul_comba8(&t[n2], t, &t[n]);\n bn_mul_comba8(r, a, b);\n\n bn_mul_normal(&r[n2], &a[n], tna, &b[n], tnb);\n // |bn_mul_normal| only writes |tna| + |tna| words. Zero the rest.\n OPENSSL_memset(&r[n2 + tna + tnb], 0, sizeof(BN_ULONG) * (n2 - tna - tnb));\n } else {\n BN_ULONG *p = &t[n2 * 2];\n bn_mul_recursive(&t[n2], t, &t[n], n, 0, 0, p);\n bn_mul_recursive(r, a, b, n, 0, 0, p);\n\n OPENSSL_memset(&r[n2], 0, sizeof(BN_ULONG) * n2);\n if (tna < BN_MUL_RECURSIVE_SIZE_NORMAL &&\n tnb < BN_MUL_RECURSIVE_SIZE_NORMAL) {\n bn_mul_normal(&r[n2], &a[n], tna, &b[n], tnb);\n } else {\n int i = n;\n for (;;) {\n i /= 2;\n if (i < tna || i < tnb) {\n // E.g., n == 16, i == 8 and tna == 11. |tna| and |tnb| are within one\n // of each other, so if |tna| is larger and tna > i, then we know\n // tnb >= i, and this call is valid.\n bn_mul_part_recursive(&r[n2], &a[n], &b[n], i, tna - i, tnb - i, p);\n break;\n }\n if (i == tna || i == tnb) {\n // If there is only a bottom half to the number, just do it. We know\n // the larger of |tna - i| and |tnb - i| is zero. The other is zero or\n // -1 by because of |tna| and |tnb| differ by at most one.\n bn_mul_recursive(&r[n2], &a[n], &b[n], i, tna - i, tnb - i, p);\n break;\n }\n\n // This loop will eventually terminate when |i| falls below\n // |BN_MUL_RECURSIVE_SIZE_NORMAL| because we know one of |tna| and |tnb|\n // exceeds that.\n }\n }\n }\n\n // t0,t1,c = r0,r1 + r2,r3 = a0*b0 + a1*b1\n BN_ULONG c = bn_add_words(t, r, &r[n2], n2);\n\n // t2,t3,c = t0,t1,c + neg*t2,t3 = (a0 - a1)*(b1 - b0) + a1*b1 + a0*b0.\n // The second term is stored as the absolute value, so we do this with a\n // constant-time select.\n BN_ULONG c_neg = c - bn_sub_words(&t[n2 * 2], t, &t[n2], n2);\n BN_ULONG c_pos = c + bn_add_words(&t[n2], t, &t[n2], n2);\n bn_select_words(&t[n2], neg, &t[n2 * 2], &t[n2], n2);\n static_assert(sizeof(BN_ULONG) <= sizeof(crypto_word_t),\n \"crypto_word_t is too small\");\n c = constant_time_select_w(neg, c_neg, c_pos);\n\n // We now have our three components. Add them together.\n // r1,r2,c = r1,r2 + t2,t3,c\n c += bn_add_words(&r[n], &r[n], &t[n2], n2);\n\n // Propagate the carry bit to the end.\n for (int i = n + n2; i < n2 + n2; i++) {\n BN_ULONG old = r[i];\n r[i] = old + c;\n c = r[i] < old;\n }\n\n // The product should fit without carries.\n declassify_assert(c == 0);\n}\n\n// bn_mul_impl implements |BN_mul| and |bn_mul_consttime|. Note this function\n// breaks |BIGNUM| invariants and may return a negative zero. This is handled by\n// the callers.\nstatic int bn_mul_impl(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,\n BN_CTX *ctx) {\n int al = a->width;\n int bl = b->width;\n if (al == 0 || bl == 0) {\n BN_zero(r);\n return 1;\n }\n\n int ret = 0, i, top;\n BIGNUM *rr;\n BN_CTX_start(ctx);\n if (r == a || r == b) {\n rr = BN_CTX_get(ctx);\n if (rr == NULL) {\n goto err;\n }\n } else {\n rr = r;\n }\n rr->neg = a->neg ^ b->neg;\n\n i = al - bl;\n if (i == 0) {\n if (al == 8) {\n if (!bn_wexpand(rr, 16)) {\n goto err;\n }\n rr->width = 16;\n bn_mul_comba8(rr->d, a->d, b->d);\n goto end;\n }\n }\n\n top = al + bl;\n static const int kMulNormalSize = 16;\n if (al >= kMulNormalSize && bl >= kMulNormalSize) {\n if (-1 <= i && i <= 1) {\n // Find the largest power of two less than or equal to the larger length.\n int j;\n if (i >= 0) {\n j = BN_num_bits_word((BN_ULONG)al);\n } else {\n j = BN_num_bits_word((BN_ULONG)bl);\n }\n j = 1 << (j - 1);\n assert(j <= al || j <= bl);\n BIGNUM *t = BN_CTX_get(ctx);\n if (t == NULL) {\n goto err;\n }\n if (al > j || bl > j) {\n // We know |al| and |bl| are at most one from each other, so if al > j,\n // bl >= j, and vice versa. Thus we can use |bn_mul_part_recursive|.\n //\n // TODO(davidben): This codepath is almost unused in standard\n // algorithms. Is this optimization necessary? See notes in\n // https://boringssl-review.googlesource.com/q/I0bd604e2cd6a75c266f64476c23a730ca1721ea6\n assert(al >= j && bl >= j);\n if (!bn_wexpand(t, j * 8) || !bn_wexpand(rr, j * 4)) {\n goto err;\n }\n bn_mul_part_recursive(rr->d, a->d, b->d, j, al - j, bl - j, t->d);\n } else {\n // al <= j && bl <= j. Additionally, we know j <= al or j <= bl, so one\n // of al - j or bl - j is zero. The other, by the bound on |i| above, is\n // zero or -1. Thus, we can use |bn_mul_recursive|.\n if (!bn_wexpand(t, j * 4) || !bn_wexpand(rr, j * 2)) {\n goto err;\n }\n bn_mul_recursive(rr->d, a->d, b->d, j, al - j, bl - j, t->d);\n }\n rr->width = top;\n goto end;\n }\n }\n\n if (!bn_wexpand(rr, top)) {\n goto err;\n }\n rr->width = top;\n bn_mul_normal(rr->d, a->d, al, b->d, bl);\n\nend:\n if (r != rr && !BN_copy(r, rr)) {\n goto err;\n }\n ret = 1;\n\nerr:\n BN_CTX_end(ctx);\n return ret;\n}\n\nint BN_mul(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx) {\n if (!bn_mul_impl(r, a, b, ctx)) {\n return 0;\n }\n\n // This additionally fixes any negative zeros created by |bn_mul_impl|.\n bn_set_minimal_width(r);\n return 1;\n}\n\nint bn_mul_consttime(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx) {\n // Prevent negative zeros.\n if (a->neg || b->neg) {\n OPENSSL_PUT_ERROR(BN, BN_R_NEGATIVE_NUMBER);\n return 0;\n }\n\n return bn_mul_impl(r, a, b, ctx);\n}\n\nvoid bn_mul_small(BN_ULONG *r, size_t num_r, const BN_ULONG *a, size_t num_a,\n const BN_ULONG *b, size_t num_b) {\n if (num_r != num_a + num_b) {\n abort();\n }\n // TODO(davidben): Should this call |bn_mul_comba4| too? |BN_mul| does not\n // hit that code.\n if (num_a == 8 && num_b == 8) {\n bn_mul_comba8(r, a, b);\n } else {\n bn_mul_normal(r, a, num_a, b, num_b);\n }\n}\n\n// tmp must have 2*n words\nstatic void bn_sqr_normal(BN_ULONG *r, const BN_ULONG *a, size_t n,\n BN_ULONG *tmp) {\n if (n == 0) {\n return;\n }\n\n size_t max = n * 2;\n const BN_ULONG *ap = a;\n BN_ULONG *rp = r;\n rp[0] = rp[max - 1] = 0;\n rp++;\n\n // Compute the contribution of a[i] * a[j] for all i < j.\n if (n > 1) {\n ap++;\n rp[n - 1] = bn_mul_words(rp, ap, n - 1, ap[-1]);\n rp += 2;\n }\n if (n > 2) {\n for (size_t i = n - 2; i > 0; i--) {\n ap++;\n rp[i] = bn_mul_add_words(rp, ap, i, ap[-1]);\n rp += 2;\n }\n }\n\n // The final result fits in |max| words, so none of the following operations\n // will overflow.\n\n // Double |r|, giving the contribution of a[i] * a[j] for all i != j.\n bn_add_words(r, r, r, max);\n\n // Add in the contribution of a[i] * a[i] for all i.\n bn_sqr_words(tmp, a, n);\n bn_add_words(r, r, tmp, max);\n}\n\n// bn_sqr_recursive sets |r| to |a|^2, using |t| as scratch space. |r| has\n// length 2*|n2|, |a| has length |n2|, and |t| has length 4*|n2|. |n2| must be\n// a power of two.\nstatic void bn_sqr_recursive(BN_ULONG *r, const BN_ULONG *a, size_t n2,\n BN_ULONG *t) {\n // |n2| is a power of two.\n assert(n2 != 0 && (n2 & (n2 - 1)) == 0);\n\n if (n2 == 4) {\n bn_sqr_comba4(r, a);\n return;\n }\n if (n2 == 8) {\n bn_sqr_comba8(r, a);\n return;\n }\n if (n2 < BN_SQR_RECURSIVE_SIZE_NORMAL) {\n bn_sqr_normal(r, a, n2, t);\n return;\n }\n\n // Split |a| into a0,a1, each of size |n|.\n // Split |t| into t0,t1,t2,t3, each of size |n|, with the remaining 4*|n| used\n // for recursive calls.\n // Split |r| into r0,r1,r2,r3. We must contribute a0^2 to r0,r1, 2*a0*a1 to\n // r1,r2, and a1^2 to r2,r3.\n size_t n = n2 / 2;\n BN_ULONG *t_recursive = &t[n2 * 2];\n\n // t0 = |a0 - a1|.\n bn_abs_sub_words(t, a, &a[n], n, &t[n]);\n // t2,t3 = t0^2 = |a0 - a1|^2 = a0^2 - 2*a0*a1 + a1^2\n bn_sqr_recursive(&t[n2], t, n, t_recursive);\n\n // r0,r1 = a0^2\n bn_sqr_recursive(r, a, n, t_recursive);\n\n // r2,r3 = a1^2\n bn_sqr_recursive(&r[n2], &a[n], n, t_recursive);\n\n // t0,t1,c = r0,r1 + r2,r3 = a0^2 + a1^2\n BN_ULONG c = bn_add_words(t, r, &r[n2], n2);\n // t2,t3,c = t0,t1,c - t2,t3 = 2*a0*a1\n c -= bn_sub_words(&t[n2], t, &t[n2], n2);\n\n // We now have our three components. Add them together.\n // r1,r2,c = r1,r2 + t2,t3,c\n c += bn_add_words(&r[n], &r[n], &t[n2], n2);\n\n // Propagate the carry bit to the end.\n for (size_t i = n + n2; i < n2 + n2; i++) {\n BN_ULONG old = r[i];\n r[i] = old + c;\n c = r[i] < old;\n }\n\n // The square should fit without carries.\n assert(c == 0);\n}\n\nint BN_mul_word(BIGNUM *bn, BN_ULONG w) {\n if (!bn->width) {\n return 1;\n }\n\n if (w == 0) {\n BN_zero(bn);\n return 1;\n }\n\n BN_ULONG ll = bn_mul_words(bn->d, bn->d, bn->width, w);\n if (ll) {\n if (!bn_wexpand(bn, bn->width + 1)) {\n return 0;\n }\n bn->d[bn->width++] = ll;\n }\n\n return 1;\n}\n\nint bn_sqr_consttime(BIGNUM *r, const BIGNUM *a, BN_CTX *ctx) {\n int al = a->width;\n if (al <= 0) {\n r->width = 0;\n r->neg = 0;\n return 1;\n }\n\n int ret = 0, max;\n BN_CTX_start(ctx);\n BIGNUM *rr = (a != r) ? r : BN_CTX_get(ctx);\n BIGNUM *tmp = BN_CTX_get(ctx);\n if (!rr || !tmp) {\n goto err;\n }\n\n max = 2 * al; // Non-zero (from above)\n if (!bn_wexpand(rr, max)) {\n goto err;\n }\n\n if (al == 4) {\n bn_sqr_comba4(rr->d, a->d);\n } else if (al == 8) {\n bn_sqr_comba8(rr->d, a->d);\n } else {\n if (al < BN_SQR_RECURSIVE_SIZE_NORMAL) {\n BN_ULONG t[BN_SQR_RECURSIVE_SIZE_NORMAL * 2];\n bn_sqr_normal(rr->d, a->d, al, t);\n } else {\n // If |al| is a power of two, we can use |bn_sqr_recursive|.\n if (al != 0 && (al & (al - 1)) == 0) {\n if (!bn_wexpand(tmp, al * 4)) {\n goto err;\n }\n bn_sqr_recursive(rr->d, a->d, al, tmp->d);\n } else {\n if (!bn_wexpand(tmp, max)) {\n goto err;\n }\n bn_sqr_normal(rr->d, a->d, al, tmp->d);\n }\n }\n }\n\n rr->neg = 0;\n rr->width = max;\n\n if (rr != r && !BN_copy(r, rr)) {\n goto err;\n }\n ret = 1;\n\nerr:\n BN_CTX_end(ctx);\n return ret;\n}\n\nint BN_sqr(BIGNUM *r, const BIGNUM *a, BN_CTX *ctx) {\n if (!bn_sqr_consttime(r, a, ctx)) {\n return 0;\n }\n\n bn_set_minimal_width(r);\n return 1;\n}\n\nvoid bn_sqr_small(BN_ULONG *r, size_t num_r, const BN_ULONG *a, size_t num_a) {\n if (num_r != 2 * num_a || num_a > BN_SMALL_MAX_WORDS) {\n abort();\n }\n if (num_a == 4) {\n bn_sqr_comba4(r, a);\n } else if (num_a == 8) {\n bn_sqr_comba8(r, a);\n } else {\n BN_ULONG tmp[2 * BN_SMALL_MAX_WORDS];\n bn_sqr_normal(r, a, num_a, tmp);\n OPENSSL_cleanse(tmp, 2 * num_a * sizeof(BN_ULONG));\n }\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/fipsmodule/bn/prime.cc.inc", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n#include \n\n#include \"../../internal.h\"\n#include \"internal.h\"\n\n\n// kPrimes contains the first 1024 primes.\nstatic const uint16_t kPrimes[] = {\n 2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37,\n 41, 43, 47, 53, 59, 61, 67, 71, 73, 79, 83, 89,\n 97, 101, 103, 107, 109, 113, 127, 131, 137, 139, 149, 151,\n 157, 163, 167, 173, 179, 181, 191, 193, 197, 199, 211, 223,\n 227, 229, 233, 239, 241, 251, 257, 263, 269, 271, 277, 281,\n 283, 293, 307, 311, 313, 317, 331, 337, 347, 349, 353, 359,\n 367, 373, 379, 383, 389, 397, 401, 409, 419, 421, 431, 433,\n 439, 443, 449, 457, 461, 463, 467, 479, 487, 491, 499, 503,\n 509, 521, 523, 541, 547, 557, 563, 569, 571, 577, 587, 593,\n 599, 601, 607, 613, 617, 619, 631, 641, 643, 647, 653, 659,\n 661, 673, 677, 683, 691, 701, 709, 719, 727, 733, 739, 743,\n 751, 757, 761, 769, 773, 787, 797, 809, 811, 821, 823, 827,\n 829, 839, 853, 857, 859, 863, 877, 881, 883, 887, 907, 911,\n 919, 929, 937, 941, 947, 953, 967, 971, 977, 983, 991, 997,\n 1009, 1013, 1019, 1021, 1031, 1033, 1039, 1049, 1051, 1061, 1063, 1069,\n 1087, 1091, 1093, 1097, 1103, 1109, 1117, 1123, 1129, 1151, 1153, 1163,\n 1171, 1181, 1187, 1193, 1201, 1213, 1217, 1223, 1229, 1231, 1237, 1249,\n 1259, 1277, 1279, 1283, 1289, 1291, 1297, 1301, 1303, 1307, 1319, 1321,\n 1327, 1361, 1367, 1373, 1381, 1399, 1409, 1423, 1427, 1429, 1433, 1439,\n 1447, 1451, 1453, 1459, 1471, 1481, 1483, 1487, 1489, 1493, 1499, 1511,\n 1523, 1531, 1543, 1549, 1553, 1559, 1567, 1571, 1579, 1583, 1597, 1601,\n 1607, 1609, 1613, 1619, 1621, 1627, 1637, 1657, 1663, 1667, 1669, 1693,\n 1697, 1699, 1709, 1721, 1723, 1733, 1741, 1747, 1753, 1759, 1777, 1783,\n 1787, 1789, 1801, 1811, 1823, 1831, 1847, 1861, 1867, 1871, 1873, 1877,\n 1879, 1889, 1901, 1907, 1913, 1931, 1933, 1949, 1951, 1973, 1979, 1987,\n 1993, 1997, 1999, 2003, 2011, 2017, 2027, 2029, 2039, 2053, 2063, 2069,\n 2081, 2083, 2087, 2089, 2099, 2111, 2113, 2129, 2131, 2137, 2141, 2143,\n 2153, 2161, 2179, 2203, 2207, 2213, 2221, 2237, 2239, 2243, 2251, 2267,\n 2269, 2273, 2281, 2287, 2293, 2297, 2309, 2311, 2333, 2339, 2341, 2347,\n 2351, 2357, 2371, 2377, 2381, 2383, 2389, 2393, 2399, 2411, 2417, 2423,\n 2437, 2441, 2447, 2459, 2467, 2473, 2477, 2503, 2521, 2531, 2539, 2543,\n 2549, 2551, 2557, 2579, 2591, 2593, 2609, 2617, 2621, 2633, 2647, 2657,\n 2659, 2663, 2671, 2677, 2683, 2687, 2689, 2693, 2699, 2707, 2711, 2713,\n 2719, 2729, 2731, 2741, 2749, 2753, 2767, 2777, 2789, 2791, 2797, 2801,\n 2803, 2819, 2833, 2837, 2843, 2851, 2857, 2861, 2879, 2887, 2897, 2903,\n 2909, 2917, 2927, 2939, 2953, 2957, 2963, 2969, 2971, 2999, 3001, 3011,\n 3019, 3023, 3037, 3041, 3049, 3061, 3067, 3079, 3083, 3089, 3109, 3119,\n 3121, 3137, 3163, 3167, 3169, 3181, 3187, 3191, 3203, 3209, 3217, 3221,\n 3229, 3251, 3253, 3257, 3259, 3271, 3299, 3301, 3307, 3313, 3319, 3323,\n 3329, 3331, 3343, 3347, 3359, 3361, 3371, 3373, 3389, 3391, 3407, 3413,\n 3433, 3449, 3457, 3461, 3463, 3467, 3469, 3491, 3499, 3511, 3517, 3527,\n 3529, 3533, 3539, 3541, 3547, 3557, 3559, 3571, 3581, 3583, 3593, 3607,\n 3613, 3617, 3623, 3631, 3637, 3643, 3659, 3671, 3673, 3677, 3691, 3697,\n 3701, 3709, 3719, 3727, 3733, 3739, 3761, 3767, 3769, 3779, 3793, 3797,\n 3803, 3821, 3823, 3833, 3847, 3851, 3853, 3863, 3877, 3881, 3889, 3907,\n 3911, 3917, 3919, 3923, 3929, 3931, 3943, 3947, 3967, 3989, 4001, 4003,\n 4007, 4013, 4019, 4021, 4027, 4049, 4051, 4057, 4073, 4079, 4091, 4093,\n 4099, 4111, 4127, 4129, 4133, 4139, 4153, 4157, 4159, 4177, 4201, 4211,\n 4217, 4219, 4229, 4231, 4241, 4243, 4253, 4259, 4261, 4271, 4273, 4283,\n 4289, 4297, 4327, 4337, 4339, 4349, 4357, 4363, 4373, 4391, 4397, 4409,\n 4421, 4423, 4441, 4447, 4451, 4457, 4463, 4481, 4483, 4493, 4507, 4513,\n 4517, 4519, 4523, 4547, 4549, 4561, 4567, 4583, 4591, 4597, 4603, 4621,\n 4637, 4639, 4643, 4649, 4651, 4657, 4663, 4673, 4679, 4691, 4703, 4721,\n 4723, 4729, 4733, 4751, 4759, 4783, 4787, 4789, 4793, 4799, 4801, 4813,\n 4817, 4831, 4861, 4871, 4877, 4889, 4903, 4909, 4919, 4931, 4933, 4937,\n 4943, 4951, 4957, 4967, 4969, 4973, 4987, 4993, 4999, 5003, 5009, 5011,\n 5021, 5023, 5039, 5051, 5059, 5077, 5081, 5087, 5099, 5101, 5107, 5113,\n 5119, 5147, 5153, 5167, 5171, 5179, 5189, 5197, 5209, 5227, 5231, 5233,\n 5237, 5261, 5273, 5279, 5281, 5297, 5303, 5309, 5323, 5333, 5347, 5351,\n 5381, 5387, 5393, 5399, 5407, 5413, 5417, 5419, 5431, 5437, 5441, 5443,\n 5449, 5471, 5477, 5479, 5483, 5501, 5503, 5507, 5519, 5521, 5527, 5531,\n 5557, 5563, 5569, 5573, 5581, 5591, 5623, 5639, 5641, 5647, 5651, 5653,\n 5657, 5659, 5669, 5683, 5689, 5693, 5701, 5711, 5717, 5737, 5741, 5743,\n 5749, 5779, 5783, 5791, 5801, 5807, 5813, 5821, 5827, 5839, 5843, 5849,\n 5851, 5857, 5861, 5867, 5869, 5879, 5881, 5897, 5903, 5923, 5927, 5939,\n 5953, 5981, 5987, 6007, 6011, 6029, 6037, 6043, 6047, 6053, 6067, 6073,\n 6079, 6089, 6091, 6101, 6113, 6121, 6131, 6133, 6143, 6151, 6163, 6173,\n 6197, 6199, 6203, 6211, 6217, 6221, 6229, 6247, 6257, 6263, 6269, 6271,\n 6277, 6287, 6299, 6301, 6311, 6317, 6323, 6329, 6337, 6343, 6353, 6359,\n 6361, 6367, 6373, 6379, 6389, 6397, 6421, 6427, 6449, 6451, 6469, 6473,\n 6481, 6491, 6521, 6529, 6547, 6551, 6553, 6563, 6569, 6571, 6577, 6581,\n 6599, 6607, 6619, 6637, 6653, 6659, 6661, 6673, 6679, 6689, 6691, 6701,\n 6703, 6709, 6719, 6733, 6737, 6761, 6763, 6779, 6781, 6791, 6793, 6803,\n 6823, 6827, 6829, 6833, 6841, 6857, 6863, 6869, 6871, 6883, 6899, 6907,\n 6911, 6917, 6947, 6949, 6959, 6961, 6967, 6971, 6977, 6983, 6991, 6997,\n 7001, 7013, 7019, 7027, 7039, 7043, 7057, 7069, 7079, 7103, 7109, 7121,\n 7127, 7129, 7151, 7159, 7177, 7187, 7193, 7207, 7211, 7213, 7219, 7229,\n 7237, 7243, 7247, 7253, 7283, 7297, 7307, 7309, 7321, 7331, 7333, 7349,\n 7351, 7369, 7393, 7411, 7417, 7433, 7451, 7457, 7459, 7477, 7481, 7487,\n 7489, 7499, 7507, 7517, 7523, 7529, 7537, 7541, 7547, 7549, 7559, 7561,\n 7573, 7577, 7583, 7589, 7591, 7603, 7607, 7621, 7639, 7643, 7649, 7669,\n 7673, 7681, 7687, 7691, 7699, 7703, 7717, 7723, 7727, 7741, 7753, 7757,\n 7759, 7789, 7793, 7817, 7823, 7829, 7841, 7853, 7867, 7873, 7877, 7879,\n 7883, 7901, 7907, 7919, 7927, 7933, 7937, 7949, 7951, 7963, 7993, 8009,\n 8011, 8017, 8039, 8053, 8059, 8069, 8081, 8087, 8089, 8093, 8101, 8111,\n 8117, 8123, 8147, 8161,\n};\n\n// BN_prime_checks_for_size returns the number of Miller-Rabin iterations\n// necessary for generating a 'bits'-bit candidate prime.\n//\n//\n// This table is generated using the algorithm of FIPS PUB 186-4\n// Digital Signature Standard (DSS), section F.1, page 117.\n// (https://doi.org/10.6028/NIST.FIPS.186-4)\n// The following magma script was used to generate the output:\n// securitybits:=125;\n// k:=1024;\n// for t:=1 to 65 do\n// for M:=3 to Floor(2*Sqrt(k-1)-1) do\n// S:=0;\n// // Sum over m\n// for m:=3 to M do\n// s:=0;\n// // Sum over j\n// for j:=2 to m do\n// s+:=(RealField(32)!2)^-(j+(k-1)/j);\n// end for;\n// S+:=2^(m-(m-1)*t)*s;\n// end for;\n// A:=2^(k-2-M*t);\n// B:=8*(Pi(RealField(32))^2-6)/3*2^(k-2)*S;\n// pkt:=2.00743*Log(2)*k*2^-k*(A+B);\n// seclevel:=Floor(-Log(2,pkt));\n// if seclevel ge securitybits then\n// printf \"k: %5o, security: %o bits (t: %o, M: %o)\\n\",k,seclevel,t,M;\n// break;\n// end if;\n// end for;\n// if seclevel ge securitybits then break; end if;\n// end for;\n//\n// It can be run online at: http://magma.maths.usyd.edu.au/calc\n// And will output:\n// k: 1024, security: 129 bits (t: 6, M: 23)\n// k is the number of bits of the prime, securitybits is the level we want to\n// reach.\n// prime length | RSA key size | # MR tests | security level\n// -------------+--------------|------------+---------------\n// (b) >= 6394 | >= 12788 | 3 | 256 bit\n// (b) >= 3747 | >= 7494 | 3 | 192 bit\n// (b) >= 1345 | >= 2690 | 4 | 128 bit\n// (b) >= 1080 | >= 2160 | 5 | 128 bit\n// (b) >= 852 | >= 1704 | 5 | 112 bit\n// (b) >= 476 | >= 952 | 5 | 80 bit\n// (b) >= 400 | >= 800 | 6 | 80 bit\n// (b) >= 347 | >= 694 | 7 | 80 bit\n// (b) >= 308 | >= 616 | 8 | 80 bit\n// (b) >= 55 | >= 110 | 27 | 64 bit\n// (b) >= 6 | >= 12 | 34 | 64 bit\nstatic int BN_prime_checks_for_size(int bits) {\n if (bits >= 3747) {\n return 3;\n }\n if (bits >= 1345) {\n return 4;\n }\n if (bits >= 476) {\n return 5;\n }\n if (bits >= 400) {\n return 6;\n }\n if (bits >= 347) {\n return 7;\n }\n if (bits >= 308) {\n return 8;\n }\n if (bits >= 55) {\n return 27;\n }\n return 34;\n}\n\n// num_trial_division_primes returns the number of primes to try with trial\n// division before using more expensive checks. For larger numbers, the value\n// of excluding a candidate with trial division is larger.\nstatic size_t num_trial_division_primes(const BIGNUM *n) {\n if (n->width * BN_BITS2 > 1024) {\n return OPENSSL_ARRAY_SIZE(kPrimes);\n }\n return OPENSSL_ARRAY_SIZE(kPrimes) / 2;\n}\n\n// BN_PRIME_CHECKS_BLINDED is the iteration count for blinding the constant-time\n// primality test. See |BN_primality_test| for details. This number is selected\n// so that, for a candidate N-bit RSA prime, picking |BN_PRIME_CHECKS_BLINDED|\n// random N-bit numbers will have at least |BN_prime_checks_for_size(N)| values\n// in range with high probability.\n//\n// The following Python script computes the blinding factor needed for the\n// corresponding iteration count.\n/*\nimport math\n\n# We choose candidate RSA primes between sqrt(2)/2 * 2^N and 2^N and select\n# witnesses by generating random N-bit numbers. Thus the probability of\n# selecting one in range is at least sqrt(2)/2.\np = math.sqrt(2) / 2\n\n# Target around 2^-8 probability of the blinding being insufficient given that\n# key generation is a one-time, noisy operation.\nepsilon = 2**-8\n\ndef choose(a, b):\n r = 1\n for i in xrange(b):\n r *= a - i\n r /= (i + 1)\n return r\n\ndef failure_rate(min_uniform, iterations):\n \"\"\" Returns the probability that, for |iterations| candidate witnesses, fewer\n than |min_uniform| of them will be uniform. \"\"\"\n prob = 0.0\n for i in xrange(min_uniform):\n prob += (choose(iterations, i) *\n p**i * (1-p)**(iterations - i))\n return prob\n\nfor min_uniform in (3, 4, 5, 6, 8, 13, 19, 28):\n # Find the smallest number of iterations under the target failure rate.\n iterations = min_uniform\n while True:\n prob = failure_rate(min_uniform, iterations)\n if prob < epsilon:\n print min_uniform, iterations, prob\n break\n iterations += 1\n\nOutput:\n 3 9 0.00368894873911\n 4 11 0.00363319494662\n 5 13 0.00336215573898\n 6 15 0.00300145783158\n 8 19 0.00225214119331\n 13 27 0.00385610026955\n 19 38 0.0021410539126\n 28 52 0.00325405801769\n\n16 iterations suffices for 400-bit primes and larger (6 uniform samples needed),\nwhich is already well below the minimum acceptable key size for RSA.\n*/\n#define BN_PRIME_CHECKS_BLINDED 16\n\nstatic int probable_prime(BIGNUM *rnd, int bits);\nstatic int probable_prime_dh(BIGNUM *rnd, int bits, const BIGNUM *add,\n const BIGNUM *rem, BN_CTX *ctx);\nstatic int probable_prime_dh_safe(BIGNUM *rnd, int bits, const BIGNUM *add,\n const BIGNUM *rem, BN_CTX *ctx);\n\nBN_GENCB *BN_GENCB_new(void) {\n return reinterpret_cast(OPENSSL_zalloc(sizeof(BN_GENCB)));\n}\n\nvoid BN_GENCB_free(BN_GENCB *callback) { OPENSSL_free(callback); }\n\nvoid BN_GENCB_set(BN_GENCB *callback,\n int (*f)(int event, int n, struct bn_gencb_st *), void *arg) {\n callback->callback = f;\n callback->arg = arg;\n}\n\nint BN_GENCB_call(BN_GENCB *callback, int event, int n) {\n if (!callback) {\n return 1;\n }\n\n return callback->callback(event, n, callback);\n}\n\nvoid *BN_GENCB_get_arg(const BN_GENCB *callback) { return callback->arg; }\n\nint BN_generate_prime_ex(BIGNUM *ret, int bits, int safe, const BIGNUM *add,\n const BIGNUM *rem, BN_GENCB *cb) {\n BIGNUM *t;\n int found = 0;\n int i, j, c1 = 0;\n BN_CTX *ctx;\n int checks = BN_prime_checks_for_size(bits);\n\n if (bits < 2) {\n // There are no prime numbers this small.\n OPENSSL_PUT_ERROR(BN, BN_R_BITS_TOO_SMALL);\n return 0;\n } else if (bits == 2 && safe) {\n // The smallest safe prime (7) is three bits.\n OPENSSL_PUT_ERROR(BN, BN_R_BITS_TOO_SMALL);\n return 0;\n }\n\n ctx = BN_CTX_new();\n if (ctx == NULL) {\n goto err;\n }\n BN_CTX_start(ctx);\n t = BN_CTX_get(ctx);\n if (!t) {\n goto err;\n }\n\nloop:\n // make a random number and set the top and bottom bits\n if (add == NULL) {\n if (!probable_prime(ret, bits)) {\n goto err;\n }\n } else {\n if (safe) {\n if (!probable_prime_dh_safe(ret, bits, add, rem, ctx)) {\n goto err;\n }\n } else {\n if (!probable_prime_dh(ret, bits, add, rem, ctx)) {\n goto err;\n }\n }\n }\n\n if (!BN_GENCB_call(cb, BN_GENCB_GENERATED, c1++)) {\n // aborted\n goto err;\n }\n\n if (!safe) {\n i = BN_is_prime_fasttest_ex(ret, checks, ctx, 0, cb);\n if (i == -1) {\n goto err;\n } else if (i == 0) {\n goto loop;\n }\n } else {\n // for \"safe prime\" generation, check that (p-1)/2 is prime. Since a prime\n // is odd, We just need to divide by 2\n if (!BN_rshift1(t, ret)) {\n goto err;\n }\n\n // Interleave |ret| and |t|'s primality tests to avoid paying the full\n // iteration count on |ret| only to quickly discover |t| is composite.\n //\n // TODO(davidben): This doesn't quite work because an iteration count of 1\n // still runs the blinding mechanism.\n for (i = 0; i < checks; i++) {\n j = BN_is_prime_fasttest_ex(ret, 1, ctx, 0, NULL);\n if (j == -1) {\n goto err;\n } else if (j == 0) {\n goto loop;\n }\n\n j = BN_is_prime_fasttest_ex(t, 1, ctx, 0, NULL);\n if (j == -1) {\n goto err;\n } else if (j == 0) {\n goto loop;\n }\n\n if (!BN_GENCB_call(cb, BN_GENCB_PRIME_TEST, i)) {\n goto err;\n }\n // We have a safe prime test pass\n }\n }\n\n // we have a prime :-)\n found = 1;\n\nerr:\n if (ctx != NULL) {\n BN_CTX_end(ctx);\n BN_CTX_free(ctx);\n }\n\n return found;\n}\n\nstatic int bn_trial_division(uint16_t *out, const BIGNUM *bn) {\n const size_t num_primes = num_trial_division_primes(bn);\n for (size_t i = 1; i < num_primes; i++) {\n // During RSA key generation, |bn| may be secret, but only if |bn| was\n // prime, so it is safe to leak failed trial divisions.\n if (constant_time_declassify_int(bn_mod_u16_consttime(bn, kPrimes[i]) ==\n 0)) {\n *out = kPrimes[i];\n return 1;\n }\n }\n return 0;\n}\n\nint bn_odd_number_is_obviously_composite(const BIGNUM *bn) {\n uint16_t prime;\n return bn_trial_division(&prime, bn) && !BN_is_word(bn, prime);\n}\n\nint bn_miller_rabin_init(BN_MILLER_RABIN *miller_rabin, const BN_MONT_CTX *mont,\n BN_CTX *ctx) {\n // This function corresponds to steps 1 through 3 of FIPS 186-4, C.3.1.\n const BIGNUM *w = &mont->N;\n // Note we do not call |BN_CTX_start| in this function. We intentionally\n // allocate values in the containing scope so they outlive this function.\n miller_rabin->w1 = BN_CTX_get(ctx);\n miller_rabin->m = BN_CTX_get(ctx);\n miller_rabin->one_mont = BN_CTX_get(ctx);\n miller_rabin->w1_mont = BN_CTX_get(ctx);\n if (miller_rabin->w1 == NULL || //\n miller_rabin->m == NULL || //\n miller_rabin->one_mont == NULL || //\n miller_rabin->w1_mont == NULL) {\n return 0;\n }\n\n // See FIPS 186-4, C.3.1, steps 1 through 3.\n if (!bn_usub_consttime(miller_rabin->w1, w, BN_value_one())) {\n return 0;\n }\n miller_rabin->a = BN_count_low_zero_bits(miller_rabin->w1);\n if (!bn_rshift_secret_shift(miller_rabin->m, miller_rabin->w1,\n miller_rabin->a, ctx)) {\n return 0;\n }\n miller_rabin->w_bits = BN_num_bits(w);\n\n // Precompute some values in Montgomery form.\n if (!bn_one_to_montgomery(miller_rabin->one_mont, mont, ctx) ||\n // w - 1 is -1 mod w, so we can compute it in the Montgomery domain, -R,\n // with a subtraction. (|one_mont| cannot be zero.)\n !bn_usub_consttime(miller_rabin->w1_mont, w, miller_rabin->one_mont)) {\n return 0;\n }\n\n return 1;\n}\n\nint bn_miller_rabin_iteration(const BN_MILLER_RABIN *miller_rabin,\n int *out_is_possibly_prime, const BIGNUM *b,\n const BN_MONT_CTX *mont, BN_CTX *ctx) {\n // This function corresponds to steps 4.3 through 4.5 of FIPS 186-4, C.3.1.\n int ret = 0;\n BN_CTX_start(ctx);\n\n // Step 4.3. We use Montgomery-encoding for better performance and to avoid\n // timing leaks.\n const BIGNUM *w = &mont->N;\n BIGNUM *z = BN_CTX_get(ctx);\n crypto_word_t is_possibly_prime;\n if (z == NULL ||\n !BN_mod_exp_mont_consttime(z, b, miller_rabin->m, w, ctx, mont) ||\n !BN_to_montgomery(z, z, mont, ctx)) {\n goto err;\n }\n\n // is_possibly_prime is all ones if we have determined |b| is not a composite\n // witness for |w|. This is equivalent to going to step 4.7 in the original\n // algorithm. To avoid timing leaks, we run the algorithm to the end for prime\n // inputs.\n is_possibly_prime = 0;\n\n // Step 4.4. If z = 1 or z = w-1, b is not a composite witness and w is still\n // possibly prime.\n is_possibly_prime = BN_equal_consttime(z, miller_rabin->one_mont) |\n BN_equal_consttime(z, miller_rabin->w1_mont);\n is_possibly_prime = 0 - is_possibly_prime; // Make it all zeros or all ones.\n\n // Step 4.5.\n //\n // To avoid leaking |a|, we run the loop to |w_bits| and mask off all\n // iterations once |j| = |a|.\n for (int j = 1; j < miller_rabin->w_bits; j++) {\n if (constant_time_declassify_w(constant_time_eq_int(j, miller_rabin->a) &\n ~is_possibly_prime)) {\n // If the loop is done and we haven't seen z = 1 or z = w-1 yet, the\n // value is composite and we can break in variable time.\n break;\n }\n\n // Step 4.5.1.\n if (!BN_mod_mul_montgomery(z, z, z, mont, ctx)) {\n goto err;\n }\n\n // Step 4.5.2. If z = w-1 and the loop is not done, this is not a composite\n // witness.\n crypto_word_t z_is_w1_mont = BN_equal_consttime(z, miller_rabin->w1_mont);\n z_is_w1_mont = 0 - z_is_w1_mont; // Make it all zeros or all ones.\n is_possibly_prime |= z_is_w1_mont; // Go to step 4.7 if |z_is_w1_mont|.\n\n // Step 4.5.3. If z = 1 and the loop is not done, the previous value of z\n // was not -1. There are no non-trivial square roots of 1 modulo a prime, so\n // w is composite and we may exit in variable time.\n if (constant_time_declassify_w(\n BN_equal_consttime(z, miller_rabin->one_mont) &\n ~is_possibly_prime)) {\n break;\n }\n }\n\n *out_is_possibly_prime = constant_time_declassify_w(is_possibly_prime) & 1;\n ret = 1;\n\nerr:\n BN_CTX_end(ctx);\n return ret;\n}\n\nint BN_primality_test(int *out_is_probably_prime, const BIGNUM *w, int checks,\n BN_CTX *ctx, int do_trial_division, BN_GENCB *cb) {\n // This function's secrecy and performance requirements come from RSA key\n // generation. We generate RSA keys by selecting two large, secret primes with\n // rejection sampling.\n //\n // We thus treat |w| as secret if turns out to be a large prime. However, if\n // |w| is composite, we treat this and |w| itself as public. (Conversely, if\n // |w| is prime, that it is prime is public. Only the value is secret.) This\n // is fine for RSA key generation, but note it is important that we use\n // rejection sampling, with each candidate prime chosen independently. This\n // would not work for, e.g., an algorithm which looked for primes in\n // consecutive integers. These assumptions allow us to discard composites\n // quickly. We additionally treat |w| as public when it is a small prime to\n // simplify trial decryption and some edge cases.\n //\n // One RSA key generation will call this function on exactly two primes and\n // many more composites. The overall cost is a combination of several factors:\n //\n // 1. Checking if |w| is divisible by a small prime is much faster than\n // learning it is composite by Miller-Rabin (see below for details on that\n // cost). Trial division by p saves 1/p of Miller-Rabin calls, so this is\n // worthwhile until p exceeds the ratio of the two costs.\n //\n // 2. For a random (i.e. non-adversarial) candidate large prime and candidate\n // witness, the probability of false witness is very low. (This is why FIPS\n // 186-4 only requires a few iterations.) Thus composites not discarded by\n // trial decryption, in practice, cost one Miller-Rabin iteration. Only the\n // two actual primes cost the full iteration count.\n //\n // 3. A Miller-Rabin iteration is a modular exponentiation plus |a| additional\n // modular squares, where |a| is the number of factors of two in |w-1|. |a|\n // is likely small (the distribution falls exponentially), but it is also\n // potentially secret, so we loop up to its log(w) upper bound when |w| is\n // prime. When |w| is composite, we break early, so only two calls pay this\n // cost. (Note that all calls pay the modular exponentiation which is,\n // itself, log(w) modular multiplications and squares.)\n //\n // 4. While there are only two prime calls, they multiplicatively pay the full\n // costs of (2) and (3).\n //\n // 5. After the primes are chosen, RSA keys derive some values from the\n // primes, but this cost is negligible in comparison.\n\n *out_is_probably_prime = 0;\n\n if (BN_cmp(w, BN_value_one()) <= 0) {\n return 1;\n }\n\n if (!BN_is_odd(w)) {\n // The only even prime is two.\n *out_is_probably_prime = BN_is_word(w, 2);\n return 1;\n }\n\n // Miller-Rabin does not work for three.\n if (BN_is_word(w, 3)) {\n *out_is_probably_prime = 1;\n return 1;\n }\n\n if (do_trial_division) {\n // Perform additional trial division checks to discard small primes.\n uint16_t prime;\n if (bn_trial_division(&prime, w)) {\n *out_is_probably_prime = BN_is_word(w, prime);\n return 1;\n }\n if (!BN_GENCB_call(cb, BN_GENCB_PRIME_TEST, -1)) {\n return 0;\n }\n }\n\n if (checks == BN_prime_checks_for_generation) {\n checks = BN_prime_checks_for_size(BN_num_bits(w));\n }\n\n BN_CTX *new_ctx = NULL;\n if (ctx == NULL) {\n new_ctx = BN_CTX_new();\n if (new_ctx == NULL) {\n return 0;\n }\n ctx = new_ctx;\n }\n\n // See C.3.1 from FIPS 186-4.\n int ret = 0;\n BN_CTX_start(ctx);\n BIGNUM *b = BN_CTX_get(ctx);\n BN_MONT_CTX *mont = BN_MONT_CTX_new_consttime(w, ctx);\n BN_MILLER_RABIN miller_rabin;\n crypto_word_t uniform_iterations = 0;\n if (b == NULL || mont == NULL ||\n // Steps 1-3.\n !bn_miller_rabin_init(&miller_rabin, mont, ctx)) {\n goto err;\n }\n\n // The following loop performs in inner iteration of the Miller-Rabin\n // Primality test (Step 4).\n //\n // The algorithm as specified in FIPS 186-4 leaks information on |w|, the RSA\n // private key. Instead, we run through each iteration unconditionally,\n // performing modular multiplications, masking off any effects to behave\n // equivalently to the specified algorithm.\n //\n // We also blind the number of values of |b| we try. Steps 4.1–4.2 say to\n // discard out-of-range values. To avoid leaking information on |w|, we use\n // |bn_rand_secret_range| which, rather than discarding bad values, adjusts\n // them to be in range. Though not uniformly selected, these adjusted values\n // are still usable as Miller-Rabin checks.\n //\n // Miller-Rabin is already probabilistic, so we could reach the desired\n // confidence levels by just suitably increasing the iteration count. However,\n // to align with FIPS 186-4, we use a more pessimal analysis: we do not count\n // the non-uniform values towards the iteration count. As a result, this\n // function is more complex and has more timing risk than necessary.\n //\n // We count both total iterations and uniform ones and iterate until we've\n // reached at least |BN_PRIME_CHECKS_BLINDED| and |iterations|, respectively.\n // If the latter is large enough, it will be the limiting factor with high\n // probability and we won't leak information.\n //\n // Note this blinding does not impact most calls when picking primes because\n // composites are rejected early. Only the two secret primes see extra work.\n\n // Using |constant_time_lt_w| seems to prevent the compiler from optimizing\n // this into two jumps.\n for (int i = 1; constant_time_declassify_w(\n (i <= BN_PRIME_CHECKS_BLINDED) |\n constant_time_lt_w(uniform_iterations, checks));\n i++) {\n // Step 4.1-4.2\n int is_uniform;\n if (!bn_rand_secret_range(b, &is_uniform, 2, miller_rabin.w1)) {\n goto err;\n }\n uniform_iterations += is_uniform;\n\n // Steps 4.3-4.5\n int is_possibly_prime = 0;\n if (!bn_miller_rabin_iteration(&miller_rabin, &is_possibly_prime, b, mont,\n ctx)) {\n goto err;\n }\n\n if (!is_possibly_prime) {\n // Step 4.6. We did not see z = w-1 before z = 1, so w must be composite.\n *out_is_probably_prime = 0;\n ret = 1;\n goto err;\n }\n\n // Step 4.7\n if (!BN_GENCB_call(cb, BN_GENCB_PRIME_TEST, i - 1)) {\n goto err;\n }\n }\n\n declassify_assert(uniform_iterations >= (crypto_word_t)checks);\n *out_is_probably_prime = 1;\n ret = 1;\n\nerr:\n BN_MONT_CTX_free(mont);\n BN_CTX_end(ctx);\n BN_CTX_free(new_ctx);\n return ret;\n}\n\nint BN_is_prime_ex(const BIGNUM *candidate, int checks, BN_CTX *ctx,\n BN_GENCB *cb) {\n return BN_is_prime_fasttest_ex(candidate, checks, ctx, 0, cb);\n}\n\nint BN_is_prime_fasttest_ex(const BIGNUM *a, int checks, BN_CTX *ctx,\n int do_trial_division, BN_GENCB *cb) {\n int is_probably_prime;\n if (!BN_primality_test(&is_probably_prime, a, checks, ctx, do_trial_division,\n cb)) {\n return -1;\n }\n return is_probably_prime;\n}\n\nint BN_enhanced_miller_rabin_primality_test(\n enum bn_primality_result_t *out_result, const BIGNUM *w, int checks,\n BN_CTX *ctx, BN_GENCB *cb) {\n // Enhanced Miller-Rabin is only valid on odd integers greater than 3.\n if (!BN_is_odd(w) || BN_cmp_word(w, 3) <= 0) {\n OPENSSL_PUT_ERROR(BN, BN_R_INVALID_INPUT);\n return 0;\n }\n\n if (checks == BN_prime_checks_for_generation) {\n checks = BN_prime_checks_for_size(BN_num_bits(w));\n }\n\n int ret = 0;\n BN_MONT_CTX *mont = NULL;\n\n BN_CTX_start(ctx);\n\n BIGNUM *w1 = BN_CTX_get(ctx);\n BIGNUM *b, *g, *z, *x, *x1, *m;\n int a;\n if (w1 == NULL || !BN_copy(w1, w) || !BN_sub_word(w1, 1)) {\n goto err;\n }\n\n // Write w1 as m*2^a (Steps 1 and 2).\n a = 0;\n while (!BN_is_bit_set(w1, a)) {\n a++;\n }\n m = BN_CTX_get(ctx);\n if (m == NULL || !BN_rshift(m, w1, a)) {\n goto err;\n }\n\n b = BN_CTX_get(ctx);\n g = BN_CTX_get(ctx);\n z = BN_CTX_get(ctx);\n x = BN_CTX_get(ctx);\n x1 = BN_CTX_get(ctx);\n if (b == NULL || g == NULL || z == NULL || x == NULL || x1 == NULL) {\n goto err;\n }\n\n // Montgomery setup for computations mod w\n mont = BN_MONT_CTX_new_for_modulus(w, ctx);\n if (mont == NULL) {\n goto err;\n }\n\n // The following loop performs in inner iteration of the Enhanced Miller-Rabin\n // Primality test (Step 4).\n for (int i = 1; i <= checks; i++) {\n // Step 4.1-4.2\n if (!BN_rand_range_ex(b, 2, w1)) {\n goto err;\n }\n\n // Step 4.3-4.4\n if (!BN_gcd(g, b, w, ctx)) {\n goto err;\n }\n if (BN_cmp_word(g, 1) > 0) {\n *out_result = bn_composite;\n ret = 1;\n goto err;\n }\n\n // Step 4.5\n if (!BN_mod_exp_mont(z, b, m, w, ctx, mont)) {\n goto err;\n }\n\n // Step 4.6\n if (BN_is_one(z) || BN_cmp(z, w1) == 0) {\n goto loop;\n }\n\n // Step 4.7\n for (int j = 1; j < a; j++) {\n if (!BN_copy(x, z) || !BN_mod_mul(z, x, x, w, ctx)) {\n goto err;\n }\n if (BN_cmp(z, w1) == 0) {\n goto loop;\n }\n if (BN_is_one(z)) {\n goto composite;\n }\n }\n\n // Step 4.8-4.9\n if (!BN_copy(x, z) || !BN_mod_mul(z, x, x, w, ctx)) {\n goto err;\n }\n\n // Step 4.10-4.11\n if (!BN_is_one(z) && !BN_copy(x, z)) {\n goto err;\n }\n\n composite:\n // Step 4.12-4.14\n if (!BN_copy(x1, x) || !BN_sub_word(x1, 1) || !BN_gcd(g, x1, w, ctx)) {\n goto err;\n }\n if (BN_cmp_word(g, 1) > 0) {\n *out_result = bn_composite;\n } else {\n *out_result = bn_non_prime_power_composite;\n }\n\n ret = 1;\n goto err;\n\n loop:\n // Step 4.15\n if (!BN_GENCB_call(cb, BN_GENCB_PRIME_TEST, i - 1)) {\n goto err;\n }\n }\n\n *out_result = bn_probably_prime;\n ret = 1;\n\nerr:\n BN_MONT_CTX_free(mont);\n BN_CTX_end(ctx);\n\n return ret;\n}\n\nstatic int probable_prime(BIGNUM *rnd, int bits) {\n do {\n if (!BN_rand(rnd, bits, BN_RAND_TOP_TWO, BN_RAND_BOTTOM_ODD)) {\n return 0;\n }\n } while (bn_odd_number_is_obviously_composite(rnd));\n return 1;\n}\n\nstatic int probable_prime_dh(BIGNUM *rnd, int bits, const BIGNUM *add,\n const BIGNUM *rem, BN_CTX *ctx) {\n int ret = 0;\n BIGNUM *t1;\n\n BN_CTX_start(ctx);\n size_t num_primes;\n if ((t1 = BN_CTX_get(ctx)) == NULL) {\n goto err;\n }\n\n if (!BN_rand(rnd, bits, BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ODD)) {\n goto err;\n }\n\n // we need ((rnd-rem) % add) == 0\n\n if (!BN_mod(t1, rnd, add, ctx)) {\n goto err;\n }\n if (!BN_sub(rnd, rnd, t1)) {\n goto err;\n }\n if (rem == NULL) {\n if (!BN_add_word(rnd, 1)) {\n goto err;\n }\n } else {\n if (!BN_add(rnd, rnd, rem)) {\n goto err;\n }\n }\n // we now have a random number 'rand' to test.\n\n num_primes = num_trial_division_primes(rnd);\nloop:\n for (size_t i = 1; i < num_primes; i++) {\n // check that rnd is a prime\n if (bn_mod_u16_consttime(rnd, kPrimes[i]) <= 1) {\n if (!BN_add(rnd, rnd, add)) {\n goto err;\n }\n goto loop;\n }\n }\n\n ret = 1;\n\nerr:\n BN_CTX_end(ctx);\n return ret;\n}\n\nstatic int probable_prime_dh_safe(BIGNUM *p, int bits, const BIGNUM *padd,\n const BIGNUM *rem, BN_CTX *ctx) {\n int ret = 0;\n BIGNUM *t1, *qadd, *q;\n\n bits--;\n BN_CTX_start(ctx);\n t1 = BN_CTX_get(ctx);\n q = BN_CTX_get(ctx);\n qadd = BN_CTX_get(ctx);\n size_t num_primes;\n if (qadd == NULL) {\n goto err;\n }\n\n if (!BN_rshift1(qadd, padd)) {\n goto err;\n }\n\n if (!BN_rand(q, bits, BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ODD)) {\n goto err;\n }\n\n // we need ((rnd-rem) % add) == 0\n if (!BN_mod(t1, q, qadd, ctx)) {\n goto err;\n }\n\n if (!BN_sub(q, q, t1)) {\n goto err;\n }\n\n if (rem == NULL) {\n if (!BN_add_word(q, 1)) {\n goto err;\n }\n } else {\n if (!BN_rshift1(t1, rem)) {\n goto err;\n }\n if (!BN_add(q, q, t1)) {\n goto err;\n }\n }\n\n // we now have a random number 'rand' to test.\n if (!BN_lshift1(p, q)) {\n goto err;\n }\n if (!BN_add_word(p, 1)) {\n goto err;\n }\n\n num_primes = num_trial_division_primes(p);\nloop:\n for (size_t i = 1; i < num_primes; i++) {\n // check that p and q are prime\n // check that for p and q\n // gcd(p-1,primes) == 1 (except for 2)\n if (bn_mod_u16_consttime(p, kPrimes[i]) == 0 ||\n bn_mod_u16_consttime(q, kPrimes[i]) == 0) {\n if (!BN_add(p, p, padd)) {\n goto err;\n }\n if (!BN_add(q, q, qadd)) {\n goto err;\n }\n goto loop;\n }\n }\n\n ret = 1;\n\nerr:\n BN_CTX_end(ctx);\n return ret;\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/fipsmodule/bn/random.cc.inc", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n#include \n#include \n\n#include \n\n#include \"../../internal.h\"\n#include \"../bcm_interface.h\"\n#include \"../service_indicator/internal.h\"\n#include \"internal.h\"\n\n\nint BN_rand(BIGNUM *rnd, int bits, int top, int bottom) {\n if (rnd == NULL) {\n return 0;\n }\n\n if (top != BN_RAND_TOP_ANY && top != BN_RAND_TOP_ONE &&\n top != BN_RAND_TOP_TWO) {\n OPENSSL_PUT_ERROR(BN, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);\n return 0;\n }\n\n if (bottom != BN_RAND_BOTTOM_ANY && bottom != BN_RAND_BOTTOM_ODD) {\n OPENSSL_PUT_ERROR(BN, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);\n return 0;\n }\n\n if (bits == 0) {\n BN_zero(rnd);\n return 1;\n }\n\n if (bits > INT_MAX - (BN_BITS2 - 1)) {\n OPENSSL_PUT_ERROR(BN, BN_R_BIGNUM_TOO_LONG);\n return 0;\n }\n\n int words = (bits + BN_BITS2 - 1) / BN_BITS2;\n int bit = (bits - 1) % BN_BITS2;\n const BN_ULONG kOne = 1;\n const BN_ULONG kThree = 3;\n BN_ULONG mask = bit < BN_BITS2 - 1 ? (kOne << (bit + 1)) - 1 : BN_MASK2;\n if (!bn_wexpand(rnd, words)) {\n return 0;\n }\n\n FIPS_service_indicator_lock_state();\n BCM_rand_bytes((uint8_t *)rnd->d, words * sizeof(BN_ULONG));\n FIPS_service_indicator_unlock_state();\n\n rnd->d[words - 1] &= mask;\n if (top != BN_RAND_TOP_ANY) {\n if (top == BN_RAND_TOP_TWO && bits > 1) {\n if (bit == 0) {\n rnd->d[words - 1] |= 1;\n rnd->d[words - 2] |= kOne << (BN_BITS2 - 1);\n } else {\n rnd->d[words - 1] |= kThree << (bit - 1);\n }\n } else {\n rnd->d[words - 1] |= kOne << bit;\n }\n }\n if (bottom == BN_RAND_BOTTOM_ODD) {\n rnd->d[0] |= 1;\n }\n\n rnd->neg = 0;\n rnd->width = words;\n return 1;\n}\n\nint BN_pseudo_rand(BIGNUM *rnd, int bits, int top, int bottom) {\n return BN_rand(rnd, bits, top, bottom);\n}\n\n// bn_less_than_word_mask returns a mask of all ones if the number represented\n// by |len| words at |a| is less than |b| and zero otherwise. It performs this\n// computation in time independent of the value of |a|. |b| is assumed public.\nstatic crypto_word_t bn_less_than_word_mask(const BN_ULONG *a, size_t len,\n BN_ULONG b) {\n if (b == 0) {\n return CONSTTIME_FALSE_W;\n }\n if (len == 0) {\n return CONSTTIME_TRUE_W;\n }\n\n // |a| < |b| iff a[1..len-1] are all zero and a[0] < b.\n static_assert(sizeof(BN_ULONG) <= sizeof(crypto_word_t),\n \"crypto_word_t is too small\");\n crypto_word_t mask = 0;\n for (size_t i = 1; i < len; i++) {\n mask |= a[i];\n }\n // |mask| is now zero iff a[1..len-1] are all zero.\n mask = constant_time_is_zero_w(mask);\n mask &= constant_time_lt_w(a[0], b);\n return mask;\n}\n\nint bn_in_range_words(const BN_ULONG *a, BN_ULONG min_inclusive,\n const BN_ULONG *max_exclusive, size_t len) {\n crypto_word_t mask = ~bn_less_than_word_mask(a, len, min_inclusive);\n return mask & bn_less_than_words(a, max_exclusive, len);\n}\n\nstatic int bn_range_to_mask(size_t *out_words, BN_ULONG *out_mask,\n size_t min_inclusive, const BN_ULONG *max_exclusive,\n size_t len) {\n // The magnitude of |max_exclusive| is assumed public.\n size_t words = len;\n while (words > 0 && max_exclusive[words - 1] == 0) {\n words--;\n }\n if (words == 0 || (words == 1 && max_exclusive[0] <= min_inclusive)) {\n OPENSSL_PUT_ERROR(BN, BN_R_INVALID_RANGE);\n return 0;\n }\n BN_ULONG mask = max_exclusive[words - 1];\n // This sets all bits in |mask| below the most significant bit.\n mask |= mask >> 1;\n mask |= mask >> 2;\n mask |= mask >> 4;\n mask |= mask >> 8;\n mask |= mask >> 16;\n#if defined(OPENSSL_64_BIT)\n mask |= mask >> 32;\n#endif\n\n *out_words = words;\n *out_mask = mask;\n return 1;\n}\n\nint bn_rand_range_words(BN_ULONG *out, BN_ULONG min_inclusive,\n const BN_ULONG *max_exclusive, size_t len,\n const uint8_t additional_data[32]) {\n // This function implements the equivalent of steps 4 through 7 of FIPS 186-4\n // appendices B.4.2 and B.5.2. When called in those contexts, |max_exclusive|\n // is n and |min_inclusive| is one.\n\n // Compute the bit length of |max_exclusive| (step 1), in terms of a number of\n // |words| worth of entropy to fill and a mask of bits to clear in the top\n // word.\n size_t words;\n BN_ULONG mask;\n if (!bn_range_to_mask(&words, &mask, min_inclusive, max_exclusive, len)) {\n return 0;\n }\n\n // Fill any unused words with zero.\n OPENSSL_memset(out + words, 0, (len - words) * sizeof(BN_ULONG));\n\n unsigned count = 100;\n do {\n if (!--count) {\n OPENSSL_PUT_ERROR(BN, BN_R_TOO_MANY_ITERATIONS);\n return 0;\n }\n\n // Steps 4 and 5. Use |words| and |mask| together to obtain a string of N\n // bits, where N is the bit length of |max_exclusive|.\n FIPS_service_indicator_lock_state();\n BCM_rand_bytes_with_additional_data(\n (uint8_t *)out, words * sizeof(BN_ULONG), additional_data);\n FIPS_service_indicator_unlock_state();\n out[words - 1] &= mask;\n\n // If out >= max_exclusive or out < min_inclusive, retry. This implements\n // the equivalent of steps 6 and 7 without leaking the value of |out|. The\n // result of this comparison may be treated as public. It only reveals how\n // many attempts were needed before we found a value in range. This is\n // independent of the final secret output, and has a distribution that\n // depends only on |min_inclusive| and |max_exclusive|, both of which are\n // public.\n } while (!constant_time_declassify_int(\n bn_in_range_words(out, min_inclusive, max_exclusive, words)));\n return 1;\n}\n\nint BN_rand_range_ex(BIGNUM *r, BN_ULONG min_inclusive,\n const BIGNUM *max_exclusive) {\n static const uint8_t kDefaultAdditionalData[32] = {0};\n if (!bn_wexpand(r, max_exclusive->width) ||\n !bn_rand_range_words(r->d, min_inclusive, max_exclusive->d,\n max_exclusive->width, kDefaultAdditionalData)) {\n return 0;\n }\n\n r->neg = 0;\n r->width = max_exclusive->width;\n return 1;\n}\n\nint bn_rand_secret_range(BIGNUM *r, int *out_is_uniform, BN_ULONG min_inclusive,\n const BIGNUM *max_exclusive) {\n size_t words;\n BN_ULONG mask;\n if (!bn_range_to_mask(&words, &mask, min_inclusive, max_exclusive->d,\n max_exclusive->width) ||\n !bn_wexpand(r, words)) {\n return 0;\n }\n\n assert(words > 0);\n assert(mask != 0);\n // The range must be large enough for bit tricks to fix invalid values.\n if (words == 1 && min_inclusive > mask >> 1) {\n OPENSSL_PUT_ERROR(BN, BN_R_INVALID_RANGE);\n return 0;\n }\n\n // Select a uniform random number with num_bits(max_exclusive) bits.\n FIPS_service_indicator_lock_state();\n BCM_rand_bytes((uint8_t *)r->d, words * sizeof(BN_ULONG));\n FIPS_service_indicator_unlock_state();\n r->d[words - 1] &= mask;\n\n // Check, in constant-time, if the value is in range.\n *out_is_uniform =\n bn_in_range_words(r->d, min_inclusive, max_exclusive->d, words);\n crypto_word_t in_range = *out_is_uniform;\n in_range = 0 - in_range;\n\n // If the value is not in range, force it to be in range.\n r->d[0] |= constant_time_select_w(in_range, 0, min_inclusive);\n r->d[words - 1] &= constant_time_select_w(in_range, BN_MASK2, mask >> 1);\n declassify_assert(\n bn_in_range_words(r->d, min_inclusive, max_exclusive->d, words));\n\n r->neg = 0;\n r->width = (int)words;\n return 1;\n}\n\nint BN_rand_range(BIGNUM *r, const BIGNUM *range) {\n return BN_rand_range_ex(r, 0, range);\n}\n\nint BN_pseudo_rand_range(BIGNUM *r, const BIGNUM *range) {\n return BN_rand_range(r, range);\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/fipsmodule/bn/rsaz_exp.cc.inc", "content": "/*\n * Copyright 2013-2016 The OpenSSL Project Authors. All Rights Reserved.\n * Copyright (c) 2012, Intel Corporation. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n *\n * Originally written by Shay Gueron (1, 2), and Vlad Krasnov (1)\n * (1) Intel Corporation, Israel Development Center, Haifa, Israel\n * (2) University of Haifa, Israel\n */\n\n#include \"rsaz_exp.h\"\n\n#if defined(RSAZ_ENABLED)\n\n#include \n\n#include \n\n#include \"internal.h\"\n#include \"../../internal.h\"\n\n\n// rsaz_one is 1 in RSAZ's representation.\nalignas(64) static const BN_ULONG rsaz_one[40] = {\n 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,\n 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};\n// rsaz_two80 is 2^80 in RSAZ's representation. Note RSAZ uses base 2^29, so this is\n// 2^(29*2 + 22) = 2^80, not 2^(64*2 + 22).\nalignas(64) static const BN_ULONG rsaz_two80[40] = {\n 0, 0, 1 << 22, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,\n 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};\n\nvoid RSAZ_1024_mod_exp_avx2(BN_ULONG result_norm[16],\n const BN_ULONG base_norm[16],\n const BN_ULONG exponent[16],\n const BN_ULONG m_norm[16], const BN_ULONG RR[16],\n BN_ULONG k0,\n BN_ULONG storage[MOD_EXP_CTIME_STORAGE_LEN]) {\n static_assert(MOD_EXP_CTIME_ALIGN % 64 == 0,\n \"MOD_EXP_CTIME_ALIGN is too small\");\n assert((uintptr_t)storage % 64 == 0);\n\n BN_ULONG *a_inv, *m, *result, *table_s = storage + 40 * 3, *R2 = table_s;\n // Note |R2| aliases |table_s|.\n if (((((uintptr_t)storage & 4095) + 320) >> 12) != 0) {\n result = storage;\n a_inv = storage + 40;\n m = storage + 40 * 2; // should not cross page\n } else {\n m = storage; // should not cross page\n result = storage + 40;\n a_inv = storage + 40 * 2;\n }\n\n rsaz_1024_norm2red_avx2(m, m_norm);\n rsaz_1024_norm2red_avx2(a_inv, base_norm);\n rsaz_1024_norm2red_avx2(R2, RR);\n\n // Convert |R2| from the usual radix, giving R = 2^1024, to RSAZ's radix,\n // giving R = 2^(36*29) = 2^1044.\n rsaz_1024_mul_avx2(R2, R2, R2, m, k0);\n // R2 = 2^2048 * 2^2048 / 2^1044 = 2^3052\n rsaz_1024_mul_avx2(R2, R2, rsaz_two80, m, k0);\n // R2 = 2^3052 * 2^80 / 2^1044 = 2^2088 = (2^1044)^2\n\n // table[0] = 1\n // table[1] = a_inv^1\n rsaz_1024_mul_avx2(result, R2, rsaz_one, m, k0);\n rsaz_1024_mul_avx2(a_inv, a_inv, R2, m, k0);\n rsaz_1024_scatter5_avx2(table_s, result, 0);\n rsaz_1024_scatter5_avx2(table_s, a_inv, 1);\n // table[2] = a_inv^2\n rsaz_1024_sqr_avx2(result, a_inv, m, k0, 1);\n rsaz_1024_scatter5_avx2(table_s, result, 2);\n // table[4] = a_inv^4\n rsaz_1024_sqr_avx2(result, result, m, k0, 1);\n rsaz_1024_scatter5_avx2(table_s, result, 4);\n // table[8] = a_inv^8\n rsaz_1024_sqr_avx2(result, result, m, k0, 1);\n rsaz_1024_scatter5_avx2(table_s, result, 8);\n // table[16] = a_inv^16\n rsaz_1024_sqr_avx2(result, result, m, k0, 1);\n rsaz_1024_scatter5_avx2(table_s, result, 16);\n for (int i = 3; i < 32; i += 2) {\n // table[i] = table[i-1] * a_inv = a_inv^i\n rsaz_1024_gather5_avx2(result, table_s, i - 1);\n rsaz_1024_mul_avx2(result, result, a_inv, m, k0);\n rsaz_1024_scatter5_avx2(table_s, result, i);\n for (int j = 2 * i; j < 32; j *= 2) {\n // table[j] = table[j/2]^2 = a_inv^j\n rsaz_1024_sqr_avx2(result, result, m, k0, 1);\n rsaz_1024_scatter5_avx2(table_s, result, j);\n }\n }\n\n // Load the first window.\n const uint8_t *p_str = (const uint8_t *)exponent;\n int wvalue = p_str[127] >> 3;\n rsaz_1024_gather5_avx2(result, table_s, wvalue);\n\n int index = 1014;\n while (index > -1) { // Loop for the remaining 127 windows.\n rsaz_1024_sqr_avx2(result, result, m, k0, 5);\n\n uint16_t wvalue_16;\n memcpy(&wvalue_16, &p_str[index / 8], sizeof(wvalue_16));\n wvalue = wvalue_16;\n wvalue = (wvalue >> (index % 8)) & 31;\n index -= 5;\n\n rsaz_1024_gather5_avx2(a_inv, table_s, wvalue); // Borrow |a_inv|.\n rsaz_1024_mul_avx2(result, result, a_inv, m, k0);\n }\n\n // Square four times.\n rsaz_1024_sqr_avx2(result, result, m, k0, 4);\n\n wvalue = p_str[0] & 15;\n\n rsaz_1024_gather5_avx2(a_inv, table_s, wvalue); // Borrow |a_inv|.\n rsaz_1024_mul_avx2(result, result, a_inv, m, k0);\n\n // Convert from Montgomery.\n rsaz_1024_mul_avx2(result, result, rsaz_one, m, k0);\n\n rsaz_1024_red2norm_avx2(result_norm, result);\n BN_ULONG scratch[16];\n bn_reduce_once_in_place(result_norm, /*carry=*/0, m_norm, scratch, 16);\n\n OPENSSL_cleanse(storage, MOD_EXP_CTIME_STORAGE_LEN * sizeof(BN_ULONG));\n}\n\n#endif // RSAZ_ENABLED\n" }, { "path": "Sources/CNIOBoringSSL/crypto/fipsmodule/bn/rsaz_exp.h", "content": "/*\n * Copyright 2013-2016 The OpenSSL Project Authors. All Rights Reserved.\n * Copyright (c) 2012, Intel Corporation. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n *\n * Originally written by Shay Gueron (1, 2), and Vlad Krasnov (1)\n * (1) Intel Corporation, Israel Development Center, Haifa, Israel\n * (2) University of Haifa, Israel\n */\n\n#ifndef OPENSSL_HEADER_BN_RSAZ_EXP_H\n#define OPENSSL_HEADER_BN_RSAZ_EXP_H\n\n#include \n\n#include \"internal.h\"\n#include \"../../internal.h\"\n\n#if defined(__cplusplus)\nextern \"C\" {\n#endif\n\n#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86_64)\n#define RSAZ_ENABLED\n\n\n// RSAZ_1024_mod_exp_avx2 sets |result| to |base_norm| raised to |exponent|\n// modulo |m_norm|. |base_norm| must be fully-reduced and |exponent| must have\n// the high bit set (it is 1024 bits wide). |RR| and |k0| must be |RR| and |n0|,\n// respectively, extracted from |m_norm|'s |BN_MONT_CTX|. |storage_words| is a\n// temporary buffer that must be aligned to |MOD_EXP_CTIME_ALIGN| bytes.\nvoid RSAZ_1024_mod_exp_avx2(BN_ULONG result[16], const BN_ULONG base_norm[16],\n const BN_ULONG exponent[16],\n const BN_ULONG m_norm[16], const BN_ULONG RR[16],\n BN_ULONG k0,\n BN_ULONG storage_words[MOD_EXP_CTIME_STORAGE_LEN]);\n\ninline int rsaz_avx2_capable(void) { return CRYPTO_is_AVX2_capable(); }\n\ninline int rsaz_avx2_preferred(void) {\n if (CRYPTO_is_BMI1_capable() && CRYPTO_is_BMI2_capable() &&\n CRYPTO_is_ADX_capable()) {\n // If BMI1, BMI2, and ADX are available, x86_64-mont5.pl is faster. See the\n // .Lmulx4x_enter and .Lpowerx5_enter branches.\n return 0;\n }\n return CRYPTO_is_AVX2_capable();\n}\n\n\n// Assembly functions.\n\n// RSAZ represents 1024-bit integers using unsaturated 29-bit limbs stored in\n// 64-bit integers. This requires 36 limbs but padded up to 40.\n//\n// See crypto/bn/asm/rsaz-avx2.pl for further details.\n\n// rsaz_1024_norm2red_avx2 converts |norm| from |BIGNUM| to RSAZ representation\n// and writes the result to |red|.\nvoid rsaz_1024_norm2red_avx2(BN_ULONG red[40], const BN_ULONG norm[16]);\n\n// rsaz_1024_mul_avx2 computes |a| * |b| mod |n| and writes the result to |ret|.\n// Inputs and outputs are in Montgomery form, using RSAZ's representation. |k|\n// is -|n|^-1 mod 2^64 or |n0| from |BN_MONT_CTX|.\nvoid rsaz_1024_mul_avx2(BN_ULONG ret[40], const BN_ULONG a[40],\n const BN_ULONG b[40], const BN_ULONG n[40], BN_ULONG k);\n\n// rsaz_1024_mul_avx2 computes |a|^(2*|count|) mod |n| and writes the result to\n// |ret|. Inputs and outputs are in Montgomery form, using RSAZ's\n// representation. |k| is -|n|^-1 mod 2^64 or |n0| from |BN_MONT_CTX|.\nvoid rsaz_1024_sqr_avx2(BN_ULONG ret[40], const BN_ULONG a[40],\n const BN_ULONG n[40], BN_ULONG k, int count);\n\n// rsaz_1024_scatter5_avx2 stores |val| at index |i| of |tbl|. |i| must be\n// positive and at most 31. It is treated as public. Note the table only uses 18\n// |BN_ULONG|s per entry instead of 40. It packs two 29-bit limbs into each\n// |BN_ULONG| and only stores 36 limbs rather than the padded 40.\nvoid rsaz_1024_scatter5_avx2(BN_ULONG tbl[32 * 18], const BN_ULONG val[40],\n int i);\n\n// rsaz_1024_gather5_avx2 loads index |i| of |tbl| and writes it to |val|. |i|\n// must be positive and at most 31. It is treated as secret. |tbl| must be\n// aligned to 32 bytes.\nvoid rsaz_1024_gather5_avx2(BN_ULONG val[40], const BN_ULONG tbl[32 * 18],\n int i);\n\n// rsaz_1024_red2norm_avx2 converts |red| from RSAZ to |BIGNUM| representation\n// and writes the result to |norm|. The result will be <= the modulus.\n//\n// WARNING: The result of this operation may not be fully reduced. |norm| may be\n// the modulus instead of zero. This function should be followed by a call to\n// |bn_reduce_once|.\nvoid rsaz_1024_red2norm_avx2(BN_ULONG norm[16], const BN_ULONG red[40]);\n\n\n#endif // !OPENSSL_NO_ASM && OPENSSL_X86_64\n\n#if defined(__cplusplus)\n} // extern \"C\"\n#endif\n\n#endif // OPENSSL_HEADER_BN_RSAZ_EXP_H\n" }, { "path": "Sources/CNIOBoringSSL/crypto/fipsmodule/bn/shift.cc.inc", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n#include \n\n#include \n\n#include \"internal.h\"\n\n\nint BN_lshift(BIGNUM *r, const BIGNUM *a, int n) {\n int i, nw, lb, rb;\n BN_ULONG *t, *f;\n BN_ULONG l;\n\n if (n < 0) {\n OPENSSL_PUT_ERROR(BN, BN_R_NEGATIVE_NUMBER);\n return 0;\n }\n\n r->neg = a->neg;\n nw = n / BN_BITS2;\n if (!bn_wexpand(r, a->width + nw + 1)) {\n return 0;\n }\n lb = n % BN_BITS2;\n rb = BN_BITS2 - lb;\n f = a->d;\n t = r->d;\n t[a->width + nw] = 0;\n if (lb == 0) {\n for (i = a->width - 1; i >= 0; i--) {\n t[nw + i] = f[i];\n }\n } else {\n for (i = a->width - 1; i >= 0; i--) {\n l = f[i];\n t[nw + i + 1] |= l >> rb;\n t[nw + i] = l << lb;\n }\n }\n OPENSSL_memset(t, 0, nw * sizeof(t[0]));\n r->width = a->width + nw + 1;\n bn_set_minimal_width(r);\n\n return 1;\n}\n\nint BN_lshift1(BIGNUM *r, const BIGNUM *a) {\n BN_ULONG *ap, *rp, t, c;\n int i;\n\n if (r != a) {\n r->neg = a->neg;\n if (!bn_wexpand(r, a->width + 1)) {\n return 0;\n }\n r->width = a->width;\n } else {\n if (!bn_wexpand(r, a->width + 1)) {\n return 0;\n }\n }\n ap = a->d;\n rp = r->d;\n c = 0;\n for (i = 0; i < a->width; i++) {\n t = *(ap++);\n *(rp++) = (t << 1) | c;\n c = t >> (BN_BITS2 - 1);\n }\n if (c) {\n *rp = 1;\n r->width++;\n }\n\n return 1;\n}\n\nvoid bn_rshift_words(BN_ULONG *r, const BN_ULONG *a, unsigned shift,\n size_t num) {\n unsigned shift_bits = shift % BN_BITS2;\n size_t shift_words = shift / BN_BITS2;\n if (shift_words >= num) {\n OPENSSL_memset(r, 0, num * sizeof(BN_ULONG));\n return;\n }\n if (shift_bits == 0) {\n OPENSSL_memmove(r, a + shift_words, (num - shift_words) * sizeof(BN_ULONG));\n } else {\n for (size_t i = shift_words; i < num - 1; i++) {\n r[i - shift_words] =\n (a[i] >> shift_bits) | (a[i + 1] << (BN_BITS2 - shift_bits));\n }\n r[num - 1 - shift_words] = a[num - 1] >> shift_bits;\n }\n OPENSSL_memset(r + num - shift_words, 0, shift_words * sizeof(BN_ULONG));\n}\n\nint BN_rshift(BIGNUM *r, const BIGNUM *a, int n) {\n if (n < 0) {\n OPENSSL_PUT_ERROR(BN, BN_R_NEGATIVE_NUMBER);\n return 0;\n }\n\n if (!bn_wexpand(r, a->width)) {\n return 0;\n }\n bn_rshift_words(r->d, a->d, n, a->width);\n r->neg = a->neg;\n r->width = a->width;\n bn_set_minimal_width(r);\n return 1;\n}\n\nint bn_rshift_secret_shift(BIGNUM *r, const BIGNUM *a, unsigned n,\n BN_CTX *ctx) {\n int ret = 0;\n BN_CTX_start(ctx);\n BIGNUM *tmp = BN_CTX_get(ctx);\n unsigned max_bits;\n if (tmp == NULL || !BN_copy(r, a) || !bn_wexpand(tmp, r->width)) {\n goto err;\n }\n\n // Shift conditionally by powers of two.\n max_bits = BN_BITS2 * r->width;\n for (unsigned i = 0; (max_bits >> i) != 0; i++) {\n BN_ULONG mask = (n >> i) & 1;\n mask = 0 - mask;\n bn_rshift_words(tmp->d, r->d, 1u << i, r->width);\n bn_select_words(r->d, mask, tmp->d /* apply shift */,\n r->d /* ignore shift */, r->width);\n }\n\n ret = 1;\n\nerr:\n BN_CTX_end(ctx);\n return ret;\n}\n\nvoid bn_rshift1_words(BN_ULONG *r, const BN_ULONG *a, size_t num) {\n if (num == 0) {\n return;\n }\n for (size_t i = 0; i < num - 1; i++) {\n r[i] = (a[i] >> 1) | (a[i + 1] << (BN_BITS2 - 1));\n }\n r[num - 1] = a[num - 1] >> 1;\n}\n\nint BN_rshift1(BIGNUM *r, const BIGNUM *a) {\n if (!bn_wexpand(r, a->width)) {\n return 0;\n }\n bn_rshift1_words(r->d, a->d, a->width);\n r->width = a->width;\n r->neg = a->neg;\n bn_set_minimal_width(r);\n return 1;\n}\n\nint BN_set_bit(BIGNUM *a, int n) {\n if (n < 0) {\n return 0;\n }\n\n int i = n / BN_BITS2;\n int j = n % BN_BITS2;\n if (a->width <= i) {\n if (!bn_wexpand(a, i + 1)) {\n return 0;\n }\n for (int k = a->width; k < i + 1; k++) {\n a->d[k] = 0;\n }\n a->width = i + 1;\n }\n\n a->d[i] |= (((BN_ULONG)1) << j);\n\n return 1;\n}\n\nint BN_clear_bit(BIGNUM *a, int n) {\n int i, j;\n\n if (n < 0) {\n return 0;\n }\n\n i = n / BN_BITS2;\n j = n % BN_BITS2;\n if (a->width <= i) {\n return 0;\n }\n\n a->d[i] &= (~(((BN_ULONG)1) << j));\n bn_set_minimal_width(a);\n return 1;\n}\n\nint bn_is_bit_set_words(const BN_ULONG *a, size_t num, size_t bit) {\n size_t i = bit / BN_BITS2;\n size_t j = bit % BN_BITS2;\n if (i >= num) {\n return 0;\n }\n return (a[i] >> j) & 1;\n}\n\nint BN_is_bit_set(const BIGNUM *a, int n) {\n if (n < 0) {\n return 0;\n }\n return bn_is_bit_set_words(a->d, a->width, n);\n}\n\nint BN_mask_bits(BIGNUM *a, int n) {\n if (n < 0) {\n return 0;\n }\n\n int w = n / BN_BITS2;\n int b = n % BN_BITS2;\n if (w >= a->width) {\n return 1;\n }\n if (b == 0) {\n a->width = w;\n } else {\n a->width = w + 1;\n a->d[w] &= ~(BN_MASK2 << b);\n }\n\n bn_set_minimal_width(a);\n return 1;\n}\n\nstatic int bn_count_low_zero_bits_word(BN_ULONG l) {\n static_assert(sizeof(BN_ULONG) <= sizeof(crypto_word_t),\n \"crypto_word_t is too small\");\n static_assert(sizeof(int) <= sizeof(crypto_word_t),\n \"crypto_word_t is too small\");\n static_assert(BN_BITS2 == sizeof(BN_ULONG) * 8, \"BN_ULONG has padding bits\");\n // C has very bizarre rules for types smaller than an int.\n static_assert(sizeof(BN_ULONG) >= sizeof(int),\n \"BN_ULONG gets promoted to int\");\n\n crypto_word_t mask;\n int bits = 0;\n\n#if BN_BITS2 > 32\n // Check if the lower half of |x| are all zero.\n mask = constant_time_is_zero_w(l << (BN_BITS2 - 32));\n // If the lower half is all zeros, it is included in the bit count and we\n // count the upper half. Otherwise, we count the lower half.\n bits += 32 & mask;\n l = constant_time_select_w(mask, l >> 32, l);\n#endif\n\n // The remaining blocks are analogous iterations at lower powers of two.\n mask = constant_time_is_zero_w(l << (BN_BITS2 - 16));\n bits += 16 & mask;\n l = constant_time_select_w(mask, l >> 16, l);\n\n mask = constant_time_is_zero_w(l << (BN_BITS2 - 8));\n bits += 8 & mask;\n l = constant_time_select_w(mask, l >> 8, l);\n\n mask = constant_time_is_zero_w(l << (BN_BITS2 - 4));\n bits += 4 & mask;\n l = constant_time_select_w(mask, l >> 4, l);\n\n mask = constant_time_is_zero_w(l << (BN_BITS2 - 2));\n bits += 2 & mask;\n l = constant_time_select_w(mask, l >> 2, l);\n\n mask = constant_time_is_zero_w(l << (BN_BITS2 - 1));\n bits += 1 & mask;\n\n return bits;\n}\n\nint BN_count_low_zero_bits(const BIGNUM *bn) {\n static_assert(sizeof(BN_ULONG) <= sizeof(crypto_word_t),\n \"crypto_word_t is too small\");\n static_assert(sizeof(int) <= sizeof(crypto_word_t),\n \"crypto_word_t is too small\");\n\n int ret = 0;\n crypto_word_t saw_nonzero = 0;\n for (int i = 0; i < bn->width; i++) {\n crypto_word_t nonzero = ~constant_time_is_zero_w(bn->d[i]);\n crypto_word_t first_nonzero = ~saw_nonzero & nonzero;\n saw_nonzero |= nonzero;\n\n int bits = bn_count_low_zero_bits_word(bn->d[i]);\n ret |= first_nonzero & (i * BN_BITS2 + bits);\n }\n\n // If got to the end of |bn| and saw no non-zero words, |bn| is zero. |ret|\n // will then remain zero.\n return ret;\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/fipsmodule/bn/sqrt.cc.inc", "content": "/*\n * Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n\n#include \"internal.h\"\n\n\nBIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx) {\n // Compute a square root of |a| mod |p| using the Tonelli/Shanks algorithm\n // (cf. Henri Cohen, \"A Course in Algebraic Computational Number Theory\",\n // algorithm 1.5.1). |p| is assumed to be a prime.\n\n BIGNUM *ret = in;\n int err = 1;\n int r;\n BIGNUM *A, *b, *q, *t, *x, *y;\n int e, i, j;\n\n if (!BN_is_odd(p) || BN_abs_is_word(p, 1)) {\n if (BN_abs_is_word(p, 2)) {\n if (ret == NULL) {\n ret = BN_new();\n }\n if (ret == NULL ||\n !BN_set_word(ret, BN_is_bit_set(a, 0))) {\n if (ret != in) {\n BN_free(ret);\n }\n return NULL;\n }\n return ret;\n }\n\n OPENSSL_PUT_ERROR(BN, BN_R_P_IS_NOT_PRIME);\n return NULL;\n }\n\n if (BN_is_zero(a) || BN_is_one(a)) {\n if (ret == NULL) {\n ret = BN_new();\n }\n if (ret == NULL ||\n !BN_set_word(ret, BN_is_one(a))) {\n if (ret != in) {\n BN_free(ret);\n }\n return NULL;\n }\n return ret;\n }\n\n BN_CTX_start(ctx);\n A = BN_CTX_get(ctx);\n b = BN_CTX_get(ctx);\n q = BN_CTX_get(ctx);\n t = BN_CTX_get(ctx);\n x = BN_CTX_get(ctx);\n y = BN_CTX_get(ctx);\n if (y == NULL) {\n goto end;\n }\n\n if (ret == NULL) {\n ret = BN_new();\n }\n if (ret == NULL) {\n goto end;\n }\n\n // A = a mod p\n if (!BN_nnmod(A, a, p, ctx)) {\n goto end;\n }\n\n // now write |p| - 1 as 2^e*q where q is odd\n e = 1;\n while (!BN_is_bit_set(p, e)) {\n e++;\n }\n // we'll set q later (if needed)\n\n if (e == 1) {\n // The easy case: (|p|-1)/2 is odd, so 2 has an inverse\n // modulo (|p|-1)/2, and square roots can be computed\n // directly by modular exponentiation.\n // We have\n // 2 * (|p|+1)/4 == 1 (mod (|p|-1)/2),\n // so we can use exponent (|p|+1)/4, i.e. (|p|-3)/4 + 1.\n if (!BN_rshift(q, p, 2)) {\n goto end;\n }\n q->neg = 0;\n if (!BN_add_word(q, 1) ||\n !BN_mod_exp_mont(ret, A, q, p, ctx, NULL)) {\n goto end;\n }\n err = 0;\n goto vrfy;\n }\n\n if (e == 2) {\n // |p| == 5 (mod 8)\n //\n // In this case 2 is always a non-square since\n // Legendre(2,p) = (-1)^((p^2-1)/8) for any odd prime.\n // So if a really is a square, then 2*a is a non-square.\n // Thus for\n // b := (2*a)^((|p|-5)/8),\n // i := (2*a)*b^2\n // we have\n // i^2 = (2*a)^((1 + (|p|-5)/4)*2)\n // = (2*a)^((p-1)/2)\n // = -1;\n // so if we set\n // x := a*b*(i-1),\n // then\n // x^2 = a^2 * b^2 * (i^2 - 2*i + 1)\n // = a^2 * b^2 * (-2*i)\n // = a*(-i)*(2*a*b^2)\n // = a*(-i)*i\n // = a.\n //\n // (This is due to A.O.L. Atkin,\n // ,\n // November 1992.)\n\n // t := 2*a\n if (!bn_mod_lshift1_consttime(t, A, p, ctx)) {\n goto end;\n }\n\n // b := (2*a)^((|p|-5)/8)\n if (!BN_rshift(q, p, 3)) {\n goto end;\n }\n q->neg = 0;\n if (!BN_mod_exp_mont(b, t, q, p, ctx, NULL)) {\n goto end;\n }\n\n // y := b^2\n if (!BN_mod_sqr(y, b, p, ctx)) {\n goto end;\n }\n\n // t := (2*a)*b^2 - 1\n if (!BN_mod_mul(t, t, y, p, ctx) ||\n !BN_sub_word(t, 1)) {\n goto end;\n }\n\n // x = a*b*t\n if (!BN_mod_mul(x, A, b, p, ctx) ||\n !BN_mod_mul(x, x, t, p, ctx)) {\n goto end;\n }\n\n if (!BN_copy(ret, x)) {\n goto end;\n }\n err = 0;\n goto vrfy;\n }\n\n // e > 2, so we really have to use the Tonelli/Shanks algorithm.\n // First, find some y that is not a square.\n if (!BN_copy(q, p)) {\n goto end; // use 'q' as temp\n }\n q->neg = 0;\n i = 2;\n do {\n // For efficiency, try small numbers first;\n // if this fails, try random numbers.\n if (i < 22) {\n if (!BN_set_word(y, i)) {\n goto end;\n }\n } else {\n if (!BN_pseudo_rand(y, BN_num_bits(p), 0, 0)) {\n goto end;\n }\n if (BN_ucmp(y, p) >= 0) {\n if (BN_usub(y, y, p)) {\n goto end;\n }\n }\n // now 0 <= y < |p|\n if (BN_is_zero(y)) {\n if (!BN_set_word(y, i)) {\n goto end;\n }\n }\n }\n\n r = bn_jacobi(y, q, ctx); // here 'q' is |p|\n if (r < -1) {\n goto end;\n }\n if (r == 0) {\n // m divides p\n OPENSSL_PUT_ERROR(BN, BN_R_P_IS_NOT_PRIME);\n goto end;\n }\n } while (r == 1 && ++i < 82);\n\n if (r != -1) {\n // Many rounds and still no non-square -- this is more likely\n // a bug than just bad luck.\n // Even if p is not prime, we should have found some y\n // such that r == -1.\n OPENSSL_PUT_ERROR(BN, BN_R_TOO_MANY_ITERATIONS);\n goto end;\n }\n\n // Here's our actual 'q':\n if (!BN_rshift(q, q, e)) {\n goto end;\n }\n\n // Now that we have some non-square, we can find an element\n // of order 2^e by computing its q'th power.\n if (!BN_mod_exp_mont(y, y, q, p, ctx, NULL)) {\n goto end;\n }\n if (BN_is_one(y)) {\n OPENSSL_PUT_ERROR(BN, BN_R_P_IS_NOT_PRIME);\n goto end;\n }\n\n // Now we know that (if p is indeed prime) there is an integer\n // k, 0 <= k < 2^e, such that\n //\n // a^q * y^k == 1 (mod p).\n //\n // As a^q is a square and y is not, k must be even.\n // q+1 is even, too, so there is an element\n //\n // X := a^((q+1)/2) * y^(k/2),\n //\n // and it satisfies\n //\n // X^2 = a^q * a * y^k\n // = a,\n //\n // so it is the square root that we are looking for.\n\n // t := (q-1)/2 (note that q is odd)\n if (!BN_rshift1(t, q)) {\n goto end;\n }\n\n // x := a^((q-1)/2)\n if (BN_is_zero(t)) { // special case: p = 2^e + 1\n if (!BN_nnmod(t, A, p, ctx)) {\n goto end;\n }\n if (BN_is_zero(t)) {\n // special case: a == 0 (mod p)\n BN_zero(ret);\n err = 0;\n goto end;\n } else if (!BN_one(x)) {\n goto end;\n }\n } else {\n if (!BN_mod_exp_mont(x, A, t, p, ctx, NULL)) {\n goto end;\n }\n if (BN_is_zero(x)) {\n // special case: a == 0 (mod p)\n BN_zero(ret);\n err = 0;\n goto end;\n }\n }\n\n // b := a*x^2 (= a^q)\n if (!BN_mod_sqr(b, x, p, ctx) ||\n !BN_mod_mul(b, b, A, p, ctx)) {\n goto end;\n }\n\n // x := a*x (= a^((q+1)/2))\n if (!BN_mod_mul(x, x, A, p, ctx)) {\n goto end;\n }\n\n while (1) {\n // Now b is a^q * y^k for some even k (0 <= k < 2^E\n // where E refers to the original value of e, which we\n // don't keep in a variable), and x is a^((q+1)/2) * y^(k/2).\n //\n // We have a*b = x^2,\n // y^2^(e-1) = -1,\n // b^2^(e-1) = 1.\n if (BN_is_one(b)) {\n if (!BN_copy(ret, x)) {\n goto end;\n }\n err = 0;\n goto vrfy;\n }\n\n // Find the smallest i, 0 < i < e, such that b^(2^i) = 1\n for (i = 1; i < e; i++) {\n if (i == 1) {\n if (!BN_mod_sqr(t, b, p, ctx)) {\n goto end;\n }\n } else {\n if (!BN_mod_mul(t, t, t, p, ctx)) {\n goto end;\n }\n }\n if (BN_is_one(t)) {\n break;\n }\n }\n // If not found, a is not a square or p is not a prime.\n if (i >= e) {\n OPENSSL_PUT_ERROR(BN, BN_R_NOT_A_SQUARE);\n goto end;\n }\n\n // t := y^2^(e - i - 1)\n if (!BN_copy(t, y)) {\n goto end;\n }\n for (j = e - i - 1; j > 0; j--) {\n if (!BN_mod_sqr(t, t, p, ctx)) {\n goto end;\n }\n }\n if (!BN_mod_mul(y, t, t, p, ctx) ||\n !BN_mod_mul(x, x, t, p, ctx) ||\n !BN_mod_mul(b, b, y, p, ctx)) {\n goto end;\n }\n\n // e decreases each iteration, so this loop will terminate.\n assert(i < e);\n e = i;\n }\n\nvrfy:\n if (!err) {\n // Verify the result. The input might have been not a square.\n if (!BN_mod_sqr(x, ret, p, ctx)) {\n err = 1;\n }\n\n if (!err && 0 != BN_cmp(x, A)) {\n OPENSSL_PUT_ERROR(BN, BN_R_NOT_A_SQUARE);\n err = 1;\n }\n }\n\nend:\n if (err) {\n if (ret != in) {\n BN_clear_free(ret);\n }\n ret = NULL;\n }\n BN_CTX_end(ctx);\n return ret;\n}\n\nint BN_sqrt(BIGNUM *out_sqrt, const BIGNUM *in, BN_CTX *ctx) {\n BIGNUM *estimate, *tmp, *delta, *last_delta, *tmp2;\n int ok = 0, last_delta_valid = 0;\n\n if (in->neg) {\n OPENSSL_PUT_ERROR(BN, BN_R_NEGATIVE_NUMBER);\n return 0;\n }\n if (BN_is_zero(in)) {\n BN_zero(out_sqrt);\n return 1;\n }\n\n BN_CTX_start(ctx);\n if (out_sqrt == in) {\n estimate = BN_CTX_get(ctx);\n } else {\n estimate = out_sqrt;\n }\n tmp = BN_CTX_get(ctx);\n last_delta = BN_CTX_get(ctx);\n delta = BN_CTX_get(ctx);\n if (estimate == NULL || tmp == NULL || last_delta == NULL || delta == NULL) {\n goto err;\n }\n\n // We estimate that the square root of an n-bit number is 2^{n/2}.\n if (!BN_lshift(estimate, BN_value_one(), BN_num_bits(in)/2)) {\n goto err;\n }\n\n // This is Newton's method for finding a root of the equation |estimate|^2 -\n // |in| = 0.\n for (;;) {\n // |estimate| = 1/2 * (|estimate| + |in|/|estimate|)\n if (!BN_div(tmp, NULL, in, estimate, ctx) ||\n !BN_add(tmp, tmp, estimate) ||\n !BN_rshift1(estimate, tmp) ||\n // |tmp| = |estimate|^2\n !BN_sqr(tmp, estimate, ctx) ||\n // |delta| = |in| - |tmp|\n !BN_sub(delta, in, tmp)) {\n OPENSSL_PUT_ERROR(BN, ERR_R_BN_LIB);\n goto err;\n }\n\n delta->neg = 0;\n // The difference between |in| and |estimate| squared is required to always\n // decrease. This ensures that the loop always terminates, but I don't have\n // a proof that it always finds the square root for a given square.\n if (last_delta_valid && BN_cmp(delta, last_delta) >= 0) {\n break;\n }\n\n last_delta_valid = 1;\n\n tmp2 = last_delta;\n last_delta = delta;\n delta = tmp2;\n }\n\n if (BN_cmp(tmp, in) != 0) {\n OPENSSL_PUT_ERROR(BN, BN_R_NOT_A_SQUARE);\n goto err;\n }\n\n ok = 1;\n\nerr:\n if (ok && out_sqrt == in && !BN_copy(out_sqrt, estimate)) {\n ok = 0;\n }\n BN_CTX_end(ctx);\n return ok;\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/fipsmodule/cipher/aead.cc.inc", "content": "/* Copyright 2014 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n#include \n\n#include \n#include \n\n#include \n#include \n#include \n\n#include \"../../internal.h\"\n#include \"internal.h\"\n\n\nsize_t EVP_AEAD_key_length(const EVP_AEAD *aead) { return aead->key_len; }\n\nsize_t EVP_AEAD_nonce_length(const EVP_AEAD *aead) { return aead->nonce_len; }\n\nsize_t EVP_AEAD_max_overhead(const EVP_AEAD *aead) { return aead->overhead; }\n\nsize_t EVP_AEAD_max_tag_len(const EVP_AEAD *aead) { return aead->max_tag_len; }\n\nvoid EVP_AEAD_CTX_zero(EVP_AEAD_CTX *ctx) {\n OPENSSL_memset(ctx, 0, sizeof(EVP_AEAD_CTX));\n}\n\nEVP_AEAD_CTX *EVP_AEAD_CTX_new(const EVP_AEAD *aead, const uint8_t *key,\n size_t key_len, size_t tag_len) {\n EVP_AEAD_CTX *ctx =\n reinterpret_cast(OPENSSL_malloc(sizeof(EVP_AEAD_CTX)));\n if (!ctx) {\n return NULL;\n }\n EVP_AEAD_CTX_zero(ctx);\n\n if (EVP_AEAD_CTX_init(ctx, aead, key, key_len, tag_len, NULL)) {\n return ctx;\n }\n\n EVP_AEAD_CTX_free(ctx);\n return NULL;\n}\n\nvoid EVP_AEAD_CTX_free(EVP_AEAD_CTX *ctx) {\n if (ctx == NULL) {\n return;\n }\n EVP_AEAD_CTX_cleanup(ctx);\n OPENSSL_free(ctx);\n}\n\nint EVP_AEAD_CTX_init(EVP_AEAD_CTX *ctx, const EVP_AEAD *aead,\n const uint8_t *key, size_t key_len, size_t tag_len,\n ENGINE *impl) {\n if (!aead->init) {\n OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_NO_DIRECTION_SET);\n ctx->aead = NULL;\n return 0;\n }\n return EVP_AEAD_CTX_init_with_direction(ctx, aead, key, key_len, tag_len,\n evp_aead_open);\n}\n\nint EVP_AEAD_CTX_init_with_direction(EVP_AEAD_CTX *ctx, const EVP_AEAD *aead,\n const uint8_t *key, size_t key_len,\n size_t tag_len,\n enum evp_aead_direction_t dir) {\n if (key_len != aead->key_len) {\n OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_KEY_SIZE);\n ctx->aead = NULL;\n return 0;\n }\n\n ctx->aead = aead;\n\n int ok;\n if (aead->init) {\n ok = aead->init(ctx, key, key_len, tag_len);\n } else {\n ok = aead->init_with_direction(ctx, key, key_len, tag_len, dir);\n }\n\n if (!ok) {\n ctx->aead = NULL;\n }\n\n return ok;\n}\n\nvoid EVP_AEAD_CTX_cleanup(EVP_AEAD_CTX *ctx) {\n if (ctx->aead == NULL) {\n return;\n }\n ctx->aead->cleanup(ctx);\n ctx->aead = NULL;\n}\n\n// check_alias returns 1 if |out| is compatible with |in| and 0 otherwise. If\n// |in| and |out| alias, we require that |in| == |out|.\nstatic int check_alias(const uint8_t *in, size_t in_len, const uint8_t *out,\n size_t out_len) {\n if (!buffers_alias(in, in_len, out, out_len)) {\n return 1;\n }\n\n return in == out;\n}\n\nint EVP_AEAD_CTX_seal(const EVP_AEAD_CTX *ctx, uint8_t *out, size_t *out_len,\n size_t max_out_len, const uint8_t *nonce,\n size_t nonce_len, const uint8_t *in, size_t in_len,\n const uint8_t *ad, size_t ad_len) {\n if (in_len + ctx->aead->overhead < in_len /* overflow */) {\n OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE);\n goto error;\n }\n\n if (max_out_len < in_len) {\n OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL);\n goto error;\n }\n\n if (!check_alias(in, in_len, out, max_out_len)) {\n OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_OUTPUT_ALIASES_INPUT);\n goto error;\n }\n\n size_t out_tag_len;\n if (ctx->aead->seal_scatter(ctx, out, out + in_len, &out_tag_len,\n max_out_len - in_len, nonce, nonce_len, in,\n in_len, NULL, 0, ad, ad_len)) {\n *out_len = in_len + out_tag_len;\n return 1;\n }\n\nerror:\n // In the event of an error, clear the output buffer so that a caller\n // that doesn't check the return value doesn't send raw data.\n OPENSSL_memset(out, 0, max_out_len);\n *out_len = 0;\n return 0;\n}\n\nint EVP_AEAD_CTX_seal_scatter(const EVP_AEAD_CTX *ctx, uint8_t *out,\n uint8_t *out_tag, size_t *out_tag_len,\n size_t max_out_tag_len, const uint8_t *nonce,\n size_t nonce_len, const uint8_t *in,\n size_t in_len, const uint8_t *extra_in,\n size_t extra_in_len, const uint8_t *ad,\n size_t ad_len) {\n // |in| and |out| may alias exactly, |out_tag| may not alias.\n if (!check_alias(in, in_len, out, in_len) ||\n buffers_alias(out, in_len, out_tag, max_out_tag_len) ||\n buffers_alias(in, in_len, out_tag, max_out_tag_len)) {\n OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_OUTPUT_ALIASES_INPUT);\n goto error;\n }\n\n if (!ctx->aead->seal_scatter_supports_extra_in && extra_in_len) {\n OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_OPERATION);\n goto error;\n }\n\n if (ctx->aead->seal_scatter(ctx, out, out_tag, out_tag_len, max_out_tag_len,\n nonce, nonce_len, in, in_len, extra_in,\n extra_in_len, ad, ad_len)) {\n return 1;\n }\n\nerror:\n // In the event of an error, clear the output buffer so that a caller\n // that doesn't check the return value doesn't send raw data.\n OPENSSL_memset(out, 0, in_len);\n OPENSSL_memset(out_tag, 0, max_out_tag_len);\n *out_tag_len = 0;\n return 0;\n}\n\nint EVP_AEAD_CTX_open(const EVP_AEAD_CTX *ctx, uint8_t *out, size_t *out_len,\n size_t max_out_len, const uint8_t *nonce,\n size_t nonce_len, const uint8_t *in, size_t in_len,\n const uint8_t *ad, size_t ad_len) {\n size_t plaintext_len;\n if (!check_alias(in, in_len, out, max_out_len)) {\n OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_OUTPUT_ALIASES_INPUT);\n goto error;\n }\n\n if (ctx->aead->open) {\n if (!ctx->aead->open(ctx, out, out_len, max_out_len, nonce, nonce_len, in,\n in_len, ad, ad_len)) {\n goto error;\n }\n return 1;\n }\n\n // AEADs that use the default implementation of open() must set |tag_len| at\n // initialization time.\n assert(ctx->tag_len);\n\n if (in_len < ctx->tag_len) {\n OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT);\n goto error;\n }\n\n plaintext_len = in_len - ctx->tag_len;\n if (max_out_len < plaintext_len) {\n OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL);\n goto error;\n }\n if (EVP_AEAD_CTX_open_gather(ctx, out, nonce, nonce_len, in, plaintext_len,\n in + plaintext_len, ctx->tag_len, ad, ad_len)) {\n *out_len = plaintext_len;\n return 1;\n }\n\nerror:\n // In the event of an error, clear the output buffer so that a caller\n // that doesn't check the return value doesn't try and process bad\n // data.\n OPENSSL_memset(out, 0, max_out_len);\n *out_len = 0;\n return 0;\n}\n\nint EVP_AEAD_CTX_open_gather(const EVP_AEAD_CTX *ctx, uint8_t *out,\n const uint8_t *nonce, size_t nonce_len,\n const uint8_t *in, size_t in_len,\n const uint8_t *in_tag, size_t in_tag_len,\n const uint8_t *ad, size_t ad_len) {\n if (!check_alias(in, in_len, out, in_len)) {\n OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_OUTPUT_ALIASES_INPUT);\n goto error;\n }\n\n if (!ctx->aead->open_gather) {\n OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_CTRL_NOT_IMPLEMENTED);\n goto error;\n }\n\n if (ctx->aead->open_gather(ctx, out, nonce, nonce_len, in, in_len, in_tag,\n in_tag_len, ad, ad_len)) {\n return 1;\n }\n\nerror:\n // In the event of an error, clear the output buffer so that a caller\n // that doesn't check the return value doesn't try and process bad\n // data.\n OPENSSL_memset(out, 0, in_len);\n return 0;\n}\n\nconst EVP_AEAD *EVP_AEAD_CTX_aead(const EVP_AEAD_CTX *ctx) { return ctx->aead; }\n\nint EVP_AEAD_CTX_get_iv(const EVP_AEAD_CTX *ctx, const uint8_t **out_iv,\n size_t *out_len) {\n if (ctx->aead->get_iv == NULL) {\n OPENSSL_PUT_ERROR(CIPHER, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);\n return 0;\n }\n\n return ctx->aead->get_iv(ctx, out_iv, out_len);\n}\n\nint EVP_AEAD_CTX_tag_len(const EVP_AEAD_CTX *ctx, size_t *out_tag_len,\n const size_t in_len, const size_t extra_in_len) {\n assert(ctx->aead->seal_scatter_supports_extra_in || !extra_in_len);\n\n if (ctx->aead->tag_len) {\n *out_tag_len = ctx->aead->tag_len(ctx, in_len, extra_in_len);\n return 1;\n }\n\n if (extra_in_len + ctx->tag_len < extra_in_len) {\n OPENSSL_PUT_ERROR(CIPHER, ERR_R_OVERFLOW);\n *out_tag_len = 0;\n return 0;\n }\n *out_tag_len = extra_in_len + ctx->tag_len;\n return 1;\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/fipsmodule/cipher/cipher.cc.inc", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n#include \n#include \n\n#include \n#include \n#include \n\n#include \"../../internal.h\"\n#include \"../service_indicator/internal.h\"\n#include \"internal.h\"\n\n\nvoid EVP_CIPHER_CTX_init(EVP_CIPHER_CTX *ctx) {\n OPENSSL_memset(ctx, 0, sizeof(EVP_CIPHER_CTX));\n}\n\nEVP_CIPHER_CTX *EVP_CIPHER_CTX_new(void) {\n EVP_CIPHER_CTX *ctx = reinterpret_cast(\n OPENSSL_malloc(sizeof(EVP_CIPHER_CTX)));\n if (ctx) {\n EVP_CIPHER_CTX_init(ctx);\n }\n return ctx;\n}\n\nint EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CTX *c) {\n if (c->cipher != NULL && c->cipher->cleanup) {\n c->cipher->cleanup(c);\n }\n OPENSSL_free(c->cipher_data);\n\n OPENSSL_memset(c, 0, sizeof(EVP_CIPHER_CTX));\n return 1;\n}\n\nvoid EVP_CIPHER_CTX_free(EVP_CIPHER_CTX *ctx) {\n if (ctx) {\n EVP_CIPHER_CTX_cleanup(ctx);\n OPENSSL_free(ctx);\n }\n}\n\nint EVP_CIPHER_CTX_copy(EVP_CIPHER_CTX *out, const EVP_CIPHER_CTX *in) {\n if (in == NULL || in->cipher == NULL) {\n OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INPUT_NOT_INITIALIZED);\n return 0;\n }\n\n if (in->poisoned) {\n OPENSSL_PUT_ERROR(CIPHER, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);\n return 0;\n }\n\n EVP_CIPHER_CTX_cleanup(out);\n OPENSSL_memcpy(out, in, sizeof(EVP_CIPHER_CTX));\n\n if (in->cipher_data && in->cipher->ctx_size) {\n out->cipher_data = OPENSSL_memdup(in->cipher_data, in->cipher->ctx_size);\n if (!out->cipher_data) {\n out->cipher = NULL;\n return 0;\n }\n }\n\n if (in->cipher->flags & EVP_CIPH_CUSTOM_COPY) {\n if (!in->cipher->ctrl((EVP_CIPHER_CTX *)in, EVP_CTRL_COPY, 0, out)) {\n out->cipher = NULL;\n return 0;\n }\n }\n\n return 1;\n}\n\nint EVP_CIPHER_CTX_reset(EVP_CIPHER_CTX *ctx) {\n EVP_CIPHER_CTX_cleanup(ctx);\n EVP_CIPHER_CTX_init(ctx);\n return 1;\n}\n\nint EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,\n ENGINE *engine, const uint8_t *key, const uint8_t *iv,\n int enc) {\n if (enc == -1) {\n enc = ctx->encrypt;\n } else {\n if (enc) {\n enc = 1;\n }\n ctx->encrypt = enc;\n }\n\n if (cipher) {\n // Ensure a context left from last time is cleared (the previous check\n // attempted to avoid this if the same ENGINE and EVP_CIPHER could be\n // used).\n if (ctx->cipher) {\n EVP_CIPHER_CTX_cleanup(ctx);\n // Restore encrypt and flags\n ctx->encrypt = enc;\n }\n\n ctx->cipher = cipher;\n if (ctx->cipher->ctx_size) {\n ctx->cipher_data = OPENSSL_malloc(ctx->cipher->ctx_size);\n if (!ctx->cipher_data) {\n ctx->cipher = NULL;\n return 0;\n }\n } else {\n ctx->cipher_data = NULL;\n }\n\n ctx->key_len = cipher->key_len;\n ctx->flags = 0;\n\n if (ctx->cipher->flags & EVP_CIPH_CTRL_INIT) {\n if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_INIT, 0, NULL)) {\n ctx->cipher = NULL;\n OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INITIALIZATION_ERROR);\n return 0;\n }\n }\n } else if (!ctx->cipher) {\n OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_NO_CIPHER_SET);\n return 0;\n }\n\n // we assume block size is a power of 2 in *cryptUpdate\n assert(ctx->cipher->block_size == 1 || ctx->cipher->block_size == 8 ||\n ctx->cipher->block_size == 16);\n\n if (!(EVP_CIPHER_CTX_flags(ctx) & EVP_CIPH_CUSTOM_IV)) {\n switch (EVP_CIPHER_CTX_mode(ctx)) {\n case EVP_CIPH_STREAM_CIPHER:\n case EVP_CIPH_ECB_MODE:\n break;\n\n case EVP_CIPH_CFB_MODE:\n ctx->num = 0;\n [[fallthrough]];\n\n case EVP_CIPH_CBC_MODE:\n assert(EVP_CIPHER_CTX_iv_length(ctx) <= sizeof(ctx->iv));\n if (iv) {\n OPENSSL_memcpy(ctx->oiv, iv, EVP_CIPHER_CTX_iv_length(ctx));\n }\n OPENSSL_memcpy(ctx->iv, ctx->oiv, EVP_CIPHER_CTX_iv_length(ctx));\n break;\n\n case EVP_CIPH_CTR_MODE:\n case EVP_CIPH_OFB_MODE:\n ctx->num = 0;\n // Don't reuse IV for CTR mode\n if (iv) {\n OPENSSL_memcpy(ctx->iv, iv, EVP_CIPHER_CTX_iv_length(ctx));\n }\n break;\n\n default:\n return 0;\n }\n }\n\n if (key || (ctx->cipher->flags & EVP_CIPH_ALWAYS_CALL_INIT)) {\n if (!ctx->cipher->init(ctx, key, iv, enc)) {\n return 0;\n }\n }\n\n ctx->buf_len = 0;\n ctx->final_used = 0;\n // Clear the poisoned flag to permit re-use of a CTX that previously had a\n // failed operation.\n ctx->poisoned = 0;\n return 1;\n}\n\nint EVP_EncryptInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,\n ENGINE *impl, const uint8_t *key, const uint8_t *iv) {\n return EVP_CipherInit_ex(ctx, cipher, impl, key, iv, 1);\n}\n\nint EVP_DecryptInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,\n ENGINE *impl, const uint8_t *key, const uint8_t *iv) {\n return EVP_CipherInit_ex(ctx, cipher, impl, key, iv, 0);\n}\n\n// block_remainder returns the number of bytes to remove from |len| to get a\n// multiple of |ctx|'s block size.\nstatic int block_remainder(const EVP_CIPHER_CTX *ctx, int len) {\n // |block_size| must be a power of two.\n assert(ctx->cipher->block_size != 0);\n assert((ctx->cipher->block_size & (ctx->cipher->block_size - 1)) == 0);\n return len & (ctx->cipher->block_size - 1);\n}\n\nint EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, uint8_t *out, int *out_len,\n const uint8_t *in, int in_len) {\n if (ctx->poisoned) {\n OPENSSL_PUT_ERROR(CIPHER, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);\n return 0;\n }\n // If the first call to |cipher| succeeds and the second fails, |ctx| may be\n // left in an indeterminate state. We set a poison flag on failure to ensure\n // callers do not continue to use the object in that case.\n ctx->poisoned = 1;\n\n // Ciphers that use blocks may write up to |bl| extra bytes. Ensure the output\n // does not overflow |*out_len|.\n int bl = ctx->cipher->block_size;\n if (bl > 1 && in_len > INT_MAX - bl) {\n OPENSSL_PUT_ERROR(CIPHER, ERR_R_OVERFLOW);\n return 0;\n }\n\n if (ctx->cipher->flags & EVP_CIPH_FLAG_CUSTOM_CIPHER) {\n int ret = ctx->cipher->cipher(ctx, out, in, in_len);\n if (ret < 0) {\n return 0;\n } else {\n *out_len = ret;\n }\n ctx->poisoned = 0;\n return 1;\n }\n\n if (in_len <= 0) {\n *out_len = 0;\n if (in_len == 0) {\n ctx->poisoned = 0;\n return 1;\n }\n return 0;\n }\n\n if (ctx->buf_len == 0 && block_remainder(ctx, in_len) == 0) {\n if (ctx->cipher->cipher(ctx, out, in, in_len)) {\n *out_len = in_len;\n ctx->poisoned = 0;\n return 1;\n } else {\n *out_len = 0;\n return 0;\n }\n }\n\n int i = ctx->buf_len;\n assert(bl <= (int)sizeof(ctx->buf));\n if (i != 0) {\n if (bl - i > in_len) {\n OPENSSL_memcpy(&ctx->buf[i], in, in_len);\n ctx->buf_len += in_len;\n *out_len = 0;\n ctx->poisoned = 0;\n return 1;\n } else {\n int j = bl - i;\n OPENSSL_memcpy(&ctx->buf[i], in, j);\n if (!ctx->cipher->cipher(ctx, out, ctx->buf, bl)) {\n return 0;\n }\n in_len -= j;\n in += j;\n out += bl;\n *out_len = bl;\n }\n } else {\n *out_len = 0;\n }\n\n i = block_remainder(ctx, in_len);\n in_len -= i;\n if (in_len > 0) {\n if (!ctx->cipher->cipher(ctx, out, in, in_len)) {\n return 0;\n }\n *out_len += in_len;\n }\n\n if (i != 0) {\n OPENSSL_memcpy(ctx->buf, &in[in_len], i);\n }\n ctx->buf_len = i;\n ctx->poisoned = 0;\n return 1;\n}\n\nint EVP_EncryptFinal_ex(EVP_CIPHER_CTX *ctx, uint8_t *out, int *out_len) {\n int n;\n unsigned int i, b, bl;\n\n if (ctx->poisoned) {\n OPENSSL_PUT_ERROR(CIPHER, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);\n return 0;\n }\n\n if (ctx->cipher->flags & EVP_CIPH_FLAG_CUSTOM_CIPHER) {\n // When EVP_CIPH_FLAG_CUSTOM_CIPHER is set, the return value of |cipher| is\n // the number of bytes written, or -1 on error. Otherwise the return value\n // is one on success and zero on error.\n const int num_bytes = ctx->cipher->cipher(ctx, out, NULL, 0);\n if (num_bytes < 0) {\n return 0;\n }\n *out_len = num_bytes;\n goto out;\n }\n\n b = ctx->cipher->block_size;\n assert(b <= sizeof(ctx->buf));\n if (b == 1) {\n *out_len = 0;\n goto out;\n }\n\n bl = ctx->buf_len;\n if (ctx->flags & EVP_CIPH_NO_PADDING) {\n if (bl) {\n OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH);\n return 0;\n }\n *out_len = 0;\n goto out;\n }\n\n n = b - bl;\n for (i = bl; i < b; i++) {\n ctx->buf[i] = n;\n }\n if (!ctx->cipher->cipher(ctx, out, ctx->buf, b)) {\n return 0;\n }\n *out_len = b;\n\nout:\n EVP_Cipher_verify_service_indicator(ctx);\n return 1;\n}\n\nint EVP_DecryptUpdate(EVP_CIPHER_CTX *ctx, uint8_t *out, int *out_len,\n const uint8_t *in, int in_len) {\n if (ctx->poisoned) {\n OPENSSL_PUT_ERROR(CIPHER, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);\n return 0;\n }\n\n // Ciphers that use blocks may write up to |bl| extra bytes. Ensure the output\n // does not overflow |*out_len|.\n unsigned int b = ctx->cipher->block_size;\n if (b > 1 && in_len > INT_MAX - (int)b) {\n OPENSSL_PUT_ERROR(CIPHER, ERR_R_OVERFLOW);\n return 0;\n }\n\n if (ctx->cipher->flags & EVP_CIPH_FLAG_CUSTOM_CIPHER) {\n int r = ctx->cipher->cipher(ctx, out, in, in_len);\n if (r < 0) {\n *out_len = 0;\n return 0;\n } else {\n *out_len = r;\n }\n return 1;\n }\n\n if (in_len <= 0) {\n *out_len = 0;\n return in_len == 0;\n }\n\n if (ctx->flags & EVP_CIPH_NO_PADDING) {\n return EVP_EncryptUpdate(ctx, out, out_len, in, in_len);\n }\n\n assert(b <= sizeof(ctx->final));\n int fix_len = 0;\n if (ctx->final_used) {\n OPENSSL_memcpy(out, ctx->final, b);\n out += b;\n fix_len = 1;\n }\n\n if (!EVP_EncryptUpdate(ctx, out, out_len, in, in_len)) {\n return 0;\n }\n\n // if we have 'decrypted' a multiple of block size, make sure\n // we have a copy of this last block\n if (b > 1 && !ctx->buf_len) {\n *out_len -= b;\n ctx->final_used = 1;\n OPENSSL_memcpy(ctx->final, &out[*out_len], b);\n } else {\n ctx->final_used = 0;\n }\n\n if (fix_len) {\n *out_len += b;\n }\n\n return 1;\n}\n\nint EVP_DecryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, int *out_len) {\n int i, n;\n unsigned int b;\n *out_len = 0;\n\n if (ctx->poisoned) {\n OPENSSL_PUT_ERROR(CIPHER, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);\n return 0;\n }\n\n if (ctx->cipher->flags & EVP_CIPH_FLAG_CUSTOM_CIPHER) {\n i = ctx->cipher->cipher(ctx, out, NULL, 0);\n if (i < 0) {\n return 0;\n } else {\n *out_len = i;\n }\n goto out;\n }\n\n b = ctx->cipher->block_size;\n if (ctx->flags & EVP_CIPH_NO_PADDING) {\n if (ctx->buf_len) {\n OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH);\n return 0;\n }\n *out_len = 0;\n goto out;\n }\n\n if (b > 1) {\n if (ctx->buf_len || !ctx->final_used) {\n OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_WRONG_FINAL_BLOCK_LENGTH);\n return 0;\n }\n assert(b <= sizeof(ctx->final));\n\n // The following assumes that the ciphertext has been authenticated.\n // Otherwise it provides a padding oracle.\n n = ctx->final[b - 1];\n if (n == 0 || n > (int)b) {\n OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT);\n return 0;\n }\n\n for (i = 0; i < n; i++) {\n if (ctx->final[--b] != n) {\n OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT);\n return 0;\n }\n }\n\n n = ctx->cipher->block_size - n;\n for (i = 0; i < n; i++) {\n out[i] = ctx->final[i];\n }\n *out_len = n;\n } else {\n *out_len = 0;\n }\n\nout:\n EVP_Cipher_verify_service_indicator(ctx);\n return 1;\n}\n\nint EVP_Cipher(EVP_CIPHER_CTX *ctx, uint8_t *out, const uint8_t *in,\n size_t in_len) {\n const int ret = ctx->cipher->cipher(ctx, out, in, in_len);\n\n // |EVP_CIPH_FLAG_CUSTOM_CIPHER| never sets the FIPS indicator via\n // |EVP_Cipher| because it's complicated whether the operation has completed\n // or not. E.g. AES-GCM with a non-NULL |in| argument hasn't completed an\n // operation. Callers should use the |EVP_AEAD| API or, at least,\n // |EVP_CipherUpdate| etc.\n //\n // This call can't be pushed into |EVP_Cipher_verify_service_indicator|\n // because whether |ret| indicates success or not depends on whether\n // |EVP_CIPH_FLAG_CUSTOM_CIPHER| is set. (This unreasonable, but matches\n // OpenSSL.)\n if (!(ctx->cipher->flags & EVP_CIPH_FLAG_CUSTOM_CIPHER) && ret) {\n EVP_Cipher_verify_service_indicator(ctx);\n }\n\n return ret;\n}\n\nint EVP_CipherUpdate(EVP_CIPHER_CTX *ctx, uint8_t *out, int *out_len,\n const uint8_t *in, int in_len) {\n if (ctx->encrypt) {\n return EVP_EncryptUpdate(ctx, out, out_len, in, in_len);\n } else {\n return EVP_DecryptUpdate(ctx, out, out_len, in, in_len);\n }\n}\n\nint EVP_CipherFinal_ex(EVP_CIPHER_CTX *ctx, uint8_t *out, int *out_len) {\n if (ctx->encrypt) {\n return EVP_EncryptFinal_ex(ctx, out, out_len);\n } else {\n return EVP_DecryptFinal_ex(ctx, out, out_len);\n }\n}\n\nconst EVP_CIPHER *EVP_CIPHER_CTX_cipher(const EVP_CIPHER_CTX *ctx) {\n return ctx->cipher;\n}\n\nint EVP_CIPHER_CTX_nid(const EVP_CIPHER_CTX *ctx) { return ctx->cipher->nid; }\n\nint EVP_CIPHER_CTX_encrypting(const EVP_CIPHER_CTX *ctx) {\n return ctx->encrypt;\n}\n\nunsigned EVP_CIPHER_CTX_block_size(const EVP_CIPHER_CTX *ctx) {\n return ctx->cipher->block_size;\n}\n\nunsigned EVP_CIPHER_CTX_key_length(const EVP_CIPHER_CTX *ctx) {\n return ctx->key_len;\n}\n\nunsigned EVP_CIPHER_CTX_iv_length(const EVP_CIPHER_CTX *ctx) {\n if (EVP_CIPHER_mode(ctx->cipher) == EVP_CIPH_GCM_MODE) {\n int length;\n int res = EVP_CIPHER_CTX_ctrl((EVP_CIPHER_CTX *)ctx, EVP_CTRL_GET_IVLEN, 0,\n &length);\n // EVP_CIPHER_CTX_ctrl returning an error should be impossible under this\n // circumstance. If it somehow did, fallback to the static cipher iv_len.\n if (res == 1) {\n return length;\n }\n }\n return ctx->cipher->iv_len;\n}\n\nvoid *EVP_CIPHER_CTX_get_app_data(const EVP_CIPHER_CTX *ctx) {\n return ctx->app_data;\n}\n\nvoid EVP_CIPHER_CTX_set_app_data(EVP_CIPHER_CTX *ctx, void *data) {\n ctx->app_data = data;\n}\n\nuint32_t EVP_CIPHER_CTX_flags(const EVP_CIPHER_CTX *ctx) {\n return ctx->cipher->flags & ~EVP_CIPH_MODE_MASK;\n}\n\nuint32_t EVP_CIPHER_CTX_mode(const EVP_CIPHER_CTX *ctx) {\n return ctx->cipher->flags & EVP_CIPH_MODE_MASK;\n}\n\nint EVP_CIPHER_CTX_ctrl(EVP_CIPHER_CTX *ctx, int command, int arg, void *ptr) {\n int ret;\n if (!ctx->cipher) {\n OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_NO_CIPHER_SET);\n return 0;\n }\n\n if (!ctx->cipher->ctrl) {\n OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_CTRL_NOT_IMPLEMENTED);\n return 0;\n }\n\n ret = ctx->cipher->ctrl(ctx, command, arg, ptr);\n if (ret == -1) {\n OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_CTRL_OPERATION_NOT_IMPLEMENTED);\n return 0;\n }\n\n return ret;\n}\n\nint EVP_CIPHER_CTX_set_padding(EVP_CIPHER_CTX *ctx, int pad) {\n if (pad) {\n ctx->flags &= ~EVP_CIPH_NO_PADDING;\n } else {\n ctx->flags |= EVP_CIPH_NO_PADDING;\n }\n return 1;\n}\n\nint EVP_CIPHER_CTX_set_key_length(EVP_CIPHER_CTX *c, unsigned key_len) {\n if (c->key_len == key_len) {\n return 1;\n }\n\n if (key_len == 0 || !(c->cipher->flags & EVP_CIPH_VARIABLE_LENGTH)) {\n OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_KEY_LENGTH);\n return 0;\n }\n\n c->key_len = key_len;\n return 1;\n}\n\nint EVP_CIPHER_nid(const EVP_CIPHER *cipher) { return cipher->nid; }\n\nunsigned EVP_CIPHER_block_size(const EVP_CIPHER *cipher) {\n return cipher->block_size;\n}\n\nunsigned EVP_CIPHER_key_length(const EVP_CIPHER *cipher) {\n return cipher->key_len;\n}\n\nunsigned EVP_CIPHER_iv_length(const EVP_CIPHER *cipher) {\n return cipher->iv_len;\n}\n\nuint32_t EVP_CIPHER_flags(const EVP_CIPHER *cipher) {\n return cipher->flags & ~EVP_CIPH_MODE_MASK;\n}\n\nuint32_t EVP_CIPHER_mode(const EVP_CIPHER *cipher) {\n return cipher->flags & EVP_CIPH_MODE_MASK;\n}\n\nint EVP_CipherInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,\n const uint8_t *key, const uint8_t *iv, int enc) {\n if (cipher) {\n EVP_CIPHER_CTX_init(ctx);\n }\n return EVP_CipherInit_ex(ctx, cipher, NULL, key, iv, enc);\n}\n\nint EVP_EncryptInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,\n const uint8_t *key, const uint8_t *iv) {\n return EVP_CipherInit(ctx, cipher, key, iv, 1);\n}\n\nint EVP_DecryptInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,\n const uint8_t *key, const uint8_t *iv) {\n return EVP_CipherInit(ctx, cipher, key, iv, 0);\n}\n\nint EVP_CipherFinal(EVP_CIPHER_CTX *ctx, uint8_t *out, int *out_len) {\n return EVP_CipherFinal_ex(ctx, out, out_len);\n}\n\nint EVP_EncryptFinal(EVP_CIPHER_CTX *ctx, uint8_t *out, int *out_len) {\n return EVP_EncryptFinal_ex(ctx, out, out_len);\n}\n\nint EVP_DecryptFinal(EVP_CIPHER_CTX *ctx, uint8_t *out, int *out_len) {\n return EVP_DecryptFinal_ex(ctx, out, out_len);\n}\n\nint EVP_add_cipher_alias(const char *a, const char *b) { return 1; }\n\nvoid EVP_CIPHER_CTX_set_flags(const EVP_CIPHER_CTX *ctx, uint32_t flags) {}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/fipsmodule/cipher/e_aes.cc.inc", "content": "/*\n * Copyright 2001-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n#include \n#include \n\n#include \n#include \n#include \n#include \n#include \n#include \n\n#include \"../../internal.h\"\n#include \"../aes/internal.h\"\n#include \"../bcm_interface.h\"\n#include \"../delocate.h\"\n#include \"../service_indicator/internal.h\"\n#include \"internal.h\"\n\n\nOPENSSL_MSVC_PRAGMA(warning(push))\nOPENSSL_MSVC_PRAGMA(warning(disable : 4702)) // Unreachable code.\n\n#define AES_GCM_NONCE_LENGTH 12\n\ntypedef struct {\n union {\n double align;\n AES_KEY ks;\n } ks;\n block128_f block;\n union {\n cbc128_f cbc;\n ctr128_f ctr;\n } stream;\n} EVP_AES_KEY;\n\ntypedef struct {\n GCM128_KEY key;\n GCM128_CONTEXT gcm;\n int key_set; // Set if key initialised\n int iv_set; // Set if an iv is set\n uint8_t *iv; // Temporary IV store\n int ivlen; // IV length\n int taglen;\n int iv_gen; // It is OK to generate IVs\n ctr128_f ctr;\n} EVP_AES_GCM_CTX;\n\nstatic int aes_init_key(EVP_CIPHER_CTX *ctx, const uint8_t *key,\n const uint8_t *iv, int enc) {\n int ret;\n EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;\n const int mode = ctx->cipher->flags & EVP_CIPH_MODE_MASK;\n\n if (mode == EVP_CIPH_CTR_MODE) {\n switch (ctx->key_len) {\n case 16:\n boringssl_fips_inc_counter(fips_counter_evp_aes_128_ctr);\n break;\n\n case 32:\n boringssl_fips_inc_counter(fips_counter_evp_aes_256_ctr);\n break;\n }\n }\n\n if ((mode == EVP_CIPH_ECB_MODE || mode == EVP_CIPH_CBC_MODE) && !enc) {\n if (hwaes_capable()) {\n ret = aes_hw_set_decrypt_key(key, ctx->key_len * 8, &dat->ks.ks);\n dat->block = aes_hw_decrypt;\n dat->stream.cbc = NULL;\n if (mode == EVP_CIPH_CBC_MODE) {\n dat->stream.cbc = aes_hw_cbc_encrypt;\n }\n } else if (bsaes_capable() && mode == EVP_CIPH_CBC_MODE) {\n assert(vpaes_capable());\n ret = vpaes_set_decrypt_key(key, ctx->key_len * 8, &dat->ks.ks);\n if (ret == 0) {\n vpaes_decrypt_key_to_bsaes(&dat->ks.ks, &dat->ks.ks);\n }\n // If |dat->stream.cbc| is provided, |dat->block| is never used.\n dat->block = NULL;\n dat->stream.cbc = bsaes_cbc_encrypt;\n } else if (vpaes_capable()) {\n ret = vpaes_set_decrypt_key(key, ctx->key_len * 8, &dat->ks.ks);\n dat->block = vpaes_decrypt;\n dat->stream.cbc = NULL;\n#if defined(VPAES_CBC)\n if (mode == EVP_CIPH_CBC_MODE) {\n dat->stream.cbc = vpaes_cbc_encrypt;\n }\n#endif\n } else {\n ret = aes_nohw_set_decrypt_key(key, ctx->key_len * 8, &dat->ks.ks);\n dat->block = aes_nohw_decrypt;\n dat->stream.cbc = NULL;\n if (mode == EVP_CIPH_CBC_MODE) {\n dat->stream.cbc = aes_nohw_cbc_encrypt;\n }\n }\n } else if (hwaes_capable()) {\n ret = aes_hw_set_encrypt_key(key, ctx->key_len * 8, &dat->ks.ks);\n dat->block = aes_hw_encrypt;\n dat->stream.cbc = NULL;\n if (mode == EVP_CIPH_CBC_MODE) {\n dat->stream.cbc = aes_hw_cbc_encrypt;\n } else if (mode == EVP_CIPH_CTR_MODE) {\n dat->stream.ctr = aes_hw_ctr32_encrypt_blocks;\n }\n } else if (vpaes_capable()) {\n ret = vpaes_set_encrypt_key(key, ctx->key_len * 8, &dat->ks.ks);\n dat->block = vpaes_encrypt;\n dat->stream.cbc = NULL;\n#if defined(VPAES_CBC)\n if (mode == EVP_CIPH_CBC_MODE) {\n dat->stream.cbc = vpaes_cbc_encrypt;\n }\n#endif\n if (mode == EVP_CIPH_CTR_MODE) {\n#if defined(BSAES)\n assert(bsaes_capable());\n dat->stream.ctr = vpaes_ctr32_encrypt_blocks_with_bsaes;\n#else\n dat->stream.ctr = vpaes_ctr32_encrypt_blocks;\n#endif\n }\n } else {\n ret = aes_nohw_set_encrypt_key(key, ctx->key_len * 8, &dat->ks.ks);\n dat->block = aes_nohw_encrypt;\n dat->stream.cbc = NULL;\n if (mode == EVP_CIPH_CBC_MODE) {\n dat->stream.cbc = aes_nohw_cbc_encrypt;\n } else if (mode == EVP_CIPH_CTR_MODE) {\n dat->stream.ctr = aes_nohw_ctr32_encrypt_blocks;\n }\n }\n\n if (ret < 0) {\n OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_AES_KEY_SETUP_FAILED);\n return 0;\n }\n\n return 1;\n}\n\nstatic int aes_cbc_cipher(EVP_CIPHER_CTX *ctx, uint8_t *out, const uint8_t *in,\n size_t len) {\n EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;\n\n if (dat->stream.cbc) {\n (*dat->stream.cbc)(in, out, len, &dat->ks.ks, ctx->iv, ctx->encrypt);\n } else if (ctx->encrypt) {\n CRYPTO_cbc128_encrypt(in, out, len, &dat->ks.ks, ctx->iv, dat->block);\n } else {\n CRYPTO_cbc128_decrypt(in, out, len, &dat->ks.ks, ctx->iv, dat->block);\n }\n\n return 1;\n}\n\nstatic int aes_ecb_cipher(EVP_CIPHER_CTX *ctx, uint8_t *out, const uint8_t *in,\n size_t len) {\n size_t bl = ctx->cipher->block_size;\n EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;\n\n if (len < bl) {\n return 1;\n }\n\n len -= bl;\n for (size_t i = 0; i <= len; i += bl) {\n (*dat->block)(in + i, out + i, &dat->ks.ks);\n }\n\n return 1;\n}\n\nstatic int aes_ctr_cipher(EVP_CIPHER_CTX *ctx, uint8_t *out, const uint8_t *in,\n size_t len) {\n EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;\n CRYPTO_ctr128_encrypt_ctr32(in, out, len, &dat->ks.ks, ctx->iv, ctx->buf,\n &ctx->num, dat->stream.ctr);\n return 1;\n}\n\nstatic int aes_ofb_cipher(EVP_CIPHER_CTX *ctx, uint8_t *out, const uint8_t *in,\n size_t len) {\n EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;\n\n CRYPTO_ofb128_encrypt(in, out, len, &dat->ks.ks, ctx->iv, &ctx->num,\n dat->block);\n return 1;\n}\n\nstatic int aes_gcm_init_key(EVP_CIPHER_CTX *ctx, const uint8_t *key,\n const uint8_t *iv, int enc) {\n EVP_AES_GCM_CTX *gctx = reinterpret_cast(ctx->cipher_data);\n if (!iv && !key) {\n return 1;\n }\n\n // We must configure first the key, then the IV, but the caller may pass both\n // together, or separately in either order.\n if (key) {\n OPENSSL_memset(&gctx->gcm, 0, sizeof(gctx->gcm));\n CRYPTO_gcm128_init_aes_key(&gctx->key, key, ctx->key_len);\n // Use the IV if specified. Otherwise, use the saved IV, if any.\n if (iv == NULL && gctx->iv_set) {\n iv = gctx->iv;\n }\n if (iv) {\n CRYPTO_gcm128_init_ctx(&gctx->key, &gctx->gcm, iv, gctx->ivlen);\n gctx->iv_set = 1;\n }\n gctx->key_set = 1;\n } else {\n if (gctx->key_set) {\n CRYPTO_gcm128_init_ctx(&gctx->key, &gctx->gcm, iv, gctx->ivlen);\n } else {\n // The caller specified the IV before the key. Save the IV for later.\n OPENSSL_memcpy(gctx->iv, iv, gctx->ivlen);\n }\n gctx->iv_set = 1;\n gctx->iv_gen = 0;\n }\n return 1;\n}\n\nstatic void aes_gcm_cleanup(EVP_CIPHER_CTX *c) {\n EVP_AES_GCM_CTX *gctx = reinterpret_cast(c->cipher_data);\n OPENSSL_cleanse(&gctx->key, sizeof(gctx->key));\n OPENSSL_cleanse(&gctx->gcm, sizeof(gctx->gcm));\n if (gctx->iv != c->iv) {\n OPENSSL_free(gctx->iv);\n }\n}\n\nstatic int aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) {\n EVP_AES_GCM_CTX *gctx = reinterpret_cast(c->cipher_data);\n switch (type) {\n case EVP_CTRL_INIT:\n gctx->key_set = 0;\n gctx->iv_set = 0;\n gctx->ivlen = c->cipher->iv_len;\n gctx->iv = c->iv;\n gctx->taglen = -1;\n gctx->iv_gen = 0;\n return 1;\n\n case EVP_CTRL_AEAD_SET_IVLEN:\n if (arg <= 0) {\n return 0;\n }\n\n // Allocate memory for IV if needed\n if (arg > EVP_MAX_IV_LENGTH && arg > gctx->ivlen) {\n if (gctx->iv != c->iv) {\n OPENSSL_free(gctx->iv);\n }\n gctx->iv = reinterpret_cast(OPENSSL_malloc(arg));\n if (!gctx->iv) {\n return 0;\n }\n }\n gctx->ivlen = arg;\n return 1;\n\n case EVP_CTRL_GET_IVLEN:\n *(int *)ptr = gctx->ivlen;\n return 1;\n\n case EVP_CTRL_AEAD_SET_TAG:\n if (arg <= 0 || arg > 16 || c->encrypt) {\n return 0;\n }\n OPENSSL_memcpy(c->buf, ptr, arg);\n gctx->taglen = arg;\n return 1;\n\n case EVP_CTRL_AEAD_GET_TAG:\n if (arg <= 0 || arg > 16 || !c->encrypt || gctx->taglen < 0) {\n return 0;\n }\n OPENSSL_memcpy(ptr, c->buf, arg);\n return 1;\n\n case EVP_CTRL_AEAD_SET_IV_FIXED:\n // Special case: -1 length restores whole IV\n if (arg == -1) {\n OPENSSL_memcpy(gctx->iv, ptr, gctx->ivlen);\n gctx->iv_gen = 1;\n return 1;\n }\n // Fixed field must be at least 4 bytes and invocation field\n // at least 8.\n if (arg < 4 || (gctx->ivlen - arg) < 8) {\n return 0;\n }\n OPENSSL_memcpy(gctx->iv, ptr, arg);\n if (c->encrypt) {\n // |BCM_rand_bytes| calls within the fipsmodule should be wrapped with\n // state lock functions to avoid updating the service indicator with the\n // DRBG functions.\n FIPS_service_indicator_lock_state();\n BCM_rand_bytes(gctx->iv + arg, gctx->ivlen - arg);\n FIPS_service_indicator_unlock_state();\n }\n gctx->iv_gen = 1;\n return 1;\n\n case EVP_CTRL_GCM_IV_GEN: {\n if (gctx->iv_gen == 0 || gctx->key_set == 0) {\n return 0;\n }\n CRYPTO_gcm128_init_ctx(&gctx->key, &gctx->gcm, gctx->iv, gctx->ivlen);\n if (arg <= 0 || arg > gctx->ivlen) {\n arg = gctx->ivlen;\n }\n OPENSSL_memcpy(ptr, gctx->iv + gctx->ivlen - arg, arg);\n // Invocation field will be at least 8 bytes in size, so no need to check\n // wrap around or increment more than last 8 bytes.\n uint8_t *ctr = gctx->iv + gctx->ivlen - 8;\n CRYPTO_store_u64_be(ctr, CRYPTO_load_u64_be(ctr) + 1);\n gctx->iv_set = 1;\n return 1;\n }\n\n case EVP_CTRL_GCM_SET_IV_INV:\n if (gctx->iv_gen == 0 || gctx->key_set == 0 || c->encrypt) {\n return 0;\n }\n OPENSSL_memcpy(gctx->iv + gctx->ivlen - arg, ptr, arg);\n CRYPTO_gcm128_init_ctx(&gctx->key, &gctx->gcm, gctx->iv, gctx->ivlen);\n gctx->iv_set = 1;\n return 1;\n\n case EVP_CTRL_COPY: {\n EVP_CIPHER_CTX *out = reinterpret_cast(ptr);\n EVP_AES_GCM_CTX *gctx_out =\n reinterpret_cast(out->cipher_data);\n if (gctx->iv == c->iv) {\n gctx_out->iv = out->iv;\n } else {\n gctx_out->iv =\n reinterpret_cast(OPENSSL_memdup(gctx->iv, gctx->ivlen));\n if (!gctx_out->iv) {\n return 0;\n }\n }\n return 1;\n }\n\n default:\n return -1;\n }\n}\n\nstatic int aes_gcm_cipher(EVP_CIPHER_CTX *ctx, uint8_t *out, const uint8_t *in,\n size_t len) {\n EVP_AES_GCM_CTX *gctx = reinterpret_cast(ctx->cipher_data);\n\n // If not set up, return error\n if (!gctx->key_set) {\n return -1;\n }\n if (!gctx->iv_set) {\n return -1;\n }\n\n if (len > INT_MAX) {\n // This function signature can only express up to |INT_MAX| bytes encrypted.\n //\n // TODO(https://crbug.com/boringssl/494): Make the internal |EVP_CIPHER|\n // calling convention |size_t|-clean.\n return -1;\n }\n\n if (in) {\n if (out == NULL) {\n if (!CRYPTO_gcm128_aad(&gctx->key, &gctx->gcm, in, len)) {\n return -1;\n }\n } else if (ctx->encrypt) {\n if (!CRYPTO_gcm128_encrypt(&gctx->key, &gctx->gcm, in, out, len)) {\n return -1;\n }\n } else {\n if (!CRYPTO_gcm128_decrypt(&gctx->key, &gctx->gcm, in, out, len)) {\n return -1;\n }\n }\n return (int)len;\n } else {\n if (!ctx->encrypt) {\n if (gctx->taglen < 0 || !CRYPTO_gcm128_finish(&gctx->key, &gctx->gcm,\n ctx->buf, gctx->taglen)) {\n return -1;\n }\n gctx->iv_set = 0;\n return 0;\n }\n CRYPTO_gcm128_tag(&gctx->key, &gctx->gcm, ctx->buf, 16);\n gctx->taglen = 16;\n // Don't reuse the IV\n gctx->iv_set = 0;\n return 0;\n }\n}\n\nDEFINE_METHOD_FUNCTION(EVP_CIPHER, EVP_aes_128_cbc) {\n memset(out, 0, sizeof(EVP_CIPHER));\n\n out->nid = NID_aes_128_cbc;\n out->block_size = 16;\n out->key_len = 16;\n out->iv_len = 16;\n out->ctx_size = sizeof(EVP_AES_KEY);\n out->flags = EVP_CIPH_CBC_MODE;\n out->init = aes_init_key;\n out->cipher = aes_cbc_cipher;\n}\n\nDEFINE_METHOD_FUNCTION(EVP_CIPHER, EVP_aes_128_ctr) {\n memset(out, 0, sizeof(EVP_CIPHER));\n\n out->nid = NID_aes_128_ctr;\n out->block_size = 1;\n out->key_len = 16;\n out->iv_len = 16;\n out->ctx_size = sizeof(EVP_AES_KEY);\n out->flags = EVP_CIPH_CTR_MODE;\n out->init = aes_init_key;\n out->cipher = aes_ctr_cipher;\n}\n\nDEFINE_LOCAL_DATA(EVP_CIPHER, aes_128_ecb_generic) {\n memset(out, 0, sizeof(EVP_CIPHER));\n\n out->nid = NID_aes_128_ecb;\n out->block_size = 16;\n out->key_len = 16;\n out->ctx_size = sizeof(EVP_AES_KEY);\n out->flags = EVP_CIPH_ECB_MODE;\n out->init = aes_init_key;\n out->cipher = aes_ecb_cipher;\n}\n\nDEFINE_METHOD_FUNCTION(EVP_CIPHER, EVP_aes_128_ofb) {\n memset(out, 0, sizeof(EVP_CIPHER));\n\n out->nid = NID_aes_128_ofb128;\n out->block_size = 1;\n out->key_len = 16;\n out->iv_len = 16;\n out->ctx_size = sizeof(EVP_AES_KEY);\n out->flags = EVP_CIPH_OFB_MODE;\n out->init = aes_init_key;\n out->cipher = aes_ofb_cipher;\n}\n\nDEFINE_METHOD_FUNCTION(EVP_CIPHER, EVP_aes_128_gcm) {\n memset(out, 0, sizeof(EVP_CIPHER));\n\n out->nid = NID_aes_128_gcm;\n out->block_size = 1;\n out->key_len = 16;\n out->iv_len = AES_GCM_NONCE_LENGTH;\n out->ctx_size = sizeof(EVP_AES_GCM_CTX);\n out->flags = EVP_CIPH_GCM_MODE | EVP_CIPH_CUSTOM_IV | EVP_CIPH_CUSTOM_COPY |\n EVP_CIPH_FLAG_CUSTOM_CIPHER | EVP_CIPH_ALWAYS_CALL_INIT |\n EVP_CIPH_CTRL_INIT | EVP_CIPH_FLAG_AEAD_CIPHER;\n out->init = aes_gcm_init_key;\n out->cipher = aes_gcm_cipher;\n out->cleanup = aes_gcm_cleanup;\n out->ctrl = aes_gcm_ctrl;\n}\n\nDEFINE_METHOD_FUNCTION(EVP_CIPHER, EVP_aes_192_cbc) {\n memset(out, 0, sizeof(EVP_CIPHER));\n\n out->nid = NID_aes_192_cbc;\n out->block_size = 16;\n out->key_len = 24;\n out->iv_len = 16;\n out->ctx_size = sizeof(EVP_AES_KEY);\n out->flags = EVP_CIPH_CBC_MODE;\n out->init = aes_init_key;\n out->cipher = aes_cbc_cipher;\n}\n\nDEFINE_METHOD_FUNCTION(EVP_CIPHER, EVP_aes_192_ctr) {\n memset(out, 0, sizeof(EVP_CIPHER));\n\n out->nid = NID_aes_192_ctr;\n out->block_size = 1;\n out->key_len = 24;\n out->iv_len = 16;\n out->ctx_size = sizeof(EVP_AES_KEY);\n out->flags = EVP_CIPH_CTR_MODE;\n out->init = aes_init_key;\n out->cipher = aes_ctr_cipher;\n}\n\nDEFINE_LOCAL_DATA(EVP_CIPHER, aes_192_ecb_generic) {\n memset(out, 0, sizeof(EVP_CIPHER));\n\n out->nid = NID_aes_192_ecb;\n out->block_size = 16;\n out->key_len = 24;\n out->ctx_size = sizeof(EVP_AES_KEY);\n out->flags = EVP_CIPH_ECB_MODE;\n out->init = aes_init_key;\n out->cipher = aes_ecb_cipher;\n}\n\nDEFINE_METHOD_FUNCTION(EVP_CIPHER, EVP_aes_192_ofb) {\n memset(out, 0, sizeof(EVP_CIPHER));\n\n out->nid = NID_aes_192_ofb128;\n out->block_size = 1;\n out->key_len = 24;\n out->iv_len = 16;\n out->ctx_size = sizeof(EVP_AES_KEY);\n out->flags = EVP_CIPH_OFB_MODE;\n out->init = aes_init_key;\n out->cipher = aes_ofb_cipher;\n}\n\nDEFINE_METHOD_FUNCTION(EVP_CIPHER, EVP_aes_192_gcm) {\n memset(out, 0, sizeof(EVP_CIPHER));\n\n out->nid = NID_aes_192_gcm;\n out->block_size = 1;\n out->key_len = 24;\n out->iv_len = AES_GCM_NONCE_LENGTH;\n out->ctx_size = sizeof(EVP_AES_GCM_CTX);\n out->flags = EVP_CIPH_GCM_MODE | EVP_CIPH_CUSTOM_IV | EVP_CIPH_CUSTOM_COPY |\n EVP_CIPH_FLAG_CUSTOM_CIPHER | EVP_CIPH_ALWAYS_CALL_INIT |\n EVP_CIPH_CTRL_INIT | EVP_CIPH_FLAG_AEAD_CIPHER;\n out->init = aes_gcm_init_key;\n out->cipher = aes_gcm_cipher;\n out->cleanup = aes_gcm_cleanup;\n out->ctrl = aes_gcm_ctrl;\n}\n\nDEFINE_METHOD_FUNCTION(EVP_CIPHER, EVP_aes_256_cbc) {\n memset(out, 0, sizeof(EVP_CIPHER));\n\n out->nid = NID_aes_256_cbc;\n out->block_size = 16;\n out->key_len = 32;\n out->iv_len = 16;\n out->ctx_size = sizeof(EVP_AES_KEY);\n out->flags = EVP_CIPH_CBC_MODE;\n out->init = aes_init_key;\n out->cipher = aes_cbc_cipher;\n}\n\nDEFINE_METHOD_FUNCTION(EVP_CIPHER, EVP_aes_256_ctr) {\n memset(out, 0, sizeof(EVP_CIPHER));\n\n out->nid = NID_aes_256_ctr;\n out->block_size = 1;\n out->key_len = 32;\n out->iv_len = 16;\n out->ctx_size = sizeof(EVP_AES_KEY);\n out->flags = EVP_CIPH_CTR_MODE;\n out->init = aes_init_key;\n out->cipher = aes_ctr_cipher;\n}\n\nDEFINE_LOCAL_DATA(EVP_CIPHER, aes_256_ecb_generic) {\n memset(out, 0, sizeof(EVP_CIPHER));\n\n out->nid = NID_aes_256_ecb;\n out->block_size = 16;\n out->key_len = 32;\n out->ctx_size = sizeof(EVP_AES_KEY);\n out->flags = EVP_CIPH_ECB_MODE;\n out->init = aes_init_key;\n out->cipher = aes_ecb_cipher;\n}\n\nDEFINE_METHOD_FUNCTION(EVP_CIPHER, EVP_aes_256_ofb) {\n memset(out, 0, sizeof(EVP_CIPHER));\n\n out->nid = NID_aes_256_ofb128;\n out->block_size = 1;\n out->key_len = 32;\n out->iv_len = 16;\n out->ctx_size = sizeof(EVP_AES_KEY);\n out->flags = EVP_CIPH_OFB_MODE;\n out->init = aes_init_key;\n out->cipher = aes_ofb_cipher;\n}\n\nDEFINE_METHOD_FUNCTION(EVP_CIPHER, EVP_aes_256_gcm) {\n memset(out, 0, sizeof(EVP_CIPHER));\n\n out->nid = NID_aes_256_gcm;\n out->block_size = 1;\n out->key_len = 32;\n out->iv_len = AES_GCM_NONCE_LENGTH;\n out->ctx_size = sizeof(EVP_AES_GCM_CTX);\n out->flags = EVP_CIPH_GCM_MODE | EVP_CIPH_CUSTOM_IV | EVP_CIPH_CUSTOM_COPY |\n EVP_CIPH_FLAG_CUSTOM_CIPHER | EVP_CIPH_ALWAYS_CALL_INIT |\n EVP_CIPH_CTRL_INIT | EVP_CIPH_FLAG_AEAD_CIPHER;\n out->init = aes_gcm_init_key;\n out->cipher = aes_gcm_cipher;\n out->cleanup = aes_gcm_cleanup;\n out->ctrl = aes_gcm_ctrl;\n}\n\n#if defined(HWAES_ECB)\n\nstatic int aes_hw_ecb_cipher(EVP_CIPHER_CTX *ctx, uint8_t *out,\n const uint8_t *in, size_t len) {\n size_t bl = ctx->cipher->block_size;\n\n if (len < bl) {\n return 1;\n }\n\n aes_hw_ecb_encrypt(in, out, len,\n reinterpret_cast(ctx->cipher_data),\n ctx->encrypt);\n\n return 1;\n}\n\nDEFINE_LOCAL_DATA(EVP_CIPHER, aes_hw_128_ecb) {\n memset(out, 0, sizeof(EVP_CIPHER));\n\n out->nid = NID_aes_128_ecb;\n out->block_size = 16;\n out->key_len = 16;\n out->ctx_size = sizeof(EVP_AES_KEY);\n out->flags = EVP_CIPH_ECB_MODE;\n out->init = aes_init_key;\n out->cipher = aes_hw_ecb_cipher;\n}\n\nDEFINE_LOCAL_DATA(EVP_CIPHER, aes_hw_192_ecb) {\n memset(out, 0, sizeof(EVP_CIPHER));\n\n out->nid = NID_aes_192_ecb;\n out->block_size = 16;\n out->key_len = 24;\n out->ctx_size = sizeof(EVP_AES_KEY);\n out->flags = EVP_CIPH_ECB_MODE;\n out->init = aes_init_key;\n out->cipher = aes_hw_ecb_cipher;\n}\n\nDEFINE_LOCAL_DATA(EVP_CIPHER, aes_hw_256_ecb) {\n memset(out, 0, sizeof(EVP_CIPHER));\n\n out->nid = NID_aes_256_ecb;\n out->block_size = 16;\n out->key_len = 32;\n out->ctx_size = sizeof(EVP_AES_KEY);\n out->flags = EVP_CIPH_ECB_MODE;\n out->init = aes_init_key;\n out->cipher = aes_hw_ecb_cipher;\n}\n\n#define EVP_ECB_CIPHER_FUNCTION(keybits) \\\n const EVP_CIPHER *EVP_aes_##keybits##_ecb(void) { \\\n if (hwaes_capable()) { \\\n return aes_hw_##keybits##_ecb(); \\\n } \\\n return aes_##keybits##_ecb_generic(); \\\n }\n\n#else\n\n#define EVP_ECB_CIPHER_FUNCTION(keybits) \\\n const EVP_CIPHER *EVP_aes_##keybits##_ecb(void) { \\\n return aes_##keybits##_ecb_generic(); \\\n }\n\n#endif // HWAES_ECB\n\nEVP_ECB_CIPHER_FUNCTION(128)\nEVP_ECB_CIPHER_FUNCTION(192)\nEVP_ECB_CIPHER_FUNCTION(256)\n\n\n#define EVP_AEAD_AES_GCM_TAG_LEN 16\n\nnamespace {\nstruct aead_aes_gcm_ctx {\n GCM128_KEY key;\n};\n} // namespace\n\nstatic int aead_aes_gcm_init_impl(struct aead_aes_gcm_ctx *gcm_ctx,\n size_t *out_tag_len, const uint8_t *key,\n size_t key_len, size_t tag_len) {\n const size_t key_bits = key_len * 8;\n if (key_bits != 128 && key_bits != 192 && key_bits != 256) {\n OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_KEY_LENGTH);\n return 0; // EVP_AEAD_CTX_init should catch this.\n }\n\n if (tag_len == EVP_AEAD_DEFAULT_TAG_LENGTH) {\n tag_len = EVP_AEAD_AES_GCM_TAG_LEN;\n }\n\n if (tag_len > EVP_AEAD_AES_GCM_TAG_LEN) {\n OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TAG_TOO_LARGE);\n return 0;\n }\n\n CRYPTO_gcm128_init_aes_key(&gcm_ctx->key, key, key_len);\n *out_tag_len = tag_len;\n return 1;\n}\n\nstatic_assert(sizeof(((EVP_AEAD_CTX *)NULL)->state) >=\n sizeof(struct aead_aes_gcm_ctx),\n \"AEAD state is too small\");\nstatic_assert(alignof(union evp_aead_ctx_st_state) >=\n alignof(struct aead_aes_gcm_ctx),\n \"AEAD state has insufficient alignment\");\n\nstatic int aead_aes_gcm_init(EVP_AEAD_CTX *ctx, const uint8_t *key,\n size_t key_len, size_t requested_tag_len) {\n struct aead_aes_gcm_ctx *gcm_ctx = (struct aead_aes_gcm_ctx *)&ctx->state;\n\n size_t actual_tag_len;\n if (!aead_aes_gcm_init_impl(gcm_ctx, &actual_tag_len, key, key_len,\n requested_tag_len)) {\n return 0;\n }\n\n ctx->tag_len = actual_tag_len;\n return 1;\n}\n\nstatic void aead_aes_gcm_cleanup(EVP_AEAD_CTX *ctx) {}\n\nstatic int aead_aes_gcm_seal_scatter_impl(\n const struct aead_aes_gcm_ctx *gcm_ctx, uint8_t *out, uint8_t *out_tag,\n size_t *out_tag_len, size_t max_out_tag_len, const uint8_t *nonce,\n size_t nonce_len, const uint8_t *in, size_t in_len, const uint8_t *extra_in,\n size_t extra_in_len, const uint8_t *ad, size_t ad_len, size_t tag_len) {\n if (extra_in_len + tag_len < tag_len) {\n OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE);\n return 0;\n }\n if (max_out_tag_len < extra_in_len + tag_len) {\n OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL);\n return 0;\n }\n if (nonce_len == 0) {\n OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_NONCE_SIZE);\n return 0;\n }\n\n const GCM128_KEY *key = &gcm_ctx->key;\n GCM128_CONTEXT gcm;\n CRYPTO_gcm128_init_ctx(key, &gcm, nonce, nonce_len);\n\n if (ad_len > 0 && !CRYPTO_gcm128_aad(key, &gcm, ad, ad_len)) {\n return 0;\n }\n\n if (!CRYPTO_gcm128_encrypt(key, &gcm, in, out, in_len)) {\n return 0;\n }\n\n if (extra_in_len > 0 &&\n !CRYPTO_gcm128_encrypt(key, &gcm, extra_in, out_tag, extra_in_len)) {\n return 0;\n }\n\n CRYPTO_gcm128_tag(key, &gcm, out_tag + extra_in_len, tag_len);\n *out_tag_len = tag_len + extra_in_len;\n\n return 1;\n}\n\nstatic int aead_aes_gcm_seal_scatter(\n const EVP_AEAD_CTX *ctx, uint8_t *out, uint8_t *out_tag,\n size_t *out_tag_len, size_t max_out_tag_len, const uint8_t *nonce,\n size_t nonce_len, const uint8_t *in, size_t in_len, const uint8_t *extra_in,\n size_t extra_in_len, const uint8_t *ad, size_t ad_len) {\n const struct aead_aes_gcm_ctx *gcm_ctx =\n (const struct aead_aes_gcm_ctx *)&ctx->state;\n return aead_aes_gcm_seal_scatter_impl(\n gcm_ctx, out, out_tag, out_tag_len, max_out_tag_len, nonce, nonce_len, in,\n in_len, extra_in, extra_in_len, ad, ad_len, ctx->tag_len);\n}\n\nstatic int aead_aes_gcm_open_gather_impl(const struct aead_aes_gcm_ctx *gcm_ctx,\n uint8_t *out, const uint8_t *nonce,\n size_t nonce_len, const uint8_t *in,\n size_t in_len, const uint8_t *in_tag,\n size_t in_tag_len, const uint8_t *ad,\n size_t ad_len, size_t tag_len) {\n uint8_t tag[EVP_AEAD_AES_GCM_TAG_LEN];\n\n if (nonce_len == 0) {\n OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_NONCE_SIZE);\n return 0;\n }\n\n if (in_tag_len != tag_len) {\n OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT);\n return 0;\n }\n\n const GCM128_KEY *key = &gcm_ctx->key;\n GCM128_CONTEXT gcm;\n CRYPTO_gcm128_init_ctx(key, &gcm, nonce, nonce_len);\n\n if (!CRYPTO_gcm128_aad(key, &gcm, ad, ad_len)) {\n return 0;\n }\n\n if (!CRYPTO_gcm128_decrypt(key, &gcm, in, out, in_len)) {\n return 0;\n }\n\n CRYPTO_gcm128_tag(key, &gcm, tag, tag_len);\n if (CRYPTO_memcmp(tag, in_tag, tag_len) != 0) {\n OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT);\n return 0;\n }\n\n return 1;\n}\n\nstatic int aead_aes_gcm_open_gather(const EVP_AEAD_CTX *ctx, uint8_t *out,\n const uint8_t *nonce, size_t nonce_len,\n const uint8_t *in, size_t in_len,\n const uint8_t *in_tag, size_t in_tag_len,\n const uint8_t *ad, size_t ad_len) {\n struct aead_aes_gcm_ctx *gcm_ctx = (struct aead_aes_gcm_ctx *)&ctx->state;\n if (!aead_aes_gcm_open_gather_impl(gcm_ctx, out, nonce, nonce_len, in, in_len,\n in_tag, in_tag_len, ad, ad_len,\n ctx->tag_len)) {\n return 0;\n }\n\n AEAD_GCM_verify_service_indicator(ctx);\n return 1;\n}\n\nDEFINE_METHOD_FUNCTION(EVP_AEAD, EVP_aead_aes_128_gcm) {\n memset(out, 0, sizeof(EVP_AEAD));\n\n out->key_len = 16;\n out->nonce_len = AES_GCM_NONCE_LENGTH;\n out->overhead = EVP_AEAD_AES_GCM_TAG_LEN;\n out->max_tag_len = EVP_AEAD_AES_GCM_TAG_LEN;\n out->seal_scatter_supports_extra_in = 1;\n\n out->init = aead_aes_gcm_init;\n out->cleanup = aead_aes_gcm_cleanup;\n out->seal_scatter = aead_aes_gcm_seal_scatter;\n out->open_gather = aead_aes_gcm_open_gather;\n}\n\nDEFINE_METHOD_FUNCTION(EVP_AEAD, EVP_aead_aes_192_gcm) {\n memset(out, 0, sizeof(EVP_AEAD));\n\n out->key_len = 24;\n out->nonce_len = AES_GCM_NONCE_LENGTH;\n out->overhead = EVP_AEAD_AES_GCM_TAG_LEN;\n out->max_tag_len = EVP_AEAD_AES_GCM_TAG_LEN;\n out->seal_scatter_supports_extra_in = 1;\n\n out->init = aead_aes_gcm_init;\n out->cleanup = aead_aes_gcm_cleanup;\n out->seal_scatter = aead_aes_gcm_seal_scatter;\n out->open_gather = aead_aes_gcm_open_gather;\n}\n\nDEFINE_METHOD_FUNCTION(EVP_AEAD, EVP_aead_aes_256_gcm) {\n memset(out, 0, sizeof(EVP_AEAD));\n\n out->key_len = 32;\n out->nonce_len = AES_GCM_NONCE_LENGTH;\n out->overhead = EVP_AEAD_AES_GCM_TAG_LEN;\n out->max_tag_len = EVP_AEAD_AES_GCM_TAG_LEN;\n out->seal_scatter_supports_extra_in = 1;\n\n out->init = aead_aes_gcm_init;\n out->cleanup = aead_aes_gcm_cleanup;\n out->seal_scatter = aead_aes_gcm_seal_scatter;\n out->open_gather = aead_aes_gcm_open_gather;\n}\n\nstatic int aead_aes_gcm_init_randnonce(EVP_AEAD_CTX *ctx, const uint8_t *key,\n size_t key_len,\n size_t requested_tag_len) {\n if (requested_tag_len != EVP_AEAD_DEFAULT_TAG_LENGTH) {\n if (requested_tag_len < AES_GCM_NONCE_LENGTH) {\n OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL);\n return 0;\n }\n requested_tag_len -= AES_GCM_NONCE_LENGTH;\n }\n\n if (!aead_aes_gcm_init(ctx, key, key_len, requested_tag_len)) {\n return 0;\n }\n\n ctx->tag_len += AES_GCM_NONCE_LENGTH;\n return 1;\n}\n\nstatic int aead_aes_gcm_seal_scatter_randnonce(\n const EVP_AEAD_CTX *ctx, uint8_t *out, uint8_t *out_tag,\n size_t *out_tag_len, size_t max_out_tag_len, const uint8_t *external_nonce,\n size_t external_nonce_len, const uint8_t *in, size_t in_len,\n const uint8_t *extra_in, size_t extra_in_len, const uint8_t *ad,\n size_t ad_len) {\n if (external_nonce_len != 0) {\n OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_NONCE_SIZE);\n return 0;\n }\n\n uint8_t nonce[AES_GCM_NONCE_LENGTH];\n if (max_out_tag_len < sizeof(nonce)) {\n OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL);\n return 0;\n }\n\n // |BCM_rand_bytes| calls within the fipsmodule should be wrapped with state\n // lock functions to avoid updating the service indicator with the DRBG\n // functions.\n FIPS_service_indicator_lock_state();\n BCM_rand_bytes(nonce, sizeof(nonce));\n FIPS_service_indicator_unlock_state();\n\n const struct aead_aes_gcm_ctx *gcm_ctx =\n (const struct aead_aes_gcm_ctx *)&ctx->state;\n if (!aead_aes_gcm_seal_scatter_impl(gcm_ctx, out, out_tag, out_tag_len,\n max_out_tag_len - AES_GCM_NONCE_LENGTH,\n nonce, sizeof(nonce), in, in_len,\n extra_in, extra_in_len, ad, ad_len,\n ctx->tag_len - AES_GCM_NONCE_LENGTH)) {\n return 0;\n }\n\n assert(*out_tag_len + sizeof(nonce) <= max_out_tag_len);\n memcpy(out_tag + *out_tag_len, nonce, sizeof(nonce));\n *out_tag_len += sizeof(nonce);\n\n AEAD_GCM_verify_service_indicator(ctx);\n return 1;\n}\n\nstatic int aead_aes_gcm_open_gather_randnonce(\n const EVP_AEAD_CTX *ctx, uint8_t *out, const uint8_t *external_nonce,\n size_t external_nonce_len, const uint8_t *in, size_t in_len,\n const uint8_t *in_tag, size_t in_tag_len, const uint8_t *ad,\n size_t ad_len) {\n if (external_nonce_len != 0) {\n OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_NONCE_SIZE);\n return 0;\n }\n\n if (in_tag_len < AES_GCM_NONCE_LENGTH) {\n OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT);\n return 0;\n }\n const uint8_t *nonce = in_tag + in_tag_len - AES_GCM_NONCE_LENGTH;\n\n const struct aead_aes_gcm_ctx *gcm_ctx =\n (const struct aead_aes_gcm_ctx *)&ctx->state;\n if (!aead_aes_gcm_open_gather_impl(\n gcm_ctx, out, nonce, AES_GCM_NONCE_LENGTH, in, in_len, in_tag,\n in_tag_len - AES_GCM_NONCE_LENGTH, ad, ad_len,\n ctx->tag_len - AES_GCM_NONCE_LENGTH)) {\n return 0;\n }\n\n AEAD_GCM_verify_service_indicator(ctx);\n return 1;\n}\n\nDEFINE_METHOD_FUNCTION(EVP_AEAD, EVP_aead_aes_128_gcm_randnonce) {\n memset(out, 0, sizeof(EVP_AEAD));\n\n out->key_len = 16;\n out->nonce_len = 0;\n out->overhead = EVP_AEAD_AES_GCM_TAG_LEN + AES_GCM_NONCE_LENGTH;\n out->max_tag_len = EVP_AEAD_AES_GCM_TAG_LEN + AES_GCM_NONCE_LENGTH;\n out->seal_scatter_supports_extra_in = 1;\n\n out->init = aead_aes_gcm_init_randnonce;\n out->cleanup = aead_aes_gcm_cleanup;\n out->seal_scatter = aead_aes_gcm_seal_scatter_randnonce;\n out->open_gather = aead_aes_gcm_open_gather_randnonce;\n}\n\nDEFINE_METHOD_FUNCTION(EVP_AEAD, EVP_aead_aes_256_gcm_randnonce) {\n memset(out, 0, sizeof(EVP_AEAD));\n\n out->key_len = 32;\n out->nonce_len = 0;\n out->overhead = EVP_AEAD_AES_GCM_TAG_LEN + AES_GCM_NONCE_LENGTH;\n out->max_tag_len = EVP_AEAD_AES_GCM_TAG_LEN + AES_GCM_NONCE_LENGTH;\n out->seal_scatter_supports_extra_in = 1;\n\n out->init = aead_aes_gcm_init_randnonce;\n out->cleanup = aead_aes_gcm_cleanup;\n out->seal_scatter = aead_aes_gcm_seal_scatter_randnonce;\n out->open_gather = aead_aes_gcm_open_gather_randnonce;\n}\n\nnamespace {\nstruct aead_aes_gcm_tls12_ctx {\n struct aead_aes_gcm_ctx gcm_ctx;\n uint64_t min_next_nonce;\n};\n} // namespace\n\nstatic_assert(sizeof(((EVP_AEAD_CTX *)NULL)->state) >=\n sizeof(struct aead_aes_gcm_tls12_ctx),\n \"AEAD state is too small\");\nstatic_assert(alignof(union evp_aead_ctx_st_state) >=\n alignof(struct aead_aes_gcm_tls12_ctx),\n \"AEAD state has insufficient alignment\");\n\nstatic int aead_aes_gcm_tls12_init(EVP_AEAD_CTX *ctx, const uint8_t *key,\n size_t key_len, size_t requested_tag_len) {\n struct aead_aes_gcm_tls12_ctx *gcm_ctx =\n (struct aead_aes_gcm_tls12_ctx *)&ctx->state;\n\n gcm_ctx->min_next_nonce = 0;\n\n size_t actual_tag_len;\n if (!aead_aes_gcm_init_impl(&gcm_ctx->gcm_ctx, &actual_tag_len, key, key_len,\n requested_tag_len)) {\n return 0;\n }\n\n ctx->tag_len = actual_tag_len;\n return 1;\n}\n\nstatic int aead_aes_gcm_tls12_seal_scatter(\n const EVP_AEAD_CTX *ctx, uint8_t *out, uint8_t *out_tag,\n size_t *out_tag_len, size_t max_out_tag_len, const uint8_t *nonce,\n size_t nonce_len, const uint8_t *in, size_t in_len, const uint8_t *extra_in,\n size_t extra_in_len, const uint8_t *ad, size_t ad_len) {\n struct aead_aes_gcm_tls12_ctx *gcm_ctx =\n (struct aead_aes_gcm_tls12_ctx *)&ctx->state;\n\n if (nonce_len != AES_GCM_NONCE_LENGTH) {\n OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_NONCE_SIZE);\n return 0;\n }\n\n // The given nonces must be strictly monotonically increasing.\n uint64_t given_counter =\n CRYPTO_load_u64_be(nonce + nonce_len - sizeof(uint64_t));\n if (given_counter == UINT64_MAX || given_counter < gcm_ctx->min_next_nonce) {\n OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_NONCE);\n return 0;\n }\n\n gcm_ctx->min_next_nonce = given_counter + 1;\n\n if (!aead_aes_gcm_seal_scatter(ctx, out, out_tag, out_tag_len,\n max_out_tag_len, nonce, nonce_len, in, in_len,\n extra_in, extra_in_len, ad, ad_len)) {\n return 0;\n }\n\n AEAD_GCM_verify_service_indicator(ctx);\n return 1;\n}\n\nDEFINE_METHOD_FUNCTION(EVP_AEAD, EVP_aead_aes_128_gcm_tls12) {\n memset(out, 0, sizeof(EVP_AEAD));\n\n out->key_len = 16;\n out->nonce_len = AES_GCM_NONCE_LENGTH;\n out->overhead = EVP_AEAD_AES_GCM_TAG_LEN;\n out->max_tag_len = EVP_AEAD_AES_GCM_TAG_LEN;\n out->seal_scatter_supports_extra_in = 1;\n\n out->init = aead_aes_gcm_tls12_init;\n out->cleanup = aead_aes_gcm_cleanup;\n out->seal_scatter = aead_aes_gcm_tls12_seal_scatter;\n out->open_gather = aead_aes_gcm_open_gather;\n}\n\nDEFINE_METHOD_FUNCTION(EVP_AEAD, EVP_aead_aes_256_gcm_tls12) {\n memset(out, 0, sizeof(EVP_AEAD));\n\n out->key_len = 32;\n out->nonce_len = AES_GCM_NONCE_LENGTH;\n out->overhead = EVP_AEAD_AES_GCM_TAG_LEN;\n out->max_tag_len = EVP_AEAD_AES_GCM_TAG_LEN;\n out->seal_scatter_supports_extra_in = 1;\n\n out->init = aead_aes_gcm_tls12_init;\n out->cleanup = aead_aes_gcm_cleanup;\n out->seal_scatter = aead_aes_gcm_tls12_seal_scatter;\n out->open_gather = aead_aes_gcm_open_gather;\n}\n\nnamespace {\nstruct aead_aes_gcm_tls13_ctx {\n struct aead_aes_gcm_ctx gcm_ctx;\n uint64_t min_next_nonce;\n uint64_t mask;\n uint8_t first;\n};\n} // namespace\n\nstatic_assert(sizeof(((EVP_AEAD_CTX *)NULL)->state) >=\n sizeof(struct aead_aes_gcm_tls13_ctx),\n \"AEAD state is too small\");\nstatic_assert(alignof(union evp_aead_ctx_st_state) >=\n alignof(struct aead_aes_gcm_tls13_ctx),\n \"AEAD state has insufficient alignment\");\n\nstatic int aead_aes_gcm_tls13_init(EVP_AEAD_CTX *ctx, const uint8_t *key,\n size_t key_len, size_t requested_tag_len) {\n struct aead_aes_gcm_tls13_ctx *gcm_ctx =\n (struct aead_aes_gcm_tls13_ctx *)&ctx->state;\n\n gcm_ctx->min_next_nonce = 0;\n gcm_ctx->first = 1;\n\n size_t actual_tag_len;\n if (!aead_aes_gcm_init_impl(&gcm_ctx->gcm_ctx, &actual_tag_len, key, key_len,\n requested_tag_len)) {\n return 0;\n }\n\n ctx->tag_len = actual_tag_len;\n return 1;\n}\n\nstatic int aead_aes_gcm_tls13_seal_scatter(\n const EVP_AEAD_CTX *ctx, uint8_t *out, uint8_t *out_tag,\n size_t *out_tag_len, size_t max_out_tag_len, const uint8_t *nonce,\n size_t nonce_len, const uint8_t *in, size_t in_len, const uint8_t *extra_in,\n size_t extra_in_len, const uint8_t *ad, size_t ad_len) {\n struct aead_aes_gcm_tls13_ctx *gcm_ctx =\n (struct aead_aes_gcm_tls13_ctx *)&ctx->state;\n\n if (nonce_len != AES_GCM_NONCE_LENGTH) {\n OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_UNSUPPORTED_NONCE_SIZE);\n return 0;\n }\n\n // The given nonces must be strictly monotonically increasing. See\n // https://tools.ietf.org/html/rfc8446#section-5.3 for details of the TLS 1.3\n // nonce construction.\n uint64_t given_counter =\n CRYPTO_load_u64_be(nonce + nonce_len - sizeof(uint64_t));\n\n if (gcm_ctx->first) {\n // In the first call the sequence number will be zero and therefore the\n // given nonce will be 0 ^ mask = mask.\n gcm_ctx->mask = given_counter;\n gcm_ctx->first = 0;\n }\n given_counter ^= gcm_ctx->mask;\n\n if (given_counter == UINT64_MAX || given_counter < gcm_ctx->min_next_nonce) {\n OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_NONCE);\n return 0;\n }\n\n gcm_ctx->min_next_nonce = given_counter + 1;\n\n if (!aead_aes_gcm_seal_scatter(ctx, out, out_tag, out_tag_len,\n max_out_tag_len, nonce, nonce_len, in, in_len,\n extra_in, extra_in_len, ad, ad_len)) {\n return 0;\n }\n\n AEAD_GCM_verify_service_indicator(ctx);\n return 1;\n}\n\nDEFINE_METHOD_FUNCTION(EVP_AEAD, EVP_aead_aes_128_gcm_tls13) {\n memset(out, 0, sizeof(EVP_AEAD));\n\n out->key_len = 16;\n out->nonce_len = AES_GCM_NONCE_LENGTH;\n out->overhead = EVP_AEAD_AES_GCM_TAG_LEN;\n out->max_tag_len = EVP_AEAD_AES_GCM_TAG_LEN;\n out->seal_scatter_supports_extra_in = 1;\n\n out->init = aead_aes_gcm_tls13_init;\n out->cleanup = aead_aes_gcm_cleanup;\n out->seal_scatter = aead_aes_gcm_tls13_seal_scatter;\n out->open_gather = aead_aes_gcm_open_gather;\n}\n\nDEFINE_METHOD_FUNCTION(EVP_AEAD, EVP_aead_aes_256_gcm_tls13) {\n memset(out, 0, sizeof(EVP_AEAD));\n\n out->key_len = 32;\n out->nonce_len = AES_GCM_NONCE_LENGTH;\n out->overhead = EVP_AEAD_AES_GCM_TAG_LEN;\n out->max_tag_len = EVP_AEAD_AES_GCM_TAG_LEN;\n out->seal_scatter_supports_extra_in = 1;\n\n out->init = aead_aes_gcm_tls13_init;\n out->cleanup = aead_aes_gcm_cleanup;\n out->seal_scatter = aead_aes_gcm_tls13_seal_scatter;\n out->open_gather = aead_aes_gcm_open_gather;\n}\n\nint EVP_has_aes_hardware(void) {\n#if defined(OPENSSL_X86) || defined(OPENSSL_X86_64)\n return hwaes_capable() && crypto_gcm_clmul_enabled();\n#elif defined(OPENSSL_ARM) || defined(OPENSSL_AARCH64)\n return hwaes_capable() && CRYPTO_is_ARMv8_PMULL_capable();\n#else\n return 0;\n#endif\n}\n\nOPENSSL_MSVC_PRAGMA(warning(pop))\n" }, { "path": "Sources/CNIOBoringSSL/crypto/fipsmodule/cipher/e_aesccm.cc.inc", "content": "/*\n * Copyright 2011-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n\n#include \n#include \n#include \n\n#include \"../aes/internal.h\"\n#include \"../delocate.h\"\n#include \"../service_indicator/internal.h\"\n#include \"internal.h\"\n\n\nstruct ccm128_context {\n block128_f block;\n ctr128_f ctr;\n unsigned M, L;\n};\n\nstruct ccm128_state {\n alignas(16) uint8_t nonce[16];\n alignas(16) uint8_t cmac[16];\n};\n\nstatic int CRYPTO_ccm128_init(struct ccm128_context *ctx, const AES_KEY *key,\n block128_f block, ctr128_f ctr, unsigned M,\n unsigned L) {\n if (M < 4 || M > 16 || (M & 1) != 0 || L < 2 || L > 8) {\n return 0;\n }\n ctx->block = block;\n ctx->ctr = ctr;\n ctx->M = M;\n ctx->L = L;\n return 1;\n}\n\nstatic size_t CRYPTO_ccm128_max_input(const struct ccm128_context *ctx) {\n return ctx->L >= sizeof(size_t) ? SIZE_MAX\n : (((size_t)1) << (ctx->L * 8)) - 1;\n}\n\nstatic int ccm128_init_state(const struct ccm128_context *ctx,\n struct ccm128_state *state, const AES_KEY *key,\n const uint8_t *nonce, size_t nonce_len,\n const uint8_t *aad, size_t aad_len,\n size_t plaintext_len) {\n const block128_f block = ctx->block;\n const unsigned M = ctx->M;\n const unsigned L = ctx->L;\n\n // |L| determines the expected |nonce_len| and the limit for |plaintext_len|.\n if (plaintext_len > CRYPTO_ccm128_max_input(ctx) //\n || nonce_len != 15 - L) {\n return 0;\n }\n\n // Assemble the first block for computing the MAC.\n OPENSSL_memset(state, 0, sizeof(*state));\n state->nonce[0] = (uint8_t)((L - 1) | ((M - 2) / 2) << 3);\n if (aad_len != 0) {\n state->nonce[0] |= 0x40; // Set AAD Flag\n }\n OPENSSL_memcpy(&state->nonce[1], nonce, nonce_len);\n for (unsigned i = 0; i < L; i++) {\n state->nonce[15 - i] = (uint8_t)(plaintext_len >> (8 * i));\n }\n\n (*block)(state->nonce, state->cmac, key);\n size_t blocks = 1;\n\n if (aad_len != 0) {\n unsigned i;\n // Cast to u64 to avoid the compiler complaining about invalid shifts.\n uint64_t aad_len_u64 = aad_len;\n if (aad_len_u64 < 0x10000 - 0x100) {\n state->cmac[0] ^= (uint8_t)(aad_len_u64 >> 8);\n state->cmac[1] ^= (uint8_t)aad_len_u64;\n i = 2;\n } else if (aad_len_u64 <= 0xffffffff) {\n state->cmac[0] ^= 0xff;\n state->cmac[1] ^= 0xfe;\n state->cmac[2] ^= (uint8_t)(aad_len_u64 >> 24);\n state->cmac[3] ^= (uint8_t)(aad_len_u64 >> 16);\n state->cmac[4] ^= (uint8_t)(aad_len_u64 >> 8);\n state->cmac[5] ^= (uint8_t)aad_len_u64;\n i = 6;\n } else {\n state->cmac[0] ^= 0xff;\n state->cmac[1] ^= 0xff;\n state->cmac[2] ^= (uint8_t)(aad_len_u64 >> 56);\n state->cmac[3] ^= (uint8_t)(aad_len_u64 >> 48);\n state->cmac[4] ^= (uint8_t)(aad_len_u64 >> 40);\n state->cmac[5] ^= (uint8_t)(aad_len_u64 >> 32);\n state->cmac[6] ^= (uint8_t)(aad_len_u64 >> 24);\n state->cmac[7] ^= (uint8_t)(aad_len_u64 >> 16);\n state->cmac[8] ^= (uint8_t)(aad_len_u64 >> 8);\n state->cmac[9] ^= (uint8_t)aad_len_u64;\n i = 10;\n }\n\n do {\n for (; i < 16 && aad_len != 0; i++) {\n state->cmac[i] ^= *aad;\n aad++;\n aad_len--;\n }\n (*block)(state->cmac, state->cmac, key);\n blocks++;\n i = 0;\n } while (aad_len != 0);\n }\n\n // Per RFC 3610, section 2.6, the total number of block cipher operations done\n // must not exceed 2^61. There are two block cipher operations remaining per\n // message block, plus one block at the end to encrypt the MAC.\n size_t remaining_blocks = 2 * ((plaintext_len + 15) / 16) + 1;\n if (plaintext_len + 15 < plaintext_len ||\n remaining_blocks + blocks < blocks ||\n (uint64_t)remaining_blocks + blocks > UINT64_C(1) << 61) {\n return 0;\n }\n\n // Assemble the first block for encrypting and decrypting. The bottom |L|\n // bytes are replaced with a counter and all bit the encoding of |L| is\n // cleared in the first byte.\n state->nonce[0] &= 7;\n return 1;\n}\n\nstatic int ccm128_encrypt(const struct ccm128_context *ctx,\n struct ccm128_state *state, const AES_KEY *key,\n uint8_t *out, const uint8_t *in, size_t len) {\n // The counter for encryption begins at one.\n for (unsigned i = 0; i < ctx->L; i++) {\n state->nonce[15 - i] = 0;\n }\n state->nonce[15] = 1;\n\n uint8_t partial_buf[16];\n unsigned num = 0;\n CRYPTO_ctr128_encrypt_ctr32(in, out, len, key, state->nonce, partial_buf,\n &num, ctx->ctr);\n return 1;\n}\n\nstatic int ccm128_compute_mac(const struct ccm128_context *ctx,\n struct ccm128_state *state, const AES_KEY *key,\n uint8_t *out_tag, size_t tag_len,\n const uint8_t *in, size_t len) {\n block128_f block = ctx->block;\n if (tag_len != ctx->M) {\n return 0;\n }\n\n // Incorporate |in| into the MAC.\n while (len >= 16) {\n CRYPTO_xor16(state->cmac, state->cmac, in);\n (*block)(state->cmac, state->cmac, key);\n in += 16;\n len -= 16;\n }\n if (len > 0) {\n for (size_t i = 0; i < len; i++) {\n state->cmac[i] ^= in[i];\n }\n (*block)(state->cmac, state->cmac, key);\n }\n\n // Encrypt the MAC with counter zero.\n for (unsigned i = 0; i < ctx->L; i++) {\n state->nonce[15 - i] = 0;\n }\n alignas(16) uint8_t tmp[16];\n (*block)(state->nonce, tmp, key);\n CRYPTO_xor16(state->cmac, state->cmac, tmp);\n\n OPENSSL_memcpy(out_tag, state->cmac, tag_len);\n return 1;\n}\n\nstatic int CRYPTO_ccm128_encrypt(const struct ccm128_context *ctx,\n const AES_KEY *key, uint8_t *out,\n uint8_t *out_tag, size_t tag_len,\n const uint8_t *nonce, size_t nonce_len,\n const uint8_t *in, size_t len,\n const uint8_t *aad, size_t aad_len) {\n struct ccm128_state state;\n return ccm128_init_state(ctx, &state, key, nonce, nonce_len, aad, aad_len,\n len) &&\n ccm128_compute_mac(ctx, &state, key, out_tag, tag_len, in, len) &&\n ccm128_encrypt(ctx, &state, key, out, in, len);\n}\n\nstatic int CRYPTO_ccm128_decrypt(const struct ccm128_context *ctx,\n const AES_KEY *key, uint8_t *out,\n uint8_t *out_tag, size_t tag_len,\n const uint8_t *nonce, size_t nonce_len,\n const uint8_t *in, size_t len,\n const uint8_t *aad, size_t aad_len) {\n struct ccm128_state state;\n return ccm128_init_state(ctx, &state, key, nonce, nonce_len, aad, aad_len,\n len) &&\n ccm128_encrypt(ctx, &state, key, out, in, len) &&\n ccm128_compute_mac(ctx, &state, key, out_tag, tag_len, out, len);\n}\n\n#define EVP_AEAD_AES_CCM_MAX_TAG_LEN 16\n\nnamespace {\nstruct aead_aes_ccm_ctx {\n union {\n double align;\n AES_KEY ks;\n } ks;\n struct ccm128_context ccm;\n};\n} // namespace\n\nstatic_assert(sizeof(((EVP_AEAD_CTX *)NULL)->state) >=\n sizeof(struct aead_aes_ccm_ctx),\n \"AEAD state is too small\");\nstatic_assert(alignof(union evp_aead_ctx_st_state) >=\n alignof(struct aead_aes_ccm_ctx),\n \"AEAD state has insufficient alignment\");\n\nstatic int aead_aes_ccm_init(EVP_AEAD_CTX *ctx, const uint8_t *key,\n size_t key_len, size_t tag_len, unsigned M,\n unsigned L) {\n assert(M == EVP_AEAD_max_overhead(ctx->aead));\n assert(M == EVP_AEAD_max_tag_len(ctx->aead));\n assert(15 - L == EVP_AEAD_nonce_length(ctx->aead));\n\n if (key_len != EVP_AEAD_key_length(ctx->aead)) {\n OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_KEY_LENGTH);\n return 0; // EVP_AEAD_CTX_init should catch this.\n }\n\n if (tag_len == EVP_AEAD_DEFAULT_TAG_LENGTH) {\n tag_len = M;\n }\n\n if (tag_len != M) {\n OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TAG_TOO_LARGE);\n return 0;\n }\n\n struct aead_aes_ccm_ctx *ccm_ctx = (struct aead_aes_ccm_ctx *)&ctx->state;\n\n block128_f block;\n ctr128_f ctr = aes_ctr_set_key(&ccm_ctx->ks.ks, NULL, &block, key, key_len);\n ctx->tag_len = tag_len;\n if (!CRYPTO_ccm128_init(&ccm_ctx->ccm, &ccm_ctx->ks.ks, block, ctr, M, L)) {\n OPENSSL_PUT_ERROR(CIPHER, ERR_R_INTERNAL_ERROR);\n return 0;\n }\n\n return 1;\n}\n\nstatic void aead_aes_ccm_cleanup(EVP_AEAD_CTX *ctx) {}\n\nstatic int aead_aes_ccm_seal_scatter(\n const EVP_AEAD_CTX *ctx, uint8_t *out, uint8_t *out_tag,\n size_t *out_tag_len, size_t max_out_tag_len, const uint8_t *nonce,\n size_t nonce_len, const uint8_t *in, size_t in_len, const uint8_t *extra_in,\n size_t extra_in_len, const uint8_t *ad, size_t ad_len) {\n const struct aead_aes_ccm_ctx *ccm_ctx =\n (struct aead_aes_ccm_ctx *)&ctx->state;\n\n if (in_len > CRYPTO_ccm128_max_input(&ccm_ctx->ccm)) {\n OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE);\n return 0;\n }\n\n if (max_out_tag_len < ctx->tag_len) {\n OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL);\n return 0;\n }\n\n if (nonce_len != EVP_AEAD_nonce_length(ctx->aead)) {\n OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_NONCE_SIZE);\n return 0;\n }\n\n if (!CRYPTO_ccm128_encrypt(&ccm_ctx->ccm, &ccm_ctx->ks.ks, out, out_tag,\n ctx->tag_len, nonce, nonce_len, in, in_len, ad,\n ad_len)) {\n OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE);\n return 0;\n }\n\n *out_tag_len = ctx->tag_len;\n AEAD_CCM_verify_service_indicator(ctx);\n return 1;\n}\n\nstatic int aead_aes_ccm_open_gather(const EVP_AEAD_CTX *ctx, uint8_t *out,\n const uint8_t *nonce, size_t nonce_len,\n const uint8_t *in, size_t in_len,\n const uint8_t *in_tag, size_t in_tag_len,\n const uint8_t *ad, size_t ad_len) {\n const struct aead_aes_ccm_ctx *ccm_ctx =\n (struct aead_aes_ccm_ctx *)&ctx->state;\n\n if (in_len > CRYPTO_ccm128_max_input(&ccm_ctx->ccm)) {\n OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE);\n return 0;\n }\n\n if (nonce_len != EVP_AEAD_nonce_length(ctx->aead)) {\n OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_INVALID_NONCE_SIZE);\n return 0;\n }\n\n if (in_tag_len != ctx->tag_len) {\n OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT);\n return 0;\n }\n\n uint8_t tag[EVP_AEAD_AES_CCM_MAX_TAG_LEN];\n assert(ctx->tag_len <= EVP_AEAD_AES_CCM_MAX_TAG_LEN);\n if (!CRYPTO_ccm128_decrypt(&ccm_ctx->ccm, &ccm_ctx->ks.ks, out, tag,\n ctx->tag_len, nonce, nonce_len, in, in_len, ad,\n ad_len)) {\n OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE);\n return 0;\n }\n\n if (CRYPTO_memcmp(tag, in_tag, ctx->tag_len) != 0) {\n OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT);\n return 0;\n }\n\n AEAD_CCM_verify_service_indicator(ctx);\n return 1;\n}\n\nstatic int aead_aes_ccm_bluetooth_init(EVP_AEAD_CTX *ctx, const uint8_t *key,\n size_t key_len, size_t tag_len) {\n return aead_aes_ccm_init(ctx, key, key_len, tag_len, 4, 2);\n}\n\nDEFINE_METHOD_FUNCTION(EVP_AEAD, EVP_aead_aes_128_ccm_bluetooth) {\n memset(out, 0, sizeof(EVP_AEAD));\n\n out->key_len = 16;\n out->nonce_len = 13;\n out->overhead = 4;\n out->max_tag_len = 4;\n\n out->init = aead_aes_ccm_bluetooth_init;\n out->cleanup = aead_aes_ccm_cleanup;\n out->seal_scatter = aead_aes_ccm_seal_scatter;\n out->open_gather = aead_aes_ccm_open_gather;\n}\n\nstatic int aead_aes_ccm_bluetooth_8_init(EVP_AEAD_CTX *ctx, const uint8_t *key,\n size_t key_len, size_t tag_len) {\n return aead_aes_ccm_init(ctx, key, key_len, tag_len, 8, 2);\n}\n\nDEFINE_METHOD_FUNCTION(EVP_AEAD, EVP_aead_aes_128_ccm_bluetooth_8) {\n memset(out, 0, sizeof(EVP_AEAD));\n\n out->key_len = 16;\n out->nonce_len = 13;\n out->overhead = 8;\n out->max_tag_len = 8;\n\n out->init = aead_aes_ccm_bluetooth_8_init;\n out->cleanup = aead_aes_ccm_cleanup;\n out->seal_scatter = aead_aes_ccm_seal_scatter;\n out->open_gather = aead_aes_ccm_open_gather;\n}\n\nstatic int aead_aes_ccm_matter_init(EVP_AEAD_CTX *ctx, const uint8_t *key,\n size_t key_len, size_t tag_len) {\n return aead_aes_ccm_init(ctx, key, key_len, tag_len, 16, 2);\n}\n\nDEFINE_METHOD_FUNCTION(EVP_AEAD, EVP_aead_aes_128_ccm_matter) {\n memset(out, 0, sizeof(EVP_AEAD));\n\n out->key_len = 16;\n out->nonce_len = 13;\n out->overhead = 16;\n out->max_tag_len = 16;\n\n out->init = aead_aes_ccm_matter_init;\n out->cleanup = aead_aes_ccm_cleanup;\n out->seal_scatter = aead_aes_ccm_seal_scatter;\n out->open_gather = aead_aes_ccm_open_gather;\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/fipsmodule/cipher/internal.h", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#ifndef OPENSSL_HEADER_CIPHER_INTERNAL_H\n#define OPENSSL_HEADER_CIPHER_INTERNAL_H\n\n#include \n\n#include \n#include \n\n#include \"../../internal.h\"\n#include \"../aes/internal.h\"\n\n#if defined(__cplusplus)\nextern \"C\" {\n#endif\n\n\n// EVP_CIPH_MODE_MASK contains the bits of |flags| that represent the mode.\n#define EVP_CIPH_MODE_MASK 0x3f\n\n// EVP_AEAD represents a specific AEAD algorithm.\nstruct evp_aead_st {\n uint8_t key_len;\n uint8_t nonce_len;\n uint8_t overhead;\n uint8_t max_tag_len;\n int seal_scatter_supports_extra_in;\n\n // init initialises an |EVP_AEAD_CTX|. If this call returns zero then\n // |cleanup| will not be called for that context.\n int (*init)(EVP_AEAD_CTX *, const uint8_t *key, size_t key_len,\n size_t tag_len);\n int (*init_with_direction)(EVP_AEAD_CTX *, const uint8_t *key, size_t key_len,\n size_t tag_len, enum evp_aead_direction_t dir);\n void (*cleanup)(EVP_AEAD_CTX *);\n\n int (*open)(const EVP_AEAD_CTX *ctx, uint8_t *out, size_t *out_len,\n size_t max_out_len, const uint8_t *nonce, size_t nonce_len,\n const uint8_t *in, size_t in_len, const uint8_t *ad,\n size_t ad_len);\n\n int (*seal_scatter)(const EVP_AEAD_CTX *ctx, uint8_t *out, uint8_t *out_tag,\n size_t *out_tag_len, size_t max_out_tag_len,\n const uint8_t *nonce, size_t nonce_len, const uint8_t *in,\n size_t in_len, const uint8_t *extra_in,\n size_t extra_in_len, const uint8_t *ad, size_t ad_len);\n\n int (*open_gather)(const EVP_AEAD_CTX *ctx, uint8_t *out,\n const uint8_t *nonce, size_t nonce_len, const uint8_t *in,\n size_t in_len, const uint8_t *in_tag, size_t in_tag_len,\n const uint8_t *ad, size_t ad_len);\n\n int (*get_iv)(const EVP_AEAD_CTX *ctx, const uint8_t **out_iv,\n size_t *out_len);\n\n size_t (*tag_len)(const EVP_AEAD_CTX *ctx, size_t in_Len,\n size_t extra_in_len);\n};\n\nstruct evp_cipher_st {\n // type contains a NID identifying the cipher. (e.g. NID_aes_128_gcm.)\n int nid;\n\n // block_size contains the block size, in bytes, of the cipher, or 1 for a\n // stream cipher.\n unsigned block_size;\n\n // key_len contains the key size, in bytes, for the cipher. If the cipher\n // takes a variable key size then this contains the default size.\n unsigned key_len;\n\n // iv_len contains the IV size, in bytes, or zero if inapplicable.\n unsigned iv_len;\n\n // ctx_size contains the size, in bytes, of the per-key context for this\n // cipher.\n unsigned ctx_size;\n\n // flags contains the OR of a number of flags. See |EVP_CIPH_*|.\n uint32_t flags;\n\n int (*init)(EVP_CIPHER_CTX *ctx, const uint8_t *key, const uint8_t *iv,\n int enc);\n\n int (*cipher)(EVP_CIPHER_CTX *ctx, uint8_t *out, const uint8_t *in,\n size_t inl);\n\n // cleanup, if non-NULL, releases memory associated with the context. It is\n // called if |EVP_CTRL_INIT| succeeds. Note that |init| may not have been\n // called at this point.\n void (*cleanup)(EVP_CIPHER_CTX *);\n\n int (*ctrl)(EVP_CIPHER_CTX *, int type, int arg, void *ptr);\n};\n\n#if defined(__cplusplus)\n} // extern C\n#endif\n\n#endif // OPENSSL_HEADER_CIPHER_INTERNAL_H\n" }, { "path": "Sources/CNIOBoringSSL/crypto/fipsmodule/cmac/cmac.cc.inc", "content": "/*\n * Copyright 2010-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n#include \n#include \n\n#include \n#include \n#include \n\n#include \"../../internal.h\"\n#include \"../service_indicator/internal.h\"\n\n\nstruct cmac_ctx_st {\n EVP_CIPHER_CTX cipher_ctx;\n // k1 and k2 are the CMAC subkeys. See\n // https://tools.ietf.org/html/rfc4493#section-2.3\n uint8_t k1[AES_BLOCK_SIZE];\n uint8_t k2[AES_BLOCK_SIZE];\n // Last (possibly partial) scratch\n uint8_t block[AES_BLOCK_SIZE];\n // block_used contains the number of valid bytes in |block|.\n unsigned block_used;\n};\n\nstatic void CMAC_CTX_init(CMAC_CTX *ctx) {\n EVP_CIPHER_CTX_init(&ctx->cipher_ctx);\n}\n\nstatic void CMAC_CTX_cleanup(CMAC_CTX *ctx) {\n EVP_CIPHER_CTX_cleanup(&ctx->cipher_ctx);\n OPENSSL_cleanse(ctx->k1, sizeof(ctx->k1));\n OPENSSL_cleanse(ctx->k2, sizeof(ctx->k2));\n OPENSSL_cleanse(ctx->block, sizeof(ctx->block));\n}\n\nint AES_CMAC(uint8_t out[16], const uint8_t *key, size_t key_len,\n const uint8_t *in, size_t in_len) {\n const EVP_CIPHER *cipher;\n switch (key_len) {\n // WARNING: this code assumes that all supported key sizes are FIPS\n // Approved.\n case 16:\n cipher = EVP_aes_128_cbc();\n break;\n case 32:\n cipher = EVP_aes_256_cbc();\n break;\n default:\n return 0;\n }\n\n size_t scratch_out_len;\n CMAC_CTX ctx;\n CMAC_CTX_init(&ctx);\n\n // We have to verify that all the CMAC services actually succeed before\n // updating the indicator state, so we lock the state here.\n FIPS_service_indicator_lock_state();\n const int ok = CMAC_Init(&ctx, key, key_len, cipher, NULL /* engine */) &&\n CMAC_Update(&ctx, in, in_len) &&\n CMAC_Final(&ctx, out, &scratch_out_len);\n FIPS_service_indicator_unlock_state();\n\n if (ok) {\n FIPS_service_indicator_update_state();\n }\n CMAC_CTX_cleanup(&ctx);\n return ok;\n}\n\nCMAC_CTX *CMAC_CTX_new(void) {\n CMAC_CTX *ctx = reinterpret_cast(OPENSSL_malloc(sizeof(*ctx)));\n if (ctx != NULL) {\n CMAC_CTX_init(ctx);\n }\n return ctx;\n}\n\nvoid CMAC_CTX_free(CMAC_CTX *ctx) {\n if (ctx == NULL) {\n return;\n }\n\n CMAC_CTX_cleanup(ctx);\n OPENSSL_free(ctx);\n}\n\nint CMAC_CTX_copy(CMAC_CTX *out, const CMAC_CTX *in) {\n if (!EVP_CIPHER_CTX_copy(&out->cipher_ctx, &in->cipher_ctx)) {\n return 0;\n }\n OPENSSL_memcpy(out->k1, in->k1, AES_BLOCK_SIZE);\n OPENSSL_memcpy(out->k2, in->k2, AES_BLOCK_SIZE);\n OPENSSL_memcpy(out->block, in->block, AES_BLOCK_SIZE);\n out->block_used = in->block_used;\n return 1;\n}\n\n// binary_field_mul_x_128 treats the 128 bits at |in| as an element of GF(2¹²⁸)\n// with a hard-coded reduction polynomial and sets |out| as x times the input.\n//\n// See https://tools.ietf.org/html/rfc4493#section-2.3\nstatic void binary_field_mul_x_128(uint8_t out[16], const uint8_t in[16]) {\n unsigned i;\n\n // Shift |in| to left, including carry.\n for (i = 0; i < 15; i++) {\n out[i] = (in[i] << 1) | (in[i + 1] >> 7);\n }\n\n // If MSB set fixup with R.\n const uint8_t carry = in[0] >> 7;\n out[i] = (in[i] << 1) ^ ((0 - carry) & 0x87);\n}\n\n// binary_field_mul_x_64 behaves like |binary_field_mul_x_128| but acts on an\n// element of GF(2⁶⁴).\n//\n// See https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38b.pdf\nstatic void binary_field_mul_x_64(uint8_t out[8], const uint8_t in[8]) {\n unsigned i;\n\n // Shift |in| to left, including carry.\n for (i = 0; i < 7; i++) {\n out[i] = (in[i] << 1) | (in[i + 1] >> 7);\n }\n\n // If MSB set fixup with R.\n const uint8_t carry = in[0] >> 7;\n out[i] = (in[i] << 1) ^ ((0 - carry) & 0x1b);\n}\n\nstatic const uint8_t kZeroIV[AES_BLOCK_SIZE] = {0};\n\nint CMAC_Init(CMAC_CTX *ctx, const void *key, size_t key_len,\n const EVP_CIPHER *cipher, ENGINE *engine) {\n int ret = 0;\n uint8_t scratch[AES_BLOCK_SIZE];\n\n // We have to avoid the underlying AES-CBC |EVP_CIPHER| services updating the\n // indicator state, so we lock the state here.\n FIPS_service_indicator_lock_state();\n\n size_t block_size = EVP_CIPHER_block_size(cipher);\n if ((block_size != AES_BLOCK_SIZE && block_size != 8 /* 3-DES */) ||\n EVP_CIPHER_key_length(cipher) != key_len ||\n !EVP_EncryptInit_ex(&ctx->cipher_ctx, cipher, NULL,\n reinterpret_cast(key), kZeroIV) ||\n !EVP_Cipher(&ctx->cipher_ctx, scratch, kZeroIV, block_size) ||\n // Reset context again ready for first data.\n !EVP_EncryptInit_ex(&ctx->cipher_ctx, NULL, NULL, NULL, kZeroIV)) {\n goto out;\n }\n\n if (block_size == AES_BLOCK_SIZE) {\n binary_field_mul_x_128(ctx->k1, scratch);\n binary_field_mul_x_128(ctx->k2, ctx->k1);\n } else {\n binary_field_mul_x_64(ctx->k1, scratch);\n binary_field_mul_x_64(ctx->k2, ctx->k1);\n }\n ctx->block_used = 0;\n ret = 1;\n\nout:\n FIPS_service_indicator_unlock_state();\n return ret;\n}\n\nint CMAC_Reset(CMAC_CTX *ctx) {\n ctx->block_used = 0;\n return EVP_EncryptInit_ex(&ctx->cipher_ctx, NULL, NULL, NULL, kZeroIV);\n}\n\nint CMAC_Update(CMAC_CTX *ctx, const uint8_t *in, size_t in_len) {\n int ret = 0;\n\n // We have to avoid the underlying AES-CBC |EVP_Cipher| services updating the\n // indicator state, so we lock the state here.\n FIPS_service_indicator_lock_state();\n\n size_t block_size = EVP_CIPHER_CTX_block_size(&ctx->cipher_ctx);\n assert(block_size <= AES_BLOCK_SIZE);\n uint8_t scratch[AES_BLOCK_SIZE];\n\n if (ctx->block_used > 0) {\n size_t todo = block_size - ctx->block_used;\n if (in_len < todo) {\n todo = in_len;\n }\n\n OPENSSL_memcpy(ctx->block + ctx->block_used, in, todo);\n in += todo;\n in_len -= todo;\n ctx->block_used += todo;\n\n // If |in_len| is zero then either |ctx->block_used| is less than\n // |block_size|, in which case we can stop here, or |ctx->block_used| is\n // exactly |block_size| but there's no more data to process. In the latter\n // case we don't want to process this block now because it might be the last\n // block and that block is treated specially.\n if (in_len == 0) {\n ret = 1;\n goto out;\n }\n\n assert(ctx->block_used == block_size);\n\n if (!EVP_Cipher(&ctx->cipher_ctx, scratch, ctx->block, block_size)) {\n goto out;\n }\n }\n\n // Encrypt all but one of the remaining blocks.\n while (in_len > block_size) {\n if (!EVP_Cipher(&ctx->cipher_ctx, scratch, in, block_size)) {\n goto out;\n }\n in += block_size;\n in_len -= block_size;\n }\n\n OPENSSL_memcpy(ctx->block, in, in_len);\n // |in_len| is bounded by |block_size|, which fits in |unsigned|.\n static_assert(EVP_MAX_BLOCK_LENGTH < UINT_MAX,\n \"EVP_MAX_BLOCK_LENGTH is too large\");\n ctx->block_used = (unsigned)in_len;\n ret = 1;\n\nout:\n FIPS_service_indicator_unlock_state();\n return ret;\n}\n\nint CMAC_Final(CMAC_CTX *ctx, uint8_t *out, size_t *out_len) {\n int ret = 0;\n size_t block_size = EVP_CIPHER_CTX_block_size(&ctx->cipher_ctx);\n assert(block_size <= AES_BLOCK_SIZE);\n\n // We have to avoid the underlying AES-CBC |EVP_Cipher| services updating the\n // indicator state, so we lock the state here.\n FIPS_service_indicator_lock_state();\n\n *out_len = block_size;\n const uint8_t *mask = ctx->k1;\n if (out == NULL) {\n ret = 1;\n goto out;\n }\n\n if (ctx->block_used != block_size) {\n // If the last block is incomplete, terminate it with a single 'one' bit\n // followed by zeros.\n ctx->block[ctx->block_used] = 0x80;\n OPENSSL_memset(ctx->block + ctx->block_used + 1, 0,\n block_size - (ctx->block_used + 1));\n\n mask = ctx->k2;\n }\n\n for (unsigned i = 0; i < block_size; i++) {\n out[i] = ctx->block[i] ^ mask[i];\n }\n ret = EVP_Cipher(&ctx->cipher_ctx, out, out, block_size);\n\nout:\n FIPS_service_indicator_unlock_state();\n if (ret) {\n FIPS_service_indicator_update_state();\n }\n return ret;\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/fipsmodule/delocate.h", "content": "/* Copyright 2017 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n#ifndef OPENSSL_HEADER_FIPSMODULE_DELOCATE_H\n#define OPENSSL_HEADER_FIPSMODULE_DELOCATE_H\n\n#include \n\n#include \"../internal.h\"\n\n\n#if !defined(BORINGSSL_SHARED_LIBRARY) && defined(BORINGSSL_FIPS) && \\\n !defined(OPENSSL_ASAN) && !defined(OPENSSL_MSAN)\n#define DEFINE_BSS_GET(type, name, init_value) \\\n static type name __attribute__((used)) = init_value; \\\n extern \"C\" { \\\n type *name##_bss_get(void) __attribute__((const)); \\\n }\n// For FIPS builds we require that CRYPTO_ONCE_INIT be zero.\n#define DEFINE_STATIC_ONCE(name) \\\n DEFINE_BSS_GET(CRYPTO_once_t, name, CRYPTO_ONCE_INIT)\n// For FIPS builds we require that CRYPTO_MUTEX_INIT be zero.\n#define DEFINE_STATIC_MUTEX(name) \\\n DEFINE_BSS_GET(CRYPTO_MUTEX, name, CRYPTO_MUTEX_INIT)\n// For FIPS builds we require that CRYPTO_EX_DATA_CLASS_INIT be zero.\n#define DEFINE_STATIC_EX_DATA_CLASS(name) \\\n DEFINE_BSS_GET(CRYPTO_EX_DATA_CLASS, name, CRYPTO_EX_DATA_CLASS_INIT)\n#else\n#define DEFINE_BSS_GET(type, name, init_value) \\\n static type name = init_value; \\\n static type *name##_bss_get(void) { return &name; }\n#define DEFINE_STATIC_ONCE(name) \\\n static CRYPTO_once_t name = CRYPTO_ONCE_INIT; \\\n static CRYPTO_once_t *name##_bss_get(void) { return &name; }\n#define DEFINE_STATIC_MUTEX(name) \\\n static CRYPTO_MUTEX name = CRYPTO_MUTEX_INIT; \\\n static CRYPTO_MUTEX *name##_bss_get(void) { return &name; }\n#define DEFINE_STATIC_EX_DATA_CLASS(name) \\\n static CRYPTO_EX_DATA_CLASS name = CRYPTO_EX_DATA_CLASS_INIT; \\\n static CRYPTO_EX_DATA_CLASS *name##_bss_get(void) { return &name; }\n#endif\n\n#define DEFINE_DATA(type, name, accessor_decorations) \\\n DEFINE_BSS_GET(type, name##_storage, {}) \\\n DEFINE_STATIC_ONCE(name##_once) \\\n static void name##_do_init(type *out); \\\n static void name##_init(void) { name##_do_init(name##_storage_bss_get()); } \\\n accessor_decorations type *name(void) { \\\n CRYPTO_once(name##_once_bss_get(), name##_init); \\\n /* See http://c-faq.com/ansi/constmismatch.html for why the following \\\n * cast is needed. */ \\\n return (const type *)name##_storage_bss_get(); \\\n } \\\n static void name##_do_init(type *out)\n\n// DEFINE_METHOD_FUNCTION defines a function named |name| which returns a\n// method table of type const |type|*. In FIPS mode, to avoid rel.ro data, it\n// is split into a CRYPTO_once_t-guarded initializer in the module and\n// unhashed, non-module accessor functions to space reserved in the BSS. The\n// method table is initialized by a caller-supplied function which takes a\n// parameter named |out| of type |type|*. The caller should follow the macro\n// invocation with the body of this function:\n//\n// DEFINE_METHOD_FUNCTION(EVP_MD, EVP_md4) {\n// out->type = NID_md4;\n// out->md_size = MD4_DIGEST_LENGTH;\n// out->flags = 0;\n// out->init = md4_init;\n// out->update = md4_update;\n// out->final = md4_final;\n// out->block_size = 64;\n// out->ctx_size = sizeof(MD4_CTX);\n// }\n//\n// This mechanism does not use a static initializer because their execution\n// order is undefined. See FIPS.md for more details.\n#define DEFINE_METHOD_FUNCTION(type, name) DEFINE_DATA(type, name, const)\n\n#define DEFINE_LOCAL_DATA(type, name) DEFINE_DATA(type, name, static const)\n\n#endif // OPENSSL_HEADER_FIPSMODULE_DELOCATE_H\n" }, { "path": "Sources/CNIOBoringSSL/crypto/fipsmodule/dh/check.cc.inc", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n#include \n\n#include \"internal.h\"\n\n\nint dh_check_params_fast(const DH *dh) {\n // Most operations scale with p and q.\n if (BN_is_negative(dh->p) || !BN_is_odd(dh->p) ||\n BN_num_bits(dh->p) > OPENSSL_DH_MAX_MODULUS_BITS) {\n OPENSSL_PUT_ERROR(DH, DH_R_INVALID_PARAMETERS);\n return 0;\n }\n\n // q must be bounded by p.\n if (dh->q != NULL && (BN_is_negative(dh->q) || BN_ucmp(dh->q, dh->p) > 0)) {\n OPENSSL_PUT_ERROR(DH, DH_R_INVALID_PARAMETERS);\n return 0;\n }\n\n // g must be an element of p's multiplicative group.\n if (BN_is_negative(dh->g) || BN_is_zero(dh->g) ||\n BN_ucmp(dh->g, dh->p) >= 0) {\n OPENSSL_PUT_ERROR(DH, DH_R_INVALID_PARAMETERS);\n return 0;\n }\n\n return 1;\n}\n\nint DH_check_pub_key(const DH *dh, const BIGNUM *pub_key, int *out_flags) {\n *out_flags = 0;\n if (!dh_check_params_fast(dh)) {\n return 0;\n }\n\n BN_CTX *ctx = BN_CTX_new();\n if (ctx == NULL) {\n return 0;\n }\n BN_CTX_start(ctx);\n\n int ok = 0;\n\n // Check |pub_key| is greater than 1.\n if (BN_cmp(pub_key, BN_value_one()) <= 0) {\n *out_flags |= DH_CHECK_PUBKEY_TOO_SMALL;\n }\n\n // Check |pub_key| is less than |dh->p| - 1.\n BIGNUM *tmp = BN_CTX_get(ctx);\n if (tmp == NULL ||\n !BN_copy(tmp, dh->p) ||\n !BN_sub_word(tmp, 1)) {\n goto err;\n }\n if (BN_cmp(pub_key, tmp) >= 0) {\n *out_flags |= DH_CHECK_PUBKEY_TOO_LARGE;\n }\n\n if (dh->q != NULL) {\n // Check |pub_key|^|dh->q| is 1 mod |dh->p|. This is necessary for RFC 5114\n // groups which are not safe primes but pick a generator on a prime-order\n // subgroup of size |dh->q|.\n if (!BN_mod_exp_mont(tmp, pub_key, dh->q, dh->p, ctx, NULL)) {\n goto err;\n }\n if (!BN_is_one(tmp)) {\n *out_flags |= DH_CHECK_PUBKEY_INVALID;\n }\n }\n\n ok = 1;\n\nerr:\n BN_CTX_end(ctx);\n BN_CTX_free(ctx);\n return ok;\n}\n\n\nint DH_check(const DH *dh, int *out_flags) {\n *out_flags = 0;\n if (!dh_check_params_fast(dh)) {\n return 0;\n }\n\n // Check that p is a safe prime and if g is 2, 3 or 5, check that it is a\n // suitable generator where:\n // for 2, p mod 24 == 11\n // for 3, p mod 12 == 5\n // for 5, p mod 10 == 3 or 7\n // should hold.\n int ok = 0, r;\n BN_CTX *ctx = NULL;\n BN_ULONG l;\n BIGNUM *t1 = NULL, *t2 = NULL;\n\n ctx = BN_CTX_new();\n if (ctx == NULL) {\n goto err;\n }\n BN_CTX_start(ctx);\n t1 = BN_CTX_get(ctx);\n if (t1 == NULL) {\n goto err;\n }\n t2 = BN_CTX_get(ctx);\n if (t2 == NULL) {\n goto err;\n }\n\n if (dh->q) {\n if (BN_cmp(dh->g, BN_value_one()) <= 0) {\n *out_flags |= DH_CHECK_NOT_SUITABLE_GENERATOR;\n } else if (BN_cmp(dh->g, dh->p) >= 0) {\n *out_flags |= DH_CHECK_NOT_SUITABLE_GENERATOR;\n } else {\n // Check g^q == 1 mod p\n if (!BN_mod_exp_mont(t1, dh->g, dh->q, dh->p, ctx, NULL)) {\n goto err;\n }\n if (!BN_is_one(t1)) {\n *out_flags |= DH_CHECK_NOT_SUITABLE_GENERATOR;\n }\n }\n r = BN_is_prime_ex(dh->q, BN_prime_checks_for_validation, ctx, NULL);\n if (r < 0) {\n goto err;\n }\n if (!r) {\n *out_flags |= DH_CHECK_Q_NOT_PRIME;\n }\n // Check p == 1 mod q i.e. q divides p - 1\n if (!BN_div(t1, t2, dh->p, dh->q, ctx)) {\n goto err;\n }\n if (!BN_is_one(t2)) {\n *out_flags |= DH_CHECK_INVALID_Q_VALUE;\n }\n } else if (BN_is_word(dh->g, DH_GENERATOR_2)) {\n l = BN_mod_word(dh->p, 24);\n if (l == (BN_ULONG)-1) {\n goto err;\n }\n if (l != 11) {\n *out_flags |= DH_CHECK_NOT_SUITABLE_GENERATOR;\n }\n } else if (BN_is_word(dh->g, DH_GENERATOR_5)) {\n l = BN_mod_word(dh->p, 10);\n if (l == (BN_ULONG)-1) {\n goto err;\n }\n if (l != 3 && l != 7) {\n *out_flags |= DH_CHECK_NOT_SUITABLE_GENERATOR;\n }\n } else {\n *out_flags |= DH_CHECK_UNABLE_TO_CHECK_GENERATOR;\n }\n\n r = BN_is_prime_ex(dh->p, BN_prime_checks_for_validation, ctx, NULL);\n if (r < 0) {\n goto err;\n }\n if (!r) {\n *out_flags |= DH_CHECK_P_NOT_PRIME;\n } else if (!dh->q) {\n if (!BN_rshift1(t1, dh->p)) {\n goto err;\n }\n r = BN_is_prime_ex(t1, BN_prime_checks_for_validation, ctx, NULL);\n if (r < 0) {\n goto err;\n }\n if (!r) {\n *out_flags |= DH_CHECK_P_NOT_SAFE_PRIME;\n }\n }\n ok = 1;\n\nerr:\n if (ctx != NULL) {\n BN_CTX_end(ctx);\n BN_CTX_free(ctx);\n }\n return ok;\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/fipsmodule/dh/dh.cc.inc", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n\n#include \n#include \n#include \n#include \n#include \n\n#include \"../../internal.h\"\n#include \"../bn/internal.h\"\n#include \"../service_indicator/internal.h\"\n#include \"internal.h\"\n\n\nDH *DH_new(void) {\n DH *dh = reinterpret_cast(OPENSSL_zalloc(sizeof(DH)));\n if (dh == NULL) {\n return NULL;\n }\n\n CRYPTO_MUTEX_init(&dh->method_mont_p_lock);\n dh->references = 1;\n return dh;\n}\n\nvoid DH_free(DH *dh) {\n if (dh == NULL) {\n return;\n }\n\n if (!CRYPTO_refcount_dec_and_test_zero(&dh->references)) {\n return;\n }\n\n BN_MONT_CTX_free(dh->method_mont_p);\n BN_clear_free(dh->p);\n BN_clear_free(dh->g);\n BN_clear_free(dh->q);\n BN_clear_free(dh->pub_key);\n BN_clear_free(dh->priv_key);\n CRYPTO_MUTEX_cleanup(&dh->method_mont_p_lock);\n\n OPENSSL_free(dh);\n}\n\nunsigned DH_bits(const DH *dh) { return BN_num_bits(dh->p); }\n\nconst BIGNUM *DH_get0_pub_key(const DH *dh) { return dh->pub_key; }\n\nconst BIGNUM *DH_get0_priv_key(const DH *dh) { return dh->priv_key; }\n\nconst BIGNUM *DH_get0_p(const DH *dh) { return dh->p; }\n\nconst BIGNUM *DH_get0_q(const DH *dh) { return dh->q; }\n\nconst BIGNUM *DH_get0_g(const DH *dh) { return dh->g; }\n\nvoid DH_get0_key(const DH *dh, const BIGNUM **out_pub_key,\n const BIGNUM **out_priv_key) {\n if (out_pub_key != NULL) {\n *out_pub_key = dh->pub_key;\n }\n if (out_priv_key != NULL) {\n *out_priv_key = dh->priv_key;\n }\n}\n\nint DH_set0_key(DH *dh, BIGNUM *pub_key, BIGNUM *priv_key) {\n if (pub_key != NULL) {\n BN_free(dh->pub_key);\n dh->pub_key = pub_key;\n }\n\n if (priv_key != NULL) {\n BN_free(dh->priv_key);\n dh->priv_key = priv_key;\n }\n\n return 1;\n}\n\nvoid DH_get0_pqg(const DH *dh, const BIGNUM **out_p, const BIGNUM **out_q,\n const BIGNUM **out_g) {\n if (out_p != NULL) {\n *out_p = dh->p;\n }\n if (out_q != NULL) {\n *out_q = dh->q;\n }\n if (out_g != NULL) {\n *out_g = dh->g;\n }\n}\n\nint DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g) {\n if ((dh->p == NULL && p == NULL) || (dh->g == NULL && g == NULL)) {\n return 0;\n }\n\n if (p != NULL) {\n BN_free(dh->p);\n dh->p = p;\n }\n\n if (q != NULL) {\n BN_free(dh->q);\n dh->q = q;\n }\n\n if (g != NULL) {\n BN_free(dh->g);\n dh->g = g;\n }\n\n // Invalidate the cached Montgomery parameters.\n BN_MONT_CTX_free(dh->method_mont_p);\n dh->method_mont_p = NULL;\n return 1;\n}\n\nint DH_set_length(DH *dh, unsigned priv_length) {\n dh->priv_length = priv_length;\n return 1;\n}\n\nint DH_generate_key(DH *dh) {\n boringssl_ensure_ffdh_self_test();\n\n if (!dh_check_params_fast(dh)) {\n return 0;\n }\n\n int ok = 0;\n int generate_new_key = 0;\n BN_CTX *ctx = NULL;\n BIGNUM *pub_key = NULL, *priv_key = NULL, *priv_key_limit = NULL;\n\n ctx = BN_CTX_new();\n if (ctx == NULL) {\n goto err;\n }\n\n if (dh->priv_key == NULL) {\n priv_key = BN_new();\n if (priv_key == NULL) {\n goto err;\n }\n generate_new_key = 1;\n } else {\n priv_key = dh->priv_key;\n }\n\n if (dh->pub_key == NULL) {\n pub_key = BN_new();\n if (pub_key == NULL) {\n goto err;\n }\n } else {\n pub_key = dh->pub_key;\n }\n\n if (!BN_MONT_CTX_set_locked(&dh->method_mont_p, &dh->method_mont_p_lock,\n dh->p, ctx)) {\n goto err;\n }\n\n if (generate_new_key) {\n if (dh->q) {\n // Section 5.6.1.1.4 of SP 800-56A Rev3 generates a private key uniformly\n // from [1, min(2^N-1, q-1)].\n //\n // Although SP 800-56A Rev3 now permits a private key length N,\n // |dh->priv_length| historically was ignored when q is available. We\n // continue to ignore it and interpret such a configuration as N = len(q).\n if (!BN_rand_range_ex(priv_key, 1, dh->q)) {\n goto err;\n }\n } else {\n // If q is unspecified, we expect p to be a safe prime, with g generating\n // the (p-1)/2 subgroup. So, we use q = (p-1)/2. (If g generates a smaller\n // prime-order subgroup, q will still divide (p-1)/2.)\n //\n // We set N from |dh->priv_length|. Section 5.6.1.1.4 of SP 800-56A Rev3\n // says to reject N > len(q), or N > num_bits(p) - 1. However, this logic\n // originally aligned with PKCS#3, which allows num_bits(p). Instead, we\n // clamp |dh->priv_length| before invoking the algorithm.\n\n // Compute M = min(2^N, q).\n priv_key_limit = BN_new();\n if (priv_key_limit == NULL) {\n goto err;\n }\n if (dh->priv_length == 0 || dh->priv_length >= BN_num_bits(dh->p) - 1) {\n // M = q = (p - 1) / 2.\n if (!BN_rshift1(priv_key_limit, dh->p)) {\n goto err;\n }\n } else {\n // M = 2^N.\n if (!BN_set_bit(priv_key_limit, dh->priv_length)) {\n goto err;\n }\n }\n\n // Choose a private key uniformly from [1, M-1].\n if (!BN_rand_range_ex(priv_key, 1, priv_key_limit)) {\n goto err;\n }\n }\n }\n\n if (!BN_mod_exp_mont_consttime(pub_key, dh->g, priv_key, dh->p, ctx,\n dh->method_mont_p)) {\n goto err;\n }\n\n dh->pub_key = pub_key;\n dh->priv_key = priv_key;\n ok = 1;\n\nerr:\n if (ok != 1) {\n OPENSSL_PUT_ERROR(DH, ERR_R_BN_LIB);\n }\n\n if (dh->pub_key == NULL) {\n BN_free(pub_key);\n }\n if (dh->priv_key == NULL) {\n BN_free(priv_key);\n }\n BN_free(priv_key_limit);\n BN_CTX_free(ctx);\n return ok;\n}\n\nstatic int dh_compute_key(DH *dh, BIGNUM *out_shared_key,\n const BIGNUM *peers_key, BN_CTX *ctx) {\n if (!dh_check_params_fast(dh)) {\n return 0;\n }\n\n if (dh->priv_key == NULL) {\n OPENSSL_PUT_ERROR(DH, DH_R_NO_PRIVATE_VALUE);\n return 0;\n }\n\n int check_result;\n if (!DH_check_pub_key(dh, peers_key, &check_result) || check_result) {\n OPENSSL_PUT_ERROR(DH, DH_R_INVALID_PUBKEY);\n return 0;\n }\n\n int ret = 0;\n BN_CTX_start(ctx);\n BIGNUM *p_minus_1 = BN_CTX_get(ctx);\n\n if (!p_minus_1 ||\n !BN_MONT_CTX_set_locked(&dh->method_mont_p, &dh->method_mont_p_lock,\n dh->p, ctx)) {\n goto err;\n }\n\n if (!BN_mod_exp_mont_consttime(out_shared_key, peers_key, dh->priv_key, dh->p,\n ctx, dh->method_mont_p) ||\n !BN_copy(p_minus_1, dh->p) || !BN_sub_word(p_minus_1, 1)) {\n OPENSSL_PUT_ERROR(DH, ERR_R_BN_LIB);\n goto err;\n }\n\n // This performs the check required by SP 800-56Ar3 section 5.7.1.1 step two.\n if (BN_cmp_word(out_shared_key, 1) <= 0 ||\n BN_cmp(out_shared_key, p_minus_1) == 0) {\n OPENSSL_PUT_ERROR(DH, DH_R_INVALID_PUBKEY);\n goto err;\n }\n\n ret = 1;\n\nerr:\n BN_CTX_end(ctx);\n return ret;\n}\n\nint dh_compute_key_padded_no_self_test(unsigned char *out,\n const BIGNUM *peers_key, DH *dh) {\n BN_CTX *ctx = BN_CTX_new();\n if (ctx == NULL) {\n return -1;\n }\n BN_CTX_start(ctx);\n\n int dh_size = DH_size(dh);\n int ret = -1;\n BIGNUM *shared_key = BN_CTX_get(ctx);\n if (shared_key && dh_compute_key(dh, shared_key, peers_key, ctx) &&\n BN_bn2bin_padded(out, dh_size, shared_key)) {\n ret = dh_size;\n }\n\n BN_CTX_end(ctx);\n BN_CTX_free(ctx);\n return ret;\n}\n\nint DH_compute_key_padded(unsigned char *out, const BIGNUM *peers_key, DH *dh) {\n boringssl_ensure_ffdh_self_test();\n\n return dh_compute_key_padded_no_self_test(out, peers_key, dh);\n}\n\nint DH_compute_key(unsigned char *out, const BIGNUM *peers_key, DH *dh) {\n boringssl_ensure_ffdh_self_test();\n\n BN_CTX *ctx = BN_CTX_new();\n if (ctx == NULL) {\n return -1;\n }\n BN_CTX_start(ctx);\n\n int ret = -1;\n BIGNUM *shared_key = BN_CTX_get(ctx);\n if (shared_key && dh_compute_key(dh, shared_key, peers_key, ctx)) {\n // A |BIGNUM|'s byte count fits in |int|.\n ret = (int)BN_bn2bin(shared_key, out);\n }\n\n BN_CTX_end(ctx);\n BN_CTX_free(ctx);\n return ret;\n}\n\nint DH_compute_key_hashed(DH *dh, uint8_t *out, size_t *out_len,\n size_t max_out_len, const BIGNUM *peers_key,\n const EVP_MD *digest) {\n *out_len = SIZE_MAX;\n\n const size_t digest_len = EVP_MD_size(digest);\n if (digest_len > max_out_len) {\n return 0;\n }\n\n FIPS_service_indicator_lock_state();\n\n int ret = 0;\n const size_t dh_len = DH_size(dh);\n uint8_t *shared_bytes = reinterpret_cast(OPENSSL_malloc(dh_len));\n unsigned out_len_unsigned;\n if (!shared_bytes ||\n // SP 800-56A is ambiguous about whether the output should be padded prior\n // to revision three. But revision three, section C.1, awkwardly specifies\n // padding to the length of p.\n //\n // Also, padded output avoids side-channels, so is always strongly\n // advisable.\n DH_compute_key_padded(shared_bytes, peers_key, dh) != (int)dh_len ||\n !EVP_Digest(shared_bytes, dh_len, out, &out_len_unsigned, digest, NULL) ||\n out_len_unsigned != digest_len) {\n goto err;\n }\n\n *out_len = digest_len;\n ret = 1;\n\nerr:\n FIPS_service_indicator_unlock_state();\n OPENSSL_free(shared_bytes);\n return ret;\n}\n\nint DH_size(const DH *dh) { return BN_num_bytes(dh->p); }\n\nunsigned DH_num_bits(const DH *dh) { return BN_num_bits(dh->p); }\n\nint DH_up_ref(DH *dh) {\n CRYPTO_refcount_inc(&dh->references);\n return 1;\n}\n\nDH *DH_get_rfc7919_2048(void) {\n // This is the prime from https://tools.ietf.org/html/rfc7919#appendix-A.1,\n // which is specifically approved for FIPS in appendix D of SP 800-56Ar3.\n static const BN_ULONG kFFDHE2048Data[] = {\n TOBN(0xffffffff, 0xffffffff), TOBN(0x886b4238, 0x61285c97),\n TOBN(0xc6f34a26, 0xc1b2effa), TOBN(0xc58ef183, 0x7d1683b2),\n TOBN(0x3bb5fcbc, 0x2ec22005), TOBN(0xc3fe3b1b, 0x4c6fad73),\n TOBN(0x8e4f1232, 0xeef28183), TOBN(0x9172fe9c, 0xe98583ff),\n TOBN(0xc03404cd, 0x28342f61), TOBN(0x9e02fce1, 0xcdf7e2ec),\n TOBN(0x0b07a7c8, 0xee0a6d70), TOBN(0xae56ede7, 0x6372bb19),\n TOBN(0x1d4f42a3, 0xde394df4), TOBN(0xb96adab7, 0x60d7f468),\n TOBN(0xd108a94b, 0xb2c8e3fb), TOBN(0xbc0ab182, 0xb324fb61),\n TOBN(0x30acca4f, 0x483a797a), TOBN(0x1df158a1, 0x36ade735),\n TOBN(0xe2a689da, 0xf3efe872), TOBN(0x984f0c70, 0xe0e68b77),\n TOBN(0xb557135e, 0x7f57c935), TOBN(0x85636555, 0x3ded1af3),\n TOBN(0x2433f51f, 0x5f066ed0), TOBN(0xd3df1ed5, 0xd5fd6561),\n TOBN(0xf681b202, 0xaec4617a), TOBN(0x7d2fe363, 0x630c75d8),\n TOBN(0xcc939dce, 0x249b3ef9), TOBN(0xa9e13641, 0x146433fb),\n TOBN(0xd8b9c583, 0xce2d3695), TOBN(0xafdc5620, 0x273d3cf1),\n TOBN(0xadf85458, 0xa2bb4a9a), TOBN(0xffffffff, 0xffffffff),\n };\n\n BIGNUM *const ffdhe2048_p = BN_new();\n BIGNUM *const ffdhe2048_q = BN_new();\n BIGNUM *const ffdhe2048_g = BN_new();\n DH *const dh = DH_new();\n\n if (!ffdhe2048_p || !ffdhe2048_q || !ffdhe2048_g || !dh) {\n goto err;\n }\n\n bn_set_static_words(ffdhe2048_p, kFFDHE2048Data,\n OPENSSL_ARRAY_SIZE(kFFDHE2048Data));\n\n if (!BN_rshift1(ffdhe2048_q, ffdhe2048_p) || !BN_set_word(ffdhe2048_g, 2) ||\n !DH_set0_pqg(dh, ffdhe2048_p, ffdhe2048_q, ffdhe2048_g)) {\n goto err;\n }\n\n return dh;\n\nerr:\n BN_free(ffdhe2048_p);\n BN_free(ffdhe2048_q);\n BN_free(ffdhe2048_g);\n DH_free(dh);\n return NULL;\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/fipsmodule/dh/internal.h", "content": "/* Copyright 2022 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n#ifndef OPENSSL_HEADER_CRYPTO_FIPSMODULE_DH_INTERNAL_H\n#define OPENSSL_HEADER_CRYPTO_FIPSMODULE_DH_INTERNAL_H\n\n#include \n\n#include \n\n#include \"../../internal.h\"\n\n#if defined(__cplusplus)\nextern \"C\" {\n#endif\n\n\nstruct dh_st {\n BIGNUM *p;\n BIGNUM *g;\n BIGNUM *q;\n BIGNUM *pub_key; // g^x mod p\n BIGNUM *priv_key; // x\n\n // priv_length contains the length, in bits, of the private value. If zero,\n // the private value will be the same length as |p|.\n unsigned priv_length;\n\n CRYPTO_MUTEX method_mont_p_lock;\n BN_MONT_CTX *method_mont_p;\n\n int flags;\n CRYPTO_refcount_t references;\n};\n\n// dh_check_params_fast checks basic invariants on |dh|'s domain parameters. It\n// does not check that |dh| forms a valid group, only that the sizes are within\n// DoS bounds.\nint dh_check_params_fast(const DH *dh);\n\n// dh_compute_key_padded_no_self_test does the same as |DH_compute_key_padded|,\n// but doesn't try to run the self-test first. This is for use in the self tests\n// themselves, to prevent an infinite loop.\nint dh_compute_key_padded_no_self_test(unsigned char *out,\n const BIGNUM *peers_key, DH *dh);\n\n\n#if defined(__cplusplus)\n}\n#endif\n\n#endif // OPENSSL_HEADER_CRYPTO_FIPSMODULE_DH_INTERNAL_H\n" }, { "path": "Sources/CNIOBoringSSL/crypto/fipsmodule/digest/digest.cc.inc", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n#include \n\n#include \n#include \n\n#include \"../../internal.h\"\n#include \"internal.h\"\n\n\nint EVP_MD_type(const EVP_MD *md) { return md->type; }\n\nint EVP_MD_nid(const EVP_MD *md) { return EVP_MD_type(md); }\n\nuint32_t EVP_MD_flags(const EVP_MD *md) { return md->flags; }\n\nsize_t EVP_MD_size(const EVP_MD *md) { return md->md_size; }\n\nsize_t EVP_MD_block_size(const EVP_MD *md) { return md->block_size; }\n\n\nvoid EVP_MD_CTX_init(EVP_MD_CTX *ctx) {\n OPENSSL_memset(ctx, 0, sizeof(EVP_MD_CTX));\n}\n\nEVP_MD_CTX *EVP_MD_CTX_new(void) {\n EVP_MD_CTX *ctx =\n reinterpret_cast(OPENSSL_malloc(sizeof(EVP_MD_CTX)));\n\n if (ctx) {\n EVP_MD_CTX_init(ctx);\n }\n\n return ctx;\n}\n\nEVP_MD_CTX *EVP_MD_CTX_create(void) { return EVP_MD_CTX_new(); }\n\nint EVP_MD_CTX_cleanup(EVP_MD_CTX *ctx) {\n OPENSSL_free(ctx->md_data);\n\n assert(ctx->pctx == NULL || ctx->pctx_ops != NULL);\n if (ctx->pctx_ops) {\n ctx->pctx_ops->free(ctx->pctx);\n }\n\n EVP_MD_CTX_init(ctx);\n\n return 1;\n}\n\nvoid EVP_MD_CTX_cleanse(EVP_MD_CTX *ctx) {\n OPENSSL_cleanse(ctx->md_data, ctx->digest->ctx_size);\n EVP_MD_CTX_cleanup(ctx);\n}\n\nvoid EVP_MD_CTX_free(EVP_MD_CTX *ctx) {\n if (!ctx) {\n return;\n }\n\n EVP_MD_CTX_cleanup(ctx);\n OPENSSL_free(ctx);\n}\n\nvoid EVP_MD_CTX_destroy(EVP_MD_CTX *ctx) { EVP_MD_CTX_free(ctx); }\n\nint EVP_DigestFinalXOF(EVP_MD_CTX *ctx, uint8_t *out, size_t len) {\n OPENSSL_PUT_ERROR(DIGEST, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);\n return 0;\n}\n\nuint32_t EVP_MD_meth_get_flags(const EVP_MD *md) { return EVP_MD_flags(md); }\n\nvoid EVP_MD_CTX_set_flags(EVP_MD_CTX *ctx, int flags) {}\n\nint EVP_MD_CTX_copy_ex(EVP_MD_CTX *out, const EVP_MD_CTX *in) {\n // |in->digest| may be NULL if this is a signing |EVP_MD_CTX| for, e.g.,\n // Ed25519 which does not hash with |EVP_MD_CTX|.\n if (in == NULL || (in->pctx == NULL && in->digest == NULL)) {\n OPENSSL_PUT_ERROR(DIGEST, DIGEST_R_INPUT_NOT_INITIALIZED);\n return 0;\n }\n\n EVP_PKEY_CTX *pctx = NULL;\n assert(in->pctx == NULL || in->pctx_ops != NULL);\n if (in->pctx) {\n pctx = in->pctx_ops->dup(in->pctx);\n if (!pctx) {\n return 0;\n }\n }\n\n uint8_t *tmp_buf = NULL;\n if (in->digest != NULL) {\n if (out->digest != in->digest) {\n assert(in->digest->ctx_size != 0);\n tmp_buf =\n reinterpret_cast(OPENSSL_malloc(in->digest->ctx_size));\n if (tmp_buf == NULL) {\n if (pctx) {\n in->pctx_ops->free(pctx);\n }\n return 0;\n }\n } else {\n // |md_data| will be the correct size in this case. It's removed from\n // |out| so that |EVP_MD_CTX_cleanup| doesn't free it, and then it's\n // reused.\n tmp_buf = reinterpret_cast(out->md_data);\n out->md_data = NULL;\n }\n }\n\n EVP_MD_CTX_cleanup(out);\n\n out->digest = in->digest;\n out->md_data = tmp_buf;\n if (in->digest != NULL) {\n OPENSSL_memcpy(out->md_data, in->md_data, in->digest->ctx_size);\n }\n out->pctx = pctx;\n out->pctx_ops = in->pctx_ops;\n assert(out->pctx == NULL || out->pctx_ops != NULL);\n\n return 1;\n}\n\nvoid EVP_MD_CTX_move(EVP_MD_CTX *out, EVP_MD_CTX *in) {\n EVP_MD_CTX_cleanup(out);\n // While not guaranteed, |EVP_MD_CTX| is currently safe to move with |memcpy|.\n // bssl-crypto currently relies on this, however, so if we change this, we\n // need to box the |HMAC_CTX|. (Relying on this is only fine because we assume\n // BoringSSL and bssl-crypto will always be updated atomically. We do not\n // allow any version skew between the two.)\n OPENSSL_memcpy(out, in, sizeof(EVP_MD_CTX));\n EVP_MD_CTX_init(in);\n}\n\nint EVP_MD_CTX_copy(EVP_MD_CTX *out, const EVP_MD_CTX *in) {\n EVP_MD_CTX_init(out);\n return EVP_MD_CTX_copy_ex(out, in);\n}\n\nint EVP_MD_CTX_reset(EVP_MD_CTX *ctx) {\n EVP_MD_CTX_cleanup(ctx);\n EVP_MD_CTX_init(ctx);\n return 1;\n}\n\nint EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *engine) {\n if (ctx->digest != type) {\n assert(type->ctx_size != 0);\n uint8_t *md_data =\n reinterpret_cast(OPENSSL_malloc(type->ctx_size));\n if (md_data == NULL) {\n return 0;\n }\n\n OPENSSL_free(ctx->md_data);\n ctx->md_data = md_data;\n ctx->digest = type;\n }\n\n assert(ctx->pctx == NULL || ctx->pctx_ops != NULL);\n\n ctx->digest->init(ctx);\n return 1;\n}\n\nint EVP_DigestInit(EVP_MD_CTX *ctx, const EVP_MD *type) {\n EVP_MD_CTX_init(ctx);\n return EVP_DigestInit_ex(ctx, type, NULL);\n}\n\nint EVP_DigestUpdate(EVP_MD_CTX *ctx, const void *data, size_t len) {\n ctx->digest->update(ctx, data, len);\n return 1;\n}\n\nint EVP_DigestFinal_ex(EVP_MD_CTX *ctx, uint8_t *md_out, unsigned int *size) {\n assert(ctx->digest->md_size <= EVP_MAX_MD_SIZE);\n ctx->digest->final(ctx, md_out);\n if (size != NULL) {\n *size = ctx->digest->md_size;\n }\n OPENSSL_cleanse(ctx->md_data, ctx->digest->ctx_size);\n return 1;\n}\n\nint EVP_DigestFinal(EVP_MD_CTX *ctx, uint8_t *md, unsigned int *size) {\n (void)EVP_DigestFinal_ex(ctx, md, size);\n EVP_MD_CTX_cleanup(ctx);\n return 1;\n}\n\nint EVP_Digest(const void *data, size_t count, uint8_t *out_md,\n unsigned int *out_size, const EVP_MD *type, ENGINE *impl) {\n EVP_MD_CTX ctx;\n int ret;\n\n EVP_MD_CTX_init(&ctx);\n ret = EVP_DigestInit_ex(&ctx, type, impl) &&\n EVP_DigestUpdate(&ctx, data, count) &&\n EVP_DigestFinal_ex(&ctx, out_md, out_size);\n EVP_MD_CTX_cleanup(&ctx);\n\n return ret;\n}\n\nconst EVP_MD *EVP_MD_CTX_get0_md(const EVP_MD_CTX *ctx) {\n if (ctx == NULL) {\n return NULL;\n }\n return ctx->digest;\n}\n\nconst EVP_MD *EVP_MD_CTX_md(const EVP_MD_CTX *ctx) {\n return EVP_MD_CTX_get0_md(ctx);\n}\n\nsize_t EVP_MD_CTX_size(const EVP_MD_CTX *ctx) {\n return EVP_MD_size(EVP_MD_CTX_get0_md(ctx));\n}\n\nsize_t EVP_MD_CTX_block_size(const EVP_MD_CTX *ctx) {\n return EVP_MD_block_size(EVP_MD_CTX_get0_md(ctx));\n}\n\nint EVP_MD_CTX_type(const EVP_MD_CTX *ctx) {\n return EVP_MD_type(EVP_MD_CTX_get0_md(ctx));\n}\n\nint EVP_add_digest(const EVP_MD *digest) { return 1; }\n" }, { "path": "Sources/CNIOBoringSSL/crypto/fipsmodule/digest/digests.cc.inc", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n#include \n\n#include \n\n#include \"../../internal.h\"\n#include \"../bcm_interface.h\"\n#include \"../delocate.h\"\n#include \"internal.h\"\n\n#if defined(NDEBUG)\n#define CHECK(x) (void)(x)\n#else\n#define CHECK(x) assert(x)\n#endif\n\n\nstatic void sha1_init(EVP_MD_CTX *ctx) {\n BCM_sha1_init(reinterpret_cast(ctx->md_data));\n}\n\nstatic void sha1_update(EVP_MD_CTX *ctx, const void *data, size_t count) {\n BCM_sha1_update(reinterpret_cast(ctx->md_data), data, count);\n}\n\nstatic void sha1_final(EVP_MD_CTX *ctx, uint8_t *md) {\n BCM_sha1_final(md, reinterpret_cast(ctx->md_data));\n}\n\nDEFINE_METHOD_FUNCTION(EVP_MD, EVP_sha1) {\n out->type = NID_sha1;\n out->md_size = BCM_SHA_DIGEST_LENGTH;\n out->flags = 0;\n out->init = sha1_init;\n out->update = sha1_update;\n out->final = sha1_final;\n out->block_size = 64;\n out->ctx_size = sizeof(SHA_CTX);\n}\n\n\nstatic void sha224_init(EVP_MD_CTX *ctx) {\n BCM_sha224_init(reinterpret_cast(ctx->md_data));\n}\n\nstatic void sha224_update(EVP_MD_CTX *ctx, const void *data, size_t count) {\n BCM_sha224_update(reinterpret_cast(ctx->md_data), data, count);\n}\n\nstatic void sha224_final(EVP_MD_CTX *ctx, uint8_t *md) {\n BCM_sha224_final(md, reinterpret_cast(ctx->md_data));\n}\n\nDEFINE_METHOD_FUNCTION(EVP_MD, EVP_sha224) {\n out->type = NID_sha224;\n out->md_size = BCM_SHA224_DIGEST_LENGTH;\n out->flags = 0;\n out->init = sha224_init;\n out->update = sha224_update;\n out->final = sha224_final;\n out->block_size = 64;\n out->ctx_size = sizeof(SHA256_CTX);\n}\n\n\nstatic void sha256_init(EVP_MD_CTX *ctx) {\n BCM_sha256_init(reinterpret_cast(ctx->md_data));\n}\n\nstatic void sha256_update(EVP_MD_CTX *ctx, const void *data, size_t count) {\n BCM_sha256_update(reinterpret_cast(ctx->md_data), data, count);\n}\n\nstatic void sha256_final(EVP_MD_CTX *ctx, uint8_t *md) {\n BCM_sha256_final(md, reinterpret_cast(ctx->md_data));\n}\n\nDEFINE_METHOD_FUNCTION(EVP_MD, EVP_sha256) {\n out->type = NID_sha256;\n out->md_size = BCM_SHA256_DIGEST_LENGTH;\n out->flags = 0;\n out->init = sha256_init;\n out->update = sha256_update;\n out->final = sha256_final;\n out->block_size = 64;\n out->ctx_size = sizeof(SHA256_CTX);\n}\n\n\nstatic void sha384_init(EVP_MD_CTX *ctx) {\n BCM_sha384_init(reinterpret_cast(ctx->md_data));\n}\n\nstatic void sha384_update(EVP_MD_CTX *ctx, const void *data, size_t count) {\n BCM_sha384_update(reinterpret_cast(ctx->md_data), data, count);\n}\n\nstatic void sha384_final(EVP_MD_CTX *ctx, uint8_t *md) {\n BCM_sha384_final(md, reinterpret_cast(ctx->md_data));\n}\n\nDEFINE_METHOD_FUNCTION(EVP_MD, EVP_sha384) {\n out->type = NID_sha384;\n out->md_size = BCM_SHA384_DIGEST_LENGTH;\n out->flags = 0;\n out->init = sha384_init;\n out->update = sha384_update;\n out->final = sha384_final;\n out->block_size = 128;\n out->ctx_size = sizeof(SHA512_CTX);\n}\n\n\nstatic void sha512_init(EVP_MD_CTX *ctx) {\n BCM_sha512_init(reinterpret_cast(ctx->md_data));\n}\n\nstatic void sha512_update(EVP_MD_CTX *ctx, const void *data, size_t count) {\n BCM_sha512_update(reinterpret_cast(ctx->md_data), data, count);\n}\n\nstatic void sha512_final(EVP_MD_CTX *ctx, uint8_t *md) {\n BCM_sha512_final(md, reinterpret_cast(ctx->md_data));\n}\n\nDEFINE_METHOD_FUNCTION(EVP_MD, EVP_sha512) {\n out->type = NID_sha512;\n out->md_size = BCM_SHA512_DIGEST_LENGTH;\n out->flags = 0;\n out->init = sha512_init;\n out->update = sha512_update;\n out->final = sha512_final;\n out->block_size = 128;\n out->ctx_size = sizeof(SHA512_CTX);\n}\n\n\nstatic void sha512_256_init(EVP_MD_CTX *ctx) {\n BCM_sha512_256_init(reinterpret_cast(ctx->md_data));\n}\n\nstatic void sha512_256_update(EVP_MD_CTX *ctx, const void *data, size_t count) {\n BCM_sha512_256_update(reinterpret_cast(ctx->md_data), data,\n count);\n}\n\nstatic void sha512_256_final(EVP_MD_CTX *ctx, uint8_t *md) {\n BCM_sha512_256_final(md, reinterpret_cast(ctx->md_data));\n}\n\nDEFINE_METHOD_FUNCTION(EVP_MD, EVP_sha512_256) {\n out->type = NID_sha512_256;\n out->md_size = BCM_SHA512_256_DIGEST_LENGTH;\n out->flags = 0;\n out->init = sha512_256_init;\n out->update = sha512_256_update;\n out->final = sha512_256_final;\n out->block_size = 128;\n out->ctx_size = sizeof(SHA512_CTX);\n}\n\n#undef CHECK\n" }, { "path": "Sources/CNIOBoringSSL/crypto/fipsmodule/digest/internal.h", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#ifndef OPENSSL_HEADER_DIGEST_INTERNAL_H\n#define OPENSSL_HEADER_DIGEST_INTERNAL_H\n\n#include \n\n#if defined(__cplusplus)\nextern \"C\" {\n#endif\n\n\nstruct env_md_st {\n // type contains a NID identifing the digest function. (For example,\n // NID_md5.)\n int type;\n\n // md_size contains the size, in bytes, of the resulting digest.\n unsigned md_size;\n\n // flags contains the OR of |EVP_MD_FLAG_*| values.\n uint32_t flags;\n\n // init initialises the state in |ctx->md_data|.\n void (*init)(EVP_MD_CTX *ctx);\n\n // update hashes |len| bytes of |data| into the state in |ctx->md_data|.\n void (*update)(EVP_MD_CTX *ctx, const void *data, size_t count);\n\n // final completes the hash and writes |md_size| bytes of digest to |out|.\n void (*final)(EVP_MD_CTX *ctx, uint8_t *out);\n\n // block_size contains the hash's native block size.\n unsigned block_size;\n\n // ctx_size contains the size, in bytes, of the state of the hash function.\n unsigned ctx_size;\n};\n\n// evp_md_pctx_ops contains function pointers to allow the |pctx| member of\n// |EVP_MD_CTX| to be manipulated without breaking layering by calling EVP\n// functions.\nstruct evp_md_pctx_ops {\n // free is called when an |EVP_MD_CTX| is being freed and the |pctx| also\n // needs to be freed.\n void (*free) (EVP_PKEY_CTX *pctx);\n\n // dup is called when an |EVP_MD_CTX| is copied and so the |pctx| also needs\n // to be copied.\n EVP_PKEY_CTX* (*dup) (EVP_PKEY_CTX *pctx);\n};\n\n\n#if defined(__cplusplus)\n} // extern C\n#endif\n\n#endif // OPENSSL_HEADER_DIGEST_INTERNAL\n" }, { "path": "Sources/CNIOBoringSSL/crypto/fipsmodule/digest/md32_common.h", "content": "/*\n * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#ifndef OPENSSL_HEADER_DIGEST_MD32_COMMON_H\n#define OPENSSL_HEADER_DIGEST_MD32_COMMON_H\n\n#include \n\n#include \n\n#include \"../../internal.h\"\n\n#if defined(__cplusplus)\nextern \"C\" {\n#endif\n\n\n// This is a generic 32-bit \"collector\" for message digest algorithms. It\n// collects input character stream into chunks of 32-bit values and invokes the\n// block function that performs the actual hash calculations.\n//\n// To make use of this mechanism, the hash context should be defined with the\n// following parameters.\n//\n// typedef struct _state_st {\n// uint32_t h[ / sizeof(uint32_t)];\n// uint32_t Nl, Nh;\n// uint8_t data[];\n// unsigned num;\n// ...\n// } _CTX;\n//\n// is the output length of the hash in bytes, before\n// any truncation (e.g. 64 for SHA-224 and SHA-256, 128 for SHA-384 and\n// SHA-512).\n//\n// |h| is the hash state and is updated by a function of type\n// |crypto_md32_block_func|. |data| is the partial unprocessed block and has\n// |num| bytes. |Nl| and |Nh| maintain the number of bits processed so far.\n\n// A crypto_md32_block_func should incorporate |num_blocks| of input from |data|\n// into |state|. It is assumed the caller has sized |state| and |data| for the\n// hash function.\ntypedef void (*crypto_md32_block_func)(uint32_t *state, const uint8_t *data,\n size_t num_blocks);\n\n// crypto_md32_update adds |len| bytes from |in| to the digest. |data| must be a\n// buffer of length |block_size| with the first |*num| bytes containing a\n// partial block. This function combines the partial block with |in| and\n// incorporates any complete blocks into the digest state |h|. It then updates\n// |data| and |*num| with the new partial block and updates |*Nh| and |*Nl| with\n// the data consumed.\nstatic inline void crypto_md32_update(crypto_md32_block_func block_func,\n uint32_t *h, uint8_t *data,\n size_t block_size, unsigned *num,\n uint32_t *Nh, uint32_t *Nl,\n const uint8_t *in, size_t len) {\n if (len == 0) {\n return;\n }\n\n uint32_t l = *Nl + (((uint32_t)len) << 3);\n if (l < *Nl) {\n // Handle carries.\n (*Nh)++;\n }\n *Nh += (uint32_t)(len >> 29);\n *Nl = l;\n\n size_t n = *num;\n if (n != 0) {\n if (len >= block_size || len + n >= block_size) {\n OPENSSL_memcpy(data + n, in, block_size - n);\n block_func(h, data, 1);\n n = block_size - n;\n in += n;\n len -= n;\n *num = 0;\n // Keep |data| zeroed when unused.\n OPENSSL_memset(data, 0, block_size);\n } else {\n OPENSSL_memcpy(data + n, in, len);\n *num += (unsigned)len;\n return;\n }\n }\n\n n = len / block_size;\n if (n > 0) {\n block_func(h, in, n);\n n *= block_size;\n in += n;\n len -= n;\n }\n\n if (len != 0) {\n *num = (unsigned)len;\n OPENSSL_memcpy(data, in, len);\n }\n}\n\n// crypto_md32_final incorporates the partial block and trailing length into the\n// digest state |h|. The trailing length is encoded in little-endian if\n// |is_big_endian| is zero and big-endian otherwise. |data| must be a buffer of\n// length |block_size| with the first |*num| bytes containing a partial block.\n// |Nh| and |Nl| contain the total number of bits processed. On return, this\n// function clears the partial block in |data| and\n// |*num|.\n//\n// This function does not serialize |h| into a final digest. This is the\n// responsibility of the caller.\nstatic inline void crypto_md32_final(crypto_md32_block_func block_func,\n uint32_t *h, uint8_t *data,\n size_t block_size, unsigned *num,\n uint32_t Nh, uint32_t Nl,\n int is_big_endian) {\n // |data| always has room for at least one byte. A full block would have\n // been consumed.\n size_t n = *num;\n assert(n < block_size);\n data[n] = 0x80;\n n++;\n\n // Fill the block with zeros if there isn't room for a 64-bit length.\n if (n > block_size - 8) {\n OPENSSL_memset(data + n, 0, block_size - n);\n n = 0;\n block_func(h, data, 1);\n }\n OPENSSL_memset(data + n, 0, block_size - 8 - n);\n\n // Append a 64-bit length to the block and process it.\n if (is_big_endian) {\n CRYPTO_store_u32_be(data + block_size - 8, Nh);\n CRYPTO_store_u32_be(data + block_size - 4, Nl);\n } else {\n CRYPTO_store_u32_le(data + block_size - 8, Nl);\n CRYPTO_store_u32_le(data + block_size - 4, Nh);\n }\n block_func(h, data, 1);\n *num = 0;\n OPENSSL_memset(data, 0, block_size);\n}\n\n\n#if defined(__cplusplus)\n} // extern C\n#endif\n\n#endif // OPENSSL_HEADER_DIGEST_MD32_COMMON_H\n" }, { "path": "Sources/CNIOBoringSSL/crypto/fipsmodule/digestsign/digestsign.cc.inc", "content": "/*\n * Copyright 2006-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n\n#include \"../../evp/internal.h\"\n#include \"../delocate.h\"\n#include \"../digest/internal.h\"\n#include \"../service_indicator/internal.h\"\n\n\nenum evp_sign_verify_t {\n evp_sign,\n evp_verify,\n};\n\nDEFINE_LOCAL_DATA(struct evp_md_pctx_ops, md_pctx_ops) {\n out->free = EVP_PKEY_CTX_free;\n out->dup = EVP_PKEY_CTX_dup;\n}\n\nstatic int uses_prehash(EVP_MD_CTX *ctx, enum evp_sign_verify_t op) {\n return (op == evp_sign) ? (ctx->pctx->pmeth->sign != NULL)\n : (ctx->pctx->pmeth->verify != NULL);\n}\n\nstatic int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,\n const EVP_MD *type, ENGINE *e, EVP_PKEY *pkey,\n enum evp_sign_verify_t op) {\n if (ctx->pctx == NULL) {\n ctx->pctx = EVP_PKEY_CTX_new(pkey, e);\n }\n if (ctx->pctx == NULL) {\n return 0;\n }\n ctx->pctx_ops = md_pctx_ops();\n\n if (op == evp_verify) {\n if (!EVP_PKEY_verify_init(ctx->pctx)) {\n return 0;\n }\n } else {\n if (!EVP_PKEY_sign_init(ctx->pctx)) {\n return 0;\n }\n }\n\n if (type != NULL &&\n !EVP_PKEY_CTX_set_signature_md(ctx->pctx, type)) {\n return 0;\n }\n\n if (uses_prehash(ctx, op)) {\n if (type == NULL) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_NO_DEFAULT_DIGEST);\n return 0;\n }\n if (!EVP_DigestInit_ex(ctx, type, e)) {\n return 0;\n }\n }\n\n if (pctx) {\n *pctx = ctx->pctx;\n }\n return 1;\n}\n\nint EVP_DigestSignInit(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx, const EVP_MD *type,\n ENGINE *e, EVP_PKEY *pkey) {\n return do_sigver_init(ctx, pctx, type, e, pkey, evp_sign);\n}\n\nint EVP_DigestVerifyInit(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,\n const EVP_MD *type, ENGINE *e, EVP_PKEY *pkey) {\n return do_sigver_init(ctx, pctx, type, e, pkey, evp_verify);\n}\n\nint EVP_DigestSignUpdate(EVP_MD_CTX *ctx, const void *data, size_t len) {\n if (!uses_prehash(ctx, evp_sign)) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE);\n return 0;\n }\n\n return EVP_DigestUpdate(ctx, data, len);\n}\n\nint EVP_DigestVerifyUpdate(EVP_MD_CTX *ctx, const void *data, size_t len) {\n if (!uses_prehash(ctx, evp_verify)) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE);\n return 0;\n }\n\n return EVP_DigestUpdate(ctx, data, len);\n}\n\nint EVP_DigestSignFinal(EVP_MD_CTX *ctx, uint8_t *out_sig,\n size_t *out_sig_len) {\n if (!uses_prehash(ctx, evp_sign)) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE);\n return 0;\n }\n\n if (out_sig) {\n EVP_MD_CTX tmp_ctx;\n int ret;\n uint8_t md[EVP_MAX_MD_SIZE];\n unsigned int mdlen;\n\n FIPS_service_indicator_lock_state();\n EVP_MD_CTX_init(&tmp_ctx);\n ret = EVP_MD_CTX_copy_ex(&tmp_ctx, ctx) &&\n EVP_DigestFinal_ex(&tmp_ctx, md, &mdlen) &&\n EVP_PKEY_sign(ctx->pctx, out_sig, out_sig_len, md, mdlen);\n EVP_MD_CTX_cleanup(&tmp_ctx);\n FIPS_service_indicator_unlock_state();\n\n if (ret) {\n EVP_DigestSign_verify_service_indicator(ctx);\n }\n\n return ret;\n } else {\n size_t s = EVP_MD_size(ctx->digest);\n return EVP_PKEY_sign(ctx->pctx, out_sig, out_sig_len, NULL, s);\n }\n}\n\nint EVP_DigestVerifyFinal(EVP_MD_CTX *ctx, const uint8_t *sig,\n size_t sig_len) {\n if (!uses_prehash(ctx, evp_verify)) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE);\n return 0;\n }\n\n EVP_MD_CTX tmp_ctx;\n int ret;\n uint8_t md[EVP_MAX_MD_SIZE];\n unsigned int mdlen;\n\n FIPS_service_indicator_lock_state();\n EVP_MD_CTX_init(&tmp_ctx);\n ret = EVP_MD_CTX_copy_ex(&tmp_ctx, ctx) &&\n EVP_DigestFinal_ex(&tmp_ctx, md, &mdlen) &&\n EVP_PKEY_verify(ctx->pctx, sig, sig_len, md, mdlen);\n FIPS_service_indicator_unlock_state();\n EVP_MD_CTX_cleanup(&tmp_ctx);\n\n if (ret) {\n EVP_DigestVerify_verify_service_indicator(ctx);\n }\n\n return ret;\n}\n\nint EVP_DigestSign(EVP_MD_CTX *ctx, uint8_t *out_sig, size_t *out_sig_len,\n const uint8_t *data, size_t data_len) {\n FIPS_service_indicator_lock_state();\n int ret = 0;\n\n if (uses_prehash(ctx, evp_sign)) {\n // If |out_sig| is NULL, the caller is only querying the maximum output\n // length. |data| should only be incorporated in the final call.\n if (out_sig != NULL &&\n !EVP_DigestSignUpdate(ctx, data, data_len)) {\n goto end;\n }\n\n ret = EVP_DigestSignFinal(ctx, out_sig, out_sig_len);\n goto end;\n }\n\n if (ctx->pctx->pmeth->sign_message == NULL) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE);\n goto end;\n }\n\n ret = ctx->pctx->pmeth->sign_message(ctx->pctx, out_sig, out_sig_len, data,\n data_len);\n\nend:\n FIPS_service_indicator_unlock_state();\n if (ret) {\n EVP_DigestSign_verify_service_indicator(ctx);\n }\n return ret;\n}\n\nint EVP_DigestVerify(EVP_MD_CTX *ctx, const uint8_t *sig, size_t sig_len,\n const uint8_t *data, size_t len) {\n FIPS_service_indicator_lock_state();\n int ret = 0;\n\n if (uses_prehash(ctx, evp_verify)) {\n ret = EVP_DigestVerifyUpdate(ctx, data, len) &&\n EVP_DigestVerifyFinal(ctx, sig, sig_len);\n goto end;\n }\n\n if (ctx->pctx->pmeth->verify_message == NULL) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE);\n goto end;\n }\n\n ret = ctx->pctx->pmeth->verify_message(ctx->pctx, sig, sig_len, data, len);\n\nend:\n FIPS_service_indicator_unlock_state();\n if (ret) {\n EVP_DigestVerify_verify_service_indicator(ctx);\n }\n return ret;\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/fipsmodule/ec/builtin_curves.h", "content": "/* Copyright 2023 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n// This file is generated by make_tables.go.\n\n// P-224\n[[maybe_unused]] static const uint64_t kP224FieldN0 = 0xffffffffffffffff;\n[[maybe_unused]] static const uint64_t kP224OrderN0 = 0xd6e242706a1fc2eb;\n#if defined(OPENSSL_64_BIT)\n[[maybe_unused]] static const uint64_t kP224Field[] = {\n 0x0000000000000001, 0xffffffff00000000, 0xffffffffffffffff,\n 0x00000000ffffffff};\n[[maybe_unused]] static const uint64_t kP224Order[] = {\n 0x13dd29455c5c2a3d, 0xffff16a2e0b8f03e, 0xffffffffffffffff,\n 0x00000000ffffffff};\n[[maybe_unused]] static const uint64_t kP224B[] = {\n 0x270b39432355ffb4, 0x5044b0b7d7bfd8ba, 0x0c04b3abf5413256,\n 0x00000000b4050a85};\n[[maybe_unused]] static const uint64_t kP224GX[] = {\n 0x343280d6115c1d21, 0x4a03c1d356c21122, 0x6bb4bf7f321390b9,\n 0x00000000b70e0cbd};\n[[maybe_unused]] static const uint64_t kP224GY[] = {\n 0x44d5819985007e34, 0xcd4375a05a074764, 0xb5f723fb4c22dfe6,\n 0x00000000bd376388};\n[[maybe_unused]] static const uint64_t kP224FieldR[] = {\n 0xffffffff00000000, 0xffffffffffffffff, 0x0000000000000000,\n 0x0000000000000000};\n[[maybe_unused]] static const uint64_t kP224FieldRR[] = {\n 0xffffffff00000001, 0xffffffff00000000, 0xfffffffe00000000,\n 0x00000000ffffffff};\n[[maybe_unused]] static const uint64_t kP224OrderRR[] = {\n 0x29947a695f517d15, 0xabc8ff5931d63f4b, 0x6ad15f7cd9714856,\n 0x00000000b1e97961};\n[[maybe_unused]] static const uint64_t kP224MontB[] = {\n 0xe768cdf663c059cd, 0x107ac2f3ccf01310, 0x3dceba98c8528151,\n 0x000000007fc02f93};\n[[maybe_unused]] static const uint64_t kP224MontGX[] = {\n 0xbc9052266d0a4aea, 0x852597366018bfaa, 0x6dd3af9bf96bec05,\n 0x00000000a21b5e60};\n[[maybe_unused]] static const uint64_t kP224MontGY[] = {\n 0x2edca1e5eff3ede8, 0xf8cd672b05335a6b, 0xaea9c5ae03dfe878,\n 0x00000000614786f1};\n#elif defined(OPENSSL_32_BIT)\n[[maybe_unused]] static const uint32_t kP224Field[] = {\n 0x00000001, 0x00000000, 0x00000000, 0xffffffff, 0xffffffff, 0xffffffff,\n 0xffffffff};\n[[maybe_unused]] static const uint32_t kP224Order[] = {\n 0x5c5c2a3d, 0x13dd2945, 0xe0b8f03e, 0xffff16a2, 0xffffffff, 0xffffffff,\n 0xffffffff};\n[[maybe_unused]] static const uint32_t kP224B[] = {\n 0x2355ffb4, 0x270b3943, 0xd7bfd8ba, 0x5044b0b7, 0xf5413256, 0x0c04b3ab,\n 0xb4050a85};\n[[maybe_unused]] static const uint32_t kP224GX[] = {\n 0x115c1d21, 0x343280d6, 0x56c21122, 0x4a03c1d3, 0x321390b9, 0x6bb4bf7f,\n 0xb70e0cbd};\n[[maybe_unused]] static const uint32_t kP224GY[] = {\n 0x85007e34, 0x44d58199, 0x5a074764, 0xcd4375a0, 0x4c22dfe6, 0xb5f723fb,\n 0xbd376388};\n[[maybe_unused]] static const uint32_t kP224FieldR[] = {\n 0xffffffff, 0xffffffff, 0xffffffff, 0x00000000, 0x00000000, 0x00000000,\n 0x00000000};\n[[maybe_unused]] static const uint32_t kP224FieldRR[] = {\n 0x00000001, 0x00000000, 0x00000000, 0xfffffffe, 0xffffffff, 0xffffffff,\n 0x00000000};\n[[maybe_unused]] static const uint32_t kP224OrderRR[] = {\n 0x3ad01289, 0x6bdaae6c, 0x97a54552, 0x6ad09d91, 0xb1e97961, 0x1822bc47,\n 0xd4baa4cf};\n[[maybe_unused]] static const uint32_t kP224MontB[] = {\n 0xe768cdf7, 0xccf01310, 0x743b1cc0, 0xc8528150, 0x3dceba98, 0x7fc02f93,\n 0x9c3fa633};\n[[maybe_unused]] static const uint32_t kP224MontGX[] = {\n 0xbc905227, 0x6018bfaa, 0xf22fe220, 0xf96bec04, 0x6dd3af9b, 0xa21b5e60,\n 0x92f5b516};\n[[maybe_unused]] static const uint32_t kP224MontGY[] = {\n 0x2edca1e6, 0x05335a6b, 0xe8c15513, 0x03dfe878, 0xaea9c5ae, 0x614786f1,\n 0x100c1218};\n#else\n#error \"unknown word size\"\n#endif\n\n// P-256\n[[maybe_unused]] static const uint64_t kP256FieldN0 = 0x0000000000000001;\n[[maybe_unused]] static const uint64_t kP256OrderN0 = 0xccd1c8aaee00bc4f;\n#if defined(OPENSSL_64_BIT)\n[[maybe_unused]] static const uint64_t kP256Field[] = {\n 0xffffffffffffffff, 0x00000000ffffffff, 0x0000000000000000,\n 0xffffffff00000001};\n[[maybe_unused]] static const uint64_t kP256Order[] = {\n 0xf3b9cac2fc632551, 0xbce6faada7179e84, 0xffffffffffffffff,\n 0xffffffff00000000};\n[[maybe_unused]] static const uint64_t kP256FieldR[] = {\n 0x0000000000000001, 0xffffffff00000000, 0xffffffffffffffff,\n 0x00000000fffffffe};\n[[maybe_unused]] static const uint64_t kP256FieldRR[] = {\n 0x0000000000000003, 0xfffffffbffffffff, 0xfffffffffffffffe,\n 0x00000004fffffffd};\n[[maybe_unused]] static const uint64_t kP256OrderRR[] = {\n 0x83244c95be79eea2, 0x4699799c49bd6fa6, 0x2845b2392b6bec59,\n 0x66e12d94f3d95620};\n[[maybe_unused]] static const uint64_t kP256MontB[] = {\n 0xd89cdf6229c4bddf, 0xacf005cd78843090, 0xe5a220abf7212ed6,\n 0xdc30061d04874834};\n[[maybe_unused]] static const uint64_t kP256MontGX[] = {\n 0x79e730d418a9143c, 0x75ba95fc5fedb601, 0x79fb732b77622510,\n 0x18905f76a53755c6};\n[[maybe_unused]] static const uint64_t kP256MontGY[] = {\n 0xddf25357ce95560a, 0x8b4ab8e4ba19e45c, 0xd2e88688dd21f325,\n 0x8571ff1825885d85};\n#elif defined(OPENSSL_32_BIT)\n[[maybe_unused]] static const uint32_t kP256Field[] = {\n 0xffffffff, 0xffffffff, 0xffffffff, 0x00000000, 0x00000000, 0x00000000,\n 0x00000001, 0xffffffff};\n[[maybe_unused]] static const uint32_t kP256Order[] = {\n 0xfc632551, 0xf3b9cac2, 0xa7179e84, 0xbce6faad, 0xffffffff, 0xffffffff,\n 0x00000000, 0xffffffff};\n[[maybe_unused]] static const uint32_t kP256FieldR[] = {\n 0x00000001, 0x00000000, 0x00000000, 0xffffffff, 0xffffffff, 0xffffffff,\n 0xfffffffe, 0x00000000};\n[[maybe_unused]] static const uint32_t kP256FieldRR[] = {\n 0x00000003, 0x00000000, 0xffffffff, 0xfffffffb, 0xfffffffe, 0xffffffff,\n 0xfffffffd, 0x00000004};\n[[maybe_unused]] static const uint32_t kP256OrderRR[] = {\n 0xbe79eea2, 0x83244c95, 0x49bd6fa6, 0x4699799c, 0x2b6bec59, 0x2845b239,\n 0xf3d95620, 0x66e12d94};\n[[maybe_unused]] static const uint32_t kP256MontB[] = {\n 0x29c4bddf, 0xd89cdf62, 0x78843090, 0xacf005cd, 0xf7212ed6, 0xe5a220ab,\n 0x04874834, 0xdc30061d};\n[[maybe_unused]] static const uint32_t kP256MontGX[] = {\n 0x18a9143c, 0x79e730d4, 0x5fedb601, 0x75ba95fc, 0x77622510, 0x79fb732b,\n 0xa53755c6, 0x18905f76};\n[[maybe_unused]] static const uint32_t kP256MontGY[] = {\n 0xce95560a, 0xddf25357, 0xba19e45c, 0x8b4ab8e4, 0xdd21f325, 0xd2e88688,\n 0x25885d85, 0x8571ff18};\n#else\n#error \"unknown word size\"\n#endif\n\n// P-384\n[[maybe_unused]] static const uint64_t kP384FieldN0 = 0x0000000100000001;\n[[maybe_unused]] static const uint64_t kP384OrderN0 = 0x6ed46089e88fdc45;\n#if defined(OPENSSL_64_BIT)\n[[maybe_unused]] static const uint64_t kP384Field[] = {\n 0x00000000ffffffff, 0xffffffff00000000, 0xfffffffffffffffe,\n 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff};\n[[maybe_unused]] static const uint64_t kP384Order[] = {\n 0xecec196accc52973, 0x581a0db248b0a77a, 0xc7634d81f4372ddf,\n 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff};\n[[maybe_unused]] static const uint64_t kP384FieldR[] = {\n 0xffffffff00000001, 0x00000000ffffffff, 0x0000000000000001,\n 0x0000000000000000, 0x0000000000000000, 0x0000000000000000};\n[[maybe_unused]] static const uint64_t kP384FieldRR[] = {\n 0xfffffffe00000001, 0x0000000200000000, 0xfffffffe00000000,\n 0x0000000200000000, 0x0000000000000001, 0x0000000000000000};\n[[maybe_unused]] static const uint64_t kP384OrderRR[] = {\n 0x2d319b2419b409a9, 0xff3d81e5df1aa419, 0xbc3e483afcb82947,\n 0xd40d49174aab1cc5, 0x3fb05b7a28266895, 0x0c84ee012b39bf21};\n[[maybe_unused]] static const uint64_t kP384MontB[] = {\n 0x081188719d412dcc, 0xf729add87a4c32ec, 0x77f2209b1920022e,\n 0xe3374bee94938ae2, 0xb62b21f41f022094, 0xcd08114b604fbff9};\n[[maybe_unused]] static const uint64_t kP384MontGX[] = {\n 0x3dd0756649c0b528, 0x20e378e2a0d6ce38, 0x879c3afc541b4d6e,\n 0x6454868459a30eff, 0x812ff723614ede2b, 0x4d3aadc2299e1513};\n[[maybe_unused]] static const uint64_t kP384MontGY[] = {\n 0x23043dad4b03a4fe, 0xa1bfa8bf7bb4a9ac, 0x8bade7562e83b050,\n 0xc6c3521968f4ffd9, 0xdd8002263969a840, 0x2b78abc25a15c5e9};\n#elif defined(OPENSSL_32_BIT)\n[[maybe_unused]] static const uint32_t kP384Field[] = {\n 0xffffffff, 0x00000000, 0x00000000, 0xffffffff, 0xfffffffe, 0xffffffff,\n 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff};\n[[maybe_unused]] static const uint32_t kP384Order[] = {\n 0xccc52973, 0xecec196a, 0x48b0a77a, 0x581a0db2, 0xf4372ddf, 0xc7634d81,\n 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff};\n[[maybe_unused]] static const uint32_t kP384FieldR[] = {\n 0x00000001, 0xffffffff, 0xffffffff, 0x00000000, 0x00000001, 0x00000000,\n 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000};\n[[maybe_unused]] static const uint32_t kP384FieldRR[] = {\n 0x00000001, 0xfffffffe, 0x00000000, 0x00000002, 0x00000000, 0xfffffffe,\n 0x00000000, 0x00000002, 0x00000001, 0x00000000, 0x00000000, 0x00000000};\n[[maybe_unused]] static const uint32_t kP384OrderRR[] = {\n 0x19b409a9, 0x2d319b24, 0xdf1aa419, 0xff3d81e5, 0xfcb82947, 0xbc3e483a,\n 0x4aab1cc5, 0xd40d4917, 0x28266895, 0x3fb05b7a, 0x2b39bf21, 0x0c84ee01};\n[[maybe_unused]] static const uint32_t kP384MontB[] = {\n 0x9d412dcc, 0x08118871, 0x7a4c32ec, 0xf729add8, 0x1920022e, 0x77f2209b,\n 0x94938ae2, 0xe3374bee, 0x1f022094, 0xb62b21f4, 0x604fbff9, 0xcd08114b};\n[[maybe_unused]] static const uint32_t kP384MontGX[] = {\n 0x49c0b528, 0x3dd07566, 0xa0d6ce38, 0x20e378e2, 0x541b4d6e, 0x879c3afc,\n 0x59a30eff, 0x64548684, 0x614ede2b, 0x812ff723, 0x299e1513, 0x4d3aadc2};\n[[maybe_unused]] static const uint32_t kP384MontGY[] = {\n 0x4b03a4fe, 0x23043dad, 0x7bb4a9ac, 0xa1bfa8bf, 0x2e83b050, 0x8bade756,\n 0x68f4ffd9, 0xc6c35219, 0x3969a840, 0xdd800226, 0x5a15c5e9, 0x2b78abc2};\n#else\n#error \"unknown word size\"\n#endif\n\n// P-521\n[[maybe_unused]] static const uint64_t kP521FieldN0 = 0x0000000000000001;\n[[maybe_unused]] static const uint64_t kP521OrderN0 = 0x1d2f5ccd79a995c7;\n#if defined(OPENSSL_64_BIT)\n[[maybe_unused]] static const uint64_t kP521Field[] = {\n 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff,\n 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff,\n 0xffffffffffffffff, 0xffffffffffffffff, 0x00000000000001ff};\n[[maybe_unused]] static const uint64_t kP521Order[] = {\n 0xbb6fb71e91386409, 0x3bb5c9b8899c47ae, 0x7fcc0148f709a5d0,\n 0x51868783bf2f966b, 0xfffffffffffffffa, 0xffffffffffffffff,\n 0xffffffffffffffff, 0xffffffffffffffff, 0x00000000000001ff};\n[[maybe_unused]] static const uint64_t kP521FieldR[] = {\n 0x0080000000000000, 0x0000000000000000, 0x0000000000000000,\n 0x0000000000000000, 0x0000000000000000, 0x0000000000000000,\n 0x0000000000000000, 0x0000000000000000, 0x0000000000000000};\n[[maybe_unused]] static const uint64_t kP521FieldRR[] = {\n 0x0000000000000000, 0x0000400000000000, 0x0000000000000000,\n 0x0000000000000000, 0x0000000000000000, 0x0000000000000000,\n 0x0000000000000000, 0x0000000000000000, 0x0000000000000000};\n[[maybe_unused]] static const uint64_t kP521OrderRR[] = {\n 0x137cd04dcf15dd04, 0xf707badce5547ea3, 0x12a78d38794573ff,\n 0xd3721ef557f75e06, 0xdd6e23d82e49c7db, 0xcff3d142b7756e3e,\n 0x5bcc6d61a8e567bc, 0x2d8e03d1492d0d45, 0x000000000000003d};\n[[maybe_unused]] static const uint64_t kP521MontB[] = {\n 0x8014654fae586387, 0x78f7a28fea35a81f, 0x839ab9efc41e961a,\n 0xbd8b29605e9dd8df, 0xf0ab0c9ca8f63f49, 0xf9dc5a44c8c77884,\n 0x77516d392dccd98a, 0x0fc94d10d05b42a0, 0x000000000000004d};\n[[maybe_unused]] static const uint64_t kP521MontGX[] = {\n 0xb331a16381adc101, 0x4dfcbf3f18e172de, 0x6f19a459e0c2b521,\n 0x947f0ee093d17fd4, 0xdd50a5af3bf7f3ac, 0x90fc1457b035a69e,\n 0x214e32409c829fda, 0xe6cf1f65b311cada, 0x0000000000000074};\n[[maybe_unused]] static const uint64_t kP521MontGY[] = {\n 0x28460e4a5a9e268e, 0x20445f4a3b4fe8b3, 0xb09a9e3843513961,\n 0x2062a85c809fd683, 0x164bf7394caf7a13, 0x340bd7de8b939f33,\n 0xeccc7aa224abcda2, 0x022e452fda163e8d, 0x00000000000001e0};\n#elif defined(OPENSSL_32_BIT)\n[[maybe_unused]] static const uint32_t kP521Field[] = {\n 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff,\n 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff,\n 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0x000001ff};\n[[maybe_unused]] static const uint32_t kP521Order[] = {\n 0x91386409, 0xbb6fb71e, 0x899c47ae, 0x3bb5c9b8, 0xf709a5d0, 0x7fcc0148,\n 0xbf2f966b, 0x51868783, 0xfffffffa, 0xffffffff, 0xffffffff, 0xffffffff,\n 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0x000001ff};\n[[maybe_unused]] static const uint32_t kP521FieldR[] = {\n 0x00800000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000,\n 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000,\n 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000};\n[[maybe_unused]] static const uint32_t kP521FieldRR[] = {\n 0x00000000, 0x00004000, 0x00000000, 0x00000000, 0x00000000, 0x00000000,\n 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000,\n 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000};\n[[maybe_unused]] static const uint32_t kP521OrderRR[] = {\n 0x61c64ca7, 0x1163115a, 0x4374a642, 0x18354a56, 0x0791d9dc, 0x5d4dd6d3,\n 0xd3402705, 0x4fb35b72, 0xb7756e3a, 0xcff3d142, 0xa8e567bc, 0x5bcc6d61,\n 0x492d0d45, 0x2d8e03d1, 0x8c44383d, 0x5b5a3afe, 0x0000019a};\n[[maybe_unused]] static const uint32_t kP521MontB[] = {\n 0x8014654f, 0xea35a81f, 0x78f7a28f, 0xc41e961a, 0x839ab9ef, 0x5e9dd8df,\n 0xbd8b2960, 0xa8f63f49, 0xf0ab0c9c, 0xc8c77884, 0xf9dc5a44, 0x2dccd98a,\n 0x77516d39, 0xd05b42a0, 0x0fc94d10, 0xb0c70e4d, 0x0000015c};\n[[maybe_unused]] static const uint32_t kP521MontGX[] = {\n 0xb331a163, 0x18e172de, 0x4dfcbf3f, 0xe0c2b521, 0x6f19a459, 0x93d17fd4,\n 0x947f0ee0, 0x3bf7f3ac, 0xdd50a5af, 0xb035a69e, 0x90fc1457, 0x9c829fda,\n 0x214e3240, 0xb311cada, 0xe6cf1f65, 0x5b820274, 0x00000103};\n[[maybe_unused]] static const uint32_t kP521MontGY[] = {\n 0x28460e4a, 0x3b4fe8b3, 0x20445f4a, 0x43513961, 0xb09a9e38, 0x809fd683,\n 0x2062a85c, 0x4caf7a13, 0x164bf739, 0x8b939f33, 0x340bd7de, 0x24abcda2,\n 0xeccc7aa2, 0xda163e8d, 0x022e452f, 0x3c4d1de0, 0x000000b5};\n#else\n#error \"unknown word size\"\n#endif\n" }, { "path": "Sources/CNIOBoringSSL/crypto/fipsmodule/ec/ec.cc.inc", "content": "/*\n * Copyright 2001-2016 The OpenSSL Project Authors. All Rights Reserved.\n * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n#include \n\n#include \n#include \n#include \n#include \n\n#include \"../../internal.h\"\n#include \"../bn/internal.h\"\n#include \"../delocate.h\"\n#include \"internal.h\"\n\n#include \"builtin_curves.h\"\n\n\nstatic void ec_point_free(EC_POINT *point, int free_group);\n\nstatic void ec_group_init_static_mont(BN_MONT_CTX *mont, size_t num_words,\n const BN_ULONG *modulus,\n const BN_ULONG *rr, uint64_t n0) {\n bn_set_static_words(&mont->N, modulus, num_words);\n bn_set_static_words(&mont->RR, rr, num_words);\n#if defined(OPENSSL_64_BIT)\n mont->n0[0] = n0;\n#elif defined(OPENSSL_32_BIT)\n mont->n0[0] = (uint32_t)n0;\n mont->n0[1] = (uint32_t)(n0 >> 32);\n#else\n#error \"unknown word length\"\n#endif\n}\n\nstatic void ec_group_set_a_minus3(EC_GROUP *group) {\n const EC_FELEM *one = ec_felem_one(group);\n group->a_is_minus3 = 1;\n ec_felem_neg(group, &group->a, one);\n ec_felem_sub(group, &group->a, &group->a, one);\n ec_felem_sub(group, &group->a, &group->a, one);\n}\n\nDEFINE_METHOD_FUNCTION(EC_GROUP, EC_group_p224) {\n out->curve_name = NID_secp224r1;\n out->comment = \"NIST P-224\";\n // 1.3.132.0.33\n static const uint8_t kOIDP224[] = {0x2b, 0x81, 0x04, 0x00, 0x21};\n OPENSSL_memcpy(out->oid, kOIDP224, sizeof(kOIDP224));\n out->oid_len = sizeof(kOIDP224);\n\n ec_group_init_static_mont(&out->field, OPENSSL_ARRAY_SIZE(kP224Field),\n kP224Field, kP224FieldRR, kP224FieldN0);\n ec_group_init_static_mont(&out->order, OPENSSL_ARRAY_SIZE(kP224Order),\n kP224Order, kP224OrderRR, kP224OrderN0);\n\n#if defined(BORINGSSL_HAS_UINT128) && !defined(OPENSSL_SMALL)\n out->meth = EC_GFp_nistp224_method();\n OPENSSL_memcpy(out->generator.raw.X.words, kP224GX, sizeof(kP224GX));\n OPENSSL_memcpy(out->generator.raw.Y.words, kP224GY, sizeof(kP224GY));\n out->generator.raw.Z.words[0] = 1;\n OPENSSL_memcpy(out->b.words, kP224B, sizeof(kP224B));\n#else\n out->meth = EC_GFp_mont_method();\n OPENSSL_memcpy(out->generator.raw.X.words, kP224MontGX, sizeof(kP224MontGX));\n OPENSSL_memcpy(out->generator.raw.Y.words, kP224MontGY, sizeof(kP224MontGY));\n OPENSSL_memcpy(out->generator.raw.Z.words, kP224FieldR, sizeof(kP224FieldR));\n OPENSSL_memcpy(out->b.words, kP224MontB, sizeof(kP224MontB));\n#endif\n out->generator.group = out;\n\n ec_group_set_a_minus3(out);\n out->has_order = 1;\n out->field_greater_than_order = 1;\n}\n\nDEFINE_METHOD_FUNCTION(EC_GROUP, EC_group_p256) {\n out->curve_name = NID_X9_62_prime256v1;\n out->comment = \"NIST P-256\";\n // 1.2.840.10045.3.1.7\n static const uint8_t kOIDP256[] = {0x2a, 0x86, 0x48, 0xce,\n 0x3d, 0x03, 0x01, 0x07};\n OPENSSL_memcpy(out->oid, kOIDP256, sizeof(kOIDP256));\n out->oid_len = sizeof(kOIDP256);\n\n ec_group_init_static_mont(&out->field, OPENSSL_ARRAY_SIZE(kP256Field),\n kP256Field, kP256FieldRR, kP256FieldN0);\n ec_group_init_static_mont(&out->order, OPENSSL_ARRAY_SIZE(kP256Order),\n kP256Order, kP256OrderRR, kP256OrderN0);\n\n#if !defined(OPENSSL_NO_ASM) && \\\n (defined(OPENSSL_X86_64) || defined(OPENSSL_AARCH64)) && \\\n !defined(OPENSSL_SMALL)\n out->meth = EC_GFp_nistz256_method();\n#else\n out->meth = EC_GFp_nistp256_method();\n#endif\n out->generator.group = out;\n OPENSSL_memcpy(out->generator.raw.X.words, kP256MontGX, sizeof(kP256MontGX));\n OPENSSL_memcpy(out->generator.raw.Y.words, kP256MontGY, sizeof(kP256MontGY));\n OPENSSL_memcpy(out->generator.raw.Z.words, kP256FieldR, sizeof(kP256FieldR));\n OPENSSL_memcpy(out->b.words, kP256MontB, sizeof(kP256MontB));\n\n ec_group_set_a_minus3(out);\n out->has_order = 1;\n out->field_greater_than_order = 1;\n}\n\nDEFINE_METHOD_FUNCTION(EC_GROUP, EC_group_p384) {\n out->curve_name = NID_secp384r1;\n out->comment = \"NIST P-384\";\n // 1.3.132.0.34\n static const uint8_t kOIDP384[] = {0x2b, 0x81, 0x04, 0x00, 0x22};\n OPENSSL_memcpy(out->oid, kOIDP384, sizeof(kOIDP384));\n out->oid_len = sizeof(kOIDP384);\n\n ec_group_init_static_mont(&out->field, OPENSSL_ARRAY_SIZE(kP384Field),\n kP384Field, kP384FieldRR, kP384FieldN0);\n ec_group_init_static_mont(&out->order, OPENSSL_ARRAY_SIZE(kP384Order),\n kP384Order, kP384OrderRR, kP384OrderN0);\n\n out->meth = EC_GFp_mont_method();\n out->generator.group = out;\n OPENSSL_memcpy(out->generator.raw.X.words, kP384MontGX, sizeof(kP384MontGX));\n OPENSSL_memcpy(out->generator.raw.Y.words, kP384MontGY, sizeof(kP384MontGY));\n OPENSSL_memcpy(out->generator.raw.Z.words, kP384FieldR, sizeof(kP384FieldR));\n OPENSSL_memcpy(out->b.words, kP384MontB, sizeof(kP384MontB));\n\n ec_group_set_a_minus3(out);\n out->has_order = 1;\n out->field_greater_than_order = 1;\n}\n\nDEFINE_METHOD_FUNCTION(EC_GROUP, EC_group_p521) {\n out->curve_name = NID_secp521r1;\n out->comment = \"NIST P-521\";\n // 1.3.132.0.35\n static const uint8_t kOIDP521[] = {0x2b, 0x81, 0x04, 0x00, 0x23};\n OPENSSL_memcpy(out->oid, kOIDP521, sizeof(kOIDP521));\n out->oid_len = sizeof(kOIDP521);\n\n ec_group_init_static_mont(&out->field, OPENSSL_ARRAY_SIZE(kP521Field),\n kP521Field, kP521FieldRR, kP521FieldN0);\n ec_group_init_static_mont(&out->order, OPENSSL_ARRAY_SIZE(kP521Order),\n kP521Order, kP521OrderRR, kP521OrderN0);\n\n out->meth = EC_GFp_mont_method();\n out->generator.group = out;\n OPENSSL_memcpy(out->generator.raw.X.words, kP521MontGX, sizeof(kP521MontGX));\n OPENSSL_memcpy(out->generator.raw.Y.words, kP521MontGY, sizeof(kP521MontGY));\n OPENSSL_memcpy(out->generator.raw.Z.words, kP521FieldR, sizeof(kP521FieldR));\n OPENSSL_memcpy(out->b.words, kP521MontB, sizeof(kP521MontB));\n\n ec_group_set_a_minus3(out);\n out->has_order = 1;\n out->field_greater_than_order = 1;\n}\n\nEC_GROUP *EC_GROUP_new_curve_GFp(const BIGNUM *p, const BIGNUM *a,\n const BIGNUM *b, BN_CTX *ctx) {\n if (BN_num_bytes(p) > EC_MAX_BYTES) {\n OPENSSL_PUT_ERROR(EC, EC_R_INVALID_FIELD);\n return NULL;\n }\n\n BN_CTX *new_ctx = NULL;\n if (ctx == NULL) {\n ctx = new_ctx = BN_CTX_new();\n if (ctx == NULL) {\n return NULL;\n }\n }\n\n // Historically, |a| and |b| were not required to be fully reduced.\n // TODO(davidben): Can this be removed?\n EC_GROUP *ret = NULL;\n BN_CTX_start(ctx);\n BIGNUM *a_reduced = BN_CTX_get(ctx);\n BIGNUM *b_reduced = BN_CTX_get(ctx);\n if (a_reduced == NULL || b_reduced == NULL ||\n !BN_nnmod(a_reduced, a, p, ctx) || !BN_nnmod(b_reduced, b, p, ctx)) {\n goto err;\n }\n\n ret = reinterpret_cast(OPENSSL_zalloc(sizeof(EC_GROUP)));\n if (ret == NULL) {\n return NULL;\n }\n ret->references = 1;\n ret->meth = EC_GFp_mont_method();\n bn_mont_ctx_init(&ret->field);\n bn_mont_ctx_init(&ret->order);\n ret->generator.group = ret;\n if (!ec_GFp_simple_group_set_curve(ret, p, a_reduced, b_reduced, ctx)) {\n EC_GROUP_free(ret);\n ret = NULL;\n goto err;\n }\n\nerr:\n BN_CTX_end(ctx);\n BN_CTX_free(new_ctx);\n return ret;\n}\n\nint EC_GROUP_set_generator(EC_GROUP *group, const EC_POINT *generator,\n const BIGNUM *order, const BIGNUM *cofactor) {\n if (group->curve_name != NID_undef || group->has_order ||\n generator->group != group) {\n // |EC_GROUP_set_generator| may only be used with |EC_GROUP|s returned by\n // |EC_GROUP_new_curve_GFp| and may only used once on each group.\n // |generator| must have been created from |EC_GROUP_new_curve_GFp|, not a\n // copy, so that |generator->group->generator| is set correctly.\n OPENSSL_PUT_ERROR(EC, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);\n return 0;\n }\n\n if (BN_num_bytes(order) > EC_MAX_BYTES) {\n OPENSSL_PUT_ERROR(EC, EC_R_INVALID_GROUP_ORDER);\n return 0;\n }\n\n // Require a cofactor of one for custom curves, which implies prime order.\n if (!BN_is_one(cofactor)) {\n OPENSSL_PUT_ERROR(EC, EC_R_INVALID_COFACTOR);\n return 0;\n }\n\n // Require that p < 2×order. This simplifies some ECDSA operations.\n //\n // Note any curve which did not satisfy this must have been invalid or use a\n // tiny prime (less than 17). See the proof in |field_element_to_scalar| in\n // the ECDSA implementation.\n int ret = 0;\n BIGNUM *tmp = BN_new();\n if (tmp == NULL || !BN_lshift1(tmp, order)) {\n goto err;\n }\n if (BN_cmp(tmp, &group->field.N) <= 0) {\n OPENSSL_PUT_ERROR(EC, EC_R_INVALID_GROUP_ORDER);\n goto err;\n }\n\n EC_AFFINE affine;\n if (!ec_jacobian_to_affine(group, &affine, &generator->raw) ||\n !BN_MONT_CTX_set(&group->order, order, NULL)) {\n goto err;\n }\n\n group->field_greater_than_order = BN_cmp(&group->field.N, order) > 0;\n group->generator.raw.X = affine.X;\n group->generator.raw.Y = affine.Y;\n // |raw.Z| was set to 1 by |EC_GROUP_new_curve_GFp|.\n group->has_order = 1;\n ret = 1;\n\nerr:\n BN_free(tmp);\n return ret;\n}\n\nEC_GROUP *EC_GROUP_new_by_curve_name(int nid) {\n switch (nid) {\n case NID_secp224r1:\n return (EC_GROUP *)EC_group_p224();\n case NID_X9_62_prime256v1:\n return (EC_GROUP *)EC_group_p256();\n case NID_secp384r1:\n return (EC_GROUP *)EC_group_p384();\n case NID_secp521r1:\n return (EC_GROUP *)EC_group_p521();\n default:\n OPENSSL_PUT_ERROR(EC, EC_R_UNKNOWN_GROUP);\n return NULL;\n }\n}\n\nvoid EC_GROUP_free(EC_GROUP *group) {\n if (group == NULL ||\n // Built-in curves are static.\n group->curve_name != NID_undef ||\n !CRYPTO_refcount_dec_and_test_zero(&group->references)) {\n return;\n }\n\n bn_mont_ctx_cleanup(&group->order);\n bn_mont_ctx_cleanup(&group->field);\n OPENSSL_free(group);\n}\n\nEC_GROUP *EC_GROUP_dup(const EC_GROUP *a) {\n if (a == NULL ||\n // Built-in curves are static.\n a->curve_name != NID_undef) {\n return (EC_GROUP *)a;\n }\n\n // Groups are logically immutable (but for |EC_GROUP_set_generator| which must\n // be called early on), so we simply take a reference.\n EC_GROUP *group = (EC_GROUP *)a;\n CRYPTO_refcount_inc(&group->references);\n return group;\n}\n\nint EC_GROUP_cmp(const EC_GROUP *a, const EC_GROUP *b, BN_CTX *ignored) {\n // Note this function returns 0 if equal and non-zero otherwise.\n if (a == b) {\n return 0;\n }\n if (a->curve_name != b->curve_name) {\n return 1;\n }\n if (a->curve_name != NID_undef) {\n // Built-in curves may be compared by curve name alone.\n return 0;\n }\n\n // |a| and |b| are both custom curves. We compare the entire curve\n // structure. If |a| or |b| is incomplete (due to legacy OpenSSL mistakes,\n // custom curve construction is sadly done in two parts) but otherwise not the\n // same object, we consider them always unequal.\n return a->meth != b->meth || //\n !a->has_order || !b->has_order ||\n BN_cmp(&a->order.N, &b->order.N) != 0 ||\n BN_cmp(&a->field.N, &b->field.N) != 0 ||\n !ec_felem_equal(a, &a->a, &b->a) || //\n !ec_felem_equal(a, &a->b, &b->b) ||\n !ec_GFp_simple_points_equal(a, &a->generator.raw, &b->generator.raw);\n}\n\nconst EC_POINT *EC_GROUP_get0_generator(const EC_GROUP *group) {\n return group->has_order ? &group->generator : NULL;\n}\n\nconst BIGNUM *EC_GROUP_get0_order(const EC_GROUP *group) {\n assert(group->has_order);\n return &group->order.N;\n}\n\nint EC_GROUP_get_order(const EC_GROUP *group, BIGNUM *order, BN_CTX *ctx) {\n if (BN_copy(order, EC_GROUP_get0_order(group)) == NULL) {\n return 0;\n }\n return 1;\n}\n\nint EC_GROUP_order_bits(const EC_GROUP *group) {\n return BN_num_bits(&group->order.N);\n}\n\nint EC_GROUP_get_cofactor(const EC_GROUP *group, BIGNUM *cofactor,\n BN_CTX *ctx) {\n // All |EC_GROUP|s have cofactor 1.\n return BN_set_word(cofactor, 1);\n}\n\nint EC_GROUP_get_curve_GFp(const EC_GROUP *group, BIGNUM *out_p, BIGNUM *out_a,\n BIGNUM *out_b, BN_CTX *ctx) {\n return ec_GFp_simple_group_get_curve(group, out_p, out_a, out_b);\n}\n\nint EC_GROUP_get_curve_name(const EC_GROUP *group) { return group->curve_name; }\n\nunsigned EC_GROUP_get_degree(const EC_GROUP *group) {\n return BN_num_bits(&group->field.N);\n}\n\nconst char *EC_curve_nid2nist(int nid) {\n switch (nid) {\n case NID_secp224r1:\n return \"P-224\";\n case NID_X9_62_prime256v1:\n return \"P-256\";\n case NID_secp384r1:\n return \"P-384\";\n case NID_secp521r1:\n return \"P-521\";\n }\n return NULL;\n}\n\nint EC_curve_nist2nid(const char *name) {\n if (strcmp(name, \"P-224\") == 0) {\n return NID_secp224r1;\n }\n if (strcmp(name, \"P-256\") == 0) {\n return NID_X9_62_prime256v1;\n }\n if (strcmp(name, \"P-384\") == 0) {\n return NID_secp384r1;\n }\n if (strcmp(name, \"P-521\") == 0) {\n return NID_secp521r1;\n }\n return NID_undef;\n}\n\nEC_POINT *EC_POINT_new(const EC_GROUP *group) {\n if (group == NULL) {\n OPENSSL_PUT_ERROR(EC, ERR_R_PASSED_NULL_PARAMETER);\n return NULL;\n }\n\n EC_POINT *ret = reinterpret_cast(OPENSSL_malloc(sizeof *ret));\n if (ret == NULL) {\n return NULL;\n }\n\n ret->group = EC_GROUP_dup(group);\n ec_GFp_simple_point_init(&ret->raw);\n return ret;\n}\n\nstatic void ec_point_free(EC_POINT *point, int free_group) {\n if (!point) {\n return;\n }\n if (free_group) {\n EC_GROUP_free(point->group);\n }\n OPENSSL_free(point);\n}\n\nvoid EC_POINT_free(EC_POINT *point) {\n ec_point_free(point, 1 /* free group */);\n}\n\nvoid EC_POINT_clear_free(EC_POINT *point) { EC_POINT_free(point); }\n\nint EC_POINT_copy(EC_POINT *dest, const EC_POINT *src) {\n if (EC_GROUP_cmp(dest->group, src->group, NULL) != 0) {\n OPENSSL_PUT_ERROR(EC, EC_R_INCOMPATIBLE_OBJECTS);\n return 0;\n }\n if (dest == src) {\n return 1;\n }\n ec_GFp_simple_point_copy(&dest->raw, &src->raw);\n return 1;\n}\n\nEC_POINT *EC_POINT_dup(const EC_POINT *a, const EC_GROUP *group) {\n if (a == NULL) {\n return NULL;\n }\n\n EC_POINT *ret = EC_POINT_new(group);\n if (ret == NULL || !EC_POINT_copy(ret, a)) {\n EC_POINT_free(ret);\n return NULL;\n }\n\n return ret;\n}\n\nint EC_POINT_set_to_infinity(const EC_GROUP *group, EC_POINT *point) {\n if (EC_GROUP_cmp(group, point->group, NULL) != 0) {\n OPENSSL_PUT_ERROR(EC, EC_R_INCOMPATIBLE_OBJECTS);\n return 0;\n }\n ec_GFp_simple_point_set_to_infinity(group, &point->raw);\n return 1;\n}\n\nint EC_POINT_is_at_infinity(const EC_GROUP *group, const EC_POINT *point) {\n if (EC_GROUP_cmp(group, point->group, NULL) != 0) {\n OPENSSL_PUT_ERROR(EC, EC_R_INCOMPATIBLE_OBJECTS);\n return 0;\n }\n return ec_GFp_simple_is_at_infinity(group, &point->raw);\n}\n\nint EC_POINT_is_on_curve(const EC_GROUP *group, const EC_POINT *point,\n BN_CTX *ctx) {\n if (EC_GROUP_cmp(group, point->group, NULL) != 0) {\n OPENSSL_PUT_ERROR(EC, EC_R_INCOMPATIBLE_OBJECTS);\n return 0;\n }\n return ec_GFp_simple_is_on_curve(group, &point->raw);\n}\n\nint EC_POINT_cmp(const EC_GROUP *group, const EC_POINT *a, const EC_POINT *b,\n BN_CTX *ctx) {\n if (EC_GROUP_cmp(group, a->group, NULL) != 0 ||\n EC_GROUP_cmp(group, b->group, NULL) != 0) {\n OPENSSL_PUT_ERROR(EC, EC_R_INCOMPATIBLE_OBJECTS);\n return -1;\n }\n\n // Note |EC_POINT_cmp| returns zero for equality and non-zero for inequality.\n return ec_GFp_simple_points_equal(group, &a->raw, &b->raw) ? 0 : 1;\n}\n\nint EC_POINT_get_affine_coordinates_GFp(const EC_GROUP *group,\n const EC_POINT *point, BIGNUM *x,\n BIGNUM *y, BN_CTX *ctx) {\n if (group->meth->point_get_affine_coordinates == 0) {\n OPENSSL_PUT_ERROR(EC, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);\n return 0;\n }\n if (EC_GROUP_cmp(group, point->group, NULL) != 0) {\n OPENSSL_PUT_ERROR(EC, EC_R_INCOMPATIBLE_OBJECTS);\n return 0;\n }\n EC_FELEM x_felem, y_felem;\n if (!group->meth->point_get_affine_coordinates(group, &point->raw,\n x == NULL ? NULL : &x_felem,\n y == NULL ? NULL : &y_felem) ||\n (x != NULL && !ec_felem_to_bignum(group, x, &x_felem)) ||\n (y != NULL && !ec_felem_to_bignum(group, y, &y_felem))) {\n return 0;\n }\n return 1;\n}\n\nint EC_POINT_get_affine_coordinates(const EC_GROUP *group,\n const EC_POINT *point, BIGNUM *x, BIGNUM *y,\n BN_CTX *ctx) {\n return EC_POINT_get_affine_coordinates_GFp(group, point, x, y, ctx);\n}\n\nvoid ec_affine_to_jacobian(const EC_GROUP *group, EC_JACOBIAN *out,\n const EC_AFFINE *p) {\n out->X = p->X;\n out->Y = p->Y;\n out->Z = *ec_felem_one(group);\n}\n\nint ec_jacobian_to_affine(const EC_GROUP *group, EC_AFFINE *out,\n const EC_JACOBIAN *p) {\n return group->meth->point_get_affine_coordinates(group, p, &out->X, &out->Y);\n}\n\nint ec_jacobian_to_affine_batch(const EC_GROUP *group, EC_AFFINE *out,\n const EC_JACOBIAN *in, size_t num) {\n if (group->meth->jacobian_to_affine_batch == NULL) {\n OPENSSL_PUT_ERROR(EC, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);\n return 0;\n }\n return group->meth->jacobian_to_affine_batch(group, out, in, num);\n}\n\nint ec_point_set_affine_coordinates(const EC_GROUP *group, EC_AFFINE *out,\n const EC_FELEM *x, const EC_FELEM *y) {\n void (*const felem_mul)(const EC_GROUP *, EC_FELEM *r, const EC_FELEM *a,\n const EC_FELEM *b) = group->meth->felem_mul;\n void (*const felem_sqr)(const EC_GROUP *, EC_FELEM *r, const EC_FELEM *a) =\n group->meth->felem_sqr;\n\n // Check if the point is on the curve.\n EC_FELEM lhs, rhs;\n felem_sqr(group, &lhs, y); // lhs = y^2\n felem_sqr(group, &rhs, x); // rhs = x^2\n ec_felem_add(group, &rhs, &rhs, &group->a); // rhs = x^2 + a\n felem_mul(group, &rhs, &rhs, x); // rhs = x^3 + ax\n ec_felem_add(group, &rhs, &rhs, &group->b); // rhs = x^3 + ax + b\n if (!ec_felem_equal(group, &lhs, &rhs)) {\n OPENSSL_PUT_ERROR(EC, EC_R_POINT_IS_NOT_ON_CURVE);\n // In the event of an error, defend against the caller not checking the\n // return value by setting a known safe value. Note this may not be possible\n // if the caller is in the process of constructing an arbitrary group and\n // the generator is missing.\n if (group->has_order) {\n out->X = group->generator.raw.X;\n out->Y = group->generator.raw.Y;\n }\n return 0;\n }\n\n out->X = *x;\n out->Y = *y;\n return 1;\n}\n\nint EC_POINT_set_affine_coordinates_GFp(const EC_GROUP *group, EC_POINT *point,\n const BIGNUM *x, const BIGNUM *y,\n BN_CTX *ctx) {\n if (EC_GROUP_cmp(group, point->group, NULL) != 0) {\n OPENSSL_PUT_ERROR(EC, EC_R_INCOMPATIBLE_OBJECTS);\n return 0;\n }\n\n if (x == NULL || y == NULL) {\n OPENSSL_PUT_ERROR(EC, ERR_R_PASSED_NULL_PARAMETER);\n return 0;\n }\n\n EC_FELEM x_felem, y_felem;\n EC_AFFINE affine;\n if (!ec_bignum_to_felem(group, &x_felem, x) ||\n !ec_bignum_to_felem(group, &y_felem, y) ||\n !ec_point_set_affine_coordinates(group, &affine, &x_felem, &y_felem)) {\n // In the event of an error, defend against the caller not checking the\n // return value by setting a known safe value.\n ec_set_to_safe_point(group, &point->raw);\n return 0;\n }\n\n ec_affine_to_jacobian(group, &point->raw, &affine);\n return 1;\n}\n\nint EC_POINT_set_affine_coordinates(const EC_GROUP *group, EC_POINT *point,\n const BIGNUM *x, const BIGNUM *y,\n BN_CTX *ctx) {\n return EC_POINT_set_affine_coordinates_GFp(group, point, x, y, ctx);\n}\n\nint EC_POINT_add(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a,\n const EC_POINT *b, BN_CTX *ctx) {\n if (EC_GROUP_cmp(group, r->group, NULL) != 0 ||\n EC_GROUP_cmp(group, a->group, NULL) != 0 ||\n EC_GROUP_cmp(group, b->group, NULL) != 0) {\n OPENSSL_PUT_ERROR(EC, EC_R_INCOMPATIBLE_OBJECTS);\n return 0;\n }\n group->meth->add(group, &r->raw, &a->raw, &b->raw);\n return 1;\n}\n\nint EC_POINT_dbl(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a,\n BN_CTX *ctx) {\n if (EC_GROUP_cmp(group, r->group, NULL) != 0 ||\n EC_GROUP_cmp(group, a->group, NULL) != 0) {\n OPENSSL_PUT_ERROR(EC, EC_R_INCOMPATIBLE_OBJECTS);\n return 0;\n }\n group->meth->dbl(group, &r->raw, &a->raw);\n return 1;\n}\n\n\nint EC_POINT_invert(const EC_GROUP *group, EC_POINT *a, BN_CTX *ctx) {\n if (EC_GROUP_cmp(group, a->group, NULL) != 0) {\n OPENSSL_PUT_ERROR(EC, EC_R_INCOMPATIBLE_OBJECTS);\n return 0;\n }\n ec_GFp_simple_invert(group, &a->raw);\n return 1;\n}\n\nstatic int arbitrary_bignum_to_scalar(const EC_GROUP *group, EC_SCALAR *out,\n const BIGNUM *in, BN_CTX *ctx) {\n if (ec_bignum_to_scalar(group, out, in)) {\n return 1;\n }\n\n ERR_clear_error();\n\n // This is an unusual input, so we do not guarantee constant-time processing.\n BN_CTX_start(ctx);\n BIGNUM *tmp = BN_CTX_get(ctx);\n int ok = tmp != NULL && BN_nnmod(tmp, in, EC_GROUP_get0_order(group), ctx) &&\n ec_bignum_to_scalar(group, out, tmp);\n BN_CTX_end(ctx);\n return ok;\n}\n\nint ec_point_mul_no_self_test(const EC_GROUP *group, EC_POINT *r,\n const BIGNUM *g_scalar, const EC_POINT *p,\n const BIGNUM *p_scalar, BN_CTX *ctx) {\n // Previously, this function set |r| to the point at infinity if there was\n // nothing to multiply. But, nobody should be calling this function with\n // nothing to multiply in the first place.\n if ((g_scalar == NULL && p_scalar == NULL) ||\n (p == NULL) != (p_scalar == NULL)) {\n OPENSSL_PUT_ERROR(EC, ERR_R_PASSED_NULL_PARAMETER);\n return 0;\n }\n\n if (EC_GROUP_cmp(group, r->group, NULL) != 0 ||\n (p != NULL && EC_GROUP_cmp(group, p->group, NULL) != 0)) {\n OPENSSL_PUT_ERROR(EC, EC_R_INCOMPATIBLE_OBJECTS);\n return 0;\n }\n\n int ret = 0;\n BN_CTX *new_ctx = NULL;\n if (ctx == NULL) {\n new_ctx = BN_CTX_new();\n if (new_ctx == NULL) {\n goto err;\n }\n ctx = new_ctx;\n }\n\n // If both |g_scalar| and |p_scalar| are non-NULL,\n // |ec_point_mul_scalar_public| would share the doublings between the two\n // products, which would be more efficient. However, we conservatively assume\n // the caller needs a constant-time operation. (ECDSA verification does not\n // use this function.)\n //\n // Previously, the low-level constant-time multiplication function aligned\n // with this function's calling convention, but this was misleading. Curves\n // which combined the two multiplications did not avoid the doubling case\n // in the incomplete addition formula and were not constant-time.\n\n if (g_scalar != NULL) {\n EC_SCALAR scalar;\n if (!arbitrary_bignum_to_scalar(group, &scalar, g_scalar, ctx) ||\n !ec_point_mul_scalar_base(group, &r->raw, &scalar)) {\n goto err;\n }\n }\n\n if (p_scalar != NULL) {\n EC_SCALAR scalar;\n EC_JACOBIAN tmp;\n if (!arbitrary_bignum_to_scalar(group, &scalar, p_scalar, ctx) ||\n !ec_point_mul_scalar(group, &tmp, &p->raw, &scalar)) {\n goto err;\n }\n if (g_scalar == NULL) {\n OPENSSL_memcpy(&r->raw, &tmp, sizeof(EC_JACOBIAN));\n } else {\n group->meth->add(group, &r->raw, &r->raw, &tmp);\n }\n }\n\n ret = 1;\n\nerr:\n BN_CTX_free(new_ctx);\n return ret;\n}\n\nint EC_POINT_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *g_scalar,\n const EC_POINT *p, const BIGNUM *p_scalar, BN_CTX *ctx) {\n boringssl_ensure_ecc_self_test();\n\n return ec_point_mul_no_self_test(group, r, g_scalar, p, p_scalar, ctx);\n}\n\nint ec_point_mul_scalar_public(const EC_GROUP *group, EC_JACOBIAN *r,\n const EC_SCALAR *g_scalar, const EC_JACOBIAN *p,\n const EC_SCALAR *p_scalar) {\n if (g_scalar == NULL || p_scalar == NULL || p == NULL) {\n OPENSSL_PUT_ERROR(EC, ERR_R_PASSED_NULL_PARAMETER);\n return 0;\n }\n\n if (group->meth->mul_public == NULL) {\n return group->meth->mul_public_batch(group, r, g_scalar, p, p_scalar, 1);\n }\n\n group->meth->mul_public(group, r, g_scalar, p, p_scalar);\n return 1;\n}\n\nint ec_point_mul_scalar_public_batch(const EC_GROUP *group, EC_JACOBIAN *r,\n const EC_SCALAR *g_scalar,\n const EC_JACOBIAN *points,\n const EC_SCALAR *scalars, size_t num) {\n if (group->meth->mul_public_batch == NULL) {\n OPENSSL_PUT_ERROR(EC, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);\n return 0;\n }\n\n return group->meth->mul_public_batch(group, r, g_scalar, points, scalars,\n num);\n}\n\nint ec_point_mul_scalar(const EC_GROUP *group, EC_JACOBIAN *r,\n const EC_JACOBIAN *p, const EC_SCALAR *scalar) {\n if (p == NULL || scalar == NULL) {\n OPENSSL_PUT_ERROR(EC, ERR_R_PASSED_NULL_PARAMETER);\n return 0;\n }\n\n group->meth->mul(group, r, p, scalar);\n\n // Check the result is on the curve to defend against fault attacks or bugs.\n // This has negligible cost compared to the multiplication.\n if (!ec_GFp_simple_is_on_curve(group, r)) {\n OPENSSL_PUT_ERROR(EC, ERR_R_INTERNAL_ERROR);\n return 0;\n }\n\n return 1;\n}\n\nint ec_point_mul_scalar_base(const EC_GROUP *group, EC_JACOBIAN *r,\n const EC_SCALAR *scalar) {\n if (scalar == NULL) {\n OPENSSL_PUT_ERROR(EC, ERR_R_PASSED_NULL_PARAMETER);\n return 0;\n }\n\n group->meth->mul_base(group, r, scalar);\n\n // Check the result is on the curve to defend against fault attacks or bugs.\n // This has negligible cost compared to the multiplication. This can only\n // happen on bug or CPU fault, so it okay to leak this. The alternative would\n // be to proceed with bad data.\n if (!constant_time_declassify_int(ec_GFp_simple_is_on_curve(group, r))) {\n OPENSSL_PUT_ERROR(EC, ERR_R_INTERNAL_ERROR);\n return 0;\n }\n\n return 1;\n}\n\nint ec_point_mul_scalar_batch(const EC_GROUP *group, EC_JACOBIAN *r,\n const EC_JACOBIAN *p0, const EC_SCALAR *scalar0,\n const EC_JACOBIAN *p1, const EC_SCALAR *scalar1,\n const EC_JACOBIAN *p2, const EC_SCALAR *scalar2) {\n if (group->meth->mul_batch == NULL) {\n OPENSSL_PUT_ERROR(EC, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);\n return 0;\n }\n\n group->meth->mul_batch(group, r, p0, scalar0, p1, scalar1, p2, scalar2);\n\n // Check the result is on the curve to defend against fault attacks or bugs.\n // This has negligible cost compared to the multiplication.\n if (!ec_GFp_simple_is_on_curve(group, r)) {\n OPENSSL_PUT_ERROR(EC, ERR_R_INTERNAL_ERROR);\n return 0;\n }\n\n return 1;\n}\n\nint ec_init_precomp(const EC_GROUP *group, EC_PRECOMP *out,\n const EC_JACOBIAN *p) {\n if (group->meth->init_precomp == NULL) {\n OPENSSL_PUT_ERROR(EC, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);\n return 0;\n }\n\n return group->meth->init_precomp(group, out, p);\n}\n\nint ec_point_mul_scalar_precomp(const EC_GROUP *group, EC_JACOBIAN *r,\n const EC_PRECOMP *p0, const EC_SCALAR *scalar0,\n const EC_PRECOMP *p1, const EC_SCALAR *scalar1,\n const EC_PRECOMP *p2,\n const EC_SCALAR *scalar2) {\n if (group->meth->mul_precomp == NULL) {\n OPENSSL_PUT_ERROR(EC, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);\n return 0;\n }\n\n group->meth->mul_precomp(group, r, p0, scalar0, p1, scalar1, p2, scalar2);\n\n // Check the result is on the curve to defend against fault attacks or bugs.\n // This has negligible cost compared to the multiplication.\n if (!ec_GFp_simple_is_on_curve(group, r)) {\n OPENSSL_PUT_ERROR(EC, ERR_R_INTERNAL_ERROR);\n return 0;\n }\n\n return 1;\n}\n\nvoid ec_point_select(const EC_GROUP *group, EC_JACOBIAN *out, BN_ULONG mask,\n const EC_JACOBIAN *a, const EC_JACOBIAN *b) {\n ec_felem_select(group, &out->X, mask, &a->X, &b->X);\n ec_felem_select(group, &out->Y, mask, &a->Y, &b->Y);\n ec_felem_select(group, &out->Z, mask, &a->Z, &b->Z);\n}\n\nvoid ec_affine_select(const EC_GROUP *group, EC_AFFINE *out, BN_ULONG mask,\n const EC_AFFINE *a, const EC_AFFINE *b) {\n ec_felem_select(group, &out->X, mask, &a->X, &b->X);\n ec_felem_select(group, &out->Y, mask, &a->Y, &b->Y);\n}\n\nvoid ec_precomp_select(const EC_GROUP *group, EC_PRECOMP *out, BN_ULONG mask,\n const EC_PRECOMP *a, const EC_PRECOMP *b) {\n static_assert(sizeof(out->comb) == sizeof(*out),\n \"out->comb does not span the entire structure\");\n for (size_t i = 0; i < OPENSSL_ARRAY_SIZE(out->comb); i++) {\n ec_affine_select(group, &out->comb[i], mask, &a->comb[i], &b->comb[i]);\n }\n}\n\nint ec_cmp_x_coordinate(const EC_GROUP *group, const EC_JACOBIAN *p,\n const EC_SCALAR *r) {\n return group->meth->cmp_x_coordinate(group, p, r);\n}\n\nint ec_get_x_coordinate_as_scalar(const EC_GROUP *group, EC_SCALAR *out,\n const EC_JACOBIAN *p) {\n uint8_t bytes[EC_MAX_BYTES];\n size_t len;\n if (!ec_get_x_coordinate_as_bytes(group, bytes, &len, sizeof(bytes), p)) {\n return 0;\n }\n\n // The x-coordinate is bounded by p, but we need a scalar, bounded by the\n // order. These may not have the same size. However, we must have p < 2×order,\n // assuming p is not tiny (p >= 17).\n //\n // Thus |bytes| will fit in |order.width + 1| words, and we can reduce by\n // performing at most one subtraction.\n //\n // Proof: We only work with prime order curves, so the number of points on\n // the curve is the order. Thus Hasse's theorem gives:\n //\n // |order - (p + 1)| <= 2×sqrt(p)\n // p + 1 - order <= 2×sqrt(p)\n // p + 1 - 2×sqrt(p) <= order\n // p + 1 - 2×(p/4) < order (p/4 > sqrt(p) for p >= 17)\n // p/2 < p/2 + 1 < order\n // p < 2×order\n //\n // Additionally, one can manually check this property for built-in curves. It\n // is enforced for legacy custom curves in |EC_GROUP_set_generator|.\n const BIGNUM *order = EC_GROUP_get0_order(group);\n BN_ULONG words[EC_MAX_WORDS + 1] = {0};\n bn_big_endian_to_words(words, order->width + 1, bytes, len);\n bn_reduce_once(out->words, words, /*carry=*/words[order->width], order->d,\n order->width);\n return 1;\n}\n\nint ec_get_x_coordinate_as_bytes(const EC_GROUP *group, uint8_t *out,\n size_t *out_len, size_t max_out,\n const EC_JACOBIAN *p) {\n size_t len = BN_num_bytes(&group->field.N);\n assert(len <= EC_MAX_BYTES);\n if (max_out < len) {\n OPENSSL_PUT_ERROR(EC, EC_R_BUFFER_TOO_SMALL);\n return 0;\n }\n\n EC_FELEM x;\n if (!group->meth->point_get_affine_coordinates(group, p, &x, NULL)) {\n return 0;\n }\n\n ec_felem_to_bytes(group, out, out_len, &x);\n *out_len = len;\n return 1;\n}\n\nvoid ec_set_to_safe_point(const EC_GROUP *group, EC_JACOBIAN *out) {\n if (group->has_order) {\n ec_GFp_simple_point_copy(out, &group->generator.raw);\n } else {\n // The generator can be missing if the caller is in the process of\n // constructing an arbitrary group. In this case, we give up and use the\n // point at infinity.\n ec_GFp_simple_point_set_to_infinity(group, out);\n }\n}\n\nvoid EC_GROUP_set_asn1_flag(EC_GROUP *group, int flag) {}\n\nint EC_GROUP_get_asn1_flag(const EC_GROUP *group) {\n return OPENSSL_EC_NAMED_CURVE;\n}\n\nconst EC_METHOD *EC_GROUP_method_of(const EC_GROUP *group) {\n // This function exists purely to give callers a way to call\n // |EC_METHOD_get_field_type|. cryptography.io crashes if |EC_GROUP_method_of|\n // returns NULL, so return some other garbage pointer.\n return (const EC_METHOD *)0x12340000;\n}\n\nint EC_METHOD_get_field_type(const EC_METHOD *meth) {\n return NID_X9_62_prime_field;\n}\n\nvoid EC_GROUP_set_point_conversion_form(EC_GROUP *group,\n point_conversion_form_t form) {\n if (form != POINT_CONVERSION_UNCOMPRESSED) {\n abort();\n }\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/fipsmodule/ec/ec_key.cc.inc", "content": "/*\n * Copyright 2002-2016 The OpenSSL Project Authors. All Rights Reserved.\n * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n\n#include \n#include \n#include \n#include \n#include \n#include \n#include \n\n#include \"../../internal.h\"\n#include \"../bcm_interface.h\"\n#include \"../delocate.h\"\n#include \"../ecdsa/internal.h\"\n#include \"../service_indicator/internal.h\"\n#include \"internal.h\"\n\n\nDEFINE_STATIC_EX_DATA_CLASS(g_ec_ex_data_class)\n\nstatic EC_WRAPPED_SCALAR *ec_wrapped_scalar_new(const EC_GROUP *group) {\n EC_WRAPPED_SCALAR *wrapped = reinterpret_cast(\n OPENSSL_zalloc(sizeof(EC_WRAPPED_SCALAR)));\n if (wrapped == NULL) {\n return NULL;\n }\n\n wrapped->bignum.d = wrapped->scalar.words;\n wrapped->bignum.width = group->order.N.width;\n wrapped->bignum.dmax = group->order.N.width;\n wrapped->bignum.flags = BN_FLG_STATIC_DATA;\n return wrapped;\n}\n\nstatic void ec_wrapped_scalar_free(EC_WRAPPED_SCALAR *scalar) {\n OPENSSL_free(scalar);\n}\n\nEC_KEY *EC_KEY_new(void) { return EC_KEY_new_method(NULL); }\n\nEC_KEY *EC_KEY_new_method(const ENGINE *engine) {\n EC_KEY *ret = reinterpret_cast(OPENSSL_zalloc(sizeof(EC_KEY)));\n if (ret == NULL) {\n return NULL;\n }\n\n if (engine) {\n ret->ecdsa_meth = ENGINE_get_ECDSA_method(engine);\n }\n if (ret->ecdsa_meth) {\n METHOD_ref(ret->ecdsa_meth);\n }\n\n ret->conv_form = POINT_CONVERSION_UNCOMPRESSED;\n ret->references = 1;\n\n CRYPTO_new_ex_data(&ret->ex_data);\n\n if (ret->ecdsa_meth && ret->ecdsa_meth->init && !ret->ecdsa_meth->init(ret)) {\n CRYPTO_free_ex_data(g_ec_ex_data_class_bss_get(), ret, &ret->ex_data);\n if (ret->ecdsa_meth) {\n METHOD_unref(ret->ecdsa_meth);\n }\n OPENSSL_free(ret);\n return NULL;\n }\n\n return ret;\n}\n\nEC_KEY *EC_KEY_new_by_curve_name(int nid) {\n EC_KEY *ret = EC_KEY_new();\n if (ret == NULL) {\n return NULL;\n }\n ret->group = EC_GROUP_new_by_curve_name(nid);\n if (ret->group == NULL) {\n EC_KEY_free(ret);\n return NULL;\n }\n return ret;\n}\n\nvoid EC_KEY_free(EC_KEY *r) {\n if (r == NULL) {\n return;\n }\n\n if (!CRYPTO_refcount_dec_and_test_zero(&r->references)) {\n return;\n }\n\n if (r->ecdsa_meth) {\n if (r->ecdsa_meth->finish) {\n r->ecdsa_meth->finish(r);\n }\n METHOD_unref(r->ecdsa_meth);\n }\n\n CRYPTO_free_ex_data(g_ec_ex_data_class_bss_get(), r, &r->ex_data);\n\n EC_GROUP_free(r->group);\n EC_POINT_free(r->pub_key);\n ec_wrapped_scalar_free(r->priv_key);\n\n OPENSSL_free(r);\n}\n\nEC_KEY *EC_KEY_dup(const EC_KEY *src) {\n if (src == NULL) {\n OPENSSL_PUT_ERROR(EC, ERR_R_PASSED_NULL_PARAMETER);\n return NULL;\n }\n\n EC_KEY *ret = EC_KEY_new();\n if (ret == NULL) {\n return NULL;\n }\n\n if ((src->group != NULL && !EC_KEY_set_group(ret, src->group)) ||\n (src->pub_key != NULL && !EC_KEY_set_public_key(ret, src->pub_key)) ||\n (src->priv_key != NULL &&\n !EC_KEY_set_private_key(ret, EC_KEY_get0_private_key(src)))) {\n EC_KEY_free(ret);\n return NULL;\n }\n\n ret->enc_flag = src->enc_flag;\n ret->conv_form = src->conv_form;\n return ret;\n}\n\nint EC_KEY_up_ref(EC_KEY *r) {\n CRYPTO_refcount_inc(&r->references);\n return 1;\n}\n\nint EC_KEY_is_opaque(const EC_KEY *key) {\n return key->ecdsa_meth && (key->ecdsa_meth->flags & ECDSA_FLAG_OPAQUE);\n}\n\nconst EC_GROUP *EC_KEY_get0_group(const EC_KEY *key) { return key->group; }\n\nint EC_KEY_set_group(EC_KEY *key, const EC_GROUP *group) {\n // If |key| already has a group, it is an error to switch to another one.\n if (key->group != NULL) {\n if (EC_GROUP_cmp(key->group, group, NULL) != 0) {\n OPENSSL_PUT_ERROR(EC, EC_R_GROUP_MISMATCH);\n return 0;\n }\n return 1;\n }\n\n assert(key->priv_key == NULL);\n assert(key->pub_key == NULL);\n\n EC_GROUP_free(key->group);\n key->group = EC_GROUP_dup(group);\n return key->group != NULL;\n}\n\nconst BIGNUM *EC_KEY_get0_private_key(const EC_KEY *key) {\n return key->priv_key != NULL ? &key->priv_key->bignum : NULL;\n}\n\nint EC_KEY_set_private_key(EC_KEY *key, const BIGNUM *priv_key) {\n if (key->group == NULL) {\n OPENSSL_PUT_ERROR(EC, EC_R_MISSING_PARAMETERS);\n return 0;\n }\n\n EC_WRAPPED_SCALAR *scalar = ec_wrapped_scalar_new(key->group);\n if (scalar == NULL) {\n return 0;\n }\n if (!ec_bignum_to_scalar(key->group, &scalar->scalar, priv_key) ||\n // Zero is not a valid private key, so it is safe to leak the result of\n // this comparison.\n constant_time_declassify_int(\n ec_scalar_is_zero(key->group, &scalar->scalar))) {\n OPENSSL_PUT_ERROR(EC, EC_R_INVALID_PRIVATE_KEY);\n ec_wrapped_scalar_free(scalar);\n return 0;\n }\n ec_wrapped_scalar_free(key->priv_key);\n key->priv_key = scalar;\n return 1;\n}\n\nconst EC_POINT *EC_KEY_get0_public_key(const EC_KEY *key) {\n return key->pub_key;\n}\n\nint EC_KEY_set_public_key(EC_KEY *key, const EC_POINT *pub_key) {\n if (key->group == NULL) {\n OPENSSL_PUT_ERROR(EC, EC_R_MISSING_PARAMETERS);\n return 0;\n }\n\n if (pub_key != NULL && EC_GROUP_cmp(key->group, pub_key->group, NULL) != 0) {\n OPENSSL_PUT_ERROR(EC, EC_R_GROUP_MISMATCH);\n return 0;\n }\n\n EC_POINT_free(key->pub_key);\n key->pub_key = EC_POINT_dup(pub_key, key->group);\n return (key->pub_key == NULL) ? 0 : 1;\n}\n\nunsigned int EC_KEY_get_enc_flags(const EC_KEY *key) { return key->enc_flag; }\n\nvoid EC_KEY_set_enc_flags(EC_KEY *key, unsigned int flags) {\n key->enc_flag = flags;\n}\n\npoint_conversion_form_t EC_KEY_get_conv_form(const EC_KEY *key) {\n return key->conv_form;\n}\n\nvoid EC_KEY_set_conv_form(EC_KEY *key, point_conversion_form_t cform) {\n key->conv_form = cform;\n}\n\nint EC_KEY_check_key(const EC_KEY *eckey) {\n if (!eckey || !eckey->group || !eckey->pub_key) {\n OPENSSL_PUT_ERROR(EC, ERR_R_PASSED_NULL_PARAMETER);\n return 0;\n }\n\n if (EC_POINT_is_at_infinity(eckey->group, eckey->pub_key)) {\n OPENSSL_PUT_ERROR(EC, EC_R_POINT_AT_INFINITY);\n return 0;\n }\n\n // Test whether the public key is on the elliptic curve.\n if (!EC_POINT_is_on_curve(eckey->group, eckey->pub_key, NULL)) {\n OPENSSL_PUT_ERROR(EC, EC_R_POINT_IS_NOT_ON_CURVE);\n return 0;\n }\n\n // Check the public and private keys match.\n //\n // NOTE: this is a FIPS pair-wise consistency check for the ECDH case. See SP\n // 800-56Ar3, page 36.\n if (eckey->priv_key != NULL) {\n EC_JACOBIAN point;\n if (!ec_point_mul_scalar_base(eckey->group, &point,\n &eckey->priv_key->scalar)) {\n OPENSSL_PUT_ERROR(EC, ERR_R_EC_LIB);\n return 0;\n }\n // Leaking this comparison only leaks whether |eckey|'s public key was\n // correct.\n if (!constant_time_declassify_int(ec_GFp_simple_points_equal(\n eckey->group, &point, &eckey->pub_key->raw))) {\n OPENSSL_PUT_ERROR(EC, EC_R_INVALID_PRIVATE_KEY);\n return 0;\n }\n }\n\n return 1;\n}\n\nint EC_KEY_check_fips(const EC_KEY *key) {\n int ret = 0;\n FIPS_service_indicator_lock_state();\n\n if (!EC_KEY_check_key(key)) {\n goto end;\n }\n\n if (key->priv_key) {\n uint8_t digest[BCM_SHA256_DIGEST_LENGTH] = {0};\n uint8_t sig[ECDSA_MAX_FIXED_LEN];\n size_t sig_len;\n if (!ecdsa_sign_fixed(digest, sizeof(digest), sig, &sig_len, sizeof(sig),\n key)) {\n goto end;\n }\n if (boringssl_fips_break_test(\"ECDSA_PWCT\")) {\n digest[0] = ~digest[0];\n }\n if (!ecdsa_verify_fixed(digest, sizeof(digest), sig, sig_len, key)) {\n OPENSSL_PUT_ERROR(EC, EC_R_PUBLIC_KEY_VALIDATION_FAILED);\n goto end;\n }\n }\n\n ret = 1;\n\nend:\n FIPS_service_indicator_unlock_state();\n if (ret) {\n EC_KEY_keygen_verify_service_indicator(key);\n }\n\n return ret;\n}\n\nint EC_KEY_set_public_key_affine_coordinates(EC_KEY *key, const BIGNUM *x,\n const BIGNUM *y) {\n EC_POINT *point = NULL;\n int ok = 0;\n\n if (!key || !key->group || !x || !y) {\n OPENSSL_PUT_ERROR(EC, ERR_R_PASSED_NULL_PARAMETER);\n return 0;\n }\n\n point = EC_POINT_new(key->group);\n if (point == NULL ||\n !EC_POINT_set_affine_coordinates_GFp(key->group, point, x, y, NULL) ||\n !EC_KEY_set_public_key(key, point) || !EC_KEY_check_key(key)) {\n goto err;\n }\n\n ok = 1;\n\nerr:\n EC_POINT_free(point);\n return ok;\n}\n\nint EC_KEY_oct2key(EC_KEY *key, const uint8_t *in, size_t len, BN_CTX *ctx) {\n if (key->group == NULL) {\n OPENSSL_PUT_ERROR(EC, EC_R_MISSING_PARAMETERS);\n return 0;\n }\n\n EC_POINT *point = EC_POINT_new(key->group);\n int ok = point != NULL &&\n EC_POINT_oct2point(key->group, point, in, len, ctx) &&\n EC_KEY_set_public_key(key, point);\n EC_POINT_free(point);\n return ok;\n}\n\nsize_t EC_KEY_key2buf(const EC_KEY *key, point_conversion_form_t form,\n uint8_t **out_buf, BN_CTX *ctx) {\n if (key == NULL || key->pub_key == NULL || key->group == NULL) {\n OPENSSL_PUT_ERROR(EC, EC_R_MISSING_PARAMETERS);\n return 0;\n }\n\n return EC_POINT_point2buf(key->group, key->pub_key, form, out_buf, ctx);\n}\n\nint EC_KEY_oct2priv(EC_KEY *key, const uint8_t *in, size_t len) {\n if (key->group == NULL) {\n OPENSSL_PUT_ERROR(EC, EC_R_MISSING_PARAMETERS);\n return 0;\n }\n\n if (len != BN_num_bytes(EC_GROUP_get0_order(key->group))) {\n OPENSSL_PUT_ERROR(EC, EC_R_DECODE_ERROR);\n return 0;\n }\n\n BIGNUM *priv_key = BN_bin2bn(in, len, NULL);\n int ok = priv_key != NULL && //\n EC_KEY_set_private_key(key, priv_key);\n BN_free(priv_key);\n return ok;\n}\n\nsize_t EC_KEY_priv2oct(const EC_KEY *key, uint8_t *out, size_t max_out) {\n if (key->group == NULL || key->priv_key == NULL) {\n OPENSSL_PUT_ERROR(EC, EC_R_MISSING_PARAMETERS);\n return 0;\n }\n\n size_t len = BN_num_bytes(EC_GROUP_get0_order(key->group));\n if (out == NULL) {\n return len;\n }\n\n if (max_out < len) {\n OPENSSL_PUT_ERROR(EC, EC_R_BUFFER_TOO_SMALL);\n return 0;\n }\n\n size_t bytes_written;\n ec_scalar_to_bytes(key->group, out, &bytes_written, &key->priv_key->scalar);\n assert(bytes_written == len);\n return len;\n}\n\nsize_t EC_KEY_priv2buf(const EC_KEY *key, uint8_t **out_buf) {\n *out_buf = NULL;\n size_t len = EC_KEY_priv2oct(key, NULL, 0);\n if (len == 0) {\n return 0;\n }\n\n uint8_t *buf = reinterpret_cast(OPENSSL_malloc(len));\n if (buf == NULL) {\n return 0;\n }\n\n len = EC_KEY_priv2oct(key, buf, len);\n if (len == 0) {\n OPENSSL_free(buf);\n return 0;\n }\n\n *out_buf = buf;\n return len;\n}\n\nint EC_KEY_generate_key(EC_KEY *key) {\n if (key == NULL || key->group == NULL) {\n OPENSSL_PUT_ERROR(EC, ERR_R_PASSED_NULL_PARAMETER);\n return 0;\n }\n\n // Check that the group order is FIPS compliant (FIPS 186-4 B.4.2).\n if (EC_GROUP_order_bits(key->group) < 160) {\n OPENSSL_PUT_ERROR(EC, EC_R_INVALID_GROUP_ORDER);\n return 0;\n }\n\n static const uint8_t kDefaultAdditionalData[32] = {0};\n EC_WRAPPED_SCALAR *priv_key = ec_wrapped_scalar_new(key->group);\n EC_POINT *pub_key = EC_POINT_new(key->group);\n if (priv_key == NULL || pub_key == NULL ||\n // Generate the private key by testing candidates (FIPS 186-4 B.4.2).\n !ec_random_nonzero_scalar(key->group, &priv_key->scalar,\n kDefaultAdditionalData) ||\n !ec_point_mul_scalar_base(key->group, &pub_key->raw, &priv_key->scalar)) {\n EC_POINT_free(pub_key);\n ec_wrapped_scalar_free(priv_key);\n return 0;\n }\n\n // The public key is derived from the private key, but it is public.\n //\n // TODO(crbug.com/boringssl/677): This isn't quite right. While |pub_key|\n // represents a public point, it is still in Jacobian form and the exact\n // Jacobian representation is secret. We need to make it affine first. See\n // discussion in the bug.\n CONSTTIME_DECLASSIFY(&pub_key->raw, sizeof(pub_key->raw));\n\n ec_wrapped_scalar_free(key->priv_key);\n key->priv_key = priv_key;\n EC_POINT_free(key->pub_key);\n key->pub_key = pub_key;\n return 1;\n}\n\nint EC_KEY_generate_key_fips(EC_KEY *eckey) {\n if (eckey == NULL || eckey->group == NULL) {\n OPENSSL_PUT_ERROR(EC, ERR_R_PASSED_NULL_PARAMETER);\n return 0;\n }\n\n boringssl_ensure_ecc_self_test();\n\n if (EC_KEY_generate_key(eckey) && EC_KEY_check_fips(eckey)) {\n return 1;\n }\n\n EC_POINT_free(eckey->pub_key);\n ec_wrapped_scalar_free(eckey->priv_key);\n eckey->pub_key = NULL;\n eckey->priv_key = NULL;\n return 0;\n}\n\nint EC_KEY_get_ex_new_index(long argl, void *argp, CRYPTO_EX_unused *unused,\n CRYPTO_EX_dup *dup_unused,\n CRYPTO_EX_free *free_func) {\n return CRYPTO_get_ex_new_index_ex(g_ec_ex_data_class_bss_get(), argl, argp,\n free_func);\n}\n\nint EC_KEY_set_ex_data(EC_KEY *d, int idx, void *arg) {\n return CRYPTO_set_ex_data(&d->ex_data, idx, arg);\n}\n\nvoid *EC_KEY_get_ex_data(const EC_KEY *d, int idx) {\n return CRYPTO_get_ex_data(&d->ex_data, idx);\n}\n\nvoid EC_KEY_set_asn1_flag(EC_KEY *key, int flag) {}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/fipsmodule/ec/ec_montgomery.cc.inc", "content": "/*\n * Copyright 2001-2016 The OpenSSL Project Authors. All Rights Reserved.\n * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n#include \n#include \n\n#include \"../bn/internal.h\"\n#include \"../delocate.h\"\n#include \"internal.h\"\n\n\nstatic void ec_GFp_mont_felem_to_montgomery(const EC_GROUP *group,\n EC_FELEM *out, const EC_FELEM *in) {\n bn_to_montgomery_small(out->words, in->words, group->field.N.width,\n &group->field);\n}\n\nstatic void ec_GFp_mont_felem_from_montgomery(const EC_GROUP *group,\n EC_FELEM *out,\n const EC_FELEM *in) {\n bn_from_montgomery_small(out->words, group->field.N.width, in->words,\n group->field.N.width, &group->field);\n}\n\nstatic void ec_GFp_mont_felem_inv0(const EC_GROUP *group, EC_FELEM *out,\n const EC_FELEM *a) {\n bn_mod_inverse0_prime_mont_small(out->words, a->words, group->field.N.width,\n &group->field);\n}\n\nvoid ec_GFp_mont_felem_mul(const EC_GROUP *group, EC_FELEM *r,\n const EC_FELEM *a, const EC_FELEM *b) {\n bn_mod_mul_montgomery_small(r->words, a->words, b->words,\n group->field.N.width, &group->field);\n}\n\nvoid ec_GFp_mont_felem_sqr(const EC_GROUP *group, EC_FELEM *r,\n const EC_FELEM *a) {\n bn_mod_mul_montgomery_small(r->words, a->words, a->words,\n group->field.N.width, &group->field);\n}\n\nvoid ec_GFp_mont_felem_to_bytes(const EC_GROUP *group, uint8_t *out,\n size_t *out_len, const EC_FELEM *in) {\n EC_FELEM tmp;\n ec_GFp_mont_felem_from_montgomery(group, &tmp, in);\n ec_GFp_simple_felem_to_bytes(group, out, out_len, &tmp);\n}\n\nint ec_GFp_mont_felem_from_bytes(const EC_GROUP *group, EC_FELEM *out,\n const uint8_t *in, size_t len) {\n if (!ec_GFp_simple_felem_from_bytes(group, out, in, len)) {\n return 0;\n }\n\n ec_GFp_mont_felem_to_montgomery(group, out, out);\n return 1;\n}\n\nvoid ec_GFp_mont_felem_reduce(const EC_GROUP *group, EC_FELEM *out,\n const BN_ULONG *words, size_t num) {\n // Convert \"from\" Montgomery form so the value is reduced mod p.\n bn_from_montgomery_small(out->words, group->field.N.width, words, num,\n &group->field);\n // Convert \"to\" Montgomery form to remove the R^-1 factor added.\n ec_GFp_mont_felem_to_montgomery(group, out, out);\n // Convert to Montgomery form to match this implementation's representation.\n ec_GFp_mont_felem_to_montgomery(group, out, out);\n}\n\nvoid ec_GFp_mont_felem_exp(const EC_GROUP *group, EC_FELEM *out,\n const EC_FELEM *a, const BN_ULONG *exp,\n size_t num_exp) {\n bn_mod_exp_mont_small(out->words, a->words, group->field.N.width, exp,\n num_exp, &group->field);\n}\n\nstatic int ec_GFp_mont_point_get_affine_coordinates(const EC_GROUP *group,\n const EC_JACOBIAN *point,\n EC_FELEM *x, EC_FELEM *y) {\n if (constant_time_declassify_int(\n ec_GFp_simple_is_at_infinity(group, point))) {\n OPENSSL_PUT_ERROR(EC, EC_R_POINT_AT_INFINITY);\n return 0;\n }\n\n // Transform (X, Y, Z) into (x, y) := (X/Z^2, Y/Z^3). Note the check above\n // ensures |point->Z| is non-zero, so the inverse always exists.\n EC_FELEM z1, z2;\n ec_GFp_mont_felem_inv0(group, &z2, &point->Z);\n ec_GFp_mont_felem_sqr(group, &z1, &z2);\n\n if (x != NULL) {\n ec_GFp_mont_felem_mul(group, x, &point->X, &z1);\n }\n\n if (y != NULL) {\n ec_GFp_mont_felem_mul(group, &z1, &z1, &z2);\n ec_GFp_mont_felem_mul(group, y, &point->Y, &z1);\n }\n\n return 1;\n}\n\nstatic int ec_GFp_mont_jacobian_to_affine_batch(const EC_GROUP *group,\n EC_AFFINE *out,\n const EC_JACOBIAN *in,\n size_t num) {\n if (num == 0) {\n return 1;\n }\n\n // Compute prefix products of all Zs. Use |out[i].X| as scratch space\n // to store these values.\n out[0].X = in[0].Z;\n for (size_t i = 1; i < num; i++) {\n ec_GFp_mont_felem_mul(group, &out[i].X, &out[i - 1].X, &in[i].Z);\n }\n\n // Some input was infinity iff the product of all Zs is zero.\n if (ec_felem_non_zero_mask(group, &out[num - 1].X) == 0) {\n OPENSSL_PUT_ERROR(EC, EC_R_POINT_AT_INFINITY);\n return 0;\n }\n\n // Invert the product of all Zs.\n EC_FELEM zinvprod;\n ec_GFp_mont_felem_inv0(group, &zinvprod, &out[num - 1].X);\n for (size_t i = num - 1; i < num; i--) {\n // Our loop invariant is that |zinvprod| is Z0^-1 * Z1^-1 * ... * Zi^-1.\n // Recover Zi^-1 by multiplying by the previous product.\n EC_FELEM zinv, zinv2;\n if (i == 0) {\n zinv = zinvprod;\n } else {\n ec_GFp_mont_felem_mul(group, &zinv, &zinvprod, &out[i - 1].X);\n // Maintain the loop invariant for the next iteration.\n ec_GFp_mont_felem_mul(group, &zinvprod, &zinvprod, &in[i].Z);\n }\n\n // Compute affine coordinates: x = X * Z^-2 and y = Y * Z^-3.\n ec_GFp_mont_felem_sqr(group, &zinv2, &zinv);\n ec_GFp_mont_felem_mul(group, &out[i].X, &in[i].X, &zinv2);\n ec_GFp_mont_felem_mul(group, &out[i].Y, &in[i].Y, &zinv2);\n ec_GFp_mont_felem_mul(group, &out[i].Y, &out[i].Y, &zinv);\n }\n\n return 1;\n}\n\nvoid ec_GFp_mont_add(const EC_GROUP *group, EC_JACOBIAN *out,\n const EC_JACOBIAN *a, const EC_JACOBIAN *b) {\n if (a == b) {\n ec_GFp_mont_dbl(group, out, a);\n return;\n }\n\n // The method is taken from:\n // http://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian.html#addition-add-2007-bl\n //\n // Coq transcription and correctness proof:\n // \n // \n EC_FELEM x_out, y_out, z_out;\n BN_ULONG z1nz = ec_felem_non_zero_mask(group, &a->Z);\n BN_ULONG z2nz = ec_felem_non_zero_mask(group, &b->Z);\n\n // z1z1 = z1z1 = z1**2\n EC_FELEM z1z1;\n ec_GFp_mont_felem_sqr(group, &z1z1, &a->Z);\n\n // z2z2 = z2**2\n EC_FELEM z2z2;\n ec_GFp_mont_felem_sqr(group, &z2z2, &b->Z);\n\n // u1 = x1*z2z2\n EC_FELEM u1;\n ec_GFp_mont_felem_mul(group, &u1, &a->X, &z2z2);\n\n // two_z1z2 = (z1 + z2)**2 - (z1z1 + z2z2) = 2z1z2\n EC_FELEM two_z1z2;\n ec_felem_add(group, &two_z1z2, &a->Z, &b->Z);\n ec_GFp_mont_felem_sqr(group, &two_z1z2, &two_z1z2);\n ec_felem_sub(group, &two_z1z2, &two_z1z2, &z1z1);\n ec_felem_sub(group, &two_z1z2, &two_z1z2, &z2z2);\n\n // s1 = y1 * z2**3\n EC_FELEM s1;\n ec_GFp_mont_felem_mul(group, &s1, &b->Z, &z2z2);\n ec_GFp_mont_felem_mul(group, &s1, &s1, &a->Y);\n\n // u2 = x2*z1z1\n EC_FELEM u2;\n ec_GFp_mont_felem_mul(group, &u2, &b->X, &z1z1);\n\n // h = u2 - u1\n EC_FELEM h;\n ec_felem_sub(group, &h, &u2, &u1);\n\n BN_ULONG xneq = ec_felem_non_zero_mask(group, &h);\n\n // z_out = two_z1z2 * h\n ec_GFp_mont_felem_mul(group, &z_out, &h, &two_z1z2);\n\n // z1z1z1 = z1 * z1z1\n EC_FELEM z1z1z1;\n ec_GFp_mont_felem_mul(group, &z1z1z1, &a->Z, &z1z1);\n\n // s2 = y2 * z1**3\n EC_FELEM s2;\n ec_GFp_mont_felem_mul(group, &s2, &b->Y, &z1z1z1);\n\n // r = (s2 - s1)*2\n EC_FELEM r;\n ec_felem_sub(group, &r, &s2, &s1);\n ec_felem_add(group, &r, &r, &r);\n\n BN_ULONG yneq = ec_felem_non_zero_mask(group, &r);\n\n // This case will never occur in the constant-time |ec_GFp_mont_mul|.\n BN_ULONG is_nontrivial_double = ~xneq & ~yneq & z1nz & z2nz;\n if (constant_time_declassify_w(is_nontrivial_double)) {\n ec_GFp_mont_dbl(group, out, a);\n return;\n }\n\n // I = (2h)**2\n EC_FELEM i;\n ec_felem_add(group, &i, &h, &h);\n ec_GFp_mont_felem_sqr(group, &i, &i);\n\n // J = h * I\n EC_FELEM j;\n ec_GFp_mont_felem_mul(group, &j, &h, &i);\n\n // V = U1 * I\n EC_FELEM v;\n ec_GFp_mont_felem_mul(group, &v, &u1, &i);\n\n // x_out = r**2 - J - 2V\n ec_GFp_mont_felem_sqr(group, &x_out, &r);\n ec_felem_sub(group, &x_out, &x_out, &j);\n ec_felem_sub(group, &x_out, &x_out, &v);\n ec_felem_sub(group, &x_out, &x_out, &v);\n\n // y_out = r(V-x_out) - 2 * s1 * J\n ec_felem_sub(group, &y_out, &v, &x_out);\n ec_GFp_mont_felem_mul(group, &y_out, &y_out, &r);\n EC_FELEM s1j;\n ec_GFp_mont_felem_mul(group, &s1j, &s1, &j);\n ec_felem_sub(group, &y_out, &y_out, &s1j);\n ec_felem_sub(group, &y_out, &y_out, &s1j);\n\n ec_felem_select(group, &x_out, z1nz, &x_out, &b->X);\n ec_felem_select(group, &out->X, z2nz, &x_out, &a->X);\n ec_felem_select(group, &y_out, z1nz, &y_out, &b->Y);\n ec_felem_select(group, &out->Y, z2nz, &y_out, &a->Y);\n ec_felem_select(group, &z_out, z1nz, &z_out, &b->Z);\n ec_felem_select(group, &out->Z, z2nz, &z_out, &a->Z);\n}\n\nvoid ec_GFp_mont_dbl(const EC_GROUP *group, EC_JACOBIAN *r,\n const EC_JACOBIAN *a) {\n if (group->a_is_minus3) {\n // The method is taken from:\n // http://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#doubling-dbl-2001-b\n //\n // Coq transcription and correctness proof:\n // \n // \n EC_FELEM delta, gamma, beta, ftmp, ftmp2, tmptmp, alpha, fourbeta;\n // delta = z^2\n ec_GFp_mont_felem_sqr(group, &delta, &a->Z);\n // gamma = y^2\n ec_GFp_mont_felem_sqr(group, &gamma, &a->Y);\n // beta = x*gamma\n ec_GFp_mont_felem_mul(group, &beta, &a->X, &gamma);\n\n // alpha = 3*(x-delta)*(x+delta)\n ec_felem_sub(group, &ftmp, &a->X, &delta);\n ec_felem_add(group, &ftmp2, &a->X, &delta);\n\n ec_felem_add(group, &tmptmp, &ftmp2, &ftmp2);\n ec_felem_add(group, &ftmp2, &ftmp2, &tmptmp);\n ec_GFp_mont_felem_mul(group, &alpha, &ftmp, &ftmp2);\n\n // x' = alpha^2 - 8*beta\n ec_GFp_mont_felem_sqr(group, &r->X, &alpha);\n ec_felem_add(group, &fourbeta, &beta, &beta);\n ec_felem_add(group, &fourbeta, &fourbeta, &fourbeta);\n ec_felem_add(group, &tmptmp, &fourbeta, &fourbeta);\n ec_felem_sub(group, &r->X, &r->X, &tmptmp);\n\n // z' = (y + z)^2 - gamma - delta\n ec_felem_add(group, &delta, &gamma, &delta);\n ec_felem_add(group, &ftmp, &a->Y, &a->Z);\n ec_GFp_mont_felem_sqr(group, &r->Z, &ftmp);\n ec_felem_sub(group, &r->Z, &r->Z, &delta);\n\n // y' = alpha*(4*beta - x') - 8*gamma^2\n ec_felem_sub(group, &r->Y, &fourbeta, &r->X);\n ec_felem_add(group, &gamma, &gamma, &gamma);\n ec_GFp_mont_felem_sqr(group, &gamma, &gamma);\n ec_GFp_mont_felem_mul(group, &r->Y, &alpha, &r->Y);\n ec_felem_add(group, &gamma, &gamma, &gamma);\n ec_felem_sub(group, &r->Y, &r->Y, &gamma);\n } else {\n // The method is taken from:\n // http://www.hyperelliptic.org/EFD/g1p/auto-shortw-jacobian.html#doubling-dbl-2007-bl\n //\n // Coq transcription and correctness proof:\n // \n // \n EC_FELEM xx, yy, yyyy, zz;\n ec_GFp_mont_felem_sqr(group, &xx, &a->X);\n ec_GFp_mont_felem_sqr(group, &yy, &a->Y);\n ec_GFp_mont_felem_sqr(group, &yyyy, &yy);\n ec_GFp_mont_felem_sqr(group, &zz, &a->Z);\n\n // s = 2*((x_in + yy)^2 - xx - yyyy)\n EC_FELEM s;\n ec_felem_add(group, &s, &a->X, &yy);\n ec_GFp_mont_felem_sqr(group, &s, &s);\n ec_felem_sub(group, &s, &s, &xx);\n ec_felem_sub(group, &s, &s, &yyyy);\n ec_felem_add(group, &s, &s, &s);\n\n // m = 3*xx + a*zz^2\n EC_FELEM m;\n ec_GFp_mont_felem_sqr(group, &m, &zz);\n ec_GFp_mont_felem_mul(group, &m, &group->a, &m);\n ec_felem_add(group, &m, &m, &xx);\n ec_felem_add(group, &m, &m, &xx);\n ec_felem_add(group, &m, &m, &xx);\n\n // x_out = m^2 - 2*s\n ec_GFp_mont_felem_sqr(group, &r->X, &m);\n ec_felem_sub(group, &r->X, &r->X, &s);\n ec_felem_sub(group, &r->X, &r->X, &s);\n\n // z_out = (y_in + z_in)^2 - yy - zz\n ec_felem_add(group, &r->Z, &a->Y, &a->Z);\n ec_GFp_mont_felem_sqr(group, &r->Z, &r->Z);\n ec_felem_sub(group, &r->Z, &r->Z, &yy);\n ec_felem_sub(group, &r->Z, &r->Z, &zz);\n\n // y_out = m*(s-x_out) - 8*yyyy\n ec_felem_add(group, &yyyy, &yyyy, &yyyy);\n ec_felem_add(group, &yyyy, &yyyy, &yyyy);\n ec_felem_add(group, &yyyy, &yyyy, &yyyy);\n ec_felem_sub(group, &r->Y, &s, &r->X);\n ec_GFp_mont_felem_mul(group, &r->Y, &r->Y, &m);\n ec_felem_sub(group, &r->Y, &r->Y, &yyyy);\n }\n}\n\nstatic int ec_GFp_mont_cmp_x_coordinate(const EC_GROUP *group,\n const EC_JACOBIAN *p,\n const EC_SCALAR *r) {\n if (!group->field_greater_than_order ||\n group->field.N.width != group->order.N.width) {\n // Do not bother optimizing this case. p > order in all commonly-used\n // curves.\n return ec_GFp_simple_cmp_x_coordinate(group, p, r);\n }\n\n if (ec_GFp_simple_is_at_infinity(group, p)) {\n return 0;\n }\n\n // We wish to compare X/Z^2 with r. This is equivalent to comparing X with\n // r*Z^2. Note that X and Z are represented in Montgomery form, while r is\n // not.\n EC_FELEM r_Z2, Z2_mont, X;\n ec_GFp_mont_felem_mul(group, &Z2_mont, &p->Z, &p->Z);\n // r < order < p, so this is valid.\n OPENSSL_memcpy(r_Z2.words, r->words, group->field.N.width * sizeof(BN_ULONG));\n ec_GFp_mont_felem_mul(group, &r_Z2, &r_Z2, &Z2_mont);\n ec_GFp_mont_felem_from_montgomery(group, &X, &p->X);\n\n if (ec_felem_equal(group, &r_Z2, &X)) {\n return 1;\n }\n\n // During signing the x coefficient is reduced modulo the group order.\n // Therefore there is a small possibility, less than 1/2^128, that group_order\n // < p.x < P. in that case we need not only to compare against |r| but also to\n // compare against r+group_order.\n BN_ULONG carry = bn_add_words(r_Z2.words, r->words, group->order.N.d,\n group->field.N.width);\n if (carry == 0 &&\n bn_less_than_words(r_Z2.words, group->field.N.d, group->field.N.width)) {\n // r + group_order < p, so compare (r + group_order) * Z^2 against X.\n ec_GFp_mont_felem_mul(group, &r_Z2, &r_Z2, &Z2_mont);\n if (ec_felem_equal(group, &r_Z2, &X)) {\n return 1;\n }\n }\n\n return 0;\n}\n\nDEFINE_METHOD_FUNCTION(EC_METHOD, EC_GFp_mont_method) {\n out->point_get_affine_coordinates = ec_GFp_mont_point_get_affine_coordinates;\n out->jacobian_to_affine_batch = ec_GFp_mont_jacobian_to_affine_batch;\n out->add = ec_GFp_mont_add;\n out->dbl = ec_GFp_mont_dbl;\n out->mul = ec_GFp_mont_mul;\n out->mul_base = ec_GFp_mont_mul_base;\n out->mul_batch = ec_GFp_mont_mul_batch;\n out->mul_public_batch = ec_GFp_mont_mul_public_batch;\n out->init_precomp = ec_GFp_mont_init_precomp;\n out->mul_precomp = ec_GFp_mont_mul_precomp;\n out->felem_mul = ec_GFp_mont_felem_mul;\n out->felem_sqr = ec_GFp_mont_felem_sqr;\n out->felem_to_bytes = ec_GFp_mont_felem_to_bytes;\n out->felem_from_bytes = ec_GFp_mont_felem_from_bytes;\n out->felem_reduce = ec_GFp_mont_felem_reduce;\n out->felem_exp = ec_GFp_mont_felem_exp;\n out->scalar_inv0_montgomery = ec_simple_scalar_inv0_montgomery;\n out->scalar_to_montgomery_inv_vartime =\n ec_simple_scalar_to_montgomery_inv_vartime;\n out->cmp_x_coordinate = ec_GFp_mont_cmp_x_coordinate;\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/fipsmodule/ec/felem.cc.inc", "content": "/* Copyright 2018 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n#include \n#include \n#include \n\n#include \n\n#include \"internal.h\"\n#include \"../bn/internal.h\"\n#include \"../../internal.h\"\n\n\nconst EC_FELEM *ec_felem_one(const EC_GROUP *group) {\n // We reuse generator.Z as a cache for 1 in the field.\n return &group->generator.raw.Z;\n}\n\nint ec_bignum_to_felem(const EC_GROUP *group, EC_FELEM *out, const BIGNUM *in) {\n uint8_t bytes[EC_MAX_BYTES];\n size_t len = BN_num_bytes(&group->field.N);\n assert(sizeof(bytes) >= len);\n if (BN_is_negative(in) || BN_cmp(in, &group->field.N) >= 0 ||\n !BN_bn2bin_padded(bytes, len, in)) {\n OPENSSL_PUT_ERROR(EC, EC_R_COORDINATES_OUT_OF_RANGE);\n return 0;\n }\n\n return ec_felem_from_bytes(group, out, bytes, len);\n}\n\nint ec_felem_to_bignum(const EC_GROUP *group, BIGNUM *out, const EC_FELEM *in) {\n uint8_t bytes[EC_MAX_BYTES];\n size_t len;\n ec_felem_to_bytes(group, bytes, &len, in);\n return BN_bin2bn(bytes, len, out) != NULL;\n}\n\nvoid ec_felem_to_bytes(const EC_GROUP *group, uint8_t *out, size_t *out_len,\n const EC_FELEM *in) {\n group->meth->felem_to_bytes(group, out, out_len, in);\n}\n\nint ec_felem_from_bytes(const EC_GROUP *group, EC_FELEM *out, const uint8_t *in,\n size_t len) {\n return group->meth->felem_from_bytes(group, out, in, len);\n}\n\nvoid ec_felem_neg(const EC_GROUP *group, EC_FELEM *out, const EC_FELEM *a) {\n // -a is zero if a is zero and p-a otherwise.\n BN_ULONG mask = ec_felem_non_zero_mask(group, a);\n BN_ULONG borrow = bn_sub_words(out->words, group->field.N.d, a->words,\n group->field.N.width);\n assert(borrow == 0);\n (void)borrow;\n for (int i = 0; i < group->field.N.width; i++) {\n out->words[i] &= mask;\n }\n}\n\nvoid ec_felem_add(const EC_GROUP *group, EC_FELEM *out, const EC_FELEM *a,\n const EC_FELEM *b) {\n EC_FELEM tmp;\n bn_mod_add_words(out->words, a->words, b->words, group->field.N.d, tmp.words,\n group->field.N.width);\n}\n\nvoid ec_felem_sub(const EC_GROUP *group, EC_FELEM *out, const EC_FELEM *a,\n const EC_FELEM *b) {\n EC_FELEM tmp;\n bn_mod_sub_words(out->words, a->words, b->words, group->field.N.d, tmp.words,\n group->field.N.width);\n}\n\nBN_ULONG ec_felem_non_zero_mask(const EC_GROUP *group, const EC_FELEM *a) {\n BN_ULONG mask = 0;\n for (int i = 0; i < group->field.N.width; i++) {\n mask |= a->words[i];\n }\n return ~constant_time_is_zero_w(mask);\n}\n\nvoid ec_felem_select(const EC_GROUP *group, EC_FELEM *out, BN_ULONG mask,\n const EC_FELEM *a, const EC_FELEM *b) {\n bn_select_words(out->words, mask, a->words, b->words, group->field.N.width);\n}\n\nint ec_felem_equal(const EC_GROUP *group, const EC_FELEM *a,\n const EC_FELEM *b) {\n return CRYPTO_memcmp(a->words, b->words,\n group->field.N.width * sizeof(BN_ULONG)) == 0;\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/fipsmodule/ec/internal.h", "content": "/*\n * Copyright 2001-2016 The OpenSSL Project Authors. All Rights Reserved.\n * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#ifndef OPENSSL_HEADER_EC_INTERNAL_H\n#define OPENSSL_HEADER_EC_INTERNAL_H\n\n#include \n\n#include \n\n#include \n#include \n#include \n\n#include \"../bn/internal.h\"\n\n#if defined(__cplusplus)\nextern \"C\" {\n#endif\n\n\n// EC internals.\n\n\n// Cap the size of all field elements and scalars, including custom curves, to\n// 66 bytes, large enough to fit secp521r1 and brainpoolP512r1, which appear to\n// be the largest fields anyone plausibly uses.\n#define EC_MAX_BYTES 66\n#define EC_MAX_WORDS ((EC_MAX_BYTES + BN_BYTES - 1) / BN_BYTES)\n#define EC_MAX_COMPRESSED (EC_MAX_BYTES + 1)\n#define EC_MAX_UNCOMPRESSED (2 * EC_MAX_BYTES + 1)\n\nstatic_assert(EC_MAX_WORDS <= BN_SMALL_MAX_WORDS,\n \"bn_*_small functions not usable\");\n\n\n// Scalars.\n\n// An EC_SCALAR is an integer fully reduced modulo the order. Only the first\n// |order->width| words are used. An |EC_SCALAR| is specific to an |EC_GROUP|\n// and must not be mixed between groups.\ntypedef struct {\n BN_ULONG words[EC_MAX_WORDS];\n} EC_SCALAR;\n\n// ec_bignum_to_scalar converts |in| to an |EC_SCALAR| and writes it to\n// |*out|. It returns one on success and zero if |in| is out of range.\nOPENSSL_EXPORT int ec_bignum_to_scalar(const EC_GROUP *group, EC_SCALAR *out,\n const BIGNUM *in);\n\n// ec_scalar_to_bytes serializes |in| as a big-endian bytestring to |out| and\n// sets |*out_len| to the number of bytes written. The number of bytes written\n// is |BN_num_bytes(&group->order)|, which is at most |EC_MAX_BYTES|.\nOPENSSL_EXPORT void ec_scalar_to_bytes(const EC_GROUP *group, uint8_t *out,\n size_t *out_len, const EC_SCALAR *in);\n\n// ec_scalar_from_bytes deserializes |in| and stores the resulting scalar over\n// group |group| to |out|. It returns one on success and zero if |in| is\n// invalid.\nOPENSSL_EXPORT int ec_scalar_from_bytes(const EC_GROUP *group, EC_SCALAR *out,\n const uint8_t *in, size_t len);\n\n// ec_scalar_reduce sets |out| to |words|, reduced modulo the group order.\n// |words| must be less than order^2. |num| must be at most twice the width of\n// group order. This function treats |words| as secret.\nvoid ec_scalar_reduce(const EC_GROUP *group, EC_SCALAR *out,\n const BN_ULONG *words, size_t num);\n\n// ec_random_nonzero_scalar sets |out| to a uniformly selected random value from\n// zero to |group->order| - 1. It returns one on success and zero on error.\nint ec_random_scalar(const EC_GROUP *group, EC_SCALAR *out,\n const uint8_t additional_data[32]);\n\n// ec_random_nonzero_scalar sets |out| to a uniformly selected random value from\n// 1 to |group->order| - 1. It returns one on success and zero on error.\nint ec_random_nonzero_scalar(const EC_GROUP *group, EC_SCALAR *out,\n const uint8_t additional_data[32]);\n\n// ec_scalar_equal_vartime returns one if |a| and |b| are equal and zero\n// otherwise. Both values are treated as public.\nint ec_scalar_equal_vartime(const EC_GROUP *group, const EC_SCALAR *a,\n const EC_SCALAR *b);\n\n// ec_scalar_is_zero returns one if |a| is zero and zero otherwise.\nint ec_scalar_is_zero(const EC_GROUP *group, const EC_SCALAR *a);\n\n// ec_scalar_add sets |r| to |a| + |b|.\nvoid ec_scalar_add(const EC_GROUP *group, EC_SCALAR *r, const EC_SCALAR *a,\n const EC_SCALAR *b);\n\n// ec_scalar_sub sets |r| to |a| - |b|.\nvoid ec_scalar_sub(const EC_GROUP *group, EC_SCALAR *r, const EC_SCALAR *a,\n const EC_SCALAR *b);\n\n// ec_scalar_neg sets |r| to -|a|.\nvoid ec_scalar_neg(const EC_GROUP *group, EC_SCALAR *r, const EC_SCALAR *a);\n\n// ec_scalar_to_montgomery sets |r| to |a| in Montgomery form.\nvoid ec_scalar_to_montgomery(const EC_GROUP *group, EC_SCALAR *r,\n const EC_SCALAR *a);\n\n// ec_scalar_to_montgomery sets |r| to |a| converted from Montgomery form.\nvoid ec_scalar_from_montgomery(const EC_GROUP *group, EC_SCALAR *r,\n const EC_SCALAR *a);\n\n// ec_scalar_mul_montgomery sets |r| to |a| * |b| where inputs and outputs are\n// in Montgomery form.\nvoid ec_scalar_mul_montgomery(const EC_GROUP *group, EC_SCALAR *r,\n const EC_SCALAR *a, const EC_SCALAR *b);\n\n// ec_scalar_inv0_montgomery sets |r| to |a|^-1 where inputs and outputs are in\n// Montgomery form. If |a| is zero, |r| is set to zero.\nvoid ec_scalar_inv0_montgomery(const EC_GROUP *group, EC_SCALAR *r,\n const EC_SCALAR *a);\n\n// ec_scalar_to_montgomery_inv_vartime sets |r| to |a|^-1 R. That is, it takes\n// in |a| not in Montgomery form and computes the inverse in Montgomery form. It\n// returns one on success and zero if |a| has no inverse. This function assumes\n// |a| is public and may leak information about it via timing.\n//\n// Note this is not the same operation as |ec_scalar_inv0_montgomery|.\nint ec_scalar_to_montgomery_inv_vartime(const EC_GROUP *group, EC_SCALAR *r,\n const EC_SCALAR *a);\n\n// ec_scalar_select, in constant time, sets |out| to |a| if |mask| is all ones\n// and |b| if |mask| is all zeros.\nvoid ec_scalar_select(const EC_GROUP *group, EC_SCALAR *out, BN_ULONG mask,\n const EC_SCALAR *a, const EC_SCALAR *b);\n\n\n// Field elements.\n\n// An EC_FELEM represents a field element. Only the first |field->width| words\n// are used. An |EC_FELEM| is specific to an |EC_GROUP| and must not be mixed\n// between groups. Additionally, the representation (whether or not elements are\n// represented in Montgomery-form) may vary between |EC_METHOD|s.\ntypedef struct {\n BN_ULONG words[EC_MAX_WORDS];\n} EC_FELEM;\n\n// ec_felem_one returns one in |group|'s field.\nconst EC_FELEM *ec_felem_one(const EC_GROUP *group);\n\n// ec_bignum_to_felem converts |in| to an |EC_FELEM|. It returns one on success\n// and zero if |in| is out of range.\nint ec_bignum_to_felem(const EC_GROUP *group, EC_FELEM *out, const BIGNUM *in);\n\n// ec_felem_to_bignum converts |in| to a |BIGNUM|. It returns one on success and\n// zero on allocation failure.\nint ec_felem_to_bignum(const EC_GROUP *group, BIGNUM *out, const EC_FELEM *in);\n\n// ec_felem_to_bytes serializes |in| as a big-endian bytestring to |out| and\n// sets |*out_len| to the number of bytes written. The number of bytes written\n// is |BN_num_bytes(&group->order)|, which is at most |EC_MAX_BYTES|.\nvoid ec_felem_to_bytes(const EC_GROUP *group, uint8_t *out, size_t *out_len,\n const EC_FELEM *in);\n\n// ec_felem_from_bytes deserializes |in| and stores the resulting field element\n// to |out|. It returns one on success and zero if |in| is invalid.\nint ec_felem_from_bytes(const EC_GROUP *group, EC_FELEM *out, const uint8_t *in,\n size_t len);\n\n// ec_felem_neg sets |out| to -|a|.\nvoid ec_felem_neg(const EC_GROUP *group, EC_FELEM *out, const EC_FELEM *a);\n\n// ec_felem_add sets |out| to |a| + |b|.\nvoid ec_felem_add(const EC_GROUP *group, EC_FELEM *out, const EC_FELEM *a,\n const EC_FELEM *b);\n\n// ec_felem_add sets |out| to |a| - |b|.\nvoid ec_felem_sub(const EC_GROUP *group, EC_FELEM *out, const EC_FELEM *a,\n const EC_FELEM *b);\n\n// ec_felem_non_zero_mask returns all ones if |a| is non-zero and all zeros\n// otherwise.\nBN_ULONG ec_felem_non_zero_mask(const EC_GROUP *group, const EC_FELEM *a);\n\n// ec_felem_select, in constant time, sets |out| to |a| if |mask| is all ones\n// and |b| if |mask| is all zeros.\nvoid ec_felem_select(const EC_GROUP *group, EC_FELEM *out, BN_ULONG mask,\n const EC_FELEM *a, const EC_FELEM *b);\n\n// ec_felem_equal returns one if |a| and |b| are equal and zero otherwise.\nint ec_felem_equal(const EC_GROUP *group, const EC_FELEM *a, const EC_FELEM *b);\n\n\n// Points.\n//\n// Points may represented in affine coordinates as |EC_AFFINE| or Jacobian\n// coordinates as |EC_JACOBIAN|. Affine coordinates directly represent a\n// point on the curve, but point addition over affine coordinates requires\n// costly field inversions, so arithmetic is done in Jacobian coordinates.\n// Converting from affine to Jacobian is cheap, while converting from Jacobian\n// to affine costs a field inversion. (Jacobian coordinates amortize the field\n// inversions needed in a sequence of point operations.)\n\n// An EC_JACOBIAN represents an elliptic curve point in Jacobian coordinates.\n// Unlike |EC_POINT|, it is a plain struct which can be stack-allocated and\n// needs no cleanup. It is specific to an |EC_GROUP| and must not be mixed\n// between groups.\ntypedef struct {\n // X, Y, and Z are Jacobian projective coordinates. They represent\n // (X/Z^2, Y/Z^3) if Z != 0 and the point at infinity otherwise.\n EC_FELEM X, Y, Z;\n} EC_JACOBIAN;\n\n// An EC_AFFINE represents an elliptic curve point in affine coordinates.\n// coordinates. Note the point at infinity cannot be represented in affine\n// coordinates.\ntypedef struct {\n EC_FELEM X, Y;\n} EC_AFFINE;\n\n// ec_affine_to_jacobian converts |p| to Jacobian form and writes the result to\n// |*out|. This operation is very cheap and only costs a few copies.\nvoid ec_affine_to_jacobian(const EC_GROUP *group, EC_JACOBIAN *out,\n const EC_AFFINE *p);\n\n// ec_jacobian_to_affine converts |p| to affine form and writes the result to\n// |*out|. It returns one on success and zero if |p| was the point at infinity.\n// This operation performs a field inversion and should only be done once per\n// point.\n//\n// If only extracting the x-coordinate, use |ec_get_x_coordinate_*| which is\n// slightly faster.\nOPENSSL_EXPORT int ec_jacobian_to_affine(const EC_GROUP *group, EC_AFFINE *out,\n const EC_JACOBIAN *p);\n\n// ec_jacobian_to_affine_batch converts |num| points in |in| from Jacobian\n// coordinates to affine coordinates and writes the results to |out|. It returns\n// one on success and zero if any of the input points were infinity.\n//\n// This function is not implemented for all curves. Add implementations as\n// needed.\nint ec_jacobian_to_affine_batch(const EC_GROUP *group, EC_AFFINE *out,\n const EC_JACOBIAN *in, size_t num);\n\n// ec_point_set_affine_coordinates sets |out|'s to a point with affine\n// coordinates |x| and |y|. It returns one if the point is on the curve and\n// zero otherwise. If the point is not on the curve, the value of |out| is\n// undefined.\nint ec_point_set_affine_coordinates(const EC_GROUP *group, EC_AFFINE *out,\n const EC_FELEM *x, const EC_FELEM *y);\n\n// ec_point_mul_no_self_test does the same as |EC_POINT_mul|, but doesn't try to\n// run the self-test first. This is for use in the self tests themselves, to\n// prevent an infinite loop.\nint ec_point_mul_no_self_test(const EC_GROUP *group, EC_POINT *r,\n const BIGNUM *g_scalar, const EC_POINT *p,\n const BIGNUM *p_scalar, BN_CTX *ctx);\n\n// ec_point_mul_scalar sets |r| to |p| * |scalar|. Both inputs are considered\n// secret.\nint ec_point_mul_scalar(const EC_GROUP *group, EC_JACOBIAN *r,\n const EC_JACOBIAN *p, const EC_SCALAR *scalar);\n\n// ec_point_mul_scalar_base sets |r| to generator * |scalar|. |scalar| is\n// treated as secret.\nint ec_point_mul_scalar_base(const EC_GROUP *group, EC_JACOBIAN *r,\n const EC_SCALAR *scalar);\n\n// ec_point_mul_scalar_batch sets |r| to |p0| * |scalar0| + |p1| * |scalar1| +\n// |p2| * |scalar2|. |p2| may be NULL to skip that term.\n//\n// The inputs are treated as secret, however, this function leaks information\n// about whether intermediate computations add a point to itself. Callers must\n// ensure that discrete logs between |p0|, |p1|, and |p2| are uniformly\n// distributed and independent of the scalars, which should be uniformly\n// selected and not under the attackers control. This ensures the doubling case\n// will occur with negligible probability.\n//\n// This function is not implemented for all curves. Add implementations as\n// needed.\n//\n// TODO(davidben): This function does not use base point tables. For now, it is\n// only used with the generic |EC_GFp_mont_method| implementation which has\n// none. If generalizing to tuned curves, this may be useful. However, we still\n// must double up to the least efficient input, so precomputed tables can only\n// save table setup and allow a wider window size.\nint ec_point_mul_scalar_batch(const EC_GROUP *group, EC_JACOBIAN *r,\n const EC_JACOBIAN *p0, const EC_SCALAR *scalar0,\n const EC_JACOBIAN *p1, const EC_SCALAR *scalar1,\n const EC_JACOBIAN *p2, const EC_SCALAR *scalar2);\n\n#define EC_MONT_PRECOMP_COMB_SIZE 5\n\n// An |EC_PRECOMP| stores precomputed information about a point, to optimize\n// repeated multiplications involving it. It is a union so different\n// |EC_METHOD|s can store different information in it.\ntypedef union {\n EC_AFFINE comb[(1 << EC_MONT_PRECOMP_COMB_SIZE) - 1];\n} EC_PRECOMP;\n\n// ec_init_precomp precomputes multiples of |p| and writes the result to |out|.\n// It returns one on success and zero on error. The resulting table may be used\n// with |ec_point_mul_scalar_precomp|. This function will fail if |p| is the\n// point at infinity.\n//\n// This function is not implemented for all curves. Add implementations as\n// needed.\nint ec_init_precomp(const EC_GROUP *group, EC_PRECOMP *out,\n const EC_JACOBIAN *p);\n\n// ec_point_mul_scalar_precomp sets |r| to |p0| * |scalar0| + |p1| * |scalar1| +\n// |p2| * |scalar2|. |p1| or |p2| may be NULL to skip the corresponding term.\n// The points are represented as |EC_PRECOMP| and must be initialized with\n// |ec_init_precomp|. This function runs faster than |ec_point_mul_scalar_batch|\n// but requires setup work per input point, so it is only appropriate for points\n// which are used frequently.\n//\n// The inputs are treated as secret, however, this function leaks information\n// about whether intermediate computations add a point to itself. Callers must\n// ensure that discrete logs between |p0|, |p1|, and |p2| are uniformly\n// distributed and independent of the scalars, which should be uniformly\n// selected and not under the attackers control. This ensures the doubling case\n// will occur with negligible probability.\n//\n// This function is not implemented for all curves. Add implementations as\n// needed.\n//\n// TODO(davidben): This function does not use base point tables. For now, it is\n// only used with the generic |EC_GFp_mont_method| implementation which has\n// none. If generalizing to tuned curves, we should add a parameter for the base\n// point and arrange for the generic implementation to have base point tables\n// available.\nint ec_point_mul_scalar_precomp(const EC_GROUP *group, EC_JACOBIAN *r,\n const EC_PRECOMP *p0, const EC_SCALAR *scalar0,\n const EC_PRECOMP *p1, const EC_SCALAR *scalar1,\n const EC_PRECOMP *p2, const EC_SCALAR *scalar2);\n\n// ec_point_mul_scalar_public sets |r| to\n// generator * |g_scalar| + |p| * |p_scalar|. It assumes that the inputs are\n// public so there is no concern about leaking their values through timing.\nOPENSSL_EXPORT int ec_point_mul_scalar_public(const EC_GROUP *group,\n EC_JACOBIAN *r,\n const EC_SCALAR *g_scalar,\n const EC_JACOBIAN *p,\n const EC_SCALAR *p_scalar);\n\n// ec_point_mul_scalar_public_batch sets |r| to the sum of generator *\n// |g_scalar| and |points[i]| * |scalars[i]| where |points| and |scalars| have\n// |num| elements. It assumes that the inputs are public so there is no concern\n// about leaking their values through timing. |g_scalar| may be NULL to skip\n// that term.\n//\n// This function is not implemented for all curves. Add implementations as\n// needed.\nint ec_point_mul_scalar_public_batch(const EC_GROUP *group, EC_JACOBIAN *r,\n const EC_SCALAR *g_scalar,\n const EC_JACOBIAN *points,\n const EC_SCALAR *scalars, size_t num);\n\n// ec_point_select, in constant time, sets |out| to |a| if |mask| is all ones\n// and |b| if |mask| is all zeros.\nvoid ec_point_select(const EC_GROUP *group, EC_JACOBIAN *out, BN_ULONG mask,\n const EC_JACOBIAN *a, const EC_JACOBIAN *b);\n\n// ec_affine_select behaves like |ec_point_select| but acts on affine points.\nvoid ec_affine_select(const EC_GROUP *group, EC_AFFINE *out, BN_ULONG mask,\n const EC_AFFINE *a, const EC_AFFINE *b);\n\n// ec_precomp_select behaves like |ec_point_select| but acts on |EC_PRECOMP|.\nvoid ec_precomp_select(const EC_GROUP *group, EC_PRECOMP *out, BN_ULONG mask,\n const EC_PRECOMP *a, const EC_PRECOMP *b);\n\n// ec_cmp_x_coordinate compares the x (affine) coordinate of |p|, mod the group\n// order, with |r|. It returns one if the values match and zero if |p| is the\n// point at infinity of the values do not match. |p| is treated as public.\nint ec_cmp_x_coordinate(const EC_GROUP *group, const EC_JACOBIAN *p,\n const EC_SCALAR *r);\n\n// ec_get_x_coordinate_as_scalar sets |*out| to |p|'s x-coordinate, modulo\n// |group->order|. It returns one on success and zero if |p| is the point at\n// infinity.\nint ec_get_x_coordinate_as_scalar(const EC_GROUP *group, EC_SCALAR *out,\n const EC_JACOBIAN *p);\n\n// ec_get_x_coordinate_as_bytes writes |p|'s affine x-coordinate to |out|, which\n// must have at must |max_out| bytes. It sets |*out_len| to the number of bytes\n// written. The value is written big-endian and zero-padded to the size of the\n// field. This function returns one on success and zero on failure.\nint ec_get_x_coordinate_as_bytes(const EC_GROUP *group, uint8_t *out,\n size_t *out_len, size_t max_out,\n const EC_JACOBIAN *p);\n\n// ec_point_byte_len returns the number of bytes in the byte representation of\n// a non-infinity point in |group|, encoded according to |form|, or zero if\n// |form| is invalid.\nsize_t ec_point_byte_len(const EC_GROUP *group, point_conversion_form_t form);\n\n// ec_point_to_bytes encodes |point| according to |form| and writes the result\n// |buf|. It returns the size of the output on success or zero on error. At most\n// |max_out| bytes will be written. The buffer should be at least\n// |ec_point_byte_len| long to guarantee success.\nsize_t ec_point_to_bytes(const EC_GROUP *group, const EC_AFFINE *point,\n point_conversion_form_t form, uint8_t *buf,\n size_t max_out);\n\n// ec_point_from_uncompressed parses |in| as a point in uncompressed form and\n// sets the result to |out|. It returns one on success and zero if the input was\n// invalid.\nint ec_point_from_uncompressed(const EC_GROUP *group, EC_AFFINE *out,\n const uint8_t *in, size_t len);\n\n// ec_set_to_safe_point sets |out| to an arbitrary point on |group|, either the\n// generator or the point at infinity. This is used to guard against callers of\n// external APIs not checking the return value.\nvoid ec_set_to_safe_point(const EC_GROUP *group, EC_JACOBIAN *out);\n\n// ec_affine_jacobian_equal returns one if |a| and |b| represent the same point\n// and zero otherwise. It treats both inputs as secret.\nint ec_affine_jacobian_equal(const EC_GROUP *group, const EC_AFFINE *a,\n const EC_JACOBIAN *b);\n\n\n// Implementation details.\n\nstruct ec_method_st {\n // point_get_affine_coordinates sets |*x| and |*y| to the affine coordinates\n // of |p|. Either |x| or |y| may be NULL to omit it. It returns one on success\n // and zero if |p| is the point at infinity. It leaks whether |p| was the\n // point at infinity, but otherwise treats |p| as secret.\n int (*point_get_affine_coordinates)(const EC_GROUP *, const EC_JACOBIAN *p,\n EC_FELEM *x, EC_FELEM *y);\n\n // jacobian_to_affine_batch implements |ec_jacobian_to_affine_batch|.\n int (*jacobian_to_affine_batch)(const EC_GROUP *group, EC_AFFINE *out,\n const EC_JACOBIAN *in, size_t num);\n\n // add sets |r| to |a| + |b|.\n void (*add)(const EC_GROUP *group, EC_JACOBIAN *r, const EC_JACOBIAN *a,\n const EC_JACOBIAN *b);\n // dbl sets |r| to |a| + |a|.\n void (*dbl)(const EC_GROUP *group, EC_JACOBIAN *r, const EC_JACOBIAN *a);\n\n // mul sets |r| to |scalar|*|p|.\n void (*mul)(const EC_GROUP *group, EC_JACOBIAN *r, const EC_JACOBIAN *p,\n const EC_SCALAR *scalar);\n // mul_base sets |r| to |scalar|*generator.\n void (*mul_base)(const EC_GROUP *group, EC_JACOBIAN *r,\n const EC_SCALAR *scalar);\n // mul_batch implements |ec_mul_scalar_batch|.\n void (*mul_batch)(const EC_GROUP *group, EC_JACOBIAN *r,\n const EC_JACOBIAN *p0, const EC_SCALAR *scalar0,\n const EC_JACOBIAN *p1, const EC_SCALAR *scalar1,\n const EC_JACOBIAN *p2, const EC_SCALAR *scalar2);\n // mul_public sets |r| to |g_scalar|*generator + |p_scalar|*|p|. It assumes\n // that the inputs are public so there is no concern about leaking their\n // values through timing.\n //\n // This function may be omitted if |mul_public_batch| is provided.\n void (*mul_public)(const EC_GROUP *group, EC_JACOBIAN *r,\n const EC_SCALAR *g_scalar, const EC_JACOBIAN *p,\n const EC_SCALAR *p_scalar);\n // mul_public_batch implements |ec_point_mul_scalar_public_batch|.\n int (*mul_public_batch)(const EC_GROUP *group, EC_JACOBIAN *r,\n const EC_SCALAR *g_scalar, const EC_JACOBIAN *points,\n const EC_SCALAR *scalars, size_t num);\n\n // init_precomp implements |ec_init_precomp|.\n int (*init_precomp)(const EC_GROUP *group, EC_PRECOMP *out,\n const EC_JACOBIAN *p);\n // mul_precomp implements |ec_point_mul_scalar_precomp|.\n void (*mul_precomp)(const EC_GROUP *group, EC_JACOBIAN *r,\n const EC_PRECOMP *p0, const EC_SCALAR *scalar0,\n const EC_PRECOMP *p1, const EC_SCALAR *scalar1,\n const EC_PRECOMP *p2, const EC_SCALAR *scalar2);\n\n // felem_mul and felem_sqr implement multiplication and squaring,\n // respectively, so that the generic |EC_POINT_add| and |EC_POINT_dbl|\n // implementations can work both with |EC_GFp_mont_method| and the tuned\n // operations.\n //\n // TODO(davidben): This constrains |EC_FELEM|'s internal representation, adds\n // many indirect calls in the middle of the generic code, and a bunch of\n // conversions. If p224-64.c were easily convertable to Montgomery form, we\n // could say |EC_FELEM| is always in Montgomery form. If we routed the rest of\n // simple.c to |EC_METHOD|, we could give |EC_POINT| an |EC_METHOD|-specific\n // representation and say |EC_FELEM| is purely a |EC_GFp_mont_method| type.\n void (*felem_mul)(const EC_GROUP *, EC_FELEM *r, const EC_FELEM *a,\n const EC_FELEM *b);\n void (*felem_sqr)(const EC_GROUP *, EC_FELEM *r, const EC_FELEM *a);\n\n void (*felem_to_bytes)(const EC_GROUP *group, uint8_t *out, size_t *out_len,\n const EC_FELEM *in);\n int (*felem_from_bytes)(const EC_GROUP *group, EC_FELEM *out,\n const uint8_t *in, size_t len);\n\n // felem_reduce sets |out| to |words|, reduced modulo the field size, p.\n // |words| must be less than p^2. |num| must be at most twice the width of p.\n // This function treats |words| as secret.\n //\n // This function is only used in hash-to-curve and may be omitted in curves\n // that do not support it.\n void (*felem_reduce)(const EC_GROUP *group, EC_FELEM *out,\n const BN_ULONG *words, size_t num);\n\n // felem_exp sets |out| to |a|^|exp|. It treats |a| is secret but |exp| as\n // public.\n //\n // This function is used in hash-to-curve and may be NULL in curves not used\n // with hash-to-curve.\n //\n // TODO(https://crbug.com/boringssl/567): hash-to-curve uses this as part of\n // computing a square root, which is what compressed coordinates ultimately\n // needs to avoid |BIGNUM|. Can we unify this a bit? By generalizing to\n // arbitrary exponentiation, we also miss an opportunity to use a specialized\n // addition chain.\n void (*felem_exp)(const EC_GROUP *group, EC_FELEM *out, const EC_FELEM *a,\n const BN_ULONG *exp, size_t num_exp);\n\n // scalar_inv0_montgomery implements |ec_scalar_inv0_montgomery|.\n void (*scalar_inv0_montgomery)(const EC_GROUP *group, EC_SCALAR *out,\n const EC_SCALAR *in);\n\n // scalar_to_montgomery_inv_vartime implements\n // |ec_scalar_to_montgomery_inv_vartime|.\n int (*scalar_to_montgomery_inv_vartime)(const EC_GROUP *group, EC_SCALAR *out,\n const EC_SCALAR *in);\n\n // cmp_x_coordinate compares the x (affine) coordinate of |p|, mod the group\n // order, with |r|. It returns one if the values match and zero if |p| is the\n // point at infinity of the values do not match.\n int (*cmp_x_coordinate)(const EC_GROUP *group, const EC_JACOBIAN *p,\n const EC_SCALAR *r);\n} /* EC_METHOD */;\n\nconst EC_METHOD *EC_GFp_mont_method(void);\n\nstruct ec_point_st {\n // group is an owning reference to |group|, unless this is\n // |group->generator|.\n EC_GROUP *group;\n // raw is the group-specific point data. Functions that take |EC_POINT|\n // typically check consistency with |EC_GROUP| while functions that take\n // |EC_JACOBIAN| do not. Thus accesses to this field should be externally\n // checked for consistency.\n EC_JACOBIAN raw;\n} /* EC_POINT */;\n\nstruct ec_group_st {\n const EC_METHOD *meth;\n\n // Unlike all other |EC_POINT|s, |generator| does not own |generator->group|\n // to avoid a reference cycle. Additionally, Z is guaranteed to be one, so X\n // and Y are suitable for use as an |EC_AFFINE|. Before |has_order| is set, Z\n // is one, but X and Y are uninitialized.\n EC_POINT generator;\n\n BN_MONT_CTX order;\n BN_MONT_CTX field;\n\n EC_FELEM a, b; // Curve coefficients.\n\n // comment is a human-readable string describing the curve.\n const char *comment;\n\n int curve_name; // optional NID for named curve\n uint8_t oid[9];\n uint8_t oid_len;\n\n // a_is_minus3 is one if |a| is -3 mod |field| and zero otherwise. Point\n // arithmetic is optimized for -3.\n int a_is_minus3;\n\n // has_order is one if |generator| and |order| have been initialized.\n int has_order;\n\n // field_greater_than_order is one if |field| is greate than |order| and zero\n // otherwise.\n int field_greater_than_order;\n\n CRYPTO_refcount_t references;\n} /* EC_GROUP */;\n\nEC_GROUP *ec_group_new(const EC_METHOD *meth, const BIGNUM *p, const BIGNUM *a,\n const BIGNUM *b, BN_CTX *ctx);\n\nvoid ec_GFp_mont_mul(const EC_GROUP *group, EC_JACOBIAN *r,\n const EC_JACOBIAN *p, const EC_SCALAR *scalar);\nvoid ec_GFp_mont_mul_base(const EC_GROUP *group, EC_JACOBIAN *r,\n const EC_SCALAR *scalar);\nvoid ec_GFp_mont_mul_batch(const EC_GROUP *group, EC_JACOBIAN *r,\n const EC_JACOBIAN *p0, const EC_SCALAR *scalar0,\n const EC_JACOBIAN *p1, const EC_SCALAR *scalar1,\n const EC_JACOBIAN *p2, const EC_SCALAR *scalar2);\nint ec_GFp_mont_init_precomp(const EC_GROUP *group, EC_PRECOMP *out,\n const EC_JACOBIAN *p);\nvoid ec_GFp_mont_mul_precomp(const EC_GROUP *group, EC_JACOBIAN *r,\n const EC_PRECOMP *p0, const EC_SCALAR *scalar0,\n const EC_PRECOMP *p1, const EC_SCALAR *scalar1,\n const EC_PRECOMP *p2, const EC_SCALAR *scalar2);\nvoid ec_GFp_mont_felem_reduce(const EC_GROUP *group, EC_FELEM *out,\n const BN_ULONG *words, size_t num);\nvoid ec_GFp_mont_felem_exp(const EC_GROUP *group, EC_FELEM *out,\n const EC_FELEM *a, const BN_ULONG *exp,\n size_t num_exp);\n\n// ec_compute_wNAF writes the modified width-(w+1) Non-Adjacent Form (wNAF) of\n// |scalar| to |out|. |out| must have room for |bits| + 1 elements, each of\n// which will be either zero or odd with an absolute value less than 2^w\n// satisfying\n// scalar = \\sum_j out[j]*2^j\n// where at most one of any w+1 consecutive digits is non-zero\n// with the exception that the most significant digit may be only\n// w-1 zeros away from that next non-zero digit.\nvoid ec_compute_wNAF(const EC_GROUP *group, int8_t *out,\n const EC_SCALAR *scalar, size_t bits, int w);\n\nint ec_GFp_mont_mul_public_batch(const EC_GROUP *group, EC_JACOBIAN *r,\n const EC_SCALAR *g_scalar,\n const EC_JACOBIAN *points,\n const EC_SCALAR *scalars, size_t num);\n\n// method functions in simple.c\nint ec_GFp_simple_group_set_curve(EC_GROUP *, const BIGNUM *p, const BIGNUM *a,\n const BIGNUM *b, BN_CTX *);\nint ec_GFp_simple_group_get_curve(const EC_GROUP *, BIGNUM *p, BIGNUM *a,\n BIGNUM *b);\nvoid ec_GFp_simple_point_init(EC_JACOBIAN *);\nvoid ec_GFp_simple_point_copy(EC_JACOBIAN *, const EC_JACOBIAN *);\nvoid ec_GFp_simple_point_set_to_infinity(const EC_GROUP *, EC_JACOBIAN *);\nvoid ec_GFp_mont_add(const EC_GROUP *, EC_JACOBIAN *r, const EC_JACOBIAN *a,\n const EC_JACOBIAN *b);\nvoid ec_GFp_mont_dbl(const EC_GROUP *, EC_JACOBIAN *r, const EC_JACOBIAN *a);\nvoid ec_GFp_simple_invert(const EC_GROUP *, EC_JACOBIAN *);\nint ec_GFp_simple_is_at_infinity(const EC_GROUP *, const EC_JACOBIAN *);\nint ec_GFp_simple_is_on_curve(const EC_GROUP *, const EC_JACOBIAN *);\nint ec_GFp_simple_points_equal(const EC_GROUP *, const EC_JACOBIAN *a,\n const EC_JACOBIAN *b);\nvoid ec_simple_scalar_inv0_montgomery(const EC_GROUP *group, EC_SCALAR *r,\n const EC_SCALAR *a);\n\nint ec_simple_scalar_to_montgomery_inv_vartime(const EC_GROUP *group,\n EC_SCALAR *r,\n const EC_SCALAR *a);\n\nint ec_GFp_simple_cmp_x_coordinate(const EC_GROUP *group, const EC_JACOBIAN *p,\n const EC_SCALAR *r);\n\nvoid ec_GFp_simple_felem_to_bytes(const EC_GROUP *group, uint8_t *out,\n size_t *out_len, const EC_FELEM *in);\nint ec_GFp_simple_felem_from_bytes(const EC_GROUP *group, EC_FELEM *out,\n const uint8_t *in, size_t len);\n\n// method functions in montgomery.c\nvoid ec_GFp_mont_felem_mul(const EC_GROUP *, EC_FELEM *r, const EC_FELEM *a,\n const EC_FELEM *b);\nvoid ec_GFp_mont_felem_sqr(const EC_GROUP *, EC_FELEM *r, const EC_FELEM *a);\n\nvoid ec_GFp_mont_felem_to_bytes(const EC_GROUP *group, uint8_t *out,\n size_t *out_len, const EC_FELEM *in);\nint ec_GFp_mont_felem_from_bytes(const EC_GROUP *group, EC_FELEM *out,\n const uint8_t *in, size_t len);\n\nvoid ec_GFp_nistp_recode_scalar_bits(crypto_word_t *sign, crypto_word_t *digit,\n crypto_word_t in);\n\nconst EC_METHOD *EC_GFp_nistp224_method(void);\nconst EC_METHOD *EC_GFp_nistp256_method(void);\n\n// EC_GFp_nistz256_method is a GFp method using montgomery multiplication, with\n// x86-64 optimized P256. See http://eprint.iacr.org/2013/816.\nconst EC_METHOD *EC_GFp_nistz256_method(void);\n\n// An EC_WRAPPED_SCALAR is an |EC_SCALAR| with a parallel |BIGNUM|\n// representation. It exists to support the |EC_KEY_get0_private_key| API.\ntypedef struct {\n BIGNUM bignum;\n EC_SCALAR scalar;\n} EC_WRAPPED_SCALAR;\n\nstruct ec_key_st {\n EC_GROUP *group;\n\n // Ideally |pub_key| would be an |EC_AFFINE| so serializing it does not pay an\n // inversion each time, but the |EC_KEY_get0_public_key| API implies public\n // keys are stored in an |EC_POINT|-compatible form.\n EC_POINT *pub_key;\n EC_WRAPPED_SCALAR *priv_key;\n\n unsigned int enc_flag;\n point_conversion_form_t conv_form;\n\n CRYPTO_refcount_t references;\n\n ECDSA_METHOD *ecdsa_meth;\n\n CRYPTO_EX_DATA ex_data;\n} /* EC_KEY */;\n\n\n#if defined(__cplusplus)\n} // extern C\n#endif\n\n#endif // OPENSSL_HEADER_EC_INTERNAL_H\n" }, { "path": "Sources/CNIOBoringSSL/crypto/fipsmodule/ec/oct.cc.inc", "content": "/*\n * Copyright 2011-2016 The OpenSSL Project Authors. All Rights Reserved.\n * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n#include \n\n#include \"internal.h\"\n\n\nsize_t ec_point_byte_len(const EC_GROUP *group, point_conversion_form_t form) {\n if (form != POINT_CONVERSION_COMPRESSED &&\n form != POINT_CONVERSION_UNCOMPRESSED) {\n OPENSSL_PUT_ERROR(EC, EC_R_INVALID_FORM);\n return 0;\n }\n\n const size_t field_len = BN_num_bytes(&group->field.N);\n size_t output_len = 1 /* type byte */ + field_len;\n if (form == POINT_CONVERSION_UNCOMPRESSED) {\n // Uncompressed points have a second coordinate.\n output_len += field_len;\n }\n return output_len;\n}\n\nsize_t ec_point_to_bytes(const EC_GROUP *group, const EC_AFFINE *point,\n point_conversion_form_t form, uint8_t *buf,\n size_t max_out) {\n size_t output_len = ec_point_byte_len(group, form);\n if (max_out < output_len) {\n OPENSSL_PUT_ERROR(EC, EC_R_BUFFER_TOO_SMALL);\n return 0;\n }\n\n size_t field_len;\n ec_felem_to_bytes(group, buf + 1, &field_len, &point->X);\n assert(field_len == BN_num_bytes(&group->field.N));\n\n if (form == POINT_CONVERSION_UNCOMPRESSED) {\n ec_felem_to_bytes(group, buf + 1 + field_len, &field_len, &point->Y);\n assert(field_len == BN_num_bytes(&group->field.N));\n buf[0] = form;\n } else {\n uint8_t y_buf[EC_MAX_BYTES];\n ec_felem_to_bytes(group, y_buf, &field_len, &point->Y);\n buf[0] = form + (y_buf[field_len - 1] & 1);\n }\n\n return output_len;\n}\n\nint ec_point_from_uncompressed(const EC_GROUP *group, EC_AFFINE *out,\n const uint8_t *in, size_t len) {\n const size_t field_len = BN_num_bytes(&group->field.N);\n if (len != 1 + 2 * field_len || in[0] != POINT_CONVERSION_UNCOMPRESSED) {\n OPENSSL_PUT_ERROR(EC, EC_R_INVALID_ENCODING);\n return 0;\n }\n\n EC_FELEM x, y;\n if (!ec_felem_from_bytes(group, &x, in + 1, field_len) ||\n !ec_felem_from_bytes(group, &y, in + 1 + field_len, field_len) ||\n !ec_point_set_affine_coordinates(group, out, &x, &y)) {\n return 0;\n }\n\n return 1;\n}\n\nstatic int ec_GFp_simple_oct2point(const EC_GROUP *group, EC_POINT *point,\n const uint8_t *buf, size_t len,\n BN_CTX *ctx) {\n if (len == 0) {\n OPENSSL_PUT_ERROR(EC, EC_R_BUFFER_TOO_SMALL);\n return 0;\n }\n\n uint8_t form = buf[0];\n if (form == static_cast(POINT_CONVERSION_UNCOMPRESSED)) {\n EC_AFFINE affine;\n if (!ec_point_from_uncompressed(group, &affine, buf, len)) {\n // In the event of an error, defend against the caller not checking the\n // return value by setting a known safe value.\n ec_set_to_safe_point(group, &point->raw);\n return 0;\n }\n ec_affine_to_jacobian(group, &point->raw, &affine);\n return 1;\n }\n\n const int y_bit = form & 1;\n const size_t field_len = BN_num_bytes(&group->field.N);\n form = form & ~1u;\n if (form != static_cast(POINT_CONVERSION_COMPRESSED) ||\n len != 1 /* type byte */ + field_len) {\n OPENSSL_PUT_ERROR(EC, EC_R_INVALID_ENCODING);\n return 0;\n }\n\n // TODO(davidben): Integrate compressed coordinates with the lower-level EC\n // abstractions. This requires a way to compute square roots, which is tricky\n // for primes which are not 3 (mod 4), namely P-224 and custom curves. P-224's\n // prime is particularly inconvenient for compressed coordinates. See\n // https://cr.yp.to/papers/sqroot.pdf\n BN_CTX *new_ctx = NULL;\n if (ctx == NULL) {\n ctx = new_ctx = BN_CTX_new();\n if (ctx == NULL) {\n return 0;\n }\n }\n\n int ret = 0;\n BN_CTX_start(ctx);\n BIGNUM *x = BN_CTX_get(ctx);\n if (x == NULL || !BN_bin2bn(buf + 1, field_len, x)) {\n goto err;\n }\n if (BN_ucmp(x, &group->field.N) >= 0) {\n OPENSSL_PUT_ERROR(EC, EC_R_INVALID_ENCODING);\n goto err;\n }\n\n if (!EC_POINT_set_compressed_coordinates_GFp(group, point, x, y_bit, ctx)) {\n goto err;\n }\n\n ret = 1;\n\nerr:\n BN_CTX_end(ctx);\n BN_CTX_free(new_ctx);\n return ret;\n}\n\nint EC_POINT_oct2point(const EC_GROUP *group, EC_POINT *point,\n const uint8_t *buf, size_t len, BN_CTX *ctx) {\n if (EC_GROUP_cmp(group, point->group, NULL) != 0) {\n OPENSSL_PUT_ERROR(EC, EC_R_INCOMPATIBLE_OBJECTS);\n return 0;\n }\n return ec_GFp_simple_oct2point(group, point, buf, len, ctx);\n}\n\nsize_t EC_POINT_point2oct(const EC_GROUP *group, const EC_POINT *point,\n point_conversion_form_t form, uint8_t *buf,\n size_t max_out, BN_CTX *ctx) {\n if (EC_GROUP_cmp(group, point->group, NULL) != 0) {\n OPENSSL_PUT_ERROR(EC, EC_R_INCOMPATIBLE_OBJECTS);\n return 0;\n }\n if (buf == NULL) {\n // When |buf| is NULL, just return the number of bytes that would be\n // written, without doing an expensive Jacobian-to-affine conversion.\n if (ec_GFp_simple_is_at_infinity(group, &point->raw)) {\n OPENSSL_PUT_ERROR(EC, EC_R_POINT_AT_INFINITY);\n return 0;\n }\n return ec_point_byte_len(group, form);\n }\n EC_AFFINE affine;\n if (!ec_jacobian_to_affine(group, &affine, &point->raw)) {\n return 0;\n }\n return ec_point_to_bytes(group, &affine, form, buf, max_out);\n}\n\nsize_t EC_POINT_point2buf(const EC_GROUP *group, const EC_POINT *point,\n point_conversion_form_t form, uint8_t **out_buf,\n BN_CTX *ctx) {\n *out_buf = NULL;\n size_t len = EC_POINT_point2oct(group, point, form, NULL, 0, ctx);\n if (len == 0) {\n return 0;\n }\n uint8_t *buf = reinterpret_cast(OPENSSL_malloc(len));\n if (buf == NULL) {\n return 0;\n }\n len = EC_POINT_point2oct(group, point, form, buf, len, ctx);\n if (len == 0) {\n OPENSSL_free(buf);\n return 0;\n }\n *out_buf = buf;\n return len;\n}\n\nint EC_POINT_set_compressed_coordinates_GFp(const EC_GROUP *group,\n EC_POINT *point, const BIGNUM *x,\n int y_bit, BN_CTX *ctx) {\n if (EC_GROUP_cmp(group, point->group, NULL) != 0) {\n OPENSSL_PUT_ERROR(EC, EC_R_INCOMPATIBLE_OBJECTS);\n return 0;\n }\n\n const BIGNUM *field = &group->field.N;\n if (BN_is_negative(x) || BN_cmp(x, field) >= 0) {\n OPENSSL_PUT_ERROR(EC, EC_R_INVALID_COMPRESSED_POINT);\n return 0;\n }\n\n BN_CTX *new_ctx = NULL;\n int ret = 0;\n\n ERR_clear_error();\n\n if (ctx == NULL) {\n ctx = new_ctx = BN_CTX_new();\n if (ctx == NULL) {\n return 0;\n }\n }\n\n y_bit = (y_bit != 0);\n\n BN_CTX_start(ctx);\n BIGNUM *tmp1 = BN_CTX_get(ctx);\n BIGNUM *tmp2 = BN_CTX_get(ctx);\n BIGNUM *a = BN_CTX_get(ctx);\n BIGNUM *b = BN_CTX_get(ctx);\n BIGNUM *y = BN_CTX_get(ctx);\n if (y == NULL || !EC_GROUP_get_curve_GFp(group, NULL, a, b, ctx)) {\n goto err;\n }\n\n // Recover y. We have a Weierstrass equation\n // y^2 = x^3 + a*x + b,\n // so y is one of the square roots of x^3 + a*x + b.\n\n // tmp1 := x^3\n if (!BN_mod_sqr(tmp2, x, field, ctx) ||\n !BN_mod_mul(tmp1, tmp2, x, field, ctx)) {\n goto err;\n }\n\n // tmp1 := tmp1 + a*x\n if (group->a_is_minus3) {\n if (!bn_mod_lshift1_consttime(tmp2, x, field, ctx) ||\n !bn_mod_add_consttime(tmp2, tmp2, x, field, ctx) ||\n !bn_mod_sub_consttime(tmp1, tmp1, tmp2, field, ctx)) {\n goto err;\n }\n } else {\n if (!BN_mod_mul(tmp2, a, x, field, ctx) ||\n !bn_mod_add_consttime(tmp1, tmp1, tmp2, field, ctx)) {\n goto err;\n }\n }\n\n // tmp1 := tmp1 + b\n if (!bn_mod_add_consttime(tmp1, tmp1, b, field, ctx)) {\n goto err;\n }\n\n if (!BN_mod_sqrt(y, tmp1, field, ctx)) {\n uint32_t err = ERR_peek_last_error();\n if (ERR_GET_LIB(err) == ERR_LIB_BN &&\n ERR_GET_REASON(err) == BN_R_NOT_A_SQUARE) {\n ERR_clear_error();\n OPENSSL_PUT_ERROR(EC, EC_R_INVALID_COMPRESSED_POINT);\n } else {\n OPENSSL_PUT_ERROR(EC, ERR_R_BN_LIB);\n }\n goto err;\n }\n\n if (y_bit != BN_is_odd(y)) {\n if (BN_is_zero(y)) {\n OPENSSL_PUT_ERROR(EC, EC_R_INVALID_COMPRESSION_BIT);\n goto err;\n }\n if (!BN_usub(y, field, y)) {\n goto err;\n }\n }\n if (y_bit != BN_is_odd(y)) {\n OPENSSL_PUT_ERROR(EC, ERR_R_INTERNAL_ERROR);\n goto err;\n }\n\n if (!EC_POINT_set_affine_coordinates_GFp(group, point, x, y, ctx)) {\n goto err;\n }\n\n ret = 1;\n\nerr:\n BN_CTX_end(ctx);\n BN_CTX_free(new_ctx);\n return ret;\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/fipsmodule/ec/p224-64.cc.inc", "content": "/* Copyright 2015 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n// A 64-bit implementation of the NIST P-224 elliptic curve point multiplication\n//\n// Inspired by Daniel J. Bernstein's public domain nistp224 implementation\n// and Adam Langley's public domain 64-bit C implementation of curve25519.\n\n#include \n\n#include \n#include \n#include \n#include \n\n#include \n#include \n\n#include \"internal.h\"\n#include \"../delocate.h\"\n#include \"../../internal.h\"\n\n\n#if defined(BORINGSSL_HAS_UINT128) && !defined(OPENSSL_SMALL)\n\n// Field elements are represented as a_0 + 2^56*a_1 + 2^112*a_2 + 2^168*a_3\n// using 64-bit coefficients called 'limbs', and sometimes (for multiplication\n// results) as b_0 + 2^56*b_1 + 2^112*b_2 + 2^168*b_3 + 2^224*b_4 + 2^280*b_5 +\n// 2^336*b_6 using 128-bit coefficients called 'widelimbs'. A 4-p224_limb\n// representation is an 'p224_felem'; a 7-p224_widelimb representation is a\n// 'p224_widefelem'. Even within felems, bits of adjacent limbs overlap, and we\n// don't always reduce the representations: we ensure that inputs to each\n// p224_felem multiplication satisfy a_i < 2^60, so outputs satisfy b_i <\n// 4*2^60*2^60, and fit into a 128-bit word without overflow. The coefficients\n// are then again partially reduced to obtain an p224_felem satisfying a_i <\n// 2^57. We only reduce to the unique minimal representation at the end of the\n// computation.\n\ntypedef uint64_t p224_limb;\ntypedef uint128_t p224_widelimb;\n\ntypedef p224_limb p224_felem[4];\ntypedef p224_widelimb p224_widefelem[7];\n\n// Precomputed multiples of the standard generator\n// Points are given in coordinates (X, Y, Z) where Z normally is 1\n// (0 for the point at infinity).\n// For each field element, slice a_0 is word 0, etc.\n//\n// The table has 2 * 16 elements, starting with the following:\n// index | bits | point\n// ------+---------+------------------------------\n// 0 | 0 0 0 0 | 0G\n// 1 | 0 0 0 1 | 1G\n// 2 | 0 0 1 0 | 2^56G\n// 3 | 0 0 1 1 | (2^56 + 1)G\n// 4 | 0 1 0 0 | 2^112G\n// 5 | 0 1 0 1 | (2^112 + 1)G\n// 6 | 0 1 1 0 | (2^112 + 2^56)G\n// 7 | 0 1 1 1 | (2^112 + 2^56 + 1)G\n// 8 | 1 0 0 0 | 2^168G\n// 9 | 1 0 0 1 | (2^168 + 1)G\n// 10 | 1 0 1 0 | (2^168 + 2^56)G\n// 11 | 1 0 1 1 | (2^168 + 2^56 + 1)G\n// 12 | 1 1 0 0 | (2^168 + 2^112)G\n// 13 | 1 1 0 1 | (2^168 + 2^112 + 1)G\n// 14 | 1 1 1 0 | (2^168 + 2^112 + 2^56)G\n// 15 | 1 1 1 1 | (2^168 + 2^112 + 2^56 + 1)G\n// followed by a copy of this with each element multiplied by 2^28.\n//\n// The reason for this is so that we can clock bits into four different\n// locations when doing simple scalar multiplies against the base point,\n// and then another four locations using the second 16 elements.\nstatic const p224_felem g_p224_pre_comp[2][16][3] = {\n {{{0, 0, 0, 0}, {0, 0, 0, 0}, {0, 0, 0, 0}},\n {{0x3280d6115c1d21, 0xc1d356c2112234, 0x7f321390b94a03, 0xb70e0cbd6bb4bf},\n {0xd5819985007e34, 0x75a05a07476444, 0xfb4c22dfe6cd43, 0xbd376388b5f723},\n {1, 0, 0, 0}},\n {{0xfd9675666ebbe9, 0xbca7664d40ce5e, 0x2242df8d8a2a43, 0x1f49bbb0f99bc5},\n {0x29e0b892dc9c43, 0xece8608436e662, 0xdc858f185310d0, 0x9812dd4eb8d321},\n {1, 0, 0, 0}},\n {{0x6d3e678d5d8eb8, 0x559eed1cb362f1, 0x16e9a3bbce8a3f, 0xeedcccd8c2a748},\n {0xf19f90ed50266d, 0xabf2b4bf65f9df, 0x313865468fafec, 0x5cb379ba910a17},\n {1, 0, 0, 0}},\n {{0x0641966cab26e3, 0x91fb2991fab0a0, 0xefec27a4e13a0b, 0x0499aa8a5f8ebe},\n {0x7510407766af5d, 0x84d929610d5450, 0x81d77aae82f706, 0x6916f6d4338c5b},\n {1, 0, 0, 0}},\n {{0xea95ac3b1f15c6, 0x086000905e82d4, 0xdd323ae4d1c8b1, 0x932b56be7685a3},\n {0x9ef93dea25dbbf, 0x41665960f390f0, 0xfdec76dbe2a8a7, 0x523e80f019062a},\n {1, 0, 0, 0}},\n {{0x822fdd26732c73, 0xa01c83531b5d0f, 0x363f37347c1ba4, 0xc391b45c84725c},\n {0xbbd5e1b2d6ad24, 0xddfbcde19dfaec, 0xc393da7e222a7f, 0x1efb7890ede244},\n {1, 0, 0, 0}},\n {{0x4c9e90ca217da1, 0xd11beca79159bb, 0xff8d33c2c98b7c, 0x2610b39409f849},\n {0x44d1352ac64da0, 0xcdbb7b2c46b4fb, 0x966c079b753c89, 0xfe67e4e820b112},\n {1, 0, 0, 0}},\n {{0xe28cae2df5312d, 0xc71b61d16f5c6e, 0x79b7619a3e7c4c, 0x05c73240899b47},\n {0x9f7f6382c73e3a, 0x18615165c56bda, 0x641fab2116fd56, 0x72855882b08394},\n {1, 0, 0, 0}},\n {{0x0469182f161c09, 0x74a98ca8d00fb5, 0xb89da93489a3e0, 0x41c98768fb0c1d},\n {0xe5ea05fb32da81, 0x3dce9ffbca6855, 0x1cfe2d3fbf59e6, 0x0e5e03408738a7},\n {1, 0, 0, 0}},\n {{0xdab22b2333e87f, 0x4430137a5dd2f6, 0xe03ab9f738beb8, 0xcb0c5d0dc34f24},\n {0x764a7df0c8fda5, 0x185ba5c3fa2044, 0x9281d688bcbe50, 0xc40331df893881},\n {1, 0, 0, 0}},\n {{0xb89530796f0f60, 0xade92bd26909a3, 0x1a0c83fb4884da, 0x1765bf22a5a984},\n {0x772a9ee75db09e, 0x23bc6c67cec16f, 0x4c1edba8b14e2f, 0xe2a215d9611369},\n {1, 0, 0, 0}},\n {{0x571e509fb5efb3, 0xade88696410552, 0xc8ae85fada74fe, 0x6c7e4be83bbde3},\n {0xff9f51160f4652, 0xb47ce2495a6539, 0xa2946c53b582f4, 0x286d2db3ee9a60},\n {1, 0, 0, 0}},\n {{0x40bbd5081a44af, 0x0995183b13926c, 0xbcefba6f47f6d0, 0x215619e9cc0057},\n {0x8bc94d3b0df45e, 0xf11c54a3694f6f, 0x8631b93cdfe8b5, 0xe7e3f4b0982db9},\n {1, 0, 0, 0}},\n {{0xb17048ab3e1c7b, 0xac38f36ff8a1d8, 0x1c29819435d2c6, 0xc813132f4c07e9},\n {0x2891425503b11f, 0x08781030579fea, 0xf5426ba5cc9674, 0x1e28ebf18562bc},\n {1, 0, 0, 0}},\n {{0x9f31997cc864eb, 0x06cd91d28b5e4c, 0xff17036691a973, 0xf1aef351497c58},\n {0xdd1f2d600564ff, 0xdead073b1402db, 0x74a684435bd693, 0xeea7471f962558},\n {1, 0, 0, 0}}},\n {{{0, 0, 0, 0}, {0, 0, 0, 0}, {0, 0, 0, 0}},\n {{0x9665266dddf554, 0x9613d78b60ef2d, 0xce27a34cdba417, 0xd35ab74d6afc31},\n {0x85ccdd22deb15e, 0x2137e5783a6aab, 0xa141cffd8c93c6, 0x355a1830e90f2d},\n {1, 0, 0, 0}},\n {{0x1a494eadaade65, 0xd6da4da77fe53c, 0xe7992996abec86, 0x65c3553c6090e3},\n {0xfa610b1fb09346, 0xf1c6540b8a4aaf, 0xc51a13ccd3cbab, 0x02995b1b18c28a},\n {1, 0, 0, 0}},\n {{0x7874568e7295ef, 0x86b419fbe38d04, 0xdc0690a7550d9a, 0xd3966a44beac33},\n {0x2b7280ec29132f, 0xbeaa3b6a032df3, 0xdc7dd88ae41200, 0xd25e2513e3a100},\n {1, 0, 0, 0}},\n {{0x924857eb2efafd, 0xac2bce41223190, 0x8edaa1445553fc, 0x825800fd3562d5},\n {0x8d79148ea96621, 0x23a01c3dd9ed8d, 0xaf8b219f9416b5, 0xd8db0cc277daea},\n {1, 0, 0, 0}},\n {{0x76a9c3b1a700f0, 0xe9acd29bc7e691, 0x69212d1a6b0327, 0x6322e97fe154be},\n {0x469fc5465d62aa, 0x8d41ed18883b05, 0x1f8eae66c52b88, 0xe4fcbe9325be51},\n {1, 0, 0, 0}},\n {{0x825fdf583cac16, 0x020b857c7b023a, 0x683c17744b0165, 0x14ffd0a2daf2f1},\n {0x323b36184218f9, 0x4944ec4e3b47d4, 0xc15b3080841acf, 0x0bced4b01a28bb},\n {1, 0, 0, 0}},\n {{0x92ac22230df5c4, 0x52f33b4063eda8, 0xcb3f19870c0c93, 0x40064f2ba65233},\n {0xfe16f0924f8992, 0x012da25af5b517, 0x1a57bb24f723a6, 0x06f8bc76760def},\n {1, 0, 0, 0}},\n {{0x4a7084f7817cb9, 0xbcab0738ee9a78, 0x3ec11e11d9c326, 0xdc0fe90e0f1aae},\n {0xcf639ea5f98390, 0x5c350aa22ffb74, 0x9afae98a4047b7, 0x956ec2d617fc45},\n {1, 0, 0, 0}},\n {{0x4306d648c1be6a, 0x9247cd8bc9a462, 0xf5595e377d2f2e, 0xbd1c3caff1a52e},\n {0x045e14472409d0, 0x29f3e17078f773, 0x745a602b2d4f7d, 0x191837685cdfbb},\n {1, 0, 0, 0}},\n {{0x5b6ee254a8cb79, 0x4953433f5e7026, 0xe21faeb1d1def4, 0xc4c225785c09de},\n {0x307ce7bba1e518, 0x31b125b1036db8, 0x47e91868839e8f, 0xc765866e33b9f3},\n {1, 0, 0, 0}},\n {{0x3bfece24f96906, 0x4794da641e5093, 0xde5df64f95db26, 0x297ecd89714b05},\n {0x701bd3ebb2c3aa, 0x7073b4f53cb1d5, 0x13c5665658af16, 0x9895089d66fe58},\n {1, 0, 0, 0}},\n {{0x0fef05f78c4790, 0x2d773633b05d2e, 0x94229c3a951c94, 0xbbbd70df4911bb},\n {0xb2c6963d2c1168, 0x105f47a72b0d73, 0x9fdf6111614080, 0x7b7e94b39e67b0},\n {1, 0, 0, 0}},\n {{0xad1a7d6efbe2b3, 0xf012482c0da69d, 0x6b3bdf12438345, 0x40d7558d7aa4d9},\n {0x8a09fffb5c6d3d, 0x9a356e5d9ffd38, 0x5973f15f4f9b1c, 0xdcd5f59f63c3ea},\n {1, 0, 0, 0}},\n {{0xacf39f4c5ca7ab, 0x4c8071cc5fd737, 0xc64e3602cd1184, 0x0acd4644c9abba},\n {0x6c011a36d8bf6e, 0xfecd87ba24e32a, 0x19f6f56574fad8, 0x050b204ced9405},\n {1, 0, 0, 0}},\n {{0xed4f1cae7d9a96, 0x5ceef7ad94c40a, 0x778e4a3bf3ef9b, 0x7405783dc3b55e},\n {0x32477c61b6e8c6, 0xb46a97570f018b, 0x91176d0a7e95d1, 0x3df90fbc4c7d0e},\n {1, 0, 0, 0}}}};\n\n\n// Helper functions to convert field elements to/from internal representation\n\nstatic void p224_generic_to_felem(p224_felem out, const EC_FELEM *in) {\n // |p224_felem|'s minimal representation uses four 56-bit words. |EC_FELEM|\n // uses four 64-bit words. (The top-most word only has 32 bits.)\n out[0] = in->words[0] & 0x00ffffffffffffff;\n out[1] = ((in->words[0] >> 56) | (in->words[1] << 8)) & 0x00ffffffffffffff;\n out[2] = ((in->words[1] >> 48) | (in->words[2] << 16)) & 0x00ffffffffffffff;\n out[3] = ((in->words[2] >> 40) | (in->words[3] << 24)) & 0x00ffffffffffffff;\n}\n\n// Requires 0 <= in < 2*p (always call p224_felem_reduce first)\nstatic void p224_felem_to_generic(EC_FELEM *out, const p224_felem in) {\n // Reduce to unique minimal representation.\n static const int64_t two56 = ((p224_limb)1) << 56;\n // 0 <= in < 2*p, p = 2^224 - 2^96 + 1\n // if in > p , reduce in = in - 2^224 + 2^96 - 1\n int64_t tmp[4], a;\n tmp[0] = in[0];\n tmp[1] = in[1];\n tmp[2] = in[2];\n tmp[3] = in[3];\n // Case 1: a = 1 iff in >= 2^224\n a = (in[3] >> 56);\n tmp[0] -= a;\n tmp[1] += a << 40;\n tmp[3] &= 0x00ffffffffffffff;\n // Case 2: a = 0 iff p <= in < 2^224, i.e., the high 128 bits are all 1 and\n // the lower part is non-zero\n a = ((in[3] & in[2] & (in[1] | 0x000000ffffffffff)) + 1) |\n (((int64_t)(in[0] + (in[1] & 0x000000ffffffffff)) - 1) >> 63);\n a &= 0x00ffffffffffffff;\n // turn a into an all-one mask (if a = 0) or an all-zero mask\n a = (a - 1) >> 63;\n // subtract 2^224 - 2^96 + 1 if a is all-one\n tmp[3] &= a ^ 0xffffffffffffffff;\n tmp[2] &= a ^ 0xffffffffffffffff;\n tmp[1] &= (a ^ 0xffffffffffffffff) | 0x000000ffffffffff;\n tmp[0] -= 1 & a;\n\n // eliminate negative coefficients: if tmp[0] is negative, tmp[1] must\n // be non-zero, so we only need one step\n a = tmp[0] >> 63;\n tmp[0] += two56 & a;\n tmp[1] -= 1 & a;\n\n // carry 1 -> 2 -> 3\n tmp[2] += tmp[1] >> 56;\n tmp[1] &= 0x00ffffffffffffff;\n\n tmp[3] += tmp[2] >> 56;\n tmp[2] &= 0x00ffffffffffffff;\n\n // Now 0 <= tmp < p\n p224_felem tmp2;\n tmp2[0] = tmp[0];\n tmp2[1] = tmp[1];\n tmp2[2] = tmp[2];\n tmp2[3] = tmp[3];\n\n // |p224_felem|'s minimal representation uses four 56-bit words. |EC_FELEM|\n // uses four 64-bit words. (The top-most word only has 32 bits.)\n out->words[0] = tmp2[0] | (tmp2[1] << 56);\n out->words[1] = (tmp2[1] >> 8) | (tmp2[2] << 48);\n out->words[2] = (tmp2[2] >> 16) | (tmp2[3] << 40);\n out->words[3] = tmp2[3] >> 24;\n}\n\n\n// Field operations, using the internal representation of field elements.\n// NB! These operations are specific to our point multiplication and cannot be\n// expected to be correct in general - e.g., multiplication with a large scalar\n// will cause an overflow.\n\nstatic void p224_felem_assign(p224_felem out, const p224_felem in) {\n out[0] = in[0];\n out[1] = in[1];\n out[2] = in[2];\n out[3] = in[3];\n}\n\n// Sum two field elements: out += in\nstatic void p224_felem_sum(p224_felem out, const p224_felem in) {\n out[0] += in[0];\n out[1] += in[1];\n out[2] += in[2];\n out[3] += in[3];\n}\n\n// Subtract field elements: out -= in\n// Assumes in[i] < 2^57\nstatic void p224_felem_diff(p224_felem out, const p224_felem in) {\n static const p224_limb two58p2 =\n (((p224_limb)1) << 58) + (((p224_limb)1) << 2);\n static const p224_limb two58m2 =\n (((p224_limb)1) << 58) - (((p224_limb)1) << 2);\n static const p224_limb two58m42m2 =\n (((p224_limb)1) << 58) - (((p224_limb)1) << 42) - (((p224_limb)1) << 2);\n\n // Add 0 mod 2^224-2^96+1 to ensure out > in\n out[0] += two58p2;\n out[1] += two58m42m2;\n out[2] += two58m2;\n out[3] += two58m2;\n\n out[0] -= in[0];\n out[1] -= in[1];\n out[2] -= in[2];\n out[3] -= in[3];\n}\n\n// Subtract in unreduced 128-bit mode: out -= in\n// Assumes in[i] < 2^119\nstatic void p224_widefelem_diff(p224_widefelem out, const p224_widefelem in) {\n static const p224_widelimb two120 = ((p224_widelimb)1) << 120;\n static const p224_widelimb two120m64 =\n (((p224_widelimb)1) << 120) - (((p224_widelimb)1) << 64);\n static const p224_widelimb two120m104m64 = (((p224_widelimb)1) << 120) -\n (((p224_widelimb)1) << 104) -\n (((p224_widelimb)1) << 64);\n\n // Add 0 mod 2^224-2^96+1 to ensure out > in\n out[0] += two120;\n out[1] += two120m64;\n out[2] += two120m64;\n out[3] += two120;\n out[4] += two120m104m64;\n out[5] += two120m64;\n out[6] += two120m64;\n\n out[0] -= in[0];\n out[1] -= in[1];\n out[2] -= in[2];\n out[3] -= in[3];\n out[4] -= in[4];\n out[5] -= in[5];\n out[6] -= in[6];\n}\n\n// Subtract in mixed mode: out128 -= in64\n// in[i] < 2^63\nstatic void p224_felem_diff_128_64(p224_widefelem out, const p224_felem in) {\n static const p224_widelimb two64p8 =\n (((p224_widelimb)1) << 64) + (((p224_widelimb)1) << 8);\n static const p224_widelimb two64m8 =\n (((p224_widelimb)1) << 64) - (((p224_widelimb)1) << 8);\n static const p224_widelimb two64m48m8 = (((p224_widelimb)1) << 64) -\n (((p224_widelimb)1) << 48) -\n (((p224_widelimb)1) << 8);\n\n // Add 0 mod 2^224-2^96+1 to ensure out > in\n out[0] += two64p8;\n out[1] += two64m48m8;\n out[2] += two64m8;\n out[3] += two64m8;\n\n out[0] -= in[0];\n out[1] -= in[1];\n out[2] -= in[2];\n out[3] -= in[3];\n}\n\n// Multiply a field element by a scalar: out = out * scalar\n// The scalars we actually use are small, so results fit without overflow\nstatic void p224_felem_scalar(p224_felem out, const p224_limb scalar) {\n out[0] *= scalar;\n out[1] *= scalar;\n out[2] *= scalar;\n out[3] *= scalar;\n}\n\n// Multiply an unreduced field element by a scalar: out = out * scalar\n// The scalars we actually use are small, so results fit without overflow\nstatic void p224_widefelem_scalar(p224_widefelem out,\n const p224_widelimb scalar) {\n out[0] *= scalar;\n out[1] *= scalar;\n out[2] *= scalar;\n out[3] *= scalar;\n out[4] *= scalar;\n out[5] *= scalar;\n out[6] *= scalar;\n}\n\n// Square a field element: out = in^2\nstatic void p224_felem_square(p224_widefelem out, const p224_felem in) {\n p224_limb tmp0, tmp1, tmp2;\n tmp0 = 2 * in[0];\n tmp1 = 2 * in[1];\n tmp2 = 2 * in[2];\n out[0] = ((p224_widelimb)in[0]) * in[0];\n out[1] = ((p224_widelimb)in[0]) * tmp1;\n out[2] = ((p224_widelimb)in[0]) * tmp2 + ((p224_widelimb)in[1]) * in[1];\n out[3] = ((p224_widelimb)in[3]) * tmp0 + ((p224_widelimb)in[1]) * tmp2;\n out[4] = ((p224_widelimb)in[3]) * tmp1 + ((p224_widelimb)in[2]) * in[2];\n out[5] = ((p224_widelimb)in[3]) * tmp2;\n out[6] = ((p224_widelimb)in[3]) * in[3];\n}\n\n// Multiply two field elements: out = in1 * in2\nstatic void p224_felem_mul(p224_widefelem out, const p224_felem in1,\n const p224_felem in2) {\n out[0] = ((p224_widelimb)in1[0]) * in2[0];\n out[1] = ((p224_widelimb)in1[0]) * in2[1] + ((p224_widelimb)in1[1]) * in2[0];\n out[2] = ((p224_widelimb)in1[0]) * in2[2] + ((p224_widelimb)in1[1]) * in2[1] +\n ((p224_widelimb)in1[2]) * in2[0];\n out[3] = ((p224_widelimb)in1[0]) * in2[3] + ((p224_widelimb)in1[1]) * in2[2] +\n ((p224_widelimb)in1[2]) * in2[1] + ((p224_widelimb)in1[3]) * in2[0];\n out[4] = ((p224_widelimb)in1[1]) * in2[3] + ((p224_widelimb)in1[2]) * in2[2] +\n ((p224_widelimb)in1[3]) * in2[1];\n out[5] = ((p224_widelimb)in1[2]) * in2[3] + ((p224_widelimb)in1[3]) * in2[2];\n out[6] = ((p224_widelimb)in1[3]) * in2[3];\n}\n\n// Reduce seven 128-bit coefficients to four 64-bit coefficients.\n// Requires in[i] < 2^126,\n// ensures out[0] < 2^56, out[1] < 2^56, out[2] < 2^56, out[3] <= 2^56 + 2^16\nstatic void p224_felem_reduce(p224_felem out, const p224_widefelem in) {\n static const p224_widelimb two127p15 =\n (((p224_widelimb)1) << 127) + (((p224_widelimb)1) << 15);\n static const p224_widelimb two127m71 =\n (((p224_widelimb)1) << 127) - (((p224_widelimb)1) << 71);\n static const p224_widelimb two127m71m55 = (((p224_widelimb)1) << 127) -\n (((p224_widelimb)1) << 71) -\n (((p224_widelimb)1) << 55);\n p224_widelimb output[5];\n\n // Add 0 mod 2^224-2^96+1 to ensure all differences are positive\n output[0] = in[0] + two127p15;\n output[1] = in[1] + two127m71m55;\n output[2] = in[2] + two127m71;\n output[3] = in[3];\n output[4] = in[4];\n\n // Eliminate in[4], in[5], in[6]\n output[4] += in[6] >> 16;\n output[3] += (in[6] & 0xffff) << 40;\n output[2] -= in[6];\n\n output[3] += in[5] >> 16;\n output[2] += (in[5] & 0xffff) << 40;\n output[1] -= in[5];\n\n output[2] += output[4] >> 16;\n output[1] += (output[4] & 0xffff) << 40;\n output[0] -= output[4];\n\n // Carry 2 -> 3 -> 4\n output[3] += output[2] >> 56;\n output[2] &= 0x00ffffffffffffff;\n\n output[4] = output[3] >> 56;\n output[3] &= 0x00ffffffffffffff;\n\n // Now output[2] < 2^56, output[3] < 2^56, output[4] < 2^72\n\n // Eliminate output[4]\n output[2] += output[4] >> 16;\n // output[2] < 2^56 + 2^56 = 2^57\n output[1] += (output[4] & 0xffff) << 40;\n output[0] -= output[4];\n\n // Carry 0 -> 1 -> 2 -> 3\n output[1] += output[0] >> 56;\n out[0] = output[0] & 0x00ffffffffffffff;\n\n output[2] += output[1] >> 56;\n // output[2] < 2^57 + 2^72\n out[1] = output[1] & 0x00ffffffffffffff;\n output[3] += output[2] >> 56;\n // output[3] <= 2^56 + 2^16\n out[2] = output[2] & 0x00ffffffffffffff;\n\n // out[0] < 2^56, out[1] < 2^56, out[2] < 2^56,\n // out[3] <= 2^56 + 2^16 (due to final carry),\n // so out < 2*p\n out[3] = output[3];\n}\n\n// Get negative value: out = -in\n// Requires in[i] < 2^63,\n// ensures out[0] < 2^56, out[1] < 2^56, out[2] < 2^56, out[3] <= 2^56 + 2^16\nstatic void p224_felem_neg(p224_felem out, const p224_felem in) {\n p224_widefelem tmp = {0};\n p224_felem_diff_128_64(tmp, in);\n p224_felem_reduce(out, tmp);\n}\n\n// Zero-check: returns 1 if input is 0, and 0 otherwise. We know that field\n// elements are reduced to in < 2^225, so we only need to check three cases: 0,\n// 2^224 - 2^96 + 1, and 2^225 - 2^97 + 2\nstatic p224_limb p224_felem_is_zero(const p224_felem in) {\n p224_limb zero = in[0] | in[1] | in[2] | in[3];\n zero = (((int64_t)(zero)-1) >> 63) & 1;\n\n p224_limb two224m96p1 = (in[0] ^ 1) | (in[1] ^ 0x00ffff0000000000) |\n (in[2] ^ 0x00ffffffffffffff) |\n (in[3] ^ 0x00ffffffffffffff);\n two224m96p1 = (((int64_t)(two224m96p1)-1) >> 63) & 1;\n p224_limb two225m97p2 = (in[0] ^ 2) | (in[1] ^ 0x00fffe0000000000) |\n (in[2] ^ 0x00ffffffffffffff) |\n (in[3] ^ 0x01ffffffffffffff);\n two225m97p2 = (((int64_t)(two225m97p2)-1) >> 63) & 1;\n return (zero | two224m96p1 | two225m97p2);\n}\n\n// Invert a field element\n// Computation chain copied from djb's code\nstatic void p224_felem_inv(p224_felem out, const p224_felem in) {\n p224_felem ftmp, ftmp2, ftmp3, ftmp4;\n p224_widefelem tmp;\n\n p224_felem_square(tmp, in);\n p224_felem_reduce(ftmp, tmp); // 2\n p224_felem_mul(tmp, in, ftmp);\n p224_felem_reduce(ftmp, tmp); // 2^2 - 1\n p224_felem_square(tmp, ftmp);\n p224_felem_reduce(ftmp, tmp); // 2^3 - 2\n p224_felem_mul(tmp, in, ftmp);\n p224_felem_reduce(ftmp, tmp); // 2^3 - 1\n p224_felem_square(tmp, ftmp);\n p224_felem_reduce(ftmp2, tmp); // 2^4 - 2\n p224_felem_square(tmp, ftmp2);\n p224_felem_reduce(ftmp2, tmp); // 2^5 - 4\n p224_felem_square(tmp, ftmp2);\n p224_felem_reduce(ftmp2, tmp); // 2^6 - 8\n p224_felem_mul(tmp, ftmp2, ftmp);\n p224_felem_reduce(ftmp, tmp); // 2^6 - 1\n p224_felem_square(tmp, ftmp);\n p224_felem_reduce(ftmp2, tmp); // 2^7 - 2\n for (size_t i = 0; i < 5; ++i) { // 2^12 - 2^6\n p224_felem_square(tmp, ftmp2);\n p224_felem_reduce(ftmp2, tmp);\n }\n p224_felem_mul(tmp, ftmp2, ftmp);\n p224_felem_reduce(ftmp2, tmp); // 2^12 - 1\n p224_felem_square(tmp, ftmp2);\n p224_felem_reduce(ftmp3, tmp); // 2^13 - 2\n for (size_t i = 0; i < 11; ++i) { // 2^24 - 2^12\n p224_felem_square(tmp, ftmp3);\n p224_felem_reduce(ftmp3, tmp);\n }\n p224_felem_mul(tmp, ftmp3, ftmp2);\n p224_felem_reduce(ftmp2, tmp); // 2^24 - 1\n p224_felem_square(tmp, ftmp2);\n p224_felem_reduce(ftmp3, tmp); // 2^25 - 2\n for (size_t i = 0; i < 23; ++i) { // 2^48 - 2^24\n p224_felem_square(tmp, ftmp3);\n p224_felem_reduce(ftmp3, tmp);\n }\n p224_felem_mul(tmp, ftmp3, ftmp2);\n p224_felem_reduce(ftmp3, tmp); // 2^48 - 1\n p224_felem_square(tmp, ftmp3);\n p224_felem_reduce(ftmp4, tmp); // 2^49 - 2\n for (size_t i = 0; i < 47; ++i) { // 2^96 - 2^48\n p224_felem_square(tmp, ftmp4);\n p224_felem_reduce(ftmp4, tmp);\n }\n p224_felem_mul(tmp, ftmp3, ftmp4);\n p224_felem_reduce(ftmp3, tmp); // 2^96 - 1\n p224_felem_square(tmp, ftmp3);\n p224_felem_reduce(ftmp4, tmp); // 2^97 - 2\n for (size_t i = 0; i < 23; ++i) { // 2^120 - 2^24\n p224_felem_square(tmp, ftmp4);\n p224_felem_reduce(ftmp4, tmp);\n }\n p224_felem_mul(tmp, ftmp2, ftmp4);\n p224_felem_reduce(ftmp2, tmp); // 2^120 - 1\n for (size_t i = 0; i < 6; ++i) { // 2^126 - 2^6\n p224_felem_square(tmp, ftmp2);\n p224_felem_reduce(ftmp2, tmp);\n }\n p224_felem_mul(tmp, ftmp2, ftmp);\n p224_felem_reduce(ftmp, tmp); // 2^126 - 1\n p224_felem_square(tmp, ftmp);\n p224_felem_reduce(ftmp, tmp); // 2^127 - 2\n p224_felem_mul(tmp, ftmp, in);\n p224_felem_reduce(ftmp, tmp); // 2^127 - 1\n for (size_t i = 0; i < 97; ++i) { // 2^224 - 2^97\n p224_felem_square(tmp, ftmp);\n p224_felem_reduce(ftmp, tmp);\n }\n p224_felem_mul(tmp, ftmp, ftmp3);\n p224_felem_reduce(out, tmp); // 2^224 - 2^96 - 1\n}\n\n// Copy in constant time:\n// if icopy == 1, copy in to out,\n// if icopy == 0, copy out to itself.\nstatic void p224_copy_conditional(p224_felem out, const p224_felem in,\n p224_limb icopy) {\n // icopy is a (64-bit) 0 or 1, so copy is either all-zero or all-one\n const p224_limb copy = -icopy;\n for (size_t i = 0; i < 4; ++i) {\n const p224_limb tmp = copy & (in[i] ^ out[i]);\n out[i] ^= tmp;\n }\n}\n\n// ELLIPTIC CURVE POINT OPERATIONS\n//\n// Points are represented in Jacobian projective coordinates:\n// (X, Y, Z) corresponds to the affine point (X/Z^2, Y/Z^3),\n// or to the point at infinity if Z == 0.\n\n// Double an elliptic curve point:\n// (X', Y', Z') = 2 * (X, Y, Z), where\n// X' = (3 * (X - Z^2) * (X + Z^2))^2 - 8 * X * Y^2\n// Y' = 3 * (X - Z^2) * (X + Z^2) * (4 * X * Y^2 - X') - 8 * Y^2\n// Z' = (Y + Z)^2 - Y^2 - Z^2 = 2 * Y * Z\n// Outputs can equal corresponding inputs, i.e., x_out == x_in is allowed,\n// while x_out == y_in is not (maybe this works, but it's not tested).\nstatic void p224_point_double(p224_felem x_out, p224_felem y_out,\n p224_felem z_out, const p224_felem x_in,\n const p224_felem y_in, const p224_felem z_in) {\n p224_widefelem tmp, tmp2;\n p224_felem delta, gamma, beta, alpha, ftmp, ftmp2;\n\n p224_felem_assign(ftmp, x_in);\n p224_felem_assign(ftmp2, x_in);\n\n // delta = z^2\n p224_felem_square(tmp, z_in);\n p224_felem_reduce(delta, tmp);\n\n // gamma = y^2\n p224_felem_square(tmp, y_in);\n p224_felem_reduce(gamma, tmp);\n\n // beta = x*gamma\n p224_felem_mul(tmp, x_in, gamma);\n p224_felem_reduce(beta, tmp);\n\n // alpha = 3*(x-delta)*(x+delta)\n p224_felem_diff(ftmp, delta);\n // ftmp[i] < 2^57 + 2^58 + 2 < 2^59\n p224_felem_sum(ftmp2, delta);\n // ftmp2[i] < 2^57 + 2^57 = 2^58\n p224_felem_scalar(ftmp2, 3);\n // ftmp2[i] < 3 * 2^58 < 2^60\n p224_felem_mul(tmp, ftmp, ftmp2);\n // tmp[i] < 2^60 * 2^59 * 4 = 2^121\n p224_felem_reduce(alpha, tmp);\n\n // x' = alpha^2 - 8*beta\n p224_felem_square(tmp, alpha);\n // tmp[i] < 4 * 2^57 * 2^57 = 2^116\n p224_felem_assign(ftmp, beta);\n p224_felem_scalar(ftmp, 8);\n // ftmp[i] < 8 * 2^57 = 2^60\n p224_felem_diff_128_64(tmp, ftmp);\n // tmp[i] < 2^116 + 2^64 + 8 < 2^117\n p224_felem_reduce(x_out, tmp);\n\n // z' = (y + z)^2 - gamma - delta\n p224_felem_sum(delta, gamma);\n // delta[i] < 2^57 + 2^57 = 2^58\n p224_felem_assign(ftmp, y_in);\n p224_felem_sum(ftmp, z_in);\n // ftmp[i] < 2^57 + 2^57 = 2^58\n p224_felem_square(tmp, ftmp);\n // tmp[i] < 4 * 2^58 * 2^58 = 2^118\n p224_felem_diff_128_64(tmp, delta);\n // tmp[i] < 2^118 + 2^64 + 8 < 2^119\n p224_felem_reduce(z_out, tmp);\n\n // y' = alpha*(4*beta - x') - 8*gamma^2\n p224_felem_scalar(beta, 4);\n // beta[i] < 4 * 2^57 = 2^59\n p224_felem_diff(beta, x_out);\n // beta[i] < 2^59 + 2^58 + 2 < 2^60\n p224_felem_mul(tmp, alpha, beta);\n // tmp[i] < 4 * 2^57 * 2^60 = 2^119\n p224_felem_square(tmp2, gamma);\n // tmp2[i] < 4 * 2^57 * 2^57 = 2^116\n p224_widefelem_scalar(tmp2, 8);\n // tmp2[i] < 8 * 2^116 = 2^119\n p224_widefelem_diff(tmp, tmp2);\n // tmp[i] < 2^119 + 2^120 < 2^121\n p224_felem_reduce(y_out, tmp);\n}\n\n// Add two elliptic curve points:\n// (X_1, Y_1, Z_1) + (X_2, Y_2, Z_2) = (X_3, Y_3, Z_3), where\n// X_3 = (Z_1^3 * Y_2 - Z_2^3 * Y_1)^2 - (Z_1^2 * X_2 - Z_2^2 * X_1)^3 -\n// 2 * Z_2^2 * X_1 * (Z_1^2 * X_2 - Z_2^2 * X_1)^2\n// Y_3 = (Z_1^3 * Y_2 - Z_2^3 * Y_1) * (Z_2^2 * X_1 * (Z_1^2 * X_2 - Z_2^2 *\n// X_1)^2 - X_3) -\n// Z_2^3 * Y_1 * (Z_1^2 * X_2 - Z_2^2 * X_1)^3\n// Z_3 = (Z_1^2 * X_2 - Z_2^2 * X_1) * (Z_1 * Z_2)\n//\n// This runs faster if 'mixed' is set, which requires Z_2 = 1 or Z_2 = 0.\n\n// This function is not entirely constant-time: it includes a branch for\n// checking whether the two input points are equal, (while not equal to the\n// point at infinity). This case never happens during single point\n// multiplication, so there is no timing leak for ECDH or ECDSA signing.\nstatic void p224_point_add(p224_felem x3, p224_felem y3, p224_felem z3,\n const p224_felem x1, const p224_felem y1,\n const p224_felem z1, const int mixed,\n const p224_felem x2, const p224_felem y2,\n const p224_felem z2) {\n p224_felem ftmp, ftmp2, ftmp3, ftmp4, ftmp5, x_out, y_out, z_out;\n p224_widefelem tmp, tmp2;\n p224_limb z1_is_zero, z2_is_zero, x_equal, y_equal;\n\n if (!mixed) {\n // ftmp2 = z2^2\n p224_felem_square(tmp, z2);\n p224_felem_reduce(ftmp2, tmp);\n\n // ftmp4 = z2^3\n p224_felem_mul(tmp, ftmp2, z2);\n p224_felem_reduce(ftmp4, tmp);\n\n // ftmp4 = z2^3*y1\n p224_felem_mul(tmp2, ftmp4, y1);\n p224_felem_reduce(ftmp4, tmp2);\n\n // ftmp2 = z2^2*x1\n p224_felem_mul(tmp2, ftmp2, x1);\n p224_felem_reduce(ftmp2, tmp2);\n } else {\n // We'll assume z2 = 1 (special case z2 = 0 is handled later)\n\n // ftmp4 = z2^3*y1\n p224_felem_assign(ftmp4, y1);\n\n // ftmp2 = z2^2*x1\n p224_felem_assign(ftmp2, x1);\n }\n\n // ftmp = z1^2\n p224_felem_square(tmp, z1);\n p224_felem_reduce(ftmp, tmp);\n\n // ftmp3 = z1^3\n p224_felem_mul(tmp, ftmp, z1);\n p224_felem_reduce(ftmp3, tmp);\n\n // tmp = z1^3*y2\n p224_felem_mul(tmp, ftmp3, y2);\n // tmp[i] < 4 * 2^57 * 2^57 = 2^116\n\n // ftmp3 = z1^3*y2 - z2^3*y1\n p224_felem_diff_128_64(tmp, ftmp4);\n // tmp[i] < 2^116 + 2^64 + 8 < 2^117\n p224_felem_reduce(ftmp3, tmp);\n\n // tmp = z1^2*x2\n p224_felem_mul(tmp, ftmp, x2);\n // tmp[i] < 4 * 2^57 * 2^57 = 2^116\n\n // ftmp = z1^2*x2 - z2^2*x1\n p224_felem_diff_128_64(tmp, ftmp2);\n // tmp[i] < 2^116 + 2^64 + 8 < 2^117\n p224_felem_reduce(ftmp, tmp);\n\n // The formulae are incorrect if the points are equal, so we check for this\n // and do doubling if this happens.\n x_equal = p224_felem_is_zero(ftmp);\n y_equal = p224_felem_is_zero(ftmp3);\n z1_is_zero = p224_felem_is_zero(z1);\n z2_is_zero = p224_felem_is_zero(z2);\n // In affine coordinates, (X_1, Y_1) == (X_2, Y_2)\n p224_limb is_nontrivial_double =\n x_equal & y_equal & (1 - z1_is_zero) & (1 - z2_is_zero);\n if (constant_time_declassify_w(is_nontrivial_double)) {\n p224_point_double(x3, y3, z3, x1, y1, z1);\n return;\n }\n\n // ftmp5 = z1*z2\n if (!mixed) {\n p224_felem_mul(tmp, z1, z2);\n p224_felem_reduce(ftmp5, tmp);\n } else {\n // special case z2 = 0 is handled later\n p224_felem_assign(ftmp5, z1);\n }\n\n // z_out = (z1^2*x2 - z2^2*x1)*(z1*z2)\n p224_felem_mul(tmp, ftmp, ftmp5);\n p224_felem_reduce(z_out, tmp);\n\n // ftmp = (z1^2*x2 - z2^2*x1)^2\n p224_felem_assign(ftmp5, ftmp);\n p224_felem_square(tmp, ftmp);\n p224_felem_reduce(ftmp, tmp);\n\n // ftmp5 = (z1^2*x2 - z2^2*x1)^3\n p224_felem_mul(tmp, ftmp, ftmp5);\n p224_felem_reduce(ftmp5, tmp);\n\n // ftmp2 = z2^2*x1*(z1^2*x2 - z2^2*x1)^2\n p224_felem_mul(tmp, ftmp2, ftmp);\n p224_felem_reduce(ftmp2, tmp);\n\n // tmp = z2^3*y1*(z1^2*x2 - z2^2*x1)^3\n p224_felem_mul(tmp, ftmp4, ftmp5);\n // tmp[i] < 4 * 2^57 * 2^57 = 2^116\n\n // tmp2 = (z1^3*y2 - z2^3*y1)^2\n p224_felem_square(tmp2, ftmp3);\n // tmp2[i] < 4 * 2^57 * 2^57 < 2^116\n\n // tmp2 = (z1^3*y2 - z2^3*y1)^2 - (z1^2*x2 - z2^2*x1)^3\n p224_felem_diff_128_64(tmp2, ftmp5);\n // tmp2[i] < 2^116 + 2^64 + 8 < 2^117\n\n // ftmp5 = 2*z2^2*x1*(z1^2*x2 - z2^2*x1)^2\n p224_felem_assign(ftmp5, ftmp2);\n p224_felem_scalar(ftmp5, 2);\n // ftmp5[i] < 2 * 2^57 = 2^58\n\n /* x_out = (z1^3*y2 - z2^3*y1)^2 - (z1^2*x2 - z2^2*x1)^3 -\n 2*z2^2*x1*(z1^2*x2 - z2^2*x1)^2 */\n p224_felem_diff_128_64(tmp2, ftmp5);\n // tmp2[i] < 2^117 + 2^64 + 8 < 2^118\n p224_felem_reduce(x_out, tmp2);\n\n // ftmp2 = z2^2*x1*(z1^2*x2 - z2^2*x1)^2 - x_out\n p224_felem_diff(ftmp2, x_out);\n // ftmp2[i] < 2^57 + 2^58 + 2 < 2^59\n\n // tmp2 = (z1^3*y2 - z2^3*y1)*(z2^2*x1*(z1^2*x2 - z2^2*x1)^2 - x_out)\n p224_felem_mul(tmp2, ftmp3, ftmp2);\n // tmp2[i] < 4 * 2^57 * 2^59 = 2^118\n\n /* y_out = (z1^3*y2 - z2^3*y1)*(z2^2*x1*(z1^2*x2 - z2^2*x1)^2 - x_out) -\n z2^3*y1*(z1^2*x2 - z2^2*x1)^3 */\n p224_widefelem_diff(tmp2, tmp);\n // tmp2[i] < 2^118 + 2^120 < 2^121\n p224_felem_reduce(y_out, tmp2);\n\n // the result (x_out, y_out, z_out) is incorrect if one of the inputs is\n // the point at infinity, so we need to check for this separately\n\n // if point 1 is at infinity, copy point 2 to output, and vice versa\n p224_copy_conditional(x_out, x2, z1_is_zero);\n p224_copy_conditional(x_out, x1, z2_is_zero);\n p224_copy_conditional(y_out, y2, z1_is_zero);\n p224_copy_conditional(y_out, y1, z2_is_zero);\n p224_copy_conditional(z_out, z2, z1_is_zero);\n p224_copy_conditional(z_out, z1, z2_is_zero);\n p224_felem_assign(x3, x_out);\n p224_felem_assign(y3, y_out);\n p224_felem_assign(z3, z_out);\n}\n\n// p224_select_point selects the |idx|th point from a precomputation table and\n// copies it to out.\nstatic void p224_select_point(const uint64_t idx, size_t size,\n const p224_felem pre_comp[/*size*/][3],\n p224_felem out[3]) {\n p224_limb *outlimbs = &out[0][0];\n OPENSSL_memset(outlimbs, 0, 3 * sizeof(p224_felem));\n\n for (size_t i = 0; i < size; i++) {\n const p224_limb *inlimbs = &pre_comp[i][0][0];\n static_assert(sizeof(uint64_t) <= sizeof(crypto_word_t),\n \"crypto_word_t too small\");\n static_assert(sizeof(size_t) <= sizeof(crypto_word_t),\n \"crypto_word_t too small\");\n // Without a value barrier, Clang adds a branch here.\n uint64_t mask = value_barrier_w(constant_time_eq_w(i, idx));\n for (size_t j = 0; j < 4 * 3; j++) {\n outlimbs[j] |= inlimbs[j] & mask;\n }\n }\n}\n\n// p224_get_bit returns the |i|th bit in |in|.\nstatic crypto_word_t p224_get_bit(const EC_SCALAR *in, size_t i) {\n if (i >= 224) {\n return 0;\n }\n static_assert(sizeof(in->words[0]) == 8, \"BN_ULONG is not 64-bit\");\n return (in->words[i >> 6] >> (i & 63)) & 1;\n}\n\n// Takes the Jacobian coordinates (X, Y, Z) of a point and returns\n// (X', Y') = (X/Z^2, Y/Z^3)\nstatic int ec_GFp_nistp224_point_get_affine_coordinates(\n const EC_GROUP *group, const EC_JACOBIAN *point, EC_FELEM *x,\n EC_FELEM *y) {\n if (constant_time_declassify_int(\n ec_GFp_simple_is_at_infinity(group, point))) {\n OPENSSL_PUT_ERROR(EC, EC_R_POINT_AT_INFINITY);\n return 0;\n }\n\n p224_felem z1, z2;\n p224_widefelem tmp;\n p224_generic_to_felem(z1, &point->Z);\n p224_felem_inv(z2, z1);\n p224_felem_square(tmp, z2);\n p224_felem_reduce(z1, tmp);\n\n if (x != NULL) {\n p224_felem x_in, x_out;\n p224_generic_to_felem(x_in, &point->X);\n p224_felem_mul(tmp, x_in, z1);\n p224_felem_reduce(x_out, tmp);\n p224_felem_to_generic(x, x_out);\n }\n\n if (y != NULL) {\n p224_felem y_in, y_out;\n p224_generic_to_felem(y_in, &point->Y);\n p224_felem_mul(tmp, z1, z2);\n p224_felem_reduce(z1, tmp);\n p224_felem_mul(tmp, y_in, z1);\n p224_felem_reduce(y_out, tmp);\n p224_felem_to_generic(y, y_out);\n }\n\n return 1;\n}\n\nstatic void ec_GFp_nistp224_add(const EC_GROUP *group, EC_JACOBIAN *r,\n const EC_JACOBIAN *a, const EC_JACOBIAN *b) {\n p224_felem x1, y1, z1, x2, y2, z2;\n p224_generic_to_felem(x1, &a->X);\n p224_generic_to_felem(y1, &a->Y);\n p224_generic_to_felem(z1, &a->Z);\n p224_generic_to_felem(x2, &b->X);\n p224_generic_to_felem(y2, &b->Y);\n p224_generic_to_felem(z2, &b->Z);\n p224_point_add(x1, y1, z1, x1, y1, z1, 0 /* both Jacobian */, x2, y2, z2);\n // The outputs are already reduced, but still need to be contracted.\n p224_felem_to_generic(&r->X, x1);\n p224_felem_to_generic(&r->Y, y1);\n p224_felem_to_generic(&r->Z, z1);\n}\n\nstatic void ec_GFp_nistp224_dbl(const EC_GROUP *group, EC_JACOBIAN *r,\n const EC_JACOBIAN *a) {\n p224_felem x, y, z;\n p224_generic_to_felem(x, &a->X);\n p224_generic_to_felem(y, &a->Y);\n p224_generic_to_felem(z, &a->Z);\n p224_point_double(x, y, z, x, y, z);\n // The outputs are already reduced, but still need to be contracted.\n p224_felem_to_generic(&r->X, x);\n p224_felem_to_generic(&r->Y, y);\n p224_felem_to_generic(&r->Z, z);\n}\n\nstatic void ec_GFp_nistp224_make_precomp(p224_felem out[17][3],\n const EC_JACOBIAN *p) {\n OPENSSL_memset(out[0], 0, sizeof(p224_felem) * 3);\n\n p224_generic_to_felem(out[1][0], &p->X);\n p224_generic_to_felem(out[1][1], &p->Y);\n p224_generic_to_felem(out[1][2], &p->Z);\n\n for (size_t j = 2; j <= 16; ++j) {\n if (j & 1) {\n p224_point_add(out[j][0], out[j][1], out[j][2], out[1][0], out[1][1],\n out[1][2], 0, out[j - 1][0], out[j - 1][1], out[j - 1][2]);\n } else {\n p224_point_double(out[j][0], out[j][1], out[j][2], out[j / 2][0],\n out[j / 2][1], out[j / 2][2]);\n }\n }\n}\n\nstatic void ec_GFp_nistp224_point_mul(const EC_GROUP *group, EC_JACOBIAN *r,\n const EC_JACOBIAN *p,\n const EC_SCALAR *scalar) {\n p224_felem p_pre_comp[17][3];\n ec_GFp_nistp224_make_precomp(p_pre_comp, p);\n\n // Set nq to the point at infinity.\n p224_felem nq[3], tmp[4];\n OPENSSL_memset(nq, 0, 3 * sizeof(p224_felem));\n\n int skip = 1; // Save two point operations in the first round.\n for (size_t i = 220; i < 221; i--) {\n if (!skip) {\n p224_point_double(nq[0], nq[1], nq[2], nq[0], nq[1], nq[2]);\n }\n\n // Add every 5 doublings.\n if (i % 5 == 0) {\n crypto_word_t bits = p224_get_bit(scalar, i + 4) << 5;\n bits |= p224_get_bit(scalar, i + 3) << 4;\n bits |= p224_get_bit(scalar, i + 2) << 3;\n bits |= p224_get_bit(scalar, i + 1) << 2;\n bits |= p224_get_bit(scalar, i) << 1;\n bits |= p224_get_bit(scalar, i - 1);\n crypto_word_t sign, digit;\n ec_GFp_nistp_recode_scalar_bits(&sign, &digit, bits);\n\n // Select the point to add or subtract.\n p224_select_point(digit, 17, (const p224_felem(*)[3])p_pre_comp, tmp);\n p224_felem_neg(tmp[3], tmp[1]); // (X, -Y, Z) is the negative point\n p224_copy_conditional(tmp[1], tmp[3], sign);\n\n if (!skip) {\n p224_point_add(nq[0], nq[1], nq[2], nq[0], nq[1], nq[2], 0 /* mixed */,\n tmp[0], tmp[1], tmp[2]);\n } else {\n OPENSSL_memcpy(nq, tmp, 3 * sizeof(p224_felem));\n skip = 0;\n }\n }\n }\n\n // Reduce the output to its unique minimal representation.\n p224_felem_to_generic(&r->X, nq[0]);\n p224_felem_to_generic(&r->Y, nq[1]);\n p224_felem_to_generic(&r->Z, nq[2]);\n}\n\nstatic void ec_GFp_nistp224_point_mul_base(const EC_GROUP *group,\n EC_JACOBIAN *r,\n const EC_SCALAR *scalar) {\n // Set nq to the point at infinity.\n p224_felem nq[3], tmp[3];\n OPENSSL_memset(nq, 0, 3 * sizeof(p224_felem));\n\n int skip = 1; // Save two point operations in the first round.\n for (size_t i = 27; i < 28; i--) {\n // double\n if (!skip) {\n p224_point_double(nq[0], nq[1], nq[2], nq[0], nq[1], nq[2]);\n }\n\n // First, look 28 bits upwards.\n crypto_word_t bits = p224_get_bit(scalar, i + 196) << 3;\n bits |= p224_get_bit(scalar, i + 140) << 2;\n bits |= p224_get_bit(scalar, i + 84) << 1;\n bits |= p224_get_bit(scalar, i + 28);\n // Select the point to add, in constant time.\n p224_select_point(bits, 16, g_p224_pre_comp[1], tmp);\n\n if (!skip) {\n p224_point_add(nq[0], nq[1], nq[2], nq[0], nq[1], nq[2], 1 /* mixed */,\n tmp[0], tmp[1], tmp[2]);\n } else {\n OPENSSL_memcpy(nq, tmp, 3 * sizeof(p224_felem));\n skip = 0;\n }\n\n // Second, look at the current position/\n bits = p224_get_bit(scalar, i + 168) << 3;\n bits |= p224_get_bit(scalar, i + 112) << 2;\n bits |= p224_get_bit(scalar, i + 56) << 1;\n bits |= p224_get_bit(scalar, i);\n // Select the point to add, in constant time.\n p224_select_point(bits, 16, g_p224_pre_comp[0], tmp);\n p224_point_add(nq[0], nq[1], nq[2], nq[0], nq[1], nq[2], 1 /* mixed */,\n tmp[0], tmp[1], tmp[2]);\n }\n\n // Reduce the output to its unique minimal representation.\n p224_felem_to_generic(&r->X, nq[0]);\n p224_felem_to_generic(&r->Y, nq[1]);\n p224_felem_to_generic(&r->Z, nq[2]);\n}\n\nstatic void ec_GFp_nistp224_point_mul_public(const EC_GROUP *group,\n EC_JACOBIAN *r,\n const EC_SCALAR *g_scalar,\n const EC_JACOBIAN *p,\n const EC_SCALAR *p_scalar) {\n // TODO(davidben): If P-224 ECDSA verify performance ever matters, using\n // |ec_compute_wNAF| for |p_scalar| would likely be an easy improvement.\n p224_felem p_pre_comp[17][3];\n ec_GFp_nistp224_make_precomp(p_pre_comp, p);\n\n // Set nq to the point at infinity.\n p224_felem nq[3], tmp[3];\n OPENSSL_memset(nq, 0, 3 * sizeof(p224_felem));\n\n // Loop over both scalars msb-to-lsb, interleaving additions of multiples of\n // the generator (two in each of the last 28 rounds) and additions of p (every\n // 5th round).\n int skip = 1; // Save two point operations in the first round.\n for (size_t i = 220; i < 221; i--) {\n if (!skip) {\n p224_point_double(nq[0], nq[1], nq[2], nq[0], nq[1], nq[2]);\n }\n\n // Add multiples of the generator.\n if (i <= 27) {\n // First, look 28 bits upwards.\n crypto_word_t bits = p224_get_bit(g_scalar, i + 196) << 3;\n bits |= p224_get_bit(g_scalar, i + 140) << 2;\n bits |= p224_get_bit(g_scalar, i + 84) << 1;\n bits |= p224_get_bit(g_scalar, i + 28);\n\n size_t index = (size_t)bits;\n p224_point_add(nq[0], nq[1], nq[2], nq[0], nq[1], nq[2], 1 /* mixed */,\n g_p224_pre_comp[1][index][0], g_p224_pre_comp[1][index][1],\n g_p224_pre_comp[1][index][2]);\n assert(!skip);\n\n // Second, look at the current position.\n bits = p224_get_bit(g_scalar, i + 168) << 3;\n bits |= p224_get_bit(g_scalar, i + 112) << 2;\n bits |= p224_get_bit(g_scalar, i + 56) << 1;\n bits |= p224_get_bit(g_scalar, i);\n index = (size_t)bits;\n p224_point_add(nq[0], nq[1], nq[2], nq[0], nq[1], nq[2], 1 /* mixed */,\n g_p224_pre_comp[0][index][0], g_p224_pre_comp[0][index][1],\n g_p224_pre_comp[0][index][2]);\n }\n\n // Incorporate |p_scalar| every 5 doublings.\n if (i % 5 == 0) {\n crypto_word_t bits = p224_get_bit(p_scalar, i + 4) << 5;\n bits |= p224_get_bit(p_scalar, i + 3) << 4;\n bits |= p224_get_bit(p_scalar, i + 2) << 3;\n bits |= p224_get_bit(p_scalar, i + 1) << 2;\n bits |= p224_get_bit(p_scalar, i) << 1;\n bits |= p224_get_bit(p_scalar, i - 1);\n crypto_word_t sign, digit;\n ec_GFp_nistp_recode_scalar_bits(&sign, &digit, bits);\n\n // Select the point to add or subtract.\n OPENSSL_memcpy(tmp, p_pre_comp[digit], 3 * sizeof(p224_felem));\n if (sign) {\n p224_felem_neg(tmp[1], tmp[1]); // (X, -Y, Z) is the negative point\n }\n\n if (!skip) {\n p224_point_add(nq[0], nq[1], nq[2], nq[0], nq[1], nq[2], 0 /* mixed */,\n tmp[0], tmp[1], tmp[2]);\n } else {\n OPENSSL_memcpy(nq, tmp, 3 * sizeof(p224_felem));\n skip = 0;\n }\n }\n }\n\n // Reduce the output to its unique minimal representation.\n p224_felem_to_generic(&r->X, nq[0]);\n p224_felem_to_generic(&r->Y, nq[1]);\n p224_felem_to_generic(&r->Z, nq[2]);\n}\n\nstatic void ec_GFp_nistp224_felem_mul(const EC_GROUP *group, EC_FELEM *r,\n const EC_FELEM *a, const EC_FELEM *b) {\n p224_felem felem1, felem2;\n p224_widefelem wide;\n p224_generic_to_felem(felem1, a);\n p224_generic_to_felem(felem2, b);\n p224_felem_mul(wide, felem1, felem2);\n p224_felem_reduce(felem1, wide);\n p224_felem_to_generic(r, felem1);\n}\n\nstatic void ec_GFp_nistp224_felem_sqr(const EC_GROUP *group, EC_FELEM *r,\n const EC_FELEM *a) {\n p224_felem felem;\n p224_generic_to_felem(felem, a);\n p224_widefelem wide;\n p224_felem_square(wide, felem);\n p224_felem_reduce(felem, wide);\n p224_felem_to_generic(r, felem);\n}\n\nDEFINE_METHOD_FUNCTION(EC_METHOD, EC_GFp_nistp224_method) {\n out->point_get_affine_coordinates =\n ec_GFp_nistp224_point_get_affine_coordinates;\n out->add = ec_GFp_nistp224_add;\n out->dbl = ec_GFp_nistp224_dbl;\n out->mul = ec_GFp_nistp224_point_mul;\n out->mul_base = ec_GFp_nistp224_point_mul_base;\n out->mul_public = ec_GFp_nistp224_point_mul_public;\n out->felem_mul = ec_GFp_nistp224_felem_mul;\n out->felem_sqr = ec_GFp_nistp224_felem_sqr;\n out->felem_to_bytes = ec_GFp_simple_felem_to_bytes;\n out->felem_from_bytes = ec_GFp_simple_felem_from_bytes;\n out->scalar_inv0_montgomery = ec_simple_scalar_inv0_montgomery;\n out->scalar_to_montgomery_inv_vartime =\n ec_simple_scalar_to_montgomery_inv_vartime;\n out->cmp_x_coordinate = ec_GFp_simple_cmp_x_coordinate;\n}\n\n#endif // BORINGSSL_HAS_UINT128 && !SMALL\n" }, { "path": "Sources/CNIOBoringSSL/crypto/fipsmodule/ec/p256-nistz-table.h", "content": "/*\n * Copyright 2014-2016 The OpenSSL Project Authors. All Rights Reserved.\n * Copyright (c) 2015, Intel Inc.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n// This is the precomputed constant time access table for the code in\n// p256-nistz.c, for the default generator. The table consists of 37\n// subtables, each subtable contains 64 affine points. The affine points are\n// encoded as eight uint64's, four for the x coordinate and four for the y.\n// Both values are in little-endian order. There are 37 tables because a\n// signed, 6-bit wNAF form of the scalar is used and ceil(256/(6 + 1)) = 37.\n// Within each table there are 64 values because the 6-bit wNAF value can take\n// 64 values, ignoring the sign bit, which is implemented by performing a\n// negation of the affine point when required. We would like to align it to 2MB\n// in order to increase the chances of using a large page but that appears to\n// lead to invalid ELF files being produced.\n\n// This file is generated by make_tables.go.\n\nalignas(4096) static const PRECOMP256_ROW ecp_nistz256_precomputed[37] = {\n {{{TOBN(0x79e730d4, 0x18a9143c), TOBN(0x75ba95fc, 0x5fedb601),\n TOBN(0x79fb732b, 0x77622510), TOBN(0x18905f76, 0xa53755c6)},\n {TOBN(0xddf25357, 0xce95560a), TOBN(0x8b4ab8e4, 0xba19e45c),\n TOBN(0xd2e88688, 0xdd21f325), TOBN(0x8571ff18, 0x25885d85)}},\n {{TOBN(0x850046d4, 0x10ddd64d), TOBN(0xaa6ae3c1, 0xa433827d),\n TOBN(0x73220503, 0x8d1490d9), TOBN(0xf6bb32e4, 0x3dcf3a3b)},\n {TOBN(0x2f3648d3, 0x61bee1a5), TOBN(0x152cd7cb, 0xeb236ff8),\n TOBN(0x19a8fb0e, 0x92042dbe), TOBN(0x78c57751, 0x0a5b8a3b)}},\n {{TOBN(0xffac3f90, 0x4eebc127), TOBN(0xb027f84a, 0x087d81fb),\n TOBN(0x66ad77dd, 0x87cbbc98), TOBN(0x26936a3f, 0xb6ff747e)},\n {TOBN(0xb04c5c1f, 0xc983a7eb), TOBN(0x583e47ad, 0x0861fe1a),\n TOBN(0x78820831, 0x1a2ee98e), TOBN(0xd5f06a29, 0xe587cc07)}},\n {{TOBN(0x74b0b50d, 0x46918dcc), TOBN(0x4650a6ed, 0xc623c173),\n TOBN(0x0cdaacac, 0xe8100af2), TOBN(0x577362f5, 0x41b0176b)},\n {TOBN(0x2d96f24c, 0xe4cbaba6), TOBN(0x17628471, 0xfad6f447),\n TOBN(0x6b6c36de, 0xe5ddd22e), TOBN(0x84b14c39, 0x4c5ab863)}},\n {{TOBN(0xbe1b8aae, 0xc45c61f5), TOBN(0x90ec649a, 0x94b9537d),\n TOBN(0x941cb5aa, 0xd076c20c), TOBN(0xc9079605, 0x890523c8)},\n {TOBN(0xeb309b4a, 0xe7ba4f10), TOBN(0x73c568ef, 0xe5eb882b),\n TOBN(0x3540a987, 0x7e7a1f68), TOBN(0x73a076bb, 0x2dd1e916)}},\n {{TOBN(0x40394737, 0x3e77664a), TOBN(0x55ae744f, 0x346cee3e),\n TOBN(0xd50a961a, 0x5b17a3ad), TOBN(0x13074b59, 0x54213673)},\n {TOBN(0x93d36220, 0xd377e44b), TOBN(0x299c2b53, 0xadff14b5),\n TOBN(0xf424d44c, 0xef639f11), TOBN(0xa4c9916d, 0x4a07f75f)}},\n {{TOBN(0x0746354e, 0xa0173b4f), TOBN(0x2bd20213, 0xd23c00f7),\n TOBN(0xf43eaab5, 0x0c23bb08), TOBN(0x13ba5119, 0xc3123e03)},\n {TOBN(0x2847d030, 0x3f5b9d4d), TOBN(0x6742f2f2, 0x5da67bdd),\n TOBN(0xef933bdc, 0x77c94195), TOBN(0xeaedd915, 0x6e240867)}},\n {{TOBN(0x27f14cd1, 0x9499a78f), TOBN(0x462ab5c5, 0x6f9b3455),\n TOBN(0x8f90f02a, 0xf02cfc6b), TOBN(0xb763891e, 0xb265230d)},\n {TOBN(0xf59da3a9, 0x532d4977), TOBN(0x21e3327d, 0xcf9eba15),\n TOBN(0x123c7b84, 0xbe60bbf0), TOBN(0x56ec12f2, 0x7706df76)}},\n {{TOBN(0x75c96e8f, 0x264e20e8), TOBN(0xabe6bfed, 0x59a7a841),\n TOBN(0x2cc09c04, 0x44c8eb00), TOBN(0xe05b3080, 0xf0c4e16b)},\n {TOBN(0x1eb7777a, 0xa45f3314), TOBN(0x56af7bed, 0xce5d45e3),\n TOBN(0x2b6e019a, 0x88b12f1a), TOBN(0x086659cd, 0xfd835f9b)}},\n {{TOBN(0x2c18dbd1, 0x9dc21ec8), TOBN(0x98f9868a, 0x0fcf8139),\n TOBN(0x737d2cd6, 0x48250b49), TOBN(0xcc61c947, 0x24b3428f)},\n {TOBN(0x0c2b4078, 0x80dd9e76), TOBN(0xc43a8991, 0x383fbe08),\n TOBN(0x5f7d2d65, 0x779be5d2), TOBN(0x78719a54, 0xeb3b4ab5)}},\n {{TOBN(0xea7d260a, 0x6245e404), TOBN(0x9de40795, 0x6e7fdfe0),\n TOBN(0x1ff3a415, 0x8dac1ab5), TOBN(0x3e7090f1, 0x649c9073)},\n {TOBN(0x1a768561, 0x2b944e88), TOBN(0x250f939e, 0xe57f61c8),\n TOBN(0x0c0daa89, 0x1ead643d), TOBN(0x68930023, 0xe125b88e)}},\n {{TOBN(0x04b71aa7, 0xd2697768), TOBN(0xabdedef5, 0xca345a33),\n TOBN(0x2409d29d, 0xee37385e), TOBN(0x4ee1df77, 0xcb83e156)},\n {TOBN(0x0cac12d9, 0x1cbb5b43), TOBN(0x170ed2f6, 0xca895637),\n TOBN(0x28228cfa, 0x8ade6d66), TOBN(0x7ff57c95, 0x53238aca)}},\n {{TOBN(0xccc42563, 0x4b2ed709), TOBN(0x0e356769, 0x856fd30d),\n TOBN(0xbcbcd43f, 0x559e9811), TOBN(0x738477ac, 0x5395b759)},\n {TOBN(0x35752b90, 0xc00ee17f), TOBN(0x68748390, 0x742ed2e3),\n TOBN(0x7cd06422, 0xbd1f5bc1), TOBN(0xfbc08769, 0xc9e7b797)}},\n {{TOBN(0xa242a35b, 0xb0cf664a), TOBN(0x126e48f7, 0x7f9707e3),\n TOBN(0x1717bf54, 0xc6832660), TOBN(0xfaae7332, 0xfd12c72e)},\n {TOBN(0x27b52db7, 0x995d586b), TOBN(0xbe29569e, 0x832237c2),\n TOBN(0xe8e4193e, 0x2a65e7db), TOBN(0x152706dc, 0x2eaa1bbb)}},\n {{TOBN(0x72bcd8b7, 0xbc60055b), TOBN(0x03cc23ee, 0x56e27e4b),\n TOBN(0xee337424, 0xe4819370), TOBN(0xe2aa0e43, 0x0ad3da09)},\n {TOBN(0x40b8524f, 0x6383c45d), TOBN(0xd7663554, 0x42a41b25),\n TOBN(0x64efa6de, 0x778a4797), TOBN(0x2042170a, 0x7079adf4)}},\n {{TOBN(0x808b0b65, 0x0bc6fb80), TOBN(0x5882e075, 0x3ffe2e6b),\n TOBN(0xd5ef2f7c, 0x2c83f549), TOBN(0x54d63c80, 0x9103b723)},\n {TOBN(0xf2f11bd6, 0x52a23f9b), TOBN(0x3670c319, 0x4b0b6587),\n TOBN(0x55c4623b, 0xb1580e9e), TOBN(0x64edf7b2, 0x01efe220)}},\n {{TOBN(0x97091dcb, 0xd53c5c9d), TOBN(0xf17624b6, 0xac0a177b),\n TOBN(0xb0f13975, 0x2cfe2dff), TOBN(0xc1a35c0a, 0x6c7a574e)},\n {TOBN(0x227d3146, 0x93e79987), TOBN(0x0575bf30, 0xe89cb80e),\n TOBN(0x2f4e247f, 0x0d1883bb), TOBN(0xebd51226, 0x3274c3d0)}},\n {{TOBN(0x5f3e51c8, 0x56ada97a), TOBN(0x4afc964d, 0x8f8b403e),\n TOBN(0xa6f247ab, 0x412e2979), TOBN(0x675abd1b, 0x6f80ebda)},\n {TOBN(0x66a2bd72, 0x5e485a1d), TOBN(0x4b2a5caf, 0x8f4f0b3c),\n TOBN(0x2626927f, 0x1b847bba), TOBN(0x6c6fc7d9, 0x0502394d)}},\n {{TOBN(0xfea912ba, 0xa5659ae8), TOBN(0x68363aba, 0x25e1a16e),\n TOBN(0xb8842277, 0x752c41ac), TOBN(0xfe545c28, 0x2897c3fc)},\n {TOBN(0x2d36e9e7, 0xdc4c696b), TOBN(0x5806244a, 0xfba977c5),\n TOBN(0x85665e9b, 0xe39508c1), TOBN(0xf720ee25, 0x6d12597b)}},\n {{TOBN(0x8a979129, 0xd2337a31), TOBN(0x5916868f, 0x0f862bdc),\n TOBN(0x048099d9, 0x5dd283ba), TOBN(0xe2d1eeb6, 0xfe5bfb4e)},\n {TOBN(0x82ef1c41, 0x7884005d), TOBN(0xa2d4ec17, 0xffffcbae),\n TOBN(0x9161c53f, 0x8aa95e66), TOBN(0x5ee104e1, 0xc5fee0d0)}},\n {{TOBN(0x562e4cec, 0xc135b208), TOBN(0x74e1b265, 0x4783f47d),\n TOBN(0x6d2a506c, 0x5a3f3b30), TOBN(0xecead9f4, 0xc16762fc)},\n {TOBN(0xf29dd4b2, 0xe286e5b9), TOBN(0x1b0fadc0, 0x83bb3c61),\n TOBN(0x7a75023e, 0x7fac29a4), TOBN(0xc086d5f1, 0xc9477fa3)}},\n {{TOBN(0x0fc61135, 0x2f6f3076), TOBN(0xc99ffa23, 0xe3912a9a),\n TOBN(0x6a0b0685, 0xd2f8ba3d), TOBN(0xfdc777e8, 0xe93358a4)},\n {TOBN(0x94a787bb, 0x35415f04), TOBN(0x640c2d6a, 0x4d23fea4),\n TOBN(0x9de917da, 0x153a35b5), TOBN(0x793e8d07, 0x5d5cd074)}},\n {{TOBN(0xf4f87653, 0x2de45068), TOBN(0x37c7a7e8, 0x9e2e1f6e),\n TOBN(0xd0825fa2, 0xa3584069), TOBN(0xaf2cea7c, 0x1727bf42)},\n {TOBN(0x0360a4fb, 0x9e4785a9), TOBN(0xe5fda49c, 0x27299f4a),\n TOBN(0x48068e13, 0x71ac2f71), TOBN(0x83d0687b, 0x9077666f)}},\n {{TOBN(0x6d3883b2, 0x15d02819), TOBN(0x6d0d7550, 0x40dd9a35),\n TOBN(0x61d7cbf9, 0x1d2b469f), TOBN(0xf97b232f, 0x2efc3115)},\n {TOBN(0xa551d750, 0xb24bcbc7), TOBN(0x11ea4949, 0x88a1e356),\n TOBN(0x7669f031, 0x93cb7501), TOBN(0x595dc55e, 0xca737b8a)}},\n {{TOBN(0xa4a319ac, 0xd837879f), TOBN(0x6fc1b49e, 0xed6b67b0),\n TOBN(0xe3959933, 0x32f1f3af), TOBN(0x966742eb, 0x65432a2e)},\n {TOBN(0x4b8dc9fe, 0xb4966228), TOBN(0x96cc6312, 0x43f43950),\n TOBN(0x12068859, 0xc9b731ee), TOBN(0x7b948dc3, 0x56f79968)}},\n {{TOBN(0x61e4ad32, 0xed1f8008), TOBN(0xe6c9267a, 0xd8b17538),\n TOBN(0x1ac7c5eb, 0x857ff6fb), TOBN(0x994baaa8, 0x55f2fb10)},\n {TOBN(0x84cf14e1, 0x1d248018), TOBN(0x5a39898b, 0x628ac508),\n TOBN(0x14fde97b, 0x5fa944f5), TOBN(0xed178030, 0xd12e5ac7)}},\n {{TOBN(0x042c2af4, 0x97e2feb4), TOBN(0xd36a42d7, 0xaebf7313),\n TOBN(0x49d2c9eb, 0x084ffdd7), TOBN(0x9f8aa54b, 0x2ef7c76a)},\n {TOBN(0x9200b7ba, 0x09895e70), TOBN(0x3bd0c66f, 0xddb7fb58),\n TOBN(0x2d97d108, 0x78eb4cbb), TOBN(0x2d431068, 0xd84bde31)}},\n {{TOBN(0x4b523eb7, 0x172ccd1f), TOBN(0x7323cb28, 0x30a6a892),\n TOBN(0x97082ec0, 0xcfe153eb), TOBN(0xe97f6b6a, 0xf2aadb97)},\n {TOBN(0x1d3d393e, 0xd1a83da1), TOBN(0xa6a7f9c7, 0x804b2a68),\n TOBN(0x4a688b48, 0x2d0cb71e), TOBN(0xa9b4cc5f, 0x40585278)}},\n {{TOBN(0x5e5db46a, 0xcb66e132), TOBN(0xf1be963a, 0x0d925880),\n TOBN(0x944a7027, 0x0317b9e2), TOBN(0xe266f959, 0x48603d48)},\n {TOBN(0x98db6673, 0x5c208899), TOBN(0x90472447, 0xa2fb18a3),\n TOBN(0x8a966939, 0x777c619f), TOBN(0x3798142a, 0x2a3be21b)}},\n {{TOBN(0xb4241cb1, 0x3298b343), TOBN(0xa3a14e49, 0xb44f65a1),\n TOBN(0xc5f4d6cd, 0x3ac77acd), TOBN(0xd0288cb5, 0x52b6fc3c)},\n {TOBN(0xd5cc8c2f, 0x1c040abc), TOBN(0xb675511e, 0x06bf9b4a),\n TOBN(0xd667da37, 0x9b3aa441), TOBN(0x460d45ce, 0x51601f72)}},\n {{TOBN(0xe2f73c69, 0x6755ff89), TOBN(0xdd3cf7e7, 0x473017e6),\n TOBN(0x8ef5689d, 0x3cf7600d), TOBN(0x948dc4f8, 0xb1fc87b4)},\n {TOBN(0xd9e9fe81, 0x4ea53299), TOBN(0x2d921ca2, 0x98eb6028),\n TOBN(0xfaecedfd, 0x0c9803fc), TOBN(0xf38ae891, 0x4d7b4745)}},\n {{TOBN(0xd8c5fccf, 0xc5e3a3d8), TOBN(0xbefd904c, 0x4079dfbf),\n TOBN(0xbc6d6a58, 0xfead0197), TOBN(0x39227077, 0x695532a4)},\n {TOBN(0x09e23e6d, 0xdbef42f5), TOBN(0x7e449b64, 0x480a9908),\n TOBN(0x7b969c1a, 0xad9a2e40), TOBN(0x6231d792, 0x9591c2a4)}},\n {{TOBN(0x87151456, 0x0f664534), TOBN(0x85ceae7c, 0x4b68f103),\n TOBN(0xac09c4ae, 0x65578ab9), TOBN(0x33ec6868, 0xf044b10c)},\n {TOBN(0x6ac4832b, 0x3a8ec1f1), TOBN(0x5509d128, 0x5847d5ef),\n TOBN(0xf909604f, 0x763f1574), TOBN(0xb16c4303, 0xc32f63c4)}},\n {{TOBN(0xb6ab2014, 0x7ca23cd3), TOBN(0xcaa7a5c6, 0xa391849d),\n TOBN(0x5b0673a3, 0x75678d94), TOBN(0xc982ddd4, 0xdd303e64)},\n {TOBN(0xfd7b000b, 0x5db6f971), TOBN(0xbba2cb1f, 0x6f876f92),\n TOBN(0xc77332a3, 0x3c569426), TOBN(0xa159100c, 0x570d74f8)}},\n {{TOBN(0xfd16847f, 0xdec67ef5), TOBN(0x742ee464, 0x233e76b7),\n TOBN(0x0b8e4134, 0xefc2b4c8), TOBN(0xca640b86, 0x42a3e521)},\n {TOBN(0x653a0190, 0x8ceb6aa9), TOBN(0x313c300c, 0x547852d5),\n TOBN(0x24e4ab12, 0x6b237af7), TOBN(0x2ba90162, 0x8bb47af8)}},\n {{TOBN(0x3d5e58d6, 0xa8219bb7), TOBN(0xc691d0bd, 0x1b06c57f),\n TOBN(0x0ae4cb10, 0xd257576e), TOBN(0x3569656c, 0xd54a3dc3)},\n {TOBN(0xe5ebaebd, 0x94cda03a), TOBN(0x934e82d3, 0x162bfe13),\n TOBN(0x450ac0ba, 0xe251a0c6), TOBN(0x480b9e11, 0xdd6da526)}},\n {{TOBN(0x00467bc5, 0x8cce08b5), TOBN(0xb636458c, 0x7f178d55),\n TOBN(0xc5748bae, 0xa677d806), TOBN(0x2763a387, 0xdfa394eb)},\n {TOBN(0xa12b448a, 0x7d3cebb6), TOBN(0xe7adda3e, 0x6f20d850),\n TOBN(0xf63ebce5, 0x1558462c), TOBN(0x58b36143, 0x620088a8)}},\n {{TOBN(0x8a2cc3ca, 0x4d63c0ee), TOBN(0x51233117, 0x0fe948ce),\n TOBN(0x7463fd85, 0x222ef33b), TOBN(0xadf0c7dc, 0x7c603d6c)},\n {TOBN(0x0ec32d3b, 0xfe7765e5), TOBN(0xccaab359, 0xbf380409),\n TOBN(0xbdaa84d6, 0x8e59319c), TOBN(0xd9a4c280, 0x9c80c34d)}},\n {{TOBN(0xa9d89488, 0xa059c142), TOBN(0x6f5ae714, 0xff0b9346),\n TOBN(0x068f237d, 0x16fb3664), TOBN(0x5853e4c4, 0x363186ac)},\n {TOBN(0xe2d87d23, 0x63c52f98), TOBN(0x2ec4a766, 0x81828876),\n TOBN(0x47b864fa, 0xe14e7b1c), TOBN(0x0c0bc0e5, 0x69192408)}},\n {{TOBN(0xe4d7681d, 0xb82e9f3e), TOBN(0x83200f0b, 0xdf25e13c),\n TOBN(0x8909984c, 0x66f27280), TOBN(0x462d7b00, 0x75f73227)},\n {TOBN(0xd90ba188, 0xf2651798), TOBN(0x74c6e18c, 0x36ab1c34),\n TOBN(0xab256ea3, 0x5ef54359), TOBN(0x03466612, 0xd1aa702f)}},\n {{TOBN(0x624d6049, 0x2ed22e91), TOBN(0x6fdfe0b5, 0x6f072822),\n TOBN(0xeeca1115, 0x39ce2271), TOBN(0x98100a4f, 0xdb01614f)},\n {TOBN(0xb6b0daa2, 0xa35c628f), TOBN(0xb6f94d2e, 0xc87e9a47),\n TOBN(0xc6773259, 0x1d57d9ce), TOBN(0xf70bfeec, 0x03884a7b)}},\n {{TOBN(0x5fb35ccf, 0xed2bad01), TOBN(0xa155cbe3, 0x1da6a5c7),\n TOBN(0xc2e2594c, 0x30a92f8f), TOBN(0x649c89ce, 0x5bfafe43)},\n {TOBN(0xd158667d, 0xe9ff257a), TOBN(0x9b359611, 0xf32c50ae),\n TOBN(0x4b00b20b, 0x906014cf), TOBN(0xf3a8cfe3, 0x89bc7d3d)}},\n {{TOBN(0x4ff23ffd, 0x248a7d06), TOBN(0x80c5bfb4, 0x878873fa),\n TOBN(0xb7d9ad90, 0x05745981), TOBN(0x179c85db, 0x3db01994)},\n {TOBN(0xba41b062, 0x61a6966c), TOBN(0x4d82d052, 0xeadce5a8),\n TOBN(0x9e91cd3b, 0xa5e6a318), TOBN(0x47795f4f, 0x95b2dda0)}},\n {{TOBN(0xecfd7c1f, 0xd55a897c), TOBN(0x009194ab, 0xb29110fb),\n TOBN(0x5f0e2046, 0xe381d3b0), TOBN(0x5f3425f6, 0xa98dd291)},\n {TOBN(0xbfa06687, 0x730d50da), TOBN(0x0423446c, 0x4b083b7f),\n TOBN(0x397a247d, 0xd69d3417), TOBN(0xeb629f90, 0x387ba42a)}},\n {{TOBN(0x1ee426cc, 0xd5cd79bf), TOBN(0x0032940b, 0x946c6e18),\n TOBN(0x1b1e8ae0, 0x57477f58), TOBN(0xe94f7d34, 0x6d823278)},\n {TOBN(0xc747cb96, 0x782ba21a), TOBN(0xc5254469, 0xf72b33a5),\n TOBN(0x772ef6de, 0xc7f80c81), TOBN(0xd73acbfe, 0x2cd9e6b5)}},\n {{TOBN(0x4075b5b1, 0x49ee90d9), TOBN(0x785c339a, 0xa06e9eba),\n TOBN(0xa1030d5b, 0xabf825e0), TOBN(0xcec684c3, 0xa42931dc)},\n {TOBN(0x42ab62c9, 0xc1586e63), TOBN(0x45431d66, 0x5ab43f2b),\n TOBN(0x57c8b2c0, 0x55f7835d), TOBN(0x033da338, 0xc1b7f865)}},\n {{TOBN(0x283c7513, 0xcaa76097), TOBN(0x0a624fa9, 0x36c83906),\n TOBN(0x6b20afec, 0x715af2c7), TOBN(0x4b969974, 0xeba78bfd)},\n {TOBN(0x220755cc, 0xd921d60e), TOBN(0x9b944e10, 0x7baeca13),\n TOBN(0x04819d51, 0x5ded93d4), TOBN(0x9bbff86e, 0x6dddfd27)}},\n {{TOBN(0x6b344130, 0x77adc612), TOBN(0xa7496529, 0xbbd803a0),\n TOBN(0x1a1baaa7, 0x6d8805bd), TOBN(0xc8403902, 0x470343ad)},\n {TOBN(0x39f59f66, 0x175adff1), TOBN(0x0b26d7fb, 0xb7d8c5b7),\n TOBN(0xa875f5ce, 0x529d75e3), TOBN(0x85efc7e9, 0x41325cc2)}},\n {{TOBN(0x21950b42, 0x1ff6acd3), TOBN(0xffe70484, 0x53dc6909),\n TOBN(0xff4cd0b2, 0x28766127), TOBN(0xabdbe608, 0x4fb7db2b)},\n {TOBN(0x837c9228, 0x5e1109e8), TOBN(0x26147d27, 0xf4645b5a),\n TOBN(0x4d78f592, 0xf7818ed8), TOBN(0xd394077e, 0xf247fa36)}},\n {{TOBN(0x0fb9c2d0, 0x488c171a), TOBN(0xa78bfbaa, 0x13685278),\n TOBN(0xedfbe268, 0xd5b1fa6a), TOBN(0x0dceb8db, 0x2b7eaba7)},\n {TOBN(0xbf9e8089, 0x9ae2b710), TOBN(0xefde7ae6, 0xa4449c96),\n TOBN(0x43b7716b, 0xcc143a46), TOBN(0xd7d34194, 0xc3628c13)}},\n {{TOBN(0x508cec1c, 0x3b3f64c9), TOBN(0xe20bc0ba, 0x1e5edf3f),\n TOBN(0xda1deb85, 0x2f4318d4), TOBN(0xd20ebe0d, 0x5c3fa443)},\n {TOBN(0x370b4ea7, 0x73241ea3), TOBN(0x61f1511c, 0x5e1a5f65),\n TOBN(0x99a5e23d, 0x82681c62), TOBN(0xd731e383, 0xa2f54c2d)}},\n {{TOBN(0x2692f36e, 0x83445904), TOBN(0x2e0ec469, 0xaf45f9c0),\n TOBN(0x905a3201, 0xc67528b7), TOBN(0x88f77f34, 0xd0e5e542)},\n {TOBN(0xf67a8d29, 0x5864687c), TOBN(0x23b92eae, 0x22df3562),\n TOBN(0x5c27014b, 0x9bbec39e), TOBN(0x7ef2f226, 0x9c0f0f8d)}},\n {{TOBN(0x97359638, 0x546c4d8d), TOBN(0x5f9c3fc4, 0x92f24679),\n TOBN(0x912e8bed, 0xa8c8acd9), TOBN(0xec3a318d, 0x306634b0)},\n {TOBN(0x80167f41, 0xc31cb264), TOBN(0x3db82f6f, 0x522113f2),\n TOBN(0xb155bcd2, 0xdcafe197), TOBN(0xfba1da59, 0x43465283)}},\n {{TOBN(0xa0425b8e, 0xb212cf53), TOBN(0x4f2e512e, 0xf8557c5f),\n TOBN(0xc1286ff9, 0x25c4d56c), TOBN(0xbb8a0fea, 0xee26c851)},\n {TOBN(0xc28f70d2, 0xe7d6107e), TOBN(0x7ee0c444, 0xe76265aa),\n TOBN(0x3df277a4, 0x1d1936b1), TOBN(0x1a556e3f, 0xea9595eb)}},\n {{TOBN(0x258bbbf9, 0xe7305683), TOBN(0x31eea5bf, 0x07ef5be6),\n TOBN(0x0deb0e4a, 0x46c814c1), TOBN(0x5cee8449, 0xa7b730dd)},\n {TOBN(0xeab495c5, 0xa0182bde), TOBN(0xee759f87, 0x9e27a6b4),\n TOBN(0xc2cf6a68, 0x80e518ca), TOBN(0x25e8013f, 0xf14cf3f4)}},\n {{TOBN(0x8fc44140, 0x7e8d7a14), TOBN(0xbb1ff3ca, 0x9556f36a),\n TOBN(0x6a844385, 0x14600044), TOBN(0xba3f0c4a, 0x7451ae63)},\n {TOBN(0xdfcac25b, 0x1f9af32a), TOBN(0x01e0db86, 0xb1f2214b),\n TOBN(0x4e9a5bc2, 0xa4b596ac), TOBN(0x83927681, 0x026c2c08)}},\n {{TOBN(0x3ec832e7, 0x7acaca28), TOBN(0x1bfeea57, 0xc7385b29),\n TOBN(0x068212e3, 0xfd1eaf38), TOBN(0xc1329830, 0x6acf8ccc)},\n {TOBN(0xb909f2db, 0x2aac9e59), TOBN(0x5748060d, 0xb661782a),\n TOBN(0xc5ab2632, 0xc79b7a01), TOBN(0xda44c6c6, 0x00017626)}},\n {{TOBN(0xf26c00e8, 0xa7ea82f0), TOBN(0x99cac80d, 0xe4299aaf),\n TOBN(0xd66fe3b6, 0x7ed78be1), TOBN(0x305f725f, 0x648d02cd)},\n {TOBN(0x33ed1bc4, 0x623fb21b), TOBN(0xfa70533e, 0x7a6319ad),\n TOBN(0x17ab562d, 0xbe5ffb3e), TOBN(0x06374994, 0x56674741)}},\n {{TOBN(0x69d44ed6, 0x5c46aa8e), TOBN(0x2100d5d3, 0xa8d063d1),\n TOBN(0xcb9727ea, 0xa2d17c36), TOBN(0x4c2bab1b, 0x8add53b7)},\n {TOBN(0xa084e90c, 0x15426704), TOBN(0x778afcd3, 0xa837ebea),\n TOBN(0x6651f701, 0x7ce477f8), TOBN(0xa0624998, 0x46fb7a8b)}},\n {{TOBN(0xdc1e6828, 0xed8a6e19), TOBN(0x33fc2336, 0x4189d9c7),\n TOBN(0x026f8fe2, 0x671c39bc), TOBN(0xd40c4ccd, 0xbc6f9915)},\n {TOBN(0xafa135bb, 0xf80e75ca), TOBN(0x12c651a0, 0x22adff2c),\n TOBN(0xc40a04bd, 0x4f51ad96), TOBN(0x04820109, 0xbbe4e832)}},\n {{TOBN(0x3667eb1a, 0x7f4c04cc), TOBN(0x59556621, 0xa9404f84),\n TOBN(0x71cdf653, 0x7eceb50a), TOBN(0x994a44a6, 0x9b8335fa)},\n {TOBN(0xd7faf819, 0xdbeb9b69), TOBN(0x473c5680, 0xeed4350d),\n TOBN(0xb6658466, 0xda44bba2), TOBN(0x0d1bc780, 0x872bdbf3)}},\n {{TOBN(0xe535f175, 0xa1962f91), TOBN(0x6ed7e061, 0xed58f5a7),\n TOBN(0x177aa4c0, 0x2089a233), TOBN(0x0dbcb03a, 0xe539b413)},\n {TOBN(0xe3dc424e, 0xbb32e38e), TOBN(0x6472e5ef, 0x6806701e),\n TOBN(0xdd47ff98, 0x814be9ee), TOBN(0x6b60cfff, 0x35ace009)}},\n {{TOBN(0xb8d3d931, 0x9ff91fe5), TOBN(0x039c4800, 0xf0518eed),\n TOBN(0x95c37632, 0x9182cb26), TOBN(0x0763a434, 0x82fc568d)},\n {TOBN(0x707c04d5, 0x383e76ba), TOBN(0xac98b930, 0x824e8197),\n TOBN(0x92bf7c8f, 0x91230de0), TOBN(0x90876a01, 0x40959b70)}},\n {{TOBN(0xdb6d96f3, 0x05968b80), TOBN(0x380a0913, 0x089f73b9),\n TOBN(0x7da70b83, 0xc2c61e01), TOBN(0x95fb8394, 0x569b38c7)},\n {TOBN(0x9a3c6512, 0x80edfe2f), TOBN(0x8f726bb9, 0x8faeaf82),\n TOBN(0x8010a4a0, 0x78424bf8), TOBN(0x29672044, 0x0e844970)}}},\n {{{TOBN(0x63c5cb81, 0x7a2ad62a), TOBN(0x7ef2b6b9, 0xac62ff54),\n TOBN(0x3749bba4, 0xb3ad9db5), TOBN(0xad311f2c, 0x46d5a617)},\n {TOBN(0xb77a8087, 0xc2ff3b6d), TOBN(0xb46feaf3, 0x367834ff),\n TOBN(0xf8aa266d, 0x75d6b138), TOBN(0xfa38d320, 0xec008188)}},\n {{TOBN(0x486d8ffa, 0x696946fc), TOBN(0x50fbc6d8, 0xb9cba56d),\n TOBN(0x7e3d423e, 0x90f35a15), TOBN(0x7c3da195, 0xc0dd962c)},\n {TOBN(0xe673fdb0, 0x3cfd5d8b), TOBN(0x0704b7c2, 0x889dfca5),\n TOBN(0xf6ce581f, 0xf52305aa), TOBN(0x399d49eb, 0x914d5e53)}},\n {{TOBN(0x380a496d, 0x6ec293cd), TOBN(0x733dbda7, 0x8e7051f5),\n TOBN(0x037e388d, 0xb849140a), TOBN(0xee4b32b0, 0x5946dbf6)},\n {TOBN(0xb1c4fda9, 0xcae368d1), TOBN(0x5001a7b0, 0xfdb0b2f3),\n TOBN(0x6df59374, 0x2e3ac46e), TOBN(0x4af675f2, 0x39b3e656)}},\n {{TOBN(0x44e38110, 0x39949296), TOBN(0x5b63827b, 0x361db1b5),\n TOBN(0x3e5323ed, 0x206eaff5), TOBN(0x942370d2, 0xc21f4290)},\n {TOBN(0xf2caaf2e, 0xe0d985a1), TOBN(0x192cc64b, 0x7239846d),\n TOBN(0x7c0b8f47, 0xae6312f8), TOBN(0x7dc61f91, 0x96620108)}},\n {{TOBN(0xb830fb5b, 0xc2da7de9), TOBN(0xd0e643df, 0x0ff8d3be),\n TOBN(0x31ee77ba, 0x188a9641), TOBN(0x4e8aa3aa, 0xbcf6d502)},\n {TOBN(0xf9fb6532, 0x9a49110f), TOBN(0xd18317f6, 0x2dd6b220),\n TOBN(0x7e3ced41, 0x52c3ea5a), TOBN(0x0d296a14, 0x7d579c4a)}},\n {{TOBN(0x35d6a53e, 0xed4c3717), TOBN(0x9f8240cf, 0x3d0ed2a3),\n TOBN(0x8c0d4d05, 0xe5543aa5), TOBN(0x45d5bbfb, 0xdd33b4b4)},\n {TOBN(0xfa04cc73, 0x137fd28e), TOBN(0x862ac6ef, 0xc73b3ffd),\n TOBN(0x403ff9f5, 0x31f51ef2), TOBN(0x34d5e0fc, 0xbc73f5a2)}},\n {{TOBN(0xf2526820, 0x08913f4f), TOBN(0xea20ed61, 0xeac93d95),\n TOBN(0x51ed38b4, 0x6ca6b26c), TOBN(0x8662dcbc, 0xea4327b0)},\n {TOBN(0x6daf295c, 0x725d2aaa), TOBN(0xbad2752f, 0x8e52dcda),\n TOBN(0x2210e721, 0x0b17dacc), TOBN(0xa37f7912, 0xd51e8232)}},\n {{TOBN(0x4f7081e1, 0x44cc3add), TOBN(0xd5ffa1d6, 0x87be82cf),\n TOBN(0x89890b6c, 0x0edd6472), TOBN(0xada26e1a, 0x3ed17863)},\n {TOBN(0x276f2715, 0x63483caa), TOBN(0xe6924cd9, 0x2f6077fd),\n TOBN(0x05a7fe98, 0x0a466e3c), TOBN(0xf1c794b0, 0xb1902d1f)}},\n {{TOBN(0xe5213688, 0x82a8042c), TOBN(0xd931cfaf, 0xcd278298),\n TOBN(0x069a0ae0, 0xf597a740), TOBN(0x0adbb3f3, 0xeb59107c)},\n {TOBN(0x983e951e, 0x5eaa8eb8), TOBN(0xe663a8b5, 0x11b48e78),\n TOBN(0x1631cc0d, 0x8a03f2c5), TOBN(0x7577c11e, 0x11e271e2)}},\n {{TOBN(0x33b2385c, 0x08369a90), TOBN(0x2990c59b, 0x190eb4f8),\n TOBN(0x819a6145, 0xc68eac80), TOBN(0x7a786d62, 0x2ec4a014)},\n {TOBN(0x33faadbe, 0x20ac3a8d), TOBN(0x31a21781, 0x5aba2d30),\n TOBN(0x209d2742, 0xdba4f565), TOBN(0xdb2ce9e3, 0x55aa0fbb)}},\n {{TOBN(0x8cef334b, 0x168984df), TOBN(0xe81dce17, 0x33879638),\n TOBN(0xf6e6949c, 0x263720f0), TOBN(0x5c56feaf, 0xf593cbec)},\n {TOBN(0x8bff5601, 0xfde58c84), TOBN(0x74e24117, 0x2eccb314),\n TOBN(0xbcf01b61, 0x4c9a8a78), TOBN(0xa233e35e, 0x544c9868)}},\n {{TOBN(0xb3156bf3, 0x8bd7aff1), TOBN(0x1b5ee4cb, 0x1d81b146),\n TOBN(0x7ba1ac41, 0xd628a915), TOBN(0x8f3a8f9c, 0xfd89699e)},\n {TOBN(0x7329b9c9, 0xa0748be7), TOBN(0x1d391c95, 0xa92e621f),\n TOBN(0xe51e6b21, 0x4d10a837), TOBN(0xd255f53a, 0x4947b435)}},\n {{TOBN(0x07669e04, 0xf1788ee3), TOBN(0xc14f27af, 0xa86938a2),\n TOBN(0x8b47a334, 0xe93a01c0), TOBN(0xff627438, 0xd9366808)},\n {TOBN(0x7a0985d8, 0xca2a5965), TOBN(0x3d9a5542, 0xd6e9b9b3),\n TOBN(0xc23eb80b, 0x4cf972e8), TOBN(0x5c1c33bb, 0x4fdf72fd)}},\n {{TOBN(0x0c4a58d4, 0x74a86108), TOBN(0xf8048a8f, 0xee4c5d90),\n TOBN(0xe3c7c924, 0xe86d4c80), TOBN(0x28c889de, 0x056a1e60)},\n {TOBN(0x57e2662e, 0xb214a040), TOBN(0xe8c48e98, 0x37e10347),\n TOBN(0x87742862, 0x80ac748a), TOBN(0xf1c24022, 0x186b06f2)}},\n {{TOBN(0xac2dd4c3, 0x5f74040a), TOBN(0x409aeb71, 0xfceac957),\n TOBN(0x4fbad782, 0x55c4ec23), TOBN(0xb359ed61, 0x8a7b76ec)},\n {TOBN(0x12744926, 0xed6f4a60), TOBN(0xe21e8d7f, 0x4b912de3),\n TOBN(0xe2575a59, 0xfc705a59), TOBN(0x72f1d4de, 0xed2dbc0e)}},\n {{TOBN(0x3d2b24b9, 0xeb7926b8), TOBN(0xbff88cb3, 0xcdbe5509),\n TOBN(0xd0f399af, 0xe4dd640b), TOBN(0x3c5fe130, 0x2f76ed45)},\n {TOBN(0x6f3562f4, 0x3764fb3d), TOBN(0x7b5af318, 0x3151b62d),\n TOBN(0xd5bd0bc7, 0xd79ce5f3), TOBN(0xfdaf6b20, 0xec66890f)}},\n {{TOBN(0x735c67ec, 0x6063540c), TOBN(0x50b259c2, 0xe5f9cb8f),\n TOBN(0xb8734f9a, 0x3f99c6ab), TOBN(0xf8cc13d5, 0xa3a7bc85)},\n {TOBN(0x80c1b305, 0xc5217659), TOBN(0xfe5364d4, 0x4ec12a54),\n TOBN(0xbd87045e, 0x681345fe), TOBN(0x7f8efeb1, 0x582f897f)}},\n {{TOBN(0xe8cbf1e5, 0xd5923359), TOBN(0xdb0cea9d, 0x539b9fb0),\n TOBN(0x0c5b34cf, 0x49859b98), TOBN(0x5e583c56, 0xa4403cc6)},\n {TOBN(0x11fc1a2d, 0xd48185b7), TOBN(0xc93fbc7e, 0x6e521787),\n TOBN(0x47e7a058, 0x05105b8b), TOBN(0x7b4d4d58, 0xdb8260c8)}},\n {{TOBN(0xe33930b0, 0x46eb842a), TOBN(0x8e844a9a, 0x7bdae56d),\n TOBN(0x34ef3a9e, 0x13f7fdfc), TOBN(0xb3768f82, 0x636ca176)},\n {TOBN(0x2821f4e0, 0x4e09e61c), TOBN(0x414dc3a1, 0xa0c7cddc),\n TOBN(0xd5379437, 0x54945fcd), TOBN(0x151b6eef, 0xb3555ff1)}},\n {{TOBN(0xb31bd613, 0x6339c083), TOBN(0x39ff8155, 0xdfb64701),\n TOBN(0x7c3388d2, 0xe29604ab), TOBN(0x1e19084b, 0xa6b10442)},\n {TOBN(0x17cf54c0, 0xeccd47ef), TOBN(0x89693385, 0x4a5dfb30),\n TOBN(0x69d023fb, 0x47daf9f6), TOBN(0x9222840b, 0x7d91d959)}},\n {{TOBN(0x439108f5, 0x803bac62), TOBN(0x0b7dd91d, 0x379bd45f),\n TOBN(0xd651e827, 0xca63c581), TOBN(0x5c5d75f6, 0x509c104f)},\n {TOBN(0x7d5fc738, 0x1f2dc308), TOBN(0x20faa7bf, 0xd98454be),\n TOBN(0x95374bee, 0xa517b031), TOBN(0xf036b9b1, 0x642692ac)}},\n {{TOBN(0xc5106109, 0x39842194), TOBN(0xb7e2353e, 0x49d05295),\n TOBN(0xfc8c1d5c, 0xefb42ee0), TOBN(0xe04884eb, 0x08ce811c)},\n {TOBN(0xf1f75d81, 0x7419f40e), TOBN(0x5b0ac162, 0xa995c241),\n TOBN(0x120921bb, 0xc4c55646), TOBN(0x713520c2, 0x8d33cf97)}},\n {{TOBN(0xb4a65a5c, 0xe98c5100), TOBN(0x6cec871d, 0x2ddd0f5a),\n TOBN(0x251f0b7f, 0x9ba2e78b), TOBN(0x224a8434, 0xce3a2a5f)},\n {TOBN(0x26827f61, 0x25f5c46f), TOBN(0x6a22bedc, 0x48545ec0),\n TOBN(0x25ae5fa0, 0xb1bb5cdc), TOBN(0xd693682f, 0xfcb9b98f)}},\n {{TOBN(0x32027fe8, 0x91e5d7d3), TOBN(0xf14b7d17, 0x73a07678),\n TOBN(0xf88497b3, 0xc0dfdd61), TOBN(0xf7c2eec0, 0x2a8c4f48)},\n {TOBN(0xaa5573f4, 0x3756e621), TOBN(0xc013a240, 0x1825b948),\n TOBN(0x1c03b345, 0x63878572), TOBN(0xa0472bea, 0x653a4184)}},\n {{TOBN(0xf4222e27, 0x0ac69a80), TOBN(0x34096d25, 0xf51e54f6),\n TOBN(0x00a648cb, 0x8fffa591), TOBN(0x4e87acdc, 0x69b6527f)},\n {TOBN(0x0575e037, 0xe285ccb4), TOBN(0x188089e4, 0x50ddcf52),\n TOBN(0xaa96c9a8, 0x870ff719), TOBN(0x74a56cd8, 0x1fc7e369)}},\n {{TOBN(0x41d04ee2, 0x1726931a), TOBN(0x0bbbb2c8, 0x3660ecfd),\n TOBN(0xa6ef6de5, 0x24818e18), TOBN(0xe421cc51, 0xe7d57887)},\n {TOBN(0xf127d208, 0xbea87be6), TOBN(0x16a475d3, 0xb1cdd682),\n TOBN(0x9db1b684, 0x439b63f7), TOBN(0x5359b3db, 0xf0f113b6)}},\n {{TOBN(0xdfccf1de, 0x8bf06e31), TOBN(0x1fdf8f44, 0xdd383901),\n TOBN(0x10775cad, 0x5017e7d2), TOBN(0xdfc3a597, 0x58d11eef)},\n {TOBN(0x6ec9c8a0, 0xb1ecff10), TOBN(0xee6ed6cc, 0x28400549),\n TOBN(0xb5ad7bae, 0x1b4f8d73), TOBN(0x61b4f11d, 0xe00aaab9)}},\n {{TOBN(0x7b32d69b, 0xd4eff2d7), TOBN(0x88ae6771, 0x4288b60f),\n TOBN(0x159461b4, 0x37a1e723), TOBN(0x1f3d4789, 0x570aae8c)},\n {TOBN(0x869118c0, 0x7f9871da), TOBN(0x35fbda78, 0xf635e278),\n TOBN(0x738f3641, 0xe1541dac), TOBN(0x6794b13a, 0xc0dae45f)}},\n {{TOBN(0x065064ac, 0x09cc0917), TOBN(0x27c53729, 0xc68540fd),\n TOBN(0x0d2d4c8e, 0xef227671), TOBN(0xd23a9f80, 0xa1785a04)},\n {TOBN(0x98c59528, 0x52650359), TOBN(0xfa09ad01, 0x74a1acad),\n TOBN(0x082d5a29, 0x0b55bf5c), TOBN(0xa40f1c67, 0x419b8084)}},\n {{TOBN(0x3a5c752e, 0xdcc18770), TOBN(0x4baf1f2f, 0x8825c3a5),\n TOBN(0xebd63f74, 0x21b153ed), TOBN(0xa2383e47, 0xb2f64723)},\n {TOBN(0xe7bf620a, 0x2646d19a), TOBN(0x56cb44ec, 0x03c83ffd),\n TOBN(0xaf7267c9, 0x4f6be9f1), TOBN(0x8b2dfd7b, 0xc06bb5e9)}},\n {{TOBN(0xb87072f2, 0xa672c5c7), TOBN(0xeacb11c8, 0x0d53c5e2),\n TOBN(0x22dac29d, 0xff435932), TOBN(0x37bdb99d, 0x4408693c)},\n {TOBN(0xf6e62fb6, 0x2899c20f), TOBN(0x3535d512, 0x447ece24),\n TOBN(0xfbdc6b88, 0xff577ce3), TOBN(0x726693bd, 0x190575f2)}},\n {{TOBN(0x6772b0e5, 0xab4b35a2), TOBN(0x1d8b6001, 0xf5eeaacf),\n TOBN(0x728f7ce4, 0x795b9580), TOBN(0x4a20ed2a, 0x41fb81da)},\n {TOBN(0x9f685cd4, 0x4fec01e6), TOBN(0x3ed7ddcc, 0xa7ff50ad),\n TOBN(0x460fd264, 0x0c2d97fd), TOBN(0x3a241426, 0xeb82f4f9)}},\n {{TOBN(0x17d1df2c, 0x6a8ea820), TOBN(0xb2b50d3b, 0xf22cc254),\n TOBN(0x03856cba, 0xb7291426), TOBN(0x87fd26ae, 0x04f5ee39)},\n {TOBN(0x9cb696cc, 0x02bee4ba), TOBN(0x53121804, 0x06820fd6),\n TOBN(0xa5dfc269, 0x0212e985), TOBN(0x666f7ffa, 0x160f9a09)}},\n {{TOBN(0xc503cd33, 0xbccd9617), TOBN(0x365dede4, 0xba7730a3),\n TOBN(0x798c6355, 0x5ddb0786), TOBN(0xa6c3200e, 0xfc9cd3bc)},\n {TOBN(0x060ffb2c, 0xe5e35efd), TOBN(0x99a4e25b, 0x5555a1c1),\n TOBN(0x11d95375, 0xf70b3751), TOBN(0x0a57354a, 0x160e1bf6)}},\n {{TOBN(0xecb3ae4b, 0xf8e4b065), TOBN(0x07a834c4, 0x2e53022b),\n TOBN(0x1cd300b3, 0x8692ed96), TOBN(0x16a6f792, 0x61ee14ec)},\n {TOBN(0x8f1063c6, 0x6a8649ed), TOBN(0xfbcdfcfe, 0x869f3e14),\n TOBN(0x2cfb97c1, 0x00a7b3ec), TOBN(0xcea49b3c, 0x7130c2f1)}},\n {{TOBN(0x462d044f, 0xe9d96488), TOBN(0x4b53d52e, 0x8182a0c1),\n TOBN(0x84b6ddd3, 0x0391e9e9), TOBN(0x80ab7b48, 0xb1741a09)},\n {TOBN(0xec0e15d4, 0x27d3317f), TOBN(0x8dfc1ddb, 0x1a64671e),\n TOBN(0x93cc5d5f, 0xd49c5b92), TOBN(0xc995d53d, 0x3674a331)}},\n {{TOBN(0x302e41ec, 0x090090ae), TOBN(0x2278a0cc, 0xedb06830),\n TOBN(0x1d025932, 0xfbc99690), TOBN(0x0c32fbd2, 0xb80d68da)},\n {TOBN(0xd79146da, 0xf341a6c1), TOBN(0xae0ba139, 0x1bef68a0),\n TOBN(0xc6b8a563, 0x8d774b3a), TOBN(0x1cf307bd, 0x880ba4d7)}},\n {{TOBN(0xc033bdc7, 0x19803511), TOBN(0xa9f97b3b, 0x8888c3be),\n TOBN(0x3d68aebc, 0x85c6d05e), TOBN(0xc3b88a9d, 0x193919eb)},\n {TOBN(0x2d300748, 0xc48b0ee3), TOBN(0x7506bc7c, 0x07a746c1),\n TOBN(0xfc48437c, 0x6e6d57f3), TOBN(0x5bd71587, 0xcfeaa91a)}},\n {{TOBN(0xa4ed0408, 0xc1bc5225), TOBN(0xd0b946db, 0x2719226d),\n TOBN(0x109ecd62, 0x758d2d43), TOBN(0x75c8485a, 0x2751759b)},\n {TOBN(0xb0b75f49, 0x9ce4177a), TOBN(0x4fa61a1e, 0x79c10c3d),\n TOBN(0xc062d300, 0xa167fcd7), TOBN(0x4df3874c, 0x750f0fa8)}},\n {{TOBN(0x29ae2cf9, 0x83dfedc9), TOBN(0xf8437134, 0x8d87631a),\n TOBN(0xaf571711, 0x7429c8d2), TOBN(0x18d15867, 0x146d9272)},\n {TOBN(0x83053ecf, 0x69769bb7), TOBN(0xc55eb856, 0xc479ab82),\n TOBN(0x5ef7791c, 0x21b0f4b2), TOBN(0xaa5956ba, 0x3d491525)}},\n {{TOBN(0x407a96c2, 0x9fe20eba), TOBN(0xf27168bb, 0xe52a5ad3),\n TOBN(0x43b60ab3, 0xbf1d9d89), TOBN(0xe45c51ef, 0x710e727a)},\n {TOBN(0xdfca5276, 0x099b4221), TOBN(0x8dc6407c, 0x2557a159),\n TOBN(0x0ead8335, 0x91035895), TOBN(0x0a9db957, 0x9c55dc32)}},\n {{TOBN(0xe40736d3, 0xdf61bc76), TOBN(0x13a619c0, 0x3f778cdb),\n TOBN(0x6dd921a4, 0xc56ea28f), TOBN(0x76a52433, 0x2fa647b4)},\n {TOBN(0x23591891, 0xac5bdc5d), TOBN(0xff4a1a72, 0xbac7dc01),\n TOBN(0x9905e261, 0x62df8453), TOBN(0x3ac045df, 0xe63b265f)}},\n {{TOBN(0x8a3f341b, 0xad53dba7), TOBN(0x8ec269cc, 0x837b625a),\n TOBN(0xd71a2782, 0x3ae31189), TOBN(0x8fb4f9a3, 0x55e96120)},\n {TOBN(0x804af823, 0xff9875cf), TOBN(0x23224f57, 0x5d442a9b),\n TOBN(0x1c4d3b9e, 0xecc62679), TOBN(0x91da22fb, 0xa0e7ddb1)}},\n {{TOBN(0xa370324d, 0x6c04a661), TOBN(0x9710d3b6, 0x5e376d17),\n TOBN(0xed8c98f0, 0x3044e357), TOBN(0xc364ebbe, 0x6422701c)},\n {TOBN(0x347f5d51, 0x7733d61c), TOBN(0xd55644b9, 0xcea826c3),\n TOBN(0x80c6e0ad, 0x55a25548), TOBN(0x0aa7641d, 0x844220a7)}},\n {{TOBN(0x1438ec81, 0x31810660), TOBN(0x9dfa6507, 0xde4b4043),\n TOBN(0x10b515d8, 0xcc3e0273), TOBN(0x1b6066dd, 0x28d8cfb2)},\n {TOBN(0xd3b04591, 0x9c9efebd), TOBN(0x425d4bdf, 0xa21c1ff4),\n TOBN(0x5fe5af19, 0xd57607d3), TOBN(0xbbf773f7, 0x54481084)}},\n {{TOBN(0x8435bd69, 0x94b03ed1), TOBN(0xd9ad1de3, 0x634cc546),\n TOBN(0x2cf423fc, 0x00e420ca), TOBN(0xeed26d80, 0xa03096dd)},\n {TOBN(0xd7f60be7, 0xa4db09d2), TOBN(0xf47f569d, 0x960622f7),\n TOBN(0xe5925fd7, 0x7296c729), TOBN(0xeff2db26, 0x26ca2715)}},\n {{TOBN(0xa6fcd014, 0xb913e759), TOBN(0x53da4786, 0x8ff4de93),\n TOBN(0x14616d79, 0xc32068e1), TOBN(0xb187d664, 0xccdf352e)},\n {TOBN(0xf7afb650, 0x1dc90b59), TOBN(0x8170e943, 0x7daa1b26),\n TOBN(0xc8e3bdd8, 0x700c0a84), TOBN(0x6e8d345f, 0x6482bdfa)}},\n {{TOBN(0x84cfbfa1, 0xc5c5ea50), TOBN(0xd3baf14c, 0x67960681),\n TOBN(0x26398403, 0x0dd50942), TOBN(0xe4b7839c, 0x4716a663)},\n {TOBN(0xd5f1f794, 0xe7de6dc0), TOBN(0x5cd0f4d4, 0x622aa7ce),\n TOBN(0x5295f3f1, 0x59acfeec), TOBN(0x8d933552, 0x953e0607)}},\n {{TOBN(0xc7db8ec5, 0x776c5722), TOBN(0xdc467e62, 0x2b5f290c),\n TOBN(0xd4297e70, 0x4ff425a9), TOBN(0x4be924c1, 0x0cf7bb72)},\n {TOBN(0x0d5dc5ae, 0xa1892131), TOBN(0x8bf8a8e3, 0xa705c992),\n TOBN(0x73a0b064, 0x7a305ac5), TOBN(0x00c9ca4e, 0x9a8c77a8)}},\n {{TOBN(0x5dfee80f, 0x83774bdd), TOBN(0x63131602, 0x85734485),\n TOBN(0xa1b524ae, 0x914a69a9), TOBN(0xebc2ffaf, 0xd4e300d7)},\n {TOBN(0x52c93db7, 0x7cfa46a5), TOBN(0x71e6161f, 0x21653b50),\n TOBN(0x3574fc57, 0xa4bc580a), TOBN(0xc09015dd, 0xe1bc1253)}},\n {{TOBN(0x4b7b47b2, 0xd174d7aa), TOBN(0x4072d8e8, 0xf3a15d04),\n TOBN(0xeeb7d47f, 0xd6fa07ed), TOBN(0x6f2b9ff9, 0xedbdafb1)},\n {TOBN(0x18c51615, 0x3760fe8a), TOBN(0x7a96e6bf, 0xf06c6c13),\n TOBN(0x4d7a0410, 0x0ea2d071), TOBN(0xa1914e9b, 0x0be2a5ce)}},\n {{TOBN(0x5726e357, 0xd8a3c5cf), TOBN(0x1197ecc3, 0x2abb2b13),\n TOBN(0x6c0d7f7f, 0x31ae88dd), TOBN(0x15b20d1a, 0xfdbb3efe)},\n {TOBN(0xcd06aa26, 0x70584039), TOBN(0x2277c969, 0xa7dc9747),\n TOBN(0xbca69587, 0x7855d815), TOBN(0x899ea238, 0x5188b32a)}},\n {{TOBN(0x37d9228b, 0x760c1c9d), TOBN(0xc7efbb11, 0x9b5c18da),\n TOBN(0x7f0d1bc8, 0x19f6dbc5), TOBN(0x4875384b, 0x07e6905b)},\n {TOBN(0xc7c50baa, 0x3ba8cd86), TOBN(0xb0ce40fb, 0xc2905de0),\n TOBN(0x70840673, 0x7a231952), TOBN(0xa912a262, 0xcf43de26)}},\n {{TOBN(0x9c38ddcc, 0xeb5b76c1), TOBN(0x746f5285, 0x26fc0ab4),\n TOBN(0x52a63a50, 0xd62c269f), TOBN(0x60049c55, 0x99458621)},\n {TOBN(0xe7f48f82, 0x3c2f7c9e), TOBN(0x6bd99043, 0x917d5cf3),\n TOBN(0xeb1317a8, 0x8701f469), TOBN(0xbd3fe2ed, 0x9a449fe0)}},\n {{TOBN(0x421e79ca, 0x12ef3d36), TOBN(0x9ee3c36c, 0x3e7ea5de),\n TOBN(0xe48198b5, 0xcdff36f7), TOBN(0xaff4f967, 0xc6b82228)},\n {TOBN(0x15e19dd0, 0xc47adb7e), TOBN(0x45699b23, 0x032e7dfa),\n TOBN(0x40680c8b, 0x1fae026a), TOBN(0x5a347a48, 0x550dbf4d)}},\n {{TOBN(0xe652533b, 0x3cef0d7d), TOBN(0xd94f7b18, 0x2bbb4381),\n TOBN(0x838752be, 0x0e80f500), TOBN(0x8e6e2488, 0x9e9c9bfb)},\n {TOBN(0xc9751697, 0x16caca6a), TOBN(0x866c49d8, 0x38531ad9),\n TOBN(0xc917e239, 0x7151ade1), TOBN(0x2d016ec1, 0x6037c407)}},\n {{TOBN(0xa407ccc9, 0x00eac3f9), TOBN(0x835f6280, 0xe2ed4748),\n TOBN(0xcc54c347, 0x1cc98e0d), TOBN(0x0e969937, 0xdcb572eb)},\n {TOBN(0x1b16c8e8, 0x8f30c9cb), TOBN(0xa606ae75, 0x373c4661),\n TOBN(0x47aa689b, 0x35502cab), TOBN(0xf89014ae, 0x4d9bb64f)}},\n {{TOBN(0x202f6a9c, 0x31c71f7b), TOBN(0x01f95aa3, 0x296ffe5c),\n TOBN(0x5fc06014, 0x53cec3a3), TOBN(0xeb991237, 0x5f498a45)},\n {TOBN(0xae9a935e, 0x5d91ba87), TOBN(0xc6ac6281, 0x0b564a19),\n TOBN(0x8a8fe81c, 0x3bd44e69), TOBN(0x7c8b467f, 0x9dd11d45)}},\n {{TOBN(0xf772251f, 0xea5b8e69), TOBN(0xaeecb3bd, 0xc5b75fbc),\n TOBN(0x1aca3331, 0x887ff0e5), TOBN(0xbe5d49ff, 0x19f0a131)},\n {TOBN(0x582c13aa, 0xe5c8646f), TOBN(0xdbaa12e8, 0x20e19980),\n TOBN(0x8f40f31a, 0xf7abbd94), TOBN(0x1f13f5a8, 0x1dfc7663)}},\n {{TOBN(0x5d81f1ee, 0xaceb4fc0), TOBN(0x36256002, 0x5e6f0f42),\n TOBN(0x4b67d6d7, 0x751370c8), TOBN(0x2608b698, 0x03e80589)},\n {TOBN(0xcfc0d2fc, 0x05268301), TOBN(0xa6943d39, 0x40309212),\n TOBN(0x192a90c2, 0x1fd0e1c2), TOBN(0xb209f113, 0x37f1dc76)}},\n {{TOBN(0xefcc5e06, 0x97bf1298), TOBN(0xcbdb6730, 0x219d639e),\n TOBN(0xd009c116, 0xb81e8c6f), TOBN(0xa3ffdde3, 0x1a7ce2e5)},\n {TOBN(0xc53fbaaa, 0xa914d3ba), TOBN(0x836d500f, 0x88df85ee),\n TOBN(0xd98dc71b, 0x66ee0751), TOBN(0x5a3d7005, 0x714516fd)}},\n {{TOBN(0x21d3634d, 0x39eedbba), TOBN(0x35cd2e68, 0x0455a46d),\n TOBN(0xc8cafe65, 0xf9d7eb0c), TOBN(0xbda3ce9e, 0x00cefb3e)},\n {TOBN(0xddc17a60, 0x2c9cf7a4), TOBN(0x01572ee4, 0x7bcb8773),\n TOBN(0xa92b2b01, 0x8c7548df), TOBN(0x732fd309, 0xa84600e3)}},\n {{TOBN(0xe22109c7, 0x16543a40), TOBN(0x9acafd36, 0xfede3c6c),\n TOBN(0xfb206852, 0x6824e614), TOBN(0x2a4544a9, 0xda25dca0)},\n {TOBN(0x25985262, 0x91d60b06), TOBN(0x281b7be9, 0x28753545),\n TOBN(0xec667b1a, 0x90f13b27), TOBN(0x33a83aff, 0x940e2eb4)}},\n {{TOBN(0x80009862, 0xd5d721d5), TOBN(0x0c3357a3, 0x5bd3a182),\n TOBN(0x27f3a83b, 0x7aa2cda4), TOBN(0xb58ae74e, 0xf6f83085)},\n {TOBN(0x2a911a81, 0x2e6dad6b), TOBN(0xde286051, 0xf43d6c5b),\n TOBN(0x4bdccc41, 0xf996c4d8), TOBN(0xe7312ec0, 0x0ae1e24e)}}},\n {{{TOBN(0xf8d112e7, 0x6e6485b3), TOBN(0x4d3e24db, 0x771c52f8),\n TOBN(0x48e3ee41, 0x684a2f6d), TOBN(0x7161957d, 0x21d95551)},\n {TOBN(0x19631283, 0xcdb12a6c), TOBN(0xbf3fa882, 0x2e50e164),\n TOBN(0xf6254b63, 0x3166cc73), TOBN(0x3aefa7ae, 0xaee8cc38)}},\n {{TOBN(0x79b0fe62, 0x3b36f9fd), TOBN(0x26543b23, 0xfde19fc0),\n TOBN(0x136e64a0, 0x958482ef), TOBN(0x23f63771, 0x9b095825)},\n {TOBN(0x14cfd596, 0xb6a1142e), TOBN(0x5ea6aac6, 0x335aac0b),\n TOBN(0x86a0e8bd, 0xf3081dd5), TOBN(0x5fb89d79, 0x003dc12a)}},\n {{TOBN(0xf615c33a, 0xf72e34d4), TOBN(0x0bd9ea40, 0x110eec35),\n TOBN(0x1c12bc5b, 0xc1dea34e), TOBN(0x686584c9, 0x49ae4699)},\n {TOBN(0x13ad95d3, 0x8c97b942), TOBN(0x4609561a, 0x4e5c7562),\n TOBN(0x9e94a4ae, 0xf2737f89), TOBN(0xf57594c6, 0x371c78b6)}},\n {{TOBN(0x0f0165fc, 0xe3779ee3), TOBN(0xe00e7f9d, 0xbd495d9e),\n TOBN(0x1fa4efa2, 0x20284e7a), TOBN(0x4564bade, 0x47ac6219)},\n {TOBN(0x90e6312a, 0xc4708e8e), TOBN(0x4f5725fb, 0xa71e9adf),\n TOBN(0xe95f55ae, 0x3d684b9f), TOBN(0x47f7ccb1, 0x1e94b415)}},\n {{TOBN(0x7322851b, 0x8d946581), TOBN(0xf0d13133, 0xbdf4a012),\n TOBN(0xa3510f69, 0x6584dae0), TOBN(0x03a7c171, 0x3c9f6c6d)},\n {TOBN(0x5be97f38, 0xe475381a), TOBN(0xca1ba422, 0x85823334),\n TOBN(0xf83cc5c7, 0x0be17dda), TOBN(0x158b1494, 0x0b918c0f)}},\n {{TOBN(0xda3a77e5, 0x522e6b69), TOBN(0x69c908c3, 0xbbcd6c18),\n TOBN(0x1f1b9e48, 0xd924fd56), TOBN(0x37c64e36, 0xaa4bb3f7)},\n {TOBN(0x5a4fdbdf, 0xee478d7d), TOBN(0xba75c8bc, 0x0193f7a0),\n TOBN(0x84bc1e84, 0x56cd16df), TOBN(0x1fb08f08, 0x46fad151)}},\n {{TOBN(0x8a7cabf9, 0x842e9f30), TOBN(0xa331d4bf, 0x5eab83af),\n TOBN(0xd272cfba, 0x017f2a6a), TOBN(0x27560abc, 0x83aba0e3)},\n {TOBN(0x94b83387, 0x0e3a6b75), TOBN(0x25c6aea2, 0x6b9f50f5),\n TOBN(0x803d691d, 0xb5fdf6d0), TOBN(0x03b77509, 0xe6333514)}},\n {{TOBN(0x36178903, 0x61a341c1), TOBN(0x3604dc60, 0x0cfd6142),\n TOBN(0x022295eb, 0x8533316c), TOBN(0x3dbde4ac, 0x44af2922)},\n {TOBN(0x898afc5d, 0x1c7eef69), TOBN(0x58896805, 0xd14f4fa1),\n TOBN(0x05002160, 0x203c21ca), TOBN(0x6f0d1f30, 0x40ef730b)}},\n {{TOBN(0x8e8c44d4, 0x196224f8), TOBN(0x75a4ab95, 0x374d079d),\n TOBN(0x79085ecc, 0x7d48f123), TOBN(0x56f04d31, 0x1bf65ad8)},\n {TOBN(0xe220bf1c, 0xbda602b2), TOBN(0x73ee1742, 0xf9612c69),\n TOBN(0x76008fc8, 0x084fd06b), TOBN(0x4000ef9f, 0xf11380d1)}},\n {{TOBN(0x48201b4b, 0x12cfe297), TOBN(0x3eee129c, 0x292f74e5),\n TOBN(0xe1fe114e, 0xc9e874e8), TOBN(0x899b055c, 0x92c5fc41)},\n {TOBN(0x4e477a64, 0x3a39c8cf), TOBN(0x82f09efe, 0x78963cc9),\n TOBN(0x6fd3fd8f, 0xd333f863), TOBN(0x85132b2a, 0xdc949c63)}},\n {{TOBN(0x7e06a3ab, 0x516eb17b), TOBN(0x73bec06f, 0xd2c7372b),\n TOBN(0xe4f74f55, 0xba896da6), TOBN(0xbb4afef8, 0x8e9eb40f)},\n {TOBN(0x2d75bec8, 0xe61d66b0), TOBN(0x02bda4b4, 0xef29300b),\n TOBN(0x8bbaa8de, 0x026baa5a), TOBN(0xff54befd, 0xa07f4440)}},\n {{TOBN(0xbd9b8b1d, 0xbe7a2af3), TOBN(0xec51caa9, 0x4fb74a72),\n TOBN(0xb9937a4b, 0x63879697), TOBN(0x7c9a9d20, 0xec2687d5)},\n {TOBN(0x1773e44f, 0x6ef5f014), TOBN(0x8abcf412, 0xe90c6900),\n TOBN(0x387bd022, 0x8142161e), TOBN(0x50393755, 0xfcb6ff2a)}},\n {{TOBN(0x9813fd56, 0xed6def63), TOBN(0x53cf6482, 0x7d53106c),\n TOBN(0x991a35bd, 0x431f7ac1), TOBN(0xf1e274dd, 0x63e65faf)},\n {TOBN(0xf63ffa3c, 0x44cc7880), TOBN(0x411a426b, 0x7c256981),\n TOBN(0xb698b9fd, 0x93a420e0), TOBN(0x89fdddc0, 0xae53f8fe)}},\n {{TOBN(0x766e0722, 0x32398baa), TOBN(0x205fee42, 0x5cfca031),\n TOBN(0xa49f5341, 0x7a029cf2), TOBN(0xa88c68b8, 0x4023890d)},\n {TOBN(0xbc275041, 0x7337aaa8), TOBN(0x9ed364ad, 0x0eb384f4),\n TOBN(0xe0816f85, 0x29aba92f), TOBN(0x2e9e1941, 0x04e38a88)}},\n {{TOBN(0x57eef44a, 0x3dafd2d5), TOBN(0x35d1fae5, 0x97ed98d8),\n TOBN(0x50628c09, 0x2307f9b1), TOBN(0x09d84aae, 0xd6cba5c6)},\n {TOBN(0x67071bc7, 0x88aaa691), TOBN(0x2dea57a9, 0xafe6cb03),\n TOBN(0xdfe11bb4, 0x3d78ac01), TOBN(0x7286418c, 0x7fd7aa51)}},\n {{TOBN(0xfabf7709, 0x77f7195a), TOBN(0x8ec86167, 0xadeb838f),\n TOBN(0xea1285a8, 0xbb4f012d), TOBN(0xd6883503, 0x9a3eab3f)},\n {TOBN(0xee5d24f8, 0x309004c2), TOBN(0xa96e4b76, 0x13ffe95e),\n TOBN(0x0cdffe12, 0xbd223ea4), TOBN(0x8f5c2ee5, 0xb6739a53)}},\n {{TOBN(0x5cb4aaa5, 0xdd968198), TOBN(0xfa131c52, 0x72413a6c),\n TOBN(0x53d46a90, 0x9536d903), TOBN(0xb270f0d3, 0x48606d8e)},\n {TOBN(0x518c7564, 0xa053a3bc), TOBN(0x088254b7, 0x1a86caef),\n TOBN(0xb3ba8cb4, 0x0ab5efd0), TOBN(0x5c59900e, 0x4605945d)}},\n {{TOBN(0xecace1dd, 0xa1887395), TOBN(0x40960f36, 0x932a65de),\n TOBN(0x9611ff5c, 0x3aa95529), TOBN(0xc58215b0, 0x7c1e5a36)},\n {TOBN(0xd48c9b58, 0xf0e1a524), TOBN(0xb406856b, 0xf590dfb8),\n TOBN(0xc7605e04, 0x9cd95662), TOBN(0x0dd036ee, 0xa33ecf82)}},\n {{TOBN(0xa50171ac, 0xc33156b3), TOBN(0xf09d24ea, 0x4a80172e),\n TOBN(0x4e1f72c6, 0x76dc8eef), TOBN(0xe60caadc, 0x5e3d44ee)},\n {TOBN(0x006ef8a6, 0x979b1d8f), TOBN(0x60908a1c, 0x97788d26),\n TOBN(0x6e08f95b, 0x266feec0), TOBN(0x618427c2, 0x22e8c94e)}},\n {{TOBN(0x3d613339, 0x59145a65), TOBN(0xcd9bc368, 0xfa406337),\n TOBN(0x82d11be3, 0x2d8a52a0), TOBN(0xf6877b27, 0x97a1c590)},\n {TOBN(0x837a819b, 0xf5cbdb25), TOBN(0x2a4fd1d8, 0xde090249),\n TOBN(0x622a7de7, 0x74990e5f), TOBN(0x840fa5a0, 0x7945511b)}},\n {{TOBN(0x30b974be, 0x6558842d), TOBN(0x70df8c64, 0x17f3d0a6),\n TOBN(0x7c803520, 0x7542e46d), TOBN(0x7251fe7f, 0xe4ecc823)},\n {TOBN(0xe59134cb, 0x5e9aac9a), TOBN(0x11bb0934, 0xf0045d71),\n TOBN(0x53e5d9b5, 0xdbcb1d4e), TOBN(0x8d97a905, 0x92defc91)}},\n {{TOBN(0xfe289327, 0x7946d3f9), TOBN(0xe132bd24, 0x07472273),\n TOBN(0xeeeb510c, 0x1eb6ae86), TOBN(0x777708c5, 0xf0595067)},\n {TOBN(0x18e2c8cd, 0x1297029e), TOBN(0x2c61095c, 0xbbf9305e),\n TOBN(0xe466c258, 0x6b85d6d9), TOBN(0x8ac06c36, 0xda1ea530)}},\n {{TOBN(0xa365dc39, 0xa1304668), TOBN(0xe4a9c885, 0x07f89606),\n TOBN(0x65a4898f, 0xacc7228d), TOBN(0x3e2347ff, 0x84ca8303)},\n {TOBN(0xa5f6fb77, 0xea7d23a3), TOBN(0x2fac257d, 0x672a71cd),\n TOBN(0x6908bef8, 0x7e6a44d3), TOBN(0x8ff87566, 0x891d3d7a)}},\n {{TOBN(0xe58e90b3, 0x6b0cf82e), TOBN(0x6438d246, 0x2615b5e7),\n TOBN(0x07b1f8fc, 0x669c145a), TOBN(0xb0d8b2da, 0x36f1e1cb)},\n {TOBN(0x54d5dadb, 0xd9184c4d), TOBN(0x3dbb18d5, 0xf93d9976),\n TOBN(0x0a3e0f56, 0xd1147d47), TOBN(0x2afa8c8d, 0xa0a48609)}},\n {{TOBN(0x275353e8, 0xbc36742c), TOBN(0x898f427e, 0xeea0ed90),\n TOBN(0x26f4947e, 0x3e477b00), TOBN(0x8ad8848a, 0x308741e3)},\n {TOBN(0x6c703c38, 0xd74a2a46), TOBN(0x5e3e05a9, 0x9ba17ba2),\n TOBN(0xc1fa6f66, 0x4ab9a9e4), TOBN(0x474a2d9a, 0x3841d6ec)}},\n {{TOBN(0x871239ad, 0x653ae326), TOBN(0x14bcf72a, 0xa74cbb43),\n TOBN(0x8737650e, 0x20d4c083), TOBN(0x3df86536, 0x110ed4af)},\n {TOBN(0xd2d86fe7, 0xb53ca555), TOBN(0x688cb00d, 0xabd5d538),\n TOBN(0xcf81bda3, 0x1ad38468), TOBN(0x7ccfe3cc, 0xf01167b6)}},\n {{TOBN(0xcf4f47e0, 0x6c4c1fe6), TOBN(0x557e1f1a, 0x298bbb79),\n TOBN(0xf93b974f, 0x30d45a14), TOBN(0x174a1d2d, 0x0baf97c4)},\n {TOBN(0x7a003b30, 0xc51fbf53), TOBN(0xd8940991, 0xee68b225),\n TOBN(0x5b0aa7b7, 0x1c0f4173), TOBN(0x975797c9, 0xa20a7153)}},\n {{TOBN(0x26e08c07, 0xe3533d77), TOBN(0xd7222e6a, 0x2e341c99),\n TOBN(0x9d60ec3d, 0x8d2dc4ed), TOBN(0xbdfe0d8f, 0x7c476cf8)},\n {TOBN(0x1fe59ab6, 0x1d056605), TOBN(0xa9ea9df6, 0x86a8551f),\n TOBN(0x8489941e, 0x47fb8d8c), TOBN(0xfeb874eb, 0x4a7f1b10)}},\n {{TOBN(0xfe5fea86, 0x7ee0d98f), TOBN(0x201ad34b, 0xdbf61864),\n TOBN(0x45d8fe47, 0x37c031d4), TOBN(0xd5f49fae, 0x795f0822)},\n {TOBN(0xdb0fb291, 0xc7f4a40c), TOBN(0x2e69d9c1, 0x730ddd92),\n TOBN(0x754e1054, 0x49d76987), TOBN(0x8a24911d, 0x7662db87)}},\n {{TOBN(0x61fc1810, 0x60a71676), TOBN(0xe852d1a8, 0xf66a8ad1),\n TOBN(0x172bbd65, 0x6417231e), TOBN(0x0d6de7bd, 0x3babb11f)},\n {TOBN(0x6fde6f88, 0xc8e347f8), TOBN(0x1c587547, 0x9bd99cc3),\n TOBN(0x78e54ed0, 0x34076950), TOBN(0x97f0f334, 0x796e83ba)}},\n {{TOBN(0xe4dbe1ce, 0x4924867a), TOBN(0xbd5f51b0, 0x60b84917),\n TOBN(0x37530040, 0x3cb09a79), TOBN(0xdb3fe0f8, 0xff1743d8)},\n {TOBN(0xed7894d8, 0x556fa9db), TOBN(0xfa262169, 0x23412fbf),\n TOBN(0x563be0db, 0xba7b9291), TOBN(0x6ca8b8c0, 0x0c9fb234)}},\n {{TOBN(0xed406aa9, 0xbd763802), TOBN(0xc21486a0, 0x65303da1),\n TOBN(0x61ae291e, 0xc7e62ec4), TOBN(0x622a0492, 0xdf99333e)},\n {TOBN(0x7fd80c9d, 0xbb7a8ee0), TOBN(0xdc2ed3bc, 0x6c01aedb),\n TOBN(0x35c35a12, 0x08be74ec), TOBN(0xd540cb1a, 0x469f671f)}},\n {{TOBN(0xd16ced4e, 0xcf84f6c7), TOBN(0x8561fb9c, 0x2d090f43),\n TOBN(0x7e693d79, 0x6f239db4), TOBN(0xa736f928, 0x77bd0d94)},\n {TOBN(0x07b4d929, 0x2c1950ee), TOBN(0xda177543, 0x56dc11b3),\n TOBN(0xa5dfbbaa, 0x7a6a878e), TOBN(0x1c70cb29, 0x4decb08a)}},\n {{TOBN(0xfba28c8b, 0x6f0f7c50), TOBN(0xa8eba2b8, 0x854dcc6d),\n TOBN(0x5ff8e89a, 0x36b78642), TOBN(0x070c1c8e, 0xf6873adf)},\n {TOBN(0xbbd3c371, 0x6484d2e4), TOBN(0xfb78318f, 0x0d414129),\n TOBN(0x2621a39c, 0x6ad93b0b), TOBN(0x979d74c2, 0xa9e917f7)}},\n {{TOBN(0xfc195647, 0x61fb0428), TOBN(0x4d78954a, 0xbee624d4),\n TOBN(0xb94896e0, 0xb8ae86fd), TOBN(0x6667ac0c, 0xc91c8b13)},\n {TOBN(0x9f180512, 0x43bcf832), TOBN(0xfbadf8b7, 0xa0010137),\n TOBN(0xc69b4089, 0xb3ba8aa7), TOBN(0xfac4bacd, 0xe687ce85)}},\n {{TOBN(0x9164088d, 0x977eab40), TOBN(0x51f4c5b6, 0x2760b390),\n TOBN(0xd238238f, 0x340dd553), TOBN(0x358566c3, 0xdb1d31c9)},\n {TOBN(0x3a5ad69e, 0x5068f5ff), TOBN(0xf31435fc, 0xdaff6b06),\n TOBN(0xae549a5b, 0xd6debff0), TOBN(0x59e5f0b7, 0x75e01331)}},\n {{TOBN(0x5d492fb8, 0x98559acf), TOBN(0x96018c2e, 0x4db79b50),\n TOBN(0x55f4a48f, 0x609f66aa), TOBN(0x1943b3af, 0x4900a14f)},\n {TOBN(0xc22496df, 0x15a40d39), TOBN(0xb2a44684, 0x4c20f7c5),\n TOBN(0x76a35afa, 0x3b98404c), TOBN(0xbec75725, 0xff5d1b77)}},\n {{TOBN(0xb67aa163, 0xbea06444), TOBN(0x27e95bb2, 0xf724b6f2),\n TOBN(0x3c20e3e9, 0xd238c8ab), TOBN(0x1213754e, 0xddd6ae17)},\n {TOBN(0x8c431020, 0x716e0f74), TOBN(0x6679c82e, 0xffc095c2),\n TOBN(0x2eb3adf4, 0xd0ac2932), TOBN(0x2cc970d3, 0x01bb7a76)}},\n {{TOBN(0x70c71f2f, 0x740f0e66), TOBN(0x545c616b, 0x2b6b23cc),\n TOBN(0x4528cfcb, 0xb40a8bd7), TOBN(0xff839633, 0x2ab27722)},\n {TOBN(0x049127d9, 0x025ac99a), TOBN(0xd314d4a0, 0x2b63e33b),\n TOBN(0xc8c310e7, 0x28d84519), TOBN(0x0fcb8983, 0xb3bc84ba)}},\n {{TOBN(0x2cc52261, 0x38634818), TOBN(0x501814f4, 0xb44c2e0b),\n TOBN(0xf7e181aa, 0x54dfdba3), TOBN(0xcfd58ff0, 0xe759718c)},\n {TOBN(0xf90cdb14, 0xd3b507a8), TOBN(0x57bd478e, 0xc50bdad8),\n TOBN(0x29c197e2, 0x50e5f9aa), TOBN(0x4db6eef8, 0xe40bc855)}},\n {{TOBN(0x2cc8f21a, 0xd1fc0654), TOBN(0xc71cc963, 0x81269d73),\n TOBN(0xecfbb204, 0x077f49f9), TOBN(0xdde92571, 0xca56b793)},\n {TOBN(0x9abed6a3, 0xf97ad8f7), TOBN(0xe6c19d3f, 0x924de3bd),\n TOBN(0x8dce92f4, 0xa140a800), TOBN(0x85f44d1e, 0x1337af07)}},\n {{TOBN(0x5953c08b, 0x09d64c52), TOBN(0xa1b5e49f, 0xf5df9749),\n TOBN(0x336a8fb8, 0x52735f7d), TOBN(0xb332b6db, 0x9add676b)},\n {TOBN(0x558b88a0, 0xb4511aa4), TOBN(0x09788752, 0xdbd5cc55),\n TOBN(0x16b43b9c, 0xd8cd52bd), TOBN(0x7f0bc5a0, 0xc2a2696b)}},\n {{TOBN(0x146e12d4, 0xc11f61ef), TOBN(0x9ce10754, 0x3a83e79e),\n TOBN(0x08ec73d9, 0x6cbfca15), TOBN(0x09ff29ad, 0x5b49653f)},\n {TOBN(0xe31b72bd, 0xe7da946e), TOBN(0xebf9eb3b, 0xee80a4f2),\n TOBN(0xd1aabd08, 0x17598ce4), TOBN(0x18b5fef4, 0x53f37e80)}},\n {{TOBN(0xd5d5cdd3, 0x5958cd79), TOBN(0x3580a1b5, 0x1d373114),\n TOBN(0xa36e4c91, 0xfa935726), TOBN(0xa38c534d, 0xef20d760)},\n {TOBN(0x7088e40a, 0x2ff5845b), TOBN(0xe5bb40bd, 0xbd78177f),\n TOBN(0x4f06a7a8, 0x857f9920), TOBN(0xe3cc3e50, 0xe968f05d)}},\n {{TOBN(0x1d68b7fe, 0xe5682d26), TOBN(0x5206f76f, 0xaec7f87c),\n TOBN(0x41110530, 0x041951ab), TOBN(0x58ec52c1, 0xd4b5a71a)},\n {TOBN(0xf3488f99, 0x0f75cf9a), TOBN(0xf411951f, 0xba82d0d5),\n TOBN(0x27ee75be, 0x618895ab), TOBN(0xeae060d4, 0x6d8aab14)}},\n {{TOBN(0x9ae1df73, 0x7fb54dc2), TOBN(0x1f3e391b, 0x25963649),\n TOBN(0x242ec32a, 0xfe055081), TOBN(0x5bd450ef, 0x8491c9bd)},\n {TOBN(0x367efc67, 0x981eb389), TOBN(0xed7e1928, 0x3a0550d5),\n TOBN(0x362e776b, 0xab3ce75c), TOBN(0xe890e308, 0x1f24c523)}},\n {{TOBN(0xb961b682, 0xfeccef76), TOBN(0x8b8e11f5, 0x8bba6d92),\n TOBN(0x8f2ccc4c, 0x2b2375c4), TOBN(0x0d7f7a52, 0xe2f86cfa)},\n {TOBN(0xfd94d30a, 0x9efe5633), TOBN(0x2d8d246b, 0x5451f934),\n TOBN(0x2234c6e3, 0x244e6a00), TOBN(0xde2b5b0d, 0xddec8c50)}},\n {{TOBN(0x2ce53c5a, 0xbf776f5b), TOBN(0x6f724071, 0x60357b05),\n TOBN(0xb2593717, 0x71bf3f7a), TOBN(0x87d2501c, 0x440c4a9f)},\n {TOBN(0x440552e1, 0x87b05340), TOBN(0xb7bf7cc8, 0x21624c32),\n TOBN(0x4155a6ce, 0x22facddb), TOBN(0x5a4228cb, 0x889837ef)}},\n {{TOBN(0xef87d6d6, 0xfd4fd671), TOBN(0xa233687e, 0xc2daa10e),\n TOBN(0x75622244, 0x03c0eb96), TOBN(0x7632d184, 0x8bf19be6)},\n {TOBN(0x05d0f8e9, 0x40735ff4), TOBN(0x3a3e6e13, 0xc00931f1),\n TOBN(0x31ccde6a, 0xdafe3f18), TOBN(0xf381366a, 0xcfe51207)}},\n {{TOBN(0x24c222a9, 0x60167d92), TOBN(0x62f9d6f8, 0x7529f18c),\n TOBN(0x412397c0, 0x0353b114), TOBN(0x334d89dc, 0xef808043)},\n {TOBN(0xd9ec63ba, 0x2a4383ce), TOBN(0xcec8e937, 0x5cf92ba0),\n TOBN(0xfb8b4288, 0xc8be74c0), TOBN(0x67d6912f, 0x105d4391)}},\n {{TOBN(0x7b996c46, 0x1b913149), TOBN(0x36aae2ef, 0x3a4e02da),\n TOBN(0xb68aa003, 0x972de594), TOBN(0x284ec70d, 0x4ec6d545)},\n {TOBN(0xf3d2b2d0, 0x61391d54), TOBN(0x69c5d5d6, 0xfe114e92),\n TOBN(0xbe0f00b5, 0xb4482dff), TOBN(0xe1596fa5, 0xf5bf33c5)}},\n {{TOBN(0x10595b56, 0x96a71cba), TOBN(0x944938b2, 0xfdcadeb7),\n TOBN(0xa282da4c, 0xfccd8471), TOBN(0x98ec05f3, 0x0d37bfe1)},\n {TOBN(0xe171ce1b, 0x0698304a), TOBN(0x2d691444, 0x21bdf79b),\n TOBN(0xd0cd3b74, 0x1b21dec1), TOBN(0x712ecd8b, 0x16a15f71)}},\n {{TOBN(0x8d4c00a7, 0x00fd56e1), TOBN(0x02ec9692, 0xf9527c18),\n TOBN(0x21c44937, 0x4a3e42e1), TOBN(0x9176fbab, 0x1392ae0a)},\n {TOBN(0x8726f1ba, 0x44b7b618), TOBN(0xb4d7aae9, 0xf1de491c),\n TOBN(0xf91df7b9, 0x07b582c0), TOBN(0x7e116c30, 0xef60aa3a)}},\n {{TOBN(0x99270f81, 0x466265d7), TOBN(0xb15b6fe2, 0x4df7adf0),\n TOBN(0xfe33b2d3, 0xf9738f7f), TOBN(0x48553ab9, 0xd6d70f95)},\n {TOBN(0x2cc72ac8, 0xc21e94db), TOBN(0x795ac38d, 0xbdc0bbee),\n TOBN(0x0a1be449, 0x2e40478f), TOBN(0x81bd3394, 0x052bde55)}},\n {{TOBN(0x63c8dbe9, 0x56b3c4f2), TOBN(0x017a99cf, 0x904177cc),\n TOBN(0x947bbddb, 0x4d010fc1), TOBN(0xacf9b00b, 0xbb2c9b21)},\n {TOBN(0x2970bc8d, 0x47173611), TOBN(0x1a4cbe08, 0xac7d756f),\n TOBN(0x06d9f4aa, 0x67d541a2), TOBN(0xa3e8b689, 0x59c2cf44)}},\n {{TOBN(0xaad066da, 0x4d88f1dd), TOBN(0xc604f165, 0x7ad35dea),\n TOBN(0x7edc0720, 0x4478ca67), TOBN(0xa10dfae0, 0xba02ce06)},\n {TOBN(0xeceb1c76, 0xaf36f4e4), TOBN(0x994b2292, 0xaf3f8f48),\n TOBN(0xbf9ed77b, 0x77c8a68c), TOBN(0x74f544ea, 0x51744c9d)}},\n {{TOBN(0x82d05bb9, 0x8113a757), TOBN(0x4ef2d2b4, 0x8a9885e4),\n TOBN(0x1e332be5, 0x1aa7865f), TOBN(0x22b76b18, 0x290d1a52)},\n {TOBN(0x308a2310, 0x44351683), TOBN(0x9d861896, 0xa3f22840),\n TOBN(0x5959ddcd, 0x841ed947), TOBN(0x0def0c94, 0x154b73bf)}},\n {{TOBN(0xf0105417, 0x4c7c15e0), TOBN(0x539bfb02, 0x3a277c32),\n TOBN(0xe699268e, 0xf9dccf5f), TOBN(0x9f5796a5, 0x0247a3bd)},\n {TOBN(0x8b839de8, 0x4f157269), TOBN(0xc825c1e5, 0x7a30196b),\n TOBN(0x6ef0aabc, 0xdc8a5a91), TOBN(0xf4a8ce6c, 0x498b7fe6)}},\n {{TOBN(0x1cce35a7, 0x70cbac78), TOBN(0x83488e9b, 0xf6b23958),\n TOBN(0x0341a070, 0xd76cb011), TOBN(0xda6c9d06, 0xae1b2658)},\n {TOBN(0xb701fb30, 0xdd648c52), TOBN(0x994ca02c, 0x52fb9fd1),\n TOBN(0x06933117, 0x6f563086), TOBN(0x3d2b8100, 0x17856bab)}},\n {{TOBN(0xe89f48c8, 0x5963a46e), TOBN(0x658ab875, 0xa99e61c7),\n TOBN(0x6e296f87, 0x4b8517b4), TOBN(0x36c4fcdc, 0xfc1bc656)},\n {TOBN(0xde5227a1, 0xa3906def), TOBN(0x9fe95f57, 0x62418945),\n TOBN(0x20c91e81, 0xfdd96cde), TOBN(0x5adbe47e, 0xda4480de)}},\n {{TOBN(0xa009370f, 0x396de2b6), TOBN(0x98583d4b, 0xf0ecc7bd),\n TOBN(0xf44f6b57, 0xe51d0672), TOBN(0x03d6b078, 0x556b1984)},\n {TOBN(0x27dbdd93, 0xb0b64912), TOBN(0x9b3a3434, 0x15687b09),\n TOBN(0x0dba6461, 0x51ec20a9), TOBN(0xec93db7f, 0xff28187c)}},\n {{TOBN(0x00ff8c24, 0x66e48bdd), TOBN(0x2514f2f9, 0x11ccd78e),\n TOBN(0xeba11f4f, 0xe1250603), TOBN(0x8a22cd41, 0x243fa156)},\n {TOBN(0xa4e58df4, 0xb283e4c6), TOBN(0x78c29859, 0x8b39783f),\n TOBN(0x5235aee2, 0xa5259809), TOBN(0xc16284b5, 0x0e0227dd)}},\n {{TOBN(0xa5f57916, 0x1338830d), TOBN(0x6d4b8a6b, 0xd2123fca),\n TOBN(0x236ea68a, 0xf9c546f8), TOBN(0xc1d36873, 0xfa608d36)},\n {TOBN(0xcd76e495, 0x8d436d13), TOBN(0xd4d9c221, 0x8fb080af),\n TOBN(0x665c1728, 0xe8ad3fb5), TOBN(0xcf1ebe4d, 0xb3d572e0)}},\n {{TOBN(0xa7a8746a, 0x584c5e20), TOBN(0x267e4ea1, 0xb9dc7035),\n TOBN(0x593a15cf, 0xb9548c9b), TOBN(0x5e6e2135, 0x4bd012f3)},\n {TOBN(0xdf31cc6a, 0x8c8f936e), TOBN(0x8af84d04, 0xb5c241dc),\n TOBN(0x63990a6f, 0x345efb86), TOBN(0x6fef4e61, 0xb9b962cb)}}},\n {{{TOBN(0xf6368f09, 0x25722608), TOBN(0x131260db, 0x131cf5c6),\n TOBN(0x40eb353b, 0xfab4f7ac), TOBN(0x85c78880, 0x37eee829)},\n {TOBN(0x4c1581ff, 0xc3bdf24e), TOBN(0x5bff75cb, 0xf5c3c5a8),\n TOBN(0x35e8c83f, 0xa14e6f40), TOBN(0xb81d1c0f, 0x0295e0ca)}},\n {{TOBN(0xfcde7cc8, 0xf43a730f), TOBN(0xe89b6f3c, 0x33ab590e),\n TOBN(0xc823f529, 0xad03240b), TOBN(0x82b79afe, 0x98bea5db)},\n {TOBN(0x568f2856, 0x962fe5de), TOBN(0x0c590adb, 0x60c591f3),\n TOBN(0x1fc74a14, 0x4a28a858), TOBN(0x3b662498, 0xb3203f4c)}},\n {{TOBN(0x91e3cf0d, 0x6c39765a), TOBN(0xa2db3acd, 0xac3cca0b),\n TOBN(0x288f2f08, 0xcb953b50), TOBN(0x2414582c, 0xcf43cf1a)},\n {TOBN(0x8dec8bbc, 0x60eee9a8), TOBN(0x54c79f02, 0x729aa042),\n TOBN(0xd81cd5ec, 0x6532f5d5), TOBN(0xa672303a, 0xcf82e15f)}},\n {{TOBN(0x376aafa8, 0x719c0563), TOBN(0xcd8ad2dc, 0xbc5fc79f),\n TOBN(0x303fdb9f, 0xcb750cd3), TOBN(0x14ff052f, 0x4418b08e)},\n {TOBN(0xf75084cf, 0x3e2d6520), TOBN(0x7ebdf0f8, 0x144ed509),\n TOBN(0xf43bf0f2, 0xd3f25b98), TOBN(0x86ad71cf, 0xa354d837)}},\n {{TOBN(0xb827fe92, 0x26f43572), TOBN(0xdfd3ab5b, 0x5d824758),\n TOBN(0x315dd23a, 0x539094c1), TOBN(0x85c0e37a, 0x66623d68)},\n {TOBN(0x575c7972, 0x7be19ae0), TOBN(0x616a3396, 0xdf0d36b5),\n TOBN(0xa1ebb3c8, 0x26b1ff7e), TOBN(0x635b9485, 0x140ad453)}},\n {{TOBN(0x92bf3cda, 0xda430c0b), TOBN(0x4702850e, 0x3a96dac6),\n TOBN(0xc91cf0a5, 0x15ac326a), TOBN(0x95de4f49, 0xab8c25e4)},\n {TOBN(0xb01bad09, 0xe265c17c), TOBN(0x24e45464, 0x087b3881),\n TOBN(0xd43e583c, 0xe1fac5ca), TOBN(0xe17cb318, 0x6ead97a6)}},\n {{TOBN(0x6cc39243, 0x74dcec46), TOBN(0x33cfc02d, 0x54c2b73f),\n TOBN(0x82917844, 0xf26cd99c), TOBN(0x8819dd95, 0xd1773f89)},\n {TOBN(0x09572aa6, 0x0871f427), TOBN(0x8e0cf365, 0xf6f01c34),\n TOBN(0x7fa52988, 0xbff1f5af), TOBN(0x4eb357ea, 0xe75e8e50)}},\n {{TOBN(0xd9d0c8c4, 0x868af75d), TOBN(0xd7325cff, 0x45c8c7ea),\n TOBN(0xab471996, 0xcc81ecb0), TOBN(0xff5d55f3, 0x611824ed)},\n {TOBN(0xbe314541, 0x1977a0ee), TOBN(0x5085c4c5, 0x722038c6),\n TOBN(0x2d5335bf, 0xf94bb495), TOBN(0x894ad8a6, 0xc8e2a082)}},\n {{TOBN(0x5c3e2341, 0xada35438), TOBN(0xf4a9fc89, 0x049b8c4e),\n TOBN(0xbeeb355a, 0x9f17cf34), TOBN(0x3f311e0e, 0x6c91fe10)},\n {TOBN(0xc2d20038, 0x92ab9891), TOBN(0x257bdcc1, 0x3e8ce9a9),\n TOBN(0x1b2d9789, 0x88c53bee), TOBN(0x927ce89a, 0xcdba143a)}},\n {{TOBN(0xb0a32cca, 0x523db280), TOBN(0x5c889f8a, 0x50d43783),\n TOBN(0x503e04b3, 0x4897d16f), TOBN(0x8cdb6e78, 0x08f5f2e8)},\n {TOBN(0x6ab91cf0, 0x179c8e74), TOBN(0xd8874e52, 0x48211d60),\n TOBN(0xf948d4d5, 0xea851200), TOBN(0x4076d41e, 0xe6f9840a)}},\n {{TOBN(0xc20e263c, 0x47b517ea), TOBN(0x79a448fd, 0x30685e5e),\n TOBN(0xe55f6f78, 0xf90631a0), TOBN(0x88a790b1, 0xa79e6346)},\n {TOBN(0x62160c7d, 0x80969fe8), TOBN(0x54f92fd4, 0x41491bb9),\n TOBN(0xa6645c23, 0x5c957526), TOBN(0xf44cc5ae, 0xbea3ce7b)}},\n {{TOBN(0xf7628327, 0x8b1e68b7), TOBN(0xc731ad7a, 0x303f29d3),\n TOBN(0xfe5a9ca9, 0x57d03ecb), TOBN(0x96c0d50c, 0x41bc97a7)},\n {TOBN(0xc4669fe7, 0x9b4f7f24), TOBN(0xfdd781d8, 0x3d9967ef),\n TOBN(0x7892c7c3, 0x5d2c208d), TOBN(0x8bf64f7c, 0xae545cb3)}},\n {{TOBN(0xc01f862c, 0x467be912), TOBN(0xf4c85ee9, 0xc73d30cc),\n TOBN(0x1fa6f4be, 0x6ab83ec7), TOBN(0xa07a3c1c, 0x4e3e3cf9)},\n {TOBN(0x87f8ef45, 0x0c00beb3), TOBN(0x30e2c2b3, 0x000d4c3e),\n TOBN(0x1aa00b94, 0xfe08bf5b), TOBN(0x32c133aa, 0x9224ef52)}},\n {{TOBN(0x38df16bb, 0x32e5685d), TOBN(0x68a9e069, 0x58e6f544),\n TOBN(0x495aaff7, 0xcdc5ebc6), TOBN(0xf894a645, 0x378b135f)},\n {TOBN(0xf316350a, 0x09e27ecf), TOBN(0xeced201e, 0x58f7179d),\n TOBN(0x2eec273c, 0xe97861ba), TOBN(0x47ec2cae, 0xd693be2e)}},\n {{TOBN(0xfa4c97c4, 0xf68367ce), TOBN(0xe4f47d0b, 0xbe5a5755),\n TOBN(0x17de815d, 0xb298a979), TOBN(0xd7eca659, 0xc177dc7d)},\n {TOBN(0x20fdbb71, 0x49ded0a3), TOBN(0x4cb2aad4, 0xfb34d3c5),\n TOBN(0x2cf31d28, 0x60858a33), TOBN(0x3b6873ef, 0xa24aa40f)}},\n {{TOBN(0x540234b2, 0x2c11bb37), TOBN(0x2d0366dd, 0xed4c74a3),\n TOBN(0xf9a968da, 0xeec5f25d), TOBN(0x36601068, 0x67b63142)},\n {TOBN(0x07cd6d2c, 0x68d7b6d4), TOBN(0xa8f74f09, 0x0c842942),\n TOBN(0xe2751404, 0x7768b1ee), TOBN(0x4b5f7e89, 0xfe62aee4)}},\n {{TOBN(0xc6a77177, 0x89070d26), TOBN(0xa1f28e4e, 0xdd1c8bc7),\n TOBN(0xea5f4f06, 0x469e1f17), TOBN(0x78fc242a, 0xfbdb78e0)},\n {TOBN(0xc9c7c592, 0x8b0588f1), TOBN(0xb6b7a0fd, 0x1535921e),\n TOBN(0xcc5bdb91, 0xbde5ae35), TOBN(0xb42c485e, 0x12ff1864)}},\n {{TOBN(0xa1113e13, 0xdbab98aa), TOBN(0xde9d469b, 0xa17b1024),\n TOBN(0x23f48b37, 0xc0462d3a), TOBN(0x3752e537, 0x7c5c078d)},\n {TOBN(0xe3a86add, 0x15544eb9), TOBN(0xf013aea7, 0x80fba279),\n TOBN(0x8b5bb76c, 0xf22001b5), TOBN(0xe617ba14, 0xf02891ab)}},\n {{TOBN(0xd39182a6, 0x936219d3), TOBN(0x5ce1f194, 0xae51cb19),\n TOBN(0xc78f8598, 0xbf07a74c), TOBN(0x6d7158f2, 0x22cbf1bc)},\n {TOBN(0x3b846b21, 0xe300ce18), TOBN(0x35fba630, 0x2d11275d),\n TOBN(0x5fe25c36, 0xa0239b9b), TOBN(0xd8beb35d, 0xdf05d940)}},\n {{TOBN(0x4db02bb0, 0x1f7e320d), TOBN(0x0641c364, 0x6da320ea),\n TOBN(0x6d95fa5d, 0x821389a3), TOBN(0x92699748, 0x8fcd8e3d)},\n {TOBN(0x316fef17, 0xceb6c143), TOBN(0x67fcb841, 0xd933762b),\n TOBN(0xbb837e35, 0x118b17f8), TOBN(0x4b92552f, 0x9fd24821)}},\n {{TOBN(0xae6bc70e, 0x46aca793), TOBN(0x1cf0b0e4, 0xe579311b),\n TOBN(0x8dc631be, 0x5802f716), TOBN(0x099bdc6f, 0xbddbee4d)},\n {TOBN(0xcc352bb2, 0x0caf8b05), TOBN(0xf74d505a, 0x72d63df2),\n TOBN(0xb9876d4b, 0x91c4f408), TOBN(0x1ce18473, 0x9e229b2d)}},\n {{TOBN(0x49507597, 0x83abdb4a), TOBN(0x850fbcb6, 0xdee84b18),\n TOBN(0x6325236e, 0x609e67dc), TOBN(0x04d831d9, 0x9336c6d8)},\n {TOBN(0x8deaae3b, 0xfa12d45d), TOBN(0xe425f8ce, 0x4746e246),\n TOBN(0x8004c175, 0x24f5f31e), TOBN(0xaca16d8f, 0xad62c3b7)}},\n {{TOBN(0x0dc15a6a, 0x9152f934), TOBN(0xf1235e5d, 0xed0e12c1),\n TOBN(0xc33c06ec, 0xda477dac), TOBN(0x76be8732, 0xb2ea0006)},\n {TOBN(0xcf3f7831, 0x0c0cd313), TOBN(0x3c524553, 0xa614260d),\n TOBN(0x31a756f8, 0xcab22d15), TOBN(0x03ee10d1, 0x77827a20)}},\n {{TOBN(0xd1e059b2, 0x1994ef20), TOBN(0x2a653b69, 0x638ae318),\n TOBN(0x70d5eb58, 0x2f699010), TOBN(0x279739f7, 0x09f5f84a)},\n {TOBN(0x5da4663c, 0x8b799336), TOBN(0xfdfdf14d, 0x203c37eb),\n TOBN(0x32d8a9dc, 0xa1dbfb2d), TOBN(0xab40cff0, 0x77d48f9b)}},\n {{TOBN(0xc018b383, 0xd20b42d5), TOBN(0xf9a810ef, 0x9f78845f),\n TOBN(0x40af3753, 0xbdba9df0), TOBN(0xb90bdcfc, 0x131dfdf9)},\n {TOBN(0x18720591, 0xf01ab782), TOBN(0xc823f211, 0x6af12a88),\n TOBN(0xa51b80f3, 0x0dc14401), TOBN(0xde248f77, 0xfb2dfbe3)}},\n {{TOBN(0xef5a44e5, 0x0cafe751), TOBN(0x73997c9c, 0xd4dcd221),\n TOBN(0x32fd86d1, 0xde854024), TOBN(0xd5b53adc, 0xa09b84bb)},\n {TOBN(0x008d7a11, 0xdcedd8d1), TOBN(0x406bd1c8, 0x74b32c84),\n TOBN(0x5d4472ff, 0x05dde8b1), TOBN(0x2e25f2cd, 0xfce2b32f)}},\n {{TOBN(0xbec0dd5e, 0x29dfc254), TOBN(0x4455fcf6, 0x2b98b267),\n TOBN(0x0b4d43a5, 0xc72df2ad), TOBN(0xea70e6be, 0x48a75397)},\n {TOBN(0x2aad6169, 0x5820f3bf), TOBN(0xf410d2dd, 0x9e37f68f),\n TOBN(0x70fb7dba, 0x7be5ac83), TOBN(0x636bb645, 0x36ec3eec)}},\n {{TOBN(0x27104ea3, 0x9754e21c), TOBN(0xbc87a3e6, 0x8d63c373),\n TOBN(0x483351d7, 0x4109db9a), TOBN(0x0fa724e3, 0x60134da7)},\n {TOBN(0x9ff44c29, 0xb0720b16), TOBN(0x2dd0cf13, 0x06aceead),\n TOBN(0x5942758c, 0xe26929a6), TOBN(0x96c5db92, 0xb766a92b)}},\n {{TOBN(0xcec7d4c0, 0x5f18395e), TOBN(0xd3f22744, 0x1f80d032),\n TOBN(0x7a68b37a, 0xcb86075b), TOBN(0x074764dd, 0xafef92db)},\n {TOBN(0xded1e950, 0x7bc7f389), TOBN(0xc580c850, 0xb9756460),\n TOBN(0xaeeec2a4, 0x7da48157), TOBN(0x3f0b4e7f, 0x82c587b3)}},\n {{TOBN(0x231c6de8, 0xa9f19c53), TOBN(0x5717bd73, 0x6974e34e),\n TOBN(0xd9e1d216, 0xf1508fa9), TOBN(0x9f112361, 0xdadaa124)},\n {TOBN(0x80145e31, 0x823b7348), TOBN(0x4dd8f0d5, 0xac634069),\n TOBN(0xe3d82fc7, 0x2297c258), TOBN(0x276fcfee, 0x9cee7431)}},\n {{TOBN(0x8eb61b5e, 0x2bc0aea9), TOBN(0x4f668fd5, 0xde329431),\n TOBN(0x03a32ab1, 0x38e4b87e), TOBN(0xe1374517, 0x73d0ef0b)},\n {TOBN(0x1a46f7e6, 0x853ac983), TOBN(0xc3bdf42e, 0x68e78a57),\n TOBN(0xacf20785, 0x2ea96dd1), TOBN(0xa10649b9, 0xf1638460)}},\n {{TOBN(0xf2369f0b, 0x879fbbed), TOBN(0x0ff0ae86, 0xda9d1869),\n TOBN(0x5251d759, 0x56766f45), TOBN(0x4984d8c0, 0x2be8d0fc)},\n {TOBN(0x7ecc95a6, 0xd21008f0), TOBN(0x29bd54a0, 0x3a1a1c49),\n TOBN(0xab9828c5, 0xd26c50f3), TOBN(0x32c0087c, 0x51d0d251)}},\n {{TOBN(0x9bac3ce6, 0x0c1cdb26), TOBN(0xcd94d947, 0x557ca205),\n TOBN(0x1b1bd598, 0x9db1fdcd), TOBN(0x0eda0108, 0xa3d8b149)},\n {TOBN(0x95066610, 0x56152fcc), TOBN(0xc2f037e6, 0xe7192b33),\n TOBN(0xdeffb41a, 0xc92e05a4), TOBN(0x1105f6c2, 0xc2f6c62e)}},\n {{TOBN(0x68e73500, 0x8733913c), TOBN(0xcce86163, 0x3f3adc40),\n TOBN(0xf407a942, 0x38a278e9), TOBN(0xd13c1b9d, 0x2ab21292)},\n {TOBN(0x93ed7ec7, 0x1c74cf5c), TOBN(0x8887dc48, 0xf1a4c1b4),\n TOBN(0x3830ff30, 0x4b3a11f1), TOBN(0x358c5a3c, 0x58937cb6)}},\n {{TOBN(0x027dc404, 0x89022829), TOBN(0x40e93977, 0x3b798f79),\n TOBN(0x90ad3337, 0x38be6ead), TOBN(0x9c23f6bc, 0xf34c0a5d)},\n {TOBN(0xd1711a35, 0xfbffd8bb), TOBN(0x60fcfb49, 0x1949d3dd),\n TOBN(0x09c8ef4b, 0x7825d93a), TOBN(0x24233cff, 0xa0a8c968)}},\n {{TOBN(0x67ade46c, 0xe6d982af), TOBN(0xebb6bf3e, 0xe7544d7c),\n TOBN(0xd6b9ba76, 0x3d8bd087), TOBN(0x46fe382d, 0x4dc61280)},\n {TOBN(0xbd39a7e8, 0xb5bdbd75), TOBN(0xab381331, 0xb8f228fe),\n TOBN(0x0709a77c, 0xce1c4300), TOBN(0x6a247e56, 0xf337ceac)}},\n {{TOBN(0x8f34f21b, 0x636288be), TOBN(0x9dfdca74, 0xc8a7c305),\n TOBN(0x6decfd1b, 0xea919e04), TOBN(0xcdf2688d, 0x8e1991f8)},\n {TOBN(0xe607df44, 0xd0f8a67e), TOBN(0xd985df4b, 0x0b58d010),\n TOBN(0x57f834c5, 0x0c24f8f4), TOBN(0xe976ef56, 0xa0bf01ae)}},\n {{TOBN(0x536395ac, 0xa1c32373), TOBN(0x351027aa, 0x734c0a13),\n TOBN(0xd2f1b5d6, 0x5e6bd5bc), TOBN(0x2b539e24, 0x223debed)},\n {TOBN(0xd4994cec, 0x0eaa1d71), TOBN(0x2a83381d, 0x661dcf65),\n TOBN(0x5f1aed2f, 0x7b54c740), TOBN(0x0bea3fa5, 0xd6dda5ee)}},\n {{TOBN(0x9d4fb684, 0x36cc6134), TOBN(0x8eb9bbf3, 0xc0a443dd),\n TOBN(0xfc500e2e, 0x383b7d2a), TOBN(0x7aad621c, 0x5b775257)},\n {TOBN(0x69284d74, 0x0a8f7cc0), TOBN(0xe820c2ce, 0x07562d65),\n TOBN(0xbf9531b9, 0x499758ee), TOBN(0x73e95ca5, 0x6ee0cc2d)}},\n {{TOBN(0xf61790ab, 0xfbaf50a5), TOBN(0xdf55e76b, 0x684e0750),\n TOBN(0xec516da7, 0xf176b005), TOBN(0x575553bb, 0x7a2dddc7)},\n {TOBN(0x37c87ca3, 0x553afa73), TOBN(0x315f3ffc, 0x4d55c251),\n TOBN(0xe846442a, 0xaf3e5d35), TOBN(0x61b91149, 0x6495ff28)}},\n {{TOBN(0x23cc95d3, 0xfa326dc3), TOBN(0x1df4da1f, 0x18fc2cea),\n TOBN(0x24bf9adc, 0xd0a37d59), TOBN(0xb6710053, 0x320d6e1e)},\n {TOBN(0x96f9667e, 0x618344d1), TOBN(0xcc7ce042, 0xa06445af),\n TOBN(0xa02d8514, 0xd68dbc3a), TOBN(0x4ea109e4, 0x280b5a5b)}},\n {{TOBN(0x5741a7ac, 0xb40961bf), TOBN(0x4ada5937, 0x6aa56bfa),\n TOBN(0x7feb9145, 0x02b765d1), TOBN(0x561e97be, 0xe6ad1582)},\n {TOBN(0xbbc4a5b6, 0xda3982f5), TOBN(0x0c2659ed, 0xb546f468),\n TOBN(0xb8e7e6aa, 0x59612d20), TOBN(0xd83dfe20, 0xac19e8e0)}},\n {{TOBN(0x8530c45f, 0xb835398c), TOBN(0x6106a8bf, 0xb38a41c2),\n TOBN(0x21e8f9a6, 0x35f5dcdb), TOBN(0x39707137, 0xcae498ed)},\n {TOBN(0x70c23834, 0xd8249f00), TOBN(0x9f14b58f, 0xab2537a0),\n TOBN(0xd043c365, 0x5f61c0c2), TOBN(0xdc5926d6, 0x09a194a7)}},\n {{TOBN(0xddec0339, 0x8e77738a), TOBN(0xd07a63ef, 0xfba46426),\n TOBN(0x2e58e79c, 0xee7f6e86), TOBN(0xe59b0459, 0xff32d241)},\n {TOBN(0xc5ec84e5, 0x20fa0338), TOBN(0x97939ac8, 0xeaff5ace),\n TOBN(0x0310a4e3, 0xb4a38313), TOBN(0x9115fba2, 0x8f9d9885)}},\n {{TOBN(0x8dd710c2, 0x5fadf8c3), TOBN(0x66be38a2, 0xce19c0e2),\n TOBN(0xd42a279c, 0x4cfe5022), TOBN(0x597bb530, 0x0e24e1b8)},\n {TOBN(0x3cde86b7, 0xc153ca7f), TOBN(0xa8d30fb3, 0x707d63bd),\n TOBN(0xac905f92, 0xbd60d21e), TOBN(0x98e7ffb6, 0x7b9a54ab)}},\n {{TOBN(0xd7147df8, 0xe9726a30), TOBN(0xb5e216ff, 0xafce3533),\n TOBN(0xb550b799, 0x2ff1ec40), TOBN(0x6b613b87, 0xa1e953fd)},\n {TOBN(0x87b88dba, 0x792d5610), TOBN(0x2ee1270a, 0xa190fbe1),\n TOBN(0x02f4e2dc, 0x2ef581da), TOBN(0x016530e4, 0xeff82a95)}},\n {{TOBN(0xcbb93dfd, 0x8fd6ee89), TOBN(0x16d3d986, 0x46848fff),\n TOBN(0x600eff24, 0x1da47adf), TOBN(0x1b9754a0, 0x0ad47a71)},\n {TOBN(0x8f9266df, 0x70c33b98), TOBN(0xaadc87ae, 0xdf34186e),\n TOBN(0x0d2ce8e1, 0x4ad24132), TOBN(0x8a47cbfc, 0x19946eba)}},\n {{TOBN(0x47feeb66, 0x62b5f3af), TOBN(0xcefab561, 0x0abb3734),\n TOBN(0x449de60e, 0x19f35cb1), TOBN(0x39f8db14, 0x157f0eb9)},\n {TOBN(0xffaecc5b, 0x3c61bfd6), TOBN(0xa5a4d41d, 0x41216703),\n TOBN(0x7f8fabed, 0x224e1cc2), TOBN(0x0d5a8186, 0x871ad953)}},\n {{TOBN(0xf10774f7, 0xd22da9a9), TOBN(0x45b8a678, 0xcc8a9b0d),\n TOBN(0xd9c2e722, 0xbdc32cff), TOBN(0xbf71b5f5, 0x337202a5)},\n {TOBN(0x95c57f2f, 0x69fc4db9), TOBN(0xb6dad34c, 0x765d01e1),\n TOBN(0x7e0bd13f, 0xcb904635), TOBN(0x61751253, 0x763a588c)}},\n {{TOBN(0xd85c2997, 0x81af2c2d), TOBN(0xc0f7d9c4, 0x81b9d7da),\n TOBN(0x838a34ae, 0x08533e8d), TOBN(0x15c4cb08, 0x311d8311)},\n {TOBN(0x97f83285, 0x8e121e14), TOBN(0xeea7dc1e, 0x85000a5f),\n TOBN(0x0c6059b6, 0x5d256274), TOBN(0xec9beace, 0xb95075c0)}},\n {{TOBN(0x173daad7, 0x1df97828), TOBN(0xbf851cb5, 0xa8937877),\n TOBN(0xb083c594, 0x01646f3c), TOBN(0x3bad30cf, 0x50c6d352)},\n {TOBN(0xfeb2b202, 0x496bbcea), TOBN(0x3cf9fd4f, 0x18a1e8ba),\n TOBN(0xd26de7ff, 0x1c066029), TOBN(0x39c81e9e, 0x4e9ed4f8)}},\n {{TOBN(0xd8be0cb9, 0x7b390d35), TOBN(0x01df2bbd, 0x964aab27),\n TOBN(0x3e8c1a65, 0xc3ef64f8), TOBN(0x567291d1, 0x716ed1dd)},\n {TOBN(0x95499c6c, 0x5f5406d3), TOBN(0x71fdda39, 0x5ba8e23f),\n TOBN(0xcfeb320e, 0xd5096ece), TOBN(0xbe7ba92b, 0xca66dd16)}},\n {{TOBN(0x4608d36b, 0xc6fb5a7d), TOBN(0xe3eea15a, 0x6d2dd0e0),\n TOBN(0x75b0a3eb, 0x8f97a36a), TOBN(0xf59814cc, 0x1c83de1e)},\n {TOBN(0x56c9c5b0, 0x1c33c23f), TOBN(0xa96c1da4, 0x6faa4136),\n TOBN(0x46bf2074, 0xde316551), TOBN(0x3b866e7b, 0x1f756c8f)}},\n {{TOBN(0x727727d8, 0x1495ed6b), TOBN(0xb2394243, 0xb682dce7),\n TOBN(0x8ab8454e, 0x758610f3), TOBN(0xc243ce84, 0x857d72a4)},\n {TOBN(0x7b320d71, 0xdbbf370f), TOBN(0xff9afa37, 0x78e0f7ca),\n TOBN(0x0119d1e0, 0xea7b523f), TOBN(0xb997f8cb, 0x058c7d42)}},\n {{TOBN(0x285bcd2a, 0x37bbb184), TOBN(0x51dcec49, 0xa45d1fa6),\n TOBN(0x6ade3b64, 0xe29634cb), TOBN(0x080c94a7, 0x26b86ef1)},\n {TOBN(0xba583db1, 0x2283fbe3), TOBN(0x902bddc8, 0x5a9315ed),\n TOBN(0x07c1ccb3, 0x86964bec), TOBN(0x78f4eacf, 0xb6258301)}},\n {{TOBN(0x4bdf3a49, 0x56f90823), TOBN(0xba0f5080, 0x741d777b),\n TOBN(0x091d71c3, 0xf38bf760), TOBN(0x9633d50f, 0x9b625b02)},\n {TOBN(0x03ecb743, 0xb8c9de61), TOBN(0xb4751254, 0x5de74720),\n TOBN(0x9f9defc9, 0x74ce1cb2), TOBN(0x774a4f6a, 0x00bd32ef)}},\n {{TOBN(0xaca385f7, 0x73848f22), TOBN(0x53dad716, 0xf3f8558e),\n TOBN(0xab7b34b0, 0x93c471f9), TOBN(0xf530e069, 0x19644bc7)},\n {TOBN(0x3d9fb1ff, 0xdd59d31a), TOBN(0x4382e0df, 0x08daa795),\n TOBN(0x165c6f4b, 0xd5cc88d7), TOBN(0xeaa392d5, 0x4a18c900)}},\n {{TOBN(0x94203c67, 0x648024ee), TOBN(0x188763f2, 0x8c2fabcd),\n TOBN(0xa80f87ac, 0xbbaec835), TOBN(0x632c96e0, 0xf29d8d54)},\n {TOBN(0x29b0a60e, 0x4c00a95e), TOBN(0x2ef17f40, 0xe011e9fa),\n TOBN(0xf6c0e1d1, 0x15b77223), TOBN(0xaaec2c62, 0x14b04e32)}},\n {{TOBN(0xd35688d8, 0x3d84e58c), TOBN(0x2af5094c, 0x958571db),\n TOBN(0x4fff7e19, 0x760682a6), TOBN(0x4cb27077, 0xe39a407c)},\n {TOBN(0x0f59c547, 0x4ff0e321), TOBN(0x169f34a6, 0x1b34c8ff),\n TOBN(0x2bff1096, 0x52bc1ba7), TOBN(0xa25423b7, 0x83583544)}},\n {{TOBN(0x5d55d5d5, 0x0ac8b782), TOBN(0xff6622ec, 0x2db3c892),\n TOBN(0x48fce741, 0x6b8bb642), TOBN(0x31d6998c, 0x69d7e3dc)},\n {TOBN(0xdbaf8004, 0xcadcaed0), TOBN(0x801b0142, 0xd81d053c),\n TOBN(0x94b189fc, 0x59630ec6), TOBN(0x120e9934, 0xaf762c8e)}},\n {{TOBN(0x53a29aa4, 0xfdc6a404), TOBN(0x19d8e01e, 0xa1909948),\n TOBN(0x3cfcabf1, 0xd7e89681), TOBN(0x3321a50d, 0x4e132d37)},\n {TOBN(0xd0496863, 0xe9a86111), TOBN(0x8c0cde61, 0x06a3bc65),\n TOBN(0xaf866c49, 0xfc9f8eef), TOBN(0x2066350e, 0xff7f5141)}},\n {{TOBN(0x4f8a4689, 0xe56ddfbd), TOBN(0xea1b0c07, 0xfe32983a),\n TOBN(0x2b317462, 0x873cb8cb), TOBN(0x658deddc, 0x2d93229f)},\n {TOBN(0x65efaf4d, 0x0f64ef58), TOBN(0xfe43287d, 0x730cc7a8),\n TOBN(0xaebc0c72, 0x3d047d70), TOBN(0x92efa539, 0xd92d26c9)}},\n {{TOBN(0x06e78457, 0x94b56526), TOBN(0x415cb80f, 0x0961002d),\n TOBN(0x89e5c565, 0x76dcb10f), TOBN(0x8bbb6982, 0xff9259fe)},\n {TOBN(0x4fe8795b, 0x9abc2668), TOBN(0xb5d4f534, 0x1e678fb1),\n TOBN(0x6601f3be, 0x7b7da2b9), TOBN(0x98da59e2, 0xa13d6805)}},\n {{TOBN(0x190d8ea6, 0x01799a52), TOBN(0xa20cec41, 0xb86d2952),\n TOBN(0x3062ffb2, 0x7fff2a7c), TOBN(0x741b32e5, 0x79f19d37)},\n {TOBN(0xf80d8181, 0x4eb57d47), TOBN(0x7a2d0ed4, 0x16aef06b),\n TOBN(0x09735fb0, 0x1cecb588), TOBN(0x1641caaa, 0xc6061f5b)}}},\n {{{TOBN(0x7f99824f, 0x20151427), TOBN(0x206828b6, 0x92430206),\n TOBN(0xaa9097d7, 0xe1112357), TOBN(0xacf9a2f2, 0x09e414ec)},\n {TOBN(0xdbdac9da, 0x27915356), TOBN(0x7e0734b7, 0x001efee3),\n TOBN(0x54fab5bb, 0xd2b288e2), TOBN(0x4c630fc4, 0xf62dd09c)}},\n {{TOBN(0x8537107a, 0x1ac2703b), TOBN(0xb49258d8, 0x6bc857b5),\n TOBN(0x57df14de, 0xbcdaccd1), TOBN(0x24ab68d7, 0xc4ae8529)},\n {TOBN(0x7ed8b5d4, 0x734e59d0), TOBN(0x5f8740c8, 0xc495cc80),\n TOBN(0x84aedd5a, 0x291db9b3), TOBN(0x80b360f8, 0x4fb995be)}},\n {{TOBN(0xae915f5d, 0x5fa067d1), TOBN(0x4134b57f, 0x9668960c),\n TOBN(0xbd3656d6, 0xa48edaac), TOBN(0xdac1e3e4, 0xfc1d7436)},\n {TOBN(0x674ff869, 0xd81fbb26), TOBN(0x449ed3ec, 0xb26c33d4),\n TOBN(0x85138705, 0xd94203e8), TOBN(0xccde538b, 0xbeeb6f4a)}},\n {{TOBN(0x55d5c68d, 0xa61a76fa), TOBN(0x598b441d, 0xca1554dc),\n TOBN(0xd39923b9, 0x773b279c), TOBN(0x33331d3c, 0x36bf9efc)},\n {TOBN(0x2d4c848e, 0x298de399), TOBN(0xcfdb8e77, 0xa1a27f56),\n TOBN(0x94c855ea, 0x57b8ab70), TOBN(0xdcdb9dae, 0x6f7879ba)}},\n {{TOBN(0x7bdff8c2, 0x019f2a59), TOBN(0xb3ce5bb3, 0xcb4fbc74),\n TOBN(0xea907f68, 0x8a9173dd), TOBN(0x6cd3d0d3, 0x95a75439)},\n {TOBN(0x92ecc4d6, 0xefed021c), TOBN(0x09a9f9b0, 0x6a77339a),\n TOBN(0x87ca6b15, 0x7188c64a), TOBN(0x10c29968, 0x44899158)}},\n {{TOBN(0x5859a229, 0xed6e82ef), TOBN(0x16f338e3, 0x65ebaf4e),\n TOBN(0x0cd31387, 0x5ead67ae), TOBN(0x1c73d228, 0x54ef0bb4)},\n {TOBN(0x4cb55131, 0x74a5c8c7), TOBN(0x01cd2970, 0x7f69ad6a),\n TOBN(0xa04d00dd, 0xe966f87e), TOBN(0xd96fe447, 0x0b7b0321)}},\n {{TOBN(0x342ac06e, 0x88fbd381), TOBN(0x02cd4a84, 0x5c35a493),\n TOBN(0xe8fa89de, 0x54f1bbcd), TOBN(0x341d6367, 0x2575ed4c)},\n {TOBN(0xebe357fb, 0xd238202b), TOBN(0x600b4d1a, 0xa984ead9),\n TOBN(0xc35c9f44, 0x52436ea0), TOBN(0x96fe0a39, 0xa370751b)}},\n {{TOBN(0x4c4f0736, 0x7f636a38), TOBN(0x9f943fb7, 0x0e76d5cb),\n TOBN(0xb03510ba, 0xa8b68b8b), TOBN(0xc246780a, 0x9ed07a1f)},\n {TOBN(0x3c051415, 0x6d549fc2), TOBN(0xc2953f31, 0x607781ca),\n TOBN(0x955e2c69, 0xd8d95413), TOBN(0xb300fadc, 0x7bd282e3)}},\n {{TOBN(0x81fe7b50, 0x87e9189f), TOBN(0xdb17375c, 0xf42dda27),\n TOBN(0x22f7d896, 0xcf0a5904), TOBN(0xa0e57c5a, 0xebe348e6)},\n {TOBN(0xa61011d3, 0xf40e3c80), TOBN(0xb1189321, 0x8db705c5),\n TOBN(0x4ed9309e, 0x50fedec3), TOBN(0xdcf14a10, 0x4d6d5c1d)}},\n {{TOBN(0x056c265b, 0x55691342), TOBN(0xe8e08504, 0x91049dc7),\n TOBN(0x131329f5, 0xc9bae20a), TOBN(0x96c8b3e8, 0xd9dccdb4)},\n {TOBN(0x8c5ff838, 0xfb4ee6b4), TOBN(0xfc5a9aeb, 0x41e8ccf0),\n TOBN(0x7417b764, 0xfae050c6), TOBN(0x0953c3d7, 0x00452080)}},\n {{TOBN(0x21372682, 0x38dfe7e8), TOBN(0xea417e15, 0x2bb79d4b),\n TOBN(0x59641f1c, 0x76e7cf2d), TOBN(0x271e3059, 0xea0bcfcc)},\n {TOBN(0x624c7dfd, 0x7253ecbd), TOBN(0x2f552e25, 0x4fca6186),\n TOBN(0xcbf84ecd, 0x4d866e9c), TOBN(0x73967709, 0xf68d4610)}},\n {{TOBN(0xa14b1163, 0xc27901b4), TOBN(0xfd9236e0, 0x899b8bf3),\n TOBN(0x42b091ec, 0xcbc6da0a), TOBN(0xbb1dac6f, 0x5ad1d297)},\n {TOBN(0x80e61d53, 0xa91cf76e), TOBN(0x4110a412, 0xd31f1ee7),\n TOBN(0x2d87c3ba, 0x13efcf77), TOBN(0x1f374bb4, 0xdf450d76)}},\n {{TOBN(0x5e78e2f2, 0x0d188dab), TOBN(0xe3968ed0, 0xf4b885ef),\n TOBN(0x46c0568e, 0x7314570f), TOBN(0x31616338, 0x01170521)},\n {TOBN(0x18e1e7e2, 0x4f0c8afe), TOBN(0x4caa75ff, 0xdeea78da),\n TOBN(0x82db67f2, 0x7c5d8a51), TOBN(0x36a44d86, 0x6f505370)}},\n {{TOBN(0xd72c5bda, 0x0333974f), TOBN(0x5db516ae, 0x27a70146),\n TOBN(0x34705281, 0x210ef921), TOBN(0xbff17a8f, 0x0c9c38e5)},\n {TOBN(0x78f4814e, 0x12476da1), TOBN(0xc1e16613, 0x33c16980),\n TOBN(0x9e5b386f, 0x424d4bca), TOBN(0x4c274e87, 0xc85740de)}},\n {{TOBN(0xb6a9b88d, 0x6c2f5226), TOBN(0x14d1b944, 0x550d7ca8),\n TOBN(0x580c85fc, 0x1fc41709), TOBN(0xc1da368b, 0x54c6d519)},\n {TOBN(0x2b0785ce, 0xd5113cf7), TOBN(0x0670f633, 0x5a34708f),\n TOBN(0x46e23767, 0x15cc3f88), TOBN(0x1b480cfa, 0x50c72c8f)}},\n {{TOBN(0x20288602, 0x4147519a), TOBN(0xd0981eac, 0x26b372f0),\n TOBN(0xa9d4a7ca, 0xa785ebc8), TOBN(0xd953c50d, 0xdbdf58e9)},\n {TOBN(0x9d6361cc, 0xfd590f8f), TOBN(0x72e9626b, 0x44e6c917),\n TOBN(0x7fd96110, 0x22eb64cf), TOBN(0x863ebb7e, 0x9eb288f3)}},\n {{TOBN(0x6e6ab761, 0x6aca8ee7), TOBN(0x97d10b39, 0xd7b40358),\n TOBN(0x1687d377, 0x1e5feb0d), TOBN(0xc83e50e4, 0x8265a27a)},\n {TOBN(0x8f75a9fe, 0xc954b313), TOBN(0xcc2e8f47, 0x310d1f61),\n TOBN(0xf5ba81c5, 0x6557d0e0), TOBN(0x25f9680c, 0x3eaf6207)}},\n {{TOBN(0xf95c6609, 0x4354080b), TOBN(0x5225bfa5, 0x7bf2fe1c),\n TOBN(0xc5c004e2, 0x5c7d98fa), TOBN(0x3561bf1c, 0x019aaf60)},\n {TOBN(0x5e6f9f17, 0xba151474), TOBN(0xdec2f934, 0xb04f6eca),\n TOBN(0x64e368a1, 0x269acb1e), TOBN(0x1332d9e4, 0x0cdda493)}},\n {{TOBN(0x60d6cf69, 0xdf23de05), TOBN(0x66d17da2, 0x009339a0),\n TOBN(0x9fcac985, 0x0a693923), TOBN(0xbcf057fc, 0xed7c6a6d)},\n {TOBN(0xc3c5c8c5, 0xf0b5662c), TOBN(0x25318dd8, 0xdcba4f24),\n TOBN(0x60e8cb75, 0x082b69ff), TOBN(0x7c23b3ee, 0x1e728c01)}},\n {{TOBN(0x15e10a0a, 0x097e4403), TOBN(0xcb3d0a86, 0x19854665),\n TOBN(0x88d8e211, 0xd67d4826), TOBN(0xb39af66e, 0x0b9d2839)},\n {TOBN(0xa5f94588, 0xbd475ca8), TOBN(0xe06b7966, 0xc077b80b),\n TOBN(0xfedb1485, 0xda27c26c), TOBN(0xd290d33a, 0xfe0fd5e0)}},\n {{TOBN(0xa40bcc47, 0xf34fb0fa), TOBN(0xb4760cc8, 0x1fb1ab09),\n TOBN(0x8fca0993, 0xa273bfe3), TOBN(0x13e4fe07, 0xf70b213c)},\n {TOBN(0x3bcdb992, 0xfdb05163), TOBN(0x8c484b11, 0x0c2b19b6),\n TOBN(0x1acb815f, 0xaaf2e3e2), TOBN(0xc6905935, 0xb89ff1b4)}},\n {{TOBN(0xb2ad6f9d, 0x586e74e1), TOBN(0x488883ad, 0x67b80484),\n TOBN(0x758aa2c7, 0x369c3ddb), TOBN(0x8ab74e69, 0x9f9afd31)},\n {TOBN(0x10fc2d28, 0x5e21beb1), TOBN(0x3484518a, 0x318c42f9),\n TOBN(0x377427dc, 0x53cf40c3), TOBN(0x9de0781a, 0x391bc1d9)}},\n {{TOBN(0x8faee858, 0x693807e1), TOBN(0xa3865327, 0x4e81ccc7),\n TOBN(0x02c30ff2, 0x6f835b84), TOBN(0xb604437b, 0x0d3d38d4)},\n {TOBN(0xb3fc8a98, 0x5ca1823d), TOBN(0xb82f7ec9, 0x03be0324),\n TOBN(0xee36d761, 0xcf684a33), TOBN(0x5a01df0e, 0x9f29bf7d)}},\n {{TOBN(0x686202f3, 0x1306583d), TOBN(0x05b10da0, 0x437c622e),\n TOBN(0xbf9aaa0f, 0x076a7bc8), TOBN(0x25e94efb, 0x8f8f4e43)},\n {TOBN(0x8a35c9b7, 0xfa3dc26d), TOBN(0xe0e5fb93, 0x96ff03c5),\n TOBN(0xa77e3843, 0xebc394ce), TOBN(0xcede6595, 0x8361de60)}},\n {{TOBN(0xd27c22f6, 0xa1993545), TOBN(0xab01cc36, 0x24d671ba),\n TOBN(0x63fa2877, 0xa169c28e), TOBN(0x925ef904, 0x2eb08376)},\n {TOBN(0x3b2fa3cf, 0x53aa0b32), TOBN(0xb27beb5b, 0x71c49d7a),\n TOBN(0xb60e1834, 0xd105e27f), TOBN(0xd6089788, 0x4f68570d)}},\n {{TOBN(0x23094ce0, 0xd6fbc2ac), TOBN(0x738037a1, 0x815ff551),\n TOBN(0xda73b1bb, 0x6bef119c), TOBN(0xdcf6c430, 0xeef506ba)},\n {TOBN(0x00e4fe7b, 0xe3ef104a), TOBN(0xebdd9a2c, 0x0a065628),\n TOBN(0x853a81c3, 0x8792043e), TOBN(0x22ad6ece, 0xb3b59108)}},\n {{TOBN(0x9fb813c0, 0x39cd297d), TOBN(0x8ec7e16e, 0x05bda5d9),\n TOBN(0x2834797c, 0x0d104b96), TOBN(0xcc11a2e7, 0x7c511510)},\n {TOBN(0x96ca5a53, 0x96ee6380), TOBN(0x054c8655, 0xcea38742),\n TOBN(0xb5946852, 0xd54dfa7d), TOBN(0x97c422e7, 0x1f4ab207)}},\n {{TOBN(0xbf907509, 0x0c22b540), TOBN(0x2cde42aa, 0xb7c267d4),\n TOBN(0xba18f9ed, 0x5ab0d693), TOBN(0x3ba62aa6, 0x6e4660d9)},\n {TOBN(0xb24bf97b, 0xab9ea96a), TOBN(0x5d039642, 0xe3b60e32),\n TOBN(0x4e6a4506, 0x7c4d9bd5), TOBN(0x666c5b9e, 0x7ed4a6a4)}},\n {{TOBN(0xfa3fdcd9, 0x8edbd7cc), TOBN(0x4660bb87, 0xc6ccd753),\n TOBN(0x9ae90820, 0x21e6b64f), TOBN(0x8a56a713, 0xb36bfb3f)},\n {TOBN(0xabfce096, 0x5726d47f), TOBN(0x9eed01b2, 0x0b1a9a7f),\n TOBN(0x30e9cad4, 0x4eb74a37), TOBN(0x7b2524cc, 0x53e9666d)}},\n {{TOBN(0x6a29683b, 0x8f4b002f), TOBN(0xc2200d7a, 0x41f4fc20),\n TOBN(0xcf3af47a, 0x3a338acc), TOBN(0x6539a4fb, 0xe7128975)},\n {TOBN(0xcec31c14, 0xc33c7fcf), TOBN(0x7eb6799b, 0xc7be322b),\n TOBN(0x119ef4e9, 0x6646f623), TOBN(0x7b7a26a5, 0x54d7299b)}},\n {{TOBN(0xcb37f08d, 0x403f46f2), TOBN(0x94b8fc43, 0x1a0ec0c7),\n TOBN(0xbb8514e3, 0xc332142f), TOBN(0xf3ed2c33, 0xe80d2a7a)},\n {TOBN(0x8d2080af, 0xb639126c), TOBN(0xf7b6be60, 0xe3553ade),\n TOBN(0x3950aa9f, 0x1c7e2b09), TOBN(0x847ff958, 0x6410f02b)}},\n {{TOBN(0x877b7cf5, 0x678a31b0), TOBN(0xd50301ae, 0x3998b620),\n TOBN(0x734257c5, 0xc00fb396), TOBN(0xf9fb18a0, 0x04e672a6)},\n {TOBN(0xff8bd8eb, 0xe8758851), TOBN(0x1e64e4c6, 0x5d99ba44),\n TOBN(0x4b8eaedf, 0x7dfd93b7), TOBN(0xba2f2a98, 0x04e76b8c)}},\n {{TOBN(0x7d790cba, 0xe8053433), TOBN(0xc8e725a0, 0x3d2c9585),\n TOBN(0x58c5c476, 0xcdd8f5ed), TOBN(0xd106b952, 0xefa9fe1d)},\n {TOBN(0x3c5c775b, 0x0eff13a9), TOBN(0x242442ba, 0xe057b930),\n TOBN(0xe9f458d4, 0xc9b70cbd), TOBN(0x69b71448, 0xa3cdb89a)}},\n {{TOBN(0x41ee46f6, 0x0e2ed742), TOBN(0x573f1045, 0x40067493),\n TOBN(0xb1e154ff, 0x9d54c304), TOBN(0x2ad0436a, 0x8d3a7502)},\n {TOBN(0xee4aaa2d, 0x431a8121), TOBN(0xcd38b3ab, 0x886f11ed),\n TOBN(0x57d49ea6, 0x034a0eb7), TOBN(0xd2b773bd, 0xf7e85e58)}},\n {{TOBN(0x4a559ac4, 0x9b5c1f14), TOBN(0xc444be1a, 0x3e54df2b),\n TOBN(0x13aad704, 0xeda41891), TOBN(0xcd927bec, 0x5eb5c788)},\n {TOBN(0xeb3c8516, 0xe48c8a34), TOBN(0x1b7ac812, 0x4b546669),\n TOBN(0x1815f896, 0x594df8ec), TOBN(0x87c6a79c, 0x79227865)}},\n {{TOBN(0xae02a2f0, 0x9b56ddbd), TOBN(0x1339b5ac, 0x8a2f1cf3),\n TOBN(0xf2b569c7, 0x839dff0d), TOBN(0xb0b9e864, 0xfee9a43d)},\n {TOBN(0x4ff8ca41, 0x77bb064e), TOBN(0x145a2812, 0xfd249f63),\n TOBN(0x3ab7beac, 0xf86f689a), TOBN(0x9bafec27, 0x01d35f5e)}},\n {{TOBN(0x28054c65, 0x4265aa91), TOBN(0xa4b18304, 0x035efe42),\n TOBN(0x6887b0e6, 0x9639dec7), TOBN(0xf4b8f6ad, 0x3d52aea5)},\n {TOBN(0xfb9293cc, 0x971a8a13), TOBN(0x3f159e5d, 0x4c934d07),\n TOBN(0x2c50e9b1, 0x09acbc29), TOBN(0x08eb65e6, 0x7154d129)}},\n {{TOBN(0x4feff589, 0x30b75c3e), TOBN(0x0bb82fe2, 0x94491c93),\n TOBN(0xd8ac377a, 0x89af62bb), TOBN(0xd7b51490, 0x9685e49f)},\n {TOBN(0xabca9a7b, 0x04497f19), TOBN(0x1b35ed0a, 0x1a7ad13f),\n TOBN(0x6b601e21, 0x3ec86ed6), TOBN(0xda91fcb9, 0xce0c76f1)}},\n {{TOBN(0x9e28507b, 0xd7ab27e1), TOBN(0x7c19a555, 0x63945b7b),\n TOBN(0x6b43f0a1, 0xaafc9827), TOBN(0x443b4fbd, 0x3aa55b91)},\n {TOBN(0x962b2e65, 0x6962c88f), TOBN(0x139da8d4, 0xce0db0ca),\n TOBN(0xb93f05dd, 0x1b8d6c4f), TOBN(0x779cdff7, 0x180b9824)}},\n {{TOBN(0xbba23fdd, 0xae57c7b7), TOBN(0x345342f2, 0x1b932522),\n TOBN(0xfd9c80fe, 0x556d4aa3), TOBN(0xa03907ba, 0x6525bb61)},\n {TOBN(0x38b010e1, 0xff218933), TOBN(0xc066b654, 0xaa52117b),\n TOBN(0x8e141920, 0x94f2e6ea), TOBN(0x66a27dca, 0x0d32f2b2)}},\n {{TOBN(0x69c7f993, 0x048b3717), TOBN(0xbf5a989a, 0xb178ae1c),\n TOBN(0x49fa9058, 0x564f1d6b), TOBN(0x27ec6e15, 0xd31fde4e)},\n {TOBN(0x4cce0373, 0x7276e7fc), TOBN(0x64086d79, 0x89d6bf02),\n TOBN(0x5a72f046, 0x4ccdd979), TOBN(0x909c3566, 0x47775631)}},\n {{TOBN(0x1c07bc6b, 0x75dd7125), TOBN(0xb4c6bc97, 0x87a0428d),\n TOBN(0x507ece52, 0xfdeb6b9d), TOBN(0xfca56512, 0xb2c95432)},\n {TOBN(0x15d97181, 0xd0e8bd06), TOBN(0x384dd317, 0xc6bb46ea),\n TOBN(0x5441ea20, 0x3952b624), TOBN(0xbcf70dee, 0x4e7dc2fb)}},\n {{TOBN(0x372b016e, 0x6628e8c3), TOBN(0x07a0d667, 0xb60a7522),\n TOBN(0xcf05751b, 0x0a344ee2), TOBN(0x0ec09a48, 0x118bdeec)},\n {TOBN(0x6e4b3d4e, 0xd83dce46), TOBN(0x43a6316d, 0x99d2fc6e),\n TOBN(0xa99d8989, 0x56cf044c), TOBN(0x7c7f4454, 0xae3e5fb7)}},\n {{TOBN(0xb2e6b121, 0xfbabbe92), TOBN(0x281850fb, 0xe1330076),\n TOBN(0x093581ec, 0x97890015), TOBN(0x69b1dded, 0x75ff77f5)},\n {TOBN(0x7cf0b18f, 0xab105105), TOBN(0x953ced31, 0xa89ccfef),\n TOBN(0x3151f85f, 0xeb914009), TOBN(0x3c9f1b87, 0x88ed48ad)}},\n {{TOBN(0xc9aba1a1, 0x4a7eadcb), TOBN(0x928e7501, 0x522e71cf),\n TOBN(0xeaede727, 0x3a2e4f83), TOBN(0x467e10d1, 0x1ce3bbd3)},\n {TOBN(0xf3442ac3, 0xb955dcf0), TOBN(0xba96307d, 0xd3d5e527),\n TOBN(0xf763a10e, 0xfd77f474), TOBN(0x5d744bd0, 0x6a6e1ff0)}},\n {{TOBN(0xd287282a, 0xa777899e), TOBN(0xe20eda8f, 0xd03f3cde),\n TOBN(0x6a7e75bb, 0x50b07d31), TOBN(0x0b7e2a94, 0x6f379de4)},\n {TOBN(0x31cb64ad, 0x19f593cf), TOBN(0x7b1a9e4f, 0x1e76ef1d),\n TOBN(0xe18c9c9d, 0xb62d609c), TOBN(0x439bad6d, 0xe779a650)}},\n {{TOBN(0x219d9066, 0xe032f144), TOBN(0x1db632b8, 0xe8b2ec6a),\n TOBN(0xff0d0fd4, 0xfda12f78), TOBN(0x56fb4c2d, 0x2a25d265)},\n {TOBN(0x5f4e2ee1, 0x255a03f1), TOBN(0x61cd6af2, 0xe96af176),\n TOBN(0xe0317ba8, 0xd068bc97), TOBN(0x927d6bab, 0x264b988e)}},\n {{TOBN(0xa18f07e0, 0xe90fb21e), TOBN(0x00fd2b80, 0xbba7fca1),\n TOBN(0x20387f27, 0x95cd67b5), TOBN(0x5b89a4e7, 0xd39707f7)},\n {TOBN(0x8f83ad3f, 0x894407ce), TOBN(0xa0025b94, 0x6c226132),\n TOBN(0xc79563c7, 0xf906c13b), TOBN(0x5f548f31, 0x4e7bb025)}},\n {{TOBN(0x2b4c6b8f, 0xeac6d113), TOBN(0xa67e3f9c, 0x0e813c76),\n TOBN(0x3982717c, 0x3fe1f4b9), TOBN(0x58865819, 0x26d8050e)},\n {TOBN(0x99f3640c, 0xf7f06f20), TOBN(0xdc610216, 0x2a66ebc2),\n TOBN(0x52f2c175, 0x767a1e08), TOBN(0x05660e1a, 0x5999871b)}},\n {{TOBN(0x6b0f1762, 0x6d3c4693), TOBN(0xf0e7d627, 0x37ed7bea),\n TOBN(0xc51758c7, 0xb75b226d), TOBN(0x40a88628, 0x1f91613b)},\n {TOBN(0x889dbaa7, 0xbbb38ce0), TOBN(0xe0404b65, 0xbddcad81),\n TOBN(0xfebccd3a, 0x8bc9671f), TOBN(0xfbf9a357, 0xee1f5375)}},\n {{TOBN(0x5dc169b0, 0x28f33398), TOBN(0xb07ec11d, 0x72e90f65),\n TOBN(0xae7f3b4a, 0xfaab1eb1), TOBN(0xd970195e, 0x5f17538a)},\n {TOBN(0x52b05cbe, 0x0181e640), TOBN(0xf5debd62, 0x2643313d),\n TOBN(0x76148154, 0x5df31f82), TOBN(0x23e03b33, 0x3a9e13c5)}},\n {{TOBN(0xff758949, 0x4fde0c1f), TOBN(0xbf8a1abe, 0xe5b6ec20),\n TOBN(0x702278fb, 0x87e1db6c), TOBN(0xc447ad7a, 0x35ed658f)},\n {TOBN(0x48d4aa38, 0x03d0ccf2), TOBN(0x80acb338, 0x819a7c03),\n TOBN(0x9bc7c89e, 0x6e17cecc), TOBN(0x46736b8b, 0x03be1d82)}},\n {{TOBN(0xd65d7b60, 0xc0432f96), TOBN(0xddebe7a3, 0xdeb5442f),\n TOBN(0x79a25307, 0x7dff69a2), TOBN(0x37a56d94, 0x02cf3122)},\n {TOBN(0x8bab8aed, 0xf2350d0a), TOBN(0x13c3f276, 0x037b0d9a),\n TOBN(0xc664957c, 0x44c65cae), TOBN(0x88b44089, 0xc2e71a88)}},\n {{TOBN(0xdb88e5a3, 0x5cb02664), TOBN(0x5d4c0bf1, 0x8686c72e),\n TOBN(0xea3d9b62, 0xa682d53e), TOBN(0x9b605ef4, 0x0b2ad431)},\n {TOBN(0x71bac202, 0xc69645d0), TOBN(0xa115f03a, 0x6a1b66e7),\n TOBN(0xfe2c563a, 0x158f4dc4), TOBN(0xf715b3a0, 0x4d12a78c)}},\n {{TOBN(0x8f7f0a48, 0xd413213a), TOBN(0x2035806d, 0xc04becdb),\n TOBN(0xecd34a99, 0x5d8587f5), TOBN(0x4d8c3079, 0x9f6d3a71)},\n {TOBN(0x1b2a2a67, 0x8d95a8f6), TOBN(0xc58c9d7d, 0xf2110d0d),\n TOBN(0xdeee81d5, 0xcf8fba3f), TOBN(0xa42be3c0, 0x0c7cdf68)}},\n {{TOBN(0x2126f742, 0xd43b5eaa), TOBN(0x054a0766, 0xdfa59b85),\n TOBN(0x9d0d5e36, 0x126bfd45), TOBN(0xa1f8fbd7, 0x384f8a8f)},\n {TOBN(0x317680f5, 0xd563fccc), TOBN(0x48ca5055, 0xf280a928),\n TOBN(0xe00b81b2, 0x27b578cf), TOBN(0x10aad918, 0x2994a514)}},\n {{TOBN(0xd9e07b62, 0xb7bdc953), TOBN(0x9f0f6ff2, 0x5bc086dd),\n TOBN(0x09d1ccff, 0x655eee77), TOBN(0x45475f79, 0x5bef7df1)},\n {TOBN(0x3faa28fa, 0x86f702cc), TOBN(0x92e60905, 0x0f021f07),\n TOBN(0xe9e62968, 0x7f8fa8c6), TOBN(0xbd71419a, 0xf036ea2c)}},\n {{TOBN(0x171ee1cc, 0x6028da9a), TOBN(0x5352fe1a, 0xc251f573),\n TOBN(0xf8ff236e, 0x3fa997f4), TOBN(0xd831b6c9, 0xa5749d5f)},\n {TOBN(0x7c872e1d, 0xe350e2c2), TOBN(0xc56240d9, 0x1e0ce403),\n TOBN(0xf9deb077, 0x6974f5cb), TOBN(0x7d50ba87, 0x961c3728)}},\n {{TOBN(0xd6f89426, 0x5a3a2518), TOBN(0xcf817799, 0xc6303d43),\n TOBN(0x510a0471, 0x619e5696), TOBN(0xab049ff6, 0x3a5e307b)},\n {TOBN(0xe4cdf9b0, 0xfeb13ec7), TOBN(0xd5e97117, 0x9d8ff90c),\n TOBN(0xf6f64d06, 0x9afa96af), TOBN(0x00d0bf5e, 0x9d2012a2)}},\n {{TOBN(0xe63f301f, 0x358bcdc0), TOBN(0x07689e99, 0x0a9d47f8),\n TOBN(0x1f689e2f, 0x4f43d43a), TOBN(0x4d542a16, 0x90920904)},\n {TOBN(0xaea293d5, 0x9ca0a707), TOBN(0xd061fe45, 0x8ac68065),\n TOBN(0x1033bf1b, 0x0090008c), TOBN(0x29749558, 0xc08a6db6)}},\n {{TOBN(0x74b5fc59, 0xc1d5d034), TOBN(0xf712e9f6, 0x67e215e0),\n TOBN(0xfd520cbd, 0x860200e6), TOBN(0x0229acb4, 0x3ea22588)},\n {TOBN(0x9cd1e14c, 0xfff0c82e), TOBN(0x87684b62, 0x59c69e73),\n TOBN(0xda85e61c, 0x96ccb989), TOBN(0x2d5dbb02, 0xa3d06493)}},\n {{TOBN(0xf22ad33a, 0xe86b173c), TOBN(0xe8e41ea5, 0xa79ff0e3),\n TOBN(0x01d2d725, 0xdd0d0c10), TOBN(0x31f39088, 0x032d28f9)},\n {TOBN(0x7b3f71e1, 0x7829839e), TOBN(0x0cf691b4, 0x4502ae58),\n TOBN(0xef658dbd, 0xbefc6115), TOBN(0xa5cd6ee5, 0xb3ab5314)}},\n {{TOBN(0x206c8d7b, 0x5f1d2347), TOBN(0x794645ba, 0x4cc2253a),\n TOBN(0xd517d8ff, 0x58389e08), TOBN(0x4fa20dee, 0x9f847288)},\n {TOBN(0xeba072d8, 0xd797770a), TOBN(0x7360c91d, 0xbf429e26),\n TOBN(0x7200a3b3, 0x80af8279), TOBN(0x6a1c9150, 0x82dadce3)}},\n {{TOBN(0x0ee6d3a7, 0xc35d8794), TOBN(0x042e6558, 0x0356bae5),\n TOBN(0x9f59698d, 0x643322fd), TOBN(0x9379ae15, 0x50a61967)},\n {TOBN(0x64b9ae62, 0xfcc9981e), TOBN(0xaed3d631, 0x6d2934c6),\n TOBN(0x2454b302, 0x5e4e65eb), TOBN(0xab09f647, 0xf9950428)}}},\n {{{TOBN(0xb2083a12, 0x22248acc), TOBN(0x1f6ec0ef, 0x3264e366),\n TOBN(0x5659b704, 0x5afdee28), TOBN(0x7a823a40, 0xe6430bb5)},\n {TOBN(0x24592a04, 0xe1900a79), TOBN(0xcde09d4a, 0xc9ee6576),\n TOBN(0x52b6463f, 0x4b5ea54a), TOBN(0x1efe9ed3, 0xd3ca65a7)}},\n {{TOBN(0xe27a6dbe, 0x305406dd), TOBN(0x8eb7dc7f, 0xdd5d1957),\n TOBN(0xf54a6876, 0x387d4d8f), TOBN(0x9c479409, 0xc7762de4)},\n {TOBN(0xbe4d5b5d, 0x99b30778), TOBN(0x25380c56, 0x6e793682),\n TOBN(0x602d37f3, 0xdac740e3), TOBN(0x140deabe, 0x1566e4ae)}},\n {{TOBN(0x4481d067, 0xafd32acf), TOBN(0xd8f0fcca, 0xe1f71ccf),\n TOBN(0xd208dd0c, 0xb596f2da), TOBN(0xd049d730, 0x9aad93f9)},\n {TOBN(0xc79f263d, 0x42ab580e), TOBN(0x09411bb1, 0x23f707b4),\n TOBN(0x8cfde1ff, 0x835e0eda), TOBN(0x72707490, 0x90f03402)}},\n {{TOBN(0xeaee6126, 0xc49a861e), TOBN(0x024f3b65, 0xe14f0d06),\n TOBN(0x51a3f1e8, 0xc69bfc17), TOBN(0xc3c3a8e9, 0xa7686381)},\n {TOBN(0x3400752c, 0xb103d4c8), TOBN(0x02bc4613, 0x9218b36b),\n TOBN(0xc67f75eb, 0x7651504a), TOBN(0xd6848b56, 0xd02aebfa)}},\n {{TOBN(0xbd9802e6, 0xc30fa92b), TOBN(0x5a70d96d, 0x9a552784),\n TOBN(0x9085c4ea, 0x3f83169b), TOBN(0xfa9423bb, 0x06908228)},\n {TOBN(0x2ffebe12, 0xfe97a5b9), TOBN(0x85da6049, 0x71b99118),\n TOBN(0x9cbc2f7f, 0x63178846), TOBN(0xfd96bc70, 0x9153218e)}},\n {{TOBN(0x958381db, 0x1782269b), TOBN(0xae34bf79, 0x2597e550),\n TOBN(0xbb5c6064, 0x5f385153), TOBN(0x6f0e96af, 0xe3088048)},\n {TOBN(0xbf6a0215, 0x77884456), TOBN(0xb3b5688c, 0x69310ea7),\n TOBN(0x17c94295, 0x04fad2de), TOBN(0xe020f0e5, 0x17896d4d)}},\n {{TOBN(0x730ba0ab, 0x0976505f), TOBN(0x567f6813, 0x095e2ec5),\n TOBN(0x47062010, 0x6331ab71), TOBN(0x72cfa977, 0x41d22b9f)},\n {TOBN(0x33e55ead, 0x8a2373da), TOBN(0xa8d0d5f4, 0x7ba45a68),\n TOBN(0xba1d8f9c, 0x03029d15), TOBN(0x8f34f1cc, 0xfc55b9f3)}},\n {{TOBN(0xcca4428d, 0xbbe5a1a9), TOBN(0x8187fd5f, 0x3126bd67),\n TOBN(0x0036973a, 0x48105826), TOBN(0xa39b6663, 0xb8bd61a0)},\n {TOBN(0x6d42deef, 0x2d65a808), TOBN(0x4969044f, 0x94636b19),\n TOBN(0xf611ee47, 0xdd5d564c), TOBN(0x7b2f3a49, 0xd2873077)}},\n {{TOBN(0x94157d45, 0x300eb294), TOBN(0x2b2a656e, 0x169c1494),\n TOBN(0xc000dd76, 0xd3a47aa9), TOBN(0xa2864e4f, 0xa6243ea4)},\n {TOBN(0x82716c47, 0xdb89842e), TOBN(0x12dfd7d7, 0x61479fb7),\n TOBN(0x3b9a2c56, 0xe0b2f6dc), TOBN(0x46be862a, 0xd7f85d67)}},\n {{TOBN(0x03b0d8dd, 0x0f82b214), TOBN(0x460c34f9, 0xf103cbc6),\n TOBN(0xf32e5c03, 0x18d79e19), TOBN(0x8b8888ba, 0xa84117f8)},\n {TOBN(0x8f3c37dc, 0xc0722677), TOBN(0x10d21be9, 0x1c1c0f27),\n TOBN(0xd47c8468, 0xe0f7a0c6), TOBN(0x9bf02213, 0xadecc0e0)}},\n {{TOBN(0x0baa7d12, 0x42b48b99), TOBN(0x1bcb665d, 0x48424096),\n TOBN(0x8b847cd6, 0xebfb5cfb), TOBN(0x87c2ae56, 0x9ad4d10d)},\n {TOBN(0xf1cbb122, 0x0de36726), TOBN(0xe7043c68, 0x3fdfbd21),\n TOBN(0x4bd0826a, 0x4e79d460), TOBN(0x11f5e598, 0x4bd1a2cb)}},\n {{TOBN(0x97554160, 0xb7fe7b6e), TOBN(0x7d16189a, 0x400a3fb2),\n TOBN(0xd73e9bea, 0xe328ca1e), TOBN(0x0dd04b97, 0xe793d8cc)},\n {TOBN(0xa9c83c9b, 0x506db8cc), TOBN(0x5cd47aae, 0xcf38814c),\n TOBN(0x26fc430d, 0xb64b45e6), TOBN(0x079b5499, 0xd818ea84)}},\n {{TOBN(0xebb01102, 0xc1c24a3b), TOBN(0xca24e568, 0x1c161c1a),\n TOBN(0x103eea69, 0x36f00a4a), TOBN(0x9ad76ee8, 0x76176c7b)},\n {TOBN(0x97451fc2, 0x538e0ff7), TOBN(0x94f89809, 0x6604b3b0),\n TOBN(0x6311436e, 0x3249cfd7), TOBN(0x27b4a7bd, 0x41224f69)}},\n {{TOBN(0x03b5d21a, 0xe0ac2941), TOBN(0x279b0254, 0xc2d31937),\n TOBN(0x3307c052, 0xcac992d0), TOBN(0x6aa7cb92, 0xefa8b1f3)},\n {TOBN(0x5a182580, 0x0d37c7a5), TOBN(0x13380c37, 0x342d5422),\n TOBN(0x92ac2d66, 0xd5d2ef92), TOBN(0x035a70c9, 0x030c63c6)}},\n {{TOBN(0xc16025dd, 0x4ce4f152), TOBN(0x1f419a71, 0xf9df7c06),\n TOBN(0x6d5b2214, 0x91e4bb14), TOBN(0xfc43c6cc, 0x839fb4ce)},\n {TOBN(0x49f06591, 0x925d6b2d), TOBN(0x4b37d9d3, 0x62186598),\n TOBN(0x8c54a971, 0xd01b1629), TOBN(0xe1a9c29f, 0x51d50e05)}},\n {{TOBN(0x5109b785, 0x71ba1861), TOBN(0x48b22d5c, 0xd0c8f93d),\n TOBN(0xe8fa84a7, 0x8633bb93), TOBN(0x53fba6ba, 0x5aebbd08)},\n {TOBN(0x7ff27df3, 0xe5eea7d8), TOBN(0x521c8796, 0x68ca7158),\n TOBN(0xb9d5133b, 0xce6f1a05), TOBN(0x2d50cd53, 0xfd0ebee4)}},\n {{TOBN(0xc82115d6, 0xc5a3ef16), TOBN(0x993eff9d, 0xba079221),\n TOBN(0xe4da2c5e, 0x4b5da81c), TOBN(0x9a89dbdb, 0x8033fd85)},\n {TOBN(0x60819ebf, 0x2b892891), TOBN(0x53902b21, 0x5d14a4d5),\n TOBN(0x6ac35051, 0xd7fda421), TOBN(0xcc6ab885, 0x61c83284)}},\n {{TOBN(0x14eba133, 0xf74cff17), TOBN(0x240aaa03, 0xecb813f2),\n TOBN(0xcfbb6540, 0x6f665bee), TOBN(0x084b1fe4, 0xa425ad73)},\n {TOBN(0x009d5d16, 0xd081f6a6), TOBN(0x35304fe8, 0xeef82c90),\n TOBN(0xf20346d5, 0xaa9eaa22), TOBN(0x0ada9f07, 0xac1c91e3)}},\n {{TOBN(0xa6e21678, 0x968a6144), TOBN(0x54c1f77c, 0x07b31a1e),\n TOBN(0xd6bb787e, 0x5781fbe1), TOBN(0x61bd2ee0, 0xe31f1c4a)},\n {TOBN(0xf25aa1e9, 0x781105fc), TOBN(0x9cf2971f, 0x7b2f8e80),\n TOBN(0x26d15412, 0xcdff919b), TOBN(0x01db4ebe, 0x34bc896e)}},\n {{TOBN(0x7d9b3e23, 0xb40df1cf), TOBN(0x59337373, 0x94e971b4),\n TOBN(0xbf57bd14, 0x669cf921), TOBN(0x865daedf, 0x0c1a1064)},\n {TOBN(0x3eb70bd3, 0x83279125), TOBN(0xbc3d5b9f, 0x34ecdaab),\n TOBN(0x91e3ed7e, 0x5f755caf), TOBN(0x49699f54, 0xd41e6f02)}},\n {{TOBN(0x185770e1, 0xd4a7a15b), TOBN(0x08f3587a, 0xeaac87e7),\n TOBN(0x352018db, 0x473133ea), TOBN(0x674ce719, 0x04fd30fc)},\n {TOBN(0x7b8d9835, 0x088b3e0e), TOBN(0x7a0356a9, 0x5d0d47a1),\n TOBN(0x9d9e7659, 0x6474a3c4), TOBN(0x61ea48a7, 0xff66966c)}},\n {{TOBN(0x30417758, 0x0f3e4834), TOBN(0xfdbb21c2, 0x17a9afcb),\n TOBN(0x756fa17f, 0x2f9a67b3), TOBN(0x2a6b2421, 0xa245c1a8)},\n {TOBN(0x64be2794, 0x4af02291), TOBN(0xade465c6, 0x2a5804fe),\n TOBN(0x8dffbd39, 0xa6f08fd7), TOBN(0xc4efa84c, 0xaa14403b)}},\n {{TOBN(0xa1b91b2a, 0x442b0f5c), TOBN(0xb748e317, 0xcf997736),\n TOBN(0x8d1b62bf, 0xcee90e16), TOBN(0x907ae271, 0x0b2078c0)},\n {TOBN(0xdf31534b, 0x0c9bcddd), TOBN(0x043fb054, 0x39adce83),\n TOBN(0x99031043, 0xd826846a), TOBN(0x61a9c0d6, 0xb144f393)}},\n {{TOBN(0xdab48046, 0x47718427), TOBN(0xdf17ff9b, 0x6e830f8b),\n TOBN(0x408d7ee8, 0xe49a1347), TOBN(0x6ac71e23, 0x91c1d4ae)},\n {TOBN(0xc8cbb9fd, 0x1defd73c), TOBN(0x19840657, 0xbbbbfec5),\n TOBN(0x39db1cb5, 0x9e7ef8ea), TOBN(0x78aa8296, 0x64105f30)}},\n {{TOBN(0xa3d9b7f0, 0xa3738c29), TOBN(0x0a2f235a, 0xbc3250a3),\n TOBN(0x55e506f6, 0x445e4caf), TOBN(0x0974f73d, 0x33475f7a)},\n {TOBN(0xd37dbba3, 0x5ba2f5a8), TOBN(0x542c6e63, 0x6af40066),\n TOBN(0x26d99b53, 0xc5d73e2c), TOBN(0x06060d7d, 0x6c3ca33e)}},\n {{TOBN(0xcdbef1c2, 0x065fef4a), TOBN(0x77e60f7d, 0xfd5b92e3),\n TOBN(0xd7c549f0, 0x26708350), TOBN(0x201b3ad0, 0x34f121bf)},\n {TOBN(0x5fcac2a1, 0x0334fc14), TOBN(0x8a9a9e09, 0x344552f6),\n TOBN(0x7dd8a1d3, 0x97653082), TOBN(0x5fc0738f, 0x79d4f289)}},\n {{TOBN(0x787d244d, 0x17d2d8c3), TOBN(0xeffc6345, 0x70830684),\n TOBN(0x5ddb96dd, 0xe4f73ae5), TOBN(0x8efb14b1, 0x172549a5)},\n {TOBN(0x6eb73eee, 0x2245ae7a), TOBN(0xbca4061e, 0xea11f13e),\n TOBN(0xb577421d, 0x30b01f5d), TOBN(0xaa688b24, 0x782e152c)}},\n {{TOBN(0x67608e71, 0xbd3502ba), TOBN(0x4ef41f24, 0xb4de75a0),\n TOBN(0xb08dde5e, 0xfd6125e5), TOBN(0xde484825, 0xa409543f)},\n {TOBN(0x1f198d98, 0x65cc2295), TOBN(0x428a3771, 0x6e0edfa2),\n TOBN(0x4f9697a2, 0xadf35fc7), TOBN(0x01a43c79, 0xf7cac3c7)}},\n {{TOBN(0xb05d7059, 0x0fd3659a), TOBN(0x8927f30c, 0xbb7f2d9a),\n TOBN(0x4023d1ac, 0x8cf984d3), TOBN(0x32125ed3, 0x02897a45)},\n {TOBN(0xfb572dad, 0x3d414205), TOBN(0x73000ef2, 0xe3fa82a9),\n TOBN(0x4c0868e9, 0xf10a5581), TOBN(0x5b61fc67, 0x6b0b3ca5)}},\n {{TOBN(0xc1258d5b, 0x7cae440c), TOBN(0x21c08b41, 0x402b7531),\n TOBN(0xf61a8955, 0xde932321), TOBN(0x3568faf8, 0x2d1408af)},\n {TOBN(0x71b15e99, 0x9ecf965b), TOBN(0xf14ed248, 0xe917276f),\n TOBN(0xc6f4caa1, 0x820cf9e2), TOBN(0x681b20b2, 0x18d83c7e)}},\n {{TOBN(0x6cde738d, 0xc6c01120), TOBN(0x71db0813, 0xae70e0db),\n TOBN(0x95fc0644, 0x74afe18c), TOBN(0x34619053, 0x129e2be7)},\n {TOBN(0x80615cea, 0xdb2a3b15), TOBN(0x0a49a19e, 0xdb4c7073),\n TOBN(0x0e1b84c8, 0x8fd2d367), TOBN(0xd74bf462, 0x033fb8aa)}},\n {{TOBN(0x889f6d65, 0x533ef217), TOBN(0x7158c7e4, 0xc3ca2e87),\n TOBN(0xfb670dfb, 0xdc2b4167), TOBN(0x75910a01, 0x844c257f)},\n {TOBN(0xf336bf07, 0xcf88577d), TOBN(0x22245250, 0xe45e2ace),\n TOBN(0x2ed92e8d, 0x7ca23d85), TOBN(0x29f8be4c, 0x2b812f58)}},\n {{TOBN(0xdd9ebaa7, 0x076fe12b), TOBN(0x3f2400cb, 0xae1537f9),\n TOBN(0x1aa93528, 0x17bdfb46), TOBN(0xc0f98430, 0x67883b41)},\n {TOBN(0x5590ede1, 0x0170911d), TOBN(0x7562f5bb, 0x34d4b17f),\n TOBN(0xe1fa1df2, 0x1826b8d2), TOBN(0xb40b796a, 0x6bd80d59)}},\n {{TOBN(0xd65bf197, 0x3467ba92), TOBN(0x8c9b46db, 0xf70954b0),\n TOBN(0x97c8a0f3, 0x0e78f15d), TOBN(0xa8f3a69a, 0x85a4c961)},\n {TOBN(0x4242660f, 0x61e4ce9b), TOBN(0xbf06aab3, 0x6ea6790c),\n TOBN(0xc6706f8e, 0xec986416), TOBN(0x9e56dec1, 0x9a9fc225)}},\n {{TOBN(0x527c46f4, 0x9a9898d9), TOBN(0xd799e77b, 0x5633cdef),\n TOBN(0x24eacc16, 0x7d9e4297), TOBN(0xabb61cea, 0x6b1cb734)},\n {TOBN(0xbee2e8a7, 0xf778443c), TOBN(0x3bb42bf1, 0x29de2fe6),\n TOBN(0xcbed86a1, 0x3003bb6f), TOBN(0xd3918e6c, 0xd781cdf6)}},\n {{TOBN(0x4bee3271, 0x9a5103f1), TOBN(0x5243efc6, 0xf50eac06),\n TOBN(0xb8e122cb, 0x6adcc119), TOBN(0x1b7faa84, 0xc0b80a08)},\n {TOBN(0x32c3d1bd, 0x6dfcd08c), TOBN(0x129dec4e, 0x0be427de),\n TOBN(0x98ab679c, 0x1d263c83), TOBN(0xafc83cb7, 0xcef64eff)}},\n {{TOBN(0x85eb6088, 0x2fa6be76), TOBN(0x892585fb, 0x1328cbfe),\n TOBN(0xc154d3ed, 0xcf618dda), TOBN(0xc44f601b, 0x3abaf26e)},\n {TOBN(0x7bf57d0b, 0x2be1fdfd), TOBN(0xa833bd2d, 0x21137fee),\n TOBN(0x9353af36, 0x2db591a8), TOBN(0xc76f26dc, 0x5562a056)}},\n {{TOBN(0x1d87e47d, 0x3fdf5a51), TOBN(0x7afb5f93, 0x55c9cab0),\n TOBN(0x91bbf58f, 0x89e0586e), TOBN(0x7c72c018, 0x0d843709)},\n {TOBN(0xa9a5aafb, 0x99b5c3dc), TOBN(0xa48a0f1d, 0x3844aeb0),\n TOBN(0x7178b7dd, 0xb667e482), TOBN(0x453985e9, 0x6e23a59a)}},\n {{TOBN(0x4a54c860, 0x01b25dd8), TOBN(0x0dd37f48, 0xfb897c8a),\n TOBN(0x5f8aa610, 0x0ea90cd9), TOBN(0xc8892c68, 0x16d5830d)},\n {TOBN(0xeb4befc0, 0xef514ca5), TOBN(0x478eb679, 0xe72c9ee6),\n TOBN(0x9bca20da, 0xdbc40d5f), TOBN(0xf015de21, 0xdde4f64a)}},\n {{TOBN(0xaa6a4de0, 0xeaf4b8a5), TOBN(0x68cfd9ca, 0x4bc60e32),\n TOBN(0x668a4b01, 0x7fd15e70), TOBN(0xd9f0694a, 0xf27dc09d)},\n {TOBN(0xf6c3cad5, 0xba708bcd), TOBN(0x5cd2ba69, 0x5bb95c2a),\n TOBN(0xaa28c1d3, 0x33c0a58f), TOBN(0x23e274e3, 0xabc77870)}},\n {{TOBN(0x44c3692d, 0xdfd20a4a), TOBN(0x091c5fd3, 0x81a66653),\n TOBN(0x6c0bb691, 0x09a0757d), TOBN(0x9072e8b9, 0x667343ea)},\n {TOBN(0x31d40eb0, 0x80848bec), TOBN(0x95bd480a, 0x79fd36cc),\n TOBN(0x01a77c61, 0x65ed43f5), TOBN(0xafccd127, 0x2e0d40bf)}},\n {{TOBN(0xeccfc82d, 0x1cc1884b), TOBN(0xc85ac201, 0x5d4753b4),\n TOBN(0xc7a6caac, 0x658e099f), TOBN(0xcf46369e, 0x04b27390)},\n {TOBN(0xe2e7d049, 0x506467ea), TOBN(0x481b63a2, 0x37cdeccc),\n TOBN(0x4029abd8, 0xed80143a), TOBN(0x28bfe3c7, 0xbcb00b88)}},\n {{TOBN(0x3bec1009, 0x0643d84a), TOBN(0x885f3668, 0xabd11041),\n TOBN(0xdb02432c, 0xf83a34d6), TOBN(0x32f7b360, 0x719ceebe)},\n {TOBN(0xf06c7837, 0xdad1fe7a), TOBN(0x60a157a9, 0x5441a0b0),\n TOBN(0x704970e9, 0xe2d47550), TOBN(0xcd2bd553, 0x271b9020)}},\n {{TOBN(0xff57f82f, 0x33e24a0b), TOBN(0x9cbee23f, 0xf2565079),\n TOBN(0x16353427, 0xeb5f5825), TOBN(0x276feec4, 0xe948d662)},\n {TOBN(0xd1b62bc6, 0xda10032b), TOBN(0x718351dd, 0xf0e72a53),\n TOBN(0x93452076, 0x2420e7ba), TOBN(0x96368fff, 0x3a00118d)}},\n {{TOBN(0x00ce2d26, 0x150a49e4), TOBN(0x0c28b636, 0x3f04706b),\n TOBN(0xbad65a46, 0x58b196d0), TOBN(0x6c8455fc, 0xec9f8b7c)},\n {TOBN(0xe90c895f, 0x2d71867e), TOBN(0x5c0be31b, 0xedf9f38c),\n TOBN(0x2a37a15e, 0xd8f6ec04), TOBN(0x239639e7, 0x8cd85251)}},\n {{TOBN(0xd8975315, 0x9c7c4c6b), TOBN(0x603aa3c0, 0xd7409af7),\n TOBN(0xb8d53d0c, 0x007132fb), TOBN(0x68d12af7, 0xa6849238)},\n {TOBN(0xbe0607e7, 0xbf5d9279), TOBN(0x9aa50055, 0xaada74ce),\n TOBN(0xe81079cb, 0xba7e8ccb), TOBN(0x610c71d1, 0xa5f4ff5e)}},\n {{TOBN(0x9e2ee1a7, 0x5aa07093), TOBN(0xca84004b, 0xa75da47c),\n TOBN(0x074d3951, 0x3de75401), TOBN(0xf938f756, 0xbb311592)},\n {TOBN(0x96197618, 0x00a43421), TOBN(0x39a25362, 0x07bc78c8),\n TOBN(0x278f710a, 0x0a171276), TOBN(0xb28446ea, 0x8d1a8f08)}},\n {{TOBN(0x184781bf, 0xe3b6a661), TOBN(0x7751cb1d, 0xe6d279f7),\n TOBN(0xf8ff95d6, 0xc59eb662), TOBN(0x186d90b7, 0x58d3dea7)},\n {TOBN(0x0e4bb6c1, 0xdfb4f754), TOBN(0x5c5cf56b, 0x2b2801dc),\n TOBN(0xc561e452, 0x1f54564d), TOBN(0xb4fb8c60, 0xf0dd7f13)}},\n {{TOBN(0xf8849630, 0x33ff98c7), TOBN(0x9619fffa, 0xcf17769c),\n TOBN(0xf8090bf6, 0x1bfdd80a), TOBN(0x14d9a149, 0x422cfe63)},\n {TOBN(0xb354c360, 0x6f6df9ea), TOBN(0xdbcf770d, 0x218f17ea),\n TOBN(0x207db7c8, 0x79eb3480), TOBN(0x213dbda8, 0x559b6a26)}},\n {{TOBN(0xac4c200b, 0x29fc81b3), TOBN(0xebc3e09f, 0x171d87c1),\n TOBN(0x91799530, 0x1481aa9e), TOBN(0x051b92e1, 0x92e114fa)},\n {TOBN(0xdf8f92e9, 0xecb5537f), TOBN(0x44b1b2cc, 0x290c7483),\n TOBN(0xa711455a, 0x2adeb016), TOBN(0x964b6856, 0x81a10c2c)}},\n {{TOBN(0x4f159d99, 0xcec03623), TOBN(0x05532225, 0xef3271ea),\n TOBN(0xb231bea3, 0xc5ee4849), TOBN(0x57a54f50, 0x7094f103)},\n {TOBN(0x3e2d421d, 0x9598b352), TOBN(0xe865a49c, 0x67412ab4),\n TOBN(0xd2998a25, 0x1cc3a912), TOBN(0x5d092808, 0x0c74d65d)}},\n {{TOBN(0x73f45908, 0x4088567a), TOBN(0xeb6b280e, 0x1f214a61),\n TOBN(0x8c9adc34, 0xcaf0c13d), TOBN(0x39d12938, 0xf561fb80)},\n {TOBN(0xb2dc3a5e, 0xbc6edfb4), TOBN(0x7485b1b1, 0xfe4d210e),\n TOBN(0x062e0400, 0xe186ae72), TOBN(0x91e32d5c, 0x6eeb3b88)}},\n {{TOBN(0x6df574d7, 0x4be59224), TOBN(0xebc88ccc, 0x716d55f3),\n TOBN(0x26c2e6d0, 0xcad6ed33), TOBN(0xc6e21e7d, 0x0d3e8b10)},\n {TOBN(0x2cc5840e, 0x5bcc36bb), TOBN(0x9292445e, 0x7da74f69),\n TOBN(0x8be8d321, 0x4e5193a8), TOBN(0x3ec23629, 0x8df06413)}},\n {{TOBN(0xc7e9ae85, 0xb134defa), TOBN(0x6073b1d0, 0x1bb2d475),\n TOBN(0xb9ad615e, 0x2863c00d), TOBN(0x9e29493d, 0x525f4ac4)},\n {TOBN(0xc32b1dea, 0x4e9acf4f), TOBN(0x3e1f01c8, 0xa50db88d),\n TOBN(0xb05d70ea, 0x04da916c), TOBN(0x714b0d0a, 0xd865803e)}},\n {{TOBN(0x4bd493fc, 0x9920cb5e), TOBN(0x5b44b1f7, 0x92c7a3ac),\n TOBN(0xa2a77293, 0xbcec9235), TOBN(0x5ee06e87, 0xcd378553)},\n {TOBN(0xceff8173, 0xda621607), TOBN(0x2bb03e4c, 0x99f5d290),\n TOBN(0x2945106a, 0xa6f734ac), TOBN(0xb5056604, 0xd25c4732)}},\n {{TOBN(0x5945920c, 0xe079afee), TOBN(0x686e17a0, 0x6789831f),\n TOBN(0x5966bee8, 0xb74a5ae5), TOBN(0x38a673a2, 0x1e258d46)},\n {TOBN(0xbd1cc1f2, 0x83141c95), TOBN(0x3b2ecf4f, 0x0e96e486),\n TOBN(0xcd3aa896, 0x74e5fc78), TOBN(0x415ec10c, 0x2482fa7a)}},\n {{TOBN(0x15234419, 0x80503380), TOBN(0x513d917a, 0xd314b392),\n TOBN(0xb0b52f4e, 0x63caecae), TOBN(0x07bf22ad, 0x2dc7780b)},\n {TOBN(0xe761e8a1, 0xe4306839), TOBN(0x1b3be962, 0x5dd7feaa),\n TOBN(0x4fe728de, 0x74c778f1), TOBN(0xf1fa0bda, 0x5e0070f6)}},\n {{TOBN(0x85205a31, 0x6ec3f510), TOBN(0x2c7e4a14, 0xd2980475),\n TOBN(0xde3c19c0, 0x6f30ebfd), TOBN(0xdb1c1f38, 0xd4b7e644)},\n {TOBN(0xfe291a75, 0x5dce364a), TOBN(0xb7b22a3c, 0x058f5be3),\n TOBN(0x2cd2c302, 0x37fea38c), TOBN(0x2930967a, 0x2e17be17)}},\n {{TOBN(0x87f009de, 0x0c061c65), TOBN(0xcb014aac, 0xedc6ed44),\n TOBN(0x49bd1cb4, 0x3bafb1eb), TOBN(0x81bd8b5c, 0x282d3688)},\n {TOBN(0x1cdab87e, 0xf01a17af), TOBN(0x21f37ac4, 0xe710063b),\n TOBN(0x5a6c5676, 0x42fc8193), TOBN(0xf4753e70, 0x56a6015c)}},\n {{TOBN(0x020f795e, 0xa15b0a44), TOBN(0x8f37c8d7, 0x8958a958),\n TOBN(0x63b7e89b, 0xa4b675b5), TOBN(0xb4fb0c0c, 0x0fc31aea)},\n {TOBN(0xed95e639, 0xa7ff1f2e), TOBN(0x9880f5a3, 0x619614fb),\n TOBN(0xdeb6ff02, 0x947151ab), TOBN(0x5bc5118c, 0xa868dcdb)}},\n {{TOBN(0xd8da2055, 0x4c20cea5), TOBN(0xcac2776e, 0x14c4d69a),\n TOBN(0xcccb22c1, 0x622d599b), TOBN(0xa4ddb653, 0x68a9bb50)},\n {TOBN(0x2c4ff151, 0x1b4941b4), TOBN(0xe1ff19b4, 0x6efba588),\n TOBN(0x35034363, 0xc48345e0), TOBN(0x45542e3d, 0x1e29dfc4)}},\n {{TOBN(0xf197cb91, 0x349f7aed), TOBN(0x3b2b5a00, 0x8fca8420),\n TOBN(0x7c175ee8, 0x23aaf6d8), TOBN(0x54dcf421, 0x35af32b6)},\n {TOBN(0x0ba14307, 0x27d6561e), TOBN(0x879d5ee4, 0xd175b1e2),\n TOBN(0xc7c43673, 0x99807db5), TOBN(0x77a54455, 0x9cd55bcd)}},\n {{TOBN(0xe6c2ff13, 0x0105c072), TOBN(0x18f7a99f, 0x8dda7da4),\n TOBN(0x4c301820, 0x0e2d35c1), TOBN(0x06a53ca0, 0xd9cc6c82)},\n {TOBN(0xaa21cc1e, 0xf1aa1d9e), TOBN(0x32414334, 0x4a75b1e8),\n TOBN(0x2a6d1328, 0x0ebe9fdc), TOBN(0x16bd173f, 0x98a4755a)}},\n {{TOBN(0xfbb9b245, 0x2133ffd9), TOBN(0x39a8b2f1, 0x830f1a20),\n TOBN(0x484bc97d, 0xd5a1f52a), TOBN(0xd6aebf56, 0xa40eddf8)},\n {TOBN(0x32257acb, 0x76ccdac6), TOBN(0xaf4d36ec, 0x1586ff27),\n TOBN(0x8eaa8863, 0xf8de7dd1), TOBN(0x0045d5cf, 0x88647c16)}}},\n {{{TOBN(0xa6f3d574, 0xc005979d), TOBN(0xc2072b42, 0x6a40e350),\n TOBN(0xfca5c156, 0x8de2ecf9), TOBN(0xa8c8bf5b, 0xa515344e)},\n {TOBN(0x97aee555, 0x114df14a), TOBN(0xd4374a4d, 0xfdc5ec6b),\n TOBN(0x754cc28f, 0x2ca85418), TOBN(0x71cb9e27, 0xd3c41f78)}},\n {{TOBN(0x89105079, 0x03605c39), TOBN(0xf0843d9e, 0xa142c96c),\n TOBN(0xf3744934, 0x16923684), TOBN(0x732caa2f, 0xfa0a2893)},\n {TOBN(0xb2e8c270, 0x61160170), TOBN(0xc32788cc, 0x437fbaa3),\n TOBN(0x39cd818e, 0xa6eda3ac), TOBN(0xe2e94239, 0x9e2b2e07)}},\n {{TOBN(0x6967d39b, 0x0260e52a), TOBN(0xd42585cc, 0x90653325),\n TOBN(0x0d9bd605, 0x21ca7954), TOBN(0x4fa20877, 0x81ed57b3)},\n {TOBN(0x60c1eff8, 0xe34a0bbe), TOBN(0x56b0040c, 0x84f6ef64),\n TOBN(0x28be2b24, 0xb1af8483), TOBN(0xb2278163, 0xf5531614)}},\n {{TOBN(0x8df27545, 0x5922ac1c), TOBN(0xa7b3ef5c, 0xa52b3f63),\n TOBN(0x8e77b214, 0x71de57c4), TOBN(0x31682c10, 0x834c008b)},\n {TOBN(0xc76824f0, 0x4bd55d31), TOBN(0xb6d1c086, 0x17b61c71),\n TOBN(0x31db0903, 0xc2a5089d), TOBN(0x9c092172, 0x184e5d3f)}},\n {{TOBN(0xdd7ced5b, 0xc00cc638), TOBN(0x1a2015eb, 0x61278fc2),\n TOBN(0x2e8e5288, 0x6a37f8d6), TOBN(0xc457786f, 0xe79933ad)},\n {TOBN(0xb3fe4cce, 0x2c51211a), TOBN(0xad9b10b2, 0x24c20498),\n TOBN(0x90d87a4f, 0xd28db5e5), TOBN(0x698cd105, 0x3aca2fc3)}},\n {{TOBN(0x4f112d07, 0xe91b536d), TOBN(0xceb982f2, 0x9eba09d6),\n TOBN(0x3c157b2c, 0x197c396f), TOBN(0xe23c2d41, 0x7b66eb24)},\n {TOBN(0x480c57d9, 0x3f330d37), TOBN(0xb3a4c8a1, 0x79108deb),\n TOBN(0x702388de, 0xcb199ce5), TOBN(0x0b019211, 0xb944a8d4)}},\n {{TOBN(0x24f2a692, 0x840bb336), TOBN(0x7c353bdc, 0xa669fa7b),\n TOBN(0xda20d6fc, 0xdec9c300), TOBN(0x625fbe2f, 0xa13a4f17)},\n {TOBN(0xa2b1b61a, 0xdbc17328), TOBN(0x008965bf, 0xa9515621),\n TOBN(0x49690939, 0xc620ff46), TOBN(0x182dd27d, 0x8717e91c)}},\n {{TOBN(0x5ace5035, 0xea6c3997), TOBN(0x54259aaa, 0xc2610bef),\n TOBN(0xef18bb3f, 0x3c80dd39), TOBN(0x6910b95b, 0x5fc3fa39)},\n {TOBN(0xfce2f510, 0x43e09aee), TOBN(0xced56c9f, 0xa7675665),\n TOBN(0x10e265ac, 0xd872db61), TOBN(0x6982812e, 0xae9fce69)}},\n {{TOBN(0x29be11c6, 0xce800998), TOBN(0x72bb1752, 0xb90360d9),\n TOBN(0x2c193197, 0x5a4ad590), TOBN(0x2ba2f548, 0x9fc1dbc0)},\n {TOBN(0x7fe4eebb, 0xe490ebe0), TOBN(0x12a0a4cd, 0x7fae11c0),\n TOBN(0x7197cf81, 0xe903ba37), TOBN(0xcf7d4aa8, 0xde1c6dd8)}},\n {{TOBN(0x92af6bf4, 0x3fd5684c), TOBN(0x2b26eecf, 0x80360aa1),\n TOBN(0xbd960f30, 0x00546a82), TOBN(0x407b3c43, 0xf59ad8fe)},\n {TOBN(0x86cae5fe, 0x249c82ba), TOBN(0x9e0faec7, 0x2463744c),\n TOBN(0x87f551e8, 0x94916272), TOBN(0x033f9344, 0x6ceb0615)}},\n {{TOBN(0x1e5eb0d1, 0x8be82e84), TOBN(0x89967f0e, 0x7a582fef),\n TOBN(0xbcf687d5, 0xa6e921fa), TOBN(0xdfee4cf3, 0xd37a09ba)},\n {TOBN(0x94f06965, 0xb493c465), TOBN(0x638b9a1c, 0x7635c030),\n TOBN(0x76667864, 0x66f05e9f), TOBN(0xccaf6808, 0xc04da725)}},\n {{TOBN(0xca2eb690, 0x768fccfc), TOBN(0xf402d37d, 0xb835b362),\n TOBN(0x0efac0d0, 0xe2fdfcce), TOBN(0xefc9cdef, 0xb638d990)},\n {TOBN(0x2af12b72, 0xd1669a8b), TOBN(0x33c536bc, 0x5774ccbd),\n TOBN(0x30b21909, 0xfb34870e), TOBN(0xc38fa2f7, 0x7df25aca)}},\n {{TOBN(0x74c5f02b, 0xbf81f3f5), TOBN(0x0525a5ae, 0xaf7e4581),\n TOBN(0x88d2aaba, 0x433c54ae), TOBN(0xed9775db, 0x806a56c5)},\n {TOBN(0xd320738a, 0xc0edb37d), TOBN(0x25fdb6ee, 0x66cc1f51),\n TOBN(0xac661d17, 0x10600d76), TOBN(0x931ec1f3, 0xbdd1ed76)}},\n {{TOBN(0x65c11d62, 0x19ee43f1), TOBN(0x5cd57c3e, 0x60829d97),\n TOBN(0xd26c91a3, 0x984be6e8), TOBN(0xf08d9309, 0x8b0c53bd)},\n {TOBN(0x94bc9e5b, 0xc016e4ea), TOBN(0xd3916839, 0x11d43d2b),\n TOBN(0x886c5ad7, 0x73701155), TOBN(0xe0377626, 0x20b00715)}},\n {{TOBN(0x7f01c9ec, 0xaa80ba59), TOBN(0x3083411a, 0x68538e51),\n TOBN(0x970370f1, 0xe88128af), TOBN(0x625cc3db, 0x91dec14b)},\n {TOBN(0xfef9666c, 0x01ac3107), TOBN(0xb2a8d577, 0xd5057ac3),\n TOBN(0xb0f26299, 0x92be5df7), TOBN(0xf579c8e5, 0x00353924)}},\n {{TOBN(0xb8fa3d93, 0x1341ed7a), TOBN(0x4223272c, 0xa7b59d49),\n TOBN(0x3dcb1947, 0x83b8c4a4), TOBN(0x4e413c01, 0xed1302e4)},\n {TOBN(0x6d999127, 0xe17e44ce), TOBN(0xee86bf75, 0x33b3adfb),\n TOBN(0xf6902fe6, 0x25aa96ca), TOBN(0xb73540e4, 0xe5aae47d)}},\n {{TOBN(0x32801d7b, 0x1b4a158c), TOBN(0xe571c99e, 0x27e2a369),\n TOBN(0x40cb76c0, 0x10d9f197), TOBN(0xc308c289, 0x3167c0ae)},\n {TOBN(0xa6ef9dd3, 0xeb7958f2), TOBN(0xa7226dfc, 0x300879b1),\n TOBN(0x6cd0b362, 0x7edf0636), TOBN(0x4efbce6c, 0x7bc37eed)}},\n {{TOBN(0x75f92a05, 0x8d699021), TOBN(0x586d4c79, 0x772566e3),\n TOBN(0x378ca5f1, 0x761ad23a), TOBN(0x650d86fc, 0x1465a8ac)},\n {TOBN(0x7a4ed457, 0x842ba251), TOBN(0x6b65e3e6, 0x42234933),\n TOBN(0xaf1543b7, 0x31aad657), TOBN(0xa4cefe98, 0xcbfec369)}},\n {{TOBN(0xb587da90, 0x9f47befb), TOBN(0x6562e9fb, 0x41312d13),\n TOBN(0xa691ea59, 0xeff1cefe), TOBN(0xcc30477a, 0x05fc4cf6)},\n {TOBN(0xa1632461, 0x0b0ffd3d), TOBN(0xa1f16f3b, 0x5b355956),\n TOBN(0x5b148d53, 0x4224ec24), TOBN(0xdc834e7b, 0xf977012a)}},\n {{TOBN(0x7bfc5e75, 0xb2c69dbc), TOBN(0x3aa77a29, 0x03c3da6c),\n TOBN(0xde0df03c, 0xca910271), TOBN(0xcbd5ca4a, 0x7806dc55)},\n {TOBN(0xe1ca5807, 0x6db476cb), TOBN(0xfde15d62, 0x5f37a31e),\n TOBN(0xf49af520, 0xf41af416), TOBN(0x96c5c5b1, 0x7d342db5)}},\n {{TOBN(0x155c43b7, 0xeb4ceb9b), TOBN(0x2e993010, 0x4e77371a),\n TOBN(0x1d2987da, 0x675d43af), TOBN(0xef2bc1c0, 0x8599fd72)},\n {TOBN(0x96894b7b, 0x9342f6b2), TOBN(0x201eadf2, 0x7c8e71f0),\n TOBN(0xf3479d9f, 0x4a1f3efc), TOBN(0xe0f8a742, 0x702a9704)}},\n {{TOBN(0xeafd44b6, 0xb3eba40c), TOBN(0xf9739f29, 0xc1c1e0d0),\n TOBN(0x0091471a, 0x619d505e), TOBN(0xc15f9c96, 0x9d7c263e)},\n {TOBN(0x5be47285, 0x83afbe33), TOBN(0xa3b6d6af, 0x04f1e092),\n TOBN(0xe76526b9, 0x751a9d11), TOBN(0x2ec5b26d, 0x9a4ae4d2)}},\n {{TOBN(0xeb66f4d9, 0x02f6fb8d), TOBN(0x4063c561, 0x96912164),\n TOBN(0xeb7050c1, 0x80ef3000), TOBN(0x288d1c33, 0xeaa5b3f0)},\n {TOBN(0xe87c68d6, 0x07806fd8), TOBN(0xb2f7f9d5, 0x4bbbf50f),\n TOBN(0x25972f3a, 0xac8d6627), TOBN(0xf8547774, 0x10e8c13b)}},\n {{TOBN(0xcc50ef6c, 0x872b4a60), TOBN(0xab2a34a4, 0x4613521b),\n TOBN(0x39c5c190, 0x983e15d1), TOBN(0x61dde5df, 0x59905512)},\n {TOBN(0xe417f621, 0x9f2275f3), TOBN(0x0750c8b6, 0x451d894b),\n TOBN(0x75b04ab9, 0x78b0bdaa), TOBN(0x3bfd9fd4, 0x458589bd)}},\n {{TOBN(0xf1013e30, 0xee9120b6), TOBN(0x2b51af93, 0x23a4743e),\n TOBN(0xea96ffae, 0x48d14d9e), TOBN(0x71dc0dbe, 0x698a1d32)},\n {TOBN(0x914962d2, 0x0180cca4), TOBN(0x1ae60677, 0xc3568963),\n TOBN(0x8cf227b1, 0x437bc444), TOBN(0xc650c83b, 0xc9962c7a)}},\n {{TOBN(0x23c2c7dd, 0xfe7ccfc4), TOBN(0xf925c89d, 0x1b929d48),\n TOBN(0x4460f74b, 0x06783c33), TOBN(0xac2c8d49, 0xa590475a)},\n {TOBN(0xfb40b407, 0xb807bba0), TOBN(0x9d1e362d, 0x69ff8f3a),\n TOBN(0xa33e9681, 0xcbef64a4), TOBN(0x67ece5fa, 0x332fb4b2)}},\n {{TOBN(0x6900a99b, 0x739f10e3), TOBN(0xc3341ca9, 0xff525925),\n TOBN(0xee18a626, 0xa9e2d041), TOBN(0xa5a83685, 0x29580ddd)},\n {TOBN(0xf3470c81, 0x9d7de3cd), TOBN(0xedf02586, 0x2062cf9c),\n TOBN(0xf43522fa, 0xc010edb0), TOBN(0x30314135, 0x13a4b1ae)}},\n {{TOBN(0xc792e02a, 0xdb22b94b), TOBN(0x993d8ae9, 0xa1eaa45b),\n TOBN(0x8aad6cd3, 0xcd1e1c63), TOBN(0x89529ca7, 0xc5ce688a)},\n {TOBN(0x2ccee3aa, 0xe572a253), TOBN(0xe02b6438, 0x02a21efb),\n TOBN(0xa7091b6e, 0xc9430358), TOBN(0x06d1b1fa, 0x9d7db504)}},\n {{TOBN(0x58846d32, 0xc4744733), TOBN(0x40517c71, 0x379f9e34),\n TOBN(0x2f65655f, 0x130ef6ca), TOBN(0x526e4488, 0xf1f3503f)},\n {TOBN(0x8467bd17, 0x7ee4a976), TOBN(0x1d9dc913, 0x921363d1),\n TOBN(0xd8d24c33, 0xb069e041), TOBN(0x5eb5da0a, 0x2cdf7f51)}},\n {{TOBN(0x1c0f3cb1, 0x197b994f), TOBN(0x3c95a6c5, 0x2843eae9),\n TOBN(0x7766ffc9, 0xa6097ea5), TOBN(0x7bea4093, 0xd723b867)},\n {TOBN(0xb48e1f73, 0x4db378f9), TOBN(0x70025b00, 0xe37b77ac),\n TOBN(0x943dc8e7, 0xaf24ad46), TOBN(0xb98a15ac, 0x16d00a85)}},\n {{TOBN(0x3adc38ba, 0x2743b004), TOBN(0xb1c7f4f7, 0x334415ee),\n TOBN(0xea43df8f, 0x1e62d05a), TOBN(0x32618905, 0x9d76a3b6)},\n {TOBN(0x2fbd0bb5, 0xa23a0f46), TOBN(0x5bc971db, 0x6a01918c),\n TOBN(0x7801d94a, 0xb4743f94), TOBN(0xb94df65e, 0x676ae22b)}},\n {{TOBN(0xaafcbfab, 0xaf95894c), TOBN(0x7b9bdc07, 0x276b2241),\n TOBN(0xeaf98362, 0x5bdda48b), TOBN(0x5977faf2, 0xa3fcb4df)},\n {TOBN(0xbed042ef, 0x052c4b5b), TOBN(0x9fe87f71, 0x067591f0),\n TOBN(0xc89c73ca, 0x22f24ec7), TOBN(0x7d37fa9e, 0xe64a9f1b)}},\n {{TOBN(0x2710841a, 0x15562627), TOBN(0x2c01a613, 0xc243b034),\n TOBN(0x1d135c56, 0x2bc68609), TOBN(0xc2ca1715, 0x8b03f1f6)},\n {TOBN(0xc9966c2d, 0x3eb81d82), TOBN(0xc02abf4a, 0x8f6df13e),\n TOBN(0x77b34bd7, 0x8f72b43b), TOBN(0xaff6218f, 0x360c82b0)}},\n {{TOBN(0x0aa5726c, 0x8d55b9d2), TOBN(0xdc0adbe9, 0x99e9bffb),\n TOBN(0x9097549c, 0xefb9e72a), TOBN(0x16755712, 0x9dfb3111)},\n {TOBN(0xdd8bf984, 0xf26847f9), TOBN(0xbcb8e387, 0xdfb30cb7),\n TOBN(0xc1fd32a7, 0x5171ef9c), TOBN(0x977f3fc7, 0x389b363f)}},\n {{TOBN(0x116eaf2b, 0xf4babda0), TOBN(0xfeab68bd, 0xf7113c8e),\n TOBN(0xd1e3f064, 0xb7def526), TOBN(0x1ac30885, 0xe0b3fa02)},\n {TOBN(0x1c5a6e7b, 0x40142d9d), TOBN(0x839b5603, 0x30921c0b),\n TOBN(0x48f301fa, 0x36a116a3), TOBN(0x380e1107, 0xcfd9ee6d)}},\n {{TOBN(0x7945ead8, 0x58854be1), TOBN(0x4111c12e, 0xcbd4d49d),\n TOBN(0xece3b1ec, 0x3a29c2ef), TOBN(0x6356d404, 0x8d3616f5)},\n {TOBN(0x9f0d6a8f, 0x594d320e), TOBN(0x0989316d, 0xf651ccd2),\n TOBN(0x6c32117a, 0x0f8fdde4), TOBN(0x9abe5cc5, 0xa26a9bbc)}},\n {{TOBN(0xcff560fb, 0x9723f671), TOBN(0x21b2a12d, 0x7f3d593c),\n TOBN(0xe4cb18da, 0x24ba0696), TOBN(0x186e2220, 0xc3543384)},\n {TOBN(0x722f64e0, 0x88312c29), TOBN(0x94282a99, 0x17dc7752),\n TOBN(0x62467bbf, 0x5a85ee89), TOBN(0xf435c650, 0xf10076a0)}},\n {{TOBN(0xc9ff1539, 0x43b3a50b), TOBN(0x7132130c, 0x1a53efbc),\n TOBN(0x31bfe063, 0xf7b0c5b7), TOBN(0xb0179a7d, 0x4ea994cc)},\n {TOBN(0x12d064b3, 0xc85f455b), TOBN(0x47259328, 0x8f6e0062),\n TOBN(0xf64e590b, 0xb875d6d9), TOBN(0x22dd6225, 0xad92bcc7)}},\n {{TOBN(0xb658038e, 0xb9c3bd6d), TOBN(0x00cdb0d6, 0xfbba27c8),\n TOBN(0x0c681337, 0x1062c45d), TOBN(0xd8515b8c, 0x2d33407d)},\n {TOBN(0xcb8f699e, 0x8cbb5ecf), TOBN(0x8c4347f8, 0xc608d7d8),\n TOBN(0x2c11850a, 0xbb3e00db), TOBN(0x20a8dafd, 0xecb49d19)}},\n {{TOBN(0xbd781480, 0x45ee2f40), TOBN(0x75e354af, 0x416b60cf),\n TOBN(0xde0b58a1, 0x8d49a8c4), TOBN(0xe40e94e2, 0xfa359536)},\n {TOBN(0xbd4fa59f, 0x62accd76), TOBN(0x05cf466a, 0x8c762837),\n TOBN(0xb5abda99, 0x448c277b), TOBN(0x5a9e01bf, 0x48b13740)}},\n {{TOBN(0x9d457798, 0x326aad8d), TOBN(0xbdef4954, 0xc396f7e7),\n TOBN(0x6fb274a2, 0xc253e292), TOBN(0x2800bf0a, 0x1cfe53e7)},\n {TOBN(0x22426d31, 0x44438fd4), TOBN(0xef233923, 0x5e259f9a),\n TOBN(0x4188503c, 0x03f66264), TOBN(0x9e5e7f13, 0x7f9fdfab)}},\n {{TOBN(0x565eb76c, 0x5fcc1aba), TOBN(0xea632548, 0x59b5bff8),\n TOBN(0x5587c087, 0xaab6d3fa), TOBN(0x92b639ea, 0x6ce39c1b)},\n {TOBN(0x0706e782, 0x953b135c), TOBN(0x7308912e, 0x425268ef),\n TOBN(0x599e92c7, 0x090e7469), TOBN(0x83b90f52, 0x9bc35e75)}},\n {{TOBN(0x4750b3d0, 0x244975b3), TOBN(0xf3a44358, 0x11965d72),\n TOBN(0x179c6774, 0x9c8dc751), TOBN(0xff18cdfe, 0xd23d9ff0)},\n {TOBN(0xc4013833, 0x2028e247), TOBN(0x96e280e2, 0xf3bfbc79),\n TOBN(0xf60417bd, 0xd0880a84), TOBN(0x263c9f3d, 0x2a568151)}},\n {{TOBN(0x36be15b3, 0x2d2ce811), TOBN(0x846dc0c2, 0xf8291d21),\n TOBN(0x5cfa0ecb, 0x789fcfdb), TOBN(0x45a0beed, 0xd7535b9a)},\n {TOBN(0xec8e9f07, 0x96d69af1), TOBN(0x31a7c5b8, 0x599ab6dc),\n TOBN(0xd36d45ef, 0xf9e2e09f), TOBN(0x3cf49ef1, 0xdcee954b)}},\n {{TOBN(0x6be34cf3, 0x086cff9b), TOBN(0x88dbd491, 0x39a3360f),\n TOBN(0x1e96b8cc, 0x0dbfbd1d), TOBN(0xc1e5f7bf, 0xcb7e2552)},\n {TOBN(0x0547b214, 0x28819d98), TOBN(0xc770dd9c, 0x7aea9dcb),\n TOBN(0xaef0d4c7, 0x041d68c8), TOBN(0xcc2b9818, 0x13cb9ba8)}},\n {{TOBN(0x7fc7bc76, 0xfe86c607), TOBN(0x6b7b9337, 0x502a9a95),\n TOBN(0x1948dc27, 0xd14dab63), TOBN(0x249dd198, 0xdae047be)},\n {TOBN(0xe8356584, 0xa981a202), TOBN(0x3531dd18, 0x3a893387),\n TOBN(0x1be11f90, 0xc85c7209), TOBN(0x93d2fe1e, 0xe2a52b5a)}},\n {{TOBN(0x8225bfe2, 0xec6d6b97), TOBN(0x9cf6d6f4, 0xbd0aa5de),\n TOBN(0x911459cb, 0x54779f5f), TOBN(0x5649cddb, 0x86aeb1f3)},\n {TOBN(0x32133579, 0x3f26ce5a), TOBN(0xc289a102, 0x550f431e),\n TOBN(0x559dcfda, 0x73b84c6f), TOBN(0x84973819, 0xee3ac4d7)}},\n {{TOBN(0xb51e55e6, 0xf2606a82), TOBN(0xe25f7061, 0x90f2fb57),\n TOBN(0xacef6c2a, 0xb1a4e37c), TOBN(0x864e359d, 0x5dcf2706)},\n {TOBN(0x479e6b18, 0x7ce57316), TOBN(0x2cab2500, 0x3a96b23d),\n TOBN(0xed489862, 0x8ef16df7), TOBN(0x2056538c, 0xef3758b5)}},\n {{TOBN(0xa7df865e, 0xf15d3101), TOBN(0x80c5533a, 0x61b553d7),\n TOBN(0x366e1997, 0x4ed14294), TOBN(0x6620741f, 0xb3c0bcd6)},\n {TOBN(0x21d1d9c4, 0xedc45418), TOBN(0x005b859e, 0xc1cc4a9d),\n TOBN(0xdf01f630, 0xa1c462f0), TOBN(0x15d06cf3, 0xf26820c7)}},\n {{TOBN(0x9f7f24ee, 0x3484be47), TOBN(0x2ff33e96, 0x4a0c902f),\n TOBN(0x00bdf457, 0x5a0bc453), TOBN(0x2378dfaf, 0x1aa238db)},\n {TOBN(0x272420ec, 0x856720f2), TOBN(0x2ad9d95b, 0x96797291),\n TOBN(0xd1242cc6, 0x768a1558), TOBN(0x2e287f8b, 0x5cc86aa8)}},\n {{TOBN(0x796873d0, 0x990cecaa), TOBN(0xade55f81, 0x675d4080),\n TOBN(0x2645eea3, 0x21f0cd84), TOBN(0x7a1efa0f, 0xb4e17d02)},\n {TOBN(0xf6858420, 0x037cc061), TOBN(0x682e05f0, 0xd5d43e12),\n TOBN(0x59c36994, 0x27218710), TOBN(0x85cbba4d, 0x3f7cd2fc)}},\n {{TOBN(0x726f9729, 0x7a3cd22a), TOBN(0x9f8cd5dc, 0x4a628397),\n TOBN(0x17b93ab9, 0xc23165ed), TOBN(0xff5f5dbf, 0x122823d4)},\n {TOBN(0xc1e4e4b5, 0x654a446d), TOBN(0xd1a9496f, 0x677257ba),\n TOBN(0x6387ba94, 0xde766a56), TOBN(0x23608bc8, 0x521ec74a)}},\n {{TOBN(0x16a522d7, 0x6688c4d4), TOBN(0x9d6b4282, 0x07373abd),\n TOBN(0xa62f07ac, 0xb42efaa3), TOBN(0xf73e00f7, 0xe3b90180)},\n {TOBN(0x36175fec, 0x49421c3e), TOBN(0xc4e44f9b, 0x3dcf2678),\n TOBN(0x76df436b, 0x7220f09f), TOBN(0x172755fb, 0x3aa8b6cf)}},\n {{TOBN(0xbab89d57, 0x446139cc), TOBN(0x0a0a6e02, 0x5fe0208f),\n TOBN(0xcdbb63e2, 0x11e5d399), TOBN(0x33ecaa12, 0xa8977f0b)},\n {TOBN(0x59598b21, 0xf7c42664), TOBN(0xb3e91b32, 0xab65d08a),\n TOBN(0x035822ee, 0xf4502526), TOBN(0x1dcf0176, 0x720a82a9)}},\n {{TOBN(0x50f8598f, 0x3d589e02), TOBN(0xdf0478ff, 0xb1d63d2c),\n TOBN(0x8b8068bd, 0x1571cd07), TOBN(0x30c3aa4f, 0xd79670cd)},\n {TOBN(0x25e8fd4b, 0x941ade7f), TOBN(0x3d1debdc, 0x32790011),\n TOBN(0x65b6dcbd, 0x3a3f9ff0), TOBN(0x282736a4, 0x793de69c)}},\n {{TOBN(0xef69a0c3, 0xd41d3bd3), TOBN(0xb533b8c9, 0x07a26bde),\n TOBN(0xe2801d97, 0xdb2edf9f), TOBN(0xdc4a8269, 0xe1877af0)},\n {TOBN(0x6c1c5851, 0x3d590dbe), TOBN(0x84632f6b, 0xee4e9357),\n TOBN(0xd36d36b7, 0x79b33374), TOBN(0xb46833e3, 0x9bbca2e6)}},\n {{TOBN(0x37893913, 0xf7fc0586), TOBN(0x385315f7, 0x66bf4719),\n TOBN(0x72c56293, 0xb31855dc), TOBN(0xd1416d4e, 0x849061fe)},\n {TOBN(0xbeb3ab78, 0x51047213), TOBN(0x447f6e61, 0xf040c996),\n TOBN(0xd06d310d, 0x638b1d0c), TOBN(0xe28a413f, 0xbad1522e)}},\n {{TOBN(0x685a76cb, 0x82003f86), TOBN(0x610d07f7, 0x0bcdbca3),\n TOBN(0x6ff66021, 0x9ca4c455), TOBN(0x7df39b87, 0xcea10eec)},\n {TOBN(0xb9255f96, 0xe22db218), TOBN(0x8cc6d9eb, 0x08a34c44),\n TOBN(0xcd4ffb86, 0x859f9276), TOBN(0x8fa15eb2, 0x50d07335)}},\n {{TOBN(0xdf553845, 0xcf2c24b5), TOBN(0x89f66a9f, 0x52f9c3ba),\n TOBN(0x8f22b5b9, 0xe4a7ceb3), TOBN(0xaffef809, 0x0e134686)},\n {TOBN(0x3e53e1c6, 0x8eb8fac2), TOBN(0x93c1e4eb, 0x28aec98e),\n TOBN(0xb6b91ec5, 0x32a43bcb), TOBN(0x2dbfa947, 0xb2d74a51)}},\n {{TOBN(0xe065d190, 0xca84bad7), TOBN(0xfb13919f, 0xad58e65c),\n TOBN(0x3c41718b, 0xf1cb6e31), TOBN(0x688969f0, 0x06d05c3f)},\n {TOBN(0xd4f94ce7, 0x21264d45), TOBN(0xfdfb65e9, 0x7367532b),\n TOBN(0x5b1be8b1, 0x0945a39d), TOBN(0x229f789c, 0x2b8baf3b)}},\n {{TOBN(0xd8f41f3e, 0x6f49f15d), TOBN(0x678ce828, 0x907f0792),\n TOBN(0xc69ace82, 0xfca6e867), TOBN(0x106451ae, 0xd01dcc89)},\n {TOBN(0x1bb4f7f0, 0x19fc32d2), TOBN(0x64633dfc, 0xb00c52d2),\n TOBN(0x8f13549a, 0xad9ea445), TOBN(0x99a3bf50, 0xfb323705)}},\n {{TOBN(0x0c9625a2, 0x534d4dbc), TOBN(0x45b8f1d1, 0xc2a2fea3),\n TOBN(0x76ec21a1, 0xa530fc1a), TOBN(0x4bac9c2a, 0x9e5bd734)},\n {TOBN(0x5996d76a, 0x7b4e3587), TOBN(0x0045cdee, 0x1182d9e3),\n TOBN(0x1aee24b9, 0x1207f13d), TOBN(0x66452e97, 0x97345a41)}},\n {{TOBN(0x16e5b054, 0x9f950cd0), TOBN(0x9cc72fb1, 0xd7fdd075),\n TOBN(0x6edd61e7, 0x66249663), TOBN(0xde4caa4d, 0xf043cccb)},\n {TOBN(0x11b1f57a, 0x55c7ac17), TOBN(0x779cbd44, 0x1a85e24d),\n TOBN(0x78030f86, 0xe46081e7), TOBN(0xfd4a6032, 0x8e20f643)}},\n {{TOBN(0xcc7a6488, 0x0a750c0f), TOBN(0x39bacfe3, 0x4e548e83),\n TOBN(0x3d418c76, 0x0c110f05), TOBN(0x3e4daa4c, 0xb1f11588)},\n {TOBN(0x2733e7b5, 0x5ffc69ff), TOBN(0x46f147bc, 0x92053127),\n TOBN(0x885b2434, 0xd722df94), TOBN(0x6a444f65, 0xe6fc6b7c)}}},\n {{{TOBN(0x7a1a465a, 0xc3f16ea8), TOBN(0x115a461d, 0xb2f1d11c),\n TOBN(0x4767dd95, 0x6c68a172), TOBN(0x3392f2eb, 0xd13a4698)},\n {TOBN(0xc7a99ccd, 0xe526cdc7), TOBN(0x8e537fdc, 0x22292b81),\n TOBN(0x76d8cf69, 0xa6d39198), TOBN(0xffc5ff43, 0x2446852d)}},\n {{TOBN(0x97b14f7e, 0xa90567e6), TOBN(0x513257b7, 0xb6ae5cb7),\n TOBN(0x85454a3c, 0x9f10903d), TOBN(0xd8d2c9ad, 0x69bc3724)},\n {TOBN(0x38da9324, 0x6b29cb44), TOBN(0xb540a21d, 0x77c8cbac),\n TOBN(0x9bbfe435, 0x01918e42), TOBN(0xfffa707a, 0x56c3614e)}},\n {{TOBN(0x0ce4e3f1, 0xd4e353b7), TOBN(0x062d8a14, 0xef46b0a0),\n TOBN(0x6408d5ab, 0x574b73fd), TOBN(0xbc41d1c9, 0xd3273ffd)},\n {TOBN(0x3538e1e7, 0x6be77800), TOBN(0x71fe8b37, 0xc5655031),\n TOBN(0x1cd91621, 0x6b9b331a), TOBN(0xad825d0b, 0xbb388f73)}},\n {{TOBN(0x56c2e05b, 0x1cb76219), TOBN(0x0ec0bf91, 0x71567e7e),\n TOBN(0xe7076f86, 0x61c4c910), TOBN(0xd67b085b, 0xbabc04d9)},\n {TOBN(0x9fb90459, 0x5e93a96a), TOBN(0x7526c1ea, 0xfbdc249a),\n TOBN(0x0d44d367, 0xecdd0bb7), TOBN(0x95399917, 0x9dc0d695)}},\n {{TOBN(0x61360ee9, 0x9e240d18), TOBN(0x057cdcac, 0xb4b94466),\n TOBN(0xe7667cd1, 0x2fe5325c), TOBN(0x1fa297b5, 0x21974e3b)},\n {TOBN(0xfa4081e7, 0xdb083d76), TOBN(0x31993be6, 0xf206bd15),\n TOBN(0x8949269b, 0x14c19f8c), TOBN(0x21468d72, 0xa9d92357)}},\n {{TOBN(0x2ccbc583, 0xa4c506ec), TOBN(0x957ed188, 0xd1acfe97),\n TOBN(0x8baed833, 0x12f1aea2), TOBN(0xef2a6cb4, 0x8325362d)},\n {TOBN(0x130dde42, 0x8e195c43), TOBN(0xc842025a, 0x0e6050c6),\n TOBN(0x2da972a7, 0x08686a5d), TOBN(0xb52999a1, 0xe508b4a8)}},\n {{TOBN(0xd9f090b9, 0x10a5a8bd), TOBN(0xca91d249, 0x096864da),\n TOBN(0x8e6a93be, 0x3f67dbc1), TOBN(0xacae6fba, 0xf5f4764c)},\n {TOBN(0x1563c6e0, 0xd21411a0), TOBN(0x28fa787f, 0xda0a4ad8),\n TOBN(0xd524491c, 0x908c8030), TOBN(0x1257ba0e, 0x4c795f07)}},\n {{TOBN(0x83f49167, 0xceca9754), TOBN(0x426d2cf6, 0x4b7939a0),\n TOBN(0x2555e355, 0x723fd0bf), TOBN(0xa96e6d06, 0xc4f144e2)},\n {TOBN(0x4768a8dd, 0x87880e61), TOBN(0x15543815, 0xe508e4d5),\n TOBN(0x09d7e772, 0xb1b65e15), TOBN(0x63439dd6, 0xac302fa0)}},\n {{TOBN(0xb93f802f, 0xc14e35c2), TOBN(0x71735b7c, 0x4341333c),\n TOBN(0x03a25104, 0x16d4f362), TOBN(0x3f4d069b, 0xbf433c8e)},\n {TOBN(0x0d83ae01, 0xf78f5a7c), TOBN(0x50a8ffbe, 0x7c4eed07),\n TOBN(0xc74f8906, 0x76e10f83), TOBN(0x7d080966, 0x9ddaf8e1)}},\n {{TOBN(0xb11df8e1, 0x698e04cc), TOBN(0x877be203, 0x169005c8),\n TOBN(0x32749e8c, 0x4f3c6179), TOBN(0x2dbc9d0a, 0x7853fc05)},\n {TOBN(0x187d4f93, 0x9454d937), TOBN(0xe682ce9d, 0xb4800e1b),\n TOBN(0xa9129ad8, 0x165e68e8), TOBN(0x0fe29735, 0xbe7f785b)}},\n {{TOBN(0x5303f40c, 0x5b9e02b7), TOBN(0xa37c9692, 0x35ee04e8),\n TOBN(0x5f46cc20, 0x34d6632b), TOBN(0x55ef72b2, 0x96ac545b)},\n {TOBN(0xabec5c1f, 0x7b91b062), TOBN(0x0a79e1c7, 0xbb33e821),\n TOBN(0xbb04b428, 0x3a9f4117), TOBN(0x0de1f28f, 0xfd2a475a)}},\n {{TOBN(0x31019ccf, 0x3a4434b4), TOBN(0xa3458111, 0x1a7954dc),\n TOBN(0xa9dac80d, 0xe34972a7), TOBN(0xb043d054, 0x74f6b8dd)},\n {TOBN(0x021c319e, 0x11137b1a), TOBN(0x00a754ce, 0xed5cc03f),\n TOBN(0x0aa2c794, 0xcbea5ad4), TOBN(0x093e67f4, 0x70c015b6)}},\n {{TOBN(0x72cdfee9, 0xc97e3f6b), TOBN(0xc10bcab4, 0xb6da7461),\n TOBN(0x3b02d2fc, 0xb59806b9), TOBN(0x85185e89, 0xa1de6f47)},\n {TOBN(0x39e6931f, 0x0eb6c4d4), TOBN(0x4d4440bd, 0xd4fa5b04),\n TOBN(0x5418786e, 0x34be7eb8), TOBN(0x6380e521, 0x9d7259bc)}},\n {{TOBN(0x20ac0351, 0xd598d710), TOBN(0x272c4166, 0xcb3a4da4),\n TOBN(0xdb82fe1a, 0xca71de1f), TOBN(0x746e79f2, 0xd8f54b0f)},\n {TOBN(0x6e7fc736, 0x4b573e9b), TOBN(0x75d03f46, 0xfd4b5040),\n TOBN(0x5c1cc36d, 0x0b98d87b), TOBN(0x513ba3f1, 0x1f472da1)}},\n {{TOBN(0x79d0af26, 0xabb177dd), TOBN(0xf82ab568, 0x7891d564),\n TOBN(0x2b6768a9, 0x72232173), TOBN(0xefbb3bb0, 0x8c1f6619)},\n {TOBN(0xb29c11db, 0xa6d18358), TOBN(0x519e2797, 0xb0916d3a),\n TOBN(0xd4dc18f0, 0x9188e290), TOBN(0x648e86e3, 0x98b0ca7f)}},\n {{TOBN(0x859d3145, 0x983c38b5), TOBN(0xb14f176c, 0x637abc8b),\n TOBN(0x2793fb9d, 0xcaff7be6), TOBN(0xebe5a55f, 0x35a66a5a)},\n {TOBN(0x7cec1dcd, 0x9f87dc59), TOBN(0x7c595cd3, 0xfbdbf560),\n TOBN(0x5b543b22, 0x26eb3257), TOBN(0x69080646, 0xc4c935fd)}},\n {{TOBN(0x7f2e4403, 0x81e9ede3), TOBN(0x243c3894, 0xcaf6df0a),\n TOBN(0x7c605bb1, 0x1c073b11), TOBN(0xcd06a541, 0xba6a4a62)},\n {TOBN(0x29168949, 0x49d4e2e5), TOBN(0x33649d07, 0x4af66880),\n TOBN(0xbfc0c885, 0xe9a85035), TOBN(0xb4e52113, 0xfc410f4b)}},\n {{TOBN(0xdca3b706, 0x78a6513b), TOBN(0x92ea4a2a, 0x9edb1943),\n TOBN(0x02642216, 0xdb6e2dd8), TOBN(0x9b45d0b4, 0x9fd57894)},\n {TOBN(0x114e70db, 0xc69d11ae), TOBN(0x1477dd19, 0x4c57595f),\n TOBN(0xbc2208b4, 0xec77c272), TOBN(0x95c5b4d7, 0xdb68f59c)}},\n {{TOBN(0xb8c4fc63, 0x42e532b7), TOBN(0x386ba422, 0x9ae35290),\n TOBN(0xfb5dda42, 0xd201ecbc), TOBN(0x2353dc8b, 0xa0e38fd6)},\n {TOBN(0x9a0b85ea, 0x68f7e978), TOBN(0x96ec5682, 0x2ad6d11f),\n TOBN(0x5e279d6c, 0xe5f6886d), TOBN(0xd3fe03cd, 0x3cb1914d)}},\n {{TOBN(0xfe541fa4, 0x7ea67c77), TOBN(0x952bd2af, 0xe3ea810c),\n TOBN(0x791fef56, 0x8d01d374), TOBN(0xa3a1c621, 0x0f11336e)},\n {TOBN(0x5ad0d5a9, 0xc7ec6d79), TOBN(0xff7038af, 0x3225c342),\n TOBN(0x003c6689, 0xbc69601b), TOBN(0x25059bc7, 0x45e8747d)}},\n {{TOBN(0xfa4965b2, 0xf2086fbf), TOBN(0xf6840ea6, 0x86916078),\n TOBN(0xd7ac7620, 0x70081d6c), TOBN(0xe600da31, 0xb5328645)},\n {TOBN(0x01916f63, 0x529b8a80), TOBN(0xe80e4858, 0x2d7d6f3e),\n TOBN(0x29eb0fe8, 0xd664ca7c), TOBN(0xf017637b, 0xe7b43b0c)}},\n {{TOBN(0x9a75c806, 0x76cb2566), TOBN(0x8f76acb1, 0xb24892d9),\n TOBN(0x7ae7b9cc, 0x1f08fe45), TOBN(0x19ef7329, 0x6a4907d8)},\n {TOBN(0x2db4ab71, 0x5f228bf0), TOBN(0xf3cdea39, 0x817032d7),\n TOBN(0x0b1f482e, 0xdcabe3c0), TOBN(0x3baf76b4, 0xbb86325c)}},\n {{TOBN(0xd49065e0, 0x10089465), TOBN(0x3bab5d29, 0x8e77c596),\n TOBN(0x7636c3a6, 0x193dbd95), TOBN(0xdef5d294, 0xb246e499)},\n {TOBN(0xb22c58b9, 0x286b2475), TOBN(0xa0b93939, 0xcd80862b),\n TOBN(0x3002c83a, 0xf0992388), TOBN(0x6de01f9b, 0xeacbe14c)}},\n {{TOBN(0x6aac688e, 0xadd70482), TOBN(0x708de92a, 0x7b4a4e8a),\n TOBN(0x75b6dd73, 0x758a6eef), TOBN(0xea4bf352, 0x725b3c43)},\n {TOBN(0x10041f2c, 0x87912868), TOBN(0xb1b1be95, 0xef09297a),\n TOBN(0x19ae23c5, 0xa9f3860a), TOBN(0xc4f0f839, 0x515dcf4b)}},\n {{TOBN(0x3c7ecca3, 0x97f6306a), TOBN(0x744c44ae, 0x68a3a4b0),\n TOBN(0x69cd13a0, 0xb3a1d8a2), TOBN(0x7cad0a1e, 0x5256b578)},\n {TOBN(0xea653fcd, 0x33791d9e), TOBN(0x9cc2a05d, 0x74b2e05f),\n TOBN(0x73b391dc, 0xfd7affa2), TOBN(0xddb7091e, 0xb6b05442)}},\n {{TOBN(0xc71e27bf, 0x8538a5c6), TOBN(0x195c63dd, 0x89abff17),\n TOBN(0xfd315285, 0x1b71e3da), TOBN(0x9cbdfda7, 0xfa680fa0)},\n {TOBN(0x9db876ca, 0x849d7eab), TOBN(0xebe2764b, 0x3c273271),\n TOBN(0x663357e3, 0xf208dcea), TOBN(0x8c5bd833, 0x565b1b70)}},\n {{TOBN(0xccc3b4f5, 0x9837fc0d), TOBN(0x9b641ba8, 0xa79cf00f),\n TOBN(0x7428243d, 0xdfdf3990), TOBN(0x83a594c4, 0x020786b1)},\n {TOBN(0xb712451a, 0x526c4502), TOBN(0x9d39438e, 0x6adb3f93),\n TOBN(0xfdb261e3, 0xe9ff0ccd), TOBN(0x80344e3c, 0xe07af4c3)}},\n {{TOBN(0x75900d7c, 0x2fa4f126), TOBN(0x08a3b865, 0x5c99a232),\n TOBN(0x2478b6bf, 0xdb25e0c3), TOBN(0x482cc2c2, 0x71db2edf)},\n {TOBN(0x37df7e64, 0x5f321bb8), TOBN(0x8a93821b, 0x9a8005b4),\n TOBN(0x3fa2f10c, 0xcc8c1958), TOBN(0x0d332218, 0x2c269d0a)}},\n {{TOBN(0x20ab8119, 0xe246b0e6), TOBN(0xb39781e4, 0xd349fd17),\n TOBN(0xd293231e, 0xb31aa100), TOBN(0x4b779c97, 0xbb032168)},\n {TOBN(0x4b3f19e1, 0xc8470500), TOBN(0x45b7efe9, 0x0c4c869d),\n TOBN(0xdb84f38a, 0xa1a6bbcc), TOBN(0x3b59cb15, 0xb2fddbc1)}},\n {{TOBN(0xba5514df, 0x3fd165e8), TOBN(0x499fd6a9, 0x061f8811),\n TOBN(0x72cd1fe0, 0xbfef9f00), TOBN(0x120a4bb9, 0x79ad7e8a)},\n {TOBN(0xf2ffd095, 0x5f4a5ac5), TOBN(0xcfd174f1, 0x95a7a2f0),\n TOBN(0xd42301ba, 0x9d17baf1), TOBN(0xd2fa487a, 0x77f22089)}},\n {{TOBN(0x9cb09efe, 0xb1dc77e1), TOBN(0xe9566939, 0x21c99682),\n TOBN(0x8c546901, 0x6c6067bb), TOBN(0xfd378574, 0x61c24456)},\n {TOBN(0x2b6a6cbe, 0x81796b33), TOBN(0x62d550f6, 0x58e87f8b),\n TOBN(0x1b763e1c, 0x7f1b01b4), TOBN(0x4b93cfea, 0x1b1b5e12)}},\n {{TOBN(0xb9345238, 0x1d531696), TOBN(0x57201c00, 0x88cdde69),\n TOBN(0xdde92251, 0x9a86afc7), TOBN(0xe3043895, 0xbd35cea8)},\n {TOBN(0x7608c1e1, 0x8555970d), TOBN(0x8267dfa9, 0x2535935e),\n TOBN(0xd4c60a57, 0x322ea38b), TOBN(0xe0bf7977, 0x804ef8b5)}},\n {{TOBN(0x1a0dab28, 0xc06fece4), TOBN(0xd405991e, 0x94e7b49d),\n TOBN(0xc542b6d2, 0x706dab28), TOBN(0xcb228da3, 0xa91618fb)},\n {TOBN(0x224e4164, 0x107d1cea), TOBN(0xeb9fdab3, 0xd0f5d8f1),\n TOBN(0xc02ba386, 0x0d6e41cd), TOBN(0x676a72c5, 0x9b1f7146)}},\n {{TOBN(0xffd6dd98, 0x4d6cb00b), TOBN(0xcef9c5ca, 0xde2e8d7c),\n TOBN(0xa1bbf5d7, 0x641c7936), TOBN(0x1b95b230, 0xee8f772e)},\n {TOBN(0xf765a92e, 0xe8ac25b1), TOBN(0xceb04cfc, 0x3a18b7c6),\n TOBN(0x27944cef, 0x0acc8966), TOBN(0xcbb3c957, 0x434c1004)}},\n {{TOBN(0x9c9971a1, 0xa43ff93c), TOBN(0x5bc2db17, 0xa1e358a9),\n TOBN(0x45b4862e, 0xa8d9bc82), TOBN(0x70ebfbfb, 0x2201e052)},\n {TOBN(0xafdf64c7, 0x92871591), TOBN(0xea5bcae6, 0xb42d0219),\n TOBN(0xde536c55, 0x2ad8f03c), TOBN(0xcd6c3f4d, 0xa76aa33c)}},\n {{TOBN(0xbeb5f623, 0x0bca6de3), TOBN(0xdd20dd99, 0xb1e706fd),\n TOBN(0x90b3ff9d, 0xac9059d4), TOBN(0x2d7b2902, 0x7ccccc4e)},\n {TOBN(0x8a090a59, 0xce98840f), TOBN(0xa5d947e0, 0x8410680a),\n TOBN(0x49ae346a, 0x923379a5), TOBN(0x7dbc84f9, 0xb28a3156)}},\n {{TOBN(0xfd40d916, 0x54a1aff2), TOBN(0xabf318ba, 0x3a78fb9b),\n TOBN(0x50152ed8, 0x3029f95e), TOBN(0x9fc1dd77, 0xc58ad7fa)},\n {TOBN(0x5fa57915, 0x13595c17), TOBN(0xb9504668, 0x8f62b3a9),\n TOBN(0x907b5b24, 0xff3055b0), TOBN(0x2e995e35, 0x9a84f125)}},\n {{TOBN(0x87dacf69, 0x7e9bbcfb), TOBN(0x95d0c1d6, 0xe86d96e3),\n TOBN(0x65726e3c, 0x2d95a75c), TOBN(0x2c3c9001, 0xacd27f21)},\n {TOBN(0x1deab561, 0x6c973f57), TOBN(0x108b7e2c, 0xa5221643),\n TOBN(0x5fee9859, 0xc4ef79d4), TOBN(0xbd62b88a, 0x40d4b8c6)}},\n {{TOBN(0xb4dd29c4, 0x197c75d6), TOBN(0x266a6df2, 0xb7076feb),\n TOBN(0x9512d0ea, 0x4bf2df11), TOBN(0x1320c24f, 0x6b0cc9ec)},\n {TOBN(0x6bb1e0e1, 0x01a59596), TOBN(0x8317c5bb, 0xeff9aaac),\n TOBN(0x65bb405e, 0x385aa6c9), TOBN(0x613439c1, 0x8f07988f)}},\n {{TOBN(0xd730049f, 0x16a66e91), TOBN(0xe97f2820, 0xfa1b0e0d),\n TOBN(0x4131e003, 0x304c28ea), TOBN(0x820ab732, 0x526bac62)},\n {TOBN(0xb2ac9ef9, 0x28714423), TOBN(0x54ecfffa, 0xadb10cb2),\n TOBN(0x8781476e, 0xf886a4cc), TOBN(0x4b2c87b5, 0xdb2f8d49)}},\n {{TOBN(0xe857cd20, 0x0a44295d), TOBN(0x707d7d21, 0x58c6b044),\n TOBN(0xae8521f9, 0xf596757c), TOBN(0x87448f03, 0x67b2b714)},\n {TOBN(0x13a9bc45, 0x5ebcd58d), TOBN(0x79bcced9, 0x9122d3c1),\n TOBN(0x3c644247, 0x9e076642), TOBN(0x0cf22778, 0x2df4767d)}},\n {{TOBN(0x5e61aee4, 0x71d444b6), TOBN(0x211236bf, 0xc5084a1d),\n TOBN(0x7e15bc9a, 0x4fd3eaf6), TOBN(0x68df2c34, 0xab622bf5)},\n {TOBN(0x9e674f0f, 0x59bf4f36), TOBN(0xf883669b, 0xd7f34d73),\n TOBN(0xc48ac1b8, 0x31497b1d), TOBN(0x323b925d, 0x5106703b)}},\n {{TOBN(0x22156f42, 0x74082008), TOBN(0xeffc521a, 0xc8482bcb),\n TOBN(0x5c6831bf, 0x12173479), TOBN(0xcaa2528f, 0xc4739490)},\n {TOBN(0x84d2102a, 0x8f1b3c4d), TOBN(0xcf64dfc1, 0x2d9bec0d),\n TOBN(0x433febad, 0x78a546ef), TOBN(0x1f621ec3, 0x7b73cef1)}},\n {{TOBN(0x6aecd627, 0x37338615), TOBN(0x162082ab, 0x01d8edf6),\n TOBN(0x833a8119, 0x19e86b66), TOBN(0x6023a251, 0xd299b5db)},\n {TOBN(0xf5bb0c3a, 0xbbf04b89), TOBN(0x6735eb69, 0xae749a44),\n TOBN(0xd0e058c5, 0x4713de3b), TOBN(0xfdf2593e, 0x2c3d4ccd)}},\n {{TOBN(0x1b8f414e, 0xfdd23667), TOBN(0xdd52aaca, 0xfa2015ee),\n TOBN(0x3e31b517, 0xbd9625ff), TOBN(0x5ec9322d, 0x8db5918c)},\n {TOBN(0xbc73ac85, 0xa96f5294), TOBN(0x82aa5bf3, 0x61a0666a),\n TOBN(0x49755810, 0xbf08ac42), TOBN(0xd21cdfd5, 0x891cedfc)}},\n {{TOBN(0x918cb57b, 0x67f8be10), TOBN(0x365d1a7c, 0x56ffa726),\n TOBN(0x2435c504, 0x6532de93), TOBN(0xc0fc5e10, 0x2674cd02)},\n {TOBN(0x6e51fcf8, 0x9cbbb142), TOBN(0x1d436e5a, 0xafc50692),\n TOBN(0x766bffff, 0x3fbcae22), TOBN(0x3148c2fd, 0xfd55d3b8)}},\n {{TOBN(0x52c7fdc9, 0x233222fa), TOBN(0x89ff1092, 0xe419fb6b),\n TOBN(0x3cd6db99, 0x25254977), TOBN(0x2e85a161, 0x1cf12ca7)},\n {TOBN(0xadd2547c, 0xdc810bc9), TOBN(0xea3f458f, 0x9d257c22),\n TOBN(0x642c1fbe, 0x27d6b19b), TOBN(0xed07e6b5, 0x140481a6)}},\n {{TOBN(0x6ada1d42, 0x86d2e0f8), TOBN(0xe5920122, 0x0e8a9fd5),\n TOBN(0x02c936af, 0x708c1b49), TOBN(0x60f30fee, 0x2b4bfaff)},\n {TOBN(0x6637ad06, 0x858e6a61), TOBN(0xce4c7767, 0x3fd374d0),\n TOBN(0x39d54b2d, 0x7188defb), TOBN(0xa8c9d250, 0xf56a6b66)}},\n {{TOBN(0x58fc0f5e, 0xb24fe1dc), TOBN(0x9eaf9dee, 0x6b73f24c),\n TOBN(0xa90d588b, 0x33650705), TOBN(0xde5b62c5, 0xaf2ec729)},\n {TOBN(0x5c72cfae, 0xd3c2b36e), TOBN(0x868c19d5, 0x034435da),\n TOBN(0x88605f93, 0xe17ee145), TOBN(0xaa60c4ee, 0x77a5d5b1)}},\n {{TOBN(0xbcf5bfd2, 0x3b60c472), TOBN(0xaf4ef13c, 0xeb1d3049),\n TOBN(0x373f44fc, 0xe13895c9), TOBN(0xf29b382f, 0x0cbc9822)},\n {TOBN(0x1bfcb853, 0x73efaef6), TOBN(0xcf56ac9c, 0xa8c96f40),\n TOBN(0xd7adf109, 0x7a191e24), TOBN(0x98035f44, 0xbf8a8dc2)}},\n {{TOBN(0xf40a71b9, 0x1e750c84), TOBN(0xc57f7b0c, 0x5dc6c469),\n TOBN(0x49a0e79c, 0x6fbc19c1), TOBN(0x6b0f5889, 0xa48ebdb8)},\n {TOBN(0x5d3fd084, 0xa07c4e9f), TOBN(0xc3830111, 0xab27de14),\n TOBN(0x0e4929fe, 0x33e08dcc), TOBN(0xf4a5ad24, 0x40bb73a3)}},\n {{TOBN(0xde86c2bf, 0x490f97ca), TOBN(0x288f09c6, 0x67a1ce18),\n TOBN(0x364bb886, 0x1844478d), TOBN(0x7840fa42, 0xceedb040)},\n {TOBN(0x1269fdd2, 0x5a631b37), TOBN(0x94761f1e, 0xa47c8b7d),\n TOBN(0xfc0c2e17, 0x481c6266), TOBN(0x85e16ea2, 0x3daa5fa7)}},\n {{TOBN(0xccd86033, 0x92491048), TOBN(0x0c2f6963, 0xf4d402d7),\n TOBN(0x6336f7df, 0xdf6a865c), TOBN(0x0a2a463c, 0xb5c02a87)},\n {TOBN(0xb0e29be7, 0xbf2f12ee), TOBN(0xf0a22002, 0x66bad988),\n TOBN(0x27f87e03, 0x9123c1d7), TOBN(0x21669c55, 0x328a8c98)}},\n {{TOBN(0x186b9803, 0x92f14529), TOBN(0xd3d056cc, 0x63954df3),\n TOBN(0x2f03fd58, 0x175a46f6), TOBN(0x63e34ebe, 0x11558558)},\n {TOBN(0xe13fedee, 0x5b80cfa5), TOBN(0xe872a120, 0xd401dbd1),\n TOBN(0x52657616, 0xe8a9d667), TOBN(0xbc8da4b6, 0xe08d6693)}},\n {{TOBN(0x370fb9bb, 0x1b703e75), TOBN(0x6773b186, 0xd4338363),\n TOBN(0x18dad378, 0xecef7bff), TOBN(0xaac787ed, 0x995677da)},\n {TOBN(0x4801ea8b, 0x0437164b), TOBN(0xf430ad20, 0x73fe795e),\n TOBN(0xb164154d, 0x8ee5eb73), TOBN(0x0884ecd8, 0x108f7c0e)}},\n {{TOBN(0x0e6ec096, 0x5f520698), TOBN(0x640631fe, 0x44f7b8d9),\n TOBN(0x92fd34fc, 0xa35a68b9), TOBN(0x9c5a4b66, 0x4d40cf4e)},\n {TOBN(0x949454bf, 0x80b6783d), TOBN(0x80e701fe, 0x3a320a10),\n TOBN(0x8d1a564a, 0x1a0a39b2), TOBN(0x1436d53d, 0x320587db)}},\n {{TOBN(0xf5096e6d, 0x6556c362), TOBN(0xbc23a3c0, 0xe2455d7e),\n TOBN(0x3a7aee54, 0x807230f9), TOBN(0x9ba1cfa6, 0x22ae82fd)},\n {TOBN(0x833a057a, 0x99c5d706), TOBN(0x8be85f4b, 0x842315c9),\n TOBN(0xd083179a, 0x66a72f12), TOBN(0x2fc77d5d, 0xcdcc73cd)}},\n {{TOBN(0x22b88a80, 0x5616ee30), TOBN(0xfb09548f, 0xe7ab1083),\n TOBN(0x8ad6ab0d, 0x511270cd), TOBN(0x61f6c57a, 0x6924d9ab)},\n {TOBN(0xa0f7bf72, 0x90aecb08), TOBN(0x849f87c9, 0x0df784a4),\n TOBN(0x27c79c15, 0xcfaf1d03), TOBN(0xbbf9f675, 0xc463face)}},\n {{TOBN(0x91502c65, 0x765ba543), TOBN(0x18ce3cac, 0x42ea60dd),\n TOBN(0xe5cee6ac, 0x6e43ecb3), TOBN(0x63e4e910, 0x68f2aeeb)},\n {TOBN(0x26234fa3, 0xc85932ee), TOBN(0x96883e8b, 0x4c90c44d),\n TOBN(0x29b9e738, 0xa18a50f6), TOBN(0xbfc62b2a, 0x3f0420df)}},\n {{TOBN(0xd22a7d90, 0x6d3e1fa9), TOBN(0x17115618, 0xfe05b8a3),\n TOBN(0x2a0c9926, 0xbb2b9c01), TOBN(0xc739fcc6, 0xe07e76a2)},\n {TOBN(0x540e9157, 0x165e439a), TOBN(0x06353a62, 0x6a9063d8),\n TOBN(0x84d95594, 0x61e927a3), TOBN(0x013b9b26, 0xe2e0be7f)}},\n {{TOBN(0x4feaec3b, 0x973497f1), TOBN(0x15c0f94e, 0x093ebc2d),\n TOBN(0x6af5f227, 0x33af0583), TOBN(0x0c2af206, 0xc61f3340)},\n {TOBN(0xd25dbdf1, 0x4457397c), TOBN(0x2e8ed017, 0xcabcbae0),\n TOBN(0xe3010938, 0xc2815306), TOBN(0xbaa99337, 0xe8c6cd68)}},\n {{TOBN(0x08513182, 0x3b0ec7de), TOBN(0x1e1b822b, 0x58df05df),\n TOBN(0x5c14842f, 0xa5c3b683), TOBN(0x98fe977e, 0x3eba34ce)},\n {TOBN(0xfd2316c2, 0x0d5e8873), TOBN(0xe48d839a, 0xbd0d427d),\n TOBN(0x495b2218, 0x623fc961), TOBN(0x24ee56e7, 0xb46fba5e)}},\n {{TOBN(0x9184a55b, 0x91e4de58), TOBN(0xa7488ca5, 0xdfdea288),\n TOBN(0xa723862e, 0xa8dcc943), TOBN(0x92d762b2, 0x849dc0fc)},\n {TOBN(0x3c444a12, 0x091ff4a9), TOBN(0x581113fa, 0x0cada274),\n TOBN(0xb9de0a45, 0x30d8eae2), TOBN(0x5e0fcd85, 0xdf6b41ea)}},\n {{TOBN(0x6233ea68, 0xc094dbb5), TOBN(0xb77d062e, 0xd968d410),\n TOBN(0x3e719bbc, 0x58b3002d), TOBN(0x68e7dd3d, 0x3dc49d58)},\n {TOBN(0x8d825740, 0x013a5e58), TOBN(0x21311747, 0x3c9e3c1b),\n TOBN(0x0cb0a2a7, 0x7c99b6ab), TOBN(0x5c48a3b3, 0xc2f888f2)}}},\n {{{TOBN(0xc7913e91, 0x991724f3), TOBN(0x5eda799c, 0x39cbd686),\n TOBN(0xddb595c7, 0x63d4fc1e), TOBN(0x6b63b80b, 0xac4fed54)},\n {TOBN(0x6ea0fc69, 0x7e5fb516), TOBN(0x737708ba, 0xd0f1c964),\n TOBN(0x9628745f, 0x11a92ca5), TOBN(0x61f37958, 0x9a86967a)}},\n {{TOBN(0x9af39b2c, 0xaa665072), TOBN(0x78322fa4, 0xefd324ef),\n TOBN(0x3d153394, 0xc327bd31), TOBN(0x81d5f271, 0x3129dab0)},\n {TOBN(0xc72e0c42, 0xf48027f5), TOBN(0xaa40cdbc, 0x8536e717),\n TOBN(0xf45a657a, 0x2d369d0f), TOBN(0xb03bbfc4, 0xea7f74e6)}},\n {{TOBN(0x46a8c418, 0x0d738ded), TOBN(0x6f1a5bb0, 0xe0de5729),\n TOBN(0xf10230b9, 0x8ba81675), TOBN(0x32c6f30c, 0x112b33d4)},\n {TOBN(0x7559129d, 0xd8fffb62), TOBN(0x6a281b47, 0xb459bf05),\n TOBN(0x77c1bd3a, 0xfa3b6776), TOBN(0x0709b380, 0x7829973a)}},\n {{TOBN(0x8c26b232, 0xa3326505), TOBN(0x38d69272, 0xee1d41bf),\n TOBN(0x0459453e, 0xffe32afa), TOBN(0xce8143ad, 0x7cb3ea87)},\n {TOBN(0x932ec1fa, 0x7e6ab666), TOBN(0x6cd2d230, 0x22286264),\n TOBN(0x459a46fe, 0x6736f8ed), TOBN(0x50bf0d00, 0x9eca85bb)}},\n {{TOBN(0x0b825852, 0x877a21ec), TOBN(0x300414a7, 0x0f537a94),\n TOBN(0x3f1cba40, 0x21a9a6a2), TOBN(0x50824eee, 0x76943c00)},\n {TOBN(0xa0dbfcec, 0xf83cba5d), TOBN(0xf9538148, 0x93b4f3c0),\n TOBN(0x61744162, 0x48f24dd7), TOBN(0x5322d64d, 0xe4fb09dd)}},\n {{TOBN(0x57447384, 0x3d9325f3), TOBN(0xa9bef2d0, 0xf371cb84),\n TOBN(0x77d2188b, 0xa61e36c5), TOBN(0xbbd6a7d7, 0xc602df72)},\n {TOBN(0xba3aa902, 0x8f61bc0b), TOBN(0xf49085ed, 0x6ed0b6a1),\n TOBN(0x8bc625d6, 0xae6e8298), TOBN(0x832b0b1d, 0xa2e9c01d)}},\n {{TOBN(0xa337c447, 0xf1f0ced1), TOBN(0x800cc793, 0x9492dd2b),\n TOBN(0x4b93151d, 0xbea08efa), TOBN(0x820cf3f8, 0xde0a741e)},\n {TOBN(0xff1982dc, 0x1c0f7d13), TOBN(0xef921960, 0x84dde6ca),\n TOBN(0x1ad7d972, 0x45f96ee3), TOBN(0x319c8dbe, 0x29dea0c7)}},\n {{TOBN(0xd3ea3871, 0x7b82b99b), TOBN(0x75922d4d, 0x470eb624),\n TOBN(0x8f66ec54, 0x3b95d466), TOBN(0x66e673cc, 0xbee1e346)},\n {TOBN(0x6afe67c4, 0xb5f2b89a), TOBN(0x3de9c1e6, 0x290e5cd3),\n TOBN(0x8c278bb6, 0x310a2ada), TOBN(0x420fa384, 0x0bdb323b)}},\n {{TOBN(0x0ae1d63b, 0x0eb919b0), TOBN(0xd74ee51d, 0xa74b9620),\n TOBN(0x395458d0, 0xa674290c), TOBN(0x324c930f, 0x4620a510)},\n {TOBN(0x2d1f4d19, 0xfbac27d4), TOBN(0x4086e8ca, 0x9bedeeac),\n TOBN(0x0cdd211b, 0x9b679ab8), TOBN(0x5970167d, 0x7090fec4)}},\n {{TOBN(0x3420f2c9, 0xfaf1fc63), TOBN(0x616d333a, 0x328c8bb4),\n TOBN(0x7d65364c, 0x57f1fe4a), TOBN(0x9343e877, 0x55e5c73a)},\n {TOBN(0x5795176b, 0xe970e78c), TOBN(0xa36ccebf, 0x60533627),\n TOBN(0xfc7c7380, 0x09cdfc1b), TOBN(0xb39a2afe, 0xb3fec326)}},\n {{TOBN(0xb7ff1ba1, 0x6224408a), TOBN(0xcc856e92, 0x247cfc5e),\n TOBN(0x01f102e7, 0xc18bc493), TOBN(0x4613ab74, 0x2091c727)},\n {TOBN(0xaa25e89c, 0xc420bf2b), TOBN(0x00a53176, 0x90337ec2),\n TOBN(0xd2be9f43, 0x7d025fc7), TOBN(0x3316fb85, 0x6e6fe3dc)}},\n {{TOBN(0x27520af5, 0x9ac50814), TOBN(0xfdf95e78, 0x9a8e4223),\n TOBN(0xb7e7df2a, 0x56bec5a0), TOBN(0xf7022f7d, 0xdf159e5d)},\n {TOBN(0x93eeeab1, 0xcac1fe8f), TOBN(0x8040188c, 0x37451168),\n TOBN(0x7ee8aa8a, 0xd967dce6), TOBN(0xfa0e79e7, 0x3abc9299)}},\n {{TOBN(0x67332cfc, 0x2064cfd1), TOBN(0x339c31de, 0xb0651934),\n TOBN(0x719b28d5, 0x2a3bcbea), TOBN(0xee74c82b, 0x9d6ae5c6)},\n {TOBN(0x0927d05e, 0xbaf28ee6), TOBN(0x82cecf2c, 0x9d719028),\n TOBN(0x0b0d353e, 0xddb30289), TOBN(0xfe4bb977, 0xfddb2e29)}},\n {{TOBN(0xbb5bb990, 0x640bfd9e), TOBN(0xd226e277, 0x82f62108),\n TOBN(0x4bf00985, 0x02ffdd56), TOBN(0x7756758a, 0x2ca1b1b5)},\n {TOBN(0xc32b62a3, 0x5285fe91), TOBN(0xedbc546a, 0x8c9cd140),\n TOBN(0x1e47a013, 0xaf5cb008), TOBN(0xbca7e720, 0x073ce8f2)}},\n {{TOBN(0xe10b2ab8, 0x17a91cae), TOBN(0xb89aab65, 0x08e27f63),\n TOBN(0x7b3074a7, 0xdba3ddf9), TOBN(0x1c20ce09, 0x330c2972)},\n {TOBN(0x6b9917b4, 0x5fcf7e33), TOBN(0xe6793743, 0x945ceb42),\n TOBN(0x18fc2215, 0x5c633d19), TOBN(0xad1adb3c, 0xc7485474)}},\n {{TOBN(0x646f9679, 0x6424c49b), TOBN(0xf888dfe8, 0x67c241c9),\n TOBN(0xe12d4b93, 0x24f68b49), TOBN(0x9a6b62d8, 0xa571df20)},\n {TOBN(0x81b4b26d, 0x179483cb), TOBN(0x666f9632, 0x9511fae2),\n TOBN(0xd281b3e4, 0xd53aa51f), TOBN(0x7f96a765, 0x7f3dbd16)}},\n {{TOBN(0xa7f8b5bf, 0x074a30ce), TOBN(0xd7f52107, 0x005a32e6),\n TOBN(0x6f9e0907, 0x50237ed4), TOBN(0x2f21da47, 0x8096fa2b)},\n {TOBN(0xf3e19cb4, 0xeec863a0), TOBN(0xd18f77fd, 0x9527620a),\n TOBN(0x9505c81c, 0x407c1cf8), TOBN(0x9998db4e, 0x1b6ec284)}},\n {{TOBN(0x7e3389e5, 0xc247d44d), TOBN(0x12507141, 0x3f4f3d80),\n TOBN(0xd4ba0110, 0x4a78a6c7), TOBN(0x312874a0, 0x767720be)},\n {TOBN(0xded059a6, 0x75944370), TOBN(0xd6123d90, 0x3b2c0bdd),\n TOBN(0xa56b717b, 0x51c108e3), TOBN(0x9bb7940e, 0x070623e9)}},\n {{TOBN(0x794e2d59, 0x84ac066c), TOBN(0xf5954a92, 0xe68c69a0),\n TOBN(0x28c52458, 0x4fd99dcc), TOBN(0x60e639fc, 0xb1012517)},\n {TOBN(0xc2e60125, 0x7de79248), TOBN(0xe9ef6404, 0xf12fc6d7),\n TOBN(0x4c4f2808, 0x2a3b5d32), TOBN(0x865ad32e, 0xc768eb8a)}},\n {{TOBN(0xac02331b, 0x13fb70b6), TOBN(0x037b44c1, 0x95599b27),\n TOBN(0x1a860fc4, 0x60bd082c), TOBN(0xa2e25745, 0xc980cd01)},\n {TOBN(0xee3387a8, 0x1da0263e), TOBN(0x931bfb95, 0x2d10f3d6),\n TOBN(0x5b687270, 0xa1f24a32), TOBN(0xf140e65d, 0xca494b86)}},\n {{TOBN(0x4f4ddf91, 0xb2f1ac7a), TOBN(0xf99eaabb, 0x760fee27),\n TOBN(0x57f4008a, 0x49c228e5), TOBN(0x090be440, 0x1cf713bb)},\n {TOBN(0xac91fbe4, 0x5004f022), TOBN(0xd838c2c2, 0x569e1af6),\n TOBN(0xd6c7d20b, 0x0f1daaa5), TOBN(0xaa063ac1, 0x1bbb02c0)}},\n {{TOBN(0x0938a422, 0x59558a78), TOBN(0x5343c669, 0x8435da2f),\n TOBN(0x96f67b18, 0x034410dc), TOBN(0x7cc1e424, 0x84510804)},\n {TOBN(0x86a1543f, 0x16dfbb7d), TOBN(0x921fa942, 0x5b5bd592),\n TOBN(0x9dcccb6e, 0xb33dd03c), TOBN(0x8581ddd9, 0xb843f51e)}},\n {{TOBN(0x54935fcb, 0x81d73c9e), TOBN(0x6d07e979, 0x0a5e97ab),\n TOBN(0x4dc7b30a, 0xcf3a6bab), TOBN(0x147ab1f3, 0x170bee11)},\n {TOBN(0x0aaf8e3d, 0x9fafdee4), TOBN(0xfab3dbcb, 0x538a8b95),\n TOBN(0x405df4b3, 0x6ef13871), TOBN(0xf1f4e9cb, 0x088d5a49)}},\n {{TOBN(0x9bcd24d3, 0x66b33f1d), TOBN(0x3b97b820, 0x5ce445c0),\n TOBN(0xe2926549, 0xba93ff61), TOBN(0xd9c341ce, 0x4dafe616)},\n {TOBN(0xfb30a76e, 0x16efb6f3), TOBN(0xdf24b8ca, 0x605b953c),\n TOBN(0x8bd52afe, 0xc2fffb9f), TOBN(0xbbac5ff7, 0xe19d0b96)}},\n {{TOBN(0x43c01b87, 0x459afccd), TOBN(0x6bd45143, 0xb7432652),\n TOBN(0x84734530, 0x55b5d78e), TOBN(0x81088fdb, 0x1554ba7d)},\n {TOBN(0xada0a52c, 0x1e269375), TOBN(0xf9f037c4, 0x2dc5ec10),\n TOBN(0xc0660607, 0x94bfbc11), TOBN(0xc0a630bb, 0xc9c40d2f)}},\n {{TOBN(0x5efc797e, 0xab64c31e), TOBN(0xffdb1dab, 0x74507144),\n TOBN(0xf6124287, 0x1ca6790c), TOBN(0xe9609d81, 0xe69bf1bf)},\n {TOBN(0xdb898595, 0x00d24fc9), TOBN(0x9c750333, 0xe51fb417),\n TOBN(0x51830a91, 0xfef7bbde), TOBN(0x0ce67dc8, 0x945f585c)}},\n {{TOBN(0x9a730ed4, 0x4763eb50), TOBN(0x24a0e221, 0xc1ab0d66),\n TOBN(0x643b6393, 0x648748f3), TOBN(0x1982daa1, 0x6d3c6291)},\n {TOBN(0x6f00a9f7, 0x8bbc5549), TOBN(0x7a1783e1, 0x7f36384e),\n TOBN(0xe8346323, 0xde977f50), TOBN(0x91ab688d, 0xb245502a)}},\n {{TOBN(0x331ab6b5, 0x6d0bdd66), TOBN(0x0a6ef32e, 0x64b71229),\n TOBN(0x1028150e, 0xfe7c352f), TOBN(0x27e04350, 0xce7b39d3)},\n {TOBN(0x2a3c8acd, 0xc1070c82), TOBN(0xfb2034d3, 0x80c9feef),\n TOBN(0x2d729621, 0x709f3729), TOBN(0x8df290bf, 0x62cb4549)}},\n {{TOBN(0x02f99f33, 0xfc2e4326), TOBN(0x3b30076d, 0x5eddf032),\n TOBN(0xbb21f8cf, 0x0c652fb5), TOBN(0x314fb49e, 0xed91cf7b)},\n {TOBN(0xa013eca5, 0x2f700750), TOBN(0x2b9e3c23, 0x712a4575),\n TOBN(0xe5355557, 0xaf30fbb0), TOBN(0x1ada3516, 0x7c77e771)}},\n {{TOBN(0x45f6ecb2, 0x7b135670), TOBN(0xe85d19df, 0x7cfc202e),\n TOBN(0x0f1b50c7, 0x58d1be9f), TOBN(0x5ebf2c0a, 0xead2e344)},\n {TOBN(0x1531fe4e, 0xabc199c9), TOBN(0xc7032592, 0x56bab0ae),\n TOBN(0x16ab2e48, 0x6c1fec54), TOBN(0x0f87fda8, 0x04280188)}},\n {{TOBN(0xdc9f46fc, 0x609e4a74), TOBN(0x2a44a143, 0xba667f91),\n TOBN(0xbc3d8b95, 0xb4d83436), TOBN(0xa01e4bd0, 0xc7bd2958)},\n {TOBN(0x7b182932, 0x73483c90), TOBN(0xa79c6aa1, 0xa7c7b598),\n TOBN(0xbf3983c6, 0xeaaac07e), TOBN(0x8f18181e, 0x96e0d4e6)}},\n {{TOBN(0x8553d37c, 0x051af62b), TOBN(0xe9a998eb, 0x0bf94496),\n TOBN(0xe0844f9f, 0xb0d59aa1), TOBN(0x983fd558, 0xe6afb813)},\n {TOBN(0x9670c0ca, 0x65d69804), TOBN(0x732b22de, 0x6ea5ff2d),\n TOBN(0xd7640ba9, 0x5fd8623b), TOBN(0x9f619163, 0xa6351782)}},\n {{TOBN(0x0bfc27ee, 0xacee5043), TOBN(0xae419e73, 0x2eb10f02),\n TOBN(0x19c028d1, 0x8943fb05), TOBN(0x71f01cf7, 0xff13aa2a)},\n {TOBN(0x7790737e, 0x8887a132), TOBN(0x67513309, 0x66318410),\n TOBN(0x9819e8a3, 0x7ddb795e), TOBN(0xfecb8ef5, 0xdad100b2)}},\n {{TOBN(0x59f74a22, 0x3021926a), TOBN(0xb7c28a49, 0x6f9b4c1c),\n TOBN(0xed1a733f, 0x912ad0ab), TOBN(0x42a910af, 0x01a5659c)},\n {TOBN(0x3842c6e0, 0x7bd68cab), TOBN(0x2b57fa38, 0x76d70ac8),\n TOBN(0x8a6707a8, 0x3c53aaeb), TOBN(0x62c1c510, 0x65b4db18)}},\n {{TOBN(0x8de2c1fb, 0xb2d09dc7), TOBN(0xc3dfed12, 0x266bd23b),\n TOBN(0x927d039b, 0xd5b27db6), TOBN(0x2fb2f0f1, 0x103243da)},\n {TOBN(0xf855a07b, 0x80be7399), TOBN(0xed9327ce, 0x1f9f27a8),\n TOBN(0xa0bd99c7, 0x729bdef7), TOBN(0x2b67125e, 0x28250d88)}},\n {{TOBN(0x784b26e8, 0x8670ced7), TOBN(0xe3dfe41f, 0xc31bd3b4),\n TOBN(0x9e353a06, 0xbcc85cbc), TOBN(0x302e2909, 0x60178a9d)},\n {TOBN(0x860abf11, 0xa6eac16e), TOBN(0x76447000, 0xaa2b3aac),\n TOBN(0x46ff9d19, 0x850afdab), TOBN(0x35bdd6a5, 0xfdb2d4c1)}},\n {{TOBN(0xe82594b0, 0x7e5c9ce9), TOBN(0x0f379e53, 0x20af346e),\n TOBN(0x608b31e3, 0xbc65ad4a), TOBN(0x710c6b12, 0x267c4826)},\n {TOBN(0x51c966f9, 0x71954cf1), TOBN(0xb1cec793, 0x0d0aa215),\n TOBN(0x1f155989, 0x86bd23a8), TOBN(0xae2ff99c, 0xf9452e86)}},\n {{TOBN(0xd8dd953c, 0x340ceaa2), TOBN(0x26355275, 0x2e2e9333),\n TOBN(0x15d4e5f9, 0x8586f06d), TOBN(0xd6bf94a8, 0xf7cab546)},\n {TOBN(0x33c59a0a, 0xb76a9af0), TOBN(0x52740ab3, 0xba095af7),\n TOBN(0xc444de8a, 0x24389ca0), TOBN(0xcc6f9863, 0x706da0cb)}},\n {{TOBN(0xb5a741a7, 0x6b2515cf), TOBN(0x71c41601, 0x9585c749),\n TOBN(0x78350d4f, 0xe683de97), TOBN(0x31d61524, 0x63d0b5f5)},\n {TOBN(0x7a0cc5e1, 0xfbce090b), TOBN(0xaac927ed, 0xfbcb2a5b),\n TOBN(0xe920de49, 0x20d84c35), TOBN(0x8c06a0b6, 0x22b4de26)}},\n {{TOBN(0xd34dd58b, 0xafe7ddf3), TOBN(0x55851fed, 0xc1e6e55b),\n TOBN(0xd1395616, 0x960696e7), TOBN(0x940304b2, 0x5f22705f)},\n {TOBN(0x6f43f861, 0xb0a2a860), TOBN(0xcf121282, 0x0e7cc981),\n TOBN(0x12186212, 0x0ab64a96), TOBN(0x09215b9a, 0xb789383c)}},\n {{TOBN(0x311eb305, 0x37387c09), TOBN(0xc5832fce, 0xf03ee760),\n TOBN(0x30358f58, 0x32f7ea19), TOBN(0xe01d3c34, 0x91d53551)},\n {TOBN(0x1ca5ee41, 0xda48ea80), TOBN(0x34e71e8e, 0xcf4fa4c1),\n TOBN(0x312abd25, 0x7af1e1c7), TOBN(0xe3afcdeb, 0x2153f4a5)}},\n {{TOBN(0x9d5c84d7, 0x00235e9a), TOBN(0x0308d3f4, 0x8c4c836f),\n TOBN(0xc0a66b04, 0x89332de5), TOBN(0x610dd399, 0x89e566ef)},\n {TOBN(0xf8eea460, 0xd1ac1635), TOBN(0x84cbb3fb, 0x20a2c0df),\n TOBN(0x40afb488, 0xe74a48c5), TOBN(0x29738198, 0xd326b150)}},\n {{TOBN(0x2a17747f, 0xa6d74081), TOBN(0x60ea4c05, 0x55a26214),\n TOBN(0x53514bb4, 0x1f88c5fe), TOBN(0xedd64567, 0x7e83426c)},\n {TOBN(0xd5d6cbec, 0x96460b25), TOBN(0xa12fd0ce, 0x68dc115e),\n TOBN(0xc5bc3ed2, 0x697840ea), TOBN(0x969876a8, 0xa6331e31)}},\n {{TOBN(0x60c36217, 0x472ff580), TOBN(0xf4229705, 0x4ad41393),\n TOBN(0x4bd99ef0, 0xa03b8b92), TOBN(0x501c7317, 0xc144f4f6)},\n {TOBN(0x159009b3, 0x18464945), TOBN(0x6d5e594c, 0x74c5c6be),\n TOBN(0x2d587011, 0x321a3660), TOBN(0xd1e184b1, 0x3898d022)}},\n {{TOBN(0x5ba04752, 0x4c6a7e04), TOBN(0x47fa1e2b, 0x45550b65),\n TOBN(0x9419daf0, 0x48c0a9a5), TOBN(0x66362953, 0x7c243236)},\n {TOBN(0xcd0744b1, 0x5cb12a88), TOBN(0x561b6f9a, 0x2b646188),\n TOBN(0x599415a5, 0x66c2c0c0), TOBN(0xbe3f0859, 0x0f83f09a)}},\n {{TOBN(0x9141c5be, 0xb92041b8), TOBN(0x01ae38c7, 0x26477d0d),\n TOBN(0xca8b71f3, 0xd12c7a94), TOBN(0xfab5b31f, 0x765c70db)},\n {TOBN(0x76ae7492, 0x487443e9), TOBN(0x8595a310, 0x990d1349),\n TOBN(0xf8dbeda8, 0x7d460a37), TOBN(0x7f7ad082, 0x1e45a38f)}},\n {{TOBN(0xed1d4db6, 0x1059705a), TOBN(0xa3dd492a, 0xe6b9c697),\n TOBN(0x4b92ee3a, 0x6eb38bd5), TOBN(0xbab2609d, 0x67cc0bb7)},\n {TOBN(0x7fc4fe89, 0x6e70ee82), TOBN(0xeff2c56e, 0x13e6b7e3),\n TOBN(0x9b18959e, 0x34d26fca), TOBN(0x2517ab66, 0x889d6b45)}},\n {{TOBN(0xf167b4e0, 0xbdefdd4f), TOBN(0x69958465, 0xf366e401),\n TOBN(0x5aa368ab, 0xa73bbec0), TOBN(0x12148709, 0x7b240c21)},\n {TOBN(0x378c3233, 0x18969006), TOBN(0xcb4d73ce, 0xe1fe53d1),\n TOBN(0x5f50a80e, 0x130c4361), TOBN(0xd67f5951, 0x7ef5212b)}},\n {{TOBN(0xf145e21e, 0x9e70c72e), TOBN(0xb2e52e29, 0x5566d2fb),\n TOBN(0x44eaba4a, 0x032397f5), TOBN(0x5e56937b, 0x7e31a7de)},\n {TOBN(0x68dcf517, 0x456c61e1), TOBN(0xbc2e954a, 0xa8b0a388),\n TOBN(0xe3552fa7, 0x60a8b755), TOBN(0x03442dae, 0x73ad0cde)}},\n {{TOBN(0x37ffe747, 0xceb26210), TOBN(0x983545e8, 0x787baef9),\n TOBN(0x8b8c8535, 0x86a3de31), TOBN(0xc621dbcb, 0xfacd46db)},\n {TOBN(0x82e442e9, 0x59266fbb), TOBN(0xa3514c37, 0x339d471c),\n TOBN(0x3a11b771, 0x62cdad96), TOBN(0xf0cb3b3c, 0xecf9bdf0)}},\n {{TOBN(0x3fcbdbce, 0x478e2135), TOBN(0x7547b5cf, 0xbda35342),\n TOBN(0xa97e81f1, 0x8a677af6), TOBN(0xc8c2bf83, 0x28817987)},\n {TOBN(0xdf07eaaf, 0x45580985), TOBN(0xc68d1f05, 0xc93b45cb),\n TOBN(0x106aa2fe, 0xc77b4cac), TOBN(0x4c1d8afc, 0x04a7ae86)}},\n {{TOBN(0xdb41c3fd, 0x9eb45ab2), TOBN(0x5b234b5b, 0xd4b22e74),\n TOBN(0xda253dec, 0xf215958a), TOBN(0x67e0606e, 0xa04edfa0)},\n {TOBN(0xabbbf070, 0xef751b11), TOBN(0xf352f175, 0xf6f06dce),\n TOBN(0xdfc4b6af, 0x6839f6b4), TOBN(0x53ddf9a8, 0x9959848e)}},\n {{TOBN(0xda49c379, 0xc21520b0), TOBN(0x90864ff0, 0xdbd5d1b6),\n TOBN(0x2f055d23, 0x5f49c7f7), TOBN(0xe51e4e6a, 0xa796b2d8)},\n {TOBN(0xc361a67f, 0x5c9dc340), TOBN(0x5ad53c37, 0xbca7c620),\n TOBN(0xda1d6588, 0x32c756d0), TOBN(0xad60d911, 0x8bb67e13)}},\n {{TOBN(0xd6c47bdf, 0x0eeec8c6), TOBN(0x4a27fec1, 0x078a1821),\n TOBN(0x081f7415, 0xc3099524), TOBN(0x8effdf0b, 0x82cd8060)},\n {TOBN(0xdb70ec1c, 0x65842df8), TOBN(0x8821b358, 0xd319a901),\n TOBN(0x72ee56ee, 0xde42b529), TOBN(0x5bb39592, 0x236e4286)}},\n {{TOBN(0xd1183316, 0xfd6f7140), TOBN(0xf9fadb5b, 0xbd8e81f7),\n TOBN(0x701d5e0c, 0x5a02d962), TOBN(0xfdee4dbf, 0x1b601324)},\n {TOBN(0xbed17407, 0x35d7620e), TOBN(0x04e3c2c3, 0xf48c0012),\n TOBN(0x9ee29da7, 0x3455449a), TOBN(0x562cdef4, 0x91a836c4)}},\n {{TOBN(0x8f682a5f, 0x47701097), TOBN(0x617125d8, 0xff88d0c2),\n TOBN(0x948fda24, 0x57bb86dd), TOBN(0x348abb8f, 0x289f7286)},\n {TOBN(0xeb10eab5, 0x99d94bbd), TOBN(0xd51ba28e, 0x4684d160),\n TOBN(0xabe0e51c, 0x30c8f41a), TOBN(0x66588b45, 0x13254f4a)}},\n {{TOBN(0x147ebf01, 0xfad097a5), TOBN(0x49883ea8, 0x610e815d),\n TOBN(0xe44d60ba, 0x8a11de56), TOBN(0xa970de6e, 0x827a7a6d)},\n {TOBN(0x2be41424, 0x5e17fc19), TOBN(0xd833c657, 0x01214057),\n TOBN(0x1375813b, 0x363e723f), TOBN(0x6820bb88, 0xe6a52e9b)}},\n {{TOBN(0x7e7f6970, 0xd875d56a), TOBN(0xd6a0a9ac, 0x51fbf6bf),\n TOBN(0x54ba8790, 0xa3083c12), TOBN(0xebaeb23d, 0x6ae7eb64)},\n {TOBN(0xa8685c3a, 0xb99a907a), TOBN(0xf1e74550, 0x026bf40b),\n TOBN(0x7b73a027, 0xc802cd9e), TOBN(0x9a8a927c, 0x4fef4635)}},\n {{TOBN(0xe1b6f60c, 0x08191224), TOBN(0xc4126ebb, 0xde4ec091),\n TOBN(0xe1dff4dc, 0x4ae38d84), TOBN(0xde3f57db, 0x4f2ef985)},\n {TOBN(0x34964337, 0xd446a1dd), TOBN(0x7bf217a0, 0x859e77f6),\n TOBN(0x8ff10527, 0x8e1d13f5), TOBN(0xa304ef03, 0x74eeae27)}},\n {{TOBN(0xfc6f5e47, 0xd19dfa5a), TOBN(0xdb007de3, 0x7fad982b),\n TOBN(0x28205ad1, 0x613715f5), TOBN(0x251e6729, 0x7889529e)},\n {TOBN(0x72705184, 0x1ae98e78), TOBN(0xf818537d, 0x271cac32),\n TOBN(0xc8a15b7e, 0xb7f410f5), TOBN(0xc474356f, 0x81f62393)}},\n {{TOBN(0x92dbdc5a, 0xc242316b), TOBN(0xabe060ac, 0xdbf4aff5),\n TOBN(0x6e8c38fe, 0x909a8ec6), TOBN(0x43e514e5, 0x6116cb94)},\n {TOBN(0x2078fa38, 0x07d784f9), TOBN(0x1161a880, 0xf4b5b357),\n TOBN(0x5283ce79, 0x13adea3d), TOBN(0x0756c3e6, 0xcc6a910b)}},\n {{TOBN(0x60bcfe01, 0xaaa79697), TOBN(0x04a73b29, 0x56391db1),\n TOBN(0xdd8dad47, 0x189b45a0), TOBN(0xbfac0dd0, 0x48d5b8d9)},\n {TOBN(0x34ab3af5, 0x7d3d2ec2), TOBN(0x6fa2fc2d, 0x207bd3af),\n TOBN(0x9ff40092, 0x66550ded), TOBN(0x719b3e87, 0x1fd5b913)}},\n {{TOBN(0xa573a496, 0x6d17fbc7), TOBN(0x0cd1a70a, 0x73d2b24e),\n TOBN(0x34e2c5ca, 0xb2676937), TOBN(0xe7050b06, 0xbf669f21)},\n {TOBN(0xfbe948b6, 0x1ede9046), TOBN(0xa0530051, 0x97662659),\n TOBN(0x58cbd4ed, 0xf10124c5), TOBN(0xde2646e4, 0xdd6c06c8)}},\n {{TOBN(0x332f8108, 0x8cad38c0), TOBN(0x471b7e90, 0x6bd68ae2),\n TOBN(0x56ac3fb2, 0x0d8e27a3), TOBN(0xb54660db, 0x136b4b0d)},\n {TOBN(0x123a1e11, 0xa6fd8de4), TOBN(0x44dbffea, 0xa37799ef),\n TOBN(0x4540b977, 0xce6ac17c), TOBN(0x495173a8, 0xaf60acef)}}},\n {{{TOBN(0x9ebb284d, 0x391c2a82), TOBN(0xbcdd4863, 0x158308e8),\n TOBN(0x006f16ec, 0x83f1edca), TOBN(0xa13e2c37, 0x695dc6c8)},\n {TOBN(0x2ab756f0, 0x4a057a87), TOBN(0xa8765500, 0xa6b48f98),\n TOBN(0x4252face, 0x68651c44), TOBN(0xa52b540b, 0xe1765e02)}},\n {{TOBN(0x4f922fc5, 0x16a0d2bb), TOBN(0x0d5cc16c, 0x1a623499),\n TOBN(0x9241cf3a, 0x57c62c8b), TOBN(0x2f5e6961, 0xfd1b667f)},\n {TOBN(0x5c15c70b, 0xf5a01797), TOBN(0x3d20b44d, 0x60956192),\n TOBN(0x04911b37, 0x071fdb52), TOBN(0xf648f916, 0x8d6f0f7b)}},\n {{TOBN(0x6dc1acaf, 0xe60b7cf7), TOBN(0x25860a50, 0x84a9d869),\n TOBN(0x56fc6f09, 0xe7ba8ac4), TOBN(0x828c5bd0, 0x6148d29e)},\n {TOBN(0xac6b435e, 0xdc55ae5f), TOBN(0xa527f56c, 0xc0117411),\n TOBN(0x94d5045e, 0xfd24342c), TOBN(0x2c4c0a35, 0x70b67c0d)}},\n {{TOBN(0x027cc8b8, 0xfac61d9a), TOBN(0x7d25e062, 0xe3c6fe8a),\n TOBN(0xe08805bf, 0xe5bff503), TOBN(0x13271e6c, 0x6ff632f7)},\n {TOBN(0x55dca6c0, 0x232f76a5), TOBN(0x8957c32d, 0x701ef426),\n TOBN(0xee728bcb, 0xa10a5178), TOBN(0x5ea60411, 0xb62c5173)}},\n {{TOBN(0xfc4e964e, 0xd0b8892b), TOBN(0x9ea17683, 0x9301bb74),\n TOBN(0x6265c5ae, 0xfcc48626), TOBN(0xe60cf82e, 0xbb3e9102)},\n {TOBN(0x57adf797, 0xd4df5531), TOBN(0x235b59a1, 0x8deeefe2),\n TOBN(0x60adcf58, 0x3f306eb1), TOBN(0x105c2753, 0x3d09492d)}},\n {{TOBN(0x4090914b, 0xb5def996), TOBN(0x1cb69c83, 0x233dd1e7),\n TOBN(0xc1e9c1d3, 0x9b3d5e76), TOBN(0x1f3338ed, 0xfccf6012)},\n {TOBN(0xb1e95d0d, 0x2f5378a8), TOBN(0xacf4c2c7, 0x2f00cd21),\n TOBN(0x6e984240, 0xeb5fe290), TOBN(0xd66c038d, 0x248088ae)}},\n {{TOBN(0x804d264a, 0xf94d70cf), TOBN(0xbdb802ef, 0x7314bf7e),\n TOBN(0x8fb54de2, 0x4333ed02), TOBN(0x740461e0, 0x285635d9)},\n {TOBN(0x4113b2c8, 0x365e9383), TOBN(0xea762c83, 0x3fdef652),\n TOBN(0x4eec6e2e, 0x47b956c1), TOBN(0xa3d814be, 0x65620fa4)}},\n {{TOBN(0x9ad5462b, 0xb4d8bc50), TOBN(0x181c0b16, 0xa9195770),\n TOBN(0xebd4fe1c, 0x78412a68), TOBN(0xae0341bc, 0xc0dff48c)},\n {TOBN(0xb6bc45cf, 0x7003e866), TOBN(0xf11a6dea, 0x8a24a41b),\n TOBN(0x5407151a, 0xd04c24c2), TOBN(0x62c9d27d, 0xda5b7b68)}},\n {{TOBN(0x2e964235, 0x88cceff6), TOBN(0x8594c54f, 0x8b07ed69),\n TOBN(0x1578e73c, 0xc84d0d0d), TOBN(0x7b4e1055, 0xff532868)},\n {TOBN(0xa348c0d5, 0xb5ec995a), TOBN(0xbf4b9d55, 0x14289a54),\n TOBN(0x9ba155a6, 0x58fbd777), TOBN(0x186ed7a8, 0x1a84491d)}},\n {{TOBN(0xd4992b30, 0x614c0900), TOBN(0xda98d121, 0xbd00c24b),\n TOBN(0x7f534dc8, 0x7ec4bfa1), TOBN(0x4a5ff674, 0x37dc34bc)},\n {TOBN(0x68c196b8, 0x1d7ea1d7), TOBN(0x38cf2893, 0x80a6d208),\n TOBN(0xfd56cd09, 0xe3cbbd6e), TOBN(0xec72e27e, 0x4205a5b6)}},\n {{TOBN(0x15ea68f5, 0xa44f77f7), TOBN(0x7aa5f9fd, 0xb43c52bc),\n TOBN(0x86ff676f, 0x94f0e609), TOBN(0xa4cde963, 0x2e2d432b)},\n {TOBN(0x8cafa0c0, 0xeee470af), TOBN(0x84137d0e, 0x8a3f5ec8),\n TOBN(0xebb40411, 0xfaa31231), TOBN(0xa239c13f, 0x6f7f7ccf)}},\n {{TOBN(0x32865719, 0xa8afd30b), TOBN(0x86798328, 0x8a826dce),\n TOBN(0xdf04e891, 0xc4a8fbe0), TOBN(0xbb6b6e1b, 0xebf56ad3)},\n {TOBN(0x0a695b11, 0x471f1ff0), TOBN(0xd76c3389, 0xbe15baf0),\n TOBN(0x018edb95, 0xbe96c43e), TOBN(0xf2beaaf4, 0x90794158)}},\n {{TOBN(0x152db09e, 0xc3076a27), TOBN(0x5e82908e, 0xe416545d),\n TOBN(0xa2c41272, 0x356d6f2e), TOBN(0xdc9c9642, 0x31fd74e1)},\n {TOBN(0x66ceb88d, 0x519bf615), TOBN(0xe29ecd76, 0x05a2274e),\n TOBN(0x3a0473c4, 0xbf5e2fa0), TOBN(0x6b6eb671, 0x64284e67)}},\n {{TOBN(0xe8b97932, 0xb88756dd), TOBN(0xed4e8652, 0xf17e3e61),\n TOBN(0xc2dd1499, 0x3ee1c4a4), TOBN(0xc0aaee17, 0x597f8c0e)},\n {TOBN(0x15c4edb9, 0x6c168af3), TOBN(0x6563c7bf, 0xb39ae875),\n TOBN(0xadfadb6f, 0x20adb436), TOBN(0xad55e8c9, 0x9a042ac0)}},\n {{TOBN(0x975a1ed8, 0xb76da1f5), TOBN(0x10dfa466, 0xa58acb94),\n TOBN(0x8dd7f7e3, 0xac060282), TOBN(0x6813e66a, 0x572a051e)},\n {TOBN(0xb4ccae1e, 0x350cb901), TOBN(0xb653d656, 0x50cb7822),\n TOBN(0x42484710, 0xdfab3b87), TOBN(0xcd7ee537, 0x9b670fd0)}},\n {{TOBN(0x0a50b12e, 0x523b8bf6), TOBN(0x8009eb5b, 0x8f910c1b),\n TOBN(0xf535af82, 0x4a167588), TOBN(0x0f835f9c, 0xfb2a2abd)},\n {TOBN(0xf59b2931, 0x2afceb62), TOBN(0xc797df2a, 0x169d383f),\n TOBN(0xeb3f5fb0, 0x66ac02b0), TOBN(0x029d4c6f, 0xdaa2d0ca)}},\n {{TOBN(0xd4059bc1, 0xafab4bc5), TOBN(0x833f5c6f, 0x56783247),\n TOBN(0xb5346630, 0x8d2d3605), TOBN(0x83387891, 0xd34d8433)},\n {TOBN(0xd973b30f, 0xadd9419a), TOBN(0xbcca1099, 0xafe3fce8),\n TOBN(0x08178315, 0x0809aac6), TOBN(0x01b7f21a, 0x540f0f11)}},\n {{TOBN(0x65c29219, 0x909523c8), TOBN(0xa62f648f, 0xa3a1c741),\n TOBN(0x88598d4f, 0x60c9e55a), TOBN(0xbce9141b, 0x0e4f347a)},\n {TOBN(0x9af97d84, 0x35f9b988), TOBN(0x0210da62, 0x320475b6),\n TOBN(0x3c076e22, 0x9191476c), TOBN(0x7520dbd9, 0x44fc7834)}},\n {{TOBN(0x6a6b2cfe, 0xc1ab1bbd), TOBN(0xef8a65be, 0xdc650938),\n TOBN(0x72855540, 0x805d7bc4), TOBN(0xda389396, 0xed11fdfd)},\n {TOBN(0xa9d5bd36, 0x74660876), TOBN(0x11d67c54, 0xb45dff35),\n TOBN(0x6af7d148, 0xa4f5da94), TOBN(0xbb8d4c3f, 0xc0bbeb31)}},\n {{TOBN(0x87a7ebd1, 0xe0a1b12a), TOBN(0x1e4ef88d, 0x770ba95f),\n TOBN(0x8c33345c, 0xdc2ae9cb), TOBN(0xcecf1276, 0x01cc8403)},\n {TOBN(0x687c012e, 0x1b39b80f), TOBN(0xfd90d0ad, 0x35c33ba4),\n TOBN(0xa3ef5a67, 0x5c9661c2), TOBN(0x368fc88e, 0xe017429e)}},\n {{TOBN(0xd30c6761, 0x196a2fa2), TOBN(0x931b9817, 0xbd5b312e),\n TOBN(0xba01000c, 0x72f54a31), TOBN(0xa203d2c8, 0x66eaa541)},\n {TOBN(0xf2abdee0, 0x98939db3), TOBN(0xe37d6c2c, 0x3e606c02),\n TOBN(0xf2921574, 0x521ff643), TOBN(0x2781b3c4, 0xd7e2fca3)}},\n {{TOBN(0x664300b0, 0x7850ec06), TOBN(0xac5a38b9, 0x7d3a10cf),\n TOBN(0x9233188d, 0xe34ab39d), TOBN(0xe77057e4, 0x5072cbb9)},\n {TOBN(0xbcf0c042, 0xb59e78df), TOBN(0x4cfc91e8, 0x1d97de52),\n TOBN(0x4661a26c, 0x3ee0ca4a), TOBN(0x5620a4c1, 0xfb8507bc)}},\n {{TOBN(0x4b44d4aa, 0x049f842c), TOBN(0xceabc5d5, 0x1540e82b),\n TOBN(0x306710fd, 0x15c6f156), TOBN(0xbe5ae52b, 0x63db1d72)},\n {TOBN(0x06f1e7e6, 0x334957f1), TOBN(0x57e388f0, 0x31144a70),\n TOBN(0xfb69bb2f, 0xdf96447b), TOBN(0x0f78ebd3, 0x73e38a12)}},\n {{TOBN(0xb8222605, 0x2b7ce542), TOBN(0xe6d4ce99, 0x7472bde1),\n TOBN(0x53e16ebe, 0x09d2f4da), TOBN(0x180ff42e, 0x53b92b2e)},\n {TOBN(0xc59bcc02, 0x2c34a1c6), TOBN(0x3803d6f9, 0x422c46c2),\n TOBN(0x18aff74f, 0x5c14a8a2), TOBN(0x55aebf80, 0x10a08b28)}},\n {{TOBN(0x66097d58, 0x7135593f), TOBN(0x32e6eff7, 0x2be570cd),\n TOBN(0x584e6a10, 0x2a8c860d), TOBN(0xcd185890, 0xa2eb4163)},\n {TOBN(0x7ceae99d, 0x6d97e134), TOBN(0xd42c6b70, 0xdd8447ce),\n TOBN(0x59ddbb4a, 0xb8c50273), TOBN(0x03c612df, 0x3cf34e1e)}},\n {{TOBN(0x84b9ca15, 0x04b6c5a0), TOBN(0x35216f39, 0x18f0e3a3),\n TOBN(0x3ec2d2bc, 0xbd986c00), TOBN(0x8bf546d9, 0xd19228fe)},\n {TOBN(0xd1c655a4, 0x4cd623c3), TOBN(0x366ce718, 0x502b8e5a),\n TOBN(0x2cfc84b4, 0xeea0bfe7), TOBN(0xe01d5cee, 0xcf443e8e)}},\n {{TOBN(0x8ec045d9, 0x036520f8), TOBN(0xdfb3c3d1, 0x92d40e98),\n TOBN(0x0bac4cce, 0xcc559a04), TOBN(0x35eccae5, 0x240ea6b1)},\n {TOBN(0x180b32db, 0xf8a5a0ac), TOBN(0x547972a5, 0xeb699700),\n TOBN(0xa3765801, 0xca26bca0), TOBN(0x57e09d0e, 0xa647f25a)}},\n {{TOBN(0xb956970e, 0x2fdd23cc), TOBN(0xb80288bc, 0x5682e971),\n TOBN(0xe6e6d91e, 0x9ae86ebc), TOBN(0x0564c83f, 0x8c9f1939)},\n {TOBN(0x551932a2, 0x39560368), TOBN(0xe893752b, 0x049c28e2),\n TOBN(0x0b03cee5, 0xa6a158c3), TOBN(0xe12d656b, 0x04964263)}},\n {{TOBN(0x4b47554e, 0x63e3bc1d), TOBN(0xc719b6a2, 0x45044ff7),\n TOBN(0x4f24d30a, 0xe48daa07), TOBN(0xa3f37556, 0xc8c1edc3)},\n {TOBN(0x9a47bf76, 0x0700d360), TOBN(0xbb1a1824, 0x822ae4e2),\n TOBN(0x22e275a3, 0x89f1fb4c), TOBN(0x72b1aa23, 0x9968c5f5)}},\n {{TOBN(0xa75feaca, 0xbe063f64), TOBN(0x9b392f43, 0xbce47a09),\n TOBN(0xd4241509, 0x1ad07aca), TOBN(0x4b0c591b, 0x8d26cd0f)},\n {TOBN(0x2d42ddfd, 0x92f1169a), TOBN(0x63aeb1ac, 0x4cbf2392),\n TOBN(0x1de9e877, 0x0691a2af), TOBN(0xebe79af7, 0xd98021da)}},\n {{TOBN(0xcfdf2a4e, 0x40e50acf), TOBN(0xf0a98ad7, 0xaf01d665),\n TOBN(0xefb640bf, 0x1831be1f), TOBN(0x6fe8bd2f, 0x80e9ada0)},\n {TOBN(0x94c103a1, 0x6cafbc91), TOBN(0x170f8759, 0x8308e08c),\n TOBN(0x5de2d2ab, 0x9780ff4f), TOBN(0x666466bc, 0x45b201f2)}},\n {{TOBN(0x58af2010, 0xf5b343bc), TOBN(0x0f2e400a, 0xf2f142fe),\n TOBN(0x3483bfde, 0xa85f4bdf), TOBN(0xf0b1d093, 0x03bfeaa9)},\n {TOBN(0x2ea01b95, 0xc7081603), TOBN(0xe943e4c9, 0x3dba1097),\n TOBN(0x47be92ad, 0xb438f3a6), TOBN(0x00bb7742, 0xe5bf6636)}},\n {{TOBN(0x136b7083, 0x824297b4), TOBN(0x9d0e5580, 0x5584455f),\n TOBN(0xab48cedc, 0xf1c7d69e), TOBN(0x53a9e481, 0x2a256e76)},\n {TOBN(0x0402b0e0, 0x65eb2413), TOBN(0xdadbbb84, 0x8fc407a7),\n TOBN(0xa65cd5a4, 0x8d7f5492), TOBN(0x21d44293, 0x74bae294)}},\n {{TOBN(0x66917ce6, 0x3b5f1cc4), TOBN(0x37ae52ea, 0xce872e62),\n TOBN(0xbb087b72, 0x2905f244), TOBN(0x12077086, 0x1e6af74f)},\n {TOBN(0x4b644e49, 0x1058edea), TOBN(0x827510e3, 0xb638ca1d),\n TOBN(0x8cf2b704, 0x6038591c), TOBN(0xffc8b47a, 0xfe635063)}},\n {{TOBN(0x3ae220e6, 0x1b4d5e63), TOBN(0xbd864742, 0x9d961b4b),\n TOBN(0x610c107e, 0x9bd16bed), TOBN(0x4270352a, 0x1127147b)},\n {TOBN(0x7d17ffe6, 0x64cfc50e), TOBN(0x50dee01a, 0x1e36cb42),\n TOBN(0x068a7622, 0x35dc5f9a), TOBN(0x9a08d536, 0xdf53f62c)}},\n {{TOBN(0x4ed71457, 0x6be5f7de), TOBN(0xd93006f8, 0xc2263c9e),\n TOBN(0xe073694c, 0xcacacb36), TOBN(0x2ff7a5b4, 0x3ae118ab)},\n {TOBN(0x3cce53f1, 0xcd871236), TOBN(0xf156a39d, 0xc2aa6d52),\n TOBN(0x9cc5f271, 0xb198d76d), TOBN(0xbc615b6f, 0x81383d39)}},\n {{TOBN(0xa54538e8, 0xde3eee6b), TOBN(0x58c77538, 0xab910d91),\n TOBN(0x31e5bdbc, 0x58d278bd), TOBN(0x3cde4adf, 0xb963acae)},\n {TOBN(0xb1881fd2, 0x5302169c), TOBN(0x8ca60fa0, 0xa989ed8b),\n TOBN(0xa1999458, 0xff96a0ee), TOBN(0xc1141f03, 0xac6c283d)}},\n {{TOBN(0x7677408d, 0x6dfafed3), TOBN(0x33a01653, 0x39661588),\n TOBN(0x3c9c15ec, 0x0b726fa0), TOBN(0x090cfd93, 0x6c9b56da)},\n {TOBN(0xe34f4bae, 0xa3c40af5), TOBN(0x3469eadb, 0xd21129f1),\n TOBN(0xcc51674a, 0x1e207ce8), TOBN(0x1e293b24, 0xc83b1ef9)}},\n {{TOBN(0x17173d13, 0x1e6c0bb4), TOBN(0x19004695, 0x90776d35),\n TOBN(0xe7980e34, 0x6de6f922), TOBN(0x873554cb, 0xf4dd9a22)},\n {TOBN(0x0316c627, 0xcbf18a51), TOBN(0x4d93651b, 0x3032c081),\n TOBN(0x207f2771, 0x3946834d), TOBN(0x2c08d7b4, 0x30cdbf80)}},\n {{TOBN(0x137a4fb4, 0x86df2a61), TOBN(0xa1ed9c07, 0xecf7b4a2),\n TOBN(0xb2e460e2, 0x7bd042ff), TOBN(0xb7f5e2fa, 0x5f62f5ec)},\n {TOBN(0x7aa6ec6b, 0xcc2423b7), TOBN(0x75ce0a7f, 0xba63eea7),\n TOBN(0x67a45fb1, 0xf250a6e1), TOBN(0x93bc919c, 0xe53cdc9f)}},\n {{TOBN(0x9271f56f, 0x871942df), TOBN(0x2372ff6f, 0x7859ad66),\n TOBN(0x5f4c2b96, 0x33cb1a78), TOBN(0xe3e29101, 0x5838aa83)},\n {TOBN(0xa7ed1611, 0xe4e8110c), TOBN(0x2a2d70d5, 0x330198ce),\n TOBN(0xbdf132e8, 0x6720efe0), TOBN(0xe61a8962, 0x66a471bf)}},\n {{TOBN(0x796d3a85, 0x825808bd), TOBN(0x51dc3cb7, 0x3fd6e902),\n TOBN(0x643c768a, 0x916219d1), TOBN(0x36cd7685, 0xa2ad7d32)},\n {TOBN(0xe3db9d05, 0xb22922a4), TOBN(0x6494c87e, 0xdba29660),\n TOBN(0xf0ac91df, 0xbcd2ebc7), TOBN(0x4deb57a0, 0x45107f8d)}},\n {{TOBN(0x42271f59, 0xc3d12a73), TOBN(0x5f71687c, 0xa5c2c51d),\n TOBN(0xcb1f50c6, 0x05797bcb), TOBN(0x29ed0ed9, 0xd6d34eb0)},\n {TOBN(0xe5fe5b47, 0x4683c2eb), TOBN(0x4956eeb5, 0x97447c46),\n TOBN(0x5b163a43, 0x71207167), TOBN(0x93fa2fed, 0x0248c5ef)}},\n {{TOBN(0x67930af2, 0x31f63950), TOBN(0xa77797c1, 0x14caa2c9),\n TOBN(0x526e80ee, 0x27ac7e62), TOBN(0xe1e6e626, 0x58b28aec)},\n {TOBN(0x636178b0, 0xb3c9fef0), TOBN(0xaf7752e0, 0x6d5f90be),\n TOBN(0x94ecaf18, 0xeece51cf), TOBN(0x2864d0ed, 0xca806e1f)}},\n {{TOBN(0x6de2e383, 0x97c69134), TOBN(0x5a42c316, 0xeb291293),\n TOBN(0xc7779219, 0x6a60bae0), TOBN(0xa24de346, 0x6b7599d1)},\n {TOBN(0x49d374aa, 0xb75d4941), TOBN(0x98900586, 0x2d501ff0),\n TOBN(0x9f16d40e, 0xeb7974cf), TOBN(0x1033860b, 0xcdd8c115)}},\n {{TOBN(0xb6c69ac8, 0x2094cec3), TOBN(0x9976fb88, 0x403b770c),\n TOBN(0x1dea026c, 0x4859590d), TOBN(0xb6acbb46, 0x8562d1fd)},\n {TOBN(0x7cd6c461, 0x44569d85), TOBN(0xc3190a36, 0x97f0891d),\n TOBN(0xc6f53195, 0x48d5a17d), TOBN(0x7d919966, 0xd749abc8)}},\n {{TOBN(0x65104837, 0xdd1c8a20), TOBN(0x7e5410c8, 0x2f683419),\n TOBN(0x958c3ca8, 0xbe94022e), TOBN(0x605c3197, 0x6145dac2)},\n {TOBN(0x3fc07501, 0x01683d54), TOBN(0x1d7127c5, 0x595b1234),\n TOBN(0x10b8f87c, 0x9481277f), TOBN(0x677db2a8, 0xe65a1adb)}},\n {{TOBN(0xec2fccaa, 0xddce3345), TOBN(0x2a6811b7, 0x012a4350),\n TOBN(0x96760ff1, 0xac598bdc), TOBN(0x054d652a, 0xd1bf4128)},\n {TOBN(0x0a1151d4, 0x92a21005), TOBN(0xad7f3971, 0x33110fdf),\n TOBN(0x8c95928c, 0x1960100f), TOBN(0x6c91c825, 0x7bf03362)}},\n {{TOBN(0xc8c8b2a2, 0xce309f06), TOBN(0xfdb27b59, 0xca27204b),\n TOBN(0xd223eaa5, 0x0848e32e), TOBN(0xb93e4b2e, 0xe7bfaf1e)},\n {TOBN(0xc5308ae6, 0x44aa3ded), TOBN(0x317a666a, 0xc015d573),\n TOBN(0xc888ce23, 0x1a979707), TOBN(0xf141c1e6, 0x0d5c4958)}},\n {{TOBN(0xb53b7de5, 0x61906373), TOBN(0x858dbade, 0xeb999595),\n TOBN(0x8cbb47b2, 0xa59e5c36), TOBN(0x660318b3, 0xdcf4e842)},\n {TOBN(0xbd161ccd, 0x12ba4b7a), TOBN(0xf399daab, 0xf8c8282a),\n TOBN(0x1587633a, 0xeeb2130d), TOBN(0xa465311a, 0xda38dd7d)}},\n {{TOBN(0x5f75eec8, 0x64d3779b), TOBN(0x3c5d0476, 0xad64c171),\n TOBN(0x87410371, 0x2a914428), TOBN(0x8096a891, 0x90e2fc29)},\n {TOBN(0xd3d2ae9d, 0x23b3ebc2), TOBN(0x90bdd6db, 0xa580cfd6),\n TOBN(0x52dbb7f3, 0xc5b01f6c), TOBN(0xe68eded4, 0xe102a2dc)}},\n {{TOBN(0x17785b77, 0x99eb6df0), TOBN(0x26c3cc51, 0x7386b779),\n TOBN(0x345ed988, 0x6417a48e), TOBN(0xe990b4e4, 0x07d6ef31)},\n {TOBN(0x0f456b7e, 0x2586abba), TOBN(0x239ca6a5, 0x59c96e9a),\n TOBN(0xe327459c, 0xe2eb4206), TOBN(0x3a4c3313, 0xa002b90a)}},\n {{TOBN(0x2a114806, 0xf6a3f6fb), TOBN(0xad5cad2f, 0x85c251dd),\n TOBN(0x92c1f613, 0xf5a784d3), TOBN(0xec7bfacf, 0x349766d5)},\n {TOBN(0x04b3cd33, 0x3e23cb3b), TOBN(0x3979fe84, 0xc5a64b2d),\n TOBN(0x192e2720, 0x7e589106), TOBN(0xa60c43d1, 0xa15b527f)}},\n {{TOBN(0x2dae9082, 0xbe7cf3a6), TOBN(0xcc86ba92, 0xbc967274),\n TOBN(0xf28a2ce8, 0xaea0a8a9), TOBN(0x404ca6d9, 0x6ee988b3)},\n {TOBN(0xfd7e9c5d, 0x005921b8), TOBN(0xf56297f1, 0x44e79bf9),\n TOBN(0xa163b460, 0x0d75ddc2), TOBN(0x30b23616, 0xa1f2be87)}},\n {{TOBN(0x4b070d21, 0xbfe50e2b), TOBN(0x7ef8cfd0, 0xe1bfede1),\n TOBN(0xadba0011, 0x2aac4ae0), TOBN(0x2a3e7d01, 0xb9ebd033)},\n {TOBN(0x995277ec, 0xe38d9d1c), TOBN(0xb500249e, 0x9c5d2de3),\n TOBN(0x8912b820, 0xf13ca8c9), TOBN(0xc8798114, 0x877793af)}},\n {{TOBN(0x19e6125d, 0xec3f1dec), TOBN(0x07b1f040, 0x911178da),\n TOBN(0xd93ededa, 0x904a6738), TOBN(0x55187a5a, 0x0bebedcd)},\n {TOBN(0xf7d04722, 0xeb329d41), TOBN(0xf449099e, 0xf170b391),\n TOBN(0xfd317a69, 0xca99f828), TOBN(0x50c3db2b, 0x34a4976d)}},\n {{TOBN(0xe9ba7784, 0x3757b392), TOBN(0x326caefd, 0xaa3ca05a),\n TOBN(0x78e5293b, 0xf1e593d4), TOBN(0x7842a937, 0x0d98fd13)},\n {TOBN(0xe694bf96, 0x5f96b10d), TOBN(0x373a9df6, 0x06a8cd05),\n TOBN(0x997d1e51, 0xe8f0c7fc), TOBN(0x1d019790, 0x63fd972e)}},\n {{TOBN(0x0064d858, 0x5499fb32), TOBN(0x7b67bad9, 0x77a8aeb7),\n TOBN(0x1d3eb977, 0x2d08eec5), TOBN(0x5fc047a6, 0xcbabae1d)},\n {TOBN(0x0577d159, 0xe54a64bb), TOBN(0x8862201b, 0xc43497e4),\n TOBN(0xad6b4e28, 0x2ce0608d), TOBN(0x8b687b7d, 0x0b167aac)}},\n {{TOBN(0x6ed4d367, 0x8b2ecfa9), TOBN(0x24dfe62d, 0xa90c3c38),\n TOBN(0xa1862e10, 0x3fe5c42b), TOBN(0x1ca73dca, 0xd5732a9f)},\n {TOBN(0x35f038b7, 0x76bb87ad), TOBN(0x674976ab, 0xf242b81f),\n TOBN(0x4f2bde7e, 0xb0fd90cd), TOBN(0x6efc172e, 0xa7fdf092)}},\n {{TOBN(0x3806b69b, 0x92222f1f), TOBN(0x5a2459ca, 0x6cf7ae70),\n TOBN(0x6789f69c, 0xa85217ee), TOBN(0x5f232b5e, 0xe3dc85ac)},\n {TOBN(0x660e3ec5, 0x48e9e516), TOBN(0x124b4e47, 0x3197eb31),\n TOBN(0x10a0cb13, 0xaafcca23), TOBN(0x7bd63ba4, 0x8213224f)}},\n {{TOBN(0xaffad7cc, 0x290a7f4f), TOBN(0x6b409c9e, 0x0286b461),\n TOBN(0x58ab809f, 0xffa407af), TOBN(0xc3122eed, 0xc68ac073)},\n {TOBN(0x17bf9e50, 0x4ef24d7e), TOBN(0x5d929794, 0x3e2a5811),\n TOBN(0x519bc867, 0x02902e01), TOBN(0x76bba5da, 0x39c8a851)}},\n {{TOBN(0xe9f9669c, 0xda94951e), TOBN(0x4b6af58d, 0x66b8d418),\n TOBN(0xfa321074, 0x17d426a4), TOBN(0xc78e66a9, 0x9dde6027)},\n {TOBN(0x0516c083, 0x4a53b964), TOBN(0xfc659d38, 0xff602330),\n TOBN(0x0ab55e5c, 0x58c5c897), TOBN(0x985099b2, 0x838bc5df)}},\n {{TOBN(0x061d9efc, 0xc52fc238), TOBN(0x712b2728, 0x6ac1da3f),\n TOBN(0xfb658149, 0x9283fe08), TOBN(0x4954ac94, 0xb8aaa2f7)},\n {TOBN(0x85c0ada4, 0x7fb2e74f), TOBN(0xee8ba98e, 0xb89926b0),\n TOBN(0xe4f9d37d, 0x23d1af5b), TOBN(0x14ccdbf9, 0xba9b015e)}},\n {{TOBN(0xb674481b, 0x7bfe7178), TOBN(0x4e1debae, 0x65405868),\n TOBN(0x061b2821, 0xc48c867d), TOBN(0x69c15b35, 0x513b30ea)},\n {TOBN(0x3b4a1666, 0x36871088), TOBN(0xe5e29f5d, 0x1220b1ff),\n TOBN(0x4b82bb35, 0x233d9f4d), TOBN(0x4e076333, 0x18cdc675)}}},\n {{{TOBN(0x0d53f5c7, 0xa3e6fced), TOBN(0xe8cbbdd5, 0xf45fbdeb),\n TOBN(0xf85c01df, 0x13339a70), TOBN(0x0ff71880, 0x142ceb81)},\n {TOBN(0x4c4e8774, 0xbd70437a), TOBN(0x5fb32891, 0xba0bda6a),\n TOBN(0x1cdbebd2, 0xf18bd26e), TOBN(0x2f9526f1, 0x03a9d522)}},\n {{TOBN(0x40ce3051, 0x92c4d684), TOBN(0x8b04d725, 0x7612efcd),\n TOBN(0xb9dcda36, 0x6f9cae20), TOBN(0x0edc4d24, 0xf058856c)},\n {TOBN(0x64f2e6bf, 0x85427900), TOBN(0x3de81295, 0xdc09dfea),\n TOBN(0xd41b4487, 0x379bf26c), TOBN(0x50b62c6d, 0x6df135a9)}},\n {{TOBN(0xd4f8e3b4, 0xc72dfe67), TOBN(0xc416b0f6, 0x90e19fdf),\n TOBN(0x18b9098d, 0x4c13bd35), TOBN(0xac11118a, 0x15b8cb9e)},\n {TOBN(0xf598a318, 0xf0062841), TOBN(0xbfe0602f, 0x89f356f4),\n TOBN(0x7ae3637e, 0x30177a0c), TOBN(0x34097747, 0x61136537)}},\n {{TOBN(0x0db2fb5e, 0xd005832a), TOBN(0x5f5efd3b, 0x91042e4f),\n TOBN(0x8c4ffdc6, 0xed70f8ca), TOBN(0xe4645d0b, 0xb52da9cc)},\n {TOBN(0x9596f58b, 0xc9001d1f), TOBN(0x52c8f0bc, 0x4e117205),\n TOBN(0xfd4aa0d2, 0xe398a084), TOBN(0x815bfe3a, 0x104f49de)}},\n {{TOBN(0x97e5443f, 0x23885e5f), TOBN(0xf72f8f99, 0xe8433aab),\n TOBN(0xbd00b154, 0xe4d4e604), TOBN(0xd0b35e6a, 0xe5e173ff)},\n {TOBN(0x57b2a048, 0x9164722d), TOBN(0x3e3c665b, 0x88761ec8),\n TOBN(0x6bdd1397, 0x3da83832), TOBN(0x3c8b1a1e, 0x73dafe3b)}},\n {{TOBN(0x4497ace6, 0x54317cac), TOBN(0xbe600ab9, 0x521771b3),\n TOBN(0xb42e409e, 0xb0dfe8b8), TOBN(0x386a67d7, 0x3942310f)},\n {TOBN(0x25548d8d, 0x4431cc28), TOBN(0xa7cff142, 0x985dc524),\n TOBN(0x4d60f5a1, 0x93c4be32), TOBN(0x83ebd5c8, 0xd071c6e1)}},\n {{TOBN(0xba3a80a7, 0xb1fd2b0b), TOBN(0x9b3ad396, 0x5bec33e8),\n TOBN(0xb3868d61, 0x79743fb3), TOBN(0xcfd169fc, 0xfdb462fa)},\n {TOBN(0xd3b499d7, 0x9ce0a6af), TOBN(0x55dc1cf1, 0xe42d3ff8),\n TOBN(0x04fb9e6c, 0xc6c3e1b2), TOBN(0x47e6961d, 0x6f69a474)}},\n {{TOBN(0x54eb3acc, 0xe548b37b), TOBN(0xb38e7542, 0x84d40549),\n TOBN(0x8c3daa51, 0x7b341b4f), TOBN(0x2f6928ec, 0x690bf7fa)},\n {TOBN(0x0496b323, 0x86ce6c41), TOBN(0x01be1c55, 0x10adadcd),\n TOBN(0xc04e67e7, 0x4bb5faf9), TOBN(0x3cbaf678, 0xe15c9985)}},\n {{TOBN(0x8cd12145, 0x50ca4247), TOBN(0xba1aa47a, 0xe7dd30aa),\n TOBN(0x2f81ddf1, 0xe58fee24), TOBN(0x03452936, 0xeec9b0e8)},\n {TOBN(0x8bdc3b81, 0x243aea96), TOBN(0x9a2919af, 0x15c3d0e5),\n TOBN(0x9ea640ec, 0x10948361), TOBN(0x5ac86d5b, 0x6e0bcccf)}},\n {{TOBN(0xf892d918, 0xc36cf440), TOBN(0xaed3e837, 0xc939719c),\n TOBN(0xb07b08d2, 0xc0218b64), TOBN(0x6f1bcbba, 0xce9790dd)},\n {TOBN(0x4a84d6ed, 0x60919b8e), TOBN(0xd8900791, 0x8ac1f9eb),\n TOBN(0xf84941aa, 0x0dd5daef), TOBN(0xb22fe40a, 0x67fd62c5)}},\n {{TOBN(0x97e15ba2, 0x157f2db3), TOBN(0xbda2fc8f, 0x8e28ca9c),\n TOBN(0x5d050da4, 0x37b9f454), TOBN(0x3d57eb57, 0x2379d72e)},\n {TOBN(0xe9b5eba2, 0xfb5ee997), TOBN(0x01648ca2, 0xe11538ca),\n TOBN(0x32bb76f6, 0xf6327974), TOBN(0x338f14b8, 0xff3f4bb7)}},\n {{TOBN(0x524d226a, 0xd7ab9a2d), TOBN(0x9c00090d, 0x7dfae958),\n TOBN(0x0ba5f539, 0x8751d8c2), TOBN(0x8afcbcdd, 0x3ab8262d)},\n {TOBN(0x57392729, 0xe99d043b), TOBN(0xef51263b, 0xaebc943a),\n TOBN(0x9feace93, 0x20862935), TOBN(0x639efc03, 0xb06c817b)}},\n {{TOBN(0x1fe054b3, 0x66b4be7a), TOBN(0x3f25a9de, 0x84a37a1e),\n TOBN(0xf39ef1ad, 0x78d75cd9), TOBN(0xd7b58f49, 0x5062c1b5)},\n {TOBN(0x6f74f9a9, 0xff563436), TOBN(0xf718ff29, 0xe8af51e7),\n TOBN(0x5234d313, 0x15e97fec), TOBN(0xb6a8e2b1, 0x292f1c0a)}},\n {{TOBN(0xa7f53aa8, 0x327720c1), TOBN(0x956ca322, 0xba092cc8),\n TOBN(0x8f03d64a, 0x28746c4d), TOBN(0x51fe1782, 0x66d0d392)},\n {TOBN(0xd19b34db, 0x3c832c80), TOBN(0x60dccc5c, 0x6da2e3b4),\n TOBN(0x245dd62e, 0x0a104ccc), TOBN(0xa7ab1de1, 0x620b21fd)}},\n {{TOBN(0xb293ae0b, 0x3893d123), TOBN(0xf7b75783, 0xb15ee71c),\n TOBN(0x5aa3c614, 0x42a9468b), TOBN(0xd686123c, 0xdb15d744)},\n {TOBN(0x8c616891, 0xa7ab4116), TOBN(0x6fcd72c8, 0xa4e6a459),\n TOBN(0xac219110, 0x77e5fad7), TOBN(0xfb6a20e7, 0x704fa46b)}},\n {{TOBN(0xe839be7d, 0x341d81dc), TOBN(0xcddb6889, 0x32148379),\n TOBN(0xda6211a1, 0xf7026ead), TOBN(0xf3b2575f, 0xf4d1cc5e)},\n {TOBN(0x40cfc8f6, 0xa7a73ae6), TOBN(0x83879a5e, 0x61d5b483),\n TOBN(0xc5acb1ed, 0x41a50ebc), TOBN(0x59a60cc8, 0x3c07d8fa)}},\n {{TOBN(0x1b73bdce, 0xb1876262), TOBN(0x2b0d79f0, 0x12af4ee9),\n TOBN(0x8bcf3b0b, 0xd46e1d07), TOBN(0x17d6af9d, 0xe45d152f)},\n {TOBN(0x73520461, 0x6d736451), TOBN(0x43cbbd97, 0x56b0bf5a),\n TOBN(0xb0833a5b, 0xd5999b9d), TOBN(0x702614f0, 0xeb72e398)}},\n {{TOBN(0x0aadf01a, 0x59c3e9f8), TOBN(0x40200e77, 0xce6b3d16),\n TOBN(0xda22bdd3, 0xdeddafad), TOBN(0x76dedaf4, 0x310d72e1)},\n {TOBN(0x49ef807c, 0x4bc2e88f), TOBN(0x6ba81291, 0x146dd5a5),\n TOBN(0xa1a4077a, 0x7d8d59e9), TOBN(0x87b6a2e7, 0x802db349)}},\n {{TOBN(0xd5679997, 0x1b4e598e), TOBN(0xf499ef1f, 0x06fe4b1d),\n TOBN(0x3978d3ae, 0xfcb267c5), TOBN(0xb582b557, 0x235786d0)},\n {TOBN(0x32b3b2ca, 0x1715cb07), TOBN(0x4c3de6a2, 0x8480241d),\n TOBN(0x63b5ffed, 0xcb571ecd), TOBN(0xeaf53900, 0xed2fe9a9)}},\n {{TOBN(0xdec98d4a, 0xc3b81990), TOBN(0x1cb83722, 0x9e0cc8fe),\n TOBN(0xfe0b0491, 0xd2b427b9), TOBN(0x0f2386ac, 0xe983a66c)},\n {TOBN(0x930c4d1e, 0xb3291213), TOBN(0xa2f82b2e, 0x59a62ae4),\n TOBN(0x77233853, 0xf93e89e3), TOBN(0x7f8063ac, 0x11777c7f)}},\n {{TOBN(0xff0eb567, 0x59ad2877), TOBN(0x6f454642, 0x9865c754),\n TOBN(0xe6fe701a, 0x236e9a84), TOBN(0xc586ef16, 0x06e40fc3)},\n {TOBN(0x3f62b6e0, 0x24bafad9), TOBN(0xc8b42bd2, 0x64da906a),\n TOBN(0xc98e1eb4, 0xda3276a0), TOBN(0x30d0e5fc, 0x06cbf852)}},\n {{TOBN(0x1b6b2ae1, 0xe8b4dfd4), TOBN(0xd754d5c7, 0x8301cbac),\n TOBN(0x66097629, 0x112a39ac), TOBN(0xf86b5999, 0x93ba4ab9)},\n {TOBN(0x26c9dea7, 0x99f9d581), TOBN(0x0473b1a8, 0xc2fafeaa),\n TOBN(0x1469af55, 0x3b2505a5), TOBN(0x227d16d7, 0xd6a43323)}},\n {{TOBN(0x3316f73c, 0xad3d97f9), TOBN(0x52bf3bb5, 0x1f137455),\n TOBN(0x953eafeb, 0x09954e7c), TOBN(0xa721dfed, 0xdd732411)},\n {TOBN(0xb4929821, 0x141d4579), TOBN(0x3411321c, 0xaa3bd435),\n TOBN(0xafb355aa, 0x17fa6015), TOBN(0xb4e7ef4a, 0x18e42f0e)}},\n {{TOBN(0x604ac97c, 0x59371000), TOBN(0xe1c48c70, 0x7f759c18),\n TOBN(0x3f62ecc5, 0xa5db6b65), TOBN(0x0a78b173, 0x38a21495)},\n {TOBN(0x6be1819d, 0xbcc8ad94), TOBN(0x70dc04f6, 0xd89c3400),\n TOBN(0x462557b4, 0xa6b4840a), TOBN(0x544c6ade, 0x60bd21c0)}},\n {{TOBN(0x6a00f24e, 0x907a544b), TOBN(0xa7520dcb, 0x313da210),\n TOBN(0xfe939b75, 0x11e4994b), TOBN(0x918b6ba6, 0xbc275d70)},\n {TOBN(0xd3e5e0fc, 0x644be892), TOBN(0x707a9816, 0xfdaf6c42),\n TOBN(0x60145567, 0xf15c13fe), TOBN(0x4818ebaa, 0xe130a54a)}},\n {{TOBN(0x28aad3ad, 0x58d2f767), TOBN(0xdc5267fd, 0xd7e7c773),\n TOBN(0x4919cc88, 0xc3afcc98), TOBN(0xaa2e6ab0, 0x2db8cd4b)},\n {TOBN(0xd46fec04, 0xd0c63eaa), TOBN(0xa1cb92c5, 0x19ffa832),\n TOBN(0x678dd178, 0xe43a631f), TOBN(0xfb5ae1cd, 0x3dc788b3)}},\n {{TOBN(0x68b4fb90, 0x6e77de04), TOBN(0x7992bcf0, 0xf06dbb97),\n TOBN(0x896e6a13, 0xc417c01d), TOBN(0x8d96332c, 0xb956be01)},\n {TOBN(0x902fc93a, 0x413aa2b9), TOBN(0x99a4d915, 0xfc98c8a5),\n TOBN(0x52c29407, 0x565f1137), TOBN(0x4072690f, 0x21e4f281)}},\n {{TOBN(0x36e607cf, 0x02ff6072), TOBN(0xa47d2ca9, 0x8ad98cdc),\n TOBN(0xbf471d1e, 0xf5f56609), TOBN(0xbcf86623, 0xf264ada0)},\n {TOBN(0xb70c0687, 0xaa9e5cb6), TOBN(0xc98124f2, 0x17401c6c),\n TOBN(0x8189635f, 0xd4a61435), TOBN(0xd28fb8af, 0xa9d98ea6)}},\n {{TOBN(0xb9a67c2a, 0x40c251f8), TOBN(0x88cd5d87, 0xa2da44be),\n TOBN(0x437deb96, 0xe09b5423), TOBN(0x150467db, 0x64287dc1)},\n {TOBN(0xe161debb, 0xcdabb839), TOBN(0xa79e9742, 0xf1839a3e),\n TOBN(0xbb8dd3c2, 0x652d202b), TOBN(0x7b3e67f7, 0xe9f97d96)}},\n {{TOBN(0x5aa5d78f, 0xb1cb6ac9), TOBN(0xffa13e8e, 0xca1d0d45),\n TOBN(0x369295dd, 0x2ba5bf95), TOBN(0xd68bd1f8, 0x39aff05e)},\n {TOBN(0xaf0d86f9, 0x26d783f2), TOBN(0x543a59b3, 0xfc3aafc1),\n TOBN(0x3fcf81d2, 0x7b7da97c), TOBN(0xc990a056, 0xd25dee46)}},\n {{TOBN(0x3e6775b8, 0x519cce2c), TOBN(0xfc9af71f, 0xae13d863),\n TOBN(0x774a4a6f, 0x47c1605c), TOBN(0x46ba4245, 0x2fd205e8)},\n {TOBN(0xa06feea4, 0xd3fd524d), TOBN(0x1e724641, 0x6de1acc2),\n TOBN(0xf53816f1, 0x334e2b42), TOBN(0x49e5918e, 0x922f0024)}},\n {{TOBN(0x439530b6, 0x65c7322d), TOBN(0xcf12cc01, 0xb3c1b3fb),\n TOBN(0xc70b0186, 0x0172f685), TOBN(0xb915ee22, 0x1b58391d)},\n {TOBN(0x9afdf03b, 0xa317db24), TOBN(0x87dec659, 0x17b8ffc4),\n TOBN(0x7f46597b, 0xe4d3d050), TOBN(0x80a1c1ed, 0x006500e7)}},\n {{TOBN(0x84902a96, 0x78bf030e), TOBN(0xfb5e9c9a, 0x50560148),\n TOBN(0x6dae0a92, 0x63362426), TOBN(0xdcaeecf4, 0xa9e30c40)},\n {TOBN(0xc0d887bb, 0x518d0c6b), TOBN(0x99181152, 0xcb985b9d),\n TOBN(0xad186898, 0xef7bc381), TOBN(0x18168ffb, 0x9ee46201)}},\n {{TOBN(0x9a04cdaa, 0x2502753c), TOBN(0xbb279e26, 0x51407c41),\n TOBN(0xeacb03aa, 0xf23564e5), TOBN(0x18336582, 0x71e61016)},\n {TOBN(0x8684b8c4, 0xeb809877), TOBN(0xb336e18d, 0xea0e672e),\n TOBN(0xefb601f0, 0x34ee5867), TOBN(0x2733edbe, 0x1341cfd1)}},\n {{TOBN(0xb15e809a, 0x26025c3c), TOBN(0xe6e981a6, 0x9350df88),\n TOBN(0x92376237, 0x8502fd8e), TOBN(0x4791f216, 0x0c12be9b)},\n {TOBN(0xb7256789, 0x25f02425), TOBN(0xec863194, 0x7a974443),\n TOBN(0x7c0ce882, 0xfb41cc52), TOBN(0xc266ff7e, 0xf25c07f2)}},\n {{TOBN(0x3d4da8c3, 0x017025f3), TOBN(0xefcf628c, 0xfb9579b4),\n TOBN(0x5c4d0016, 0x1f3716ec), TOBN(0x9c27ebc4, 0x6801116e)},\n {TOBN(0x5eba0ea1, 0x1da1767e), TOBN(0xfe151452, 0x47004c57),\n TOBN(0x3ace6df6, 0x8c2373b7), TOBN(0x75c3dffe, 0x5dbc37ac)}},\n {{TOBN(0x3dc32a73, 0xddc925fc), TOBN(0xb679c841, 0x2f65ee0b),\n TOBN(0x715a3295, 0x451cbfeb), TOBN(0xd9889768, 0xf76e9a29)},\n {TOBN(0xec20ce7f, 0xb28ad247), TOBN(0xe99146c4, 0x00894d79),\n TOBN(0x71457d7c, 0x9f5e3ea7), TOBN(0x097b2662, 0x38030031)}},\n {{TOBN(0xdb7f6ae6, 0xcf9f82a8), TOBN(0x319decb9, 0x438f473a),\n TOBN(0xa63ab386, 0x283856c3), TOBN(0x13e3172f, 0xb06a361b)},\n {TOBN(0x2959f8dc, 0x7d5a006c), TOBN(0x2dbc27c6, 0x75fba752),\n TOBN(0xc1227ab2, 0x87c22c9e), TOBN(0x06f61f75, 0x71a268b2)}},\n {{TOBN(0x1b6bb971, 0x04779ce2), TOBN(0xaca83812, 0x0aadcb1d),\n TOBN(0x297ae0bc, 0xaeaab2d5), TOBN(0xa5c14ee7, 0x5bfb9f13)},\n {TOBN(0xaa00c583, 0xf17a62c7), TOBN(0x39eb962c, 0x173759f6),\n TOBN(0x1eeba1d4, 0x86c9a88f), TOBN(0x0ab6c37a, 0xdf016c5e)}},\n {{TOBN(0xa2a147db, 0xa28a0749), TOBN(0x246c20d6, 0xee519165),\n TOBN(0x5068d1b1, 0xd3810715), TOBN(0xb1e7018c, 0x748160b9)},\n {TOBN(0x03f5b1fa, 0xf380ff62), TOBN(0xef7fb1dd, 0xf3cb2c1e),\n TOBN(0xeab539a8, 0xfc91a7da), TOBN(0x83ddb707, 0xf3f9b561)}},\n {{TOBN(0xc550e211, 0xfe7df7a4), TOBN(0xa7cd07f2, 0x063f6f40),\n TOBN(0xb0de3635, 0x2976879c), TOBN(0xb5f83f85, 0xe55741da)},\n {TOBN(0x4ea9d25e, 0xf3d8ac3d), TOBN(0x6fe2066f, 0x62819f02),\n TOBN(0x4ab2b9c2, 0xcef4a564), TOBN(0x1e155d96, 0x5ffa2de3)}},\n {{TOBN(0x0eb0a19b, 0xc3a72d00), TOBN(0x4037665b, 0x8513c31b),\n TOBN(0x2fb2b6bf, 0x04c64637), TOBN(0x45c34d6e, 0x08cdc639)},\n {TOBN(0x56f1e10f, 0xf01fd796), TOBN(0x4dfb8101, 0xfe3667b8),\n TOBN(0xe0eda253, 0x9021d0c0), TOBN(0x7a94e9ff, 0x8a06c6ab)}},\n {{TOBN(0x2d3bb0d9, 0xbb9aa882), TOBN(0xea20e4e5, 0xec05fd10),\n TOBN(0xed7eeb5f, 0x1a1ca64e), TOBN(0x2fa6b43c, 0xc6327cbd)},\n {TOBN(0xb577e3cf, 0x3aa91121), TOBN(0x8c6bd5ea, 0x3a34079b),\n TOBN(0xd7e5ba39, 0x60e02fc0), TOBN(0xf16dd2c3, 0x90141bf8)}},\n {{TOBN(0xb57276d9, 0x80101b98), TOBN(0x760883fd, 0xb82f0f66),\n TOBN(0x89d7de75, 0x4bc3eff3), TOBN(0x03b60643, 0x5dc2ab40)},\n {TOBN(0xcd6e53df, 0xe05beeac), TOBN(0xf2f1e862, 0xbc3325cd),\n TOBN(0xdd0f7921, 0x774f03c3), TOBN(0x97ca7221, 0x4552cc1b)}},\n {{TOBN(0x5a0d6afe, 0x1cd19f72), TOBN(0xa20915dc, 0xf183fbeb),\n TOBN(0x9fda4b40, 0x832c403c), TOBN(0x32738edd, 0xbe425442)},\n {TOBN(0x469a1df6, 0xb5eccf1a), TOBN(0x4b5aff42, 0x28bbe1f0),\n TOBN(0x31359d7f, 0x570dfc93), TOBN(0xa18be235, 0xf0088628)}},\n {{TOBN(0xa5b30fba, 0xb00ed3a9), TOBN(0x34c61374, 0x73cdf8be),\n TOBN(0x2c5c5f46, 0xabc56797), TOBN(0x5cecf93d, 0xb82a8ae2)},\n {TOBN(0x7d3dbe41, 0xa968fbf0), TOBN(0xd23d4583, 0x1a5c7f3d),\n TOBN(0xf28f69a0, 0xc087a9c7), TOBN(0xc2d75471, 0x474471ca)}},\n {{TOBN(0x36ec9f4a, 0x4eb732ec), TOBN(0x6c943bbd, 0xb1ca6bed),\n TOBN(0xd64535e1, 0xf2457892), TOBN(0x8b84a8ea, 0xf7e2ac06)},\n {TOBN(0xe0936cd3, 0x2499dd5f), TOBN(0x12053d7e, 0x0ed04e57),\n TOBN(0x4bdd0076, 0xe4305d9d), TOBN(0x34a527b9, 0x1f67f0a2)}},\n {{TOBN(0xe79a4af0, 0x9cec46ea), TOBN(0xb15347a1, 0x658b9bc7),\n TOBN(0x6bd2796f, 0x35af2f75), TOBN(0xac957990, 0x4051c435)},\n {TOBN(0x2669dda3, 0xc33a655d), TOBN(0x5d503c2e, 0x88514aa3),\n TOBN(0xdfa11337, 0x3753dd41), TOBN(0x3f054673, 0x0b754f78)}},\n {{TOBN(0xbf185677, 0x496125bd), TOBN(0xfb0023c8, 0x3775006c),\n TOBN(0xfa0f072f, 0x3a037899), TOBN(0x4222b6eb, 0x0e4aea57)},\n {TOBN(0x3dde5e76, 0x7866d25a), TOBN(0xb6eb04f8, 0x4837aa6f),\n TOBN(0x5315591a, 0x2cf1cdb8), TOBN(0x6dfb4f41, 0x2d4e683c)}},\n {{TOBN(0x7e923ea4, 0x48ee1f3a), TOBN(0x9604d9f7, 0x05a2afd5),\n TOBN(0xbe1d4a33, 0x40ea4948), TOBN(0x5b45f1f4, 0xb44cbd2f)},\n {TOBN(0x5faf8376, 0x4acc757e), TOBN(0xa7cf9ab8, 0x63d68ff7),\n TOBN(0x8ad62f69, 0xdf0e404b), TOBN(0xd65f33c2, 0x12bdafdf)}},\n {{TOBN(0xc365de15, 0xa377b14e), TOBN(0x6bf5463b, 0x8e39f60c),\n TOBN(0x62030d2d, 0x2ce68148), TOBN(0xd95867ef, 0xe6f843a8)},\n {TOBN(0xd39a0244, 0xef5ab017), TOBN(0x0bd2d8c1, 0x4ab55d12),\n TOBN(0xc9503db3, 0x41639169), TOBN(0x2d4e25b0, 0xf7660c8a)}},\n {{TOBN(0x760cb3b5, 0xe224c5d7), TOBN(0xfa3baf8c, 0x68616919),\n TOBN(0x9fbca113, 0x8d142552), TOBN(0x1ab18bf1, 0x7669ebf5)},\n {TOBN(0x55e6f53e, 0x9bdf25dd), TOBN(0x04cc0bf3, 0xcb6cd154),\n TOBN(0x595bef49, 0x95e89080), TOBN(0xfe9459a8, 0x104a9ac1)}},\n {{TOBN(0xad2d89ca, 0xcce9bb32), TOBN(0xddea65e1, 0xf7de8285),\n TOBN(0x62ed8c35, 0xb351bd4b), TOBN(0x4150ff36, 0x0c0e19a7)},\n {TOBN(0x86e3c801, 0x345f4e47), TOBN(0x3bf21f71, 0x203a266c),\n TOBN(0x7ae110d4, 0x855b1f13), TOBN(0x5d6aaf6a, 0x07262517)}},\n {{TOBN(0x1e0f12e1, 0x813d28f1), TOBN(0x6000e11d, 0x7ad7a523),\n TOBN(0xc7d8deef, 0xc744a17b), TOBN(0x1e990b48, 0x14c05a00)},\n {TOBN(0x68fddaee, 0x93e976d5), TOBN(0x696241d1, 0x46610d63),\n TOBN(0xb204e7c3, 0x893dda88), TOBN(0x8bccfa65, 0x6a3a6946)}},\n {{TOBN(0xb59425b4, 0xc5cd1411), TOBN(0x701b4042, 0xff3658b1),\n TOBN(0xe3e56bca, 0x4784cf93), TOBN(0x27de5f15, 0x8fe68d60)},\n {TOBN(0x4ab9cfce, 0xf8d53f19), TOBN(0xddb10311, 0xa40a730d),\n TOBN(0x6fa73cd1, 0x4eee0a8a), TOBN(0xfd548748, 0x5249719d)}},\n {{TOBN(0x49d66316, 0xa8123ef0), TOBN(0x73c32db4, 0xe7f95438),\n TOBN(0x2e2ed209, 0x0d9e7854), TOBN(0xf98a9329, 0x9d9f0507)},\n {TOBN(0xc5d33cf6, 0x0c6aa20a), TOBN(0x9a32ba14, 0x75279bb2),\n TOBN(0x7e3202cb, 0x774a7307), TOBN(0x64ed4bc4, 0xe8c42dbd)}},\n {{TOBN(0xc20f1a06, 0xd4caed0d), TOBN(0xb8021407, 0x171d22b3),\n TOBN(0xd426ca04, 0xd13268d7), TOBN(0x92377007, 0x25f4d126)},\n {TOBN(0x4204cbc3, 0x71f21a85), TOBN(0x18461b7a, 0xf82369ba),\n TOBN(0xc0c07d31, 0x3fc858f9), TOBN(0x5deb5a50, 0xe2bab569)}},\n {{TOBN(0xd5959d46, 0xd5eea89e), TOBN(0xfdff8424, 0x08437f4b),\n TOBN(0xf21071e4, 0x3cfe254f), TOBN(0x72417696, 0x95468321)},\n {TOBN(0x5d8288b9, 0x102cae3e), TOBN(0x2d143e3d, 0xf1965dff),\n TOBN(0x00c9a376, 0xa078d847), TOBN(0x6fc0da31, 0x26028731)}},\n {{TOBN(0xa2baeadf, 0xe45083a2), TOBN(0x66bc7218, 0x5e5b4bcd),\n TOBN(0x2c826442, 0xd04b8e7f), TOBN(0xc19f5451, 0x6c4b586b)},\n {TOBN(0x60182c49, 0x5b7eeed5), TOBN(0xd9954ecd, 0x7aa9dfa1),\n TOBN(0xa403a8ec, 0xc73884ad), TOBN(0x7fb17de2, 0x9bb39041)}},\n {{TOBN(0x694b64c5, 0xabb020e8), TOBN(0x3d18c184, 0x19c4eec7),\n TOBN(0x9c4673ef, 0x1c4793e5), TOBN(0xc7b8aeb5, 0x056092e6)},\n {TOBN(0x3aa1ca43, 0xf0f8c16b), TOBN(0x224ed5ec, 0xd679b2f6),\n TOBN(0x0d56eeaf, 0x55a205c9), TOBN(0xbfe115ba, 0x4b8e028b)}},\n {{TOBN(0x97e60849, 0x3927f4fe), TOBN(0xf91fbf94, 0x759aa7c5),\n TOBN(0x985af769, 0x6be90a51), TOBN(0xc1277b78, 0x78ccb823)},\n {TOBN(0x395b656e, 0xe7a75952), TOBN(0x00df7de0, 0x928da5f5),\n TOBN(0x09c23175, 0x4ca4454f), TOBN(0x4ec971f4, 0x7aa2d3c1)}},\n {{TOBN(0x45c3c507, 0xe75d9ccc), TOBN(0x63b7be8a, 0x3dc90306),\n TOBN(0x37e09c66, 0x5db44bdc), TOBN(0x50d60da1, 0x6841c6a2)},\n {TOBN(0x6f9b65ee, 0x08df1b12), TOBN(0x38734879, 0x7ff089df),\n TOBN(0x9c331a66, 0x3fe8013d), TOBN(0x017f5de9, 0x5f42fcc8)}},\n {{TOBN(0x43077866, 0xe8e57567), TOBN(0xc9f781ce, 0xf9fcdb18),\n TOBN(0x38131dda, 0x9b12e174), TOBN(0x25d84aa3, 0x8a03752a)},\n {TOBN(0x45e09e09, 0x4d0c0ce2), TOBN(0x1564008b, 0x92bebba5),\n TOBN(0xf7e8ad31, 0xa87284c7), TOBN(0xb7c4b46c, 0x97e7bbaa)}},\n {{TOBN(0x3e22a7b3, 0x97acf4ec), TOBN(0x0426c400, 0x5ea8b640),\n TOBN(0x5e3295a6, 0x4e969285), TOBN(0x22aabc59, 0xa6a45670)},\n {TOBN(0xb929714c, 0x5f5942bc), TOBN(0x9a6168bd, 0xfa3182ed),\n TOBN(0x2216a665, 0x104152ba), TOBN(0x46908d03, 0xb6926368)}}},\n {{{TOBN(0xa9f5d874, 0x5a1251fb), TOBN(0x967747a8, 0xc72725c7),\n TOBN(0x195c33e5, 0x31ffe89e), TOBN(0x609d210f, 0xe964935e)},\n {TOBN(0xcafd6ca8, 0x2fe12227), TOBN(0xaf9b5b96, 0x0426469d),\n TOBN(0x2e9ee04c, 0x5693183c), TOBN(0x1084a333, 0xc8146fef)}},\n {{TOBN(0x96649933, 0xaed1d1f7), TOBN(0x566eaff3, 0x50563090),\n TOBN(0x345057f0, 0xad2e39cf), TOBN(0x148ff65b, 0x1f832124)},\n {TOBN(0x042e89d4, 0xcf94cf0d), TOBN(0x319bec84, 0x520c58b3),\n TOBN(0x2a267626, 0x5361aa0d), TOBN(0xc86fa302, 0x8fbc87ad)}},\n {{TOBN(0xfc83d2ab, 0x5c8b06d5), TOBN(0xb1a785a2, 0xfe4eac46),\n TOBN(0xb99315bc, 0x846f7779), TOBN(0xcf31d816, 0xef9ea505)},\n {TOBN(0x2391fe6a, 0x15d7dc85), TOBN(0x2f132b04, 0xb4016b33),\n TOBN(0x29547fe3, 0x181cb4c7), TOBN(0xdb66d8a6, 0x650155a1)}},\n {{TOBN(0x6b66d7e1, 0xadc1696f), TOBN(0x98ebe593, 0x0acd72d0),\n TOBN(0x65f24550, 0xcc1b7435), TOBN(0xce231393, 0xb4b9a5ec)},\n {TOBN(0x234a22d4, 0xdb067df9), TOBN(0x98dda095, 0xcaff9b00),\n TOBN(0x1bbc75a0, 0x6100c9c1), TOBN(0x1560a9c8, 0x939cf695)}},\n {{TOBN(0xcf006d3e, 0x99e0925f), TOBN(0x2dd74a96, 0x6322375a),\n TOBN(0xc58b446a, 0xb56af5ba), TOBN(0x50292683, 0xe0b9b4f1)},\n {TOBN(0xe2c34cb4, 0x1aeaffa3), TOBN(0x8b17203f, 0x9b9587c1),\n TOBN(0x6d559207, 0xead1350c), TOBN(0x2b66a215, 0xfb7f9604)}},\n {{TOBN(0x0850325e, 0xfe51bf74), TOBN(0x9c4f579e, 0x5e460094),\n TOBN(0x5c87b92a, 0x76da2f25), TOBN(0x889de4e0, 0x6febef33)},\n {TOBN(0x6900ec06, 0x646083ce), TOBN(0xbe2a0335, 0xbfe12773),\n TOBN(0xadd1da35, 0xc5344110), TOBN(0x757568b7, 0xb802cd20)}},\n {{TOBN(0x75559779, 0x00f7e6c8), TOBN(0x38e8b94f, 0x0facd2f0),\n TOBN(0xfea1f3af, 0x03fde375), TOBN(0x5e11a1d8, 0x75881dfc)},\n {TOBN(0xb3a6b02e, 0xc1e2f2ef), TOBN(0x193d2bbb, 0xc605a6c5),\n TOBN(0x325ffeee, 0x339a0b2d), TOBN(0x27b6a724, 0x9e0c8846)}},\n {{TOBN(0xe4050f1c, 0xf1c367ca), TOBN(0x9bc85a9b, 0xc90fbc7d),\n TOBN(0xa373c4a2, 0xe1a11032), TOBN(0xb64232b7, 0xad0393a9)},\n {TOBN(0xf5577eb0, 0x167dad29), TOBN(0x1604f301, 0x94b78ab2),\n TOBN(0x0baa94af, 0xe829348b), TOBN(0x77fbd8dd, 0x41654342)}},\n {{TOBN(0xdab50ea5, 0xb964e39a), TOBN(0xd4c29e3c, 0xd0d3c76e),\n TOBN(0x80dae67c, 0x56d11964), TOBN(0x7307a8bf, 0xe5ffcc2f)},\n {TOBN(0x65bbc1aa, 0x91708c3b), TOBN(0xa151e62c, 0x28bf0eeb),\n TOBN(0x6cb53381, 0x6fa34db7), TOBN(0x5139e05c, 0xa29403a8)}},\n {{TOBN(0x6ff651b4, 0x94a7cd2e), TOBN(0x5671ffd1, 0x0699336c),\n TOBN(0x6f5fd2cc, 0x979a896a), TOBN(0x11e893a8, 0xd8148cef)},\n {TOBN(0x988906a1, 0x65cf7b10), TOBN(0x81b67178, 0xc50d8485),\n TOBN(0x7c0deb35, 0x8a35b3de), TOBN(0x423ac855, 0xc1d29799)}},\n {{TOBN(0xaf580d87, 0xdac50b74), TOBN(0x28b2b89f, 0x5869734c),\n TOBN(0x99a3b936, 0x874e28fb), TOBN(0xbb2c9190, 0x25f3f73a)},\n {TOBN(0x199f6918, 0x84a9d5b7), TOBN(0x7ebe2325, 0x7e770374),\n TOBN(0xf442e107, 0x0738efe2), TOBN(0xcf9f3f56, 0xcf9082d2)}},\n {{TOBN(0x719f69e1, 0x09618708), TOBN(0xcc9e8364, 0xc183f9b1),\n TOBN(0xec203a95, 0x366a21af), TOBN(0x6aec5d6d, 0x068b141f)},\n {TOBN(0xee2df78a, 0x994f04e9), TOBN(0xb39ccae8, 0x271245b0),\n TOBN(0xb875a4a9, 0x97e43f4f), TOBN(0x507dfe11, 0xdb2cea98)}},\n {{TOBN(0x4fbf81cb, 0x489b03e9), TOBN(0xdb86ec5b, 0x6ec414fa),\n TOBN(0xfad444f9, 0xf51b3ae5), TOBN(0xca7d33d6, 0x1914e3fe)},\n {TOBN(0xa9c32f5c, 0x0ae6c4d0), TOBN(0xa9ca1d1e, 0x73969568),\n TOBN(0x98043c31, 0x1aa7467e), TOBN(0xe832e75c, 0xe21b5ac6)}},\n {{TOBN(0x314b7aea, 0x5232123d), TOBN(0x08307c8c, 0x65ae86db),\n TOBN(0x06e7165c, 0xaa4668ed), TOBN(0xb170458b, 0xb4d3ec39)},\n {TOBN(0x4d2e3ec6, 0xc19bb986), TOBN(0xc5f34846, 0xae0304ed),\n TOBN(0x917695a0, 0x6c9f9722), TOBN(0x6c7f7317, 0x4cab1c0a)}},\n {{TOBN(0x6295940e, 0x9d6d2e8b), TOBN(0xd318b8c1, 0x549f7c97),\n TOBN(0x22453204, 0x97713885), TOBN(0x468d834b, 0xa8a440fe)},\n {TOBN(0xd81fe5b2, 0xbfba796e), TOBN(0x152364db, 0x6d71f116),\n TOBN(0xbb8c7c59, 0xb5b66e53), TOBN(0x0b12c61b, 0x2641a192)}},\n {{TOBN(0x31f14802, 0xfcf0a7fd), TOBN(0x42fd0789, 0x5488b01e),\n TOBN(0x71d78d6d, 0x9952b498), TOBN(0x8eb572d9, 0x07ac5201)},\n {TOBN(0xe0a2a44c, 0x4d194a88), TOBN(0xd2b63fd9, 0xba017e66),\n TOBN(0x78efc6c8, 0xf888aefc), TOBN(0xb76f6bda, 0x4a881a11)}},\n {{TOBN(0x187f314b, 0xb46c2397), TOBN(0x004cf566, 0x5ded2819),\n TOBN(0xa9ea5704, 0x38764d34), TOBN(0xbba45217, 0x78084709)},\n {TOBN(0x06474571, 0x1171121e), TOBN(0xad7b7eb1, 0xe7c9b671),\n TOBN(0xdacfbc40, 0x730f7507), TOBN(0x178cd8c6, 0xc7ad7bd1)}},\n {{TOBN(0xbf0be101, 0xb2a67238), TOBN(0x3556d367, 0xaf9c14f2),\n TOBN(0x104b7831, 0xa5662075), TOBN(0x58ca59bb, 0x79d9e60a)},\n {TOBN(0x4bc45392, 0xa569a73b), TOBN(0x517a52e8, 0x5698f6c9),\n TOBN(0x85643da5, 0xaeadd755), TOBN(0x1aed0cd5, 0x2a581b84)}},\n {{TOBN(0xb9b4ff84, 0x80af1372), TOBN(0x244c3113, 0xf1ba5d1f),\n TOBN(0x2a5dacbe, 0xf5f98d31), TOBN(0x2c3323e8, 0x4375bc2a)},\n {TOBN(0x17a3ab4a, 0x5594b1dd), TOBN(0xa1928bfb, 0xceb4797e),\n TOBN(0xe83af245, 0xe4886a19), TOBN(0x8979d546, 0x72b5a74a)}},\n {{TOBN(0xa0f726bc, 0x19f9e967), TOBN(0xd9d03152, 0xe8fbbf4e),\n TOBN(0xcfd6f51d, 0xb7707d40), TOBN(0x633084d9, 0x63f6e6e0)},\n {TOBN(0xedcd9cdc, 0x55667eaf), TOBN(0x73b7f92b, 0x2e44d56f),\n TOBN(0xfb2e39b6, 0x4e962b14), TOBN(0x7d408f6e, 0xf671fcbf)}},\n {{TOBN(0xcc634ddc, 0x164a89bb), TOBN(0x74a42bb2, 0x3ef3bd05),\n TOBN(0x1280dbb2, 0x428decbb), TOBN(0x6103f6bb, 0x402c8596)},\n {TOBN(0xfa2bf581, 0x355a5752), TOBN(0x562f96a8, 0x00946674),\n TOBN(0x4e4ca16d, 0x6da0223b), TOBN(0xfe47819f, 0x28d3aa25)}},\n {{TOBN(0x9eea3075, 0xf8dfcf8a), TOBN(0xa284f0aa, 0x95669825),\n TOBN(0xb3fca250, 0x867d3fd8), TOBN(0x20757b5f, 0x269d691e)},\n {TOBN(0xf2c24020, 0x93b8a5de), TOBN(0xd3f93359, 0xebc06da6),\n TOBN(0x1178293e, 0xb2739c33), TOBN(0xd2a3e770, 0xbcd686e5)}},\n {{TOBN(0xa76f49f4, 0xcd941534), TOBN(0x0d37406b, 0xe3c71c0e),\n TOBN(0x172d9397, 0x3b97f7e3), TOBN(0xec17e239, 0xbd7fd0de)},\n {TOBN(0xe3290551, 0x6f496ba2), TOBN(0x6a693172, 0x36ad50e7),\n TOBN(0xc4e539a2, 0x83e7eff5), TOBN(0x752737e7, 0x18e1b4cf)}},\n {{TOBN(0xa2f7932c, 0x68af43ee), TOBN(0x5502468e, 0x703d00bd),\n TOBN(0xe5dc978f, 0x2fb061f5), TOBN(0xc9a1904a, 0x28c815ad)},\n {TOBN(0xd3af538d, 0x470c56a4), TOBN(0x159abc5f, 0x193d8ced),\n TOBN(0x2a37245f, 0x20108ef3), TOBN(0xfa17081e, 0x223f7178)}},\n {{TOBN(0x27b0fb2b, 0x10c8c0f5), TOBN(0x2102c3ea, 0x40650547),\n TOBN(0x594564df, 0x8ac3bfa7), TOBN(0x98102033, 0x509dad96)},\n {TOBN(0x6989643f, 0xf1d18a13), TOBN(0x35eebd91, 0xd7fc5af0),\n TOBN(0x078d096a, 0xfaeaafd8), TOBN(0xb7a89341, 0xdef3de98)}},\n {{TOBN(0x2a206e8d, 0xecf2a73a), TOBN(0x066a6397, 0x8e551994),\n TOBN(0x3a6a088a, 0xb98d53a2), TOBN(0x0ce7c67c, 0x2d1124aa)},\n {TOBN(0x48cec671, 0x759a113c), TOBN(0xe3b373d3, 0x4f6f67fa),\n TOBN(0x5455d479, 0xfd36727b), TOBN(0xe5a428ee, 0xa13c0d81)}},\n {{TOBN(0xb853dbc8, 0x1c86682b), TOBN(0xb78d2727, 0xb8d02b2a),\n TOBN(0xaaf69bed, 0x8ebc329a), TOBN(0xdb6b40b3, 0x293b2148)},\n {TOBN(0xe42ea77d, 0xb8c4961f), TOBN(0xb1a12f7c, 0x20e5e0ab),\n TOBN(0xa0ec5274, 0x79e8b05e), TOBN(0x68027391, 0xfab60a80)}},\n {{TOBN(0x6bfeea5f, 0x16b1bd5e), TOBN(0xf957e420, 0x4de30ad3),\n TOBN(0xcbaf664e, 0x6a353b9e), TOBN(0x5c873312, 0x26d14feb)},\n {TOBN(0x4e87f98c, 0xb65f57cb), TOBN(0xdb60a621, 0x5e0cdd41),\n TOBN(0x67c16865, 0xa6881440), TOBN(0x1093ef1a, 0x46ab52aa)}},\n {{TOBN(0xc095afb5, 0x3f4ece64), TOBN(0x6a6bb02e, 0x7604551a),\n TOBN(0x55d44b4e, 0x0b26b8cd), TOBN(0xe5f9a999, 0xf971268a)},\n {TOBN(0xc08ec425, 0x11a7de84), TOBN(0x83568095, 0xfda469dd),\n TOBN(0x737bfba1, 0x6c6c90a2), TOBN(0x1cb9c4a0, 0xbe229831)}},\n {{TOBN(0x93bccbba, 0xbb2eec64), TOBN(0xa0c23b64, 0xda03adbe),\n TOBN(0x5f7aa00a, 0xe0e86ac4), TOBN(0x470b941e, 0xfc1401e6)},\n {TOBN(0x5ad8d679, 0x9df43574), TOBN(0x4ccfb8a9, 0x0f65d810),\n TOBN(0x1bce80e3, 0xaa7fbd81), TOBN(0x273291ad, 0x9508d20a)}},\n {{TOBN(0xf5c4b46b, 0x42a92806), TOBN(0x810684ec, 0xa86ab44a),\n TOBN(0x4591640b, 0xca0bc9f8), TOBN(0xb5efcdfc, 0x5c4b6054)},\n {TOBN(0x16fc8907, 0x6e9edd12), TOBN(0xe29d0b50, 0xd4d792f9),\n TOBN(0xa45fd01c, 0x9b03116d), TOBN(0x85035235, 0xc81765a4)}},\n {{TOBN(0x1fe2a9b2, 0xb4b4b67c), TOBN(0xc1d10df0, 0xe8020604),\n TOBN(0x9d64abfc, 0xbc8058d8), TOBN(0x8943b9b2, 0x712a0fbb)},\n {TOBN(0x90eed914, 0x3b3def04), TOBN(0x85ab3aa2, 0x4ce775ff),\n TOBN(0x605fd4ca, 0x7bbc9040), TOBN(0x8b34a564, 0xe2c75dfb)}},\n {{TOBN(0x41ffc94a, 0x10358560), TOBN(0x2d8a5072, 0x9e5c28aa),\n TOBN(0xe915a0fc, 0x4cc7eb15), TOBN(0xe9efab05, 0x8f6d0f5d)},\n {TOBN(0xdbab47a9, 0xd19e9b91), TOBN(0x8cfed745, 0x0276154c),\n TOBN(0x154357ae, 0x2cfede0d), TOBN(0x520630df, 0x19f5a4ef)}},\n {{TOBN(0x25759f7c, 0xe382360f), TOBN(0xb6db05c9, 0x88bf5857),\n TOBN(0x2917d61d, 0x6c58d46c), TOBN(0x14f8e491, 0xfd20cb7a)},\n {TOBN(0xb68a727a, 0x11c20340), TOBN(0x0386f86f, 0xaf7ccbb6),\n TOBN(0x5c8bc6cc, 0xfee09a20), TOBN(0x7d76ff4a, 0xbb7eea35)}},\n {{TOBN(0xa7bdebe7, 0xdb15be7a), TOBN(0x67a08054, 0xd89f0302),\n TOBN(0x56bf0ea9, 0xc1193364), TOBN(0xc8244467, 0x62837ebe)},\n {TOBN(0x32bd8e8b, 0x20d841b8), TOBN(0x127a0548, 0xdbb8a54f),\n TOBN(0x83dd4ca6, 0x63b20236), TOBN(0x87714718, 0x203491fa)}},\n {{TOBN(0x4dabcaaa, 0xaa8a5288), TOBN(0x91cc0c8a, 0xaf23a1c9),\n TOBN(0x34c72c6a, 0x3f220e0c), TOBN(0xbcc20bdf, 0x1232144a)},\n {TOBN(0x6e2f42da, 0xa20ede1b), TOBN(0xc441f00c, 0x74a00515),\n TOBN(0xbf46a5b6, 0x734b8c4b), TOBN(0x57409503, 0x7b56c9a4)}},\n {{TOBN(0x9f735261, 0xe4585d45), TOBN(0x9231faed, 0x6734e642),\n TOBN(0x1158a176, 0xbe70ee6c), TOBN(0x35f1068d, 0x7c3501bf)},\n {TOBN(0x6beef900, 0xa2d26115), TOBN(0x649406f2, 0xef0afee3),\n TOBN(0x3f43a60a, 0xbc2420a1), TOBN(0x509002a7, 0xd5aee4ac)}},\n {{TOBN(0xb46836a5, 0x3ff3571b), TOBN(0x24f98b78, 0x837927c1),\n TOBN(0x6254256a, 0x4533c716), TOBN(0xf27abb0b, 0xd07ee196)},\n {TOBN(0xd7cf64fc, 0x5c6d5bfd), TOBN(0x6915c751, 0xf0cd7a77),\n TOBN(0xd9f59012, 0x8798f534), TOBN(0x772b0da8, 0xf81d8b5f)}},\n {{TOBN(0x1244260c, 0x2e03fa69), TOBN(0x36cf0e3a, 0x3be1a374),\n TOBN(0x6e7c1633, 0xef06b960), TOBN(0xa71a4c55, 0x671f90f6)},\n {TOBN(0x7a941251, 0x33c673db), TOBN(0xc0bea510, 0x73e8c131),\n TOBN(0x61a8a699, 0xd4f6c734), TOBN(0x25e78c88, 0x341ed001)}},\n {{TOBN(0x5c18acf8, 0x8e2f7d90), TOBN(0xfdbf33d7, 0x77be32cd),\n TOBN(0x0a085cd7, 0xd2eb5ee9), TOBN(0x2d702cfb, 0xb3201115)},\n {TOBN(0xb6e0ebdb, 0x85c88ce8), TOBN(0x23a3ce3c, 0x1e01d617),\n TOBN(0x3041618e, 0x567333ac), TOBN(0x9dd0fd8f, 0x157edb6b)}},\n {{TOBN(0x27f74702, 0xb57872b8), TOBN(0x2ef26b4f, 0x657d5fe1),\n TOBN(0x95426f0a, 0x57cf3d40), TOBN(0x847e2ad1, 0x65a6067a)},\n {TOBN(0xd474d9a0, 0x09996a74), TOBN(0x16a56acd, 0x2a26115c),\n TOBN(0x02a615c3, 0xd16f4d43), TOBN(0xcc3fc965, 0xaadb85b7)}},\n {{TOBN(0x386bda73, 0xce07d1b0), TOBN(0xd82910c2, 0x58ad4178),\n TOBN(0x124f82cf, 0xcd2617f4), TOBN(0xcc2f5e8d, 0xef691770)},\n {TOBN(0x82702550, 0xb8c30ccc), TOBN(0x7b856aea, 0x1a8e575a),\n TOBN(0xbb822fef, 0xb1ab9459), TOBN(0x085928bc, 0xec24e38e)}},\n {{TOBN(0x5d0402ec, 0xba8f4b4d), TOBN(0xc07cd4ba, 0x00b4d58b),\n TOBN(0x5d8dffd5, 0x29227e7a), TOBN(0x61d44d0c, 0x31bf386f)},\n {TOBN(0xe486dc2b, 0x135e6f4d), TOBN(0x680962eb, 0xe79410ef),\n TOBN(0xa61bd343, 0xf10088b5), TOBN(0x6aa76076, 0xe2e28686)}},\n {{TOBN(0x80463d11, 0x8fb98871), TOBN(0xcb26f5c3, 0xbbc76aff),\n TOBN(0xd4ab8edd, 0xfbe03614), TOBN(0xc8eb579b, 0xc0cf2dee)},\n {TOBN(0xcc004c15, 0xc93bae41), TOBN(0x46fbae5d, 0x3aeca3b2),\n TOBN(0x671235cf, 0x0f1e9ab1), TOBN(0xadfba934, 0x9ec285c1)}},\n {{TOBN(0x88ded013, 0xf216c980), TOBN(0xc8ac4fb8, 0xf79e0bc1),\n TOBN(0xa29b89c6, 0xfb97a237), TOBN(0xb697b780, 0x9922d8e7)},\n {TOBN(0x3142c639, 0xddb945b5), TOBN(0x447b06c7, 0xe094c3a9),\n TOBN(0xcdcb3642, 0x72266c90), TOBN(0x633aad08, 0xa9385046)}},\n {{TOBN(0xa36c936b, 0xb57c6477), TOBN(0x871f8b64, 0xe94dbcc6),\n TOBN(0x28d0fb62, 0xa591a67b), TOBN(0x9d40e081, 0xc1d926f5)},\n {TOBN(0x3111eaf6, 0xf2d84b5a), TOBN(0x228993f9, 0xa565b644),\n TOBN(0x0ccbf592, 0x2c83188b), TOBN(0xf87b30ab, 0x3df3e197)}},\n {{TOBN(0xb8658b31, 0x7642bca8), TOBN(0x1a032d7f, 0x52800f17),\n TOBN(0x051dcae5, 0x79bf9445), TOBN(0xeba6b8ee, 0x54a2e253)},\n {TOBN(0x5c8b9cad, 0xd4485692), TOBN(0x84bda40e, 0x8986e9be),\n TOBN(0xd16d16a4, 0x2f0db448), TOBN(0x8ec80050, 0xa14d4188)}},\n {{TOBN(0xb2b26107, 0x98fa7aaa), TOBN(0x41209ee4, 0xf073aa4e),\n TOBN(0xf1570359, 0xf2d6b19b), TOBN(0xcbe6868c, 0xfc577caf)},\n {TOBN(0x186c4bdc, 0x32c04dd3), TOBN(0xa6c35fae, 0xcfeee397),\n TOBN(0xb4a1b312, 0xf086c0cf), TOBN(0xe0a5ccc6, 0xd9461fe2)}},\n {{TOBN(0xc32278aa, 0x1536189f), TOBN(0x1126c55f, 0xba6df571),\n TOBN(0x0f71a602, 0xb194560e), TOBN(0x8b2d7405, 0x324bd6e1)},\n {TOBN(0x8481939e, 0x3738be71), TOBN(0xb5090b1a, 0x1a4d97a9),\n TOBN(0x116c65a3, 0xf05ba915), TOBN(0x21863ad3, 0xaae448aa)}},\n {{TOBN(0xd24e2679, 0xa7aae5d3), TOBN(0x7076013d, 0x0de5c1c4),\n TOBN(0x2d50f8ba, 0xbb05b629), TOBN(0x73c1abe2, 0x6e66efbb)},\n {TOBN(0xefd4b422, 0xf2488af7), TOBN(0xe4105d02, 0x663ba575),\n TOBN(0x7eb60a8b, 0x53a69457), TOBN(0x62210008, 0xc945973b)}},\n {{TOBN(0xfb255478, 0x77a50ec6), TOBN(0xbf0392f7, 0x0a37a72c),\n TOBN(0xa0a7a19c, 0x4be18e7a), TOBN(0x90d8ea16, 0x25b1e0af)},\n {TOBN(0x7582a293, 0xef953f57), TOBN(0x90a64d05, 0xbdc5465a),\n TOBN(0xca79c497, 0xe2510717), TOBN(0x560dbb7c, 0x18cb641f)}},\n {{TOBN(0x1d8e3286, 0x4b66abfb), TOBN(0xd26f52e5, 0x59030900),\n TOBN(0x1ee3f643, 0x5584941a), TOBN(0x6d3b3730, 0x569f5958)},\n {TOBN(0x9ff2a62f, 0x4789dba5), TOBN(0x91fcb815, 0x72b5c9b7),\n TOBN(0xf446cb7d, 0x6c8f9a0e), TOBN(0x48f625c1, 0x39b7ecb5)}},\n {{TOBN(0xbabae801, 0x1c6219b8), TOBN(0xe7a562d9, 0x28ac2f23),\n TOBN(0xe1b48732, 0x26e20588), TOBN(0x06ee1cad, 0x775af051)},\n {TOBN(0xda29ae43, 0xfaff79f7), TOBN(0xc141a412, 0x652ee9e0),\n TOBN(0x1e127f6f, 0x195f4bd0), TOBN(0x29c6ab4f, 0x072f34f8)}},\n {{TOBN(0x7b7c1477, 0x30448112), TOBN(0x82b51af1, 0xe4a38656),\n TOBN(0x2bf2028a, 0x2f315010), TOBN(0xc9a4a01f, 0x6ea88cd4)},\n {TOBN(0xf63e95d8, 0x257e5818), TOBN(0xdd8efa10, 0xb4519b16),\n TOBN(0xed8973e0, 0x0da910bf), TOBN(0xed49d077, 0x5c0fe4a9)}},\n {{TOBN(0xac3aac5e, 0xb7caee1e), TOBN(0x1033898d, 0xa7f4da57),\n TOBN(0x42145c0e, 0x5c6669b9), TOBN(0x42daa688, 0xc1aa2aa0)},\n {TOBN(0x629cc15c, 0x1a1d885a), TOBN(0x25572ec0, 0xf4b76817),\n TOBN(0x8312e435, 0x9c8f8f28), TOBN(0x8107f8cd, 0x81965490)}},\n {{TOBN(0x516ff3a3, 0x6fa6110c), TOBN(0x74fb1eb1, 0xfb93561f),\n TOBN(0x6c0c9047, 0x8457522b), TOBN(0xcfd32104, 0x6bb8bdc6)},\n {TOBN(0x2d6884a2, 0xcc80ad57), TOBN(0x7c27fc35, 0x86a9b637),\n TOBN(0x3461baed, 0xadf4e8cd), TOBN(0x1d56251a, 0x617242f0)}},\n {{TOBN(0x0b80d209, 0xc955bef4), TOBN(0xdf02cad2, 0x06adb047),\n TOBN(0xf0d7cb91, 0x5ec74fee), TOBN(0xd2503375, 0x1111ba44)},\n {TOBN(0x9671755e, 0xdf53cb36), TOBN(0x54dcb612, 0x3368551b),\n TOBN(0x66d69aac, 0xc8a025a4), TOBN(0x6be946c6, 0xe77ef445)}},\n {{TOBN(0x719946d1, 0xa995e094), TOBN(0x65e848f6, 0xe51e04d8),\n TOBN(0xe62f3300, 0x6a1e3113), TOBN(0x1541c7c1, 0x501de503)},\n {TOBN(0x4daac9fa, 0xf4acfade), TOBN(0x0e585897, 0x44cd0b71),\n TOBN(0x544fd869, 0x0a51cd77), TOBN(0x60fc20ed, 0x0031016d)}},\n {{TOBN(0x58b404ec, 0xa4276867), TOBN(0x46f6c3cc, 0x34f34993),\n TOBN(0x477ca007, 0xc636e5bd), TOBN(0x8018f5e5, 0x7c458b47)},\n {TOBN(0xa1202270, 0xe47b668f), TOBN(0xcef48ccd, 0xee14f203),\n TOBN(0x23f98bae, 0x62ff9b4d), TOBN(0x55acc035, 0xc589eddd)}},\n {{TOBN(0x3fe712af, 0x64db4444), TOBN(0x19e9d634, 0xbecdd480),\n TOBN(0xe08bc047, 0xa930978a), TOBN(0x2dbf24ec, 0xa1280733)},\n {TOBN(0x3c0ae38c, 0x2cd706b2), TOBN(0x5b012a5b, 0x359017b9),\n TOBN(0x3943c38c, 0x72e0f5ae), TOBN(0x786167ea, 0x57176fa3)}},\n {{TOBN(0xe5f9897d, 0x594881dc), TOBN(0x6b5efad8, 0xcfb820c1),\n TOBN(0xb2179093, 0xd55018de), TOBN(0x39ad7d32, 0x0bac56ce)},\n {TOBN(0xb55122e0, 0x2cfc0e81), TOBN(0x117c4661, 0xf6d89daa),\n TOBN(0x362d01e1, 0xcb64fa09), TOBN(0x6a309b4e, 0x3e9c4ddd)}},\n {{TOBN(0xfa979fb7, 0xabea49b1), TOBN(0xb4b1d27d, 0x10e2c6c5),\n TOBN(0xbd61c2c4, 0x23afde7a), TOBN(0xeb6614f8, 0x9786d358)},\n {TOBN(0x4a5d816b, 0x7f6f7459), TOBN(0xe431a44f, 0x09360e7b),\n TOBN(0x8c27a032, 0xc309914c), TOBN(0xcea5d68a, 0xcaede3d8)}},\n {{TOBN(0x3668f665, 0x3a0a3f95), TOBN(0x89369416, 0x7ceba27b),\n TOBN(0x89981fad, 0xe4728fe9), TOBN(0x7102c8a0, 0x8a093562)},\n {TOBN(0xbb80310e, 0x235d21c8), TOBN(0x505e55d1, 0xbefb7f7b),\n TOBN(0xa0a90811, 0x12958a67), TOBN(0xd67e106a, 0x4d851fef)}},\n {{TOBN(0xb84011a9, 0x431dd80e), TOBN(0xeb7c7cca, 0x73306cd9),\n TOBN(0x20fadd29, 0xd1b3b730), TOBN(0x83858b5b, 0xfe37b3d3)},\n {TOBN(0xbf4cd193, 0xb6251d5c), TOBN(0x1cca1fd3, 0x1352d952),\n TOBN(0xc66157a4, 0x90fbc051), TOBN(0x7990a638, 0x89b98636)}}},\n {{{TOBN(0xe5aa692a, 0x87dec0e1), TOBN(0x010ded8d, 0xf7b39d00),\n TOBN(0x7b1b80c8, 0x54cfa0b5), TOBN(0x66beb876, 0xa0f8ea28)},\n {TOBN(0x50d7f531, 0x3476cd0e), TOBN(0xa63d0e65, 0xb08d3949),\n TOBN(0x1a09eea9, 0x53479fc6), TOBN(0x82ae9891, 0xf499e742)}},\n {{TOBN(0xab58b910, 0x5ca7d866), TOBN(0x582967e2, 0x3adb3b34),\n TOBN(0x89ae4447, 0xcceac0bc), TOBN(0x919c667c, 0x7bf56af5)},\n {TOBN(0x9aec17b1, 0x60f5dcd7), TOBN(0xec697b9f, 0xddcaadbc),\n TOBN(0x0b98f341, 0x463467f5), TOBN(0xb187f1f7, 0xa967132f)}},\n {{TOBN(0x90fe7a1d, 0x214aeb18), TOBN(0x1506af3c, 0x741432f7),\n TOBN(0xbb5565f9, 0xe591a0c4), TOBN(0x10d41a77, 0xb44f1bc3)},\n {TOBN(0xa09d65e4, 0xa84bde96), TOBN(0x42f060d8, 0xf20a6a1c),\n TOBN(0x652a3bfd, 0xf27f9ce7), TOBN(0xb6bdb65c, 0x3b3d739f)}},\n {{TOBN(0xeb5ddcb6, 0xec7fae9f), TOBN(0x995f2714, 0xefb66e5a),\n TOBN(0xdee95d8e, 0x69445d52), TOBN(0x1b6c2d46, 0x09e27620)},\n {TOBN(0x32621c31, 0x8129d716), TOBN(0xb03909f1, 0x0958c1aa),\n TOBN(0x8c468ef9, 0x1af4af63), TOBN(0x162c429f, 0xfba5cdf6)}},\n {{TOBN(0x2f682343, 0x753b9371), TOBN(0x29cab45a, 0x5f1f9cd7),\n TOBN(0x571623ab, 0xb245db96), TOBN(0xc507db09, 0x3fd79999)},\n {TOBN(0x4e2ef652, 0xaf036c32), TOBN(0x86f0cc78, 0x05018e5c),\n TOBN(0xc10a73d4, 0xab8be350), TOBN(0x6519b397, 0x7e826327)}},\n {{TOBN(0xe8cb5eef, 0x9c053df7), TOBN(0x8de25b37, 0xb300ea6f),\n TOBN(0xdb03fa92, 0xc849cffb), TOBN(0x242e43a7, 0xe84169bb)},\n {TOBN(0xe4fa51f4, 0xdd6f958e), TOBN(0x6925a77f, 0xf4445a8d),\n TOBN(0xe6e72a50, 0xe90d8949), TOBN(0xc66648e3, 0x2b1f6390)}},\n {{TOBN(0xb2ab1957, 0x173e460c), TOBN(0x1bbbce75, 0x30704590),\n TOBN(0xc0a90dbd, 0xdb1c7162), TOBN(0x505e399e, 0x15cdd65d)},\n {TOBN(0x68434dcb, 0x57797ab7), TOBN(0x60ad35ba, 0x6a2ca8e8),\n TOBN(0x4bfdb1e0, 0xde3336c1), TOBN(0xbbef99eb, 0xd8b39015)}},\n {{TOBN(0x6c3b96f3, 0x1711ebec), TOBN(0x2da40f1f, 0xce98fdc4),\n TOBN(0xb99774d3, 0x57b4411f), TOBN(0x87c8bdf4, 0x15b65bb6)},\n {TOBN(0xda3a89e3, 0xc2eef12d), TOBN(0xde95bb9b, 0x3c7471f3),\n TOBN(0x600f225b, 0xd812c594), TOBN(0x54907c5d, 0x2b75a56b)}},\n {{TOBN(0xa93cc5f0, 0x8db60e35), TOBN(0x743e3cd6, 0xfa833319),\n TOBN(0x7dad5c41, 0xf81683c9), TOBN(0x70c1e7d9, 0x9c34107e)},\n {TOBN(0x0edc4a39, 0xa6be0907), TOBN(0x36d47035, 0x86d0b7d3),\n TOBN(0x8c76da03, 0x272bfa60), TOBN(0x0b4a07ea, 0x0f08a414)}},\n {{TOBN(0x699e4d29, 0x45c1dd53), TOBN(0xcadc5898, 0x231debb5),\n TOBN(0xdf49fcc7, 0xa77f00e0), TOBN(0x93057bbf, 0xa73e5a0e)},\n {TOBN(0x2f8b7ecd, 0x027a4cd1), TOBN(0x114734b3, 0xc614011a),\n TOBN(0xe7a01db7, 0x67677c68), TOBN(0x89d9be5e, 0x7e273f4f)}},\n {{TOBN(0xd225cb2e, 0x089808ef), TOBN(0xf1f7a27d, 0xd59e4107),\n TOBN(0x53afc761, 0x8211b9c9), TOBN(0x0361bc67, 0xe6819159)},\n {TOBN(0x2a865d0b, 0x7f071426), TOBN(0x6a3c1810, 0xe7072567),\n TOBN(0x3e3bca1e, 0x0d6bcabd), TOBN(0xa1b02bc1, 0x408591bc)}},\n {{TOBN(0xe0deee59, 0x31fba239), TOBN(0xf47424d3, 0x98bd91d1),\n TOBN(0x0f8886f4, 0x071a3c1d), TOBN(0x3f7d41e8, 0xa819233b)},\n {TOBN(0x708623c2, 0xcf6eb998), TOBN(0x86bb49af, 0x609a287f),\n TOBN(0x942bb249, 0x63c90762), TOBN(0x0ef6eea5, 0x55a9654b)}},\n {{TOBN(0x5f6d2d72, 0x36f5defe), TOBN(0xfa9922dc, 0x56f99176),\n TOBN(0x6c8c5ece, 0xf78ce0c7), TOBN(0x7b44589d, 0xbe09b55e)},\n {TOBN(0xe11b3bca, 0x9ea83770), TOBN(0xd7fa2c7f, 0x2ab71547),\n TOBN(0x2a3dd6fa, 0x2a1ddcc0), TOBN(0x09acb430, 0x5a7b7707)}},\n {{TOBN(0x4add4a2e, 0x649d4e57), TOBN(0xcd53a2b0, 0x1917526e),\n TOBN(0xc5262330, 0x20b44ac4), TOBN(0x4028746a, 0xbaa2c31d)},\n {TOBN(0x51318390, 0x64291d4c), TOBN(0xbf48f151, 0xee5ad909),\n TOBN(0xcce57f59, 0x7b185681), TOBN(0x7c3ac1b0, 0x4854d442)}},\n {{TOBN(0x65587dc3, 0xc093c171), TOBN(0xae7acb24, 0x24f42b65),\n TOBN(0x5a338adb, 0x955996cb), TOBN(0xc8e65675, 0x6051f91b)},\n {TOBN(0x66711fba, 0x28b8d0b1), TOBN(0x15d74137, 0xb6c10a90),\n TOBN(0x70cdd7eb, 0x3a232a80), TOBN(0xc9e2f07f, 0x6191ed24)}},\n {{TOBN(0xa80d1db6, 0xf79588c0), TOBN(0xfa52fc69, 0xb55768cc),\n TOBN(0x0b4df1ae, 0x7f54438a), TOBN(0x0cadd1a7, 0xf9b46a4f)},\n {TOBN(0xb40ea6b3, 0x1803dd6f), TOBN(0x488e4fa5, 0x55eaae35),\n TOBN(0x9f047d55, 0x382e4e16), TOBN(0xc9b5b7e0, 0x2f6e0c98)}},\n {{TOBN(0x6b1bd2d3, 0x95762649), TOBN(0xa9604ee7, 0xc7aea3f6),\n TOBN(0x3646ff27, 0x6dc6f896), TOBN(0x9bf0e7f5, 0x2860bad1)},\n {TOBN(0x2d92c821, 0x7cb44b92), TOBN(0xa2f5ce63, 0xaea9c182),\n TOBN(0xd0a2afb1, 0x9154a5fd), TOBN(0x482e474c, 0x95801da6)}},\n {{TOBN(0xc19972d0, 0xb611c24b), TOBN(0x1d468e65, 0x60a8f351),\n TOBN(0xeb758069, 0x7bcf6421), TOBN(0xec9dd0ee, 0x88fbc491)},\n {TOBN(0x5b59d2bf, 0x956c2e32), TOBN(0x73dc6864, 0xdcddf94e),\n TOBN(0xfd5e2321, 0xbcee7665), TOBN(0xa7b4f8ef, 0x5e9a06c4)}},\n {{TOBN(0xfba918dd, 0x7280f855), TOBN(0xbbaac260, 0x8baec688),\n TOBN(0xa3b3f00f, 0x33400f42), TOBN(0x3d2dba29, 0x66f2e6e4)},\n {TOBN(0xb6f71a94, 0x98509375), TOBN(0x8f33031f, 0xcea423cc),\n TOBN(0x009b8dd0, 0x4807e6fb), TOBN(0x5163cfe5, 0x5cdb954c)}},\n {{TOBN(0x03cc8f17, 0xcf41c6e8), TOBN(0xf1f03c2a, 0x037b925c),\n TOBN(0xc39c19cc, 0x66d2427c), TOBN(0x823d24ba, 0x7b6c18e4)},\n {TOBN(0x32ef9013, 0x901f0b4f), TOBN(0x684360f1, 0xf8941c2e),\n TOBN(0x0ebaff52, 0x2c28092e), TOBN(0x7891e4e3, 0x256c932f)}},\n {{TOBN(0x51264319, 0xac445e3d), TOBN(0x553432e7, 0x8ea74381),\n TOBN(0xe6eeaa69, 0x67e9c50a), TOBN(0x27ced284, 0x62e628c7)},\n {TOBN(0x3f96d375, 0x7a4afa57), TOBN(0xde0a14c3, 0xe484c150),\n TOBN(0x364a24eb, 0x38bd9923), TOBN(0x1df18da0, 0xe5177422)}},\n {{TOBN(0x174e8f82, 0xd8d38a9b), TOBN(0x2e97c600, 0xe7de1391),\n TOBN(0xc5709850, 0xa1c175dd), TOBN(0x969041a0, 0x32ae5035)},\n {TOBN(0xcbfd533b, 0x76a2086b), TOBN(0xd6bba71b, 0xd7c2e8fe),\n TOBN(0xb2d58ee6, 0x099dfb67), TOBN(0x3a8b342d, 0x064a85d9)}},\n {{TOBN(0x3bc07649, 0x522f9be3), TOBN(0x690c075b, 0xdf1f49a8),\n TOBN(0x80e1aee8, 0x3854ec42), TOBN(0x2a7dbf44, 0x17689dc7)},\n {TOBN(0xc004fc0e, 0x3faf4078), TOBN(0xb2f02e9e, 0xdf11862c),\n TOBN(0xf10a5e0f, 0xa0a1b7b3), TOBN(0x30aca623, 0x8936ec80)}},\n {{TOBN(0xf83cbf05, 0x02f40d9a), TOBN(0x4681c468, 0x2c318a4d),\n TOBN(0x98575618, 0x0e9c2674), TOBN(0xbe79d046, 0x1847092e)},\n {TOBN(0xaf1e480a, 0x78bd01e0), TOBN(0x6dd359e4, 0x72a51db9),\n TOBN(0x62ce3821, 0xe3afbab6), TOBN(0xc5cee5b6, 0x17733199)}},\n {{TOBN(0xe08b30d4, 0x6ffd9fbb), TOBN(0x6e5bc699, 0x36c610b7),\n TOBN(0xf343cff2, 0x9ce262cf), TOBN(0xca2e4e35, 0x68b914c1)},\n {TOBN(0x011d64c0, 0x16de36c5), TOBN(0xe0b10fdd, 0x42e2b829),\n TOBN(0x78942981, 0x6685aaf8), TOBN(0xe7511708, 0x230ede97)}},\n {{TOBN(0x671ed8fc, 0x3b922bf8), TOBN(0xe4d8c0a0, 0x4c29b133),\n TOBN(0x87eb1239, 0x3b6e99c4), TOBN(0xaff3974c, 0x8793beba)},\n {TOBN(0x03749405, 0x2c18df9b), TOBN(0xc5c3a293, 0x91007139),\n TOBN(0x6a77234f, 0xe37a0b95), TOBN(0x02c29a21, 0xb661c96b)}},\n {{TOBN(0xc3aaf1d6, 0x141ecf61), TOBN(0x9195509e, 0x3bb22f53),\n TOBN(0x29597404, 0x22d51357), TOBN(0x1b083822, 0x537bed60)},\n {TOBN(0xcd7d6e35, 0xe07289f0), TOBN(0x1f94c48c, 0x6dd86eff),\n TOBN(0xc8bb1f82, 0xeb0f9cfa), TOBN(0x9ee0b7e6, 0x1b2eb97d)}},\n {{TOBN(0x5a52fe2e, 0x34d74e31), TOBN(0xa352c310, 0x3bf79ab6),\n TOBN(0x97ff6c5a, 0xabfeeb8f), TOBN(0xbfbe8fef, 0xf5c97305)},\n {TOBN(0xd6081ce6, 0xa7904608), TOBN(0x1f812f3a, 0xc4fca249),\n TOBN(0x9b24bc9a, 0xb9e5e200), TOBN(0x91022c67, 0x38012ee8)}},\n {{TOBN(0xe83d9c5d, 0x30a713a1), TOBN(0x4876e3f0, 0x84ef0f93),\n TOBN(0xc9777029, 0xc1fbf928), TOBN(0xef7a6bb3, 0xbce7d2a4)},\n {TOBN(0xb8067228, 0xdfa2a659), TOBN(0xd5cd3398, 0xd877a48f),\n TOBN(0xbea4fd8f, 0x025d0f3f), TOBN(0xd67d2e35, 0x2eae7c2b)}},\n {{TOBN(0x184de7d7, 0xcc5f4394), TOBN(0xb5551b5c, 0x4536e142),\n TOBN(0x2e89b212, 0xd34aa60a), TOBN(0x14a96fea, 0xf50051d5)},\n {TOBN(0x4e21ef74, 0x0d12bb0b), TOBN(0xc522f020, 0x60b9677e),\n TOBN(0x8b12e467, 0x2df7731d), TOBN(0x39f80382, 0x7b326d31)}},\n {{TOBN(0xdfb8630c, 0x39024a94), TOBN(0xaacb96a8, 0x97319452),\n TOBN(0xd68a3961, 0xeda3867c), TOBN(0x0c58e2b0, 0x77c4ffca)},\n {TOBN(0x3d545d63, 0x4da919fa), TOBN(0xef79b69a, 0xf15e2289),\n TOBN(0x54bc3d3d, 0x808bab10), TOBN(0xc8ab3007, 0x45f82c37)}},\n {{TOBN(0xc12738b6, 0x7c4a658a), TOBN(0xb3c47639, 0x40e72182),\n TOBN(0x3b77be46, 0x8798e44f), TOBN(0xdc047df2, 0x17a7f85f)},\n {TOBN(0x2439d4c5, 0x5e59d92d), TOBN(0xcedca475, 0xe8e64d8d),\n TOBN(0xa724cd0d, 0x87ca9b16), TOBN(0x35e4fd59, 0xa5540dfe)}},\n {{TOBN(0xf8c1ff18, 0xe4bcf6b1), TOBN(0x856d6285, 0x295018fa),\n TOBN(0x433f665c, 0x3263c949), TOBN(0xa6a76dd6, 0xa1f21409)},\n {TOBN(0x17d32334, 0xcc7b4f79), TOBN(0xa1d03122, 0x06720e4a),\n TOBN(0xadb6661d, 0x81d9bed5), TOBN(0xf0d6fb02, 0x11db15d1)}},\n {{TOBN(0x7fd11ad5, 0x1fb747d2), TOBN(0xab50f959, 0x3033762b),\n TOBN(0x2a7e711b, 0xfbefaf5a), TOBN(0xc7393278, 0x3fef2bbf)},\n {TOBN(0xe29fa244, 0x0df6f9be), TOBN(0x9092757b, 0x71efd215),\n TOBN(0xee60e311, 0x4f3d6fd9), TOBN(0x338542d4, 0x0acfb78b)}},\n {{TOBN(0x44a23f08, 0x38961a0f), TOBN(0x1426eade, 0x986987ca),\n TOBN(0x36e6ee2e, 0x4a863cc6), TOBN(0x48059420, 0x628b8b79)},\n {TOBN(0x30303ad8, 0x7396e1de), TOBN(0x5c8bdc48, 0x38c5aad1),\n TOBN(0x3e40e11f, 0x5c8f5066), TOBN(0xabd6e768, 0x8d246bbd)}},\n {{TOBN(0x68aa40bb, 0x23330a01), TOBN(0xd23f5ee4, 0xc34eafa0),\n TOBN(0x3bbee315, 0x5de02c21), TOBN(0x18dd4397, 0xd1d8dd06)},\n {TOBN(0x3ba1939a, 0x122d7b44), TOBN(0xe6d3b40a, 0xa33870d6),\n TOBN(0x8e620f70, 0x1c4fe3f8), TOBN(0xf6bba1a5, 0xd3a50cbf)}},\n {{TOBN(0x4a78bde5, 0xcfc0aee0), TOBN(0x847edc46, 0xc08c50bd),\n TOBN(0xbaa2439c, 0xad63c9b2), TOBN(0xceb4a728, 0x10fc2acb)},\n {TOBN(0xa419e40e, 0x26da033d), TOBN(0x6cc3889d, 0x03e02683),\n TOBN(0x1cd28559, 0xfdccf725), TOBN(0x0fd7e0f1, 0x8d13d208)}},\n {{TOBN(0x01b9733b, 0x1f0df9d4), TOBN(0x8cc2c5f3, 0xa2b5e4f3),\n TOBN(0x43053bfa, 0x3a304fd4), TOBN(0x8e87665c, 0x0a9f1aa7)},\n {TOBN(0x087f29ec, 0xd73dc965), TOBN(0x15ace455, 0x3e9023db),\n TOBN(0x2370e309, 0x2bce28b4), TOBN(0xf9723442, 0xb6b1e84a)}},\n {{TOBN(0xbeee662e, 0xb72d9f26), TOBN(0xb19396de, 0xf0e47109),\n TOBN(0x85b1fa73, 0xe13289d0), TOBN(0x436cf77e, 0x54e58e32)},\n {TOBN(0x0ec833b3, 0xe990ef77), TOBN(0x7373e3ed, 0x1b11fc25),\n TOBN(0xbe0eda87, 0x0fc332ce), TOBN(0xced04970, 0x8d7ea856)}},\n {{TOBN(0xf85ff785, 0x7e977ca0), TOBN(0xb66ee8da, 0xdfdd5d2b),\n TOBN(0xf5e37950, 0x905af461), TOBN(0x587b9090, 0x966d487c)},\n {TOBN(0x6a198a1b, 0x32ba0127), TOBN(0xa7720e07, 0x141615ac),\n TOBN(0xa23f3499, 0x996ef2f2), TOBN(0xef5f64b4, 0x470bcb3d)}},\n {{TOBN(0xa526a962, 0x92b8c559), TOBN(0x0c14aac0, 0x69740a0f),\n TOBN(0x0d41a9e3, 0xa6bdc0a5), TOBN(0x97d52106, 0x9c48aef4)},\n {TOBN(0xcf16bd30, 0x3e7c253b), TOBN(0xcc834b1a, 0x47fdedc1),\n TOBN(0x7362c6e5, 0x373aab2e), TOBN(0x264ed85e, 0xc5f590ff)}},\n {{TOBN(0x7a46d9c0, 0x66d41870), TOBN(0xa50c20b1, 0x4787ba09),\n TOBN(0x185e7e51, 0xe3d44635), TOBN(0xb3b3e080, 0x31e2d8dc)},\n {TOBN(0xbed1e558, 0xa179e9d9), TOBN(0x2daa3f79, 0x74a76781),\n TOBN(0x4372baf2, 0x3a40864f), TOBN(0x46900c54, 0x4fe75cb5)}},\n {{TOBN(0xb95f171e, 0xf76765d0), TOBN(0x4ad726d2, 0x95c87502),\n TOBN(0x2ec769da, 0x4d7c99bd), TOBN(0x5e2ddd19, 0xc36cdfa8)},\n {TOBN(0xc22117fc, 0xa93e6dea), TOBN(0xe8a2583b, 0x93771123),\n TOBN(0xbe2f6089, 0xfa08a3a2), TOBN(0x4809d5ed, 0x8f0e1112)}},\n {{TOBN(0x3b414aa3, 0xda7a095e), TOBN(0x9049acf1, 0x26f5aadd),\n TOBN(0x78d46a4d, 0x6be8b84a), TOBN(0xd66b1963, 0xb732b9b3)},\n {TOBN(0x5c2ac2a0, 0xde6e9555), TOBN(0xcf52d098, 0xb5bd8770),\n TOBN(0x15a15fa6, 0x0fd28921), TOBN(0x56ccb81e, 0x8b27536d)}},\n {{TOBN(0x0f0d8ab8, 0x9f4ccbb8), TOBN(0xed5f44d2, 0xdb221729),\n TOBN(0x43141988, 0x00bed10c), TOBN(0xc94348a4, 0x1d735b8b)},\n {TOBN(0x79f3e9c4, 0x29ef8479), TOBN(0x4c13a4e3, 0x614c693f),\n TOBN(0x32c9af56, 0x8e143a14), TOBN(0xbc517799, 0xe29ac5c4)}},\n {{TOBN(0x05e17992, 0x2774856f), TOBN(0x6e52fb05, 0x6c1bf55f),\n TOBN(0xaeda4225, 0xe4f19e16), TOBN(0x70f4728a, 0xaf5ccb26)},\n {TOBN(0x5d2118d1, 0xb2947f22), TOBN(0xc827ea16, 0x281d6fb9),\n TOBN(0x8412328d, 0x8cf0eabd), TOBN(0x45ee9fb2, 0x03ef9dcf)}},\n {{TOBN(0x8e700421, 0xbb937d63), TOBN(0xdf8ff2d5, 0xcc4b37a6),\n TOBN(0xa4c0d5b2, 0x5ced7b68), TOBN(0x6537c1ef, 0xc7308f59)},\n {TOBN(0x25ce6a26, 0x3b37f8e8), TOBN(0x170e9a9b, 0xdeebc6ce),\n TOBN(0xdd037952, 0x8728d72c), TOBN(0x445b0e55, 0x850154bc)}},\n {{TOBN(0x4b7d0e06, 0x83a7337b), TOBN(0x1e3416d4, 0xffecf249),\n TOBN(0x24840eff, 0x66a2b71f), TOBN(0xd0d9a50a, 0xb37cc26d)},\n {TOBN(0xe2198150, 0x6fe28ef7), TOBN(0x3cc5ef16, 0x23324c7f),\n TOBN(0x220f3455, 0x769b5263), TOBN(0xe2ade2f1, 0xa10bf475)}},\n {{TOBN(0x28cd20fa, 0x458d3671), TOBN(0x1549722c, 0x2dc4847b),\n TOBN(0x6dd01e55, 0x591941e3), TOBN(0x0e6fbcea, 0x27128ccb)},\n {TOBN(0xae1a1e6b, 0x3bef0262), TOBN(0xfa8c472c, 0x8f54e103),\n TOBN(0x7539c0a8, 0x72c052ec), TOBN(0xd7b27369, 0x5a3490e9)}},\n {{TOBN(0x143fe1f1, 0x71684349), TOBN(0x36b4722e, 0x32e19b97),\n TOBN(0xdc059227, 0x90980aff), TOBN(0x175c9c88, 0x9e13d674)},\n {TOBN(0xa7de5b22, 0x6e6bfdb1), TOBN(0x5ea5b7b2, 0xbedb4b46),\n TOBN(0xd5570191, 0xd34a6e44), TOBN(0xfcf60d2e, 0xa24ff7e6)}},\n {{TOBN(0x614a392d, 0x677819e1), TOBN(0x7be74c7e, 0xaa5a29e8),\n TOBN(0xab50fece, 0x63c85f3f), TOBN(0xaca2e2a9, 0x46cab337)},\n {TOBN(0x7f700388, 0x122a6fe3), TOBN(0xdb69f703, 0x882a04a8),\n TOBN(0x9a77935d, 0xcf7aed57), TOBN(0xdf16207c, 0x8d91c86f)}},\n {{TOBN(0x2fca49ab, 0x63ed9998), TOBN(0xa3125c44, 0xa77ddf96),\n TOBN(0x05dd8a86, 0x24344072), TOBN(0xa023dda2, 0xfec3fb56)},\n {TOBN(0x421b41fc, 0x0c743032), TOBN(0x4f2120c1, 0x5e438639),\n TOBN(0xfb7cae51, 0xc83c1b07), TOBN(0xb2370caa, 0xcac2171a)}},\n {{TOBN(0x2eb2d962, 0x6cc820fb), TOBN(0x59feee5c, 0xb85a44bf),\n TOBN(0x94620fca, 0x5b6598f0), TOBN(0x6b922cae, 0x7e314051)},\n {TOBN(0xff8745ad, 0x106bed4e), TOBN(0x546e71f5, 0xdfa1e9ab),\n TOBN(0x935c1e48, 0x1ec29487), TOBN(0x9509216c, 0x4d936530)}},\n {{TOBN(0xc7ca3067, 0x85c9a2db), TOBN(0xd6ae5152, 0x6be8606f),\n TOBN(0x09dbcae6, 0xe14c651d), TOBN(0xc9536e23, 0x9bc32f96)},\n {TOBN(0xa90535a9, 0x34521b03), TOBN(0xf39c526c, 0x878756ff),\n TOBN(0x383172ec, 0x8aedf03c), TOBN(0x20a8075e, 0xefe0c034)}},\n {{TOBN(0xf22f9c62, 0x64026422), TOBN(0x8dd10780, 0x24b9d076),\n TOBN(0x944c742a, 0x3bef2950), TOBN(0x55b9502e, 0x88a2b00b)},\n {TOBN(0xa59e14b4, 0x86a09817), TOBN(0xa39dd3ac, 0x47bb4071),\n TOBN(0x55137f66, 0x3be0592f), TOBN(0x07fcafd4, 0xc9e63f5b)}},\n {{TOBN(0x963652ee, 0x346eb226), TOBN(0x7dfab085, 0xec2facb7),\n TOBN(0x273bf2b8, 0x691add26), TOBN(0x30d74540, 0xf2b46c44)},\n {TOBN(0x05e8e73e, 0xf2c2d065), TOBN(0xff9b8a00, 0xd42eeac9),\n TOBN(0x2fcbd205, 0x97209d22), TOBN(0xeb740ffa, 0xde14ea2c)}},\n {{TOBN(0xc71ff913, 0xa8aef518), TOBN(0x7bfc74bb, 0xfff4cfa2),\n TOBN(0x1716680c, 0xb6b36048), TOBN(0x121b2cce, 0x9ef79af1)},\n {TOBN(0xbff3c836, 0xa01eb3d3), TOBN(0x50eb1c6a, 0x5f79077b),\n TOBN(0xa48c32d6, 0xa004bbcf), TOBN(0x47a59316, 0x7d64f61d)}},\n {{TOBN(0x6068147f, 0x93102016), TOBN(0x12c5f654, 0x94d12576),\n TOBN(0xefb071a7, 0xc9bc6b91), TOBN(0x7c2da0c5, 0x6e23ea95)},\n {TOBN(0xf4fd45b6, 0xd4a1dd5d), TOBN(0x3e7ad9b6, 0x9122b13c),\n TOBN(0x342ca118, 0xe6f57a48), TOBN(0x1c2e94a7, 0x06f8288f)}},\n {{TOBN(0x99e68f07, 0x5a97d231), TOBN(0x7c80de97, 0x4d838758),\n TOBN(0xbce0f5d0, 0x05872727), TOBN(0xbe5d95c2, 0x19c4d016)},\n {TOBN(0x921d5cb1, 0x9c2492ee), TOBN(0x42192dc1, 0x404d6fb3),\n TOBN(0x4c84dcd1, 0x32f988d3), TOBN(0xde26d61f, 0xa17b8e85)}},\n {{TOBN(0xc466dcb6, 0x137c7408), TOBN(0x9a38d7b6, 0x36a266da),\n TOBN(0x7ef5cb06, 0x83bebf1b), TOBN(0xe5cdcbbf, 0x0fd014e3)},\n {TOBN(0x30aa376d, 0xf65965a0), TOBN(0x60fe88c2, 0xebb3e95e),\n TOBN(0x33fd0b61, 0x66ee6f20), TOBN(0x8827dcdb, 0x3f41f0a0)}},\n {{TOBN(0xbf8a9d24, 0x0c56c690), TOBN(0x40265dad, 0xddb7641d),\n TOBN(0x522b05bf, 0x3a6b662b), TOBN(0x466d1dfe, 0xb1478c9b)},\n {TOBN(0xaa616962, 0x1484469b), TOBN(0x0db60549, 0x02df8f9f),\n TOBN(0xc37bca02, 0x3cb8bf51), TOBN(0x5effe346, 0x21371ce8)}},\n {{TOBN(0xe8f65264, 0xff112c32), TOBN(0x8a9c736d, 0x7b971fb2),\n TOBN(0xa4f19470, 0x7b75080d), TOBN(0xfc3f2c5a, 0x8839c59b)},\n {TOBN(0x1d6c777e, 0x5aeb49c2), TOBN(0xf3db034d, 0xda1addfe),\n TOBN(0xd76fee5a, 0x5535affc), TOBN(0x0853ac70, 0xb92251fd)}},\n {{TOBN(0x37e3d594, 0x8b2a29d5), TOBN(0x28f1f457, 0x4de00ddb),\n TOBN(0x8083c1b5, 0xf42c328b), TOBN(0xd8ef1d8f, 0xe493c73b)},\n {TOBN(0x96fb6260, 0x41dc61bd), TOBN(0xf74e8a9d, 0x27ee2f8a),\n TOBN(0x7c605a80, 0x2c946a5d), TOBN(0xeed48d65, 0x3839ccfd)}},\n {{TOBN(0x9894344f, 0x3a29467a), TOBN(0xde81e949, 0xc51eba6d),\n TOBN(0xdaea066b, 0xa5e5c2f2), TOBN(0x3fc8a614, 0x08c8c7b3)},\n {TOBN(0x7adff88f, 0x06d0de9f), TOBN(0xbbc11cf5, 0x3b75ce0a),\n TOBN(0x9fbb7acc, 0xfbbc87d5), TOBN(0xa1458e26, 0x7badfde2)}}},\n {{{TOBN(0x1cb43668, 0xe039c256), TOBN(0x5f26fb8b, 0x7c17fd5d),\n TOBN(0xeee426af, 0x79aa062b), TOBN(0x072002d0, 0xd78fbf04)},\n {TOBN(0x4c9ca237, 0xe84fb7e3), TOBN(0xb401d8a1, 0x0c82133d),\n TOBN(0xaaa52592, 0x6d7e4181), TOBN(0xe9430833, 0x73dbb152)}},\n {{TOBN(0xf92dda31, 0xbe24319a), TOBN(0x03f7d28b, 0xe095a8e7),\n TOBN(0xa52fe840, 0x98782185), TOBN(0x276ddafe, 0x29c24dbc)},\n {TOBN(0x80cd5496, 0x1d7a64eb), TOBN(0xe4360889, 0x7f1dbe42),\n TOBN(0x2f81a877, 0x8438d2d5), TOBN(0x7e4d52a8, 0x85169036)}},\n {{TOBN(0x19e3d5b1, 0x1d59715d), TOBN(0xc7eaa762, 0xd788983e),\n TOBN(0xe5a730b0, 0xabf1f248), TOBN(0xfbab8084, 0xfae3fd83)},\n {TOBN(0x65e50d21, 0x53765b2f), TOBN(0xbdd4e083, 0xfa127f3d),\n TOBN(0x9cf3c074, 0x397b1b10), TOBN(0x59f8090c, 0xb1b59fd3)}},\n {{TOBN(0x7b15fd9d, 0x615faa8f), TOBN(0x8fa1eb40, 0x968554ed),\n TOBN(0x7bb4447e, 0x7aa44882), TOBN(0x2bb2d0d1, 0x029fff32)},\n {TOBN(0x075e2a64, 0x6caa6d2f), TOBN(0x8eb879de, 0x22e7351b),\n TOBN(0xbcd5624e, 0x9a506c62), TOBN(0x218eaef0, 0xa87e24dc)}},\n {{TOBN(0x37e56847, 0x44ddfa35), TOBN(0x9ccfc5c5, 0xdab3f747),\n TOBN(0x9ac1df3f, 0x1ee96cf4), TOBN(0x0c0571a1, 0x3b480b8f)},\n {TOBN(0x2fbeb3d5, 0x4b3a7b3c), TOBN(0x35c03669, 0x5dcdbb99),\n TOBN(0x52a0f5dc, 0xb2415b3a), TOBN(0xd57759b4, 0x4413ed9a)}},\n {{TOBN(0x1fe647d8, 0x3d30a2c5), TOBN(0x0857f77e, 0xf78a81dc),\n TOBN(0x11d5a334, 0x131a4a9b), TOBN(0xc0a94af9, 0x29d393f5)},\n {TOBN(0xbc3a5c0b, 0xdaa6ec1a), TOBN(0xba9fe493, 0x88d2d7ed),\n TOBN(0xbb4335b4, 0xbb614797), TOBN(0x991c4d68, 0x72f83533)}},\n {{TOBN(0x53258c28, 0xd2f01cb3), TOBN(0x93d6eaa3, 0xd75db0b1),\n TOBN(0x419a2b0d, 0xe87d0db4), TOBN(0xa1e48f03, 0xd8fe8493)},\n {TOBN(0xf747faf6, 0xc508b23a), TOBN(0xf137571a, 0x35d53549),\n TOBN(0x9f5e58e2, 0xfcf9b838), TOBN(0xc7186cee, 0xa7fd3cf5)}},\n {{TOBN(0x77b868ce, 0xe978a1d3), TOBN(0xe3a68b33, 0x7ab92d04),\n TOBN(0x51029794, 0x87a5b862), TOBN(0x5f0606c3, 0x3a61d41d)},\n {TOBN(0x2814be27, 0x6f9326f1), TOBN(0x2f521c14, 0xc6fe3c2e),\n TOBN(0x17464d7d, 0xacdf7351), TOBN(0x10f5f9d3, 0x777f7e44)}},\n {{TOBN(0xce8e616b, 0x269fb37d), TOBN(0xaaf73804, 0x7de62de5),\n TOBN(0xaba11175, 0x4fdd4153), TOBN(0x515759ba, 0x3770b49b)},\n {TOBN(0x8b09ebf8, 0xaa423a61), TOBN(0x592245a1, 0xcd41fb92),\n TOBN(0x1cba8ec1, 0x9b4c8936), TOBN(0xa87e91e3, 0xaf36710e)}},\n {{TOBN(0x1fd84ce4, 0x3d34a2e3), TOBN(0xee3759ce, 0xb43b5d61),\n TOBN(0x895bc78c, 0x619186c7), TOBN(0xf19c3809, 0xcbb9725a)},\n {TOBN(0xc0be21aa, 0xde744b1f), TOBN(0xa7d222b0, 0x60f8056b),\n TOBN(0x74be6157, 0xb23efe11), TOBN(0x6fab2b4f, 0x0cd68253)}},\n {{TOBN(0xad33ea5f, 0x4bf1d725), TOBN(0x9c1d8ee2, 0x4f6c950f),\n TOBN(0x544ee78a, 0xa377af06), TOBN(0x54f489bb, 0x94a113e1)},\n {TOBN(0x8f11d634, 0x992fb7e8), TOBN(0x0169a7aa, 0xa2a44347),\n TOBN(0x1d49d4af, 0x95020e00), TOBN(0x95945722, 0xe08e120b)}},\n {{TOBN(0xb6e33878, 0xa4d32282), TOBN(0xe36e029d, 0x48020ae7),\n TOBN(0xe05847fb, 0x37a9b750), TOBN(0xf876812c, 0xb29e3819)},\n {TOBN(0x84ad138e, 0xd23a17f0), TOBN(0x6d7b4480, 0xf0b3950e),\n TOBN(0xdfa8aef4, 0x2fd67ae0), TOBN(0x8d3eea24, 0x52333af6)}},\n {{TOBN(0x0d052075, 0xb15d5acc), TOBN(0xc6d9c79f, 0xbd815bc4),\n TOBN(0x8dcafd88, 0xdfa36cf2), TOBN(0x908ccbe2, 0x38aa9070)},\n {TOBN(0x638722c4, 0xba35afce), TOBN(0x5a3da8b0, 0xfd6abf0b),\n TOBN(0x2dce252c, 0xc9c335c1), TOBN(0x84e7f0de, 0x65aa799b)}},\n {{TOBN(0x2101a522, 0xb99a72cb), TOBN(0x06de6e67, 0x87618016),\n TOBN(0x5ff8c7cd, 0xe6f3653e), TOBN(0x0a821ab5, 0xc7a6754a)},\n {TOBN(0x7e3fa52b, 0x7cb0b5a2), TOBN(0xa7fb121c, 0xc9048790),\n TOBN(0x1a725020, 0x06ce053a), TOBN(0xb490a31f, 0x04e929b0)}},\n {{TOBN(0xe17be47d, 0x62dd61ad), TOBN(0x781a961c, 0x6be01371),\n TOBN(0x1063bfd3, 0xdae3cbba), TOBN(0x35647406, 0x7f73c9ba)},\n {TOBN(0xf50e957b, 0x2736a129), TOBN(0xa6313702, 0xed13f256),\n TOBN(0x9436ee65, 0x3a19fcc5), TOBN(0xcf2bdb29, 0xe7a4c8b6)}},\n {{TOBN(0xb06b1244, 0xc5f95cd8), TOBN(0xda8c8af0, 0xf4ab95f4),\n TOBN(0x1bae59c2, 0xb9e5836d), TOBN(0x07d51e7e, 0x3acffffc)},\n {TOBN(0x01e15e6a, 0xc2ccbcda), TOBN(0x3bc1923f, 0x8528c3e0),\n TOBN(0x43324577, 0xa49fead4), TOBN(0x61a1b884, 0x2aa7a711)}},\n {{TOBN(0xf9a86e08, 0x700230ef), TOBN(0x0af585a1, 0xbd19adf8),\n TOBN(0x7645f361, 0xf55ad8f2), TOBN(0x6e676223, 0x46c3614c)},\n {TOBN(0x23cb257c, 0x4e774d3f), TOBN(0x82a38513, 0xac102d1b),\n TOBN(0x9bcddd88, 0x7b126aa5), TOBN(0xe716998b, 0xeefd3ee4)}},\n {{TOBN(0x4239d571, 0xfb167583), TOBN(0xdd011c78, 0xd16c8f8a),\n TOBN(0x271c2895, 0x69a27519), TOBN(0x9ce0a3b7, 0xd2d64b6a)},\n {TOBN(0x8c977289, 0xd5ec6738), TOBN(0xa3b49f9a, 0x8840ef6b),\n TOBN(0x808c14c9, 0x9a453419), TOBN(0x5c00295b, 0x0cf0a2d5)}},\n {{TOBN(0x524414fb, 0x1d4bcc76), TOBN(0xb07691d2, 0x459a88f1),\n TOBN(0x77f43263, 0xf70d110f), TOBN(0x64ada5e0, 0xb7abf9f3)},\n {TOBN(0xafd0f94e, 0x5b544cf5), TOBN(0xb4a13a15, 0xfd2713fe),\n TOBN(0xb99b7d6e, 0x250c74f4), TOBN(0x097f2f73, 0x20324e45)}},\n {{TOBN(0x994b37d8, 0xaffa8208), TOBN(0xc3c31b0b, 0xdc29aafc),\n TOBN(0x3da74651, 0x7a3a607f), TOBN(0xd8e1b8c1, 0xfe6955d6)},\n {TOBN(0x716e1815, 0xc8418682), TOBN(0x541d487f, 0x7dc91d97),\n TOBN(0x48a04669, 0xc6996982), TOBN(0xf39cab15, 0x83a6502e)}},\n {{TOBN(0x025801a0, 0xe68db055), TOBN(0xf3569758, 0xba3338d5),\n TOBN(0xb0c8c0aa, 0xee2afa84), TOBN(0x4f6985d3, 0xfb6562d1)},\n {TOBN(0x351f1f15, 0x132ed17a), TOBN(0x510ed0b4, 0xc04365fe),\n TOBN(0xa3f98138, 0xe5b1f066), TOBN(0xbc9d95d6, 0x32df03dc)}},\n {{TOBN(0xa83ccf6e, 0x19abd09e), TOBN(0x0b4097c1, 0x4ff17edb),\n TOBN(0x58a5c478, 0xd64a06ce), TOBN(0x2ddcc3fd, 0x544a58fd)},\n {TOBN(0xd449503d, 0x9e8153b8), TOBN(0x3324fd02, 0x7774179b),\n TOBN(0xaf5d47c8, 0xdbd9120c), TOBN(0xeb860162, 0x34fa94db)}},\n {{TOBN(0x5817bdd1, 0x972f07f4), TOBN(0xe5579e2e, 0xd27bbceb),\n TOBN(0x86847a1f, 0x5f11e5a6), TOBN(0xb39ed255, 0x7c3cf048)},\n {TOBN(0xe1076417, 0xa2f62e55), TOBN(0x6b9ab38f, 0x1bcf82a2),\n TOBN(0x4bb7c319, 0x7aeb29f9), TOBN(0xf6d17da3, 0x17227a46)}},\n {{TOBN(0xab53ddbd, 0x0f968c00), TOBN(0xa03da7ec, 0x000c880b),\n TOBN(0x7b239624, 0x6a9ad24d), TOBN(0x612c0401, 0x01ec60d0)},\n {TOBN(0x70d10493, 0x109f5df1), TOBN(0xfbda4030, 0x80af7550),\n TOBN(0x30b93f95, 0xc6b9a9b3), TOBN(0x0c74ec71, 0x007d9418)}},\n {{TOBN(0x94175564, 0x6edb951f), TOBN(0x5f4a9d78, 0x7f22c282),\n TOBN(0xb7870895, 0xb38d1196), TOBN(0xbc593df3, 0xa228ce7c)},\n {TOBN(0xc78c5bd4, 0x6af3641a), TOBN(0x7802200b, 0x3d9b3dcc),\n TOBN(0x0dc73f32, 0x8be33304), TOBN(0x847ed87d, 0x61ffb79a)}},\n {{TOBN(0xf85c974e, 0x6d671192), TOBN(0x1e14100a, 0xde16f60f),\n TOBN(0x45cb0d5a, 0x95c38797), TOBN(0x18923bba, 0x9b022da4)},\n {TOBN(0xef2be899, 0xbbe7e86e), TOBN(0x4a1510ee, 0x216067bf),\n TOBN(0xd98c8154, 0x84d5ce3e), TOBN(0x1af777f0, 0xf92a2b90)}},\n {{TOBN(0x9fbcb400, 0x4ef65724), TOBN(0x3e04a4c9, 0x3c0ca6fe),\n TOBN(0xfb3e2cb5, 0x55002994), TOBN(0x1f3a93c5, 0x5363ecab)},\n {TOBN(0x1fe00efe, 0x3923555b), TOBN(0x744bedd9, 0x1e1751ea),\n TOBN(0x3fb2db59, 0x6ab69357), TOBN(0x8dbd7365, 0xf5e6618b)}},\n {{TOBN(0x99d53099, 0xdf1ea40e), TOBN(0xb3f24a0b, 0x57d61e64),\n TOBN(0xd088a198, 0x596eb812), TOBN(0x22c8361b, 0x5762940b)},\n {TOBN(0x66f01f97, 0xf9c0d95c), TOBN(0x88461172, 0x8e43cdae),\n TOBN(0x11599a7f, 0xb72b15c3), TOBN(0x135a7536, 0x420d95cc)}},\n {{TOBN(0x2dcdf0f7, 0x5f7ae2f6), TOBN(0x15fc6e1d, 0xd7fa6da2),\n TOBN(0x81ca829a, 0xd1d441b6), TOBN(0x84c10cf8, 0x04a106b6)},\n {TOBN(0xa9b26c95, 0xa73fbbd0), TOBN(0x7f24e0cb, 0x4d8f6ee8),\n TOBN(0x48b45937, 0x1e25a043), TOBN(0xf8a74fca, 0x036f3dfe)}},\n {{TOBN(0x1ed46585, 0xc9f84296), TOBN(0x7fbaa8fb, 0x3bc278b0),\n TOBN(0xa8e96cd4, 0x6c4fcbd0), TOBN(0x940a1202, 0x73b60a5f)},\n {TOBN(0x34aae120, 0x55a4aec8), TOBN(0x550e9a74, 0xdbd742f0),\n TOBN(0x794456d7, 0x228c68ab), TOBN(0x492f8868, 0xa4e25ec6)}},\n {{TOBN(0x682915ad, 0xb2d8f398), TOBN(0xf13b51cc, 0x5b84c953),\n TOBN(0xcda90ab8, 0x5bb917d6), TOBN(0x4b615560, 0x4ea3dee1)},\n {TOBN(0x578b4e85, 0x0a52c1c8), TOBN(0xeab1a695, 0x20b75fc4),\n TOBN(0x60c14f3c, 0xaa0bb3c6), TOBN(0x220f448a, 0xb8216094)}},\n {{TOBN(0x4fe7ee31, 0xb0e63d34), TOBN(0xf4600572, 0xa9e54fab),\n TOBN(0xc0493334, 0xd5e7b5a4), TOBN(0x8589fb92, 0x06d54831)},\n {TOBN(0xaa70f5cc, 0x6583553a), TOBN(0x0879094a, 0xe25649e5),\n TOBN(0xcc904507, 0x10044652), TOBN(0xebb0696d, 0x02541c4f)}},\n {{TOBN(0x5a171fde, 0xb9718710), TOBN(0x38f1bed8, 0xf374a9f5),\n TOBN(0xc8c582e1, 0xba39bdc1), TOBN(0xfc457b0a, 0x908cc0ce)},\n {TOBN(0x9a187fd4, 0x883841e2), TOBN(0x8ec25b39, 0x38725381),\n TOBN(0x2553ed05, 0x96f84395), TOBN(0x095c7661, 0x6f6c6897)}},\n {{TOBN(0x917ac85c, 0x4bdc5610), TOBN(0xb2885fe4, 0x179eb301),\n TOBN(0x5fc65547, 0x8b78bdcc), TOBN(0x4a9fc893, 0xe59e4699)},\n {TOBN(0xbb7ff0cd, 0x3ce299af), TOBN(0x195be9b3, 0xadf38b20),\n TOBN(0x6a929c87, 0xd38ddb8f), TOBN(0x55fcc99c, 0xb21a51b9)}},\n {{TOBN(0x2b695b4c, 0x721a4593), TOBN(0xed1e9a15, 0x768eaac2),\n TOBN(0xfb63d71c, 0x7489f914), TOBN(0xf98ba31c, 0x78118910)},\n {TOBN(0x80291373, 0x9b128eb4), TOBN(0x7801214e, 0xd448af4a),\n TOBN(0xdbd2e22b, 0x55418dd3), TOBN(0xeffb3c0d, 0xd3998242)}},\n {{TOBN(0xdfa6077c, 0xc7bf3827), TOBN(0xf2165bcb, 0x47f8238f),\n TOBN(0xfe37cf68, 0x8564d554), TOBN(0xe5f825c4, 0x0a81fb98)},\n {TOBN(0x43cc4f67, 0xffed4d6f), TOBN(0xbc609578, 0xb50a34b0),\n TOBN(0x8aa8fcf9, 0x5041faf1), TOBN(0x5659f053, 0x651773b6)}},\n {{TOBN(0xe87582c3, 0x6044d63b), TOBN(0xa6089409, 0x0cdb0ca0),\n TOBN(0x8c993e0f, 0xbfb2bcf6), TOBN(0xfc64a719, 0x45985cfc)},\n {TOBN(0x15c4da80, 0x83dbedba), TOBN(0x804ae112, 0x2be67df7),\n TOBN(0xda4c9658, 0xa23defde), TOBN(0x12002ddd, 0x5156e0d3)}},\n {{TOBN(0xe68eae89, 0x5dd21b96), TOBN(0x8b99f28b, 0xcf44624d),\n TOBN(0x0ae00808, 0x1ec8897a), TOBN(0xdd0a9303, 0x6712f76e)},\n {TOBN(0x96237522, 0x4e233de4), TOBN(0x192445b1, 0x2b36a8a5),\n TOBN(0xabf9ff74, 0x023993d9), TOBN(0x21f37bf4, 0x2aad4a8f)}},\n {{TOBN(0x340a4349, 0xf8bd2bbd), TOBN(0x1d902cd9, 0x4868195d),\n TOBN(0x3d27bbf1, 0xe5fdb6f1), TOBN(0x7a5ab088, 0x124f9f1c)},\n {TOBN(0xc466ab06, 0xf7a09e03), TOBN(0x2f8a1977, 0x31f2c123),\n TOBN(0xda355dc7, 0x041b6657), TOBN(0xcb840d12, 0x8ece2a7c)}},\n {{TOBN(0xb600ad9f, 0x7db32675), TOBN(0x78fea133, 0x07a06f1b),\n TOBN(0x5d032269, 0xb31f6094), TOBN(0x07753ef5, 0x83ec37aa)},\n {TOBN(0x03485aed, 0x9c0bea78), TOBN(0x41bb3989, 0xbc3f4524),\n TOBN(0x09403761, 0x697f726d), TOBN(0x6109beb3, 0xdf394820)}},\n {{TOBN(0x804111ea, 0x3b6d1145), TOBN(0xb6271ea9, 0xa8582654),\n TOBN(0x619615e6, 0x24e66562), TOBN(0xa2554945, 0xd7b6ad9c)},\n {TOBN(0xd9c4985e, 0x99bfe35f), TOBN(0x9770ccc0, 0x7b51cdf6),\n TOBN(0x7c327013, 0x92881832), TOBN(0x8777d45f, 0x286b26d1)}},\n {{TOBN(0x9bbeda22, 0xd847999d), TOBN(0x03aa33b6, 0xc3525d32),\n TOBN(0x4b7b96d4, 0x28a959a1), TOBN(0xbb3786e5, 0x31e5d234)},\n {TOBN(0xaeb5d3ce, 0x6961f247), TOBN(0x20aa85af, 0x02f93d3f),\n TOBN(0x9cd1ad3d, 0xd7a7ae4f), TOBN(0xbf6688f0, 0x781adaa8)}},\n {{TOBN(0xb1b40e86, 0x7469cead), TOBN(0x1904c524, 0x309fca48),\n TOBN(0x9b7312af, 0x4b54bbc7), TOBN(0xbe24bf8f, 0x593affa2)},\n {TOBN(0xbe5e0790, 0xbd98764b), TOBN(0xa0f45f17, 0xa26e299e),\n TOBN(0x4af0d2c2, 0x6b8fe4c7), TOBN(0xef170db1, 0x8ae8a3e6)}},\n {{TOBN(0x0e8d61a0, 0x29e0ccc1), TOBN(0xcd53e87e, 0x60ad36ca),\n TOBN(0x328c6623, 0xc8173822), TOBN(0x7ee1767d, 0xa496be55)},\n {TOBN(0x89f13259, 0x648945af), TOBN(0x9e45a5fd, 0x25c8009c),\n TOBN(0xaf2febd9, 0x1f61ab8c), TOBN(0x43f6bc86, 0x8a275385)}},\n {{TOBN(0x87792348, 0xf2142e79), TOBN(0x17d89259, 0xc6e6238a),\n TOBN(0x7536d2f6, 0x4a839d9b), TOBN(0x1f428fce, 0x76a1fbdc)},\n {TOBN(0x1c109601, 0x0db06dfe), TOBN(0xbfc16bc1, 0x50a3a3cc),\n TOBN(0xf9cbd9ec, 0x9b30f41b), TOBN(0x5b5da0d6, 0x00138cce)}},\n {{TOBN(0xec1d0a48, 0x56ef96a7), TOBN(0xb47eb848, 0x982bf842),\n TOBN(0x66deae32, 0xec3f700d), TOBN(0x4e43c42c, 0xaa1181e0)},\n {TOBN(0xa1d72a31, 0xd1a4aa2a), TOBN(0x440d4668, 0xc004f3ce),\n TOBN(0x0d6a2d3b, 0x45fe8a7a), TOBN(0x820e52e2, 0xfb128365)}},\n {{TOBN(0x29ac5fcf, 0x25e51b09), TOBN(0x180cd2bf, 0x2023d159),\n TOBN(0xa9892171, 0xa1ebf90e), TOBN(0xf97c4c87, 0x7c132181)},\n {TOBN(0x9f1dc724, 0xc03dbb7e), TOBN(0xae043765, 0x018cbbe4),\n TOBN(0xfb0b2a36, 0x0767d153), TOBN(0xa8e2f4d6, 0x249cbaeb)}},\n {{TOBN(0x172a5247, 0xd95ea168), TOBN(0x1758fada, 0x2970764a),\n TOBN(0xac803a51, 0x1d978169), TOBN(0x299cfe2e, 0xde77e01b)},\n {TOBN(0x652a1e17, 0xb0a98927), TOBN(0x2e26e1d1, 0x20014495),\n TOBN(0x7ae0af9f, 0x7175b56a), TOBN(0xc2e22a80, 0xd64b9f95)}},\n {{TOBN(0x4d0ff9fb, 0xd90a060a), TOBN(0x496a27db, 0xbaf38085),\n TOBN(0x32305401, 0xda776bcf), TOBN(0xb8cdcef6, 0x725f209e)},\n {TOBN(0x61ba0f37, 0x436a0bba), TOBN(0x263fa108, 0x76860049),\n TOBN(0x92beb98e, 0xda3542cf), TOBN(0xa2d4d14a, 0xd5849538)}},\n {{TOBN(0x989b9d68, 0x12e9a1bc), TOBN(0x61d9075c, 0x5f6e3268),\n TOBN(0x352c6aa9, 0x99ace638), TOBN(0xde4e4a55, 0x920f43ff)},\n {TOBN(0xe5e4144a, 0xd673c017), TOBN(0x667417ae, 0x6f6e05ea),\n TOBN(0x613416ae, 0xdcd1bd56), TOBN(0x5eb36201, 0x86693711)}},\n {{TOBN(0x2d7bc504, 0x3a1aa914), TOBN(0x175a1299, 0x76dc5975),\n TOBN(0xe900e0f2, 0x3fc8125c), TOBN(0x569ef68c, 0x11198875)},\n {TOBN(0x9012db63, 0x63a113b4), TOBN(0xe3bd3f56, 0x98835766),\n TOBN(0xa5c94a52, 0x76412dea), TOBN(0xad9e2a09, 0xaa735e5c)}},\n {{TOBN(0x405a984c, 0x508b65e9), TOBN(0xbde4a1d1, 0x6df1a0d1),\n TOBN(0x1a9433a1, 0xdfba80da), TOBN(0xe9192ff9, 0x9440ad2e)},\n {TOBN(0x9f649696, 0x5099fe92), TOBN(0x25ddb65c, 0x0b27a54a),\n TOBN(0x178279dd, 0xc590da61), TOBN(0x5479a999, 0xfbde681a)}},\n {{TOBN(0xd0e84e05, 0x013fe162), TOBN(0xbe11dc92, 0x632d471b),\n TOBN(0xdf0b0c45, 0xfc0e089f), TOBN(0x04fb15b0, 0x4c144025)},\n {TOBN(0xa61d5fc2, 0x13c99927), TOBN(0xa033e9e0, 0x3de2eb35),\n TOBN(0xf8185d5c, 0xb8dacbb4), TOBN(0x9a88e265, 0x8644549d)}},\n {{TOBN(0xf717af62, 0x54671ff6), TOBN(0x4bd4241b, 0x5fa58603),\n TOBN(0x06fba40b, 0xe67773c0), TOBN(0xc1d933d2, 0x6a2847e9)},\n {TOBN(0xf4f5acf3, 0x689e2c70), TOBN(0x92aab0e7, 0x46bafd31),\n TOBN(0x798d76aa, 0x3473f6e5), TOBN(0xcc6641db, 0x93141934)}},\n {{TOBN(0xcae27757, 0xd31e535e), TOBN(0x04cc43b6, 0x87c2ee11),\n TOBN(0x8d1f9675, 0x2e029ffa), TOBN(0xc2150672, 0xe4cc7a2c)},\n {TOBN(0x3b03c1e0, 0x8d68b013), TOBN(0xa9d6816f, 0xedf298f3),\n TOBN(0x1bfbb529, 0xa2804464), TOBN(0x95a52fae, 0x5db22125)}},\n {{TOBN(0x55b32160, 0x0e1cb64e), TOBN(0x004828f6, 0x7e7fc9fe),\n TOBN(0x13394b82, 0x1bb0fb93), TOBN(0xb6293a2d, 0x35f1a920)},\n {TOBN(0xde35ef21, 0xd145d2d9), TOBN(0xbe6225b3, 0xbb8fa603),\n TOBN(0x00fc8f6b, 0x32cf252d), TOBN(0xa28e52e6, 0x117cf8c2)}},\n {{TOBN(0x9d1dc89b, 0x4c371e6d), TOBN(0xcebe0675, 0x36ef0f28),\n TOBN(0x5de05d09, 0xa4292f81), TOBN(0xa8303593, 0x353e3083)},\n {TOBN(0xa1715b0a, 0x7e37a9bb), TOBN(0x8c56f61e, 0x2b8faec3),\n TOBN(0x52507431, 0x33c9b102), TOBN(0x0130cefc, 0xa44431f0)}},\n {{TOBN(0x56039fa0, 0xbd865cfb), TOBN(0x4b03e578, 0xbc5f1dd7),\n TOBN(0x40edf2e4, 0xbabe7224), TOBN(0xc752496d, 0x3a1988f6)},\n {TOBN(0xd1572d3b, 0x564beb6b), TOBN(0x0db1d110, 0x39a1c608),\n TOBN(0x568d1934, 0x16f60126), TOBN(0x05ae9668, 0xf354af33)}},\n {{TOBN(0x19de6d37, 0xc92544f2), TOBN(0xcc084353, 0xa35837d5),\n TOBN(0xcbb6869c, 0x1a514ece), TOBN(0xb633e728, 0x2e1d1066)},\n {TOBN(0xf15dd69f, 0x936c581c), TOBN(0x96e7b8ce, 0x7439c4f9),\n TOBN(0x5e676f48, 0x2e448a5b), TOBN(0xb2ca7d5b, 0xfd916bbb)}},\n {{TOBN(0xd55a2541, 0xf5024025), TOBN(0x47bc5769, 0xe4c2d937),\n TOBN(0x7d31b92a, 0x0362189f), TOBN(0x83f3086e, 0xef7816f9)},\n {TOBN(0xf9f46d94, 0xb587579a), TOBN(0xec2d22d8, 0x30e76c5f),\n TOBN(0x27d57461, 0xb000ffcf), TOBN(0xbb7e65f9, 0x364ffc2c)}},\n {{TOBN(0x7c7c9477, 0x6652a220), TOBN(0x61618f89, 0xd696c981),\n TOBN(0x5021701d, 0x89effff3), TOBN(0xf2c8ff8e, 0x7c314163)},\n {TOBN(0x2da413ad, 0x8efb4d3e), TOBN(0x937b5adf, 0xce176d95),\n TOBN(0x22867d34, 0x2a67d51c), TOBN(0x262b9b10, 0x18eb3ac9)}},\n {{TOBN(0x4e314fe4, 0xc43ff28b), TOBN(0x76476627, 0x6a664e7a),\n TOBN(0x3e90e40b, 0xb7a565c2), TOBN(0x8588993a, 0xc1acf831)},\n {TOBN(0xd7b501d6, 0x8f938829), TOBN(0x996627ee, 0x3edd7d4c),\n TOBN(0x37d44a62, 0x90cd34c7), TOBN(0xa8327499, 0xf3833e8d)}},\n {{TOBN(0x2e18917d, 0x4bf50353), TOBN(0x85dd726b, 0x556765fb),\n TOBN(0x54fe65d6, 0x93d5ab66), TOBN(0x3ddbaced, 0x915c25fe)},\n {TOBN(0xa799d9a4, 0x12f22e85), TOBN(0xe2a24867, 0x6d06f6bc),\n TOBN(0xf4f1ee56, 0x43ca1637), TOBN(0xfda2828b, 0x61ece30a)}},\n {{TOBN(0x758c1a3e, 0xa2dee7a6), TOBN(0xdcde2f3c, 0x734b2284),\n TOBN(0xaba445d2, 0x4eaba6ad), TOBN(0x35aaf668, 0x76cee0a7)},\n {TOBN(0x7e0b04a9, 0xe5aa049a), TOBN(0xe74083ad, 0x91103e84),\n TOBN(0xbeb183ce, 0x40afecc3), TOBN(0x6b89de9f, 0xea043f7a)}}},\n {{{TOBN(0x0e299d23, 0xfe67ba66), TOBN(0x91450760, 0x93cf2f34),\n TOBN(0xf45b5ea9, 0x97fcf913), TOBN(0x5be00843, 0x8bd7ddda)},\n {TOBN(0x358c3e05, 0xd53ff04d), TOBN(0xbf7ccdc3, 0x5de91ef7),\n TOBN(0xad684dbf, 0xb69ec1a0), TOBN(0x367e7cf2, 0x801fd997)}},\n {{TOBN(0x0ca1f3b7, 0xb0dc8595), TOBN(0x27de4608, 0x9f1d9f2e),\n TOBN(0x1af3bf39, 0xbadd82a7), TOBN(0x79356a79, 0x65862448)},\n {TOBN(0xc0602345, 0xf5f9a052), TOBN(0x1a8b0f89, 0x139a42f9),\n TOBN(0xb53eee42, 0x844d40fc), TOBN(0x93b0bfe5, 0x4e5b6368)}},\n {{TOBN(0x5434dd02, 0xc024789c), TOBN(0x90dca9ea, 0x41b57bfc),\n TOBN(0x8aa898e2, 0x243398df), TOBN(0xf607c834, 0x894a94bb)},\n {TOBN(0xbb07be97, 0xc2c99b76), TOBN(0x6576ba67, 0x18c29302),\n TOBN(0x3d79efcc, 0xe703a88c), TOBN(0xf259ced7, 0xb6a0d106)}},\n {{TOBN(0x0f893a5d, 0xc8de610b), TOBN(0xe8c515fb, 0x67e223ce),\n TOBN(0x7774bfa6, 0x4ead6dc5), TOBN(0x89d20f95, 0x925c728f)},\n {TOBN(0x7a1e0966, 0x098583ce), TOBN(0xa2eedb94, 0x93f2a7d7),\n TOBN(0x1b282097, 0x4c304d4a), TOBN(0x0842e3da, 0xc077282d)}},\n {{TOBN(0xe4d972a3, 0x3b9e2d7b), TOBN(0x7cc60b27, 0xc48218ff),\n TOBN(0x8fc70838, 0x84149d91), TOBN(0x5c04346f, 0x2f461ecc)},\n {TOBN(0xebe9fdf2, 0x614650a9), TOBN(0x5e35b537, 0xc1f666ac),\n TOBN(0x645613d1, 0x88babc83), TOBN(0x88cace3a, 0xc5e1c93e)}},\n {{TOBN(0x209ca375, 0x3de92e23), TOBN(0xccb03cc8, 0x5fbbb6e3),\n TOBN(0xccb90f03, 0xd7b1487e), TOBN(0xfa9c2a38, 0xc710941f)},\n {TOBN(0x756c3823, 0x6724ceed), TOBN(0x3a902258, 0x192d0323),\n TOBN(0xb150e519, 0xea5e038e), TOBN(0xdcba2865, 0xc7427591)}},\n {{TOBN(0xe549237f, 0x78890732), TOBN(0xc443bef9, 0x53fcb4d9),\n TOBN(0x9884d8a6, 0xeb3480d6), TOBN(0x8a35b6a1, 0x3048b186)},\n {TOBN(0xb4e44716, 0x65e9a90a), TOBN(0x45bf380d, 0x653006c0),\n TOBN(0x8f3f820d, 0x4fe9ae3b), TOBN(0x244a35a0, 0x979a3b71)}},\n {{TOBN(0xa1010e9d, 0x74cd06ff), TOBN(0x9c17c7df, 0xaca3eeac),\n TOBN(0x74c86cd3, 0x8063aa2b), TOBN(0x8595c4b3, 0x734614ff)},\n {TOBN(0xa3de00ca, 0x990f62cc), TOBN(0xd9bed213, 0xca0c3be5),\n TOBN(0x7886078a, 0xdf8ce9f5), TOBN(0xddb27ce3, 0x5cd44444)}},\n {{TOBN(0xed374a66, 0x58926ddd), TOBN(0x138b2d49, 0x908015b8),\n TOBN(0x886c6579, 0xde1f7ab8), TOBN(0x888b9aa0, 0xc3020b7a)},\n {TOBN(0xd3ec034e, 0x3a96e355), TOBN(0xba65b0b8, 0xf30fbe9a),\n TOBN(0x064c8e50, 0xff21367a), TOBN(0x1f508ea4, 0x0b04b46e)}},\n {{TOBN(0x98561a49, 0x747c866c), TOBN(0xbbb1e5fe, 0x0518a062),\n TOBN(0x20ff4e8b, 0xecdc3608), TOBN(0x7f55cded, 0x20184027)},\n {TOBN(0x8d73ec95, 0xf38c85f0), TOBN(0x5b589fdf, 0x8bc3b8c3),\n TOBN(0xbe95dd98, 0x0f12b66f), TOBN(0xf5bd1a09, 0x0e338e01)}},\n {{TOBN(0x65163ae5, 0x5e915918), TOBN(0x6158d6d9, 0x86f8a46b),\n TOBN(0x8466b538, 0xeeebf99c), TOBN(0xca8761f6, 0xbca477ef)},\n {TOBN(0xaf3449c2, 0x9ebbc601), TOBN(0xef3b0f41, 0xe0c3ae2f),\n TOBN(0xaa6c577d, 0x5de63752), TOBN(0xe9166601, 0x64682a51)}},\n {{TOBN(0x5a3097be, 0xfc15aa1e), TOBN(0x40d12548, 0xb54b0745),\n TOBN(0x5bad4706, 0x519a5f12), TOBN(0xed03f717, 0xa439dee6)},\n {TOBN(0x0794bb6c, 0x4a02c499), TOBN(0xf725083d, 0xcffe71d2),\n TOBN(0x2cad7519, 0x0f3adcaf), TOBN(0x7f68ea1c, 0x43729310)}},\n {{TOBN(0xe747c8c7, 0xb7ffd977), TOBN(0xec104c35, 0x80761a22),\n TOBN(0x8395ebaf, 0x5a3ffb83), TOBN(0xfb3261f4, 0xe4b63db7)},\n {TOBN(0x53544960, 0xd883e544), TOBN(0x13520d70, 0x8cc2eeb8),\n TOBN(0x08f6337b, 0xd3d65f99), TOBN(0x83997db2, 0x781cf95b)}},\n {{TOBN(0xce6ff106, 0x0dbd2c01), TOBN(0x4f8eea6b, 0x1f9ce934),\n TOBN(0x546f7c4b, 0x0e993921), TOBN(0x6236a324, 0x5e753fc7)},\n {TOBN(0x65a41f84, 0xa16022e9), TOBN(0x0c18d878, 0x43d1dbb2),\n TOBN(0x73c55640, 0x2d4cef9c), TOBN(0xa0428108, 0x70444c74)}},\n {{TOBN(0x68e4f15e, 0x9afdfb3c), TOBN(0x49a56143, 0x5bdfb6df),\n TOBN(0xa9bc1bd4, 0x5f823d97), TOBN(0xbceb5970, 0xea111c2a)},\n {TOBN(0x366b455f, 0xb269bbc4), TOBN(0x7cd85e1e, 0xe9bc5d62),\n TOBN(0xc743c41c, 0x4f18b086), TOBN(0xa4b40990, 0x95294fb9)}},\n {{TOBN(0x9c7c581d, 0x26ee8382), TOBN(0xcf17dcc5, 0x359d638e),\n TOBN(0xee8273ab, 0xb728ae3d), TOBN(0x1d112926, 0xf821f047)},\n {TOBN(0x11498477, 0x50491a74), TOBN(0x687fa761, 0xfde0dfb9),\n TOBN(0x2c258022, 0x7ea435ab), TOBN(0x6b8bdb94, 0x91ce7e3f)}},\n {{TOBN(0x4c5b5dc9, 0x3bf834aa), TOBN(0x04371819, 0x4f6c7e4b),\n TOBN(0xc284e00a, 0x3736bcad), TOBN(0x0d881118, 0x21ae8f8d)},\n {TOBN(0xf9cf0f82, 0xf48c8e33), TOBN(0xa11fd075, 0xa1bf40db),\n TOBN(0xdceab0de, 0xdc2733e5), TOBN(0xc560a8b5, 0x8e986bd7)}},\n {{TOBN(0x48dd1fe2, 0x3929d097), TOBN(0x3885b290, 0x92f188f1),\n TOBN(0x0f2ae613, 0xda6fcdac), TOBN(0x9054303e, 0xb662a46c)},\n {TOBN(0xb6871e44, 0x0738042a), TOBN(0x98e6a977, 0xbdaf6449),\n TOBN(0xd8bc0650, 0xd1c9df1b), TOBN(0xef3d6451, 0x36e098f9)}},\n {{TOBN(0x03fbae82, 0xb6d72d28), TOBN(0x77ca9db1, 0xf5d84080),\n TOBN(0x8a112cff, 0xa58efc1c), TOBN(0x518d761c, 0xc564cb4a)},\n {TOBN(0x69b5740e, 0xf0d1b5ce), TOBN(0x717039cc, 0xe9eb1785),\n TOBN(0x3fe29f90, 0x22f53382), TOBN(0x8e54ba56, 0x6bc7c95c)}},\n {{TOBN(0x9c806d8a, 0xf7f91d0f), TOBN(0x3b61b0f1, 0xa82a5728),\n TOBN(0x4640032d, 0x94d76754), TOBN(0x273eb5de, 0x47d834c6)},\n {TOBN(0x2988abf7, 0x7b4e4d53), TOBN(0xb7ce66bf, 0xde401777),\n TOBN(0x9fba6b32, 0x715071b3), TOBN(0x82413c24, 0xad3a1a98)}},\n {{TOBN(0x5b7fc8c4, 0xe0e8ad93), TOBN(0xb5679aee, 0x5fab868d),\n TOBN(0xb1f9d2fa, 0x2b3946f3), TOBN(0x458897dc, 0x5685b50a)},\n {TOBN(0x1e98c930, 0x89d0caf3), TOBN(0x39564c5f, 0x78642e92),\n TOBN(0x1b77729a, 0x0dbdaf18), TOBN(0xf9170722, 0x579e82e6)}},\n {{TOBN(0x680c0317, 0xe4515fa5), TOBN(0xf85cff84, 0xfb0c790f),\n TOBN(0xc7a82aab, 0x6d2e0765), TOBN(0x7446bca9, 0x35c82b32)},\n {TOBN(0x5de607aa, 0x6d63184f), TOBN(0x7c1a46a8, 0x262803a6),\n TOBN(0xd218313d, 0xaebe8035), TOBN(0x92113ffd, 0xc73c51f8)}},\n {{TOBN(0x4b38e083, 0x12e7e46c), TOBN(0x69d0a37a, 0x56126bd5),\n TOBN(0xfb3f324b, 0x73c07e04), TOBN(0xa0c22f67, 0x8fda7267)},\n {TOBN(0x8f2c0051, 0x4d2c7d8f), TOBN(0xbc45ced3, 0xcbe2cae5),\n TOBN(0xe1c6cf07, 0xa8f0f277), TOBN(0xbc392312, 0x1eb99a98)}},\n {{TOBN(0x75537b7e, 0x3cc8ac85), TOBN(0x8d725f57, 0xdd02753b),\n TOBN(0xfd05ff64, 0xb737df2f), TOBN(0x55fe8712, 0xf6d2531d)},\n {TOBN(0x57ce04a9, 0x6ab6b01c), TOBN(0x69a02a89, 0x7cd93724),\n TOBN(0x4f82ac35, 0xcf86699b), TOBN(0x8242d3ad, 0x9cb4b232)}},\n {{TOBN(0x713d0f65, 0xd62105e5), TOBN(0xbb222bfa, 0x2d29be61),\n TOBN(0xf2f9a79e, 0x6cfbef09), TOBN(0xfc24d8d3, 0xd5d6782f)},\n {TOBN(0x5db77085, 0xd4129967), TOBN(0xdb81c3cc, 0xdc3c2a43),\n TOBN(0x9d655fc0, 0x05d8d9a3), TOBN(0x3f5d057a, 0x54298026)}},\n {{TOBN(0x1157f56d, 0x88c54694), TOBN(0xb26baba5, 0x9b09573e),\n TOBN(0x2cab03b0, 0x22adffd1), TOBN(0x60a412c8, 0xdd69f383)},\n {TOBN(0xed76e98b, 0x54b25039), TOBN(0xd4ee67d3, 0x687e714d),\n TOBN(0x87739648, 0x7b00b594), TOBN(0xce419775, 0xc9ef709b)}},\n {{TOBN(0x40f76f85, 0x1c203a40), TOBN(0x30d352d6, 0xeafd8f91),\n TOBN(0xaf196d3d, 0x95578dd2), TOBN(0xea4bb3d7, 0x77cc3f3d)},\n {TOBN(0x42a5bd03, 0xb98e782b), TOBN(0xac958c40, 0x0624920d),\n TOBN(0xb838134c, 0xfc56fcc8), TOBN(0x86ec4ccf, 0x89572e5e)}},\n {{TOBN(0x69c43526, 0x9be47be0), TOBN(0x323b7dd8, 0xcb28fea1),\n TOBN(0xfa5538ba, 0x3a6c67e5), TOBN(0xef921d70, 0x1d378e46)},\n {TOBN(0xf92961fc, 0x3c4b880e), TOBN(0x3f6f914e, 0x98940a67),\n TOBN(0xa990eb0a, 0xfef0ff39), TOBN(0xa6c2920f, 0xf0eeff9c)}},\n {{TOBN(0xca804166, 0x51b8d9a3), TOBN(0x42531bc9, 0x0ffb0db1),\n TOBN(0x72ce4718, 0xaa82e7ce), TOBN(0x6e199913, 0xdf574741)},\n {TOBN(0xd5f1b13d, 0xd5d36946), TOBN(0x8255dc65, 0xf68f0194),\n TOBN(0xdc9df4cd, 0x8710d230), TOBN(0x3453c20f, 0x138c1988)}},\n {{TOBN(0x9af98dc0, 0x89a6ef01), TOBN(0x4dbcc3f0, 0x9857df85),\n TOBN(0x34805601, 0x5c1ad924), TOBN(0x40448da5, 0xd0493046)},\n {TOBN(0xf629926d, 0x4ee343e2), TOBN(0x6343f1bd, 0x90e8a301),\n TOBN(0xefc93491, 0x40815b3f), TOBN(0xf882a423, 0xde8f66fb)}},\n {{TOBN(0x3a12d5f4, 0xe7db9f57), TOBN(0x7dfba38a, 0x3c384c27),\n TOBN(0x7a904bfd, 0x6fc660b1), TOBN(0xeb6c5db3, 0x2773b21c)},\n {TOBN(0xc350ee66, 0x1cdfe049), TOBN(0x9baac0ce, 0x44540f29),\n TOBN(0xbc57b6ab, 0xa5ec6aad), TOBN(0x167ce8c3, 0x0a7c1baa)}},\n {{TOBN(0xb23a03a5, 0x53fb2b56), TOBN(0x6ce141e7, 0x4e057f78),\n TOBN(0x796525c3, 0x89e490d9), TOBN(0x0bc95725, 0xa31a7e75)},\n {TOBN(0x1ec56791, 0x1220fd06), TOBN(0x716e3a3c, 0x408b0bd6),\n TOBN(0x31cd6bf7, 0xe8ebeba9), TOBN(0xa7326ca6, 0xbee6b670)}},\n {{TOBN(0x3d9f851c, 0xcd090c43), TOBN(0x561e8f13, 0xf12c3988),\n TOBN(0x50490b6a, 0x904b7be4), TOBN(0x61690ce1, 0x0410737b)},\n {TOBN(0x299e9a37, 0x0f009052), TOBN(0x258758f0, 0xf026092e),\n TOBN(0x9fa255f3, 0xfdfcdc0f), TOBN(0xdbc9fb1f, 0xc0e1bcd2)}},\n {{TOBN(0x35f9dd6e, 0x24651840), TOBN(0xdca45a84, 0xa5c59abc),\n TOBN(0x103d396f, 0xecca4938), TOBN(0x4532da0a, 0xb97b3f29)},\n {TOBN(0xc4135ea5, 0x1999a6bf), TOBN(0x3aa9505a, 0x5e6bf2ee),\n TOBN(0xf77cef06, 0x3f5be093), TOBN(0x97d1a0f8, 0xa943152e)}},\n {{TOBN(0x2cb0ebba, 0x2e1c21dd), TOBN(0xf41b29fc, 0x2c6797c4),\n TOBN(0xc6e17321, 0xb300101f), TOBN(0x4422b0e9, 0xd0d79a89)},\n {TOBN(0x49e4901c, 0x92f1bfc4), TOBN(0x06ab1f8f, 0xe1e10ed9),\n TOBN(0x84d35577, 0xdb2926b8), TOBN(0xca349d39, 0x356e8ec2)}},\n {{TOBN(0x70b63d32, 0x343bf1a9), TOBN(0x8fd3bd28, 0x37d1a6b1),\n TOBN(0x0454879c, 0x316865b4), TOBN(0xee959ff6, 0xc458efa2)},\n {TOBN(0x0461dcf8, 0x9706dc3f), TOBN(0x737db0e2, 0x164e4b2e),\n TOBN(0x09262680, 0x2f8843c8), TOBN(0x54498bbc, 0x7745e6f6)}},\n {{TOBN(0x359473fa, 0xa29e24af), TOBN(0xfcc3c454, 0x70aa87a1),\n TOBN(0xfd2c4bf5, 0x00573ace), TOBN(0xb65b514e, 0x28dd1965)},\n {TOBN(0xe46ae7cf, 0x2193e393), TOBN(0x60e9a4e1, 0xf5444d97),\n TOBN(0xe7594e96, 0x00ff38ed), TOBN(0x43d84d2f, 0x0a0e0f02)}},\n {{TOBN(0x8b6db141, 0xee398a21), TOBN(0xb88a56ae, 0xe3bcc5be),\n TOBN(0x0a1aa52f, 0x373460ea), TOBN(0x20da1a56, 0x160bb19b)},\n {TOBN(0xfb54999d, 0x65bf0384), TOBN(0x71a14d24, 0x5d5a180e),\n TOBN(0xbc44db7b, 0x21737b04), TOBN(0xd84fcb18, 0x01dd8e92)}},\n {{TOBN(0x80de937b, 0xfa44b479), TOBN(0x53505499, 0x5c98fd4f),\n TOBN(0x1edb12ab, 0x28f08727), TOBN(0x4c58b582, 0xa5f3ef53)},\n {TOBN(0xbfb236d8, 0x8327f246), TOBN(0xc3a3bfaa, 0x4d7df320),\n TOBN(0xecd96c59, 0xb96024f2), TOBN(0xfc293a53, 0x7f4e0433)}},\n {{TOBN(0x5341352b, 0x5acf6e10), TOBN(0xc50343fd, 0xafe652c3),\n TOBN(0x4af3792d, 0x18577a7f), TOBN(0xe1a4c617, 0xaf16823d)},\n {TOBN(0x9b26d0cd, 0x33425d0a), TOBN(0x306399ed, 0x9b7bc47f),\n TOBN(0x2a792f33, 0x706bb20b), TOBN(0x31219614, 0x98111055)}},\n {{TOBN(0x864ec064, 0x87f5d28b), TOBN(0x11392d91, 0x962277fd),\n TOBN(0xb5aa7942, 0xbb6aed5f), TOBN(0x080094dc, 0x47e799d9)},\n {TOBN(0x4afa588c, 0x208ba19b), TOBN(0xd3e7570f, 0x8512f284),\n TOBN(0xcbae64e6, 0x02f5799a), TOBN(0xdeebe7ef, 0x514b9492)}},\n {{TOBN(0x30300f98, 0xe5c298ff), TOBN(0x17f561be, 0x3678361f),\n TOBN(0xf52ff312, 0x98cb9a16), TOBN(0x6233c3bc, 0x5562d490)},\n {TOBN(0x7bfa15a1, 0x92e3a2cb), TOBN(0x961bcfd1, 0xe6365119),\n TOBN(0x3bdd29bf, 0x2c8c53b1), TOBN(0x739704df, 0x822844ba)}},\n {{TOBN(0x7dacfb58, 0x7e7b754b), TOBN(0x23360791, 0xa806c9b9),\n TOBN(0xe7eb88c9, 0x23504452), TOBN(0x2983e996, 0x852c1783)},\n {TOBN(0xdd4ae529, 0x958d881d), TOBN(0x026bae03, 0x262c7b3c),\n TOBN(0x3a6f9193, 0x960b52d1), TOBN(0xd0980f90, 0x92696cfb)}},\n {{TOBN(0x4c1f428c, 0xd5f30851), TOBN(0x94dfed27, 0x2a4f6630),\n TOBN(0x4df53772, 0xfc5d48a4), TOBN(0xdd2d5a2f, 0x933260ce)},\n {TOBN(0x574115bd, 0xd44cc7a5), TOBN(0x4ba6b20d, 0xbd12533a),\n TOBN(0x30e93cb8, 0x243057c9), TOBN(0x794c486a, 0x14de320e)}},\n {{TOBN(0xe925d4ce, 0xf21496e4), TOBN(0xf951d198, 0xec696331),\n TOBN(0x9810e2de, 0x3e8d812f), TOBN(0xd0a47259, 0x389294ab)},\n {TOBN(0x513ba2b5, 0x0e3bab66), TOBN(0x462caff5, 0xabad306f),\n TOBN(0xe2dc6d59, 0xaf04c49e), TOBN(0x1aeb8750, 0xe0b84b0b)}},\n {{TOBN(0xc034f12f, 0x2f7d0ca2), TOBN(0x6d2e8128, 0xe06acf2f),\n TOBN(0x801f4f83, 0x21facc2f), TOBN(0xa1170c03, 0xf40ef607)},\n {TOBN(0xfe0a1d4f, 0x7805a99c), TOBN(0xbde56a36, 0xcc26aba5),\n TOBN(0x5b1629d0, 0x35531f40), TOBN(0xac212c2b, 0x9afa6108)}},\n {{TOBN(0x30a06bf3, 0x15697be5), TOBN(0x6f0545dc, 0x2c63c7c1),\n TOBN(0x5d8cb842, 0x7ccdadaf), TOBN(0xd52e379b, 0xac7015bb)},\n {TOBN(0xc4f56147, 0xf462c23e), TOBN(0xd44a4298, 0x46bc24b0),\n TOBN(0xbc73d23a, 0xe2856d4f), TOBN(0x61cedd8c, 0x0832bcdf)}},\n {{TOBN(0x60953556, 0x99f241d7), TOBN(0xee4adbd7, 0x001a349d),\n TOBN(0x0b35bf6a, 0xaa89e491), TOBN(0x7f0076f4, 0x136f7546)},\n {TOBN(0xd19a18ba, 0x9264da3d), TOBN(0x6eb2d2cd, 0x62a7a28b),\n TOBN(0xcdba941f, 0x8761c971), TOBN(0x1550518b, 0xa3be4a5d)}},\n {{TOBN(0xd0e8e2f0, 0x57d0b70c), TOBN(0xeea8612e, 0xcd133ba3),\n TOBN(0x814670f0, 0x44416aec), TOBN(0x424db6c3, 0x30775061)},\n {TOBN(0xd96039d1, 0x16213fd1), TOBN(0xc61e7fa5, 0x18a3478f),\n TOBN(0xa805bdcc, 0xcb0c5021), TOBN(0xbdd6f3a8, 0x0cc616dd)}},\n {{TOBN(0x06009667, 0x5d97f7e2), TOBN(0x31db0fc1, 0xaf0bf4b6),\n TOBN(0x23680ed4, 0x5491627a), TOBN(0xb99a3c66, 0x7d741fb1)},\n {TOBN(0xe9bb5f55, 0x36b1ff92), TOBN(0x29738577, 0x512b388d),\n TOBN(0xdb8a2ce7, 0x50fcf263), TOBN(0x385346d4, 0x6c4f7b47)}},\n {{TOBN(0xbe86c5ef, 0x31631f9e), TOBN(0xbf91da21, 0x03a57a29),\n TOBN(0xc3b1f796, 0x7b23f821), TOBN(0x0f7d00d2, 0x770db354)},\n {TOBN(0x8ffc6c3b, 0xd8fe79da), TOBN(0xcc5e8c40, 0xd525c996),\n TOBN(0x4640991d, 0xcfff632a), TOBN(0x64d97e8c, 0x67112528)}},\n {{TOBN(0xc232d973, 0x02f1cd1e), TOBN(0xce87eacb, 0x1dd212a4),\n TOBN(0x6e4c8c73, 0xe69802f7), TOBN(0x12ef0290, 0x1fffddbd)},\n {TOBN(0x941ec74e, 0x1bcea6e2), TOBN(0xd0b54024, 0x3cb92cbb),\n TOBN(0x809fb9d4, 0x7e8f9d05), TOBN(0x3bf16159, 0xf2992aae)}},\n {{TOBN(0xad40f279, 0xf8a7a838), TOBN(0x11aea631, 0x05615660),\n TOBN(0xbf52e6f1, 0xa01f6fa1), TOBN(0xef046995, 0x3dc2aec9)},\n {TOBN(0x785dbec9, 0xd8080711), TOBN(0xe1aec60a, 0x9fdedf76),\n TOBN(0xece797b5, 0xfa21c126), TOBN(0xc66e898f, 0x05e52732)}},\n {{TOBN(0x39bb69c4, 0x08811fdb), TOBN(0x8bfe1ef8, 0x2fc7f082),\n TOBN(0xc8e7a393, 0x174f4138), TOBN(0xfba8ad1d, 0xd58d1f98)},\n {TOBN(0xbc21d0ce, 0xbfd2fd5b), TOBN(0x0b839a82, 0x6ee60d61),\n TOBN(0xaacf7658, 0xafd22253), TOBN(0xb526bed8, 0xaae396b3)}},\n {{TOBN(0xccc1bbc2, 0x38564464), TOBN(0x9e3ff947, 0x8c45bc73),\n TOBN(0xcde9bca3, 0x58188a78), TOBN(0x138b8ee0, 0xd73bf8f7)},\n {TOBN(0x5c7e234c, 0x4123c489), TOBN(0x66e69368, 0xfa643297),\n TOBN(0x0629eeee, 0x39a15fa3), TOBN(0x95fab881, 0xa9e2a927)}},\n {{TOBN(0xb2497007, 0xeafbb1e1), TOBN(0xd75c9ce6, 0xe75b7a93),\n TOBN(0x3558352d, 0xefb68d78), TOBN(0xa2f26699, 0x223f6396)},\n {TOBN(0xeb911ecf, 0xe469b17a), TOBN(0x62545779, 0xe72d3ec2),\n TOBN(0x8ea47de7, 0x82cb113f), TOBN(0xebe4b086, 0x4e1fa98d)}},\n {{TOBN(0xec2d5ed7, 0x8cdfedb1), TOBN(0xa535c077, 0xfe211a74),\n TOBN(0x9678109b, 0x11d244c5), TOBN(0xf17c8bfb, 0xbe299a76)},\n {TOBN(0xb651412e, 0xfb11fbc4), TOBN(0xea0b5482, 0x94ab3f65),\n TOBN(0xd8dffd95, 0x0cf78243), TOBN(0x2e719e57, 0xce0361d4)}},\n {{TOBN(0x9007f085, 0x304ddc5b), TOBN(0x095e8c6d, 0x4daba2ea),\n TOBN(0x5a33cdb4, 0x3f9d28a9), TOBN(0x85b95cd8, 0xe2283003)},\n {TOBN(0xbcd6c819, 0xb9744733), TOBN(0x29c5f538, 0xfc7f5783),\n TOBN(0x6c49b2fa, 0xd59038e4), TOBN(0x68349cc1, 0x3bbe1018)}},\n {{TOBN(0xcc490c1d, 0x21830ee5), TOBN(0x36f9c4ee, 0xe9bfa297),\n TOBN(0x58fd7294, 0x48de1a94), TOBN(0xaadb13a8, 0x4e8f2cdc)},\n {TOBN(0x515eaaa0, 0x81313dba), TOBN(0xc76bb468, 0xc2152dd8),\n TOBN(0x357f8d75, 0xa653dbf8), TOBN(0xe4d8c4d1, 0xb14ac143)}},\n {{TOBN(0xbdb8e675, 0xb055cb40), TOBN(0x898f8e7b, 0x977b5167),\n TOBN(0xecc65651, 0xb82fb863), TOBN(0x56544814, 0x6d88f01f)},\n {TOBN(0xb0928e95, 0x263a75a9), TOBN(0xcfb6836f, 0x1a22fcda),\n TOBN(0x651d14db, 0x3f3bd37c), TOBN(0x1d3837fb, 0xb6ad4664)}},\n {{TOBN(0x7c5fb538, 0xff4f94ab), TOBN(0x7243c712, 0x6d7fb8f2),\n TOBN(0xef13d60c, 0xa85c5287), TOBN(0x18cfb7c7, 0x4bb8dd1b)},\n {TOBN(0x82f9bfe6, 0x72908219), TOBN(0x35c4592b, 0x9d5144ab),\n TOBN(0x52734f37, 0x9cf4b42f), TOBN(0x6bac55e7, 0x8c60ddc4)}},\n {{TOBN(0xb5cd811e, 0x94dea0f6), TOBN(0x259ecae4, 0xe18cc1a3),\n TOBN(0x6a0e836e, 0x15e660f8), TOBN(0x6c639ea6, 0x0e02bff2)},\n {TOBN(0x8721b8cb, 0x7e1026fd), TOBN(0x9e73b50b, 0x63261942),\n TOBN(0xb8c70974, 0x77f01da3), TOBN(0x1839e6a6, 0x8268f57f)}},\n {{TOBN(0x571b9415, 0x5150b805), TOBN(0x1892389e, 0xf92c7097),\n TOBN(0x8d69c18e, 0x4a084b95), TOBN(0x7014c512, 0xbe5b495c)},\n {TOBN(0x4780db36, 0x1b07523c), TOBN(0x2f6219ce, 0x2c1c64fa),\n TOBN(0xc38b81b0, 0x602c105a), TOBN(0xab4f4f20, 0x5dc8e360)}},\n {{TOBN(0x20d3c982, 0xcf7d62d2), TOBN(0x1f36e29d, 0x23ba8150),\n TOBN(0x48ae0bf0, 0x92763f9e), TOBN(0x7a527e6b, 0x1d3a7007)},\n {TOBN(0xb4a89097, 0x581a85e3), TOBN(0x1f1a520f, 0xdc158be5),\n TOBN(0xf98db37d, 0x167d726e), TOBN(0x8802786e, 0x1113e862)}}},\n {{{TOBN(0xefb2149e, 0x36f09ab0), TOBN(0x03f163ca, 0x4a10bb5b),\n TOBN(0xd0297045, 0x06e20998), TOBN(0x56f0af00, 0x1b5a3bab)},\n {TOBN(0x7af4cfec, 0x70880e0d), TOBN(0x7332a66f, 0xbe3d913f),\n TOBN(0x32e6c84a, 0x7eceb4bd), TOBN(0xedc4a79a, 0x9c228f55)}},\n {{TOBN(0xc37c7dd0, 0xc55c4496), TOBN(0xa6a96357, 0x25bbabd2),\n TOBN(0x5b7e63f2, 0xadd7f363), TOBN(0x9dce3782, 0x2e73f1df)},\n {TOBN(0xe1e5a16a, 0xb2b91f71), TOBN(0xe4489823, 0x5ba0163c),\n TOBN(0xf2759c32, 0xf6e515ad), TOBN(0xa5e2f1f8, 0x8615eecf)}},\n {{TOBN(0x74519be7, 0xabded551), TOBN(0x03d358b8, 0xc8b74410),\n TOBN(0x4d00b10b, 0x0e10d9a9), TOBN(0x6392b0b1, 0x28da52b7)},\n {TOBN(0x6744a298, 0x0b75c904), TOBN(0xc305b0ae, 0xa8f7f96c),\n TOBN(0x042e421d, 0x182cf932), TOBN(0xf6fc5d50, 0x9e4636ca)}},\n {{TOBN(0x795847c9, 0xd64cc78c), TOBN(0x6c50621b, 0x9b6cb27b),\n TOBN(0x07099bf8, 0xdf8022ab), TOBN(0x48f862eb, 0xc04eda1d)},\n {TOBN(0xd12732ed, 0xe1603c16), TOBN(0x19a80e0f, 0x5c9a9450),\n TOBN(0xe2257f54, 0xb429b4fc), TOBN(0x66d3b2c6, 0x45460515)}},\n {{TOBN(0x6ca4f87e, 0x822e37be), TOBN(0x73f237b4, 0x253bda4e),\n TOBN(0xf747f3a2, 0x41190aeb), TOBN(0xf06fa36f, 0x804cf284)},\n {TOBN(0x0a6bbb6e, 0xfc621c12), TOBN(0x5d624b64, 0x40b80ec6),\n TOBN(0x4b072425, 0x7ba556f3), TOBN(0x7fa0c354, 0x3e2d20a8)}},\n {{TOBN(0xe921fa31, 0xe3229d41), TOBN(0xa929c652, 0x94531bd4),\n TOBN(0x84156027, 0xa6d38209), TOBN(0xf3d69f73, 0x6bdb97bd)},\n {TOBN(0x8906d19a, 0x16833631), TOBN(0x68a34c2e, 0x03d51be3),\n TOBN(0xcb59583b, 0x0e511cd8), TOBN(0x99ce6bfd, 0xfdc132a8)}},\n {{TOBN(0x3facdaaa, 0xffcdb463), TOBN(0x658bbc1a, 0x34a38b08),\n TOBN(0x12a801f8, 0xf1a9078d), TOBN(0x1567bcf9, 0x6ab855de)},\n {TOBN(0xe08498e0, 0x3572359b), TOBN(0xcf0353e5, 0x8659e68b),\n TOBN(0xbb86e9c8, 0x7d23807c), TOBN(0xbc08728d, 0x2198e8a2)}},\n {{TOBN(0x8de2b7bc, 0x453cadd6), TOBN(0x203900a7, 0xbc0bc1f8),\n TOBN(0xbcd86e47, 0xa6abd3af), TOBN(0x911cac12, 0x8502effb)},\n {TOBN(0x2d550242, 0xec965469), TOBN(0x0e9f7692, 0x29e0017e),\n TOBN(0x633f078f, 0x65979885), TOBN(0xfb87d449, 0x4cf751ef)}},\n {{TOBN(0xe1790e4b, 0xfc25419a), TOBN(0x36467203, 0x4bff3cfd),\n TOBN(0xc8db6386, 0x25b6e83f), TOBN(0x6cc69f23, 0x6cad6fd2)},\n {TOBN(0x0219e45a, 0x6bc68bb9), TOBN(0xe43d79b6, 0x297f7334),\n TOBN(0x7d445368, 0x465dc97c), TOBN(0x4b9eea32, 0x2a0b949a)}},\n {{TOBN(0x1b96c6ba, 0x6102d021), TOBN(0xeaafac78, 0x2f4461ea),\n TOBN(0xd4b85c41, 0xc49f19a8), TOBN(0x275c28e4, 0xcf538875)},\n {TOBN(0x35451a9d, 0xdd2e54e0), TOBN(0x6991adb5, 0x0605618b),\n TOBN(0x5b8b4bcd, 0x7b36cd24), TOBN(0x372a4f8c, 0x56f37216)}},\n {{TOBN(0xc890bd73, 0xa6a5da60), TOBN(0x6f083da0, 0xdc4c9ff0),\n TOBN(0xf4e14d94, 0xf0536e57), TOBN(0xf9ee1eda, 0xaaec8243)},\n {TOBN(0x571241ec, 0x8bdcf8e7), TOBN(0xa5db8271, 0x0b041e26),\n TOBN(0x9a0b9a99, 0xe3fff040), TOBN(0xcaaf21dd, 0x7c271202)}},\n {{TOBN(0xb4e2b2e1, 0x4f0dd2e8), TOBN(0xe77e7c4f, 0x0a377ac7),\n TOBN(0x69202c3f, 0x0d7a2198), TOBN(0xf759b7ff, 0x28200eb8)},\n {TOBN(0xc87526ed, 0xdcfe314e), TOBN(0xeb84c524, 0x53d5cf99),\n TOBN(0xb1b52ace, 0x515138b6), TOBN(0x5aa7ff8c, 0x23fca3f4)}},\n {{TOBN(0xff0b13c3, 0xb9791a26), TOBN(0x960022da, 0xcdd58b16),\n TOBN(0xdbd55c92, 0x57aad2de), TOBN(0x3baaaaa3, 0xf30fe619)},\n {TOBN(0x9a4b2346, 0x0d881efd), TOBN(0x506416c0, 0x46325e2a),\n TOBN(0x91381e76, 0x035c18d4), TOBN(0xb3bb68be, 0xf27817b0)}},\n {{TOBN(0x15bfb8bf, 0x5116f937), TOBN(0x7c64a586, 0xc1268943),\n TOBN(0x71e25cc3, 0x8419a2c8), TOBN(0x9fd6b0c4, 0x8335f463)},\n {TOBN(0x4bf0ba3c, 0xe8ee0e0e), TOBN(0x6f6fba60, 0x298c21fa),\n TOBN(0x57d57b39, 0xae66bee0), TOBN(0x292d5130, 0x22672544)}},\n {{TOBN(0xf451105d, 0xbab093b3), TOBN(0x012f59b9, 0x02839986),\n TOBN(0x8a915802, 0x3474a89c), TOBN(0x048c919c, 0x2de03e97)},\n {TOBN(0xc476a2b5, 0x91071cd5), TOBN(0x791ed89a, 0x034970a5),\n TOBN(0x89bd9042, 0xe1b7994b), TOBN(0x8eaf5179, 0xa1057ffd)}},\n {{TOBN(0x6066e2a2, 0xd551ee10), TOBN(0x87a8f1d8, 0x727e09a6),\n TOBN(0x00d08bab, 0x2c01148d), TOBN(0x6da8e4f1, 0x424f33fe)},\n {TOBN(0x466d17f0, 0xcf9a4e71), TOBN(0xff502010, 0x3bf5cb19),\n TOBN(0xdccf97d8, 0xd062ecc0), TOBN(0x80c0d9af, 0x81d80ac4)}},\n {{TOBN(0xe87771d8, 0x033f2876), TOBN(0xb0186ec6, 0x7d5cc3db),\n TOBN(0x58e8bb80, 0x3bc9bc1d), TOBN(0x4d1395cc, 0x6f6ef60e)},\n {TOBN(0xa73c62d6, 0x186244a0), TOBN(0x918e5f23, 0x110a5b53),\n TOBN(0xed4878ca, 0x741b7eab), TOBN(0x3038d71a, 0xdbe03e51)}},\n {{TOBN(0x840204b7, 0xa93c3246), TOBN(0x21ab6069, 0xa0b9b4cd),\n TOBN(0xf5fa6e2b, 0xb1d64218), TOBN(0x1de6ad0e, 0xf3d56191)},\n {TOBN(0x570aaa88, 0xff1929c7), TOBN(0xc6df4c6b, 0x640e87b5),\n TOBN(0xde8a74f2, 0xc65f0ccc), TOBN(0x8b972fd5, 0xe6f6cc01)}},\n {{TOBN(0x3fff36b6, 0x0b846531), TOBN(0xba7e45e6, 0x10a5e475),\n TOBN(0x84a1d10e, 0x4145b6c5), TOBN(0xf1f7f91a, 0x5e046d9d)},\n {TOBN(0x0317a692, 0x44de90d7), TOBN(0x951a1d4a, 0xf199c15e),\n TOBN(0x91f78046, 0xc9d73deb), TOBN(0x74c82828, 0xfab8224f)}},\n {{TOBN(0xaa6778fc, 0xe7560b90), TOBN(0xb4073e61, 0xa7e824ce),\n TOBN(0xff0d693c, 0xd642eba8), TOBN(0x7ce2e57a, 0x5dccef38)},\n {TOBN(0x89c2c789, 0x1df1ad46), TOBN(0x83a06922, 0x098346fd),\n TOBN(0x2d715d72, 0xda2fc177), TOBN(0x7b6dd71d, 0x85b6cf1d)}},\n {{TOBN(0xc60a6d0a, 0x73fa9cb0), TOBN(0xedd3992e, 0x328bf5a9),\n TOBN(0xc380ddd0, 0x832c8c82), TOBN(0xd182d410, 0xa2a0bf50)},\n {TOBN(0x7d9d7438, 0xd9a528db), TOBN(0xe8b1a0e9, 0xcaf53994),\n TOBN(0xddd6e5fe, 0x0e19987c), TOBN(0xacb8df03, 0x190b059d)}},\n {{TOBN(0x53703a32, 0x8300129f), TOBN(0x1f637662, 0x68c43bfd),\n TOBN(0xbcbd1913, 0x00e54051), TOBN(0x812fcc62, 0x7bf5a8c5)},\n {TOBN(0x3f969d5f, 0x29fb85da), TOBN(0x72f4e00a, 0x694759e8),\n TOBN(0x426b6e52, 0x790726b7), TOBN(0x617bbc87, 0x3bdbb209)}},\n {{TOBN(0x511f8bb9, 0x97aee317), TOBN(0x812a4096, 0xe81536a8),\n TOBN(0x137dfe59, 0x3ac09b9b), TOBN(0x0682238f, 0xba8c9a7a)},\n {TOBN(0x7072ead6, 0xaeccb4bd), TOBN(0x6a34e9aa, 0x692ba633),\n TOBN(0xc82eaec2, 0x6fff9d33), TOBN(0xfb753512, 0x1d4d2b62)}},\n {{TOBN(0x1a0445ff, 0x1d7aadab), TOBN(0x65d38260, 0xd5f6a67c),\n TOBN(0x6e62fb08, 0x91cfb26f), TOBN(0xef1e0fa5, 0x5c7d91d6)},\n {TOBN(0x47e7c7ba, 0x33db72cd), TOBN(0x017cbc09, 0xfa7c74b2),\n TOBN(0x3c931590, 0xf50a503c), TOBN(0xcac54f60, 0x616baa42)}},\n {{TOBN(0x9b6cd380, 0xb2369f0f), TOBN(0x97d3a70d, 0x23c76151),\n TOBN(0x5f9dd6fc, 0x9862a9c6), TOBN(0x044c4ab2, 0x12312f51)},\n {TOBN(0x035ea0fd, 0x834a2ddc), TOBN(0x49e6b862, 0xcc7b826d),\n TOBN(0xb03d6883, 0x62fce490), TOBN(0x62f2497a, 0xb37e36e9)}},\n {{TOBN(0x04b005b6, 0xc6458293), TOBN(0x36bb5276, 0xe8d10af7),\n TOBN(0xacf2dc13, 0x8ee617b8), TOBN(0x470d2d35, 0xb004b3d4)},\n {TOBN(0x06790832, 0xfeeb1b77), TOBN(0x2bb75c39, 0x85657f9c),\n TOBN(0xd70bd4ed, 0xc0f60004), TOBN(0xfe797ecc, 0x219b018b)}},\n {{TOBN(0x9b5bec2a, 0x753aebcc), TOBN(0xdaf9f3dc, 0xc939eca5),\n TOBN(0xd6bc6833, 0xd095ad09), TOBN(0x98abdd51, 0xdaa4d2fc)},\n {TOBN(0xd9840a31, 0x8d168be5), TOBN(0xcf7c10e0, 0x2325a23c),\n TOBN(0xa5c02aa0, 0x7e6ecfaf), TOBN(0x2462e7e6, 0xb5bfdf18)}},\n {{TOBN(0xab2d8a8b, 0xa0cc3f12), TOBN(0x68dd485d, 0xbc672a29),\n TOBN(0x72039752, 0x596f2cd3), TOBN(0x5d3eea67, 0xa0cf3d8d)},\n {TOBN(0x810a1a81, 0xe6602671), TOBN(0x8f144a40, 0x14026c0c),\n TOBN(0xbc753a6d, 0x76b50f85), TOBN(0xc4dc21e8, 0x645cd4a4)}},\n {{TOBN(0xc5262dea, 0x521d0378), TOBN(0x802b8e0e, 0x05011c6f),\n TOBN(0x1ba19cbb, 0x0b4c19ea), TOBN(0x21db64b5, 0xebf0aaec)},\n {TOBN(0x1f394ee9, 0x70342f9d), TOBN(0x93a10aee, 0x1bc44a14),\n TOBN(0xa7eed31b, 0x3efd0baa), TOBN(0x6e7c824e, 0x1d154e65)}},\n {{TOBN(0xee23fa81, 0x9966e7ee), TOBN(0x64ec4aa8, 0x05b7920d),\n TOBN(0x2d44462d, 0x2d90aad4), TOBN(0xf44dd195, 0xdf277ad5)},\n {TOBN(0x8d6471f1, 0xbb46b6a1), TOBN(0x1e65d313, 0xfd885090),\n TOBN(0x33a800f5, 0x13a977b4), TOBN(0xaca9d721, 0x0797e1ef)}},\n {{TOBN(0x9a5a85a0, 0xfcff6a17), TOBN(0x9970a3f3, 0x1eca7cee),\n TOBN(0xbb9f0d6b, 0xc9504be3), TOBN(0xe0c504be, 0xadd24ee2)},\n {TOBN(0x7e09d956, 0x77fcc2f4), TOBN(0xef1a5227, 0x65bb5fc4),\n TOBN(0x145d4fb1, 0x8b9286aa), TOBN(0x66fd0c5d, 0x6649028b)}},\n {{TOBN(0x98857ceb, 0x1bf4581c), TOBN(0xe635e186, 0xaca7b166),\n TOBN(0x278ddd22, 0x659722ac), TOBN(0xa0903c4c, 0x1db68007)},\n {TOBN(0x366e4589, 0x48f21402), TOBN(0x31b49c14, 0xb96abda2),\n TOBN(0x329c4b09, 0xe0403190), TOBN(0x97197ca3, 0xd29f43fe)}},\n {{TOBN(0x8073dd1e, 0x274983d8), TOBN(0xda1a3bde, 0x55717c8f),\n TOBN(0xfd3d4da2, 0x0361f9d1), TOBN(0x1332d081, 0x4c7de1ce)},\n {TOBN(0x9b7ef7a3, 0xaa6d0e10), TOBN(0x17db2e73, 0xf54f1c4a),\n TOBN(0xaf3dffae, 0x4cd35567), TOBN(0xaaa2f406, 0xe56f4e71)}},\n {{TOBN(0x8966759e, 0x7ace3fc7), TOBN(0x9594eacf, 0x45a8d8c6),\n TOBN(0x8de3bd8b, 0x91834e0e), TOBN(0xafe4ca53, 0x548c0421)},\n {TOBN(0xfdd7e856, 0xe6ee81c6), TOBN(0x8f671beb, 0x6b891a3a),\n TOBN(0xf7a58f2b, 0xfae63829), TOBN(0x9ab186fb, 0x9c11ac9f)}},\n {{TOBN(0x8d6eb369, 0x10b5be76), TOBN(0x046b7739, 0xfb040bcd),\n TOBN(0xccb4529f, 0xcb73de88), TOBN(0x1df0fefc, 0xcf26be03)},\n {TOBN(0xad7757a6, 0xbcfcd027), TOBN(0xa8786c75, 0xbb3165ca),\n TOBN(0xe9db1e34, 0x7e99a4d9), TOBN(0x99ee86df, 0xb06c504b)}},\n {{TOBN(0x5b7c2ddd, 0xc15c9f0a), TOBN(0xdf87a734, 0x4295989e),\n TOBN(0x59ece47c, 0x03d08fda), TOBN(0xb074d3dd, 0xad5fc702)},\n {TOBN(0x20407903, 0x51a03776), TOBN(0x2bb1f77b, 0x2a608007),\n TOBN(0x25c58f4f, 0xe1153185), TOBN(0xe6df62f6, 0x766e6447)}},\n {{TOBN(0xefb3d1be, 0xed51275a), TOBN(0x5de47dc7, 0x2f0f483f),\n TOBN(0x7932d98e, 0x97c2bedf), TOBN(0xd5c11927, 0x0219f8a1)},\n {TOBN(0x9d751200, 0xa73a294e), TOBN(0x5f88434a, 0x9dc20172),\n TOBN(0xd28d9fd3, 0xa26f506a), TOBN(0xa890cd31, 0x9d1dcd48)}},\n {{TOBN(0x0aebaec1, 0x70f4d3b4), TOBN(0xfd1a1369, 0x0ffc8d00),\n TOBN(0xb9d9c240, 0x57d57838), TOBN(0x45929d26, 0x68bac361)},\n {TOBN(0x5a2cd060, 0x25b15ca6), TOBN(0x4b3c83e1, 0x6e474446),\n TOBN(0x1aac7578, 0xee1e5134), TOBN(0xa418f5d6, 0xc91e2f41)}},\n {{TOBN(0x6936fc8a, 0x213ed68b), TOBN(0x860ae7ed, 0x510a5224),\n TOBN(0x63660335, 0xdef09b53), TOBN(0x641b2897, 0xcd79c98d)},\n {TOBN(0x29bd38e1, 0x01110f35), TOBN(0x79c26f42, 0x648b1937),\n TOBN(0x64dae519, 0x9d9164f4), TOBN(0xd85a2310, 0x0265c273)}},\n {{TOBN(0x7173dd5d, 0x4b07e2b1), TOBN(0xd144c4cb, 0x8d9ea221),\n TOBN(0xe8b04ea4, 0x1105ab14), TOBN(0x92dda542, 0xfe80d8f1)},\n {TOBN(0xe9982fa8, 0xcf03dce6), TOBN(0x8b5ea965, 0x1a22cffc),\n TOBN(0xf7f4ea7f, 0x3fad88c4), TOBN(0x62db773e, 0x6a5ba95c)}},\n {{TOBN(0xd20f02fb, 0x93f24567), TOBN(0xfd46c69a, 0x315257ca),\n TOBN(0x0ac74cc7, 0x8bcab987), TOBN(0x46f31c01, 0x5ceca2f5)},\n {TOBN(0x40aedb59, 0x888b219e), TOBN(0xe50ecc37, 0xe1fccd02),\n TOBN(0x1bcd9dad, 0x911f816c), TOBN(0x583cc1ec, 0x8db9b00c)}},\n {{TOBN(0xf3cd2e66, 0xa483bf11), TOBN(0xfa08a6f5, 0xb1b2c169),\n TOBN(0xf375e245, 0x4be9fa28), TOBN(0x99a7ffec, 0x5b6d011f)},\n {TOBN(0x6a3ebddb, 0xc4ae62da), TOBN(0x6cea00ae, 0x374aef5d),\n TOBN(0xab5fb98d, 0x9d4d05bc), TOBN(0x7cba1423, 0xd560f252)}},\n {{TOBN(0x49b2cc21, 0x208490de), TOBN(0x1ca66ec3, 0xbcfb2879),\n TOBN(0x7f1166b7, 0x1b6fb16f), TOBN(0xfff63e08, 0x65fe5db3)},\n {TOBN(0xb8345abe, 0x8b2610be), TOBN(0xb732ed80, 0x39de3df4),\n TOBN(0x0e24ed50, 0x211c32b4), TOBN(0xd10d8a69, 0x848ff27d)}},\n {{TOBN(0xc1074398, 0xed4de248), TOBN(0xd7cedace, 0x10488927),\n TOBN(0xa4aa6bf8, 0x85673e13), TOBN(0xb46bae91, 0x6daf30af)},\n {TOBN(0x07088472, 0xfcef7ad8), TOBN(0x61151608, 0xd4b35e97),\n TOBN(0xbcfe8f26, 0xdde29986), TOBN(0xeb84c4c7, 0xd5a34c79)}},\n {{TOBN(0xc1eec55c, 0x164e1214), TOBN(0x891be86d, 0xa147bb03),\n TOBN(0x9fab4d10, 0x0ba96835), TOBN(0xbf01e9b8, 0xa5c1ae9f)},\n {TOBN(0x6b4de139, 0xb186ebc0), TOBN(0xd5c74c26, 0x85b91bca),\n TOBN(0x5086a99c, 0xc2d93854), TOBN(0xeed62a7b, 0xa7a9dfbc)}},\n {{TOBN(0x8778ed6f, 0x76b7618a), TOBN(0xbff750a5, 0x03b66062),\n TOBN(0x4cb7be22, 0xb65186db), TOBN(0x369dfbf0, 0xcc3a6d13)},\n {TOBN(0xc7dab26c, 0x7191a321), TOBN(0x9edac3f9, 0x40ed718e),\n TOBN(0xbc142b36, 0xd0cfd183), TOBN(0xc8af82f6, 0x7c991693)}},\n {{TOBN(0xb3d1e4d8, 0x97ce0b2a), TOBN(0xe6d7c87f, 0xc3a55cdf),\n TOBN(0x35846b95, 0x68b81afe), TOBN(0x018d12af, 0xd3c239d8)},\n {TOBN(0x2b2c6208, 0x01206e15), TOBN(0xe0e42453, 0xa3b882c6),\n TOBN(0x854470a3, 0xa50162d5), TOBN(0x08157478, 0x7017a62a)}},\n {{TOBN(0x18bd3fb4, 0x820357c7), TOBN(0x992039ae, 0x6f1458ad),\n TOBN(0x9a1df3c5, 0x25b44aa1), TOBN(0x2d780357, 0xed3d5281)},\n {TOBN(0x58cf7e4d, 0xc77ad4d4), TOBN(0xd49a7998, 0xf9df4fc4),\n TOBN(0x4465a8b5, 0x1d71205e), TOBN(0xa0ee0ea6, 0x649254aa)}},\n {{TOBN(0x4b5eeecf, 0xab7bd771), TOBN(0x6c873073, 0x35c262b9),\n TOBN(0xdc5bd648, 0x3c9d61e7), TOBN(0x233d6d54, 0x321460d2)},\n {TOBN(0xd20c5626, 0xfc195bcc), TOBN(0x25445958, 0x04d78b63),\n TOBN(0xe03fcb3d, 0x17ec8ef3), TOBN(0x54b690d1, 0x46b8f781)}},\n {{TOBN(0x82fa2c8a, 0x21230646), TOBN(0xf51aabb9, 0x084f418c),\n TOBN(0xff4fbec1, 0x1a30ba43), TOBN(0x6a5acf73, 0x743c9df7)},\n {TOBN(0x1da2b357, 0xd635b4d5), TOBN(0xc3de68dd, 0xecd5c1da),\n TOBN(0xa689080b, 0xd61af0dd), TOBN(0xdea5938a, 0xd665bf99)}},\n {{TOBN(0x0231d71a, 0xfe637294), TOBN(0x01968aa6, 0xa5a81cd8),\n TOBN(0x11252d50, 0x048e63b5), TOBN(0xc446bc52, 0x6ca007e9)},\n {TOBN(0xef8c50a6, 0x96d6134b), TOBN(0x9361fbf5, 0x9e09a05c),\n TOBN(0xf17f85a6, 0xdca3291a), TOBN(0xb178d548, 0xff251a21)}},\n {{TOBN(0x87f6374b, 0xa4df3915), TOBN(0x566ce1bf, 0x2fd5d608),\n TOBN(0x425cba4d, 0x7de35102), TOBN(0x6b745f8f, 0x58c5d5e2)},\n {TOBN(0x88402af6, 0x63122edf), TOBN(0x3190f9ed, 0x3b989a89),\n TOBN(0x4ad3d387, 0xebba3156), TOBN(0xef385ad9, 0xc7c469a5)}},\n {{TOBN(0xb08281de, 0x3f642c29), TOBN(0x20be0888, 0x910ffb88),\n TOBN(0xf353dd4a, 0xd5292546), TOBN(0x3f1627de, 0x8377a262)},\n {TOBN(0xa5faa013, 0xeefcd638), TOBN(0x8f3bf626, 0x74cc77c3),\n TOBN(0x32618f65, 0xa348f55e), TOBN(0x5787c0dc, 0x9fefeb9e)}},\n {{TOBN(0xf1673aa2, 0xd9a23e44), TOBN(0x88dfa993, 0x4e10690d),\n TOBN(0x1ced1b36, 0x2bf91108), TOBN(0x9193ceca, 0x3af48649)},\n {TOBN(0xfb34327d, 0x2d738fc5), TOBN(0x6697b037, 0x975fee6c),\n TOBN(0x2f485da0, 0xc04079a5), TOBN(0x2cdf5735, 0x2feaa1ac)}},\n {{TOBN(0x76944420, 0xbd55659e), TOBN(0x7973e32b, 0x4376090c),\n TOBN(0x86bb4fe1, 0x163b591a), TOBN(0x10441aed, 0xc196f0ca)},\n {TOBN(0x3b431f4a, 0x045ad915), TOBN(0x6c11b437, 0xa4afacb1),\n TOBN(0x30b0c7db, 0x71fdbbd8), TOBN(0xb642931f, 0xeda65acd)}},\n {{TOBN(0x4baae6e8, 0x9c92b235), TOBN(0xa73bbd0e, 0x6b3993a1),\n TOBN(0xd06d60ec, 0x693dd031), TOBN(0x03cab91b, 0x7156881c)},\n {TOBN(0xd615862f, 0x1db3574b), TOBN(0x485b0185, 0x64bb061a),\n TOBN(0x27434988, 0xa0181e06), TOBN(0x2cd61ad4, 0xc1c0c757)}},\n {{TOBN(0x3effed5a, 0x2ff9f403), TOBN(0x8dc98d8b, 0x62239029),\n TOBN(0x2206021e, 0x1f17b70d), TOBN(0xafbec0ca, 0xbf510015)},\n {TOBN(0x9fed7164, 0x80130dfa), TOBN(0x306dc2b5, 0x8a02dcf5),\n TOBN(0x48f06620, 0xfeb10fc0), TOBN(0x78d1e1d5, 0x5a57cf51)}},\n {{TOBN(0xadef8c5a, 0x192ef710), TOBN(0x88afbd4b, 0x3b7431f9),\n TOBN(0x7e1f7407, 0x64250c9e), TOBN(0x6e31318d, 0xb58bec07)},\n {TOBN(0xfd4fc4b8, 0x24f89b4e), TOBN(0x65a5dd88, 0x48c36a2a),\n TOBN(0x4f1eccff, 0xf024baa7), TOBN(0x22a21cf2, 0xcba94650)}},\n {{TOBN(0x95d29dee, 0x42a554f7), TOBN(0x828983a5, 0x002ec4ba),\n TOBN(0x8112a1f7, 0x8badb73d), TOBN(0x79ea8897, 0xa27c1839)},\n {TOBN(0x8969a5a7, 0xd065fd83), TOBN(0xf49af791, 0xb262a0bc),\n TOBN(0xfcdea8b6, 0xaf2b5127), TOBN(0x10e913e1, 0x564c2dbc)}},\n {{TOBN(0x51239d14, 0xbc21ef51), TOBN(0xe51c3ceb, 0x4ce57292),\n TOBN(0x795ff068, 0x47bbcc3b), TOBN(0x86b46e1e, 0xbd7e11e6)},\n {TOBN(0x0ea6ba23, 0x80041ef4), TOBN(0xd72fe505, 0x6262342e),\n TOBN(0x8abc6dfd, 0x31d294d4), TOBN(0xbbe017a2, 0x1278c2c9)}},\n {{TOBN(0xb1fcfa09, 0xb389328a), TOBN(0x322fbc62, 0xd01771b5),\n TOBN(0x04c0d063, 0x60b045bf), TOBN(0xdb652edc, 0x10e52d01)},\n {TOBN(0x50ef932c, 0x03ec6627), TOBN(0xde1b3b2d, 0xc1ee50e3),\n TOBN(0x5ab7bdc5, 0xdc37a90d), TOBN(0xfea67213, 0x31e33a96)}},\n {{TOBN(0x6482b5cb, 0x4f2999aa), TOBN(0x38476cc6, 0xb8cbf0dd),\n TOBN(0x93ebfacb, 0x173405bb), TOBN(0x15cdafe7, 0xe52369ec)},\n {TOBN(0xd42d5ba4, 0xd935b7db), TOBN(0x648b6004, 0x1c99a4cd),\n TOBN(0x785101bd, 0xa3b5545b), TOBN(0x4bf2c38a, 0x9dd67faf)}},\n {{TOBN(0xb1aadc63, 0x4442449c), TOBN(0xe0e9921a, 0x33ad4fb8),\n TOBN(0x5c552313, 0xaa686d82), TOBN(0xdee635fa, 0x465d866c)},\n {TOBN(0xbc3c224a, 0x18ee6e8a), TOBN(0xeed748a6, 0xed42e02f),\n TOBN(0xe70f930a, 0xd474cd08), TOBN(0x774ea6ec, 0xfff24adf)}},\n {{TOBN(0x03e2de1c, 0xf3480d4a), TOBN(0xf0d8edc7, 0xbc8acf1a),\n TOBN(0xf23e3303, 0x68295a9c), TOBN(0xfadd5f68, 0xc546a97d)},\n {TOBN(0x895597ad, 0x96f8acb1), TOBN(0xbddd49d5, 0x671bdae2),\n TOBN(0x16fcd528, 0x21dd43f4), TOBN(0xa5a45412, 0x6619141a)}}},\n {{{TOBN(0x8ce9b6bf, 0xc360e25a), TOBN(0xe6425195, 0x075a1a78),\n TOBN(0x9dc756a8, 0x481732f4), TOBN(0x83c0440f, 0x5432b57a)},\n {TOBN(0xc670b3f1, 0xd720281f), TOBN(0x2205910e, 0xd135e051),\n TOBN(0xded14b0e, 0xdb052be7), TOBN(0x697b3d27, 0xc568ea39)}},\n {{TOBN(0x2e599b9a, 0xfb3ff9ed), TOBN(0x28c2e0ab, 0x17f6515c),\n TOBN(0x1cbee4fd, 0x474da449), TOBN(0x071279a4, 0x4f364452)},\n {TOBN(0x97abff66, 0x01fbe855), TOBN(0x3ee394e8, 0x5fda51c4),\n TOBN(0x190385f6, 0x67597c0b), TOBN(0x6e9fccc6, 0xa27ee34b)}},\n {{TOBN(0x0b89de93, 0x14092ebb), TOBN(0xf17256bd, 0x428e240c),\n TOBN(0xcf89a7f3, 0x93d2f064), TOBN(0x4f57841e, 0xe1ed3b14)},\n {TOBN(0x4ee14405, 0xe708d855), TOBN(0x856aae72, 0x03f1c3d0),\n TOBN(0xc8e5424f, 0xbdd7eed5), TOBN(0x3333e4ef, 0x73ab4270)}},\n {{TOBN(0x3bc77ade, 0xdda492f8), TOBN(0xc11a3aea, 0x78297205),\n TOBN(0x5e89a3e7, 0x34931b4c), TOBN(0x17512e2e, 0x9f5694bb)},\n {TOBN(0x5dc349f3, 0x177bf8b6), TOBN(0x232ea4ba, 0x08c7ff3e),\n TOBN(0x9c4f9d16, 0xf511145d), TOBN(0xccf109a3, 0x33b379c3)}},\n {{TOBN(0xe75e7a88, 0xa1f25897), TOBN(0x7ac6961f, 0xa1b5d4d8),\n TOBN(0xe3e10773, 0x08f3ed5c), TOBN(0x208a54ec, 0x0a892dfb)},\n {TOBN(0xbe826e19, 0x78660710), TOBN(0x0cf70a97, 0x237df2c8),\n TOBN(0x418a7340, 0xed704da5), TOBN(0xa3eeb9a9, 0x08ca33fd)}},\n {{TOBN(0x49d96233, 0x169bca96), TOBN(0x04d286d4, 0x2da6aafb),\n TOBN(0xc09606ec, 0xa0c2fa94), TOBN(0x8869d0d5, 0x23ff0fb3)},\n {TOBN(0xa99937e5, 0xd0150d65), TOBN(0xa92e2503, 0x240c14c9),\n TOBN(0x656bf945, 0x108e2d49), TOBN(0x152a733a, 0xa2f59e2b)}},\n {{TOBN(0xb4323d58, 0x8434a920), TOBN(0xc0af8e93, 0x622103c5),\n TOBN(0x667518ef, 0x938dbf9a), TOBN(0xa1843073, 0x83a9cdf2)},\n {TOBN(0x350a94aa, 0x5447ab80), TOBN(0xe5e5a325, 0xc75a3d61),\n TOBN(0x74ba507f, 0x68411a9e), TOBN(0x10581fc1, 0x594f70c5)}},\n {{TOBN(0x60e28570, 0x80eb24a9), TOBN(0x7bedfb4d, 0x488e0cfd),\n TOBN(0x721ebbd7, 0xc259cdb8), TOBN(0x0b0da855, 0xbc6390a9)},\n {TOBN(0x2b4d04db, 0xde314c70), TOBN(0xcdbf1fbc, 0x6c32e846),\n TOBN(0x33833eab, 0xb162fc9e), TOBN(0x9939b48b, 0xb0dd3ab7)}},\n {{TOBN(0x5aaa98a7, 0xcb0c9c8c), TOBN(0x75105f30, 0x81c4375c),\n TOBN(0xceee5057, 0x5ef1c90f), TOBN(0xb31e065f, 0xc23a17bf)},\n {TOBN(0x5364d275, 0xd4b6d45a), TOBN(0xd363f3ad, 0x62ec8996),\n TOBN(0xb5d21239, 0x4391c65b), TOBN(0x84564765, 0xebb41b47)}},\n {{TOBN(0x20d18ecc, 0x37107c78), TOBN(0xacff3b6b, 0x570c2a66),\n TOBN(0x22f975d9, 0x9bd0d845), TOBN(0xef0a0c46, 0xba178fa0)},\n {TOBN(0x1a419651, 0x76b6028e), TOBN(0xc49ec674, 0x248612d4),\n TOBN(0x5b6ac4f2, 0x7338af55), TOBN(0x06145e62, 0x7bee5a36)}},\n {{TOBN(0x33e95d07, 0xe75746b5), TOBN(0x1c1e1f6d, 0xc40c78be),\n TOBN(0x967833ef, 0x222ff8e2), TOBN(0x4bedcf6a, 0xb49180ad)},\n {TOBN(0x6b37e9c1, 0x3d7a4c8a), TOBN(0x2748887c, 0x6ddfe760),\n TOBN(0xf7055123, 0xaa3a5bbc), TOBN(0x954ff225, 0x7bbb8e74)}},\n {{TOBN(0xc42b8ab1, 0x97c3dfb9), TOBN(0x55a549b0, 0xcf168154),\n TOBN(0xad6748e7, 0xc1b50692), TOBN(0x2775780f, 0x6fc5cbcb)},\n {TOBN(0x4eab80b8, 0xe1c9d7c8), TOBN(0x8c69dae1, 0x3fdbcd56),\n TOBN(0x47e6b4fb, 0x9969eace), TOBN(0x002f1085, 0xa705cb5a)}},\n {{TOBN(0x4e23ca44, 0x6d3fea55), TOBN(0xb4ae9c86, 0xf4810568),\n TOBN(0x47bfb91b, 0x2a62f27d), TOBN(0x60deb4c9, 0xd9bac28c)},\n {TOBN(0xa892d894, 0x7de6c34c), TOBN(0x4ee68259, 0x4494587d),\n TOBN(0x914ee14e, 0x1a3f8a5b), TOBN(0xbb113eaa, 0x28700385)}},\n {{TOBN(0x81ca03b9, 0x2115b4c9), TOBN(0x7c163d38, 0x8908cad1),\n TOBN(0xc912a118, 0xaa18179a), TOBN(0xe09ed750, 0x886e3081)},\n {TOBN(0xa676e3fa, 0x26f516ca), TOBN(0x753cacf7, 0x8e732f91),\n TOBN(0x51592aea, 0x833da8b4), TOBN(0xc626f42f, 0x4cbea8aa)}},\n {{TOBN(0xef9dc899, 0xa7b56eaf), TOBN(0x00c0e52c, 0x34ef7316),\n TOBN(0x5b1e4e24, 0xfe818a86), TOBN(0x9d31e20d, 0xc538be47)},\n {TOBN(0x22eb932d, 0x3ed68974), TOBN(0xe44bbc08, 0x7c4e87c4),\n TOBN(0x4121086e, 0x0dde9aef), TOBN(0x8e6b9cff, 0x134f4345)}},\n {{TOBN(0x96892c1f, 0x711b0eb9), TOBN(0xb905f2c8, 0x780ab954),\n TOBN(0xace26309, 0xa20792db), TOBN(0xec8ac9b3, 0x0684e126)},\n {TOBN(0x486ad8b6, 0xb40a2447), TOBN(0x60121fc1, 0x9fe3fb24),\n TOBN(0x5626fccf, 0x1a8e3b3f), TOBN(0x4e568622, 0x6ad1f394)}},\n {{TOBN(0xda7aae0d, 0x196aa5a1), TOBN(0xe0df8c77, 0x1041b5fb),\n TOBN(0x451465d9, 0x26b318b7), TOBN(0xc29b6e55, 0x7ab136e9)},\n {TOBN(0x2c2ab48b, 0x71148463), TOBN(0xb5738de3, 0x64454a76),\n TOBN(0x54ccf9a0, 0x5a03abe4), TOBN(0x377c0296, 0x0427d58e)}},\n {{TOBN(0x73f5f0b9, 0x2bb39c1f), TOBN(0x14373f2c, 0xe608d8c5),\n TOBN(0xdcbfd314, 0x00fbb805), TOBN(0xdf18fb20, 0x83afdcfb)},\n {TOBN(0x81a57f42, 0x42b3523f), TOBN(0xe958532d, 0x87f650fb),\n TOBN(0xaa8dc8b6, 0x8b0a7d7c), TOBN(0x1b75dfb7, 0x150166be)}},\n {{TOBN(0x90e4f7c9, 0x2d7d1413), TOBN(0x67e2d6b5, 0x9834f597),\n TOBN(0x4fd4f4f9, 0xa808c3e8), TOBN(0xaf8237e0, 0xd5281ec1)},\n {TOBN(0x25ab5fdc, 0x84687cee), TOBN(0xc5ded6b1, 0xa5b26c09),\n TOBN(0x8e4a5aec, 0xc8ea7650), TOBN(0x23b73e5c, 0x14cc417f)}},\n {{TOBN(0x2bfb4318, 0x3037bf52), TOBN(0xb61e6db5, 0x78c725d7),\n TOBN(0x8efd4060, 0xbbb3e5d7), TOBN(0x2e014701, 0xdbac488e)},\n {TOBN(0xac75cf9a, 0x360aa449), TOBN(0xb70cfd05, 0x79634d08),\n TOBN(0xa591536d, 0xfffb15ef), TOBN(0xb2c37582, 0xd07c106c)}},\n {{TOBN(0xb4293fdc, 0xf50225f9), TOBN(0xc52e175c, 0xb0e12b03),\n TOBN(0xf649c3ba, 0xd0a8bf64), TOBN(0x745a8fef, 0xeb8ae3c6)},\n {TOBN(0x30d7e5a3, 0x58321bc3), TOBN(0xb1732be7, 0x0bc4df48),\n TOBN(0x1f217993, 0xe9ea5058), TOBN(0xf7a71cde, 0x3e4fd745)}},\n {{TOBN(0x86cc533e, 0x894c5bbb), TOBN(0x6915c7d9, 0x69d83082),\n TOBN(0xa6aa2d05, 0x5815c244), TOBN(0xaeeee592, 0x49b22ce5)},\n {TOBN(0x89e39d13, 0x78135486), TOBN(0x3a275c1f, 0x16b76f2f),\n TOBN(0xdb6bcc1b, 0xe036e8f5), TOBN(0x4df69b21, 0x5e4709f5)}},\n {{TOBN(0xa188b250, 0x2d0f39aa), TOBN(0x622118bb, 0x15a85947),\n TOBN(0x2ebf520f, 0xfde0f4fa), TOBN(0xa40e9f29, 0x4860e539)},\n {TOBN(0x7b6a51eb, 0x22b57f0f), TOBN(0x849a33b9, 0x7e80644a),\n TOBN(0x50e5d16f, 0x1cf095fe), TOBN(0xd754b54e, 0xec55f002)}},\n {{TOBN(0x5cfbbb22, 0x236f4a98), TOBN(0x0b0c59e9, 0x066800bb),\n TOBN(0x4ac69a8f, 0x5a9a7774), TOBN(0x2b33f804, 0xd6bec948)},\n {TOBN(0xb3729295, 0x32e6c466), TOBN(0x68956d0f, 0x4e599c73),\n TOBN(0xa47a249f, 0x155c31cc), TOBN(0x24d80f0d, 0xe1ce284e)}},\n {{TOBN(0xcd821dfb, 0x988baf01), TOBN(0xe6331a7d, 0xdbb16647),\n TOBN(0x1eb8ad33, 0x094cb960), TOBN(0x593cca38, 0xc91bbca5)},\n {TOBN(0x384aac8d, 0x26567456), TOBN(0x40fa0309, 0xc04b6490),\n TOBN(0x97834cd6, 0xdab6c8f6), TOBN(0x68a7318d, 0x3f91e55f)}},\n {{TOBN(0xa00fd04e, 0xfc4d3157), TOBN(0xb56f8ab2, 0x2bf3bdea),\n TOBN(0x014f5648, 0x4fa57172), TOBN(0x948c5860, 0x450abdb3)},\n {TOBN(0x342b5df0, 0x0ebd4f08), TOBN(0x3e5168cd, 0x0e82938e),\n TOBN(0x7aedc1ce, 0xb0df5dd0), TOBN(0x6bbbc6d9, 0xe5732516)}},\n {{TOBN(0xc7bfd486, 0x605daaa6), TOBN(0x46fd72b7, 0xbb9a6c9e),\n TOBN(0xe4847fb1, 0xa124fb89), TOBN(0x75959cbd, 0xa2d8ffbc)},\n {TOBN(0x42579f65, 0xc8a588ee), TOBN(0x368c92e6, 0xb80b499d),\n TOBN(0xea4ef6cd, 0x999a5df1), TOBN(0xaa73bb7f, 0x936fe604)}},\n {{TOBN(0xf347a70d, 0x6457d188), TOBN(0x86eda86b, 0x8b7a388b),\n TOBN(0xb7cdff06, 0x0ccd6013), TOBN(0xbeb1b6c7, 0xd0053fb2)},\n {TOBN(0x0b022387, 0x99240a9f), TOBN(0x1bbb384f, 0x776189b2),\n TOBN(0x8695e71e, 0x9066193a), TOBN(0x2eb50097, 0x06ffac7e)}},\n {{TOBN(0x0654a9c0, 0x4a7d2caa), TOBN(0x6f3fb3d1, 0xa5aaa290),\n TOBN(0x835db041, 0xff476e8f), TOBN(0x540b8b0b, 0xc42295e4)},\n {TOBN(0xa5c73ac9, 0x05e214f5), TOBN(0x9a74075a, 0x56a0b638),\n TOBN(0x2e4b1090, 0xce9e680b), TOBN(0x57a5b479, 0x6b8d9afa)}},\n {{TOBN(0x0dca48e7, 0x26bfe65c), TOBN(0x097e391c, 0x7290c307),\n TOBN(0x683c462e, 0x6669e72e), TOBN(0xf505be1e, 0x062559ac)},\n {TOBN(0x5fbe3ea1, 0xe3a3035a), TOBN(0x6431ebf6, 0x9cd50da8),\n TOBN(0xfd169d5c, 0x1f6407f2), TOBN(0x8d838a95, 0x60fce6b8)}},\n {{TOBN(0x2a2bfa7f, 0x650006f0), TOBN(0xdfd7dad3, 0x50c0fbb2),\n TOBN(0x92452495, 0xccf9ad96), TOBN(0x183bf494, 0xd95635f9)},\n {TOBN(0x02d5df43, 0x4a7bd989), TOBN(0x505385cc, 0xa5431095),\n TOBN(0xdd98e67d, 0xfd43f53e), TOBN(0xd61e1a6c, 0x500c34a9)}},\n {{TOBN(0x5a4b46c6, 0x4a8a3d62), TOBN(0x8469c4d0, 0x247743d2),\n TOBN(0x2bb3a13d, 0x88f7e433), TOBN(0x62b23a10, 0x01be5849)},\n {TOBN(0xe83596b4, 0xa63d1a4c), TOBN(0x454e7fea, 0x7d183f3e),\n TOBN(0x643fce61, 0x17afb01c), TOBN(0x4e65e5e6, 0x1c4c3638)}},\n {{TOBN(0x41d85ea1, 0xef74c45b), TOBN(0x2cfbfa66, 0xae328506),\n TOBN(0x98b078f5, 0x3ada7da9), TOBN(0xd985fe37, 0xec752fbb)},\n {TOBN(0xeece68fe, 0x5a0148b4), TOBN(0x6f9a55c7, 0x2d78136d),\n TOBN(0x232dccc4, 0xd2b729ce), TOBN(0xa27e0dfd, 0x90aafbc4)}},\n {{TOBN(0x96474452, 0x12b4603e), TOBN(0xa876c551, 0x6b706d14),\n TOBN(0xdf145fcf, 0x69a9d412), TOBN(0xe2ab75b7, 0x2d479c34)},\n {TOBN(0x12df9a76, 0x1a23ff97), TOBN(0xc6138992, 0x5d359d10),\n TOBN(0x6e51c7ae, 0xfa835f22), TOBN(0x69a79cb1, 0xc0fcc4d9)}},\n {{TOBN(0xf57f350d, 0x594cc7e1), TOBN(0x3079ca63, 0x3350ab79),\n TOBN(0x226fb614, 0x9aff594a), TOBN(0x35afec02, 0x6d59a62b)},\n {TOBN(0x9bee46f4, 0x06ed2c6e), TOBN(0x58da1735, 0x7d939a57),\n TOBN(0x44c50402, 0x8fd1797e), TOBN(0xd8853e7c, 0x5ccea6ca)}},\n {{TOBN(0x4065508d, 0xa35fcd5f), TOBN(0x8965df8c, 0x495ccaeb),\n TOBN(0x0f2da850, 0x12e1a962), TOBN(0xee471b94, 0xc1cf1cc4)},\n {TOBN(0xcef19bc8, 0x0a08fb75), TOBN(0x704958f5, 0x81de3591),\n TOBN(0x2867f8b2, 0x3aef4f88), TOBN(0x8d749384, 0xea9f9a5f)}},\n {{TOBN(0x1b385537, 0x8c9049f4), TOBN(0x5be948f3, 0x7b92d8b6),\n TOBN(0xd96f725d, 0xb6e2bd6b), TOBN(0x37a222bc, 0x958c454d)},\n {TOBN(0xe7c61abb, 0x8809bf61), TOBN(0x46f07fbc, 0x1346f18d),\n TOBN(0xfb567a7a, 0xe87c0d1c), TOBN(0x84a461c8, 0x7ef3d07a)}},\n {{TOBN(0x0a5adce6, 0xd9278d98), TOBN(0x24d94813, 0x9dfc73e1),\n TOBN(0x4f3528b6, 0x054321c3), TOBN(0x2e03fdde, 0x692ea706)},\n {TOBN(0x10e60619, 0x47b533c0), TOBN(0x1a8bc73f, 0x2ca3c055),\n TOBN(0xae58d4b2, 0x1bb62b8f), TOBN(0xb2045a73, 0x584a24e3)}},\n {{TOBN(0x3ab3d5af, 0xbd76e195), TOBN(0x478dd1ad, 0x6938a810),\n TOBN(0x6ffab393, 0x6ee3d5cb), TOBN(0xdfb693db, 0x22b361e4)},\n {TOBN(0xf9694496, 0x51dbf1a7), TOBN(0xcab4b4ef, 0x08a2e762),\n TOBN(0xe8c92f25, 0xd39bba9a), TOBN(0x850e61bc, 0xf1464d96)}},\n {{TOBN(0xb7e830e3, 0xdc09508b), TOBN(0xfaf6d2cf, 0x74317655),\n TOBN(0x72606ceb, 0xdf690355), TOBN(0x48bb92b3, 0xd0c3ded6)},\n {TOBN(0x65b75484, 0x5c7cf892), TOBN(0xf6cd7ac9, 0xd5d5f01f),\n TOBN(0xc2c30a59, 0x96401d69), TOBN(0x91268650, 0xed921878)}},\n {{TOBN(0x380bf913, 0xb78c558f), TOBN(0x43c0baeb, 0xc8afdaa9),\n TOBN(0x377f61d5, 0x54f169d3), TOBN(0xf8da07e3, 0xae5ff20b)},\n {TOBN(0xb676c49d, 0xa8a90ea8), TOBN(0x81c1ff2b, 0x83a29b21),\n TOBN(0x383297ac, 0x2ad8d276), TOBN(0x3001122f, 0xba89f982)}},\n {{TOBN(0xe1d794be, 0x6718e448), TOBN(0x246c1482, 0x7c3e6e13),\n TOBN(0x56646ef8, 0x5d26b5ef), TOBN(0x80f5091e, 0x88069cdd)},\n {TOBN(0xc5992e2f, 0x724bdd38), TOBN(0x02e915b4, 0x8471e8c7),\n TOBN(0x96ff320a, 0x0d0ff2a9), TOBN(0xbf886487, 0x4384d1a0)}},\n {{TOBN(0xbbe1e6a6, 0xc93f72d6), TOBN(0xd5f75d12, 0xcad800ea),\n TOBN(0xfa40a09f, 0xe7acf117), TOBN(0x32c8cdd5, 0x7581a355)},\n {TOBN(0x74221992, 0x7023c499), TOBN(0xa8afe5d7, 0x38ec3901),\n TOBN(0x5691afcb, 0xa90e83f0), TOBN(0x41bcaa03, 0x0b8f8eac)}},\n {{TOBN(0xe38b5ff9, 0x8d2668d5), TOBN(0x0715281a, 0x7ad81965),\n TOBN(0x1bc8fc7c, 0x03c6ce11), TOBN(0xcbbee6e2, 0x8b650436)},\n {TOBN(0x06b00fe8, 0x0cdb9808), TOBN(0x17d6e066, 0xfe3ed315),\n TOBN(0x2e9d38c6, 0x4d0b5018), TOBN(0xab8bfd56, 0x844dcaef)}},\n {{TOBN(0x42894a59, 0x513aed8b), TOBN(0xf77f3b6d, 0x314bd07a),\n TOBN(0xbbdecb8f, 0x8e42b582), TOBN(0xf10e2fa8, 0xd2390fe6)},\n {TOBN(0xefb95022, 0x62a2f201), TOBN(0x4d59ea50, 0x50ee32b0),\n TOBN(0xd87f7728, 0x6da789a8), TOBN(0xcf98a2cf, 0xf79492c4)}},\n {{TOBN(0xf9577239, 0x720943c2), TOBN(0xba044cf5, 0x3990b9d0),\n TOBN(0x5aa8e823, 0x95f2884a), TOBN(0x834de6ed, 0x0278a0af)},\n {TOBN(0xc8e1ee9a, 0x5f25bd12), TOBN(0x9259ceaa, 0x6f7ab271),\n TOBN(0x7e6d97a2, 0x77d00b76), TOBN(0x5c0c6eea, 0xa437832a)}},\n {{TOBN(0x5232c20f, 0x5606b81d), TOBN(0xabd7b375, 0x0d991ee5),\n TOBN(0x4d2bfe35, 0x8632d951), TOBN(0x78f85146, 0x98ed9364)},\n {TOBN(0x951873f0, 0xf30c3282), TOBN(0x0da8ac80, 0xa789230b),\n TOBN(0x3ac7789c, 0x5398967f), TOBN(0xa69b8f7f, 0xbdda0fb5)}},\n {{TOBN(0xe5db7717, 0x6add8545), TOBN(0x1b71cb66, 0x72c49b66),\n TOBN(0xd8560739, 0x68421d77), TOBN(0x03840fe8, 0x83e3afea)},\n {TOBN(0xb391dad5, 0x1ec69977), TOBN(0xae243fb9, 0x307f6726),\n TOBN(0xc88ac87b, 0xe8ca160c), TOBN(0x5174cced, 0x4ce355f4)}},\n {{TOBN(0x98a35966, 0xe58ba37d), TOBN(0xfdcc8da2, 0x7817335d),\n TOBN(0x5b752830, 0x83fbc7bf), TOBN(0x68e419d4, 0xd9c96984)},\n {TOBN(0x409a39f4, 0x02a40380), TOBN(0x88940faf, 0x1fe977bc),\n TOBN(0xc640a94b, 0x8f8edea6), TOBN(0x1e22cd17, 0xed11547d)}},\n {{TOBN(0xe28568ce, 0x59ffc3e2), TOBN(0x60aa1b55, 0xc1dee4e7),\n TOBN(0xc67497c8, 0x837cb363), TOBN(0x06fb438a, 0x105a2bf2)},\n {TOBN(0x30357ec4, 0x500d8e20), TOBN(0x1ad9095d, 0x0670db10),\n TOBN(0x7f589a05, 0xc73b7cfd), TOBN(0xf544607d, 0x880d6d28)}},\n {{TOBN(0x17ba93b1, 0xa20ef103), TOBN(0xad859130, 0x6ba6577b),\n TOBN(0x65c91cf6, 0x6fa214a0), TOBN(0xd7d49c6c, 0x27990da5)},\n {TOBN(0xecd9ec8d, 0x20bb569d), TOBN(0xbd4b2502, 0xeeffbc33),\n TOBN(0x2056ca5a, 0x6bed0467), TOBN(0x7916a1f7, 0x5b63728c)}},\n {{TOBN(0xd4f9497d, 0x53a4f566), TOBN(0x89734664, 0x97b56810),\n TOBN(0xf8e1da74, 0x0494a621), TOBN(0x82546a93, 0x8d011c68)},\n {TOBN(0x1f3acb19, 0xc61ac162), TOBN(0x52f8fa9c, 0xabad0d3e),\n TOBN(0x15356523, 0xb4b7ea43), TOBN(0x5a16ad61, 0xae608125)}},\n {{TOBN(0xb0bcb87f, 0x4faed184), TOBN(0x5f236b1d, 0x5029f45f),\n TOBN(0xd42c7607, 0x0bc6b1fc), TOBN(0xc644324e, 0x68aefce3)},\n {TOBN(0x8e191d59, 0x5c5d8446), TOBN(0xc0208077, 0x13ae1979),\n TOBN(0xadcaee55, 0x3ba59cc7), TOBN(0x20ed6d6b, 0xa2cb81ba)}},\n {{TOBN(0x0952ba19, 0xb6efcffc), TOBN(0x60f12d68, 0x97c0b87c),\n TOBN(0x4ee2c7c4, 0x9caa30bc), TOBN(0x767238b7, 0x97fbff4e)},\n {TOBN(0xebc73921, 0x501b5d92), TOBN(0x3279e3df, 0xc2a37737),\n TOBN(0x9fc12bc8, 0x6d197543), TOBN(0xfa94dc6f, 0x0a40db4e)}},\n {{TOBN(0x7392b41a, 0x530ccbbd), TOBN(0x87c82146, 0xea823525),\n TOBN(0xa52f984c, 0x05d98d0c), TOBN(0x2ae57d73, 0x5ef6974c)},\n {TOBN(0x9377f7bf, 0x3042a6dd), TOBN(0xb1a007c0, 0x19647a64),\n TOBN(0xfaa9079a, 0x0cca9767), TOBN(0x3d81a25b, 0xf68f72d5)}},\n {{TOBN(0x752067f8, 0xff81578e), TOBN(0x78622150, 0x9045447d),\n TOBN(0xc0c22fcf, 0x0505aa6f), TOBN(0x1030f0a6, 0x6bed1c77)},\n {TOBN(0x31f29f15, 0x1f0bd739), TOBN(0x2d7989c7, 0xe6debe85),\n TOBN(0x5c070e72, 0x8e677e98), TOBN(0x0a817bd3, 0x06e81fd5)}},\n {{TOBN(0xc110d830, 0xb0f2ac95), TOBN(0x48d0995a, 0xab20e64e),\n TOBN(0x0f3e00e1, 0x7729cd9a), TOBN(0x2a570c20, 0xdd556946)},\n {TOBN(0x912dbcfd, 0x4e86214d), TOBN(0x2d014ee2, 0xcf615498),\n TOBN(0x55e2b1e6, 0x3530d76e), TOBN(0xc5135ae4, 0xfd0fd6d1)}},\n {{TOBN(0x0066273a, 0xd4f3049f), TOBN(0xbb8e9893, 0xe7087477),\n TOBN(0x2dba1ddb, 0x14c6e5fd), TOBN(0xdba37886, 0x51f57e6c)},\n {TOBN(0x5aaee0a6, 0x5a72f2cf), TOBN(0x1208bfbf, 0x7bea5642),\n TOBN(0xf5c6aa3b, 0x67872c37), TOBN(0xd726e083, 0x43f93224)}},\n {{TOBN(0x1854daa5, 0x061f1658), TOBN(0xc0016df1, 0xdf0cd2b3),\n TOBN(0xc2a3f23e, 0x833d50de), TOBN(0x73b681d2, 0xbbbd3017)},\n {TOBN(0x2f046dc4, 0x3ac343c0), TOBN(0x9c847e7d, 0x85716421),\n TOBN(0xe1e13c91, 0x0917eed4), TOBN(0x3fc9eebd, 0x63a1b9c6)}},\n {{TOBN(0x0f816a72, 0x7fe02299), TOBN(0x6335ccc2, 0x294f3319),\n TOBN(0x3820179f, 0x4745c5be), TOBN(0xe647b782, 0x922f066e)},\n {TOBN(0xc22e49de, 0x02cafb8a), TOBN(0x299bc2ff, 0xfcc2eccc),\n TOBN(0x9a8feea2, 0x6e0e8282), TOBN(0xa627278b, 0xfe893205)}},\n {{TOBN(0xa7e19733, 0x7933e47b), TOBN(0xf4ff6b13, 0x2e766402),\n TOBN(0xa4d8be0a, 0x98440d9f), TOBN(0x658f5c2f, 0x38938808)},\n {TOBN(0x90b75677, 0xc95b3b3e), TOBN(0xfa044269, 0x3137b6ff),\n TOBN(0x077b039b, 0x43c47c29), TOBN(0xcca95dd3, 0x8a6445b2)}},\n {{TOBN(0x0b498ba4, 0x2333fc4c), TOBN(0x274f8e68, 0xf736a1b1),\n TOBN(0x6ca348fd, 0x5f1d4b2e), TOBN(0x24d3be78, 0xa8f10199)},\n {TOBN(0x8535f858, 0xca14f530), TOBN(0xa6e7f163, 0x5b982e51),\n TOBN(0x847c8512, 0x36e1bf62), TOBN(0xf6a7c58e, 0x03448418)}},\n {{TOBN(0x583f3703, 0xf9374ab6), TOBN(0x864f9195, 0x6e564145),\n TOBN(0x33bc3f48, 0x22526d50), TOBN(0x9f323c80, 0x1262a496)},\n {TOBN(0xaa97a7ae, 0x3f046a9a), TOBN(0x70da183e, 0xdf8a039a),\n TOBN(0x5b68f71c, 0x52aa0ba6), TOBN(0x9be0fe51, 0x21459c2d)}},\n {{TOBN(0xc1e17eb6, 0xcbc613e5), TOBN(0x33131d55, 0x497ea61c),\n TOBN(0x2f69d39e, 0xaf7eded5), TOBN(0x73c2f434, 0xde6af11b)},\n {TOBN(0x4ca52493, 0xa4a375fa), TOBN(0x5f06787c, 0xb833c5c2),\n TOBN(0x814e091f, 0x3e6e71cf), TOBN(0x76451f57, 0x8b746666)}}},\n {{{TOBN(0x80f9bdef, 0x694db7e0), TOBN(0xedca8787, 0xb9fcddc6),\n TOBN(0x51981c34, 0x03b8dce1), TOBN(0x4274dcf1, 0x70e10ba1)},\n {TOBN(0xf72743b8, 0x6def6d1a), TOBN(0xd25b1670, 0xebdb1866),\n TOBN(0xc4491e8c, 0x050c6f58), TOBN(0x2be2b2ab, 0x87fbd7f5)}},\n {{TOBN(0x3e0e5c9d, 0xd111f8ec), TOBN(0xbcc33f8d, 0xb7c4e760),\n TOBN(0x702f9a91, 0xbd392a51), TOBN(0x7da4a795, 0xc132e92d)},\n {TOBN(0x1a0b0ae3, 0x0bb1151b), TOBN(0x54febac8, 0x02e32251),\n TOBN(0xea3a5082, 0x694e9e78), TOBN(0xe58ffec1, 0xe4fe40b8)}},\n {{TOBN(0xf85592fc, 0xd1e0cf9e), TOBN(0xdea75f0d, 0xc0e7b2e8),\n TOBN(0xc04215cf, 0xc135584e), TOBN(0x174fc727, 0x2f57092a)},\n {TOBN(0xe7277877, 0xeb930bea), TOBN(0x504caccb, 0x5eb02a5a),\n TOBN(0xf9fe08f7, 0xf5241b9b), TOBN(0xe7fb62f4, 0x8d5ca954)}},\n {{TOBN(0xfbb8349d, 0x29c4120b), TOBN(0x9f94391f, 0xc0d0d915),\n TOBN(0xc4074fa7, 0x5410ba51), TOBN(0xa66adbf6, 0x150a5911)},\n {TOBN(0xc164543c, 0x34bfca38), TOBN(0xe0f27560, 0xb9e1ccfc),\n TOBN(0x99da0f53, 0xe820219c), TOBN(0xe8234498, 0xc6b4997a)}},\n {{TOBN(0xcfb88b76, 0x9d4c5423), TOBN(0x9e56eb10, 0xb0521c49),\n TOBN(0x418e0b5e, 0xbe8700a1), TOBN(0x00cbaad6, 0xf93cb58a)},\n {TOBN(0xe923fbde, 0xd92a5e67), TOBN(0xca4979ac, 0x1f347f11),\n TOBN(0x89162d85, 0x6bc0585b), TOBN(0xdd6254af, 0xac3c70e3)}},\n {{TOBN(0x7b23c513, 0x516e19e4), TOBN(0x56e2e847, 0xc5c4d593),\n TOBN(0x9f727d73, 0x5ce71ef6), TOBN(0x5b6304a6, 0xf79a44c5)},\n {TOBN(0x6638a736, 0x3ab7e433), TOBN(0x1adea470, 0xfe742f83),\n TOBN(0xe054b854, 0x5b7fc19f), TOBN(0xf935381a, 0xba1d0698)}},\n {{TOBN(0x546eab2d, 0x799e9a74), TOBN(0x96239e0e, 0xa949f729),\n TOBN(0xca274c6b, 0x7090055a), TOBN(0x835142c3, 0x9020c9b0)},\n {TOBN(0xa405667a, 0xa2e8807f), TOBN(0x29f2c085, 0x1aa3d39e),\n TOBN(0xcc555d64, 0x42fc72f5), TOBN(0xe856e0e7, 0xfbeacb3c)}},\n {{TOBN(0xb5504f9d, 0x918e4936), TOBN(0x65035ef6, 0xb2513982),\n TOBN(0x0553a0c2, 0x6f4d9cb9), TOBN(0x6cb10d56, 0xbea85509)},\n {TOBN(0x48d957b7, 0xa242da11), TOBN(0x16a4d3dd, 0x672b7268),\n TOBN(0x3d7e637c, 0x8502a96b), TOBN(0x27c7032b, 0x730d463b)}},\n {{TOBN(0xbdc02b18, 0xe4136a14), TOBN(0xbacf969d, 0x678e32bf),\n TOBN(0xc98d89a3, 0xdd9c3c03), TOBN(0x7b92420a, 0x23becc4f)},\n {TOBN(0xd4b41f78, 0xc64d565c), TOBN(0x9f969d00, 0x10f28295),\n TOBN(0xec7f7f76, 0xb13d051a), TOBN(0x08945e1e, 0xa92da585)}},\n {{TOBN(0x55366b7d, 0x5846426f), TOBN(0xe7d09e89, 0x247d441d),\n TOBN(0x510b404d, 0x736fbf48), TOBN(0x7fa003d0, 0xe784bd7d)},\n {TOBN(0x25f7614f, 0x17fd9596), TOBN(0x49e0e0a1, 0x35cb98db),\n TOBN(0x2c65957b, 0x2e83a76a), TOBN(0x5d40da8d, 0xcddbe0f8)}},\n {{TOBN(0xf2b8c405, 0x050bad24), TOBN(0x8918426d, 0xc2aa4823),\n TOBN(0x2aeab3dd, 0xa38365a7), TOBN(0x72031717, 0x7c91b690)},\n {TOBN(0x8b00d699, 0x60a94120), TOBN(0x478a255d, 0xe99eaeec),\n TOBN(0xbf656a5f, 0x6f60aafd), TOBN(0xdfd7cb75, 0x5dee77b3)}},\n {{TOBN(0x37f68bb4, 0xa595939d), TOBN(0x03556479, 0x28740217),\n TOBN(0x8e740e7c, 0x84ad7612), TOBN(0xd89bc843, 0x9044695f)},\n {TOBN(0xf7f3da5d, 0x85a9184d), TOBN(0x562563bb, 0x9fc0b074),\n TOBN(0x06d2e6aa, 0xf88a888e), TOBN(0x612d8643, 0x161fbe7c)}},\n {{TOBN(0x465edba7, 0xf64085e7), TOBN(0xb230f304, 0x29aa8511),\n TOBN(0x53388426, 0xcda2d188), TOBN(0x90885735, 0x4b666649)},\n {TOBN(0x6f02ff9a, 0x652f54f6), TOBN(0x65c82294, 0x5fae2bf0),\n TOBN(0x7816ade0, 0x62f5eee3), TOBN(0xdcdbdf43, 0xfcc56d70)}},\n {{TOBN(0x9fb3bba3, 0x54530bb2), TOBN(0xbde3ef77, 0xcb0869ea),\n TOBN(0x89bc9046, 0x0b431163), TOBN(0x4d03d7d2, 0xe4819a35)},\n {TOBN(0x33ae4f9e, 0x43b6a782), TOBN(0x216db307, 0x9c88a686),\n TOBN(0x91dd88e0, 0x00ffedd9), TOBN(0xb280da9f, 0x12bd4840)}},\n {{TOBN(0x32a7cb8a, 0x1635e741), TOBN(0xfe14008a, 0x78be02a7),\n TOBN(0x3fafb334, 0x1b7ae030), TOBN(0x7fd508e7, 0x5add0ce9)},\n {TOBN(0x72c83219, 0xd607ad51), TOBN(0x0f229c0a, 0x8d40964a),\n TOBN(0x1be2c336, 0x1c878da2), TOBN(0xe0c96742, 0xeab2ab86)}},\n {{TOBN(0x458f8691, 0x3e538cd7), TOBN(0xa7001f6c, 0x8e08ad53),\n TOBN(0x52b8c6e6, 0xbf5d15ff), TOBN(0x548234a4, 0x011215dd)},\n {TOBN(0xff5a9d2d, 0x3d5b4045), TOBN(0xb0ffeeb6, 0x4a904190),\n TOBN(0x55a3aca4, 0x48607f8b), TOBN(0x8cbd665c, 0x30a0672a)}},\n {{TOBN(0x87f834e0, 0x42583068), TOBN(0x02da2aeb, 0xf3f6e683),\n TOBN(0x6b763e5d, 0x05c12248), TOBN(0x7230378f, 0x65a8aefc)},\n {TOBN(0x93bd80b5, 0x71e8e5ca), TOBN(0x53ab041c, 0xb3b62524),\n TOBN(0x1b860513, 0x6c9c552e), TOBN(0xe84d402c, 0xd5524e66)}},\n {{TOBN(0xa37f3573, 0xf37f5937), TOBN(0xeb0f6c7d, 0xd1e4fca5),\n TOBN(0x2965a554, 0xac8ab0fc), TOBN(0x17fbf56c, 0x274676ac)},\n {TOBN(0x2e2f6bd9, 0xacf7d720), TOBN(0x41fc8f88, 0x10224766),\n TOBN(0x517a14b3, 0x85d53bef), TOBN(0xdae327a5, 0x7d76a7d1)}},\n {{TOBN(0x6ad0a065, 0xc4818267), TOBN(0x33aa189b, 0x37c1bbc1),\n TOBN(0x64970b52, 0x27392a92), TOBN(0x21699a1c, 0x2d1535ea)},\n {TOBN(0xcd20779c, 0xc2d7a7fd), TOBN(0xe3186059, 0x99c83cf2),\n TOBN(0x9b69440b, 0x72c0b8c7), TOBN(0xa81497d7, 0x7b9e0e4d)}},\n {{TOBN(0x515d5c89, 0x1f5f82dc), TOBN(0x9a7f67d7, 0x6361079e),\n TOBN(0xa8da81e3, 0x11a35330), TOBN(0xe44990c4, 0x4b18be1b)},\n {TOBN(0xc7d5ed95, 0xaf103e59), TOBN(0xece8aba7, 0x8dac9261),\n TOBN(0xbe82b099, 0x9394b8d3), TOBN(0x6830f09a, 0x16adfe83)}},\n {{TOBN(0x250a29b4, 0x88172d01), TOBN(0x8b20bd65, 0xcaff9e02),\n TOBN(0xb8a7661e, 0xe8a6329a), TOBN(0x4520304d, 0xd3fce920)},\n {TOBN(0xae45da1f, 0x2b47f7ef), TOBN(0xe07f5288, 0x5bffc540),\n TOBN(0xf7997009, 0x3464f874), TOBN(0x2244c2cd, 0xa6fa1f38)}},\n {{TOBN(0x43c41ac1, 0x94d7d9b1), TOBN(0x5bafdd82, 0xc82e7f17),\n TOBN(0xdf0614c1, 0x5fda0fca), TOBN(0x74b043a7, 0xa8ae37ad)},\n {TOBN(0x3ba6afa1, 0x9e71734c), TOBN(0x15d5437e, 0x9c450f2e),\n TOBN(0x4a5883fe, 0x67e242b1), TOBN(0x5143bdc2, 0x2c1953c2)}},\n {{TOBN(0x542b8b53, 0xfc5e8920), TOBN(0x363bf9a8, 0x9a9cee08),\n TOBN(0x02375f10, 0xc3486e08), TOBN(0x2037543b, 0x8c5e70d2)},\n {TOBN(0x7109bccc, 0x625640b4), TOBN(0xcbc1051e, 0x8bc62c3b),\n TOBN(0xf8455fed, 0x803f26ea), TOBN(0x6badceab, 0xeb372424)}},\n {{TOBN(0xa2a9ce7c, 0x6b53f5f9), TOBN(0x64246595, 0x1b176d99),\n TOBN(0xb1298d36, 0xb95c081b), TOBN(0x53505bb8, 0x1d9a9ee6)},\n {TOBN(0x3f6f9e61, 0xf2ba70b0), TOBN(0xd07e16c9, 0x8afad453),\n TOBN(0x9f1694bb, 0xe7eb4a6a), TOBN(0xdfebced9, 0x3cb0bc8e)}},\n {{TOBN(0x92d3dcdc, 0x53868c8b), TOBN(0x174311a2, 0x386107a6),\n TOBN(0x4109e07c, 0x689b4e64), TOBN(0x30e4587f, 0x2df3dcb6)},\n {TOBN(0x841aea31, 0x0811b3b2), TOBN(0x6144d41d, 0x0cce43ea),\n TOBN(0x464c4581, 0x2a9a7803), TOBN(0xd03d371f, 0x3e158930)}},\n {{TOBN(0xc676d7f2, 0xb1f3390b), TOBN(0x9f7a1b8c, 0xa5b61272),\n TOBN(0x4ebebfc9, 0xc2e127a9), TOBN(0x4602500c, 0x5dd997bf)},\n {TOBN(0x7f09771c, 0x4711230f), TOBN(0x058eb37c, 0x020f09c1),\n TOBN(0xab693d4b, 0xfee5e38b), TOBN(0x9289eb1f, 0x4653cbc0)}},\n {{TOBN(0xbecf46ab, 0xd51b9cf5), TOBN(0xd2aa9c02, 0x9f0121af),\n TOBN(0x36aaf7d2, 0xe90dc274), TOBN(0x909e4ea0, 0x48b95a3c)},\n {TOBN(0xe6b70496, 0x6f32dbdb), TOBN(0x672188a0, 0x8b030b3e),\n TOBN(0xeeffe5b3, 0xcfb617e2), TOBN(0x87e947de, 0x7c82709e)}},\n {{TOBN(0xa44d2b39, 0x1770f5a7), TOBN(0xe4d4d791, 0x0e44eb82),\n TOBN(0x42e69d1e, 0x3f69712a), TOBN(0xbf11c4d6, 0xac6a820e)},\n {TOBN(0xb5e7f3e5, 0x42c4224c), TOBN(0xd6b4e81c, 0x449d941c),\n TOBN(0x5d72bd16, 0x5450e878), TOBN(0x6a61e28a, 0xee25ac54)}},\n {{TOBN(0x33272094, 0xe6f1cd95), TOBN(0x7512f30d, 0x0d18673f),\n TOBN(0x32f7a4ca, 0x5afc1464), TOBN(0x2f095656, 0x6bbb977b)},\n {TOBN(0x586f47ca, 0xa8226200), TOBN(0x02c868ad, 0x1ac07369),\n TOBN(0x4ef2b845, 0xc613acbe), TOBN(0x43d7563e, 0x0386054c)}},\n {{TOBN(0x54da9dc7, 0xab952578), TOBN(0xb5423df2, 0x26e84d0b),\n TOBN(0xa8b64eeb, 0x9b872042), TOBN(0xac205782, 0x5990f6df)},\n {TOBN(0x4ff696eb, 0x21f4c77a), TOBN(0x1a79c3e4, 0xaab273af),\n TOBN(0x29bc922e, 0x9436b3f1), TOBN(0xff807ef8, 0xd6d9a27a)}},\n {{TOBN(0x82acea3d, 0x778f22a0), TOBN(0xfb10b2e8, 0x5b5e7469),\n TOBN(0xc0b16980, 0x2818ee7d), TOBN(0x011afff4, 0xc91c1a2f)},\n {TOBN(0x95a6d126, 0xad124418), TOBN(0x31c081a5, 0xe72e295f),\n TOBN(0x36bb283a, 0xf2f4db75), TOBN(0xd115540f, 0x7acef462)}},\n {{TOBN(0xc7f3a8f8, 0x33f6746c), TOBN(0x21e46f65, 0xfea990ca),\n TOBN(0x915fd5c5, 0xcaddb0a9), TOBN(0xbd41f016, 0x78614555)},\n {TOBN(0x346f4434, 0x426ffb58), TOBN(0x80559436, 0x14dbc204),\n TOBN(0xf3dd20fe, 0x5a969b7f), TOBN(0x9d59e956, 0xe899a39a)}},\n {{TOBN(0xf1b0971c, 0x8ad4cf4b), TOBN(0x03448860, 0x2ffb8fb8),\n TOBN(0xf071ac3c, 0x65340ba4), TOBN(0x408d0596, 0xb27fd758)},\n {TOBN(0xe7c78ea4, 0x98c364b0), TOBN(0xa4aac4a5, 0x051e8ab5),\n TOBN(0xb9e1d560, 0x485d9002), TOBN(0x9acd518a, 0x88844455)}},\n {{TOBN(0xe4ca688f, 0xd06f56c0), TOBN(0xa48af70d, 0xdf027972),\n TOBN(0x691f0f04, 0x5e9a609d), TOBN(0xa9dd82cd, 0xee61270e)},\n {TOBN(0x8903ca63, 0xa0ef18d3), TOBN(0x9fb7ee35, 0x3d6ca3bd),\n TOBN(0xa7b4a09c, 0xabf47d03), TOBN(0x4cdada01, 0x1c67de8e)}},\n {{TOBN(0x52003749, 0x9355a244), TOBN(0xe77fd2b6, 0x4f2151a9),\n TOBN(0x695d6cf6, 0x66b4efcb), TOBN(0xc5a0cacf, 0xda2cfe25)},\n {TOBN(0x104efe5c, 0xef811865), TOBN(0xf52813e8, 0x9ea5cc3d),\n TOBN(0x855683dc, 0x40b58dbc), TOBN(0x0338ecde, 0x175fcb11)}},\n {{TOBN(0xf9a05637, 0x74921592), TOBN(0xb4f1261d, 0xb9bb9d31),\n TOBN(0x551429b7, 0x4e9c5459), TOBN(0xbe182e6f, 0x6ea71f53)},\n {TOBN(0xd3a3b07c, 0xdfc50573), TOBN(0x9ba1afda, 0x62be8d44),\n TOBN(0x9bcfd2cb, 0x52ab65d3), TOBN(0xdf11d547, 0xa9571802)}},\n {{TOBN(0x099403ee, 0x02a2404a), TOBN(0x497406f4, 0x21088a71),\n TOBN(0x99479409, 0x5004ae71), TOBN(0xbdb42078, 0xa812c362)},\n {TOBN(0x2b72a30f, 0xd8828442), TOBN(0x283add27, 0xfcb5ed1c),\n TOBN(0xf7c0e200, 0x66a40015), TOBN(0x3e3be641, 0x08b295ef)}},\n {{TOBN(0xac127dc1, 0xe038a675), TOBN(0x729deff3, 0x8c5c6320),\n TOBN(0xb7df8fd4, 0xa90d2c53), TOBN(0x9b74b0ec, 0x681e7cd3)},\n {TOBN(0x5cb5a623, 0xdab407e5), TOBN(0xcdbd3615, 0x76b340c6),\n TOBN(0xa184415a, 0x7d28392c), TOBN(0xc184c1d8, 0xe96f7830)}},\n {{TOBN(0xc3204f19, 0x81d3a80f), TOBN(0xfde0c841, 0xc8e02432),\n TOBN(0x78203b3e, 0x8149e0c1), TOBN(0x5904bdbb, 0x08053a73)},\n {TOBN(0x30fc1dd1, 0x101b6805), TOBN(0x43c223bc, 0x49aa6d49),\n TOBN(0x9ed67141, 0x7a174087), TOBN(0x311469a0, 0xd5997008)}},\n {{TOBN(0xb189b684, 0x5e43fc61), TOBN(0xf3282375, 0xe0d3ab57),\n TOBN(0x4fa34b67, 0xb1181da8), TOBN(0x621ed0b2, 0x99ee52b8)},\n {TOBN(0x9b178de1, 0xad990676), TOBN(0xd51de67b, 0x56d54065),\n TOBN(0x2a2c27c4, 0x7538c201), TOBN(0x33856ec8, 0x38a40f5c)}},\n {{TOBN(0x2522fc15, 0xbe6cdcde), TOBN(0x1e603f33, 0x9f0c6f89),\n TOBN(0x7994edc3, 0x103e30a6), TOBN(0x033a00db, 0x220c853e)},\n {TOBN(0xd3cfa409, 0xf7bb7fd7), TOBN(0x70f8781e, 0x462d18f6),\n TOBN(0xbbd82980, 0x687fe295), TOBN(0x6eef4c32, 0x595669f3)}},\n {{TOBN(0x86a9303b, 0x2f7e85c3), TOBN(0x5fce4621, 0x71988f9b),\n TOBN(0x5b935bf6, 0xc138acb5), TOBN(0x30ea7d67, 0x25661212)},\n {TOBN(0xef1eb5f4, 0xe51ab9a2), TOBN(0x0587c98a, 0xae067c78),\n TOBN(0xb3ce1b3c, 0x77ca9ca6), TOBN(0x2a553d4d, 0x54b5f057)}},\n {{TOBN(0xc7898236, 0x4da29ec2), TOBN(0xdbdd5d13, 0xb9c57316),\n TOBN(0xc57d6e6b, 0x2cd80d47), TOBN(0x80b460cf, 0xfe9e7391)},\n {TOBN(0x98648cab, 0xf963c31e), TOBN(0x67f9f633, 0xcc4d32fd),\n TOBN(0x0af42a9d, 0xfdf7c687), TOBN(0x55f292a3, 0x0b015ea7)}},\n {{TOBN(0x89e468b2, 0xcd21ab3d), TOBN(0xe504f022, 0xc393d392),\n TOBN(0xab21e1d4, 0xa5013af9), TOBN(0xe3283f78, 0xc2c28acb)},\n {TOBN(0xf38b35f6, 0x226bf99f), TOBN(0xe8354274, 0x0e291e69),\n TOBN(0x61673a15, 0xb20c162d), TOBN(0xc101dc75, 0xb04fbdbe)}},\n {{TOBN(0x8323b4c2, 0x255bd617), TOBN(0x6c969693, 0x6c2a9154),\n TOBN(0xc6e65860, 0x62679387), TOBN(0x8e01db0c, 0xb8c88e23)},\n {TOBN(0x33c42873, 0x893a5559), TOBN(0x7630f04b, 0x47a3e149),\n TOBN(0xb5d80805, 0xddcf35f8), TOBN(0x582ca080, 0x77dfe732)}},\n {{TOBN(0x2c7156e1, 0x0b1894a0), TOBN(0x92034001, 0xd81c68c0),\n TOBN(0xed225d00, 0xc8b115b5), TOBN(0x237f9c22, 0x83b907f2)},\n {TOBN(0x0ea2f32f, 0x4470e2c0), TOBN(0xb725f7c1, 0x58be4e95),\n TOBN(0x0f1dcafa, 0xb1ae5463), TOBN(0x59ed5187, 0x1ba2fc04)}},\n {{TOBN(0xf6e0f316, 0xd0115d4d), TOBN(0x5180b12f, 0xd3691599),\n TOBN(0x157e32c9, 0x527f0a41), TOBN(0x7b0b081d, 0xa8e0ecc0)},\n {TOBN(0x6dbaaa8a, 0xbf4f0dd0), TOBN(0x99b289c7, 0x4d252696),\n TOBN(0x79b7755e, 0xdbf864fe), TOBN(0x6974e2b1, 0x76cad3ab)}},\n {{TOBN(0x35dbbee2, 0x06ddd657), TOBN(0xe7cbdd11, 0x2ff3a96d),\n TOBN(0x88381968, 0x076be758), TOBN(0x2d737e72, 0x08c91f5d)},\n {TOBN(0x5f83ab62, 0x86ec3776), TOBN(0x98aa649d, 0x945fa7a1),\n TOBN(0xf477ec37, 0x72ef0933), TOBN(0x66f52b1e, 0x098c17b1)}},\n {{TOBN(0x9eec58fb, 0xd803738b), TOBN(0x91aaade7, 0xe4e86aa4),\n TOBN(0x6b1ae617, 0xa5b51492), TOBN(0x63272121, 0xbbc45974)},\n {TOBN(0x7e0e28f0, 0x862c5129), TOBN(0x0a8f79a9, 0x3321a4a0),\n TOBN(0xe26d1664, 0x5041c88f), TOBN(0x0571b805, 0x53233e3a)}},\n {{TOBN(0xd1b0ccde, 0xc9520711), TOBN(0x55a9e4ed, 0x3c8b84bf),\n TOBN(0x9426bd39, 0xa1fef314), TOBN(0x4f5f638e, 0x6eb93f2b)},\n {TOBN(0xba2a1ed3, 0x2bf9341b), TOBN(0xd63c1321, 0x4d42d5a9),\n TOBN(0xd2964a89, 0x316dc7c5), TOBN(0xd1759606, 0xca511851)}},\n {{TOBN(0xd8a9201f, 0xf9e6ed35), TOBN(0xb7b5ee45, 0x6736925a),\n TOBN(0x0a83fbbc, 0x99581af7), TOBN(0x3076bc40, 0x64eeb051)},\n {TOBN(0x5511c98c, 0x02dec312), TOBN(0x270de898, 0x238dcb78),\n TOBN(0x2cf4cf9c, 0x539c08c9), TOBN(0xa70cb65e, 0x38d3b06e)}},\n {{TOBN(0xb12ec10e, 0xcfe57bbd), TOBN(0x82c7b656, 0x35a0c2b5),\n TOBN(0xddc7d5cd, 0x161c67bd), TOBN(0xe32e8985, 0xae3a32cc)},\n {TOBN(0x7aba9444, 0xd11a5529), TOBN(0xe964ed02, 0x2427fa1a),\n TOBN(0x1528392d, 0x24a1770a), TOBN(0xa152ce2c, 0x12c72fcd)}},\n {{TOBN(0x714553a4, 0x8ec07649), TOBN(0x18b4c290, 0x459dd453),\n TOBN(0xea32b714, 0x7b64b110), TOBN(0xb871bfa5, 0x2e6f07a2)},\n {TOBN(0xb67112e5, 0x9e2e3c9b), TOBN(0xfbf250e5, 0x44aa90f6),\n TOBN(0xf77aedb8, 0xbd539006), TOBN(0x3b0cdf9a, 0xd172a66f)}},\n {{TOBN(0xedf69fea, 0xf8c51187), TOBN(0x05bb67ec, 0x741e4da7),\n TOBN(0x47df0f32, 0x08114345), TOBN(0x56facb07, 0xbb9792b1)},\n {TOBN(0xf3e007e9, 0x8f6229e4), TOBN(0x62d103f4, 0x526fba0f),\n TOBN(0x4f33bef7, 0xb0339d79), TOBN(0x9841357b, 0xb59bfec1)}},\n {{TOBN(0xfa8dbb59, 0xc34e6705), TOBN(0xc3c7180b, 0x7fdaa84c),\n TOBN(0xf95872fc, 0xa4108537), TOBN(0x8750cc3b, 0x932a3e5a)},\n {TOBN(0xb61cc69d, 0xb7275d7d), TOBN(0xffa0168b, 0x2e59b2e9),\n TOBN(0xca032abc, 0x6ecbb493), TOBN(0x1d86dbd3, 0x2c9082d8)}},\n {{TOBN(0xae1e0b67, 0xe28ef5ba), TOBN(0x2c9a4699, 0xcb18e169),\n TOBN(0x0ecd0e33, 0x1e6bbd20), TOBN(0x571b360e, 0xaf5e81d2)},\n {TOBN(0xcd9fea58, 0x101c1d45), TOBN(0x6651788e, 0x18880452),\n TOBN(0xa9972635, 0x1f8dd446), TOBN(0x44bed022, 0xe37281d0)}},\n {{TOBN(0x094b2b2d, 0x33da525d), TOBN(0xf193678e, 0x13144fd8),\n TOBN(0xb8ab5ba4, 0xf4c1061d), TOBN(0x4343b5fa, 0xdccbe0f4)},\n {TOBN(0xa8702371, 0x63812713), TOBN(0x47bf6d2d, 0xf7611d93),\n TOBN(0x46729b8c, 0xbd21e1d7), TOBN(0x7484d4e0, 0xd629e77d)}},\n {{TOBN(0x830e6eea, 0x60dbac1f), TOBN(0x23d8c484, 0xda06a2f7),\n TOBN(0x896714b0, 0x50ca535b), TOBN(0xdc8d3644, 0xebd97a9b)},\n {TOBN(0x106ef9fa, 0xb12177b4), TOBN(0xf79bf464, 0x534d5d9c),\n TOBN(0x2537a349, 0xa6ab360b), TOBN(0xc7c54253, 0xa00c744f)}},\n {{TOBN(0xb3c7a047, 0xe5911a76), TOBN(0x61ffa5c8, 0x647f1ee7),\n TOBN(0x15aed36f, 0x8f56ab42), TOBN(0x6a0d41b0, 0xa3ff9ac9)},\n {TOBN(0x68f469f5, 0xcc30d357), TOBN(0xbe9adf81, 0x6b72be96),\n TOBN(0x1cd926fe, 0x903ad461), TOBN(0x7e89e38f, 0xcaca441b)}},\n {{TOBN(0xf0f82de5, 0xfacf69d4), TOBN(0x363b7e76, 0x4775344c),\n TOBN(0x6894f312, 0xb2e36d04), TOBN(0x3c6cb4fe, 0x11d1c9a5)},\n {TOBN(0x85d9c339, 0x4008e1f2), TOBN(0x5e9a85ea, 0x249f326c),\n TOBN(0xdc35c60a, 0x678c5e06), TOBN(0xc08b944f, 0x9f86fba9)}},\n {{TOBN(0xde40c02c, 0x89f71f0f), TOBN(0xad8f3e31, 0xff3da3c0),\n TOBN(0x3ea5096b, 0x42125ded), TOBN(0x13879cbf, 0xa7379183)},\n {TOBN(0x6f4714a5, 0x6b306a0b), TOBN(0x359c2ea6, 0x67646c5e),\n TOBN(0xfacf8943, 0x07726368), TOBN(0x07a58935, 0x65ff431e)}},\n {{TOBN(0x24d661d1, 0x68754ab0), TOBN(0x801fce1d, 0x6f429a76),\n TOBN(0xc068a85f, 0xa58ce769), TOBN(0xedc35c54, 0x5d5eca2b)},\n {TOBN(0xea31276f, 0xa3f660d1), TOBN(0xa0184ebe, 0xb8fc7167),\n TOBN(0x0f20f21a, 0x1d8db0ae), TOBN(0xd96d095f, 0x56c35e12)}},\n {{TOBN(0xedf402b5, 0xf8c2a25b), TOBN(0x1bb772b9, 0x059204b6),\n TOBN(0x50cbeae2, 0x19b4e34c), TOBN(0x93109d80, 0x3fa0845a)},\n {TOBN(0x54f7ccf7, 0x8ef59fb5), TOBN(0x3b438fe2, 0x88070963),\n TOBN(0x9e28c659, 0x31f3ba9b), TOBN(0x9cc31b46, 0xead9da92)}},\n {{TOBN(0x3c2f0ba9, 0xb733aa5f), TOBN(0xdece47cb, 0xf05af235),\n TOBN(0xf8e3f715, 0xa2ac82a5), TOBN(0xc97ba641, 0x2203f18a)},\n {TOBN(0xc3af5504, 0x09c11060), TOBN(0x56ea2c05, 0x46af512d),\n TOBN(0xfac28daf, 0xf3f28146), TOBN(0x87fab43a, 0x959ef494)}}},\n {{{TOBN(0x09891641, 0xd4c5105f), TOBN(0x1ae80f8e, 0x6d7fbd65),\n TOBN(0x9d67225f, 0xbee6bdb0), TOBN(0x3b433b59, 0x7fc4d860)},\n {TOBN(0x44e66db6, 0x93e85638), TOBN(0xf7b59252, 0xe3e9862f),\n TOBN(0xdb785157, 0x665c32ec), TOBN(0x702fefd7, 0xae362f50)}},\n {{TOBN(0x3754475d, 0x0fefb0c3), TOBN(0xd48fb56b, 0x46d7c35d),\n TOBN(0xa070b633, 0x363798a4), TOBN(0xae89f3d2, 0x8fdb98e6)},\n {TOBN(0x970b89c8, 0x6363d14c), TOBN(0x89817521, 0x67abd27d),\n TOBN(0x9bf7d474, 0x44d5a021), TOBN(0xb3083baf, 0xcac72aee)}},\n {{TOBN(0x389741de, 0xbe949a44), TOBN(0x638e9388, 0x546a4fa5),\n TOBN(0x3fe6419c, 0xa0047bdc), TOBN(0x7047f648, 0xaaea57ca)},\n {TOBN(0x54e48a90, 0x41fbab17), TOBN(0xda8e0b28, 0x576bdba2),\n TOBN(0xe807eebc, 0xc72afddc), TOBN(0x07d3336d, 0xf42577bf)}},\n {{TOBN(0x62a8c244, 0xbfe20925), TOBN(0x91c19ac3, 0x8fdce867),\n TOBN(0x5a96a5d5, 0xdd387063), TOBN(0x61d587d4, 0x21d324f6)},\n {TOBN(0xe87673a2, 0xa37173ea), TOBN(0x23848008, 0x53778b65),\n TOBN(0x10f8441e, 0x05bab43e), TOBN(0xfa11fe12, 0x4621efbe)}},\n {{TOBN(0x047b772e, 0x81685d7b), TOBN(0x23f27d81, 0xbf34a976),\n TOBN(0xc27608e2, 0x915f48ef), TOBN(0x3b0b43fa, 0xa521d5c3)},\n {TOBN(0x7613fb26, 0x63ca7284), TOBN(0x7f5729b4, 0x1d4db837),\n TOBN(0x87b14898, 0x583b526b), TOBN(0x00b732a6, 0xbbadd3d1)}},\n {{TOBN(0x8e02f426, 0x2048e396), TOBN(0x436b50b6, 0x383d9de4),\n TOBN(0xf78d3481, 0x471e85ad), TOBN(0x8b01ea6a, 0xd005c8d6)},\n {TOBN(0xd3c7afee, 0x97015c07), TOBN(0x46cdf1a9, 0x4e3ba2ae),\n TOBN(0x7a42e501, 0x83d3a1d2), TOBN(0xd54b5268, 0xb541dff4)}},\n {{TOBN(0x3f24cf30, 0x4e23e9bc), TOBN(0x4387f816, 0x126e3624),\n TOBN(0x26a46a03, 0x3b0b6d61), TOBN(0xaf1bc845, 0x8b2d777c)},\n {TOBN(0x25c401ba, 0x527de79c), TOBN(0x0e1346d4, 0x4261bbb6),\n TOBN(0x4b96c44b, 0x287b4bc7), TOBN(0x658493c7, 0x5254562f)}},\n {{TOBN(0x23f949fe, 0xb8a24a20), TOBN(0x17ebfed1, 0xf52ca53f),\n TOBN(0x9b691bbe, 0xbcfb4853), TOBN(0x5617ff6b, 0x6278a05d)},\n {TOBN(0x241b34c5, 0xe3c99ebd), TOBN(0xfc64242e, 0x1784156a),\n TOBN(0x4206482f, 0x695d67df), TOBN(0xb967ce0e, 0xee27c011)}},\n {{TOBN(0x65db3751, 0x21c80b5d), TOBN(0x2e7a563c, 0xa31ecca0),\n TOBN(0xe56ffc4e, 0x5238a07e), TOBN(0x3d6c2966, 0x32ced854)},\n {TOBN(0xe99d7d1a, 0xaf70b885), TOBN(0xafc3bad9, 0x2d686459),\n TOBN(0x9c78bf46, 0x0cc8ba5b), TOBN(0x5a439519, 0x18955aa3)}},\n {{TOBN(0xf8b517a8, 0x5fe4e314), TOBN(0xe60234d0, 0xfcb8906f),\n TOBN(0xffe542ac, 0xf2061b23), TOBN(0x287e191f, 0x6b4cb59c)},\n {TOBN(0x21857ddc, 0x09d877d8), TOBN(0x1c23478c, 0x14678941),\n TOBN(0xbbf0c056, 0xb6e05ea4), TOBN(0x82da4b53, 0xb01594fe)}},\n {{TOBN(0xf7526791, 0xfadb8608), TOBN(0x049e832d, 0x7b74cdf6),\n TOBN(0xa43581cc, 0xc2b90a34), TOBN(0x73639eb8, 0x9360b10c)},\n {TOBN(0x4fba331f, 0xe1e4a71b), TOBN(0x6ffd6b93, 0x8072f919),\n TOBN(0x6e53271c, 0x65679032), TOBN(0x67206444, 0xf14272ce)}},\n {{TOBN(0xc0f734a3, 0xb2335834), TOBN(0x9526205a, 0x90ef6860),\n TOBN(0xcb8be717, 0x04e2bb0d), TOBN(0x2418871e, 0x02f383fa)},\n {TOBN(0xd7177681, 0x4082c157), TOBN(0xcc914ad0, 0x29c20073),\n TOBN(0xf186c1eb, 0xe587e728), TOBN(0x6fdb3c22, 0x61bcd5fd)}},\n {{TOBN(0x30d014a6, 0xf2f9f8e9), TOBN(0x963ece23, 0x4fec49d2),\n TOBN(0x862025c5, 0x9605a8d9), TOBN(0x39874445, 0x19f8929a)},\n {TOBN(0x01b6ff65, 0x12bf476a), TOBN(0x598a64d8, 0x09cf7d91),\n TOBN(0xd7ec7749, 0x93be56ca), TOBN(0x10899785, 0xcbb33615)}},\n {{TOBN(0xb8a092fd, 0x02eee3ad), TOBN(0xa86b3d35, 0x30145270),\n TOBN(0x323d98c6, 0x8512b675), TOBN(0x4b8bc785, 0x62ebb40f)},\n {TOBN(0x7d301f54, 0x413f9cde), TOBN(0xa5e4fb4f, 0x2bab5664),\n TOBN(0x1d2b252d, 0x1cbfec23), TOBN(0xfcd576bb, 0xe177120d)}},\n {{TOBN(0x04427d3e, 0x83731a34), TOBN(0x2bb9028e, 0xed836e8e),\n TOBN(0xb36acff8, 0xb612ca7c), TOBN(0xb88fe5ef, 0xd3d9c73a)},\n {TOBN(0xbe2a6bc6, 0xedea4eb3), TOBN(0x43b93133, 0x488eec77),\n TOBN(0xf41ff566, 0xb17106e1), TOBN(0x469e9172, 0x654efa32)}},\n {{TOBN(0xb4480f04, 0x41c23fa3), TOBN(0xb4712eb0, 0xc1989a2e),\n TOBN(0x3ccbba0f, 0x93a29ca7), TOBN(0x6e205c14, 0xd619428c)},\n {TOBN(0x90db7957, 0xb3641686), TOBN(0x0432691d, 0x45ac8b4e),\n TOBN(0x07a759ac, 0xf64e0350), TOBN(0x0514d89c, 0x9c972517)}},\n {{TOBN(0x1701147f, 0xa8e67fc3), TOBN(0x9e2e0b8b, 0xab2085be),\n TOBN(0xd5651824, 0xac284e57), TOBN(0x890d4325, 0x74893664)},\n {TOBN(0x8a7c5e6e, 0xc55e68a3), TOBN(0xbf12e90b, 0x4339c85a),\n TOBN(0x31846b85, 0xf922b655), TOBN(0x9a54ce4d, 0x0bf4d700)}},\n {{TOBN(0xd7f4e83a, 0xf1a14295), TOBN(0x916f955c, 0xb285d4f9),\n TOBN(0xe57bb0e0, 0x99ffdaba), TOBN(0x28a43034, 0xeab0d152)},\n {TOBN(0x0a36ffa2, 0xb8a9cef8), TOBN(0x5517407e, 0xb9ec051a),\n TOBN(0x9c796096, 0xea68e672), TOBN(0x853db5fb, 0xfb3c77fb)}},\n {{TOBN(0x21474ba9, 0xe864a51a), TOBN(0x6c267699, 0x6e8a1b8b),\n TOBN(0x7c823626, 0x94120a28), TOBN(0xe61e9a48, 0x8383a5db)},\n {TOBN(0x7dd75003, 0x9f84216d), TOBN(0xab020d07, 0xad43cd85),\n TOBN(0x9437ae48, 0xda12c659), TOBN(0x6449c2eb, 0xe65452ad)}},\n {{TOBN(0xcc7c4c1c, 0x2cf9d7c1), TOBN(0x1320886a, 0xee95e5ab),\n TOBN(0xbb7b9056, 0xbeae170c), TOBN(0xc8a5b250, 0xdbc0d662)},\n {TOBN(0x4ed81432, 0xc11d2303), TOBN(0x7da66912, 0x1f03769f),\n TOBN(0x3ac7a5fd, 0x84539828), TOBN(0x14dada94, 0x3bccdd02)}},\n {{TOBN(0x8b84c321, 0x7ef6b0d1), TOBN(0x52a9477a, 0x7c933f22),\n TOBN(0x5ef6728a, 0xfd440b82), TOBN(0x5c3bd859, 0x6ce4bd5e)},\n {TOBN(0x918b80f5, 0xf22c2d3e), TOBN(0x368d5040, 0xb7bb6cc5),\n TOBN(0xb66142a1, 0x2695a11c), TOBN(0x60ac583a, 0xeb19ea70)}},\n {{TOBN(0x317cbb98, 0x0eab2437), TOBN(0x8cc08c55, 0x5e2654c8),\n TOBN(0xfe2d6520, 0xe6d8307f), TOBN(0xe9f147f3, 0x57428993)},\n {TOBN(0x5f9c7d14, 0xd2fd6cf1), TOBN(0xa3ecd064, 0x2d4fcbb0),\n TOBN(0xad83fef0, 0x8e7341f7), TOBN(0x643f23a0, 0x3a63115c)}},\n {{TOBN(0xd38a78ab, 0xe65ab743), TOBN(0xbf7c75b1, 0x35edc89c),\n TOBN(0x3dd8752e, 0x530df568), TOBN(0xf85c4a76, 0xe308c682)},\n {TOBN(0x4c9955b2, 0xe68acf37), TOBN(0xa544df3d, 0xab32af85),\n TOBN(0x4b8ec3f5, 0xa25cf493), TOBN(0x4d8f2764, 0x1a622feb)}},\n {{TOBN(0x7bb4f7aa, 0xf0dcbc49), TOBN(0x7de551f9, 0x70bbb45b),\n TOBN(0xcfd0f3e4, 0x9f2ca2e5), TOBN(0xece58709, 0x1f5c76ef)},\n {TOBN(0x32920edd, 0x167d79ae), TOBN(0x039df8a2, 0xfa7d7ec1),\n TOBN(0xf46206c0, 0xbb30af91), TOBN(0x1ff5e2f5, 0x22676b59)}},\n {{TOBN(0x11f4a039, 0x6ea51d66), TOBN(0x506c1445, 0x807d7a26),\n TOBN(0x60da5705, 0x755a9b24), TOBN(0x8fc8cc32, 0x1f1a319e)},\n {TOBN(0x83642d4d, 0x9433d67d), TOBN(0x7fa5cb8f, 0x6a7dd296),\n TOBN(0x576591db, 0x9b7bde07), TOBN(0x13173d25, 0x419716fb)}},\n {{TOBN(0xea30599d, 0xd5b340ff), TOBN(0xfc6b5297, 0xb0fe76c5),\n TOBN(0x1c6968c8, 0xab8f5adc), TOBN(0xf723c7f5, 0x901c928d)},\n {TOBN(0x4203c321, 0x9773d402), TOBN(0xdf7c6aa3, 0x1b51dd47),\n TOBN(0x3d49e37a, 0x552be23c), TOBN(0x57febee8, 0x0b5a6e87)}},\n {{TOBN(0xc5ecbee4, 0x7bd8e739), TOBN(0x79d44994, 0xae63bf75),\n TOBN(0x168bd00f, 0x38fb8923), TOBN(0x75d48ee4, 0xd0533130)},\n {TOBN(0x554f77aa, 0xdb5cdf33), TOBN(0x3396e896, 0x3c696769),\n TOBN(0x2fdddbf2, 0xd3fd674e), TOBN(0xbbb8f6ee, 0x99d0e3e5)}},\n {{TOBN(0x51b90651, 0xcbae2f70), TOBN(0xefc4bc05, 0x93aaa8eb),\n TOBN(0x8ecd8689, 0xdd1df499), TOBN(0x1aee99a8, 0x22f367a5)},\n {TOBN(0x95d485b9, 0xae8274c5), TOBN(0x6c14d445, 0x7d30b39c),\n TOBN(0xbafea90b, 0xbcc1ef81), TOBN(0x7c5f317a, 0xa459a2ed)}},\n {{TOBN(0x01211075, 0x4ef44227), TOBN(0xa17bed6e, 0xdc20f496),\n TOBN(0x0cdfe424, 0x819853cd), TOBN(0x13793298, 0xf71e2ce7)},\n {TOBN(0x3c1f3078, 0xdbbe307b), TOBN(0x6dd1c20e, 0x76ee9936),\n TOBN(0x23ee4b57, 0x423caa20), TOBN(0x4ac3793b, 0x8efb840e)}},\n {{TOBN(0x934438eb, 0xed1f8ca0), TOBN(0x3e546658, 0x4ebb25a2),\n TOBN(0xc415af0e, 0xc069896f), TOBN(0xc13eddb0, 0x9a5aa43d)},\n {TOBN(0x7a04204f, 0xd49eb8f6), TOBN(0xd0d5bdfc, 0xd74f1670),\n TOBN(0x3697e286, 0x56fc0558), TOBN(0x10207371, 0x01cebade)}},\n {{TOBN(0x5f87e690, 0x0647a82b), TOBN(0x908e0ed4, 0x8f40054f),\n TOBN(0xa9f633d4, 0x79853803), TOBN(0x8ed13c9a, 0x4a28b252)},\n {TOBN(0x3e2ef676, 0x1f460f64), TOBN(0x53930b9b, 0x36d06336),\n TOBN(0x347073ac, 0x8fc4979b), TOBN(0x84380e0e, 0x5ecd5597)}},\n {{TOBN(0xe3b22c6b, 0xc4fe3c39), TOBN(0xba4a8153, 0x6c7bebdf),\n TOBN(0xf23ab6b7, 0x25693459), TOBN(0x53bc3770, 0x14922b11)},\n {TOBN(0x4645c8ab, 0x5afc60db), TOBN(0xaa022355, 0x20b9f2a3),\n TOBN(0x52a2954c, 0xce0fc507), TOBN(0x8c2731bb, 0x7ce1c2e7)}},\n {{TOBN(0xf39608ab, 0x18a0339d), TOBN(0xac7a658d, 0x3735436c),\n TOBN(0xb22c2b07, 0xcd992b4f), TOBN(0x4e83daec, 0xf40dcfd4)},\n {TOBN(0x8a34c7be, 0x2f39ea3e), TOBN(0xef0c005f, 0xb0a56d2e),\n TOBN(0x62731f6a, 0x6edd8038), TOBN(0x5721d740, 0x4e3cb075)}},\n {{TOBN(0x1ea41511, 0xfbeeee1b), TOBN(0xd1ef5e73, 0xef1d0c05),\n TOBN(0x42feefd1, 0x73c07d35), TOBN(0xe530a00a, 0x8a329493)},\n {TOBN(0x5d55b7fe, 0xf15ebfb0), TOBN(0x549de03c, 0xd322491a),\n TOBN(0xf7b5f602, 0x745b3237), TOBN(0x3632a3a2, 0x1ab6e2b6)}},\n {{TOBN(0x0d3bba89, 0x0ef59f78), TOBN(0x0dfc6443, 0xc9e52b9a),\n TOBN(0x1dc79699, 0x72631447), TOBN(0xef033917, 0xb3be20b1)},\n {TOBN(0x0c92735d, 0xb1383948), TOBN(0xc1fc29a2, 0xc0dd7d7d),\n TOBN(0x6485b697, 0x403ed068), TOBN(0x13bfaab3, 0xaac93bdc)}},\n {{TOBN(0x410dc6a9, 0x0deeaf52), TOBN(0xb003fb02, 0x4c641c15),\n TOBN(0x1384978c, 0x5bc504c4), TOBN(0x37640487, 0x864a6a77)},\n {TOBN(0x05991bc6, 0x222a77da), TOBN(0x62260a57, 0x5e47eb11),\n TOBN(0xc7af6613, 0xf21b432c), TOBN(0x22f3acc9, 0xab4953e9)}},\n {{TOBN(0x52934922, 0x8e41d155), TOBN(0x4d024568, 0x3ac059ef),\n TOBN(0xb0201755, 0x4d884411), TOBN(0xce8055cf, 0xa59a178f)},\n {TOBN(0xcd77d1af, 0xf6204549), TOBN(0xa0a00a3e, 0xc7066759),\n TOBN(0x471071ef, 0x0272c229), TOBN(0x009bcf6b, 0xd3c4b6b0)}},\n {{TOBN(0x2a2638a8, 0x22305177), TOBN(0xd51d59df, 0x41645bbf),\n TOBN(0xa81142fd, 0xc0a7a3c0), TOBN(0xa17eca6d, 0x4c7063ee)},\n {TOBN(0x0bb887ed, 0x60d9dcec), TOBN(0xd6d28e51, 0x20ad2455),\n TOBN(0xebed6308, 0xa67102ba), TOBN(0x042c3114, 0x8bffa408)}},\n {{TOBN(0xfd099ac5, 0x8aa68e30), TOBN(0x7a6a3d7c, 0x1483513e),\n TOBN(0xffcc6b75, 0xba2d8f0c), TOBN(0x54dacf96, 0x1e78b954)},\n {TOBN(0xf645696f, 0xa4a9af89), TOBN(0x3a411940, 0x06ac98ec),\n TOBN(0x41b8b3f6, 0x22a67a20), TOBN(0x2d0b1e0f, 0x99dec626)}},\n {{TOBN(0x27c89192, 0x40be34e8), TOBN(0xc7162b37, 0x91907f35),\n TOBN(0x90188ec1, 0xa956702b), TOBN(0xca132f7d, 0xdf93769c)},\n {TOBN(0x3ece44f9, 0x0e2025b4), TOBN(0x67aaec69, 0x0c62f14c),\n TOBN(0xad741418, 0x22e3cc11), TOBN(0xcf9b75c3, 0x7ff9a50e)}},\n {{TOBN(0x02fa2b16, 0x4d348272), TOBN(0xbd99d61a, 0x9959d56d),\n TOBN(0xbc4f19db, 0x18762916), TOBN(0xcc7cce50, 0x49c1ac80)},\n {TOBN(0x4d59ebaa, 0xd846bd83), TOBN(0x8775a9dc, 0xa9202849),\n TOBN(0x07ec4ae1, 0x6e1f4ca9), TOBN(0x27eb5875, 0xba893f11)}},\n {{TOBN(0x00284d51, 0x662cc565), TOBN(0x82353a6b, 0x0db4138d),\n TOBN(0xd9c7aaaa, 0xaa32a594), TOBN(0xf5528b5e, 0xa5669c47)},\n {TOBN(0xf3220231, 0x2f23c5ff), TOBN(0xe3e8147a, 0x6affa3a1),\n TOBN(0xfb423d5c, 0x202ddda0), TOBN(0x3d6414ac, 0x6b871bd4)}},\n {{TOBN(0x586f82e1, 0xa51a168a), TOBN(0xb712c671, 0x48ae5448),\n TOBN(0x9a2e4bd1, 0x76233eb8), TOBN(0x0188223a, 0x78811ca9)},\n {TOBN(0x553c5e21, 0xf7c18de1), TOBN(0x7682e451, 0xb27bb286),\n TOBN(0x3ed036b3, 0x0e51e929), TOBN(0xf487211b, 0xec9cb34f)}},\n {{TOBN(0x0d094277, 0x0c24efc8), TOBN(0x0349fd04, 0xbef737a4),\n TOBN(0x6d1c9dd2, 0x514cdd28), TOBN(0x29c135ff, 0x30da9521)},\n {TOBN(0xea6e4508, 0xf78b0b6f), TOBN(0x176f5dd2, 0x678c143c),\n TOBN(0x08148418, 0x4be21e65), TOBN(0x27f7525c, 0xe7df38c4)}},\n {{TOBN(0x1fb70e09, 0x748ab1a4), TOBN(0x9cba50a0, 0x5efe4433),\n TOBN(0x7846c7a6, 0x15f75af2), TOBN(0x2a7c2c57, 0x5ee73ea8)},\n {TOBN(0x42e566a4, 0x3f0a449a), TOBN(0x45474c3b, 0xad90fc3d),\n TOBN(0x7447be3d, 0x8b61d057), TOBN(0x3e9d1cf1, 0x3a4ec092)}},\n {{TOBN(0x1603e453, 0xf380a6e6), TOBN(0x0b86e431, 0x9b1437c2),\n TOBN(0x7a4173f2, 0xef29610a), TOBN(0x8fa729a7, 0xf03d57f7)},\n {TOBN(0x3e186f6e, 0x6c9c217e), TOBN(0xbe1d3079, 0x91919524),\n TOBN(0x92a62a70, 0x153d4fb1), TOBN(0x32ed3e34, 0xd68c2f71)}},\n {{TOBN(0xd785027f, 0x9eb1a8b7), TOBN(0xbc37eb77, 0xc5b22fe8),\n TOBN(0x466b34f0, 0xb9d6a191), TOBN(0x008a89af, 0x9a05f816)},\n {TOBN(0x19b028fb, 0x7d42c10a), TOBN(0x7fe8c92f, 0x49b3f6b8),\n TOBN(0x58907cc0, 0xa5a0ade3), TOBN(0xb3154f51, 0x559d1a7c)}},\n {{TOBN(0x5066efb6, 0xd9790ed6), TOBN(0xa77a0cbc, 0xa6aa793b),\n TOBN(0x1a915f3c, 0x223e042e), TOBN(0x1c5def04, 0x69c5874b)},\n {TOBN(0x0e830078, 0x73b6c1da), TOBN(0x55cf85d2, 0xfcd8557a),\n TOBN(0x0f7c7c76, 0x0460f3b1), TOBN(0x87052acb, 0x46e58063)}},\n {{TOBN(0x09212b80, 0x907eae66), TOBN(0x3cb068e0, 0x4d721c89),\n TOBN(0xa87941ae, 0xdd45ac1c), TOBN(0xde8d5c0d, 0x0daa0dbb)},\n {TOBN(0xda421fdc, 0xe3502e6e), TOBN(0xc8944201, 0x4d89a084),\n TOBN(0x7307ba5e, 0xf0c24bfb), TOBN(0xda212beb, 0x20bde0ef)}},\n {{TOBN(0xea2da24b, 0xf82ce682), TOBN(0x058d3816, 0x07f71fe4),\n TOBN(0x35a02462, 0x5ffad8de), TOBN(0xcd7b05dc, 0xaadcefab)},\n {TOBN(0xd442f8ed, 0x1d9f54ec), TOBN(0x8be3d618, 0xb2d3b5ca),\n TOBN(0xe2220ed0, 0xe06b2ce2), TOBN(0x82699a5f, 0x1b0da4c0)}},\n {{TOBN(0x3ff106f5, 0x71c0c3a7), TOBN(0x8f580f5a, 0x0d34180c),\n TOBN(0x4ebb120e, 0x22d7d375), TOBN(0x5e5782cc, 0xe9513675)},\n {TOBN(0x2275580c, 0x99c82a70), TOBN(0xe8359fbf, 0x15ea8c4c),\n TOBN(0x53b48db8, 0x7b415e70), TOBN(0xaacf2240, 0x100c6014)}},\n {{TOBN(0x9faaccf5, 0xe4652f1d), TOBN(0xbd6fdd2a, 0xd56157b2),\n TOBN(0xa4f4fb1f, 0x6261ec50), TOBN(0x244e55ad, 0x476bcd52)},\n {TOBN(0x881c9305, 0x047d320b), TOBN(0x1ca983d5, 0x6181263f),\n TOBN(0x354e9a44, 0x278fb8ee), TOBN(0xad2dbc0f, 0x396e4964)}},\n {{TOBN(0x723f3aa2, 0x9268b3de), TOBN(0x0d1ca29a, 0xe6e0609a),\n TOBN(0x794866aa, 0x6cf44252), TOBN(0x0b59f3e3, 0x01af87ed)},\n {TOBN(0xe234e5ff, 0x7f4a6c51), TOBN(0xa8768fd2, 0x61dc2f7e),\n TOBN(0xdafc7332, 0x0a94d81f), TOBN(0xd7f84282, 0x06938ce1)}},\n {{TOBN(0xae0b3c0e, 0x0546063e), TOBN(0x7fbadcb2, 0x5d61abc6),\n TOBN(0xd5d7a2c9, 0x369ac400), TOBN(0xa5978d09, 0xae67d10c)},\n {TOBN(0x290f211e, 0x4f85eaac), TOBN(0xe61e2ad1, 0xfacac681),\n TOBN(0xae125225, 0x388384cd), TOBN(0xa7fb68e9, 0xccfde30f)}},\n {{TOBN(0x7a59b936, 0x3daed4c2), TOBN(0x80a9aa40, 0x2606f789),\n TOBN(0xb40c1ea5, 0xf6a6d90a), TOBN(0x948364d3, 0x514d5885)},\n {TOBN(0x062ebc60, 0x70985182), TOBN(0xa6db5b0e, 0x33310895),\n TOBN(0x64a12175, 0xe329c2f5), TOBN(0xc5f25bd2, 0x90ea237e)}},\n {{TOBN(0x7915c524, 0x2d0a4c23), TOBN(0xeb5d26e4, 0x6bb3cc52),\n TOBN(0x369a9116, 0xc09e2c92), TOBN(0x0c527f92, 0xcf182cf8)},\n {TOBN(0x9e591938, 0x2aede0ac), TOBN(0xb2922208, 0x6cc34939),\n TOBN(0x3c9d8962, 0x99a34361), TOBN(0x3c81836d, 0xc1905fe6)}},\n {{TOBN(0x4bfeb57f, 0xa001ec5a), TOBN(0xe993f5bb, 0xa0dc5dba),\n TOBN(0x47884109, 0x724a1380), TOBN(0x8a0369ab, 0x32fe9a04)},\n {TOBN(0xea068d60, 0x8c927db8), TOBN(0xbf5f37cf, 0x94655741),\n TOBN(0x47d402a2, 0x04b6c7ea), TOBN(0x4551c295, 0x6af259cb)}},\n {{TOBN(0x698b71e7, 0xed77ee8b), TOBN(0xbddf7bd0, 0xf309d5c7),\n TOBN(0x6201c22c, 0x34e780ca), TOBN(0xab04f7d8, 0x4c295ef4)},\n {TOBN(0x1c947294, 0x4313a8ce), TOBN(0xe532e4ac, 0x92ca4cfe),\n TOBN(0x89738f80, 0xd0a7a97a), TOBN(0xec088c88, 0xa580fd5b)}},\n {{TOBN(0x612b1ecc, 0x42ce9e51), TOBN(0x8f9840fd, 0xb25fdd2a),\n TOBN(0x3cda78c0, 0x01e7f839), TOBN(0x546b3d3a, 0xece05480)},\n {TOBN(0x271719a9, 0x80d30916), TOBN(0x45497107, 0x584c20c4),\n TOBN(0xaf8f9478, 0x5bc78608), TOBN(0x28c7d484, 0x277e2a4c)}},\n {{TOBN(0xfce01767, 0x88a2ffe4), TOBN(0xdc506a35, 0x28e169a5),\n TOBN(0x0ea10861, 0x7af9c93a), TOBN(0x1ed24361, 0x03fa0e08)},\n {TOBN(0x96eaaa92, 0xa3d694e7), TOBN(0xc0f43b4d, 0xef50bc74),\n TOBN(0xce6aa58c, 0x64114db4), TOBN(0x8218e8ea, 0x7c000fd4)}},\n {{TOBN(0xac815dfb, 0x185f8844), TOBN(0xcd7e90cb, 0x1557abfb),\n TOBN(0x23d16655, 0xafbfecdf), TOBN(0x80f3271f, 0x085cac4a)},\n {TOBN(0x7fc39aa7, 0xd0e62f47), TOBN(0x88d519d1, 0x460a48e5),\n TOBN(0x59559ac4, 0xd28f101e), TOBN(0x7981d9e9, 0xca9ae816)}},\n {{TOBN(0x5c38652c, 0x9ac38203), TOBN(0x86eaf87f, 0x57657fe5),\n TOBN(0x568fc472, 0xe21f5416), TOBN(0x2afff39c, 0xe7e597b5)},\n {TOBN(0x3adbbb07, 0x256d4eab), TOBN(0x22598692, 0x8285ab89),\n TOBN(0x35f8112a, 0x041caefe), TOBN(0x95df02e3, 0xa5064c8b)}},\n {{TOBN(0x4d63356e, 0xc7004bf3), TOBN(0x230a08f4, 0xdb83c7de),\n TOBN(0xca27b270, 0x8709a7b7), TOBN(0x0d1c4cc4, 0xcb9abd2d)},\n {TOBN(0x8a0bc66e, 0x7550fee8), TOBN(0x369cd4c7, 0x9cf7247e),\n TOBN(0x75562e84, 0x92b5b7e7), TOBN(0x8fed0da0, 0x5802af7b)}},\n {{TOBN(0x6a7091c2, 0xe48fb889), TOBN(0x26882c13, 0x7b8a9d06),\n TOBN(0xa2498663, 0x1b82a0e2), TOBN(0x844ed736, 0x3518152d)},\n {TOBN(0x282f476f, 0xd86e27c7), TOBN(0xa04edaca, 0x04afefdc),\n TOBN(0x8b256ebc, 0x6119e34d), TOBN(0x56a413e9, 0x0787d78b)}}},\n {{{TOBN(0x82ee061d, 0x5a74be50), TOBN(0xe41781c4, 0xdea16ff5),\n TOBN(0xe0b0c81e, 0x99bfc8a2), TOBN(0x624f4d69, 0x0b547e2d)},\n {TOBN(0x3a83545d, 0xbdcc9ae4), TOBN(0x2573dbb6, 0x409b1e8e),\n TOBN(0x482960c4, 0xa6c93539), TOBN(0xf01059ad, 0x5ae18798)}},\n {{TOBN(0x715c9f97, 0x3112795f), TOBN(0xe8244437, 0x984e6ee1),\n TOBN(0x55cb4858, 0xecb66bcd), TOBN(0x7c136735, 0xabaffbee)},\n {TOBN(0x54661595, 0x5dbec38e), TOBN(0x51c0782c, 0x388ad153),\n TOBN(0x9ba4c53a, 0xc6e0952f), TOBN(0x27e6782a, 0x1b21dfa8)}},\n {{TOBN(0x682f903d, 0x4ed2dbc2), TOBN(0x0eba59c8, 0x7c3b2d83),\n TOBN(0x8e9dc84d, 0x9c7e9335), TOBN(0x5f9b21b0, 0x0eb226d7)},\n {TOBN(0xe33bd394, 0xaf267bae), TOBN(0xaa86cc25, 0xbe2e15ae),\n TOBN(0x4f0bf67d, 0x6a8ec500), TOBN(0x5846aa44, 0xf9630658)}},\n {{TOBN(0xfeb09740, 0xe2c2bf15), TOBN(0x627a2205, 0xa9e99704),\n TOBN(0xec8d73d0, 0xc2fbc565), TOBN(0x223eed8f, 0xc20c8de8)},\n {TOBN(0x1ee32583, 0xa8363b49), TOBN(0x1a0b6cb9, 0xc9c2b0a6),\n TOBN(0x49f7c3d2, 0x90dbc85c), TOBN(0xa8dfbb97, 0x1ef4c1ac)}},\n {{TOBN(0xafb34d4c, 0x65c7c2ab), TOBN(0x1d4610e7, 0xe2c5ea84),\n TOBN(0x893f6d1b, 0x973c4ab5), TOBN(0xa3cdd7e9, 0x945ba5c4)},\n {TOBN(0x60514983, 0x064417ee), TOBN(0x1459b23c, 0xad6bdf2b),\n TOBN(0x23b2c341, 0x5cf726c3), TOBN(0x3a829635, 0x32d6354a)}},\n {{TOBN(0x294f901f, 0xab192c18), TOBN(0xec5fcbfe, 0x7030164f),\n TOBN(0xe2e2fcb7, 0xe2246ba6), TOBN(0x1e7c88b3, 0x221a1a0c)},\n {TOBN(0x72c7dd93, 0xc92d88c5), TOBN(0x41c2148e, 0x1106fb59),\n TOBN(0x547dd4f5, 0xa0f60f14), TOBN(0xed9b52b2, 0x63960f31)}},\n {{TOBN(0x6c8349eb, 0xb0a5b358), TOBN(0xb154c5c2, 0x9e7e2ed6),\n TOBN(0xcad5eccf, 0xeda462db), TOBN(0xf2d6dbe4, 0x2de66b69)},\n {TOBN(0x426aedf3, 0x8665e5b2), TOBN(0x488a8513, 0x7b7f5723),\n TOBN(0x15cc43b3, 0x8bcbb386), TOBN(0x27ad0af3, 0xd791d879)}},\n {{TOBN(0xc16c236e, 0x846e364f), TOBN(0x7f33527c, 0xdea50ca0),\n TOBN(0xc4810775, 0x0926b86d), TOBN(0x6c2a3609, 0x0598e70c)},\n {TOBN(0xa6755e52, 0xf024e924), TOBN(0xe0fa07a4, 0x9db4afca),\n TOBN(0x15c3ce7d, 0x66831790), TOBN(0x5b4ef350, 0xa6cbb0d6)}},\n {{TOBN(0x2c4aafc4, 0xb6205969), TOBN(0x42563f02, 0xf6c7854f),\n TOBN(0x016aced5, 0x1d983b48), TOBN(0xfeb356d8, 0x99949755)},\n {TOBN(0x8c2a2c81, 0xd1a39bd7), TOBN(0x8f44340f, 0xe6934ae9),\n TOBN(0x148cf91c, 0x447904da), TOBN(0x7340185f, 0x0f51a926)}},\n {{TOBN(0x2f8f00fb, 0x7409ab46), TOBN(0x057e78e6, 0x80e289b2),\n TOBN(0x03e5022c, 0xa888e5d1), TOBN(0x3c87111a, 0x9dede4e2)},\n {TOBN(0x5b9b0e1c, 0x7809460b), TOBN(0xe751c852, 0x71c9abc7),\n TOBN(0x8b944e28, 0xc7cc1dc9), TOBN(0x4f201ffa, 0x1d3cfa08)}},\n {{TOBN(0x02fc905c, 0x3e6721ce), TOBN(0xd52d70da, 0xd0b3674c),\n TOBN(0x5dc2e5ca, 0x18810da4), TOBN(0xa984b273, 0x5c69dd99)},\n {TOBN(0x63b92527, 0x84de5ca4), TOBN(0x2f1c9872, 0xc852dec4),\n TOBN(0x18b03593, 0xc2e3de09), TOBN(0x19d70b01, 0x9813dc2f)}},\n {{TOBN(0x42806b2d, 0xa6dc1d29), TOBN(0xd3030009, 0xf871e144),\n TOBN(0xa1feb333, 0xaaf49276), TOBN(0xb5583b9e, 0xc70bc04b)},\n {TOBN(0x1db0be78, 0x95695f20), TOBN(0xfc841811, 0x89d012b5),\n TOBN(0x6409f272, 0x05f61643), TOBN(0x40d34174, 0xd5883128)}},\n {{TOBN(0xd79196f5, 0x67419833), TOBN(0x6059e252, 0x863b7b08),\n TOBN(0x84da1817, 0x1c56700c), TOBN(0x5758ee56, 0xb28d3ec4)},\n {TOBN(0x7da2771d, 0x013b0ea6), TOBN(0xfddf524b, 0x54c5e9b9),\n TOBN(0x7df4faf8, 0x24305d80), TOBN(0x58f5c1bf, 0x3a97763f)}},\n {{TOBN(0xa5af37f1, 0x7c696042), TOBN(0xd4cba22c, 0x4a2538de),\n TOBN(0x211cb995, 0x9ea42600), TOBN(0xcd105f41, 0x7b069889)},\n {TOBN(0xb1e1cf19, 0xddb81e74), TOBN(0x472f2d89, 0x5157b8ca),\n TOBN(0x086fb008, 0xee9db885), TOBN(0x365cd570, 0x0f26d131)}},\n {{TOBN(0x284b02bb, 0xa2be7053), TOBN(0xdcbbf7c6, 0x7ab9a6d6),\n TOBN(0x4425559c, 0x20f7a530), TOBN(0x961f2dfa, 0x188767c8)},\n {TOBN(0xe2fd9435, 0x70dc80c4), TOBN(0x104d6b63, 0xf0784120),\n TOBN(0x7f592bc1, 0x53567122), TOBN(0xf6bc1246, 0xf688ad77)}},\n {{TOBN(0x05214c05, 0x0f15dde9), TOBN(0xa47a76a8, 0x0d5f2b82),\n TOBN(0xbb254d30, 0x62e82b62), TOBN(0x11a05fe0, 0x3ec955ee)},\n {TOBN(0x7eaff46e, 0x9d529b36), TOBN(0x55ab1301, 0x8f9e3df6),\n TOBN(0xc463e371, 0x99317698), TOBN(0xfd251438, 0xccda47ad)}},\n {{TOBN(0xca9c3547, 0x23d695ea), TOBN(0x48ce626e, 0x16e589b5),\n TOBN(0x6b5b64c7, 0xb187d086), TOBN(0xd02e1794, 0xb2207948)},\n {TOBN(0x8b58e98f, 0x7198111d), TOBN(0x90ca6305, 0xdcf9c3cc),\n TOBN(0x5691fe72, 0xf34089b0), TOBN(0x60941af1, 0xfc7c80ff)}},\n {{TOBN(0xa09bc0a2, 0x22eb51e5), TOBN(0xc0bb7244, 0xaa9cf09a),\n TOBN(0x36a8077f, 0x80159f06), TOBN(0x8b5c989e, 0xdddc560e)},\n {TOBN(0x19d2f316, 0x512e1f43), TOBN(0x02eac554, 0xad08ff62),\n TOBN(0x012ab84c, 0x07d20b4e), TOBN(0x37d1e115, 0xd6d4e4e1)}},\n {{TOBN(0xb6443e1a, 0xab7b19a8), TOBN(0xf08d067e, 0xdef8cd45),\n TOBN(0x63adf3e9, 0x685e03da), TOBN(0xcf15a10e, 0x4792b916)},\n {TOBN(0xf44bcce5, 0xb738a425), TOBN(0xebe131d5, 0x9636b2fd),\n TOBN(0x94068841, 0x7850d605), TOBN(0x09684eaa, 0xb40d749d)}},\n {{TOBN(0x8c3c669c, 0x72ba075b), TOBN(0x89f78b55, 0xba469015),\n TOBN(0x5706aade, 0x3e9f8ba8), TOBN(0x6d8bd565, 0xb32d7ed7)},\n {TOBN(0x25f4e63b, 0x805f08d6), TOBN(0x7f48200d, 0xc3bcc1b5),\n TOBN(0x4e801968, 0xb025d847), TOBN(0x74afac04, 0x87cbe0a8)}},\n {{TOBN(0x43ed2c2b, 0x7e63d690), TOBN(0xefb6bbf0, 0x0223cdb8),\n TOBN(0x4fec3cae, 0x2884d3fe), TOBN(0x065ecce6, 0xd75e25a4)},\n {TOBN(0x6c2294ce, 0x69f79071), TOBN(0x0d9a8e5f, 0x044b8666),\n TOBN(0x5009f238, 0x17b69d8f), TOBN(0x3c29f8fe, 0xc5dfdaf7)}},\n {{TOBN(0x9067528f, 0xebae68c4), TOBN(0x5b385632, 0x30c5ba21),\n TOBN(0x540df119, 0x1fdd1aec), TOBN(0xcf37825b, 0xcfba4c78)},\n {TOBN(0x77eff980, 0xbeb11454), TOBN(0x40a1a991, 0x60c1b066),\n TOBN(0xe8018980, 0xf889a1c7), TOBN(0xb9c52ae9, 0x76c24be0)}},\n {{TOBN(0x05fbbcce, 0x45650ef4), TOBN(0xae000f10, 0x8aa29ac7),\n TOBN(0x884b7172, 0x4f04c470), TOBN(0x7cd4fde2, 0x19bb5c25)},\n {TOBN(0x6477b22a, 0xe8840869), TOBN(0xa8868859, 0x5fbd0686),\n TOBN(0xf23cc02e, 0x1116dfba), TOBN(0x76cd563f, 0xd87d7776)}},\n {{TOBN(0xe2a37598, 0xa9d82abf), TOBN(0x5f188ccb, 0xe6c170f5),\n TOBN(0x81682200, 0x5066b087), TOBN(0xda22c212, 0xc7155ada)},\n {TOBN(0x151e5d3a, 0xfbddb479), TOBN(0x4b606b84, 0x6d715b99),\n TOBN(0x4a73b54b, 0xf997cb2e), TOBN(0x9a1bfe43, 0x3ecd8b66)}},\n {{TOBN(0x1c312809, 0x2a67d48a), TOBN(0xcd6a671e, 0x031fa9e2),\n TOBN(0xbec3312a, 0x0e43a34a), TOBN(0x1d935639, 0x55ef47d3)},\n {TOBN(0x5ea02489, 0x8fea73ea), TOBN(0x8247b364, 0xa035afb2),\n TOBN(0xb58300a6, 0x5265b54c), TOBN(0x3286662f, 0x722c7148)}},\n {{TOBN(0xb77fd76b, 0xb4ec4c20), TOBN(0xf0a12fa7, 0x0f3fe3fd),\n TOBN(0xf845bbf5, 0x41d8c7e8), TOBN(0xe4d969ca, 0x5ec10aa8)},\n {TOBN(0x4c0053b7, 0x43e232a3), TOBN(0xdc7a3fac, 0x37f8a45a),\n TOBN(0x3c4261c5, 0x20d81c8f), TOBN(0xfd4b3453, 0xb00eab00)}},\n {{TOBN(0x76d48f86, 0xd36e3062), TOBN(0x626c5277, 0xa143ff02),\n TOBN(0x538174de, 0xaf76f42e), TOBN(0x2267aa86, 0x6407ceac)},\n {TOBN(0xfad76351, 0x72e572d5), TOBN(0xab861af7, 0xba7330eb),\n TOBN(0xa0a1c8c7, 0x418d8657), TOBN(0x988821cb, 0x20289a52)}},\n {{TOBN(0x79732522, 0xcccc18ad), TOBN(0xaadf3f8d, 0xf1a6e027),\n TOBN(0xf7382c93, 0x17c2354d), TOBN(0x5ce1680c, 0xd818b689)},\n {TOBN(0x359ebbfc, 0xd9ecbee9), TOBN(0x4330689c, 0x1cae62ac),\n TOBN(0xb55ce5b4, 0xc51ac38a), TOBN(0x7921dfea, 0xfe238ee8)}},\n {{TOBN(0x3972bef8, 0x271d1ca5), TOBN(0x3e423bc7, 0xe8aabd18),\n TOBN(0x57b09f3f, 0x44a3e5e3), TOBN(0x5da886ae, 0x7b444d66)},\n {TOBN(0x68206634, 0xa9964375), TOBN(0x356a2fa3, 0x699cd0ff),\n TOBN(0xaf0faa24, 0xdba515e9), TOBN(0x536e1f5c, 0xb321d79a)}},\n {{TOBN(0xd3b9913a, 0x5c04e4ea), TOBN(0xd549dcfe, 0xd6f11513),\n TOBN(0xee227bf5, 0x79fd1d94), TOBN(0x9f35afee, 0xb43f2c67)},\n {TOBN(0xd2638d24, 0xf1314f53), TOBN(0x62baf948, 0xcabcd822),\n TOBN(0x5542de29, 0x4ef48db0), TOBN(0xb3eb6a04, 0xfc5f6bb2)}},\n {{TOBN(0x23c110ae, 0x1208e16a), TOBN(0x1a4d15b5, 0xf8363e24),\n TOBN(0x30716844, 0x164be00b), TOBN(0xa8e24824, 0xf6f4690d)},\n {TOBN(0x548773a2, 0x90b170cf), TOBN(0xa1bef331, 0x42f191f4),\n TOBN(0x70f418d0, 0x9247aa97), TOBN(0xea06028e, 0x48be9147)}},\n {{TOBN(0xe13122f3, 0xdbfb894e), TOBN(0xbe9b79f6, 0xce274b18),\n TOBN(0x85a49de5, 0xca58aadf), TOBN(0x24957758, 0x11487351)},\n {TOBN(0x111def61, 0xbb939099), TOBN(0x1d6a974a, 0x26d13694),\n TOBN(0x4474b4ce, 0xd3fc253b), TOBN(0x3a1485e6, 0x4c5db15e)}},\n {{TOBN(0xe79667b4, 0x147c15b4), TOBN(0xe34f553b, 0x7bc61301),\n TOBN(0x032b80f8, 0x17094381), TOBN(0x55d8bafd, 0x723eaa21)},\n {TOBN(0x5a987995, 0xf1c0e74e), TOBN(0x5a9b292e, 0xebba289c),\n TOBN(0x413cd4b2, 0xeb4c8251), TOBN(0x98b5d243, 0xd162db0a)}},\n {{TOBN(0xbb47bf66, 0x68342520), TOBN(0x08d68949, 0xbaa862d1),\n TOBN(0x11f349c7, 0xe906abcd), TOBN(0x454ce985, 0xed7bf00e)},\n {TOBN(0xacab5c9e, 0xb55b803b), TOBN(0xb03468ea, 0x31e3c16d),\n TOBN(0x5c24213d, 0xd273bf12), TOBN(0x211538eb, 0x71587887)}},\n {{TOBN(0x198e4a2f, 0x731dea2d), TOBN(0xd5856cf2, 0x74ed7b2a),\n TOBN(0x86a632eb, 0x13a664fe), TOBN(0x932cd909, 0xbda41291)},\n {TOBN(0x850e95d4, 0xc0c4ddc0), TOBN(0xc0f422f8, 0x347fc2c9),\n TOBN(0xe68cbec4, 0x86076bcb), TOBN(0xf9e7c0c0, 0xcd6cd286)}},\n {{TOBN(0x65994ddb, 0x0f5f27ca), TOBN(0xe85461fb, 0xa80d59ff),\n TOBN(0xff05481a, 0x66601023), TOBN(0xc665427a, 0xfc9ebbfb)},\n {TOBN(0xb0571a69, 0x7587fd52), TOBN(0x935289f8, 0x8d49efce),\n TOBN(0x61becc60, 0xea420688), TOBN(0xb22639d9, 0x13a786af)}},\n {{TOBN(0x1a8e6220, 0x361ecf90), TOBN(0x001f23e0, 0x25506463),\n TOBN(0xe4ae9b5d, 0x0a5c2b79), TOBN(0xebc9cdad, 0xd8149db5)},\n {TOBN(0xb33164a1, 0x934aa728), TOBN(0x750eb00e, 0xae9b60f3),\n TOBN(0x5a91615b, 0x9b9cfbfd), TOBN(0x97015cbf, 0xef45f7f6)}},\n {{TOBN(0xb462c4a5, 0xbf5151df), TOBN(0x21adcc41, 0xb07118f2),\n TOBN(0xd60c545b, 0x043fa42c), TOBN(0xfc21aa54, 0xe96be1ab)},\n {TOBN(0xe84bc32f, 0x4e51ea80), TOBN(0x3dae45f0, 0x259b5d8d),\n TOBN(0xbb73c7eb, 0xc38f1b5e), TOBN(0xe405a74a, 0xe8ae617d)}},\n {{TOBN(0xbb1ae9c6, 0x9f1c56bd), TOBN(0x8c176b98, 0x49f196a4),\n TOBN(0xc448f311, 0x6875092b), TOBN(0xb5afe3de, 0x9f976033)},\n {TOBN(0xa8dafd49, 0x145813e5), TOBN(0x687fc4d9, 0xe2b34226),\n TOBN(0xf2dfc92d, 0x4c7ff57f), TOBN(0x004e3fc1, 0x401f1b46)}},\n {{TOBN(0x5afddab6, 0x1430c9ab), TOBN(0x0bdd41d3, 0x2238e997),\n TOBN(0xf0947430, 0x418042ae), TOBN(0x71f9adda, 0xcdddc4cb)},\n {TOBN(0x7090c016, 0xc52dd907), TOBN(0xd9bdf44d, 0x29e2047f),\n TOBN(0xe6f1fe80, 0x1b1011a6), TOBN(0xb63accbc, 0xd9acdc78)}},\n {{TOBN(0xcfc7e235, 0x1272a95b), TOBN(0x0c667717, 0xa6276ac8),\n TOBN(0x3c0d3709, 0xe2d7eef7), TOBN(0x5add2b06, 0x9a685b3e)},\n {TOBN(0x363ad32d, 0x14ea5d65), TOBN(0xf8e01f06, 0x8d7dd506),\n TOBN(0xc9ea2213, 0x75b4aac6), TOBN(0xed2a2bf9, 0x0d353466)}},\n {{TOBN(0x439d79b5, 0xe9d3a7c3), TOBN(0x8e0ee5a6, 0x81b7f34b),\n TOBN(0xcf3dacf5, 0x1dc4ba75), TOBN(0x1d3d1773, 0xeb3310c7)},\n {TOBN(0xa8e67112, 0x7747ae83), TOBN(0x31f43160, 0x197d6b40),\n TOBN(0x0521ccee, 0xcd961400), TOBN(0x67246f11, 0xf6535768)}},\n {{TOBN(0x702fcc5a, 0xef0c3133), TOBN(0x247cc45d, 0x7e16693b),\n TOBN(0xfd484e49, 0xc729b749), TOBN(0x522cef7d, 0xb218320f)},\n {TOBN(0xe56ef405, 0x59ab93b3), TOBN(0x225fba11, 0x9f181071),\n TOBN(0x33bd6595, 0x15330ed0), TOBN(0xc4be69d5, 0x1ddb32f7)}},\n {{TOBN(0x264c7668, 0x0448087c), TOBN(0xac30903f, 0x71432dae),\n TOBN(0x3851b266, 0x00f9bf47), TOBN(0x400ed311, 0x6cdd6d03)},\n {TOBN(0x045e79fe, 0xf8fd2424), TOBN(0xfdfd974a, 0xfa6da98b),\n TOBN(0x45c9f641, 0x0c1e673a), TOBN(0x76f2e733, 0x5b2c5168)}},\n {{TOBN(0x1adaebb5, 0x2a601753), TOBN(0xb286514c, 0xc57c2d49),\n TOBN(0xd8769670, 0x1e0bfd24), TOBN(0x950c547e, 0x04478922)},\n {TOBN(0xd1d41969, 0xe5d32bfe), TOBN(0x30bc1472, 0x750d6c3e),\n TOBN(0x8f3679fe, 0xe0e27f3a), TOBN(0x8f64a7dc, 0xa4a6ee0c)}},\n {{TOBN(0x2fe59937, 0x633dfb1f), TOBN(0xea82c395, 0x977f2547),\n TOBN(0xcbdfdf1a, 0x661ea646), TOBN(0xc7ccc591, 0xb9085451)},\n {TOBN(0x82177962, 0x81761e13), TOBN(0xda57596f, 0x9196885c),\n TOBN(0xbc17e849, 0x28ffbd70), TOBN(0x1e6e0a41, 0x2671d36f)}},\n {{TOBN(0x61ae872c, 0x4152fcf5), TOBN(0x441c87b0, 0x9e77e754),\n TOBN(0xd0799dd5, 0xa34dff09), TOBN(0x766b4e44, 0x88a6b171)},\n {TOBN(0xdc06a512, 0x11f1c792), TOBN(0xea02ae93, 0x4be35c3e),\n TOBN(0xe5ca4d6d, 0xe90c469e), TOBN(0x4df4368e, 0x56e4ff5c)}},\n {{TOBN(0x7817acab, 0x4baef62e), TOBN(0x9f5a2202, 0xa85b91e8),\n TOBN(0x9666ebe6, 0x6ce57610), TOBN(0x32ad31f3, 0xf73bfe03)},\n {TOBN(0x628330a4, 0x25bcf4d6), TOBN(0xea950593, 0x515056e6),\n TOBN(0x59811c89, 0xe1332156), TOBN(0xc89cf1fe, 0x8c11b2d7)}},\n {{TOBN(0x75b63913, 0x04e60cc0), TOBN(0xce811e8d, 0x4625d375),\n TOBN(0x030e43fc, 0x2d26e562), TOBN(0xfbb30b4b, 0x608d36a0)},\n {TOBN(0x634ff82c, 0x48528118), TOBN(0x7c6fe085, 0xcd285911),\n TOBN(0x7f2830c0, 0x99358f28), TOBN(0x2e60a95e, 0x665e6c09)}},\n {{TOBN(0x08407d3d, 0x9b785dbf), TOBN(0x530889ab, 0xa759bce7),\n TOBN(0xf228e0e6, 0x52f61239), TOBN(0x2b6d1461, 0x6879be3c)},\n {TOBN(0xe6902c04, 0x51a7bbf7), TOBN(0x30ad99f0, 0x76f24a64),\n TOBN(0x66d9317a, 0x98bc6da0), TOBN(0xf4f877f3, 0xcb596ac0)}},\n {{TOBN(0xb05ff62d, 0x4c44f119), TOBN(0x4555f536, 0xe9b77416),\n TOBN(0xc7c0d059, 0x8caed63b), TOBN(0x0cd2b7ce, 0xc358b2a9)},\n {TOBN(0x3f33287b, 0x46945fa3), TOBN(0xf8785b20, 0xd67c8791),\n TOBN(0xc54a7a61, 0x9637bd08), TOBN(0x54d4598c, 0x18be79d7)}},\n {{TOBN(0x889e5acb, 0xc46d7ce1), TOBN(0x9a515bb7, 0x8b085877),\n TOBN(0xfac1a03d, 0x0b7a5050), TOBN(0x7d3e738a, 0xf2926035)},\n {TOBN(0x861cc2ce, 0x2a6cb0eb), TOBN(0x6f2e2955, 0x8f7adc79),\n TOBN(0x61c4d451, 0x33016376), TOBN(0xd9fd2c80, 0x5ad59090)}},\n {{TOBN(0xe5a83738, 0xb2b836a1), TOBN(0x855b41a0, 0x7c0d6622),\n TOBN(0x186fe317, 0x7cc19af1), TOBN(0x6465c1ff, 0xfdd99acb)},\n {TOBN(0x46e5c23f, 0x6974b99e), TOBN(0x75a7cf8b, 0xa2717cbe),\n TOBN(0x4d2ebc3f, 0x062be658), TOBN(0x094b4447, 0x5f209c98)}},\n {{TOBN(0x4af285ed, 0xb940cb5a), TOBN(0x6706d792, 0x7cc82f10),\n TOBN(0xc8c8776c, 0x030526fa), TOBN(0xfa8e6f76, 0xa0da9140)},\n {TOBN(0x77ea9d34, 0x591ee4f0), TOBN(0x5f46e337, 0x40274166),\n TOBN(0x1bdf98bb, 0xea671457), TOBN(0xd7c08b46, 0x862a1fe2)}},\n {{TOBN(0x46cc303c, 0x1c08ad63), TOBN(0x99543440, 0x4c845e7b),\n TOBN(0x1b8fbdb5, 0x48f36bf7), TOBN(0x5b82c392, 0x8c8273a7)},\n {TOBN(0x08f712c4, 0x928435d5), TOBN(0x071cf0f1, 0x79330380),\n TOBN(0xc74c2d24, 0xa8da054a), TOBN(0xcb0e7201, 0x43c46b5c)}},\n {{TOBN(0x0ad7337a, 0xc0b7eff3), TOBN(0x8552225e, 0xc5e48b3c),\n TOBN(0xe6f78b0c, 0x73f13a5f), TOBN(0x5e70062e, 0x82349cbe)},\n {TOBN(0x6b8d5048, 0xe7073969), TOBN(0x392d2a29, 0xc33cb3d2),\n TOBN(0xee4f727c, 0x4ecaa20f), TOBN(0xa068c99e, 0x2ccde707)}},\n {{TOBN(0xfcd5651f, 0xb87a2913), TOBN(0xea3e3c15, 0x3cc252f0),\n TOBN(0x777d92df, 0x3b6cd3e4), TOBN(0x7a414143, 0xc5a732e7)},\n {TOBN(0xa895951a, 0xa71ff493), TOBN(0xfe980c92, 0xbbd37cf6),\n TOBN(0x45bd5e64, 0xdecfeeff), TOBN(0x910dc2a9, 0xa44c43e9)}},\n {{TOBN(0xcb403f26, 0xcca9f54d), TOBN(0x928bbdfb, 0x9303f6db),\n TOBN(0x3c37951e, 0xa9eee67c), TOBN(0x3bd61a52, 0xf79961c3)},\n {TOBN(0x09a238e6, 0x395c9a79), TOBN(0x6940ca2d, 0x61eb352d),\n TOBN(0x7d1e5c5e, 0xc1875631), TOBN(0x1e19742c, 0x1e1b20d1)}},\n {{TOBN(0x4633d908, 0x23fc2e6e), TOBN(0xa76e29a9, 0x08959149),\n TOBN(0x61069d9c, 0x84ed7da5), TOBN(0x0baa11cf, 0x5dbcad51)},\n {TOBN(0xd01eec64, 0x961849da), TOBN(0x93b75f1f, 0xaf3d8c28),\n TOBN(0x57bc4f9f, 0x1ca2ee44), TOBN(0x5a26322d, 0x00e00558)}},\n {{TOBN(0x1888d658, 0x61a023ef), TOBN(0x1d72aab4, 0xb9e5246e),\n TOBN(0xa9a26348, 0xe5563ec0), TOBN(0xa0971963, 0xc3439a43)},\n {TOBN(0x567dd54b, 0xadb9b5b7), TOBN(0x73fac1a1, 0xc45a524b),\n TOBN(0x8fe97ef7, 0xfe38e608), TOBN(0x608748d2, 0x3f384f48)}},\n {{TOBN(0xb0571794, 0xc486094f), TOBN(0x869254a3, 0x8bf3a8d6),\n TOBN(0x148a8dd1, 0x310b0e25), TOBN(0x99ab9f3f, 0x9aa3f7d8)},\n {TOBN(0x0927c68a, 0x6706c02e), TOBN(0x22b5e76c, 0x69790e6c),\n TOBN(0x6c325260, 0x6c71376c), TOBN(0x53a57690, 0x09ef6657)}},\n {{TOBN(0x8d63f852, 0xedffcf3a), TOBN(0xb4d2ed04, 0x3c0a6f55),\n TOBN(0xdb3aa8de, 0x12519b9e), TOBN(0x5d38e9c4, 0x1e0a569a)},\n {TOBN(0x871528bf, 0x303747e2), TOBN(0xa208e77c, 0xf5b5c18d),\n TOBN(0x9d129c88, 0xca6bf923), TOBN(0xbcbf197f, 0xbf02839f)}},\n {{TOBN(0x9b9bf030, 0x27323194), TOBN(0x3b055a8b, 0x339ca59d),\n TOBN(0xb46b2312, 0x0f669520), TOBN(0x19789f1f, 0x497e5f24)},\n {TOBN(0x9c499468, 0xaaf01801), TOBN(0x72ee1190, 0x8b69d59c),\n TOBN(0x8bd39595, 0xacf4c079), TOBN(0x3ee11ece, 0x8e0cd048)}},\n {{TOBN(0xebde86ec, 0x1ed66f18), TOBN(0x225d906b, 0xd61fce43),\n TOBN(0x5cab07d6, 0xe8bed74d), TOBN(0x16e4617f, 0x27855ab7)},\n {TOBN(0x6568aadd, 0xb2fbc3dd), TOBN(0xedb5484f, 0x8aeddf5b),\n TOBN(0x878f20e8, 0x6dcf2fad), TOBN(0x3516497c, 0x615f5699)}}},\n {{{TOBN(0xef0a3fec, 0xfa181e69), TOBN(0x9ea02f81, 0x30d69a98),\n TOBN(0xb2e9cf8e, 0x66eab95d), TOBN(0x520f2beb, 0x24720021)},\n {TOBN(0x621c540a, 0x1df84361), TOBN(0x12037721, 0x71fa6d5d),\n TOBN(0x6e3c7b51, 0x0ff5f6ff), TOBN(0x817a069b, 0xabb2bef3)}},\n {{TOBN(0x83572fb6, 0xb294cda6), TOBN(0x6ce9bf75, 0xb9039f34),\n TOBN(0x20e012f0, 0x095cbb21), TOBN(0xa0aecc1b, 0xd063f0da)},\n {TOBN(0x57c21c3a, 0xf02909e5), TOBN(0xc7d59ecf, 0x48ce9cdc),\n TOBN(0x2732b844, 0x8ae336f8), TOBN(0x056e3723, 0x3f4f85f4)}},\n {{TOBN(0x8a10b531, 0x89e800ca), TOBN(0x50fe0c17, 0x145208fd),\n TOBN(0x9e43c0d3, 0xb714ba37), TOBN(0x427d200e, 0x34189acc)},\n {TOBN(0x05dee24f, 0xe616e2c0), TOBN(0x9c25f4c8, 0xee1854c1),\n TOBN(0x4d3222a5, 0x8f342a73), TOBN(0x0807804f, 0xa027c952)}},\n {{TOBN(0xc222653a, 0x4f0d56f3), TOBN(0x961e4047, 0xca28b805),\n TOBN(0x2c03f8b0, 0x4a73434b), TOBN(0x4c966787, 0xab712a19)},\n {TOBN(0xcc196c42, 0x864fee42), TOBN(0xc1be93da, 0x5b0ece5c),\n TOBN(0xa87d9f22, 0xc131c159), TOBN(0x2bb6d593, 0xdce45655)}},\n {{TOBN(0x22c49ec9, 0xb809b7ce), TOBN(0x8a41486b, 0xe2c72c2c),\n TOBN(0x813b9420, 0xfea0bf36), TOBN(0xb3d36ee9, 0xa66dac69)},\n {TOBN(0x6fddc08a, 0x328cc987), TOBN(0x0a3bcd2c, 0x3a326461),\n TOBN(0x7103c49d, 0xd810dbba), TOBN(0xf9d81a28, 0x4b78a4c4)}},\n {{TOBN(0x3de865ad, 0xe4d55941), TOBN(0xdedafa5e, 0x30384087),\n TOBN(0x6f414abb, 0x4ef18b9b), TOBN(0x9ee9ea42, 0xfaee5268)},\n {TOBN(0x260faa16, 0x37a55a4a), TOBN(0xeb19a514, 0x015f93b9),\n TOBN(0x51d7ebd2, 0x9e9c3598), TOBN(0x523fc56d, 0x1932178e)}},\n {{TOBN(0x501d070c, 0xb98fe684), TOBN(0xd60fbe9a, 0x124a1458),\n TOBN(0xa45761c8, 0x92bc6b3f), TOBN(0xf5384858, 0xfe6f27cb)},\n {TOBN(0x4b0271f7, 0xb59e763b), TOBN(0x3d4606a9, 0x5b5a8e5e),\n TOBN(0x1eda5d9b, 0x05a48292), TOBN(0xda7731d0, 0xe6fec446)}},\n {{TOBN(0xa3e33693, 0x90d45871), TOBN(0xe9764040, 0x06166d8d),\n TOBN(0xb5c33682, 0x89a90403), TOBN(0x4bd17983, 0x72f1d637)},\n {TOBN(0xa616679e, 0xd5d2c53a), TOBN(0x5ec4bcd8, 0xfdcf3b87),\n TOBN(0xae6d7613, 0xb66a694e), TOBN(0x7460fc76, 0xe3fc27e5)}},\n {{TOBN(0x70469b82, 0x95caabee), TOBN(0xde024ca5, 0x889501e3),\n TOBN(0x6bdadc06, 0x076ed265), TOBN(0x0cb1236b, 0x5a0ef8b2)},\n {TOBN(0x4065ddbf, 0x0972ebf9), TOBN(0xf1dd3875, 0x22aca432),\n TOBN(0xa88b97cf, 0x744aff76), TOBN(0xd1359afd, 0xfe8e3d24)}},\n {{TOBN(0x52a3ba2b, 0x91502cf3), TOBN(0x2c3832a8, 0x084db75d),\n TOBN(0x04a12ddd, 0xde30b1c9), TOBN(0x7802eabc, 0xe31fd60c)},\n {TOBN(0x33707327, 0xa37fddab), TOBN(0x65d6f2ab, 0xfaafa973),\n TOBN(0x3525c5b8, 0x11e6f91a), TOBN(0x76aeb0c9, 0x5f46530b)}},\n {{TOBN(0xe8815ff6, 0x2f93a675), TOBN(0xa6ec9684, 0x05f48679),\n TOBN(0x6dcbb556, 0x358ae884), TOBN(0x0af61472, 0xe19e3873)},\n {TOBN(0x72334372, 0xa5f696be), TOBN(0xc65e57ea, 0x6f22fb70),\n TOBN(0x268da30c, 0x946cea90), TOBN(0x136a8a87, 0x65681b2a)}},\n {{TOBN(0xad5e81dc, 0x0f9f44d4), TOBN(0xf09a6960, 0x2c46585a),\n TOBN(0xd1649164, 0xc447d1b1), TOBN(0x3b4b36c8, 0x879dc8b1)},\n {TOBN(0x20d4177b, 0x3b6b234c), TOBN(0x096a2505, 0x1730d9d0),\n TOBN(0x0611b9b8, 0xef80531d), TOBN(0xba904b3b, 0x64bb495d)}},\n {{TOBN(0x1192d9d4, 0x93a3147a), TOBN(0x9f30a5dc, 0x9a565545),\n TOBN(0x90b1f9cb, 0x6ef07212), TOBN(0x29958546, 0x0d87fc13)},\n {TOBN(0xd3323eff, 0xc17db9ba), TOBN(0xcb18548c, 0xcb1644a8),\n TOBN(0x18a306d4, 0x4f49ffbc), TOBN(0x28d658f1, 0x4c2e8684)}},\n {{TOBN(0x44ba60cd, 0xa99f8c71), TOBN(0x67b7abdb, 0x4bf742ff),\n TOBN(0x66310f9c, 0x914b3f99), TOBN(0xae430a32, 0xf412c161)},\n {TOBN(0x1e6776d3, 0x88ace52f), TOBN(0x4bc0fa24, 0x52d7067d),\n TOBN(0x03c286aa, 0x8f07cd1b), TOBN(0x4cb8f38c, 0xa985b2c1)}},\n {{TOBN(0x83ccbe80, 0x8c3bff36), TOBN(0x005a0bd2, 0x5263e575),\n TOBN(0x460d7dda, 0x259bdcd1), TOBN(0x4a1c5642, 0xfa5cab6b)},\n {TOBN(0x2b7bdbb9, 0x9fe4fc88), TOBN(0x09418e28, 0xcc97bbb5),\n TOBN(0xd8274fb4, 0xa12321ae), TOBN(0xb137007d, 0x5c87b64e)}},\n {{TOBN(0x80531fe1, 0xc63c4962), TOBN(0x50541e89, 0x981fdb25),\n TOBN(0xdc1291a1, 0xfd4c2b6b), TOBN(0xc0693a17, 0xa6df4fca)},\n {TOBN(0xb2c4604e, 0x0117f203), TOBN(0x245f1963, 0x0a99b8d0),\n TOBN(0xaedc20aa, 0xc6212c44), TOBN(0xb1ed4e56, 0x520f52a8)}},\n {{TOBN(0xfe48f575, 0xf8547be3), TOBN(0x0a7033cd, 0xa9e45f98),\n TOBN(0x4b45d3a9, 0x18c50100), TOBN(0xb2a6cd6a, 0xa61d41da)},\n {TOBN(0x60bbb4f5, 0x57933c6b), TOBN(0xa7538ebd, 0x2b0d7ffc),\n TOBN(0x9ea3ab8d, 0x8cd626b6), TOBN(0x8273a484, 0x3601625a)}},\n {{TOBN(0x88859845, 0x0168e508), TOBN(0x8cbc9bb2, 0x99a94abd),\n TOBN(0x713ac792, 0xfab0a671), TOBN(0xa3995b19, 0x6c9ebffc)},\n {TOBN(0xe711668e, 0x1239e152), TOBN(0x56892558, 0xbbb8dff4),\n TOBN(0x8bfc7dab, 0xdbf17963), TOBN(0x5b59fe5a, 0xb3de1253)}},\n {{TOBN(0x7e3320eb, 0x34a9f7ae), TOBN(0xe5e8cf72, 0xd751efe4),\n TOBN(0x7ea003bc, 0xd9be2f37), TOBN(0xc0f551a0, 0xb6c08ef7)},\n {TOBN(0x56606268, 0x038f6725), TOBN(0x1dd38e35, 0x6d92d3b6),\n TOBN(0x07dfce7c, 0xc3cbd686), TOBN(0x4e549e04, 0x651c5da8)}},\n {{TOBN(0x4058f93b, 0x08b19340), TOBN(0xc2fae6f4, 0xcac6d89d),\n TOBN(0x4bad8a8c, 0x8f159cc7), TOBN(0x0ddba4b3, 0xcb0b601c)},\n {TOBN(0xda4fc7b5, 0x1dd95f8c), TOBN(0x1d163cd7, 0xcea5c255),\n TOBN(0x30707d06, 0x274a8c4c), TOBN(0x79d9e008, 0x2802e9ce)}},\n {{TOBN(0x02a29ebf, 0xe6ddd505), TOBN(0x37064e74, 0xb50bed1a),\n TOBN(0x3f6bae65, 0xa7327d57), TOBN(0x3846f5f1, 0xf83920bc)},\n {TOBN(0x87c37491, 0x60df1b9b), TOBN(0x4cfb2895, 0x2d1da29f),\n TOBN(0x10a478ca, 0x4ed1743c), TOBN(0x390c6030, 0x3edd47c6)}},\n {{TOBN(0x8f3e5312, 0x8c0a78de), TOBN(0xccd02bda, 0x1e85df70),\n TOBN(0xd6c75c03, 0xa61b6582), TOBN(0x0762921c, 0xfc0eebd1)},\n {TOBN(0xd34d0823, 0xd85010c0), TOBN(0xd73aaacb, 0x0044cf1f),\n TOBN(0xfb4159bb, 0xa3b5e78a), TOBN(0x2287c7f7, 0xe5826f3f)}},\n {{TOBN(0x4aeaf742, 0x580b1a01), TOBN(0xf080415d, 0x60423b79),\n TOBN(0xe12622cd, 0xa7dea144), TOBN(0x49ea4996, 0x59d62472)},\n {TOBN(0xb42991ef, 0x571f3913), TOBN(0x0610f214, 0xf5b25a8a),\n TOBN(0x47adc585, 0x30b79e8f), TOBN(0xf90e3df6, 0x07a065a2)}},\n {{TOBN(0x5d0a5deb, 0x43e2e034), TOBN(0x53fb5a34, 0x444024aa),\n TOBN(0xa8628c68, 0x6b0c9f7f), TOBN(0x9c69c29c, 0xac563656)},\n {TOBN(0x5a231feb, 0xbace47b6), TOBN(0xbdce0289, 0x9ea5a2ec),\n TOBN(0x05da1fac, 0x9463853e), TOBN(0x96812c52, 0x509e78aa)}},\n {{TOBN(0xd3fb5771, 0x57151692), TOBN(0xeb2721f8, 0xd98e1c44),\n TOBN(0xc0506087, 0x32399be1), TOBN(0xda5a5511, 0xd979d8b8)},\n {TOBN(0x737ed55d, 0xc6f56780), TOBN(0xe20d3004, 0x0dc7a7f4),\n TOBN(0x02ce7301, 0xf5941a03), TOBN(0x91ef5215, 0xed30f83a)}},\n {{TOBN(0x28727fc1, 0x4092d85f), TOBN(0x72d223c6, 0x5c49e41a),\n TOBN(0xa7cf30a2, 0xba6a4d81), TOBN(0x7c086209, 0xb030d87d)},\n {TOBN(0x04844c7d, 0xfc588b09), TOBN(0x728cd499, 0x5874bbb0),\n TOBN(0xcc1281ee, 0xe84c0495), TOBN(0x0769b5ba, 0xec31958f)}},\n {{TOBN(0x665c228b, 0xf99c2471), TOBN(0xf2d8a11b, 0x191eb110),\n TOBN(0x4594f494, 0xd36d7024), TOBN(0x482ded8b, 0xcdcb25a1)},\n {TOBN(0xc958a9d8, 0xdadd4885), TOBN(0x7004477e, 0xf1d2b547),\n TOBN(0x0a45f6ef, 0x2a0af550), TOBN(0x4fc739d6, 0x2f8d6351)}},\n {{TOBN(0x75cdaf27, 0x786f08a9), TOBN(0x8700bb26, 0x42c2737f),\n TOBN(0x855a7141, 0x1c4e2670), TOBN(0x810188c1, 0x15076fef)},\n {TOBN(0xc251d0c9, 0xabcd3297), TOBN(0xae4c8967, 0xf48108eb),\n TOBN(0xbd146de7, 0x18ceed30), TOBN(0xf9d4f07a, 0xc986bced)}},\n {{TOBN(0x5ad98ed5, 0x83fa1e08), TOBN(0x7780d33e, 0xbeabd1fb),\n TOBN(0xe330513c, 0x903b1196), TOBN(0xba11de9e, 0xa47bc8c4)},\n {TOBN(0x684334da, 0x02c2d064), TOBN(0x7ecf360d, 0xa48de23b),\n TOBN(0x57a1b474, 0x0a9089d8), TOBN(0xf28fa439, 0xff36734c)}},\n {{TOBN(0xf2a482cb, 0xea4570b3), TOBN(0xee65d68b, 0xa5ebcee9),\n TOBN(0x988d0036, 0xb9694cd5), TOBN(0x53edd0e9, 0x37885d32)},\n {TOBN(0xe37e3307, 0xbeb9bc6d), TOBN(0xe9abb907, 0x9f5c6768),\n TOBN(0x4396ccd5, 0x51f2160f), TOBN(0x2500888c, 0x47336da6)}},\n {{TOBN(0x383f9ed9, 0x926fce43), TOBN(0x809dd1c7, 0x04da2930),\n TOBN(0x30f6f596, 0x8a4cb227), TOBN(0x0d700c7f, 0x73a56b38)},\n {TOBN(0x1825ea33, 0xab64a065), TOBN(0xaab9b735, 0x1338df80),\n TOBN(0x1516100d, 0x9b63f57f), TOBN(0x2574395a, 0x27a6a634)}},\n {{TOBN(0xb5560fb6, 0x700a1acd), TOBN(0xe823fd73, 0xfd999681),\n TOBN(0xda915d1f, 0x6cb4e1ba), TOBN(0x0d030118, 0x6ebe00a3)},\n {TOBN(0x744fb0c9, 0x89fca8cd), TOBN(0x970d01db, 0xf9da0e0b),\n TOBN(0x0ad8c564, 0x7931d76f), TOBN(0xb15737bf, 0xf659b96a)}},\n {{TOBN(0xdc9933e8, 0xa8b484e7), TOBN(0xb2fdbdf9, 0x7a26dec7),\n TOBN(0x2349e9a4, 0x9f1f0136), TOBN(0x7860368e, 0x70fddddb)},\n {TOBN(0xd93d2c1c, 0xf9ad3e18), TOBN(0x6d6c5f17, 0x689f4e79),\n TOBN(0x7a544d91, 0xb24ff1b6), TOBN(0x3e12a5eb, 0xfe16cd8c)}},\n {{TOBN(0x543574e9, 0xa56b872f), TOBN(0xa1ad550c, 0xfcf68ea2),\n TOBN(0x689e37d2, 0x3f560ef7), TOBN(0x8c54b9ca, 0xc9d47a8b)},\n {TOBN(0x46d40a4a, 0x088ac342), TOBN(0xec450c7c, 0x1576c6d0),\n TOBN(0xb589e31c, 0x1f9689e9), TOBN(0xdacf2602, 0xb8781718)}},\n {{TOBN(0xa89237c6, 0xc8cb6b42), TOBN(0x1326fc93, 0xb96ef381),\n TOBN(0x55d56c6d, 0xb5f07825), TOBN(0xacba2eea, 0x7449e22d)},\n {TOBN(0x74e0887a, 0x633c3000), TOBN(0xcb6cd172, 0xd7cbcf71),\n TOBN(0x309e81de, 0xc36cf1be), TOBN(0x07a18a6d, 0x60ae399b)}},\n {{TOBN(0xb36c2679, 0x9edce57e), TOBN(0x52b892f4, 0xdf001d41),\n TOBN(0xd884ae5d, 0x16a1f2c6), TOBN(0x9b329424, 0xefcc370a)},\n {TOBN(0x3120daf2, 0xbd2e21df), TOBN(0x55298d2d, 0x02470a99),\n TOBN(0x0b78af6c, 0xa05db32e), TOBN(0x5c76a331, 0x601f5636)}},\n {{TOBN(0xaae861ff, 0xf8a4f29c), TOBN(0x70dc9240, 0xd68f8d49),\n TOBN(0x960e649f, 0x81b1321c), TOBN(0x3d2c801b, 0x8792e4ce)},\n {TOBN(0xf479f772, 0x42521876), TOBN(0x0bed93bc, 0x416c79b1),\n TOBN(0xa67fbc05, 0x263e5bc9), TOBN(0x01e8e630, 0x521db049)}},\n {{TOBN(0x76f26738, 0xc6f3431e), TOBN(0xe609cb02, 0xe3267541),\n TOBN(0xb10cff2d, 0x818c877c), TOBN(0x1f0e75ce, 0x786a13cb)},\n {TOBN(0xf4fdca64, 0x1158544d), TOBN(0x5d777e89, 0x6cb71ed0),\n TOBN(0x3c233737, 0xa9aa4755), TOBN(0x7b453192, 0xe527ab40)}},\n {{TOBN(0xdb59f688, 0x39f05ffe), TOBN(0x8f4f4be0, 0x6d82574e),\n TOBN(0xcce3450c, 0xee292d1b), TOBN(0xaa448a12, 0x61ccd086)},\n {TOBN(0xabce91b3, 0xf7914967), TOBN(0x4537f09b, 0x1908a5ed),\n TOBN(0xa812421e, 0xf51042e7), TOBN(0xfaf5cebc, 0xec0b3a34)}},\n {{TOBN(0x730ffd87, 0x4ca6b39a), TOBN(0x70fb72ed, 0x02efd342),\n TOBN(0xeb4735f9, 0xd75c8edb), TOBN(0xc11f2157, 0xc278aa51)},\n {TOBN(0xc459f635, 0xbf3bfebf), TOBN(0x3a1ff0b4, 0x6bd9601f),\n TOBN(0xc9d12823, 0xc420cb73), TOBN(0x3e9af3e2, 0x3c2915a3)}},\n {{TOBN(0xe0c82c72, 0xb41c3440), TOBN(0x175239e5, 0xe3039a5f),\n TOBN(0xe1084b8a, 0x558795a3), TOBN(0x328d0a1d, 0xd01e5c60)},\n {TOBN(0x0a495f2e, 0xd3788a04), TOBN(0x25d8ff16, 0x66c11a9f),\n TOBN(0xf5155f05, 0x9ed692d6), TOBN(0x954fa107, 0x4f425fe4)}},\n {{TOBN(0xd16aabf2, 0xe98aaa99), TOBN(0x90cd8ba0, 0x96b0f88a),\n TOBN(0x957f4782, 0xc154026a), TOBN(0x54ee0734, 0x52af56d2)},\n {TOBN(0xbcf89e54, 0x45b4147a), TOBN(0x3d102f21, 0x9a52816c),\n TOBN(0x6808517e, 0x39b62e77), TOBN(0x92e25421, 0x69169ad8)}},\n {{TOBN(0xd721d871, 0xbb608558), TOBN(0x60e4ebae, 0xf6d4ff9b),\n TOBN(0x0ba10819, 0x41f2763e), TOBN(0xca2e45be, 0x51ee3247)},\n {TOBN(0x66d172ec, 0x2bfd7a5f), TOBN(0x528a8f2f, 0x74d0b12d),\n TOBN(0xe17f1e38, 0xdabe70dc), TOBN(0x1d5d7316, 0x9f93983c)}},\n {{TOBN(0x51b2184a, 0xdf423e31), TOBN(0xcb417291, 0xaedb1a10),\n TOBN(0x2054ca93, 0x625bcab9), TOBN(0x54396860, 0xa98998f0)},\n {TOBN(0x4e53f6c4, 0xa54ae57e), TOBN(0x0ffeb590, 0xee648e9d),\n TOBN(0xfbbdaadc, 0x6afaf6bc), TOBN(0xf88ae796, 0xaa3bfb8a)}},\n {{TOBN(0x209f1d44, 0xd2359ed9), TOBN(0xac68dd03, 0xf3544ce2),\n TOBN(0xf378da47, 0xfd51e569), TOBN(0xe1abd860, 0x2cc80097)},\n {TOBN(0x23ca18d9, 0x343b6e3a), TOBN(0x480797e8, 0xb40a1bae),\n TOBN(0xd1f0c717, 0x533f3e67), TOBN(0x44896970, 0x06e6cdfc)}},\n {{TOBN(0x8ca21055, 0x52a82e8d), TOBN(0xb2caf785, 0x78460cdc),\n TOBN(0x4c1b7b62, 0xe9037178), TOBN(0xefc09d2c, 0xdb514b58)},\n {TOBN(0x5f2df9ee, 0x9113be5c), TOBN(0x2fbda78f, 0xb3f9271c),\n TOBN(0xe09a81af, 0x8f83fc54), TOBN(0x06b13866, 0x8afb5141)}},\n {{TOBN(0x38f6480f, 0x43e3865d), TOBN(0x72dd77a8, 0x1ddf47d9),\n TOBN(0xf2a8e971, 0x4c205ff7), TOBN(0x46d449d8, 0x9d088ad8)},\n {TOBN(0x926619ea, 0x185d706f), TOBN(0xe47e02eb, 0xc7dd7f62),\n TOBN(0xe7f120a7, 0x8cbc2031), TOBN(0xc18bef00, 0x998d4ac9)}},\n {{TOBN(0x18f37a9c, 0x6bdf22da), TOBN(0xefbc432f, 0x90dc82df),\n TOBN(0xc52cef8e, 0x5d703651), TOBN(0x82887ba0, 0xd99881a5)},\n {TOBN(0x7cec9dda, 0xb920ec1d), TOBN(0xd0d7e8c3, 0xec3e8d3b),\n TOBN(0x445bc395, 0x4ca88747), TOBN(0xedeaa2e0, 0x9fd53535)}},\n {{TOBN(0x461b1d93, 0x6cc87475), TOBN(0xd92a52e2, 0x6d2383bd),\n TOBN(0xfabccb59, 0xd7903546), TOBN(0x6111a761, 0x3d14b112)},\n {TOBN(0x0ae584fe, 0xb3d5f612), TOBN(0x5ea69b8d, 0x60e828ec),\n TOBN(0x6c078985, 0x54087030), TOBN(0x649cab04, 0xac4821fe)}},\n {{TOBN(0x25ecedcf, 0x8bdce214), TOBN(0xb5622f72, 0x86af7361),\n TOBN(0x0e1227aa, 0x7038b9e2), TOBN(0xd0efb273, 0xac20fa77)},\n {TOBN(0x817ff88b, 0x79df975b), TOBN(0x856bf286, 0x1999503e),\n TOBN(0xb4d5351f, 0x5038ec46), TOBN(0x740a52c5, 0xfc42af6e)}},\n {{TOBN(0x2e38bb15, 0x2cbb1a3f), TOBN(0xc3eb99fe, 0x17a83429),\n TOBN(0xca4fcbf1, 0xdd66bb74), TOBN(0x880784d6, 0xcde5e8fc)},\n {TOBN(0xddc84c1c, 0xb4e7a0be), TOBN(0x8780510d, 0xbd15a72f),\n TOBN(0x44bcf1af, 0x81ec30e1), TOBN(0x141e50a8, 0x0a61073e)}},\n {{TOBN(0x0d955718, 0x47be87ae), TOBN(0x68a61417, 0xf76a4372),\n TOBN(0xf57e7e87, 0xc607c3d3), TOBN(0x043afaf8, 0x5252f332)},\n {TOBN(0xcc14e121, 0x1552a4d2), TOBN(0xb6dee692, 0xbb4d4ab4),\n TOBN(0xb6ab74c8, 0xa03816a4), TOBN(0x84001ae4, 0x6f394a29)}},\n {{TOBN(0x5bed8344, 0xd795fb45), TOBN(0x57326e7d, 0xb79f55a5),\n TOBN(0xc9533ce0, 0x4accdffc), TOBN(0x53473caf, 0x3993fa04)},\n {TOBN(0x7906eb93, 0xa13df4c8), TOBN(0xa73e51f6, 0x97cbe46f),\n TOBN(0xd1ab3ae1, 0x0ae4ccf8), TOBN(0x25614508, 0x8a5b3dbc)}},\n {{TOBN(0x61eff962, 0x11a71b27), TOBN(0xdf71412b, 0x6bb7fa39),\n TOBN(0xb31ba6b8, 0x2bd7f3ef), TOBN(0xb0b9c415, 0x69180d29)},\n {TOBN(0xeec14552, 0x014cdde5), TOBN(0x702c624b, 0x227b4bbb),\n TOBN(0x2b15e8c2, 0xd3e988f3), TOBN(0xee3bcc6d, 0xa4f7fd04)}},\n {{TOBN(0x9d00822a, 0x42ac6c85), TOBN(0x2db0cea6, 0x1df9f2b7),\n TOBN(0xd7cad2ab, 0x42de1e58), TOBN(0x346ed526, 0x2d6fbb61)},\n {TOBN(0xb3962995, 0x1a2faf09), TOBN(0x2fa8a580, 0x7c25612e),\n TOBN(0x30ae04da, 0x7cf56490), TOBN(0x75662908, 0x0eea3961)}},\n {{TOBN(0x3609f5c5, 0x3d080847), TOBN(0xcb081d39, 0x5241d4f6),\n TOBN(0xb4fb3810, 0x77961a63), TOBN(0xc20c5984, 0x2abb66fc)},\n {TOBN(0x3d40aa7c, 0xf902f245), TOBN(0x9cb12736, 0x4e536b1e),\n TOBN(0x5eda24da, 0x99b3134f), TOBN(0xafbd9c69, 0x5cd011af)}},\n {{TOBN(0x9a16e30a, 0xc7088c7d), TOBN(0x5ab65710, 0x3207389f),\n TOBN(0x1b09547f, 0xe7407a53), TOBN(0x2322f9d7, 0x4fdc6eab)},\n {TOBN(0xc0f2f22d, 0x7430de4d), TOBN(0x19382696, 0xe68ca9a9),\n TOBN(0x17f1eff1, 0x918e5868), TOBN(0xe3b5b635, 0x586f4204)}},\n {{TOBN(0x146ef980, 0x3fbc4341), TOBN(0x359f2c80, 0x5b5eed4e),\n TOBN(0x9f35744e, 0x7482e41d), TOBN(0x9a9ac3ec, 0xf3b224c2)},\n {TOBN(0x9161a6fe, 0x91fc50ae), TOBN(0x89ccc66b, 0xc613fa7c),\n TOBN(0x89268b14, 0xc732f15a), TOBN(0x7cd6f4e2, 0xb467ed03)}},\n {{TOBN(0xfbf79869, 0xce56b40e), TOBN(0xf93e094c, 0xc02dde98),\n TOBN(0xefe0c3a8, 0xedee2cd7), TOBN(0x90f3ffc0, 0xb268fd42)},\n {TOBN(0x81a7fd56, 0x08241aed), TOBN(0x95ab7ad8, 0x00b1afe8),\n TOBN(0x40127056, 0x3e310d52), TOBN(0xd3ffdeb1, 0x09d9fc43)}},\n {{TOBN(0xc8f85c91, 0xd11a8594), TOBN(0x2e74d258, 0x31cf6db8),\n TOBN(0x829c7ca3, 0x02b5dfd0), TOBN(0xe389cfbe, 0x69143c86)},\n {TOBN(0xd01b6405, 0x941768d8), TOBN(0x45103995, 0x03bf825d),\n TOBN(0xcc4ee166, 0x56cd17e2), TOBN(0xbea3c283, 0xba037e79)}},\n {{TOBN(0x4e1ac06e, 0xd9a47520), TOBN(0xfbfe18aa, 0xaf852404),\n TOBN(0x5615f8e2, 0x8087648a), TOBN(0x7301e47e, 0xb9d150d9)},\n {TOBN(0x79f9f9dd, 0xb299b977), TOBN(0x76697a7b, 0xa5b78314),\n TOBN(0x10d67468, 0x7d7c90e7), TOBN(0x7afffe03, 0x937210b5)}},\n {{TOBN(0x5aef3e4b, 0x28c22cee), TOBN(0xefb0ecd8, 0x09fd55ae),\n TOBN(0x4cea7132, 0x0d2a5d6a), TOBN(0x9cfb5fa1, 0x01db6357)},\n {TOBN(0x395e0b57, 0xf36e1ac5), TOBN(0x008fa9ad, 0x36cafb7d),\n TOBN(0x8f6cdf70, 0x5308c4db), TOBN(0x51527a37, 0x95ed2477)}},\n {{TOBN(0xba0dee30, 0x5bd21311), TOBN(0x6ed41b22, 0x909c90d7),\n TOBN(0xc5f6b758, 0x7c8696d3), TOBN(0x0db8eaa8, 0x3ce83a80)},\n {TOBN(0xd297fe37, 0xb24b4b6f), TOBN(0xfe58afe8, 0x522d1f0d),\n TOBN(0x97358736, 0x8c98dbd9), TOBN(0x6bc226ca, 0x9454a527)}},\n {{TOBN(0xa12b384e, 0xce53c2d0), TOBN(0x779d897d, 0x5e4606da),\n TOBN(0xa53e47b0, 0x73ec12b0), TOBN(0x462dbbba, 0x5756f1ad)},\n {TOBN(0x69fe09f2, 0xcafe37b6), TOBN(0x273d1ebf, 0xecce2e17),\n TOBN(0x8ac1d538, 0x3cf607fd), TOBN(0x8035f7ff, 0x12e10c25)}}},\n {{{TOBN(0x854d34c7, 0x7e6c5520), TOBN(0xc27df9ef, 0xdcb9ea58),\n TOBN(0x405f2369, 0xd686666d), TOBN(0x29d1febf, 0x0417aa85)},\n {TOBN(0x9846819e, 0x93470afe), TOBN(0x3e6a9669, 0xe2a27f9e),\n TOBN(0x24d008a2, 0xe31e6504), TOBN(0xdba7cecf, 0x9cb7680a)}},\n {{TOBN(0xecaff541, 0x338d6e43), TOBN(0x56f7dd73, 0x4541d5cc),\n TOBN(0xb5d426de, 0x96bc88ca), TOBN(0x48d94f6b, 0x9ed3a2c3)},\n {TOBN(0x6354a3bb, 0x2ef8279c), TOBN(0xd575465b, 0x0b1867f2),\n TOBN(0xef99b0ff, 0x95225151), TOBN(0xf3e19d88, 0xf94500d8)}},\n {{TOBN(0x92a83268, 0xe32dd620), TOBN(0x913ec99f, 0x627849a2),\n TOBN(0xedd8fdfa, 0x2c378882), TOBN(0xaf96f33e, 0xee6f8cfe)},\n {TOBN(0xc06737e5, 0xdc3fa8a5), TOBN(0x236bb531, 0xb0b03a1d),\n TOBN(0x33e59f29, 0x89f037b0), TOBN(0x13f9b5a7, 0xd9a12a53)}},\n {{TOBN(0x0d0df6ce, 0x51efb310), TOBN(0xcb5b2eb4, 0x958df5be),\n TOBN(0xd6459e29, 0x36158e59), TOBN(0x82aae2b9, 0x1466e336)},\n {TOBN(0xfb658a39, 0x411aa636), TOBN(0x7152ecc5, 0xd4c0a933),\n TOBN(0xf10c758a, 0x49f026b7), TOBN(0xf4837f97, 0xcb09311f)}},\n {{TOBN(0xddfb02c4, 0xc753c45f), TOBN(0x18ca81b6, 0xf9c840fe),\n TOBN(0x846fd09a, 0xb0f8a3e6), TOBN(0xb1162add, 0xe7733dbc)},\n {TOBN(0x7070ad20, 0x236e3ab6), TOBN(0xf88cdaf5, 0xb2a56326),\n TOBN(0x05fc8719, 0x997cbc7a), TOBN(0x442cd452, 0x4b665272)}},\n {{TOBN(0x7807f364, 0xb71698f5), TOBN(0x6ba418d2, 0x9f7b605e),\n TOBN(0xfd20b00f, 0xa03b2cbb), TOBN(0x883eca37, 0xda54386f)},\n {TOBN(0xff0be43f, 0xf3437f24), TOBN(0xe910b432, 0xa48bb33c),\n TOBN(0x4963a128, 0x329df765), TOBN(0xac1dd556, 0xbe2fe6f7)}},\n {{TOBN(0x557610f9, 0x24a0a3fc), TOBN(0x38e17bf4, 0xe881c3f9),\n TOBN(0x6ba84faf, 0xed0dac99), TOBN(0xd4a222c3, 0x59eeb918)},\n {TOBN(0xc79c1dbe, 0x13f542b6), TOBN(0x1fc65e0d, 0xe425d457),\n TOBN(0xeffb754f, 0x1debb779), TOBN(0x638d8fd0, 0x9e08af60)}},\n {{TOBN(0x994f523a, 0x626332d5), TOBN(0x7bc38833, 0x5561bb44),\n TOBN(0x005ed4b0, 0x3d845ea2), TOBN(0xd39d3ee1, 0xc2a1f08a)},\n {TOBN(0x6561fdd3, 0xe7676b0d), TOBN(0x620e35ff, 0xfb706017),\n TOBN(0x36ce424f, 0xf264f9a8), TOBN(0xc4c3419f, 0xda2681f7)}},\n {{TOBN(0xfb6afd2f, 0x69beb6e8), TOBN(0x3a50b993, 0x6d700d03),\n TOBN(0xc840b2ad, 0x0c83a14f), TOBN(0x573207be, 0x54085bef)},\n {TOBN(0x5af882e3, 0x09fe7e5b), TOBN(0x957678a4, 0x3b40a7e1),\n TOBN(0x172d4bdd, 0x543056e2), TOBN(0x9c1b26b4, 0x0df13c0a)}},\n {{TOBN(0x1c30861c, 0xf405ff06), TOBN(0xebac86bd, 0x486e828b),\n TOBN(0xe791a971, 0x636933fc), TOBN(0x50e7c2be, 0x7aeee947)},\n {TOBN(0xc3d4a095, 0xfa90d767), TOBN(0xae60eb7b, 0xe670ab7b),\n TOBN(0x17633a64, 0x397b056d), TOBN(0x93a21f33, 0x105012aa)}},\n {{TOBN(0x663c370b, 0xabb88643), TOBN(0x91df36d7, 0x22e21599),\n TOBN(0x183ba835, 0x8b761671), TOBN(0x381eea1d, 0x728f3bf1)},\n {TOBN(0xb9b2f1ba, 0x39966e6c), TOBN(0x7c464a28, 0xe7295492),\n TOBN(0x0fd5f70a, 0x09b26b7f), TOBN(0xa9aba1f9, 0xfbe009df)}},\n {{TOBN(0x857c1f22, 0x369b87ad), TOBN(0x3c00e5d9, 0x32fca556),\n TOBN(0x1ad74cab, 0x90b06466), TOBN(0xa7112386, 0x550faaf2)},\n {TOBN(0x7435e198, 0x6d9bd5f5), TOBN(0x2dcc7e38, 0x59c3463f),\n TOBN(0xdc7df748, 0xca7bd4b2), TOBN(0x13cd4c08, 0x9dec2f31)}},\n {{TOBN(0x0d3b5df8, 0xe3237710), TOBN(0x0dadb26e, 0xcbd2f7b0),\n TOBN(0x9f5966ab, 0xe4aa082b), TOBN(0x666ec8de, 0x350e966e)},\n {TOBN(0x1bfd1ed5, 0xee524216), TOBN(0xcd93c59b, 0x41dab0b6),\n TOBN(0x658a8435, 0xd186d6ba), TOBN(0x1b7d34d2, 0x159d1195)}},\n {{TOBN(0x5936e460, 0x22caf46b), TOBN(0x6a45dd8f, 0x9a96fe4f),\n TOBN(0xf7925434, 0xb98f474e), TOBN(0x41410412, 0x0053ef15)},\n {TOBN(0x71cf8d12, 0x41de97bf), TOBN(0xb8547b61, 0xbd80bef4),\n TOBN(0xb47d3970, 0xc4db0037), TOBN(0xf1bcd328, 0xfef20dff)}},\n {{TOBN(0x31a92e09, 0x10caad67), TOBN(0x1f591960, 0x5531a1e1),\n TOBN(0x3bb852e0, 0x5f4fc840), TOBN(0x63e297ca, 0x93a72c6c)},\n {TOBN(0x3c2b0b2e, 0x49abad67), TOBN(0x6ec405fc, 0xed3db0d9),\n TOBN(0xdc14a530, 0x7fef1d40), TOBN(0xccd19846, 0x280896fc)}},\n {{TOBN(0x00f83176, 0x9bb81648), TOBN(0xd69eb485, 0x653120d0),\n TOBN(0xd17d75f4, 0x4ccabc62), TOBN(0x34a07f82, 0xb749fcb1)},\n {TOBN(0x2c3af787, 0xbbfb5554), TOBN(0xb06ed4d0, 0x62e283f8),\n TOBN(0x5722889f, 0xa19213a0), TOBN(0x162b085e, 0xdcf3c7b4)}},\n {{TOBN(0xbcaecb31, 0xe0dd3eca), TOBN(0xc6237fbc, 0xe52f13a5),\n TOBN(0xcc2b6b03, 0x27bac297), TOBN(0x2ae1cac5, 0xb917f54a)},\n {TOBN(0x474807d4, 0x7845ae4f), TOBN(0xfec7dd92, 0xce5972e0),\n TOBN(0xc3bd2541, 0x1d7915bb), TOBN(0x66f85dc4, 0xd94907ca)}},\n {{TOBN(0xd981b888, 0xbdbcf0ca), TOBN(0xd75f5da6, 0xdf279e9f),\n TOBN(0x128bbf24, 0x7054e934), TOBN(0x3c6ff6e5, 0x81db134b)},\n {TOBN(0x795b7cf4, 0x047d26e4), TOBN(0xf370f7b8, 0x5049ec37),\n TOBN(0xc6712d4d, 0xced945af), TOBN(0xdf30b5ec, 0x095642bc)}},\n {{TOBN(0x9b034c62, 0x4896246e), TOBN(0x5652c016, 0xee90bbd1),\n TOBN(0xeb38636f, 0x87fedb73), TOBN(0x5e32f847, 0x0135a613)},\n {TOBN(0x0703b312, 0xcf933c83), TOBN(0xd05bb76e, 0x1a7f47e6),\n TOBN(0x825e4f0c, 0x949c2415), TOBN(0x569e5622, 0x7250d6f8)}},\n {{TOBN(0xbbe9eb3a, 0x6568013e), TOBN(0x8dbd203f, 0x22f243fc),\n TOBN(0x9dbd7694, 0xb342734a), TOBN(0x8f6d12f8, 0x46afa984)},\n {TOBN(0xb98610a2, 0xc9eade29), TOBN(0xbab4f323, 0x47dd0f18),\n TOBN(0x5779737b, 0x671c0d46), TOBN(0x10b6a7c6, 0xd3e0a42a)}},\n {{TOBN(0xfb19ddf3, 0x3035b41c), TOBN(0xd336343f, 0x99c45895),\n TOBN(0x61fe4938, 0x54c857e5), TOBN(0xc4d506be, 0xae4e57d5)},\n {TOBN(0x3cd8c8cb, 0xbbc33f75), TOBN(0x7281f08a, 0x9262c77d),\n TOBN(0x083f4ea6, 0xf11a2823), TOBN(0x8895041e, 0x9fba2e33)}},\n {{TOBN(0xfcdfea49, 0x9c438edf), TOBN(0x7678dcc3, 0x91edba44),\n TOBN(0xf07b3b87, 0xe2ba50f0), TOBN(0xc13888ef, 0x43948c1b)},\n {TOBN(0xc2135ad4, 0x1140af42), TOBN(0x8e5104f3, 0x926ed1a7),\n TOBN(0xf24430cb, 0x88f6695f), TOBN(0x0ce0637b, 0x6d73c120)}},\n {{TOBN(0xb2db01e6, 0xfe631e8f), TOBN(0x1c5563d7, 0xd7bdd24b),\n TOBN(0x8daea3ba, 0x369ad44f), TOBN(0x000c81b6, 0x8187a9f9)},\n {TOBN(0x5f48a951, 0xaae1fd9a), TOBN(0xe35626c7, 0x8d5aed8a),\n TOBN(0x20952763, 0x0498c622), TOBN(0x76d17634, 0x773aa504)}},\n {{TOBN(0x36d90dda, 0xeb300f7a), TOBN(0x9dcf7dfc, 0xedb5e801),\n TOBN(0x645cb268, 0x74d5244c), TOBN(0xa127ee79, 0x348e3aa2)},\n {TOBN(0x488acc53, 0x575f1dbb), TOBN(0x95037e85, 0x80e6161e),\n TOBN(0x57e59283, 0x292650d0), TOBN(0xabe67d99, 0x14938216)}},\n {{TOBN(0x3c7f944b, 0x3f8e1065), TOBN(0xed908cb6, 0x330e8924),\n TOBN(0x08ee8fd5, 0x6f530136), TOBN(0x2227b7d5, 0xd7ffc169)},\n {TOBN(0x4f55c893, 0xb5cd6dd5), TOBN(0x82225e11, 0xa62796e8),\n TOBN(0x5c6cead1, 0xcb18e12c), TOBN(0x4381ae0c, 0x84f5a51a)}},\n {{TOBN(0x345913d3, 0x7fafa4c8), TOBN(0x3d918082, 0x0491aac0),\n TOBN(0x9347871f, 0x3e69264c), TOBN(0xbea9dd3c, 0xb4f4f0cd)},\n {TOBN(0xbda5d067, 0x3eadd3e7), TOBN(0x0033c1b8, 0x0573bcd8),\n TOBN(0x25589379, 0x5da2486c), TOBN(0xcb89ee5b, 0x86abbee7)}},\n {{TOBN(0x8fe0a8f3, 0x22532e5d), TOBN(0xb6410ff0, 0x727dfc4c),\n TOBN(0x619b9d58, 0x226726db), TOBN(0x5ec25669, 0x7a2b2dc7)},\n {TOBN(0xaf4d2e06, 0x4c3beb01), TOBN(0x852123d0, 0x7acea556),\n TOBN(0x0e9470fa, 0xf783487a), TOBN(0x75a7ea04, 0x5664b3eb)}},\n {{TOBN(0x4ad78f35, 0x6798e4ba), TOBN(0x9214e6e5, 0xc7d0e091),\n TOBN(0xc420b488, 0xb1290403), TOBN(0x64049e0a, 0xfc295749)},\n {TOBN(0x03ef5af1, 0x3ae9841f), TOBN(0xdbe4ca19, 0xb0b662a6),\n TOBN(0x46845c5f, 0xfa453458), TOBN(0xf8dabf19, 0x10b66722)}},\n {{TOBN(0xb650f0aa, 0xcce2793b), TOBN(0x71db851e, 0xc5ec47c1),\n TOBN(0x3eb78f3e, 0x3b234fa9), TOBN(0xb0c60f35, 0xfc0106ce)},\n {TOBN(0x05427121, 0x774eadbd), TOBN(0x25367faf, 0xce323863),\n TOBN(0x7541b5c9, 0xcd086976), TOBN(0x4ff069e2, 0xdc507ad1)}},\n {{TOBN(0x74145256, 0x8776e667), TOBN(0x6e76142c, 0xb23c6bb5),\n TOBN(0xdbf30712, 0x1b3a8a87), TOBN(0x60e7363e, 0x98450836)},\n {TOBN(0x5741450e, 0xb7366d80), TOBN(0xe4ee14ca, 0x4837dbdf),\n TOBN(0xa765eb9b, 0x69d4316f), TOBN(0x04548dca, 0x8ef43825)}},\n {{TOBN(0x9c9f4e4c, 0x5ae888eb), TOBN(0x733abb51, 0x56e9ac99),\n TOBN(0xdaad3c20, 0xba6ac029), TOBN(0x9b8dd3d3, 0x2ba3e38e)},\n {TOBN(0xa9bb4c92, 0x0bc5d11a), TOBN(0xf20127a7, 0x9c5f88a3),\n TOBN(0x4f52b06e, 0x161d3cb8), TOBN(0x26c1ff09, 0x6afaf0a6)}},\n {{TOBN(0x32670d2f, 0x7189e71f), TOBN(0xc6438748, 0x5ecf91e7),\n TOBN(0x15758e57, 0xdb757a21), TOBN(0x427d09f8, 0x290a9ce5)},\n {TOBN(0x846a308f, 0x38384a7a), TOBN(0xaac3acb4, 0xb0732b99),\n TOBN(0x9e941009, 0x17845819), TOBN(0x95cba111, 0xa7ce5e03)}},\n {{TOBN(0x6f3d4f7f, 0xb00009c4), TOBN(0xb8396c27, 0x8ff28b5f),\n TOBN(0xb1a9ae43, 0x1c97975d), TOBN(0x9d7ba8af, 0xe5d9fed5)},\n {TOBN(0x338cf09f, 0x34f485b6), TOBN(0xbc0ddacc, 0x64122516),\n TOBN(0xa450da12, 0x05d471fe), TOBN(0x4c3a6250, 0x628dd8c9)}},\n {{TOBN(0x69c7d103, 0xd1295837), TOBN(0xa2893e50, 0x3807eb2f),\n TOBN(0xd6e1e1de, 0xbdb41491), TOBN(0xc630745b, 0x5e138235)},\n {TOBN(0xc892109e, 0x48661ae1), TOBN(0x8d17e7eb, 0xea2b2674),\n TOBN(0x00ec0f87, 0xc328d6b5), TOBN(0x6d858645, 0xf079ff9e)}},\n {{TOBN(0x6cdf243e, 0x19115ead), TOBN(0x1ce1393e, 0x4bac4fcf),\n TOBN(0x2c960ed0, 0x9c29f25b), TOBN(0x59be4d8e, 0x9d388a05)},\n {TOBN(0x0d46e06c, 0xd0def72b), TOBN(0xb923db5d, 0xe0342748),\n TOBN(0xf7d3aacd, 0x936d4a3d), TOBN(0x558519cc, 0x0b0b099e)}},\n {{TOBN(0x3ea8ebf8, 0x827097ef), TOBN(0x259353db, 0xd054f55d),\n TOBN(0x84c89abc, 0x6d2ed089), TOBN(0x5c548b69, 0x8e096a7c)},\n {TOBN(0xd587f616, 0x994b995d), TOBN(0x4d1531f6, 0xa5845601),\n TOBN(0x792ab31e, 0x451fd9f0), TOBN(0xc8b57bb2, 0x65adf6ca)}},\n {{TOBN(0x68440fcb, 0x1cd5ad73), TOBN(0xb9c860e6, 0x6144da4f),\n TOBN(0x2ab286aa, 0x8462beb8), TOBN(0xcc6b8fff, 0xef46797f)},\n {TOBN(0xac820da4, 0x20c8a471), TOBN(0x69ae05a1, 0x77ff7faf),\n TOBN(0xb9163f39, 0xbfb5da77), TOBN(0xbd03e590, 0x2c73ab7a)}},\n {{TOBN(0x7e862b5e, 0xb2940d9e), TOBN(0x3c663d86, 0x4b9af564),\n TOBN(0xd8309031, 0xbde3033d), TOBN(0x298231b2, 0xd42c5bc6)},\n {TOBN(0x42090d2c, 0x552ad093), TOBN(0xa4799d1c, 0xff854695),\n TOBN(0x0a88b5d6, 0xd31f0d00), TOBN(0xf8b40825, 0xa2f26b46)}},\n {{TOBN(0xec29b1ed, 0xf1bd7218), TOBN(0xd491c53b, 0x4b24c86e),\n TOBN(0xd2fe588f, 0x3395ea65), TOBN(0x6f3764f7, 0x4456ef15)},\n {TOBN(0xdb43116d, 0xcdc34800), TOBN(0xcdbcd456, 0xc1e33955),\n TOBN(0xefdb5540, 0x74ab286b), TOBN(0x948c7a51, 0xd18c5d7c)}},\n {{TOBN(0xeb81aa37, 0x7378058e), TOBN(0x41c746a1, 0x04411154),\n TOBN(0xa10c73bc, 0xfb828ac7), TOBN(0x6439be91, 0x9d972b29)},\n {TOBN(0x4bf3b4b0, 0x43a2fbad), TOBN(0x39e6dadf, 0x82b5e840),\n TOBN(0x4f716408, 0x6397bd4c), TOBN(0x0f7de568, 0x7f1eeccb)}},\n {{TOBN(0x5865c5a1, 0xd2ffbfc1), TOBN(0xf74211fa, 0x4ccb6451),\n TOBN(0x66368a88, 0xc0b32558), TOBN(0x5b539dc2, 0x9ad7812e)},\n {TOBN(0x579483d0, 0x2f3af6f6), TOBN(0x52132078, 0x99934ece),\n TOBN(0x50b9650f, 0xdcc9e983), TOBN(0xca989ec9, 0xaee42b8a)}},\n {{TOBN(0x6a44c829, 0xd6f62f99), TOBN(0x8f06a309, 0x4c2a7c0c),\n TOBN(0x4ea2b3a0, 0x98a0cb0a), TOBN(0x5c547b70, 0xbeee8364)},\n {TOBN(0x461d40e1, 0x682afe11), TOBN(0x9e0fc77a, 0x7b41c0a8),\n TOBN(0x79e4aefd, 0xe20d5d36), TOBN(0x2916e520, 0x32dd9f63)}},\n {{TOBN(0xf59e52e8, 0x3f883faf), TOBN(0x396f9639, 0x2b868d35),\n TOBN(0xc902a9df, 0x4ca19881), TOBN(0x0fc96822, 0xdb2401a6)},\n {TOBN(0x41237587, 0x66f1c68d), TOBN(0x10fc6de3, 0xfb476c0d),\n TOBN(0xf8b6b579, 0x841f5d90), TOBN(0x2ba8446c, 0xfa24f44a)}},\n {{TOBN(0xa237b920, 0xef4a9975), TOBN(0x60bb6004, 0x2330435f),\n TOBN(0xd6f4ab5a, 0xcfb7e7b5), TOBN(0xb2ac5097, 0x83435391)},\n {TOBN(0xf036ee2f, 0xb0d1ea67), TOBN(0xae779a6a, 0x74c56230),\n TOBN(0x59bff8c8, 0xab838ae6), TOBN(0xcd83ca99, 0x9b38e6f0)}},\n {{TOBN(0xbb27bef5, 0xe33deed3), TOBN(0xe6356f6f, 0x001892a8),\n TOBN(0xbf3be6cc, 0x7adfbd3e), TOBN(0xaecbc81c, 0x33d1ac9d)},\n {TOBN(0xe4feb909, 0xe6e861dc), TOBN(0x90a247a4, 0x53f5f801),\n TOBN(0x01c50acb, 0x27346e57), TOBN(0xce29242e, 0x461acc1b)}},\n {{TOBN(0x04dd214a, 0x2f998a91), TOBN(0x271ee9b1, 0xd4baf27b),\n TOBN(0x7e3027d1, 0xe8c26722), TOBN(0x21d1645c, 0x1820dce5)},\n {TOBN(0x086f242c, 0x7501779c), TOBN(0xf0061407, 0xfa0e8009),\n TOBN(0xf23ce477, 0x60187129), TOBN(0x05bbdedb, 0x0fde9bd0)}},\n {{TOBN(0x682f4832, 0x25d98473), TOBN(0xf207fe85, 0x5c658427),\n TOBN(0xb6fdd7ba, 0x4166ffa1), TOBN(0x0c314056, 0x9eed799d)},\n {TOBN(0x0db8048f, 0x4107e28f), TOBN(0x74ed3871, 0x41216840),\n TOBN(0x74489f8f, 0x56a3c06e), TOBN(0x1e1c005b, 0x12777134)}},\n {{TOBN(0xdb332a73, 0xf37ec3c3), TOBN(0xc65259bd, 0xdd59eba0),\n TOBN(0x2291709c, 0xdb4d3257), TOBN(0x9a793b25, 0xbd389390)},\n {TOBN(0xf39fe34b, 0xe43756f0), TOBN(0x2f76bdce, 0x9afb56c9),\n TOBN(0x9f37867a, 0x61208b27), TOBN(0xea1d4307, 0x089972c3)}},\n {{TOBN(0x8c595330, 0x8bdf623a), TOBN(0x5f5accda, 0x8441fb7d),\n TOBN(0xfafa9418, 0x32ddfd95), TOBN(0x6ad40c5a, 0x0fde9be7)},\n {TOBN(0x43faba89, 0xaeca8709), TOBN(0xc64a7cf1, 0x2c248a9d),\n TOBN(0x16620252, 0x72637a76), TOBN(0xaee1c791, 0x22b8d1bb)}},\n {{TOBN(0xf0f798fd, 0x21a843b2), TOBN(0x56e4ed4d, 0x8d005cb1),\n TOBN(0x355f7780, 0x1f0d8abe), TOBN(0x197b04cf, 0x34522326)},\n {TOBN(0x41f9b31f, 0xfd42c13f), TOBN(0x5ef7feb2, 0xb40f933d),\n TOBN(0x27326f42, 0x5d60bad4), TOBN(0x027ecdb2, 0x8c92cf89)}},\n {{TOBN(0x04aae4d1, 0x4e3352fe), TOBN(0x08414d2f, 0x73591b90),\n TOBN(0x5ed6124e, 0xb7da7d60), TOBN(0xb985b931, 0x4d13d4ec)},\n {TOBN(0xa592d3ab, 0x96bf36f9), TOBN(0x012dbed5, 0xbbdf51df),\n TOBN(0xa57963c0, 0xdf6c177d), TOBN(0x010ec869, 0x87ca29cf)}},\n {{TOBN(0xba1700f6, 0xbf926dff), TOBN(0x7c9fdbd1, 0xf4bf6bc2),\n TOBN(0xdc18dc8f, 0x64da11f5), TOBN(0xa6074b7a, 0xd938ae75)},\n {TOBN(0x14270066, 0xe84f44a4), TOBN(0x99998d38, 0xd27b954e),\n TOBN(0xc1be8ab2, 0xb4f38e9a), TOBN(0x8bb55bbf, 0x15c01016)}},\n {{TOBN(0xf73472b4, 0x0ea2ab30), TOBN(0xd365a340, 0xf73d68dd),\n TOBN(0xc01a7168, 0x19c2e1eb), TOBN(0x32f49e37, 0x34061719)},\n {TOBN(0xb73c57f1, 0x01d8b4d6), TOBN(0x03c8423c, 0x26b47700),\n TOBN(0x321d0bc8, 0xa4d8826a), TOBN(0x6004213c, 0x4bc0e638)}},\n {{TOBN(0xf78c64a1, 0xc1c06681), TOBN(0x16e0a16f, 0xef018e50),\n TOBN(0x31cbdf91, 0xdb42b2b3), TOBN(0xf8f4ffce, 0xe0d36f58)},\n {TOBN(0xcdcc71cd, 0x4cc5e3e0), TOBN(0xd55c7cfa, 0xa129e3e0),\n TOBN(0xccdb6ba0, 0x0fb2cbf1), TOBN(0x6aba0005, 0xc4bce3cb)}},\n {{TOBN(0x501cdb30, 0xd232cfc4), TOBN(0x9ddcf12e, 0xd58a3cef),\n TOBN(0x02d2cf9c, 0x87e09149), TOBN(0xdc5d7ec7, 0x2c976257)},\n {TOBN(0x6447986e, 0x0b50d7dd), TOBN(0x88fdbaf7, 0x807f112a),\n TOBN(0x58c9822a, 0xb00ae9f6), TOBN(0x6abfb950, 0x6d3d27e0)}},\n {{TOBN(0xd0a74487, 0x8a429f4f), TOBN(0x0649712b, 0xdb516609),\n TOBN(0xb826ba57, 0xe769b5df), TOBN(0x82335df2, 0x1fc7aaf2)},\n {TOBN(0x2389f067, 0x5c93d995), TOBN(0x59ac367a, 0x68677be6),\n TOBN(0xa77985ff, 0x21d9951b), TOBN(0x038956fb, 0x85011cce)}},\n {{TOBN(0x608e48cb, 0xbb734e37), TOBN(0xc08c0bf2, 0x2be5b26f),\n TOBN(0x17bbdd3b, 0xf9b1a0d9), TOBN(0xeac7d898, 0x10483319)},\n {TOBN(0xc95c4baf, 0xbc1a6dea), TOBN(0xfdd0e2bf, 0x172aafdb),\n TOBN(0x40373cbc, 0x8235c41a), TOBN(0x14303f21, 0xfb6f41d5)}},\n {{TOBN(0xba063621, 0x0408f237), TOBN(0xcad3b09a, 0xecd2d1ed),\n TOBN(0x4667855a, 0x52abb6a2), TOBN(0xba9157dc, 0xaa8b417b)},\n {TOBN(0xfe7f3507, 0x4f013efb), TOBN(0x1b112c4b, 0xaa38c4a2),\n TOBN(0xa1406a60, 0x9ba64345), TOBN(0xe53cba33, 0x6993c80b)}},\n {{TOBN(0x45466063, 0xded40d23), TOBN(0x3d5f1f4d, 0x54908e25),\n TOBN(0x9ebefe62, 0x403c3c31), TOBN(0x274ea0b5, 0x0672a624)},\n {TOBN(0xff818d99, 0x451d1b71), TOBN(0x80e82643, 0x8f79cf79),\n TOBN(0xa165df13, 0x73ce37f5), TOBN(0xa744ef4f, 0xfe3a21fd)}},\n {{TOBN(0x73f1e7f5, 0xcf551396), TOBN(0xc616898e, 0x868c676b),\n TOBN(0x671c28c7, 0x8c442c36), TOBN(0xcfe5e558, 0x5e0a317d)},\n {TOBN(0x1242d818, 0x7051f476), TOBN(0x56fad2a6, 0x14f03442),\n TOBN(0x262068bc, 0x0a44d0f6), TOBN(0xdfa2cd6e, 0xce6edf4e)}},\n {{TOBN(0x0f43813a, 0xd15d1517), TOBN(0x61214cb2, 0x377d44f5),\n TOBN(0xd399aa29, 0xc639b35f), TOBN(0x42136d71, 0x54c51c19)},\n {TOBN(0x9774711b, 0x08417221), TOBN(0x0a5546b3, 0x52545a57),\n TOBN(0x80624c41, 0x1150582d), TOBN(0x9ec5c418, 0xfbc555bc)}},\n {{TOBN(0x2c87dcad, 0x771849f1), TOBN(0xb0c932c5, 0x01d7bf6f),\n TOBN(0x6aa5cd3e, 0x89116eb2), TOBN(0xd378c25a, 0x51ca7bd3)},\n {TOBN(0xc612a0da, 0x9e6e3e31), TOBN(0x0417a54d, 0xb68ad5d0),\n TOBN(0x00451e4a, 0x22c6edb8), TOBN(0x9fbfe019, 0xb42827ce)}},\n {{TOBN(0x2fa92505, 0xba9384a2), TOBN(0x21b8596e, 0x64ad69c1),\n TOBN(0x8f4fcc49, 0x983b35a6), TOBN(0xde093760, 0x72754672)},\n {TOBN(0x2f14ccc8, 0xf7bffe6d), TOBN(0x27566bff, 0x5d94263d),\n TOBN(0xb5b4e9c6, 0x2df3ec30), TOBN(0x94f1d7d5, 0x3e6ea6ba)}},\n {{TOBN(0x97b7851a, 0xaaca5e9b), TOBN(0x518aa521, 0x56713b97),\n TOBN(0x3357e8c7, 0x150a61f6), TOBN(0x7842e7e2, 0xec2c2b69)},\n {TOBN(0x8dffaf65, 0x6868a548), TOBN(0xd963bd82, 0xe068fc81),\n TOBN(0x64da5c8b, 0x65917733), TOBN(0x927090ff, 0x7b247328)}}},\n {{{TOBN(0x214bc9a7, 0xd298c241), TOBN(0xe3b697ba, 0x56807cfd),\n TOBN(0xef1c7802, 0x4564eadb), TOBN(0xdde8cdcf, 0xb48149c5)},\n {TOBN(0x946bf0a7, 0x5a4d2604), TOBN(0x27154d7f, 0x6c1538af),\n TOBN(0x95cc9230, 0xde5b1fcc), TOBN(0xd88519e9, 0x66864f82)}},\n {{TOBN(0xb828dd1a, 0x7cb1282c), TOBN(0xa08d7626, 0xbe46973a),\n TOBN(0x6baf8d40, 0xe708d6b2), TOBN(0x72571fa1, 0x4daeb3f3)},\n {TOBN(0x85b1732f, 0xf22dfd98), TOBN(0x87ab01a7, 0x0087108d),\n TOBN(0xaaaafea8, 0x5988207a), TOBN(0xccc832f8, 0x69f00755)}},\n {{TOBN(0x964d950e, 0x36ff3bf0), TOBN(0x8ad20f6f, 0xf0b34638),\n TOBN(0x4d9177b3, 0xb5d7585f), TOBN(0xcf839760, 0xef3f019f)},\n {TOBN(0x582fc5b3, 0x8288c545), TOBN(0x2f8e4e9b, 0x13116bd1),\n TOBN(0xf91e1b2f, 0x332120ef), TOBN(0xcf568724, 0x2a17dd23)}},\n {{TOBN(0x488f1185, 0xca8d9d1a), TOBN(0xadf2c77d, 0xd987ded2),\n TOBN(0x5f3039f0, 0x60c46124), TOBN(0xe5d70b75, 0x71e095f4)},\n {TOBN(0x82d58650, 0x6260e70f), TOBN(0x39d75ea7, 0xf750d105),\n TOBN(0x8cf3d0b1, 0x75bac364), TOBN(0xf3a7564d, 0x21d01329)}},\n {{TOBN(0x182f04cd, 0x2f52d2a7), TOBN(0x4fde149a, 0xe2df565a),\n TOBN(0xb80c5eec, 0xa79fb2f7), TOBN(0xab491d7b, 0x22ddc897)},\n {TOBN(0x99d76c18, 0xc6312c7f), TOBN(0xca0d5f3d, 0x6aa41a57),\n TOBN(0x71207325, 0xd15363a0), TOBN(0xe82aa265, 0xbeb252c2)}},\n {{TOBN(0x94ab4700, 0xec3128c2), TOBN(0x6c76d862, 0x8e383f49),\n TOBN(0xdc36b150, 0xc03024eb), TOBN(0xfb439477, 0x53daac69)},\n {TOBN(0xfc68764a, 0x8dc79623), TOBN(0x5b86995d, 0xb440fbb2),\n TOBN(0xd66879bf, 0xccc5ee0d), TOBN(0x05228942, 0x95aa8bd3)}},\n {{TOBN(0xb51a40a5, 0x1e6a75c1), TOBN(0x24327c76, 0x0ea7d817),\n TOBN(0x06630182, 0x07774597), TOBN(0xd6fdbec3, 0x97fa7164)},\n {TOBN(0x20c99dfb, 0x13c90f48), TOBN(0xd6ac5273, 0x686ef263),\n TOBN(0xc6a50bdc, 0xfef64eeb), TOBN(0xcd87b281, 0x86fdfc32)}},\n {{TOBN(0xb24aa43e, 0x3fcd3efc), TOBN(0xdd26c034, 0xb8088e9a),\n TOBN(0xa5ef4dc9, 0xbd3d46ea), TOBN(0xa2f99d58, 0x8a4c6a6f)},\n {TOBN(0xddabd355, 0x2f1da46c), TOBN(0x72c3f8ce, 0x1afacdd1),\n TOBN(0xd90c4eee, 0x92d40578), TOBN(0xd28bb41f, 0xca623b94)}},\n {{TOBN(0x50fc0711, 0x745edc11), TOBN(0x9dd9ad7d, 0x3dc87558),\n TOBN(0xce6931fb, 0xb49d1e64), TOBN(0x6c77a0a2, 0xc98bd0f9)},\n {TOBN(0x62b9a629, 0x6baf7cb1), TOBN(0xcf065f91, 0xccf72d22),\n TOBN(0x7203cce9, 0x79639071), TOBN(0x09ae4885, 0xf9cb732f)}},\n {{TOBN(0x5e7c3bec, 0xee8314f3), TOBN(0x1c068aed, 0xdbea298f),\n TOBN(0x08d381f1, 0x7c80acec), TOBN(0x03b56be8, 0xe330495b)},\n {TOBN(0xaeffb8f2, 0x9222882d), TOBN(0x95ff38f6, 0xc4af8bf7),\n TOBN(0x50e32d35, 0x1fc57d8c), TOBN(0x6635be52, 0x17b444f0)}},\n {{TOBN(0x04d15276, 0xa5177900), TOBN(0x4e1dbb47, 0xf6858752),\n TOBN(0x5b475622, 0xc615796c), TOBN(0xa6fa0387, 0x691867bf)},\n {TOBN(0xed7f5d56, 0x2844c6d0), TOBN(0xc633cf9b, 0x03a2477d),\n TOBN(0xf6be5c40, 0x2d3721d6), TOBN(0xaf312eb7, 0xe9fd68e6)}},\n {{TOBN(0x242792d2, 0xe7417ce1), TOBN(0xff42bc71, 0x970ee7f5),\n TOBN(0x1ff4dc6d, 0x5c67a41e), TOBN(0x77709b7b, 0x20882a58)},\n {TOBN(0x3554731d, 0xbe217f2c), TOBN(0x2af2a8cd, 0x5bb72177),\n TOBN(0x58eee769, 0x591dd059), TOBN(0xbb2930c9, 0x4bba6477)}},\n {{TOBN(0x863ee047, 0x7d930cfc), TOBN(0x4c262ad1, 0x396fd1f4),\n TOBN(0xf4765bc8, 0x039af7e1), TOBN(0x2519834b, 0x5ba104f6)},\n {TOBN(0x7cd61b4c, 0xd105f961), TOBN(0xa5415da5, 0xd63bca54),\n TOBN(0x778280a0, 0x88a1f17c), TOBN(0xc4968949, 0x2329512c)}},\n {{TOBN(0x174a9126, 0xcecdaa7a), TOBN(0xfc8c7e0e, 0x0b13247b),\n TOBN(0x29c110d2, 0x3484c1c4), TOBN(0xf8eb8757, 0x831dfc3b)},\n {TOBN(0x022f0212, 0xc0067452), TOBN(0x3f6f69ee, 0x7b9b926c),\n TOBN(0x09032da0, 0xef42daf4), TOBN(0x79f00ade, 0x83f80de4)}},\n {{TOBN(0x6210db71, 0x81236c97), TOBN(0x74f7685b, 0x3ee0781f),\n TOBN(0x4df7da7b, 0xa3e41372), TOBN(0x2aae38b1, 0xb1a1553e)},\n {TOBN(0x1688e222, 0xf6dd9d1b), TOBN(0x57695448, 0x5b8b6487),\n TOBN(0x478d2127, 0x4b2edeaa), TOBN(0xb2818fa5, 0x1e85956a)}},\n {{TOBN(0x1e6addda, 0xf176f2c0), TOBN(0x01ca4604, 0xe2572658),\n TOBN(0x0a404ded, 0x85342ffb), TOBN(0x8cf60f96, 0x441838d6)},\n {TOBN(0x9bbc691c, 0xc9071c4a), TOBN(0xfd588744, 0x34442803),\n TOBN(0x97101c85, 0x809c0d81), TOBN(0xa7fb754c, 0x8c456f7f)}},\n {{TOBN(0xc95f3c5c, 0xd51805e1), TOBN(0xab4ccd39, 0xb299dca8),\n TOBN(0x3e03d20b, 0x47eaf500), TOBN(0xfa3165c1, 0xd7b80893)},\n {TOBN(0x005e8b54, 0xe160e552), TOBN(0xdc4972ba, 0x9019d11f),\n TOBN(0x21a6972e, 0x0c9a4a7a), TOBN(0xa52c258f, 0x37840fd7)}},\n {{TOBN(0xf8559ff4, 0xc1e99d81), TOBN(0x08e1a7d6, 0xa3c617c0),\n TOBN(0xb398fd43, 0x248c6ba7), TOBN(0x6ffedd91, 0xd1283794)},\n {TOBN(0x8a6a59d2, 0xd629d208), TOBN(0xa9d141d5, 0x3490530e),\n TOBN(0x42f6fc18, 0x38505989), TOBN(0x09bf250d, 0x479d94ee)}},\n {{TOBN(0x223ad3b1, 0xb3822790), TOBN(0x6c5926c0, 0x93b8971c),\n TOBN(0x609efc7e, 0x75f7fa62), TOBN(0x45d66a6d, 0x1ec2d989)},\n {TOBN(0x4422d663, 0x987d2792), TOBN(0x4a73caad, 0x3eb31d2b),\n TOBN(0xf06c2ac1, 0xa32cb9e6), TOBN(0xd9445c5f, 0x91aeba84)}},\n {{TOBN(0x6af7a1d5, 0xaf71013f), TOBN(0xe68216e5, 0x0bedc946),\n TOBN(0xf4cba30b, 0xd27370a0), TOBN(0x7981afbf, 0x870421cc)},\n {TOBN(0x02496a67, 0x9449f0e1), TOBN(0x86cfc4be, 0x0a47edae),\n TOBN(0x3073c936, 0xb1feca22), TOBN(0xf5694612, 0x03f8f8fb)}},\n {{TOBN(0xd063b723, 0x901515ea), TOBN(0x4c6c77a5, 0x749cf038),\n TOBN(0x6361e360, 0xab9e5059), TOBN(0x596cf171, 0xa76a37c0)},\n {TOBN(0x800f53fa, 0x6530ae7a), TOBN(0x0f5e631e, 0x0792a7a6),\n TOBN(0x5cc29c24, 0xefdb81c9), TOBN(0xa269e868, 0x3f9c40ba)}},\n {{TOBN(0xec14f9e1, 0x2cb7191e), TOBN(0x78ea1bd8, 0xe5b08ea6),\n TOBN(0x3c65aa9b, 0x46332bb9), TOBN(0x84cc22b3, 0xbf80ce25)},\n {TOBN(0x0098e9e9, 0xd49d5bf1), TOBN(0xcd4ec1c6, 0x19087da4),\n TOBN(0x3c9d07c5, 0xaef6e357), TOBN(0x839a0268, 0x9f8f64b8)}},\n {{TOBN(0xc5e9eb62, 0xc6d8607f), TOBN(0x759689f5, 0x6aa995e4),\n TOBN(0x70464669, 0xbbb48317), TOBN(0x921474bf, 0xe402417d)},\n {TOBN(0xcabe135b, 0x2a354c8c), TOBN(0xd51e52d2, 0x812fa4b5),\n TOBN(0xec741096, 0x53311fe8), TOBN(0x4f774535, 0xb864514b)}},\n {{TOBN(0xbcadd671, 0x5bde48f8), TOBN(0xc9703873, 0x2189bc7d),\n TOBN(0x5d45299e, 0xc709ee8a), TOBN(0xd1287ee2, 0x845aaff8)},\n {TOBN(0x7d1f8874, 0xdb1dbf1f), TOBN(0xea46588b, 0x990c88d6),\n TOBN(0x60ba649a, 0x84368313), TOBN(0xd5fdcbce, 0x60d543ae)}},\n {{TOBN(0x90b46d43, 0x810d5ab0), TOBN(0x6739d8f9, 0x04d7e5cc),\n TOBN(0x021c1a58, 0x0d337c33), TOBN(0x00a61162, 0x68e67c40)},\n {TOBN(0x95ef413b, 0x379f0a1f), TOBN(0xfe126605, 0xe9e2ab95),\n TOBN(0x67578b85, 0x2f5f199c), TOBN(0xf5c00329, 0x2cb84913)}},\n {{TOBN(0xf7956430, 0x37577dd8), TOBN(0x83b82af4, 0x29c5fe88),\n TOBN(0x9c1bea26, 0xcdbdc132), TOBN(0x589fa086, 0x9c04339e)},\n {TOBN(0x033e9538, 0xb13799df), TOBN(0x85fa8b21, 0xd295d034),\n TOBN(0xdf17f73f, 0xbd9ddcca), TOBN(0xf32bd122, 0xddb66334)}},\n {{TOBN(0x55ef88a7, 0x858b044c), TOBN(0x1f0d69c2, 0x5aa9e397),\n TOBN(0x55fd9cc3, 0x40d85559), TOBN(0xc774df72, 0x7785ddb2)},\n {TOBN(0x5dcce9f6, 0xd3bd2e1c), TOBN(0xeb30da20, 0xa85dfed0),\n TOBN(0x5ed7f5bb, 0xd3ed09c4), TOBN(0x7d42a35c, 0x82a9c1bd)}},\n {{TOBN(0xcf3de995, 0x9890272d), TOBN(0x75f3432a, 0x3e713a10),\n TOBN(0x5e13479f, 0xe28227b8), TOBN(0xb8561ea9, 0xfefacdc8)},\n {TOBN(0xa6a297a0, 0x8332aafd), TOBN(0x9b0d8bb5, 0x73809b62),\n TOBN(0xd2fa1cfd, 0x0c63036f), TOBN(0x7a16eb55, 0xbd64bda8)}},\n {{TOBN(0x3f5cf5f6, 0x78e62ddc), TOBN(0x2267c454, 0x07fd752b),\n TOBN(0x5e361b6b, 0x5e437bbe), TOBN(0x95c59501, 0x8354e075)},\n {TOBN(0xec725f85, 0xf2b254d9), TOBN(0x844b617d, 0x2cb52b4e),\n TOBN(0xed8554f5, 0xcf425fb5), TOBN(0xab67703e, 0x2af9f312)}},\n {{TOBN(0x4cc34ec1, 0x3cf48283), TOBN(0xb09daa25, 0x9c8a705e),\n TOBN(0xd1e9d0d0, 0x5b7d4f84), TOBN(0x4df6ef64, 0xdb38929d)},\n {TOBN(0xe16b0763, 0xaa21ba46), TOBN(0xc6b1d178, 0xa293f8fb),\n TOBN(0x0ff5b602, 0xd520aabf), TOBN(0x94d671bd, 0xc339397a)}},\n {{TOBN(0x7c7d98cf, 0x4f5792fa), TOBN(0x7c5e0d67, 0x11215261),\n TOBN(0x9b19a631, 0xa7c5a6d4), TOBN(0xc8511a62, 0x7a45274d)},\n {TOBN(0x0c16621c, 0xa5a60d99), TOBN(0xf7fbab88, 0xcf5e48cb),\n TOBN(0xab1e6ca2, 0xf7ddee08), TOBN(0x83bd08ce, 0xe7867f3c)}},\n {{TOBN(0xf7e48e8a, 0x2ac13e27), TOBN(0x4494f6df, 0x4eb1a9f5),\n TOBN(0xedbf84eb, 0x981f0a62), TOBN(0x49badc32, 0x536438f0)},\n {TOBN(0x50bea541, 0x004f7571), TOBN(0xbac67d10, 0xdf1c94ee),\n TOBN(0x253d73a1, 0xb727bc31), TOBN(0xb3d01cf2, 0x30686e28)}},\n {{TOBN(0x51b77b1b, 0x55fd0b8b), TOBN(0xa099d183, 0xfeec3173),\n TOBN(0x202b1fb7, 0x670e72b7), TOBN(0xadc88b33, 0xa8e1635f)},\n {TOBN(0x34e8216a, 0xf989d905), TOBN(0xc2e68d20, 0x29b58d01),\n TOBN(0x11f81c92, 0x6fe55a93), TOBN(0x15f1462a, 0x8f296f40)}},\n {{TOBN(0x1915d375, 0xea3d62f2), TOBN(0xa17765a3, 0x01c8977d),\n TOBN(0x7559710a, 0xe47b26f6), TOBN(0xe0bd29c8, 0x535077a5)},\n {TOBN(0x615f976d, 0x08d84858), TOBN(0x370dfe85, 0x69ced5c1),\n TOBN(0xbbc7503c, 0xa734fa56), TOBN(0xfbb9f1ec, 0x91ac4574)}},\n {{TOBN(0x95d7ec53, 0x060dd7ef), TOBN(0xeef2dacd, 0x6e657979),\n TOBN(0x54511af3, 0xe2a08235), TOBN(0x1e324aa4, 0x1f4aea3d)},\n {TOBN(0x550e7e71, 0xe6e67671), TOBN(0xbccd5190, 0xbf52faf7),\n TOBN(0xf880d316, 0x223cc62a), TOBN(0x0d402c7e, 0x2b32eb5d)}},\n {{TOBN(0xa40bc039, 0x306a5a3b), TOBN(0x4e0a41fd, 0x96783a1b),\n TOBN(0xa1e8d39a, 0x0253cdd4), TOBN(0x6480be26, 0xc7388638)},\n {TOBN(0xee365e1d, 0x2285f382), TOBN(0x188d8d8f, 0xec0b5c36),\n TOBN(0x34ef1a48, 0x1f0f4d82), TOBN(0x1a8f43e1, 0xa487d29a)}},\n {{TOBN(0x8168226d, 0x77aefb3a), TOBN(0xf69a751e, 0x1e72c253),\n TOBN(0x8e04359a, 0xe9594df1), TOBN(0x475ffd7d, 0xd14c0467)},\n {TOBN(0xb5a2c2b1, 0x3844e95c), TOBN(0x85caf647, 0xdd12ef94),\n TOBN(0x1ecd2a9f, 0xf1063d00), TOBN(0x1dd2e229, 0x23843311)}},\n {{TOBN(0x38f0e09d, 0x73d17244), TOBN(0x3ede7746, 0x8fc653f1),\n TOBN(0xae4459f5, 0xdc20e21c), TOBN(0x00db2ffa, 0x6a8599ea)},\n {TOBN(0x11682c39, 0x30cfd905), TOBN(0x4934d074, 0xa5c112a6),\n TOBN(0xbdf063c5, 0x568bfe95), TOBN(0x779a440a, 0x016c441a)}},\n {{TOBN(0x0c23f218, 0x97d6fbdc), TOBN(0xd3a5cd87, 0xe0776aac),\n TOBN(0xcee37f72, 0xd712e8db), TOBN(0xfb28c70d, 0x26f74e8d)},\n {TOBN(0xffe0c728, 0xb61301a0), TOBN(0xa6282168, 0xd3724354),\n TOBN(0x7ff4cb00, 0x768ffedc), TOBN(0xc51b3088, 0x03b02de9)}},\n {{TOBN(0xa5a8147c, 0x3902dda5), TOBN(0x35d2f706, 0xfe6973b4),\n TOBN(0x5ac2efcf, 0xc257457e), TOBN(0x933f48d4, 0x8700611b)},\n {TOBN(0xc365af88, 0x4912beb2), TOBN(0x7f5a4de6, 0x162edf94),\n TOBN(0xc646ba7c, 0x0c32f34b), TOBN(0x632c6af3, 0xb2091074)}},\n {{TOBN(0x58d4f2e3, 0x753e43a9), TOBN(0x70e1d217, 0x24d4e23f),\n TOBN(0xb24bf729, 0xafede6a6), TOBN(0x7f4a94d8, 0x710c8b60)},\n {TOBN(0xaad90a96, 0x8d4faa6a), TOBN(0xd9ed0b32, 0xb066b690),\n TOBN(0x52fcd37b, 0x78b6dbfd), TOBN(0x0b64615e, 0x8bd2b431)}},\n {{TOBN(0x228e2048, 0xcfb9fad5), TOBN(0xbeaa386d, 0x240b76bd),\n TOBN(0x2d6681c8, 0x90dad7bc), TOBN(0x3e553fc3, 0x06d38f5e)},\n {TOBN(0xf27cdb9b, 0x9d5f9750), TOBN(0x3e85c52a, 0xd28c5b0e),\n TOBN(0x190795af, 0x5247c39b), TOBN(0x547831eb, 0xbddd6828)}},\n {{TOBN(0xf327a227, 0x4a82f424), TOBN(0x36919c78, 0x7e47f89d),\n TOBN(0xe4783919, 0x43c7392c), TOBN(0xf101b9aa, 0x2316fefe)},\n {TOBN(0xbcdc9e9c, 0x1c5009d2), TOBN(0xfb55ea13, 0x9cd18345),\n TOBN(0xf5b5e231, 0xa3ce77c7), TOBN(0xde6b4527, 0xd2f2cb3d)}},\n {{TOBN(0x10f6a333, 0x9bb26f5f), TOBN(0x1e85db8e, 0x044d85b6),\n TOBN(0xc3697a08, 0x94197e54), TOBN(0x65e18cc0, 0xa7cb4ea8)},\n {TOBN(0xa38c4f50, 0xa471fe6e), TOBN(0xf031747a, 0x2f13439c),\n TOBN(0x53c4a6ba, 0xc007318b), TOBN(0xa8da3ee5, 0x1deccb3d)}},\n {{TOBN(0x0555b31c, 0x558216b1), TOBN(0x90c7810c, 0x2f79e6c2),\n TOBN(0x9b669f4d, 0xfe8eed3c), TOBN(0x70398ec8, 0xe0fac126)},\n {TOBN(0xa96a449e, 0xf701b235), TOBN(0x0ceecdb3, 0xeb94f395),\n TOBN(0x285fc368, 0xd0cb7431), TOBN(0x0d37bb52, 0x16a18c64)}},\n {{TOBN(0x05110d38, 0xb880d2dd), TOBN(0xa60f177b, 0x65930d57),\n TOBN(0x7da34a67, 0xf36235f5), TOBN(0x47f5e17c, 0x183816b9)},\n {TOBN(0xc7664b57, 0xdb394af4), TOBN(0x39ba215d, 0x7036f789),\n TOBN(0x46d2ca0e, 0x2f27b472), TOBN(0xc42647ee, 0xf73a84b7)}},\n {{TOBN(0x44bc7545, 0x64488f1d), TOBN(0xaa922708, 0xf4cf85d5),\n TOBN(0x721a01d5, 0x53e4df63), TOBN(0x649c0c51, 0x5db46ced)},\n {TOBN(0x6bf0d64e, 0x3cffcb6c), TOBN(0xe3bf93fe, 0x50f71d96),\n TOBN(0x75044558, 0xbcc194a0), TOBN(0x16ae3372, 0x6afdc554)}},\n {{TOBN(0xbfc01adf, 0x5ca48f3f), TOBN(0x64352f06, 0xe22a9b84),\n TOBN(0xcee54da1, 0xc1099e4a), TOBN(0xbbda54e8, 0xfa1b89c0)},\n {TOBN(0x166a3df5, 0x6f6e55fb), TOBN(0x1ca44a24, 0x20176f88),\n TOBN(0x936afd88, 0xdfb7b5ff), TOBN(0xe34c2437, 0x8611d4a0)}},\n {{TOBN(0x7effbb75, 0x86142103), TOBN(0x6704ba1b, 0x1f34fc4d),\n TOBN(0x7c2a468f, 0x10c1b122), TOBN(0x36b3a610, 0x8c6aace9)},\n {TOBN(0xabfcc0a7, 0x75a0d050), TOBN(0x066f9197, 0x3ce33e32),\n TOBN(0xce905ef4, 0x29fe09be), TOBN(0x89ee25ba, 0xa8376351)}},\n {{TOBN(0x2a3ede22, 0xfd29dc76), TOBN(0x7fd32ed9, 0x36f17260),\n TOBN(0x0cadcf68, 0x284b4126), TOBN(0x63422f08, 0xa7951fc8)},\n {TOBN(0x562b24f4, 0x0807e199), TOBN(0xfe9ce5d1, 0x22ad4490),\n TOBN(0xc2f51b10, 0x0db2b1b4), TOBN(0xeb3613ff, 0xe4541d0d)}},\n {{TOBN(0xbd2c4a05, 0x2680813b), TOBN(0x527aa55d, 0x561b08d6),\n TOBN(0xa9f8a40e, 0xa7205558), TOBN(0xe3eea56f, 0x243d0bec)},\n {TOBN(0x7b853817, 0xa0ff58b3), TOBN(0xb67d3f65, 0x1a69e627),\n TOBN(0x0b76bbb9, 0xa869b5d6), TOBN(0xa3afeb82, 0x546723ed)}},\n {{TOBN(0x5f24416d, 0x3e554892), TOBN(0x8413b53d, 0x430e2a45),\n TOBN(0x99c56aee, 0x9032a2a0), TOBN(0x09432bf6, 0xeec367b1)},\n {TOBN(0x552850c6, 0xdaf0ecc1), TOBN(0x49ebce55, 0x5bc92048),\n TOBN(0xdfb66ba6, 0x54811307), TOBN(0x1b84f797, 0x6f298597)}},\n {{TOBN(0x79590481, 0x8d1d7a0d), TOBN(0xd9fabe03, 0x3a6fa556),\n TOBN(0xa40f9c59, 0xba9e5d35), TOBN(0xcb1771c1, 0xf6247577)},\n {TOBN(0x542a47ca, 0xe9a6312b), TOBN(0xa34b3560, 0x552dd8c5),\n TOBN(0xfdf94de0, 0x0d794716), TOBN(0xd46124a9, 0x9c623094)}},\n {{TOBN(0x56b7435d, 0x68afe8b4), TOBN(0x27f20540, 0x6c0d8ea1),\n TOBN(0x12b77e14, 0x73186898), TOBN(0xdbc3dd46, 0x7479490f)},\n {TOBN(0x951a9842, 0xc03b0c05), TOBN(0x8b1b3bb3, 0x7921bc96),\n TOBN(0xa573b346, 0x2b202e0a), TOBN(0x77e4665d, 0x47254d56)}},\n {{TOBN(0x08b70dfc, 0xd23e3984), TOBN(0xab86e8bc, 0xebd14236),\n TOBN(0xaa3e07f8, 0x57114ba7), TOBN(0x5ac71689, 0xab0ef4f2)},\n {TOBN(0x88fca384, 0x0139d9af), TOBN(0x72733f88, 0x76644af0),\n TOBN(0xf122f72a, 0x65d74f4a), TOBN(0x13931577, 0xa5626c7a)}},\n {{TOBN(0xd5b5d9eb, 0x70f8d5a4), TOBN(0x375adde7, 0xd7bbb228),\n TOBN(0x31e88b86, 0x0c1c0b32), TOBN(0xd1f568c4, 0x173edbaa)},\n {TOBN(0x1592fc83, 0x5459df02), TOBN(0x2beac0fb, 0x0fcd9a7e),\n TOBN(0xb0a6fdb8, 0x1b473b0a), TOBN(0xe3224c6f, 0x0fe8fc48)}},\n {{TOBN(0x680bd00e, 0xe87edf5b), TOBN(0x30385f02, 0x20e77cf5),\n TOBN(0xe9ab98c0, 0x4d42d1b2), TOBN(0x72d191d2, 0xd3816d77)},\n {TOBN(0x1564daca, 0x0917d9e5), TOBN(0x394eab59, 0x1f8fed7f),\n TOBN(0xa209aa8d, 0x7fbb3896), TOBN(0x5564f3b9, 0xbe6ac98e)}},\n {{TOBN(0xead21d05, 0xd73654ef), TOBN(0x68d1a9c4, 0x13d78d74),\n TOBN(0x61e01708, 0x6d4973a0), TOBN(0x83da3500, 0x46e6d32a)},\n {TOBN(0x6a3dfca4, 0x68ae0118), TOBN(0xa1b9a4c9, 0xd02da069),\n TOBN(0x0b2ff9c7, 0xebab8302), TOBN(0x98af07c3, 0x944ba436)}},\n {{TOBN(0x85997326, 0x995f0f9f), TOBN(0x467fade0, 0x71b58bc6),\n TOBN(0x47e4495a, 0xbd625a2b), TOBN(0xfdd2d01d, 0x33c3b8cd)},\n {TOBN(0x2c38ae28, 0xc693f9fa), TOBN(0x48622329, 0x348f7999),\n TOBN(0x97bf738e, 0x2161f583), TOBN(0x15ee2fa7, 0x565e8cc9)}},\n {{TOBN(0xa1a5c845, 0x5777e189), TOBN(0xcc10bee0, 0x456f2829),\n TOBN(0x8ad95c56, 0xda762bd5), TOBN(0x152e2214, 0xe9d91da8)},\n {TOBN(0x975b0e72, 0x7cb23c74), TOBN(0xfd5d7670, 0xa90c66df),\n TOBN(0xb5b5b8ad, 0x225ffc53), TOBN(0xab6dff73, 0xfaded2ae)}},\n {{TOBN(0xebd56781, 0x6f4cbe9d), TOBN(0x0ed8b249, 0x6a574bd7),\n TOBN(0x41c246fe, 0x81a881fa), TOBN(0x91564805, 0xc3db9c70)},\n {TOBN(0xd7c12b08, 0x5b862809), TOBN(0x1facd1f1, 0x55858d7b),\n TOBN(0x7693747c, 0xaf09e92a), TOBN(0x3b69dcba, 0x189a425f)}},\n {{TOBN(0x0be28e9f, 0x967365ef), TOBN(0x57300eb2, 0xe801f5c9),\n TOBN(0x93b8ac6a, 0xd583352f), TOBN(0xa2cf1f89, 0xcd05b2b7)},\n {TOBN(0x7c0c9b74, 0x4dcc40cc), TOBN(0xfee38c45, 0xada523fb),\n TOBN(0xb49a4dec, 0x1099cc4d), TOBN(0x325c377f, 0x69f069c6)}},\n {{TOBN(0xe12458ce, 0x476cc9ff), TOBN(0x580e0b6c, 0xc6d4cb63),\n TOBN(0xd561c8b7, 0x9072289b), TOBN(0x0377f264, 0xa619e6da)},\n {TOBN(0x26685362, 0x88e591a5), TOBN(0xa453a7bd, 0x7523ca2b),\n TOBN(0x8a9536d2, 0xc1df4533), TOBN(0xc8e50f2f, 0xbe972f79)}},\n {{TOBN(0xd433e50f, 0x6d3549cf), TOBN(0x6f33696f, 0xfacd665e),\n TOBN(0x695bfdac, 0xce11fcb4), TOBN(0x810ee252, 0xaf7c9860)},\n {TOBN(0x65450fe1, 0x7159bb2c), TOBN(0xf7dfbebe, 0x758b357b),\n TOBN(0x2b057e74, 0xd69fea72), TOBN(0xd485717a, 0x92731745)}}},\n {{{TOBN(0x896c42e8, 0xee36860c), TOBN(0xdaf04dfd, 0x4113c22d),\n TOBN(0x1adbb7b7, 0x44104213), TOBN(0xe5fd5fa1, 0x1fd394ea)},\n {TOBN(0x68235d94, 0x1a4e0551), TOBN(0x6772cfbe, 0x18d10151),\n TOBN(0x276071e3, 0x09984523), TOBN(0xe4e879de, 0x5a56ba98)}},\n {{TOBN(0xaaafafb0, 0x285b9491), TOBN(0x01a0be88, 0x1e4c705e),\n TOBN(0xff1d4f5d, 0x2ad9caab), TOBN(0x6e349a4a, 0xc37a233f)},\n {TOBN(0xcf1c1246, 0x4a1c6a16), TOBN(0xd99e6b66, 0x29383260),\n TOBN(0xea3d4366, 0x5f6d5471), TOBN(0x36974d04, 0xff8cc89b)}},\n {{TOBN(0xc26c49a1, 0xcfe89d80), TOBN(0xb42c026d, 0xda9c8371),\n TOBN(0xca6c013a, 0xdad066d2), TOBN(0xfb8f7228, 0x56a4f3ee)},\n {TOBN(0x08b579ec, 0xd850935b), TOBN(0x34c1a74c, 0xd631e1b3),\n TOBN(0xcb5fe596, 0xac198534), TOBN(0x39ff21f6, 0xe1f24f25)}},\n {{TOBN(0x27f29e14, 0x8f929057), TOBN(0x7a64ae06, 0xc0c853df),\n TOBN(0x256cd183, 0x58e9c5ce), TOBN(0x9d9cce82, 0xded092a5)},\n {TOBN(0xcc6e5979, 0x6e93b7c7), TOBN(0xe1e47092, 0x31bb9e27),\n TOBN(0xb70b3083, 0xaa9e29a0), TOBN(0xbf181a75, 0x3785e644)}},\n {{TOBN(0xf53f2c65, 0x8ead09f7), TOBN(0x1335e1d5, 0x9780d14d),\n TOBN(0x69cc20e0, 0xcd1b66bc), TOBN(0x9b670a37, 0xbbe0bfc8)},\n {TOBN(0xce53dc81, 0x28efbeed), TOBN(0x0c74e77c, 0x8326a6e5),\n TOBN(0x3604e0d2, 0xb88e9a63), TOBN(0xbab38fca, 0x13dc2248)}},\n {{TOBN(0x8ed6e8c8, 0x5c0a3f1e), TOBN(0xbcad2492, 0x7c87c37f),\n TOBN(0xfdfb62bb, 0x9ee3b78d), TOBN(0xeba8e477, 0xcbceba46)},\n {TOBN(0x37d38cb0, 0xeeaede4b), TOBN(0x0bc498e8, 0x7976deb6),\n TOBN(0xb2944c04, 0x6b6147fb), TOBN(0x8b123f35, 0xf71f9609)}},\n {{TOBN(0xa155dcc7, 0xde79dc24), TOBN(0xf1168a32, 0x558f69cd),\n TOBN(0xbac21595, 0x0d1850df), TOBN(0x15c8295b, 0xb204c848)},\n {TOBN(0xf661aa36, 0x7d8184ff), TOBN(0xc396228e, 0x30447bdb),\n TOBN(0x11cd5143, 0xbde4a59e), TOBN(0xe3a26e3b, 0x6beab5e6)}},\n {{TOBN(0xd3b3a13f, 0x1402b9d0), TOBN(0x573441c3, 0x2c7bc863),\n TOBN(0x4b301ec4, 0x578c3e6e), TOBN(0xc26fc9c4, 0x0adaf57e)},\n {TOBN(0x96e71bfd, 0x7493cea3), TOBN(0xd05d4b3f, 0x1af81456),\n TOBN(0xdaca2a8a, 0x6a8c608f), TOBN(0x53ef07f6, 0x0725b276)}},\n {{TOBN(0x07a5fbd2, 0x7824fc56), TOBN(0x34675218, 0x13289077),\n TOBN(0x5bf69fd5, 0xe0c48349), TOBN(0xa613ddd3, 0xb6aa7875)},\n {TOBN(0x7f78c19c, 0x5450d866), TOBN(0x46f4409c, 0x8f84a481),\n TOBN(0x9f1d1928, 0x90fce239), TOBN(0x016c4168, 0xb2ce44b9)}},\n {{TOBN(0xbae023f0, 0xc7435978), TOBN(0xb152c888, 0x20e30e19),\n TOBN(0x9c241645, 0xe3fa6faf), TOBN(0x735d95c1, 0x84823e60)},\n {TOBN(0x03197573, 0x03955317), TOBN(0x0b4b02a9, 0xf03b4995),\n TOBN(0x076bf559, 0x70274600), TOBN(0x32c5cc53, 0xaaf57508)}},\n {{TOBN(0xe8af6d1f, 0x60624129), TOBN(0xb7bc5d64, 0x9a5e2b5e),\n TOBN(0x3814b048, 0x5f082d72), TOBN(0x76f267f2, 0xce19677a)},\n {TOBN(0x626c630f, 0xb36eed93), TOBN(0x55230cd7, 0x3bf56803),\n TOBN(0x78837949, 0xce2736a0), TOBN(0x0d792d60, 0xaa6c55f1)}},\n {{TOBN(0x0318dbfd, 0xd5c7c5d2), TOBN(0xb38f8da7, 0x072b342d),\n TOBN(0x3569bddc, 0x7b8de38a), TOBN(0xf25b5887, 0xa1c94842)},\n {TOBN(0xb2d5b284, 0x2946ad60), TOBN(0x854f29ad, 0xe9d1707e),\n TOBN(0xaa5159dc, 0x2c6a4509), TOBN(0x899f94c0, 0x57189837)}},\n {{TOBN(0xcf6adc51, 0xf4a55b03), TOBN(0x261762de, 0x35e3b2d5),\n TOBN(0x4cc43012, 0x04827b51), TOBN(0xcd22a113, 0xc6021442)},\n {TOBN(0xce2fd61a, 0x247c9569), TOBN(0x59a50973, 0xd152beca),\n TOBN(0x6c835a11, 0x63a716d4), TOBN(0xc26455ed, 0x187dedcf)}},\n {{TOBN(0x27f536e0, 0x49ce89e7), TOBN(0x18908539, 0xcc890cb5),\n TOBN(0x308909ab, 0xd83c2aa1), TOBN(0xecd3142b, 0x1ab73bd3)},\n {TOBN(0x6a85bf59, 0xb3f5ab84), TOBN(0x3c320a68, 0xf2bea4c6),\n TOBN(0xad8dc538, 0x6da4541f), TOBN(0xeaf34eb0, 0xb7c41186)}},\n {{TOBN(0x1c780129, 0x977c97c4), TOBN(0x5ff9beeb, 0xc57eb9fa),\n TOBN(0xa24d0524, 0xc822c478), TOBN(0xfd8eec2a, 0x461cd415)},\n {TOBN(0xfbde194e, 0xf027458c), TOBN(0xb4ff5319, 0x1d1be115),\n TOBN(0x63f874d9, 0x4866d6f4), TOBN(0x35c75015, 0xb21ad0c9)}},\n {{TOBN(0xa6b5c9d6, 0x46ac49d2), TOBN(0x42c77c0b, 0x83137aa9),\n TOBN(0x24d000fc, 0x68225a38), TOBN(0x0f63cfc8, 0x2fe1e907)},\n {TOBN(0x22d1b01b, 0xc6441f95), TOBN(0x7d38f719, 0xec8e448f),\n TOBN(0x9b33fa5f, 0x787fb1ba), TOBN(0x94dcfda1, 0x190158df)}},\n {{TOBN(0xc47cb339, 0x5f6d4a09), TOBN(0x6b4f355c, 0xee52b826),\n TOBN(0x3d100f5d, 0xf51b930a), TOBN(0xf4512fac, 0x9f668f69)},\n {TOBN(0x546781d5, 0x206c4c74), TOBN(0xd021d4d4, 0xcb4d2e48),\n TOBN(0x494a54c2, 0xca085c2d), TOBN(0xf1dbaca4, 0x520850a8)}},\n {{TOBN(0x63c79326, 0x490a1aca), TOBN(0xcb64dd9c, 0x41526b02),\n TOBN(0xbb772591, 0xa2979258), TOBN(0x3f582970, 0x48d97846)},\n {TOBN(0xd66b70d1, 0x7c213ba7), TOBN(0xc28febb5, 0xe8a0ced4),\n TOBN(0x6b911831, 0xc10338c1), TOBN(0x0d54e389, 0xbf0126f3)}},\n {{TOBN(0x7048d460, 0x4af206ee), TOBN(0x786c88f6, 0x77e97cb9),\n TOBN(0xd4375ae1, 0xac64802e), TOBN(0x469bcfe1, 0xd53ec11c)},\n {TOBN(0xfc9b340d, 0x47062230), TOBN(0xe743bb57, 0xc5b4a3ac),\n TOBN(0xfe00b4aa, 0x59ef45ac), TOBN(0x29a4ef23, 0x59edf188)}},\n {{TOBN(0x40242efe, 0xb483689b), TOBN(0x2575d3f6, 0x513ac262),\n TOBN(0xf30037c8, 0x0ca6db72), TOBN(0xc9fcce82, 0x98864be2)},\n {TOBN(0x84a112ff, 0x0149362d), TOBN(0x95e57582, 0x1c4ae971),\n TOBN(0x1fa4b1a8, 0x945cf86c), TOBN(0x4525a734, 0x0b024a2f)}},\n {{TOBN(0xe76c8b62, 0x8f338360), TOBN(0x483ff593, 0x28edf32b),\n TOBN(0x67e8e90a, 0x298b1aec), TOBN(0x9caab338, 0x736d9a21)},\n {TOBN(0x5c09d2fd, 0x66892709), TOBN(0x2496b4dc, 0xb55a1d41),\n TOBN(0x93f5fb1a, 0xe24a4394), TOBN(0x08c75049, 0x6fa8f6c1)}},\n {{TOBN(0xcaead1c2, 0xc905d85f), TOBN(0xe9d7f790, 0x0733ae57),\n TOBN(0x24c9a65c, 0xf07cdd94), TOBN(0x7389359c, 0xa4b55931)},\n {TOBN(0xf58709b7, 0x367e45f7), TOBN(0x1f203067, 0xcb7e7adc),\n TOBN(0x82444bff, 0xc7b72818), TOBN(0x07303b35, 0xbaac8033)}},\n {{TOBN(0x1e1ee4e4, 0xd13b7ea1), TOBN(0xe6489b24, 0xe0e74180),\n TOBN(0xa5f2c610, 0x7e70ef70), TOBN(0xa1655412, 0xbdd10894)},\n {TOBN(0x555ebefb, 0x7af4194e), TOBN(0x533c1c3c, 0x8e89bd9c),\n TOBN(0x735b9b57, 0x89895856), TOBN(0x15fb3cd2, 0x567f5c15)}},\n {{TOBN(0x057fed45, 0x526f09fd), TOBN(0xe8a4f10c, 0x8128240a),\n TOBN(0x9332efc4, 0xff2bfd8d), TOBN(0x214e77a0, 0xbd35aa31)},\n {TOBN(0x32896d73, 0x14faa40e), TOBN(0x767867ec, 0x01e5f186),\n TOBN(0xc9adf8f1, 0x17a1813e), TOBN(0xcb6cda78, 0x54741795)}},\n {{TOBN(0xb7521b6d, 0x349d51aa), TOBN(0xf56b5a9e, 0xe3c7b8e9),\n TOBN(0xc6f1e5c9, 0x32a096df), TOBN(0x083667c4, 0xa3635024)},\n {TOBN(0x365ea135, 0x18087f2f), TOBN(0xf1b8eaac, 0xd136e45d),\n TOBN(0xc8a0e484, 0x73aec989), TOBN(0xd75a324b, 0x142c9259)}},\n {{TOBN(0xb7b4d001, 0x01dae185), TOBN(0x45434e0b, 0x9b7a94bc),\n TOBN(0xf54339af, 0xfbd8cb0b), TOBN(0xdcc4569e, 0xe98ef49e)},\n {TOBN(0x7789318a, 0x09a51299), TOBN(0x81b4d206, 0xb2b025d8),\n TOBN(0xf64aa418, 0xfae85792), TOBN(0x3e50258f, 0xacd7baf7)}},\n {{TOBN(0xdce84cdb, 0x2996864b), TOBN(0xa2e67089, 0x1f485fa4),\n TOBN(0xb28b2bb6, 0x534c6a5a), TOBN(0x31a7ec6b, 0xc94b9d39)},\n {TOBN(0x1d217766, 0xd6bc20da), TOBN(0x4acdb5ec, 0x86761190),\n TOBN(0x68726328, 0x73701063), TOBN(0x4d24ee7c, 0x2128c29b)}},\n {{TOBN(0xc072ebd3, 0xa19fd868), TOBN(0x612e481c, 0xdb8ddd3b),\n TOBN(0xb4e1d754, 0x1a64d852), TOBN(0x00ef95ac, 0xc4c6c4ab)},\n {TOBN(0x1536d2ed, 0xaa0a6c46), TOBN(0x61294086, 0x43774790),\n TOBN(0x54af25e8, 0x343fda10), TOBN(0x9ff9d98d, 0xfd25d6f2)}},\n {{TOBN(0x0746af7c, 0x468b8835), TOBN(0x977a31cb, 0x730ecea7),\n TOBN(0xa5096b80, 0xc2cf4a81), TOBN(0xaa986833, 0x6458c37a)},\n {TOBN(0x6af29bf3, 0xa6bd9d34), TOBN(0x6a62fe9b, 0x33c5d854),\n TOBN(0x50e6c304, 0xb7133b5e), TOBN(0x04b60159, 0x7d6e6848)}},\n {{TOBN(0x4cd296df, 0x5579bea4), TOBN(0x10e35ac8, 0x5ceedaf1),\n TOBN(0x04c4c5fd, 0xe3bcc5b1), TOBN(0x95f9ee8a, 0x89412cf9)},\n {TOBN(0x2c9459ee, 0x82b6eb0f), TOBN(0x2e845765, 0x95c2aadd),\n TOBN(0x774a84ae, 0xd327fcfe), TOBN(0xd8c93722, 0x0368d476)}},\n {{TOBN(0x0dbd5748, 0xf83e8a3b), TOBN(0xa579aa96, 0x8d2495f3),\n TOBN(0x535996a0, 0xae496e9b), TOBN(0x07afbfe9, 0xb7f9bcc2)},\n {TOBN(0x3ac1dc6d, 0x5b7bd293), TOBN(0x3b592cff, 0x7022323d),\n TOBN(0xba0deb98, 0x9c0a3e76), TOBN(0x18e78e9f, 0x4b197acb)}},\n {{TOBN(0x211cde10, 0x296c36ef), TOBN(0x7ee89672, 0x82c4da77),\n TOBN(0xb617d270, 0xa57836da), TOBN(0xf0cd9c31, 0x9cb7560b)},\n {TOBN(0x01fdcbf7, 0xe455fe90), TOBN(0x3fb53cbb, 0x7e7334f3),\n TOBN(0x781e2ea4, 0x4e7de4ec), TOBN(0x8adab3ad, 0x0b384fd0)}},\n {{TOBN(0x129eee2f, 0x53d64829), TOBN(0x7a471e17, 0xa261492b),\n TOBN(0xe4f9adb9, 0xe4cb4a2c), TOBN(0x3d359f6f, 0x97ba2c2d)},\n {TOBN(0x346c6786, 0x0aacd697), TOBN(0x92b444c3, 0x75c2f8a8),\n TOBN(0xc79fa117, 0xd85df44e), TOBN(0x56782372, 0x398ddf31)}},\n {{TOBN(0x60e690f2, 0xbbbab3b8), TOBN(0x4851f8ae, 0x8b04816b),\n TOBN(0xc72046ab, 0x9c92e4d2), TOBN(0x518c74a1, 0x7cf3136b)},\n {TOBN(0xff4eb50a, 0xf9877d4c), TOBN(0x14578d90, 0xa919cabb),\n TOBN(0x8218f8c4, 0xac5eb2b6), TOBN(0xa3ccc547, 0x542016e4)}},\n {{TOBN(0x025bf48e, 0x327f8349), TOBN(0xf3e97346, 0xf43cb641),\n TOBN(0xdc2bafdf, 0x500f1085), TOBN(0x57167876, 0x2f063055)},\n {TOBN(0x5bd914b9, 0x411925a6), TOBN(0x7c078d48, 0xa1123de5),\n TOBN(0xee6bf835, 0x182b165d), TOBN(0xb11b5e5b, 0xba519727)}},\n {{TOBN(0xe33ea76c, 0x1eea7b85), TOBN(0x2352b461, 0x92d4f85e),\n TOBN(0xf101d334, 0xafe115bb), TOBN(0xfabc1294, 0x889175a3)},\n {TOBN(0x7f6bcdc0, 0x5233f925), TOBN(0xe0a802db, 0xe77fec55),\n TOBN(0xbdb47b75, 0x8069b659), TOBN(0x1c5e12de, 0xf98fbd74)}},\n {{TOBN(0x869c58c6, 0x4b8457ee), TOBN(0xa5360f69, 0x4f7ea9f7),\n TOBN(0xe576c09f, 0xf460b38f), TOBN(0x6b70d548, 0x22b7fb36)},\n {TOBN(0x3fd237f1, 0x3bfae315), TOBN(0x33797852, 0xcbdff369),\n TOBN(0x97df25f5, 0x25b516f9), TOBN(0x46f388f2, 0xba38ad2d)}},\n {{TOBN(0x656c4658, 0x89d8ddbb), TOBN(0x8830b26e, 0x70f38ee8),\n TOBN(0x4320fd5c, 0xde1212b0), TOBN(0xc34f30cf, 0xe4a2edb2)},\n {TOBN(0xabb131a3, 0x56ab64b8), TOBN(0x7f77f0cc, 0xd99c5d26),\n TOBN(0x66856a37, 0xbf981d94), TOBN(0x19e76d09, 0x738bd76e)}},\n {{TOBN(0xe76c8ac3, 0x96238f39), TOBN(0xc0a482be, 0xa830b366),\n TOBN(0xb7b8eaff, 0x0b4eb499), TOBN(0x8ecd83bc, 0x4bfb4865)},\n {TOBN(0x971b2cb7, 0xa2f3776f), TOBN(0xb42176a4, 0xf4b88adf),\n TOBN(0xb9617df5, 0xbe1fa446), TOBN(0x8b32d508, 0xcd031bd2)}},\n {{TOBN(0x1c6bd47d, 0x53b618c0), TOBN(0xc424f46c, 0x6a227923),\n TOBN(0x7303ffde, 0xdd92d964), TOBN(0xe9712878, 0x71b5abf2)},\n {TOBN(0x8f48a632, 0xf815561d), TOBN(0x85f48ff5, 0xd3c055d1),\n TOBN(0x222a1427, 0x7525684f), TOBN(0xd0d841a0, 0x67360cc3)}},\n {{TOBN(0x4245a926, 0x0b9267c6), TOBN(0xc78913f1, 0xcf07f863),\n TOBN(0xaa844c8e, 0x4d0d9e24), TOBN(0xa42ad522, 0x3d5f9017)},\n {TOBN(0xbd371749, 0xa2c989d5), TOBN(0x928292df, 0xe1f5e78e),\n TOBN(0x493b383e, 0x0a1ea6da), TOBN(0x5136fd8d, 0x13aee529)}},\n {{TOBN(0x860c44b1, 0xf2c34a99), TOBN(0x3b00aca4, 0xbf5855ac),\n TOBN(0xabf6aaa0, 0xfaaf37be), TOBN(0x65f43682, 0x2a53ec08)},\n {TOBN(0x1d9a5801, 0xa11b12e1), TOBN(0x78a7ab2c, 0xe20ed475),\n TOBN(0x0de1067e, 0x9a41e0d5), TOBN(0x30473f5f, 0x305023ea)}},\n {{TOBN(0xdd3ae09d, 0x169c7d97), TOBN(0x5cd5baa4, 0xcfaef9cd),\n TOBN(0x5cd7440b, 0x65a44803), TOBN(0xdc13966a, 0x47f364de)},\n {TOBN(0x077b2be8, 0x2b8357c1), TOBN(0x0cb1b4c5, 0xe9d57c2a),\n TOBN(0x7a4ceb32, 0x05ff363e), TOBN(0xf310fa4d, 0xca35a9ef)}},\n {{TOBN(0xdbb7b352, 0xf97f68c6), TOBN(0x0c773b50, 0x0b02cf58),\n TOBN(0xea2e4821, 0x3c1f96d9), TOBN(0xffb357b0, 0xeee01815)},\n {TOBN(0xb9c924cd, 0xe0f28039), TOBN(0x0b36c95a, 0x46a3fbe4),\n TOBN(0x1faaaea4, 0x5e46db6c), TOBN(0xcae575c3, 0x1928aaff)}},\n {{TOBN(0x7f671302, 0xa70dab86), TOBN(0xfcbd12a9, 0x71c58cfc),\n TOBN(0xcbef9acf, 0xbee0cb92), TOBN(0x573da0b9, 0xf8c1b583)},\n {TOBN(0x4752fcfe, 0x0d41d550), TOBN(0xe7eec0e3, 0x2155cffe),\n TOBN(0x0fc39fcb, 0x545ae248), TOBN(0x522cb8d1, 0x8065f44e)}},\n {{TOBN(0x263c962a, 0x70cbb96c), TOBN(0xe034362a, 0xbcd124a9),\n TOBN(0xf120db28, 0x3c2ae58d), TOBN(0xb9a38d49, 0xfef6d507)},\n {TOBN(0xb1fd2a82, 0x1ff140fd), TOBN(0xbd162f30, 0x20aee7e0),\n TOBN(0x4e17a5d4, 0xcb251949), TOBN(0x2aebcb83, 0x4f7e1c3d)}},\n {{TOBN(0x608eb25f, 0x937b0527), TOBN(0xf42e1e47, 0xeb7d9997),\n TOBN(0xeba699c4, 0xb8a53a29), TOBN(0x1f921c71, 0xe091b536)},\n {TOBN(0xcce29e7b, 0x5b26bbd5), TOBN(0x7a8ef5ed, 0x3b61a680),\n TOBN(0xe5ef8043, 0xba1f1c7e), TOBN(0x16ea8217, 0x18158dda)}},\n {{TOBN(0x01778a2b, 0x599ff0f9), TOBN(0x68a923d7, 0x8104fc6b),\n TOBN(0x5bfa44df, 0xda694ff3), TOBN(0x4f7199db, 0xf7667f12)},\n {TOBN(0xc06d8ff6, 0xe46f2a79), TOBN(0x08b5dead, 0xe9f8131d),\n TOBN(0x02519a59, 0xabb4ce7c), TOBN(0xc4f710bc, 0xb42aec3e)}},\n {{TOBN(0x3d77b057, 0x78bde41a), TOBN(0x6474bf80, 0xb4186b5a),\n TOBN(0x048b3f67, 0x88c65741), TOBN(0xc64519de, 0x03c7c154)},\n {TOBN(0xdf073846, 0x0edfcc4f), TOBN(0x319aa737, 0x48f1aa6b),\n TOBN(0x8b9f8a02, 0xca909f77), TOBN(0x90258139, 0x7580bfef)}},\n {{TOBN(0xd8bfd3ca, 0xc0c22719), TOBN(0xc60209e4, 0xc9ca151e),\n TOBN(0x7a744ab5, 0xd9a1a69c), TOBN(0x6de5048b, 0x14937f8f)},\n {TOBN(0x171938d8, 0xe115ac04), TOBN(0x7df70940, 0x1c6b16d2),\n TOBN(0xa6aeb663, 0x7f8e94e7), TOBN(0xc130388e, 0x2a2cf094)}},\n {{TOBN(0x1850be84, 0x77f54e6e), TOBN(0x9f258a72, 0x65d60fe5),\n TOBN(0xff7ff0c0, 0x6c9146d6), TOBN(0x039aaf90, 0xe63a830b)},\n {TOBN(0x38f27a73, 0x9460342f), TOBN(0x4703148c, 0x3f795f8a),\n TOBN(0x1bb5467b, 0x9681a97e), TOBN(0x00931ba5, 0xecaeb594)}},\n {{TOBN(0xcdb6719d, 0x786f337c), TOBN(0xd9c01cd2, 0xe704397d),\n TOBN(0x0f4a3f20, 0x555c2fef), TOBN(0x00452509, 0x7c0af223)},\n {TOBN(0x54a58047, 0x84db8e76), TOBN(0x3bacf1aa, 0x93c8aa06),\n TOBN(0x11ca957c, 0xf7919422), TOBN(0x50641053, 0x78cdaa40)}},\n {{TOBN(0x7a303874, 0x9f7144ae), TOBN(0x170c963f, 0x43d4acfd),\n TOBN(0x5e148149, 0x58ddd3ef), TOBN(0xa7bde582, 0x9e72dba8)},\n {TOBN(0x0769da8b, 0x6fa68750), TOBN(0xfa64e532, 0x572e0249),\n TOBN(0xfcaadf9d, 0x2619ad31), TOBN(0x87882daa, 0xa7b349cd)}},\n {{TOBN(0x9f6eb731, 0x6c67a775), TOBN(0xcb10471a, 0xefc5d0b1),\n TOBN(0xb433750c, 0xe1b806b2), TOBN(0x19c5714d, 0x57b1ae7e)},\n {TOBN(0xc0dc8b7b, 0xed03fd3f), TOBN(0xdd03344f, 0x31bc194e),\n TOBN(0xa66c52a7, 0x8c6320b5), TOBN(0x8bc82ce3, 0xd0b6fd93)}},\n {{TOBN(0xf8e13501, 0xb35f1341), TOBN(0xe53156dd, 0x25a43e42),\n TOBN(0xd3adf27e, 0x4daeb85c), TOBN(0xb81d8379, 0xbbeddeb5)},\n {TOBN(0x1b0b546e, 0x2e435867), TOBN(0x9020eb94, 0xeba5dd60),\n TOBN(0x37d91161, 0x8210cb9d), TOBN(0x4c596b31, 0x5c91f1cf)}},\n {{TOBN(0xb228a90f, 0x0e0b040d), TOBN(0xbaf02d82, 0x45ff897f),\n TOBN(0x2aac79e6, 0x00fa6122), TOBN(0x24828817, 0x8e36f557)},\n {TOBN(0xb9521d31, 0x113ec356), TOBN(0x9e48861e, 0x15eff1f8),\n TOBN(0x2aa1d412, 0xe0d41715), TOBN(0x71f86203, 0x53f131b8)}},\n {{TOBN(0xf60da8da, 0x3fd19408), TOBN(0x4aa716dc, 0x278d9d99),\n TOBN(0x394531f7, 0xa8c51c90), TOBN(0xb560b0e8, 0xf59db51c)},\n {TOBN(0xa28fc992, 0xfa34bdad), TOBN(0xf024fa14, 0x9cd4f8bd),\n TOBN(0x5cf530f7, 0x23a9d0d3), TOBN(0x615ca193, 0xe28c9b56)}},\n {{TOBN(0x6d2a483d, 0x6f73c51e), TOBN(0xa4cb2412, 0xea0dc2dd),\n TOBN(0x50663c41, 0x1eb917ff), TOBN(0x3d3a74cf, 0xeade299e)},\n {TOBN(0x29b3990f, 0x4a7a9202), TOBN(0xa9bccf59, 0xa7b15c3d),\n TOBN(0x66a3ccdc, 0xa5df9208), TOBN(0x48027c14, 0x43f2f929)}},\n {{TOBN(0xd385377c, 0x40b557f0), TOBN(0xe001c366, 0xcd684660),\n TOBN(0x1b18ed6b, 0xe2183a27), TOBN(0x879738d8, 0x63210329)},\n {TOBN(0xa687c74b, 0xbda94882), TOBN(0xd1bbcc48, 0xa684b299),\n TOBN(0xaf6f1112, 0x863b3724), TOBN(0x6943d1b4, 0x2c8ce9f8)}},\n {{TOBN(0xe044a3bb, 0x098cafb4), TOBN(0x27ed2310, 0x60d48caf),\n TOBN(0x542b5675, 0x3a31b84d), TOBN(0xcbf3dd50, 0xfcddbed7)},\n {TOBN(0x25031f16, 0x41b1d830), TOBN(0xa7ec851d, 0xcb0c1e27),\n TOBN(0xac1c8fe0, 0xb5ae75db), TOBN(0xb24c7557, 0x08c52120)}},\n {{TOBN(0x57f811dc, 0x1d4636c3), TOBN(0xf8436526, 0x681a9939),\n TOBN(0x1f6bc6d9, 0x9c81adb3), TOBN(0x840f8ac3, 0x5b7d80d4)},\n {TOBN(0x731a9811, 0xf4387f1a), TOBN(0x7c501cd3, 0xb5156880),\n TOBN(0xa5ca4a07, 0xdfe68867), TOBN(0xf123d8f0, 0x5fcea120)}},\n {{TOBN(0x1fbb0e71, 0xd607039e), TOBN(0x2b70e215, 0xcd3a4546),\n TOBN(0x32d2f01d, 0x53324091), TOBN(0xb796ff08, 0x180ab19b)},\n {TOBN(0x32d87a86, 0x3c57c4aa), TOBN(0x2aed9caf, 0xb7c49a27),\n TOBN(0x9fb35eac, 0x31630d98), TOBN(0x338e8cdf, 0x5c3e20a3)}},\n {{TOBN(0x80f16182, 0x66cde8db), TOBN(0x4e159980, 0x2d72fd36),\n TOBN(0xd7b8f13b, 0x9b6e5072), TOBN(0xf5213907, 0x3b7b5dc1)},\n {TOBN(0x4d431f1d, 0x8ce4396e), TOBN(0x37a1a680, 0xa7ed2142),\n TOBN(0xbf375696, 0xd01aaf6b), TOBN(0xaa1c0c54, 0xe63aab66)}},\n {{TOBN(0x3014368b, 0x4ed80940), TOBN(0x67e6d056, 0x7a6fcedd),\n TOBN(0x7c208c49, 0xca97579f), TOBN(0xfe3d7a81, 0xa23597f6)},\n {TOBN(0x5e203202, 0x7e096ae2), TOBN(0xb1f3e1e7, 0x24b39366),\n TOBN(0x26da26f3, 0x2fdcdffc), TOBN(0x79422f1d, 0x6097be83)}}},\n {{{TOBN(0x263a2cfb, 0x9db3b381), TOBN(0x9c3a2dee, 0xd4df0a4b),\n TOBN(0x728d06e9, 0x7d04e61f), TOBN(0x8b1adfbc, 0x42449325)},\n {TOBN(0x6ec1d939, 0x7e053a1b), TOBN(0xee2be5c7, 0x66daf707),\n TOBN(0x80ba1e14, 0x810ac7ab), TOBN(0xdd2ae778, 0xf530f174)}},\n {{TOBN(0x0435d97a, 0x205b9d8b), TOBN(0x6eb8f064, 0x056756d4),\n TOBN(0xd5e88a8b, 0xb6f8210e), TOBN(0x070ef12d, 0xec9fd9ea)},\n {TOBN(0x4d849505, 0x3bcc876a), TOBN(0x12a75338, 0xa7404ce3),\n TOBN(0xd22b49e1, 0xb8a1db5e), TOBN(0xec1f2051, 0x14bfa5ad)}},\n {{TOBN(0xadbaeb79, 0xb6828f36), TOBN(0x9d7a0258, 0x01bd5b9e),\n TOBN(0xeda01e0d, 0x1e844b0c), TOBN(0x4b625175, 0x887edfc9)},\n {TOBN(0x14109fdd, 0x9669b621), TOBN(0x88a2ca56, 0xf6f87b98),\n TOBN(0xfe2eb788, 0x170df6bc), TOBN(0x0cea06f4, 0xffa473f9)}},\n {{TOBN(0x43ed81b5, 0xc4e83d33), TOBN(0xd9f35879, 0x5efd488b),\n TOBN(0x164a620f, 0x9deb4d0f), TOBN(0xc6927bdb, 0xac6a7394)},\n {TOBN(0x45c28df7, 0x9f9e0f03), TOBN(0x2868661e, 0xfcd7e1a9),\n TOBN(0x7cf4e8d0, 0xffa348f1), TOBN(0x6bd4c284, 0x398538e0)}},\n {{TOBN(0x2618a091, 0x289a8619), TOBN(0xef796e60, 0x6671b173),\n TOBN(0x664e46e5, 0x9090c632), TOBN(0xa38062d4, 0x1e66f8fb)},\n {TOBN(0x6c744a20, 0x0573274e), TOBN(0xd07b67e4, 0xa9271394),\n TOBN(0x391223b2, 0x6bdc0e20), TOBN(0xbe2d93f1, 0xeb0a05a7)}},\n {{TOBN(0xf23e2e53, 0x3f36d141), TOBN(0xe84bb3d4, 0x4dfca442),\n TOBN(0xb804a48d, 0x6b7c023a), TOBN(0x1e16a8fa, 0x76431c3b)},\n {TOBN(0x1b5452ad, 0xddd472e0), TOBN(0x7d405ee7, 0x0d1ee127),\n TOBN(0x50fc6f1d, 0xffa27599), TOBN(0x351ac53c, 0xbf391b35)}},\n {{TOBN(0x7efa14b8, 0x4444896b), TOBN(0x64974d2f, 0xf94027fb),\n TOBN(0xefdcd0e8, 0xde84487d), TOBN(0x8c45b260, 0x2b48989b)},\n {TOBN(0xa8fcbbc2, 0xd8463487), TOBN(0xd1b2b3f7, 0x3fbc476c),\n TOBN(0x21d005b7, 0xc8f443c0), TOBN(0x518f2e67, 0x40c0139c)}},\n {{TOBN(0x56036e8c, 0x06d75fc1), TOBN(0x2dcf7bb7, 0x3249a89f),\n TOBN(0x81dd1d3d, 0xe245e7dd), TOBN(0xf578dc4b, 0xebd6e2a7)},\n {TOBN(0x4c028903, 0xdf2ce7a0), TOBN(0xaee36288, 0x9c39afac),\n TOBN(0xdc847c31, 0x146404ab), TOBN(0x6304c0d8, 0xa4e97818)}},\n {{TOBN(0xae51dca2, 0xa91f6791), TOBN(0x2abe4190, 0x9baa9efc),\n TOBN(0xd9d2e2f4, 0x559c7ac1), TOBN(0xe82f4b51, 0xfc9f773a)},\n {TOBN(0xa7713027, 0x4073e81c), TOBN(0xc0276fac, 0xfbb596fc),\n TOBN(0x1d819fc9, 0xa684f70c), TOBN(0x29b47fdd, 0xc9f7b1e0)}},\n {{TOBN(0x358de103, 0x459b1940), TOBN(0xec881c59, 0x5b013e93),\n TOBN(0x51574c93, 0x49532ad3), TOBN(0x2db1d445, 0xb37b46de)},\n {TOBN(0xc6445b87, 0xdf239fd8), TOBN(0xc718af75, 0x151d24ee),\n TOBN(0xaea1c4a4, 0xf43c6259), TOBN(0x40c0e5d7, 0x70be02f7)}},\n {{TOBN(0x6a4590f4, 0x721b33f2), TOBN(0x2124f1fb, 0xfedf04ea),\n TOBN(0xf8e53cde, 0x9745efe7), TOBN(0xe7e10432, 0x65f046d9)},\n {TOBN(0xc3fca28e, 0xe4d0c7e6), TOBN(0x847e339a, 0x87253b1b),\n TOBN(0x9b595348, 0x3743e643), TOBN(0xcb6a0a0b, 0x4fd12fc5)}},\n {{TOBN(0xfb6836c3, 0x27d02dcc), TOBN(0x5ad00982, 0x7a68bcc2),\n TOBN(0x1b24b44c, 0x005e912d), TOBN(0xcc83d20f, 0x811fdcfe)},\n {TOBN(0x36527ec1, 0x666fba0c), TOBN(0x69948197, 0x14754635),\n TOBN(0xfcdcb1a8, 0x556da9c2), TOBN(0xa5934267, 0x81a732b2)}},\n {{TOBN(0xec1214ed, 0xa714181d), TOBN(0x609ac13b, 0x6067b341),\n TOBN(0xff4b4c97, 0xa545df1f), TOBN(0xa1240501, 0x34d2076b)},\n {TOBN(0x6efa0c23, 0x1409ca97), TOBN(0x254cc1a8, 0x20638c43),\n TOBN(0xd4e363af, 0xdcfb46cd), TOBN(0x62c2adc3, 0x03942a27)}},\n {{TOBN(0xc67b9df0, 0x56e46483), TOBN(0xa55abb20, 0x63736356),\n TOBN(0xab93c098, 0xc551bc52), TOBN(0x382b49f9, 0xb15fe64b)},\n {TOBN(0x9ec221ad, 0x4dff8d47), TOBN(0x79caf615, 0x437df4d6),\n TOBN(0x5f13dc64, 0xbb456509), TOBN(0xe4c589d9, 0x191f0714)}},\n {{TOBN(0x27b6a8ab, 0x3fd40e09), TOBN(0xe455842e, 0x77313ea9),\n TOBN(0x8b51d1e2, 0x1f55988b), TOBN(0x5716dd73, 0x062bbbfc)},\n {TOBN(0x633c11e5, 0x4e8bf3de), TOBN(0x9a0e77b6, 0x1b85be3b),\n TOBN(0x56510729, 0x0911cca6), TOBN(0x27e76495, 0xefa6590f)}},\n {{TOBN(0xe4ac8b33, 0x070d3aab), TOBN(0x2643672b, 0x9a2cd5e5),\n TOBN(0x52eff79b, 0x1cfc9173), TOBN(0x665ca49b, 0x90a7c13f)},\n {TOBN(0x5a8dda59, 0xb3efb998), TOBN(0x8a5b922d, 0x052f1341),\n TOBN(0xae9ebbab, 0x3cf9a530), TOBN(0x35986e7b, 0xf56da4d7)}},\n {{TOBN(0x3a636b5c, 0xff3513cc), TOBN(0xbb0cf8ba, 0x3198f7dd),\n TOBN(0xb8d40522, 0x41f16f86), TOBN(0x760575d8, 0xde13a7bf)},\n {TOBN(0x36f74e16, 0x9f7aa181), TOBN(0x163a3ecf, 0xf509ed1c),\n TOBN(0x6aead61f, 0x3c40a491), TOBN(0x158c95fc, 0xdfe8fcaa)}},\n {{TOBN(0xa3991b6e, 0x13cda46f), TOBN(0x79482415, 0x342faed0),\n TOBN(0xf3ba5bde, 0x666b5970), TOBN(0x1d52e6bc, 0xb26ab6dd)},\n {TOBN(0x768ba1e7, 0x8608dd3d), TOBN(0x4930db2a, 0xea076586),\n TOBN(0xd9575714, 0xe7dc1afa), TOBN(0x1fc7bf7d, 0xf7c58817)}},\n {{TOBN(0x6b47accd, 0xd9eee96c), TOBN(0x0ca277fb, 0xe58cec37),\n TOBN(0x113fe413, 0xe702c42a), TOBN(0xdd1764ee, 0xc47cbe51)},\n {TOBN(0x041e7cde, 0x7b3ed739), TOBN(0x50cb7459, 0x5ce9e1c0),\n TOBN(0x35568513, 0x2925b212), TOBN(0x7cff95c4, 0x001b081c)}},\n {{TOBN(0x63ee4cbd, 0x8088b454), TOBN(0xdb7f32f7, 0x9a9e0c8a),\n TOBN(0xb377d418, 0x6b2447cb), TOBN(0xe3e982aa, 0xd370219b)},\n {TOBN(0x06ccc1e4, 0xc2a2a593), TOBN(0x72c36865, 0x0773f24f),\n TOBN(0xa13b4da7, 0x95859423), TOBN(0x8bbf1d33, 0x75040c8f)}},\n {{TOBN(0x726f0973, 0xda50c991), TOBN(0x48afcd5b, 0x822d6ee2),\n TOBN(0xe5fc718b, 0x20fd7771), TOBN(0xb9e8e77d, 0xfd0807a1)},\n {TOBN(0x7f5e0f44, 0x99a7703d), TOBN(0x6972930e, 0x618e36f3),\n TOBN(0x2b7c77b8, 0x23807bbe), TOBN(0xe5b82405, 0xcb27ff50)}},\n {{TOBN(0xba8b8be3, 0xbd379062), TOBN(0xd64b7a1d, 0x2dce4a92),\n TOBN(0x040a73c5, 0xb2952e37), TOBN(0x0a9e252e, 0xd438aeca)},\n {TOBN(0xdd43956b, 0xc39d3bcb), TOBN(0x1a31ca00, 0xb32b2d63),\n TOBN(0xd67133b8, 0x5c417a18), TOBN(0xd08e4790, 0x2ef442c8)}},\n {{TOBN(0x98cb1ae9, 0x255c0980), TOBN(0x4bd86381, 0x2b4a739f),\n TOBN(0x5a5c31e1, 0x1e4a45a1), TOBN(0x1e5d55fe, 0x9cb0db2f)},\n {TOBN(0x74661b06, 0x8ff5cc29), TOBN(0x026b389f, 0x0eb8a4f4),\n TOBN(0x536b21a4, 0x58848c24), TOBN(0x2e5bf8ec, 0x81dc72b0)}},\n {{TOBN(0x03c187d0, 0xad886aac), TOBN(0x5c16878a, 0xb771b645),\n TOBN(0xb07dfc6f, 0xc74045ab), TOBN(0x2c6360bf, 0x7800caed)},\n {TOBN(0x24295bb5, 0xb9c972a3), TOBN(0xc9e6f88e, 0x7c9a6dba),\n TOBN(0x90ffbf24, 0x92a79aa6), TOBN(0xde29d50a, 0x41c26ac2)}},\n {{TOBN(0x9f0af483, 0xd309cbe6), TOBN(0x5b020d8a, 0xe0bced4f),\n TOBN(0x606e986d, 0xb38023e3), TOBN(0xad8f2c9d, 0x1abc6933)},\n {TOBN(0x19292e1d, 0xe7400e93), TOBN(0xfe3e18a9, 0x52be5e4d),\n TOBN(0xe8e9771d, 0x2e0680bf), TOBN(0x8c5bec98, 0xc54db063)}},\n {{TOBN(0x2af9662a, 0x74a55d1f), TOBN(0xe3fbf28f, 0x046f66d8),\n TOBN(0xa3a72ab4, 0xd4dc4794), TOBN(0x09779f45, 0x5c7c2dd8)},\n {TOBN(0xd893bdaf, 0xc3d19d8d), TOBN(0xd5a75094, 0x57d6a6df),\n TOBN(0x8cf8fef9, 0x952e6255), TOBN(0x3da67cfb, 0xda9a8aff)}},\n {{TOBN(0x4c23f62a, 0x2c160dcd), TOBN(0x34e6c5e3, 0x8f90eaef),\n TOBN(0x35865519, 0xa9a65d5a), TOBN(0x07c48aae, 0x8fd38a3d)},\n {TOBN(0xb7e7aeda, 0x50068527), TOBN(0x2c09ef23, 0x1c90936a),\n TOBN(0x31ecfeb6, 0xe879324c), TOBN(0xa0871f6b, 0xfb0ec938)}},\n {{TOBN(0xb1f0fb68, 0xd84d835d), TOBN(0xc90caf39, 0x861dc1e6),\n TOBN(0x12e5b046, 0x7594f8d7), TOBN(0x26897ae2, 0x65012b92)},\n {TOBN(0xbcf68a08, 0xa4d6755d), TOBN(0x403ee41c, 0x0991fbda),\n TOBN(0x733e343e, 0x3bbf17e8), TOBN(0xd2c7980d, 0x679b3d65)}},\n {{TOBN(0x33056232, 0xd2e11305), TOBN(0x966be492, 0xf3c07a6f),\n TOBN(0x6a8878ff, 0xbb15509d), TOBN(0xff221101, 0x0a9b59a4)},\n {TOBN(0x6c9f564a, 0xabe30129), TOBN(0xc6f2c940, 0x336e64cf),\n TOBN(0x0fe75262, 0x8b0c8022), TOBN(0xbe0267e9, 0x6ae8db87)}},\n {{TOBN(0x22e192f1, 0x93bc042b), TOBN(0xf085b534, 0xb237c458),\n TOBN(0xa0d192bd, 0x832c4168), TOBN(0x7a76e9e3, 0xbdf6271d)},\n {TOBN(0x52a882fa, 0xb88911b5), TOBN(0xc85345e4, 0xb4db0eb5),\n TOBN(0xa3be02a6, 0x81a7c3ff), TOBN(0x51889c8c, 0xf0ec0469)}},\n {{TOBN(0x9d031369, 0xa5e829e5), TOBN(0xcbb4c6fc, 0x1607aa41),\n TOBN(0x75ac59a6, 0x241d84c1), TOBN(0xc043f2bf, 0x8829e0ee)},\n {TOBN(0x82a38f75, 0x8ea5e185), TOBN(0x8bda40b9, 0xd87cbd9f),\n TOBN(0x9e65e75e, 0x2d8fc601), TOBN(0x3d515f74, 0xa35690b3)}},\n {{TOBN(0x534acf4f, 0xda79e5ac), TOBN(0x68b83b3a, 0x8630215f),\n TOBN(0x5c748b2e, 0xd085756e), TOBN(0xb0317258, 0xe5d37cb2)},\n {TOBN(0x6735841a, 0xc5ccc2c4), TOBN(0x7d7dc96b, 0x3d9d5069),\n TOBN(0xa147e410, 0xfd1754bd), TOBN(0x65296e94, 0xd399ddd5)}},\n {{TOBN(0xf6b5b2d0, 0xbc8fa5bc), TOBN(0x8a5ead67, 0x500c277b),\n TOBN(0x214625e6, 0xdfa08a5d), TOBN(0x51fdfedc, 0x959cf047)},\n {TOBN(0x6bc9430b, 0x289fca32), TOBN(0xe36ff0cf, 0x9d9bdc3f),\n TOBN(0x2fe187cb, 0x58ea0ede), TOBN(0xed66af20, 0x5a900b3f)}},\n {{TOBN(0x00e0968b, 0x5fa9f4d6), TOBN(0x2d4066ce, 0x37a362e7),\n TOBN(0xa99a9748, 0xbd07e772), TOBN(0x710989c0, 0x06a4f1d0)},\n {TOBN(0xd5dedf35, 0xce40cbd8), TOBN(0xab55c5f0, 0x1743293d),\n TOBN(0x766f1144, 0x8aa24e2c), TOBN(0x94d874f8, 0x605fbcb4)}},\n {{TOBN(0xa365f0e8, 0xa518001b), TOBN(0xee605eb6, 0x9d04ef0f),\n TOBN(0x5a3915cd, 0xba8d4d25), TOBN(0x44c0e1b8, 0xb5113472)},\n {TOBN(0xcbb024e8, 0x8b6740dc), TOBN(0x89087a53, 0xee1d4f0c),\n TOBN(0xa88fa05c, 0x1fc4e372), TOBN(0x8bf395cb, 0xaf8b3af2)}},\n {{TOBN(0x1e71c9a1, 0xdeb8568b), TOBN(0xa35daea0, 0x80fb3d32),\n TOBN(0xe8b6f266, 0x2cf8fb81), TOBN(0x6d51afe8, 0x9490696a)},\n {TOBN(0x81beac6e, 0x51803a19), TOBN(0xe3d24b7f, 0x86219080),\n TOBN(0x727cfd9d, 0xdf6f463c), TOBN(0x8c6865ca, 0x72284ee8)}},\n {{TOBN(0x32c88b7d, 0xb743f4ef), TOBN(0x3793909b, 0xe7d11dce),\n TOBN(0xd398f922, 0x2ff2ebe8), TOBN(0x2c70ca44, 0xe5e49796)},\n {TOBN(0xdf4d9929, 0xcb1131b1), TOBN(0x7826f298, 0x25888e79),\n TOBN(0x4d3a112c, 0xf1d8740a), TOBN(0x00384cb6, 0x270afa8b)}},\n {{TOBN(0xcb64125b, 0x3ab48095), TOBN(0x3451c256, 0x62d05106),\n TOBN(0xd73d577d, 0xa4955845), TOBN(0x39570c16, 0xbf9f4433)},\n {TOBN(0xd7dfaad3, 0xadecf263), TOBN(0xf1c3d8d1, 0xdc76e102),\n TOBN(0x5e774a58, 0x54c6a836), TOBN(0xdad4b672, 0x3e92d47b)}},\n {{TOBN(0xbe7e990f, 0xf0d796a0), TOBN(0x5fc62478, 0xdf0e8b02),\n TOBN(0x8aae8bf4, 0x030c00ad), TOBN(0x3d2db93b, 0x9004ba0f)},\n {TOBN(0xe48c8a79, 0xd85d5ddc), TOBN(0xe907caa7, 0x6bb07f34),\n TOBN(0x58db343a, 0xa39eaed5), TOBN(0x0ea6e007, 0xadaf5724)}},\n {{TOBN(0xe00df169, 0xd23233f3), TOBN(0x3e322796, 0x77cb637f),\n TOBN(0x1f897c0e, 0x1da0cf6c), TOBN(0xa651f5d8, 0x31d6bbdd)},\n {TOBN(0xdd61af19, 0x1a230c76), TOBN(0xbd527272, 0xcdaa5e4a),\n TOBN(0xca753636, 0xd0abcd7e), TOBN(0x78bdd37c, 0x370bd8dc)}},\n {{TOBN(0xc23916c2, 0x17cd93fe), TOBN(0x65b97a4d, 0xdadce6e2),\n TOBN(0xe04ed4eb, 0x174e42f8), TOBN(0x1491ccaa, 0xbb21480a)},\n {TOBN(0x145a8280, 0x23196332), TOBN(0x3c3862d7, 0x587b479a),\n TOBN(0x9f4a88a3, 0x01dcd0ed), TOBN(0x4da2b7ef, 0x3ea12f1f)}},\n {{TOBN(0xf8e7ae33, 0xb126e48e), TOBN(0x404a0b32, 0xf494e237),\n TOBN(0x9beac474, 0xc55acadb), TOBN(0x4ee5cf3b, 0xcbec9fd9)},\n {TOBN(0x336b33b9, 0x7df3c8c3), TOBN(0xbd905fe3, 0xb76808fd),\n TOBN(0x8f436981, 0xaa45c16a), TOBN(0x255c5bfa, 0x3dd27b62)}},\n {{TOBN(0x71965cbf, 0xc3dd9b4d), TOBN(0xce23edbf, 0xfc068a87),\n TOBN(0xb78d4725, 0x745b029b), TOBN(0x74610713, 0xcefdd9bd)},\n {TOBN(0x7116f75f, 0x1266bf52), TOBN(0x02046722, 0x18e49bb6),\n TOBN(0xdf43df9f, 0x3d6f19e3), TOBN(0xef1bc7d0, 0xe685cb2f)}},\n {{TOBN(0xcddb27c1, 0x7078c432), TOBN(0xe1961b9c, 0xb77fedb7),\n TOBN(0x1edc2f5c, 0xc2290570), TOBN(0x2c3fefca, 0x19cbd886)},\n {TOBN(0xcf880a36, 0xc2af389a), TOBN(0x96c610fd, 0xbda71cea),\n TOBN(0xf03977a9, 0x32aa8463), TOBN(0x8eb7763f, 0x8586d90a)}},\n {{TOBN(0x3f342454, 0x2a296e77), TOBN(0xc8718683, 0x42837a35),\n TOBN(0x7dc71090, 0x6a09c731), TOBN(0x54778ffb, 0x51b816db)},\n {TOBN(0x6b33bfec, 0xaf06defd), TOBN(0xfe3c105f, 0x8592b70b),\n TOBN(0xf937fda4, 0x61da6114), TOBN(0x3c13e651, 0x4c266ad7)}},\n {{TOBN(0xe363a829, 0x855938e8), TOBN(0x2eeb5d9e, 0x9de54b72),\n TOBN(0xbeb93b0e, 0x20ccfab9), TOBN(0x3dffbb5f, 0x25e61a25)},\n {TOBN(0x7f655e43, 0x1acc093d), TOBN(0x0cb6cc3d, 0x3964ce61),\n TOBN(0x6ab283a1, 0xe5e9b460), TOBN(0x55d787c5, 0xa1c7e72d)}},\n {{TOBN(0x4d2efd47, 0xdeadbf02), TOBN(0x11e80219, 0xac459068),\n TOBN(0x810c7626, 0x71f311f0), TOBN(0xfa17ef8d, 0x4ab6ef53)},\n {TOBN(0xaf47fd25, 0x93e43bff), TOBN(0x5cb5ff3f, 0x0be40632),\n TOBN(0x54687106, 0x8ee61da3), TOBN(0x7764196e, 0xb08afd0f)}},\n {{TOBN(0x831ab3ed, 0xf0290a8f), TOBN(0xcae81966, 0xcb47c387),\n TOBN(0xaad7dece, 0x184efb4f), TOBN(0xdcfc53b3, 0x4749110e)},\n {TOBN(0x6698f23c, 0x4cb632f9), TOBN(0xc42a1ad6, 0xb91f8067),\n TOBN(0xb116a81d, 0x6284180a), TOBN(0xebedf5f8, 0xe901326f)}},\n {{TOBN(0xf2274c9f, 0x97e3e044), TOBN(0x42018520, 0x11d09fc9),\n TOBN(0x56a65f17, 0xd18e6e23), TOBN(0x2ea61e2a, 0x352b683c)},\n {TOBN(0x27d291bc, 0x575eaa94), TOBN(0x9e7bc721, 0xb8ff522d),\n TOBN(0x5f7268bf, 0xa7f04d6f), TOBN(0x5868c73f, 0xaba41748)}},\n {{TOBN(0x9f85c2db, 0x7be0eead), TOBN(0x511e7842, 0xff719135),\n TOBN(0x5a06b1e9, 0xc5ea90d7), TOBN(0x0c19e283, 0x26fab631)},\n {TOBN(0x8af8f0cf, 0xe9206c55), TOBN(0x89389cb4, 0x3553c06a),\n TOBN(0x39dbed97, 0xf65f8004), TOBN(0x0621b037, 0xc508991d)}},\n {{TOBN(0x1c52e635, 0x96e78cc4), TOBN(0x5385c8b2, 0x0c06b4a8),\n TOBN(0xd84ddfdb, 0xb0e87d03), TOBN(0xc49dfb66, 0x934bafad)},\n {TOBN(0x7071e170, 0x59f70772), TOBN(0x3a073a84, 0x3a1db56b),\n TOBN(0x03494903, 0x3b8af190), TOBN(0x7d882de3, 0xd32920f0)}},\n {{TOBN(0x91633f0a, 0xb2cf8940), TOBN(0x72b0b178, 0x6f948f51),\n TOBN(0x2d28dc30, 0x782653c8), TOBN(0x88829849, 0xdb903a05)},\n {TOBN(0xb8095d0c, 0x6a19d2bb), TOBN(0x4b9e7f0c, 0x86f782cb),\n TOBN(0x7af73988, 0x2d907064), TOBN(0xd12be0fe, 0x8b32643c)}},\n {{TOBN(0x358ed23d, 0x0e165dc3), TOBN(0x3d47ce62, 0x4e2378ce),\n TOBN(0x7e2bb0b9, 0xfeb8a087), TOBN(0x3246e8ae, 0xe29e10b9)},\n {TOBN(0x459f4ec7, 0x03ce2b4d), TOBN(0xe9b4ca1b, 0xbbc077cf),\n TOBN(0x2613b4f2, 0x0e9940c1), TOBN(0xfc598bb9, 0x047d1eb1)}},\n {{TOBN(0x9744c62b, 0x45036099), TOBN(0xa9dee742, 0x167c65d8),\n TOBN(0x0c511525, 0xdabe1943), TOBN(0xda110554, 0x93c6c624)},\n {TOBN(0xae00a52c, 0x651a3be2), TOBN(0xcda5111d, 0x884449a6),\n TOBN(0x063c06f4, 0xff33bed1), TOBN(0x73baaf9a, 0x0d3d76b4)}},\n {{TOBN(0x52fb0c9d, 0x7fc63668), TOBN(0x6886c9dd, 0x0c039cde),\n TOBN(0x602bd599, 0x55b22351), TOBN(0xb00cab02, 0x360c7c13)},\n {TOBN(0x8cb616bc, 0x81b69442), TOBN(0x41486700, 0xb55c3cee),\n TOBN(0x71093281, 0xf49ba278), TOBN(0xad956d9c, 0x64a50710)}},\n {{TOBN(0x9561f28b, 0x638a7e81), TOBN(0x54155cdf, 0x5980ddc3),\n TOBN(0xb2db4a96, 0xd26f247a), TOBN(0x9d774e4e, 0x4787d100)},\n {TOBN(0x1a9e6e2e, 0x078637d2), TOBN(0x1c363e2d, 0x5e0ae06a),\n TOBN(0x7493483e, 0xe9cfa354), TOBN(0x76843cb3, 0x7f74b98d)}},\n {{TOBN(0xbaca6591, 0xd4b66947), TOBN(0xb452ce98, 0x04460a8c),\n TOBN(0x6830d246, 0x43768f55), TOBN(0xf4197ed8, 0x7dff12df)},\n {TOBN(0x6521b472, 0x400dd0f7), TOBN(0x59f5ca8f, 0x4b1e7093),\n TOBN(0x6feff11b, 0x080338ae), TOBN(0x0ada31f6, 0xa29ca3c6)}},\n {{TOBN(0x24794eb6, 0x94a2c215), TOBN(0xd83a43ab, 0x05a57ab4),\n TOBN(0x264a543a, 0x2a6f89fe), TOBN(0x2c2a3868, 0xdd5ec7c2)},\n {TOBN(0xd3373940, 0x8439d9b2), TOBN(0x715ea672, 0x0acd1f11),\n TOBN(0x42c1d235, 0xe7e6cc19), TOBN(0x81ce6e96, 0xb990585c)}},\n {{TOBN(0x04e5dfe0, 0xd809c7bd), TOBN(0xd7b2580c, 0x8f1050ab),\n TOBN(0x6d91ad78, 0xd8a4176f), TOBN(0x0af556ee, 0x4e2e897c)},\n {TOBN(0x162a8b73, 0x921de0ac), TOBN(0x52ac9c22, 0x7ea78400),\n TOBN(0xee2a4eea, 0xefce2174), TOBN(0xbe61844e, 0x6d637f79)}},\n {{TOBN(0x0491f1bc, 0x789a283b), TOBN(0x72d3ac3d, 0x880836f4),\n TOBN(0xaa1c5ea3, 0x88e5402d), TOBN(0x1b192421, 0xd5cc473d)},\n {TOBN(0x5c0b9998, 0x9dc84cac), TOBN(0xb0a8482d, 0x9c6e75b8),\n TOBN(0x639961d0, 0x3a191ce2), TOBN(0xda3bc865, 0x6d837930)}},\n {{TOBN(0xca990653, 0x056e6f8f), TOBN(0x84861c41, 0x64d133a7),\n TOBN(0x8b403276, 0x746abe40), TOBN(0xb7b4d51a, 0xebf8e303)},\n {TOBN(0x05b43211, 0x220a255d), TOBN(0xc997152c, 0x02419e6e),\n TOBN(0x76ff47b6, 0x630c2fea), TOBN(0x50518677, 0x281fdade)}},\n {{TOBN(0x3283b8ba, 0xcf902b0b), TOBN(0x8d4b4eb5, 0x37db303b),\n TOBN(0xcc89f42d, 0x755011bc), TOBN(0xb43d74bb, 0xdd09d19b)},\n {TOBN(0x65746bc9, 0x8adba350), TOBN(0x364eaf8c, 0xb51c1927),\n TOBN(0x13c76596, 0x10ad72ec), TOBN(0x30045121, 0xf8d40c20)}},\n {{TOBN(0x6d2d99b7, 0xea7b979b), TOBN(0xcd78cd74, 0xe6fb3bcd),\n TOBN(0x11e45a9e, 0x86cffbfe), TOBN(0x78a61cf4, 0x637024f6)},\n {TOBN(0xd06bc872, 0x3d502295), TOBN(0xf1376854, 0x458cb288),\n TOBN(0xb9db26a1, 0x342f8586), TOBN(0xf33effcf, 0x4beee09e)}},\n {{TOBN(0xd7e0c4cd, 0xb30cfb3a), TOBN(0x6d09b8c1, 0x6c9db4c8),\n TOBN(0x40ba1a42, 0x07c8d9df), TOBN(0x6fd495f7, 0x1c52c66d)},\n {TOBN(0xfb0e169f, 0x275264da), TOBN(0x80c2b746, 0xe57d8362),\n TOBN(0xedd987f7, 0x49ad7222), TOBN(0xfdc229af, 0x4398ec7b)}}},\n {{{TOBN(0xb0d1ed84, 0x52666a58), TOBN(0x4bcb6e00, 0xe6a9c3c2),\n TOBN(0x3c57411c, 0x26906408), TOBN(0xcfc20755, 0x13556400)},\n {TOBN(0xa08b1c50, 0x5294dba3), TOBN(0xa30ba286, 0x8b7dd31e),\n TOBN(0xd70ba90e, 0x991eca74), TOBN(0x094e142c, 0xe762c2b9)}},\n {{TOBN(0xb81d783e, 0x979f3925), TOBN(0x1efd130a, 0xaf4c89a7),\n TOBN(0x525c2144, 0xfd1bf7fa), TOBN(0x4b296904, 0x1b265a9e)},\n {TOBN(0xed8e9634, 0xb9db65b6), TOBN(0x35c82e32, 0x03599d8a),\n TOBN(0xdaa7a54f, 0x403563f3), TOBN(0x9df088ad, 0x022c38ab)}},\n {{TOBN(0xe5cfb066, 0xbb3fd30a), TOBN(0x429169da, 0xeff0354e),\n TOBN(0x809cf852, 0x3524e36c), TOBN(0x136f4fb3, 0x0155be1d)},\n {TOBN(0x4826af01, 0x1fbba712), TOBN(0x6ef0f0b4, 0x506ba1a1),\n TOBN(0xd9928b31, 0x77aea73e), TOBN(0xe2bf6af2, 0x5eaa244e)}},\n {{TOBN(0x8d084f12, 0x4237b64b), TOBN(0x688ebe99, 0xe3ecfd07),\n TOBN(0x57b8a70c, 0xf6845dd8), TOBN(0x808fc59c, 0x5da4a325)},\n {TOBN(0xa9032b2b, 0xa3585862), TOBN(0xb66825d5, 0xedf29386),\n TOBN(0xb5a5a8db, 0x431ec29b), TOBN(0xbb143a98, 0x3a1e8dc8)}},\n {{TOBN(0x35ee94ce, 0x12ae381b), TOBN(0x3a7f176c, 0x86ccda90),\n TOBN(0xc63a657e, 0x4606eaca), TOBN(0x9ae5a380, 0x43cd04df)},\n {TOBN(0x9bec8d15, 0xed251b46), TOBN(0x1f5d6d30, 0xcaca5e64),\n TOBN(0x347b3b35, 0x9ff20f07), TOBN(0x4d65f034, 0xf7e4b286)}},\n {{TOBN(0x9e93ba24, 0xf111661e), TOBN(0xedced484, 0xb105eb04),\n TOBN(0x96dc9ba1, 0xf424b578), TOBN(0xbf8f66b7, 0xe83e9069)},\n {TOBN(0x872d4df4, 0xd7ed8216), TOBN(0xbf07f377, 0x8e2cbecf),\n TOBN(0x4281d899, 0x98e73754), TOBN(0xfec85fbb, 0x8aab8708)}},\n {{TOBN(0x9a3c0dee, 0xa5ba5b0b), TOBN(0xe6a116ce, 0x42d05299),\n TOBN(0xae9775fe, 0xe9b02d42), TOBN(0x72b05200, 0xa1545cb6)},\n {TOBN(0xbc506f7d, 0x31a3b4ea), TOBN(0xe5893078, 0x8bbd9b32),\n TOBN(0xc8bc5f37, 0xe4b12a97), TOBN(0x6b000c06, 0x4a73b671)}},\n {{TOBN(0x13b5bf22, 0x765fa7d0), TOBN(0x59805bf0, 0x1d6a5370),\n TOBN(0x67a5e29d, 0x4280db98), TOBN(0x4f53916f, 0x776b1ce3)},\n {TOBN(0x714ff61f, 0x33ddf626), TOBN(0x4206238e, 0xa085d103),\n TOBN(0x1c50d4b7, 0xe5809ee3), TOBN(0x999f450d, 0x85f8eb1d)}},\n {{TOBN(0x658a6051, 0xe4c79e9b), TOBN(0x1394cb73, 0xc66a9fea),\n TOBN(0x27f31ed5, 0xc6be7b23), TOBN(0xf4c88f36, 0x5aa6f8fe)},\n {TOBN(0x0fb0721f, 0x4aaa499e), TOBN(0x68b3a7d5, 0xe3fb2a6b),\n TOBN(0xa788097d, 0x3a92851d), TOBN(0x060e7f8a, 0xe96f4913)}},\n {{TOBN(0x82eebe73, 0x1a3a93bc), TOBN(0x42bbf465, 0xa21adc1a),\n TOBN(0xc10b6fa4, 0xef030efd), TOBN(0x247aa4c7, 0x87b097bb)},\n {TOBN(0x8b8dc632, 0xf60c77da), TOBN(0x6ffbc26a, 0xc223523e),\n TOBN(0xa4f6ff11, 0x344579cf), TOBN(0x5825653c, 0x980250f6)}},\n {{TOBN(0xb2dd097e, 0xbc1aa2b9), TOBN(0x07889393, 0x37a0333a),\n TOBN(0x1cf55e71, 0x37a0db38), TOBN(0x2648487f, 0x792c1613)},\n {TOBN(0xdad01336, 0x3fcef261), TOBN(0x6239c81d, 0x0eabf129),\n TOBN(0x8ee761de, 0x9d276be2), TOBN(0x406a7a34, 0x1eda6ad3)}},\n {{TOBN(0x4bf367ba, 0x4a493b31), TOBN(0x54f20a52, 0x9bf7f026),\n TOBN(0xb696e062, 0x9795914b), TOBN(0xcddab96d, 0x8bf236ac)},\n {TOBN(0x4ff2c70a, 0xed25ea13), TOBN(0xfa1d09eb, 0x81cbbbe7),\n TOBN(0x88fc8c87, 0x468544c5), TOBN(0x847a670d, 0x696b3317)}},\n {{TOBN(0xf133421e, 0x64bcb626), TOBN(0xaea638c8, 0x26dee0b5),\n TOBN(0xd6e7680b, 0xb310346c), TOBN(0xe06f4097, 0xd5d4ced3)},\n {TOBN(0x09961452, 0x7512a30b), TOBN(0xf3d867fd, 0xe589a59a),\n TOBN(0x2e73254f, 0x52d0c180), TOBN(0x9063d8a3, 0x333c74ac)}},\n {{TOBN(0xeda6c595, 0xd314e7bc), TOBN(0x2ee7464b, 0x467899ed),\n TOBN(0x1cef423c, 0x0a1ed5d3), TOBN(0x217e76ea, 0x69cc7613)},\n {TOBN(0x27ccce1f, 0xe7cda917), TOBN(0x12d8016b, 0x8a893f16),\n TOBN(0xbcd6de84, 0x9fc74f6b), TOBN(0xfa5817e2, 0xf3144e61)}},\n {{TOBN(0x1f354164, 0x0821ee4c), TOBN(0x1583eab4, 0x0bc61992),\n TOBN(0x7490caf6, 0x1d72879f), TOBN(0x998ad9f3, 0xf76ae7b2)},\n {TOBN(0x1e181950, 0xa41157f7), TOBN(0xa9d7e1e6, 0xe8da3a7e),\n TOBN(0x963784eb, 0x8426b95f), TOBN(0x0ee4ed6e, 0x542e2a10)}},\n {{TOBN(0xb79d4cc5, 0xac751e7b), TOBN(0x93f96472, 0xfd4211bd),\n TOBN(0x8c72d3d2, 0xc8de4fc6), TOBN(0x7b69cbf5, 0xdf44f064)},\n {TOBN(0x3da90ca2, 0xf4bf94e1), TOBN(0x1a5325f8, 0xf12894e2),\n TOBN(0x0a437f6c, 0x7917d60b), TOBN(0x9be70486, 0x96c9cb5d)}},\n {{TOBN(0xb4d880bf, 0xe1dc5c05), TOBN(0xd738adda, 0xeebeeb57),\n TOBN(0x6f0119d3, 0xdf0fe6a3), TOBN(0x5c686e55, 0x66eaaf5a)},\n {TOBN(0x9cb10b50, 0xdfd0b7ec), TOBN(0xbdd0264b, 0x6a497c21),\n TOBN(0xfc093514, 0x8c546c96), TOBN(0x58a947fa, 0x79dbf42a)}},\n {{TOBN(0xc0b48d4e, 0x49ccd6d7), TOBN(0xff8fb02c, 0x88bd5580),\n TOBN(0xc75235e9, 0x07d473b2), TOBN(0x4fab1ac5, 0xa2188af3)},\n {TOBN(0x030fa3bc, 0x97576ec0), TOBN(0xe8c946e8, 0x0b7e7d2f),\n TOBN(0x40a5c9cc, 0x70305600), TOBN(0x6d8260a9, 0xc8b013b4)}},\n {{TOBN(0x0368304f, 0x70bba85c), TOBN(0xad090da1, 0xa4a0d311),\n TOBN(0x7170e870, 0x2415eec1), TOBN(0xbfba35fe, 0x8461ea47)},\n {TOBN(0x6279019a, 0xc1e91938), TOBN(0xa47638f3, 0x1afc415f),\n TOBN(0x36c65cbb, 0xbcba0e0f), TOBN(0x02160efb, 0x034e2c48)}},\n {{TOBN(0xe6c51073, 0x615cd9e4), TOBN(0x498ec047, 0xf1243c06),\n TOBN(0x3e5a8809, 0xb17b3d8c), TOBN(0x5cd99e61, 0x0cc565f1)},\n {TOBN(0x81e312df, 0x7851dafe), TOBN(0xf156f5ba, 0xa79061e2),\n TOBN(0x80d62b71, 0x880c590e), TOBN(0xbec9746f, 0x0a39faa1)}},\n {{TOBN(0x1d98a9c1, 0xc8ed1f7a), TOBN(0x09e43bb5, 0xa81d5ff2),\n TOBN(0xd5f00f68, 0x0da0794a), TOBN(0x412050d9, 0x661aa836)},\n {TOBN(0xa89f7c4e, 0x90747e40), TOBN(0x6dc05ebb, 0xb62a3686),\n TOBN(0xdf4de847, 0x308e3353), TOBN(0x53868fbb, 0x9fb53bb9)}},\n {{TOBN(0x2b09d2c3, 0xcfdcf7dd), TOBN(0x41a9fce3, 0x723fcab4),\n TOBN(0x73d905f7, 0x07f57ca3), TOBN(0x080f9fb1, 0xac8e1555)},\n {TOBN(0x7c088e84, 0x9ba7a531), TOBN(0x07d35586, 0xed9a147f),\n TOBN(0x602846ab, 0xaf48c336), TOBN(0x7320fd32, 0x0ccf0e79)}},\n {{TOBN(0xaa780798, 0xb18bd1ff), TOBN(0x52c2e300, 0xafdd2905),\n TOBN(0xf27ea3d6, 0x434267cd), TOBN(0x8b96d16d, 0x15605b5f)},\n {TOBN(0x7bb31049, 0x4b45706b), TOBN(0xe7f58b8e, 0x743d25f8),\n TOBN(0xe9b5e45b, 0x87f30076), TOBN(0xd19448d6, 0x5d053d5a)}},\n {{TOBN(0x1ecc8cb9, 0xd3210a04), TOBN(0x6bc7d463, 0xdafb5269),\n TOBN(0x3e59b10a, 0x67c3489f), TOBN(0x1769788c, 0x65641e1b)},\n {TOBN(0x8a53b82d, 0xbd6cb838), TOBN(0x7066d6e6, 0x236d5f22),\n TOBN(0x03aa1c61, 0x6908536e), TOBN(0xc971da0d, 0x66ae9809)}},\n {{TOBN(0x01b3a86b, 0xc49a2fac), TOBN(0x3b8420c0, 0x3092e77a),\n TOBN(0x02057300, 0x7d6fb556), TOBN(0x6941b2a1, 0xbff40a87)},\n {TOBN(0x140b6308, 0x0658ff2a), TOBN(0x87804363, 0x3424ab36),\n TOBN(0x0253bd51, 0x5751e299), TOBN(0xc75bcd76, 0x449c3e3a)}},\n {{TOBN(0x92eb4090, 0x7f8f875d), TOBN(0x9c9d754e, 0x56c26bbf),\n TOBN(0x158cea61, 0x8110bbe7), TOBN(0x62a6b802, 0x745f91ea)},\n {TOBN(0xa79c41aa, 0xc6e7394b), TOBN(0x445b6a83, 0xad57ef10),\n TOBN(0x0c5277eb, 0x6ea6f40c), TOBN(0x319fe96b, 0x88633365)}},\n {{TOBN(0x0b0fc61f, 0x385f63cb), TOBN(0x41250c84, 0x22bdd127),\n TOBN(0x67d153f1, 0x09e942c2), TOBN(0x60920d08, 0xc021ad5d)},\n {TOBN(0x229f5746, 0x724d81a5), TOBN(0xb7ffb892, 0x5bba3299),\n TOBN(0x518c51a1, 0xde413032), TOBN(0x2a9bfe77, 0x3c2fd94c)}},\n {{TOBN(0xcbcde239, 0x3191f4fd), TOBN(0x43093e16, 0xd3d6ada1),\n TOBN(0x184579f3, 0x58769606), TOBN(0x2c94a8b3, 0xd236625c)},\n {TOBN(0x6922b9c0, 0x5c437d8e), TOBN(0x3d4ae423, 0xd8d9f3c8),\n TOBN(0xf72c31c1, 0x2e7090a2), TOBN(0x4ac3f5f3, 0xd76a55bd)}},\n {{TOBN(0x342508fc, 0x6b6af991), TOBN(0x0d527100, 0x1b5cebbd),\n TOBN(0xb84740d0, 0xdd440dd7), TOBN(0x748ef841, 0x780162fd)},\n {TOBN(0xa8dbfe0e, 0xdfc6fafb), TOBN(0xeadfdf05, 0xf7300f27),\n TOBN(0x7d06555f, 0xfeba4ec9), TOBN(0x12c56f83, 0x9e25fa97)}},\n {{TOBN(0x77f84203, 0xd39b8c34), TOBN(0xed8b1be6, 0x3125eddb),\n TOBN(0x5bbf2441, 0xf6e39dc5), TOBN(0xb00f6ee6, 0x6a5d678a)},\n {TOBN(0xba456ecf, 0x57d0ea99), TOBN(0xdcae0f58, 0x17e06c43),\n TOBN(0x01643de4, 0x0f5b4baa), TOBN(0x2c324341, 0xd161b9be)}},\n {{TOBN(0x80177f55, 0xe126d468), TOBN(0xed325f1f, 0x76748e09),\n TOBN(0x6116004a, 0xcfa9bdc2), TOBN(0x2d8607e6, 0x3a9fb468)},\n {TOBN(0x0e573e27, 0x6009d660), TOBN(0x3a525d2e, 0x8d10c5a1),\n TOBN(0xd26cb45c, 0x3b9009a0), TOBN(0xb6b0cdc0, 0xde9d7448)}},\n {{TOBN(0x949c9976, 0xe1337c26), TOBN(0x6faadebd, 0xd73d68e5),\n TOBN(0x9e158614, 0xf1b768d9), TOBN(0x22dfa557, 0x9cc4f069)},\n {TOBN(0xccd6da17, 0xbe93c6d6), TOBN(0x24866c61, 0xa504f5b9),\n TOBN(0x2121353c, 0x8d694da1), TOBN(0x1c6ca580, 0x0140b8c6)}},\n {{TOBN(0xc245ad8c, 0xe964021e), TOBN(0xb83bffba, 0x032b82b3),\n TOBN(0xfaa220c6, 0x47ef9898), TOBN(0x7e8d3ac6, 0x982c948a)},\n {TOBN(0x1faa2091, 0xbc2d124a), TOBN(0xbd54c3dd, 0x05b15ff4),\n TOBN(0x386bf3ab, 0xc87c6fb7), TOBN(0xfb2b0563, 0xfdeb6f66)}},\n {{TOBN(0x4e77c557, 0x5b45afb4), TOBN(0xe9ded649, 0xefb8912d),\n TOBN(0x7ec9bbf5, 0x42f6e557), TOBN(0x2570dfff, 0x62671f00)},\n {TOBN(0x2b3bfb78, 0x88e084bd), TOBN(0xa024b238, 0xf37fe5b4),\n TOBN(0x44e7dc04, 0x95649aee), TOBN(0x498ca255, 0x5e7ec1d8)}},\n {{TOBN(0x3bc766ea, 0xaaa07e86), TOBN(0x0db6facb, 0xf3608586),\n TOBN(0xbadd2549, 0xbdc259c8), TOBN(0x95af3c6e, 0x041c649f)},\n {TOBN(0xb36a928c, 0x02e30afb), TOBN(0x9b5356ad, 0x008a88b8),\n TOBN(0x4b67a5f1, 0xcf1d9e9d), TOBN(0xc6542e47, 0xa5d8d8ce)}},\n {{TOBN(0x73061fe8, 0x7adfb6cc), TOBN(0xcc826fd3, 0x98678141),\n TOBN(0x00e758b1, 0x3c80515a), TOBN(0x6afe3247, 0x41485083)},\n {TOBN(0x0fcb08b9, 0xb6ae8a75), TOBN(0xb8cf388d, 0x4acf51e1),\n TOBN(0x344a5560, 0x6961b9d6), TOBN(0x1a6778b8, 0x6a97fd0c)}},\n {{TOBN(0xd840fdc1, 0xecc4c7e3), TOBN(0xde9fe47d, 0x16db68cc),\n TOBN(0xe95f89de, 0xa3e216aa), TOBN(0x84f1a6a4, 0x9594a8be)},\n {TOBN(0x7ddc7d72, 0x5a7b162b), TOBN(0xc5cfda19, 0xadc817a3),\n TOBN(0x80a5d350, 0x78b58d46), TOBN(0x93365b13, 0x82978f19)}},\n {{TOBN(0x2e44d225, 0x26a1fc90), TOBN(0x0d6d10d2, 0x4d70705d),\n TOBN(0xd94b6b10, 0xd70c45f4), TOBN(0x0f201022, 0xb216c079)},\n {TOBN(0xcec966c5, 0x658fde41), TOBN(0xa8d2bc7d, 0x7e27601d),\n TOBN(0xbfcce3e1, 0xff230be7), TOBN(0x3394ff6b, 0x0033ffb5)}},\n {{TOBN(0xd890c509, 0x8132c9af), TOBN(0xaac4b0eb, 0x361e7868),\n TOBN(0x5194ded3, 0xe82d15aa), TOBN(0x4550bd2e, 0x23ae6b7d)},\n {TOBN(0x3fda318e, 0xea5399d4), TOBN(0xd989bffa, 0x91638b80),\n TOBN(0x5ea124d0, 0xa14aa12d), TOBN(0x1fb1b899, 0x3667b944)}},\n {{TOBN(0x95ec7969, 0x44c44d6a), TOBN(0x91df144a, 0x57e86137),\n TOBN(0x915fd620, 0x73adac44), TOBN(0x8f01732d, 0x59a83801)},\n {TOBN(0xec579d25, 0x3aa0a633), TOBN(0x06de5e7c, 0xc9d6d59c),\n TOBN(0xc132f958, 0xb1ef8010), TOBN(0x29476f96, 0xe65c1a02)}},\n {{TOBN(0x336a77c0, 0xd34c3565), TOBN(0xef1105b2, 0x1b9f1e9e),\n TOBN(0x63e6d08b, 0xf9e08002), TOBN(0x9aff2f21, 0xc613809e)},\n {TOBN(0xb5754f85, 0x3a80e75d), TOBN(0xde71853e, 0x6bbda681),\n TOBN(0x86f041df, 0x8197fd7a), TOBN(0x8b332e08, 0x127817fa)}},\n {{TOBN(0x05d99be8, 0xb9c20cda), TOBN(0x89f7aad5, 0xd5cd0c98),\n TOBN(0x7ef936fe, 0x5bb94183), TOBN(0x92ca0753, 0xb05cd7f2)},\n {TOBN(0x9d65db11, 0x74a1e035), TOBN(0x02628cc8, 0x13eaea92),\n TOBN(0xf2d9e242, 0x49e4fbf2), TOBN(0x94fdfd9b, 0xe384f8b7)}},\n {{TOBN(0x65f56054, 0x63428c6b), TOBN(0x2f7205b2, 0x90b409a5),\n TOBN(0xf778bb78, 0xff45ae11), TOBN(0xa13045be, 0xc5ee53b2)},\n {TOBN(0xe00a14ff, 0x03ef77fe), TOBN(0x689cd59f, 0xffef8bef),\n TOBN(0x3578f0ed, 0x1e9ade22), TOBN(0xe99f3ec0, 0x6268b6a8)}},\n {{TOBN(0xa2057d91, 0xea1b3c3e), TOBN(0x2d1a7053, 0xb8823a4a),\n TOBN(0xabbb336a, 0x2cca451e), TOBN(0xcd2466e3, 0x2218bb5d)},\n {TOBN(0x3ac1f42f, 0xc8cb762d), TOBN(0x7e312aae, 0x7690211f),\n TOBN(0xebb9bd73, 0x45d07450), TOBN(0x207c4b82, 0x46c2213f)}},\n {{TOBN(0x99d425c1, 0x375913ec), TOBN(0x94e45e96, 0x67908220),\n TOBN(0xc08f3087, 0xcd67dbf6), TOBN(0xa5670fbe, 0xc0887056)},\n {TOBN(0x6717b64a, 0x66f5b8fc), TOBN(0xd5a56aea, 0x786fec28),\n TOBN(0xa8c3f55f, 0xc0ff4952), TOBN(0xa77fefae, 0x457ac49b)}},\n {{TOBN(0x29882d7c, 0x98379d44), TOBN(0xd000bdfb, 0x509edc8a),\n TOBN(0xc6f95979, 0xe66fe464), TOBN(0x504a6115, 0xfa61bde0)},\n {TOBN(0x56b3b871, 0xeffea31a), TOBN(0x2d3de26d, 0xf0c21a54),\n TOBN(0x21dbff31, 0x834753bf), TOBN(0xe67ecf49, 0x69269d86)}},\n {{TOBN(0x7a176952, 0x151fe690), TOBN(0x03515804, 0x7f2adb5f),\n TOBN(0xee794b15, 0xd1b62a8d), TOBN(0xf004ceec, 0xaae454e6)},\n {TOBN(0x0897ea7c, 0xf0386fac), TOBN(0x3b62ff12, 0xd1fca751),\n TOBN(0x154181df, 0x1b7a04ec), TOBN(0x2008e04a, 0xfb5847ec)}},\n {{TOBN(0xd147148e, 0x41dbd772), TOBN(0x2b419f73, 0x22942654),\n TOBN(0x669f30d3, 0xe9c544f7), TOBN(0x52a2c223, 0xc8540149)},\n {TOBN(0x5da9ee14, 0x634dfb02), TOBN(0x5f074ff0, 0xf47869f3),\n TOBN(0x74ee878d, 0xa3933acc), TOBN(0xe6510651, 0x4fe35ed1)}},\n {{TOBN(0xb3eb9482, 0xf1012e7a), TOBN(0x51013cc0, 0xa8a566ae),\n TOBN(0xdd5e9243, 0x47c00d3b), TOBN(0x7fde089d, 0x946bb0e5)},\n {TOBN(0x030754fe, 0xc731b4b3), TOBN(0x12a136a4, 0x99fda062),\n TOBN(0x7c1064b8, 0x5a1a35bc), TOBN(0xbf1f5763, 0x446c84ef)}},\n {{TOBN(0xed29a56d, 0xa16d4b34), TOBN(0x7fba9d09, 0xdca21c4f),\n TOBN(0x66d7ac00, 0x6d8de486), TOBN(0x60061987, 0x73a2a5e1)},\n {TOBN(0x8b400f86, 0x9da28ff0), TOBN(0x3133f708, 0x43c4599c),\n TOBN(0x9911c9b8, 0xee28cb0d), TOBN(0xcd7e2874, 0x8e0af61d)}},\n {{TOBN(0x5a85f0f2, 0x72ed91fc), TOBN(0x85214f31, 0x9cd4a373),\n TOBN(0x881fe5be, 0x1925253c), TOBN(0xd8dc98e0, 0x91e8bc76)},\n {TOBN(0x7120affe, 0x585cc3a2), TOBN(0x724952ed, 0x735bf97a),\n TOBN(0x5581e7dc, 0x3eb34581), TOBN(0x5cbff4f2, 0xe52ee57d)}},\n {{TOBN(0x8d320a0e, 0x87d8cc7b), TOBN(0x9beaa7f3, 0xf1d280d0),\n TOBN(0x7a0b9571, 0x9beec704), TOBN(0x9126332e, 0x5b7f0057)},\n {TOBN(0x01fbc1b4, 0x8ed3bd6d), TOBN(0x35bb2c12, 0xd945eb24),\n TOBN(0x6404694e, 0x9a8ae255), TOBN(0xb6092eec, 0x8d6abfb3)}},\n {{TOBN(0x4d76143f, 0xcc058865), TOBN(0x7b0a5af2, 0x6e249922),\n TOBN(0x8aef9440, 0x6a50d353), TOBN(0xe11e4bcc, 0x64f0e07a)},\n {TOBN(0x4472993a, 0xa14a90fa), TOBN(0x7706e20c, 0xba0c51d4),\n TOBN(0xf403292f, 0x1532672d), TOBN(0x52573bfa, 0x21829382)}},\n {{TOBN(0x6a7bb6a9, 0x3b5bdb83), TOBN(0x08da65c0, 0xa4a72318),\n TOBN(0xc58d22aa, 0x63eb065f), TOBN(0x1717596c, 0x1b15d685)},\n {TOBN(0x112df0d0, 0xb266d88b), TOBN(0xf688ae97, 0x5941945a),\n TOBN(0x487386e3, 0x7c292cac), TOBN(0x42f3b50d, 0x57d6985c)}},\n {{TOBN(0x6da4f998, 0x6a90fc34), TOBN(0xc8f257d3, 0x65ca8a8d),\n TOBN(0xc2feabca, 0x6951f762), TOBN(0xe1bc81d0, 0x74c323ac)},\n {TOBN(0x1bc68f67, 0x251a2a12), TOBN(0x10d86587, 0xbe8a70dc),\n TOBN(0xd648af7f, 0xf0f84d2e), TOBN(0xf0aa9ebc, 0x6a43ac92)}},\n {{TOBN(0x69e3be04, 0x27596893), TOBN(0xb6bb02a6, 0x45bf452b),\n TOBN(0x0875c11a, 0xf4c698c8), TOBN(0x6652b5c7, 0xbece3794)},\n {TOBN(0x7b3755fd, 0x4f5c0499), TOBN(0x6ea16558, 0xb5532b38),\n TOBN(0xd1c69889, 0xa2e96ef7), TOBN(0x9c773c3a, 0x61ed8f48)}},\n {{TOBN(0x2b653a40, 0x9b323abc), TOBN(0xe26605e1, 0xf0e1d791),\n TOBN(0x45d41064, 0x4a87157a), TOBN(0x8f9a78b7, 0xcbbce616)},\n {TOBN(0xcf1e44aa, 0xc407eddd), TOBN(0x81ddd1d8, 0xa35b964f),\n TOBN(0x473e339e, 0xfd083999), TOBN(0x6c94bdde, 0x8e796802)}},\n {{TOBN(0x5a304ada, 0x8545d185), TOBN(0x82ae44ea, 0x738bb8cb),\n TOBN(0x628a35e3, 0xdf87e10e), TOBN(0xd3624f3d, 0xa15b9fe3)},\n {TOBN(0xcc44209b, 0x14be4254), TOBN(0x7d0efcbc, 0xbdbc2ea5),\n TOBN(0x1f603362, 0x04c37bbe), TOBN(0x21f363f5, 0x56a5852c)}},\n {{TOBN(0xa1503d1c, 0xa8501550), TOBN(0x2251e0e1, 0xd8ab10bb),\n TOBN(0xde129c96, 0x6961c51c), TOBN(0x1f7246a4, 0x81910f68)},\n {TOBN(0x2eb744ee, 0x5f2591f2), TOBN(0x3c47d33f, 0x5e627157),\n TOBN(0x4d6d62c9, 0x22f3bd68), TOBN(0x6120a64b, 0xcb8df856)}},\n {{TOBN(0x3a9ac6c0, 0x7b5d07df), TOBN(0xa92b9558, 0x7ef39783),\n TOBN(0xe128a134, 0xab3a9b4f), TOBN(0x41c18807, 0xb1252f05)},\n {TOBN(0xfc7ed089, 0x80ba9b1c), TOBN(0xac8dc6de, 0xc532a9dd),\n TOBN(0xbf829cef, 0x55246809), TOBN(0x101b784f, 0x5b4ee80f)}},\n {{TOBN(0xc09945bb, 0xb6f11603), TOBN(0x57b09dbe, 0x41d2801e),\n TOBN(0xfba5202f, 0xa97534a8), TOBN(0x7fd8ae5f, 0xc17b9614)},\n {TOBN(0xa50ba666, 0x78308435), TOBN(0x9572f77c, 0xd3868c4d),\n TOBN(0x0cef7bfd, 0x2dd7aab0), TOBN(0xe7958e08, 0x2c7c79ff)}},\n {{TOBN(0x81262e42, 0x25346689), TOBN(0x716da290, 0xb07c7004),\n TOBN(0x35f911ea, 0xb7950ee3), TOBN(0x6fd72969, 0x261d21b5)},\n {TOBN(0x52389803, 0x08b640d3), TOBN(0x5b0026ee, 0x887f12a1),\n TOBN(0x20e21660, 0x742e9311), TOBN(0x0ef6d541, 0x5ff77ff7)}},\n {{TOBN(0x969127f0, 0xf9c41135), TOBN(0xf21d60c9, 0x68a64993),\n TOBN(0x656e5d0c, 0xe541875c), TOBN(0xf1e0f84e, 0xa1d3c233)},\n {TOBN(0x9bcca359, 0x06002d60), TOBN(0xbe2da60c, 0x06191552),\n TOBN(0x5da8bbae, 0x61181ec3), TOBN(0x9f04b823, 0x65806f19)}},\n {{TOBN(0xf1604a7d, 0xd4b79bb8), TOBN(0xaee806fb, 0x52c878c8),\n TOBN(0x34144f11, 0x8d47b8e8), TOBN(0x72edf52b, 0x949f9054)},\n {TOBN(0xebfca84e, 0x2127015a), TOBN(0x9051d0c0, 0x9cb7cef3),\n TOBN(0x86e8fe58, 0x296deec8), TOBN(0x33b28188, 0x41010d74)}}},\n {{{TOBN(0x01079383, 0x171b445f), TOBN(0x9bcf21e3, 0x8131ad4c),\n TOBN(0x8cdfe205, 0xc93987e8), TOBN(0xe63f4152, 0xc92e8c8f)},\n {TOBN(0x729462a9, 0x30add43d), TOBN(0x62ebb143, 0xc980f05a),\n TOBN(0x4f3954e5, 0x3b06e968), TOBN(0xfe1d75ad, 0x242cf6b1)}},\n {{TOBN(0x5f95c6c7, 0xaf8685c8), TOBN(0xd4c1c8ce, 0x2f8f01aa),\n TOBN(0xc44bbe32, 0x2574692a), TOBN(0xb8003478, 0xd4a4a068)},\n {TOBN(0x7c8fc6e5, 0x2eca3cdb), TOBN(0xea1db16b, 0xec04d399),\n TOBN(0xb05bc82e, 0x8f2bc5cf), TOBN(0x763d517f, 0xf44793d2)}},\n {{TOBN(0x4451c1b8, 0x08bd98d0), TOBN(0x644b1cd4, 0x6575f240),\n TOBN(0x6907eb33, 0x7375d270), TOBN(0x56c8bebd, 0xfa2286bd)},\n {TOBN(0xc713d2ac, 0xc4632b46), TOBN(0x17da427a, 0xafd60242),\n TOBN(0x313065b7, 0xc95c7546), TOBN(0xf8239898, 0xbf17a3de)}},\n {{TOBN(0xf3b7963f, 0x4c830320), TOBN(0x842c7aa0, 0x903203e3),\n TOBN(0xaf22ca0a, 0xe7327afb), TOBN(0x38e13092, 0x967609b6)},\n {TOBN(0x73b8fb62, 0x757558f1), TOBN(0x3cc3e831, 0xf7eca8c1),\n TOBN(0xe4174474, 0xf6331627), TOBN(0xa77989ca, 0xc3c40234)}},\n {{TOBN(0xe5fd17a1, 0x44a081e0), TOBN(0xd797fb7d, 0xb70e296a),\n TOBN(0x2b472b30, 0x481f719c), TOBN(0x0e632a98, 0xfe6f8c52)},\n {TOBN(0x89ccd116, 0xc5f0c284), TOBN(0xf51088af, 0x2d987c62),\n TOBN(0x2a2bccda, 0x4c2de6cf), TOBN(0x810f9efe, 0xf679f0f9)}},\n {{TOBN(0xb0f394b9, 0x7ffe4b3e), TOBN(0x0b691d21, 0xe5fa5d21),\n TOBN(0xb0bd7747, 0x9dfbbc75), TOBN(0xd2830fda, 0xfaf78b00)},\n {TOBN(0xf78c249c, 0x52434f57), TOBN(0x4b1f7545, 0x98096dab),\n TOBN(0x73bf6f94, 0x8ff8c0b3), TOBN(0x34aef03d, 0x454e134c)}},\n {{TOBN(0xf8d151f4, 0xb7ac7ec5), TOBN(0xd6ceb95a, 0xe50da7d5),\n TOBN(0xa1b492b0, 0xdc3a0eb8), TOBN(0x75157b69, 0xb3dd2863)},\n {TOBN(0xe2c4c74e, 0xc5413d62), TOBN(0xbe329ff7, 0xbc5fc4c7),\n TOBN(0x835a2aea, 0x60fa9dda), TOBN(0xf117f5ad, 0x7445cb87)}},\n {{TOBN(0xae8317f4, 0xb0166f7a), TOBN(0xfbd3e3f7, 0xceec74e6),\n TOBN(0xfdb516ac, 0xe0874bfd), TOBN(0x3d846019, 0xc681f3a3)},\n {TOBN(0x0b12ee5c, 0x7c1620b0), TOBN(0xba68b4dd, 0x2b63c501),\n TOBN(0xac03cd32, 0x6668c51e), TOBN(0x2a6279f7, 0x4e0bcb5b)}},\n {{TOBN(0x17bd69b0, 0x6ae85c10), TOBN(0x72946979, 0x1dfdd3a6),\n TOBN(0xd9a03268, 0x2c078bec), TOBN(0x41c6a658, 0xbfd68a52)},\n {TOBN(0xcdea1024, 0x0e023900), TOBN(0xbaeec121, 0xb10d144d),\n TOBN(0x5a600e74, 0x058ab8dc), TOBN(0x1333af21, 0xbb89ccdd)}},\n {{TOBN(0xdf25eae0, 0x3aaba1f1), TOBN(0x2cada16e, 0x3b7144cf),\n TOBN(0x657ee27d, 0x71ab98bc), TOBN(0x99088b4c, 0x7a6fc96e)},\n {TOBN(0x05d5c0a0, 0x3549dbd4), TOBN(0x42cbdf8f, 0xf158c3ac),\n TOBN(0x3fb6b3b0, 0x87edd685), TOBN(0x22071cf6, 0x86f064d0)}},\n {{TOBN(0xd2d6721f, 0xff2811e5), TOBN(0xdb81b703, 0xfe7fae8c),\n TOBN(0x3cfb74ef, 0xd3f1f7bb), TOBN(0x0cdbcd76, 0x16cdeb5d)},\n {TOBN(0x4f39642a, 0x566a808c), TOBN(0x02b74454, 0x340064d6),\n TOBN(0xfabbadca, 0x0528fa6f), TOBN(0xe4c3074c, 0xd3fc0bb6)}},\n {{TOBN(0xb32cb8b0, 0xb796d219), TOBN(0xc3e95f4f, 0x34741dd9),\n TOBN(0x87212125, 0x68edf6f5), TOBN(0x7a03aee4, 0xa2b9cb8e)},\n {TOBN(0x0cd3c376, 0xf53a89aa), TOBN(0x0d8af9b1, 0x948a28dc),\n TOBN(0xcf86a3f4, 0x902ab04f), TOBN(0x8aacb62a, 0x7f42002d)}},\n {{TOBN(0x106985eb, 0xf62ffd52), TOBN(0xe670b54e, 0x5797bf10),\n TOBN(0x4b405209, 0xc5e30aef), TOBN(0x12c97a20, 0x4365b5e9)},\n {TOBN(0x104646ce, 0x1fe32093), TOBN(0x13cb4ff6, 0x3907a8c9),\n TOBN(0x8b9f30d1, 0xd46e726b), TOBN(0xe1985e21, 0xaba0f499)}},\n {{TOBN(0xc573dea9, 0x10a230cd), TOBN(0x24f46a93, 0xcd30f947),\n TOBN(0xf2623fcf, 0xabe2010a), TOBN(0x3f278cb2, 0x73f00e4f)},\n {TOBN(0xed55c67d, 0x50b920eb), TOBN(0xf1cb9a2d, 0x8e760571),\n TOBN(0x7c50d109, 0x0895b709), TOBN(0x4207cf07, 0x190d4369)}},\n {{TOBN(0x3b027e81, 0xc4127fe1), TOBN(0xa9f8b9ad, 0x3ae9c566),\n TOBN(0x5ab10851, 0xacbfbba5), TOBN(0xa747d648, 0x569556f5)},\n {TOBN(0xcc172b5c, 0x2ba97bf7), TOBN(0x15e0f77d, 0xbcfa3324),\n TOBN(0xa345b797, 0x7686279d), TOBN(0x5a723480, 0xe38003d3)}},\n {{TOBN(0xfd8e139f, 0x8f5fcda8), TOBN(0xf3e558c4, 0xbdee5bfd),\n TOBN(0xd76cbaf4, 0xe33f9f77), TOBN(0x3a4c97a4, 0x71771969)},\n {TOBN(0xda27e84b, 0xf6dce6a7), TOBN(0xff373d96, 0x13e6c2d1),\n TOBN(0xf115193c, 0xd759a6e9), TOBN(0x3f9b7025, 0x63d2262c)}},\n {{TOBN(0xd9764a31, 0x317cd062), TOBN(0x30779d8e, 0x199f8332),\n TOBN(0xd8074106, 0x16b11b0b), TOBN(0x7917ab9f, 0x78aeaed8)},\n {TOBN(0xb67a9cbe, 0x28fb1d8e), TOBN(0x2e313563, 0x136eda33),\n TOBN(0x010b7069, 0xa371a86c), TOBN(0x44d90fa2, 0x6744e6b7)}},\n {{TOBN(0x68190867, 0xd6b3e243), TOBN(0x9fe6cd9d, 0x59048c48),\n TOBN(0xb900b028, 0x95731538), TOBN(0xa012062f, 0x32cae04f)},\n {TOBN(0x8107c8bc, 0x9399d082), TOBN(0x47e8c54a, 0x41df12e2),\n TOBN(0x14ba5117, 0xb6ef3f73), TOBN(0x22260bea, 0x81362f0b)}},\n {{TOBN(0x90ea261e, 0x1a18cc20), TOBN(0x2192999f, 0x2321d636),\n TOBN(0xef64d314, 0xe311b6a0), TOBN(0xd7401e4c, 0x3b54a1f5)},\n {TOBN(0x19019983, 0x6fbca2ba), TOBN(0x46ad3293, 0x8fbffc4b),\n TOBN(0xa142d3f6, 0x3786bf40), TOBN(0xeb5cbc26, 0xb67039fc)}},\n {{TOBN(0x9cb0ae6c, 0x252bd479), TOBN(0x05e0f88a, 0x12b5848f),\n TOBN(0x78f6d2b2, 0xa5c97663), TOBN(0x6f6e149b, 0xc162225c)},\n {TOBN(0xe602235c, 0xde601a89), TOBN(0xd17bbe98, 0xf373be1f),\n TOBN(0xcaf49a5b, 0xa8471827), TOBN(0x7e1a0a85, 0x18aaa116)}},\n {{TOBN(0x6c833196, 0x270580c3), TOBN(0x1e233839, 0xf1c98a14),\n TOBN(0x67b2f7b4, 0xae34e0a5), TOBN(0x47ac8745, 0xd8ce7289)},\n {TOBN(0x2b74779a, 0x100dd467), TOBN(0x274a4337, 0x4ee50d09),\n TOBN(0x603dcf13, 0x83608bc9), TOBN(0xcd9da6c3, 0xc89e8388)}},\n {{TOBN(0x2660199f, 0x355116ac), TOBN(0xcc38bb59, 0xb6d18eed),\n TOBN(0x3075f31f, 0x2f4bc071), TOBN(0x9774457f, 0x265dc57e)},\n {TOBN(0x06a6a9c8, 0xc6db88bb), TOBN(0x6429d07f, 0x4ec98e04),\n TOBN(0x8d05e57b, 0x05ecaa8b), TOBN(0x20f140b1, 0x7872ea7b)}},\n {{TOBN(0xdf8c0f09, 0xca494693), TOBN(0x48d3a020, 0xf252e909),\n TOBN(0x4c5c29af, 0x57b14b12), TOBN(0x7e6fa37d, 0xbf47ad1c)},\n {TOBN(0x66e7b506, 0x49a0c938), TOBN(0xb72c0d48, 0x6be5f41f),\n TOBN(0x6a6242b8, 0xb2359412), TOBN(0xcd35c774, 0x8e859480)}},\n {{TOBN(0x12536fea, 0x87baa627), TOBN(0x58c1fec1, 0xf72aa680),\n TOBN(0x6c29b637, 0x601e5dc9), TOBN(0x9e3c3c1c, 0xde9e01b9)},\n {TOBN(0xefc8127b, 0x2bcfe0b0), TOBN(0x35107102, 0x2a12f50d),\n TOBN(0x6ccd6cb1, 0x4879b397), TOBN(0xf792f804, 0xf8a82f21)}},\n {{TOBN(0x509d4804, 0xa9b46402), TOBN(0xedddf85d, 0xc10f0850),\n TOBN(0x928410dc, 0x4b6208aa), TOBN(0xf6229c46, 0x391012dc)},\n {TOBN(0xc5a7c41e, 0x7727b9b6), TOBN(0x289e4e4b, 0xaa444842),\n TOBN(0x049ba1d9, 0xe9a947ea), TOBN(0x44f9e47f, 0x83c8debc)}},\n {{TOBN(0xfa77a1fe, 0x611f8b8e), TOBN(0xfd2e416a, 0xf518f427),\n TOBN(0xc5fffa70, 0x114ebac3), TOBN(0xfe57c4e9, 0x5d89697b)},\n {TOBN(0xfdd053ac, 0xb1aaf613), TOBN(0x31df210f, 0xea585a45),\n TOBN(0x318cc10e, 0x24985034), TOBN(0x1a38efd1, 0x5f1d6130)}},\n {{TOBN(0xbf86f237, 0x0b1e9e21), TOBN(0xb258514d, 0x1dbe88aa),\n TOBN(0x1e38a588, 0x90c1baf9), TOBN(0x2936a01e, 0xbdb9b692)},\n {TOBN(0xd576de98, 0x6dd5b20c), TOBN(0xb586bf71, 0x70f98ecf),\n TOBN(0xcccf0f12, 0xc42d2fd7), TOBN(0x8717e61c, 0xfb35bd7b)}},\n {{TOBN(0x8b1e5722, 0x35e6fc06), TOBN(0x3477728f, 0x0b3e13d5),\n TOBN(0x150c294d, 0xaa8a7372), TOBN(0xc0291d43, 0x3bfa528a)},\n {TOBN(0xc6c8bc67, 0xcec5a196), TOBN(0xdeeb31e4, 0x5c2e8a7c),\n TOBN(0xba93e244, 0xfb6e1c51), TOBN(0xb9f8b71b, 0x2e28e156)}},\n {{TOBN(0xce65a287, 0x968a2ab9), TOBN(0xe3c5ce69, 0x46bbcb1f),\n TOBN(0xf8c835b9, 0xe7ae3f30), TOBN(0x16bbee26, 0xff72b82b)},\n {TOBN(0x665e2017, 0xfd42cd22), TOBN(0x1e139970, 0xf8b1d2a0),\n TOBN(0x125cda29, 0x79204932), TOBN(0x7aee94a5, 0x49c3bee5)}},\n {{TOBN(0x68c70160, 0x89821a66), TOBN(0xf7c37678, 0x8f981669),\n TOBN(0xd90829fc, 0x48cc3645), TOBN(0x346af049, 0xd70addfc)},\n {TOBN(0x2057b232, 0x370bf29c), TOBN(0xf90c73ce, 0x42e650ee),\n TOBN(0xe03386ea, 0xa126ab90), TOBN(0x0e266e7e, 0x975a087b)}},\n {{TOBN(0x80578eb9, 0x0fca65d9), TOBN(0x7e2989ea, 0x16af45b8),\n TOBN(0x7438212d, 0xcac75a4e), TOBN(0x38c7ca39, 0x4fef36b8)},\n {TOBN(0x8650c494, 0xd402676a), TOBN(0x26ab5a66, 0xf72c7c48),\n TOBN(0x4e6cb426, 0xce3a464e), TOBN(0xf8f99896, 0x2b72f841)}},\n {{TOBN(0x8c318491, 0x1a335cc8), TOBN(0x563459ba, 0x6a5913e4),\n TOBN(0x1b920d61, 0xc7b32919), TOBN(0x805ab8b6, 0xa02425ad)},\n {TOBN(0x2ac512da, 0x8d006086), TOBN(0x6ca4846a, 0xbcf5c0fd),\n TOBN(0xafea51d8, 0xac2138d7), TOBN(0xcb647545, 0x344cd443)}},\n {{TOBN(0x0429ee8f, 0xbd7d9040), TOBN(0xee66a2de, 0x819b9c96),\n TOBN(0x54f9ec25, 0xdea7d744), TOBN(0x2ffea642, 0x671721bb)},\n {TOBN(0x4f19dbd1, 0x114344ea), TOBN(0x04304536, 0xfd0dbc8b),\n TOBN(0x014b50aa, 0x29ec7f91), TOBN(0xb5fc22fe, 0xbb06014d)}},\n {{TOBN(0x60d963a9, 0x1ee682e0), TOBN(0xdf48abc0, 0xfe85c727),\n TOBN(0x0cadba13, 0x2e707c2d), TOBN(0xde608d3a, 0xa645aeff)},\n {TOBN(0x05f1c28b, 0xedafd883), TOBN(0x3c362ede, 0xbd94de1f),\n TOBN(0x8dd0629d, 0x13593e41), TOBN(0x0a5e736f, 0x766d6eaf)}},\n {{TOBN(0xbfa92311, 0xf68cf9d1), TOBN(0xa4f9ef87, 0xc1797556),\n TOBN(0x10d75a1f, 0x5601c209), TOBN(0x651c374c, 0x09b07361)},\n {TOBN(0x49950b58, 0x88b5cead), TOBN(0x0ef00058, 0x6fa9dbaa),\n TOBN(0xf51ddc26, 0x4e15f33a), TOBN(0x1f8b5ca6, 0x2ef46140)}},\n {{TOBN(0x343ac0a3, 0xee9523f0), TOBN(0xbb75eab2, 0x975ea978),\n TOBN(0x1bccf332, 0x107387f4), TOBN(0x790f9259, 0x9ab0062e)},\n {TOBN(0xf1a363ad, 0x1e4f6a5f), TOBN(0x06e08b84, 0x62519a50),\n TOBN(0x60915187, 0x7265f1ee), TOBN(0x6a80ca34, 0x93ae985e)}},\n {{TOBN(0x81b29768, 0xaaba4864), TOBN(0xb13cabf2, 0x8d52a7d6),\n TOBN(0xb5c36348, 0x8ead03f1), TOBN(0xc932ad95, 0x81c7c1c0)},\n {TOBN(0x5452708e, 0xcae1e27b), TOBN(0x9dac4269, 0x1b0df648),\n TOBN(0x233e3f0c, 0xdfcdb8bc), TOBN(0xe6ceccdf, 0xec540174)}},\n {{TOBN(0xbd0d845e, 0x95081181), TOBN(0xcc8a7920, 0x699355d5),\n TOBN(0x111c0f6d, 0xc3b375a8), TOBN(0xfd95bc6b, 0xfd51e0dc)},\n {TOBN(0x4a106a26, 0x6888523a), TOBN(0x4d142bd6, 0xcb01a06d),\n TOBN(0x79bfd289, 0xadb9b397), TOBN(0x0bdbfb94, 0xe9863914)}},\n {{TOBN(0x29d8a229, 0x1660f6a6), TOBN(0x7f6abcd6, 0x551c042d),\n TOBN(0x13039deb, 0x0ac3ffe8), TOBN(0xa01be628, 0xec8523fb)},\n {TOBN(0x6ea34103, 0x0ca1c328), TOBN(0xc74114bd, 0xb903928e),\n TOBN(0x8aa4ff4e, 0x9e9144b0), TOBN(0x7064091f, 0x7f9a4b17)}},\n {{TOBN(0xa3f4f521, 0xe447f2c4), TOBN(0x81b8da7a, 0x604291f0),\n TOBN(0xd680bc46, 0x7d5926de), TOBN(0x84f21fd5, 0x34a1202f)},\n {TOBN(0x1d1e3181, 0x4e9df3d8), TOBN(0x1ca4861a, 0x39ab8d34),\n TOBN(0x809ddeec, 0x5b19aa4a), TOBN(0x59f72f7e, 0x4d329366)}},\n {{TOBN(0xa2f93f41, 0x386d5087), TOBN(0x40bf739c, 0xdd67d64f),\n TOBN(0xb4494205, 0x66702158), TOBN(0xc33c65be, 0x73b1e178)},\n {TOBN(0xcdcd657c, 0x38ca6153), TOBN(0x97f4519a, 0xdc791976),\n TOBN(0xcc7c7f29, 0xcd6e1f39), TOBN(0x38de9cfb, 0x7e3c3932)}},\n {{TOBN(0xe448eba3, 0x7b793f85), TOBN(0xe9f8dbf9, 0xf067e914),\n TOBN(0xc0390266, 0xf114ae87), TOBN(0x39ed75a7, 0xcd6a8e2a)},\n {TOBN(0xadb14848, 0x7ffba390), TOBN(0x67f8cb8b, 0x6af9bc09),\n TOBN(0x322c3848, 0x9c7476db), TOBN(0xa320fecf, 0x52a538d6)}},\n {{TOBN(0xe0493002, 0xb2aced2b), TOBN(0xdfba1809, 0x616bd430),\n TOBN(0x531c4644, 0xc331be70), TOBN(0xbc04d32e, 0x90d2e450)},\n {TOBN(0x1805a0d1, 0x0f9f142d), TOBN(0x2c44a0c5, 0x47ee5a23),\n TOBN(0x31875a43, 0x3989b4e3), TOBN(0x6b1949fd, 0x0c063481)}},\n {{TOBN(0x2dfb9e08, 0xbe0f4492), TOBN(0x3ff0da03, 0xe9d5e517),\n TOBN(0x03dbe9a1, 0xf79466a8), TOBN(0x0b87bcd0, 0x15ea9932)},\n {TOBN(0xeb64fc83, 0xab1f58ab), TOBN(0x6d9598da, 0x817edc8a),\n TOBN(0x699cff66, 0x1d3b67e5), TOBN(0x645c0f29, 0x92635853)}},\n {{TOBN(0x253cdd82, 0xeabaf21c), TOBN(0x82b9602a, 0x2241659e),\n TOBN(0x2cae07ec, 0x2d9f7091), TOBN(0xbe4c720c, 0x8b48cd9b)},\n {TOBN(0x6ce5bc03, 0x6f08d6c9), TOBN(0x36e8a997, 0xaf10bf40),\n TOBN(0x83422d21, 0x3e10ff12), TOBN(0x7b26d3eb, 0xbcc12494)}},\n {{TOBN(0xb240d2d0, 0xc9469ad6), TOBN(0xc4a11b4d, 0x30afa05b),\n TOBN(0x4b604ace, 0xdd6ba286), TOBN(0x18486600, 0x3ee2864c)},\n {TOBN(0x5869d6ba, 0x8d9ce5be), TOBN(0x0d8f68c5, 0xff4bfb0d),\n TOBN(0xb69f210b, 0x5700cf73), TOBN(0x61f6653a, 0x6d37c135)}},\n {{TOBN(0xff3d432b, 0x5aff5a48), TOBN(0x0d81c4b9, 0x72ba3a69),\n TOBN(0xee879ae9, 0xfa1899ef), TOBN(0xbac7e2a0, 0x2d6acafd)},\n {TOBN(0xd6d93f6c, 0x1c664399), TOBN(0x4c288de1, 0x5bcb135d),\n TOBN(0x83031dab, 0x9dab7cbf), TOBN(0xfe23feb0, 0x3abbf5f0)}},\n {{TOBN(0x9f1b2466, 0xcdedca85), TOBN(0x140bb710, 0x1a09538c),\n TOBN(0xac8ae851, 0x5e11115d), TOBN(0x0d63ff67, 0x6f03f59e)},\n {TOBN(0x755e5551, 0x7d234afb), TOBN(0x61c2db4e, 0x7e208fc1),\n TOBN(0xaa9859ce, 0xf28a4b5d), TOBN(0xbdd6d4fc, 0x34af030f)}},\n {{TOBN(0xd1c4a26d, 0x3be01cb1), TOBN(0x9ba14ffc, 0x243aa07c),\n TOBN(0xf95cd3a9, 0xb2503502), TOBN(0xe379bc06, 0x7d2a93ab)},\n {TOBN(0x3efc18e9, 0xd4ca8d68), TOBN(0x083558ec, 0x80bb412a),\n TOBN(0xd903b940, 0x9645a968), TOBN(0xa499f0b6, 0x9ba6054f)}},\n {{TOBN(0x208b573c, 0xb8349abe), TOBN(0x3baab3e5, 0x30b4fc1c),\n TOBN(0x87e978ba, 0xcb524990), TOBN(0x3524194e, 0xccdf0e80)},\n {TOBN(0x62711725, 0x7d4bcc42), TOBN(0xe90a3d9b, 0xb90109ba),\n TOBN(0x3b1bdd57, 0x1323e1e0), TOBN(0xb78e9bd5, 0x5eae1599)}},\n {{TOBN(0x0794b746, 0x9e03d278), TOBN(0x80178605, 0xd70e6297),\n TOBN(0x171792f8, 0x99c97855), TOBN(0x11b393ee, 0xf5a86b5c)},\n {TOBN(0x48ef6582, 0xd8884f27), TOBN(0xbd44737a, 0xbf19ba5f),\n TOBN(0x8698de4c, 0xa42062c6), TOBN(0x8975eb80, 0x61ce9c54)}},\n {{TOBN(0xd50e57c7, 0xd7fe71f3), TOBN(0x15342190, 0xbc97ce38),\n TOBN(0x51bda2de, 0x4df07b63), TOBN(0xba12aeae, 0x200eb87d)},\n {TOBN(0xabe135d2, 0xa9b4f8f6), TOBN(0x04619d65, 0xfad6d99c),\n TOBN(0x4a6683a7, 0x7994937c), TOBN(0x7a778c8b, 0x6f94f09a)}},\n {{TOBN(0x8c508623, 0x20a71b89), TOBN(0x241a2aed, 0x1c229165),\n TOBN(0x352be595, 0xaaf83a99), TOBN(0x9fbfee7f, 0x1562bac8)},\n {TOBN(0xeaf658b9, 0x5c4017e3), TOBN(0x1dc7f9e0, 0x15120b86),\n TOBN(0xd84f13dd, 0x4c034d6f), TOBN(0x283dd737, 0xeaea3038)}},\n {{TOBN(0x197f2609, 0xcd85d6a2), TOBN(0x6ebbc345, 0xfae60177),\n TOBN(0xb80f031b, 0x4e12fede), TOBN(0xde55d0c2, 0x07a2186b)},\n {TOBN(0x1fb3e37f, 0x24dcdd5a), TOBN(0x8d602da5, 0x7ed191fb),\n TOBN(0x108fb056, 0x76023e0d), TOBN(0x70178c71, 0x459c20c0)}},\n {{TOBN(0xfad5a386, 0x3fe54cf0), TOBN(0xa4a3ec4f, 0x02bbb475),\n TOBN(0x1aa5ec20, 0x919d94d7), TOBN(0x5d3b63b5, 0xa81e4ab3)},\n {TOBN(0x7fa733d8, 0x5ad3d2af), TOBN(0xfbc586dd, 0xd1ac7a37),\n TOBN(0x282925de, 0x40779614), TOBN(0xfe0ffffb, 0xe74a242a)}},\n {{TOBN(0x3f39e67f, 0x906151e5), TOBN(0xcea27f5f, 0x55e10649),\n TOBN(0xdca1d4e1, 0xc17cf7b7), TOBN(0x0c326d12, 0x2fe2362d)},\n {TOBN(0x05f7ac33, 0x7dd35df3), TOBN(0x0c3b7639, 0xc396dbdf),\n TOBN(0x0912f5ac, 0x03b7db1c), TOBN(0x9dea4b70, 0x5c9ed4a9)}},\n {{TOBN(0x475e6e53, 0xaae3f639), TOBN(0xfaba0e7c, 0xfc278bac),\n TOBN(0x16f9e221, 0x9490375f), TOBN(0xaebf9746, 0xa5a7ed0a)},\n {TOBN(0x45f9af3f, 0xf41ad5d6), TOBN(0x03c4623c, 0xb2e99224),\n TOBN(0x82c5bb5c, 0xb3cf56aa), TOBN(0x64311819, 0x34567ed3)}},\n {{TOBN(0xec57f211, 0x8be489ac), TOBN(0x2821895d, 0xb9a1104b),\n TOBN(0x610dc875, 0x6064e007), TOBN(0x8e526f3f, 0x5b20d0fe)},\n {TOBN(0x6e71ca77, 0x5b645aee), TOBN(0x3d1dcb9f, 0x800e10ff),\n TOBN(0x36b51162, 0x189cf6de), TOBN(0x2c5a3e30, 0x6bb17353)}},\n {{TOBN(0xc186cd3e, 0x2a6c6fbf), TOBN(0xa74516fa, 0x4bf97906),\n TOBN(0x5b4b8f4b, 0x279d6901), TOBN(0x0c4e57b4, 0x2b573743)},\n {TOBN(0x75fdb229, 0xb6e386b6), TOBN(0xb46793fd, 0x99deac27),\n TOBN(0xeeec47ea, 0xcf712629), TOBN(0xe965f3c4, 0xcbc3b2dd)}},\n {{TOBN(0x8dd1fb83, 0x425c6559), TOBN(0x7fc00ee6, 0x0af06fda),\n TOBN(0xe98c9225, 0x33d956df), TOBN(0x0f1ef335, 0x4fbdc8a2)},\n {TOBN(0x2abb5145, 0xb79b8ea2), TOBN(0x40fd2945, 0xbdbff288),\n TOBN(0x6a814ac4, 0xd7185db7), TOBN(0xc4329d6f, 0xc084609a)}},\n {{TOBN(0xc9ba7b52, 0xed1be45d), TOBN(0x891dd20d, 0xe4cd2c74),\n TOBN(0x5a4d4a7f, 0x824139b1), TOBN(0x66c17716, 0xb873c710)},\n {TOBN(0x5e5bc141, 0x2843c4e0), TOBN(0xd5ac4817, 0xb97eb5bf),\n TOBN(0xc0f8af54, 0x450c95c7), TOBN(0xc91b3fa0, 0x318406c5)}},\n {{TOBN(0x360c340a, 0xab9d97f8), TOBN(0xfb57bd07, 0x90a2d611),\n TOBN(0x4339ae3c, 0xa6a6f7e5), TOBN(0x9c1fcd2a, 0x2feb8a10)},\n {TOBN(0x972bcca9, 0xc7ea7432), TOBN(0x1b0b924c, 0x308076f6),\n TOBN(0x80b2814a, 0x2a5b4ca5), TOBN(0x2f78f55b, 0x61ef3b29)}},\n {{TOBN(0xf838744a, 0xc18a414f), TOBN(0xc611eaae, 0x903d0a86),\n TOBN(0x94dabc16, 0x2a453f55), TOBN(0xe6f2e3da, 0x14efb279)},\n {TOBN(0x5b7a6017, 0x9320dc3c), TOBN(0x692e382f, 0x8df6b5a4),\n TOBN(0x3f5e15e0, 0x2d40fa90), TOBN(0xc87883ae, 0x643dd318)}},\n {{TOBN(0x511053e4, 0x53544774), TOBN(0x834d0ecc, 0x3adba2bc),\n TOBN(0x4215d7f7, 0xbae371f5), TOBN(0xfcfd57bf, 0x6c8663bc)},\n {TOBN(0xded2383d, 0xd6901b1d), TOBN(0x3b49fbb4, 0xb5587dc3),\n TOBN(0xfd44a08d, 0x07625f62), TOBN(0x3ee4d65b, 0x9de9b762)}}},\n {{{TOBN(0x64e5137d, 0x0d63d1fa), TOBN(0x658fc052, 0x02a9d89f),\n TOBN(0x48894874, 0x50436309), TOBN(0xe9ae30f8, 0xd598da61)},\n {TOBN(0x2ed710d1, 0x818baf91), TOBN(0xe27e9e06, 0x8b6a0c20),\n TOBN(0x1e28dcfb, 0x1c1a6b44), TOBN(0x883acb64, 0xd6ac57dc)}},\n {{TOBN(0x8735728d, 0xc2c6ff70), TOBN(0x79d6122f, 0xc5dc2235),\n TOBN(0x23f5d003, 0x19e277f9), TOBN(0x7ee84e25, 0xdded8cc7)},\n {TOBN(0x91a8afb0, 0x63cd880a), TOBN(0x3f3ea7c6, 0x3574af60),\n TOBN(0x0cfcdc84, 0x02de7f42), TOBN(0x62d0792f, 0xb31aa152)}},\n {{TOBN(0x8e1b4e43, 0x8a5807ce), TOBN(0xad283893, 0xe4109a7e),\n TOBN(0xc30cc9cb, 0xafd59dda), TOBN(0xf65f36c6, 0x3d8d8093)},\n {TOBN(0xdf31469e, 0xa60d32b2), TOBN(0xee93df4b, 0x3e8191c8),\n TOBN(0x9c1017c5, 0x355bdeb5), TOBN(0xd2623185, 0x8616aa28)}},\n {{TOBN(0xb02c83f9, 0xdec31a21), TOBN(0x988c8b23, 0x6ad9d573),\n TOBN(0x53e983ae, 0xa57be365), TOBN(0xe968734d, 0x646f834e)},\n {TOBN(0x9137ea8f, 0x5da6309b), TOBN(0x10f3a624, 0xc1f1ce16),\n TOBN(0x782a9ea2, 0xca440921), TOBN(0xdf94739e, 0x5b46f1b5)}},\n {{TOBN(0x9f9be006, 0xcce85c9b), TOBN(0x360e70d6, 0xa4c7c2d3),\n TOBN(0x2cd5beea, 0xaefa1e60), TOBN(0x64cf63c0, 0x8c3d2b6d)},\n {TOBN(0xfb107fa3, 0xe1cf6f90), TOBN(0xb7e937c6, 0xd5e044e6),\n TOBN(0x74e8ca78, 0xce34db9f), TOBN(0x4f8b36c1, 0x3e210bd0)}},\n {{TOBN(0x1df165a4, 0x34a35ea8), TOBN(0x3418e0f7, 0x4d4412f6),\n TOBN(0x5af1f8af, 0x518836c3), TOBN(0x42ceef4d, 0x130e1965)},\n {TOBN(0x5560ca0b, 0x543a1957), TOBN(0xc33761e5, 0x886cb123),\n TOBN(0x66624b1f, 0xfe98ed30), TOBN(0xf772f4bf, 0x1090997d)}},\n {{TOBN(0xf4e540bb, 0x4885d410), TOBN(0x7287f810, 0x9ba5f8d7),\n TOBN(0x22d0d865, 0xde98dfb1), TOBN(0x49ff51a1, 0xbcfbb8a3)},\n {TOBN(0xb6b6fa53, 0x6bc3012e), TOBN(0x3d31fd72, 0x170d541d),\n TOBN(0x8018724f, 0x4b0f4966), TOBN(0x79e7399f, 0x87dbde07)}},\n {{TOBN(0x56f8410e, 0xf4f8b16a), TOBN(0x97241afe, 0xc47b266a),\n TOBN(0x0a406b8e, 0x6d9c87c1), TOBN(0x803f3e02, 0xcd42ab1b)},\n {TOBN(0x7f0309a8, 0x04dbec69), TOBN(0xa83b85f7, 0x3bbad05f),\n TOBN(0xc6097273, 0xad8e197f), TOBN(0xc097440e, 0x5067adc1)}},\n {{TOBN(0x730eafb6, 0x3524ff16), TOBN(0xd7f9b51e, 0x823fc6ce),\n TOBN(0x27bd0d32, 0x443e4ac0), TOBN(0x40c59ad9, 0x4d66f217)},\n {TOBN(0x6c33136f, 0x17c387a4), TOBN(0x5043b8d5, 0xeb86804d),\n TOBN(0x74970312, 0x675a73c9), TOBN(0x838fdb31, 0xf16669b6)}},\n {{TOBN(0xc507b6dd, 0x418e7ddd), TOBN(0x39888d93, 0x472f19d6),\n TOBN(0x7eae26be, 0x0c27eb4d), TOBN(0x17b53ed3, 0xfbabb884)},\n {TOBN(0xfc27021b, 0x2b01ae4f), TOBN(0x88462e87, 0xcf488682),\n TOBN(0xbee096ec, 0x215e2d87), TOBN(0xeb2fea9a, 0xd242e29b)}},\n {{TOBN(0x5d985b5f, 0xb821fc28), TOBN(0x89d2e197, 0xdc1e2ad2),\n TOBN(0x55b566b8, 0x9030ba62), TOBN(0xe3fd41b5, 0x4f41b1c6)},\n {TOBN(0xb738ac2e, 0xb9a96d61), TOBN(0x7f8567ca, 0x369443f4),\n TOBN(0x8698622d, 0xf803a440), TOBN(0x2b586236, 0x8fe2f4dc)}},\n {{TOBN(0xbbcc00c7, 0x56b95bce), TOBN(0x5ec03906, 0x616da680),\n TOBN(0x79162ee6, 0x72214252), TOBN(0x43132b63, 0x86a892d2)},\n {TOBN(0x4bdd3ff2, 0x2f3263bf), TOBN(0xd5b3733c, 0x9cd0a142),\n TOBN(0x592eaa82, 0x44415ccb), TOBN(0x663e8924, 0x8d5474ea)}},\n {{TOBN(0x8058a25e, 0x5236344e), TOBN(0x82e8df9d, 0xbda76ee6),\n TOBN(0xdcf6efd8, 0x11cc3d22), TOBN(0x00089cda, 0x3b4ab529)},\n {TOBN(0x91d3a071, 0xbd38a3db), TOBN(0x4ea97fc0, 0xef72b925),\n TOBN(0x0c9fc15b, 0xea3edf75), TOBN(0x5a6297cd, 0xa4348ed3)}},\n {{TOBN(0x0d38ab35, 0xce7c42d4), TOBN(0x9fd493ef, 0x82feab10),\n TOBN(0x46056b6d, 0x82111b45), TOBN(0xda11dae1, 0x73efc5c3)},\n {TOBN(0xdc740278, 0x5545a7fb), TOBN(0xbdb2601c, 0x40d507e6),\n TOBN(0x121dfeeb, 0x7066fa58), TOBN(0x214369a8, 0x39ae8c2a)}},\n {{TOBN(0x195709cb, 0x06e0956c), TOBN(0x4c9d254f, 0x010cd34b),\n TOBN(0xf51e13f7, 0x0471a532), TOBN(0xe19d6791, 0x1e73054d)},\n {TOBN(0xf702a628, 0xdb5c7be3), TOBN(0xc7141218, 0xb24dde05),\n TOBN(0xdc18233c, 0xf29b2e2e), TOBN(0x3a6bd1e8, 0x85342dba)}},\n {{TOBN(0x3f747fa0, 0xb311898c), TOBN(0xe2a272e4, 0xcd0eac65),\n TOBN(0x4bba5851, 0xf914d0bc), TOBN(0x7a1a9660, 0xc4a43ee3)},\n {TOBN(0xe5a367ce, 0xa1c8cde9), TOBN(0x9d958ba9, 0x7271abe3),\n TOBN(0xf3ff7eb6, 0x3d1615cd), TOBN(0xa2280dce, 0xf5ae20b0)}},\n {{TOBN(0x56dba5c1, 0xcf640147), TOBN(0xea5a2e3d, 0x5e83d118),\n TOBN(0x04cd6b6d, 0xda24c511), TOBN(0x1c0f4671, 0xe854d214)},\n {TOBN(0x91a6b7a9, 0x69565381), TOBN(0xdc966240, 0xdecf1f5b),\n TOBN(0x1b22d21c, 0xfcf5d009), TOBN(0x2a05f641, 0x9021dbd5)}},\n {{TOBN(0x8c0ed566, 0xd4312483), TOBN(0x5179a95d, 0x643e216f),\n TOBN(0xcc185fec, 0x17044493), TOBN(0xb3063339, 0x54991a21)},\n {TOBN(0xd801ecdb, 0x0081a726), TOBN(0x0149b0c6, 0x4fa89bbb),\n TOBN(0xafe9065a, 0x4391b6b9), TOBN(0xedc92786, 0xd633f3a3)}},\n {{TOBN(0xe408c24a, 0xae6a8e13), TOBN(0x85833fde, 0x9f3897ab),\n TOBN(0x43800e7e, 0xd81a0715), TOBN(0xde08e346, 0xb44ffc5f)},\n {TOBN(0x7094184c, 0xcdeff2e0), TOBN(0x49f9387b, 0x165eaed1),\n TOBN(0x635d6129, 0x777c468a), TOBN(0x8c0dcfd1, 0x538c2dd8)}},\n {{TOBN(0xd6d9d9e3, 0x7a6a308b), TOBN(0x62375830, 0x4c2767d3),\n TOBN(0x874a8bc6, 0xf38cbeb6), TOBN(0xd94d3f1a, 0xccb6fd9e)},\n {TOBN(0x92a9735b, 0xba21f248), TOBN(0x272ad0e5, 0x6cd1efb0),\n TOBN(0x7437b69c, 0x05b03284), TOBN(0xe7f04702, 0x6948c225)}},\n {{TOBN(0x8a56c04a, 0xcba2ecec), TOBN(0x0c181270, 0xe3a73e41),\n TOBN(0x6cb34e9d, 0x03e93725), TOBN(0xf77c8713, 0x496521a9)},\n {TOBN(0x94569183, 0xfa7f9f90), TOBN(0xf2e7aa4c, 0x8c9707ad),\n TOBN(0xced2c9ba, 0x26c1c9a3), TOBN(0x9109fe96, 0x40197507)}},\n {{TOBN(0x9ae868a9, 0xe9adfe1c), TOBN(0x3984403d, 0x314e39bb),\n TOBN(0xb5875720, 0xf2fe378f), TOBN(0x33f901e0, 0xba44a628)},\n {TOBN(0xea1125fe, 0x3652438c), TOBN(0xae9ec4e6, 0x9dd1f20b),\n TOBN(0x1e740d9e, 0xbebf7fbd), TOBN(0x6dbd3ddc, 0x42dbe79c)}},\n {{TOBN(0x62082aec, 0xedd36776), TOBN(0xf612c478, 0xe9859039),\n TOBN(0xa493b201, 0x032f7065), TOBN(0xebd4d8f2, 0x4ff9b211)},\n {TOBN(0x3f23a0aa, 0xaac4cb32), TOBN(0xea3aadb7, 0x15ed4005),\n TOBN(0xacf17ea4, 0xafa27e63), TOBN(0x56125c1a, 0xc11fd66c)}},\n {{TOBN(0x266344a4, 0x3794f8dc), TOBN(0xdcca923a, 0x483c5c36),\n TOBN(0x2d6b6bbf, 0x3f9d10a0), TOBN(0xb320c5ca, 0x81d9bdf3)},\n {TOBN(0x620e28ff, 0x47b50a95), TOBN(0x933e3b01, 0xcef03371),\n TOBN(0xf081bf85, 0x99100153), TOBN(0x183be9a0, 0xc3a8c8d6)}},\n {{TOBN(0x4e3ddc5a, 0xd6bbe24d), TOBN(0xc6c74630, 0x53843795),\n TOBN(0x78193dd7, 0x65ec2d4c), TOBN(0xb8df26cc, 0xcd3c89b2)},\n {TOBN(0x98dbe399, 0x5a483f8d), TOBN(0x72d8a957, 0x7dd3313a),\n TOBN(0x65087294, 0xab0bd375), TOBN(0xfcd89248, 0x7c259d16)}},\n {{TOBN(0x8a9443d7, 0x7613aa81), TOBN(0x80100800, 0x85fe6584),\n TOBN(0x70fc4dbc, 0x7fb10288), TOBN(0xf58280d3, 0xe86beee8)},\n {TOBN(0x14fdd82f, 0x7c978c38), TOBN(0xdf1204c1, 0x0de44d7b),\n TOBN(0xa08a1c84, 0x4160252f), TOBN(0x591554ca, 0xc17646a5)}},\n {{TOBN(0x214a37d6, 0xa05bd525), TOBN(0x48d5f09b, 0x07957b3c),\n TOBN(0x0247cdcb, 0xd7109bc9), TOBN(0x40f9e4bb, 0x30599ce7)},\n {TOBN(0xc325fa03, 0xf46ad2ec), TOBN(0x00f766cf, 0xc3e3f9ee),\n TOBN(0xab556668, 0xd43a4577), TOBN(0x68d30a61, 0x3ee03b93)}},\n {{TOBN(0x7ddc81ea, 0x77b46a08), TOBN(0xcf5a6477, 0xc7480699),\n TOBN(0x43a8cb34, 0x6633f683), TOBN(0x1b867e6b, 0x92363c60)},\n {TOBN(0x43921114, 0x1f60558e), TOBN(0xcdbcdd63, 0x2f41450e),\n TOBN(0x7fc04601, 0xcc630e8b), TOBN(0xea7c66d5, 0x97038b43)}},\n {{TOBN(0x7259b8a5, 0x04e99fd8), TOBN(0x98a8dd12, 0x4785549a),\n TOBN(0x0e459a7c, 0x840552e1), TOBN(0xcdfcf4d0, 0x4bb0909e)},\n {TOBN(0x34a86db2, 0x53758da7), TOBN(0xe643bb83, 0xeac997e1),\n TOBN(0x96400bd7, 0x530c5b7e), TOBN(0x9f97af87, 0xb41c8b52)}},\n {{TOBN(0x34fc8820, 0xfbeee3f9), TOBN(0x93e53490, 0x49091afd),\n TOBN(0x764b9be5, 0x9a31f35c), TOBN(0x71f37864, 0x57e3d924)},\n {TOBN(0x02fb34e0, 0x943aa75e), TOBN(0xa18c9c58, 0xab8ff6e4),\n TOBN(0x080f31b1, 0x33cf0d19), TOBN(0x5c9682db, 0x083518a7)}},\n {{TOBN(0x873d4ca6, 0xb709c3de), TOBN(0x64a84262, 0x3575b8f0),\n TOBN(0x6275da1f, 0x020154bb), TOBN(0x97678caa, 0xd17cf1ab)},\n {TOBN(0x8779795f, 0x951a95c3), TOBN(0xdd35b163, 0x50fccc08),\n TOBN(0x32709627, 0x33d8f031), TOBN(0x3c5ab10a, 0x498dd85c)}},\n {{TOBN(0xb6c185c3, 0x41dca566), TOBN(0x7de7feda, 0xd8622aa3),\n TOBN(0x99e84d92, 0x901b6dfb), TOBN(0x30a02b0e, 0x7c4ad288)},\n {TOBN(0xc7c81daa, 0x2fd3cf36), TOBN(0xd1319547, 0xdf89e59f),\n TOBN(0xb2be8184, 0xcd496733), TOBN(0xd5f449eb, 0x93d3412b)}},\n {{TOBN(0x7ea41b1b, 0x25fe531d), TOBN(0xf9797432, 0x6a1d5646),\n TOBN(0x86067f72, 0x2bde501a), TOBN(0xf91481c0, 0x0c85e89c)},\n {TOBN(0xca8ee465, 0xf8b05bc6), TOBN(0x1844e1cf, 0x02e83cda),\n TOBN(0xca82114a, 0xb4dbe33b), TOBN(0x0f9f8769, 0x4eabfde2)}},\n {{TOBN(0x4936b1c0, 0x38b27fe2), TOBN(0x63b6359b, 0xaba402df),\n TOBN(0x40c0ea2f, 0x656bdbab), TOBN(0x9c992a89, 0x6580c39c)},\n {TOBN(0x600e8f15, 0x2a60aed1), TOBN(0xeb089ca4, 0xe0bf49df),\n TOBN(0x9c233d7d, 0x2d42d99a), TOBN(0x648d3f95, 0x4c6bc2fa)}},\n {{TOBN(0xdcc383a8, 0xe1add3f3), TOBN(0xf42c0c6a, 0x4f64a348),\n TOBN(0x2abd176f, 0x0030dbdb), TOBN(0x4de501a3, 0x7d6c215e)},\n {TOBN(0x4a107c1f, 0x4b9a64bc), TOBN(0xa77f0ad3, 0x2496cd59),\n TOBN(0xfb78ac62, 0x7688dffb), TOBN(0x7025a2ca, 0x67937d8e)}},\n {{TOBN(0xfde8b2d1, 0xd1a8f4e7), TOBN(0xf5b3da47, 0x7354927c),\n TOBN(0xe48606a3, 0xd9205735), TOBN(0xac477cc6, 0xe177b917)},\n {TOBN(0xfb1f73d2, 0xa883239a), TOBN(0xe12572f6, 0xcc8b8357),\n TOBN(0x9d355e9c, 0xfb1f4f86), TOBN(0x89b795f8, 0xd9f3ec6e)}},\n {{TOBN(0x27be56f1, 0xb54398dc), TOBN(0x1890efd7, 0x3fedeed5),\n TOBN(0x62f77f1f, 0x9c6d0140), TOBN(0x7ef0e314, 0x596f0ee4)},\n {TOBN(0x50ca6631, 0xcc61dab3), TOBN(0x4a39801d, 0xf4866e4f),\n TOBN(0x66c8d032, 0xae363b39), TOBN(0x22c591e5, 0x2ead66aa)}},\n {{TOBN(0x954ba308, 0xde02a53e), TOBN(0x2a6c060f, 0xd389f357),\n TOBN(0xe6cfcde8, 0xfbf40b66), TOBN(0x8e02fc56, 0xc6340ce1)},\n {TOBN(0xe4957795, 0x73adb4ba), TOBN(0x7b86122c, 0xa7b03805),\n TOBN(0x63f83512, 0x0c8e6fa6), TOBN(0x83660ea0, 0x057d7804)}},\n {{TOBN(0xbad79105, 0x21ba473c), TOBN(0xb6c50bee, 0xded5389d),\n TOBN(0xee2caf4d, 0xaa7c9bc0), TOBN(0xd97b8de4, 0x8c4e98a7)},\n {TOBN(0xa9f63e70, 0xab3bbddb), TOBN(0x3898aabf, 0x2597815a),\n TOBN(0x7659af89, 0xac15b3d9), TOBN(0xedf7725b, 0x703ce784)}},\n {{TOBN(0x25470fab, 0xe085116b), TOBN(0x04a43375, 0x87285310),\n TOBN(0x4e39187e, 0xe2bfd52f), TOBN(0x36166b44, 0x7d9ebc74)},\n {TOBN(0x92ad433c, 0xfd4b322c), TOBN(0x726aa817, 0xba79ab51),\n TOBN(0xf96eacd8, 0xc1db15eb), TOBN(0xfaf71e91, 0x0476be63)}},\n {{TOBN(0xdd69a640, 0x641fad98), TOBN(0xb7995918, 0x29622559),\n TOBN(0x03c6daa5, 0xde4199dc), TOBN(0x92cadc97, 0xad545eb4)},\n {TOBN(0x1028238b, 0x256534e4), TOBN(0x73e80ce6, 0x8595409a),\n TOBN(0x690d4c66, 0xd05dc59b), TOBN(0xc95f7b8f, 0x981dee80)}},\n {{TOBN(0xf4337014, 0xd856ac25), TOBN(0x441bd9dd, 0xac524dca),\n TOBN(0x640b3d85, 0x5f0499f5), TOBN(0x39cf84a9, 0xd5fda182)},\n {TOBN(0x04e7b055, 0xb2aa95a0), TOBN(0x29e33f0a, 0x0ddf1860),\n TOBN(0x082e74b5, 0x423f6b43), TOBN(0x217edeb9, 0x0aaa2b0f)}},\n {{TOBN(0x58b83f35, 0x83cbea55), TOBN(0xc485ee4d, 0xbc185d70),\n TOBN(0x833ff03b, 0x1e5f6992), TOBN(0xb5b9b9cc, 0xcf0c0dd5)},\n {TOBN(0x7caaee8e, 0x4e9e8a50), TOBN(0x462e907b, 0x6269dafd),\n TOBN(0x6ed5cee9, 0xfbe791c6), TOBN(0x68ca3259, 0xed430790)}},\n {{TOBN(0x2b72bdf2, 0x13b5ba88), TOBN(0x60294c8a, 0x35ef0ac4),\n TOBN(0x9c3230ed, 0x19b99b08), TOBN(0x560fff17, 0x6c2589aa)},\n {TOBN(0x552b8487, 0xd6770374), TOBN(0xa373202d, 0x9a56f685),\n TOBN(0xd3e7f907, 0x45f175d9), TOBN(0x3c2f315f, 0xd080d810)}},\n {{TOBN(0x1130e9dd, 0x7b9520e8), TOBN(0xc078f9e2, 0x0af037b5),\n TOBN(0x38cd2ec7, 0x1e9c104c), TOBN(0x0f684368, 0xc472fe92)},\n {TOBN(0xd3f1b5ed, 0x6247e7ef), TOBN(0xb32d33a9, 0x396dfe21),\n TOBN(0x46f59cf4, 0x4a9aa2c2), TOBN(0x69cd5168, 0xff0f7e41)}},\n {{TOBN(0x3f59da0f, 0x4b3234da), TOBN(0xcf0b0235, 0xb4579ebe),\n TOBN(0x6d1cbb25, 0x6d2476c7), TOBN(0x4f0837e6, 0x9dc30f08)},\n {TOBN(0x9a4075bb, 0x906f6e98), TOBN(0x253bb434, 0xc761e7d1),\n TOBN(0xde2e645f, 0x6e73af10), TOBN(0xb89a4060, 0x0c5f131c)}},\n {{TOBN(0xd12840c5, 0xb8cc037f), TOBN(0x3d093a5b, 0x7405bb47),\n TOBN(0x6202c253, 0x206348b8), TOBN(0xbf5d57fc, 0xc55a3ca7)},\n {TOBN(0x89f6c90c, 0x8c3bef48), TOBN(0x23ac7623, 0x5a0a960a),\n TOBN(0xdfbd3d6b, 0x552b42ab), TOBN(0x3ef22458, 0x132061f6)}},\n {{TOBN(0xd74e9bda, 0xc97e6516), TOBN(0x88779360, 0xc230f49e),\n TOBN(0xa6ec1de3, 0x1e74ea49), TOBN(0x581dcee5, 0x3fb645a2)},\n {TOBN(0xbaef2391, 0x8f483f14), TOBN(0x6d2dddfc, 0xd137d13b),\n TOBN(0x54cde50e, 0xd2743a42), TOBN(0x89a34fc5, 0xe4d97e67)}},\n {{TOBN(0x13f1f5b3, 0x12e08ce5), TOBN(0xa80540b8, 0xa7f0b2ca),\n TOBN(0x854bcf77, 0x01982805), TOBN(0xb8653ffd, 0x233bea04)},\n {TOBN(0x8e7b8787, 0x02b0b4c9), TOBN(0x2675261f, 0x9acb170a),\n TOBN(0x061a9d90, 0x930c14e5), TOBN(0xb59b30e0, 0xdef0abea)}},\n {{TOBN(0x1dc19ea6, 0x0200ec7d), TOBN(0xb6f4a3f9, 0x0bce132b),\n TOBN(0xb8d5de90, 0xf13e27e0), TOBN(0xbaee5ef0, 0x1fade16f)},\n {TOBN(0x6f406aaa, 0xe4c6cf38), TOBN(0xab4cfe06, 0xd1369815),\n TOBN(0x0dcffe87, 0xefd550c6), TOBN(0x9d4f59c7, 0x75ff7d39)}},\n {{TOBN(0xb02553b1, 0x51deb6ad), TOBN(0x812399a4, 0xb1877749),\n TOBN(0xce90f71f, 0xca6006e1), TOBN(0xc32363a6, 0xb02b6e77)},\n {TOBN(0x02284fbe, 0xdc36c64d), TOBN(0x86c81e31, 0xa7e1ae61),\n TOBN(0x2576c7e5, 0xb909d94a), TOBN(0x8b6f7d02, 0x818b2bb0)}},\n {{TOBN(0xeca3ed07, 0x56faa38a), TOBN(0xa3790e6c, 0x9305bb54),\n TOBN(0xd784eeda, 0x7bc73061), TOBN(0xbd56d369, 0x6dd50614)},\n {TOBN(0xd6575949, 0x229a8aa9), TOBN(0xdcca8f47, 0x4595ec28),\n TOBN(0x814305c1, 0x06ab4fe6), TOBN(0xc8c39768, 0x24f43f16)}},\n {{TOBN(0xe2a45f36, 0x523f2b36), TOBN(0x995c6493, 0x920d93bb),\n TOBN(0xf8afdab7, 0x90f1632b), TOBN(0x79ebbecd, 0x1c295954)},\n {TOBN(0xc7bb3ddb, 0x79592f48), TOBN(0x67216a7b, 0x5f88e998),\n TOBN(0xd91f098b, 0xbc01193e), TOBN(0xf7d928a5, 0xb1db83fc)}},\n {{TOBN(0x55e38417, 0xe991f600), TOBN(0x2a91113e, 0x2981a934),\n TOBN(0xcbc9d648, 0x06b13bde), TOBN(0xb011b6ac, 0x0755ff44)},\n {TOBN(0x6f4cb518, 0x045ec613), TOBN(0x522d2d31, 0xc2f5930a),\n TOBN(0x5acae1af, 0x382e65de), TOBN(0x57643067, 0x27bc966f)}},\n {{TOBN(0x5e12705d, 0x1c7193f0), TOBN(0xf0f32f47, 0x3be8858e),\n TOBN(0x785c3d7d, 0x96c6dfc7), TOBN(0xd75b4a20, 0xbf31795d)},\n {TOBN(0x91acf17b, 0x342659d4), TOBN(0xe596ea34, 0x44f0378f),\n TOBN(0x4515708f, 0xce52129d), TOBN(0x17387e1e, 0x79f2f585)}},\n {{TOBN(0x72cfd2e9, 0x49dee168), TOBN(0x1ae05223, 0x3e2af239),\n TOBN(0x009e75be, 0x1d94066a), TOBN(0x6cca31c7, 0x38abf413)},\n {TOBN(0xb50bd61d, 0x9bc49908), TOBN(0x4a9b4a8c, 0xf5e2bc1e),\n TOBN(0xeb6cc5f7, 0x946f83ac), TOBN(0x27da93fc, 0xebffab28)}},\n {{TOBN(0xea314c96, 0x4821c8c5), TOBN(0x8de49ded, 0xa83c15f4),\n TOBN(0x7a64cf20, 0x7af33004), TOBN(0x45f1bfeb, 0xc9627e10)},\n {TOBN(0x878b0626, 0x54b9df60), TOBN(0x5e4fdc3c, 0xa95c0b33),\n TOBN(0xe54a37ca, 0xc2035d8e), TOBN(0x9087cda9, 0x80f20b8c)}},\n {{TOBN(0x36f61c23, 0x8319ade4), TOBN(0x766f287a, 0xde8cfdf8),\n TOBN(0x48821948, 0x346f3705), TOBN(0x49a7b853, 0x16e4f4a2)},\n {TOBN(0xb9b3f8a7, 0x5cedadfd), TOBN(0x8f562815, 0x8db2a815),\n TOBN(0xc0b7d554, 0x01f68f95), TOBN(0x12971e27, 0x688a208e)}},\n {{TOBN(0xc9f8b696, 0xd0ff34fc), TOBN(0x20824de2, 0x1222718c),\n TOBN(0x7213cf9f, 0x0c95284d), TOBN(0xe2ad741b, 0xdc158240)},\n {TOBN(0x0ee3a6df, 0x54043ccf), TOBN(0x16ff479b, 0xd84412b3),\n TOBN(0xf6c74ee0, 0xdfc98af0), TOBN(0xa78a169f, 0x52fcd2fb)}},\n {{TOBN(0xd8ae8746, 0x99c930e9), TOBN(0x1d33e858, 0x49e117a5),\n TOBN(0x7581fcb4, 0x6624759f), TOBN(0xde50644f, 0x5bedc01d)},\n {TOBN(0xbeec5d00, 0xcaf3155e), TOBN(0x672d66ac, 0xbc73e75f),\n TOBN(0x86b9d8c6, 0x270b01db), TOBN(0xd249ef83, 0x50f55b79)}},\n {{TOBN(0x6131d6d4, 0x73978fe3), TOBN(0xcc4e4542, 0x754b00a1),\n TOBN(0x4e05df05, 0x57dfcfe9), TOBN(0x94b29cdd, 0x51ef6bf0)},\n {TOBN(0xe4530cff, 0x9bc7edf2), TOBN(0x8ac236fd, 0xd3da65f3),\n TOBN(0x0faf7d5f, 0xc8eb0b48), TOBN(0x4d2de14c, 0x660eb039)}},\n {{TOBN(0xc006bba7, 0x60430e54), TOBN(0x10a2d0d6, 0xda3289ab),\n TOBN(0x9c037a5d, 0xd7979c59), TOBN(0x04d1f3d3, 0xa116d944)},\n {TOBN(0x9ff22473, 0x8a0983cd), TOBN(0x28e25b38, 0xc883cabb),\n TOBN(0xe968dba5, 0x47a58995), TOBN(0x2c80b505, 0x774eebdf)}},\n {{TOBN(0xee763b71, 0x4a953beb), TOBN(0x502e223f, 0x1642e7f6),\n TOBN(0x6fe4b641, 0x61d5e722), TOBN(0x9d37c5b0, 0xdbef5316)},\n {TOBN(0x0115ed70, 0xf8330bc7), TOBN(0x139850e6, 0x75a72789),\n TOBN(0x27d7faec, 0xffceccc2), TOBN(0x3016a860, 0x4fd9f7f6)}},\n {{TOBN(0xc492ec64, 0x4cd8f64c), TOBN(0x58a2d790, 0x279d7b51),\n TOBN(0x0ced1fc5, 0x1fc75256), TOBN(0x3e658aed, 0x8f433017)},\n {TOBN(0x0b61942e, 0x05da59eb), TOBN(0xba3d60a3, 0x0ddc3722),\n TOBN(0x7c311cd1, 0x742e7f87), TOBN(0x6473ffee, 0xf6b01b6e)}}},\n {{{TOBN(0x8303604f, 0x692ac542), TOBN(0xf079ffe1, 0x227b91d3),\n TOBN(0x19f63e63, 0x15aaf9bd), TOBN(0xf99ee565, 0xf1f344fb)},\n {TOBN(0x8a1d661f, 0xd6219199), TOBN(0x8c883bc6, 0xd48ce41c),\n TOBN(0x1065118f, 0x3c74d904), TOBN(0x713889ee, 0x0faf8b1b)}},\n {{TOBN(0x972b3f8f, 0x81a1b3be), TOBN(0x4f3ce145, 0xce2764a0),\n TOBN(0xe2d0f1cc, 0x28c4f5f7), TOBN(0xdeee0c0d, 0xc7f3985b)},\n {TOBN(0x7df4adc0, 0xd39e25c3), TOBN(0x40619820, 0xc467a080),\n TOBN(0x440ebc93, 0x61cf5a58), TOBN(0x527729a6, 0x422ad600)}},\n {{TOBN(0xca6c0937, 0xb1b76ba6), TOBN(0x1a2eab85, 0x4d2026dc),\n TOBN(0xb1715e15, 0x19d9ae0a), TOBN(0xf1ad9199, 0xbac4a026)},\n {TOBN(0x35b3dfb8, 0x07ea7b0e), TOBN(0xedf5496f, 0x3ed9eb89),\n TOBN(0x8932e5ff, 0x2d6d08ab), TOBN(0xf314874e, 0x25bd2731)}},\n {{TOBN(0xefb26a75, 0x3f73f449), TOBN(0x1d1c94f8, 0x8d44fc79),\n TOBN(0x49f0fbc5, 0x3bc0dc4d), TOBN(0xb747ea0b, 0x3698a0d0)},\n {TOBN(0x5218c3fe, 0x228d291e), TOBN(0x35b804b5, 0x43c129d6),\n TOBN(0xfac859b8, 0xd1acc516), TOBN(0x6c10697d, 0x95d6e668)}},\n {{TOBN(0xc38e438f, 0x0876fd4e), TOBN(0x45f0c307, 0x83d2f383),\n TOBN(0x203cc2ec, 0xb10934cb), TOBN(0x6a8f2439, 0x2c9d46ee)},\n {TOBN(0xf16b431b, 0x65ccde7b), TOBN(0x41e2cd18, 0x27e76a6f),\n TOBN(0xb9c8cf8f, 0x4e3484d7), TOBN(0x64426efd, 0x8315244a)}},\n {{TOBN(0x1c0a8e44, 0xfc94dea3), TOBN(0x34c8cdbf, 0xdad6a0b0),\n TOBN(0x919c3840, 0x04113cef), TOBN(0xfd32fba4, 0x15490ffa)},\n {TOBN(0x58d190f6, 0x795dcfb7), TOBN(0xfef01b03, 0x83588baf),\n TOBN(0x9e6d1d63, 0xca1fc1c0), TOBN(0x53173f96, 0xf0a41ac9)}},\n {{TOBN(0x2b1d402a, 0xba16f73b), TOBN(0x2fb31014, 0x8cf9b9fc),\n TOBN(0x2d51e60e, 0x446ef7bf), TOBN(0xc731021b, 0xb91e1745)},\n {TOBN(0x9d3b4724, 0x4fee99d4), TOBN(0x4bca48b6, 0xfac5c1ea),\n TOBN(0x70f5f514, 0xbbea9af7), TOBN(0x751f55a5, 0x974c283a)}},\n {{TOBN(0x6e30251a, 0xcb452fdb), TOBN(0x31ee6965, 0x50f30650),\n TOBN(0xb0b3e508, 0x933548d9), TOBN(0xb8949a4f, 0xf4b0ef5b)},\n {TOBN(0x208b8326, 0x3c88f3bd), TOBN(0xab147c30, 0xdb1d9989),\n TOBN(0xed6515fd, 0x44d4df03), TOBN(0x17a12f75, 0xe72eb0c5)}},\n {{TOBN(0x3b59796d, 0x36cf69db), TOBN(0x1219eee9, 0x56670c18),\n TOBN(0xfe3341f7, 0x7a070d8e), TOBN(0x9b70130b, 0xa327f90c)},\n {TOBN(0x36a32462, 0x0ae18e0e), TOBN(0x2021a623, 0x46c0a638),\n TOBN(0x251b5817, 0xc62eb0d4), TOBN(0x87bfbcdf, 0x4c762293)}},\n {{TOBN(0xf78ab505, 0xcdd61d64), TOBN(0x8c7a53fc, 0xc8c18857),\n TOBN(0xa653ce6f, 0x16147515), TOBN(0x9c923aa5, 0xea7d52d5)},\n {TOBN(0xc24709cb, 0x5c18871f), TOBN(0x7d53bec8, 0x73b3cc74),\n TOBN(0x59264aff, 0xfdd1d4c4), TOBN(0x5555917e, 0x240da582)}},\n {{TOBN(0xcae8bbda, 0x548f5a0e), TOBN(0x1910eaba, 0x3bbfbbe1),\n TOBN(0xae579685, 0x7677afc3), TOBN(0x49ea61f1, 0x73ff0b5c)},\n {TOBN(0x78655478, 0x4f7c3922), TOBN(0x95d337cd, 0x20c68eef),\n TOBN(0x68f1e1e5, 0xdf779ab9), TOBN(0x14b491b0, 0xb5cf69a8)}},\n {{TOBN(0x7a6cbbe0, 0x28e3fe89), TOBN(0xe7e1fee4, 0xc5aac0eb),\n TOBN(0x7f47eda5, 0x697e5140), TOBN(0x4f450137, 0xb454921f)},\n {TOBN(0xdb625f84, 0x95cd8185), TOBN(0x74be0ba1, 0xcdb2e583),\n TOBN(0xaee4fd7c, 0xdd5e6de4), TOBN(0x4251437d, 0xe8101739)}},\n {{TOBN(0x686d72a0, 0xac620366), TOBN(0x4be3fb9c, 0xb6d59344),\n TOBN(0x6e8b44e7, 0xa1eb75b9), TOBN(0x84e39da3, 0x91a5c10c)},\n {TOBN(0x37cc1490, 0xb38f0409), TOBN(0x02951943, 0x2c2ade82),\n TOBN(0x9b688783, 0x1190a2d8), TOBN(0x25627d14, 0x231182ba)}},\n {{TOBN(0x6eb550aa, 0x658a6d87), TOBN(0x1405aaa7, 0xcf9c7325),\n TOBN(0xd147142e, 0x5c8748c9), TOBN(0x7f637e4f, 0x53ede0e0)},\n {TOBN(0xf8ca2776, 0x14ffad2c), TOBN(0xe58fb1bd, 0xbafb6791),\n TOBN(0x17158c23, 0xbf8f93fc), TOBN(0x7f15b373, 0x0a4a4655)}},\n {{TOBN(0x39d4add2, 0xd842ca72), TOBN(0xa71e4391, 0x3ed96305),\n TOBN(0x5bb09cbe, 0x6700be14), TOBN(0x68d69d54, 0xd8befcf6)},\n {TOBN(0xa45f5367, 0x37183bcf), TOBN(0x7152b7bb, 0x3370dff7),\n TOBN(0xcf887baa, 0xbf12525b), TOBN(0xe7ac7bdd, 0xd6d1e3cd)}},\n {{TOBN(0x25914f78, 0x81fdad90), TOBN(0xcf638f56, 0x0d2cf6ab),\n TOBN(0xb90bc03f, 0xcc054de5), TOBN(0x932811a7, 0x18b06350)},\n {TOBN(0x2f00b330, 0x9bbd11ff), TOBN(0x76108a6f, 0xb4044974),\n TOBN(0x801bb9e0, 0xa851d266), TOBN(0x0dd099be, 0xbf8990c1)}},\n {{TOBN(0x58c5aaaa, 0xabe32986), TOBN(0x0fe9dd2a, 0x50d59c27),\n TOBN(0x84951ff4, 0x8d307305), TOBN(0x6c23f829, 0x86529b78)},\n {TOBN(0x50bb2218, 0x0b136a79), TOBN(0x7e2174de, 0x77a20996),\n TOBN(0x6f00a4b9, 0xc0bb4da6), TOBN(0x89a25a17, 0xefdde8da)}},\n {{TOBN(0xf728a27e, 0xc11ee01d), TOBN(0xf900553a, 0xe5f10dfb),\n TOBN(0x189a83c8, 0x02ec893c), TOBN(0x3ca5bdc1, 0x23f66d77)},\n {TOBN(0x98781537, 0x97eada9f), TOBN(0x59c50ab3, 0x10256230),\n TOBN(0x346042d9, 0x323c69b3), TOBN(0x1b715a6d, 0x2c460449)}},\n {{TOBN(0xa41dd476, 0x6ae06e0b), TOBN(0xcdd7888e, 0x9d42e25f),\n TOBN(0x0f395f74, 0x56b25a20), TOBN(0xeadfe0ae, 0x8700e27e)},\n {TOBN(0xb09d52a9, 0x69950093), TOBN(0x3525d9cb, 0x327f8d40),\n TOBN(0xb8235a94, 0x67df886a), TOBN(0x77e4b0dd, 0x035faec2)}},\n {{TOBN(0x115eb20a, 0x517d7061), TOBN(0x77fe3433, 0x6c2df683),\n TOBN(0x6870ddc7, 0xcdc6fc67), TOBN(0xb1610588, 0x0b87de83)},\n {TOBN(0x343584ca, 0xd9c4ddbe), TOBN(0xb3164f1c, 0x3d754be2),\n TOBN(0x0731ed3a, 0xc1e6c894), TOBN(0x26327dec, 0x4f6b904c)}},\n {{TOBN(0x9d49c6de, 0x97b5cd32), TOBN(0x40835dae, 0xb5eceecd),\n TOBN(0xc66350ed, 0xd9ded7fe), TOBN(0x8aeebb5c, 0x7a678804)},\n {TOBN(0x51d42fb7, 0x5b8ee9ec), TOBN(0xd7a17bdd, 0x8e3ca118),\n TOBN(0x40d7511a, 0x2ef4400e), TOBN(0xc48990ac, 0x875a66f4)}},\n {{TOBN(0x8de07d2a, 0x2199e347), TOBN(0xbee75556, 0x2a39e051),\n TOBN(0x56918786, 0x916e51dc), TOBN(0xeb191313, 0x4a2d89ec)},\n {TOBN(0x6679610d, 0x37d341ed), TOBN(0x434fbb41, 0x56d51c2b),\n TOBN(0xe54b7ee7, 0xd7492dba), TOBN(0xaa33a79a, 0x59021493)}},\n {{TOBN(0x49fc5054, 0xe4bd6d3d), TOBN(0x09540f04, 0x5ab551d0),\n TOBN(0x8acc9085, 0x4942d3a6), TOBN(0x231af02f, 0x2d28323b)},\n {TOBN(0x93458cac, 0x0992c163), TOBN(0x1fef8e71, 0x888e3bb4),\n TOBN(0x27578da5, 0xbe8c268c), TOBN(0xcc8be792, 0xe805ec00)}},\n {{TOBN(0x29267bae, 0xc61c3855), TOBN(0xebff429d, 0x58c1fd3b),\n TOBN(0x22d886c0, 0x8c0b93b8), TOBN(0xca5e00b2, 0x2ddb8953)},\n {TOBN(0xcf330117, 0xc3fed8b7), TOBN(0xd49ac6fa, 0x819c01f6),\n TOBN(0x6ddaa6bd, 0x3c0fbd54), TOBN(0x91743068, 0x8049a2cf)}},\n {{TOBN(0xd67f981e, 0xaff2ef81), TOBN(0xc3654d35, 0x2818ae80),\n TOBN(0x81d05044, 0x1b2aa892), TOBN(0x2db067bf, 0x3d099328)},\n {TOBN(0xe7c79e86, 0x703dcc97), TOBN(0xe66f9b37, 0xe133e215),\n TOBN(0xcdf119a6, 0xe39a7a5c), TOBN(0x47c60de3, 0x876f1b61)}},\n {{TOBN(0x6e405939, 0xd860f1b2), TOBN(0x3e9a1dbc, 0xf5ed4d4a),\n TOBN(0x3f23619e, 0xc9b6bcbd), TOBN(0x5ee790cf, 0x734e4497)},\n {TOBN(0xf0a834b1, 0x5bdaf9bb), TOBN(0x02cedda7, 0x4ca295f0),\n TOBN(0x4619aa2b, 0xcb8e378c), TOBN(0xe5613244, 0xcc987ea4)}},\n {{TOBN(0x0bc022cc, 0x76b23a50), TOBN(0x4a2793ad, 0x0a6c21ce),\n TOBN(0x38328780, 0x89cac3f5), TOBN(0x29176f1b, 0xcba26d56)},\n {TOBN(0x06296187, 0x4f6f59eb), TOBN(0x86e9bca9, 0x8bdc658e),\n TOBN(0x2ca9c4d3, 0x57e30402), TOBN(0x5438b216, 0x516a09bb)}},\n {{TOBN(0x0a6a063c, 0x7672765a), TOBN(0x37a3ce64, 0x0547b9bf),\n TOBN(0x42c099c8, 0x98b1a633), TOBN(0xb5ab800d, 0x05ee6961)},\n {TOBN(0xf1963f59, 0x11a5acd6), TOBN(0xbaee6157, 0x46201063),\n TOBN(0x36d9a649, 0xa596210a), TOBN(0xaed04363, 0x1ba7138c)}},\n {{TOBN(0xcf817d1c, 0xa4a82b76), TOBN(0x5586960e, 0xf3806be9),\n TOBN(0x7ab67c89, 0x09dc6bb5), TOBN(0x52ace7a0, 0x114fe7eb)},\n {TOBN(0xcd987618, 0xcbbc9b70), TOBN(0x4f06fd5a, 0x604ca5e1),\n TOBN(0x90af14ca, 0x6dbde133), TOBN(0x1afe4322, 0x948a3264)}},\n {{TOBN(0xa70d2ca6, 0xc44b2c6c), TOBN(0xab726799, 0x0ef87dfe),\n TOBN(0x310f64dc, 0x2e696377), TOBN(0x49b42e68, 0x4c8126a0)},\n {TOBN(0x0ea444c3, 0xcea0b176), TOBN(0x53a8ddf7, 0xcb269182),\n TOBN(0xf3e674eb, 0xbbba9dcb), TOBN(0x0d2878a8, 0xd8669d33)}},\n {{TOBN(0x04b935d5, 0xd019b6a3), TOBN(0xbb5cf88e, 0x406f1e46),\n TOBN(0xa1912d16, 0x5b57c111), TOBN(0x9803fc21, 0x19ebfd78)},\n {TOBN(0x4f231c9e, 0xc07764a9), TOBN(0xd93286ee, 0xb75bd055),\n TOBN(0x83a9457d, 0x8ee6c9de), TOBN(0x04695915, 0x6087ec90)}},\n {{TOBN(0x14c6dd8a, 0x58d6cd46), TOBN(0x9cb633b5, 0x8e6634d2),\n TOBN(0xc1305047, 0xf81bc328), TOBN(0x12ede0e2, 0x26a177e5)},\n {TOBN(0x332cca62, 0x065a6f4f), TOBN(0xc3a47ecd, 0x67be487b),\n TOBN(0x741eb187, 0x0f47ed1c), TOBN(0x99e66e58, 0xe7598b14)}},\n {{TOBN(0x6f0544ca, 0x63d0ff12), TOBN(0xe5efc784, 0xb610a05f),\n TOBN(0xf72917b1, 0x7cad7b47), TOBN(0x3ff6ea20, 0xf2cac0c0)},\n {TOBN(0xcc23791b, 0xf21db8b7), TOBN(0x7dac70b1, 0xd7d93565),\n TOBN(0x682cda1d, 0x694bdaad), TOBN(0xeb88bb8c, 0x1023516d)}},\n {{TOBN(0xc4c634b4, 0xdfdbeb1b), TOBN(0x22f5ca72, 0xb4ee4dea),\n TOBN(0x1045a368, 0xe6524821), TOBN(0xed9e8a3f, 0x052b18b2)},\n {TOBN(0x9b7f2cb1, 0xb961f49a), TOBN(0x7fee2ec1, 0x7b009670),\n TOBN(0x350d8754, 0x22507a6d), TOBN(0x561bd711, 0x4db55f1d)}},\n {{TOBN(0x4c189ccc, 0x320bbcaf), TOBN(0x568434cf, 0xdf1de48c),\n TOBN(0x6af1b00e, 0x0fa8f128), TOBN(0xf0ba9d02, 0x8907583c)},\n {TOBN(0x735a4004, 0x32ff9f60), TOBN(0x3dd8e4b6, 0xc25dcf33),\n TOBN(0xf2230f16, 0x42c74cef), TOBN(0xd8117623, 0x013fa8ad)}},\n {{TOBN(0x36822876, 0xf51fe76e), TOBN(0x8a6811cc, 0x11d62589),\n TOBN(0xc3fc7e65, 0x46225718), TOBN(0xb7df2c9f, 0xc82fdbcd)},\n {TOBN(0x3b1d4e52, 0xdd7b205b), TOBN(0xb6959478, 0x47a2e414),\n TOBN(0x05e4d793, 0xefa91148), TOBN(0xb47ed446, 0xfd2e9675)}},\n {{TOBN(0x1a7098b9, 0x04c9d9bf), TOBN(0x661e2881, 0x1b793048),\n TOBN(0xb1a16966, 0xb01ee461), TOBN(0xbc521308, 0x2954746f)},\n {TOBN(0xc909a0fc, 0x2477de50), TOBN(0xd80bb41c, 0x7dbd51ef),\n TOBN(0xa85be7ec, 0x53294905), TOBN(0x6d465b18, 0x83958f97)}},\n {{TOBN(0x16f6f330, 0xfb6840fd), TOBN(0xfaaeb214, 0x3401e6c8),\n TOBN(0xaf83d30f, 0xccb5b4f8), TOBN(0x22885739, 0x266dec4b)},\n {TOBN(0x51b4367c, 0x7bc467df), TOBN(0x926562e3, 0xd842d27a),\n TOBN(0xdfcb6614, 0x0fea14a6), TOBN(0xeb394dae, 0xf2734cd9)}},\n {{TOBN(0x3eeae5d2, 0x11c0be98), TOBN(0xb1e6ed11, 0x814e8165),\n TOBN(0x191086bc, 0xe52bce1c), TOBN(0x14b74cc6, 0xa75a04da)},\n {TOBN(0x63cf1186, 0x8c060985), TOBN(0x071047de, 0x2dbd7f7c),\n TOBN(0x4e433b8b, 0xce0942ca), TOBN(0xecbac447, 0xd8fec61d)}},\n {{TOBN(0x8f0ed0e2, 0xebf3232f), TOBN(0xfff80f9e, 0xc52a2edd),\n TOBN(0xad9ab433, 0x75b55fdb), TOBN(0x73ca7820, 0xe42e0c11)},\n {TOBN(0x6dace0a0, 0xe6251b46), TOBN(0x89bc6b5c, 0x4c0d932d),\n TOBN(0x3438cd77, 0x095da19a), TOBN(0x2f24a939, 0x8d48bdfb)}},\n {{TOBN(0x99b47e46, 0x766561b7), TOBN(0x736600e6, 0x0ed0322a),\n TOBN(0x06a47cb1, 0x638e1865), TOBN(0x927c1c2d, 0xcb136000)},\n {TOBN(0x29542337, 0x0cc5df69), TOBN(0x99b37c02, 0x09d649a9),\n TOBN(0xc5f0043c, 0x6aefdb27), TOBN(0x6cdd9987, 0x1be95c27)}},\n {{TOBN(0x69850931, 0x390420d2), TOBN(0x299c40ac, 0x0983efa4),\n TOBN(0x3a05e778, 0xaf39aead), TOBN(0x84274408, 0x43a45193)},\n {TOBN(0x6bcd0fb9, 0x91a711a0), TOBN(0x461592c8, 0x9f52ab17),\n TOBN(0xb49302b4, 0xda3c6ed6), TOBN(0xc51fddc7, 0x330d7067)}},\n {{TOBN(0x94babeb6, 0xda50d531), TOBN(0x521b840d, 0xa6a7b9da),\n TOBN(0x5305151e, 0x404bdc89), TOBN(0x1bcde201, 0xd0d07449)},\n {TOBN(0xf427a78b, 0x3b76a59a), TOBN(0xf84841ce, 0x07791a1b),\n TOBN(0xebd314be, 0xbf91ed1c), TOBN(0x8e61d34c, 0xbf172943)}},\n {{TOBN(0x1d5dc451, 0x5541b892), TOBN(0xb186ee41, 0xfc9d9e54),\n TOBN(0x9d9f345e, 0xd5bf610d), TOBN(0x3e7ba65d, 0xf6acca9f)},\n {TOBN(0x9dda787a, 0xa8369486), TOBN(0x09f9dab7, 0x8eb5ba53),\n TOBN(0x5afb2033, 0xd6481bc3), TOBN(0x76f4ce30, 0xafa62104)}},\n {{TOBN(0xa8fa00cf, 0xf4f066b5), TOBN(0x89ab5143, 0x461dafc2),\n TOBN(0x44339ed7, 0xa3389998), TOBN(0x2ff862f1, 0xbc214903)},\n {TOBN(0x2c88f985, 0xb05556e3), TOBN(0xcd96058e, 0x3467081e),\n TOBN(0x7d6a4176, 0xedc637ea), TOBN(0xe1743d09, 0x36a5acdc)}},\n {{TOBN(0x66fd72e2, 0x7eb37726), TOBN(0xf7fa264e, 0x1481a037),\n TOBN(0x9fbd3bde, 0x45f4aa79), TOBN(0xed1e0147, 0x767c3e22)},\n {TOBN(0x7621f979, 0x82e7abe2), TOBN(0x19eedc72, 0x45f633f8),\n TOBN(0xe69b155e, 0x6137bf3a), TOBN(0xa0ad13ce, 0x414ee94e)}},\n {{TOBN(0x93e3d524, 0x1c0e651a), TOBN(0xab1a6e2a, 0x02ce227e),\n TOBN(0xe7af1797, 0x4ab27eca), TOBN(0x245446de, 0xbd444f39)},\n {TOBN(0x59e22a21, 0x56c07613), TOBN(0x43deafce, 0xf4275498),\n TOBN(0x10834ccb, 0x67fd0946), TOBN(0xa75841e5, 0x47406edf)}},\n {{TOBN(0xebd6a677, 0x7b0ac93d), TOBN(0xa6e37b0d, 0x78f5e0d7),\n TOBN(0x2516c096, 0x76f5492b), TOBN(0x1e4bf888, 0x9ac05f3a)},\n {TOBN(0xcdb42ce0, 0x4df0ba2b), TOBN(0x935d5cfd, 0x5062341b),\n TOBN(0x8a303333, 0x82acac20), TOBN(0x429438c4, 0x5198b00e)}},\n {{TOBN(0x1d083bc9, 0x049d33fa), TOBN(0x58b82dda, 0x946f67ff),\n TOBN(0xac3e2db8, 0x67a1d6a3), TOBN(0x62e6bead, 0x1798aac8)},\n {TOBN(0xfc85980f, 0xde46c58c), TOBN(0xa7f69379, 0x69c8d7be),\n TOBN(0x23557927, 0x837b35ec), TOBN(0x06a933d8, 0xe0790c0c)}},\n {{TOBN(0x827c0e9b, 0x077ff55d), TOBN(0x53977798, 0xbb26e680),\n TOBN(0x59530874, 0x1d9cb54f), TOBN(0xcca3f449, 0x4aac53ef)},\n {TOBN(0x11dc5c87, 0xa07eda0f), TOBN(0xc138bccf, 0xfd6400c8),\n TOBN(0x549680d3, 0x13e5da72), TOBN(0xc93eed82, 0x4540617e)}},\n {{TOBN(0xfd3db157, 0x4d0b75c0), TOBN(0x9716eb42, 0x6386075b),\n TOBN(0x0639605c, 0x817b2c16), TOBN(0x09915109, 0xf1e4f201)},\n {TOBN(0x35c9a928, 0x5cca6c3b), TOBN(0xb25f7d1a, 0x3505c900),\n TOBN(0xeb9f7d20, 0x630480c4), TOBN(0xc3c7b8c6, 0x2a1a501c)}},\n {{TOBN(0x3f99183c, 0x5a1f8e24), TOBN(0xfdb118fa, 0x9dd255f0),\n TOBN(0xb9b18b90, 0xc27f62a6), TOBN(0xe8f732f7, 0x396ec191)},\n {TOBN(0x524a2d91, 0x0be786ab), TOBN(0x5d32adef, 0x0ac5a0f5),\n TOBN(0x9b53d4d6, 0x9725f694), TOBN(0x032a76c6, 0x0510ba89)}},\n {{TOBN(0x840391a3, 0xebeb1544), TOBN(0x44b7b88c, 0x3ed73ac3),\n TOBN(0xd24bae7a, 0x256cb8b3), TOBN(0x7ceb151a, 0xe394cb12)},\n {TOBN(0xbd6b66d0, 0x5bc1e6a8), TOBN(0xec70cecb, 0x090f07bf),\n TOBN(0x270644ed, 0x7d937589), TOBN(0xee9e1a3d, 0x5f1dccfe)}},\n {{TOBN(0xb0d40a84, 0x745b98d2), TOBN(0xda429a21, 0x2556ed40),\n TOBN(0xf676eced, 0x85148cb9), TOBN(0x5a22d40c, 0xded18936)},\n {TOBN(0x3bc4b9e5, 0x70e8a4ce), TOBN(0xbfd1445b, 0x9eae0379),\n TOBN(0xf23f2c0c, 0x1a0bd47e), TOBN(0xa9c0bb31, 0xe1845531)}},\n {{TOBN(0x9ddc4d60, 0x0a4c3f6b), TOBN(0xbdfaad79, 0x2c15ef44),\n TOBN(0xce55a236, 0x7f484acc), TOBN(0x08653ca7, 0x055b1f15)},\n {TOBN(0x2efa8724, 0x538873a3), TOBN(0x09299e5d, 0xace1c7e7),\n TOBN(0x07afab66, 0xade332ba), TOBN(0x9be1fdf6, 0x92dd71b7)}},\n {{TOBN(0xa49b5d59, 0x5758b11c), TOBN(0x0b852893, 0xc8654f40),\n TOBN(0xb63ef6f4, 0x52379447), TOBN(0xd4957d29, 0x105e690c)},\n {TOBN(0x7d484363, 0x646559b0), TOBN(0xf4a8273c, 0x49788a8e),\n TOBN(0xee406cb8, 0x34ce54a9), TOBN(0x1e1c260f, 0xf86fda9b)}},\n {{TOBN(0xe150e228, 0xcf6a4a81), TOBN(0x1fa3b6a3, 0x1b488772),\n TOBN(0x1e6ff110, 0xc5a9c15b), TOBN(0xc6133b91, 0x8ad6aa47)},\n {TOBN(0x8ac5d55c, 0x9dffa978), TOBN(0xba1d1c1d, 0x5f3965f2),\n TOBN(0xf969f4e0, 0x7732b52f), TOBN(0xfceecdb5, 0xa5172a07)}},\n {{TOBN(0xb0120a5f, 0x10f2b8f5), TOBN(0xc83a6cdf, 0x5c4c2f63),\n TOBN(0x4d47a491, 0xf8f9c213), TOBN(0xd9e1cce5, 0xd3f1bbd5)},\n {TOBN(0x0d91bc7c, 0xaba7e372), TOBN(0xfcdc74c8, 0xdfd1a2db),\n TOBN(0x05efa800, 0x374618e5), TOBN(0x11216969, 0x15a7925e)}},\n {{TOBN(0xd4c89823, 0xf6021c5d), TOBN(0x880d5e84, 0xeff14423),\n TOBN(0x6523bc5a, 0x6dcd1396), TOBN(0xd1acfdfc, 0x113c978b)},\n {TOBN(0xb0c164e8, 0xbbb66840), TOBN(0xf7f4301e, 0x72b58459),\n TOBN(0xc29ad4a6, 0xa638e8ec), TOBN(0xf5ab8961, 0x46b78699)}},\n {{TOBN(0x9dbd7974, 0x0e954750), TOBN(0x0121de88, 0x64f9d2c6),\n TOBN(0x2e597b42, 0xd985232e), TOBN(0x55b6c3c5, 0x53451777)},\n {TOBN(0xbb53e547, 0x519cb9fb), TOBN(0xf134019f, 0x8428600d),\n TOBN(0x5a473176, 0xe081791a), TOBN(0x2f3e2263, 0x35fb0c08)}},\n {{TOBN(0xb28c3017, 0x73d273b0), TOBN(0xccd21076, 0x7721ef9a),\n TOBN(0x054cc292, 0xb650dc39), TOBN(0x662246de, 0x6188045e)},\n {TOBN(0x904b52fa, 0x6b83c0d1), TOBN(0xa72df267, 0x97e9cd46),\n TOBN(0x886b43cd, 0x899725e4), TOBN(0x2b651688, 0xd849ff22)}},\n {{TOBN(0x60479b79, 0x02f34533), TOBN(0x5e354c14, 0x0c77c148),\n TOBN(0xb4bb7581, 0xa8537c78), TOBN(0x188043d7, 0xefe1495f)},\n {TOBN(0x9ba12f42, 0x8c1d5026), TOBN(0x2e0c8a26, 0x93d4aaab),\n TOBN(0xbdba7b8b, 0xaa57c450), TOBN(0x140c9ad6, 0x9bbdafef)}},\n {{TOBN(0x2067aa42, 0x25ac0f18), TOBN(0xf7b1295b, 0x04d1fbf3),\n TOBN(0x14829111, 0xa4b04824), TOBN(0x2ce3f192, 0x33bd5e91)},\n {TOBN(0x9c7a1d55, 0x8f2e1b72), TOBN(0xfe932286, 0x302aa243),\n TOBN(0x497ca7b4, 0xd4be9554), TOBN(0xb8e821b8, 0xe0547a6e)}},\n {{TOBN(0xfb2838be, 0x67e573e0), TOBN(0x05891db9, 0x4084c44b),\n TOBN(0x91311373, 0x96c1c2c5), TOBN(0x6aebfa3f, 0xd958444b)},\n {TOBN(0xac9cdce9, 0xe56e55c1), TOBN(0x7148ced3, 0x2caa46d0),\n TOBN(0x2e10c7ef, 0xb61fe8eb), TOBN(0x9fd835da, 0xff97cf4d)}}},\n {{{TOBN(0xa36da109, 0x081e9387), TOBN(0xfb9780d7, 0x8c935828),\n TOBN(0xd5940332, 0xe540b015), TOBN(0xc9d7b51b, 0xe0f466fa)},\n {TOBN(0xfaadcd41, 0xd6d9f671), TOBN(0xba6c1e28, 0xb1a2ac17),\n TOBN(0x066a7833, 0xed201e5f), TOBN(0x19d99719, 0xf90f462b)}},\n {{TOBN(0xf431f462, 0x060b5f61), TOBN(0xa56f46b4, 0x7bd057c2),\n TOBN(0x348dca6c, 0x47e1bf65), TOBN(0x9a38783e, 0x41bcf1ff)},\n {TOBN(0x7a5d33a9, 0xda710718), TOBN(0x5a779987, 0x2e0aeaf6),\n TOBN(0xca87314d, 0x2d29d187), TOBN(0xfa0edc3e, 0xc687d733)}},\n {{TOBN(0x9df33621, 0x6a31e09b), TOBN(0xde89e44d, 0xc1350e35),\n TOBN(0x29214871, 0x4ca0cf52), TOBN(0xdf379672, 0x0b88a538)},\n {TOBN(0xc92a510a, 0x2591d61b), TOBN(0x79aa87d7, 0x585b447b),\n TOBN(0xf67db604, 0xe5287f77), TOBN(0x1697c8bf, 0x5efe7a80)}},\n {{TOBN(0x1c894849, 0xcb198ac7), TOBN(0xa884a93d, 0x0f264665),\n TOBN(0x2da964ef, 0x9b200678), TOBN(0x3c351b87, 0x009834e6)},\n {TOBN(0xafb2ef9f, 0xe2c4b44b), TOBN(0x580f6c47, 0x3326790c),\n TOBN(0xb8480521, 0x0b02264a), TOBN(0x8ba6f9e2, 0x42a194e2)}},\n {{TOBN(0xfc87975f, 0x8fb54738), TOBN(0x35160788, 0x27c3ead3),\n TOBN(0x834116d2, 0xb74a085a), TOBN(0x53c99a73, 0xa62fe996)},\n {TOBN(0x87585be0, 0x5b81c51b), TOBN(0x925bafa8, 0xbe0852b7),\n TOBN(0x76a4fafd, 0xa84d19a7), TOBN(0x39a45982, 0x585206d4)}},\n {{TOBN(0x499b6ab6, 0x5eb03c0e), TOBN(0xf19b7954, 0x72bc3fde),\n TOBN(0xa86b5b9c, 0x6e3a80d2), TOBN(0xe4377508, 0x6d42819f)},\n {TOBN(0xc1663650, 0xbb3ee8a3), TOBN(0x75eb14fc, 0xb132075f),\n TOBN(0xa8ccc906, 0x7ad834f6), TOBN(0xea6a2474, 0xe6e92ffd)}},\n {{TOBN(0x9d72fd95, 0x0f8d6758), TOBN(0xcb84e101, 0x408c07dd),\n TOBN(0xb9114bfd, 0xa5e23221), TOBN(0x358b5fe2, 0xe94e742c)},\n {TOBN(0x1c0577ec, 0x95f40e75), TOBN(0xf0155451, 0x3d73f3d6),\n TOBN(0x9d55cd67, 0xbd1b9b66), TOBN(0x63e86e78, 0xaf8d63c7)}},\n {{TOBN(0x39d934ab, 0xd3c095f1), TOBN(0x04b261be, 0xe4b76d71),\n TOBN(0x1d2e6970, 0xe73e6984), TOBN(0x879fb23b, 0x5e5fcb11)},\n {TOBN(0x11506c72, 0xdfd75490), TOBN(0x3a97d085, 0x61bcf1c1),\n TOBN(0x43201d82, 0xbf5e7007), TOBN(0x7f0ac52f, 0x798232a7)}},\n {{TOBN(0x2715cbc4, 0x6eb564d4), TOBN(0x8d6c752c, 0x9e570e29),\n TOBN(0xf80247c8, 0x9ef5fd5d), TOBN(0xc3c66b46, 0xd53eb514)},\n {TOBN(0x9666b401, 0x0f87de56), TOBN(0xce62c06f, 0xc6c603b5),\n TOBN(0xae7b4c60, 0x7e4fc942), TOBN(0x38ac0b77, 0x663a9c19)}},\n {{TOBN(0xcb4d20ee, 0x4b049136), TOBN(0x8b63bf12, 0x356a4613),\n TOBN(0x1221aef6, 0x70e08128), TOBN(0xe62d8c51, 0x4acb6b16)},\n {TOBN(0x71f64a67, 0x379e7896), TOBN(0xb25237a2, 0xcafd7fa5),\n TOBN(0xf077bd98, 0x3841ba6a), TOBN(0xc4ac0244, 0x3cd16e7e)}},\n {{TOBN(0x548ba869, 0x21fea4ca), TOBN(0xd36d0817, 0xf3dfdac1),\n TOBN(0x09d8d71f, 0xf4685faf), TOBN(0x8eff66be, 0xc52c459a)},\n {TOBN(0x182faee7, 0x0b57235e), TOBN(0xee3c39b1, 0x0106712b),\n TOBN(0x5107331f, 0xc0fcdcb0), TOBN(0x669fb9dc, 0xa51054ba)}},\n {{TOBN(0xb25101fb, 0x319d7682), TOBN(0xb0293129, 0x0a982fee),\n TOBN(0x51c1c9b9, 0x0261b344), TOBN(0x0e008c5b, 0xbfd371fa)},\n {TOBN(0xd866dd1c, 0x0278ca33), TOBN(0x666f76a6, 0xe5aa53b1),\n TOBN(0xe5cfb779, 0x6013a2cf), TOBN(0x1d3a1aad, 0xa3521836)}},\n {{TOBN(0xcedd2531, 0x73faa485), TOBN(0xc8ee6c4f, 0xc0a76878),\n TOBN(0xddbccfc9, 0x2a11667d), TOBN(0x1a418ea9, 0x1c2f695a)},\n {TOBN(0xdb11bd92, 0x51f73971), TOBN(0x3e4b3c82, 0xda2ed89f),\n TOBN(0x9a44f3f4, 0xe73e0319), TOBN(0xd1e3de0f, 0x303431af)}},\n {{TOBN(0x3c5604ff, 0x50f75f9c), TOBN(0x1d8eddf3, 0x7e752b22),\n TOBN(0x0ef074dd, 0x3c9a1118), TOBN(0xd0ffc172, 0xccb86d7b)},\n {TOBN(0xabd1ece3, 0x037d90f2), TOBN(0xe3f307d6, 0x6055856c),\n TOBN(0x422f9328, 0x7e4c6daf), TOBN(0x902aac66, 0x334879a0)}},\n {{TOBN(0xb6a1e7bf, 0x94cdfade), TOBN(0x6c97e1ed, 0x7fc6d634),\n TOBN(0x662ad24d, 0xa2fb63f8), TOBN(0xf81be1b9, 0xa5928405)},\n {TOBN(0x86d765e4, 0xd14b4206), TOBN(0xbecc2e0e, 0x8fa0db65),\n TOBN(0xa28838e0, 0xb17fc76c), TOBN(0xe49a602a, 0xe37cf24e)}},\n {{TOBN(0x76b4131a, 0x567193ec), TOBN(0xaf3c305a, 0xe5f6e70b),\n TOBN(0x9587bd39, 0x031eebdd), TOBN(0x5709def8, 0x71bbe831)},\n {TOBN(0x57059983, 0x0eb2b669), TOBN(0x4d80ce1b, 0x875b7029),\n TOBN(0x838a7da8, 0x0364ac16), TOBN(0x2f431d23, 0xbe1c83ab)}},\n {{TOBN(0xe56812a6, 0xf9294dd3), TOBN(0xb448d01f, 0x9b4b0d77),\n TOBN(0xf3ae6061, 0x04e8305c), TOBN(0x2bead645, 0x94d8c63e)},\n {TOBN(0x0a85434d, 0x84fd8b07), TOBN(0x537b983f, 0xf7a9dee5),\n TOBN(0xedcc5f18, 0xef55bd85), TOBN(0x2041af62, 0x21c6cf8b)}},\n {{TOBN(0x8e52874c, 0xb940c71e), TOBN(0x211935a9, 0xdb5f4b3a),\n TOBN(0x94350492, 0x301b1dc3), TOBN(0x33d2646d, 0x29958620)},\n {TOBN(0x16b0d64b, 0xef911404), TOBN(0x9d1f25ea, 0x9a3c5ef4),\n TOBN(0x20f200eb, 0x4a352c78), TOBN(0x43929f2c, 0x4bd0b428)}},\n {{TOBN(0xa5656667, 0xc7196e29), TOBN(0x7992c2f0, 0x9391be48),\n TOBN(0xaaa97cbd, 0x9ee0cd6e), TOBN(0x51b0310c, 0x3dc8c9bf)},\n {TOBN(0x237f8acf, 0xdd9f22cb), TOBN(0xbb1d81a1, 0xb585d584),\n TOBN(0x8d5d85f5, 0x8c416388), TOBN(0x0d6e5a5a, 0x42fe474f)}},\n {{TOBN(0xe7812766, 0x38235d4e), TOBN(0x1c62bd67, 0x496e3298),\n TOBN(0x8378660c, 0x3f175bc8), TOBN(0x4d04e189, 0x17afdd4d)},\n {TOBN(0x32a81601, 0x85a8068c), TOBN(0xdb58e4e1, 0x92b29a85),\n TOBN(0xe8a65b86, 0xc70d8a3b), TOBN(0x5f0e6f4e, 0x98a0403b)}},\n {{TOBN(0x08129684, 0x69ed2370), TOBN(0x34dc30bd, 0x0871ee26),\n TOBN(0x3a5ce948, 0x7c9c5b05), TOBN(0x7d487b80, 0x43a90c87)},\n {TOBN(0x4089ba37, 0xdd0e7179), TOBN(0x45f80191, 0xb4041811),\n TOBN(0x1c3e1058, 0x98747ba5), TOBN(0x98c4e13a, 0x6e1ae592)}},\n {{TOBN(0xd44636e6, 0xe82c9f9e), TOBN(0x711db87c, 0xc33a1043),\n TOBN(0x6f431263, 0xaa8aec05), TOBN(0x43ff120d, 0x2744a4aa)},\n {TOBN(0xd3bd892f, 0xae77779b), TOBN(0xf0fe0cc9, 0x8cdc9f82),\n TOBN(0xca5f7fe6, 0xf1c5b1bc), TOBN(0xcc63a682, 0x44929a72)}},\n {{TOBN(0xc7eaba0c, 0x09dbe19a), TOBN(0x2f3585ad, 0x6b5c73c2),\n TOBN(0x8ab8924b, 0x0ae50c30), TOBN(0x17fcd27a, 0x638b30ba)},\n {TOBN(0xaf414d34, 0x10b3d5a5), TOBN(0x09c107d2, 0x2a9accf1),\n TOBN(0x15dac49f, 0x946a6242), TOBN(0xaec3df2a, 0xd707d642)}},\n {{TOBN(0x2c2492b7, 0x3f894ae0), TOBN(0xf59df3e5, 0xb75f18ce),\n TOBN(0x7cb740d2, 0x8f53cad0), TOBN(0x3eb585fb, 0xc4f01294)},\n {TOBN(0x17da0c86, 0x32c7f717), TOBN(0xeb8c795b, 0xaf943f4c),\n TOBN(0x4ee23fb5, 0xf67c51d2), TOBN(0xef187575, 0x68889949)}},\n {{TOBN(0xa6b4bdb2, 0x0389168b), TOBN(0xc4ecd258, 0xea577d03),\n TOBN(0x3a63782b, 0x55743082), TOBN(0x6f678f4c, 0xc72f08cd)},\n {TOBN(0x553511cf, 0x65e58dd8), TOBN(0xd53b4e3e, 0xd402c0cd),\n TOBN(0x37de3e29, 0xa037c14c), TOBN(0x86b6c516, 0xc05712aa)}},\n {{TOBN(0x2834da3e, 0xb38dff6f), TOBN(0xbe012c52, 0xea636be8),\n TOBN(0x292d238c, 0x61dd37f8), TOBN(0x0e54523f, 0x8f8142db)},\n {TOBN(0xe31eb436, 0x036a05d8), TOBN(0x83e3cdff, 0x1e93c0ff),\n TOBN(0x3fd2fe0f, 0x50821ddf), TOBN(0xc8e19b0d, 0xff9eb33b)}},\n {{TOBN(0xc8cc943f, 0xb569a5fe), TOBN(0xad0090d4, 0xd4342d75),\n TOBN(0x82090b4b, 0xcaeca000), TOBN(0xca39687f, 0x1bd410eb)},\n {TOBN(0xe7bb0df7, 0x65959d77), TOBN(0x39d78218, 0x9c964999),\n TOBN(0xd87f62e8, 0xb2415451), TOBN(0xe5efb774, 0xbed76108)}},\n {{TOBN(0x3ea011a4, 0xe822f0d0), TOBN(0xbc647ad1, 0x5a8704f8),\n TOBN(0xbb315b35, 0x50c6820f), TOBN(0x863dec3d, 0xb7e76bec)},\n {TOBN(0x01ff5d3a, 0xf017bfc7), TOBN(0x20054439, 0x976b8229),\n TOBN(0x067fca37, 0x0bbd0d3b), TOBN(0xf63dde64, 0x7f5e3d0f)}},\n {{TOBN(0x22dbefb3, 0x2a4c94e9), TOBN(0xafbff0fe, 0x96f8278a),\n TOBN(0x80aea0b1, 0x3503793d), TOBN(0xb2238029, 0x5f06cd29)},\n {TOBN(0x65703e57, 0x8ec3feca), TOBN(0x06c38314, 0x393e7053),\n TOBN(0xa0b751eb, 0x7c6734c4), TOBN(0xd2e8a435, 0xc59f0f1e)}},\n {{TOBN(0x147d9052, 0x5e9ca895), TOBN(0x2f4dd31e, 0x972072df),\n TOBN(0xa16fda8e, 0xe6c6755c), TOBN(0xc66826ff, 0xcf196558)},\n {TOBN(0x1f1a76a3, 0x0cf43895), TOBN(0xa9d604e0, 0x83c3097b),\n TOBN(0xe1908309, 0x66390e0e), TOBN(0xa50bf753, 0xb3c85eff)}},\n {{TOBN(0x0696bdde, 0xf6a70251), TOBN(0x548b801b, 0x3c6ab16a),\n TOBN(0x37fcf704, 0xa4d08762), TOBN(0x090b3def, 0xdff76c4e)},\n {TOBN(0x87e8cb89, 0x69cb9158), TOBN(0x44a90744, 0x995ece43),\n TOBN(0xf85395f4, 0x0ad9fbf5), TOBN(0x49b0f6c5, 0x4fb0c82d)}},\n {{TOBN(0x75d9bc15, 0xadf7cccf), TOBN(0x81a3e5d6, 0xdfa1e1b0),\n TOBN(0x8c39e444, 0x249bc17e), TOBN(0xf37dccb2, 0x8ea7fd43)},\n {TOBN(0xda654873, 0x907fba12), TOBN(0x35daa6da, 0x4a372904),\n TOBN(0x0564cfc6, 0x6283a6c5), TOBN(0xd09fa4f6, 0x4a9395bf)}},\n {{TOBN(0x688e9ec9, 0xaeb19a36), TOBN(0xd913f1ce, 0xc7bfbfb4),\n TOBN(0x797b9a3c, 0x61c2faa6), TOBN(0x2f979bec, 0x6a0a9c12)},\n {TOBN(0xb5969d0f, 0x359679ec), TOBN(0xebcf523d, 0x079b0460),\n TOBN(0xfd6b0008, 0x10fab870), TOBN(0x3f2edcda, 0x9373a39c)}},\n {{TOBN(0x0d64f9a7, 0x6f568431), TOBN(0xf848c27c, 0x02f8898c),\n TOBN(0xf418ade1, 0x260b5bd5), TOBN(0xc1f3e323, 0x6973dee8)},\n {TOBN(0x46e9319c, 0x26c185dd), TOBN(0x6d85b7d8, 0x546f0ac4),\n TOBN(0x427965f2, 0x247f9d57), TOBN(0xb519b636, 0xb0035f48)}},\n {{TOBN(0x6b6163a9, 0xab87d59c), TOBN(0xff9f58c3, 0x39caaa11),\n TOBN(0x4ac39cde, 0x3177387b), TOBN(0x5f6557c2, 0x873e77f9)},\n {TOBN(0x67504006, 0x36a83041), TOBN(0x9b1c96ca, 0x75ef196c),\n TOBN(0xf34283de, 0xb08c7940), TOBN(0x7ea09644, 0x1128c316)}},\n {{TOBN(0xb510b3b5, 0x6aa39dff), TOBN(0x59b43da2, 0x9f8e4d8c),\n TOBN(0xa8ce31fd, 0x9e4c4b9f), TOBN(0x0e20be26, 0xc1303c01)},\n {TOBN(0x18187182, 0xe8ee47c9), TOBN(0xd9687cdb, 0x7db98101),\n TOBN(0x7a520e4d, 0xa1e14ff6), TOBN(0x429808ba, 0x8836d572)}},\n {{TOBN(0xa37ca60d, 0x4944b663), TOBN(0xf901f7a9, 0xa3f91ae5),\n TOBN(0xe4e3e76e, 0x9e36e3b1), TOBN(0x9aa219cf, 0x29d93250)},\n {TOBN(0x347fe275, 0x056a2512), TOBN(0xa4d643d9, 0xde65d95c),\n TOBN(0x9669d396, 0x699fc3ed), TOBN(0xb598dee2, 0xcf8c6bbe)}},\n {{TOBN(0x682ac1e5, 0xdda9e5c6), TOBN(0x4e0d3c72, 0xcaa9fc95),\n TOBN(0x17faaade, 0x772bea44), TOBN(0x5ef8428c, 0xab0009c8)},\n {TOBN(0xcc4ce47a, 0x460ff016), TOBN(0xda6d12bf, 0x725281cb),\n TOBN(0x44c67848, 0x0223aad2), TOBN(0x6e342afa, 0x36256e28)}},\n {{TOBN(0x1400bb0b, 0x93a37c04), TOBN(0x62b1bc9b, 0xdd10bd96),\n TOBN(0x7251adeb, 0x0dac46b7), TOBN(0x7d33b92e, 0x7be4ef51)},\n {TOBN(0x28b2a94b, 0xe61fa29a), TOBN(0x4b2be13f, 0x06422233),\n TOBN(0x36d6d062, 0x330d8d37), TOBN(0x5ef80e1e, 0xb28ca005)}},\n {{TOBN(0x174d4699, 0x6d16768e), TOBN(0x9fc4ff6a, 0x628bf217),\n TOBN(0x77705a94, 0x154e490d), TOBN(0x9d96dd28, 0x8d2d997a)},\n {TOBN(0x77e2d9d8, 0xce5d72c4), TOBN(0x9d06c5a4, 0xc11c714f),\n TOBN(0x02aa5136, 0x79e4a03e), TOBN(0x1386b3c2, 0x030ff28b)}},\n {{TOBN(0xfe82e8a6, 0xfb283f61), TOBN(0x7df203e5, 0xf3abc3fb),\n TOBN(0xeec7c351, 0x3a4d3622), TOBN(0xf7d17dbf, 0xdf762761)},\n {TOBN(0xc3956e44, 0x522055f0), TOBN(0xde3012db, 0x8fa748db),\n TOBN(0xca9fcb63, 0xbf1dcc14), TOBN(0xa56d9dcf, 0xbe4e2f3a)}},\n {{TOBN(0xb86186b6, 0x8bcec9c2), TOBN(0x7cf24df9, 0x680b9f06),\n TOBN(0xc46b45ea, 0xc0d29281), TOBN(0xfff42bc5, 0x07b10e12)},\n {TOBN(0x12263c40, 0x4d289427), TOBN(0x3d5f1899, 0xb4848ec4),\n TOBN(0x11f97010, 0xd040800c), TOBN(0xb4c5f529, 0x300feb20)}},\n {{TOBN(0xcc543f8f, 0xde94fdcb), TOBN(0xe96af739, 0xc7c2f05e),\n TOBN(0xaa5e0036, 0x882692e1), TOBN(0x09c75b68, 0x950d4ae9)},\n {TOBN(0x62f63df2, 0xb5932a7a), TOBN(0x2658252e, 0xde0979ad),\n TOBN(0x2a19343f, 0xb5e69631), TOBN(0x718c7501, 0x525b666b)}},\n {{TOBN(0x26a42d69, 0xea40dc3a), TOBN(0xdc84ad22, 0xaecc018f),\n TOBN(0x25c36c7b, 0x3270f04a), TOBN(0x46ba6d47, 0x50fa72ed)},\n {TOBN(0x6c37d1c5, 0x93e58a8e), TOBN(0xa2394731, 0x120c088c),\n TOBN(0xc3be4263, 0xcb6e86da), TOBN(0x2c417d36, 0x7126d038)}},\n {{TOBN(0x5b70f9c5, 0x8b6f8efa), TOBN(0x671a2faa, 0x37718536),\n TOBN(0xd3ced3c6, 0xb539c92b), TOBN(0xe56f1bd9, 0xa31203c2)},\n {TOBN(0x8b096ec4, 0x9ff3c8eb), TOBN(0x2deae432, 0x43491cea),\n TOBN(0x2465c6eb, 0x17943794), TOBN(0x5d267e66, 0x20586843)}},\n {{TOBN(0x9d3d116d, 0xb07159d0), TOBN(0xae07a67f, 0xc1896210),\n TOBN(0x8fc84d87, 0xbb961579), TOBN(0x30009e49, 0x1c1f8dd6)},\n {TOBN(0x8a8caf22, 0xe3132819), TOBN(0xcffa197c, 0xf23ab4ff),\n TOBN(0x58103a44, 0x205dd687), TOBN(0x57b796c3, 0x0ded67a2)}},\n {{TOBN(0x0b9c3a6c, 0xa1779ad7), TOBN(0xa33cfe2e, 0x357c09c5),\n TOBN(0x2ea29315, 0x3db4a57e), TOBN(0x91959695, 0x8ebeb52e)},\n {TOBN(0x118db9a6, 0xe546c879), TOBN(0x8e996df4, 0x6295c8d6),\n TOBN(0xdd990484, 0x55ec806b), TOBN(0x24f291ca, 0x165c1035)}},\n {{TOBN(0xcca523bb, 0x440e2229), TOBN(0x324673a2, 0x73ef4d04),\n TOBN(0xaf3adf34, 0x3e11ec39), TOBN(0x6136d7f1, 0xdc5968d3)},\n {TOBN(0x7a7b2899, 0xb053a927), TOBN(0x3eaa2661, 0xae067ecd),\n TOBN(0x8549b9c8, 0x02779cd9), TOBN(0x061d7940, 0xc53385ea)}},\n {{TOBN(0x3e0ba883, 0xf06d18bd), TOBN(0x4ba6de53, 0xb2700843),\n TOBN(0xb966b668, 0x591a9e4d), TOBN(0x93f67567, 0x7f4fa0ed)},\n {TOBN(0x5a02711b, 0x4347237b), TOBN(0xbc041e2f, 0xe794608e),\n TOBN(0x55af10f5, 0x70f73d8c), TOBN(0xd2d4d4f7, 0xbb7564f7)}},\n {{TOBN(0xd7d27a89, 0xb3e93ce7), TOBN(0xf7b5a875, 0x5d3a2c1b),\n TOBN(0xb29e68a0, 0x255b218a), TOBN(0xb533837e, 0x8af76754)},\n {TOBN(0xd1b05a73, 0x579fab2e), TOBN(0xb41055a1, 0xecd74385),\n TOBN(0xb2369274, 0x445e9115), TOBN(0x2972a7c4, 0xf520274e)}},\n {{TOBN(0x6c08334e, 0xf678e68a), TOBN(0x4e4160f0, 0x99b057ed),\n TOBN(0x3cfe11b8, 0x52ccb69a), TOBN(0x2fd1823a, 0x21c8f772)},\n {TOBN(0xdf7f072f, 0x3298f055), TOBN(0x8c0566f9, 0xfec74a6e),\n TOBN(0xe549e019, 0x5bb4d041), TOBN(0x7c3930ba, 0x9208d850)}},\n {{TOBN(0xe07141fc, 0xaaa2902b), TOBN(0x539ad799, 0xe4f69ad3),\n TOBN(0xa6453f94, 0x813f9ffd), TOBN(0xc58d3c48, 0x375bc2f7)},\n {TOBN(0xb3326fad, 0x5dc64e96), TOBN(0x3aafcaa9, 0xb240e354),\n TOBN(0x1d1b0903, 0xaca1e7a9), TOBN(0x4ceb9767, 0x1211b8a0)}},\n {{TOBN(0xeca83e49, 0xe32a858e), TOBN(0x4c32892e, 0xae907bad),\n TOBN(0xd5b42ab6, 0x2eb9b494), TOBN(0x7fde3ee2, 0x1eabae1b)},\n {TOBN(0x13b5ab09, 0xcaf54957), TOBN(0xbfb028be, 0xe5f5d5d5),\n TOBN(0x928a0650, 0x2003e2c0), TOBN(0x90793aac, 0x67476843)}},\n {{TOBN(0x5e942e79, 0xc81710a0), TOBN(0x557e4a36, 0x27ccadd4),\n TOBN(0x72a2bc56, 0x4bcf6d0c), TOBN(0x09ee5f43, 0x26d7b80c)},\n {TOBN(0x6b70dbe9, 0xd4292f19), TOBN(0x56f74c26, 0x63f16b18),\n TOBN(0xc23db0f7, 0x35fbb42a), TOBN(0xb606bdf6, 0x6ae10040)}},\n {{TOBN(0x1eb15d4d, 0x044573ac), TOBN(0x7dc3cf86, 0x556b0ba4),\n TOBN(0x97af9a33, 0xc60df6f7), TOBN(0x0b1ef85c, 0xa716ce8c)},\n {TOBN(0x2922f884, 0xc96958be), TOBN(0x7c32fa94, 0x35690963),\n TOBN(0x2d7f667c, 0xeaa00061), TOBN(0xeaaf7c17, 0x3547365c)}},\n {{TOBN(0x1eb4de46, 0x87032d58), TOBN(0xc54f3d83, 0x5e2c79e0),\n TOBN(0x07818df4, 0x5d04ef23), TOBN(0x55faa9c8, 0x673d41b4)},\n {TOBN(0xced64f6f, 0x89b95355), TOBN(0x4860d2ea, 0xb7415c84),\n TOBN(0x5fdb9bd2, 0x050ebad3), TOBN(0xdb53e0cc, 0x6685a5bf)}},\n {{TOBN(0xb830c031, 0x9feb6593), TOBN(0xdd87f310, 0x6accff17),\n TOBN(0x2303ebab, 0x9f555c10), TOBN(0x94603695, 0x287e7065)},\n {TOBN(0xf88311c3, 0x2e83358c), TOBN(0x508dd9b4, 0xeefb0178),\n TOBN(0x7ca23706, 0x2dba8652), TOBN(0x62aac5a3, 0x0047abe5)}},\n {{TOBN(0x9a61d2a0, 0x8b1ea7b3), TOBN(0xd495ab63, 0xae8b1485),\n TOBN(0x38740f84, 0x87052f99), TOBN(0x178ebe5b, 0xb2974eea)},\n {TOBN(0x030bbcca, 0x5b36d17f), TOBN(0xb5e4cce3, 0xaaf86eea),\n TOBN(0xb51a0220, 0x68f8e9e0), TOBN(0xa4348796, 0x09eb3e75)}},\n {{TOBN(0xbe592309, 0xeef1a752), TOBN(0x5d7162d7, 0x6f2aa1ed),\n TOBN(0xaebfb5ed, 0x0f007dd2), TOBN(0x255e14b2, 0xc89edd22)},\n {TOBN(0xba85e072, 0x0303b697), TOBN(0xc5d17e25, 0xf05720ff),\n TOBN(0x02b58d6e, 0x5128ebb6), TOBN(0x2c80242d, 0xd754e113)}},\n {{TOBN(0x919fca5f, 0xabfae1ca), TOBN(0x937afaac, 0x1a21459b),\n TOBN(0x9e0ca91c, 0x1f66a4d2), TOBN(0x194cc7f3, 0x23ec1331)},\n {TOBN(0xad25143a, 0x8aa11690), TOBN(0xbe40ad8d, 0x09b59e08),\n TOBN(0x37d60d9b, 0xe750860a), TOBN(0x6c53b008, 0xc6bf434c)}},\n {{TOBN(0xb572415d, 0x1356eb80), TOBN(0xb8bf9da3, 0x9578ded8),\n TOBN(0x22658e36, 0x5e8fb38b), TOBN(0x9b70ce22, 0x5af8cb22)},\n {TOBN(0x7c00018a, 0x829a8180), TOBN(0x84329f93, 0xb81ed295),\n TOBN(0x7c343ea2, 0x5f3cea83), TOBN(0x38f8655f, 0x67586536)}},\n {{TOBN(0xa661a0d0, 0x1d3ec517), TOBN(0x98744652, 0x512321ae),\n TOBN(0x084ca591, 0xeca92598), TOBN(0xa9bb9dc9, 0x1dcb3feb)},\n {TOBN(0x14c54355, 0x78b4c240), TOBN(0x5ed62a3b, 0x610cafdc),\n TOBN(0x07512f37, 0x1b38846b), TOBN(0x571bb70a, 0xb0e38161)}},\n {{TOBN(0xb556b95b, 0x2da705d2), TOBN(0x3ef8ada6, 0xb1a08f98),\n TOBN(0x85302ca7, 0xddecfbe5), TOBN(0x0e530573, 0x943105cd)},\n {TOBN(0x60554d55, 0x21a9255d), TOBN(0x63a32fa1, 0xf2f3802a),\n TOBN(0x35c8c5b0, 0xcd477875), TOBN(0x97f458ea, 0x6ad42da1)}},\n {{TOBN(0x832d7080, 0xeb6b242d), TOBN(0xd30bd023, 0x3b71e246),\n TOBN(0x7027991b, 0xbe31139d), TOBN(0x68797e91, 0x462e4e53)},\n {TOBN(0x423fe20a, 0x6b4e185a), TOBN(0x82f2c67e, 0x42d9b707),\n TOBN(0x25c81768, 0x4cf7811b), TOBN(0xbd53005e, 0x045bb95d)}}},\n {{{TOBN(0xe5f649be, 0x9d8e68fd), TOBN(0xdb0f0533, 0x1b044320),\n TOBN(0xf6fde9b3, 0xe0c33398), TOBN(0x92f4209b, 0x66c8cfae)},\n {TOBN(0xe9d1afcc, 0x1a739d4b), TOBN(0x09aea75f, 0xa28ab8de),\n TOBN(0x14375fb5, 0xeac6f1d0), TOBN(0x6420b560, 0x708f7aa5)}},\n {{TOBN(0x9eae499c, 0x6254dc41), TOBN(0x7e293924, 0x7a837e7e),\n TOBN(0x74aec08c, 0x090524a7), TOBN(0xf82b9219, 0x8d6f55f2)},\n {TOBN(0x493c962e, 0x1402cec5), TOBN(0x9f17ca17, 0xfa2f30e7),\n TOBN(0xbcd783e8, 0xe9b879cb), TOBN(0xea3d8c14, 0x5a6f145f)}},\n {{TOBN(0xdede15e7, 0x5e0dee6e), TOBN(0x74f24872, 0xdc628aa2),\n TOBN(0xd3e9c4fe, 0x7861bb93), TOBN(0x56d4822a, 0x6187b2e0)},\n {TOBN(0xb66417cf, 0xc59826f9), TOBN(0xca260969, 0x2408169e),\n TOBN(0xedf69d06, 0xc79ef885), TOBN(0x00031f8a, 0xdc7d138f)}},\n {{TOBN(0x103c46e6, 0x0ebcf726), TOBN(0x4482b831, 0x6231470e),\n TOBN(0x6f6dfaca, 0x487c2109), TOBN(0x2e0ace97, 0x62e666ef)},\n {TOBN(0x3246a9d3, 0x1f8d1f42), TOBN(0x1b1e83f1, 0x574944d2),\n TOBN(0x13dfa63a, 0xa57f334b), TOBN(0x0cf8daed, 0x9f025d81)}},\n {{TOBN(0x30d78ea8, 0x00ee11c1), TOBN(0xeb053cd4, 0xb5e3dd75),\n TOBN(0x9b65b13e, 0xd58c43c5), TOBN(0xc3ad49bd, 0xbd151663)},\n {TOBN(0x99fd8e41, 0xb6427990), TOBN(0x12cf15bd, 0x707eae1e),\n TOBN(0x29ad4f1b, 0x1aabb71e), TOBN(0x5143e74d, 0x07545d0e)}},\n {{TOBN(0x30266336, 0xc88bdee1), TOBN(0x25f29306, 0x5876767c),\n TOBN(0x9c078571, 0xc6731996), TOBN(0xc88690b2, 0xed552951)},\n {TOBN(0x274f2c2d, 0x852705b4), TOBN(0xb0bf8d44, 0x4e09552d),\n TOBN(0x7628beeb, 0x986575d1), TOBN(0x407be238, 0x7f864651)}},\n {{TOBN(0x0e5e3049, 0xa639fc6b), TOBN(0xe75c35d9, 0x86003625),\n TOBN(0x0cf35bd8, 0x5dcc1646), TOBN(0x8bcaced2, 0x6c26273a)},\n {TOBN(0xe22ecf1d, 0xb5536742), TOBN(0x013dd897, 0x1a9e068b),\n TOBN(0x17f411cb, 0x8a7909c5), TOBN(0x5757ac98, 0x861dd506)}},\n {{TOBN(0x85de1f0d, 0x1e935abb), TOBN(0xdefd10b4, 0x154de37a),\n TOBN(0xb8d9e392, 0x369cebb5), TOBN(0x54d5ef9b, 0x761324be)},\n {TOBN(0x4d6341ba, 0x74f17e26), TOBN(0xc0a0e3c8, 0x78c1dde4),\n TOBN(0xa6d77581, 0x87d918fd), TOBN(0x66876015, 0x02ca3a13)}},\n {{TOBN(0xc7313e9c, 0xf36658f0), TOBN(0xc433ef1c, 0x71f8057e),\n TOBN(0x85326246, 0x1b6a835a), TOBN(0xc8f05398, 0x7c86394c)},\n {TOBN(0xff398cdf, 0xe983c4a1), TOBN(0xbf5e8162, 0x03b7b931),\n TOBN(0x93193c46, 0xb7b9045b), TOBN(0x1e4ebf5d, 0xa4a6e46b)}},\n {{TOBN(0xf9942a60, 0x43a24fe7), TOBN(0x29c1191e, 0xffb3492b),\n TOBN(0x9f662449, 0x902fde05), TOBN(0xc792a7ac, 0x6713c32d)},\n {TOBN(0x2fd88ad8, 0xb737982c), TOBN(0x7e3a0319, 0xa21e60e3),\n TOBN(0x09b0de44, 0x7383591a), TOBN(0x6df141ee, 0x8310a456)}},\n {{TOBN(0xaec1a039, 0xe6d6f471), TOBN(0x14b2ba0f, 0x1198d12e),\n TOBN(0xebc1a160, 0x3aeee5ac), TOBN(0x401f4836, 0xe0b964ce)},\n {TOBN(0x2ee43796, 0x4fd03f66), TOBN(0x3fdb4e49, 0xdd8f3f12),\n TOBN(0x6ef267f6, 0x29380f18), TOBN(0x3e8e9670, 0x8da64d16)}},\n {{TOBN(0xbc19180c, 0x207674f1), TOBN(0x112e09a7, 0x33ae8fdb),\n TOBN(0x99667554, 0x6aaeb71e), TOBN(0x79432af1, 0xe101b1c7)},\n {TOBN(0xd5eb558f, 0xde2ddec6), TOBN(0x81392d1f, 0x5357753f),\n TOBN(0xa7a76b97, 0x3ae1158a), TOBN(0x416fbbff, 0x4a899991)}},\n {{TOBN(0x9e65fdfd, 0x0d4a9dcf), TOBN(0x7bc29e48, 0x944ddf12),\n TOBN(0xbc1a92d9, 0x3c856866), TOBN(0x273c6905, 0x6e98dfe2)},\n {TOBN(0x69fce418, 0xcdfaa6b8), TOBN(0x606bd823, 0x5061c69f),\n TOBN(0x42d495a0, 0x6af75e27), TOBN(0x8ed3d505, 0x6d873a1f)}},\n {{TOBN(0xaf552841, 0x6ab25b6a), TOBN(0xc6c0ffc7, 0x2b1a4523),\n TOBN(0xab18827b, 0x21c99e03), TOBN(0x060e8648, 0x9034691b)},\n {TOBN(0x5207f90f, 0x93c7f398), TOBN(0x9f4a96cb, 0x82f8d10b),\n TOBN(0xdd71cd79, 0x3ad0f9e3), TOBN(0x84f435d2, 0xfc3a54f5)}},\n {{TOBN(0x4b03c55b, 0x8e33787f), TOBN(0xef42f975, 0xa6384673),\n TOBN(0xff7304f7, 0x5051b9f0), TOBN(0x18aca1dc, 0x741c87c2)},\n {TOBN(0x56f120a7, 0x2d4bfe80), TOBN(0xfd823b3d, 0x053e732c),\n TOBN(0x11bccfe4, 0x7537ca16), TOBN(0xdf6c9c74, 0x1b5a996b)}},\n {{TOBN(0xee7332c7, 0x904fc3fa), TOBN(0x14a23f45, 0xc7e3636a),\n TOBN(0xc38659c3, 0xf091d9aa), TOBN(0x4a995e5d, 0xb12d8540)},\n {TOBN(0x20a53bec, 0xf3a5598a), TOBN(0x56534b17, 0xb1eaa995),\n TOBN(0x9ed3dca4, 0xbf04e03c), TOBN(0x716c563a, 0xd8d56268)}},\n {{TOBN(0x27ba77a4, 0x1d6178e7), TOBN(0xe4c80c40, 0x68a1ff8e),\n TOBN(0x75011099, 0x0a13f63d), TOBN(0x7bf33521, 0xa61d46f3)},\n {TOBN(0x0aff218e, 0x10b365bb), TOBN(0x81021804, 0x0fd7ea75),\n TOBN(0x05a3fd8a, 0xa4b3a925), TOBN(0xb829e75f, 0x9b3db4e6)}},\n {{TOBN(0x6bdc75a5, 0x4d53e5fb), TOBN(0x04a5dc02, 0xd52717e3),\n TOBN(0x86af502f, 0xe9a42ec2), TOBN(0x8867e8fb, 0x2630e382)},\n {TOBN(0xbf845c6e, 0xbec9889b), TOBN(0x54f491f2, 0xcb47c98d),\n TOBN(0xa3091fba, 0x790c2a12), TOBN(0xd7f6fd78, 0xc20f708b)}},\n {{TOBN(0xa569ac30, 0xacde5e17), TOBN(0xd0f996d0, 0x6852b4d7),\n TOBN(0xe51d4bb5, 0x4609ae54), TOBN(0x3fa37d17, 0x0daed061)},\n {TOBN(0x62a88684, 0x34b8fb41), TOBN(0x99a2acbd, 0x9efb64f1),\n TOBN(0xb75c1a5e, 0x6448e1f2), TOBN(0xfa99951a, 0x42b5a069)}},\n {{TOBN(0x6d956e89, 0x2f3b26e7), TOBN(0xf4709860, 0xda875247),\n TOBN(0x3ad15179, 0x2482dda3), TOBN(0xd64110e3, 0x017d82f0)},\n {TOBN(0x14928d2c, 0xfad414e4), TOBN(0x2b155f58, 0x2ed02b24),\n TOBN(0x481a141b, 0xcb821bf1), TOBN(0x12e3c770, 0x4f81f5da)}},\n {{TOBN(0xe49c5de5, 0x9fff8381), TOBN(0x11053232, 0x5bbec894),\n TOBN(0xa0d051cc, 0x454d88c4), TOBN(0x4f6db89c, 0x1f8e531b)},\n {TOBN(0x34fe3fd6, 0xca563a44), TOBN(0x7f5c2215, 0x58da8ab9),\n TOBN(0x8445016d, 0x9474f0a1), TOBN(0x17d34d61, 0xcb7d8a0a)}},\n {{TOBN(0x8e9d3910, 0x1c474019), TOBN(0xcaff2629, 0xd52ceefb),\n TOBN(0xf9cf3e32, 0xc1622c2b), TOBN(0xd4b95e3c, 0xe9071a05)},\n {TOBN(0xfbbca61f, 0x1594438c), TOBN(0x1eb6e6a6, 0x04aadedf),\n TOBN(0x853027f4, 0x68e14940), TOBN(0x221d322a, 0xdfabda9c)}},\n {{TOBN(0xed8ea9f6, 0xb7cb179a), TOBN(0xdc7b764d, 0xb7934dcc),\n TOBN(0xfcb13940, 0x5e09180d), TOBN(0x6629a6bf, 0xb47dc2dd)},\n {TOBN(0xbfc55e4e, 0x9f5a915e), TOBN(0xb1db9d37, 0x6204441e),\n TOBN(0xf82d68cf, 0x930c5f53), TOBN(0x17d3a142, 0xcbb605b1)}},\n {{TOBN(0xdd5944ea, 0x308780f2), TOBN(0xdc8de761, 0x3845f5e4),\n TOBN(0x6beaba7d, 0x7624d7a3), TOBN(0x1e709afd, 0x304df11e)},\n {TOBN(0x95364376, 0x02170456), TOBN(0xbf204b3a, 0xc8f94b64),\n TOBN(0x4e53af7c, 0x5680ca68), TOBN(0x0526074a, 0xe0c67574)}},\n {{TOBN(0x95d8cef8, 0xecd92af6), TOBN(0xe6b9fa7a, 0x6cd1745a),\n TOBN(0x3d546d3d, 0xa325c3e4), TOBN(0x1f57691d, 0x9ae93aae)},\n {TOBN(0xe891f3fe, 0x9d2e1a33), TOBN(0xd430093f, 0xac063d35),\n TOBN(0xeda59b12, 0x5513a327), TOBN(0xdc2134f3, 0x5536f18f)}},\n {{TOBN(0xaa51fe2c, 0x5c210286), TOBN(0x3f68aaee, 0x1cab658c),\n TOBN(0x5a23a00b, 0xf9357292), TOBN(0x9a626f39, 0x7efdabed)},\n {TOBN(0xfe2b3bf3, 0x199d78e3), TOBN(0xb7a2af77, 0x71bbc345),\n TOBN(0x3d19827a, 0x1e59802c), TOBN(0x823bbc15, 0xb487a51c)}},\n {{TOBN(0x856139f2, 0x99d0a422), TOBN(0x9ac3df65, 0xf456c6fb),\n TOBN(0xaddf65c6, 0x701f8bd6), TOBN(0x149f321e, 0x3758df87)},\n {TOBN(0xb1ecf714, 0x721b7eba), TOBN(0xe17df098, 0x31a3312a),\n TOBN(0xdb2fd6ec, 0xd5c4d581), TOBN(0xfd02996f, 0x8fcea1b3)}},\n {{TOBN(0xe29fa63e, 0x7882f14f), TOBN(0xc9f6dc35, 0x07c6cadc),\n TOBN(0x46f22d6f, 0xb882bed0), TOBN(0x1a45755b, 0xd118e52c)},\n {TOBN(0x9f2c7c27, 0x7c4608cf), TOBN(0x7ccbdf32, 0x568012c2),\n TOBN(0xfcb0aedd, 0x61729b0e), TOBN(0x7ca2ca9e, 0xf7d75dbf)}},\n {{TOBN(0xf58fecb1, 0x6f640f62), TOBN(0xe274b92b, 0x39f51946),\n TOBN(0x7f4dfc04, 0x6288af44), TOBN(0x0a91f32a, 0xeac329e5)},\n {TOBN(0x43ad274b, 0xd6aaba31), TOBN(0x719a1640, 0x0f6884f9),\n TOBN(0x685d29f6, 0xdaf91e20), TOBN(0x5ec1cc33, 0x27e49d52)}},\n {{TOBN(0x38f4de96, 0x3b54a059), TOBN(0x0e0015e5, 0xefbcfdb3),\n TOBN(0x177d23d9, 0x4dbb8da6), TOBN(0x98724aa2, 0x97a617ad)},\n {TOBN(0x30f0885b, 0xfdb6558e), TOBN(0xf9f7a28a, 0xc7899a96),\n TOBN(0xd2ae8ac8, 0x872dc112), TOBN(0xfa0642ca, 0x73c3c459)}},\n {{TOBN(0x15296981, 0xe7dfc8d6), TOBN(0x67cd4450, 0x1fb5b94a),\n TOBN(0x0ec71cf1, 0x0eddfd37), TOBN(0xc7e5eeb3, 0x9a8eddc7)},\n {TOBN(0x02ac8e3d, 0x81d95028), TOBN(0x0088f172, 0x70b0e35d),\n TOBN(0xec041fab, 0xe1881fe3), TOBN(0x62cf71b8, 0xd99e7faa)}},\n {{TOBN(0x5043dea7, 0xe0f222c2), TOBN(0x309d42ac, 0x72e65142),\n TOBN(0x94fe9ddd, 0x9216cd30), TOBN(0xd6539c7d, 0x0f87feec)},\n {TOBN(0x03c5a57c, 0x432ac7d7), TOBN(0x72692cf0, 0x327fda10),\n TOBN(0xec28c85f, 0x280698de), TOBN(0x2331fb46, 0x7ec283b1)}},\n {{TOBN(0xd34bfa32, 0x2867e633), TOBN(0x78709a82, 0x0a9cc815),\n TOBN(0xb7fe6964, 0x875e2fa5), TOBN(0x25cc064f, 0x9e98bfb5)},\n {TOBN(0x9eb0151c, 0x493a65c5), TOBN(0x5fb5d941, 0x53182464),\n TOBN(0x69e6f130, 0xf04618e2), TOBN(0xa8ecec22, 0xf89c8ab6)}},\n {{TOBN(0xcd6ac88b, 0xb96209bd), TOBN(0x65fa8cdb, 0xb3e1c9e0),\n TOBN(0xa47d22f5, 0x4a8d8eac), TOBN(0x83895cdf, 0x8d33f963)},\n {TOBN(0xa8adca59, 0xb56cd3d1), TOBN(0x10c8350b, 0xdaf38232),\n TOBN(0x2b161fb3, 0xa5080a9f), TOBN(0xbe7f5c64, 0x3af65b3a)}},\n {{TOBN(0x2c754039, 0x97403a11), TOBN(0x94626cf7, 0x121b96af),\n TOBN(0x431de7c4, 0x6a983ec2), TOBN(0x3780dd3a, 0x52cc3df7)},\n {TOBN(0xe28a0e46, 0x2baf8e3b), TOBN(0xabe68aad, 0x51d299ae),\n TOBN(0x603eb8f9, 0x647a2408), TOBN(0x14c61ed6, 0x5c750981)}},\n {{TOBN(0x88b34414, 0xc53352e7), TOBN(0x5a34889c, 0x1337d46e),\n TOBN(0x612c1560, 0xf95f2bc8), TOBN(0x8a3f8441, 0xd4807a3a)},\n {TOBN(0x680d9e97, 0x5224da68), TOBN(0x60cd6e88, 0xc3eb00e9),\n TOBN(0x3875a98e, 0x9a6bc375), TOBN(0xdc80f924, 0x4fd554c2)}},\n {{TOBN(0x6c4b3415, 0x6ac77407), TOBN(0xa1e5ea8f, 0x25420681),\n TOBN(0x541bfa14, 0x4607a458), TOBN(0x5dbc7e7a, 0x96d7fbf9)},\n {TOBN(0x646a851b, 0x31590a47), TOBN(0x039e85ba, 0x15ee6df8),\n TOBN(0xd19fa231, 0xd7b43fc0), TOBN(0x84bc8be8, 0x299a0e04)}},\n {{TOBN(0x2b9d2936, 0xf20df03a), TOBN(0x24054382, 0x8608d472),\n TOBN(0x76b6ba04, 0x9149202a), TOBN(0xb21c3831, 0x3670e7b7)},\n {TOBN(0xddd93059, 0xd6fdee10), TOBN(0x9da47ad3, 0x78488e71),\n TOBN(0x99cc1dfd, 0xa0fcfb25), TOBN(0x42abde10, 0x64696954)}},\n {{TOBN(0x14cc15fc, 0x17eab9fe), TOBN(0xd6e863e4, 0xd3e70972),\n TOBN(0x29a7765c, 0x6432112c), TOBN(0x88660001, 0x5b0774d8)},\n {TOBN(0x3729175a, 0x2c088eae), TOBN(0x13afbcae, 0x8230b8d4),\n TOBN(0x44768151, 0x915f4379), TOBN(0xf086431a, 0xd8d22812)}},\n {{TOBN(0x37461955, 0xc298b974), TOBN(0x905fb5f0, 0xf8711e04),\n TOBN(0x787abf3a, 0xfe969d18), TOBN(0x392167c2, 0x6f6a494e)},\n {TOBN(0xfc7a0d2d, 0x28c511da), TOBN(0xf127c7dc, 0xb66a262d),\n TOBN(0xf9c4bb95, 0xfd63fdf0), TOBN(0x90016589, 0x3913ef46)}},\n {{TOBN(0x74d2a73c, 0x11aa600d), TOBN(0x2f5379bd, 0x9fb5ab52),\n TOBN(0xe49e53a4, 0x7fb70068), TOBN(0x68dd39e5, 0x404aa9a7)},\n {TOBN(0xb9b0cf57, 0x2ecaa9c3), TOBN(0xba0e103b, 0xe824826b),\n TOBN(0x60c2198b, 0x4631a3c4), TOBN(0xc5ff84ab, 0xfa8966a2)}},\n {{TOBN(0x2d6ebe22, 0xac95aff8), TOBN(0x1c9bb6db, 0xb5a46d09),\n TOBN(0x419062da, 0x53ee4f8d), TOBN(0x7b9042d0, 0xbb97efef)},\n {TOBN(0x0f87f080, 0x830cf6bd), TOBN(0x4861d19a, 0x6ec8a6c6),\n TOBN(0xd3a0daa1, 0x202f01aa), TOBN(0xb0111674, 0xf25afbd5)}},\n {{TOBN(0x6d00d6cf, 0x1afb20d9), TOBN(0x13695000, 0x40671bc5),\n TOBN(0x913ab0dc, 0x2485ea9b), TOBN(0x1f2bed06, 0x9eef61ac)},\n {TOBN(0x850c8217, 0x6d799e20), TOBN(0x93415f37, 0x3271c2de),\n TOBN(0x5afb06e9, 0x6c4f5910), TOBN(0x688a52df, 0xc4e9e421)}},\n {{TOBN(0x30495ba3, 0xe2a9a6db), TOBN(0x4601303d, 0x58f9268b),\n TOBN(0xbe3b0dad, 0x7eb0f04f), TOBN(0x4ea47250, 0x4456936d)},\n {TOBN(0x8caf8798, 0xd33fd3e7), TOBN(0x1ccd8a89, 0xeb433708),\n TOBN(0x9effe3e8, 0x87fd50ad), TOBN(0xbe240a56, 0x6b29c4df)}},\n {{TOBN(0xec4ffd98, 0xca0e7ebd), TOBN(0xf586783a, 0xe748616e),\n TOBN(0xa5b00d8f, 0xc77baa99), TOBN(0x0acada29, 0xb4f34c9c)},\n {TOBN(0x36dad67d, 0x0fe723ac), TOBN(0x1d8e53a5, 0x39c36c1e),\n TOBN(0xe4dd342d, 0x1f4bea41), TOBN(0x64fd5e35, 0xebc9e4e0)}},\n {{TOBN(0x96f01f90, 0x57908805), TOBN(0xb5b9ea3d, 0x5ed480dd),\n TOBN(0x366c5dc2, 0x3efd2dd0), TOBN(0xed2fe305, 0x6e9dfa27)},\n {TOBN(0x4575e892, 0x6e9197e2), TOBN(0x11719c09, 0xab502a5d),\n TOBN(0x264c7bec, 0xe81f213f), TOBN(0x741b9241, 0x55f5c457)}},\n {{TOBN(0x78ac7b68, 0x49a5f4f4), TOBN(0xf91d70a2, 0x9fc45b7d),\n TOBN(0x39b05544, 0xb0f5f355), TOBN(0x11f06bce, 0xeef930d9)},\n {TOBN(0xdb84d25d, 0x038d05e1), TOBN(0x04838ee5, 0xbacc1d51),\n TOBN(0x9da3ce86, 0x9e8ee00b), TOBN(0xc3412057, 0xc36eda1f)}},\n {{TOBN(0xae80b913, 0x64d9c2f4), TOBN(0x7468bac3, 0xa010a8ff),\n TOBN(0xdfd20037, 0x37359d41), TOBN(0x1a0f5ab8, 0x15efeacc)},\n {TOBN(0x7c25ad2f, 0x659d0ce0), TOBN(0x4011bcbb, 0x6785cff1),\n TOBN(0x128b9912, 0x7e2192c7), TOBN(0xa549d8e1, 0x13ccb0e8)}},\n {{TOBN(0x805588d8, 0xc85438b1), TOBN(0x5680332d, 0xbc25cb27),\n TOBN(0xdcd1bc96, 0x1a4bfdf4), TOBN(0x779ff428, 0x706f6566)},\n {TOBN(0x8bbee998, 0xf059987a), TOBN(0xf6ce8cf2, 0xcc686de7),\n TOBN(0xf8ad3c4a, 0x953cfdb2), TOBN(0xd1d426d9, 0x2205da36)}},\n {{TOBN(0xb3c0f13f, 0xc781a241), TOBN(0x3e89360e, 0xd75362a8),\n TOBN(0xccd05863, 0xc8a91184), TOBN(0x9bd0c9b7, 0xefa8a7f4)},\n {TOBN(0x97ee4d53, 0x8a912a4b), TOBN(0xde5e15f8, 0xbcf518fd),\n TOBN(0x6a055bf8, 0xc467e1e0), TOBN(0x10be4b4b, 0x1587e256)}},\n {{TOBN(0xd90c14f2, 0x668621c9), TOBN(0xd5518f51, 0xab9c92c1),\n TOBN(0x8e6a0100, 0xd6d47b3c), TOBN(0xcbe980dd, 0x66716175)},\n {TOBN(0x500d3f10, 0xddd83683), TOBN(0x3b6cb35d, 0x99cac73c),\n TOBN(0x53730c8b, 0x6083d550), TOBN(0xcf159767, 0xdf0a1987)}},\n {{TOBN(0x84bfcf53, 0x43ad73b3), TOBN(0x1b528c20, 0x4f035a94),\n TOBN(0x4294edf7, 0x33eeac69), TOBN(0xb6283e83, 0x817f3240)},\n {TOBN(0xc3fdc959, 0x0a5f25b1), TOBN(0xefaf8aa5, 0x5844ee22),\n TOBN(0xde269ba5, 0xdbdde4de), TOBN(0xe3347160, 0xc56133bf)}},\n {{TOBN(0xc1184219, 0x8d9ea9f8), TOBN(0x090de5db, 0xf3fc1ab5),\n TOBN(0x404c37b1, 0x0bf22cda), TOBN(0x7de20ec8, 0xf5618894)},\n {TOBN(0x754c588e, 0xecdaecab), TOBN(0x6ca4b0ed, 0x88342743),\n TOBN(0x76f08bdd, 0xf4a938ec), TOBN(0xd182de89, 0x91493ccb)}},\n {{TOBN(0xd652c53e, 0xc8a4186a), TOBN(0xb3e878db, 0x946d8e33),\n TOBN(0x088453c0, 0x5f37663c), TOBN(0x5cd9daaa, 0xb407748b)},\n {TOBN(0xa1f5197f, 0x586d5e72), TOBN(0x47500be8, 0xc443ca59),\n TOBN(0x78ef35b2, 0xe2652424), TOBN(0x09c5d26f, 0x6dd7767d)}},\n {{TOBN(0x7175a79a, 0xa74d3f7b), TOBN(0x0428fd8d, 0xcf5ea459),\n TOBN(0x511cb97c, 0xa5d1746d), TOBN(0x36363939, 0xe71d1278)},\n {TOBN(0xcf2df955, 0x10350bf4), TOBN(0xb3817439, 0x60aae782),\n TOBN(0xa748c0e4, 0x3e688809), TOBN(0x98021fbf, 0xd7a5a006)}},\n {{TOBN(0x9076a70c, 0x0e367a98), TOBN(0xbea1bc15, 0x0f62b7c2),\n TOBN(0x2645a68c, 0x30fe0343), TOBN(0xacaffa78, 0x699dc14f)},\n {TOBN(0xf4469964, 0x457bf9c4), TOBN(0x0db6407b, 0x0d2ead83),\n TOBN(0x68d56cad, 0xb2c6f3eb), TOBN(0x3b512e73, 0xf376356c)}},\n {{TOBN(0xe43b0e1f, 0xfce10408), TOBN(0x89ddc003, 0x5a5e257d),\n TOBN(0xb0ae0d12, 0x0362e5b3), TOBN(0x07f983c7, 0xb0519161)},\n {TOBN(0xc2e94d15, 0x5d5231e7), TOBN(0xcff22aed, 0x0b4f9513),\n TOBN(0xb02588dd, 0x6ad0b0b5), TOBN(0xb967d1ac, 0x11d0dcd5)}},\n {{TOBN(0x8dac6bc6, 0xcf777b6c), TOBN(0x0062bdbd, 0x4c6d1959),\n TOBN(0x53da71b5, 0x0ef5cc85), TOBN(0x07012c7d, 0x4006f14f)},\n {TOBN(0x4617f962, 0xac47800d), TOBN(0x53365f2b, 0xc102ed75),\n TOBN(0xb422efcb, 0x4ab8c9d3), TOBN(0x195cb26b, 0x34af31c9)}},\n {{TOBN(0x3a926e29, 0x05f2c4ce), TOBN(0xbd2bdecb, 0x9856966c),\n TOBN(0x5d16ab3a, 0x85527015), TOBN(0x9f81609e, 0x4486c231)},\n {TOBN(0xd8b96b2c, 0xda350002), TOBN(0xbd054690, 0xfa1b7d36),\n TOBN(0xdc90ebf5, 0xe71d79bc), TOBN(0xf241b6f9, 0x08964e4e)}},\n {{TOBN(0x7c838643, 0x2fe3cd4c), TOBN(0xe0f33acb, 0xb4bc633c),\n TOBN(0xb4a9ecec, 0x3d139f1f), TOBN(0x05ce69cd, 0xdc4a1f49)},\n {TOBN(0xa19d1b16, 0xf5f98aaf), TOBN(0x45bb71d6, 0x6f23e0ef),\n TOBN(0x33789fcd, 0x46cdfdd3), TOBN(0x9b8e2978, 0xcee040ca)}},\n {{TOBN(0x9c69b246, 0xae0a6828), TOBN(0xba533d24, 0x7078d5aa),\n TOBN(0x7a2e42c0, 0x7bb4fbdb), TOBN(0xcfb4879a, 0x7035385c)},\n {TOBN(0x8c3dd30b, 0x3281705b), TOBN(0x7e361c6c, 0x404fe081),\n TOBN(0x7b21649c, 0x3f604edf), TOBN(0x5dbf6a3f, 0xe52ffe47)}},\n {{TOBN(0xc41b7c23, 0x4b54d9bf), TOBN(0x1374e681, 0x3511c3d9),\n TOBN(0x1863bf16, 0xc1b2b758), TOBN(0x90e78507, 0x1e9e6a96)},\n {TOBN(0xab4bf98d, 0x5d86f174), TOBN(0xd74e0bd3, 0x85e96fe4),\n TOBN(0x8afde39f, 0xcac5d344), TOBN(0x90946dbc, 0xbd91b847)}},\n {{TOBN(0xf5b42358, 0xfe1a838c), TOBN(0x05aae6c5, 0x620ac9d8),\n TOBN(0x8e193bd8, 0xa1ce5a0b), TOBN(0x8f710571, 0x4dabfd72)},\n {TOBN(0x8d8fdd48, 0x182caaac), TOBN(0x8c4aeefa, 0x040745cf),\n TOBN(0x73c6c30a, 0xf3b93e6d), TOBN(0x991241f3, 0x16f42011)}},\n {{TOBN(0xa0158eea, 0xe457a477), TOBN(0xd19857db, 0xee6ddc05),\n TOBN(0xb3265224, 0x18c41671), TOBN(0x3ffdfc7e, 0x3c2c0d58)},\n {TOBN(0x3a3a5254, 0x26ee7cda), TOBN(0x341b0869, 0xdf02c3a8),\n TOBN(0xa023bf42, 0x723bbfc8), TOBN(0x3d15002a, 0x14452691)}}},\n {{{TOBN(0x5ef7324c, 0x85edfa30), TOBN(0x25976554, 0x87d4f3da),\n TOBN(0x352f5bc0, 0xdcb50c86), TOBN(0x8f6927b0, 0x4832a96c)},\n {TOBN(0xd08ee1ba, 0x55f2f94c), TOBN(0x6a996f99, 0x344b45fa),\n TOBN(0xe133cb8d, 0xa8aa455d), TOBN(0x5d0721ec, 0x758dc1f7)}},\n {{TOBN(0x6ba7a920, 0x79e5fb67), TOBN(0xe1331feb, 0x70aa725e),\n TOBN(0x5080ccf5, 0x7df5d837), TOBN(0xe4cae01d, 0x7ff72e21)},\n {TOBN(0xd9243ee6, 0x0412a77d), TOBN(0x06ff7cac, 0xdf449025),\n TOBN(0xbe75f7cd, 0x23ef5a31), TOBN(0xbc957822, 0x0ddef7a8)}},\n {{TOBN(0x8cf7230c, 0xb0ce1c55), TOBN(0x5b534d05, 0x0bbfb607),\n TOBN(0xee1ef113, 0x0e16363b), TOBN(0x27e0aa7a, 0xb4999e82)},\n {TOBN(0xce1dac2d, 0x79362c41), TOBN(0x67920c90, 0x91bb6cb0),\n TOBN(0x1e648d63, 0x2223df24), TOBN(0x0f7d9eef, 0xe32e8f28)}},\n {{TOBN(0x6943f39a, 0xfa833834), TOBN(0x22951722, 0xa6328562),\n TOBN(0x81d63dd5, 0x4170fc10), TOBN(0x9f5fa58f, 0xaecc2e6d)},\n {TOBN(0xb66c8725, 0xe77d9a3b), TOBN(0x11235cea, 0x6384ebe0),\n TOBN(0x06a8c118, 0x5845e24a), TOBN(0x0137b286, 0xebd093b1)}},\n {{TOBN(0xc589e1ce, 0x44ace150), TOBN(0xe0f8d3d9, 0x4381e97c),\n TOBN(0x59e99b11, 0x62c5a4b8), TOBN(0x90d262f7, 0xfd0ec9f9)},\n {TOBN(0xfbc854c9, 0x283e13c9), TOBN(0x2d04fde7, 0xaedc7085),\n TOBN(0x057d7765, 0x47dcbecb), TOBN(0x8dbdf591, 0x9a76fa5f)}},\n {{TOBN(0xd0150695, 0x0de1e578), TOBN(0x2e1463e7, 0xe9f72bc6),\n TOBN(0xffa68441, 0x1b39eca5), TOBN(0x673c8530, 0x7c037f2f)},\n {TOBN(0xd0d6a600, 0x747f91da), TOBN(0xb08d43e1, 0xc9cb78e9),\n TOBN(0x0fc0c644, 0x27b5cef5), TOBN(0x5c1d160a, 0xa60a2fd6)}},\n {{TOBN(0xf98cae53, 0x28c8e13b), TOBN(0x375f10c4, 0xb2eddcd1),\n TOBN(0xd4eb8b7f, 0x5cce06ad), TOBN(0xb4669f45, 0x80a2e1ef)},\n {TOBN(0xd593f9d0, 0x5bbd8699), TOBN(0x5528a4c9, 0xe7976d13),\n TOBN(0x3923e095, 0x1c7e28d3), TOBN(0xb9293790, 0x3f6bb577)}},\n {{TOBN(0xdb567d6a, 0xc42bd6d2), TOBN(0x6df86468, 0xbb1f96ae),\n TOBN(0x0efe5b1a, 0x4843b28e), TOBN(0x961bbb05, 0x6379b240)},\n {TOBN(0xb6caf5f0, 0x70a6a26b), TOBN(0x70686c0d, 0x328e6e39),\n TOBN(0x80da06cf, 0x895fc8d3), TOBN(0x804d8810, 0xb363fdc9)}},\n {{TOBN(0xbe22877b, 0x207f1670), TOBN(0x9b0dd188, 0x4e615291),\n TOBN(0x625ae8dc, 0x97a3c2bf), TOBN(0x08584ef7, 0x439b86e8)},\n {TOBN(0xde7190a5, 0xdcd898ff), TOBN(0x26286c40, 0x2058ee3d),\n TOBN(0x3db0b217, 0x5f87b1c1), TOBN(0xcc334771, 0x102a6db5)}},\n {{TOBN(0xd99de954, 0x2f770fb1), TOBN(0x97c1c620, 0x4cd7535e),\n TOBN(0xd3b6c448, 0x3f09cefc), TOBN(0xd725af15, 0x5a63b4f8)},\n {TOBN(0x0c95d24f, 0xc01e20ec), TOBN(0xdfd37494, 0x9ae7121f),\n TOBN(0x7d6ddb72, 0xec77b7ec), TOBN(0xfe079d3b, 0x0353a4ae)}},\n {{TOBN(0x3066e70a, 0x2e6ac8d2), TOBN(0x9c6b5a43, 0x106e5c05),\n TOBN(0x52d3c6f5, 0xede59b8c), TOBN(0x30d6a5c3, 0xfccec9ae)},\n {TOBN(0xedec7c22, 0x4fc0a9ef), TOBN(0x190ff083, 0x95c16ced),\n TOBN(0xbe12ec8f, 0x94de0fde), TOBN(0x0d131ab8, 0x852d3433)}},\n {{TOBN(0x42ace07e, 0x85701291), TOBN(0x94793ed9, 0x194061a8),\n TOBN(0x30e83ed6, 0xd7f4a485), TOBN(0x9eec7269, 0xf9eeff4d)},\n {TOBN(0x90acba59, 0x0c9d8005), TOBN(0x5feca458, 0x1e79b9d1),\n TOBN(0x8fbe5427, 0x1d506a1e), TOBN(0xa32b2c8e, 0x2439cfa7)}},\n {{TOBN(0x1671c173, 0x73dd0b4e), TOBN(0x37a28214, 0x44a054c6),\n TOBN(0x81760a1b, 0x4e8b53f1), TOBN(0xa6c04224, 0xf9f93b9e)},\n {TOBN(0x18784b34, 0xcf671e3c), TOBN(0x81bbecd2, 0xcda9b994),\n TOBN(0x38831979, 0xb2ab3848), TOBN(0xef54feb7, 0xf2e03c2d)}},\n {{TOBN(0xcf197ca7, 0xfb8088fa), TOBN(0x01427247, 0x4ddc96c5),\n TOBN(0xa2d2550a, 0x30777176), TOBN(0x53469898, 0x4d0cf71d)},\n {TOBN(0x6ce937b8, 0x3a2aaac6), TOBN(0xe9f91dc3, 0x5af38d9b),\n TOBN(0x2598ad83, 0xc8bf2899), TOBN(0x8e706ac9, 0xb5536c16)}},\n {{TOBN(0x40dc7495, 0xf688dc98), TOBN(0x26490cd7, 0x124c4afc),\n TOBN(0xe651ec84, 0x1f18775c), TOBN(0x393ea6c3, 0xb4fdaf4a)},\n {TOBN(0x1e1f3343, 0x7f338e0d), TOBN(0x39fb832b, 0x6053e7b5),\n TOBN(0x46e702da, 0x619e14d5), TOBN(0x859cacd1, 0xcdeef6e0)}},\n {{TOBN(0x63b99ce7, 0x4462007d), TOBN(0xb8ab48a5, 0x4cb5f5b7),\n TOBN(0x9ec673d2, 0xf55edde7), TOBN(0xd1567f74, 0x8cfaefda)},\n {TOBN(0x46381b6b, 0x0887bcec), TOBN(0x694497ce, 0xe178f3c2),\n TOBN(0x5e6525e3, 0x1e6266cb), TOBN(0x5931de26, 0x697d6413)}},\n {{TOBN(0x87f8df7c, 0x0e58d493), TOBN(0xb1ae5ed0, 0x58b73f12),\n TOBN(0xc368f784, 0xdea0c34d), TOBN(0x9bd0a120, 0x859a91a0)},\n {TOBN(0xb00d88b7, 0xcc863c68), TOBN(0x3a1cc11e, 0x3d1f4d65),\n TOBN(0xea38e0e7, 0x0aa85593), TOBN(0x37f13e98, 0x7dc4aee8)}},\n {{TOBN(0x10d38667, 0xbc947bad), TOBN(0x738e07ce, 0x2a36ee2e),\n TOBN(0xc93470cd, 0xc577fcac), TOBN(0xdee1b616, 0x2782470d)},\n {TOBN(0x36a25e67, 0x2e793d12), TOBN(0xd6aa6cae, 0xe0f186da),\n TOBN(0x474d0fd9, 0x80e07af7), TOBN(0xf7cdc47d, 0xba8a5cd4)}},\n {{TOBN(0x28af6d9d, 0xab15247f), TOBN(0x7c789c10, 0x493a537f),\n TOBN(0x7ac9b110, 0x23a334e7), TOBN(0x0236ac09, 0x12c9c277)},\n {TOBN(0xa7e5bd25, 0x1d7a5144), TOBN(0x098b9c2a, 0xf13ec4ec),\n TOBN(0x3639daca, 0xd3f0abca), TOBN(0x642da81a, 0xa23960f9)}},\n {{TOBN(0x7d2e5c05, 0x4f7269b1), TOBN(0xfcf30777, 0xe287c385),\n TOBN(0x10edc84f, 0xf2a46f21), TOBN(0x35441757, 0x4f43fa36)},\n {TOBN(0xf1327899, 0xfd703431), TOBN(0xa438d7a6, 0x16dd587a),\n TOBN(0x65c34c57, 0xe9c8352d), TOBN(0xa728edab, 0x5cc5a24e)}},\n {{TOBN(0xaed78abc, 0x42531689), TOBN(0x0a51a0e8, 0x010963ef),\n TOBN(0x5776fa0a, 0xd717d9b3), TOBN(0xf356c239, 0x7dd3428b)},\n {TOBN(0x29903fff, 0x8d3a3dac), TOBN(0x409597fa, 0x3d94491f),\n TOBN(0x4cd7a5ff, 0xbf4a56a4), TOBN(0xe5096474, 0x8adab462)}},\n {{TOBN(0xa97b5126, 0x5c3427b0), TOBN(0x6401405c, 0xd282c9bd),\n TOBN(0x3629f8d7, 0x222c5c45), TOBN(0xb1c02c16, 0xe8d50aed)},\n {TOBN(0xbea2ed75, 0xd9635bc9), TOBN(0x226790c7, 0x6e24552f),\n TOBN(0x3c33f2a3, 0x65f1d066), TOBN(0x2a43463e, 0x6dfccc2e)}},\n {{TOBN(0x8cc3453a, 0xdb483761), TOBN(0xe7cc6085, 0x65d5672b),\n TOBN(0x277ed6cb, 0xde3efc87), TOBN(0x19f2f368, 0x69234eaf)},\n {TOBN(0x9aaf4317, 0x5c0b800b), TOBN(0x1f1e7c89, 0x8b6da6e2),\n TOBN(0x6cfb4715, 0xb94ec75e), TOBN(0xd590dd5f, 0x453118c2)}},\n {{TOBN(0x14e49da1, 0x1f17a34c), TOBN(0x5420ab39, 0x235a1456),\n TOBN(0xb7637241, 0x2f50363b), TOBN(0x7b15d623, 0xc3fabb6e)},\n {TOBN(0xa0ef40b1, 0xe274e49c), TOBN(0x5cf50744, 0x96b1860a),\n TOBN(0xd6583fbf, 0x66afe5a4), TOBN(0x44240510, 0xf47e3e9a)}},\n {{TOBN(0x99254343, 0x11b2d595), TOBN(0xf1367499, 0xeec8df57),\n TOBN(0x3cb12c61, 0x3e73dd05), TOBN(0xd248c033, 0x7dac102a)},\n {TOBN(0xcf154f13, 0xa77739f5), TOBN(0xbf4288cb, 0x23d2af42),\n TOBN(0xaa64c9b6, 0x32e4a1cf), TOBN(0xee8c07a8, 0xc8a208f3)}},\n {{TOBN(0xe10d4999, 0x6fe8393f), TOBN(0x0f809a3f, 0xe91f3a32),\n TOBN(0x61096d1c, 0x802f63c8), TOBN(0x289e1462, 0x57750d3d)},\n {TOBN(0xed06167e, 0x9889feea), TOBN(0xd5c9c0e2, 0xe0993909),\n TOBN(0x46fca0d8, 0x56508ac6), TOBN(0x91826047, 0x4f1b8e83)}},\n {{TOBN(0x4f2c877a, 0x9a4a2751), TOBN(0x71bd0072, 0xcae6fead),\n TOBN(0x38df8dcc, 0x06aa1941), TOBN(0x5a074b4c, 0x63beeaa8)},\n {TOBN(0xd6d65934, 0xc1cec8ed), TOBN(0xa6ecb49e, 0xaabc03bd),\n TOBN(0xaade91c2, 0xde8a8415), TOBN(0xcfb0efdf, 0x691136e0)}},\n {{TOBN(0x11af45ee, 0x23ab3495), TOBN(0xa132df88, 0x0b77463d),\n TOBN(0x8923c15c, 0x815d06f4), TOBN(0xc3ceb3f5, 0x0d61a436)},\n {TOBN(0xaf52291d, 0xe88fb1da), TOBN(0xea057974, 0x1da12179),\n TOBN(0xb0d7218c, 0xd2fef720), TOBN(0x6c0899c9, 0x8e1d8845)}},\n {{TOBN(0x98157504, 0x752ddad7), TOBN(0xd60bd74f, 0xa1a68a97),\n TOBN(0x7047a3a9, 0xf658fb99), TOBN(0x1f5d86d6, 0x5f8511e4)},\n {TOBN(0xb8a4bc42, 0x4b5a6d88), TOBN(0x69eb2c33, 0x1abefa7d),\n TOBN(0x95bf39e8, 0x13c9c510), TOBN(0xf571960a, 0xd48aab43)}},\n {{TOBN(0x7e8cfbcf, 0x704e23c6), TOBN(0xc71b7d22, 0x28aaa65b),\n TOBN(0xa041b2bd, 0x245e3c83), TOBN(0x69b98834, 0xd21854ff)},\n {TOBN(0x89d227a3, 0x963bfeec), TOBN(0x99947aaa, 0xde7da7cb),\n TOBN(0x1d9ee9db, 0xee68a9b1), TOBN(0x0a08f003, 0x698ec368)}},\n {{TOBN(0xe9ea4094, 0x78ef2487), TOBN(0xc8d2d415, 0x02cfec26),\n TOBN(0xc52f9a6e, 0xb7dcf328), TOBN(0x0ed489e3, 0x85b6a937)},\n {TOBN(0x9b94986b, 0xbef3366e), TOBN(0x0de59c70, 0xedddddb8),\n TOBN(0xffdb748c, 0xeadddbe2), TOBN(0x9b9784bb, 0x8266ea40)}},\n {{TOBN(0x142b5502, 0x1a93507a), TOBN(0xb4cd1187, 0x8d3c06cf),\n TOBN(0xdf70e76a, 0x91ec3f40), TOBN(0x484e81ad, 0x4e7553c2)},\n {TOBN(0x830f87b5, 0x272e9d6e), TOBN(0xea1c93e5, 0xc6ff514a),\n TOBN(0x67cc2adc, 0xc4192a8e), TOBN(0xc77e27e2, 0x42f4535a)}},\n {{TOBN(0x9cdbab36, 0xd2b713c5), TOBN(0x86274ea0, 0xcf7b0cd3),\n TOBN(0x784680f3, 0x09af826b), TOBN(0xbfcc837a, 0x0c72dea3)},\n {TOBN(0xa8bdfe9d, 0xd6529b73), TOBN(0x708aa228, 0x63a88002),\n TOBN(0x6c7a9a54, 0xc91d45b9), TOBN(0xdf1a38bb, 0xfd004f56)}},\n {{TOBN(0x2e8c9a26, 0xb8bad853), TOBN(0x2d52cea3, 0x3723eae7),\n TOBN(0x054d6d81, 0x56ca2830), TOBN(0xa3317d14, 0x9a8dc411)},\n {TOBN(0xa08662fe, 0xfd4ddeda), TOBN(0xed2a153a, 0xb55d792b),\n TOBN(0x7035c16a, 0xbfc6e944), TOBN(0xb6bc5834, 0x00171cf3)}},\n {{TOBN(0xe27152b3, 0x83d102b6), TOBN(0xfe695a47, 0x0646b848),\n TOBN(0xa5bb09d8, 0x916e6d37), TOBN(0xb4269d64, 0x0d17015e)},\n {TOBN(0x8d8156a1, 0x0a1d2285), TOBN(0xfeef6c51, 0x46d26d72),\n TOBN(0x9dac57c8, 0x4c5434a7), TOBN(0x0282e5be, 0x59d39e31)}},\n {{TOBN(0xedfff181, 0x721c486d), TOBN(0x301baf10, 0xbc58824e),\n TOBN(0x8136a6aa, 0x00570031), TOBN(0x55aaf78c, 0x1cddde68)},\n {TOBN(0x26829371, 0x59c63952), TOBN(0x3a3bd274, 0x8bc25baf),\n TOBN(0xecdf8657, 0xb7e52dc3), TOBN(0x2dd8c087, 0xfd78e6c8)}},\n {{TOBN(0x20553274, 0xf5531461), TOBN(0x8b4a1281, 0x5d95499b),\n TOBN(0xe2c8763a, 0x1a80f9d2), TOBN(0xd1dbe32b, 0x4ddec758)},\n {TOBN(0xaf12210d, 0x30c34169), TOBN(0xba74a953, 0x78baa533),\n TOBN(0x3d133c6e, 0xa438f254), TOBN(0xa431531a, 0x201bef5b)}},\n {{TOBN(0x15295e22, 0xf669d7ec), TOBN(0xca374f64, 0x357fb515),\n TOBN(0x8a8406ff, 0xeaa3fdb3), TOBN(0x106ae448, 0xdf3f2da8)},\n {TOBN(0x8f9b0a90, 0x33c8e9a1), TOBN(0x234645e2, 0x71ad5885),\n TOBN(0x3d083224, 0x1c0aed14), TOBN(0xf10a7d3e, 0x7a942d46)}},\n {{TOBN(0x7c11deee, 0x40d5c9be), TOBN(0xb2bae7ff, 0xba84ed98),\n TOBN(0x93e97139, 0xaad58ddd), TOBN(0x3d872796, 0x3f6d1fa3)},\n {TOBN(0x483aca81, 0x8569ff13), TOBN(0x8b89a5fb, 0x9a600f72),\n TOBN(0x4cbc27c3, 0xc06f2b86), TOBN(0x22130713, 0x63ad9c0b)}},\n {{TOBN(0xb5358b1e, 0x48ac2840), TOBN(0x18311294, 0xecba9477),\n TOBN(0xda58f990, 0xa6946b43), TOBN(0x3098baf9, 0x9ab41819)},\n {TOBN(0x66c4c158, 0x4198da52), TOBN(0xab4fc17c, 0x146bfd1b),\n TOBN(0x2f0a4c3c, 0xbf36a908), TOBN(0x2ae9e34b, 0x58cf7838)}},\n {{TOBN(0xf411529e, 0x3fa11b1f), TOBN(0x21e43677, 0x974af2b4),\n TOBN(0x7c20958e, 0xc230793b), TOBN(0x710ea885, 0x16e840f3)},\n {TOBN(0xfc0b21fc, 0xc5dc67cf), TOBN(0x08d51647, 0x88405718),\n TOBN(0xd955c21f, 0xcfe49eb7), TOBN(0x9722a5d5, 0x56dd4a1f)}},\n {{TOBN(0xc9ef50e2, 0xc861baa5), TOBN(0xc0c21a5d, 0x9505ac3e),\n TOBN(0xaf6b9a33, 0x8b7c063f), TOBN(0xc6370339, 0x2f4779c1)},\n {TOBN(0x22df99c7, 0x638167c3), TOBN(0xfe6ffe76, 0x795db30c),\n TOBN(0x2b822d33, 0xa4854989), TOBN(0xfef031dd, 0x30563aa5)}},\n {{TOBN(0x16b09f82, 0xd57c667f), TOBN(0xc70312ce, 0xcc0b76f1),\n TOBN(0xbf04a9e6, 0xc9118aec), TOBN(0x82fcb419, 0x3409d133)},\n {TOBN(0x1a8ab385, 0xab45d44d), TOBN(0xfba07222, 0x617b83a3),\n TOBN(0xb05f50dd, 0x58e81b52), TOBN(0x1d8db553, 0x21ce5aff)}},\n {{TOBN(0x3097b8d4, 0xe344a873), TOBN(0x7d8d116d, 0xfe36d53e),\n TOBN(0x6db22f58, 0x7875e750), TOBN(0x2dc5e373, 0x43e144ea)},\n {TOBN(0xc05f32e6, 0xe799eb95), TOBN(0xe9e5f4df, 0x6899e6ec),\n TOBN(0xbdc3bd68, 0x1fab23d5), TOBN(0xb72b8ab7, 0x73af60e6)}},\n {{TOBN(0x8db27ae0, 0x2cecc84a), TOBN(0x600016d8, 0x7bdb871c),\n TOBN(0x42a44b13, 0xd7c46f58), TOBN(0xb8919727, 0xc3a77d39)},\n {TOBN(0xcfc6bbbd, 0xdafd6088), TOBN(0x1a740146, 0x6bd20d39),\n TOBN(0x8c747abd, 0x98c41072), TOBN(0x4c91e765, 0xbdf68ea1)}},\n {{TOBN(0x7c95e5ca, 0x08819a78), TOBN(0xcf48b729, 0xc9587921),\n TOBN(0x091c7c5f, 0xdebbcc7d), TOBN(0x6f287404, 0xf0e05149)},\n {TOBN(0xf83b5ac2, 0x26cd44ec), TOBN(0x88ae32a6, 0xcfea250e),\n TOBN(0x6ac5047a, 0x1d06ebc5), TOBN(0xc7e550b4, 0xd434f781)}},\n {{TOBN(0x61ab1cf2, 0x5c727bd2), TOBN(0x2e4badb1, 0x1cf915b0),\n TOBN(0x1b4dadec, 0xf69d3920), TOBN(0xe61b1ca6, 0xf14c1dfe)},\n {TOBN(0x90b479cc, 0xbd6bd51f), TOBN(0x8024e401, 0x8045ec30),\n TOBN(0xcab29ca3, 0x25ef0e62), TOBN(0x4f2e9416, 0x49e4ebc0)}},\n {{TOBN(0x45eb40ec, 0x0ccced58), TOBN(0x25cd4b9c, 0x0da44f98),\n TOBN(0x43e06458, 0x871812c6), TOBN(0x99f80d55, 0x16cef651)},\n {TOBN(0x571340c9, 0xce6dc153), TOBN(0x138d5117, 0xd8665521),\n TOBN(0xacdb45bc, 0x4e07014d), TOBN(0x2f34bb38, 0x84b60b91)}},\n {{TOBN(0xf44a4fd2, 0x2ae8921e), TOBN(0xb039288e, 0x892ba1e2),\n TOBN(0x9da50174, 0xb1c180b2), TOBN(0x6b70ab66, 0x1693dc87)},\n {TOBN(0x7e9babc9, 0xe7057481), TOBN(0x4581ddef, 0x9c80dc41),\n TOBN(0x0c890da9, 0x51294682), TOBN(0x0b5629d3, 0x3f4736e5)}},\n {{TOBN(0x2340c79e, 0xb06f5b41), TOBN(0xa42e84ce, 0x4e243469),\n TOBN(0xf9a20135, 0x045a71a9), TOBN(0xefbfb415, 0xd27b6fb6)},\n {TOBN(0x25ebea23, 0x9d33cd6f), TOBN(0x9caedb88, 0xaa6c0af8),\n TOBN(0x53dc7e9a, 0xd9ce6f96), TOBN(0x3897f9fd, 0x51e0b15a)}},\n {{TOBN(0xf51cb1f8, 0x8e5d788e), TOBN(0x1aec7ba8, 0xe1d490ee),\n TOBN(0x265991e0, 0xcc58cb3c), TOBN(0x9f306e8c, 0x9fc3ad31)},\n {TOBN(0x5fed006e, 0x5040a0ac), TOBN(0xca9d5043, 0xfb476f2e),\n TOBN(0xa19c06e8, 0xbeea7a23), TOBN(0xd2865801, 0x0edabb63)}},\n {{TOBN(0xdb92293f, 0x6967469a), TOBN(0x2894d839, 0x8d8a8ed8),\n TOBN(0x87c9e406, 0xbbc77122), TOBN(0x8671c6f1, 0x2ea3a26a)},\n {TOBN(0xe42df8d6, 0xd7de9853), TOBN(0x2e3ce346, 0xb1f2bcc7),\n TOBN(0xda601dfc, 0x899d50cf), TOBN(0xbfc913de, 0xfb1b598f)}},\n {{TOBN(0x81c4909f, 0xe61f7908), TOBN(0x192e304f, 0x9bbc7b29),\n TOBN(0xc3ed8738, 0xc104b338), TOBN(0xedbe9e47, 0x783f5d61)},\n {TOBN(0x0c06e9be, 0x2db30660), TOBN(0xda3e613f, 0xc0eb7d8e),\n TOBN(0xd8fa3e97, 0x322e096e), TOBN(0xfebd91e8, 0xd336e247)}},\n {{TOBN(0x8f13ccc4, 0xdf655a49), TOBN(0xa9e00dfc, 0x5eb20210),\n TOBN(0x84631d0f, 0xc656b6ea), TOBN(0x93a058cd, 0xd8c0d947)},\n {TOBN(0x6846904a, 0x67bd3448), TOBN(0x4a3d4e1a, 0xf394fd5c),\n TOBN(0xc102c1a5, 0xdb225f52), TOBN(0xe3455bba, 0xfc4f5e9a)}},\n {{TOBN(0x6b36985b, 0x4b9ad1ce), TOBN(0xa9818536, 0x5bb7f793),\n TOBN(0x6c25e1d0, 0x48b1a416), TOBN(0x1381dd53, 0x3c81bee7)},\n {TOBN(0xd2a30d61, 0x7a4a7620), TOBN(0xc8412926, 0x39b8944c),\n TOBN(0x3c1c6fbe, 0x7a97c33a), TOBN(0x941e541d, 0x938664e7)}},\n {{TOBN(0x417499e8, 0x4a34f239), TOBN(0x15fdb83c, 0xb90402d5),\n TOBN(0xb75f46bf, 0x433aa832), TOBN(0xb61e15af, 0x63215db1)},\n {TOBN(0xaabe59d4, 0xa127f89a), TOBN(0x5d541e0c, 0x07e816da),\n TOBN(0xaaba0659, 0xa618b692), TOBN(0x55327733, 0x17266026)}},\n {{TOBN(0xaf53a0fc, 0x95f57552), TOBN(0x32947650, 0x6cacb0c9),\n TOBN(0x253ff58d, 0xc821be01), TOBN(0xb0309531, 0xa06f1146)},\n {TOBN(0x59bbbdf5, 0x05c2e54d), TOBN(0x158f27ad, 0x26e8dd22),\n TOBN(0xcc5b7ffb, 0x397e1e53), TOBN(0xae03f65b, 0x7fc1e50d)}},\n {{TOBN(0xa9784ebd, 0x9c95f0f9), TOBN(0x5ed9deb2, 0x24640771),\n TOBN(0x31244af7, 0x035561c4), TOBN(0x87332f3a, 0x7ee857de)},\n {TOBN(0x09e16e9e, 0x2b9e0d88), TOBN(0x52d910f4, 0x56a06049),\n TOBN(0x507ed477, 0xa9592f48), TOBN(0x85cb917b, 0x2365d678)}},\n {{TOBN(0xf8511c93, 0x4c8998d1), TOBN(0x2186a3f1, 0x730ea58f),\n TOBN(0x50189626, 0xb2029db0), TOBN(0x9137a6d9, 0x02ceb75a)},\n {TOBN(0x2fe17f37, 0x748bc82c), TOBN(0x87c2e931, 0x80469f8c),\n TOBN(0x850f71cd, 0xbf891aa2), TOBN(0x0ca1b89b, 0x75ec3d8d)}},\n {{TOBN(0x516c43aa, 0x5e1cd3cd), TOBN(0x89397808, 0x9a887c28),\n TOBN(0x0059c699, 0xddea1f9f), TOBN(0x7737d6fa, 0x8e6868f7)},\n {TOBN(0x6d93746a, 0x60f1524b), TOBN(0x36985e55, 0xba052aa7),\n TOBN(0x41b1d322, 0xed923ea5), TOBN(0x3429759f, 0x25852a11)}},\n {{TOBN(0xbeca6ec3, 0x092e9f41), TOBN(0x3a238c66, 0x62256bbd),\n TOBN(0xd82958ea, 0x70ad487d), TOBN(0x4ac8aaf9, 0x65610d93)},\n {TOBN(0x3fa101b1, 0x5e4ccab0), TOBN(0x9bf430f2, 0x9de14bfb),\n TOBN(0xa10f5cc6, 0x6531899d), TOBN(0x590005fb, 0xea8ce17d)}},\n {{TOBN(0xc437912f, 0x24544cb6), TOBN(0x9987b71a, 0xd79ac2e3),\n TOBN(0x13e3d9dd, 0xc058a212), TOBN(0x00075aac, 0xd2de9606)},\n {TOBN(0x80ab508b, 0x6cac8369), TOBN(0x87842be7, 0xf54f6c89),\n TOBN(0xa7ad663d, 0x6bc532a4), TOBN(0x67813de7, 0x78a91bc8)}},\n {{TOBN(0x5dcb61ce, 0xc3427239), TOBN(0x5f3c7cf0, 0xc56934d9),\n TOBN(0xc079e0fb, 0xe3191591), TOBN(0xe40896bd, 0xb01aada7)},\n {TOBN(0x8d466791, 0x0492d25f), TOBN(0x8aeb30c9, 0xe7408276),\n TOBN(0xe9437495, 0x9287aacc), TOBN(0x23d4708d, 0x79fe03d4)}},\n {{TOBN(0x8cda9cf2, 0xd0c05199), TOBN(0x502fbc22, 0xfae78454),\n TOBN(0xc0bda9df, 0xf572a182), TOBN(0x5f9b71b8, 0x6158b372)},\n {TOBN(0xe0f33a59, 0x2b82dd07), TOBN(0x76302735, 0x9523032e),\n TOBN(0x7fe1a721, 0xc4505a32), TOBN(0x7b6e3e82, 0xf796409f)}}},\n {{{TOBN(0xe3417bc0, 0x35d0b34a), TOBN(0x440b386b, 0x8327c0a7),\n TOBN(0x8fb7262d, 0xac0362d1), TOBN(0x2c41114c, 0xe0cdf943)},\n {TOBN(0x2ba5cef1, 0xad95a0b1), TOBN(0xc09b37a8, 0x67d54362),\n TOBN(0x26d6cdd2, 0x01e486c9), TOBN(0x20477abf, 0x42ff9297)}},\n {{TOBN(0xa004dcb3, 0x292a9287), TOBN(0xddc15cf6, 0x77b092c7),\n TOBN(0x083a8464, 0x806c0605), TOBN(0x4a68df70, 0x3db997b0)},\n {TOBN(0x9c134e45, 0x05bf7dd0), TOBN(0xa4e63d39, 0x8ccf7f8c),\n TOBN(0xa6e6517f, 0x41b5f8af), TOBN(0xaa8b9342, 0xad7bc1cc)}},\n {{TOBN(0x126f35b5, 0x1e706ad9), TOBN(0xb99cebb4, 0xc3a9ebdf),\n TOBN(0xa75389af, 0xbf608d90), TOBN(0x76113c4f, 0xc6c89858)},\n {TOBN(0x80de8eb0, 0x97e2b5aa), TOBN(0x7e1022cc, 0x63b91304),\n TOBN(0x3bdab605, 0x6ccc066c), TOBN(0x33cbb144, 0xb2edf900)}},\n {{TOBN(0xc4176471, 0x7af715d2), TOBN(0xe2f7f594, 0xd0134a96),\n TOBN(0x2c1873ef, 0xa41ec956), TOBN(0xe4e7b4f6, 0x77821304)},\n {TOBN(0xe5c8ff97, 0x88d5374a), TOBN(0x2b915e63, 0x80823d5b),\n TOBN(0xea6bc755, 0xb2ee8fe2), TOBN(0x6657624c, 0xe7112651)}},\n {{TOBN(0x157af101, 0xdace5aca), TOBN(0xc4fdbcf2, 0x11a6a267),\n TOBN(0xdaddf340, 0xc49c8609), TOBN(0x97e49f52, 0xe9604a65)},\n {TOBN(0x9be8e790, 0x937e2ad5), TOBN(0x846e2508, 0x326e17f1),\n TOBN(0x3f38007a, 0x0bbbc0dc), TOBN(0xcf03603f, 0xb11e16d6)}},\n {{TOBN(0xd6f800e0, 0x7442f1d5), TOBN(0x475607d1, 0x66e0e3ab),\n TOBN(0x82807f16, 0xb7c64047), TOBN(0x8858e1e3, 0xa749883d)},\n {TOBN(0x5859120b, 0x8231ee10), TOBN(0x1b80e7eb, 0x638a1ece),\n TOBN(0xcb72525a, 0xc6aa73a4), TOBN(0xa7cdea3d, 0x844423ac)}},\n {{TOBN(0x5ed0c007, 0xf8ae7c38), TOBN(0x6db07a5c, 0x3d740192),\n TOBN(0xbe5e9c2a, 0x5fe36db3), TOBN(0xd5b9d57a, 0x76e95046)},\n {TOBN(0x54ac32e7, 0x8eba20f2), TOBN(0xef11ca8f, 0x71b9a352),\n TOBN(0x305e373e, 0xff98a658), TOBN(0xffe5a100, 0x823eb667)}},\n {{TOBN(0x57477b11, 0xe51732d2), TOBN(0xdfd6eb28, 0x2538fc0e),\n TOBN(0x5c43b0cc, 0x3b39eec5), TOBN(0x6af12778, 0xcb36cc57)},\n {TOBN(0x70b0852d, 0x06c425ae), TOBN(0x6df92f8c, 0x5c221b9b),\n TOBN(0x6c8d4f9e, 0xce826d9c), TOBN(0xf59aba7b, 0xb49359c3)}},\n {{TOBN(0x5c8ed8d5, 0xda64309d), TOBN(0x61a6de56, 0x91b30704),\n TOBN(0xd6b52f6a, 0x2f9b5808), TOBN(0x0eee4194, 0x98c958a7)},\n {TOBN(0xcddd9aab, 0x771e4caa), TOBN(0x83965dfd, 0x78bc21be),\n TOBN(0x02affce3, 0xb3b504f5), TOBN(0x30847a21, 0x561c8291)}},\n {{TOBN(0xd2eb2cf1, 0x52bfda05), TOBN(0xe0e4c4e9, 0x6197b98c),\n TOBN(0x1d35076c, 0xf8a1726f), TOBN(0x6c06085b, 0x2db11e3d)},\n {TOBN(0x15c0c4d7, 0x4463ba14), TOBN(0x9d292f83, 0x0030238c),\n TOBN(0x1311ee8b, 0x3727536d), TOBN(0xfeea86ef, 0xbeaedc1e)}},\n {{TOBN(0xb9d18cd3, 0x66131e2e), TOBN(0xf31d974f, 0x80fe2682),\n TOBN(0xb6e49e0f, 0xe4160289), TOBN(0x7c48ec0b, 0x08e92799)},\n {TOBN(0x818111d8, 0xd1989aa7), TOBN(0xb34fa0aa, 0xebf926f9),\n TOBN(0xdb5fe2f5, 0xa245474a), TOBN(0xf80a6ebb, 0x3c7ca756)}},\n {{TOBN(0xa7f96054, 0xafa05dd8), TOBN(0x26dfcf21, 0xfcaf119e),\n TOBN(0xe20ef2e3, 0x0564bb59), TOBN(0xef4dca50, 0x61cb02b8)},\n {TOBN(0xcda7838a, 0x65d30672), TOBN(0x8b08d534, 0xfd657e86),\n TOBN(0x4c5b4395, 0x46d595c8), TOBN(0x39b58725, 0x425cb836)}},\n {{TOBN(0x8ea61059, 0x3de9abe3), TOBN(0x40434881, 0x9cdc03be),\n TOBN(0x9b261245, 0xcfedce8c), TOBN(0x78c318b4, 0xcf5234a1)},\n {TOBN(0x510bcf16, 0xfde24c99), TOBN(0x2a77cb75, 0xa2c2ff5d),\n TOBN(0x9c895c2b, 0x27960fb4), TOBN(0xd30ce975, 0xb0eda42b)}},\n {{TOBN(0xfda85393, 0x1a62cc26), TOBN(0x23c69b96, 0x50c0e052),\n TOBN(0xa227df15, 0xbfc633f3), TOBN(0x2ac78848, 0x1bae7d48)},\n {TOBN(0x487878f9, 0x187d073d), TOBN(0x6c2be919, 0x967f807d),\n TOBN(0x765861d8, 0x336e6d8f), TOBN(0x88b8974c, 0xce528a43)}},\n {{TOBN(0x09521177, 0xff57d051), TOBN(0x2ff38037, 0xfb6a1961),\n TOBN(0xfc0aba74, 0xa3d76ad4), TOBN(0x7c764803, 0x25a7ec17)},\n {TOBN(0x7532d75f, 0x48879bc8), TOBN(0xea7eacc0, 0x58ce6bc1),\n TOBN(0xc82176b4, 0x8e896c16), TOBN(0x9a30e0b2, 0x2c750fed)}},\n {{TOBN(0xc37e2c2e, 0x421d3aa4), TOBN(0xf926407c, 0xe84fa840),\n TOBN(0x18abc03d, 0x1454e41c), TOBN(0x26605ecd, 0x3f7af644)},\n {TOBN(0x242341a6, 0xd6a5eabf), TOBN(0x1edb84f4, 0x216b668e),\n TOBN(0xd836edb8, 0x04010102), TOBN(0x5b337ce7, 0x945e1d8c)}},\n {{TOBN(0xd2075c77, 0xc055dc14), TOBN(0x2a0ffa25, 0x81d89cdf),\n TOBN(0x8ce815ea, 0x6ffdcbaf), TOBN(0xa3428878, 0xfb648867)},\n {TOBN(0x277699cf, 0x884655fb), TOBN(0xfa5b5bd6, 0x364d3e41),\n TOBN(0x01f680c6, 0x441e1cb7), TOBN(0x3fd61e66, 0xb70a7d67)}},\n {{TOBN(0x666ba2dc, 0xcc78cf66), TOBN(0xb3018174, 0x6fdbff77),\n TOBN(0x8d4dd0db, 0x168d4668), TOBN(0x259455d0, 0x1dab3a2a)},\n {TOBN(0xf58564c5, 0xcde3acec), TOBN(0x77141925, 0x13adb276),\n TOBN(0x527d725d, 0x8a303f65), TOBN(0x55deb6c9, 0xe6f38f7b)}},\n {{TOBN(0xfd5bb657, 0xb1fa70fb), TOBN(0xfa07f50f, 0xd8073a00),\n TOBN(0xf72e3aa7, 0xbca02500), TOBN(0xf68f895d, 0x9975740d)},\n {TOBN(0x30112060, 0x5cae2a6a), TOBN(0x01bd7218, 0x02874842),\n TOBN(0x3d423891, 0x7ce47bd3), TOBN(0xa66663c1, 0x789544f6)}},\n {{TOBN(0x864d05d7, 0x3272d838), TOBN(0xe22924f9, 0xfa6295c5),\n TOBN(0x8189593f, 0x6c2fda32), TOBN(0x330d7189, 0xb184b544)},\n {TOBN(0x79efa62c, 0xbde1f714), TOBN(0x35771c94, 0xe5cb1a63),\n TOBN(0x2f4826b8, 0x641c8332), TOBN(0x00a894fb, 0xc8cee854)}},\n {{TOBN(0xb4b9a39b, 0x36194d40), TOBN(0xe857a7c5, 0x77612601),\n TOBN(0xf4209dd2, 0x4ecf2f58), TOBN(0x82b9e66d, 0x5a033487)},\n {TOBN(0xc1e36934, 0xe4e8b9dd), TOBN(0xd2372c9d, 0xa42377d7),\n TOBN(0x51dc94c7, 0x0e3ae43b), TOBN(0x4c57761e, 0x04474f6f)}},\n {{TOBN(0xdcdacd0a, 0x1058a318), TOBN(0x369cf3f5, 0x78053a9a),\n TOBN(0xc6c3de50, 0x31c68de2), TOBN(0x4653a576, 0x3c4b6d9f)},\n {TOBN(0x1688dd5a, 0xaa4e5c97), TOBN(0x5be80aa1, 0xb7ab3c74),\n TOBN(0x70cefe7c, 0xbc65c283), TOBN(0x57f95f13, 0x06867091)}},\n {{TOBN(0xa39114e2, 0x4415503b), TOBN(0xc08ff7c6, 0x4cbb17e9),\n TOBN(0x1eff674d, 0xd7dec966), TOBN(0x6d4690af, 0x53376f63)},\n {TOBN(0xff6fe32e, 0xea74237b), TOBN(0xc436d17e, 0xcd57508e),\n TOBN(0x15aa28e1, 0xedcc40fe), TOBN(0x0d769c04, 0x581bbb44)}},\n {{TOBN(0xc240b6de, 0x34eaacda), TOBN(0xd9e116e8, 0x2ba0f1de),\n TOBN(0xcbe45ec7, 0x79438e55), TOBN(0x91787c9d, 0x96f752d7)},\n {TOBN(0x897f532b, 0xf129ac2f), TOBN(0xd307b7c8, 0x5a36e22c),\n TOBN(0x91940675, 0x749fb8f3), TOBN(0xd14f95d0, 0x157fdb28)}},\n {{TOBN(0xfe51d029, 0x6ae55043), TOBN(0x8931e98f, 0x44a87de1),\n TOBN(0xe57f1cc6, 0x09e4fee2), TOBN(0x0d063b67, 0x4e072d92)},\n {TOBN(0x70a998b9, 0xed0e4316), TOBN(0xe74a736b, 0x306aca46),\n TOBN(0xecf0fbf2, 0x4fda97c7), TOBN(0xa40f65cb, 0x3e178d93)}},\n {{TOBN(0x16253604, 0x16df4285), TOBN(0xb0c9babb, 0xd0c56ae2),\n TOBN(0x73032b19, 0xcfc5cfc3), TOBN(0xe497e5c3, 0x09752056)},\n {TOBN(0x12096bb4, 0x164bda96), TOBN(0x1ee42419, 0xa0b74da1),\n TOBN(0x8fc36243, 0x403826ba), TOBN(0x0c8f0069, 0xdc09e660)}},\n {{TOBN(0x8667e981, 0xc27253c9), TOBN(0x05a6aefb, 0x92b36a45),\n TOBN(0xa62c4b36, 0x9cb7bb46), TOBN(0x8394f375, 0x11f7027b)},\n {TOBN(0x747bc79c, 0x5f109d0f), TOBN(0xcad88a76, 0x5b8cc60a),\n TOBN(0x80c5a66b, 0x58f09e68), TOBN(0xe753d451, 0xf6127eac)}},\n {{TOBN(0xc44b74a1, 0x5b0ec6f5), TOBN(0x47989fe4, 0x5289b2b8),\n TOBN(0x745f8484, 0x58d6fc73), TOBN(0xec362a6f, 0xf61c70ab)},\n {TOBN(0x070c98a7, 0xb3a8ad41), TOBN(0x73a20fc0, 0x7b63db51),\n TOBN(0xed2c2173, 0xf44c35f4), TOBN(0x8a56149d, 0x9acc9dca)}},\n {{TOBN(0x98f17881, 0x9ac6e0f4), TOBN(0x360fdeaf, 0xa413b5ed),\n TOBN(0x0625b8f4, 0xa300b0fd), TOBN(0xf1f4d76a, 0x5b3222d3)},\n {TOBN(0x9d6f5109, 0x587f76b8), TOBN(0x8b4ee08d, 0x2317fdb5),\n TOBN(0x88089bb7, 0x8c68b095), TOBN(0x95570e9a, 0x5808d9b9)}},\n {{TOBN(0xa395c36f, 0x35d33ae7), TOBN(0x200ea123, 0x50bb5a94),\n TOBN(0x20c789bd, 0x0bafe84b), TOBN(0x243ef52d, 0x0919276a)},\n {TOBN(0x3934c577, 0xe23ae233), TOBN(0xb93807af, 0xa460d1ec),\n TOBN(0xb72a53b1, 0xf8fa76a4), TOBN(0xd8914cb0, 0xc3ca4491)}},\n {{TOBN(0x2e128494, 0x3fb42622), TOBN(0x3b2700ac, 0x500907d5),\n TOBN(0xf370fb09, 0x1a95ec63), TOBN(0xf8f30be2, 0x31b6dfbd)},\n {TOBN(0xf2b2f8d2, 0x69e55f15), TOBN(0x1fead851, 0xcc1323e9),\n TOBN(0xfa366010, 0xd9e5eef6), TOBN(0x64d487b0, 0xe316107e)}},\n {{TOBN(0x4c076b86, 0xd23ddc82), TOBN(0x03fd344c, 0x7e0143f0),\n TOBN(0xa95362ff, 0x317af2c5), TOBN(0x0add3db7, 0xe18b7a4f)},\n {TOBN(0x9c673e3f, 0x8260e01b), TOBN(0xfbeb49e5, 0x54a1cc91),\n TOBN(0x91351bf2, 0x92f2e433), TOBN(0xc755e7ec, 0x851141eb)}},\n {{TOBN(0xc9a95139, 0x29607745), TOBN(0x0ca07420, 0xa26f2b28),\n TOBN(0xcb2790e7, 0x4bc6f9dd), TOBN(0x345bbb58, 0xadcaffc0)},\n {TOBN(0xc65ea38c, 0xbe0f27a2), TOBN(0x67c24d7c, 0x641fcb56),\n TOBN(0x2c25f0a7, 0xa9e2c757), TOBN(0x93f5cdb0, 0x16f16c49)}},\n {{TOBN(0x2ca5a9d7, 0xc5ee30a1), TOBN(0xd1593635, 0xb909b729),\n TOBN(0x804ce9f3, 0xdadeff48), TOBN(0xec464751, 0xb07c30c3)},\n {TOBN(0x89d65ff3, 0x9e49af6a), TOBN(0xf2d6238a, 0x6f3d01bc),\n TOBN(0x1095561e, 0x0bced843), TOBN(0x51789e12, 0xc8a13fd8)}},\n {{TOBN(0xd633f929, 0x763231df), TOBN(0x46df9f7d, 0xe7cbddef),\n TOBN(0x01c889c0, 0xcb265da8), TOBN(0xfce1ad10, 0xaf4336d2)},\n {TOBN(0x8d110df6, 0xfc6a0a7e), TOBN(0xdd431b98, 0x6da425dc),\n TOBN(0xcdc4aeab, 0x1834aabe), TOBN(0x84deb124, 0x8439b7fc)}},\n {{TOBN(0x8796f169, 0x3c2a5998), TOBN(0x9b9247b4, 0x7947190d),\n TOBN(0x55b9d9a5, 0x11597014), TOBN(0x7e9dd70d, 0x7b1566ee)},\n {TOBN(0x94ad78f7, 0xcbcd5e64), TOBN(0x0359ac17, 0x9bd4c032),\n TOBN(0x3b11baaf, 0x7cc222ae), TOBN(0xa6a6e284, 0xba78e812)}},\n {{TOBN(0x8392053f, 0x24cea1a0), TOBN(0xc97bce4a, 0x33621491),\n TOBN(0x7eb1db34, 0x35399ee9), TOBN(0x473f78ef, 0xece81ad1)},\n {TOBN(0x41d72fe0, 0xf63d3d0d), TOBN(0xe620b880, 0xafab62fc),\n TOBN(0x92096bc9, 0x93158383), TOBN(0x41a21357, 0x8f896f6c)}},\n {{TOBN(0x1b5ee2fa, 0xc7dcfcab), TOBN(0x650acfde, 0x9546e007),\n TOBN(0xc081b749, 0xb1b02e07), TOBN(0xda9e41a0, 0xf9eca03d)},\n {TOBN(0x013ba727, 0x175a54ab), TOBN(0xca0cd190, 0xea5d8d10),\n TOBN(0x85ea52c0, 0x95fd96a9), TOBN(0x2c591b9f, 0xbc5c3940)}},\n {{TOBN(0x6fb4d4e4, 0x2bad4d5f), TOBN(0xfa4c3590, 0xfef0059b),\n TOBN(0x6a10218a, 0xf5122294), TOBN(0x9a78a81a, 0xa85751d1)},\n {TOBN(0x04f20579, 0xa98e84e7), TOBN(0xfe1242c0, 0x4997e5b5),\n TOBN(0xe77a273b, 0xca21e1e4), TOBN(0xfcc8b1ef, 0x9411939d)}},\n {{TOBN(0xe20ea302, 0x92d0487a), TOBN(0x1442dbec, 0x294b91fe),\n TOBN(0x1f7a4afe, 0xbb6b0e8f), TOBN(0x1700ef74, 0x6889c318)},\n {TOBN(0xf5bbffc3, 0x70f1fc62), TOBN(0x3b31d4b6, 0x69c79cca),\n TOBN(0xe8bc2aab, 0xa7f6340d), TOBN(0xb0b08ab4, 0xa725e10a)}},\n {{TOBN(0x44f05701, 0xae340050), TOBN(0xba4b3016, 0x1cf0c569),\n TOBN(0x5aa29f83, 0xfbe19a51), TOBN(0x1b9ed428, 0xb71d752e)},\n {TOBN(0x1666e54e, 0xeb4819f5), TOBN(0x616cdfed, 0x9e18b75b),\n TOBN(0x112ed5be, 0x3ee27b0b), TOBN(0xfbf28319, 0x44c7de4d)}},\n {{TOBN(0xd685ec85, 0xe0e60d84), TOBN(0x68037e30, 0x1db7ee78),\n TOBN(0x5b65bdcd, 0x003c4d6e), TOBN(0x33e7363a, 0x93e29a6a)},\n {TOBN(0x995b3a61, 0x08d0756c), TOBN(0xd727f85c, 0x2faf134b),\n TOBN(0xfac6edf7, 0x1d337823), TOBN(0x99b9aa50, 0x0439b8b4)}},\n {{TOBN(0x722eb104, 0xe2b4e075), TOBN(0x49987295, 0x437c4926),\n TOBN(0xb1e4c0e4, 0x46a9b82d), TOBN(0xd0cb3197, 0x57a006f5)},\n {TOBN(0xf3de0f7d, 0xd7808c56), TOBN(0xb5c54d8f, 0x51f89772),\n TOBN(0x500a114a, 0xadbd31aa), TOBN(0x9afaaaa6, 0x295f6cab)}},\n {{TOBN(0x94705e21, 0x04cf667a), TOBN(0xfc2a811b, 0x9d3935d7),\n TOBN(0x560b0280, 0x6d09267c), TOBN(0xf19ed119, 0xf780e53b)},\n {TOBN(0xf0227c09, 0x067b6269), TOBN(0x967b8533, 0x5caef599),\n TOBN(0x155b9243, 0x68efeebc), TOBN(0xcd6d34f5, 0xc497bae6)}},\n {{TOBN(0x1dd8d5d3, 0x6cceb370), TOBN(0x2aeac579, 0xa78d7bf9),\n TOBN(0x5d65017d, 0x70b67a62), TOBN(0x70c8e44f, 0x17c53f67)},\n {TOBN(0xd1fc0950, 0x86a34d09), TOBN(0xe0fca256, 0xe7134907),\n TOBN(0xe24fa29c, 0x80fdd315), TOBN(0x2c4acd03, 0xd87499ad)}},\n {{TOBN(0xbaaf7517, 0x3b5a9ba6), TOBN(0xb9cbe1f6, 0x12e51a51),\n TOBN(0xd88edae3, 0x5e154897), TOBN(0xe4309c3c, 0x77b66ca0)},\n {TOBN(0xf5555805, 0xf67f3746), TOBN(0x85fc37ba, 0xa36401ff),\n TOBN(0xdf86e2ca, 0xd9499a53), TOBN(0x6270b2a3, 0xecbc955b)}},\n {{TOBN(0xafae64f5, 0x974ad33b), TOBN(0x04d85977, 0xfe7b2df1),\n TOBN(0x2a3db3ff, 0x4ab03f73), TOBN(0x0b87878a, 0x8702740a)},\n {TOBN(0x6d263f01, 0x5a061732), TOBN(0xc25430ce, 0xa32a1901),\n TOBN(0xf7ebab3d, 0xdb155018), TOBN(0x3a86f693, 0x63a9b78e)}},\n {{TOBN(0x349ae368, 0xda9f3804), TOBN(0x470f07fe, 0xa164349c),\n TOBN(0xd52f4cc9, 0x8562baa5), TOBN(0xc74a9e86, 0x2b290df3)},\n {TOBN(0xd3a1aa35, 0x43471a24), TOBN(0x239446be, 0xb8194511),\n TOBN(0xbec2dd00, 0x81dcd44d), TOBN(0xca3d7f0f, 0xc42ac82d)}},\n {{TOBN(0x1f3db085, 0xfdaf4520), TOBN(0xbb6d3e80, 0x4549daf2),\n TOBN(0xf5969d8a, 0x19ad5c42), TOBN(0x7052b13d, 0xdbfd1511)},\n {TOBN(0x11890d1b, 0x682b9060), TOBN(0xa71d3883, 0xac34452c),\n TOBN(0xa438055b, 0x783805b4), TOBN(0x43241277, 0x4725b23e)}},\n {{TOBN(0xf20cf96e, 0x4901bbed), TOBN(0x6419c710, 0xf432a2bb),\n TOBN(0x57a0fbb9, 0xdfa9cd7d), TOBN(0x589111e4, 0x00daa249)},\n {TOBN(0x19809a33, 0x7b60554e), TOBN(0xea5f8887, 0xede283a4),\n TOBN(0x2d713802, 0x503bfd35), TOBN(0x151bb0af, 0x585d2a53)}},\n {{TOBN(0x40b08f74, 0x43b30ca8), TOBN(0xe10b5bba, 0xd9934583),\n TOBN(0xe8a546d6, 0xb51110ad), TOBN(0x1dd50e66, 0x28e0b6c5)},\n {TOBN(0x292e9d54, 0xcff2b821), TOBN(0x3882555d, 0x47281760),\n TOBN(0x134838f8, 0x3724d6e3), TOBN(0xf2c679e0, 0x22ddcda1)}},\n {{TOBN(0x40ee8815, 0x6d2a5768), TOBN(0x7f227bd2, 0x1c1e7e2d),\n TOBN(0x487ba134, 0xd04ff443), TOBN(0x76e2ff3d, 0xc614e54b)},\n {TOBN(0x36b88d6f, 0xa3177ec7), TOBN(0xbf731d51, 0x2328fff5),\n TOBN(0x758caea2, 0x49ba158e), TOBN(0x5ab8ff4c, 0x02938188)}},\n {{TOBN(0x33e16056, 0x35edc56d), TOBN(0x5a69d349, 0x7e940d79),\n TOBN(0x6c4fd001, 0x03866dcb), TOBN(0x20a38f57, 0x4893cdef)},\n {TOBN(0xfbf3e790, 0xfac3a15b), TOBN(0x6ed7ea2e, 0x7a4f8e6b),\n TOBN(0xa663eb4f, 0xbc3aca86), TOBN(0x22061ea5, 0x080d53f7)}},\n {{TOBN(0x2480dfe6, 0xf546783f), TOBN(0xd38bc6da, 0x5a0a641e),\n TOBN(0xfb093cd1, 0x2ede8965), TOBN(0x89654db4, 0xacb455cf)},\n {TOBN(0x413cbf9a, 0x26e1adee), TOBN(0x291f3764, 0x373294d4),\n TOBN(0x00797257, 0x648083fe), TOBN(0x25f504d3, 0x208cc341)}},\n {{TOBN(0x635a8e5e, 0xc3a0ee43), TOBN(0x70aaebca, 0x679898ff),\n TOBN(0x9ee9f547, 0x5dc63d56), TOBN(0xce987966, 0xffb34d00)},\n {TOBN(0xf9f86b19, 0x5e26310a), TOBN(0x9e435484, 0x382a8ca8),\n TOBN(0x253bcb81, 0xc2352fe4), TOBN(0xa4eac8b0, 0x4474b571)}},\n {{TOBN(0xc1b97512, 0xc1ad8cf8), TOBN(0x193b4e9e, 0x99e0b697),\n TOBN(0x939d2716, 0x01e85df0), TOBN(0x4fb265b3, 0xcd44eafd)},\n {TOBN(0x321e7dcd, 0xe51e1ae2), TOBN(0x8e3a8ca6, 0xe3d8b096),\n TOBN(0x8de46cb0, 0x52604998), TOBN(0x91099ad8, 0x39072aa7)}},\n {{TOBN(0x2617f91c, 0x93aa96b8), TOBN(0x0fc8716b, 0x7fca2e13),\n TOBN(0xa7106f5e, 0x95328723), TOBN(0xd1c9c40b, 0x262e6522)},\n {TOBN(0xb9bafe86, 0x42b7c094), TOBN(0x1873439d, 0x1543c021),\n TOBN(0xe1baa5de, 0x5cbefd5d), TOBN(0xa363fc5e, 0x521e8aff)}},\n {{TOBN(0xefe6320d, 0xf862eaac), TOBN(0x14419c63, 0x22c647dc),\n TOBN(0x0e06707c, 0x4e46d428), TOBN(0xcb6c834f, 0x4a178f8f)},\n {TOBN(0x0f993a45, 0xd30f917c), TOBN(0xd4c4b049, 0x9879afee),\n TOBN(0xb6142a1e, 0x70500063), TOBN(0x7c9b41c3, 0xa5d9d605)}},\n {{TOBN(0xbc00fc2f, 0x2f8ba2c7), TOBN(0x0966eb2f, 0x7c67aa28),\n TOBN(0x13f7b516, 0x5a786972), TOBN(0x3bfb7557, 0x8a2fbba0)},\n {TOBN(0x131c4f23, 0x5a2b9620), TOBN(0xbff3ed27, 0x6faf46be),\n TOBN(0x9b4473d1, 0x7e172323), TOBN(0x421e8878, 0x339f6246)}},\n {{TOBN(0x0fa8587a, 0x25a41632), TOBN(0xc0814124, 0xa35b6c93),\n TOBN(0x2b18a9f5, 0x59ebb8db), TOBN(0x264e3357, 0x76edb29c)},\n {TOBN(0xaf245ccd, 0xc87c51e2), TOBN(0x16b3015b, 0x501e6214),\n TOBN(0xbb31c560, 0x0a3882ce), TOBN(0x6961bb94, 0xfec11e04)}},\n {{TOBN(0x3b825b8d, 0xeff7a3a0), TOBN(0xbec33738, 0xb1df7326),\n TOBN(0x68ad747c, 0x99604a1f), TOBN(0xd154c934, 0x9a3bd499)},\n {TOBN(0xac33506f, 0x1cc7a906), TOBN(0x73bb5392, 0x6c560e8f),\n TOBN(0x6428fcbe, 0x263e3944), TOBN(0xc11828d5, 0x1c387434)}},\n {{TOBN(0x3cd04be1, 0x3e4b12ff), TOBN(0xc3aad9f9, 0x2d88667c),\n TOBN(0xc52ddcf8, 0x248120cf), TOBN(0x985a892e, 0x2a389532)},\n {TOBN(0xfbb4b21b, 0x3bb85fa0), TOBN(0xf95375e0, 0x8dfc6269),\n TOBN(0xfb4fb06c, 0x7ee2acea), TOBN(0x6785426e, 0x309c4d1f)}},\n {{TOBN(0x659b17c8, 0xd8ceb147), TOBN(0x9b649eee, 0xb70a5554),\n TOBN(0x6b7fa0b5, 0xac6bc634), TOBN(0xd99fe2c7, 0x1d6e732f)},\n {TOBN(0x30e6e762, 0x8d3abba2), TOBN(0x18fee6e7, 0xa797b799),\n TOBN(0x5c9d360d, 0xc696464d), TOBN(0xe3baeb48, 0x27bfde12)}},\n {{TOBN(0x2bf5db47, 0xf23206d5), TOBN(0x2f6d3420, 0x1d260152),\n TOBN(0x17b87653, 0x3f8ff89a), TOBN(0x5157c30c, 0x378fa458)},\n {TOBN(0x7517c5c5, 0x2d4fb936), TOBN(0xef22f7ac, 0xe6518cdc),\n TOBN(0xdeb483e6, 0xbf847a64), TOBN(0xf5084558, 0x92e0fa89)}}},\n {{{TOBN(0xab9659d8, 0xdf7304d4), TOBN(0xb71bcf1b, 0xff210e8e),\n TOBN(0xa9a2438b, 0xd73fbd60), TOBN(0x4595cd1f, 0x5d11b4de)},\n {TOBN(0x9c0d329a, 0x4835859d), TOBN(0x4a0f0d2d, 0x7dbb6e56),\n TOBN(0xc6038e5e, 0xdf928a4e), TOBN(0xc9429621, 0x8f5ad154)}},\n {{TOBN(0x91213462, 0xf23f2d92), TOBN(0x6cab71bd, 0x60b94078),\n TOBN(0x6bdd0a63, 0x176cde20), TOBN(0x54c9b20c, 0xee4d54bc)},\n {TOBN(0x3cd2d8aa, 0x9f2ac02f), TOBN(0x03f8e617, 0x206eedb0),\n TOBN(0xc7f68e16, 0x93086434), TOBN(0x831469c5, 0x92dd3db9)}},\n {{TOBN(0x8521df24, 0x8f981354), TOBN(0x587e23ec, 0x3588a259),\n TOBN(0xcbedf281, 0xd7a0992c), TOBN(0x06930a55, 0x38961407)},\n {TOBN(0x09320deb, 0xbe5bbe21), TOBN(0xa7ffa5b5, 0x2491817f),\n TOBN(0xe6c8b4d9, 0x09065160), TOBN(0xac4f3992, 0xfff6d2a9)}},\n {{TOBN(0x7aa7a158, 0x3ae9c1bd), TOBN(0xe0af6d98, 0xe37ce240),\n TOBN(0xe54342d9, 0x28ab38b4), TOBN(0xe8b75007, 0x0a1c98ca)},\n {TOBN(0xefce86af, 0xe02358f2), TOBN(0x31b8b856, 0xea921228),\n TOBN(0x052a1912, 0x0a1c67fc), TOBN(0xb4069ea4, 0xe3aead59)}},\n {{TOBN(0x3232d6e2, 0x7fa03cb3), TOBN(0xdb938e5b, 0x0fdd7d88),\n TOBN(0x04c1d2cd, 0x2ccbfc5d), TOBN(0xd2f45c12, 0xaf3a580f)},\n {TOBN(0x592620b5, 0x7883e614), TOBN(0x5fd27e68, 0xbe7c5f26),\n TOBN(0x139e45a9, 0x1567e1e3), TOBN(0x2cc71d2d, 0x44d8aaaf)}},\n {{TOBN(0x4a9090cd, 0xe36d0757), TOBN(0xf722d7b1, 0xd9a29382),\n TOBN(0xfb7fb04c, 0x04b48ddf), TOBN(0x628ad2a7, 0xebe16f43)},\n {TOBN(0xcd3fbfb5, 0x20226040), TOBN(0x6c34ecb1, 0x5104b6c4),\n TOBN(0x30c0754e, 0xc903c188), TOBN(0xec336b08, 0x2d23cab0)}},\n {{TOBN(0x473d62a2, 0x1e206ee5), TOBN(0xf1e27480, 0x8c49a633),\n TOBN(0x87ab956c, 0xe9f6b2c3), TOBN(0x61830b48, 0x62b606ea)},\n {TOBN(0x67cd6846, 0xe78e815f), TOBN(0xfe40139f, 0x4c02082a),\n TOBN(0x52bbbfcb, 0x952ec365), TOBN(0x74c11642, 0x6b9836ab)}},\n {{TOBN(0x9f51439e, 0x558df019), TOBN(0x230da4ba, 0xac712b27),\n TOBN(0x518919e3, 0x55185a24), TOBN(0x4dcefcdd, 0x84b78f50)},\n {TOBN(0xa7d90fb2, 0xa47d4c5a), TOBN(0x55ac9abf, 0xb30e009e),\n TOBN(0xfd2fc359, 0x74eed273), TOBN(0xb72d824c, 0xdbea8faf)}},\n {{TOBN(0xce721a74, 0x4513e2ca), TOBN(0x0b418612, 0x38240b2c),\n TOBN(0x05199968, 0xd5baa450), TOBN(0xeb1757ed, 0x2b0e8c25)},\n {TOBN(0x6ebc3e28, 0x3dfac6d5), TOBN(0xb2431e2e, 0x48a237f5),\n TOBN(0x2acb5e23, 0x52f61499), TOBN(0x5558a2a7, 0xe06c936b)}},\n {{TOBN(0xd213f923, 0xcbb13d1b), TOBN(0x98799f42, 0x5bfb9bfe),\n TOBN(0x1ae8ddc9, 0x701144a9), TOBN(0x0b8b3bb6, 0x4c5595ee)},\n {TOBN(0x0ea9ef2e, 0x3ecebb21), TOBN(0x17cb6c4b, 0x3671f9a7),\n TOBN(0x47ef464f, 0x726f1d1f), TOBN(0x171b9484, 0x6943a276)}},\n {{TOBN(0x51a4ae2d, 0x7ef0329c), TOBN(0x08509222, 0x91c4402a),\n TOBN(0x64a61d35, 0xafd45bbc), TOBN(0x38f096fe, 0x3035a851)},\n {TOBN(0xc7468b74, 0xa1dec027), TOBN(0xe8cf10e7, 0x4fc7dcba),\n TOBN(0xea35ff40, 0xf4a06353), TOBN(0x0b4c0dfa, 0x8b77dd66)}},\n {{TOBN(0x779b8552, 0xde7e5c19), TOBN(0xfab28609, 0xc1c0256c),\n TOBN(0x64f58eee, 0xabd4743d), TOBN(0x4e8ef838, 0x7b6cc93b)},\n {TOBN(0xee650d26, 0x4cb1bf3d), TOBN(0x4c1f9d09, 0x73dedf61),\n TOBN(0xaef7c9d7, 0xbfb70ced), TOBN(0x1ec0507e, 0x1641de1e)}},\n {{TOBN(0xcd7e5cc7, 0xcde45079), TOBN(0xde173c9a, 0x516ac9e4),\n TOBN(0x517a8494, 0xc170315c), TOBN(0x438fd905, 0x91d8e8fb)},\n {TOBN(0x5145c506, 0xc7d9630b), TOBN(0x6457a87b, 0xf47d4d75),\n TOBN(0xd31646bf, 0x0d9a80e8), TOBN(0x453add2b, 0xcef3aabe)}},\n {{TOBN(0xc9941109, 0xa607419d), TOBN(0xfaa71e62, 0xbb6bca80),\n TOBN(0x34158c13, 0x07c431f3), TOBN(0x594abebc, 0x992bc47a)},\n {TOBN(0x6dfea691, 0xeb78399f), TOBN(0x48aafb35, 0x3f42cba4),\n TOBN(0xedcd65af, 0x077c04f0), TOBN(0x1a29a366, 0xe884491a)}},\n {{TOBN(0x023a40e5, 0x1c21f2bf), TOBN(0xf99a513c, 0xa5057aee),\n TOBN(0xa3fe7e25, 0xbcab072e), TOBN(0x8568d2e1, 0x40e32bcf)},\n {TOBN(0x904594eb, 0xd3f69d9f), TOBN(0x181a9733, 0x07affab1),\n TOBN(0xe4d68d76, 0xb6e330f4), TOBN(0x87a6dafb, 0xc75a7fc1)}},\n {{TOBN(0x549db2b5, 0xef7d9289), TOBN(0x2480d4a8, 0x197f015a),\n TOBN(0x61d5590b, 0xc40493b6), TOBN(0x3a55b52e, 0x6f780331)},\n {TOBN(0x40eb8115, 0x309eadb0), TOBN(0xdea7de5a, 0x92e5c625),\n TOBN(0x64d631f0, 0xcc6a3d5a), TOBN(0x9d5e9d7c, 0x93e8dd61)}},\n {{TOBN(0xf297bef5, 0x206d3ffc), TOBN(0x23d5e033, 0x7d808bd4),\n TOBN(0x4a4f6912, 0xd24cf5ba), TOBN(0xe4d8163b, 0x09cdaa8a)},\n {TOBN(0x0e0de9ef, 0xd3082e8e), TOBN(0x4fe1246c, 0x0192f360),\n TOBN(0x1f900150, 0x4b8eee0a), TOBN(0x5219da81, 0xf1da391b)}},\n {{TOBN(0x7bf6a5c1, 0xf7ea25aa), TOBN(0xd165e6bf, 0xfbb07d5f),\n TOBN(0xe3539361, 0x89e78671), TOBN(0xa3fcac89, 0x2bac4219)},\n {TOBN(0xdfab6fd4, 0xf0baa8ab), TOBN(0x5a4adac1, 0xe2c1c2e5),\n TOBN(0x6cd75e31, 0x40d85849), TOBN(0xce263fea, 0x19b39181)}},\n {{TOBN(0xcb6803d3, 0x07032c72), TOBN(0x7f40d5ce, 0x790968c8),\n TOBN(0xa6de86bd, 0xdce978f0), TOBN(0x25547c4f, 0x368f751c)},\n {TOBN(0xb1e685fd, 0x65fb2a9e), TOBN(0xce69336f, 0x1eb9179c),\n TOBN(0xb15d1c27, 0x12504442), TOBN(0xb7df465c, 0xb911a06b)}},\n {{TOBN(0xb8d804a3, 0x315980cd), TOBN(0x693bc492, 0xfa3bebf7),\n TOBN(0x3578aeee, 0x2253c504), TOBN(0x158de498, 0xcd2474a2)},\n {TOBN(0x1331f5c7, 0xcfda8368), TOBN(0xd2d7bbb3, 0x78d7177e),\n TOBN(0xdf61133a, 0xf3c1e46e), TOBN(0x5836ce7d, 0xd30e7be8)}},\n {{TOBN(0x83084f19, 0x94f834cb), TOBN(0xd35653d4, 0x429ed782),\n TOBN(0xa542f16f, 0x59e58243), TOBN(0xc2b52f65, 0x0470a22d)},\n {TOBN(0xe3b6221b, 0x18f23d96), TOBN(0xcb05abac, 0x3f5252b4),\n TOBN(0xca00938b, 0x87d61402), TOBN(0x2f186cdd, 0x411933e4)}},\n {{TOBN(0xe042ece5, 0x9a29a5c5), TOBN(0xb19b3c07, 0x3b6c8402),\n TOBN(0xc97667c7, 0x19d92684), TOBN(0xb5624622, 0xebc66372)},\n {TOBN(0x0cb96e65, 0x3c04fa02), TOBN(0x83a7176c, 0x8eaa39aa),\n TOBN(0x2033561d, 0xeaa1633f), TOBN(0x45a9d086, 0x4533df73)}},\n {{TOBN(0xe0542c1d, 0x3dc090bc), TOBN(0x82c996ef, 0xaa59c167),\n TOBN(0xe3f735e8, 0x0ee7fc4d), TOBN(0x7b179393, 0x7c35db79)},\n {TOBN(0xb6419e25, 0xf8c5dbfd), TOBN(0x4d9d7a1e, 0x1f327b04),\n TOBN(0x979f6f9b, 0x298dfca8), TOBN(0xc7c5dff1, 0x8de9366a)}},\n {{TOBN(0x1b7a588d, 0x04c82bdd), TOBN(0x68005534, 0xf8319dfd),\n TOBN(0xde8a55b5, 0xd8eb9580), TOBN(0x5ea886da, 0x8d5bca81)},\n {TOBN(0xe8530a01, 0x252a0b4d), TOBN(0x1bffb4fe, 0x35eaa0a1),\n TOBN(0x2ad828b1, 0xd8e99563), TOBN(0x7de96ef5, 0x95f9cd87)}},\n {{TOBN(0x4abb2d0c, 0xd77d970c), TOBN(0x03cfb933, 0xd33ef9cb),\n TOBN(0xb0547c01, 0x8b211fe9), TOBN(0x2fe64809, 0xa56ed1c6)},\n {TOBN(0xcb7d5624, 0xc2ac98cc), TOBN(0x2a1372c0, 0x1a393e33),\n TOBN(0xc8d1ec1c, 0x29660521), TOBN(0xf3d31b04, 0xb37ac3e9)}},\n {{TOBN(0xa29ae9df, 0x5ece6e7c), TOBN(0x0603ac8f, 0x0facfb55),\n TOBN(0xcfe85b7a, 0xdda233a5), TOBN(0xe618919f, 0xbd75f0b8)},\n {TOBN(0xf555a3d2, 0x99bf1603), TOBN(0x1f43afc9, 0xf184255a),\n TOBN(0xdcdaf341, 0x319a3e02), TOBN(0xd3b117ef, 0x03903a39)}},\n {{TOBN(0xe095da13, 0x65d1d131), TOBN(0x86f16367, 0xc37ad03e),\n TOBN(0x5f37389e, 0x462cd8dd), TOBN(0xc103fa04, 0xd67a60e6)},\n {TOBN(0x57c34344, 0xf4b478f0), TOBN(0xce91edd8, 0xe117c98d),\n TOBN(0x001777b0, 0x231fc12e), TOBN(0x11ae47f2, 0xb207bccb)}},\n {{TOBN(0xd983cf8d, 0x20f8a242), TOBN(0x7aff5b1d, 0xf22e1ad8),\n TOBN(0x68fd11d0, 0x7fc4feb3), TOBN(0x5d53ae90, 0xb0f1c3e1)},\n {TOBN(0x50fb7905, 0xec041803), TOBN(0x85e3c977, 0x14404888),\n TOBN(0x0e67faed, 0xac628d8f), TOBN(0x2e865150, 0x6668532c)}},\n {{TOBN(0x15acaaa4, 0x6a67a6b0), TOBN(0xf4cdee25, 0xb25cec41),\n TOBN(0x49ee565a, 0xe4c6701e), TOBN(0x2a04ca66, 0xfc7d63d8)},\n {TOBN(0xeb105018, 0xef0543fb), TOBN(0xf709a4f5, 0xd1b0d81d),\n TOBN(0x5b906ee6, 0x2915d333), TOBN(0xf4a87412, 0x96f1f0ab)}},\n {{TOBN(0xb6b82fa7, 0x4d82f4c2), TOBN(0x90725a60, 0x6804efb3),\n TOBN(0xbc82ec46, 0xadc3425e), TOBN(0xb7b80581, 0x2787843e)},\n {TOBN(0xdf46d91c, 0xdd1fc74c), TOBN(0xdc1c62cb, 0xe783a6c4),\n TOBN(0x59d1b9f3, 0x1a04cbba), TOBN(0xd87f6f72, 0x95e40764)}},\n {{TOBN(0x02b4cfc1, 0x317f4a76), TOBN(0x8d2703eb, 0x91036bce),\n TOBN(0x98206cc6, 0xa5e72a56), TOBN(0x57be9ed1, 0xcf53fb0f)},\n {TOBN(0x09374571, 0xef0b17ac), TOBN(0x74b2655e, 0xd9181b38),\n TOBN(0xc8f80ea8, 0x89935d0e), TOBN(0xc0d9e942, 0x91529936)}},\n {{TOBN(0x19686041, 0x1e84e0e5), TOBN(0xa5db84d3, 0xaea34c93),\n TOBN(0xf9d5bb19, 0x7073a732), TOBN(0xb8d2fe56, 0x6bcfd7c0)},\n {TOBN(0x45775f36, 0xf3eb82fa), TOBN(0x8cb20ccc, 0xfdff8b58),\n TOBN(0x1659b65f, 0x8374c110), TOBN(0xb8b4a422, 0x330c789a)}},\n {{TOBN(0x75e3c3ea, 0x6fe8208b), TOBN(0xbd74b9e4, 0x286e78fe),\n TOBN(0x0be2e81b, 0xd7d93a1a), TOBN(0x7ed06e27, 0xdd0a5aae)},\n {TOBN(0x721f5a58, 0x6be8b800), TOBN(0x428299d1, 0xd846db28),\n TOBN(0x95cb8e6b, 0x5be88ed3), TOBN(0xc3186b23, 0x1c034e11)}},\n {{TOBN(0xa6312c9e, 0x8977d99b), TOBN(0xbe944331, 0x83f531e7),\n TOBN(0x8232c0c2, 0x18d3b1d4), TOBN(0x617aae8b, 0xe1247b73)},\n {TOBN(0x40153fc4, 0x282aec3b), TOBN(0xc6063d2f, 0xf7b8f823),\n TOBN(0x68f10e58, 0x3304f94c), TOBN(0x31efae74, 0xee676346)}},\n {{TOBN(0xbadb6c6d, 0x40a9b97c), TOBN(0x14702c63, 0x4f666256),\n TOBN(0xdeb954f1, 0x5184b2e3), TOBN(0x5184a526, 0x94b6ca40)},\n {TOBN(0xfff05337, 0x003c32ea), TOBN(0x5aa374dd, 0x205974c7),\n TOBN(0x9a763854, 0x4b0dd71a), TOBN(0x459cd27f, 0xdeb947ec)}},\n {{TOBN(0xa6e28161, 0x459c2b92), TOBN(0x2f020fa8, 0x75ee8ef5),\n TOBN(0xb132ec2d, 0x30b06310), TOBN(0xc3e15899, 0xbc6a4530)},\n {TOBN(0xdc5f53fe, 0xaa3f451a), TOBN(0x3a3c7f23, 0xc2d9acac),\n TOBN(0x2ec2f892, 0x6b27e58b), TOBN(0x68466ee7, 0xd742799f)}},\n {{TOBN(0x98324dd4, 0x1fa26613), TOBN(0xa2dc6dab, 0xbdc29d63),\n TOBN(0xf9675faa, 0xd712d657), TOBN(0x813994be, 0x21fd8d15)},\n {TOBN(0x5ccbb722, 0xfd4f7553), TOBN(0x5135ff8b, 0xf3a36b20),\n TOBN(0x44be28af, 0x69559df5), TOBN(0x40b65bed, 0x9d41bf30)}},\n {{TOBN(0xd98bf2a4, 0x3734e520), TOBN(0x5e3abbe3, 0x209bdcba),\n TOBN(0x77c76553, 0xbc945b35), TOBN(0x5331c093, 0xc6ef14aa)},\n {TOBN(0x518ffe29, 0x76b60c80), TOBN(0x2285593b, 0x7ace16f8),\n TOBN(0xab1f64cc, 0xbe2b9784), TOBN(0xe8f2c0d9, 0xab2421b6)}},\n {{TOBN(0x617d7174, 0xc1df065c), TOBN(0xafeeb5ab, 0x5f6578fa),\n TOBN(0x16ff1329, 0x263b54a8), TOBN(0x45c55808, 0xc990dce3)},\n {TOBN(0x42eab6c0, 0xecc8c177), TOBN(0x799ea9b5, 0x5982ecaa),\n TOBN(0xf65da244, 0xb607ef8e), TOBN(0x8ab226ce, 0x32a3fc2c)}},\n {{TOBN(0x745741e5, 0x7ea973dc), TOBN(0x5c00ca70, 0x20888f2e),\n TOBN(0x7cdce3cf, 0x45fd9cf1), TOBN(0x8a741ef1, 0x5507f872)},\n {TOBN(0x47c51c2f, 0x196b4cec), TOBN(0x70d08e43, 0xc97ea618),\n TOBN(0x930da15c, 0x15b18a2b), TOBN(0x33b6c678, 0x2f610514)}},\n {{TOBN(0xc662e4f8, 0x07ac9794), TOBN(0x1eccf050, 0xba06cb79),\n TOBN(0x1ff08623, 0xe7d954e5), TOBN(0x6ef2c5fb, 0x24cf71c3)},\n {TOBN(0xb2c063d2, 0x67978453), TOBN(0xa0cf3796, 0x1d654af8),\n TOBN(0x7cb242ea, 0x7ebdaa37), TOBN(0x206e0b10, 0xb86747e0)}},\n {{TOBN(0x481dae5f, 0xd5ecfefc), TOBN(0x07084fd8, 0xc2bff8fc),\n TOBN(0x8040a01a, 0xea324596), TOBN(0x4c646980, 0xd4de4036)},\n {TOBN(0x9eb8ab4e, 0xd65abfc3), TOBN(0xe01cb91f, 0x13541ec7),\n TOBN(0x8f029adb, 0xfd695012), TOBN(0x9ae28483, 0x3c7569ec)}},\n {{TOBN(0xa5614c9e, 0xa66d80a1), TOBN(0x680a3e44, 0x75f5f911),\n TOBN(0x0c07b14d, 0xceba4fc1), TOBN(0x891c285b, 0xa13071c1)},\n {TOBN(0xcac67ceb, 0x799ece3c), TOBN(0x29b910a9, 0x41e07e27),\n TOBN(0x66bdb409, 0xf2e43123), TOBN(0x06f8b137, 0x7ac9ecbe)}},\n {{TOBN(0x5981fafd, 0x38547090), TOBN(0x19ab8b9f, 0x85e3415d),\n TOBN(0xfc28c194, 0xc7e31b27), TOBN(0x843be0aa, 0x6fbcbb42)},\n {TOBN(0xf3b1ed43, 0xa6db836c), TOBN(0x2a1330e4, 0x01a45c05),\n TOBN(0x4f19f3c5, 0x95c1a377), TOBN(0xa85f39d0, 0x44b5ee33)}},\n {{TOBN(0x3da18e6d, 0x4ae52834), TOBN(0x5a403b39, 0x7423dcb0),\n TOBN(0xbb555e0a, 0xf2374aef), TOBN(0x2ad599c4, 0x1e8ca111)},\n {TOBN(0x1b3a2fb9, 0x014b3bf8), TOBN(0x73092684, 0xf66d5007),\n TOBN(0x079f1426, 0xc4340102), TOBN(0x1827cf81, 0x8fddf4de)}},\n {{TOBN(0xc83605f6, 0xf10ff927), TOBN(0xd3871451, 0x23739fc6),\n TOBN(0x6d163450, 0xcac1c2cc), TOBN(0x6b521296, 0xa2ec1ac5)},\n {TOBN(0x0606c4f9, 0x6e3cb4a5), TOBN(0xe47d3f41, 0x778abff7),\n TOBN(0x425a8d5e, 0xbe8e3a45), TOBN(0x53ea9e97, 0xa6102160)}},\n {{TOBN(0x477a106e, 0x39cbb688), TOBN(0x532401d2, 0xf3386d32),\n TOBN(0x8e564f64, 0xb1b9b421), TOBN(0xca9b8388, 0x81dad33f)},\n {TOBN(0xb1422b4e, 0x2093913e), TOBN(0x533d2f92, 0x69bc8112),\n TOBN(0x3fa017be, 0xebe7b2c7), TOBN(0xb2767c4a, 0xcaf197c6)}},\n {{TOBN(0xc925ff87, 0xaedbae9f), TOBN(0x7daf0eb9, 0x36880a54),\n TOBN(0x9284ddf5, 0x9c4d0e71), TOBN(0x1581cf93, 0x316f8cf5)},\n {TOBN(0x3eeca887, 0x3ac1f452), TOBN(0xb417fce9, 0xfb6aeffe),\n TOBN(0xa5918046, 0xeefb8dc3), TOBN(0x73d318ac, 0x02209400)}},\n {{TOBN(0xe800400f, 0x728693e5), TOBN(0xe87d814b, 0x339927ed),\n TOBN(0x93e94d3b, 0x57ea9910), TOBN(0xff8a35b6, 0x2245fb69)},\n {TOBN(0x043853d7, 0x7f200d34), TOBN(0x470f1e68, 0x0f653ce1),\n TOBN(0x81ac05bd, 0x59a06379), TOBN(0xa14052c2, 0x03930c29)}},\n {{TOBN(0x6b72fab5, 0x26bc2797), TOBN(0x13670d16, 0x99f16771),\n TOBN(0x00170052, 0x1e3e48d1), TOBN(0x978fe401, 0xb7adf678)},\n {TOBN(0x55ecfb92, 0xd41c5dd4), TOBN(0x5ff8e247, 0xc7b27da5),\n TOBN(0xe7518272, 0x013fb606), TOBN(0x5768d7e5, 0x2f547a3c)}},\n {{TOBN(0xbb24eaa3, 0x60017a5f), TOBN(0x6b18e6e4, 0x9c64ce9b),\n TOBN(0xc225c655, 0x103dde07), TOBN(0xfc3672ae, 0x7592f7ea)},\n {TOBN(0x9606ad77, 0xd06283a1), TOBN(0x542fc650, 0xe4d59d99),\n TOBN(0xabb57c49, 0x2a40e7c2), TOBN(0xac948f13, 0xa8db9f55)}},\n {{TOBN(0x6d4c9682, 0xb04465c3), TOBN(0xe3d062fa, 0x6468bd15),\n TOBN(0xa51729ac, 0x5f318d7e), TOBN(0x1fc87df6, 0x9eb6fc95)},\n {TOBN(0x63d146a8, 0x0591f652), TOBN(0xa861b8f7, 0x589621aa),\n TOBN(0x59f5f15a, 0xce31348c), TOBN(0x8f663391, 0x440da6da)}},\n {{TOBN(0xcfa778ac, 0xb591ffa3), TOBN(0x027ca9c5, 0x4cdfebce),\n TOBN(0xbe8e05a5, 0x444ea6b3), TOBN(0x8aab4e69, 0xa78d8254)},\n {TOBN(0x2437f04f, 0xb474d6b8), TOBN(0x6597ffd4, 0x045b3855),\n TOBN(0xbb0aea4e, 0xca47ecaa), TOBN(0x568aae83, 0x85c7ebfc)}},\n {{TOBN(0x0e966e64, 0xc73b2383), TOBN(0x49eb3447, 0xd17d8762),\n TOBN(0xde107821, 0x8da05dab), TOBN(0x443d8baa, 0x016b7236)},\n {TOBN(0x163b63a5, 0xea7610d6), TOBN(0xe47e4185, 0xce1ca979),\n TOBN(0xae648b65, 0x80baa132), TOBN(0xebf53de2, 0x0e0d5b64)}},\n {{TOBN(0x8d3bfcb4, 0xd3c8c1ca), TOBN(0x0d914ef3, 0x5d04b309),\n TOBN(0x55ef6415, 0x3de7d395), TOBN(0xbde1666f, 0x26b850e8)},\n {TOBN(0xdbe1ca6e, 0xd449ab19), TOBN(0x8902b322, 0xe89a2672),\n TOBN(0xb1674b7e, 0xdacb7a53), TOBN(0x8e9faf6e, 0xf52523ff)}},\n {{TOBN(0x6ba535da, 0x9a85788b), TOBN(0xd21f03ae, 0xbd0626d4),\n TOBN(0x099f8c47, 0xe873dc64), TOBN(0xcda8564d, 0x018ec97e)},\n {TOBN(0x3e8d7a5c, 0xde92c68c), TOBN(0x78e035a1, 0x73323cc4),\n TOBN(0x3ef26275, 0xf880ff7c), TOBN(0xa4ee3dff, 0x273eedaa)}},\n {{TOBN(0x58823507, 0xaf4e18f8), TOBN(0x967ec9b5, 0x0672f328),\n TOBN(0x9ded19d9, 0x559d3186), TOBN(0x5e2ab3de, 0x6cdce39c)},\n {TOBN(0xabad6e4d, 0x11c226df), TOBN(0xf9783f43, 0x87723014),\n TOBN(0x9a49a0cf, 0x1a885719), TOBN(0xfc0c1a5a, 0x90da9dbf)}},\n {{TOBN(0x8bbaec49, 0x571d92ac), TOBN(0x569e85fe, 0x4692517f),\n TOBN(0x8333b014, 0xa14ea4af), TOBN(0x32f2a62f, 0x12e5c5ad)},\n {TOBN(0x98c2ce3a, 0x06d89b85), TOBN(0xb90741aa, 0x2ff77a08),\n TOBN(0x2530defc, 0x01f795a2), TOBN(0xd6e5ba0b, 0x84b3c199)}},\n {{TOBN(0x7d8e8451, 0x12e4c936), TOBN(0xae419f7d, 0xbd0be17b),\n TOBN(0xa583fc8c, 0x22262bc9), TOBN(0x6b842ac7, 0x91bfe2bd)},\n {TOBN(0x33cef4e9, 0x440d6827), TOBN(0x5f69f4de, 0xef81fb14),\n TOBN(0xf16cf6f6, 0x234fbb92), TOBN(0x76ae3fc3, 0xd9e7e158)}},\n {{TOBN(0x4e89f6c2, 0xe9740b33), TOBN(0x677bc85d, 0x4962d6a1),\n TOBN(0x6c6d8a7f, 0x68d10d15), TOBN(0x5f9a7224, 0x0257b1cd)},\n {TOBN(0x7096b916, 0x4ad85961), TOBN(0x5f8c47f7, 0xe657ab4a),\n TOBN(0xde57d7d0, 0xf7461d7e), TOBN(0x7eb6094d, 0x80ce5ee2)}},\n {{TOBN(0x0b1e1dfd, 0x34190547), TOBN(0x8a394f43, 0xf05dd150),\n TOBN(0x0a9eb24d, 0x97df44e6), TOBN(0x78ca06bf, 0x87675719)},\n {TOBN(0x6f0b3462, 0x6ffeec22), TOBN(0x9d91bcea, 0x36cdd8fb),\n TOBN(0xac83363c, 0xa105be47), TOBN(0x81ba76c1, 0x069710e3)}},\n {{TOBN(0x3d1b24cb, 0x28c682c6), TOBN(0x27f25228, 0x8612575b),\n TOBN(0xb587c779, 0xe8e66e98), TOBN(0x7b0c03e9, 0x405eb1fe)},\n {TOBN(0xfdf0d030, 0x15b548e7), TOBN(0xa8be76e0, 0x38b36af7),\n TOBN(0x4cdab04a, 0x4f310c40), TOBN(0x6287223e, 0xf47ecaec)}},\n {{TOBN(0x678e6055, 0x8b399320), TOBN(0x61fe3fa6, 0xc01e4646),\n TOBN(0xc482866b, 0x03261a5e), TOBN(0xdfcf45b8, 0x5c2f244a)},\n {TOBN(0x8fab9a51, 0x2f684b43), TOBN(0xf796c654, 0xc7220a66),\n TOBN(0x1d90707e, 0xf5afa58f), TOBN(0x2c421d97, 0x4fdbe0de)}},\n {{TOBN(0xc4f4cda3, 0xaf2ebc2f), TOBN(0xa0af843d, 0xcb4efe24),\n TOBN(0x53b857c1, 0x9ccd10b1), TOBN(0xddc9d1eb, 0x914d3e04)},\n {TOBN(0x7bdec8bb, 0x62771deb), TOBN(0x829277aa, 0x91c5aa81),\n TOBN(0x7af18dd6, 0x832391ae), TOBN(0x1740f316, 0xc71a84ca)}}},\n {{{TOBN(0x8928e99a, 0xeeaf8c49), TOBN(0xee7aa73d, 0x6e24d728),\n TOBN(0x4c5007c2, 0xe72b156c), TOBN(0x5fcf57c5, 0xed408a1d)},\n {TOBN(0x9f719e39, 0xb6057604), TOBN(0x7d343c01, 0xc2868bbf),\n TOBN(0x2cca254b, 0x7e103e2d), TOBN(0xe6eb38a9, 0xf131bea2)}},\n {{TOBN(0xb33e624f, 0x8be762b4), TOBN(0x2a9ee4d1, 0x058e3413),\n TOBN(0x968e6369, 0x67d805fa), TOBN(0x9848949b, 0x7db8bfd7)},\n {TOBN(0x5308d7e5, 0xd23a8417), TOBN(0x892f3b1d, 0xf3e29da5),\n TOBN(0xc95c139e, 0x3dee471f), TOBN(0x8631594d, 0xd757e089)}},\n {{TOBN(0xe0c82a3c, 0xde918dcc), TOBN(0x2e7b5994, 0x26fdcf4b),\n TOBN(0x82c50249, 0x32cb1b2d), TOBN(0xea613a9d, 0x7657ae07)},\n {TOBN(0xc2eb5f6c, 0xf1fdc9f7), TOBN(0xb6eae8b8, 0x879fe682),\n TOBN(0x253dfee0, 0x591cbc7f), TOBN(0x000da713, 0x3e1290e6)}},\n {{TOBN(0x1083e2ea, 0x1f095615), TOBN(0x0a28ad77, 0x14e68c33),\n TOBN(0x6bfc0252, 0x3d8818be), TOBN(0xb585113a, 0xf35850cd)},\n {TOBN(0x7d935f0b, 0x30df8aa1), TOBN(0xaddda07c, 0x4ab7e3ac),\n TOBN(0x92c34299, 0x552f00cb), TOBN(0xc33ed1de, 0x2909df6c)}},\n {{TOBN(0x22c2195d, 0x80e87766), TOBN(0x9e99e6d8, 0x9ddf4ac0),\n TOBN(0x09642e4e, 0x65e74934), TOBN(0x2610ffa2, 0xff1ff241)},\n {TOBN(0x4d1d47d4, 0x751c8159), TOBN(0x697b4985, 0xaf3a9363),\n TOBN(0x0318ca46, 0x87477c33), TOBN(0xa90cb565, 0x9441eff3)}},\n {{TOBN(0x58bb3848, 0x36f024cb), TOBN(0x85be1f77, 0x36016168),\n TOBN(0x6c59587c, 0xdc7e07f1), TOBN(0x191be071, 0xaf1d8f02)},\n {TOBN(0xbf169fa5, 0xcca5e55c), TOBN(0x3864ba3c, 0xf7d04eac),\n TOBN(0x915e367f, 0x8d7d05db), TOBN(0xb48a876d, 0xa6549e5d)}},\n {{TOBN(0xef89c656, 0x580e40a2), TOBN(0xf194ed8c, 0x728068bc),\n TOBN(0x74528045, 0xa47990c9), TOBN(0xf53fc7d7, 0x5e1a4649)},\n {TOBN(0xbec5ae9b, 0x78593e7d), TOBN(0x2cac4ee3, 0x41db65d7),\n TOBN(0xa8c1eb24, 0x04a3d39b), TOBN(0x53b7d634, 0x03f8f3ef)}},\n {{TOBN(0x2dc40d48, 0x3e07113c), TOBN(0x6e4a5d39, 0x7d8b63ae),\n TOBN(0x5582a94b, 0x79684c2b), TOBN(0x932b33d4, 0x622da26c)},\n {TOBN(0xf534f651, 0x0dbbf08d), TOBN(0x211d07c9, 0x64c23a52),\n TOBN(0x0eeece0f, 0xee5bdc9b), TOBN(0xdf178168, 0xf7015558)}},\n {{TOBN(0xd4294635, 0x0a712229), TOBN(0x93cbe448, 0x09273f8c),\n TOBN(0x00b095ef, 0x8f13bc83), TOBN(0xbb741972, 0x8798978c)},\n {TOBN(0x9d7309a2, 0x56dbe6e7), TOBN(0xe578ec56, 0x5a5d39ec),\n TOBN(0x3961151b, 0x851f9a31), TOBN(0x2da7715d, 0xe5709eb4)}},\n {{TOBN(0x867f3017, 0x53dfabf0), TOBN(0x728d2078, 0xb8e39259),\n TOBN(0x5c75a0cd, 0x815d9958), TOBN(0xf84867a6, 0x16603be1)},\n {TOBN(0xc865b13d, 0x70e35b1c), TOBN(0x02414468, 0x19b03e2c),\n TOBN(0xe46041da, 0xac1f3121), TOBN(0x7c9017ad, 0x6f028a7c)}},\n {{TOBN(0xabc96de9, 0x0a482873), TOBN(0x4265d6b1, 0xb77e54d4),\n TOBN(0x68c38e79, 0xa57d88e7), TOBN(0xd461d766, 0x9ce82de3)},\n {TOBN(0x817a9ec5, 0x64a7e489), TOBN(0xcc5675cd, 0xa0def5f2),\n TOBN(0x9a00e785, 0x985d494e), TOBN(0xc626833f, 0x1b03514a)}},\n {{TOBN(0xabe7905a, 0x83cdd60e), TOBN(0x50602fb5, 0xa1170184),\n TOBN(0x689886cd, 0xb023642a), TOBN(0xd568d090, 0xa6e1fb00)},\n {TOBN(0x5b1922c7, 0x0259217f), TOBN(0x93831cd9, 0xc43141e4),\n TOBN(0xdfca3587, 0x0c95f86e), TOBN(0xdec2057a, 0x568ae828)}},\n {{TOBN(0xc44ea599, 0xf98a759a), TOBN(0x55a0a7a2, 0xf7c23c1d),\n TOBN(0xd5ffb6e6, 0x94c4f687), TOBN(0x3563cce2, 0x12848478)},\n {TOBN(0x812b3517, 0xe7b1fbe1), TOBN(0x8a7dc979, 0x4f7338e0),\n TOBN(0x211ecee9, 0x52d048db), TOBN(0x2eea4056, 0xc86ea3b8)}},\n {{TOBN(0xd8cb68a7, 0xba772b34), TOBN(0xe16ed341, 0x5f4e2541),\n TOBN(0x9b32f6a6, 0x0fec14db), TOBN(0xeee376f7, 0x391698be)},\n {TOBN(0xe9a7aa17, 0x83674c02), TOBN(0x65832f97, 0x5843022a),\n TOBN(0x29f3a8da, 0x5ba4990f), TOBN(0x79a59c3a, 0xfb8e3216)}},\n {{TOBN(0x9cdc4d2e, 0xbd19bb16), TOBN(0xc6c7cfd0, 0xb3262d86),\n TOBN(0xd4ce14d0, 0x969c0b47), TOBN(0x1fa352b7, 0x13e56128)},\n {TOBN(0x383d55b8, 0x973db6d3), TOBN(0x71836850, 0xe8e5b7bf),\n TOBN(0xc7714596, 0xe6bb571f), TOBN(0x259df31f, 0x2d5b2dd2)}},\n {{TOBN(0x568f8925, 0x913cc16d), TOBN(0x18bc5b6d, 0xe1a26f5a),\n TOBN(0xdfa413be, 0xf5f499ae), TOBN(0xf8835dec, 0xc3f0ae84)},\n {TOBN(0xb6e60bd8, 0x65a40ab0), TOBN(0x65596439, 0x194b377e),\n TOBN(0xbcd85625, 0x92084a69), TOBN(0x5ce433b9, 0x4f23ede0)}},\n {{TOBN(0xe8e8f04f, 0x6ad65143), TOBN(0x11511827, 0xd6e14af6),\n TOBN(0x3d390a10, 0x8295c0c7), TOBN(0x71e29ee4, 0x621eba16)},\n {TOBN(0xa588fc09, 0x63717b46), TOBN(0x02be02fe, 0xe06ad4a2),\n TOBN(0x931558c6, 0x04c22b22), TOBN(0xbb4d4bd6, 0x12f3c849)}},\n {{TOBN(0x54a4f496, 0x20efd662), TOBN(0x92ba6d20, 0xc5952d14),\n TOBN(0x2db8ea1e, 0xcc9784c2), TOBN(0x81cc10ca, 0x4b353644)},\n {TOBN(0x40b570ad, 0x4b4d7f6c), TOBN(0x5c9f1d96, 0x84a1dcd2),\n TOBN(0x01379f81, 0x3147e797), TOBN(0xe5c6097b, 0x2bd499f5)}},\n {{TOBN(0x40dcafa6, 0x328e5e20), TOBN(0xf7b5244a, 0x54815550),\n TOBN(0xb9a4f118, 0x47bfc978), TOBN(0x0ea0e79f, 0xd25825b1)},\n {TOBN(0xa50f96eb, 0x646c7ecf), TOBN(0xeb811493, 0x446dea9d),\n TOBN(0x2af04677, 0xdfabcf69), TOBN(0xbe3a068f, 0xc713f6e8)}},\n {{TOBN(0x860d523d, 0x42e06189), TOBN(0xbf077941, 0x4e3aff13),\n TOBN(0x0b616dca, 0xc1b20650), TOBN(0xe66dd6d1, 0x2131300d)},\n {TOBN(0xd4a0fd67, 0xff99abde), TOBN(0xc9903550, 0xc7aac50d),\n TOBN(0x022ecf8b, 0x7c46b2d7), TOBN(0x3333b1e8, 0x3abf92af)}},\n {{TOBN(0x11cc113c, 0x6c491c14), TOBN(0x05976688, 0x80dd3f88),\n TOBN(0xf5b4d9e7, 0x29d932ed), TOBN(0xe982aad8, 0xa2c38b6d)},\n {TOBN(0x6f925347, 0x8be0dcf0), TOBN(0x700080ae, 0x65ca53f2),\n TOBN(0xd8131156, 0x443ca77f), TOBN(0xe92d6942, 0xec51f984)}},\n {{TOBN(0xd2a08af8, 0x85dfe9ae), TOBN(0xd825d9a5, 0x4d2a86ca),\n TOBN(0x2c53988d, 0x39dff020), TOBN(0xf38b135a, 0x430cdc40)},\n {TOBN(0x0c918ae0, 0x62a7150b), TOBN(0xf31fd8de, 0x0c340e9b),\n TOBN(0xafa0e7ae, 0x4dbbf02e), TOBN(0x5847fb2a, 0x5eba6239)}},\n {{TOBN(0x6b1647dc, 0xdccbac8b), TOBN(0xb642aa78, 0x06f485c8),\n TOBN(0x873f3765, 0x7038ecdf), TOBN(0x2ce5e865, 0xfa49d3fe)},\n {TOBN(0xea223788, 0xc98c4400), TOBN(0x8104a8cd, 0xf1fa5279),\n TOBN(0xbcf7cc7a, 0x06becfd7), TOBN(0x49424316, 0xc8f974ae)}},\n {{TOBN(0xc0da65e7, 0x84d6365d), TOBN(0xbcb7443f, 0x8f759fb8),\n TOBN(0x35c712b1, 0x7ae81930), TOBN(0x80428dff, 0x4c6e08ab)},\n {TOBN(0xf19dafef, 0xa4faf843), TOBN(0xced8538d, 0xffa9855f),\n TOBN(0x20ac409c, 0xbe3ac7ce), TOBN(0x358c1fb6, 0x882da71e)}},\n {{TOBN(0xafa9c0e5, 0xfd349961), TOBN(0x2b2cfa51, 0x8421c2fc),\n TOBN(0x2a80db17, 0xf3a28d38), TOBN(0xa8aba539, 0x5d138e7e)},\n {TOBN(0x52012d1d, 0x6e96eb8d), TOBN(0x65d8dea0, 0xcbaf9622),\n TOBN(0x57735447, 0xb264f56c), TOBN(0xbeebef3f, 0x1b6c8da2)}},\n {{TOBN(0xfc346d98, 0xce785254), TOBN(0xd50e8d72, 0xbb64a161),\n TOBN(0xc03567c7, 0x49794add), TOBN(0x15a76065, 0x752c7ef6)},\n {TOBN(0x59f3a222, 0x961f23d6), TOBN(0x378e4438, 0x73ecc0b0),\n TOBN(0xc74be434, 0x5a82fde4), TOBN(0xae509af2, 0xd8b9cf34)}},\n {{TOBN(0x4a61ee46, 0x577f44a1), TOBN(0xe09b748c, 0xb611deeb),\n TOBN(0xc0481b2c, 0xf5f7b884), TOBN(0x35626678, 0x61acfa6b)},\n {TOBN(0x37f4c518, 0xbf8d21e6), TOBN(0x22d96531, 0xb205a76d),\n TOBN(0x37fb85e1, 0x954073c0), TOBN(0xbceafe4f, 0x65b3a567)}},\n {{TOBN(0xefecdef7, 0xbe42a582), TOBN(0xd3fc6080, 0x65046be6),\n TOBN(0xc9af13c8, 0x09e8dba9), TOBN(0x1e6c9847, 0x641491ff)},\n {TOBN(0x3b574925, 0xd30c31f7), TOBN(0xb7eb72ba, 0xac2a2122),\n TOBN(0x776a0dac, 0xef0859e7), TOBN(0x06fec314, 0x21900942)}},\n {{TOBN(0x2464bc10, 0xf8c22049), TOBN(0x9bfbcce7, 0x875ebf69),\n TOBN(0xd7a88e2a, 0x4336326b), TOBN(0xda05261c, 0x5bc2acfa)},\n {TOBN(0xc29f5bdc, 0xeba7efc8), TOBN(0x471237ca, 0x25dbbf2e),\n TOBN(0xa72773f2, 0x2975f127), TOBN(0xdc744e8e, 0x04d0b326)}},\n {{TOBN(0x38a7ed16, 0xa56edb73), TOBN(0x64357e37, 0x2c007e70),\n TOBN(0xa167d15b, 0x5080b400), TOBN(0x07b41164, 0x23de4be1)},\n {TOBN(0xb2d91e32, 0x74c89883), TOBN(0x3c162821, 0x2882e7ed),\n TOBN(0xad6b36ba, 0x7503e482), TOBN(0x48434e8e, 0x0ea34331)}},\n {{TOBN(0x79f4f24f, 0x2c7ae0b9), TOBN(0xc46fbf81, 0x1939b44a),\n TOBN(0x76fefae8, 0x56595eb1), TOBN(0x417b66ab, 0xcd5f29c7)},\n {TOBN(0x5f2332b2, 0xc5ceec20), TOBN(0xd69661ff, 0xe1a1cae2),\n TOBN(0x5ede7e52, 0x9b0286e6), TOBN(0x9d062529, 0xe276b993)}},\n {{TOBN(0x324794b0, 0x7e50122b), TOBN(0xdd744f8b, 0x4af07ca5),\n TOBN(0x30a12f08, 0xd63fc97b), TOBN(0x39650f1a, 0x76626d9d)},\n {TOBN(0x101b47f7, 0x1fa38477), TOBN(0x3d815f19, 0xd4dc124f),\n TOBN(0x1569ae95, 0xb26eb58a), TOBN(0xc3cde188, 0x95fb1887)}},\n {{TOBN(0x54e9f37b, 0xf9539a48), TOBN(0xb0100e06, 0x7408c1a5),\n TOBN(0x821d9811, 0xea580cbb), TOBN(0x8af52d35, 0x86e50c56)},\n {TOBN(0xdfbd9d47, 0xdbbf698b), TOBN(0x2961a1ea, 0x03dc1c73),\n TOBN(0x203d38f8, 0xe76a5df8), TOBN(0x08a53a68, 0x6def707a)}},\n {{TOBN(0x26eefb48, 0x1bee45d4), TOBN(0xb3cee346, 0x3c688036),\n TOBN(0x463c5315, 0xc42f2469), TOBN(0x19d84d2e, 0x81378162)},\n {TOBN(0x22d7c3c5, 0x1c4d349f), TOBN(0x65965844, 0x163d59c5),\n TOBN(0xcf198c56, 0xb8abceae), TOBN(0x6fb1fb1b, 0x628559d5)}},\n {{TOBN(0x8bbffd06, 0x07bf8fe3), TOBN(0x46259c58, 0x3467734b),\n TOBN(0xd8953cea, 0x35f7f0d3), TOBN(0x1f0bece2, 0xd65b0ff1)},\n {TOBN(0xf7d5b4b3, 0xf3c72914), TOBN(0x29e8ea95, 0x3cb53389),\n TOBN(0x4a365626, 0x836b6d46), TOBN(0xe849f910, 0xea174fde)}},\n {{TOBN(0x7ec62fbb, 0xf4737f21), TOBN(0xd8dba5ab, 0x6209f5ac),\n TOBN(0x24b5d7a9, 0xa5f9adbe), TOBN(0x707d28f7, 0xa61dc768)},\n {TOBN(0x7711460b, 0xcaa999ea), TOBN(0xba7b174d, 0x1c92e4cc),\n TOBN(0x3c4bab66, 0x18d4bf2d), TOBN(0xb8f0c980, 0xeb8bd279)}},\n {{TOBN(0x024bea9a, 0x324b4737), TOBN(0xfba9e423, 0x32a83bca),\n TOBN(0x6e635643, 0xa232dced), TOBN(0x99619367, 0x2571c8ba)},\n {TOBN(0xe8c9f357, 0x54b7032b), TOBN(0xf936b3ba, 0x2442d54a),\n TOBN(0x2263f0f0, 0x8290c65a), TOBN(0x48989780, 0xee2c7fdb)}},\n {{TOBN(0xadc5d55a, 0x13d4f95e), TOBN(0x737cff85, 0xad9b8500),\n TOBN(0x271c557b, 0x8a73f43d), TOBN(0xbed617a4, 0xe18bc476)},\n {TOBN(0x66245401, 0x7dfd8ab2), TOBN(0xae7b89ae, 0x3a2870aa),\n TOBN(0x1b555f53, 0x23a7e545), TOBN(0x6791e247, 0xbe057e4c)}},\n {{TOBN(0x860136ad, 0x324fa34d), TOBN(0xea111447, 0x4cbeae28),\n TOBN(0x023a4270, 0xbedd3299), TOBN(0x3d5c3a7f, 0xc1c35c34)},\n {TOBN(0xb0f6db67, 0x8d0412d2), TOBN(0xd92625e2, 0xfcdc6b9a),\n TOBN(0x92ae5ccc, 0x4e28a982), TOBN(0xea251c36, 0x47a3ce7e)}},\n {{TOBN(0x9d658932, 0x790691bf), TOBN(0xed610589, 0x06b736ae),\n TOBN(0x712c2f04, 0xc0d63b6e), TOBN(0x5cf06fd5, 0xc63d488f)},\n {TOBN(0x97363fac, 0xd9588e41), TOBN(0x1f9bf762, 0x2b93257e),\n TOBN(0xa9d1ffc4, 0x667acace), TOBN(0x1cf4a1aa, 0x0a061ecf)}},\n {{TOBN(0x40e48a49, 0xdc1818d0), TOBN(0x0643ff39, 0xa3621ab0),\n TOBN(0x5768640c, 0xe39ef639), TOBN(0x1fc099ea, 0x04d86854)},\n {TOBN(0x9130b9c3, 0xeccd28fd), TOBN(0xd743cbd2, 0x7eec54ab),\n TOBN(0x052b146f, 0xe5b475b6), TOBN(0x058d9a82, 0x900a7d1f)}},\n {{TOBN(0x65e02292, 0x91262b72), TOBN(0x96f924f9, 0xbb0edf03),\n TOBN(0x5cfa59c8, 0xfe206842), TOBN(0xf6037004, 0x5eafa720)},\n {TOBN(0x5f30699e, 0x18d7dd96), TOBN(0x381e8782, 0xcbab2495),\n TOBN(0x91669b46, 0xdd8be949), TOBN(0xb40606f5, 0x26aae8ef)}},\n {{TOBN(0x2812b839, 0xfc6751a4), TOBN(0x16196214, 0xfba800ef),\n TOBN(0x4398d5ca, 0x4c1a2875), TOBN(0x720c00ee, 0x653d8349)},\n {TOBN(0xc2699eb0, 0xd820007c), TOBN(0x880ee660, 0xa39b5825),\n TOBN(0x70694694, 0x471f6984), TOBN(0xf7d16ea8, 0xe3dda99a)}},\n {{TOBN(0x28d675b2, 0xc0519a23), TOBN(0x9ebf94fe, 0x4f6952e3),\n TOBN(0xf28bb767, 0xa2294a8a), TOBN(0x85512b4d, 0xfe0af3f5)},\n {TOBN(0x18958ba8, 0x99b16a0d), TOBN(0x95c2430c, 0xba7548a7),\n TOBN(0xb30d1b10, 0xa16be615), TOBN(0xe3ebbb97, 0x85bfb74c)}},\n {{TOBN(0xa3273cfe, 0x18549fdb), TOBN(0xf6e200bf, 0x4fcdb792),\n TOBN(0x54a76e18, 0x83aba56c), TOBN(0x73ec66f6, 0x89ef6aa2)},\n {TOBN(0x8d17add7, 0xd1b9a305), TOBN(0xa959c5b9, 0xb7ae1b9d),\n TOBN(0x88643522, 0x6bcc094a), TOBN(0xcc5616c4, 0xd7d429b9)}},\n {{TOBN(0xa6dada01, 0xe6a33f7c), TOBN(0xc6217a07, 0x9d4e70ad),\n TOBN(0xd619a818, 0x09c15b7c), TOBN(0xea06b329, 0x0e80c854)},\n {TOBN(0x174811ce, 0xa5f5e7b9), TOBN(0x66dfc310, 0x787c65f4),\n TOBN(0x4ea7bd69, 0x3316ab54), TOBN(0xc12c4acb, 0x1dcc0f70)}},\n {{TOBN(0xe4308d1a, 0x1e407dd9), TOBN(0xe8a3587c, 0x91afa997),\n TOBN(0xea296c12, 0xab77b7a5), TOBN(0xb5ad49e4, 0x673c0d52)},\n {TOBN(0x40f9b2b2, 0x7006085a), TOBN(0xa88ff340, 0x87bf6ec2),\n TOBN(0x978603b1, 0x4e3066a6), TOBN(0xb3f99fc2, 0xb5e486e2)}},\n {{TOBN(0x07b53f5e, 0xb2e63645), TOBN(0xbe57e547, 0x84c84232),\n TOBN(0xd779c216, 0x7214d5cf), TOBN(0x617969cd, 0x029a3aca)},\n {TOBN(0xd17668cd, 0x8a7017a0), TOBN(0x77b4d19a, 0xbe9b7ee8),\n TOBN(0x58fd0e93, 0x9c161776), TOBN(0xa8c4f4ef, 0xd5968a72)}},\n {{TOBN(0x296071cc, 0x67b3de77), TOBN(0xae3c0b8e, 0x634f7905),\n TOBN(0x67e440c2, 0x8a7100c9), TOBN(0xbb8c3c1b, 0xeb4b9b42)},\n {TOBN(0x6d71e8ea, 0xc51b3583), TOBN(0x7591f5af, 0x9525e642),\n TOBN(0xf73a2f7b, 0x13f509f3), TOBN(0x618487aa, 0x5619ac9b)}},\n {{TOBN(0x3a72e5f7, 0x9d61718a), TOBN(0x00413bcc, 0x7592d28c),\n TOBN(0x7d9b11d3, 0x963c35cf), TOBN(0x77623bcf, 0xb90a46ed)},\n {TOBN(0xdeef273b, 0xdcdd2a50), TOBN(0x4a741f9b, 0x0601846e),\n TOBN(0x33b89e51, 0x0ec6e929), TOBN(0xcb02319f, 0x8b7f22cd)}},\n {{TOBN(0xbbe1500d, 0x084bae24), TOBN(0x2f0ae8d7, 0x343d2693),\n TOBN(0xacffb5f2, 0x7cdef811), TOBN(0xaa0c030a, 0x263fb94f)},\n {TOBN(0x6eef0d61, 0xa0f442de), TOBN(0xf92e1817, 0x27b139d3),\n TOBN(0x1ae6deb7, 0x0ad8bc28), TOBN(0xa89e38dc, 0xc0514130)}},\n {{TOBN(0x81eeb865, 0xd2fdca23), TOBN(0x5a15ee08, 0xcc8ef895),\n TOBN(0x768fa10a, 0x01905614), TOBN(0xeff5b8ef, 0x880ee19b)},\n {TOBN(0xf0c0cabb, 0xcb1c8a0e), TOBN(0x2e1ee9cd, 0xb8c838f9),\n TOBN(0x0587d8b8, 0x8a4a14c0), TOBN(0xf6f27896, 0x2ff698e5)}},\n {{TOBN(0xed38ef1c, 0x89ee6256), TOBN(0xf44ee1fe, 0x6b353b45),\n TOBN(0x9115c0c7, 0x70e903b3), TOBN(0xc78ec0a1, 0x818f31df)},\n {TOBN(0x6c003324, 0xb7dccbc6), TOBN(0xd96dd1f3, 0x163bbc25),\n TOBN(0x33aa82dd, 0x5cedd805), TOBN(0x123aae4f, 0x7f7eb2f1)}},\n {{TOBN(0x1723fcf5, 0xa26262cd), TOBN(0x1f7f4d5d, 0x0060ebd5),\n TOBN(0xf19c5c01, 0xb2eaa3af), TOBN(0x2ccb9b14, 0x9790accf)},\n {TOBN(0x1f9c1cad, 0x52324aa6), TOBN(0x63200526, 0x7247df54),\n TOBN(0x5732fe42, 0xbac96f82), TOBN(0x52fe771f, 0x01a1c384)}},\n {{TOBN(0x546ca13d, 0xb1001684), TOBN(0xb56b4eee, 0xa1709f75),\n TOBN(0x266545a9, 0xd5db8672), TOBN(0xed971c90, 0x1e8f3cfb)},\n {TOBN(0x4e7d8691, 0xe3a07b29), TOBN(0x7570d9ec, 0xe4b696b9),\n TOBN(0xdc5fa067, 0x7bc7e9ae), TOBN(0x68b44caf, 0xc82c4844)}},\n {{TOBN(0x519d34b3, 0xbf44da80), TOBN(0x283834f9, 0x5ab32e66),\n TOBN(0x6e608797, 0x6278a000), TOBN(0x1e62960e, 0x627312f6)},\n {TOBN(0x9b87b27b, 0xe6901c55), TOBN(0x80e78538, 0x24fdbc1f),\n TOBN(0xbbbc0951, 0x2facc27d), TOBN(0x06394239, 0xac143b5a)}},\n {{TOBN(0x35bb4a40, 0x376c1944), TOBN(0x7cb62694, 0x63da1511),\n TOBN(0xafd29161, 0xb7148a3b), TOBN(0xa6f9d9ed, 0x4e2ea2ee)},\n {TOBN(0x15dc2ca2, 0x880dd212), TOBN(0x903c3813, 0xa61139a9),\n TOBN(0x2aa7b46d, 0x6c0f8785), TOBN(0x36ce2871, 0x901c60ff)}},\n {{TOBN(0xc683b028, 0xe10d9c12), TOBN(0x7573baa2, 0x032f33d3),\n TOBN(0x87a9b1f6, 0x67a31b58), TOBN(0xfd3ed11a, 0xf4ffae12)},\n {TOBN(0x83dcaa9a, 0x0cb2748e), TOBN(0x8239f018, 0x5d6fdf16),\n TOBN(0xba67b49c, 0x72753941), TOBN(0x2beec455, 0xc321cb36)}},\n {{TOBN(0x88015606, 0x3f8b84ce), TOBN(0x76417083, 0x8d38c86f),\n TOBN(0x054f1ca7, 0x598953dd), TOBN(0xc939e110, 0x4e8e7429)},\n {TOBN(0x9b1ac2b3, 0x5a914f2f), TOBN(0x39e35ed3, 0xe74b8f9c),\n TOBN(0xd0debdb2, 0x781b2fb0), TOBN(0x1585638f, 0x2d997ba2)}},\n {{TOBN(0x9c4b646e, 0x9e2fce99), TOBN(0x68a21081, 0x1e80857f),\n TOBN(0x06d54e44, 0x3643b52a), TOBN(0xde8d6d63, 0x0d8eb843)},\n {TOBN(0x70321563, 0x42146a0a), TOBN(0x8ba826f2, 0x5eaa3622),\n TOBN(0x227a58bd, 0x86138787), TOBN(0x43b6c03c, 0x10281d37)}},\n {{TOBN(0x6326afbb, 0xb54dde39), TOBN(0x744e5e8a, 0xdb6f2d5f),\n TOBN(0x48b2a99a, 0xcff158e1), TOBN(0xa93c8fa0, 0xef87918f)},\n {TOBN(0x2182f956, 0xde058c5c), TOBN(0x216235d2, 0x936f9e7a),\n TOBN(0xace0c0db, 0xd2e31e67), TOBN(0xc96449bf, 0xf23ac3e7)}},\n {{TOBN(0x7e9a2874, 0x170693bd), TOBN(0xa28e14fd, 0xa45e6335),\n TOBN(0x5757f6b3, 0x56427344), TOBN(0x822e4556, 0xacf8edf9)},\n {TOBN(0x2b7a6ee2, 0xe6a285cd), TOBN(0x5866f211, 0xa9df3af0),\n TOBN(0x40dde2dd, 0xf845b844), TOBN(0x986c3726, 0x110e5e49)}},\n {{TOBN(0x73680c2a, 0xf7172277), TOBN(0x57b94f0f, 0x0cccb244),\n TOBN(0xbdff7267, 0x2d438ca7), TOBN(0xbad1ce11, 0xcf4663fd)},\n {TOBN(0x9813ed9d, 0xd8f71cae), TOBN(0xf43272a6, 0x961fdaa6),\n TOBN(0xbeff0119, 0xbd6d1637), TOBN(0xfebc4f91, 0x30361978)}},\n {{TOBN(0x02b37a95, 0x2f41deff), TOBN(0x0e44a59a, 0xe63b89b7),\n TOBN(0x673257dc, 0x143ff951), TOBN(0x19c02205, 0xd752baf4)},\n {TOBN(0x46c23069, 0xc4b7d692), TOBN(0x2e6392c3, 0xfd1502ac),\n TOBN(0x6057b1a2, 0x1b220846), TOBN(0xe51ff946, 0x0c1b5b63)}}},\n {{{TOBN(0x6e85cb51, 0x566c5c43), TOBN(0xcff9c919, 0x3597f046),\n TOBN(0x9354e90c, 0x4994d94a), TOBN(0xe0a39332, 0x2147927d)},\n {TOBN(0x8427fac1, 0x0dc1eb2b), TOBN(0x88cfd8c2, 0x2ff319fa),\n TOBN(0xe2d4e684, 0x01965274), TOBN(0xfa2e067d, 0x67aaa746)}},\n {{TOBN(0xb6d92a7f, 0x3e5f9f11), TOBN(0x9afe153a, 0xd6cb3b8e),\n TOBN(0x4d1a6dd7, 0xddf800bd), TOBN(0xf6c13cc0, 0xcaf17e19)},\n {TOBN(0x15f6c58e, 0x325fc3ee), TOBN(0x71095400, 0xa31dc3b2),\n TOBN(0x168e7c07, 0xafa3d3e7), TOBN(0x3f8417a1, 0x94c7ae2d)}},\n {{TOBN(0xec234772, 0x813b230d), TOBN(0x634d0f5f, 0x17344427),\n TOBN(0x11548ab1, 0xd77fc56a), TOBN(0x7fab1750, 0xce06af77)},\n {TOBN(0xb62c10a7, 0x4f7c4f83), TOBN(0xa7d2edc4, 0x220a67d9),\n TOBN(0x1c404170, 0x921209a0), TOBN(0x0b9815a0, 0xface59f0)}},\n {{TOBN(0x2842589b, 0x319540c3), TOBN(0x18490f59, 0xa283d6f8),\n TOBN(0xa2731f84, 0xdaae9fcb), TOBN(0x3db6d960, 0xc3683ba0)},\n {TOBN(0xc85c63bb, 0x14611069), TOBN(0xb19436af, 0x0788bf05),\n TOBN(0x905459df, 0x347460d2), TOBN(0x73f6e094, 0xe11a7db1)}},\n {{TOBN(0xdc7f938e, 0xb6357f37), TOBN(0xc5d00f79, 0x2bd8aa62),\n TOBN(0xc878dcb9, 0x2ca979fc), TOBN(0x37e83ed9, 0xeb023a99)},\n {TOBN(0x6b23e273, 0x1560bf3d), TOBN(0x1086e459, 0x1d0fae61),\n TOBN(0x78248316, 0x9a9414bd), TOBN(0x1b956bc0, 0xf0ea9ea1)}},\n {{TOBN(0x7b85bb91, 0xc31b9c38), TOBN(0x0c5aa90b, 0x48ef57b5),\n TOBN(0xdedeb169, 0xaf3bab6f), TOBN(0xe610ad73, 0x2d373685)},\n {TOBN(0xf13870df, 0x02ba8e15), TOBN(0x0337edb6, 0x8ca7f771),\n TOBN(0xe4acf747, 0xb62c036c), TOBN(0xd921d576, 0xb6b94e81)}},\n {{TOBN(0xdbc86439, 0x2c422f7a), TOBN(0xfb635362, 0xed348898),\n TOBN(0x83084668, 0xc45bfcd1), TOBN(0xc357c9e3, 0x2b315e11)},\n {TOBN(0xb173b540, 0x5b2e5b8c), TOBN(0x7e946931, 0xe102b9a4),\n TOBN(0x17c890eb, 0x7b0fb199), TOBN(0xec225a83, 0xd61b662b)}},\n {{TOBN(0xf306a3c8, 0xee3c76cb), TOBN(0x3cf11623, 0xd32a1f6e),\n TOBN(0xe6d5ab64, 0x6863e956), TOBN(0x3b8a4cbe, 0x5c005c26)},\n {TOBN(0xdcd529a5, 0x9ce6bb27), TOBN(0xc4afaa52, 0x04d4b16f),\n TOBN(0xb0624a26, 0x7923798d), TOBN(0x85e56df6, 0x6b307fab)}},\n {{TOBN(0x0281893c, 0x2bf29698), TOBN(0x91fc19a4, 0xd7ce7603),\n TOBN(0x75a5dca3, 0xad9a558f), TOBN(0x40ceb3fa, 0x4d50bf77)},\n {TOBN(0x1baf6060, 0xbc9ba369), TOBN(0x927e1037, 0x597888c2),\n TOBN(0xd936bf19, 0x86a34c07), TOBN(0xd4cf10c1, 0xc34ae980)}},\n {{TOBN(0x3a3e5334, 0x859dd614), TOBN(0x9c475b5b, 0x18d0c8ee),\n TOBN(0x63080d1f, 0x07cd51d5), TOBN(0xc9c0d0a6, 0xb88b4326)},\n {TOBN(0x1ac98691, 0xc234296f), TOBN(0x2a0a83a4, 0x94887fb6),\n TOBN(0x56511427, 0x0cea9cf2), TOBN(0x5230a6e8, 0xa24802f5)}},\n {{TOBN(0xf7a2bf0f, 0x72e3d5c1), TOBN(0x37717446, 0x4f21439e),\n TOBN(0xfedcbf25, 0x9ce30334), TOBN(0xe0030a78, 0x7ce202f9)},\n {TOBN(0x6f2d9ebf, 0x1202e9ca), TOBN(0xe79dde6c, 0x75e6e591),\n TOBN(0xf52072af, 0xf1dac4f8), TOBN(0x6c8d087e, 0xbb9b404d)}},\n {{TOBN(0xad0fc73d, 0xbce913af), TOBN(0x909e587b, 0x458a07cb),\n TOBN(0x1300da84, 0xd4f00c8a), TOBN(0x425cd048, 0xb54466ac)},\n {TOBN(0xb59cb9be, 0x90e9d8bf), TOBN(0x991616db, 0x3e431b0e),\n TOBN(0xd3aa117a, 0x531aecff), TOBN(0x91af92d3, 0x59f4dc3b)}},\n {{TOBN(0x9b1ec292, 0xe93fda29), TOBN(0x76bb6c17, 0xe97d91bc),\n TOBN(0x7509d95f, 0xaface1e6), TOBN(0x3653fe47, 0xbe855ae3)},\n {TOBN(0x73180b28, 0x0f680e75), TOBN(0x75eefd1b, 0xeeb6c26c),\n TOBN(0xa4cdf29f, 0xb66d4236), TOBN(0x2d70a997, 0x6b5821d8)}},\n {{TOBN(0x7a3ee207, 0x20445c36), TOBN(0x71d1ac82, 0x59877174),\n TOBN(0x0fc539f7, 0x949f73e9), TOBN(0xd05cf3d7, 0x982e3081)},\n {TOBN(0x8758e20b, 0x7b1c7129), TOBN(0xffadcc20, 0x569e61f2),\n TOBN(0xb05d3a2f, 0x59544c2d), TOBN(0xbe16f5c1, 0x9fff5e53)}},\n {{TOBN(0x73cf65b8, 0xaad58135), TOBN(0x622c2119, 0x037aa5be),\n TOBN(0x79373b3f, 0x646fd6a0), TOBN(0x0e029db5, 0x0d3978cf)},\n {TOBN(0x8bdfc437, 0x94fba037), TOBN(0xaefbd687, 0x620797a6),\n TOBN(0x3fa5382b, 0xbd30d38e), TOBN(0x7627cfbf, 0x585d7464)}},\n {{TOBN(0xb2330fef, 0x4e4ca463), TOBN(0xbcef7287, 0x3566cc63),\n TOBN(0xd161d2ca, 0xcf780900), TOBN(0x135dc539, 0x5b54827d)},\n {TOBN(0x638f052e, 0x27bf1bc6), TOBN(0x10a224f0, 0x07dfa06c),\n TOBN(0xe973586d, 0x6d3321da), TOBN(0x8b0c5738, 0x26152c8f)}},\n {{TOBN(0x07ef4f2a, 0x34606074), TOBN(0x80fe7fe8, 0xa0f7047a),\n TOBN(0x3d1a8152, 0xe1a0e306), TOBN(0x32cf43d8, 0x88da5222)},\n {TOBN(0xbf89a95f, 0x5f02ffe6), TOBN(0x3d9eb9a4, 0x806ad3ea),\n TOBN(0x012c17bb, 0x79c8e55e), TOBN(0xfdcd1a74, 0x99c81dac)}},\n {{TOBN(0x7043178b, 0xb9556098), TOBN(0x4090a1df, 0x801c3886),\n TOBN(0x759800ff, 0x9b67b912), TOBN(0x3e5c0304, 0x232620c8)},\n {TOBN(0x4b9d3c4b, 0x70dceeca), TOBN(0xbb2d3c15, 0x181f648e),\n TOBN(0xf981d837, 0x6e33345c), TOBN(0xb626289b, 0x0cf2297a)}},\n {{TOBN(0x766ac659, 0x8baebdcf), TOBN(0x1a28ae09, 0x75df01e5),\n TOBN(0xb71283da, 0x375876d8), TOBN(0x4865a96d, 0x607b9800)},\n {TOBN(0x25dd1bcd, 0x237936b2), TOBN(0x332f4f4b, 0x60417494),\n TOBN(0xd0923d68, 0x370a2147), TOBN(0x497f5dfb, 0xdc842203)}},\n {{TOBN(0x9dc74cbd, 0x32be5e0f), TOBN(0x7475bcb7, 0x17a01375),\n TOBN(0x438477c9, 0x50d872b1), TOBN(0xcec67879, 0xffe1d63d)},\n {TOBN(0x9b006014, 0xd8578c70), TOBN(0xc9ad99a8, 0x78bb6b8b),\n TOBN(0x6799008e, 0x11fb3806), TOBN(0xcfe81435, 0xcd44cab3)}},\n {{TOBN(0xa2ee1582, 0x2f4fb344), TOBN(0xb8823450, 0x483fa6eb),\n TOBN(0x622d323d, 0x652c7749), TOBN(0xd8474a98, 0xbeb0a15b)},\n {TOBN(0xe43c154d, 0x5d1c00d0), TOBN(0x7fd581d9, 0x0e3e7aac),\n TOBN(0x2b44c619, 0x2525ddf8), TOBN(0x67a033eb, 0xb8ae9739)}},\n {{TOBN(0x113ffec1, 0x9ef2d2e4), TOBN(0x1bf6767e, 0xd5a0ea7f),\n TOBN(0x57fff75e, 0x03714c0a), TOBN(0xa23c422e, 0x0a23e9ee)},\n {TOBN(0xdd5f6b2d, 0x540f83af), TOBN(0xc2c2c27e, 0x55ea46a7),\n TOBN(0xeb6b4246, 0x672a1208), TOBN(0xd13599f7, 0xae634f7a)}},\n {{TOBN(0xcf914b5c, 0xd7b32c6e), TOBN(0x61a5a640, 0xeaf61814),\n TOBN(0x8dc3df8b, 0x208a1bbb), TOBN(0xef627fd6, 0xb6d79aa5)},\n {TOBN(0x44232ffc, 0xc4c86bc8), TOBN(0xe6f9231b, 0x061539fe),\n TOBN(0x1d04f25a, 0x958b9533), TOBN(0x180cf934, 0x49e8c885)}},\n {{TOBN(0x89689595, 0x9884aaf7), TOBN(0xb1959be3, 0x07b348a6),\n TOBN(0x96250e57, 0x3c147c87), TOBN(0xae0efb3a, 0xdd0c61f8)},\n {TOBN(0xed00745e, 0xca8c325e), TOBN(0x3c911696, 0xecff3f70),\n TOBN(0x73acbc65, 0x319ad41d), TOBN(0x7b01a020, 0xf0b1c7ef)}},\n {{TOBN(0xea32b293, 0x63a1483f), TOBN(0x89eabe71, 0x7a248f96),\n TOBN(0x9c6231d3, 0x343157e5), TOBN(0x93a375e5, 0xdf3c546d)},\n {TOBN(0xe76e9343, 0x6a2afe69), TOBN(0xc4f89100, 0xe166c88e),\n TOBN(0x248efd0d, 0x4f872093), TOBN(0xae0eb3ea, 0x8fe0ea61)}},\n {{TOBN(0xaf89790d, 0x9d79046e), TOBN(0x4d650f2d, 0x6cee0976),\n TOBN(0xa3935d9a, 0x43071eca), TOBN(0x66fcd2c9, 0x283b0bfe)},\n {TOBN(0x0e665eb5, 0x696605f1), TOBN(0xe77e5d07, 0xa54cd38d),\n TOBN(0x90ee050a, 0x43d950cf), TOBN(0x86ddebda, 0xd32e69b5)}},\n {{TOBN(0x6ad94a3d, 0xfddf7415), TOBN(0xf7fa1309, 0x3f6e8d5a),\n TOBN(0xc4831d1d, 0xe9957f75), TOBN(0x7de28501, 0xd5817447)},\n {TOBN(0x6f1d7078, 0x9e2aeb6b), TOBN(0xba2b9ff4, 0xf67a53c2),\n TOBN(0x36963767, 0xdf9defc3), TOBN(0x479deed3, 0x0d38022c)}},\n {{TOBN(0xd2edb89b, 0x3a8631e8), TOBN(0x8de855de, 0x7a213746),\n TOBN(0xb2056cb7, 0xb00c5f11), TOBN(0xdeaefbd0, 0x2c9b85e4)},\n {TOBN(0x03f39a8d, 0xd150892d), TOBN(0x37b84686, 0x218b7985),\n TOBN(0x36296dd8, 0xb7375f1a), TOBN(0x472cd4b1, 0xb78e898e)}},\n {{TOBN(0x15dff651, 0xe9f05de9), TOBN(0xd4045069, 0x2ce98ba9),\n TOBN(0x8466a7ae, 0x9b38024c), TOBN(0xb910e700, 0xe5a6b5ef)},\n {TOBN(0xae1c56ea, 0xb3aa8f0d), TOBN(0xbab2a507, 0x7eee74a6),\n TOBN(0x0dca11e2, 0x4b4c4620), TOBN(0xfd896e2e, 0x4c47d1f4)}},\n {{TOBN(0xeb45ae53, 0x308fbd93), TOBN(0x46cd5a2e, 0x02c36fda),\n TOBN(0x6a3d4e90, 0xbaa48385), TOBN(0xdd55e62e, 0x9dbe9960)},\n {TOBN(0xa1406aa0, 0x2a81ede7), TOBN(0x6860dd14, 0xf9274ea7),\n TOBN(0xcfdcb0c2, 0x80414f86), TOBN(0xff410b10, 0x22f94327)}},\n {{TOBN(0x5a33cc38, 0x49ad467b), TOBN(0xefb48b6c, 0x0a7335f1),\n TOBN(0x14fb54a4, 0xb153a360), TOBN(0x604aa9d2, 0xb52469cc)},\n {TOBN(0x5e9dc486, 0x754e48e9), TOBN(0x693cb455, 0x37471e8e),\n TOBN(0xfb2fd7cd, 0x8d3b37b6), TOBN(0x63345e16, 0xcf09ff07)}},\n {{TOBN(0x9910ba6b, 0x23a5d896), TOBN(0x1fe19e35, 0x7fe4364e),\n TOBN(0x6e1da8c3, 0x9a33c677), TOBN(0x15b4488b, 0x29fd9fd0)},\n {TOBN(0x1f439254, 0x1a1f22bf), TOBN(0x920a8a70, 0xab8163e8),\n TOBN(0x3fd1b249, 0x07e5658e), TOBN(0xf2c4f79c, 0xb6ec839b)}},\n {{TOBN(0x1abbc3d0, 0x4aa38d1b), TOBN(0x3b0db35c, 0xb5d9510e),\n TOBN(0x1754ac78, 0x3e60dec0), TOBN(0x53272fd7, 0xea099b33)},\n {TOBN(0x5fb0494f, 0x07a8e107), TOBN(0x4a89e137, 0x6a8191fa),\n TOBN(0xa113b7f6, 0x3c4ad544), TOBN(0x88a2e909, 0x6cb9897b)}},\n {{TOBN(0x17d55de3, 0xb44a3f84), TOBN(0xacb2f344, 0x17c6c690),\n TOBN(0x32088168, 0x10232390), TOBN(0xf2e8a61f, 0x6c733bf7)},\n {TOBN(0xa774aab6, 0x9c2d7652), TOBN(0xfb5307e3, 0xed95c5bc),\n TOBN(0xa05c73c2, 0x4981f110), TOBN(0x1baae31c, 0xa39458c9)}},\n {{TOBN(0x1def185b, 0xcbea62e7), TOBN(0xe8ac9eae, 0xeaf63059),\n TOBN(0x098a8cfd, 0x9921851c), TOBN(0xd959c3f1, 0x3abe2f5b)},\n {TOBN(0xa4f19525, 0x20e40ae5), TOBN(0x320789e3, 0x07a24aa1),\n TOBN(0x259e6927, 0x7392b2bc), TOBN(0x58f6c667, 0x1918668b)}},\n {{TOBN(0xce1db2bb, 0xc55d2d8b), TOBN(0x41d58bb7, 0xf4f6ca56),\n TOBN(0x7650b680, 0x8f877614), TOBN(0x905e16ba, 0xf4c349ed)},\n {TOBN(0xed415140, 0xf661acac), TOBN(0x3b8784f0, 0xcb2270af),\n TOBN(0x3bc280ac, 0x8a402cba), TOBN(0xd53f7146, 0x0937921a)}},\n {{TOBN(0xc03c8ee5, 0xe5681e83), TOBN(0x62126105, 0xf6ac9e4a),\n TOBN(0x9503a53f, 0x936b1a38), TOBN(0x3d45e2d4, 0x782fecbd)},\n {TOBN(0x69a5c439, 0x76e8ae98), TOBN(0xb53b2eeb, 0xbfb4b00e),\n TOBN(0xf1674712, 0x72386c89), TOBN(0x30ca34a2, 0x4268bce4)}},\n {{TOBN(0x7f1ed86c, 0x78341730), TOBN(0x8ef5beb8, 0xb525e248),\n TOBN(0xbbc489fd, 0xb74fbf38), TOBN(0x38a92a0e, 0x91a0b382)},\n {TOBN(0x7a77ba3f, 0x22433ccf), TOBN(0xde8362d6, 0xa29f05a9),\n TOBN(0x7f6a30ea, 0x61189afc), TOBN(0x693b5505, 0x59ef114f)}},\n {{TOBN(0x50266bc0, 0xcd1797a1), TOBN(0xea17b47e, 0xf4b7af2d),\n TOBN(0xd6c4025c, 0x3df9483e), TOBN(0x8cbb9d9f, 0xa37b18c9)},\n {TOBN(0x91cbfd9c, 0x4d8424cf), TOBN(0xdb7048f1, 0xab1c3506),\n TOBN(0x9eaf641f, 0x028206a3), TOBN(0xf986f3f9, 0x25bdf6ce)}},\n {{TOBN(0x262143b5, 0x224c08dc), TOBN(0x2bbb09b4, 0x81b50c91),\n TOBN(0xc16ed709, 0xaca8c84f), TOBN(0xa6210d9d, 0xb2850ca8)},\n {TOBN(0x6d8df67a, 0x09cb54d6), TOBN(0x91eef6e0, 0x500919a4),\n TOBN(0x90f61381, 0x0f132857), TOBN(0x9acede47, 0xf8d5028b)}},\n {{TOBN(0x844d1b71, 0x90b771c3), TOBN(0x563b71e4, 0xba6426be),\n TOBN(0x2efa2e83, 0xbdb802ff), TOBN(0x3410cbab, 0xab5b4a41)},\n {TOBN(0x555b2d26, 0x30da84dd), TOBN(0xd0711ae9, 0xee1cc29a),\n TOBN(0xcf3e8c60, 0x2f547792), TOBN(0x03d7d5de, 0xdc678b35)}},\n {{TOBN(0x071a2fa8, 0xced806b8), TOBN(0x222e6134, 0x697f1478),\n TOBN(0xdc16fd5d, 0xabfcdbbf), TOBN(0x44912ebf, 0x121b53b8)},\n {TOBN(0xac943674, 0x2496c27c), TOBN(0x8ea3176c, 0x1ffc26b0),\n TOBN(0xb6e224ac, 0x13debf2c), TOBN(0x524cc235, 0xf372a832)}},\n {{TOBN(0xd706e1d8, 0x9f6f1b18), TOBN(0x2552f005, 0x44cce35b),\n TOBN(0x8c8326c2, 0xa88e31fc), TOBN(0xb5468b2c, 0xf9552047)},\n {TOBN(0xce683e88, 0x3ff90f2b), TOBN(0x77947bdf, 0x2f0a5423),\n TOBN(0xd0a1b28b, 0xed56e328), TOBN(0xaee35253, 0xc20134ac)}},\n {{TOBN(0x7e98367d, 0x3567962f), TOBN(0x379ed61f, 0x8188bffb),\n TOBN(0x73bba348, 0xfaf130a1), TOBN(0x6c1f75e1, 0x904ed734)},\n {TOBN(0x18956642, 0x3b4a79fc), TOBN(0xf20bc83d, 0x54ef4493),\n TOBN(0x836d425d, 0x9111eca1), TOBN(0xe5b5c318, 0x009a8dcf)}},\n {{TOBN(0x3360b25d, 0x13221bc5), TOBN(0x707baad2, 0x6b3eeaf7),\n TOBN(0xd7279ed8, 0x743a95a1), TOBN(0x7450a875, 0x969e809f)},\n {TOBN(0x32b6bd53, 0xe5d0338f), TOBN(0x1e77f7af, 0x2b883bbc),\n TOBN(0x90da12cc, 0x1063ecd0), TOBN(0xe2697b58, 0xc315be47)}},\n {{TOBN(0x2771a5bd, 0xda85d534), TOBN(0x53e78c1f, 0xff980eea),\n TOBN(0xadf1cf84, 0x900385e7), TOBN(0x7d3b14f6, 0xc9387b62)},\n {TOBN(0x170e74b0, 0xcb8f2bd2), TOBN(0x2d50b486, 0x827fa993),\n TOBN(0xcdbe8c9a, 0xf6f32bab), TOBN(0x55e906b0, 0xc3b93ab8)}},\n {{TOBN(0x747f22fc, 0x8fe280d1), TOBN(0xcd8e0de5, 0xb2e114ab),\n TOBN(0x5ab7dbeb, 0xe10b68b0), TOBN(0x9dc63a9c, 0xa480d4b2)},\n {TOBN(0x78d4bc3b, 0x4be1495f), TOBN(0x25eb3db8, 0x9359122d),\n TOBN(0x3f8ac05b, 0x0809cbdc), TOBN(0xbf4187bb, 0xd37c702f)}},\n {{TOBN(0x84cea069, 0x1416a6a5), TOBN(0x8f860c79, 0x43ef881c),\n TOBN(0x41311f8a, 0x38038a5d), TOBN(0xe78c2ec0, 0xfc612067)},\n {TOBN(0x494d2e81, 0x5ad73581), TOBN(0xb4cc9e00, 0x59604097),\n TOBN(0xff558aec, 0xf3612cba), TOBN(0x35beef7a, 0x9e36c39e)}},\n {{TOBN(0x1845c7cf, 0xdbcf41b9), TOBN(0x5703662a, 0xaea997c0),\n TOBN(0x8b925afe, 0xe402f6d8), TOBN(0xd0a1b1ae, 0x4dd72162)},\n {TOBN(0x9f47b375, 0x03c41c4b), TOBN(0xa023829b, 0x0391d042),\n TOBN(0x5f5045c3, 0x503b8b0a), TOBN(0x123c2688, 0x98c010e5)}},\n {{TOBN(0x324ec0cc, 0x36ba06ee), TOBN(0xface3115, 0x3dd2cc0c),\n TOBN(0xb364f3be, 0xf333e91f), TOBN(0xef8aff73, 0x28e832b0)},\n {TOBN(0x1e9bad04, 0x2d05841b), TOBN(0x42f0e3df, 0x356a21e2),\n TOBN(0xa3270bcb, 0x4add627e), TOBN(0xb09a8158, 0xd322e711)}},\n {{TOBN(0x86e326a1, 0x0fee104a), TOBN(0xad7788f8, 0x3703f65d),\n TOBN(0x7e765430, 0x47bc4833), TOBN(0x6cee582b, 0x2b9b893a)},\n {TOBN(0x9cd2a167, 0xe8f55a7b), TOBN(0xefbee3c6, 0xd9e4190d),\n TOBN(0x33ee7185, 0xd40c2e9d), TOBN(0x844cc9c5, 0xa380b548)}},\n {{TOBN(0x323f8ecd, 0x66926e04), TOBN(0x0001e38f, 0x8110c1ba),\n TOBN(0x8dbcac12, 0xfc6a7f07), TOBN(0xd65e1d58, 0x0cec0827)},\n {TOBN(0xd2cd4141, 0xbe76ca2d), TOBN(0x7895cf5c, 0xe892f33a),\n TOBN(0x956d230d, 0x367139d2), TOBN(0xa91abd3e, 0xd012c4c1)}},\n {{TOBN(0x34fa4883, 0x87eb36bf), TOBN(0xc5f07102, 0x914b8fb4),\n TOBN(0x90f0e579, 0xadb9c95f), TOBN(0xfe6ea8cb, 0x28888195)},\n {TOBN(0x7b9b5065, 0xedfa9284), TOBN(0x6c510bd2, 0x2b8c8d65),\n TOBN(0xd7b8ebef, 0xcbe8aafd), TOBN(0xedb3af98, 0x96b1da07)}},\n {{TOBN(0x28ff779d, 0x6295d426), TOBN(0x0c4f6ac7, 0x3fa3ad7b),\n TOBN(0xec44d054, 0x8b8e2604), TOBN(0x9b32a66d, 0x8b0050e1)},\n {TOBN(0x1f943366, 0xf0476ce2), TOBN(0x7554d953, 0xa602c7b4),\n TOBN(0xbe35aca6, 0x524f2809), TOBN(0xb6881229, 0xfd4edbea)}},\n {{TOBN(0xe8cd0c8f, 0x508efb63), TOBN(0x9eb5b5c8, 0x6abcefc7),\n TOBN(0xf5621f5f, 0xb441ab4f), TOBN(0x79e6c046, 0xb76a2b22)},\n {TOBN(0x74a4792c, 0xe37a1f69), TOBN(0xcbd252cb, 0x03542b60),\n TOBN(0x785f65d5, 0xb3c20bd3), TOBN(0x8dea6143, 0x4fabc60c)}},\n {{TOBN(0x45e21446, 0xde673629), TOBN(0x57f7aa1e, 0x703c2d21),\n TOBN(0xa0e99b7f, 0x98c868c7), TOBN(0x4e42f66d, 0x8b641676)},\n {TOBN(0x602884dc, 0x91077896), TOBN(0xa0d690cf, 0xc2c9885b),\n TOBN(0xfeb4da33, 0x3b9a5187), TOBN(0x5f789598, 0x153c87ee)}},\n {{TOBN(0x2192dd47, 0x52b16dba), TOBN(0xdeefc0e6, 0x3524c1b1),\n TOBN(0x465ea76e, 0xe4383693), TOBN(0x79401711, 0x361b8d98)},\n {TOBN(0xa5f9ace9, 0xf21a15cb), TOBN(0x73d26163, 0xefee9aeb),\n TOBN(0xcca844b3, 0xe677016c), TOBN(0x6c122b07, 0x57eaee06)}},\n {{TOBN(0xb782dce7, 0x15f09690), TOBN(0x508b9b12, 0x2dfc0fc9),\n TOBN(0x9015ab4b, 0x65d89fc6), TOBN(0x5e79dab7, 0xd6d5bb0f)},\n {TOBN(0x64f021f0, 0x6c775aa2), TOBN(0xdf09d8cc, 0x37c7eca1),\n TOBN(0x9a761367, 0xef2fa506), TOBN(0xed4ca476, 0x5b81eec6)}},\n {{TOBN(0x262ede36, 0x10bbb8b5), TOBN(0x0737ce83, 0x0641ada3),\n TOBN(0x4c94288a, 0xe9831ccc), TOBN(0x487fc1ce, 0x8065e635)},\n {TOBN(0xb13d7ab3, 0xb8bb3659), TOBN(0xdea5df3e, 0x855e4120),\n TOBN(0xb9a18573, 0x85eb0244), TOBN(0x1a1b8ea3, 0xa7cfe0a3)}},\n {{TOBN(0x3b837119, 0x67b0867c), TOBN(0x8d5e0d08, 0x9d364520),\n TOBN(0x52dccc1e, 0xd930f0e3), TOBN(0xefbbcec7, 0xbf20bbaf)},\n {TOBN(0x99cffcab, 0x0263ad10), TOBN(0xd8199e6d, 0xfcd18f8a),\n TOBN(0x64e2773f, 0xe9f10617), TOBN(0x0079e8e1, 0x08704848)}},\n {{TOBN(0x1169989f, 0x8a342283), TOBN(0x8097799c, 0xa83012e6),\n TOBN(0xece966cb, 0x8a6a9001), TOBN(0x93b3afef, 0x072ac7fc)},\n {TOBN(0xe6893a2a, 0x2db3d5ba), TOBN(0x263dc462, 0x89bf4fdc),\n TOBN(0x8852dfc9, 0xe0396673), TOBN(0x7ac70895, 0x3af362b6)}},\n {{TOBN(0xbb9cce4d, 0x5c2f342b), TOBN(0xbf80907a, 0xb52d7aae),\n TOBN(0x97f3d3cd, 0x2161bcd0), TOBN(0xb25b0834, 0x0962744d)},\n {TOBN(0xc5b18ea5, 0x6c3a1dda), TOBN(0xfe4ec7eb, 0x06c92317),\n TOBN(0xb787b890, 0xad1c4afe), TOBN(0xdccd9a92, 0x0ede801a)}},\n {{TOBN(0x9ac6ddda, 0xdb58da1f), TOBN(0x22bbc12f, 0xb8cae6ee),\n TOBN(0xc6f8bced, 0x815c4a43), TOBN(0x8105a92c, 0xf96480c7)},\n {TOBN(0x0dc3dbf3, 0x7a859d51), TOBN(0xe3ec7ce6, 0x3041196b),\n TOBN(0xd9f64b25, 0x0d1067c9), TOBN(0xf2321321, 0x3d1f8dd8)}},\n {{TOBN(0x8b5c619c, 0x76497ee8), TOBN(0x5d2b0ac6, 0xc717370e),\n TOBN(0x98204cb6, 0x4fcf68e1), TOBN(0x0bdec211, 0x62bc6792)},\n {TOBN(0x6973ccef, 0xa63b1011), TOBN(0xf9e3fa97, 0xe0de1ac5),\n TOBN(0x5efb693e, 0x3d0e0c8b), TOBN(0x037248e9, 0xd2d4fcb4)}}},\n {{{TOBN(0x80802dc9, 0x1ec34f9e), TOBN(0xd8772d35, 0x33810603),\n TOBN(0x3f06d66c, 0x530cb4f3), TOBN(0x7be5ed0d, 0xc475c129)},\n {TOBN(0xcb9e3c19, 0x31e82b10), TOBN(0xc63d2857, 0xc9ff6b4c),\n TOBN(0xb92118c6, 0x92a1b45e), TOBN(0x0aec4414, 0x7285bbca)}},\n {{TOBN(0xfc189ae7, 0x1e29a3ef), TOBN(0xcbe906f0, 0x4c93302e),\n TOBN(0xd0107914, 0xceaae10e), TOBN(0xb7a23f34, 0xb68e19f8)},\n {TOBN(0xe9d875c2, 0xefd2119d), TOBN(0x03198c6e, 0xfcadc9c8),\n TOBN(0x65591bf6, 0x4da17113), TOBN(0x3cf0bbf8, 0x3d443038)}},\n {{TOBN(0xae485bb7, 0x2b724759), TOBN(0x945353e1, 0xb2d4c63a),\n TOBN(0x82159d07, 0xde7d6f2c), TOBN(0x389caef3, 0x4ec5b109)},\n {TOBN(0x4a8ebb53, 0xdb65ef14), TOBN(0x2dc2cb7e, 0xdd99de43),\n TOBN(0x816fa3ed, 0x83f2405f), TOBN(0x73429bb9, 0xc14208a3)}},\n {{TOBN(0xb618d590, 0xb01e6e27), TOBN(0x047e2ccd, 0xe180b2dc),\n TOBN(0xd1b299b5, 0x04aea4a9), TOBN(0x412c9e1e, 0x9fa403a4)},\n {TOBN(0x88d28a36, 0x79407552), TOBN(0x49c50136, 0xf332b8e3),\n TOBN(0x3a1b6fcc, 0xe668de19), TOBN(0x178851bc, 0x75122b97)}},\n {{TOBN(0xb1e13752, 0xfb85fa4c), TOBN(0xd61257ce, 0x383c8ce9),\n TOBN(0xd43da670, 0xd2f74dae), TOBN(0xa35aa23f, 0xbf846bbb)},\n {TOBN(0x5e74235d, 0x4421fc83), TOBN(0xf6df8ee0, 0xc363473b),\n TOBN(0x34d7f52a, 0x3c4aa158), TOBN(0x50d05aab, 0x9bc6d22e)}},\n {{TOBN(0x8c56e735, 0xa64785f4), TOBN(0xbc56637b, 0x5f29cd07),\n TOBN(0x53b2bb80, 0x3ee35067), TOBN(0x50235a0f, 0xdc919270)},\n {TOBN(0x191ab6d8, 0xf2c4aa65), TOBN(0xc3475831, 0x8396023b),\n TOBN(0x80400ba5, 0xf0f805ba), TOBN(0x8881065b, 0x5ec0f80f)}},\n {{TOBN(0xc370e522, 0xcc1b5e83), TOBN(0xde2d4ad1, 0x860b8bfb),\n TOBN(0xad364df0, 0x67b256df), TOBN(0x8f12502e, 0xe0138997)},\n {TOBN(0x503fa0dc, 0x7783920a), TOBN(0xe80014ad, 0xc0bc866a),\n TOBN(0x3f89b744, 0xd3064ba6), TOBN(0x03511dcd, 0xcba5dba5)}},\n {{TOBN(0x197dd46d, 0x95a7b1a2), TOBN(0x9c4e7ad6, 0x3c6341fb),\n TOBN(0x426eca29, 0x484c2ece), TOBN(0x9211e489, 0xde7f4f8a)},\n {TOBN(0x14997f6e, 0xc78ef1f4), TOBN(0x2b2c0910, 0x06574586),\n TOBN(0x17286a6e, 0x1c3eede8), TOBN(0x25f92e47, 0x0f60e018)}},\n {{TOBN(0x805c5646, 0x31890a36), TOBN(0x703ef600, 0x57feea5b),\n TOBN(0x389f747c, 0xaf3c3030), TOBN(0xe0e5daeb, 0x54dd3739)},\n {TOBN(0xfe24a4c3, 0xc9c9f155), TOBN(0x7e4bf176, 0xb5393962),\n TOBN(0x37183de2, 0xaf20bf29), TOBN(0x4a1bd7b5, 0xf95a8c3b)}},\n {{TOBN(0xa83b9699, 0x46191d3d), TOBN(0x281fc8dd, 0x7b87f257),\n TOBN(0xb18e2c13, 0x54107588), TOBN(0x6372def7, 0x9b2bafe8)},\n {TOBN(0xdaf4bb48, 0x0d8972ca), TOBN(0x3f2dd4b7, 0x56167a3f),\n TOBN(0x1eace32d, 0x84310cf4), TOBN(0xe3bcefaf, 0xe42700aa)}},\n {{TOBN(0x5fe5691e, 0xd785e73d), TOBN(0xa5db5ab6, 0x2ea60467),\n TOBN(0x02e23d41, 0xdfc6514a), TOBN(0x35e8048e, 0xe03c3665)},\n {TOBN(0x3f8b118f, 0x1adaa0f8), TOBN(0x28ec3b45, 0x84ce1a5a),\n TOBN(0xe8cacc6e, 0x2c6646b8), TOBN(0x1343d185, 0xdbd0e40f)}},\n {{TOBN(0xe5d7f844, 0xcaaa358c), TOBN(0x1a1db7e4, 0x9924182a),\n TOBN(0xd64cd42d, 0x9c875d9a), TOBN(0xb37b515f, 0x042eeec8)},\n {TOBN(0x4d4dd409, 0x7b165fbe), TOBN(0xfc322ed9, 0xe206eff3),\n TOBN(0x7dee4102, 0x59b7e17e), TOBN(0x55a481c0, 0x8236ca00)}},\n {{TOBN(0x8c885312, 0xc23fc975), TOBN(0x15715806, 0x05d6297b),\n TOBN(0xa078868e, 0xf78edd39), TOBN(0x956b31e0, 0x03c45e52)},\n {TOBN(0x470275d5, 0xff7b33a6), TOBN(0xc8d5dc3a, 0x0c7e673f),\n TOBN(0x419227b4, 0x7e2f2598), TOBN(0x8b37b634, 0x4c14a975)}},\n {{TOBN(0xd0667ed6, 0x8b11888c), TOBN(0x5e0e8c3e, 0x803e25dc),\n TOBN(0x34e5d0dc, 0xb987a24a), TOBN(0x9f40ac3b, 0xae920323)},\n {TOBN(0x5463de95, 0x34e0f63a), TOBN(0xa128bf92, 0x6b6328f9),\n TOBN(0x491ccd7c, 0xda64f1b7), TOBN(0x7ef1ec27, 0xc47bde35)}},\n {{TOBN(0xa857240f, 0xa36a2737), TOBN(0x35dc1366, 0x63621bc1),\n TOBN(0x7a3a6453, 0xd4fb6897), TOBN(0x80f1a439, 0xc929319d)},\n {TOBN(0xfc18274b, 0xf8cb0ba0), TOBN(0xb0b53766, 0x8078c5eb),\n TOBN(0xfb0d4924, 0x1e01d0ef), TOBN(0x50d7c67d, 0x372ab09c)}},\n {{TOBN(0xb4e370af, 0x3aeac968), TOBN(0xe4f7fee9, 0xc4b63266),\n TOBN(0xb4acd4c2, 0xe3ac5664), TOBN(0xf8910bd2, 0xceb38cbf)},\n {TOBN(0x1c3ae50c, 0xc9c0726e), TOBN(0x15309569, 0xd97b40bf),\n TOBN(0x70884b7f, 0xfd5a5a1b), TOBN(0x3890896a, 0xef8314cd)}},\n {{TOBN(0x58e1515c, 0xa5618c93), TOBN(0xe665432b, 0x77d942d1),\n TOBN(0xb32181bf, 0xb6f767a8), TOBN(0x753794e8, 0x3a604110)},\n {TOBN(0x09afeb7c, 0xe8c0dbcc), TOBN(0x31e02613, 0x598673a3),\n TOBN(0x5d98e557, 0x7d46db00), TOBN(0xfc21fb8c, 0x9d985b28)}},\n {{TOBN(0xc9040116, 0xb0843e0b), TOBN(0x53b1b3a8, 0x69b04531),\n TOBN(0xdd1649f0, 0x85d7d830), TOBN(0xbb3bcc87, 0xcb7427e8)},\n {TOBN(0x77261100, 0xc93dce83), TOBN(0x7e79da61, 0xa1922a2a),\n TOBN(0x587a2b02, 0xf3149ce8), TOBN(0x147e1384, 0xde92ec83)}},\n {{TOBN(0x484c83d3, 0xaf077f30), TOBN(0xea78f844, 0x0658b53a),\n TOBN(0x912076c2, 0x027aec53), TOBN(0xf34714e3, 0x93c8177d)},\n {TOBN(0x37ef5d15, 0xc2376c84), TOBN(0x8315b659, 0x3d1aa783),\n TOBN(0x3a75c484, 0xef852a90), TOBN(0x0ba0c58a, 0x16086bd4)}},\n {{TOBN(0x29688d7a, 0x529a6d48), TOBN(0x9c7f250d, 0xc2f19203),\n TOBN(0x123042fb, 0x682e2df9), TOBN(0x2b7587e7, 0xad8121bc)},\n {TOBN(0x30fc0233, 0xe0182a65), TOBN(0xb82ecf87, 0xe3e1128a),\n TOBN(0x71682861, 0x93fb098f), TOBN(0x043e21ae, 0x85e9e6a7)}},\n {{TOBN(0xab5b49d6, 0x66c834ea), TOBN(0x3be43e18, 0x47414287),\n TOBN(0xf40fb859, 0x219a2a47), TOBN(0x0e6559e9, 0xcc58df3c)},\n {TOBN(0xfe1dfe8e, 0x0c6615b4), TOBN(0x14abc8fd, 0x56459d70),\n TOBN(0x7be0fa8e, 0x05de0386), TOBN(0x8e63ef68, 0xe9035c7c)}},\n {{TOBN(0x116401b4, 0x53b31e91), TOBN(0x0cba7ad4, 0x4436b4d8),\n TOBN(0x9151f9a0, 0x107afd66), TOBN(0xafaca8d0, 0x1f0ee4c4)},\n {TOBN(0x75fe5c1d, 0x9ee9761c), TOBN(0x3497a16b, 0xf0c0588f),\n TOBN(0x3ee2bebd, 0x0304804c), TOBN(0xa8fb9a60, 0xc2c990b9)}},\n {{TOBN(0xd14d32fe, 0x39251114), TOBN(0x36bf25bc, 0xcac73366),\n TOBN(0xc9562c66, 0xdba7495c), TOBN(0x324d301b, 0x46ad348b)},\n {TOBN(0x9f46620c, 0xd670407e), TOBN(0x0ea8d4f1, 0xe3733a01),\n TOBN(0xd396d532, 0xb0c324e0), TOBN(0x5b211a0e, 0x03c317cd)}},\n {{TOBN(0x090d7d20, 0x5ffe7b37), TOBN(0x3b7f3efb, 0x1747d2da),\n TOBN(0xa2cb525f, 0xb54fc519), TOBN(0x6e220932, 0xf66a971e)},\n {TOBN(0xddc160df, 0xb486d440), TOBN(0x7fcfec46, 0x3fe13465),\n TOBN(0x83da7e4e, 0x76e4c151), TOBN(0xd6fa48a1, 0xd8d302b5)}},\n {{TOBN(0xc6304f26, 0x5872cd88), TOBN(0x806c1d3c, 0x278b90a1),\n TOBN(0x3553e725, 0xcaf0bc1c), TOBN(0xff59e603, 0xbb9d8d5c)},\n {TOBN(0xa4550f32, 0x7a0b85dd), TOBN(0xdec5720a, 0x93ecc217),\n TOBN(0x0b88b741, 0x69d62213), TOBN(0x7212f245, 0x5b365955)}},\n {{TOBN(0x20764111, 0xb5cae787), TOBN(0x13cb7f58, 0x1dfd3124),\n TOBN(0x2dca77da, 0x1175aefb), TOBN(0xeb75466b, 0xffaae775)},\n {TOBN(0x74d76f3b, 0xdb6cff32), TOBN(0x7440f37a, 0x61fcda9a),\n TOBN(0x1bb3ac92, 0xb525028b), TOBN(0x20fbf8f7, 0xa1975f29)}},\n {{TOBN(0x982692e1, 0xdf83097f), TOBN(0x28738f6c, 0x554b0800),\n TOBN(0xdc703717, 0xa2ce2f2f), TOBN(0x7913b93c, 0x40814194)},\n {TOBN(0x04924593, 0x1fe89636), TOBN(0x7b98443f, 0xf78834a6),\n TOBN(0x11c6ab01, 0x5114a5a1), TOBN(0x60deb383, 0xffba5f4c)}},\n {{TOBN(0x4caa54c6, 0x01a982e6), TOBN(0x1dd35e11, 0x3491cd26),\n TOBN(0x973c315f, 0x7cbd6b05), TOBN(0xcab00775, 0x52494724)},\n {TOBN(0x04659b1f, 0x6565e15a), TOBN(0xbf30f529, 0x8c8fb026),\n TOBN(0xfc21641b, 0xa8a0de37), TOBN(0xe9c7a366, 0xfa5e5114)}},\n {{TOBN(0xdb849ca5, 0x52f03ad8), TOBN(0xc7e8dbe9, 0x024e35c0),\n TOBN(0xa1a2bbac, 0xcfc3c789), TOBN(0xbf733e7d, 0x9c26f262)},\n {TOBN(0x882ffbf5, 0xb8444823), TOBN(0xb7224e88, 0x6bf8483b),\n TOBN(0x53023b8b, 0x65bef640), TOBN(0xaabfec91, 0xd4d5f8cd)}},\n {{TOBN(0xa40e1510, 0x079ea1bd), TOBN(0x1ad9addc, 0xd05d5d26),\n TOBN(0xdb3f2eab, 0x13e68d4f), TOBN(0x1cff1ae2, 0x640f803f)},\n {TOBN(0xe0e7b749, 0xd4cee117), TOBN(0x8e9f275b, 0x4036d909),\n TOBN(0xce34e31d, 0x8f4d4c38), TOBN(0x22b37f69, 0xd75130fc)}},\n {{TOBN(0x83e0f1fd, 0xb4014604), TOBN(0xa8ce9919, 0x89415078),\n TOBN(0x82375b75, 0x41792efe), TOBN(0x4f59bf5c, 0x97d4515b)},\n {TOBN(0xac4f324f, 0x923a277d), TOBN(0xd9bc9b7d, 0x650f3406),\n TOBN(0xc6fa87d1, 0x8a39bc51), TOBN(0x82588530, 0x5ccc108f)}},\n {{TOBN(0x5ced3c9f, 0x82e4c634), TOBN(0x8efb8314, 0x3a4464f8),\n TOBN(0xe706381b, 0x7a1dca25), TOBN(0x6cd15a3c, 0x5a2a412b)},\n {TOBN(0x9347a8fd, 0xbfcd8fb5), TOBN(0x31db2eef, 0x6e54cd22),\n TOBN(0xc4aeb11e, 0xf8d8932f), TOBN(0x11e7c1ed, 0x344411af)}},\n {{TOBN(0x2653050c, 0xdc9a151e), TOBN(0x9edbfc08, 0x3bb0a859),\n TOBN(0x926c81c7, 0xfd5691e7), TOBN(0x9c1b2342, 0x6f39019a)},\n {TOBN(0x64a81c8b, 0x7f8474b9), TOBN(0x90657c07, 0x01761819),\n TOBN(0x390b3331, 0x55e0375a), TOBN(0xc676c626, 0xb6ebc47d)}},\n {{TOBN(0x51623247, 0xb7d6dee8), TOBN(0x0948d927, 0x79659313),\n TOBN(0x99700161, 0xe9ab35ed), TOBN(0x06cc32b4, 0x8ddde408)},\n {TOBN(0x6f2fd664, 0x061ef338), TOBN(0x1606fa02, 0xc202e9ed),\n TOBN(0x55388bc1, 0x929ba99b), TOBN(0xc4428c5e, 0x1e81df69)}},\n {{TOBN(0xce2028ae, 0xf91b0b2a), TOBN(0xce870a23, 0xf03dfd3f),\n TOBN(0x66ec2c87, 0x0affe8ed), TOBN(0xb205fb46, 0x284d0c00)},\n {TOBN(0xbf5dffe7, 0x44cefa48), TOBN(0xb6fc37a8, 0xa19876d7),\n TOBN(0xbecfa84c, 0x08b72863), TOBN(0xd7205ff5, 0x2576374f)}},\n {{TOBN(0x80330d32, 0x8887de41), TOBN(0x5de0df0c, 0x869ea534),\n TOBN(0x13f42753, 0x3c56ea17), TOBN(0xeb1f6069, 0x452b1a78)},\n {TOBN(0x50474396, 0xe30ea15c), TOBN(0x575816a1, 0xc1494125),\n TOBN(0xbe1ce55b, 0xfe6bb38f), TOBN(0xb901a948, 0x96ae30f7)}},\n {{TOBN(0xe5af0f08, 0xd8fc3548), TOBN(0x5010b5d0, 0xd73bfd08),\n TOBN(0x993d2880, 0x53fe655a), TOBN(0x99f2630b, 0x1c1309fd)},\n {TOBN(0xd8677baf, 0xb4e3b76f), TOBN(0x14e51ddc, 0xb840784b),\n TOBN(0x326c750c, 0xbf0092ce), TOBN(0xc83d306b, 0xf528320f)}},\n {{TOBN(0xc4456715, 0x77d4715c), TOBN(0xd30019f9, 0x6b703235),\n TOBN(0x207ccb2e, 0xd669e986), TOBN(0x57c824af, 0xf6dbfc28)},\n {TOBN(0xf0eb532f, 0xd8f92a23), TOBN(0x4a557fd4, 0x9bb98fd2),\n TOBN(0xa57acea7, 0xc1e6199a), TOBN(0x0c663820, 0x8b94b1ed)}},\n {{TOBN(0x9b42be8f, 0xf83a9266), TOBN(0xc7741c97, 0x0101bd45),\n TOBN(0x95770c11, 0x07bd9ceb), TOBN(0x1f50250a, 0x8b2e0744)},\n {TOBN(0xf762eec8, 0x1477b654), TOBN(0xc65b900e, 0x15efe59a),\n TOBN(0x88c96148, 0x9546a897), TOBN(0x7e8025b3, 0xc30b4d7c)}},\n {{TOBN(0xae4065ef, 0x12045cf9), TOBN(0x6fcb2caf, 0x9ccce8bd),\n TOBN(0x1fa0ba4e, 0xf2cf6525), TOBN(0xf683125d, 0xcb72c312)},\n {TOBN(0xa01da4ea, 0xe312410e), TOBN(0x67e28677, 0x6cd8e830),\n TOBN(0xabd95752, 0x98fb3f07), TOBN(0x05f11e11, 0xeef649a5)}},\n {{TOBN(0xba47faef, 0x9d3472c2), TOBN(0x3adff697, 0xc77d1345),\n TOBN(0x4761fa04, 0xdd15afee), TOBN(0x64f1f61a, 0xb9e69462)},\n {TOBN(0xfa691fab, 0x9bfb9093), TOBN(0x3df8ae8f, 0xa1133dfe),\n TOBN(0xcd5f8967, 0x58cc710d), TOBN(0xfbb88d50, 0x16c7fe79)}},\n {{TOBN(0x8e011b4c, 0xe88c50d1), TOBN(0x7532e807, 0xa8771c4f),\n TOBN(0x64c78a48, 0xe2278ee4), TOBN(0x0b283e83, 0x3845072a)},\n {TOBN(0x98a6f291, 0x49e69274), TOBN(0xb96e9668, 0x1868b21c),\n TOBN(0x38f0adc2, 0xb1a8908e), TOBN(0x90afcff7, 0x1feb829d)}},\n {{TOBN(0x9915a383, 0x210b0856), TOBN(0xa5a80602, 0xdef04889),\n TOBN(0x800e9af9, 0x7c64d509), TOBN(0x81382d0b, 0xb8996f6f)},\n {TOBN(0x490eba53, 0x81927e27), TOBN(0x46c63b32, 0x4af50182),\n TOBN(0x784c5fd9, 0xd3ad62ce), TOBN(0xe4fa1870, 0xf8ae8736)}},\n {{TOBN(0x4ec9d0bc, 0xd7466b25), TOBN(0x84ddbe1a, 0xdb235c65),\n TOBN(0x5e2645ee, 0x163c1688), TOBN(0x570bd00e, 0x00eba747)},\n {TOBN(0xfa51b629, 0x128bfa0f), TOBN(0x92fce1bd, 0x6c1d3b68),\n TOBN(0x3e7361dc, 0xb66778b1), TOBN(0x9c7d249d, 0x5561d2bb)}},\n {{TOBN(0xa40b28bf, 0x0bbc6229), TOBN(0x1c83c05e, 0xdfd91497),\n TOBN(0x5f9f5154, 0xf083df05), TOBN(0xbac38b3c, 0xeee66c9d)},\n {TOBN(0xf71db7e3, 0xec0dfcfd), TOBN(0xf2ecda8e, 0x8b0a8416),\n TOBN(0x52fddd86, 0x7812aa66), TOBN(0x2896ef10, 0x4e6f4272)}},\n {{TOBN(0xff27186a, 0x0fe9a745), TOBN(0x08249fcd, 0x49ca70db),\n TOBN(0x7425a2e6, 0x441cac49), TOBN(0xf4a0885a, 0xece5ff57)},\n {TOBN(0x6e2cb731, 0x7d7ead58), TOBN(0xf96cf7d6, 0x1898d104),\n TOBN(0xafe67c9d, 0x4f2c9a89), TOBN(0x89895a50, 0x1c7bf5bc)}},\n {{TOBN(0xdc7cb8e5, 0x573cecfa), TOBN(0x66497eae, 0xd15f03e6),\n TOBN(0x6bc0de69, 0x3f084420), TOBN(0x323b9b36, 0xacd532b0)},\n {TOBN(0xcfed390a, 0x0115a3c1), TOBN(0x9414c40b, 0x2d65ca0e),\n TOBN(0x641406bd, 0x2f530c78), TOBN(0x29369a44, 0x833438f2)}},\n {{TOBN(0x996884f5, 0x903fa271), TOBN(0xe6da0fd2, 0xb9da921e),\n TOBN(0xa6f2f269, 0x5db01e54), TOBN(0x1ee3e9bd, 0x6876214e)},\n {TOBN(0xa26e181c, 0xe27a9497), TOBN(0x36d254e4, 0x8e215e04),\n TOBN(0x42f32a6c, 0x252cabca), TOBN(0x99481487, 0x80b57614)}},\n {{TOBN(0x4c4dfe69, 0x40d9cae1), TOBN(0x05869580, 0x11a10f09),\n TOBN(0xca287b57, 0x3491b64b), TOBN(0x77862d5d, 0x3fd4a53b)},\n {TOBN(0xbf94856e, 0x50349126), TOBN(0x2be30bd1, 0x71c5268f),\n TOBN(0x10393f19, 0xcbb650a6), TOBN(0x639531fe, 0x778cf9fd)}},\n {{TOBN(0x02556a11, 0xb2935359), TOBN(0xda38aa96, 0xaf8c126e),\n TOBN(0x47dbe6c2, 0x0960167f), TOBN(0x37bbabb6, 0x501901cd)},\n {TOBN(0xb6e979e0, 0x2c947778), TOBN(0xd69a5175, 0x7a1a1dc6),\n TOBN(0xc3ed5095, 0x9d9faf0c), TOBN(0x4dd9c096, 0x1d5fa5f0)}},\n {{TOBN(0xa0c4304d, 0x64f16ea8), TOBN(0x8b1cac16, 0x7e718623),\n TOBN(0x0b576546, 0x7c67f03e), TOBN(0x559cf5ad, 0xcbd88c01)},\n {TOBN(0x074877bb, 0x0e2af19a), TOBN(0x1f717ec1, 0xa1228c92),\n TOBN(0x70bcb800, 0x326e8920), TOBN(0xec6e2c5c, 0x4f312804)}},\n {{TOBN(0x426aea7d, 0x3fca4752), TOBN(0xf12c0949, 0x2211f62a),\n TOBN(0x24beecd8, 0x7be7b6b5), TOBN(0xb77eaf4c, 0x36d7a27d)},\n {TOBN(0x154c2781, 0xfda78fd3), TOBN(0x848a83b0, 0x264eeabe),\n TOBN(0x81287ef0, 0x4ffe2bc4), TOBN(0x7b6d88c6, 0xb6b6fc2a)}},\n {{TOBN(0x805fb947, 0xce417d99), TOBN(0x4b93dcc3, 0x8b916cc4),\n TOBN(0x72e65bb3, 0x21273323), TOBN(0xbcc1badd, 0x6ea9886e)},\n {TOBN(0x0e223011, 0x4bc5ee85), TOBN(0xa561be74, 0xc18ee1e4),\n TOBN(0x762fd2d4, 0xa6bcf1f1), TOBN(0x50e6a5a4, 0x95231489)}},\n {{TOBN(0xca96001f, 0xa00b500b), TOBN(0x5c098cfc, 0x5d7dcdf5),\n TOBN(0xa64e2d2e, 0x8c446a85), TOBN(0xbae9bcf1, 0x971f3c62)},\n {TOBN(0x4ec22683, 0x8435a2c5), TOBN(0x8ceaed6c, 0x4bad4643),\n TOBN(0xe9f8fb47, 0xccccf4e3), TOBN(0xbd4f3fa4, 0x1ce3b21e)}},\n {{TOBN(0xd79fb110, 0xa3db3292), TOBN(0xe28a37da, 0xb536c66a),\n TOBN(0x279ce87b, 0x8e49e6a9), TOBN(0x70ccfe8d, 0xfdcec8e3)},\n {TOBN(0x2193e4e0, 0x3ba464b2), TOBN(0x0f39d60e, 0xaca9a398),\n TOBN(0x7d7932af, 0xf82c12ab), TOBN(0xd8ff50ed, 0x91e7e0f7)}},\n {{TOBN(0xea961058, 0xfa28a7e0), TOBN(0xc726cf25, 0x0bf5ec74),\n TOBN(0xe74d55c8, 0xdb229666), TOBN(0x0bd9abbf, 0xa57f5799)},\n {TOBN(0x7479ef07, 0x4dfc47b3), TOBN(0xd9c65fc3, 0x0c52f91d),\n TOBN(0x8e0283fe, 0x36a8bde2), TOBN(0xa32a8b5e, 0x7d4b7280)}},\n {{TOBN(0x6a677c61, 0x12e83233), TOBN(0x0fbb3512, 0xdcc9bf28),\n TOBN(0x562e8ea5, 0x0d780f61), TOBN(0x0db8b22b, 0x1dc4e89c)},\n {TOBN(0x0a6fd1fb, 0x89be0144), TOBN(0x8c77d246, 0xca57113b),\n TOBN(0x4639075d, 0xff09c91c), TOBN(0x5b47b17f, 0x5060824c)}},\n {{TOBN(0x58aea2b0, 0x16287b52), TOBN(0xa1343520, 0xd0cd8eb0),\n TOBN(0x6148b4d0, 0xc5d58573), TOBN(0xdd2b6170, 0x291c68ae)},\n {TOBN(0xa61b3929, 0x1da3b3b7), TOBN(0x5f946d79, 0x08c4ac10),\n TOBN(0x4105d4a5, 0x7217d583), TOBN(0x5061da3d, 0x25e6de5e)}},\n {{TOBN(0x3113940d, 0xec1b4991), TOBN(0xf12195e1, 0x36f485ae),\n TOBN(0xa7507fb2, 0x731a2ee0), TOBN(0x95057a8e, 0x6e9e196e)},\n {TOBN(0xa3c2c911, 0x2e130136), TOBN(0x97dfbb36, 0x33c60d15),\n TOBN(0xcaf3c581, 0xb300ee2b), TOBN(0x77f25d90, 0xf4bac8b8)}},\n {{TOBN(0xdb1c4f98, 0x6d840cd6), TOBN(0x471d62c0, 0xe634288c),\n TOBN(0x8ec2f85e, 0xcec8a161), TOBN(0x41f37cbc, 0xfa6f4ae2)},\n {TOBN(0x6793a20f, 0x4b709985), TOBN(0x7a7bd33b, 0xefa8985b),\n TOBN(0x2c6a3fbd, 0x938e6446), TOBN(0x19042619, 0x2a8d47c1)}},\n {{TOBN(0x16848667, 0xcc36975f), TOBN(0x02acf168, 0x9d5f1dfb),\n TOBN(0x62d41ad4, 0x613baa94), TOBN(0xb56fbb92, 0x9f684670)},\n {TOBN(0xce610d0d, 0xe9e40569), TOBN(0x7b99c65f, 0x35489fef),\n TOBN(0x0c88ad1b, 0x3df18b97), TOBN(0x81b7d9be, 0x5d0e9edb)}},\n {{TOBN(0xd85218c0, 0xc716cc0a), TOBN(0xf4b5ff90, 0x85691c49),\n TOBN(0xa4fd666b, 0xce356ac6), TOBN(0x17c72895, 0x4b327a7a)},\n {TOBN(0xf93d5085, 0xda6be7de), TOBN(0xff71530e, 0x3301d34e),\n TOBN(0x4cd96442, 0xd8f448e8), TOBN(0x9283d331, 0x2ed18ffa)}},\n {{TOBN(0x4d33dd99, 0x2a849870), TOBN(0xa716964b, 0x41576335),\n TOBN(0xff5e3a9b, 0x179be0e5), TOBN(0x5b9d6b1b, 0x83b13632)},\n {TOBN(0x3b8bd7d4, 0xa52f313b), TOBN(0xc9dd95a0, 0x637a4660),\n TOBN(0x30035962, 0x0b3e218f), TOBN(0xce1481a3, 0xc7b28a3c)}},\n {{TOBN(0xab41b43a, 0x43228d83), TOBN(0x24ae1c30, 0x4ad63f99),\n TOBN(0x8e525f1a, 0x46a51229), TOBN(0x14af860f, 0xcd26d2b4)},\n {TOBN(0xd6baef61, 0x3f714aa1), TOBN(0xf51865ad, 0xeb78795e),\n TOBN(0xd3e21fce, 0xe6a9d694), TOBN(0x82ceb1dd, 0x8a37b527)}}}};\n" }, { "path": "Sources/CNIOBoringSSL/crypto/fipsmodule/ec/p256-nistz.cc.inc", "content": "/*\n * Copyright 2014-2016 The OpenSSL Project Authors. All Rights Reserved.\n * Copyright (c) 2014, Intel Corporation. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n *\n * Originally written by Shay Gueron (1, 2), and Vlad Krasnov (1)\n * (1) Intel Corporation, Israel Development Center, Haifa, Israel\n * (2) University of Haifa, Israel\n *\n * Reference:\n * S.Gueron and V.Krasnov, \"Fast Prime Field Elliptic Curve Cryptography with\n * 256 Bit Primes\"\n */\n\n#include \n\n#include \n#include \n#include \n\n#include \n#include \n#include \n\n#include \"../../internal.h\"\n#include \"../bn/internal.h\"\n#include \"../delocate.h\"\n#include \"internal.h\"\n#include \"p256-nistz.h\"\n\n#if !defined(OPENSSL_NO_ASM) && \\\n (defined(OPENSSL_X86_64) || defined(OPENSSL_AARCH64)) && \\\n !defined(OPENSSL_SMALL)\n\ntypedef P256_POINT_AFFINE PRECOMP256_ROW[64];\n\n// One converted into the Montgomery domain\nstatic const BN_ULONG ONE_MONT[P256_LIMBS] = {\n TOBN(0x00000000, 0x00000001),\n TOBN(0xffffffff, 0x00000000),\n TOBN(0xffffffff, 0xffffffff),\n TOBN(0x00000000, 0xfffffffe),\n};\n\n// Precomputed tables for the default generator\n#include \"p256-nistz-table.h\"\n\n// Recode window to a signed digit, see |ec_GFp_nistp_recode_scalar_bits| in\n// util.c for details\nstatic crypto_word_t booth_recode_w5(crypto_word_t in) {\n crypto_word_t s, d;\n\n s = ~((in >> 5) - 1);\n d = (1 << 6) - in - 1;\n d = (d & s) | (in & ~s);\n d = (d >> 1) + (d & 1);\n\n return (d << 1) + (s & 1);\n}\n\nstatic crypto_word_t booth_recode_w7(crypto_word_t in) {\n crypto_word_t s, d;\n\n s = ~((in >> 7) - 1);\n d = (1 << 8) - in - 1;\n d = (d & s) | (in & ~s);\n d = (d >> 1) + (d & 1);\n\n return (d << 1) + (s & 1);\n}\n\n// copy_conditional copies |src| to |dst| if |move| is one and leaves it as-is\n// if |move| is zero.\n//\n// WARNING: this breaks the usual convention of constant-time functions\n// returning masks.\nstatic void copy_conditional(BN_ULONG dst[P256_LIMBS],\n const BN_ULONG src[P256_LIMBS], BN_ULONG move) {\n BN_ULONG mask1 = ((BN_ULONG)0) - move;\n BN_ULONG mask2 = ~mask1;\n\n dst[0] = (src[0] & mask1) ^ (dst[0] & mask2);\n dst[1] = (src[1] & mask1) ^ (dst[1] & mask2);\n dst[2] = (src[2] & mask1) ^ (dst[2] & mask2);\n dst[3] = (src[3] & mask1) ^ (dst[3] & mask2);\n if (P256_LIMBS == 8) {\n dst[4] = (src[4] & mask1) ^ (dst[4] & mask2);\n dst[5] = (src[5] & mask1) ^ (dst[5] & mask2);\n dst[6] = (src[6] & mask1) ^ (dst[6] & mask2);\n dst[7] = (src[7] & mask1) ^ (dst[7] & mask2);\n }\n}\n\n// is_not_zero returns one iff in != 0 and zero otherwise.\n//\n// WARNING: this breaks the usual convention of constant-time functions\n// returning masks.\n//\n// (define-fun is_not_zero ((in (_ BitVec 64))) (_ BitVec 64)\n// (bvlshr (bvor in (bvsub #x0000000000000000 in)) #x000000000000003f)\n// )\n//\n// (declare-fun x () (_ BitVec 64))\n//\n// (assert (and (= x #x0000000000000000) (= (is_not_zero x)\n// #x0000000000000001))) (check-sat)\n//\n// (assert (and (not (= x #x0000000000000000)) (= (is_not_zero x)\n// #x0000000000000000))) (check-sat)\n//\nstatic BN_ULONG is_not_zero(BN_ULONG in) {\n in |= (0 - in);\n in >>= BN_BITS2 - 1;\n return in;\n}\n\n#if defined(OPENSSL_X86_64)\n// Dispatch between CPU variations. The \"_adx\" suffixed functions use MULX in\n// addition to ADCX/ADOX. MULX is part of BMI2, not ADX, so we must check both\n// capabilities.\nstatic void ecp_nistz256_mul_mont(BN_ULONG res[P256_LIMBS],\n const BN_ULONG a[P256_LIMBS],\n const BN_ULONG b[P256_LIMBS]) {\n if (CRYPTO_is_BMI2_capable() && CRYPTO_is_ADX_capable()) {\n ecp_nistz256_mul_mont_adx(res, a, b);\n } else {\n ecp_nistz256_mul_mont_nohw(res, a, b);\n }\n}\n\nstatic void ecp_nistz256_sqr_mont(BN_ULONG res[P256_LIMBS],\n const BN_ULONG a[P256_LIMBS]) {\n if (CRYPTO_is_BMI2_capable() && CRYPTO_is_ADX_capable()) {\n ecp_nistz256_sqr_mont_adx(res, a);\n } else {\n ecp_nistz256_sqr_mont_nohw(res, a);\n }\n}\n\nstatic void ecp_nistz256_ord_mul_mont(BN_ULONG res[P256_LIMBS],\n const BN_ULONG a[P256_LIMBS],\n const BN_ULONG b[P256_LIMBS]) {\n if (CRYPTO_is_BMI2_capable() && CRYPTO_is_ADX_capable()) {\n ecp_nistz256_ord_mul_mont_adx(res, a, b);\n } else {\n ecp_nistz256_ord_mul_mont_nohw(res, a, b);\n }\n}\n\nstatic void ecp_nistz256_ord_sqr_mont(BN_ULONG res[P256_LIMBS],\n const BN_ULONG a[P256_LIMBS],\n BN_ULONG rep) {\n if (CRYPTO_is_BMI2_capable() && CRYPTO_is_ADX_capable()) {\n ecp_nistz256_ord_sqr_mont_adx(res, a, rep);\n } else {\n ecp_nistz256_ord_sqr_mont_nohw(res, a, rep);\n }\n}\n\nstatic void ecp_nistz256_select_w5(P256_POINT *val, const P256_POINT in_t[16],\n int index) {\n if (CRYPTO_is_AVX2_capable()) {\n ecp_nistz256_select_w5_avx2(val, in_t, index);\n } else {\n ecp_nistz256_select_w5_nohw(val, in_t, index);\n }\n}\n\nstatic void ecp_nistz256_select_w7(P256_POINT_AFFINE *val,\n const P256_POINT_AFFINE in_t[64],\n int index) {\n if (CRYPTO_is_AVX2_capable()) {\n ecp_nistz256_select_w7_avx2(val, in_t, index);\n } else {\n ecp_nistz256_select_w7_nohw(val, in_t, index);\n }\n}\n\nstatic void ecp_nistz256_point_double(P256_POINT *r, const P256_POINT *a) {\n if (CRYPTO_is_BMI2_capable() && CRYPTO_is_ADX_capable()) {\n ecp_nistz256_point_double_adx(r, a);\n } else {\n ecp_nistz256_point_double_nohw(r, a);\n }\n}\n\nstatic void ecp_nistz256_point_add(P256_POINT *r, const P256_POINT *a,\n const P256_POINT *b) {\n if (CRYPTO_is_BMI2_capable() && CRYPTO_is_ADX_capable()) {\n ecp_nistz256_point_add_adx(r, a, b);\n } else {\n ecp_nistz256_point_add_nohw(r, a, b);\n }\n}\n\nstatic void ecp_nistz256_point_add_affine(P256_POINT *r, const P256_POINT *a,\n const P256_POINT_AFFINE *b) {\n if (CRYPTO_is_BMI2_capable() && CRYPTO_is_ADX_capable()) {\n ecp_nistz256_point_add_affine_adx(r, a, b);\n } else {\n ecp_nistz256_point_add_affine_nohw(r, a, b);\n }\n}\n#endif // OPENSSL_X86_64\n\n// ecp_nistz256_from_mont sets |res| to |in|, converted from Montgomery domain\n// by multiplying with 1.\nstatic void ecp_nistz256_from_mont(BN_ULONG res[P256_LIMBS],\n const BN_ULONG in[P256_LIMBS]) {\n static const BN_ULONG ONE[P256_LIMBS] = {1};\n ecp_nistz256_mul_mont(res, in, ONE);\n}\n\n// ecp_nistz256_mod_inverse_sqr_mont sets |r| to (|in| * 2^-256)^-2 * 2^256 mod\n// p. That is, |r| is the modular inverse square of |in| for input and output in\n// the Montgomery domain.\nstatic void ecp_nistz256_mod_inverse_sqr_mont(BN_ULONG r[P256_LIMBS],\n const BN_ULONG in[P256_LIMBS]) {\n // This implements the addition chain described in\n // https://briansmith.org/ecc-inversion-addition-chains-01#p256_field_inversion\n BN_ULONG x2[P256_LIMBS], x3[P256_LIMBS], x6[P256_LIMBS], x12[P256_LIMBS],\n x15[P256_LIMBS], x30[P256_LIMBS], x32[P256_LIMBS];\n ecp_nistz256_sqr_mont(x2, in); // 2^2 - 2^1\n ecp_nistz256_mul_mont(x2, x2, in); // 2^2 - 2^0\n\n ecp_nistz256_sqr_mont(x3, x2); // 2^3 - 2^1\n ecp_nistz256_mul_mont(x3, x3, in); // 2^3 - 2^0\n\n ecp_nistz256_sqr_mont(x6, x3);\n for (int i = 1; i < 3; i++) {\n ecp_nistz256_sqr_mont(x6, x6);\n } // 2^6 - 2^3\n ecp_nistz256_mul_mont(x6, x6, x3); // 2^6 - 2^0\n\n ecp_nistz256_sqr_mont(x12, x6);\n for (int i = 1; i < 6; i++) {\n ecp_nistz256_sqr_mont(x12, x12);\n } // 2^12 - 2^6\n ecp_nistz256_mul_mont(x12, x12, x6); // 2^12 - 2^0\n\n ecp_nistz256_sqr_mont(x15, x12);\n for (int i = 1; i < 3; i++) {\n ecp_nistz256_sqr_mont(x15, x15);\n } // 2^15 - 2^3\n ecp_nistz256_mul_mont(x15, x15, x3); // 2^15 - 2^0\n\n ecp_nistz256_sqr_mont(x30, x15);\n for (int i = 1; i < 15; i++) {\n ecp_nistz256_sqr_mont(x30, x30);\n } // 2^30 - 2^15\n ecp_nistz256_mul_mont(x30, x30, x15); // 2^30 - 2^0\n\n ecp_nistz256_sqr_mont(x32, x30);\n ecp_nistz256_sqr_mont(x32, x32); // 2^32 - 2^2\n ecp_nistz256_mul_mont(x32, x32, x2); // 2^32 - 2^0\n\n BN_ULONG ret[P256_LIMBS];\n ecp_nistz256_sqr_mont(ret, x32);\n for (int i = 1; i < 31 + 1; i++) {\n ecp_nistz256_sqr_mont(ret, ret);\n } // 2^64 - 2^32\n ecp_nistz256_mul_mont(ret, ret, in); // 2^64 - 2^32 + 2^0\n\n for (int i = 0; i < 96 + 32; i++) {\n ecp_nistz256_sqr_mont(ret, ret);\n } // 2^192 - 2^160 + 2^128\n ecp_nistz256_mul_mont(ret, ret, x32); // 2^192 - 2^160 + 2^128 + 2^32 - 2^0\n\n for (int i = 0; i < 32; i++) {\n ecp_nistz256_sqr_mont(ret, ret);\n } // 2^224 - 2^192 + 2^160 + 2^64 - 2^32\n ecp_nistz256_mul_mont(ret, ret, x32); // 2^224 - 2^192 + 2^160 + 2^64 - 2^0\n\n for (int i = 0; i < 30; i++) {\n ecp_nistz256_sqr_mont(ret, ret);\n } // 2^254 - 2^222 + 2^190 + 2^94 - 2^30\n ecp_nistz256_mul_mont(ret, ret, x30); // 2^254 - 2^222 + 2^190 + 2^94 - 2^0\n\n ecp_nistz256_sqr_mont(ret, ret);\n ecp_nistz256_sqr_mont(r, ret); // 2^256 - 2^224 + 2^192 + 2^96 - 2^2\n}\n\n// r = p * p_scalar\nstatic void ecp_nistz256_windowed_mul(const EC_GROUP *group, P256_POINT *r,\n const EC_JACOBIAN *p,\n const EC_SCALAR *p_scalar) {\n assert(p != NULL);\n assert(p_scalar != NULL);\n assert(group->field.N.width == P256_LIMBS);\n\n static const size_t kWindowSize = 5;\n static const crypto_word_t kMask = (1 << (5 /* kWindowSize */ + 1)) - 1;\n\n // A |P256_POINT| is (3 * 32) = 96 bytes, and the 64-byte alignment should\n // add no more than 63 bytes of overhead. Thus, |table| should require\n // ~1599 ((96 * 16) + 63) bytes of stack space.\n alignas(64) P256_POINT table[16];\n uint8_t p_str[33];\n OPENSSL_memcpy(p_str, p_scalar->words, 32);\n p_str[32] = 0;\n\n // table[0] is implicitly (0,0,0) (the point at infinity), therefore it is\n // not stored. All other values are actually stored with an offset of -1 in\n // table.\n P256_POINT *row = table;\n assert(group->field.N.width == P256_LIMBS);\n OPENSSL_memcpy(row[1 - 1].X, p->X.words, P256_LIMBS * sizeof(BN_ULONG));\n OPENSSL_memcpy(row[1 - 1].Y, p->Y.words, P256_LIMBS * sizeof(BN_ULONG));\n OPENSSL_memcpy(row[1 - 1].Z, p->Z.words, P256_LIMBS * sizeof(BN_ULONG));\n\n ecp_nistz256_point_double(&row[2 - 1], &row[1 - 1]);\n ecp_nistz256_point_add(&row[3 - 1], &row[2 - 1], &row[1 - 1]);\n ecp_nistz256_point_double(&row[4 - 1], &row[2 - 1]);\n ecp_nistz256_point_double(&row[6 - 1], &row[3 - 1]);\n ecp_nistz256_point_double(&row[8 - 1], &row[4 - 1]);\n ecp_nistz256_point_double(&row[12 - 1], &row[6 - 1]);\n ecp_nistz256_point_add(&row[5 - 1], &row[4 - 1], &row[1 - 1]);\n ecp_nistz256_point_add(&row[7 - 1], &row[6 - 1], &row[1 - 1]);\n ecp_nistz256_point_add(&row[9 - 1], &row[8 - 1], &row[1 - 1]);\n ecp_nistz256_point_add(&row[13 - 1], &row[12 - 1], &row[1 - 1]);\n ecp_nistz256_point_double(&row[14 - 1], &row[7 - 1]);\n ecp_nistz256_point_double(&row[10 - 1], &row[5 - 1]);\n ecp_nistz256_point_add(&row[15 - 1], &row[14 - 1], &row[1 - 1]);\n ecp_nistz256_point_add(&row[11 - 1], &row[10 - 1], &row[1 - 1]);\n ecp_nistz256_point_double(&row[16 - 1], &row[8 - 1]);\n\n BN_ULONG tmp[P256_LIMBS];\n alignas(32) P256_POINT h;\n size_t index = 255;\n crypto_word_t wvalue = p_str[(index - 1) / 8];\n wvalue = (wvalue >> ((index - 1) % 8)) & kMask;\n\n ecp_nistz256_select_w5(r, table, booth_recode_w5(wvalue) >> 1);\n\n while (index >= 5) {\n if (index != 255) {\n size_t off = (index - 1) / 8;\n\n wvalue = (crypto_word_t)p_str[off] | (crypto_word_t)p_str[off + 1] << 8;\n wvalue = (wvalue >> ((index - 1) % 8)) & kMask;\n\n wvalue = booth_recode_w5(wvalue);\n\n ecp_nistz256_select_w5(&h, table, wvalue >> 1);\n\n ecp_nistz256_neg(tmp, h.Y);\n copy_conditional(h.Y, tmp, (wvalue & 1));\n\n ecp_nistz256_point_add(r, r, &h);\n }\n\n index -= kWindowSize;\n\n ecp_nistz256_point_double(r, r);\n ecp_nistz256_point_double(r, r);\n ecp_nistz256_point_double(r, r);\n ecp_nistz256_point_double(r, r);\n ecp_nistz256_point_double(r, r);\n }\n\n // Final window\n wvalue = p_str[0];\n wvalue = (wvalue << 1) & kMask;\n\n wvalue = booth_recode_w5(wvalue);\n\n ecp_nistz256_select_w5(&h, table, wvalue >> 1);\n\n ecp_nistz256_neg(tmp, h.Y);\n copy_conditional(h.Y, tmp, wvalue & 1);\n\n ecp_nistz256_point_add(r, r, &h);\n}\n\nstatic crypto_word_t calc_first_wvalue(size_t *index, const uint8_t p_str[33]) {\n static const size_t kWindowSize = 7;\n static const crypto_word_t kMask = (1 << (7 /* kWindowSize */ + 1)) - 1;\n *index = kWindowSize;\n\n crypto_word_t wvalue = (p_str[0] << 1) & kMask;\n return booth_recode_w7(wvalue);\n}\n\nstatic crypto_word_t calc_wvalue(size_t *index, const uint8_t p_str[33]) {\n static const size_t kWindowSize = 7;\n static const crypto_word_t kMask = (1 << (7 /* kWindowSize */ + 1)) - 1;\n\n const size_t off = (*index - 1) / 8;\n crypto_word_t wvalue =\n (crypto_word_t)p_str[off] | (crypto_word_t)p_str[off + 1] << 8;\n wvalue = (wvalue >> ((*index - 1) % 8)) & kMask;\n *index += kWindowSize;\n\n return booth_recode_w7(wvalue);\n}\n\nstatic void ecp_nistz256_point_mul(const EC_GROUP *group, EC_JACOBIAN *r,\n const EC_JACOBIAN *p,\n const EC_SCALAR *scalar) {\n alignas(32) P256_POINT out;\n ecp_nistz256_windowed_mul(group, &out, p, scalar);\n\n assert(group->field.N.width == P256_LIMBS);\n OPENSSL_memcpy(r->X.words, out.X, P256_LIMBS * sizeof(BN_ULONG));\n OPENSSL_memcpy(r->Y.words, out.Y, P256_LIMBS * sizeof(BN_ULONG));\n OPENSSL_memcpy(r->Z.words, out.Z, P256_LIMBS * sizeof(BN_ULONG));\n}\n\nstatic void ecp_nistz256_point_mul_base(const EC_GROUP *group, EC_JACOBIAN *r,\n const EC_SCALAR *scalar) {\n uint8_t p_str[33];\n OPENSSL_memcpy(p_str, scalar->words, 32);\n p_str[32] = 0;\n\n // First window\n size_t index = 0;\n crypto_word_t wvalue = calc_first_wvalue(&index, p_str);\n\n alignas(32) P256_POINT_AFFINE t;\n alignas(32) P256_POINT p;\n ecp_nistz256_select_w7(&t, ecp_nistz256_precomputed[0], wvalue >> 1);\n ecp_nistz256_neg(p.Z, t.Y);\n copy_conditional(t.Y, p.Z, wvalue & 1);\n\n // Convert |t| from affine to Jacobian coordinates. We set Z to zero if |t|\n // is infinity and |ONE_MONT| otherwise. |t| was computed from the table, so\n // it is infinity iff |wvalue >> 1| is zero.\n OPENSSL_memcpy(p.X, t.X, sizeof(p.X));\n OPENSSL_memcpy(p.Y, t.Y, sizeof(p.Y));\n OPENSSL_memset(p.Z, 0, sizeof(p.Z));\n copy_conditional(p.Z, ONE_MONT, is_not_zero(wvalue >> 1));\n\n for (int i = 1; i < 37; i++) {\n wvalue = calc_wvalue(&index, p_str);\n\n ecp_nistz256_select_w7(&t, ecp_nistz256_precomputed[i], wvalue >> 1);\n\n alignas(32) BN_ULONG neg_Y[P256_LIMBS];\n ecp_nistz256_neg(neg_Y, t.Y);\n copy_conditional(t.Y, neg_Y, wvalue & 1);\n\n // Note |ecp_nistz256_point_add_affine| does not work if |p| and |t| are the\n // same non-infinity point.\n ecp_nistz256_point_add_affine(&p, &p, &t);\n }\n\n assert(group->field.N.width == P256_LIMBS);\n OPENSSL_memcpy(r->X.words, p.X, P256_LIMBS * sizeof(BN_ULONG));\n OPENSSL_memcpy(r->Y.words, p.Y, P256_LIMBS * sizeof(BN_ULONG));\n OPENSSL_memcpy(r->Z.words, p.Z, P256_LIMBS * sizeof(BN_ULONG));\n}\n\nstatic void ecp_nistz256_points_mul_public(const EC_GROUP *group,\n EC_JACOBIAN *r,\n const EC_SCALAR *g_scalar,\n const EC_JACOBIAN *p_,\n const EC_SCALAR *p_scalar) {\n assert(p_ != NULL && p_scalar != NULL && g_scalar != NULL);\n\n alignas(32) P256_POINT p;\n uint8_t p_str[33];\n OPENSSL_memcpy(p_str, g_scalar->words, 32);\n p_str[32] = 0;\n\n // First window\n size_t index = 0;\n size_t wvalue = calc_first_wvalue(&index, p_str);\n\n // Convert |p| from affine to Jacobian coordinates. We set Z to zero if |p|\n // is infinity and |ONE_MONT| otherwise. |p| was computed from the table, so\n // it is infinity iff |wvalue >> 1| is zero.\n if ((wvalue >> 1) != 0) {\n OPENSSL_memcpy(p.X, &ecp_nistz256_precomputed[0][(wvalue >> 1) - 1].X,\n sizeof(p.X));\n OPENSSL_memcpy(p.Y, &ecp_nistz256_precomputed[0][(wvalue >> 1) - 1].Y,\n sizeof(p.Y));\n OPENSSL_memcpy(p.Z, ONE_MONT, sizeof(p.Z));\n } else {\n OPENSSL_memset(p.X, 0, sizeof(p.X));\n OPENSSL_memset(p.Y, 0, sizeof(p.Y));\n OPENSSL_memset(p.Z, 0, sizeof(p.Z));\n }\n\n if ((wvalue & 1) == 1) {\n ecp_nistz256_neg(p.Y, p.Y);\n }\n\n for (int i = 1; i < 37; i++) {\n wvalue = calc_wvalue(&index, p_str);\n if ((wvalue >> 1) == 0) {\n continue;\n }\n\n alignas(32) P256_POINT_AFFINE t;\n OPENSSL_memcpy(&t, &ecp_nistz256_precomputed[i][(wvalue >> 1) - 1],\n sizeof(t));\n if ((wvalue & 1) == 1) {\n ecp_nistz256_neg(t.Y, t.Y);\n }\n\n // Note |ecp_nistz256_point_add_affine| does not work if |p| and |t| are\n // the same non-infinity point, so it is important that we compute the\n // |g_scalar| term before the |p_scalar| term.\n ecp_nistz256_point_add_affine(&p, &p, &t);\n }\n\n alignas(32) P256_POINT tmp;\n ecp_nistz256_windowed_mul(group, &tmp, p_, p_scalar);\n ecp_nistz256_point_add(&p, &p, &tmp);\n\n assert(group->field.N.width == P256_LIMBS);\n OPENSSL_memcpy(r->X.words, p.X, P256_LIMBS * sizeof(BN_ULONG));\n OPENSSL_memcpy(r->Y.words, p.Y, P256_LIMBS * sizeof(BN_ULONG));\n OPENSSL_memcpy(r->Z.words, p.Z, P256_LIMBS * sizeof(BN_ULONG));\n}\n\nstatic int ecp_nistz256_get_affine(const EC_GROUP *group,\n const EC_JACOBIAN *point, EC_FELEM *x,\n EC_FELEM *y) {\n if (constant_time_declassify_int(\n ec_GFp_simple_is_at_infinity(group, point))) {\n OPENSSL_PUT_ERROR(EC, EC_R_POINT_AT_INFINITY);\n return 0;\n }\n\n BN_ULONG z_inv2[P256_LIMBS];\n assert(group->field.N.width == P256_LIMBS);\n ecp_nistz256_mod_inverse_sqr_mont(z_inv2, point->Z.words);\n\n if (x != NULL) {\n ecp_nistz256_mul_mont(x->words, z_inv2, point->X.words);\n }\n\n if (y != NULL) {\n ecp_nistz256_sqr_mont(z_inv2, z_inv2); // z^-4\n ecp_nistz256_mul_mont(y->words, point->Y.words, point->Z.words); // y * z\n ecp_nistz256_mul_mont(y->words, y->words, z_inv2); // y * z^-3\n }\n\n return 1;\n}\n\nstatic void ecp_nistz256_add(const EC_GROUP *group, EC_JACOBIAN *r,\n const EC_JACOBIAN *a_, const EC_JACOBIAN *b_) {\n P256_POINT a, b;\n OPENSSL_memcpy(a.X, a_->X.words, P256_LIMBS * sizeof(BN_ULONG));\n OPENSSL_memcpy(a.Y, a_->Y.words, P256_LIMBS * sizeof(BN_ULONG));\n OPENSSL_memcpy(a.Z, a_->Z.words, P256_LIMBS * sizeof(BN_ULONG));\n OPENSSL_memcpy(b.X, b_->X.words, P256_LIMBS * sizeof(BN_ULONG));\n OPENSSL_memcpy(b.Y, b_->Y.words, P256_LIMBS * sizeof(BN_ULONG));\n OPENSSL_memcpy(b.Z, b_->Z.words, P256_LIMBS * sizeof(BN_ULONG));\n ecp_nistz256_point_add(&a, &a, &b);\n OPENSSL_memcpy(r->X.words, a.X, P256_LIMBS * sizeof(BN_ULONG));\n OPENSSL_memcpy(r->Y.words, a.Y, P256_LIMBS * sizeof(BN_ULONG));\n OPENSSL_memcpy(r->Z.words, a.Z, P256_LIMBS * sizeof(BN_ULONG));\n}\n\nstatic void ecp_nistz256_dbl(const EC_GROUP *group, EC_JACOBIAN *r,\n const EC_JACOBIAN *a_) {\n P256_POINT a;\n OPENSSL_memcpy(a.X, a_->X.words, P256_LIMBS * sizeof(BN_ULONG));\n OPENSSL_memcpy(a.Y, a_->Y.words, P256_LIMBS * sizeof(BN_ULONG));\n OPENSSL_memcpy(a.Z, a_->Z.words, P256_LIMBS * sizeof(BN_ULONG));\n ecp_nistz256_point_double(&a, &a);\n OPENSSL_memcpy(r->X.words, a.X, P256_LIMBS * sizeof(BN_ULONG));\n OPENSSL_memcpy(r->Y.words, a.Y, P256_LIMBS * sizeof(BN_ULONG));\n OPENSSL_memcpy(r->Z.words, a.Z, P256_LIMBS * sizeof(BN_ULONG));\n}\n\nstatic void ecp_nistz256_inv0_mod_ord(const EC_GROUP *group, EC_SCALAR *out,\n const EC_SCALAR *in) {\n // table[i] stores a power of |in| corresponding to the matching enum value.\n enum {\n // The following indices specify the power in binary.\n i_1 = 0,\n i_10,\n i_11,\n i_101,\n i_111,\n i_1010,\n i_1111,\n i_10101,\n i_101010,\n i_101111,\n // The following indices specify 2^N-1, or N ones in a row.\n i_x6,\n i_x8,\n i_x16,\n i_x32\n };\n BN_ULONG table[15][P256_LIMBS];\n\n // https://briansmith.org/ecc-inversion-addition-chains-01#p256_scalar_inversion\n //\n // Even though this code path spares 12 squarings, 4.5%, and 13\n // multiplications, 25%, the overall sign operation is not that much faster,\n // not more that 2%. Most of the performance of this function comes from the\n // scalar operations.\n\n // Pre-calculate powers.\n OPENSSL_memcpy(table[i_1], in->words, P256_LIMBS * sizeof(BN_ULONG));\n\n ecp_nistz256_ord_sqr_mont(table[i_10], table[i_1], 1);\n\n ecp_nistz256_ord_mul_mont(table[i_11], table[i_1], table[i_10]);\n\n ecp_nistz256_ord_mul_mont(table[i_101], table[i_11], table[i_10]);\n\n ecp_nistz256_ord_mul_mont(table[i_111], table[i_101], table[i_10]);\n\n ecp_nistz256_ord_sqr_mont(table[i_1010], table[i_101], 1);\n\n ecp_nistz256_ord_mul_mont(table[i_1111], table[i_1010], table[i_101]);\n\n ecp_nistz256_ord_sqr_mont(table[i_10101], table[i_1010], 1);\n ecp_nistz256_ord_mul_mont(table[i_10101], table[i_10101], table[i_1]);\n\n ecp_nistz256_ord_sqr_mont(table[i_101010], table[i_10101], 1);\n\n ecp_nistz256_ord_mul_mont(table[i_101111], table[i_101010], table[i_101]);\n\n ecp_nistz256_ord_mul_mont(table[i_x6], table[i_101010], table[i_10101]);\n\n ecp_nistz256_ord_sqr_mont(table[i_x8], table[i_x6], 2);\n ecp_nistz256_ord_mul_mont(table[i_x8], table[i_x8], table[i_11]);\n\n ecp_nistz256_ord_sqr_mont(table[i_x16], table[i_x8], 8);\n ecp_nistz256_ord_mul_mont(table[i_x16], table[i_x16], table[i_x8]);\n\n ecp_nistz256_ord_sqr_mont(table[i_x32], table[i_x16], 16);\n ecp_nistz256_ord_mul_mont(table[i_x32], table[i_x32], table[i_x16]);\n\n // Compute |in| raised to the order-2.\n ecp_nistz256_ord_sqr_mont(out->words, table[i_x32], 64);\n ecp_nistz256_ord_mul_mont(out->words, out->words, table[i_x32]);\n static const struct {\n uint8_t p, i;\n } kChain[27] = {{32, i_x32}, {6, i_101111}, {5, i_111}, {4, i_11},\n {5, i_1111}, {5, i_10101}, {4, i_101}, {3, i_101},\n {3, i_101}, {5, i_111}, {9, i_101111}, {6, i_1111},\n {2, i_1}, {5, i_1}, {6, i_1111}, {5, i_111},\n {4, i_111}, {5, i_111}, {5, i_101}, {3, i_11},\n {10, i_101111}, {2, i_11}, {5, i_11}, {5, i_11},\n {3, i_1}, {7, i_10101}, {6, i_1111}};\n for (size_t i = 0; i < OPENSSL_ARRAY_SIZE(kChain); i++) {\n ecp_nistz256_ord_sqr_mont(out->words, out->words, kChain[i].p);\n ecp_nistz256_ord_mul_mont(out->words, out->words, table[kChain[i].i]);\n }\n}\n\nstatic int ecp_nistz256_scalar_to_montgomery_inv_vartime(const EC_GROUP *group,\n EC_SCALAR *out,\n const EC_SCALAR *in) {\n#if defined(OPENSSL_X86_64)\n if (!CRYPTO_is_AVX_capable()) {\n // No AVX support; fallback to generic code.\n return ec_simple_scalar_to_montgomery_inv_vartime(group, out, in);\n }\n#endif\n\n assert(group->order.N.width == P256_LIMBS);\n if (!beeu_mod_inverse_vartime(out->words, in->words, group->order.N.d)) {\n return 0;\n }\n\n // The result should be returned in the Montgomery domain.\n ec_scalar_to_montgomery(group, out, out);\n return 1;\n}\n\nstatic int ecp_nistz256_cmp_x_coordinate(const EC_GROUP *group,\n const EC_JACOBIAN *p,\n const EC_SCALAR *r) {\n if (ec_GFp_simple_is_at_infinity(group, p)) {\n return 0;\n }\n\n assert(group->order.N.width == P256_LIMBS);\n assert(group->field.N.width == P256_LIMBS);\n\n // We wish to compare X/Z^2 with r. This is equivalent to comparing X with\n // r*Z^2. Note that X and Z are represented in Montgomery form, while r is\n // not.\n BN_ULONG r_Z2[P256_LIMBS], Z2_mont[P256_LIMBS], X[P256_LIMBS];\n ecp_nistz256_mul_mont(Z2_mont, p->Z.words, p->Z.words);\n ecp_nistz256_mul_mont(r_Z2, r->words, Z2_mont);\n ecp_nistz256_from_mont(X, p->X.words);\n\n if (OPENSSL_memcmp(r_Z2, X, sizeof(r_Z2)) == 0) {\n return 1;\n }\n\n // During signing the x coefficient is reduced modulo the group order.\n // Therefore there is a small possibility, less than 1/2^128, that group_order\n // < p.x < P. in that case we need not only to compare against |r| but also to\n // compare against r+group_order.\n BN_ULONG carry = bn_add_words(r_Z2, r->words, group->order.N.d, P256_LIMBS);\n if (carry == 0 && bn_less_than_words(r_Z2, group->field.N.d, P256_LIMBS)) {\n // r + group_order < p, so compare (r + group_order) * Z^2 against X.\n ecp_nistz256_mul_mont(r_Z2, r_Z2, Z2_mont);\n if (OPENSSL_memcmp(r_Z2, X, sizeof(r_Z2)) == 0) {\n return 1;\n }\n }\n\n return 0;\n}\n\nDEFINE_METHOD_FUNCTION(EC_METHOD, EC_GFp_nistz256_method) {\n out->point_get_affine_coordinates = ecp_nistz256_get_affine;\n out->add = ecp_nistz256_add;\n out->dbl = ecp_nistz256_dbl;\n out->mul = ecp_nistz256_point_mul;\n out->mul_base = ecp_nistz256_point_mul_base;\n out->mul_public = ecp_nistz256_points_mul_public;\n out->felem_mul = ec_GFp_mont_felem_mul;\n out->felem_sqr = ec_GFp_mont_felem_sqr;\n out->felem_to_bytes = ec_GFp_mont_felem_to_bytes;\n out->felem_from_bytes = ec_GFp_mont_felem_from_bytes;\n out->felem_reduce = ec_GFp_mont_felem_reduce;\n // TODO(davidben): This should use the specialized field arithmetic\n // implementation, rather than the generic one.\n out->felem_exp = ec_GFp_mont_felem_exp;\n out->scalar_inv0_montgomery = ecp_nistz256_inv0_mod_ord;\n out->scalar_to_montgomery_inv_vartime =\n ecp_nistz256_scalar_to_montgomery_inv_vartime;\n out->cmp_x_coordinate = ecp_nistz256_cmp_x_coordinate;\n}\n\n#endif /* !defined(OPENSSL_NO_ASM) && \\\n (defined(OPENSSL_X86_64) || defined(OPENSSL_AARCH64)) && \\\n !defined(OPENSSL_SMALL) */\n" }, { "path": "Sources/CNIOBoringSSL/crypto/fipsmodule/ec/p256-nistz.h", "content": "/*\n * Copyright 2014-2016 The OpenSSL Project Authors. All Rights Reserved.\n * Copyright (c) 2014, Intel Corporation. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n *\n * Originally written by Shay Gueron (1, 2), and Vlad Krasnov (1)\n * (1) Intel Corporation, Israel Development Center, Haifa, Israel\n * (2) University of Haifa, Israel\n *\n * Reference:\n * S.Gueron and V.Krasnov, \"Fast Prime Field Elliptic Curve Cryptography with\n * 256 Bit Primes\"\n */\n\n#ifndef OPENSSL_HEADER_EC_P256_X86_64_H\n#define OPENSSL_HEADER_EC_P256_X86_64_H\n\n#include \n\n#include \n\n#include \"../bn/internal.h\"\n\n#if defined(__cplusplus)\nextern \"C\" {\n#endif\n\n\n#if !defined(OPENSSL_NO_ASM) && \\\n (defined(OPENSSL_X86_64) || defined(OPENSSL_AARCH64)) && \\\n !defined(OPENSSL_SMALL)\n\n// P-256 field operations.\n//\n// An element mod P in P-256 is represented as a little-endian array of\n// |P256_LIMBS| |BN_ULONG|s, spanning the full range of values.\n//\n// The following functions take fully-reduced inputs mod P and give\n// fully-reduced outputs. They may be used in-place.\n\n#define P256_LIMBS (256 / BN_BITS2)\n\n// ecp_nistz256_neg sets |res| to -|a| mod P.\nvoid ecp_nistz256_neg(BN_ULONG res[P256_LIMBS], const BN_ULONG a[P256_LIMBS]);\n\n// ecp_nistz256_mul_mont sets |res| to |a| * |b| * 2^-256 mod P.\n#if defined(OPENSSL_X86_64)\nvoid ecp_nistz256_mul_mont_nohw(BN_ULONG res[P256_LIMBS],\n const BN_ULONG a[P256_LIMBS],\n const BN_ULONG b[P256_LIMBS]);\nvoid ecp_nistz256_mul_mont_adx(BN_ULONG res[P256_LIMBS],\n const BN_ULONG a[P256_LIMBS],\n const BN_ULONG b[P256_LIMBS]);\n#else\nvoid ecp_nistz256_mul_mont(BN_ULONG res[P256_LIMBS],\n const BN_ULONG a[P256_LIMBS],\n const BN_ULONG b[P256_LIMBS]);\n#endif\n\n// ecp_nistz256_sqr_mont sets |res| to |a| * |a| * 2^-256 mod P.\n#if defined(OPENSSL_X86_64)\nvoid ecp_nistz256_sqr_mont_nohw(BN_ULONG res[P256_LIMBS],\n const BN_ULONG a[P256_LIMBS]);\nvoid ecp_nistz256_sqr_mont_adx(BN_ULONG res[P256_LIMBS],\n const BN_ULONG a[P256_LIMBS]);\n#else\nvoid ecp_nistz256_sqr_mont(BN_ULONG res[P256_LIMBS],\n const BN_ULONG a[P256_LIMBS]);\n#endif\n\n\n// P-256 scalar operations.\n//\n// The following functions compute modulo N, where N is the order of P-256. They\n// take fully-reduced inputs and give fully-reduced outputs.\n\n// ecp_nistz256_ord_mul_mont sets |res| to |a| * |b| where inputs and outputs\n// are in Montgomery form. That is, |res| is |a| * |b| * 2^-256 mod N.\n#if defined(OPENSSL_X86_64)\nvoid ecp_nistz256_ord_mul_mont_nohw(BN_ULONG res[P256_LIMBS],\n const BN_ULONG a[P256_LIMBS],\n const BN_ULONG b[P256_LIMBS]);\nvoid ecp_nistz256_ord_mul_mont_adx(BN_ULONG res[P256_LIMBS],\n const BN_ULONG a[P256_LIMBS],\n const BN_ULONG b[P256_LIMBS]);\n#else\nvoid ecp_nistz256_ord_mul_mont(BN_ULONG res[P256_LIMBS],\n const BN_ULONG a[P256_LIMBS],\n const BN_ULONG b[P256_LIMBS]);\n#endif\n\n// ecp_nistz256_ord_sqr_mont sets |res| to |a|^(2*|rep|) where inputs and\n// outputs are in Montgomery form. That is, |res| is\n// (|a| * 2^-256)^(2*|rep|) * 2^256 mod N.\n#if defined(OPENSSL_X86_64)\nvoid ecp_nistz256_ord_sqr_mont_nohw(BN_ULONG res[P256_LIMBS],\n const BN_ULONG a[P256_LIMBS], BN_ULONG rep);\nvoid ecp_nistz256_ord_sqr_mont_adx(BN_ULONG res[P256_LIMBS],\n const BN_ULONG a[P256_LIMBS], BN_ULONG rep);\n#else\nvoid ecp_nistz256_ord_sqr_mont(BN_ULONG res[P256_LIMBS],\n const BN_ULONG a[P256_LIMBS], BN_ULONG rep);\n#endif\n\n// beeu_mod_inverse_vartime sets out = a^-1 mod p using a Euclidean algorithm.\n// Assumption: 0 < a < p < 2^(256) and p is odd.\nint beeu_mod_inverse_vartime(BN_ULONG out[P256_LIMBS],\n const BN_ULONG a[P256_LIMBS],\n const BN_ULONG p[P256_LIMBS]);\n\n\n// P-256 point operations.\n//\n// The following functions may be used in-place. All coordinates are in the\n// Montgomery domain.\n\n// A P256_POINT represents a P-256 point in Jacobian coordinates.\ntypedef struct {\n BN_ULONG X[P256_LIMBS];\n BN_ULONG Y[P256_LIMBS];\n BN_ULONG Z[P256_LIMBS];\n} P256_POINT;\n\n// A P256_POINT_AFFINE represents a P-256 point in affine coordinates. Infinity\n// is encoded as (0, 0).\ntypedef struct {\n BN_ULONG X[P256_LIMBS];\n BN_ULONG Y[P256_LIMBS];\n} P256_POINT_AFFINE;\n\n// ecp_nistz256_select_w5 sets |*val| to |in_t[index-1]| if 1 <= |index| <= 16\n// and all zeros (the point at infinity) if |index| is 0. This is done in\n// constant time.\n#if defined(OPENSSL_X86_64)\nvoid ecp_nistz256_select_w5_nohw(P256_POINT *val, const P256_POINT in_t[16],\n int index);\nvoid ecp_nistz256_select_w5_avx2(P256_POINT *val, const P256_POINT in_t[16],\n int index);\n#else\nvoid ecp_nistz256_select_w5(P256_POINT *val, const P256_POINT in_t[16],\n int index);\n#endif\n\n// ecp_nistz256_select_w7 sets |*val| to |in_t[index-1]| if 1 <= |index| <= 64\n// and all zeros (the point at infinity) if |index| is 0. This is done in\n// constant time.\n#if defined(OPENSSL_X86_64)\nvoid ecp_nistz256_select_w7_nohw(P256_POINT_AFFINE *val,\n const P256_POINT_AFFINE in_t[64], int index);\nvoid ecp_nistz256_select_w7_avx2(P256_POINT_AFFINE *val,\n const P256_POINT_AFFINE in_t[64], int index);\n#else\nvoid ecp_nistz256_select_w7(P256_POINT_AFFINE *val,\n const P256_POINT_AFFINE in_t[64], int index);\n#endif\n\n// ecp_nistz256_point_double sets |r| to |a| doubled.\n#if defined(OPENSSL_X86_64)\nvoid ecp_nistz256_point_double_nohw(P256_POINT *r, const P256_POINT *a);\nvoid ecp_nistz256_point_double_adx(P256_POINT *r, const P256_POINT *a);\n#else\nvoid ecp_nistz256_point_double(P256_POINT *r, const P256_POINT *a);\n#endif\n\n// ecp_nistz256_point_add adds |a| to |b| and places the result in |r|.\n#if defined(OPENSSL_X86_64)\nvoid ecp_nistz256_point_add_nohw(P256_POINT *r, const P256_POINT *a,\n const P256_POINT *b);\nvoid ecp_nistz256_point_add_adx(P256_POINT *r, const P256_POINT *a,\n const P256_POINT *b);\n#else\nvoid ecp_nistz256_point_add(P256_POINT *r, const P256_POINT *a,\n const P256_POINT *b);\n#endif\n\n// ecp_nistz256_point_add_affine adds |a| to |b| and places the result in\n// |r|. |a| and |b| must not represent the same point unless they are both\n// infinity.\n#if defined(OPENSSL_X86_64)\nvoid ecp_nistz256_point_add_affine_adx(P256_POINT *r, const P256_POINT *a,\n const P256_POINT_AFFINE *b);\nvoid ecp_nistz256_point_add_affine_nohw(P256_POINT *r, const P256_POINT *a,\n const P256_POINT_AFFINE *b);\n#else\nvoid ecp_nistz256_point_add_affine(P256_POINT *r, const P256_POINT *a,\n const P256_POINT_AFFINE *b);\n#endif\n\n#endif /* !defined(OPENSSL_NO_ASM) && \\\n (defined(OPENSSL_X86_64) || defined(OPENSSL_AARCH64)) && \\\n !defined(OPENSSL_SMALL) */\n\n\n#if defined(__cplusplus)\n} // extern C++\n#endif\n\n#endif // OPENSSL_HEADER_EC_P256_X86_64_H\n" }, { "path": "Sources/CNIOBoringSSL/crypto/fipsmodule/ec/p256.cc.inc", "content": "/* Copyright 2020 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n// An implementation of the NIST P-256 elliptic curve point multiplication.\n// 256-bit Montgomery form for 64 and 32-bit. Field operations are generated by\n// Fiat, which lives in //third_party/fiat.\n\n#include \n\n#include \n#include \n#include \n#include \n\n#include \n#include \n\n#include \"../../internal.h\"\n#include \"../delocate.h\"\n#include \"./internal.h\"\n\n#if defined(BORINGSSL_HAS_UINT128)\n#include \"../../../third_party/fiat/p256_64.h\"\n#elif defined(OPENSSL_64_BIT)\n#include \"../../../third_party/fiat/p256_64_msvc.h\"\n#else\n#include \"../../../third_party/fiat/p256_32.h\"\n#endif\n\n\n// utility functions, handwritten\n\n#if defined(OPENSSL_64_BIT)\n#define FIAT_P256_NLIMBS 4\ntypedef uint64_t fiat_p256_limb_t;\ntypedef uint64_t fiat_p256_felem[FIAT_P256_NLIMBS];\nstatic const fiat_p256_felem fiat_p256_one = {0x1, 0xffffffff00000000,\n 0xffffffffffffffff, 0xfffffffe};\n#else // 64BIT; else 32BIT\n#define FIAT_P256_NLIMBS 8\ntypedef uint32_t fiat_p256_limb_t;\ntypedef uint32_t fiat_p256_felem[FIAT_P256_NLIMBS];\nstatic const fiat_p256_felem fiat_p256_one = {\n 0x1, 0x0, 0x0, 0xffffffff, 0xffffffff, 0xffffffff, 0xfffffffe, 0x0};\n#endif // 64BIT\n\n\nstatic fiat_p256_limb_t fiat_p256_nz(\n const fiat_p256_limb_t in1[FIAT_P256_NLIMBS]) {\n fiat_p256_limb_t ret;\n fiat_p256_nonzero(&ret, in1);\n return ret;\n}\n\nstatic void fiat_p256_copy(fiat_p256_limb_t out[FIAT_P256_NLIMBS],\n const fiat_p256_limb_t in1[FIAT_P256_NLIMBS]) {\n for (size_t i = 0; i < FIAT_P256_NLIMBS; i++) {\n out[i] = in1[i];\n }\n}\n\nstatic void fiat_p256_cmovznz(fiat_p256_limb_t out[FIAT_P256_NLIMBS],\n fiat_p256_limb_t t,\n const fiat_p256_limb_t z[FIAT_P256_NLIMBS],\n const fiat_p256_limb_t nz[FIAT_P256_NLIMBS]) {\n fiat_p256_selectznz(out, !!t, z, nz);\n}\n\nstatic void fiat_p256_from_words(fiat_p256_felem out,\n const BN_ULONG in[32 / sizeof(BN_ULONG)]) {\n // Typically, |BN_ULONG| and |fiat_p256_limb_t| will be the same type, but on\n // 64-bit platforms without |uint128_t|, they are different. However, on\n // little-endian systems, |uint64_t[4]| and |uint32_t[8]| have the same\n // layout.\n OPENSSL_memcpy(out, in, 32);\n}\n\nstatic void fiat_p256_from_generic(fiat_p256_felem out, const EC_FELEM *in) {\n fiat_p256_from_words(out, in->words);\n}\n\nstatic void fiat_p256_to_generic(EC_FELEM *out, const fiat_p256_felem in) {\n // See |fiat_p256_from_words|.\n OPENSSL_memcpy(out->words, in, 32);\n}\n\n// fiat_p256_inv_square calculates |out| = |in|^{-2}\n//\n// Based on Fermat's Little Theorem:\n// a^p = a (mod p)\n// a^{p-1} = 1 (mod p)\n// a^{p-3} = a^{-2} (mod p)\nstatic void fiat_p256_inv_square(fiat_p256_felem out,\n const fiat_p256_felem in) {\n // This implements the addition chain described in\n // https://briansmith.org/ecc-inversion-addition-chains-01#p256_field_inversion\n fiat_p256_felem x2, x3, x6, x12, x15, x30, x32;\n fiat_p256_square(x2, in); // 2^2 - 2^1\n fiat_p256_mul(x2, x2, in); // 2^2 - 2^0\n\n fiat_p256_square(x3, x2); // 2^3 - 2^1\n fiat_p256_mul(x3, x3, in); // 2^3 - 2^0\n\n fiat_p256_square(x6, x3);\n for (int i = 1; i < 3; i++) {\n fiat_p256_square(x6, x6);\n } // 2^6 - 2^3\n fiat_p256_mul(x6, x6, x3); // 2^6 - 2^0\n\n fiat_p256_square(x12, x6);\n for (int i = 1; i < 6; i++) {\n fiat_p256_square(x12, x12);\n } // 2^12 - 2^6\n fiat_p256_mul(x12, x12, x6); // 2^12 - 2^0\n\n fiat_p256_square(x15, x12);\n for (int i = 1; i < 3; i++) {\n fiat_p256_square(x15, x15);\n } // 2^15 - 2^3\n fiat_p256_mul(x15, x15, x3); // 2^15 - 2^0\n\n fiat_p256_square(x30, x15);\n for (int i = 1; i < 15; i++) {\n fiat_p256_square(x30, x30);\n } // 2^30 - 2^15\n fiat_p256_mul(x30, x30, x15); // 2^30 - 2^0\n\n fiat_p256_square(x32, x30);\n fiat_p256_square(x32, x32); // 2^32 - 2^2\n fiat_p256_mul(x32, x32, x2); // 2^32 - 2^0\n\n fiat_p256_felem ret;\n fiat_p256_square(ret, x32);\n for (int i = 1; i < 31 + 1; i++) {\n fiat_p256_square(ret, ret);\n } // 2^64 - 2^32\n fiat_p256_mul(ret, ret, in); // 2^64 - 2^32 + 2^0\n\n for (int i = 0; i < 96 + 32; i++) {\n fiat_p256_square(ret, ret);\n } // 2^192 - 2^160 + 2^128\n fiat_p256_mul(ret, ret, x32); // 2^192 - 2^160 + 2^128 + 2^32 - 2^0\n\n for (int i = 0; i < 32; i++) {\n fiat_p256_square(ret, ret);\n } // 2^224 - 2^192 + 2^160 + 2^64 - 2^32\n fiat_p256_mul(ret, ret, x32); // 2^224 - 2^192 + 2^160 + 2^64 - 2^0\n\n for (int i = 0; i < 30; i++) {\n fiat_p256_square(ret, ret);\n } // 2^254 - 2^222 + 2^190 + 2^94 - 2^30\n fiat_p256_mul(ret, ret, x30); // 2^254 - 2^222 + 2^190 + 2^94 - 2^0\n\n fiat_p256_square(ret, ret);\n fiat_p256_square(out, ret); // 2^256 - 2^224 + 2^192 + 2^96 - 2^2\n}\n\n// Group operations\n// ----------------\n//\n// Building on top of the field operations we have the operations on the\n// elliptic curve group itself. Points on the curve are represented in Jacobian\n// coordinates.\n//\n// Both operations were transcribed to Coq and proven to correspond to naive\n// implementations using Affine coordinates, for all suitable fields. In the\n// Coq proofs, issues of constant-time execution and memory layout (aliasing)\n// conventions were not considered. Specification of affine coordinates:\n// \n// As a sanity check, a proof that these points form a commutative group:\n// \n\n// fiat_p256_point_double calculates 2*(x_in, y_in, z_in)\n//\n// The method is taken from:\n// http://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#doubling-dbl-2001-b\n//\n// Coq transcription and correctness proof:\n// \n// \n//\n// Outputs can equal corresponding inputs, i.e., x_out == x_in is allowed.\n// while x_out == y_in is not (maybe this works, but it's not tested).\nstatic void fiat_p256_point_double(fiat_p256_felem x_out, fiat_p256_felem y_out,\n fiat_p256_felem z_out,\n const fiat_p256_felem x_in,\n const fiat_p256_felem y_in,\n const fiat_p256_felem z_in) {\n fiat_p256_felem delta, gamma, beta, ftmp, ftmp2, tmptmp, alpha, fourbeta;\n // delta = z^2\n fiat_p256_square(delta, z_in);\n // gamma = y^2\n fiat_p256_square(gamma, y_in);\n // beta = x*gamma\n fiat_p256_mul(beta, x_in, gamma);\n\n // alpha = 3*(x-delta)*(x+delta)\n fiat_p256_sub(ftmp, x_in, delta);\n fiat_p256_add(ftmp2, x_in, delta);\n\n fiat_p256_add(tmptmp, ftmp2, ftmp2);\n fiat_p256_add(ftmp2, ftmp2, tmptmp);\n fiat_p256_mul(alpha, ftmp, ftmp2);\n\n // x' = alpha^2 - 8*beta\n fiat_p256_square(x_out, alpha);\n fiat_p256_add(fourbeta, beta, beta);\n fiat_p256_add(fourbeta, fourbeta, fourbeta);\n fiat_p256_add(tmptmp, fourbeta, fourbeta);\n fiat_p256_sub(x_out, x_out, tmptmp);\n\n // z' = (y + z)^2 - gamma - delta\n fiat_p256_add(delta, gamma, delta);\n fiat_p256_add(ftmp, y_in, z_in);\n fiat_p256_square(z_out, ftmp);\n fiat_p256_sub(z_out, z_out, delta);\n\n // y' = alpha*(4*beta - x') - 8*gamma^2\n fiat_p256_sub(y_out, fourbeta, x_out);\n fiat_p256_add(gamma, gamma, gamma);\n fiat_p256_square(gamma, gamma);\n fiat_p256_mul(y_out, alpha, y_out);\n fiat_p256_add(gamma, gamma, gamma);\n fiat_p256_sub(y_out, y_out, gamma);\n}\n\n// fiat_p256_point_add calculates (x1, y1, z1) + (x2, y2, z2)\n//\n// The method is taken from:\n// http://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#addition-add-2007-bl,\n// adapted for mixed addition (z2 = 1, or z2 = 0 for the point at infinity).\n//\n// Coq transcription and correctness proof:\n// \n// \n//\n// This function includes a branch for checking whether the two input points\n// are equal, (while not equal to the point at infinity). This case never\n// happens during single point multiplication, so there is no timing leak for\n// ECDH or ECDSA signing.\nstatic void fiat_p256_point_add(fiat_p256_felem x3, fiat_p256_felem y3,\n fiat_p256_felem z3, const fiat_p256_felem x1,\n const fiat_p256_felem y1,\n const fiat_p256_felem z1, const int mixed,\n const fiat_p256_felem x2,\n const fiat_p256_felem y2,\n const fiat_p256_felem z2) {\n fiat_p256_felem x_out, y_out, z_out;\n fiat_p256_limb_t z1nz = fiat_p256_nz(z1);\n fiat_p256_limb_t z2nz = fiat_p256_nz(z2);\n\n // z1z1 = z1z1 = z1**2\n fiat_p256_felem z1z1;\n fiat_p256_square(z1z1, z1);\n\n fiat_p256_felem u1, s1, two_z1z2;\n if (!mixed) {\n // z2z2 = z2**2\n fiat_p256_felem z2z2;\n fiat_p256_square(z2z2, z2);\n\n // u1 = x1*z2z2\n fiat_p256_mul(u1, x1, z2z2);\n\n // two_z1z2 = (z1 + z2)**2 - (z1z1 + z2z2) = 2z1z2\n fiat_p256_add(two_z1z2, z1, z2);\n fiat_p256_square(two_z1z2, two_z1z2);\n fiat_p256_sub(two_z1z2, two_z1z2, z1z1);\n fiat_p256_sub(two_z1z2, two_z1z2, z2z2);\n\n // s1 = y1 * z2**3\n fiat_p256_mul(s1, z2, z2z2);\n fiat_p256_mul(s1, s1, y1);\n } else {\n // We'll assume z2 = 1 (special case z2 = 0 is handled later).\n\n // u1 = x1*z2z2\n fiat_p256_copy(u1, x1);\n // two_z1z2 = 2z1z2\n fiat_p256_add(two_z1z2, z1, z1);\n // s1 = y1 * z2**3\n fiat_p256_copy(s1, y1);\n }\n\n // u2 = x2*z1z1\n fiat_p256_felem u2;\n fiat_p256_mul(u2, x2, z1z1);\n\n // h = u2 - u1\n fiat_p256_felem h;\n fiat_p256_sub(h, u2, u1);\n\n fiat_p256_limb_t xneq = fiat_p256_nz(h);\n\n // z_out = two_z1z2 * h\n fiat_p256_mul(z_out, h, two_z1z2);\n\n // z1z1z1 = z1 * z1z1\n fiat_p256_felem z1z1z1;\n fiat_p256_mul(z1z1z1, z1, z1z1);\n\n // s2 = y2 * z1**3\n fiat_p256_felem s2;\n fiat_p256_mul(s2, y2, z1z1z1);\n\n // r = (s2 - s1)*2\n fiat_p256_felem r;\n fiat_p256_sub(r, s2, s1);\n fiat_p256_add(r, r, r);\n\n fiat_p256_limb_t yneq = fiat_p256_nz(r);\n\n fiat_p256_limb_t is_nontrivial_double = constant_time_is_zero_w(xneq | yneq) &\n ~constant_time_is_zero_w(z1nz) &\n ~constant_time_is_zero_w(z2nz);\n if (constant_time_declassify_w(is_nontrivial_double)) {\n fiat_p256_point_double(x3, y3, z3, x1, y1, z1);\n return;\n }\n\n // I = (2h)**2\n fiat_p256_felem i;\n fiat_p256_add(i, h, h);\n fiat_p256_square(i, i);\n\n // J = h * I\n fiat_p256_felem j;\n fiat_p256_mul(j, h, i);\n\n // V = U1 * I\n fiat_p256_felem v;\n fiat_p256_mul(v, u1, i);\n\n // x_out = r**2 - J - 2V\n fiat_p256_square(x_out, r);\n fiat_p256_sub(x_out, x_out, j);\n fiat_p256_sub(x_out, x_out, v);\n fiat_p256_sub(x_out, x_out, v);\n\n // y_out = r(V-x_out) - 2 * s1 * J\n fiat_p256_sub(y_out, v, x_out);\n fiat_p256_mul(y_out, y_out, r);\n fiat_p256_felem s1j;\n fiat_p256_mul(s1j, s1, j);\n fiat_p256_sub(y_out, y_out, s1j);\n fiat_p256_sub(y_out, y_out, s1j);\n\n fiat_p256_cmovznz(x_out, z1nz, x2, x_out);\n fiat_p256_cmovznz(x3, z2nz, x1, x_out);\n fiat_p256_cmovznz(y_out, z1nz, y2, y_out);\n fiat_p256_cmovznz(y3, z2nz, y1, y_out);\n fiat_p256_cmovznz(z_out, z1nz, z2, z_out);\n fiat_p256_cmovznz(z3, z2nz, z1, z_out);\n}\n\n#include \"./p256_table.h\"\n\n// fiat_p256_select_point_affine selects the |idx-1|th point from a\n// precomputation table and copies it to out. If |idx| is zero, the output is\n// the point at infinity.\nstatic void fiat_p256_select_point_affine(\n const fiat_p256_limb_t idx, size_t size,\n const fiat_p256_felem pre_comp[/*size*/][2], fiat_p256_felem out[3]) {\n OPENSSL_memset(out, 0, sizeof(fiat_p256_felem) * 3);\n for (size_t i = 0; i < size; i++) {\n fiat_p256_limb_t mismatch = i ^ (idx - 1);\n fiat_p256_cmovznz(out[0], mismatch, pre_comp[i][0], out[0]);\n fiat_p256_cmovznz(out[1], mismatch, pre_comp[i][1], out[1]);\n }\n fiat_p256_cmovznz(out[2], idx, out[2], fiat_p256_one);\n}\n\n// fiat_p256_select_point selects the |idx|th point from a precomputation table\n// and copies it to out.\nstatic void fiat_p256_select_point(const fiat_p256_limb_t idx, size_t size,\n const fiat_p256_felem pre_comp[/*size*/][3],\n fiat_p256_felem out[3]) {\n OPENSSL_memset(out, 0, sizeof(fiat_p256_felem) * 3);\n for (size_t i = 0; i < size; i++) {\n fiat_p256_limb_t mismatch = i ^ idx;\n fiat_p256_cmovznz(out[0], mismatch, pre_comp[i][0], out[0]);\n fiat_p256_cmovznz(out[1], mismatch, pre_comp[i][1], out[1]);\n fiat_p256_cmovznz(out[2], mismatch, pre_comp[i][2], out[2]);\n }\n}\n\n// fiat_p256_get_bit returns the |i|th bit in |in|.\nstatic crypto_word_t fiat_p256_get_bit(const EC_SCALAR *in, int i) {\n if (i < 0 || i >= 256) {\n return 0;\n }\n#if defined(OPENSSL_64_BIT)\n static_assert(sizeof(BN_ULONG) == 8, \"BN_ULONG was not 64-bit\");\n return (in->words[i >> 6] >> (i & 63)) & 1;\n#else\n static_assert(sizeof(BN_ULONG) == 4, \"BN_ULONG was not 32-bit\");\n return (in->words[i >> 5] >> (i & 31)) & 1;\n#endif\n}\n\n// OPENSSL EC_METHOD FUNCTIONS\n\n// Takes the Jacobian coordinates (X, Y, Z) of a point and returns (X', Y') =\n// (X/Z^2, Y/Z^3).\nstatic int ec_GFp_nistp256_point_get_affine_coordinates(\n const EC_GROUP *group, const EC_JACOBIAN *point, EC_FELEM *x_out,\n EC_FELEM *y_out) {\n if (constant_time_declassify_int(\n ec_GFp_simple_is_at_infinity(group, point))) {\n OPENSSL_PUT_ERROR(EC, EC_R_POINT_AT_INFINITY);\n return 0;\n }\n\n fiat_p256_felem z1, z2;\n fiat_p256_from_generic(z1, &point->Z);\n fiat_p256_inv_square(z2, z1);\n\n if (x_out != NULL) {\n fiat_p256_felem x;\n fiat_p256_from_generic(x, &point->X);\n fiat_p256_mul(x, x, z2);\n fiat_p256_to_generic(x_out, x);\n }\n\n if (y_out != NULL) {\n fiat_p256_felem y;\n fiat_p256_from_generic(y, &point->Y);\n fiat_p256_square(z2, z2); // z^-4\n fiat_p256_mul(y, y, z1); // y * z\n fiat_p256_mul(y, y, z2); // y * z^-3\n fiat_p256_to_generic(y_out, y);\n }\n\n return 1;\n}\n\nstatic void ec_GFp_nistp256_add(const EC_GROUP *group, EC_JACOBIAN *r,\n const EC_JACOBIAN *a, const EC_JACOBIAN *b) {\n fiat_p256_felem x1, y1, z1, x2, y2, z2;\n fiat_p256_from_generic(x1, &a->X);\n fiat_p256_from_generic(y1, &a->Y);\n fiat_p256_from_generic(z1, &a->Z);\n fiat_p256_from_generic(x2, &b->X);\n fiat_p256_from_generic(y2, &b->Y);\n fiat_p256_from_generic(z2, &b->Z);\n fiat_p256_point_add(x1, y1, z1, x1, y1, z1, 0 /* both Jacobian */, x2, y2,\n z2);\n fiat_p256_to_generic(&r->X, x1);\n fiat_p256_to_generic(&r->Y, y1);\n fiat_p256_to_generic(&r->Z, z1);\n}\n\nstatic void ec_GFp_nistp256_dbl(const EC_GROUP *group, EC_JACOBIAN *r,\n const EC_JACOBIAN *a) {\n fiat_p256_felem x, y, z;\n fiat_p256_from_generic(x, &a->X);\n fiat_p256_from_generic(y, &a->Y);\n fiat_p256_from_generic(z, &a->Z);\n fiat_p256_point_double(x, y, z, x, y, z);\n fiat_p256_to_generic(&r->X, x);\n fiat_p256_to_generic(&r->Y, y);\n fiat_p256_to_generic(&r->Z, z);\n}\n\nstatic void ec_GFp_nistp256_point_mul(const EC_GROUP *group, EC_JACOBIAN *r,\n const EC_JACOBIAN *p,\n const EC_SCALAR *scalar) {\n fiat_p256_felem p_pre_comp[17][3];\n OPENSSL_memset(&p_pre_comp, 0, sizeof(p_pre_comp));\n // Precompute multiples.\n fiat_p256_from_generic(p_pre_comp[1][0], &p->X);\n fiat_p256_from_generic(p_pre_comp[1][1], &p->Y);\n fiat_p256_from_generic(p_pre_comp[1][2], &p->Z);\n for (size_t j = 2; j <= 16; ++j) {\n if (j & 1) {\n fiat_p256_point_add(p_pre_comp[j][0], p_pre_comp[j][1], p_pre_comp[j][2],\n p_pre_comp[1][0], p_pre_comp[1][1], p_pre_comp[1][2],\n 0, p_pre_comp[j - 1][0], p_pre_comp[j - 1][1],\n p_pre_comp[j - 1][2]);\n } else {\n fiat_p256_point_double(p_pre_comp[j][0], p_pre_comp[j][1],\n p_pre_comp[j][2], p_pre_comp[j / 2][0],\n p_pre_comp[j / 2][1], p_pre_comp[j / 2][2]);\n }\n }\n\n // Set nq to the point at infinity.\n fiat_p256_felem nq[3] = {{0}, {0}, {0}}, ftmp, tmp[3];\n\n // Loop over |scalar| msb-to-lsb, incorporating |p_pre_comp| every 5th round.\n int skip = 1; // Save two point operations in the first round.\n for (size_t i = 255; i < 256; i--) {\n // double\n if (!skip) {\n fiat_p256_point_double(nq[0], nq[1], nq[2], nq[0], nq[1], nq[2]);\n }\n\n // do other additions every 5 doublings\n if (i % 5 == 0) {\n crypto_word_t bits = fiat_p256_get_bit(scalar, i + 4) << 5;\n bits |= fiat_p256_get_bit(scalar, i + 3) << 4;\n bits |= fiat_p256_get_bit(scalar, i + 2) << 3;\n bits |= fiat_p256_get_bit(scalar, i + 1) << 2;\n bits |= fiat_p256_get_bit(scalar, i) << 1;\n bits |= fiat_p256_get_bit(scalar, i - 1);\n crypto_word_t sign, digit;\n ec_GFp_nistp_recode_scalar_bits(&sign, &digit, bits);\n\n // select the point to add or subtract, in constant time.\n fiat_p256_select_point((fiat_p256_limb_t)digit, 17,\n (const fiat_p256_felem(*)[3])p_pre_comp, tmp);\n fiat_p256_opp(ftmp, tmp[1]); // (X, -Y, Z) is the negative point.\n fiat_p256_cmovznz(tmp[1], (fiat_p256_limb_t)sign, tmp[1], ftmp);\n\n if (!skip) {\n fiat_p256_point_add(nq[0], nq[1], nq[2], nq[0], nq[1], nq[2],\n 0 /* mixed */, tmp[0], tmp[1], tmp[2]);\n } else {\n fiat_p256_copy(nq[0], tmp[0]);\n fiat_p256_copy(nq[1], tmp[1]);\n fiat_p256_copy(nq[2], tmp[2]);\n skip = 0;\n }\n }\n }\n\n fiat_p256_to_generic(&r->X, nq[0]);\n fiat_p256_to_generic(&r->Y, nq[1]);\n fiat_p256_to_generic(&r->Z, nq[2]);\n}\n\nstatic void ec_GFp_nistp256_point_mul_base(const EC_GROUP *group,\n EC_JACOBIAN *r,\n const EC_SCALAR *scalar) {\n // Set nq to the point at infinity.\n fiat_p256_felem nq[3] = {{0}, {0}, {0}}, tmp[3];\n\n int skip = 1; // Save two point operations in the first round.\n for (size_t i = 31; i < 32; i--) {\n if (!skip) {\n fiat_p256_point_double(nq[0], nq[1], nq[2], nq[0], nq[1], nq[2]);\n }\n\n // First, look 32 bits upwards.\n crypto_word_t bits = fiat_p256_get_bit(scalar, i + 224) << 3;\n bits |= fiat_p256_get_bit(scalar, i + 160) << 2;\n bits |= fiat_p256_get_bit(scalar, i + 96) << 1;\n bits |= fiat_p256_get_bit(scalar, i + 32);\n // Select the point to add, in constant time.\n fiat_p256_select_point_affine((fiat_p256_limb_t)bits, 15,\n fiat_p256_g_pre_comp[1], tmp);\n\n if (!skip) {\n fiat_p256_point_add(nq[0], nq[1], nq[2], nq[0], nq[1], nq[2],\n 1 /* mixed */, tmp[0], tmp[1], tmp[2]);\n } else {\n fiat_p256_copy(nq[0], tmp[0]);\n fiat_p256_copy(nq[1], tmp[1]);\n fiat_p256_copy(nq[2], tmp[2]);\n skip = 0;\n }\n\n // Second, look at the current position.\n bits = fiat_p256_get_bit(scalar, i + 192) << 3;\n bits |= fiat_p256_get_bit(scalar, i + 128) << 2;\n bits |= fiat_p256_get_bit(scalar, i + 64) << 1;\n bits |= fiat_p256_get_bit(scalar, i);\n // Select the point to add, in constant time.\n fiat_p256_select_point_affine((fiat_p256_limb_t)bits, 15,\n fiat_p256_g_pre_comp[0], tmp);\n fiat_p256_point_add(nq[0], nq[1], nq[2], nq[0], nq[1], nq[2], 1 /* mixed */,\n tmp[0], tmp[1], tmp[2]);\n }\n\n fiat_p256_to_generic(&r->X, nq[0]);\n fiat_p256_to_generic(&r->Y, nq[1]);\n fiat_p256_to_generic(&r->Z, nq[2]);\n}\n\nstatic void ec_GFp_nistp256_point_mul_public(const EC_GROUP *group,\n EC_JACOBIAN *r,\n const EC_SCALAR *g_scalar,\n const EC_JACOBIAN *p,\n const EC_SCALAR *p_scalar) {\n#define P256_WSIZE_PUBLIC 4\n // Precompute multiples of |p|. p_pre_comp[i] is (2*i+1) * |p|.\n fiat_p256_felem p_pre_comp[1 << (P256_WSIZE_PUBLIC - 1)][3];\n fiat_p256_from_generic(p_pre_comp[0][0], &p->X);\n fiat_p256_from_generic(p_pre_comp[0][1], &p->Y);\n fiat_p256_from_generic(p_pre_comp[0][2], &p->Z);\n fiat_p256_felem p2[3];\n fiat_p256_point_double(p2[0], p2[1], p2[2], p_pre_comp[0][0],\n p_pre_comp[0][1], p_pre_comp[0][2]);\n for (size_t i = 1; i < OPENSSL_ARRAY_SIZE(p_pre_comp); i++) {\n fiat_p256_point_add(p_pre_comp[i][0], p_pre_comp[i][1], p_pre_comp[i][2],\n p_pre_comp[i - 1][0], p_pre_comp[i - 1][1],\n p_pre_comp[i - 1][2], 0 /* not mixed */, p2[0], p2[1],\n p2[2]);\n }\n\n // Set up the coefficients for |p_scalar|.\n int8_t p_wNAF[257];\n ec_compute_wNAF(group, p_wNAF, p_scalar, 256, P256_WSIZE_PUBLIC);\n\n // Set |ret| to the point at infinity.\n int skip = 1; // Save some point operations.\n fiat_p256_felem ret[3] = {{0}, {0}, {0}};\n for (int i = 256; i >= 0; i--) {\n if (!skip) {\n fiat_p256_point_double(ret[0], ret[1], ret[2], ret[0], ret[1], ret[2]);\n }\n\n // For the |g_scalar|, we use the precomputed table without the\n // constant-time lookup.\n if (i <= 31) {\n // First, look 32 bits upwards.\n crypto_word_t bits = fiat_p256_get_bit(g_scalar, i + 224) << 3;\n bits |= fiat_p256_get_bit(g_scalar, i + 160) << 2;\n bits |= fiat_p256_get_bit(g_scalar, i + 96) << 1;\n bits |= fiat_p256_get_bit(g_scalar, i + 32);\n if (bits != 0) {\n size_t index = (size_t)(bits - 1);\n fiat_p256_point_add(ret[0], ret[1], ret[2], ret[0], ret[1], ret[2],\n 1 /* mixed */, fiat_p256_g_pre_comp[1][index][0],\n fiat_p256_g_pre_comp[1][index][1],\n fiat_p256_one);\n skip = 0;\n }\n\n // Second, look at the current position.\n bits = fiat_p256_get_bit(g_scalar, i + 192) << 3;\n bits |= fiat_p256_get_bit(g_scalar, i + 128) << 2;\n bits |= fiat_p256_get_bit(g_scalar, i + 64) << 1;\n bits |= fiat_p256_get_bit(g_scalar, i);\n if (bits != 0) {\n size_t index = (size_t)(bits - 1);\n fiat_p256_point_add(ret[0], ret[1], ret[2], ret[0], ret[1], ret[2],\n 1 /* mixed */, fiat_p256_g_pre_comp[0][index][0],\n fiat_p256_g_pre_comp[0][index][1],\n fiat_p256_one);\n skip = 0;\n }\n }\n\n int digit = p_wNAF[i];\n if (digit != 0) {\n assert(digit & 1);\n size_t idx = (size_t)(digit < 0 ? (-digit) >> 1 : digit >> 1);\n fiat_p256_felem *y = &p_pre_comp[idx][1], tmp;\n if (digit < 0) {\n fiat_p256_opp(tmp, p_pre_comp[idx][1]);\n y = &tmp;\n }\n if (!skip) {\n fiat_p256_point_add(ret[0], ret[1], ret[2], ret[0], ret[1], ret[2],\n 0 /* not mixed */, p_pre_comp[idx][0], *y,\n p_pre_comp[idx][2]);\n } else {\n fiat_p256_copy(ret[0], p_pre_comp[idx][0]);\n fiat_p256_copy(ret[1], *y);\n fiat_p256_copy(ret[2], p_pre_comp[idx][2]);\n skip = 0;\n }\n }\n }\n\n fiat_p256_to_generic(&r->X, ret[0]);\n fiat_p256_to_generic(&r->Y, ret[1]);\n fiat_p256_to_generic(&r->Z, ret[2]);\n}\n\nstatic int ec_GFp_nistp256_cmp_x_coordinate(const EC_GROUP *group,\n const EC_JACOBIAN *p,\n const EC_SCALAR *r) {\n if (ec_GFp_simple_is_at_infinity(group, p)) {\n return 0;\n }\n\n // We wish to compare X/Z^2 with r. This is equivalent to comparing X with\n // r*Z^2. Note that X and Z are represented in Montgomery form, while r is\n // not.\n fiat_p256_felem Z2_mont;\n fiat_p256_from_generic(Z2_mont, &p->Z);\n fiat_p256_mul(Z2_mont, Z2_mont, Z2_mont);\n\n fiat_p256_felem r_Z2;\n fiat_p256_from_words(r_Z2, r->words); // r < order < p, so this is valid.\n fiat_p256_mul(r_Z2, r_Z2, Z2_mont);\n\n fiat_p256_felem X;\n fiat_p256_from_generic(X, &p->X);\n fiat_p256_from_montgomery(X, X);\n\n if (OPENSSL_memcmp(&r_Z2, &X, sizeof(r_Z2)) == 0) {\n return 1;\n }\n\n // During signing the x coefficient is reduced modulo the group order.\n // Therefore there is a small possibility, less than 1/2^128, that group_order\n // < p.x < P. in that case we need not only to compare against |r| but also to\n // compare against r+group_order.\n assert(group->field.N.width == group->order.N.width);\n EC_FELEM tmp;\n BN_ULONG carry =\n bn_add_words(tmp.words, r->words, group->order.N.d, group->field.N.width);\n if (carry == 0 &&\n bn_less_than_words(tmp.words, group->field.N.d, group->field.N.width)) {\n fiat_p256_from_generic(r_Z2, &tmp);\n fiat_p256_mul(r_Z2, r_Z2, Z2_mont);\n if (OPENSSL_memcmp(&r_Z2, &X, sizeof(r_Z2)) == 0) {\n return 1;\n }\n }\n\n return 0;\n}\n\nDEFINE_METHOD_FUNCTION(EC_METHOD, EC_GFp_nistp256_method) {\n out->point_get_affine_coordinates =\n ec_GFp_nistp256_point_get_affine_coordinates;\n out->add = ec_GFp_nistp256_add;\n out->dbl = ec_GFp_nistp256_dbl;\n out->mul = ec_GFp_nistp256_point_mul;\n out->mul_base = ec_GFp_nistp256_point_mul_base;\n out->mul_public = ec_GFp_nistp256_point_mul_public;\n out->felem_mul = ec_GFp_mont_felem_mul;\n out->felem_sqr = ec_GFp_mont_felem_sqr;\n out->felem_to_bytes = ec_GFp_mont_felem_to_bytes;\n out->felem_from_bytes = ec_GFp_mont_felem_from_bytes;\n out->felem_reduce = ec_GFp_mont_felem_reduce;\n // TODO(davidben): This should use the specialized field arithmetic\n // implementation, rather than the generic one.\n out->felem_exp = ec_GFp_mont_felem_exp;\n out->scalar_inv0_montgomery = ec_simple_scalar_inv0_montgomery;\n out->scalar_to_montgomery_inv_vartime =\n ec_simple_scalar_to_montgomery_inv_vartime;\n out->cmp_x_coordinate = ec_GFp_nistp256_cmp_x_coordinate;\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/fipsmodule/ec/p256_table.h", "content": "/* Copyright 2020 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n// This file is generated by make_tables.go.\n\n// Base point pre computation\n// --------------------------\n//\n// Two different sorts of precomputed tables are used in the following code.\n// Each contain various points on the curve, where each point is three field\n// elements (x, y, z).\n//\n// For the base point table, z is usually 1 (0 for the point at infinity).\n// This table has 2 * 16 elements, starting with the following:\n// index | bits | point\n// ------+---------+------------------------------\n// 0 | 0 0 0 0 | 0G\n// 1 | 0 0 0 1 | 1G\n// 2 | 0 0 1 0 | 2^64G\n// 3 | 0 0 1 1 | (2^64 + 1)G\n// 4 | 0 1 0 0 | 2^128G\n// 5 | 0 1 0 1 | (2^128 + 1)G\n// 6 | 0 1 1 0 | (2^128 + 2^64)G\n// 7 | 0 1 1 1 | (2^128 + 2^64 + 1)G\n// 8 | 1 0 0 0 | 2^192G\n// 9 | 1 0 0 1 | (2^192 + 1)G\n// 10 | 1 0 1 0 | (2^192 + 2^64)G\n// 11 | 1 0 1 1 | (2^192 + 2^64 + 1)G\n// 12 | 1 1 0 0 | (2^192 + 2^128)G\n// 13 | 1 1 0 1 | (2^192 + 2^128 + 1)G\n// 14 | 1 1 1 0 | (2^192 + 2^128 + 2^64)G\n// 15 | 1 1 1 1 | (2^192 + 2^128 + 2^64 + 1)G\n// followed by a copy of this with each element multiplied by 2^32.\n//\n// The reason for this is so that we can clock bits into four different\n// locations when doing simple scalar multiplies against the base point,\n// and then another four locations using the second 16 elements.\n//\n// Tables for other points have table[i] = iG for i in 0 .. 16.\n\n// fiat_p256_g_pre_comp is the table of precomputed base points\n#if defined(OPENSSL_64_BIT)\nstatic const fiat_p256_felem fiat_p256_g_pre_comp[2][15][2] = {\n {{{0x79e730d418a9143c, 0x75ba95fc5fedb601, 0x79fb732b77622510,\n 0x18905f76a53755c6},\n {0xddf25357ce95560a, 0x8b4ab8e4ba19e45c, 0xd2e88688dd21f325,\n 0x8571ff1825885d85}},\n {{0x4f922fc516a0d2bb, 0x0d5cc16c1a623499, 0x9241cf3a57c62c8b,\n 0x2f5e6961fd1b667f},\n {0x5c15c70bf5a01797, 0x3d20b44d60956192, 0x04911b37071fdb52,\n 0xf648f9168d6f0f7b}},\n {{0x9e566847e137bbbc, 0xe434469e8a6a0bec, 0xb1c4276179d73463,\n 0x5abe0285133d0015},\n {0x92aa837cc04c7dab, 0x573d9f4c43260c07, 0x0c93156278e6cc37,\n 0x94bb725b6b6f7383}},\n {{0x62a8c244bfe20925, 0x91c19ac38fdce867, 0x5a96a5d5dd387063,\n 0x61d587d421d324f6},\n {0xe87673a2a37173ea, 0x2384800853778b65, 0x10f8441e05bab43e,\n 0xfa11fe124621efbe}},\n {{0x1c891f2b2cb19ffd, 0x01ba8d5bb1923c23, 0xb6d03d678ac5ca8e,\n 0x586eb04c1f13bedc},\n {0x0c35c6e527e8ed09, 0x1e81a33c1819ede2, 0x278fd6c056c652fa,\n 0x19d5ac0870864f11}},\n {{0x62577734d2b533d5, 0x673b8af6a1bdddc0, 0x577e7c9aa79ec293,\n 0xbb6de651c3b266b1},\n {0xe7e9303ab65259b3, 0xd6a0afd3d03a7480, 0xc5ac83d19b3cfc27,\n 0x60b4619a5d18b99b}},\n {{0xbd6a38e11ae5aa1c, 0xb8b7652b49e73658, 0x0b130014ee5f87ed,\n 0x9d0f27b2aeebffcd},\n {0xca9246317a730a55, 0x9c955b2fddbbc83a, 0x07c1dfe0ac019a71,\n 0x244a566d356ec48d}},\n {{0x56f8410ef4f8b16a, 0x97241afec47b266a, 0x0a406b8e6d9c87c1,\n 0x803f3e02cd42ab1b},\n {0x7f0309a804dbec69, 0xa83b85f73bbad05f, 0xc6097273ad8e197f,\n 0xc097440e5067adc1}},\n {{0x846a56f2c379ab34, 0xa8ee068b841df8d1, 0x20314459176c68ef,\n 0xf1af32d5915f1f30},\n {0x99c375315d75bd50, 0x837cffbaf72f67bc, 0x0613a41848d7723f,\n 0x23d0f130e2d41c8b}},\n {{0xed93e225d5be5a2b, 0x6fe799835934f3c6, 0x4314092622626ffc,\n 0x50bbb4d97990216a},\n {0x378191c6e57ec63e, 0x65422c40181dcdb2, 0x41a8099b0236e0f6,\n 0x2b10011801fe49c3}},\n {{0xfc68b5c59b391593, 0xc385f5a2598270fc, 0x7144f3aad19adcbb,\n 0xdd55899983fbae0c},\n {0x93b88b8e74b82ff4, 0xd2e03c4071e734c9, 0x9a7a9eaf43c0322a,\n 0xe6e4c551149d6041}},\n {{0x5fe14bfe80ec21fe, 0xf6ce116ac255be82, 0x98bc5a072f4a5d67,\n 0xfad27148db7e63af},\n {0x90c0b6ac29ab05b3, 0x37a9a83c4e251ae6, 0x0a7dc875c2aade7d,\n 0x77387de39f0e1a84}},\n {{0x1e9ecc49a56c0dd7, 0xa5cffcd846086c74, 0x8f7a1408f505aece,\n 0xb37b85c0bef0c47e},\n {0x3596b6e4cc0e6a8f, 0xfd6d4bbf6b388f23, 0xaba453fac39cef4e,\n 0x9c135ac8f9f628d5}},\n {{0x0a1c729495c8f8be, 0x2961c4803bf362bf, 0x9e418403df63d4ac,\n 0xc109f9cb91ece900},\n {0xc2d095d058945705, 0xb9083d96ddeb85c0, 0x84692b8d7a40449b,\n 0x9bc3344f2eee1ee1}},\n {{0x0d5ae35642913074, 0x55491b2748a542b1, 0x469ca665b310732a,\n 0x29591d525f1a4cc1},\n {0xe76f5b6bb84f983f, 0xbe7eef419f5f84e1, 0x1200d49680baa189,\n 0x6376551f18ef332c}}},\n {{{0x202886024147519a, 0xd0981eac26b372f0, 0xa9d4a7caa785ebc8,\n 0xd953c50ddbdf58e9},\n {0x9d6361ccfd590f8f, 0x72e9626b44e6c917, 0x7fd9611022eb64cf,\n 0x863ebb7e9eb288f3}},\n {{0x4fe7ee31b0e63d34, 0xf4600572a9e54fab, 0xc0493334d5e7b5a4,\n 0x8589fb9206d54831},\n {0xaa70f5cc6583553a, 0x0879094ae25649e5, 0xcc90450710044652,\n 0xebb0696d02541c4f}},\n {{0xabbaa0c03b89da99, 0xa6f2d79eb8284022, 0x27847862b81c05e8,\n 0x337a4b5905e54d63},\n {0x3c67500d21f7794a, 0x207005b77d6d7f61, 0x0a5a378104cfd6e8,\n 0x0d65e0d5f4c2fbd6}},\n {{0xd433e50f6d3549cf, 0x6f33696ffacd665e, 0x695bfdacce11fcb4,\n 0x810ee252af7c9860},\n {0x65450fe17159bb2c, 0xf7dfbebe758b357b, 0x2b057e74d69fea72,\n 0xd485717a92731745}},\n {{0xce1f69bbe83f7669, 0x09f8ae8272877d6b, 0x9548ae543244278d,\n 0x207755dee3c2c19c},\n {0x87bd61d96fef1945, 0x18813cefb12d28c3, 0x9fbcd1d672df64aa,\n 0x48dc5ee57154b00d}},\n {{0xef0f469ef49a3154, 0x3e85a5956e2b2e9a, 0x45aaec1eaa924a9c,\n 0xaa12dfc8a09e4719},\n {0x26f272274df69f1d, 0xe0e4c82ca2ff5e73, 0xb9d8ce73b7a9dd44,\n 0x6c036e73e48ca901}},\n {{0xe1e421e1a47153f0, 0xb86c3b79920418c9, 0x93bdce87705d7672,\n 0xf25ae793cab79a77},\n {0x1f3194a36d869d0c, 0x9d55c8824986c264, 0x49fb5ea3096e945e,\n 0x39b8e65313db0a3e}},\n {{0xe3417bc035d0b34a, 0x440b386b8327c0a7, 0x8fb7262dac0362d1,\n 0x2c41114ce0cdf943},\n {0x2ba5cef1ad95a0b1, 0xc09b37a867d54362, 0x26d6cdd201e486c9,\n 0x20477abf42ff9297}},\n {{0x0f121b41bc0a67d2, 0x62d4760a444d248a, 0x0e044f1d659b4737,\n 0x08fde365250bb4a8},\n {0xaceec3da848bf287, 0xc2a62182d3369d6e, 0x3582dfdc92449482,\n 0x2f7e2fd2565d6cd7}},\n {{0x0a0122b5178a876b, 0x51ff96ff085104b4, 0x050b31ab14f29f76,\n 0x84abb28b5f87d4e6},\n {0xd5ed439f8270790a, 0x2d6cb59d85e3f46b, 0x75f55c1b6c1e2212,\n 0xe5436f6717655640}},\n {{0xc2965ecc9aeb596d, 0x01ea03e7023c92b4, 0x4704b4b62e013961,\n 0x0ca8fd3f905ea367},\n {0x92523a42551b2b61, 0x1eb7a89c390fcd06, 0xe7f1d2be0392a63e,\n 0x96dca2644ddb0c33}},\n {{0x231c210e15339848, 0xe87a28e870778c8d, 0x9d1de6616956e170,\n 0x4ac3c9382bb09c0b},\n {0x19be05516998987d, 0x8b2376c4ae09f4d6, 0x1de0b7651a3f933d,\n 0x380d94c7e39705f4}},\n {{0x3685954b8c31c31d, 0x68533d005bf21a0c, 0x0bd7626e75c79ec9,\n 0xca17754742c69d54},\n {0xcc6edafff6d2dbb2, 0xfd0d8cbd174a9d18, 0x875e8793aa4578e8,\n 0xa976a7139cab2ce6}},\n {{0xce37ab11b43ea1db, 0x0a7ff1a95259d292, 0x851b02218f84f186,\n 0xa7222beadefaad13},\n {0xa2ac78ec2b0a9144, 0x5a024051f2fa59c5, 0x91d1eca56147ce38,\n 0xbe94d523bc2ac690}},\n {{0x2d8daefd79ec1a0f, 0x3bbcd6fdceb39c97, 0xf5575ffc58f61a95,\n 0xdbd986c4adf7b420},\n {0x81aa881415f39eb7, 0x6ee2fcf5b98d976c, 0x5465475dcf2f717d,\n 0x8e24d3c46860bbd0}}}};\n#else\nstatic const fiat_p256_felem fiat_p256_g_pre_comp[2][15][2] = {\n {{{0x18a9143c, 0x79e730d4, 0x5fedb601, 0x75ba95fc, 0x77622510, 0x79fb732b,\n 0xa53755c6, 0x18905f76},\n {0xce95560a, 0xddf25357, 0xba19e45c, 0x8b4ab8e4, 0xdd21f325, 0xd2e88688,\n 0x25885d85, 0x8571ff18}},\n {{0x16a0d2bb, 0x4f922fc5, 0x1a623499, 0x0d5cc16c, 0x57c62c8b, 0x9241cf3a,\n 0xfd1b667f, 0x2f5e6961},\n {0xf5a01797, 0x5c15c70b, 0x60956192, 0x3d20b44d, 0x071fdb52, 0x04911b37,\n 0x8d6f0f7b, 0xf648f916}},\n {{0xe137bbbc, 0x9e566847, 0x8a6a0bec, 0xe434469e, 0x79d73463, 0xb1c42761,\n 0x133d0015, 0x5abe0285},\n {0xc04c7dab, 0x92aa837c, 0x43260c07, 0x573d9f4c, 0x78e6cc37, 0x0c931562,\n 0x6b6f7383, 0x94bb725b}},\n {{0xbfe20925, 0x62a8c244, 0x8fdce867, 0x91c19ac3, 0xdd387063, 0x5a96a5d5,\n 0x21d324f6, 0x61d587d4},\n {0xa37173ea, 0xe87673a2, 0x53778b65, 0x23848008, 0x05bab43e, 0x10f8441e,\n 0x4621efbe, 0xfa11fe12}},\n {{0x2cb19ffd, 0x1c891f2b, 0xb1923c23, 0x01ba8d5b, 0x8ac5ca8e, 0xb6d03d67,\n 0x1f13bedc, 0x586eb04c},\n {0x27e8ed09, 0x0c35c6e5, 0x1819ede2, 0x1e81a33c, 0x56c652fa, 0x278fd6c0,\n 0x70864f11, 0x19d5ac08}},\n {{0xd2b533d5, 0x62577734, 0xa1bdddc0, 0x673b8af6, 0xa79ec293, 0x577e7c9a,\n 0xc3b266b1, 0xbb6de651},\n {0xb65259b3, 0xe7e9303a, 0xd03a7480, 0xd6a0afd3, 0x9b3cfc27, 0xc5ac83d1,\n 0x5d18b99b, 0x60b4619a}},\n {{0x1ae5aa1c, 0xbd6a38e1, 0x49e73658, 0xb8b7652b, 0xee5f87ed, 0x0b130014,\n 0xaeebffcd, 0x9d0f27b2},\n {0x7a730a55, 0xca924631, 0xddbbc83a, 0x9c955b2f, 0xac019a71, 0x07c1dfe0,\n 0x356ec48d, 0x244a566d}},\n {{0xf4f8b16a, 0x56f8410e, 0xc47b266a, 0x97241afe, 0x6d9c87c1, 0x0a406b8e,\n 0xcd42ab1b, 0x803f3e02},\n {0x04dbec69, 0x7f0309a8, 0x3bbad05f, 0xa83b85f7, 0xad8e197f, 0xc6097273,\n 0x5067adc1, 0xc097440e}},\n {{0xc379ab34, 0x846a56f2, 0x841df8d1, 0xa8ee068b, 0x176c68ef, 0x20314459,\n 0x915f1f30, 0xf1af32d5},\n {0x5d75bd50, 0x99c37531, 0xf72f67bc, 0x837cffba, 0x48d7723f, 0x0613a418,\n 0xe2d41c8b, 0x23d0f130}},\n {{0xd5be5a2b, 0xed93e225, 0x5934f3c6, 0x6fe79983, 0x22626ffc, 0x43140926,\n 0x7990216a, 0x50bbb4d9},\n {0xe57ec63e, 0x378191c6, 0x181dcdb2, 0x65422c40, 0x0236e0f6, 0x41a8099b,\n 0x01fe49c3, 0x2b100118}},\n {{0x9b391593, 0xfc68b5c5, 0x598270fc, 0xc385f5a2, 0xd19adcbb, 0x7144f3aa,\n 0x83fbae0c, 0xdd558999},\n {0x74b82ff4, 0x93b88b8e, 0x71e734c9, 0xd2e03c40, 0x43c0322a, 0x9a7a9eaf,\n 0x149d6041, 0xe6e4c551}},\n {{0x80ec21fe, 0x5fe14bfe, 0xc255be82, 0xf6ce116a, 0x2f4a5d67, 0x98bc5a07,\n 0xdb7e63af, 0xfad27148},\n {0x29ab05b3, 0x90c0b6ac, 0x4e251ae6, 0x37a9a83c, 0xc2aade7d, 0x0a7dc875,\n 0x9f0e1a84, 0x77387de3}},\n {{0xa56c0dd7, 0x1e9ecc49, 0x46086c74, 0xa5cffcd8, 0xf505aece, 0x8f7a1408,\n 0xbef0c47e, 0xb37b85c0},\n {0xcc0e6a8f, 0x3596b6e4, 0x6b388f23, 0xfd6d4bbf, 0xc39cef4e, 0xaba453fa,\n 0xf9f628d5, 0x9c135ac8}},\n {{0x95c8f8be, 0x0a1c7294, 0x3bf362bf, 0x2961c480, 0xdf63d4ac, 0x9e418403,\n 0x91ece900, 0xc109f9cb},\n {0x58945705, 0xc2d095d0, 0xddeb85c0, 0xb9083d96, 0x7a40449b, 0x84692b8d,\n 0x2eee1ee1, 0x9bc3344f}},\n {{0x42913074, 0x0d5ae356, 0x48a542b1, 0x55491b27, 0xb310732a, 0x469ca665,\n 0x5f1a4cc1, 0x29591d52},\n {0xb84f983f, 0xe76f5b6b, 0x9f5f84e1, 0xbe7eef41, 0x80baa189, 0x1200d496,\n 0x18ef332c, 0x6376551f}}},\n {{{0x4147519a, 0x20288602, 0x26b372f0, 0xd0981eac, 0xa785ebc8, 0xa9d4a7ca,\n 0xdbdf58e9, 0xd953c50d},\n {0xfd590f8f, 0x9d6361cc, 0x44e6c917, 0x72e9626b, 0x22eb64cf, 0x7fd96110,\n 0x9eb288f3, 0x863ebb7e}},\n {{0xb0e63d34, 0x4fe7ee31, 0xa9e54fab, 0xf4600572, 0xd5e7b5a4, 0xc0493334,\n 0x06d54831, 0x8589fb92},\n {0x6583553a, 0xaa70f5cc, 0xe25649e5, 0x0879094a, 0x10044652, 0xcc904507,\n 0x02541c4f, 0xebb0696d}},\n {{0x3b89da99, 0xabbaa0c0, 0xb8284022, 0xa6f2d79e, 0xb81c05e8, 0x27847862,\n 0x05e54d63, 0x337a4b59},\n {0x21f7794a, 0x3c67500d, 0x7d6d7f61, 0x207005b7, 0x04cfd6e8, 0x0a5a3781,\n 0xf4c2fbd6, 0x0d65e0d5}},\n {{0x6d3549cf, 0xd433e50f, 0xfacd665e, 0x6f33696f, 0xce11fcb4, 0x695bfdac,\n 0xaf7c9860, 0x810ee252},\n {0x7159bb2c, 0x65450fe1, 0x758b357b, 0xf7dfbebe, 0xd69fea72, 0x2b057e74,\n 0x92731745, 0xd485717a}},\n {{0xe83f7669, 0xce1f69bb, 0x72877d6b, 0x09f8ae82, 0x3244278d, 0x9548ae54,\n 0xe3c2c19c, 0x207755de},\n {0x6fef1945, 0x87bd61d9, 0xb12d28c3, 0x18813cef, 0x72df64aa, 0x9fbcd1d6,\n 0x7154b00d, 0x48dc5ee5}},\n {{0xf49a3154, 0xef0f469e, 0x6e2b2e9a, 0x3e85a595, 0xaa924a9c, 0x45aaec1e,\n 0xa09e4719, 0xaa12dfc8},\n {0x4df69f1d, 0x26f27227, 0xa2ff5e73, 0xe0e4c82c, 0xb7a9dd44, 0xb9d8ce73,\n 0xe48ca901, 0x6c036e73}},\n {{0xa47153f0, 0xe1e421e1, 0x920418c9, 0xb86c3b79, 0x705d7672, 0x93bdce87,\n 0xcab79a77, 0xf25ae793},\n {0x6d869d0c, 0x1f3194a3, 0x4986c264, 0x9d55c882, 0x096e945e, 0x49fb5ea3,\n 0x13db0a3e, 0x39b8e653}},\n {{0x35d0b34a, 0xe3417bc0, 0x8327c0a7, 0x440b386b, 0xac0362d1, 0x8fb7262d,\n 0xe0cdf943, 0x2c41114c},\n {0xad95a0b1, 0x2ba5cef1, 0x67d54362, 0xc09b37a8, 0x01e486c9, 0x26d6cdd2,\n 0x42ff9297, 0x20477abf}},\n {{0xbc0a67d2, 0x0f121b41, 0x444d248a, 0x62d4760a, 0x659b4737, 0x0e044f1d,\n 0x250bb4a8, 0x08fde365},\n {0x848bf287, 0xaceec3da, 0xd3369d6e, 0xc2a62182, 0x92449482, 0x3582dfdc,\n 0x565d6cd7, 0x2f7e2fd2}},\n {{0x178a876b, 0x0a0122b5, 0x085104b4, 0x51ff96ff, 0x14f29f76, 0x050b31ab,\n 0x5f87d4e6, 0x84abb28b},\n {0x8270790a, 0xd5ed439f, 0x85e3f46b, 0x2d6cb59d, 0x6c1e2212, 0x75f55c1b,\n 0x17655640, 0xe5436f67}},\n {{0x9aeb596d, 0xc2965ecc, 0x023c92b4, 0x01ea03e7, 0x2e013961, 0x4704b4b6,\n 0x905ea367, 0x0ca8fd3f},\n {0x551b2b61, 0x92523a42, 0x390fcd06, 0x1eb7a89c, 0x0392a63e, 0xe7f1d2be,\n 0x4ddb0c33, 0x96dca264}},\n {{0x15339848, 0x231c210e, 0x70778c8d, 0xe87a28e8, 0x6956e170, 0x9d1de661,\n 0x2bb09c0b, 0x4ac3c938},\n {0x6998987d, 0x19be0551, 0xae09f4d6, 0x8b2376c4, 0x1a3f933d, 0x1de0b765,\n 0xe39705f4, 0x380d94c7}},\n {{0x8c31c31d, 0x3685954b, 0x5bf21a0c, 0x68533d00, 0x75c79ec9, 0x0bd7626e,\n 0x42c69d54, 0xca177547},\n {0xf6d2dbb2, 0xcc6edaff, 0x174a9d18, 0xfd0d8cbd, 0xaa4578e8, 0x875e8793,\n 0x9cab2ce6, 0xa976a713}},\n {{0xb43ea1db, 0xce37ab11, 0x5259d292, 0x0a7ff1a9, 0x8f84f186, 0x851b0221,\n 0xdefaad13, 0xa7222bea},\n {0x2b0a9144, 0xa2ac78ec, 0xf2fa59c5, 0x5a024051, 0x6147ce38, 0x91d1eca5,\n 0xbc2ac690, 0xbe94d523}},\n {{0x79ec1a0f, 0x2d8daefd, 0xceb39c97, 0x3bbcd6fd, 0x58f61a95, 0xf5575ffc,\n 0xadf7b420, 0xdbd986c4},\n {0x15f39eb7, 0x81aa8814, 0xb98d976c, 0x6ee2fcf5, 0xcf2f717d, 0x5465475d,\n 0x6860bbd0, 0x8e24d3c4}}}};\n#endif\n" }, { "path": "Sources/CNIOBoringSSL/crypto/fipsmodule/ec/scalar.cc.inc", "content": "/* Copyright 2018 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n#include \n#include \n#include \n\n#include \"../../internal.h\"\n#include \"../bn/internal.h\"\n#include \"internal.h\"\n\n\nint ec_bignum_to_scalar(const EC_GROUP *group, EC_SCALAR *out,\n const BIGNUM *in) {\n // Scalars, which are often secret, must be reduced modulo the order. Those\n // that are not will be discarded, so leaking the result of the comparison is\n // safe.\n if (!bn_copy_words(out->words, group->order.N.width, in) ||\n !constant_time_declassify_int(bn_less_than_words(\n out->words, group->order.N.d, group->order.N.width))) {\n OPENSSL_PUT_ERROR(EC, EC_R_INVALID_SCALAR);\n return 0;\n }\n return 1;\n}\n\nint ec_scalar_equal_vartime(const EC_GROUP *group, const EC_SCALAR *a,\n const EC_SCALAR *b) {\n return OPENSSL_memcmp(a->words, b->words,\n group->order.N.width * sizeof(BN_ULONG)) == 0;\n}\n\nint ec_scalar_is_zero(const EC_GROUP *group, const EC_SCALAR *a) {\n BN_ULONG mask = 0;\n for (int i = 0; i < group->order.N.width; i++) {\n mask |= a->words[i];\n }\n return mask == 0;\n}\n\nint ec_random_scalar(const EC_GROUP *group, EC_SCALAR *out,\n const uint8_t additional_data[32]) {\n return bn_rand_range_words(out->words, 0, group->order.N.d,\n group->order.N.width, additional_data);\n}\n\nint ec_random_nonzero_scalar(const EC_GROUP *group, EC_SCALAR *out,\n const uint8_t additional_data[32]) {\n return bn_rand_range_words(out->words, 1, group->order.N.d,\n group->order.N.width, additional_data);\n}\n\nvoid ec_scalar_to_bytes(const EC_GROUP *group, uint8_t *out, size_t *out_len,\n const EC_SCALAR *in) {\n size_t len = BN_num_bytes(&group->order.N);\n bn_words_to_big_endian(out, len, in->words, group->order.N.width);\n *out_len = len;\n}\n\nint ec_scalar_from_bytes(const EC_GROUP *group, EC_SCALAR *out,\n const uint8_t *in, size_t len) {\n if (len != BN_num_bytes(&group->order.N)) {\n OPENSSL_PUT_ERROR(EC, EC_R_INVALID_SCALAR);\n return 0;\n }\n\n bn_big_endian_to_words(out->words, group->order.N.width, in, len);\n\n if (!bn_less_than_words(out->words, group->order.N.d, group->order.N.width)) {\n OPENSSL_PUT_ERROR(EC, EC_R_INVALID_SCALAR);\n return 0;\n }\n\n return 1;\n}\n\nvoid ec_scalar_reduce(const EC_GROUP *group, EC_SCALAR *out,\n const BN_ULONG *words, size_t num) {\n // Convert \"from\" Montgomery form so the value is reduced modulo the order.\n bn_from_montgomery_small(out->words, group->order.N.width, words, num,\n &group->order);\n // Convert \"to\" Montgomery form to remove the R^-1 factor added.\n ec_scalar_to_montgomery(group, out, out);\n}\n\nvoid ec_scalar_add(const EC_GROUP *group, EC_SCALAR *r, const EC_SCALAR *a,\n const EC_SCALAR *b) {\n const BIGNUM *order = &group->order.N;\n BN_ULONG tmp[EC_MAX_WORDS];\n bn_mod_add_words(r->words, a->words, b->words, order->d, tmp, order->width);\n OPENSSL_cleanse(tmp, sizeof(tmp));\n}\n\nvoid ec_scalar_sub(const EC_GROUP *group, EC_SCALAR *r, const EC_SCALAR *a,\n const EC_SCALAR *b) {\n const BIGNUM *order = &group->order.N;\n BN_ULONG tmp[EC_MAX_WORDS];\n bn_mod_sub_words(r->words, a->words, b->words, order->d, tmp, order->width);\n OPENSSL_cleanse(tmp, sizeof(tmp));\n}\n\nvoid ec_scalar_neg(const EC_GROUP *group, EC_SCALAR *r, const EC_SCALAR *a) {\n EC_SCALAR zero;\n OPENSSL_memset(&zero, 0, sizeof(EC_SCALAR));\n ec_scalar_sub(group, r, &zero, a);\n}\n\nvoid ec_scalar_select(const EC_GROUP *group, EC_SCALAR *out, BN_ULONG mask,\n const EC_SCALAR *a, const EC_SCALAR *b) {\n const BIGNUM *order = &group->order.N;\n bn_select_words(out->words, mask, a->words, b->words, order->width);\n}\n\nvoid ec_scalar_to_montgomery(const EC_GROUP *group, EC_SCALAR *r,\n const EC_SCALAR *a) {\n const BIGNUM *order = &group->order.N;\n bn_to_montgomery_small(r->words, a->words, order->width, &group->order);\n}\n\nvoid ec_scalar_from_montgomery(const EC_GROUP *group, EC_SCALAR *r,\n const EC_SCALAR *a) {\n const BIGNUM *order = &group->order.N;\n bn_from_montgomery_small(r->words, order->width, a->words, order->width,\n &group->order);\n}\n\nvoid ec_scalar_mul_montgomery(const EC_GROUP *group, EC_SCALAR *r,\n const EC_SCALAR *a, const EC_SCALAR *b) {\n const BIGNUM *order = &group->order.N;\n bn_mod_mul_montgomery_small(r->words, a->words, b->words, order->width,\n &group->order);\n}\n\nvoid ec_simple_scalar_inv0_montgomery(const EC_GROUP *group, EC_SCALAR *r,\n const EC_SCALAR *a) {\n const BIGNUM *order = &group->order.N;\n bn_mod_inverse0_prime_mont_small(r->words, a->words, order->width,\n &group->order);\n}\n\nint ec_simple_scalar_to_montgomery_inv_vartime(const EC_GROUP *group,\n EC_SCALAR *r,\n const EC_SCALAR *a) {\n if (ec_scalar_is_zero(group, a)) {\n return 0;\n }\n\n // This implementation (in fact) runs in constant time,\n // even though for this interface it is not mandatory.\n\n // r = a^-1 in the Montgomery domain. This is\n // |ec_scalar_to_montgomery| followed by |ec_scalar_inv0_montgomery|, but\n // |ec_scalar_inv0_montgomery| followed by |ec_scalar_from_montgomery| is\n // equivalent and slightly more efficient.\n ec_scalar_inv0_montgomery(group, r, a);\n ec_scalar_from_montgomery(group, r, r);\n return 1;\n}\n\nvoid ec_scalar_inv0_montgomery(const EC_GROUP *group, EC_SCALAR *r,\n const EC_SCALAR *a) {\n group->meth->scalar_inv0_montgomery(group, r, a);\n}\n\nint ec_scalar_to_montgomery_inv_vartime(const EC_GROUP *group, EC_SCALAR *r,\n const EC_SCALAR *a) {\n return group->meth->scalar_to_montgomery_inv_vartime(group, r, a);\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/fipsmodule/ec/simple.cc.inc", "content": "/*\n * Copyright 2001-2016 The OpenSSL Project Authors. All Rights Reserved.\n * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n\n#include \n#include \n#include \n\n#include \"internal.h\"\n#include \"../../internal.h\"\n\n\n// Most method functions in this file are designed to work with non-trivial\n// representations of field elements if necessary (see ecp_mont.c): while\n// standard modular addition and subtraction are used, the field_mul and\n// field_sqr methods will be used for multiplication, and field_encode and\n// field_decode (if defined) will be used for converting between\n// representations.\n//\n// Functions here specifically assume that if a non-trivial representation is\n// used, it is a Montgomery representation (i.e. 'encoding' means multiplying\n// by some factor R).\n\nint ec_GFp_simple_group_set_curve(EC_GROUP *group, const BIGNUM *p,\n const BIGNUM *a, const BIGNUM *b,\n BN_CTX *ctx) {\n // p must be a prime > 3\n if (BN_num_bits(p) <= 2 || !BN_is_odd(p)) {\n OPENSSL_PUT_ERROR(EC, EC_R_INVALID_FIELD);\n return 0;\n }\n\n int ret = 0;\n BN_CTX_start(ctx);\n BIGNUM *tmp = BN_CTX_get(ctx);\n if (tmp == NULL) {\n goto err;\n }\n\n if (!BN_MONT_CTX_set(&group->field, p, ctx) ||\n !ec_bignum_to_felem(group, &group->a, a) ||\n !ec_bignum_to_felem(group, &group->b, b) ||\n // Reuse Z from the generator to cache the value one.\n !ec_bignum_to_felem(group, &group->generator.raw.Z, BN_value_one())) {\n goto err;\n }\n\n // group->a_is_minus3\n if (!BN_copy(tmp, a) ||\n !BN_add_word(tmp, 3)) {\n goto err;\n }\n group->a_is_minus3 = (0 == BN_cmp(tmp, &group->field.N));\n\n ret = 1;\n\nerr:\n BN_CTX_end(ctx);\n return ret;\n}\n\nint ec_GFp_simple_group_get_curve(const EC_GROUP *group, BIGNUM *p, BIGNUM *a,\n BIGNUM *b) {\n if ((p != NULL && !BN_copy(p, &group->field.N)) ||\n (a != NULL && !ec_felem_to_bignum(group, a, &group->a)) ||\n (b != NULL && !ec_felem_to_bignum(group, b, &group->b))) {\n return 0;\n }\n return 1;\n}\n\nvoid ec_GFp_simple_point_init(EC_JACOBIAN *point) {\n OPENSSL_memset(&point->X, 0, sizeof(EC_FELEM));\n OPENSSL_memset(&point->Y, 0, sizeof(EC_FELEM));\n OPENSSL_memset(&point->Z, 0, sizeof(EC_FELEM));\n}\n\nvoid ec_GFp_simple_point_copy(EC_JACOBIAN *dest, const EC_JACOBIAN *src) {\n OPENSSL_memcpy(&dest->X, &src->X, sizeof(EC_FELEM));\n OPENSSL_memcpy(&dest->Y, &src->Y, sizeof(EC_FELEM));\n OPENSSL_memcpy(&dest->Z, &src->Z, sizeof(EC_FELEM));\n}\n\nvoid ec_GFp_simple_point_set_to_infinity(const EC_GROUP *group,\n EC_JACOBIAN *point) {\n // Although it is strictly only necessary to zero Z, we zero the entire point\n // in case |point| was stack-allocated and yet to be initialized.\n ec_GFp_simple_point_init(point);\n}\n\nvoid ec_GFp_simple_invert(const EC_GROUP *group, EC_JACOBIAN *point) {\n ec_felem_neg(group, &point->Y, &point->Y);\n}\n\nint ec_GFp_simple_is_at_infinity(const EC_GROUP *group,\n const EC_JACOBIAN *point) {\n return ec_felem_non_zero_mask(group, &point->Z) == 0;\n}\n\nint ec_GFp_simple_is_on_curve(const EC_GROUP *group,\n const EC_JACOBIAN *point) {\n // We have a curve defined by a Weierstrass equation\n // y^2 = x^3 + a*x + b.\n // The point to consider is given in Jacobian projective coordinates\n // where (X, Y, Z) represents (x, y) = (X/Z^2, Y/Z^3).\n // Substituting this and multiplying by Z^6 transforms the above equation\n // into\n // Y^2 = X^3 + a*X*Z^4 + b*Z^6.\n // To test this, we add up the right-hand side in 'rh'.\n //\n // This function may be used when double-checking the secret result of a point\n // multiplication, so we proceed in constant-time.\n\n void (*const felem_mul)(const EC_GROUP *, EC_FELEM *r, const EC_FELEM *a,\n const EC_FELEM *b) = group->meth->felem_mul;\n void (*const felem_sqr)(const EC_GROUP *, EC_FELEM *r, const EC_FELEM *a) =\n group->meth->felem_sqr;\n\n // rh := X^2\n EC_FELEM rh;\n felem_sqr(group, &rh, &point->X);\n\n EC_FELEM tmp, Z4, Z6;\n felem_sqr(group, &tmp, &point->Z);\n felem_sqr(group, &Z4, &tmp);\n felem_mul(group, &Z6, &Z4, &tmp);\n\n // rh := rh + a*Z^4\n if (group->a_is_minus3) {\n ec_felem_add(group, &tmp, &Z4, &Z4);\n ec_felem_add(group, &tmp, &tmp, &Z4);\n ec_felem_sub(group, &rh, &rh, &tmp);\n } else {\n felem_mul(group, &tmp, &Z4, &group->a);\n ec_felem_add(group, &rh, &rh, &tmp);\n }\n\n // rh := (rh + a*Z^4)*X\n felem_mul(group, &rh, &rh, &point->X);\n\n // rh := rh + b*Z^6\n felem_mul(group, &tmp, &group->b, &Z6);\n ec_felem_add(group, &rh, &rh, &tmp);\n\n // 'lh' := Y^2\n felem_sqr(group, &tmp, &point->Y);\n\n ec_felem_sub(group, &tmp, &tmp, &rh);\n BN_ULONG not_equal = ec_felem_non_zero_mask(group, &tmp);\n\n // If Z = 0, the point is infinity, which is always on the curve.\n BN_ULONG not_infinity = ec_felem_non_zero_mask(group, &point->Z);\n\n return 1 & ~(not_infinity & not_equal);\n}\n\nint ec_GFp_simple_points_equal(const EC_GROUP *group, const EC_JACOBIAN *a,\n const EC_JACOBIAN *b) {\n // This function is implemented in constant-time for two reasons. First,\n // although EC points are usually public, their Jacobian Z coordinates may be\n // secret, or at least are not obviously public. Second, more complex\n // protocols will sometimes manipulate secret points.\n //\n // This does mean that we pay a 6M+2S Jacobian comparison when comparing two\n // publicly affine points costs no field operations at all. If needed, we can\n // restore this optimization by keeping better track of affine vs. Jacobian\n // forms. See https://crbug.com/boringssl/326.\n\n // If neither |a| or |b| is infinity, we have to decide whether\n // (X_a/Z_a^2, Y_a/Z_a^3) = (X_b/Z_b^2, Y_b/Z_b^3),\n // or equivalently, whether\n // (X_a*Z_b^2, Y_a*Z_b^3) = (X_b*Z_a^2, Y_b*Z_a^3).\n\n void (*const felem_mul)(const EC_GROUP *, EC_FELEM *r, const EC_FELEM *a,\n const EC_FELEM *b) = group->meth->felem_mul;\n void (*const felem_sqr)(const EC_GROUP *, EC_FELEM *r, const EC_FELEM *a) =\n group->meth->felem_sqr;\n\n EC_FELEM tmp1, tmp2, Za23, Zb23;\n felem_sqr(group, &Zb23, &b->Z); // Zb23 = Z_b^2\n felem_mul(group, &tmp1, &a->X, &Zb23); // tmp1 = X_a * Z_b^2\n felem_sqr(group, &Za23, &a->Z); // Za23 = Z_a^2\n felem_mul(group, &tmp2, &b->X, &Za23); // tmp2 = X_b * Z_a^2\n ec_felem_sub(group, &tmp1, &tmp1, &tmp2);\n const BN_ULONG x_not_equal = ec_felem_non_zero_mask(group, &tmp1);\n\n felem_mul(group, &Zb23, &Zb23, &b->Z); // Zb23 = Z_b^3\n felem_mul(group, &tmp1, &a->Y, &Zb23); // tmp1 = Y_a * Z_b^3\n felem_mul(group, &Za23, &Za23, &a->Z); // Za23 = Z_a^3\n felem_mul(group, &tmp2, &b->Y, &Za23); // tmp2 = Y_b * Z_a^3\n ec_felem_sub(group, &tmp1, &tmp1, &tmp2);\n const BN_ULONG y_not_equal = ec_felem_non_zero_mask(group, &tmp1);\n const BN_ULONG x_and_y_equal = ~(x_not_equal | y_not_equal);\n\n const BN_ULONG a_not_infinity = ec_felem_non_zero_mask(group, &a->Z);\n const BN_ULONG b_not_infinity = ec_felem_non_zero_mask(group, &b->Z);\n const BN_ULONG a_and_b_infinity = ~(a_not_infinity | b_not_infinity);\n\n const BN_ULONG equal =\n a_and_b_infinity | (a_not_infinity & b_not_infinity & x_and_y_equal);\n return equal & 1;\n}\n\nint ec_affine_jacobian_equal(const EC_GROUP *group, const EC_AFFINE *a,\n const EC_JACOBIAN *b) {\n // If |b| is not infinity, we have to decide whether\n // (X_a, Y_a) = (X_b/Z_b^2, Y_b/Z_b^3),\n // or equivalently, whether\n // (X_a*Z_b^2, Y_a*Z_b^3) = (X_b, Y_b).\n\n void (*const felem_mul)(const EC_GROUP *, EC_FELEM *r, const EC_FELEM *a,\n const EC_FELEM *b) = group->meth->felem_mul;\n void (*const felem_sqr)(const EC_GROUP *, EC_FELEM *r, const EC_FELEM *a) =\n group->meth->felem_sqr;\n\n EC_FELEM tmp, Zb2;\n felem_sqr(group, &Zb2, &b->Z); // Zb2 = Z_b^2\n felem_mul(group, &tmp, &a->X, &Zb2); // tmp = X_a * Z_b^2\n ec_felem_sub(group, &tmp, &tmp, &b->X);\n const BN_ULONG x_not_equal = ec_felem_non_zero_mask(group, &tmp);\n\n felem_mul(group, &tmp, &a->Y, &Zb2); // tmp = Y_a * Z_b^2\n felem_mul(group, &tmp, &tmp, &b->Z); // tmp = Y_a * Z_b^3\n ec_felem_sub(group, &tmp, &tmp, &b->Y);\n const BN_ULONG y_not_equal = ec_felem_non_zero_mask(group, &tmp);\n const BN_ULONG x_and_y_equal = ~(x_not_equal | y_not_equal);\n\n const BN_ULONG b_not_infinity = ec_felem_non_zero_mask(group, &b->Z);\n\n const BN_ULONG equal = b_not_infinity & x_and_y_equal;\n return equal & 1;\n}\n\nint ec_GFp_simple_cmp_x_coordinate(const EC_GROUP *group, const EC_JACOBIAN *p,\n const EC_SCALAR *r) {\n if (ec_GFp_simple_is_at_infinity(group, p)) {\n // |ec_get_x_coordinate_as_scalar| will check this internally, but this way\n // we do not push to the error queue.\n return 0;\n }\n\n EC_SCALAR x;\n return ec_get_x_coordinate_as_scalar(group, &x, p) &&\n ec_scalar_equal_vartime(group, &x, r);\n}\n\nvoid ec_GFp_simple_felem_to_bytes(const EC_GROUP *group, uint8_t *out,\n size_t *out_len, const EC_FELEM *in) {\n size_t len = BN_num_bytes(&group->field.N);\n bn_words_to_big_endian(out, len, in->words, group->field.N.width);\n *out_len = len;\n}\n\nint ec_GFp_simple_felem_from_bytes(const EC_GROUP *group, EC_FELEM *out,\n const uint8_t *in, size_t len) {\n if (len != BN_num_bytes(&group->field.N)) {\n OPENSSL_PUT_ERROR(EC, EC_R_DECODE_ERROR);\n return 0;\n }\n\n bn_big_endian_to_words(out->words, group->field.N.width, in, len);\n\n if (!bn_less_than_words(out->words, group->field.N.d, group->field.N.width)) {\n OPENSSL_PUT_ERROR(EC, EC_R_DECODE_ERROR);\n return 0;\n }\n\n return 1;\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/fipsmodule/ec/simple_mul.cc.inc", "content": "/* Copyright 2018 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n#include \n\n#include \n\n#include \"internal.h\"\n#include \"../bn/internal.h\"\n#include \"../../internal.h\"\n\n\nvoid ec_GFp_mont_mul(const EC_GROUP *group, EC_JACOBIAN *r,\n const EC_JACOBIAN *p, const EC_SCALAR *scalar) {\n // This is a generic implementation for uncommon curves that not do not\n // warrant a tuned one. It uses unsigned digits so that the doubling case in\n // |ec_GFp_mont_add| is always unreachable, erring on safety and simplicity.\n\n // Compute a table of the first 32 multiples of |p| (including infinity).\n EC_JACOBIAN precomp[32];\n ec_GFp_simple_point_set_to_infinity(group, &precomp[0]);\n ec_GFp_simple_point_copy(&precomp[1], p);\n for (size_t j = 2; j < OPENSSL_ARRAY_SIZE(precomp); j++) {\n if (j & 1) {\n ec_GFp_mont_add(group, &precomp[j], &precomp[1], &precomp[j - 1]);\n } else {\n ec_GFp_mont_dbl(group, &precomp[j], &precomp[j / 2]);\n }\n }\n\n // Divide bits in |scalar| into windows.\n unsigned bits = EC_GROUP_order_bits(group);\n int r_is_at_infinity = 1;\n for (unsigned i = bits - 1; i < bits; i--) {\n if (!r_is_at_infinity) {\n ec_GFp_mont_dbl(group, r, r);\n }\n if (i % 5 == 0) {\n // Compute the next window value.\n const size_t width = group->order.N.width;\n uint8_t window = bn_is_bit_set_words(scalar->words, width, i + 4) << 4;\n window |= bn_is_bit_set_words(scalar->words, width, i + 3) << 3;\n window |= bn_is_bit_set_words(scalar->words, width, i + 2) << 2;\n window |= bn_is_bit_set_words(scalar->words, width, i + 1) << 1;\n window |= bn_is_bit_set_words(scalar->words, width, i);\n\n // Select the entry in constant-time.\n EC_JACOBIAN tmp;\n OPENSSL_memset(&tmp, 0, sizeof(EC_JACOBIAN));\n for (size_t j = 0; j < OPENSSL_ARRAY_SIZE(precomp); j++) {\n BN_ULONG mask = constant_time_eq_w(j, window);\n ec_point_select(group, &tmp, mask, &precomp[j], &tmp);\n }\n\n if (r_is_at_infinity) {\n ec_GFp_simple_point_copy(r, &tmp);\n r_is_at_infinity = 0;\n } else {\n ec_GFp_mont_add(group, r, r, &tmp);\n }\n }\n }\n if (r_is_at_infinity) {\n ec_GFp_simple_point_set_to_infinity(group, r);\n }\n}\n\nvoid ec_GFp_mont_mul_base(const EC_GROUP *group, EC_JACOBIAN *r,\n const EC_SCALAR *scalar) {\n ec_GFp_mont_mul(group, r, &group->generator.raw, scalar);\n}\n\nstatic void ec_GFp_mont_batch_precomp(const EC_GROUP *group, EC_JACOBIAN *out,\n size_t num, const EC_JACOBIAN *p) {\n assert(num > 1);\n ec_GFp_simple_point_set_to_infinity(group, &out[0]);\n ec_GFp_simple_point_copy(&out[1], p);\n for (size_t j = 2; j < num; j++) {\n if (j & 1) {\n ec_GFp_mont_add(group, &out[j], &out[1], &out[j - 1]);\n } else {\n ec_GFp_mont_dbl(group, &out[j], &out[j / 2]);\n }\n }\n}\n\nstatic void ec_GFp_mont_batch_get_window(const EC_GROUP *group,\n EC_JACOBIAN *out,\n const EC_JACOBIAN precomp[17],\n const EC_SCALAR *scalar, unsigned i) {\n const size_t width = group->order.N.width;\n uint8_t window = bn_is_bit_set_words(scalar->words, width, i + 4) << 5;\n window |= bn_is_bit_set_words(scalar->words, width, i + 3) << 4;\n window |= bn_is_bit_set_words(scalar->words, width, i + 2) << 3;\n window |= bn_is_bit_set_words(scalar->words, width, i + 1) << 2;\n window |= bn_is_bit_set_words(scalar->words, width, i) << 1;\n if (i > 0) {\n window |= bn_is_bit_set_words(scalar->words, width, i - 1);\n }\n crypto_word_t sign, digit;\n ec_GFp_nistp_recode_scalar_bits(&sign, &digit, window);\n\n // Select the entry in constant-time.\n OPENSSL_memset(out, 0, sizeof(EC_JACOBIAN));\n for (size_t j = 0; j < 17; j++) {\n BN_ULONG mask = constant_time_eq_w(j, digit);\n ec_point_select(group, out, mask, &precomp[j], out);\n }\n\n // Negate if necessary.\n EC_FELEM neg_Y;\n ec_felem_neg(group, &neg_Y, &out->Y);\n crypto_word_t sign_mask = sign;\n sign_mask = 0u - sign_mask;\n ec_felem_select(group, &out->Y, sign_mask, &neg_Y, &out->Y);\n}\n\nvoid ec_GFp_mont_mul_batch(const EC_GROUP *group, EC_JACOBIAN *r,\n const EC_JACOBIAN *p0, const EC_SCALAR *scalar0,\n const EC_JACOBIAN *p1, const EC_SCALAR *scalar1,\n const EC_JACOBIAN *p2, const EC_SCALAR *scalar2) {\n EC_JACOBIAN precomp[3][17];\n ec_GFp_mont_batch_precomp(group, precomp[0], 17, p0);\n ec_GFp_mont_batch_precomp(group, precomp[1], 17, p1);\n if (p2 != NULL) {\n ec_GFp_mont_batch_precomp(group, precomp[2], 17, p2);\n }\n\n // Divide bits in |scalar| into windows.\n unsigned bits = EC_GROUP_order_bits(group);\n int r_is_at_infinity = 1;\n for (unsigned i = bits; i <= bits; i--) {\n if (!r_is_at_infinity) {\n ec_GFp_mont_dbl(group, r, r);\n }\n if (i % 5 == 0) {\n EC_JACOBIAN tmp;\n ec_GFp_mont_batch_get_window(group, &tmp, precomp[0], scalar0, i);\n if (r_is_at_infinity) {\n ec_GFp_simple_point_copy(r, &tmp);\n r_is_at_infinity = 0;\n } else {\n ec_GFp_mont_add(group, r, r, &tmp);\n }\n\n ec_GFp_mont_batch_get_window(group, &tmp, precomp[1], scalar1, i);\n ec_GFp_mont_add(group, r, r, &tmp);\n\n if (p2 != NULL) {\n ec_GFp_mont_batch_get_window(group, &tmp, precomp[2], scalar2, i);\n ec_GFp_mont_add(group, r, r, &tmp);\n }\n }\n }\n if (r_is_at_infinity) {\n ec_GFp_simple_point_set_to_infinity(group, r);\n }\n}\n\nstatic unsigned ec_GFp_mont_comb_stride(const EC_GROUP *group) {\n return (EC_GROUP_get_degree(group) + EC_MONT_PRECOMP_COMB_SIZE - 1) /\n EC_MONT_PRECOMP_COMB_SIZE;\n}\n\nint ec_GFp_mont_init_precomp(const EC_GROUP *group, EC_PRECOMP *out,\n const EC_JACOBIAN *p) {\n // comb[i - 1] stores the ith element of the comb. That is, if i is\n // b4 * 2^4 + b3 * 2^3 + ... + b0 * 2^0, it stores k * |p|, where k is\n // b4 * 2^(4*stride) + b3 * 2^(3*stride) + ... + b0 * 2^(0*stride). stride\n // here is |ec_GFp_mont_comb_stride|. We store at index i - 1 because the 0th\n // comb entry is always infinity.\n EC_JACOBIAN comb[(1 << EC_MONT_PRECOMP_COMB_SIZE) - 1];\n unsigned stride = ec_GFp_mont_comb_stride(group);\n\n // We compute the comb sequentially by the highest set bit. Initially, all\n // entries up to 2^0 are filled.\n comb[(1 << 0) - 1] = *p;\n for (unsigned i = 1; i < EC_MONT_PRECOMP_COMB_SIZE; i++) {\n // Compute entry 2^i by doubling the entry for 2^(i-1) |stride| times.\n unsigned bit = 1 << i;\n ec_GFp_mont_dbl(group, &comb[bit - 1], &comb[bit / 2 - 1]);\n for (unsigned j = 1; j < stride; j++) {\n ec_GFp_mont_dbl(group, &comb[bit - 1], &comb[bit - 1]);\n }\n // Compute entries from 2^i + 1 to 2^i + (2^i - 1) by adding entry 2^i to\n // a previous entry.\n for (unsigned j = 1; j < bit; j++) {\n ec_GFp_mont_add(group, &comb[bit + j - 1], &comb[bit - 1], &comb[j - 1]);\n }\n }\n\n // Store the comb in affine coordinates to shrink the table. (This reduces\n // cache pressure and makes the constant-time selects faster.)\n static_assert(OPENSSL_ARRAY_SIZE(comb) == OPENSSL_ARRAY_SIZE(out->comb),\n \"comb sizes did not match\");\n return ec_jacobian_to_affine_batch(group, out->comb, comb,\n OPENSSL_ARRAY_SIZE(comb));\n}\n\nstatic void ec_GFp_mont_get_comb_window(const EC_GROUP *group,\n EC_JACOBIAN *out,\n const EC_PRECOMP *precomp,\n const EC_SCALAR *scalar, unsigned i) {\n const size_t width = group->order.N.width;\n unsigned stride = ec_GFp_mont_comb_stride(group);\n // Select the bits corresponding to the comb shifted up by |i|.\n unsigned window = 0;\n for (unsigned j = 0; j < EC_MONT_PRECOMP_COMB_SIZE; j++) {\n window |= bn_is_bit_set_words(scalar->words, width, j * stride + i)\n << j;\n }\n\n // Select precomp->comb[window - 1]. If |window| is zero, |match| will always\n // be zero, which will leave |out| at infinity.\n OPENSSL_memset(out, 0, sizeof(EC_JACOBIAN));\n for (unsigned j = 0; j < OPENSSL_ARRAY_SIZE(precomp->comb); j++) {\n BN_ULONG match = constant_time_eq_w(window, j + 1);\n ec_felem_select(group, &out->X, match, &precomp->comb[j].X, &out->X);\n ec_felem_select(group, &out->Y, match, &precomp->comb[j].Y, &out->Y);\n }\n BN_ULONG is_infinity = constant_time_is_zero_w(window);\n ec_felem_select(group, &out->Z, is_infinity, &out->Z, ec_felem_one(group));\n}\n\nvoid ec_GFp_mont_mul_precomp(const EC_GROUP *group, EC_JACOBIAN *r,\n const EC_PRECOMP *p0, const EC_SCALAR *scalar0,\n const EC_PRECOMP *p1, const EC_SCALAR *scalar1,\n const EC_PRECOMP *p2, const EC_SCALAR *scalar2) {\n unsigned stride = ec_GFp_mont_comb_stride(group);\n int r_is_at_infinity = 1;\n for (unsigned i = stride - 1; i < stride; i--) {\n if (!r_is_at_infinity) {\n ec_GFp_mont_dbl(group, r, r);\n }\n\n EC_JACOBIAN tmp;\n ec_GFp_mont_get_comb_window(group, &tmp, p0, scalar0, i);\n if (r_is_at_infinity) {\n ec_GFp_simple_point_copy(r, &tmp);\n r_is_at_infinity = 0;\n } else {\n ec_GFp_mont_add(group, r, r, &tmp);\n }\n\n if (p1 != NULL) {\n ec_GFp_mont_get_comb_window(group, &tmp, p1, scalar1, i);\n ec_GFp_mont_add(group, r, r, &tmp);\n }\n\n if (p2 != NULL) {\n ec_GFp_mont_get_comb_window(group, &tmp, p2, scalar2, i);\n ec_GFp_mont_add(group, r, r, &tmp);\n }\n }\n if (r_is_at_infinity) {\n ec_GFp_simple_point_set_to_infinity(group, r);\n }\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/fipsmodule/ec/util.cc.inc", "content": "/* Copyright 2015 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n#include \n\n#include \n\n#include \"internal.h\"\n\n\n// This function looks at 5+1 scalar bits (5 current, 1 adjacent less\n// significant bit), and recodes them into a signed digit for use in fast point\n// multiplication: the use of signed rather than unsigned digits means that\n// fewer points need to be precomputed, given that point inversion is easy (a\n// precomputed point dP makes -dP available as well).\n//\n// BACKGROUND:\n//\n// Signed digits for multiplication were introduced by Booth (\"A signed binary\n// multiplication technique\", Quart. Journ. Mech. and Applied Math., vol. IV,\n// pt. 2 (1951), pp. 236-240), in that case for multiplication of integers.\n// Booth's original encoding did not generally improve the density of nonzero\n// digits over the binary representation, and was merely meant to simplify the\n// handling of signed factors given in two's complement; but it has since been\n// shown to be the basis of various signed-digit representations that do have\n// further advantages, including the wNAF, using the following general\n// approach:\n//\n// (1) Given a binary representation\n//\n// b_k ... b_2 b_1 b_0,\n//\n// of a nonnegative integer (b_k in {0, 1}), rewrite it in digits 0, 1, -1\n// by using bit-wise subtraction as follows:\n//\n// b_k b_(k-1) ... b_2 b_1 b_0\n// - b_k ... b_3 b_2 b_1 b_0\n// -----------------------------------------\n// s_(k+1) s_k ... s_3 s_2 s_1 s_0\n//\n// A left-shift followed by subtraction of the original value yields a new\n// representation of the same value, using signed bits s_i = b_(i-1) - b_i.\n// This representation from Booth's paper has since appeared in the\n// literature under a variety of different names including \"reversed binary\n// form\", \"alternating greedy expansion\", \"mutual opposite form\", and\n// \"sign-alternating {+-1}-representation\".\n//\n// An interesting property is that among the nonzero bits, values 1 and -1\n// strictly alternate.\n//\n// (2) Various window schemes can be applied to the Booth representation of\n// integers: for example, right-to-left sliding windows yield the wNAF\n// (a signed-digit encoding independently discovered by various researchers\n// in the 1990s), and left-to-right sliding windows yield a left-to-right\n// equivalent of the wNAF (independently discovered by various researchers\n// around 2004).\n//\n// To prevent leaking information through side channels in point multiplication,\n// we need to recode the given integer into a regular pattern: sliding windows\n// as in wNAFs won't do, we need their fixed-window equivalent -- which is a few\n// decades older: we'll be using the so-called \"modified Booth encoding\" due to\n// MacSorley (\"High-speed arithmetic in binary computers\", Proc. IRE, vol. 49\n// (1961), pp. 67-91), in a radix-2^5 setting. That is, we always combine five\n// signed bits into a signed digit:\n//\n// s_(5j + 4) s_(5j + 3) s_(5j + 2) s_(5j + 1) s_(5j)\n//\n// The sign-alternating property implies that the resulting digit values are\n// integers from -16 to 16.\n//\n// Of course, we don't actually need to compute the signed digits s_i as an\n// intermediate step (that's just a nice way to see how this scheme relates\n// to the wNAF): a direct computation obtains the recoded digit from the\n// six bits b_(5j + 4) ... b_(5j - 1).\n//\n// This function takes those six bits as an integer (0 .. 63), writing the\n// recoded digit to *sign (0 for positive, 1 for negative) and *digit (absolute\n// value, in the range 0 .. 16). Note that this integer essentially provides\n// the input bits \"shifted to the left\" by one position: for example, the input\n// to compute the least significant recoded digit, given that there's no bit\n// b_-1, has to be b_4 b_3 b_2 b_1 b_0 0.\n//\n// DOUBLING CASE:\n//\n// Point addition formulas for short Weierstrass curves are often incomplete.\n// Edge cases such as P + P or P + ∞ must be handled separately. This\n// complicates constant-time requirements. P + ∞ cannot be avoided (any window\n// may be zero) and is handled with constant-time selects. P + P (where P is not\n// ∞) usually is not. Instead, windowing strategies are chosen to avoid this\n// case. Whether this happens depends on the group order.\n//\n// Let w be the window width (in this function, w = 5). The non-trivial doubling\n// case in single-point scalar multiplication may occur if and only if the\n// 2^(w-1) bit of the group order is zero.\n//\n// Note the above only holds if the scalar is fully reduced and the group order\n// is a prime that is much larger than 2^w. It also only holds when windows\n// are applied from most significant to least significant, doubling between each\n// window. It does not apply to more complex table strategies such as\n// |EC_GFp_nistz256_method|.\n//\n// PROOF:\n//\n// Let n be the group order. Let l be the number of bits needed to represent n.\n// Assume there exists some 0 <= k < n such that signed w-bit windowed\n// multiplication hits the doubling case.\n//\n// Windowed multiplication consists of iterating over groups of s_i (defined\n// above based on k's binary representation) from most to least significant. At\n// iteration i (for i = ..., 3w, 2w, w, 0, starting from the most significant\n// window), we:\n//\n// 1. Double the accumulator A, w times. Let A_i be the value of A at this\n// point.\n//\n// 2. Set A to T_i + A_i, where T_i is a precomputed multiple of P\n// corresponding to the window s_(i+w-1) ... s_i.\n//\n// Let j be the index such that A_j = T_j ≠ ∞. Looking at A_i and T_i as\n// multiples of P, define a_i and t_i to be scalar coefficients of A_i and T_i.\n// Thus a_j = t_j ≠ 0 (mod n). Note a_i and t_i may not be reduced mod n. t_i is\n// the value of the w signed bits s_(i+w-1) ... s_i. a_i is computed as a_i =\n// 2^w * (a_(i+w) + t_(i+w)).\n//\n// t_i is bounded by -2^(w-1) <= t_i <= 2^(w-1). Additionally, we may write it\n// in terms of unsigned bits b_i. t_i consists of signed bits s_(i+w-1) ... s_i.\n// This is computed as:\n//\n// b_(i+w-2) b_(i+w-3) ... b_i b_(i-1)\n// - b_(i+w-1) b_(i+w-2) ... b_(i+1) b_i\n// --------------------------------------------\n// t_i = s_(i+w-1) s_(i+w-2) ... s_(i+1) s_i\n//\n// Observe that b_(i+w-2) through b_i occur in both terms. Let x be the integer\n// represented by that bit string, i.e. 2^(w-2)*b_(i+w-2) + ... + b_i.\n//\n// t_i = (2*x + b_(i-1)) - (2^(w-1)*b_(i+w-1) + x)\n// = x - 2^(w-1)*b_(i+w-1) + b_(i-1)\n//\n// Or, using C notation for bit operations:\n//\n// t_i = (k>>i) & ((1<<(w-1)) - 1) - (k>>i) & (1<<(w-1)) + (k>>(i-1)) & 1\n//\n// Note b_(i-1) is added in left-shifted by one (or doubled) from its place.\n// This is compensated by t_(i-w)'s subtraction term. Thus, a_i may be computed\n// by adding b_l b_(l-1) ... b_(i+1) b_i and an extra copy of b_(i-1). In C\n// notation, this is:\n//\n// a_i = (k>>(i+w)) << w + ((k>>(i+w-1)) & 1) << w\n//\n// Observe that, while t_i may be positive or negative, a_i is bounded by\n// 0 <= a_i < n + 2^w. Additionally, a_i can only be zero if b_(i+w-1) and up\n// are all zero. (Note this implies a non-trivial P + (-P) is unreachable for\n// all groups. That would imply the subsequent a_i is zero, which means all\n// terms thus far were zero.)\n//\n// Returning to our doubling position, we have a_j = t_j (mod n). We now\n// determine the value of a_j - t_j, which must be divisible by n. Our bounds on\n// a_j and t_j imply a_j - t_j is 0 or n. If it is 0, a_j = t_j. However, 2^w\n// divides a_j and -2^(w-1) <= t_j <= 2^(w-1), so this can only happen if\n// a_j = t_j = 0, which is a trivial doubling. Therefore, a_j - t_j = n.\n//\n// Now we determine j. Suppose j > 0. w divides j, so j >= w. Then,\n//\n// n = a_j - t_j = (k>>(j+w)) << w + ((k>>(j+w-1)) & 1) << w - t_j\n// <= k/2^j + 2^w - t_j\n// < n/2^w + 2^w + 2^(w-1)\n//\n// n is much larger than 2^w, so this is impossible. Thus, j = 0: only the final\n// addition may hit the doubling case.\n//\n// Finally, we consider bit patterns for n and k. Divide k into k_H + k_M + k_L\n// such that k_H is the contribution from b_(l-1) .. b_w, k_M is the\n// contribution from b_(w-1), and k_L is the contribution from b_(w-2) ... b_0.\n// That is:\n//\n// - 2^w divides k_H\n// - k_M is 0 or 2^(w-1)\n// - 0 <= k_L < 2^(w-1)\n//\n// Divide n into n_H + n_M + n_L similarly. We thus have:\n//\n// t_0 = (k>>0) & ((1<<(w-1)) - 1) - (k>>0) & (1<<(w-1)) + (k>>(0-1)) & 1\n// = k & ((1<<(w-1)) - 1) - k & (1<<(w-1))\n// = k_L - k_M\n//\n// a_0 = (k>>(0+w)) << w + ((k>>(0+w-1)) & 1) << w\n// = (k>>w) << w + ((k>>(w-1)) & 1) << w\n// = k_H + 2*k_M\n//\n// n = a_0 - t_0\n// n_H + n_M + n_L = (k_H + 2*k_M) - (k_L - k_M)\n// = k_H + 3*k_M - k_L\n//\n// k_H - k_L < k and k < n, so k_H - k_L ≠ n. Therefore k_M is not 0 and must be\n// 2^(w-1). Now we consider k_H and n_H. We know k_H <= n_H. Suppose k_H = n_H.\n// Then,\n//\n// n_M + n_L = 3*(2^(w-1)) - k_L\n// > 3*(2^(w-1)) - 2^(w-1)\n// = 2^w\n//\n// Contradiction (n_M + n_L is the bottom w bits of n). Thus k_H < n_H. Suppose\n// k_H < n_H - 2*2^w. Then,\n//\n// n_H + n_M + n_L = k_H + 3*(2^(w-1)) - k_L\n// < n_H - 2*2^w + 3*(2^(w-1)) - k_L\n// n_M + n_L < -2^(w-1) - k_L\n//\n// Contradiction. Thus, k_H = n_H - 2^w. (Note 2^w divides n_H and k_H.) Thus,\n//\n// n_H + n_M + n_L = k_H + 3*(2^(w-1)) - k_L\n// = n_H - 2^w + 3*(2^(w-1)) - k_L\n// n_M + n_L = 2^(w-1) - k_L\n// <= 2^(w-1)\n//\n// Equality would mean 2^(w-1) divides n, which is impossible if n is prime.\n// Thus n_M + n_L < 2^(w-1), so n_M is zero, proving our condition.\n//\n// This proof constructs k, so, to show the converse, let k_H = n_H - 2^w,\n// k_M = 2^(w-1), k_L = 2^(w-1) - n_L. This will result in a non-trivial point\n// doubling in the final addition and is the only such scalar.\n//\n// COMMON CURVES:\n//\n// The group orders for common curves end in the following bit patterns:\n//\n// P-521: ...00001001; w = 4 is okay\n// P-384: ...01110011; w = 2, 5, 6, 7 are okay\n// P-256: ...01010001; w = 5, 7 are okay\n// P-224: ...00111101; w = 3, 4, 5, 6 are okay\nvoid ec_GFp_nistp_recode_scalar_bits(crypto_word_t *sign, crypto_word_t *digit,\n crypto_word_t in) {\n crypto_word_t s, d;\n\n s = ~((in >> 5) - 1); /* sets all bits to MSB(in), 'in' seen as\n * 6-bit value */\n d = (1 << 6) - in - 1;\n d = (d & s) | (in & ~s);\n d = (d >> 1) + (d & 1);\n\n *sign = s & 1;\n *digit = d;\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/fipsmodule/ec/wnaf.cc.inc", "content": "/*\n * Copyright 2001-2016 The OpenSSL Project Authors. All Rights Reserved.\n * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n#include \n\n#include \n#include \n#include \n#include \n\n#include \"../../internal.h\"\n#include \"../bn/internal.h\"\n#include \"internal.h\"\n\n\n// This file implements the wNAF-based interleaving multi-exponentiation method\n// at:\n// http://link.springer.com/chapter/10.1007%2F3-540-45537-X_13\n// http://www.bmoeller.de/pdf/TI-01-08.multiexp.pdf\n\nvoid ec_compute_wNAF(const EC_GROUP *group, int8_t *out,\n const EC_SCALAR *scalar, size_t bits, int w) {\n // 'int8_t' can represent integers with absolute values less than 2^7.\n assert(0 < w && w <= 7);\n assert(bits != 0);\n int bit = 1 << w; // 2^w, at most 128\n int next_bit = bit << 1; // 2^(w+1), at most 256\n int mask = next_bit - 1; // at most 255\n\n int window_val = scalar->words[0] & mask;\n for (size_t j = 0; j < bits + 1; j++) {\n assert(0 <= window_val && window_val <= next_bit);\n int digit = 0;\n if (window_val & 1) {\n assert(0 < window_val && window_val < next_bit);\n if (window_val & bit) {\n digit = window_val - next_bit;\n // We know -next_bit < digit < 0 and window_val - digit = next_bit.\n\n // modified wNAF\n if (j + w + 1 >= bits) {\n // special case for generating modified wNAFs:\n // no new bits will be added into window_val,\n // so using a positive digit here will decrease\n // the total length of the representation\n\n digit = window_val & (mask >> 1);\n // We know 0 < digit < bit and window_val - digit = bit.\n }\n } else {\n digit = window_val;\n // We know 0 < digit < bit and window_val - digit = 0.\n }\n\n window_val -= digit;\n\n // Now window_val is 0 or 2^(w+1) in standard wNAF generation.\n // For modified window NAFs, it may also be 2^w.\n //\n // See the comments above for the derivation of each of these bounds.\n assert(window_val == 0 || window_val == next_bit || window_val == bit);\n assert(-bit < digit && digit < bit);\n\n // window_val was odd, so digit is also odd.\n assert(digit & 1);\n }\n\n out[j] = digit;\n\n // Incorporate the next bit. Previously, |window_val| <= |next_bit|, so if\n // we shift and add at most one copy of |bit|, this will continue to hold\n // afterwards.\n window_val >>= 1;\n window_val += bit * bn_is_bit_set_words(scalar->words, group->order.N.width,\n j + w + 1);\n assert(window_val <= next_bit);\n }\n\n // bits + 1 entries should be sufficient to consume all bits.\n assert(window_val == 0);\n}\n\n// compute_precomp sets |out[i]| to (2*i+1)*p, for i from 0 to |len|.\nstatic void compute_precomp(const EC_GROUP *group, EC_JACOBIAN *out,\n const EC_JACOBIAN *p, size_t len) {\n ec_GFp_simple_point_copy(&out[0], p);\n EC_JACOBIAN two_p;\n ec_GFp_mont_dbl(group, &two_p, p);\n for (size_t i = 1; i < len; i++) {\n ec_GFp_mont_add(group, &out[i], &out[i - 1], &two_p);\n }\n}\n\nstatic void lookup_precomp(const EC_GROUP *group, EC_JACOBIAN *out,\n const EC_JACOBIAN *precomp, int digit) {\n if (digit < 0) {\n digit = -digit;\n ec_GFp_simple_point_copy(out, &precomp[digit >> 1]);\n ec_GFp_simple_invert(group, out);\n } else {\n ec_GFp_simple_point_copy(out, &precomp[digit >> 1]);\n }\n}\n\n// EC_WNAF_WINDOW_BITS is the window size to use for |ec_GFp_mont_mul_public|.\n#define EC_WNAF_WINDOW_BITS 4\n\n// EC_WNAF_TABLE_SIZE is the table size to use for |ec_GFp_mont_mul_public|.\n#define EC_WNAF_TABLE_SIZE (1 << (EC_WNAF_WINDOW_BITS - 1))\n\n// EC_WNAF_STACK is the number of points worth of data to stack-allocate and\n// avoid a malloc.\n#define EC_WNAF_STACK 3\n\nint ec_GFp_mont_mul_public_batch(const EC_GROUP *group, EC_JACOBIAN *r,\n const EC_SCALAR *g_scalar,\n const EC_JACOBIAN *points,\n const EC_SCALAR *scalars, size_t num) {\n size_t bits = EC_GROUP_order_bits(group);\n size_t wNAF_len = bits + 1;\n\n // Stack-allocated space, which will be used if the task is small enough.\n int8_t wNAF_stack[EC_WNAF_STACK][EC_MAX_BYTES * 8 + 1];\n EC_JACOBIAN precomp_stack[EC_WNAF_STACK][EC_WNAF_TABLE_SIZE];\n\n // Allocated pointers, which will remain NULL unless needed.\n EC_JACOBIAN(*precomp_alloc)[EC_WNAF_TABLE_SIZE] = NULL;\n int8_t(*wNAF_alloc)[EC_MAX_BYTES * 8 + 1] = NULL;\n\n // These fields point either to the stack or heap buffers of the same name.\n int8_t(*wNAF)[EC_MAX_BYTES * 8 + 1];\n EC_JACOBIAN(*precomp)[EC_WNAF_TABLE_SIZE];\n\n if (num <= EC_WNAF_STACK) {\n wNAF = wNAF_stack;\n precomp = precomp_stack;\n } else {\n wNAF_alloc = reinterpret_cast(\n OPENSSL_calloc(num, sizeof(wNAF_alloc[0])));\n if (wNAF_alloc == NULL) {\n return 0;\n }\n precomp_alloc = reinterpret_cast(\n OPENSSL_calloc(num, sizeof(precomp_alloc[0])));\n if (precomp_alloc == NULL) {\n OPENSSL_free(wNAF_alloc);\n return 0;\n }\n\n wNAF = wNAF_alloc;\n precomp = precomp_alloc;\n }\n\n int8_t g_wNAF[EC_MAX_BYTES * 8 + 1];\n EC_JACOBIAN g_precomp[EC_WNAF_TABLE_SIZE];\n assert(wNAF_len <= OPENSSL_ARRAY_SIZE(g_wNAF));\n const EC_JACOBIAN *g = &group->generator.raw;\n if (g_scalar != NULL) {\n ec_compute_wNAF(group, g_wNAF, g_scalar, bits, EC_WNAF_WINDOW_BITS);\n compute_precomp(group, g_precomp, g, EC_WNAF_TABLE_SIZE);\n }\n\n for (size_t i = 0; i < num; i++) {\n assert(wNAF_len <= OPENSSL_ARRAY_SIZE(wNAF[i]));\n ec_compute_wNAF(group, wNAF[i], &scalars[i], bits, EC_WNAF_WINDOW_BITS);\n compute_precomp(group, precomp[i], &points[i], EC_WNAF_TABLE_SIZE);\n }\n\n EC_JACOBIAN tmp;\n int r_is_at_infinity = 1;\n for (size_t k = wNAF_len - 1; k < wNAF_len; k--) {\n if (!r_is_at_infinity) {\n ec_GFp_mont_dbl(group, r, r);\n }\n\n if (g_scalar != NULL && g_wNAF[k] != 0) {\n lookup_precomp(group, &tmp, g_precomp, g_wNAF[k]);\n if (r_is_at_infinity) {\n ec_GFp_simple_point_copy(r, &tmp);\n r_is_at_infinity = 0;\n } else {\n ec_GFp_mont_add(group, r, r, &tmp);\n }\n }\n\n for (size_t i = 0; i < num; i++) {\n if (wNAF[i][k] != 0) {\n lookup_precomp(group, &tmp, precomp[i], wNAF[i][k]);\n if (r_is_at_infinity) {\n ec_GFp_simple_point_copy(r, &tmp);\n r_is_at_infinity = 0;\n } else {\n ec_GFp_mont_add(group, r, r, &tmp);\n }\n }\n }\n }\n\n if (r_is_at_infinity) {\n ec_GFp_simple_point_set_to_infinity(group, r);\n }\n\n OPENSSL_free(wNAF_alloc);\n OPENSSL_free(precomp_alloc);\n return 1;\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/fipsmodule/ecdh/ecdh.cc.inc", "content": "/*\n * Copyright 2002-2016 The OpenSSL Project Authors. All Rights Reserved.\n * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n\n#include \n#include \n#include \n#include \n\n#include \"../../internal.h\"\n#include \"../ec/internal.h\"\n#include \"../service_indicator/internal.h\"\n\n\nint ECDH_compute_key_fips(uint8_t *out, size_t out_len, const EC_POINT *pub_key,\n const EC_KEY *priv_key) {\n boringssl_ensure_ecc_self_test();\n\n if (priv_key->priv_key == NULL) {\n OPENSSL_PUT_ERROR(ECDH, ECDH_R_NO_PRIVATE_VALUE);\n return 0;\n }\n const EC_SCALAR *const priv = &priv_key->priv_key->scalar;\n const EC_GROUP *const group = EC_KEY_get0_group(priv_key);\n if (EC_GROUP_cmp(group, pub_key->group, NULL) != 0) {\n OPENSSL_PUT_ERROR(EC, EC_R_INCOMPATIBLE_OBJECTS);\n return 0;\n }\n\n EC_JACOBIAN shared_point;\n uint8_t buf[EC_MAX_BYTES];\n size_t buflen;\n if (!ec_point_mul_scalar(group, &shared_point, &pub_key->raw, priv) ||\n !ec_get_x_coordinate_as_bytes(group, buf, &buflen, sizeof(buf),\n &shared_point)) {\n OPENSSL_PUT_ERROR(ECDH, ECDH_R_POINT_ARITHMETIC_FAILURE);\n return 0;\n }\n\n FIPS_service_indicator_lock_state();\n SHA256_CTX ctx;\n SHA512_CTX ctx_512;\n switch (out_len) {\n case SHA224_DIGEST_LENGTH:\n BCM_sha224_init(&ctx);\n BCM_sha224_update(&ctx, buf, buflen);\n BCM_sha224_final(out, &ctx);\n break;\n case SHA256_DIGEST_LENGTH:\n BCM_sha256_init(&ctx);\n BCM_sha256_update(&ctx, buf, buflen);\n BCM_sha256_final(out, &ctx);\n break;\n case SHA384_DIGEST_LENGTH:\n BCM_sha384_init(&ctx_512);\n BCM_sha384_update(&ctx_512, buf, buflen);\n BCM_sha384_final(out, &ctx_512);\n break;\n case SHA512_DIGEST_LENGTH:\n BCM_sha512_init(&ctx_512);\n BCM_sha512_update(&ctx_512, buf, buflen);\n BCM_sha512_final(out, &ctx_512);\n break;\n default:\n OPENSSL_PUT_ERROR(ECDH, ECDH_R_UNKNOWN_DIGEST_LENGTH);\n FIPS_service_indicator_unlock_state();\n return 0;\n }\n FIPS_service_indicator_unlock_state();\n\n ECDH_verify_service_indicator(priv_key);\n return 1;\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/fipsmodule/ecdsa/ecdsa.cc.inc", "content": "/*\n * Copyright 2002-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n#include \n\n#include \n#include \n#include \n\n#include \"../../internal.h\"\n#include \"../bn/internal.h\"\n#include \"../ec/internal.h\"\n#include \"../service_indicator/internal.h\"\n#include \"internal.h\"\n\n\n// digest_to_scalar interprets |digest_len| bytes from |digest| as a scalar for\n// ECDSA.\nstatic void digest_to_scalar(const EC_GROUP *group, EC_SCALAR *out,\n const uint8_t *digest, size_t digest_len) {\n const BIGNUM *order = EC_GROUP_get0_order(group);\n size_t num_bits = BN_num_bits(order);\n // Need to truncate digest if it is too long: first truncate whole bytes.\n size_t num_bytes = (num_bits + 7) / 8;\n if (digest_len > num_bytes) {\n digest_len = num_bytes;\n }\n bn_big_endian_to_words(out->words, order->width, digest, digest_len);\n\n // If it is still too long, truncate remaining bits with a shift.\n if (8 * digest_len > num_bits) {\n bn_rshift_words(out->words, out->words, 8 - (num_bits & 0x7), order->width);\n }\n\n // |out| now has the same bit width as |order|, but this only bounds by\n // 2*|order|. Subtract the order if out of range.\n //\n // Montgomery multiplication accepts the looser bounds, so this isn't strictly\n // necessary, but it is a cleaner abstraction and has no performance impact.\n BN_ULONG tmp[EC_MAX_WORDS];\n bn_reduce_once_in_place(out->words, 0 /* no carry */, order->d, tmp,\n order->width);\n}\n\nint ecdsa_verify_fixed_no_self_test(const uint8_t *digest, size_t digest_len,\n const uint8_t *sig, size_t sig_len,\n const EC_KEY *eckey) {\n const EC_GROUP *group = EC_KEY_get0_group(eckey);\n const EC_POINT *pub_key = EC_KEY_get0_public_key(eckey);\n if (group == NULL || pub_key == NULL || sig == NULL) {\n OPENSSL_PUT_ERROR(ECDSA, ECDSA_R_MISSING_PARAMETERS);\n return 0;\n }\n\n size_t scalar_len = BN_num_bytes(EC_GROUP_get0_order(group));\n EC_SCALAR r, s, u1, u2, s_inv_mont, m;\n if (sig_len != 2 * scalar_len ||\n !ec_scalar_from_bytes(group, &r, sig, scalar_len) ||\n ec_scalar_is_zero(group, &r) ||\n !ec_scalar_from_bytes(group, &s, sig + scalar_len, scalar_len) ||\n ec_scalar_is_zero(group, &s)) {\n OPENSSL_PUT_ERROR(ECDSA, ECDSA_R_BAD_SIGNATURE);\n return 0;\n }\n\n // s_inv_mont = s^-1 in the Montgomery domain.\n if (!ec_scalar_to_montgomery_inv_vartime(group, &s_inv_mont, &s)) {\n OPENSSL_PUT_ERROR(ECDSA, ERR_R_INTERNAL_ERROR);\n return 0;\n }\n\n // u1 = m * s^-1 mod order\n // u2 = r * s^-1 mod order\n //\n // |s_inv_mont| is in Montgomery form while |m| and |r| are not, so |u1| and\n // |u2| will be taken out of Montgomery form, as desired.\n digest_to_scalar(group, &m, digest, digest_len);\n ec_scalar_mul_montgomery(group, &u1, &m, &s_inv_mont);\n ec_scalar_mul_montgomery(group, &u2, &r, &s_inv_mont);\n\n EC_JACOBIAN point;\n if (!ec_point_mul_scalar_public(group, &point, &u1, &pub_key->raw, &u2)) {\n OPENSSL_PUT_ERROR(ECDSA, ERR_R_EC_LIB);\n return 0;\n }\n\n if (!ec_cmp_x_coordinate(group, &point, &r)) {\n OPENSSL_PUT_ERROR(ECDSA, ECDSA_R_BAD_SIGNATURE);\n return 0;\n }\n\n return 1;\n}\n\nint ecdsa_verify_fixed(const uint8_t *digest, size_t digest_len,\n const uint8_t *sig, size_t sig_len, const EC_KEY *key) {\n boringssl_ensure_ecc_self_test();\n\n return ecdsa_verify_fixed_no_self_test(digest, digest_len, sig, sig_len, key);\n}\n\nstatic int ecdsa_sign_impl(const EC_GROUP *group, int *out_retry, uint8_t *sig,\n size_t *out_sig_len, size_t max_sig_len,\n const EC_SCALAR *priv_key, const EC_SCALAR *k,\n const uint8_t *digest, size_t digest_len) {\n *out_retry = 0;\n\n // Check that the size of the group order is FIPS compliant (FIPS 186-4\n // B.5.2).\n const BIGNUM *order = EC_GROUP_get0_order(group);\n if (BN_num_bits(order) < 160) {\n OPENSSL_PUT_ERROR(EC, EC_R_INVALID_GROUP_ORDER);\n return 0;\n }\n\n size_t sig_len = 2 * BN_num_bytes(order);\n if (sig_len > max_sig_len) {\n OPENSSL_PUT_ERROR(EC, EC_R_BUFFER_TOO_SMALL);\n return 0;\n }\n\n // Compute r, the x-coordinate of k * generator.\n EC_JACOBIAN tmp_point;\n EC_SCALAR r;\n if (!ec_point_mul_scalar_base(group, &tmp_point, k) ||\n !ec_get_x_coordinate_as_scalar(group, &r, &tmp_point)) {\n return 0;\n }\n\n if (constant_time_declassify_int(ec_scalar_is_zero(group, &r))) {\n *out_retry = 1;\n return 0;\n }\n\n // s = priv_key * r. Note if only one parameter is in the Montgomery domain,\n // |ec_scalar_mod_mul_montgomery| will compute the answer in the normal\n // domain.\n EC_SCALAR s;\n ec_scalar_to_montgomery(group, &s, &r);\n ec_scalar_mul_montgomery(group, &s, priv_key, &s);\n\n // s = m + priv_key * r.\n EC_SCALAR tmp;\n digest_to_scalar(group, &tmp, digest, digest_len);\n ec_scalar_add(group, &s, &s, &tmp);\n\n // s = k^-1 * (m + priv_key * r). First, we compute k^-1 in the Montgomery\n // domain. This is |ec_scalar_to_montgomery| followed by\n // |ec_scalar_inv0_montgomery|, but |ec_scalar_inv0_montgomery| followed by\n // |ec_scalar_from_montgomery| is equivalent and slightly more efficient.\n // Then, as above, only one parameter is in the Montgomery domain, so the\n // result is in the normal domain. Finally, note k is non-zero (or computing r\n // would fail), so the inverse must exist.\n ec_scalar_inv0_montgomery(group, &tmp, k); // tmp = k^-1 R^2\n ec_scalar_from_montgomery(group, &tmp, &tmp); // tmp = k^-1 R\n ec_scalar_mul_montgomery(group, &s, &s, &tmp);\n if (constant_time_declassify_int(ec_scalar_is_zero(group, &s))) {\n *out_retry = 1;\n return 0;\n }\n\n CONSTTIME_DECLASSIFY(r.words, sizeof(r.words));\n CONSTTIME_DECLASSIFY(s.words, sizeof(r.words));\n size_t len;\n ec_scalar_to_bytes(group, sig, &len, &r);\n assert(len == sig_len / 2);\n ec_scalar_to_bytes(group, sig + len, &len, &s);\n assert(len == sig_len / 2);\n *out_sig_len = sig_len;\n return 1;\n}\n\nint ecdsa_sign_fixed_with_nonce_for_known_answer_test(\n const uint8_t *digest, size_t digest_len, uint8_t *sig, size_t *out_sig_len,\n size_t max_sig_len, const EC_KEY *eckey, const uint8_t *nonce,\n size_t nonce_len) {\n if (eckey->ecdsa_meth && eckey->ecdsa_meth->sign) {\n OPENSSL_PUT_ERROR(ECDSA, ECDSA_R_NOT_IMPLEMENTED);\n return 0;\n }\n\n const EC_GROUP *group = EC_KEY_get0_group(eckey);\n if (group == NULL || eckey->priv_key == NULL) {\n OPENSSL_PUT_ERROR(ECDSA, ERR_R_PASSED_NULL_PARAMETER);\n return 0;\n }\n const EC_SCALAR *priv_key = &eckey->priv_key->scalar;\n\n EC_SCALAR k;\n if (!ec_scalar_from_bytes(group, &k, nonce, nonce_len)) {\n return 0;\n }\n int retry_ignored;\n return ecdsa_sign_impl(group, &retry_ignored, sig, out_sig_len, max_sig_len,\n priv_key, &k, digest, digest_len);\n}\n\nint ecdsa_sign_fixed(const uint8_t *digest, size_t digest_len, uint8_t *sig,\n size_t *out_sig_len, size_t max_sig_len,\n const EC_KEY *eckey) {\n boringssl_ensure_ecc_self_test();\n\n if (eckey->ecdsa_meth && eckey->ecdsa_meth->sign) {\n OPENSSL_PUT_ERROR(ECDSA, ECDSA_R_NOT_IMPLEMENTED);\n return 0;\n }\n\n const EC_GROUP *group = EC_KEY_get0_group(eckey);\n if (group == NULL || eckey->priv_key == NULL) {\n OPENSSL_PUT_ERROR(ECDSA, ERR_R_PASSED_NULL_PARAMETER);\n return 0;\n }\n const BIGNUM *order = EC_GROUP_get0_order(group);\n const EC_SCALAR *priv_key = &eckey->priv_key->scalar;\n\n // Pass a SHA512 hash of the private key and digest as additional data\n // into the RBG. This is a hardening measure against entropy failure.\n static_assert(BCM_SHA512_DIGEST_LENGTH >= 32,\n \"additional_data is too large for SHA-512\");\n\n FIPS_service_indicator_lock_state();\n\n SHA512_CTX sha;\n uint8_t additional_data[BCM_SHA512_DIGEST_LENGTH];\n BCM_sha512_init(&sha);\n BCM_sha512_update(&sha, priv_key->words, order->width * sizeof(BN_ULONG));\n BCM_sha512_update(&sha, digest, digest_len);\n BCM_sha512_final(additional_data, &sha);\n\n // Cap iterations so callers who supply invalid values as custom groups do not\n // infinite loop. This does not impact valid parameters (e.g. those covered by\n // FIPS) because the probability of requiring even one retry is negligible,\n // let alone 32.\n static const int kMaxIterations = 32;\n int ret = 0;\n int iters = 0;\n for (;;) {\n EC_SCALAR k;\n if (!ec_random_nonzero_scalar(group, &k, additional_data)) {\n goto out;\n }\n\n // TODO(davidben): Move this inside |ec_random_nonzero_scalar| or lower, so\n // that all scalars we generate are, by default, secret.\n CONSTTIME_SECRET(k.words, sizeof(k.words));\n\n int retry;\n ret = ecdsa_sign_impl(group, &retry, sig, out_sig_len, max_sig_len,\n priv_key, &k, digest, digest_len);\n if (ret || !retry) {\n goto out;\n }\n\n iters++;\n if (iters > kMaxIterations) {\n OPENSSL_PUT_ERROR(ECDSA, ECDSA_R_TOO_MANY_ITERATIONS);\n goto out;\n }\n }\n\nout:\n FIPS_service_indicator_unlock_state();\n return ret;\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/fipsmodule/ecdsa/internal.h", "content": "/* Copyright 2021 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n#ifndef OPENSSL_HEADER_CRYPTO_FIPSMODULE_ECDSA_INTERNAL_H\n#define OPENSSL_HEADER_CRYPTO_FIPSMODULE_ECDSA_INTERNAL_H\n\n#include \n\n#include \"../ec/internal.h\"\n\n#if defined(__cplusplus)\nextern \"C\" {\n#endif\n\n\n// ECDSA_MAX_FIXED_LEN is the maximum length of an ECDSA signature in the\n// fixed-width, big-endian format from IEEE P1363.\n#define ECDSA_MAX_FIXED_LEN (2 * EC_MAX_BYTES)\n\n// ecdsa_sign_fixed behaves like |ECDSA_sign| but uses the fixed-width,\n// big-endian format from IEEE P1363.\nint ecdsa_sign_fixed(const uint8_t *digest, size_t digest_len, uint8_t *sig,\n size_t *out_sig_len, size_t max_sig_len,\n const EC_KEY *key);\n\n// ecdsa_sign_fixed_with_nonce_for_known_answer_test behaves like\n// |ecdsa_sign_fixed| but takes a caller-supplied nonce. This function is used\n// as part of known-answer tests in the FIPS module.\nint ecdsa_sign_fixed_with_nonce_for_known_answer_test(\n const uint8_t *digest, size_t digest_len, uint8_t *sig, size_t *out_sig_len,\n size_t max_sig_len, const EC_KEY *key, const uint8_t *nonce,\n size_t nonce_len);\n\n// ecdsa_verify_fixed behaves like |ECDSA_verify| but uses the fixed-width,\n// big-endian format from IEEE P1363.\nint ecdsa_verify_fixed(const uint8_t *digest, size_t digest_len,\n const uint8_t *sig, size_t sig_len, const EC_KEY *key);\n\n// ecdsa_verify_fixed_no_self_test behaves like ecdsa_verify_fixed, but doesn't\n// try to run the self-test first. This is for use in the self tests themselves,\n// to prevent an infinite loop.\nint ecdsa_verify_fixed_no_self_test(const uint8_t *digest, size_t digest_len,\n const uint8_t *sig, size_t sig_len,\n const EC_KEY *key);\n\n\n#if defined(__cplusplus)\n}\n#endif\n\n#endif // OPENSSL_HEADER_CRYPTO_FIPSMODULE_ECDSA_INTERNAL_H\n" }, { "path": "Sources/CNIOBoringSSL/crypto/fipsmodule/fips_shared_support.cc", "content": "/* Copyright 2019 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n#include \n\n\n#if defined(BORINGSSL_FIPS) && defined(BORINGSSL_SHARED_LIBRARY)\n// BORINGSSL_bcm_text_hash is is default hash value for the FIPS integrity check\n// that must be replaced with the real value during the build process. This\n// value need only be distinct, i.e. so that we can safely search-and-replace it\n// in an object file.\nextern const uint8_t BORINGSSL_bcm_text_hash[32] = {\n 0xae, 0x2c, 0xea, 0x2a, 0xbd, 0xa6, 0xf3, 0xec, 0x97, 0x7f, 0x9b,\n 0xf6, 0x94, 0x9a, 0xfc, 0x83, 0x68, 0x27, 0xcb, 0xa0, 0xa0, 0x9f,\n 0x6b, 0x6f, 0xde, 0x52, 0xcd, 0xe2, 0xcd, 0xff, 0x31, 0x80,\n};\n#endif // FIPS && SHARED_LIBRARY\n" }, { "path": "Sources/CNIOBoringSSL/crypto/fipsmodule/hkdf/hkdf.cc.inc", "content": "/* Copyright 2014 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n#include \n\n#include \n#include \n\n#include \n#include \n\n#include \"../../internal.h\"\n\n\nint HKDF(uint8_t *out_key, size_t out_len, const EVP_MD *digest,\n const uint8_t *secret, size_t secret_len, const uint8_t *salt,\n size_t salt_len, const uint8_t *info, size_t info_len) {\n // https://tools.ietf.org/html/rfc5869#section-2\n uint8_t prk[EVP_MAX_MD_SIZE];\n size_t prk_len;\n\n if (!HKDF_extract(prk, &prk_len, digest, secret, secret_len, salt,\n salt_len) ||\n !HKDF_expand(out_key, out_len, digest, prk, prk_len, info, info_len)) {\n return 0;\n }\n\n return 1;\n}\n\nint HKDF_extract(uint8_t *out_key, size_t *out_len, const EVP_MD *digest,\n const uint8_t *secret, size_t secret_len, const uint8_t *salt,\n size_t salt_len) {\n // https://tools.ietf.org/html/rfc5869#section-2.2\n\n // If salt is not given, HashLength zeros are used. However, HMAC does that\n // internally already so we can ignore it.\n unsigned len;\n if (HMAC(digest, salt, salt_len, secret, secret_len, out_key, &len) == NULL) {\n OPENSSL_PUT_ERROR(HKDF, ERR_R_HMAC_LIB);\n return 0;\n }\n *out_len = len;\n assert(*out_len == EVP_MD_size(digest));\n return 1;\n}\n\nint HKDF_expand(uint8_t *out_key, size_t out_len, const EVP_MD *digest,\n const uint8_t *prk, size_t prk_len, const uint8_t *info,\n size_t info_len) {\n // https://tools.ietf.org/html/rfc5869#section-2.3\n const size_t digest_len = EVP_MD_size(digest);\n uint8_t previous[EVP_MAX_MD_SIZE];\n size_t n, done = 0;\n unsigned i;\n int ret = 0;\n HMAC_CTX hmac;\n\n // Expand key material to desired length.\n n = (out_len + digest_len - 1) / digest_len;\n if (out_len + digest_len < out_len || n > 255) {\n OPENSSL_PUT_ERROR(HKDF, HKDF_R_OUTPUT_TOO_LARGE);\n return 0;\n }\n\n HMAC_CTX_init(&hmac);\n if (!HMAC_Init_ex(&hmac, prk, prk_len, digest, NULL)) {\n goto out;\n }\n\n for (i = 0; i < n; i++) {\n uint8_t ctr = i + 1;\n size_t todo;\n\n if (i != 0 && (!HMAC_Init_ex(&hmac, NULL, 0, NULL, NULL) ||\n !HMAC_Update(&hmac, previous, digest_len))) {\n goto out;\n }\n if (!HMAC_Update(&hmac, info, info_len) ||\n !HMAC_Update(&hmac, &ctr, 1) ||\n !HMAC_Final(&hmac, previous, NULL)) {\n goto out;\n }\n\n todo = digest_len;\n if (todo > out_len - done) {\n todo = out_len - done;\n }\n OPENSSL_memcpy(out_key + done, previous, todo);\n done += todo;\n }\n\n ret = 1;\n\nout:\n HMAC_CTX_cleanup(&hmac);\n if (ret != 1) {\n OPENSSL_PUT_ERROR(HKDF, ERR_R_HMAC_LIB);\n }\n return ret;\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/fipsmodule/hmac/hmac.cc.inc", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n#include \n\n#include \n#include \n\n#include \"../../internal.h\"\n#include \"../service_indicator/internal.h\"\n\n\nuint8_t *HMAC(const EVP_MD *evp_md, const void *key, size_t key_len,\n const uint8_t *data, size_t data_len, uint8_t *out,\n unsigned int *out_len) {\n HMAC_CTX ctx;\n HMAC_CTX_init(&ctx);\n\n // The underlying hash functions should not set the FIPS service indicator\n // until all operations have completed.\n FIPS_service_indicator_lock_state();\n const int ok = HMAC_Init_ex(&ctx, key, key_len, evp_md, NULL) &&\n HMAC_Update(&ctx, data, data_len) &&\n HMAC_Final(&ctx, out, out_len);\n FIPS_service_indicator_unlock_state();\n\n HMAC_CTX_cleanup(&ctx);\n\n if (!ok) {\n return NULL;\n }\n\n HMAC_verify_service_indicator(evp_md);\n return out;\n}\n\nvoid HMAC_CTX_init(HMAC_CTX *ctx) {\n ctx->md = NULL;\n EVP_MD_CTX_init(&ctx->i_ctx);\n EVP_MD_CTX_init(&ctx->o_ctx);\n EVP_MD_CTX_init(&ctx->md_ctx);\n}\n\nHMAC_CTX *HMAC_CTX_new(void) {\n HMAC_CTX *ctx =\n reinterpret_cast(OPENSSL_malloc(sizeof(HMAC_CTX)));\n if (ctx != NULL) {\n HMAC_CTX_init(ctx);\n }\n return ctx;\n}\n\nvoid HMAC_CTX_cleanup(HMAC_CTX *ctx) {\n EVP_MD_CTX_cleanup(&ctx->i_ctx);\n EVP_MD_CTX_cleanup(&ctx->o_ctx);\n EVP_MD_CTX_cleanup(&ctx->md_ctx);\n OPENSSL_cleanse(ctx, sizeof(HMAC_CTX));\n}\n\nvoid HMAC_CTX_cleanse(HMAC_CTX *ctx) {\n EVP_MD_CTX_cleanse(&ctx->i_ctx);\n EVP_MD_CTX_cleanse(&ctx->o_ctx);\n EVP_MD_CTX_cleanse(&ctx->md_ctx);\n OPENSSL_cleanse(ctx, sizeof(HMAC_CTX));\n}\n\nvoid HMAC_CTX_free(HMAC_CTX *ctx) {\n if (ctx == NULL) {\n return;\n }\n\n HMAC_CTX_cleanup(ctx);\n OPENSSL_free(ctx);\n}\n\nint HMAC_Init_ex(HMAC_CTX *ctx, const void *key, size_t key_len,\n const EVP_MD *md, ENGINE *impl) {\n int ret = 0;\n FIPS_service_indicator_lock_state();\n\n if (md == NULL) {\n md = ctx->md;\n }\n\n // If either |key| is non-NULL or |md| has changed, initialize with a new key\n // rather than rewinding the previous one.\n //\n // TODO(davidben,eroman): Passing the previous |md| with a NULL |key| is\n // ambiguous between using the empty key and reusing the previous key. There\n // exist callers which intend the latter, but the former is an awkward edge\n // case. Fix to API to avoid this.\n if (md != ctx->md || key != NULL) {\n uint8_t pad[EVP_MAX_MD_BLOCK_SIZE];\n uint8_t key_block[EVP_MAX_MD_BLOCK_SIZE];\n unsigned key_block_len;\n\n size_t block_size = EVP_MD_block_size(md);\n assert(block_size <= sizeof(key_block));\n assert(EVP_MD_size(md) <= block_size);\n if (block_size < key_len) {\n // Long keys are hashed.\n if (!EVP_DigestInit_ex(&ctx->md_ctx, md, impl) ||\n !EVP_DigestUpdate(&ctx->md_ctx, key, key_len) ||\n !EVP_DigestFinal_ex(&ctx->md_ctx, key_block, &key_block_len)) {\n goto out;\n }\n } else {\n assert(key_len <= sizeof(key_block));\n OPENSSL_memcpy(key_block, key, key_len);\n key_block_len = (unsigned)key_len;\n }\n // Keys are then padded with zeros.\n OPENSSL_memset(key_block + key_block_len, 0, block_size - key_block_len);\n\n for (size_t i = 0; i < block_size; i++) {\n pad[i] = 0x36 ^ key_block[i];\n }\n if (!EVP_DigestInit_ex(&ctx->i_ctx, md, impl) ||\n !EVP_DigestUpdate(&ctx->i_ctx, pad, block_size)) {\n goto out;\n }\n\n for (size_t i = 0; i < block_size; i++) {\n pad[i] = 0x5c ^ key_block[i];\n }\n if (!EVP_DigestInit_ex(&ctx->o_ctx, md, impl) ||\n !EVP_DigestUpdate(&ctx->o_ctx, pad, block_size)) {\n goto out;\n }\n\n ctx->md = md;\n }\n\n ret = EVP_MD_CTX_copy_ex(&ctx->md_ctx, &ctx->i_ctx);\n\nout:\n FIPS_service_indicator_unlock_state();\n return ret;\n}\n\nint HMAC_Update(HMAC_CTX *ctx, const uint8_t *data, size_t data_len) {\n return EVP_DigestUpdate(&ctx->md_ctx, data, data_len);\n}\n\nint HMAC_Final(HMAC_CTX *ctx, uint8_t *out, unsigned int *out_len) {\n int ret = 0;\n unsigned int i;\n uint8_t buf[EVP_MAX_MD_SIZE];\n\n FIPS_service_indicator_lock_state();\n // TODO(davidben): The only thing that can officially fail here is\n // |EVP_MD_CTX_copy_ex|, but even that should be impossible in this case.\n if (!EVP_DigestFinal_ex(&ctx->md_ctx, buf, &i) ||\n !EVP_MD_CTX_copy_ex(&ctx->md_ctx, &ctx->o_ctx) ||\n !EVP_DigestUpdate(&ctx->md_ctx, buf, i) ||\n !EVP_DigestFinal_ex(&ctx->md_ctx, out, out_len)) {\n *out_len = 0;\n goto out;\n }\n\n ret = 1;\n\nout:\n FIPS_service_indicator_unlock_state();\n if (ret) {\n HMAC_verify_service_indicator(ctx->md);\n }\n return ret;\n}\n\nsize_t HMAC_size(const HMAC_CTX *ctx) { return EVP_MD_size(ctx->md); }\n\nconst EVP_MD *HMAC_CTX_get_md(const HMAC_CTX *ctx) { return ctx->md; }\n\nint HMAC_CTX_copy_ex(HMAC_CTX *dest, const HMAC_CTX *src) {\n if (!EVP_MD_CTX_copy_ex(&dest->i_ctx, &src->i_ctx) ||\n !EVP_MD_CTX_copy_ex(&dest->o_ctx, &src->o_ctx) ||\n !EVP_MD_CTX_copy_ex(&dest->md_ctx, &src->md_ctx)) {\n return 0;\n }\n\n dest->md = src->md;\n return 1;\n}\n\nvoid HMAC_CTX_reset(HMAC_CTX *ctx) {\n HMAC_CTX_cleanup(ctx);\n HMAC_CTX_init(ctx);\n}\n\nint HMAC_Init(HMAC_CTX *ctx, const void *key, int key_len, const EVP_MD *md) {\n if (key && md) {\n HMAC_CTX_init(ctx);\n }\n return HMAC_Init_ex(ctx, key, key_len, md, NULL);\n}\n\nint HMAC_CTX_copy(HMAC_CTX *dest, const HMAC_CTX *src) {\n HMAC_CTX_init(dest);\n return HMAC_CTX_copy_ex(dest, src);\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/fipsmodule/keccak/internal.h", "content": "/* Copyright 2023 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n#ifndef OPENSSL_HEADER_CRYPTO_KECCAK_INTERNAL_H\n#define OPENSSL_HEADER_CRYPTO_KECCAK_INTERNAL_H\n\n#include \n\n#if defined(__cplusplus)\nextern \"C\" {\n#endif\n\n\nenum boringssl_keccak_config_t {\n boringssl_sha3_256,\n boringssl_sha3_512,\n boringssl_shake128,\n boringssl_shake256,\n};\n\nenum boringssl_keccak_phase_t {\n boringssl_keccak_phase_absorb,\n boringssl_keccak_phase_squeeze,\n};\n\nstruct BORINGSSL_keccak_st {\n enum boringssl_keccak_config_t config;\n enum boringssl_keccak_phase_t phase;\n uint64_t state[25];\n size_t rate_bytes;\n size_t absorb_offset;\n size_t squeeze_offset;\n};\n\n// BORINGSSL_keccak hashes |in_len| bytes from |in| and writes |out_len| bytes\n// of output to |out|. If the |config| specifies a fixed-output function, like\n// SHA3-256, then |out_len| must be the correct length for that function.\nOPENSSL_EXPORT void BORINGSSL_keccak(uint8_t *out, size_t out_len,\n const uint8_t *in, size_t in_len,\n enum boringssl_keccak_config_t config);\n\n// BORINGSSL_keccak_init prepares |ctx| for absorbing. The |config| must specify\n// a SHAKE variant, otherwise callers should use |BORINGSSL_keccak|.\nOPENSSL_EXPORT void BORINGSSL_keccak_init(\n struct BORINGSSL_keccak_st *ctx, enum boringssl_keccak_config_t config);\n\n// BORINGSSL_keccak_absorb absorbs |in_len| bytes from |in|.\nOPENSSL_EXPORT void BORINGSSL_keccak_absorb(struct BORINGSSL_keccak_st *ctx,\n const uint8_t *in, size_t in_len);\n\n// BORINGSSL_keccak_squeeze writes |out_len| bytes to |out| from |ctx|.\nOPENSSL_EXPORT void BORINGSSL_keccak_squeeze(struct BORINGSSL_keccak_st *ctx,\n uint8_t *out, size_t out_len);\n\n#if defined(__cplusplus)\n}\n#endif\n\n#endif // OPENSSL_HEADER_CRYPTO_KECCAK_INTERNAL_H\n" }, { "path": "Sources/CNIOBoringSSL/crypto/fipsmodule/keccak/keccak.cc.inc", "content": "/* Copyright 2023 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n#include \n\n#include \n#include \n\n#include \"../../internal.h\"\n#include \"./internal.h\"\n\n\n// keccak_f implements the Keccak-1600 permutation as described at\n// https://keccak.team/keccak_specs_summary.html. Each lane is represented as a\n// 64-bit value and the 5×5 lanes are stored as an array in row-major order.\nstatic void keccak_f(uint64_t state[25]) {\n static const int kNumRounds = 24;\n for (int round = 0; round < kNumRounds; round++) {\n // θ step\n uint64_t c[5];\n for (int x = 0; x < 5; x++) {\n c[x] = state[x] ^ state[x + 5] ^ state[x + 10] ^ state[x + 15] ^\n state[x + 20];\n }\n\n for (int x = 0; x < 5; x++) {\n const uint64_t d = c[(x + 4) % 5] ^ CRYPTO_rotl_u64(c[(x + 1) % 5], 1);\n for (int y = 0; y < 5; y++) {\n state[y * 5 + x] ^= d;\n }\n }\n\n // ρ and π steps.\n //\n // These steps involve a mapping of the state matrix. Each input point,\n // (x,y), is rotated and written to the point (y, 2x + 3y). In the Keccak\n // pseudo-code a separate array is used because an in-place operation would\n // overwrite some values that are subsequently needed. However, the mapping\n // forms a trail through 24 of the 25 values so we can do it in place with\n // only a single temporary variable.\n //\n // Start with (1, 0). The value here will be mapped and end up at (0, 2).\n // That value will end up at (2, 1), then (1, 2), and so on. After 24\n // steps, 24 of the 25 values have been hit (as this mapping is injective)\n // and the sequence will repeat. All that remains is to handle the element\n // at (0, 0), but the rotation for that element is zero, and it goes to (0,\n // 0), so we can ignore it.\n uint64_t prev_value = state[1];\n#define PI_RHO_STEP(index, rotation) \\\n do { \\\n const uint64_t value = CRYPTO_rotl_u64(prev_value, rotation); \\\n prev_value = state[index]; \\\n state[index] = value; \\\n } while (0)\n\n PI_RHO_STEP(10, 1);\n PI_RHO_STEP(7, 3);\n PI_RHO_STEP(11, 6);\n PI_RHO_STEP(17, 10);\n PI_RHO_STEP(18, 15);\n PI_RHO_STEP(3, 21);\n PI_RHO_STEP(5, 28);\n PI_RHO_STEP(16, 36);\n PI_RHO_STEP(8, 45);\n PI_RHO_STEP(21, 55);\n PI_RHO_STEP(24, 2);\n PI_RHO_STEP(4, 14);\n PI_RHO_STEP(15, 27);\n PI_RHO_STEP(23, 41);\n PI_RHO_STEP(19, 56);\n PI_RHO_STEP(13, 8);\n PI_RHO_STEP(12, 25);\n PI_RHO_STEP(2, 43);\n PI_RHO_STEP(20, 62);\n PI_RHO_STEP(14, 18);\n PI_RHO_STEP(22, 39);\n PI_RHO_STEP(9, 61);\n PI_RHO_STEP(6, 20);\n PI_RHO_STEP(1, 44);\n\n#undef PI_RHO_STEP\n\n // χ step\n for (int y = 0; y < 5; y++) {\n const int row_index = 5 * y;\n const uint64_t orig_x0 = state[row_index];\n const uint64_t orig_x1 = state[row_index + 1];\n state[row_index] ^= ~orig_x1 & state[row_index + 2];\n state[row_index + 1] ^= ~state[row_index + 2] & state[row_index + 3];\n state[row_index + 2] ^= ~state[row_index + 3] & state[row_index + 4];\n state[row_index + 3] ^= ~state[row_index + 4] & orig_x0;\n state[row_index + 4] ^= ~orig_x0 & orig_x1;\n }\n\n // ι step\n //\n // From https://keccak.team/files/Keccak-reference-3.0.pdf, section\n // 1.2, the round constants are based on the output of a LFSR. Thus, as\n // suggested in the appendix of of\n // https://keccak.team/keccak_specs_summary.html, the values are\n // simply encoded here.\n static const uint64_t kRoundConstants[24] = {\n 0x0000000000000001, 0x0000000000008082, 0x800000000000808a,\n 0x8000000080008000, 0x000000000000808b, 0x0000000080000001,\n 0x8000000080008081, 0x8000000000008009, 0x000000000000008a,\n 0x0000000000000088, 0x0000000080008009, 0x000000008000000a,\n 0x000000008000808b, 0x800000000000008b, 0x8000000000008089,\n 0x8000000000008003, 0x8000000000008002, 0x8000000000000080,\n 0x000000000000800a, 0x800000008000000a, 0x8000000080008081,\n 0x8000000000008080, 0x0000000080000001, 0x8000000080008008,\n };\n\n state[0] ^= kRoundConstants[round];\n }\n}\n\nstatic void keccak_init(struct BORINGSSL_keccak_st *ctx,\n size_t *out_required_out_len,\n enum boringssl_keccak_config_t config) {\n size_t capacity_bytes;\n switch (config) {\n case boringssl_sha3_256:\n capacity_bytes = 512 / 8;\n *out_required_out_len = 32;\n break;\n case boringssl_sha3_512:\n capacity_bytes = 1024 / 8;\n *out_required_out_len = 64;\n break;\n case boringssl_shake128:\n capacity_bytes = 256 / 8;\n *out_required_out_len = 0;\n break;\n case boringssl_shake256:\n capacity_bytes = 512 / 8;\n *out_required_out_len = 0;\n break;\n default:\n abort();\n }\n\n OPENSSL_memset(ctx, 0, sizeof(*ctx));\n ctx->config = config;\n ctx->phase = boringssl_keccak_phase_absorb;\n ctx->rate_bytes = 200 - capacity_bytes;\n assert(ctx->rate_bytes % 8 == 0);\n}\n\nvoid BORINGSSL_keccak(uint8_t *out, size_t out_len, const uint8_t *in,\n size_t in_len, enum boringssl_keccak_config_t config) {\n struct BORINGSSL_keccak_st ctx;\n size_t required_out_len;\n keccak_init(&ctx, &required_out_len, config);\n if (required_out_len != 0 && out_len != required_out_len) {\n abort();\n }\n BORINGSSL_keccak_absorb(&ctx, in, in_len);\n BORINGSSL_keccak_squeeze(&ctx, out, out_len);\n}\n\nvoid BORINGSSL_keccak_init(struct BORINGSSL_keccak_st *ctx,\n enum boringssl_keccak_config_t config) {\n size_t required_out_len;\n keccak_init(ctx, &required_out_len, config);\n if (required_out_len != 0) {\n abort();\n }\n}\n\nvoid BORINGSSL_keccak_absorb(struct BORINGSSL_keccak_st *ctx, const uint8_t *in,\n size_t in_len) {\n if (ctx->phase == boringssl_keccak_phase_squeeze) {\n // It's illegal to call absorb() again after calling squeeze().\n abort();\n }\n\n const size_t rate_words = ctx->rate_bytes / 8;\n // XOR the input. Accessing |ctx->state| as a |uint8_t*| is allowed by strict\n // aliasing because we require |uint8_t| to be a character type.\n uint8_t *state_bytes = (uint8_t *)ctx->state;\n\n // Absorb partial block.\n if (ctx->absorb_offset != 0) {\n assert(ctx->absorb_offset < ctx->rate_bytes);\n size_t first_block_len = ctx->rate_bytes - ctx->absorb_offset;\n for (size_t i = 0; i < first_block_len && i < in_len; i++) {\n state_bytes[ctx->absorb_offset + i] ^= in[i];\n }\n\n // This input didn't fill the block.\n if (first_block_len > in_len) {\n ctx->absorb_offset += in_len;\n return;\n }\n\n keccak_f(ctx->state);\n in += first_block_len;\n in_len -= first_block_len;\n }\n\n // Absorb full blocks.\n while (in_len >= ctx->rate_bytes) {\n for (size_t i = 0; i < rate_words; i++) {\n ctx->state[i] ^= CRYPTO_load_u64_le(in + 8 * i);\n }\n keccak_f(ctx->state);\n in += ctx->rate_bytes;\n in_len -= ctx->rate_bytes;\n }\n\n // Absorb partial block.\n assert(in_len < ctx->rate_bytes);\n for (size_t i = 0; i < in_len; i++) {\n state_bytes[i] ^= in[i];\n }\n ctx->absorb_offset = in_len;\n}\n\nstatic void keccak_finalize(struct BORINGSSL_keccak_st *ctx) {\n uint8_t terminator;\n switch (ctx->config) {\n case boringssl_sha3_256:\n case boringssl_sha3_512:\n terminator = 0x06;\n break;\n case boringssl_shake128:\n case boringssl_shake256:\n terminator = 0x1f;\n break;\n default:\n abort();\n }\n\n // XOR the terminator. Accessing |ctx->state| as a |uint8_t*| is allowed by\n // strict aliasing because we require |uint8_t| to be a character type.\n uint8_t *state_bytes = (uint8_t *)ctx->state;\n state_bytes[ctx->absorb_offset] ^= terminator;\n state_bytes[ctx->rate_bytes - 1] ^= 0x80;\n keccak_f(ctx->state);\n}\n\nvoid BORINGSSL_keccak_squeeze(struct BORINGSSL_keccak_st *ctx, uint8_t *out,\n size_t out_len) {\n if (ctx->phase == boringssl_keccak_phase_absorb) {\n keccak_finalize(ctx);\n ctx->phase = boringssl_keccak_phase_squeeze;\n }\n\n // Accessing |ctx->state| as a |uint8_t*| is allowed by strict aliasing\n // because we require |uint8_t| to be a character type.\n const uint8_t *state_bytes = (const uint8_t *)ctx->state;\n while (out_len) {\n if (ctx->squeeze_offset == ctx->rate_bytes) {\n keccak_f(ctx->state);\n ctx->squeeze_offset = 0;\n }\n\n size_t remaining = ctx->rate_bytes - ctx->squeeze_offset;\n size_t todo = out_len;\n if (todo > remaining) {\n todo = remaining;\n }\n OPENSSL_memcpy(out, &state_bytes[ctx->squeeze_offset], todo);\n out += todo;\n out_len -= todo;\n ctx->squeeze_offset += todo;\n }\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/fipsmodule/mldsa/mldsa.cc.inc", "content": "/* Copyright 2014 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n#include \n\n#include \n\n#include \n#include \n\n#include \n#include \n#include \n\n#include \"../../internal.h\"\n#include \"../bcm_interface.h\"\n#include \"../keccak/internal.h\"\n\nnamespace mldsa {\nnamespace {\n\nconstexpr int kDegree = 256;\nconstexpr int kRhoBytes = 32;\nconstexpr int kSigmaBytes = 64;\nconstexpr int kKBytes = 32;\nconstexpr int kTrBytes = 64;\nconstexpr int kMuBytes = 64;\nconstexpr int kRhoPrimeBytes = 64;\n\n// 2^23 - 2^13 + 1\nconstexpr uint32_t kPrime = 8380417;\n// Inverse of -kPrime modulo 2^32\nconstexpr uint32_t kPrimeNegInverse = 4236238847;\nconstexpr int kDroppedBits = 13;\nconstexpr uint32_t kHalfPrime = (kPrime - 1) / 2;\nconstexpr uint32_t kGamma2 = (kPrime - 1) / 32;\n// 256^-1 mod kPrime, in Montgomery form.\nconstexpr uint32_t kInverseDegreeMontgomery = 41978;\n\n// Constants that vary depending on ML-DSA size.\n//\n// These are implemented as templates which take the K parameter to distinguish\n// the ML-DSA sizes.\n\ntemplate \nconstexpr size_t public_key_bytes() {\n if constexpr (K == 6) {\n return BCM_MLDSA65_PUBLIC_KEY_BYTES;\n } else if constexpr (K == 8) {\n return BCM_MLDSA87_PUBLIC_KEY_BYTES;\n }\n}\n\ntemplate \nconstexpr size_t signature_bytes() {\n if constexpr (K == 6) {\n return BCM_MLDSA65_SIGNATURE_BYTES;\n } else if constexpr (K == 8) {\n return BCM_MLDSA87_SIGNATURE_BYTES;\n }\n}\n\ntemplate \nconstexpr int tau() {\n if constexpr (K == 6) {\n return 49;\n } else if constexpr (K == 8) {\n return 60;\n }\n}\n\ntemplate \nconstexpr int lambda_bytes() {\n if constexpr (K == 6) {\n return 192 / 8;\n } else if constexpr (K == 8) {\n return 256 / 8;\n }\n}\n\ntemplate \nconstexpr int gamma1() {\n if constexpr (K == 6 || K == 8) {\n return 1 << 19;\n }\n}\n\ntemplate \nconstexpr int beta() {\n if constexpr (K == 6) {\n return 196;\n } else if constexpr (K == 8) {\n return 120;\n }\n}\n\ntemplate \nconstexpr int omega() {\n if constexpr (K == 6) {\n return 55;\n } else if constexpr (K == 8) {\n return 75;\n }\n}\n\ntemplate \nconstexpr int eta() {\n if constexpr (K == 6) {\n return 4;\n } else if constexpr (K == 8) {\n return 2;\n }\n}\n\ntemplate \nconstexpr int plus_minus_eta_bitlen() {\n if constexpr (K == 6) {\n return 4;\n } else if constexpr (K == 8) {\n return 3;\n }\n}\n\n// Fundamental types.\n\ntypedef struct scalar {\n uint32_t c[kDegree];\n} scalar;\n\ntemplate \nstruct vector {\n scalar v[K];\n};\n\ntemplate \nstruct matrix {\n scalar v[K][L];\n};\n\n/* Arithmetic */\n\n// This bit of Python will be referenced in some of the following comments:\n//\n// q = 8380417\n// # Inverse of -q modulo 2^32\n// q_neg_inverse = 4236238847\n// # 2^64 modulo q\n// montgomery_square = 2365951\n//\n// def bitreverse(i):\n// ret = 0\n// for n in range(8):\n// bit = i & 1\n// ret <<= 1\n// ret |= bit\n// i >>= 1\n// return ret\n//\n// def montgomery_reduce(x):\n// a = (x * q_neg_inverse) % 2**32\n// b = x + a * q\n// assert b & 0xFFFF_FFFF == 0\n// c = b >> 32\n// assert c < q\n// return c\n//\n// def montgomery_transform(x):\n// return montgomery_reduce(x * montgomery_square)\n\n// kNTTRootsMontgomery = [\n// montgomery_transform(pow(1753, bitreverse(i), q)) for i in range(256)\n// ]\nstatic const uint32_t kNTTRootsMontgomery[256] = {\n 4193792, 25847, 5771523, 7861508, 237124, 7602457, 7504169, 466468,\n 1826347, 2353451, 8021166, 6288512, 3119733, 5495562, 3111497, 2680103,\n 2725464, 1024112, 7300517, 3585928, 7830929, 7260833, 2619752, 6271868,\n 6262231, 4520680, 6980856, 5102745, 1757237, 8360995, 4010497, 280005,\n 2706023, 95776, 3077325, 3530437, 6718724, 4788269, 5842901, 3915439,\n 4519302, 5336701, 3574422, 5512770, 3539968, 8079950, 2348700, 7841118,\n 6681150, 6736599, 3505694, 4558682, 3507263, 6239768, 6779997, 3699596,\n 811944, 531354, 954230, 3881043, 3900724, 5823537, 2071892, 5582638,\n 4450022, 6851714, 4702672, 5339162, 6927966, 3475950, 2176455, 6795196,\n 7122806, 1939314, 4296819, 7380215, 5190273, 5223087, 4747489, 126922,\n 3412210, 7396998, 2147896, 2715295, 5412772, 4686924, 7969390, 5903370,\n 7709315, 7151892, 8357436, 7072248, 7998430, 1349076, 1852771, 6949987,\n 5037034, 264944, 508951, 3097992, 44288, 7280319, 904516, 3958618,\n 4656075, 8371839, 1653064, 5130689, 2389356, 8169440, 759969, 7063561,\n 189548, 4827145, 3159746, 6529015, 5971092, 8202977, 1315589, 1341330,\n 1285669, 6795489, 7567685, 6940675, 5361315, 4499357, 4751448, 3839961,\n 2091667, 3407706, 2316500, 3817976, 5037939, 2244091, 5933984, 4817955,\n 266997, 2434439, 7144689, 3513181, 4860065, 4621053, 7183191, 5187039,\n 900702, 1859098, 909542, 819034, 495491, 6767243, 8337157, 7857917,\n 7725090, 5257975, 2031748, 3207046, 4823422, 7855319, 7611795, 4784579,\n 342297, 286988, 5942594, 4108315, 3437287, 5038140, 1735879, 203044,\n 2842341, 2691481, 5790267, 1265009, 4055324, 1247620, 2486353, 1595974,\n 4613401, 1250494, 2635921, 4832145, 5386378, 1869119, 1903435, 7329447,\n 7047359, 1237275, 5062207, 6950192, 7929317, 1312455, 3306115, 6417775,\n 7100756, 1917081, 5834105, 7005614, 1500165, 777191, 2235880, 3406031,\n 7838005, 5548557, 6709241, 6533464, 5796124, 4656147, 594136, 4603424,\n 6366809, 2432395, 2454455, 8215696, 1957272, 3369112, 185531, 7173032,\n 5196991, 162844, 1616392, 3014001, 810149, 1652634, 4686184, 6581310,\n 5341501, 3523897, 3866901, 269760, 2213111, 7404533, 1717735, 472078,\n 7953734, 1723600, 6577327, 1910376, 6712985, 7276084, 8119771, 4546524,\n 5441381, 6144432, 7959518, 6094090, 183443, 7403526, 1612842, 4834730,\n 7826001, 3919660, 8332111, 7018208, 3937738, 1400424, 7534263, 1976782};\n\n// Reduces x mod kPrime in constant time, where 0 <= x < 2*kPrime.\nuint32_t reduce_once(uint32_t x) {\n declassify_assert(x < 2 * kPrime);\n // return x < kPrime ? x : x - kPrime;\n return constant_time_select_int(constant_time_lt_w(x, kPrime), x, x - kPrime);\n}\n\n// Returns the absolute value in constant time.\nuint32_t abs_signed(uint32_t x) {\n // return is_positive(x) ? x : -x;\n // Note: MSVC doesn't like applying the unary minus operator to unsigned types\n // (warning C4146), so we write the negation as a bitwise not plus one\n // (assuming two's complement representation).\n return constant_time_select_int(constant_time_lt_w(x, 0x80000000), x, 0u - x);\n}\n\n// Returns the absolute value modulo kPrime.\nuint32_t abs_mod_prime(uint32_t x) {\n declassify_assert(x < kPrime);\n // return x > kHalfPrime ? kPrime - x : x;\n return constant_time_select_int(constant_time_lt_w(kHalfPrime, x), kPrime - x,\n x);\n}\n\n// Returns the maximum of two values in constant time.\nuint32_t maximum(uint32_t x, uint32_t y) {\n // return x < y ? y : x;\n return constant_time_select_int(constant_time_lt_w(x, y), y, x);\n}\n\nuint32_t mod_sub(uint32_t a, uint32_t b) {\n declassify_assert(a < kPrime);\n declassify_assert(b < kPrime);\n return reduce_once(kPrime + a - b);\n}\n\nvoid scalar_add(scalar *out, const scalar *lhs, const scalar *rhs) {\n for (int i = 0; i < kDegree; i++) {\n out->c[i] = reduce_once(lhs->c[i] + rhs->c[i]);\n }\n}\n\nvoid scalar_sub(scalar *out, const scalar *lhs, const scalar *rhs) {\n for (int i = 0; i < kDegree; i++) {\n out->c[i] = mod_sub(lhs->c[i], rhs->c[i]);\n }\n}\n\nuint32_t reduce_montgomery(uint64_t x) {\n declassify_assert(x <= ((uint64_t)kPrime << 32));\n uint64_t a = (uint32_t)x * kPrimeNegInverse;\n uint64_t b = x + a * kPrime;\n declassify_assert((b & 0xffffffff) == 0);\n uint32_t c = b >> 32;\n return reduce_once(c);\n}\n\n// Multiply two scalars in the number theoretically transformed state.\nvoid scalar_mult(scalar *out, const scalar *lhs, const scalar *rhs) {\n for (int i = 0; i < kDegree; i++) {\n out->c[i] = reduce_montgomery((uint64_t)lhs->c[i] * (uint64_t)rhs->c[i]);\n }\n}\n\n// In place number theoretic transform of a given scalar.\n//\n// FIPS 204, Algorithm 41 (`NTT`).\nstatic void scalar_ntt(scalar *s) {\n // Step: 1, 2, 4, 8, ..., 128\n // Offset: 128, 64, 32, 16, ..., 1\n int offset = kDegree;\n for (int step = 1; step < kDegree; step <<= 1) {\n offset >>= 1;\n int k = 0;\n for (int i = 0; i < step; i++) {\n assert(k == 2 * offset * i);\n const uint32_t step_root = kNTTRootsMontgomery[step + i];\n for (int j = k; j < k + offset; j++) {\n uint32_t even = s->c[j];\n // |reduce_montgomery| works on values up to kPrime*R and R > 2*kPrime.\n // |step_root| < kPrime because it's static data. |s->c[...]| is <\n // kPrime by the invariants of that struct.\n uint32_t odd =\n reduce_montgomery((uint64_t)step_root * (uint64_t)s->c[j + offset]);\n s->c[j] = reduce_once(odd + even);\n s->c[j + offset] = mod_sub(even, odd);\n }\n k += 2 * offset;\n }\n }\n}\n\n// In place inverse number theoretic transform of a given scalar.\n//\n// FIPS 204, Algorithm 42 (`NTT^-1`).\nvoid scalar_inverse_ntt(scalar *s) {\n // Step: 128, 64, 32, 16, ..., 1\n // Offset: 1, 2, 4, 8, ..., 128\n int step = kDegree;\n for (int offset = 1; offset < kDegree; offset <<= 1) {\n step >>= 1;\n int k = 0;\n for (int i = 0; i < step; i++) {\n assert(k == 2 * offset * i);\n const uint32_t step_root =\n kPrime - kNTTRootsMontgomery[step + (step - 1 - i)];\n for (int j = k; j < k + offset; j++) {\n uint32_t even = s->c[j];\n uint32_t odd = s->c[j + offset];\n s->c[j] = reduce_once(odd + even);\n\n // |reduce_montgomery| works on values up to kPrime*R and R > 2*kPrime.\n // kPrime + even < 2*kPrime because |even| < kPrime, by the invariants\n // of that structure. Thus kPrime + even - odd < 2*kPrime because odd >=\n // 0, because it's unsigned and less than kPrime. Lastly step_root <\n // kPrime, because |kNTTRootsMontgomery| is static data.\n s->c[j + offset] = reduce_montgomery((uint64_t)step_root *\n (uint64_t)(kPrime + even - odd));\n }\n k += 2 * offset;\n }\n }\n for (int i = 0; i < kDegree; i++) {\n s->c[i] = reduce_montgomery((uint64_t)s->c[i] *\n (uint64_t)kInverseDegreeMontgomery);\n }\n}\n\ntemplate \nvoid vector_zero(vector *out) {\n OPENSSL_memset(out, 0, sizeof(*out));\n}\n\ntemplate \nvoid vector_add(vector *out, const vector *lhs, const vector *rhs) {\n for (int i = 0; i < X; i++) {\n scalar_add(&out->v[i], &lhs->v[i], &rhs->v[i]);\n }\n}\n\ntemplate \nvoid vector_sub(vector *out, const vector *lhs, const vector *rhs) {\n for (int i = 0; i < X; i++) {\n scalar_sub(&out->v[i], &lhs->v[i], &rhs->v[i]);\n }\n}\n\ntemplate \nvoid vector_mult_scalar(vector *out, const vector *lhs,\n const scalar *rhs) {\n for (int i = 0; i < X; i++) {\n scalar_mult(&out->v[i], &lhs->v[i], rhs);\n }\n}\n\ntemplate \nvoid vector_ntt(vector *a) {\n for (int i = 0; i < X; i++) {\n scalar_ntt(&a->v[i]);\n }\n}\n\ntemplate \nvoid vector_inverse_ntt(vector *a) {\n for (int i = 0; i < X; i++) {\n scalar_inverse_ntt(&a->v[i]);\n }\n}\n\ntemplate \nvoid matrix_mult(vector *out, const matrix *m, const vector *a) {\n vector_zero(out);\n for (int i = 0; i < K; i++) {\n for (int j = 0; j < L; j++) {\n scalar product;\n scalar_mult(&product, &m->v[i][j], &a->v[j]);\n scalar_add(&out->v[i], &out->v[i], &product);\n }\n }\n}\n\n/* Rounding & hints */\n\n// FIPS 204, Algorithm 35 (`Power2Round`).\nvoid power2_round(uint32_t *r1, uint32_t *r0, uint32_t r) {\n *r1 = r >> kDroppedBits;\n *r0 = r - (*r1 << kDroppedBits);\n\n uint32_t r0_adjusted = mod_sub(*r0, 1 << kDroppedBits);\n uint32_t r1_adjusted = *r1 + 1;\n\n // Mask is set iff r0 > 2^(dropped_bits - 1).\n crypto_word_t mask =\n constant_time_lt_w((uint32_t)(1 << (kDroppedBits - 1)), *r0);\n // r0 = mask ? r0_adjusted : r0\n *r0 = constant_time_select_int(mask, r0_adjusted, *r0);\n // r1 = mask ? r1_adjusted : r1\n *r1 = constant_time_select_int(mask, r1_adjusted, *r1);\n}\n\n// Scale back previously rounded value.\nvoid scale_power2_round(uint32_t *out, uint32_t r1) {\n // Pre-condition: 0 <= r1 <= 2^10 - 1\n assert(r1 < (1u << 10));\n\n *out = r1 << kDroppedBits;\n\n // Post-condition: 0 <= out <= 2^23 - 2^13 = kPrime - 1\n assert(*out < kPrime);\n}\n\n// FIPS 204, Algorithm 37 (`HighBits`).\nuint32_t high_bits(uint32_t x) {\n // Reference description (given 0 <= x < q):\n //\n // ```\n // int32_t r0 = x mod+- (2 * kGamma2);\n // if (x - r0 == q - 1) {\n // return 0;\n // } else {\n // return (x - r0) / (2 * kGamma2);\n // }\n // ```\n //\n // Below is the formula taken from the reference implementation.\n //\n // Here, kGamma2 == 2^18 - 2^8\n // This returns ((ceil(x / 2^7) * (2^10 + 1) + 2^21) / 2^22) mod 2^4\n uint32_t r1 = (x + 127) >> 7;\n r1 = (r1 * 1025 + (1 << 21)) >> 22;\n r1 &= 15;\n return r1;\n}\n\n// FIPS 204, Algorithm 36 (`Decompose`).\nvoid decompose(uint32_t *r1, int32_t *r0, uint32_t r) {\n *r1 = high_bits(r);\n\n *r0 = r;\n *r0 -= *r1 * 2 * (int32_t)kGamma2;\n *r0 -= (((int32_t)kHalfPrime - *r0) >> 31) & (int32_t)kPrime;\n}\n\n// FIPS 204, Algorithm 38 (`LowBits`).\nint32_t low_bits(uint32_t x) {\n uint32_t r1;\n int32_t r0;\n decompose(&r1, &r0, x);\n return r0;\n}\n\n// FIPS 204, Algorithm 39 (`MakeHint`).\n//\n// In the spec this takes two arguments, z and r, and is called with\n// z = -ct0\n// r = w - cs2 + ct0\n//\n// It then computes HighBits (algorithm 37) of z and z+r. But z+r is just w -\n// cs2, so this takes three arguments and saves an addition.\nint32_t make_hint(uint32_t ct0, uint32_t cs2, uint32_t w) {\n uint32_t r_plus_z = mod_sub(w, cs2);\n uint32_t r = reduce_once(r_plus_z + ct0);\n return high_bits(r) != high_bits(r_plus_z);\n}\n\n// FIPS 204, Algorithm 40 (`UseHint`).\nuint32_t use_hint_vartime(uint32_t h, uint32_t r) {\n uint32_t r1;\n int32_t r0;\n decompose(&r1, &r0, r);\n\n if (h) {\n if (r0 > 0) {\n // m = 16, thus |mod m| in the spec turns into |& 15|.\n return (r1 + 1) & 15;\n } else {\n return (r1 - 1) & 15;\n }\n }\n return r1;\n}\n\nvoid scalar_power2_round(scalar *s1, scalar *s0, const scalar *s) {\n for (int i = 0; i < kDegree; i++) {\n power2_round(&s1->c[i], &s0->c[i], s->c[i]);\n }\n}\n\nvoid scalar_scale_power2_round(scalar *out, const scalar *in) {\n for (int i = 0; i < kDegree; i++) {\n scale_power2_round(&out->c[i], in->c[i]);\n }\n}\n\nvoid scalar_high_bits(scalar *out, const scalar *in) {\n for (int i = 0; i < kDegree; i++) {\n out->c[i] = high_bits(in->c[i]);\n }\n}\n\nvoid scalar_low_bits(scalar *out, const scalar *in) {\n for (int i = 0; i < kDegree; i++) {\n out->c[i] = low_bits(in->c[i]);\n }\n}\n\nvoid scalar_max(uint32_t *max, const scalar *s) {\n for (int i = 0; i < kDegree; i++) {\n uint32_t abs = abs_mod_prime(s->c[i]);\n *max = maximum(*max, abs);\n }\n}\n\nvoid scalar_max_signed(uint32_t *max, const scalar *s) {\n for (int i = 0; i < kDegree; i++) {\n uint32_t abs = abs_signed(s->c[i]);\n *max = maximum(*max, abs);\n }\n}\n\nvoid scalar_make_hint(scalar *out, const scalar *ct0, const scalar *cs2,\n const scalar *w) {\n for (int i = 0; i < kDegree; i++) {\n out->c[i] = make_hint(ct0->c[i], cs2->c[i], w->c[i]);\n }\n}\n\nvoid scalar_use_hint_vartime(scalar *out, const scalar *h, const scalar *r) {\n for (int i = 0; i < kDegree; i++) {\n out->c[i] = use_hint_vartime(h->c[i], r->c[i]);\n }\n}\n\ntemplate \nvoid vector_power2_round(vector *t1, vector *t0, const vector *t) {\n for (int i = 0; i < X; i++) {\n scalar_power2_round(&t1->v[i], &t0->v[i], &t->v[i]);\n }\n}\n\ntemplate \nvoid vector_scale_power2_round(vector *out, const vector *in) {\n for (int i = 0; i < X; i++) {\n scalar_scale_power2_round(&out->v[i], &in->v[i]);\n }\n}\n\ntemplate \nvoid vector_high_bits(vector *out, const vector *in) {\n for (int i = 0; i < X; i++) {\n scalar_high_bits(&out->v[i], &in->v[i]);\n }\n}\n\ntemplate \nvoid vector_low_bits(vector *out, const vector *in) {\n for (int i = 0; i < X; i++) {\n scalar_low_bits(&out->v[i], &in->v[i]);\n }\n}\n\ntemplate \nuint32_t vector_max(const vector *a) {\n uint32_t max = 0;\n for (int i = 0; i < X; i++) {\n scalar_max(&max, &a->v[i]);\n }\n return max;\n}\n\ntemplate \nuint32_t vector_max_signed(const vector *a) {\n uint32_t max = 0;\n for (int i = 0; i < X; i++) {\n scalar_max_signed(&max, &a->v[i]);\n }\n return max;\n}\n\n// The input vector contains only zeroes and ones.\ntemplate \nsize_t vector_count_ones(const vector *a) {\n size_t count = 0;\n for (int i = 0; i < X; i++) {\n for (int j = 0; j < kDegree; j++) {\n count += a->v[i].c[j];\n }\n }\n return count;\n}\n\ntemplate \nvoid vector_make_hint(vector *out, const vector *ct0,\n const vector *cs2, const vector *w) {\n for (int i = 0; i < X; i++) {\n scalar_make_hint(&out->v[i], &ct0->v[i], &cs2->v[i], &w->v[i]);\n }\n}\n\ntemplate \nvoid vector_use_hint_vartime(vector *out, const vector *h,\n const vector *r) {\n for (int i = 0; i < X; i++) {\n scalar_use_hint_vartime(&out->v[i], &h->v[i], &r->v[i]);\n }\n}\n\n/* Bit packing */\n\n// FIPS 204, Algorithm 16 (`SimpleBitPack`). Specialized to bitlen(b) = 4.\nstatic void scalar_encode_4(uint8_t out[128], const scalar *s) {\n // Every two elements lands on a byte boundary.\n static_assert(kDegree % 2 == 0, \"kDegree must be a multiple of 2\");\n for (int i = 0; i < kDegree / 2; i++) {\n uint32_t a = s->c[2 * i];\n uint32_t b = s->c[2 * i + 1];\n declassify_assert(a < 16);\n declassify_assert(b < 16);\n out[i] = a | (b << 4);\n }\n}\n\n// FIPS 204, Algorithm 16 (`SimpleBitPack`). Specialized to bitlen(b) = 10.\nvoid scalar_encode_10(uint8_t out[320], const scalar *s) {\n // Every four elements lands on a byte boundary.\n static_assert(kDegree % 4 == 0, \"kDegree must be a multiple of 4\");\n for (int i = 0; i < kDegree / 4; i++) {\n uint32_t a = s->c[4 * i];\n uint32_t b = s->c[4 * i + 1];\n uint32_t c = s->c[4 * i + 2];\n uint32_t d = s->c[4 * i + 3];\n declassify_assert(a < 1024);\n declassify_assert(b < 1024);\n declassify_assert(c < 1024);\n declassify_assert(d < 1024);\n out[5 * i] = (uint8_t)a;\n out[5 * i + 1] = (uint8_t)((a >> 8) | (b << 2));\n out[5 * i + 2] = (uint8_t)((b >> 6) | (c << 4));\n out[5 * i + 3] = (uint8_t)((c >> 4) | (d << 6));\n out[5 * i + 4] = (uint8_t)(d >> 2);\n }\n}\n\n// FIPS 204, Algorithm 17 (`BitPack`). Specialized to bitlen(a+b) = 4 and b = 4.\nvoid scalar_encode_signed_4_4(uint8_t out[128], const scalar *s) {\n // Every two elements lands on a byte boundary.\n static_assert(kDegree % 2 == 0, \"kDegree must be a multiple of 2\");\n for (int i = 0; i < kDegree / 2; i++) {\n uint32_t a = mod_sub(4, s->c[2 * i]);\n uint32_t b = mod_sub(4, s->c[2 * i + 1]);\n declassify_assert(a < 16);\n declassify_assert(b < 16);\n out[i] = a | (b << 4);\n }\n}\n\n// FIPS 204, Algorithm 17 (`BitPack`). Specialized to bitlen(a+b) = 3 and b = 2.\nstatic void scalar_encode_signed_3_2(uint8_t out[96], const scalar *s) {\n static_assert(kDegree % 8 == 0, \"kDegree must be a multiple of 8\");\n for (int i = 0; i < kDegree / 8; i++) {\n uint32_t a = mod_sub(2, s->c[8 * i]);\n uint32_t b = mod_sub(2, s->c[8 * i + 1]);\n uint32_t c = mod_sub(2, s->c[8 * i + 2]);\n uint32_t d = mod_sub(2, s->c[8 * i + 3]);\n uint32_t e = mod_sub(2, s->c[8 * i + 4]);\n uint32_t f = mod_sub(2, s->c[8 * i + 5]);\n uint32_t g = mod_sub(2, s->c[8 * i + 6]);\n uint32_t h = mod_sub(2, s->c[8 * i + 7]);\n uint32_t v = (h << 21) | (g << 18) | (f << 15) | (e << 12) | (d << 9) |\n (c << 6) | (b << 3) | a;\n uint8_t v_bytes[sizeof(v)];\n CRYPTO_store_u32_le(v_bytes, v);\n OPENSSL_memcpy(&out[i * 3], v_bytes, 3);\n }\n}\n\n// FIPS 204, Algorithm 17 (`BitPack`). Specialized to bitlen(a+b) = 13 and b =\n// 2^12.\nvoid scalar_encode_signed_13_12(uint8_t out[416], const scalar *s) {\n static const uint32_t kMax = 1u << 12;\n // Every two elements lands on a byte boundary.\n static_assert(kDegree % 8 == 0, \"kDegree must be a multiple of 8\");\n for (int i = 0; i < kDegree / 8; i++) {\n uint32_t a = mod_sub(kMax, s->c[8 * i]);\n uint32_t b = mod_sub(kMax, s->c[8 * i + 1]);\n uint32_t c = mod_sub(kMax, s->c[8 * i + 2]);\n uint32_t d = mod_sub(kMax, s->c[8 * i + 3]);\n uint32_t e = mod_sub(kMax, s->c[8 * i + 4]);\n uint32_t f = mod_sub(kMax, s->c[8 * i + 5]);\n uint32_t g = mod_sub(kMax, s->c[8 * i + 6]);\n uint32_t h = mod_sub(kMax, s->c[8 * i + 7]);\n declassify_assert(a < (1u << 13));\n declassify_assert(b < (1u << 13));\n declassify_assert(c < (1u << 13));\n declassify_assert(d < (1u << 13));\n declassify_assert(e < (1u << 13));\n declassify_assert(f < (1u << 13));\n declassify_assert(g < (1u << 13));\n declassify_assert(h < (1u << 13));\n a |= b << 13;\n a |= c << 26;\n c >>= 6;\n c |= d << 7;\n c |= e << 20;\n e >>= 12;\n e |= f << 1;\n e |= g << 14;\n e |= h << 27;\n h >>= 5;\n OPENSSL_memcpy(&out[13 * i], &a, sizeof(a));\n OPENSSL_memcpy(&out[13 * i + 4], &c, sizeof(c));\n OPENSSL_memcpy(&out[13 * i + 8], &e, sizeof(e));\n OPENSSL_memcpy(&out[13 * i + 12], &h, 1);\n }\n}\n\n// FIPS 204, Algorithm 17 (`BitPack`). Specialized to bitlen(a+b) = 20 and b =\n// 2^19.\nvoid scalar_encode_signed_20_19(uint8_t out[640], const scalar *s) {\n static const uint32_t kMax = 1u << 19;\n // Every two elements lands on a byte boundary.\n static_assert(kDegree % 4 == 0, \"kDegree must be a multiple of 4\");\n for (int i = 0; i < kDegree / 4; i++) {\n uint32_t a = mod_sub(kMax, s->c[4 * i]);\n uint32_t b = mod_sub(kMax, s->c[4 * i + 1]);\n uint32_t c = mod_sub(kMax, s->c[4 * i + 2]);\n uint32_t d = mod_sub(kMax, s->c[4 * i + 3]);\n declassify_assert(a < (1u << 20));\n declassify_assert(b < (1u << 20));\n declassify_assert(c < (1u << 20));\n declassify_assert(d < (1u << 20));\n a |= b << 20;\n b >>= 12;\n b |= c << 8;\n b |= d << 28;\n d >>= 4;\n OPENSSL_memcpy(&out[10 * i], &a, sizeof(a));\n OPENSSL_memcpy(&out[10 * i + 4], &b, sizeof(b));\n OPENSSL_memcpy(&out[10 * i + 8], &d, 2);\n }\n}\n\n// FIPS 204, Algorithm 17 (`BitPack`).\nvoid scalar_encode_signed(uint8_t *out, const scalar *s, int bits,\n uint32_t max) {\n if (bits == 3) {\n assert(max == 2);\n scalar_encode_signed_3_2(out, s);\n } else if (bits == 4) {\n assert(max == 4);\n scalar_encode_signed_4_4(out, s);\n } else if (bits == 20) {\n assert(max == 1u << 19);\n scalar_encode_signed_20_19(out, s);\n } else {\n assert(bits == 13);\n assert(max == 1u << 12);\n scalar_encode_signed_13_12(out, s);\n }\n}\n\n// FIPS 204, Algorithm 18 (`SimpleBitUnpack`). Specialized for bitlen(b) == 10.\nvoid scalar_decode_10(scalar *out, const uint8_t in[320]) {\n uint32_t v;\n static_assert(kDegree % 4 == 0, \"kDegree must be a multiple of 4\");\n for (int i = 0; i < kDegree / 4; i++) {\n OPENSSL_memcpy(&v, &in[5 * i], sizeof(v));\n out->c[4 * i] = v & 0x3ff;\n out->c[4 * i + 1] = (v >> 10) & 0x3ff;\n out->c[4 * i + 2] = (v >> 20) & 0x3ff;\n out->c[4 * i + 3] = (v >> 30) | (((uint32_t)in[5 * i + 4]) << 2);\n }\n}\n\n// FIPS 204, Algorithm 19 (`BitUnpack`). Specialized to bitlen(a+b) = 4 and b =\n// 4.\nint scalar_decode_signed_4_4(scalar *out, const uint8_t in[128]) {\n uint32_t v;\n static_assert(kDegree % 8 == 0, \"kDegree must be a multiple of 8\");\n for (int i = 0; i < kDegree / 8; i++) {\n OPENSSL_memcpy(&v, &in[4 * i], sizeof(v));\n // None of the nibbles may be >= 9. So if the MSB of any nibble is set, none\n // of the other bits may be set. First, select all the MSBs.\n const uint32_t msbs = v & 0x88888888u;\n // For each nibble where the MSB is set, form a mask of all the other bits.\n const uint32_t mask = (msbs >> 1) | (msbs >> 2) | (msbs >> 3);\n // A nibble is only out of range in the case of invalid input, in which case\n // it is okay to leak the value.\n if (constant_time_declassify_int((mask & v) != 0)) {\n return 0;\n }\n\n out->c[i * 8] = mod_sub(4, v & 15);\n out->c[i * 8 + 1] = mod_sub(4, (v >> 4) & 15);\n out->c[i * 8 + 2] = mod_sub(4, (v >> 8) & 15);\n out->c[i * 8 + 3] = mod_sub(4, (v >> 12) & 15);\n out->c[i * 8 + 4] = mod_sub(4, (v >> 16) & 15);\n out->c[i * 8 + 5] = mod_sub(4, (v >> 20) & 15);\n out->c[i * 8 + 6] = mod_sub(4, (v >> 24) & 15);\n out->c[i * 8 + 7] = mod_sub(4, v >> 28);\n }\n return 1;\n}\n\n// FIPS 204, Algorithm 19 (`BitUnpack`). Specialized to bitlen(a+b) = 3 and b =\n// 2.\nstatic int scalar_decode_signed_3_2(scalar *out, const uint8_t in[96]) {\n uint32_t v;\n uint8_t v_bytes[sizeof(v)] = {0};\n static_assert(kDegree % 8 == 0, \"kDegree must be a multiple of 8\");\n for (int i = 0; i < kDegree / 8; i++) {\n OPENSSL_memcpy(v_bytes, &in[3 * i], 3);\n v = CRYPTO_load_u32_le(v_bytes);\n // v contains 8, 3-bit values in the lower 24 bits. None of the values may\n // be >= 5. So if the MSB of any triple is set, none of the other bits may\n // be set. First, select all the MSBs.\n const uint32_t msbs = v & 000044444444u;\n // For each triple where the MSB is set, form a mask of all the other bits.\n const uint32_t mask = (msbs >> 1) | (msbs >> 2);\n // A triple is only out of range in the case of invalid input, in which case\n // it is okay to leak the value.\n if (constant_time_declassify_int((mask & v) != 0)) {\n return 0;\n }\n\n out->c[i * 8 + 0] = mod_sub(2, (v >> 0) & 7);\n out->c[i * 8 + 1] = mod_sub(2, (v >> 3) & 7);\n out->c[i * 8 + 2] = mod_sub(2, (v >> 6) & 7);\n out->c[i * 8 + 3] = mod_sub(2, (v >> 9) & 7);\n out->c[i * 8 + 4] = mod_sub(2, (v >> 12) & 7);\n out->c[i * 8 + 5] = mod_sub(2, (v >> 15) & 7);\n out->c[i * 8 + 6] = mod_sub(2, (v >> 18) & 7);\n out->c[i * 8 + 7] = mod_sub(2, v >> 21);\n }\n return 1;\n}\n\n// FIPS 204, Algorithm 19 (`BitUnpack`). Specialized to bitlen(a+b) = 13 and b =\n// 2^12.\nvoid scalar_decode_signed_13_12(scalar *out, const uint8_t in[416]) {\n static const uint32_t kMax = 1u << 12;\n static const uint32_t k13Bits = (1u << 13) - 1;\n static const uint32_t k7Bits = (1u << 7) - 1;\n\n uint32_t a, b, c;\n uint8_t d;\n static_assert(kDegree % 8 == 0, \"kDegree must be a multiple of 8\");\n for (int i = 0; i < kDegree / 8; i++) {\n OPENSSL_memcpy(&a, &in[13 * i], sizeof(a));\n OPENSSL_memcpy(&b, &in[13 * i + 4], sizeof(b));\n OPENSSL_memcpy(&c, &in[13 * i + 8], sizeof(c));\n d = in[13 * i + 12];\n\n // It's not possible for a 13-bit number to be out of range when the max is\n // 2^12.\n out->c[i * 8] = mod_sub(kMax, a & k13Bits);\n out->c[i * 8 + 1] = mod_sub(kMax, (a >> 13) & k13Bits);\n out->c[i * 8 + 2] = mod_sub(kMax, (a >> 26) | ((b & k7Bits) << 6));\n out->c[i * 8 + 3] = mod_sub(kMax, (b >> 7) & k13Bits);\n out->c[i * 8 + 4] = mod_sub(kMax, (b >> 20) | ((c & 1) << 12));\n out->c[i * 8 + 5] = mod_sub(kMax, (c >> 1) & k13Bits);\n out->c[i * 8 + 6] = mod_sub(kMax, (c >> 14) & k13Bits);\n out->c[i * 8 + 7] = mod_sub(kMax, (c >> 27) | ((uint32_t)d) << 5);\n }\n}\n\n// FIPS 204, Algorithm 19 (`BitUnpack`). Specialized to bitlen(a+b) = 20 and b =\n// 2^19.\nvoid scalar_decode_signed_20_19(scalar *out, const uint8_t in[640]) {\n static const uint32_t kMax = 1u << 19;\n static const uint32_t k20Bits = (1u << 20) - 1;\n\n uint32_t a, b;\n uint16_t c;\n static_assert(kDegree % 4 == 0, \"kDegree must be a multiple of 4\");\n for (int i = 0; i < kDegree / 4; i++) {\n OPENSSL_memcpy(&a, &in[10 * i], sizeof(a));\n OPENSSL_memcpy(&b, &in[10 * i + 4], sizeof(b));\n OPENSSL_memcpy(&c, &in[10 * i + 8], sizeof(c));\n\n // It's not possible for a 20-bit number to be out of range when the max is\n // 2^19.\n out->c[i * 4] = mod_sub(kMax, a & k20Bits);\n out->c[i * 4 + 1] = mod_sub(kMax, (a >> 20) | ((b & 0xff) << 12));\n out->c[i * 4 + 2] = mod_sub(kMax, (b >> 8) & k20Bits);\n out->c[i * 4 + 3] = mod_sub(kMax, (b >> 28) | ((uint32_t)c) << 4);\n }\n}\n\n// FIPS 204, Algorithm 19 (`BitUnpack`).\nint scalar_decode_signed(scalar *out, const uint8_t *in, int bits,\n uint32_t max) {\n if (bits == 3) {\n assert(max == 2);\n return scalar_decode_signed_3_2(out, in);\n } else if (bits == 4) {\n assert(max == 4);\n return scalar_decode_signed_4_4(out, in);\n } else if (bits == 13) {\n assert(max == (1u << 12));\n scalar_decode_signed_13_12(out, in);\n return 1;\n } else if (bits == 20) {\n assert(max == (1u << 19));\n scalar_decode_signed_20_19(out, in);\n return 1;\n } else {\n abort();\n }\n}\n\n/* Expansion functions */\n\n// FIPS 204, Algorithm 30 (`RejNTTPoly`).\n//\n// Rejection samples a Keccak stream to get uniformly distributed elements. This\n// is used for matrix expansion and only operates on public inputs.\nvoid scalar_from_keccak_vartime(scalar *out,\n const uint8_t derived_seed[kRhoBytes + 2]) {\n struct BORINGSSL_keccak_st keccak_ctx;\n BORINGSSL_keccak_init(&keccak_ctx, boringssl_shake128);\n BORINGSSL_keccak_absorb(&keccak_ctx, derived_seed, kRhoBytes + 2);\n assert(keccak_ctx.squeeze_offset == 0);\n assert(keccak_ctx.rate_bytes == 168);\n static_assert(168 % 3 == 0, \"block and coefficient boundaries do not align\");\n\n int done = 0;\n while (done < kDegree) {\n uint8_t block[168];\n BORINGSSL_keccak_squeeze(&keccak_ctx, block, sizeof(block));\n for (size_t i = 0; i < sizeof(block) && done < kDegree; i += 3) {\n // FIPS 204, Algorithm 14 (`CoeffFromThreeBytes`).\n uint32_t value = (uint32_t)block[i] | ((uint32_t)block[i + 1] << 8) |\n (((uint32_t)block[i + 2] & 0x7f) << 16);\n if (value < kPrime) {\n out->c[done++] = value;\n }\n }\n }\n}\n\ntemplate \nstatic bool coefficient_from_nibble(uint32_t nibble, uint32_t *result);\n\ntemplate <>\nbool coefficient_from_nibble<4>(uint32_t nibble, uint32_t *result) {\n if (constant_time_declassify_int(nibble < 9)) {\n *result = mod_sub(4, nibble);\n return true;\n }\n return false;\n}\n\ntemplate <>\nbool coefficient_from_nibble<2>(uint32_t nibble, uint32_t *result) {\n if (constant_time_declassify_int(nibble < 15)) {\n *result = mod_sub(2, nibble % 5);\n return true;\n }\n return false;\n}\n\n// FIPS 204, Algorithm 31 (`RejBoundedPoly`).\ntemplate \nvoid scalar_uniform(scalar *out, const uint8_t derived_seed[kSigmaBytes + 2]) {\n struct BORINGSSL_keccak_st keccak_ctx;\n BORINGSSL_keccak_init(&keccak_ctx, boringssl_shake256);\n BORINGSSL_keccak_absorb(&keccak_ctx, derived_seed, kSigmaBytes + 2);\n assert(keccak_ctx.squeeze_offset == 0);\n assert(keccak_ctx.rate_bytes == 136);\n\n int done = 0;\n while (done < kDegree) {\n uint8_t block[136];\n BORINGSSL_keccak_squeeze(&keccak_ctx, block, sizeof(block));\n for (size_t i = 0; i < sizeof(block) && done < kDegree; ++i) {\n uint32_t t0 = block[i] & 0x0F;\n uint32_t t1 = block[i] >> 4;\n // FIPS 204, Algorithm 15 (`CoefFromHalfByte`). Although both the input\n // and output here are secret, it is OK to leak when we rejected a byte.\n // Individual bytes of the SHAKE-256 stream are (indistiguishable from)\n // independent of each other and the original seed, so leaking information\n // about the rejected bytes does not reveal the input or output.\n uint32_t v;\n if (coefficient_from_nibble(t0, &v)) {\n out->c[done++] = v;\n }\n if (done < kDegree && coefficient_from_nibble(t1, &v)) {\n out->c[done++] = v;\n }\n }\n }\n}\n\n// FIPS 204, Algorithm 34 (`ExpandMask`), but just a single step.\nvoid scalar_sample_mask(scalar *out,\n const uint8_t derived_seed[kRhoPrimeBytes + 2]) {\n uint8_t buf[640];\n BORINGSSL_keccak(buf, sizeof(buf), derived_seed, kRhoPrimeBytes + 2,\n boringssl_shake256);\n\n scalar_decode_signed_20_19(out, buf);\n}\n\n// FIPS 204, Algorithm 29 (`SampleInBall`).\nvoid scalar_sample_in_ball_vartime(scalar *out, const uint8_t *seed, int len,\n int tau) {\n struct BORINGSSL_keccak_st keccak_ctx;\n BORINGSSL_keccak_init(&keccak_ctx, boringssl_shake256);\n BORINGSSL_keccak_absorb(&keccak_ctx, seed, len);\n assert(keccak_ctx.squeeze_offset == 0);\n assert(keccak_ctx.rate_bytes == 136);\n\n uint8_t block[136];\n BORINGSSL_keccak_squeeze(&keccak_ctx, block, sizeof(block));\n\n uint64_t signs = CRYPTO_load_u64_le(block);\n int offset = 8;\n // SampleInBall implements a Fisher–Yates shuffle, which unavoidably leaks\n // where the zeros are by memory access pattern. Although this leak happens\n // before bad signatures are rejected, this is safe. See\n // https://boringssl-review.googlesource.com/c/boringssl/+/67747/comment/8d8f01ac_70af3f21/\n CONSTTIME_DECLASSIFY(block + offset, sizeof(block) - offset);\n\n OPENSSL_memset(out, 0, sizeof(*out));\n for (size_t i = kDegree - tau; i < kDegree; i++) {\n size_t byte;\n for (;;) {\n if (offset == 136) {\n BORINGSSL_keccak_squeeze(&keccak_ctx, block, sizeof(block));\n // See above.\n CONSTTIME_DECLASSIFY(block, sizeof(block));\n offset = 0;\n }\n\n byte = block[offset++];\n if (byte <= i) {\n break;\n }\n }\n\n out->c[i] = out->c[byte];\n out->c[byte] = mod_sub(1, 2 * (signs & 1));\n signs >>= 1;\n }\n}\n\n// FIPS 204, Algorithm 32 (`ExpandA`).\ntemplate \nvoid matrix_expand(matrix *out, const uint8_t rho[kRhoBytes]) {\n static_assert(K <= 0x100, \"K must fit in 8 bits\");\n static_assert(L <= 0x100, \"L must fit in 8 bits\");\n\n uint8_t derived_seed[kRhoBytes + 2];\n OPENSSL_memcpy(derived_seed, rho, kRhoBytes);\n for (int i = 0; i < K; i++) {\n for (int j = 0; j < L; j++) {\n derived_seed[kRhoBytes + 1] = (uint8_t)i;\n derived_seed[kRhoBytes] = (uint8_t)j;\n scalar_from_keccak_vartime(&out->v[i][j], derived_seed);\n }\n }\n}\n\n// FIPS 204, Algorithm 33 (`ExpandS`).\ntemplate \nvoid vector_expand_short(vector *s1, vector *s2,\n const uint8_t sigma[kSigmaBytes]) {\n static_assert(K <= 0x100, \"K must fit in 8 bits\");\n static_assert(L <= 0x100, \"L must fit in 8 bits\");\n static_assert(K + L <= 0x100, \"K+L must fit in 8 bits\");\n\n uint8_t derived_seed[kSigmaBytes + 2];\n OPENSSL_memcpy(derived_seed, sigma, kSigmaBytes);\n derived_seed[kSigmaBytes] = 0;\n derived_seed[kSigmaBytes + 1] = 0;\n for (int i = 0; i < L; i++) {\n scalar_uniform()>(&s1->v[i], derived_seed);\n ++derived_seed[kSigmaBytes];\n }\n for (int i = 0; i < K; i++) {\n scalar_uniform()>(&s2->v[i], derived_seed);\n ++derived_seed[kSigmaBytes];\n }\n}\n\n// FIPS 204, Algorithm 34 (`ExpandMask`).\ntemplate \nvoid vector_expand_mask(vector *out, const uint8_t seed[kRhoPrimeBytes],\n size_t kappa) {\n assert(kappa + L <= 0x10000);\n\n uint8_t derived_seed[kRhoPrimeBytes + 2];\n OPENSSL_memcpy(derived_seed, seed, kRhoPrimeBytes);\n for (int i = 0; i < L; i++) {\n size_t index = kappa + i;\n derived_seed[kRhoPrimeBytes] = index & 0xFF;\n derived_seed[kRhoPrimeBytes + 1] = (index >> 8) & 0xFF;\n scalar_sample_mask(&out->v[i], derived_seed);\n }\n}\n\n/* Encoding */\n\n// FIPS 204, Algorithm 16 (`SimpleBitPack`).\n//\n// Encodes an entire vector into 32*K*|bits| bytes. Note that since 256\n// (kDegree) is divisible by 8, the individual vector entries will always fill a\n// whole number of bytes, so we do not need to worry about bit packing here.\ntemplate \nvoid vector_encode(uint8_t *out, const vector *a, int bits) {\n if (bits == 4) {\n for (int i = 0; i < K; i++) {\n scalar_encode_4(out + i * bits * kDegree / 8, &a->v[i]);\n }\n } else {\n assert(bits == 10);\n for (int i = 0; i < K; i++) {\n scalar_encode_10(out + i * bits * kDegree / 8, &a->v[i]);\n }\n }\n}\n\n// FIPS 204, Algorithm 18 (`SimpleBitUnpack`).\ntemplate \nvoid vector_decode_10(vector *out, const uint8_t *in) {\n for (int i = 0; i < K; i++) {\n scalar_decode_10(&out->v[i], in + i * 10 * kDegree / 8);\n }\n}\n\n// FIPS 204, Algorithm 17 (`BitPack`).\n//\n// Encodes an entire vector into 32*L*|bits| bytes. Note that since 256\n// (kDegree) is divisible by 8, the individual vector entries will always fill a\n// whole number of bytes, so we do not need to worry about bit packing here.\ntemplate \nvoid vector_encode_signed(uint8_t *out, const vector *a, int bits,\n uint32_t max) {\n for (int i = 0; i < X; i++) {\n scalar_encode_signed(out + i * bits * kDegree / 8, &a->v[i], bits, max);\n }\n}\n\ntemplate \nint vector_decode_signed(vector *out, const uint8_t *in, int bits,\n uint32_t max) {\n for (int i = 0; i < X; i++) {\n if (!scalar_decode_signed(&out->v[i], in + i * bits * kDegree / 8, bits,\n max)) {\n return 0;\n }\n }\n return 1;\n}\n\n// FIPS 204, Algorithm 28 (`w1Encode`).\ntemplate \nvoid w1_encode(uint8_t out[128 * K], const vector *w1) {\n vector_encode(out, w1, 4);\n}\n\n// FIPS 204, Algorithm 20 (`HintBitPack`).\ntemplate \nvoid hint_bit_pack(uint8_t out[omega() + K], const vector *h) {\n OPENSSL_memset(out, 0, omega() + K);\n int index = 0;\n for (int i = 0; i < K; i++) {\n for (int j = 0; j < kDegree; j++) {\n if (h->v[i].c[j]) {\n // h must have at most omega() non-zero coefficients.\n BSSL_CHECK(index < omega());\n out[index++] = j;\n }\n }\n out[omega() + i] = index;\n }\n}\n\n// FIPS 204, Algorithm 21 (`HintBitUnpack`).\ntemplate \nint hint_bit_unpack(vector *h, const uint8_t in[omega() + K]) {\n vector_zero(h);\n int index = 0;\n for (int i = 0; i < K; i++) {\n const int limit = in[omega() + i];\n if (limit < index || limit > omega()) {\n return 0;\n }\n\n int last = -1;\n while (index < limit) {\n int byte = in[index++];\n if (last >= 0 && byte <= last) {\n return 0;\n }\n last = byte;\n static_assert(kDegree == 256,\n \"kDegree must be 256 for this write to be in bounds\");\n h->v[i].c[byte] = 1;\n }\n }\n for (; index < omega(); index++) {\n if (in[index] != 0) {\n return 0;\n }\n }\n return 1;\n}\n\ntemplate \nstruct public_key {\n uint8_t rho[kRhoBytes];\n vector t1;\n // Pre-cached value(s).\n uint8_t public_key_hash[kTrBytes];\n};\n\ntemplate \nstruct private_key {\n uint8_t rho[kRhoBytes];\n uint8_t k[kKBytes];\n uint8_t public_key_hash[kTrBytes];\n vector s1;\n vector s2;\n vector t0;\n};\n\ntemplate \nstruct signature {\n uint8_t c_tilde[2 * lambda_bytes()];\n vector z;\n vector h;\n};\n\n// FIPS 204, Algorithm 22 (`pkEncode`).\ntemplate \nint mldsa_marshal_public_key(CBB *out, const struct public_key *pub) {\n if (!CBB_add_bytes(out, pub->rho, sizeof(pub->rho))) {\n return 0;\n }\n\n uint8_t *vectork_output;\n if (!CBB_add_space(out, &vectork_output, 320 * K)) {\n return 0;\n }\n vector_encode(vectork_output, &pub->t1, 10);\n\n return 1;\n}\n\n// FIPS 204, Algorithm 23 (`pkDecode`).\ntemplate \nint mldsa_parse_public_key(struct public_key *pub, CBS *in) {\n const CBS orig_in = *in;\n\n if (!CBS_copy_bytes(in, pub->rho, sizeof(pub->rho))) {\n return 0;\n }\n\n CBS t1_bytes;\n if (!CBS_get_bytes(in, &t1_bytes, 320 * K) || CBS_len(in) != 0) {\n return 0;\n }\n vector_decode_10(&pub->t1, CBS_data(&t1_bytes));\n\n // Compute pre-cached values.\n BORINGSSL_keccak(pub->public_key_hash, sizeof(pub->public_key_hash),\n CBS_data(&orig_in), CBS_len(&orig_in), boringssl_shake256);\n\n return 1;\n}\n\n// FIPS 204, Algorithm 24 (`skEncode`).\ntemplate \nint mldsa_marshal_private_key(CBB *out, const struct private_key *priv) {\n if (!CBB_add_bytes(out, priv->rho, sizeof(priv->rho)) ||\n !CBB_add_bytes(out, priv->k, sizeof(priv->k)) ||\n !CBB_add_bytes(out, priv->public_key_hash,\n sizeof(priv->public_key_hash))) {\n return 0;\n }\n\n constexpr size_t scalar_bytes =\n (kDegree * plus_minus_eta_bitlen() + 7) / 8;\n uint8_t *vectorl_output;\n if (!CBB_add_space(out, &vectorl_output, scalar_bytes * L)) {\n return 0;\n }\n vector_encode_signed(vectorl_output, &priv->s1, plus_minus_eta_bitlen(),\n eta());\n\n uint8_t *s2_output;\n if (!CBB_add_space(out, &s2_output, scalar_bytes * K)) {\n return 0;\n }\n vector_encode_signed(s2_output, &priv->s2, plus_minus_eta_bitlen(),\n eta());\n\n uint8_t *t0_output;\n if (!CBB_add_space(out, &t0_output, 416 * K)) {\n return 0;\n }\n vector_encode_signed(t0_output, &priv->t0, 13, 1 << 12);\n\n return 1;\n}\n\n// FIPS 204, Algorithm 25 (`skDecode`).\ntemplate \nint mldsa_parse_private_key(struct private_key *priv, CBS *in) {\n CBS s1_bytes;\n CBS s2_bytes;\n CBS t0_bytes;\n constexpr size_t scalar_bytes =\n (kDegree * plus_minus_eta_bitlen() + 7) / 8;\n if (!CBS_copy_bytes(in, priv->rho, sizeof(priv->rho)) ||\n !CBS_copy_bytes(in, priv->k, sizeof(priv->k)) ||\n !CBS_copy_bytes(in, priv->public_key_hash,\n sizeof(priv->public_key_hash)) ||\n !CBS_get_bytes(in, &s1_bytes, scalar_bytes * L) ||\n !vector_decode_signed(&priv->s1, CBS_data(&s1_bytes),\n plus_minus_eta_bitlen(), eta()) ||\n !CBS_get_bytes(in, &s2_bytes, scalar_bytes * K) ||\n !vector_decode_signed(&priv->s2, CBS_data(&s2_bytes),\n plus_minus_eta_bitlen(), eta()) ||\n !CBS_get_bytes(in, &t0_bytes, 416 * K) ||\n // Note: Decoding 13 bits into (-2^12, 2^12] cannot fail.\n !vector_decode_signed(&priv->t0, CBS_data(&t0_bytes), 13, 1 << 12)) {\n return 0;\n }\n\n return 1;\n}\n\n// FIPS 204, Algorithm 26 (`sigEncode`).\ntemplate \nint mldsa_marshal_signature(CBB *out, const struct signature *sign) {\n if (!CBB_add_bytes(out, sign->c_tilde, sizeof(sign->c_tilde))) {\n return 0;\n }\n\n uint8_t *vectorl_output;\n if (!CBB_add_space(out, &vectorl_output, 640 * L)) {\n return 0;\n }\n vector_encode_signed(vectorl_output, &sign->z, 20, 1 << 19);\n\n uint8_t *hint_output;\n if (!CBB_add_space(out, &hint_output, omega() + K)) {\n return 0;\n }\n hint_bit_pack(hint_output, &sign->h);\n\n return 1;\n}\n\n// FIPS 204, Algorithm 27 (`sigDecode`).\ntemplate \nint mldsa_parse_signature(struct signature *sign, CBS *in) {\n CBS z_bytes;\n CBS hint_bytes;\n if (!CBS_copy_bytes(in, sign->c_tilde, sizeof(sign->c_tilde)) ||\n !CBS_get_bytes(in, &z_bytes, 640 * L) ||\n // Note: Decoding 20 bits into (-2^19, 2^19] cannot fail.\n !vector_decode_signed(&sign->z, CBS_data(&z_bytes), 20, 1 << 19) ||\n !CBS_get_bytes(in, &hint_bytes, omega() + K) ||\n !hint_bit_unpack(&sign->h, CBS_data(&hint_bytes))) {\n return 0;\n };\n\n return 1;\n}\n\ntemplate \nstruct DeleterFree {\n void operator()(T *ptr) { OPENSSL_free(ptr); }\n};\n\n// FIPS 204, Algorithm 6 (`ML-DSA.KeyGen_internal`). Returns 1 on success and 0\n// on failure.\ntemplate \nint mldsa_generate_key_external_entropy(\n uint8_t out_encoded_public_key[public_key_bytes()],\n struct private_key *priv,\n const uint8_t entropy[BCM_MLDSA_SEED_BYTES]) {\n // Intermediate values, allocated on the heap to allow use when there is a\n // limited amount of stack.\n struct values_st {\n struct public_key pub;\n matrix a_ntt;\n vector s1_ntt;\n vector t;\n };\n std::unique_ptr> values(\n reinterpret_cast(OPENSSL_malloc(sizeof(values_st))));\n if (values == NULL) {\n return 0;\n }\n\n uint8_t augmented_entropy[BCM_MLDSA_SEED_BYTES + 2];\n OPENSSL_memcpy(augmented_entropy, entropy, BCM_MLDSA_SEED_BYTES);\n // The k and l parameters are appended to the seed.\n augmented_entropy[BCM_MLDSA_SEED_BYTES] = K;\n augmented_entropy[BCM_MLDSA_SEED_BYTES + 1] = L;\n uint8_t expanded_seed[kRhoBytes + kSigmaBytes + kKBytes];\n BORINGSSL_keccak(expanded_seed, sizeof(expanded_seed), augmented_entropy,\n sizeof(augmented_entropy), boringssl_shake256);\n const uint8_t *const rho = expanded_seed;\n const uint8_t *const sigma = expanded_seed + kRhoBytes;\n const uint8_t *const k = expanded_seed + kRhoBytes + kSigmaBytes;\n // rho is public.\n CONSTTIME_DECLASSIFY(rho, kRhoBytes);\n OPENSSL_memcpy(values->pub.rho, rho, sizeof(values->pub.rho));\n OPENSSL_memcpy(priv->rho, rho, sizeof(priv->rho));\n OPENSSL_memcpy(priv->k, k, sizeof(priv->k));\n\n matrix_expand(&values->a_ntt, rho);\n vector_expand_short(&priv->s1, &priv->s2, sigma);\n\n OPENSSL_memcpy(&values->s1_ntt, &priv->s1, sizeof(values->s1_ntt));\n vector_ntt(&values->s1_ntt);\n\n matrix_mult(&values->t, &values->a_ntt, &values->s1_ntt);\n vector_inverse_ntt(&values->t);\n vector_add(&values->t, &values->t, &priv->s2);\n\n vector_power2_round(&values->pub.t1, &priv->t0, &values->t);\n // t1 is public.\n CONSTTIME_DECLASSIFY(&values->pub.t1, sizeof(values->pub.t1));\n\n CBB cbb;\n CBB_init_fixed(&cbb, out_encoded_public_key, public_key_bytes());\n if (!mldsa_marshal_public_key(&cbb, &values->pub)) {\n return 0;\n }\n assert(CBB_len(&cbb) == public_key_bytes());\n\n BORINGSSL_keccak(priv->public_key_hash, sizeof(priv->public_key_hash),\n out_encoded_public_key, public_key_bytes(),\n boringssl_shake256);\n\n return 1;\n}\n\ntemplate \nint mldsa_public_from_private(struct public_key *pub,\n const struct private_key *priv) {\n // Intermediate values, allocated on the heap to allow use when there is a\n // limited amount of stack.\n struct values_st {\n matrix a_ntt;\n vector s1_ntt;\n vector t;\n vector t0;\n };\n std::unique_ptr> values(\n reinterpret_cast(OPENSSL_malloc(sizeof(values_st))));\n if (values == NULL) {\n return 0;\n }\n\n OPENSSL_memcpy(pub->rho, priv->rho, sizeof(pub->rho));\n OPENSSL_memcpy(pub->public_key_hash, priv->public_key_hash,\n sizeof(pub->public_key_hash));\n\n matrix_expand(&values->a_ntt, priv->rho);\n\n OPENSSL_memcpy(&values->s1_ntt, &priv->s1, sizeof(values->s1_ntt));\n vector_ntt(&values->s1_ntt);\n\n matrix_mult(&values->t, &values->a_ntt, &values->s1_ntt);\n vector_inverse_ntt(&values->t);\n vector_add(&values->t, &values->t, &priv->s2);\n\n vector_power2_round(&pub->t1, &values->t0, &values->t);\n // t1 is part of the public key and thus is public.\n CONSTTIME_DECLASSIFY(&pub->t1, sizeof(pub->t1));\n return 1;\n}\n\n// FIPS 204, Algorithm 7 (`ML-DSA.Sign_internal`). Returns 1 on success and 0\n// on failure.\ntemplate \nint mldsa_sign_internal(\n uint8_t out_encoded_signature[signature_bytes()],\n const struct private_key *priv, const uint8_t *msg, size_t msg_len,\n const uint8_t *context_prefix, size_t context_prefix_len,\n const uint8_t *context, size_t context_len,\n const uint8_t randomizer[BCM_MLDSA_SIGNATURE_RANDOMIZER_BYTES]) {\n uint8_t mu[kMuBytes];\n struct BORINGSSL_keccak_st keccak_ctx;\n BORINGSSL_keccak_init(&keccak_ctx, boringssl_shake256);\n BORINGSSL_keccak_absorb(&keccak_ctx, priv->public_key_hash,\n sizeof(priv->public_key_hash));\n BORINGSSL_keccak_absorb(&keccak_ctx, context_prefix, context_prefix_len);\n BORINGSSL_keccak_absorb(&keccak_ctx, context, context_len);\n BORINGSSL_keccak_absorb(&keccak_ctx, msg, msg_len);\n BORINGSSL_keccak_squeeze(&keccak_ctx, mu, kMuBytes);\n\n uint8_t rho_prime[kRhoPrimeBytes];\n BORINGSSL_keccak_init(&keccak_ctx, boringssl_shake256);\n BORINGSSL_keccak_absorb(&keccak_ctx, priv->k, sizeof(priv->k));\n BORINGSSL_keccak_absorb(&keccak_ctx, randomizer,\n BCM_MLDSA_SIGNATURE_RANDOMIZER_BYTES);\n BORINGSSL_keccak_absorb(&keccak_ctx, mu, kMuBytes);\n BORINGSSL_keccak_squeeze(&keccak_ctx, rho_prime, kRhoPrimeBytes);\n\n // Intermediate values, allocated on the heap to allow use when there is a\n // limited amount of stack.\n struct values_st {\n struct signature sign;\n vector s1_ntt;\n vector s2_ntt;\n vector t0_ntt;\n matrix a_ntt;\n vector y;\n vector w;\n vector w1;\n vector cs1;\n vector cs2;\n };\n std::unique_ptr> values(\n reinterpret_cast(OPENSSL_malloc(sizeof(values_st))));\n if (values == NULL) {\n return 0;\n }\n OPENSSL_memcpy(&values->s1_ntt, &priv->s1, sizeof(values->s1_ntt));\n vector_ntt(&values->s1_ntt);\n\n OPENSSL_memcpy(&values->s2_ntt, &priv->s2, sizeof(values->s2_ntt));\n vector_ntt(&values->s2_ntt);\n\n OPENSSL_memcpy(&values->t0_ntt, &priv->t0, sizeof(values->t0_ntt));\n vector_ntt(&values->t0_ntt);\n\n matrix_expand(&values->a_ntt, priv->rho);\n\n // kappa must not exceed 2**16/L = 13107. But the probability of it\n // exceeding even 1000 iterations is vanishingly small.\n for (size_t kappa = 0;; kappa += L) {\n vector_expand_mask(&values->y, rho_prime, kappa);\n\n vector *y_ntt = &values->cs1;\n OPENSSL_memcpy(y_ntt, &values->y, sizeof(*y_ntt));\n vector_ntt(y_ntt);\n\n matrix_mult(&values->w, &values->a_ntt, y_ntt);\n vector_inverse_ntt(&values->w);\n\n vector_high_bits(&values->w1, &values->w);\n uint8_t w1_encoded[128 * K];\n w1_encode(w1_encoded, &values->w1);\n\n BORINGSSL_keccak_init(&keccak_ctx, boringssl_shake256);\n BORINGSSL_keccak_absorb(&keccak_ctx, mu, kMuBytes);\n BORINGSSL_keccak_absorb(&keccak_ctx, w1_encoded, 128 * K);\n BORINGSSL_keccak_squeeze(&keccak_ctx, values->sign.c_tilde,\n 2 * lambda_bytes());\n\n scalar c_ntt;\n scalar_sample_in_ball_vartime(&c_ntt, values->sign.c_tilde,\n sizeof(values->sign.c_tilde), tau());\n scalar_ntt(&c_ntt);\n\n vector_mult_scalar(&values->cs1, &values->s1_ntt, &c_ntt);\n vector_inverse_ntt(&values->cs1);\n vector_mult_scalar(&values->cs2, &values->s2_ntt, &c_ntt);\n vector_inverse_ntt(&values->cs2);\n\n vector_add(&values->sign.z, &values->y, &values->cs1);\n\n vector *r0 = &values->w1;\n vector_sub(r0, &values->w, &values->cs2);\n vector_low_bits(r0, r0);\n\n // Leaking the fact that a signature was rejected is fine as the next\n // attempt at a signature will be (indistinguishable from) independent of\n // this one. Note, however, that we additionally leak which of the two\n // branches rejected the signature. Section 5.5 of\n // https://pq-crystals.org/dilithium/data/dilithium-specification-round3.pdf\n // describes this leak as OK. Note we leak less than what is described by\n // the paper; we do not reveal which coefficient violated the bound, and\n // we hide which of the |z_max| or |r0_max| bound failed. See also\n // https://boringssl-review.googlesource.com/c/boringssl/+/67747/comment/2bbab0fa_d241d35a/\n uint32_t z_max = vector_max(&values->sign.z);\n uint32_t r0_max = vector_max_signed(r0);\n if (constant_time_declassify_w(\n constant_time_ge_w(z_max, gamma1() - beta()) |\n constant_time_ge_w(r0_max, kGamma2 - beta()))) {\n continue;\n }\n\n vector *ct0 = &values->w1;\n vector_mult_scalar(ct0, &values->t0_ntt, &c_ntt);\n vector_inverse_ntt(ct0);\n vector_make_hint(&values->sign.h, ct0, &values->cs2, &values->w);\n\n // See above.\n uint32_t ct0_max = vector_max(ct0);\n size_t h_ones = vector_count_ones(&values->sign.h);\n if (constant_time_declassify_w(constant_time_ge_w(ct0_max, kGamma2) |\n constant_time_lt_w(omega(), h_ones))) {\n continue;\n }\n\n // Although computed with the private key, the signature is public.\n CONSTTIME_DECLASSIFY(values->sign.c_tilde, sizeof(values->sign.c_tilde));\n CONSTTIME_DECLASSIFY(&values->sign.z, sizeof(values->sign.z));\n CONSTTIME_DECLASSIFY(&values->sign.h, sizeof(values->sign.h));\n\n CBB cbb;\n CBB_init_fixed(&cbb, out_encoded_signature, signature_bytes());\n if (!mldsa_marshal_signature(&cbb, &values->sign)) {\n return 0;\n }\n\n BSSL_CHECK(CBB_len(&cbb) == signature_bytes());\n return 1;\n }\n}\n\n// FIPS 204, Algorithm 8 (`ML-DSA.Verify_internal`).\ntemplate \nint mldsa_verify_internal(const struct public_key *pub,\n const uint8_t encoded_signature[signature_bytes()],\n const uint8_t *msg, size_t msg_len,\n const uint8_t *context_prefix,\n size_t context_prefix_len, const uint8_t *context,\n size_t context_len) {\n // Intermediate values, allocated on the heap to allow use when there is a\n // limited amount of stack.\n struct values_st {\n struct signature sign;\n matrix a_ntt;\n vector z_ntt;\n vector az_ntt;\n vector ct1_ntt;\n };\n std::unique_ptr> values(\n reinterpret_cast(OPENSSL_malloc(sizeof(values_st))));\n if (values == NULL) {\n return 0;\n }\n\n CBS cbs;\n CBS_init(&cbs, encoded_signature, signature_bytes());\n if (!mldsa_parse_signature(&values->sign, &cbs)) {\n return 0;\n }\n\n matrix_expand(&values->a_ntt, pub->rho);\n\n uint8_t mu[kMuBytes];\n struct BORINGSSL_keccak_st keccak_ctx;\n BORINGSSL_keccak_init(&keccak_ctx, boringssl_shake256);\n BORINGSSL_keccak_absorb(&keccak_ctx, pub->public_key_hash,\n sizeof(pub->public_key_hash));\n BORINGSSL_keccak_absorb(&keccak_ctx, context_prefix, context_prefix_len);\n BORINGSSL_keccak_absorb(&keccak_ctx, context, context_len);\n BORINGSSL_keccak_absorb(&keccak_ctx, msg, msg_len);\n BORINGSSL_keccak_squeeze(&keccak_ctx, mu, kMuBytes);\n\n scalar c_ntt;\n scalar_sample_in_ball_vartime(&c_ntt, values->sign.c_tilde,\n sizeof(values->sign.c_tilde), tau());\n scalar_ntt(&c_ntt);\n\n OPENSSL_memcpy(&values->z_ntt, &values->sign.z, sizeof(values->z_ntt));\n vector_ntt(&values->z_ntt);\n\n matrix_mult(&values->az_ntt, &values->a_ntt, &values->z_ntt);\n\n vector_scale_power2_round(&values->ct1_ntt, &pub->t1);\n vector_ntt(&values->ct1_ntt);\n\n vector_mult_scalar(&values->ct1_ntt, &values->ct1_ntt, &c_ntt);\n\n vector *const w1 = &values->az_ntt;\n vector_sub(w1, &values->az_ntt, &values->ct1_ntt);\n vector_inverse_ntt(w1);\n\n vector_use_hint_vartime(w1, &values->sign.h, w1);\n uint8_t w1_encoded[128 * K];\n w1_encode(w1_encoded, w1);\n\n uint8_t c_tilde[2 * lambda_bytes()];\n BORINGSSL_keccak_init(&keccak_ctx, boringssl_shake256);\n BORINGSSL_keccak_absorb(&keccak_ctx, mu, kMuBytes);\n BORINGSSL_keccak_absorb(&keccak_ctx, w1_encoded, 128 * K);\n BORINGSSL_keccak_squeeze(&keccak_ctx, c_tilde, 2 * lambda_bytes());\n\n uint32_t z_max = vector_max(&values->sign.z);\n return z_max < static_cast(gamma1() - beta()) &&\n OPENSSL_memcmp(c_tilde, values->sign.c_tilde, 2 * lambda_bytes()) ==\n 0;\n}\n\nstruct private_key<6, 5> *private_key_from_external_65(\n const struct BCM_mldsa65_private_key *external) {\n static_assert(sizeof(struct BCM_mldsa65_private_key) ==\n sizeof(struct private_key<6, 5>),\n \"MLDSA65 private key size incorrect\");\n static_assert(alignof(struct BCM_mldsa65_private_key) ==\n alignof(struct private_key<6, 5>),\n \"MLDSA65 private key align incorrect\");\n return (struct private_key<6, 5> *)external;\n}\n\nstruct public_key<6> *\npublic_key_from_external_65(const struct BCM_mldsa65_public_key *external) {\n static_assert(sizeof(struct BCM_mldsa65_public_key) ==\n sizeof(struct public_key<6>),\n \"MLDSA65 public key size incorrect\");\n static_assert(alignof(struct BCM_mldsa65_public_key) ==\n alignof(struct public_key<6>),\n \"MLDSA65 public key align incorrect\");\n return (struct public_key<6> *)external;\n}\n\nstruct private_key<8, 7> *\nprivate_key_from_external_87(const struct BCM_mldsa87_private_key *external) {\n static_assert(sizeof(struct BCM_mldsa87_private_key) ==\n sizeof(struct private_key<8, 7>),\n \"MLDSA87 private key size incorrect\");\n static_assert(alignof(struct BCM_mldsa87_private_key) ==\n alignof(struct private_key<8, 7>),\n \"MLDSA87 private key align incorrect\");\n return (struct private_key<8, 7> *)external;\n}\n\nstruct public_key<8> *\npublic_key_from_external_87(const struct BCM_mldsa87_public_key *external) {\n static_assert(sizeof(struct BCM_mldsa87_public_key) ==\n sizeof(struct public_key<8>),\n \"MLDSA87 public key size incorrect\");\n static_assert(alignof(struct BCM_mldsa87_public_key) ==\n alignof(struct public_key<8>),\n \"MLDSA87 public key align incorrect\");\n return (struct public_key<8> *)external;\n}\n\n} // namespace\n} // namespace mldsa\n\n\n// ML-DSA-65 specific wrappers.\n\nbcm_status BCM_mldsa65_parse_public_key(\n struct BCM_mldsa65_public_key *public_key, CBS *in) {\n return bcm_as_approved_status(mldsa_parse_public_key(\n mldsa::public_key_from_external_65(public_key), in));\n}\n\nbcm_status BCM_mldsa65_marshal_private_key(\n CBB *out, const struct BCM_mldsa65_private_key *private_key) {\n return bcm_as_approved_status(mldsa_marshal_private_key(\n out, mldsa::private_key_from_external_65(private_key)));\n}\n\nbcm_status BCM_mldsa65_parse_private_key(\n struct BCM_mldsa65_private_key *private_key, CBS *in) {\n return bcm_as_approved_status(\n mldsa_parse_private_key(mldsa::private_key_from_external_65(private_key),\n in) &&\n CBS_len(in) == 0);\n}\n\n// Calls |MLDSA_generate_key_external_entropy| with random bytes from\n// |BCM_rand_bytes|.\nbcm_status BCM_mldsa65_generate_key(\n uint8_t out_encoded_public_key[BCM_MLDSA65_PUBLIC_KEY_BYTES],\n uint8_t out_seed[BCM_MLDSA_SEED_BYTES],\n struct BCM_mldsa65_private_key *out_private_key) {\n BCM_rand_bytes(out_seed, BCM_MLDSA_SEED_BYTES);\n CONSTTIME_SECRET(out_seed, BCM_MLDSA_SEED_BYTES);\n return BCM_mldsa65_generate_key_external_entropy(out_encoded_public_key,\n out_private_key, out_seed);\n}\n\nbcm_status BCM_mldsa65_private_key_from_seed(\n struct BCM_mldsa65_private_key *out_private_key,\n const uint8_t seed[BCM_MLDSA_SEED_BYTES]) {\n uint8_t public_key[BCM_MLDSA65_PUBLIC_KEY_BYTES];\n return BCM_mldsa65_generate_key_external_entropy(public_key, out_private_key,\n seed);\n}\n\nbcm_status BCM_mldsa65_generate_key_external_entropy(\n uint8_t out_encoded_public_key[BCM_MLDSA65_PUBLIC_KEY_BYTES],\n struct BCM_mldsa65_private_key *out_private_key,\n const uint8_t entropy[BCM_MLDSA_SEED_BYTES]) {\n return bcm_as_approved_status(mldsa_generate_key_external_entropy(\n out_encoded_public_key,\n mldsa::private_key_from_external_65(out_private_key), entropy));\n}\n\nbcm_status BCM_mldsa65_public_from_private(\n struct BCM_mldsa65_public_key *out_public_key,\n const struct BCM_mldsa65_private_key *private_key) {\n return bcm_as_approved_status(mldsa_public_from_private(\n mldsa::public_key_from_external_65(out_public_key),\n mldsa::private_key_from_external_65(private_key)));\n}\n\nbcm_status BCM_mldsa65_sign_internal(\n uint8_t out_encoded_signature[BCM_MLDSA65_SIGNATURE_BYTES],\n const struct BCM_mldsa65_private_key *private_key, const uint8_t *msg,\n size_t msg_len, const uint8_t *context_prefix, size_t context_prefix_len,\n const uint8_t *context, size_t context_len,\n const uint8_t randomizer[BCM_MLDSA_SIGNATURE_RANDOMIZER_BYTES]) {\n return bcm_as_approved_status(mldsa_sign_internal(\n out_encoded_signature, mldsa::private_key_from_external_65(private_key),\n msg, msg_len, context_prefix, context_prefix_len, context, context_len,\n randomizer));\n}\n\n// ML-DSA signature in randomized mode, filling the random bytes with\n// |BCM_rand_bytes|.\nbcm_status BCM_mldsa65_sign(\n uint8_t out_encoded_signature[BCM_MLDSA65_SIGNATURE_BYTES],\n const struct BCM_mldsa65_private_key *private_key, const uint8_t *msg,\n size_t msg_len, const uint8_t *context, size_t context_len) {\n BSSL_CHECK(context_len <= 255);\n uint8_t randomizer[BCM_MLDSA_SIGNATURE_RANDOMIZER_BYTES];\n BCM_rand_bytes(randomizer, sizeof(randomizer));\n CONSTTIME_SECRET(randomizer, sizeof(randomizer));\n\n const uint8_t context_prefix[2] = {0, static_cast(context_len)};\n return BCM_mldsa65_sign_internal(\n out_encoded_signature, private_key, msg, msg_len, context_prefix,\n sizeof(context_prefix), context, context_len, randomizer);\n}\n\n// FIPS 204, Algorithm 3 (`ML-DSA.Verify`).\nbcm_status BCM_mldsa65_verify(\n const struct BCM_mldsa65_public_key *public_key,\n const uint8_t signature[BCM_MLDSA65_SIGNATURE_BYTES], const uint8_t *msg,\n size_t msg_len, const uint8_t *context, size_t context_len) {\n BSSL_CHECK(context_len <= 255);\n const uint8_t context_prefix[2] = {0, static_cast(context_len)};\n return BCM_mldsa65_verify_internal(public_key, signature, msg, msg_len,\n context_prefix, sizeof(context_prefix),\n context, context_len);\n}\n\nbcm_status BCM_mldsa65_verify_internal(\n const struct BCM_mldsa65_public_key *public_key,\n const uint8_t encoded_signature[BCM_MLDSA65_SIGNATURE_BYTES],\n const uint8_t *msg, size_t msg_len, const uint8_t *context_prefix,\n size_t context_prefix_len, const uint8_t *context, size_t context_len) {\n return bcm_as_approved_status(mldsa::mldsa_verify_internal<6, 5>(\n mldsa::public_key_from_external_65(public_key), encoded_signature, msg,\n msg_len, context_prefix, context_prefix_len, context, context_len));\n}\n\nbcm_status BCM_mldsa65_marshal_public_key(\n CBB *out, const struct BCM_mldsa65_public_key *public_key) {\n return bcm_as_approved_status(mldsa_marshal_public_key(\n out, mldsa::public_key_from_external_65(public_key)));\n}\n\n\n// ML-DSA-87 specific wrappers.\n\nbcm_status BCM_mldsa87_parse_public_key(\n struct BCM_mldsa87_public_key *public_key, CBS *in) {\n return bcm_as_approved_status(mldsa_parse_public_key(\n mldsa::public_key_from_external_87(public_key), in));\n}\n\nbcm_status BCM_mldsa87_marshal_private_key(\n CBB *out, const struct BCM_mldsa87_private_key *private_key) {\n return bcm_as_approved_status(mldsa_marshal_private_key(\n out, mldsa::private_key_from_external_87(private_key)));\n}\n\nbcm_status BCM_mldsa87_parse_private_key(\n struct BCM_mldsa87_private_key *private_key, CBS *in) {\n return bcm_as_approved_status(\n mldsa_parse_private_key(mldsa::private_key_from_external_87(private_key),\n in) &&\n CBS_len(in) == 0);\n}\n\n// Calls |MLDSA_generate_key_external_entropy| with random bytes from\n// |BCM_rand_bytes|.\nbcm_status BCM_mldsa87_generate_key(\n uint8_t out_encoded_public_key[BCM_MLDSA87_PUBLIC_KEY_BYTES],\n uint8_t out_seed[BCM_MLDSA_SEED_BYTES],\n struct BCM_mldsa87_private_key *out_private_key) {\n BCM_rand_bytes(out_seed, BCM_MLDSA_SEED_BYTES);\n return BCM_mldsa87_generate_key_external_entropy(out_encoded_public_key,\n out_private_key, out_seed);\n}\n\nbcm_status BCM_mldsa87_private_key_from_seed(\n struct BCM_mldsa87_private_key *out_private_key,\n const uint8_t seed[BCM_MLDSA_SEED_BYTES]) {\n uint8_t public_key[BCM_MLDSA87_PUBLIC_KEY_BYTES];\n return BCM_mldsa87_generate_key_external_entropy(public_key, out_private_key,\n seed);\n}\n\nbcm_status BCM_mldsa87_generate_key_external_entropy(\n uint8_t out_encoded_public_key[BCM_MLDSA87_PUBLIC_KEY_BYTES],\n struct BCM_mldsa87_private_key *out_private_key,\n const uint8_t entropy[BCM_MLDSA_SEED_BYTES]) {\n return bcm_as_approved_status(mldsa_generate_key_external_entropy(\n out_encoded_public_key,\n mldsa::private_key_from_external_87(out_private_key), entropy));\n}\n\nbcm_status BCM_mldsa87_public_from_private(\n struct BCM_mldsa87_public_key *out_public_key,\n const struct BCM_mldsa87_private_key *private_key) {\n return bcm_as_approved_status(mldsa_public_from_private(\n mldsa::public_key_from_external_87(out_public_key),\n mldsa::private_key_from_external_87(private_key)));\n}\n\nbcm_status BCM_mldsa87_sign_internal(\n uint8_t out_encoded_signature[BCM_MLDSA87_SIGNATURE_BYTES],\n const struct BCM_mldsa87_private_key *private_key, const uint8_t *msg,\n size_t msg_len, const uint8_t *context_prefix, size_t context_prefix_len,\n const uint8_t *context, size_t context_len,\n const uint8_t randomizer[BCM_MLDSA_SIGNATURE_RANDOMIZER_BYTES]) {\n return bcm_as_approved_status(mldsa_sign_internal(\n out_encoded_signature, mldsa::private_key_from_external_87(private_key),\n msg, msg_len, context_prefix, context_prefix_len, context, context_len,\n randomizer));\n}\n\n// ML-DSA signature in randomized mode, filling the random bytes with\n// |BCM_rand_bytes|.\nbcm_status BCM_mldsa87_sign(\n uint8_t out_encoded_signature[BCM_MLDSA87_SIGNATURE_BYTES],\n const struct BCM_mldsa87_private_key *private_key, const uint8_t *msg,\n size_t msg_len, const uint8_t *context, size_t context_len) {\n BSSL_CHECK(context_len <= 255);\n uint8_t randomizer[BCM_MLDSA_SIGNATURE_RANDOMIZER_BYTES];\n BCM_rand_bytes(randomizer, sizeof(randomizer));\n\n const uint8_t context_prefix[2] = {0, static_cast(context_len)};\n return BCM_mldsa87_sign_internal(\n out_encoded_signature, private_key, msg, msg_len, context_prefix,\n sizeof(context_prefix), context, context_len, randomizer);\n}\n\n// FIPS 204, Algorithm 3 (`ML-DSA.Verify`).\nbcm_status BCM_mldsa87_verify(const struct BCM_mldsa87_public_key *public_key,\n const uint8_t *signature, const uint8_t *msg,\n size_t msg_len, const uint8_t *context,\n size_t context_len) {\n BSSL_CHECK(context_len <= 255);\n const uint8_t context_prefix[2] = {0, static_cast(context_len)};\n return BCM_mldsa87_verify_internal(public_key, signature, msg, msg_len,\n context_prefix, sizeof(context_prefix),\n context, context_len);\n}\n\nbcm_status BCM_mldsa87_verify_internal(\n const struct BCM_mldsa87_public_key *public_key,\n const uint8_t encoded_signature[BCM_MLDSA87_SIGNATURE_BYTES],\n const uint8_t *msg, size_t msg_len, const uint8_t *context_prefix,\n size_t context_prefix_len, const uint8_t *context, size_t context_len) {\n return bcm_as_approved_status(mldsa::mldsa_verify_internal<8, 7>(\n mldsa::public_key_from_external_87(public_key), encoded_signature, msg,\n msg_len, context_prefix, context_prefix_len, context, context_len));\n}\n\nbcm_status BCM_mldsa87_marshal_public_key(\n CBB *out, const struct BCM_mldsa87_public_key *public_key) {\n return bcm_as_approved_status(mldsa_marshal_public_key(\n out, mldsa::public_key_from_external_87(public_key)));\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/fipsmodule/mlkem/mlkem.cc.inc", "content": "/* Copyright 2014 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n#include \n\n#include \n#include \n#include \n#include \n\n#include \n#include \n#include \n#include \n\n#include \"../../internal.h\"\n#include \"../bcm_interface.h\"\n#include \"../keccak/internal.h\"\n\n\nnamespace mlkem {\nnamespace {\n\n// See\n// https://csrc.nist.gov/pubs/fips/203/final\n\nstatic void prf(uint8_t *out, size_t out_len, const uint8_t in[33]) {\n BORINGSSL_keccak(out, out_len, in, 33, boringssl_shake256);\n}\n\n// Section 4.1\nvoid hash_h(uint8_t out[32], const uint8_t *in, size_t len) {\n BORINGSSL_keccak(out, 32, in, len, boringssl_sha3_256);\n}\n\nvoid hash_g(uint8_t out[64], const uint8_t *in, size_t len) {\n BORINGSSL_keccak(out, 64, in, len, boringssl_sha3_512);\n}\n\n// This is called `J` in the spec.\nvoid kdf(uint8_t out[BCM_MLKEM_SHARED_SECRET_BYTES],\n const uint8_t failure_secret[32], const uint8_t *ciphertext,\n size_t ciphertext_len) {\n struct BORINGSSL_keccak_st st;\n BORINGSSL_keccak_init(&st, boringssl_shake256);\n BORINGSSL_keccak_absorb(&st, failure_secret, 32);\n BORINGSSL_keccak_absorb(&st, ciphertext, ciphertext_len);\n BORINGSSL_keccak_squeeze(&st, out, BCM_MLKEM_SHARED_SECRET_BYTES);\n}\n\n// Constants that are common across all sizes.\n#define DEGREE 256\nconst size_t kBarrettMultiplier = 5039;\nconst unsigned kBarrettShift = 24;\nstatic const uint16_t kPrime = 3329;\nconst int kLog2Prime = 12;\nconst uint16_t kHalfPrime = (/*kPrime=*/3329 - 1) / 2;\n// kInverseDegree is 128^-1 mod 3329; 128 because kPrime does not have a 512th\n// root of unity.\nconst uint16_t kInverseDegree = 3303;\n\n// Rank-specific constants.\n#define RANK768 3\nstatic const int kDU768 = 10;\nconst int kDV768 = 4;\n#define RANK1024 4\nstatic const int kDU1024 = 11;\nconst int kDV1024 = 5;\n\nconstexpr size_t encoded_vector_size(int rank) {\n return (kLog2Prime * DEGREE / 8) * static_cast(rank);\n}\n\nconstexpr size_t encoded_public_key_size(int rank) {\n return encoded_vector_size(rank) + /*sizeof(rho)=*/32;\n}\n\nstatic_assert(encoded_public_key_size(RANK768) == BCM_MLKEM768_PUBLIC_KEY_BYTES,\n \"\");\nstatic_assert(encoded_public_key_size(RANK1024) ==\n BCM_MLKEM1024_PUBLIC_KEY_BYTES,\n \"\");\n\nconstexpr size_t compressed_vector_size(int rank) {\n // `if constexpr` isn't available in C++17.\n return (rank == RANK768 ? kDU768 : kDU1024) * static_cast(rank) *\n DEGREE / 8;\n}\n\nconstexpr size_t ciphertext_size(int rank) {\n return compressed_vector_size(rank) +\n (rank == RANK768 ? kDV768 : kDV1024) * DEGREE / 8;\n}\n\nstatic_assert(ciphertext_size(RANK768) == BCM_MLKEM768_CIPHERTEXT_BYTES, \"\");\nstatic_assert(ciphertext_size(RANK1024) == BCM_MLKEM1024_CIPHERTEXT_BYTES, \"\");\n\ntypedef struct scalar {\n // On every function entry and exit, 0 <= c < kPrime.\n uint16_t c[DEGREE];\n} scalar;\n\ntemplate \nstruct vector {\n scalar v[RANK];\n};\n\ntemplate \nstruct matrix {\n scalar v[RANK][RANK];\n};\n\n// This bit of Python will be referenced in some of the following comments:\n//\n// p = 3329\n//\n// def bitreverse(i):\n// ret = 0\n// for n in range(7):\n// bit = i & 1\n// ret <<= 1\n// ret |= bit\n// i >>= 1\n// return ret\n\n// kNTTRoots = [pow(17, bitreverse(i), p) for i in range(128)]\nconst uint16_t kNTTRoots[128] = {\n 1, 1729, 2580, 3289, 2642, 630, 1897, 848, 1062, 1919, 193, 797,\n 2786, 3260, 569, 1746, 296, 2447, 1339, 1476, 3046, 56, 2240, 1333,\n 1426, 2094, 535, 2882, 2393, 2879, 1974, 821, 289, 331, 3253, 1756,\n 1197, 2304, 2277, 2055, 650, 1977, 2513, 632, 2865, 33, 1320, 1915,\n 2319, 1435, 807, 452, 1438, 2868, 1534, 2402, 2647, 2617, 1481, 648,\n 2474, 3110, 1227, 910, 17, 2761, 583, 2649, 1637, 723, 2288, 1100,\n 1409, 2662, 3281, 233, 756, 2156, 3015, 3050, 1703, 1651, 2789, 1789,\n 1847, 952, 1461, 2687, 939, 2308, 2437, 2388, 733, 2337, 268, 641,\n 1584, 2298, 2037, 3220, 375, 2549, 2090, 1645, 1063, 319, 2773, 757,\n 2099, 561, 2466, 2594, 2804, 1092, 403, 1026, 1143, 2150, 2775, 886,\n 1722, 1212, 1874, 1029, 2110, 2935, 885, 2154,\n};\n\n// kInverseNTTRoots = [pow(17, -bitreverse(i), p) for i in range(128)]\nconst uint16_t kInverseNTTRoots[128] = {\n 1, 1600, 40, 749, 2481, 1432, 2699, 687, 1583, 2760, 69, 543,\n 2532, 3136, 1410, 2267, 2508, 1355, 450, 936, 447, 2794, 1235, 1903,\n 1996, 1089, 3273, 283, 1853, 1990, 882, 3033, 2419, 2102, 219, 855,\n 2681, 1848, 712, 682, 927, 1795, 461, 1891, 2877, 2522, 1894, 1010,\n 1414, 2009, 3296, 464, 2697, 816, 1352, 2679, 1274, 1052, 1025, 2132,\n 1573, 76, 2998, 3040, 1175, 2444, 394, 1219, 2300, 1455, 2117, 1607,\n 2443, 554, 1179, 2186, 2303, 2926, 2237, 525, 735, 863, 2768, 1230,\n 2572, 556, 3010, 2266, 1684, 1239, 780, 2954, 109, 1292, 1031, 1745,\n 2688, 3061, 992, 2596, 941, 892, 1021, 2390, 642, 1868, 2377, 1482,\n 1540, 540, 1678, 1626, 279, 314, 1173, 2573, 3096, 48, 667, 1920,\n 2229, 1041, 2606, 1692, 680, 2746, 568, 3312,\n};\n\n// kModRoots = [pow(17, 2*bitreverse(i) + 1, p) for i in range(128)]\nconst uint16_t kModRoots[128] = {\n 17, 3312, 2761, 568, 583, 2746, 2649, 680, 1637, 1692, 723, 2606,\n 2288, 1041, 1100, 2229, 1409, 1920, 2662, 667, 3281, 48, 233, 3096,\n 756, 2573, 2156, 1173, 3015, 314, 3050, 279, 1703, 1626, 1651, 1678,\n 2789, 540, 1789, 1540, 1847, 1482, 952, 2377, 1461, 1868, 2687, 642,\n 939, 2390, 2308, 1021, 2437, 892, 2388, 941, 733, 2596, 2337, 992,\n 268, 3061, 641, 2688, 1584, 1745, 2298, 1031, 2037, 1292, 3220, 109,\n 375, 2954, 2549, 780, 2090, 1239, 1645, 1684, 1063, 2266, 319, 3010,\n 2773, 556, 757, 2572, 2099, 1230, 561, 2768, 2466, 863, 2594, 735,\n 2804, 525, 1092, 2237, 403, 2926, 1026, 2303, 1143, 2186, 2150, 1179,\n 2775, 554, 886, 2443, 1722, 1607, 1212, 2117, 1874, 1455, 1029, 2300,\n 2110, 1219, 2935, 394, 885, 2444, 2154, 1175,\n};\n\n// reduce_once reduces 0 <= x < 2*kPrime, mod kPrime.\nuint16_t reduce_once(uint16_t x) {\n declassify_assert(x < 2 * kPrime);\n const uint16_t subtracted = x - kPrime;\n uint16_t mask = 0u - (subtracted >> 15);\n // Although this is a constant-time select, we omit a value barrier here.\n // Value barriers impede auto-vectorization (likely because it forces the\n // value to transit through a general-purpose register). On AArch64, this is a\n // difference of 2x.\n //\n // We usually add value barriers to selects because Clang turns consecutive\n // selects with the same condition into a branch instead of CMOV/CSEL. This\n // condition does not occur in ML-KEM, so omitting it seems to be safe so far,\n // but see |scalar_centered_binomial_distribution_eta_2_with_prf|.\n return (mask & x) | (~mask & subtracted);\n}\n\n// constant time reduce x mod kPrime using Barrett reduction. x must be less\n// than kPrime + 2×kPrime².\nstatic uint16_t reduce(uint32_t x) {\n declassify_assert(x < kPrime + 2u * kPrime * kPrime);\n uint64_t product = (uint64_t)x * kBarrettMultiplier;\n uint32_t quotient = (uint32_t)(product >> kBarrettShift);\n uint32_t remainder = x - quotient * kPrime;\n return reduce_once(remainder);\n}\n\nvoid scalar_zero(scalar *out) { OPENSSL_memset(out, 0, sizeof(*out)); }\n\ntemplate \nvoid vector_zero(vector *out) {\n OPENSSL_memset(out->v, 0, sizeof(scalar) * RANK);\n}\n\n// In place number theoretic transform of a given scalar.\n// Note that MLKEM's kPrime 3329 does not have a 512th root of unity, so this\n// transform leaves off the last iteration of the usual FFT code, with the 128\n// relevant roots of unity being stored in |kNTTRoots|. This means the output\n// should be seen as 128 elements in GF(3329^2), with the coefficients of the\n// elements being consecutive entries in |s->c|.\nstatic void scalar_ntt(scalar *s) {\n int offset = DEGREE;\n // `int` is used here because using `size_t` throughout caused a ~5% slowdown\n // with Clang 14 on Aarch64.\n for (int step = 1; step < DEGREE / 2; step <<= 1) {\n offset >>= 1;\n int k = 0;\n for (int i = 0; i < step; i++) {\n const uint32_t step_root = kNTTRoots[i + step];\n for (int j = k; j < k + offset; j++) {\n uint16_t odd = reduce(step_root * s->c[j + offset]);\n uint16_t even = s->c[j];\n s->c[j] = reduce_once(odd + even);\n s->c[j + offset] = reduce_once(even - odd + kPrime);\n }\n k += 2 * offset;\n }\n }\n}\n\ntemplate \nstatic void vector_ntt(vector *a) {\n for (int i = 0; i < RANK; i++) {\n scalar_ntt(&a->v[i]);\n }\n}\n\n// In place inverse number theoretic transform of a given scalar, with pairs of\n// entries of s->v being interpreted as elements of GF(3329^2). Just as with the\n// number theoretic transform, this leaves off the first step of the normal iFFT\n// to account for the fact that 3329 does not have a 512th root of unity, using\n// the precomputed 128 roots of unity stored in |kInverseNTTRoots|.\nvoid scalar_inverse_ntt(scalar *s) {\n int step = DEGREE / 2;\n // `int` is used here because using `size_t` throughout caused a ~5% slowdown\n // with Clang 14 on Aarch64.\n for (int offset = 2; offset < DEGREE; offset <<= 1) {\n step >>= 1;\n int k = 0;\n for (int i = 0; i < step; i++) {\n uint32_t step_root = kInverseNTTRoots[i + step];\n for (int j = k; j < k + offset; j++) {\n uint16_t odd = s->c[j + offset];\n uint16_t even = s->c[j];\n s->c[j] = reduce_once(odd + even);\n s->c[j + offset] = reduce(step_root * (even - odd + kPrime));\n }\n k += 2 * offset;\n }\n }\n for (int i = 0; i < DEGREE; i++) {\n s->c[i] = reduce(s->c[i] * kInverseDegree);\n }\n}\n\ntemplate \nvoid vector_inverse_ntt(vector *a) {\n for (int i = 0; i < RANK; i++) {\n scalar_inverse_ntt(&a->v[i]);\n }\n}\n\nvoid scalar_add(scalar *lhs, const scalar *rhs) {\n for (int i = 0; i < DEGREE; i++) {\n lhs->c[i] = reduce_once(lhs->c[i] + rhs->c[i]);\n }\n}\n\nvoid scalar_sub(scalar *lhs, const scalar *rhs) {\n for (int i = 0; i < DEGREE; i++) {\n lhs->c[i] = reduce_once(lhs->c[i] - rhs->c[i] + kPrime);\n }\n}\n\n// Multiplying two scalars in the number theoretically transformed state. Since\n// 3329 does not have a 512th root of unity, this means we have to interpret\n// the 2*ith and (2*i+1)th entries of the scalar as elements of GF(3329)[X]/(X^2\n// - 17^(2*bitreverse(i)+1)) The value of 17^(2*bitreverse(i)+1) mod 3329 is\n// stored in the precomputed |kModRoots| table. Note that our Barrett transform\n// only allows us to multipy two reduced numbers together, so we need some\n// intermediate reduction steps, even if an uint64_t could hold 3 multiplied\n// numbers.\nvoid scalar_mult(scalar *out, const scalar *lhs, const scalar *rhs) {\n for (int i = 0; i < DEGREE / 2; i++) {\n uint32_t real_real = (uint32_t)lhs->c[2 * i] * rhs->c[2 * i];\n uint32_t img_img = (uint32_t)lhs->c[2 * i + 1] * rhs->c[2 * i + 1];\n uint32_t real_img = (uint32_t)lhs->c[2 * i] * rhs->c[2 * i + 1];\n uint32_t img_real = (uint32_t)lhs->c[2 * i + 1] * rhs->c[2 * i];\n out->c[2 * i] =\n reduce(real_real + (uint32_t)reduce(img_img) * kModRoots[i]);\n out->c[2 * i + 1] = reduce(img_real + real_img);\n }\n}\n\ntemplate \nvoid vector_add(vector *lhs, const vector *rhs) {\n for (int i = 0; i < RANK; i++) {\n scalar_add(&lhs->v[i], &rhs->v[i]);\n }\n}\n\ntemplate \nstatic void matrix_mult(vector *out, const matrix *m,\n const vector *a) {\n vector_zero(out);\n for (int i = 0; i < RANK; i++) {\n for (int j = 0; j < RANK; j++) {\n scalar product;\n scalar_mult(&product, &m->v[i][j], &a->v[j]);\n scalar_add(&out->v[i], &product);\n }\n }\n}\n\ntemplate \nvoid matrix_mult_transpose(vector *out, const matrix *m,\n const vector *a) {\n vector_zero(out);\n for (int i = 0; i < RANK; i++) {\n for (int j = 0; j < RANK; j++) {\n scalar product;\n scalar_mult(&product, &m->v[j][i], &a->v[j]);\n scalar_add(&out->v[i], &product);\n }\n }\n}\n\ntemplate \nvoid scalar_inner_product(scalar *out, const vector *lhs,\n const vector *rhs) {\n scalar_zero(out);\n for (int i = 0; i < RANK; i++) {\n scalar product;\n scalar_mult(&product, &lhs->v[i], &rhs->v[i]);\n scalar_add(out, &product);\n }\n}\n\n// Algorithm 6 from the spec. Rejection samples a Keccak stream to get\n// uniformly distributed elements. This is used for matrix expansion and only\n// operates on public inputs.\nstatic void scalar_from_keccak_vartime(scalar *out,\n struct BORINGSSL_keccak_st *keccak_ctx) {\n assert(keccak_ctx->squeeze_offset == 0);\n assert(keccak_ctx->rate_bytes == 168);\n static_assert(168 % 3 == 0, \"block and coefficient boundaries do not align\");\n\n int done = 0;\n while (done < DEGREE) {\n uint8_t block[168];\n BORINGSSL_keccak_squeeze(keccak_ctx, block, sizeof(block));\n for (size_t i = 0; i < sizeof(block) && done < DEGREE; i += 3) {\n uint16_t d1 = block[i] + 256 * (block[i + 1] % 16);\n uint16_t d2 = block[i + 1] / 16 + 16 * block[i + 2];\n if (d1 < kPrime) {\n out->c[done++] = d1;\n }\n if (d2 < kPrime && done < DEGREE) {\n out->c[done++] = d2;\n }\n }\n }\n}\n\n// Algorithm 7 from the spec, with eta fixed to two and the PRF call\n// included. Creates binominally distributed elements by sampling 2*|eta| bits,\n// and setting the coefficient to the count of the first bits minus the count of\n// the second bits, resulting in a centered binomial distribution. Since eta is\n// two this gives -2/2 with a probability of 1/16, -1/1 with probability 1/4,\n// and 0 with probability 3/8.\nvoid scalar_centered_binomial_distribution_eta_2_with_prf(\n scalar *out, const uint8_t input[33]) {\n uint8_t entropy[128];\n static_assert(sizeof(entropy) == 2 * /*kEta=*/2 * DEGREE / 8, \"\");\n prf(entropy, sizeof(entropy), input);\n\n for (int i = 0; i < DEGREE; i += 2) {\n uint8_t byte = entropy[i / 2];\n\n uint16_t value = (byte & 1) + ((byte >> 1) & 1);\n value -= ((byte >> 2) & 1) + ((byte >> 3) & 1);\n // Add |kPrime| if |value| underflowed. See |reduce_once| for a discussion\n // on why the value barrier is omitted. While this could have been written\n // reduce_once(value + kPrime), this is one extra addition and small range\n // of |value| tempts some versions of Clang to emit a branch.\n uint16_t mask = 0u - (value >> 15);\n out->c[i] = ((value + kPrime) & mask) | (value & ~mask);\n\n byte >>= 4;\n value = (byte & 1) + ((byte >> 1) & 1);\n value -= ((byte >> 2) & 1) + ((byte >> 3) & 1);\n // See above.\n mask = 0u - (value >> 15);\n out->c[i + 1] = ((value + kPrime) & mask) | (value & ~mask);\n }\n}\n\n// Generates a secret vector by using\n// |scalar_centered_binomial_distribution_eta_2_with_prf|, using the given seed\n// appending and incrementing |counter| for entry of the vector.\ntemplate \nvoid vector_generate_secret_eta_2(vector *out, uint8_t *counter,\n const uint8_t seed[32]) {\n uint8_t input[33];\n OPENSSL_memcpy(input, seed, 32);\n for (int i = 0; i < RANK; i++) {\n input[32] = (*counter)++;\n scalar_centered_binomial_distribution_eta_2_with_prf(&out->v[i], input);\n }\n}\n\n// Expands the matrix of a seed for key generation and for encaps-CPA.\ntemplate \nvoid matrix_expand(matrix *out, const uint8_t rho[32]) {\n uint8_t input[34];\n OPENSSL_memcpy(input, rho, 32);\n for (int i = 0; i < RANK; i++) {\n for (int j = 0; j < RANK; j++) {\n input[32] = i;\n input[33] = j;\n struct BORINGSSL_keccak_st keccak_ctx;\n BORINGSSL_keccak_init(&keccak_ctx, boringssl_shake128);\n BORINGSSL_keccak_absorb(&keccak_ctx, input, sizeof(input));\n scalar_from_keccak_vartime(&out->v[i][j], &keccak_ctx);\n }\n }\n}\n\nconst uint8_t kMasks[8] = {0x01, 0x03, 0x07, 0x0f, 0x1f, 0x3f, 0x7f, 0xff};\n\nvoid scalar_encode(uint8_t *out, const scalar *s, int bits) {\n assert(bits <= (int)sizeof(*s->c) * 8 && bits != 1);\n\n uint8_t out_byte = 0;\n int out_byte_bits = 0;\n\n for (int i = 0; i < DEGREE; i++) {\n uint16_t element = s->c[i];\n int element_bits_done = 0;\n\n while (element_bits_done < bits) {\n int chunk_bits = bits - element_bits_done;\n int out_bits_remaining = 8 - out_byte_bits;\n if (chunk_bits >= out_bits_remaining) {\n chunk_bits = out_bits_remaining;\n out_byte |= (element & kMasks[chunk_bits - 1]) << out_byte_bits;\n *out = out_byte;\n out++;\n out_byte_bits = 0;\n out_byte = 0;\n } else {\n out_byte |= (element & kMasks[chunk_bits - 1]) << out_byte_bits;\n out_byte_bits += chunk_bits;\n }\n\n element_bits_done += chunk_bits;\n element >>= chunk_bits;\n }\n }\n\n if (out_byte_bits > 0) {\n *out = out_byte;\n }\n}\n\n// scalar_encode_1 is |scalar_encode| specialised for |bits| == 1.\nvoid scalar_encode_1(uint8_t out[32], const scalar *s) {\n for (int i = 0; i < DEGREE; i += 8) {\n uint8_t out_byte = 0;\n for (int j = 0; j < 8; j++) {\n out_byte |= (s->c[i + j] & 1) << j;\n }\n *out = out_byte;\n out++;\n }\n}\n\n// Encodes an entire vector into 32*|RANK|*|bits| bytes. Note that since 256\n// (DEGREE) is divisible by 8, the individual vector entries will always fill a\n// whole number of bytes, so we do not need to worry about bit packing here.\ntemplate \nvoid vector_encode(uint8_t *out, const vector *a, int bits) {\n for (int i = 0; i < RANK; i++) {\n scalar_encode(out + i * bits * DEGREE / 8, &a->v[i], bits);\n }\n}\n\n// scalar_decode parses |DEGREE * bits| bits from |in| into |DEGREE| values in\n// |out|. It returns one on success and zero if any parsed value is >=\n// |kPrime|.\nint scalar_decode(scalar *out, const uint8_t *in, int bits) {\n assert(bits <= (int)sizeof(*out->c) * 8 && bits != 1);\n\n uint8_t in_byte = 0;\n int in_byte_bits_left = 0;\n\n for (int i = 0; i < DEGREE; i++) {\n uint16_t element = 0;\n int element_bits_done = 0;\n\n while (element_bits_done < bits) {\n if (in_byte_bits_left == 0) {\n in_byte = *in;\n in++;\n in_byte_bits_left = 8;\n }\n\n int chunk_bits = bits - element_bits_done;\n if (chunk_bits > in_byte_bits_left) {\n chunk_bits = in_byte_bits_left;\n }\n\n element |= (in_byte & kMasks[chunk_bits - 1]) << element_bits_done;\n in_byte_bits_left -= chunk_bits;\n in_byte >>= chunk_bits;\n\n element_bits_done += chunk_bits;\n }\n\n // An element is only out of range in the case of invalid input, in which\n // case it is okay to leak the comparison.\n if (constant_time_declassify_int(element >= kPrime)) {\n return 0;\n }\n out->c[i] = element;\n }\n\n return 1;\n}\n\n// scalar_decode_1 is |scalar_decode| specialised for |bits| == 1.\nvoid scalar_decode_1(scalar *out, const uint8_t in[32]) {\n for (int i = 0; i < DEGREE; i += 8) {\n uint8_t in_byte = *in;\n in++;\n for (int j = 0; j < 8; j++) {\n out->c[i + j] = in_byte & 1;\n in_byte >>= 1;\n }\n }\n}\n\n// Decodes 32*|RANK|*|bits| bytes from |in| into |out|. It returns one on\n// success or zero if any parsed value is >= |kPrime|.\ntemplate \nstatic int vector_decode(vector *out, const uint8_t *in, int bits) {\n for (int i = 0; i < RANK; i++) {\n if (!scalar_decode(&out->v[i], in + i * bits * DEGREE / 8, bits)) {\n return 0;\n }\n }\n return 1;\n}\n\n// Compresses (lossily) an input |x| mod 3329 into |bits| many bits by grouping\n// numbers close to each other together. The formula used is\n// round(2^|bits|/kPrime*x) mod 2^|bits|.\n// Uses Barrett reduction to achieve constant time. Since we need both the\n// remainder (for rounding) and the quotient (as the result), we cannot use\n// |reduce| here, but need to do the Barrett reduction directly.\nstatic uint16_t compress(uint16_t x, int bits) {\n uint32_t shifted = (uint32_t)x << bits;\n uint64_t product = (uint64_t)shifted * kBarrettMultiplier;\n uint32_t quotient = (uint32_t)(product >> kBarrettShift);\n uint32_t remainder = shifted - quotient * kPrime;\n\n // Adjust the quotient to round correctly:\n // 0 <= remainder <= kHalfPrime round to 0\n // kHalfPrime < remainder <= kPrime + kHalfPrime round to 1\n // kPrime + kHalfPrime < remainder < 2 * kPrime round to 2\n declassify_assert(remainder < 2u * kPrime);\n quotient += 1 & constant_time_lt_w(kHalfPrime, remainder);\n quotient += 1 & constant_time_lt_w(kPrime + kHalfPrime, remainder);\n return quotient & ((1 << bits) - 1);\n}\n\n// Decompresses |x| by using an equi-distant representative. The formula is\n// round(kPrime/2^|bits|*x). Note that 2^|bits| being the divisor allows us to\n// implement this logic using only bit operations.\nuint16_t decompress(uint16_t x, int bits) {\n uint32_t product = (uint32_t)x * kPrime;\n uint32_t power = 1 << bits;\n // This is |product| % power, since |power| is a power of 2.\n uint32_t remainder = product & (power - 1);\n // This is |product| / power, since |power| is a power of 2.\n uint32_t lower = product >> bits;\n // The rounding logic works since the first half of numbers mod |power| have a\n // 0 as first bit, and the second half has a 1 as first bit, since |power| is\n // a power of 2. As a 12 bit number, |remainder| is always positive, so we\n // will shift in 0s for a right shift.\n return lower + (remainder >> (bits - 1));\n}\n\nstatic void scalar_compress(scalar *s, int bits) {\n for (int i = 0; i < DEGREE; i++) {\n s->c[i] = compress(s->c[i], bits);\n }\n}\n\nstatic void scalar_decompress(scalar *s, int bits) {\n for (int i = 0; i < DEGREE; i++) {\n s->c[i] = decompress(s->c[i], bits);\n }\n}\n\ntemplate \nvoid vector_compress(vector *a, int bits) {\n for (int i = 0; i < RANK; i++) {\n scalar_compress(&a->v[i], bits);\n }\n}\n\ntemplate \nvoid vector_decompress(vector *a, int bits) {\n for (int i = 0; i < RANK; i++) {\n scalar_decompress(&a->v[i], bits);\n }\n}\n\ntemplate \nstruct public_key {\n vector t;\n uint8_t rho[32];\n uint8_t public_key_hash[32];\n matrix m;\n};\n\ntemplate \nstruct private_key {\n struct public_key pub;\n vector s;\n uint8_t fo_failure_secret[32];\n};\n\ntemplate \nstatic void decrypt_cpa(\n uint8_t out[32], const struct private_key *priv,\n const uint8_t ciphertext[BCM_MLKEM768_CIPHERTEXT_BYTES]) {\n constexpr int du = RANK == RANK768 ? kDU768 : kDU1024;\n constexpr int dv = RANK == RANK768 ? kDV768 : kDV1024;\n\n vector u;\n vector_decode(&u, ciphertext, du);\n vector_decompress(&u, du);\n vector_ntt(&u);\n scalar v;\n scalar_decode(&v, ciphertext + compressed_vector_size(RANK), dv);\n scalar_decompress(&v, dv);\n scalar mask;\n scalar_inner_product(&mask, &priv->s, &u);\n scalar_inverse_ntt(&mask);\n scalar_sub(&v, &mask);\n scalar_compress(&v, 1);\n scalar_encode_1(out, &v);\n}\n\ntemplate \nstatic bcm_status mlkem_marshal_public_key(CBB *out,\n const struct public_key *pub) {\n uint8_t *vector_output;\n if (!CBB_add_space(out, &vector_output, encoded_vector_size(RANK))) {\n return bcm_status::failure;\n }\n vector_encode(vector_output, &pub->t, kLog2Prime);\n if (!CBB_add_bytes(out, pub->rho, sizeof(pub->rho))) {\n return bcm_status::failure;\n }\n return bcm_status::approved;\n}\n\ntemplate \nvoid mlkem_generate_key_external_seed(\n uint8_t *out_encoded_public_key, private_key *priv,\n const uint8_t seed[BCM_MLKEM_SEED_BYTES]) {\n uint8_t augmented_seed[33];\n OPENSSL_memcpy(augmented_seed, seed, 32);\n augmented_seed[32] = RANK;\n\n uint8_t hashed[64];\n hash_g(hashed, augmented_seed, sizeof(augmented_seed));\n const uint8_t *const rho = hashed;\n const uint8_t *const sigma = hashed + 32;\n // rho is public.\n CONSTTIME_DECLASSIFY(rho, 32);\n OPENSSL_memcpy(priv->pub.rho, hashed, sizeof(priv->pub.rho));\n matrix_expand(&priv->pub.m, rho);\n uint8_t counter = 0;\n vector_generate_secret_eta_2(&priv->s, &counter, sigma);\n vector_ntt(&priv->s);\n vector error;\n vector_generate_secret_eta_2(&error, &counter, sigma);\n vector_ntt(&error);\n matrix_mult_transpose(&priv->pub.t, &priv->pub.m, &priv->s);\n vector_add(&priv->pub.t, &error);\n // t is part of the public key and thus is public.\n CONSTTIME_DECLASSIFY(&priv->pub.t, sizeof(priv->pub.t));\n\n CBB cbb;\n CBB_init_fixed(&cbb, out_encoded_public_key, encoded_public_key_size(RANK));\n if (!bcm_success(mlkem_marshal_public_key(&cbb, &priv->pub))) {\n abort();\n }\n\n hash_h(priv->pub.public_key_hash, out_encoded_public_key,\n encoded_public_key_size(RANK));\n OPENSSL_memcpy(priv->fo_failure_secret, seed + 32, 32);\n}\n\n// Encrypts a message with given randomness to\n// the ciphertext in |out|. Without applying the Fujisaki-Okamoto transform this\n// would not result in a CCA secure scheme, since lattice schemes are vulnerable\n// to decryption failure oracles.\ntemplate \nvoid encrypt_cpa(uint8_t *out, const struct mlkem::public_key *pub,\n const uint8_t message[32], const uint8_t randomness[32]) {\n constexpr int du = RANK == RANK768 ? mlkem::kDU768 : mlkem::kDU1024;\n constexpr int dv = RANK == RANK768 ? mlkem::kDV768 : mlkem::kDV1024;\n\n uint8_t counter = 0;\n mlkem::vector secret;\n vector_generate_secret_eta_2(&secret, &counter, randomness);\n vector_ntt(&secret);\n mlkem::vector error;\n vector_generate_secret_eta_2(&error, &counter, randomness);\n uint8_t input[33];\n OPENSSL_memcpy(input, randomness, 32);\n input[32] = counter;\n mlkem::scalar scalar_error;\n scalar_centered_binomial_distribution_eta_2_with_prf(&scalar_error, input);\n mlkem::vector u;\n matrix_mult(&u, &pub->m, &secret);\n vector_inverse_ntt(&u);\n vector_add(&u, &error);\n mlkem::scalar v;\n scalar_inner_product(&v, &pub->t, &secret);\n scalar_inverse_ntt(&v);\n scalar_add(&v, &scalar_error);\n mlkem::scalar expanded_message;\n scalar_decode_1(&expanded_message, message);\n scalar_decompress(&expanded_message, 1);\n scalar_add(&v, &expanded_message);\n vector_compress(&u, du);\n vector_encode(out, &u, du);\n scalar_compress(&v, dv);\n scalar_encode(out + mlkem::compressed_vector_size(RANK), &v, dv);\n}\n\n// See section 6.3\ntemplate \nvoid mlkem_decap(uint8_t out_shared_secret[BCM_MLKEM_SHARED_SECRET_BYTES],\n const uint8_t *ciphertext,\n const struct private_key *priv) {\n uint8_t decrypted[64];\n decrypt_cpa(decrypted, priv, ciphertext);\n OPENSSL_memcpy(decrypted + 32, priv->pub.public_key_hash,\n sizeof(decrypted) - 32);\n uint8_t key_and_randomness[64];\n hash_g(key_and_randomness, decrypted, sizeof(decrypted));\n constexpr size_t ciphertext_len = ciphertext_size(RANK);\n uint8_t expected_ciphertext[BCM_MLKEM1024_CIPHERTEXT_BYTES];\n static_assert(ciphertext_len <= sizeof(expected_ciphertext), \"\");\n encrypt_cpa(expected_ciphertext, &priv->pub, decrypted,\n key_and_randomness + 32);\n\n uint8_t failure_key[32];\n kdf(failure_key, priv->fo_failure_secret, ciphertext, ciphertext_len);\n\n uint8_t mask = constant_time_eq_int_8(\n CRYPTO_memcmp(ciphertext, expected_ciphertext, ciphertext_len), 0);\n for (int i = 0; i < BCM_MLKEM_SHARED_SECRET_BYTES; i++) {\n out_shared_secret[i] =\n constant_time_select_8(mask, key_and_randomness[i], failure_key[i]);\n }\n}\n\n// mlkem_parse_public_key_no_hash parses |in| into |pub| but doesn't calculate\n// the value of |pub->public_key_hash|.\ntemplate \nint mlkem_parse_public_key_no_hash(struct public_key *pub, CBS *in) {\n CBS t_bytes;\n if (!CBS_get_bytes(in, &t_bytes, encoded_vector_size(RANK)) ||\n !vector_decode(&pub->t, CBS_data(&t_bytes), kLog2Prime) ||\n !CBS_copy_bytes(in, pub->rho, sizeof(pub->rho))) {\n return 0;\n }\n matrix_expand(&pub->m, pub->rho);\n return 1;\n}\n\ntemplate \nint mlkem_parse_public_key(struct public_key *pub, CBS *in) {\n CBS orig_in = *in;\n if (!mlkem_parse_public_key_no_hash(pub, in) || //\n CBS_len(in) != 0) {\n return 0;\n }\n hash_h(pub->public_key_hash, CBS_data(&orig_in), CBS_len(&orig_in));\n return 1;\n}\n\ntemplate \nint mlkem_parse_private_key(struct private_key *priv, CBS *in) {\n CBS s_bytes;\n if (!CBS_get_bytes(in, &s_bytes, encoded_vector_size(RANK)) ||\n !vector_decode(&priv->s, CBS_data(&s_bytes), kLog2Prime) ||\n !mlkem_parse_public_key_no_hash(&priv->pub, in) ||\n !CBS_copy_bytes(in, priv->pub.public_key_hash,\n sizeof(priv->pub.public_key_hash)) ||\n !CBS_copy_bytes(in, priv->fo_failure_secret,\n sizeof(priv->fo_failure_secret)) ||\n CBS_len(in) != 0) {\n return 0;\n }\n return 1;\n}\n\ntemplate \nint mlkem_marshal_private_key(CBB *out, const struct private_key *priv) {\n uint8_t *s_output;\n if (!CBB_add_space(out, &s_output, encoded_vector_size(RANK))) {\n return 0;\n }\n vector_encode(s_output, &priv->s, kLog2Prime);\n if (!bcm_success(mlkem_marshal_public_key(out, &priv->pub)) ||\n !CBB_add_bytes(out, priv->pub.public_key_hash,\n sizeof(priv->pub.public_key_hash)) ||\n !CBB_add_bytes(out, priv->fo_failure_secret,\n sizeof(priv->fo_failure_secret))) {\n return 0;\n }\n return 1;\n}\n\nstruct public_key *public_key_768_from_external(\n const struct BCM_mlkem768_public_key *external) {\n static_assert(sizeof(struct BCM_mlkem768_public_key) >=\n sizeof(struct public_key),\n \"MLKEM public key is too small\");\n static_assert(alignof(struct BCM_mlkem768_public_key) >=\n alignof(struct public_key),\n \"MLKEM public key alignment incorrect\");\n return (struct public_key *)external;\n}\n\nstatic struct public_key *\npublic_key_1024_from_external(const struct BCM_mlkem1024_public_key *external) {\n static_assert(sizeof(struct BCM_mlkem1024_public_key) >=\n sizeof(struct public_key),\n \"MLKEM1024 public key is too small\");\n static_assert(alignof(struct BCM_mlkem1024_public_key) >=\n alignof(struct public_key),\n \"MLKEM1024 public key alignment incorrect\");\n return (struct public_key *)external;\n}\n\nstruct private_key *\nprivate_key_768_from_external(const struct BCM_mlkem768_private_key *external) {\n static_assert(sizeof(struct BCM_mlkem768_private_key) >=\n sizeof(struct private_key),\n \"MLKEM private key too small\");\n static_assert(alignof(struct BCM_mlkem768_private_key) >=\n alignof(struct private_key),\n \"MLKEM private key alignment incorrect\");\n return (struct private_key *)external;\n}\n\nstruct private_key *\nprivate_key_1024_from_external(\n const struct BCM_mlkem1024_private_key *external) {\n static_assert(sizeof(struct BCM_mlkem1024_private_key) >=\n sizeof(struct private_key),\n \"MLKEM1024 private key too small\");\n static_assert(alignof(struct BCM_mlkem1024_private_key) >=\n alignof(struct private_key),\n \"MLKEM1024 private key alignment incorrect\");\n return (struct private_key *)external;\n}\n\n} // namespace\n} // namespace mlkem\n\nbcm_infallible BCM_mlkem768_generate_key(\n uint8_t out_encoded_public_key[BCM_MLKEM768_PUBLIC_KEY_BYTES],\n uint8_t optional_out_seed[BCM_MLKEM_SEED_BYTES],\n struct BCM_mlkem768_private_key *out_private_key) {\n uint8_t seed[BCM_MLKEM_SEED_BYTES];\n BCM_rand_bytes(seed, sizeof(seed));\n CONSTTIME_SECRET(seed, sizeof(seed));\n if (optional_out_seed) {\n OPENSSL_memcpy(optional_out_seed, seed, sizeof(seed));\n }\n BCM_mlkem768_generate_key_external_seed(out_encoded_public_key,\n out_private_key, seed);\n return bcm_infallible::approved;\n}\n\nbcm_status BCM_mlkem768_private_key_from_seed(\n struct BCM_mlkem768_private_key *out_private_key, const uint8_t *seed,\n size_t seed_len) {\n if (seed_len != BCM_MLKEM_SEED_BYTES) {\n return bcm_status::failure;\n }\n uint8_t public_key_bytes[BCM_MLKEM768_PUBLIC_KEY_BYTES];\n BCM_mlkem768_generate_key_external_seed(public_key_bytes, out_private_key,\n seed);\n return bcm_status::approved;\n}\n\nbcm_infallible BCM_mlkem1024_generate_key(\n uint8_t out_encoded_public_key[BCM_MLKEM1024_PUBLIC_KEY_BYTES],\n uint8_t optional_out_seed[BCM_MLKEM_SEED_BYTES],\n struct BCM_mlkem1024_private_key *out_private_key) {\n uint8_t seed[BCM_MLKEM_SEED_BYTES];\n BCM_rand_bytes(seed, sizeof(seed));\n CONSTTIME_SECRET(seed, sizeof(seed));\n if (optional_out_seed) {\n OPENSSL_memcpy(optional_out_seed, seed, sizeof(seed));\n }\n BCM_mlkem1024_generate_key_external_seed(out_encoded_public_key,\n out_private_key, seed);\n return bcm_infallible::approved;\n}\n\nbcm_status BCM_mlkem1024_private_key_from_seed(\n struct BCM_mlkem1024_private_key *out_private_key, const uint8_t *seed,\n size_t seed_len) {\n if (seed_len != BCM_MLKEM_SEED_BYTES) {\n return bcm_status::failure;\n }\n uint8_t public_key_bytes[BCM_MLKEM1024_PUBLIC_KEY_BYTES];\n BCM_mlkem1024_generate_key_external_seed(public_key_bytes, out_private_key,\n seed);\n return bcm_status::approved;\n}\n\nbcm_infallible BCM_mlkem768_generate_key_external_seed(\n uint8_t out_encoded_public_key[BCM_MLKEM768_PUBLIC_KEY_BYTES],\n struct BCM_mlkem768_private_key *out_private_key,\n const uint8_t seed[BCM_MLKEM_SEED_BYTES]) {\n mlkem::private_key *priv =\n mlkem::private_key_768_from_external(out_private_key);\n mlkem_generate_key_external_seed(out_encoded_public_key, priv, seed);\n return bcm_infallible::approved;\n}\n\nbcm_infallible BCM_mlkem1024_generate_key_external_seed(\n uint8_t out_encoded_public_key[BCM_MLKEM1024_PUBLIC_KEY_BYTES],\n struct BCM_mlkem1024_private_key *out_private_key,\n const uint8_t seed[BCM_MLKEM_SEED_BYTES]) {\n mlkem::private_key *priv =\n mlkem::private_key_1024_from_external(out_private_key);\n mlkem_generate_key_external_seed(out_encoded_public_key, priv, seed);\n return bcm_infallible::approved;\n}\n\nbcm_infallible BCM_mlkem768_public_from_private(\n struct BCM_mlkem768_public_key *out_public_key,\n const struct BCM_mlkem768_private_key *private_key) {\n struct mlkem::public_key *const pub =\n mlkem::public_key_768_from_external(out_public_key);\n const struct mlkem::private_key *const priv =\n mlkem::private_key_768_from_external(private_key);\n *pub = priv->pub;\n return bcm_infallible::approved;\n}\n\nbcm_infallible BCM_mlkem1024_public_from_private(\n struct BCM_mlkem1024_public_key *out_public_key,\n const struct BCM_mlkem1024_private_key *private_key) {\n struct mlkem::public_key *const pub =\n mlkem::public_key_1024_from_external(out_public_key);\n const struct mlkem::private_key *const priv =\n mlkem::private_key_1024_from_external(private_key);\n *pub = priv->pub;\n return bcm_infallible::approved;\n}\n\n// Calls |MLKEM768_encap_external_entropy| with random bytes from\n// |BCM_rand_bytes|\nbcm_infallible BCM_mlkem768_encap(\n uint8_t out_ciphertext[BCM_MLKEM768_CIPHERTEXT_BYTES],\n uint8_t out_shared_secret[BCM_MLKEM_SHARED_SECRET_BYTES],\n const struct BCM_mlkem768_public_key *public_key) {\n uint8_t entropy[BCM_MLKEM_ENCAP_ENTROPY];\n BCM_rand_bytes(entropy, BCM_MLKEM_ENCAP_ENTROPY);\n CONSTTIME_SECRET(entropy, BCM_MLKEM_ENCAP_ENTROPY);\n BCM_mlkem768_encap_external_entropy(out_ciphertext, out_shared_secret,\n public_key, entropy);\n return bcm_infallible::approved;\n}\n\nbcm_infallible BCM_mlkem1024_encap(\n uint8_t out_ciphertext[BCM_MLKEM1024_CIPHERTEXT_BYTES],\n uint8_t out_shared_secret[BCM_MLKEM_SHARED_SECRET_BYTES],\n const struct BCM_mlkem1024_public_key *public_key) {\n uint8_t entropy[BCM_MLKEM_ENCAP_ENTROPY];\n BCM_rand_bytes(entropy, BCM_MLKEM_ENCAP_ENTROPY);\n CONSTTIME_SECRET(entropy, BCM_MLKEM_ENCAP_ENTROPY);\n BCM_mlkem1024_encap_external_entropy(out_ciphertext, out_shared_secret,\n public_key, entropy);\n return bcm_infallible::approved;\n}\n\n// See section 6.2.\ntemplate \nvoid mlkem_encap_external_entropy(\n uint8_t *out_ciphertext,\n uint8_t out_shared_secret[BCM_MLKEM_SHARED_SECRET_BYTES],\n const struct mlkem::public_key *pub,\n const uint8_t entropy[BCM_MLKEM_ENCAP_ENTROPY]) {\n uint8_t input[64];\n OPENSSL_memcpy(input, entropy, BCM_MLKEM_ENCAP_ENTROPY);\n OPENSSL_memcpy(input + BCM_MLKEM_ENCAP_ENTROPY, pub->public_key_hash,\n sizeof(input) - BCM_MLKEM_ENCAP_ENTROPY);\n uint8_t key_and_randomness[64];\n mlkem::hash_g(key_and_randomness, input, sizeof(input));\n encrypt_cpa(out_ciphertext, pub, entropy, key_and_randomness + 32);\n // The ciphertext is public.\n CONSTTIME_DECLASSIFY(out_ciphertext, mlkem::ciphertext_size(RANK));\n static_assert(BCM_MLKEM_SHARED_SECRET_BYTES == 32, \"\");\n memcpy(out_shared_secret, key_and_randomness, 32);\n}\n\nbcm_infallible BCM_mlkem768_encap_external_entropy(\n uint8_t out_ciphertext[BCM_MLKEM768_CIPHERTEXT_BYTES],\n uint8_t out_shared_secret[BCM_MLKEM_SHARED_SECRET_BYTES],\n const struct BCM_mlkem768_public_key *public_key,\n const uint8_t entropy[BCM_MLKEM_ENCAP_ENTROPY]) {\n const struct mlkem::public_key *pub =\n mlkem::public_key_768_from_external(public_key);\n mlkem_encap_external_entropy(out_ciphertext, out_shared_secret, pub, entropy);\n return bcm_infallible::approved;\n}\n\nbcm_infallible BCM_mlkem1024_encap_external_entropy(\n uint8_t out_ciphertext[BCM_MLKEM1024_CIPHERTEXT_BYTES],\n uint8_t out_shared_secret[BCM_MLKEM_SHARED_SECRET_BYTES],\n const struct BCM_mlkem1024_public_key *public_key,\n const uint8_t entropy[BCM_MLKEM_ENCAP_ENTROPY]) {\n const struct mlkem::public_key *pub =\n mlkem::public_key_1024_from_external(public_key);\n mlkem_encap_external_entropy(out_ciphertext, out_shared_secret, pub, entropy);\n return bcm_infallible::approved;\n}\n\nbcm_status BCM_mlkem768_decap(\n uint8_t out_shared_secret[BCM_MLKEM_SHARED_SECRET_BYTES],\n const uint8_t *ciphertext, size_t ciphertext_len,\n const struct BCM_mlkem768_private_key *private_key) {\n if (ciphertext_len != BCM_MLKEM768_CIPHERTEXT_BYTES) {\n BCM_rand_bytes(out_shared_secret, BCM_MLKEM_SHARED_SECRET_BYTES);\n return bcm_status::failure;\n }\n const struct mlkem::private_key *priv =\n mlkem::private_key_768_from_external(private_key);\n mlkem_decap(out_shared_secret, ciphertext, priv);\n return bcm_status::approved;\n}\n\nbcm_status BCM_mlkem1024_decap(\n uint8_t out_shared_secret[BCM_MLKEM_SHARED_SECRET_BYTES],\n const uint8_t *ciphertext, size_t ciphertext_len,\n const struct BCM_mlkem1024_private_key *private_key) {\n if (ciphertext_len != BCM_MLKEM1024_CIPHERTEXT_BYTES) {\n BCM_rand_bytes(out_shared_secret, BCM_MLKEM_SHARED_SECRET_BYTES);\n return bcm_status::failure;\n }\n const struct mlkem::private_key *priv =\n mlkem::private_key_1024_from_external(private_key);\n mlkem_decap(out_shared_secret, ciphertext, priv);\n return bcm_status::approved;\n}\n\nbcm_status BCM_mlkem768_marshal_public_key(\n CBB *out, const struct BCM_mlkem768_public_key *public_key) {\n return mlkem_marshal_public_key(\n out, mlkem::public_key_768_from_external(public_key));\n}\n\nbcm_status BCM_mlkem1024_marshal_public_key(\n CBB *out, const struct BCM_mlkem1024_public_key *public_key) {\n return mlkem_marshal_public_key(\n out, mlkem::public_key_1024_from_external(public_key));\n}\n\nbcm_status BCM_mlkem768_parse_public_key(\n struct BCM_mlkem768_public_key *public_key, CBS *in) {\n struct mlkem::public_key *pub =\n mlkem::public_key_768_from_external(public_key);\n if (!mlkem_parse_public_key(pub, in)) {\n return bcm_status::failure;\n }\n return bcm_status::approved;\n}\n\nbcm_status BCM_mlkem1024_parse_public_key(\n struct BCM_mlkem1024_public_key *public_key, CBS *in) {\n struct mlkem::public_key *pub =\n mlkem::public_key_1024_from_external(public_key);\n if (!mlkem_parse_public_key(pub, in)) {\n return bcm_status::failure;\n }\n return bcm_status::approved;\n}\n\nbcm_status BCM_mlkem768_marshal_private_key(\n CBB *out, const struct BCM_mlkem768_private_key *private_key) {\n const struct mlkem::private_key *const priv =\n mlkem::private_key_768_from_external(private_key);\n if (!mlkem_marshal_private_key(out, priv)) {\n return bcm_status::failure;\n }\n return bcm_status::approved;\n}\n\nbcm_status BCM_mlkem1024_marshal_private_key(\n CBB *out, const struct BCM_mlkem1024_private_key *private_key) {\n const struct mlkem::private_key *const priv =\n mlkem::private_key_1024_from_external(private_key);\n if (!mlkem_marshal_private_key(out, priv)) {\n return bcm_status::failure;\n }\n return bcm_status::approved;\n}\n\nbcm_status BCM_mlkem768_parse_private_key(\n struct BCM_mlkem768_private_key *out_private_key, CBS *in) {\n struct mlkem::private_key *const priv =\n mlkem::private_key_768_from_external(out_private_key);\n if (!mlkem_parse_private_key(priv, in)) {\n return bcm_status::failure;\n }\n return bcm_status::approved;\n}\n\nbcm_status BCM_mlkem1024_parse_private_key(\n struct BCM_mlkem1024_private_key *out_private_key, CBS *in) {\n struct mlkem::private_key *const priv =\n mlkem::private_key_1024_from_external(out_private_key);\n if (!mlkem_parse_private_key(priv, in)) {\n return bcm_status::failure;\n }\n return bcm_status::approved;\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/fipsmodule/rand/ctrdrbg.cc.inc", "content": "/* Copyright 2017 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n#include \n\n#include \n\n#include \n\n#include \"../aes/internal.h\"\n#include \"../service_indicator/internal.h\"\n#include \"internal.h\"\n\n\n// Section references in this file refer to SP 800-90Ar1:\n// http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-90Ar1.pdf\n\n// See table 3.\nstatic const uint64_t kMaxReseedCount = UINT64_C(1) << 48;\n\nCTR_DRBG_STATE *CTR_DRBG_new(const uint8_t entropy[CTR_DRBG_ENTROPY_LEN],\n const uint8_t *personalization,\n size_t personalization_len) {\n CTR_DRBG_STATE *drbg = reinterpret_cast(\n OPENSSL_malloc(sizeof(CTR_DRBG_STATE)));\n if (drbg == NULL ||\n !CTR_DRBG_init(drbg, entropy, personalization, personalization_len)) {\n CTR_DRBG_free(drbg);\n return NULL;\n }\n\n return drbg;\n}\n\nvoid CTR_DRBG_free(CTR_DRBG_STATE *state) { OPENSSL_free(state); }\n\nint CTR_DRBG_init(CTR_DRBG_STATE *drbg,\n const uint8_t entropy[CTR_DRBG_ENTROPY_LEN],\n const uint8_t *personalization, size_t personalization_len) {\n // Section 10.2.1.3.1\n if (personalization_len > CTR_DRBG_ENTROPY_LEN) {\n return 0;\n }\n\n uint8_t seed_material[CTR_DRBG_ENTROPY_LEN];\n OPENSSL_memcpy(seed_material, entropy, CTR_DRBG_ENTROPY_LEN);\n\n for (size_t i = 0; i < personalization_len; i++) {\n seed_material[i] ^= personalization[i];\n }\n\n // Section 10.2.1.2\n\n // kInitMask is the result of encrypting blocks with big-endian value 1, 2\n // and 3 with the all-zero AES-256 key.\n static const uint8_t kInitMask[CTR_DRBG_ENTROPY_LEN] = {\n 0x53, 0x0f, 0x8a, 0xfb, 0xc7, 0x45, 0x36, 0xb9, 0xa9, 0x63, 0xb4, 0xf1,\n 0xc4, 0xcb, 0x73, 0x8b, 0xce, 0xa7, 0x40, 0x3d, 0x4d, 0x60, 0x6b, 0x6e,\n 0x07, 0x4e, 0xc5, 0xd3, 0xba, 0xf3, 0x9d, 0x18, 0x72, 0x60, 0x03, 0xca,\n 0x37, 0xa6, 0x2a, 0x74, 0xd1, 0xa2, 0xf5, 0x8e, 0x75, 0x06, 0x35, 0x8e,\n };\n\n for (size_t i = 0; i < sizeof(kInitMask); i++) {\n seed_material[i] ^= kInitMask[i];\n }\n\n drbg->ctr = aes_ctr_set_key(&drbg->ks, NULL, &drbg->block, seed_material, 32);\n OPENSSL_memcpy(drbg->counter, seed_material + 32, 16);\n drbg->reseed_counter = 1;\n\n return 1;\n}\n\nstatic_assert(CTR_DRBG_ENTROPY_LEN % AES_BLOCK_SIZE == 0,\n \"not a multiple of AES block size\");\n\n// ctr_inc adds |n| to the last four bytes of |drbg->counter|, treated as a\n// big-endian number.\nstatic void ctr32_add(CTR_DRBG_STATE *drbg, uint32_t n) {\n uint32_t ctr = CRYPTO_load_u32_be(drbg->counter + 12);\n CRYPTO_store_u32_be(drbg->counter + 12, ctr + n);\n}\n\nstatic int ctr_drbg_update(CTR_DRBG_STATE *drbg, const uint8_t *data,\n size_t data_len) {\n // Per section 10.2.1.2, |data_len| must be |CTR_DRBG_ENTROPY_LEN|. Here, we\n // allow shorter inputs and right-pad them with zeros. This is equivalent to\n // the specified algorithm but saves a copy in |CTR_DRBG_generate|.\n if (data_len > CTR_DRBG_ENTROPY_LEN) {\n return 0;\n }\n\n uint8_t temp[CTR_DRBG_ENTROPY_LEN];\n for (size_t i = 0; i < CTR_DRBG_ENTROPY_LEN; i += AES_BLOCK_SIZE) {\n ctr32_add(drbg, 1);\n drbg->block(drbg->counter, temp + i, &drbg->ks);\n }\n\n for (size_t i = 0; i < data_len; i++) {\n temp[i] ^= data[i];\n }\n\n drbg->ctr = aes_ctr_set_key(&drbg->ks, NULL, &drbg->block, temp, 32);\n OPENSSL_memcpy(drbg->counter, temp + 32, 16);\n\n return 1;\n}\n\nint CTR_DRBG_reseed(CTR_DRBG_STATE *drbg,\n const uint8_t entropy[CTR_DRBG_ENTROPY_LEN],\n const uint8_t *additional_data,\n size_t additional_data_len) {\n // Section 10.2.1.4\n uint8_t entropy_copy[CTR_DRBG_ENTROPY_LEN];\n\n if (additional_data_len > 0) {\n if (additional_data_len > CTR_DRBG_ENTROPY_LEN) {\n return 0;\n }\n\n OPENSSL_memcpy(entropy_copy, entropy, CTR_DRBG_ENTROPY_LEN);\n for (size_t i = 0; i < additional_data_len; i++) {\n entropy_copy[i] ^= additional_data[i];\n }\n\n entropy = entropy_copy;\n }\n\n if (!ctr_drbg_update(drbg, entropy, CTR_DRBG_ENTROPY_LEN)) {\n return 0;\n }\n\n drbg->reseed_counter = 1;\n\n return 1;\n}\n\nint CTR_DRBG_generate(CTR_DRBG_STATE *drbg, uint8_t *out, size_t out_len,\n const uint8_t *additional_data,\n size_t additional_data_len) {\n // See 9.3.1\n if (out_len > CTR_DRBG_MAX_GENERATE_LENGTH) {\n return 0;\n }\n\n // See 10.2.1.5.1\n if (drbg->reseed_counter > kMaxReseedCount) {\n return 0;\n }\n\n if (additional_data_len != 0 &&\n !ctr_drbg_update(drbg, additional_data, additional_data_len)) {\n return 0;\n }\n\n // kChunkSize is used to interact better with the cache. Since the AES-CTR\n // code assumes that it's encrypting rather than just writing keystream, the\n // buffer has to be zeroed first. Without chunking, large reads would zero\n // the whole buffer, flushing the L1 cache, and then do another pass (missing\n // the cache every time) to “encrypt” it. The code can avoid this by\n // chunking.\n static const size_t kChunkSize = 8 * 1024;\n\n while (out_len >= AES_BLOCK_SIZE) {\n size_t todo = kChunkSize;\n if (todo > out_len) {\n todo = out_len;\n }\n\n todo &= ~(AES_BLOCK_SIZE - 1);\n const size_t num_blocks = todo / AES_BLOCK_SIZE;\n\n OPENSSL_memset(out, 0, todo);\n ctr32_add(drbg, 1);\n drbg->ctr(out, out, num_blocks, &drbg->ks, drbg->counter);\n ctr32_add(drbg, (uint32_t)(num_blocks - 1));\n\n out += todo;\n out_len -= todo;\n }\n\n if (out_len > 0) {\n uint8_t block[AES_BLOCK_SIZE];\n ctr32_add(drbg, 1);\n drbg->block(drbg->counter, block, &drbg->ks);\n\n OPENSSL_memcpy(out, block, out_len);\n }\n\n // Right-padding |additional_data| in step 2.2 is handled implicitly by\n // |ctr_drbg_update|, to save a copy.\n if (!ctr_drbg_update(drbg, additional_data, additional_data_len)) {\n return 0;\n }\n\n drbg->reseed_counter++;\n FIPS_service_indicator_update_state();\n return 1;\n}\n\nvoid CTR_DRBG_clear(CTR_DRBG_STATE *drbg) {\n OPENSSL_cleanse(drbg, sizeof(CTR_DRBG_STATE));\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/fipsmodule/rand/internal.h", "content": "/* Copyright 2015 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n#ifndef OPENSSL_HEADER_CRYPTO_RAND_INTERNAL_H\n#define OPENSSL_HEADER_CRYPTO_RAND_INTERNAL_H\n\n#include \n#include \n\n#include \"../../bcm_support.h\"\n#include \"../aes/internal.h\"\n\n#if defined(__cplusplus)\nextern \"C\" {\n#endif\n\n// rand_fork_unsafe_buffering_enabled returns whether fork-unsafe buffering has\n// been enabled via |RAND_enable_fork_unsafe_buffering|.\nint rand_fork_unsafe_buffering_enabled(void);\n\n// CTR_DRBG_STATE contains the state of a CTR_DRBG based on AES-256. See SP\n// 800-90Ar1.\nstruct ctr_drbg_state_st {\n AES_KEY ks;\n block128_f block;\n ctr128_f ctr;\n uint8_t counter[16];\n uint64_t reseed_counter;\n};\n\n// CTR_DRBG_init initialises |*drbg| given |CTR_DRBG_ENTROPY_LEN| bytes of\n// entropy in |entropy| and, optionally, a personalization string up to\n// |CTR_DRBG_ENTROPY_LEN| bytes in length. It returns one on success and zero\n// on error.\nOPENSSL_EXPORT int CTR_DRBG_init(CTR_DRBG_STATE *drbg,\n const uint8_t entropy[CTR_DRBG_ENTROPY_LEN],\n const uint8_t *personalization,\n size_t personalization_len);\n\n#if defined(OPENSSL_X86_64) && !defined(OPENSSL_NO_ASM)\n\ninline int have_rdrand(void) { return CRYPTO_is_RDRAND_capable(); }\n\n// have_fast_rdrand returns true if RDRAND is supported and it's reasonably\n// fast. Concretely the latter is defined by whether the chip is Intel (fast) or\n// not (assumed slow).\ninline int have_fast_rdrand(void) {\n return CRYPTO_is_RDRAND_capable() && CRYPTO_is_intel_cpu();\n}\n\n// CRYPTO_rdrand writes eight bytes of random data from the hardware RNG to\n// |out|. It returns one on success or zero on hardware failure.\nint CRYPTO_rdrand(uint8_t out[8]);\n\n// CRYPTO_rdrand_multiple8_buf fills |len| bytes at |buf| with random data from\n// the hardware RNG. The |len| argument must be a multiple of eight. It returns\n// one on success and zero on hardware failure.\nint CRYPTO_rdrand_multiple8_buf(uint8_t *buf, size_t len);\n\n#else // OPENSSL_X86_64 && !OPENSSL_NO_ASM\n\ninline int have_rdrand(void) { return 0; }\n\ninline int have_fast_rdrand(void) { return 0; }\n\n#endif // OPENSSL_X86_64 && !OPENSSL_NO_ASM\n\n\n#if defined(__cplusplus)\n} // extern C\n#endif\n\n#endif // OPENSSL_HEADER_CRYPTO_RAND_INTERNAL_H\n" }, { "path": "Sources/CNIOBoringSSL/crypto/fipsmodule/rand/rand.cc.inc", "content": "/* Copyright 2014 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n#include \n#include \n#include \n\n#if defined(BORINGSSL_FIPS)\n#include \n#endif\n\n#include \n#include \n#include \n\n#include \"../../bcm_support.h\"\n#include \"../bcm_interface.h\"\n#include \"../delocate.h\"\n#include \"internal.h\"\n\n\n// It's assumed that the operating system always has an unfailing source of\n// entropy which is accessed via |CRYPTO_sysrand[_for_seed]|. (If the operating\n// system entropy source fails, it's up to |CRYPTO_sysrand| to abort the\n// process—we don't try to handle it.)\n//\n// In addition, the hardware may provide a low-latency RNG. Intel's rdrand\n// instruction is the canonical example of this. When a hardware RNG is\n// available we don't need to worry about an RNG failure arising from fork()ing\n// the process or moving a VM, so we can keep thread-local RNG state and use it\n// as an additional-data input to CTR-DRBG.\n//\n// (We assume that the OS entropy is safe from fork()ing and VM duplication.\n// This might be a bit of a leap of faith, esp on Windows, but there's nothing\n// that we can do about it.)\n\n// kReseedInterval is the number of generate calls made to CTR-DRBG before\n// reseeding.\nstatic const unsigned kReseedInterval = 4096;\n\n// CRNGT_BLOCK_SIZE is the number of bytes in a “block” for the purposes of the\n// continuous random number generator test in FIPS 140-2, section 4.9.2.\n#define CRNGT_BLOCK_SIZE 16\n\nnamespace {\n// rand_thread_state contains the per-thread state for the RNG.\nstruct rand_thread_state {\n CTR_DRBG_STATE drbg;\n uint64_t fork_generation;\n // calls is the number of generate calls made on |drbg| since it was last\n // (re)seeded. This is bound by |kReseedInterval|.\n unsigned calls;\n // last_block_valid is non-zero iff |last_block| contains data from\n // |get_seed_entropy|.\n int last_block_valid;\n // fork_unsafe_buffering is non-zero iff, when |drbg| was last (re)seeded,\n // fork-unsafe buffering was enabled.\n int fork_unsafe_buffering;\n\n#if defined(BORINGSSL_FIPS)\n // last_block contains the previous block from |get_seed_entropy|.\n uint8_t last_block[CRNGT_BLOCK_SIZE];\n // next and prev form a NULL-terminated, double-linked list of all states in\n // a process.\n struct rand_thread_state *next, *prev;\n // clear_drbg_lock synchronizes between uses of |drbg| and\n // |rand_thread_state_clear_all| clearing it. This lock should be uncontended\n // in the common case, except on shutdown.\n CRYPTO_MUTEX clear_drbg_lock;\n#endif\n};\n} // namespace\n\n#if defined(BORINGSSL_FIPS)\n// thread_states_list is the head of a linked-list of all |rand_thread_state|\n// objects in the process, one per thread. This is needed because FIPS requires\n// that they be zeroed on process exit, but thread-local destructors aren't\n// called when the whole process is exiting.\nDEFINE_BSS_GET(struct rand_thread_state *, thread_states_list, nullptr)\nDEFINE_STATIC_MUTEX(thread_states_list_lock)\n\nstatic void rand_thread_state_clear_all(void) __attribute__((destructor));\nstatic void rand_thread_state_clear_all(void) {\n CRYPTO_MUTEX_lock_write(thread_states_list_lock_bss_get());\n for (struct rand_thread_state *cur = *thread_states_list_bss_get();\n cur != NULL; cur = cur->next) {\n CRYPTO_MUTEX_lock_write(&cur->clear_drbg_lock);\n CTR_DRBG_clear(&cur->drbg);\n }\n // The locks are deliberately left locked so that any threads that are still\n // running will hang if they try to call |BCM_rand_bytes|. It also ensures\n // |rand_thread_state_free| cannot free any thread state while we've taken the\n // lock.\n}\n#endif\n\n// rand_thread_state_free frees a |rand_thread_state|. This is called when a\n// thread exits.\nstatic void rand_thread_state_free(void *state_in) {\n struct rand_thread_state *state =\n reinterpret_cast(state_in);\n\n if (state_in == NULL) {\n return;\n }\n\n#if defined(BORINGSSL_FIPS)\n CRYPTO_MUTEX_lock_write(thread_states_list_lock_bss_get());\n\n if (state->prev != NULL) {\n state->prev->next = state->next;\n } else if (*thread_states_list_bss_get() == state) {\n // |state->prev| may be NULL either if it is the head of the list,\n // or if |state| is freed before it was added to the list at all.\n // Compare against the head of the list to distinguish these cases.\n *thread_states_list_bss_get() = state->next;\n }\n\n if (state->next != NULL) {\n state->next->prev = state->prev;\n }\n\n CRYPTO_MUTEX_unlock_write(thread_states_list_lock_bss_get());\n\n CTR_DRBG_clear(&state->drbg);\n#endif\n\n OPENSSL_free(state);\n}\n\n#if defined(OPENSSL_X86_64) && !defined(OPENSSL_NO_ASM) && \\\n !defined(BORINGSSL_UNSAFE_DETERMINISTIC_MODE)\n// rdrand should only be called if either |have_rdrand| or |have_fast_rdrand|\n// returned true.\nstatic int rdrand(uint8_t *buf, const size_t len) {\n const size_t len_multiple8 = len & ~7;\n if (!CRYPTO_rdrand_multiple8_buf(buf, len_multiple8)) {\n return 0;\n }\n const size_t remainder = len - len_multiple8;\n\n if (remainder != 0) {\n assert(remainder < 8);\n\n uint8_t rand_buf[8];\n if (!CRYPTO_rdrand(rand_buf)) {\n return 0;\n }\n OPENSSL_memcpy(buf + len_multiple8, rand_buf, remainder);\n }\n\n return 1;\n}\n\n#else\n\nstatic int rdrand(uint8_t *buf, size_t len) { return 0; }\n\n#endif\n\nbcm_status BCM_rand_bytes_hwrng(uint8_t *buf, const size_t len) {\n if (!have_rdrand()) {\n return bcm_status::failure;\n }\n if (rdrand(buf, len)) {\n return bcm_status::not_approved;\n }\n return bcm_status::failure;\n}\n\n#if defined(BORINGSSL_FIPS)\n\n// In passive entropy mode, entropy is supplied from outside of the module via\n// |BCM_rand_load_entropy| and is stored in global instance of the following\n// structure.\n\nstruct entropy_buffer {\n // bytes contains entropy suitable for seeding a DRBG.\n uint8_t\n bytes[CRNGT_BLOCK_SIZE + CTR_DRBG_ENTROPY_LEN * BORINGSSL_FIPS_OVERREAD];\n // bytes_valid indicates the number of bytes of |bytes| that contain valid\n // data.\n size_t bytes_valid;\n // want_additional_input is true if any of the contents of |bytes| were\n // obtained via a method other than from the kernel. In these cases entropy\n // from the kernel is also provided via an additional input to the DRBG.\n int want_additional_input;\n};\n\nDEFINE_BSS_GET(struct entropy_buffer, entropy_buffer, {})\nDEFINE_STATIC_MUTEX(entropy_buffer_lock)\n\nbcm_infallible BCM_rand_load_entropy(const uint8_t *entropy, size_t entropy_len,\n int want_additional_input) {\n struct entropy_buffer *const buffer = entropy_buffer_bss_get();\n\n CRYPTO_MUTEX_lock_write(entropy_buffer_lock_bss_get());\n const size_t space = sizeof(buffer->bytes) - buffer->bytes_valid;\n if (entropy_len > space) {\n entropy_len = space;\n }\n\n OPENSSL_memcpy(&buffer->bytes[buffer->bytes_valid], entropy, entropy_len);\n buffer->bytes_valid += entropy_len;\n buffer->want_additional_input |= want_additional_input && (entropy_len != 0);\n CRYPTO_MUTEX_unlock_write(entropy_buffer_lock_bss_get());\n return bcm_infallible::not_approved;\n}\n\n// get_seed_entropy fills |out_entropy_len| bytes of |out_entropy| from the\n// global |entropy_buffer|.\nstatic void get_seed_entropy(uint8_t *out_entropy, size_t out_entropy_len,\n int *out_want_additional_input) {\n struct entropy_buffer *const buffer = entropy_buffer_bss_get();\n if (out_entropy_len > sizeof(buffer->bytes)) {\n abort();\n }\n\n CRYPTO_MUTEX_lock_write(entropy_buffer_lock_bss_get());\n while (buffer->bytes_valid < out_entropy_len) {\n CRYPTO_MUTEX_unlock_write(entropy_buffer_lock_bss_get());\n RAND_need_entropy(out_entropy_len - buffer->bytes_valid);\n CRYPTO_MUTEX_lock_write(entropy_buffer_lock_bss_get());\n }\n\n *out_want_additional_input = buffer->want_additional_input;\n OPENSSL_memcpy(out_entropy, buffer->bytes, out_entropy_len);\n OPENSSL_memmove(buffer->bytes, &buffer->bytes[out_entropy_len],\n buffer->bytes_valid - out_entropy_len);\n buffer->bytes_valid -= out_entropy_len;\n if (buffer->bytes_valid == 0) {\n buffer->want_additional_input = 0;\n }\n\n CRYPTO_MUTEX_unlock_write(entropy_buffer_lock_bss_get());\n}\n\n// rand_get_seed fills |seed| with entropy. In some cases, it will additionally\n// fill |additional_input| with entropy to supplement |seed|. It sets\n// |*out_additional_input_len| to the number of extra bytes.\nstatic void rand_get_seed(struct rand_thread_state *state,\n uint8_t seed[CTR_DRBG_ENTROPY_LEN],\n uint8_t additional_input[CTR_DRBG_ENTROPY_LEN],\n size_t *out_additional_input_len) {\n uint8_t entropy_bytes[sizeof(state->last_block) +\n CTR_DRBG_ENTROPY_LEN * BORINGSSL_FIPS_OVERREAD];\n uint8_t *entropy = entropy_bytes;\n size_t entropy_len = sizeof(entropy_bytes);\n\n if (state->last_block_valid) {\n // No need to fill |state->last_block| with entropy from the read.\n entropy += sizeof(state->last_block);\n entropy_len -= sizeof(state->last_block);\n }\n\n int want_additional_input;\n get_seed_entropy(entropy, entropy_len, &want_additional_input);\n\n if (!state->last_block_valid) {\n OPENSSL_memcpy(state->last_block, entropy, sizeof(state->last_block));\n entropy += sizeof(state->last_block);\n entropy_len -= sizeof(state->last_block);\n }\n\n // See FIPS 140-2, section 4.9.2. This is the “continuous random number\n // generator test” which causes the program to randomly abort. Hopefully the\n // rate of failure is small enough not to be a problem in practice.\n if (CRYPTO_memcmp(state->last_block, entropy, sizeof(state->last_block)) ==\n 0) {\n fprintf(CRYPTO_get_stderr(), \"CRNGT failed.\\n\");\n BORINGSSL_FIPS_abort();\n }\n\n assert(entropy_len % CRNGT_BLOCK_SIZE == 0);\n for (size_t i = CRNGT_BLOCK_SIZE; i < entropy_len; i += CRNGT_BLOCK_SIZE) {\n if (CRYPTO_memcmp(entropy + i - CRNGT_BLOCK_SIZE, entropy + i,\n CRNGT_BLOCK_SIZE) == 0) {\n fprintf(CRYPTO_get_stderr(), \"CRNGT failed.\\n\");\n BORINGSSL_FIPS_abort();\n }\n }\n OPENSSL_memcpy(state->last_block, entropy + entropy_len - CRNGT_BLOCK_SIZE,\n CRNGT_BLOCK_SIZE);\n\n assert(entropy_len == BORINGSSL_FIPS_OVERREAD * CTR_DRBG_ENTROPY_LEN);\n OPENSSL_memcpy(seed, entropy, CTR_DRBG_ENTROPY_LEN);\n\n for (size_t i = 1; i < BORINGSSL_FIPS_OVERREAD; i++) {\n for (size_t j = 0; j < CTR_DRBG_ENTROPY_LEN; j++) {\n seed[j] ^= entropy[CTR_DRBG_ENTROPY_LEN * i + j];\n }\n }\n\n // If we used something other than system entropy then also\n // opportunistically read from the system. This avoids solely relying on the\n // hardware once the entropy pool has been initialized.\n *out_additional_input_len = 0;\n if (want_additional_input &&\n CRYPTO_sysrand_if_available(additional_input, CTR_DRBG_ENTROPY_LEN)) {\n *out_additional_input_len = CTR_DRBG_ENTROPY_LEN;\n }\n}\n\n#else\n\n// rand_get_seed fills |seed| with entropy. In some cases, it will additionally\n// fill |additional_input| with entropy to supplement |seed|. It sets\n// |*out_additional_input_len| to the number of extra bytes.\nstatic void rand_get_seed(struct rand_thread_state *state,\n uint8_t seed[CTR_DRBG_ENTROPY_LEN],\n uint8_t additional_input[CTR_DRBG_ENTROPY_LEN],\n size_t *out_additional_input_len) {\n // If not in FIPS mode, we don't overread from the system entropy source and\n // we don't depend only on the hardware RDRAND.\n CRYPTO_sysrand_for_seed(seed, CTR_DRBG_ENTROPY_LEN);\n *out_additional_input_len = 0;\n}\n\n#endif\n\nbcm_infallible BCM_rand_bytes_with_additional_data(\n uint8_t *out, size_t out_len, const uint8_t user_additional_data[32]) {\n if (out_len == 0) {\n return bcm_infallible::approved;\n }\n\n const uint64_t fork_generation = CRYPTO_get_fork_generation();\n const int fork_unsafe_buffering = rand_fork_unsafe_buffering_enabled();\n\n // Additional data is mixed into every CTR-DRBG call to protect, as best we\n // can, against forks & VM clones. We do not over-read this information and\n // don't reseed with it so, from the point of view of FIPS, this doesn't\n // provide “prediction resistance”. But, in practice, it does.\n uint8_t additional_data[32];\n // Intel chips have fast RDRAND instructions while, in other cases, RDRAND can\n // be _slower_ than a system call.\n if (!have_fast_rdrand() ||\n !rdrand(additional_data, sizeof(additional_data))) {\n // Without a hardware RNG to save us from address-space duplication, the OS\n // entropy is used. This can be expensive (one read per |RAND_bytes| call)\n // and so is disabled when we have fork detection, or if the application has\n // promised not to fork.\n if (fork_generation != 0 || fork_unsafe_buffering) {\n OPENSSL_memset(additional_data, 0, sizeof(additional_data));\n } else if (!have_rdrand()) {\n // No alternative so block for OS entropy.\n CRYPTO_sysrand(additional_data, sizeof(additional_data));\n } else if (!CRYPTO_sysrand_if_available(additional_data,\n sizeof(additional_data)) &&\n !rdrand(additional_data, sizeof(additional_data))) {\n // RDRAND failed: block for OS entropy.\n CRYPTO_sysrand(additional_data, sizeof(additional_data));\n }\n }\n\n for (size_t i = 0; i < sizeof(additional_data); i++) {\n additional_data[i] ^= user_additional_data[i];\n }\n\n struct rand_thread_state stack_state;\n struct rand_thread_state *state = reinterpret_cast(\n CRYPTO_get_thread_local(OPENSSL_THREAD_LOCAL_RAND));\n\n if (state == NULL) {\n state = reinterpret_cast(\n OPENSSL_zalloc(sizeof(struct rand_thread_state)));\n if (state == NULL ||\n !CRYPTO_set_thread_local(OPENSSL_THREAD_LOCAL_RAND, state,\n rand_thread_state_free)) {\n // If the system is out of memory, use an ephemeral state on the\n // stack.\n state = &stack_state;\n }\n\n state->last_block_valid = 0;\n uint8_t seed[CTR_DRBG_ENTROPY_LEN];\n uint8_t personalization[CTR_DRBG_ENTROPY_LEN] = {0};\n size_t personalization_len = 0;\n rand_get_seed(state, seed, personalization, &personalization_len);\n\n if (!CTR_DRBG_init(&state->drbg, seed, personalization,\n personalization_len)) {\n abort();\n }\n state->calls = 0;\n state->fork_generation = fork_generation;\n state->fork_unsafe_buffering = fork_unsafe_buffering;\n\n#if defined(BORINGSSL_FIPS)\n CRYPTO_MUTEX_init(&state->clear_drbg_lock);\n if (state != &stack_state) {\n CRYPTO_MUTEX_lock_write(thread_states_list_lock_bss_get());\n struct rand_thread_state **states_list = thread_states_list_bss_get();\n state->next = *states_list;\n if (state->next != NULL) {\n state->next->prev = state;\n }\n state->prev = NULL;\n *states_list = state;\n CRYPTO_MUTEX_unlock_write(thread_states_list_lock_bss_get());\n }\n#endif\n }\n\n if (state->calls >= kReseedInterval ||\n // If we've forked since |state| was last seeded, reseed.\n state->fork_generation != fork_generation ||\n // If |state| was seeded from a state with different fork-safety\n // preferences, reseed. Suppose |state| was fork-safe, then forked into\n // two children, but each of the children never fork and disable fork\n // safety. The children must reseed to avoid working from the same PRNG\n // state.\n state->fork_unsafe_buffering != fork_unsafe_buffering) {\n uint8_t seed[CTR_DRBG_ENTROPY_LEN];\n uint8_t reseed_additional_data[CTR_DRBG_ENTROPY_LEN] = {0};\n size_t reseed_additional_data_len = 0;\n rand_get_seed(state, seed, reseed_additional_data,\n &reseed_additional_data_len);\n#if defined(BORINGSSL_FIPS)\n // Take a read lock around accesses to |state->drbg|. This is needed to\n // avoid returning bad entropy if we race with\n // |rand_thread_state_clear_all|.\n CRYPTO_MUTEX_lock_read(&state->clear_drbg_lock);\n#endif\n if (!CTR_DRBG_reseed(&state->drbg, seed, reseed_additional_data,\n reseed_additional_data_len)) {\n abort();\n }\n state->calls = 0;\n state->fork_generation = fork_generation;\n state->fork_unsafe_buffering = fork_unsafe_buffering;\n } else {\n#if defined(BORINGSSL_FIPS)\n CRYPTO_MUTEX_lock_read(&state->clear_drbg_lock);\n#endif\n }\n\n int first_call = 1;\n while (out_len > 0) {\n size_t todo = out_len;\n if (todo > CTR_DRBG_MAX_GENERATE_LENGTH) {\n todo = CTR_DRBG_MAX_GENERATE_LENGTH;\n }\n\n if (!CTR_DRBG_generate(&state->drbg, out, todo, additional_data,\n first_call ? sizeof(additional_data) : 0)) {\n abort();\n }\n\n out += todo;\n out_len -= todo;\n // Though we only check before entering the loop, this cannot add enough to\n // overflow a |size_t|.\n state->calls++;\n first_call = 0;\n }\n\n if (state == &stack_state) {\n CTR_DRBG_clear(&state->drbg);\n }\n\n#if defined(BORINGSSL_FIPS)\n CRYPTO_MUTEX_unlock_read(&state->clear_drbg_lock);\n#endif\n return bcm_infallible::approved;\n}\n\nbcm_infallible BCM_rand_bytes(uint8_t *out, size_t out_len) {\n static const uint8_t kZeroAdditionalData[32] = {0};\n BCM_rand_bytes_with_additional_data(out, out_len, kZeroAdditionalData);\n return bcm_infallible::approved;\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/fipsmodule/rsa/blinding.cc.inc", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n\n#include \n#include \n#include \n\n#include \"../../internal.h\"\n#include \"internal.h\"\n\n\n#define BN_BLINDING_COUNTER 32\n\nstruct bn_blinding_st {\n BIGNUM *A; // The base blinding factor, Montgomery-encoded.\n BIGNUM *Ai; // The inverse of the blinding factor, Montgomery-encoded.\n unsigned counter;\n};\n\nstatic int bn_blinding_create_param(BN_BLINDING *b, const BIGNUM *e,\n const BN_MONT_CTX *mont, BN_CTX *ctx);\n\nBN_BLINDING *BN_BLINDING_new(void) {\n BN_BLINDING *ret =\n reinterpret_cast(OPENSSL_zalloc(sizeof(BN_BLINDING)));\n if (ret == NULL) {\n return NULL;\n }\n\n ret->A = BN_new();\n if (ret->A == NULL) {\n goto err;\n }\n\n ret->Ai = BN_new();\n if (ret->Ai == NULL) {\n goto err;\n }\n\n // The blinding values need to be created before this blinding can be used.\n ret->counter = BN_BLINDING_COUNTER - 1;\n\n return ret;\n\nerr:\n BN_BLINDING_free(ret);\n return NULL;\n}\n\nvoid BN_BLINDING_free(BN_BLINDING *r) {\n if (r == nullptr) {\n return;\n }\n BN_free(r->A);\n BN_free(r->Ai);\n OPENSSL_free(r);\n}\n\nvoid BN_BLINDING_invalidate(BN_BLINDING *b) {\n b->counter = BN_BLINDING_COUNTER - 1;\n}\n\nstatic int bn_blinding_update(BN_BLINDING *b, const BIGNUM *e,\n const BN_MONT_CTX *mont, BN_CTX *ctx) {\n if (++b->counter == BN_BLINDING_COUNTER) {\n // re-create blinding parameters\n if (!bn_blinding_create_param(b, e, mont, ctx)) {\n goto err;\n }\n b->counter = 0;\n } else {\n if (!BN_mod_mul_montgomery(b->A, b->A, b->A, mont, ctx) ||\n !BN_mod_mul_montgomery(b->Ai, b->Ai, b->Ai, mont, ctx)) {\n goto err;\n }\n }\n\n return 1;\n\nerr:\n // |A| and |Ai| may be in an inconsistent state so they both need to be\n // replaced the next time this blinding is used. Note that this is only\n // sufficient because support for |BN_BLINDING_NO_UPDATE| and\n // |BN_BLINDING_NO_RECREATE| was previously dropped.\n b->counter = BN_BLINDING_COUNTER - 1;\n\n return 0;\n}\n\nint BN_BLINDING_convert(BIGNUM *n, BN_BLINDING *b, const BIGNUM *e,\n const BN_MONT_CTX *mont, BN_CTX *ctx) {\n // |n| is not Montgomery-encoded and |b->A| is. |BN_mod_mul_montgomery|\n // cancels one Montgomery factor, so the resulting value of |n| is unencoded.\n if (!bn_blinding_update(b, e, mont, ctx) ||\n !BN_mod_mul_montgomery(n, n, b->A, mont, ctx)) {\n return 0;\n }\n\n return 1;\n}\n\nint BN_BLINDING_invert(BIGNUM *n, const BN_BLINDING *b, BN_MONT_CTX *mont,\n BN_CTX *ctx) {\n // |n| is not Montgomery-encoded and |b->A| is. |BN_mod_mul_montgomery|\n // cancels one Montgomery factor, so the resulting value of |n| is unencoded.\n return BN_mod_mul_montgomery(n, n, b->Ai, mont, ctx);\n}\n\nstatic int bn_blinding_create_param(BN_BLINDING *b, const BIGNUM *e,\n const BN_MONT_CTX *mont, BN_CTX *ctx) {\n int no_inverse;\n if (!BN_rand_range_ex(b->A, 1, &mont->N) ||\n // Compute |b->A|^-1 in Montgomery form. Note |BN_from_montgomery| +\n // |BN_mod_inverse_blinded| is equivalent to, but more efficient than,\n // |BN_mod_inverse_blinded| + |BN_to_montgomery|.\n //\n // We do not retry if |b->A| has no inverse. Finding a non-invertible\n // value of |b->A| is equivalent to factoring |mont->N|. There is\n // negligible probability of stumbling on one at random.\n !BN_from_montgomery(b->Ai, b->A, mont, ctx) ||\n !BN_mod_inverse_blinded(b->Ai, &no_inverse, b->Ai, mont, ctx) ||\n // TODO(davidben): |BN_mod_exp_mont| internally computes the result in\n // Montgomery form. Save a pair of Montgomery reductions and a\n // multiplication by returning that value directly.\n !BN_mod_exp_mont(b->A, b->A, e, &mont->N, ctx, mont) ||\n !BN_to_montgomery(b->A, b->A, mont, ctx)) {\n OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR);\n return 0;\n }\n\n return 1;\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/fipsmodule/rsa/internal.h", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#ifndef OPENSSL_HEADER_RSA_INTERNAL_H\n#define OPENSSL_HEADER_RSA_INTERNAL_H\n\n#include \n\n#include \n#include \n\n#include \"../../internal.h\"\n\n#if defined(__cplusplus)\nextern \"C\" {\n#endif\n\n\ntypedef struct bn_blinding_st BN_BLINDING;\n\nstruct rsa_st {\n RSA_METHOD *meth;\n\n BIGNUM *n;\n BIGNUM *e;\n BIGNUM *d;\n BIGNUM *p;\n BIGNUM *q;\n BIGNUM *dmp1;\n BIGNUM *dmq1;\n BIGNUM *iqmp;\n\n // be careful using this if the RSA structure is shared\n CRYPTO_EX_DATA ex_data;\n CRYPTO_refcount_t references;\n int flags;\n\n CRYPTO_MUTEX lock;\n\n // Used to cache montgomery values. The creation of these values is protected\n // by |lock|.\n BN_MONT_CTX *mont_n;\n BN_MONT_CTX *mont_p;\n BN_MONT_CTX *mont_q;\n\n // The following fields are copies of |d|, |dmp1|, and |dmq1|, respectively,\n // but with the correct widths to prevent side channels. These must use\n // separate copies due to threading concerns caused by OpenSSL's API\n // mistakes. See https://github.com/openssl/openssl/issues/5158 and\n // the |freeze_private_key| implementation.\n BIGNUM *d_fixed, *dmp1_fixed, *dmq1_fixed;\n\n // iqmp_mont is q^-1 mod p in Montgomery form, using |mont_p|.\n BIGNUM *iqmp_mont;\n\n // num_blindings contains the size of the |blindings| and |blindings_inuse|\n // arrays. This member and the |blindings_inuse| array are protected by\n // |lock|.\n size_t num_blindings;\n // blindings is an array of BN_BLINDING structures that can be reserved by a\n // thread by locking |lock| and changing the corresponding element in\n // |blindings_inuse| from 0 to 1.\n BN_BLINDING **blindings;\n unsigned char *blindings_inuse;\n uint64_t blinding_fork_generation;\n\n // private_key_frozen is one if the key has been used for a private key\n // operation and may no longer be mutated.\n unsigned private_key_frozen:1;\n};\n\n\n#define RSA_PKCS1_PADDING_SIZE 11\n\n// Default implementations of RSA operations.\n\nconst RSA_METHOD *RSA_default_method(void);\n\nint rsa_default_sign_raw(RSA *rsa, size_t *out_len, uint8_t *out,\n size_t max_out, const uint8_t *in, size_t in_len,\n int padding);\nint rsa_default_private_transform(RSA *rsa, uint8_t *out, const uint8_t *in,\n size_t len);\n\n\nBN_BLINDING *BN_BLINDING_new(void);\nvoid BN_BLINDING_free(BN_BLINDING *b);\nvoid BN_BLINDING_invalidate(BN_BLINDING *b);\nint BN_BLINDING_convert(BIGNUM *n, BN_BLINDING *b, const BIGNUM *e,\n const BN_MONT_CTX *mont_ctx, BN_CTX *ctx);\nint BN_BLINDING_invert(BIGNUM *n, const BN_BLINDING *b, BN_MONT_CTX *mont_ctx,\n BN_CTX *ctx);\n\n\nint PKCS1_MGF1(uint8_t *out, size_t len, const uint8_t *seed, size_t seed_len,\n const EVP_MD *md);\nint RSA_padding_add_PKCS1_type_1(uint8_t *to, size_t to_len,\n const uint8_t *from, size_t from_len);\nint RSA_padding_check_PKCS1_type_1(uint8_t *out, size_t *out_len,\n size_t max_out, const uint8_t *from,\n size_t from_len);\nint RSA_padding_add_none(uint8_t *to, size_t to_len, const uint8_t *from,\n size_t from_len);\n\n// rsa_check_public_key checks that |rsa|'s public modulus and exponent are\n// within DoS bounds.\nint rsa_check_public_key(const RSA *rsa);\n\n// rsa_private_transform_no_self_test calls either the method-specific\n// |private_transform| function (if given) or the generic one. See the comment\n// for |private_transform| in |rsa_meth_st|.\nint rsa_private_transform_no_self_test(RSA *rsa, uint8_t *out,\n const uint8_t *in, size_t len);\n\n// rsa_private_transform acts the same as |rsa_private_transform_no_self_test|\n// but, in FIPS mode, performs an RSA self test before calling the default RSA\n// implementation.\nint rsa_private_transform(RSA *rsa, uint8_t *out, const uint8_t *in,\n size_t len);\n\n// rsa_invalidate_key is called after |rsa| has been mutated, to invalidate\n// fields derived from the original structure. This function assumes exclusive\n// access to |rsa|. In particular, no other thread may be concurrently signing,\n// etc., with |rsa|.\nvoid rsa_invalidate_key(RSA *rsa);\n\n\n// This constant is exported for test purposes.\nextern const BN_ULONG kBoringSSLRSASqrtTwo[];\nextern const size_t kBoringSSLRSASqrtTwoLen;\n\n\n// Functions that avoid self-tests.\n//\n// Self-tests need to call functions that don't try and ensure that the\n// self-tests have passed. These functions, in turn, need to limit themselves\n// to such functions too.\n//\n// These functions are the same as their public versions, but skip the self-test\n// check.\n\nint rsa_verify_no_self_test(int hash_nid, const uint8_t *digest,\n size_t digest_len, const uint8_t *sig,\n size_t sig_len, RSA *rsa);\n\nint rsa_verify_raw_no_self_test(RSA *rsa, size_t *out_len, uint8_t *out,\n size_t max_out, const uint8_t *in,\n size_t in_len, int padding);\n\nint rsa_sign_no_self_test(int hash_nid, const uint8_t *digest,\n size_t digest_len, uint8_t *out, unsigned *out_len,\n RSA *rsa);\n\n\n#if defined(__cplusplus)\n} // extern C\n#endif\n\n#endif // OPENSSL_HEADER_RSA_INTERNAL_H\n" }, { "path": "Sources/CNIOBoringSSL/crypto/fipsmodule/rsa/padding.cc.inc", "content": "/*\n * Copyright 2005-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n#include \n#include \n\n#include \n#include \n#include \n#include \n\n#include \"../../internal.h\"\n#include \"../bcm_interface.h\"\n#include \"../service_indicator/internal.h\"\n#include \"internal.h\"\n\n\nint RSA_padding_add_PKCS1_type_1(uint8_t *to, size_t to_len,\n const uint8_t *from, size_t from_len) {\n // See RFC 8017, section 9.2.\n if (to_len < RSA_PKCS1_PADDING_SIZE) {\n OPENSSL_PUT_ERROR(RSA, RSA_R_KEY_SIZE_TOO_SMALL);\n return 0;\n }\n\n if (from_len > to_len - RSA_PKCS1_PADDING_SIZE) {\n OPENSSL_PUT_ERROR(RSA, RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY);\n return 0;\n }\n\n to[0] = 0;\n to[1] = 1;\n OPENSSL_memset(to + 2, 0xff, to_len - 3 - from_len);\n to[to_len - from_len - 1] = 0;\n OPENSSL_memcpy(to + to_len - from_len, from, from_len);\n return 1;\n}\n\nint RSA_padding_check_PKCS1_type_1(uint8_t *out, size_t *out_len,\n size_t max_out, const uint8_t *from,\n size_t from_len) {\n // See RFC 8017, section 9.2. This is part of signature verification and thus\n // does not need to run in constant-time.\n if (from_len < 2) {\n OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_SMALL);\n return 0;\n }\n\n // Check the header.\n if (from[0] != 0 || from[1] != 1) {\n OPENSSL_PUT_ERROR(RSA, RSA_R_BLOCK_TYPE_IS_NOT_01);\n return 0;\n }\n\n // Scan over padded data, looking for the 00.\n size_t pad;\n for (pad = 2 /* header */; pad < from_len; pad++) {\n if (from[pad] == 0x00) {\n break;\n }\n\n if (from[pad] != 0xff) {\n OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_FIXED_HEADER_DECRYPT);\n return 0;\n }\n }\n\n if (pad == from_len) {\n OPENSSL_PUT_ERROR(RSA, RSA_R_NULL_BEFORE_BLOCK_MISSING);\n return 0;\n }\n\n if (pad < 2 /* header */ + 8) {\n OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_PAD_BYTE_COUNT);\n return 0;\n }\n\n // Skip over the 00.\n pad++;\n\n if (from_len - pad > max_out) {\n OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE);\n return 0;\n }\n\n OPENSSL_memcpy(out, from + pad, from_len - pad);\n *out_len = from_len - pad;\n return 1;\n}\n\nint RSA_padding_add_none(uint8_t *to, size_t to_len, const uint8_t *from,\n size_t from_len) {\n if (from_len > to_len) {\n OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);\n return 0;\n }\n\n if (from_len < to_len) {\n OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_SMALL);\n return 0;\n }\n\n OPENSSL_memcpy(to, from, from_len);\n return 1;\n}\n\nint PKCS1_MGF1(uint8_t *out, size_t len, const uint8_t *seed, size_t seed_len,\n const EVP_MD *md) {\n int ret = 0;\n EVP_MD_CTX ctx;\n EVP_MD_CTX_init(&ctx);\n FIPS_service_indicator_lock_state();\n\n size_t md_len = EVP_MD_size(md);\n\n for (uint32_t i = 0; len > 0; i++) {\n uint8_t counter[4];\n counter[0] = (uint8_t)(i >> 24);\n counter[1] = (uint8_t)(i >> 16);\n counter[2] = (uint8_t)(i >> 8);\n counter[3] = (uint8_t)i;\n if (!EVP_DigestInit_ex(&ctx, md, NULL) ||\n !EVP_DigestUpdate(&ctx, seed, seed_len) ||\n !EVP_DigestUpdate(&ctx, counter, sizeof(counter))) {\n goto err;\n }\n\n if (md_len <= len) {\n if (!EVP_DigestFinal_ex(&ctx, out, NULL)) {\n goto err;\n }\n out += md_len;\n len -= md_len;\n } else {\n uint8_t digest[EVP_MAX_MD_SIZE];\n if (!EVP_DigestFinal_ex(&ctx, digest, NULL)) {\n goto err;\n }\n OPENSSL_memcpy(out, digest, len);\n len = 0;\n }\n }\n\n ret = 1;\n\nerr:\n EVP_MD_CTX_cleanup(&ctx);\n FIPS_service_indicator_unlock_state();\n return ret;\n}\n\nstatic const uint8_t kPSSZeroes[] = {0, 0, 0, 0, 0, 0, 0, 0};\n\nint RSA_verify_PKCS1_PSS_mgf1(const RSA *rsa, const uint8_t *mHash,\n const EVP_MD *Hash, const EVP_MD *mgf1Hash,\n const uint8_t *EM, int sLen) {\n if (mgf1Hash == NULL) {\n mgf1Hash = Hash;\n }\n\n int ret = 0;\n uint8_t *DB = NULL;\n const uint8_t *H;\n EVP_MD_CTX ctx;\n EVP_MD_CTX_init(&ctx);\n unsigned MSBits;\n size_t emLen, maskedDBLen, salt_start;\n FIPS_service_indicator_lock_state();\n\n // Negative sLen has special meanings:\n // -1 sLen == hLen\n // -2 salt length is autorecovered from signature\n // -N reserved\n size_t hLen = EVP_MD_size(Hash);\n if (sLen == -1) {\n sLen = (int)hLen;\n } else if (sLen == -2) {\n sLen = -2;\n } else if (sLen < -2) {\n OPENSSL_PUT_ERROR(RSA, RSA_R_SLEN_CHECK_FAILED);\n goto err;\n }\n\n MSBits = (BN_num_bits(rsa->n) - 1) & 0x7;\n emLen = RSA_size(rsa);\n if (EM[0] & (0xFF << MSBits)) {\n OPENSSL_PUT_ERROR(RSA, RSA_R_FIRST_OCTET_INVALID);\n goto err;\n }\n if (MSBits == 0) {\n EM++;\n emLen--;\n }\n // |sLen| may be -2 for the non-standard salt length recovery mode.\n if (emLen < hLen + 2 || (sLen >= 0 && emLen < hLen + (size_t)sLen + 2)) {\n OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE);\n goto err;\n }\n if (EM[emLen - 1] != 0xbc) {\n OPENSSL_PUT_ERROR(RSA, RSA_R_LAST_OCTET_INVALID);\n goto err;\n }\n maskedDBLen = emLen - hLen - 1;\n H = EM + maskedDBLen;\n DB = reinterpret_cast(OPENSSL_malloc(maskedDBLen));\n if (!DB) {\n goto err;\n }\n if (!PKCS1_MGF1(DB, maskedDBLen, H, hLen, mgf1Hash)) {\n goto err;\n }\n for (size_t i = 0; i < maskedDBLen; i++) {\n DB[i] ^= EM[i];\n }\n if (MSBits) {\n DB[0] &= 0xFF >> (8 - MSBits);\n }\n // This step differs slightly from EMSA-PSS-VERIFY (RFC 8017) step 10 because\n // it accepts a non-standard salt recovery flow. DB should be some number of\n // zeros, a one, then the salt.\n for (salt_start = 0; DB[salt_start] == 0 && salt_start < maskedDBLen - 1;\n salt_start++) {\n ;\n }\n if (DB[salt_start] != 0x1) {\n OPENSSL_PUT_ERROR(RSA, RSA_R_SLEN_RECOVERY_FAILED);\n goto err;\n }\n salt_start++;\n // If a salt length was specified, check it matches.\n if (sLen >= 0 && maskedDBLen - salt_start != (size_t)sLen) {\n OPENSSL_PUT_ERROR(RSA, RSA_R_SLEN_CHECK_FAILED);\n goto err;\n }\n uint8_t H_[EVP_MAX_MD_SIZE];\n if (!EVP_DigestInit_ex(&ctx, Hash, NULL) ||\n !EVP_DigestUpdate(&ctx, kPSSZeroes, sizeof(kPSSZeroes)) ||\n !EVP_DigestUpdate(&ctx, mHash, hLen) ||\n !EVP_DigestUpdate(&ctx, DB + salt_start, maskedDBLen - salt_start) ||\n !EVP_DigestFinal_ex(&ctx, H_, NULL)) {\n goto err;\n }\n if (OPENSSL_memcmp(H_, H, hLen) != 0) {\n OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_SIGNATURE);\n goto err;\n }\n\n ret = 1;\n\nerr:\n OPENSSL_free(DB);\n EVP_MD_CTX_cleanup(&ctx);\n FIPS_service_indicator_unlock_state();\n return ret;\n}\n\nint RSA_padding_add_PKCS1_PSS_mgf1(const RSA *rsa, unsigned char *EM,\n const unsigned char *mHash,\n const EVP_MD *Hash, const EVP_MD *mgf1Hash,\n int sLenRequested) {\n int ret = 0, digest_ok;\n size_t maskedDBLen, MSBits, emLen;\n size_t hLen;\n unsigned char *H, *salt = NULL, *p;\n\n if (mgf1Hash == NULL) {\n mgf1Hash = Hash;\n }\n\n FIPS_service_indicator_lock_state();\n hLen = EVP_MD_size(Hash);\n\n if (BN_is_zero(rsa->n)) {\n OPENSSL_PUT_ERROR(RSA, RSA_R_EMPTY_PUBLIC_KEY);\n goto err;\n }\n\n MSBits = (BN_num_bits(rsa->n) - 1) & 0x7;\n emLen = RSA_size(rsa);\n if (MSBits == 0) {\n assert(emLen >= 1);\n *EM++ = 0;\n emLen--;\n }\n\n if (emLen < hLen + 2) {\n OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);\n goto err;\n }\n\n // Negative sLenRequested has special meanings:\n // -1 sLen == hLen\n // -2 salt length is maximized\n // -N reserved\n size_t sLen;\n if (sLenRequested == -1) {\n sLen = hLen;\n } else if (sLenRequested == -2) {\n sLen = emLen - hLen - 2;\n } else if (sLenRequested < 0) {\n OPENSSL_PUT_ERROR(RSA, RSA_R_SLEN_CHECK_FAILED);\n goto err;\n } else {\n sLen = (size_t)sLenRequested;\n }\n\n if (emLen - hLen - 2 < sLen) {\n OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);\n goto err;\n }\n\n if (sLen > 0) {\n salt = reinterpret_cast(OPENSSL_malloc(sLen));\n if (!salt) {\n goto err;\n }\n BCM_rand_bytes(salt, sLen);\n }\n maskedDBLen = emLen - hLen - 1;\n H = EM + maskedDBLen;\n\n EVP_MD_CTX ctx;\n EVP_MD_CTX_init(&ctx);\n digest_ok = EVP_DigestInit_ex(&ctx, Hash, NULL) &&\n EVP_DigestUpdate(&ctx, kPSSZeroes, sizeof(kPSSZeroes)) &&\n EVP_DigestUpdate(&ctx, mHash, hLen) &&\n EVP_DigestUpdate(&ctx, salt, sLen) &&\n EVP_DigestFinal_ex(&ctx, H, NULL);\n EVP_MD_CTX_cleanup(&ctx);\n if (!digest_ok) {\n goto err;\n }\n\n // Generate dbMask in place then perform XOR on it\n if (!PKCS1_MGF1(EM, maskedDBLen, H, hLen, mgf1Hash)) {\n goto err;\n }\n\n p = EM;\n // Initial PS XORs with all zeroes which is a NOP so just update\n // pointer. Note from a test above this value is guaranteed to\n // be non-negative.\n p += emLen - sLen - hLen - 2;\n *p++ ^= 0x1;\n if (sLen > 0) {\n for (size_t i = 0; i < sLen; i++) {\n *p++ ^= salt[i];\n }\n }\n if (MSBits) {\n EM[0] &= 0xFF >> (8 - MSBits);\n }\n\n // H is already in place so just set final 0xbc\n\n EM[emLen - 1] = 0xbc;\n\n ret = 1;\n\nerr:\n OPENSSL_free(salt);\n FIPS_service_indicator_unlock_state();\n\n return ret;\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/fipsmodule/rsa/rsa.cc.inc", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n#include \n#include \n\n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n\n#include \"../../internal.h\"\n#include \"../bcm_interface.h\"\n#include \"../bn/internal.h\"\n#include \"../delocate.h\"\n#include \"internal.h\"\n\n\n// RSA_R_BLOCK_TYPE_IS_NOT_02 is part of the legacy SSLv23 padding scheme.\n// Cryptography.io depends on this error code.\nOPENSSL_DECLARE_ERROR_REASON(RSA, BLOCK_TYPE_IS_NOT_02)\n\nDEFINE_STATIC_EX_DATA_CLASS(g_rsa_ex_data_class)\n\nstatic int bn_dup_into(BIGNUM **dst, const BIGNUM *src) {\n if (src == NULL) {\n OPENSSL_PUT_ERROR(RSA, ERR_R_PASSED_NULL_PARAMETER);\n return 0;\n }\n\n BN_free(*dst);\n *dst = BN_dup(src);\n return *dst != NULL;\n}\n\nRSA *RSA_new_public_key(const BIGNUM *n, const BIGNUM *e) {\n RSA *rsa = RSA_new();\n if (rsa == NULL || //\n !bn_dup_into(&rsa->n, n) || //\n !bn_dup_into(&rsa->e, e) || //\n !RSA_check_key(rsa)) {\n RSA_free(rsa);\n return NULL;\n }\n\n return rsa;\n}\n\nRSA *RSA_new_private_key(const BIGNUM *n, const BIGNUM *e, const BIGNUM *d,\n const BIGNUM *p, const BIGNUM *q, const BIGNUM *dmp1,\n const BIGNUM *dmq1, const BIGNUM *iqmp) {\n RSA *rsa = RSA_new();\n if (rsa == NULL || //\n !bn_dup_into(&rsa->n, n) || //\n !bn_dup_into(&rsa->e, e) || //\n !bn_dup_into(&rsa->d, d) || //\n !bn_dup_into(&rsa->p, p) || //\n !bn_dup_into(&rsa->q, q) || //\n !bn_dup_into(&rsa->dmp1, dmp1) || //\n !bn_dup_into(&rsa->dmq1, dmq1) || //\n !bn_dup_into(&rsa->iqmp, iqmp) || //\n !RSA_check_key(rsa)) {\n RSA_free(rsa);\n return NULL;\n }\n\n return rsa;\n}\n\nRSA *RSA_new_private_key_no_crt(const BIGNUM *n, const BIGNUM *e,\n const BIGNUM *d) {\n RSA *rsa = RSA_new();\n if (rsa == NULL || //\n !bn_dup_into(&rsa->n, n) || //\n !bn_dup_into(&rsa->e, e) || //\n !bn_dup_into(&rsa->d, d) || //\n !RSA_check_key(rsa)) {\n RSA_free(rsa);\n return NULL;\n }\n\n return rsa;\n}\n\nRSA *RSA_new_private_key_no_e(const BIGNUM *n, const BIGNUM *d) {\n RSA *rsa = RSA_new();\n if (rsa == NULL) {\n return NULL;\n }\n\n rsa->flags |= RSA_FLAG_NO_PUBLIC_EXPONENT;\n if (!bn_dup_into(&rsa->n, n) || //\n !bn_dup_into(&rsa->d, d) || //\n !RSA_check_key(rsa)) {\n RSA_free(rsa);\n return NULL;\n }\n\n return rsa;\n}\n\nRSA *RSA_new_public_key_large_e(const BIGNUM *n, const BIGNUM *e) {\n RSA *rsa = RSA_new();\n if (rsa == NULL) {\n return NULL;\n }\n\n rsa->flags |= RSA_FLAG_LARGE_PUBLIC_EXPONENT;\n if (!bn_dup_into(&rsa->n, n) || //\n !bn_dup_into(&rsa->e, e) || //\n !RSA_check_key(rsa)) {\n RSA_free(rsa);\n return NULL;\n }\n\n return rsa;\n}\n\nRSA *RSA_new_private_key_large_e(const BIGNUM *n, const BIGNUM *e,\n const BIGNUM *d, const BIGNUM *p,\n const BIGNUM *q, const BIGNUM *dmp1,\n const BIGNUM *dmq1, const BIGNUM *iqmp) {\n RSA *rsa = RSA_new();\n if (rsa == NULL) {\n return NULL;\n }\n\n rsa->flags |= RSA_FLAG_LARGE_PUBLIC_EXPONENT;\n if (!bn_dup_into(&rsa->n, n) || //\n !bn_dup_into(&rsa->e, e) || //\n !bn_dup_into(&rsa->d, d) || //\n !bn_dup_into(&rsa->p, p) || //\n !bn_dup_into(&rsa->q, q) || //\n !bn_dup_into(&rsa->dmp1, dmp1) || //\n !bn_dup_into(&rsa->dmq1, dmq1) || //\n !bn_dup_into(&rsa->iqmp, iqmp) || //\n !RSA_check_key(rsa)) {\n RSA_free(rsa);\n return NULL;\n }\n\n return rsa;\n}\n\nRSA *RSA_new(void) { return RSA_new_method(NULL); }\n\nRSA *RSA_new_method(const ENGINE *engine) {\n RSA *rsa = reinterpret_cast(OPENSSL_zalloc(sizeof(RSA)));\n if (rsa == NULL) {\n return NULL;\n }\n\n if (engine) {\n rsa->meth = ENGINE_get_RSA_method(engine);\n }\n\n if (rsa->meth == NULL) {\n rsa->meth = (RSA_METHOD *)RSA_default_method();\n }\n METHOD_ref(rsa->meth);\n\n rsa->references = 1;\n rsa->flags = rsa->meth->flags;\n CRYPTO_MUTEX_init(&rsa->lock);\n CRYPTO_new_ex_data(&rsa->ex_data);\n\n if (rsa->meth->init && !rsa->meth->init(rsa)) {\n CRYPTO_free_ex_data(g_rsa_ex_data_class_bss_get(), rsa, &rsa->ex_data);\n CRYPTO_MUTEX_cleanup(&rsa->lock);\n METHOD_unref(rsa->meth);\n OPENSSL_free(rsa);\n return NULL;\n }\n\n return rsa;\n}\n\nRSA *RSA_new_method_no_e(const ENGINE *engine, const BIGNUM *n) {\n RSA *rsa = RSA_new_method(engine);\n if (rsa == NULL || !bn_dup_into(&rsa->n, n)) {\n RSA_free(rsa);\n return NULL;\n }\n rsa->flags |= RSA_FLAG_NO_PUBLIC_EXPONENT;\n return rsa;\n}\n\nvoid RSA_free(RSA *rsa) {\n if (rsa == NULL) {\n return;\n }\n\n if (!CRYPTO_refcount_dec_and_test_zero(&rsa->references)) {\n return;\n }\n\n if (rsa->meth->finish) {\n rsa->meth->finish(rsa);\n }\n METHOD_unref(rsa->meth);\n\n CRYPTO_free_ex_data(g_rsa_ex_data_class_bss_get(), rsa, &rsa->ex_data);\n\n BN_free(rsa->n);\n BN_free(rsa->e);\n BN_free(rsa->d);\n BN_free(rsa->p);\n BN_free(rsa->q);\n BN_free(rsa->dmp1);\n BN_free(rsa->dmq1);\n BN_free(rsa->iqmp);\n rsa_invalidate_key(rsa);\n CRYPTO_MUTEX_cleanup(&rsa->lock);\n OPENSSL_free(rsa);\n}\n\nint RSA_up_ref(RSA *rsa) {\n CRYPTO_refcount_inc(&rsa->references);\n return 1;\n}\n\nunsigned RSA_bits(const RSA *rsa) { return BN_num_bits(rsa->n); }\n\nconst BIGNUM *RSA_get0_n(const RSA *rsa) { return rsa->n; }\n\nconst BIGNUM *RSA_get0_e(const RSA *rsa) { return rsa->e; }\n\nconst BIGNUM *RSA_get0_d(const RSA *rsa) { return rsa->d; }\n\nconst BIGNUM *RSA_get0_p(const RSA *rsa) { return rsa->p; }\n\nconst BIGNUM *RSA_get0_q(const RSA *rsa) { return rsa->q; }\n\nconst BIGNUM *RSA_get0_dmp1(const RSA *rsa) { return rsa->dmp1; }\n\nconst BIGNUM *RSA_get0_dmq1(const RSA *rsa) { return rsa->dmq1; }\n\nconst BIGNUM *RSA_get0_iqmp(const RSA *rsa) { return rsa->iqmp; }\n\nvoid RSA_get0_key(const RSA *rsa, const BIGNUM **out_n, const BIGNUM **out_e,\n const BIGNUM **out_d) {\n if (out_n != NULL) {\n *out_n = rsa->n;\n }\n if (out_e != NULL) {\n *out_e = rsa->e;\n }\n if (out_d != NULL) {\n *out_d = rsa->d;\n }\n}\n\nvoid RSA_get0_factors(const RSA *rsa, const BIGNUM **out_p,\n const BIGNUM **out_q) {\n if (out_p != NULL) {\n *out_p = rsa->p;\n }\n if (out_q != NULL) {\n *out_q = rsa->q;\n }\n}\n\nconst RSA_PSS_PARAMS *RSA_get0_pss_params(const RSA *rsa) {\n // We do not support the id-RSASSA-PSS key encoding. If we add support later,\n // the |maskHash| field should be filled in for OpenSSL compatibility.\n return NULL;\n}\n\nvoid RSA_get0_crt_params(const RSA *rsa, const BIGNUM **out_dmp1,\n const BIGNUM **out_dmq1, const BIGNUM **out_iqmp) {\n if (out_dmp1 != NULL) {\n *out_dmp1 = rsa->dmp1;\n }\n if (out_dmq1 != NULL) {\n *out_dmq1 = rsa->dmq1;\n }\n if (out_iqmp != NULL) {\n *out_iqmp = rsa->iqmp;\n }\n}\n\nint RSA_set0_key(RSA *rsa, BIGNUM *n, BIGNUM *e, BIGNUM *d) {\n if ((rsa->n == NULL && n == NULL) || (rsa->e == NULL && e == NULL)) {\n return 0;\n }\n\n if (n != NULL) {\n BN_free(rsa->n);\n rsa->n = n;\n }\n if (e != NULL) {\n BN_free(rsa->e);\n rsa->e = e;\n }\n if (d != NULL) {\n BN_free(rsa->d);\n rsa->d = d;\n }\n\n rsa_invalidate_key(rsa);\n return 1;\n}\n\nint RSA_set0_factors(RSA *rsa, BIGNUM *p, BIGNUM *q) {\n if ((rsa->p == NULL && p == NULL) || (rsa->q == NULL && q == NULL)) {\n return 0;\n }\n\n if (p != NULL) {\n BN_free(rsa->p);\n rsa->p = p;\n }\n if (q != NULL) {\n BN_free(rsa->q);\n rsa->q = q;\n }\n\n rsa_invalidate_key(rsa);\n return 1;\n}\n\nint RSA_set0_crt_params(RSA *rsa, BIGNUM *dmp1, BIGNUM *dmq1, BIGNUM *iqmp) {\n if ((rsa->dmp1 == NULL && dmp1 == NULL) ||\n (rsa->dmq1 == NULL && dmq1 == NULL) ||\n (rsa->iqmp == NULL && iqmp == NULL)) {\n return 0;\n }\n\n if (dmp1 != NULL) {\n BN_free(rsa->dmp1);\n rsa->dmp1 = dmp1;\n }\n if (dmq1 != NULL) {\n BN_free(rsa->dmq1);\n rsa->dmq1 = dmq1;\n }\n if (iqmp != NULL) {\n BN_free(rsa->iqmp);\n rsa->iqmp = iqmp;\n }\n\n rsa_invalidate_key(rsa);\n return 1;\n}\n\nstatic int rsa_sign_raw_no_self_test(RSA *rsa, size_t *out_len, uint8_t *out,\n size_t max_out, const uint8_t *in,\n size_t in_len, int padding) {\n if (rsa->meth->sign_raw) {\n return rsa->meth->sign_raw(rsa, out_len, out, max_out, in, in_len, padding);\n }\n\n return rsa_default_sign_raw(rsa, out_len, out, max_out, in, in_len, padding);\n}\n\nint RSA_sign_raw(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out,\n const uint8_t *in, size_t in_len, int padding) {\n boringssl_ensure_rsa_self_test();\n return rsa_sign_raw_no_self_test(rsa, out_len, out, max_out, in, in_len,\n padding);\n}\n\nunsigned RSA_size(const RSA *rsa) { return BN_num_bytes(rsa->n); }\n\nint RSA_is_opaque(const RSA *rsa) {\n return rsa->meth && (rsa->meth->flags & RSA_FLAG_OPAQUE);\n}\n\nint RSA_get_ex_new_index(long argl, void *argp, CRYPTO_EX_unused *unused,\n CRYPTO_EX_dup *dup_unused, CRYPTO_EX_free *free_func) {\n return CRYPTO_get_ex_new_index_ex(g_rsa_ex_data_class_bss_get(), argl, argp,\n free_func);\n}\n\nint RSA_set_ex_data(RSA *rsa, int idx, void *arg) {\n return CRYPTO_set_ex_data(&rsa->ex_data, idx, arg);\n}\n\nvoid *RSA_get_ex_data(const RSA *rsa, int idx) {\n return CRYPTO_get_ex_data(&rsa->ex_data, idx);\n}\n\n// SSL_SIG_LENGTH is the size of an SSL/TLS (prior to TLS 1.2) signature: it's\n// the length of an MD5 and SHA1 hash.\nstatic const unsigned SSL_SIG_LENGTH = 36;\n\n// pkcs1_sig_prefix contains the ASN.1, DER encoded prefix for a hash that is\n// to be signed with PKCS#1.\nstruct pkcs1_sig_prefix {\n // nid identifies the hash function.\n int nid;\n // hash_len is the expected length of the hash function.\n uint8_t hash_len;\n // len is the number of bytes of |bytes| which are valid.\n uint8_t len;\n // bytes contains the DER bytes.\n uint8_t bytes[19];\n};\n\n// kPKCS1SigPrefixes contains the ASN.1 prefixes for PKCS#1 signatures with\n// different hash functions.\nstatic const struct pkcs1_sig_prefix kPKCS1SigPrefixes[] = {\n {\n NID_md5,\n MD5_DIGEST_LENGTH,\n 18,\n {0x30, 0x20, 0x30, 0x0c, 0x06, 0x08, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d,\n 0x02, 0x05, 0x05, 0x00, 0x04, 0x10},\n },\n {\n NID_sha1,\n BCM_SHA_DIGEST_LENGTH,\n 15,\n {0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a, 0x05,\n 0x00, 0x04, 0x14},\n },\n {\n NID_sha224,\n BCM_SHA224_DIGEST_LENGTH,\n 19,\n {0x30, 0x2d, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03,\n 0x04, 0x02, 0x04, 0x05, 0x00, 0x04, 0x1c},\n },\n {\n NID_sha256,\n BCM_SHA256_DIGEST_LENGTH,\n 19,\n {0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03,\n 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20},\n },\n {\n NID_sha384,\n BCM_SHA384_DIGEST_LENGTH,\n 19,\n {0x30, 0x41, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03,\n 0x04, 0x02, 0x02, 0x05, 0x00, 0x04, 0x30},\n },\n {\n NID_sha512,\n BCM_SHA512_DIGEST_LENGTH,\n 19,\n {0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03,\n 0x04, 0x02, 0x03, 0x05, 0x00, 0x04, 0x40},\n },\n {\n NID_undef,\n 0,\n 0,\n {0},\n },\n};\n\nstatic int rsa_check_digest_size(int hash_nid, size_t digest_len) {\n if (hash_nid == NID_md5_sha1) {\n if (digest_len != SSL_SIG_LENGTH) {\n OPENSSL_PUT_ERROR(RSA, RSA_R_INVALID_MESSAGE_LENGTH);\n return 0;\n }\n return 1;\n }\n\n for (size_t i = 0; kPKCS1SigPrefixes[i].nid != NID_undef; i++) {\n const struct pkcs1_sig_prefix *sig_prefix = &kPKCS1SigPrefixes[i];\n if (sig_prefix->nid == hash_nid) {\n if (digest_len != sig_prefix->hash_len) {\n OPENSSL_PUT_ERROR(RSA, RSA_R_INVALID_MESSAGE_LENGTH);\n return 0;\n }\n return 1;\n }\n }\n\n OPENSSL_PUT_ERROR(RSA, RSA_R_UNKNOWN_ALGORITHM_TYPE);\n return 0;\n}\n\nint RSA_add_pkcs1_prefix(uint8_t **out_msg, size_t *out_msg_len,\n int *is_alloced, int hash_nid, const uint8_t *digest,\n size_t digest_len) {\n if (!rsa_check_digest_size(hash_nid, digest_len)) {\n return 0;\n }\n\n if (hash_nid == NID_md5_sha1) {\n // The length should already have been checked.\n assert(digest_len == SSL_SIG_LENGTH);\n *out_msg = (uint8_t *)digest;\n *out_msg_len = digest_len;\n *is_alloced = 0;\n return 1;\n }\n\n for (size_t i = 0; kPKCS1SigPrefixes[i].nid != NID_undef; i++) {\n const struct pkcs1_sig_prefix *sig_prefix = &kPKCS1SigPrefixes[i];\n if (sig_prefix->nid != hash_nid) {\n continue;\n }\n\n // The length should already have been checked.\n assert(digest_len == sig_prefix->hash_len);\n const uint8_t *prefix = sig_prefix->bytes;\n size_t prefix_len = sig_prefix->len;\n size_t signed_msg_len = prefix_len + digest_len;\n if (signed_msg_len < prefix_len) {\n OPENSSL_PUT_ERROR(RSA, RSA_R_TOO_LONG);\n return 0;\n }\n\n uint8_t *signed_msg =\n reinterpret_cast(OPENSSL_malloc(signed_msg_len));\n if (!signed_msg) {\n return 0;\n }\n\n OPENSSL_memcpy(signed_msg, prefix, prefix_len);\n OPENSSL_memcpy(signed_msg + prefix_len, digest, digest_len);\n\n *out_msg = signed_msg;\n *out_msg_len = signed_msg_len;\n *is_alloced = 1;\n\n return 1;\n }\n\n OPENSSL_PUT_ERROR(RSA, RSA_R_UNKNOWN_ALGORITHM_TYPE);\n return 0;\n}\n\nint rsa_sign_no_self_test(int hash_nid, const uint8_t *digest,\n size_t digest_len, uint8_t *out, unsigned *out_len,\n RSA *rsa) {\n if (rsa->meth->sign) {\n if (!rsa_check_digest_size(hash_nid, digest_len)) {\n return 0;\n }\n // All supported digest lengths fit in |unsigned|.\n assert(digest_len <= EVP_MAX_MD_SIZE);\n static_assert(EVP_MAX_MD_SIZE <= UINT_MAX, \"digest too long\");\n return rsa->meth->sign(hash_nid, digest, (unsigned)digest_len, out, out_len,\n rsa);\n }\n\n const unsigned rsa_size = RSA_size(rsa);\n int ret = 0;\n uint8_t *signed_msg = NULL;\n size_t signed_msg_len = 0;\n int signed_msg_is_alloced = 0;\n size_t size_t_out_len;\n if (!RSA_add_pkcs1_prefix(&signed_msg, &signed_msg_len,\n &signed_msg_is_alloced, hash_nid, digest,\n digest_len) ||\n !rsa_sign_raw_no_self_test(rsa, &size_t_out_len, out, rsa_size,\n signed_msg, signed_msg_len,\n RSA_PKCS1_PADDING)) {\n goto err;\n }\n\n if (size_t_out_len > UINT_MAX) {\n OPENSSL_PUT_ERROR(RSA, ERR_R_OVERFLOW);\n goto err;\n }\n\n *out_len = (unsigned)size_t_out_len;\n ret = 1;\n\nerr:\n if (signed_msg_is_alloced) {\n OPENSSL_free(signed_msg);\n }\n return ret;\n}\n\nint RSA_sign(int hash_nid, const uint8_t *digest, size_t digest_len,\n uint8_t *out, unsigned *out_len, RSA *rsa) {\n boringssl_ensure_rsa_self_test();\n\n return rsa_sign_no_self_test(hash_nid, digest, digest_len, out, out_len, rsa);\n}\n\nint RSA_sign_pss_mgf1(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out,\n const uint8_t *digest, size_t digest_len,\n const EVP_MD *md, const EVP_MD *mgf1_md, int salt_len) {\n if (digest_len != EVP_MD_size(md)) {\n OPENSSL_PUT_ERROR(RSA, RSA_R_INVALID_MESSAGE_LENGTH);\n return 0;\n }\n\n size_t padded_len = RSA_size(rsa);\n uint8_t *padded = reinterpret_cast(OPENSSL_malloc(padded_len));\n if (padded == NULL) {\n return 0;\n }\n\n int ret = RSA_padding_add_PKCS1_PSS_mgf1(rsa, padded, digest, md, mgf1_md,\n salt_len) &&\n RSA_sign_raw(rsa, out_len, out, max_out, padded, padded_len,\n RSA_NO_PADDING);\n OPENSSL_free(padded);\n return ret;\n}\n\nint rsa_verify_no_self_test(int hash_nid, const uint8_t *digest,\n size_t digest_len, const uint8_t *sig,\n size_t sig_len, RSA *rsa) {\n if (rsa->n == NULL || rsa->e == NULL) {\n OPENSSL_PUT_ERROR(RSA, RSA_R_VALUE_MISSING);\n return 0;\n }\n\n const size_t rsa_size = RSA_size(rsa);\n uint8_t *buf = NULL;\n int ret = 0;\n uint8_t *signed_msg = NULL;\n size_t signed_msg_len = 0, len;\n int signed_msg_is_alloced = 0;\n\n if (hash_nid == NID_md5_sha1 && digest_len != SSL_SIG_LENGTH) {\n OPENSSL_PUT_ERROR(RSA, RSA_R_INVALID_MESSAGE_LENGTH);\n return 0;\n }\n\n buf = reinterpret_cast(OPENSSL_malloc(rsa_size));\n if (!buf) {\n return 0;\n }\n\n if (!rsa_verify_raw_no_self_test(rsa, &len, buf, rsa_size, sig, sig_len,\n RSA_PKCS1_PADDING) ||\n !RSA_add_pkcs1_prefix(&signed_msg, &signed_msg_len,\n &signed_msg_is_alloced, hash_nid, digest,\n digest_len)) {\n goto out;\n }\n\n // Check that no other information follows the hash value (FIPS 186-4 Section\n // 5.5) and it matches the expected hash.\n if (len != signed_msg_len || OPENSSL_memcmp(buf, signed_msg, len) != 0) {\n OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_SIGNATURE);\n goto out;\n }\n\n ret = 1;\n\nout:\n OPENSSL_free(buf);\n if (signed_msg_is_alloced) {\n OPENSSL_free(signed_msg);\n }\n return ret;\n}\n\nint RSA_verify(int hash_nid, const uint8_t *digest, size_t digest_len,\n const uint8_t *sig, size_t sig_len, RSA *rsa) {\n boringssl_ensure_rsa_self_test();\n return rsa_verify_no_self_test(hash_nid, digest, digest_len, sig, sig_len,\n rsa);\n}\n\nint RSA_verify_pss_mgf1(RSA *rsa, const uint8_t *digest, size_t digest_len,\n const EVP_MD *md, const EVP_MD *mgf1_md, int salt_len,\n const uint8_t *sig, size_t sig_len) {\n if (digest_len != EVP_MD_size(md)) {\n OPENSSL_PUT_ERROR(RSA, RSA_R_INVALID_MESSAGE_LENGTH);\n return 0;\n }\n\n size_t em_len = RSA_size(rsa);\n uint8_t *em = reinterpret_cast(OPENSSL_malloc(em_len));\n if (em == NULL) {\n return 0;\n }\n\n int ret = 0;\n if (!RSA_verify_raw(rsa, &em_len, em, em_len, sig, sig_len, RSA_NO_PADDING)) {\n goto err;\n }\n\n if (em_len != RSA_size(rsa)) {\n OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR);\n goto err;\n }\n\n ret = RSA_verify_PKCS1_PSS_mgf1(rsa, digest, md, mgf1_md, em, salt_len);\n\nerr:\n OPENSSL_free(em);\n return ret;\n}\n\nstatic int check_mod_inverse(int *out_ok, const BIGNUM *a, const BIGNUM *ainv,\n const BIGNUM *m, unsigned m_min_bits,\n BN_CTX *ctx) {\n if (BN_is_negative(ainv) ||\n constant_time_declassify_int(BN_cmp(ainv, m) >= 0)) {\n *out_ok = 0;\n return 1;\n }\n\n // Note |bn_mul_consttime| and |bn_div_consttime| do not scale linearly, but\n // checking |ainv| is in range bounds the running time, assuming |m|'s bounds\n // were checked by the caller.\n BN_CTX_start(ctx);\n BIGNUM *tmp = BN_CTX_get(ctx);\n int ret = tmp != NULL && bn_mul_consttime(tmp, a, ainv, ctx) &&\n bn_div_consttime(NULL, tmp, tmp, m, m_min_bits, ctx);\n if (ret) {\n *out_ok = constant_time_declassify_int(BN_is_one(tmp));\n }\n BN_CTX_end(ctx);\n return ret;\n}\n\nint RSA_check_key(const RSA *key) {\n // TODO(davidben): RSA key initialization is spread across\n // |rsa_check_public_key|, |RSA_check_key|, |freeze_private_key|, and\n // |BN_MONT_CTX_set_locked| as a result of API issues. See\n // https://crbug.com/boringssl/316. As a result, we inconsistently check RSA\n // invariants. We should fix this and integrate that logic.\n\n if (!rsa_check_public_key(key)) {\n return 0;\n }\n\n if ((key->p != NULL) != (key->q != NULL)) {\n OPENSSL_PUT_ERROR(RSA, RSA_R_ONLY_ONE_OF_P_Q_GIVEN);\n return 0;\n }\n\n // |key->d| must be bounded by |key->n|. This ensures bounds on |RSA_bits|\n // translate to bounds on the running time of private key operations.\n if (key->d != NULL &&\n (BN_is_negative(key->d) || BN_cmp(key->d, key->n) >= 0)) {\n OPENSSL_PUT_ERROR(RSA, RSA_R_D_OUT_OF_RANGE);\n return 0;\n }\n\n if (key->d == NULL || key->p == NULL) {\n // For a public key, or without p and q, there's nothing that can be\n // checked.\n return 1;\n }\n\n BN_CTX *ctx = BN_CTX_new();\n if (ctx == NULL) {\n return 0;\n }\n\n BIGNUM tmp, de, pm1, qm1, dmp1, dmq1;\n int ok = 0, has_crt_values;\n unsigned pm1_bits, qm1_bits;\n BN_init(&tmp);\n BN_init(&de);\n BN_init(&pm1);\n BN_init(&qm1);\n BN_init(&dmp1);\n BN_init(&dmq1);\n\n // Check that p * q == n. Before we multiply, we check that p and q are in\n // bounds, to avoid a DoS vector in |bn_mul_consttime| below. Note that\n // n was bound by |rsa_check_public_key|. This also implicitly checks p and q\n // are odd, which is a necessary condition for Montgomery reduction.\n if (BN_is_negative(key->p) ||\n constant_time_declassify_int(BN_cmp(key->p, key->n) >= 0) ||\n BN_is_negative(key->q) ||\n constant_time_declassify_int(BN_cmp(key->q, key->n) >= 0)) {\n OPENSSL_PUT_ERROR(RSA, RSA_R_N_NOT_EQUAL_P_Q);\n goto out;\n }\n if (!bn_mul_consttime(&tmp, key->p, key->q, ctx)) {\n OPENSSL_PUT_ERROR(RSA, ERR_LIB_BN);\n goto out;\n }\n if (BN_cmp(&tmp, key->n) != 0) {\n OPENSSL_PUT_ERROR(RSA, RSA_R_N_NOT_EQUAL_P_Q);\n goto out;\n }\n\n // d must be an inverse of e mod the Carmichael totient, lcm(p-1, q-1), but it\n // may be unreduced because other implementations use the Euler totient. We\n // simply check that d * e is one mod p-1 and mod q-1. Note d and e were bound\n // by earlier checks in this function.\n if (!bn_usub_consttime(&pm1, key->p, BN_value_one()) ||\n !bn_usub_consttime(&qm1, key->q, BN_value_one())) {\n OPENSSL_PUT_ERROR(RSA, ERR_LIB_BN);\n goto out;\n }\n pm1_bits = BN_num_bits(&pm1);\n qm1_bits = BN_num_bits(&qm1);\n if (!bn_mul_consttime(&de, key->d, key->e, ctx) ||\n !bn_div_consttime(NULL, &tmp, &de, &pm1, pm1_bits, ctx) ||\n !bn_div_consttime(NULL, &de, &de, &qm1, qm1_bits, ctx)) {\n OPENSSL_PUT_ERROR(RSA, ERR_LIB_BN);\n goto out;\n }\n\n if (constant_time_declassify_int(!BN_is_one(&tmp)) ||\n constant_time_declassify_int(!BN_is_one(&de))) {\n OPENSSL_PUT_ERROR(RSA, RSA_R_D_E_NOT_CONGRUENT_TO_1);\n goto out;\n }\n\n has_crt_values = key->dmp1 != NULL;\n if (has_crt_values != (key->dmq1 != NULL) ||\n has_crt_values != (key->iqmp != NULL)) {\n OPENSSL_PUT_ERROR(RSA, RSA_R_INCONSISTENT_SET_OF_CRT_VALUES);\n goto out;\n }\n\n if (has_crt_values) {\n int dmp1_ok, dmq1_ok, iqmp_ok;\n if (!check_mod_inverse(&dmp1_ok, key->e, key->dmp1, &pm1, pm1_bits, ctx) ||\n !check_mod_inverse(&dmq1_ok, key->e, key->dmq1, &qm1, qm1_bits, ctx) ||\n // |p| is odd, so |pm1| and |p| have the same bit width. If they didn't,\n // we only need a lower bound anyway.\n !check_mod_inverse(&iqmp_ok, key->q, key->iqmp, key->p, pm1_bits,\n ctx)) {\n OPENSSL_PUT_ERROR(RSA, ERR_LIB_BN);\n goto out;\n }\n\n if (!dmp1_ok || !dmq1_ok || !iqmp_ok) {\n OPENSSL_PUT_ERROR(RSA, RSA_R_CRT_VALUES_INCORRECT);\n goto out;\n }\n }\n\n ok = 1;\n\nout:\n BN_free(&tmp);\n BN_free(&de);\n BN_free(&pm1);\n BN_free(&qm1);\n BN_free(&dmp1);\n BN_free(&dmq1);\n BN_CTX_free(ctx);\n\n return ok;\n}\n\n\n// This is the product of the 132 smallest odd primes, from 3 to 751.\nstatic const BN_ULONG kSmallFactorsLimbs[] = {TOBN(0xc4309333, 0x3ef4e3e1),\n TOBN(0x71161eb6, 0xcd2d655f),\n TOBN(0x95e2238c, 0x0bf94862),\n TOBN(0x3eb233d3, 0x24f7912b),\n TOBN(0x6b55514b, 0xbf26c483),\n TOBN(0x0a84d817, 0x5a144871),\n TOBN(0x77d12fee, 0x9b82210a),\n TOBN(0xdb5b93c2, 0x97f050b3),\n TOBN(0x4acad6b9, 0x4d6c026b),\n TOBN(0xeb7751f3, 0x54aec893),\n TOBN(0xdba53368, 0x36bc85c4),\n TOBN(0xd85a1b28, 0x7f5ec78e),\n TOBN(0x2eb072d8, 0x6b322244),\n TOBN(0xbba51112, 0x5e2b3aea),\n TOBN(0x36ed1a6c, 0x0e2486bf),\n TOBN(0x5f270460, 0xec0c5727),\n 0x000017b1};\n\nDEFINE_LOCAL_DATA(BIGNUM, g_small_factors) {\n out->d = (BN_ULONG *)kSmallFactorsLimbs;\n out->width = OPENSSL_ARRAY_SIZE(kSmallFactorsLimbs);\n out->dmax = out->width;\n out->neg = 0;\n out->flags = BN_FLG_STATIC_DATA;\n}\n\nint RSA_check_fips(RSA *key) {\n if (!RSA_check_key(key)) {\n return 0;\n }\n\n BN_CTX *ctx = BN_CTX_new();\n if (ctx == NULL) {\n return 0;\n }\n\n BIGNUM small_gcd;\n BN_init(&small_gcd);\n\n int ret = 1;\n\n // Perform partial public key validation of RSA keys (SP 800-89 5.3.3).\n // Although this is not for primality testing, SP 800-89 cites an RSA\n // primality testing algorithm, so we use |BN_prime_checks_for_generation| to\n // match. This is only a plausibility test and we expect the value to be\n // composite, so too few iterations will cause us to reject the key, not use\n // an implausible one.\n //\n // |key->e| may be nullptr if created with |RSA_new_private_key_no_e|.\n enum bn_primality_result_t primality_result;\n if (key->e == nullptr || //\n BN_num_bits(key->e) <= 16 || //\n BN_num_bits(key->e) > 256 || //\n !BN_is_odd(key->n) || //\n !BN_is_odd(key->e) ||\n !BN_gcd(&small_gcd, key->n, g_small_factors(), ctx) ||\n !BN_is_one(&small_gcd) ||\n !BN_enhanced_miller_rabin_primality_test(&primality_result, key->n,\n BN_prime_checks_for_generation,\n ctx, NULL) ||\n primality_result != bn_non_prime_power_composite) {\n OPENSSL_PUT_ERROR(RSA, RSA_R_PUBLIC_KEY_VALIDATION_FAILED);\n ret = 0;\n }\n\n BN_free(&small_gcd);\n BN_CTX_free(ctx);\n\n if (!ret || key->d == NULL || key->p == NULL) {\n // On a failure or on only a public key, there's nothing else can be\n // checked.\n return ret;\n }\n\n // FIPS pairwise consistency test (FIPS 140-2 4.9.2). Per FIPS 140-2 IG,\n // section 9.9, it is not known whether |rsa| will be used for signing or\n // encryption, so either pair-wise consistency self-test is acceptable. We\n // perform a signing test.\n uint8_t data[32] = {0};\n unsigned sig_len = RSA_size(key);\n uint8_t *sig = reinterpret_cast(OPENSSL_malloc(sig_len));\n if (sig == NULL) {\n return 0;\n }\n\n if (!RSA_sign(NID_sha256, data, sizeof(data), sig, &sig_len, key)) {\n OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR);\n ret = 0;\n goto cleanup;\n }\n if (boringssl_fips_break_test(\"RSA_PWCT\")) {\n data[0] = ~data[0];\n }\n if (!RSA_verify(NID_sha256, data, sizeof(data), sig, sig_len, key)) {\n OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR);\n ret = 0;\n }\n\ncleanup:\n OPENSSL_free(sig);\n\n return ret;\n}\n\nint rsa_private_transform_no_self_test(RSA *rsa, uint8_t *out,\n const uint8_t *in, size_t len) {\n if (rsa->meth->private_transform) {\n return rsa->meth->private_transform(rsa, out, in, len);\n }\n\n return rsa_default_private_transform(rsa, out, in, len);\n}\n\nint rsa_private_transform(RSA *rsa, uint8_t *out, const uint8_t *in,\n size_t len) {\n boringssl_ensure_rsa_self_test();\n return rsa_private_transform_no_self_test(rsa, out, in, len);\n}\n\nint RSA_flags(const RSA *rsa) { return rsa->flags; }\n\nint RSA_test_flags(const RSA *rsa, int flags) { return rsa->flags & flags; }\n" }, { "path": "Sources/CNIOBoringSSL/crypto/fipsmodule/rsa/rsa_impl.cc.inc", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n#include \n#include \n\n#include \n#include \n#include \n#include \n\n#include \"../../bcm_support.h\"\n#include \"../../internal.h\"\n#include \"../bn/internal.h\"\n#include \"../delocate.h\"\n#include \"../service_indicator/internal.h\"\n#include \"internal.h\"\n\n\nint rsa_check_public_key(const RSA *rsa) {\n if (rsa->n == NULL) {\n OPENSSL_PUT_ERROR(RSA, RSA_R_VALUE_MISSING);\n return 0;\n }\n\n unsigned n_bits = BN_num_bits(rsa->n);\n if (n_bits > OPENSSL_RSA_MAX_MODULUS_BITS) {\n OPENSSL_PUT_ERROR(RSA, RSA_R_MODULUS_TOO_LARGE);\n return 0;\n }\n\n // TODO(crbug.com/boringssl/607): Raise this limit. 512-bit RSA was factored\n // in 1999.\n if (n_bits < 512) {\n OPENSSL_PUT_ERROR(RSA, RSA_R_KEY_SIZE_TOO_SMALL);\n return 0;\n }\n\n // RSA moduli must be positive and odd. In addition to being necessary for RSA\n // in general, we cannot setup Montgomery reduction with even moduli.\n if (!BN_is_odd(rsa->n) || BN_is_negative(rsa->n)) {\n OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_RSA_PARAMETERS);\n return 0;\n }\n\n static const unsigned kMaxExponentBits = 33;\n if (rsa->e != NULL) {\n // Reject e = 1, negative e, and even e. e must be odd to be relatively\n // prime with phi(n).\n unsigned e_bits = BN_num_bits(rsa->e);\n if (e_bits < 2 || BN_is_negative(rsa->e) || !BN_is_odd(rsa->e)) {\n OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_E_VALUE);\n return 0;\n }\n if (rsa->flags & RSA_FLAG_LARGE_PUBLIC_EXPONENT) {\n // The caller has requested disabling DoS protections. Still, e must be\n // less than n.\n if (BN_ucmp(rsa->n, rsa->e) <= 0) {\n OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_E_VALUE);\n return 0;\n }\n } else {\n // Mitigate DoS attacks by limiting the exponent size. 33 bits was chosen\n // as the limit based on the recommendations in [1] and [2]. Windows\n // CryptoAPI doesn't support values larger than 32 bits [3], so it is\n // unlikely that exponents larger than 32 bits are being used for anything\n // Windows commonly does.\n //\n // [1] https://www.imperialviolet.org/2012/03/16/rsae.html\n // [2] https://www.imperialviolet.org/2012/03/17/rsados.html\n // [3] https://msdn.microsoft.com/en-us/library/aa387685(VS.85).aspx\n if (e_bits > kMaxExponentBits) {\n OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_E_VALUE);\n return 0;\n }\n\n // The upper bound on |e_bits| and lower bound on |n_bits| imply e is\n // bounded by n.\n assert(BN_ucmp(rsa->n, rsa->e) > 0);\n }\n } else if (!(rsa->flags & RSA_FLAG_NO_PUBLIC_EXPONENT)) {\n OPENSSL_PUT_ERROR(RSA, RSA_R_VALUE_MISSING);\n return 0;\n }\n\n return 1;\n}\n\nstatic int ensure_fixed_copy(BIGNUM **out, const BIGNUM *in, int width) {\n if (*out != NULL) {\n return 1;\n }\n BIGNUM *copy = BN_dup(in);\n if (copy == NULL || !bn_resize_words(copy, width)) {\n BN_free(copy);\n return 0;\n }\n *out = copy;\n bn_secret(copy);\n\n return 1;\n}\n\n// freeze_private_key finishes initializing |rsa|'s private key components.\n// After this function has returned, |rsa| may not be changed. This is needed\n// because |RSA| is a public struct and, additionally, OpenSSL 1.1.0 opaquified\n// it wrong (see https://github.com/openssl/openssl/issues/5158).\nstatic int freeze_private_key(RSA *rsa, BN_CTX *ctx) {\n CRYPTO_MUTEX_lock_read(&rsa->lock);\n int frozen = rsa->private_key_frozen;\n CRYPTO_MUTEX_unlock_read(&rsa->lock);\n if (frozen) {\n return 1;\n }\n\n int ret = 0;\n const BIGNUM *n_fixed;\n CRYPTO_MUTEX_lock_write(&rsa->lock);\n if (rsa->private_key_frozen) {\n ret = 1;\n goto err;\n }\n\n // Check the public components are within DoS bounds.\n if (!rsa_check_public_key(rsa)) {\n goto err;\n }\n\n // Pre-compute various intermediate values, as well as copies of private\n // exponents with correct widths. Note that other threads may concurrently\n // read from |rsa->n|, |rsa->e|, etc., so any fixes must be in separate\n // copies. We use |mont_n->N|, |mont_p->N|, and |mont_q->N| as copies of |n|,\n // |p|, and |q| with the correct minimal widths.\n\n if (rsa->mont_n == NULL) {\n rsa->mont_n = BN_MONT_CTX_new_for_modulus(rsa->n, ctx);\n if (rsa->mont_n == NULL) {\n goto err;\n }\n }\n n_fixed = &rsa->mont_n->N;\n\n // The only public upper-bound of |rsa->d| is the bit length of |rsa->n|. The\n // ASN.1 serialization of RSA private keys unfortunately leaks the byte length\n // of |rsa->d|, but normalize it so we only leak it once, rather than per\n // operation.\n if (rsa->d != NULL &&\n !ensure_fixed_copy(&rsa->d_fixed, rsa->d, n_fixed->width)) {\n goto err;\n }\n\n if (rsa->e != NULL && rsa->p != NULL && rsa->q != NULL) {\n // TODO: p and q are also CONSTTIME_SECRET but not yet marked as such\n // because the Montgomery code does things like test whether or not values\n // are zero. So the secret marking probably needs to happen inside that\n // code.\n\n if (rsa->mont_p == NULL) {\n rsa->mont_p = BN_MONT_CTX_new_consttime(rsa->p, ctx);\n if (rsa->mont_p == NULL) {\n goto err;\n }\n }\n\n if (rsa->mont_q == NULL) {\n rsa->mont_q = BN_MONT_CTX_new_consttime(rsa->q, ctx);\n if (rsa->mont_q == NULL) {\n goto err;\n }\n }\n\n if (rsa->dmp1 != NULL && rsa->dmq1 != NULL && rsa->iqmp != NULL) {\n // CRT components are only publicly bounded by their corresponding\n // moduli's bit lengths.\n const BIGNUM *p_fixed = &rsa->mont_p->N;\n const BIGNUM *q_fixed = &rsa->mont_q->N;\n if (!ensure_fixed_copy(&rsa->dmp1_fixed, rsa->dmp1, p_fixed->width) ||\n !ensure_fixed_copy(&rsa->dmq1_fixed, rsa->dmq1, q_fixed->width)) {\n goto err;\n }\n\n // Compute |iqmp_mont|, which is |iqmp| in Montgomery form and with the\n // correct bit width.\n if (rsa->iqmp_mont == NULL) {\n BIGNUM *iqmp_mont = BN_new();\n if (iqmp_mont == NULL ||\n !BN_to_montgomery(iqmp_mont, rsa->iqmp, rsa->mont_p, ctx)) {\n BN_free(iqmp_mont);\n goto err;\n }\n rsa->iqmp_mont = iqmp_mont;\n bn_secret(rsa->iqmp_mont);\n }\n }\n }\n\n rsa->private_key_frozen = 1;\n ret = 1;\n\nerr:\n CRYPTO_MUTEX_unlock_write(&rsa->lock);\n return ret;\n}\n\nvoid rsa_invalidate_key(RSA *rsa) {\n rsa->private_key_frozen = 0;\n\n BN_MONT_CTX_free(rsa->mont_n);\n rsa->mont_n = NULL;\n BN_MONT_CTX_free(rsa->mont_p);\n rsa->mont_p = NULL;\n BN_MONT_CTX_free(rsa->mont_q);\n rsa->mont_q = NULL;\n\n BN_free(rsa->d_fixed);\n rsa->d_fixed = NULL;\n BN_free(rsa->dmp1_fixed);\n rsa->dmp1_fixed = NULL;\n BN_free(rsa->dmq1_fixed);\n rsa->dmq1_fixed = NULL;\n BN_free(rsa->iqmp_mont);\n rsa->iqmp_mont = NULL;\n\n for (size_t i = 0; i < rsa->num_blindings; i++) {\n BN_BLINDING_free(rsa->blindings[i]);\n }\n OPENSSL_free(rsa->blindings);\n rsa->blindings = NULL;\n rsa->num_blindings = 0;\n OPENSSL_free(rsa->blindings_inuse);\n rsa->blindings_inuse = NULL;\n rsa->blinding_fork_generation = 0;\n}\n\n// MAX_BLINDINGS_PER_RSA defines the maximum number of cached BN_BLINDINGs per\n// RSA*. Then this limit is exceeded, BN_BLINDING objects will be created and\n// destroyed as needed.\n#if defined(OPENSSL_TSAN)\n// Smaller under TSAN so that the edge case can be hit with fewer threads.\n#define MAX_BLINDINGS_PER_RSA 2\n#else\n#define MAX_BLINDINGS_PER_RSA 1024\n#endif\n\n// rsa_blinding_get returns a BN_BLINDING to use with |rsa|. It does this by\n// allocating one of the cached BN_BLINDING objects in |rsa->blindings|. If\n// none are free, the cache will be extended by a extra element and the new\n// BN_BLINDING is returned.\n//\n// On success, the index of the assigned BN_BLINDING is written to\n// |*index_used| and must be passed to |rsa_blinding_release| when finished.\nstatic BN_BLINDING *rsa_blinding_get(RSA *rsa, size_t *index_used,\n BN_CTX *ctx) {\n assert(ctx != NULL);\n assert(rsa->mont_n != NULL);\n\n BN_BLINDING *ret = NULL;\n const uint64_t fork_generation = CRYPTO_get_fork_generation();\n CRYPTO_MUTEX_lock_write(&rsa->lock);\n\n // Wipe the blinding cache on |fork|.\n if (rsa->blinding_fork_generation != fork_generation) {\n for (size_t i = 0; i < rsa->num_blindings; i++) {\n // The inuse flag must be zero unless we were forked from a\n // multi-threaded process, in which case calling back into BoringSSL is\n // forbidden.\n assert(rsa->blindings_inuse[i] == 0);\n BN_BLINDING_invalidate(rsa->blindings[i]);\n }\n rsa->blinding_fork_generation = fork_generation;\n }\n\n uint8_t *const free_inuse_flag = reinterpret_cast(\n OPENSSL_memchr(rsa->blindings_inuse, 0, rsa->num_blindings));\n size_t new_num_blindings;\n BN_BLINDING **new_blindings;\n uint8_t *new_blindings_inuse;\n if (free_inuse_flag != NULL) {\n *free_inuse_flag = 1;\n *index_used = free_inuse_flag - rsa->blindings_inuse;\n ret = rsa->blindings[*index_used];\n goto out;\n }\n\n if (rsa->num_blindings >= MAX_BLINDINGS_PER_RSA) {\n // No |BN_BLINDING| is free and nor can the cache be extended. This index\n // value is magic and indicates to |rsa_blinding_release| that a\n // |BN_BLINDING| was not inserted into the array.\n *index_used = MAX_BLINDINGS_PER_RSA;\n ret = BN_BLINDING_new();\n goto out;\n }\n\n // Double the length of the cache.\n static_assert(MAX_BLINDINGS_PER_RSA < UINT_MAX / 2,\n \"MAX_BLINDINGS_PER_RSA too large\");\n new_num_blindings = rsa->num_blindings * 2;\n if (new_num_blindings == 0) {\n new_num_blindings = 1;\n }\n if (new_num_blindings > MAX_BLINDINGS_PER_RSA) {\n new_num_blindings = MAX_BLINDINGS_PER_RSA;\n }\n assert(new_num_blindings > rsa->num_blindings);\n\n new_blindings = reinterpret_cast(\n OPENSSL_calloc(new_num_blindings, sizeof(BN_BLINDING *)));\n new_blindings_inuse =\n reinterpret_cast(OPENSSL_malloc(new_num_blindings));\n if (new_blindings == NULL || new_blindings_inuse == NULL) {\n goto err;\n }\n\n OPENSSL_memcpy(new_blindings, rsa->blindings,\n sizeof(BN_BLINDING *) * rsa->num_blindings);\n OPENSSL_memcpy(new_blindings_inuse, rsa->blindings_inuse, rsa->num_blindings);\n\n for (size_t i = rsa->num_blindings; i < new_num_blindings; i++) {\n new_blindings[i] = BN_BLINDING_new();\n if (new_blindings[i] == NULL) {\n for (size_t j = rsa->num_blindings; j < i; j++) {\n BN_BLINDING_free(new_blindings[j]);\n }\n goto err;\n }\n }\n memset(&new_blindings_inuse[rsa->num_blindings], 0,\n new_num_blindings - rsa->num_blindings);\n\n new_blindings_inuse[rsa->num_blindings] = 1;\n *index_used = rsa->num_blindings;\n assert(*index_used != MAX_BLINDINGS_PER_RSA);\n ret = new_blindings[rsa->num_blindings];\n\n OPENSSL_free(rsa->blindings);\n rsa->blindings = new_blindings;\n OPENSSL_free(rsa->blindings_inuse);\n rsa->blindings_inuse = new_blindings_inuse;\n rsa->num_blindings = new_num_blindings;\n\n goto out;\n\nerr:\n OPENSSL_free(new_blindings_inuse);\n OPENSSL_free(new_blindings);\n\nout:\n CRYPTO_MUTEX_unlock_write(&rsa->lock);\n return ret;\n}\n\n// rsa_blinding_release marks the cached BN_BLINDING at the given index as free\n// for other threads to use.\nstatic void rsa_blinding_release(RSA *rsa, BN_BLINDING *blinding,\n size_t blinding_index) {\n if (blinding_index == MAX_BLINDINGS_PER_RSA) {\n // This blinding wasn't cached.\n BN_BLINDING_free(blinding);\n return;\n }\n\n CRYPTO_MUTEX_lock_write(&rsa->lock);\n rsa->blindings_inuse[blinding_index] = 0;\n CRYPTO_MUTEX_unlock_write(&rsa->lock);\n}\n\n// signing\nint rsa_default_sign_raw(RSA *rsa, size_t *out_len, uint8_t *out,\n size_t max_out, const uint8_t *in, size_t in_len,\n int padding) {\n const unsigned rsa_size = RSA_size(rsa);\n uint8_t *buf = NULL;\n int i, ret = 0;\n\n if (max_out < rsa_size) {\n OPENSSL_PUT_ERROR(RSA, RSA_R_OUTPUT_BUFFER_TOO_SMALL);\n return 0;\n }\n\n buf = reinterpret_cast(OPENSSL_malloc(rsa_size));\n if (buf == NULL) {\n goto err;\n }\n\n switch (padding) {\n case RSA_PKCS1_PADDING:\n i = RSA_padding_add_PKCS1_type_1(buf, rsa_size, in, in_len);\n break;\n case RSA_NO_PADDING:\n i = RSA_padding_add_none(buf, rsa_size, in, in_len);\n break;\n default:\n OPENSSL_PUT_ERROR(RSA, RSA_R_UNKNOWN_PADDING_TYPE);\n goto err;\n }\n\n if (i <= 0) {\n goto err;\n }\n\n if (!rsa_private_transform_no_self_test(rsa, out, buf, rsa_size)) {\n goto err;\n }\n\n CONSTTIME_DECLASSIFY(out, rsa_size);\n *out_len = rsa_size;\n ret = 1;\n\nerr:\n OPENSSL_free(buf);\n\n return ret;\n}\n\n\nstatic int rsa_mod_exp_crt(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx);\n\nint rsa_verify_raw_no_self_test(RSA *rsa, size_t *out_len, uint8_t *out,\n size_t max_out, const uint8_t *in,\n size_t in_len, int padding) {\n if (rsa->n == NULL || rsa->e == NULL) {\n OPENSSL_PUT_ERROR(RSA, RSA_R_VALUE_MISSING);\n return 0;\n }\n\n if (!rsa_check_public_key(rsa)) {\n return 0;\n }\n\n const unsigned rsa_size = RSA_size(rsa);\n BIGNUM *f, *result;\n\n if (max_out < rsa_size) {\n OPENSSL_PUT_ERROR(RSA, RSA_R_OUTPUT_BUFFER_TOO_SMALL);\n return 0;\n }\n\n if (in_len != rsa_size) {\n OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_LEN_NOT_EQUAL_TO_MOD_LEN);\n return 0;\n }\n\n BN_CTX *ctx = BN_CTX_new();\n if (ctx == NULL) {\n return 0;\n }\n\n int ret = 0;\n uint8_t *buf = NULL;\n\n BN_CTX_start(ctx);\n f = BN_CTX_get(ctx);\n result = BN_CTX_get(ctx);\n if (f == NULL || result == NULL) {\n goto err;\n }\n\n if (padding == RSA_NO_PADDING) {\n buf = out;\n } else {\n // Allocate a temporary buffer to hold the padded plaintext.\n buf = reinterpret_cast(OPENSSL_malloc(rsa_size));\n if (buf == NULL) {\n goto err;\n }\n }\n\n if (BN_bin2bn(in, in_len, f) == NULL) {\n goto err;\n }\n\n if (BN_ucmp(f, rsa->n) >= 0) {\n OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE_FOR_MODULUS);\n goto err;\n }\n\n if (!BN_MONT_CTX_set_locked(&rsa->mont_n, &rsa->lock, rsa->n, ctx) ||\n !BN_mod_exp_mont(result, f, rsa->e, &rsa->mont_n->N, ctx, rsa->mont_n)) {\n goto err;\n }\n\n if (!BN_bn2bin_padded(buf, rsa_size, result)) {\n OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR);\n goto err;\n }\n\n switch (padding) {\n case RSA_PKCS1_PADDING:\n ret =\n RSA_padding_check_PKCS1_type_1(out, out_len, rsa_size, buf, rsa_size);\n break;\n case RSA_NO_PADDING:\n ret = 1;\n *out_len = rsa_size;\n break;\n default:\n OPENSSL_PUT_ERROR(RSA, RSA_R_UNKNOWN_PADDING_TYPE);\n goto err;\n }\n\n if (!ret) {\n OPENSSL_PUT_ERROR(RSA, RSA_R_PADDING_CHECK_FAILED);\n goto err;\n }\n\nerr:\n BN_CTX_end(ctx);\n BN_CTX_free(ctx);\n if (buf != out) {\n OPENSSL_free(buf);\n }\n return ret;\n}\n\nint RSA_verify_raw(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out,\n const uint8_t *in, size_t in_len, int padding) {\n boringssl_ensure_rsa_self_test();\n return rsa_verify_raw_no_self_test(rsa, out_len, out, max_out, in, in_len,\n padding);\n}\n\nint rsa_default_private_transform(RSA *rsa, uint8_t *out, const uint8_t *in,\n size_t len) {\n if (rsa->n == NULL || rsa->d == NULL) {\n OPENSSL_PUT_ERROR(RSA, RSA_R_VALUE_MISSING);\n return 0;\n }\n\n BIGNUM *f, *result;\n BN_CTX *ctx = NULL;\n size_t blinding_index = 0;\n BN_BLINDING *blinding = NULL;\n int ret = 0, do_blinding;\n\n ctx = BN_CTX_new();\n if (ctx == NULL) {\n goto err;\n }\n BN_CTX_start(ctx);\n f = BN_CTX_get(ctx);\n result = BN_CTX_get(ctx);\n\n if (f == NULL || result == NULL) {\n goto err;\n }\n\n // The caller should have ensured this.\n assert(len == BN_num_bytes(rsa->n));\n if (BN_bin2bn(in, len, f) == NULL) {\n goto err;\n }\n\n // The input to the RSA private transform may be secret, but padding is\n // expected to construct a value within range, so we can leak this comparison.\n if (constant_time_declassify_int(BN_ucmp(f, rsa->n) >= 0)) {\n // Usually the padding functions would catch this.\n OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE_FOR_MODULUS);\n goto err;\n }\n\n if (!freeze_private_key(rsa, ctx)) {\n OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR);\n goto err;\n }\n\n do_blinding =\n (rsa->flags & (RSA_FLAG_NO_BLINDING | RSA_FLAG_NO_PUBLIC_EXPONENT)) == 0;\n\n if (rsa->e == NULL && do_blinding) {\n // We cannot do blinding or verification without |e|, and continuing without\n // those countermeasures is dangerous. However, the Java/Android RSA API\n // requires support for keys where only |d| and |n| (and not |e|) are known.\n // The callers that require that bad behavior must set\n // |RSA_FLAG_NO_BLINDING| or use |RSA_new_private_key_no_e|.\n //\n // TODO(davidben): Update this comment when Conscrypt is updated to use\n // |RSA_new_private_key_no_e|.\n OPENSSL_PUT_ERROR(RSA, RSA_R_NO_PUBLIC_EXPONENT);\n goto err;\n }\n\n if (do_blinding) {\n blinding = rsa_blinding_get(rsa, &blinding_index, ctx);\n if (blinding == NULL) {\n OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR);\n goto err;\n }\n if (!BN_BLINDING_convert(f, blinding, rsa->e, rsa->mont_n, ctx)) {\n goto err;\n }\n }\n\n if (rsa->p != NULL && rsa->q != NULL && rsa->e != NULL && rsa->dmp1 != NULL &&\n rsa->dmq1 != NULL && rsa->iqmp != NULL &&\n // Require that we can reduce |f| by |rsa->p| and |rsa->q| in constant\n // time, which requires primes be the same size, rounded to the Montgomery\n // coefficient. (See |mod_montgomery|.) This is not required by RFC 8017,\n // but it is true for keys generated by us and all common implementations.\n bn_less_than_montgomery_R(rsa->q, rsa->mont_p) &&\n bn_less_than_montgomery_R(rsa->p, rsa->mont_q)) {\n if (!rsa_mod_exp_crt(result, f, rsa, ctx)) {\n goto err;\n }\n } else if (!BN_mod_exp_mont_consttime(result, f, rsa->d_fixed, rsa->n, ctx,\n rsa->mont_n)) {\n goto err;\n }\n\n // Verify the result to protect against fault attacks as described in the\n // 1997 paper \"On the Importance of Checking Cryptographic Protocols for\n // Faults\" by Dan Boneh, Richard A. DeMillo, and Richard J. Lipton. Some\n // implementations do this only when the CRT is used, but we do it in all\n // cases. Section 6 of the aforementioned paper describes an attack that\n // works when the CRT isn't used. That attack is much less likely to succeed\n // than the CRT attack, but there have likely been improvements since 1997.\n //\n // This check is cheap assuming |e| is small, which we require in\n // |rsa_check_public_key|.\n if (rsa->e != NULL) {\n BIGNUM *vrfy = BN_CTX_get(ctx);\n if (vrfy == NULL ||\n !BN_mod_exp_mont(vrfy, result, rsa->e, rsa->n, ctx, rsa->mont_n) ||\n !constant_time_declassify_int(BN_equal_consttime(vrfy, f))) {\n OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR);\n goto err;\n }\n }\n\n if (do_blinding && !BN_BLINDING_invert(result, blinding, rsa->mont_n, ctx)) {\n goto err;\n }\n\n // The computation should have left |result| as a maximally-wide number, so\n // that it and serializing does not leak information about the magnitude of\n // the result.\n //\n // See Falko Strenzke, \"Manger's Attack revisited\", ICICS 2010.\n assert(result->width == rsa->mont_n->N.width);\n bn_assert_fits_in_bytes(result, len);\n if (!BN_bn2bin_padded(out, len, result)) {\n OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR);\n goto err;\n }\n\n ret = 1;\n\nerr:\n if (ctx != NULL) {\n BN_CTX_end(ctx);\n BN_CTX_free(ctx);\n }\n if (blinding != NULL) {\n rsa_blinding_release(rsa, blinding, blinding_index);\n }\n\n return ret;\n}\n\n// mod_montgomery sets |r| to |I| mod |p|. |I| must already be fully reduced\n// modulo |p| times |q|. It returns one on success and zero on error.\nstatic int mod_montgomery(BIGNUM *r, const BIGNUM *I, const BIGNUM *p,\n const BN_MONT_CTX *mont_p, const BIGNUM *q,\n BN_CTX *ctx) {\n // Reducing in constant-time with Montgomery reduction requires I <= p * R. We\n // have I < p * q, so this follows if q < R. The caller should have checked\n // this already.\n if (!bn_less_than_montgomery_R(q, mont_p)) {\n OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR);\n return 0;\n }\n\n if ( // Reduce mod p with Montgomery reduction. This computes I * R^-1 mod p.\n !BN_from_montgomery(r, I, mont_p, ctx) ||\n // Multiply by R^2 and do another Montgomery reduction to compute\n // I * R^-1 * R^2 * R^-1 = I mod p.\n !BN_to_montgomery(r, r, mont_p, ctx)) {\n return 0;\n }\n\n // By precomputing R^3 mod p (normally |BN_MONT_CTX| only uses R^2 mod p) and\n // adjusting the API for |BN_mod_exp_mont_consttime|, we could instead compute\n // I * R mod p here and save a reduction per prime. But this would require\n // changing the RSAZ code and may not be worth it. Note that the RSAZ code\n // uses a different radix, so it uses R' = 2^1044. There we'd actually want\n // R^2 * R', and would futher benefit from a precomputed R'^2. It currently\n // converts |mont_p->RR| to R'^2.\n return 1;\n}\n\nstatic int rsa_mod_exp_crt(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx) {\n assert(ctx != NULL);\n\n assert(rsa->n != NULL);\n assert(rsa->e != NULL);\n assert(rsa->d != NULL);\n assert(rsa->p != NULL);\n assert(rsa->q != NULL);\n assert(rsa->dmp1 != NULL);\n assert(rsa->dmq1 != NULL);\n assert(rsa->iqmp != NULL);\n\n BIGNUM *r1, *m1;\n int ret = 0;\n\n BN_CTX_start(ctx);\n r1 = BN_CTX_get(ctx);\n m1 = BN_CTX_get(ctx);\n BIGNUM *n, *p, *q;\n if (r1 == NULL || m1 == NULL) {\n goto err;\n }\n\n // Use the minimal-width versions of |n|, |p|, and |q|. Either works, but if\n // someone gives us non-minimal values, these will be slightly more efficient\n // on the non-Montgomery operations.\n n = &rsa->mont_n->N;\n p = &rsa->mont_p->N;\n q = &rsa->mont_q->N;\n\n // This is a pre-condition for |mod_montgomery|. It was already checked by the\n // caller.\n declassify_assert(BN_ucmp(I, n) < 0);\n\n if ( // |m1| is the result modulo |q|.\n !mod_montgomery(r1, I, q, rsa->mont_q, p, ctx) ||\n !BN_mod_exp_mont_consttime(m1, r1, rsa->dmq1_fixed, q, ctx,\n rsa->mont_q) ||\n // |r0| is the result modulo |p|.\n !mod_montgomery(r1, I, p, rsa->mont_p, q, ctx) ||\n !BN_mod_exp_mont_consttime(r0, r1, rsa->dmp1_fixed, p, ctx,\n rsa->mont_p) ||\n // Compute r0 = r0 - m1 mod p. |m1| is reduced mod |q|, not |p|, so we\n // just run |mod_montgomery| again for simplicity. This could be more\n // efficient with more cases: if |p > q|, |m1| is already reduced. If\n // |p < q| but they have the same bit width, |bn_reduce_once| suffices.\n // However, compared to over 2048 Montgomery multiplications above, this\n // difference is not measurable.\n !mod_montgomery(r1, m1, p, rsa->mont_p, q, ctx) ||\n !bn_mod_sub_consttime(r0, r0, r1, p, ctx) ||\n // r0 = r0 * iqmp mod p. We use Montgomery multiplication to compute this\n // in constant time. |iqmp_mont| is in Montgomery form and r0 is not, so\n // the result is taken out of Montgomery form.\n !BN_mod_mul_montgomery(r0, r0, rsa->iqmp_mont, rsa->mont_p, ctx) ||\n // r0 = r0 * q + m1 gives the final result. Reducing modulo q gives m1, so\n // it is correct mod p. Reducing modulo p gives (r0-m1)*iqmp*q + m1 = r0,\n // so it is correct mod q. Finally, the result is bounded by [m1, n + m1),\n // and the result is at least |m1|, so this must be the unique answer in\n // [0, n).\n !bn_mul_consttime(r0, r0, q, ctx) || //\n !bn_uadd_consttime(r0, r0, m1)) {\n goto err;\n }\n\n // The result should be bounded by |n|, but fixed-width operations may\n // bound the width slightly higher, so fix it. This trips constant-time checks\n // because a naive data flow analysis does not realize the excess words are\n // publicly zero.\n declassify_assert(BN_cmp(r0, n) < 0);\n bn_assert_fits_in_bytes(r0, BN_num_bytes(n));\n if (!bn_resize_words(r0, n->width)) {\n goto err;\n }\n\n ret = 1;\n\nerr:\n BN_CTX_end(ctx);\n return ret;\n}\n\nstatic int ensure_bignum(BIGNUM **out) {\n if (*out == NULL) {\n *out = BN_new();\n }\n return *out != NULL;\n}\n\n// kBoringSSLRSASqrtTwo is the BIGNUM representation of ⌊2²⁰⁴⁷×√2⌋. This is\n// chosen to give enough precision for 4096-bit RSA, the largest key size FIPS\n// specifies. Key sizes beyond this will round up.\n//\n// To calculate, use the following Haskell code:\n//\n// import Text.Printf (printf)\n// import Data.List (intercalate)\n//\n// pow2 = 4095\n// target = 2^pow2\n//\n// f x = x*x - (toRational target)\n//\n// fprime x = 2*x\n//\n// newtonIteration x = x - (f x) / (fprime x)\n//\n// converge x =\n// let n = floor x in\n// if n*n - target < 0 && (n+1)*(n+1) - target > 0\n// then n\n// else converge (newtonIteration x)\n//\n// divrem bits x = (x `div` (2^bits), x `rem` (2^bits))\n//\n// bnWords :: Integer -> [Integer]\n// bnWords x =\n// if x == 0\n// then []\n// else let (high, low) = divrem 64 x in low : bnWords high\n//\n// showWord x = let (high, low) = divrem 32 x in printf \"TOBN(0x%08x, 0x%08x)\"\n// high low\n//\n// output :: String\n// output = intercalate \", \" $ map showWord $ bnWords $ converge (2 ^ (pow2\n// `div` 2))\n//\n// To verify this number, check that n² < 2⁴⁰⁹⁵ < (n+1)², where n is value\n// represented here. Note the components are listed in little-endian order. Here\n// is some sample Python code to check:\n//\n// >>> TOBN = lambda a, b: a << 32 | b\n// >>> l = [ ]\n// >>> n = sum(a * 2**(64*i) for i, a in enumerate(l))\n// >>> n**2 < 2**4095 < (n+1)**2\n// True\nconst BN_ULONG kBoringSSLRSASqrtTwo[] = {\n TOBN(0x4d7c60a5, 0xe633e3e1), TOBN(0x5fcf8f7b, 0xca3ea33b),\n TOBN(0xc246785e, 0x92957023), TOBN(0xf9acce41, 0x797f2805),\n TOBN(0xfdfe170f, 0xd3b1f780), TOBN(0xd24f4a76, 0x3facb882),\n TOBN(0x18838a2e, 0xaff5f3b2), TOBN(0xc1fcbdde, 0xa2f7dc33),\n TOBN(0xdea06241, 0xf7aa81c2), TOBN(0xf6a1be3f, 0xca221307),\n TOBN(0x332a5e9f, 0x7bda1ebf), TOBN(0x0104dc01, 0xfe32352f),\n TOBN(0xb8cf341b, 0x6f8236c7), TOBN(0x4264dabc, 0xd528b651),\n TOBN(0xf4d3a02c, 0xebc93e0c), TOBN(0x81394ab6, 0xd8fd0efd),\n TOBN(0xeaa4a089, 0x9040ca4a), TOBN(0xf52f120f, 0x836e582e),\n TOBN(0xcb2a6343, 0x31f3c84d), TOBN(0xc6d5a8a3, 0x8bb7e9dc),\n TOBN(0x460abc72, 0x2f7c4e33), TOBN(0xcab1bc91, 0x1688458a),\n TOBN(0x53059c60, 0x11bc337b), TOBN(0xd2202e87, 0x42af1f4e),\n TOBN(0x78048736, 0x3dfa2768), TOBN(0x0f74a85e, 0x439c7b4a),\n TOBN(0xa8b1fe6f, 0xdc83db39), TOBN(0x4afc8304, 0x3ab8a2c3),\n TOBN(0xed17ac85, 0x83339915), TOBN(0x1d6f60ba, 0x893ba84c),\n TOBN(0x597d89b3, 0x754abe9f), TOBN(0xb504f333, 0xf9de6484),\n};\nconst size_t kBoringSSLRSASqrtTwoLen = OPENSSL_ARRAY_SIZE(kBoringSSLRSASqrtTwo);\n\n// generate_prime sets |out| to a prime with length |bits| such that |out|-1 is\n// relatively prime to |e|. If |p| is non-NULL, |out| will also not be close to\n// |p|. |sqrt2| must be ⌊2^(bits-1)×√2⌋ (or a slightly overestimate for large\n// sizes), and |pow2_bits_100| must be 2^(bits-100).\n//\n// This function fails with probability around 2^-21.\nstatic int generate_prime(BIGNUM *out, int bits, const BIGNUM *e,\n const BIGNUM *p, const BIGNUM *sqrt2,\n const BIGNUM *pow2_bits_100, BN_CTX *ctx,\n BN_GENCB *cb) {\n if (bits < 128 || (bits % BN_BITS2) != 0) {\n OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR);\n return 0;\n }\n assert(BN_is_pow2(pow2_bits_100));\n assert(BN_is_bit_set(pow2_bits_100, bits - 100));\n\n // See FIPS 186-4 appendix B.3.3, steps 4 and 5. Note |bits| here is nlen/2.\n\n // Use the limit from steps 4.7 and 5.8 for most values of |e|. When |e| is 3,\n // the 186-4 limit is too low, so we use a higher one. Note this case is not\n // reachable from |RSA_generate_key_fips|.\n //\n // |limit| determines the failure probability. We must find a prime that is\n // not 1 mod |e|. By the prime number theorem, we'll find one with probability\n // p = (e-1)/e * 2/(ln(2)*bits). Note the second term is doubled because we\n // discard even numbers.\n //\n // The failure probability is thus (1-p)^limit. To convert that to a power of\n // two, we take logs. -log_2((1-p)^limit) = -limit * ln(1-p) / ln(2).\n //\n // >>> def f(bits, e, limit):\n // ... p = (e-1.0)/e * 2.0/(math.log(2)*bits)\n // ... return -limit * math.log(1 - p) / math.log(2)\n // ...\n // >>> f(1024, 65537, 5*1024)\n // 20.842750558272634\n // >>> f(1536, 65537, 5*1536)\n // 20.83294549602474\n // >>> f(2048, 65537, 5*2048)\n // 20.828047576234948\n // >>> f(1024, 3, 8*1024)\n // 22.222147925962307\n // >>> f(1536, 3, 8*1536)\n // 22.21518251065506\n // >>> f(2048, 3, 8*2048)\n // 22.211701985875937\n if (bits >= INT_MAX / 32) {\n OPENSSL_PUT_ERROR(RSA, RSA_R_MODULUS_TOO_LARGE);\n return 0;\n }\n int limit = BN_is_word(e, 3) ? bits * 8 : bits * 5;\n\n int ret = 0, tries = 0, rand_tries = 0;\n BN_CTX_start(ctx);\n BIGNUM *tmp = BN_CTX_get(ctx);\n if (tmp == NULL) {\n goto err;\n }\n\n for (;;) {\n // Generate a random number of length |bits| where the bottom bit is set\n // (steps 4.2, 4.3, 5.2 and 5.3) and the top bit is set (implied by the\n // bound checked below in steps 4.4 and 5.5).\n if (!BN_rand(out, bits, BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ODD) ||\n !BN_GENCB_call(cb, BN_GENCB_GENERATED, rand_tries++)) {\n goto err;\n }\n\n if (p != NULL) {\n // If |p| and |out| are too close, try again (step 5.4).\n if (!bn_abs_sub_consttime(tmp, out, p, ctx)) {\n goto err;\n }\n if (BN_cmp(tmp, pow2_bits_100) <= 0) {\n continue;\n }\n }\n\n // If out < 2^(bits-1)×√2, try again (steps 4.4 and 5.5). This is equivalent\n // to out <= ⌊2^(bits-1)×√2⌋, or out <= sqrt2 for FIPS key sizes.\n //\n // For larger keys, the comparison is approximate, leaning towards\n // retrying. That is, we reject a negligible fraction of primes that are\n // within the FIPS bound, but we will never accept a prime outside the\n // bound, ensuring the resulting RSA key is the right size.\n //\n // Values over the threshold are discarded, so it is safe to leak this\n // comparison.\n if (constant_time_declassify_int(BN_cmp(out, sqrt2) <= 0)) {\n continue;\n }\n\n // RSA key generation's bottleneck is discarding composites. If it fails\n // trial division, do not bother computing a GCD or performing Miller-Rabin.\n if (!bn_odd_number_is_obviously_composite(out)) {\n // Check gcd(out-1, e) is one (steps 4.5 and 5.6). Leaking the final\n // result of this comparison is safe because, if not relatively prime, the\n // value will be discarded.\n int relatively_prime;\n if (!bn_usub_consttime(tmp, out, BN_value_one()) ||\n !bn_is_relatively_prime(&relatively_prime, tmp, e, ctx)) {\n goto err;\n }\n if (constant_time_declassify_int(relatively_prime)) {\n // Test |out| for primality (steps 4.5.1 and 5.6.1).\n int is_probable_prime;\n if (!BN_primality_test(&is_probable_prime, out,\n BN_prime_checks_for_generation, ctx, 0, cb)) {\n goto err;\n }\n if (is_probable_prime) {\n ret = 1;\n goto err;\n }\n }\n }\n\n // If we've tried too many times to find a prime, abort (steps 4.7 and\n // 5.8).\n tries++;\n if (tries >= limit) {\n OPENSSL_PUT_ERROR(RSA, RSA_R_TOO_MANY_ITERATIONS);\n goto err;\n }\n if (!BN_GENCB_call(cb, 2, tries)) {\n goto err;\n }\n }\n\nerr:\n BN_CTX_end(ctx);\n return ret;\n}\n\n// rsa_generate_key_impl generates an RSA key using a generalized version of\n// FIPS 186-4 appendix B.3. |RSA_generate_key_fips| performs additional checks\n// for FIPS-compliant key generation.\n//\n// This function returns one on success and zero on failure. It has a failure\n// probability of about 2^-20.\nstatic int rsa_generate_key_impl(RSA *rsa, int bits, const BIGNUM *e_value,\n BN_GENCB *cb) {\n // See FIPS 186-4 appendix B.3. This function implements a generalized version\n // of the FIPS algorithm. |RSA_generate_key_fips| performs additional checks\n // for FIPS-compliant key generation.\n\n // Always generate RSA keys which are a multiple of 128 bits. Round |bits|\n // down as needed.\n bits &= ~127;\n\n // Reject excessively small keys.\n if (bits < 256) {\n OPENSSL_PUT_ERROR(RSA, RSA_R_KEY_SIZE_TOO_SMALL);\n return 0;\n }\n\n // Reject excessively large public exponents. Windows CryptoAPI and Go don't\n // support values larger than 32 bits, so match their limits for generating\n // keys. (|rsa_check_public_key| uses a slightly more conservative value, but\n // we don't need to support generating such keys.)\n // https://github.com/golang/go/issues/3161\n // https://msdn.microsoft.com/en-us/library/aa387685(VS.85).aspx\n if (BN_num_bits(e_value) > 32) {\n OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_E_VALUE);\n return 0;\n }\n\n int ret = 0;\n int prime_bits = bits / 2;\n BN_CTX *ctx = BN_CTX_new();\n BIGNUM *totient, *pm1, *qm1, *sqrt2, *pow2_prime_bits_100, *pow2_prime_bits;\n int sqrt2_bits;\n if (ctx == NULL) {\n goto bn_err;\n }\n BN_CTX_start(ctx);\n totient = BN_CTX_get(ctx);\n pm1 = BN_CTX_get(ctx);\n qm1 = BN_CTX_get(ctx);\n sqrt2 = BN_CTX_get(ctx);\n pow2_prime_bits_100 = BN_CTX_get(ctx);\n pow2_prime_bits = BN_CTX_get(ctx);\n if (totient == NULL || pm1 == NULL || qm1 == NULL || sqrt2 == NULL ||\n pow2_prime_bits_100 == NULL || pow2_prime_bits == NULL ||\n !BN_set_bit(pow2_prime_bits_100, prime_bits - 100) ||\n !BN_set_bit(pow2_prime_bits, prime_bits)) {\n goto bn_err;\n }\n\n // We need the RSA components non-NULL.\n if (!ensure_bignum(&rsa->n) || //\n !ensure_bignum(&rsa->d) || //\n !ensure_bignum(&rsa->e) || //\n !ensure_bignum(&rsa->p) || //\n !ensure_bignum(&rsa->q) || //\n !ensure_bignum(&rsa->dmp1) || //\n !ensure_bignum(&rsa->dmq1) || //\n !ensure_bignum(&rsa->iqmp)) {\n goto bn_err;\n }\n\n if (!BN_copy(rsa->e, e_value)) {\n goto bn_err;\n }\n\n // Compute sqrt2 >= ⌊2^(prime_bits-1)×√2⌋.\n if (!bn_set_words(sqrt2, kBoringSSLRSASqrtTwo, kBoringSSLRSASqrtTwoLen)) {\n goto bn_err;\n }\n sqrt2_bits = kBoringSSLRSASqrtTwoLen * BN_BITS2;\n assert(sqrt2_bits == (int)BN_num_bits(sqrt2));\n if (sqrt2_bits > prime_bits) {\n // For key sizes up to 4096 (prime_bits = 2048), this is exactly\n // ⌊2^(prime_bits-1)×√2⌋.\n if (!BN_rshift(sqrt2, sqrt2, sqrt2_bits - prime_bits)) {\n goto bn_err;\n }\n } else if (prime_bits > sqrt2_bits) {\n // For key sizes beyond 4096, this is approximate. We err towards retrying\n // to ensure our key is the right size and round up.\n if (!BN_add_word(sqrt2, 1) ||\n !BN_lshift(sqrt2, sqrt2, prime_bits - sqrt2_bits)) {\n goto bn_err;\n }\n }\n assert(prime_bits == (int)BN_num_bits(sqrt2));\n\n do {\n // Generate p and q, each of size |prime_bits|, using the steps outlined in\n // appendix FIPS 186-4 appendix B.3.3.\n //\n // Each call to |generate_prime| fails with probability p = 2^-21. The\n // probability that either call fails is 1 - (1-p)^2, which is around 2^-20.\n if (!generate_prime(rsa->p, prime_bits, rsa->e, NULL, sqrt2,\n pow2_prime_bits_100, ctx, cb) ||\n !BN_GENCB_call(cb, 3, 0) ||\n !generate_prime(rsa->q, prime_bits, rsa->e, rsa->p, sqrt2,\n pow2_prime_bits_100, ctx, cb) ||\n !BN_GENCB_call(cb, 3, 1)) {\n goto bn_err;\n }\n\n if (BN_cmp(rsa->p, rsa->q) < 0) {\n BIGNUM *tmp = rsa->p;\n rsa->p = rsa->q;\n rsa->q = tmp;\n }\n\n // Calculate d = e^(-1) (mod lcm(p-1, q-1)), per FIPS 186-4. This differs\n // from typical RSA implementations which use (p-1)*(q-1).\n //\n // Note this means the size of d might reveal information about p-1 and\n // q-1. However, we do operations with Chinese Remainder Theorem, so we only\n // use d (mod p-1) and d (mod q-1) as exponents. Using a minimal totient\n // does not affect those two values.\n int no_inverse;\n if (!bn_usub_consttime(pm1, rsa->p, BN_value_one()) ||\n !bn_usub_consttime(qm1, rsa->q, BN_value_one()) ||\n !bn_lcm_consttime(totient, pm1, qm1, ctx) ||\n !bn_mod_inverse_consttime(rsa->d, &no_inverse, rsa->e, totient, ctx)) {\n goto bn_err;\n }\n\n // Retry if |rsa->d| <= 2^|prime_bits|. See appendix B.3.1's guidance on\n // values for d. When we retry, p and q are discarded, so it is safe to leak\n // this comparison.\n } while (constant_time_declassify_int(BN_cmp(rsa->d, pow2_prime_bits) <= 0));\n\n assert(BN_num_bits(pm1) == (unsigned)prime_bits);\n assert(BN_num_bits(qm1) == (unsigned)prime_bits);\n if ( // Calculate n.\n !bn_mul_consttime(rsa->n, rsa->p, rsa->q, ctx) ||\n // Calculate d mod (p-1).\n !bn_div_consttime(NULL, rsa->dmp1, rsa->d, pm1, prime_bits, ctx) ||\n // Calculate d mod (q-1)\n !bn_div_consttime(NULL, rsa->dmq1, rsa->d, qm1, prime_bits, ctx)) {\n goto bn_err;\n }\n bn_set_minimal_width(rsa->n);\n\n // |rsa->n| is computed from the private key, but is public.\n bn_declassify(rsa->n);\n\n // Calculate q^-1 mod p.\n rsa->mont_p = BN_MONT_CTX_new_consttime(rsa->p, ctx);\n if (rsa->mont_p == NULL || //\n !bn_mod_inverse_secret_prime(rsa->iqmp, rsa->q, rsa->p, ctx,\n rsa->mont_p)) {\n goto bn_err;\n }\n\n // Sanity-check that |rsa->n| has the specified size. This is implied by\n // |generate_prime|'s bounds.\n if (BN_num_bits(rsa->n) != (unsigned)bits) {\n OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR);\n goto err;\n }\n\n // The key generation process is complex and thus error-prone. It could be\n // disastrous to generate and then use a bad key so double-check that the key\n // makes sense. Also, while |rsa| is mutable, fill in the cached components.\n if (!RSA_check_key(rsa) ||\n !freeze_private_key(rsa, ctx)) {\n OPENSSL_PUT_ERROR(RSA, RSA_R_INTERNAL_ERROR);\n goto err;\n }\n\n ret = 1;\n\nbn_err:\n if (!ret) {\n OPENSSL_PUT_ERROR(RSA, ERR_LIB_BN);\n }\nerr:\n if (ctx != NULL) {\n BN_CTX_end(ctx);\n BN_CTX_free(ctx);\n }\n return ret;\n}\n\nstatic void replace_bignum(BIGNUM **out, BIGNUM **in) {\n BN_free(*out);\n *out = *in;\n *in = NULL;\n}\n\nstatic void replace_bn_mont_ctx(BN_MONT_CTX **out, BN_MONT_CTX **in) {\n BN_MONT_CTX_free(*out);\n *out = *in;\n *in = NULL;\n}\n\nstatic int RSA_generate_key_ex_maybe_fips(RSA *rsa, int bits,\n const BIGNUM *e_value, BN_GENCB *cb,\n int check_fips) {\n boringssl_ensure_rsa_self_test();\n\n if (rsa == NULL) {\n OPENSSL_PUT_ERROR(EC, ERR_R_PASSED_NULL_PARAMETER);\n return 0;\n }\n\n RSA *tmp = NULL;\n uint32_t err;\n int ret = 0;\n\n // |rsa_generate_key_impl|'s 2^-20 failure probability is too high at scale,\n // so we run the FIPS algorithm four times, bringing it down to 2^-80. We\n // should just adjust the retry limit, but FIPS 186-4 prescribes that value\n // and thus results in unnecessary complexity.\n int failures = 0;\n do {\n ERR_clear_error();\n // Generate into scratch space, to avoid leaving partial work on failure.\n tmp = RSA_new();\n if (tmp == NULL) {\n goto out;\n }\n\n if (rsa_generate_key_impl(tmp, bits, e_value, cb)) {\n break;\n }\n\n err = ERR_peek_error();\n RSA_free(tmp);\n tmp = NULL;\n failures++;\n\n // Only retry on |RSA_R_TOO_MANY_ITERATIONS|. This is so a caller-induced\n // failure in |BN_GENCB_call| is still fatal.\n } while (failures < 4 && ERR_GET_LIB(err) == ERR_LIB_RSA &&\n ERR_GET_REASON(err) == RSA_R_TOO_MANY_ITERATIONS);\n\n if (tmp == NULL || (check_fips && !RSA_check_fips(tmp))) {\n goto out;\n }\n\n rsa_invalidate_key(rsa);\n replace_bignum(&rsa->n, &tmp->n);\n replace_bignum(&rsa->e, &tmp->e);\n replace_bignum(&rsa->d, &tmp->d);\n replace_bignum(&rsa->p, &tmp->p);\n replace_bignum(&rsa->q, &tmp->q);\n replace_bignum(&rsa->dmp1, &tmp->dmp1);\n replace_bignum(&rsa->dmq1, &tmp->dmq1);\n replace_bignum(&rsa->iqmp, &tmp->iqmp);\n replace_bn_mont_ctx(&rsa->mont_n, &tmp->mont_n);\n replace_bn_mont_ctx(&rsa->mont_p, &tmp->mont_p);\n replace_bn_mont_ctx(&rsa->mont_q, &tmp->mont_q);\n replace_bignum(&rsa->d_fixed, &tmp->d_fixed);\n replace_bignum(&rsa->dmp1_fixed, &tmp->dmp1_fixed);\n replace_bignum(&rsa->dmq1_fixed, &tmp->dmq1_fixed);\n replace_bignum(&rsa->iqmp_mont, &tmp->iqmp_mont);\n rsa->private_key_frozen = tmp->private_key_frozen;\n ret = 1;\n\nout:\n RSA_free(tmp);\n return ret;\n}\n\nint RSA_generate_key_ex(RSA *rsa, int bits, const BIGNUM *e_value,\n BN_GENCB *cb) {\n return RSA_generate_key_ex_maybe_fips(rsa, bits, e_value, cb,\n /*check_fips=*/0);\n}\n\nint RSA_generate_key_fips(RSA *rsa, int bits, BN_GENCB *cb) {\n // FIPS 186-4 allows 2048-bit and 3072-bit RSA keys (1024-bit and 1536-bit\n // primes, respectively) with the prime generation method we use.\n // Subsequently, IG A.14 stated that larger modulus sizes can be used and ACVP\n // testing supports 4096 bits.\n if (bits != 2048 && bits != 3072 && bits != 4096) {\n OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_RSA_PARAMETERS);\n return 0;\n }\n\n BIGNUM *e = BN_new();\n int ret = e != NULL && BN_set_word(e, RSA_F4) &&\n RSA_generate_key_ex_maybe_fips(rsa, bits, e, cb, /*check_fips=*/1);\n BN_free(e);\n\n if (ret) {\n FIPS_service_indicator_update_state();\n }\n return ret;\n}\n\nDEFINE_METHOD_FUNCTION(RSA_METHOD, RSA_default_method) {\n // All of the methods are NULL to make it easier for the compiler/linker to\n // drop unused functions. The wrapper functions will select the appropriate\n // |rsa_default_*| implementation.\n OPENSSL_memset(out, 0, sizeof(RSA_METHOD));\n out->common.is_static = 1;\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/fipsmodule/self_check/fips.cc.inc", "content": "/* Copyright 2017 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n#include \n\n#include \"../../internal.h\"\n#include \"../delocate.h\"\n\n\nint FIPS_mode(void) {\n#if defined(BORINGSSL_FIPS) && !defined(OPENSSL_ASAN)\n return 1;\n#else\n return 0;\n#endif\n}\n\nint FIPS_mode_set(int on) { return on == FIPS_mode(); }\n\nconst char *FIPS_module_name(void) { return \"BoringCrypto\"; }\n\nint CRYPTO_has_asm(void) {\n#if defined(OPENSSL_NO_ASM)\n return 0;\n#else\n return 1;\n#endif\n}\n\nuint32_t FIPS_version(void) {\n return 0;\n}\n\nint FIPS_query_algorithm_status(const char *algorithm) {\n#if defined(BORINGSSL_FIPS)\n static const char kApprovedAlgorithms[][13] = {\n \"AES-CBC\",\n \"AES-CCM\",\n \"AES-CTR\",\n \"AES-ECB\",\n \"AES-GCM\",\n \"AES-KW\",\n \"AES-KWP\",\n \"ctrDRBG\",\n \"ECC-SSC\",\n \"ECDSA-sign\",\n \"ECDSA-verify\",\n \"FFC-SSC\",\n \"HMAC\",\n \"RSA-sign\",\n \"RSA-verify\",\n \"SHA-1\",\n \"SHA2-224\",\n \"SHA2-256\",\n \"SHA2-384\",\n \"SHA2-512\",\n \"SHA2-512/256\",\n };\n for (size_t i = 0; i < OPENSSL_ARRAY_SIZE(kApprovedAlgorithms); i++) {\n if (strcmp(algorithm, kApprovedAlgorithms[i]) == 0) {\n return 1;\n }\n }\n#endif // BORINGSSL_FIPS\n\n return 0;\n}\n\n#if defined(BORINGSSL_FIPS_COUNTERS)\n\nsize_t FIPS_read_counter(enum fips_counter_t counter) {\n size_t index = (size_t)counter;\n if (index > fips_counter_max) {\n abort();\n }\n\n const size_t *array = reinterpret_cast(\n CRYPTO_get_thread_local(OPENSSL_THREAD_LOCAL_FIPS_COUNTERS));\n if (!array) {\n return 0;\n }\n\n return array[index];\n}\n\nvoid boringssl_fips_inc_counter(enum fips_counter_t counter) {\n size_t index = (size_t)counter;\n if (index > fips_counter_max) {\n abort();\n }\n\n size_t *array = reinterpret_cast(\n CRYPTO_get_thread_local(OPENSSL_THREAD_LOCAL_FIPS_COUNTERS));\n if (!array) {\n const size_t num_bytes = sizeof(size_t) * (fips_counter_max + 1);\n array = reinterpret_cast(OPENSSL_zalloc(num_bytes));\n if (!array) {\n return;\n }\n\n if (!CRYPTO_set_thread_local(OPENSSL_THREAD_LOCAL_FIPS_COUNTERS, array,\n OPENSSL_free)) {\n // |OPENSSL_free| has already been called by |CRYPTO_set_thread_local|.\n return;\n }\n }\n\n array[index]++;\n}\n\n#else\n\nsize_t FIPS_read_counter(enum fips_counter_t counter) { return 0; }\n\n// boringssl_fips_inc_counter is a no-op, inline function in internal.h in this\n// case. That should let the compiler optimise away the callsites.\n\n#endif\n" }, { "path": "Sources/CNIOBoringSSL/crypto/fipsmodule/self_check/self_check.cc.inc", "content": "/* Copyright 2017 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n#include \n\n#include \n#include \n\n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n\n#include \"../../bcm_support.h\"\n#include \"../../internal.h\"\n#include \"../delocate.h\"\n#include \"../dh/internal.h\"\n#include \"../ec/internal.h\"\n#include \"../ecdsa/internal.h\"\n#include \"../rand/internal.h\"\n#include \"../rsa/internal.h\"\n#include \"../service_indicator/internal.h\"\n#include \"../tls/internal.h\"\n\n\n// MSVC wants to put a NUL byte at the end of non-char arrays and so cannot\n// compile the real logic.\n#if defined(_MSC_VER)\n\nint BORINGSSL_self_test(void) { return 0; }\n\n#else\n\nstatic void hexdump(FILE *out, const void *in, size_t len) {\n const uint8_t *in8 = reinterpret_cast(in);\n for (size_t i = 0; i < len; i++) {\n fprintf(out, \"%02x\", in8[i]);\n }\n}\n\nstatic int check_test(const void *expected, const void *actual,\n size_t expected_len, const char *name) {\n if (OPENSSL_memcmp(actual, expected, expected_len) != 0) {\n FILE *err = CRYPTO_get_stderr();\n fprintf(err, \"%s failed.\\nExpected: \", name);\n hexdump(err, expected, expected_len);\n fprintf(err, \"\\nCalculated: \");\n hexdump(err, actual, expected_len);\n fprintf(err, \"\\n\");\n fflush(err);\n return 0;\n }\n return 1;\n}\n\nstatic int set_bignum(BIGNUM **out, const uint8_t *in, size_t len) {\n *out = BN_bin2bn(in, len, NULL);\n return *out != NULL;\n}\n\nstatic RSA *self_test_rsa_key(void) {\n static const uint8_t kN[] = {\n 0xd3, 0x3a, 0x62, 0x9f, 0x07, 0x77, 0xb0, 0x18, 0xf3, 0xff, 0xfe, 0xcc,\n 0xc9, 0xa2, 0xc2, 0x3a, 0xa6, 0x1d, 0xd8, 0xf0, 0x26, 0x5b, 0x38, 0x90,\n 0x17, 0x48, 0x15, 0xce, 0x21, 0xcd, 0xd6, 0x62, 0x99, 0xe2, 0xd7, 0xda,\n 0x40, 0x80, 0x3c, 0xad, 0x18, 0xb7, 0x26, 0xe9, 0x30, 0x8a, 0x23, 0x3f,\n 0x68, 0x9a, 0x9c, 0x31, 0x34, 0x91, 0x99, 0x06, 0x11, 0x36, 0xb2, 0x9e,\n 0x3a, 0xd0, 0xbc, 0xb9, 0x93, 0x4e, 0xb8, 0x72, 0xa1, 0x9f, 0xb6, 0x8c,\n 0xd5, 0x17, 0x1f, 0x7e, 0xaa, 0x75, 0xbb, 0xdf, 0xa1, 0x70, 0x48, 0xc4,\n 0xec, 0x9a, 0x51, 0xed, 0x41, 0xc9, 0x74, 0xc0, 0x3e, 0x1e, 0x85, 0x2f,\n 0xbe, 0x34, 0xc7, 0x65, 0x34, 0x8b, 0x4d, 0x55, 0x4b, 0xe1, 0x45, 0x54,\n 0x0d, 0x75, 0x7e, 0x89, 0x4d, 0x0c, 0xf6, 0x33, 0xe5, 0xfc, 0xfb, 0x56,\n 0x1b, 0xf2, 0x39, 0x9d, 0xe0, 0xff, 0x55, 0xcf, 0x02, 0x05, 0xb9, 0x74,\n 0xd2, 0x91, 0xfc, 0x87, 0xe1, 0xbb, 0x97, 0x2a, 0xe4, 0xdd, 0x20, 0xc0,\n 0x38, 0x47, 0xc0, 0x76, 0x3f, 0xa1, 0x9b, 0x5c, 0x20, 0xff, 0xff, 0xc7,\n 0x49, 0x3b, 0x4c, 0xaf, 0x99, 0xa6, 0x3e, 0x82, 0x5c, 0x58, 0x27, 0xce,\n 0x01, 0x03, 0xc3, 0x16, 0x35, 0x20, 0xe9, 0xf0, 0x15, 0x7a, 0x41, 0xd5,\n 0x1f, 0x52, 0xea, 0xdf, 0xad, 0x4c, 0xbb, 0x0d, 0xcb, 0x04, 0x91, 0xb0,\n 0x95, 0xa8, 0xce, 0x25, 0xfd, 0xd2, 0x62, 0x47, 0x77, 0xee, 0x13, 0xf1,\n 0x48, 0x72, 0x9e, 0xd9, 0x2d, 0xe6, 0x5f, 0xa4, 0xc6, 0x9e, 0x5a, 0xb2,\n 0xc6, 0xa2, 0xf7, 0x0a, 0x16, 0x17, 0xae, 0x6b, 0x1c, 0x30, 0x7c, 0x63,\n 0x08, 0x83, 0xe7, 0x43, 0xec, 0x54, 0x5e, 0x2c, 0x08, 0x0b, 0x5e, 0x46,\n 0xa7, 0x10, 0x93, 0x43, 0x53, 0x4e, 0xe3, 0x16, 0x73, 0x55, 0xce, 0xf2,\n 0x94, 0xc0, 0xbe, 0xb3,\n };\n static const uint8_t kE[] = {0x01, 0x00, 0x01}; // 65537\n static const uint8_t kD[] = {\n 0x2f, 0x2c, 0x1e, 0xd2, 0x3d, 0x2c, 0xb1, 0x9b, 0x21, 0x02, 0xce, 0xb8,\n 0x95, 0x5f, 0x4f, 0xd9, 0x21, 0x38, 0x11, 0x36, 0xb0, 0x9a, 0x36, 0xab,\n 0x97, 0x47, 0x75, 0xf7, 0x2e, 0xfd, 0x75, 0x1f, 0x58, 0x16, 0x9c, 0xf6,\n 0x14, 0xe9, 0x8e, 0xa3, 0x69, 0x9d, 0x9d, 0x86, 0xfe, 0x5c, 0x1b, 0x3b,\n 0x11, 0xf5, 0x55, 0x64, 0x77, 0xc4, 0xfc, 0x53, 0xaa, 0x8c, 0x78, 0x9f,\n 0x75, 0xab, 0x20, 0x3a, 0xa1, 0x77, 0x37, 0x22, 0x02, 0x8e, 0x54, 0x8a,\n 0x67, 0x1c, 0x5e, 0xe0, 0x3e, 0xd9, 0x44, 0x37, 0xd1, 0x29, 0xee, 0x56,\n 0x6c, 0x30, 0x9a, 0x93, 0x4d, 0xd9, 0xdb, 0xc5, 0x03, 0x1a, 0x75, 0xcc,\n 0x0f, 0xc2, 0x61, 0xb5, 0x6c, 0x62, 0x9f, 0xc6, 0xa8, 0xc7, 0x8a, 0x60,\n 0x17, 0x11, 0x62, 0x4c, 0xef, 0x74, 0x31, 0x97, 0xad, 0x89, 0x2d, 0xe8,\n 0x31, 0x1d, 0x8b, 0x58, 0x82, 0xe3, 0x03, 0x1a, 0x6b, 0xdf, 0x3f, 0x3e,\n 0xa4, 0x27, 0x19, 0xef, 0x46, 0x7a, 0x90, 0xdf, 0xa7, 0xe7, 0xc9, 0x66,\n 0xab, 0x41, 0x1d, 0x65, 0x78, 0x1c, 0x18, 0x40, 0x5c, 0xd6, 0x87, 0xb5,\n 0xea, 0x29, 0x44, 0xb3, 0xf5, 0xb3, 0xd2, 0x4f, 0xce, 0x88, 0x78, 0x49,\n 0x27, 0x4e, 0x0b, 0x30, 0x85, 0xfb, 0x73, 0xfd, 0x8b, 0x32, 0x15, 0xee,\n 0x1f, 0xc9, 0x0e, 0x89, 0xb9, 0x43, 0x2f, 0xe9, 0x60, 0x8d, 0xda, 0xae,\n 0x2b, 0x30, 0x99, 0xee, 0x88, 0x81, 0x20, 0x7b, 0x4a, 0xc3, 0x18, 0xf2,\n 0x94, 0x02, 0x79, 0x94, 0xaa, 0x65, 0xd9, 0x1b, 0x45, 0x2a, 0xac, 0x6e,\n 0x30, 0x48, 0x57, 0xea, 0xbe, 0x79, 0x7d, 0xfc, 0x67, 0xaa, 0x47, 0xc0,\n 0xf7, 0x52, 0xfd, 0x0b, 0x63, 0x4e, 0x3d, 0x2e, 0xcc, 0x36, 0xa0, 0xdb,\n 0x92, 0x0b, 0xa9, 0x1b, 0xeb, 0xc2, 0xd5, 0x08, 0xd3, 0x85, 0x87, 0xf8,\n 0x5d, 0x1a, 0xf6, 0xc1,\n };\n static const uint8_t kP[] = {\n 0xf7, 0x06, 0xa3, 0x98, 0x8a, 0x52, 0xf8, 0x63, 0x68, 0x27, 0x4f, 0x68,\n 0x7f, 0x34, 0xec, 0x8e, 0x5d, 0xf8, 0x30, 0x92, 0xb3, 0x62, 0x4c, 0xeb,\n 0xdb, 0x19, 0x6b, 0x09, 0xc5, 0xa3, 0xf0, 0xbb, 0xff, 0x0f, 0xc2, 0xd4,\n 0x9b, 0xc9, 0x54, 0x4f, 0xb9, 0xf9, 0xe1, 0x4c, 0xf0, 0xe3, 0x4c, 0x90,\n 0xda, 0x7a, 0x01, 0xc2, 0x9f, 0xc4, 0xc8, 0x8e, 0xb1, 0x1e, 0x93, 0x75,\n 0x75, 0xc6, 0x13, 0x25, 0xc3, 0xee, 0x3b, 0xcc, 0xb8, 0x72, 0x6c, 0x49,\n 0xb0, 0x09, 0xfb, 0xab, 0x44, 0xeb, 0x4d, 0x40, 0xf0, 0x61, 0x6b, 0xe5,\n 0xe6, 0xfe, 0x3e, 0x0a, 0x77, 0x26, 0x39, 0x76, 0x3d, 0x4c, 0x3e, 0x9b,\n 0x5b, 0xc0, 0xaf, 0xa2, 0x58, 0x76, 0xb0, 0xe9, 0xda, 0x7f, 0x0e, 0x78,\n 0xc9, 0x76, 0x49, 0x5c, 0xfa, 0xb3, 0xb0, 0x15, 0x4b, 0x41, 0xc7, 0x27,\n 0xa4, 0x75, 0x28, 0x5c, 0x30, 0x69, 0x50, 0x29,\n };\n static const uint8_t kQ[] = {\n 0xda, 0xe6, 0xd2, 0xbb, 0x44, 0xff, 0x4f, 0xdf, 0x57, 0xc1, 0x11, 0xa3,\n 0x51, 0xba, 0x17, 0x89, 0x4c, 0x01, 0xc0, 0x0c, 0x97, 0x34, 0x50, 0xcf,\n 0x32, 0x1e, 0xc0, 0xbd, 0x7b, 0x35, 0xb5, 0x6a, 0x26, 0xcc, 0xea, 0x4c,\n 0x8e, 0x87, 0x4a, 0x67, 0x8b, 0xd3, 0xe5, 0x4f, 0x3a, 0x60, 0x48, 0x59,\n 0x04, 0x93, 0x39, 0xd7, 0x7c, 0xfb, 0x19, 0x1a, 0x34, 0xd5, 0xe8, 0xaf,\n 0xe7, 0x22, 0x2c, 0x0d, 0xc2, 0x91, 0x69, 0xb6, 0xe9, 0x2a, 0xe9, 0x1c,\n 0x4c, 0x6e, 0x8f, 0x40, 0xf5, 0xa8, 0x3e, 0x82, 0x69, 0x69, 0xbe, 0x9f,\n 0x7d, 0x5c, 0x7f, 0x92, 0x78, 0x17, 0xa3, 0x6d, 0x41, 0x2d, 0x72, 0xed,\n 0x3f, 0x71, 0xfa, 0x97, 0xb4, 0x63, 0xe4, 0x4f, 0xd9, 0x46, 0x03, 0xfb,\n 0x00, 0xeb, 0x30, 0x70, 0xb9, 0x51, 0xd9, 0x0a, 0xd2, 0xf8, 0x50, 0xd4,\n 0xfb, 0x43, 0x84, 0xf8, 0xac, 0x58, 0xc3, 0x7b,\n };\n static const uint8_t kDModPMinusOne[] = {\n 0xf5, 0x50, 0x8f, 0x88, 0x7d, 0xdd, 0xb5, 0xb4, 0x2a, 0x8b, 0xd7, 0x4d,\n 0x23, 0xfe, 0xaf, 0xe9, 0x16, 0x22, 0xd2, 0x41, 0xed, 0x88, 0xf2, 0x70,\n 0xcb, 0x4d, 0xeb, 0xc1, 0x71, 0x97, 0xc4, 0x0b, 0x3e, 0x5a, 0x2d, 0x96,\n 0xab, 0xfa, 0xfd, 0x12, 0x8b, 0xd3, 0x3e, 0x4e, 0x05, 0x6f, 0x04, 0xeb,\n 0x59, 0x3c, 0x0e, 0xa1, 0x73, 0xbe, 0x9d, 0x99, 0x2f, 0x05, 0xf9, 0x54,\n 0x8d, 0x98, 0x1e, 0x0d, 0xc4, 0x0c, 0xc3, 0x30, 0x23, 0xff, 0xe5, 0xd0,\n 0x2b, 0xd5, 0x4e, 0x2b, 0xa0, 0xae, 0xb8, 0x32, 0x84, 0x45, 0x8b, 0x3c,\n 0x6d, 0xf0, 0x10, 0x36, 0x9e, 0x6a, 0xc4, 0x67, 0xca, 0xa9, 0xfc, 0x06,\n 0x96, 0xd0, 0xbc, 0xda, 0xd1, 0x55, 0x55, 0x8d, 0x77, 0x21, 0xf4, 0x82,\n 0x39, 0x37, 0x91, 0xd5, 0x97, 0x56, 0x78, 0xc8, 0x3c, 0xcb, 0x5e, 0xf6,\n 0xdc, 0x58, 0x48, 0xb3, 0x7c, 0x94, 0x29, 0x39,\n };\n static const uint8_t kDModQMinusOne[] = {\n 0x64, 0x65, 0xbd, 0x7d, 0x1a, 0x96, 0x26, 0xa1, 0xfe, 0xf3, 0x94, 0x0d,\n 0x5d, 0xec, 0x85, 0xe2, 0xf8, 0xb3, 0x4c, 0xcb, 0xf9, 0x85, 0x8b, 0x12,\n 0x9c, 0xa0, 0x32, 0x32, 0x35, 0x92, 0x5a, 0x94, 0x47, 0x1b, 0x70, 0xd2,\n 0x90, 0x04, 0x49, 0x01, 0xd8, 0xc5, 0xe4, 0xc4, 0x43, 0xb7, 0xe9, 0x36,\n 0xba, 0xbc, 0x73, 0xa8, 0xfb, 0xaf, 0x86, 0xc1, 0xd8, 0x3d, 0xcb, 0xac,\n 0xf1, 0xcb, 0x60, 0x7d, 0x27, 0x21, 0xde, 0x64, 0x7f, 0xe8, 0xa8, 0x65,\n 0xcc, 0x40, 0x60, 0xff, 0xa0, 0x2b, 0xfc, 0x0f, 0x80, 0x1d, 0x79, 0xca,\n 0x58, 0x8a, 0xd6, 0x0f, 0xed, 0x78, 0x9a, 0x02, 0x00, 0x04, 0xc2, 0x53,\n 0x41, 0xe8, 0x1a, 0xd0, 0xfd, 0x71, 0x5b, 0x43, 0xac, 0x19, 0x4a, 0xb6,\n 0x12, 0xa3, 0xcb, 0xe1, 0xc7, 0x7d, 0x5c, 0x98, 0x74, 0x4e, 0x63, 0x74,\n 0x6b, 0x91, 0x7a, 0x29, 0x3b, 0x92, 0xb2, 0x85,\n };\n static const uint8_t kQInverseModP[] = {\n 0xd0, 0xde, 0x19, 0xda, 0x1e, 0xa2, 0xd8, 0x8f, 0x1c, 0x92, 0x73, 0xb0,\n 0xc9, 0x90, 0xc7, 0xf5, 0xec, 0xc5, 0x89, 0x01, 0x05, 0x78, 0x11, 0x2d,\n 0x74, 0x34, 0x44, 0xad, 0xd5, 0xf7, 0xa4, 0xfe, 0x9f, 0x25, 0x4d, 0x0b,\n 0x92, 0xe3, 0xb8, 0x7d, 0xd3, 0xfd, 0xa5, 0xca, 0x95, 0x60, 0xa3, 0xf9,\n 0x55, 0x42, 0x14, 0xb2, 0x45, 0x51, 0x9f, 0x73, 0x88, 0x43, 0x8a, 0xd1,\n 0x65, 0x9e, 0xd1, 0xf7, 0x82, 0x2a, 0x2a, 0x8d, 0x70, 0x56, 0xe3, 0xef,\n 0xc9, 0x0e, 0x2a, 0x2c, 0x15, 0xaf, 0x7f, 0x97, 0x81, 0x66, 0xf3, 0xb5,\n 0x00, 0xa9, 0x26, 0xcc, 0x1e, 0xc2, 0x98, 0xdd, 0xd3, 0x37, 0x06, 0x79,\n 0xb3, 0x60, 0x58, 0x79, 0x99, 0x3f, 0xa3, 0x15, 0x1f, 0x31, 0xe3, 0x11,\n 0x88, 0x4c, 0x35, 0x57, 0xfa, 0x79, 0xd7, 0xd8, 0x72, 0xee, 0x73, 0x95,\n 0x89, 0x29, 0xc7, 0x05, 0x27, 0x68, 0x90, 0x15,\n };\n\n RSA *rsa = RSA_new();\n if (rsa == NULL || //\n !set_bignum(&rsa->n, kN, sizeof(kN)) ||\n !set_bignum(&rsa->e, kE, sizeof(kE)) ||\n !set_bignum(&rsa->d, kD, sizeof(kD)) ||\n !set_bignum(&rsa->p, kP, sizeof(kP)) ||\n !set_bignum(&rsa->q, kQ, sizeof(kQ)) ||\n !set_bignum(&rsa->dmp1, kDModPMinusOne, sizeof(kDModPMinusOne)) ||\n !set_bignum(&rsa->dmq1, kDModQMinusOne, sizeof(kDModQMinusOne)) ||\n !set_bignum(&rsa->iqmp, kQInverseModP, sizeof(kQInverseModP))) {\n RSA_free(rsa);\n return NULL;\n }\n\n return rsa;\n}\n\nstatic EC_KEY *self_test_ecdsa_key(void) {\n static const uint8_t kQx[] = {\n 0xc8, 0x15, 0x61, 0xec, 0xf2, 0xe5, 0x4e, 0xde, 0xfe, 0x66, 0x17,\n 0xdb, 0x1c, 0x7a, 0x34, 0xa7, 0x07, 0x44, 0xdd, 0xb2, 0x61, 0xf2,\n 0x69, 0xb8, 0x3d, 0xac, 0xfc, 0xd2, 0xad, 0xe5, 0xa6, 0x81,\n };\n static const uint8_t kQy[] = {\n 0xe0, 0xe2, 0xaf, 0xa3, 0xf9, 0xb6, 0xab, 0xe4, 0xc6, 0x98, 0xef,\n 0x64, 0x95, 0xf1, 0xbe, 0x49, 0xa3, 0x19, 0x6c, 0x50, 0x56, 0xac,\n 0xb3, 0x76, 0x3f, 0xe4, 0x50, 0x7e, 0xec, 0x59, 0x6e, 0x88,\n };\n static const uint8_t kD[] = {\n 0xc6, 0xc1, 0xaa, 0xda, 0x15, 0xb0, 0x76, 0x61, 0xf8, 0x14, 0x2c,\n 0x6c, 0xaf, 0x0f, 0xdb, 0x24, 0x1a, 0xff, 0x2e, 0xfe, 0x46, 0xc0,\n 0x93, 0x8b, 0x74, 0xf2, 0xbc, 0xc5, 0x30, 0x52, 0xb0, 0x77,\n };\n\n EC_KEY *ec_key = EC_KEY_new();\n BIGNUM *qx = BN_bin2bn(kQx, sizeof(kQx), NULL);\n BIGNUM *qy = BN_bin2bn(kQy, sizeof(kQy), NULL);\n BIGNUM *d = BN_bin2bn(kD, sizeof(kD), NULL);\n if (ec_key == NULL || qx == NULL || qy == NULL || d == NULL ||\n !EC_KEY_set_group(ec_key, EC_group_p256()) ||\n !EC_KEY_set_public_key_affine_coordinates(ec_key, qx, qy) ||\n !EC_KEY_set_private_key(ec_key, d)) {\n EC_KEY_free(ec_key);\n ec_key = NULL;\n }\n\n BN_free(qx);\n BN_free(qy);\n BN_free(d);\n return ec_key;\n}\n\nstatic DH *self_test_dh(void) {\n DH *dh = DH_get_rfc7919_2048();\n if (!dh) {\n return NULL;\n }\n\n BIGNUM *priv = BN_new();\n if (!priv) {\n goto err;\n }\n\n // kFFDHE2048PrivateKeyData is a 225-bit value. (225 because that's the\n // minimum private key size in\n // https://tools.ietf.org/html/rfc7919#appendix-A.1.)\n static const BN_ULONG kFFDHE2048PrivateKeyData[] = {\n TOBN(0x187be36b, 0xd38a4fa1),\n TOBN(0x0a152f39, 0x6458f3b8),\n TOBN(0x0570187e, 0xc422eeb7),\n TOBN(0x00000001, 0x91173f2a),\n };\n\n bn_set_static_words(priv, kFFDHE2048PrivateKeyData,\n OPENSSL_ARRAY_SIZE(kFFDHE2048PrivateKeyData));\n\n if (!DH_set0_key(dh, NULL, priv)) {\n goto err;\n }\n return dh;\n\nerr:\n BN_free(priv);\n DH_free(dh);\n return NULL;\n}\n\n\n// Lazy self-tests\n//\n// Self tests that are slow are deferred until the corresponding algorithm is\n// actually exercised, in FIPS mode. (In non-FIPS mode these tests are only run\n// when requested by |BORINGSSL_self_test|.)\n\nstatic int boringssl_self_test_rsa(void) {\n int ret = 0;\n uint8_t output[256];\n\n RSA *const rsa_key = self_test_rsa_key();\n if (rsa_key == NULL) {\n fprintf(CRYPTO_get_stderr(), \"RSA key construction failed\\n\");\n goto err;\n }\n // Disable blinding for the power-on tests because it's not needed and\n // triggers an entropy draw.\n rsa_key->flags |= RSA_FLAG_NO_BLINDING;\n\n // RSA Sign KAT\n\n static const uint8_t kRSASignDigest[32] = {\n 0xd2, 0xb5, 0x6e, 0x53, 0x30, 0x6f, 0x72, 0x0d, 0x79, 0x29, 0xd8,\n 0x70, 0x8b, 0xf4, 0x6f, 0x1c, 0x22, 0x30, 0x03, 0x05, 0x58, 0x2b,\n 0x11, 0x5b, 0xed, 0xca, 0xc7, 0x22, 0xd8, 0xaa, 0x5a, 0xb2,\n };\n static const uint8_t kRSASignSignature[256] = {\n 0x64, 0xce, 0xdd, 0x91, 0x27, 0xb0, 0x4f, 0xb9, 0x14, 0xea, 0xc0, 0xb4,\n 0xa2, 0x06, 0xc5, 0xd8, 0x40, 0x0f, 0x6c, 0x54, 0xac, 0xf7, 0x02, 0xde,\n 0x26, 0xbb, 0xfd, 0x33, 0xe5, 0x2f, 0x4d, 0xb1, 0x53, 0xc4, 0xff, 0xd0,\n 0x5f, 0xea, 0x15, 0x89, 0x83, 0x4c, 0xe3, 0x80, 0x0b, 0xe9, 0x13, 0x82,\n 0x1d, 0x71, 0x92, 0x1a, 0x03, 0x60, 0x2c, 0xaf, 0xe2, 0x16, 0xc7, 0x43,\n 0x3f, 0xde, 0x6b, 0x94, 0xfd, 0x6e, 0x08, 0x7b, 0x11, 0xf1, 0x34, 0x52,\n 0xe5, 0xc0, 0x97, 0x66, 0x4a, 0xe0, 0x91, 0x45, 0xc8, 0xb1, 0x3d, 0x6a,\n 0x54, 0xc1, 0x32, 0x0f, 0x32, 0xad, 0x25, 0x11, 0x3e, 0x49, 0xad, 0x41,\n 0xce, 0x7b, 0xca, 0x95, 0x6b, 0x54, 0x5e, 0x86, 0x1b, 0xce, 0xfa, 0x2a,\n 0x60, 0xe8, 0xfa, 0xbb, 0x23, 0xb2, 0x41, 0xbc, 0x7c, 0x98, 0xec, 0x73,\n 0x20, 0xed, 0xb3, 0xcf, 0xab, 0x07, 0x24, 0x85, 0x6a, 0x2a, 0x61, 0x76,\n 0x28, 0xf8, 0x00, 0x80, 0xeb, 0xd9, 0x3a, 0x63, 0xe2, 0x01, 0xb1, 0xee,\n 0x6d, 0xe9, 0x73, 0xe9, 0xb6, 0x75, 0x2e, 0xf9, 0x81, 0xd9, 0xa8, 0x79,\n 0xf6, 0x8f, 0xe3, 0x02, 0x7d, 0xf6, 0xea, 0xdc, 0x35, 0xe4, 0x62, 0x0d,\n 0x91, 0xba, 0x3e, 0x7d, 0x8b, 0x82, 0xbf, 0x15, 0x74, 0x6a, 0x4e, 0x29,\n 0xf8, 0x9b, 0x2c, 0x94, 0x8d, 0xa7, 0x00, 0x4d, 0x7b, 0xbf, 0x35, 0x07,\n 0xeb, 0xdd, 0x10, 0xef, 0xd5, 0x2f, 0xe6, 0x98, 0x4b, 0x7e, 0x24, 0x80,\n 0xe2, 0x01, 0xf2, 0x66, 0xb7, 0xd3, 0x93, 0xfe, 0x2a, 0xb3, 0x74, 0xed,\n 0xec, 0x4b, 0xb1, 0x5f, 0x5f, 0xee, 0x85, 0x44, 0xa7, 0x26, 0xdf, 0xc1,\n 0x2e, 0x7a, 0xf3, 0xa5, 0x8f, 0xf8, 0x64, 0xda, 0x65, 0xad, 0x91, 0xe2,\n 0x90, 0x94, 0x20, 0x16, 0xb8, 0x61, 0xa5, 0x0a, 0x7d, 0xb4, 0xbf, 0xc0,\n 0x10, 0xaf, 0x72, 0x67,\n };\n\n unsigned sig_len;\n if (!rsa_sign_no_self_test(NID_sha256, kRSASignDigest, sizeof(kRSASignDigest),\n output, &sig_len, rsa_key) ||\n !check_test(kRSASignSignature, output, sizeof(kRSASignSignature),\n \"RSA-sign KAT\")) {\n fprintf(CRYPTO_get_stderr(), \"RSA signing test failed.\\n\");\n goto err;\n }\n\n // RSA Verify KAT\n\n static const uint8_t kRSAVerifyDigest[32] = {\n 0x09, 0x65, 0x2f, 0xd8, 0xed, 0x9d, 0xc2, 0x6d, 0xbc, 0xbf, 0xf2,\n 0xa7, 0xa5, 0xed, 0xe1, 0x37, 0x13, 0x78, 0x21, 0x36, 0xcf, 0x8d,\n 0x22, 0x3d, 0xab, 0x93, 0xb4, 0x12, 0xa8, 0xb5, 0x15, 0x53,\n };\n static const uint8_t kRSAVerifySignature[256] = {\n 0xab, 0xe2, 0xcb, 0xc1, 0x3d, 0x6b, 0xd3, 0x9d, 0x48, 0xdb, 0x53, 0x34,\n 0xdd, 0xbf, 0x8d, 0x07, 0x0a, 0x93, 0xbd, 0xcb, 0x10, 0x4e, 0x2c, 0xc5,\n 0xd0, 0xee, 0x48, 0x6e, 0xe2, 0x95, 0xf6, 0xb3, 0x1b, 0xda, 0x12, 0x6c,\n 0x41, 0x89, 0x0b, 0x98, 0xb7, 0x3e, 0x70, 0xe6, 0xb6, 0x5d, 0x82, 0xf9,\n 0x5c, 0x66, 0x31, 0x21, 0x75, 0x5a, 0x90, 0x74, 0x4c, 0x8d, 0x1c, 0x21,\n 0x14, 0x8a, 0x19, 0x60, 0xbe, 0x0e, 0xca, 0x44, 0x6e, 0x9f, 0xf4, 0x97,\n 0xf1, 0x34, 0x5c, 0x53, 0x7e, 0xf8, 0x11, 0x9b, 0x9a, 0x43, 0x98, 0xe9,\n 0x5c, 0x5c, 0x6d, 0xe2, 0xb1, 0xc9, 0x55, 0x90, 0x5c, 0x52, 0x99, 0xd8,\n 0xce, 0x7a, 0x3b, 0x6a, 0xb7, 0x63, 0x80, 0xd9, 0xba, 0xbd, 0xd1, 0x5f,\n 0x61, 0x02, 0x37, 0xe1, 0xf3, 0xf2, 0xaa, 0x1c, 0x1f, 0x1e, 0x77, 0x0b,\n 0x62, 0xfb, 0xb5, 0x96, 0x38, 0x1b, 0x2e, 0xbd, 0xd7, 0x7e, 0xce, 0xf9,\n 0xc9, 0x0d, 0x4c, 0x92, 0xf7, 0xb6, 0xb0, 0x5f, 0xed, 0x29, 0x36, 0x28,\n 0x5f, 0xa9, 0x48, 0x26, 0xe6, 0x20, 0x55, 0x32, 0x2a, 0x33, 0xb6, 0xf0,\n 0x4c, 0x74, 0xce, 0x69, 0xe5, 0xd8, 0xd7, 0x37, 0xfb, 0x83, 0x8b, 0x79,\n 0xd2, 0xd4, 0x8e, 0x3d, 0xaf, 0x71, 0x38, 0x75, 0x31, 0x88, 0x25, 0x31,\n 0xa9, 0x5a, 0xc9, 0x64, 0xd0, 0x2e, 0xa4, 0x13, 0xbf, 0x85, 0x95, 0x29,\n 0x82, 0xbb, 0xc0, 0x89, 0x52, 0x7d, 0xaf, 0xf5, 0xb8, 0x45, 0xc9, 0xa0,\n 0xf4, 0xd1, 0x4e, 0xf1, 0x95, 0x6d, 0x9c, 0x3a, 0xca, 0xe8, 0x82, 0xd1,\n 0x2d, 0xa6, 0x6d, 0xa0, 0xf3, 0x57, 0x94, 0xf5, 0xee, 0x32, 0x23, 0x23,\n 0x33, 0x51, 0x7d, 0xb9, 0x31, 0x52, 0x32, 0xa1, 0x83, 0xb9, 0x91, 0x65,\n 0x4d, 0xbe, 0xa4, 0x16, 0x15, 0x34, 0x5c, 0x88, 0x53, 0x25, 0x92, 0x67,\n 0x44, 0xa5, 0x39, 0x15,\n };\n if (!rsa_verify_no_self_test(NID_sha256, kRSAVerifyDigest,\n sizeof(kRSAVerifyDigest), kRSAVerifySignature,\n sizeof(kRSAVerifySignature), rsa_key)) {\n fprintf(CRYPTO_get_stderr(), \"RSA-verify KAT failed.\\n\");\n goto err;\n }\n\n ret = 1;\n\nerr:\n RSA_free(rsa_key);\n\n return ret;\n}\n\nstatic int boringssl_self_test_ecc(void) {\n int ret = 0;\n EC_KEY *ec_key = NULL;\n EC_POINT *ec_point_in = NULL;\n EC_POINT *ec_point_out = NULL;\n BIGNUM *ec_scalar = NULL;\n const EC_GROUP *ec_group = NULL;\n\n // The 'k' value for ECDSA is fixed to avoid an entropy draw.\n uint8_t ecdsa_k[32] = {0};\n ecdsa_k[31] = 42;\n\n ec_key = self_test_ecdsa_key();\n if (ec_key == NULL) {\n fprintf(CRYPTO_get_stderr(), \"ECDSA KeyGen failed\\n\");\n goto err;\n }\n\n // ECDSA Sign/Verify KAT\n\n static const uint8_t kECDSASignDigest[32] = {\n 0x1e, 0x35, 0x93, 0x0b, 0xe8, 0x60, 0xd0, 0x94, 0x2c, 0xa7, 0xbb,\n 0xd6, 0xf6, 0xde, 0xd8, 0x7f, 0x15, 0x7e, 0x4d, 0xe2, 0x4f, 0x81,\n 0xed, 0x4b, 0x87, 0x5c, 0x0e, 0x01, 0x8e, 0x89, 0xa8, 0x1f,\n };\n static const uint8_t kECDSASignSig[64] = {\n 0x67, 0x80, 0xc5, 0xfc, 0x70, 0x27, 0x5e, 0x2c, 0x70, 0x61, 0xa0,\n 0xe7, 0x87, 0x7b, 0xb1, 0x74, 0xde, 0xad, 0xeb, 0x98, 0x87, 0x02,\n 0x7f, 0x3f, 0xa8, 0x36, 0x54, 0x15, 0x8b, 0xa7, 0xf5, 0x0c, 0x68,\n 0x04, 0x73, 0x40, 0x94, 0xb2, 0xd1, 0x90, 0xac, 0x2d, 0x0c, 0xd7,\n 0xa5, 0x7f, 0x2f, 0x2e, 0xb2, 0x62, 0xb0, 0x09, 0x16, 0xe1, 0xa6,\n 0x70, 0xb5, 0xbb, 0x0d, 0xfd, 0x8e, 0x0c, 0x02, 0x3f,\n };\n\n uint8_t ecdsa_sign_output[64];\n size_t ecdsa_sign_output_len;\n if (!ecdsa_sign_fixed_with_nonce_for_known_answer_test(\n kECDSASignDigest, sizeof(kECDSASignDigest), ecdsa_sign_output,\n &ecdsa_sign_output_len, sizeof(ecdsa_sign_output), ec_key, ecdsa_k,\n sizeof(ecdsa_k)) ||\n !check_test(kECDSASignSig, ecdsa_sign_output, sizeof(ecdsa_sign_output),\n \"ECDSA-sign signature\")) {\n fprintf(CRYPTO_get_stderr(), \"ECDSA-sign KAT failed.\\n\");\n goto err;\n }\n\n static const uint8_t kECDSAVerifyDigest[32] = {\n 0x78, 0x7c, 0x50, 0x5c, 0x60, 0xc9, 0xe4, 0x13, 0x6c, 0xe4, 0x48,\n 0xba, 0x93, 0xff, 0x71, 0xfa, 0x9c, 0x18, 0xf4, 0x17, 0x09, 0x4f,\n 0xdf, 0x5a, 0xe2, 0x75, 0xc0, 0xcc, 0xd2, 0x67, 0x97, 0xad,\n };\n static const uint8_t kECDSAVerifySig[64] = {\n 0x67, 0x80, 0xc5, 0xfc, 0x70, 0x27, 0x5e, 0x2c, 0x70, 0x61, 0xa0,\n 0xe7, 0x87, 0x7b, 0xb1, 0x74, 0xde, 0xad, 0xeb, 0x98, 0x87, 0x02,\n 0x7f, 0x3f, 0xa8, 0x36, 0x54, 0x15, 0x8b, 0xa7, 0xf5, 0x0c, 0x2d,\n 0x36, 0xe5, 0x79, 0x97, 0x90, 0xbf, 0xbe, 0x21, 0x83, 0xd3, 0x3e,\n 0x96, 0xf3, 0xc5, 0x1f, 0x6a, 0x23, 0x2f, 0x2a, 0x24, 0x48, 0x8c,\n 0x8e, 0x5f, 0x64, 0xc3, 0x7e, 0xa2, 0xcf, 0x05, 0x29,\n };\n\n if (!ecdsa_verify_fixed_no_self_test(\n kECDSAVerifyDigest, sizeof(kECDSAVerifyDigest), kECDSAVerifySig,\n sizeof(kECDSAVerifySig), ec_key)) {\n fprintf(CRYPTO_get_stderr(), \"ECDSA-verify KAT failed.\\n\");\n goto err;\n }\n\n // Primitive Z Computation KAT (IG 9.6).\n\n // kP256Point is SHA256(\"Primitive Z Computation KAT\")×G within P-256.\n static const uint8_t kP256Point[65] = {\n 0x04, 0x4e, 0xc1, 0x94, 0x8c, 0x5c, 0xf4, 0x37, 0x35, 0x0d, 0xa3,\n 0xf9, 0x55, 0xf9, 0x8b, 0x26, 0x23, 0x5c, 0x43, 0xe0, 0x83, 0x51,\n 0x2b, 0x0d, 0x4b, 0x56, 0x24, 0xc3, 0xe4, 0xa5, 0xa8, 0xe2, 0xe9,\n 0x95, 0xf2, 0xc4, 0xb9, 0xb7, 0x48, 0x7d, 0x2a, 0xae, 0xc5, 0xc0,\n 0x0a, 0xcc, 0x1b, 0xd0, 0xec, 0xb8, 0xdc, 0xbe, 0x0c, 0xbe, 0x52,\n 0x79, 0x93, 0x7c, 0x0b, 0x92, 0x2b, 0x7f, 0x17, 0xa5, 0x80,\n };\n // kP256Scalar is SHA256(\"Primitive Z Computation KAT scalar\").\n static const uint8_t kP256Scalar[32] = {\n 0xe7, 0x60, 0x44, 0x91, 0x26, 0x9a, 0xfb, 0x5b, 0x10, 0x2d, 0x6e,\n 0xa5, 0x2c, 0xb5, 0x9f, 0xeb, 0x70, 0xae, 0xde, 0x6c, 0xe3, 0xbf,\n 0xb3, 0xe0, 0x10, 0x54, 0x85, 0xab, 0xd8, 0x61, 0xd7, 0x7b,\n };\n // kP256PointResult is |kP256Scalar|×|kP256Point|.\n static const uint8_t kP256PointResult[65] = {\n 0x04, 0xf1, 0x63, 0x00, 0x88, 0xc5, 0xd5, 0xe9, 0x05, 0x52, 0xac,\n 0xb6, 0xec, 0x68, 0x76, 0xb8, 0x73, 0x7f, 0x0f, 0x72, 0x34, 0xe6,\n 0xbb, 0x30, 0x32, 0x22, 0x37, 0xb6, 0x2a, 0x80, 0xe8, 0x9e, 0x6e,\n 0x6f, 0x36, 0x02, 0xe7, 0x21, 0xd2, 0x31, 0xdb, 0x94, 0x63, 0xb7,\n 0xd8, 0x19, 0x0e, 0xc2, 0xc0, 0xa7, 0x2f, 0x15, 0x49, 0x1a, 0xa2,\n 0x7c, 0x41, 0x8f, 0xaf, 0x9c, 0x40, 0xaf, 0x2e, 0x4a, 0x0c,\n };\n\n ec_group = EC_group_p256();\n ec_point_in = EC_POINT_new(ec_group);\n ec_point_out = EC_POINT_new(ec_group);\n ec_scalar = BN_new();\n uint8_t z_comp_result[65];\n if (ec_point_in == NULL || ec_point_out == NULL || ec_scalar == NULL ||\n !EC_POINT_oct2point(ec_group, ec_point_in, kP256Point, sizeof(kP256Point),\n NULL) ||\n !BN_bin2bn(kP256Scalar, sizeof(kP256Scalar), ec_scalar) ||\n !ec_point_mul_no_self_test(ec_group, ec_point_out, NULL, ec_point_in,\n ec_scalar, NULL) ||\n !EC_POINT_point2oct(ec_group, ec_point_out, POINT_CONVERSION_UNCOMPRESSED,\n z_comp_result, sizeof(z_comp_result), NULL) ||\n !check_test(kP256PointResult, z_comp_result, sizeof(z_comp_result),\n \"Z Computation Result\")) {\n fprintf(CRYPTO_get_stderr(), \"Z-computation KAT failed.\\n\");\n goto err;\n }\n\n ret = 1;\n\nerr:\n EC_KEY_free(ec_key);\n EC_POINT_free(ec_point_in);\n EC_POINT_free(ec_point_out);\n BN_free(ec_scalar);\n\n return ret;\n}\n\nstatic int boringssl_self_test_ffdh(void) {\n int ret = 0;\n DH *dh = NULL;\n BIGNUM *ffdhe2048_value = NULL;\n\n // FFC Diffie-Hellman KAT\n\n // kFFDHE2048PublicValueData is an arbitrary public value, mod\n // kFFDHE2048Data. (The private key happens to be 4096.)\n static const BN_ULONG kFFDHE2048PublicValueData[] = {\n TOBN(0x187be36b, 0xd38a4fa1), TOBN(0x0a152f39, 0x6458f3b8),\n TOBN(0x0570187e, 0xc422eeb7), TOBN(0x18af7482, 0x91173f2a),\n TOBN(0xe9fdac6a, 0xcff4eaaa), TOBN(0xf6afebb7, 0x6e589d6c),\n TOBN(0xf92f8e9a, 0xb7e33fb0), TOBN(0x70acf2aa, 0x4cf36ddd),\n TOBN(0x561ab426, 0xd07137fd), TOBN(0x5f57d037, 0x430ee91e),\n TOBN(0xe3e768c8, 0x60d10b8a), TOBN(0xb14884d8, 0xa18af8ce),\n TOBN(0xf8a98014, 0xa12b74e4), TOBN(0x748d407c, 0x3437b7a8),\n TOBN(0x627588c4, 0x9875d5a7), TOBN(0xdd24a127, 0x53c8f09d),\n TOBN(0x85a997d5, 0x0cd51aec), TOBN(0x44f0c619, 0xce348458),\n TOBN(0x9b894b24, 0x5f6b69a1), TOBN(0xae1302f2, 0xf6d4777e),\n TOBN(0xe6678eeb, 0x375db18e), TOBN(0x2674e1d6, 0x4fbcbdc8),\n TOBN(0xb297a823, 0x6fa93d28), TOBN(0x6a12fb70, 0x7c8c0510),\n TOBN(0x5c6d1aeb, 0xdb06f65b), TOBN(0xe8c2954e, 0x4c1804ca),\n TOBN(0x06bdeac1, 0xf5500fa7), TOBN(0x6a315604, 0x189cd76b),\n TOBN(0xbae7b0b3, 0x6e362dc0), TOBN(0xa57c73bd, 0xdc70fb82),\n TOBN(0xfaff50d2, 0x9d573457), TOBN(0x352bd399, 0xbe84058e),\n };\n static const uint8_t kDHOutput[2048 / 8] = {\n 0x2a, 0xe6, 0xd3, 0xa6, 0x13, 0x58, 0x8e, 0xce, 0x53, 0xaa, 0xf6, 0x5d,\n 0x9a, 0xae, 0x02, 0x12, 0xf5, 0x80, 0x3d, 0x06, 0x09, 0x76, 0xac, 0x57,\n 0x37, 0x9e, 0xab, 0x38, 0x62, 0x25, 0x05, 0x1d, 0xf3, 0xa9, 0x39, 0x60,\n 0xf6, 0xae, 0x90, 0xed, 0x1e, 0xad, 0x6e, 0xe9, 0xe3, 0xba, 0x27, 0xf6,\n 0xdb, 0x54, 0xdf, 0xe2, 0xbd, 0xbb, 0x7f, 0xf1, 0x81, 0xac, 0x1a, 0xfa,\n 0xdb, 0x87, 0x07, 0x98, 0x76, 0x90, 0x21, 0xf2, 0xae, 0xda, 0x0d, 0x84,\n 0x97, 0x64, 0x0b, 0xbf, 0xb8, 0x8d, 0x10, 0x46, 0xe2, 0xd5, 0xca, 0x1b,\n 0xbb, 0xe5, 0x37, 0xb2, 0x3b, 0x35, 0xd3, 0x1b, 0x65, 0xea, 0xae, 0xf2,\n 0x03, 0xe2, 0xb6, 0xde, 0x22, 0xb7, 0x86, 0x49, 0x79, 0xfe, 0xd7, 0x16,\n 0xf7, 0xdc, 0x9c, 0x59, 0xf5, 0xb7, 0x70, 0xc0, 0x53, 0x42, 0x6f, 0xb1,\n 0xd2, 0x4e, 0x00, 0x25, 0x4b, 0x2d, 0x5a, 0x9b, 0xd0, 0xe9, 0x27, 0x43,\n 0xcc, 0x00, 0x66, 0xea, 0x94, 0x7a, 0x0b, 0xb9, 0x89, 0x0c, 0x5e, 0x94,\n 0xb8, 0x3a, 0x78, 0x9c, 0x4d, 0x84, 0xe6, 0x32, 0x2c, 0x38, 0x7c, 0xf7,\n 0x43, 0x9c, 0xd8, 0xb8, 0x1c, 0xce, 0x24, 0x91, 0x20, 0x67, 0x7a, 0x54,\n 0x1f, 0x7e, 0x86, 0x7f, 0xa1, 0xc1, 0x03, 0x4e, 0x2c, 0x26, 0x71, 0xb2,\n 0x06, 0x30, 0xb3, 0x6c, 0x15, 0xcc, 0xac, 0x25, 0xe5, 0x37, 0x3f, 0x24,\n 0x8f, 0x2a, 0x89, 0x5e, 0x3d, 0x43, 0x94, 0xc9, 0x36, 0xae, 0x40, 0x00,\n 0x6a, 0x0d, 0xb0, 0x6e, 0x8b, 0x2e, 0x70, 0x57, 0xe1, 0x88, 0x53, 0xd6,\n 0x06, 0x80, 0x2a, 0x4e, 0x5a, 0xf0, 0x1e, 0xaa, 0xcb, 0xab, 0x06, 0x0e,\n 0x27, 0x0f, 0xd9, 0x88, 0xd9, 0x01, 0xe3, 0x07, 0xeb, 0xdf, 0xc3, 0x12,\n 0xe3, 0x40, 0x88, 0x7b, 0x5f, 0x59, 0x78, 0x6e, 0x26, 0x20, 0xc3, 0xdf,\n 0xc8, 0xe4, 0x5e, 0xb8,\n };\n\n ffdhe2048_value = BN_new();\n if (ffdhe2048_value) {\n bn_set_static_words(ffdhe2048_value, kFFDHE2048PublicValueData,\n OPENSSL_ARRAY_SIZE(kFFDHE2048PublicValueData));\n }\n\n dh = self_test_dh();\n uint8_t dh_out[sizeof(kDHOutput)];\n if (dh == NULL || ffdhe2048_value == NULL || sizeof(dh_out) != DH_size(dh) ||\n dh_compute_key_padded_no_self_test(dh_out, ffdhe2048_value, dh) !=\n sizeof(dh_out) ||\n !check_test(kDHOutput, dh_out, sizeof(dh_out), \"FFC DH\")) {\n fprintf(CRYPTO_get_stderr(), \"FFDH failed.\\n\");\n goto err;\n }\n\n ret = 1;\n\nerr:\n DH_free(dh);\n BN_free(ffdhe2048_value);\n\n return ret;\n}\n\n#if defined(BORINGSSL_FIPS)\n\nstatic void run_self_test_rsa(void) {\n FIPS_service_indicator_lock_state();\n if (!boringssl_self_test_rsa()) {\n BORINGSSL_FIPS_abort();\n }\n FIPS_service_indicator_unlock_state();\n}\n\nDEFINE_STATIC_ONCE(g_self_test_once_rsa)\n\nvoid boringssl_ensure_rsa_self_test(void) {\n CRYPTO_once(g_self_test_once_rsa_bss_get(), run_self_test_rsa);\n}\n\nstatic void run_self_test_ecc(void) {\n FIPS_service_indicator_lock_state();\n if (!boringssl_self_test_ecc()) {\n BORINGSSL_FIPS_abort();\n }\n FIPS_service_indicator_unlock_state();\n}\n\nDEFINE_STATIC_ONCE(g_self_test_once_ecc)\n\nvoid boringssl_ensure_ecc_self_test(void) {\n CRYPTO_once(g_self_test_once_ecc_bss_get(), run_self_test_ecc);\n}\n\nstatic void run_self_test_ffdh(void) {\n FIPS_service_indicator_lock_state();\n if (!boringssl_self_test_ffdh()) {\n BORINGSSL_FIPS_abort();\n }\n FIPS_service_indicator_unlock_state();\n}\n\nDEFINE_STATIC_ONCE(g_self_test_once_ffdh)\n\nvoid boringssl_ensure_ffdh_self_test(void) {\n CRYPTO_once(g_self_test_once_ffdh_bss_get(), run_self_test_ffdh);\n}\n\n#endif // BORINGSSL_FIPS\n\n\n// Startup self tests.\n//\n// These tests are run at process start when in FIPS mode.\n\nint boringssl_self_test_sha256(void) {\n static const uint8_t kInput[16] = {\n 0xff, 0x3b, 0x85, 0x7d, 0xa7, 0x23, 0x6a, 0x2b,\n 0xaa, 0x0f, 0x39, 0x6b, 0x51, 0x52, 0x22, 0x17,\n };\n static const uint8_t kPlaintextSHA256[32] = {\n 0x7f, 0xe4, 0xd5, 0xf1, 0xa1, 0xe3, 0x82, 0x87, 0xd9, 0x58, 0xf5,\n 0x11, 0xc7, 0x1d, 0x5e, 0x27, 0x5e, 0xcc, 0xd2, 0x66, 0xcf, 0xb9,\n 0xc8, 0xc6, 0x60, 0xd8, 0x92, 0x1e, 0x57, 0xfd, 0x46, 0x75,\n };\n uint8_t output[SHA256_DIGEST_LENGTH];\n\n // SHA-256 KAT\n SHA256(kInput, sizeof(kInput), output);\n return check_test(kPlaintextSHA256, output, sizeof(kPlaintextSHA256),\n \"SHA-256 KAT\");\n}\n\nint boringssl_self_test_sha512(void) {\n static const uint8_t kInput[16] = {\n 0x21, 0x25, 0x12, 0xf8, 0xd2, 0xad, 0x83, 0x22,\n 0x78, 0x1c, 0x6c, 0x4d, 0x69, 0xa9, 0xda, 0xa1,\n };\n static const uint8_t kPlaintextSHA512[64] = {\n 0x29, 0x3c, 0x94, 0x35, 0x4e, 0x98, 0x83, 0xe5, 0xc2, 0x78, 0x36,\n 0x7a, 0xe5, 0x18, 0x90, 0xbf, 0x35, 0x41, 0x01, 0x64, 0x19, 0x8d,\n 0x26, 0xeb, 0xe1, 0xf8, 0x2f, 0x04, 0x8e, 0xfa, 0x8b, 0x2b, 0xc6,\n 0xb2, 0x9d, 0x5d, 0x46, 0x76, 0x5a, 0xc8, 0xb5, 0x25, 0xa3, 0xea,\n 0x52, 0x84, 0x47, 0x6d, 0x6d, 0xf4, 0xc9, 0x71, 0xf3, 0x3d, 0x89,\n 0x4c, 0x3b, 0x20, 0x8c, 0x5b, 0x75, 0xe8, 0xf8, 0x7c,\n };\n uint8_t output[SHA512_DIGEST_LENGTH];\n\n // SHA-512 KAT\n SHA512(kInput, sizeof(kInput), output);\n return check_test(kPlaintextSHA512, output, sizeof(kPlaintextSHA512),\n \"SHA-512 KAT\");\n}\n\nint boringssl_self_test_hmac_sha256(void) {\n static const uint8_t kInput[16] = {\n 0xda, 0xd9, 0x12, 0x93, 0xdf, 0xcf, 0x2a, 0x7c,\n 0x8e, 0xcd, 0x13, 0xfe, 0x35, 0x3f, 0xa7, 0x5b,\n };\n static const uint8_t kPlaintextHMACSHA256[32] = {\n 0x36, 0x5f, 0x5b, 0xd5, 0xf5, 0xeb, 0xfd, 0xc7, 0x6e, 0x53, 0xa5,\n 0x73, 0x6d, 0x73, 0x20, 0x13, 0xaa, 0xd3, 0xbc, 0x86, 0x4b, 0xb8,\n 0x84, 0x94, 0x16, 0x46, 0x88, 0x9c, 0x48, 0xee, 0xa9, 0x0e,\n };\n uint8_t output[EVP_MAX_MD_SIZE];\n\n unsigned output_len;\n HMAC(EVP_sha256(), kInput, sizeof(kInput), kInput, sizeof(kInput), output,\n &output_len);\n return output_len == sizeof(kPlaintextHMACSHA256) &&\n check_test(kPlaintextHMACSHA256, output, sizeof(kPlaintextHMACSHA256),\n \"HMAC-SHA-256 KAT\");\n}\n\nstatic int boringssl_self_test_fast(void) {\n static const uint8_t kAESKey[16] = {\n 'B', 'o', 'r', 'i', 'n', 'g', 'C', 'r',\n 'y', 'p', 't', 'o', ' ', 'K', 'e', 'y',\n };\n static const uint8_t kAESIV[16] = {0};\n\n EVP_AEAD_CTX aead_ctx;\n EVP_AEAD_CTX_zero(&aead_ctx);\n int ret = 0;\n\n AES_KEY aes_key;\n uint8_t aes_iv[16];\n uint8_t output[256];\n\n // AES-CBC Encryption KAT\n static const uint8_t kAESCBCEncPlaintext[32] = {\n 0x07, 0x86, 0x09, 0xa6, 0xc5, 0xac, 0x25, 0x44, 0x69, 0x9a, 0xdf,\n 0x68, 0x2f, 0xa3, 0x77, 0xf9, 0xbe, 0x8a, 0xb6, 0xae, 0xf5, 0x63,\n 0xe8, 0xc5, 0x6a, 0x36, 0xb8, 0x4f, 0x55, 0x7f, 0xad, 0xd3,\n };\n static const uint8_t kAESCBCEncCiphertext[sizeof(kAESCBCEncPlaintext)] = {\n 0x56, 0x46, 0xc1, 0x41, 0xf4, 0x13, 0xd6, 0xff, 0x62, 0x92, 0x41,\n 0x7a, 0x26, 0xc6, 0x86, 0xbd, 0x30, 0x5f, 0xb6, 0x57, 0xa7, 0xd2,\n 0x50, 0x3a, 0xc5, 0x5e, 0x8e, 0x93, 0x40, 0xf2, 0x10, 0xd8,\n };\n memcpy(aes_iv, kAESIV, sizeof(kAESIV));\n if (AES_set_encrypt_key(kAESKey, 8 * sizeof(kAESKey), &aes_key) != 0) {\n fprintf(CRYPTO_get_stderr(), \"AES_set_encrypt_key failed.\\n\");\n goto err;\n }\n AES_cbc_encrypt(kAESCBCEncPlaintext, output, sizeof(kAESCBCEncPlaintext),\n &aes_key, aes_iv, AES_ENCRYPT);\n if (!check_test(kAESCBCEncCiphertext, output, sizeof(kAESCBCEncCiphertext),\n \"AES-CBC-encrypt KAT\")) {\n goto err;\n }\n\n // AES-CBC Decryption KAT\n static const uint8_t kAESCBCDecCiphertext[32] = {\n 0x34, 0x7a, 0xa5, 0xa0, 0x24, 0xb2, 0x82, 0x57, 0xb3, 0x65, 0x10,\n 0xbe, 0x58, 0x3d, 0x4f, 0x47, 0xad, 0xb7, 0xbb, 0xee, 0xdc, 0x60,\n 0x05, 0xbb, 0xbd, 0x0d, 0x0a, 0x9f, 0x06, 0xbb, 0x7b, 0x10,\n };\n static const uint8_t kAESCBCDecPlaintext[sizeof(kAESCBCDecCiphertext)] = {\n 0x51, 0xa7, 0xa0, 0x1f, 0x6b, 0x79, 0x6c, 0xcd, 0x48, 0x03, 0xa1,\n 0x41, 0xdc, 0x56, 0xa6, 0xc2, 0x16, 0xb5, 0xd1, 0xd3, 0xb7, 0x06,\n 0xb2, 0x25, 0x6f, 0xa6, 0xd0, 0xd2, 0x0e, 0x6f, 0x19, 0xb5,\n };\n memcpy(aes_iv, kAESIV, sizeof(kAESIV));\n if (AES_set_decrypt_key(kAESKey, 8 * sizeof(kAESKey), &aes_key) != 0) {\n fprintf(CRYPTO_get_stderr(), \"AES_set_decrypt_key failed.\\n\");\n goto err;\n }\n AES_cbc_encrypt(kAESCBCDecCiphertext, output, sizeof(kAESCBCDecCiphertext),\n &aes_key, aes_iv, AES_DECRYPT);\n if (!check_test(kAESCBCDecPlaintext, output, sizeof(kAESCBCDecPlaintext),\n \"AES-CBC-decrypt KAT\")) {\n goto err;\n }\n\n size_t out_len;\n uint8_t nonce[EVP_AEAD_MAX_NONCE_LENGTH];\n OPENSSL_memset(nonce, 0, sizeof(nonce));\n if (!EVP_AEAD_CTX_init(&aead_ctx, EVP_aead_aes_128_gcm(), kAESKey,\n sizeof(kAESKey), 0, NULL)) {\n fprintf(CRYPTO_get_stderr(), \"EVP_AEAD_CTX_init for AES-128-GCM failed.\\n\");\n goto err;\n }\n\n // AES-GCM Encryption KAT\n static const uint8_t kAESGCMEncPlaintext[32] = {\n 0x8f, 0xcc, 0x40, 0x99, 0x80, 0x8e, 0x75, 0xca, 0xaf, 0xf5, 0x82,\n 0x89, 0x88, 0x48, 0xa8, 0x8d, 0x80, 0x8b, 0x55, 0xab, 0x4e, 0x93,\n 0x70, 0x79, 0x7d, 0x94, 0x0b, 0xe8, 0xcc, 0x1d, 0x78, 0x84,\n };\n static const uint8_t kAESGCMCiphertext[sizeof(kAESGCMEncPlaintext) + 16] = {\n 0x87, 0x7b, 0xd5, 0x8d, 0x96, 0x3e, 0x4b, 0xe6, 0x64, 0x94, 0x40, 0x2f,\n 0x61, 0x9b, 0x7e, 0x56, 0x52, 0x7d, 0xa4, 0x5a, 0xf9, 0xa6, 0xe2, 0xdb,\n 0x1c, 0x63, 0x2e, 0x97, 0x93, 0x0f, 0xfb, 0xed, 0xb5, 0x9e, 0x1c, 0x20,\n 0xb2, 0xb0, 0x58, 0xda, 0x48, 0x07, 0x2d, 0xbd, 0x96, 0x0d, 0x34, 0xc6,\n };\n if (!EVP_AEAD_CTX_seal(&aead_ctx, output, &out_len, sizeof(output), nonce,\n EVP_AEAD_nonce_length(EVP_aead_aes_128_gcm()),\n kAESGCMEncPlaintext, sizeof(kAESGCMEncPlaintext), NULL,\n 0) ||\n !check_test(kAESGCMCiphertext, output, sizeof(kAESGCMCiphertext),\n \"AES-GCM-encrypt KAT\")) {\n fprintf(CRYPTO_get_stderr(), \"EVP_AEAD_CTX_seal for AES-128-GCM failed.\\n\");\n goto err;\n }\n\n // AES-GCM Decryption KAT\n static const uint8_t kAESGCMDecCiphertext[48] = {\n 0x35, 0xf3, 0x05, 0x8f, 0x87, 0x57, 0x60, 0xff, 0x09, 0xd3, 0x12, 0x0f,\n 0x70, 0xc4, 0xbc, 0x9e, 0xd7, 0xa8, 0x68, 0x72, 0xe1, 0x34, 0x52, 0x20,\n 0x21, 0x76, 0xf7, 0x37, 0x1a, 0xe0, 0x4f, 0xaa, 0xe1, 0xdd, 0x39, 0x19,\n 0x20, 0xf5, 0xd1, 0x39, 0x53, 0xd8, 0x96, 0x78, 0x59, 0x94, 0x82, 0x3c,\n };\n static const uint8_t kAESGCMDecPlaintext[sizeof(kAESGCMDecCiphertext) - 16] =\n {\n 0x3d, 0x44, 0x90, 0x9b, 0x91, 0xe7, 0x5e, 0xd3, 0xc2, 0xb2, 0xd0,\n 0xa9, 0x99, 0x17, 0x6a, 0x45, 0x05, 0x5e, 0x99, 0x83, 0x56, 0x01,\n 0xc0, 0x82, 0x40, 0x81, 0xd2, 0x48, 0x45, 0xf2, 0xcc, 0xc3,\n };\n if (!EVP_AEAD_CTX_open(&aead_ctx, output, &out_len, sizeof(output), nonce,\n EVP_AEAD_nonce_length(EVP_aead_aes_128_gcm()),\n kAESGCMDecCiphertext, sizeof(kAESGCMDecCiphertext),\n NULL, 0) ||\n !check_test(kAESGCMDecPlaintext, output, sizeof(kAESGCMDecPlaintext),\n \"AES-GCM-decrypt KAT\")) {\n fprintf(CRYPTO_get_stderr(),\n \"AES-GCM-decrypt KAT failed because EVP_AEAD_CTX_open failed.\\n\");\n goto err;\n }\n\n // SHA-1 KAT\n static const uint8_t kSHA1Input[16] = {\n 0x13, 0x2f, 0xd9, 0xba, 0xd5, 0xc1, 0x82, 0x62,\n 0x63, 0xba, 0xfb, 0xb6, 0x99, 0xf7, 0x07, 0xa5,\n };\n static const uint8_t kSHA1Digest[20] = {\n 0x94, 0x19, 0x55, 0x93, 0x0a, 0x58, 0x29, 0x38, 0xeb, 0xf5,\n 0x09, 0x11, 0x6d, 0x1a, 0xfd, 0x0f, 0x1e, 0x11, 0xe3, 0xcb,\n };\n SHA1(kSHA1Input, sizeof(kSHA1Input), output);\n if (!check_test(kSHA1Digest, output, sizeof(kSHA1Digest), \"SHA-1 KAT\")) {\n goto err;\n }\n\n if (!boringssl_self_test_sha256() || !boringssl_self_test_sha512() ||\n !boringssl_self_test_hmac_sha256()) {\n goto err;\n }\n\n // DBRG KAT\n static const uint8_t kDRBGEntropy[48] = {\n 0xc4, 0xda, 0x07, 0x40, 0xd5, 0x05, 0xf1, 0xee, 0x28, 0x0b, 0x95, 0xe5,\n 0x8c, 0x49, 0x31, 0xac, 0x6d, 0xe8, 0x46, 0xa0, 0x15, 0x2f, 0xbb, 0x4a,\n 0x3f, 0x17, 0x4c, 0xf4, 0x78, 0x7a, 0x4f, 0x1a, 0x40, 0xc2, 0xb5, 0x0b,\n 0xab, 0xe1, 0x4a, 0xae, 0x53, 0x0b, 0xe5, 0x88, 0x6d, 0x91, 0x0a, 0x27,\n };\n static const uint8_t kDRBGPersonalization[18] = {\n 'B', 'C', 'M', 'P', 'e', 'r', 's', 'o', 'n',\n 'a', 'l', 'i', 'z', 'a', 't', 'i', 'o', 'n'};\n static const uint8_t kDRBGAD[16] = {'B', 'C', 'M', ' ', 'D', 'R', 'B', 'G',\n ' ', 'K', 'A', 'T', ' ', 'A', 'D', ' '};\n static const uint8_t kDRBGOutput[64] = {\n 0x19, 0x1f, 0x2b, 0x49, 0x76, 0x85, 0xfd, 0x51, 0xb6, 0x56, 0xbc,\n 0x1c, 0x7d, 0xd5, 0xdd, 0x44, 0x76, 0xa3, 0x5e, 0x17, 0x9b, 0x8e,\n 0xb8, 0x98, 0x65, 0x12, 0xca, 0x35, 0x6c, 0xa0, 0x6f, 0xa0, 0x22,\n 0xe4, 0xf6, 0xd8, 0x43, 0xed, 0x4e, 0x2d, 0x97, 0x39, 0x43, 0x3b,\n 0x57, 0xfc, 0x23, 0x3f, 0x71, 0x0a, 0xe0, 0xed, 0xfe, 0xd5, 0xb8,\n 0x67, 0x7a, 0x00, 0x39, 0xb2, 0x6e, 0xa9, 0x25, 0x97,\n };\n static const uint8_t kDRBGEntropy2[48] = {\n 0xc7, 0x16, 0x1c, 0xa3, 0x6c, 0x23, 0x09, 0xb7, 0x16, 0xe9, 0x85, 0x9b,\n 0xb9, 0x6c, 0x6d, 0x49, 0xbd, 0xc8, 0x35, 0x21, 0x03, 0xa1, 0x8c, 0xd2,\n 0x4e, 0xf4, 0x2e, 0xc9, 0x7e, 0xf4, 0x6b, 0xf4, 0x46, 0xeb, 0x1a, 0x45,\n 0x76, 0xc1, 0x86, 0xe9, 0x35, 0x18, 0x03, 0x76, 0x3a, 0x79, 0x12, 0xfe,\n };\n static const uint8_t kDRBGReseedOutput[64] = {\n 0x00, 0xf2, 0x05, 0xaa, 0xfd, 0x11, 0x6c, 0x77, 0xbc, 0x81, 0x86,\n 0x99, 0xca, 0x51, 0xcf, 0x80, 0x15, 0x9f, 0x02, 0x9e, 0x0b, 0xcd,\n 0x26, 0xc8, 0x4b, 0x87, 0x8a, 0x15, 0x1a, 0xdd, 0xf2, 0xf3, 0xeb,\n 0x94, 0x0b, 0x08, 0xc8, 0xc9, 0x57, 0xa4, 0x0b, 0x4b, 0x0f, 0x13,\n 0xde, 0x7c, 0x0c, 0x6a, 0xac, 0x34, 0x4a, 0x9a, 0xf2, 0xd0, 0x83,\n 0x02, 0x05, 0x17, 0xc9, 0x81, 0x8f, 0x2a, 0x81, 0x92,\n };\n CTR_DRBG_STATE drbg;\n if (!CTR_DRBG_init(&drbg, kDRBGEntropy, kDRBGPersonalization,\n sizeof(kDRBGPersonalization)) ||\n !CTR_DRBG_generate(&drbg, output, sizeof(kDRBGOutput), kDRBGAD,\n sizeof(kDRBGAD)) ||\n !check_test(kDRBGOutput, output, sizeof(kDRBGOutput),\n \"DRBG Generate KAT\") ||\n !CTR_DRBG_reseed(&drbg, kDRBGEntropy2, kDRBGAD, sizeof(kDRBGAD)) ||\n !CTR_DRBG_generate(&drbg, output, sizeof(kDRBGReseedOutput), kDRBGAD,\n sizeof(kDRBGAD)) ||\n !check_test(kDRBGReseedOutput, output, sizeof(kDRBGReseedOutput),\n \"DRBG-reseed KAT\")) {\n fprintf(CRYPTO_get_stderr(), \"CTR-DRBG failed.\\n\");\n goto err;\n }\n CTR_DRBG_clear(&drbg);\n\n CTR_DRBG_STATE kZeroDRBG;\n memset(&kZeroDRBG, 0, sizeof(kZeroDRBG));\n if (!check_test(&kZeroDRBG, &drbg, sizeof(drbg), \"DRBG Clear KAT\")) {\n goto err;\n }\n\n // TLS KDF KAT\n static const char kTLSLabel[] = \"FIPS self test\";\n static const uint8_t kTLSSeed1[16] = {\n 0x8f, 0x0d, 0xe8, 0xb6, 0x90, 0x8f, 0xb1, 0xd2,\n 0x6d, 0x51, 0xf4, 0x79, 0x18, 0x63, 0x51, 0x65,\n };\n static const uint8_t kTLSSeed2[16] = {\n 0x7d, 0x24, 0x1a, 0x9d, 0x3c, 0x59, 0xbf, 0x3c,\n 0x31, 0x1e, 0x2b, 0x21, 0x41, 0x8d, 0x32, 0x81,\n };\n\n static const uint8_t kTLS10Secret[32] = {\n 0xab, 0xc3, 0x65, 0x7b, 0x09, 0x4c, 0x76, 0x28, 0xa0, 0xb2, 0x82,\n 0x99, 0x6f, 0xe7, 0x5a, 0x75, 0xf4, 0x98, 0x4f, 0xd9, 0x4d, 0x4e,\n 0xcc, 0x2f, 0xcf, 0x53, 0xa2, 0xc4, 0x69, 0xa3, 0xf7, 0x31,\n };\n static const uint8_t kTLS10Output[32] = {\n 0x69, 0x7c, 0x4e, 0x2c, 0xee, 0x82, 0xb1, 0xd2, 0x8b, 0xac, 0x90,\n 0x7a, 0xa1, 0x8a, 0x81, 0xfe, 0xc5, 0x58, 0x45, 0x57, 0x61, 0x2f,\n 0x7a, 0x8d, 0x80, 0xfb, 0x44, 0xd8, 0x81, 0x60, 0xe5, 0xf8,\n };\n uint8_t tls10_output[sizeof(kTLS10Output)];\n if (!CRYPTO_tls1_prf(EVP_md5_sha1(), tls10_output, sizeof(tls10_output),\n kTLS10Secret, sizeof(kTLS10Secret), kTLSLabel,\n sizeof(kTLSLabel), kTLSSeed1, sizeof(kTLSSeed1),\n kTLSSeed2, sizeof(kTLSSeed2)) ||\n !check_test(kTLS10Output, tls10_output, sizeof(kTLS10Output),\n \"TLS10-KDF KAT\")) {\n fprintf(CRYPTO_get_stderr(), \"TLS KDF failed.\\n\");\n goto err;\n }\n\n static const uint8_t kTLS12Secret[32] = {\n 0xc5, 0x43, 0x8e, 0xe2, 0x6f, 0xd4, 0xac, 0xbd, 0x25, 0x9f, 0xc9,\n 0x18, 0x55, 0xdc, 0x69, 0xbf, 0x88, 0x4e, 0xe2, 0x93, 0x22, 0xfc,\n 0xbf, 0xd2, 0x96, 0x6a, 0x46, 0x23, 0xd4, 0x2e, 0xc7, 0x81,\n };\n static const uint8_t kTLS12Output[32] = {\n 0xee, 0x4a, 0xcd, 0x3f, 0xa3, 0xd3, 0x55, 0x89, 0x9e, 0x6f, 0xf1,\n 0x38, 0x46, 0x9d, 0x2b, 0x33, 0xaa, 0x7f, 0xc4, 0x7f, 0x51, 0x85,\n 0x8a, 0xf3, 0x13, 0x84, 0xbf, 0x53, 0x6a, 0x65, 0x37, 0x51,\n };\n uint8_t tls12_output[sizeof(kTLS12Output)];\n if (!CRYPTO_tls1_prf(EVP_sha256(), tls12_output, sizeof(tls12_output),\n kTLS12Secret, sizeof(kTLS12Secret), kTLSLabel,\n sizeof(kTLSLabel), kTLSSeed1, sizeof(kTLSSeed1),\n kTLSSeed2, sizeof(kTLSSeed2)) ||\n !check_test(kTLS12Output, tls12_output, sizeof(kTLS12Output),\n \"TLS12-KDF KAT\")) {\n fprintf(CRYPTO_get_stderr(), \"TLS KDF failed.\\n\");\n goto err;\n }\n\n // TLS v1.3: derives a dummy client-early-traffic secret.\n static const uint8_t kTLS13Secret[32] = {\n 0x02, 0x4a, 0x0d, 0x80, 0xf3, 0x57, 0xf2, 0x49, 0x9a, 0x12, 0x44,\n 0xda, 0xc2, 0x6d, 0xab, 0x66, 0xfc, 0x13, 0xed, 0x85, 0xfc, 0xa7,\n 0x1d, 0xac, 0xe1, 0x46, 0x21, 0x11, 0x19, 0x52, 0x58, 0x74,\n };\n static const uint8_t kTLS13Salt[16] = {\n 0x54, 0x61, 0x11, 0x36, 0x75, 0x91, 0xf0, 0xf8,\n 0x92, 0xec, 0x70, 0xbd, 0x78, 0x2a, 0xef, 0x61,\n };\n static const uint8_t kTLS13Label[] = \"c e traffic\";\n static const uint8_t kTLS13ClientHelloHash[32] = {\n 0x1d, 0xe8, 0x67, 0xed, 0x93, 0x6a, 0x73, 0x65, 0x9b, 0x05, 0xcf,\n 0x8a, 0x22, 0x77, 0xb7, 0x37, 0x29, 0xf2, 0x44, 0x94, 0x81, 0x6a,\n 0x83, 0x33, 0x7f, 0x09, 0xbb, 0x6c, 0xc2, 0x6f, 0x48, 0x9c,\n };\n static const uint8_t kTLS13ExpandLabelOutput[32] = {\n 0x62, 0x91, 0x52, 0x90, 0x2e, 0xc9, 0xcf, 0x9c, 0x5f, 0x1e, 0x0a,\n 0xb7, 0x00, 0x33, 0x42, 0x24, 0xc4, 0xe3, 0xba, 0x01, 0x40, 0x32,\n 0x06, 0xab, 0x09, 0x23, 0x8a, 0xdd, 0x01, 0xa4, 0x05, 0xcd,\n };\n uint8_t tls13_extract_output[32];\n size_t tls13_extract_output_len;\n uint8_t tls13_expand_label_output[32];\n if (!HKDF_extract(tls13_extract_output, &tls13_extract_output_len,\n EVP_sha256(), kTLS13Secret, sizeof(kTLS13Secret),\n kTLS13Salt, sizeof(kTLS13Salt)) ||\n tls13_extract_output_len != sizeof(tls13_extract_output) ||\n !CRYPTO_tls13_hkdf_expand_label(\n tls13_expand_label_output, sizeof(tls13_expand_label_output),\n EVP_sha256(), tls13_extract_output, sizeof(tls13_extract_output),\n kTLS13Label, sizeof(kTLS13Label) - 1, kTLS13ClientHelloHash,\n sizeof(kTLS13ClientHelloHash)) ||\n !check_test(kTLS13ExpandLabelOutput, tls13_expand_label_output,\n sizeof(kTLS13ExpandLabelOutput),\n \"CRYPTO_tls13_hkdf_expand_label\")) {\n fprintf(CRYPTO_get_stderr(), \"TLS13-KDF failed.\\n\");\n goto err;\n }\n\n // HKDF\n static const uint8_t kHKDFSecret[32] = {\n 0x68, 0x67, 0x85, 0x04, 0xb9, 0xb3, 0xad, 0xd1, 0x7d, 0x59, 0x67,\n 0xa1, 0xa7, 0xbd, 0x37, 0x99, 0x3f, 0xd8, 0xa3, 0x3c, 0xe7, 0x30,\n 0x30, 0x71, 0xf3, 0x9c, 0x09, 0x6d, 0x16, 0x35, 0xb3, 0xc9,\n };\n static const uint8_t kHKDFSalt[32] = {\n 0x8a, 0xab, 0x18, 0xb4, 0x9b, 0x0a, 0x17, 0xf9, 0xe8, 0xe6, 0x97,\n 0x1a, 0x3d, 0xff, 0xda, 0x9b, 0x26, 0x8b, 0x3d, 0x17, 0x78, 0x0a,\n 0xb3, 0xea, 0x65, 0xdb, 0x2a, 0xc0, 0x29, 0x9c, 0xfa, 0x72,\n };\n static const uint8_t kHKDFInfo[32] = {\n 0xe5, 0x6f, 0xf9, 0xe1, 0x18, 0x5e, 0x64, 0x8c, 0x6c, 0x8f, 0xee,\n 0xc6, 0x93, 0x5a, 0xc5, 0x14, 0x8c, 0xf3, 0xd9, 0x78, 0xd2, 0x3a,\n 0x86, 0xdd, 0x01, 0xdf, 0xb9, 0xe9, 0x5e, 0xe5, 0x1a, 0x56,\n };\n static const uint8_t kHKDFOutput[32] = {\n 0xa6, 0x29, 0xb4, 0xd7, 0xf4, 0xc1, 0x16, 0x64, 0x71, 0x5e, 0xa4,\n 0xa8, 0xe6, 0x60, 0x8c, 0xf3, 0xc1, 0xa5, 0x03, 0xe2, 0x22, 0xf9,\n 0x89, 0xe2, 0x12, 0x18, 0xbe, 0xef, 0x16, 0x86, 0xe0, 0xec,\n };\n uint8_t hkdf_output[sizeof(kHKDFOutput)];\n if (!HKDF(hkdf_output, sizeof(hkdf_output), EVP_sha256(), kHKDFSecret,\n sizeof(kHKDFSecret), kHKDFSalt, sizeof(kHKDFSalt), kHKDFInfo,\n sizeof(kHKDFInfo)) ||\n !check_test(kHKDFOutput, hkdf_output, sizeof(kHKDFOutput), \"HKDF\")) {\n fprintf(CRYPTO_get_stderr(), \"HKDF failed.\\n\");\n goto err;\n }\n\n ret = 1;\n\nerr:\n EVP_AEAD_CTX_cleanup(&aead_ctx);\n\n return ret;\n}\n\nint BORINGSSL_self_test(void) {\n if (!boringssl_self_test_fast() ||\n // When requested to run self tests, also run the lazy tests.\n !boringssl_self_test_rsa() || //\n !boringssl_self_test_ecc() || //\n !boringssl_self_test_ffdh()) {\n return 0;\n }\n\n return 1;\n}\n\n#if defined(BORINGSSL_FIPS)\nint boringssl_self_test_startup(void) { return boringssl_self_test_fast(); }\n#endif\n\n#endif // !_MSC_VER\n" }, { "path": "Sources/CNIOBoringSSL/crypto/fipsmodule/service_indicator/internal.h", "content": "/* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n#ifndef OPENSSL_HEADER_SERVICE_INDICATOR_INTERNAL_H\n#define OPENSSL_HEADER_SERVICE_INDICATOR_INTERNAL_H\n\n#include \n#include \n\n#if defined(BORINGSSL_FIPS)\n\n// FIPS_service_indicator_update_state records that an approved service has been\n// invoked.\nvoid FIPS_service_indicator_update_state(void);\n\n// FIPS_service_indicator_lock_state and |FIPS_service_indicator_unlock_state|\n// stop |FIPS_service_indicator_update_state| from actually updating the service\n// indicator. This is used when a primitive calls a potentially approved\n// primitive to avoid false positives. For example, just because a key\n// generation calls |BCM_rand_bytes| (and thus the approved DRBG) doesn't mean\n// that the key generation operation itself is approved.\n//\n// This lock nests: i.e. locking twice is fine so long as each lock is paired\n// with an unlock. If the (64-bit) counter overflows, the process aborts.\nvoid FIPS_service_indicator_lock_state(void);\nvoid FIPS_service_indicator_unlock_state(void);\n\n// The following functions may call |FIPS_service_indicator_update_state| if\n// their parameter specifies an approved operation.\n\nvoid AEAD_GCM_verify_service_indicator(const EVP_AEAD_CTX *ctx);\nvoid AEAD_CCM_verify_service_indicator(const EVP_AEAD_CTX *ctx);\nvoid EC_KEY_keygen_verify_service_indicator(const EC_KEY *eckey);\nvoid ECDH_verify_service_indicator(const EC_KEY *ec_key);\nvoid EVP_Cipher_verify_service_indicator(const EVP_CIPHER_CTX *ctx);\nvoid EVP_DigestSign_verify_service_indicator(const EVP_MD_CTX *ctx);\nvoid EVP_DigestVerify_verify_service_indicator(const EVP_MD_CTX *ctx);\nvoid HMAC_verify_service_indicator(const EVP_MD *evp_md);\nvoid TLSKDF_verify_service_indicator(const EVP_MD *dgst);\n\n#else\n\n// Service indicator functions are no-ops in non-FIPS builds.\n\ninline void FIPS_service_indicator_update_state(void) {}\ninline void FIPS_service_indicator_lock_state(void) {}\ninline void FIPS_service_indicator_unlock_state(void) {}\n\ninline void AEAD_GCM_verify_service_indicator(\n [[maybe_unused]] const EVP_AEAD_CTX *ctx) {}\n\ninline void AEAD_CCM_verify_service_indicator(\n [[maybe_unused]] const EVP_AEAD_CTX *ctx) {}\n\ninline void EC_KEY_keygen_verify_service_indicator(\n [[maybe_unused]] const EC_KEY *eckey) {}\n\ninline void ECDH_verify_service_indicator(\n [[maybe_unused]] const EC_KEY *ec_key) {}\n\ninline void EVP_Cipher_verify_service_indicator(\n [[maybe_unused]] const EVP_CIPHER_CTX *ctx) {}\n\ninline void EVP_DigestSign_verify_service_indicator(\n [[maybe_unused]] const EVP_MD_CTX *ctx) {}\n\ninline void EVP_DigestVerify_verify_service_indicator(\n [[maybe_unused]] const EVP_MD_CTX *ctx) {}\n\ninline void HMAC_verify_service_indicator(\n [[maybe_unused]] const EVP_MD *evp_md) {}\n\ninline void TLSKDF_verify_service_indicator(\n [[maybe_unused]] const EVP_MD *dgst) {}\n\n#endif // BORINGSSL_FIPS\n\n#endif // OPENSSL_HEADER_SERVICE_INDICATOR_INTERNAL_H\n" }, { "path": "Sources/CNIOBoringSSL/crypto/fipsmodule/service_indicator/service_indicator.cc.inc", "content": "/* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n#include \n#include \n#include \n#include \n#include \n#include \n\n#include \"../../evp/internal.h\"\n#include \"../../internal.h\"\n#include \"internal.h\"\n\n#if defined(BORINGSSL_FIPS)\n\n#define STATE_UNLOCKED 0\n\n// fips_service_indicator_state is a thread-local structure that stores the\n// state of the FIPS service indicator.\nstruct fips_service_indicator_state {\n // lock_state records the number of times the indicator has been locked.\n // When it is zero (i.e. |STATE_UNLOCKED|) then the indicator can be updated.\n uint64_t lock_state;\n // counter is the indicator state. It is incremented when an approved service\n // completes.\n uint64_t counter;\n};\n\n// service_indicator_get returns a pointer to the |fips_service_indicator_state|\n// for the current thread. It returns NULL on error.\n//\n// FIPS 140-3 requires that the module should provide the service indicator\n// for approved services irrespective of whether the user queries it or not.\n// Hence, it is lazily initialized in any call to an approved service.\nstatic struct fips_service_indicator_state *service_indicator_get(void) {\n struct fips_service_indicator_state *indicator =\n reinterpret_cast(CRYPTO_get_thread_local(\n OPENSSL_THREAD_LOCAL_FIPS_SERVICE_INDICATOR_STATE));\n\n if (indicator == NULL) {\n indicator = reinterpret_cast(\n OPENSSL_malloc(sizeof(struct fips_service_indicator_state)));\n if (indicator == NULL) {\n return NULL;\n }\n\n indicator->lock_state = STATE_UNLOCKED;\n indicator->counter = 0;\n\n if (!CRYPTO_set_thread_local(\n OPENSSL_THREAD_LOCAL_FIPS_SERVICE_INDICATOR_STATE, indicator,\n OPENSSL_free)) {\n OPENSSL_PUT_ERROR(CRYPTO, ERR_R_INTERNAL_ERROR);\n return NULL;\n }\n }\n\n return indicator;\n}\n\nstatic uint64_t service_indicator_get_counter(void) {\n struct fips_service_indicator_state *indicator = service_indicator_get();\n if (indicator == NULL) {\n return 0;\n }\n return indicator->counter;\n}\n\nuint64_t FIPS_service_indicator_before_call(void) {\n return service_indicator_get_counter();\n}\n\nuint64_t FIPS_service_indicator_after_call(void) {\n return service_indicator_get_counter();\n}\n\nvoid FIPS_service_indicator_update_state(void) {\n struct fips_service_indicator_state *indicator = service_indicator_get();\n if (indicator && indicator->lock_state == STATE_UNLOCKED) {\n indicator->counter++;\n }\n}\n\nvoid FIPS_service_indicator_lock_state(void) {\n struct fips_service_indicator_state *indicator = service_indicator_get();\n if (indicator == NULL) {\n return;\n }\n\n // |FIPS_service_indicator_lock_state| and\n // |FIPS_service_indicator_unlock_state| should not under/overflow in normal\n // operation. They are still checked and errors added to facilitate testing in\n // service_indicator_test.cc. This should only happen if lock/unlock are\n // called in an incorrect order or multiple times in the same function.\n const uint64_t new_state = indicator->lock_state + 1;\n if (new_state < indicator->lock_state) {\n // Overflow. This would imply that our call stack length has exceeded a\n // |uint64_t| which impossible on a 64-bit system.\n abort();\n }\n\n indicator->lock_state = new_state;\n}\n\nvoid FIPS_service_indicator_unlock_state(void) {\n struct fips_service_indicator_state *indicator = service_indicator_get();\n if (indicator == NULL) {\n return;\n }\n\n if (indicator->lock_state == 0) {\n abort();\n }\n\n indicator->lock_state--;\n}\n\nvoid AEAD_GCM_verify_service_indicator(const EVP_AEAD_CTX *ctx) {\n const size_t key_len = EVP_AEAD_key_length(ctx->aead);\n if (key_len == 16 || key_len == 32) {\n FIPS_service_indicator_update_state();\n }\n}\n\nvoid AEAD_CCM_verify_service_indicator(const EVP_AEAD_CTX *ctx) {\n if (EVP_AEAD_key_length(ctx->aead) == 16 && ctx->tag_len == 4) {\n FIPS_service_indicator_update_state();\n }\n}\n\n// is_ec_fips_approved returns one if the curve corresponding to the given NID\n// is FIPS approved, and zero otherwise.\nstatic int is_ec_fips_approved(int curve_nid) {\n switch (curve_nid) {\n case NID_secp224r1:\n case NID_X9_62_prime256v1:\n case NID_secp384r1:\n case NID_secp521r1:\n return 1;\n default:\n return 0;\n }\n}\n\n// is_md_fips_approved_for_signing returns one if the given message digest type\n// is FIPS approved for signing, and zero otherwise.\nstatic int is_md_fips_approved_for_signing(int md_type) {\n switch (md_type) {\n case NID_sha224:\n case NID_sha256:\n case NID_sha384:\n case NID_sha512:\n case NID_sha512_256:\n return 1;\n default:\n return 0;\n }\n}\n\n// is_md_fips_approved_for_verifying returns one if the given message digest\n// type is FIPS approved for verifying, and zero otherwise.\nstatic int is_md_fips_approved_for_verifying(int md_type) {\n switch (md_type) {\n case NID_sha224:\n case NID_sha256:\n case NID_sha384:\n case NID_sha512:\n case NID_sha512_256:\n return 1;\n default:\n return 0;\n }\n}\n\nstatic void evp_md_ctx_verify_service_indicator(const EVP_MD_CTX *ctx,\n int (*md_ok)(int md_type)) {\n if (EVP_MD_CTX_get0_md(ctx) == NULL) {\n // Signature schemes without a prehash are currently never FIPS approved.\n return;\n }\n\n EVP_PKEY_CTX *const pctx = ctx->pctx;\n const EVP_PKEY *const pkey = EVP_PKEY_CTX_get0_pkey(pctx);\n const int pkey_type = EVP_PKEY_id(pkey);\n const int md_type = EVP_MD_CTX_type(ctx);\n\n // EVP_PKEY_RSA_PSS SPKIs aren't supported.\n if (pkey_type == EVP_PKEY_RSA) {\n // Message digest used in the private key should be of the same type\n // as the given one, so we extract the MD type from the |EVP_PKEY|\n // and compare it with the type in |ctx|.\n const EVP_MD *pctx_md;\n if (!EVP_PKEY_CTX_get_signature_md(pctx, &pctx_md)) {\n goto err;\n }\n if (EVP_MD_type(pctx_md) != md_type) {\n goto err;\n }\n\n int padding;\n if (!EVP_PKEY_CTX_get_rsa_padding(pctx, &padding)) {\n goto err;\n }\n if (padding == RSA_PKCS1_PSS_PADDING) {\n int salt_len;\n const EVP_MD *mgf1_md;\n if (!EVP_PKEY_CTX_get_rsa_pss_saltlen(pctx, &salt_len) ||\n !EVP_PKEY_CTX_get_rsa_mgf1_md(pctx, &mgf1_md) ||\n (salt_len != -1 && salt_len != (int)EVP_MD_size(pctx_md)) ||\n EVP_MD_type(mgf1_md) != md_type) {\n // Only PSS where saltLen == hashLen is tested with ACVP. Cases with\n // non-standard padding functions are also excluded.\n goto err;\n }\n }\n\n // The approved RSA key sizes for signing are 2048, 3072 and 4096 bits.\n // Note: |EVP_PKEY_size| returns the size in bytes.\n size_t pkey_size = EVP_PKEY_size(ctx->pctx->pkey);\n\n // Check if the MD type and the RSA key size are approved.\n if (md_ok(md_type) &&\n (pkey_size == 256 || pkey_size == 384 || pkey_size == 512)) {\n FIPS_service_indicator_update_state();\n }\n } else if (pkey_type == EVP_PKEY_EC) {\n // Check if the MD type and the elliptic curve are approved.\n if (md_ok(md_type) &&\n is_ec_fips_approved(EC_GROUP_get_curve_name(\n EC_KEY_get0_group(EVP_PKEY_get0_EC_KEY(ctx->pctx->pkey))))) {\n FIPS_service_indicator_update_state();\n }\n }\n\nerr:\n // Ensure that junk errors aren't left on the queue.\n ERR_clear_error();\n}\n\nvoid EC_KEY_keygen_verify_service_indicator(const EC_KEY *eckey) {\n if (is_ec_fips_approved(EC_GROUP_get_curve_name(EC_KEY_get0_group(eckey)))) {\n FIPS_service_indicator_update_state();\n }\n}\n\nvoid ECDH_verify_service_indicator(const EC_KEY *ec_key) {\n if (is_ec_fips_approved(EC_GROUP_get_curve_name(EC_KEY_get0_group(ec_key)))) {\n FIPS_service_indicator_update_state();\n }\n}\n\nvoid EVP_Cipher_verify_service_indicator(const EVP_CIPHER_CTX *ctx) {\n switch (EVP_CIPHER_CTX_nid(ctx)) {\n case NID_aes_128_ecb:\n case NID_aes_192_ecb:\n case NID_aes_256_ecb:\n\n case NID_aes_128_cbc:\n case NID_aes_192_cbc:\n case NID_aes_256_cbc:\n\n case NID_aes_128_ctr:\n case NID_aes_192_ctr:\n case NID_aes_256_ctr:\n FIPS_service_indicator_update_state();\n }\n}\n\nvoid EVP_DigestVerify_verify_service_indicator(const EVP_MD_CTX *ctx) {\n return evp_md_ctx_verify_service_indicator(ctx,\n is_md_fips_approved_for_verifying);\n}\n\nvoid EVP_DigestSign_verify_service_indicator(const EVP_MD_CTX *ctx) {\n return evp_md_ctx_verify_service_indicator(ctx,\n is_md_fips_approved_for_signing);\n}\n\nvoid HMAC_verify_service_indicator(const EVP_MD *evp_md) {\n switch (EVP_MD_type(evp_md)) {\n case NID_sha1:\n case NID_sha224:\n case NID_sha256:\n case NID_sha384:\n case NID_sha512:\n case NID_sha512_256:\n FIPS_service_indicator_update_state();\n break;\n }\n}\n\nvoid TLSKDF_verify_service_indicator(const EVP_MD *md) {\n // HMAC-SHA{256, 384, 512} are approved for use in the KDF in TLS 1.2. These\n // Key Derivation functions are to be used in the context of the TLS protocol.\n switch (EVP_MD_type(md)) {\n case NID_sha256:\n case NID_sha384:\n case NID_sha512:\n FIPS_service_indicator_update_state();\n break;\n }\n}\n\n#else\n\nuint64_t FIPS_service_indicator_before_call(void) { return 0; }\n\nuint64_t FIPS_service_indicator_after_call(void) {\n // One is returned so that the return value is always greater than zero, the\n // return value of |FIPS_service_indicator_before_call|. This makes everything\n // report as \"approved\" in non-FIPS builds.\n return 1;\n}\n\n#endif // BORINGSSL_FIPS\n" }, { "path": "Sources/CNIOBoringSSL/crypto/fipsmodule/sha/internal.h", "content": "/* Copyright 2018 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n#ifndef OPENSSL_HEADER_SHA_INTERNAL_H\n#define OPENSSL_HEADER_SHA_INTERNAL_H\n\n#include \n\n#include \"../../internal.h\"\n\n#if defined(__cplusplus)\nextern \"C\" {\n#endif\n\n// Define SHA{n}[_{variant}]_ASM if sha{n}_block_data_order[_{variant}] is\n// defined in assembly.\n\n#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_ARM)\n\n#define SHA1_ASM_NOHW\n#define SHA256_ASM_NOHW\n#define SHA512_ASM_NOHW\n\n#define SHA1_ASM_HW\ninline int sha1_hw_capable(void) { return CRYPTO_is_ARMv8_SHA1_capable(); }\n\n#define SHA1_ASM_NEON\nvoid sha1_block_data_order_neon(uint32_t state[5], const uint8_t *data,\n size_t num);\n\n#define SHA256_ASM_HW\ninline int sha256_hw_capable(void) { return CRYPTO_is_ARMv8_SHA256_capable(); }\n\n#define SHA256_ASM_NEON\nvoid sha256_block_data_order_neon(uint32_t state[8], const uint8_t *data,\n size_t num);\n\n// Armv8.2 SHA-512 instructions are not available in 32-bit.\n#define SHA512_ASM_NEON\nvoid sha512_block_data_order_neon(uint64_t state[8], const uint8_t *data,\n size_t num);\n\n#elif !defined(OPENSSL_NO_ASM) && defined(OPENSSL_AARCH64)\n\n#define SHA1_ASM_NOHW\n#define SHA256_ASM_NOHW\n#define SHA512_ASM_NOHW\n\n#define SHA1_ASM_HW\ninline int sha1_hw_capable(void) { return CRYPTO_is_ARMv8_SHA1_capable(); }\n\n#define SHA256_ASM_HW\ninline int sha256_hw_capable(void) { return CRYPTO_is_ARMv8_SHA256_capable(); }\n\n#define SHA512_ASM_HW\ninline int sha512_hw_capable(void) { return CRYPTO_is_ARMv8_SHA512_capable(); }\n\n#elif !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86)\n\n#define SHA1_ASM_NOHW\n#define SHA256_ASM_NOHW\n#define SHA512_ASM_NOHW\n\n#define SHA1_ASM_SSSE3\ninline int sha1_ssse3_capable(void) {\n // TODO(davidben): Do we need to check the FXSR bit? The Intel manual does not\n // say to.\n return CRYPTO_is_SSSE3_capable() && CRYPTO_is_FXSR_capable();\n}\nvoid sha1_block_data_order_ssse3(uint32_t state[5], const uint8_t *data,\n size_t num);\n\n#define SHA1_ASM_AVX\ninline int sha1_avx_capable(void) {\n // Pre-Zen AMD CPUs had slow SHLD/SHRD; Zen added the SHA extension; see the\n // discussion in sha1-586.pl.\n //\n // TODO(davidben): Should we enable SHAEXT on 32-bit x86?\n // TODO(davidben): Do we need to check the FXSR bit? The Intel manual does not\n // say to.\n return CRYPTO_is_AVX_capable() && CRYPTO_is_intel_cpu() &&\n CRYPTO_is_FXSR_capable();\n}\nvoid sha1_block_data_order_avx(uint32_t state[5], const uint8_t *data,\n size_t num);\n\n#define SHA256_ASM_SSSE3\ninline int sha256_ssse3_capable(void) {\n // TODO(davidben): Do we need to check the FXSR bit? The Intel manual does not\n // say to.\n return CRYPTO_is_SSSE3_capable() && CRYPTO_is_FXSR_capable();\n}\nvoid sha256_block_data_order_ssse3(uint32_t state[8], const uint8_t *data,\n size_t num);\n\n#define SHA256_ASM_AVX\ninline int sha256_avx_capable(void) {\n // Pre-Zen AMD CPUs had slow SHLD/SHRD; Zen added the SHA extension; see the\n // discussion in sha1-586.pl.\n //\n // TODO(davidben): Should we enable SHAEXT on 32-bit x86?\n // TODO(davidben): Do we need to check the FXSR bit? The Intel manual does not\n // say to.\n return CRYPTO_is_AVX_capable() && CRYPTO_is_intel_cpu() &&\n CRYPTO_is_FXSR_capable();\n}\nvoid sha256_block_data_order_avx(uint32_t state[8], const uint8_t *data,\n size_t num);\n\n#define SHA512_ASM_SSSE3\ninline int sha512_ssse3_capable(void) {\n // TODO(davidben): Do we need to check the FXSR bit? The Intel manual does not\n // say to.\n return CRYPTO_is_SSSE3_capable() && CRYPTO_is_FXSR_capable();\n}\nvoid sha512_block_data_order_ssse3(uint64_t state[8], const uint8_t *data,\n size_t num);\n\n#elif !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86_64)\n\n#define SHA1_ASM_NOHW\n#define SHA256_ASM_NOHW\n#define SHA512_ASM_NOHW\n\n#define SHA1_ASM_HW\ninline int sha1_hw_capable(void) {\n return CRYPTO_is_x86_SHA_capable() && CRYPTO_is_SSSE3_capable();\n}\n\n#define SHA1_ASM_AVX2\ninline int sha1_avx2_capable(void) {\n return CRYPTO_is_AVX2_capable() && CRYPTO_is_BMI2_capable() &&\n CRYPTO_is_BMI1_capable();\n}\nvoid sha1_block_data_order_avx2(uint32_t state[5], const uint8_t *data,\n size_t num);\n\n#define SHA1_ASM_AVX\ninline int sha1_avx_capable(void) {\n // Pre-Zen AMD CPUs had slow SHLD/SHRD; Zen added the SHA extension; see the\n // discussion in sha1-586.pl.\n return CRYPTO_is_AVX_capable() && CRYPTO_is_intel_cpu();\n}\nvoid sha1_block_data_order_avx(uint32_t state[5], const uint8_t *data,\n size_t num);\n\n#define SHA1_ASM_SSSE3\ninline int sha1_ssse3_capable(void) { return CRYPTO_is_SSSE3_capable(); }\nvoid sha1_block_data_order_ssse3(uint32_t state[5], const uint8_t *data,\n size_t num);\n\n#define SHA256_ASM_HW\ninline int sha256_hw_capable(void) {\n // Note that the original assembly did not check SSSE3.\n return CRYPTO_is_x86_SHA_capable() && CRYPTO_is_SSSE3_capable();\n}\n\n#define SHA256_ASM_AVX\ninline int sha256_avx_capable(void) {\n // Pre-Zen AMD CPUs had slow SHLD/SHRD; Zen added the SHA extension; see the\n // discussion in sha1-586.pl.\n return CRYPTO_is_AVX_capable() && CRYPTO_is_intel_cpu();\n}\nvoid sha256_block_data_order_avx(uint32_t state[8], const uint8_t *data,\n size_t num);\n\n#define SHA256_ASM_SSSE3\ninline int sha256_ssse3_capable(void) { return CRYPTO_is_SSSE3_capable(); }\nvoid sha256_block_data_order_ssse3(uint32_t state[8], const uint8_t *data,\n size_t num);\n\n#define SHA512_ASM_AVX\ninline int sha512_avx_capable(void) { return CRYPTO_is_AVX_capable(); }\nvoid sha512_block_data_order_avx(uint64_t state[8], const uint8_t *data,\n size_t num);\n\n#endif\n\n#if defined(SHA1_ASM_HW)\nvoid sha1_block_data_order_hw(uint32_t state[5], const uint8_t *data,\n size_t num);\n#endif\n#if defined(SHA1_ASM_NOHW)\nvoid sha1_block_data_order_nohw(uint32_t state[5], const uint8_t *data,\n size_t num);\n#endif\n\n#if defined(SHA256_ASM_HW)\nvoid sha256_block_data_order_hw(uint32_t state[8], const uint8_t *data,\n size_t num);\n#endif\n#if defined(SHA256_ASM_NOHW)\nvoid sha256_block_data_order_nohw(uint32_t state[8], const uint8_t *data,\n size_t num);\n#endif\n\n#if defined(SHA512_ASM_HW)\nvoid sha512_block_data_order_hw(uint64_t state[8], const uint8_t *data,\n size_t num);\n#endif\n\n#if defined(SHA512_ASM_NOHW)\nvoid sha512_block_data_order_nohw(uint64_t state[8], const uint8_t *data,\n size_t num);\n#endif\n\n#if defined(__cplusplus)\n} // extern \"C\"\n#endif\n\n#endif // OPENSSL_HEADER_SHA_INTERNAL_H\n" }, { "path": "Sources/CNIOBoringSSL/crypto/fipsmodule/sha/sha1.cc.inc", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n\n#include \"../../internal.h\"\n#include \"../bcm_interface.h\"\n#include \"../digest/md32_common.h\"\n#include \"../service_indicator/internal.h\"\n#include \"internal.h\"\n\n\nbcm_infallible BCM_sha1_init(SHA_CTX *sha) {\n OPENSSL_memset(sha, 0, sizeof(SHA_CTX));\n sha->h[0] = 0x67452301UL;\n sha->h[1] = 0xefcdab89UL;\n sha->h[2] = 0x98badcfeUL;\n sha->h[3] = 0x10325476UL;\n sha->h[4] = 0xc3d2e1f0UL;\n return bcm_infallible::approved;\n}\n\n#if !defined(SHA1_ASM)\nstatic void sha1_block_data_order(uint32_t state[5], const uint8_t *data,\n size_t num);\n#endif\n\nbcm_infallible BCM_sha1_transform(SHA_CTX *c, const uint8_t data[SHA_CBLOCK]) {\n sha1_block_data_order(c->h, data, 1);\n return bcm_infallible::approved;\n}\n\nbcm_infallible BCM_sha1_update(SHA_CTX *c, const void *data, size_t len) {\n crypto_md32_update(&sha1_block_data_order, c->h, c->data, SHA_CBLOCK, &c->num,\n &c->Nh, &c->Nl, reinterpret_cast(data),\n len);\n return bcm_infallible::approved;\n}\n\nstatic void sha1_output_state(uint8_t out[SHA_DIGEST_LENGTH],\n const SHA_CTX *ctx) {\n CRYPTO_store_u32_be(out, ctx->h[0]);\n CRYPTO_store_u32_be(out + 4, ctx->h[1]);\n CRYPTO_store_u32_be(out + 8, ctx->h[2]);\n CRYPTO_store_u32_be(out + 12, ctx->h[3]);\n CRYPTO_store_u32_be(out + 16, ctx->h[4]);\n}\n\nbcm_infallible BCM_sha1_final(uint8_t out[SHA_DIGEST_LENGTH], SHA_CTX *c) {\n crypto_md32_final(&sha1_block_data_order, c->h, c->data, SHA_CBLOCK, &c->num,\n c->Nh, c->Nl, /*is_big_endian=*/1);\n\n sha1_output_state(out, c);\n FIPS_service_indicator_update_state();\n return bcm_infallible::approved;\n}\n\nbcm_infallible BCM_fips_186_2_prf(uint8_t *out, size_t out_len,\n const uint8_t xkey[SHA_DIGEST_LENGTH]) {\n // XKEY and XVAL are 160-bit values, but are internally right-padded up to\n // block size. See FIPS 186-2, Appendix 3.3. This buffer maintains both the\n // current value of XKEY and the padding.\n uint8_t block[SHA_CBLOCK] = {0};\n OPENSSL_memcpy(block, xkey, SHA_DIGEST_LENGTH);\n\n while (out_len != 0) {\n // We always use a zero XSEED, so we can merge the inner and outer loops.\n // XVAL is also always equal to XKEY.\n SHA_CTX ctx;\n BCM_sha1_init(&ctx);\n BCM_sha1_transform(&ctx, block);\n\n // XKEY = (1 + XKEY + w_i) mod 2^b\n uint32_t carry = 1;\n for (int i = 4; i >= 0; i--) {\n uint32_t tmp = CRYPTO_load_u32_be(block + i * 4);\n tmp = CRYPTO_addc_u32(tmp, ctx.h[i], carry, &carry);\n CRYPTO_store_u32_be(block + i * 4, tmp);\n }\n\n // Output w_i.\n if (out_len < SHA_DIGEST_LENGTH) {\n uint8_t buf[SHA_DIGEST_LENGTH];\n sha1_output_state(buf, &ctx);\n OPENSSL_memcpy(out, buf, out_len);\n break;\n }\n sha1_output_state(out, &ctx);\n out += SHA_DIGEST_LENGTH;\n out_len -= SHA_DIGEST_LENGTH;\n }\n return bcm_infallible::not_approved;\n}\n\n#define Xupdate(a, ix, ia, ib, ic, id) \\\n do { \\\n (a) = ((ia) ^ (ib) ^ (ic) ^ (id)); \\\n (ix) = (a) = CRYPTO_rotl_u32((a), 1); \\\n } while (0)\n\n#define K_00_19 0x5a827999UL\n#define K_20_39 0x6ed9eba1UL\n#define K_40_59 0x8f1bbcdcUL\n#define K_60_79 0xca62c1d6UL\n\n// As pointed out by Wei Dai , F() below can be simplified\n// to the code in F_00_19. Wei attributes these optimisations to Peter\n// Gutmann's SHS code, and he attributes it to Rich Schroeppel. #define\n// F(x,y,z) (((x) & (y)) | ((~(x)) & (z))) I've just become aware of another\n// tweak to be made, again from Wei Dai, in F_40_59, (x&a)|(y&a) -> (x|y)&a\n#define F_00_19(b, c, d) ((((c) ^ (d)) & (b)) ^ (d))\n#define F_20_39(b, c, d) ((b) ^ (c) ^ (d))\n#define F_40_59(b, c, d) (((b) & (c)) | (((b) | (c)) & (d)))\n#define F_60_79(b, c, d) F_20_39(b, c, d)\n\n#define BODY_00_15(i, a, b, c, d, e, f, xi) \\\n do { \\\n (f) = (xi) + (e) + K_00_19 + CRYPTO_rotl_u32((a), 5) + \\\n F_00_19((b), (c), (d)); \\\n (b) = CRYPTO_rotl_u32((b), 30); \\\n } while (0)\n\n#define BODY_16_19(i, a, b, c, d, e, f, xi, xa, xb, xc, xd) \\\n do { \\\n Xupdate(f, xi, xa, xb, xc, xd); \\\n (f) += (e) + K_00_19 + CRYPTO_rotl_u32((a), 5) + F_00_19((b), (c), (d)); \\\n (b) = CRYPTO_rotl_u32((b), 30); \\\n } while (0)\n\n#define BODY_20_31(i, a, b, c, d, e, f, xi, xa, xb, xc, xd) \\\n do { \\\n Xupdate(f, xi, xa, xb, xc, xd); \\\n (f) += (e) + K_20_39 + CRYPTO_rotl_u32((a), 5) + F_20_39((b), (c), (d)); \\\n (b) = CRYPTO_rotl_u32((b), 30); \\\n } while (0)\n\n#define BODY_32_39(i, a, b, c, d, e, f, xa, xb, xc, xd) \\\n do { \\\n Xupdate(f, xa, xa, xb, xc, xd); \\\n (f) += (e) + K_20_39 + CRYPTO_rotl_u32((a), 5) + F_20_39((b), (c), (d)); \\\n (b) = CRYPTO_rotl_u32((b), 30); \\\n } while (0)\n\n#define BODY_40_59(i, a, b, c, d, e, f, xa, xb, xc, xd) \\\n do { \\\n Xupdate(f, xa, xa, xb, xc, xd); \\\n (f) += (e) + K_40_59 + CRYPTO_rotl_u32((a), 5) + F_40_59((b), (c), (d)); \\\n (b) = CRYPTO_rotl_u32((b), 30); \\\n } while (0)\n\n#define BODY_60_79(i, a, b, c, d, e, f, xa, xb, xc, xd) \\\n do { \\\n Xupdate(f, xa, xa, xb, xc, xd); \\\n (f) = (xa) + (e) + K_60_79 + CRYPTO_rotl_u32((a), 5) + \\\n F_60_79((b), (c), (d)); \\\n (b) = CRYPTO_rotl_u32((b), 30); \\\n } while (0)\n\n#ifdef X\n#undef X\n#endif\n\n/* Originally X was an array. As it's automatic it's natural\n * to expect RISC compiler to accomodate at least part of it in\n * the register bank, isn't it? Unfortunately not all compilers\n * \"find\" this expectation reasonable:-( On order to make such\n * compilers generate better code I replace X[] with a bunch of\n * X0, X1, etc. See the function body below...\n * */\n#define X(i) XX##i\n\n#if !defined(SHA1_ASM)\n\n#if !defined(SHA1_ASM_NOHW)\nstatic void sha1_block_data_order_nohw(uint32_t state[5], const uint8_t *data,\n size_t num) {\n uint32_t A, B, C, D, E, T;\n uint32_t XX0, XX1, XX2, XX3, XX4, XX5, XX6, XX7, XX8, XX9, XX10, XX11, XX12,\n XX13, XX14, XX15;\n\n A = state[0];\n B = state[1];\n C = state[2];\n D = state[3];\n E = state[4];\n\n for (;;) {\n X(0) = CRYPTO_load_u32_be(data);\n data += 4;\n X(1) = CRYPTO_load_u32_be(data);\n data += 4;\n BODY_00_15(0, A, B, C, D, E, T, X(0));\n X(2) = CRYPTO_load_u32_be(data);\n data += 4;\n BODY_00_15(1, T, A, B, C, D, E, X(1));\n X(3) = CRYPTO_load_u32_be(data);\n data += 4;\n BODY_00_15(2, E, T, A, B, C, D, X(2));\n X(4) = CRYPTO_load_u32_be(data);\n data += 4;\n BODY_00_15(3, D, E, T, A, B, C, X(3));\n X(5) = CRYPTO_load_u32_be(data);\n data += 4;\n BODY_00_15(4, C, D, E, T, A, B, X(4));\n X(6) = CRYPTO_load_u32_be(data);\n data += 4;\n BODY_00_15(5, B, C, D, E, T, A, X(5));\n X(7) = CRYPTO_load_u32_be(data);\n data += 4;\n BODY_00_15(6, A, B, C, D, E, T, X(6));\n X(8) = CRYPTO_load_u32_be(data);\n data += 4;\n BODY_00_15(7, T, A, B, C, D, E, X(7));\n X(9) = CRYPTO_load_u32_be(data);\n data += 4;\n BODY_00_15(8, E, T, A, B, C, D, X(8));\n X(10) = CRYPTO_load_u32_be(data);\n data += 4;\n BODY_00_15(9, D, E, T, A, B, C, X(9));\n X(11) = CRYPTO_load_u32_be(data);\n data += 4;\n BODY_00_15(10, C, D, E, T, A, B, X(10));\n X(12) = CRYPTO_load_u32_be(data);\n data += 4;\n BODY_00_15(11, B, C, D, E, T, A, X(11));\n X(13) = CRYPTO_load_u32_be(data);\n data += 4;\n BODY_00_15(12, A, B, C, D, E, T, X(12));\n X(14) = CRYPTO_load_u32_be(data);\n data += 4;\n BODY_00_15(13, T, A, B, C, D, E, X(13));\n X(15) = CRYPTO_load_u32_be(data);\n data += 4;\n BODY_00_15(14, E, T, A, B, C, D, X(14));\n BODY_00_15(15, D, E, T, A, B, C, X(15));\n\n BODY_16_19(16, C, D, E, T, A, B, X(0), X(0), X(2), X(8), X(13));\n BODY_16_19(17, B, C, D, E, T, A, X(1), X(1), X(3), X(9), X(14));\n BODY_16_19(18, A, B, C, D, E, T, X(2), X(2), X(4), X(10), X(15));\n BODY_16_19(19, T, A, B, C, D, E, X(3), X(3), X(5), X(11), X(0));\n\n BODY_20_31(20, E, T, A, B, C, D, X(4), X(4), X(6), X(12), X(1));\n BODY_20_31(21, D, E, T, A, B, C, X(5), X(5), X(7), X(13), X(2));\n BODY_20_31(22, C, D, E, T, A, B, X(6), X(6), X(8), X(14), X(3));\n BODY_20_31(23, B, C, D, E, T, A, X(7), X(7), X(9), X(15), X(4));\n BODY_20_31(24, A, B, C, D, E, T, X(8), X(8), X(10), X(0), X(5));\n BODY_20_31(25, T, A, B, C, D, E, X(9), X(9), X(11), X(1), X(6));\n BODY_20_31(26, E, T, A, B, C, D, X(10), X(10), X(12), X(2), X(7));\n BODY_20_31(27, D, E, T, A, B, C, X(11), X(11), X(13), X(3), X(8));\n BODY_20_31(28, C, D, E, T, A, B, X(12), X(12), X(14), X(4), X(9));\n BODY_20_31(29, B, C, D, E, T, A, X(13), X(13), X(15), X(5), X(10));\n BODY_20_31(30, A, B, C, D, E, T, X(14), X(14), X(0), X(6), X(11));\n BODY_20_31(31, T, A, B, C, D, E, X(15), X(15), X(1), X(7), X(12));\n\n BODY_32_39(32, E, T, A, B, C, D, X(0), X(2), X(8), X(13));\n BODY_32_39(33, D, E, T, A, B, C, X(1), X(3), X(9), X(14));\n BODY_32_39(34, C, D, E, T, A, B, X(2), X(4), X(10), X(15));\n BODY_32_39(35, B, C, D, E, T, A, X(3), X(5), X(11), X(0));\n BODY_32_39(36, A, B, C, D, E, T, X(4), X(6), X(12), X(1));\n BODY_32_39(37, T, A, B, C, D, E, X(5), X(7), X(13), X(2));\n BODY_32_39(38, E, T, A, B, C, D, X(6), X(8), X(14), X(3));\n BODY_32_39(39, D, E, T, A, B, C, X(7), X(9), X(15), X(4));\n\n BODY_40_59(40, C, D, E, T, A, B, X(8), X(10), X(0), X(5));\n BODY_40_59(41, B, C, D, E, T, A, X(9), X(11), X(1), X(6));\n BODY_40_59(42, A, B, C, D, E, T, X(10), X(12), X(2), X(7));\n BODY_40_59(43, T, A, B, C, D, E, X(11), X(13), X(3), X(8));\n BODY_40_59(44, E, T, A, B, C, D, X(12), X(14), X(4), X(9));\n BODY_40_59(45, D, E, T, A, B, C, X(13), X(15), X(5), X(10));\n BODY_40_59(46, C, D, E, T, A, B, X(14), X(0), X(6), X(11));\n BODY_40_59(47, B, C, D, E, T, A, X(15), X(1), X(7), X(12));\n BODY_40_59(48, A, B, C, D, E, T, X(0), X(2), X(8), X(13));\n BODY_40_59(49, T, A, B, C, D, E, X(1), X(3), X(9), X(14));\n BODY_40_59(50, E, T, A, B, C, D, X(2), X(4), X(10), X(15));\n BODY_40_59(51, D, E, T, A, B, C, X(3), X(5), X(11), X(0));\n BODY_40_59(52, C, D, E, T, A, B, X(4), X(6), X(12), X(1));\n BODY_40_59(53, B, C, D, E, T, A, X(5), X(7), X(13), X(2));\n BODY_40_59(54, A, B, C, D, E, T, X(6), X(8), X(14), X(3));\n BODY_40_59(55, T, A, B, C, D, E, X(7), X(9), X(15), X(4));\n BODY_40_59(56, E, T, A, B, C, D, X(8), X(10), X(0), X(5));\n BODY_40_59(57, D, E, T, A, B, C, X(9), X(11), X(1), X(6));\n BODY_40_59(58, C, D, E, T, A, B, X(10), X(12), X(2), X(7));\n BODY_40_59(59, B, C, D, E, T, A, X(11), X(13), X(3), X(8));\n\n BODY_60_79(60, A, B, C, D, E, T, X(12), X(14), X(4), X(9));\n BODY_60_79(61, T, A, B, C, D, E, X(13), X(15), X(5), X(10));\n BODY_60_79(62, E, T, A, B, C, D, X(14), X(0), X(6), X(11));\n BODY_60_79(63, D, E, T, A, B, C, X(15), X(1), X(7), X(12));\n BODY_60_79(64, C, D, E, T, A, B, X(0), X(2), X(8), X(13));\n BODY_60_79(65, B, C, D, E, T, A, X(1), X(3), X(9), X(14));\n BODY_60_79(66, A, B, C, D, E, T, X(2), X(4), X(10), X(15));\n BODY_60_79(67, T, A, B, C, D, E, X(3), X(5), X(11), X(0));\n BODY_60_79(68, E, T, A, B, C, D, X(4), X(6), X(12), X(1));\n BODY_60_79(69, D, E, T, A, B, C, X(5), X(7), X(13), X(2));\n BODY_60_79(70, C, D, E, T, A, B, X(6), X(8), X(14), X(3));\n BODY_60_79(71, B, C, D, E, T, A, X(7), X(9), X(15), X(4));\n BODY_60_79(72, A, B, C, D, E, T, X(8), X(10), X(0), X(5));\n BODY_60_79(73, T, A, B, C, D, E, X(9), X(11), X(1), X(6));\n BODY_60_79(74, E, T, A, B, C, D, X(10), X(12), X(2), X(7));\n BODY_60_79(75, D, E, T, A, B, C, X(11), X(13), X(3), X(8));\n BODY_60_79(76, C, D, E, T, A, B, X(12), X(14), X(4), X(9));\n BODY_60_79(77, B, C, D, E, T, A, X(13), X(15), X(5), X(10));\n BODY_60_79(78, A, B, C, D, E, T, X(14), X(0), X(6), X(11));\n BODY_60_79(79, T, A, B, C, D, E, X(15), X(1), X(7), X(12));\n\n state[0] = (state[0] + E) & 0xffffffffL;\n state[1] = (state[1] + T) & 0xffffffffL;\n state[2] = (state[2] + A) & 0xffffffffL;\n state[3] = (state[3] + B) & 0xffffffffL;\n state[4] = (state[4] + C) & 0xffffffffL;\n\n if (--num == 0) {\n break;\n }\n\n A = state[0];\n B = state[1];\n C = state[2];\n D = state[3];\n E = state[4];\n }\n}\n#endif // !SHA1_ASM_NOHW\n\nstatic void sha1_block_data_order(uint32_t state[5], const uint8_t *data,\n size_t num) {\n#if defined(SHA1_ASM_HW)\n if (sha1_hw_capable()) {\n sha1_block_data_order_hw(state, data, num);\n return;\n }\n#endif\n#if defined(SHA1_ASM_AVX2)\n if (sha1_avx2_capable()) {\n sha1_block_data_order_avx2(state, data, num);\n return;\n }\n#endif\n#if defined(SHA1_ASM_AVX)\n if (sha1_avx_capable()) {\n sha1_block_data_order_avx(state, data, num);\n return;\n }\n#endif\n#if defined(SHA1_ASM_SSSE3)\n if (sha1_ssse3_capable()) {\n sha1_block_data_order_ssse3(state, data, num);\n return;\n }\n#endif\n#if defined(SHA1_ASM_NEON)\n if (CRYPTO_is_NEON_capable()) {\n sha1_block_data_order_neon(state, data, num);\n return;\n }\n#endif\n sha1_block_data_order_nohw(state, data, num);\n}\n\n#endif // !SHA1_ASM\n\n#undef Xupdate\n#undef K_00_19\n#undef K_20_39\n#undef K_40_59\n#undef K_60_79\n#undef F_00_19\n#undef F_20_39\n#undef F_40_59\n#undef F_60_79\n#undef BODY_00_15\n#undef BODY_16_19\n#undef BODY_20_31\n#undef BODY_32_39\n#undef BODY_40_59\n#undef BODY_60_79\n#undef X\n" }, { "path": "Sources/CNIOBoringSSL/crypto/fipsmodule/sha/sha256.cc.inc", "content": "/*\n * Copyright 2004-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n\n#include \"../../internal.h\"\n#include \"../bcm_interface.h\"\n#include \"../digest/md32_common.h\"\n#include \"../service_indicator/internal.h\"\n#include \"internal.h\"\n\n\nbcm_infallible BCM_sha224_init(SHA256_CTX *sha) {\n OPENSSL_memset(sha, 0, sizeof(SHA256_CTX));\n sha->h[0] = 0xc1059ed8UL;\n sha->h[1] = 0x367cd507UL;\n sha->h[2] = 0x3070dd17UL;\n sha->h[3] = 0xf70e5939UL;\n sha->h[4] = 0xffc00b31UL;\n sha->h[5] = 0x68581511UL;\n sha->h[6] = 0x64f98fa7UL;\n sha->h[7] = 0xbefa4fa4UL;\n sha->md_len = BCM_SHA224_DIGEST_LENGTH;\n return bcm_infallible::approved;\n}\n\nbcm_infallible BCM_sha256_init(SHA256_CTX *sha) {\n OPENSSL_memset(sha, 0, sizeof(SHA256_CTX));\n sha->h[0] = 0x6a09e667UL;\n sha->h[1] = 0xbb67ae85UL;\n sha->h[2] = 0x3c6ef372UL;\n sha->h[3] = 0xa54ff53aUL;\n sha->h[4] = 0x510e527fUL;\n sha->h[5] = 0x9b05688cUL;\n sha->h[6] = 0x1f83d9abUL;\n sha->h[7] = 0x5be0cd19UL;\n sha->md_len = BCM_SHA256_DIGEST_LENGTH;\n return bcm_infallible::approved;\n}\n\n#if !defined(SHA256_ASM)\nstatic void sha256_block_data_order(uint32_t state[8], const uint8_t *in,\n size_t num);\n#endif\n\nbcm_infallible BCM_sha256_transform(SHA256_CTX *c,\n const uint8_t data[BCM_SHA256_CBLOCK]) {\n sha256_block_data_order(c->h, data, 1);\n return bcm_infallible::approved;\n}\n\nbcm_infallible BCM_sha256_update(SHA256_CTX *c, const void *data, size_t len) {\n crypto_md32_update(&sha256_block_data_order, c->h, c->data, BCM_SHA256_CBLOCK,\n &c->num, &c->Nh, &c->Nl,\n reinterpret_cast(data), len);\n return bcm_infallible::approved;\n}\n\nbcm_infallible BCM_sha224_update(SHA256_CTX *ctx, const void *data,\n size_t len) {\n return BCM_sha256_update(ctx, data, len);\n}\n\nstatic void sha256_final_impl(uint8_t *out, size_t md_len, SHA256_CTX *c) {\n crypto_md32_final(&sha256_block_data_order, c->h, c->data, BCM_SHA256_CBLOCK,\n &c->num, c->Nh, c->Nl, /*is_big_endian=*/1);\n\n BSSL_CHECK(md_len <= BCM_SHA256_DIGEST_LENGTH);\n\n assert(md_len % 4 == 0);\n const size_t out_words = md_len / 4;\n for (size_t i = 0; i < out_words; i++) {\n CRYPTO_store_u32_be(out, c->h[i]);\n out += 4;\n }\n\n FIPS_service_indicator_update_state();\n}\n\nbcm_infallible BCM_sha256_final(uint8_t out[BCM_SHA256_DIGEST_LENGTH],\n SHA256_CTX *c) {\n // Ideally we would assert |sha->md_len| is |BCM_SHA256_DIGEST_LENGTH| to\n // match the size hint, but calling code often pairs |SHA224_Init| with\n // |SHA256_Final| and expects |sha->md_len| to carry the size over.\n //\n // TODO(davidben): Add an assert and fix code to match them up.\n sha256_final_impl(out, c->md_len, c);\n return bcm_infallible::approved;\n}\n\nbcm_infallible BCM_sha224_final(uint8_t out[BCM_SHA224_DIGEST_LENGTH],\n SHA256_CTX *ctx) {\n // This function must be paired with |SHA224_Init|, which sets |ctx->md_len|\n // to |BCM_SHA224_DIGEST_LENGTH|.\n assert(ctx->md_len == BCM_SHA224_DIGEST_LENGTH);\n sha256_final_impl(out, BCM_SHA224_DIGEST_LENGTH, ctx);\n return bcm_infallible::approved;\n}\n\n#if !defined(SHA256_ASM)\n\n#if !defined(SHA256_ASM_NOHW)\nstatic const uint32_t K256[64] = {\n 0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL, 0x3956c25bUL,\n 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL, 0xd807aa98UL, 0x12835b01UL,\n 0x243185beUL, 0x550c7dc3UL, 0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL,\n 0xc19bf174UL, 0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL,\n 0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL, 0x983e5152UL,\n 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL, 0xc6e00bf3UL, 0xd5a79147UL,\n 0x06ca6351UL, 0x14292967UL, 0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL,\n 0x53380d13UL, 0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL,\n 0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL, 0xd192e819UL,\n 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL, 0x19a4c116UL, 0x1e376c08UL,\n 0x2748774cUL, 0x34b0bcb5UL, 0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL,\n 0x682e6ff3UL, 0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL,\n 0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL};\n\n// See FIPS 180-4, section 4.1.2.\n#define Sigma0(x) \\\n (CRYPTO_rotr_u32((x), 2) ^ CRYPTO_rotr_u32((x), 13) ^ \\\n CRYPTO_rotr_u32((x), 22))\n#define Sigma1(x) \\\n (CRYPTO_rotr_u32((x), 6) ^ CRYPTO_rotr_u32((x), 11) ^ \\\n CRYPTO_rotr_u32((x), 25))\n#define sigma0(x) \\\n (CRYPTO_rotr_u32((x), 7) ^ CRYPTO_rotr_u32((x), 18) ^ ((x) >> 3))\n#define sigma1(x) \\\n (CRYPTO_rotr_u32((x), 17) ^ CRYPTO_rotr_u32((x), 19) ^ ((x) >> 10))\n\n#define Ch(x, y, z) (((x) & (y)) ^ ((~(x)) & (z)))\n#define Maj(x, y, z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))\n\n#define ROUND_00_15(i, a, b, c, d, e, f, g, h) \\\n do { \\\n T1 += h + Sigma1(e) + Ch(e, f, g) + K256[i]; \\\n h = Sigma0(a) + Maj(a, b, c); \\\n d += T1; \\\n h += T1; \\\n } while (0)\n\n#define ROUND_16_63(i, a, b, c, d, e, f, g, h, X) \\\n do { \\\n s0 = X[(i + 1) & 0x0f]; \\\n s0 = sigma0(s0); \\\n s1 = X[(i + 14) & 0x0f]; \\\n s1 = sigma1(s1); \\\n T1 = X[(i) & 0x0f] += s0 + s1 + X[(i + 9) & 0x0f]; \\\n ROUND_00_15(i, a, b, c, d, e, f, g, h); \\\n } while (0)\n\nstatic void sha256_block_data_order_nohw(uint32_t state[8], const uint8_t *data,\n size_t num) {\n uint32_t a, b, c, d, e, f, g, h, s0, s1, T1;\n uint32_t X[16];\n int i;\n\n while (num--) {\n a = state[0];\n b = state[1];\n c = state[2];\n d = state[3];\n e = state[4];\n f = state[5];\n g = state[6];\n h = state[7];\n\n T1 = X[0] = CRYPTO_load_u32_be(data);\n data += 4;\n ROUND_00_15(0, a, b, c, d, e, f, g, h);\n T1 = X[1] = CRYPTO_load_u32_be(data);\n data += 4;\n ROUND_00_15(1, h, a, b, c, d, e, f, g);\n T1 = X[2] = CRYPTO_load_u32_be(data);\n data += 4;\n ROUND_00_15(2, g, h, a, b, c, d, e, f);\n T1 = X[3] = CRYPTO_load_u32_be(data);\n data += 4;\n ROUND_00_15(3, f, g, h, a, b, c, d, e);\n T1 = X[4] = CRYPTO_load_u32_be(data);\n data += 4;\n ROUND_00_15(4, e, f, g, h, a, b, c, d);\n T1 = X[5] = CRYPTO_load_u32_be(data);\n data += 4;\n ROUND_00_15(5, d, e, f, g, h, a, b, c);\n T1 = X[6] = CRYPTO_load_u32_be(data);\n data += 4;\n ROUND_00_15(6, c, d, e, f, g, h, a, b);\n T1 = X[7] = CRYPTO_load_u32_be(data);\n data += 4;\n ROUND_00_15(7, b, c, d, e, f, g, h, a);\n T1 = X[8] = CRYPTO_load_u32_be(data);\n data += 4;\n ROUND_00_15(8, a, b, c, d, e, f, g, h);\n T1 = X[9] = CRYPTO_load_u32_be(data);\n data += 4;\n ROUND_00_15(9, h, a, b, c, d, e, f, g);\n T1 = X[10] = CRYPTO_load_u32_be(data);\n data += 4;\n ROUND_00_15(10, g, h, a, b, c, d, e, f);\n T1 = X[11] = CRYPTO_load_u32_be(data);\n data += 4;\n ROUND_00_15(11, f, g, h, a, b, c, d, e);\n T1 = X[12] = CRYPTO_load_u32_be(data);\n data += 4;\n ROUND_00_15(12, e, f, g, h, a, b, c, d);\n T1 = X[13] = CRYPTO_load_u32_be(data);\n data += 4;\n ROUND_00_15(13, d, e, f, g, h, a, b, c);\n T1 = X[14] = CRYPTO_load_u32_be(data);\n data += 4;\n ROUND_00_15(14, c, d, e, f, g, h, a, b);\n T1 = X[15] = CRYPTO_load_u32_be(data);\n data += 4;\n ROUND_00_15(15, b, c, d, e, f, g, h, a);\n\n for (i = 16; i < 64; i += 8) {\n ROUND_16_63(i + 0, a, b, c, d, e, f, g, h, X);\n ROUND_16_63(i + 1, h, a, b, c, d, e, f, g, X);\n ROUND_16_63(i + 2, g, h, a, b, c, d, e, f, X);\n ROUND_16_63(i + 3, f, g, h, a, b, c, d, e, X);\n ROUND_16_63(i + 4, e, f, g, h, a, b, c, d, X);\n ROUND_16_63(i + 5, d, e, f, g, h, a, b, c, X);\n ROUND_16_63(i + 6, c, d, e, f, g, h, a, b, X);\n ROUND_16_63(i + 7, b, c, d, e, f, g, h, a, X);\n }\n\n state[0] += a;\n state[1] += b;\n state[2] += c;\n state[3] += d;\n state[4] += e;\n state[5] += f;\n state[6] += g;\n state[7] += h;\n }\n}\n\n#endif // !defined(SHA256_ASM_NOHW)\n\nstatic void sha256_block_data_order(uint32_t state[8], const uint8_t *data,\n size_t num) {\n#if defined(SHA256_ASM_HW)\n if (sha256_hw_capable()) {\n sha256_block_data_order_hw(state, data, num);\n return;\n }\n#endif\n#if defined(SHA256_ASM_AVX)\n if (sha256_avx_capable()) {\n sha256_block_data_order_avx(state, data, num);\n return;\n }\n#endif\n#if defined(SHA256_ASM_SSSE3)\n if (sha256_ssse3_capable()) {\n sha256_block_data_order_ssse3(state, data, num);\n return;\n }\n#endif\n#if defined(SHA256_ASM_NEON)\n if (CRYPTO_is_NEON_capable()) {\n sha256_block_data_order_neon(state, data, num);\n return;\n }\n#endif\n sha256_block_data_order_nohw(state, data, num);\n}\n\n#endif // !defined(SHA256_ASM)\n\n\nbcm_infallible BCM_sha256_transform_blocks(uint32_t state[8],\n const uint8_t *data,\n size_t num_blocks) {\n sha256_block_data_order(state, data, num_blocks);\n return bcm_infallible::approved;\n}\n\n#undef Sigma0\n#undef Sigma1\n#undef sigma0\n#undef sigma1\n#undef Ch\n#undef Maj\n#undef ROUND_00_15\n#undef ROUND_16_63\n" }, { "path": "Sources/CNIOBoringSSL/crypto/fipsmodule/sha/sha512.cc.inc", "content": "/*\n * Copyright 2004-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n\n#include \"../../internal.h\"\n#include \"../bcm_interface.h\"\n#include \"../service_indicator/internal.h\"\n#include \"internal.h\"\n\n\n// The 32-bit hash algorithms share a common byte-order neutral collector and\n// padding function implementations that operate on unaligned data,\n// ../digest/md32_common.h. SHA-512 is the only 64-bit hash algorithm, as of\n// this writing, so there is no need for a common collector/padding\n// implementation yet.\n\nstatic void sha512_final_impl(uint8_t *out, size_t md_len, SHA512_CTX *sha);\n\nbcm_infallible BCM_sha384_init(SHA512_CTX *sha) {\n sha->h[0] = UINT64_C(0xcbbb9d5dc1059ed8);\n sha->h[1] = UINT64_C(0x629a292a367cd507);\n sha->h[2] = UINT64_C(0x9159015a3070dd17);\n sha->h[3] = UINT64_C(0x152fecd8f70e5939);\n sha->h[4] = UINT64_C(0x67332667ffc00b31);\n sha->h[5] = UINT64_C(0x8eb44a8768581511);\n sha->h[6] = UINT64_C(0xdb0c2e0d64f98fa7);\n sha->h[7] = UINT64_C(0x47b5481dbefa4fa4);\n\n sha->Nl = 0;\n sha->Nh = 0;\n sha->num = 0;\n sha->md_len = BCM_SHA384_DIGEST_LENGTH;\n return bcm_infallible::approved;\n}\n\n\nbcm_infallible BCM_sha512_init(SHA512_CTX *sha) {\n sha->h[0] = UINT64_C(0x6a09e667f3bcc908);\n sha->h[1] = UINT64_C(0xbb67ae8584caa73b);\n sha->h[2] = UINT64_C(0x3c6ef372fe94f82b);\n sha->h[3] = UINT64_C(0xa54ff53a5f1d36f1);\n sha->h[4] = UINT64_C(0x510e527fade682d1);\n sha->h[5] = UINT64_C(0x9b05688c2b3e6c1f);\n sha->h[6] = UINT64_C(0x1f83d9abfb41bd6b);\n sha->h[7] = UINT64_C(0x5be0cd19137e2179);\n\n sha->Nl = 0;\n sha->Nh = 0;\n sha->num = 0;\n sha->md_len = BCM_SHA512_DIGEST_LENGTH;\n return bcm_infallible::approved;\n}\n\nbcm_infallible BCM_sha512_256_init(SHA512_CTX *sha) {\n sha->h[0] = UINT64_C(0x22312194fc2bf72c);\n sha->h[1] = UINT64_C(0x9f555fa3c84c64c2);\n sha->h[2] = UINT64_C(0x2393b86b6f53b151);\n sha->h[3] = UINT64_C(0x963877195940eabd);\n sha->h[4] = UINT64_C(0x96283ee2a88effe3);\n sha->h[5] = UINT64_C(0xbe5e1e2553863992);\n sha->h[6] = UINT64_C(0x2b0199fc2c85b8aa);\n sha->h[7] = UINT64_C(0x0eb72ddc81c52ca2);\n\n sha->Nl = 0;\n sha->Nh = 0;\n sha->num = 0;\n sha->md_len = BCM_SHA512_256_DIGEST_LENGTH;\n return bcm_infallible::approved;\n}\n\n#if !defined(SHA512_ASM)\nstatic void sha512_block_data_order(uint64_t state[8], const uint8_t *in,\n size_t num_blocks);\n#endif\n\n\nbcm_infallible BCM_sha384_final(uint8_t out[BCM_SHA384_DIGEST_LENGTH],\n SHA512_CTX *sha) {\n // This function must be paired with |BCM_sha384_init|, which sets\n // |sha->md_len| to |BCM_SHA384_DIGEST_LENGTH|.\n assert(sha->md_len == BCM_SHA384_DIGEST_LENGTH);\n sha512_final_impl(out, BCM_SHA384_DIGEST_LENGTH, sha);\n return bcm_infallible::approved;\n}\n\nbcm_infallible BCM_sha384_update(SHA512_CTX *sha, const void *data,\n size_t len) {\n return BCM_sha512_update(sha, data, len);\n}\n\nbcm_infallible BCM_sha512_256_update(SHA512_CTX *sha, const void *data,\n size_t len) {\n return BCM_sha512_update(sha, data, len);\n}\n\nbcm_infallible BCM_sha512_256_final(uint8_t out[BCM_SHA512_256_DIGEST_LENGTH],\n SHA512_CTX *sha) {\n // This function must be paired with |BCM_sha512_256_init|, which sets\n // |sha->md_len| to |BCM_SHA512_256_DIGEST_LENGTH|.\n assert(sha->md_len == BCM_SHA512_256_DIGEST_LENGTH);\n sha512_final_impl(out, BCM_SHA512_256_DIGEST_LENGTH, sha);\n return bcm_infallible::approved;\n}\n\nbcm_infallible BCM_sha512_transform(SHA512_CTX *c,\n const uint8_t block[SHA512_CBLOCK]) {\n sha512_block_data_order(c->h, block, 1);\n return bcm_infallible::approved;\n}\n\nbcm_infallible BCM_sha512_update(SHA512_CTX *c, const void *in_data,\n size_t len) {\n uint64_t l;\n uint8_t *p = c->p;\n const uint8_t *data = reinterpret_cast(in_data);\n\n if (len == 0) {\n return bcm_infallible::approved;\n }\n\n l = (c->Nl + (((uint64_t)len) << 3)) & UINT64_C(0xffffffffffffffff);\n if (l < c->Nl) {\n c->Nh++;\n }\n if (sizeof(len) >= 8) {\n c->Nh += (((uint64_t)len) >> 61);\n }\n c->Nl = l;\n\n if (c->num != 0) {\n size_t n = sizeof(c->p) - c->num;\n\n if (len < n) {\n OPENSSL_memcpy(p + c->num, data, len);\n c->num += (unsigned int)len;\n return bcm_infallible::approved;\n } else {\n OPENSSL_memcpy(p + c->num, data, n), c->num = 0;\n len -= n;\n data += n;\n sha512_block_data_order(c->h, p, 1);\n }\n }\n\n if (len >= sizeof(c->p)) {\n sha512_block_data_order(c->h, data, len / sizeof(c->p));\n data += len;\n len %= sizeof(c->p);\n data -= len;\n }\n\n if (len != 0) {\n OPENSSL_memcpy(p, data, len);\n c->num = (int)len;\n }\n\n return bcm_infallible::approved;\n}\n\nbcm_infallible BCM_sha512_final(uint8_t out[BCM_SHA512_DIGEST_LENGTH],\n SHA512_CTX *sha) {\n // Ideally we would assert |sha->md_len| is |BCM_SHA512_DIGEST_LENGTH| to\n // match the size hint, but calling code often pairs |BCM_sha384_init| with\n // |BCM_sha512_final| and expects |sha->md_len| to carry the size over.\n //\n // TODO(davidben): Add an assert and fix code to match them up.\n sha512_final_impl(out, sha->md_len, sha);\n return bcm_infallible::approved;\n}\n\nstatic void sha512_final_impl(uint8_t *out, size_t md_len, SHA512_CTX *sha) {\n uint8_t *p = sha->p;\n size_t n = sha->num;\n\n p[n] = 0x80; // There always is a room for one\n n++;\n if (n > (sizeof(sha->p) - 16)) {\n OPENSSL_memset(p + n, 0, sizeof(sha->p) - n);\n n = 0;\n sha512_block_data_order(sha->h, p, 1);\n }\n\n OPENSSL_memset(p + n, 0, sizeof(sha->p) - 16 - n);\n CRYPTO_store_u64_be(p + sizeof(sha->p) - 16, sha->Nh);\n CRYPTO_store_u64_be(p + sizeof(sha->p) - 8, sha->Nl);\n\n sha512_block_data_order(sha->h, p, 1);\n\n assert(md_len % 8 == 0);\n const size_t out_words = md_len / 8;\n for (size_t i = 0; i < out_words; i++) {\n CRYPTO_store_u64_be(out, sha->h[i]);\n out += 8;\n }\n\n FIPS_service_indicator_update_state();\n}\n\n#if !defined(SHA512_ASM)\n\n#if !defined(SHA512_ASM_NOHW)\nstatic const uint64_t K512[80] = {\n UINT64_C(0x428a2f98d728ae22), UINT64_C(0x7137449123ef65cd),\n UINT64_C(0xb5c0fbcfec4d3b2f), UINT64_C(0xe9b5dba58189dbbc),\n UINT64_C(0x3956c25bf348b538), UINT64_C(0x59f111f1b605d019),\n UINT64_C(0x923f82a4af194f9b), UINT64_C(0xab1c5ed5da6d8118),\n UINT64_C(0xd807aa98a3030242), UINT64_C(0x12835b0145706fbe),\n UINT64_C(0x243185be4ee4b28c), UINT64_C(0x550c7dc3d5ffb4e2),\n UINT64_C(0x72be5d74f27b896f), UINT64_C(0x80deb1fe3b1696b1),\n UINT64_C(0x9bdc06a725c71235), UINT64_C(0xc19bf174cf692694),\n UINT64_C(0xe49b69c19ef14ad2), UINT64_C(0xefbe4786384f25e3),\n UINT64_C(0x0fc19dc68b8cd5b5), UINT64_C(0x240ca1cc77ac9c65),\n UINT64_C(0x2de92c6f592b0275), UINT64_C(0x4a7484aa6ea6e483),\n UINT64_C(0x5cb0a9dcbd41fbd4), UINT64_C(0x76f988da831153b5),\n UINT64_C(0x983e5152ee66dfab), UINT64_C(0xa831c66d2db43210),\n UINT64_C(0xb00327c898fb213f), UINT64_C(0xbf597fc7beef0ee4),\n UINT64_C(0xc6e00bf33da88fc2), UINT64_C(0xd5a79147930aa725),\n UINT64_C(0x06ca6351e003826f), UINT64_C(0x142929670a0e6e70),\n UINT64_C(0x27b70a8546d22ffc), UINT64_C(0x2e1b21385c26c926),\n UINT64_C(0x4d2c6dfc5ac42aed), UINT64_C(0x53380d139d95b3df),\n UINT64_C(0x650a73548baf63de), UINT64_C(0x766a0abb3c77b2a8),\n UINT64_C(0x81c2c92e47edaee6), UINT64_C(0x92722c851482353b),\n UINT64_C(0xa2bfe8a14cf10364), UINT64_C(0xa81a664bbc423001),\n UINT64_C(0xc24b8b70d0f89791), UINT64_C(0xc76c51a30654be30),\n UINT64_C(0xd192e819d6ef5218), UINT64_C(0xd69906245565a910),\n UINT64_C(0xf40e35855771202a), UINT64_C(0x106aa07032bbd1b8),\n UINT64_C(0x19a4c116b8d2d0c8), UINT64_C(0x1e376c085141ab53),\n UINT64_C(0x2748774cdf8eeb99), UINT64_C(0x34b0bcb5e19b48a8),\n UINT64_C(0x391c0cb3c5c95a63), UINT64_C(0x4ed8aa4ae3418acb),\n UINT64_C(0x5b9cca4f7763e373), UINT64_C(0x682e6ff3d6b2b8a3),\n UINT64_C(0x748f82ee5defb2fc), UINT64_C(0x78a5636f43172f60),\n UINT64_C(0x84c87814a1f0ab72), UINT64_C(0x8cc702081a6439ec),\n UINT64_C(0x90befffa23631e28), UINT64_C(0xa4506cebde82bde9),\n UINT64_C(0xbef9a3f7b2c67915), UINT64_C(0xc67178f2e372532b),\n UINT64_C(0xca273eceea26619c), UINT64_C(0xd186b8c721c0c207),\n UINT64_C(0xeada7dd6cde0eb1e), UINT64_C(0xf57d4f7fee6ed178),\n UINT64_C(0x06f067aa72176fba), UINT64_C(0x0a637dc5a2c898a6),\n UINT64_C(0x113f9804bef90dae), UINT64_C(0x1b710b35131c471b),\n UINT64_C(0x28db77f523047d84), UINT64_C(0x32caab7b40c72493),\n UINT64_C(0x3c9ebe0a15c9bebc), UINT64_C(0x431d67c49c100d4c),\n UINT64_C(0x4cc5d4becb3e42b6), UINT64_C(0x597f299cfc657e2a),\n UINT64_C(0x5fcb6fab3ad6faec), UINT64_C(0x6c44198c4a475817),\n};\n\n#define Sigma0(x) \\\n (CRYPTO_rotr_u64((x), 28) ^ CRYPTO_rotr_u64((x), 34) ^ \\\n CRYPTO_rotr_u64((x), 39))\n#define Sigma1(x) \\\n (CRYPTO_rotr_u64((x), 14) ^ CRYPTO_rotr_u64((x), 18) ^ \\\n CRYPTO_rotr_u64((x), 41))\n#define sigma0(x) \\\n (CRYPTO_rotr_u64((x), 1) ^ CRYPTO_rotr_u64((x), 8) ^ ((x) >> 7))\n#define sigma1(x) \\\n (CRYPTO_rotr_u64((x), 19) ^ CRYPTO_rotr_u64((x), 61) ^ ((x) >> 6))\n\n#define Ch(x, y, z) (((x) & (y)) ^ ((~(x)) & (z)))\n#define Maj(x, y, z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))\n\n\n#if defined(__i386) || defined(__i386__) || defined(_M_IX86)\n// This code should give better results on 32-bit CPU with less than\n// ~24 registers, both size and performance wise...\nstatic void sha512_block_data_order_nohw(uint64_t state[8], const uint8_t *in,\n size_t num) {\n uint64_t A, E, T;\n uint64_t X[9 + 80], *F;\n int i;\n\n while (num--) {\n F = X + 80;\n A = state[0];\n F[1] = state[1];\n F[2] = state[2];\n F[3] = state[3];\n E = state[4];\n F[5] = state[5];\n F[6] = state[6];\n F[7] = state[7];\n\n for (i = 0; i < 16; i++, F--) {\n T = CRYPTO_load_u64_be(in + i * 8);\n F[0] = A;\n F[4] = E;\n F[8] = T;\n T += F[7] + Sigma1(E) + Ch(E, F[5], F[6]) + K512[i];\n E = F[3] + T;\n A = T + Sigma0(A) + Maj(A, F[1], F[2]);\n }\n\n for (; i < 80; i++, F--) {\n T = sigma0(F[8 + 16 - 1]);\n T += sigma1(F[8 + 16 - 14]);\n T += F[8 + 16] + F[8 + 16 - 9];\n\n F[0] = A;\n F[4] = E;\n F[8] = T;\n T += F[7] + Sigma1(E) + Ch(E, F[5], F[6]) + K512[i];\n E = F[3] + T;\n A = T + Sigma0(A) + Maj(A, F[1], F[2]);\n }\n\n state[0] += A;\n state[1] += F[1];\n state[2] += F[2];\n state[3] += F[3];\n state[4] += E;\n state[5] += F[5];\n state[6] += F[6];\n state[7] += F[7];\n\n in += 16 * 8;\n }\n}\n\n#else\n\n#define ROUND_00_15(i, a, b, c, d, e, f, g, h) \\\n do { \\\n T1 += h + Sigma1(e) + Ch(e, f, g) + K512[i]; \\\n h = Sigma0(a) + Maj(a, b, c); \\\n d += T1; \\\n h += T1; \\\n } while (0)\n\n#define ROUND_16_80(i, j, a, b, c, d, e, f, g, h, X) \\\n do { \\\n s0 = X[(j + 1) & 0x0f]; \\\n s0 = sigma0(s0); \\\n s1 = X[(j + 14) & 0x0f]; \\\n s1 = sigma1(s1); \\\n T1 = X[(j) & 0x0f] += s0 + s1 + X[(j + 9) & 0x0f]; \\\n ROUND_00_15(i + j, a, b, c, d, e, f, g, h); \\\n } while (0)\n\nstatic void sha512_block_data_order_nohw(uint64_t state[8], const uint8_t *in,\n size_t num) {\n uint64_t a, b, c, d, e, f, g, h, s0, s1, T1;\n uint64_t X[16];\n int i;\n\n while (num--) {\n a = state[0];\n b = state[1];\n c = state[2];\n d = state[3];\n e = state[4];\n f = state[5];\n g = state[6];\n h = state[7];\n\n T1 = X[0] = CRYPTO_load_u64_be(in);\n ROUND_00_15(0, a, b, c, d, e, f, g, h);\n T1 = X[1] = CRYPTO_load_u64_be(in + 8);\n ROUND_00_15(1, h, a, b, c, d, e, f, g);\n T1 = X[2] = CRYPTO_load_u64_be(in + 2 * 8);\n ROUND_00_15(2, g, h, a, b, c, d, e, f);\n T1 = X[3] = CRYPTO_load_u64_be(in + 3 * 8);\n ROUND_00_15(3, f, g, h, a, b, c, d, e);\n T1 = X[4] = CRYPTO_load_u64_be(in + 4 * 8);\n ROUND_00_15(4, e, f, g, h, a, b, c, d);\n T1 = X[5] = CRYPTO_load_u64_be(in + 5 * 8);\n ROUND_00_15(5, d, e, f, g, h, a, b, c);\n T1 = X[6] = CRYPTO_load_u64_be(in + 6 * 8);\n ROUND_00_15(6, c, d, e, f, g, h, a, b);\n T1 = X[7] = CRYPTO_load_u64_be(in + 7 * 8);\n ROUND_00_15(7, b, c, d, e, f, g, h, a);\n T1 = X[8] = CRYPTO_load_u64_be(in + 8 * 8);\n ROUND_00_15(8, a, b, c, d, e, f, g, h);\n T1 = X[9] = CRYPTO_load_u64_be(in + 9 * 8);\n ROUND_00_15(9, h, a, b, c, d, e, f, g);\n T1 = X[10] = CRYPTO_load_u64_be(in + 10 * 8);\n ROUND_00_15(10, g, h, a, b, c, d, e, f);\n T1 = X[11] = CRYPTO_load_u64_be(in + 11 * 8);\n ROUND_00_15(11, f, g, h, a, b, c, d, e);\n T1 = X[12] = CRYPTO_load_u64_be(in + 12 * 8);\n ROUND_00_15(12, e, f, g, h, a, b, c, d);\n T1 = X[13] = CRYPTO_load_u64_be(in + 13 * 8);\n ROUND_00_15(13, d, e, f, g, h, a, b, c);\n T1 = X[14] = CRYPTO_load_u64_be(in + 14 * 8);\n ROUND_00_15(14, c, d, e, f, g, h, a, b);\n T1 = X[15] = CRYPTO_load_u64_be(in + 15 * 8);\n ROUND_00_15(15, b, c, d, e, f, g, h, a);\n\n for (i = 16; i < 80; i += 16) {\n ROUND_16_80(i, 0, a, b, c, d, e, f, g, h, X);\n ROUND_16_80(i, 1, h, a, b, c, d, e, f, g, X);\n ROUND_16_80(i, 2, g, h, a, b, c, d, e, f, X);\n ROUND_16_80(i, 3, f, g, h, a, b, c, d, e, X);\n ROUND_16_80(i, 4, e, f, g, h, a, b, c, d, X);\n ROUND_16_80(i, 5, d, e, f, g, h, a, b, c, X);\n ROUND_16_80(i, 6, c, d, e, f, g, h, a, b, X);\n ROUND_16_80(i, 7, b, c, d, e, f, g, h, a, X);\n ROUND_16_80(i, 8, a, b, c, d, e, f, g, h, X);\n ROUND_16_80(i, 9, h, a, b, c, d, e, f, g, X);\n ROUND_16_80(i, 10, g, h, a, b, c, d, e, f, X);\n ROUND_16_80(i, 11, f, g, h, a, b, c, d, e, X);\n ROUND_16_80(i, 12, e, f, g, h, a, b, c, d, X);\n ROUND_16_80(i, 13, d, e, f, g, h, a, b, c, X);\n ROUND_16_80(i, 14, c, d, e, f, g, h, a, b, X);\n ROUND_16_80(i, 15, b, c, d, e, f, g, h, a, X);\n }\n\n state[0] += a;\n state[1] += b;\n state[2] += c;\n state[3] += d;\n state[4] += e;\n state[5] += f;\n state[6] += g;\n state[7] += h;\n\n in += 16 * 8;\n }\n}\n\n#endif\n\n#endif // !SHA512_ASM_NOHW\n\nstatic void sha512_block_data_order(uint64_t state[8], const uint8_t *data,\n size_t num) {\n#if defined(SHA512_ASM_HW)\n if (sha512_hw_capable()) {\n sha512_block_data_order_hw(state, data, num);\n return;\n }\n#endif\n#if defined(SHA512_ASM_AVX)\n if (sha512_avx_capable()) {\n sha512_block_data_order_avx(state, data, num);\n return;\n }\n#endif\n#if defined(SHA512_ASM_SSSE3)\n if (sha512_ssse3_capable()) {\n sha512_block_data_order_ssse3(state, data, num);\n return;\n }\n#endif\n#if defined(SHA512_ASM_NEON)\n if (CRYPTO_is_NEON_capable()) {\n sha512_block_data_order_neon(state, data, num);\n return;\n }\n#endif\n sha512_block_data_order_nohw(state, data, num);\n}\n\n#endif // !SHA512_ASM\n\n#undef Sigma0\n#undef Sigma1\n#undef sigma0\n#undef sigma1\n#undef Ch\n#undef Maj\n#undef ROUND_00_15\n#undef ROUND_16_80\n" }, { "path": "Sources/CNIOBoringSSL/crypto/fipsmodule/slhdsa/address.h", "content": "/* Copyright 2024 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n#ifndef OPENSSL_HEADER_CRYPTO_FIPSMODULE_SLHDSA_ADDRESS_H\n#define OPENSSL_HEADER_CRYPTO_FIPSMODULE_SLHDSA_ADDRESS_H\n\n#include \n\n#include \"../../internal.h\"\n\n#if defined(__cplusplus)\nextern \"C\" {\n#endif\n\n\n// Offsets of various fields in the address structure for SLH-DSA-SHA2-128s.\n\n// The byte used to specify the Merkle tree layer.\n#define SLHDSA_SHA2_128S_OFFSET_LAYER 0\n\n// The start of the 8 byte field used to specify the tree.\n#define SLHDSA_SHA2_128S_OFFSET_TREE 1\n\n// The byte used to specify the hash type (reason).\n#define SLHDSA_SHA2_128S_OFFSET_TYPE 9\n\n// The high byte used to specify the key pair (which one-time signature).\n#define SLHDSA_SHA2_128S_OFFSET_KP_ADDR2 12\n\n// The low byte used to specific the key pair.\n#define SLHDSA_SHA2_128S_OFFSET_KP_ADDR1 13\n\n// The byte used to specify the chain address (which Winternitz chain).\n#define SLHDSA_SHA2_128S_OFFSET_CHAIN_ADDR 17\n\n// The byte used to specify the hash address (where in the Winternitz chain).\n#define SLHDSA_SHA2_128S_OFFSET_HASH_ADDR 21\n\n// The byte used to specify the height of this node in the FORS or Merkle tree.\n#define SLHDSA_SHA2_128S_OFFSET_TREE_HGT 17\n\n// The start of the 4 byte field used to specify the node in the FORS or Merkle\n// tree.\n#define SLHDSA_SHA2_128S_OFFSET_TREE_INDEX 18\n\n\ninline void slhdsa_set_chain_addr(uint8_t addr[32], uint32_t chain) {\n addr[SLHDSA_SHA2_128S_OFFSET_CHAIN_ADDR] = (uint8_t)chain;\n}\n\ninline void slhdsa_set_hash_addr(uint8_t addr[32], uint32_t hash) {\n addr[SLHDSA_SHA2_128S_OFFSET_HASH_ADDR] = (uint8_t)hash;\n}\n\ninline void slhdsa_set_keypair_addr(uint8_t addr[32], uint32_t keypair) {\n addr[SLHDSA_SHA2_128S_OFFSET_KP_ADDR2] = (uint8_t)(keypair >> 8);\n addr[SLHDSA_SHA2_128S_OFFSET_KP_ADDR1] = (uint8_t)keypair;\n}\n\ninline void slhdsa_copy_keypair_addr(uint8_t out[32], const uint8_t in[32]) {\n OPENSSL_memcpy(out, in, SLHDSA_SHA2_128S_OFFSET_TREE + 8);\n out[SLHDSA_SHA2_128S_OFFSET_KP_ADDR2] = in[SLHDSA_SHA2_128S_OFFSET_KP_ADDR2];\n out[SLHDSA_SHA2_128S_OFFSET_KP_ADDR1] = in[SLHDSA_SHA2_128S_OFFSET_KP_ADDR1];\n}\n\ninline void slhdsa_set_layer_addr(uint8_t addr[32], uint32_t layer) {\n addr[SLHDSA_SHA2_128S_OFFSET_LAYER] = (uint8_t)layer;\n}\n\ninline void slhdsa_set_tree_addr(uint8_t addr[32], uint64_t tree) {\n CRYPTO_store_u64_be(&addr[SLHDSA_SHA2_128S_OFFSET_TREE], tree);\n}\n\n#define SLHDSA_SHA2_128S_ADDR_TYPE_WOTS 0\n#define SLHDSA_SHA2_128S_ADDR_TYPE_WOTSPK 1\n#define SLHDSA_SHA2_128S_ADDR_TYPE_HASHTREE 2\n#define SLHDSA_SHA2_128S_ADDR_TYPE_FORSTREE 3\n#define SLHDSA_SHA2_128S_ADDR_TYPE_FORSPK 4\n#define SLHDSA_SHA2_128S_ADDR_TYPE_WOTSPRF 5\n#define SLHDSA_SHA2_128S_ADDR_TYPE_FORSPRF 6\n\ninline void slhdsa_set_type(uint8_t addr[32], uint32_t type) {\n // FIPS 205 relies on this setting parts of the address to 0, so we do it\n // here to avoid confusion.\n //\n // The behavior here is only correct for the SHA-2 instantiations.\n OPENSSL_memset(addr + 10, 0, 12);\n addr[SLHDSA_SHA2_128S_OFFSET_TYPE] = (uint8_t)type;\n}\n\ninline void slhdsa_set_tree_height(uint8_t addr[32], uint32_t tree_height) {\n addr[SLHDSA_SHA2_128S_OFFSET_TREE_HGT] = (uint8_t)tree_height;\n}\n\ninline void slhdsa_set_tree_index(uint8_t addr[32], uint32_t tree_index) {\n CRYPTO_store_u32_be(&addr[SLHDSA_SHA2_128S_OFFSET_TREE_INDEX], tree_index);\n}\n\ninline uint32_t slhdsa_get_tree_index(uint8_t addr[32]) {\n return CRYPTO_load_u32_be(addr + SLHDSA_SHA2_128S_OFFSET_TREE_INDEX);\n}\n\n\n#if defined(__cplusplus)\n} // extern C\n#endif\n\n#endif // OPENSSL_HEADER_CRYPTO_FIPSMODULE_SLHDSA_ADDRESS_H\n" }, { "path": "Sources/CNIOBoringSSL/crypto/fipsmodule/slhdsa/fors.cc.inc", "content": "/* Copyright 2024 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n#include \n\n#include \n#include \n\n#include \"../../internal.h\"\n#include \"./address.h\"\n#include \"./fors.h\"\n#include \"./params.h\"\n#include \"./thash.h\"\n\n// Compute the base 2^12 representation of `message` (algorithm 4, page 16).\nstatic void fors_base_b(\n uint16_t indices[SLHDSA_SHA2_128S_FORS_TREES],\n const uint8_t message[SLHDSA_SHA2_128S_FORS_MSG_BYTES]) {\n static_assert(SLHDSA_SHA2_128S_FORS_HEIGHT == 12, \"\");\n static_assert((SLHDSA_SHA2_128S_FORS_TREES & 1) == 0, \"\");\n\n const uint8_t *msg = message;\n for (size_t i = 0; i < SLHDSA_SHA2_128S_FORS_TREES; i += 2) {\n uint32_t val = ((uint32_t)msg[0] << 16) | ((uint32_t)msg[1] << 8) | msg[2];\n indices[i] = (val >> 12) & 0xFFF;\n indices[i + 1] = val & 0xFFF;\n msg += 3;\n }\n}\n\n// Implements Algorithm 14: fors_skGen function (page 29)\nvoid slhdsa_fors_sk_gen(uint8_t fors_sk[BCM_SLHDSA_SHA2_128S_N], uint32_t idx,\n const uint8_t sk_seed[BCM_SLHDSA_SHA2_128S_N],\n const uint8_t pk_seed[BCM_SLHDSA_SHA2_128S_N],\n uint8_t addr[32]) {\n uint8_t sk_addr[32];\n OPENSSL_memcpy(sk_addr, addr, sizeof(sk_addr));\n\n slhdsa_set_type(sk_addr, SLHDSA_SHA2_128S_ADDR_TYPE_FORSPRF);\n slhdsa_copy_keypair_addr(sk_addr, addr);\n slhdsa_set_tree_index(sk_addr, idx);\n slhdsa_thash_prf(fors_sk, pk_seed, sk_seed, sk_addr);\n}\n\n// Implements Algorithm 15: fors_node function (page 30)\nvoid slhdsa_fors_treehash(uint8_t root_node[BCM_SLHDSA_SHA2_128S_N],\n const uint8_t sk_seed[BCM_SLHDSA_SHA2_128S_N],\n uint32_t i /*target node index*/,\n uint32_t z /*target node height*/,\n const uint8_t pk_seed[BCM_SLHDSA_SHA2_128S_N],\n uint8_t addr[32]) {\n BSSL_CHECK(z <= SLHDSA_SHA2_128S_FORS_HEIGHT);\n BSSL_CHECK(i < (uint32_t)(SLHDSA_SHA2_128S_FORS_TREES *\n (1 << (SLHDSA_SHA2_128S_FORS_HEIGHT - z))));\n\n if (z == 0) {\n uint8_t sk[BCM_SLHDSA_SHA2_128S_N];\n slhdsa_set_tree_height(addr, 0);\n slhdsa_set_tree_index(addr, i);\n slhdsa_fors_sk_gen(sk, i, sk_seed, pk_seed, addr);\n slhdsa_thash_f(root_node, sk, pk_seed, addr);\n } else {\n // Stores left node and right node.\n uint8_t nodes[2 * BCM_SLHDSA_SHA2_128S_N];\n slhdsa_fors_treehash(nodes, sk_seed, 2 * i, z - 1, pk_seed, addr);\n slhdsa_fors_treehash(nodes + BCM_SLHDSA_SHA2_128S_N, sk_seed, 2 * i + 1, z - 1,\n pk_seed, addr);\n slhdsa_set_tree_height(addr, z);\n slhdsa_set_tree_index(addr, i);\n slhdsa_thash_h(root_node, nodes, pk_seed, addr);\n }\n}\n\n// Implements Algorithm 16: fors_sign function (page 31)\nvoid slhdsa_fors_sign(uint8_t fors_sig[SLHDSA_SHA2_128S_FORS_BYTES],\n const uint8_t message[SLHDSA_SHA2_128S_FORS_MSG_BYTES],\n const uint8_t sk_seed[BCM_SLHDSA_SHA2_128S_N],\n const uint8_t pk_seed[BCM_SLHDSA_SHA2_128S_N],\n uint8_t addr[32]) {\n uint16_t indices[SLHDSA_SHA2_128S_FORS_TREES];\n\n // Derive FORS indices compatible with the NIST changes.\n fors_base_b(indices, message);\n\n for (size_t i = 0; i < SLHDSA_SHA2_128S_FORS_TREES; ++i) {\n slhdsa_set_tree_height(addr, 0);\n // Write the FORS secret key element to the correct position.\n slhdsa_fors_sk_gen(\n fors_sig + i * BCM_SLHDSA_SHA2_128S_N * (SLHDSA_SHA2_128S_FORS_HEIGHT + 1),\n i * (1 << SLHDSA_SHA2_128S_FORS_HEIGHT) + indices[i], sk_seed, pk_seed,\n addr);\n for (size_t j = 0; j < SLHDSA_SHA2_128S_FORS_HEIGHT; ++j) {\n size_t s = (indices[i] / (1 << j)) ^ 1;\n // Write the FORS auth path element to the correct position.\n slhdsa_fors_treehash(\n fors_sig + BCM_SLHDSA_SHA2_128S_N *\n (i * (SLHDSA_SHA2_128S_FORS_HEIGHT + 1) + j + 1),\n sk_seed, i * (1ULL << (SLHDSA_SHA2_128S_FORS_HEIGHT - j)) + s, j,\n pk_seed, addr);\n }\n }\n}\n\n// Implements Algorithm 17: fors_pkFromSig function (page 32)\nvoid slhdsa_fors_pk_from_sig(\n uint8_t fors_pk[BCM_SLHDSA_SHA2_128S_N],\n const uint8_t fors_sig[SLHDSA_SHA2_128S_FORS_BYTES],\n const uint8_t message[SLHDSA_SHA2_128S_FORS_MSG_BYTES],\n const uint8_t pk_seed[BCM_SLHDSA_SHA2_128S_N], uint8_t addr[32]) {\n uint16_t indices[SLHDSA_SHA2_128S_FORS_TREES];\n uint8_t tmp[2 * BCM_SLHDSA_SHA2_128S_N];\n uint8_t roots[SLHDSA_SHA2_128S_FORS_TREES * BCM_SLHDSA_SHA2_128S_N];\n\n // Derive FORS indices compatible with the NIST changes.\n fors_base_b(indices, message);\n\n for (size_t i = 0; i < SLHDSA_SHA2_128S_FORS_TREES; ++i) {\n // Pointer to current sk and authentication path\n const uint8_t *sk =\n fors_sig + i * BCM_SLHDSA_SHA2_128S_N * (SLHDSA_SHA2_128S_FORS_HEIGHT + 1);\n const uint8_t *auth =\n fors_sig + i * BCM_SLHDSA_SHA2_128S_N * (SLHDSA_SHA2_128S_FORS_HEIGHT + 1) +\n BCM_SLHDSA_SHA2_128S_N;\n uint8_t nodes[2 * BCM_SLHDSA_SHA2_128S_N];\n\n slhdsa_set_tree_height(addr, 0);\n slhdsa_set_tree_index(\n addr, (i * (1 << SLHDSA_SHA2_128S_FORS_HEIGHT)) + indices[i]);\n\n slhdsa_thash_f(nodes, sk, pk_seed, addr);\n\n for (size_t j = 0; j < SLHDSA_SHA2_128S_FORS_HEIGHT; ++j) {\n slhdsa_set_tree_height(addr, j + 1);\n\n // Even node\n if (((indices[i] / (1 << j)) % 2) == 0) {\n slhdsa_set_tree_index(addr, slhdsa_get_tree_index(addr) / 2);\n OPENSSL_memcpy(tmp, nodes, BCM_SLHDSA_SHA2_128S_N);\n OPENSSL_memcpy(tmp + BCM_SLHDSA_SHA2_128S_N, auth + j * BCM_SLHDSA_SHA2_128S_N,\n BCM_SLHDSA_SHA2_128S_N);\n slhdsa_thash_h(nodes + BCM_SLHDSA_SHA2_128S_N, tmp, pk_seed, addr);\n } else {\n slhdsa_set_tree_index(addr, (slhdsa_get_tree_index(addr) - 1) / 2);\n OPENSSL_memcpy(tmp, auth + j * BCM_SLHDSA_SHA2_128S_N, BCM_SLHDSA_SHA2_128S_N);\n OPENSSL_memcpy(tmp + BCM_SLHDSA_SHA2_128S_N, nodes, BCM_SLHDSA_SHA2_128S_N);\n slhdsa_thash_h(nodes + BCM_SLHDSA_SHA2_128S_N, tmp, pk_seed, addr);\n }\n OPENSSL_memcpy(nodes, nodes + BCM_SLHDSA_SHA2_128S_N, BCM_SLHDSA_SHA2_128S_N);\n }\n OPENSSL_memcpy(roots + i * BCM_SLHDSA_SHA2_128S_N, nodes, BCM_SLHDSA_SHA2_128S_N);\n }\n\n uint8_t forspk_addr[32];\n OPENSSL_memcpy(forspk_addr, addr, sizeof(forspk_addr));\n slhdsa_set_type(forspk_addr, SLHDSA_SHA2_128S_ADDR_TYPE_FORSPK);\n slhdsa_copy_keypair_addr(forspk_addr, addr);\n slhdsa_thash_tk(fors_pk, roots, pk_seed, forspk_addr);\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/fipsmodule/slhdsa/fors.h", "content": "/* Copyright 2024 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n#ifndef OPENSSL_HEADER_CRYPTO_FIPSMODULE_SLHDSA_FORS_H\n#define OPENSSL_HEADER_CRYPTO_FIPSMODULE_SLHDSA_FORS_H\n\n#include \"./params.h\"\n\n#if defined(__cplusplus)\nextern \"C\" {\n#endif\n\n\n// Implements Algorithm 14: fors_skGen function (page 29)\nvoid slhdsa_fors_sk_gen(uint8_t fors_sk[BCM_SLHDSA_SHA2_128S_N], uint32_t idx,\n const uint8_t sk_seed[BCM_SLHDSA_SHA2_128S_N],\n const uint8_t pk_seed[BCM_SLHDSA_SHA2_128S_N],\n uint8_t addr[32]);\n\n// Implements Algorithm 15: fors_node function (page 30)\nvoid slhdsa_fors_treehash(uint8_t root_node[BCM_SLHDSA_SHA2_128S_N],\n const uint8_t sk_seed[BCM_SLHDSA_SHA2_128S_N],\n uint32_t i /*target node index*/,\n uint32_t z /*target node height*/,\n const uint8_t pk_seed[BCM_SLHDSA_SHA2_128S_N],\n uint8_t addr[32]);\n\n// Implements Algorithm 16: fors_sign function (page 31)\nvoid slhdsa_fors_sign(uint8_t fors_sig[SLHDSA_SHA2_128S_FORS_BYTES],\n const uint8_t message[SLHDSA_SHA2_128S_FORS_MSG_BYTES],\n const uint8_t sk_seed[BCM_SLHDSA_SHA2_128S_N],\n const uint8_t pk_seed[BCM_SLHDSA_SHA2_128S_N],\n uint8_t addr[32]);\n\n// Implements Algorithm 17: fors_pkFromSig function (page 32)\nvoid slhdsa_fors_pk_from_sig(\n uint8_t fors_pk[BCM_SLHDSA_SHA2_128S_N],\n const uint8_t fors_sig[SLHDSA_SHA2_128S_FORS_BYTES],\n const uint8_t message[SLHDSA_SHA2_128S_FORS_MSG_BYTES],\n const uint8_t pk_seed[BCM_SLHDSA_SHA2_128S_N], uint8_t addr[32]);\n\n\n#if defined(__cplusplus)\n} // extern C\n#endif\n\n#endif // OPENSSL_HEADER_CRYPTO_FIPSMODULE_SLHDSA_FORS_H\n" }, { "path": "Sources/CNIOBoringSSL/crypto/fipsmodule/slhdsa/merkle.cc.inc", "content": "/* Copyright 2024 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n#include \n\n#include \n\n#include \"../../internal.h\"\n#include \"./address.h\"\n#include \"./merkle.h\"\n#include \"./params.h\"\n#include \"./thash.h\"\n#include \"./wots.h\"\n\n\n// Implements Algorithm 9: xmss_node function (page 23)\nvoid slhdsa_treehash(uint8_t out_pk[BCM_SLHDSA_SHA2_128S_N],\n const uint8_t sk_seed[BCM_SLHDSA_SHA2_128S_N],\n uint32_t i /*target node index*/,\n uint32_t z /*target node height*/,\n const uint8_t pk_seed[BCM_SLHDSA_SHA2_128S_N],\n uint8_t addr[32]) {\n BSSL_CHECK(z <= SLHDSA_SHA2_128S_TREE_HEIGHT);\n BSSL_CHECK(i < (uint32_t)(1 << (SLHDSA_SHA2_128S_TREE_HEIGHT - z)));\n\n if (z == 0) {\n slhdsa_set_type(addr, SLHDSA_SHA2_128S_ADDR_TYPE_WOTS);\n slhdsa_set_keypair_addr(addr, i);\n slhdsa_wots_pk_gen(out_pk, sk_seed, pk_seed, addr);\n } else {\n // Stores left node and right node.\n uint8_t nodes[2 * BCM_SLHDSA_SHA2_128S_N];\n slhdsa_treehash(nodes, sk_seed, 2 * i, z - 1, pk_seed, addr);\n slhdsa_treehash(nodes + BCM_SLHDSA_SHA2_128S_N, sk_seed, 2 * i + 1, z - 1,\n pk_seed, addr);\n slhdsa_set_type(addr, SLHDSA_SHA2_128S_ADDR_TYPE_HASHTREE);\n slhdsa_set_tree_height(addr, z);\n slhdsa_set_tree_index(addr, i);\n slhdsa_thash_h(out_pk, nodes, pk_seed, addr);\n }\n}\n\n// Implements Algorithm 10: xmss_sign function (page 24)\nvoid slhdsa_xmss_sign(uint8_t sig[SLHDSA_SHA2_128S_XMSS_BYTES],\n const uint8_t msg[BCM_SLHDSA_SHA2_128S_N], unsigned int idx,\n const uint8_t sk_seed[BCM_SLHDSA_SHA2_128S_N],\n const uint8_t pk_seed[BCM_SLHDSA_SHA2_128S_N],\n uint8_t addr[32]) {\n // Build authentication path\n for (size_t j = 0; j < SLHDSA_SHA2_128S_TREE_HEIGHT; ++j) {\n unsigned int k = (idx >> j) ^ 1;\n slhdsa_treehash(sig + SLHDSA_SHA2_128S_WOTS_BYTES + j * BCM_SLHDSA_SHA2_128S_N,\n sk_seed, k, j, pk_seed, addr);\n }\n\n // Compute WOTS+ signature\n slhdsa_set_type(addr, SLHDSA_SHA2_128S_ADDR_TYPE_WOTS);\n slhdsa_set_keypair_addr(addr, idx);\n slhdsa_wots_sign(sig, msg, sk_seed, pk_seed, addr);\n}\n\n// Implements Algorithm 11: xmss_pkFromSig function (page 25)\nvoid slhdsa_xmss_pk_from_sig(\n uint8_t root[BCM_SLHDSA_SHA2_128S_N],\n const uint8_t xmss_sig[SLHDSA_SHA2_128S_XMSS_BYTES], unsigned int idx,\n const uint8_t msg[BCM_SLHDSA_SHA2_128S_N],\n const uint8_t pk_seed[BCM_SLHDSA_SHA2_128S_N], uint8_t addr[32]) {\n // Stores node[0] and node[1] from Algorithm 11\n slhdsa_set_type(addr, SLHDSA_SHA2_128S_ADDR_TYPE_WOTS);\n slhdsa_set_keypair_addr(addr, idx);\n uint8_t node[2 * BCM_SLHDSA_SHA2_128S_N];\n slhdsa_wots_pk_from_sig(node, xmss_sig, msg, pk_seed, addr);\n\n slhdsa_set_type(addr, SLHDSA_SHA2_128S_ADDR_TYPE_HASHTREE);\n slhdsa_set_tree_index(addr, idx);\n\n uint8_t tmp[2 * BCM_SLHDSA_SHA2_128S_N];\n const uint8_t *const auth = xmss_sig + SLHDSA_SHA2_128S_WOTS_BYTES;\n for (size_t k = 0; k < SLHDSA_SHA2_128S_TREE_HEIGHT; ++k) {\n slhdsa_set_tree_height(addr, k + 1);\n if (((idx >> k) & 1) == 0) {\n slhdsa_set_tree_index(addr, slhdsa_get_tree_index(addr) >> 1);\n OPENSSL_memcpy(tmp, node, BCM_SLHDSA_SHA2_128S_N);\n OPENSSL_memcpy(tmp + BCM_SLHDSA_SHA2_128S_N, auth + k * BCM_SLHDSA_SHA2_128S_N,\n BCM_SLHDSA_SHA2_128S_N);\n slhdsa_thash_h(node + BCM_SLHDSA_SHA2_128S_N, tmp, pk_seed, addr);\n } else {\n slhdsa_set_tree_index(addr, (slhdsa_get_tree_index(addr) - 1) >> 1);\n OPENSSL_memcpy(tmp, auth + k * BCM_SLHDSA_SHA2_128S_N, BCM_SLHDSA_SHA2_128S_N);\n OPENSSL_memcpy(tmp + BCM_SLHDSA_SHA2_128S_N, node, BCM_SLHDSA_SHA2_128S_N);\n slhdsa_thash_h(node + BCM_SLHDSA_SHA2_128S_N, tmp, pk_seed, addr);\n }\n OPENSSL_memcpy(node, node + BCM_SLHDSA_SHA2_128S_N, BCM_SLHDSA_SHA2_128S_N);\n }\n OPENSSL_memcpy(root, node, BCM_SLHDSA_SHA2_128S_N);\n}\n\n// Implements Algorithm 12: ht_sign function (page 27)\nvoid slhdsa_ht_sign(\n uint8_t sig[SLHDSA_SHA2_128S_XMSS_BYTES * SLHDSA_SHA2_128S_D],\n const uint8_t message[BCM_SLHDSA_SHA2_128S_N], uint64_t idx_tree,\n uint32_t idx_leaf, const uint8_t sk_seed[BCM_SLHDSA_SHA2_128S_N],\n const uint8_t pk_seed[BCM_SLHDSA_SHA2_128S_N]) {\n uint8_t addr[32] = {0};\n slhdsa_set_tree_addr(addr, idx_tree);\n\n // Layer 0\n slhdsa_xmss_sign(sig, message, idx_leaf, sk_seed, pk_seed, addr);\n uint8_t root[BCM_SLHDSA_SHA2_128S_N];\n slhdsa_xmss_pk_from_sig(root, sig, idx_leaf, message, pk_seed, addr);\n sig += SLHDSA_SHA2_128S_XMSS_BYTES;\n\n // All other layers\n for (size_t j = 1; j < SLHDSA_SHA2_128S_D; ++j) {\n idx_leaf = idx_tree % (1 << SLHDSA_SHA2_128S_TREE_HEIGHT);\n idx_tree = idx_tree >> SLHDSA_SHA2_128S_TREE_HEIGHT;\n slhdsa_set_layer_addr(addr, j);\n slhdsa_set_tree_addr(addr, idx_tree);\n slhdsa_xmss_sign(sig, root, idx_leaf, sk_seed, pk_seed, addr);\n if (j < (SLHDSA_SHA2_128S_D - 1)) {\n slhdsa_xmss_pk_from_sig(root, sig, idx_leaf, root, pk_seed, addr);\n }\n\n sig += SLHDSA_SHA2_128S_XMSS_BYTES;\n }\n}\n\n// Implements Algorithm 13: ht_verify function (page 28)\nint slhdsa_ht_verify(\n const uint8_t sig[SLHDSA_SHA2_128S_D * SLHDSA_SHA2_128S_XMSS_BYTES],\n const uint8_t message[BCM_SLHDSA_SHA2_128S_N], uint64_t idx_tree,\n uint32_t idx_leaf, const uint8_t pk_root[BCM_SLHDSA_SHA2_128S_N],\n const uint8_t pk_seed[BCM_SLHDSA_SHA2_128S_N]) {\n uint8_t addr[32] = {0};\n slhdsa_set_tree_addr(addr, idx_tree);\n\n uint8_t node[BCM_SLHDSA_SHA2_128S_N];\n slhdsa_xmss_pk_from_sig(node, sig, idx_leaf, message, pk_seed, addr);\n\n for (size_t j = 1; j < SLHDSA_SHA2_128S_D; ++j) {\n idx_leaf = idx_tree % (1 << SLHDSA_SHA2_128S_TREE_HEIGHT);\n idx_tree = idx_tree >> SLHDSA_SHA2_128S_TREE_HEIGHT;\n slhdsa_set_layer_addr(addr, j);\n slhdsa_set_tree_addr(addr, idx_tree);\n\n slhdsa_xmss_pk_from_sig(node, sig + j * SLHDSA_SHA2_128S_XMSS_BYTES,\n idx_leaf, node, pk_seed, addr);\n }\n return memcmp(node, pk_root, BCM_SLHDSA_SHA2_128S_N) == 0;\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/fipsmodule/slhdsa/merkle.h", "content": "/* Copyright 2024 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n#ifndef OPENSSL_HEADER_CRYPTO_FIPSMODULE_SLHDSA_MERKLE_H\n#define OPENSSL_HEADER_CRYPTO_FIPSMODULE_SLHDSA_MERKLE_H\n\n#include \n\n#include \n\n#include \"./params.h\"\n\n#if defined(__cplusplus)\nextern \"C\" {\n#endif\n\n\n// Implements Algorithm 9: xmss_node function (page 23)\nvoid slhdsa_treehash(uint8_t out_pk[BCM_SLHDSA_SHA2_128S_N],\n const uint8_t sk_seed[BCM_SLHDSA_SHA2_128S_N],\n uint32_t i /*target node index*/,\n uint32_t z /*target node height*/,\n const uint8_t pk_seed[BCM_SLHDSA_SHA2_128S_N],\n uint8_t addr[32]);\n\n// Implements Algorithm 10: xmss_sign function (page 24)\nvoid slhdsa_xmss_sign(uint8_t sig[SLHDSA_SHA2_128S_XMSS_BYTES],\n const uint8_t msg[BCM_SLHDSA_SHA2_128S_N], unsigned int idx,\n const uint8_t sk_seed[BCM_SLHDSA_SHA2_128S_N],\n const uint8_t pk_seed[BCM_SLHDSA_SHA2_128S_N],\n uint8_t addr[32]);\n\n// Implements Algorithm 11: xmss_pkFromSig function (page 25)\nvoid slhdsa_xmss_pk_from_sig(\n uint8_t root[BCM_SLHDSA_SHA2_128S_N],\n const uint8_t xmss_sig[SLHDSA_SHA2_128S_XMSS_BYTES], unsigned int idx,\n const uint8_t msg[BCM_SLHDSA_SHA2_128S_N],\n const uint8_t pk_seed[BCM_SLHDSA_SHA2_128S_N], uint8_t addr[32]);\n\n// Implements Algorithm 12: ht_sign function (page 27)\nvoid slhdsa_ht_sign(\n uint8_t sig[SLHDSA_SHA2_128S_D * SLHDSA_SHA2_128S_XMSS_BYTES],\n const uint8_t message[BCM_SLHDSA_SHA2_128S_N], uint64_t idx_tree,\n uint32_t idx_leaf, const uint8_t sk_seed[BCM_SLHDSA_SHA2_128S_N],\n const uint8_t pk_seed[BCM_SLHDSA_SHA2_128S_N]);\n\n// Implements Algorithm 13: ht_verify function (page 28)\nint slhdsa_ht_verify(\n const uint8_t sig[SLHDSA_SHA2_128S_D * SLHDSA_SHA2_128S_XMSS_BYTES],\n const uint8_t message[BCM_SLHDSA_SHA2_128S_N], uint64_t idx_tree,\n uint32_t idx_leaf, const uint8_t pk_root[BCM_SLHDSA_SHA2_128S_N],\n const uint8_t pk_seed[BCM_SLHDSA_SHA2_128S_N]);\n\n\n#if defined(__cplusplus)\n} // extern C\n#endif\n\n#endif // OPENSSL_HEADER_CRYPTO_FIPSMODULE_SLHDSA_MERKLE_H\n" }, { "path": "Sources/CNIOBoringSSL/crypto/fipsmodule/slhdsa/params.h", "content": "/* Copyright 2024 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n#ifndef OPENSSL_HEADER_CRYPTO_FIPSMODULE_SLHDSA_PARAMS_H\n#define OPENSSL_HEADER_CRYPTO_FIPSMODULE_SLHDSA_PARAMS_H\n\n#include \n#include \"../bcm_interface.h\"\n\n#if defined(__cplusplus)\nextern \"C\" {\n#endif\n\n// Total height of the tree structure.\n#define SLHDSA_SHA2_128S_FULL_HEIGHT 63\n// Number of subtree layers.\n#define SLHDSA_SHA2_128S_D 7\n// Height of the trees on each layer\n#define SLHDSA_SHA2_128S_TREE_HEIGHT 9\n// Height of each individual FORS tree.\n#define SLHDSA_SHA2_128S_FORS_HEIGHT 12\n// Total number of FORS tree used.\n#define SLHDSA_SHA2_128S_FORS_TREES 14\n// Size of a FORS signature\n#define SLHDSA_SHA2_128S_FORS_BYTES \\\n ((SLHDSA_SHA2_128S_FORS_HEIGHT + 1) * SLHDSA_SHA2_128S_FORS_TREES * \\\n BCM_SLHDSA_SHA2_128S_N)\n\n// Winternitz parameter and derived values\n#define SLHDSA_SHA2_128S_WOTS_W 16\n#define SLHDSA_SHA2_128S_WOTS_LOG_W 4\n#define SLHDSA_SHA2_128S_WOTS_LEN1 32\n#define SLHDSA_SHA2_128S_WOTS_LEN2 3\n#define SLHDSA_SHA2_128S_WOTS_LEN 35\n#define SLHDSA_SHA2_128S_WOTS_BYTES \\\n (BCM_SLHDSA_SHA2_128S_N * SLHDSA_SHA2_128S_WOTS_LEN)\n\n// XMSS sizes\n#define SLHDSA_SHA2_128S_XMSS_BYTES \\\n (SLHDSA_SHA2_128S_WOTS_BYTES + \\\n (BCM_SLHDSA_SHA2_128S_N * SLHDSA_SHA2_128S_TREE_HEIGHT))\n\n// Size of the message digest (NOTE: This is only correct for the SHA-256 params\n// here)\n#define SLHDSA_SHA2_128S_DIGEST_SIZE \\\n (((SLHDSA_SHA2_128S_FORS_TREES * SLHDSA_SHA2_128S_FORS_HEIGHT) / 8) + \\\n (((SLHDSA_SHA2_128S_FULL_HEIGHT - SLHDSA_SHA2_128S_TREE_HEIGHT) / 8) + 1) + \\\n (SLHDSA_SHA2_128S_TREE_HEIGHT / 8) + 1)\n\n// Compressed address size when using SHA-256\n#define SLHDSA_SHA2_128S_SHA256_ADDR_BYTES 22\n\n// Size of the FORS message hash\n#define SLHDSA_SHA2_128S_FORS_MSG_BYTES \\\n ((SLHDSA_SHA2_128S_FORS_HEIGHT * SLHDSA_SHA2_128S_FORS_TREES + 7) / 8)\n#define SLHDSA_SHA2_128S_TREE_BITS \\\n (SLHDSA_SHA2_128S_TREE_HEIGHT * (SLHDSA_SHA2_128S_D - 1))\n#define SLHDSA_SHA2_128S_TREE_BYTES ((SLHDSA_SHA2_128S_TREE_BITS + 7) / 8)\n#define SLHDSA_SHA2_128S_LEAF_BITS SLHDSA_SHA2_128S_TREE_HEIGHT\n#define SLHDSA_SHA2_128S_LEAF_BYTES ((SLHDSA_SHA2_128S_LEAF_BITS + 7) / 8)\n\n\n#if defined(__cplusplus)\n} // extern C\n#endif\n\n#endif // OPENSSL_HEADER_CRYPTO_FIPSMODULE_SLHDSA_PARAMS_H\n" }, { "path": "Sources/CNIOBoringSSL/crypto/fipsmodule/slhdsa/slhdsa.cc.inc", "content": "/* Copyright 2014 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n#include \n\n#include \n\n#include \n#include \n#include \n\n#include \"../../internal.h\"\n#include \"../bcm_interface.h\"\n#include \"address.h\"\n#include \"fors.h\"\n#include \"merkle.h\"\n#include \"params.h\"\n#include \"thash.h\"\n\n\n// The OBJECT IDENTIFIER header is also included in these values, per the spec.\nstatic const uint8_t kSHA256OID[] = {0x06, 0x09, 0x60, 0x86, 0x48, 0x01,\n 0x65, 0x03, 0x04, 0x02, 0x01};\nstatic const uint8_t kSHA384OID[] = {0x06, 0x09, 0x60, 0x86, 0x48, 0x01,\n 0x65, 0x03, 0x04, 0x02, 0x02};\n#define MAX_OID_LENGTH 11\n#define MAX_CONTEXT_LENGTH 255\n\nbcm_infallible BCM_slhdsa_sha2_128s_generate_key_from_seed(\n uint8_t out_public_key[BCM_SLHDSA_SHA2_128S_PUBLIC_KEY_BYTES],\n uint8_t out_secret_key[BCM_SLHDSA_SHA2_128S_PRIVATE_KEY_BYTES],\n const uint8_t seed[3 * BCM_SLHDSA_SHA2_128S_N]) {\n // Initialize SK.seed || SK.prf || PK.seed from seed.\n OPENSSL_memcpy(out_secret_key, seed, 3 * BCM_SLHDSA_SHA2_128S_N);\n\n // Initialize PK.seed from seed.\n OPENSSL_memcpy(out_public_key, seed + 2 * BCM_SLHDSA_SHA2_128S_N,\n BCM_SLHDSA_SHA2_128S_N);\n\n uint8_t addr[32] = {0};\n slhdsa_set_layer_addr(addr, SLHDSA_SHA2_128S_D - 1);\n\n // Set PK.root\n slhdsa_treehash(out_public_key + BCM_SLHDSA_SHA2_128S_N, out_secret_key, 0,\n SLHDSA_SHA2_128S_TREE_HEIGHT, out_public_key, addr);\n OPENSSL_memcpy(out_secret_key + 3 * BCM_SLHDSA_SHA2_128S_N,\n out_public_key + BCM_SLHDSA_SHA2_128S_N,\n BCM_SLHDSA_SHA2_128S_N);\n return bcm_infallible::approved;\n}\n\nbcm_infallible BCM_slhdsa_sha2_128s_generate_key(\n uint8_t out_public_key[BCM_SLHDSA_SHA2_128S_PUBLIC_KEY_BYTES],\n uint8_t out_private_key[BCM_SLHDSA_SHA2_128S_PRIVATE_KEY_BYTES]) {\n uint8_t seed[3 * BCM_SLHDSA_SHA2_128S_N];\n RAND_bytes(seed, 3 * BCM_SLHDSA_SHA2_128S_N);\n BCM_slhdsa_sha2_128s_generate_key_from_seed(out_public_key, out_private_key,\n seed);\n return bcm_infallible::approved;\n}\n\nbcm_infallible BCM_slhdsa_sha2_128s_public_from_private(\n uint8_t out_public_key[BCM_SLHDSA_SHA2_128S_PUBLIC_KEY_BYTES],\n const uint8_t private_key[BCM_SLHDSA_SHA2_128S_PRIVATE_KEY_BYTES]) {\n OPENSSL_memcpy(out_public_key, private_key + 2 * BCM_SLHDSA_SHA2_128S_N,\n BCM_SLHDSA_SHA2_128S_N * 2);\n return bcm_infallible::approved;\n}\n\n// Note that this overreads by a byte. This is fine in the context that it's\n// used.\nstatic uint64_t load_tree_index(const uint8_t in[8]) {\n static_assert(SLHDSA_SHA2_128S_TREE_BYTES == 7,\n \"This code needs to be updated\");\n uint64_t index = CRYPTO_load_u64_be(in);\n index >>= 8;\n index &= (~(uint64_t)0) >> (64 - SLHDSA_SHA2_128S_TREE_BITS);\n return index;\n}\n\n// Implements Algorithm 22: slh_sign function (Section 10.2.1, page 39)\nbcm_infallible BCM_slhdsa_sha2_128s_sign_internal(\n uint8_t out_signature[BCM_SLHDSA_SHA2_128S_SIGNATURE_BYTES],\n const uint8_t secret_key[BCM_SLHDSA_SHA2_128S_PRIVATE_KEY_BYTES],\n const uint8_t header[BCM_SLHDSA_M_PRIME_HEADER_LEN], const uint8_t *context,\n size_t context_len, const uint8_t *msg, size_t msg_len,\n const uint8_t entropy[BCM_SLHDSA_SHA2_128S_N]) {\n const uint8_t *sk_seed = secret_key;\n const uint8_t *sk_prf = secret_key + BCM_SLHDSA_SHA2_128S_N;\n const uint8_t *pk_seed = secret_key + 2 * BCM_SLHDSA_SHA2_128S_N;\n const uint8_t *pk_root = secret_key + 3 * BCM_SLHDSA_SHA2_128S_N;\n\n // Derive randomizer R and copy it to signature\n uint8_t R[BCM_SLHDSA_SHA2_128S_N];\n slhdsa_thash_prfmsg(R, sk_prf, entropy, header, context, context_len, msg,\n msg_len);\n OPENSSL_memcpy(out_signature, R, BCM_SLHDSA_SHA2_128S_N);\n\n // Compute message digest\n uint8_t digest[SLHDSA_SHA2_128S_DIGEST_SIZE];\n slhdsa_thash_hmsg(digest, R, pk_seed, pk_root, header, context, context_len,\n msg, msg_len);\n\n uint8_t fors_digest[SLHDSA_SHA2_128S_FORS_MSG_BYTES];\n OPENSSL_memcpy(fors_digest, digest, SLHDSA_SHA2_128S_FORS_MSG_BYTES);\n\n const uint64_t idx_tree =\n load_tree_index(digest + SLHDSA_SHA2_128S_FORS_MSG_BYTES);\n uint32_t idx_leaf = CRYPTO_load_u16_be(\n digest + SLHDSA_SHA2_128S_FORS_MSG_BYTES + SLHDSA_SHA2_128S_TREE_BYTES);\n idx_leaf &= (~(uint32_t)0) >> (32 - SLHDSA_SHA2_128S_LEAF_BITS);\n\n uint8_t addr[32] = {0};\n slhdsa_set_tree_addr(addr, idx_tree);\n slhdsa_set_type(addr, SLHDSA_SHA2_128S_ADDR_TYPE_FORSTREE);\n slhdsa_set_keypair_addr(addr, idx_leaf);\n\n slhdsa_fors_sign(out_signature + BCM_SLHDSA_SHA2_128S_N, fors_digest, sk_seed,\n pk_seed, addr);\n\n uint8_t pk_fors[BCM_SLHDSA_SHA2_128S_N];\n slhdsa_fors_pk_from_sig(pk_fors, out_signature + BCM_SLHDSA_SHA2_128S_N,\n fors_digest, pk_seed, addr);\n\n slhdsa_ht_sign(\n out_signature + BCM_SLHDSA_SHA2_128S_N + SLHDSA_SHA2_128S_FORS_BYTES,\n pk_fors, idx_tree, idx_leaf, sk_seed, pk_seed);\n return bcm_infallible::approved;\n}\n\nbcm_status BCM_slhdsa_sha2_128s_sign(\n uint8_t out_signature[BCM_SLHDSA_SHA2_128S_SIGNATURE_BYTES],\n const uint8_t private_key[BCM_SLHDSA_SHA2_128S_PRIVATE_KEY_BYTES],\n const uint8_t *msg, size_t msg_len, const uint8_t *context,\n size_t context_len) {\n if (context_len > MAX_CONTEXT_LENGTH) {\n return bcm_status::failure;\n }\n\n // Construct header for M' as specified in Algorithm 22\n uint8_t M_prime_header[2];\n M_prime_header[0] = 0; // domain separator for pure signing\n M_prime_header[1] = (uint8_t)context_len;\n\n uint8_t entropy[BCM_SLHDSA_SHA2_128S_N];\n RAND_bytes(entropy, sizeof(entropy));\n BCM_slhdsa_sha2_128s_sign_internal(out_signature, private_key, M_prime_header,\n context, context_len, msg, msg_len,\n entropy);\n return bcm_status::approved;\n}\n\nstatic int slhdsa_get_context_and_oid(uint8_t *out_context_and_oid,\n size_t *out_context_and_oid_len,\n size_t max_out_context_and_oid,\n const uint8_t *context,\n size_t context_len, int hash_nid,\n size_t hashed_msg_len) {\n const uint8_t *oid;\n size_t oid_len;\n size_t expected_hash_len;\n switch (hash_nid) {\n case NID_sha256:\n oid = kSHA256OID;\n oid_len = sizeof(kSHA256OID);\n static_assert(sizeof(kSHA256OID) <= MAX_OID_LENGTH, \"\");\n expected_hash_len = 32;\n break;\n\n // The SLH-DSA spec only lists SHA-256 and SHA-512. This function also\n // supports SHA-384, which is non-standard.\n case NID_sha384:\n oid = kSHA384OID;\n oid_len = sizeof(kSHA384OID);\n static_assert(sizeof(kSHA384OID) <= MAX_OID_LENGTH, \"\");\n expected_hash_len = 48;\n break;\n\n // If adding a hash function with a larger `oid_len`, update the size of\n // `context_and_oid` in the callers.\n default:\n return 0;\n }\n\n if (hashed_msg_len != expected_hash_len) {\n return 0;\n }\n\n *out_context_and_oid_len = context_len + oid_len;\n if (*out_context_and_oid_len > max_out_context_and_oid) {\n return 0;\n }\n\n OPENSSL_memcpy(out_context_and_oid, context, context_len);\n OPENSSL_memcpy(out_context_and_oid + context_len, oid, oid_len);\n\n return 1;\n}\n\n\nbcm_status BCM_slhdsa_sha2_128s_prehash_sign(\n uint8_t out_signature[BCM_SLHDSA_SHA2_128S_SIGNATURE_BYTES],\n const uint8_t private_key[BCM_SLHDSA_SHA2_128S_PRIVATE_KEY_BYTES],\n const uint8_t *hashed_msg, size_t hashed_msg_len, int hash_nid,\n const uint8_t *context, size_t context_len) {\n if (context_len > MAX_CONTEXT_LENGTH) {\n return bcm_status::failure;\n }\n\n uint8_t M_prime_header[2];\n M_prime_header[0] = 1; // domain separator for prehashed signing\n M_prime_header[1] = (uint8_t)context_len;\n\n uint8_t context_and_oid[MAX_CONTEXT_LENGTH + MAX_OID_LENGTH];\n size_t context_and_oid_len;\n if (!slhdsa_get_context_and_oid(context_and_oid, &context_and_oid_len,\n sizeof(context_and_oid), context, context_len,\n hash_nid, hashed_msg_len)) {\n return bcm_status::failure;\n }\n\n uint8_t entropy[BCM_SLHDSA_SHA2_128S_N];\n RAND_bytes(entropy, sizeof(entropy));\n BCM_slhdsa_sha2_128s_sign_internal(out_signature, private_key, M_prime_header,\n context_and_oid, context_and_oid_len,\n hashed_msg, hashed_msg_len, entropy);\n return bcm_status::approved;\n}\n\n// Implements Algorithm 24: slh_verify function (Section 10.3, page 41)\nbcm_status BCM_slhdsa_sha2_128s_verify(\n const uint8_t *signature, size_t signature_len,\n const uint8_t public_key[BCM_SLHDSA_SHA2_128S_PUBLIC_KEY_BYTES],\n const uint8_t *msg, size_t msg_len, const uint8_t *context,\n size_t context_len) {\n if (context_len > MAX_CONTEXT_LENGTH) {\n return bcm_status::failure;\n }\n\n // Construct header for M' as specified in Algorithm 24\n uint8_t M_prime_header[2];\n M_prime_header[0] = 0; // domain separator for pure verification\n M_prime_header[1] = (uint8_t)context_len;\n\n return BCM_slhdsa_sha2_128s_verify_internal(\n signature, signature_len, public_key, M_prime_header, context,\n context_len, msg, msg_len);\n}\n\nbcm_status BCM_slhdsa_sha2_128s_prehash_verify(\n const uint8_t *signature, size_t signature_len,\n const uint8_t public_key[BCM_SLHDSA_SHA2_128S_PUBLIC_KEY_BYTES],\n const uint8_t *hashed_msg, size_t hashed_msg_len, int hash_nid,\n const uint8_t *context, size_t context_len) {\n if (context_len > MAX_CONTEXT_LENGTH) {\n return bcm_status::failure;\n }\n\n uint8_t M_prime_header[2];\n M_prime_header[0] = 1; // domain separator for prehashed verification\n M_prime_header[1] = (uint8_t)context_len;\n\n uint8_t context_and_oid[MAX_CONTEXT_LENGTH + MAX_OID_LENGTH];\n size_t context_and_oid_len;\n if (!slhdsa_get_context_and_oid(context_and_oid, &context_and_oid_len,\n sizeof(context_and_oid), context, context_len,\n hash_nid, hashed_msg_len)) {\n return bcm_status::failure;\n }\n\n return BCM_slhdsa_sha2_128s_verify_internal(\n signature, signature_len, public_key, M_prime_header, context_and_oid,\n context_and_oid_len, hashed_msg, hashed_msg_len);\n}\n\nbcm_status BCM_slhdsa_sha2_128s_verify_internal(\n const uint8_t *signature, size_t signature_len,\n const uint8_t public_key[BCM_SLHDSA_SHA2_128S_PUBLIC_KEY_BYTES],\n const uint8_t header[BCM_SLHDSA_M_PRIME_HEADER_LEN], const uint8_t *context,\n size_t context_len, const uint8_t *msg, size_t msg_len) {\n if (signature_len != BCM_SLHDSA_SHA2_128S_SIGNATURE_BYTES) {\n return bcm_status::failure;\n }\n const uint8_t *pk_seed = public_key;\n const uint8_t *pk_root = public_key + BCM_SLHDSA_SHA2_128S_N;\n\n const uint8_t *r = signature;\n const uint8_t *sig_fors = signature + BCM_SLHDSA_SHA2_128S_N;\n const uint8_t *sig_ht = sig_fors + SLHDSA_SHA2_128S_FORS_BYTES;\n\n uint8_t digest[SLHDSA_SHA2_128S_DIGEST_SIZE];\n slhdsa_thash_hmsg(digest, r, pk_seed, pk_root, header, context, context_len,\n msg, msg_len);\n\n uint8_t fors_digest[SLHDSA_SHA2_128S_FORS_MSG_BYTES];\n OPENSSL_memcpy(fors_digest, digest, SLHDSA_SHA2_128S_FORS_MSG_BYTES);\n\n const uint64_t idx_tree =\n load_tree_index(digest + SLHDSA_SHA2_128S_FORS_MSG_BYTES);\n uint32_t idx_leaf = CRYPTO_load_u16_be(\n digest + SLHDSA_SHA2_128S_FORS_MSG_BYTES + SLHDSA_SHA2_128S_TREE_BYTES);\n idx_leaf &= (~(uint32_t)0) >> (32 - SLHDSA_SHA2_128S_LEAF_BITS);\n\n uint8_t addr[32] = {0};\n slhdsa_set_tree_addr(addr, idx_tree);\n slhdsa_set_type(addr, SLHDSA_SHA2_128S_ADDR_TYPE_FORSTREE);\n slhdsa_set_keypair_addr(addr, idx_leaf);\n\n uint8_t pk_fors[BCM_SLHDSA_SHA2_128S_N];\n slhdsa_fors_pk_from_sig(pk_fors, sig_fors, fors_digest, pk_seed, addr);\n\n if (!slhdsa_ht_verify(sig_ht, pk_fors, idx_tree, idx_leaf, pk_root,\n pk_seed)) {\n return bcm_status::failure;\n }\n\n return bcm_status::approved;\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/fipsmodule/slhdsa/thash.cc.inc", "content": "/* Copyright 2024 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n#include \n\n#include \n#include \n\n#include \n\n#include \"../../internal.h\"\n#include \"./params.h\"\n#include \"./thash.h\"\n\n\n// Internal thash function used by F, H, and T_l (Section 11.2, pages 44-46)\nstatic void slhdsa_thash(uint8_t output[BCM_SLHDSA_SHA2_128S_N],\n const uint8_t *input, size_t input_blocks,\n const uint8_t pk_seed[BCM_SLHDSA_SHA2_128S_N],\n uint8_t addr[32]) {\n SHA256_CTX sha256;\n SHA256_Init(&sha256);\n\n // Process pubseed with padding to full block.\n static const uint8_t kZeros[64 - BCM_SLHDSA_SHA2_128S_N] = {0};\n SHA256_Update(&sha256, pk_seed, BCM_SLHDSA_SHA2_128S_N);\n SHA256_Update(&sha256, kZeros, sizeof(kZeros));\n SHA256_Update(&sha256, addr, SLHDSA_SHA2_128S_SHA256_ADDR_BYTES);\n SHA256_Update(&sha256, input, input_blocks * BCM_SLHDSA_SHA2_128S_N);\n\n uint8_t hash[32];\n SHA256_Final(hash, &sha256);\n OPENSSL_memcpy(output, hash, BCM_SLHDSA_SHA2_128S_N);\n}\n\n// Implements PRF_msg function (Section 4.1, page 11 and Section 11.2, pages\n// 44-46)\nvoid slhdsa_thash_prfmsg(uint8_t output[BCM_SLHDSA_SHA2_128S_N],\n const uint8_t sk_prf[BCM_SLHDSA_SHA2_128S_N],\n const uint8_t entropy[BCM_SLHDSA_SHA2_128S_N],\n const uint8_t header[BCM_SLHDSA_M_PRIME_HEADER_LEN],\n const uint8_t *ctx, size_t ctx_len, const uint8_t *msg,\n size_t msg_len) {\n // Compute HMAC-SHA256(sk_prf, entropy || header || ctx || msg). We inline\n // HMAC to avoid an allocation.\n uint8_t hmac_key[SHA256_CBLOCK];\n static_assert(BCM_SLHDSA_SHA2_128S_N <= SHA256_CBLOCK,\n \"HMAC key is larger than block size\");\n OPENSSL_memcpy(hmac_key, sk_prf, BCM_SLHDSA_SHA2_128S_N);\n for (size_t i = 0; i < BCM_SLHDSA_SHA2_128S_N; i++) {\n hmac_key[i] ^= 0x36;\n }\n OPENSSL_memset(hmac_key + BCM_SLHDSA_SHA2_128S_N, 0x36,\n sizeof(hmac_key) - BCM_SLHDSA_SHA2_128S_N);\n\n SHA256_CTX sha_ctx;\n SHA256_Init(&sha_ctx);\n SHA256_Update(&sha_ctx, hmac_key, sizeof(hmac_key));\n SHA256_Update(&sha_ctx, entropy, BCM_SLHDSA_SHA2_128S_N);\n if (header) {\n SHA256_Update(&sha_ctx, header, BCM_SLHDSA_M_PRIME_HEADER_LEN);\n }\n SHA256_Update(&sha_ctx, ctx, ctx_len);\n SHA256_Update(&sha_ctx, msg, msg_len);\n uint8_t hash[SHA256_DIGEST_LENGTH];\n SHA256_Final(hash, &sha_ctx);\n\n for (size_t i = 0; i < BCM_SLHDSA_SHA2_128S_N; i++) {\n hmac_key[i] ^= 0x36 ^ 0x5c;\n }\n OPENSSL_memset(hmac_key + BCM_SLHDSA_SHA2_128S_N, 0x5c,\n sizeof(hmac_key) - BCM_SLHDSA_SHA2_128S_N);\n\n SHA256_Init(&sha_ctx);\n SHA256_Update(&sha_ctx, hmac_key, sizeof(hmac_key));\n SHA256_Update(&sha_ctx, hash, sizeof(hash));\n SHA256_Final(hash, &sha_ctx);\n\n // Truncate to BCM_SLHDSA_SHA2_128S_N bytes\n OPENSSL_memcpy(output, hash, BCM_SLHDSA_SHA2_128S_N);\n}\n\n// Implements H_msg function (Section 4.1, page 11 and Section 11.2, pages\n// 44-46)\nvoid slhdsa_thash_hmsg(uint8_t output[SLHDSA_SHA2_128S_DIGEST_SIZE],\n const uint8_t r[BCM_SLHDSA_SHA2_128S_N],\n const uint8_t pk_seed[BCM_SLHDSA_SHA2_128S_N],\n const uint8_t pk_root[BCM_SLHDSA_SHA2_128S_N],\n const uint8_t header[BCM_SLHDSA_M_PRIME_HEADER_LEN],\n const uint8_t *ctx, size_t ctx_len, const uint8_t *msg,\n size_t msg_len) {\n // MGF1-SHA-256(R || PK.seed || SHA-256(R || PK.seed || PK.root || header ||\n // ctx || M), m) input_buffer stores R || PK_SEED || SHA256(..) || 4-byte\n // index\n uint8_t input_buffer[2 * BCM_SLHDSA_SHA2_128S_N + 32 + 4] = {0};\n OPENSSL_memcpy(input_buffer, r, BCM_SLHDSA_SHA2_128S_N);\n OPENSSL_memcpy(input_buffer + BCM_SLHDSA_SHA2_128S_N, pk_seed,\n BCM_SLHDSA_SHA2_128S_N);\n\n // Inner hash\n SHA256_CTX sha_ctx;\n SHA256_Init(&sha_ctx);\n SHA256_Update(&sha_ctx, r, BCM_SLHDSA_SHA2_128S_N);\n SHA256_Update(&sha_ctx, pk_seed, BCM_SLHDSA_SHA2_128S_N);\n SHA256_Update(&sha_ctx, pk_root, BCM_SLHDSA_SHA2_128S_N);\n if (header) {\n SHA256_Update(&sha_ctx, header, BCM_SLHDSA_M_PRIME_HEADER_LEN);\n }\n SHA256_Update(&sha_ctx, ctx, ctx_len);\n SHA256_Update(&sha_ctx, msg, msg_len);\n // Write directly into the input buffer\n SHA256_Final(input_buffer + 2 * BCM_SLHDSA_SHA2_128S_N, &sha_ctx);\n\n // MGF1-SHA-256\n uint8_t hash[32];\n static_assert(SLHDSA_SHA2_128S_DIGEST_SIZE < sizeof(hash),\n \"More MGF1 iterations required\");\n SHA256(input_buffer, sizeof(input_buffer), hash);\n OPENSSL_memcpy(output, hash, SLHDSA_SHA2_128S_DIGEST_SIZE);\n}\n\n// Implements PRF function (Section 4.1, page 11 and Section 11.2, pages 44-46)\nvoid slhdsa_thash_prf(uint8_t output[BCM_SLHDSA_SHA2_128S_N],\n const uint8_t pk_seed[BCM_SLHDSA_SHA2_128S_N],\n const uint8_t sk_seed[BCM_SLHDSA_SHA2_128S_N],\n uint8_t addr[32]) {\n slhdsa_thash(output, sk_seed, 1, pk_seed, addr);\n}\n\n// Implements T_l function for WOTS+ public key compression (Section 4.1, page\n// 11 and Section 11.2, pages 44-46)\nvoid slhdsa_thash_tl(uint8_t output[BCM_SLHDSA_SHA2_128S_N],\n const uint8_t input[SLHDSA_SHA2_128S_WOTS_BYTES],\n const uint8_t pk_seed[BCM_SLHDSA_SHA2_128S_N],\n uint8_t addr[32]) {\n slhdsa_thash(output, input, SLHDSA_SHA2_128S_WOTS_LEN, pk_seed, addr);\n}\n\n// Implements H function (Section 4.1, page 11 and Section 11.2, pages 44-46)\nvoid slhdsa_thash_h(uint8_t output[BCM_SLHDSA_SHA2_128S_N],\n const uint8_t input[2 * BCM_SLHDSA_SHA2_128S_N],\n const uint8_t pk_seed[BCM_SLHDSA_SHA2_128S_N],\n uint8_t addr[32]) {\n slhdsa_thash(output, input, 2, pk_seed, addr);\n}\n\n// Implements F function (Section 4.1, page 11 and Section 11.2, pages 44-46)\nvoid slhdsa_thash_f(uint8_t output[BCM_SLHDSA_SHA2_128S_N],\n const uint8_t input[BCM_SLHDSA_SHA2_128S_N],\n const uint8_t pk_seed[BCM_SLHDSA_SHA2_128S_N],\n uint8_t addr[32]) {\n slhdsa_thash(output, input, 1, pk_seed, addr);\n}\n\n// Implements T_k function for FORS public key compression (Section 4.1, page 11\n// and Section 11.2, pages 44-46)\nvoid slhdsa_thash_tk(\n uint8_t output[BCM_SLHDSA_SHA2_128S_N],\n const uint8_t input[SLHDSA_SHA2_128S_FORS_TREES * BCM_SLHDSA_SHA2_128S_N],\n const uint8_t pk_seed[BCM_SLHDSA_SHA2_128S_N], uint8_t addr[32]) {\n slhdsa_thash(output, input, SLHDSA_SHA2_128S_FORS_TREES, pk_seed, addr);\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/fipsmodule/slhdsa/thash.h", "content": "/* Copyright 2024 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n#ifndef OPENSSL_HEADER_CRYPTO_FIPSMODULE_SLHDSA_THASH_H\n#define OPENSSL_HEADER_CRYPTO_FIPSMODULE_SLHDSA_THASH_H\n\n#include \"./params.h\"\n\n#if defined(__cplusplus)\nextern \"C\" {\n#endif\n\n\n// Implements PRF_msg: a pseudo-random function that is used to generate the\n// randomizer r for the randomized hashing of the message to be signed.\n// (Section 4.1, page 11)\nvoid slhdsa_thash_prfmsg(uint8_t output[BCM_SLHDSA_SHA2_128S_N],\n const uint8_t sk_prf[BCM_SLHDSA_SHA2_128S_N],\n const uint8_t opt_rand[BCM_SLHDSA_SHA2_128S_N],\n const uint8_t header[BCM_SLHDSA_M_PRIME_HEADER_LEN],\n const uint8_t *ctx, size_t ctx_len, const uint8_t *msg,\n size_t msg_len);\n\n// Implements H_msg: a hash function used to generate the digest of the message\n// to be signed. (Section 4.1, page 11)\nvoid slhdsa_thash_hmsg(uint8_t output[SLHDSA_SHA2_128S_DIGEST_SIZE],\n const uint8_t r[BCM_SLHDSA_SHA2_128S_N],\n const uint8_t pk_seed[BCM_SLHDSA_SHA2_128S_N],\n const uint8_t pk_root[BCM_SLHDSA_SHA2_128S_N],\n const uint8_t header[BCM_SLHDSA_M_PRIME_HEADER_LEN],\n const uint8_t *ctx, size_t ctx_len, const uint8_t *msg,\n size_t msg_len);\n\n// Implements PRF: a pseudo-random function that is used to generate the secret\n// values in WOTS+ and FORS private keys. (Section 4.1, page 11)\nvoid slhdsa_thash_prf(uint8_t output[BCM_SLHDSA_SHA2_128S_N],\n const uint8_t pk_seed[BCM_SLHDSA_SHA2_128S_N],\n const uint8_t sk_seed[BCM_SLHDSA_SHA2_128S_N],\n uint8_t addr[32]);\n\n// Implements T_l: a hash function that maps an l*n-byte message to an n-byte\n// message. Used for WOTS+ public key compression. (Section 4.1, page 11)\nvoid slhdsa_thash_tl(uint8_t output[BCM_SLHDSA_SHA2_128S_N],\n const uint8_t input[SLHDSA_SHA2_128S_WOTS_BYTES],\n const uint8_t pk_seed[BCM_SLHDSA_SHA2_128S_N],\n uint8_t addr[32]);\n\n// Implements H: a hash function that takes a 2*n-byte message as input and\n// produces an n-byte output. (Section 4.1, page 11)\nvoid slhdsa_thash_h(uint8_t output[BCM_SLHDSA_SHA2_128S_N],\n const uint8_t input[2 * BCM_SLHDSA_SHA2_128S_N],\n const uint8_t pk_seed[BCM_SLHDSA_SHA2_128S_N],\n uint8_t addr[32]);\n\n// Implements F: a hash function that takes an n-byte message as input and\n// produces an n-byte output. (Section 4.1, page 11)\nvoid slhdsa_thash_f(uint8_t output[BCM_SLHDSA_SHA2_128S_N],\n const uint8_t input[BCM_SLHDSA_SHA2_128S_N],\n const uint8_t pk_seed[BCM_SLHDSA_SHA2_128S_N],\n uint8_t addr[32]);\n\n// Implements T_k: a hash function that maps a k*n-byte message to an n-byte\n// message. Used for FORS public key compression. (Section 4.1, page 11)\nvoid slhdsa_thash_tk(\n uint8_t output[BCM_SLHDSA_SHA2_128S_N],\n const uint8_t input[SLHDSA_SHA2_128S_FORS_TREES * BCM_SLHDSA_SHA2_128S_N],\n const uint8_t pk_seed[BCM_SLHDSA_SHA2_128S_N], uint8_t addr[32]);\n\n\n#if defined(__cplusplus)\n} // extern C\n#endif\n\n#endif // OPENSSL_HEADER_CRYPTO_FIPSMODULE_SLHDSA_THASH_H\n" }, { "path": "Sources/CNIOBoringSSL/crypto/fipsmodule/slhdsa/wots.cc.inc", "content": "/* Copyright 2024 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n#include \n\n#include \n#include \n#include \n\n#include \"../../internal.h\"\n#include \"./address.h\"\n#include \"./params.h\"\n#include \"./thash.h\"\n#include \"./wots.h\"\n\n\n// Implements Algorithm 5: chain function, page 18\nstatic void chain(uint8_t output[BCM_SLHDSA_SHA2_128S_N],\n const uint8_t input[BCM_SLHDSA_SHA2_128S_N], uint32_t start,\n uint32_t steps, const uint8_t pub_seed[BCM_SLHDSA_SHA2_128S_N],\n uint8_t addr[32]) {\n assert(start < SLHDSA_SHA2_128S_WOTS_W);\n assert(steps < SLHDSA_SHA2_128S_WOTS_W);\n\n OPENSSL_memcpy(output, input, BCM_SLHDSA_SHA2_128S_N);\n\n for (size_t i = start; i < (start + steps) && i < SLHDSA_SHA2_128S_WOTS_W;\n ++i) {\n slhdsa_set_hash_addr(addr, i);\n slhdsa_thash_f(output, output, pub_seed, addr);\n }\n}\n\nstatic void slhdsa_wots_do_chain(uint8_t out[BCM_SLHDSA_SHA2_128S_N],\n uint8_t sk_addr[32], uint8_t addr[32],\n uint8_t value,\n const uint8_t sk_seed[BCM_SLHDSA_SHA2_128S_N],\n const uint8_t pub_seed[BCM_SLHDSA_SHA2_128S_N],\n uint32_t chain_index) {\n uint8_t tmp_sk[BCM_SLHDSA_SHA2_128S_N];\n slhdsa_set_chain_addr(sk_addr, chain_index);\n slhdsa_thash_prf(tmp_sk, pub_seed, sk_seed, sk_addr);\n slhdsa_set_chain_addr(addr, chain_index);\n chain(out, tmp_sk, 0, value, pub_seed, addr);\n}\n\n// Implements Algorithm 6: wots_pkGen function, page 18\nvoid slhdsa_wots_pk_gen(uint8_t pk[BCM_SLHDSA_SHA2_128S_N],\n const uint8_t sk_seed[BCM_SLHDSA_SHA2_128S_N],\n const uint8_t pub_seed[BCM_SLHDSA_SHA2_128S_N],\n uint8_t addr[32]) {\n uint8_t wots_pk_addr[32], sk_addr[32];\n OPENSSL_memcpy(wots_pk_addr, addr, sizeof(wots_pk_addr));\n OPENSSL_memcpy(sk_addr, addr, sizeof(sk_addr));\n slhdsa_set_type(sk_addr, SLHDSA_SHA2_128S_ADDR_TYPE_WOTSPRF);\n slhdsa_copy_keypair_addr(sk_addr, addr);\n\n uint8_t tmp[SLHDSA_SHA2_128S_WOTS_BYTES];\n for (size_t i = 0; i < SLHDSA_SHA2_128S_WOTS_LEN; ++i) {\n slhdsa_wots_do_chain(tmp + i * BCM_SLHDSA_SHA2_128S_N, sk_addr, addr,\n SLHDSA_SHA2_128S_WOTS_W - 1, sk_seed, pub_seed, i);\n }\n\n // Compress pk\n slhdsa_set_type(wots_pk_addr, SLHDSA_SHA2_128S_ADDR_TYPE_WOTSPK);\n slhdsa_copy_keypair_addr(wots_pk_addr, addr);\n slhdsa_thash_tl(pk, tmp, pub_seed, wots_pk_addr);\n}\n\n// Implements Algorithm 7: wots_sign function, page 20\nvoid slhdsa_wots_sign(uint8_t sig[SLHDSA_SHA2_128S_WOTS_BYTES],\n const uint8_t msg[BCM_SLHDSA_SHA2_128S_N],\n const uint8_t sk_seed[BCM_SLHDSA_SHA2_128S_N],\n const uint8_t pub_seed[BCM_SLHDSA_SHA2_128S_N],\n uint8_t addr[32]) {\n // Compute checksum\n static_assert(SLHDSA_SHA2_128S_WOTS_LEN1 == BCM_SLHDSA_SHA2_128S_N * 2, \"\");\n uint16_t csum = 0;\n for (size_t i = 0; i < BCM_SLHDSA_SHA2_128S_N; ++i) {\n csum += SLHDSA_SHA2_128S_WOTS_W - 1 - (msg[i] >> 4);\n csum += SLHDSA_SHA2_128S_WOTS_W - 1 - (msg[i] & 15);\n }\n\n // Compute chains\n uint8_t sk_addr[32];\n OPENSSL_memcpy(sk_addr, addr, sizeof(sk_addr));\n slhdsa_set_type(sk_addr, SLHDSA_SHA2_128S_ADDR_TYPE_WOTSPRF);\n slhdsa_copy_keypair_addr(sk_addr, addr);\n\n uint32_t chain_index = 0;\n for (size_t i = 0; i < BCM_SLHDSA_SHA2_128S_N; ++i) {\n slhdsa_wots_do_chain(sig, sk_addr, addr, msg[i] >> 4, sk_seed, pub_seed,\n chain_index++);\n sig += BCM_SLHDSA_SHA2_128S_N;\n\n slhdsa_wots_do_chain(sig, sk_addr, addr, msg[i] & 15, sk_seed, pub_seed,\n chain_index++);\n sig += BCM_SLHDSA_SHA2_128S_N;\n }\n\n // Include the SLHDSA_SHA2_128S_WOTS_LEN2 checksum values.\n slhdsa_wots_do_chain(sig, sk_addr, addr, (csum >> 8) & 15, sk_seed, pub_seed,\n chain_index++);\n sig += BCM_SLHDSA_SHA2_128S_N;\n slhdsa_wots_do_chain(sig, sk_addr, addr, (csum >> 4) & 15, sk_seed, pub_seed,\n chain_index++);\n sig += BCM_SLHDSA_SHA2_128S_N;\n slhdsa_wots_do_chain(sig, sk_addr, addr, csum & 15, sk_seed, pub_seed,\n chain_index++);\n}\n\nstatic void slhdsa_wots_pk_from_sig_do_chain(\n uint8_t out[SLHDSA_SHA2_128S_WOTS_BYTES], uint8_t addr[32],\n const uint8_t in[SLHDSA_SHA2_128S_WOTS_BYTES], uint8_t value,\n const uint8_t pub_seed[BCM_SLHDSA_SHA2_128S_N], uint32_t chain_index) {\n slhdsa_set_chain_addr(addr, chain_index);\n chain(out + chain_index * BCM_SLHDSA_SHA2_128S_N,\n in + chain_index * BCM_SLHDSA_SHA2_128S_N, value,\n SLHDSA_SHA2_128S_WOTS_W - 1 - value, pub_seed, addr);\n}\n\n// Implements Algorithm 8: wots_pkFromSig function, page 21\nvoid slhdsa_wots_pk_from_sig(uint8_t pk[BCM_SLHDSA_SHA2_128S_N],\n const uint8_t sig[SLHDSA_SHA2_128S_WOTS_BYTES],\n const uint8_t msg[BCM_SLHDSA_SHA2_128S_N],\n const uint8_t pub_seed[BCM_SLHDSA_SHA2_128S_N],\n uint8_t addr[32]) {\n // Compute checksum\n static_assert(SLHDSA_SHA2_128S_WOTS_LEN1 == BCM_SLHDSA_SHA2_128S_N * 2, \"\");\n uint16_t csum = 0;\n for (size_t i = 0; i < BCM_SLHDSA_SHA2_128S_N; ++i) {\n csum += SLHDSA_SHA2_128S_WOTS_W - 1 - (msg[i] >> 4);\n csum += SLHDSA_SHA2_128S_WOTS_W - 1 - (msg[i] & 15);\n }\n\n uint8_t tmp[SLHDSA_SHA2_128S_WOTS_BYTES];\n uint8_t wots_pk_addr[32];\n OPENSSL_memcpy(wots_pk_addr, addr, sizeof(wots_pk_addr));\n\n uint32_t chain_index = 0;\n static_assert(SLHDSA_SHA2_128S_WOTS_LEN1 == BCM_SLHDSA_SHA2_128S_N * 2, \"\");\n for (size_t i = 0; i < BCM_SLHDSA_SHA2_128S_N; ++i) {\n slhdsa_wots_pk_from_sig_do_chain(tmp, addr, sig, msg[i] >> 4, pub_seed,\n chain_index++);\n slhdsa_wots_pk_from_sig_do_chain(tmp, addr, sig, msg[i] & 15, pub_seed,\n chain_index++);\n }\n\n slhdsa_wots_pk_from_sig_do_chain(tmp, addr, sig, csum >> 8, pub_seed,\n chain_index++);\n slhdsa_wots_pk_from_sig_do_chain(tmp, addr, sig, (csum >> 4) & 15, pub_seed,\n chain_index++);\n slhdsa_wots_pk_from_sig_do_chain(tmp, addr, sig, csum & 15, pub_seed,\n chain_index++);\n\n // Compress pk\n slhdsa_set_type(wots_pk_addr, SLHDSA_SHA2_128S_ADDR_TYPE_WOTSPK);\n slhdsa_copy_keypair_addr(wots_pk_addr, addr);\n slhdsa_thash_tl(pk, tmp, pub_seed, wots_pk_addr);\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/fipsmodule/slhdsa/wots.h", "content": "/* Copyright 2024 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n#ifndef OPENSSL_HEADER_CRYPTO_FIPSMODULE_SLHDSA_WOTS_H\n#define OPENSSL_HEADER_CRYPTO_FIPSMODULE_SLHDSA_WOTS_H\n\n#include \"./params.h\"\n\n#if defined(__cplusplus)\nextern \"C\" {\n#endif\n\n\n// Implements Algorithm 6: wots_pkGen function, page 18\nvoid slhdsa_wots_pk_gen(uint8_t pk[BCM_SLHDSA_SHA2_128S_N],\n const uint8_t sk_seed[BCM_SLHDSA_SHA2_128S_N],\n const uint8_t pub_seed[BCM_SLHDSA_SHA2_128S_N],\n uint8_t addr[32]);\n\n// Implements Algorithm 7: wots_sign function, page 20\nvoid slhdsa_wots_sign(uint8_t sig[SLHDSA_SHA2_128S_WOTS_BYTES],\n const uint8_t msg[BCM_SLHDSA_SHA2_128S_N],\n const uint8_t sk_seed[BCM_SLHDSA_SHA2_128S_N],\n const uint8_t pub_seed[BCM_SLHDSA_SHA2_128S_N],\n uint8_t addr[32]);\n\n// Implements Algorithm 8: wots_pkFromSig function, page 21\nvoid slhdsa_wots_pk_from_sig(uint8_t pk[BCM_SLHDSA_SHA2_128S_N],\n const uint8_t sig[SLHDSA_SHA2_128S_WOTS_BYTES],\n const uint8_t msg[BCM_SLHDSA_SHA2_128S_N],\n const uint8_t pub_seed[BCM_SLHDSA_SHA2_128S_N],\n uint8_t addr[32]);\n\n\n#if defined(__cplusplus)\n} // extern C\n#endif\n\n#endif // OPENSSL_HEADER_CRYPTO_FIPSMODULE_SLHDSA_WOTS_H\n" }, { "path": "Sources/CNIOBoringSSL/crypto/fipsmodule/tls/internal.h", "content": "/* Copyright 2018 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n#ifndef OPENSSL_HEADER_CRYPTO_FIPSMODULE_TLS_INTERNAL_H\n#define OPENSSL_HEADER_CRYPTO_FIPSMODULE_TLS_INTERNAL_H\n\n#include \n\n#if defined(__cplusplus)\nextern \"C\" {\n#endif\n\n\n// tls1_prf calculates |out_len| bytes of the TLS PDF, using |digest|, and\n// writes them to |out|. It returns one on success and zero on error.\nOPENSSL_EXPORT int CRYPTO_tls1_prf(const EVP_MD *digest,\n uint8_t *out, size_t out_len,\n const uint8_t *secret, size_t secret_len,\n const char *label, size_t label_len,\n const uint8_t *seed1, size_t seed1_len,\n const uint8_t *seed2, size_t seed2_len);\n\n// CRYPTO_tls13_hkdf_expand_label computes the TLS 1.3 KDF function of the same\n// name. See https://www.rfc-editor.org/rfc/rfc8446#section-7.1.\nOPENSSL_EXPORT int CRYPTO_tls13_hkdf_expand_label(\n uint8_t *out, size_t out_len, const EVP_MD *digest, //\n const uint8_t *secret, size_t secret_len, //\n const uint8_t *label, size_t label_len, //\n const uint8_t *hash, size_t hash_len);\n\n\n#if defined(__cplusplus)\n}\n#endif\n\n#endif // OPENSSL_HEADER_CRYPTO_FIPSMODULE_TLS_INTERNAL_H\n" }, { "path": "Sources/CNIOBoringSSL/crypto/fipsmodule/tls/kdf.cc.inc", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n#include \n#include \n#include \n#include \n\n#include \"internal.h\"\n#include \"../../internal.h\"\n#include \"../service_indicator/internal.h\"\n\n\n// tls1_P_hash computes the TLS P_ function as described in RFC 5246,\n// section 5. It XORs |out_len| bytes to |out|, using |md| as the hash and\n// |secret| as the secret. |label|, |seed1|, and |seed2| are concatenated to\n// form the seed parameter. It returns true on success and false on failure.\nstatic int tls1_P_hash(uint8_t *out, size_t out_len,\n const EVP_MD *md,\n const uint8_t *secret, size_t secret_len,\n const char *label, size_t label_len,\n const uint8_t *seed1, size_t seed1_len,\n const uint8_t *seed2, size_t seed2_len) {\n HMAC_CTX ctx, ctx_tmp, ctx_init;\n uint8_t A1[EVP_MAX_MD_SIZE];\n unsigned A1_len;\n int ret = 0;\n\n const size_t chunk = EVP_MD_size(md);\n HMAC_CTX_init(&ctx);\n HMAC_CTX_init(&ctx_tmp);\n HMAC_CTX_init(&ctx_init);\n\n if (!HMAC_Init_ex(&ctx_init, secret, secret_len, md, NULL) ||\n !HMAC_CTX_copy_ex(&ctx, &ctx_init) ||\n !HMAC_Update(&ctx, (const uint8_t *) label, label_len) ||\n !HMAC_Update(&ctx, seed1, seed1_len) ||\n !HMAC_Update(&ctx, seed2, seed2_len) ||\n !HMAC_Final(&ctx, A1, &A1_len)) {\n goto err;\n }\n\n for (;;) {\n unsigned len_u;\n uint8_t hmac[EVP_MAX_MD_SIZE];\n if (!HMAC_CTX_copy_ex(&ctx, &ctx_init) ||\n !HMAC_Update(&ctx, A1, A1_len) ||\n // Save a copy of |ctx| to compute the next A1 value below.\n (out_len > chunk && !HMAC_CTX_copy_ex(&ctx_tmp, &ctx)) ||\n !HMAC_Update(&ctx, (const uint8_t *) label, label_len) ||\n !HMAC_Update(&ctx, seed1, seed1_len) ||\n !HMAC_Update(&ctx, seed2, seed2_len) ||\n !HMAC_Final(&ctx, hmac, &len_u)) {\n goto err;\n }\n size_t len = len_u;\n assert(len == chunk);\n\n // XOR the result into |out|.\n if (len > out_len) {\n len = out_len;\n }\n for (size_t i = 0; i < len; i++) {\n out[i] ^= hmac[i];\n }\n out += len;\n out_len -= len;\n\n if (out_len == 0) {\n break;\n }\n\n // Calculate the next A1 value.\n if (!HMAC_Final(&ctx_tmp, A1, &A1_len)) {\n goto err;\n }\n }\n\n ret = 1;\n\nerr:\n OPENSSL_cleanse(A1, sizeof(A1));\n HMAC_CTX_cleanup(&ctx);\n HMAC_CTX_cleanup(&ctx_tmp);\n HMAC_CTX_cleanup(&ctx_init);\n return ret;\n}\n\nint CRYPTO_tls1_prf(const EVP_MD *digest,\n uint8_t *out, size_t out_len,\n const uint8_t *secret, size_t secret_len,\n const char *label, size_t label_len,\n const uint8_t *seed1, size_t seed1_len,\n const uint8_t *seed2, size_t seed2_len) {\n if (out_len == 0) {\n return 1;\n }\n\n OPENSSL_memset(out, 0, out_len);\n\n const EVP_MD *const original_digest = digest;\n FIPS_service_indicator_lock_state();\n int ret = 0;\n\n if (digest == EVP_md5_sha1()) {\n // If using the MD5/SHA1 PRF, |secret| is partitioned between MD5 and SHA-1.\n size_t secret_half = secret_len - (secret_len / 2);\n if (!tls1_P_hash(out, out_len, EVP_md5(), secret, secret_half, label,\n label_len, seed1, seed1_len, seed2, seed2_len)) {\n goto end;\n }\n\n // Note that, if |secret_len| is odd, the two halves share a byte.\n secret += secret_len - secret_half;\n secret_len = secret_half;\n digest = EVP_sha1();\n }\n\n ret = tls1_P_hash(out, out_len, digest, secret, secret_len, label, label_len,\n seed1, seed1_len, seed2, seed2_len);\n\nend:\n FIPS_service_indicator_unlock_state();\n if (ret) {\n TLSKDF_verify_service_indicator(original_digest);\n }\n return ret;\n}\n\nint CRYPTO_tls13_hkdf_expand_label(uint8_t *out, size_t out_len,\n const EVP_MD *digest, //\n const uint8_t *secret, size_t secret_len,\n const uint8_t *label, size_t label_len,\n const uint8_t *hash, size_t hash_len) {\n static const uint8_t kProtocolLabel[] = \"tls13 \";\n CBB cbb, child;\n uint8_t *hkdf_label = NULL;\n size_t hkdf_label_len;\n\n FIPS_service_indicator_lock_state();\n CBB_zero(&cbb);\n if (!CBB_init(&cbb, 2 + 1 + sizeof(kProtocolLabel) - 1 + label_len + 1 +\n hash_len) ||\n !CBB_add_u16(&cbb, out_len) ||\n !CBB_add_u8_length_prefixed(&cbb, &child) ||\n !CBB_add_bytes(&child, kProtocolLabel, sizeof(kProtocolLabel) - 1) ||\n !CBB_add_bytes(&child, label, label_len) ||\n !CBB_add_u8_length_prefixed(&cbb, &child) ||\n !CBB_add_bytes(&child, hash, hash_len) ||\n !CBB_finish(&cbb, &hkdf_label, &hkdf_label_len)) {\n CBB_cleanup(&cbb);\n FIPS_service_indicator_unlock_state();\n return 0;\n }\n\n const int ret = HKDF_expand(out, out_len, digest, secret, secret_len,\n hkdf_label, hkdf_label_len);\n OPENSSL_free(hkdf_label);\n\n FIPS_service_indicator_unlock_state();\n if (ret) {\n TLSKDF_verify_service_indicator(digest);\n }\n return ret;\n}\n\n" }, { "path": "Sources/CNIOBoringSSL/crypto/hpke/hpke.cc", "content": "/* Copyright 2020 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n#include \n\n#include \n#include \n\n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n\n#include \"../fipsmodule/ec/internal.h\"\n#include \"../internal.h\"\n\n\n// This file implements RFC 9180.\n\n#define MAX_SEED_LEN X25519_PRIVATE_KEY_LEN\n#define MAX_SHARED_SECRET_LEN SHA256_DIGEST_LENGTH\n\nstruct evp_hpke_kem_st {\n uint16_t id;\n size_t public_key_len;\n size_t private_key_len;\n size_t seed_len;\n size_t enc_len;\n int (*init_key)(EVP_HPKE_KEY *key, const uint8_t *priv_key,\n size_t priv_key_len);\n int (*generate_key)(EVP_HPKE_KEY *key);\n int (*encap_with_seed)(const EVP_HPKE_KEM *kem, uint8_t *out_shared_secret,\n size_t *out_shared_secret_len, uint8_t *out_enc,\n size_t *out_enc_len, size_t max_enc,\n const uint8_t *peer_public_key,\n size_t peer_public_key_len, const uint8_t *seed,\n size_t seed_len);\n int (*decap)(const EVP_HPKE_KEY *key, uint8_t *out_shared_secret,\n size_t *out_shared_secret_len, const uint8_t *enc,\n size_t enc_len);\n int (*auth_encap_with_seed)(const EVP_HPKE_KEY *key,\n uint8_t *out_shared_secret,\n size_t *out_shared_secret_len, uint8_t *out_enc,\n size_t *out_enc_len, size_t max_enc,\n const uint8_t *peer_public_key,\n size_t peer_public_key_len, const uint8_t *seed,\n size_t seed_len);\n int (*auth_decap)(const EVP_HPKE_KEY *key, uint8_t *out_shared_secret,\n size_t *out_shared_secret_len, const uint8_t *enc,\n size_t enc_len, const uint8_t *peer_public_key,\n size_t peer_public_key_len);\n};\n\nstruct evp_hpke_kdf_st {\n uint16_t id;\n // We only support HKDF-based KDFs.\n const EVP_MD *(*hkdf_md_func)(void);\n};\n\nstruct evp_hpke_aead_st {\n uint16_t id;\n const EVP_AEAD *(*aead_func)(void);\n};\n\n\n// Low-level labeled KDF functions.\n\nstatic const char kHpkeVersionId[] = \"HPKE-v1\";\n\nstatic int add_label_string(CBB *cbb, const char *label) {\n return CBB_add_bytes(cbb, (const uint8_t *)label, strlen(label));\n}\n\nstatic int hpke_labeled_extract(const EVP_MD *hkdf_md, uint8_t *out_key,\n size_t *out_len, const uint8_t *salt,\n size_t salt_len, const uint8_t *suite_id,\n size_t suite_id_len, const char *label,\n const uint8_t *ikm, size_t ikm_len) {\n // labeledIKM = concat(\"HPKE-v1\", suite_id, label, IKM)\n CBB labeled_ikm;\n int ok = CBB_init(&labeled_ikm, 0) &&\n add_label_string(&labeled_ikm, kHpkeVersionId) &&\n CBB_add_bytes(&labeled_ikm, suite_id, suite_id_len) &&\n add_label_string(&labeled_ikm, label) &&\n CBB_add_bytes(&labeled_ikm, ikm, ikm_len) &&\n HKDF_extract(out_key, out_len, hkdf_md, CBB_data(&labeled_ikm),\n CBB_len(&labeled_ikm), salt, salt_len);\n CBB_cleanup(&labeled_ikm);\n return ok;\n}\n\nstatic int hpke_labeled_expand(const EVP_MD *hkdf_md, uint8_t *out_key,\n size_t out_len, const uint8_t *prk,\n size_t prk_len, const uint8_t *suite_id,\n size_t suite_id_len, const char *label,\n const uint8_t *info, size_t info_len) {\n // labeledInfo = concat(I2OSP(L, 2), \"HPKE-v1\", suite_id, label, info)\n CBB labeled_info;\n int ok = CBB_init(&labeled_info, 0) && //\n CBB_add_u16(&labeled_info, out_len) &&\n add_label_string(&labeled_info, kHpkeVersionId) &&\n CBB_add_bytes(&labeled_info, suite_id, suite_id_len) &&\n add_label_string(&labeled_info, label) &&\n CBB_add_bytes(&labeled_info, info, info_len) &&\n HKDF_expand(out_key, out_len, hkdf_md, prk, prk_len,\n CBB_data(&labeled_info), CBB_len(&labeled_info));\n CBB_cleanup(&labeled_info);\n return ok;\n}\n\n\n// KEM implementations.\n\n// dhkem_extract_and_expand implements the ExtractAndExpand operation in the\n// DHKEM construction. See section 4.1 of RFC 9180.\nstatic int dhkem_extract_and_expand(uint16_t kem_id, const EVP_MD *hkdf_md,\n uint8_t *out_key, size_t out_len,\n const uint8_t *dh, size_t dh_len,\n const uint8_t *kem_context,\n size_t kem_context_len) {\n // concat(\"KEM\", I2OSP(kem_id, 2))\n uint8_t suite_id[5] = {'K', 'E', 'M', static_cast(kem_id >> 8),\n static_cast(kem_id & 0xff)};\n uint8_t prk[EVP_MAX_MD_SIZE];\n size_t prk_len;\n return hpke_labeled_extract(hkdf_md, prk, &prk_len, NULL, 0, suite_id,\n sizeof(suite_id), \"eae_prk\", dh, dh_len) &&\n hpke_labeled_expand(hkdf_md, out_key, out_len, prk, prk_len, suite_id,\n sizeof(suite_id), \"shared_secret\", kem_context,\n kem_context_len);\n}\n\nstatic int x25519_init_key(EVP_HPKE_KEY *key, const uint8_t *priv_key,\n size_t priv_key_len) {\n if (priv_key_len != X25519_PRIVATE_KEY_LEN) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_DECODE_ERROR);\n return 0;\n }\n\n OPENSSL_memcpy(key->private_key, priv_key, priv_key_len);\n X25519_public_from_private(key->public_key, priv_key);\n return 1;\n}\n\nstatic int x25519_generate_key(EVP_HPKE_KEY *key) {\n X25519_keypair(key->public_key, key->private_key);\n return 1;\n}\n\nstatic int x25519_encap_with_seed(\n const EVP_HPKE_KEM *kem, uint8_t *out_shared_secret,\n size_t *out_shared_secret_len, uint8_t *out_enc, size_t *out_enc_len,\n size_t max_enc, const uint8_t *peer_public_key, size_t peer_public_key_len,\n const uint8_t *seed, size_t seed_len) {\n if (max_enc < X25519_PUBLIC_VALUE_LEN) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_BUFFER_SIZE);\n return 0;\n }\n if (seed_len != X25519_PRIVATE_KEY_LEN) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_DECODE_ERROR);\n return 0;\n }\n X25519_public_from_private(out_enc, seed);\n\n uint8_t dh[X25519_SHARED_KEY_LEN];\n if (peer_public_key_len != X25519_PUBLIC_VALUE_LEN ||\n !X25519(dh, seed, peer_public_key)) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_PEER_KEY);\n return 0;\n }\n\n uint8_t kem_context[2 * X25519_PUBLIC_VALUE_LEN];\n OPENSSL_memcpy(kem_context, out_enc, X25519_PUBLIC_VALUE_LEN);\n OPENSSL_memcpy(kem_context + X25519_PUBLIC_VALUE_LEN, peer_public_key,\n X25519_PUBLIC_VALUE_LEN);\n if (!dhkem_extract_and_expand(kem->id, EVP_sha256(), out_shared_secret,\n SHA256_DIGEST_LENGTH, dh, sizeof(dh),\n kem_context, sizeof(kem_context))) {\n return 0;\n }\n\n *out_enc_len = X25519_PUBLIC_VALUE_LEN;\n *out_shared_secret_len = SHA256_DIGEST_LENGTH;\n return 1;\n}\n\nstatic int x25519_decap(const EVP_HPKE_KEY *key, uint8_t *out_shared_secret,\n size_t *out_shared_secret_len, const uint8_t *enc,\n size_t enc_len) {\n uint8_t dh[X25519_SHARED_KEY_LEN];\n if (enc_len != X25519_PUBLIC_VALUE_LEN ||\n !X25519(dh, key->private_key, enc)) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_PEER_KEY);\n return 0;\n }\n\n uint8_t kem_context[2 * X25519_PUBLIC_VALUE_LEN];\n OPENSSL_memcpy(kem_context, enc, X25519_PUBLIC_VALUE_LEN);\n OPENSSL_memcpy(kem_context + X25519_PUBLIC_VALUE_LEN, key->public_key,\n X25519_PUBLIC_VALUE_LEN);\n if (!dhkem_extract_and_expand(key->kem->id, EVP_sha256(), out_shared_secret,\n SHA256_DIGEST_LENGTH, dh, sizeof(dh),\n kem_context, sizeof(kem_context))) {\n return 0;\n }\n\n *out_shared_secret_len = SHA256_DIGEST_LENGTH;\n return 1;\n}\n\nstatic int x25519_auth_encap_with_seed(\n const EVP_HPKE_KEY *key, uint8_t *out_shared_secret,\n size_t *out_shared_secret_len, uint8_t *out_enc, size_t *out_enc_len,\n size_t max_enc, const uint8_t *peer_public_key, size_t peer_public_key_len,\n const uint8_t *seed, size_t seed_len) {\n if (max_enc < X25519_PUBLIC_VALUE_LEN) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_BUFFER_SIZE);\n return 0;\n }\n if (seed_len != X25519_PRIVATE_KEY_LEN) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_DECODE_ERROR);\n return 0;\n }\n X25519_public_from_private(out_enc, seed);\n\n uint8_t dh[2 * X25519_SHARED_KEY_LEN];\n if (peer_public_key_len != X25519_PUBLIC_VALUE_LEN ||\n !X25519(dh, seed, peer_public_key) ||\n !X25519(dh + X25519_SHARED_KEY_LEN, key->private_key, peer_public_key)) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_PEER_KEY);\n return 0;\n }\n\n uint8_t kem_context[3 * X25519_PUBLIC_VALUE_LEN];\n OPENSSL_memcpy(kem_context, out_enc, X25519_PUBLIC_VALUE_LEN);\n OPENSSL_memcpy(kem_context + X25519_PUBLIC_VALUE_LEN, peer_public_key,\n X25519_PUBLIC_VALUE_LEN);\n OPENSSL_memcpy(kem_context + 2 * X25519_PUBLIC_VALUE_LEN, key->public_key,\n X25519_PUBLIC_VALUE_LEN);\n if (!dhkem_extract_and_expand(key->kem->id, EVP_sha256(), out_shared_secret,\n SHA256_DIGEST_LENGTH, dh, sizeof(dh),\n kem_context, sizeof(kem_context))) {\n return 0;\n }\n\n *out_enc_len = X25519_PUBLIC_VALUE_LEN;\n *out_shared_secret_len = SHA256_DIGEST_LENGTH;\n return 1;\n}\n\nstatic int x25519_auth_decap(const EVP_HPKE_KEY *key,\n uint8_t *out_shared_secret,\n size_t *out_shared_secret_len, const uint8_t *enc,\n size_t enc_len, const uint8_t *peer_public_key,\n size_t peer_public_key_len) {\n uint8_t dh[2 * X25519_SHARED_KEY_LEN];\n if (enc_len != X25519_PUBLIC_VALUE_LEN ||\n peer_public_key_len != X25519_PUBLIC_VALUE_LEN ||\n !X25519(dh, key->private_key, enc) ||\n !X25519(dh + X25519_SHARED_KEY_LEN, key->private_key, peer_public_key)) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_PEER_KEY);\n return 0;\n }\n\n uint8_t kem_context[3 * X25519_PUBLIC_VALUE_LEN];\n OPENSSL_memcpy(kem_context, enc, X25519_PUBLIC_VALUE_LEN);\n OPENSSL_memcpy(kem_context + X25519_PUBLIC_VALUE_LEN, key->public_key,\n X25519_PUBLIC_VALUE_LEN);\n OPENSSL_memcpy(kem_context + 2 * X25519_PUBLIC_VALUE_LEN, peer_public_key,\n X25519_PUBLIC_VALUE_LEN);\n if (!dhkem_extract_and_expand(key->kem->id, EVP_sha256(), out_shared_secret,\n SHA256_DIGEST_LENGTH, dh, sizeof(dh),\n kem_context, sizeof(kem_context))) {\n return 0;\n }\n\n *out_shared_secret_len = SHA256_DIGEST_LENGTH;\n return 1;\n}\n\nconst EVP_HPKE_KEM *EVP_hpke_x25519_hkdf_sha256(void) {\n static const EVP_HPKE_KEM kKEM = {\n /*id=*/EVP_HPKE_DHKEM_X25519_HKDF_SHA256,\n /*public_key_len=*/X25519_PUBLIC_VALUE_LEN,\n /*private_key_len=*/X25519_PRIVATE_KEY_LEN,\n /*seed_len=*/X25519_PRIVATE_KEY_LEN,\n /*enc_len=*/X25519_PUBLIC_VALUE_LEN,\n x25519_init_key,\n x25519_generate_key,\n x25519_encap_with_seed,\n x25519_decap,\n x25519_auth_encap_with_seed,\n x25519_auth_decap,\n };\n return &kKEM;\n}\n\n#define P256_PRIVATE_KEY_LEN 32\n#define P256_PUBLIC_KEY_LEN 65\n#define P256_PUBLIC_VALUE_LEN 65\n#define P256_SEED_LEN 32\n#define P256_SHARED_KEY_LEN 32\n\nstatic int p256_public_from_private(uint8_t out_pub[P256_PUBLIC_VALUE_LEN],\n const uint8_t priv[P256_PRIVATE_KEY_LEN]) {\n const EC_GROUP *const group = EC_group_p256();\n const uint8_t kAllZeros[P256_PRIVATE_KEY_LEN] = {0};\n EC_SCALAR private_scalar;\n EC_JACOBIAN public_point;\n EC_AFFINE public_point_affine;\n\n if (CRYPTO_memcmp(kAllZeros, priv, sizeof(kAllZeros)) == 0) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_DECODE_ERROR);\n return 0;\n }\n\n if (!ec_scalar_from_bytes(group, &private_scalar, priv,\n P256_PRIVATE_KEY_LEN) ||\n !ec_point_mul_scalar_base(group, &public_point, &private_scalar) ||\n !ec_jacobian_to_affine(group, &public_point_affine, &public_point)) {\n return 0;\n }\n\n size_t out_len_x, out_len_y;\n out_pub[0] = POINT_CONVERSION_UNCOMPRESSED;\n ec_felem_to_bytes(group, &out_pub[1], &out_len_x, &public_point_affine.X);\n ec_felem_to_bytes(group, &out_pub[33], &out_len_y, &public_point_affine.Y);\n return 1;\n}\n\nstatic int p256_init_key(EVP_HPKE_KEY *key, const uint8_t *priv_key,\n size_t priv_key_len) {\n if (priv_key_len != P256_PRIVATE_KEY_LEN) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_DECODE_ERROR);\n return 0;\n }\n\n if (!p256_public_from_private(key->public_key, priv_key)) {\n return 0;\n }\n\n OPENSSL_memcpy(key->private_key, priv_key, priv_key_len);\n return 1;\n}\n\nstatic int p256_private_key_from_seed(uint8_t out_priv[P256_PRIVATE_KEY_LEN],\n const uint8_t seed[P256_SEED_LEN]) {\n // https://www.rfc-editor.org/rfc/rfc9180.html#name-derivekeypair\n const uint8_t suite_id[5] = {'K', 'E', 'M',\n EVP_HPKE_DHKEM_P256_HKDF_SHA256 >> 8,\n EVP_HPKE_DHKEM_P256_HKDF_SHA256 & 0xff};\n\n uint8_t dkp_prk[32];\n size_t dkp_prk_len;\n if (!hpke_labeled_extract(EVP_sha256(), dkp_prk, &dkp_prk_len, NULL, 0,\n suite_id, sizeof(suite_id), \"dkp_prk\", seed,\n P256_SEED_LEN)) {\n return 0;\n }\n assert(dkp_prk_len == sizeof(dkp_prk));\n\n const EC_GROUP *const group = EC_group_p256();\n EC_SCALAR private_scalar;\n\n for (unsigned counter = 0; counter < 256; counter++) {\n const uint8_t counter_byte = counter & 0xff;\n if (!hpke_labeled_expand(EVP_sha256(), out_priv, P256_PRIVATE_KEY_LEN,\n dkp_prk, sizeof(dkp_prk), suite_id,\n sizeof(suite_id), \"candidate\", &counter_byte,\n sizeof(counter_byte))) {\n return 0;\n }\n\n // This checks that the scalar is less than the order.\n if (ec_scalar_from_bytes(group, &private_scalar, out_priv,\n P256_PRIVATE_KEY_LEN)) {\n return 1;\n }\n }\n\n // This happens with probability of 2^-(32*256).\n OPENSSL_PUT_ERROR(EVP, ERR_R_INTERNAL_ERROR);\n return 0;\n}\n\nstatic int p256_generate_key(EVP_HPKE_KEY *key) {\n uint8_t seed[P256_SEED_LEN];\n RAND_bytes(seed, sizeof(seed));\n if (!p256_private_key_from_seed(key->private_key, seed) ||\n !p256_public_from_private(key->public_key, key->private_key)) {\n return 0;\n }\n return 1;\n}\n\nstatic int p256(uint8_t out_dh[P256_SHARED_KEY_LEN],\n const uint8_t my_private[P256_PRIVATE_KEY_LEN],\n const uint8_t their_public[P256_PUBLIC_VALUE_LEN]) {\n const EC_GROUP *const group = EC_group_p256();\n EC_SCALAR private_scalar;\n EC_FELEM x, y;\n EC_JACOBIAN shared_point, their_point;\n EC_AFFINE their_point_affine, shared_point_affine;\n\n if (their_public[0] != POINT_CONVERSION_UNCOMPRESSED ||\n !ec_felem_from_bytes(group, &x, &their_public[1], 32) ||\n !ec_felem_from_bytes(group, &y, &their_public[33], 32) ||\n !ec_point_set_affine_coordinates(group, &their_point_affine, &x, &y) ||\n !ec_scalar_from_bytes(group, &private_scalar, my_private,\n P256_PRIVATE_KEY_LEN)) {\n OPENSSL_PUT_ERROR(EVP, ERR_R_INTERNAL_ERROR);\n return 0;\n }\n\n ec_affine_to_jacobian(group, &their_point, &their_point_affine);\n if (!ec_point_mul_scalar(group, &shared_point, &their_point,\n &private_scalar) ||\n !ec_jacobian_to_affine(group, &shared_point_affine, &shared_point)) {\n OPENSSL_PUT_ERROR(EVP, ERR_R_INTERNAL_ERROR);\n return 0;\n }\n\n size_t out_len;\n ec_felem_to_bytes(group, out_dh, &out_len, &shared_point_affine.X);\n assert(out_len == P256_SHARED_KEY_LEN);\n return 1;\n}\n\nstatic int p256_encap_with_seed(const EVP_HPKE_KEM *kem,\n uint8_t *out_shared_secret,\n size_t *out_shared_secret_len, uint8_t *out_enc,\n size_t *out_enc_len, size_t max_enc,\n const uint8_t *peer_public_key,\n size_t peer_public_key_len, const uint8_t *seed,\n size_t seed_len) {\n if (max_enc < P256_PUBLIC_VALUE_LEN) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_BUFFER_SIZE);\n return 0;\n }\n if (seed_len != P256_SEED_LEN) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_DECODE_ERROR);\n return 0;\n }\n uint8_t private_key[P256_PRIVATE_KEY_LEN];\n if (!p256_private_key_from_seed(private_key, seed)) {\n return 0;\n }\n p256_public_from_private(out_enc, private_key);\n\n uint8_t dh[P256_SHARED_KEY_LEN];\n if (peer_public_key_len != P256_PUBLIC_VALUE_LEN ||\n !p256(dh, private_key, peer_public_key)) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_PEER_KEY);\n return 0;\n }\n\n uint8_t kem_context[2 * P256_PUBLIC_VALUE_LEN];\n OPENSSL_memcpy(kem_context, out_enc, P256_PUBLIC_VALUE_LEN);\n OPENSSL_memcpy(kem_context + P256_PUBLIC_VALUE_LEN, peer_public_key,\n P256_PUBLIC_VALUE_LEN);\n if (!dhkem_extract_and_expand(kem->id, EVP_sha256(), out_shared_secret,\n SHA256_DIGEST_LENGTH, dh, sizeof(dh),\n kem_context, sizeof(kem_context))) {\n return 0;\n }\n\n *out_enc_len = P256_PUBLIC_VALUE_LEN;\n *out_shared_secret_len = SHA256_DIGEST_LENGTH;\n return 1;\n}\n\nstatic int p256_decap(const EVP_HPKE_KEY *key, uint8_t *out_shared_secret,\n size_t *out_shared_secret_len, const uint8_t *enc,\n size_t enc_len) {\n uint8_t dh[P256_SHARED_KEY_LEN];\n if (enc_len != P256_PUBLIC_VALUE_LEN || //\n !p256(dh, key->private_key, enc)) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_PEER_KEY);\n return 0;\n }\n\n uint8_t kem_context[2 * P256_PUBLIC_VALUE_LEN];\n OPENSSL_memcpy(kem_context, enc, P256_PUBLIC_VALUE_LEN);\n OPENSSL_memcpy(kem_context + P256_PUBLIC_VALUE_LEN, key->public_key,\n P256_PUBLIC_VALUE_LEN);\n if (!dhkem_extract_and_expand(key->kem->id, EVP_sha256(), out_shared_secret,\n SHA256_DIGEST_LENGTH, dh, sizeof(dh),\n kem_context, sizeof(kem_context))) {\n return 0;\n }\n\n *out_shared_secret_len = SHA256_DIGEST_LENGTH;\n return 1;\n}\n\nstatic int p256_auth_encap_with_seed(\n const EVP_HPKE_KEY *key, uint8_t *out_shared_secret,\n size_t *out_shared_secret_len, uint8_t *out_enc, size_t *out_enc_len,\n size_t max_enc, const uint8_t *peer_public_key, size_t peer_public_key_len,\n const uint8_t *seed, size_t seed_len) {\n if (max_enc < P256_PUBLIC_VALUE_LEN) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_BUFFER_SIZE);\n return 0;\n }\n if (seed_len != P256_SEED_LEN) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_DECODE_ERROR);\n return 0;\n }\n uint8_t private_key[P256_PRIVATE_KEY_LEN];\n if (!p256_private_key_from_seed(private_key, seed)) {\n return 0;\n }\n p256_public_from_private(out_enc, private_key);\n\n uint8_t dh[2 * P256_SHARED_KEY_LEN];\n if (peer_public_key_len != P256_PUBLIC_VALUE_LEN ||\n !p256(dh, private_key, peer_public_key) ||\n !p256(dh + P256_SHARED_KEY_LEN, key->private_key, peer_public_key)) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_PEER_KEY);\n return 0;\n }\n\n uint8_t kem_context[3 * P256_PUBLIC_VALUE_LEN];\n OPENSSL_memcpy(kem_context, out_enc, P256_PUBLIC_VALUE_LEN);\n OPENSSL_memcpy(kem_context + P256_PUBLIC_VALUE_LEN, peer_public_key,\n P256_PUBLIC_VALUE_LEN);\n OPENSSL_memcpy(kem_context + 2 * P256_PUBLIC_VALUE_LEN, key->public_key,\n P256_PUBLIC_VALUE_LEN);\n if (!dhkem_extract_and_expand(key->kem->id, EVP_sha256(), out_shared_secret,\n SHA256_DIGEST_LENGTH, dh, sizeof(dh),\n kem_context, sizeof(kem_context))) {\n return 0;\n }\n\n *out_enc_len = P256_PUBLIC_VALUE_LEN;\n *out_shared_secret_len = SHA256_DIGEST_LENGTH;\n return 1;\n}\n\nstatic int p256_auth_decap(const EVP_HPKE_KEY *key, uint8_t *out_shared_secret,\n size_t *out_shared_secret_len, const uint8_t *enc,\n size_t enc_len, const uint8_t *peer_public_key,\n size_t peer_public_key_len) {\n uint8_t dh[2 * P256_SHARED_KEY_LEN];\n if (enc_len != P256_PUBLIC_VALUE_LEN ||\n peer_public_key_len != P256_PUBLIC_VALUE_LEN ||\n !p256(dh, key->private_key, enc) ||\n !p256(dh + P256_SHARED_KEY_LEN, key->private_key, peer_public_key)) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_PEER_KEY);\n return 0;\n }\n\n uint8_t kem_context[3 * P256_PUBLIC_VALUE_LEN];\n OPENSSL_memcpy(kem_context, enc, P256_PUBLIC_VALUE_LEN);\n OPENSSL_memcpy(kem_context + P256_PUBLIC_VALUE_LEN, key->public_key,\n P256_PUBLIC_VALUE_LEN);\n OPENSSL_memcpy(kem_context + 2 * P256_PUBLIC_VALUE_LEN, peer_public_key,\n P256_PUBLIC_VALUE_LEN);\n if (!dhkem_extract_and_expand(key->kem->id, EVP_sha256(), out_shared_secret,\n SHA256_DIGEST_LENGTH, dh, sizeof(dh),\n kem_context, sizeof(kem_context))) {\n return 0;\n }\n\n *out_shared_secret_len = SHA256_DIGEST_LENGTH;\n return 1;\n}\n\nconst EVP_HPKE_KEM *EVP_hpke_p256_hkdf_sha256(void) {\n static const EVP_HPKE_KEM kKEM = {\n /*id=*/EVP_HPKE_DHKEM_P256_HKDF_SHA256,\n /*public_key_len=*/P256_PUBLIC_KEY_LEN,\n /*private_key_len=*/P256_PRIVATE_KEY_LEN,\n /*seed_len=*/P256_SEED_LEN,\n /*enc_len=*/P256_PUBLIC_VALUE_LEN,\n p256_init_key,\n p256_generate_key,\n p256_encap_with_seed,\n p256_decap,\n p256_auth_encap_with_seed,\n p256_auth_decap,\n };\n return &kKEM;\n}\n\nuint16_t EVP_HPKE_KEM_id(const EVP_HPKE_KEM *kem) { return kem->id; }\n\nsize_t EVP_HPKE_KEM_public_key_len(const EVP_HPKE_KEM *kem) {\n return kem->public_key_len;\n}\n\nsize_t EVP_HPKE_KEM_private_key_len(const EVP_HPKE_KEM *kem) {\n return kem->private_key_len;\n}\n\nsize_t EVP_HPKE_KEM_enc_len(const EVP_HPKE_KEM *kem) { return kem->enc_len; }\n\nvoid EVP_HPKE_KEY_zero(EVP_HPKE_KEY *key) {\n OPENSSL_memset(key, 0, sizeof(EVP_HPKE_KEY));\n}\n\nvoid EVP_HPKE_KEY_cleanup(EVP_HPKE_KEY *key) {\n // Nothing to clean up for now, but we may introduce a cleanup process in the\n // future.\n}\n\nEVP_HPKE_KEY *EVP_HPKE_KEY_new(void) {\n EVP_HPKE_KEY *key =\n reinterpret_cast(OPENSSL_malloc(sizeof(EVP_HPKE_KEY)));\n if (key == NULL) {\n return NULL;\n }\n EVP_HPKE_KEY_zero(key);\n return key;\n}\n\nvoid EVP_HPKE_KEY_free(EVP_HPKE_KEY *key) {\n if (key != NULL) {\n EVP_HPKE_KEY_cleanup(key);\n OPENSSL_free(key);\n }\n}\n\nint EVP_HPKE_KEY_copy(EVP_HPKE_KEY *dst, const EVP_HPKE_KEY *src) {\n // For now, |EVP_HPKE_KEY| is trivially copyable.\n OPENSSL_memcpy(dst, src, sizeof(EVP_HPKE_KEY));\n return 1;\n}\n\nvoid EVP_HPKE_KEY_move(EVP_HPKE_KEY *out, EVP_HPKE_KEY *in) {\n EVP_HPKE_KEY_cleanup(out);\n // For now, |EVP_HPKE_KEY| is trivially movable.\n // Note that Rust may move this structure. See\n // bssl-crypto/src/scoped.rs:EvpHpkeKey.\n OPENSSL_memcpy(out, in, sizeof(EVP_HPKE_KEY));\n EVP_HPKE_KEY_zero(in);\n}\n\nint EVP_HPKE_KEY_init(EVP_HPKE_KEY *key, const EVP_HPKE_KEM *kem,\n const uint8_t *priv_key, size_t priv_key_len) {\n EVP_HPKE_KEY_zero(key);\n key->kem = kem;\n if (!kem->init_key(key, priv_key, priv_key_len)) {\n key->kem = NULL;\n return 0;\n }\n return 1;\n}\n\nint EVP_HPKE_KEY_generate(EVP_HPKE_KEY *key, const EVP_HPKE_KEM *kem) {\n EVP_HPKE_KEY_zero(key);\n key->kem = kem;\n if (!kem->generate_key(key)) {\n key->kem = NULL;\n return 0;\n }\n return 1;\n}\n\nconst EVP_HPKE_KEM *EVP_HPKE_KEY_kem(const EVP_HPKE_KEY *key) {\n return key->kem;\n}\n\nint EVP_HPKE_KEY_public_key(const EVP_HPKE_KEY *key, uint8_t *out,\n size_t *out_len, size_t max_out) {\n if (max_out < key->kem->public_key_len) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_BUFFER_SIZE);\n return 0;\n }\n OPENSSL_memcpy(out, key->public_key, key->kem->public_key_len);\n *out_len = key->kem->public_key_len;\n return 1;\n}\n\nint EVP_HPKE_KEY_private_key(const EVP_HPKE_KEY *key, uint8_t *out,\n size_t *out_len, size_t max_out) {\n if (max_out < key->kem->private_key_len) {\n OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_BUFFER_SIZE);\n return 0;\n }\n OPENSSL_memcpy(out, key->private_key, key->kem->private_key_len);\n *out_len = key->kem->private_key_len;\n return 1;\n}\n\n\n// Supported KDFs and AEADs.\n\nconst EVP_HPKE_KDF *EVP_hpke_hkdf_sha256(void) {\n static const EVP_HPKE_KDF kKDF = {EVP_HPKE_HKDF_SHA256, &EVP_sha256};\n return &kKDF;\n}\n\nuint16_t EVP_HPKE_KDF_id(const EVP_HPKE_KDF *kdf) { return kdf->id; }\n\nconst EVP_MD *EVP_HPKE_KDF_hkdf_md(const EVP_HPKE_KDF *kdf) {\n return kdf->hkdf_md_func();\n}\n\nconst EVP_HPKE_AEAD *EVP_hpke_aes_128_gcm(void) {\n static const EVP_HPKE_AEAD kAEAD = {EVP_HPKE_AES_128_GCM,\n &EVP_aead_aes_128_gcm};\n return &kAEAD;\n}\n\nconst EVP_HPKE_AEAD *EVP_hpke_aes_256_gcm(void) {\n static const EVP_HPKE_AEAD kAEAD = {EVP_HPKE_AES_256_GCM,\n &EVP_aead_aes_256_gcm};\n return &kAEAD;\n}\n\nconst EVP_HPKE_AEAD *EVP_hpke_chacha20_poly1305(void) {\n static const EVP_HPKE_AEAD kAEAD = {EVP_HPKE_CHACHA20_POLY1305,\n &EVP_aead_chacha20_poly1305};\n return &kAEAD;\n}\n\nuint16_t EVP_HPKE_AEAD_id(const EVP_HPKE_AEAD *aead) { return aead->id; }\n\nconst EVP_AEAD *EVP_HPKE_AEAD_aead(const EVP_HPKE_AEAD *aead) {\n return aead->aead_func();\n}\n\n\n// HPKE implementation.\n\n// This is strlen(\"HPKE\") + 3 * sizeof(uint16_t).\n#define HPKE_SUITE_ID_LEN 10\n\n// The suite_id for non-KEM pieces of HPKE is defined as concat(\"HPKE\",\n// I2OSP(kem_id, 2), I2OSP(kdf_id, 2), I2OSP(aead_id, 2)).\nstatic int hpke_build_suite_id(const EVP_HPKE_CTX *ctx,\n uint8_t out[HPKE_SUITE_ID_LEN]) {\n CBB cbb;\n CBB_init_fixed(&cbb, out, HPKE_SUITE_ID_LEN);\n return add_label_string(&cbb, \"HPKE\") && //\n CBB_add_u16(&cbb, ctx->kem->id) && //\n CBB_add_u16(&cbb, ctx->kdf->id) && //\n CBB_add_u16(&cbb, ctx->aead->id);\n}\n\n#define HPKE_MODE_BASE 0\n#define HPKE_MODE_AUTH 2\n\nstatic int hpke_key_schedule(EVP_HPKE_CTX *ctx, uint8_t mode,\n const uint8_t *shared_secret,\n size_t shared_secret_len, const uint8_t *info,\n size_t info_len) {\n uint8_t suite_id[HPKE_SUITE_ID_LEN];\n if (!hpke_build_suite_id(ctx, suite_id)) {\n return 0;\n }\n\n // psk_id_hash = LabeledExtract(\"\", \"psk_id_hash\", psk_id)\n // TODO(davidben): Precompute this value and store it with the EVP_HPKE_KDF.\n const EVP_MD *hkdf_md = ctx->kdf->hkdf_md_func();\n uint8_t psk_id_hash[EVP_MAX_MD_SIZE];\n size_t psk_id_hash_len;\n if (!hpke_labeled_extract(hkdf_md, psk_id_hash, &psk_id_hash_len, NULL, 0,\n suite_id, sizeof(suite_id), \"psk_id_hash\", NULL,\n 0)) {\n return 0;\n }\n\n // info_hash = LabeledExtract(\"\", \"info_hash\", info)\n uint8_t info_hash[EVP_MAX_MD_SIZE];\n size_t info_hash_len;\n if (!hpke_labeled_extract(hkdf_md, info_hash, &info_hash_len, NULL, 0,\n suite_id, sizeof(suite_id), \"info_hash\", info,\n info_len)) {\n return 0;\n }\n\n // key_schedule_context = concat(mode, psk_id_hash, info_hash)\n uint8_t context[sizeof(uint8_t) + 2 * EVP_MAX_MD_SIZE];\n size_t context_len;\n CBB context_cbb;\n CBB_init_fixed(&context_cbb, context, sizeof(context));\n if (!CBB_add_u8(&context_cbb, mode) ||\n !CBB_add_bytes(&context_cbb, psk_id_hash, psk_id_hash_len) ||\n !CBB_add_bytes(&context_cbb, info_hash, info_hash_len) ||\n !CBB_finish(&context_cbb, NULL, &context_len)) {\n return 0;\n }\n\n // secret = LabeledExtract(shared_secret, \"secret\", psk)\n uint8_t secret[EVP_MAX_MD_SIZE];\n size_t secret_len;\n if (!hpke_labeled_extract(hkdf_md, secret, &secret_len, shared_secret,\n shared_secret_len, suite_id, sizeof(suite_id),\n \"secret\", NULL, 0)) {\n return 0;\n }\n\n // key = LabeledExpand(secret, \"key\", key_schedule_context, Nk)\n const EVP_AEAD *aead = EVP_HPKE_AEAD_aead(ctx->aead);\n uint8_t key[EVP_AEAD_MAX_KEY_LENGTH];\n const size_t kKeyLen = EVP_AEAD_key_length(aead);\n if (!hpke_labeled_expand(hkdf_md, key, kKeyLen, secret, secret_len, suite_id,\n sizeof(suite_id), \"key\", context, context_len) ||\n !EVP_AEAD_CTX_init(&ctx->aead_ctx, aead, key, kKeyLen,\n EVP_AEAD_DEFAULT_TAG_LENGTH, NULL)) {\n return 0;\n }\n\n // base_nonce = LabeledExpand(secret, \"base_nonce\", key_schedule_context, Nn)\n if (!hpke_labeled_expand(hkdf_md, ctx->base_nonce,\n EVP_AEAD_nonce_length(aead), secret, secret_len,\n suite_id, sizeof(suite_id), \"base_nonce\", context,\n context_len)) {\n return 0;\n }\n\n // exporter_secret = LabeledExpand(secret, \"exp\", key_schedule_context, Nh)\n if (!hpke_labeled_expand(hkdf_md, ctx->exporter_secret, EVP_MD_size(hkdf_md),\n secret, secret_len, suite_id, sizeof(suite_id),\n \"exp\", context, context_len)) {\n return 0;\n }\n\n return 1;\n}\n\nvoid EVP_HPKE_CTX_zero(EVP_HPKE_CTX *ctx) {\n OPENSSL_memset(ctx, 0, sizeof(EVP_HPKE_CTX));\n EVP_AEAD_CTX_zero(&ctx->aead_ctx);\n}\n\nvoid EVP_HPKE_CTX_cleanup(EVP_HPKE_CTX *ctx) {\n EVP_AEAD_CTX_cleanup(&ctx->aead_ctx);\n}\n\nEVP_HPKE_CTX *EVP_HPKE_CTX_new(void) {\n EVP_HPKE_CTX *ctx =\n reinterpret_cast(OPENSSL_malloc(sizeof(EVP_HPKE_CTX)));\n if (ctx == NULL) {\n return NULL;\n }\n EVP_HPKE_CTX_zero(ctx);\n return ctx;\n}\n\nvoid EVP_HPKE_CTX_free(EVP_HPKE_CTX *ctx) {\n if (ctx != NULL) {\n EVP_HPKE_CTX_cleanup(ctx);\n OPENSSL_free(ctx);\n }\n}\n\nint EVP_HPKE_CTX_setup_sender(EVP_HPKE_CTX *ctx, uint8_t *out_enc,\n size_t *out_enc_len, size_t max_enc,\n const EVP_HPKE_KEM *kem, const EVP_HPKE_KDF *kdf,\n const EVP_HPKE_AEAD *aead,\n const uint8_t *peer_public_key,\n size_t peer_public_key_len, const uint8_t *info,\n size_t info_len) {\n uint8_t seed[MAX_SEED_LEN];\n RAND_bytes(seed, kem->seed_len);\n return EVP_HPKE_CTX_setup_sender_with_seed_for_testing(\n ctx, out_enc, out_enc_len, max_enc, kem, kdf, aead, peer_public_key,\n peer_public_key_len, info, info_len, seed, kem->seed_len);\n}\n\nint EVP_HPKE_CTX_setup_sender_with_seed_for_testing(\n EVP_HPKE_CTX *ctx, uint8_t *out_enc, size_t *out_enc_len, size_t max_enc,\n const EVP_HPKE_KEM *kem, const EVP_HPKE_KDF *kdf, const EVP_HPKE_AEAD *aead,\n const uint8_t *peer_public_key, size_t peer_public_key_len,\n const uint8_t *info, size_t info_len, const uint8_t *seed,\n size_t seed_len) {\n EVP_HPKE_CTX_zero(ctx);\n ctx->is_sender = 1;\n ctx->kem = kem;\n ctx->kdf = kdf;\n ctx->aead = aead;\n uint8_t shared_secret[MAX_SHARED_SECRET_LEN];\n size_t shared_secret_len;\n if (!kem->encap_with_seed(kem, shared_secret, &shared_secret_len, out_enc,\n out_enc_len, max_enc, peer_public_key,\n peer_public_key_len, seed, seed_len) ||\n !hpke_key_schedule(ctx, HPKE_MODE_BASE, shared_secret, shared_secret_len,\n info, info_len)) {\n EVP_HPKE_CTX_cleanup(ctx);\n return 0;\n }\n return 1;\n}\n\nint EVP_HPKE_CTX_setup_recipient(EVP_HPKE_CTX *ctx, const EVP_HPKE_KEY *key,\n const EVP_HPKE_KDF *kdf,\n const EVP_HPKE_AEAD *aead, const uint8_t *enc,\n size_t enc_len, const uint8_t *info,\n size_t info_len) {\n EVP_HPKE_CTX_zero(ctx);\n ctx->is_sender = 0;\n ctx->kem = key->kem;\n ctx->kdf = kdf;\n ctx->aead = aead;\n uint8_t shared_secret[MAX_SHARED_SECRET_LEN];\n size_t shared_secret_len;\n if (!key->kem->decap(key, shared_secret, &shared_secret_len, enc, enc_len) ||\n !hpke_key_schedule(ctx, HPKE_MODE_BASE, shared_secret, shared_secret_len,\n info, info_len)) {\n EVP_HPKE_CTX_cleanup(ctx);\n return 0;\n }\n return 1;\n}\n\n\nint EVP_HPKE_CTX_setup_auth_sender(\n EVP_HPKE_CTX *ctx, uint8_t *out_enc, size_t *out_enc_len, size_t max_enc,\n const EVP_HPKE_KEY *key, const EVP_HPKE_KDF *kdf, const EVP_HPKE_AEAD *aead,\n const uint8_t *peer_public_key, size_t peer_public_key_len,\n const uint8_t *info, size_t info_len) {\n uint8_t seed[MAX_SEED_LEN];\n RAND_bytes(seed, key->kem->seed_len);\n return EVP_HPKE_CTX_setup_auth_sender_with_seed_for_testing(\n ctx, out_enc, out_enc_len, max_enc, key, kdf, aead, peer_public_key,\n peer_public_key_len, info, info_len, seed, key->kem->seed_len);\n}\n\nint EVP_HPKE_CTX_setup_auth_sender_with_seed_for_testing(\n EVP_HPKE_CTX *ctx, uint8_t *out_enc, size_t *out_enc_len, size_t max_enc,\n const EVP_HPKE_KEY *key, const EVP_HPKE_KDF *kdf, const EVP_HPKE_AEAD *aead,\n const uint8_t *peer_public_key, size_t peer_public_key_len,\n const uint8_t *info, size_t info_len, const uint8_t *seed,\n size_t seed_len) {\n if (key->kem->auth_encap_with_seed == NULL) {\n // Not all HPKE KEMs support AuthEncap.\n OPENSSL_PUT_ERROR(EVP, EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE);\n return 0;\n }\n\n EVP_HPKE_CTX_zero(ctx);\n ctx->is_sender = 1;\n ctx->kem = key->kem;\n ctx->kdf = kdf;\n ctx->aead = aead;\n uint8_t shared_secret[MAX_SHARED_SECRET_LEN];\n size_t shared_secret_len;\n if (!key->kem->auth_encap_with_seed(\n key, shared_secret, &shared_secret_len, out_enc, out_enc_len, max_enc,\n peer_public_key, peer_public_key_len, seed, seed_len) ||\n !hpke_key_schedule(ctx, HPKE_MODE_AUTH, shared_secret, shared_secret_len,\n info, info_len)) {\n EVP_HPKE_CTX_cleanup(ctx);\n return 0;\n }\n return 1;\n}\n\nint EVP_HPKE_CTX_setup_auth_recipient(\n EVP_HPKE_CTX *ctx, const EVP_HPKE_KEY *key, const EVP_HPKE_KDF *kdf,\n const EVP_HPKE_AEAD *aead, const uint8_t *enc, size_t enc_len,\n const uint8_t *info, size_t info_len, const uint8_t *peer_public_key,\n size_t peer_public_key_len) {\n if (key->kem->auth_decap == NULL) {\n // Not all HPKE KEMs support AuthDecap.\n OPENSSL_PUT_ERROR(EVP, EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE);\n return 0;\n }\n\n EVP_HPKE_CTX_zero(ctx);\n ctx->is_sender = 0;\n ctx->kem = key->kem;\n ctx->kdf = kdf;\n ctx->aead = aead;\n uint8_t shared_secret[MAX_SHARED_SECRET_LEN];\n size_t shared_secret_len;\n if (!key->kem->auth_decap(key, shared_secret, &shared_secret_len, enc,\n enc_len, peer_public_key, peer_public_key_len) ||\n !hpke_key_schedule(ctx, HPKE_MODE_AUTH, shared_secret, shared_secret_len,\n info, info_len)) {\n EVP_HPKE_CTX_cleanup(ctx);\n return 0;\n }\n return 1;\n}\n\nstatic void hpke_nonce(const EVP_HPKE_CTX *ctx, uint8_t *out_nonce,\n size_t nonce_len) {\n assert(nonce_len >= 8);\n\n // Write padded big-endian bytes of |ctx->seq| to |out_nonce|.\n OPENSSL_memset(out_nonce, 0, nonce_len);\n uint64_t seq_copy = ctx->seq;\n for (size_t i = 0; i < 8; i++) {\n out_nonce[nonce_len - i - 1] = seq_copy & 0xff;\n seq_copy >>= 8;\n }\n\n // XOR the encoded sequence with the |ctx->base_nonce|.\n for (size_t i = 0; i < nonce_len; i++) {\n out_nonce[i] ^= ctx->base_nonce[i];\n }\n}\n\nint EVP_HPKE_CTX_open(EVP_HPKE_CTX *ctx, uint8_t *out, size_t *out_len,\n size_t max_out_len, const uint8_t *in, size_t in_len,\n const uint8_t *ad, size_t ad_len) {\n if (ctx->is_sender) {\n OPENSSL_PUT_ERROR(EVP, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);\n return 0;\n }\n if (ctx->seq == UINT64_MAX) {\n OPENSSL_PUT_ERROR(EVP, ERR_R_OVERFLOW);\n return 0;\n }\n\n uint8_t nonce[EVP_AEAD_MAX_NONCE_LENGTH];\n const size_t nonce_len = EVP_AEAD_nonce_length(ctx->aead_ctx.aead);\n hpke_nonce(ctx, nonce, nonce_len);\n\n if (!EVP_AEAD_CTX_open(&ctx->aead_ctx, out, out_len, max_out_len, nonce,\n nonce_len, in, in_len, ad, ad_len)) {\n return 0;\n }\n ctx->seq++;\n return 1;\n}\n\nint EVP_HPKE_CTX_seal(EVP_HPKE_CTX *ctx, uint8_t *out, size_t *out_len,\n size_t max_out_len, const uint8_t *in, size_t in_len,\n const uint8_t *ad, size_t ad_len) {\n if (!ctx->is_sender) {\n OPENSSL_PUT_ERROR(EVP, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);\n return 0;\n }\n if (ctx->seq == UINT64_MAX) {\n OPENSSL_PUT_ERROR(EVP, ERR_R_OVERFLOW);\n return 0;\n }\n\n uint8_t nonce[EVP_AEAD_MAX_NONCE_LENGTH];\n const size_t nonce_len = EVP_AEAD_nonce_length(ctx->aead_ctx.aead);\n hpke_nonce(ctx, nonce, nonce_len);\n\n if (!EVP_AEAD_CTX_seal(&ctx->aead_ctx, out, out_len, max_out_len, nonce,\n nonce_len, in, in_len, ad, ad_len)) {\n return 0;\n }\n ctx->seq++;\n return 1;\n}\n\nint EVP_HPKE_CTX_export(const EVP_HPKE_CTX *ctx, uint8_t *out,\n size_t secret_len, const uint8_t *context,\n size_t context_len) {\n uint8_t suite_id[HPKE_SUITE_ID_LEN];\n if (!hpke_build_suite_id(ctx, suite_id)) {\n return 0;\n }\n const EVP_MD *hkdf_md = ctx->kdf->hkdf_md_func();\n if (!hpke_labeled_expand(hkdf_md, out, secret_len, ctx->exporter_secret,\n EVP_MD_size(hkdf_md), suite_id, sizeof(suite_id),\n \"sec\", context, context_len)) {\n return 0;\n }\n return 1;\n}\n\nsize_t EVP_HPKE_CTX_max_overhead(const EVP_HPKE_CTX *ctx) {\n assert(ctx->is_sender);\n return EVP_AEAD_max_overhead(EVP_AEAD_CTX_aead(&ctx->aead_ctx));\n}\n\nconst EVP_HPKE_KEM *EVP_HPKE_CTX_kem(const EVP_HPKE_CTX *ctx) {\n return ctx->kem;\n}\n\nconst EVP_HPKE_AEAD *EVP_HPKE_CTX_aead(const EVP_HPKE_CTX *ctx) {\n return ctx->aead;\n}\n\nconst EVP_HPKE_KDF *EVP_HPKE_CTX_kdf(const EVP_HPKE_CTX *ctx) {\n return ctx->kdf;\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/hrss/asm/poly_rq_mul.S", "content": "#define BORINGSSL_PREFIX CNIOBoringSSL\n#if defined(__x86_64__) && defined(__linux__)\n// Copyright (c) 2017, the HRSS authors.\n//\n// Permission to use, copy, modify, and/or distribute this software for any\n// purpose with or without fee is hereby granted, provided that the above\n// copyright notice and this permission notice appear in all copies.\n//\n// THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n// WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n// MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n// SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n// WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n// OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n// CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.\n\n#include \n\n#if !defined(OPENSSL_NO_ASM) && !defined(OPENSSL_SMALL) && defined(OPENSSL_LINUX) && defined(OPENSSL_X86_64)\n\n// This is the polynomial multiplication function from [HRSS], provided by kind\n// permission of the authors.\n//\n// HRSS: https://eprint.iacr.org/2017/1005\n\n# This file was generated by poly_rq_mul.py\n.text\n.align 32\nconst3:\n.word 3\n.word 3\n.word 3\n.word 3\n.word 3\n.word 3\n.word 3\n.word 3\n.word 3\n.word 3\n.word 3\n.word 3\n.word 3\n.word 3\n.word 3\n.word 3\nconst9:\n.word 9\n.word 9\n.word 9\n.word 9\n.word 9\n.word 9\n.word 9\n.word 9\n.word 9\n.word 9\n.word 9\n.word 9\n.word 9\n.word 9\n.word 9\n.word 9\nconst0:\n.word 0\n.word 0\n.word 0\n.word 0\n.word 0\n.word 0\n.word 0\n.word 0\n.word 0\n.word 0\n.word 0\n.word 0\n.word 0\n.word 0\n.word 0\n.word 0\nconst729:\n.word 729\n.word 729\n.word 729\n.word 729\n.word 729\n.word 729\n.word 729\n.word 729\n.word 729\n.word 729\n.word 729\n.word 729\n.word 729\n.word 729\n.word 729\n.word 729\nconst3_inv:\n.word 43691\n.word 43691\n.word 43691\n.word 43691\n.word 43691\n.word 43691\n.word 43691\n.word 43691\n.word 43691\n.word 43691\n.word 43691\n.word 43691\n.word 43691\n.word 43691\n.word 43691\n.word 43691\nconst5_inv:\n.word 52429\n.word 52429\n.word 52429\n.word 52429\n.word 52429\n.word 52429\n.word 52429\n.word 52429\n.word 52429\n.word 52429\n.word 52429\n.word 52429\n.word 52429\n.word 52429\n.word 52429\n.word 52429\nshuf48_16:\n.byte 10\n.byte 11\n.byte 12\n.byte 13\n.byte 14\n.byte 15\n.byte 0\n.byte 1\n.byte 2\n.byte 3\n.byte 4\n.byte 5\n.byte 6\n.byte 7\n.byte 8\n.byte 9\n.byte 10\n.byte 11\n.byte 12\n.byte 13\n.byte 14\n.byte 15\n.byte 0\n.byte 1\n.byte 2\n.byte 3\n.byte 4\n.byte 5\n.byte 6\n.byte 7\n.byte 8\n.byte 9\nshufmin1_mask3:\n.byte 2\n.byte 3\n.byte 4\n.byte 5\n.byte 6\n.byte 7\n.byte 255\n.byte 255\n.byte 255\n.byte 255\n.byte 255\n.byte 255\n.byte 255\n.byte 255\n.byte 255\n.byte 255\n.byte 255\n.byte 255\n.byte 255\n.byte 255\n.byte 255\n.byte 255\n.byte 255\n.byte 255\n.byte 255\n.byte 255\n.byte 255\n.byte 255\n.byte 255\n.byte 255\n.byte 255\n.byte 255\nmask32_to_16:\n.word 0xffff\n.word 0x0\n.word 0xffff\n.word 0x0\n.word 0xffff\n.word 0x0\n.word 0xffff\n.word 0x0\n.word 0xffff\n.word 0x0\n.word 0xffff\n.word 0x0\n.word 0xffff\n.word 0x0\n.word 0xffff\n.word 0x0\nmask5_3_5_3:\n.word 0\n.word 0\n.word 0\n.word 65535\n.word 65535\n.word 65535\n.word 65535\n.word 65535\n.word 0\n.word 0\n.word 0\n.word 65535\n.word 65535\n.word 65535\n.word 65535\n.word 65535\nmask3_5_3_5:\n.word 65535\n.word 65535\n.word 65535\n.word 0\n.word 0\n.word 0\n.word 0\n.word 0\n.word 65535\n.word 65535\n.word 65535\n.word 0\n.word 0\n.word 0\n.word 0\n.word 0\nmask3_5_4_3_1:\n.word 65535\n.word 65535\n.word 65535\n.word 0\n.word 0\n.word 0\n.word 0\n.word 0\n.word 0\n.word 0\n.word 0\n.word 0\n.word 65535\n.word 65535\n.word 65535\n.word 0\nmask_keephigh:\n.word 0\n.word 0\n.word 0\n.word 0\n.word 0\n.word 0\n.word 0\n.word 0\n.word 65535\n.word 65535\n.word 65535\n.word 65535\n.word 65535\n.word 65535\n.word 65535\n.word 65535\nmask_mod8192:\n.word 8191\n.word 8191\n.word 8191\n.word 8191\n.word 8191\n.word 8191\n.word 8191\n.word 8191\n.word 8191\n.word 8191\n.word 8191\n.word 8191\n.word 8191\n.word 8191\n.word 8191\n.word 8191\n.text\n.global poly_Rq_mul\n.hidden poly_Rq_mul\n.type poly_Rq_mul, @function\n.att_syntax prefix\npoly_Rq_mul:\n.cfi_startproc\n_CET_ENDBR\npush %rbp\n.cfi_adjust_cfa_offset 8\n.cfi_offset rbp, -16\nmovq %rsp, %rbp\n.cfi_def_cfa_register rbp\npush %r12\n.cfi_offset r12, -24\n# This function originally used a significant amount of stack space. As an\n# alternative, the needed scratch space is now passed in as the 4th argument.\n# The amount of scratch space used must thus be kept in sync with\n# POLY_MUL_RQ_SCRATCH_SPACE in internal.h.\n#\n# Setting RSP to point into the given scratch space upsets the ABI tests\n# therefore all references to RSP are switched to R8.\nmov %rcx, %r8\naddq $6144+12288+512+9408+32, %r8\nmov %r8, %rax\nsubq $6144, %r8\nmov %r8, %r11\nsubq $12288, %r8\nmov %r8, %r12\nsubq $512, %r8\nvmovdqa const3(%rip), %ymm3\nvmovdqu 0(%rsi), %ymm0\nvmovdqu 88(%rsi), %ymm1\nvmovdqu 176(%rsi), %ymm2\nvmovdqu 264(%rsi), %ymm12\nvmovdqu 1056(%rsi), %ymm4\nvmovdqu 1144(%rsi), %ymm5\nvmovdqu 1232(%rsi), %ymm6\nvmovdqu 1320(%rsi), %ymm7\nvmovdqu 352(%rsi), %ymm8\nvmovdqu 440(%rsi), %ymm9\nvmovdqu 528(%rsi), %ymm10\nvmovdqu 616(%rsi), %ymm11\nvmovdqa %ymm0, 0(%rax)\nvmovdqa %ymm1, 96(%rax)\nvpaddw %ymm0, %ymm1, %ymm14\nvmovdqa %ymm14, 192(%rax)\nvmovdqa %ymm2, 288(%rax)\nvmovdqa %ymm12, 384(%rax)\nvpaddw %ymm2, %ymm12, %ymm14\nvmovdqa %ymm14, 480(%rax)\nvpaddw %ymm0, %ymm2, %ymm14\nvmovdqa %ymm14, 576(%rax)\nvpaddw %ymm1, %ymm12, %ymm15\nvmovdqa %ymm15, 672(%rax)\nvpaddw %ymm14, %ymm15, %ymm14\nvmovdqa %ymm14, 768(%rax)\nvmovdqa %ymm4, 5184(%rax)\nvmovdqa %ymm5, 5280(%rax)\nvpaddw %ymm4, %ymm5, %ymm14\nvmovdqa %ymm14, 5376(%rax)\nvmovdqa %ymm6, 5472(%rax)\nvmovdqa %ymm7, 5568(%rax)\nvpaddw %ymm6, %ymm7, %ymm14\nvmovdqa %ymm14, 5664(%rax)\nvpaddw %ymm4, %ymm6, %ymm14\nvmovdqa %ymm14, 5760(%rax)\nvpaddw %ymm5, %ymm7, %ymm15\nvmovdqa %ymm15, 5856(%rax)\nvpaddw %ymm14, %ymm15, %ymm14\nvmovdqa %ymm14, 5952(%rax)\nvmovdqa %ymm0, 0(%r8)\nvmovdqa %ymm1, 32(%r8)\nvmovdqa %ymm2, 64(%r8)\nvmovdqa %ymm12, 96(%r8)\nvmovdqa %ymm8, 128(%r8)\nvmovdqa %ymm9, 160(%r8)\nvmovdqa %ymm10, 192(%r8)\nvmovdqa %ymm11, 224(%r8)\nvmovdqu 704(%rsi), %ymm0\nvpaddw 0(%r8), %ymm0, %ymm1\nvpaddw 128(%r8), %ymm4, %ymm2\nvpaddw %ymm2, %ymm1, %ymm8\nvpsubw %ymm2, %ymm1, %ymm12\nvmovdqa %ymm0, 256(%r8)\nvmovdqu 792(%rsi), %ymm0\nvpaddw 32(%r8), %ymm0, %ymm1\nvpaddw 160(%r8), %ymm5, %ymm2\nvpaddw %ymm2, %ymm1, %ymm9\nvpsubw %ymm2, %ymm1, %ymm13\nvmovdqa %ymm0, 288(%r8)\nvmovdqu 880(%rsi), %ymm0\nvpaddw 64(%r8), %ymm0, %ymm1\nvpaddw 192(%r8), %ymm6, %ymm2\nvpaddw %ymm2, %ymm1, %ymm10\nvpsubw %ymm2, %ymm1, %ymm14\nvmovdqa %ymm0, 320(%r8)\nvmovdqu 968(%rsi), %ymm0\nvpaddw 96(%r8), %ymm0, %ymm1\nvpaddw 224(%r8), %ymm7, %ymm2\nvpaddw %ymm2, %ymm1, %ymm11\nvpsubw %ymm2, %ymm1, %ymm15\nvmovdqa %ymm0, 352(%r8)\nvmovdqa %ymm8, 864(%rax)\nvmovdqa %ymm9, 960(%rax)\nvpaddw %ymm8, %ymm9, %ymm0\nvmovdqa %ymm0, 1056(%rax)\nvmovdqa %ymm10, 1152(%rax)\nvmovdqa %ymm11, 1248(%rax)\nvpaddw %ymm10, %ymm11, %ymm0\nvmovdqa %ymm0, 1344(%rax)\nvpaddw %ymm8, %ymm10, %ymm0\nvmovdqa %ymm0, 1440(%rax)\nvpaddw %ymm9, %ymm11, %ymm1\nvmovdqa %ymm1, 1536(%rax)\nvpaddw %ymm0, %ymm1, %ymm0\nvmovdqa %ymm0, 1632(%rax)\nvmovdqa %ymm12, 1728(%rax)\nvmovdqa %ymm13, 1824(%rax)\nvpaddw %ymm12, %ymm13, %ymm0\nvmovdqa %ymm0, 1920(%rax)\nvmovdqa %ymm14, 2016(%rax)\nvmovdqa %ymm15, 2112(%rax)\nvpaddw %ymm14, %ymm15, %ymm0\nvmovdqa %ymm0, 2208(%rax)\nvpaddw %ymm12, %ymm14, %ymm0\nvmovdqa %ymm0, 2304(%rax)\nvpaddw %ymm13, %ymm15, %ymm1\nvmovdqa %ymm1, 2400(%rax)\nvpaddw %ymm0, %ymm1, %ymm0\nvmovdqa %ymm0, 2496(%rax)\nvmovdqa 256(%r8), %ymm0\nvpsllw $2, %ymm0, %ymm0\nvpaddw 0(%r8), %ymm0, %ymm0\nvpsllw $2, %ymm4, %ymm1\nvpaddw 128(%r8), %ymm1, %ymm1\nvpsllw $1, %ymm1, %ymm1\nvpaddw %ymm1, %ymm0, %ymm8\nvpsubw %ymm1, %ymm0, %ymm12\nvmovdqa 288(%r8), %ymm0\nvpsllw $2, %ymm0, %ymm0\nvpaddw 32(%r8), %ymm0, %ymm0\nvpsllw $2, %ymm5, %ymm1\nvpaddw 160(%r8), %ymm1, %ymm1\nvpsllw $1, %ymm1, %ymm1\nvpaddw %ymm1, %ymm0, %ymm9\nvpsubw %ymm1, %ymm0, %ymm13\nvmovdqa 320(%r8), %ymm0\nvpsllw $2, %ymm0, %ymm0\nvpaddw 64(%r8), %ymm0, %ymm0\nvpsllw $2, %ymm6, %ymm1\nvpaddw 192(%r8), %ymm1, %ymm1\nvpsllw $1, %ymm1, %ymm1\nvpaddw %ymm1, %ymm0, %ymm10\nvpsubw %ymm1, %ymm0, %ymm14\nvmovdqa 352(%r8), %ymm0\nvpsllw $2, %ymm0, %ymm0\nvpaddw 96(%r8), %ymm0, %ymm0\nvpsllw $2, %ymm7, %ymm1\nvpaddw 224(%r8), %ymm1, %ymm1\nvpsllw $1, %ymm1, %ymm1\nvpaddw %ymm1, %ymm0, %ymm11\nvpsubw %ymm1, %ymm0, %ymm15\nvmovdqa %ymm8, 2592(%rax)\nvmovdqa %ymm9, 2688(%rax)\nvpaddw %ymm8, %ymm9, %ymm0\nvmovdqa %ymm0, 2784(%rax)\nvmovdqa %ymm10, 2880(%rax)\nvmovdqa %ymm11, 2976(%rax)\nvpaddw %ymm10, %ymm11, %ymm0\nvmovdqa %ymm0, 3072(%rax)\nvpaddw %ymm8, %ymm10, %ymm0\nvmovdqa %ymm0, 3168(%rax)\nvpaddw %ymm9, %ymm11, %ymm1\nvmovdqa %ymm1, 3264(%rax)\nvpaddw %ymm0, %ymm1, %ymm0\nvmovdqa %ymm0, 3360(%rax)\nvmovdqa %ymm12, 3456(%rax)\nvmovdqa %ymm13, 3552(%rax)\nvpaddw %ymm12, %ymm13, %ymm0\nvmovdqa %ymm0, 3648(%rax)\nvmovdqa %ymm14, 3744(%rax)\nvmovdqa %ymm15, 3840(%rax)\nvpaddw %ymm14, %ymm15, %ymm0\nvmovdqa %ymm0, 3936(%rax)\nvpaddw %ymm12, %ymm14, %ymm0\nvmovdqa %ymm0, 4032(%rax)\nvpaddw %ymm13, %ymm15, %ymm1\nvmovdqa %ymm1, 4128(%rax)\nvpaddw %ymm0, %ymm1, %ymm0\nvmovdqa %ymm0, 4224(%rax)\nvpmullw %ymm3, %ymm4, %ymm0\nvpaddw 256(%r8), %ymm0, %ymm0\nvpmullw %ymm3, %ymm0, %ymm0\nvpaddw 128(%r8), %ymm0, %ymm0\nvpmullw %ymm3, %ymm0, %ymm0\nvpaddw 0(%r8), %ymm0, %ymm12\nvpmullw %ymm3, %ymm5, %ymm0\nvpaddw 288(%r8), %ymm0, %ymm0\nvpmullw %ymm3, %ymm0, %ymm0\nvpaddw 160(%r8), %ymm0, %ymm0\nvpmullw %ymm3, %ymm0, %ymm0\nvpaddw 32(%r8), %ymm0, %ymm13\nvpmullw %ymm3, %ymm6, %ymm0\nvpaddw 320(%r8), %ymm0, %ymm0\nvpmullw %ymm3, %ymm0, %ymm0\nvpaddw 192(%r8), %ymm0, %ymm0\nvpmullw %ymm3, %ymm0, %ymm0\nvpaddw 64(%r8), %ymm0, %ymm14\nvpmullw %ymm3, %ymm7, %ymm0\nvpaddw 352(%r8), %ymm0, %ymm0\nvpmullw %ymm3, %ymm0, %ymm0\nvpaddw 224(%r8), %ymm0, %ymm0\nvpmullw %ymm3, %ymm0, %ymm0\nvpaddw 96(%r8), %ymm0, %ymm15\nvmovdqa %ymm12, 4320(%rax)\nvmovdqa %ymm13, 4416(%rax)\nvpaddw %ymm12, %ymm13, %ymm0\nvmovdqa %ymm0, 4512(%rax)\nvmovdqa %ymm14, 4608(%rax)\nvmovdqa %ymm15, 4704(%rax)\nvpaddw %ymm14, %ymm15, %ymm0\nvmovdqa %ymm0, 4800(%rax)\nvpaddw %ymm12, %ymm14, %ymm0\nvmovdqa %ymm0, 4896(%rax)\nvpaddw %ymm13, %ymm15, %ymm1\nvmovdqa %ymm1, 4992(%rax)\nvpaddw %ymm0, %ymm1, %ymm0\nvmovdqa %ymm0, 5088(%rax)\nvmovdqu 32(%rsi), %ymm0\nvmovdqu 120(%rsi), %ymm1\nvmovdqu 208(%rsi), %ymm2\nvmovdqu 296(%rsi), %ymm12\nvmovdqu 1088(%rsi), %ymm4\nvmovdqu 1176(%rsi), %ymm5\nvmovdqu 1264(%rsi), %ymm6\nvmovdqu 1352(%rsi), %ymm7\nvmovdqu 384(%rsi), %ymm8\nvmovdqu 472(%rsi), %ymm9\nvmovdqu 560(%rsi), %ymm10\nvmovdqu 648(%rsi), %ymm11\nvmovdqa %ymm0, 32(%rax)\nvmovdqa %ymm1, 128(%rax)\nvpaddw %ymm0, %ymm1, %ymm14\nvmovdqa %ymm14, 224(%rax)\nvmovdqa %ymm2, 320(%rax)\nvmovdqa %ymm12, 416(%rax)\nvpaddw %ymm2, %ymm12, %ymm14\nvmovdqa %ymm14, 512(%rax)\nvpaddw %ymm0, %ymm2, %ymm14\nvmovdqa %ymm14, 608(%rax)\nvpaddw %ymm1, %ymm12, %ymm15\nvmovdqa %ymm15, 704(%rax)\nvpaddw %ymm14, %ymm15, %ymm14\nvmovdqa %ymm14, 800(%rax)\nvmovdqa %ymm4, 5216(%rax)\nvmovdqa %ymm5, 5312(%rax)\nvpaddw %ymm4, %ymm5, %ymm14\nvmovdqa %ymm14, 5408(%rax)\nvmovdqa %ymm6, 5504(%rax)\nvmovdqa %ymm7, 5600(%rax)\nvpaddw %ymm6, %ymm7, %ymm14\nvmovdqa %ymm14, 5696(%rax)\nvpaddw %ymm4, %ymm6, %ymm14\nvmovdqa %ymm14, 5792(%rax)\nvpaddw %ymm5, %ymm7, %ymm15\nvmovdqa %ymm15, 5888(%rax)\nvpaddw %ymm14, %ymm15, %ymm14\nvmovdqa %ymm14, 5984(%rax)\nvmovdqa %ymm0, 0(%r8)\nvmovdqa %ymm1, 32(%r8)\nvmovdqa %ymm2, 64(%r8)\nvmovdqa %ymm12, 96(%r8)\nvmovdqa %ymm8, 128(%r8)\nvmovdqa %ymm9, 160(%r8)\nvmovdqa %ymm10, 192(%r8)\nvmovdqa %ymm11, 224(%r8)\nvmovdqu 736(%rsi), %ymm0\nvpaddw 0(%r8), %ymm0, %ymm1\nvpaddw 128(%r8), %ymm4, %ymm2\nvpaddw %ymm2, %ymm1, %ymm8\nvpsubw %ymm2, %ymm1, %ymm12\nvmovdqa %ymm0, 256(%r8)\nvmovdqu 824(%rsi), %ymm0\nvpaddw 32(%r8), %ymm0, %ymm1\nvpaddw 160(%r8), %ymm5, %ymm2\nvpaddw %ymm2, %ymm1, %ymm9\nvpsubw %ymm2, %ymm1, %ymm13\nvmovdqa %ymm0, 288(%r8)\nvmovdqu 912(%rsi), %ymm0\nvpaddw 64(%r8), %ymm0, %ymm1\nvpaddw 192(%r8), %ymm6, %ymm2\nvpaddw %ymm2, %ymm1, %ymm10\nvpsubw %ymm2, %ymm1, %ymm14\nvmovdqa %ymm0, 320(%r8)\nvmovdqu 1000(%rsi), %ymm0\nvpaddw 96(%r8), %ymm0, %ymm1\nvpaddw 224(%r8), %ymm7, %ymm2\nvpaddw %ymm2, %ymm1, %ymm11\nvpsubw %ymm2, %ymm1, %ymm15\nvmovdqa %ymm0, 352(%r8)\nvmovdqa %ymm8, 896(%rax)\nvmovdqa %ymm9, 992(%rax)\nvpaddw %ymm8, %ymm9, %ymm0\nvmovdqa %ymm0, 1088(%rax)\nvmovdqa %ymm10, 1184(%rax)\nvmovdqa %ymm11, 1280(%rax)\nvpaddw %ymm10, %ymm11, %ymm0\nvmovdqa %ymm0, 1376(%rax)\nvpaddw %ymm8, %ymm10, %ymm0\nvmovdqa %ymm0, 1472(%rax)\nvpaddw %ymm9, %ymm11, %ymm1\nvmovdqa %ymm1, 1568(%rax)\nvpaddw %ymm0, %ymm1, %ymm0\nvmovdqa %ymm0, 1664(%rax)\nvmovdqa %ymm12, 1760(%rax)\nvmovdqa %ymm13, 1856(%rax)\nvpaddw %ymm12, %ymm13, %ymm0\nvmovdqa %ymm0, 1952(%rax)\nvmovdqa %ymm14, 2048(%rax)\nvmovdqa %ymm15, 2144(%rax)\nvpaddw %ymm14, %ymm15, %ymm0\nvmovdqa %ymm0, 2240(%rax)\nvpaddw %ymm12, %ymm14, %ymm0\nvmovdqa %ymm0, 2336(%rax)\nvpaddw %ymm13, %ymm15, %ymm1\nvmovdqa %ymm1, 2432(%rax)\nvpaddw %ymm0, %ymm1, %ymm0\nvmovdqa %ymm0, 2528(%rax)\nvmovdqa 256(%r8), %ymm0\nvpsllw $2, %ymm0, %ymm0\nvpaddw 0(%r8), %ymm0, %ymm0\nvpsllw $2, %ymm4, %ymm1\nvpaddw 128(%r8), %ymm1, %ymm1\nvpsllw $1, %ymm1, %ymm1\nvpaddw %ymm1, %ymm0, %ymm8\nvpsubw %ymm1, %ymm0, %ymm12\nvmovdqa 288(%r8), %ymm0\nvpsllw $2, %ymm0, %ymm0\nvpaddw 32(%r8), %ymm0, %ymm0\nvpsllw $2, %ymm5, %ymm1\nvpaddw 160(%r8), %ymm1, %ymm1\nvpsllw $1, %ymm1, %ymm1\nvpaddw %ymm1, %ymm0, %ymm9\nvpsubw %ymm1, %ymm0, %ymm13\nvmovdqa 320(%r8), %ymm0\nvpsllw $2, %ymm0, %ymm0\nvpaddw 64(%r8), %ymm0, %ymm0\nvpsllw $2, %ymm6, %ymm1\nvpaddw 192(%r8), %ymm1, %ymm1\nvpsllw $1, %ymm1, %ymm1\nvpaddw %ymm1, %ymm0, %ymm10\nvpsubw %ymm1, %ymm0, %ymm14\nvmovdqa 352(%r8), %ymm0\nvpsllw $2, %ymm0, %ymm0\nvpaddw 96(%r8), %ymm0, %ymm0\nvpsllw $2, %ymm7, %ymm1\nvpaddw 224(%r8), %ymm1, %ymm1\nvpsllw $1, %ymm1, %ymm1\nvpaddw %ymm1, %ymm0, %ymm11\nvpsubw %ymm1, %ymm0, %ymm15\nvmovdqa %ymm8, 2624(%rax)\nvmovdqa %ymm9, 2720(%rax)\nvpaddw %ymm8, %ymm9, %ymm0\nvmovdqa %ymm0, 2816(%rax)\nvmovdqa %ymm10, 2912(%rax)\nvmovdqa %ymm11, 3008(%rax)\nvpaddw %ymm10, %ymm11, %ymm0\nvmovdqa %ymm0, 3104(%rax)\nvpaddw %ymm8, %ymm10, %ymm0\nvmovdqa %ymm0, 3200(%rax)\nvpaddw %ymm9, %ymm11, %ymm1\nvmovdqa %ymm1, 3296(%rax)\nvpaddw %ymm0, %ymm1, %ymm0\nvmovdqa %ymm0, 3392(%rax)\nvmovdqa %ymm12, 3488(%rax)\nvmovdqa %ymm13, 3584(%rax)\nvpaddw %ymm12, %ymm13, %ymm0\nvmovdqa %ymm0, 3680(%rax)\nvmovdqa %ymm14, 3776(%rax)\nvmovdqa %ymm15, 3872(%rax)\nvpaddw %ymm14, %ymm15, %ymm0\nvmovdqa %ymm0, 3968(%rax)\nvpaddw %ymm12, %ymm14, %ymm0\nvmovdqa %ymm0, 4064(%rax)\nvpaddw %ymm13, %ymm15, %ymm1\nvmovdqa %ymm1, 4160(%rax)\nvpaddw %ymm0, %ymm1, %ymm0\nvmovdqa %ymm0, 4256(%rax)\nvpmullw %ymm3, %ymm4, %ymm0\nvpaddw 256(%r8), %ymm0, %ymm0\nvpmullw %ymm3, %ymm0, %ymm0\nvpaddw 128(%r8), %ymm0, %ymm0\nvpmullw %ymm3, %ymm0, %ymm0\nvpaddw 0(%r8), %ymm0, %ymm12\nvpmullw %ymm3, %ymm5, %ymm0\nvpaddw 288(%r8), %ymm0, %ymm0\nvpmullw %ymm3, %ymm0, %ymm0\nvpaddw 160(%r8), %ymm0, %ymm0\nvpmullw %ymm3, %ymm0, %ymm0\nvpaddw 32(%r8), %ymm0, %ymm13\nvpmullw %ymm3, %ymm6, %ymm0\nvpaddw 320(%r8), %ymm0, %ymm0\nvpmullw %ymm3, %ymm0, %ymm0\nvpaddw 192(%r8), %ymm0, %ymm0\nvpmullw %ymm3, %ymm0, %ymm0\nvpaddw 64(%r8), %ymm0, %ymm14\nvpmullw %ymm3, %ymm7, %ymm0\nvpaddw 352(%r8), %ymm0, %ymm0\nvpmullw %ymm3, %ymm0, %ymm0\nvpaddw 224(%r8), %ymm0, %ymm0\nvpmullw %ymm3, %ymm0, %ymm0\nvpaddw 96(%r8), %ymm0, %ymm15\nvmovdqa %ymm12, 4352(%rax)\nvmovdqa %ymm13, 4448(%rax)\nvpaddw %ymm12, %ymm13, %ymm0\nvmovdqa %ymm0, 4544(%rax)\nvmovdqa %ymm14, 4640(%rax)\nvmovdqa %ymm15, 4736(%rax)\nvpaddw %ymm14, %ymm15, %ymm0\nvmovdqa %ymm0, 4832(%rax)\nvpaddw %ymm12, %ymm14, %ymm0\nvmovdqa %ymm0, 4928(%rax)\nvpaddw %ymm13, %ymm15, %ymm1\nvmovdqa %ymm1, 5024(%rax)\nvpaddw %ymm0, %ymm1, %ymm0\nvmovdqa %ymm0, 5120(%rax)\nvmovdqu 64(%rsi), %ymm0\nvmovdqu 152(%rsi), %ymm1\nvmovdqu 240(%rsi), %ymm2\nvmovdqu 328(%rsi), %ymm12\nvmovdqu 1120(%rsi), %ymm4\nvmovdqu 1208(%rsi), %ymm5\nvmovdqu 1296(%rsi), %ymm6\n\n# Only 18 bytes more can be read, but vmovdqu reads 32.\n# Copy 18 bytes to the red zone and zero pad to 32 bytes.\nxor %r9, %r9\nmovq %r9, -16(%rsp)\nmovq %r9, -8(%rsp)\nmovq 1384(%rsi), %r9\nmovq %r9, -32(%rsp)\nmovq 1384+8(%rsi), %r9\nmovq %r9, -24(%rsp)\nmovw 1384+16(%rsi), %r9w\nmovw %r9w, -16(%rsp)\nvmovdqu -32(%rsp), %ymm7\n\nvmovdqu 416(%rsi), %ymm8\nvmovdqu 504(%rsi), %ymm9\nvmovdqu 592(%rsi), %ymm10\nvmovdqu 680(%rsi), %ymm11\nvmovdqa %ymm0, 64(%rax)\nvmovdqa %ymm1, 160(%rax)\nvpaddw %ymm0, %ymm1, %ymm14\nvmovdqa %ymm14, 256(%rax)\nvmovdqa %ymm2, 352(%rax)\nvmovdqa %ymm12, 448(%rax)\nvpaddw %ymm2, %ymm12, %ymm14\nvmovdqa %ymm14, 544(%rax)\nvpaddw %ymm0, %ymm2, %ymm14\nvmovdqa %ymm14, 640(%rax)\nvpaddw %ymm1, %ymm12, %ymm15\nvmovdqa %ymm15, 736(%rax)\nvpaddw %ymm14, %ymm15, %ymm14\nvmovdqa %ymm14, 832(%rax)\nvmovdqa %ymm4, 5248(%rax)\nvmovdqa %ymm5, 5344(%rax)\nvpaddw %ymm4, %ymm5, %ymm14\nvmovdqa %ymm14, 5440(%rax)\nvmovdqa %ymm6, 5536(%rax)\nvmovdqa %ymm7, 5632(%rax)\nvpaddw %ymm6, %ymm7, %ymm14\nvmovdqa %ymm14, 5728(%rax)\nvpaddw %ymm4, %ymm6, %ymm14\nvmovdqa %ymm14, 5824(%rax)\nvpaddw %ymm5, %ymm7, %ymm15\nvmovdqa %ymm15, 5920(%rax)\nvpaddw %ymm14, %ymm15, %ymm14\nvmovdqa %ymm14, 6016(%rax)\nvmovdqa %ymm0, 0(%r8)\nvmovdqa %ymm1, 32(%r8)\nvmovdqa %ymm2, 64(%r8)\nvmovdqa %ymm12, 96(%r8)\nvmovdqa %ymm8, 128(%r8)\nvmovdqa %ymm9, 160(%r8)\nvmovdqa %ymm10, 192(%r8)\nvmovdqa %ymm11, 224(%r8)\nvmovdqu 768(%rsi), %ymm0\nvpaddw 0(%r8), %ymm0, %ymm1\nvpaddw 128(%r8), %ymm4, %ymm2\nvpaddw %ymm2, %ymm1, %ymm8\nvpsubw %ymm2, %ymm1, %ymm12\nvmovdqa %ymm0, 256(%r8)\nvmovdqu 856(%rsi), %ymm0\nvpaddw 32(%r8), %ymm0, %ymm1\nvpaddw 160(%r8), %ymm5, %ymm2\nvpaddw %ymm2, %ymm1, %ymm9\nvpsubw %ymm2, %ymm1, %ymm13\nvmovdqa %ymm0, 288(%r8)\nvmovdqu 944(%rsi), %ymm0\nvpaddw 64(%r8), %ymm0, %ymm1\nvpaddw 192(%r8), %ymm6, %ymm2\nvpaddw %ymm2, %ymm1, %ymm10\nvpsubw %ymm2, %ymm1, %ymm14\nvmovdqa %ymm0, 320(%r8)\nvmovdqu 1032(%rsi), %ymm0\nvpaddw 96(%r8), %ymm0, %ymm1\nvpaddw 224(%r8), %ymm7, %ymm2\nvpaddw %ymm2, %ymm1, %ymm11\nvpsubw %ymm2, %ymm1, %ymm15\nvmovdqa %ymm0, 352(%r8)\nvmovdqa %ymm8, 928(%rax)\nvmovdqa %ymm9, 1024(%rax)\nvpaddw %ymm8, %ymm9, %ymm0\nvmovdqa %ymm0, 1120(%rax)\nvmovdqa %ymm10, 1216(%rax)\nvmovdqa %ymm11, 1312(%rax)\nvpaddw %ymm10, %ymm11, %ymm0\nvmovdqa %ymm0, 1408(%rax)\nvpaddw %ymm8, %ymm10, %ymm0\nvmovdqa %ymm0, 1504(%rax)\nvpaddw %ymm9, %ymm11, %ymm1\nvmovdqa %ymm1, 1600(%rax)\nvpaddw %ymm0, %ymm1, %ymm0\nvmovdqa %ymm0, 1696(%rax)\nvmovdqa %ymm12, 1792(%rax)\nvmovdqa %ymm13, 1888(%rax)\nvpaddw %ymm12, %ymm13, %ymm0\nvmovdqa %ymm0, 1984(%rax)\nvmovdqa %ymm14, 2080(%rax)\nvmovdqa %ymm15, 2176(%rax)\nvpaddw %ymm14, %ymm15, %ymm0\nvmovdqa %ymm0, 2272(%rax)\nvpaddw %ymm12, %ymm14, %ymm0\nvmovdqa %ymm0, 2368(%rax)\nvpaddw %ymm13, %ymm15, %ymm1\nvmovdqa %ymm1, 2464(%rax)\nvpaddw %ymm0, %ymm1, %ymm0\nvmovdqa %ymm0, 2560(%rax)\nvmovdqa 256(%r8), %ymm0\nvpsllw $2, %ymm0, %ymm0\nvpaddw 0(%r8), %ymm0, %ymm0\nvpsllw $2, %ymm4, %ymm1\nvpaddw 128(%r8), %ymm1, %ymm1\nvpsllw $1, %ymm1, %ymm1\nvpaddw %ymm1, %ymm0, %ymm8\nvpsubw %ymm1, %ymm0, %ymm12\nvmovdqa 288(%r8), %ymm0\nvpsllw $2, %ymm0, %ymm0\nvpaddw 32(%r8), %ymm0, %ymm0\nvpsllw $2, %ymm5, %ymm1\nvpaddw 160(%r8), %ymm1, %ymm1\nvpsllw $1, %ymm1, %ymm1\nvpaddw %ymm1, %ymm0, %ymm9\nvpsubw %ymm1, %ymm0, %ymm13\nvmovdqa 320(%r8), %ymm0\nvpsllw $2, %ymm0, %ymm0\nvpaddw 64(%r8), %ymm0, %ymm0\nvpsllw $2, %ymm6, %ymm1\nvpaddw 192(%r8), %ymm1, %ymm1\nvpsllw $1, %ymm1, %ymm1\nvpaddw %ymm1, %ymm0, %ymm10\nvpsubw %ymm1, %ymm0, %ymm14\nvmovdqa 352(%r8), %ymm0\nvpsllw $2, %ymm0, %ymm0\nvpaddw 96(%r8), %ymm0, %ymm0\nvpsllw $2, %ymm7, %ymm1\nvpaddw 224(%r8), %ymm1, %ymm1\nvpsllw $1, %ymm1, %ymm1\nvpaddw %ymm1, %ymm0, %ymm11\nvpsubw %ymm1, %ymm0, %ymm15\nvmovdqa %ymm8, 2656(%rax)\nvmovdqa %ymm9, 2752(%rax)\nvpaddw %ymm8, %ymm9, %ymm0\nvmovdqa %ymm0, 2848(%rax)\nvmovdqa %ymm10, 2944(%rax)\nvmovdqa %ymm11, 3040(%rax)\nvpaddw %ymm10, %ymm11, %ymm0\nvmovdqa %ymm0, 3136(%rax)\nvpaddw %ymm8, %ymm10, %ymm0\nvmovdqa %ymm0, 3232(%rax)\nvpaddw %ymm9, %ymm11, %ymm1\nvmovdqa %ymm1, 3328(%rax)\nvpaddw %ymm0, %ymm1, %ymm0\nvmovdqa %ymm0, 3424(%rax)\nvmovdqa %ymm12, 3520(%rax)\nvmovdqa %ymm13, 3616(%rax)\nvpaddw %ymm12, %ymm13, %ymm0\nvmovdqa %ymm0, 3712(%rax)\nvmovdqa %ymm14, 3808(%rax)\nvmovdqa %ymm15, 3904(%rax)\nvpaddw %ymm14, %ymm15, %ymm0\nvmovdqa %ymm0, 4000(%rax)\nvpaddw %ymm12, %ymm14, %ymm0\nvmovdqa %ymm0, 4096(%rax)\nvpaddw %ymm13, %ymm15, %ymm1\nvmovdqa %ymm1, 4192(%rax)\nvpaddw %ymm0, %ymm1, %ymm0\nvmovdqa %ymm0, 4288(%rax)\nvpmullw %ymm3, %ymm4, %ymm0\nvpaddw 256(%r8), %ymm0, %ymm0\nvpmullw %ymm3, %ymm0, %ymm0\nvpaddw 128(%r8), %ymm0, %ymm0\nvpmullw %ymm3, %ymm0, %ymm0\nvpaddw 0(%r8), %ymm0, %ymm12\nvpmullw %ymm3, %ymm5, %ymm0\nvpaddw 288(%r8), %ymm0, %ymm0\nvpmullw %ymm3, %ymm0, %ymm0\nvpaddw 160(%r8), %ymm0, %ymm0\nvpmullw %ymm3, %ymm0, %ymm0\nvpaddw 32(%r8), %ymm0, %ymm13\nvpmullw %ymm3, %ymm6, %ymm0\nvpaddw 320(%r8), %ymm0, %ymm0\nvpmullw %ymm3, %ymm0, %ymm0\nvpaddw 192(%r8), %ymm0, %ymm0\nvpmullw %ymm3, %ymm0, %ymm0\nvpaddw 64(%r8), %ymm0, %ymm14\nvpmullw %ymm3, %ymm7, %ymm0\nvpaddw 352(%r8), %ymm0, %ymm0\nvpmullw %ymm3, %ymm0, %ymm0\nvpaddw 224(%r8), %ymm0, %ymm0\nvpmullw %ymm3, %ymm0, %ymm0\nvpaddw 96(%r8), %ymm0, %ymm15\nvmovdqa %ymm12, 4384(%rax)\nvmovdqa %ymm13, 4480(%rax)\nvpaddw %ymm12, %ymm13, %ymm0\nvmovdqa %ymm0, 4576(%rax)\nvmovdqa %ymm14, 4672(%rax)\nvmovdqa %ymm15, 4768(%rax)\nvpaddw %ymm14, %ymm15, %ymm0\nvmovdqa %ymm0, 4864(%rax)\nvpaddw %ymm12, %ymm14, %ymm0\nvmovdqa %ymm0, 4960(%rax)\nvpaddw %ymm13, %ymm15, %ymm1\nvmovdqa %ymm1, 5056(%rax)\nvpaddw %ymm0, %ymm1, %ymm0\nvmovdqa %ymm0, 5152(%rax)\nvmovdqu 0(%rdx), %ymm0\nvmovdqu 88(%rdx), %ymm1\nvmovdqu 176(%rdx), %ymm2\nvmovdqu 264(%rdx), %ymm12\nvmovdqu 1056(%rdx), %ymm4\nvmovdqu 1144(%rdx), %ymm5\nvmovdqu 1232(%rdx), %ymm6\nvmovdqu 1320(%rdx), %ymm7\nvmovdqu 352(%rdx), %ymm8\nvmovdqu 440(%rdx), %ymm9\nvmovdqu 528(%rdx), %ymm10\nvmovdqu 616(%rdx), %ymm11\nvmovdqa %ymm0, 0(%r11)\nvmovdqa %ymm1, 96(%r11)\nvpaddw %ymm0, %ymm1, %ymm14\nvmovdqa %ymm14, 192(%r11)\nvmovdqa %ymm2, 288(%r11)\nvmovdqa %ymm12, 384(%r11)\nvpaddw %ymm2, %ymm12, %ymm14\nvmovdqa %ymm14, 480(%r11)\nvpaddw %ymm0, %ymm2, %ymm14\nvmovdqa %ymm14, 576(%r11)\nvpaddw %ymm1, %ymm12, %ymm15\nvmovdqa %ymm15, 672(%r11)\nvpaddw %ymm14, %ymm15, %ymm14\nvmovdqa %ymm14, 768(%r11)\nvmovdqa %ymm4, 5184(%r11)\nvmovdqa %ymm5, 5280(%r11)\nvpaddw %ymm4, %ymm5, %ymm14\nvmovdqa %ymm14, 5376(%r11)\nvmovdqa %ymm6, 5472(%r11)\nvmovdqa %ymm7, 5568(%r11)\nvpaddw %ymm6, %ymm7, %ymm14\nvmovdqa %ymm14, 5664(%r11)\nvpaddw %ymm4, %ymm6, %ymm14\nvmovdqa %ymm14, 5760(%r11)\nvpaddw %ymm5, %ymm7, %ymm15\nvmovdqa %ymm15, 5856(%r11)\nvpaddw %ymm14, %ymm15, %ymm14\nvmovdqa %ymm14, 5952(%r11)\nvmovdqa %ymm0, 0(%r8)\nvmovdqa %ymm1, 32(%r8)\nvmovdqa %ymm2, 64(%r8)\nvmovdqa %ymm12, 96(%r8)\nvmovdqa %ymm8, 128(%r8)\nvmovdqa %ymm9, 160(%r8)\nvmovdqa %ymm10, 192(%r8)\nvmovdqa %ymm11, 224(%r8)\nvmovdqu 704(%rdx), %ymm0\nvpaddw 0(%r8), %ymm0, %ymm1\nvpaddw 128(%r8), %ymm4, %ymm2\nvpaddw %ymm2, %ymm1, %ymm8\nvpsubw %ymm2, %ymm1, %ymm12\nvmovdqa %ymm0, 256(%r8)\nvmovdqu 792(%rdx), %ymm0\nvpaddw 32(%r8), %ymm0, %ymm1\nvpaddw 160(%r8), %ymm5, %ymm2\nvpaddw %ymm2, %ymm1, %ymm9\nvpsubw %ymm2, %ymm1, %ymm13\nvmovdqa %ymm0, 288(%r8)\nvmovdqu 880(%rdx), %ymm0\nvpaddw 64(%r8), %ymm0, %ymm1\nvpaddw 192(%r8), %ymm6, %ymm2\nvpaddw %ymm2, %ymm1, %ymm10\nvpsubw %ymm2, %ymm1, %ymm14\nvmovdqa %ymm0, 320(%r8)\nvmovdqu 968(%rdx), %ymm0\nvpaddw 96(%r8), %ymm0, %ymm1\nvpaddw 224(%r8), %ymm7, %ymm2\nvpaddw %ymm2, %ymm1, %ymm11\nvpsubw %ymm2, %ymm1, %ymm15\nvmovdqa %ymm0, 352(%r8)\nvmovdqa %ymm8, 864(%r11)\nvmovdqa %ymm9, 960(%r11)\nvpaddw %ymm8, %ymm9, %ymm0\nvmovdqa %ymm0, 1056(%r11)\nvmovdqa %ymm10, 1152(%r11)\nvmovdqa %ymm11, 1248(%r11)\nvpaddw %ymm10, %ymm11, %ymm0\nvmovdqa %ymm0, 1344(%r11)\nvpaddw %ymm8, %ymm10, %ymm0\nvmovdqa %ymm0, 1440(%r11)\nvpaddw %ymm9, %ymm11, %ymm1\nvmovdqa %ymm1, 1536(%r11)\nvpaddw %ymm0, %ymm1, %ymm0\nvmovdqa %ymm0, 1632(%r11)\nvmovdqa %ymm12, 1728(%r11)\nvmovdqa %ymm13, 1824(%r11)\nvpaddw %ymm12, %ymm13, %ymm0\nvmovdqa %ymm0, 1920(%r11)\nvmovdqa %ymm14, 2016(%r11)\nvmovdqa %ymm15, 2112(%r11)\nvpaddw %ymm14, %ymm15, %ymm0\nvmovdqa %ymm0, 2208(%r11)\nvpaddw %ymm12, %ymm14, %ymm0\nvmovdqa %ymm0, 2304(%r11)\nvpaddw %ymm13, %ymm15, %ymm1\nvmovdqa %ymm1, 2400(%r11)\nvpaddw %ymm0, %ymm1, %ymm0\nvmovdqa %ymm0, 2496(%r11)\nvmovdqa 256(%r8), %ymm0\nvpsllw $2, %ymm0, %ymm0\nvpaddw 0(%r8), %ymm0, %ymm0\nvpsllw $2, %ymm4, %ymm1\nvpaddw 128(%r8), %ymm1, %ymm1\nvpsllw $1, %ymm1, %ymm1\nvpaddw %ymm1, %ymm0, %ymm8\nvpsubw %ymm1, %ymm0, %ymm12\nvmovdqa 288(%r8), %ymm0\nvpsllw $2, %ymm0, %ymm0\nvpaddw 32(%r8), %ymm0, %ymm0\nvpsllw $2, %ymm5, %ymm1\nvpaddw 160(%r8), %ymm1, %ymm1\nvpsllw $1, %ymm1, %ymm1\nvpaddw %ymm1, %ymm0, %ymm9\nvpsubw %ymm1, %ymm0, %ymm13\nvmovdqa 320(%r8), %ymm0\nvpsllw $2, %ymm0, %ymm0\nvpaddw 64(%r8), %ymm0, %ymm0\nvpsllw $2, %ymm6, %ymm1\nvpaddw 192(%r8), %ymm1, %ymm1\nvpsllw $1, %ymm1, %ymm1\nvpaddw %ymm1, %ymm0, %ymm10\nvpsubw %ymm1, %ymm0, %ymm14\nvmovdqa 352(%r8), %ymm0\nvpsllw $2, %ymm0, %ymm0\nvpaddw 96(%r8), %ymm0, %ymm0\nvpsllw $2, %ymm7, %ymm1\nvpaddw 224(%r8), %ymm1, %ymm1\nvpsllw $1, %ymm1, %ymm1\nvpaddw %ymm1, %ymm0, %ymm11\nvpsubw %ymm1, %ymm0, %ymm15\nvmovdqa %ymm8, 2592(%r11)\nvmovdqa %ymm9, 2688(%r11)\nvpaddw %ymm8, %ymm9, %ymm0\nvmovdqa %ymm0, 2784(%r11)\nvmovdqa %ymm10, 2880(%r11)\nvmovdqa %ymm11, 2976(%r11)\nvpaddw %ymm10, %ymm11, %ymm0\nvmovdqa %ymm0, 3072(%r11)\nvpaddw %ymm8, %ymm10, %ymm0\nvmovdqa %ymm0, 3168(%r11)\nvpaddw %ymm9, %ymm11, %ymm1\nvmovdqa %ymm1, 3264(%r11)\nvpaddw %ymm0, %ymm1, %ymm0\nvmovdqa %ymm0, 3360(%r11)\nvmovdqa %ymm12, 3456(%r11)\nvmovdqa %ymm13, 3552(%r11)\nvpaddw %ymm12, %ymm13, %ymm0\nvmovdqa %ymm0, 3648(%r11)\nvmovdqa %ymm14, 3744(%r11)\nvmovdqa %ymm15, 3840(%r11)\nvpaddw %ymm14, %ymm15, %ymm0\nvmovdqa %ymm0, 3936(%r11)\nvpaddw %ymm12, %ymm14, %ymm0\nvmovdqa %ymm0, 4032(%r11)\nvpaddw %ymm13, %ymm15, %ymm1\nvmovdqa %ymm1, 4128(%r11)\nvpaddw %ymm0, %ymm1, %ymm0\nvmovdqa %ymm0, 4224(%r11)\nvpmullw %ymm3, %ymm4, %ymm0\nvpaddw 256(%r8), %ymm0, %ymm0\nvpmullw %ymm3, %ymm0, %ymm0\nvpaddw 128(%r8), %ymm0, %ymm0\nvpmullw %ymm3, %ymm0, %ymm0\nvpaddw 0(%r8), %ymm0, %ymm12\nvpmullw %ymm3, %ymm5, %ymm0\nvpaddw 288(%r8), %ymm0, %ymm0\nvpmullw %ymm3, %ymm0, %ymm0\nvpaddw 160(%r8), %ymm0, %ymm0\nvpmullw %ymm3, %ymm0, %ymm0\nvpaddw 32(%r8), %ymm0, %ymm13\nvpmullw %ymm3, %ymm6, %ymm0\nvpaddw 320(%r8), %ymm0, %ymm0\nvpmullw %ymm3, %ymm0, %ymm0\nvpaddw 192(%r8), %ymm0, %ymm0\nvpmullw %ymm3, %ymm0, %ymm0\nvpaddw 64(%r8), %ymm0, %ymm14\nvpmullw %ymm3, %ymm7, %ymm0\nvpaddw 352(%r8), %ymm0, %ymm0\nvpmullw %ymm3, %ymm0, %ymm0\nvpaddw 224(%r8), %ymm0, %ymm0\nvpmullw %ymm3, %ymm0, %ymm0\nvpaddw 96(%r8), %ymm0, %ymm15\nvmovdqa %ymm12, 4320(%r11)\nvmovdqa %ymm13, 4416(%r11)\nvpaddw %ymm12, %ymm13, %ymm0\nvmovdqa %ymm0, 4512(%r11)\nvmovdqa %ymm14, 4608(%r11)\nvmovdqa %ymm15, 4704(%r11)\nvpaddw %ymm14, %ymm15, %ymm0\nvmovdqa %ymm0, 4800(%r11)\nvpaddw %ymm12, %ymm14, %ymm0\nvmovdqa %ymm0, 4896(%r11)\nvpaddw %ymm13, %ymm15, %ymm1\nvmovdqa %ymm1, 4992(%r11)\nvpaddw %ymm0, %ymm1, %ymm0\nvmovdqa %ymm0, 5088(%r11)\nvmovdqu 32(%rdx), %ymm0\nvmovdqu 120(%rdx), %ymm1\nvmovdqu 208(%rdx), %ymm2\nvmovdqu 296(%rdx), %ymm12\nvmovdqu 1088(%rdx), %ymm4\nvmovdqu 1176(%rdx), %ymm5\nvmovdqu 1264(%rdx), %ymm6\nvmovdqu 1352(%rdx), %ymm7\nvmovdqu 384(%rdx), %ymm8\nvmovdqu 472(%rdx), %ymm9\nvmovdqu 560(%rdx), %ymm10\nvmovdqu 648(%rdx), %ymm11\nvmovdqa %ymm0, 32(%r11)\nvmovdqa %ymm1, 128(%r11)\nvpaddw %ymm0, %ymm1, %ymm14\nvmovdqa %ymm14, 224(%r11)\nvmovdqa %ymm2, 320(%r11)\nvmovdqa %ymm12, 416(%r11)\nvpaddw %ymm2, %ymm12, %ymm14\nvmovdqa %ymm14, 512(%r11)\nvpaddw %ymm0, %ymm2, %ymm14\nvmovdqa %ymm14, 608(%r11)\nvpaddw %ymm1, %ymm12, %ymm15\nvmovdqa %ymm15, 704(%r11)\nvpaddw %ymm14, %ymm15, %ymm14\nvmovdqa %ymm14, 800(%r11)\nvmovdqa %ymm4, 5216(%r11)\nvmovdqa %ymm5, 5312(%r11)\nvpaddw %ymm4, %ymm5, %ymm14\nvmovdqa %ymm14, 5408(%r11)\nvmovdqa %ymm6, 5504(%r11)\nvmovdqa %ymm7, 5600(%r11)\nvpaddw %ymm6, %ymm7, %ymm14\nvmovdqa %ymm14, 5696(%r11)\nvpaddw %ymm4, %ymm6, %ymm14\nvmovdqa %ymm14, 5792(%r11)\nvpaddw %ymm5, %ymm7, %ymm15\nvmovdqa %ymm15, 5888(%r11)\nvpaddw %ymm14, %ymm15, %ymm14\nvmovdqa %ymm14, 5984(%r11)\nvmovdqa %ymm0, 0(%r8)\nvmovdqa %ymm1, 32(%r8)\nvmovdqa %ymm2, 64(%r8)\nvmovdqa %ymm12, 96(%r8)\nvmovdqa %ymm8, 128(%r8)\nvmovdqa %ymm9, 160(%r8)\nvmovdqa %ymm10, 192(%r8)\nvmovdqa %ymm11, 224(%r8)\nvmovdqu 736(%rdx), %ymm0\nvpaddw 0(%r8), %ymm0, %ymm1\nvpaddw 128(%r8), %ymm4, %ymm2\nvpaddw %ymm2, %ymm1, %ymm8\nvpsubw %ymm2, %ymm1, %ymm12\nvmovdqa %ymm0, 256(%r8)\nvmovdqu 824(%rdx), %ymm0\nvpaddw 32(%r8), %ymm0, %ymm1\nvpaddw 160(%r8), %ymm5, %ymm2\nvpaddw %ymm2, %ymm1, %ymm9\nvpsubw %ymm2, %ymm1, %ymm13\nvmovdqa %ymm0, 288(%r8)\nvmovdqu 912(%rdx), %ymm0\nvpaddw 64(%r8), %ymm0, %ymm1\nvpaddw 192(%r8), %ymm6, %ymm2\nvpaddw %ymm2, %ymm1, %ymm10\nvpsubw %ymm2, %ymm1, %ymm14\nvmovdqa %ymm0, 320(%r8)\nvmovdqu 1000(%rdx), %ymm0\nvpaddw 96(%r8), %ymm0, %ymm1\nvpaddw 224(%r8), %ymm7, %ymm2\nvpaddw %ymm2, %ymm1, %ymm11\nvpsubw %ymm2, %ymm1, %ymm15\nvmovdqa %ymm0, 352(%r8)\nvmovdqa %ymm8, 896(%r11)\nvmovdqa %ymm9, 992(%r11)\nvpaddw %ymm8, %ymm9, %ymm0\nvmovdqa %ymm0, 1088(%r11)\nvmovdqa %ymm10, 1184(%r11)\nvmovdqa %ymm11, 1280(%r11)\nvpaddw %ymm10, %ymm11, %ymm0\nvmovdqa %ymm0, 1376(%r11)\nvpaddw %ymm8, %ymm10, %ymm0\nvmovdqa %ymm0, 1472(%r11)\nvpaddw %ymm9, %ymm11, %ymm1\nvmovdqa %ymm1, 1568(%r11)\nvpaddw %ymm0, %ymm1, %ymm0\nvmovdqa %ymm0, 1664(%r11)\nvmovdqa %ymm12, 1760(%r11)\nvmovdqa %ymm13, 1856(%r11)\nvpaddw %ymm12, %ymm13, %ymm0\nvmovdqa %ymm0, 1952(%r11)\nvmovdqa %ymm14, 2048(%r11)\nvmovdqa %ymm15, 2144(%r11)\nvpaddw %ymm14, %ymm15, %ymm0\nvmovdqa %ymm0, 2240(%r11)\nvpaddw %ymm12, %ymm14, %ymm0\nvmovdqa %ymm0, 2336(%r11)\nvpaddw %ymm13, %ymm15, %ymm1\nvmovdqa %ymm1, 2432(%r11)\nvpaddw %ymm0, %ymm1, %ymm0\nvmovdqa %ymm0, 2528(%r11)\nvmovdqa 256(%r8), %ymm0\nvpsllw $2, %ymm0, %ymm0\nvpaddw 0(%r8), %ymm0, %ymm0\nvpsllw $2, %ymm4, %ymm1\nvpaddw 128(%r8), %ymm1, %ymm1\nvpsllw $1, %ymm1, %ymm1\nvpaddw %ymm1, %ymm0, %ymm8\nvpsubw %ymm1, %ymm0, %ymm12\nvmovdqa 288(%r8), %ymm0\nvpsllw $2, %ymm0, %ymm0\nvpaddw 32(%r8), %ymm0, %ymm0\nvpsllw $2, %ymm5, %ymm1\nvpaddw 160(%r8), %ymm1, %ymm1\nvpsllw $1, %ymm1, %ymm1\nvpaddw %ymm1, %ymm0, %ymm9\nvpsubw %ymm1, %ymm0, %ymm13\nvmovdqa 320(%r8), %ymm0\nvpsllw $2, %ymm0, %ymm0\nvpaddw 64(%r8), %ymm0, %ymm0\nvpsllw $2, %ymm6, %ymm1\nvpaddw 192(%r8), %ymm1, %ymm1\nvpsllw $1, %ymm1, %ymm1\nvpaddw %ymm1, %ymm0, %ymm10\nvpsubw %ymm1, %ymm0, %ymm14\nvmovdqa 352(%r8), %ymm0\nvpsllw $2, %ymm0, %ymm0\nvpaddw 96(%r8), %ymm0, %ymm0\nvpsllw $2, %ymm7, %ymm1\nvpaddw 224(%r8), %ymm1, %ymm1\nvpsllw $1, %ymm1, %ymm1\nvpaddw %ymm1, %ymm0, %ymm11\nvpsubw %ymm1, %ymm0, %ymm15\nvmovdqa %ymm8, 2624(%r11)\nvmovdqa %ymm9, 2720(%r11)\nvpaddw %ymm8, %ymm9, %ymm0\nvmovdqa %ymm0, 2816(%r11)\nvmovdqa %ymm10, 2912(%r11)\nvmovdqa %ymm11, 3008(%r11)\nvpaddw %ymm10, %ymm11, %ymm0\nvmovdqa %ymm0, 3104(%r11)\nvpaddw %ymm8, %ymm10, %ymm0\nvmovdqa %ymm0, 3200(%r11)\nvpaddw %ymm9, %ymm11, %ymm1\nvmovdqa %ymm1, 3296(%r11)\nvpaddw %ymm0, %ymm1, %ymm0\nvmovdqa %ymm0, 3392(%r11)\nvmovdqa %ymm12, 3488(%r11)\nvmovdqa %ymm13, 3584(%r11)\nvpaddw %ymm12, %ymm13, %ymm0\nvmovdqa %ymm0, 3680(%r11)\nvmovdqa %ymm14, 3776(%r11)\nvmovdqa %ymm15, 3872(%r11)\nvpaddw %ymm14, %ymm15, %ymm0\nvmovdqa %ymm0, 3968(%r11)\nvpaddw %ymm12, %ymm14, %ymm0\nvmovdqa %ymm0, 4064(%r11)\nvpaddw %ymm13, %ymm15, %ymm1\nvmovdqa %ymm1, 4160(%r11)\nvpaddw %ymm0, %ymm1, %ymm0\nvmovdqa %ymm0, 4256(%r11)\nvpmullw %ymm3, %ymm4, %ymm0\nvpaddw 256(%r8), %ymm0, %ymm0\nvpmullw %ymm3, %ymm0, %ymm0\nvpaddw 128(%r8), %ymm0, %ymm0\nvpmullw %ymm3, %ymm0, %ymm0\nvpaddw 0(%r8), %ymm0, %ymm12\nvpmullw %ymm3, %ymm5, %ymm0\nvpaddw 288(%r8), %ymm0, %ymm0\nvpmullw %ymm3, %ymm0, %ymm0\nvpaddw 160(%r8), %ymm0, %ymm0\nvpmullw %ymm3, %ymm0, %ymm0\nvpaddw 32(%r8), %ymm0, %ymm13\nvpmullw %ymm3, %ymm6, %ymm0\nvpaddw 320(%r8), %ymm0, %ymm0\nvpmullw %ymm3, %ymm0, %ymm0\nvpaddw 192(%r8), %ymm0, %ymm0\nvpmullw %ymm3, %ymm0, %ymm0\nvpaddw 64(%r8), %ymm0, %ymm14\nvpmullw %ymm3, %ymm7, %ymm0\nvpaddw 352(%r8), %ymm0, %ymm0\nvpmullw %ymm3, %ymm0, %ymm0\nvpaddw 224(%r8), %ymm0, %ymm0\nvpmullw %ymm3, %ymm0, %ymm0\nvpaddw 96(%r8), %ymm0, %ymm15\nvmovdqa %ymm12, 4352(%r11)\nvmovdqa %ymm13, 4448(%r11)\nvpaddw %ymm12, %ymm13, %ymm0\nvmovdqa %ymm0, 4544(%r11)\nvmovdqa %ymm14, 4640(%r11)\nvmovdqa %ymm15, 4736(%r11)\nvpaddw %ymm14, %ymm15, %ymm0\nvmovdqa %ymm0, 4832(%r11)\nvpaddw %ymm12, %ymm14, %ymm0\nvmovdqa %ymm0, 4928(%r11)\nvpaddw %ymm13, %ymm15, %ymm1\nvmovdqa %ymm1, 5024(%r11)\nvpaddw %ymm0, %ymm1, %ymm0\nvmovdqa %ymm0, 5120(%r11)\nvmovdqu 64(%rdx), %ymm0\nvmovdqu 152(%rdx), %ymm1\nvmovdqu 240(%rdx), %ymm2\nvmovdqu 328(%rdx), %ymm12\nvmovdqu 1120(%rdx), %ymm4\nvmovdqu 1208(%rdx), %ymm5\nvmovdqu 1296(%rdx), %ymm6\n\n# Only 18 bytes more can be read, but vmovdqu reads 32.\n# Copy 18 bytes to the red zone and zero pad to 32 bytes.\nxor %r9, %r9\nmovq %r9, -16(%rsp)\nmovq %r9, -8(%rsp)\nmovq 1384(%rdx), %r9\nmovq %r9, -32(%rsp)\nmovq 1384+8(%rdx), %r9\nmovq %r9, -24(%rsp)\nmovw 1384+16(%rdx), %r9w\nmovw %r9w, -16(%rsp)\nvmovdqu -32(%rsp), %ymm7\n\nvmovdqu 416(%rdx), %ymm8\nvmovdqu 504(%rdx), %ymm9\nvmovdqu 592(%rdx), %ymm10\nvmovdqu 680(%rdx), %ymm11\nvmovdqa %ymm0, 64(%r11)\nvmovdqa %ymm1, 160(%r11)\nvpaddw %ymm0, %ymm1, %ymm14\nvmovdqa %ymm14, 256(%r11)\nvmovdqa %ymm2, 352(%r11)\nvmovdqa %ymm12, 448(%r11)\nvpaddw %ymm2, %ymm12, %ymm14\nvmovdqa %ymm14, 544(%r11)\nvpaddw %ymm0, %ymm2, %ymm14\nvmovdqa %ymm14, 640(%r11)\nvpaddw %ymm1, %ymm12, %ymm15\nvmovdqa %ymm15, 736(%r11)\nvpaddw %ymm14, %ymm15, %ymm14\nvmovdqa %ymm14, 832(%r11)\nvmovdqa %ymm4, 5248(%r11)\nvmovdqa %ymm5, 5344(%r11)\nvpaddw %ymm4, %ymm5, %ymm14\nvmovdqa %ymm14, 5440(%r11)\nvmovdqa %ymm6, 5536(%r11)\nvmovdqa %ymm7, 5632(%r11)\nvpaddw %ymm6, %ymm7, %ymm14\nvmovdqa %ymm14, 5728(%r11)\nvpaddw %ymm4, %ymm6, %ymm14\nvmovdqa %ymm14, 5824(%r11)\nvpaddw %ymm5, %ymm7, %ymm15\nvmovdqa %ymm15, 5920(%r11)\nvpaddw %ymm14, %ymm15, %ymm14\nvmovdqa %ymm14, 6016(%r11)\nvmovdqa %ymm0, 0(%r8)\nvmovdqa %ymm1, 32(%r8)\nvmovdqa %ymm2, 64(%r8)\nvmovdqa %ymm12, 96(%r8)\nvmovdqa %ymm8, 128(%r8)\nvmovdqa %ymm9, 160(%r8)\nvmovdqa %ymm10, 192(%r8)\nvmovdqa %ymm11, 224(%r8)\nvmovdqu 768(%rdx), %ymm0\nvpaddw 0(%r8), %ymm0, %ymm1\nvpaddw 128(%r8), %ymm4, %ymm2\nvpaddw %ymm2, %ymm1, %ymm8\nvpsubw %ymm2, %ymm1, %ymm12\nvmovdqa %ymm0, 256(%r8)\nvmovdqu 856(%rdx), %ymm0\nvpaddw 32(%r8), %ymm0, %ymm1\nvpaddw 160(%r8), %ymm5, %ymm2\nvpaddw %ymm2, %ymm1, %ymm9\nvpsubw %ymm2, %ymm1, %ymm13\nvmovdqa %ymm0, 288(%r8)\nvmovdqu 944(%rdx), %ymm0\nvpaddw 64(%r8), %ymm0, %ymm1\nvpaddw 192(%r8), %ymm6, %ymm2\nvpaddw %ymm2, %ymm1, %ymm10\nvpsubw %ymm2, %ymm1, %ymm14\nvmovdqa %ymm0, 320(%r8)\nvmovdqu 1032(%rdx), %ymm0\nvpaddw 96(%r8), %ymm0, %ymm1\nvpaddw 224(%r8), %ymm7, %ymm2\nvpaddw %ymm2, %ymm1, %ymm11\nvpsubw %ymm2, %ymm1, %ymm15\nvmovdqa %ymm0, 352(%r8)\nvmovdqa %ymm8, 928(%r11)\nvmovdqa %ymm9, 1024(%r11)\nvpaddw %ymm8, %ymm9, %ymm0\nvmovdqa %ymm0, 1120(%r11)\nvmovdqa %ymm10, 1216(%r11)\nvmovdqa %ymm11, 1312(%r11)\nvpaddw %ymm10, %ymm11, %ymm0\nvmovdqa %ymm0, 1408(%r11)\nvpaddw %ymm8, %ymm10, %ymm0\nvmovdqa %ymm0, 1504(%r11)\nvpaddw %ymm9, %ymm11, %ymm1\nvmovdqa %ymm1, 1600(%r11)\nvpaddw %ymm0, %ymm1, %ymm0\nvmovdqa %ymm0, 1696(%r11)\nvmovdqa %ymm12, 1792(%r11)\nvmovdqa %ymm13, 1888(%r11)\nvpaddw %ymm12, %ymm13, %ymm0\nvmovdqa %ymm0, 1984(%r11)\nvmovdqa %ymm14, 2080(%r11)\nvmovdqa %ymm15, 2176(%r11)\nvpaddw %ymm14, %ymm15, %ymm0\nvmovdqa %ymm0, 2272(%r11)\nvpaddw %ymm12, %ymm14, %ymm0\nvmovdqa %ymm0, 2368(%r11)\nvpaddw %ymm13, %ymm15, %ymm1\nvmovdqa %ymm1, 2464(%r11)\nvpaddw %ymm0, %ymm1, %ymm0\nvmovdqa %ymm0, 2560(%r11)\nvmovdqa 256(%r8), %ymm0\nvpsllw $2, %ymm0, %ymm0\nvpaddw 0(%r8), %ymm0, %ymm0\nvpsllw $2, %ymm4, %ymm1\nvpaddw 128(%r8), %ymm1, %ymm1\nvpsllw $1, %ymm1, %ymm1\nvpaddw %ymm1, %ymm0, %ymm8\nvpsubw %ymm1, %ymm0, %ymm12\nvmovdqa 288(%r8), %ymm0\nvpsllw $2, %ymm0, %ymm0\nvpaddw 32(%r8), %ymm0, %ymm0\nvpsllw $2, %ymm5, %ymm1\nvpaddw 160(%r8), %ymm1, %ymm1\nvpsllw $1, %ymm1, %ymm1\nvpaddw %ymm1, %ymm0, %ymm9\nvpsubw %ymm1, %ymm0, %ymm13\nvmovdqa 320(%r8), %ymm0\nvpsllw $2, %ymm0, %ymm0\nvpaddw 64(%r8), %ymm0, %ymm0\nvpsllw $2, %ymm6, %ymm1\nvpaddw 192(%r8), %ymm1, %ymm1\nvpsllw $1, %ymm1, %ymm1\nvpaddw %ymm1, %ymm0, %ymm10\nvpsubw %ymm1, %ymm0, %ymm14\nvmovdqa 352(%r8), %ymm0\nvpsllw $2, %ymm0, %ymm0\nvpaddw 96(%r8), %ymm0, %ymm0\nvpsllw $2, %ymm7, %ymm1\nvpaddw 224(%r8), %ymm1, %ymm1\nvpsllw $1, %ymm1, %ymm1\nvpaddw %ymm1, %ymm0, %ymm11\nvpsubw %ymm1, %ymm0, %ymm15\nvmovdqa %ymm8, 2656(%r11)\nvmovdqa %ymm9, 2752(%r11)\nvpaddw %ymm8, %ymm9, %ymm0\nvmovdqa %ymm0, 2848(%r11)\nvmovdqa %ymm10, 2944(%r11)\nvmovdqa %ymm11, 3040(%r11)\nvpaddw %ymm10, %ymm11, %ymm0\nvmovdqa %ymm0, 3136(%r11)\nvpaddw %ymm8, %ymm10, %ymm0\nvmovdqa %ymm0, 3232(%r11)\nvpaddw %ymm9, %ymm11, %ymm1\nvmovdqa %ymm1, 3328(%r11)\nvpaddw %ymm0, %ymm1, %ymm0\nvmovdqa %ymm0, 3424(%r11)\nvmovdqa %ymm12, 3520(%r11)\nvmovdqa %ymm13, 3616(%r11)\nvpaddw %ymm12, %ymm13, %ymm0\nvmovdqa %ymm0, 3712(%r11)\nvmovdqa %ymm14, 3808(%r11)\nvmovdqa %ymm15, 3904(%r11)\nvpaddw %ymm14, %ymm15, %ymm0\nvmovdqa %ymm0, 4000(%r11)\nvpaddw %ymm12, %ymm14, %ymm0\nvmovdqa %ymm0, 4096(%r11)\nvpaddw %ymm13, %ymm15, %ymm1\nvmovdqa %ymm1, 4192(%r11)\nvpaddw %ymm0, %ymm1, %ymm0\nvmovdqa %ymm0, 4288(%r11)\nvpmullw %ymm3, %ymm4, %ymm0\nvpaddw 256(%r8), %ymm0, %ymm0\nvpmullw %ymm3, %ymm0, %ymm0\nvpaddw 128(%r8), %ymm0, %ymm0\nvpmullw %ymm3, %ymm0, %ymm0\nvpaddw 0(%r8), %ymm0, %ymm12\nvpmullw %ymm3, %ymm5, %ymm0\nvpaddw 288(%r8), %ymm0, %ymm0\nvpmullw %ymm3, %ymm0, %ymm0\nvpaddw 160(%r8), %ymm0, %ymm0\nvpmullw %ymm3, %ymm0, %ymm0\nvpaddw 32(%r8), %ymm0, %ymm13\nvpmullw %ymm3, %ymm6, %ymm0\nvpaddw 320(%r8), %ymm0, %ymm0\nvpmullw %ymm3, %ymm0, %ymm0\nvpaddw 192(%r8), %ymm0, %ymm0\nvpmullw %ymm3, %ymm0, %ymm0\nvpaddw 64(%r8), %ymm0, %ymm14\nvpmullw %ymm3, %ymm7, %ymm0\nvpaddw 352(%r8), %ymm0, %ymm0\nvpmullw %ymm3, %ymm0, %ymm0\nvpaddw 224(%r8), %ymm0, %ymm0\nvpmullw %ymm3, %ymm0, %ymm0\nvpaddw 96(%r8), %ymm0, %ymm15\nvmovdqa %ymm12, 4384(%r11)\nvmovdqa %ymm13, 4480(%r11)\nvpaddw %ymm12, %ymm13, %ymm0\nvmovdqa %ymm0, 4576(%r11)\nvmovdqa %ymm14, 4672(%r11)\nvmovdqa %ymm15, 4768(%r11)\nvpaddw %ymm14, %ymm15, %ymm0\nvmovdqa %ymm0, 4864(%r11)\nvpaddw %ymm12, %ymm14, %ymm0\nvmovdqa %ymm0, 4960(%r11)\nvpaddw %ymm13, %ymm15, %ymm1\nvmovdqa %ymm1, 5056(%r11)\nvpaddw %ymm0, %ymm1, %ymm0\nvmovdqa %ymm0, 5152(%r11)\nsubq $9408, %r8\nmov $4, %ecx\nkaratsuba_loop_4eced63f144beffcb0247f9c6f67d165:\nmov %r8, %r9\nmov %r8, %r10\nsubq $32, %r8\nvmovdqa 0(%rax), %ymm0\nvmovdqa 192(%rax), %ymm1\nvmovdqa 384(%rax), %ymm2\nvmovdqa 576(%rax), %ymm3\nvpunpcklwd 96(%rax), %ymm0, %ymm4\nvpunpckhwd 96(%rax), %ymm0, %ymm5\nvpunpcklwd 288(%rax), %ymm1, %ymm6\nvpunpckhwd 288(%rax), %ymm1, %ymm7\nvpunpcklwd 480(%rax), %ymm2, %ymm8\nvpunpckhwd 480(%rax), %ymm2, %ymm9\nvpunpcklwd 672(%rax), %ymm3, %ymm10\nvpunpckhwd 672(%rax), %ymm3, %ymm11\nvpunpckldq %ymm6, %ymm4, %ymm0\nvpunpckhdq %ymm6, %ymm4, %ymm1\nvpunpckldq %ymm7, %ymm5, %ymm2\nvpunpckhdq %ymm7, %ymm5, %ymm3\nvpunpckldq %ymm10, %ymm8, %ymm12\nvpunpckhdq %ymm10, %ymm8, %ymm13\nvpunpckldq %ymm11, %ymm9, %ymm14\nvpunpckhdq %ymm11, %ymm9, %ymm15\nvpunpcklqdq %ymm12, %ymm0, %ymm4\nvpunpckhqdq %ymm12, %ymm0, %ymm5\nvpunpcklqdq %ymm13, %ymm1, %ymm6\nvpunpckhqdq %ymm13, %ymm1, %ymm7\nvpunpcklqdq %ymm14, %ymm2, %ymm8\nvpunpckhqdq %ymm14, %ymm2, %ymm9\nvpunpcklqdq %ymm15, %ymm3, %ymm10\nvpunpckhqdq %ymm15, %ymm3, %ymm11\nvmovdqa 768(%rax), %ymm0\nvmovdqa 960(%rax), %ymm1\nvmovdqa 1152(%rax), %ymm2\nvmovdqa 1344(%rax), %ymm3\nvpunpcklwd 864(%rax), %ymm0, %ymm12\nvpunpckhwd 864(%rax), %ymm0, %ymm13\nvpunpcklwd 1056(%rax), %ymm1, %ymm14\nvpunpckhwd 1056(%rax), %ymm1, %ymm15\nvpunpcklwd 1248(%rax), %ymm2, %ymm0\nvpunpckhwd 1248(%rax), %ymm2, %ymm1\nvpunpcklwd 1440(%rax), %ymm3, %ymm2\nvpunpckhwd 1440(%rax), %ymm3, %ymm3\nvmovdqa %ymm11, 0(%r8)\nvpunpckldq %ymm14, %ymm12, %ymm11\nvpunpckhdq %ymm14, %ymm12, %ymm12\nvpunpckldq %ymm15, %ymm13, %ymm14\nvpunpckhdq %ymm15, %ymm13, %ymm15\nvpunpckldq %ymm2, %ymm0, %ymm13\nvpunpckhdq %ymm2, %ymm0, %ymm0\nvpunpckldq %ymm3, %ymm1, %ymm2\nvpunpckhdq %ymm3, %ymm1, %ymm1\nvpunpcklqdq %ymm13, %ymm11, %ymm3\nvpunpckhqdq %ymm13, %ymm11, %ymm13\nvpunpcklqdq %ymm0, %ymm12, %ymm11\nvpunpckhqdq %ymm0, %ymm12, %ymm0\nvpunpcklqdq %ymm2, %ymm14, %ymm12\nvpunpckhqdq %ymm2, %ymm14, %ymm2\nvpunpcklqdq %ymm1, %ymm15, %ymm14\nvpunpckhqdq %ymm1, %ymm15, %ymm1\nvinserti128 $1, %xmm3, %ymm4, %ymm15\nvmovdqa %ymm15, 0(%r9)\nvinserti128 $1, %xmm13, %ymm5, %ymm15\nvmovdqa %ymm15, 32(%r9)\nvinserti128 $1, %xmm11, %ymm6, %ymm15\nvmovdqa %ymm15, 64(%r9)\nvinserti128 $1, %xmm0, %ymm7, %ymm15\nvmovdqa %ymm15, 96(%r9)\nvinserti128 $1, %xmm12, %ymm8, %ymm15\nvmovdqa %ymm15, 128(%r9)\nvinserti128 $1, %xmm2, %ymm9, %ymm15\nvmovdqa %ymm15, 160(%r9)\nvinserti128 $1, %xmm14, %ymm10, %ymm15\nvmovdqa %ymm15, 192(%r9)\nvpermq $78, %ymm4, %ymm4\nvpermq $78, %ymm5, %ymm5\nvpermq $78, %ymm6, %ymm6\nvpermq $78, %ymm7, %ymm7\nvpermq $78, %ymm8, %ymm8\nvpermq $78, %ymm9, %ymm9\nvpermq $78, %ymm10, %ymm10\nvinserti128 $0, %xmm4, %ymm3, %ymm15\nvmovdqa %ymm15, 256(%r9)\nvinserti128 $0, %xmm5, %ymm13, %ymm15\nvmovdqa %ymm15, 288(%r9)\nvinserti128 $0, %xmm6, %ymm11, %ymm15\nvmovdqa %ymm15, 320(%r9)\nvinserti128 $0, %xmm7, %ymm0, %ymm15\nvmovdqa %ymm15, 352(%r9)\nvinserti128 $0, %xmm8, %ymm12, %ymm15\nvmovdqa %ymm15, 384(%r9)\nvinserti128 $0, %xmm9, %ymm2, %ymm15\nvmovdqa %ymm15, 416(%r9)\nvinserti128 $0, %xmm10, %ymm14, %ymm15\nvmovdqa %ymm15, 448(%r9)\nvmovdqa 0(%r8), %ymm11\nvinserti128 $1, %xmm1, %ymm11, %ymm14\nvmovdqa %ymm14, 224(%r9)\nvpermq $78, %ymm11, %ymm11\nvinserti128 $0, %xmm11, %ymm1, %ymm1\nvmovdqa %ymm1, 480(%r9)\nvmovdqa 32(%rax), %ymm0\nvmovdqa 224(%rax), %ymm1\nvmovdqa 416(%rax), %ymm2\nvmovdqa 608(%rax), %ymm3\nvpunpcklwd 128(%rax), %ymm0, %ymm4\nvpunpckhwd 128(%rax), %ymm0, %ymm5\nvpunpcklwd 320(%rax), %ymm1, %ymm6\nvpunpckhwd 320(%rax), %ymm1, %ymm7\nvpunpcklwd 512(%rax), %ymm2, %ymm8\nvpunpckhwd 512(%rax), %ymm2, %ymm9\nvpunpcklwd 704(%rax), %ymm3, %ymm10\nvpunpckhwd 704(%rax), %ymm3, %ymm11\nvpunpckldq %ymm6, %ymm4, %ymm0\nvpunpckhdq %ymm6, %ymm4, %ymm1\nvpunpckldq %ymm7, %ymm5, %ymm2\nvpunpckhdq %ymm7, %ymm5, %ymm3\nvpunpckldq %ymm10, %ymm8, %ymm12\nvpunpckhdq %ymm10, %ymm8, %ymm13\nvpunpckldq %ymm11, %ymm9, %ymm14\nvpunpckhdq %ymm11, %ymm9, %ymm15\nvpunpcklqdq %ymm12, %ymm0, %ymm4\nvpunpckhqdq %ymm12, %ymm0, %ymm5\nvpunpcklqdq %ymm13, %ymm1, %ymm6\nvpunpckhqdq %ymm13, %ymm1, %ymm7\nvpunpcklqdq %ymm14, %ymm2, %ymm8\nvpunpckhqdq %ymm14, %ymm2, %ymm9\nvpunpcklqdq %ymm15, %ymm3, %ymm10\nvpunpckhqdq %ymm15, %ymm3, %ymm11\nvmovdqa 800(%rax), %ymm0\nvmovdqa 992(%rax), %ymm1\nvmovdqa 1184(%rax), %ymm2\nvmovdqa 1376(%rax), %ymm3\nvpunpcklwd 896(%rax), %ymm0, %ymm12\nvpunpckhwd 896(%rax), %ymm0, %ymm13\nvpunpcklwd 1088(%rax), %ymm1, %ymm14\nvpunpckhwd 1088(%rax), %ymm1, %ymm15\nvpunpcklwd 1280(%rax), %ymm2, %ymm0\nvpunpckhwd 1280(%rax), %ymm2, %ymm1\nvpunpcklwd 1472(%rax), %ymm3, %ymm2\nvpunpckhwd 1472(%rax), %ymm3, %ymm3\nvmovdqa %ymm11, 0(%r8)\nvpunpckldq %ymm14, %ymm12, %ymm11\nvpunpckhdq %ymm14, %ymm12, %ymm12\nvpunpckldq %ymm15, %ymm13, %ymm14\nvpunpckhdq %ymm15, %ymm13, %ymm15\nvpunpckldq %ymm2, %ymm0, %ymm13\nvpunpckhdq %ymm2, %ymm0, %ymm0\nvpunpckldq %ymm3, %ymm1, %ymm2\nvpunpckhdq %ymm3, %ymm1, %ymm1\nvpunpcklqdq %ymm13, %ymm11, %ymm3\nvpunpckhqdq %ymm13, %ymm11, %ymm13\nvpunpcklqdq %ymm0, %ymm12, %ymm11\nvpunpckhqdq %ymm0, %ymm12, %ymm0\nvpunpcklqdq %ymm2, %ymm14, %ymm12\nvpunpckhqdq %ymm2, %ymm14, %ymm2\nvpunpcklqdq %ymm1, %ymm15, %ymm14\nvpunpckhqdq %ymm1, %ymm15, %ymm1\nvinserti128 $1, %xmm3, %ymm4, %ymm15\nvmovdqa %ymm15, 512(%r9)\nvinserti128 $1, %xmm13, %ymm5, %ymm15\nvmovdqa %ymm15, 544(%r9)\nvinserti128 $1, %xmm11, %ymm6, %ymm15\nvmovdqa %ymm15, 576(%r9)\nvinserti128 $1, %xmm0, %ymm7, %ymm15\nvmovdqa %ymm15, 608(%r9)\nvinserti128 $1, %xmm12, %ymm8, %ymm15\nvmovdqa %ymm15, 640(%r9)\nvinserti128 $1, %xmm2, %ymm9, %ymm15\nvmovdqa %ymm15, 672(%r9)\nvinserti128 $1, %xmm14, %ymm10, %ymm15\nvmovdqa %ymm15, 704(%r9)\nvpermq $78, %ymm4, %ymm4\nvpermq $78, %ymm5, %ymm5\nvpermq $78, %ymm6, %ymm6\nvpermq $78, %ymm7, %ymm7\nvpermq $78, %ymm8, %ymm8\nvpermq $78, %ymm9, %ymm9\nvpermq $78, %ymm10, %ymm10\nvinserti128 $0, %xmm4, %ymm3, %ymm15\nvmovdqa %ymm15, 768(%r9)\nvinserti128 $0, %xmm5, %ymm13, %ymm15\nvmovdqa %ymm15, 800(%r9)\nvinserti128 $0, %xmm6, %ymm11, %ymm15\nvmovdqa %ymm15, 832(%r9)\nvinserti128 $0, %xmm7, %ymm0, %ymm15\nvmovdqa %ymm15, 864(%r9)\nvinserti128 $0, %xmm8, %ymm12, %ymm15\nvmovdqa %ymm15, 896(%r9)\nvinserti128 $0, %xmm9, %ymm2, %ymm15\nvmovdqa %ymm15, 928(%r9)\nvinserti128 $0, %xmm10, %ymm14, %ymm15\nvmovdqa %ymm15, 960(%r9)\nvmovdqa 0(%r8), %ymm11\nvinserti128 $1, %xmm1, %ymm11, %ymm14\nvmovdqa %ymm14, 736(%r9)\nvpermq $78, %ymm11, %ymm11\nvinserti128 $0, %xmm11, %ymm1, %ymm1\nvmovdqa %ymm1, 992(%r9)\nvmovdqa 64(%rax), %ymm0\nvmovdqa 256(%rax), %ymm1\nvmovdqa 448(%rax), %ymm2\nvmovdqa 640(%rax), %ymm3\nvpunpcklwd 160(%rax), %ymm0, %ymm4\nvpunpckhwd 160(%rax), %ymm0, %ymm5\nvpunpcklwd 352(%rax), %ymm1, %ymm6\nvpunpckhwd 352(%rax), %ymm1, %ymm7\nvpunpcklwd 544(%rax), %ymm2, %ymm8\nvpunpckhwd 544(%rax), %ymm2, %ymm9\nvpunpcklwd 736(%rax), %ymm3, %ymm10\nvpunpckhwd 736(%rax), %ymm3, %ymm11\nvpunpckldq %ymm6, %ymm4, %ymm0\nvpunpckhdq %ymm6, %ymm4, %ymm1\nvpunpckldq %ymm7, %ymm5, %ymm2\nvpunpckhdq %ymm7, %ymm5, %ymm3\nvpunpckldq %ymm10, %ymm8, %ymm12\nvpunpckhdq %ymm10, %ymm8, %ymm13\nvpunpckldq %ymm11, %ymm9, %ymm14\nvpunpckhdq %ymm11, %ymm9, %ymm15\nvpunpcklqdq %ymm12, %ymm0, %ymm4\nvpunpckhqdq %ymm12, %ymm0, %ymm5\nvpunpcklqdq %ymm13, %ymm1, %ymm6\nvpunpckhqdq %ymm13, %ymm1, %ymm7\nvpunpcklqdq %ymm14, %ymm2, %ymm8\nvpunpckhqdq %ymm14, %ymm2, %ymm9\nvpunpcklqdq %ymm15, %ymm3, %ymm10\nvpunpckhqdq %ymm15, %ymm3, %ymm11\nvmovdqa 832(%rax), %ymm0\nvmovdqa 1024(%rax), %ymm1\nvmovdqa 1216(%rax), %ymm2\nvmovdqa 1408(%rax), %ymm3\nvpunpcklwd 928(%rax), %ymm0, %ymm12\nvpunpckhwd 928(%rax), %ymm0, %ymm13\nvpunpcklwd 1120(%rax), %ymm1, %ymm14\nvpunpckhwd 1120(%rax), %ymm1, %ymm15\nvpunpcklwd 1312(%rax), %ymm2, %ymm0\nvpunpckhwd 1312(%rax), %ymm2, %ymm1\nvpunpcklwd 1504(%rax), %ymm3, %ymm2\nvpunpckhwd 1504(%rax), %ymm3, %ymm3\nvmovdqa %ymm11, 0(%r8)\nvpunpckldq %ymm14, %ymm12, %ymm11\nvpunpckhdq %ymm14, %ymm12, %ymm12\nvpunpckldq %ymm15, %ymm13, %ymm14\nvpunpckhdq %ymm15, %ymm13, %ymm15\nvpunpckldq %ymm2, %ymm0, %ymm13\nvpunpckhdq %ymm2, %ymm0, %ymm0\nvpunpckldq %ymm3, %ymm1, %ymm2\nvpunpckhdq %ymm3, %ymm1, %ymm1\nvpunpcklqdq %ymm13, %ymm11, %ymm3\nvpunpckhqdq %ymm13, %ymm11, %ymm13\nvpunpcklqdq %ymm0, %ymm12, %ymm11\nvpunpckhqdq %ymm0, %ymm12, %ymm0\nvpunpcklqdq %ymm2, %ymm14, %ymm12\nvpunpckhqdq %ymm2, %ymm14, %ymm2\nvpunpcklqdq %ymm1, %ymm15, %ymm14\nvpunpckhqdq %ymm1, %ymm15, %ymm1\nvinserti128 $1, %xmm3, %ymm4, %ymm15\nvmovdqa %ymm15, 1024(%r9)\nvinserti128 $1, %xmm13, %ymm5, %ymm15\nvmovdqa %ymm15, 1056(%r9)\nvinserti128 $1, %xmm11, %ymm6, %ymm15\nvmovdqa %ymm15, 1088(%r9)\nvinserti128 $1, %xmm0, %ymm7, %ymm15\nvmovdqa %ymm15, 1120(%r9)\nvinserti128 $1, %xmm12, %ymm8, %ymm15\nvmovdqa %ymm15, 1152(%r9)\nvinserti128 $1, %xmm2, %ymm9, %ymm15\nvmovdqa %ymm15, 1184(%r9)\nvinserti128 $1, %xmm14, %ymm10, %ymm15\nvmovdqa %ymm15, 1216(%r9)\nvpermq $78, %ymm4, %ymm4\nvpermq $78, %ymm5, %ymm5\nvpermq $78, %ymm6, %ymm6\nvpermq $78, %ymm7, %ymm7\nvpermq $78, %ymm8, %ymm8\nvpermq $78, %ymm9, %ymm9\nvpermq $78, %ymm10, %ymm10\nvinserti128 $0, %xmm4, %ymm3, %ymm15\nvmovdqa %ymm15, 1280(%r9)\nvinserti128 $0, %xmm5, %ymm13, %ymm15\nvmovdqa %ymm15, 1312(%r9)\nvinserti128 $0, %xmm6, %ymm11, %ymm15\nvmovdqa %ymm15, 1344(%r9)\nvinserti128 $0, %xmm7, %ymm0, %ymm15\nvmovdqa %ymm15, 1376(%r9)\nvmovdqa 0(%r8), %ymm11\nvinserti128 $1, %xmm1, %ymm11, %ymm14\nvmovdqa %ymm14, 1248(%r9)\nvmovdqa 0(%r11), %ymm0\nvmovdqa 192(%r11), %ymm1\nvmovdqa 384(%r11), %ymm2\nvmovdqa 576(%r11), %ymm3\nvpunpcklwd 96(%r11), %ymm0, %ymm4\nvpunpckhwd 96(%r11), %ymm0, %ymm5\nvpunpcklwd 288(%r11), %ymm1, %ymm6\nvpunpckhwd 288(%r11), %ymm1, %ymm7\nvpunpcklwd 480(%r11), %ymm2, %ymm8\nvpunpckhwd 480(%r11), %ymm2, %ymm9\nvpunpcklwd 672(%r11), %ymm3, %ymm10\nvpunpckhwd 672(%r11), %ymm3, %ymm11\nvpunpckldq %ymm6, %ymm4, %ymm0\nvpunpckhdq %ymm6, %ymm4, %ymm1\nvpunpckldq %ymm7, %ymm5, %ymm2\nvpunpckhdq %ymm7, %ymm5, %ymm3\nvpunpckldq %ymm10, %ymm8, %ymm12\nvpunpckhdq %ymm10, %ymm8, %ymm13\nvpunpckldq %ymm11, %ymm9, %ymm14\nvpunpckhdq %ymm11, %ymm9, %ymm15\nvpunpcklqdq %ymm12, %ymm0, %ymm4\nvpunpckhqdq %ymm12, %ymm0, %ymm5\nvpunpcklqdq %ymm13, %ymm1, %ymm6\nvpunpckhqdq %ymm13, %ymm1, %ymm7\nvpunpcklqdq %ymm14, %ymm2, %ymm8\nvpunpckhqdq %ymm14, %ymm2, %ymm9\nvpunpcklqdq %ymm15, %ymm3, %ymm10\nvpunpckhqdq %ymm15, %ymm3, %ymm11\nvmovdqa 768(%r11), %ymm0\nvmovdqa 960(%r11), %ymm1\nvmovdqa 1152(%r11), %ymm2\nvmovdqa 1344(%r11), %ymm3\nvpunpcklwd 864(%r11), %ymm0, %ymm12\nvpunpckhwd 864(%r11), %ymm0, %ymm13\nvpunpcklwd 1056(%r11), %ymm1, %ymm14\nvpunpckhwd 1056(%r11), %ymm1, %ymm15\nvpunpcklwd 1248(%r11), %ymm2, %ymm0\nvpunpckhwd 1248(%r11), %ymm2, %ymm1\nvpunpcklwd 1440(%r11), %ymm3, %ymm2\nvpunpckhwd 1440(%r11), %ymm3, %ymm3\nvmovdqa %ymm11, 0(%r8)\nvpunpckldq %ymm14, %ymm12, %ymm11\nvpunpckhdq %ymm14, %ymm12, %ymm12\nvpunpckldq %ymm15, %ymm13, %ymm14\nvpunpckhdq %ymm15, %ymm13, %ymm15\nvpunpckldq %ymm2, %ymm0, %ymm13\nvpunpckhdq %ymm2, %ymm0, %ymm0\nvpunpckldq %ymm3, %ymm1, %ymm2\nvpunpckhdq %ymm3, %ymm1, %ymm1\nvpunpcklqdq %ymm13, %ymm11, %ymm3\nvpunpckhqdq %ymm13, %ymm11, %ymm13\nvpunpcklqdq %ymm0, %ymm12, %ymm11\nvpunpckhqdq %ymm0, %ymm12, %ymm0\nvpunpcklqdq %ymm2, %ymm14, %ymm12\nvpunpckhqdq %ymm2, %ymm14, %ymm2\nvpunpcklqdq %ymm1, %ymm15, %ymm14\nvpunpckhqdq %ymm1, %ymm15, %ymm1\nvinserti128 $1, %xmm3, %ymm4, %ymm15\nvmovdqa %ymm15, 1408(%r9)\nvinserti128 $1, %xmm13, %ymm5, %ymm15\nvmovdqa %ymm15, 1440(%r9)\nvinserti128 $1, %xmm11, %ymm6, %ymm15\nvmovdqa %ymm15, 1472(%r9)\nvinserti128 $1, %xmm0, %ymm7, %ymm15\nvmovdqa %ymm15, 1504(%r9)\nvinserti128 $1, %xmm12, %ymm8, %ymm15\nvmovdqa %ymm15, 1536(%r9)\nvinserti128 $1, %xmm2, %ymm9, %ymm15\nvmovdqa %ymm15, 1568(%r9)\nvinserti128 $1, %xmm14, %ymm10, %ymm15\nvmovdqa %ymm15, 1600(%r9)\nvpermq $78, %ymm4, %ymm4\nvpermq $78, %ymm5, %ymm5\nvpermq $78, %ymm6, %ymm6\nvpermq $78, %ymm7, %ymm7\nvpermq $78, %ymm8, %ymm8\nvpermq $78, %ymm9, %ymm9\nvpermq $78, %ymm10, %ymm10\nvinserti128 $0, %xmm4, %ymm3, %ymm15\nvmovdqa %ymm15, 1664(%r9)\nvinserti128 $0, %xmm5, %ymm13, %ymm15\nvmovdqa %ymm15, 1696(%r9)\nvinserti128 $0, %xmm6, %ymm11, %ymm15\nvmovdqa %ymm15, 1728(%r9)\nvinserti128 $0, %xmm7, %ymm0, %ymm15\nvmovdqa %ymm15, 1760(%r9)\nvinserti128 $0, %xmm8, %ymm12, %ymm15\nvmovdqa %ymm15, 1792(%r9)\nvinserti128 $0, %xmm9, %ymm2, %ymm15\nvmovdqa %ymm15, 1824(%r9)\nvinserti128 $0, %xmm10, %ymm14, %ymm15\nvmovdqa %ymm15, 1856(%r9)\nvmovdqa 0(%r8), %ymm11\nvinserti128 $1, %xmm1, %ymm11, %ymm14\nvmovdqa %ymm14, 1632(%r9)\nvpermq $78, %ymm11, %ymm11\nvinserti128 $0, %xmm11, %ymm1, %ymm1\nvmovdqa %ymm1, 1888(%r9)\nvmovdqa 32(%r11), %ymm0\nvmovdqa 224(%r11), %ymm1\nvmovdqa 416(%r11), %ymm2\nvmovdqa 608(%r11), %ymm3\nvpunpcklwd 128(%r11), %ymm0, %ymm4\nvpunpckhwd 128(%r11), %ymm0, %ymm5\nvpunpcklwd 320(%r11), %ymm1, %ymm6\nvpunpckhwd 320(%r11), %ymm1, %ymm7\nvpunpcklwd 512(%r11), %ymm2, %ymm8\nvpunpckhwd 512(%r11), %ymm2, %ymm9\nvpunpcklwd 704(%r11), %ymm3, %ymm10\nvpunpckhwd 704(%r11), %ymm3, %ymm11\nvpunpckldq %ymm6, %ymm4, %ymm0\nvpunpckhdq %ymm6, %ymm4, %ymm1\nvpunpckldq %ymm7, %ymm5, %ymm2\nvpunpckhdq %ymm7, %ymm5, %ymm3\nvpunpckldq %ymm10, %ymm8, %ymm12\nvpunpckhdq %ymm10, %ymm8, %ymm13\nvpunpckldq %ymm11, %ymm9, %ymm14\nvpunpckhdq %ymm11, %ymm9, %ymm15\nvpunpcklqdq %ymm12, %ymm0, %ymm4\nvpunpckhqdq %ymm12, %ymm0, %ymm5\nvpunpcklqdq %ymm13, %ymm1, %ymm6\nvpunpckhqdq %ymm13, %ymm1, %ymm7\nvpunpcklqdq %ymm14, %ymm2, %ymm8\nvpunpckhqdq %ymm14, %ymm2, %ymm9\nvpunpcklqdq %ymm15, %ymm3, %ymm10\nvpunpckhqdq %ymm15, %ymm3, %ymm11\nvmovdqa 800(%r11), %ymm0\nvmovdqa 992(%r11), %ymm1\nvmovdqa 1184(%r11), %ymm2\nvmovdqa 1376(%r11), %ymm3\nvpunpcklwd 896(%r11), %ymm0, %ymm12\nvpunpckhwd 896(%r11), %ymm0, %ymm13\nvpunpcklwd 1088(%r11), %ymm1, %ymm14\nvpunpckhwd 1088(%r11), %ymm1, %ymm15\nvpunpcklwd 1280(%r11), %ymm2, %ymm0\nvpunpckhwd 1280(%r11), %ymm2, %ymm1\nvpunpcklwd 1472(%r11), %ymm3, %ymm2\nvpunpckhwd 1472(%r11), %ymm3, %ymm3\nvmovdqa %ymm11, 0(%r8)\nvpunpckldq %ymm14, %ymm12, %ymm11\nvpunpckhdq %ymm14, %ymm12, %ymm12\nvpunpckldq %ymm15, %ymm13, %ymm14\nvpunpckhdq %ymm15, %ymm13, %ymm15\nvpunpckldq %ymm2, %ymm0, %ymm13\nvpunpckhdq %ymm2, %ymm0, %ymm0\nvpunpckldq %ymm3, %ymm1, %ymm2\nvpunpckhdq %ymm3, %ymm1, %ymm1\nvpunpcklqdq %ymm13, %ymm11, %ymm3\nvpunpckhqdq %ymm13, %ymm11, %ymm13\nvpunpcklqdq %ymm0, %ymm12, %ymm11\nvpunpckhqdq %ymm0, %ymm12, %ymm0\nvpunpcklqdq %ymm2, %ymm14, %ymm12\nvpunpckhqdq %ymm2, %ymm14, %ymm2\nvpunpcklqdq %ymm1, %ymm15, %ymm14\nvpunpckhqdq %ymm1, %ymm15, %ymm1\nvinserti128 $1, %xmm3, %ymm4, %ymm15\nvmovdqa %ymm15, 1920(%r9)\nvinserti128 $1, %xmm13, %ymm5, %ymm15\nvmovdqa %ymm15, 1952(%r9)\nvinserti128 $1, %xmm11, %ymm6, %ymm15\nvmovdqa %ymm15, 1984(%r9)\nvinserti128 $1, %xmm0, %ymm7, %ymm15\nvmovdqa %ymm15, 2016(%r9)\nvinserti128 $1, %xmm12, %ymm8, %ymm15\nvmovdqa %ymm15, 2048(%r9)\nvinserti128 $1, %xmm2, %ymm9, %ymm15\nvmovdqa %ymm15, 2080(%r9)\nvinserti128 $1, %xmm14, %ymm10, %ymm15\nvmovdqa %ymm15, 2112(%r9)\nvpermq $78, %ymm4, %ymm4\nvpermq $78, %ymm5, %ymm5\nvpermq $78, %ymm6, %ymm6\nvpermq $78, %ymm7, %ymm7\nvpermq $78, %ymm8, %ymm8\nvpermq $78, %ymm9, %ymm9\nvpermq $78, %ymm10, %ymm10\nvinserti128 $0, %xmm4, %ymm3, %ymm15\nvmovdqa %ymm15, 2176(%r9)\nvinserti128 $0, %xmm5, %ymm13, %ymm15\nvmovdqa %ymm15, 2208(%r9)\nvinserti128 $0, %xmm6, %ymm11, %ymm15\nvmovdqa %ymm15, 2240(%r9)\nvinserti128 $0, %xmm7, %ymm0, %ymm15\nvmovdqa %ymm15, 2272(%r9)\nvinserti128 $0, %xmm8, %ymm12, %ymm15\nvmovdqa %ymm15, 2304(%r9)\nvinserti128 $0, %xmm9, %ymm2, %ymm15\nvmovdqa %ymm15, 2336(%r9)\nvinserti128 $0, %xmm10, %ymm14, %ymm15\nvmovdqa %ymm15, 2368(%r9)\nvmovdqa 0(%r8), %ymm11\nvinserti128 $1, %xmm1, %ymm11, %ymm14\nvmovdqa %ymm14, 2144(%r9)\nvpermq $78, %ymm11, %ymm11\nvinserti128 $0, %xmm11, %ymm1, %ymm1\nvmovdqa %ymm1, 2400(%r9)\nvmovdqa 64(%r11), %ymm0\nvmovdqa 256(%r11), %ymm1\nvmovdqa 448(%r11), %ymm2\nvmovdqa 640(%r11), %ymm3\nvpunpcklwd 160(%r11), %ymm0, %ymm4\nvpunpckhwd 160(%r11), %ymm0, %ymm5\nvpunpcklwd 352(%r11), %ymm1, %ymm6\nvpunpckhwd 352(%r11), %ymm1, %ymm7\nvpunpcklwd 544(%r11), %ymm2, %ymm8\nvpunpckhwd 544(%r11), %ymm2, %ymm9\nvpunpcklwd 736(%r11), %ymm3, %ymm10\nvpunpckhwd 736(%r11), %ymm3, %ymm11\nvpunpckldq %ymm6, %ymm4, %ymm0\nvpunpckhdq %ymm6, %ymm4, %ymm1\nvpunpckldq %ymm7, %ymm5, %ymm2\nvpunpckhdq %ymm7, %ymm5, %ymm3\nvpunpckldq %ymm10, %ymm8, %ymm12\nvpunpckhdq %ymm10, %ymm8, %ymm13\nvpunpckldq %ymm11, %ymm9, %ymm14\nvpunpckhdq %ymm11, %ymm9, %ymm15\nvpunpcklqdq %ymm12, %ymm0, %ymm4\nvpunpckhqdq %ymm12, %ymm0, %ymm5\nvpunpcklqdq %ymm13, %ymm1, %ymm6\nvpunpckhqdq %ymm13, %ymm1, %ymm7\nvpunpcklqdq %ymm14, %ymm2, %ymm8\nvpunpckhqdq %ymm14, %ymm2, %ymm9\nvpunpcklqdq %ymm15, %ymm3, %ymm10\nvpunpckhqdq %ymm15, %ymm3, %ymm11\nvmovdqa 832(%r11), %ymm0\nvmovdqa 1024(%r11), %ymm1\nvmovdqa 1216(%r11), %ymm2\nvmovdqa 1408(%r11), %ymm3\nvpunpcklwd 928(%r11), %ymm0, %ymm12\nvpunpckhwd 928(%r11), %ymm0, %ymm13\nvpunpcklwd 1120(%r11), %ymm1, %ymm14\nvpunpckhwd 1120(%r11), %ymm1, %ymm15\nvpunpcklwd 1312(%r11), %ymm2, %ymm0\nvpunpckhwd 1312(%r11), %ymm2, %ymm1\nvpunpcklwd 1504(%r11), %ymm3, %ymm2\nvpunpckhwd 1504(%r11), %ymm3, %ymm3\nvmovdqa %ymm11, 0(%r8)\nvpunpckldq %ymm14, %ymm12, %ymm11\nvpunpckhdq %ymm14, %ymm12, %ymm12\nvpunpckldq %ymm15, %ymm13, %ymm14\nvpunpckhdq %ymm15, %ymm13, %ymm15\nvpunpckldq %ymm2, %ymm0, %ymm13\nvpunpckhdq %ymm2, %ymm0, %ymm0\nvpunpckldq %ymm3, %ymm1, %ymm2\nvpunpckhdq %ymm3, %ymm1, %ymm1\nvpunpcklqdq %ymm13, %ymm11, %ymm3\nvpunpckhqdq %ymm13, %ymm11, %ymm13\nvpunpcklqdq %ymm0, %ymm12, %ymm11\nvpunpckhqdq %ymm0, %ymm12, %ymm0\nvpunpcklqdq %ymm2, %ymm14, %ymm12\nvpunpckhqdq %ymm2, %ymm14, %ymm2\nvpunpcklqdq %ymm1, %ymm15, %ymm14\nvpunpckhqdq %ymm1, %ymm15, %ymm1\nvinserti128 $1, %xmm3, %ymm4, %ymm15\nvmovdqa %ymm15, 2432(%r9)\nvinserti128 $1, %xmm13, %ymm5, %ymm15\nvmovdqa %ymm15, 2464(%r9)\nvinserti128 $1, %xmm11, %ymm6, %ymm15\nvmovdqa %ymm15, 2496(%r9)\nvinserti128 $1, %xmm0, %ymm7, %ymm15\nvmovdqa %ymm15, 2528(%r9)\nvinserti128 $1, %xmm12, %ymm8, %ymm15\nvmovdqa %ymm15, 2560(%r9)\nvinserti128 $1, %xmm2, %ymm9, %ymm15\nvmovdqa %ymm15, 2592(%r9)\nvinserti128 $1, %xmm14, %ymm10, %ymm15\nvmovdqa %ymm15, 2624(%r9)\nvpermq $78, %ymm4, %ymm4\nvpermq $78, %ymm5, %ymm5\nvpermq $78, %ymm6, %ymm6\nvpermq $78, %ymm7, %ymm7\nvpermq $78, %ymm8, %ymm8\nvpermq $78, %ymm9, %ymm9\nvpermq $78, %ymm10, %ymm10\nvinserti128 $0, %xmm4, %ymm3, %ymm15\nvmovdqa %ymm15, 2688(%r9)\nvinserti128 $0, %xmm5, %ymm13, %ymm15\nvmovdqa %ymm15, 2720(%r9)\nvinserti128 $0, %xmm6, %ymm11, %ymm15\nvmovdqa %ymm15, 2752(%r9)\nvinserti128 $0, %xmm7, %ymm0, %ymm15\nvmovdqa %ymm15, 2784(%r9)\nvmovdqa 0(%r8), %ymm11\nvinserti128 $1, %xmm1, %ymm11, %ymm14\nvmovdqa %ymm14, 2656(%r9)\naddq $32, %r8\ninnerloop_4eced63f144beffcb0247f9c6f67d165:\nvmovdqa 0(%r9), %ymm0\nvmovdqa 1408(%r9), %ymm6\nvmovdqa 32(%r9), %ymm1\nvmovdqa 1440(%r9), %ymm7\nvmovdqa 64(%r9), %ymm2\nvmovdqa 1472(%r9), %ymm8\nvmovdqa 96(%r9), %ymm3\nvmovdqa 1504(%r9), %ymm9\nvmovdqa 128(%r9), %ymm4\nvmovdqa 1536(%r9), %ymm10\nvmovdqa 160(%r9), %ymm5\nvmovdqa 1568(%r9), %ymm11\nvpmullw %ymm0, %ymm6, %ymm12\nvmovdqa %ymm12, 2816(%r10)\nvpmullw %ymm0, %ymm7, %ymm13\nvpmullw %ymm1, %ymm6, %ymm15\nvpaddw %ymm13, %ymm15, %ymm13\nvmovdqa %ymm13, 2848(%r10)\nvpmullw %ymm0, %ymm8, %ymm12\nvpmullw %ymm1, %ymm7, %ymm15\nvpaddw %ymm12, %ymm15, %ymm12\nvpmullw %ymm2, %ymm6, %ymm15\nvpaddw %ymm12, %ymm15, %ymm12\nvmovdqa %ymm12, 2880(%r10)\nvpmullw %ymm0, %ymm9, %ymm13\nvpmullw %ymm1, %ymm8, %ymm15\nvpaddw %ymm13, %ymm15, %ymm13\nvpmullw %ymm2, %ymm7, %ymm15\nvpaddw %ymm13, %ymm15, %ymm13\nvpmullw %ymm3, %ymm6, %ymm15\nvpaddw %ymm13, %ymm15, %ymm13\nvmovdqa %ymm13, 2912(%r10)\nvpmullw %ymm0, %ymm10, %ymm12\nvpmullw %ymm1, %ymm9, %ymm15\nvpaddw %ymm12, %ymm15, %ymm12\nvpmullw %ymm2, %ymm8, %ymm15\nvpaddw %ymm12, %ymm15, %ymm12\nvpmullw %ymm3, %ymm7, %ymm15\nvpaddw %ymm12, %ymm15, %ymm12\nvpmullw %ymm4, %ymm6, %ymm15\nvpaddw %ymm12, %ymm15, %ymm12\nvmovdqa %ymm12, 2944(%r10)\nvpmullw %ymm0, %ymm11, %ymm13\nvpmullw %ymm1, %ymm10, %ymm15\nvpaddw %ymm13, %ymm15, %ymm13\nvpmullw %ymm2, %ymm9, %ymm15\nvpaddw %ymm13, %ymm15, %ymm13\nvpmullw %ymm3, %ymm8, %ymm15\nvpaddw %ymm13, %ymm15, %ymm13\nvpmullw %ymm4, %ymm7, %ymm15\nvpaddw %ymm13, %ymm15, %ymm13\nvpmullw %ymm5, %ymm6, %ymm15\nvpaddw %ymm13, %ymm15, %ymm13\nvmovdqa %ymm13, 2976(%r10)\nvpmullw %ymm1, %ymm11, %ymm12\nvpmullw %ymm2, %ymm10, %ymm15\nvpaddw %ymm12, %ymm15, %ymm12\nvpmullw %ymm3, %ymm9, %ymm15\nvpaddw %ymm12, %ymm15, %ymm12\nvpmullw %ymm4, %ymm8, %ymm15\nvpaddw %ymm12, %ymm15, %ymm12\nvpmullw %ymm5, %ymm7, %ymm15\nvpaddw %ymm12, %ymm15, %ymm12\nvmovdqa %ymm12, 3008(%r10)\nvpmullw %ymm2, %ymm11, %ymm13\nvpmullw %ymm3, %ymm10, %ymm15\nvpaddw %ymm13, %ymm15, %ymm13\nvpmullw %ymm4, %ymm9, %ymm15\nvpaddw %ymm13, %ymm15, %ymm13\nvpmullw %ymm5, %ymm8, %ymm15\nvpaddw %ymm13, %ymm15, %ymm13\nvmovdqa %ymm13, 3040(%r10)\nvpmullw %ymm3, %ymm11, %ymm12\nvpmullw %ymm4, %ymm10, %ymm15\nvpaddw %ymm12, %ymm15, %ymm12\nvpmullw %ymm5, %ymm9, %ymm15\nvpaddw %ymm12, %ymm15, %ymm12\nvmovdqa %ymm12, 3072(%r10)\nvpmullw %ymm4, %ymm11, %ymm13\nvpmullw %ymm5, %ymm10, %ymm15\nvpaddw %ymm13, %ymm15, %ymm13\nvmovdqa %ymm13, 3104(%r10)\nvpmullw %ymm5, %ymm11, %ymm12\nvmovdqa %ymm12, 3136(%r10)\nvmovdqa 192(%r9), %ymm0\nvmovdqa 1600(%r9), %ymm6\nvmovdqa 224(%r9), %ymm1\nvmovdqa 1632(%r9), %ymm7\nvmovdqa 256(%r9), %ymm2\nvmovdqa 1664(%r9), %ymm8\nvmovdqa 288(%r9), %ymm3\nvmovdqa 1696(%r9), %ymm9\nvmovdqa 320(%r9), %ymm4\nvmovdqa 1728(%r9), %ymm10\nvpmullw %ymm0, %ymm6, %ymm12\nvmovdqa %ymm12, 3200(%r10)\nvpmullw %ymm0, %ymm7, %ymm13\nvpmullw %ymm1, %ymm6, %ymm15\nvpaddw %ymm13, %ymm15, %ymm13\nvmovdqa %ymm13, 3232(%r10)\nvpmullw %ymm0, %ymm8, %ymm12\nvpmullw %ymm1, %ymm7, %ymm15\nvpaddw %ymm12, %ymm15, %ymm12\nvpmullw %ymm2, %ymm6, %ymm15\nvpaddw %ymm12, %ymm15, %ymm12\nvmovdqa %ymm12, 3264(%r10)\nvpmullw %ymm0, %ymm9, %ymm13\nvpmullw %ymm1, %ymm8, %ymm15\nvpaddw %ymm13, %ymm15, %ymm13\nvpmullw %ymm2, %ymm7, %ymm15\nvpaddw %ymm13, %ymm15, %ymm13\nvpmullw %ymm3, %ymm6, %ymm15\nvpaddw %ymm13, %ymm15, %ymm13\nvmovdqa %ymm13, 3296(%r10)\nvpmullw %ymm0, %ymm10, %ymm12\nvpmullw %ymm1, %ymm9, %ymm15\nvpaddw %ymm12, %ymm15, %ymm12\nvpmullw %ymm2, %ymm8, %ymm15\nvpaddw %ymm12, %ymm15, %ymm12\nvpmullw %ymm3, %ymm7, %ymm15\nvpaddw %ymm12, %ymm15, %ymm12\nvpmullw %ymm4, %ymm6, %ymm15\nvpaddw %ymm12, %ymm15, %ymm12\nvmovdqa %ymm12, 3328(%r10)\nvpmullw %ymm1, %ymm10, %ymm13\nvpmullw %ymm2, %ymm9, %ymm15\nvpaddw %ymm13, %ymm15, %ymm13\nvpmullw %ymm3, %ymm8, %ymm15\nvpaddw %ymm13, %ymm15, %ymm13\nvpmullw %ymm4, %ymm7, %ymm15\nvpaddw %ymm13, %ymm15, %ymm13\nvmovdqa %ymm13, 3360(%r10)\nvpmullw %ymm2, %ymm10, %ymm12\nvpmullw %ymm3, %ymm9, %ymm15\nvpaddw %ymm12, %ymm15, %ymm12\nvpmullw %ymm4, %ymm8, %ymm15\nvpaddw %ymm12, %ymm15, %ymm12\nvmovdqa %ymm12, 3392(%r10)\nvpmullw %ymm3, %ymm10, %ymm13\nvpmullw %ymm4, %ymm9, %ymm15\nvpaddw %ymm13, %ymm15, %ymm13\nvmovdqa %ymm13, 3424(%r10)\nvpmullw %ymm4, %ymm10, %ymm12\nvmovdqa %ymm12, 3456(%r10)\nvpaddw 0(%r9), %ymm0, %ymm0\nvpaddw 1408(%r9), %ymm6, %ymm6\nvpaddw 32(%r9), %ymm1, %ymm1\nvpaddw 1440(%r9), %ymm7, %ymm7\nvpaddw 64(%r9), %ymm2, %ymm2\nvpaddw 1472(%r9), %ymm8, %ymm8\nvpaddw 96(%r9), %ymm3, %ymm3\nvpaddw 1504(%r9), %ymm9, %ymm9\nvpaddw 128(%r9), %ymm4, %ymm4\nvpaddw 1536(%r9), %ymm10, %ymm10\nvpmullw %ymm0, %ymm11, %ymm12\nvpmullw %ymm1, %ymm10, %ymm15\nvpaddw %ymm15, %ymm12, %ymm12\nvpmullw %ymm2, %ymm9, %ymm15\nvpaddw %ymm15, %ymm12, %ymm12\nvpmullw %ymm3, %ymm8, %ymm15\nvpaddw %ymm15, %ymm12, %ymm12\nvpmullw %ymm4, %ymm7, %ymm15\nvpaddw %ymm15, %ymm12, %ymm12\nvpmullw %ymm5, %ymm6, %ymm15\nvpaddw %ymm15, %ymm12, %ymm12\nvpsubw 2976(%r10), %ymm12, %ymm12\nvpsubw 3360(%r10), %ymm12, %ymm12\nvmovdqa %ymm12, 3168(%r10)\nvpmullw %ymm5, %ymm7, %ymm12\nvpmullw %ymm5, %ymm8, %ymm13\nvpmullw %ymm5, %ymm9, %ymm14\nvpmullw %ymm5, %ymm10, %ymm15\nvpmullw %ymm1, %ymm11, %ymm5\nvpaddw %ymm5, %ymm12, %ymm12\nvpmullw %ymm2, %ymm10, %ymm5\nvpaddw %ymm5, %ymm12, %ymm12\nvpmullw %ymm3, %ymm9, %ymm5\nvpaddw %ymm5, %ymm12, %ymm12\nvpmullw %ymm4, %ymm8, %ymm5\nvpaddw %ymm5, %ymm12, %ymm12\nvpmullw %ymm2, %ymm11, %ymm5\nvpaddw %ymm5, %ymm13, %ymm13\nvpmullw %ymm3, %ymm10, %ymm5\nvpaddw %ymm5, %ymm13, %ymm13\nvpmullw %ymm4, %ymm9, %ymm5\nvpaddw %ymm5, %ymm13, %ymm13\nvpmullw %ymm3, %ymm11, %ymm5\nvpaddw %ymm5, %ymm14, %ymm14\nvpmullw %ymm4, %ymm10, %ymm5\nvpaddw %ymm5, %ymm14, %ymm14\nvpmullw %ymm4, %ymm11, %ymm5\nvpaddw %ymm5, %ymm15, %ymm15\nvpmullw %ymm0, %ymm10, %ymm11\nvpmullw %ymm1, %ymm9, %ymm5\nvpaddw %ymm5, %ymm11, %ymm11\nvpmullw %ymm2, %ymm8, %ymm5\nvpaddw %ymm5, %ymm11, %ymm11\nvpmullw %ymm3, %ymm7, %ymm5\nvpaddw %ymm5, %ymm11, %ymm11\nvpmullw %ymm4, %ymm6, %ymm5\nvpaddw %ymm5, %ymm11, %ymm11\nvpmullw %ymm0, %ymm9, %ymm10\nvpmullw %ymm1, %ymm8, %ymm5\nvpaddw %ymm5, %ymm10, %ymm10\nvpmullw %ymm2, %ymm7, %ymm5\nvpaddw %ymm5, %ymm10, %ymm10\nvpmullw %ymm3, %ymm6, %ymm5\nvpaddw %ymm5, %ymm10, %ymm10\nvpmullw %ymm0, %ymm8, %ymm9\nvpmullw %ymm1, %ymm7, %ymm5\nvpaddw %ymm5, %ymm9, %ymm9\nvpmullw %ymm2, %ymm6, %ymm5\nvpaddw %ymm5, %ymm9, %ymm9\nvpmullw %ymm0, %ymm7, %ymm8\nvpmullw %ymm1, %ymm6, %ymm5\nvpaddw %ymm5, %ymm8, %ymm8\nvpmullw %ymm0, %ymm6, %ymm7\nvmovdqa 3008(%r10), %ymm0\nvpsubw 3200(%r10), %ymm0, %ymm0\nvpsubw %ymm0, %ymm12, %ymm6\nvpsubw 3392(%r10), %ymm6, %ymm6\nvmovdqa %ymm6, 3200(%r10)\nvpaddw %ymm7, %ymm0, %ymm0\nvpsubw 2816(%r10), %ymm0, %ymm0\nvmovdqa %ymm0, 3008(%r10)\nvmovdqa 3040(%r10), %ymm1\nvpsubw 3232(%r10), %ymm1, %ymm1\nvpsubw %ymm1, %ymm13, %ymm7\nvpsubw 3424(%r10), %ymm7, %ymm7\nvmovdqa %ymm7, 3232(%r10)\nvpaddw %ymm8, %ymm1, %ymm1\nvpsubw 2848(%r10), %ymm1, %ymm1\nvmovdqa %ymm1, 3040(%r10)\nvmovdqa 3072(%r10), %ymm2\nvpsubw 3264(%r10), %ymm2, %ymm2\nvpsubw %ymm2, %ymm14, %ymm8\nvpsubw 3456(%r10), %ymm8, %ymm8\nvmovdqa %ymm8, 3264(%r10)\nvpaddw %ymm9, %ymm2, %ymm2\nvpsubw 2880(%r10), %ymm2, %ymm2\nvmovdqa %ymm2, 3072(%r10)\nvmovdqa 3104(%r10), %ymm3\nvpsubw 3296(%r10), %ymm3, %ymm3\nvpsubw %ymm3, %ymm15, %ymm9\nvmovdqa %ymm9, 3296(%r10)\nvpaddw %ymm10, %ymm3, %ymm3\nvpsubw 2912(%r10), %ymm3, %ymm3\nvmovdqa %ymm3, 3104(%r10)\nvmovdqa 3136(%r10), %ymm4\nvpsubw 3328(%r10), %ymm4, %ymm4\nvpaddw %ymm11, %ymm4, %ymm4\nvpsubw 2944(%r10), %ymm4, %ymm4\nvmovdqa %ymm4, 3136(%r10)\nvmovdqa 352(%r9), %ymm0\nvmovdqa 1760(%r9), %ymm6\nvmovdqa 384(%r9), %ymm1\nvmovdqa 1792(%r9), %ymm7\nvmovdqa 416(%r9), %ymm2\nvmovdqa 1824(%r9), %ymm8\nvmovdqa 448(%r9), %ymm3\nvmovdqa 1856(%r9), %ymm9\nvmovdqa 480(%r9), %ymm4\nvmovdqa 1888(%r9), %ymm10\nvmovdqa 512(%r9), %ymm5\nvmovdqa 1920(%r9), %ymm11\nvpmullw %ymm0, %ymm6, %ymm12\nvmovdqa %ymm12, 3520(%r10)\nvpmullw %ymm0, %ymm7, %ymm13\nvpmullw %ymm1, %ymm6, %ymm15\nvpaddw %ymm13, %ymm15, %ymm13\nvmovdqa %ymm13, 3552(%r10)\nvpmullw %ymm0, %ymm8, %ymm12\nvpmullw %ymm1, %ymm7, %ymm15\nvpaddw %ymm12, %ymm15, %ymm12\nvpmullw %ymm2, %ymm6, %ymm15\nvpaddw %ymm12, %ymm15, %ymm12\nvmovdqa %ymm12, 3584(%r10)\nvpmullw %ymm0, %ymm9, %ymm13\nvpmullw %ymm1, %ymm8, %ymm15\nvpaddw %ymm13, %ymm15, %ymm13\nvpmullw %ymm2, %ymm7, %ymm15\nvpaddw %ymm13, %ymm15, %ymm13\nvpmullw %ymm3, %ymm6, %ymm15\nvpaddw %ymm13, %ymm15, %ymm13\nvmovdqa %ymm13, 3616(%r10)\nvpmullw %ymm0, %ymm10, %ymm12\nvpmullw %ymm1, %ymm9, %ymm15\nvpaddw %ymm12, %ymm15, %ymm12\nvpmullw %ymm2, %ymm8, %ymm15\nvpaddw %ymm12, %ymm15, %ymm12\nvpmullw %ymm3, %ymm7, %ymm15\nvpaddw %ymm12, %ymm15, %ymm12\nvpmullw %ymm4, %ymm6, %ymm15\nvpaddw %ymm12, %ymm15, %ymm12\nvmovdqa %ymm12, 3648(%r10)\nvpmullw %ymm0, %ymm11, %ymm13\nvpmullw %ymm1, %ymm10, %ymm15\nvpaddw %ymm13, %ymm15, %ymm13\nvpmullw %ymm2, %ymm9, %ymm15\nvpaddw %ymm13, %ymm15, %ymm13\nvpmullw %ymm3, %ymm8, %ymm15\nvpaddw %ymm13, %ymm15, %ymm13\nvpmullw %ymm4, %ymm7, %ymm15\nvpaddw %ymm13, %ymm15, %ymm13\nvpmullw %ymm5, %ymm6, %ymm15\nvpaddw %ymm13, %ymm15, %ymm13\nvmovdqa %ymm13, 3680(%r10)\nvpmullw %ymm1, %ymm11, %ymm12\nvpmullw %ymm2, %ymm10, %ymm15\nvpaddw %ymm12, %ymm15, %ymm12\nvpmullw %ymm3, %ymm9, %ymm15\nvpaddw %ymm12, %ymm15, %ymm12\nvpmullw %ymm4, %ymm8, %ymm15\nvpaddw %ymm12, %ymm15, %ymm12\nvpmullw %ymm5, %ymm7, %ymm15\nvpaddw %ymm12, %ymm15, %ymm12\nvmovdqa %ymm12, 3712(%r10)\nvpmullw %ymm2, %ymm11, %ymm13\nvpmullw %ymm3, %ymm10, %ymm15\nvpaddw %ymm13, %ymm15, %ymm13\nvpmullw %ymm4, %ymm9, %ymm15\nvpaddw %ymm13, %ymm15, %ymm13\nvpmullw %ymm5, %ymm8, %ymm15\nvpaddw %ymm13, %ymm15, %ymm13\nvmovdqa %ymm13, 3744(%r10)\nvpmullw %ymm3, %ymm11, %ymm12\nvpmullw %ymm4, %ymm10, %ymm15\nvpaddw %ymm12, %ymm15, %ymm12\nvpmullw %ymm5, %ymm9, %ymm15\nvpaddw %ymm12, %ymm15, %ymm12\nvmovdqa %ymm12, 3776(%r10)\nvpmullw %ymm4, %ymm11, %ymm13\nvpmullw %ymm5, %ymm10, %ymm15\nvpaddw %ymm13, %ymm15, %ymm13\nvmovdqa %ymm13, 3808(%r10)\nvpmullw %ymm5, %ymm11, %ymm12\nvmovdqa %ymm12, 3840(%r10)\nvmovdqa 544(%r9), %ymm0\nvmovdqa 1952(%r9), %ymm6\nvmovdqa 576(%r9), %ymm1\nvmovdqa 1984(%r9), %ymm7\nvmovdqa 608(%r9), %ymm2\nvmovdqa 2016(%r9), %ymm8\nvmovdqa 640(%r9), %ymm3\nvmovdqa 2048(%r9), %ymm9\nvmovdqa 672(%r9), %ymm4\nvmovdqa 2080(%r9), %ymm10\nvpmullw %ymm0, %ymm6, %ymm12\nvmovdqa %ymm12, 3904(%r10)\nvpmullw %ymm0, %ymm7, %ymm13\nvpmullw %ymm1, %ymm6, %ymm15\nvpaddw %ymm13, %ymm15, %ymm13\nvmovdqa %ymm13, 3936(%r10)\nvpmullw %ymm0, %ymm8, %ymm12\nvpmullw %ymm1, %ymm7, %ymm15\nvpaddw %ymm12, %ymm15, %ymm12\nvpmullw %ymm2, %ymm6, %ymm15\nvpaddw %ymm12, %ymm15, %ymm12\nvmovdqa %ymm12, 3968(%r10)\nvpmullw %ymm0, %ymm9, %ymm13\nvpmullw %ymm1, %ymm8, %ymm15\nvpaddw %ymm13, %ymm15, %ymm13\nvpmullw %ymm2, %ymm7, %ymm15\nvpaddw %ymm13, %ymm15, %ymm13\nvpmullw %ymm3, %ymm6, %ymm15\nvpaddw %ymm13, %ymm15, %ymm13\nvmovdqa %ymm13, 4000(%r10)\nvpmullw %ymm0, %ymm10, %ymm12\nvpmullw %ymm1, %ymm9, %ymm15\nvpaddw %ymm12, %ymm15, %ymm12\nvpmullw %ymm2, %ymm8, %ymm15\nvpaddw %ymm12, %ymm15, %ymm12\nvpmullw %ymm3, %ymm7, %ymm15\nvpaddw %ymm12, %ymm15, %ymm12\nvpmullw %ymm4, %ymm6, %ymm15\nvpaddw %ymm12, %ymm15, %ymm12\nvmovdqa %ymm12, 4032(%r10)\nvpmullw %ymm1, %ymm10, %ymm13\nvpmullw %ymm2, %ymm9, %ymm15\nvpaddw %ymm13, %ymm15, %ymm13\nvpmullw %ymm3, %ymm8, %ymm15\nvpaddw %ymm13, %ymm15, %ymm13\nvpmullw %ymm4, %ymm7, %ymm15\nvpaddw %ymm13, %ymm15, %ymm13\nvmovdqa %ymm13, 4064(%r10)\nvpmullw %ymm2, %ymm10, %ymm12\nvpmullw %ymm3, %ymm9, %ymm15\nvpaddw %ymm12, %ymm15, %ymm12\nvpmullw %ymm4, %ymm8, %ymm15\nvpaddw %ymm12, %ymm15, %ymm12\nvmovdqa %ymm12, 4096(%r10)\nvpmullw %ymm3, %ymm10, %ymm13\nvpmullw %ymm4, %ymm9, %ymm15\nvpaddw %ymm13, %ymm15, %ymm13\nvmovdqa %ymm13, 4128(%r10)\nvpmullw %ymm4, %ymm10, %ymm12\nvmovdqa %ymm12, 4160(%r10)\nvpaddw 352(%r9), %ymm0, %ymm0\nvpaddw 1760(%r9), %ymm6, %ymm6\nvpaddw 384(%r9), %ymm1, %ymm1\nvpaddw 1792(%r9), %ymm7, %ymm7\nvpaddw 416(%r9), %ymm2, %ymm2\nvpaddw 1824(%r9), %ymm8, %ymm8\nvpaddw 448(%r9), %ymm3, %ymm3\nvpaddw 1856(%r9), %ymm9, %ymm9\nvpaddw 480(%r9), %ymm4, %ymm4\nvpaddw 1888(%r9), %ymm10, %ymm10\nvpmullw %ymm0, %ymm11, %ymm12\nvpmullw %ymm1, %ymm10, %ymm15\nvpaddw %ymm15, %ymm12, %ymm12\nvpmullw %ymm2, %ymm9, %ymm15\nvpaddw %ymm15, %ymm12, %ymm12\nvpmullw %ymm3, %ymm8, %ymm15\nvpaddw %ymm15, %ymm12, %ymm12\nvpmullw %ymm4, %ymm7, %ymm15\nvpaddw %ymm15, %ymm12, %ymm12\nvpmullw %ymm5, %ymm6, %ymm15\nvpaddw %ymm15, %ymm12, %ymm12\nvpsubw 3680(%r10), %ymm12, %ymm12\nvpsubw 4064(%r10), %ymm12, %ymm12\nvmovdqa %ymm12, 3872(%r10)\nvpmullw %ymm5, %ymm7, %ymm12\nvpmullw %ymm5, %ymm8, %ymm13\nvpmullw %ymm5, %ymm9, %ymm14\nvpmullw %ymm5, %ymm10, %ymm15\nvpmullw %ymm1, %ymm11, %ymm5\nvpaddw %ymm5, %ymm12, %ymm12\nvpmullw %ymm2, %ymm10, %ymm5\nvpaddw %ymm5, %ymm12, %ymm12\nvpmullw %ymm3, %ymm9, %ymm5\nvpaddw %ymm5, %ymm12, %ymm12\nvpmullw %ymm4, %ymm8, %ymm5\nvpaddw %ymm5, %ymm12, %ymm12\nvpmullw %ymm2, %ymm11, %ymm5\nvpaddw %ymm5, %ymm13, %ymm13\nvpmullw %ymm3, %ymm10, %ymm5\nvpaddw %ymm5, %ymm13, %ymm13\nvpmullw %ymm4, %ymm9, %ymm5\nvpaddw %ymm5, %ymm13, %ymm13\nvpmullw %ymm3, %ymm11, %ymm5\nvpaddw %ymm5, %ymm14, %ymm14\nvpmullw %ymm4, %ymm10, %ymm5\nvpaddw %ymm5, %ymm14, %ymm14\nvpmullw %ymm4, %ymm11, %ymm5\nvpaddw %ymm5, %ymm15, %ymm15\nvpmullw %ymm0, %ymm10, %ymm11\nvpmullw %ymm1, %ymm9, %ymm5\nvpaddw %ymm5, %ymm11, %ymm11\nvpmullw %ymm2, %ymm8, %ymm5\nvpaddw %ymm5, %ymm11, %ymm11\nvpmullw %ymm3, %ymm7, %ymm5\nvpaddw %ymm5, %ymm11, %ymm11\nvpmullw %ymm4, %ymm6, %ymm5\nvpaddw %ymm5, %ymm11, %ymm11\nvpmullw %ymm0, %ymm9, %ymm10\nvpmullw %ymm1, %ymm8, %ymm5\nvpaddw %ymm5, %ymm10, %ymm10\nvpmullw %ymm2, %ymm7, %ymm5\nvpaddw %ymm5, %ymm10, %ymm10\nvpmullw %ymm3, %ymm6, %ymm5\nvpaddw %ymm5, %ymm10, %ymm10\nvpmullw %ymm0, %ymm8, %ymm9\nvpmullw %ymm1, %ymm7, %ymm5\nvpaddw %ymm5, %ymm9, %ymm9\nvpmullw %ymm2, %ymm6, %ymm5\nvpaddw %ymm5, %ymm9, %ymm9\nvpmullw %ymm0, %ymm7, %ymm8\nvpmullw %ymm1, %ymm6, %ymm5\nvpaddw %ymm5, %ymm8, %ymm8\nvpmullw %ymm0, %ymm6, %ymm7\nvmovdqa 3712(%r10), %ymm0\nvpsubw 3904(%r10), %ymm0, %ymm0\nvpsubw %ymm0, %ymm12, %ymm6\nvpsubw 4096(%r10), %ymm6, %ymm6\nvmovdqa %ymm6, 3904(%r10)\nvpaddw %ymm7, %ymm0, %ymm0\nvpsubw 3520(%r10), %ymm0, %ymm0\nvmovdqa %ymm0, 3712(%r10)\nvmovdqa 3744(%r10), %ymm1\nvpsubw 3936(%r10), %ymm1, %ymm1\nvpsubw %ymm1, %ymm13, %ymm7\nvpsubw 4128(%r10), %ymm7, %ymm7\nvmovdqa %ymm7, 3936(%r10)\nvpaddw %ymm8, %ymm1, %ymm1\nvpsubw 3552(%r10), %ymm1, %ymm1\nvmovdqa %ymm1, 3744(%r10)\nvmovdqa 3776(%r10), %ymm2\nvpsubw 3968(%r10), %ymm2, %ymm2\nvpsubw %ymm2, %ymm14, %ymm8\nvpsubw 4160(%r10), %ymm8, %ymm8\nvmovdqa %ymm8, 3968(%r10)\nvpaddw %ymm9, %ymm2, %ymm2\nvpsubw 3584(%r10), %ymm2, %ymm2\nvmovdqa %ymm2, 3776(%r10)\nvmovdqa 3808(%r10), %ymm3\nvpsubw 4000(%r10), %ymm3, %ymm3\nvpsubw %ymm3, %ymm15, %ymm9\nvmovdqa %ymm9, 4000(%r10)\nvpaddw %ymm10, %ymm3, %ymm3\nvpsubw 3616(%r10), %ymm3, %ymm3\nvmovdqa %ymm3, 3808(%r10)\nvmovdqa 3840(%r10), %ymm4\nvpsubw 4032(%r10), %ymm4, %ymm4\nvpaddw %ymm11, %ymm4, %ymm4\nvpsubw 3648(%r10), %ymm4, %ymm4\nvmovdqa %ymm4, 3840(%r10)\nvmovdqa 0(%r9), %ymm0\nvmovdqa 1408(%r9), %ymm6\nvpaddw 352(%r9), %ymm0, %ymm0\nvpaddw 1760(%r9), %ymm6, %ymm6\nvmovdqa 32(%r9), %ymm1\nvmovdqa 1440(%r9), %ymm7\nvpaddw 384(%r9), %ymm1, %ymm1\nvpaddw 1792(%r9), %ymm7, %ymm7\nvmovdqa 64(%r9), %ymm2\nvmovdqa 1472(%r9), %ymm8\nvpaddw 416(%r9), %ymm2, %ymm2\nvpaddw 1824(%r9), %ymm8, %ymm8\nvmovdqa 96(%r9), %ymm3\nvmovdqa 1504(%r9), %ymm9\nvpaddw 448(%r9), %ymm3, %ymm3\nvpaddw 1856(%r9), %ymm9, %ymm9\nvmovdqa 128(%r9), %ymm4\nvmovdqa 1536(%r9), %ymm10\nvpaddw 480(%r9), %ymm4, %ymm4\nvpaddw 1888(%r9), %ymm10, %ymm10\nvmovdqa 160(%r9), %ymm5\nvmovdqa 1568(%r9), %ymm11\nvpaddw 512(%r9), %ymm5, %ymm5\nvpaddw 1920(%r9), %ymm11, %ymm11\nvpmullw %ymm0, %ymm6, %ymm12\nvmovdqa %ymm12, 5888(%r8)\nvpmullw %ymm0, %ymm7, %ymm13\nvpmullw %ymm1, %ymm6, %ymm15\nvpaddw %ymm13, %ymm15, %ymm13\nvmovdqa %ymm13, 5920(%r8)\nvpmullw %ymm0, %ymm8, %ymm12\nvpmullw %ymm1, %ymm7, %ymm15\nvpaddw %ymm12, %ymm15, %ymm12\nvpmullw %ymm2, %ymm6, %ymm15\nvpaddw %ymm12, %ymm15, %ymm12\nvmovdqa %ymm12, 5952(%r8)\nvpmullw %ymm0, %ymm9, %ymm13\nvpmullw %ymm1, %ymm8, %ymm15\nvpaddw %ymm13, %ymm15, %ymm13\nvpmullw %ymm2, %ymm7, %ymm15\nvpaddw %ymm13, %ymm15, %ymm13\nvpmullw %ymm3, %ymm6, %ymm15\nvpaddw %ymm13, %ymm15, %ymm13\nvmovdqa %ymm13, 5984(%r8)\nvpmullw %ymm0, %ymm10, %ymm12\nvpmullw %ymm1, %ymm9, %ymm15\nvpaddw %ymm12, %ymm15, %ymm12\nvpmullw %ymm2, %ymm8, %ymm15\nvpaddw %ymm12, %ymm15, %ymm12\nvpmullw %ymm3, %ymm7, %ymm15\nvpaddw %ymm12, %ymm15, %ymm12\nvpmullw %ymm4, %ymm6, %ymm15\nvpaddw %ymm12, %ymm15, %ymm12\nvmovdqa %ymm12, 6016(%r8)\nvpmullw %ymm0, %ymm11, %ymm13\nvpmullw %ymm1, %ymm10, %ymm15\nvpaddw %ymm13, %ymm15, %ymm13\nvpmullw %ymm2, %ymm9, %ymm15\nvpaddw %ymm13, %ymm15, %ymm13\nvpmullw %ymm3, %ymm8, %ymm15\nvpaddw %ymm13, %ymm15, %ymm13\nvpmullw %ymm4, %ymm7, %ymm15\nvpaddw %ymm13, %ymm15, %ymm13\nvpmullw %ymm5, %ymm6, %ymm15\nvpaddw %ymm13, %ymm15, %ymm13\nvmovdqa %ymm13, 6048(%r8)\nvpmullw %ymm1, %ymm11, %ymm12\nvpmullw %ymm2, %ymm10, %ymm15\nvpaddw %ymm12, %ymm15, %ymm12\nvpmullw %ymm3, %ymm9, %ymm15\nvpaddw %ymm12, %ymm15, %ymm12\nvpmullw %ymm4, %ymm8, %ymm15\nvpaddw %ymm12, %ymm15, %ymm12\nvpmullw %ymm5, %ymm7, %ymm15\nvpaddw %ymm12, %ymm15, %ymm12\nvmovdqa %ymm12, 6080(%r8)\nvpmullw %ymm2, %ymm11, %ymm13\nvpmullw %ymm3, %ymm10, %ymm15\nvpaddw %ymm13, %ymm15, %ymm13\nvpmullw %ymm4, %ymm9, %ymm15\nvpaddw %ymm13, %ymm15, %ymm13\nvpmullw %ymm5, %ymm8, %ymm15\nvpaddw %ymm13, %ymm15, %ymm13\nvmovdqa %ymm13, 6112(%r8)\nvpmullw %ymm3, %ymm11, %ymm12\nvpmullw %ymm4, %ymm10, %ymm15\nvpaddw %ymm12, %ymm15, %ymm12\nvpmullw %ymm5, %ymm9, %ymm15\nvpaddw %ymm12, %ymm15, %ymm12\nvmovdqa %ymm12, 6144(%r8)\nvpmullw %ymm4, %ymm11, %ymm13\nvpmullw %ymm5, %ymm10, %ymm15\nvpaddw %ymm13, %ymm15, %ymm13\nvmovdqa %ymm13, 6176(%r8)\nvpmullw %ymm5, %ymm11, %ymm12\nvmovdqa %ymm12, 6208(%r8)\nvmovdqa 192(%r9), %ymm0\nvmovdqa 1600(%r9), %ymm6\nvpaddw 544(%r9), %ymm0, %ymm0\nvpaddw 1952(%r9), %ymm6, %ymm6\nvmovdqa 224(%r9), %ymm1\nvmovdqa 1632(%r9), %ymm7\nvpaddw 576(%r9), %ymm1, %ymm1\nvpaddw 1984(%r9), %ymm7, %ymm7\nvmovdqa 256(%r9), %ymm2\nvmovdqa 1664(%r9), %ymm8\nvpaddw 608(%r9), %ymm2, %ymm2\nvpaddw 2016(%r9), %ymm8, %ymm8\nvmovdqa 288(%r9), %ymm3\nvmovdqa 1696(%r9), %ymm9\nvpaddw 640(%r9), %ymm3, %ymm3\nvpaddw 2048(%r9), %ymm9, %ymm9\nvmovdqa 320(%r9), %ymm4\nvmovdqa 1728(%r9), %ymm10\nvpaddw 672(%r9), %ymm4, %ymm4\nvpaddw 2080(%r9), %ymm10, %ymm10\nvpmullw %ymm0, %ymm6, %ymm12\nvmovdqa %ymm12, 6272(%r8)\nvpmullw %ymm0, %ymm7, %ymm13\nvpmullw %ymm1, %ymm6, %ymm15\nvpaddw %ymm13, %ymm15, %ymm13\nvmovdqa %ymm13, 6304(%r8)\nvpmullw %ymm0, %ymm8, %ymm12\nvpmullw %ymm1, %ymm7, %ymm15\nvpaddw %ymm12, %ymm15, %ymm12\nvpmullw %ymm2, %ymm6, %ymm15\nvpaddw %ymm12, %ymm15, %ymm12\nvmovdqa %ymm12, 6336(%r8)\nvpmullw %ymm0, %ymm9, %ymm13\nvpmullw %ymm1, %ymm8, %ymm15\nvpaddw %ymm13, %ymm15, %ymm13\nvpmullw %ymm2, %ymm7, %ymm15\nvpaddw %ymm13, %ymm15, %ymm13\nvpmullw %ymm3, %ymm6, %ymm15\nvpaddw %ymm13, %ymm15, %ymm13\nvmovdqa %ymm13, 6368(%r8)\nvpmullw %ymm0, %ymm10, %ymm12\nvpmullw %ymm1, %ymm9, %ymm15\nvpaddw %ymm12, %ymm15, %ymm12\nvpmullw %ymm2, %ymm8, %ymm15\nvpaddw %ymm12, %ymm15, %ymm12\nvpmullw %ymm3, %ymm7, %ymm15\nvpaddw %ymm12, %ymm15, %ymm12\nvpmullw %ymm4, %ymm6, %ymm15\nvpaddw %ymm12, %ymm15, %ymm12\nvmovdqa %ymm12, 6400(%r8)\nvpmullw %ymm1, %ymm10, %ymm13\nvpmullw %ymm2, %ymm9, %ymm15\nvpaddw %ymm13, %ymm15, %ymm13\nvpmullw %ymm3, %ymm8, %ymm15\nvpaddw %ymm13, %ymm15, %ymm13\nvpmullw %ymm4, %ymm7, %ymm15\nvpaddw %ymm13, %ymm15, %ymm13\nvmovdqa %ymm13, 6432(%r8)\nvpmullw %ymm2, %ymm10, %ymm12\nvpmullw %ymm3, %ymm9, %ymm15\nvpaddw %ymm12, %ymm15, %ymm12\nvpmullw %ymm4, %ymm8, %ymm15\nvpaddw %ymm12, %ymm15, %ymm12\nvmovdqa %ymm12, 6464(%r8)\nvpmullw %ymm3, %ymm10, %ymm13\nvpmullw %ymm4, %ymm9, %ymm15\nvpaddw %ymm13, %ymm15, %ymm13\nvmovdqa %ymm13, 6496(%r8)\nvpmullw %ymm4, %ymm10, %ymm12\nvmovdqa %ymm12, 6528(%r8)\nvpaddw 0(%r9), %ymm0, %ymm0\nvpaddw 1408(%r9), %ymm6, %ymm6\nvpaddw 352(%r9), %ymm0, %ymm0\nvpaddw 1760(%r9), %ymm6, %ymm6\nvpaddw 32(%r9), %ymm1, %ymm1\nvpaddw 1440(%r9), %ymm7, %ymm7\nvpaddw 384(%r9), %ymm1, %ymm1\nvpaddw 1792(%r9), %ymm7, %ymm7\nvpaddw 64(%r9), %ymm2, %ymm2\nvpaddw 1472(%r9), %ymm8, %ymm8\nvpaddw 416(%r9), %ymm2, %ymm2\nvpaddw 1824(%r9), %ymm8, %ymm8\nvpaddw 96(%r9), %ymm3, %ymm3\nvpaddw 1504(%r9), %ymm9, %ymm9\nvpaddw 448(%r9), %ymm3, %ymm3\nvpaddw 1856(%r9), %ymm9, %ymm9\nvpaddw 128(%r9), %ymm4, %ymm4\nvpaddw 1536(%r9), %ymm10, %ymm10\nvpaddw 480(%r9), %ymm4, %ymm4\nvpaddw 1888(%r9), %ymm10, %ymm10\nvpmullw %ymm0, %ymm11, %ymm12\nvpmullw %ymm1, %ymm10, %ymm15\nvpaddw %ymm15, %ymm12, %ymm12\nvpmullw %ymm2, %ymm9, %ymm15\nvpaddw %ymm15, %ymm12, %ymm12\nvpmullw %ymm3, %ymm8, %ymm15\nvpaddw %ymm15, %ymm12, %ymm12\nvpmullw %ymm4, %ymm7, %ymm15\nvpaddw %ymm15, %ymm12, %ymm12\nvpmullw %ymm5, %ymm6, %ymm15\nvpaddw %ymm15, %ymm12, %ymm12\nvpsubw 6048(%r8), %ymm12, %ymm12\nvpsubw 6432(%r8), %ymm12, %ymm12\nvmovdqa %ymm12, 6240(%r8)\nvpmullw %ymm5, %ymm7, %ymm12\nvpmullw %ymm5, %ymm8, %ymm13\nvpmullw %ymm5, %ymm9, %ymm14\nvpmullw %ymm5, %ymm10, %ymm15\nvpmullw %ymm1, %ymm11, %ymm5\nvpaddw %ymm5, %ymm12, %ymm12\nvpmullw %ymm2, %ymm10, %ymm5\nvpaddw %ymm5, %ymm12, %ymm12\nvpmullw %ymm3, %ymm9, %ymm5\nvpaddw %ymm5, %ymm12, %ymm12\nvpmullw %ymm4, %ymm8, %ymm5\nvpaddw %ymm5, %ymm12, %ymm12\nvpmullw %ymm2, %ymm11, %ymm5\nvpaddw %ymm5, %ymm13, %ymm13\nvpmullw %ymm3, %ymm10, %ymm5\nvpaddw %ymm5, %ymm13, %ymm13\nvpmullw %ymm4, %ymm9, %ymm5\nvpaddw %ymm5, %ymm13, %ymm13\nvpmullw %ymm3, %ymm11, %ymm5\nvpaddw %ymm5, %ymm14, %ymm14\nvpmullw %ymm4, %ymm10, %ymm5\nvpaddw %ymm5, %ymm14, %ymm14\nvpmullw %ymm4, %ymm11, %ymm5\nvpaddw %ymm5, %ymm15, %ymm15\nvpmullw %ymm0, %ymm10, %ymm11\nvpmullw %ymm1, %ymm9, %ymm5\nvpaddw %ymm5, %ymm11, %ymm11\nvpmullw %ymm2, %ymm8, %ymm5\nvpaddw %ymm5, %ymm11, %ymm11\nvpmullw %ymm3, %ymm7, %ymm5\nvpaddw %ymm5, %ymm11, %ymm11\nvpmullw %ymm4, %ymm6, %ymm5\nvpaddw %ymm5, %ymm11, %ymm11\nvpmullw %ymm0, %ymm9, %ymm10\nvpmullw %ymm1, %ymm8, %ymm5\nvpaddw %ymm5, %ymm10, %ymm10\nvpmullw %ymm2, %ymm7, %ymm5\nvpaddw %ymm5, %ymm10, %ymm10\nvpmullw %ymm3, %ymm6, %ymm5\nvpaddw %ymm5, %ymm10, %ymm10\nvpmullw %ymm0, %ymm8, %ymm9\nvpmullw %ymm1, %ymm7, %ymm5\nvpaddw %ymm5, %ymm9, %ymm9\nvpmullw %ymm2, %ymm6, %ymm5\nvpaddw %ymm5, %ymm9, %ymm9\nvpmullw %ymm0, %ymm7, %ymm8\nvpmullw %ymm1, %ymm6, %ymm5\nvpaddw %ymm5, %ymm8, %ymm8\nvpmullw %ymm0, %ymm6, %ymm7\nvmovdqa 6080(%r8), %ymm0\nvpsubw 6272(%r8), %ymm0, %ymm0\nvpsubw %ymm0, %ymm12, %ymm6\nvpsubw 6464(%r8), %ymm6, %ymm6\nvmovdqa %ymm6, 6272(%r8)\nvpaddw %ymm7, %ymm0, %ymm0\nvpsubw 5888(%r8), %ymm0, %ymm0\nvmovdqa %ymm0, 6080(%r8)\nvmovdqa 6112(%r8), %ymm1\nvpsubw 6304(%r8), %ymm1, %ymm1\nvpsubw %ymm1, %ymm13, %ymm7\nvpsubw 6496(%r8), %ymm7, %ymm7\nvmovdqa %ymm7, 6304(%r8)\nvpaddw %ymm8, %ymm1, %ymm1\nvpsubw 5920(%r8), %ymm1, %ymm1\nvmovdqa %ymm1, 6112(%r8)\nvmovdqa 6144(%r8), %ymm2\nvpsubw 6336(%r8), %ymm2, %ymm2\nvpsubw %ymm2, %ymm14, %ymm8\nvpsubw 6528(%r8), %ymm8, %ymm8\nvmovdqa %ymm8, 6336(%r8)\nvpaddw %ymm9, %ymm2, %ymm2\nvpsubw 5952(%r8), %ymm2, %ymm2\nvmovdqa %ymm2, 6144(%r8)\nvmovdqa 6176(%r8), %ymm3\nvpsubw 6368(%r8), %ymm3, %ymm3\nvpsubw %ymm3, %ymm15, %ymm9\nvmovdqa %ymm9, 6368(%r8)\nvpaddw %ymm10, %ymm3, %ymm3\nvpsubw 5984(%r8), %ymm3, %ymm3\nvmovdqa %ymm3, 6176(%r8)\nvmovdqa 6208(%r8), %ymm4\nvpsubw 6400(%r8), %ymm4, %ymm4\nvpaddw %ymm11, %ymm4, %ymm4\nvpsubw 6016(%r8), %ymm4, %ymm4\nvmovdqa %ymm4, 6208(%r8)\nvmovdqa 6208(%r8), %ymm0\nvpsubw 3136(%r10), %ymm0, %ymm0\nvpsubw 3840(%r10), %ymm0, %ymm0\nvmovdqa %ymm0, 3488(%r10)\nvmovdqa 3168(%r10), %ymm0\nvpsubw 3520(%r10), %ymm0, %ymm0\nvmovdqa 6240(%r8), %ymm1\nvpsubw %ymm0, %ymm1, %ymm1\nvpsubw 3872(%r10), %ymm1, %ymm1\nvpsubw 2816(%r10), %ymm0, %ymm0\nvpaddw 5888(%r8), %ymm0, %ymm0\nvmovdqa %ymm0, 3168(%r10)\nvmovdqa %ymm1, 3520(%r10)\nvmovdqa 3200(%r10), %ymm0\nvpsubw 3552(%r10), %ymm0, %ymm0\nvmovdqa 6272(%r8), %ymm1\nvpsubw %ymm0, %ymm1, %ymm1\nvpsubw 3904(%r10), %ymm1, %ymm1\nvpsubw 2848(%r10), %ymm0, %ymm0\nvpaddw 5920(%r8), %ymm0, %ymm0\nvmovdqa %ymm0, 3200(%r10)\nvmovdqa %ymm1, 3552(%r10)\nvmovdqa 3232(%r10), %ymm0\nvpsubw 3584(%r10), %ymm0, %ymm0\nvmovdqa 6304(%r8), %ymm1\nvpsubw %ymm0, %ymm1, %ymm1\nvpsubw 3936(%r10), %ymm1, %ymm1\nvpsubw 2880(%r10), %ymm0, %ymm0\nvpaddw 5952(%r8), %ymm0, %ymm0\nvmovdqa %ymm0, 3232(%r10)\nvmovdqa %ymm1, 3584(%r10)\nvmovdqa 3264(%r10), %ymm0\nvpsubw 3616(%r10), %ymm0, %ymm0\nvmovdqa 6336(%r8), %ymm1\nvpsubw %ymm0, %ymm1, %ymm1\nvpsubw 3968(%r10), %ymm1, %ymm1\nvpsubw 2912(%r10), %ymm0, %ymm0\nvpaddw 5984(%r8), %ymm0, %ymm0\nvmovdqa %ymm0, 3264(%r10)\nvmovdqa %ymm1, 3616(%r10)\nvmovdqa 3296(%r10), %ymm0\nvpsubw 3648(%r10), %ymm0, %ymm0\nvmovdqa 6368(%r8), %ymm1\nvpsubw %ymm0, %ymm1, %ymm1\nvpsubw 4000(%r10), %ymm1, %ymm1\nvpsubw 2944(%r10), %ymm0, %ymm0\nvpaddw 6016(%r8), %ymm0, %ymm0\nvmovdqa %ymm0, 3296(%r10)\nvmovdqa %ymm1, 3648(%r10)\nvmovdqa 3328(%r10), %ymm0\nvpsubw 3680(%r10), %ymm0, %ymm0\nvmovdqa 6400(%r8), %ymm1\nvpsubw %ymm0, %ymm1, %ymm1\nvpsubw 4032(%r10), %ymm1, %ymm1\nvpsubw 2976(%r10), %ymm0, %ymm0\nvpaddw 6048(%r8), %ymm0, %ymm0\nvmovdqa %ymm0, 3328(%r10)\nvmovdqa %ymm1, 3680(%r10)\nvmovdqa 3360(%r10), %ymm0\nvpsubw 3712(%r10), %ymm0, %ymm0\nvmovdqa 6432(%r8), %ymm1\nvpsubw %ymm0, %ymm1, %ymm1\nvpsubw 4064(%r10), %ymm1, %ymm1\nvpsubw 3008(%r10), %ymm0, %ymm0\nvpaddw 6080(%r8), %ymm0, %ymm0\nvmovdqa %ymm0, 3360(%r10)\nvmovdqa %ymm1, 3712(%r10)\nvmovdqa 3392(%r10), %ymm0\nvpsubw 3744(%r10), %ymm0, %ymm0\nvmovdqa 6464(%r8), %ymm1\nvpsubw %ymm0, %ymm1, %ymm1\nvpsubw 4096(%r10), %ymm1, %ymm1\nvpsubw 3040(%r10), %ymm0, %ymm0\nvpaddw 6112(%r8), %ymm0, %ymm0\nvmovdqa %ymm0, 3392(%r10)\nvmovdqa %ymm1, 3744(%r10)\nvmovdqa 3424(%r10), %ymm0\nvpsubw 3776(%r10), %ymm0, %ymm0\nvmovdqa 6496(%r8), %ymm1\nvpsubw %ymm0, %ymm1, %ymm1\nvpsubw 4128(%r10), %ymm1, %ymm1\nvpsubw 3072(%r10), %ymm0, %ymm0\nvpaddw 6144(%r8), %ymm0, %ymm0\nvmovdqa %ymm0, 3424(%r10)\nvmovdqa %ymm1, 3776(%r10)\nvmovdqa 3456(%r10), %ymm0\nvpsubw 3808(%r10), %ymm0, %ymm0\nvmovdqa 6528(%r8), %ymm1\nvpsubw %ymm0, %ymm1, %ymm1\nvpsubw 4160(%r10), %ymm1, %ymm1\nvpsubw 3104(%r10), %ymm0, %ymm0\nvpaddw 6176(%r8), %ymm0, %ymm0\nvmovdqa %ymm0, 3456(%r10)\nvmovdqa %ymm1, 3808(%r10)\nneg %ecx\njns done_4eced63f144beffcb0247f9c6f67d165\nadd $704, %r9\nadd $1408, %r10\njmp innerloop_4eced63f144beffcb0247f9c6f67d165\ndone_4eced63f144beffcb0247f9c6f67d165:\nsub $704, %r9\nsub $1408, %r10\nvmovdqa 0(%r9), %ymm0\nvpaddw 704(%r9), %ymm0, %ymm0\nvmovdqa %ymm0, 6592(%r8)\nvmovdqa 1408(%r9), %ymm0\nvpaddw 2112(%r9), %ymm0, %ymm0\nvmovdqa %ymm0, 7296(%r8)\nvmovdqa 32(%r9), %ymm0\nvpaddw 736(%r9), %ymm0, %ymm0\nvmovdqa %ymm0, 6624(%r8)\nvmovdqa 1440(%r9), %ymm0\nvpaddw 2144(%r9), %ymm0, %ymm0\nvmovdqa %ymm0, 7328(%r8)\nvmovdqa 64(%r9), %ymm0\nvpaddw 768(%r9), %ymm0, %ymm0\nvmovdqa %ymm0, 6656(%r8)\nvmovdqa 1472(%r9), %ymm0\nvpaddw 2176(%r9), %ymm0, %ymm0\nvmovdqa %ymm0, 7360(%r8)\nvmovdqa 96(%r9), %ymm0\nvpaddw 800(%r9), %ymm0, %ymm0\nvmovdqa %ymm0, 6688(%r8)\nvmovdqa 1504(%r9), %ymm0\nvpaddw 2208(%r9), %ymm0, %ymm0\nvmovdqa %ymm0, 7392(%r8)\nvmovdqa 128(%r9), %ymm0\nvpaddw 832(%r9), %ymm0, %ymm0\nvmovdqa %ymm0, 6720(%r8)\nvmovdqa 1536(%r9), %ymm0\nvpaddw 2240(%r9), %ymm0, %ymm0\nvmovdqa %ymm0, 7424(%r8)\nvmovdqa 160(%r9), %ymm0\nvpaddw 864(%r9), %ymm0, %ymm0\nvmovdqa %ymm0, 6752(%r8)\nvmovdqa 1568(%r9), %ymm0\nvpaddw 2272(%r9), %ymm0, %ymm0\nvmovdqa %ymm0, 7456(%r8)\nvmovdqa 192(%r9), %ymm0\nvpaddw 896(%r9), %ymm0, %ymm0\nvmovdqa %ymm0, 6784(%r8)\nvmovdqa 1600(%r9), %ymm0\nvpaddw 2304(%r9), %ymm0, %ymm0\nvmovdqa %ymm0, 7488(%r8)\nvmovdqa 224(%r9), %ymm0\nvpaddw 928(%r9), %ymm0, %ymm0\nvmovdqa %ymm0, 6816(%r8)\nvmovdqa 1632(%r9), %ymm0\nvpaddw 2336(%r9), %ymm0, %ymm0\nvmovdqa %ymm0, 7520(%r8)\nvmovdqa 256(%r9), %ymm0\nvpaddw 960(%r9), %ymm0, %ymm0\nvmovdqa %ymm0, 6848(%r8)\nvmovdqa 1664(%r9), %ymm0\nvpaddw 2368(%r9), %ymm0, %ymm0\nvmovdqa %ymm0, 7552(%r8)\nvmovdqa 288(%r9), %ymm0\nvpaddw 992(%r9), %ymm0, %ymm0\nvmovdqa %ymm0, 6880(%r8)\nvmovdqa 1696(%r9), %ymm0\nvpaddw 2400(%r9), %ymm0, %ymm0\nvmovdqa %ymm0, 7584(%r8)\nvmovdqa 320(%r9), %ymm0\nvpaddw 1024(%r9), %ymm0, %ymm0\nvmovdqa %ymm0, 6912(%r8)\nvmovdqa 1728(%r9), %ymm0\nvpaddw 2432(%r9), %ymm0, %ymm0\nvmovdqa %ymm0, 7616(%r8)\nvmovdqa 352(%r9), %ymm0\nvpaddw 1056(%r9), %ymm0, %ymm0\nvmovdqa %ymm0, 6944(%r8)\nvmovdqa 1760(%r9), %ymm0\nvpaddw 2464(%r9), %ymm0, %ymm0\nvmovdqa %ymm0, 7648(%r8)\nvmovdqa 384(%r9), %ymm0\nvpaddw 1088(%r9), %ymm0, %ymm0\nvmovdqa %ymm0, 6976(%r8)\nvmovdqa 1792(%r9), %ymm0\nvpaddw 2496(%r9), %ymm0, %ymm0\nvmovdqa %ymm0, 7680(%r8)\nvmovdqa 416(%r9), %ymm0\nvpaddw 1120(%r9), %ymm0, %ymm0\nvmovdqa %ymm0, 7008(%r8)\nvmovdqa 1824(%r9), %ymm0\nvpaddw 2528(%r9), %ymm0, %ymm0\nvmovdqa %ymm0, 7712(%r8)\nvmovdqa 448(%r9), %ymm0\nvpaddw 1152(%r9), %ymm0, %ymm0\nvmovdqa %ymm0, 7040(%r8)\nvmovdqa 1856(%r9), %ymm0\nvpaddw 2560(%r9), %ymm0, %ymm0\nvmovdqa %ymm0, 7744(%r8)\nvmovdqa 480(%r9), %ymm0\nvpaddw 1184(%r9), %ymm0, %ymm0\nvmovdqa %ymm0, 7072(%r8)\nvmovdqa 1888(%r9), %ymm0\nvpaddw 2592(%r9), %ymm0, %ymm0\nvmovdqa %ymm0, 7776(%r8)\nvmovdqa 512(%r9), %ymm0\nvpaddw 1216(%r9), %ymm0, %ymm0\nvmovdqa %ymm0, 7104(%r8)\nvmovdqa 1920(%r9), %ymm0\nvpaddw 2624(%r9), %ymm0, %ymm0\nvmovdqa %ymm0, 7808(%r8)\nvmovdqa 544(%r9), %ymm0\nvpaddw 1248(%r9), %ymm0, %ymm0\nvmovdqa %ymm0, 7136(%r8)\nvmovdqa 1952(%r9), %ymm0\nvpaddw 2656(%r9), %ymm0, %ymm0\nvmovdqa %ymm0, 7840(%r8)\nvmovdqa 576(%r9), %ymm0\nvpaddw 1280(%r9), %ymm0, %ymm0\nvmovdqa %ymm0, 7168(%r8)\nvmovdqa 1984(%r9), %ymm0\nvpaddw 2688(%r9), %ymm0, %ymm0\nvmovdqa %ymm0, 7872(%r8)\nvmovdqa 608(%r9), %ymm0\nvpaddw 1312(%r9), %ymm0, %ymm0\nvmovdqa %ymm0, 7200(%r8)\nvmovdqa 2016(%r9), %ymm0\nvpaddw 2720(%r9), %ymm0, %ymm0\nvmovdqa %ymm0, 7904(%r8)\nvmovdqa 640(%r9), %ymm0\nvpaddw 1344(%r9), %ymm0, %ymm0\nvmovdqa %ymm0, 7232(%r8)\nvmovdqa 2048(%r9), %ymm0\nvpaddw 2752(%r9), %ymm0, %ymm0\nvmovdqa %ymm0, 7936(%r8)\nvmovdqa 672(%r9), %ymm0\nvpaddw 1376(%r9), %ymm0, %ymm0\nvmovdqa %ymm0, 7264(%r8)\nvmovdqa 2080(%r9), %ymm0\nvpaddw 2784(%r9), %ymm0, %ymm0\nvmovdqa %ymm0, 7968(%r8)\nvmovdqa 6592(%r8), %ymm0\nvmovdqa 7296(%r8), %ymm6\nvmovdqa 6624(%r8), %ymm1\nvmovdqa 7328(%r8), %ymm7\nvmovdqa 6656(%r8), %ymm2\nvmovdqa 7360(%r8), %ymm8\nvmovdqa 6688(%r8), %ymm3\nvmovdqa 7392(%r8), %ymm9\nvmovdqa 6720(%r8), %ymm4\nvmovdqa 7424(%r8), %ymm10\nvmovdqa 6752(%r8), %ymm5\nvmovdqa 7456(%r8), %ymm11\nvpmullw %ymm0, %ymm6, %ymm12\nvmovdqa %ymm12, 8000(%r8)\nvpmullw %ymm0, %ymm7, %ymm13\nvpmullw %ymm1, %ymm6, %ymm15\nvpaddw %ymm13, %ymm15, %ymm13\nvmovdqa %ymm13, 8032(%r8)\nvpmullw %ymm0, %ymm8, %ymm12\nvpmullw %ymm1, %ymm7, %ymm15\nvpaddw %ymm12, %ymm15, %ymm12\nvpmullw %ymm2, %ymm6, %ymm15\nvpaddw %ymm12, %ymm15, %ymm12\nvmovdqa %ymm12, 8064(%r8)\nvpmullw %ymm0, %ymm9, %ymm13\nvpmullw %ymm1, %ymm8, %ymm15\nvpaddw %ymm13, %ymm15, %ymm13\nvpmullw %ymm2, %ymm7, %ymm15\nvpaddw %ymm13, %ymm15, %ymm13\nvpmullw %ymm3, %ymm6, %ymm15\nvpaddw %ymm13, %ymm15, %ymm13\nvmovdqa %ymm13, 8096(%r8)\nvpmullw %ymm0, %ymm10, %ymm12\nvpmullw %ymm1, %ymm9, %ymm15\nvpaddw %ymm12, %ymm15, %ymm12\nvpmullw %ymm2, %ymm8, %ymm15\nvpaddw %ymm12, %ymm15, %ymm12\nvpmullw %ymm3, %ymm7, %ymm15\nvpaddw %ymm12, %ymm15, %ymm12\nvpmullw %ymm4, %ymm6, %ymm15\nvpaddw %ymm12, %ymm15, %ymm12\nvmovdqa %ymm12, 8128(%r8)\nvpmullw %ymm0, %ymm11, %ymm13\nvpmullw %ymm1, %ymm10, %ymm15\nvpaddw %ymm13, %ymm15, %ymm13\nvpmullw %ymm2, %ymm9, %ymm15\nvpaddw %ymm13, %ymm15, %ymm13\nvpmullw %ymm3, %ymm8, %ymm15\nvpaddw %ymm13, %ymm15, %ymm13\nvpmullw %ymm4, %ymm7, %ymm15\nvpaddw %ymm13, %ymm15, %ymm13\nvpmullw %ymm5, %ymm6, %ymm15\nvpaddw %ymm13, %ymm15, %ymm13\nvmovdqa %ymm13, 8160(%r8)\nvpmullw %ymm1, %ymm11, %ymm12\nvpmullw %ymm2, %ymm10, %ymm15\nvpaddw %ymm12, %ymm15, %ymm12\nvpmullw %ymm3, %ymm9, %ymm15\nvpaddw %ymm12, %ymm15, %ymm12\nvpmullw %ymm4, %ymm8, %ymm15\nvpaddw %ymm12, %ymm15, %ymm12\nvpmullw %ymm5, %ymm7, %ymm15\nvpaddw %ymm12, %ymm15, %ymm12\nvmovdqa %ymm12, 8192(%r8)\nvpmullw %ymm2, %ymm11, %ymm13\nvpmullw %ymm3, %ymm10, %ymm15\nvpaddw %ymm13, %ymm15, %ymm13\nvpmullw %ymm4, %ymm9, %ymm15\nvpaddw %ymm13, %ymm15, %ymm13\nvpmullw %ymm5, %ymm8, %ymm15\nvpaddw %ymm13, %ymm15, %ymm13\nvmovdqa %ymm13, 8224(%r8)\nvpmullw %ymm3, %ymm11, %ymm12\nvpmullw %ymm4, %ymm10, %ymm15\nvpaddw %ymm12, %ymm15, %ymm12\nvpmullw %ymm5, %ymm9, %ymm15\nvpaddw %ymm12, %ymm15, %ymm12\nvmovdqa %ymm12, 8256(%r8)\nvpmullw %ymm4, %ymm11, %ymm13\nvpmullw %ymm5, %ymm10, %ymm15\nvpaddw %ymm13, %ymm15, %ymm13\nvmovdqa %ymm13, 8288(%r8)\nvpmullw %ymm5, %ymm11, %ymm12\nvmovdqa %ymm12, 8320(%r8)\nvmovdqa 6784(%r8), %ymm0\nvmovdqa 7488(%r8), %ymm6\nvmovdqa 6816(%r8), %ymm1\nvmovdqa 7520(%r8), %ymm7\nvmovdqa 6848(%r8), %ymm2\nvmovdqa 7552(%r8), %ymm8\nvmovdqa 6880(%r8), %ymm3\nvmovdqa 7584(%r8), %ymm9\nvmovdqa 6912(%r8), %ymm4\nvmovdqa 7616(%r8), %ymm10\nvpmullw %ymm0, %ymm6, %ymm12\nvmovdqa %ymm12, 8384(%r8)\nvpmullw %ymm0, %ymm7, %ymm13\nvpmullw %ymm1, %ymm6, %ymm15\nvpaddw %ymm13, %ymm15, %ymm13\nvmovdqa %ymm13, 8416(%r8)\nvpmullw %ymm0, %ymm8, %ymm12\nvpmullw %ymm1, %ymm7, %ymm15\nvpaddw %ymm12, %ymm15, %ymm12\nvpmullw %ymm2, %ymm6, %ymm15\nvpaddw %ymm12, %ymm15, %ymm12\nvmovdqa %ymm12, 8448(%r8)\nvpmullw %ymm0, %ymm9, %ymm13\nvpmullw %ymm1, %ymm8, %ymm15\nvpaddw %ymm13, %ymm15, %ymm13\nvpmullw %ymm2, %ymm7, %ymm15\nvpaddw %ymm13, %ymm15, %ymm13\nvpmullw %ymm3, %ymm6, %ymm15\nvpaddw %ymm13, %ymm15, %ymm13\nvmovdqa %ymm13, 8480(%r8)\nvpmullw %ymm0, %ymm10, %ymm12\nvpmullw %ymm1, %ymm9, %ymm15\nvpaddw %ymm12, %ymm15, %ymm12\nvpmullw %ymm2, %ymm8, %ymm15\nvpaddw %ymm12, %ymm15, %ymm12\nvpmullw %ymm3, %ymm7, %ymm15\nvpaddw %ymm12, %ymm15, %ymm12\nvpmullw %ymm4, %ymm6, %ymm15\nvpaddw %ymm12, %ymm15, %ymm12\nvmovdqa %ymm12, 8512(%r8)\nvpmullw %ymm1, %ymm10, %ymm13\nvpmullw %ymm2, %ymm9, %ymm15\nvpaddw %ymm13, %ymm15, %ymm13\nvpmullw %ymm3, %ymm8, %ymm15\nvpaddw %ymm13, %ymm15, %ymm13\nvpmullw %ymm4, %ymm7, %ymm15\nvpaddw %ymm13, %ymm15, %ymm13\nvmovdqa %ymm13, 8544(%r8)\nvpmullw %ymm2, %ymm10, %ymm12\nvpmullw %ymm3, %ymm9, %ymm15\nvpaddw %ymm12, %ymm15, %ymm12\nvpmullw %ymm4, %ymm8, %ymm15\nvpaddw %ymm12, %ymm15, %ymm12\nvmovdqa %ymm12, 8576(%r8)\nvpmullw %ymm3, %ymm10, %ymm13\nvpmullw %ymm4, %ymm9, %ymm15\nvpaddw %ymm13, %ymm15, %ymm13\nvmovdqa %ymm13, 8608(%r8)\nvpmullw %ymm4, %ymm10, %ymm12\nvmovdqa %ymm12, 8640(%r8)\nvpaddw 6592(%r8), %ymm0, %ymm0\nvpaddw 7296(%r8), %ymm6, %ymm6\nvpaddw 6624(%r8), %ymm1, %ymm1\nvpaddw 7328(%r8), %ymm7, %ymm7\nvpaddw 6656(%r8), %ymm2, %ymm2\nvpaddw 7360(%r8), %ymm8, %ymm8\nvpaddw 6688(%r8), %ymm3, %ymm3\nvpaddw 7392(%r8), %ymm9, %ymm9\nvpaddw 6720(%r8), %ymm4, %ymm4\nvpaddw 7424(%r8), %ymm10, %ymm10\nvpmullw %ymm0, %ymm11, %ymm12\nvpmullw %ymm1, %ymm10, %ymm15\nvpaddw %ymm15, %ymm12, %ymm12\nvpmullw %ymm2, %ymm9, %ymm15\nvpaddw %ymm15, %ymm12, %ymm12\nvpmullw %ymm3, %ymm8, %ymm15\nvpaddw %ymm15, %ymm12, %ymm12\nvpmullw %ymm4, %ymm7, %ymm15\nvpaddw %ymm15, %ymm12, %ymm12\nvpmullw %ymm5, %ymm6, %ymm15\nvpaddw %ymm15, %ymm12, %ymm12\nvpsubw 8160(%r8), %ymm12, %ymm12\nvpsubw 8544(%r8), %ymm12, %ymm12\nvmovdqa %ymm12, 8352(%r8)\nvpmullw %ymm5, %ymm7, %ymm12\nvpmullw %ymm5, %ymm8, %ymm13\nvpmullw %ymm5, %ymm9, %ymm14\nvpmullw %ymm5, %ymm10, %ymm15\nvpmullw %ymm1, %ymm11, %ymm5\nvpaddw %ymm5, %ymm12, %ymm12\nvpmullw %ymm2, %ymm10, %ymm5\nvpaddw %ymm5, %ymm12, %ymm12\nvpmullw %ymm3, %ymm9, %ymm5\nvpaddw %ymm5, %ymm12, %ymm12\nvpmullw %ymm4, %ymm8, %ymm5\nvpaddw %ymm5, %ymm12, %ymm12\nvpmullw %ymm2, %ymm11, %ymm5\nvpaddw %ymm5, %ymm13, %ymm13\nvpmullw %ymm3, %ymm10, %ymm5\nvpaddw %ymm5, %ymm13, %ymm13\nvpmullw %ymm4, %ymm9, %ymm5\nvpaddw %ymm5, %ymm13, %ymm13\nvpmullw %ymm3, %ymm11, %ymm5\nvpaddw %ymm5, %ymm14, %ymm14\nvpmullw %ymm4, %ymm10, %ymm5\nvpaddw %ymm5, %ymm14, %ymm14\nvpmullw %ymm4, %ymm11, %ymm5\nvpaddw %ymm5, %ymm15, %ymm15\nvpmullw %ymm0, %ymm10, %ymm11\nvpmullw %ymm1, %ymm9, %ymm5\nvpaddw %ymm5, %ymm11, %ymm11\nvpmullw %ymm2, %ymm8, %ymm5\nvpaddw %ymm5, %ymm11, %ymm11\nvpmullw %ymm3, %ymm7, %ymm5\nvpaddw %ymm5, %ymm11, %ymm11\nvpmullw %ymm4, %ymm6, %ymm5\nvpaddw %ymm5, %ymm11, %ymm11\nvpmullw %ymm0, %ymm9, %ymm10\nvpmullw %ymm1, %ymm8, %ymm5\nvpaddw %ymm5, %ymm10, %ymm10\nvpmullw %ymm2, %ymm7, %ymm5\nvpaddw %ymm5, %ymm10, %ymm10\nvpmullw %ymm3, %ymm6, %ymm5\nvpaddw %ymm5, %ymm10, %ymm10\nvpmullw %ymm0, %ymm8, %ymm9\nvpmullw %ymm1, %ymm7, %ymm5\nvpaddw %ymm5, %ymm9, %ymm9\nvpmullw %ymm2, %ymm6, %ymm5\nvpaddw %ymm5, %ymm9, %ymm9\nvpmullw %ymm0, %ymm7, %ymm8\nvpmullw %ymm1, %ymm6, %ymm5\nvpaddw %ymm5, %ymm8, %ymm8\nvpmullw %ymm0, %ymm6, %ymm7\nvmovdqa 8192(%r8), %ymm0\nvpsubw 8384(%r8), %ymm0, %ymm0\nvpsubw %ymm0, %ymm12, %ymm6\nvpsubw 8576(%r8), %ymm6, %ymm6\nvmovdqa %ymm6, 8384(%r8)\nvpaddw %ymm7, %ymm0, %ymm0\nvpsubw 8000(%r8), %ymm0, %ymm0\nvmovdqa %ymm0, 8192(%r8)\nvmovdqa 8224(%r8), %ymm1\nvpsubw 8416(%r8), %ymm1, %ymm1\nvpsubw %ymm1, %ymm13, %ymm7\nvpsubw 8608(%r8), %ymm7, %ymm7\nvmovdqa %ymm7, 8416(%r8)\nvpaddw %ymm8, %ymm1, %ymm1\nvpsubw 8032(%r8), %ymm1, %ymm1\nvmovdqa %ymm1, 8224(%r8)\nvmovdqa 8256(%r8), %ymm2\nvpsubw 8448(%r8), %ymm2, %ymm2\nvpsubw %ymm2, %ymm14, %ymm8\nvpsubw 8640(%r8), %ymm8, %ymm8\nvmovdqa %ymm8, 8448(%r8)\nvpaddw %ymm9, %ymm2, %ymm2\nvpsubw 8064(%r8), %ymm2, %ymm2\nvmovdqa %ymm2, 8256(%r8)\nvmovdqa 8288(%r8), %ymm3\nvpsubw 8480(%r8), %ymm3, %ymm3\nvpsubw %ymm3, %ymm15, %ymm9\nvmovdqa %ymm9, 8480(%r8)\nvpaddw %ymm10, %ymm3, %ymm3\nvpsubw 8096(%r8), %ymm3, %ymm3\nvmovdqa %ymm3, 8288(%r8)\nvmovdqa 8320(%r8), %ymm4\nvpsubw 8512(%r8), %ymm4, %ymm4\nvpaddw %ymm11, %ymm4, %ymm4\nvpsubw 8128(%r8), %ymm4, %ymm4\nvmovdqa %ymm4, 8320(%r8)\nvmovdqa 6944(%r8), %ymm0\nvmovdqa 7648(%r8), %ymm6\nvmovdqa 6976(%r8), %ymm1\nvmovdqa 7680(%r8), %ymm7\nvmovdqa 7008(%r8), %ymm2\nvmovdqa 7712(%r8), %ymm8\nvmovdqa 7040(%r8), %ymm3\nvmovdqa 7744(%r8), %ymm9\nvmovdqa 7072(%r8), %ymm4\nvmovdqa 7776(%r8), %ymm10\nvmovdqa 7104(%r8), %ymm5\nvmovdqa 7808(%r8), %ymm11\nvpmullw %ymm0, %ymm6, %ymm12\nvmovdqa %ymm12, 8704(%r8)\nvpmullw %ymm0, %ymm7, %ymm13\nvpmullw %ymm1, %ymm6, %ymm15\nvpaddw %ymm13, %ymm15, %ymm13\nvmovdqa %ymm13, 8736(%r8)\nvpmullw %ymm0, %ymm8, %ymm12\nvpmullw %ymm1, %ymm7, %ymm15\nvpaddw %ymm12, %ymm15, %ymm12\nvpmullw %ymm2, %ymm6, %ymm15\nvpaddw %ymm12, %ymm15, %ymm12\nvmovdqa %ymm12, 8768(%r8)\nvpmullw %ymm0, %ymm9, %ymm13\nvpmullw %ymm1, %ymm8, %ymm15\nvpaddw %ymm13, %ymm15, %ymm13\nvpmullw %ymm2, %ymm7, %ymm15\nvpaddw %ymm13, %ymm15, %ymm13\nvpmullw %ymm3, %ymm6, %ymm15\nvpaddw %ymm13, %ymm15, %ymm13\nvmovdqa %ymm13, 8800(%r8)\nvpmullw %ymm0, %ymm10, %ymm12\nvpmullw %ymm1, %ymm9, %ymm15\nvpaddw %ymm12, %ymm15, %ymm12\nvpmullw %ymm2, %ymm8, %ymm15\nvpaddw %ymm12, %ymm15, %ymm12\nvpmullw %ymm3, %ymm7, %ymm15\nvpaddw %ymm12, %ymm15, %ymm12\nvpmullw %ymm4, %ymm6, %ymm15\nvpaddw %ymm12, %ymm15, %ymm12\nvmovdqa %ymm12, 8832(%r8)\nvpmullw %ymm0, %ymm11, %ymm13\nvpmullw %ymm1, %ymm10, %ymm15\nvpaddw %ymm13, %ymm15, %ymm13\nvpmullw %ymm2, %ymm9, %ymm15\nvpaddw %ymm13, %ymm15, %ymm13\nvpmullw %ymm3, %ymm8, %ymm15\nvpaddw %ymm13, %ymm15, %ymm13\nvpmullw %ymm4, %ymm7, %ymm15\nvpaddw %ymm13, %ymm15, %ymm13\nvpmullw %ymm5, %ymm6, %ymm15\nvpaddw %ymm13, %ymm15, %ymm13\nvmovdqa %ymm13, 8864(%r8)\nvpmullw %ymm1, %ymm11, %ymm12\nvpmullw %ymm2, %ymm10, %ymm15\nvpaddw %ymm12, %ymm15, %ymm12\nvpmullw %ymm3, %ymm9, %ymm15\nvpaddw %ymm12, %ymm15, %ymm12\nvpmullw %ymm4, %ymm8, %ymm15\nvpaddw %ymm12, %ymm15, %ymm12\nvpmullw %ymm5, %ymm7, %ymm15\nvpaddw %ymm12, %ymm15, %ymm12\nvmovdqa %ymm12, 8896(%r8)\nvpmullw %ymm2, %ymm11, %ymm13\nvpmullw %ymm3, %ymm10, %ymm15\nvpaddw %ymm13, %ymm15, %ymm13\nvpmullw %ymm4, %ymm9, %ymm15\nvpaddw %ymm13, %ymm15, %ymm13\nvpmullw %ymm5, %ymm8, %ymm15\nvpaddw %ymm13, %ymm15, %ymm13\nvmovdqa %ymm13, 8928(%r8)\nvpmullw %ymm3, %ymm11, %ymm12\nvpmullw %ymm4, %ymm10, %ymm15\nvpaddw %ymm12, %ymm15, %ymm12\nvpmullw %ymm5, %ymm9, %ymm15\nvpaddw %ymm12, %ymm15, %ymm12\nvmovdqa %ymm12, 8960(%r8)\nvpmullw %ymm4, %ymm11, %ymm13\nvpmullw %ymm5, %ymm10, %ymm15\nvpaddw %ymm13, %ymm15, %ymm13\nvmovdqa %ymm13, 8992(%r8)\nvpmullw %ymm5, %ymm11, %ymm12\nvmovdqa %ymm12, 9024(%r8)\nvmovdqa 7136(%r8), %ymm0\nvmovdqa 7840(%r8), %ymm6\nvmovdqa 7168(%r8), %ymm1\nvmovdqa 7872(%r8), %ymm7\nvmovdqa 7200(%r8), %ymm2\nvmovdqa 7904(%r8), %ymm8\nvmovdqa 7232(%r8), %ymm3\nvmovdqa 7936(%r8), %ymm9\nvmovdqa 7264(%r8), %ymm4\nvmovdqa 7968(%r8), %ymm10\nvpmullw %ymm0, %ymm6, %ymm12\nvmovdqa %ymm12, 9088(%r8)\nvpmullw %ymm0, %ymm7, %ymm13\nvpmullw %ymm1, %ymm6, %ymm15\nvpaddw %ymm13, %ymm15, %ymm13\nvmovdqa %ymm13, 9120(%r8)\nvpmullw %ymm0, %ymm8, %ymm12\nvpmullw %ymm1, %ymm7, %ymm15\nvpaddw %ymm12, %ymm15, %ymm12\nvpmullw %ymm2, %ymm6, %ymm15\nvpaddw %ymm12, %ymm15, %ymm12\nvmovdqa %ymm12, 9152(%r8)\nvpmullw %ymm0, %ymm9, %ymm13\nvpmullw %ymm1, %ymm8, %ymm15\nvpaddw %ymm13, %ymm15, %ymm13\nvpmullw %ymm2, %ymm7, %ymm15\nvpaddw %ymm13, %ymm15, %ymm13\nvpmullw %ymm3, %ymm6, %ymm15\nvpaddw %ymm13, %ymm15, %ymm13\nvmovdqa %ymm13, 9184(%r8)\nvpmullw %ymm0, %ymm10, %ymm12\nvpmullw %ymm1, %ymm9, %ymm15\nvpaddw %ymm12, %ymm15, %ymm12\nvpmullw %ymm2, %ymm8, %ymm15\nvpaddw %ymm12, %ymm15, %ymm12\nvpmullw %ymm3, %ymm7, %ymm15\nvpaddw %ymm12, %ymm15, %ymm12\nvpmullw %ymm4, %ymm6, %ymm15\nvpaddw %ymm12, %ymm15, %ymm12\nvmovdqa %ymm12, 9216(%r8)\nvpmullw %ymm1, %ymm10, %ymm13\nvpmullw %ymm2, %ymm9, %ymm15\nvpaddw %ymm13, %ymm15, %ymm13\nvpmullw %ymm3, %ymm8, %ymm15\nvpaddw %ymm13, %ymm15, %ymm13\nvpmullw %ymm4, %ymm7, %ymm15\nvpaddw %ymm13, %ymm15, %ymm13\nvmovdqa %ymm13, 9248(%r8)\nvpmullw %ymm2, %ymm10, %ymm12\nvpmullw %ymm3, %ymm9, %ymm15\nvpaddw %ymm12, %ymm15, %ymm12\nvpmullw %ymm4, %ymm8, %ymm15\nvpaddw %ymm12, %ymm15, %ymm12\nvmovdqa %ymm12, 9280(%r8)\nvpmullw %ymm3, %ymm10, %ymm13\nvpmullw %ymm4, %ymm9, %ymm15\nvpaddw %ymm13, %ymm15, %ymm13\nvmovdqa %ymm13, 9312(%r8)\nvpmullw %ymm4, %ymm10, %ymm12\nvmovdqa %ymm12, 9344(%r8)\nvpaddw 6944(%r8), %ymm0, %ymm0\nvpaddw 7648(%r8), %ymm6, %ymm6\nvpaddw 6976(%r8), %ymm1, %ymm1\nvpaddw 7680(%r8), %ymm7, %ymm7\nvpaddw 7008(%r8), %ymm2, %ymm2\nvpaddw 7712(%r8), %ymm8, %ymm8\nvpaddw 7040(%r8), %ymm3, %ymm3\nvpaddw 7744(%r8), %ymm9, %ymm9\nvpaddw 7072(%r8), %ymm4, %ymm4\nvpaddw 7776(%r8), %ymm10, %ymm10\nvpmullw %ymm0, %ymm11, %ymm12\nvpmullw %ymm1, %ymm10, %ymm15\nvpaddw %ymm15, %ymm12, %ymm12\nvpmullw %ymm2, %ymm9, %ymm15\nvpaddw %ymm15, %ymm12, %ymm12\nvpmullw %ymm3, %ymm8, %ymm15\nvpaddw %ymm15, %ymm12, %ymm12\nvpmullw %ymm4, %ymm7, %ymm15\nvpaddw %ymm15, %ymm12, %ymm12\nvpmullw %ymm5, %ymm6, %ymm15\nvpaddw %ymm15, %ymm12, %ymm12\nvpsubw 8864(%r8), %ymm12, %ymm12\nvpsubw 9248(%r8), %ymm12, %ymm12\nvmovdqa %ymm12, 9056(%r8)\nvpmullw %ymm5, %ymm7, %ymm12\nvpmullw %ymm5, %ymm8, %ymm13\nvpmullw %ymm5, %ymm9, %ymm14\nvpmullw %ymm5, %ymm10, %ymm15\nvpmullw %ymm1, %ymm11, %ymm5\nvpaddw %ymm5, %ymm12, %ymm12\nvpmullw %ymm2, %ymm10, %ymm5\nvpaddw %ymm5, %ymm12, %ymm12\nvpmullw %ymm3, %ymm9, %ymm5\nvpaddw %ymm5, %ymm12, %ymm12\nvpmullw %ymm4, %ymm8, %ymm5\nvpaddw %ymm5, %ymm12, %ymm12\nvpmullw %ymm2, %ymm11, %ymm5\nvpaddw %ymm5, %ymm13, %ymm13\nvpmullw %ymm3, %ymm10, %ymm5\nvpaddw %ymm5, %ymm13, %ymm13\nvpmullw %ymm4, %ymm9, %ymm5\nvpaddw %ymm5, %ymm13, %ymm13\nvpmullw %ymm3, %ymm11, %ymm5\nvpaddw %ymm5, %ymm14, %ymm14\nvpmullw %ymm4, %ymm10, %ymm5\nvpaddw %ymm5, %ymm14, %ymm14\nvpmullw %ymm4, %ymm11, %ymm5\nvpaddw %ymm5, %ymm15, %ymm15\nvpmullw %ymm0, %ymm10, %ymm11\nvpmullw %ymm1, %ymm9, %ymm5\nvpaddw %ymm5, %ymm11, %ymm11\nvpmullw %ymm2, %ymm8, %ymm5\nvpaddw %ymm5, %ymm11, %ymm11\nvpmullw %ymm3, %ymm7, %ymm5\nvpaddw %ymm5, %ymm11, %ymm11\nvpmullw %ymm4, %ymm6, %ymm5\nvpaddw %ymm5, %ymm11, %ymm11\nvpmullw %ymm0, %ymm9, %ymm10\nvpmullw %ymm1, %ymm8, %ymm5\nvpaddw %ymm5, %ymm10, %ymm10\nvpmullw %ymm2, %ymm7, %ymm5\nvpaddw %ymm5, %ymm10, %ymm10\nvpmullw %ymm3, %ymm6, %ymm5\nvpaddw %ymm5, %ymm10, %ymm10\nvpmullw %ymm0, %ymm8, %ymm9\nvpmullw %ymm1, %ymm7, %ymm5\nvpaddw %ymm5, %ymm9, %ymm9\nvpmullw %ymm2, %ymm6, %ymm5\nvpaddw %ymm5, %ymm9, %ymm9\nvpmullw %ymm0, %ymm7, %ymm8\nvpmullw %ymm1, %ymm6, %ymm5\nvpaddw %ymm5, %ymm8, %ymm8\nvpmullw %ymm0, %ymm6, %ymm7\nvmovdqa 8896(%r8), %ymm0\nvpsubw 9088(%r8), %ymm0, %ymm0\nvpsubw %ymm0, %ymm12, %ymm6\nvpsubw 9280(%r8), %ymm6, %ymm6\nvmovdqa %ymm6, 9088(%r8)\nvpaddw %ymm7, %ymm0, %ymm0\nvpsubw 8704(%r8), %ymm0, %ymm0\nvmovdqa %ymm0, 8896(%r8)\nvmovdqa 8928(%r8), %ymm1\nvpsubw 9120(%r8), %ymm1, %ymm1\nvpsubw %ymm1, %ymm13, %ymm7\nvpsubw 9312(%r8), %ymm7, %ymm7\nvmovdqa %ymm7, 9120(%r8)\nvpaddw %ymm8, %ymm1, %ymm1\nvpsubw 8736(%r8), %ymm1, %ymm1\nvmovdqa %ymm1, 8928(%r8)\nvmovdqa 8960(%r8), %ymm2\nvpsubw 9152(%r8), %ymm2, %ymm2\nvpsubw %ymm2, %ymm14, %ymm8\nvpsubw 9344(%r8), %ymm8, %ymm8\nvmovdqa %ymm8, 9152(%r8)\nvpaddw %ymm9, %ymm2, %ymm2\nvpsubw 8768(%r8), %ymm2, %ymm2\nvmovdqa %ymm2, 8960(%r8)\nvmovdqa 8992(%r8), %ymm3\nvpsubw 9184(%r8), %ymm3, %ymm3\nvpsubw %ymm3, %ymm15, %ymm9\nvmovdqa %ymm9, 9184(%r8)\nvpaddw %ymm10, %ymm3, %ymm3\nvpsubw 8800(%r8), %ymm3, %ymm3\nvmovdqa %ymm3, 8992(%r8)\nvmovdqa 9024(%r8), %ymm4\nvpsubw 9216(%r8), %ymm4, %ymm4\nvpaddw %ymm11, %ymm4, %ymm4\nvpsubw 8832(%r8), %ymm4, %ymm4\nvmovdqa %ymm4, 9024(%r8)\nvmovdqa 6592(%r8), %ymm0\nvmovdqa 7296(%r8), %ymm6\nvpaddw 6944(%r8), %ymm0, %ymm0\nvpaddw 7648(%r8), %ymm6, %ymm6\nvmovdqa 6624(%r8), %ymm1\nvmovdqa 7328(%r8), %ymm7\nvpaddw 6976(%r8), %ymm1, %ymm1\nvpaddw 7680(%r8), %ymm7, %ymm7\nvmovdqa 6656(%r8), %ymm2\nvmovdqa 7360(%r8), %ymm8\nvpaddw 7008(%r8), %ymm2, %ymm2\nvpaddw 7712(%r8), %ymm8, %ymm8\nvmovdqa 6688(%r8), %ymm3\nvmovdqa 7392(%r8), %ymm9\nvpaddw 7040(%r8), %ymm3, %ymm3\nvpaddw 7744(%r8), %ymm9, %ymm9\nvmovdqa 6720(%r8), %ymm4\nvmovdqa 7424(%r8), %ymm10\nvpaddw 7072(%r8), %ymm4, %ymm4\nvpaddw 7776(%r8), %ymm10, %ymm10\nvmovdqa 6752(%r8), %ymm5\nvmovdqa 7456(%r8), %ymm11\nvpaddw 7104(%r8), %ymm5, %ymm5\nvpaddw 7808(%r8), %ymm11, %ymm11\nvpmullw %ymm0, %ymm6, %ymm12\nvmovdqa %ymm12, 5888(%r8)\nvpmullw %ymm0, %ymm7, %ymm13\nvpmullw %ymm1, %ymm6, %ymm15\nvpaddw %ymm13, %ymm15, %ymm13\nvmovdqa %ymm13, 5920(%r8)\nvpmullw %ymm0, %ymm8, %ymm12\nvpmullw %ymm1, %ymm7, %ymm15\nvpaddw %ymm12, %ymm15, %ymm12\nvpmullw %ymm2, %ymm6, %ymm15\nvpaddw %ymm12, %ymm15, %ymm12\nvmovdqa %ymm12, 5952(%r8)\nvpmullw %ymm0, %ymm9, %ymm13\nvpmullw %ymm1, %ymm8, %ymm15\nvpaddw %ymm13, %ymm15, %ymm13\nvpmullw %ymm2, %ymm7, %ymm15\nvpaddw %ymm13, %ymm15, %ymm13\nvpmullw %ymm3, %ymm6, %ymm15\nvpaddw %ymm13, %ymm15, %ymm13\nvmovdqa %ymm13, 5984(%r8)\nvpmullw %ymm0, %ymm10, %ymm12\nvpmullw %ymm1, %ymm9, %ymm15\nvpaddw %ymm12, %ymm15, %ymm12\nvpmullw %ymm2, %ymm8, %ymm15\nvpaddw %ymm12, %ymm15, %ymm12\nvpmullw %ymm3, %ymm7, %ymm15\nvpaddw %ymm12, %ymm15, %ymm12\nvpmullw %ymm4, %ymm6, %ymm15\nvpaddw %ymm12, %ymm15, %ymm12\nvmovdqa %ymm12, 6016(%r8)\nvpmullw %ymm0, %ymm11, %ymm13\nvpmullw %ymm1, %ymm10, %ymm15\nvpaddw %ymm13, %ymm15, %ymm13\nvpmullw %ymm2, %ymm9, %ymm15\nvpaddw %ymm13, %ymm15, %ymm13\nvpmullw %ymm3, %ymm8, %ymm15\nvpaddw %ymm13, %ymm15, %ymm13\nvpmullw %ymm4, %ymm7, %ymm15\nvpaddw %ymm13, %ymm15, %ymm13\nvpmullw %ymm5, %ymm6, %ymm15\nvpaddw %ymm13, %ymm15, %ymm13\nvmovdqa %ymm13, 6048(%r8)\nvpmullw %ymm1, %ymm11, %ymm12\nvpmullw %ymm2, %ymm10, %ymm15\nvpaddw %ymm12, %ymm15, %ymm12\nvpmullw %ymm3, %ymm9, %ymm15\nvpaddw %ymm12, %ymm15, %ymm12\nvpmullw %ymm4, %ymm8, %ymm15\nvpaddw %ymm12, %ymm15, %ymm12\nvpmullw %ymm5, %ymm7, %ymm15\nvpaddw %ymm12, %ymm15, %ymm12\nvmovdqa %ymm12, 6080(%r8)\nvpmullw %ymm2, %ymm11, %ymm13\nvpmullw %ymm3, %ymm10, %ymm15\nvpaddw %ymm13, %ymm15, %ymm13\nvpmullw %ymm4, %ymm9, %ymm15\nvpaddw %ymm13, %ymm15, %ymm13\nvpmullw %ymm5, %ymm8, %ymm15\nvpaddw %ymm13, %ymm15, %ymm13\nvmovdqa %ymm13, 6112(%r8)\nvpmullw %ymm3, %ymm11, %ymm12\nvpmullw %ymm4, %ymm10, %ymm15\nvpaddw %ymm12, %ymm15, %ymm12\nvpmullw %ymm5, %ymm9, %ymm15\nvpaddw %ymm12, %ymm15, %ymm12\nvmovdqa %ymm12, 6144(%r8)\nvpmullw %ymm4, %ymm11, %ymm13\nvpmullw %ymm5, %ymm10, %ymm15\nvpaddw %ymm13, %ymm15, %ymm13\nvmovdqa %ymm13, 6176(%r8)\nvpmullw %ymm5, %ymm11, %ymm12\nvmovdqa %ymm12, 6208(%r8)\nvmovdqa 6784(%r8), %ymm0\nvmovdqa 7488(%r8), %ymm6\nvpaddw 7136(%r8), %ymm0, %ymm0\nvpaddw 7840(%r8), %ymm6, %ymm6\nvmovdqa 6816(%r8), %ymm1\nvmovdqa 7520(%r8), %ymm7\nvpaddw 7168(%r8), %ymm1, %ymm1\nvpaddw 7872(%r8), %ymm7, %ymm7\nvmovdqa 6848(%r8), %ymm2\nvmovdqa 7552(%r8), %ymm8\nvpaddw 7200(%r8), %ymm2, %ymm2\nvpaddw 7904(%r8), %ymm8, %ymm8\nvmovdqa 6880(%r8), %ymm3\nvmovdqa 7584(%r8), %ymm9\nvpaddw 7232(%r8), %ymm3, %ymm3\nvpaddw 7936(%r8), %ymm9, %ymm9\nvmovdqa 6912(%r8), %ymm4\nvmovdqa 7616(%r8), %ymm10\nvpaddw 7264(%r8), %ymm4, %ymm4\nvpaddw 7968(%r8), %ymm10, %ymm10\nvpmullw %ymm0, %ymm6, %ymm12\nvmovdqa %ymm12, 6272(%r8)\nvpmullw %ymm0, %ymm7, %ymm13\nvpmullw %ymm1, %ymm6, %ymm15\nvpaddw %ymm13, %ymm15, %ymm13\nvmovdqa %ymm13, 6304(%r8)\nvpmullw %ymm0, %ymm8, %ymm12\nvpmullw %ymm1, %ymm7, %ymm15\nvpaddw %ymm12, %ymm15, %ymm12\nvpmullw %ymm2, %ymm6, %ymm15\nvpaddw %ymm12, %ymm15, %ymm12\nvmovdqa %ymm12, 6336(%r8)\nvpmullw %ymm0, %ymm9, %ymm13\nvpmullw %ymm1, %ymm8, %ymm15\nvpaddw %ymm13, %ymm15, %ymm13\nvpmullw %ymm2, %ymm7, %ymm15\nvpaddw %ymm13, %ymm15, %ymm13\nvpmullw %ymm3, %ymm6, %ymm15\nvpaddw %ymm13, %ymm15, %ymm13\nvmovdqa %ymm13, 6368(%r8)\nvpmullw %ymm0, %ymm10, %ymm12\nvpmullw %ymm1, %ymm9, %ymm15\nvpaddw %ymm12, %ymm15, %ymm12\nvpmullw %ymm2, %ymm8, %ymm15\nvpaddw %ymm12, %ymm15, %ymm12\nvpmullw %ymm3, %ymm7, %ymm15\nvpaddw %ymm12, %ymm15, %ymm12\nvpmullw %ymm4, %ymm6, %ymm15\nvpaddw %ymm12, %ymm15, %ymm12\nvmovdqa %ymm12, 6400(%r8)\nvpmullw %ymm1, %ymm10, %ymm13\nvpmullw %ymm2, %ymm9, %ymm15\nvpaddw %ymm13, %ymm15, %ymm13\nvpmullw %ymm3, %ymm8, %ymm15\nvpaddw %ymm13, %ymm15, %ymm13\nvpmullw %ymm4, %ymm7, %ymm15\nvpaddw %ymm13, %ymm15, %ymm13\nvmovdqa %ymm13, 6432(%r8)\nvpmullw %ymm2, %ymm10, %ymm12\nvpmullw %ymm3, %ymm9, %ymm15\nvpaddw %ymm12, %ymm15, %ymm12\nvpmullw %ymm4, %ymm8, %ymm15\nvpaddw %ymm12, %ymm15, %ymm12\nvmovdqa %ymm12, 6464(%r8)\nvpmullw %ymm3, %ymm10, %ymm13\nvpmullw %ymm4, %ymm9, %ymm15\nvpaddw %ymm13, %ymm15, %ymm13\nvmovdqa %ymm13, 6496(%r8)\nvpmullw %ymm4, %ymm10, %ymm12\nvmovdqa %ymm12, 6528(%r8)\nvpaddw 6592(%r8), %ymm0, %ymm0\nvpaddw 7296(%r8), %ymm6, %ymm6\nvpaddw 6944(%r8), %ymm0, %ymm0\nvpaddw 7648(%r8), %ymm6, %ymm6\nvpaddw 6624(%r8), %ymm1, %ymm1\nvpaddw 7328(%r8), %ymm7, %ymm7\nvpaddw 6976(%r8), %ymm1, %ymm1\nvpaddw 7680(%r8), %ymm7, %ymm7\nvpaddw 6656(%r8), %ymm2, %ymm2\nvpaddw 7360(%r8), %ymm8, %ymm8\nvpaddw 7008(%r8), %ymm2, %ymm2\nvpaddw 7712(%r8), %ymm8, %ymm8\nvpaddw 6688(%r8), %ymm3, %ymm3\nvpaddw 7392(%r8), %ymm9, %ymm9\nvpaddw 7040(%r8), %ymm3, %ymm3\nvpaddw 7744(%r8), %ymm9, %ymm9\nvpaddw 6720(%r8), %ymm4, %ymm4\nvpaddw 7424(%r8), %ymm10, %ymm10\nvpaddw 7072(%r8), %ymm4, %ymm4\nvpaddw 7776(%r8), %ymm10, %ymm10\nvpmullw %ymm0, %ymm11, %ymm12\nvpmullw %ymm1, %ymm10, %ymm15\nvpaddw %ymm15, %ymm12, %ymm12\nvpmullw %ymm2, %ymm9, %ymm15\nvpaddw %ymm15, %ymm12, %ymm12\nvpmullw %ymm3, %ymm8, %ymm15\nvpaddw %ymm15, %ymm12, %ymm12\nvpmullw %ymm4, %ymm7, %ymm15\nvpaddw %ymm15, %ymm12, %ymm12\nvpmullw %ymm5, %ymm6, %ymm15\nvpaddw %ymm15, %ymm12, %ymm12\nvpsubw 6048(%r8), %ymm12, %ymm12\nvpsubw 6432(%r8), %ymm12, %ymm12\nvmovdqa %ymm12, 6240(%r8)\nvpmullw %ymm5, %ymm7, %ymm12\nvpmullw %ymm5, %ymm8, %ymm13\nvpmullw %ymm5, %ymm9, %ymm14\nvpmullw %ymm5, %ymm10, %ymm15\nvpmullw %ymm1, %ymm11, %ymm5\nvpaddw %ymm5, %ymm12, %ymm12\nvpmullw %ymm2, %ymm10, %ymm5\nvpaddw %ymm5, %ymm12, %ymm12\nvpmullw %ymm3, %ymm9, %ymm5\nvpaddw %ymm5, %ymm12, %ymm12\nvpmullw %ymm4, %ymm8, %ymm5\nvpaddw %ymm5, %ymm12, %ymm12\nvpmullw %ymm2, %ymm11, %ymm5\nvpaddw %ymm5, %ymm13, %ymm13\nvpmullw %ymm3, %ymm10, %ymm5\nvpaddw %ymm5, %ymm13, %ymm13\nvpmullw %ymm4, %ymm9, %ymm5\nvpaddw %ymm5, %ymm13, %ymm13\nvpmullw %ymm3, %ymm11, %ymm5\nvpaddw %ymm5, %ymm14, %ymm14\nvpmullw %ymm4, %ymm10, %ymm5\nvpaddw %ymm5, %ymm14, %ymm14\nvpmullw %ymm4, %ymm11, %ymm5\nvpaddw %ymm5, %ymm15, %ymm15\nvpmullw %ymm0, %ymm10, %ymm11\nvpmullw %ymm1, %ymm9, %ymm5\nvpaddw %ymm5, %ymm11, %ymm11\nvpmullw %ymm2, %ymm8, %ymm5\nvpaddw %ymm5, %ymm11, %ymm11\nvpmullw %ymm3, %ymm7, %ymm5\nvpaddw %ymm5, %ymm11, %ymm11\nvpmullw %ymm4, %ymm6, %ymm5\nvpaddw %ymm5, %ymm11, %ymm11\nvpmullw %ymm0, %ymm9, %ymm10\nvpmullw %ymm1, %ymm8, %ymm5\nvpaddw %ymm5, %ymm10, %ymm10\nvpmullw %ymm2, %ymm7, %ymm5\nvpaddw %ymm5, %ymm10, %ymm10\nvpmullw %ymm3, %ymm6, %ymm5\nvpaddw %ymm5, %ymm10, %ymm10\nvpmullw %ymm0, %ymm8, %ymm9\nvpmullw %ymm1, %ymm7, %ymm5\nvpaddw %ymm5, %ymm9, %ymm9\nvpmullw %ymm2, %ymm6, %ymm5\nvpaddw %ymm5, %ymm9, %ymm9\nvpmullw %ymm0, %ymm7, %ymm8\nvpmullw %ymm1, %ymm6, %ymm5\nvpaddw %ymm5, %ymm8, %ymm8\nvpmullw %ymm0, %ymm6, %ymm7\nvmovdqa 6080(%r8), %ymm0\nvpsubw 6272(%r8), %ymm0, %ymm0\nvpsubw %ymm0, %ymm12, %ymm6\nvpsubw 6464(%r8), %ymm6, %ymm6\nvmovdqa %ymm6, 6272(%r8)\nvpaddw %ymm7, %ymm0, %ymm0\nvpsubw 5888(%r8), %ymm0, %ymm0\nvmovdqa %ymm0, 6080(%r8)\nvmovdqa 6112(%r8), %ymm1\nvpsubw 6304(%r8), %ymm1, %ymm1\nvpsubw %ymm1, %ymm13, %ymm7\nvpsubw 6496(%r8), %ymm7, %ymm7\nvmovdqa %ymm7, 6304(%r8)\nvpaddw %ymm8, %ymm1, %ymm1\nvpsubw 5920(%r8), %ymm1, %ymm1\nvmovdqa %ymm1, 6112(%r8)\nvmovdqa 6144(%r8), %ymm2\nvpsubw 6336(%r8), %ymm2, %ymm2\nvpsubw %ymm2, %ymm14, %ymm8\nvpsubw 6528(%r8), %ymm8, %ymm8\nvmovdqa %ymm8, 6336(%r8)\nvpaddw %ymm9, %ymm2, %ymm2\nvpsubw 5952(%r8), %ymm2, %ymm2\nvmovdqa %ymm2, 6144(%r8)\nvmovdqa 6176(%r8), %ymm3\nvpsubw 6368(%r8), %ymm3, %ymm3\nvpsubw %ymm3, %ymm15, %ymm9\nvmovdqa %ymm9, 6368(%r8)\nvpaddw %ymm10, %ymm3, %ymm3\nvpsubw 5984(%r8), %ymm3, %ymm3\nvmovdqa %ymm3, 6176(%r8)\nvmovdqa 6208(%r8), %ymm4\nvpsubw 6400(%r8), %ymm4, %ymm4\nvpaddw %ymm11, %ymm4, %ymm4\nvpsubw 6016(%r8), %ymm4, %ymm4\nvmovdqa %ymm4, 6208(%r8)\nvmovdqa 8352(%r8), %ymm0\nvpsubw 8704(%r8), %ymm0, %ymm0\nvmovdqa 6240(%r8), %ymm1\nvpsubw %ymm0, %ymm1, %ymm1\nvpsubw 9056(%r8), %ymm1, %ymm6\nvpsubw 8000(%r8), %ymm0, %ymm0\nvpaddw 5888(%r8), %ymm0, %ymm0\nvmovdqa %ymm0, 8352(%r8)\nvmovdqa 8384(%r8), %ymm0\nvpsubw 8736(%r8), %ymm0, %ymm0\nvmovdqa 6272(%r8), %ymm1\nvpsubw %ymm0, %ymm1, %ymm1\nvpsubw 9088(%r8), %ymm1, %ymm7\nvpsubw 8032(%r8), %ymm0, %ymm0\nvpaddw 5920(%r8), %ymm0, %ymm0\nvmovdqa %ymm0, 8384(%r8)\nvmovdqa 8416(%r8), %ymm0\nvpsubw 8768(%r8), %ymm0, %ymm0\nvmovdqa 6304(%r8), %ymm1\nvpsubw %ymm0, %ymm1, %ymm1\nvpsubw 9120(%r8), %ymm1, %ymm8\nvpsubw 8064(%r8), %ymm0, %ymm0\nvpaddw 5952(%r8), %ymm0, %ymm0\nvmovdqa %ymm0, 8416(%r8)\nvmovdqa 8448(%r8), %ymm0\nvpsubw 8800(%r8), %ymm0, %ymm0\nvmovdqa 6336(%r8), %ymm1\nvpsubw %ymm0, %ymm1, %ymm1\nvpsubw 9152(%r8), %ymm1, %ymm9\nvpsubw 8096(%r8), %ymm0, %ymm0\nvpaddw 5984(%r8), %ymm0, %ymm0\nvmovdqa %ymm0, 8448(%r8)\nvmovdqa 8480(%r8), %ymm0\nvpsubw 8832(%r8), %ymm0, %ymm0\nvmovdqa 6368(%r8), %ymm1\nvpsubw %ymm0, %ymm1, %ymm1\nvpsubw 9184(%r8), %ymm1, %ymm10\nvpsubw 8128(%r8), %ymm0, %ymm0\nvpaddw 6016(%r8), %ymm0, %ymm0\nvmovdqa %ymm0, 8480(%r8)\nvmovdqa 8512(%r8), %ymm0\nvpsubw 8864(%r8), %ymm0, %ymm0\nvmovdqa 6400(%r8), %ymm1\nvpsubw %ymm0, %ymm1, %ymm1\nvpsubw 9216(%r8), %ymm1, %ymm11\nvpsubw 8160(%r8), %ymm0, %ymm0\nvpaddw 6048(%r8), %ymm0, %ymm0\nvmovdqa %ymm0, 8512(%r8)\nvmovdqa 8544(%r8), %ymm0\nvpsubw 8896(%r8), %ymm0, %ymm0\nvmovdqa 6432(%r8), %ymm1\nvpsubw %ymm0, %ymm1, %ymm1\nvpsubw 9248(%r8), %ymm1, %ymm12\nvpsubw 8192(%r8), %ymm0, %ymm0\nvpaddw 6080(%r8), %ymm0, %ymm0\nvmovdqa %ymm0, 8544(%r8)\nvmovdqa 8576(%r8), %ymm0\nvpsubw 8928(%r8), %ymm0, %ymm0\nvmovdqa 6464(%r8), %ymm1\nvpsubw %ymm0, %ymm1, %ymm1\nvpsubw 9280(%r8), %ymm1, %ymm13\nvpsubw 8224(%r8), %ymm0, %ymm0\nvpaddw 6112(%r8), %ymm0, %ymm0\nvmovdqa %ymm0, 8576(%r8)\nvmovdqa 8608(%r8), %ymm0\nvpsubw 8960(%r8), %ymm0, %ymm0\nvmovdqa 6496(%r8), %ymm1\nvpsubw %ymm0, %ymm1, %ymm1\nvpsubw 9312(%r8), %ymm1, %ymm14\nvpsubw 8256(%r8), %ymm0, %ymm0\nvpaddw 6144(%r8), %ymm0, %ymm0\nvmovdqa %ymm0, 8608(%r8)\nvmovdqa 8640(%r8), %ymm0\nvpsubw 8992(%r8), %ymm0, %ymm0\nvmovdqa 6528(%r8), %ymm1\nvpsubw %ymm0, %ymm1, %ymm1\nvpsubw 9344(%r8), %ymm1, %ymm15\nvpsubw 8288(%r8), %ymm0, %ymm0\nvpaddw 6176(%r8), %ymm0, %ymm0\nvmovdqa %ymm0, 8640(%r8)\nvmovdqa 6208(%r8), %ymm0\nvpsubw 8320(%r8), %ymm0, %ymm0\nvpsubw 9024(%r8), %ymm0, %ymm0\nvpsubw 3488(%r10), %ymm0, %ymm0\nvpsubw 4896(%r10), %ymm0, %ymm0\nvmovdqa %ymm0, 4192(%r10)\nvmovdqa 3520(%r10), %ymm0\nvpsubw 4224(%r10), %ymm0, %ymm0\nvpsubw %ymm0, %ymm6, %ymm6\nvpsubw 4928(%r10), %ymm6, %ymm6\nvpsubw 2816(%r10), %ymm0, %ymm0\nvpaddw 8000(%r8), %ymm0, %ymm0\nvmovdqa %ymm0, 3520(%r10)\nvmovdqa %ymm6, 4224(%r10)\nvmovdqa 3552(%r10), %ymm0\nvpsubw 4256(%r10), %ymm0, %ymm0\nvpsubw %ymm0, %ymm7, %ymm7\nvpsubw 4960(%r10), %ymm7, %ymm7\nvpsubw 2848(%r10), %ymm0, %ymm0\nvpaddw 8032(%r8), %ymm0, %ymm0\nvmovdqa %ymm0, 3552(%r10)\nvmovdqa %ymm7, 4256(%r10)\nvmovdqa 3584(%r10), %ymm0\nvpsubw 4288(%r10), %ymm0, %ymm0\nvpsubw %ymm0, %ymm8, %ymm8\nvpsubw 4992(%r10), %ymm8, %ymm8\nvpsubw 2880(%r10), %ymm0, %ymm0\nvpaddw 8064(%r8), %ymm0, %ymm0\nvmovdqa %ymm0, 3584(%r10)\nvmovdqa %ymm8, 4288(%r10)\nvmovdqa 3616(%r10), %ymm0\nvpsubw 4320(%r10), %ymm0, %ymm0\nvpsubw %ymm0, %ymm9, %ymm9\nvpsubw 5024(%r10), %ymm9, %ymm9\nvpsubw 2912(%r10), %ymm0, %ymm0\nvpaddw 8096(%r8), %ymm0, %ymm0\nvmovdqa %ymm0, 3616(%r10)\nvmovdqa %ymm9, 4320(%r10)\nvmovdqa 3648(%r10), %ymm0\nvpsubw 4352(%r10), %ymm0, %ymm0\nvpsubw %ymm0, %ymm10, %ymm10\nvpsubw 5056(%r10), %ymm10, %ymm10\nvpsubw 2944(%r10), %ymm0, %ymm0\nvpaddw 8128(%r8), %ymm0, %ymm0\nvmovdqa %ymm0, 3648(%r10)\nvmovdqa %ymm10, 4352(%r10)\nvmovdqa 3680(%r10), %ymm0\nvpsubw 4384(%r10), %ymm0, %ymm0\nvpsubw %ymm0, %ymm11, %ymm11\nvpsubw 5088(%r10), %ymm11, %ymm11\nvpsubw 2976(%r10), %ymm0, %ymm0\nvpaddw 8160(%r8), %ymm0, %ymm0\nvmovdqa %ymm0, 3680(%r10)\nvmovdqa %ymm11, 4384(%r10)\nvmovdqa 3712(%r10), %ymm0\nvpsubw 4416(%r10), %ymm0, %ymm0\nvpsubw %ymm0, %ymm12, %ymm12\nvpsubw 5120(%r10), %ymm12, %ymm12\nvpsubw 3008(%r10), %ymm0, %ymm0\nvpaddw 8192(%r8), %ymm0, %ymm0\nvmovdqa %ymm0, 3712(%r10)\nvmovdqa %ymm12, 4416(%r10)\nvmovdqa 3744(%r10), %ymm0\nvpsubw 4448(%r10), %ymm0, %ymm0\nvpsubw %ymm0, %ymm13, %ymm13\nvpsubw 5152(%r10), %ymm13, %ymm13\nvpsubw 3040(%r10), %ymm0, %ymm0\nvpaddw 8224(%r8), %ymm0, %ymm0\nvmovdqa %ymm0, 3744(%r10)\nvmovdqa %ymm13, 4448(%r10)\nvmovdqa 3776(%r10), %ymm0\nvpsubw 4480(%r10), %ymm0, %ymm0\nvpsubw %ymm0, %ymm14, %ymm14\nvpsubw 5184(%r10), %ymm14, %ymm14\nvpsubw 3072(%r10), %ymm0, %ymm0\nvpaddw 8256(%r8), %ymm0, %ymm0\nvmovdqa %ymm0, 3776(%r10)\nvmovdqa %ymm14, 4480(%r10)\nvmovdqa 3808(%r10), %ymm0\nvpsubw 4512(%r10), %ymm0, %ymm0\nvpsubw %ymm0, %ymm15, %ymm15\nvpsubw 5216(%r10), %ymm15, %ymm15\nvpsubw 3104(%r10), %ymm0, %ymm0\nvpaddw 8288(%r8), %ymm0, %ymm0\nvmovdqa %ymm0, 3808(%r10)\nvmovdqa %ymm15, 4512(%r10)\nvmovdqa 3840(%r10), %ymm0\nvpsubw 4544(%r10), %ymm0, %ymm0\nvmovdqa 9024(%r8), %ymm1\nvpsubw %ymm0, %ymm1, %ymm1\nvpsubw 5248(%r10), %ymm1, %ymm1\nvpsubw 3136(%r10), %ymm0, %ymm0\nvpaddw 8320(%r8), %ymm0, %ymm0\nvmovdqa %ymm0, 3840(%r10)\nvmovdqa %ymm1, 4544(%r10)\nvmovdqa 3872(%r10), %ymm0\nvpsubw 4576(%r10), %ymm0, %ymm0\nvmovdqa 9056(%r8), %ymm1\nvpsubw %ymm0, %ymm1, %ymm1\nvpsubw 5280(%r10), %ymm1, %ymm1\nvpsubw 3168(%r10), %ymm0, %ymm0\nvpaddw 8352(%r8), %ymm0, %ymm0\nvmovdqa %ymm0, 3872(%r10)\nvmovdqa %ymm1, 4576(%r10)\nvmovdqa 3904(%r10), %ymm0\nvpsubw 4608(%r10), %ymm0, %ymm0\nvmovdqa 9088(%r8), %ymm1\nvpsubw %ymm0, %ymm1, %ymm1\nvpsubw 5312(%r10), %ymm1, %ymm1\nvpsubw 3200(%r10), %ymm0, %ymm0\nvpaddw 8384(%r8), %ymm0, %ymm0\nvmovdqa %ymm0, 3904(%r10)\nvmovdqa %ymm1, 4608(%r10)\nvmovdqa 3936(%r10), %ymm0\nvpsubw 4640(%r10), %ymm0, %ymm0\nvmovdqa 9120(%r8), %ymm1\nvpsubw %ymm0, %ymm1, %ymm1\nvpsubw 5344(%r10), %ymm1, %ymm1\nvpsubw 3232(%r10), %ymm0, %ymm0\nvpaddw 8416(%r8), %ymm0, %ymm0\nvmovdqa %ymm0, 3936(%r10)\nvmovdqa %ymm1, 4640(%r10)\nvmovdqa 3968(%r10), %ymm0\nvpsubw 4672(%r10), %ymm0, %ymm0\nvmovdqa 9152(%r8), %ymm1\nvpsubw %ymm0, %ymm1, %ymm1\nvpsubw 5376(%r10), %ymm1, %ymm1\nvpsubw 3264(%r10), %ymm0, %ymm0\nvpaddw 8448(%r8), %ymm0, %ymm0\nvmovdqa %ymm0, 3968(%r10)\nvmovdqa %ymm1, 4672(%r10)\nvmovdqa 4000(%r10), %ymm0\nvpsubw 4704(%r10), %ymm0, %ymm0\nvmovdqa 9184(%r8), %ymm1\nvpsubw %ymm0, %ymm1, %ymm1\nvpsubw 5408(%r10), %ymm1, %ymm1\nvpsubw 3296(%r10), %ymm0, %ymm0\nvpaddw 8480(%r8), %ymm0, %ymm0\nvmovdqa %ymm0, 4000(%r10)\nvmovdqa %ymm1, 4704(%r10)\nvmovdqa 4032(%r10), %ymm0\nvpsubw 4736(%r10), %ymm0, %ymm0\nvmovdqa 9216(%r8), %ymm1\nvpsubw %ymm0, %ymm1, %ymm1\nvpsubw 5440(%r10), %ymm1, %ymm1\nvpsubw 3328(%r10), %ymm0, %ymm0\nvpaddw 8512(%r8), %ymm0, %ymm0\nvmovdqa %ymm0, 4032(%r10)\nvmovdqa %ymm1, 4736(%r10)\nvmovdqa 4064(%r10), %ymm0\nvpsubw 4768(%r10), %ymm0, %ymm0\nvmovdqa 9248(%r8), %ymm1\nvpsubw %ymm0, %ymm1, %ymm1\nvpsubw 5472(%r10), %ymm1, %ymm1\nvpsubw 3360(%r10), %ymm0, %ymm0\nvpaddw 8544(%r8), %ymm0, %ymm0\nvmovdqa %ymm0, 4064(%r10)\nvmovdqa %ymm1, 4768(%r10)\nvmovdqa 4096(%r10), %ymm0\nvpsubw 4800(%r10), %ymm0, %ymm0\nvmovdqa 9280(%r8), %ymm1\nvpsubw %ymm0, %ymm1, %ymm1\nvpsubw 5504(%r10), %ymm1, %ymm1\nvpsubw 3392(%r10), %ymm0, %ymm0\nvpaddw 8576(%r8), %ymm0, %ymm0\nvmovdqa %ymm0, 4096(%r10)\nvmovdqa %ymm1, 4800(%r10)\nvmovdqa 4128(%r10), %ymm0\nvpsubw 4832(%r10), %ymm0, %ymm0\nvmovdqa 9312(%r8), %ymm1\nvpsubw %ymm0, %ymm1, %ymm1\nvpsubw 5536(%r10), %ymm1, %ymm1\nvpsubw 3424(%r10), %ymm0, %ymm0\nvpaddw 8608(%r8), %ymm0, %ymm0\nvmovdqa %ymm0, 4128(%r10)\nvmovdqa %ymm1, 4832(%r10)\nvmovdqa 4160(%r10), %ymm0\nvpsubw 4864(%r10), %ymm0, %ymm0\nvmovdqa 9344(%r8), %ymm1\nvpsubw %ymm0, %ymm1, %ymm1\nvpsubw 5568(%r10), %ymm1, %ymm1\nvpsubw 3456(%r10), %ymm0, %ymm0\nvpaddw 8640(%r8), %ymm0, %ymm0\nvmovdqa %ymm0, 4160(%r10)\nvmovdqa %ymm1, 4864(%r10)\nvpxor %ymm1, %ymm1, %ymm1\nvmovdqa %ymm1, 5600(%r10)\nsubq $32, %r8\nvmovdqa 2816(%r10), %ymm0\nvmovdqa 2880(%r10), %ymm1\nvmovdqa 2944(%r10), %ymm2\nvmovdqa 3008(%r10), %ymm3\nvpunpcklwd 2848(%r10), %ymm0, %ymm4\nvpunpckhwd 2848(%r10), %ymm0, %ymm5\nvpunpcklwd 2912(%r10), %ymm1, %ymm6\nvpunpckhwd 2912(%r10), %ymm1, %ymm7\nvpunpcklwd 2976(%r10), %ymm2, %ymm8\nvpunpckhwd 2976(%r10), %ymm2, %ymm9\nvpunpcklwd 3040(%r10), %ymm3, %ymm10\nvpunpckhwd 3040(%r10), %ymm3, %ymm11\nvpunpckldq %ymm6, %ymm4, %ymm0\nvpunpckhdq %ymm6, %ymm4, %ymm1\nvpunpckldq %ymm7, %ymm5, %ymm2\nvpunpckhdq %ymm7, %ymm5, %ymm3\nvpunpckldq %ymm10, %ymm8, %ymm12\nvpunpckhdq %ymm10, %ymm8, %ymm13\nvpunpckldq %ymm11, %ymm9, %ymm14\nvpunpckhdq %ymm11, %ymm9, %ymm15\nvpunpcklqdq %ymm12, %ymm0, %ymm4\nvpunpckhqdq %ymm12, %ymm0, %ymm5\nvpunpcklqdq %ymm13, %ymm1, %ymm6\nvpunpckhqdq %ymm13, %ymm1, %ymm7\nvpunpcklqdq %ymm14, %ymm2, %ymm8\nvpunpckhqdq %ymm14, %ymm2, %ymm9\nvpunpcklqdq %ymm15, %ymm3, %ymm10\nvpunpckhqdq %ymm15, %ymm3, %ymm11\nvmovdqa 3072(%r10), %ymm0\nvmovdqa 3136(%r10), %ymm1\nvmovdqa 3200(%r10), %ymm2\nvmovdqa 3264(%r10), %ymm3\nvpunpcklwd 3104(%r10), %ymm0, %ymm12\nvpunpckhwd 3104(%r10), %ymm0, %ymm13\nvpunpcklwd 3168(%r10), %ymm1, %ymm14\nvpunpckhwd 3168(%r10), %ymm1, %ymm15\nvpunpcklwd 3232(%r10), %ymm2, %ymm0\nvpunpckhwd 3232(%r10), %ymm2, %ymm1\nvpunpcklwd 3296(%r10), %ymm3, %ymm2\nvpunpckhwd 3296(%r10), %ymm3, %ymm3\nvmovdqa %ymm11, 0(%r8)\nvpunpckldq %ymm14, %ymm12, %ymm11\nvpunpckhdq %ymm14, %ymm12, %ymm12\nvpunpckldq %ymm15, %ymm13, %ymm14\nvpunpckhdq %ymm15, %ymm13, %ymm15\nvpunpckldq %ymm2, %ymm0, %ymm13\nvpunpckhdq %ymm2, %ymm0, %ymm0\nvpunpckldq %ymm3, %ymm1, %ymm2\nvpunpckhdq %ymm3, %ymm1, %ymm1\nvpunpcklqdq %ymm13, %ymm11, %ymm3\nvpunpckhqdq %ymm13, %ymm11, %ymm13\nvpunpcklqdq %ymm0, %ymm12, %ymm11\nvpunpckhqdq %ymm0, %ymm12, %ymm0\nvpunpcklqdq %ymm2, %ymm14, %ymm12\nvpunpckhqdq %ymm2, %ymm14, %ymm2\nvpunpcklqdq %ymm1, %ymm15, %ymm14\nvpunpckhqdq %ymm1, %ymm15, %ymm1\nvinserti128 $1, %xmm3, %ymm4, %ymm15\nvmovdqa %ymm15, 0(%r12)\nvinserti128 $1, %xmm13, %ymm5, %ymm15\nvmovdqa %ymm15, 192(%r12)\nvinserti128 $1, %xmm11, %ymm6, %ymm15\nvmovdqa %ymm15, 384(%r12)\nvinserti128 $1, %xmm0, %ymm7, %ymm15\nvmovdqa %ymm15, 576(%r12)\nvinserti128 $1, %xmm12, %ymm8, %ymm15\nvmovdqa %ymm15, 768(%r12)\nvinserti128 $1, %xmm2, %ymm9, %ymm15\nvmovdqa %ymm15, 960(%r12)\nvinserti128 $1, %xmm14, %ymm10, %ymm15\nvmovdqa %ymm15, 1152(%r12)\nvpermq $78, %ymm4, %ymm4\nvpermq $78, %ymm5, %ymm5\nvpermq $78, %ymm6, %ymm6\nvpermq $78, %ymm7, %ymm7\nvpermq $78, %ymm8, %ymm8\nvpermq $78, %ymm9, %ymm9\nvpermq $78, %ymm10, %ymm10\nvinserti128 $0, %xmm4, %ymm3, %ymm15\nvmovdqa %ymm15, 1536(%r12)\nvinserti128 $0, %xmm5, %ymm13, %ymm15\nvmovdqa %ymm15, 1728(%r12)\nvinserti128 $0, %xmm6, %ymm11, %ymm15\nvmovdqa %ymm15, 1920(%r12)\nvinserti128 $0, %xmm7, %ymm0, %ymm15\nvmovdqa %ymm15, 2112(%r12)\nvinserti128 $0, %xmm8, %ymm12, %ymm15\nvmovdqa %ymm15, 2304(%r12)\nvinserti128 $0, %xmm9, %ymm2, %ymm15\nvmovdqa %ymm15, 2496(%r12)\nvinserti128 $0, %xmm10, %ymm14, %ymm15\nvmovdqa %ymm15, 2688(%r12)\nvmovdqa 0(%r8), %ymm11\nvinserti128 $1, %xmm1, %ymm11, %ymm14\nvmovdqa %ymm14, 1344(%r12)\nvpermq $78, %ymm11, %ymm11\nvinserti128 $0, %xmm11, %ymm1, %ymm1\nvmovdqa %ymm1, 2880(%r12)\nvmovdqa 3328(%r10), %ymm0\nvmovdqa 3392(%r10), %ymm1\nvmovdqa 3456(%r10), %ymm2\nvmovdqa 3520(%r10), %ymm3\nvpunpcklwd 3360(%r10), %ymm0, %ymm4\nvpunpckhwd 3360(%r10), %ymm0, %ymm5\nvpunpcklwd 3424(%r10), %ymm1, %ymm6\nvpunpckhwd 3424(%r10), %ymm1, %ymm7\nvpunpcklwd 3488(%r10), %ymm2, %ymm8\nvpunpckhwd 3488(%r10), %ymm2, %ymm9\nvpunpcklwd 3552(%r10), %ymm3, %ymm10\nvpunpckhwd 3552(%r10), %ymm3, %ymm11\nvpunpckldq %ymm6, %ymm4, %ymm0\nvpunpckhdq %ymm6, %ymm4, %ymm1\nvpunpckldq %ymm7, %ymm5, %ymm2\nvpunpckhdq %ymm7, %ymm5, %ymm3\nvpunpckldq %ymm10, %ymm8, %ymm12\nvpunpckhdq %ymm10, %ymm8, %ymm13\nvpunpckldq %ymm11, %ymm9, %ymm14\nvpunpckhdq %ymm11, %ymm9, %ymm15\nvpunpcklqdq %ymm12, %ymm0, %ymm4\nvpunpckhqdq %ymm12, %ymm0, %ymm5\nvpunpcklqdq %ymm13, %ymm1, %ymm6\nvpunpckhqdq %ymm13, %ymm1, %ymm7\nvpunpcklqdq %ymm14, %ymm2, %ymm8\nvpunpckhqdq %ymm14, %ymm2, %ymm9\nvpunpcklqdq %ymm15, %ymm3, %ymm10\nvpunpckhqdq %ymm15, %ymm3, %ymm11\nvmovdqa 3584(%r10), %ymm0\nvmovdqa 3648(%r10), %ymm1\nvmovdqa 3712(%r10), %ymm2\nvmovdqa 3776(%r10), %ymm3\nvpunpcklwd 3616(%r10), %ymm0, %ymm12\nvpunpckhwd 3616(%r10), %ymm0, %ymm13\nvpunpcklwd 3680(%r10), %ymm1, %ymm14\nvpunpckhwd 3680(%r10), %ymm1, %ymm15\nvpunpcklwd 3744(%r10), %ymm2, %ymm0\nvpunpckhwd 3744(%r10), %ymm2, %ymm1\nvpunpcklwd 3808(%r10), %ymm3, %ymm2\nvpunpckhwd 3808(%r10), %ymm3, %ymm3\nvmovdqa %ymm11, 0(%r8)\nvpunpckldq %ymm14, %ymm12, %ymm11\nvpunpckhdq %ymm14, %ymm12, %ymm12\nvpunpckldq %ymm15, %ymm13, %ymm14\nvpunpckhdq %ymm15, %ymm13, %ymm15\nvpunpckldq %ymm2, %ymm0, %ymm13\nvpunpckhdq %ymm2, %ymm0, %ymm0\nvpunpckldq %ymm3, %ymm1, %ymm2\nvpunpckhdq %ymm3, %ymm1, %ymm1\nvpunpcklqdq %ymm13, %ymm11, %ymm3\nvpunpckhqdq %ymm13, %ymm11, %ymm13\nvpunpcklqdq %ymm0, %ymm12, %ymm11\nvpunpckhqdq %ymm0, %ymm12, %ymm0\nvpunpcklqdq %ymm2, %ymm14, %ymm12\nvpunpckhqdq %ymm2, %ymm14, %ymm2\nvpunpcklqdq %ymm1, %ymm15, %ymm14\nvpunpckhqdq %ymm1, %ymm15, %ymm1\nvinserti128 $1, %xmm3, %ymm4, %ymm15\nvmovdqa %ymm15, 32(%r12)\nvinserti128 $1, %xmm13, %ymm5, %ymm15\nvmovdqa %ymm15, 224(%r12)\nvinserti128 $1, %xmm11, %ymm6, %ymm15\nvmovdqa %ymm15, 416(%r12)\nvinserti128 $1, %xmm0, %ymm7, %ymm15\nvmovdqa %ymm15, 608(%r12)\nvinserti128 $1, %xmm12, %ymm8, %ymm15\nvmovdqa %ymm15, 800(%r12)\nvinserti128 $1, %xmm2, %ymm9, %ymm15\nvmovdqa %ymm15, 992(%r12)\nvinserti128 $1, %xmm14, %ymm10, %ymm15\nvmovdqa %ymm15, 1184(%r12)\nvpermq $78, %ymm4, %ymm4\nvpermq $78, %ymm5, %ymm5\nvpermq $78, %ymm6, %ymm6\nvpermq $78, %ymm7, %ymm7\nvpermq $78, %ymm8, %ymm8\nvpermq $78, %ymm9, %ymm9\nvpermq $78, %ymm10, %ymm10\nvinserti128 $0, %xmm4, %ymm3, %ymm15\nvmovdqa %ymm15, 1568(%r12)\nvinserti128 $0, %xmm5, %ymm13, %ymm15\nvmovdqa %ymm15, 1760(%r12)\nvinserti128 $0, %xmm6, %ymm11, %ymm15\nvmovdqa %ymm15, 1952(%r12)\nvinserti128 $0, %xmm7, %ymm0, %ymm15\nvmovdqa %ymm15, 2144(%r12)\nvinserti128 $0, %xmm8, %ymm12, %ymm15\nvmovdqa %ymm15, 2336(%r12)\nvinserti128 $0, %xmm9, %ymm2, %ymm15\nvmovdqa %ymm15, 2528(%r12)\nvinserti128 $0, %xmm10, %ymm14, %ymm15\nvmovdqa %ymm15, 2720(%r12)\nvmovdqa 0(%r8), %ymm11\nvinserti128 $1, %xmm1, %ymm11, %ymm14\nvmovdqa %ymm14, 1376(%r12)\nvpermq $78, %ymm11, %ymm11\nvinserti128 $0, %xmm11, %ymm1, %ymm1\nvmovdqa %ymm1, 2912(%r12)\nvmovdqa 3840(%r10), %ymm0\nvmovdqa 3904(%r10), %ymm1\nvmovdqa 3968(%r10), %ymm2\nvmovdqa 4032(%r10), %ymm3\nvpunpcklwd 3872(%r10), %ymm0, %ymm4\nvpunpckhwd 3872(%r10), %ymm0, %ymm5\nvpunpcklwd 3936(%r10), %ymm1, %ymm6\nvpunpckhwd 3936(%r10), %ymm1, %ymm7\nvpunpcklwd 4000(%r10), %ymm2, %ymm8\nvpunpckhwd 4000(%r10), %ymm2, %ymm9\nvpunpcklwd 4064(%r10), %ymm3, %ymm10\nvpunpckhwd 4064(%r10), %ymm3, %ymm11\nvpunpckldq %ymm6, %ymm4, %ymm0\nvpunpckhdq %ymm6, %ymm4, %ymm1\nvpunpckldq %ymm7, %ymm5, %ymm2\nvpunpckhdq %ymm7, %ymm5, %ymm3\nvpunpckldq %ymm10, %ymm8, %ymm12\nvpunpckhdq %ymm10, %ymm8, %ymm13\nvpunpckldq %ymm11, %ymm9, %ymm14\nvpunpckhdq %ymm11, %ymm9, %ymm15\nvpunpcklqdq %ymm12, %ymm0, %ymm4\nvpunpckhqdq %ymm12, %ymm0, %ymm5\nvpunpcklqdq %ymm13, %ymm1, %ymm6\nvpunpckhqdq %ymm13, %ymm1, %ymm7\nvpunpcklqdq %ymm14, %ymm2, %ymm8\nvpunpckhqdq %ymm14, %ymm2, %ymm9\nvpunpcklqdq %ymm15, %ymm3, %ymm10\nvpunpckhqdq %ymm15, %ymm3, %ymm11\nvmovdqa 4096(%r10), %ymm0\nvmovdqa 4160(%r10), %ymm1\nvmovdqa 4224(%r10), %ymm2\nvmovdqa 4288(%r10), %ymm3\nvpunpcklwd 4128(%r10), %ymm0, %ymm12\nvpunpckhwd 4128(%r10), %ymm0, %ymm13\nvpunpcklwd 4192(%r10), %ymm1, %ymm14\nvpunpckhwd 4192(%r10), %ymm1, %ymm15\nvpunpcklwd 4256(%r10), %ymm2, %ymm0\nvpunpckhwd 4256(%r10), %ymm2, %ymm1\nvpunpcklwd 4320(%r10), %ymm3, %ymm2\nvpunpckhwd 4320(%r10), %ymm3, %ymm3\nvmovdqa %ymm11, 0(%r8)\nvpunpckldq %ymm14, %ymm12, %ymm11\nvpunpckhdq %ymm14, %ymm12, %ymm12\nvpunpckldq %ymm15, %ymm13, %ymm14\nvpunpckhdq %ymm15, %ymm13, %ymm15\nvpunpckldq %ymm2, %ymm0, %ymm13\nvpunpckhdq %ymm2, %ymm0, %ymm0\nvpunpckldq %ymm3, %ymm1, %ymm2\nvpunpckhdq %ymm3, %ymm1, %ymm1\nvpunpcklqdq %ymm13, %ymm11, %ymm3\nvpunpckhqdq %ymm13, %ymm11, %ymm13\nvpunpcklqdq %ymm0, %ymm12, %ymm11\nvpunpckhqdq %ymm0, %ymm12, %ymm0\nvpunpcklqdq %ymm2, %ymm14, %ymm12\nvpunpckhqdq %ymm2, %ymm14, %ymm2\nvpunpcklqdq %ymm1, %ymm15, %ymm14\nvpunpckhqdq %ymm1, %ymm15, %ymm1\nvinserti128 $1, %xmm3, %ymm4, %ymm15\nvmovdqa %ymm15, 64(%r12)\nvinserti128 $1, %xmm13, %ymm5, %ymm15\nvmovdqa %ymm15, 256(%r12)\nvinserti128 $1, %xmm11, %ymm6, %ymm15\nvmovdqa %ymm15, 448(%r12)\nvinserti128 $1, %xmm0, %ymm7, %ymm15\nvmovdqa %ymm15, 640(%r12)\nvinserti128 $1, %xmm12, %ymm8, %ymm15\nvmovdqa %ymm15, 832(%r12)\nvinserti128 $1, %xmm2, %ymm9, %ymm15\nvmovdqa %ymm15, 1024(%r12)\nvinserti128 $1, %xmm14, %ymm10, %ymm15\nvmovdqa %ymm15, 1216(%r12)\nvpermq $78, %ymm4, %ymm4\nvpermq $78, %ymm5, %ymm5\nvpermq $78, %ymm6, %ymm6\nvpermq $78, %ymm7, %ymm7\nvpermq $78, %ymm8, %ymm8\nvpermq $78, %ymm9, %ymm9\nvpermq $78, %ymm10, %ymm10\nvinserti128 $0, %xmm4, %ymm3, %ymm15\nvmovdqa %ymm15, 1600(%r12)\nvinserti128 $0, %xmm5, %ymm13, %ymm15\nvmovdqa %ymm15, 1792(%r12)\nvinserti128 $0, %xmm6, %ymm11, %ymm15\nvmovdqa %ymm15, 1984(%r12)\nvinserti128 $0, %xmm7, %ymm0, %ymm15\nvmovdqa %ymm15, 2176(%r12)\nvinserti128 $0, %xmm8, %ymm12, %ymm15\nvmovdqa %ymm15, 2368(%r12)\nvinserti128 $0, %xmm9, %ymm2, %ymm15\nvmovdqa %ymm15, 2560(%r12)\nvinserti128 $0, %xmm10, %ymm14, %ymm15\nvmovdqa %ymm15, 2752(%r12)\nvmovdqa 0(%r8), %ymm11\nvinserti128 $1, %xmm1, %ymm11, %ymm14\nvmovdqa %ymm14, 1408(%r12)\nvpermq $78, %ymm11, %ymm11\nvinserti128 $0, %xmm11, %ymm1, %ymm1\nvmovdqa %ymm1, 2944(%r12)\nvmovdqa 4224(%r10), %ymm0\nvmovdqa 4288(%r10), %ymm1\nvmovdqa 4352(%r10), %ymm2\nvmovdqa 4416(%r10), %ymm3\nvpunpcklwd 4256(%r10), %ymm0, %ymm4\nvpunpckhwd 4256(%r10), %ymm0, %ymm5\nvpunpcklwd 4320(%r10), %ymm1, %ymm6\nvpunpckhwd 4320(%r10), %ymm1, %ymm7\nvpunpcklwd 4384(%r10), %ymm2, %ymm8\nvpunpckhwd 4384(%r10), %ymm2, %ymm9\nvpunpcklwd 4448(%r10), %ymm3, %ymm10\nvpunpckhwd 4448(%r10), %ymm3, %ymm11\nvpunpckldq %ymm6, %ymm4, %ymm0\nvpunpckhdq %ymm6, %ymm4, %ymm1\nvpunpckldq %ymm7, %ymm5, %ymm2\nvpunpckhdq %ymm7, %ymm5, %ymm3\nvpunpckldq %ymm10, %ymm8, %ymm12\nvpunpckhdq %ymm10, %ymm8, %ymm13\nvpunpckldq %ymm11, %ymm9, %ymm14\nvpunpckhdq %ymm11, %ymm9, %ymm15\nvpunpcklqdq %ymm12, %ymm0, %ymm4\nvpunpckhqdq %ymm12, %ymm0, %ymm5\nvpunpcklqdq %ymm13, %ymm1, %ymm6\nvpunpckhqdq %ymm13, %ymm1, %ymm7\nvpunpcklqdq %ymm14, %ymm2, %ymm8\nvpunpckhqdq %ymm14, %ymm2, %ymm9\nvpunpcklqdq %ymm15, %ymm3, %ymm10\nvpunpckhqdq %ymm15, %ymm3, %ymm11\nvmovdqa 4480(%r10), %ymm0\nvmovdqa 4544(%r10), %ymm1\nvmovdqa 4608(%r10), %ymm2\nvmovdqa 4672(%r10), %ymm3\nvpunpcklwd 4512(%r10), %ymm0, %ymm12\nvpunpckhwd 4512(%r10), %ymm0, %ymm13\nvpunpcklwd 4576(%r10), %ymm1, %ymm14\nvpunpckhwd 4576(%r10), %ymm1, %ymm15\nvpunpcklwd 4640(%r10), %ymm2, %ymm0\nvpunpckhwd 4640(%r10), %ymm2, %ymm1\nvpunpcklwd 4704(%r10), %ymm3, %ymm2\nvpunpckhwd 4704(%r10), %ymm3, %ymm3\nvmovdqa %ymm11, 0(%r8)\nvpunpckldq %ymm14, %ymm12, %ymm11\nvpunpckhdq %ymm14, %ymm12, %ymm12\nvpunpckldq %ymm15, %ymm13, %ymm14\nvpunpckhdq %ymm15, %ymm13, %ymm15\nvpunpckldq %ymm2, %ymm0, %ymm13\nvpunpckhdq %ymm2, %ymm0, %ymm0\nvpunpckldq %ymm3, %ymm1, %ymm2\nvpunpckhdq %ymm3, %ymm1, %ymm1\nvpunpcklqdq %ymm13, %ymm11, %ymm3\nvpunpckhqdq %ymm13, %ymm11, %ymm13\nvpunpcklqdq %ymm0, %ymm12, %ymm11\nvpunpckhqdq %ymm0, %ymm12, %ymm0\nvpunpcklqdq %ymm2, %ymm14, %ymm12\nvpunpckhqdq %ymm2, %ymm14, %ymm2\nvpunpcklqdq %ymm1, %ymm15, %ymm14\nvpunpckhqdq %ymm1, %ymm15, %ymm1\nvinserti128 $1, %xmm3, %ymm4, %ymm15\nvmovdqa %ymm15, 96(%r12)\nvinserti128 $1, %xmm13, %ymm5, %ymm15\nvmovdqa %ymm15, 288(%r12)\nvinserti128 $1, %xmm11, %ymm6, %ymm15\nvmovdqa %ymm15, 480(%r12)\nvinserti128 $1, %xmm0, %ymm7, %ymm15\nvmovdqa %ymm15, 672(%r12)\nvinserti128 $1, %xmm12, %ymm8, %ymm15\nvmovdqa %ymm15, 864(%r12)\nvinserti128 $1, %xmm2, %ymm9, %ymm15\nvmovdqa %ymm15, 1056(%r12)\nvinserti128 $1, %xmm14, %ymm10, %ymm15\nvmovdqa %ymm15, 1248(%r12)\nvpermq $78, %ymm4, %ymm4\nvpermq $78, %ymm5, %ymm5\nvpermq $78, %ymm6, %ymm6\nvpermq $78, %ymm7, %ymm7\nvpermq $78, %ymm8, %ymm8\nvpermq $78, %ymm9, %ymm9\nvpermq $78, %ymm10, %ymm10\nvinserti128 $0, %xmm4, %ymm3, %ymm15\nvmovdqa %ymm15, 1632(%r12)\nvinserti128 $0, %xmm5, %ymm13, %ymm15\nvmovdqa %ymm15, 1824(%r12)\nvinserti128 $0, %xmm6, %ymm11, %ymm15\nvmovdqa %ymm15, 2016(%r12)\nvinserti128 $0, %xmm7, %ymm0, %ymm15\nvmovdqa %ymm15, 2208(%r12)\nvinserti128 $0, %xmm8, %ymm12, %ymm15\nvmovdqa %ymm15, 2400(%r12)\nvinserti128 $0, %xmm9, %ymm2, %ymm15\nvmovdqa %ymm15, 2592(%r12)\nvinserti128 $0, %xmm10, %ymm14, %ymm15\nvmovdqa %ymm15, 2784(%r12)\nvmovdqa 0(%r8), %ymm11\nvinserti128 $1, %xmm1, %ymm11, %ymm14\nvmovdqa %ymm14, 1440(%r12)\nvpermq $78, %ymm11, %ymm11\nvinserti128 $0, %xmm11, %ymm1, %ymm1\nvmovdqa %ymm1, 2976(%r12)\nvmovdqa 4736(%r10), %ymm0\nvmovdqa 4800(%r10), %ymm1\nvmovdqa 4864(%r10), %ymm2\nvmovdqa 4928(%r10), %ymm3\nvpunpcklwd 4768(%r10), %ymm0, %ymm4\nvpunpckhwd 4768(%r10), %ymm0, %ymm5\nvpunpcklwd 4832(%r10), %ymm1, %ymm6\nvpunpckhwd 4832(%r10), %ymm1, %ymm7\nvpunpcklwd 4896(%r10), %ymm2, %ymm8\nvpunpckhwd 4896(%r10), %ymm2, %ymm9\nvpunpcklwd 4960(%r10), %ymm3, %ymm10\nvpunpckhwd 4960(%r10), %ymm3, %ymm11\nvpunpckldq %ymm6, %ymm4, %ymm0\nvpunpckhdq %ymm6, %ymm4, %ymm1\nvpunpckldq %ymm7, %ymm5, %ymm2\nvpunpckhdq %ymm7, %ymm5, %ymm3\nvpunpckldq %ymm10, %ymm8, %ymm12\nvpunpckhdq %ymm10, %ymm8, %ymm13\nvpunpckldq %ymm11, %ymm9, %ymm14\nvpunpckhdq %ymm11, %ymm9, %ymm15\nvpunpcklqdq %ymm12, %ymm0, %ymm4\nvpunpckhqdq %ymm12, %ymm0, %ymm5\nvpunpcklqdq %ymm13, %ymm1, %ymm6\nvpunpckhqdq %ymm13, %ymm1, %ymm7\nvpunpcklqdq %ymm14, %ymm2, %ymm8\nvpunpckhqdq %ymm14, %ymm2, %ymm9\nvpunpcklqdq %ymm15, %ymm3, %ymm10\nvpunpckhqdq %ymm15, %ymm3, %ymm11\nvmovdqa 4992(%r10), %ymm0\nvmovdqa 5056(%r10), %ymm1\nvmovdqa 5120(%r10), %ymm2\nvmovdqa 5184(%r10), %ymm3\nvpunpcklwd 5024(%r10), %ymm0, %ymm12\nvpunpckhwd 5024(%r10), %ymm0, %ymm13\nvpunpcklwd 5088(%r10), %ymm1, %ymm14\nvpunpckhwd 5088(%r10), %ymm1, %ymm15\nvpunpcklwd 5152(%r10), %ymm2, %ymm0\nvpunpckhwd 5152(%r10), %ymm2, %ymm1\nvpunpcklwd 5216(%r10), %ymm3, %ymm2\nvpunpckhwd 5216(%r10), %ymm3, %ymm3\nvmovdqa %ymm11, 0(%r8)\nvpunpckldq %ymm14, %ymm12, %ymm11\nvpunpckhdq %ymm14, %ymm12, %ymm12\nvpunpckldq %ymm15, %ymm13, %ymm14\nvpunpckhdq %ymm15, %ymm13, %ymm15\nvpunpckldq %ymm2, %ymm0, %ymm13\nvpunpckhdq %ymm2, %ymm0, %ymm0\nvpunpckldq %ymm3, %ymm1, %ymm2\nvpunpckhdq %ymm3, %ymm1, %ymm1\nvpunpcklqdq %ymm13, %ymm11, %ymm3\nvpunpckhqdq %ymm13, %ymm11, %ymm13\nvpunpcklqdq %ymm0, %ymm12, %ymm11\nvpunpckhqdq %ymm0, %ymm12, %ymm0\nvpunpcklqdq %ymm2, %ymm14, %ymm12\nvpunpckhqdq %ymm2, %ymm14, %ymm2\nvpunpcklqdq %ymm1, %ymm15, %ymm14\nvpunpckhqdq %ymm1, %ymm15, %ymm1\nvinserti128 $1, %xmm3, %ymm4, %ymm15\nvmovdqa %ymm15, 128(%r12)\nvinserti128 $1, %xmm13, %ymm5, %ymm15\nvmovdqa %ymm15, 320(%r12)\nvinserti128 $1, %xmm11, %ymm6, %ymm15\nvmovdqa %ymm15, 512(%r12)\nvinserti128 $1, %xmm0, %ymm7, %ymm15\nvmovdqa %ymm15, 704(%r12)\nvinserti128 $1, %xmm12, %ymm8, %ymm15\nvmovdqa %ymm15, 896(%r12)\nvinserti128 $1, %xmm2, %ymm9, %ymm15\nvmovdqa %ymm15, 1088(%r12)\nvinserti128 $1, %xmm14, %ymm10, %ymm15\nvmovdqa %ymm15, 1280(%r12)\nvpermq $78, %ymm4, %ymm4\nvpermq $78, %ymm5, %ymm5\nvpermq $78, %ymm6, %ymm6\nvpermq $78, %ymm7, %ymm7\nvpermq $78, %ymm8, %ymm8\nvpermq $78, %ymm9, %ymm9\nvpermq $78, %ymm10, %ymm10\nvinserti128 $0, %xmm4, %ymm3, %ymm15\nvmovdqa %ymm15, 1664(%r12)\nvinserti128 $0, %xmm5, %ymm13, %ymm15\nvmovdqa %ymm15, 1856(%r12)\nvinserti128 $0, %xmm6, %ymm11, %ymm15\nvmovdqa %ymm15, 2048(%r12)\nvinserti128 $0, %xmm7, %ymm0, %ymm15\nvmovdqa %ymm15, 2240(%r12)\nvinserti128 $0, %xmm8, %ymm12, %ymm15\nvmovdqa %ymm15, 2432(%r12)\nvinserti128 $0, %xmm9, %ymm2, %ymm15\nvmovdqa %ymm15, 2624(%r12)\nvinserti128 $0, %xmm10, %ymm14, %ymm15\nvmovdqa %ymm15, 2816(%r12)\nvmovdqa 0(%r8), %ymm11\nvinserti128 $1, %xmm1, %ymm11, %ymm14\nvmovdqa %ymm14, 1472(%r12)\nvpermq $78, %ymm11, %ymm11\nvinserti128 $0, %xmm11, %ymm1, %ymm1\nvmovdqa %ymm1, 3008(%r12)\nvmovdqa 5248(%r10), %ymm0\nvmovdqa 5312(%r10), %ymm1\nvmovdqa 5376(%r10), %ymm2\nvmovdqa 5440(%r10), %ymm3\nvpunpcklwd 5280(%r10), %ymm0, %ymm4\nvpunpckhwd 5280(%r10), %ymm0, %ymm5\nvpunpcklwd 5344(%r10), %ymm1, %ymm6\nvpunpckhwd 5344(%r10), %ymm1, %ymm7\nvpunpcklwd 5408(%r10), %ymm2, %ymm8\nvpunpckhwd 5408(%r10), %ymm2, %ymm9\nvpunpcklwd 5472(%r10), %ymm3, %ymm10\nvpunpckhwd 5472(%r10), %ymm3, %ymm11\nvpunpckldq %ymm6, %ymm4, %ymm0\nvpunpckhdq %ymm6, %ymm4, %ymm1\nvpunpckldq %ymm7, %ymm5, %ymm2\nvpunpckhdq %ymm7, %ymm5, %ymm3\nvpunpckldq %ymm10, %ymm8, %ymm12\nvpunpckhdq %ymm10, %ymm8, %ymm13\nvpunpckldq %ymm11, %ymm9, %ymm14\nvpunpckhdq %ymm11, %ymm9, %ymm15\nvpunpcklqdq %ymm12, %ymm0, %ymm4\nvpunpckhqdq %ymm12, %ymm0, %ymm5\nvpunpcklqdq %ymm13, %ymm1, %ymm6\nvpunpckhqdq %ymm13, %ymm1, %ymm7\nvpunpcklqdq %ymm14, %ymm2, %ymm8\nvpunpckhqdq %ymm14, %ymm2, %ymm9\nvpunpcklqdq %ymm15, %ymm3, %ymm10\nvpunpckhqdq %ymm15, %ymm3, %ymm11\nvmovdqa 5504(%r10), %ymm0\nvmovdqa 5568(%r10), %ymm1\nvmovdqa 5632(%r10), %ymm2\nvmovdqa 5696(%r10), %ymm3\nvpunpcklwd 5536(%r10), %ymm0, %ymm12\nvpunpckhwd 5536(%r10), %ymm0, %ymm13\nvpunpcklwd 5600(%r10), %ymm1, %ymm14\nvpunpckhwd 5600(%r10), %ymm1, %ymm15\nvpunpcklwd 5664(%r10), %ymm2, %ymm0\nvpunpckhwd 5664(%r10), %ymm2, %ymm1\nvpunpcklwd 5728(%r10), %ymm3, %ymm2\nvpunpckhwd 5728(%r10), %ymm3, %ymm3\nvmovdqa %ymm11, 0(%r8)\nvpunpckldq %ymm14, %ymm12, %ymm11\nvpunpckhdq %ymm14, %ymm12, %ymm12\nvpunpckldq %ymm15, %ymm13, %ymm14\nvpunpckhdq %ymm15, %ymm13, %ymm15\nvpunpckldq %ymm2, %ymm0, %ymm13\nvpunpckhdq %ymm2, %ymm0, %ymm0\nvpunpckldq %ymm3, %ymm1, %ymm2\nvpunpckhdq %ymm3, %ymm1, %ymm1\nvpunpcklqdq %ymm13, %ymm11, %ymm3\nvpunpckhqdq %ymm13, %ymm11, %ymm13\nvpunpcklqdq %ymm0, %ymm12, %ymm11\nvpunpckhqdq %ymm0, %ymm12, %ymm0\nvpunpcklqdq %ymm2, %ymm14, %ymm12\nvpunpckhqdq %ymm2, %ymm14, %ymm2\nvpunpcklqdq %ymm1, %ymm15, %ymm14\nvpunpckhqdq %ymm1, %ymm15, %ymm1\nvinserti128 $1, %xmm3, %ymm4, %ymm15\nvmovdqa %ymm15, 160(%r12)\nvinserti128 $1, %xmm13, %ymm5, %ymm15\nvmovdqa %ymm15, 352(%r12)\nvinserti128 $1, %xmm11, %ymm6, %ymm15\nvmovdqa %ymm15, 544(%r12)\nvinserti128 $1, %xmm0, %ymm7, %ymm15\nvmovdqa %ymm15, 736(%r12)\nvinserti128 $1, %xmm12, %ymm8, %ymm15\nvmovdqa %ymm15, 928(%r12)\nvinserti128 $1, %xmm2, %ymm9, %ymm15\nvmovdqa %ymm15, 1120(%r12)\nvinserti128 $1, %xmm14, %ymm10, %ymm15\nvmovdqa %ymm15, 1312(%r12)\nvpermq $78, %ymm4, %ymm4\nvpermq $78, %ymm5, %ymm5\nvpermq $78, %ymm6, %ymm6\nvpermq $78, %ymm7, %ymm7\nvpermq $78, %ymm8, %ymm8\nvpermq $78, %ymm9, %ymm9\nvpermq $78, %ymm10, %ymm10\nvinserti128 $0, %xmm4, %ymm3, %ymm15\nvmovdqa %ymm15, 1696(%r12)\nvinserti128 $0, %xmm5, %ymm13, %ymm15\nvmovdqa %ymm15, 1888(%r12)\nvinserti128 $0, %xmm6, %ymm11, %ymm15\nvmovdqa %ymm15, 2080(%r12)\nvinserti128 $0, %xmm7, %ymm0, %ymm15\nvmovdqa %ymm15, 2272(%r12)\nvinserti128 $0, %xmm8, %ymm12, %ymm15\nvmovdqa %ymm15, 2464(%r12)\nvinserti128 $0, %xmm9, %ymm2, %ymm15\nvmovdqa %ymm15, 2656(%r12)\nvinserti128 $0, %xmm10, %ymm14, %ymm15\nvmovdqa %ymm15, 2848(%r12)\nvmovdqa 0(%r8), %ymm11\nvinserti128 $1, %xmm1, %ymm11, %ymm14\nvmovdqa %ymm14, 1504(%r12)\nvpermq $78, %ymm11, %ymm11\nvinserti128 $0, %xmm11, %ymm1, %ymm1\nvmovdqa %ymm1, 3040(%r12)\naddq $32, %r8\nadd $1536, %rax\nadd $1536, %r11\nadd $3072, %r12\ndec %ecx\njnz karatsuba_loop_4eced63f144beffcb0247f9c6f67d165\nsub $12288, %r12\nadd $9408-2400, %r8\nvpxor %ymm0, %ymm0, %ymm0\nvmovdqa %ymm0, 1792(%r8)\nvmovdqa %ymm0, 1824(%r8)\nvmovdqa %ymm0, 1856(%r8)\nvmovdqa %ymm0, 1888(%r8)\nvmovdqa %ymm0, 1920(%r8)\nvmovdqa %ymm0, 1952(%r8)\nvmovdqa %ymm0, 1984(%r8)\nvmovdqa %ymm0, 2016(%r8)\nvmovdqa %ymm0, 2048(%r8)\nvmovdqa %ymm0, 2080(%r8)\nvmovdqa %ymm0, 2112(%r8)\nvmovdqa %ymm0, 2144(%r8)\nvmovdqa %ymm0, 2176(%r8)\nvmovdqa %ymm0, 2208(%r8)\nvmovdqa %ymm0, 2240(%r8)\nvmovdqa %ymm0, 2272(%r8)\nvmovdqa %ymm0, 2304(%r8)\nvmovdqa %ymm0, 2336(%r8)\nvmovdqa %ymm0, 2368(%r8)\nvmovdqa %ymm0, 2400(%r8)\nvmovdqa %ymm0, 2432(%r8)\nvmovdqa %ymm0, 2464(%r8)\nvmovdqa %ymm0, 2496(%r8)\nvmovdqa %ymm0, 2528(%r8)\nvmovdqa %ymm0, 2560(%r8)\nvmovdqa %ymm0, 2592(%r8)\nvmovdqa %ymm0, 2624(%r8)\nvmovdqa %ymm0, 2656(%r8)\nvmovdqa %ymm0, 2688(%r8)\nvmovdqa %ymm0, 2720(%r8)\nvmovdqa %ymm0, 2752(%r8)\nvmovdqa %ymm0, 2784(%r8)\nvmovdqa const729(%rip), %ymm15\nvmovdqa const3_inv(%rip), %ymm14\nvmovdqa const5_inv(%rip), %ymm13\nvmovdqa const9(%rip), %ymm12\nvmovdqa 96(%r12), %ymm0\nvpsubw 192(%r12), %ymm0, %ymm0\nvmovdqa 480(%r12), %ymm1\nvpsubw %ymm0, %ymm1, %ymm1\nvpsubw 288(%r12), %ymm1, %ymm1\nvpsubw 0(%r12), %ymm0, %ymm0\nvpaddw 384(%r12), %ymm0, %ymm0\nvmovdqa 672(%r12), %ymm2\nvpsubw 768(%r12), %ymm2, %ymm2\nvmovdqa 1056(%r12), %ymm3\nvpsubw %ymm2, %ymm3, %ymm3\nvpsubw 864(%r12), %ymm3, %ymm3\nvpsubw 576(%r12), %ymm2, %ymm2\nvpaddw 960(%r12), %ymm2, %ymm2\nvmovdqa 1248(%r12), %ymm4\nvpsubw 1344(%r12), %ymm4, %ymm4\nvmovdqa 1632(%r12), %ymm5\nvpsubw %ymm4, %ymm5, %ymm5\nvpsubw 1440(%r12), %ymm5, %ymm5\nvpsubw 1152(%r12), %ymm4, %ymm4\nvpaddw 1536(%r12), %ymm4, %ymm4\nvpsubw 576(%r12), %ymm1, %ymm1\nvpsubw %ymm1, %ymm5, %ymm5\nvpsubw %ymm3, %ymm5, %ymm5\nvpsubw 0(%r12), %ymm1, %ymm1\nvpaddw 1152(%r12), %ymm1, %ymm1\nvmovdqa 288(%r12), %ymm6\nvpsubw %ymm2, %ymm6, %ymm7\nvmovdqa 1440(%r12), %ymm2\nvpsubw %ymm7, %ymm2, %ymm2\nvpsubw 864(%r12), %ymm2, %ymm2\nvpsubw %ymm0, %ymm7, %ymm7\nvpaddw %ymm4, %ymm7, %ymm7\nvmovdqa 0(%r12), %ymm8\nvmovdqa 864(%r12), %ymm9\nvmovdqa %ymm8, 0(%r8)\nvmovdqa %ymm0, 32(%r8)\nvmovdqa %ymm1, 64(%r8)\nvmovdqa %ymm7, 96(%r8)\nvmovdqa %ymm5, 128(%r8)\nvmovdqa %ymm2, 160(%r8)\nvmovdqa %ymm3, 192(%r8)\nvmovdqa %ymm9, 224(%r8)\nvmovdqa 1824(%r12), %ymm0\nvpsubw 1920(%r12), %ymm0, %ymm0\nvmovdqa 2208(%r12), %ymm1\nvpsubw %ymm0, %ymm1, %ymm1\nvpsubw 2016(%r12), %ymm1, %ymm1\nvpsubw 1728(%r12), %ymm0, %ymm0\nvpaddw 2112(%r12), %ymm0, %ymm0\nvmovdqa 2400(%r12), %ymm2\nvpsubw 2496(%r12), %ymm2, %ymm2\nvmovdqa 2784(%r12), %ymm3\nvpsubw %ymm2, %ymm3, %ymm3\nvpsubw 2592(%r12), %ymm3, %ymm3\nvpsubw 2304(%r12), %ymm2, %ymm2\nvpaddw 2688(%r12), %ymm2, %ymm2\nvmovdqa 2976(%r12), %ymm4\nvpsubw 3072(%r12), %ymm4, %ymm4\nvmovdqa 3360(%r12), %ymm5\nvpsubw %ymm4, %ymm5, %ymm5\nvpsubw 3168(%r12), %ymm5, %ymm5\nvpsubw 2880(%r12), %ymm4, %ymm4\nvpaddw 3264(%r12), %ymm4, %ymm4\nvpsubw 2304(%r12), %ymm1, %ymm1\nvpsubw %ymm1, %ymm5, %ymm5\nvpsubw %ymm3, %ymm5, %ymm5\nvpsubw 1728(%r12), %ymm1, %ymm1\nvpaddw 2880(%r12), %ymm1, %ymm1\nvmovdqa 2016(%r12), %ymm6\nvpsubw %ymm2, %ymm6, %ymm7\nvmovdqa 3168(%r12), %ymm2\nvpsubw %ymm7, %ymm2, %ymm2\nvpsubw 2592(%r12), %ymm2, %ymm2\nvpsubw %ymm0, %ymm7, %ymm7\nvpaddw %ymm4, %ymm7, %ymm7\nvmovdqa 1728(%r12), %ymm8\nvmovdqa 2592(%r12), %ymm9\nvmovdqa %ymm8, 256(%r8)\nvmovdqa %ymm0, 288(%r8)\nvmovdqa %ymm1, 320(%r8)\nvmovdqa %ymm7, 352(%r8)\nvmovdqa %ymm5, 384(%r8)\nvmovdqa %ymm2, 416(%r8)\nvmovdqa %ymm3, 448(%r8)\nvmovdqa %ymm9, 480(%r8)\nvmovdqa 3552(%r12), %ymm0\nvpsubw 3648(%r12), %ymm0, %ymm0\nvmovdqa 3936(%r12), %ymm1\nvpsubw %ymm0, %ymm1, %ymm1\nvpsubw 3744(%r12), %ymm1, %ymm1\nvpsubw 3456(%r12), %ymm0, %ymm0\nvpaddw 3840(%r12), %ymm0, %ymm0\nvmovdqa 4128(%r12), %ymm2\nvpsubw 4224(%r12), %ymm2, %ymm2\nvmovdqa 4512(%r12), %ymm3\nvpsubw %ymm2, %ymm3, %ymm3\nvpsubw 4320(%r12), %ymm3, %ymm3\nvpsubw 4032(%r12), %ymm2, %ymm2\nvpaddw 4416(%r12), %ymm2, %ymm2\nvmovdqa 4704(%r12), %ymm4\nvpsubw 4800(%r12), %ymm4, %ymm4\nvmovdqa 5088(%r12), %ymm5\nvpsubw %ymm4, %ymm5, %ymm5\nvpsubw 4896(%r12), %ymm5, %ymm5\nvpsubw 4608(%r12), %ymm4, %ymm4\nvpaddw 4992(%r12), %ymm4, %ymm4\nvpsubw 4032(%r12), %ymm1, %ymm1\nvpsubw %ymm1, %ymm5, %ymm5\nvpsubw %ymm3, %ymm5, %ymm5\nvpsubw 3456(%r12), %ymm1, %ymm1\nvpaddw 4608(%r12), %ymm1, %ymm1\nvmovdqa 3744(%r12), %ymm6\nvpsubw %ymm2, %ymm6, %ymm7\nvmovdqa 4896(%r12), %ymm2\nvpsubw %ymm7, %ymm2, %ymm2\nvpsubw 4320(%r12), %ymm2, %ymm2\nvpsubw %ymm0, %ymm7, %ymm7\nvpaddw %ymm4, %ymm7, %ymm7\nvmovdqa 3456(%r12), %ymm8\nvmovdqa 4320(%r12), %ymm9\nvmovdqa %ymm8, 512(%r8)\nvmovdqa %ymm0, 544(%r8)\nvmovdqa %ymm1, 576(%r8)\nvmovdqa %ymm7, 608(%r8)\nvmovdqa %ymm5, 640(%r8)\nvmovdqa %ymm2, 672(%r8)\nvmovdqa %ymm3, 704(%r8)\nvmovdqa %ymm9, 736(%r8)\nvmovdqa 5280(%r12), %ymm0\nvpsubw 5376(%r12), %ymm0, %ymm0\nvmovdqa 5664(%r12), %ymm1\nvpsubw %ymm0, %ymm1, %ymm1\nvpsubw 5472(%r12), %ymm1, %ymm1\nvpsubw 5184(%r12), %ymm0, %ymm0\nvpaddw 5568(%r12), %ymm0, %ymm0\nvmovdqa 5856(%r12), %ymm2\nvpsubw 5952(%r12), %ymm2, %ymm2\nvmovdqa 6240(%r12), %ymm3\nvpsubw %ymm2, %ymm3, %ymm3\nvpsubw 6048(%r12), %ymm3, %ymm3\nvpsubw 5760(%r12), %ymm2, %ymm2\nvpaddw 6144(%r12), %ymm2, %ymm2\nvmovdqa 6432(%r12), %ymm4\nvpsubw 6528(%r12), %ymm4, %ymm4\nvmovdqa 6816(%r12), %ymm5\nvpsubw %ymm4, %ymm5, %ymm5\nvpsubw 6624(%r12), %ymm5, %ymm5\nvpsubw 6336(%r12), %ymm4, %ymm4\nvpaddw 6720(%r12), %ymm4, %ymm4\nvpsubw 5760(%r12), %ymm1, %ymm1\nvpsubw %ymm1, %ymm5, %ymm5\nvpsubw %ymm3, %ymm5, %ymm5\nvpsubw 5184(%r12), %ymm1, %ymm1\nvpaddw 6336(%r12), %ymm1, %ymm1\nvmovdqa 5472(%r12), %ymm6\nvpsubw %ymm2, %ymm6, %ymm7\nvmovdqa 6624(%r12), %ymm2\nvpsubw %ymm7, %ymm2, %ymm2\nvpsubw 6048(%r12), %ymm2, %ymm2\nvpsubw %ymm0, %ymm7, %ymm7\nvpaddw %ymm4, %ymm7, %ymm7\nvmovdqa 5184(%r12), %ymm8\nvmovdqa 6048(%r12), %ymm9\nvmovdqa %ymm8, 768(%r8)\nvmovdqa %ymm0, 800(%r8)\nvmovdqa %ymm1, 832(%r8)\nvmovdqa %ymm7, 864(%r8)\nvmovdqa %ymm5, 896(%r8)\nvmovdqa %ymm2, 928(%r8)\nvmovdqa %ymm3, 960(%r8)\nvmovdqa %ymm9, 992(%r8)\nvmovdqa 7008(%r12), %ymm0\nvpsubw 7104(%r12), %ymm0, %ymm0\nvmovdqa 7392(%r12), %ymm1\nvpsubw %ymm0, %ymm1, %ymm1\nvpsubw 7200(%r12), %ymm1, %ymm1\nvpsubw 6912(%r12), %ymm0, %ymm0\nvpaddw 7296(%r12), %ymm0, %ymm0\nvmovdqa 7584(%r12), %ymm2\nvpsubw 7680(%r12), %ymm2, %ymm2\nvmovdqa 7968(%r12), %ymm3\nvpsubw %ymm2, %ymm3, %ymm3\nvpsubw 7776(%r12), %ymm3, %ymm3\nvpsubw 7488(%r12), %ymm2, %ymm2\nvpaddw 7872(%r12), %ymm2, %ymm2\nvmovdqa 8160(%r12), %ymm4\nvpsubw 8256(%r12), %ymm4, %ymm4\nvmovdqa 8544(%r12), %ymm5\nvpsubw %ymm4, %ymm5, %ymm5\nvpsubw 8352(%r12), %ymm5, %ymm5\nvpsubw 8064(%r12), %ymm4, %ymm4\nvpaddw 8448(%r12), %ymm4, %ymm4\nvpsubw 7488(%r12), %ymm1, %ymm1\nvpsubw %ymm1, %ymm5, %ymm5\nvpsubw %ymm3, %ymm5, %ymm5\nvpsubw 6912(%r12), %ymm1, %ymm1\nvpaddw 8064(%r12), %ymm1, %ymm1\nvmovdqa 7200(%r12), %ymm6\nvpsubw %ymm2, %ymm6, %ymm7\nvmovdqa 8352(%r12), %ymm2\nvpsubw %ymm7, %ymm2, %ymm2\nvpsubw 7776(%r12), %ymm2, %ymm2\nvpsubw %ymm0, %ymm7, %ymm7\nvpaddw %ymm4, %ymm7, %ymm7\nvmovdqa 6912(%r12), %ymm8\nvmovdqa 7776(%r12), %ymm9\nvmovdqa %ymm8, 1024(%r8)\nvmovdqa %ymm0, 1056(%r8)\nvmovdqa %ymm1, 1088(%r8)\nvmovdqa %ymm7, 1120(%r8)\nvmovdqa %ymm5, 1152(%r8)\nvmovdqa %ymm2, 1184(%r8)\nvmovdqa %ymm3, 1216(%r8)\nvmovdqa %ymm9, 1248(%r8)\nvmovdqa 8736(%r12), %ymm0\nvpsubw 8832(%r12), %ymm0, %ymm0\nvmovdqa 9120(%r12), %ymm1\nvpsubw %ymm0, %ymm1, %ymm1\nvpsubw 8928(%r12), %ymm1, %ymm1\nvpsubw 8640(%r12), %ymm0, %ymm0\nvpaddw 9024(%r12), %ymm0, %ymm0\nvmovdqa 9312(%r12), %ymm2\nvpsubw 9408(%r12), %ymm2, %ymm2\nvmovdqa 9696(%r12), %ymm3\nvpsubw %ymm2, %ymm3, %ymm3\nvpsubw 9504(%r12), %ymm3, %ymm3\nvpsubw 9216(%r12), %ymm2, %ymm2\nvpaddw 9600(%r12), %ymm2, %ymm2\nvmovdqa 9888(%r12), %ymm4\nvpsubw 9984(%r12), %ymm4, %ymm4\nvmovdqa 10272(%r12), %ymm5\nvpsubw %ymm4, %ymm5, %ymm5\nvpsubw 10080(%r12), %ymm5, %ymm5\nvpsubw 9792(%r12), %ymm4, %ymm4\nvpaddw 10176(%r12), %ymm4, %ymm4\nvpsubw 9216(%r12), %ymm1, %ymm1\nvpsubw %ymm1, %ymm5, %ymm5\nvpsubw %ymm3, %ymm5, %ymm5\nvpsubw 8640(%r12), %ymm1, %ymm1\nvpaddw 9792(%r12), %ymm1, %ymm1\nvmovdqa 8928(%r12), %ymm6\nvpsubw %ymm2, %ymm6, %ymm7\nvmovdqa 10080(%r12), %ymm2\nvpsubw %ymm7, %ymm2, %ymm2\nvpsubw 9504(%r12), %ymm2, %ymm2\nvpsubw %ymm0, %ymm7, %ymm7\nvpaddw %ymm4, %ymm7, %ymm7\nvmovdqa 8640(%r12), %ymm8\nvmovdqa 9504(%r12), %ymm9\nvmovdqa %ymm8, 1280(%r8)\nvmovdqa %ymm0, 1312(%r8)\nvmovdqa %ymm1, 1344(%r8)\nvmovdqa %ymm7, 1376(%r8)\nvmovdqa %ymm5, 1408(%r8)\nvmovdqa %ymm2, 1440(%r8)\nvmovdqa %ymm3, 1472(%r8)\nvmovdqa %ymm9, 1504(%r8)\nvmovdqa 10464(%r12), %ymm0\nvpsubw 10560(%r12), %ymm0, %ymm0\nvmovdqa 10848(%r12), %ymm1\nvpsubw %ymm0, %ymm1, %ymm1\nvpsubw 10656(%r12), %ymm1, %ymm1\nvpsubw 10368(%r12), %ymm0, %ymm0\nvpaddw 10752(%r12), %ymm0, %ymm0\nvmovdqa 11040(%r12), %ymm2\nvpsubw 11136(%r12), %ymm2, %ymm2\nvmovdqa 11424(%r12), %ymm3\nvpsubw %ymm2, %ymm3, %ymm3\nvpsubw 11232(%r12), %ymm3, %ymm3\nvpsubw 10944(%r12), %ymm2, %ymm2\nvpaddw 11328(%r12), %ymm2, %ymm2\nvmovdqa 11616(%r12), %ymm4\nvpsubw 11712(%r12), %ymm4, %ymm4\nvmovdqa 12000(%r12), %ymm5\nvpsubw %ymm4, %ymm5, %ymm5\nvpsubw 11808(%r12), %ymm5, %ymm5\nvpsubw 11520(%r12), %ymm4, %ymm4\nvpaddw 11904(%r12), %ymm4, %ymm4\nvpsubw 10944(%r12), %ymm1, %ymm1\nvpsubw %ymm1, %ymm5, %ymm5\nvpsubw %ymm3, %ymm5, %ymm5\nvpsubw 10368(%r12), %ymm1, %ymm1\nvpaddw 11520(%r12), %ymm1, %ymm1\nvmovdqa 10656(%r12), %ymm6\nvpsubw %ymm2, %ymm6, %ymm7\nvmovdqa 11808(%r12), %ymm2\nvpsubw %ymm7, %ymm2, %ymm2\nvpsubw 11232(%r12), %ymm2, %ymm2\nvpsubw %ymm0, %ymm7, %ymm7\nvpaddw %ymm4, %ymm7, %ymm7\nvmovdqa 10368(%r12), %ymm8\nvmovdqa 11232(%r12), %ymm9\nvmovdqa %ymm8, 1536(%r8)\nvmovdqa %ymm0, 1568(%r8)\nvmovdqa %ymm1, 1600(%r8)\nvmovdqa %ymm7, 1632(%r8)\nvmovdqa %ymm5, 1664(%r8)\nvmovdqa %ymm2, 1696(%r8)\nvmovdqa %ymm3, 1728(%r8)\nvmovdqa %ymm9, 1760(%r8)\nvmovdqa 0(%r8), %ymm11\nvpunpcklwd const0(%rip), %ymm11, %ymm10\nvpunpckhwd const0(%rip), %ymm11, %ymm9\nvpslld $1, %ymm10, %ymm10\nvpslld $1, %ymm9, %ymm9\nvmovdqa 256(%r8), %ymm8\nvpunpcklwd const0(%rip), %ymm8, %ymm7\nvpunpckhwd const0(%rip), %ymm8, %ymm8\nvmovdqa 512(%r8), %ymm6\nvpunpcklwd const0(%rip), %ymm6, %ymm5\nvpunpckhwd const0(%rip), %ymm6, %ymm6\nvpaddd %ymm5, %ymm7, %ymm4\nvpaddd %ymm6, %ymm8, %ymm3\nvpsubd %ymm10, %ymm4, %ymm4\nvpsubd %ymm9, %ymm3, %ymm3\nvpsubd %ymm5, %ymm7, %ymm5\nvpsubd %ymm6, %ymm8, %ymm6\nvpsrld $1, %ymm5, %ymm5\nvpsrld $1, %ymm6, %ymm6\nvpand mask32_to_16(%rip), %ymm5, %ymm5\nvpand mask32_to_16(%rip), %ymm6, %ymm6\nvpackusdw %ymm6, %ymm5, %ymm6\nvmovdqa 1536(%r8), %ymm5\nvpunpcklwd const0(%rip), %ymm5, %ymm8\nvpunpckhwd const0(%rip), %ymm5, %ymm7\nvpslld $1, %ymm8, %ymm8\nvpslld $1, %ymm7, %ymm7\nvpsubd %ymm8, %ymm4, %ymm4\nvpsubd %ymm7, %ymm3, %ymm3\nvpsrld $1, %ymm4, %ymm4\nvpsrld $1, %ymm3, %ymm3\nvpand mask32_to_16(%rip), %ymm4, %ymm4\nvpand mask32_to_16(%rip), %ymm3, %ymm3\nvpackusdw %ymm3, %ymm4, %ymm3\nvmovdqa 768(%r8), %ymm4\nvpaddw 1024(%r8), %ymm4, %ymm7\nvpsubw 1024(%r8), %ymm4, %ymm4\nvpsrlw $2, %ymm4, %ymm4\nvpsubw %ymm6, %ymm4, %ymm4\nvpmullw %ymm14, %ymm4, %ymm4\nvpsllw $1, %ymm11, %ymm8\nvpsubw %ymm8, %ymm7, %ymm8\nvpsllw $7, %ymm5, %ymm7\nvpsubw %ymm7, %ymm8, %ymm7\nvpsrlw $3, %ymm7, %ymm7\nvpsubw %ymm3, %ymm7, %ymm7\nvmovdqa 1280(%r8), %ymm8\nvpsubw %ymm11, %ymm8, %ymm8\nvpmullw %ymm15, %ymm5, %ymm9\nvpsubw %ymm9, %ymm8, %ymm9\nvpmullw %ymm14, %ymm7, %ymm7\nvpsubw %ymm7, %ymm3, %ymm3\nvpmullw %ymm12, %ymm7, %ymm8\nvpaddw %ymm8, %ymm3, %ymm8\nvpmullw %ymm12, %ymm8, %ymm8\nvpsubw %ymm8, %ymm9, %ymm8\nvpmullw %ymm14, %ymm8, %ymm8\nvpsubw %ymm6, %ymm8, %ymm8\nvpsrlw $3, %ymm8, %ymm8\nvpsubw %ymm4, %ymm8, %ymm8\nvpsubw %ymm8, %ymm4, %ymm4\nvpsubw %ymm4, %ymm6, %ymm6\nvpmullw %ymm13, %ymm8, %ymm8\nvpsubw %ymm8, %ymm6, %ymm6\nvpshufb shuf48_16(%rip), %ymm7, %ymm7\nvpand mask3_5_3_5(%rip), %ymm7, %ymm9\nvpand mask5_3_5_3(%rip), %ymm7, %ymm7\nvpermq $206, %ymm9, %ymm9\nvpand mask_keephigh(%rip), %ymm9, %ymm10\nvpor %ymm10, %ymm7, %ymm7\nvpaddw %ymm7, %ymm11, %ymm11\nvmovdqa %xmm9, 2048(%r8)\nvpshufb shuf48_16(%rip), %ymm8, %ymm8\nvpand mask3_5_3_5(%rip), %ymm8, %ymm9\nvpand mask5_3_5_3(%rip), %ymm8, %ymm8\nvpermq $206, %ymm9, %ymm9\nvpand mask_keephigh(%rip), %ymm9, %ymm10\nvpor %ymm10, %ymm8, %ymm8\nvpaddw %ymm8, %ymm6, %ymm6\nvmovdqa %xmm9, 2304(%r8)\nvpshufb shuf48_16(%rip), %ymm5, %ymm5\nvpand mask3_5_3_5(%rip), %ymm5, %ymm9\nvpand mask5_3_5_3(%rip), %ymm5, %ymm5\nvpermq $206, %ymm9, %ymm9\nvpand mask_keephigh(%rip), %ymm9, %ymm10\nvpor %ymm10, %ymm5, %ymm5\nvpaddw %ymm5, %ymm3, %ymm3\nvmovdqa %xmm9, 2560(%r8)\nvpand mask_mod8192(%rip), %ymm11, %ymm11\nvmovdqu %ymm11, 0(%rdi)\nvpand mask_mod8192(%rip), %ymm6, %ymm6\nvmovdqu %ymm6, 352(%rdi)\nvpand mask_mod8192(%rip), %ymm3, %ymm3\nvmovdqu %ymm3, 704(%rdi)\nvpand mask_mod8192(%rip), %ymm4, %ymm4\nvmovdqu %ymm4, 1056(%rdi)\nvmovdqa 32(%r8), %ymm5\nvpunpcklwd const0(%rip), %ymm5, %ymm8\nvpunpckhwd const0(%rip), %ymm5, %ymm7\nvpslld $1, %ymm8, %ymm8\nvpslld $1, %ymm7, %ymm7\nvmovdqa 288(%r8), %ymm4\nvpunpcklwd const0(%rip), %ymm4, %ymm3\nvpunpckhwd const0(%rip), %ymm4, %ymm4\nvmovdqa 544(%r8), %ymm6\nvpunpcklwd const0(%rip), %ymm6, %ymm11\nvpunpckhwd const0(%rip), %ymm6, %ymm6\nvpaddd %ymm11, %ymm3, %ymm9\nvpaddd %ymm6, %ymm4, %ymm10\nvpsubd %ymm8, %ymm9, %ymm9\nvpsubd %ymm7, %ymm10, %ymm10\nvpsubd %ymm11, %ymm3, %ymm11\nvpsubd %ymm6, %ymm4, %ymm6\nvpsrld $1, %ymm11, %ymm11\nvpsrld $1, %ymm6, %ymm6\nvpand mask32_to_16(%rip), %ymm11, %ymm11\nvpand mask32_to_16(%rip), %ymm6, %ymm6\nvpackusdw %ymm6, %ymm11, %ymm6\nvmovdqa 1568(%r8), %ymm11\nvpunpcklwd const0(%rip), %ymm11, %ymm4\nvpunpckhwd const0(%rip), %ymm11, %ymm3\nvpslld $1, %ymm4, %ymm4\nvpslld $1, %ymm3, %ymm3\nvpsubd %ymm4, %ymm9, %ymm9\nvpsubd %ymm3, %ymm10, %ymm10\nvpsrld $1, %ymm9, %ymm9\nvpsrld $1, %ymm10, %ymm10\nvpand mask32_to_16(%rip), %ymm9, %ymm9\nvpand mask32_to_16(%rip), %ymm10, %ymm10\nvpackusdw %ymm10, %ymm9, %ymm10\nvmovdqa 800(%r8), %ymm9\nvpaddw 1056(%r8), %ymm9, %ymm3\nvpsubw 1056(%r8), %ymm9, %ymm9\nvpsrlw $2, %ymm9, %ymm9\nvpsubw %ymm6, %ymm9, %ymm9\nvpmullw %ymm14, %ymm9, %ymm9\nvpsllw $1, %ymm5, %ymm4\nvpsubw %ymm4, %ymm3, %ymm4\nvpsllw $7, %ymm11, %ymm3\nvpsubw %ymm3, %ymm4, %ymm3\nvpsrlw $3, %ymm3, %ymm3\nvpsubw %ymm10, %ymm3, %ymm3\nvmovdqa 1312(%r8), %ymm4\nvpsubw %ymm5, %ymm4, %ymm4\nvpmullw %ymm15, %ymm11, %ymm7\nvpsubw %ymm7, %ymm4, %ymm7\nvpmullw %ymm14, %ymm3, %ymm3\nvpsubw %ymm3, %ymm10, %ymm10\nvpmullw %ymm12, %ymm3, %ymm4\nvpaddw %ymm4, %ymm10, %ymm4\nvpmullw %ymm12, %ymm4, %ymm4\nvpsubw %ymm4, %ymm7, %ymm4\nvpmullw %ymm14, %ymm4, %ymm4\nvpsubw %ymm6, %ymm4, %ymm4\nvpsrlw $3, %ymm4, %ymm4\nvpsubw %ymm9, %ymm4, %ymm4\nvpsubw %ymm4, %ymm9, %ymm9\nvpsubw %ymm9, %ymm6, %ymm6\nvpmullw %ymm13, %ymm4, %ymm4\nvpsubw %ymm4, %ymm6, %ymm6\nvpshufb shuf48_16(%rip), %ymm3, %ymm3\nvpand mask3_5_3_5(%rip), %ymm3, %ymm7\nvpand mask5_3_5_3(%rip), %ymm3, %ymm3\nvpermq $206, %ymm7, %ymm7\nvpand mask_keephigh(%rip), %ymm7, %ymm8\nvpor %ymm8, %ymm3, %ymm3\nvpaddw %ymm3, %ymm5, %ymm5\nvmovdqa %xmm7, 2080(%r8)\nvpshufb shuf48_16(%rip), %ymm4, %ymm4\nvpand mask3_5_3_5(%rip), %ymm4, %ymm7\nvpand mask5_3_5_3(%rip), %ymm4, %ymm4\nvpermq $206, %ymm7, %ymm7\nvpand mask_keephigh(%rip), %ymm7, %ymm8\nvpor %ymm8, %ymm4, %ymm4\nvpaddw %ymm4, %ymm6, %ymm6\nvmovdqa %xmm7, 2336(%r8)\nvpshufb shuf48_16(%rip), %ymm11, %ymm11\nvpand mask3_5_3_5(%rip), %ymm11, %ymm7\nvpand mask5_3_5_3(%rip), %ymm11, %ymm11\nvpermq $206, %ymm7, %ymm7\nvpand mask_keephigh(%rip), %ymm7, %ymm8\nvpor %ymm8, %ymm11, %ymm11\nvpaddw %ymm11, %ymm10, %ymm10\nvmovdqa %xmm7, 2592(%r8)\nvpand mask_mod8192(%rip), %ymm5, %ymm5\nvmovdqu %ymm5, 88(%rdi)\nvpand mask_mod8192(%rip), %ymm6, %ymm6\nvmovdqu %ymm6, 440(%rdi)\nvpand mask_mod8192(%rip), %ymm10, %ymm10\nvmovdqu %ymm10, 792(%rdi)\nvpand mask_mod8192(%rip), %ymm9, %ymm9\nvmovdqu %ymm9, 1144(%rdi)\nvmovdqa 64(%r8), %ymm11\nvpunpcklwd const0(%rip), %ymm11, %ymm4\nvpunpckhwd const0(%rip), %ymm11, %ymm3\nvpslld $1, %ymm4, %ymm4\nvpslld $1, %ymm3, %ymm3\nvmovdqa 320(%r8), %ymm9\nvpunpcklwd const0(%rip), %ymm9, %ymm10\nvpunpckhwd const0(%rip), %ymm9, %ymm9\nvmovdqa 576(%r8), %ymm6\nvpunpcklwd const0(%rip), %ymm6, %ymm5\nvpunpckhwd const0(%rip), %ymm6, %ymm6\nvpaddd %ymm5, %ymm10, %ymm7\nvpaddd %ymm6, %ymm9, %ymm8\nvpsubd %ymm4, %ymm7, %ymm7\nvpsubd %ymm3, %ymm8, %ymm8\nvpsubd %ymm5, %ymm10, %ymm5\nvpsubd %ymm6, %ymm9, %ymm6\nvpsrld $1, %ymm5, %ymm5\nvpsrld $1, %ymm6, %ymm6\nvpand mask32_to_16(%rip), %ymm5, %ymm5\nvpand mask32_to_16(%rip), %ymm6, %ymm6\nvpackusdw %ymm6, %ymm5, %ymm6\nvmovdqa 1600(%r8), %ymm5\nvpunpcklwd const0(%rip), %ymm5, %ymm9\nvpunpckhwd const0(%rip), %ymm5, %ymm10\nvpslld $1, %ymm9, %ymm9\nvpslld $1, %ymm10, %ymm10\nvpsubd %ymm9, %ymm7, %ymm7\nvpsubd %ymm10, %ymm8, %ymm8\nvpsrld $1, %ymm7, %ymm7\nvpsrld $1, %ymm8, %ymm8\nvpand mask32_to_16(%rip), %ymm7, %ymm7\nvpand mask32_to_16(%rip), %ymm8, %ymm8\nvpackusdw %ymm8, %ymm7, %ymm8\nvmovdqa 832(%r8), %ymm7\nvpaddw 1088(%r8), %ymm7, %ymm10\nvpsubw 1088(%r8), %ymm7, %ymm7\nvpsrlw $2, %ymm7, %ymm7\nvpsubw %ymm6, %ymm7, %ymm7\nvpmullw %ymm14, %ymm7, %ymm7\nvpsllw $1, %ymm11, %ymm9\nvpsubw %ymm9, %ymm10, %ymm9\nvpsllw $7, %ymm5, %ymm10\nvpsubw %ymm10, %ymm9, %ymm10\nvpsrlw $3, %ymm10, %ymm10\nvpsubw %ymm8, %ymm10, %ymm10\nvmovdqa 1344(%r8), %ymm9\nvpsubw %ymm11, %ymm9, %ymm9\nvpmullw %ymm15, %ymm5, %ymm3\nvpsubw %ymm3, %ymm9, %ymm3\nvpmullw %ymm14, %ymm10, %ymm10\nvpsubw %ymm10, %ymm8, %ymm8\nvpmullw %ymm12, %ymm10, %ymm9\nvpaddw %ymm9, %ymm8, %ymm9\nvpmullw %ymm12, %ymm9, %ymm9\nvpsubw %ymm9, %ymm3, %ymm9\nvpmullw %ymm14, %ymm9, %ymm9\nvpsubw %ymm6, %ymm9, %ymm9\nvpsrlw $3, %ymm9, %ymm9\nvpsubw %ymm7, %ymm9, %ymm9\nvpsubw %ymm9, %ymm7, %ymm7\nvpsubw %ymm7, %ymm6, %ymm6\nvpmullw %ymm13, %ymm9, %ymm9\nvpsubw %ymm9, %ymm6, %ymm6\nvpshufb shuf48_16(%rip), %ymm10, %ymm10\nvpand mask3_5_3_5(%rip), %ymm10, %ymm3\nvpand mask5_3_5_3(%rip), %ymm10, %ymm10\nvpermq $206, %ymm3, %ymm3\nvpand mask_keephigh(%rip), %ymm3, %ymm4\nvpor %ymm4, %ymm10, %ymm10\nvpaddw %ymm10, %ymm11, %ymm11\nvmovdqa %xmm3, 2112(%r8)\nvpshufb shuf48_16(%rip), %ymm9, %ymm9\nvpand mask3_5_3_5(%rip), %ymm9, %ymm3\nvpand mask5_3_5_3(%rip), %ymm9, %ymm9\nvpermq $206, %ymm3, %ymm3\nvpand mask_keephigh(%rip), %ymm3, %ymm4\nvpor %ymm4, %ymm9, %ymm9\nvpaddw %ymm9, %ymm6, %ymm6\nvmovdqa %xmm3, 2368(%r8)\nvpshufb shuf48_16(%rip), %ymm5, %ymm5\nvpand mask3_5_3_5(%rip), %ymm5, %ymm3\nvpand mask5_3_5_3(%rip), %ymm5, %ymm5\nvpermq $206, %ymm3, %ymm3\nvpand mask_keephigh(%rip), %ymm3, %ymm4\nvpor %ymm4, %ymm5, %ymm5\nvpaddw %ymm5, %ymm8, %ymm8\nvmovdqa %xmm3, 2624(%r8)\nvpand mask_mod8192(%rip), %ymm11, %ymm11\nvmovdqu %ymm11, 176(%rdi)\nvpand mask_mod8192(%rip), %ymm6, %ymm6\nvmovdqu %ymm6, 528(%rdi)\nvpand mask_mod8192(%rip), %ymm8, %ymm8\nvmovdqu %ymm8, 880(%rdi)\nvpand mask_mod8192(%rip), %ymm7, %ymm7\nvmovdqu %ymm7, 1232(%rdi)\nvmovdqa 96(%r8), %ymm5\nvpunpcklwd const0(%rip), %ymm5, %ymm9\nvpunpckhwd const0(%rip), %ymm5, %ymm10\nvpslld $1, %ymm9, %ymm9\nvpslld $1, %ymm10, %ymm10\nvmovdqa 352(%r8), %ymm7\nvpunpcklwd const0(%rip), %ymm7, %ymm8\nvpunpckhwd const0(%rip), %ymm7, %ymm7\nvmovdqa 608(%r8), %ymm6\nvpunpcklwd const0(%rip), %ymm6, %ymm11\nvpunpckhwd const0(%rip), %ymm6, %ymm6\nvpaddd %ymm11, %ymm8, %ymm3\nvpaddd %ymm6, %ymm7, %ymm4\nvpsubd %ymm9, %ymm3, %ymm3\nvpsubd %ymm10, %ymm4, %ymm4\nvpsubd %ymm11, %ymm8, %ymm11\nvpsubd %ymm6, %ymm7, %ymm6\nvpsrld $1, %ymm11, %ymm11\nvpsrld $1, %ymm6, %ymm6\nvpand mask32_to_16(%rip), %ymm11, %ymm11\nvpand mask32_to_16(%rip), %ymm6, %ymm6\nvpackusdw %ymm6, %ymm11, %ymm6\nvmovdqa 1632(%r8), %ymm11\nvpunpcklwd const0(%rip), %ymm11, %ymm7\nvpunpckhwd const0(%rip), %ymm11, %ymm8\nvpslld $1, %ymm7, %ymm7\nvpslld $1, %ymm8, %ymm8\nvpsubd %ymm7, %ymm3, %ymm3\nvpsubd %ymm8, %ymm4, %ymm4\nvpsrld $1, %ymm3, %ymm3\nvpsrld $1, %ymm4, %ymm4\nvpand mask32_to_16(%rip), %ymm3, %ymm3\nvpand mask32_to_16(%rip), %ymm4, %ymm4\nvpackusdw %ymm4, %ymm3, %ymm4\nvmovdqa 864(%r8), %ymm3\nvpaddw 1120(%r8), %ymm3, %ymm8\nvpsubw 1120(%r8), %ymm3, %ymm3\nvpsrlw $2, %ymm3, %ymm3\nvpsubw %ymm6, %ymm3, %ymm3\nvpmullw %ymm14, %ymm3, %ymm3\nvpsllw $1, %ymm5, %ymm7\nvpsubw %ymm7, %ymm8, %ymm7\nvpsllw $7, %ymm11, %ymm8\nvpsubw %ymm8, %ymm7, %ymm8\nvpsrlw $3, %ymm8, %ymm8\nvpsubw %ymm4, %ymm8, %ymm8\nvmovdqa 1376(%r8), %ymm7\nvpsubw %ymm5, %ymm7, %ymm7\nvpmullw %ymm15, %ymm11, %ymm10\nvpsubw %ymm10, %ymm7, %ymm10\nvpmullw %ymm14, %ymm8, %ymm8\nvpsubw %ymm8, %ymm4, %ymm4\nvpmullw %ymm12, %ymm8, %ymm7\nvpaddw %ymm7, %ymm4, %ymm7\nvpmullw %ymm12, %ymm7, %ymm7\nvpsubw %ymm7, %ymm10, %ymm7\nvpmullw %ymm14, %ymm7, %ymm7\nvpsubw %ymm6, %ymm7, %ymm7\nvpsrlw $3, %ymm7, %ymm7\nvpsubw %ymm3, %ymm7, %ymm7\nvpsubw %ymm7, %ymm3, %ymm3\nvpsubw %ymm3, %ymm6, %ymm6\nvpmullw %ymm13, %ymm7, %ymm7\nvpsubw %ymm7, %ymm6, %ymm6\nvpshufb shuf48_16(%rip), %ymm8, %ymm8\nvpand mask3_5_3_5(%rip), %ymm8, %ymm10\nvpand mask5_3_5_3(%rip), %ymm8, %ymm8\nvpermq $206, %ymm10, %ymm10\nvpand mask_keephigh(%rip), %ymm10, %ymm9\nvpor %ymm9, %ymm8, %ymm8\nvpaddw %ymm8, %ymm5, %ymm5\nvmovdqa %xmm10, 2144(%r8)\nvpshufb shuf48_16(%rip), %ymm7, %ymm7\nvpand mask3_5_3_5(%rip), %ymm7, %ymm10\nvpand mask5_3_5_3(%rip), %ymm7, %ymm7\nvpermq $206, %ymm10, %ymm10\nvpand mask_keephigh(%rip), %ymm10, %ymm9\nvpor %ymm9, %ymm7, %ymm7\nvpaddw %ymm7, %ymm6, %ymm6\nvmovdqa %xmm10, 2400(%r8)\nvpshufb shuf48_16(%rip), %ymm11, %ymm11\nvpand mask3_5_3_5(%rip), %ymm11, %ymm10\nvpand mask5_3_5_3(%rip), %ymm11, %ymm11\nvpermq $206, %ymm10, %ymm10\nvpand mask_keephigh(%rip), %ymm10, %ymm9\nvpor %ymm9, %ymm11, %ymm11\nvpaddw %ymm11, %ymm4, %ymm4\nvmovdqa %xmm10, 2656(%r8)\nvpand mask_mod8192(%rip), %ymm5, %ymm5\nvmovdqu %ymm5, 264(%rdi)\nvpand mask_mod8192(%rip), %ymm6, %ymm6\nvmovdqu %ymm6, 616(%rdi)\nvpand mask_mod8192(%rip), %ymm4, %ymm4\nvmovdqu %ymm4, 968(%rdi)\nvpand mask_mod8192(%rip), %ymm3, %ymm3\nvmovdqu %ymm3, 1320(%rdi)\nvmovdqa 128(%r8), %ymm11\nvpunpcklwd const0(%rip), %ymm11, %ymm7\nvpunpckhwd const0(%rip), %ymm11, %ymm8\nvpslld $1, %ymm7, %ymm7\nvpslld $1, %ymm8, %ymm8\nvmovdqa 384(%r8), %ymm3\nvpunpcklwd const0(%rip), %ymm3, %ymm4\nvpunpckhwd const0(%rip), %ymm3, %ymm3\nvmovdqa 640(%r8), %ymm6\nvpunpcklwd const0(%rip), %ymm6, %ymm5\nvpunpckhwd const0(%rip), %ymm6, %ymm6\nvpaddd %ymm5, %ymm4, %ymm10\nvpaddd %ymm6, %ymm3, %ymm9\nvpsubd %ymm7, %ymm10, %ymm10\nvpsubd %ymm8, %ymm9, %ymm9\nvpsubd %ymm5, %ymm4, %ymm5\nvpsubd %ymm6, %ymm3, %ymm6\nvpsrld $1, %ymm5, %ymm5\nvpsrld $1, %ymm6, %ymm6\nvpand mask32_to_16(%rip), %ymm5, %ymm5\nvpand mask32_to_16(%rip), %ymm6, %ymm6\nvpackusdw %ymm6, %ymm5, %ymm6\nvmovdqa 1664(%r8), %ymm5\nvpunpcklwd const0(%rip), %ymm5, %ymm3\nvpunpckhwd const0(%rip), %ymm5, %ymm4\nvpslld $1, %ymm3, %ymm3\nvpslld $1, %ymm4, %ymm4\nvpsubd %ymm3, %ymm10, %ymm10\nvpsubd %ymm4, %ymm9, %ymm9\nvpsrld $1, %ymm10, %ymm10\nvpsrld $1, %ymm9, %ymm9\nvpand mask32_to_16(%rip), %ymm10, %ymm10\nvpand mask32_to_16(%rip), %ymm9, %ymm9\nvpackusdw %ymm9, %ymm10, %ymm9\nvmovdqa 896(%r8), %ymm10\nvpaddw 1152(%r8), %ymm10, %ymm4\nvpsubw 1152(%r8), %ymm10, %ymm10\nvpsrlw $2, %ymm10, %ymm10\nvpsubw %ymm6, %ymm10, %ymm10\nvpmullw %ymm14, %ymm10, %ymm10\nvpsllw $1, %ymm11, %ymm3\nvpsubw %ymm3, %ymm4, %ymm3\nvpsllw $7, %ymm5, %ymm4\nvpsubw %ymm4, %ymm3, %ymm4\nvpsrlw $3, %ymm4, %ymm4\nvpsubw %ymm9, %ymm4, %ymm4\nvmovdqa 1408(%r8), %ymm3\nvpsubw %ymm11, %ymm3, %ymm3\nvpmullw %ymm15, %ymm5, %ymm8\nvpsubw %ymm8, %ymm3, %ymm8\nvpmullw %ymm14, %ymm4, %ymm4\nvpsubw %ymm4, %ymm9, %ymm9\nvpmullw %ymm12, %ymm4, %ymm3\nvpaddw %ymm3, %ymm9, %ymm3\nvpmullw %ymm12, %ymm3, %ymm3\nvpsubw %ymm3, %ymm8, %ymm3\nvpmullw %ymm14, %ymm3, %ymm3\nvpsubw %ymm6, %ymm3, %ymm3\nvpsrlw $3, %ymm3, %ymm3\nvpsubw %ymm10, %ymm3, %ymm3\nvpsubw %ymm3, %ymm10, %ymm10\nvpsubw %ymm10, %ymm6, %ymm6\nvpmullw %ymm13, %ymm3, %ymm3\nvpsubw %ymm3, %ymm6, %ymm6\nvmovdqu 352(%rdi), %ymm8\nvmovdqu 704(%rdi), %ymm7\nvmovdqu 1056(%rdi), %ymm2\nvpaddw %ymm11, %ymm8, %ymm11\nvpaddw %ymm6, %ymm7, %ymm6\nvpaddw %ymm9, %ymm2, %ymm9\nvpshufb shuf48_16(%rip), %ymm10, %ymm10\nvpand mask3_5_3_5(%rip), %ymm10, %ymm2\nvpand mask5_3_5_3(%rip), %ymm10, %ymm10\nvpermq $206, %ymm2, %ymm2\nvpand mask_keephigh(%rip), %ymm2, %ymm7\nvpor %ymm7, %ymm10, %ymm10\nvmovdqu 0(%rdi), %ymm7\nvpaddw %ymm10, %ymm7, %ymm7\nvpand mask_mod8192(%rip), %ymm7, %ymm7\nvmovdqu %ymm7, 0(%rdi)\nvmovdqa %xmm2, 1920(%r8)\nvpshufb shuf48_16(%rip), %ymm4, %ymm4\nvpand mask3_5_3_5(%rip), %ymm4, %ymm2\nvpand mask5_3_5_3(%rip), %ymm4, %ymm4\nvpermq $206, %ymm2, %ymm2\nvpand mask_keephigh(%rip), %ymm2, %ymm7\nvpor %ymm7, %ymm4, %ymm4\nvpaddw %ymm4, %ymm11, %ymm11\nvmovdqa %xmm2, 2176(%r8)\nvpshufb shuf48_16(%rip), %ymm3, %ymm3\nvpand mask3_5_3_5(%rip), %ymm3, %ymm2\nvpand mask5_3_5_3(%rip), %ymm3, %ymm3\nvpermq $206, %ymm2, %ymm2\nvpand mask_keephigh(%rip), %ymm2, %ymm7\nvpor %ymm7, %ymm3, %ymm3\nvpaddw %ymm3, %ymm6, %ymm6\nvmovdqa %xmm2, 2432(%r8)\nvpshufb shuf48_16(%rip), %ymm5, %ymm5\nvpand mask3_5_3_5(%rip), %ymm5, %ymm2\nvpand mask5_3_5_3(%rip), %ymm5, %ymm5\nvpermq $206, %ymm2, %ymm2\nvpand mask_keephigh(%rip), %ymm2, %ymm7\nvpor %ymm7, %ymm5, %ymm5\nvpaddw %ymm5, %ymm9, %ymm9\nvmovdqa %xmm2, 2688(%r8)\nvpand mask_mod8192(%rip), %ymm11, %ymm11\nvmovdqu %ymm11, 352(%rdi)\nvpand mask_mod8192(%rip), %ymm6, %ymm6\nvmovdqu %ymm6, 704(%rdi)\nvpand mask_mod8192(%rip), %ymm9, %ymm9\nvmovdqu %ymm9, 1056(%rdi)\nvmovdqa 160(%r8), %ymm5\nvpunpcklwd const0(%rip), %ymm5, %ymm3\nvpunpckhwd const0(%rip), %ymm5, %ymm4\nvpslld $1, %ymm3, %ymm3\nvpslld $1, %ymm4, %ymm4\nvmovdqa 416(%r8), %ymm10\nvpunpcklwd const0(%rip), %ymm10, %ymm9\nvpunpckhwd const0(%rip), %ymm10, %ymm10\nvmovdqa 672(%r8), %ymm6\nvpunpcklwd const0(%rip), %ymm6, %ymm11\nvpunpckhwd const0(%rip), %ymm6, %ymm6\nvpaddd %ymm11, %ymm9, %ymm2\nvpaddd %ymm6, %ymm10, %ymm7\nvpsubd %ymm3, %ymm2, %ymm2\nvpsubd %ymm4, %ymm7, %ymm7\nvpsubd %ymm11, %ymm9, %ymm11\nvpsubd %ymm6, %ymm10, %ymm6\nvpsrld $1, %ymm11, %ymm11\nvpsrld $1, %ymm6, %ymm6\nvpand mask32_to_16(%rip), %ymm11, %ymm11\nvpand mask32_to_16(%rip), %ymm6, %ymm6\nvpackusdw %ymm6, %ymm11, %ymm6\nvmovdqa 1696(%r8), %ymm11\nvpunpcklwd const0(%rip), %ymm11, %ymm10\nvpunpckhwd const0(%rip), %ymm11, %ymm9\nvpslld $1, %ymm10, %ymm10\nvpslld $1, %ymm9, %ymm9\nvpsubd %ymm10, %ymm2, %ymm2\nvpsubd %ymm9, %ymm7, %ymm7\nvpsrld $1, %ymm2, %ymm2\nvpsrld $1, %ymm7, %ymm7\nvpand mask32_to_16(%rip), %ymm2, %ymm2\nvpand mask32_to_16(%rip), %ymm7, %ymm7\nvpackusdw %ymm7, %ymm2, %ymm7\nvmovdqa 928(%r8), %ymm2\nvpaddw 1184(%r8), %ymm2, %ymm9\nvpsubw 1184(%r8), %ymm2, %ymm2\nvpsrlw $2, %ymm2, %ymm2\nvpsubw %ymm6, %ymm2, %ymm2\nvpmullw %ymm14, %ymm2, %ymm2\nvpsllw $1, %ymm5, %ymm10\nvpsubw %ymm10, %ymm9, %ymm10\nvpsllw $7, %ymm11, %ymm9\nvpsubw %ymm9, %ymm10, %ymm9\nvpsrlw $3, %ymm9, %ymm9\nvpsubw %ymm7, %ymm9, %ymm9\nvmovdqa 1440(%r8), %ymm10\nvpsubw %ymm5, %ymm10, %ymm10\nvpmullw %ymm15, %ymm11, %ymm4\nvpsubw %ymm4, %ymm10, %ymm4\nvpmullw %ymm14, %ymm9, %ymm9\nvpsubw %ymm9, %ymm7, %ymm7\nvpmullw %ymm12, %ymm9, %ymm10\nvpaddw %ymm10, %ymm7, %ymm10\nvpmullw %ymm12, %ymm10, %ymm10\nvpsubw %ymm10, %ymm4, %ymm10\nvpmullw %ymm14, %ymm10, %ymm10\nvpsubw %ymm6, %ymm10, %ymm10\nvpsrlw $3, %ymm10, %ymm10\nvpsubw %ymm2, %ymm10, %ymm10\nvpsubw %ymm10, %ymm2, %ymm2\nvpsubw %ymm2, %ymm6, %ymm6\nvpmullw %ymm13, %ymm10, %ymm10\nvpsubw %ymm10, %ymm6, %ymm6\nvmovdqu 440(%rdi), %ymm4\nvmovdqu 792(%rdi), %ymm3\nvmovdqu 1144(%rdi), %ymm8\nvpaddw %ymm5, %ymm4, %ymm5\nvpaddw %ymm6, %ymm3, %ymm6\nvpaddw %ymm7, %ymm8, %ymm7\nvpshufb shuf48_16(%rip), %ymm2, %ymm2\nvpand mask3_5_3_5(%rip), %ymm2, %ymm8\nvpand mask5_3_5_3(%rip), %ymm2, %ymm2\nvpermq $206, %ymm8, %ymm8\nvpand mask_keephigh(%rip), %ymm8, %ymm3\nvpor %ymm3, %ymm2, %ymm2\nvmovdqu 88(%rdi), %ymm3\nvpaddw %ymm2, %ymm3, %ymm3\nvpand mask_mod8192(%rip), %ymm3, %ymm3\nvmovdqu %ymm3, 88(%rdi)\nvmovdqa %xmm8, 1952(%r8)\nvpshufb shuf48_16(%rip), %ymm9, %ymm9\nvpand mask3_5_3_5(%rip), %ymm9, %ymm8\nvpand mask5_3_5_3(%rip), %ymm9, %ymm9\nvpermq $206, %ymm8, %ymm8\nvpand mask_keephigh(%rip), %ymm8, %ymm3\nvpor %ymm3, %ymm9, %ymm9\nvpaddw %ymm9, %ymm5, %ymm5\nvmovdqa %xmm8, 2208(%r8)\nvpshufb shuf48_16(%rip), %ymm10, %ymm10\nvpand mask3_5_3_5(%rip), %ymm10, %ymm8\nvpand mask5_3_5_3(%rip), %ymm10, %ymm10\nvpermq $206, %ymm8, %ymm8\nvpand mask_keephigh(%rip), %ymm8, %ymm3\nvpor %ymm3, %ymm10, %ymm10\nvpaddw %ymm10, %ymm6, %ymm6\nvmovdqa %xmm8, 2464(%r8)\nvpshufb shuf48_16(%rip), %ymm11, %ymm11\nvpand mask3_5_3_5(%rip), %ymm11, %ymm8\nvpand mask5_3_5_3(%rip), %ymm11, %ymm11\nvpermq $206, %ymm8, %ymm8\nvpand mask_keephigh(%rip), %ymm8, %ymm3\nvpor %ymm3, %ymm11, %ymm11\nvpaddw %ymm11, %ymm7, %ymm7\nvmovdqa %xmm8, 2720(%r8)\nvpand mask_mod8192(%rip), %ymm5, %ymm5\nvmovdqu %ymm5, 440(%rdi)\nvpand mask_mod8192(%rip), %ymm6, %ymm6\nvmovdqu %ymm6, 792(%rdi)\nvpand mask_mod8192(%rip), %ymm7, %ymm7\nvmovdqu %ymm7, 1144(%rdi)\nvmovdqa 192(%r8), %ymm11\nvpunpcklwd const0(%rip), %ymm11, %ymm10\nvpunpckhwd const0(%rip), %ymm11, %ymm9\nvpslld $1, %ymm10, %ymm10\nvpslld $1, %ymm9, %ymm9\nvmovdqa 448(%r8), %ymm2\nvpunpcklwd const0(%rip), %ymm2, %ymm7\nvpunpckhwd const0(%rip), %ymm2, %ymm2\nvmovdqa 704(%r8), %ymm6\nvpunpcklwd const0(%rip), %ymm6, %ymm5\nvpunpckhwd const0(%rip), %ymm6, %ymm6\nvpaddd %ymm5, %ymm7, %ymm8\nvpaddd %ymm6, %ymm2, %ymm3\nvpsubd %ymm10, %ymm8, %ymm8\nvpsubd %ymm9, %ymm3, %ymm3\nvpsubd %ymm5, %ymm7, %ymm5\nvpsubd %ymm6, %ymm2, %ymm6\nvpsrld $1, %ymm5, %ymm5\nvpsrld $1, %ymm6, %ymm6\nvpand mask32_to_16(%rip), %ymm5, %ymm5\nvpand mask32_to_16(%rip), %ymm6, %ymm6\nvpackusdw %ymm6, %ymm5, %ymm6\nvmovdqa 1728(%r8), %ymm5\nvpunpcklwd const0(%rip), %ymm5, %ymm2\nvpunpckhwd const0(%rip), %ymm5, %ymm7\nvpslld $1, %ymm2, %ymm2\nvpslld $1, %ymm7, %ymm7\nvpsubd %ymm2, %ymm8, %ymm8\nvpsubd %ymm7, %ymm3, %ymm3\nvpsrld $1, %ymm8, %ymm8\nvpsrld $1, %ymm3, %ymm3\nvpand mask32_to_16(%rip), %ymm8, %ymm8\nvpand mask32_to_16(%rip), %ymm3, %ymm3\nvpackusdw %ymm3, %ymm8, %ymm3\nvmovdqa 960(%r8), %ymm8\nvpaddw 1216(%r8), %ymm8, %ymm7\nvpsubw 1216(%r8), %ymm8, %ymm8\nvpsrlw $2, %ymm8, %ymm8\nvpsubw %ymm6, %ymm8, %ymm8\nvpmullw %ymm14, %ymm8, %ymm8\nvpsllw $1, %ymm11, %ymm2\nvpsubw %ymm2, %ymm7, %ymm2\nvpsllw $7, %ymm5, %ymm7\nvpsubw %ymm7, %ymm2, %ymm7\nvpsrlw $3, %ymm7, %ymm7\nvpsubw %ymm3, %ymm7, %ymm7\nvmovdqa 1472(%r8), %ymm2\nvpsubw %ymm11, %ymm2, %ymm2\nvpmullw %ymm15, %ymm5, %ymm9\nvpsubw %ymm9, %ymm2, %ymm9\nvpmullw %ymm14, %ymm7, %ymm7\nvpsubw %ymm7, %ymm3, %ymm3\nvpmullw %ymm12, %ymm7, %ymm2\nvpaddw %ymm2, %ymm3, %ymm2\nvpmullw %ymm12, %ymm2, %ymm2\nvpsubw %ymm2, %ymm9, %ymm2\nvpmullw %ymm14, %ymm2, %ymm2\nvpsubw %ymm6, %ymm2, %ymm2\nvpsrlw $3, %ymm2, %ymm2\nvpsubw %ymm8, %ymm2, %ymm2\nvpsubw %ymm2, %ymm8, %ymm8\nvpsubw %ymm8, %ymm6, %ymm6\nvpmullw %ymm13, %ymm2, %ymm2\nvpsubw %ymm2, %ymm6, %ymm6\nvmovdqu 528(%rdi), %ymm9\nvmovdqu 880(%rdi), %ymm10\nvmovdqu 1232(%rdi), %ymm4\nvpaddw %ymm11, %ymm9, %ymm11\nvpaddw %ymm6, %ymm10, %ymm6\nvpaddw %ymm3, %ymm4, %ymm3\nvpshufb shuf48_16(%rip), %ymm8, %ymm8\nvpand mask3_5_3_5(%rip), %ymm8, %ymm4\nvpand mask5_3_5_3(%rip), %ymm8, %ymm8\nvpermq $206, %ymm4, %ymm4\nvpand mask_keephigh(%rip), %ymm4, %ymm10\nvpor %ymm10, %ymm8, %ymm8\nvmovdqu 176(%rdi), %ymm10\nvpaddw %ymm8, %ymm10, %ymm10\nvpand mask_mod8192(%rip), %ymm10, %ymm10\nvmovdqu %ymm10, 176(%rdi)\nvmovdqa %xmm4, 1984(%r8)\nvpshufb shuf48_16(%rip), %ymm7, %ymm7\nvpand mask3_5_3_5(%rip), %ymm7, %ymm4\nvpand mask5_3_5_3(%rip), %ymm7, %ymm7\nvpermq $206, %ymm4, %ymm4\nvpand mask_keephigh(%rip), %ymm4, %ymm10\nvpor %ymm10, %ymm7, %ymm7\nvpaddw %ymm7, %ymm11, %ymm11\nvmovdqa %xmm4, 2240(%r8)\nvpshufb shuf48_16(%rip), %ymm2, %ymm2\nvpand mask3_5_3_5(%rip), %ymm2, %ymm4\nvpand mask5_3_5_3(%rip), %ymm2, %ymm2\nvpermq $206, %ymm4, %ymm4\nvpand mask_keephigh(%rip), %ymm4, %ymm10\nvpor %ymm10, %ymm2, %ymm2\nvpaddw %ymm2, %ymm6, %ymm6\nvmovdqa %xmm4, 2496(%r8)\nvpshufb shuf48_16(%rip), %ymm5, %ymm5\nvpand mask3_5_3_5(%rip), %ymm5, %ymm4\nvpand mask5_3_5_3(%rip), %ymm5, %ymm5\nvpermq $206, %ymm4, %ymm4\nvpand mask_keephigh(%rip), %ymm4, %ymm10\nvpor %ymm10, %ymm5, %ymm5\nvpaddw %ymm5, %ymm3, %ymm3\nvmovdqa %xmm4, 2752(%r8)\nvpand mask_mod8192(%rip), %ymm11, %ymm11\nvmovdqu %ymm11, 528(%rdi)\nvpand mask_mod8192(%rip), %ymm6, %ymm6\nvmovdqu %ymm6, 880(%rdi)\nvpand mask_mod8192(%rip), %ymm3, %ymm3\nvmovdqu %ymm3, 1232(%rdi)\nvmovdqa 224(%r8), %ymm5\nvpunpcklwd const0(%rip), %ymm5, %ymm2\nvpunpckhwd const0(%rip), %ymm5, %ymm7\nvpslld $1, %ymm2, %ymm2\nvpslld $1, %ymm7, %ymm7\nvmovdqa 480(%r8), %ymm8\nvpunpcklwd const0(%rip), %ymm8, %ymm3\nvpunpckhwd const0(%rip), %ymm8, %ymm8\nvmovdqa 736(%r8), %ymm6\nvpunpcklwd const0(%rip), %ymm6, %ymm11\nvpunpckhwd const0(%rip), %ymm6, %ymm6\nvpaddd %ymm11, %ymm3, %ymm4\nvpaddd %ymm6, %ymm8, %ymm10\nvpsubd %ymm2, %ymm4, %ymm4\nvpsubd %ymm7, %ymm10, %ymm10\nvpsubd %ymm11, %ymm3, %ymm11\nvpsubd %ymm6, %ymm8, %ymm6\nvpsrld $1, %ymm11, %ymm11\nvpsrld $1, %ymm6, %ymm6\nvpand mask32_to_16(%rip), %ymm11, %ymm11\nvpand mask32_to_16(%rip), %ymm6, %ymm6\nvpackusdw %ymm6, %ymm11, %ymm6\nvmovdqa 1760(%r8), %ymm11\nvpunpcklwd const0(%rip), %ymm11, %ymm8\nvpunpckhwd const0(%rip), %ymm11, %ymm3\nvpslld $1, %ymm8, %ymm8\nvpslld $1, %ymm3, %ymm3\nvpsubd %ymm8, %ymm4, %ymm4\nvpsubd %ymm3, %ymm10, %ymm10\nvpsrld $1, %ymm4, %ymm4\nvpsrld $1, %ymm10, %ymm10\nvpand mask32_to_16(%rip), %ymm4, %ymm4\nvpand mask32_to_16(%rip), %ymm10, %ymm10\nvpackusdw %ymm10, %ymm4, %ymm10\nvmovdqa 992(%r8), %ymm4\nvpaddw 1248(%r8), %ymm4, %ymm3\nvpsubw 1248(%r8), %ymm4, %ymm4\nvpsrlw $2, %ymm4, %ymm4\nvpsubw %ymm6, %ymm4, %ymm4\nvpmullw %ymm14, %ymm4, %ymm4\nvpsllw $1, %ymm5, %ymm8\nvpsubw %ymm8, %ymm3, %ymm8\nvpsllw $7, %ymm11, %ymm3\nvpsubw %ymm3, %ymm8, %ymm3\nvpsrlw $3, %ymm3, %ymm3\nvpsubw %ymm10, %ymm3, %ymm3\nvmovdqa 1504(%r8), %ymm8\nvpsubw %ymm5, %ymm8, %ymm8\nvpmullw %ymm15, %ymm11, %ymm7\nvpsubw %ymm7, %ymm8, %ymm7\nvpmullw %ymm14, %ymm3, %ymm3\nvpsubw %ymm3, %ymm10, %ymm10\nvpmullw %ymm12, %ymm3, %ymm8\nvpaddw %ymm8, %ymm10, %ymm8\nvpmullw %ymm12, %ymm8, %ymm8\nvpsubw %ymm8, %ymm7, %ymm8\nvpmullw %ymm14, %ymm8, %ymm8\nvpsubw %ymm6, %ymm8, %ymm8\nvpsrlw $3, %ymm8, %ymm8\nvpsubw %ymm4, %ymm8, %ymm8\nvpsubw %ymm8, %ymm4, %ymm4\nvpsubw %ymm4, %ymm6, %ymm6\nvpmullw %ymm13, %ymm8, %ymm8\nvpsubw %ymm8, %ymm6, %ymm6\nvmovdqu 616(%rdi), %ymm7\nvmovdqu 968(%rdi), %ymm2\nvmovdqu 1320(%rdi), %ymm9\nvpaddw %ymm5, %ymm7, %ymm5\nvpaddw %ymm6, %ymm2, %ymm6\nvpaddw %ymm10, %ymm9, %ymm10\nvpshufb shuf48_16(%rip), %ymm4, %ymm4\nvpand mask3_5_3_5(%rip), %ymm4, %ymm9\nvpand mask5_3_5_3(%rip), %ymm4, %ymm4\nvpermq $206, %ymm9, %ymm9\nvpand mask_keephigh(%rip), %ymm9, %ymm2\nvpor %ymm2, %ymm4, %ymm4\nvmovdqu 264(%rdi), %ymm2\nvpaddw %ymm4, %ymm2, %ymm2\nvpand mask_mod8192(%rip), %ymm2, %ymm2\nvmovdqu %ymm2, 264(%rdi)\nvmovdqa %xmm9, 2016(%r8)\nvpshufb shuf48_16(%rip), %ymm3, %ymm3\nvpand mask3_5_3_5(%rip), %ymm3, %ymm9\nvpand mask5_3_5_3(%rip), %ymm3, %ymm3\nvpermq $206, %ymm9, %ymm9\nvpand mask_keephigh(%rip), %ymm9, %ymm2\nvpor %ymm2, %ymm3, %ymm3\nvpaddw %ymm3, %ymm5, %ymm5\nvmovdqa %xmm9, 2272(%r8)\nvpshufb shuf48_16(%rip), %ymm8, %ymm8\nvpand mask3_5_3_5(%rip), %ymm8, %ymm9\nvpand mask5_3_5_3(%rip), %ymm8, %ymm8\nvpermq $206, %ymm9, %ymm9\nvpand mask_keephigh(%rip), %ymm9, %ymm2\nvpor %ymm2, %ymm8, %ymm8\nvpaddw %ymm8, %ymm6, %ymm6\nvmovdqa %xmm9, 2528(%r8)\nvpshufb shuf48_16(%rip), %ymm11, %ymm11\nvpand mask3_5_3_5(%rip), %ymm11, %ymm9\nvpand mask5_3_5_3(%rip), %ymm11, %ymm11\nvpermq $206, %ymm9, %ymm9\nvpand mask_keephigh(%rip), %ymm9, %ymm2\nvpor %ymm2, %ymm11, %ymm11\nvpaddw %ymm11, %ymm10, %ymm10\nvmovdqa %xmm9, 2784(%r8)\nvpand mask_mod8192(%rip), %ymm5, %ymm5\nvmovdqu %ymm5, 616(%rdi)\nvpand mask_mod8192(%rip), %ymm6, %ymm6\nvmovdqu %ymm6, 968(%rdi)\nvpand mask_mod8192(%rip), %ymm10, %ymm10\nvmovdqu %ymm10, 1320(%rdi)\nvmovdqa 128(%r12), %ymm0\nvpsubw 224(%r12), %ymm0, %ymm0\nvmovdqa 512(%r12), %ymm1\nvpsubw %ymm0, %ymm1, %ymm1\nvpsubw 320(%r12), %ymm1, %ymm1\nvpsubw 32(%r12), %ymm0, %ymm0\nvpaddw 416(%r12), %ymm0, %ymm0\nvmovdqa 704(%r12), %ymm2\nvpsubw 800(%r12), %ymm2, %ymm2\nvmovdqa 1088(%r12), %ymm3\nvpsubw %ymm2, %ymm3, %ymm3\nvpsubw 896(%r12), %ymm3, %ymm3\nvpsubw 608(%r12), %ymm2, %ymm2\nvpaddw 992(%r12), %ymm2, %ymm2\nvmovdqa 1280(%r12), %ymm4\nvpsubw 1376(%r12), %ymm4, %ymm4\nvmovdqa 1664(%r12), %ymm5\nvpsubw %ymm4, %ymm5, %ymm5\nvpsubw 1472(%r12), %ymm5, %ymm5\nvpsubw 1184(%r12), %ymm4, %ymm4\nvpaddw 1568(%r12), %ymm4, %ymm4\nvpsubw 608(%r12), %ymm1, %ymm1\nvpsubw %ymm1, %ymm5, %ymm5\nvpsubw %ymm3, %ymm5, %ymm5\nvpsubw 32(%r12), %ymm1, %ymm1\nvpaddw 1184(%r12), %ymm1, %ymm1\nvmovdqa 320(%r12), %ymm6\nvpsubw %ymm2, %ymm6, %ymm7\nvmovdqa 1472(%r12), %ymm2\nvpsubw %ymm7, %ymm2, %ymm2\nvpsubw 896(%r12), %ymm2, %ymm2\nvpsubw %ymm0, %ymm7, %ymm7\nvpaddw %ymm4, %ymm7, %ymm7\nvmovdqa 32(%r12), %ymm8\nvmovdqa 896(%r12), %ymm9\nvmovdqa %ymm8, 0(%r8)\nvmovdqa %ymm0, 32(%r8)\nvmovdqa %ymm1, 64(%r8)\nvmovdqa %ymm7, 96(%r8)\nvmovdqa %ymm5, 128(%r8)\nvmovdqa %ymm2, 160(%r8)\nvmovdqa %ymm3, 192(%r8)\nvmovdqa %ymm9, 224(%r8)\nvmovdqa 1856(%r12), %ymm0\nvpsubw 1952(%r12), %ymm0, %ymm0\nvmovdqa 2240(%r12), %ymm1\nvpsubw %ymm0, %ymm1, %ymm1\nvpsubw 2048(%r12), %ymm1, %ymm1\nvpsubw 1760(%r12), %ymm0, %ymm0\nvpaddw 2144(%r12), %ymm0, %ymm0\nvmovdqa 2432(%r12), %ymm2\nvpsubw 2528(%r12), %ymm2, %ymm2\nvmovdqa 2816(%r12), %ymm3\nvpsubw %ymm2, %ymm3, %ymm3\nvpsubw 2624(%r12), %ymm3, %ymm3\nvpsubw 2336(%r12), %ymm2, %ymm2\nvpaddw 2720(%r12), %ymm2, %ymm2\nvmovdqa 3008(%r12), %ymm4\nvpsubw 3104(%r12), %ymm4, %ymm4\nvmovdqa 3392(%r12), %ymm5\nvpsubw %ymm4, %ymm5, %ymm5\nvpsubw 3200(%r12), %ymm5, %ymm5\nvpsubw 2912(%r12), %ymm4, %ymm4\nvpaddw 3296(%r12), %ymm4, %ymm4\nvpsubw 2336(%r12), %ymm1, %ymm1\nvpsubw %ymm1, %ymm5, %ymm5\nvpsubw %ymm3, %ymm5, %ymm5\nvpsubw 1760(%r12), %ymm1, %ymm1\nvpaddw 2912(%r12), %ymm1, %ymm1\nvmovdqa 2048(%r12), %ymm6\nvpsubw %ymm2, %ymm6, %ymm7\nvmovdqa 3200(%r12), %ymm2\nvpsubw %ymm7, %ymm2, %ymm2\nvpsubw 2624(%r12), %ymm2, %ymm2\nvpsubw %ymm0, %ymm7, %ymm7\nvpaddw %ymm4, %ymm7, %ymm7\nvmovdqa 1760(%r12), %ymm8\nvmovdqa 2624(%r12), %ymm9\nvmovdqa %ymm8, 256(%r8)\nvmovdqa %ymm0, 288(%r8)\nvmovdqa %ymm1, 320(%r8)\nvmovdqa %ymm7, 352(%r8)\nvmovdqa %ymm5, 384(%r8)\nvmovdqa %ymm2, 416(%r8)\nvmovdqa %ymm3, 448(%r8)\nvmovdqa %ymm9, 480(%r8)\nvmovdqa 3584(%r12), %ymm0\nvpsubw 3680(%r12), %ymm0, %ymm0\nvmovdqa 3968(%r12), %ymm1\nvpsubw %ymm0, %ymm1, %ymm1\nvpsubw 3776(%r12), %ymm1, %ymm1\nvpsubw 3488(%r12), %ymm0, %ymm0\nvpaddw 3872(%r12), %ymm0, %ymm0\nvmovdqa 4160(%r12), %ymm2\nvpsubw 4256(%r12), %ymm2, %ymm2\nvmovdqa 4544(%r12), %ymm3\nvpsubw %ymm2, %ymm3, %ymm3\nvpsubw 4352(%r12), %ymm3, %ymm3\nvpsubw 4064(%r12), %ymm2, %ymm2\nvpaddw 4448(%r12), %ymm2, %ymm2\nvmovdqa 4736(%r12), %ymm4\nvpsubw 4832(%r12), %ymm4, %ymm4\nvmovdqa 5120(%r12), %ymm5\nvpsubw %ymm4, %ymm5, %ymm5\nvpsubw 4928(%r12), %ymm5, %ymm5\nvpsubw 4640(%r12), %ymm4, %ymm4\nvpaddw 5024(%r12), %ymm4, %ymm4\nvpsubw 4064(%r12), %ymm1, %ymm1\nvpsubw %ymm1, %ymm5, %ymm5\nvpsubw %ymm3, %ymm5, %ymm5\nvpsubw 3488(%r12), %ymm1, %ymm1\nvpaddw 4640(%r12), %ymm1, %ymm1\nvmovdqa 3776(%r12), %ymm6\nvpsubw %ymm2, %ymm6, %ymm7\nvmovdqa 4928(%r12), %ymm2\nvpsubw %ymm7, %ymm2, %ymm2\nvpsubw 4352(%r12), %ymm2, %ymm2\nvpsubw %ymm0, %ymm7, %ymm7\nvpaddw %ymm4, %ymm7, %ymm7\nvmovdqa 3488(%r12), %ymm8\nvmovdqa 4352(%r12), %ymm9\nvmovdqa %ymm8, 512(%r8)\nvmovdqa %ymm0, 544(%r8)\nvmovdqa %ymm1, 576(%r8)\nvmovdqa %ymm7, 608(%r8)\nvmovdqa %ymm5, 640(%r8)\nvmovdqa %ymm2, 672(%r8)\nvmovdqa %ymm3, 704(%r8)\nvmovdqa %ymm9, 736(%r8)\nvmovdqa 5312(%r12), %ymm0\nvpsubw 5408(%r12), %ymm0, %ymm0\nvmovdqa 5696(%r12), %ymm1\nvpsubw %ymm0, %ymm1, %ymm1\nvpsubw 5504(%r12), %ymm1, %ymm1\nvpsubw 5216(%r12), %ymm0, %ymm0\nvpaddw 5600(%r12), %ymm0, %ymm0\nvmovdqa 5888(%r12), %ymm2\nvpsubw 5984(%r12), %ymm2, %ymm2\nvmovdqa 6272(%r12), %ymm3\nvpsubw %ymm2, %ymm3, %ymm3\nvpsubw 6080(%r12), %ymm3, %ymm3\nvpsubw 5792(%r12), %ymm2, %ymm2\nvpaddw 6176(%r12), %ymm2, %ymm2\nvmovdqa 6464(%r12), %ymm4\nvpsubw 6560(%r12), %ymm4, %ymm4\nvmovdqa 6848(%r12), %ymm5\nvpsubw %ymm4, %ymm5, %ymm5\nvpsubw 6656(%r12), %ymm5, %ymm5\nvpsubw 6368(%r12), %ymm4, %ymm4\nvpaddw 6752(%r12), %ymm4, %ymm4\nvpsubw 5792(%r12), %ymm1, %ymm1\nvpsubw %ymm1, %ymm5, %ymm5\nvpsubw %ymm3, %ymm5, %ymm5\nvpsubw 5216(%r12), %ymm1, %ymm1\nvpaddw 6368(%r12), %ymm1, %ymm1\nvmovdqa 5504(%r12), %ymm6\nvpsubw %ymm2, %ymm6, %ymm7\nvmovdqa 6656(%r12), %ymm2\nvpsubw %ymm7, %ymm2, %ymm2\nvpsubw 6080(%r12), %ymm2, %ymm2\nvpsubw %ymm0, %ymm7, %ymm7\nvpaddw %ymm4, %ymm7, %ymm7\nvmovdqa 5216(%r12), %ymm8\nvmovdqa 6080(%r12), %ymm9\nvmovdqa %ymm8, 768(%r8)\nvmovdqa %ymm0, 800(%r8)\nvmovdqa %ymm1, 832(%r8)\nvmovdqa %ymm7, 864(%r8)\nvmovdqa %ymm5, 896(%r8)\nvmovdqa %ymm2, 928(%r8)\nvmovdqa %ymm3, 960(%r8)\nvmovdqa %ymm9, 992(%r8)\nvmovdqa 7040(%r12), %ymm0\nvpsubw 7136(%r12), %ymm0, %ymm0\nvmovdqa 7424(%r12), %ymm1\nvpsubw %ymm0, %ymm1, %ymm1\nvpsubw 7232(%r12), %ymm1, %ymm1\nvpsubw 6944(%r12), %ymm0, %ymm0\nvpaddw 7328(%r12), %ymm0, %ymm0\nvmovdqa 7616(%r12), %ymm2\nvpsubw 7712(%r12), %ymm2, %ymm2\nvmovdqa 8000(%r12), %ymm3\nvpsubw %ymm2, %ymm3, %ymm3\nvpsubw 7808(%r12), %ymm3, %ymm3\nvpsubw 7520(%r12), %ymm2, %ymm2\nvpaddw 7904(%r12), %ymm2, %ymm2\nvmovdqa 8192(%r12), %ymm4\nvpsubw 8288(%r12), %ymm4, %ymm4\nvmovdqa 8576(%r12), %ymm5\nvpsubw %ymm4, %ymm5, %ymm5\nvpsubw 8384(%r12), %ymm5, %ymm5\nvpsubw 8096(%r12), %ymm4, %ymm4\nvpaddw 8480(%r12), %ymm4, %ymm4\nvpsubw 7520(%r12), %ymm1, %ymm1\nvpsubw %ymm1, %ymm5, %ymm5\nvpsubw %ymm3, %ymm5, %ymm5\nvpsubw 6944(%r12), %ymm1, %ymm1\nvpaddw 8096(%r12), %ymm1, %ymm1\nvmovdqa 7232(%r12), %ymm6\nvpsubw %ymm2, %ymm6, %ymm7\nvmovdqa 8384(%r12), %ymm2\nvpsubw %ymm7, %ymm2, %ymm2\nvpsubw 7808(%r12), %ymm2, %ymm2\nvpsubw %ymm0, %ymm7, %ymm7\nvpaddw %ymm4, %ymm7, %ymm7\nvmovdqa 6944(%r12), %ymm8\nvmovdqa 7808(%r12), %ymm9\nvmovdqa %ymm8, 1024(%r8)\nvmovdqa %ymm0, 1056(%r8)\nvmovdqa %ymm1, 1088(%r8)\nvmovdqa %ymm7, 1120(%r8)\nvmovdqa %ymm5, 1152(%r8)\nvmovdqa %ymm2, 1184(%r8)\nvmovdqa %ymm3, 1216(%r8)\nvmovdqa %ymm9, 1248(%r8)\nvmovdqa 8768(%r12), %ymm0\nvpsubw 8864(%r12), %ymm0, %ymm0\nvmovdqa 9152(%r12), %ymm1\nvpsubw %ymm0, %ymm1, %ymm1\nvpsubw 8960(%r12), %ymm1, %ymm1\nvpsubw 8672(%r12), %ymm0, %ymm0\nvpaddw 9056(%r12), %ymm0, %ymm0\nvmovdqa 9344(%r12), %ymm2\nvpsubw 9440(%r12), %ymm2, %ymm2\nvmovdqa 9728(%r12), %ymm3\nvpsubw %ymm2, %ymm3, %ymm3\nvpsubw 9536(%r12), %ymm3, %ymm3\nvpsubw 9248(%r12), %ymm2, %ymm2\nvpaddw 9632(%r12), %ymm2, %ymm2\nvmovdqa 9920(%r12), %ymm4\nvpsubw 10016(%r12), %ymm4, %ymm4\nvmovdqa 10304(%r12), %ymm5\nvpsubw %ymm4, %ymm5, %ymm5\nvpsubw 10112(%r12), %ymm5, %ymm5\nvpsubw 9824(%r12), %ymm4, %ymm4\nvpaddw 10208(%r12), %ymm4, %ymm4\nvpsubw 9248(%r12), %ymm1, %ymm1\nvpsubw %ymm1, %ymm5, %ymm5\nvpsubw %ymm3, %ymm5, %ymm5\nvpsubw 8672(%r12), %ymm1, %ymm1\nvpaddw 9824(%r12), %ymm1, %ymm1\nvmovdqa 8960(%r12), %ymm6\nvpsubw %ymm2, %ymm6, %ymm7\nvmovdqa 10112(%r12), %ymm2\nvpsubw %ymm7, %ymm2, %ymm2\nvpsubw 9536(%r12), %ymm2, %ymm2\nvpsubw %ymm0, %ymm7, %ymm7\nvpaddw %ymm4, %ymm7, %ymm7\nvmovdqa 8672(%r12), %ymm8\nvmovdqa 9536(%r12), %ymm9\nvmovdqa %ymm8, 1280(%r8)\nvmovdqa %ymm0, 1312(%r8)\nvmovdqa %ymm1, 1344(%r8)\nvmovdqa %ymm7, 1376(%r8)\nvmovdqa %ymm5, 1408(%r8)\nvmovdqa %ymm2, 1440(%r8)\nvmovdqa %ymm3, 1472(%r8)\nvmovdqa %ymm9, 1504(%r8)\nvmovdqa 10496(%r12), %ymm0\nvpsubw 10592(%r12), %ymm0, %ymm0\nvmovdqa 10880(%r12), %ymm1\nvpsubw %ymm0, %ymm1, %ymm1\nvpsubw 10688(%r12), %ymm1, %ymm1\nvpsubw 10400(%r12), %ymm0, %ymm0\nvpaddw 10784(%r12), %ymm0, %ymm0\nvmovdqa 11072(%r12), %ymm2\nvpsubw 11168(%r12), %ymm2, %ymm2\nvmovdqa 11456(%r12), %ymm3\nvpsubw %ymm2, %ymm3, %ymm3\nvpsubw 11264(%r12), %ymm3, %ymm3\nvpsubw 10976(%r12), %ymm2, %ymm2\nvpaddw 11360(%r12), %ymm2, %ymm2\nvmovdqa 11648(%r12), %ymm4\nvpsubw 11744(%r12), %ymm4, %ymm4\nvmovdqa 12032(%r12), %ymm5\nvpsubw %ymm4, %ymm5, %ymm5\nvpsubw 11840(%r12), %ymm5, %ymm5\nvpsubw 11552(%r12), %ymm4, %ymm4\nvpaddw 11936(%r12), %ymm4, %ymm4\nvpsubw 10976(%r12), %ymm1, %ymm1\nvpsubw %ymm1, %ymm5, %ymm5\nvpsubw %ymm3, %ymm5, %ymm5\nvpsubw 10400(%r12), %ymm1, %ymm1\nvpaddw 11552(%r12), %ymm1, %ymm1\nvmovdqa 10688(%r12), %ymm6\nvpsubw %ymm2, %ymm6, %ymm7\nvmovdqa 11840(%r12), %ymm2\nvpsubw %ymm7, %ymm2, %ymm2\nvpsubw 11264(%r12), %ymm2, %ymm2\nvpsubw %ymm0, %ymm7, %ymm7\nvpaddw %ymm4, %ymm7, %ymm7\nvmovdqa 10400(%r12), %ymm8\nvmovdqa 11264(%r12), %ymm9\nvmovdqa %ymm8, 1536(%r8)\nvmovdqa %ymm0, 1568(%r8)\nvmovdqa %ymm1, 1600(%r8)\nvmovdqa %ymm7, 1632(%r8)\nvmovdqa %ymm5, 1664(%r8)\nvmovdqa %ymm2, 1696(%r8)\nvmovdqa %ymm3, 1728(%r8)\nvmovdqa %ymm9, 1760(%r8)\nvmovdqa 0(%r8), %ymm11\nvpunpcklwd const0(%rip), %ymm11, %ymm8\nvpunpckhwd const0(%rip), %ymm11, %ymm3\nvpslld $1, %ymm8, %ymm8\nvpslld $1, %ymm3, %ymm3\nvmovdqa 256(%r8), %ymm4\nvpunpcklwd const0(%rip), %ymm4, %ymm10\nvpunpckhwd const0(%rip), %ymm4, %ymm4\nvmovdqa 512(%r8), %ymm6\nvpunpcklwd const0(%rip), %ymm6, %ymm5\nvpunpckhwd const0(%rip), %ymm6, %ymm6\nvpaddd %ymm5, %ymm10, %ymm9\nvpaddd %ymm6, %ymm4, %ymm2\nvpsubd %ymm8, %ymm9, %ymm9\nvpsubd %ymm3, %ymm2, %ymm2\nvpsubd %ymm5, %ymm10, %ymm5\nvpsubd %ymm6, %ymm4, %ymm6\nvpsrld $1, %ymm5, %ymm5\nvpsrld $1, %ymm6, %ymm6\nvpand mask32_to_16(%rip), %ymm5, %ymm5\nvpand mask32_to_16(%rip), %ymm6, %ymm6\nvpackusdw %ymm6, %ymm5, %ymm6\nvmovdqa 1536(%r8), %ymm5\nvpunpcklwd const0(%rip), %ymm5, %ymm4\nvpunpckhwd const0(%rip), %ymm5, %ymm10\nvpslld $1, %ymm4, %ymm4\nvpslld $1, %ymm10, %ymm10\nvpsubd %ymm4, %ymm9, %ymm9\nvpsubd %ymm10, %ymm2, %ymm2\nvpsrld $1, %ymm9, %ymm9\nvpsrld $1, %ymm2, %ymm2\nvpand mask32_to_16(%rip), %ymm9, %ymm9\nvpand mask32_to_16(%rip), %ymm2, %ymm2\nvpackusdw %ymm2, %ymm9, %ymm2\nvmovdqa 768(%r8), %ymm9\nvpaddw 1024(%r8), %ymm9, %ymm10\nvpsubw 1024(%r8), %ymm9, %ymm9\nvpsrlw $2, %ymm9, %ymm9\nvpsubw %ymm6, %ymm9, %ymm9\nvpmullw %ymm14, %ymm9, %ymm9\nvpsllw $1, %ymm11, %ymm4\nvpsubw %ymm4, %ymm10, %ymm4\nvpsllw $7, %ymm5, %ymm10\nvpsubw %ymm10, %ymm4, %ymm10\nvpsrlw $3, %ymm10, %ymm10\nvpsubw %ymm2, %ymm10, %ymm10\nvmovdqa 1280(%r8), %ymm4\nvpsubw %ymm11, %ymm4, %ymm4\nvpmullw %ymm15, %ymm5, %ymm3\nvpsubw %ymm3, %ymm4, %ymm3\nvpmullw %ymm14, %ymm10, %ymm10\nvpsubw %ymm10, %ymm2, %ymm2\nvpmullw %ymm12, %ymm10, %ymm4\nvpaddw %ymm4, %ymm2, %ymm4\nvpmullw %ymm12, %ymm4, %ymm4\nvpsubw %ymm4, %ymm3, %ymm4\nvpmullw %ymm14, %ymm4, %ymm4\nvpsubw %ymm6, %ymm4, %ymm4\nvpsrlw $3, %ymm4, %ymm4\nvpsubw %ymm9, %ymm4, %ymm4\nvpsubw %ymm4, %ymm9, %ymm9\nvpsubw %ymm9, %ymm6, %ymm6\nvpmullw %ymm13, %ymm4, %ymm4\nvpsubw %ymm4, %ymm6, %ymm6\nvpshufb shuf48_16(%rip), %ymm10, %ymm10\nvpand mask3_5_3_5(%rip), %ymm10, %ymm3\nvpand mask5_3_5_3(%rip), %ymm10, %ymm10\nvpermq $206, %ymm3, %ymm3\nvpand mask_keephigh(%rip), %ymm3, %ymm8\nvpor %ymm8, %ymm10, %ymm10\nvpaddw 2048(%r8), %ymm11, %ymm11\nvpaddw %ymm10, %ymm11, %ymm11\nvmovdqa %xmm3, 2048(%r8)\nvpshufb shuf48_16(%rip), %ymm4, %ymm4\nvpand mask3_5_3_5(%rip), %ymm4, %ymm3\nvpand mask5_3_5_3(%rip), %ymm4, %ymm4\nvpermq $206, %ymm3, %ymm3\nvpand mask_keephigh(%rip), %ymm3, %ymm8\nvpor %ymm8, %ymm4, %ymm4\nvpaddw 2304(%r8), %ymm6, %ymm6\nvpaddw %ymm4, %ymm6, %ymm6\nvmovdqa %xmm3, 2304(%r8)\nvpshufb shuf48_16(%rip), %ymm5, %ymm5\nvpand mask3_5_3_5(%rip), %ymm5, %ymm3\nvpand mask5_3_5_3(%rip), %ymm5, %ymm5\nvpermq $206, %ymm3, %ymm3\nvpand mask_keephigh(%rip), %ymm3, %ymm8\nvpor %ymm8, %ymm5, %ymm5\nvpaddw 2560(%r8), %ymm2, %ymm2\nvpaddw %ymm5, %ymm2, %ymm2\nvmovdqa %xmm3, 2560(%r8)\nvpand mask_mod8192(%rip), %ymm11, %ymm11\nvmovdqu %ymm11, 32(%rdi)\nvpand mask_mod8192(%rip), %ymm6, %ymm6\nvmovdqu %ymm6, 384(%rdi)\nvpand mask_mod8192(%rip), %ymm2, %ymm2\nvmovdqu %ymm2, 736(%rdi)\nvpand mask_mod8192(%rip), %ymm9, %ymm9\nvmovdqu %ymm9, 1088(%rdi)\nvmovdqa 32(%r8), %ymm5\nvpunpcklwd const0(%rip), %ymm5, %ymm4\nvpunpckhwd const0(%rip), %ymm5, %ymm10\nvpslld $1, %ymm4, %ymm4\nvpslld $1, %ymm10, %ymm10\nvmovdqa 288(%r8), %ymm9\nvpunpcklwd const0(%rip), %ymm9, %ymm2\nvpunpckhwd const0(%rip), %ymm9, %ymm9\nvmovdqa 544(%r8), %ymm6\nvpunpcklwd const0(%rip), %ymm6, %ymm11\nvpunpckhwd const0(%rip), %ymm6, %ymm6\nvpaddd %ymm11, %ymm2, %ymm3\nvpaddd %ymm6, %ymm9, %ymm8\nvpsubd %ymm4, %ymm3, %ymm3\nvpsubd %ymm10, %ymm8, %ymm8\nvpsubd %ymm11, %ymm2, %ymm11\nvpsubd %ymm6, %ymm9, %ymm6\nvpsrld $1, %ymm11, %ymm11\nvpsrld $1, %ymm6, %ymm6\nvpand mask32_to_16(%rip), %ymm11, %ymm11\nvpand mask32_to_16(%rip), %ymm6, %ymm6\nvpackusdw %ymm6, %ymm11, %ymm6\nvmovdqa 1568(%r8), %ymm11\nvpunpcklwd const0(%rip), %ymm11, %ymm9\nvpunpckhwd const0(%rip), %ymm11, %ymm2\nvpslld $1, %ymm9, %ymm9\nvpslld $1, %ymm2, %ymm2\nvpsubd %ymm9, %ymm3, %ymm3\nvpsubd %ymm2, %ymm8, %ymm8\nvpsrld $1, %ymm3, %ymm3\nvpsrld $1, %ymm8, %ymm8\nvpand mask32_to_16(%rip), %ymm3, %ymm3\nvpand mask32_to_16(%rip), %ymm8, %ymm8\nvpackusdw %ymm8, %ymm3, %ymm8\nvmovdqa 800(%r8), %ymm3\nvpaddw 1056(%r8), %ymm3, %ymm2\nvpsubw 1056(%r8), %ymm3, %ymm3\nvpsrlw $2, %ymm3, %ymm3\nvpsubw %ymm6, %ymm3, %ymm3\nvpmullw %ymm14, %ymm3, %ymm3\nvpsllw $1, %ymm5, %ymm9\nvpsubw %ymm9, %ymm2, %ymm9\nvpsllw $7, %ymm11, %ymm2\nvpsubw %ymm2, %ymm9, %ymm2\nvpsrlw $3, %ymm2, %ymm2\nvpsubw %ymm8, %ymm2, %ymm2\nvmovdqa 1312(%r8), %ymm9\nvpsubw %ymm5, %ymm9, %ymm9\nvpmullw %ymm15, %ymm11, %ymm10\nvpsubw %ymm10, %ymm9, %ymm10\nvpmullw %ymm14, %ymm2, %ymm2\nvpsubw %ymm2, %ymm8, %ymm8\nvpmullw %ymm12, %ymm2, %ymm9\nvpaddw %ymm9, %ymm8, %ymm9\nvpmullw %ymm12, %ymm9, %ymm9\nvpsubw %ymm9, %ymm10, %ymm9\nvpmullw %ymm14, %ymm9, %ymm9\nvpsubw %ymm6, %ymm9, %ymm9\nvpsrlw $3, %ymm9, %ymm9\nvpsubw %ymm3, %ymm9, %ymm9\nvpsubw %ymm9, %ymm3, %ymm3\nvpsubw %ymm3, %ymm6, %ymm6\nvpmullw %ymm13, %ymm9, %ymm9\nvpsubw %ymm9, %ymm6, %ymm6\nvpshufb shuf48_16(%rip), %ymm2, %ymm2\nvpand mask3_5_3_5(%rip), %ymm2, %ymm10\nvpand mask5_3_5_3(%rip), %ymm2, %ymm2\nvpermq $206, %ymm10, %ymm10\nvpand mask_keephigh(%rip), %ymm10, %ymm4\nvpor %ymm4, %ymm2, %ymm2\nvpaddw 2080(%r8), %ymm5, %ymm5\nvpaddw %ymm2, %ymm5, %ymm5\nvmovdqa %xmm10, 2080(%r8)\nvpshufb shuf48_16(%rip), %ymm9, %ymm9\nvpand mask3_5_3_5(%rip), %ymm9, %ymm10\nvpand mask5_3_5_3(%rip), %ymm9, %ymm9\nvpermq $206, %ymm10, %ymm10\nvpand mask_keephigh(%rip), %ymm10, %ymm4\nvpor %ymm4, %ymm9, %ymm9\nvpaddw 2336(%r8), %ymm6, %ymm6\nvpaddw %ymm9, %ymm6, %ymm6\nvmovdqa %xmm10, 2336(%r8)\nvpshufb shuf48_16(%rip), %ymm11, %ymm11\nvpand mask3_5_3_5(%rip), %ymm11, %ymm10\nvpand mask5_3_5_3(%rip), %ymm11, %ymm11\nvpermq $206, %ymm10, %ymm10\nvpand mask_keephigh(%rip), %ymm10, %ymm4\nvpor %ymm4, %ymm11, %ymm11\nvpaddw 2592(%r8), %ymm8, %ymm8\nvpaddw %ymm11, %ymm8, %ymm8\nvmovdqa %xmm10, 2592(%r8)\nvpand mask_mod8192(%rip), %ymm5, %ymm5\nvmovdqu %ymm5, 120(%rdi)\nvpand mask_mod8192(%rip), %ymm6, %ymm6\nvmovdqu %ymm6, 472(%rdi)\nvpand mask_mod8192(%rip), %ymm8, %ymm8\nvmovdqu %ymm8, 824(%rdi)\nvpand mask_mod8192(%rip), %ymm3, %ymm3\nvmovdqu %ymm3, 1176(%rdi)\nvmovdqa 64(%r8), %ymm11\nvpunpcklwd const0(%rip), %ymm11, %ymm9\nvpunpckhwd const0(%rip), %ymm11, %ymm2\nvpslld $1, %ymm9, %ymm9\nvpslld $1, %ymm2, %ymm2\nvmovdqa 320(%r8), %ymm3\nvpunpcklwd const0(%rip), %ymm3, %ymm8\nvpunpckhwd const0(%rip), %ymm3, %ymm3\nvmovdqa 576(%r8), %ymm6\nvpunpcklwd const0(%rip), %ymm6, %ymm5\nvpunpckhwd const0(%rip), %ymm6, %ymm6\nvpaddd %ymm5, %ymm8, %ymm10\nvpaddd %ymm6, %ymm3, %ymm4\nvpsubd %ymm9, %ymm10, %ymm10\nvpsubd %ymm2, %ymm4, %ymm4\nvpsubd %ymm5, %ymm8, %ymm5\nvpsubd %ymm6, %ymm3, %ymm6\nvpsrld $1, %ymm5, %ymm5\nvpsrld $1, %ymm6, %ymm6\nvpand mask32_to_16(%rip), %ymm5, %ymm5\nvpand mask32_to_16(%rip), %ymm6, %ymm6\nvpackusdw %ymm6, %ymm5, %ymm6\nvmovdqa 1600(%r8), %ymm5\nvpunpcklwd const0(%rip), %ymm5, %ymm3\nvpunpckhwd const0(%rip), %ymm5, %ymm8\nvpslld $1, %ymm3, %ymm3\nvpslld $1, %ymm8, %ymm8\nvpsubd %ymm3, %ymm10, %ymm10\nvpsubd %ymm8, %ymm4, %ymm4\nvpsrld $1, %ymm10, %ymm10\nvpsrld $1, %ymm4, %ymm4\nvpand mask32_to_16(%rip), %ymm10, %ymm10\nvpand mask32_to_16(%rip), %ymm4, %ymm4\nvpackusdw %ymm4, %ymm10, %ymm4\nvmovdqa 832(%r8), %ymm10\nvpaddw 1088(%r8), %ymm10, %ymm8\nvpsubw 1088(%r8), %ymm10, %ymm10\nvpsrlw $2, %ymm10, %ymm10\nvpsubw %ymm6, %ymm10, %ymm10\nvpmullw %ymm14, %ymm10, %ymm10\nvpsllw $1, %ymm11, %ymm3\nvpsubw %ymm3, %ymm8, %ymm3\nvpsllw $7, %ymm5, %ymm8\nvpsubw %ymm8, %ymm3, %ymm8\nvpsrlw $3, %ymm8, %ymm8\nvpsubw %ymm4, %ymm8, %ymm8\nvmovdqa 1344(%r8), %ymm3\nvpsubw %ymm11, %ymm3, %ymm3\nvpmullw %ymm15, %ymm5, %ymm2\nvpsubw %ymm2, %ymm3, %ymm2\nvpmullw %ymm14, %ymm8, %ymm8\nvpsubw %ymm8, %ymm4, %ymm4\nvpmullw %ymm12, %ymm8, %ymm3\nvpaddw %ymm3, %ymm4, %ymm3\nvpmullw %ymm12, %ymm3, %ymm3\nvpsubw %ymm3, %ymm2, %ymm3\nvpmullw %ymm14, %ymm3, %ymm3\nvpsubw %ymm6, %ymm3, %ymm3\nvpsrlw $3, %ymm3, %ymm3\nvpsubw %ymm10, %ymm3, %ymm3\nvpsubw %ymm3, %ymm10, %ymm10\nvpsubw %ymm10, %ymm6, %ymm6\nvpmullw %ymm13, %ymm3, %ymm3\nvpsubw %ymm3, %ymm6, %ymm6\nvpshufb shuf48_16(%rip), %ymm8, %ymm8\nvpand mask3_5_3_5(%rip), %ymm8, %ymm2\nvpand mask5_3_5_3(%rip), %ymm8, %ymm8\nvpermq $206, %ymm2, %ymm2\nvpand mask_keephigh(%rip), %ymm2, %ymm9\nvpor %ymm9, %ymm8, %ymm8\nvpaddw 2112(%r8), %ymm11, %ymm11\nvpaddw %ymm8, %ymm11, %ymm11\nvmovdqa %xmm2, 2112(%r8)\nvpshufb shuf48_16(%rip), %ymm3, %ymm3\nvpand mask3_5_3_5(%rip), %ymm3, %ymm2\nvpand mask5_3_5_3(%rip), %ymm3, %ymm3\nvpermq $206, %ymm2, %ymm2\nvpand mask_keephigh(%rip), %ymm2, %ymm9\nvpor %ymm9, %ymm3, %ymm3\nvpaddw 2368(%r8), %ymm6, %ymm6\nvpaddw %ymm3, %ymm6, %ymm6\nvmovdqa %xmm2, 2368(%r8)\nvpshufb shuf48_16(%rip), %ymm5, %ymm5\nvpand mask3_5_3_5(%rip), %ymm5, %ymm2\nvpand mask5_3_5_3(%rip), %ymm5, %ymm5\nvpermq $206, %ymm2, %ymm2\nvpand mask_keephigh(%rip), %ymm2, %ymm9\nvpor %ymm9, %ymm5, %ymm5\nvpaddw 2624(%r8), %ymm4, %ymm4\nvpaddw %ymm5, %ymm4, %ymm4\nvmovdqa %xmm2, 2624(%r8)\nvpand mask_mod8192(%rip), %ymm11, %ymm11\nvmovdqu %ymm11, 208(%rdi)\nvpand mask_mod8192(%rip), %ymm6, %ymm6\nvmovdqu %ymm6, 560(%rdi)\nvpand mask_mod8192(%rip), %ymm4, %ymm4\nvmovdqu %ymm4, 912(%rdi)\nvpand mask_mod8192(%rip), %ymm10, %ymm10\nvmovdqu %ymm10, 1264(%rdi)\nvmovdqa 96(%r8), %ymm5\nvpunpcklwd const0(%rip), %ymm5, %ymm3\nvpunpckhwd const0(%rip), %ymm5, %ymm8\nvpslld $1, %ymm3, %ymm3\nvpslld $1, %ymm8, %ymm8\nvmovdqa 352(%r8), %ymm10\nvpunpcklwd const0(%rip), %ymm10, %ymm4\nvpunpckhwd const0(%rip), %ymm10, %ymm10\nvmovdqa 608(%r8), %ymm6\nvpunpcklwd const0(%rip), %ymm6, %ymm11\nvpunpckhwd const0(%rip), %ymm6, %ymm6\nvpaddd %ymm11, %ymm4, %ymm2\nvpaddd %ymm6, %ymm10, %ymm9\nvpsubd %ymm3, %ymm2, %ymm2\nvpsubd %ymm8, %ymm9, %ymm9\nvpsubd %ymm11, %ymm4, %ymm11\nvpsubd %ymm6, %ymm10, %ymm6\nvpsrld $1, %ymm11, %ymm11\nvpsrld $1, %ymm6, %ymm6\nvpand mask32_to_16(%rip), %ymm11, %ymm11\nvpand mask32_to_16(%rip), %ymm6, %ymm6\nvpackusdw %ymm6, %ymm11, %ymm6\nvmovdqa 1632(%r8), %ymm11\nvpunpcklwd const0(%rip), %ymm11, %ymm10\nvpunpckhwd const0(%rip), %ymm11, %ymm4\nvpslld $1, %ymm10, %ymm10\nvpslld $1, %ymm4, %ymm4\nvpsubd %ymm10, %ymm2, %ymm2\nvpsubd %ymm4, %ymm9, %ymm9\nvpsrld $1, %ymm2, %ymm2\nvpsrld $1, %ymm9, %ymm9\nvpand mask32_to_16(%rip), %ymm2, %ymm2\nvpand mask32_to_16(%rip), %ymm9, %ymm9\nvpackusdw %ymm9, %ymm2, %ymm9\nvmovdqa 864(%r8), %ymm2\nvpaddw 1120(%r8), %ymm2, %ymm4\nvpsubw 1120(%r8), %ymm2, %ymm2\nvpsrlw $2, %ymm2, %ymm2\nvpsubw %ymm6, %ymm2, %ymm2\nvpmullw %ymm14, %ymm2, %ymm2\nvpsllw $1, %ymm5, %ymm10\nvpsubw %ymm10, %ymm4, %ymm10\nvpsllw $7, %ymm11, %ymm4\nvpsubw %ymm4, %ymm10, %ymm4\nvpsrlw $3, %ymm4, %ymm4\nvpsubw %ymm9, %ymm4, %ymm4\nvmovdqa 1376(%r8), %ymm10\nvpsubw %ymm5, %ymm10, %ymm10\nvpmullw %ymm15, %ymm11, %ymm8\nvpsubw %ymm8, %ymm10, %ymm8\nvpmullw %ymm14, %ymm4, %ymm4\nvpsubw %ymm4, %ymm9, %ymm9\nvpmullw %ymm12, %ymm4, %ymm10\nvpaddw %ymm10, %ymm9, %ymm10\nvpmullw %ymm12, %ymm10, %ymm10\nvpsubw %ymm10, %ymm8, %ymm10\nvpmullw %ymm14, %ymm10, %ymm10\nvpsubw %ymm6, %ymm10, %ymm10\nvpsrlw $3, %ymm10, %ymm10\nvpsubw %ymm2, %ymm10, %ymm10\nvpsubw %ymm10, %ymm2, %ymm2\nvpsubw %ymm2, %ymm6, %ymm6\nvpmullw %ymm13, %ymm10, %ymm10\nvpsubw %ymm10, %ymm6, %ymm6\nvpshufb shuf48_16(%rip), %ymm4, %ymm4\nvpand mask3_5_3_5(%rip), %ymm4, %ymm8\nvpand mask5_3_5_3(%rip), %ymm4, %ymm4\nvpermq $206, %ymm8, %ymm8\nvpand mask_keephigh(%rip), %ymm8, %ymm3\nvpor %ymm3, %ymm4, %ymm4\nvpaddw 2144(%r8), %ymm5, %ymm5\nvpaddw %ymm4, %ymm5, %ymm5\nvmovdqa %xmm8, 2144(%r8)\nvpshufb shuf48_16(%rip), %ymm10, %ymm10\nvpand mask3_5_3_5(%rip), %ymm10, %ymm8\nvpand mask5_3_5_3(%rip), %ymm10, %ymm10\nvpermq $206, %ymm8, %ymm8\nvpand mask_keephigh(%rip), %ymm8, %ymm3\nvpor %ymm3, %ymm10, %ymm10\nvpaddw 2400(%r8), %ymm6, %ymm6\nvpaddw %ymm10, %ymm6, %ymm6\nvmovdqa %xmm8, 2400(%r8)\nvpshufb shuf48_16(%rip), %ymm11, %ymm11\nvpand mask3_5_3_5(%rip), %ymm11, %ymm8\nvpand mask5_3_5_3(%rip), %ymm11, %ymm11\nvpermq $206, %ymm8, %ymm8\nvpand mask_keephigh(%rip), %ymm8, %ymm3\nvpor %ymm3, %ymm11, %ymm11\nvpaddw 2656(%r8), %ymm9, %ymm9\nvpaddw %ymm11, %ymm9, %ymm9\nvmovdqa %xmm8, 2656(%r8)\nvpand mask_mod8192(%rip), %ymm5, %ymm5\nvmovdqu %ymm5, 296(%rdi)\nvpand mask_mod8192(%rip), %ymm6, %ymm6\nvmovdqu %ymm6, 648(%rdi)\nvpand mask_mod8192(%rip), %ymm9, %ymm9\nvmovdqu %ymm9, 1000(%rdi)\nvpand mask_mod8192(%rip), %ymm2, %ymm2\nvmovdqu %ymm2, 1352(%rdi)\nvmovdqa 128(%r8), %ymm11\nvpunpcklwd const0(%rip), %ymm11, %ymm10\nvpunpckhwd const0(%rip), %ymm11, %ymm4\nvpslld $1, %ymm10, %ymm10\nvpslld $1, %ymm4, %ymm4\nvmovdqa 384(%r8), %ymm2\nvpunpcklwd const0(%rip), %ymm2, %ymm9\nvpunpckhwd const0(%rip), %ymm2, %ymm2\nvmovdqa 640(%r8), %ymm6\nvpunpcklwd const0(%rip), %ymm6, %ymm5\nvpunpckhwd const0(%rip), %ymm6, %ymm6\nvpaddd %ymm5, %ymm9, %ymm8\nvpaddd %ymm6, %ymm2, %ymm3\nvpsubd %ymm10, %ymm8, %ymm8\nvpsubd %ymm4, %ymm3, %ymm3\nvpsubd %ymm5, %ymm9, %ymm5\nvpsubd %ymm6, %ymm2, %ymm6\nvpsrld $1, %ymm5, %ymm5\nvpsrld $1, %ymm6, %ymm6\nvpand mask32_to_16(%rip), %ymm5, %ymm5\nvpand mask32_to_16(%rip), %ymm6, %ymm6\nvpackusdw %ymm6, %ymm5, %ymm6\nvmovdqa 1664(%r8), %ymm5\nvpunpcklwd const0(%rip), %ymm5, %ymm2\nvpunpckhwd const0(%rip), %ymm5, %ymm9\nvpslld $1, %ymm2, %ymm2\nvpslld $1, %ymm9, %ymm9\nvpsubd %ymm2, %ymm8, %ymm8\nvpsubd %ymm9, %ymm3, %ymm3\nvpsrld $1, %ymm8, %ymm8\nvpsrld $1, %ymm3, %ymm3\nvpand mask32_to_16(%rip), %ymm8, %ymm8\nvpand mask32_to_16(%rip), %ymm3, %ymm3\nvpackusdw %ymm3, %ymm8, %ymm3\nvmovdqa 896(%r8), %ymm8\nvpaddw 1152(%r8), %ymm8, %ymm9\nvpsubw 1152(%r8), %ymm8, %ymm8\nvpsrlw $2, %ymm8, %ymm8\nvpsubw %ymm6, %ymm8, %ymm8\nvpmullw %ymm14, %ymm8, %ymm8\nvpsllw $1, %ymm11, %ymm2\nvpsubw %ymm2, %ymm9, %ymm2\nvpsllw $7, %ymm5, %ymm9\nvpsubw %ymm9, %ymm2, %ymm9\nvpsrlw $3, %ymm9, %ymm9\nvpsubw %ymm3, %ymm9, %ymm9\nvmovdqa 1408(%r8), %ymm2\nvpsubw %ymm11, %ymm2, %ymm2\nvpmullw %ymm15, %ymm5, %ymm4\nvpsubw %ymm4, %ymm2, %ymm4\nvpmullw %ymm14, %ymm9, %ymm9\nvpsubw %ymm9, %ymm3, %ymm3\nvpmullw %ymm12, %ymm9, %ymm2\nvpaddw %ymm2, %ymm3, %ymm2\nvpmullw %ymm12, %ymm2, %ymm2\nvpsubw %ymm2, %ymm4, %ymm2\nvpmullw %ymm14, %ymm2, %ymm2\nvpsubw %ymm6, %ymm2, %ymm2\nvpsrlw $3, %ymm2, %ymm2\nvpsubw %ymm8, %ymm2, %ymm2\nvpsubw %ymm2, %ymm8, %ymm8\nvpsubw %ymm8, %ymm6, %ymm6\nvpmullw %ymm13, %ymm2, %ymm2\nvpsubw %ymm2, %ymm6, %ymm6\nvmovdqu 384(%rdi), %ymm4\nvmovdqu 736(%rdi), %ymm10\nvmovdqu 1088(%rdi), %ymm7\nvpaddw %ymm11, %ymm4, %ymm11\nvpaddw %ymm6, %ymm10, %ymm6\nvpaddw %ymm3, %ymm7, %ymm3\nvpshufb shuf48_16(%rip), %ymm8, %ymm8\nvpand mask3_5_3_5(%rip), %ymm8, %ymm7\nvpand mask5_3_5_3(%rip), %ymm8, %ymm8\nvpermq $206, %ymm7, %ymm7\nvpand mask_keephigh(%rip), %ymm7, %ymm10\nvpor %ymm10, %ymm8, %ymm8\nvmovdqu 32(%rdi), %ymm10\nvpaddw 1920(%r8), %ymm10, %ymm10\nvpaddw %ymm8, %ymm10, %ymm10\nvpand mask_mod8192(%rip), %ymm10, %ymm10\nvmovdqu %ymm10, 32(%rdi)\nvmovdqa %xmm7, 1920(%r8)\nvpshufb shuf48_16(%rip), %ymm9, %ymm9\nvpand mask3_5_3_5(%rip), %ymm9, %ymm7\nvpand mask5_3_5_3(%rip), %ymm9, %ymm9\nvpermq $206, %ymm7, %ymm7\nvpand mask_keephigh(%rip), %ymm7, %ymm10\nvpor %ymm10, %ymm9, %ymm9\nvpaddw 2176(%r8), %ymm11, %ymm11\nvpaddw %ymm9, %ymm11, %ymm11\nvmovdqa %xmm7, 2176(%r8)\nvpshufb shuf48_16(%rip), %ymm2, %ymm2\nvpand mask3_5_3_5(%rip), %ymm2, %ymm7\nvpand mask5_3_5_3(%rip), %ymm2, %ymm2\nvpermq $206, %ymm7, %ymm7\nvpand mask_keephigh(%rip), %ymm7, %ymm10\nvpor %ymm10, %ymm2, %ymm2\nvpaddw 2432(%r8), %ymm6, %ymm6\nvpaddw %ymm2, %ymm6, %ymm6\nvmovdqa %xmm7, 2432(%r8)\nvpshufb shuf48_16(%rip), %ymm5, %ymm5\nvpand mask3_5_3_5(%rip), %ymm5, %ymm7\nvpand mask5_3_5_3(%rip), %ymm5, %ymm5\nvpermq $206, %ymm7, %ymm7\nvpand mask_keephigh(%rip), %ymm7, %ymm10\nvpor %ymm10, %ymm5, %ymm5\nvpaddw 2688(%r8), %ymm3, %ymm3\nvpaddw %ymm5, %ymm3, %ymm3\nvmovdqa %xmm7, 2688(%r8)\nvpand mask_mod8192(%rip), %ymm11, %ymm11\nvmovdqu %ymm11, 384(%rdi)\nvpand mask_mod8192(%rip), %ymm6, %ymm6\nvmovdqu %ymm6, 736(%rdi)\nvpand mask_mod8192(%rip), %ymm3, %ymm3\nvmovdqu %ymm3, 1088(%rdi)\nvmovdqa 160(%r8), %ymm5\nvpunpcklwd const0(%rip), %ymm5, %ymm2\nvpunpckhwd const0(%rip), %ymm5, %ymm9\nvpslld $1, %ymm2, %ymm2\nvpslld $1, %ymm9, %ymm9\nvmovdqa 416(%r8), %ymm8\nvpunpcklwd const0(%rip), %ymm8, %ymm3\nvpunpckhwd const0(%rip), %ymm8, %ymm8\nvmovdqa 672(%r8), %ymm6\nvpunpcklwd const0(%rip), %ymm6, %ymm11\nvpunpckhwd const0(%rip), %ymm6, %ymm6\nvpaddd %ymm11, %ymm3, %ymm7\nvpaddd %ymm6, %ymm8, %ymm10\nvpsubd %ymm2, %ymm7, %ymm7\nvpsubd %ymm9, %ymm10, %ymm10\nvpsubd %ymm11, %ymm3, %ymm11\nvpsubd %ymm6, %ymm8, %ymm6\nvpsrld $1, %ymm11, %ymm11\nvpsrld $1, %ymm6, %ymm6\nvpand mask32_to_16(%rip), %ymm11, %ymm11\nvpand mask32_to_16(%rip), %ymm6, %ymm6\nvpackusdw %ymm6, %ymm11, %ymm6\nvmovdqa 1696(%r8), %ymm11\nvpunpcklwd const0(%rip), %ymm11, %ymm8\nvpunpckhwd const0(%rip), %ymm11, %ymm3\nvpslld $1, %ymm8, %ymm8\nvpslld $1, %ymm3, %ymm3\nvpsubd %ymm8, %ymm7, %ymm7\nvpsubd %ymm3, %ymm10, %ymm10\nvpsrld $1, %ymm7, %ymm7\nvpsrld $1, %ymm10, %ymm10\nvpand mask32_to_16(%rip), %ymm7, %ymm7\nvpand mask32_to_16(%rip), %ymm10, %ymm10\nvpackusdw %ymm10, %ymm7, %ymm10\nvmovdqa 928(%r8), %ymm7\nvpaddw 1184(%r8), %ymm7, %ymm3\nvpsubw 1184(%r8), %ymm7, %ymm7\nvpsrlw $2, %ymm7, %ymm7\nvpsubw %ymm6, %ymm7, %ymm7\nvpmullw %ymm14, %ymm7, %ymm7\nvpsllw $1, %ymm5, %ymm8\nvpsubw %ymm8, %ymm3, %ymm8\nvpsllw $7, %ymm11, %ymm3\nvpsubw %ymm3, %ymm8, %ymm3\nvpsrlw $3, %ymm3, %ymm3\nvpsubw %ymm10, %ymm3, %ymm3\nvmovdqa 1440(%r8), %ymm8\nvpsubw %ymm5, %ymm8, %ymm8\nvpmullw %ymm15, %ymm11, %ymm9\nvpsubw %ymm9, %ymm8, %ymm9\nvpmullw %ymm14, %ymm3, %ymm3\nvpsubw %ymm3, %ymm10, %ymm10\nvpmullw %ymm12, %ymm3, %ymm8\nvpaddw %ymm8, %ymm10, %ymm8\nvpmullw %ymm12, %ymm8, %ymm8\nvpsubw %ymm8, %ymm9, %ymm8\nvpmullw %ymm14, %ymm8, %ymm8\nvpsubw %ymm6, %ymm8, %ymm8\nvpsrlw $3, %ymm8, %ymm8\nvpsubw %ymm7, %ymm8, %ymm8\nvpsubw %ymm8, %ymm7, %ymm7\nvpsubw %ymm7, %ymm6, %ymm6\nvpmullw %ymm13, %ymm8, %ymm8\nvpsubw %ymm8, %ymm6, %ymm6\nvmovdqu 472(%rdi), %ymm9\nvmovdqu 824(%rdi), %ymm2\nvmovdqu 1176(%rdi), %ymm4\nvpaddw %ymm5, %ymm9, %ymm5\nvpaddw %ymm6, %ymm2, %ymm6\nvpaddw %ymm10, %ymm4, %ymm10\nvpshufb shuf48_16(%rip), %ymm7, %ymm7\nvpand mask3_5_3_5(%rip), %ymm7, %ymm4\nvpand mask5_3_5_3(%rip), %ymm7, %ymm7\nvpermq $206, %ymm4, %ymm4\nvpand mask_keephigh(%rip), %ymm4, %ymm2\nvpor %ymm2, %ymm7, %ymm7\nvmovdqu 120(%rdi), %ymm2\nvpaddw 1952(%r8), %ymm2, %ymm2\nvpaddw %ymm7, %ymm2, %ymm2\nvpand mask_mod8192(%rip), %ymm2, %ymm2\nvmovdqu %ymm2, 120(%rdi)\nvmovdqa %xmm4, 1952(%r8)\nvpshufb shuf48_16(%rip), %ymm3, %ymm3\nvpand mask3_5_3_5(%rip), %ymm3, %ymm4\nvpand mask5_3_5_3(%rip), %ymm3, %ymm3\nvpermq $206, %ymm4, %ymm4\nvpand mask_keephigh(%rip), %ymm4, %ymm2\nvpor %ymm2, %ymm3, %ymm3\nvpaddw 2208(%r8), %ymm5, %ymm5\nvpaddw %ymm3, %ymm5, %ymm5\nvmovdqa %xmm4, 2208(%r8)\nvpshufb shuf48_16(%rip), %ymm8, %ymm8\nvpand mask3_5_3_5(%rip), %ymm8, %ymm4\nvpand mask5_3_5_3(%rip), %ymm8, %ymm8\nvpermq $206, %ymm4, %ymm4\nvpand mask_keephigh(%rip), %ymm4, %ymm2\nvpor %ymm2, %ymm8, %ymm8\nvpaddw 2464(%r8), %ymm6, %ymm6\nvpaddw %ymm8, %ymm6, %ymm6\nvmovdqa %xmm4, 2464(%r8)\nvpshufb shuf48_16(%rip), %ymm11, %ymm11\nvpand mask3_5_3_5(%rip), %ymm11, %ymm4\nvpand mask5_3_5_3(%rip), %ymm11, %ymm11\nvpermq $206, %ymm4, %ymm4\nvpand mask_keephigh(%rip), %ymm4, %ymm2\nvpor %ymm2, %ymm11, %ymm11\nvpaddw 2720(%r8), %ymm10, %ymm10\nvpaddw %ymm11, %ymm10, %ymm10\nvmovdqa %xmm4, 2720(%r8)\nvpand mask_mod8192(%rip), %ymm5, %ymm5\nvmovdqu %ymm5, 472(%rdi)\nvpand mask_mod8192(%rip), %ymm6, %ymm6\nvmovdqu %ymm6, 824(%rdi)\nvpand mask_mod8192(%rip), %ymm10, %ymm10\nvmovdqu %ymm10, 1176(%rdi)\nvmovdqa 192(%r8), %ymm11\nvpunpcklwd const0(%rip), %ymm11, %ymm8\nvpunpckhwd const0(%rip), %ymm11, %ymm3\nvpslld $1, %ymm8, %ymm8\nvpslld $1, %ymm3, %ymm3\nvmovdqa 448(%r8), %ymm7\nvpunpcklwd const0(%rip), %ymm7, %ymm10\nvpunpckhwd const0(%rip), %ymm7, %ymm7\nvmovdqa 704(%r8), %ymm6\nvpunpcklwd const0(%rip), %ymm6, %ymm5\nvpunpckhwd const0(%rip), %ymm6, %ymm6\nvpaddd %ymm5, %ymm10, %ymm4\nvpaddd %ymm6, %ymm7, %ymm2\nvpsubd %ymm8, %ymm4, %ymm4\nvpsubd %ymm3, %ymm2, %ymm2\nvpsubd %ymm5, %ymm10, %ymm5\nvpsubd %ymm6, %ymm7, %ymm6\nvpsrld $1, %ymm5, %ymm5\nvpsrld $1, %ymm6, %ymm6\nvpand mask32_to_16(%rip), %ymm5, %ymm5\nvpand mask32_to_16(%rip), %ymm6, %ymm6\nvpackusdw %ymm6, %ymm5, %ymm6\nvmovdqa 1728(%r8), %ymm5\nvpunpcklwd const0(%rip), %ymm5, %ymm7\nvpunpckhwd const0(%rip), %ymm5, %ymm10\nvpslld $1, %ymm7, %ymm7\nvpslld $1, %ymm10, %ymm10\nvpsubd %ymm7, %ymm4, %ymm4\nvpsubd %ymm10, %ymm2, %ymm2\nvpsrld $1, %ymm4, %ymm4\nvpsrld $1, %ymm2, %ymm2\nvpand mask32_to_16(%rip), %ymm4, %ymm4\nvpand mask32_to_16(%rip), %ymm2, %ymm2\nvpackusdw %ymm2, %ymm4, %ymm2\nvmovdqa 960(%r8), %ymm4\nvpaddw 1216(%r8), %ymm4, %ymm10\nvpsubw 1216(%r8), %ymm4, %ymm4\nvpsrlw $2, %ymm4, %ymm4\nvpsubw %ymm6, %ymm4, %ymm4\nvpmullw %ymm14, %ymm4, %ymm4\nvpsllw $1, %ymm11, %ymm7\nvpsubw %ymm7, %ymm10, %ymm7\nvpsllw $7, %ymm5, %ymm10\nvpsubw %ymm10, %ymm7, %ymm10\nvpsrlw $3, %ymm10, %ymm10\nvpsubw %ymm2, %ymm10, %ymm10\nvmovdqa 1472(%r8), %ymm7\nvpsubw %ymm11, %ymm7, %ymm7\nvpmullw %ymm15, %ymm5, %ymm3\nvpsubw %ymm3, %ymm7, %ymm3\nvpmullw %ymm14, %ymm10, %ymm10\nvpsubw %ymm10, %ymm2, %ymm2\nvpmullw %ymm12, %ymm10, %ymm7\nvpaddw %ymm7, %ymm2, %ymm7\nvpmullw %ymm12, %ymm7, %ymm7\nvpsubw %ymm7, %ymm3, %ymm7\nvpmullw %ymm14, %ymm7, %ymm7\nvpsubw %ymm6, %ymm7, %ymm7\nvpsrlw $3, %ymm7, %ymm7\nvpsubw %ymm4, %ymm7, %ymm7\nvpsubw %ymm7, %ymm4, %ymm4\nvpsubw %ymm4, %ymm6, %ymm6\nvpmullw %ymm13, %ymm7, %ymm7\nvpsubw %ymm7, %ymm6, %ymm6\nvmovdqu 560(%rdi), %ymm3\nvmovdqu 912(%rdi), %ymm8\nvmovdqu 1264(%rdi), %ymm9\nvpaddw %ymm11, %ymm3, %ymm11\nvpaddw %ymm6, %ymm8, %ymm6\nvpaddw %ymm2, %ymm9, %ymm2\nvpshufb shuf48_16(%rip), %ymm4, %ymm4\nvpand mask3_5_3_5(%rip), %ymm4, %ymm9\nvpand mask5_3_5_3(%rip), %ymm4, %ymm4\nvpermq $206, %ymm9, %ymm9\nvpand mask_keephigh(%rip), %ymm9, %ymm8\nvpor %ymm8, %ymm4, %ymm4\nvmovdqu 208(%rdi), %ymm8\nvpaddw 1984(%r8), %ymm8, %ymm8\nvpaddw %ymm4, %ymm8, %ymm8\nvpand mask_mod8192(%rip), %ymm8, %ymm8\nvmovdqu %ymm8, 208(%rdi)\nvmovdqa %xmm9, 1984(%r8)\nvpshufb shuf48_16(%rip), %ymm10, %ymm10\nvpand mask3_5_3_5(%rip), %ymm10, %ymm9\nvpand mask5_3_5_3(%rip), %ymm10, %ymm10\nvpermq $206, %ymm9, %ymm9\nvpand mask_keephigh(%rip), %ymm9, %ymm8\nvpor %ymm8, %ymm10, %ymm10\nvpaddw 2240(%r8), %ymm11, %ymm11\nvpaddw %ymm10, %ymm11, %ymm11\nvmovdqa %xmm9, 2240(%r8)\nvpshufb shuf48_16(%rip), %ymm7, %ymm7\nvpand mask3_5_3_5(%rip), %ymm7, %ymm9\nvpand mask5_3_5_3(%rip), %ymm7, %ymm7\nvpermq $206, %ymm9, %ymm9\nvpand mask_keephigh(%rip), %ymm9, %ymm8\nvpor %ymm8, %ymm7, %ymm7\nvpaddw 2496(%r8), %ymm6, %ymm6\nvpaddw %ymm7, %ymm6, %ymm6\nvmovdqa %xmm9, 2496(%r8)\nvpshufb shuf48_16(%rip), %ymm5, %ymm5\nvpand mask3_5_3_5(%rip), %ymm5, %ymm9\nvpand mask5_3_5_3(%rip), %ymm5, %ymm5\nvpermq $206, %ymm9, %ymm9\nvpand mask_keephigh(%rip), %ymm9, %ymm8\nvpor %ymm8, %ymm5, %ymm5\nvpaddw 2752(%r8), %ymm2, %ymm2\nvpaddw %ymm5, %ymm2, %ymm2\nvmovdqa %xmm9, 2752(%r8)\nvpand mask_mod8192(%rip), %ymm11, %ymm11\nvmovdqu %ymm11, 560(%rdi)\nvpand mask_mod8192(%rip), %ymm6, %ymm6\nvmovdqu %ymm6, 912(%rdi)\nvpand mask_mod8192(%rip), %ymm2, %ymm2\nvmovdqu %ymm2, 1264(%rdi)\nvmovdqa 224(%r8), %ymm5\nvpunpcklwd const0(%rip), %ymm5, %ymm7\nvpunpckhwd const0(%rip), %ymm5, %ymm10\nvpslld $1, %ymm7, %ymm7\nvpslld $1, %ymm10, %ymm10\nvmovdqa 480(%r8), %ymm4\nvpunpcklwd const0(%rip), %ymm4, %ymm2\nvpunpckhwd const0(%rip), %ymm4, %ymm4\nvmovdqa 736(%r8), %ymm6\nvpunpcklwd const0(%rip), %ymm6, %ymm11\nvpunpckhwd const0(%rip), %ymm6, %ymm6\nvpaddd %ymm11, %ymm2, %ymm9\nvpaddd %ymm6, %ymm4, %ymm8\nvpsubd %ymm7, %ymm9, %ymm9\nvpsubd %ymm10, %ymm8, %ymm8\nvpsubd %ymm11, %ymm2, %ymm11\nvpsubd %ymm6, %ymm4, %ymm6\nvpsrld $1, %ymm11, %ymm11\nvpsrld $1, %ymm6, %ymm6\nvpand mask32_to_16(%rip), %ymm11, %ymm11\nvpand mask32_to_16(%rip), %ymm6, %ymm6\nvpackusdw %ymm6, %ymm11, %ymm6\nvmovdqa 1760(%r8), %ymm11\nvpunpcklwd const0(%rip), %ymm11, %ymm4\nvpunpckhwd const0(%rip), %ymm11, %ymm2\nvpslld $1, %ymm4, %ymm4\nvpslld $1, %ymm2, %ymm2\nvpsubd %ymm4, %ymm9, %ymm9\nvpsubd %ymm2, %ymm8, %ymm8\nvpsrld $1, %ymm9, %ymm9\nvpsrld $1, %ymm8, %ymm8\nvpand mask32_to_16(%rip), %ymm9, %ymm9\nvpand mask32_to_16(%rip), %ymm8, %ymm8\nvpackusdw %ymm8, %ymm9, %ymm8\nvmovdqa 992(%r8), %ymm9\nvpaddw 1248(%r8), %ymm9, %ymm2\nvpsubw 1248(%r8), %ymm9, %ymm9\nvpsrlw $2, %ymm9, %ymm9\nvpsubw %ymm6, %ymm9, %ymm9\nvpmullw %ymm14, %ymm9, %ymm9\nvpsllw $1, %ymm5, %ymm4\nvpsubw %ymm4, %ymm2, %ymm4\nvpsllw $7, %ymm11, %ymm2\nvpsubw %ymm2, %ymm4, %ymm2\nvpsrlw $3, %ymm2, %ymm2\nvpsubw %ymm8, %ymm2, %ymm2\nvmovdqa 1504(%r8), %ymm4\nvpsubw %ymm5, %ymm4, %ymm4\nvpmullw %ymm15, %ymm11, %ymm10\nvpsubw %ymm10, %ymm4, %ymm10\nvpmullw %ymm14, %ymm2, %ymm2\nvpsubw %ymm2, %ymm8, %ymm8\nvpmullw %ymm12, %ymm2, %ymm4\nvpaddw %ymm4, %ymm8, %ymm4\nvpmullw %ymm12, %ymm4, %ymm4\nvpsubw %ymm4, %ymm10, %ymm4\nvpmullw %ymm14, %ymm4, %ymm4\nvpsubw %ymm6, %ymm4, %ymm4\nvpsrlw $3, %ymm4, %ymm4\nvpsubw %ymm9, %ymm4, %ymm4\nvpsubw %ymm4, %ymm9, %ymm9\nvpsubw %ymm9, %ymm6, %ymm6\nvpmullw %ymm13, %ymm4, %ymm4\nvpsubw %ymm4, %ymm6, %ymm6\nvmovdqu 648(%rdi), %ymm10\nvmovdqu 1000(%rdi), %ymm7\nvmovdqu 1352(%rdi), %ymm3\nvpaddw %ymm5, %ymm10, %ymm5\nvpaddw %ymm6, %ymm7, %ymm6\nvpaddw %ymm8, %ymm3, %ymm8\nvpshufb shuf48_16(%rip), %ymm9, %ymm9\nvpand mask3_5_3_5(%rip), %ymm9, %ymm3\nvpand mask5_3_5_3(%rip), %ymm9, %ymm9\nvpermq $206, %ymm3, %ymm3\nvpand mask_keephigh(%rip), %ymm3, %ymm7\nvpor %ymm7, %ymm9, %ymm9\nvmovdqu 296(%rdi), %ymm7\nvpaddw 2016(%r8), %ymm7, %ymm7\nvpaddw %ymm9, %ymm7, %ymm7\nvpand mask_mod8192(%rip), %ymm7, %ymm7\nvmovdqu %ymm7, 296(%rdi)\nvmovdqa %xmm3, 2016(%r8)\nvpshufb shuf48_16(%rip), %ymm2, %ymm2\nvpand mask3_5_3_5(%rip), %ymm2, %ymm3\nvpand mask5_3_5_3(%rip), %ymm2, %ymm2\nvpermq $206, %ymm3, %ymm3\nvpand mask_keephigh(%rip), %ymm3, %ymm7\nvpor %ymm7, %ymm2, %ymm2\nvpaddw 2272(%r8), %ymm5, %ymm5\nvpaddw %ymm2, %ymm5, %ymm5\nvmovdqa %xmm3, 2272(%r8)\nvpshufb shuf48_16(%rip), %ymm4, %ymm4\nvpand mask3_5_3_5(%rip), %ymm4, %ymm3\nvpand mask5_3_5_3(%rip), %ymm4, %ymm4\nvpermq $206, %ymm3, %ymm3\nvpand mask_keephigh(%rip), %ymm3, %ymm7\nvpor %ymm7, %ymm4, %ymm4\nvpaddw 2528(%r8), %ymm6, %ymm6\nvpaddw %ymm4, %ymm6, %ymm6\nvmovdqa %xmm3, 2528(%r8)\nvpshufb shuf48_16(%rip), %ymm11, %ymm11\nvpand mask3_5_3_5(%rip), %ymm11, %ymm3\nvpand mask5_3_5_3(%rip), %ymm11, %ymm11\nvpermq $206, %ymm3, %ymm3\nvpand mask_keephigh(%rip), %ymm3, %ymm7\nvpor %ymm7, %ymm11, %ymm11\nvpaddw 2784(%r8), %ymm8, %ymm8\nvpaddw %ymm11, %ymm8, %ymm8\nvmovdqa %xmm3, 2784(%r8)\nvpand mask_mod8192(%rip), %ymm5, %ymm5\nvmovdqu %ymm5, 648(%rdi)\nvpand mask_mod8192(%rip), %ymm6, %ymm6\nvmovdqu %ymm6, 1000(%rdi)\nvpand mask_mod8192(%rip), %ymm8, %ymm8\nvmovdqu %ymm8, 1352(%rdi)\nvmovdqa 160(%r12), %ymm0\nvpsubw 256(%r12), %ymm0, %ymm0\nvmovdqa 544(%r12), %ymm1\nvpsubw %ymm0, %ymm1, %ymm1\nvpsubw 352(%r12), %ymm1, %ymm1\nvpsubw 64(%r12), %ymm0, %ymm0\nvpaddw 448(%r12), %ymm0, %ymm0\nvmovdqa 736(%r12), %ymm2\nvpsubw 832(%r12), %ymm2, %ymm2\nvmovdqa 1120(%r12), %ymm3\nvpsubw %ymm2, %ymm3, %ymm3\nvpsubw 928(%r12), %ymm3, %ymm3\nvpsubw 640(%r12), %ymm2, %ymm2\nvpaddw 1024(%r12), %ymm2, %ymm2\nvmovdqa 1312(%r12), %ymm4\nvpsubw 1408(%r12), %ymm4, %ymm4\nvmovdqa 1696(%r12), %ymm5\nvpsubw %ymm4, %ymm5, %ymm5\nvpsubw 1504(%r12), %ymm5, %ymm5\nvpsubw 1216(%r12), %ymm4, %ymm4\nvpaddw 1600(%r12), %ymm4, %ymm4\nvpsubw 640(%r12), %ymm1, %ymm1\nvpsubw %ymm1, %ymm5, %ymm5\nvpsubw %ymm3, %ymm5, %ymm5\nvpsubw 64(%r12), %ymm1, %ymm1\nvpaddw 1216(%r12), %ymm1, %ymm1\nvmovdqa 352(%r12), %ymm6\nvpsubw %ymm2, %ymm6, %ymm7\nvmovdqa 1504(%r12), %ymm2\nvpsubw %ymm7, %ymm2, %ymm2\nvpsubw 928(%r12), %ymm2, %ymm2\nvpsubw %ymm0, %ymm7, %ymm7\nvpaddw %ymm4, %ymm7, %ymm7\nvmovdqa 64(%r12), %ymm8\nvmovdqa 928(%r12), %ymm9\nvmovdqa %ymm8, 0(%r8)\nvmovdqa %ymm0, 32(%r8)\nvmovdqa %ymm1, 64(%r8)\nvmovdqa %ymm7, 96(%r8)\nvmovdqa %ymm5, 128(%r8)\nvmovdqa %ymm2, 160(%r8)\nvmovdqa %ymm3, 192(%r8)\nvmovdqa %ymm9, 224(%r8)\nvmovdqa 1888(%r12), %ymm0\nvpsubw 1984(%r12), %ymm0, %ymm0\nvmovdqa 2272(%r12), %ymm1\nvpsubw %ymm0, %ymm1, %ymm1\nvpsubw 2080(%r12), %ymm1, %ymm1\nvpsubw 1792(%r12), %ymm0, %ymm0\nvpaddw 2176(%r12), %ymm0, %ymm0\nvmovdqa 2464(%r12), %ymm2\nvpsubw 2560(%r12), %ymm2, %ymm2\nvmovdqa 2848(%r12), %ymm3\nvpsubw %ymm2, %ymm3, %ymm3\nvpsubw 2656(%r12), %ymm3, %ymm3\nvpsubw 2368(%r12), %ymm2, %ymm2\nvpaddw 2752(%r12), %ymm2, %ymm2\nvmovdqa 3040(%r12), %ymm4\nvpsubw 3136(%r12), %ymm4, %ymm4\nvmovdqa 3424(%r12), %ymm5\nvpsubw %ymm4, %ymm5, %ymm5\nvpsubw 3232(%r12), %ymm5, %ymm5\nvpsubw 2944(%r12), %ymm4, %ymm4\nvpaddw 3328(%r12), %ymm4, %ymm4\nvpsubw 2368(%r12), %ymm1, %ymm1\nvpsubw %ymm1, %ymm5, %ymm5\nvpsubw %ymm3, %ymm5, %ymm5\nvpsubw 1792(%r12), %ymm1, %ymm1\nvpaddw 2944(%r12), %ymm1, %ymm1\nvmovdqa 2080(%r12), %ymm6\nvpsubw %ymm2, %ymm6, %ymm7\nvmovdqa 3232(%r12), %ymm2\nvpsubw %ymm7, %ymm2, %ymm2\nvpsubw 2656(%r12), %ymm2, %ymm2\nvpsubw %ymm0, %ymm7, %ymm7\nvpaddw %ymm4, %ymm7, %ymm7\nvmovdqa 1792(%r12), %ymm8\nvmovdqa 2656(%r12), %ymm9\nvmovdqa %ymm8, 256(%r8)\nvmovdqa %ymm0, 288(%r8)\nvmovdqa %ymm1, 320(%r8)\nvmovdqa %ymm7, 352(%r8)\nvmovdqa %ymm5, 384(%r8)\nvmovdqa %ymm2, 416(%r8)\nvmovdqa %ymm3, 448(%r8)\nvmovdqa %ymm9, 480(%r8)\nvmovdqa 3616(%r12), %ymm0\nvpsubw 3712(%r12), %ymm0, %ymm0\nvmovdqa 4000(%r12), %ymm1\nvpsubw %ymm0, %ymm1, %ymm1\nvpsubw 3808(%r12), %ymm1, %ymm1\nvpsubw 3520(%r12), %ymm0, %ymm0\nvpaddw 3904(%r12), %ymm0, %ymm0\nvmovdqa 4192(%r12), %ymm2\nvpsubw 4288(%r12), %ymm2, %ymm2\nvmovdqa 4576(%r12), %ymm3\nvpsubw %ymm2, %ymm3, %ymm3\nvpsubw 4384(%r12), %ymm3, %ymm3\nvpsubw 4096(%r12), %ymm2, %ymm2\nvpaddw 4480(%r12), %ymm2, %ymm2\nvmovdqa 4768(%r12), %ymm4\nvpsubw 4864(%r12), %ymm4, %ymm4\nvmovdqa 5152(%r12), %ymm5\nvpsubw %ymm4, %ymm5, %ymm5\nvpsubw 4960(%r12), %ymm5, %ymm5\nvpsubw 4672(%r12), %ymm4, %ymm4\nvpaddw 5056(%r12), %ymm4, %ymm4\nvpsubw 4096(%r12), %ymm1, %ymm1\nvpsubw %ymm1, %ymm5, %ymm5\nvpsubw %ymm3, %ymm5, %ymm5\nvpsubw 3520(%r12), %ymm1, %ymm1\nvpaddw 4672(%r12), %ymm1, %ymm1\nvmovdqa 3808(%r12), %ymm6\nvpsubw %ymm2, %ymm6, %ymm7\nvmovdqa 4960(%r12), %ymm2\nvpsubw %ymm7, %ymm2, %ymm2\nvpsubw 4384(%r12), %ymm2, %ymm2\nvpsubw %ymm0, %ymm7, %ymm7\nvpaddw %ymm4, %ymm7, %ymm7\nvmovdqa 3520(%r12), %ymm8\nvmovdqa 4384(%r12), %ymm9\nvmovdqa %ymm8, 512(%r8)\nvmovdqa %ymm0, 544(%r8)\nvmovdqa %ymm1, 576(%r8)\nvmovdqa %ymm7, 608(%r8)\nvmovdqa %ymm5, 640(%r8)\nvmovdqa %ymm2, 672(%r8)\nvmovdqa %ymm3, 704(%r8)\nvmovdqa %ymm9, 736(%r8)\nvmovdqa 5344(%r12), %ymm0\nvpsubw 5440(%r12), %ymm0, %ymm0\nvmovdqa 5728(%r12), %ymm1\nvpsubw %ymm0, %ymm1, %ymm1\nvpsubw 5536(%r12), %ymm1, %ymm1\nvpsubw 5248(%r12), %ymm0, %ymm0\nvpaddw 5632(%r12), %ymm0, %ymm0\nvmovdqa 5920(%r12), %ymm2\nvpsubw 6016(%r12), %ymm2, %ymm2\nvmovdqa 6304(%r12), %ymm3\nvpsubw %ymm2, %ymm3, %ymm3\nvpsubw 6112(%r12), %ymm3, %ymm3\nvpsubw 5824(%r12), %ymm2, %ymm2\nvpaddw 6208(%r12), %ymm2, %ymm2\nvmovdqa 6496(%r12), %ymm4\nvpsubw 6592(%r12), %ymm4, %ymm4\nvmovdqa 6880(%r12), %ymm5\nvpsubw %ymm4, %ymm5, %ymm5\nvpsubw 6688(%r12), %ymm5, %ymm5\nvpsubw 6400(%r12), %ymm4, %ymm4\nvpaddw 6784(%r12), %ymm4, %ymm4\nvpsubw 5824(%r12), %ymm1, %ymm1\nvpsubw %ymm1, %ymm5, %ymm5\nvpsubw %ymm3, %ymm5, %ymm5\nvpsubw 5248(%r12), %ymm1, %ymm1\nvpaddw 6400(%r12), %ymm1, %ymm1\nvmovdqa 5536(%r12), %ymm6\nvpsubw %ymm2, %ymm6, %ymm7\nvmovdqa 6688(%r12), %ymm2\nvpsubw %ymm7, %ymm2, %ymm2\nvpsubw 6112(%r12), %ymm2, %ymm2\nvpsubw %ymm0, %ymm7, %ymm7\nvpaddw %ymm4, %ymm7, %ymm7\nvmovdqa 5248(%r12), %ymm8\nvmovdqa 6112(%r12), %ymm9\nvmovdqa %ymm8, 768(%r8)\nvmovdqa %ymm0, 800(%r8)\nvmovdqa %ymm1, 832(%r8)\nvmovdqa %ymm7, 864(%r8)\nvmovdqa %ymm5, 896(%r8)\nvmovdqa %ymm2, 928(%r8)\nvmovdqa %ymm3, 960(%r8)\nvmovdqa %ymm9, 992(%r8)\nvmovdqa 7072(%r12), %ymm0\nvpsubw 7168(%r12), %ymm0, %ymm0\nvmovdqa 7456(%r12), %ymm1\nvpsubw %ymm0, %ymm1, %ymm1\nvpsubw 7264(%r12), %ymm1, %ymm1\nvpsubw 6976(%r12), %ymm0, %ymm0\nvpaddw 7360(%r12), %ymm0, %ymm0\nvmovdqa 7648(%r12), %ymm2\nvpsubw 7744(%r12), %ymm2, %ymm2\nvmovdqa 8032(%r12), %ymm3\nvpsubw %ymm2, %ymm3, %ymm3\nvpsubw 7840(%r12), %ymm3, %ymm3\nvpsubw 7552(%r12), %ymm2, %ymm2\nvpaddw 7936(%r12), %ymm2, %ymm2\nvmovdqa 8224(%r12), %ymm4\nvpsubw 8320(%r12), %ymm4, %ymm4\nvmovdqa 8608(%r12), %ymm5\nvpsubw %ymm4, %ymm5, %ymm5\nvpsubw 8416(%r12), %ymm5, %ymm5\nvpsubw 8128(%r12), %ymm4, %ymm4\nvpaddw 8512(%r12), %ymm4, %ymm4\nvpsubw 7552(%r12), %ymm1, %ymm1\nvpsubw %ymm1, %ymm5, %ymm5\nvpsubw %ymm3, %ymm5, %ymm5\nvpsubw 6976(%r12), %ymm1, %ymm1\nvpaddw 8128(%r12), %ymm1, %ymm1\nvmovdqa 7264(%r12), %ymm6\nvpsubw %ymm2, %ymm6, %ymm7\nvmovdqa 8416(%r12), %ymm2\nvpsubw %ymm7, %ymm2, %ymm2\nvpsubw 7840(%r12), %ymm2, %ymm2\nvpsubw %ymm0, %ymm7, %ymm7\nvpaddw %ymm4, %ymm7, %ymm7\nvmovdqa 6976(%r12), %ymm8\nvmovdqa 7840(%r12), %ymm9\nvmovdqa %ymm8, 1024(%r8)\nvmovdqa %ymm0, 1056(%r8)\nvmovdqa %ymm1, 1088(%r8)\nvmovdqa %ymm7, 1120(%r8)\nvmovdqa %ymm5, 1152(%r8)\nvmovdqa %ymm2, 1184(%r8)\nvmovdqa %ymm3, 1216(%r8)\nvmovdqa %ymm9, 1248(%r8)\nvmovdqa 8800(%r12), %ymm0\nvpsubw 8896(%r12), %ymm0, %ymm0\nvmovdqa 9184(%r12), %ymm1\nvpsubw %ymm0, %ymm1, %ymm1\nvpsubw 8992(%r12), %ymm1, %ymm1\nvpsubw 8704(%r12), %ymm0, %ymm0\nvpaddw 9088(%r12), %ymm0, %ymm0\nvmovdqa 9376(%r12), %ymm2\nvpsubw 9472(%r12), %ymm2, %ymm2\nvmovdqa 9760(%r12), %ymm3\nvpsubw %ymm2, %ymm3, %ymm3\nvpsubw 9568(%r12), %ymm3, %ymm3\nvpsubw 9280(%r12), %ymm2, %ymm2\nvpaddw 9664(%r12), %ymm2, %ymm2\nvmovdqa 9952(%r12), %ymm4\nvpsubw 10048(%r12), %ymm4, %ymm4\nvmovdqa 10336(%r12), %ymm5\nvpsubw %ymm4, %ymm5, %ymm5\nvpsubw 10144(%r12), %ymm5, %ymm5\nvpsubw 9856(%r12), %ymm4, %ymm4\nvpaddw 10240(%r12), %ymm4, %ymm4\nvpsubw 9280(%r12), %ymm1, %ymm1\nvpsubw %ymm1, %ymm5, %ymm5\nvpsubw %ymm3, %ymm5, %ymm5\nvpsubw 8704(%r12), %ymm1, %ymm1\nvpaddw 9856(%r12), %ymm1, %ymm1\nvmovdqa 8992(%r12), %ymm6\nvpsubw %ymm2, %ymm6, %ymm7\nvmovdqa 10144(%r12), %ymm2\nvpsubw %ymm7, %ymm2, %ymm2\nvpsubw 9568(%r12), %ymm2, %ymm2\nvpsubw %ymm0, %ymm7, %ymm7\nvpaddw %ymm4, %ymm7, %ymm7\nvmovdqa 8704(%r12), %ymm8\nvmovdqa 9568(%r12), %ymm9\nvmovdqa %ymm8, 1280(%r8)\nvmovdqa %ymm0, 1312(%r8)\nvmovdqa %ymm1, 1344(%r8)\nvmovdqa %ymm7, 1376(%r8)\nvmovdqa %ymm5, 1408(%r8)\nvmovdqa %ymm2, 1440(%r8)\nvmovdqa %ymm3, 1472(%r8)\nvmovdqa %ymm9, 1504(%r8)\nvmovdqa 10528(%r12), %ymm0\nvpsubw 10624(%r12), %ymm0, %ymm0\nvmovdqa 10912(%r12), %ymm1\nvpsubw %ymm0, %ymm1, %ymm1\nvpsubw 10720(%r12), %ymm1, %ymm1\nvpsubw 10432(%r12), %ymm0, %ymm0\nvpaddw 10816(%r12), %ymm0, %ymm0\nvmovdqa 11104(%r12), %ymm2\nvpsubw 11200(%r12), %ymm2, %ymm2\nvmovdqa 11488(%r12), %ymm3\nvpsubw %ymm2, %ymm3, %ymm3\nvpsubw 11296(%r12), %ymm3, %ymm3\nvpsubw 11008(%r12), %ymm2, %ymm2\nvpaddw 11392(%r12), %ymm2, %ymm2\nvmovdqa 11680(%r12), %ymm4\nvpsubw 11776(%r12), %ymm4, %ymm4\nvmovdqa 12064(%r12), %ymm5\nvpsubw %ymm4, %ymm5, %ymm5\nvpsubw 11872(%r12), %ymm5, %ymm5\nvpsubw 11584(%r12), %ymm4, %ymm4\nvpaddw 11968(%r12), %ymm4, %ymm4\nvpsubw 11008(%r12), %ymm1, %ymm1\nvpsubw %ymm1, %ymm5, %ymm5\nvpsubw %ymm3, %ymm5, %ymm5\nvpsubw 10432(%r12), %ymm1, %ymm1\nvpaddw 11584(%r12), %ymm1, %ymm1\nvmovdqa 10720(%r12), %ymm6\nvpsubw %ymm2, %ymm6, %ymm7\nvmovdqa 11872(%r12), %ymm2\nvpsubw %ymm7, %ymm2, %ymm2\nvpsubw 11296(%r12), %ymm2, %ymm2\nvpsubw %ymm0, %ymm7, %ymm7\nvpaddw %ymm4, %ymm7, %ymm7\nvmovdqa 10432(%r12), %ymm8\nvmovdqa 11296(%r12), %ymm9\nvmovdqa %ymm8, 1536(%r8)\nvmovdqa %ymm0, 1568(%r8)\nvmovdqa %ymm1, 1600(%r8)\nvmovdqa %ymm7, 1632(%r8)\nvmovdqa %ymm5, 1664(%r8)\nvmovdqa %ymm2, 1696(%r8)\nvmovdqa %ymm3, 1728(%r8)\nvmovdqa %ymm9, 1760(%r8)\nvmovdqa 0(%r8), %ymm11\nvpunpcklwd const0(%rip), %ymm11, %ymm4\nvpunpckhwd const0(%rip), %ymm11, %ymm2\nvpslld $1, %ymm4, %ymm4\nvpslld $1, %ymm2, %ymm2\nvmovdqa 256(%r8), %ymm9\nvpunpcklwd const0(%rip), %ymm9, %ymm8\nvpunpckhwd const0(%rip), %ymm9, %ymm9\nvmovdqa 512(%r8), %ymm6\nvpunpcklwd const0(%rip), %ymm6, %ymm5\nvpunpckhwd const0(%rip), %ymm6, %ymm6\nvpaddd %ymm5, %ymm8, %ymm3\nvpaddd %ymm6, %ymm9, %ymm7\nvpsubd %ymm4, %ymm3, %ymm3\nvpsubd %ymm2, %ymm7, %ymm7\nvpsubd %ymm5, %ymm8, %ymm5\nvpsubd %ymm6, %ymm9, %ymm6\nvpsrld $1, %ymm5, %ymm5\nvpsrld $1, %ymm6, %ymm6\nvpand mask32_to_16(%rip), %ymm5, %ymm5\nvpand mask32_to_16(%rip), %ymm6, %ymm6\nvpackusdw %ymm6, %ymm5, %ymm6\nvmovdqa 1536(%r8), %ymm5\nvpunpcklwd const0(%rip), %ymm5, %ymm9\nvpunpckhwd const0(%rip), %ymm5, %ymm8\nvpslld $1, %ymm9, %ymm9\nvpslld $1, %ymm8, %ymm8\nvpsubd %ymm9, %ymm3, %ymm3\nvpsubd %ymm8, %ymm7, %ymm7\nvpsrld $1, %ymm3, %ymm3\nvpsrld $1, %ymm7, %ymm7\nvpand mask32_to_16(%rip), %ymm3, %ymm3\nvpand mask32_to_16(%rip), %ymm7, %ymm7\nvpackusdw %ymm7, %ymm3, %ymm7\nvmovdqa 768(%r8), %ymm3\nvpaddw 1024(%r8), %ymm3, %ymm8\nvpsubw 1024(%r8), %ymm3, %ymm3\nvpsrlw $2, %ymm3, %ymm3\nvpsubw %ymm6, %ymm3, %ymm3\nvpmullw %ymm14, %ymm3, %ymm3\nvpsllw $1, %ymm11, %ymm9\nvpsubw %ymm9, %ymm8, %ymm9\nvpsllw $7, %ymm5, %ymm8\nvpsubw %ymm8, %ymm9, %ymm8\nvpsrlw $3, %ymm8, %ymm8\nvpsubw %ymm7, %ymm8, %ymm8\nvmovdqa 1280(%r8), %ymm9\nvpsubw %ymm11, %ymm9, %ymm9\nvpmullw %ymm15, %ymm5, %ymm2\nvpsubw %ymm2, %ymm9, %ymm2\nvpmullw %ymm14, %ymm8, %ymm8\nvpsubw %ymm8, %ymm7, %ymm7\nvpmullw %ymm12, %ymm8, %ymm9\nvpaddw %ymm9, %ymm7, %ymm9\nvpmullw %ymm12, %ymm9, %ymm9\nvpsubw %ymm9, %ymm2, %ymm9\nvpmullw %ymm14, %ymm9, %ymm9\nvpsubw %ymm6, %ymm9, %ymm9\nvpsrlw $3, %ymm9, %ymm9\nvpsubw %ymm3, %ymm9, %ymm9\nvpsubw %ymm9, %ymm3, %ymm3\nvpsubw %ymm3, %ymm6, %ymm6\nvpmullw %ymm13, %ymm9, %ymm9\nvpsubw %ymm9, %ymm6, %ymm6\nvpshufb shuf48_16(%rip), %ymm8, %ymm8\nvpand mask3_5_4_3_1(%rip), %ymm8, %ymm2\nvpand mask5_3_5_3(%rip), %ymm8, %ymm8\nvpermq $139, %ymm2, %ymm2\nvpand mask_keephigh(%rip), %ymm2, %ymm4\nvpor %ymm4, %ymm8, %ymm8\nvpaddw 2048(%r8), %ymm11, %ymm11\nvpaddw %ymm8, %ymm11, %ymm11\nvmovdqa %xmm2, 2048(%r8)\nvpshufb shuf48_16(%rip), %ymm9, %ymm9\nvpand mask3_5_4_3_1(%rip), %ymm9, %ymm2\nvpand mask5_3_5_3(%rip), %ymm9, %ymm9\nvpermq $139, %ymm2, %ymm2\nvpand mask_keephigh(%rip), %ymm2, %ymm4\nvpor %ymm4, %ymm9, %ymm9\nvpaddw 2304(%r8), %ymm6, %ymm6\nvpaddw %ymm9, %ymm6, %ymm6\nvmovdqa %xmm2, 2304(%r8)\nvpshufb shuf48_16(%rip), %ymm5, %ymm5\nvpand mask3_5_4_3_1(%rip), %ymm5, %ymm2\nvpand mask5_3_5_3(%rip), %ymm5, %ymm5\nvpermq $139, %ymm2, %ymm2\nvpand mask_keephigh(%rip), %ymm2, %ymm4\nvpor %ymm4, %ymm5, %ymm5\nvpaddw 2560(%r8), %ymm7, %ymm7\nvpaddw %ymm5, %ymm7, %ymm7\nvmovdqa %xmm2, 2560(%r8)\nvpand mask_mod8192(%rip), %ymm11, %ymm11\nvmovdqu %xmm11, 64(%rdi)\nvextracti128 $1, %ymm11, %xmm11\nvmovq %xmm11, 80(%rdi)\nvpand mask_mod8192(%rip), %ymm6, %ymm6\nvmovdqu %xmm6, 416(%rdi)\nvextracti128 $1, %ymm6, %xmm6\nvmovq %xmm6, 432(%rdi)\nvpand mask_mod8192(%rip), %ymm7, %ymm7\nvmovdqu %xmm7, 768(%rdi)\nvextracti128 $1, %ymm7, %xmm7\nvmovq %xmm7, 784(%rdi)\nvpand mask_mod8192(%rip), %ymm3, %ymm3\nvmovdqu %xmm3, 1120(%rdi)\nvextracti128 $1, %ymm3, %xmm3\nvmovq %xmm3, 1136(%rdi)\nvmovdqa 32(%r8), %ymm5\nvpunpcklwd const0(%rip), %ymm5, %ymm9\nvpunpckhwd const0(%rip), %ymm5, %ymm8\nvpslld $1, %ymm9, %ymm9\nvpslld $1, %ymm8, %ymm8\nvmovdqa 288(%r8), %ymm3\nvpunpcklwd const0(%rip), %ymm3, %ymm7\nvpunpckhwd const0(%rip), %ymm3, %ymm3\nvmovdqa 544(%r8), %ymm6\nvpunpcklwd const0(%rip), %ymm6, %ymm11\nvpunpckhwd const0(%rip), %ymm6, %ymm6\nvpaddd %ymm11, %ymm7, %ymm2\nvpaddd %ymm6, %ymm3, %ymm4\nvpsubd %ymm9, %ymm2, %ymm2\nvpsubd %ymm8, %ymm4, %ymm4\nvpsubd %ymm11, %ymm7, %ymm11\nvpsubd %ymm6, %ymm3, %ymm6\nvpsrld $1, %ymm11, %ymm11\nvpsrld $1, %ymm6, %ymm6\nvpand mask32_to_16(%rip), %ymm11, %ymm11\nvpand mask32_to_16(%rip), %ymm6, %ymm6\nvpackusdw %ymm6, %ymm11, %ymm6\nvmovdqa 1568(%r8), %ymm11\nvpunpcklwd const0(%rip), %ymm11, %ymm3\nvpunpckhwd const0(%rip), %ymm11, %ymm7\nvpslld $1, %ymm3, %ymm3\nvpslld $1, %ymm7, %ymm7\nvpsubd %ymm3, %ymm2, %ymm2\nvpsubd %ymm7, %ymm4, %ymm4\nvpsrld $1, %ymm2, %ymm2\nvpsrld $1, %ymm4, %ymm4\nvpand mask32_to_16(%rip), %ymm2, %ymm2\nvpand mask32_to_16(%rip), %ymm4, %ymm4\nvpackusdw %ymm4, %ymm2, %ymm4\nvmovdqa 800(%r8), %ymm2\nvpaddw 1056(%r8), %ymm2, %ymm7\nvpsubw 1056(%r8), %ymm2, %ymm2\nvpsrlw $2, %ymm2, %ymm2\nvpsubw %ymm6, %ymm2, %ymm2\nvpmullw %ymm14, %ymm2, %ymm2\nvpsllw $1, %ymm5, %ymm3\nvpsubw %ymm3, %ymm7, %ymm3\nvpsllw $7, %ymm11, %ymm7\nvpsubw %ymm7, %ymm3, %ymm7\nvpsrlw $3, %ymm7, %ymm7\nvpsubw %ymm4, %ymm7, %ymm7\nvmovdqa 1312(%r8), %ymm3\nvpsubw %ymm5, %ymm3, %ymm3\nvpmullw %ymm15, %ymm11, %ymm8\nvpsubw %ymm8, %ymm3, %ymm8\nvpmullw %ymm14, %ymm7, %ymm7\nvpsubw %ymm7, %ymm4, %ymm4\nvpmullw %ymm12, %ymm7, %ymm3\nvpaddw %ymm3, %ymm4, %ymm3\nvpmullw %ymm12, %ymm3, %ymm3\nvpsubw %ymm3, %ymm8, %ymm3\nvpmullw %ymm14, %ymm3, %ymm3\nvpsubw %ymm6, %ymm3, %ymm3\nvpsrlw $3, %ymm3, %ymm3\nvpsubw %ymm2, %ymm3, %ymm3\nvpsubw %ymm3, %ymm2, %ymm2\nvpsubw %ymm2, %ymm6, %ymm6\nvpmullw %ymm13, %ymm3, %ymm3\nvpsubw %ymm3, %ymm6, %ymm6\nvpshufb shuf48_16(%rip), %ymm7, %ymm7\nvpand mask3_5_4_3_1(%rip), %ymm7, %ymm8\nvpand mask5_3_5_3(%rip), %ymm7, %ymm7\nvpermq $139, %ymm8, %ymm8\nvpand mask_keephigh(%rip), %ymm8, %ymm9\nvpor %ymm9, %ymm7, %ymm7\nvpaddw 2080(%r8), %ymm5, %ymm5\nvpaddw %ymm7, %ymm5, %ymm5\nvmovdqa %xmm8, 2080(%r8)\nvpshufb shuf48_16(%rip), %ymm3, %ymm3\nvpand mask3_5_4_3_1(%rip), %ymm3, %ymm8\nvpand mask5_3_5_3(%rip), %ymm3, %ymm3\nvpermq $139, %ymm8, %ymm8\nvpand mask_keephigh(%rip), %ymm8, %ymm9\nvpor %ymm9, %ymm3, %ymm3\nvpaddw 2336(%r8), %ymm6, %ymm6\nvpaddw %ymm3, %ymm6, %ymm6\nvmovdqa %xmm8, 2336(%r8)\nvpshufb shuf48_16(%rip), %ymm11, %ymm11\nvpand mask3_5_4_3_1(%rip), %ymm11, %ymm8\nvpand mask5_3_5_3(%rip), %ymm11, %ymm11\nvpermq $139, %ymm8, %ymm8\nvpand mask_keephigh(%rip), %ymm8, %ymm9\nvpor %ymm9, %ymm11, %ymm11\nvpaddw 2592(%r8), %ymm4, %ymm4\nvpaddw %ymm11, %ymm4, %ymm4\nvmovdqa %xmm8, 2592(%r8)\nvpand mask_mod8192(%rip), %ymm5, %ymm5\nvmovdqu %xmm5, 152(%rdi)\nvextracti128 $1, %ymm5, %xmm5\nvmovq %xmm5, 168(%rdi)\nvpand mask_mod8192(%rip), %ymm6, %ymm6\nvmovdqu %xmm6, 504(%rdi)\nvextracti128 $1, %ymm6, %xmm6\nvmovq %xmm6, 520(%rdi)\nvpand mask_mod8192(%rip), %ymm4, %ymm4\nvmovdqu %xmm4, 856(%rdi)\nvextracti128 $1, %ymm4, %xmm4\nvmovq %xmm4, 872(%rdi)\nvpand mask_mod8192(%rip), %ymm2, %ymm2\nvmovdqu %xmm2, 1208(%rdi)\nvextracti128 $1, %ymm2, %xmm2\nvmovq %xmm2, 1224(%rdi)\nvmovdqa 64(%r8), %ymm11\nvpunpcklwd const0(%rip), %ymm11, %ymm3\nvpunpckhwd const0(%rip), %ymm11, %ymm7\nvpslld $1, %ymm3, %ymm3\nvpslld $1, %ymm7, %ymm7\nvmovdqa 320(%r8), %ymm2\nvpunpcklwd const0(%rip), %ymm2, %ymm4\nvpunpckhwd const0(%rip), %ymm2, %ymm2\nvmovdqa 576(%r8), %ymm6\nvpunpcklwd const0(%rip), %ymm6, %ymm5\nvpunpckhwd const0(%rip), %ymm6, %ymm6\nvpaddd %ymm5, %ymm4, %ymm8\nvpaddd %ymm6, %ymm2, %ymm9\nvpsubd %ymm3, %ymm8, %ymm8\nvpsubd %ymm7, %ymm9, %ymm9\nvpsubd %ymm5, %ymm4, %ymm5\nvpsubd %ymm6, %ymm2, %ymm6\nvpsrld $1, %ymm5, %ymm5\nvpsrld $1, %ymm6, %ymm6\nvpand mask32_to_16(%rip), %ymm5, %ymm5\nvpand mask32_to_16(%rip), %ymm6, %ymm6\nvpackusdw %ymm6, %ymm5, %ymm6\nvmovdqa 1600(%r8), %ymm5\nvpunpcklwd const0(%rip), %ymm5, %ymm2\nvpunpckhwd const0(%rip), %ymm5, %ymm4\nvpslld $1, %ymm2, %ymm2\nvpslld $1, %ymm4, %ymm4\nvpsubd %ymm2, %ymm8, %ymm8\nvpsubd %ymm4, %ymm9, %ymm9\nvpsrld $1, %ymm8, %ymm8\nvpsrld $1, %ymm9, %ymm9\nvpand mask32_to_16(%rip), %ymm8, %ymm8\nvpand mask32_to_16(%rip), %ymm9, %ymm9\nvpackusdw %ymm9, %ymm8, %ymm9\nvmovdqa 832(%r8), %ymm8\nvpaddw 1088(%r8), %ymm8, %ymm4\nvpsubw 1088(%r8), %ymm8, %ymm8\nvpsrlw $2, %ymm8, %ymm8\nvpsubw %ymm6, %ymm8, %ymm8\nvpmullw %ymm14, %ymm8, %ymm8\nvpsllw $1, %ymm11, %ymm2\nvpsubw %ymm2, %ymm4, %ymm2\nvpsllw $7, %ymm5, %ymm4\nvpsubw %ymm4, %ymm2, %ymm4\nvpsrlw $3, %ymm4, %ymm4\nvpsubw %ymm9, %ymm4, %ymm4\nvmovdqa 1344(%r8), %ymm2\nvpsubw %ymm11, %ymm2, %ymm2\nvpmullw %ymm15, %ymm5, %ymm7\nvpsubw %ymm7, %ymm2, %ymm7\nvpmullw %ymm14, %ymm4, %ymm4\nvpsubw %ymm4, %ymm9, %ymm9\nvpmullw %ymm12, %ymm4, %ymm2\nvpaddw %ymm2, %ymm9, %ymm2\nvpmullw %ymm12, %ymm2, %ymm2\nvpsubw %ymm2, %ymm7, %ymm2\nvpmullw %ymm14, %ymm2, %ymm2\nvpsubw %ymm6, %ymm2, %ymm2\nvpsrlw $3, %ymm2, %ymm2\nvpsubw %ymm8, %ymm2, %ymm2\nvpsubw %ymm2, %ymm8, %ymm8\nvpsubw %ymm8, %ymm6, %ymm6\nvpmullw %ymm13, %ymm2, %ymm2\nvpsubw %ymm2, %ymm6, %ymm6\nvpshufb shuf48_16(%rip), %ymm4, %ymm4\nvpand mask3_5_4_3_1(%rip), %ymm4, %ymm7\nvpand mask5_3_5_3(%rip), %ymm4, %ymm4\nvpermq $139, %ymm7, %ymm7\nvpand mask_keephigh(%rip), %ymm7, %ymm3\nvpor %ymm3, %ymm4, %ymm4\nvpaddw 2112(%r8), %ymm11, %ymm11\nvpaddw %ymm4, %ymm11, %ymm11\nvmovdqa %xmm7, 2112(%r8)\nvpshufb shuf48_16(%rip), %ymm2, %ymm2\nvpand mask3_5_4_3_1(%rip), %ymm2, %ymm7\nvpand mask5_3_5_3(%rip), %ymm2, %ymm2\nvpermq $139, %ymm7, %ymm7\nvpand mask_keephigh(%rip), %ymm7, %ymm3\nvpor %ymm3, %ymm2, %ymm2\nvpaddw 2368(%r8), %ymm6, %ymm6\nvpaddw %ymm2, %ymm6, %ymm6\nvmovdqa %xmm7, 2368(%r8)\nvpshufb shuf48_16(%rip), %ymm5, %ymm5\nvpand mask3_5_4_3_1(%rip), %ymm5, %ymm7\nvpand mask5_3_5_3(%rip), %ymm5, %ymm5\nvpermq $139, %ymm7, %ymm7\nvpand mask_keephigh(%rip), %ymm7, %ymm3\nvpor %ymm3, %ymm5, %ymm5\nvpaddw 2624(%r8), %ymm9, %ymm9\nvpaddw %ymm5, %ymm9, %ymm9\nvmovdqa %xmm7, 2624(%r8)\nvpand mask_mod8192(%rip), %ymm11, %ymm11\nvmovdqu %xmm11, 240(%rdi)\nvextracti128 $1, %ymm11, %xmm11\nvmovq %xmm11, 256(%rdi)\nvpand mask_mod8192(%rip), %ymm6, %ymm6\nvmovdqu %xmm6, 592(%rdi)\nvextracti128 $1, %ymm6, %xmm6\nvmovq %xmm6, 608(%rdi)\nvpand mask_mod8192(%rip), %ymm9, %ymm9\nvmovdqu %xmm9, 944(%rdi)\nvextracti128 $1, %ymm9, %xmm9\nvmovq %xmm9, 960(%rdi)\nvpand mask_mod8192(%rip), %ymm8, %ymm8\nvmovdqu %xmm8, 1296(%rdi)\nvextracti128 $1, %ymm8, %xmm8\nvmovq %xmm8, 1312(%rdi)\nvmovdqa 96(%r8), %ymm5\nvpunpcklwd const0(%rip), %ymm5, %ymm2\nvpunpckhwd const0(%rip), %ymm5, %ymm4\nvpslld $1, %ymm2, %ymm2\nvpslld $1, %ymm4, %ymm4\nvmovdqa 352(%r8), %ymm8\nvpunpcklwd const0(%rip), %ymm8, %ymm9\nvpunpckhwd const0(%rip), %ymm8, %ymm8\nvmovdqa 608(%r8), %ymm6\nvpunpcklwd const0(%rip), %ymm6, %ymm11\nvpunpckhwd const0(%rip), %ymm6, %ymm6\nvpaddd %ymm11, %ymm9, %ymm7\nvpaddd %ymm6, %ymm8, %ymm3\nvpsubd %ymm2, %ymm7, %ymm7\nvpsubd %ymm4, %ymm3, %ymm3\nvpsubd %ymm11, %ymm9, %ymm11\nvpsubd %ymm6, %ymm8, %ymm6\nvpsrld $1, %ymm11, %ymm11\nvpsrld $1, %ymm6, %ymm6\nvpand mask32_to_16(%rip), %ymm11, %ymm11\nvpand mask32_to_16(%rip), %ymm6, %ymm6\nvpackusdw %ymm6, %ymm11, %ymm6\nvmovdqa 1632(%r8), %ymm11\nvpunpcklwd const0(%rip), %ymm11, %ymm8\nvpunpckhwd const0(%rip), %ymm11, %ymm9\nvpslld $1, %ymm8, %ymm8\nvpslld $1, %ymm9, %ymm9\nvpsubd %ymm8, %ymm7, %ymm7\nvpsubd %ymm9, %ymm3, %ymm3\nvpsrld $1, %ymm7, %ymm7\nvpsrld $1, %ymm3, %ymm3\nvpand mask32_to_16(%rip), %ymm7, %ymm7\nvpand mask32_to_16(%rip), %ymm3, %ymm3\nvpackusdw %ymm3, %ymm7, %ymm3\nvmovdqa 864(%r8), %ymm7\nvpaddw 1120(%r8), %ymm7, %ymm9\nvpsubw 1120(%r8), %ymm7, %ymm7\nvpsrlw $2, %ymm7, %ymm7\nvpsubw %ymm6, %ymm7, %ymm7\nvpmullw %ymm14, %ymm7, %ymm7\nvpsllw $1, %ymm5, %ymm8\nvpsubw %ymm8, %ymm9, %ymm8\nvpsllw $7, %ymm11, %ymm9\nvpsubw %ymm9, %ymm8, %ymm9\nvpsrlw $3, %ymm9, %ymm9\nvpsubw %ymm3, %ymm9, %ymm9\nvmovdqa 1376(%r8), %ymm8\nvpsubw %ymm5, %ymm8, %ymm8\nvpmullw %ymm15, %ymm11, %ymm4\nvpsubw %ymm4, %ymm8, %ymm4\nvpmullw %ymm14, %ymm9, %ymm9\nvpsubw %ymm9, %ymm3, %ymm3\nvpmullw %ymm12, %ymm9, %ymm8\nvpaddw %ymm8, %ymm3, %ymm8\nvpmullw %ymm12, %ymm8, %ymm8\nvpsubw %ymm8, %ymm4, %ymm8\nvpmullw %ymm14, %ymm8, %ymm8\nvpsubw %ymm6, %ymm8, %ymm8\nvpsrlw $3, %ymm8, %ymm8\nvpsubw %ymm7, %ymm8, %ymm8\nvpsubw %ymm8, %ymm7, %ymm7\nvpsubw %ymm7, %ymm6, %ymm6\nvpmullw %ymm13, %ymm8, %ymm8\nvpsubw %ymm8, %ymm6, %ymm6\nvpshufb shuf48_16(%rip), %ymm9, %ymm9\nvpand mask3_5_4_3_1(%rip), %ymm9, %ymm4\nvpand mask5_3_5_3(%rip), %ymm9, %ymm9\nvpermq $139, %ymm4, %ymm4\nvpand mask_keephigh(%rip), %ymm4, %ymm2\nvpor %ymm2, %ymm9, %ymm9\nvpaddw 2144(%r8), %ymm5, %ymm5\nvpaddw %ymm9, %ymm5, %ymm5\nvmovdqa %xmm4, 2144(%r8)\nvpshufb shuf48_16(%rip), %ymm8, %ymm8\nvpand mask3_5_4_3_1(%rip), %ymm8, %ymm4\nvpand mask5_3_5_3(%rip), %ymm8, %ymm8\nvpermq $139, %ymm4, %ymm4\nvpand mask_keephigh(%rip), %ymm4, %ymm2\nvpor %ymm2, %ymm8, %ymm8\nvpaddw 2400(%r8), %ymm6, %ymm6\nvpaddw %ymm8, %ymm6, %ymm6\nvmovdqa %xmm4, 2400(%r8)\nvpshufb shuf48_16(%rip), %ymm11, %ymm11\nvpand mask3_5_4_3_1(%rip), %ymm11, %ymm4\nvpand mask5_3_5_3(%rip), %ymm11, %ymm11\nvpermq $139, %ymm4, %ymm4\nvpand mask_keephigh(%rip), %ymm4, %ymm2\nvpor %ymm2, %ymm11, %ymm11\nvpaddw 2656(%r8), %ymm3, %ymm3\nvpaddw %ymm11, %ymm3, %ymm3\nvmovdqa %xmm4, 2656(%r8)\nvpand mask_mod8192(%rip), %ymm5, %ymm5\nvmovdqu %xmm5, 328(%rdi)\nvextracti128 $1, %ymm5, %xmm5\nvmovq %xmm5, 344(%rdi)\nvpshufb shufmin1_mask3(%rip), %ymm5, %ymm5\nvmovdqa %xmm5, 1792(%r8)\nvpand mask_mod8192(%rip), %ymm6, %ymm6\nvmovdqu %xmm6, 680(%rdi)\nvextracti128 $1, %ymm6, %xmm6\nvmovq %xmm6, 696(%rdi)\nvpshufb shufmin1_mask3(%rip), %ymm6, %ymm6\nvmovdqa %xmm6, 1824(%r8)\nvpand mask_mod8192(%rip), %ymm3, %ymm3\nvmovdqu %xmm3, 1032(%rdi)\nvextracti128 $1, %ymm3, %xmm3\nvmovq %xmm3, 1048(%rdi)\nvpshufb shufmin1_mask3(%rip), %ymm3, %ymm3\nvmovdqa %xmm3, 1856(%r8)\nvpand mask_mod8192(%rip), %ymm7, %ymm7\nvmovdqu %xmm7, 1384(%rdi)\nvextracti128 $1, %ymm7, %xmm7\nvpextrw $0, %xmm7, 1400(%rdi)\nvpshufb shufmin1_mask3(%rip), %ymm7, %ymm7\nvmovdqa %xmm7, 1888(%r8)\nvmovdqa 128(%r8), %ymm11\nvpunpcklwd const0(%rip), %ymm11, %ymm8\nvpunpckhwd const0(%rip), %ymm11, %ymm9\nvpslld $1, %ymm8, %ymm8\nvpslld $1, %ymm9, %ymm9\nvmovdqa 384(%r8), %ymm7\nvpunpcklwd const0(%rip), %ymm7, %ymm3\nvpunpckhwd const0(%rip), %ymm7, %ymm7\nvmovdqa 640(%r8), %ymm6\nvpunpcklwd const0(%rip), %ymm6, %ymm5\nvpunpckhwd const0(%rip), %ymm6, %ymm6\nvpaddd %ymm5, %ymm3, %ymm4\nvpaddd %ymm6, %ymm7, %ymm2\nvpsubd %ymm8, %ymm4, %ymm4\nvpsubd %ymm9, %ymm2, %ymm2\nvpsubd %ymm5, %ymm3, %ymm5\nvpsubd %ymm6, %ymm7, %ymm6\nvpsrld $1, %ymm5, %ymm5\nvpsrld $1, %ymm6, %ymm6\nvpand mask32_to_16(%rip), %ymm5, %ymm5\nvpand mask32_to_16(%rip), %ymm6, %ymm6\nvpackusdw %ymm6, %ymm5, %ymm6\nvmovdqa 1664(%r8), %ymm5\nvpunpcklwd const0(%rip), %ymm5, %ymm7\nvpunpckhwd const0(%rip), %ymm5, %ymm3\nvpslld $1, %ymm7, %ymm7\nvpslld $1, %ymm3, %ymm3\nvpsubd %ymm7, %ymm4, %ymm4\nvpsubd %ymm3, %ymm2, %ymm2\nvpsrld $1, %ymm4, %ymm4\nvpsrld $1, %ymm2, %ymm2\nvpand mask32_to_16(%rip), %ymm4, %ymm4\nvpand mask32_to_16(%rip), %ymm2, %ymm2\nvpackusdw %ymm2, %ymm4, %ymm2\nvmovdqa 896(%r8), %ymm4\nvpaddw 1152(%r8), %ymm4, %ymm3\nvpsubw 1152(%r8), %ymm4, %ymm4\nvpsrlw $2, %ymm4, %ymm4\nvpsubw %ymm6, %ymm4, %ymm4\nvpmullw %ymm14, %ymm4, %ymm4\nvpsllw $1, %ymm11, %ymm7\nvpsubw %ymm7, %ymm3, %ymm7\nvpsllw $7, %ymm5, %ymm3\nvpsubw %ymm3, %ymm7, %ymm3\nvpsrlw $3, %ymm3, %ymm3\nvpsubw %ymm2, %ymm3, %ymm3\nvmovdqa 1408(%r8), %ymm7\nvpsubw %ymm11, %ymm7, %ymm7\nvpmullw %ymm15, %ymm5, %ymm9\nvpsubw %ymm9, %ymm7, %ymm9\nvpmullw %ymm14, %ymm3, %ymm3\nvpsubw %ymm3, %ymm2, %ymm2\nvpmullw %ymm12, %ymm3, %ymm7\nvpaddw %ymm7, %ymm2, %ymm7\nvpmullw %ymm12, %ymm7, %ymm7\nvpsubw %ymm7, %ymm9, %ymm7\nvpmullw %ymm14, %ymm7, %ymm7\nvpsubw %ymm6, %ymm7, %ymm7\nvpsrlw $3, %ymm7, %ymm7\nvpsubw %ymm4, %ymm7, %ymm7\nvpsubw %ymm7, %ymm4, %ymm4\nvpsubw %ymm4, %ymm6, %ymm6\nvpmullw %ymm13, %ymm7, %ymm7\nvpsubw %ymm7, %ymm6, %ymm6\nvmovdqu 416(%rdi), %ymm9\nvmovdqu 768(%rdi), %ymm8\nvmovdqu 1120(%rdi), %ymm10\nvpaddw %ymm11, %ymm9, %ymm11\nvpaddw %ymm6, %ymm8, %ymm6\nvpaddw %ymm2, %ymm10, %ymm2\nvpshufb shuf48_16(%rip), %ymm4, %ymm4\nvpand mask3_5_4_3_1(%rip), %ymm4, %ymm10\nvpand mask5_3_5_3(%rip), %ymm4, %ymm4\nvpermq $139, %ymm10, %ymm10\nvpand mask_keephigh(%rip), %ymm10, %ymm8\nvpor %ymm8, %ymm4, %ymm4\nvmovdqu 64(%rdi), %ymm8\nvpaddw 1920(%r8), %ymm8, %ymm8\nvpaddw %ymm4, %ymm8, %ymm8\nvpand mask_mod8192(%rip), %ymm8, %ymm8\nvmovdqu %xmm8, 64(%rdi)\nvextracti128 $1, %ymm8, %xmm8\nvmovq %xmm8, 80(%rdi)\nvmovdqa %xmm10, 1920(%r8)\nvpshufb shuf48_16(%rip), %ymm3, %ymm3\nvpand mask3_5_4_3_1(%rip), %ymm3, %ymm10\nvpand mask5_3_5_3(%rip), %ymm3, %ymm3\nvpermq $139, %ymm10, %ymm10\nvpand mask_keephigh(%rip), %ymm10, %ymm8\nvpor %ymm8, %ymm3, %ymm3\nvpaddw 2176(%r8), %ymm11, %ymm11\nvpaddw %ymm3, %ymm11, %ymm11\nvmovdqa %xmm10, 2176(%r8)\nvpshufb shuf48_16(%rip), %ymm7, %ymm7\nvpand mask3_5_4_3_1(%rip), %ymm7, %ymm10\nvpand mask5_3_5_3(%rip), %ymm7, %ymm7\nvpermq $139, %ymm10, %ymm10\nvpand mask_keephigh(%rip), %ymm10, %ymm8\nvpor %ymm8, %ymm7, %ymm7\nvpaddw 2432(%r8), %ymm6, %ymm6\nvpaddw %ymm7, %ymm6, %ymm6\nvmovdqa %xmm10, 2432(%r8)\nvpshufb shuf48_16(%rip), %ymm5, %ymm5\nvpand mask3_5_4_3_1(%rip), %ymm5, %ymm10\nvpand mask5_3_5_3(%rip), %ymm5, %ymm5\nvpermq $139, %ymm10, %ymm10\nvpand mask_keephigh(%rip), %ymm10, %ymm8\nvpor %ymm8, %ymm5, %ymm5\nvpaddw 2688(%r8), %ymm2, %ymm2\nvpaddw %ymm5, %ymm2, %ymm2\nvmovdqa %xmm10, 2688(%r8)\nvpand mask_mod8192(%rip), %ymm11, %ymm11\nvmovdqu %xmm11, 416(%rdi)\nvextracti128 $1, %ymm11, %xmm11\nvmovq %xmm11, 432(%rdi)\nvpand mask_mod8192(%rip), %ymm6, %ymm6\nvmovdqu %xmm6, 768(%rdi)\nvextracti128 $1, %ymm6, %xmm6\nvmovq %xmm6, 784(%rdi)\nvpand mask_mod8192(%rip), %ymm2, %ymm2\nvmovdqu %xmm2, 1120(%rdi)\nvextracti128 $1, %ymm2, %xmm2\nvmovq %xmm2, 1136(%rdi)\nvmovdqa 160(%r8), %ymm5\nvpunpcklwd const0(%rip), %ymm5, %ymm7\nvpunpckhwd const0(%rip), %ymm5, %ymm3\nvpslld $1, %ymm7, %ymm7\nvpslld $1, %ymm3, %ymm3\nvmovdqa 416(%r8), %ymm4\nvpunpcklwd const0(%rip), %ymm4, %ymm2\nvpunpckhwd const0(%rip), %ymm4, %ymm4\nvmovdqa 672(%r8), %ymm6\nvpunpcklwd const0(%rip), %ymm6, %ymm11\nvpunpckhwd const0(%rip), %ymm6, %ymm6\nvpaddd %ymm11, %ymm2, %ymm10\nvpaddd %ymm6, %ymm4, %ymm8\nvpsubd %ymm7, %ymm10, %ymm10\nvpsubd %ymm3, %ymm8, %ymm8\nvpsubd %ymm11, %ymm2, %ymm11\nvpsubd %ymm6, %ymm4, %ymm6\nvpsrld $1, %ymm11, %ymm11\nvpsrld $1, %ymm6, %ymm6\nvpand mask32_to_16(%rip), %ymm11, %ymm11\nvpand mask32_to_16(%rip), %ymm6, %ymm6\nvpackusdw %ymm6, %ymm11, %ymm6\nvmovdqa 1696(%r8), %ymm11\nvpunpcklwd const0(%rip), %ymm11, %ymm4\nvpunpckhwd const0(%rip), %ymm11, %ymm2\nvpslld $1, %ymm4, %ymm4\nvpslld $1, %ymm2, %ymm2\nvpsubd %ymm4, %ymm10, %ymm10\nvpsubd %ymm2, %ymm8, %ymm8\nvpsrld $1, %ymm10, %ymm10\nvpsrld $1, %ymm8, %ymm8\nvpand mask32_to_16(%rip), %ymm10, %ymm10\nvpand mask32_to_16(%rip), %ymm8, %ymm8\nvpackusdw %ymm8, %ymm10, %ymm8\nvmovdqa 928(%r8), %ymm10\nvpaddw 1184(%r8), %ymm10, %ymm2\nvpsubw 1184(%r8), %ymm10, %ymm10\nvpsrlw $2, %ymm10, %ymm10\nvpsubw %ymm6, %ymm10, %ymm10\nvpmullw %ymm14, %ymm10, %ymm10\nvpsllw $1, %ymm5, %ymm4\nvpsubw %ymm4, %ymm2, %ymm4\nvpsllw $7, %ymm11, %ymm2\nvpsubw %ymm2, %ymm4, %ymm2\nvpsrlw $3, %ymm2, %ymm2\nvpsubw %ymm8, %ymm2, %ymm2\nvmovdqa 1440(%r8), %ymm4\nvpsubw %ymm5, %ymm4, %ymm4\nvpmullw %ymm15, %ymm11, %ymm3\nvpsubw %ymm3, %ymm4, %ymm3\nvpmullw %ymm14, %ymm2, %ymm2\nvpsubw %ymm2, %ymm8, %ymm8\nvpmullw %ymm12, %ymm2, %ymm4\nvpaddw %ymm4, %ymm8, %ymm4\nvpmullw %ymm12, %ymm4, %ymm4\nvpsubw %ymm4, %ymm3, %ymm4\nvpmullw %ymm14, %ymm4, %ymm4\nvpsubw %ymm6, %ymm4, %ymm4\nvpsrlw $3, %ymm4, %ymm4\nvpsubw %ymm10, %ymm4, %ymm4\nvpsubw %ymm4, %ymm10, %ymm10\nvpsubw %ymm10, %ymm6, %ymm6\nvpmullw %ymm13, %ymm4, %ymm4\nvpsubw %ymm4, %ymm6, %ymm6\nvmovdqu 504(%rdi), %ymm3\nvmovdqu 856(%rdi), %ymm7\nvmovdqu 1208(%rdi), %ymm9\nvpaddw %ymm5, %ymm3, %ymm5\nvpaddw %ymm6, %ymm7, %ymm6\nvpaddw %ymm8, %ymm9, %ymm8\nvpshufb shuf48_16(%rip), %ymm10, %ymm10\nvpand mask3_5_4_3_1(%rip), %ymm10, %ymm9\nvpand mask5_3_5_3(%rip), %ymm10, %ymm10\nvpermq $139, %ymm9, %ymm9\nvpand mask_keephigh(%rip), %ymm9, %ymm7\nvpor %ymm7, %ymm10, %ymm10\nvmovdqu 152(%rdi), %ymm7\nvpaddw 1952(%r8), %ymm7, %ymm7\nvpaddw %ymm10, %ymm7, %ymm7\nvpand mask_mod8192(%rip), %ymm7, %ymm7\nvmovdqu %xmm7, 152(%rdi)\nvextracti128 $1, %ymm7, %xmm7\nvmovq %xmm7, 168(%rdi)\nvmovdqa %xmm9, 1952(%r8)\nvpshufb shuf48_16(%rip), %ymm2, %ymm2\nvpand mask3_5_4_3_1(%rip), %ymm2, %ymm9\nvpand mask5_3_5_3(%rip), %ymm2, %ymm2\nvpermq $139, %ymm9, %ymm9\nvpand mask_keephigh(%rip), %ymm9, %ymm7\nvpor %ymm7, %ymm2, %ymm2\nvpaddw 2208(%r8), %ymm5, %ymm5\nvpaddw %ymm2, %ymm5, %ymm5\nvmovdqa %xmm9, 2208(%r8)\nvpshufb shuf48_16(%rip), %ymm4, %ymm4\nvpand mask3_5_4_3_1(%rip), %ymm4, %ymm9\nvpand mask5_3_5_3(%rip), %ymm4, %ymm4\nvpermq $139, %ymm9, %ymm9\nvpand mask_keephigh(%rip), %ymm9, %ymm7\nvpor %ymm7, %ymm4, %ymm4\nvpaddw 2464(%r8), %ymm6, %ymm6\nvpaddw %ymm4, %ymm6, %ymm6\nvmovdqa %xmm9, 2464(%r8)\nvpshufb shuf48_16(%rip), %ymm11, %ymm11\nvpand mask3_5_4_3_1(%rip), %ymm11, %ymm9\nvpand mask5_3_5_3(%rip), %ymm11, %ymm11\nvpermq $139, %ymm9, %ymm9\nvpand mask_keephigh(%rip), %ymm9, %ymm7\nvpor %ymm7, %ymm11, %ymm11\nvpaddw 2720(%r8), %ymm8, %ymm8\nvpaddw %ymm11, %ymm8, %ymm8\nvmovdqa %xmm9, 2720(%r8)\nvpand mask_mod8192(%rip), %ymm5, %ymm5\nvmovdqu %xmm5, 504(%rdi)\nvextracti128 $1, %ymm5, %xmm5\nvmovq %xmm5, 520(%rdi)\nvpand mask_mod8192(%rip), %ymm6, %ymm6\nvmovdqu %xmm6, 856(%rdi)\nvextracti128 $1, %ymm6, %xmm6\nvmovq %xmm6, 872(%rdi)\nvpand mask_mod8192(%rip), %ymm8, %ymm8\nvmovdqu %xmm8, 1208(%rdi)\nvextracti128 $1, %ymm8, %xmm8\nvmovq %xmm8, 1224(%rdi)\nvmovdqa 192(%r8), %ymm11\nvpunpcklwd const0(%rip), %ymm11, %ymm4\nvpunpckhwd const0(%rip), %ymm11, %ymm2\nvpslld $1, %ymm4, %ymm4\nvpslld $1, %ymm2, %ymm2\nvmovdqa 448(%r8), %ymm10\nvpunpcklwd const0(%rip), %ymm10, %ymm8\nvpunpckhwd const0(%rip), %ymm10, %ymm10\nvmovdqa 704(%r8), %ymm6\nvpunpcklwd const0(%rip), %ymm6, %ymm5\nvpunpckhwd const0(%rip), %ymm6, %ymm6\nvpaddd %ymm5, %ymm8, %ymm9\nvpaddd %ymm6, %ymm10, %ymm7\nvpsubd %ymm4, %ymm9, %ymm9\nvpsubd %ymm2, %ymm7, %ymm7\nvpsubd %ymm5, %ymm8, %ymm5\nvpsubd %ymm6, %ymm10, %ymm6\nvpsrld $1, %ymm5, %ymm5\nvpsrld $1, %ymm6, %ymm6\nvpand mask32_to_16(%rip), %ymm5, %ymm5\nvpand mask32_to_16(%rip), %ymm6, %ymm6\nvpackusdw %ymm6, %ymm5, %ymm6\nvmovdqa 1728(%r8), %ymm5\nvpunpcklwd const0(%rip), %ymm5, %ymm10\nvpunpckhwd const0(%rip), %ymm5, %ymm8\nvpslld $1, %ymm10, %ymm10\nvpslld $1, %ymm8, %ymm8\nvpsubd %ymm10, %ymm9, %ymm9\nvpsubd %ymm8, %ymm7, %ymm7\nvpsrld $1, %ymm9, %ymm9\nvpsrld $1, %ymm7, %ymm7\nvpand mask32_to_16(%rip), %ymm9, %ymm9\nvpand mask32_to_16(%rip), %ymm7, %ymm7\nvpackusdw %ymm7, %ymm9, %ymm7\nvmovdqa 960(%r8), %ymm9\nvpaddw 1216(%r8), %ymm9, %ymm8\nvpsubw 1216(%r8), %ymm9, %ymm9\nvpsrlw $2, %ymm9, %ymm9\nvpsubw %ymm6, %ymm9, %ymm9\nvpmullw %ymm14, %ymm9, %ymm9\nvpsllw $1, %ymm11, %ymm10\nvpsubw %ymm10, %ymm8, %ymm10\nvpsllw $7, %ymm5, %ymm8\nvpsubw %ymm8, %ymm10, %ymm8\nvpsrlw $3, %ymm8, %ymm8\nvpsubw %ymm7, %ymm8, %ymm8\nvmovdqa 1472(%r8), %ymm10\nvpsubw %ymm11, %ymm10, %ymm10\nvpmullw %ymm15, %ymm5, %ymm2\nvpsubw %ymm2, %ymm10, %ymm2\nvpmullw %ymm14, %ymm8, %ymm8\nvpsubw %ymm8, %ymm7, %ymm7\nvpmullw %ymm12, %ymm8, %ymm10\nvpaddw %ymm10, %ymm7, %ymm10\nvpmullw %ymm12, %ymm10, %ymm10\nvpsubw %ymm10, %ymm2, %ymm10\nvpmullw %ymm14, %ymm10, %ymm10\nvpsubw %ymm6, %ymm10, %ymm10\nvpsrlw $3, %ymm10, %ymm10\nvpsubw %ymm9, %ymm10, %ymm10\nvpsubw %ymm10, %ymm9, %ymm9\nvpsubw %ymm9, %ymm6, %ymm6\nvpmullw %ymm13, %ymm10, %ymm10\nvpsubw %ymm10, %ymm6, %ymm6\nvmovdqu 592(%rdi), %ymm2\nvmovdqu 944(%rdi), %ymm4\nvmovdqu 1296(%rdi), %ymm3\nvpaddw %ymm11, %ymm2, %ymm11\nvpaddw %ymm6, %ymm4, %ymm6\nvpaddw %ymm7, %ymm3, %ymm7\nvpshufb shuf48_16(%rip), %ymm9, %ymm9\nvpand mask3_5_4_3_1(%rip), %ymm9, %ymm3\nvpand mask5_3_5_3(%rip), %ymm9, %ymm9\nvpermq $139, %ymm3, %ymm3\nvpand mask_keephigh(%rip), %ymm3, %ymm4\nvpor %ymm4, %ymm9, %ymm9\nvmovdqu 240(%rdi), %ymm4\nvpaddw 1984(%r8), %ymm4, %ymm4\nvpaddw %ymm9, %ymm4, %ymm4\nvpand mask_mod8192(%rip), %ymm4, %ymm4\nvmovdqu %xmm4, 240(%rdi)\nvextracti128 $1, %ymm4, %xmm4\nvmovq %xmm4, 256(%rdi)\nvmovdqa %xmm3, 1984(%r8)\nvpshufb shuf48_16(%rip), %ymm8, %ymm8\nvpand mask3_5_4_3_1(%rip), %ymm8, %ymm3\nvpand mask5_3_5_3(%rip), %ymm8, %ymm8\nvpermq $139, %ymm3, %ymm3\nvpand mask_keephigh(%rip), %ymm3, %ymm4\nvpor %ymm4, %ymm8, %ymm8\nvpaddw 2240(%r8), %ymm11, %ymm11\nvpaddw %ymm8, %ymm11, %ymm11\nvmovdqa %xmm3, 2240(%r8)\nvpshufb shuf48_16(%rip), %ymm10, %ymm10\nvpand mask3_5_4_3_1(%rip), %ymm10, %ymm3\nvpand mask5_3_5_3(%rip), %ymm10, %ymm10\nvpermq $139, %ymm3, %ymm3\nvpand mask_keephigh(%rip), %ymm3, %ymm4\nvpor %ymm4, %ymm10, %ymm10\nvpaddw 2496(%r8), %ymm6, %ymm6\nvpaddw %ymm10, %ymm6, %ymm6\nvmovdqa %xmm3, 2496(%r8)\nvpshufb shuf48_16(%rip), %ymm5, %ymm5\nvpand mask3_5_4_3_1(%rip), %ymm5, %ymm3\nvpand mask5_3_5_3(%rip), %ymm5, %ymm5\nvpermq $139, %ymm3, %ymm3\nvpand mask_keephigh(%rip), %ymm3, %ymm4\nvpor %ymm4, %ymm5, %ymm5\nvpaddw 2752(%r8), %ymm7, %ymm7\nvpaddw %ymm5, %ymm7, %ymm7\nvmovdqa %xmm3, 2752(%r8)\nvpand mask_mod8192(%rip), %ymm11, %ymm11\nvmovdqu %xmm11, 592(%rdi)\nvextracti128 $1, %ymm11, %xmm11\nvmovq %xmm11, 608(%rdi)\nvpand mask_mod8192(%rip), %ymm6, %ymm6\nvmovdqu %xmm6, 944(%rdi)\nvextracti128 $1, %ymm6, %xmm6\nvmovq %xmm6, 960(%rdi)\nvpand mask_mod8192(%rip), %ymm7, %ymm7\nvmovdqu %xmm7, 1296(%rdi)\nvextracti128 $1, %ymm7, %xmm7\nvmovq %xmm7, 1312(%rdi)\nvmovdqa 224(%r8), %ymm5\nvpunpcklwd const0(%rip), %ymm5, %ymm10\nvpunpckhwd const0(%rip), %ymm5, %ymm8\nvpslld $1, %ymm10, %ymm10\nvpslld $1, %ymm8, %ymm8\nvmovdqa 480(%r8), %ymm9\nvpunpcklwd const0(%rip), %ymm9, %ymm7\nvpunpckhwd const0(%rip), %ymm9, %ymm9\nvmovdqa 736(%r8), %ymm6\nvpunpcklwd const0(%rip), %ymm6, %ymm11\nvpunpckhwd const0(%rip), %ymm6, %ymm6\nvpaddd %ymm11, %ymm7, %ymm3\nvpaddd %ymm6, %ymm9, %ymm4\nvpsubd %ymm10, %ymm3, %ymm3\nvpsubd %ymm8, %ymm4, %ymm4\nvpsubd %ymm11, %ymm7, %ymm11\nvpsubd %ymm6, %ymm9, %ymm6\nvpsrld $1, %ymm11, %ymm11\nvpsrld $1, %ymm6, %ymm6\nvpand mask32_to_16(%rip), %ymm11, %ymm11\nvpand mask32_to_16(%rip), %ymm6, %ymm6\nvpackusdw %ymm6, %ymm11, %ymm6\nvmovdqa 1760(%r8), %ymm11\nvpunpcklwd const0(%rip), %ymm11, %ymm9\nvpunpckhwd const0(%rip), %ymm11, %ymm7\nvpslld $1, %ymm9, %ymm9\nvpslld $1, %ymm7, %ymm7\nvpsubd %ymm9, %ymm3, %ymm3\nvpsubd %ymm7, %ymm4, %ymm4\nvpsrld $1, %ymm3, %ymm3\nvpsrld $1, %ymm4, %ymm4\nvpand mask32_to_16(%rip), %ymm3, %ymm3\nvpand mask32_to_16(%rip), %ymm4, %ymm4\nvpackusdw %ymm4, %ymm3, %ymm4\nvmovdqa 992(%r8), %ymm3\nvpaddw 1248(%r8), %ymm3, %ymm7\nvpsubw 1248(%r8), %ymm3, %ymm3\nvpsrlw $2, %ymm3, %ymm3\nvpsubw %ymm6, %ymm3, %ymm3\nvpmullw %ymm14, %ymm3, %ymm3\nvpsllw $1, %ymm5, %ymm9\nvpsubw %ymm9, %ymm7, %ymm9\nvpsllw $7, %ymm11, %ymm7\nvpsubw %ymm7, %ymm9, %ymm7\nvpsrlw $3, %ymm7, %ymm7\nvpsubw %ymm4, %ymm7, %ymm7\nvmovdqa 1504(%r8), %ymm9\nvpsubw %ymm5, %ymm9, %ymm9\nvpmullw %ymm15, %ymm11, %ymm8\nvpsubw %ymm8, %ymm9, %ymm8\nvpmullw %ymm14, %ymm7, %ymm7\nvpsubw %ymm7, %ymm4, %ymm4\nvpmullw %ymm12, %ymm7, %ymm9\nvpaddw %ymm9, %ymm4, %ymm9\nvpmullw %ymm12, %ymm9, %ymm9\nvpsubw %ymm9, %ymm8, %ymm9\nvpmullw %ymm14, %ymm9, %ymm9\nvpsubw %ymm6, %ymm9, %ymm9\nvpsrlw $3, %ymm9, %ymm9\nvpsubw %ymm3, %ymm9, %ymm9\nvpsubw %ymm9, %ymm3, %ymm3\nvpsubw %ymm3, %ymm6, %ymm6\nvpmullw %ymm13, %ymm9, %ymm9\nvpsubw %ymm9, %ymm6, %ymm6\nvextracti128 $1, %ymm4, %xmm8\nvpshufb shufmin1_mask3(%rip), %ymm8, %ymm8\nvmovdqa %ymm8, 2816(%r8)\nvextracti128 $1, %ymm3, %xmm8\nvpshufb shufmin1_mask3(%rip), %ymm8, %ymm8\nvmovdqa %ymm8, 2848(%r8)\nvextracti128 $1, %ymm7, %xmm8\nvpshufb shufmin1_mask3(%rip), %ymm8, %ymm8\nvmovdqa %ymm8, 2880(%r8)\nvmovdqu 680(%rdi), %ymm8\nvmovdqu 1032(%rdi), %ymm10\n\n# Only 18 bytes can be read at 1384, but vmovdqu reads 32.\n# Copy 18 bytes to the red zone and zero pad to 32 bytes.\nxor %r9, %r9\nmovq %r9, -16(%rsp)\nmovq %r9, -8(%rsp)\nmovq 1384(%rdi), %r9\nmovq %r9, -32(%rsp)\nmovq 1384+8(%rdi), %r9\nmovq %r9, -24(%rsp)\nmovw 1384+16(%rdi), %r9w\nmovw %r9w, -16(%rsp)\nvmovdqu -32(%rsp), %ymm2\n\nvpaddw %ymm5, %ymm8, %ymm5\nvpaddw %ymm6, %ymm10, %ymm6\nvpaddw %ymm4, %ymm2, %ymm4\nvpshufb shuf48_16(%rip), %ymm3, %ymm3\nvpand mask3_5_4_3_1(%rip), %ymm3, %ymm2\nvpand mask5_3_5_3(%rip), %ymm3, %ymm3\nvpermq $139, %ymm2, %ymm2\nvpand mask_keephigh(%rip), %ymm2, %ymm10\nvpor %ymm10, %ymm3, %ymm3\nvmovdqu 328(%rdi), %ymm10\nvpaddw 2016(%r8), %ymm10, %ymm10\nvpaddw %ymm3, %ymm10, %ymm10\nvpand mask_mod8192(%rip), %ymm10, %ymm10\nvmovdqu %xmm10, 328(%rdi)\nvextracti128 $1, %ymm10, %xmm10\nvmovq %xmm10, 344(%rdi)\nvpshufb shufmin1_mask3(%rip), %ymm10, %ymm10\nvmovdqa %xmm10, 1792(%r8)\nvmovdqa %xmm2, 2016(%r8)\nvpshufb shuf48_16(%rip), %ymm7, %ymm7\nvpand mask3_5_4_3_1(%rip), %ymm7, %ymm2\nvpand mask5_3_5_3(%rip), %ymm7, %ymm7\nvpermq $139, %ymm2, %ymm2\nvpand mask_keephigh(%rip), %ymm2, %ymm10\nvpor %ymm10, %ymm7, %ymm7\nvpaddw 2272(%r8), %ymm5, %ymm5\nvpaddw %ymm7, %ymm5, %ymm5\nvmovdqa %xmm2, 2272(%r8)\nvpshufb shuf48_16(%rip), %ymm9, %ymm9\nvpand mask3_5_4_3_1(%rip), %ymm9, %ymm2\nvpand mask5_3_5_3(%rip), %ymm9, %ymm9\nvpermq $139, %ymm2, %ymm2\nvpand mask_keephigh(%rip), %ymm2, %ymm10\nvpor %ymm10, %ymm9, %ymm9\nvpaddw 2528(%r8), %ymm6, %ymm6\nvpaddw %ymm9, %ymm6, %ymm6\nvmovdqa %xmm2, 2528(%r8)\nvpshufb shuf48_16(%rip), %ymm11, %ymm11\nvpand mask3_5_4_3_1(%rip), %ymm11, %ymm2\nvpand mask5_3_5_3(%rip), %ymm11, %ymm11\nvpermq $139, %ymm2, %ymm2\nvpand mask_keephigh(%rip), %ymm2, %ymm10\nvpor %ymm10, %ymm11, %ymm11\nvpaddw 2784(%r8), %ymm4, %ymm4\nvpaddw %ymm11, %ymm4, %ymm4\nvmovdqa %xmm2, 2784(%r8)\nvpand mask_mod8192(%rip), %ymm5, %ymm5\nvmovdqu %xmm5, 680(%rdi)\nvextracti128 $1, %ymm5, %xmm5\nvmovq %xmm5, 696(%rdi)\nvpand mask_mod8192(%rip), %ymm6, %ymm6\nvmovdqu %xmm6, 1032(%rdi)\nvextracti128 $1, %ymm6, %xmm6\nvmovq %xmm6, 1048(%rdi)\nvpand mask_mod8192(%rip), %ymm4, %ymm4\nvmovdqu %xmm4, 1384(%rdi)\nvextracti128 $1, %ymm4, %xmm4\nvpextrw $0, %xmm4, 1400(%rdi)\nvmovdqu 0(%rdi), %ymm11\nvpaddw 1888(%r8), %ymm11, %ymm11\nvpaddw 2816(%r8), %ymm11, %ymm11\nvpand mask_mod8192(%rip), %ymm11, %ymm11\nvmovdqu %ymm11, 0(%rdi)\nvmovdqu 352(%rdi), %ymm11\nvpaddw 2528(%r8), %ymm11, %ymm11\nvpaddw 2848(%r8), %ymm11, %ymm11\nvpand mask_mod8192(%rip), %ymm11, %ymm11\nvmovdqu %ymm11, 352(%rdi)\nvmovdqu 704(%rdi), %ymm11\nvpaddw 2784(%r8), %ymm11, %ymm11\nvpaddw 2880(%r8), %ymm11, %ymm11\nvpand mask_mod8192(%rip), %ymm11, %ymm11\nvmovdqu %ymm11, 704(%rdi)\nvmovdqu 88(%rdi), %ymm11\nvpaddw 2048(%r8), %ymm11, %ymm11\nvpaddw 1920(%r8), %ymm11, %ymm11\nvpand mask_mod8192(%rip), %ymm11, %ymm11\nvmovdqu %ymm11, 88(%rdi)\nvmovdqu 440(%rdi), %ymm11\nvpaddw 2304(%r8), %ymm11, %ymm11\nvpand mask_mod8192(%rip), %ymm11, %ymm11\nvmovdqu %ymm11, 440(%rdi)\nvmovdqu 792(%rdi), %ymm11\nvpaddw 2560(%r8), %ymm11, %ymm11\nvpand mask_mod8192(%rip), %ymm11, %ymm11\nvmovdqu %ymm11, 792(%rdi)\nvmovdqu 176(%rdi), %ymm11\nvpaddw 2080(%r8), %ymm11, %ymm11\nvpaddw 1952(%r8), %ymm11, %ymm11\nvpand mask_mod8192(%rip), %ymm11, %ymm11\nvmovdqu %ymm11, 176(%rdi)\nvmovdqu 528(%rdi), %ymm11\nvpaddw 2336(%r8), %ymm11, %ymm11\nvpand mask_mod8192(%rip), %ymm11, %ymm11\nvmovdqu %ymm11, 528(%rdi)\nvmovdqu 880(%rdi), %ymm11\nvpaddw 2592(%r8), %ymm11, %ymm11\nvpand mask_mod8192(%rip), %ymm11, %ymm11\nvmovdqu %ymm11, 880(%rdi)\nvmovdqu 264(%rdi), %ymm11\nvpaddw 2112(%r8), %ymm11, %ymm11\nvpaddw 1984(%r8), %ymm11, %ymm11\nvpand mask_mod8192(%rip), %ymm11, %ymm11\nvmovdqu %ymm11, 264(%rdi)\nvmovdqu 616(%rdi), %ymm11\nvpaddw 2368(%r8), %ymm11, %ymm11\nvpand mask_mod8192(%rip), %ymm11, %ymm11\nvmovdqu %ymm11, 616(%rdi)\nvmovdqu 968(%rdi), %ymm11\nvpaddw 2624(%r8), %ymm11, %ymm11\nvpand mask_mod8192(%rip), %ymm11, %ymm11\nvmovdqu %ymm11, 968(%rdi)\nvmovdqu 352(%rdi), %ymm11\nvpaddw 2144(%r8), %ymm11, %ymm11\nvpand mask_mod8192(%rip), %ymm11, %ymm11\nvmovdqu %ymm11, 352(%rdi)\nvmovdqu 704(%rdi), %ymm11\nvpaddw 2400(%r8), %ymm11, %ymm11\nvpand mask_mod8192(%rip), %ymm11, %ymm11\nvmovdqu %ymm11, 704(%rdi)\nvmovdqu 1056(%rdi), %ymm11\nvpaddw 2656(%r8), %ymm11, %ymm11\nvpand mask_mod8192(%rip), %ymm11, %ymm11\nvmovdqu %ymm11, 1056(%rdi)\nvmovdqu 440(%rdi), %ymm11\nvpaddw 2176(%r8), %ymm11, %ymm11\nvpand mask_mod8192(%rip), %ymm11, %ymm11\nvmovdqu %ymm11, 440(%rdi)\nvmovdqu 792(%rdi), %ymm11\nvpaddw 2432(%r8), %ymm11, %ymm11\nvpand mask_mod8192(%rip), %ymm11, %ymm11\nvmovdqu %ymm11, 792(%rdi)\nvmovdqu 1144(%rdi), %ymm11\nvpaddw 2688(%r8), %ymm11, %ymm11\nvpand mask_mod8192(%rip), %ymm11, %ymm11\nvmovdqu %ymm11, 1144(%rdi)\nvmovdqu 528(%rdi), %ymm11\nvpaddw 2208(%r8), %ymm11, %ymm11\nvpand mask_mod8192(%rip), %ymm11, %ymm11\nvmovdqu %ymm11, 528(%rdi)\nvmovdqu 880(%rdi), %ymm11\nvpaddw 2464(%r8), %ymm11, %ymm11\nvpand mask_mod8192(%rip), %ymm11, %ymm11\nvmovdqu %ymm11, 880(%rdi)\nvmovdqu 1232(%rdi), %ymm11\nvpaddw 2720(%r8), %ymm11, %ymm11\nvpand mask_mod8192(%rip), %ymm11, %ymm11\nvmovdqu %ymm11, 1232(%rdi)\nvmovdqu 616(%rdi), %ymm11\nvpaddw 2240(%r8), %ymm11, %ymm11\nvpand mask_mod8192(%rip), %ymm11, %ymm11\nvmovdqu %ymm11, 616(%rdi)\nvmovdqu 968(%rdi), %ymm11\nvpaddw 2496(%r8), %ymm11, %ymm11\nvpand mask_mod8192(%rip), %ymm11, %ymm11\nvmovdqu %ymm11, 968(%rdi)\nvmovdqu 1320(%rdi), %ymm11\nvpaddw 2752(%r8), %ymm11, %ymm11\nvpand mask_mod8192(%rip), %ymm11, %ymm11\nvmovdqu %ymm11, 1320(%rdi)\npop %r12\n.cfi_restore r12\npop %rbp\n.cfi_restore rbp\n.cfi_def_cfa_register rsp\n.cfi_adjust_cfa_offset -8\nret\n.cfi_endproc\n.size poly_Rq_mul,.-poly_Rq_mul\n\n#endif\n#endif // defined(__x86_64__) && defined(__linux__)\n#if defined(__linux__) && defined(__ELF__)\n.section .note.GNU-stack,\"\",%progbits\n#endif\n\n" }, { "path": "Sources/CNIOBoringSSL/crypto/hrss/hrss.cc", "content": "/* Copyright 2018 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n#include \n#include \n\n#include \n#include \n#include \n#include \n\n#include \n#include \n#include \n#include \n#include \n\n#include \"../internal.h\"\n#include \"internal.h\"\n\n#if defined(OPENSSL_SSE2)\n#include \n#endif\n\n#if (defined(OPENSSL_ARM) || defined(OPENSSL_AARCH64)) && defined(__ARM_NEON)\n#include \n#endif\n\n// This is an implementation of [HRSS], but with a KEM transformation based on\n// [SXY]. The primary references are:\n\n// HRSS: https://eprint.iacr.org/2017/667.pdf\n// HRSSNIST:\n// https://csrc.nist.gov/CSRC/media/Projects/Post-Quantum-Cryptography/documents/round-1/submissions/NTRU_HRSS_KEM.zip\n// SXY: https://eprint.iacr.org/2017/1005.pdf\n// NTRUTN14:\n// https://assets.onboardsecurity.com/static/downloads/NTRU/resources/NTRUTech014.pdf\n// NTRUCOMP: https://eprint.iacr.org/2018/1174\n// SAFEGCD: https://gcd.cr.yp.to/papers.html#safegcd\n\n\n// Vector operations.\n//\n// A couple of functions in this file can use vector operations to meaningful\n// effect. If we're building for a target that has a supported vector unit,\n// |HRSS_HAVE_VECTOR_UNIT| will be defined and |vec_t| will be typedefed to a\n// 128-bit vector. The following functions abstract over the differences between\n// NEON and SSE2 for implementing some vector operations.\n\n// TODO: MSVC can likely also be made to work with vector operations, but ^ must\n// be replaced with _mm_xor_si128, etc.\n#if defined(OPENSSL_SSE2) && (defined(__clang__) || !defined(_MSC_VER))\n\n#define HRSS_HAVE_VECTOR_UNIT\ntypedef __m128i vec_t;\n\n// vec_capable returns one iff the current platform supports SSE2.\nstatic int vec_capable(void) { return 1; }\n\n// vec_add performs a pair-wise addition of four uint16s from |a| and |b|.\nstatic inline vec_t vec_add(vec_t a, vec_t b) { return _mm_add_epi16(a, b); }\n\n// vec_sub performs a pair-wise subtraction of four uint16s from |a| and |b|.\nstatic inline vec_t vec_sub(vec_t a, vec_t b) { return _mm_sub_epi16(a, b); }\n\n// vec_mul multiplies each uint16_t in |a| by |b| and returns the resulting\n// vector.\nstatic inline vec_t vec_mul(vec_t a, uint16_t b) {\n return _mm_mullo_epi16(a, _mm_set1_epi16(b));\n}\n\n// vec_fma multiplies each uint16_t in |b| by |c|, adds the result to |a|, and\n// returns the resulting vector.\nstatic inline vec_t vec_fma(vec_t a, vec_t b, uint16_t c) {\n return _mm_add_epi16(a, _mm_mullo_epi16(b, _mm_set1_epi16(c)));\n}\n\n// vec3_rshift_word right-shifts the 24 uint16_t's in |v| by one uint16.\nstatic inline void vec3_rshift_word(vec_t v[3]) {\n // Intel's left and right shifting is backwards compared to the order in\n // memory because they're based on little-endian order of words (and not just\n // bytes). So the shifts in this function will be backwards from what one\n // might expect.\n const __m128i carry0 = _mm_srli_si128(v[0], 14);\n v[0] = _mm_slli_si128(v[0], 2);\n\n const __m128i carry1 = _mm_srli_si128(v[1], 14);\n v[1] = _mm_slli_si128(v[1], 2);\n v[1] |= carry0;\n\n v[2] = _mm_slli_si128(v[2], 2);\n v[2] |= carry1;\n}\n\n// vec4_rshift_word right-shifts the 32 uint16_t's in |v| by one uint16.\nstatic inline void vec4_rshift_word(vec_t v[4]) {\n // Intel's left and right shifting is backwards compared to the order in\n // memory because they're based on little-endian order of words (and not just\n // bytes). So the shifts in this function will be backwards from what one\n // might expect.\n const __m128i carry0 = _mm_srli_si128(v[0], 14);\n v[0] = _mm_slli_si128(v[0], 2);\n\n const __m128i carry1 = _mm_srli_si128(v[1], 14);\n v[1] = _mm_slli_si128(v[1], 2);\n v[1] |= carry0;\n\n const __m128i carry2 = _mm_srli_si128(v[2], 14);\n v[2] = _mm_slli_si128(v[2], 2);\n v[2] |= carry1;\n\n v[3] = _mm_slli_si128(v[3], 2);\n v[3] |= carry2;\n}\n\n// vec_merge_3_5 takes the final three uint16_t's from |left|, appends the first\n// five from |right|, and returns the resulting vector.\nstatic inline vec_t vec_merge_3_5(vec_t left, vec_t right) {\n return _mm_srli_si128(left, 10) | _mm_slli_si128(right, 6);\n}\n\n// poly3_vec_lshift1 left-shifts the 768 bits in |a_s|, and in |a_a|, by one\n// bit.\nstatic inline void poly3_vec_lshift1(vec_t a_s[6], vec_t a_a[6]) {\n vec_t carry_s = {0};\n vec_t carry_a = {0};\n\n for (int i = 0; i < 6; i++) {\n vec_t next_carry_s = _mm_srli_epi64(a_s[i], 63);\n a_s[i] = _mm_slli_epi64(a_s[i], 1);\n a_s[i] |= _mm_slli_si128(next_carry_s, 8);\n a_s[i] |= carry_s;\n carry_s = _mm_srli_si128(next_carry_s, 8);\n\n vec_t next_carry_a = _mm_srli_epi64(a_a[i], 63);\n a_a[i] = _mm_slli_epi64(a_a[i], 1);\n a_a[i] |= _mm_slli_si128(next_carry_a, 8);\n a_a[i] |= carry_a;\n carry_a = _mm_srli_si128(next_carry_a, 8);\n }\n}\n\n// poly3_vec_rshift1 right-shifts the 768 bits in |a_s|, and in |a_a|, by one\n// bit.\nstatic inline void poly3_vec_rshift1(vec_t a_s[6], vec_t a_a[6]) {\n vec_t carry_s = {0};\n vec_t carry_a = {0};\n\n for (int i = 5; i >= 0; i--) {\n const vec_t next_carry_s = _mm_slli_epi64(a_s[i], 63);\n a_s[i] = _mm_srli_epi64(a_s[i], 1);\n a_s[i] |= _mm_srli_si128(next_carry_s, 8);\n a_s[i] |= carry_s;\n carry_s = _mm_slli_si128(next_carry_s, 8);\n\n const vec_t next_carry_a = _mm_slli_epi64(a_a[i], 63);\n a_a[i] = _mm_srli_epi64(a_a[i], 1);\n a_a[i] |= _mm_srli_si128(next_carry_a, 8);\n a_a[i] |= carry_a;\n carry_a = _mm_slli_si128(next_carry_a, 8);\n }\n}\n\n// vec_broadcast_bit duplicates the least-significant bit in |a| to all bits in\n// a vector and returns the result.\nstatic inline vec_t vec_broadcast_bit(vec_t a) {\n return _mm_shuffle_epi32(_mm_srai_epi32(_mm_slli_epi64(a, 63), 31),\n 0b01010101);\n}\n\n// vec_get_word returns the |i|th uint16_t in |v|. (This is a macro because the\n// compiler requires that |i| be a compile-time constant.)\n#define vec_get_word(v, i) _mm_extract_epi16(v, i)\n\n#elif (defined(OPENSSL_ARM) || defined(OPENSSL_AARCH64)) && defined(__ARM_NEON)\n\n#define HRSS_HAVE_VECTOR_UNIT\ntypedef uint16x8_t vec_t;\n\n// These functions perform the same actions as the SSE2 function of the same\n// name, above.\n\nstatic int vec_capable(void) { return CRYPTO_is_NEON_capable(); }\n\nstatic inline vec_t vec_add(vec_t a, vec_t b) { return a + b; }\n\nstatic inline vec_t vec_sub(vec_t a, vec_t b) { return a - b; }\n\nstatic inline vec_t vec_mul(vec_t a, uint16_t b) { return vmulq_n_u16(a, b); }\n\nstatic inline vec_t vec_fma(vec_t a, vec_t b, uint16_t c) {\n return vmlaq_n_u16(a, b, c);\n}\n\nstatic inline void vec3_rshift_word(vec_t v[3]) {\n const uint16x8_t kZero = {0};\n v[2] = vextq_u16(v[1], v[2], 7);\n v[1] = vextq_u16(v[0], v[1], 7);\n v[0] = vextq_u16(kZero, v[0], 7);\n}\n\nstatic inline void vec4_rshift_word(vec_t v[4]) {\n const uint16x8_t kZero = {0};\n v[3] = vextq_u16(v[2], v[3], 7);\n v[2] = vextq_u16(v[1], v[2], 7);\n v[1] = vextq_u16(v[0], v[1], 7);\n v[0] = vextq_u16(kZero, v[0], 7);\n}\n\nstatic inline vec_t vec_merge_3_5(vec_t left, vec_t right) {\n return vextq_u16(left, right, 5);\n}\n\nstatic inline uint16_t vec_get_word(vec_t v, unsigned i) { return v[i]; }\n\n#if !defined(OPENSSL_AARCH64)\n\nstatic inline vec_t vec_broadcast_bit(vec_t a) {\n a = (vec_t)vshrq_n_s16(((int16x8_t)a) << 15, 15);\n return vdupq_lane_u16(vget_low_u16(a), 0);\n}\n\nstatic inline void poly3_vec_lshift1(vec_t a_s[6], vec_t a_a[6]) {\n vec_t carry_s = {0};\n vec_t carry_a = {0};\n const vec_t kZero = {0};\n\n for (int i = 0; i < 6; i++) {\n vec_t next_carry_s = a_s[i] >> 15;\n a_s[i] <<= 1;\n a_s[i] |= vextq_u16(kZero, next_carry_s, 7);\n a_s[i] |= carry_s;\n carry_s = vextq_u16(next_carry_s, kZero, 7);\n\n vec_t next_carry_a = a_a[i] >> 15;\n a_a[i] <<= 1;\n a_a[i] |= vextq_u16(kZero, next_carry_a, 7);\n a_a[i] |= carry_a;\n carry_a = vextq_u16(next_carry_a, kZero, 7);\n }\n}\n\nstatic inline void poly3_vec_rshift1(vec_t a_s[6], vec_t a_a[6]) {\n vec_t carry_s = {0};\n vec_t carry_a = {0};\n const vec_t kZero = {0};\n\n for (int i = 5; i >= 0; i--) {\n vec_t next_carry_s = a_s[i] << 15;\n a_s[i] >>= 1;\n a_s[i] |= vextq_u16(next_carry_s, kZero, 1);\n a_s[i] |= carry_s;\n carry_s = vextq_u16(kZero, next_carry_s, 1);\n\n vec_t next_carry_a = a_a[i] << 15;\n a_a[i] >>= 1;\n a_a[i] |= vextq_u16(next_carry_a, kZero, 1);\n a_a[i] |= carry_a;\n carry_a = vextq_u16(kZero, next_carry_a, 1);\n }\n}\n\n#endif // !OPENSSL_AARCH64\n\n#endif // (ARM || AARCH64) && NEON\n\n// Polynomials in this scheme have N terms.\n// #define N 701\n\n// Underlying data types and arithmetic operations.\n// ------------------------------------------------\n\n// Binary polynomials.\n\n// poly2 represents a degree-N polynomial over GF(2). The words are in little-\n// endian order, i.e. the coefficient of x^0 is the LSB of the first word. The\n// final word is only partially used since N is not a multiple of the word size.\n\n// Defined in internal.h:\n// struct poly2 {\n// crypto_word_t v[WORDS_PER_POLY];\n// };\n\nstatic void poly2_zero(struct poly2 *p) {\n OPENSSL_memset(&p->v[0], 0, sizeof(crypto_word_t) * WORDS_PER_POLY);\n}\n\n// word_reverse returns |in| with the bits in reverse order.\nstatic crypto_word_t word_reverse(crypto_word_t in) {\n#if defined(OPENSSL_64_BIT)\n static const crypto_word_t kMasks[6] = {\n UINT64_C(0x5555555555555555), UINT64_C(0x3333333333333333),\n UINT64_C(0x0f0f0f0f0f0f0f0f), UINT64_C(0x00ff00ff00ff00ff),\n UINT64_C(0x0000ffff0000ffff), UINT64_C(0x00000000ffffffff),\n };\n#else\n static const crypto_word_t kMasks[5] = {\n 0x55555555, 0x33333333, 0x0f0f0f0f, 0x00ff00ff, 0x0000ffff,\n };\n#endif\n\n for (size_t i = 0; i < OPENSSL_ARRAY_SIZE(kMasks); i++) {\n in = ((in >> (1 << i)) & kMasks[i]) | ((in & kMasks[i]) << (1 << i));\n }\n\n return in;\n}\n\n// lsb_to_all replicates the least-significant bit of |v| to all bits of the\n// word. This is used in bit-slicing operations to make a vector from a fixed\n// value.\nstatic crypto_word_t lsb_to_all(crypto_word_t v) { return 0u - (v & 1); }\n\n// poly2_mod_phiN reduces |p| by Φ(N).\nstatic void poly2_mod_phiN(struct poly2 *p) {\n // m is the term at x^700, replicated to every bit.\n const crypto_word_t m =\n lsb_to_all(p->v[WORDS_PER_POLY - 1] >> (BITS_IN_LAST_WORD - 1));\n for (size_t i = 0; i < WORDS_PER_POLY; i++) {\n p->v[i] ^= m;\n }\n p->v[WORDS_PER_POLY - 1] &= (UINT64_C(1) << (BITS_IN_LAST_WORD - 1)) - 1;\n}\n\n// poly2_reverse_700 reverses the order of the first 700 bits of |in| and writes\n// the result to |out|.\nstatic void poly2_reverse_700(struct poly2 *out, const struct poly2 *in) {\n struct poly2 t;\n for (size_t i = 0; i < WORDS_PER_POLY; i++) {\n t.v[i] = word_reverse(in->v[i]);\n }\n\n static const size_t shift = BITS_PER_WORD - ((N - 1) % BITS_PER_WORD);\n for (size_t i = 0; i < WORDS_PER_POLY - 1; i++) {\n out->v[i] = t.v[WORDS_PER_POLY - 1 - i] >> shift;\n out->v[i] |= t.v[WORDS_PER_POLY - 2 - i] << (BITS_PER_WORD - shift);\n }\n out->v[WORDS_PER_POLY - 1] = t.v[0] >> shift;\n}\n\n// poly2_cswap exchanges the values of |a| and |b| if |swap| is all ones.\nstatic void poly2_cswap(struct poly2 *a, struct poly2 *b, crypto_word_t swap) {\n for (size_t i = 0; i < WORDS_PER_POLY; i++) {\n const crypto_word_t sum = swap & (a->v[i] ^ b->v[i]);\n a->v[i] ^= sum;\n b->v[i] ^= sum;\n }\n}\n\n// poly2_fmadd sets |out| to |out| + |in| * m, where m is either\n// |CONSTTIME_TRUE_W| or |CONSTTIME_FALSE_W|.\nstatic void poly2_fmadd(struct poly2 *out, const struct poly2 *in,\n crypto_word_t m) {\n for (size_t i = 0; i < WORDS_PER_POLY; i++) {\n out->v[i] ^= in->v[i] & m;\n }\n}\n\n// poly2_lshift1 left-shifts |p| by one bit.\nstatic void poly2_lshift1(struct poly2 *p) {\n crypto_word_t carry = 0;\n for (size_t i = 0; i < WORDS_PER_POLY; i++) {\n const crypto_word_t next_carry = p->v[i] >> (BITS_PER_WORD - 1);\n p->v[i] <<= 1;\n p->v[i] |= carry;\n carry = next_carry;\n }\n}\n\n// poly2_rshift1 right-shifts |p| by one bit.\nstatic void poly2_rshift1(struct poly2 *p) {\n crypto_word_t carry = 0;\n for (size_t i = WORDS_PER_POLY - 1; i < WORDS_PER_POLY; i--) {\n const crypto_word_t next_carry = p->v[i] & 1;\n p->v[i] >>= 1;\n p->v[i] |= carry << (BITS_PER_WORD - 1);\n carry = next_carry;\n }\n}\n\n// poly2_clear_top_bits clears the bits in the final word that are only for\n// alignment.\nstatic void poly2_clear_top_bits(struct poly2 *p) {\n p->v[WORDS_PER_POLY - 1] &= (UINT64_C(1) << BITS_IN_LAST_WORD) - 1;\n}\n\n// Ternary polynomials.\n\n// poly3 represents a degree-N polynomial over GF(3). Each coefficient is\n// bitsliced across the |s| and |a| arrays, like this:\n//\n// s | a | value\n// -----------------\n// 0 | 0 | 0\n// 0 | 1 | 1\n// 1 | 1 | -1 (aka 2)\n// 1 | 0 | \n//\n// ('s' is for sign, and 'a' is the absolute value.)\n//\n// Once bitsliced as such, the following circuits can be used to implement\n// addition and multiplication mod 3:\n//\n// (s3, a3) = (s1, a1) × (s2, a2)\n// a3 = a1 ∧ a2\n// s3 = (s1 ⊕ s2) ∧ a3\n//\n// (s3, a3) = (s1, a1) + (s2, a2)\n// t = s1 ⊕ a2\n// s3 = t ∧ (s2 ⊕ a1)\n// a3 = (a1 ⊕ a2) ∨ (t ⊕ s2)\n//\n// (s3, a3) = (s1, a1) - (s2, a2)\n// t = a1 ⊕ a2\n// s3 = (s1 ⊕ a2) ∧ (t ⊕ s2)\n// a3 = t ∨ (s1 ⊕ s2)\n//\n// Negating a value just involves XORing s by a.\n//\n// struct poly3 {\n// struct poly2 s, a;\n// };\n\nstatic void poly3_zero(struct poly3 *p) {\n poly2_zero(&p->s);\n poly2_zero(&p->a);\n}\n\n// poly3_reverse_700 reverses the order of the first 700 terms of |in| and\n// writes them to |out|.\nstatic void poly3_reverse_700(struct poly3 *out, const struct poly3 *in) {\n poly2_reverse_700(&out->a, &in->a);\n poly2_reverse_700(&out->s, &in->s);\n}\n\n// poly3_word_mul sets (|out_s|, |out_a|) to (|s1|, |a1|) × (|s2|, |a2|).\nstatic void poly3_word_mul(crypto_word_t *out_s, crypto_word_t *out_a,\n const crypto_word_t s1, const crypto_word_t a1,\n const crypto_word_t s2, const crypto_word_t a2) {\n *out_a = a1 & a2;\n *out_s = (s1 ^ s2) & *out_a;\n}\n\n// poly3_word_add sets (|out_s|, |out_a|) to (|s1|, |a1|) + (|s2|, |a2|).\nstatic void poly3_word_add(crypto_word_t *out_s, crypto_word_t *out_a,\n const crypto_word_t s1, const crypto_word_t a1,\n const crypto_word_t s2, const crypto_word_t a2) {\n const crypto_word_t t = s1 ^ a2;\n *out_s = t & (s2 ^ a1);\n *out_a = (a1 ^ a2) | (t ^ s2);\n}\n\n// poly3_word_sub sets (|out_s|, |out_a|) to (|s1|, |a1|) - (|s2|, |a2|).\nstatic void poly3_word_sub(crypto_word_t *out_s, crypto_word_t *out_a,\n const crypto_word_t s1, const crypto_word_t a1,\n const crypto_word_t s2, const crypto_word_t a2) {\n const crypto_word_t t = a1 ^ a2;\n *out_s = (s1 ^ a2) & (t ^ s2);\n *out_a = t | (s1 ^ s2);\n}\n\n// poly3_mul_const sets |p| to |p|×m, where m = (ms, ma).\nstatic void poly3_mul_const(struct poly3 *p, crypto_word_t ms,\n crypto_word_t ma) {\n ms = lsb_to_all(ms);\n ma = lsb_to_all(ma);\n\n for (size_t i = 0; i < WORDS_PER_POLY; i++) {\n poly3_word_mul(&p->s.v[i], &p->a.v[i], p->s.v[i], p->a.v[i], ms, ma);\n }\n}\n\n// poly3_fmadd sets |out| to |out| - |in|×m, where m is (ms, ma).\nstatic void poly3_fmsub(struct poly3 *out, const struct poly3 *in,\n crypto_word_t ms, crypto_word_t ma) {\n crypto_word_t product_s, product_a;\n for (size_t i = 0; i < WORDS_PER_POLY; i++) {\n poly3_word_mul(&product_s, &product_a, in->s.v[i], in->a.v[i], ms, ma);\n poly3_word_sub(&out->s.v[i], &out->a.v[i], out->s.v[i], out->a.v[i],\n product_s, product_a);\n }\n}\n\n// final_bit_to_all replicates the bit in the final position of the last word to\n// all the bits in the word.\nstatic crypto_word_t final_bit_to_all(crypto_word_t v) {\n return lsb_to_all(v >> (BITS_IN_LAST_WORD - 1));\n}\n\n// poly3_mod_phiN reduces |p| by Φ(N).\nstatic void poly3_mod_phiN(struct poly3 *p) {\n // In order to reduce by Φ(N) we subtract by the value of the greatest\n // coefficient.\n const crypto_word_t factor_s = final_bit_to_all(p->s.v[WORDS_PER_POLY - 1]);\n const crypto_word_t factor_a = final_bit_to_all(p->a.v[WORDS_PER_POLY - 1]);\n\n for (size_t i = 0; i < WORDS_PER_POLY; i++) {\n poly3_word_sub(&p->s.v[i], &p->a.v[i], p->s.v[i], p->a.v[i], factor_s,\n factor_a);\n }\n\n poly2_clear_top_bits(&p->s);\n poly2_clear_top_bits(&p->a);\n}\n\nstatic void poly3_cswap(struct poly3 *a, struct poly3 *b, crypto_word_t swap) {\n poly2_cswap(&a->s, &b->s, swap);\n poly2_cswap(&a->a, &b->a, swap);\n}\n\nstatic void poly3_lshift1(struct poly3 *p) {\n poly2_lshift1(&p->s);\n poly2_lshift1(&p->a);\n}\n\nstatic void poly3_rshift1(struct poly3 *p) {\n poly2_rshift1(&p->s);\n poly2_rshift1(&p->a);\n}\n\n// poly3_span represents a pointer into a poly3.\nstruct poly3_span {\n crypto_word_t *s;\n crypto_word_t *a;\n};\n\n// poly3_span_add adds |n| words of values from |a| and |b| and writes the\n// result to |out|.\nstatic void poly3_span_add(const struct poly3_span *out,\n const struct poly3_span *a,\n const struct poly3_span *b, size_t n) {\n for (size_t i = 0; i < n; i++) {\n poly3_word_add(&out->s[i], &out->a[i], a->s[i], a->a[i], b->s[i], b->a[i]);\n }\n}\n\n// poly3_span_sub subtracts |n| words of |b| from |n| words of |a|.\nstatic void poly3_span_sub(const struct poly3_span *a,\n const struct poly3_span *b, size_t n) {\n for (size_t i = 0; i < n; i++) {\n poly3_word_sub(&a->s[i], &a->a[i], a->s[i], a->a[i], b->s[i], b->a[i]);\n }\n}\n\n// poly3_mul_aux is a recursive function that multiplies |n| words from |a| and\n// |b| and writes 2×|n| words to |out|. Each call uses 2*ceil(n/2) elements of\n// |scratch| and the function recurses, except if |n| == 1, when |scratch| isn't\n// used and the recursion stops. For |n| in {11, 22}, the transitive total\n// amount of |scratch| needed happens to be 2n+2.\nstatic void poly3_mul_aux(const struct poly3_span *out,\n const struct poly3_span *scratch,\n const struct poly3_span *a,\n const struct poly3_span *b, size_t n) {\n if (n == 1) {\n crypto_word_t r_s_low = 0, r_s_high = 0, r_a_low = 0, r_a_high = 0;\n crypto_word_t b_s = b->s[0], b_a = b->a[0];\n const crypto_word_t a_s = a->s[0], a_a = a->a[0];\n\n for (size_t i = 0; i < BITS_PER_WORD; i++) {\n // Multiply (s, a) by the next value from (b_s, b_a).\n crypto_word_t m_s, m_a;\n poly3_word_mul(&m_s, &m_a, a_s, a_a, lsb_to_all(b_s), lsb_to_all(b_a));\n b_s >>= 1;\n b_a >>= 1;\n\n if (i == 0) {\n // Special case otherwise the code tries to shift by BITS_PER_WORD\n // below, which is undefined.\n r_s_low = m_s;\n r_a_low = m_a;\n continue;\n }\n\n // Shift the multiplication result to the correct position.\n const crypto_word_t m_s_low = m_s << i;\n const crypto_word_t m_s_high = m_s >> (BITS_PER_WORD - i);\n const crypto_word_t m_a_low = m_a << i;\n const crypto_word_t m_a_high = m_a >> (BITS_PER_WORD - i);\n\n // Add into the result.\n poly3_word_add(&r_s_low, &r_a_low, r_s_low, r_a_low, m_s_low, m_a_low);\n poly3_word_add(&r_s_high, &r_a_high, r_s_high, r_a_high, m_s_high,\n m_a_high);\n }\n\n out->s[0] = r_s_low;\n out->s[1] = r_s_high;\n out->a[0] = r_a_low;\n out->a[1] = r_a_high;\n return;\n }\n\n // Karatsuba multiplication.\n // https://en.wikipedia.org/wiki/Karatsuba_algorithm\n\n // When |n| is odd, the two \"halves\" will have different lengths. The first\n // is always the smaller.\n const size_t low_len = n / 2;\n const size_t high_len = n - low_len;\n const struct poly3_span a_high = {&a->s[low_len], &a->a[low_len]};\n const struct poly3_span b_high = {&b->s[low_len], &b->a[low_len]};\n\n // Store a_1 + a_0 in the first half of |out| and b_1 + b_0 in the second\n // half.\n const struct poly3_span a_cross_sum = *out;\n const struct poly3_span b_cross_sum = {&out->s[high_len], &out->a[high_len]};\n poly3_span_add(&a_cross_sum, a, &a_high, low_len);\n poly3_span_add(&b_cross_sum, b, &b_high, low_len);\n if (high_len != low_len) {\n a_cross_sum.s[low_len] = a_high.s[low_len];\n a_cross_sum.a[low_len] = a_high.a[low_len];\n b_cross_sum.s[low_len] = b_high.s[low_len];\n b_cross_sum.a[low_len] = b_high.a[low_len];\n }\n\n const struct poly3_span child_scratch = {&scratch->s[2 * high_len],\n &scratch->a[2 * high_len]};\n const struct poly3_span out_mid = {&out->s[low_len], &out->a[low_len]};\n const struct poly3_span out_high = {&out->s[2 * low_len],\n &out->a[2 * low_len]};\n\n // Calculate (a_1 + a_0) × (b_1 + b_0) and write to scratch buffer.\n poly3_mul_aux(scratch, &child_scratch, &a_cross_sum, &b_cross_sum, high_len);\n // Calculate a_1 × b_1.\n poly3_mul_aux(&out_high, &child_scratch, &a_high, &b_high, high_len);\n // Calculate a_0 × b_0.\n poly3_mul_aux(out, &child_scratch, a, b, low_len);\n\n // Subtract those last two products from the first.\n poly3_span_sub(scratch, out, low_len * 2);\n poly3_span_sub(scratch, &out_high, high_len * 2);\n\n // Add the middle product into the output.\n poly3_span_add(&out_mid, &out_mid, scratch, high_len * 2);\n}\n\n// HRSS_poly3_mul sets |*out| to |x|×|y| mod Φ(N).\nvoid HRSS_poly3_mul(struct poly3 *out, const struct poly3 *x,\n const struct poly3 *y) {\n crypto_word_t prod_s[WORDS_PER_POLY * 2];\n crypto_word_t prod_a[WORDS_PER_POLY * 2];\n crypto_word_t scratch_s[WORDS_PER_POLY * 2 + 2];\n crypto_word_t scratch_a[WORDS_PER_POLY * 2 + 2];\n const struct poly3_span prod_span = {prod_s, prod_a};\n const struct poly3_span scratch_span = {scratch_s, scratch_a};\n const struct poly3_span x_span = {(crypto_word_t *)x->s.v,\n (crypto_word_t *)x->a.v};\n const struct poly3_span y_span = {(crypto_word_t *)y->s.v,\n (crypto_word_t *)y->a.v};\n\n poly3_mul_aux(&prod_span, &scratch_span, &x_span, &y_span, WORDS_PER_POLY);\n\n // |prod| needs to be reduced mod (𝑥^n - 1), which just involves adding the\n // upper-half to the lower-half. However, N is 701, which isn't a multiple of\n // BITS_PER_WORD, so the upper-half vectors all have to be shifted before\n // being added to the lower-half.\n for (size_t i = 0; i < WORDS_PER_POLY; i++) {\n crypto_word_t v_s = prod_s[WORDS_PER_POLY + i - 1] >> BITS_IN_LAST_WORD;\n v_s |= prod_s[WORDS_PER_POLY + i] << (BITS_PER_WORD - BITS_IN_LAST_WORD);\n crypto_word_t v_a = prod_a[WORDS_PER_POLY + i - 1] >> BITS_IN_LAST_WORD;\n v_a |= prod_a[WORDS_PER_POLY + i] << (BITS_PER_WORD - BITS_IN_LAST_WORD);\n\n poly3_word_add(&out->s.v[i], &out->a.v[i], prod_s[i], prod_a[i], v_s, v_a);\n }\n\n poly3_mod_phiN(out);\n}\n\n#if defined(HRSS_HAVE_VECTOR_UNIT) && !defined(OPENSSL_AARCH64)\n\n// poly3_vec_cswap swaps (|a_s|, |a_a|) and (|b_s|, |b_a|) if |swap| is\n// |0xff..ff|. Otherwise, |swap| must be zero.\nstatic inline void poly3_vec_cswap(vec_t a_s[6], vec_t a_a[6], vec_t b_s[6],\n vec_t b_a[6], const vec_t swap) {\n for (int i = 0; i < 6; i++) {\n const vec_t sum_s = swap & (a_s[i] ^ b_s[i]);\n a_s[i] ^= sum_s;\n b_s[i] ^= sum_s;\n\n const vec_t sum_a = swap & (a_a[i] ^ b_a[i]);\n a_a[i] ^= sum_a;\n b_a[i] ^= sum_a;\n }\n}\n\n// poly3_vec_fmsub subtracts (|ms|, |ma|) × (|b_s|, |b_a|) from (|a_s|, |a_a|).\nstatic inline void poly3_vec_fmsub(vec_t a_s[6], vec_t a_a[6], vec_t b_s[6],\n vec_t b_a[6], const vec_t ms,\n const vec_t ma) {\n for (int i = 0; i < 6; i++) {\n // See the bitslice formula, above.\n const vec_t s = b_s[i];\n const vec_t a = b_a[i];\n const vec_t product_a = a & ma;\n const vec_t product_s = (s ^ ms) & product_a;\n\n const vec_t out_s = a_s[i];\n const vec_t out_a = a_a[i];\n const vec_t t = out_a ^ product_a;\n a_s[i] = (out_s ^ product_a) & (t ^ product_s);\n a_a[i] = t | (out_s ^ product_s);\n }\n}\n\n// poly3_invert_vec sets |*out| to |in|^-1, i.e. such that |out|×|in| == 1 mod\n// Φ(N).\nstatic void poly3_invert_vec(struct poly3 *out, const struct poly3 *in) {\n // This algorithm is taken from section 7.1 of [SAFEGCD].\n const vec_t kZero = {0};\n const vec_t kOne = {1};\n static const uint8_t kBottomSixtyOne[sizeof(vec_t)] = {\n 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x1f};\n\n vec_t v_s[6], v_a[6], r_s[6], r_a[6], f_s[6], f_a[6], g_s[6], g_a[6];\n // v = 0\n memset(&v_s, 0, sizeof(v_s));\n memset(&v_a, 0, sizeof(v_a));\n // r = 1\n memset(&r_s, 0, sizeof(r_s));\n memset(&r_a, 0, sizeof(r_a));\n r_a[0] = kOne;\n // f = all ones.\n memset(f_s, 0, sizeof(f_s));\n memset(f_a, 0xff, 5 * sizeof(vec_t));\n memcpy(&f_a[5], kBottomSixtyOne, sizeof(kBottomSixtyOne));\n // g is the reversal of |in|.\n struct poly3 in_reversed;\n poly3_reverse_700(&in_reversed, in);\n g_s[5] = kZero;\n memcpy(&g_s, &in_reversed.s.v, WORDS_PER_POLY * sizeof(crypto_word_t));\n g_a[5] = kZero;\n memcpy(&g_a, &in_reversed.a.v, WORDS_PER_POLY * sizeof(crypto_word_t));\n\n int delta = 1;\n\n for (size_t i = 0; i < (2 * (N - 1)) - 1; i++) {\n poly3_vec_lshift1(v_s, v_a);\n\n const crypto_word_t delta_sign_bit = (delta >> (sizeof(delta) * 8 - 1)) & 1;\n const crypto_word_t delta_is_non_negative = delta_sign_bit - 1;\n const crypto_word_t delta_is_non_zero = ~constant_time_is_zero_w(delta);\n const vec_t g_has_constant_term = vec_broadcast_bit(g_a[0]);\n const vec_t mask_w = {\n static_cast::type>(\n delta_is_non_negative & delta_is_non_zero)};\n const vec_t mask = vec_broadcast_bit(mask_w) & g_has_constant_term;\n\n const vec_t c_a = vec_broadcast_bit(f_a[0] & g_a[0]);\n const vec_t c_s = vec_broadcast_bit((f_s[0] ^ g_s[0]) & c_a);\n\n delta = constant_time_select_int(lsb_to_all(mask[0]), -delta, delta);\n delta++;\n\n poly3_vec_cswap(f_s, f_a, g_s, g_a, mask);\n poly3_vec_fmsub(g_s, g_a, f_s, f_a, c_s, c_a);\n poly3_vec_rshift1(g_s, g_a);\n\n poly3_vec_cswap(v_s, v_a, r_s, r_a, mask);\n poly3_vec_fmsub(r_s, r_a, v_s, v_a, c_s, c_a);\n }\n\n assert(delta == 0);\n memcpy(out->s.v, v_s, WORDS_PER_POLY * sizeof(crypto_word_t));\n memcpy(out->a.v, v_a, WORDS_PER_POLY * sizeof(crypto_word_t));\n poly3_mul_const(out, vec_get_word(f_s[0], 0), vec_get_word(f_a[0], 0));\n poly3_reverse_700(out, out);\n}\n\n#endif // HRSS_HAVE_VECTOR_UNIT\n\n// HRSS_poly3_invert sets |*out| to |in|^-1, i.e. such that |out|×|in| == 1 mod\n// Φ(N).\nvoid HRSS_poly3_invert(struct poly3 *out, const struct poly3 *in) {\n // The vector version of this function seems slightly slower on AArch64, but\n // is useful on ARMv7 and x86-64.\n#if defined(HRSS_HAVE_VECTOR_UNIT) && !defined(OPENSSL_AARCH64)\n if (vec_capable()) {\n poly3_invert_vec(out, in);\n return;\n }\n#endif\n\n // This algorithm is taken from section 7.1 of [SAFEGCD].\n struct poly3 v, r, f, g;\n // v = 0\n poly3_zero(&v);\n // r = 1\n poly3_zero(&r);\n r.a.v[0] = 1;\n // f = all ones.\n OPENSSL_memset(&f.s, 0, sizeof(struct poly2));\n OPENSSL_memset(&f.a, 0xff, sizeof(struct poly2));\n f.a.v[WORDS_PER_POLY - 1] >>= BITS_PER_WORD - BITS_IN_LAST_WORD;\n // g is the reversal of |in|.\n poly3_reverse_700(&g, in);\n int delta = 1;\n\n for (size_t i = 0; i < (2 * (N - 1)) - 1; i++) {\n poly3_lshift1(&v);\n\n const crypto_word_t delta_sign_bit = (delta >> (sizeof(delta) * 8 - 1)) & 1;\n const crypto_word_t delta_is_non_negative = delta_sign_bit - 1;\n const crypto_word_t delta_is_non_zero = ~constant_time_is_zero_w(delta);\n const crypto_word_t g_has_constant_term = lsb_to_all(g.a.v[0]);\n const crypto_word_t mask =\n g_has_constant_term & delta_is_non_negative & delta_is_non_zero;\n\n crypto_word_t c_s, c_a;\n poly3_word_mul(&c_s, &c_a, f.s.v[0], f.a.v[0], g.s.v[0], g.a.v[0]);\n c_s = lsb_to_all(c_s);\n c_a = lsb_to_all(c_a);\n\n delta = constant_time_select_int(mask, -delta, delta);\n delta++;\n\n poly3_cswap(&f, &g, mask);\n poly3_fmsub(&g, &f, c_s, c_a);\n poly3_rshift1(&g);\n\n poly3_cswap(&v, &r, mask);\n poly3_fmsub(&r, &v, c_s, c_a);\n }\n\n assert(delta == 0);\n poly3_mul_const(&v, f.s.v[0], f.a.v[0]);\n poly3_reverse_700(out, &v);\n}\n\n// Polynomials in Q.\n\n// Coefficients are reduced mod Q. (Q is clearly not prime, therefore the\n// coefficients do not form a field.)\n#define Q 8192\n\n// VECS_PER_POLY is the number of 128-bit vectors needed to represent a\n// polynomial.\n#define COEFFICIENTS_PER_VEC (sizeof(vec_t) / sizeof(uint16_t))\n#define VECS_PER_POLY ((N + COEFFICIENTS_PER_VEC - 1) / COEFFICIENTS_PER_VEC)\n\nnamespace {\n// poly represents a polynomial with coefficients mod Q. Note that, while Q is a\n// power of two, this does not operate in GF(Q). That would be a binary field\n// but this is simply mod Q. Thus the coefficients are not a field.\n//\n// Coefficients are ordered little-endian, thus the coefficient of x^0 is the\n// first element of the array.\nstruct poly {\n#if defined(HRSS_HAVE_VECTOR_UNIT)\n union {\n // N + 3 = 704, which is a multiple of 64 and thus aligns things, esp for\n // the vector code.\n uint16_t v[N + 3];\n vec_t vectors[VECS_PER_POLY];\n };\n#else\n // Even if !HRSS_HAVE_VECTOR_UNIT, external assembly may be called that\n // requires alignment.\n alignas(16) uint16_t v[N + 3];\n#endif\n};\n} // namespace\n\n// poly_normalize zeros out the excess elements of |x| which are included only\n// for alignment.\nstatic void poly_normalize(struct poly *x) {\n OPENSSL_memset(&x->v[N], 0, 3 * sizeof(uint16_t));\n}\n\n// poly_assert_normalized asserts that the excess elements of |x| are zeroed out\n// for the cases that case. (E.g. |poly_mul_vec|.)\nstatic void poly_assert_normalized(const struct poly *x) {\n assert(x->v[N] == 0);\n assert(x->v[N + 1] == 0);\n assert(x->v[N + 2] == 0);\n}\n\nnamespace {\n// POLY_MUL_SCRATCH contains space for the working variables needed by\n// |poly_mul|. The contents afterwards may be discarded, but the object may also\n// be reused with future |poly_mul| calls to save heap allocations.\n//\n// This object must have 32-byte alignment.\nstruct POLY_MUL_SCRATCH {\n union {\n // This is used by |poly_mul_novec|.\n struct {\n uint16_t prod[2 * N];\n uint16_t scratch[1318];\n } novec;\n\n#if defined(HRSS_HAVE_VECTOR_UNIT)\n // This is used by |poly_mul_vec|.\n struct {\n vec_t prod[VECS_PER_POLY * 2];\n vec_t scratch[172];\n } vec;\n#endif\n\n#if defined(POLY_RQ_MUL_ASM)\n // This is the space used by |poly_Rq_mul|.\n uint8_t rq[POLY_MUL_RQ_SCRATCH_SPACE];\n#endif\n } u;\n};\n} // namespace\n\n#if defined(HRSS_HAVE_VECTOR_UNIT)\n\n// poly_mul_vec_aux is a recursive function that multiplies |n| words from |a|\n// and |b| and writes 2×|n| words to |out|. Each call uses 2*ceil(n/2) elements\n// of |scratch| and the function recurses, except if |n| < 3, when |scratch|\n// isn't used and the recursion stops. If |n| == |VECS_PER_POLY| then |scratch|\n// needs 172 elements.\nstatic void poly_mul_vec_aux(vec_t *out, vec_t *scratch, const vec_t *a,\n const vec_t *b, const size_t n) {\n // In [HRSS], the technique they used for polynomial multiplication is\n // described: they start with Toom-4 at the top level and then two layers of\n // Karatsuba. Karatsuba is a specific instance of the general Toom–Cook\n // decomposition, which splits an input n-ways and produces 2n-1\n // multiplications of those parts. So, starting with 704 coefficients (rounded\n // up from 701 to have more factors of two), Toom-4 gives seven\n // multiplications of degree-174 polynomials. Each round of Karatsuba (which\n // is Toom-2) increases the number of multiplications by a factor of three\n // while halving the size of the values being multiplied. So two rounds gives\n // 63 multiplications of degree-44 polynomials. Then they (I think) form\n // vectors by gathering all 63 coefficients of each power together, for each\n // input, and doing more rounds of Karatsuba on the vectors until they bottom-\n // out somewhere with schoolbook multiplication.\n //\n // I tried something like that for NEON. NEON vectors are 128 bits so hold\n // eight coefficients. I wrote a function that did Karatsuba on eight\n // multiplications at the same time, using such vectors, and a Go script that\n // decomposed from degree-704, with Karatsuba in non-transposed form, until it\n // reached multiplications of degree-44. It batched up those 81\n // multiplications into lots of eight with a single one left over (which was\n // handled directly).\n //\n // It worked, but it was significantly slower than the dumb algorithm used\n // below. Potentially that was because I misunderstood how [HRSS] did it, or\n // because Clang is bad at generating good code from NEON intrinsics on ARMv7.\n // (Which is true: the code generated by Clang for the below is pretty crap.)\n //\n // This algorithm is much simpler. It just does Karatsuba decomposition all\n // the way down and never transposes. When it gets down to degree-16 or\n // degree-24 values, they are multiplied using schoolbook multiplication and\n // vector intrinsics. The vector operations form each of the eight phase-\n // shifts of one of the inputs, point-wise multiply, and then add into the\n // result at the correct place. This means that 33% (degree-16) or 25%\n // (degree-24) of the multiplies and adds are wasted, but it does ok.\n if (n == 2) {\n vec_t result[4];\n vec_t vec_a[3];\n static const vec_t kZero = {0};\n vec_a[0] = a[0];\n vec_a[1] = a[1];\n vec_a[2] = kZero;\n\n result[0] = vec_mul(vec_a[0], vec_get_word(b[0], 0));\n result[1] = vec_mul(vec_a[1], vec_get_word(b[0], 0));\n\n result[1] = vec_fma(result[1], vec_a[0], vec_get_word(b[1], 0));\n result[2] = vec_mul(vec_a[1], vec_get_word(b[1], 0));\n result[3] = kZero;\n\n vec3_rshift_word(vec_a);\n\n#define BLOCK(x, y) \\\n do { \\\n result[x + 0] = \\\n vec_fma(result[x + 0], vec_a[0], vec_get_word(b[y / 8], y % 8)); \\\n result[x + 1] = \\\n vec_fma(result[x + 1], vec_a[1], vec_get_word(b[y / 8], y % 8)); \\\n result[x + 2] = \\\n vec_fma(result[x + 2], vec_a[2], vec_get_word(b[y / 8], y % 8)); \\\n } while (0)\n\n BLOCK(0, 1);\n BLOCK(1, 9);\n\n vec3_rshift_word(vec_a);\n\n BLOCK(0, 2);\n BLOCK(1, 10);\n\n vec3_rshift_word(vec_a);\n\n BLOCK(0, 3);\n BLOCK(1, 11);\n\n vec3_rshift_word(vec_a);\n\n BLOCK(0, 4);\n BLOCK(1, 12);\n\n vec3_rshift_word(vec_a);\n\n BLOCK(0, 5);\n BLOCK(1, 13);\n\n vec3_rshift_word(vec_a);\n\n BLOCK(0, 6);\n BLOCK(1, 14);\n\n vec3_rshift_word(vec_a);\n\n BLOCK(0, 7);\n BLOCK(1, 15);\n\n#undef BLOCK\n\n memcpy(out, result, sizeof(result));\n return;\n }\n\n if (n == 3) {\n vec_t result[6];\n vec_t vec_a[4];\n static const vec_t kZero = {0};\n vec_a[0] = a[0];\n vec_a[1] = a[1];\n vec_a[2] = a[2];\n vec_a[3] = kZero;\n\n result[0] = vec_mul(a[0], vec_get_word(b[0], 0));\n result[1] = vec_mul(a[1], vec_get_word(b[0], 0));\n result[2] = vec_mul(a[2], vec_get_word(b[0], 0));\n\n#define BLOCK_PRE(x, y) \\\n do { \\\n result[x + 0] = \\\n vec_fma(result[x + 0], vec_a[0], vec_get_word(b[y / 8], y % 8)); \\\n result[x + 1] = \\\n vec_fma(result[x + 1], vec_a[1], vec_get_word(b[y / 8], y % 8)); \\\n result[x + 2] = vec_mul(vec_a[2], vec_get_word(b[y / 8], y % 8)); \\\n } while (0)\n\n BLOCK_PRE(1, 8);\n BLOCK_PRE(2, 16);\n\n result[5] = kZero;\n\n vec4_rshift_word(vec_a);\n\n#define BLOCK(x, y) \\\n do { \\\n result[x + 0] = \\\n vec_fma(result[x + 0], vec_a[0], vec_get_word(b[y / 8], y % 8)); \\\n result[x + 1] = \\\n vec_fma(result[x + 1], vec_a[1], vec_get_word(b[y / 8], y % 8)); \\\n result[x + 2] = \\\n vec_fma(result[x + 2], vec_a[2], vec_get_word(b[y / 8], y % 8)); \\\n result[x + 3] = \\\n vec_fma(result[x + 3], vec_a[3], vec_get_word(b[y / 8], y % 8)); \\\n } while (0)\n\n BLOCK(0, 1);\n BLOCK(1, 9);\n BLOCK(2, 17);\n\n vec4_rshift_word(vec_a);\n\n BLOCK(0, 2);\n BLOCK(1, 10);\n BLOCK(2, 18);\n\n vec4_rshift_word(vec_a);\n\n BLOCK(0, 3);\n BLOCK(1, 11);\n BLOCK(2, 19);\n\n vec4_rshift_word(vec_a);\n\n BLOCK(0, 4);\n BLOCK(1, 12);\n BLOCK(2, 20);\n\n vec4_rshift_word(vec_a);\n\n BLOCK(0, 5);\n BLOCK(1, 13);\n BLOCK(2, 21);\n\n vec4_rshift_word(vec_a);\n\n BLOCK(0, 6);\n BLOCK(1, 14);\n BLOCK(2, 22);\n\n vec4_rshift_word(vec_a);\n\n BLOCK(0, 7);\n BLOCK(1, 15);\n BLOCK(2, 23);\n\n#undef BLOCK\n#undef BLOCK_PRE\n\n memcpy(out, result, sizeof(result));\n\n return;\n }\n\n // Karatsuba multiplication.\n // https://en.wikipedia.org/wiki/Karatsuba_algorithm\n\n // When |n| is odd, the two \"halves\" will have different lengths. The first is\n // always the smaller.\n const size_t low_len = n / 2;\n const size_t high_len = n - low_len;\n const vec_t *a_high = &a[low_len];\n const vec_t *b_high = &b[low_len];\n\n // Store a_1 + a_0 in the first half of |out| and b_1 + b_0 in the second\n // half.\n for (size_t i = 0; i < low_len; i++) {\n out[i] = vec_add(a_high[i], a[i]);\n out[high_len + i] = vec_add(b_high[i], b[i]);\n }\n if (high_len != low_len) {\n out[low_len] = a_high[low_len];\n out[high_len + low_len] = b_high[low_len];\n }\n\n vec_t *const child_scratch = &scratch[2 * high_len];\n // Calculate (a_1 + a_0) × (b_1 + b_0) and write to scratch buffer.\n poly_mul_vec_aux(scratch, child_scratch, out, &out[high_len], high_len);\n // Calculate a_1 × b_1.\n poly_mul_vec_aux(&out[low_len * 2], child_scratch, a_high, b_high, high_len);\n // Calculate a_0 × b_0.\n poly_mul_vec_aux(out, child_scratch, a, b, low_len);\n\n // Subtract those last two products from the first.\n for (size_t i = 0; i < low_len * 2; i++) {\n scratch[i] = vec_sub(scratch[i], vec_add(out[i], out[low_len * 2 + i]));\n }\n if (low_len != high_len) {\n scratch[low_len * 2] = vec_sub(scratch[low_len * 2], out[low_len * 4]);\n scratch[low_len * 2 + 1] =\n vec_sub(scratch[low_len * 2 + 1], out[low_len * 4 + 1]);\n }\n\n // Add the middle product into the output.\n for (size_t i = 0; i < high_len * 2; i++) {\n out[low_len + i] = vec_add(out[low_len + i], scratch[i]);\n }\n}\n\n// poly_mul_vec sets |*out| to |x|×|y| mod (𝑥^n - 1).\nstatic void poly_mul_vec(struct POLY_MUL_SCRATCH *scratch, struct poly *out,\n const struct poly *x, const struct poly *y) {\n static_assert(sizeof(out->v) == sizeof(vec_t) * VECS_PER_POLY,\n \"struct poly is the wrong size\");\n static_assert(alignof(struct poly) == alignof(vec_t),\n \"struct poly has incorrect alignment\");\n poly_assert_normalized(x);\n poly_assert_normalized(y);\n\n vec_t *const prod = scratch->u.vec.prod;\n vec_t *const aux_scratch = scratch->u.vec.scratch;\n poly_mul_vec_aux(prod, aux_scratch, x->vectors, y->vectors, VECS_PER_POLY);\n\n // |prod| needs to be reduced mod (𝑥^n - 1), which just involves adding the\n // upper-half to the lower-half. However, N is 701, which isn't a multiple of\n // the vector size, so the upper-half vectors all have to be shifted before\n // being added to the lower-half.\n vec_t *out_vecs = (vec_t *)out->v;\n\n for (size_t i = 0; i < VECS_PER_POLY; i++) {\n const vec_t prev = prod[VECS_PER_POLY - 1 + i];\n const vec_t this_vec = prod[VECS_PER_POLY + i];\n out_vecs[i] = vec_add(prod[i], vec_merge_3_5(prev, this_vec));\n }\n\n OPENSSL_memset(&out->v[N], 0, 3 * sizeof(uint16_t));\n}\n\n#endif // HRSS_HAVE_VECTOR_UNIT\n\n// poly_mul_novec_aux writes the product of |a| and |b| to |out|, using\n// |scratch| as scratch space. It'll use Karatsuba if the inputs are large\n// enough to warrant it. Each call uses 2*ceil(n/2) elements of |scratch| and\n// the function recurses, except if |n| < 64, when |scratch| isn't used and the\n// recursion stops. If |n| == |N| then |scratch| needs 1318 elements.\nstatic void poly_mul_novec_aux(uint16_t *out, uint16_t *scratch,\n const uint16_t *a, const uint16_t *b, size_t n) {\n static const size_t kSchoolbookLimit = 64;\n if (n < kSchoolbookLimit) {\n OPENSSL_memset(out, 0, sizeof(uint16_t) * n * 2);\n for (size_t i = 0; i < n; i++) {\n for (size_t j = 0; j < n; j++) {\n out[i + j] += (unsigned)a[i] * b[j];\n }\n }\n\n return;\n }\n\n // Karatsuba multiplication.\n // https://en.wikipedia.org/wiki/Karatsuba_algorithm\n\n // When |n| is odd, the two \"halves\" will have different lengths. The\n // first is always the smaller.\n const size_t low_len = n / 2;\n const size_t high_len = n - low_len;\n const uint16_t *const a_high = &a[low_len];\n const uint16_t *const b_high = &b[low_len];\n\n for (size_t i = 0; i < low_len; i++) {\n out[i] = a_high[i] + a[i];\n out[high_len + i] = b_high[i] + b[i];\n }\n if (high_len != low_len) {\n out[low_len] = a_high[low_len];\n out[high_len + low_len] = b_high[low_len];\n }\n\n uint16_t *const child_scratch = &scratch[2 * high_len];\n poly_mul_novec_aux(scratch, child_scratch, out, &out[high_len], high_len);\n poly_mul_novec_aux(&out[low_len * 2], child_scratch, a_high, b_high,\n high_len);\n poly_mul_novec_aux(out, child_scratch, a, b, low_len);\n\n for (size_t i = 0; i < low_len * 2; i++) {\n scratch[i] -= out[i] + out[low_len * 2 + i];\n }\n if (low_len != high_len) {\n scratch[low_len * 2] -= out[low_len * 4];\n assert(out[low_len * 4 + 1] == 0);\n }\n\n for (size_t i = 0; i < high_len * 2; i++) {\n out[low_len + i] += scratch[i];\n }\n}\n\n// poly_mul_novec sets |*out| to |x|×|y| mod (𝑥^n - 1).\nstatic void poly_mul_novec(struct POLY_MUL_SCRATCH *scratch, struct poly *out,\n const struct poly *x, const struct poly *y) {\n uint16_t *const prod = scratch->u.novec.prod;\n uint16_t *const aux_scratch = scratch->u.novec.scratch;\n poly_mul_novec_aux(prod, aux_scratch, x->v, y->v, N);\n\n for (size_t i = 0; i < N; i++) {\n out->v[i] = prod[i] + prod[i + N];\n }\n OPENSSL_memset(&out->v[N], 0, 3 * sizeof(uint16_t));\n}\n\nstatic void poly_mul(struct POLY_MUL_SCRATCH *scratch, struct poly *r,\n const struct poly *a, const struct poly *b) {\n#if defined(POLY_RQ_MUL_ASM)\n if (CRYPTO_is_AVX2_capable()) {\n poly_Rq_mul(r->v, a->v, b->v, scratch->u.rq);\n poly_normalize(r);\n } else\n#endif\n\n#if defined(HRSS_HAVE_VECTOR_UNIT)\n if (vec_capable()) {\n poly_mul_vec(scratch, r, a, b);\n } else\n#endif\n\n // Fallback, non-vector case.\n {\n poly_mul_novec(scratch, r, a, b);\n }\n\n poly_assert_normalized(r);\n}\n\n// poly_mul_x_minus_1 sets |p| to |p|×(𝑥 - 1) mod (𝑥^n - 1).\nstatic void poly_mul_x_minus_1(struct poly *p) {\n // Multiplying by (𝑥 - 1) means negating each coefficient and adding in\n // the value of the previous one.\n const uint16_t orig_final_coefficient = p->v[N - 1];\n\n for (size_t i = N - 1; i > 0; i--) {\n p->v[i] = p->v[i - 1] - p->v[i];\n }\n p->v[0] = orig_final_coefficient - p->v[0];\n}\n\n// poly_mod_phiN sets |p| to |p| mod Φ(N).\nstatic void poly_mod_phiN(struct poly *p) {\n const uint16_t coeff700 = p->v[N - 1];\n\n for (unsigned i = 0; i < N; i++) {\n p->v[i] -= coeff700;\n }\n}\n\n// poly_clamp reduces each coefficient mod Q.\nstatic void poly_clamp(struct poly *p) {\n for (unsigned i = 0; i < N; i++) {\n p->v[i] &= Q - 1;\n }\n}\n\n\n// Conversion functions\n// --------------------\n\n// poly2_from_poly sets |*out| to |in| mod 2.\nstatic void poly2_from_poly(struct poly2 *out, const struct poly *in) {\n crypto_word_t *words = out->v;\n unsigned shift = 0;\n crypto_word_t word = 0;\n\n for (unsigned i = 0; i < N; i++) {\n word >>= 1;\n word |= (crypto_word_t)(in->v[i] & 1) << (BITS_PER_WORD - 1);\n shift++;\n\n if (shift == BITS_PER_WORD) {\n *words = word;\n words++;\n word = 0;\n shift = 0;\n }\n }\n\n word >>= BITS_PER_WORD - shift;\n *words = word;\n}\n\n// mod3 treats |a| as a signed number and returns |a| mod 3.\nstatic uint16_t mod3(int16_t a) {\n const int16_t q = ((int32_t)a * 21845) >> 16;\n int16_t ret = a - 3 * q;\n // At this point, |ret| is in {0, 1, 2, 3} and that needs to be mapped to {0,\n // 1, 2, 0}.\n return ret & ((ret & (ret >> 1)) - 1);\n}\n\n// poly3_from_poly sets |*out| to |in|.\nstatic void poly3_from_poly(struct poly3 *out, const struct poly *in) {\n crypto_word_t *words_s = out->s.v;\n crypto_word_t *words_a = out->a.v;\n crypto_word_t s = 0;\n crypto_word_t a = 0;\n unsigned shift = 0;\n\n for (unsigned i = 0; i < N; i++) {\n // This duplicates the 13th bit upwards to the top of the uint16,\n // essentially treating it as a sign bit and converting into a signed int16.\n // The signed value is reduced mod 3, yielding {0, 1, 2}.\n const uint16_t v = mod3((int16_t)(in->v[i] << 3) >> 3);\n s >>= 1;\n const crypto_word_t s_bit = (crypto_word_t)(v & 2) << (BITS_PER_WORD - 2);\n s |= s_bit;\n a >>= 1;\n a |= s_bit | (crypto_word_t)(v & 1) << (BITS_PER_WORD - 1);\n shift++;\n\n if (shift == BITS_PER_WORD) {\n *words_s = s;\n words_s++;\n *words_a = a;\n words_a++;\n s = a = 0;\n shift = 0;\n }\n }\n\n s >>= BITS_PER_WORD - shift;\n a >>= BITS_PER_WORD - shift;\n *words_s = s;\n *words_a = a;\n}\n\n// poly3_from_poly_checked sets |*out| to |in|, which has coefficients in {0, 1,\n// Q-1}. It returns a mask indicating whether all coefficients were found to be\n// in that set.\nstatic crypto_word_t poly3_from_poly_checked(struct poly3 *out,\n const struct poly *in) {\n crypto_word_t *words_s = out->s.v;\n crypto_word_t *words_a = out->a.v;\n crypto_word_t s = 0;\n crypto_word_t a = 0;\n unsigned shift = 0;\n crypto_word_t ok = CONSTTIME_TRUE_W;\n\n for (unsigned i = 0; i < N; i++) {\n const uint16_t v = in->v[i];\n // Maps {0, 1, Q-1} to {0, 1, 2}.\n uint16_t mod3 = v & 3;\n mod3 ^= mod3 >> 1;\n const uint16_t expected = (uint16_t)((~((mod3 >> 1) - 1)) | mod3) % Q;\n ok &= constant_time_eq_w(v, expected);\n\n s >>= 1;\n const crypto_word_t s_bit = (crypto_word_t)(mod3 & 2)\n << (BITS_PER_WORD - 2);\n s |= s_bit;\n a >>= 1;\n a |= s_bit | (crypto_word_t)(mod3 & 1) << (BITS_PER_WORD - 1);\n shift++;\n\n if (shift == BITS_PER_WORD) {\n *words_s = s;\n words_s++;\n *words_a = a;\n words_a++;\n s = a = 0;\n shift = 0;\n }\n }\n\n s >>= BITS_PER_WORD - shift;\n a >>= BITS_PER_WORD - shift;\n *words_s = s;\n *words_a = a;\n\n return ok;\n}\n\nstatic void poly_from_poly2(struct poly *out, const struct poly2 *in) {\n const crypto_word_t *words = in->v;\n unsigned shift = 0;\n crypto_word_t word = *words;\n\n for (unsigned i = 0; i < N; i++) {\n out->v[i] = word & 1;\n word >>= 1;\n shift++;\n\n if (shift == BITS_PER_WORD) {\n words++;\n word = *words;\n shift = 0;\n }\n }\n\n poly_normalize(out);\n}\n\nstatic void poly_from_poly3(struct poly *out, const struct poly3 *in) {\n const crypto_word_t *words_s = in->s.v;\n const crypto_word_t *words_a = in->a.v;\n crypto_word_t word_s = ~(*words_s);\n crypto_word_t word_a = *words_a;\n unsigned shift = 0;\n\n for (unsigned i = 0; i < N; i++) {\n out->v[i] = (uint16_t)(word_s & 1) - 1;\n out->v[i] |= word_a & 1;\n word_s >>= 1;\n word_a >>= 1;\n shift++;\n\n if (shift == BITS_PER_WORD) {\n words_s++;\n words_a++;\n word_s = ~(*words_s);\n word_a = *words_a;\n shift = 0;\n }\n }\n\n poly_normalize(out);\n}\n\n// Polynomial inversion\n// --------------------\n\n// poly_invert_mod2 sets |*out| to |in^-1| (i.e. such that |*out|×|in| = 1 mod\n// Φ(N)), all mod 2. This isn't useful in itself, but is part of doing inversion\n// mod Q.\nstatic void poly_invert_mod2(struct poly *out, const struct poly *in) {\n // This algorithm is taken from section 7.1 of [SAFEGCD].\n struct poly2 v, r, f, g;\n\n // v = 0\n poly2_zero(&v);\n // r = 1\n poly2_zero(&r);\n r.v[0] = 1;\n // f = all ones.\n OPENSSL_memset(&f, 0xff, sizeof(struct poly2));\n f.v[WORDS_PER_POLY - 1] >>= BITS_PER_WORD - BITS_IN_LAST_WORD;\n // g is the reversal of |in|.\n poly2_from_poly(&g, in);\n poly2_mod_phiN(&g);\n poly2_reverse_700(&g, &g);\n int delta = 1;\n\n for (size_t i = 0; i < (2 * (N - 1)) - 1; i++) {\n poly2_lshift1(&v);\n\n const crypto_word_t delta_sign_bit = (delta >> (sizeof(delta) * 8 - 1)) & 1;\n const crypto_word_t delta_is_non_negative = delta_sign_bit - 1;\n const crypto_word_t delta_is_non_zero = ~constant_time_is_zero_w(delta);\n const crypto_word_t g_has_constant_term = lsb_to_all(g.v[0]);\n const crypto_word_t mask =\n g_has_constant_term & delta_is_non_negative & delta_is_non_zero;\n\n const crypto_word_t c = lsb_to_all(f.v[0] & g.v[0]);\n\n delta = constant_time_select_int(mask, -delta, delta);\n delta++;\n\n poly2_cswap(&f, &g, mask);\n poly2_fmadd(&g, &f, c);\n poly2_rshift1(&g);\n\n poly2_cswap(&v, &r, mask);\n poly2_fmadd(&r, &v, c);\n }\n\n assert(delta == 0);\n assert(f.v[0] & 1);\n poly2_reverse_700(&v, &v);\n poly_from_poly2(out, &v);\n poly_assert_normalized(out);\n}\n\n// poly_invert sets |*out| to |in^-1| (i.e. such that |*out|×|in| = 1 mod Φ(N)).\nstatic void poly_invert(struct POLY_MUL_SCRATCH *scratch, struct poly *out,\n const struct poly *in) {\n // Inversion mod Q, which is done based on the result of inverting mod\n // 2. See [NTRUTN14] paper, bottom of page two.\n struct poly a, *b, tmp;\n\n // a = -in.\n for (unsigned i = 0; i < N; i++) {\n a.v[i] = -in->v[i];\n }\n poly_normalize(&a);\n\n // b = in^-1 mod 2.\n b = out;\n poly_invert_mod2(b, in);\n\n // We are working mod Q=2**13 and we need to iterate ceil(log_2(13))\n // times, which is four.\n for (unsigned i = 0; i < 4; i++) {\n poly_mul(scratch, &tmp, &a, b);\n tmp.v[0] += 2;\n poly_mul(scratch, b, b, &tmp);\n }\n\n poly_assert_normalized(out);\n}\n\n// Marshal and unmarshal functions for various basic types.\n// --------------------------------------------------------\n\n#define POLY_BYTES 1138\n\n// poly_marshal serialises all but the final coefficient of |in| to |out|.\nstatic void poly_marshal(uint8_t out[POLY_BYTES], const struct poly *in) {\n const uint16_t *p = in->v;\n\n for (size_t i = 0; i < N / 8; i++) {\n out[0] = p[0];\n out[1] = (0x1f & (p[0] >> 8)) | ((p[1] & 0x07) << 5);\n out[2] = p[1] >> 3;\n out[3] = (3 & (p[1] >> 11)) | ((p[2] & 0x3f) << 2);\n out[4] = (0x7f & (p[2] >> 6)) | ((p[3] & 0x01) << 7);\n out[5] = p[3] >> 1;\n out[6] = (0xf & (p[3] >> 9)) | ((p[4] & 0x0f) << 4);\n out[7] = p[4] >> 4;\n out[8] = (1 & (p[4] >> 12)) | ((p[5] & 0x7f) << 1);\n out[9] = (0x3f & (p[5] >> 7)) | ((p[6] & 0x03) << 6);\n out[10] = p[6] >> 2;\n out[11] = (7 & (p[6] >> 10)) | ((p[7] & 0x1f) << 3);\n out[12] = p[7] >> 5;\n\n p += 8;\n out += 13;\n }\n\n // There are four remaining values.\n out[0] = p[0];\n out[1] = (0x1f & (p[0] >> 8)) | ((p[1] & 0x07) << 5);\n out[2] = p[1] >> 3;\n out[3] = (3 & (p[1] >> 11)) | ((p[2] & 0x3f) << 2);\n out[4] = (0x7f & (p[2] >> 6)) | ((p[3] & 0x01) << 7);\n out[5] = p[3] >> 1;\n out[6] = 0xf & (p[3] >> 9);\n}\n\n// poly_unmarshal parses the output of |poly_marshal| and sets |out| such that\n// all but the final coefficients match, and the final coefficient is calculated\n// such that evaluating |out| at one results in zero. It returns one on success\n// or zero if |in| is an invalid encoding.\nstatic int poly_unmarshal(struct poly *out, const uint8_t in[POLY_BYTES]) {\n uint16_t *p = out->v;\n\n for (size_t i = 0; i < N / 8; i++) {\n p[0] = (uint16_t)(in[0]) | (uint16_t)(in[1] & 0x1f) << 8;\n p[1] = (uint16_t)(in[1] >> 5) | (uint16_t)(in[2]) << 3 |\n (uint16_t)(in[3] & 3) << 11;\n p[2] = (uint16_t)(in[3] >> 2) | (uint16_t)(in[4] & 0x7f) << 6;\n p[3] = (uint16_t)(in[4] >> 7) | (uint16_t)(in[5]) << 1 |\n (uint16_t)(in[6] & 0xf) << 9;\n p[4] = (uint16_t)(in[6] >> 4) | (uint16_t)(in[7]) << 4 |\n (uint16_t)(in[8] & 1) << 12;\n p[5] = (uint16_t)(in[8] >> 1) | (uint16_t)(in[9] & 0x3f) << 7;\n p[6] = (uint16_t)(in[9] >> 6) | (uint16_t)(in[10]) << 2 |\n (uint16_t)(in[11] & 7) << 10;\n p[7] = (uint16_t)(in[11] >> 3) | (uint16_t)(in[12]) << 5;\n\n p += 8;\n in += 13;\n }\n\n // There are four coefficients remaining.\n p[0] = (uint16_t)(in[0]) | (uint16_t)(in[1] & 0x1f) << 8;\n p[1] = (uint16_t)(in[1] >> 5) | (uint16_t)(in[2]) << 3 |\n (uint16_t)(in[3] & 3) << 11;\n p[2] = (uint16_t)(in[3] >> 2) | (uint16_t)(in[4] & 0x7f) << 6;\n p[3] = (uint16_t)(in[4] >> 7) | (uint16_t)(in[5]) << 1 |\n (uint16_t)(in[6] & 0xf) << 9;\n\n for (unsigned i = 0; i < N - 1; i++) {\n out->v[i] = (int16_t)(out->v[i] << 3) >> 3;\n }\n\n // There are four unused bits in the last byte. We require them to be zero.\n if ((in[6] & 0xf0) != 0) {\n return 0;\n }\n\n // Set the final coefficient as specifed in [HRSSNIST] 1.9.2 step 6.\n uint32_t sum = 0;\n for (size_t i = 0; i < N - 1; i++) {\n sum += out->v[i];\n }\n\n out->v[N - 1] = (uint16_t)(0u - sum);\n poly_normalize(out);\n\n return 1;\n}\n\n// mod3_from_modQ maps {0, 1, Q-1, 65535} -> {0, 1, 2, 2}. Note that |v| may\n// have an invalid value when processing attacker-controlled inputs.\nstatic uint16_t mod3_from_modQ(uint16_t v) {\n v &= 3;\n return v ^ (v >> 1);\n}\n\n// poly_marshal_mod3 marshals |in| to |out| where the coefficients of |in| are\n// all in {0, 1, Q-1, 65535} and |in| is mod Φ(N). (Note that coefficients may\n// have invalid values when processing attacker-controlled inputs.)\nstatic void poly_marshal_mod3(uint8_t out[HRSS_POLY3_BYTES],\n const struct poly *in) {\n const uint16_t *coeffs = in->v;\n\n // Only 700 coefficients are marshaled because in[700] must be zero.\n assert(coeffs[N - 1] == 0);\n\n for (size_t i = 0; i < HRSS_POLY3_BYTES; i++) {\n const uint16_t coeffs0 = mod3_from_modQ(coeffs[0]);\n const uint16_t coeffs1 = mod3_from_modQ(coeffs[1]);\n const uint16_t coeffs2 = mod3_from_modQ(coeffs[2]);\n const uint16_t coeffs3 = mod3_from_modQ(coeffs[3]);\n const uint16_t coeffs4 = mod3_from_modQ(coeffs[4]);\n out[i] = coeffs0 + coeffs1 * 3 + coeffs2 * 9 + coeffs3 * 27 + coeffs4 * 81;\n coeffs += 5;\n }\n}\n\n// HRSS-specific functions\n// -----------------------\n\n// poly_short_sample samples a vector of values in {0xffff (i.e. -1), 0, 1}.\n// This is the same action as the algorithm in [HRSSNIST] section 1.8.1, but\n// with HRSS-SXY the sampling algorithm is now a private detail of the\n// implementation (previously it had to match between two parties). This\n// function uses that freedom to implement a flatter distribution of values.\nstatic void poly_short_sample(struct poly *out,\n const uint8_t in[HRSS_SAMPLE_BYTES]) {\n static_assert(HRSS_SAMPLE_BYTES == N - 1, \"HRSS_SAMPLE_BYTES incorrect\");\n for (size_t i = 0; i < N - 1; i++) {\n uint16_t v = mod3(in[i]);\n // Map {0, 1, 2} -> {0, 1, 0xffff}\n v |= ((v >> 1) ^ 1) - 1;\n out->v[i] = v;\n }\n out->v[N - 1] = 0;\n poly_normalize(out);\n}\n\n// poly_short_sample_plus performs the T+ sample as defined in [HRSSNIST],\n// section 1.8.2.\nstatic void poly_short_sample_plus(struct poly *out,\n const uint8_t in[HRSS_SAMPLE_BYTES]) {\n poly_short_sample(out, in);\n\n // sum (and the product in the for loop) will overflow. But that's fine\n // because |sum| is bound by +/- (N-2), and N < 2^15 so it works out.\n uint16_t sum = 0;\n for (unsigned i = 0; i < N - 2; i++) {\n sum += (unsigned)out->v[i] * out->v[i + 1];\n }\n\n // If the sum is negative, flip the sign of even-positioned coefficients. (See\n // page 8 of [HRSS].)\n sum = ((int16_t)sum) >> 15;\n const uint16_t scale = sum | (~sum & 1);\n for (unsigned i = 0; i < N; i += 2) {\n out->v[i] = (unsigned)out->v[i] * scale;\n }\n poly_assert_normalized(out);\n}\n\n// poly_lift computes the function discussed in [HRSS], appendix B.\nstatic void poly_lift(struct poly *out, const struct poly *a) {\n // We wish to calculate a/(𝑥-1) mod Φ(N) over GF(3), where Φ(N) is the\n // Nth cyclotomic polynomial, i.e. 1 + 𝑥 + … + 𝑥^700 (since N is prime).\n\n // 1/(𝑥-1) has a fairly basic structure that we can exploit to speed this up:\n //\n // R. = PolynomialRing(GF(3)…)\n // inv = R.cyclotomic_polynomial(1).inverse_mod(R.cyclotomic_polynomial(n))\n // list(inv)[:15]\n // [1, 0, 2, 1, 0, 2, 1, 0, 2, 1, 0, 2, 1, 0, 2]\n //\n // This three-element pattern of coefficients repeats for the whole\n // polynomial.\n //\n // Next define the overbar operator such that z̅ = z[0] +\n // reverse(z[1:]). (Index zero of a polynomial here is the coefficient\n // of the constant term. So index one is the coefficient of 𝑥 and so\n // on.)\n //\n // A less odd way to define this is to see that z̅ negates the indexes,\n // so z̅[0] = z[-0], z̅[1] = z[-1] and so on.\n //\n // The use of z̅ is that, when working mod (𝑥^701 - 1), vz[0] = , vz[1] = , …. (Where is the inner product: the sum\n // of the point-wise products.) Although we calculated the inverse mod\n // Φ(N), we can work mod (𝑥^N - 1) and reduce mod Φ(N) at the end.\n // (That's because (𝑥^N - 1) is a multiple of Φ(N).)\n //\n // When working mod (𝑥^N - 1), multiplication by 𝑥 is a right-rotation\n // of the list of coefficients.\n //\n // Thus we can consider what the pattern of z̅, 𝑥z̅, 𝑥^2z̅, … looks like:\n //\n // def reverse(xs):\n // suffix = list(xs[1:])\n // suffix.reverse()\n // return [xs[0]] + suffix\n //\n // def rotate(xs):\n // return [xs[-1]] + xs[:-1]\n //\n // zoverbar = reverse(list(inv) + [0])\n // xzoverbar = rotate(reverse(list(inv) + [0]))\n // x2zoverbar = rotate(rotate(reverse(list(inv) + [0])))\n //\n // zoverbar[:15]\n // [1, 0, 1, 2, 0, 1, 2, 0, 1, 2, 0, 1, 2, 0, 1]\n // xzoverbar[:15]\n // [0, 1, 0, 1, 2, 0, 1, 2, 0, 1, 2, 0, 1, 2, 0]\n // x2zoverbar[:15]\n // [2, 0, 1, 0, 1, 2, 0, 1, 2, 0, 1, 2, 0, 1, 2]\n //\n // (For a formula for z̅, see lemma two of appendix B.)\n //\n // After the first three elements have been taken care of, all then have\n // a repeating three-element cycle. The next value (𝑥^3z̅) involves\n // three rotations of the first pattern, thus the three-element cycle\n // lines up. However, the discontinuity in the first three elements\n // obviously moves to a different position. Consider the difference\n // between 𝑥^3z̅ and z̅:\n //\n // [x-y for (x,y) in zip(zoverbar, x3zoverbar)][:15]\n // [0, 1, 1, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]\n //\n // This pattern of differences is the same for all elements, although it\n // obviously moves right with the rotations.\n //\n // From this, we reach algorithm eight of appendix B.\n\n // Handle the first three elements of the inner products.\n out->v[0] = a->v[0] + a->v[2];\n out->v[1] = a->v[1];\n out->v[2] = -a->v[0] + a->v[2];\n\n // s0, s1, s2 are added into out->v[0], out->v[1], and out->v[2],\n // respectively. We do not compute s1 because it's just -(s0 + s1).\n uint16_t s0 = 0, s2 = 0;\n for (size_t i = 3; i < 699; i += 3) {\n s0 += -a->v[i] + a->v[i + 2];\n // s1 += a->v[i] - a->v[i + 1];\n s2 += a->v[i + 1] - a->v[i + 2];\n }\n\n // Handle the fact that the three-element pattern doesn't fill the\n // polynomial exactly (since 701 isn't a multiple of three).\n s0 -= a->v[699];\n // s1 += a->v[699] - a->v[700];\n s2 += a->v[700];\n\n // Note that s0 + s1 + s2 = 0.\n out->v[0] += s0;\n out->v[1] -= (s0 + s2); // = s1\n out->v[2] += s2;\n\n // Calculate the remaining inner products by taking advantage of the\n // fact that the pattern repeats every three cycles and the pattern of\n // differences moves with the rotation.\n for (size_t i = 3; i < N; i++) {\n out->v[i] = (out->v[i - 3] - (a->v[i - 2] + a->v[i - 1] + a->v[i]));\n }\n\n // Reduce mod Φ(N) by subtracting a multiple of out[700] from every\n // element and convert to mod Q. (See above about adding twice as\n // subtraction.)\n const crypto_word_t v = out->v[700];\n for (unsigned i = 0; i < N; i++) {\n const uint16_t vi_mod3 = mod3(out->v[i] - v);\n // Map {0, 1, 2} to {0, 1, 0xffff}.\n out->v[i] = (~((vi_mod3 >> 1) - 1)) | vi_mod3;\n }\n\n poly_mul_x_minus_1(out);\n poly_normalize(out);\n}\n\nnamespace {\n\nstruct public_key {\n struct poly ph;\n};\n\nstruct private_key {\n struct poly3 f, f_inverse;\n struct poly ph_inverse;\n uint8_t hmac_key[32];\n};\n\n} // namespace\n\n// public_key_from_external converts an external public key pointer into an\n// internal one. Externally the alignment is only specified to be eight bytes\n// but we need 16-byte alignment. We could annotate the external struct with\n// that alignment but we can only assume that malloced pointers are 8-byte\n// aligned in any case. (Even if the underlying malloc returns values with\n// 16-byte alignment, |OPENSSL_malloc| will store an 8-byte size prefix and mess\n// that up.)\nstatic struct public_key *public_key_from_external(\n struct HRSS_public_key *ext) {\n static_assert(\n sizeof(struct HRSS_public_key) >= sizeof(struct public_key) + 15,\n \"HRSS public key too small\");\n\n return reinterpret_cast(align_pointer(ext->opaque, 16));\n}\n\n// private_key_from_external does the same thing as |public_key_from_external|,\n// but for private keys. See the comment on that function about alignment\n// issues.\nstatic struct private_key *private_key_from_external(\n struct HRSS_private_key *ext) {\n static_assert(\n sizeof(struct HRSS_private_key) >= sizeof(struct private_key) + 15,\n \"HRSS private key too small\");\n\n return reinterpret_cast(align_pointer(ext->opaque, 16));\n}\n\n// malloc_align32 returns a pointer to |size| bytes of 32-byte-aligned heap and\n// sets |*out_ptr| to a value that can be passed to |OPENSSL_free| to release\n// it. It returns NULL if out of memory.\nstatic void *malloc_align32(void **out_ptr, size_t size) {\n void *ptr = OPENSSL_malloc(size + 31);\n if (!ptr) {\n *out_ptr = NULL;\n return NULL;\n }\n\n *out_ptr = ptr;\n return align_pointer(ptr, 32);\n}\n\nint HRSS_generate_key(\n struct HRSS_public_key *out_pub, struct HRSS_private_key *out_priv,\n const uint8_t in[HRSS_SAMPLE_BYTES + HRSS_SAMPLE_BYTES + 32]) {\n struct public_key *pub = public_key_from_external(out_pub);\n struct private_key *priv = private_key_from_external(out_priv);\n\n struct vars {\n struct POLY_MUL_SCRATCH scratch;\n struct poly f;\n struct poly pg_phi1;\n struct poly pfg_phi1;\n struct poly pfg_phi1_inverse;\n };\n\n void *malloc_ptr;\n struct vars *const vars = reinterpret_cast(\n malloc_align32(&malloc_ptr, sizeof(struct vars)));\n if (!vars) {\n // If the caller ignores the return value the output will still be safe.\n // The private key output is randomised in case it's later passed to\n // |HRSS_encap|.\n memset(out_pub, 0, sizeof(struct HRSS_public_key));\n RAND_bytes((uint8_t *)out_priv, sizeof(struct HRSS_private_key));\n return 0;\n }\n\n#if !defined(NDEBUG)\n OPENSSL_memset(vars, 0xff, sizeof(struct vars));\n#endif\n\n OPENSSL_memcpy(priv->hmac_key, in + 2 * HRSS_SAMPLE_BYTES,\n sizeof(priv->hmac_key));\n\n poly_short_sample_plus(&vars->f, in);\n poly3_from_poly(&priv->f, &vars->f);\n HRSS_poly3_invert(&priv->f_inverse, &priv->f);\n\n // pg_phi1 is p (i.e. 3) × g × Φ(1) (i.e. 𝑥-1).\n poly_short_sample_plus(&vars->pg_phi1, in + HRSS_SAMPLE_BYTES);\n for (unsigned i = 0; i < N; i++) {\n vars->pg_phi1.v[i] *= 3;\n }\n poly_mul_x_minus_1(&vars->pg_phi1);\n\n poly_mul(&vars->scratch, &vars->pfg_phi1, &vars->f, &vars->pg_phi1);\n\n poly_invert(&vars->scratch, &vars->pfg_phi1_inverse, &vars->pfg_phi1);\n\n poly_mul(&vars->scratch, &pub->ph, &vars->pfg_phi1_inverse, &vars->pg_phi1);\n poly_mul(&vars->scratch, &pub->ph, &pub->ph, &vars->pg_phi1);\n poly_clamp(&pub->ph);\n\n poly_mul(&vars->scratch, &priv->ph_inverse, &vars->pfg_phi1_inverse,\n &vars->f);\n poly_mul(&vars->scratch, &priv->ph_inverse, &priv->ph_inverse, &vars->f);\n poly_clamp(&priv->ph_inverse);\n\n OPENSSL_free(malloc_ptr);\n return 1;\n}\n\nstatic const char kSharedKey[] = \"shared key\";\n\nint HRSS_encap(uint8_t out_ciphertext[POLY_BYTES], uint8_t out_shared_key[32],\n const struct HRSS_public_key *in_pub,\n const uint8_t in[HRSS_SAMPLE_BYTES + HRSS_SAMPLE_BYTES]) {\n const struct public_key *pub =\n public_key_from_external((struct HRSS_public_key *)in_pub);\n\n struct vars {\n struct POLY_MUL_SCRATCH scratch;\n struct poly m, r, m_lifted;\n struct poly prh_plus_m;\n SHA256_CTX hash_ctx;\n uint8_t m_bytes[HRSS_POLY3_BYTES];\n uint8_t r_bytes[HRSS_POLY3_BYTES];\n };\n\n void *malloc_ptr;\n struct vars *const vars = reinterpret_cast(\n malloc_align32(&malloc_ptr, sizeof(struct vars)));\n if (!vars) {\n // If the caller ignores the return value the output will still be safe.\n // The private key output is randomised in case it's used to encrypt and\n // transmit something.\n memset(out_ciphertext, 0, POLY_BYTES);\n RAND_bytes(out_shared_key, 32);\n return 0;\n }\n\n#if !defined(NDEBUG)\n OPENSSL_memset(vars, 0xff, sizeof(struct vars));\n#endif\n\n poly_short_sample(&vars->m, in);\n poly_short_sample(&vars->r, in + HRSS_SAMPLE_BYTES);\n poly_lift(&vars->m_lifted, &vars->m);\n\n poly_mul(&vars->scratch, &vars->prh_plus_m, &vars->r, &pub->ph);\n for (unsigned i = 0; i < N; i++) {\n vars->prh_plus_m.v[i] += vars->m_lifted.v[i];\n }\n\n poly_marshal(out_ciphertext, &vars->prh_plus_m);\n\n poly_marshal_mod3(vars->m_bytes, &vars->m);\n poly_marshal_mod3(vars->r_bytes, &vars->r);\n\n SHA256_Init(&vars->hash_ctx);\n SHA256_Update(&vars->hash_ctx, kSharedKey, sizeof(kSharedKey));\n SHA256_Update(&vars->hash_ctx, vars->m_bytes, sizeof(vars->m_bytes));\n SHA256_Update(&vars->hash_ctx, vars->r_bytes, sizeof(vars->r_bytes));\n SHA256_Update(&vars->hash_ctx, out_ciphertext, POLY_BYTES);\n SHA256_Final(out_shared_key, &vars->hash_ctx);\n\n OPENSSL_free(malloc_ptr);\n return 1;\n}\n\nint HRSS_decap(uint8_t out_shared_key[HRSS_KEY_BYTES],\n const struct HRSS_private_key *in_priv,\n const uint8_t *ciphertext, size_t ciphertext_len) {\n const struct private_key *priv =\n private_key_from_external((struct HRSS_private_key *)in_priv);\n\n#if defined(_MSC_VER)\n // MSVC will produce this useless warning:\n // warning C4324: structure was padded due to alignment specifier\n#pragma warning(push)\n#pragma warning(disable : 4324)\n#endif\n struct vars {\n struct POLY_MUL_SCRATCH scratch;\n uint8_t masked_key[SHA256_CBLOCK];\n SHA256_CTX hash_ctx;\n struct poly c;\n struct poly f, cf;\n struct poly3 cf3, m3;\n struct poly m, m_lifted;\n struct poly r;\n struct poly3 r3;\n uint8_t expected_ciphertext[HRSS_CIPHERTEXT_BYTES];\n uint8_t m_bytes[HRSS_POLY3_BYTES];\n uint8_t r_bytes[HRSS_POLY3_BYTES];\n uint8_t shared_key[32];\n };\n#if defined(_MSC_VER)\n#pragma warning(pop)\n#endif\n\n void *malloc_ptr;\n struct vars *const vars = reinterpret_cast(\n malloc_align32(&malloc_ptr, sizeof(struct vars)));\n if (!vars) {\n // If the caller ignores the return value the output will still be safe.\n // The private key output is randomised in case it's used to encrypt and\n // transmit something.\n RAND_bytes(out_shared_key, HRSS_KEY_BYTES);\n return 0;\n }\n\n#if !defined(NDEBUG)\n OPENSSL_memset(vars, 0xff, sizeof(struct vars));\n#endif\n\n // This is HMAC, expanded inline rather than using the |HMAC| function so that\n // we can avoid dealing with possible allocation failures and so keep this\n // function infallible.\n static_assert(sizeof(priv->hmac_key) <= sizeof(vars->masked_key),\n \"HRSS HMAC key larger than SHA-256 block size\");\n for (size_t i = 0; i < sizeof(priv->hmac_key); i++) {\n vars->masked_key[i] = priv->hmac_key[i] ^ 0x36;\n }\n OPENSSL_memset(vars->masked_key + sizeof(priv->hmac_key), 0x36,\n sizeof(vars->masked_key) - sizeof(priv->hmac_key));\n\n SHA256_Init(&vars->hash_ctx);\n SHA256_Update(&vars->hash_ctx, vars->masked_key, sizeof(vars->masked_key));\n SHA256_Update(&vars->hash_ctx, ciphertext, ciphertext_len);\n uint8_t inner_digest[SHA256_DIGEST_LENGTH];\n SHA256_Final(inner_digest, &vars->hash_ctx);\n\n for (size_t i = 0; i < sizeof(priv->hmac_key); i++) {\n vars->masked_key[i] ^= (0x5c ^ 0x36);\n }\n OPENSSL_memset(vars->masked_key + sizeof(priv->hmac_key), 0x5c,\n sizeof(vars->masked_key) - sizeof(priv->hmac_key));\n\n SHA256_Init(&vars->hash_ctx);\n SHA256_Update(&vars->hash_ctx, vars->masked_key, sizeof(vars->masked_key));\n SHA256_Update(&vars->hash_ctx, inner_digest, sizeof(inner_digest));\n static_assert(HRSS_KEY_BYTES == SHA256_DIGEST_LENGTH,\n \"HRSS shared key length incorrect\");\n SHA256_Final(out_shared_key, &vars->hash_ctx);\n\n // If the ciphertext is publicly invalid then a random shared key is still\n // returned to simply the logic of the caller, but this path is not constant\n // time.\n crypto_word_t ok = 0;\n if (ciphertext_len != HRSS_CIPHERTEXT_BYTES ||\n !poly_unmarshal(&vars->c, ciphertext)) {\n goto out;\n }\n\n poly_from_poly3(&vars->f, &priv->f);\n poly_mul(&vars->scratch, &vars->cf, &vars->c, &vars->f);\n poly3_from_poly(&vars->cf3, &vars->cf);\n // Note that cf3 is not reduced mod Φ(N). That reduction is deferred.\n HRSS_poly3_mul(&vars->m3, &vars->cf3, &priv->f_inverse);\n\n poly_from_poly3(&vars->m, &vars->m3);\n poly_lift(&vars->m_lifted, &vars->m);\n\n for (unsigned i = 0; i < N; i++) {\n vars->r.v[i] = vars->c.v[i] - vars->m_lifted.v[i];\n }\n poly_normalize(&vars->r);\n poly_mul(&vars->scratch, &vars->r, &vars->r, &priv->ph_inverse);\n poly_mod_phiN(&vars->r);\n poly_clamp(&vars->r);\n\n ok = poly3_from_poly_checked(&vars->r3, &vars->r);\n\n // [NTRUCOMP] section 5.1 includes ReEnc2 and a proof that it's valid. Rather\n // than do an expensive |poly_mul|, it rebuilds |c'| from |c - lift(m)|\n // (called |b|) with:\n // t = (−b(1)/N) mod Q\n // c' = b + tΦ(N) + lift(m) mod Q\n //\n // When polynomials are transmitted, the final coefficient is omitted and\n // |poly_unmarshal| sets it such that f(1) == 0. Thus c(1) == 0. Also,\n // |poly_lift| multiplies the result by (x-1) and therefore evaluating a\n // lifted polynomial at 1 is also zero. Thus lift(m)(1) == 0 and so\n // (c - lift(m))(1) == 0.\n //\n // Although we defer the reduction above, |b| is conceptually reduced mod\n // Φ(N). In order to do that reduction one subtracts |c[N-1]| from every\n // coefficient. Therefore b(1) = -c[N-1]×N. The value of |t|, above, then is\n // just recovering |c[N-1]|, and adding tΦ(N) is simply undoing the reduction.\n // Therefore b + tΦ(N) + lift(m) = c by construction and we don't need to\n // recover |c| at all so long as we do the checks in\n // |poly3_from_poly_checked|.\n //\n // The |poly_marshal| here then is just confirming that |poly_unmarshal| is\n // strict and could be omitted.\n\n static_assert(HRSS_CIPHERTEXT_BYTES == POLY_BYTES,\n \"ciphertext is the wrong size\");\n assert(ciphertext_len == sizeof(vars->expected_ciphertext));\n poly_marshal(vars->expected_ciphertext, &vars->c);\n\n poly_marshal_mod3(vars->m_bytes, &vars->m);\n poly_marshal_mod3(vars->r_bytes, &vars->r);\n\n ok &= constant_time_is_zero_w(\n CRYPTO_memcmp(ciphertext, vars->expected_ciphertext,\n sizeof(vars->expected_ciphertext)));\n\n SHA256_Init(&vars->hash_ctx);\n SHA256_Update(&vars->hash_ctx, kSharedKey, sizeof(kSharedKey));\n SHA256_Update(&vars->hash_ctx, vars->m_bytes, sizeof(vars->m_bytes));\n SHA256_Update(&vars->hash_ctx, vars->r_bytes, sizeof(vars->r_bytes));\n SHA256_Update(&vars->hash_ctx, vars->expected_ciphertext,\n sizeof(vars->expected_ciphertext));\n SHA256_Final(vars->shared_key, &vars->hash_ctx);\n\n for (unsigned i = 0; i < sizeof(vars->shared_key); i++) {\n out_shared_key[i] =\n constant_time_select_8(ok, vars->shared_key[i], out_shared_key[i]);\n }\n\nout:\n OPENSSL_free(malloc_ptr);\n return 1;\n}\n\nvoid HRSS_marshal_public_key(uint8_t out[HRSS_PUBLIC_KEY_BYTES],\n const struct HRSS_public_key *in_pub) {\n const struct public_key *pub =\n public_key_from_external((struct HRSS_public_key *)in_pub);\n poly_marshal(out, &pub->ph);\n}\n\nint HRSS_parse_public_key(struct HRSS_public_key *out,\n const uint8_t in[HRSS_PUBLIC_KEY_BYTES]) {\n struct public_key *pub = public_key_from_external(out);\n if (!poly_unmarshal(&pub->ph, in)) {\n return 0;\n }\n OPENSSL_memset(&pub->ph.v[N], 0, 3 * sizeof(uint16_t));\n return 1;\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/hrss/internal.h", "content": "/* Copyright 2018 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n#ifndef OPENSSL_HEADER_HRSS_INTERNAL_H\n#define OPENSSL_HEADER_HRSS_INTERNAL_H\n\n#include \n#include \"../internal.h\"\n\n#if defined(__cplusplus)\nextern \"C\" {\n#endif\n\n\n#define N 701\n#define BITS_PER_WORD (sizeof(crypto_word_t) * 8)\n#define WORDS_PER_POLY ((N + BITS_PER_WORD - 1) / BITS_PER_WORD)\n#define BITS_IN_LAST_WORD (N % BITS_PER_WORD)\n\nstruct poly2 {\n crypto_word_t v[WORDS_PER_POLY];\n};\n\nstruct poly3 {\n struct poly2 s, a;\n};\n\nOPENSSL_EXPORT void HRSS_poly3_mul(struct poly3 *out, const struct poly3 *x,\n const struct poly3 *y);\nOPENSSL_EXPORT void HRSS_poly3_invert(struct poly3 *out,\n const struct poly3 *in);\n\n// On x86-64, we can use the AVX2 code from [HRSS]. (The authors have given\n// explicit permission for this and signed a CLA.) However it's 57KB of object\n// code, so it's not used if |OPENSSL_SMALL| is defined.\n#if !defined(OPENSSL_NO_ASM) && !defined(OPENSSL_SMALL) && \\\n defined(OPENSSL_X86_64) && defined(OPENSSL_LINUX)\n#define POLY_RQ_MUL_ASM\n// POLY_MUL_RQ_SCRATCH_SPACE is the number of bytes of scratch space needed\n// by the assembly function poly_Rq_mul.\n#define POLY_MUL_RQ_SCRATCH_SPACE (6144 + 6144 + 12288 + 512 + 9408 + 32)\n\n// poly_Rq_mul is defined in assembly. Inputs and outputs must be 16-byte-\n// aligned.\nextern void poly_Rq_mul(\n uint16_t r[N + 3], const uint16_t a[N + 3], const uint16_t b[N + 3],\n // The following should be `scratch[POLY_MUL_RQ_SCRATCH_SPACE]` but\n // GCC 11.1 has a bug with unions that breaks that.\n uint8_t scratch[]);\n#endif\n\n\n#if defined(__cplusplus)\n} // extern \"C\"\n#endif\n\n#endif // !OPENSSL_HEADER_HRSS_INTERNAL_H\n" }, { "path": "Sources/CNIOBoringSSL/crypto/internal.h", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#ifndef OPENSSL_HEADER_CRYPTO_INTERNAL_H\n#define OPENSSL_HEADER_CRYPTO_INTERNAL_H\n\n#include \n#include \n#include \n#include \n#include \n\n#include \n#include \n\n#if defined(BORINGSSL_CONSTANT_TIME_VALIDATION)\n#include \n#endif\n\n#if defined(BORINGSSL_FIPS_BREAK_TESTS)\n#include \n#endif\n\n#if defined(OPENSSL_THREADS) && \\\n (!defined(OPENSSL_WINDOWS) || defined(__MINGW32__))\n#include \n#define OPENSSL_PTHREADS\n#endif\n\n#if defined(OPENSSL_THREADS) && !defined(OPENSSL_PTHREADS) && \\\n defined(OPENSSL_WINDOWS)\n#define OPENSSL_WINDOWS_THREADS\n#endif\n\n#if defined(OPENSSL_THREADS)\n#include \n#endif\n\n#if defined(OPENSSL_WINDOWS_THREADS)\nOPENSSL_MSVC_PRAGMA(warning(push, 3))\n#include \nOPENSSL_MSVC_PRAGMA(warning(pop))\n#endif\n\n#if defined(__cplusplus)\nextern \"C\" {\n#endif\n\n\n#if !defined(OPENSSL_NO_ASM) && !defined(OPENSSL_STATIC_ARMCAP) && \\\n (defined(OPENSSL_X86) || defined(OPENSSL_X86_64) || \\\n defined(OPENSSL_ARM) || defined(OPENSSL_AARCH64))\n// x86, x86_64, and the ARMs need to record the result of a cpuid/getauxval call\n// for the asm to work correctly, unless compiled without asm code.\n#define NEED_CPUID\n\n// OPENSSL_cpuid_setup initializes the platform-specific feature cache. This\n// function should not be called directly. Call |OPENSSL_init_cpuid| instead.\nvoid OPENSSL_cpuid_setup(void);\n\n// OPENSSL_init_cpuid initializes the platform-specific feature cache, if\n// needed. This function is idempotent and may be called concurrently.\nvoid OPENSSL_init_cpuid(void);\n#else\ninline void OPENSSL_init_cpuid(void) {}\n#endif\n\n#if (defined(OPENSSL_ARM) || defined(OPENSSL_AARCH64)) && \\\n !defined(OPENSSL_STATIC_ARMCAP)\n// OPENSSL_get_armcap_pointer_for_test returns a pointer to |OPENSSL_armcap_P|\n// for unit tests. Any modifications to the value must be made before any other\n// function call in BoringSSL.\nOPENSSL_EXPORT uint32_t *OPENSSL_get_armcap_pointer_for_test(void);\n#endif\n\n\n// On non-MSVC 64-bit targets, we expect __uint128_t support. This includes\n// clang-cl, which defines both __clang__ and _MSC_VER.\n#if (!defined(_MSC_VER) || defined(__clang__)) && defined(OPENSSL_64_BIT)\n#define BORINGSSL_HAS_UINT128\ntypedef __int128_t int128_t;\ntypedef __uint128_t uint128_t;\n\n// __uint128_t division depends on intrinsics in the compiler runtime. Those\n// intrinsics are missing in clang-cl (https://crbug.com/787617) and nanolibc.\n// These may be bugs in the toolchain definition, but just disable it for now.\n// EDK2's toolchain is missing __udivti3 (b/339380897) so cannot support\n// 128-bit division currently.\n#if !defined(_MSC_VER) && !defined(OPENSSL_NANOLIBC) && \\\n !defined(__EDK2_BORINGSSL__)\n#define BORINGSSL_CAN_DIVIDE_UINT128\n#endif\n#endif\n\n#define OPENSSL_ARRAY_SIZE(array) (sizeof(array) / sizeof((array)[0]))\n\n#if defined(__clang__) && __clang_major__ >= 5\n#if __has_attribute(fallthrough)\n#define OPENSSL_CAN_USE_ATTR_FALLTHROUGH\n#endif\n#endif\n\n// GCC-like compilers indicate SSE2 with |__SSE2__|. MSVC leaves the caller to\n// know that x86_64 has SSE2, and uses _M_IX86_FP to indicate SSE2 on x86.\n// https://learn.microsoft.com/en-us/cpp/preprocessor/predefined-macros?view=msvc-170\n#if defined(__SSE2__) || defined(_M_AMD64) || defined(_M_X64) || \\\n (defined(_M_IX86_FP) && _M_IX86_FP >= 2)\n#define OPENSSL_SSE2\n#endif\n\n#if defined(OPENSSL_X86) && !defined(OPENSSL_NO_ASM) && !defined(OPENSSL_SSE2)\n#error \\\n \"x86 assembly requires SSE2. Build with -msse2 (recommended), or disable assembly optimizations with -DOPENSSL_NO_ASM.\"\n#endif\n\n// For convenience in testing the fallback code, we allow disabling SSE2\n// intrinsics via |OPENSSL_NO_SSE2_FOR_TESTING|. We require SSE2 on x86 and\n// x86_64, so we would otherwise need to test such code on a non-x86 platform.\n//\n// This does not remove the above requirement for SSE2 support with assembly\n// optimizations. It only disables some intrinsics-based optimizations so that\n// we can test the fallback code on CI.\n#if defined(OPENSSL_SSE2) && defined(OPENSSL_NO_SSE2_FOR_TESTING)\n#undef OPENSSL_SSE2\n#endif\n\n#if defined(__GNUC__) || defined(__clang__)\n#define OPENSSL_ATTR_CONST __attribute__((const))\n#else\n#define OPENSSL_ATTR_CONST\n#endif\n\n#if defined(BORINGSSL_MALLOC_FAILURE_TESTING)\n// OPENSSL_reset_malloc_counter_for_testing, when malloc testing is enabled,\n// resets the internal malloc counter, to simulate further malloc failures. This\n// should be called in between independent tests, at a point where failure from\n// a previous test will not impact subsequent ones.\nOPENSSL_EXPORT void OPENSSL_reset_malloc_counter_for_testing(void);\n\n// OPENSSL_disable_malloc_failures_for_testing, when malloc testing is enabled,\n// disables simulated malloc failures. Calls to |OPENSSL_malloc| will not\n// increment the malloc counter or synthesize failures. This may be used to skip\n// simulating malloc failures in some region of code.\nOPENSSL_EXPORT void OPENSSL_disable_malloc_failures_for_testing(void);\n\n// OPENSSL_enable_malloc_failures_for_testing, when malloc testing is enabled,\n// re-enables simulated malloc failures.\nOPENSSL_EXPORT void OPENSSL_enable_malloc_failures_for_testing(void);\n#else\ninline void OPENSSL_reset_malloc_counter_for_testing(void) {}\ninline void OPENSSL_disable_malloc_failures_for_testing(void) {}\ninline void OPENSSL_enable_malloc_failures_for_testing(void) {}\n#endif\n\n#if defined(__has_builtin)\n#define OPENSSL_HAS_BUILTIN(x) __has_builtin(x)\n#else\n#define OPENSSL_HAS_BUILTIN(x) 0\n#endif\n\n\n// Pointer utility functions.\n\n// buffers_alias returns one if |a| and |b| alias and zero otherwise.\nstatic inline int buffers_alias(const void *a, size_t a_bytes, const void *b,\n size_t b_bytes) {\n // Cast |a| and |b| to integers. In C, pointer comparisons between unrelated\n // objects are undefined whereas pointer to integer conversions are merely\n // implementation-defined. We assume the implementation defined it in a sane\n // way.\n uintptr_t a_u = (uintptr_t)a;\n uintptr_t b_u = (uintptr_t)b;\n return a_u + a_bytes > b_u && b_u + b_bytes > a_u;\n}\n\n// align_pointer returns |ptr|, advanced to |alignment|. |alignment| must be a\n// power of two, and |ptr| must have at least |alignment - 1| bytes of scratch\n// space.\nstatic inline void *align_pointer(void *ptr, size_t alignment) {\n // |alignment| must be a power of two.\n assert(alignment != 0 && (alignment & (alignment - 1)) == 0);\n // Instead of aligning |ptr| as a |uintptr_t| and casting back, compute the\n // offset and advance in pointer space. C guarantees that casting from pointer\n // to |uintptr_t| and back gives the same pointer, but general\n // integer-to-pointer conversions are implementation-defined. GCC does define\n // it in the useful way, but this makes fewer assumptions.\n uintptr_t offset = (0u - (uintptr_t)ptr) & (alignment - 1);\n ptr = (char *)ptr + offset;\n assert(((uintptr_t)ptr & (alignment - 1)) == 0);\n return ptr;\n}\n\n\n// Constant-time utility functions.\n//\n// The following methods return a bitmask of all ones (0xff...f) for true and 0\n// for false. This is useful for choosing a value based on the result of a\n// conditional in constant time. For example,\n//\n// if (a < b) {\n// c = a;\n// } else {\n// c = b;\n// }\n//\n// can be written as\n//\n// crypto_word_t lt = constant_time_lt_w(a, b);\n// c = constant_time_select_w(lt, a, b);\n\n// crypto_word_t is the type that most constant-time functions use. Ideally we\n// would like it to be |size_t|, but NaCl builds in 64-bit mode with 32-bit\n// pointers, which means that |size_t| can be 32 bits when |BN_ULONG| is 64\n// bits. Since we want to be able to do constant-time operations on a\n// |BN_ULONG|, |crypto_word_t| is defined as an unsigned value with the native\n// word length.\n#if defined(OPENSSL_64_BIT)\ntypedef uint64_t crypto_word_t;\n#elif defined(OPENSSL_32_BIT)\ntypedef uint32_t crypto_word_t;\n#else\n#error \"Must define either OPENSSL_32_BIT or OPENSSL_64_BIT\"\n#endif\n\n#define CONSTTIME_TRUE_W ~((crypto_word_t)0)\n#define CONSTTIME_FALSE_W ((crypto_word_t)0)\n#define CONSTTIME_TRUE_8 ((uint8_t)0xff)\n#define CONSTTIME_FALSE_8 ((uint8_t)0)\n\n// value_barrier_w returns |a|, but prevents GCC and Clang from reasoning about\n// the returned value. This is used to mitigate compilers undoing constant-time\n// code, until we can express our requirements directly in the language.\n//\n// Note the compiler is aware that |value_barrier_w| has no side effects and\n// always has the same output for a given input. This allows it to eliminate\n// dead code, move computations across loops, and vectorize.\nstatic inline crypto_word_t value_barrier_w(crypto_word_t a) {\n#if defined(__GNUC__) || defined(__clang__)\n __asm__(\"\" : \"+r\"(a) : /* no inputs */);\n#endif\n return a;\n}\n\n// value_barrier_u32 behaves like |value_barrier_w| but takes a |uint32_t|.\nstatic inline uint32_t value_barrier_u32(uint32_t a) {\n#if defined(__GNUC__) || defined(__clang__)\n __asm__(\"\" : \"+r\"(a) : /* no inputs */);\n#endif\n return a;\n}\n\n// value_barrier_u64 behaves like |value_barrier_w| but takes a |uint64_t|.\nstatic inline uint64_t value_barrier_u64(uint64_t a) {\n#if defined(__GNUC__) || defined(__clang__)\n __asm__(\"\" : \"+r\"(a) : /* no inputs */);\n#endif\n return a;\n}\n\n// |value_barrier_u8| could be defined as above, but compilers other than\n// clang seem to still materialize 0x00..00MM instead of reusing 0x??..??MM.\n\n// constant_time_msb_w returns the given value with the MSB copied to all the\n// other bits.\nstatic inline crypto_word_t constant_time_msb_w(crypto_word_t a) {\n return 0u - (a >> (sizeof(a) * 8 - 1));\n}\n\n// constant_time_lt_w returns 0xff..f if a < b and 0 otherwise.\nstatic inline crypto_word_t constant_time_lt_w(crypto_word_t a,\n crypto_word_t b) {\n // Consider the two cases of the problem:\n // msb(a) == msb(b): a < b iff the MSB of a - b is set.\n // msb(a) != msb(b): a < b iff the MSB of b is set.\n //\n // If msb(a) == msb(b) then the following evaluates as:\n // msb(a^((a^b)|((a-b)^a))) ==\n // msb(a^((a-b) ^ a)) == (because msb(a^b) == 0)\n // msb(a^a^(a-b)) == (rearranging)\n // msb(a-b) (because ∀x. x^x == 0)\n //\n // Else, if msb(a) != msb(b) then the following evaluates as:\n // msb(a^((a^b)|((a-b)^a))) ==\n // msb(a^(𝟙 | ((a-b)^a))) == (because msb(a^b) == 1 and 𝟙\n // represents a value s.t. msb(𝟙) = 1)\n // msb(a^𝟙) == (because ORing with 1 results in 1)\n // msb(b)\n //\n //\n // Here is an SMT-LIB verification of this formula:\n //\n // (define-fun lt ((a (_ BitVec 32)) (b (_ BitVec 32))) (_ BitVec 32)\n // (bvxor a (bvor (bvxor a b) (bvxor (bvsub a b) a)))\n // )\n //\n // (declare-fun a () (_ BitVec 32))\n // (declare-fun b () (_ BitVec 32))\n //\n // (assert (not (= (= #x00000001 (bvlshr (lt a b) #x0000001f)) (bvult a b))))\n // (check-sat)\n // (get-model)\n return constant_time_msb_w(a ^ ((a ^ b) | ((a - b) ^ a)));\n}\n\n// constant_time_lt_8 acts like |constant_time_lt_w| but returns an 8-bit\n// mask.\nstatic inline uint8_t constant_time_lt_8(crypto_word_t a, crypto_word_t b) {\n return (uint8_t)(constant_time_lt_w(a, b));\n}\n\n// constant_time_ge_w returns 0xff..f if a >= b and 0 otherwise.\nstatic inline crypto_word_t constant_time_ge_w(crypto_word_t a,\n crypto_word_t b) {\n return ~constant_time_lt_w(a, b);\n}\n\n// constant_time_ge_8 acts like |constant_time_ge_w| but returns an 8-bit\n// mask.\nstatic inline uint8_t constant_time_ge_8(crypto_word_t a, crypto_word_t b) {\n return (uint8_t)(constant_time_ge_w(a, b));\n}\n\n// constant_time_is_zero returns 0xff..f if a == 0 and 0 otherwise.\nstatic inline crypto_word_t constant_time_is_zero_w(crypto_word_t a) {\n // Here is an SMT-LIB verification of this formula:\n //\n // (define-fun is_zero ((a (_ BitVec 32))) (_ BitVec 32)\n // (bvand (bvnot a) (bvsub a #x00000001))\n // )\n //\n // (declare-fun a () (_ BitVec 32))\n //\n // (assert (not (= (= #x00000001 (bvlshr (is_zero a) #x0000001f)) (= a\n // #x00000000)))) (check-sat) (get-model)\n return constant_time_msb_w(~a & (a - 1));\n}\n\n// constant_time_is_zero_8 acts like |constant_time_is_zero_w| but returns an\n// 8-bit mask.\nstatic inline uint8_t constant_time_is_zero_8(crypto_word_t a) {\n return (uint8_t)(constant_time_is_zero_w(a));\n}\n\n// constant_time_eq_w returns 0xff..f if a == b and 0 otherwise.\nstatic inline crypto_word_t constant_time_eq_w(crypto_word_t a,\n crypto_word_t b) {\n return constant_time_is_zero_w(a ^ b);\n}\n\n// constant_time_eq_8 acts like |constant_time_eq_w| but returns an 8-bit\n// mask.\nstatic inline uint8_t constant_time_eq_8(crypto_word_t a, crypto_word_t b) {\n return (uint8_t)(constant_time_eq_w(a, b));\n}\n\n// constant_time_eq_int acts like |constant_time_eq_w| but works on int\n// values.\nstatic inline crypto_word_t constant_time_eq_int(int a, int b) {\n return constant_time_eq_w((crypto_word_t)(a), (crypto_word_t)(b));\n}\n\n// constant_time_eq_int_8 acts like |constant_time_eq_int| but returns an 8-bit\n// mask.\nstatic inline uint8_t constant_time_eq_int_8(int a, int b) {\n return constant_time_eq_8((crypto_word_t)(a), (crypto_word_t)(b));\n}\n\n// constant_time_select_w returns (mask & a) | (~mask & b). When |mask| is all\n// 1s or all 0s (as returned by the methods above), the select methods return\n// either |a| (if |mask| is nonzero) or |b| (if |mask| is zero).\nstatic inline crypto_word_t constant_time_select_w(crypto_word_t mask,\n crypto_word_t a,\n crypto_word_t b) {\n // Clang recognizes this pattern as a select. While it usually transforms it\n // to a cmov, it sometimes further transforms it into a branch, which we do\n // not want.\n //\n // Hiding the value of the mask from the compiler evades this transformation.\n mask = value_barrier_w(mask);\n return (mask & a) | (~mask & b);\n}\n\n// constant_time_select_8 acts like |constant_time_select| but operates on\n// 8-bit values.\nstatic inline uint8_t constant_time_select_8(crypto_word_t mask, uint8_t a,\n uint8_t b) {\n // |mask| is a word instead of |uint8_t| to avoid materializing 0x000..0MM\n // Making both |mask| and its value barrier |uint8_t| would allow the compiler\n // to materialize 0x????..?MM instead, but only clang is that clever.\n // However, vectorization of bitwise operations seems to work better on\n // |uint8_t| than a mix of |uint64_t| and |uint8_t|, so |m| is cast to\n // |uint8_t| after the value barrier but before the bitwise operations.\n uint8_t m = value_barrier_w(mask);\n return (m & a) | (~m & b);\n}\n\n// constant_time_select_int acts like |constant_time_select| but operates on\n// ints.\nstatic inline int constant_time_select_int(crypto_word_t mask, int a, int b) {\n return (int)(constant_time_select_w(mask, (crypto_word_t)(a),\n (crypto_word_t)(b)));\n}\n\n// constant_time_conditional_memcpy copies |n| bytes from |src| to |dst| if\n// |mask| is 0xff..ff and does nothing if |mask| is 0. The |n|-byte memory\n// ranges at |dst| and |src| must not overlap, as when calling |memcpy|.\nstatic inline void constant_time_conditional_memcpy(void *dst, const void *src,\n const size_t n,\n const crypto_word_t mask) {\n assert(!buffers_alias(dst, n, src, n));\n uint8_t *out = (uint8_t *)dst;\n const uint8_t *in = (const uint8_t *)src;\n for (size_t i = 0; i < n; i++) {\n out[i] = constant_time_select_8(mask, in[i], out[i]);\n }\n}\n\n// constant_time_conditional_memxor xors |n| bytes from |src| to |dst| if\n// |mask| is 0xff..ff and does nothing if |mask| is 0. The |n|-byte memory\n// ranges at |dst| and |src| must not overlap, as when calling |memcpy|.\nstatic inline void constant_time_conditional_memxor(void *dst, const void *src,\n size_t n,\n const crypto_word_t mask) {\n assert(!buffers_alias(dst, n, src, n));\n uint8_t *out = (uint8_t *)dst;\n const uint8_t *in = (const uint8_t *)src;\n#if defined(__GNUC__) && !defined(__clang__)\n // gcc 13.2.0 doesn't automatically vectorize this loop regardless of barrier\n typedef uint8_t v32u8 __attribute__((vector_size(32), aligned(1), may_alias));\n size_t n_vec = n & ~(size_t)31;\n v32u8 masks = ((uint8_t)mask - (v32u8){}); // broadcast\n for (size_t i = 0; i < n_vec; i += 32) {\n *(v32u8 *)&out[i] ^= masks & *(v32u8 *)&in[i];\n }\n out += n_vec;\n n -= n_vec;\n#endif\n for (size_t i = 0; i < n; i++) {\n out[i] ^= value_barrier_w(mask) & in[i];\n }\n}\n\n#if defined(BORINGSSL_CONSTANT_TIME_VALIDATION)\n\n// CONSTTIME_SECRET takes a pointer and a number of bytes and marks that region\n// of memory as secret. Secret data is tracked as it flows to registers and\n// other parts of a memory. If secret data is used as a condition for a branch,\n// or as a memory index, it will trigger warnings in valgrind.\n#define CONSTTIME_SECRET(ptr, len) VALGRIND_MAKE_MEM_UNDEFINED(ptr, len)\n\n// CONSTTIME_DECLASSIFY takes a pointer and a number of bytes and marks that\n// region of memory as public. Public data is not subject to constant-time\n// rules.\n#define CONSTTIME_DECLASSIFY(ptr, len) VALGRIND_MAKE_MEM_DEFINED(ptr, len)\n\n#else\n\n#define CONSTTIME_SECRET(ptr, len)\n#define CONSTTIME_DECLASSIFY(ptr, len)\n\n#endif // BORINGSSL_CONSTANT_TIME_VALIDATION\n\nstatic inline crypto_word_t constant_time_declassify_w(crypto_word_t v) {\n // Return |v| through a value barrier to be safe. Valgrind-based constant-time\n // validation is partly to check the compiler has not undone any constant-time\n // work. Any place |BORINGSSL_CONSTANT_TIME_VALIDATION| influences\n // optimizations, this validation is inaccurate.\n //\n // However, by sending pointers through valgrind, we likely inhibit escape\n // analysis. On local variables, particularly booleans, we likely\n // significantly impact optimizations.\n //\n // Thus, to be safe, stick a value barrier, in hopes of comparably inhibiting\n // compiler analysis.\n CONSTTIME_DECLASSIFY(&v, sizeof(v));\n return value_barrier_w(v);\n}\n\nstatic inline int constant_time_declassify_int(int v) {\n static_assert(sizeof(uint32_t) == sizeof(int),\n \"int is not the same size as uint32_t\");\n // See comment above.\n CONSTTIME_DECLASSIFY(&v, sizeof(v));\n return value_barrier_u32(v);\n}\n\n// declassify_assert behaves like |assert| but declassifies the result of\n// evaluating |expr|. This allows the assertion to branch on the (presumably\n// public) result, but still ensures that values leading up to the computation\n// were secret.\n#define declassify_assert(expr) assert(constant_time_declassify_int(expr))\n\n\n// Thread-safe initialisation.\n\n#if !defined(OPENSSL_THREADS)\ntypedef uint32_t CRYPTO_once_t;\n#define CRYPTO_ONCE_INIT 0\n#elif defined(OPENSSL_WINDOWS_THREADS)\ntypedef INIT_ONCE CRYPTO_once_t;\n#define CRYPTO_ONCE_INIT INIT_ONCE_STATIC_INIT\n#elif defined(OPENSSL_PTHREADS)\ntypedef pthread_once_t CRYPTO_once_t;\n#define CRYPTO_ONCE_INIT PTHREAD_ONCE_INIT\n#else\n#error \"Unknown threading library\"\n#endif\n\n// CRYPTO_once calls |init| exactly once per process. This is thread-safe: if\n// concurrent threads call |CRYPTO_once| with the same |CRYPTO_once_t| argument\n// then they will block until |init| completes, but |init| will have only been\n// called once.\n//\n// The |once| argument must be a |CRYPTO_once_t| that has been initialised with\n// the value |CRYPTO_ONCE_INIT|.\nOPENSSL_EXPORT void CRYPTO_once(CRYPTO_once_t *once, void (*init)(void));\n\n\n// Atomics.\n//\n// The following functions provide an API analogous to from C11\n// and abstract between a few variations on atomics we need to support.\n\n#if defined(OPENSSL_THREADS)\n\nusing CRYPTO_atomic_u32 = std::atomic;\n\nstatic_assert(sizeof(CRYPTO_atomic_u32) == sizeof(uint32_t), \"\");\n\ninline uint32_t CRYPTO_atomic_load_u32(const CRYPTO_atomic_u32 *val) {\n return val->load(std::memory_order_seq_cst);\n}\n\ninline bool CRYPTO_atomic_compare_exchange_weak_u32(CRYPTO_atomic_u32 *val,\n uint32_t *expected,\n uint32_t desired) {\n return val->compare_exchange_weak(\n *expected, desired, std::memory_order_seq_cst, std::memory_order_seq_cst);\n}\n\ninline void CRYPTO_atomic_store_u32(CRYPTO_atomic_u32 *val, uint32_t desired) {\n val->store(desired, std::memory_order_seq_cst);\n}\n\n#else\n\ntypedef uint32_t CRYPTO_atomic_u32;\n\ninline uint32_t CRYPTO_atomic_load_u32(CRYPTO_atomic_u32 *val) { return *val; }\n\ninline int CRYPTO_atomic_compare_exchange_weak_u32(CRYPTO_atomic_u32 *val,\n uint32_t *expected,\n uint32_t desired) {\n if (*val != *expected) {\n *expected = *val;\n return 0;\n }\n *val = desired;\n return 1;\n}\n\ninline void CRYPTO_atomic_store_u32(CRYPTO_atomic_u32 *val, uint32_t desired) {\n *val = desired;\n}\n\n#endif\n\n// See the comment in the |__cplusplus| section above.\nstatic_assert(sizeof(CRYPTO_atomic_u32) == sizeof(uint32_t),\n \"CRYPTO_atomic_u32 does not match uint32_t size\");\nstatic_assert(alignof(CRYPTO_atomic_u32) == alignof(uint32_t),\n \"CRYPTO_atomic_u32 does not match uint32_t alignment\");\n\n\n// Reference counting.\n\n// CRYPTO_REFCOUNT_MAX is the value at which the reference count saturates.\n#define CRYPTO_REFCOUNT_MAX 0xffffffff\n\n// CRYPTO_refcount_inc atomically increments the value at |*count| unless the\n// value would overflow. It's safe for multiple threads to concurrently call\n// this or |CRYPTO_refcount_dec_and_test_zero| on the same\n// |CRYPTO_refcount_t|.\nOPENSSL_EXPORT void CRYPTO_refcount_inc(CRYPTO_refcount_t *count);\n\n// CRYPTO_refcount_dec_and_test_zero tests the value at |*count|:\n// if it's zero, it crashes the address space.\n// if it's the maximum value, it returns zero.\n// otherwise, it atomically decrements it and returns one iff the resulting\n// value is zero.\n//\n// It's safe for multiple threads to concurrently call this or\n// |CRYPTO_refcount_inc| on the same |CRYPTO_refcount_t|.\nOPENSSL_EXPORT int CRYPTO_refcount_dec_and_test_zero(CRYPTO_refcount_t *count);\n\n\n// Locks.\n\n#if !defined(OPENSSL_THREADS)\ntypedef struct crypto_mutex_st {\n char padding; // Empty structs have different sizes in C and C++.\n} CRYPTO_MUTEX;\n#define CRYPTO_MUTEX_INIT \\\n { 0 }\n#elif defined(OPENSSL_WINDOWS_THREADS)\ntypedef SRWLOCK CRYPTO_MUTEX;\n#define CRYPTO_MUTEX_INIT SRWLOCK_INIT\n#elif defined(OPENSSL_PTHREADS)\ntypedef pthread_rwlock_t CRYPTO_MUTEX;\n#define CRYPTO_MUTEX_INIT PTHREAD_RWLOCK_INITIALIZER\n#else\n#error \"Unknown threading library\"\n#endif\n\n// CRYPTO_MUTEX_init initialises |lock|. If |lock| is a static variable, use a\n// |CRYPTO_MUTEX_INIT|.\nOPENSSL_EXPORT void CRYPTO_MUTEX_init(CRYPTO_MUTEX *lock);\n\n// CRYPTO_MUTEX_lock_read locks |lock| such that other threads may also have a\n// read lock, but none may have a write lock.\nOPENSSL_EXPORT void CRYPTO_MUTEX_lock_read(CRYPTO_MUTEX *lock);\n\n// CRYPTO_MUTEX_lock_write locks |lock| such that no other thread has any type\n// of lock on it.\nOPENSSL_EXPORT void CRYPTO_MUTEX_lock_write(CRYPTO_MUTEX *lock);\n\n// CRYPTO_MUTEX_unlock_read unlocks |lock| for reading.\nOPENSSL_EXPORT void CRYPTO_MUTEX_unlock_read(CRYPTO_MUTEX *lock);\n\n// CRYPTO_MUTEX_unlock_write unlocks |lock| for writing.\nOPENSSL_EXPORT void CRYPTO_MUTEX_unlock_write(CRYPTO_MUTEX *lock);\n\n// CRYPTO_MUTEX_cleanup releases all resources held by |lock|.\nOPENSSL_EXPORT void CRYPTO_MUTEX_cleanup(CRYPTO_MUTEX *lock);\n\n#if defined(__cplusplus)\nextern \"C++\" {\n\nBSSL_NAMESPACE_BEGIN\n\nnamespace internal {\n\n// MutexLockBase is a RAII helper for CRYPTO_MUTEX locking.\ntemplate \nclass MutexLockBase {\n public:\n explicit MutexLockBase(CRYPTO_MUTEX *mu) : mu_(mu) {\n assert(mu_ != nullptr);\n LockFunc(mu_);\n }\n ~MutexLockBase() { ReleaseFunc(mu_); }\n MutexLockBase(const MutexLockBase &) = delete;\n MutexLockBase &operator=(const MutexLockBase &) =\n delete;\n\n private:\n CRYPTO_MUTEX *const mu_;\n};\n\n} // namespace internal\n\nusing MutexWriteLock =\n internal::MutexLockBase;\nusing MutexReadLock =\n internal::MutexLockBase;\n\nBSSL_NAMESPACE_END\n\n} // extern \"C++\"\n#endif // defined(__cplusplus)\n\n\n// Thread local storage.\n\n// thread_local_data_t enumerates the types of thread-local data that can be\n// stored.\ntypedef enum {\n OPENSSL_THREAD_LOCAL_ERR = 0,\n OPENSSL_THREAD_LOCAL_RAND,\n OPENSSL_THREAD_LOCAL_FIPS_COUNTERS,\n OPENSSL_THREAD_LOCAL_FIPS_SERVICE_INDICATOR_STATE,\n OPENSSL_THREAD_LOCAL_TEST,\n NUM_OPENSSL_THREAD_LOCALS,\n} thread_local_data_t;\n\n// thread_local_destructor_t is the type of a destructor function that will be\n// called when a thread exits and its thread-local storage needs to be freed.\ntypedef void (*thread_local_destructor_t)(void *);\n\n// CRYPTO_get_thread_local gets the pointer value that is stored for the\n// current thread for the given index, or NULL if none has been set.\nOPENSSL_EXPORT void *CRYPTO_get_thread_local(thread_local_data_t value);\n\n// CRYPTO_set_thread_local sets a pointer value for the current thread at the\n// given index. This function should only be called once per thread for a given\n// |index|: rather than update the pointer value itself, update the data that\n// is pointed to.\n//\n// The destructor function will be called when a thread exits to free this\n// thread-local data. All calls to |CRYPTO_set_thread_local| with the same\n// |index| should have the same |destructor| argument. The destructor may be\n// called with a NULL argument if a thread that never set a thread-local\n// pointer for |index|, exits. The destructor may be called concurrently with\n// different arguments.\n//\n// This function returns one on success or zero on error. If it returns zero\n// then |destructor| has been called with |value| already.\nOPENSSL_EXPORT int CRYPTO_set_thread_local(\n thread_local_data_t index, void *value,\n thread_local_destructor_t destructor);\n\n\n// ex_data\n\ntypedef struct crypto_ex_data_func_st CRYPTO_EX_DATA_FUNCS;\n\n// CRYPTO_EX_DATA_CLASS tracks the ex_indices registered for a type which\n// supports ex_data. It should defined as a static global within the module\n// which defines that type.\ntypedef struct {\n CRYPTO_MUTEX lock;\n // funcs is a linked list of |CRYPTO_EX_DATA_FUNCS| structures. It may be\n // traversed without serialization only up to |num_funcs|. last points to the\n // final entry of |funcs|, or NULL if empty.\n CRYPTO_EX_DATA_FUNCS *funcs, *last;\n // num_funcs is the number of entries in |funcs|.\n CRYPTO_atomic_u32 num_funcs;\n // num_reserved is one if the ex_data index zero is reserved for legacy\n // |TYPE_get_app_data| functions.\n uint8_t num_reserved;\n} CRYPTO_EX_DATA_CLASS;\n\n#define CRYPTO_EX_DATA_CLASS_INIT \\\n { CRYPTO_MUTEX_INIT, NULL, NULL, {}, 0 }\n#define CRYPTO_EX_DATA_CLASS_INIT_WITH_APP_DATA \\\n { CRYPTO_MUTEX_INIT, NULL, NULL, {}, 1 }\n\n// CRYPTO_get_ex_new_index_ex allocates a new index for |ex_data_class|. Each\n// class of object should provide a wrapper function that uses the correct\n// |CRYPTO_EX_DATA_CLASS|. It returns the new index on success and -1 on error.\nOPENSSL_EXPORT int CRYPTO_get_ex_new_index_ex(\n CRYPTO_EX_DATA_CLASS *ex_data_class, long argl, void *argp,\n CRYPTO_EX_free *free_func);\n\n// CRYPTO_set_ex_data sets an extra data pointer on a given object. Each class\n// of object should provide a wrapper function.\nOPENSSL_EXPORT int CRYPTO_set_ex_data(CRYPTO_EX_DATA *ad, int index, void *val);\n\n// CRYPTO_get_ex_data returns an extra data pointer for a given object, or NULL\n// if no such index exists. Each class of object should provide a wrapper\n// function.\nOPENSSL_EXPORT void *CRYPTO_get_ex_data(const CRYPTO_EX_DATA *ad, int index);\n\n// CRYPTO_new_ex_data initialises a newly allocated |CRYPTO_EX_DATA|.\nOPENSSL_EXPORT void CRYPTO_new_ex_data(CRYPTO_EX_DATA *ad);\n\n// CRYPTO_free_ex_data frees |ad|, which is embedded inside |obj|, which is an\n// object of the given class.\nOPENSSL_EXPORT void CRYPTO_free_ex_data(CRYPTO_EX_DATA_CLASS *ex_data_class,\n void *obj, CRYPTO_EX_DATA *ad);\n\n\n// Endianness conversions.\n\n#if defined(__GNUC__) && __GNUC__ >= 2\nstatic inline uint16_t CRYPTO_bswap2(uint16_t x) {\n return __builtin_bswap16(x);\n}\n\nstatic inline uint32_t CRYPTO_bswap4(uint32_t x) {\n return __builtin_bswap32(x);\n}\n\nstatic inline uint64_t CRYPTO_bswap8(uint64_t x) {\n return __builtin_bswap64(x);\n}\n#elif defined(_MSC_VER)\nOPENSSL_MSVC_PRAGMA(warning(push, 3))\n#include \nOPENSSL_MSVC_PRAGMA(warning(pop))\n#pragma intrinsic(_byteswap_uint64, _byteswap_ulong, _byteswap_ushort)\nstatic inline uint16_t CRYPTO_bswap2(uint16_t x) { return _byteswap_ushort(x); }\n\nstatic inline uint32_t CRYPTO_bswap4(uint32_t x) { return _byteswap_ulong(x); }\n\nstatic inline uint64_t CRYPTO_bswap8(uint64_t x) { return _byteswap_uint64(x); }\n#else\nstatic inline uint16_t CRYPTO_bswap2(uint16_t x) { return (x >> 8) | (x << 8); }\n\nstatic inline uint32_t CRYPTO_bswap4(uint32_t x) {\n x = (x >> 16) | (x << 16);\n x = ((x & 0xff00ff00) >> 8) | ((x & 0x00ff00ff) << 8);\n return x;\n}\n\nstatic inline uint64_t CRYPTO_bswap8(uint64_t x) {\n return CRYPTO_bswap4(x >> 32) | (((uint64_t)CRYPTO_bswap4(x)) << 32);\n}\n#endif\n\n\n// Language bug workarounds.\n//\n// Most C standard library functions are undefined if passed NULL, even when the\n// corresponding length is zero. This gives them (and, in turn, all functions\n// which call them) surprising behavior on empty arrays. Some compilers will\n// miscompile code due to this rule. See also\n// https://www.imperialviolet.org/2016/06/26/nonnull.html\n//\n// These wrapper functions behave the same as the corresponding C standard\n// functions, but behave as expected when passed NULL if the length is zero.\n//\n// Note |OPENSSL_memcmp| is a different function from |CRYPTO_memcmp|.\n\n// C++ defines |memchr| as a const-correct overload.\n#if defined(__cplusplus)\nextern \"C++\" {\n\nstatic inline const void *OPENSSL_memchr(const void *s, int c, size_t n) {\n if (n == 0) {\n return NULL;\n }\n\n return memchr(s, c, n);\n}\n\nstatic inline void *OPENSSL_memchr(void *s, int c, size_t n) {\n if (n == 0) {\n return NULL;\n }\n\n return memchr(s, c, n);\n}\n\n} // extern \"C++\"\n#else // __cplusplus\n\nstatic inline void *OPENSSL_memchr(const void *s, int c, size_t n) {\n if (n == 0) {\n return NULL;\n }\n\n return memchr(s, c, n);\n}\n\n#endif // __cplusplus\n\nstatic inline int OPENSSL_memcmp(const void *s1, const void *s2, size_t n) {\n if (n == 0) {\n return 0;\n }\n\n return memcmp(s1, s2, n);\n}\n\nstatic inline void *OPENSSL_memcpy(void *dst, const void *src, size_t n) {\n if (n == 0) {\n return dst;\n }\n\n return memcpy(dst, src, n);\n}\n\nstatic inline void *OPENSSL_memmove(void *dst, const void *src, size_t n) {\n if (n == 0) {\n return dst;\n }\n\n return memmove(dst, src, n);\n}\n\nstatic inline void *OPENSSL_memset(void *dst, int c, size_t n) {\n if (n == 0) {\n return dst;\n }\n\n return memset(dst, c, n);\n}\n\n\n// Loads and stores.\n//\n// The following functions load and store sized integers with the specified\n// endianness. They use |memcpy|, and so avoid alignment or strict aliasing\n// requirements on the input and output pointers.\n\nstatic inline uint16_t CRYPTO_load_u16_be(const void *in) {\n uint16_t v;\n OPENSSL_memcpy(&v, in, sizeof(v));\n return CRYPTO_bswap2(v);\n}\n\nstatic inline void CRYPTO_store_u16_be(void *out, uint16_t v) {\n v = CRYPTO_bswap2(v);\n OPENSSL_memcpy(out, &v, sizeof(v));\n}\n\nstatic inline uint32_t CRYPTO_load_u32_le(const void *in) {\n uint32_t v;\n OPENSSL_memcpy(&v, in, sizeof(v));\n return v;\n}\n\nstatic inline void CRYPTO_store_u32_le(void *out, uint32_t v) {\n OPENSSL_memcpy(out, &v, sizeof(v));\n}\n\nstatic inline uint32_t CRYPTO_load_u32_be(const void *in) {\n uint32_t v;\n OPENSSL_memcpy(&v, in, sizeof(v));\n return CRYPTO_bswap4(v);\n}\n\nstatic inline void CRYPTO_store_u32_be(void *out, uint32_t v) {\n v = CRYPTO_bswap4(v);\n OPENSSL_memcpy(out, &v, sizeof(v));\n}\n\nstatic inline uint64_t CRYPTO_load_u64_le(const void *in) {\n uint64_t v;\n OPENSSL_memcpy(&v, in, sizeof(v));\n return v;\n}\n\nstatic inline void CRYPTO_store_u64_le(void *out, uint64_t v) {\n OPENSSL_memcpy(out, &v, sizeof(v));\n}\n\nstatic inline uint64_t CRYPTO_load_u64_be(const void *ptr) {\n uint64_t ret;\n OPENSSL_memcpy(&ret, ptr, sizeof(ret));\n return CRYPTO_bswap8(ret);\n}\n\nstatic inline void CRYPTO_store_u64_be(void *out, uint64_t v) {\n v = CRYPTO_bswap8(v);\n OPENSSL_memcpy(out, &v, sizeof(v));\n}\n\nstatic inline crypto_word_t CRYPTO_load_word_le(const void *in) {\n crypto_word_t v;\n OPENSSL_memcpy(&v, in, sizeof(v));\n return v;\n}\n\nstatic inline void CRYPTO_store_word_le(void *out, crypto_word_t v) {\n OPENSSL_memcpy(out, &v, sizeof(v));\n}\n\nstatic inline crypto_word_t CRYPTO_load_word_be(const void *in) {\n crypto_word_t v;\n OPENSSL_memcpy(&v, in, sizeof(v));\n#if defined(OPENSSL_64_BIT)\n static_assert(sizeof(v) == 8, \"crypto_word_t has unexpected size\");\n return CRYPTO_bswap8(v);\n#else\n static_assert(sizeof(v) == 4, \"crypto_word_t has unexpected size\");\n return CRYPTO_bswap4(v);\n#endif\n}\n\n\n// Bit rotation functions.\n//\n// Note these functions use |(-shift) & 31|, etc., because shifting by the bit\n// width is undefined. Both Clang and GCC recognize this pattern as a rotation,\n// but MSVC does not. Instead, we call MSVC's built-in functions.\n\nstatic inline uint32_t CRYPTO_rotl_u32(uint32_t value, int shift) {\n#if defined(_MSC_VER)\n return _rotl(value, shift);\n#else\n return (value << shift) | (value >> ((-shift) & 31));\n#endif\n}\n\nstatic inline uint32_t CRYPTO_rotr_u32(uint32_t value, int shift) {\n#if defined(_MSC_VER)\n return _rotr(value, shift);\n#else\n return (value >> shift) | (value << ((-shift) & 31));\n#endif\n}\n\nstatic inline uint64_t CRYPTO_rotl_u64(uint64_t value, int shift) {\n#if defined(_MSC_VER)\n return _rotl64(value, shift);\n#else\n return (value << shift) | (value >> ((-shift) & 63));\n#endif\n}\n\nstatic inline uint64_t CRYPTO_rotr_u64(uint64_t value, int shift) {\n#if defined(_MSC_VER)\n return _rotr64(value, shift);\n#else\n return (value >> shift) | (value << ((-shift) & 63));\n#endif\n}\n\n\n// FIPS functions.\n\n#if defined(BORINGSSL_FIPS)\n\n// BORINGSSL_FIPS_abort is called when a FIPS power-on or continuous test\n// fails. It prevents any further cryptographic operations by the current\n// process.\nvoid BORINGSSL_FIPS_abort(void) __attribute__((noreturn));\n\n// boringssl_self_test_startup runs all startup self tests and returns one on\n// success or zero on error. Startup self tests do not include lazy tests.\n// Call |BORINGSSL_self_test| to run every self test.\nint boringssl_self_test_startup(void);\n\n// boringssl_ensure_rsa_self_test checks whether the RSA self-test has been run\n// in this address space. If not, it runs it and crashes the address space if\n// unsuccessful.\nvoid boringssl_ensure_rsa_self_test(void);\n\n// boringssl_ensure_ecc_self_test checks whether the ECDSA and ECDH self-test\n// has been run in this address space. If not, it runs it and crashes the\n// address space if unsuccessful.\nvoid boringssl_ensure_ecc_self_test(void);\n\n// boringssl_ensure_ffdh_self_test checks whether the FFDH self-test has been\n// run in this address space. If not, it runs it and crashes the address space\n// if unsuccessful.\nvoid boringssl_ensure_ffdh_self_test(void);\n\n#else\n\n// Outside of FIPS mode, the lazy tests are no-ops.\n\ninline void boringssl_ensure_rsa_self_test(void) {}\ninline void boringssl_ensure_ecc_self_test(void) {}\ninline void boringssl_ensure_ffdh_self_test(void) {}\n\n#endif // FIPS\n\n// boringssl_self_test_sha256 performs a SHA-256 KAT.\nint boringssl_self_test_sha256(void);\n\n// boringssl_self_test_sha512 performs a SHA-512 KAT.\nint boringssl_self_test_sha512(void);\n\n// boringssl_self_test_hmac_sha256 performs an HMAC-SHA-256 KAT.\nint boringssl_self_test_hmac_sha256(void);\n\n#if defined(BORINGSSL_FIPS_COUNTERS)\nvoid boringssl_fips_inc_counter(enum fips_counter_t counter);\n#else\ninline void boringssl_fips_inc_counter(enum fips_counter_t counter) {}\n#endif\n\n#if defined(BORINGSSL_FIPS_BREAK_TESTS)\ninline int boringssl_fips_break_test(const char *test) {\n const char *const value = getenv(\"BORINGSSL_FIPS_BREAK_TEST\");\n return value != NULL && strcmp(value, test) == 0;\n}\n#else\ninline int boringssl_fips_break_test(const char *test) { return 0; }\n#endif // BORINGSSL_FIPS_BREAK_TESTS\n\n\n// Runtime CPU feature support\n\n#if defined(OPENSSL_X86) || defined(OPENSSL_X86_64)\n// OPENSSL_ia32cap_P contains the Intel CPUID bits when running on an x86 or\n// x86-64 system.\n//\n// Index 0:\n// EDX for CPUID where EAX = 1\n// Bit 20 is always zero\n// Bit 28 is adjusted to reflect whether the data cache is shared between\n// multiple logical cores\n// Bit 30 is used to indicate an Intel CPU\n// Index 1:\n// ECX for CPUID where EAX = 1\n// Bit 11 is used to indicate AMD XOP support, not SDBG\n// Index 2:\n// EBX for CPUID where EAX = 7, ECX = 0\n// Bit 14 (for removed feature MPX) is used to indicate a preference for ymm\n// registers over zmm even when zmm registers are supported\n// Index 3:\n// ECX for CPUID where EAX = 7, ECX = 0\n//\n// Note: the CPUID bits are pre-adjusted for the OSXSAVE bit and the XMM, YMM,\n// and AVX512 bits in XCR0, so it is not necessary to check those. (WARNING: See\n// caveats in cpu_intel.c.)\n//\n// From C, this symbol should only be accessed with |OPENSSL_get_ia32cap|.\nextern uint32_t OPENSSL_ia32cap_P[4];\n\n// OPENSSL_get_ia32cap initializes the library if needed and returns the |idx|th\n// entry of |OPENSSL_ia32cap_P|. It is marked as a const function so duplicate\n// calls can be merged by the compiler, at least when indices match.\nOPENSSL_ATTR_CONST uint32_t OPENSSL_get_ia32cap(int idx);\n\n// See Intel manual, volume 2A, table 3-11.\n\ninline int CRYPTO_is_FXSR_capable(void) {\n#if defined(__FXSR__)\n return 1;\n#else\n return (OPENSSL_get_ia32cap(0) & (1u << 24)) != 0;\n#endif\n}\n\ninline int CRYPTO_is_intel_cpu(void) {\n // The reserved bit 30 is used to indicate an Intel CPU.\n return (OPENSSL_get_ia32cap(0) & (1u << 30)) != 0;\n}\n\n// See Intel manual, volume 2A, table 3-10.\n\ninline int CRYPTO_is_PCLMUL_capable(void) {\n#if defined(__PCLMUL__)\n return 1;\n#else\n return (OPENSSL_get_ia32cap(1) & (1u << 1)) != 0;\n#endif\n}\n\ninline int CRYPTO_is_SSSE3_capable(void) {\n#if defined(__SSSE3__)\n return 1;\n#else\n return (OPENSSL_get_ia32cap(1) & (1u << 9)) != 0;\n#endif\n}\n\ninline int CRYPTO_is_SSE4_1_capable(void) {\n#if defined(__SSE4_1__)\n return 1;\n#else\n return (OPENSSL_get_ia32cap(1) & (1u << 19)) != 0;\n#endif\n}\n\ninline int CRYPTO_is_MOVBE_capable(void) {\n#if defined(__MOVBE__)\n return 1;\n#else\n return (OPENSSL_get_ia32cap(1) & (1u << 22)) != 0;\n#endif\n}\n\ninline int CRYPTO_is_AESNI_capable(void) {\n#if defined(__AES__)\n return 1;\n#else\n return (OPENSSL_get_ia32cap(1) & (1u << 25)) != 0;\n#endif\n}\n\n// We intentionally avoid defining a |CRYPTO_is_XSAVE_capable| function. See\n// |CRYPTO_cpu_perf_is_like_silvermont|.\n\ninline int CRYPTO_is_AVX_capable(void) {\n#if defined(__AVX__)\n return 1;\n#else\n return (OPENSSL_get_ia32cap(1) & (1u << 28)) != 0;\n#endif\n}\n\ninline int CRYPTO_is_RDRAND_capable(void) {\n // We intentionally do not check |__RDRND__| here. On some AMD processors, we\n // will act as if the hardware is RDRAND-incapable, even it actually supports\n // it. See cpu_intel.c.\n return (OPENSSL_get_ia32cap(1) & (1u << 30)) != 0;\n}\n\n// See Intel manual, volume 2A, table 3-8.\n\ninline int CRYPTO_is_BMI1_capable(void) {\n#if defined(__BMI__)\n return 1;\n#else\n return (OPENSSL_get_ia32cap(2) & (1u << 3)) != 0;\n#endif\n}\n\ninline int CRYPTO_is_AVX2_capable(void) {\n#if defined(__AVX2__)\n return 1;\n#else\n return (OPENSSL_get_ia32cap(2) & (1u << 5)) != 0;\n#endif\n}\n\ninline int CRYPTO_is_BMI2_capable(void) {\n#if defined(__BMI2__)\n return 1;\n#else\n return (OPENSSL_get_ia32cap(2) & (1u << 8)) != 0;\n#endif\n}\n\ninline int CRYPTO_is_ADX_capable(void) {\n#if defined(__ADX__)\n return 1;\n#else\n return (OPENSSL_get_ia32cap(2) & (1u << 19)) != 0;\n#endif\n}\n\n// SHA-1 and SHA-256 are defined as a single extension.\ninline int CRYPTO_is_x86_SHA_capable(void) {\n // We should check __SHA__ here, but for now we ignore it. We've run into a\n // few places where projects build with -march=goldmont, but need a build that\n // does not require SHA extensions:\n //\n // - Some CrOS toolchain definitions are incorrect and build with\n // -march=goldmont when targetting boards that are not Goldmont. b/320482539\n // tracks fixing this.\n //\n // - Sometimes projects build with -march=goldmont as a rough optimized\n // baseline. However, Intel CPU capabilities are not strictly linear, so\n // this does not quite work. Some combination of -mtune and\n // -march=x86-64-v{1,2,3,4} would be a better strategy here.\n //\n // - QEMU versions before 8.2 do not support SHA extensions and disable it\n // with a warning. Projects that target Goldmont and test on QEMU will\n // break. The long-term fix is to update to 8.2. A principled short-term fix\n // would be -march=goldmont -mno-sha, to reflect that the binary needs to\n // run on both QEMU-8.1-Goldmont and actual-Goldmont.\n //\n // TODO(b/320482539): Once the CrOS toolchain is fixed, try this again.\n return (OPENSSL_get_ia32cap(2) & (1u << 29)) != 0;\n}\n\n// CRYPTO_cpu_perf_is_like_silvermont returns one if, based on a heuristic, the\n// CPU has Silvermont-like performance characteristics. It is often faster to\n// run different codepaths on these CPUs than the available instructions would\n// otherwise select. See chacha-x86_64.pl.\n//\n// Bonnell, Silvermont's predecessor in the Atom lineup, will also be matched by\n// this. Goldmont (Silvermont's successor in the Atom lineup) added XSAVE so it\n// isn't matched by this. Various sources indicate AMD first implemented MOVBE\n// and XSAVE at the same time in Jaguar, so it seems like AMD chips will not be\n// matched by this. That seems to be the case for other x86(-64) CPUs.\ninline int CRYPTO_cpu_perf_is_like_silvermont(void) {\n // WARNING: This MUST NOT be used to guard the execution of the XSAVE\n // instruction. This is the \"hardware supports XSAVE\" bit, not the OSXSAVE bit\n // that indicates whether we can safely execute XSAVE. This bit may be set\n // even when XSAVE is disabled (by the operating system). See how the users of\n // this bit use it.\n //\n // Historically, the XSAVE bit was artificially cleared on Knights Landing\n // and Knights Mill chips, but as Intel has removed all support from GCC,\n // LLVM, and SDE, we assume they are no longer worth special-casing.\n int hardware_supports_xsave = (OPENSSL_get_ia32cap(1) & (1u << 26)) != 0;\n return !hardware_supports_xsave && CRYPTO_is_MOVBE_capable();\n}\n\ninline int CRYPTO_is_AVX512BW_capable(void) {\n#if defined(__AVX512BW__)\n return 1;\n#else\n return (OPENSSL_get_ia32cap(2) & (1u << 30)) != 0;\n#endif\n}\n\ninline int CRYPTO_is_AVX512VL_capable(void) {\n#if defined(__AVX512VL__)\n return 1;\n#else\n return (OPENSSL_get_ia32cap(2) & (1u << 31)) != 0;\n#endif\n}\n\n// CRYPTO_cpu_avoid_zmm_registers returns 1 if zmm registers (512-bit vectors)\n// should not be used even if the CPU supports them.\n//\n// Note that this reuses the bit for the removed MPX feature.\ninline int CRYPTO_cpu_avoid_zmm_registers(void) {\n return (OPENSSL_get_ia32cap(2) & (1u << 14)) != 0;\n}\n\ninline int CRYPTO_is_VAES_capable(void) {\n#if defined(__VAES__)\n return 1;\n#else\n return (OPENSSL_get_ia32cap(3) & (1u << 9)) != 0;\n#endif\n}\n\ninline int CRYPTO_is_VPCLMULQDQ_capable(void) {\n#if defined(__VPCLMULQDQ__)\n return 1;\n#else\n return (OPENSSL_get_ia32cap(3) & (1u << 10)) != 0;\n#endif\n}\n\n#endif // OPENSSL_X86 || OPENSSL_X86_64\n\n#if defined(OPENSSL_ARM) || defined(OPENSSL_AARCH64)\n\n// OPENSSL_armcap_P contains ARM CPU capabilities. From C, this should only be\n// accessed with |OPENSSL_get_armcap|.\nextern uint32_t OPENSSL_armcap_P;\n\n// OPENSSL_get_armcap initializes the library if needed and returns ARM CPU\n// capabilities. It is marked as a const function so duplicate calls can be\n// merged by the compiler.\nOPENSSL_ATTR_CONST uint32_t OPENSSL_get_armcap(void);\n\n// Normalize some older feature flags to their modern ACLE values.\n// https://developer.arm.com/architectures/system-architectures/software-standards/acle\n#if defined(__ARM_NEON__) && !defined(__ARM_NEON)\n#define __ARM_NEON 1\n#endif\n#if defined(__ARM_FEATURE_CRYPTO)\n#if !defined(__ARM_FEATURE_AES)\n#define __ARM_FEATURE_AES 1\n#endif\n#if !defined(__ARM_FEATURE_SHA2)\n#define __ARM_FEATURE_SHA2 1\n#endif\n#endif\n\n// CRYPTO_is_NEON_capable returns true if the current CPU has a NEON unit. If\n// this is known statically, it is a constant inline function.\ninline int CRYPTO_is_NEON_capable(void) {\n#if defined(OPENSSL_STATIC_ARMCAP_NEON) || defined(__ARM_NEON)\n return 1;\n#elif defined(OPENSSL_STATIC_ARMCAP)\n return 0;\n#else\n return (OPENSSL_get_armcap() & ARMV7_NEON) != 0;\n#endif\n}\n\ninline int CRYPTO_is_ARMv8_AES_capable(void) {\n#if defined(OPENSSL_STATIC_ARMCAP_AES) || defined(__ARM_FEATURE_AES)\n return 1;\n#elif defined(OPENSSL_STATIC_ARMCAP)\n return 0;\n#else\n return (OPENSSL_get_armcap() & ARMV8_AES) != 0;\n#endif\n}\n\ninline int CRYPTO_is_ARMv8_PMULL_capable(void) {\n#if defined(OPENSSL_STATIC_ARMCAP_PMULL) || defined(__ARM_FEATURE_AES)\n return 1;\n#elif defined(OPENSSL_STATIC_ARMCAP)\n return 0;\n#else\n return (OPENSSL_get_armcap() & ARMV8_PMULL) != 0;\n#endif\n}\n\ninline int CRYPTO_is_ARMv8_SHA1_capable(void) {\n // SHA-1 and SHA-2 (only) share |__ARM_FEATURE_SHA2| but otherwise\n // are dealt with independently.\n#if defined(OPENSSL_STATIC_ARMCAP_SHA1) || defined(__ARM_FEATURE_SHA2)\n return 1;\n#elif defined(OPENSSL_STATIC_ARMCAP)\n return 0;\n#else\n return (OPENSSL_get_armcap() & ARMV8_SHA1) != 0;\n#endif\n}\n\ninline int CRYPTO_is_ARMv8_SHA256_capable(void) {\n // SHA-1 and SHA-2 (only) share |__ARM_FEATURE_SHA2| but otherwise\n // are dealt with independently.\n#if defined(OPENSSL_STATIC_ARMCAP_SHA256) || defined(__ARM_FEATURE_SHA2)\n return 1;\n#elif defined(OPENSSL_STATIC_ARMCAP)\n return 0;\n#else\n return (OPENSSL_get_armcap() & ARMV8_SHA256) != 0;\n#endif\n}\n\ninline int CRYPTO_is_ARMv8_SHA512_capable(void) {\n // There is no |OPENSSL_STATIC_ARMCAP_SHA512|.\n#if defined(__ARM_FEATURE_SHA512)\n return 1;\n#elif defined(OPENSSL_STATIC_ARMCAP)\n return 0;\n#else\n return (OPENSSL_get_armcap() & ARMV8_SHA512) != 0;\n#endif\n}\n\n#endif // OPENSSL_ARM || OPENSSL_AARCH64\n\n#if defined(BORINGSSL_DISPATCH_TEST)\n// Runtime CPU dispatch testing support\n\n// BORINGSSL_function_hit is an array of flags. The following functions will\n// set these flags if BORINGSSL_DISPATCH_TEST is defined.\n// 0: aes_hw_ctr32_encrypt_blocks\n// 1: aes_hw_encrypt\n// 2: aesni_gcm_encrypt\n// 3: aes_hw_set_encrypt_key\n// 4: vpaes_encrypt\n// 5: vpaes_set_encrypt_key\n// 6: aes_gcm_enc_update_vaes_avx10_256 [reserved]\n// 7: aes_gcm_enc_update_vaes_avx10_512\n// 8: aes_gcm_enc_update_vaes_avx2\nextern uint8_t BORINGSSL_function_hit[9];\n#endif // BORINGSSL_DISPATCH_TEST\n\n// OPENSSL_vasprintf_internal is just like |vasprintf(3)|. If |system_malloc| is\n// 0, memory will be allocated with |OPENSSL_malloc| and must be freed with\n// |OPENSSL_free|. Otherwise the system |malloc| function is used and the memory\n// must be freed with the system |free| function.\nOPENSSL_EXPORT int OPENSSL_vasprintf_internal(char **str, const char *format,\n va_list args, int system_malloc)\n OPENSSL_PRINTF_FORMAT_FUNC(2, 0);\n\n#if defined(__cplusplus)\n} // extern C\n#endif\n\n// Arithmetic functions.\n\n// CRYPTO_addc_* returns |x + y + carry|, and sets |*out_carry| to the carry\n// bit. |carry| must be zero or one.\n#if OPENSSL_HAS_BUILTIN(__builtin_addc)\n\ninline unsigned int CRYPTO_addc_impl(unsigned int x, unsigned int y,\n unsigned int carry,\n unsigned int *out_carry) {\n return __builtin_addc(x, y, carry, out_carry);\n}\n\ninline unsigned long CRYPTO_addc_impl(unsigned long x, unsigned long y,\n unsigned long carry,\n unsigned long *out_carry) {\n return __builtin_addcl(x, y, carry, out_carry);\n}\n\ninline unsigned long long CRYPTO_addc_impl(unsigned long long x,\n unsigned long long y,\n unsigned long long carry,\n unsigned long long *out_carry) {\n return __builtin_addcll(x, y, carry, out_carry);\n}\n\ninline uint32_t CRYPTO_addc_u32(uint32_t x, uint32_t y, uint32_t carry,\n uint32_t *out_carry) {\n return CRYPTO_addc_impl(x, y, carry, out_carry);\n}\n\ninline uint64_t CRYPTO_addc_u64(uint64_t x, uint64_t y, uint64_t carry,\n uint64_t *out_carry) {\n return CRYPTO_addc_impl(x, y, carry, out_carry);\n}\n\n#else\n\nstatic inline uint32_t CRYPTO_addc_u32(uint32_t x, uint32_t y, uint32_t carry,\n uint32_t *out_carry) {\n declassify_assert(carry <= 1);\n uint64_t ret = carry;\n ret += (uint64_t)x + y;\n *out_carry = (uint32_t)(ret >> 32);\n return (uint32_t)ret;\n}\n\nstatic inline uint64_t CRYPTO_addc_u64(uint64_t x, uint64_t y, uint64_t carry,\n uint64_t *out_carry) {\n declassify_assert(carry <= 1);\n#if defined(BORINGSSL_HAS_UINT128)\n uint128_t ret = carry;\n ret += (uint128_t)x + y;\n *out_carry = (uint64_t)(ret >> 64);\n return (uint64_t)ret;\n#else\n x += carry;\n carry = x < carry;\n uint64_t ret = x + y;\n carry += ret < x;\n *out_carry = carry;\n return ret;\n#endif\n}\n#endif\n\n\n// CRYPTO_subc_* returns |x - y - borrow|, and sets |*out_borrow| to the borrow\n// bit. |borrow| must be zero or one.\n#if OPENSSL_HAS_BUILTIN(__builtin_subc)\n\ninline unsigned int CRYPTO_subc_impl(unsigned int x, unsigned int y,\n unsigned int borrow,\n unsigned int *out_borrow) {\n return __builtin_subc(x, y, borrow, out_borrow);\n}\n\ninline unsigned long CRYPTO_subc_impl(unsigned long x, unsigned long y,\n unsigned long borrow,\n unsigned long *out_borrow) {\n return __builtin_subcl(x, y, borrow, out_borrow);\n}\n\ninline unsigned long long CRYPTO_subc_impl(unsigned long long x,\n unsigned long long y,\n unsigned long long borrow,\n unsigned long long *out_borrow) {\n return __builtin_subcll(x, y, borrow, out_borrow);\n}\n\ninline uint32_t CRYPTO_subc_u32(uint32_t x, uint32_t y, uint32_t borrow,\n uint32_t *out_borrow) {\n return CRYPTO_subc_impl(x, y, borrow, out_borrow);\n}\n\ninline uint64_t CRYPTO_subc_u64(uint64_t x, uint64_t y, uint64_t borrow,\n uint64_t *out_borrow) {\n return CRYPTO_subc_impl(x, y, borrow, out_borrow);\n}\n\n#else\n\nstatic inline uint32_t CRYPTO_subc_u32(uint32_t x, uint32_t y, uint32_t borrow,\n uint32_t *out_borrow) {\n declassify_assert(borrow <= 1);\n uint32_t ret = x - y - borrow;\n *out_borrow = (x < y) | ((x == y) & borrow);\n return ret;\n}\n\nstatic inline uint64_t CRYPTO_subc_u64(uint64_t x, uint64_t y, uint64_t borrow,\n uint64_t *out_borrow) {\n declassify_assert(borrow <= 1);\n uint64_t ret = x - y - borrow;\n *out_borrow = (x < y) | ((x == y) & borrow);\n return ret;\n}\n#endif\n\n#if defined(OPENSSL_64_BIT)\n#define CRYPTO_addc_w CRYPTO_addc_u64\n#define CRYPTO_subc_w CRYPTO_subc_u64\n#else\n#define CRYPTO_addc_w CRYPTO_addc_u32\n#define CRYPTO_subc_w CRYPTO_subc_u32\n#endif\n\n\n#endif // OPENSSL_HEADER_CRYPTO_INTERNAL_H\n" }, { "path": "Sources/CNIOBoringSSL/crypto/kyber/internal.h", "content": "/* Copyright 2023 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n#ifndef OPENSSL_HEADER_CRYPTO_KYBER_INTERNAL_H\n#define OPENSSL_HEADER_CRYPTO_KYBER_INTERNAL_H\n\n#include \n#include \n\n#if defined(__cplusplus)\nextern \"C\" {\n#endif\n\n\n// KYBER_ENCAP_ENTROPY is the number of bytes of uniformly random entropy\n// necessary to encapsulate a secret. The entropy will be leaked to the\n// decapsulating party.\n#define KYBER_ENCAP_ENTROPY 32\n\n// KYBER_GENERATE_KEY_ENTROPY is the number of bytes of uniformly random entropy\n// necessary to generate a key.\n#define KYBER_GENERATE_KEY_ENTROPY 64\n\n// KYBER_generate_key_external_entropy is a deterministic function to create a\n// pair of Kyber768 keys, using the supplied entropy. The entropy needs to be\n// uniformly random generated. This function is should only be used for tests,\n// regular callers should use the non-deterministic |KYBER_generate_key|\n// directly.\nOPENSSL_EXPORT void KYBER_generate_key_external_entropy(\n uint8_t out_encoded_public_key[KYBER_PUBLIC_KEY_BYTES],\n struct KYBER_private_key *out_private_key,\n const uint8_t entropy[KYBER_GENERATE_KEY_ENTROPY]);\n\n// KYBER_encap_external_entropy behaves like |KYBER_encap|, but uses\n// |KYBER_ENCAP_ENTROPY| bytes of |entropy| for randomization. The decapsulating\n// side will be able to recover |entropy| in full. This function should only be\n// used for tests, regular callers should use the non-deterministic\n// |KYBER_encap| directly.\nOPENSSL_EXPORT void KYBER_encap_external_entropy(\n uint8_t out_ciphertext[KYBER_CIPHERTEXT_BYTES],\n uint8_t out_shared_secret[KYBER_SHARED_SECRET_BYTES],\n const struct KYBER_public_key *public_key,\n const uint8_t entropy[KYBER_ENCAP_ENTROPY]);\n\n#if defined(__cplusplus)\n}\n#endif\n\n#endif // OPENSSL_HEADER_CRYPTO_KYBER_INTERNAL_H\n" }, { "path": "Sources/CNIOBoringSSL/crypto/kyber/kyber.cc", "content": "/* Copyright 2023 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n#define OPENSSL_UNSTABLE_EXPERIMENTAL_KYBER\n#include \n\n#include \n#include \n\n#include \n#include \n\n#include \"../fipsmodule/keccak/internal.h\"\n#include \"../internal.h\"\n#include \"./internal.h\"\n\n\n// See\n// https://pq-crystals.org/kyber/data/kyber-specification-round3-20210804.pdf\n\nstatic void prf(uint8_t *out, size_t out_len, const uint8_t in[33]) {\n BORINGSSL_keccak(out, out_len, in, 33, boringssl_shake256);\n}\n\nstatic void hash_h(uint8_t out[32], const uint8_t *in, size_t len) {\n BORINGSSL_keccak(out, 32, in, len, boringssl_sha3_256);\n}\n\nstatic void hash_g(uint8_t out[64], const uint8_t *in, size_t len) {\n BORINGSSL_keccak(out, 64, in, len, boringssl_sha3_512);\n}\n\nstatic void kdf(uint8_t *out, size_t out_len, const uint8_t *in, size_t len) {\n BORINGSSL_keccak(out, out_len, in, len, boringssl_shake256);\n}\n\n#define DEGREE 256\n#define RANK 3\n\nstatic const size_t kBarrettMultiplier = 5039;\nstatic const unsigned kBarrettShift = 24;\nstatic const uint16_t kPrime = 3329;\nstatic const int kLog2Prime = 12;\nstatic const uint16_t kHalfPrime = (/*kPrime=*/3329 - 1) / 2;\nstatic const int kDU = 10;\nstatic const int kDV = 4;\n// kInverseDegree is 128^-1 mod 3329; 128 because kPrime does not have a 512th\n// root of unity.\nstatic const uint16_t kInverseDegree = 3303;\nstatic const size_t kEncodedVectorSize =\n (/*kLog2Prime=*/12 * DEGREE / 8) * RANK;\nstatic const size_t kCompressedVectorSize = /*kDU=*/10 * RANK * DEGREE / 8;\n\ntypedef struct scalar {\n // On every function entry and exit, 0 <= c < kPrime.\n uint16_t c[DEGREE];\n} scalar;\n\ntypedef struct vector {\n scalar v[RANK];\n} vector;\n\ntypedef struct matrix {\n scalar v[RANK][RANK];\n} matrix;\n\n// This bit of Python will be referenced in some of the following comments:\n//\n// p = 3329\n//\n// def bitreverse(i):\n// ret = 0\n// for n in range(7):\n// bit = i & 1\n// ret <<= 1\n// ret |= bit\n// i >>= 1\n// return ret\n\n// kNTTRoots = [pow(17, bitreverse(i), p) for i in range(128)]\nstatic const uint16_t kNTTRoots[128] = {\n 1, 1729, 2580, 3289, 2642, 630, 1897, 848, 1062, 1919, 193, 797,\n 2786, 3260, 569, 1746, 296, 2447, 1339, 1476, 3046, 56, 2240, 1333,\n 1426, 2094, 535, 2882, 2393, 2879, 1974, 821, 289, 331, 3253, 1756,\n 1197, 2304, 2277, 2055, 650, 1977, 2513, 632, 2865, 33, 1320, 1915,\n 2319, 1435, 807, 452, 1438, 2868, 1534, 2402, 2647, 2617, 1481, 648,\n 2474, 3110, 1227, 910, 17, 2761, 583, 2649, 1637, 723, 2288, 1100,\n 1409, 2662, 3281, 233, 756, 2156, 3015, 3050, 1703, 1651, 2789, 1789,\n 1847, 952, 1461, 2687, 939, 2308, 2437, 2388, 733, 2337, 268, 641,\n 1584, 2298, 2037, 3220, 375, 2549, 2090, 1645, 1063, 319, 2773, 757,\n 2099, 561, 2466, 2594, 2804, 1092, 403, 1026, 1143, 2150, 2775, 886,\n 1722, 1212, 1874, 1029, 2110, 2935, 885, 2154,\n};\n\n// kInverseNTTRoots = [pow(17, -bitreverse(i), p) for i in range(128)]\nstatic const uint16_t kInverseNTTRoots[128] = {\n 1, 1600, 40, 749, 2481, 1432, 2699, 687, 1583, 2760, 69, 543,\n 2532, 3136, 1410, 2267, 2508, 1355, 450, 936, 447, 2794, 1235, 1903,\n 1996, 1089, 3273, 283, 1853, 1990, 882, 3033, 2419, 2102, 219, 855,\n 2681, 1848, 712, 682, 927, 1795, 461, 1891, 2877, 2522, 1894, 1010,\n 1414, 2009, 3296, 464, 2697, 816, 1352, 2679, 1274, 1052, 1025, 2132,\n 1573, 76, 2998, 3040, 1175, 2444, 394, 1219, 2300, 1455, 2117, 1607,\n 2443, 554, 1179, 2186, 2303, 2926, 2237, 525, 735, 863, 2768, 1230,\n 2572, 556, 3010, 2266, 1684, 1239, 780, 2954, 109, 1292, 1031, 1745,\n 2688, 3061, 992, 2596, 941, 892, 1021, 2390, 642, 1868, 2377, 1482,\n 1540, 540, 1678, 1626, 279, 314, 1173, 2573, 3096, 48, 667, 1920,\n 2229, 1041, 2606, 1692, 680, 2746, 568, 3312,\n};\n\n// kModRoots = [pow(17, 2*bitreverse(i) + 1, p) for i in range(128)]\nstatic const uint16_t kModRoots[128] = {\n 17, 3312, 2761, 568, 583, 2746, 2649, 680, 1637, 1692, 723, 2606,\n 2288, 1041, 1100, 2229, 1409, 1920, 2662, 667, 3281, 48, 233, 3096,\n 756, 2573, 2156, 1173, 3015, 314, 3050, 279, 1703, 1626, 1651, 1678,\n 2789, 540, 1789, 1540, 1847, 1482, 952, 2377, 1461, 1868, 2687, 642,\n 939, 2390, 2308, 1021, 2437, 892, 2388, 941, 733, 2596, 2337, 992,\n 268, 3061, 641, 2688, 1584, 1745, 2298, 1031, 2037, 1292, 3220, 109,\n 375, 2954, 2549, 780, 2090, 1239, 1645, 1684, 1063, 2266, 319, 3010,\n 2773, 556, 757, 2572, 2099, 1230, 561, 2768, 2466, 863, 2594, 735,\n 2804, 525, 1092, 2237, 403, 2926, 1026, 2303, 1143, 2186, 2150, 1179,\n 2775, 554, 886, 2443, 1722, 1607, 1212, 2117, 1874, 1455, 1029, 2300,\n 2110, 1219, 2935, 394, 885, 2444, 2154, 1175,\n};\n\n// reduce_once reduces 0 <= x < 2*kPrime, mod kPrime.\nstatic uint16_t reduce_once(uint16_t x) {\n declassify_assert(x < 2 * kPrime);\n const uint16_t subtracted = x - kPrime;\n uint16_t mask = 0u - (subtracted >> 15);\n // Although this is a constant-time select, we omit a value barrier here.\n // Value barriers impede auto-vectorization (likely because it forces the\n // value to transit through a general-purpose register). On AArch64, this is a\n // difference of 2x.\n //\n // We usually add value barriers to selects because Clang turns consecutive\n // selects with the same condition into a branch instead of CMOV/CSEL. This\n // condition does not occur in Kyber, so omitting it seems to be safe so far,\n // but see |scalar_centered_binomial_distribution_eta_2_with_prf|.\n return (mask & x) | (~mask & subtracted);\n}\n\n// constant time reduce x mod kPrime using Barrett reduction. x must be less\n// than kPrime + 2×kPrime².\nstatic uint16_t reduce(uint32_t x) {\n declassify_assert(x < kPrime + 2u * kPrime * kPrime);\n uint64_t product = (uint64_t)x * kBarrettMultiplier;\n uint32_t quotient = (uint32_t)(product >> kBarrettShift);\n uint32_t remainder = x - quotient * kPrime;\n return reduce_once(remainder);\n}\n\nstatic void scalar_zero(scalar *out) { OPENSSL_memset(out, 0, sizeof(*out)); }\n\nstatic void vector_zero(vector *out) { OPENSSL_memset(out, 0, sizeof(*out)); }\n\n// In place number theoretic transform of a given scalar.\n// Note that Kyber's kPrime 3329 does not have a 512th root of unity, so this\n// transform leaves off the last iteration of the usual FFT code, with the 128\n// relevant roots of unity being stored in |kNTTRoots|. This means the output\n// should be seen as 128 elements in GF(3329^2), with the coefficients of the\n// elements being consecutive entries in |s->c|.\nstatic void scalar_ntt(scalar *s) {\n int offset = DEGREE;\n // `int` is used here because using `size_t` throughout caused a ~5% slowdown\n // with Clang 14 on Aarch64.\n for (int step = 1; step < DEGREE / 2; step <<= 1) {\n offset >>= 1;\n int k = 0;\n for (int i = 0; i < step; i++) {\n const uint32_t step_root = kNTTRoots[i + step];\n for (int j = k; j < k + offset; j++) {\n uint16_t odd = reduce(step_root * s->c[j + offset]);\n uint16_t even = s->c[j];\n s->c[j] = reduce_once(odd + even);\n s->c[j + offset] = reduce_once(even - odd + kPrime);\n }\n k += 2 * offset;\n }\n }\n}\n\nstatic void vector_ntt(vector *a) {\n for (int i = 0; i < RANK; i++) {\n scalar_ntt(&a->v[i]);\n }\n}\n\n// In place inverse number theoretic transform of a given scalar, with pairs of\n// entries of s->v being interpreted as elements of GF(3329^2). Just as with the\n// number theoretic transform, this leaves off the first step of the normal iFFT\n// to account for the fact that 3329 does not have a 512th root of unity, using\n// the precomputed 128 roots of unity stored in |kInverseNTTRoots|.\nstatic void scalar_inverse_ntt(scalar *s) {\n int step = DEGREE / 2;\n // `int` is used here because using `size_t` throughout caused a ~5% slowdown\n // with Clang 14 on Aarch64.\n for (int offset = 2; offset < DEGREE; offset <<= 1) {\n step >>= 1;\n int k = 0;\n for (int i = 0; i < step; i++) {\n uint32_t step_root = kInverseNTTRoots[i + step];\n for (int j = k; j < k + offset; j++) {\n uint16_t odd = s->c[j + offset];\n uint16_t even = s->c[j];\n s->c[j] = reduce_once(odd + even);\n s->c[j + offset] = reduce(step_root * (even - odd + kPrime));\n }\n k += 2 * offset;\n }\n }\n for (int i = 0; i < DEGREE; i++) {\n s->c[i] = reduce(s->c[i] * kInverseDegree);\n }\n}\n\nstatic void vector_inverse_ntt(vector *a) {\n for (int i = 0; i < RANK; i++) {\n scalar_inverse_ntt(&a->v[i]);\n }\n}\n\nstatic void scalar_add(scalar *lhs, const scalar *rhs) {\n for (int i = 0; i < DEGREE; i++) {\n lhs->c[i] = reduce_once(lhs->c[i] + rhs->c[i]);\n }\n}\n\nstatic void scalar_sub(scalar *lhs, const scalar *rhs) {\n for (int i = 0; i < DEGREE; i++) {\n lhs->c[i] = reduce_once(lhs->c[i] - rhs->c[i] + kPrime);\n }\n}\n\n// Multiplying two scalars in the number theoretically transformed state. Since\n// 3329 does not have a 512th root of unity, this means we have to interpret\n// the 2*ith and (2*i+1)th entries of the scalar as elements of GF(3329)[X]/(X^2\n// - 17^(2*bitreverse(i)+1)) The value of 17^(2*bitreverse(i)+1) mod 3329 is\n// stored in the precomputed |kModRoots| table. Note that our Barrett transform\n// only allows us to multipy two reduced numbers together, so we need some\n// intermediate reduction steps, even if an uint64_t could hold 3 multiplied\n// numbers.\nstatic void scalar_mult(scalar *out, const scalar *lhs, const scalar *rhs) {\n for (int i = 0; i < DEGREE / 2; i++) {\n uint32_t real_real = (uint32_t)lhs->c[2 * i] * rhs->c[2 * i];\n uint32_t img_img = (uint32_t)lhs->c[2 * i + 1] * rhs->c[2 * i + 1];\n uint32_t real_img = (uint32_t)lhs->c[2 * i] * rhs->c[2 * i + 1];\n uint32_t img_real = (uint32_t)lhs->c[2 * i + 1] * rhs->c[2 * i];\n out->c[2 * i] =\n reduce(real_real + (uint32_t)reduce(img_img) * kModRoots[i]);\n out->c[2 * i + 1] = reduce(img_real + real_img);\n }\n}\n\nstatic void vector_add(vector *lhs, const vector *rhs) {\n for (int i = 0; i < RANK; i++) {\n scalar_add(&lhs->v[i], &rhs->v[i]);\n }\n}\n\nstatic void matrix_mult(vector *out, const matrix *m, const vector *a) {\n vector_zero(out);\n for (int i = 0; i < RANK; i++) {\n for (int j = 0; j < RANK; j++) {\n scalar product;\n scalar_mult(&product, &m->v[i][j], &a->v[j]);\n scalar_add(&out->v[i], &product);\n }\n }\n}\n\nstatic void matrix_mult_transpose(vector *out, const matrix *m,\n const vector *a) {\n vector_zero(out);\n for (int i = 0; i < RANK; i++) {\n for (int j = 0; j < RANK; j++) {\n scalar product;\n scalar_mult(&product, &m->v[j][i], &a->v[j]);\n scalar_add(&out->v[i], &product);\n }\n }\n}\n\nstatic void scalar_inner_product(scalar *out, const vector *lhs,\n const vector *rhs) {\n scalar_zero(out);\n for (int i = 0; i < RANK; i++) {\n scalar product;\n scalar_mult(&product, &lhs->v[i], &rhs->v[i]);\n scalar_add(out, &product);\n }\n}\n\n// Algorithm 1 of the Kyber spec. Rejection samples a Keccak stream to get\n// uniformly distributed elements. This is used for matrix expansion and only\n// operates on public inputs.\nstatic void scalar_from_keccak_vartime(scalar *out,\n struct BORINGSSL_keccak_st *keccak_ctx) {\n assert(keccak_ctx->squeeze_offset == 0);\n assert(keccak_ctx->rate_bytes == 168);\n static_assert(168 % 3 == 0, \"block and coefficient boundaries do not align\");\n\n int done = 0;\n while (done < DEGREE) {\n uint8_t block[168];\n BORINGSSL_keccak_squeeze(keccak_ctx, block, sizeof(block));\n for (size_t i = 0; i < sizeof(block) && done < DEGREE; i += 3) {\n uint16_t d1 = block[i] + 256 * (block[i + 1] % 16);\n uint16_t d2 = block[i + 1] / 16 + 16 * block[i + 2];\n if (d1 < kPrime) {\n out->c[done++] = d1;\n }\n if (d2 < kPrime && done < DEGREE) {\n out->c[done++] = d2;\n }\n }\n }\n}\n\n// Algorithm 2 of the Kyber spec, with eta fixed to two and the PRF call\n// included. Creates binominally distributed elements by sampling 2*|eta| bits,\n// and setting the coefficient to the count of the first bits minus the count of\n// the second bits, resulting in a centered binomial distribution. Since eta is\n// two this gives -2/2 with a probability of 1/16, -1/1 with probability 1/4,\n// and 0 with probability 3/8.\nstatic void scalar_centered_binomial_distribution_eta_2_with_prf(\n scalar *out, const uint8_t input[33]) {\n uint8_t entropy[128];\n static_assert(sizeof(entropy) == 2 * /*kEta=*/2 * DEGREE / 8, \"\");\n prf(entropy, sizeof(entropy), input);\n\n for (int i = 0; i < DEGREE; i += 2) {\n uint8_t byte = entropy[i / 2];\n\n uint16_t value = (byte & 1) + ((byte >> 1) & 1);\n value -= ((byte >> 2) & 1) + ((byte >> 3) & 1);\n // Add |kPrime| if |value| underflowed. See |reduce_once| for a discussion\n // on why the value barrier is omitted. While this could have been written\n // reduce_once(value + kPrime), this is one extra addition and small range\n // of |value| tempts some versions of Clang to emit a branch.\n uint16_t mask = 0u - (value >> 15);\n out->c[i] = value + (kPrime & mask);\n\n byte >>= 4;\n value = (byte & 1) + ((byte >> 1) & 1);\n value -= ((byte >> 2) & 1) + ((byte >> 3) & 1);\n // See above.\n mask = 0u - (value >> 15);\n out->c[i + 1] = value + (kPrime & mask);\n }\n}\n\n// Generates a secret vector by using\n// |scalar_centered_binomial_distribution_eta_2_with_prf|, using the given seed\n// appending and incrementing |counter| for entry of the vector.\nstatic void vector_generate_secret_eta_2(vector *out, uint8_t *counter,\n const uint8_t seed[32]) {\n uint8_t input[33];\n OPENSSL_memcpy(input, seed, 32);\n for (int i = 0; i < RANK; i++) {\n input[32] = (*counter)++;\n scalar_centered_binomial_distribution_eta_2_with_prf(&out->v[i], input);\n }\n}\n\n// Expands the matrix of a seed for key generation and for encaps-CPA.\nstatic void matrix_expand(matrix *out, const uint8_t rho[32]) {\n uint8_t input[34];\n OPENSSL_memcpy(input, rho, 32);\n for (int i = 0; i < RANK; i++) {\n for (int j = 0; j < RANK; j++) {\n input[32] = i;\n input[33] = j;\n struct BORINGSSL_keccak_st keccak_ctx;\n BORINGSSL_keccak_init(&keccak_ctx, boringssl_shake128);\n BORINGSSL_keccak_absorb(&keccak_ctx, input, sizeof(input));\n scalar_from_keccak_vartime(&out->v[i][j], &keccak_ctx);\n }\n }\n}\n\nstatic const uint8_t kMasks[8] = {0x01, 0x03, 0x07, 0x0f,\n 0x1f, 0x3f, 0x7f, 0xff};\n\nstatic void scalar_encode(uint8_t *out, const scalar *s, int bits) {\n assert(bits <= (int)sizeof(*s->c) * 8 && bits != 1);\n\n uint8_t out_byte = 0;\n int out_byte_bits = 0;\n\n for (int i = 0; i < DEGREE; i++) {\n uint16_t element = s->c[i];\n int element_bits_done = 0;\n\n while (element_bits_done < bits) {\n int chunk_bits = bits - element_bits_done;\n int out_bits_remaining = 8 - out_byte_bits;\n if (chunk_bits >= out_bits_remaining) {\n chunk_bits = out_bits_remaining;\n out_byte |= (element & kMasks[chunk_bits - 1]) << out_byte_bits;\n *out = out_byte;\n out++;\n out_byte_bits = 0;\n out_byte = 0;\n } else {\n out_byte |= (element & kMasks[chunk_bits - 1]) << out_byte_bits;\n out_byte_bits += chunk_bits;\n }\n\n element_bits_done += chunk_bits;\n element >>= chunk_bits;\n }\n }\n\n if (out_byte_bits > 0) {\n *out = out_byte;\n }\n}\n\n// scalar_encode_1 is |scalar_encode| specialised for |bits| == 1.\nstatic void scalar_encode_1(uint8_t out[32], const scalar *s) {\n for (int i = 0; i < DEGREE; i += 8) {\n uint8_t out_byte = 0;\n for (int j = 0; j < 8; j++) {\n out_byte |= (s->c[i + j] & 1) << j;\n }\n *out = out_byte;\n out++;\n }\n}\n\n// Encodes an entire vector into 32*|RANK|*|bits| bytes. Note that since 256\n// (DEGREE) is divisible by 8, the individual vector entries will always fill a\n// whole number of bytes, so we do not need to worry about bit packing here.\nstatic void vector_encode(uint8_t *out, const vector *a, int bits) {\n for (int i = 0; i < RANK; i++) {\n scalar_encode(out + i * bits * DEGREE / 8, &a->v[i], bits);\n }\n}\n\n// scalar_decode parses |DEGREE * bits| bits from |in| into |DEGREE| values in\n// |out|. It returns one on success and zero if any parsed value is >=\n// |kPrime|.\nstatic int scalar_decode(scalar *out, const uint8_t *in, int bits) {\n assert(bits <= (int)sizeof(*out->c) * 8 && bits != 1);\n\n uint8_t in_byte = 0;\n int in_byte_bits_left = 0;\n\n for (int i = 0; i < DEGREE; i++) {\n uint16_t element = 0;\n int element_bits_done = 0;\n\n while (element_bits_done < bits) {\n if (in_byte_bits_left == 0) {\n in_byte = *in;\n in++;\n in_byte_bits_left = 8;\n }\n\n int chunk_bits = bits - element_bits_done;\n if (chunk_bits > in_byte_bits_left) {\n chunk_bits = in_byte_bits_left;\n }\n\n element |= (in_byte & kMasks[chunk_bits - 1]) << element_bits_done;\n in_byte_bits_left -= chunk_bits;\n in_byte >>= chunk_bits;\n\n element_bits_done += chunk_bits;\n }\n\n // An element is only out of range in the case of invalid input, in which\n // case it is okay to leak the comparison.\n if (constant_time_declassify_int(element >= kPrime)) {\n return 0;\n }\n out->c[i] = element;\n }\n\n return 1;\n}\n\n// scalar_decode_1 is |scalar_decode| specialised for |bits| == 1.\nstatic void scalar_decode_1(scalar *out, const uint8_t in[32]) {\n for (int i = 0; i < DEGREE; i += 8) {\n uint8_t in_byte = *in;\n in++;\n for (int j = 0; j < 8; j++) {\n out->c[i + j] = in_byte & 1;\n in_byte >>= 1;\n }\n }\n}\n\n// Decodes 32*|RANK|*|bits| bytes from |in| into |out|. It returns one on\n// success or zero if any parsed value is >= |kPrime|.\nstatic int vector_decode(vector *out, const uint8_t *in, int bits) {\n for (int i = 0; i < RANK; i++) {\n if (!scalar_decode(&out->v[i], in + i * bits * DEGREE / 8, bits)) {\n return 0;\n }\n }\n return 1;\n}\n\n// Compresses (lossily) an input |x| mod 3329 into |bits| many bits by grouping\n// numbers close to each other together. The formula used is\n// round(2^|bits|/kPrime*x) mod 2^|bits|.\n// Uses Barrett reduction to achieve constant time. Since we need both the\n// remainder (for rounding) and the quotient (as the result), we cannot use\n// |reduce| here, but need to do the Barrett reduction directly.\nstatic uint16_t compress(uint16_t x, int bits) {\n uint32_t shifted = (uint32_t)x << bits;\n uint64_t product = (uint64_t)shifted * kBarrettMultiplier;\n uint32_t quotient = (uint32_t)(product >> kBarrettShift);\n uint32_t remainder = shifted - quotient * kPrime;\n\n // Adjust the quotient to round correctly:\n // 0 <= remainder <= kHalfPrime round to 0\n // kHalfPrime < remainder <= kPrime + kHalfPrime round to 1\n // kPrime + kHalfPrime < remainder < 2 * kPrime round to 2\n declassify_assert(remainder < 2u * kPrime);\n quotient += 1 & constant_time_lt_w(kHalfPrime, remainder);\n quotient += 1 & constant_time_lt_w(kPrime + kHalfPrime, remainder);\n return quotient & ((1 << bits) - 1);\n}\n\n// Decompresses |x| by using an equi-distant representative. The formula is\n// round(kPrime/2^|bits|*x). Note that 2^|bits| being the divisor allows us to\n// implement this logic using only bit operations.\nstatic uint16_t decompress(uint16_t x, int bits) {\n uint32_t product = (uint32_t)x * kPrime;\n uint32_t power = 1 << bits;\n // This is |product| % power, since |power| is a power of 2.\n uint32_t remainder = product & (power - 1);\n // This is |product| / power, since |power| is a power of 2.\n uint32_t lower = product >> bits;\n // The rounding logic works since the first half of numbers mod |power| have a\n // 0 as first bit, and the second half has a 1 as first bit, since |power| is\n // a power of 2. As a 12 bit number, |remainder| is always positive, so we\n // will shift in 0s for a right shift.\n return lower + (remainder >> (bits - 1));\n}\n\nstatic void scalar_compress(scalar *s, int bits) {\n for (int i = 0; i < DEGREE; i++) {\n s->c[i] = compress(s->c[i], bits);\n }\n}\n\nstatic void scalar_decompress(scalar *s, int bits) {\n for (int i = 0; i < DEGREE; i++) {\n s->c[i] = decompress(s->c[i], bits);\n }\n}\n\nstatic void vector_compress(vector *a, int bits) {\n for (int i = 0; i < RANK; i++) {\n scalar_compress(&a->v[i], bits);\n }\n}\n\nstatic void vector_decompress(vector *a, int bits) {\n for (int i = 0; i < RANK; i++) {\n scalar_decompress(&a->v[i], bits);\n }\n}\n\nnamespace {\n\nstruct public_key {\n vector t;\n uint8_t rho[32];\n uint8_t public_key_hash[32];\n matrix m;\n};\n\nstatic struct public_key *public_key_from_external(\n const struct KYBER_public_key *external) {\n static_assert(sizeof(struct KYBER_public_key) >= sizeof(struct public_key),\n \"Kyber public key is too small\");\n static_assert(alignof(struct KYBER_public_key) >= alignof(struct public_key),\n \"Kyber public key align incorrect\");\n return (struct public_key *)external;\n}\n\nstruct private_key {\n struct public_key pub;\n vector s;\n uint8_t fo_failure_secret[32];\n};\n\nstatic struct private_key *private_key_from_external(\n const struct KYBER_private_key *external) {\n static_assert(sizeof(struct KYBER_private_key) >= sizeof(struct private_key),\n \"Kyber private key too small\");\n static_assert(\n alignof(struct KYBER_private_key) >= alignof(struct private_key),\n \"Kyber private key align incorrect\");\n return (struct private_key *)external;\n}\n\n} // namespace\n\n// Calls |KYBER_generate_key_external_entropy| with random bytes from\n// |RAND_bytes|.\nvoid KYBER_generate_key(uint8_t out_encoded_public_key[KYBER_PUBLIC_KEY_BYTES],\n struct KYBER_private_key *out_private_key) {\n uint8_t entropy[KYBER_GENERATE_KEY_ENTROPY];\n RAND_bytes(entropy, sizeof(entropy));\n CONSTTIME_SECRET(entropy, sizeof(entropy));\n KYBER_generate_key_external_entropy(out_encoded_public_key, out_private_key,\n entropy);\n}\n\nstatic int kyber_marshal_public_key(CBB *out, const struct public_key *pub) {\n uint8_t *vector_output;\n if (!CBB_add_space(out, &vector_output, kEncodedVectorSize)) {\n return 0;\n }\n vector_encode(vector_output, &pub->t, kLog2Prime);\n if (!CBB_add_bytes(out, pub->rho, sizeof(pub->rho))) {\n return 0;\n }\n return 1;\n}\n\n// Algorithms 4 and 7 of the Kyber spec. Algorithms are combined since key\n// generation is not part of the FO transform, and the spec uses Algorithm 7 to\n// specify the actual key format.\nvoid KYBER_generate_key_external_entropy(\n uint8_t out_encoded_public_key[KYBER_PUBLIC_KEY_BYTES],\n struct KYBER_private_key *out_private_key,\n const uint8_t entropy[KYBER_GENERATE_KEY_ENTROPY]) {\n struct private_key *priv = private_key_from_external(out_private_key);\n uint8_t hashed[64];\n hash_g(hashed, entropy, 32);\n const uint8_t *const rho = hashed;\n const uint8_t *const sigma = hashed + 32;\n // rho is public.\n CONSTTIME_DECLASSIFY(rho, 32);\n OPENSSL_memcpy(priv->pub.rho, hashed, sizeof(priv->pub.rho));\n matrix_expand(&priv->pub.m, rho);\n uint8_t counter = 0;\n vector_generate_secret_eta_2(&priv->s, &counter, sigma);\n vector_ntt(&priv->s);\n vector error;\n vector_generate_secret_eta_2(&error, &counter, sigma);\n vector_ntt(&error);\n matrix_mult_transpose(&priv->pub.t, &priv->pub.m, &priv->s);\n vector_add(&priv->pub.t, &error);\n // t is part of the public key and thus is public.\n CONSTTIME_DECLASSIFY(&priv->pub.t, sizeof(priv->pub.t));\n\n CBB cbb;\n CBB_init_fixed(&cbb, out_encoded_public_key, KYBER_PUBLIC_KEY_BYTES);\n if (!kyber_marshal_public_key(&cbb, &priv->pub)) {\n abort();\n }\n\n hash_h(priv->pub.public_key_hash, out_encoded_public_key,\n KYBER_PUBLIC_KEY_BYTES);\n OPENSSL_memcpy(priv->fo_failure_secret, entropy + 32, 32);\n}\n\nvoid KYBER_public_from_private(struct KYBER_public_key *out_public_key,\n const struct KYBER_private_key *private_key) {\n struct public_key *const pub = public_key_from_external(out_public_key);\n const struct private_key *const priv = private_key_from_external(private_key);\n *pub = priv->pub;\n}\n\n// Algorithm 5 of the Kyber spec. Encrypts a message with given randomness to\n// the ciphertext in |out|. Without applying the Fujisaki-Okamoto transform this\n// would not result in a CCA secure scheme, since lattice schemes are vulnerable\n// to decryption failure oracles.\nstatic void encrypt_cpa(uint8_t out[KYBER_CIPHERTEXT_BYTES],\n const struct public_key *pub, const uint8_t message[32],\n const uint8_t randomness[32]) {\n uint8_t counter = 0;\n vector secret;\n vector_generate_secret_eta_2(&secret, &counter, randomness);\n vector_ntt(&secret);\n vector error;\n vector_generate_secret_eta_2(&error, &counter, randomness);\n uint8_t input[33];\n OPENSSL_memcpy(input, randomness, 32);\n input[32] = counter;\n scalar scalar_error;\n scalar_centered_binomial_distribution_eta_2_with_prf(&scalar_error, input);\n vector u;\n matrix_mult(&u, &pub->m, &secret);\n vector_inverse_ntt(&u);\n vector_add(&u, &error);\n scalar v;\n scalar_inner_product(&v, &pub->t, &secret);\n scalar_inverse_ntt(&v);\n scalar_add(&v, &scalar_error);\n scalar expanded_message;\n scalar_decode_1(&expanded_message, message);\n scalar_decompress(&expanded_message, 1);\n scalar_add(&v, &expanded_message);\n vector_compress(&u, kDU);\n vector_encode(out, &u, kDU);\n scalar_compress(&v, kDV);\n scalar_encode(out + kCompressedVectorSize, &v, kDV);\n}\n\n// Calls KYBER_encap_external_entropy| with random bytes from |RAND_bytes|\nvoid KYBER_encap(uint8_t out_ciphertext[KYBER_CIPHERTEXT_BYTES],\n uint8_t out_shared_secret[KYBER_SHARED_SECRET_BYTES],\n const struct KYBER_public_key *public_key) {\n uint8_t entropy[KYBER_ENCAP_ENTROPY];\n RAND_bytes(entropy, KYBER_ENCAP_ENTROPY);\n CONSTTIME_SECRET(entropy, KYBER_ENCAP_ENTROPY);\n KYBER_encap_external_entropy(out_ciphertext, out_shared_secret, public_key,\n entropy);\n}\n\n// Algorithm 8 of the Kyber spec, safe for line 2 of the spec. The spec there\n// hashes the output of the system's random number generator, since the FO\n// transform will reveal it to the decrypting party. There is no reason to do\n// this when a secure random number generator is used. When an insecure random\n// number generator is used, the caller should switch to a secure one before\n// calling this method.\nvoid KYBER_encap_external_entropy(\n uint8_t out_ciphertext[KYBER_CIPHERTEXT_BYTES],\n uint8_t out_shared_secret[KYBER_SHARED_SECRET_BYTES],\n const struct KYBER_public_key *public_key,\n const uint8_t entropy[KYBER_ENCAP_ENTROPY]) {\n const struct public_key *pub = public_key_from_external(public_key);\n uint8_t input[64];\n OPENSSL_memcpy(input, entropy, KYBER_ENCAP_ENTROPY);\n OPENSSL_memcpy(input + KYBER_ENCAP_ENTROPY, pub->public_key_hash,\n sizeof(input) - KYBER_ENCAP_ENTROPY);\n uint8_t prekey_and_randomness[64];\n hash_g(prekey_and_randomness, input, sizeof(input));\n encrypt_cpa(out_ciphertext, pub, entropy, prekey_and_randomness + 32);\n // The ciphertext is public.\n CONSTTIME_DECLASSIFY(out_ciphertext, KYBER_CIPHERTEXT_BYTES);\n hash_h(prekey_and_randomness + 32, out_ciphertext, KYBER_CIPHERTEXT_BYTES);\n kdf(out_shared_secret, KYBER_SHARED_SECRET_BYTES, prekey_and_randomness,\n sizeof(prekey_and_randomness));\n}\n\n// Algorithm 6 of the Kyber spec.\nstatic void decrypt_cpa(uint8_t out[32], const struct private_key *priv,\n const uint8_t ciphertext[KYBER_CIPHERTEXT_BYTES]) {\n vector u;\n vector_decode(&u, ciphertext, kDU);\n vector_decompress(&u, kDU);\n vector_ntt(&u);\n scalar v;\n scalar_decode(&v, ciphertext + kCompressedVectorSize, kDV);\n scalar_decompress(&v, kDV);\n scalar mask;\n scalar_inner_product(&mask, &priv->s, &u);\n scalar_inverse_ntt(&mask);\n scalar_sub(&v, &mask);\n scalar_compress(&v, 1);\n scalar_encode_1(out, &v);\n}\n\n// Algorithm 9 of the Kyber spec, performing the FO transform by running\n// encrypt_cpa on the decrypted message. The spec does not allow the decryption\n// failure to be passed on to the caller, and instead returns a result that is\n// deterministic but unpredictable to anyone without knowledge of the private\n// key.\nvoid KYBER_decap(uint8_t out_shared_secret[KYBER_SHARED_SECRET_BYTES],\n const uint8_t ciphertext[KYBER_CIPHERTEXT_BYTES],\n const struct KYBER_private_key *private_key) {\n const struct private_key *priv = private_key_from_external(private_key);\n uint8_t decrypted[64];\n decrypt_cpa(decrypted, priv, ciphertext);\n OPENSSL_memcpy(decrypted + 32, priv->pub.public_key_hash,\n sizeof(decrypted) - 32);\n uint8_t prekey_and_randomness[64];\n hash_g(prekey_and_randomness, decrypted, sizeof(decrypted));\n uint8_t expected_ciphertext[KYBER_CIPHERTEXT_BYTES];\n encrypt_cpa(expected_ciphertext, &priv->pub, decrypted,\n prekey_and_randomness + 32);\n uint8_t mask =\n constant_time_eq_int_8(CRYPTO_memcmp(ciphertext, expected_ciphertext,\n sizeof(expected_ciphertext)),\n 0);\n uint8_t input[64];\n for (int i = 0; i < 32; i++) {\n input[i] = constant_time_select_8(mask, prekey_and_randomness[i],\n priv->fo_failure_secret[i]);\n }\n hash_h(input + 32, ciphertext, KYBER_CIPHERTEXT_BYTES);\n kdf(out_shared_secret, KYBER_SHARED_SECRET_BYTES, input, sizeof(input));\n}\n\nint KYBER_marshal_public_key(CBB *out,\n const struct KYBER_public_key *public_key) {\n return kyber_marshal_public_key(out, public_key_from_external(public_key));\n}\n\n// kyber_parse_public_key_no_hash parses |in| into |pub| but doesn't calculate\n// the value of |pub->public_key_hash|.\nstatic int kyber_parse_public_key_no_hash(struct public_key *pub, CBS *in) {\n CBS t_bytes;\n if (!CBS_get_bytes(in, &t_bytes, kEncodedVectorSize) ||\n !vector_decode(&pub->t, CBS_data(&t_bytes), kLog2Prime) ||\n !CBS_copy_bytes(in, pub->rho, sizeof(pub->rho))) {\n return 0;\n }\n matrix_expand(&pub->m, pub->rho);\n return 1;\n}\n\nint KYBER_parse_public_key(struct KYBER_public_key *public_key, CBS *in) {\n struct public_key *pub = public_key_from_external(public_key);\n CBS orig_in = *in;\n if (!kyber_parse_public_key_no_hash(pub, in) || //\n CBS_len(in) != 0) {\n return 0;\n }\n hash_h(pub->public_key_hash, CBS_data(&orig_in), CBS_len(&orig_in));\n return 1;\n}\n\nint KYBER_marshal_private_key(CBB *out,\n const struct KYBER_private_key *private_key) {\n const struct private_key *const priv = private_key_from_external(private_key);\n uint8_t *s_output;\n if (!CBB_add_space(out, &s_output, kEncodedVectorSize)) {\n return 0;\n }\n vector_encode(s_output, &priv->s, kLog2Prime);\n if (!kyber_marshal_public_key(out, &priv->pub) ||\n !CBB_add_bytes(out, priv->pub.public_key_hash,\n sizeof(priv->pub.public_key_hash)) ||\n !CBB_add_bytes(out, priv->fo_failure_secret,\n sizeof(priv->fo_failure_secret))) {\n return 0;\n }\n return 1;\n}\n\nint KYBER_parse_private_key(struct KYBER_private_key *out_private_key,\n CBS *in) {\n struct private_key *const priv = private_key_from_external(out_private_key);\n\n CBS s_bytes;\n if (!CBS_get_bytes(in, &s_bytes, kEncodedVectorSize) ||\n !vector_decode(&priv->s, CBS_data(&s_bytes), kLog2Prime) ||\n !kyber_parse_public_key_no_hash(&priv->pub, in) ||\n !CBS_copy_bytes(in, priv->pub.public_key_hash,\n sizeof(priv->pub.public_key_hash)) ||\n !CBS_copy_bytes(in, priv->fo_failure_secret,\n sizeof(priv->fo_failure_secret)) ||\n CBS_len(in) != 0) {\n return 0;\n }\n return 1;\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/lhash/internal.h", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#ifndef OPENSSL_HEADER_LHASH_INTERNAL_H\n#define OPENSSL_HEADER_LHASH_INTERNAL_H\n\n#include \n\n#if defined(__cplusplus)\nextern \"C\" {\n#endif\n\n\n// lhash is a traditional, chaining hash table that automatically expands and\n// contracts as needed. One should not use the lh_* functions directly, rather\n// use the type-safe macro wrappers:\n//\n// A hash table of a specific type of object has type |LHASH_OF(type)|. This\n// can be defined (once) with |DEFINE_LHASH_OF(type)| and declared where needed\n// with |DECLARE_LHASH_OF(type)|. For example:\n//\n// struct foo {\n// int bar;\n// };\n//\n// DEFINE_LHASH_OF(struct foo)\n//\n// Although note that the hash table will contain /pointers/ to |foo|.\n//\n// A macro will be defined for each of the |OPENSSL_lh_*| functions below. For\n// |LHASH_OF(foo)|, the macros would be |lh_foo_new|, |lh_foo_num_items| etc.\n\n\n// lhash_cmp_func is a comparison function that returns a value equal, or not\n// equal, to zero depending on whether |*a| is equal, or not equal to |*b|,\n// respectively. Note the difference between this and |stack_cmp_func| in that\n// this takes pointers to the objects directly.\n//\n// This function's actual type signature is int (*)(const T*, const T*). The\n// low-level |lh_*| functions will be passed a type-specific wrapper to call it\n// correctly.\ntypedef int (*lhash_cmp_func)(const void *a, const void *b);\ntypedef int (*lhash_cmp_func_helper)(lhash_cmp_func func, const void *a,\n const void *b);\n\n// lhash_hash_func is a function that maps an object to a uniformly distributed\n// uint32_t.\n//\n// This function's actual type signature is uint32_t (*)(const T*). The\n// low-level |lh_*| functions will be passed a type-specific wrapper to call it\n// correctly.\ntypedef uint32_t (*lhash_hash_func)(const void *a);\ntypedef uint32_t (*lhash_hash_func_helper)(lhash_hash_func func, const void *a);\n\ntypedef struct lhash_st _LHASH;\n\n// OPENSSL_lh_new returns a new, empty hash table or NULL on error.\nOPENSSL_EXPORT _LHASH *OPENSSL_lh_new(lhash_hash_func hash,\n lhash_cmp_func comp);\n\n// OPENSSL_lh_free frees the hash table itself but none of the elements. See\n// |OPENSSL_lh_doall|.\nOPENSSL_EXPORT void OPENSSL_lh_free(_LHASH *lh);\n\n// OPENSSL_lh_num_items returns the number of items in |lh|.\nOPENSSL_EXPORT size_t OPENSSL_lh_num_items(const _LHASH *lh);\n\n// OPENSSL_lh_retrieve finds an element equal to |data| in the hash table and\n// returns it. If no such element exists, it returns NULL.\nOPENSSL_EXPORT void *OPENSSL_lh_retrieve(const _LHASH *lh, const void *data,\n lhash_hash_func_helper call_hash_func,\n lhash_cmp_func_helper call_cmp_func);\n\n// OPENSSL_lh_retrieve_key finds an element matching |key|, given the specified\n// hash and comparison function. This differs from |OPENSSL_lh_retrieve| in that\n// the key may be a different type than the values stored in |lh|. |key_hash|\n// and |cmp_key| must be compatible with the functions passed into\n// |OPENSSL_lh_new|.\nOPENSSL_EXPORT void *OPENSSL_lh_retrieve_key(const _LHASH *lh, const void *key,\n uint32_t key_hash,\n int (*cmp_key)(const void *key,\n const void *value));\n\n// OPENSSL_lh_insert inserts |data| into the hash table. If an existing element\n// is equal to |data| (with respect to the comparison function) then |*old_data|\n// will be set to that value and it will be replaced. Otherwise, or in the\n// event of an error, |*old_data| will be set to NULL. It returns one on\n// success or zero in the case of an allocation error.\nOPENSSL_EXPORT int OPENSSL_lh_insert(_LHASH *lh, void **old_data, void *data,\n lhash_hash_func_helper call_hash_func,\n lhash_cmp_func_helper call_cmp_func);\n\n// OPENSSL_lh_delete removes an element equal to |data| from the hash table and\n// returns it. If no such element is found, it returns NULL.\nOPENSSL_EXPORT void *OPENSSL_lh_delete(_LHASH *lh, const void *data,\n lhash_hash_func_helper call_hash_func,\n lhash_cmp_func_helper call_cmp_func);\n\n// OPENSSL_lh_doall_arg calls |func| on each element of the hash table and also\n// passes |arg| as the second argument.\n// TODO(fork): rename this\nOPENSSL_EXPORT void OPENSSL_lh_doall_arg(_LHASH *lh,\n void (*func)(void *, void *),\n void *arg);\n\n#define DEFINE_LHASH_OF(type) \\\n /* We disable MSVC C4191 in this macro, which warns when pointers are cast \\\n * to the wrong type. While the cast itself is valid, it is often a bug \\\n * because calling it through the cast is UB. However, we never actually \\\n * call functions as |lhash_cmp_func|. The type is just a type-erased \\\n * function pointer. (C does not guarantee function pointers fit in \\\n * |void*|, and GCC will warn on this.) Thus we just disable the false \\\n * positive warning. */ \\\n OPENSSL_MSVC_PRAGMA(warning(push)) \\\n OPENSSL_MSVC_PRAGMA(warning(disable : 4191)) \\\n \\\n DECLARE_LHASH_OF(type) \\\n \\\n typedef int (*lhash_##type##_cmp_func)(const type *, const type *); \\\n typedef uint32_t (*lhash_##type##_hash_func)(const type *); \\\n \\\n inline int lh_##type##_call_cmp_func(lhash_cmp_func func, const void *a, \\\n const void *b) { \\\n return ((lhash_##type##_cmp_func)func)((const type *)a, (const type *)b); \\\n } \\\n \\\n inline uint32_t lh_##type##_call_hash_func(lhash_hash_func func, \\\n const void *a) { \\\n return ((lhash_##type##_hash_func)func)((const type *)a); \\\n } \\\n \\\n inline LHASH_OF(type) *lh_##type##_new(lhash_##type##_hash_func hash, \\\n lhash_##type##_cmp_func comp) { \\\n return (LHASH_OF(type) *)OPENSSL_lh_new((lhash_hash_func)hash, \\\n (lhash_cmp_func)comp); \\\n } \\\n \\\n inline void lh_##type##_free(LHASH_OF(type) *lh) { \\\n OPENSSL_lh_free((_LHASH *)lh); \\\n } \\\n \\\n inline size_t lh_##type##_num_items(const LHASH_OF(type) *lh) { \\\n return OPENSSL_lh_num_items((const _LHASH *)lh); \\\n } \\\n \\\n inline type *lh_##type##_retrieve(const LHASH_OF(type) *lh, \\\n const type *data) { \\\n return (type *)OPENSSL_lh_retrieve((const _LHASH *)lh, data, \\\n lh_##type##_call_hash_func, \\\n lh_##type##_call_cmp_func); \\\n } \\\n \\\n typedef struct { \\\n int (*cmp_key)(const void *key, const type *value); \\\n const void *key; \\\n } LHASH_CMP_KEY_##type; \\\n \\\n inline int lh_##type##_call_cmp_key(const void *key, const void *value) { \\\n const LHASH_CMP_KEY_##type *cb = (const LHASH_CMP_KEY_##type *)key; \\\n return cb->cmp_key(cb->key, (const type *)value); \\\n } \\\n \\\n inline type *lh_##type##_retrieve_key( \\\n const LHASH_OF(type) *lh, const void *key, uint32_t key_hash, \\\n int (*cmp_key)(const void *key, const type *value)) { \\\n LHASH_CMP_KEY_##type cb = {cmp_key, key}; \\\n return (type *)OPENSSL_lh_retrieve_key((const _LHASH *)lh, &cb, key_hash, \\\n lh_##type##_call_cmp_key); \\\n } \\\n \\\n inline int lh_##type##_insert(LHASH_OF(type) *lh, type **old_data, \\\n type *data) { \\\n void *old_data_void = NULL; \\\n int ret = OPENSSL_lh_insert((_LHASH *)lh, &old_data_void, data, \\\n lh_##type##_call_hash_func, \\\n lh_##type##_call_cmp_func); \\\n *old_data = (type *)old_data_void; \\\n return ret; \\\n } \\\n \\\n inline type *lh_##type##_delete(LHASH_OF(type) *lh, const type *data) { \\\n return (type *)OPENSSL_lh_delete((_LHASH *)lh, data, \\\n lh_##type##_call_hash_func, \\\n lh_##type##_call_cmp_func); \\\n } \\\n \\\n typedef struct { \\\n void (*doall_arg)(type *, void *); \\\n void *arg; \\\n } LHASH_DOALL_##type; \\\n \\\n inline void lh_##type##_call_doall_arg(void *value, void *arg) { \\\n const LHASH_DOALL_##type *cb = (const LHASH_DOALL_##type *)arg; \\\n cb->doall_arg((type *)value, cb->arg); \\\n } \\\n \\\n inline void lh_##type##_doall_arg(LHASH_OF(type) *lh, \\\n void (*func)(type *, void *), void *arg) { \\\n LHASH_DOALL_##type cb = {func, arg}; \\\n OPENSSL_lh_doall_arg((_LHASH *)lh, lh_##type##_call_doall_arg, &cb); \\\n } \\\n \\\n OPENSSL_MSVC_PRAGMA(warning(pop))\n\n\n#if defined(__cplusplus)\n} // extern C\n#endif\n\n#endif // OPENSSL_HEADER_LHASH_INTERNAL_H\n" }, { "path": "Sources/CNIOBoringSSL/crypto/lhash/lhash.cc", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n#include \n#include \n\n#include \n\n#include \"../internal.h\"\n#include \"internal.h\"\n\n\n// kMinNumBuckets is the minimum size of the buckets array in an |_LHASH|.\nstatic const size_t kMinNumBuckets = 16;\n\n// kMaxAverageChainLength contains the maximum, average chain length. When the\n// average chain length exceeds this value, the hash table will be resized.\nstatic const size_t kMaxAverageChainLength = 2;\nstatic const size_t kMinAverageChainLength = 1;\n\n// lhash_item_st is an element of a hash chain. It points to the opaque data\n// for this element and to the next item in the chain. The linked-list is NULL\n// terminated.\ntypedef struct lhash_item_st {\n void *data;\n struct lhash_item_st *next;\n // hash contains the cached, hash value of |data|.\n uint32_t hash;\n} LHASH_ITEM;\n\nstruct lhash_st {\n // num_items contains the total number of items in the hash table.\n size_t num_items;\n // buckets is an array of |num_buckets| pointers. Each points to the head of\n // a chain of LHASH_ITEM objects that have the same hash value, mod\n // |num_buckets|.\n LHASH_ITEM **buckets;\n // num_buckets contains the length of |buckets|. This value is always >=\n // kMinNumBuckets.\n size_t num_buckets;\n // callback_depth contains the current depth of |lh_doall| or |lh_doall_arg|\n // calls. If non-zero then this suppresses resizing of the |buckets| array,\n // which would otherwise disrupt the iteration.\n unsigned callback_depth;\n\n lhash_cmp_func comp;\n lhash_hash_func hash;\n};\n\n_LHASH *OPENSSL_lh_new(lhash_hash_func hash, lhash_cmp_func comp) {\n _LHASH *ret = reinterpret_cast<_LHASH *>(OPENSSL_zalloc(sizeof(_LHASH)));\n if (ret == NULL) {\n return NULL;\n }\n\n ret->num_buckets = kMinNumBuckets;\n ret->buckets = reinterpret_cast(\n OPENSSL_calloc(ret->num_buckets, sizeof(LHASH_ITEM *)));\n if (ret->buckets == NULL) {\n OPENSSL_free(ret);\n return NULL;\n }\n\n ret->comp = comp;\n ret->hash = hash;\n return ret;\n}\n\nvoid OPENSSL_lh_free(_LHASH *lh) {\n if (lh == NULL) {\n return;\n }\n\n for (size_t i = 0; i < lh->num_buckets; i++) {\n LHASH_ITEM *next;\n for (LHASH_ITEM *n = lh->buckets[i]; n != NULL; n = next) {\n next = n->next;\n OPENSSL_free(n);\n }\n }\n\n OPENSSL_free(lh->buckets);\n OPENSSL_free(lh);\n}\n\nsize_t OPENSSL_lh_num_items(const _LHASH *lh) { return lh->num_items; }\n\n// get_next_ptr_and_hash returns a pointer to the pointer that points to the\n// item equal to |data|. In other words, it searches for an item equal to |data|\n// and, if it's at the start of a chain, then it returns a pointer to an\n// element of |lh->buckets|, otherwise it returns a pointer to the |next|\n// element of the previous item in the chain. If an element equal to |data| is\n// not found, it returns a pointer that points to a NULL pointer. If |out_hash|\n// is not NULL, then it also puts the hash value of |data| in |*out_hash|.\nstatic LHASH_ITEM **get_next_ptr_and_hash(const _LHASH *lh, uint32_t *out_hash,\n const void *data,\n lhash_hash_func_helper call_hash_func,\n lhash_cmp_func_helper call_cmp_func) {\n const uint32_t hash = call_hash_func(lh->hash, data);\n if (out_hash != NULL) {\n *out_hash = hash;\n }\n\n LHASH_ITEM **ret = &lh->buckets[hash % lh->num_buckets];\n for (LHASH_ITEM *cur = *ret; cur != NULL; cur = *ret) {\n if (call_cmp_func(lh->comp, cur->data, data) == 0) {\n break;\n }\n ret = &cur->next;\n }\n\n return ret;\n}\n\n// get_next_ptr_by_key behaves like |get_next_ptr_and_hash| but takes a key\n// which may be a different type from the values stored in |lh|.\nstatic LHASH_ITEM **get_next_ptr_by_key(const _LHASH *lh, const void *key,\n uint32_t key_hash,\n int (*cmp_key)(const void *key,\n const void *value)) {\n LHASH_ITEM **ret = &lh->buckets[key_hash % lh->num_buckets];\n for (LHASH_ITEM *cur = *ret; cur != NULL; cur = *ret) {\n if (cmp_key(key, cur->data) == 0) {\n break;\n }\n ret = &cur->next;\n }\n\n return ret;\n}\n\nvoid *OPENSSL_lh_retrieve(const _LHASH *lh, const void *data,\n lhash_hash_func_helper call_hash_func,\n lhash_cmp_func_helper call_cmp_func) {\n LHASH_ITEM **next_ptr =\n get_next_ptr_and_hash(lh, NULL, data, call_hash_func, call_cmp_func);\n return *next_ptr == NULL ? NULL : (*next_ptr)->data;\n}\n\nvoid *OPENSSL_lh_retrieve_key(const _LHASH *lh, const void *key,\n uint32_t key_hash,\n int (*cmp_key)(const void *key,\n const void *value)) {\n LHASH_ITEM **next_ptr = get_next_ptr_by_key(lh, key, key_hash, cmp_key);\n return *next_ptr == NULL ? NULL : (*next_ptr)->data;\n}\n\n// lh_rebucket allocates a new array of |new_num_buckets| pointers and\n// redistributes the existing items into it before making it |lh->buckets| and\n// freeing the old array.\nstatic void lh_rebucket(_LHASH *lh, const size_t new_num_buckets) {\n LHASH_ITEM **new_buckets, *cur, *next;\n size_t i, alloc_size;\n\n alloc_size = sizeof(LHASH_ITEM *) * new_num_buckets;\n if (alloc_size / sizeof(LHASH_ITEM *) != new_num_buckets) {\n return;\n }\n\n new_buckets = reinterpret_cast(OPENSSL_zalloc(alloc_size));\n if (new_buckets == NULL) {\n return;\n }\n\n for (i = 0; i < lh->num_buckets; i++) {\n for (cur = lh->buckets[i]; cur != NULL; cur = next) {\n const size_t new_bucket = cur->hash % new_num_buckets;\n next = cur->next;\n cur->next = new_buckets[new_bucket];\n new_buckets[new_bucket] = cur;\n }\n }\n\n OPENSSL_free(lh->buckets);\n\n lh->num_buckets = new_num_buckets;\n lh->buckets = new_buckets;\n}\n\n// lh_maybe_resize resizes the |buckets| array if needed.\nstatic void lh_maybe_resize(_LHASH *lh) {\n size_t avg_chain_length;\n\n if (lh->callback_depth > 0) {\n // Don't resize the hash if we are currently iterating over it.\n return;\n }\n\n assert(lh->num_buckets >= kMinNumBuckets);\n avg_chain_length = lh->num_items / lh->num_buckets;\n\n if (avg_chain_length > kMaxAverageChainLength) {\n const size_t new_num_buckets = lh->num_buckets * 2;\n\n if (new_num_buckets > lh->num_buckets) {\n lh_rebucket(lh, new_num_buckets);\n }\n } else if (avg_chain_length < kMinAverageChainLength &&\n lh->num_buckets > kMinNumBuckets) {\n size_t new_num_buckets = lh->num_buckets / 2;\n\n if (new_num_buckets < kMinNumBuckets) {\n new_num_buckets = kMinNumBuckets;\n }\n\n lh_rebucket(lh, new_num_buckets);\n }\n}\n\nint OPENSSL_lh_insert(_LHASH *lh, void **old_data, void *data,\n lhash_hash_func_helper call_hash_func,\n lhash_cmp_func_helper call_cmp_func) {\n uint32_t hash;\n LHASH_ITEM **next_ptr, *item;\n\n *old_data = NULL;\n next_ptr =\n get_next_ptr_and_hash(lh, &hash, data, call_hash_func, call_cmp_func);\n\n\n if (*next_ptr != NULL) {\n // An element equal to |data| already exists in the hash table. It will be\n // replaced.\n *old_data = (*next_ptr)->data;\n (*next_ptr)->data = data;\n return 1;\n }\n\n // An element equal to |data| doesn't exist in the hash table yet.\n item = reinterpret_cast(OPENSSL_malloc(sizeof(LHASH_ITEM)));\n if (item == NULL) {\n return 0;\n }\n\n item->data = data;\n item->hash = hash;\n item->next = NULL;\n *next_ptr = item;\n lh->num_items++;\n lh_maybe_resize(lh);\n\n return 1;\n}\n\nvoid *OPENSSL_lh_delete(_LHASH *lh, const void *data,\n lhash_hash_func_helper call_hash_func,\n lhash_cmp_func_helper call_cmp_func) {\n LHASH_ITEM **next_ptr, *item, *ret;\n\n next_ptr =\n get_next_ptr_and_hash(lh, NULL, data, call_hash_func, call_cmp_func);\n\n if (*next_ptr == NULL) {\n // No such element.\n return NULL;\n }\n\n item = *next_ptr;\n *next_ptr = item->next;\n ret = reinterpret_cast(item->data);\n OPENSSL_free(item);\n\n lh->num_items--;\n lh_maybe_resize(lh);\n\n return ret;\n}\n\nvoid OPENSSL_lh_doall_arg(_LHASH *lh, void (*func)(void *, void *), void *arg) {\n if (lh == NULL) {\n return;\n }\n\n if (lh->callback_depth < UINT_MAX) {\n // |callback_depth| is a saturating counter.\n lh->callback_depth++;\n }\n\n for (size_t i = 0; i < lh->num_buckets; i++) {\n LHASH_ITEM *next;\n for (LHASH_ITEM *cur = lh->buckets[i]; cur != NULL; cur = next) {\n next = cur->next;\n func(cur->data, arg);\n }\n }\n\n if (lh->callback_depth < UINT_MAX) {\n lh->callback_depth--;\n }\n\n // The callback may have added or removed elements and the non-zero value of\n // |callback_depth| will have suppressed any resizing. Thus any needed\n // resizing is done here.\n lh_maybe_resize(lh);\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/md4/md4.cc", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n#include \n\n#include \"../fipsmodule/digest/md32_common.h\"\n#include \"../internal.h\"\n\n\nuint8_t *MD4(const uint8_t *data, size_t len, uint8_t out[MD4_DIGEST_LENGTH]) {\n MD4_CTX ctx;\n MD4_Init(&ctx);\n MD4_Update(&ctx, data, len);\n MD4_Final(out, &ctx);\n\n return out;\n}\n\n// Implemented from RFC 1186 The MD4 Message-Digest Algorithm.\n\nint MD4_Init(MD4_CTX *md4) {\n OPENSSL_memset(md4, 0, sizeof(MD4_CTX));\n md4->h[0] = 0x67452301UL;\n md4->h[1] = 0xefcdab89UL;\n md4->h[2] = 0x98badcfeUL;\n md4->h[3] = 0x10325476UL;\n return 1;\n}\n\nstatic void md4_block_data_order(uint32_t *state, const uint8_t *data,\n size_t num);\n\nvoid MD4_Transform(MD4_CTX *c, const uint8_t data[MD4_CBLOCK]) {\n md4_block_data_order(c->h, data, 1);\n}\n\nint MD4_Update(MD4_CTX *c, const void *data, size_t len) {\n crypto_md32_update(&md4_block_data_order, c->h, c->data, MD4_CBLOCK, &c->num,\n &c->Nh, &c->Nl, reinterpret_cast(data),\n len);\n return 1;\n}\n\nint MD4_Final(uint8_t out[MD4_DIGEST_LENGTH], MD4_CTX *c) {\n crypto_md32_final(&md4_block_data_order, c->h, c->data, MD4_CBLOCK, &c->num,\n c->Nh, c->Nl, /*is_big_endian=*/0);\n\n CRYPTO_store_u32_le(out, c->h[0]);\n CRYPTO_store_u32_le(out + 4, c->h[1]);\n CRYPTO_store_u32_le(out + 8, c->h[2]);\n CRYPTO_store_u32_le(out + 12, c->h[3]);\n return 1;\n}\n\n// As pointed out by Wei Dai , the above can be\n// simplified to the code below. Wei attributes these optimizations\n// to Peter Gutmann's SHS code, and he attributes it to Rich Schroeppel.\n#define F(b, c, d) ((((c) ^ (d)) & (b)) ^ (d))\n#define G(b, c, d) (((b) & (c)) | ((b) & (d)) | ((c) & (d)))\n#define H(b, c, d) ((b) ^ (c) ^ (d))\n\n#define R0(a, b, c, d, k, s, t) \\\n do { \\\n (a) += ((k) + (t) + F((b), (c), (d))); \\\n (a) = CRYPTO_rotl_u32(a, s); \\\n } while (0)\n\n#define R1(a, b, c, d, k, s, t) \\\n do { \\\n (a) += ((k) + (t) + G((b), (c), (d))); \\\n (a) = CRYPTO_rotl_u32(a, s); \\\n } while (0)\n\n#define R2(a, b, c, d, k, s, t) \\\n do { \\\n (a) += ((k) + (t) + H((b), (c), (d))); \\\n (a) = CRYPTO_rotl_u32(a, s); \\\n } while (0)\n\nstatic void md4_block_data_order(uint32_t *state, const uint8_t *data,\n size_t num) {\n uint32_t A, B, C, D;\n uint32_t X0, X1, X2, X3, X4, X5, X6, X7, X8, X9, X10, X11, X12, X13, X14, X15;\n\n A = state[0];\n B = state[1];\n C = state[2];\n D = state[3];\n\n for (; num--;) {\n X0 = CRYPTO_load_u32_le(data);\n data += 4;\n X1 = CRYPTO_load_u32_le(data);\n data += 4;\n // Round 0\n R0(A, B, C, D, X0, 3, 0);\n X2 = CRYPTO_load_u32_le(data);\n data += 4;\n R0(D, A, B, C, X1, 7, 0);\n X3 = CRYPTO_load_u32_le(data);\n data += 4;\n R0(C, D, A, B, X2, 11, 0);\n X4 = CRYPTO_load_u32_le(data);\n data += 4;\n R0(B, C, D, A, X3, 19, 0);\n X5 = CRYPTO_load_u32_le(data);\n data += 4;\n R0(A, B, C, D, X4, 3, 0);\n X6 = CRYPTO_load_u32_le(data);\n data += 4;\n R0(D, A, B, C, X5, 7, 0);\n X7 = CRYPTO_load_u32_le(data);\n data += 4;\n R0(C, D, A, B, X6, 11, 0);\n X8 = CRYPTO_load_u32_le(data);\n data += 4;\n R0(B, C, D, A, X7, 19, 0);\n X9 = CRYPTO_load_u32_le(data);\n data += 4;\n R0(A, B, C, D, X8, 3, 0);\n X10 = CRYPTO_load_u32_le(data);\n data += 4;\n R0(D, A, B, C, X9, 7, 0);\n X11 = CRYPTO_load_u32_le(data);\n data += 4;\n R0(C, D, A, B, X10, 11, 0);\n X12 = CRYPTO_load_u32_le(data);\n data += 4;\n R0(B, C, D, A, X11, 19, 0);\n X13 = CRYPTO_load_u32_le(data);\n data += 4;\n R0(A, B, C, D, X12, 3, 0);\n X14 = CRYPTO_load_u32_le(data);\n data += 4;\n R0(D, A, B, C, X13, 7, 0);\n X15 = CRYPTO_load_u32_le(data);\n data += 4;\n R0(C, D, A, B, X14, 11, 0);\n R0(B, C, D, A, X15, 19, 0);\n // Round 1\n R1(A, B, C, D, X0, 3, 0x5A827999L);\n R1(D, A, B, C, X4, 5, 0x5A827999L);\n R1(C, D, A, B, X8, 9, 0x5A827999L);\n R1(B, C, D, A, X12, 13, 0x5A827999L);\n R1(A, B, C, D, X1, 3, 0x5A827999L);\n R1(D, A, B, C, X5, 5, 0x5A827999L);\n R1(C, D, A, B, X9, 9, 0x5A827999L);\n R1(B, C, D, A, X13, 13, 0x5A827999L);\n R1(A, B, C, D, X2, 3, 0x5A827999L);\n R1(D, A, B, C, X6, 5, 0x5A827999L);\n R1(C, D, A, B, X10, 9, 0x5A827999L);\n R1(B, C, D, A, X14, 13, 0x5A827999L);\n R1(A, B, C, D, X3, 3, 0x5A827999L);\n R1(D, A, B, C, X7, 5, 0x5A827999L);\n R1(C, D, A, B, X11, 9, 0x5A827999L);\n R1(B, C, D, A, X15, 13, 0x5A827999L);\n // Round 2\n R2(A, B, C, D, X0, 3, 0x6ED9EBA1L);\n R2(D, A, B, C, X8, 9, 0x6ED9EBA1L);\n R2(C, D, A, B, X4, 11, 0x6ED9EBA1L);\n R2(B, C, D, A, X12, 15, 0x6ED9EBA1L);\n R2(A, B, C, D, X2, 3, 0x6ED9EBA1L);\n R2(D, A, B, C, X10, 9, 0x6ED9EBA1L);\n R2(C, D, A, B, X6, 11, 0x6ED9EBA1L);\n R2(B, C, D, A, X14, 15, 0x6ED9EBA1L);\n R2(A, B, C, D, X1, 3, 0x6ED9EBA1L);\n R2(D, A, B, C, X9, 9, 0x6ED9EBA1L);\n R2(C, D, A, B, X5, 11, 0x6ED9EBA1L);\n R2(B, C, D, A, X13, 15, 0x6ED9EBA1L);\n R2(A, B, C, D, X3, 3, 0x6ED9EBA1L);\n R2(D, A, B, C, X11, 9, 0x6ED9EBA1L);\n R2(C, D, A, B, X7, 11, 0x6ED9EBA1L);\n R2(B, C, D, A, X15, 15, 0x6ED9EBA1L);\n\n A = state[0] += A;\n B = state[1] += B;\n C = state[2] += C;\n D = state[3] += D;\n }\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/md5/internal.h", "content": "/* Copyright 2018 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n#ifndef OPENSSL_HEADER_MD5_INTERNAL_H\n#define OPENSSL_HEADER_MD5_INTERNAL_H\n\n#include \n\n#if defined(__cplusplus)\nextern \"C\" {\n#endif\n\n\n#if !defined(OPENSSL_NO_ASM) && \\\n (defined(OPENSSL_X86_64) || defined(OPENSSL_X86))\n#define MD5_ASM\nextern void md5_block_asm_data_order(uint32_t *state, const uint8_t *data,\n size_t num);\n#endif\n\n\n#if defined(__cplusplus)\n} // extern \"C\"\n#endif\n\n#endif // OPENSSL_HEADER_MD5_INTERNAL_H\n" }, { "path": "Sources/CNIOBoringSSL/crypto/md5/md5.cc", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n\n#include \n\n#include \"../fipsmodule/digest/md32_common.h\"\n#include \"../internal.h\"\n#include \"internal.h\"\n\n\nuint8_t *MD5(const uint8_t *data, size_t len, uint8_t out[MD5_DIGEST_LENGTH]) {\n MD5_CTX ctx;\n MD5_Init(&ctx);\n MD5_Update(&ctx, data, len);\n MD5_Final(out, &ctx);\n\n return out;\n}\n\nint MD5_Init(MD5_CTX *md5) {\n OPENSSL_memset(md5, 0, sizeof(MD5_CTX));\n md5->h[0] = 0x67452301UL;\n md5->h[1] = 0xefcdab89UL;\n md5->h[2] = 0x98badcfeUL;\n md5->h[3] = 0x10325476UL;\n return 1;\n}\n\n#if defined(MD5_ASM)\n#define md5_block_data_order md5_block_asm_data_order\n#else\nstatic void md5_block_data_order(uint32_t *state, const uint8_t *data,\n size_t num);\n#endif\n\nvoid MD5_Transform(MD5_CTX *c, const uint8_t data[MD5_CBLOCK]) {\n md5_block_data_order(c->h, data, 1);\n}\n\nint MD5_Update(MD5_CTX *c, const void *data, size_t len) {\n crypto_md32_update(&md5_block_data_order, c->h, c->data, MD5_CBLOCK, &c->num,\n &c->Nh, &c->Nl, reinterpret_cast(data),\n len);\n return 1;\n}\n\nint MD5_Final(uint8_t out[MD5_DIGEST_LENGTH], MD5_CTX *c) {\n crypto_md32_final(&md5_block_data_order, c->h, c->data, MD5_CBLOCK, &c->num,\n c->Nh, c->Nl, /*is_big_endian=*/0);\n\n CRYPTO_store_u32_le(out, c->h[0]);\n CRYPTO_store_u32_le(out + 4, c->h[1]);\n CRYPTO_store_u32_le(out + 8, c->h[2]);\n CRYPTO_store_u32_le(out + 12, c->h[3]);\n return 1;\n}\n\n// As pointed out by Wei Dai , the above can be\n// simplified to the code below. Wei attributes these optimizations\n// to Peter Gutmann's SHS code, and he attributes it to Rich Schroeppel.\n#define F(b, c, d) ((((c) ^ (d)) & (b)) ^ (d))\n#define G(b, c, d) ((((b) ^ (c)) & (d)) ^ (c))\n#define H(b, c, d) ((b) ^ (c) ^ (d))\n#define I(b, c, d) (((~(d)) | (b)) ^ (c))\n\n#define R0(a, b, c, d, k, s, t) \\\n do { \\\n (a) += ((k) + (t) + F((b), (c), (d))); \\\n (a) = CRYPTO_rotl_u32(a, s); \\\n (a) += (b); \\\n } while (0)\n\n#define R1(a, b, c, d, k, s, t) \\\n do { \\\n (a) += ((k) + (t) + G((b), (c), (d))); \\\n (a) = CRYPTO_rotl_u32(a, s); \\\n (a) += (b); \\\n } while (0)\n\n#define R2(a, b, c, d, k, s, t) \\\n do { \\\n (a) += ((k) + (t) + H((b), (c), (d))); \\\n (a) = CRYPTO_rotl_u32(a, s); \\\n (a) += (b); \\\n } while (0)\n\n#define R3(a, b, c, d, k, s, t) \\\n do { \\\n (a) += ((k) + (t) + I((b), (c), (d))); \\\n (a) = CRYPTO_rotl_u32(a, s); \\\n (a) += (b); \\\n } while (0)\n\n#ifndef MD5_ASM\n#ifdef X\n#undef X\n#endif\nstatic void md5_block_data_order(uint32_t *state, const uint8_t *data,\n size_t num) {\n uint32_t A, B, C, D;\n uint32_t XX0, XX1, XX2, XX3, XX4, XX5, XX6, XX7, XX8, XX9, XX10, XX11, XX12,\n XX13, XX14, XX15;\n#define X(i) XX##i\n\n A = state[0];\n B = state[1];\n C = state[2];\n D = state[3];\n\n for (; num--;) {\n X(0) = CRYPTO_load_u32_le(data);\n data += 4;\n X(1) = CRYPTO_load_u32_le(data);\n data += 4;\n // Round 0\n R0(A, B, C, D, X(0), 7, 0xd76aa478L);\n X(2) = CRYPTO_load_u32_le(data);\n data += 4;\n R0(D, A, B, C, X(1), 12, 0xe8c7b756L);\n X(3) = CRYPTO_load_u32_le(data);\n data += 4;\n R0(C, D, A, B, X(2), 17, 0x242070dbL);\n X(4) = CRYPTO_load_u32_le(data);\n data += 4;\n R0(B, C, D, A, X(3), 22, 0xc1bdceeeL);\n X(5) = CRYPTO_load_u32_le(data);\n data += 4;\n R0(A, B, C, D, X(4), 7, 0xf57c0fafL);\n X(6) = CRYPTO_load_u32_le(data);\n data += 4;\n R0(D, A, B, C, X(5), 12, 0x4787c62aL);\n X(7) = CRYPTO_load_u32_le(data);\n data += 4;\n R0(C, D, A, B, X(6), 17, 0xa8304613L);\n X(8) = CRYPTO_load_u32_le(data);\n data += 4;\n R0(B, C, D, A, X(7), 22, 0xfd469501L);\n X(9) = CRYPTO_load_u32_le(data);\n data += 4;\n R0(A, B, C, D, X(8), 7, 0x698098d8L);\n X(10) = CRYPTO_load_u32_le(data);\n data += 4;\n R0(D, A, B, C, X(9), 12, 0x8b44f7afL);\n X(11) = CRYPTO_load_u32_le(data);\n data += 4;\n R0(C, D, A, B, X(10), 17, 0xffff5bb1L);\n X(12) = CRYPTO_load_u32_le(data);\n data += 4;\n R0(B, C, D, A, X(11), 22, 0x895cd7beL);\n X(13) = CRYPTO_load_u32_le(data);\n data += 4;\n R0(A, B, C, D, X(12), 7, 0x6b901122L);\n X(14) = CRYPTO_load_u32_le(data);\n data += 4;\n R0(D, A, B, C, X(13), 12, 0xfd987193L);\n X(15) = CRYPTO_load_u32_le(data);\n data += 4;\n R0(C, D, A, B, X(14), 17, 0xa679438eL);\n R0(B, C, D, A, X(15), 22, 0x49b40821L);\n // Round 1\n R1(A, B, C, D, X(1), 5, 0xf61e2562L);\n R1(D, A, B, C, X(6), 9, 0xc040b340L);\n R1(C, D, A, B, X(11), 14, 0x265e5a51L);\n R1(B, C, D, A, X(0), 20, 0xe9b6c7aaL);\n R1(A, B, C, D, X(5), 5, 0xd62f105dL);\n R1(D, A, B, C, X(10), 9, 0x02441453L);\n R1(C, D, A, B, X(15), 14, 0xd8a1e681L);\n R1(B, C, D, A, X(4), 20, 0xe7d3fbc8L);\n R1(A, B, C, D, X(9), 5, 0x21e1cde6L);\n R1(D, A, B, C, X(14), 9, 0xc33707d6L);\n R1(C, D, A, B, X(3), 14, 0xf4d50d87L);\n R1(B, C, D, A, X(8), 20, 0x455a14edL);\n R1(A, B, C, D, X(13), 5, 0xa9e3e905L);\n R1(D, A, B, C, X(2), 9, 0xfcefa3f8L);\n R1(C, D, A, B, X(7), 14, 0x676f02d9L);\n R1(B, C, D, A, X(12), 20, 0x8d2a4c8aL);\n // Round 2\n R2(A, B, C, D, X(5), 4, 0xfffa3942L);\n R2(D, A, B, C, X(8), 11, 0x8771f681L);\n R2(C, D, A, B, X(11), 16, 0x6d9d6122L);\n R2(B, C, D, A, X(14), 23, 0xfde5380cL);\n R2(A, B, C, D, X(1), 4, 0xa4beea44L);\n R2(D, A, B, C, X(4), 11, 0x4bdecfa9L);\n R2(C, D, A, B, X(7), 16, 0xf6bb4b60L);\n R2(B, C, D, A, X(10), 23, 0xbebfbc70L);\n R2(A, B, C, D, X(13), 4, 0x289b7ec6L);\n R2(D, A, B, C, X(0), 11, 0xeaa127faL);\n R2(C, D, A, B, X(3), 16, 0xd4ef3085L);\n R2(B, C, D, A, X(6), 23, 0x04881d05L);\n R2(A, B, C, D, X(9), 4, 0xd9d4d039L);\n R2(D, A, B, C, X(12), 11, 0xe6db99e5L);\n R2(C, D, A, B, X(15), 16, 0x1fa27cf8L);\n R2(B, C, D, A, X(2), 23, 0xc4ac5665L);\n // Round 3\n R3(A, B, C, D, X(0), 6, 0xf4292244L);\n R3(D, A, B, C, X(7), 10, 0x432aff97L);\n R3(C, D, A, B, X(14), 15, 0xab9423a7L);\n R3(B, C, D, A, X(5), 21, 0xfc93a039L);\n R3(A, B, C, D, X(12), 6, 0x655b59c3L);\n R3(D, A, B, C, X(3), 10, 0x8f0ccc92L);\n R3(C, D, A, B, X(10), 15, 0xffeff47dL);\n R3(B, C, D, A, X(1), 21, 0x85845dd1L);\n R3(A, B, C, D, X(8), 6, 0x6fa87e4fL);\n R3(D, A, B, C, X(15), 10, 0xfe2ce6e0L);\n R3(C, D, A, B, X(6), 15, 0xa3014314L);\n R3(B, C, D, A, X(13), 21, 0x4e0811a1L);\n R3(A, B, C, D, X(4), 6, 0xf7537e82L);\n R3(D, A, B, C, X(11), 10, 0xbd3af235L);\n R3(C, D, A, B, X(2), 15, 0x2ad7d2bbL);\n R3(B, C, D, A, X(9), 21, 0xeb86d391L);\n\n A = state[0] += A;\n B = state[1] += B;\n C = state[2] += C;\n D = state[3] += D;\n }\n}\n#undef X\n#endif\n\n#undef F\n#undef G\n#undef H\n#undef I\n#undef R0\n#undef R1\n#undef R2\n#undef R3\n" }, { "path": "Sources/CNIOBoringSSL/crypto/mem.cc", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n#include \n#include \n#include \n#include \n#include \n\n#include \n\n#if defined(OPENSSL_WINDOWS)\nOPENSSL_MSVC_PRAGMA(warning(push, 3))\n#include \nOPENSSL_MSVC_PRAGMA(warning(pop))\n#endif\n\n#if defined(BORINGSSL_MALLOC_FAILURE_TESTING)\n#include \n#include \n#include \n#endif\n\n#include \"internal.h\"\n\n\n#define OPENSSL_MALLOC_PREFIX 8\nstatic_assert(OPENSSL_MALLOC_PREFIX >= sizeof(size_t), \"size_t too large\");\n\n#if defined(OPENSSL_ASAN)\nextern \"C\" {\nvoid __asan_poison_memory_region(const volatile void *addr, size_t size);\nvoid __asan_unpoison_memory_region(const volatile void *addr, size_t size);\n}\n#else\nstatic void __asan_poison_memory_region(const void *addr, size_t size) {}\nstatic void __asan_unpoison_memory_region(const void *addr, size_t size) {}\n#endif\n\n// Windows doesn't really support weak symbols as of May 2019, and Clang on\n// Windows will emit strong symbols instead. See\n// https://bugs.llvm.org/show_bug.cgi?id=37598\n//\n// EDK2 targets UEFI but builds as ELF and then translates the binary to\n// COFF(!). Thus it builds with __ELF__ defined but cannot actually cope with\n// weak symbols.\n#if !defined(__EDK2_BORINGSSL__) && defined(__ELF__) && defined(__GNUC__)\n#define WEAK_SYMBOL_FUNC(rettype, name, args) \\\n extern \"C\" { \\\n rettype name args __attribute__((weak)); \\\n }\n#else\n#define WEAK_SYMBOL_FUNC(rettype, name, args) \\\n static rettype(*const name) args = NULL;\n#endif\n\n#if defined(BORINGSSL_DETECT_SDALLOCX)\n// sdallocx is a sized |free| function. By passing the size (which we happen to\n// always know in BoringSSL), the malloc implementation can save work. We cannot\n// depend on |sdallocx| being available, however, so it's a weak symbol.\n//\n// This mechanism is kept opt-in because it assumes that, when |sdallocx| is\n// defined, it is part of the same allocator as |malloc|. This is usually true\n// but may break if |malloc| does not implement |sdallocx|, but some other\n// allocator with |sdallocx| is imported which does.\nWEAK_SYMBOL_FUNC(void, sdallocx, (void *ptr, size_t size, int flags))\n#else\nstatic void (*const sdallocx)(void *ptr, size_t size, int flags) = NULL;\n#endif\n\n// The following three functions can be defined to override default heap\n// allocation and freeing. If defined, it is the responsibility of\n// |OPENSSL_memory_free| to zero out the memory before returning it to the\n// system. |OPENSSL_memory_free| will not be passed NULL pointers.\n//\n// WARNING: These functions are called on every allocation and free in\n// BoringSSL across the entire process. They may be called by any code in the\n// process which calls BoringSSL, including in process initializers and thread\n// destructors. When called, BoringSSL may hold pthreads locks. Any other code\n// in the process which, directly or indirectly, calls BoringSSL may be on the\n// call stack and may itself be using arbitrary synchronization primitives.\n//\n// As a result, these functions may not have the usual programming environment\n// available to most C or C++ code. In particular, they may not call into\n// BoringSSL, or any library which depends on BoringSSL. Any synchronization\n// primitives used must tolerate every other synchronization primitive linked\n// into the process, including pthreads locks. Failing to meet these constraints\n// may result in deadlocks, crashes, or memory corruption.\nWEAK_SYMBOL_FUNC(void *, OPENSSL_memory_alloc, (size_t size))\nWEAK_SYMBOL_FUNC(void, OPENSSL_memory_free, (void *ptr))\nWEAK_SYMBOL_FUNC(size_t, OPENSSL_memory_get_size, (void *ptr))\n\n#if defined(BORINGSSL_MALLOC_FAILURE_TESTING)\nstatic CRYPTO_MUTEX malloc_failure_lock = CRYPTO_MUTEX_INIT;\nstatic uint64_t current_malloc_count = 0;\nstatic uint64_t malloc_number_to_fail = 0;\nstatic int malloc_failure_enabled = 0, break_on_malloc_fail = 0,\n any_malloc_failed = 0, disable_malloc_failures = 0;\n\nstatic void malloc_exit_handler(void) {\n CRYPTO_MUTEX_lock_read(&malloc_failure_lock);\n if (any_malloc_failed) {\n // Signal to the test driver that some allocation failed, so it knows to\n // increment the counter and continue.\n _exit(88);\n }\n CRYPTO_MUTEX_unlock_read(&malloc_failure_lock);\n}\n\nstatic void init_malloc_failure(void) {\n const char *env = getenv(\"MALLOC_NUMBER_TO_FAIL\");\n if (env != NULL && env[0] != 0) {\n char *endptr;\n malloc_number_to_fail = strtoull(env, &endptr, 10);\n if (*endptr == 0) {\n malloc_failure_enabled = 1;\n atexit(malloc_exit_handler);\n }\n }\n break_on_malloc_fail = getenv(\"MALLOC_BREAK_ON_FAIL\") != NULL;\n}\n\n// should_fail_allocation returns one if the current allocation should fail and\n// zero otherwise.\nstatic int should_fail_allocation() {\n static CRYPTO_once_t once = CRYPTO_ONCE_INIT;\n CRYPTO_once(&once, init_malloc_failure);\n if (!malloc_failure_enabled || disable_malloc_failures) {\n return 0;\n }\n\n // We lock just so multi-threaded tests are still correct, but we won't test\n // every malloc exhaustively.\n CRYPTO_MUTEX_lock_write(&malloc_failure_lock);\n int should_fail = current_malloc_count == malloc_number_to_fail;\n current_malloc_count++;\n any_malloc_failed = any_malloc_failed || should_fail;\n CRYPTO_MUTEX_unlock_write(&malloc_failure_lock);\n\n if (should_fail && break_on_malloc_fail) {\n raise(SIGTRAP);\n }\n if (should_fail) {\n errno = ENOMEM;\n }\n return should_fail;\n}\n\nvoid OPENSSL_reset_malloc_counter_for_testing(void) {\n CRYPTO_MUTEX_lock_write(&malloc_failure_lock);\n current_malloc_count = 0;\n CRYPTO_MUTEX_unlock_write(&malloc_failure_lock);\n}\n\nvoid OPENSSL_disable_malloc_failures_for_testing(void) {\n CRYPTO_MUTEX_lock_write(&malloc_failure_lock);\n BSSL_CHECK(!disable_malloc_failures);\n disable_malloc_failures = 1;\n CRYPTO_MUTEX_unlock_write(&malloc_failure_lock);\n}\n\nvoid OPENSSL_enable_malloc_failures_for_testing(void) {\n CRYPTO_MUTEX_lock_write(&malloc_failure_lock);\n BSSL_CHECK(disable_malloc_failures);\n disable_malloc_failures = 0;\n CRYPTO_MUTEX_unlock_write(&malloc_failure_lock);\n}\n\n#else\nstatic int should_fail_allocation(void) { return 0; }\n#endif\n\nvoid *OPENSSL_malloc(size_t size) {\n void *ptr = nullptr;\n if (should_fail_allocation()) {\n goto err;\n }\n\n if (OPENSSL_memory_alloc != NULL) {\n assert(OPENSSL_memory_free != NULL);\n assert(OPENSSL_memory_get_size != NULL);\n void *ptr2 = OPENSSL_memory_alloc(size);\n if (ptr2 == NULL && size != 0) {\n goto err;\n }\n return ptr2;\n }\n\n if (size + OPENSSL_MALLOC_PREFIX < size) {\n goto err;\n }\n\n ptr = malloc(size + OPENSSL_MALLOC_PREFIX);\n if (ptr == NULL) {\n goto err;\n }\n\n *(size_t *)ptr = size;\n\n __asan_poison_memory_region(ptr, OPENSSL_MALLOC_PREFIX);\n return ((uint8_t *)ptr) + OPENSSL_MALLOC_PREFIX;\n\nerr:\n // This only works because ERR does not call OPENSSL_malloc.\n OPENSSL_PUT_ERROR(CRYPTO, ERR_R_MALLOC_FAILURE);\n return NULL;\n}\n\nvoid *OPENSSL_zalloc(size_t size) {\n void *ret = OPENSSL_malloc(size);\n if (ret != NULL) {\n OPENSSL_memset(ret, 0, size);\n }\n return ret;\n}\n\nvoid *OPENSSL_calloc(size_t num, size_t size) {\n if (size != 0 && num > SIZE_MAX / size) {\n OPENSSL_PUT_ERROR(CRYPTO, ERR_R_OVERFLOW);\n return NULL;\n }\n\n return OPENSSL_zalloc(num * size);\n}\n\nvoid OPENSSL_free(void *orig_ptr) {\n if (orig_ptr == NULL) {\n return;\n }\n\n if (OPENSSL_memory_free != NULL) {\n OPENSSL_memory_free(orig_ptr);\n return;\n }\n\n void *ptr = ((uint8_t *)orig_ptr) - OPENSSL_MALLOC_PREFIX;\n __asan_unpoison_memory_region(ptr, OPENSSL_MALLOC_PREFIX);\n\n size_t size = *(size_t *)ptr;\n OPENSSL_cleanse(ptr, size + OPENSSL_MALLOC_PREFIX);\n\n// ASan knows to intercept malloc and free, but not sdallocx.\n#if defined(OPENSSL_ASAN)\n (void)sdallocx;\n free(ptr);\n#else\n if (sdallocx) {\n sdallocx(ptr, size + OPENSSL_MALLOC_PREFIX, 0 /* flags */);\n } else {\n free(ptr);\n }\n#endif\n}\n\nvoid *OPENSSL_realloc(void *orig_ptr, size_t new_size) {\n if (orig_ptr == NULL) {\n return OPENSSL_malloc(new_size);\n }\n\n size_t old_size;\n if (OPENSSL_memory_get_size != NULL) {\n old_size = OPENSSL_memory_get_size(orig_ptr);\n } else {\n void *ptr = ((uint8_t *)orig_ptr) - OPENSSL_MALLOC_PREFIX;\n __asan_unpoison_memory_region(ptr, OPENSSL_MALLOC_PREFIX);\n old_size = *(size_t *)ptr;\n __asan_poison_memory_region(ptr, OPENSSL_MALLOC_PREFIX);\n }\n\n void *ret = OPENSSL_malloc(new_size);\n if (ret == NULL) {\n return NULL;\n }\n\n size_t to_copy = new_size;\n if (old_size < to_copy) {\n to_copy = old_size;\n }\n\n memcpy(ret, orig_ptr, to_copy);\n OPENSSL_free(orig_ptr);\n\n return ret;\n}\n\nvoid OPENSSL_cleanse(void *ptr, size_t len) {\n#if defined(OPENSSL_WINDOWS)\n SecureZeroMemory(ptr, len);\n#else\n OPENSSL_memset(ptr, 0, len);\n\n#if !defined(OPENSSL_NO_ASM)\n /* As best as we can tell, this is sufficient to break any optimisations that\n might try to eliminate \"superfluous\" memsets. If there's an easy way to\n detect memset_s, it would be better to use that. */\n __asm__ __volatile__(\"\" : : \"r\"(ptr) : \"memory\");\n#endif\n#endif // !OPENSSL_NO_ASM\n}\n\nvoid OPENSSL_clear_free(void *ptr, size_t unused) { OPENSSL_free(ptr); }\n\nint CRYPTO_secure_malloc_init(size_t size, size_t min_size) { return 0; }\n\nint CRYPTO_secure_malloc_initialized(void) { return 0; }\n\nsize_t CRYPTO_secure_used(void) { return 0; }\n\nvoid *OPENSSL_secure_malloc(size_t size) { return OPENSSL_malloc(size); }\n\nvoid OPENSSL_secure_clear_free(void *ptr, size_t len) {\n OPENSSL_clear_free(ptr, len);\n}\n\nint CRYPTO_memcmp(const void *in_a, const void *in_b, size_t len) {\n const uint8_t *a = reinterpret_cast(in_a);\n const uint8_t *b = reinterpret_cast(in_b);\n uint8_t x = 0;\n\n for (size_t i = 0; i < len; i++) {\n x |= a[i] ^ b[i];\n }\n\n return x;\n}\n\nuint32_t OPENSSL_hash32(const void *ptr, size_t len) {\n // These are the FNV-1a parameters for 32 bits.\n static const uint32_t kPrime = 16777619u;\n static const uint32_t kOffsetBasis = 2166136261u;\n\n const uint8_t *in = reinterpret_cast(ptr);\n uint32_t h = kOffsetBasis;\n\n for (size_t i = 0; i < len; i++) {\n h ^= in[i];\n h *= kPrime;\n }\n\n return h;\n}\n\nuint32_t OPENSSL_strhash(const char *s) { return OPENSSL_hash32(s, strlen(s)); }\n\nsize_t OPENSSL_strnlen(const char *s, size_t len) {\n for (size_t i = 0; i < len; i++) {\n if (s[i] == 0) {\n return i;\n }\n }\n\n return len;\n}\n\nchar *OPENSSL_strdup(const char *s) {\n if (s == NULL) {\n return NULL;\n }\n // Copy the NUL terminator.\n return reinterpret_cast(OPENSSL_memdup(s, strlen(s) + 1));\n}\n\nint OPENSSL_isalpha(int c) {\n return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z');\n}\n\nint OPENSSL_isdigit(int c) { return c >= '0' && c <= '9'; }\n\nint OPENSSL_isxdigit(int c) {\n return OPENSSL_isdigit(c) || (c >= 'a' && c <= 'f') || (c >= 'A' && c <= 'F');\n}\n\nint OPENSSL_fromxdigit(uint8_t *out, int c) {\n if (OPENSSL_isdigit(c)) {\n *out = c - '0';\n return 1;\n }\n if ('a' <= c && c <= 'f') {\n *out = c - 'a' + 10;\n return 1;\n }\n if ('A' <= c && c <= 'F') {\n *out = c - 'A' + 10;\n return 1;\n }\n return 0;\n}\n\nint OPENSSL_isalnum(int c) { return OPENSSL_isalpha(c) || OPENSSL_isdigit(c); }\n\nint OPENSSL_tolower(int c) {\n if (c >= 'A' && c <= 'Z') {\n return c + ('a' - 'A');\n }\n return c;\n}\n\nint OPENSSL_isspace(int c) {\n return c == '\\t' || c == '\\n' || c == '\\v' || c == '\\f' || c == '\\r' ||\n c == ' ';\n}\n\nint OPENSSL_strcasecmp(const char *a, const char *b) {\n for (size_t i = 0;; i++) {\n const int aa = OPENSSL_tolower(a[i]);\n const int bb = OPENSSL_tolower(b[i]);\n\n if (aa < bb) {\n return -1;\n } else if (aa > bb) {\n return 1;\n } else if (aa == 0) {\n return 0;\n }\n }\n}\n\nint OPENSSL_strncasecmp(const char *a, const char *b, size_t n) {\n for (size_t i = 0; i < n; i++) {\n const int aa = OPENSSL_tolower(a[i]);\n const int bb = OPENSSL_tolower(b[i]);\n\n if (aa < bb) {\n return -1;\n } else if (aa > bb) {\n return 1;\n } else if (aa == 0) {\n return 0;\n }\n }\n\n return 0;\n}\n\nint BIO_snprintf(char *buf, size_t n, const char *format, ...) {\n va_list args;\n va_start(args, format);\n int ret = BIO_vsnprintf(buf, n, format, args);\n va_end(args);\n return ret;\n}\n\nint BIO_vsnprintf(char *buf, size_t n, const char *format, va_list args) {\n return vsnprintf(buf, n, format, args);\n}\n\nint OPENSSL_vasprintf_internal(char **str, const char *format, va_list args,\n int system_malloc) {\n void *(*allocate)(size_t) = system_malloc ? malloc : OPENSSL_malloc;\n void (*deallocate)(void *) = system_malloc ? free : OPENSSL_free;\n void *(*reallocate)(void *, size_t) =\n system_malloc ? realloc : OPENSSL_realloc;\n char *candidate = NULL;\n size_t candidate_len = 64; // TODO(bbe) what's the best initial size?\n int ret;\n\n if ((candidate = reinterpret_cast(allocate(candidate_len))) == NULL) {\n goto err;\n }\n va_list args_copy;\n va_copy(args_copy, args);\n ret = vsnprintf(candidate, candidate_len, format, args_copy);\n va_end(args_copy);\n if (ret < 0) {\n goto err;\n }\n if ((size_t)ret >= candidate_len) {\n // Too big to fit in allocation.\n char *tmp;\n\n candidate_len = (size_t)ret + 1;\n if ((tmp = reinterpret_cast(\n reallocate(candidate, candidate_len))) == NULL) {\n goto err;\n }\n candidate = tmp;\n ret = vsnprintf(candidate, candidate_len, format, args);\n }\n // At this point this should not happen unless vsnprintf is insane.\n if (ret < 0 || (size_t)ret >= candidate_len) {\n goto err;\n }\n *str = candidate;\n return ret;\n\nerr:\n deallocate(candidate);\n *str = NULL;\n errno = ENOMEM;\n return -1;\n}\n\nint OPENSSL_vasprintf(char **str, const char *format, va_list args) {\n return OPENSSL_vasprintf_internal(str, format, args, /*system_malloc=*/0);\n}\n\nint OPENSSL_asprintf(char **str, const char *format, ...) {\n va_list args;\n va_start(args, format);\n int ret = OPENSSL_vasprintf(str, format, args);\n va_end(args);\n return ret;\n}\n\nchar *OPENSSL_strndup(const char *str, size_t size) {\n size = OPENSSL_strnlen(str, size);\n\n size_t alloc_size = size + 1;\n if (alloc_size < size) {\n // overflow\n OPENSSL_PUT_ERROR(CRYPTO, ERR_R_MALLOC_FAILURE);\n return NULL;\n }\n char *ret = reinterpret_cast(OPENSSL_malloc(alloc_size));\n if (ret == NULL) {\n return NULL;\n }\n\n OPENSSL_memcpy(ret, str, size);\n ret[size] = '\\0';\n return ret;\n}\n\nsize_t OPENSSL_strlcpy(char *dst, const char *src, size_t dst_size) {\n size_t l = 0;\n\n for (; dst_size > 1 && *src; dst_size--) {\n *dst++ = *src++;\n l++;\n }\n\n if (dst_size) {\n *dst = 0;\n }\n\n return l + strlen(src);\n}\n\nsize_t OPENSSL_strlcat(char *dst, const char *src, size_t dst_size) {\n size_t l = 0;\n for (; dst_size > 0 && *dst; dst_size--, dst++) {\n l++;\n }\n return l + OPENSSL_strlcpy(dst, src, dst_size);\n}\n\nvoid *OPENSSL_memdup(const void *data, size_t size) {\n if (size == 0) {\n return NULL;\n }\n\n void *ret = OPENSSL_malloc(size);\n if (ret == NULL) {\n return NULL;\n }\n\n OPENSSL_memcpy(ret, data, size);\n return ret;\n}\n\nvoid *CRYPTO_malloc(size_t size, const char *file, int line) {\n return OPENSSL_malloc(size);\n}\n\nvoid *CRYPTO_realloc(void *ptr, size_t new_size, const char *file, int line) {\n return OPENSSL_realloc(ptr, new_size);\n}\n\nvoid CRYPTO_free(void *ptr, const char *file, int line) { OPENSSL_free(ptr); }\n" }, { "path": "Sources/CNIOBoringSSL/crypto/mldsa/mldsa.cc", "content": "/* Copyright 2024 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n#include \n\n#include \"../fipsmodule/bcm_interface.h\"\n\nstatic_assert(sizeof(BCM_mldsa65_private_key) == sizeof(MLDSA65_private_key),\n \"\");\nstatic_assert(alignof(BCM_mldsa65_private_key) == alignof(MLDSA65_private_key),\n \"\");\nstatic_assert(sizeof(BCM_mldsa65_public_key) == sizeof(MLDSA65_public_key), \"\");\nstatic_assert(alignof(BCM_mldsa65_public_key) == alignof(MLDSA65_public_key),\n \"\");\nstatic_assert(MLDSA_SEED_BYTES == BCM_MLDSA_SEED_BYTES, \"\");\nstatic_assert(MLDSA65_PRIVATE_KEY_BYTES == BCM_MLDSA65_PRIVATE_KEY_BYTES, \"\");\nstatic_assert(MLDSA65_PUBLIC_KEY_BYTES == BCM_MLDSA65_PUBLIC_KEY_BYTES, \"\");\nstatic_assert(MLDSA65_SIGNATURE_BYTES == BCM_MLDSA65_SIGNATURE_BYTES, \"\");\n\nint MLDSA65_generate_key(\n uint8_t out_encoded_public_key[MLDSA65_PUBLIC_KEY_BYTES],\n uint8_t out_seed[MLDSA_SEED_BYTES],\n struct MLDSA65_private_key *out_private_key) {\n return bcm_success(BCM_mldsa65_generate_key(\n out_encoded_public_key, out_seed,\n reinterpret_cast(out_private_key)));\n}\n\nint MLDSA65_private_key_from_seed(struct MLDSA65_private_key *out_private_key,\n const uint8_t *seed, size_t seed_len) {\n if (seed_len != BCM_MLDSA_SEED_BYTES) {\n return 0;\n }\n return bcm_success(BCM_mldsa65_private_key_from_seed(\n reinterpret_cast(out_private_key), seed));\n}\n\nint MLDSA65_public_from_private(struct MLDSA65_public_key *out_public_key,\n const struct MLDSA65_private_key *private_key) {\n return bcm_success(BCM_mldsa65_public_from_private(\n reinterpret_cast(out_public_key),\n reinterpret_cast(private_key)));\n}\n\nint MLDSA65_sign(uint8_t out_encoded_signature[MLDSA65_SIGNATURE_BYTES],\n const struct MLDSA65_private_key *private_key,\n const uint8_t *msg, size_t msg_len, const uint8_t *context,\n size_t context_len) {\n if (context_len > 255) {\n return 0;\n }\n return bcm_success(BCM_mldsa65_sign(\n out_encoded_signature,\n reinterpret_cast(private_key), msg,\n msg_len, context, context_len));\n}\n\nint MLDSA65_verify(const struct MLDSA65_public_key *public_key,\n const uint8_t *signature, size_t signature_len,\n const uint8_t *msg, size_t msg_len, const uint8_t *context,\n size_t context_len) {\n if (context_len > 255 || signature_len != BCM_MLDSA65_SIGNATURE_BYTES) {\n return 0;\n }\n return bcm_success(BCM_mldsa65_verify(\n reinterpret_cast(public_key), signature,\n msg, msg_len, context, context_len));\n}\n\nint MLDSA65_marshal_public_key(CBB *out,\n const struct MLDSA65_public_key *public_key) {\n return bcm_success(BCM_mldsa65_marshal_public_key(\n out, reinterpret_cast(public_key)));\n}\n\nint MLDSA65_parse_public_key(struct MLDSA65_public_key *public_key, CBS *in) {\n return bcm_success(BCM_mldsa65_parse_public_key(\n reinterpret_cast(public_key), in));\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/mlkem/mlkem.cc", "content": "/* Copyright 2024 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n#include \n\n#include \"../fipsmodule/bcm_interface.h\"\n\n\nstatic_assert(sizeof(BCM_mlkem768_private_key) <= sizeof(MLKEM768_private_key),\n \"\");\nstatic_assert(alignof(BCM_mlkem768_private_key) <=\n alignof(MLKEM768_private_key),\n \"\");\nstatic_assert(sizeof(BCM_mlkem768_public_key) <= sizeof(MLKEM768_public_key),\n \"\");\nstatic_assert(alignof(BCM_mlkem768_public_key) <= alignof(MLKEM768_public_key),\n \"\");\nstatic_assert(MLKEM768_PUBLIC_KEY_BYTES == BCM_MLKEM768_PUBLIC_KEY_BYTES, \"\");\nstatic_assert(MLKEM_SEED_BYTES == BCM_MLKEM_SEED_BYTES, \"\");\nstatic_assert(MLKEM768_CIPHERTEXT_BYTES == BCM_MLKEM768_CIPHERTEXT_BYTES, \"\");\nstatic_assert(MLKEM_SHARED_SECRET_BYTES == BCM_MLKEM_SHARED_SECRET_BYTES, \"\");\nstatic_assert(MLKEM1024_PUBLIC_KEY_BYTES == BCM_MLKEM1024_PUBLIC_KEY_BYTES, \"\");\nstatic_assert(MLKEM1024_CIPHERTEXT_BYTES == BCM_MLKEM1024_CIPHERTEXT_BYTES, \"\");\n\nvoid MLKEM768_generate_key(\n uint8_t out_encoded_public_key[MLKEM768_PUBLIC_KEY_BYTES],\n uint8_t optional_out_seed[MLKEM_SEED_BYTES],\n struct MLKEM768_private_key *out_private_key) {\n BCM_mlkem768_generate_key(\n out_encoded_public_key, optional_out_seed,\n reinterpret_cast(out_private_key));\n}\n\nint MLKEM768_private_key_from_seed(struct MLKEM768_private_key *out_private_key,\n const uint8_t *seed, size_t seed_len) {\n return bcm_success(BCM_mlkem768_private_key_from_seed(\n reinterpret_cast(out_private_key), seed,\n seed_len));\n}\n\nvoid MLKEM768_public_from_private(\n struct MLKEM768_public_key *out_public_key,\n const struct MLKEM768_private_key *private_key) {\n (void)BCM_mlkem768_public_from_private(\n reinterpret_cast(out_public_key),\n reinterpret_cast(private_key));\n}\n\nvoid MLKEM768_encap(uint8_t out_ciphertext[MLKEM768_CIPHERTEXT_BYTES],\n uint8_t out_shared_secret[MLKEM_SHARED_SECRET_BYTES],\n const struct MLKEM768_public_key *public_key) {\n (void)BCM_mlkem768_encap(\n out_ciphertext, out_shared_secret,\n reinterpret_cast(public_key));\n}\n\nint MLKEM768_decap(uint8_t out_shared_secret[MLKEM_SHARED_SECRET_BYTES],\n const uint8_t *ciphertext, size_t ciphertext_len,\n const struct MLKEM768_private_key *private_key) {\n return bcm_success(BCM_mlkem768_decap(\n out_shared_secret, ciphertext, ciphertext_len,\n reinterpret_cast(private_key)));\n}\n\nint MLKEM768_marshal_public_key(CBB *out,\n const struct MLKEM768_public_key *public_key) {\n return bcm_success(BCM_mlkem768_marshal_public_key(\n out, reinterpret_cast(public_key)));\n}\n\nint MLKEM768_parse_public_key(struct MLKEM768_public_key *out_public_key,\n CBS *in) {\n return bcm_success(BCM_mlkem768_parse_public_key(\n reinterpret_cast(out_public_key), in));\n}\n\n\nstatic_assert(sizeof(BCM_mlkem1024_private_key) <=\n sizeof(MLKEM1024_private_key),\n \"\");\nstatic_assert(alignof(BCM_mlkem1024_private_key) <=\n alignof(MLKEM1024_private_key),\n \"\");\nstatic_assert(sizeof(BCM_mlkem1024_public_key) <= sizeof(MLKEM1024_public_key),\n \"\");\nstatic_assert(alignof(BCM_mlkem1024_public_key) <=\n alignof(MLKEM1024_public_key),\n \"\");\n\nvoid MLKEM1024_generate_key(\n uint8_t out_encoded_public_key[MLKEM1024_PUBLIC_KEY_BYTES],\n uint8_t optional_out_seed[MLKEM_SEED_BYTES],\n struct MLKEM1024_private_key *out_private_key) {\n (void)BCM_mlkem1024_generate_key(\n out_encoded_public_key, optional_out_seed,\n reinterpret_cast(out_private_key));\n}\n\nint MLKEM1024_private_key_from_seed(\n struct MLKEM1024_private_key *out_private_key, const uint8_t *seed,\n size_t seed_len) {\n return bcm_success(BCM_mlkem1024_private_key_from_seed(\n reinterpret_cast(out_private_key), seed,\n seed_len));\n}\n\nvoid MLKEM1024_public_from_private(\n struct MLKEM1024_public_key *out_public_key,\n const struct MLKEM1024_private_key *private_key) {\n (void)BCM_mlkem1024_public_from_private(\n reinterpret_cast(out_public_key),\n reinterpret_cast(private_key));\n}\n\nvoid MLKEM1024_encap(uint8_t out_ciphertext[MLKEM1024_CIPHERTEXT_BYTES],\n uint8_t out_shared_secret[MLKEM_SHARED_SECRET_BYTES],\n const struct MLKEM1024_public_key *public_key) {\n (void)BCM_mlkem1024_encap(\n out_ciphertext, out_shared_secret,\n reinterpret_cast(public_key));\n}\n\nint MLKEM1024_decap(uint8_t out_shared_secret[MLKEM_SHARED_SECRET_BYTES],\n const uint8_t *ciphertext, size_t ciphertext_len,\n const struct MLKEM1024_private_key *private_key) {\n return bcm_success(BCM_mlkem1024_decap(\n out_shared_secret, ciphertext, ciphertext_len,\n reinterpret_cast(private_key)));\n}\n\nint MLKEM1024_marshal_public_key(\n CBB *out, const struct MLKEM1024_public_key *public_key) {\n return bcm_success(BCM_mlkem1024_marshal_public_key(\n out, reinterpret_cast(public_key)));\n}\n\nint MLKEM1024_parse_public_key(struct MLKEM1024_public_key *out_public_key,\n CBS *in) {\n return bcm_success(BCM_mlkem1024_parse_public_key(\n reinterpret_cast(out_public_key), in));\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/obj/obj.cc", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n#include \n#include \n\n#include \n#include \n#include \n#include \n#include \n#include \n\n#include \"../asn1/internal.h\"\n#include \"../internal.h\"\n#include \"../lhash/internal.h\"\n\n// obj_data.h must be included after the definition of |ASN1_OBJECT|.\n#include \"obj_dat.h\"\n\n\nDEFINE_LHASH_OF(ASN1_OBJECT)\n\nstatic CRYPTO_MUTEX global_added_lock = CRYPTO_MUTEX_INIT;\n// These globals are protected by |global_added_lock|.\nstatic LHASH_OF(ASN1_OBJECT) *global_added_by_data = NULL;\nstatic LHASH_OF(ASN1_OBJECT) *global_added_by_nid = NULL;\nstatic LHASH_OF(ASN1_OBJECT) *global_added_by_short_name = NULL;\nstatic LHASH_OF(ASN1_OBJECT) *global_added_by_long_name = NULL;\n\nstatic CRYPTO_MUTEX global_next_nid_lock = CRYPTO_MUTEX_INIT;\nstatic unsigned global_next_nid = NUM_NID;\n\nstatic int obj_next_nid(void) {\n CRYPTO_MUTEX_lock_write(&global_next_nid_lock);\n int ret = global_next_nid++;\n CRYPTO_MUTEX_unlock_write(&global_next_nid_lock);\n return ret;\n}\n\nASN1_OBJECT *OBJ_dup(const ASN1_OBJECT *o) {\n ASN1_OBJECT *r;\n unsigned char *data = NULL;\n char *sn = NULL, *ln = NULL;\n\n if (o == NULL) {\n return NULL;\n }\n\n if (!(o->flags & ASN1_OBJECT_FLAG_DYNAMIC)) {\n // TODO(fork): this is a little dangerous.\n return (ASN1_OBJECT *)o;\n }\n\n r = ASN1_OBJECT_new();\n if (r == NULL) {\n OPENSSL_PUT_ERROR(OBJ, ERR_R_ASN1_LIB);\n return NULL;\n }\n r->ln = r->sn = NULL;\n\n // once data is attached to an object, it remains const\n r->data = reinterpret_cast(OPENSSL_memdup(o->data, o->length));\n if (o->length != 0 && r->data == NULL) {\n goto err;\n }\n\n r->length = o->length;\n r->nid = o->nid;\n\n if (o->ln != NULL) {\n ln = OPENSSL_strdup(o->ln);\n if (ln == NULL) {\n goto err;\n }\n }\n\n if (o->sn != NULL) {\n sn = OPENSSL_strdup(o->sn);\n if (sn == NULL) {\n goto err;\n }\n }\n\n r->sn = sn;\n r->ln = ln;\n\n r->flags =\n o->flags | (ASN1_OBJECT_FLAG_DYNAMIC | ASN1_OBJECT_FLAG_DYNAMIC_STRINGS |\n ASN1_OBJECT_FLAG_DYNAMIC_DATA);\n return r;\n\nerr:\n OPENSSL_free(ln);\n OPENSSL_free(sn);\n OPENSSL_free(data);\n OPENSSL_free(r);\n return NULL;\n}\n\nint OBJ_cmp(const ASN1_OBJECT *a, const ASN1_OBJECT *b) {\n if (a->length < b->length) {\n return -1;\n } else if (a->length > b->length) {\n return 1;\n }\n return OPENSSL_memcmp(a->data, b->data, a->length);\n}\n\nconst uint8_t *OBJ_get0_data(const ASN1_OBJECT *obj) {\n if (obj == NULL) {\n return NULL;\n }\n\n return obj->data;\n}\n\nsize_t OBJ_length(const ASN1_OBJECT *obj) {\n if (obj == NULL || obj->length < 0) {\n return 0;\n }\n\n return (size_t)obj->length;\n}\n\nstatic const ASN1_OBJECT *get_builtin_object(int nid) {\n // |NID_undef| is stored separately, so all the indices are off by one. The\n // caller of this function must have a valid built-in, non-undef NID.\n BSSL_CHECK(nid > 0 && nid < NUM_NID);\n return &kObjects[nid - 1];\n}\n\n// obj_cmp is called to search the kNIDsInOIDOrder array. The |key| argument is\n// an |ASN1_OBJECT|* that we're looking for and |element| is a pointer to an\n// unsigned int in the array.\nstatic int obj_cmp(const void *key, const void *element) {\n uint16_t nid = *((const uint16_t *)element);\n return OBJ_cmp(reinterpret_cast(key),\n get_builtin_object(nid));\n}\n\nint OBJ_obj2nid(const ASN1_OBJECT *obj) {\n if (obj == NULL) {\n return NID_undef;\n }\n\n if (obj->nid != 0) {\n return obj->nid;\n }\n\n CRYPTO_MUTEX_lock_read(&global_added_lock);\n if (global_added_by_data != NULL) {\n ASN1_OBJECT *match;\n\n match = lh_ASN1_OBJECT_retrieve(global_added_by_data, obj);\n if (match != NULL) {\n CRYPTO_MUTEX_unlock_read(&global_added_lock);\n return match->nid;\n }\n }\n CRYPTO_MUTEX_unlock_read(&global_added_lock);\n\n const uint16_t *nid_ptr = reinterpret_cast(\n bsearch(obj, kNIDsInOIDOrder, OPENSSL_ARRAY_SIZE(kNIDsInOIDOrder),\n sizeof(kNIDsInOIDOrder[0]), obj_cmp));\n if (nid_ptr == NULL) {\n return NID_undef;\n }\n\n return get_builtin_object(*nid_ptr)->nid;\n}\n\nint OBJ_cbs2nid(const CBS *cbs) {\n if (CBS_len(cbs) > INT_MAX) {\n return NID_undef;\n }\n\n ASN1_OBJECT obj;\n OPENSSL_memset(&obj, 0, sizeof(obj));\n obj.data = CBS_data(cbs);\n obj.length = (int)CBS_len(cbs);\n\n return OBJ_obj2nid(&obj);\n}\n\n// short_name_cmp is called to search the kNIDsInShortNameOrder array. The\n// |key| argument is name that we're looking for and |element| is a pointer to\n// an unsigned int in the array.\nstatic int short_name_cmp(const void *key, const void *element) {\n const char *name = (const char *)key;\n uint16_t nid = *((const uint16_t *)element);\n\n return strcmp(name, get_builtin_object(nid)->sn);\n}\n\nint OBJ_sn2nid(const char *short_name) {\n CRYPTO_MUTEX_lock_read(&global_added_lock);\n if (global_added_by_short_name != NULL) {\n ASN1_OBJECT *match, templ;\n\n templ.sn = short_name;\n match = lh_ASN1_OBJECT_retrieve(global_added_by_short_name, &templ);\n if (match != NULL) {\n CRYPTO_MUTEX_unlock_read(&global_added_lock);\n return match->nid;\n }\n }\n CRYPTO_MUTEX_unlock_read(&global_added_lock);\n\n const uint16_t *nid_ptr = reinterpret_cast(\n bsearch(short_name, kNIDsInShortNameOrder,\n OPENSSL_ARRAY_SIZE(kNIDsInShortNameOrder),\n sizeof(kNIDsInShortNameOrder[0]), short_name_cmp));\n if (nid_ptr == NULL) {\n return NID_undef;\n }\n\n return get_builtin_object(*nid_ptr)->nid;\n}\n\n// long_name_cmp is called to search the kNIDsInLongNameOrder array. The\n// |key| argument is name that we're looking for and |element| is a pointer to\n// an unsigned int in the array.\nstatic int long_name_cmp(const void *key, const void *element) {\n const char *name = (const char *)key;\n uint16_t nid = *((const uint16_t *)element);\n\n return strcmp(name, get_builtin_object(nid)->ln);\n}\n\nint OBJ_ln2nid(const char *long_name) {\n CRYPTO_MUTEX_lock_read(&global_added_lock);\n if (global_added_by_long_name != NULL) {\n ASN1_OBJECT *match, templ;\n\n templ.ln = long_name;\n match = lh_ASN1_OBJECT_retrieve(global_added_by_long_name, &templ);\n if (match != NULL) {\n CRYPTO_MUTEX_unlock_read(&global_added_lock);\n return match->nid;\n }\n }\n CRYPTO_MUTEX_unlock_read(&global_added_lock);\n\n const uint16_t *nid_ptr = reinterpret_cast(bsearch(\n long_name, kNIDsInLongNameOrder, OPENSSL_ARRAY_SIZE(kNIDsInLongNameOrder),\n sizeof(kNIDsInLongNameOrder[0]), long_name_cmp));\n if (nid_ptr == NULL) {\n return NID_undef;\n }\n\n return get_builtin_object(*nid_ptr)->nid;\n}\n\nint OBJ_txt2nid(const char *s) {\n ASN1_OBJECT *obj;\n int nid;\n\n obj = OBJ_txt2obj(s, 0 /* search names */);\n nid = OBJ_obj2nid(obj);\n ASN1_OBJECT_free(obj);\n return nid;\n}\n\nOPENSSL_EXPORT int OBJ_nid2cbb(CBB *out, int nid) {\n const ASN1_OBJECT *obj = OBJ_nid2obj(nid);\n CBB oid;\n\n if (obj == NULL || !CBB_add_asn1(out, &oid, CBS_ASN1_OBJECT) ||\n !CBB_add_bytes(&oid, obj->data, obj->length) || !CBB_flush(out)) {\n return 0;\n }\n\n return 1;\n}\n\nconst ASN1_OBJECT *OBJ_get_undef(void) {\n static const ASN1_OBJECT kUndef = {\n /*sn=*/SN_undef,\n /*ln=*/LN_undef,\n /*nid=*/NID_undef,\n /*length=*/0,\n /*data=*/NULL,\n /*flags=*/0,\n };\n return &kUndef;\n}\n\nASN1_OBJECT *OBJ_nid2obj(int nid) {\n if (nid == NID_undef) {\n return (ASN1_OBJECT *)OBJ_get_undef();\n }\n\n if (nid > 0 && nid < NUM_NID) {\n const ASN1_OBJECT *obj = get_builtin_object(nid);\n if (nid != NID_undef && obj->nid == NID_undef) {\n goto err;\n }\n return (ASN1_OBJECT *)obj;\n }\n\n CRYPTO_MUTEX_lock_read(&global_added_lock);\n if (global_added_by_nid != NULL) {\n ASN1_OBJECT *match, templ;\n\n templ.nid = nid;\n match = lh_ASN1_OBJECT_retrieve(global_added_by_nid, &templ);\n if (match != NULL) {\n CRYPTO_MUTEX_unlock_read(&global_added_lock);\n return match;\n }\n }\n CRYPTO_MUTEX_unlock_read(&global_added_lock);\n\nerr:\n OPENSSL_PUT_ERROR(OBJ, OBJ_R_UNKNOWN_NID);\n return NULL;\n}\n\nconst char *OBJ_nid2sn(int nid) {\n const ASN1_OBJECT *obj = OBJ_nid2obj(nid);\n if (obj == NULL) {\n return NULL;\n }\n\n return obj->sn;\n}\n\nconst char *OBJ_nid2ln(int nid) {\n const ASN1_OBJECT *obj = OBJ_nid2obj(nid);\n if (obj == NULL) {\n return NULL;\n }\n\n return obj->ln;\n}\n\nstatic ASN1_OBJECT *create_object_with_text_oid(int (*get_nid)(void),\n const char *oid,\n const char *short_name,\n const char *long_name) {\n uint8_t *buf;\n size_t len;\n CBB cbb;\n if (!CBB_init(&cbb, 32) ||\n !CBB_add_asn1_oid_from_text(&cbb, oid, strlen(oid)) ||\n !CBB_finish(&cbb, &buf, &len)) {\n OPENSSL_PUT_ERROR(OBJ, OBJ_R_INVALID_OID_STRING);\n CBB_cleanup(&cbb);\n return NULL;\n }\n\n ASN1_OBJECT *ret = ASN1_OBJECT_create(get_nid ? get_nid() : NID_undef, buf,\n len, short_name, long_name);\n OPENSSL_free(buf);\n return ret;\n}\n\nASN1_OBJECT *OBJ_txt2obj(const char *s, int dont_search_names) {\n if (!dont_search_names) {\n int nid = OBJ_sn2nid(s);\n if (nid == NID_undef) {\n nid = OBJ_ln2nid(s);\n }\n\n if (nid != NID_undef) {\n return OBJ_nid2obj(nid);\n }\n }\n\n return create_object_with_text_oid(NULL, s, NULL, NULL);\n}\n\nstatic int strlcpy_int(char *dst, const char *src, int dst_size) {\n size_t ret = OPENSSL_strlcpy(dst, src, dst_size < 0 ? 0 : (size_t)dst_size);\n if (ret > INT_MAX) {\n OPENSSL_PUT_ERROR(OBJ, ERR_R_OVERFLOW);\n return -1;\n }\n return (int)ret;\n}\n\nint OBJ_obj2txt(char *out, int out_len, const ASN1_OBJECT *obj,\n int always_return_oid) {\n // Python depends on the empty OID successfully encoding as the empty\n // string.\n if (obj == NULL || obj->length == 0) {\n return strlcpy_int(out, \"\", out_len);\n }\n\n if (!always_return_oid) {\n int nid = OBJ_obj2nid(obj);\n if (nid != NID_undef) {\n const char *name = OBJ_nid2ln(nid);\n if (name == NULL) {\n name = OBJ_nid2sn(nid);\n }\n if (name != NULL) {\n return strlcpy_int(out, name, out_len);\n }\n }\n }\n\n CBS cbs;\n CBS_init(&cbs, obj->data, obj->length);\n char *txt = CBS_asn1_oid_to_text(&cbs);\n if (txt == NULL) {\n if (out_len > 0) {\n out[0] = '\\0';\n }\n return -1;\n }\n\n int ret = strlcpy_int(out, txt, out_len);\n OPENSSL_free(txt);\n return ret;\n}\n\nstatic uint32_t hash_nid(const ASN1_OBJECT *obj) { return obj->nid; }\n\nstatic int cmp_nid(const ASN1_OBJECT *a, const ASN1_OBJECT *b) {\n return a->nid - b->nid;\n}\n\nstatic uint32_t hash_data(const ASN1_OBJECT *obj) {\n return OPENSSL_hash32(obj->data, obj->length);\n}\n\nstatic uint32_t hash_short_name(const ASN1_OBJECT *obj) {\n return OPENSSL_strhash(obj->sn);\n}\n\nstatic int cmp_short_name(const ASN1_OBJECT *a, const ASN1_OBJECT *b) {\n return strcmp(a->sn, b->sn);\n}\n\nstatic uint32_t hash_long_name(const ASN1_OBJECT *obj) {\n return OPENSSL_strhash(obj->ln);\n}\n\nstatic int cmp_long_name(const ASN1_OBJECT *a, const ASN1_OBJECT *b) {\n return strcmp(a->ln, b->ln);\n}\n\n// obj_add_object inserts |obj| into the various global hashes for run-time\n// added objects. It returns one on success or zero otherwise.\nstatic int obj_add_object(ASN1_OBJECT *obj) {\n obj->flags &= ~(ASN1_OBJECT_FLAG_DYNAMIC | ASN1_OBJECT_FLAG_DYNAMIC_STRINGS |\n ASN1_OBJECT_FLAG_DYNAMIC_DATA);\n\n CRYPTO_MUTEX_lock_write(&global_added_lock);\n if (global_added_by_nid == NULL) {\n global_added_by_nid = lh_ASN1_OBJECT_new(hash_nid, cmp_nid);\n }\n if (global_added_by_data == NULL) {\n global_added_by_data = lh_ASN1_OBJECT_new(hash_data, OBJ_cmp);\n }\n if (global_added_by_short_name == NULL) {\n global_added_by_short_name =\n lh_ASN1_OBJECT_new(hash_short_name, cmp_short_name);\n }\n if (global_added_by_long_name == NULL) {\n global_added_by_long_name =\n lh_ASN1_OBJECT_new(hash_long_name, cmp_long_name);\n }\n\n int ok = 0;\n if (global_added_by_nid == NULL || //\n global_added_by_data == NULL || //\n global_added_by_short_name == NULL || //\n global_added_by_long_name == NULL) {\n goto err;\n }\n\n // We don't pay attention to |old_object| (which contains any previous object\n // that was evicted from the hashes) because we don't have a reference count\n // on ASN1_OBJECT values. Also, we should never have duplicates nids and so\n // should always have objects in |global_added_by_nid|.\n ASN1_OBJECT *old_object;\n ok = lh_ASN1_OBJECT_insert(global_added_by_nid, &old_object, obj);\n if (obj->length != 0 && obj->data != NULL) {\n ok &= lh_ASN1_OBJECT_insert(global_added_by_data, &old_object, obj);\n }\n if (obj->sn != NULL) {\n ok &= lh_ASN1_OBJECT_insert(global_added_by_short_name, &old_object, obj);\n }\n if (obj->ln != NULL) {\n ok &= lh_ASN1_OBJECT_insert(global_added_by_long_name, &old_object, obj);\n }\n\nerr:\n CRYPTO_MUTEX_unlock_write(&global_added_lock);\n return ok;\n}\n\nint OBJ_create(const char *oid, const char *short_name, const char *long_name) {\n ASN1_OBJECT *op =\n create_object_with_text_oid(obj_next_nid, oid, short_name, long_name);\n if (op == NULL || !obj_add_object(op)) {\n return NID_undef;\n }\n return op->nid;\n}\n\nvoid OBJ_cleanup(void) {}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/obj/obj_dat.h", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n/* This file is generated by crypto/obj/objects.go. */\n\n\n#define NUM_NID 966\n\nstatic const uint8_t kObjectData[] = {\n /* NID_rsadsi */\n 0x2a,\n 0x86,\n 0x48,\n 0x86,\n 0xf7,\n 0x0d,\n /* NID_pkcs */\n 0x2a,\n 0x86,\n 0x48,\n 0x86,\n 0xf7,\n 0x0d,\n 0x01,\n /* NID_md2 */\n 0x2a,\n 0x86,\n 0x48,\n 0x86,\n 0xf7,\n 0x0d,\n 0x02,\n 0x02,\n /* NID_md5 */\n 0x2a,\n 0x86,\n 0x48,\n 0x86,\n 0xf7,\n 0x0d,\n 0x02,\n 0x05,\n /* NID_rc4 */\n 0x2a,\n 0x86,\n 0x48,\n 0x86,\n 0xf7,\n 0x0d,\n 0x03,\n 0x04,\n /* NID_rsaEncryption */\n 0x2a,\n 0x86,\n 0x48,\n 0x86,\n 0xf7,\n 0x0d,\n 0x01,\n 0x01,\n 0x01,\n /* NID_md2WithRSAEncryption */\n 0x2a,\n 0x86,\n 0x48,\n 0x86,\n 0xf7,\n 0x0d,\n 0x01,\n 0x01,\n 0x02,\n /* NID_md5WithRSAEncryption */\n 0x2a,\n 0x86,\n 0x48,\n 0x86,\n 0xf7,\n 0x0d,\n 0x01,\n 0x01,\n 0x04,\n /* NID_pbeWithMD2AndDES_CBC */\n 0x2a,\n 0x86,\n 0x48,\n 0x86,\n 0xf7,\n 0x0d,\n 0x01,\n 0x05,\n 0x01,\n /* NID_pbeWithMD5AndDES_CBC */\n 0x2a,\n 0x86,\n 0x48,\n 0x86,\n 0xf7,\n 0x0d,\n 0x01,\n 0x05,\n 0x03,\n /* NID_X500 */\n 0x55,\n /* NID_X509 */\n 0x55,\n 0x04,\n /* NID_commonName */\n 0x55,\n 0x04,\n 0x03,\n /* NID_countryName */\n 0x55,\n 0x04,\n 0x06,\n /* NID_localityName */\n 0x55,\n 0x04,\n 0x07,\n /* NID_stateOrProvinceName */\n 0x55,\n 0x04,\n 0x08,\n /* NID_organizationName */\n 0x55,\n 0x04,\n 0x0a,\n /* NID_organizationalUnitName */\n 0x55,\n 0x04,\n 0x0b,\n /* NID_rsa */\n 0x55,\n 0x08,\n 0x01,\n 0x01,\n /* NID_pkcs7 */\n 0x2a,\n 0x86,\n 0x48,\n 0x86,\n 0xf7,\n 0x0d,\n 0x01,\n 0x07,\n /* NID_pkcs7_data */\n 0x2a,\n 0x86,\n 0x48,\n 0x86,\n 0xf7,\n 0x0d,\n 0x01,\n 0x07,\n 0x01,\n /* NID_pkcs7_signed */\n 0x2a,\n 0x86,\n 0x48,\n 0x86,\n 0xf7,\n 0x0d,\n 0x01,\n 0x07,\n 0x02,\n /* NID_pkcs7_enveloped */\n 0x2a,\n 0x86,\n 0x48,\n 0x86,\n 0xf7,\n 0x0d,\n 0x01,\n 0x07,\n 0x03,\n /* NID_pkcs7_signedAndEnveloped */\n 0x2a,\n 0x86,\n 0x48,\n 0x86,\n 0xf7,\n 0x0d,\n 0x01,\n 0x07,\n 0x04,\n /* NID_pkcs7_digest */\n 0x2a,\n 0x86,\n 0x48,\n 0x86,\n 0xf7,\n 0x0d,\n 0x01,\n 0x07,\n 0x05,\n /* NID_pkcs7_encrypted */\n 0x2a,\n 0x86,\n 0x48,\n 0x86,\n 0xf7,\n 0x0d,\n 0x01,\n 0x07,\n 0x06,\n /* NID_pkcs3 */\n 0x2a,\n 0x86,\n 0x48,\n 0x86,\n 0xf7,\n 0x0d,\n 0x01,\n 0x03,\n /* NID_dhKeyAgreement */\n 0x2a,\n 0x86,\n 0x48,\n 0x86,\n 0xf7,\n 0x0d,\n 0x01,\n 0x03,\n 0x01,\n /* NID_des_ecb */\n 0x2b,\n 0x0e,\n 0x03,\n 0x02,\n 0x06,\n /* NID_des_cfb64 */\n 0x2b,\n 0x0e,\n 0x03,\n 0x02,\n 0x09,\n /* NID_des_cbc */\n 0x2b,\n 0x0e,\n 0x03,\n 0x02,\n 0x07,\n /* NID_des_ede_ecb */\n 0x2b,\n 0x0e,\n 0x03,\n 0x02,\n 0x11,\n /* NID_idea_cbc */\n 0x2b,\n 0x06,\n 0x01,\n 0x04,\n 0x01,\n 0x81,\n 0x3c,\n 0x07,\n 0x01,\n 0x01,\n 0x02,\n /* NID_rc2_cbc */\n 0x2a,\n 0x86,\n 0x48,\n 0x86,\n 0xf7,\n 0x0d,\n 0x03,\n 0x02,\n /* NID_sha */\n 0x2b,\n 0x0e,\n 0x03,\n 0x02,\n 0x12,\n /* NID_shaWithRSAEncryption */\n 0x2b,\n 0x0e,\n 0x03,\n 0x02,\n 0x0f,\n /* NID_des_ede3_cbc */\n 0x2a,\n 0x86,\n 0x48,\n 0x86,\n 0xf7,\n 0x0d,\n 0x03,\n 0x07,\n /* NID_des_ofb64 */\n 0x2b,\n 0x0e,\n 0x03,\n 0x02,\n 0x08,\n /* NID_pkcs9 */\n 0x2a,\n 0x86,\n 0x48,\n 0x86,\n 0xf7,\n 0x0d,\n 0x01,\n 0x09,\n /* NID_pkcs9_emailAddress */\n 0x2a,\n 0x86,\n 0x48,\n 0x86,\n 0xf7,\n 0x0d,\n 0x01,\n 0x09,\n 0x01,\n /* NID_pkcs9_unstructuredName */\n 0x2a,\n 0x86,\n 0x48,\n 0x86,\n 0xf7,\n 0x0d,\n 0x01,\n 0x09,\n 0x02,\n /* NID_pkcs9_contentType */\n 0x2a,\n 0x86,\n 0x48,\n 0x86,\n 0xf7,\n 0x0d,\n 0x01,\n 0x09,\n 0x03,\n /* NID_pkcs9_messageDigest */\n 0x2a,\n 0x86,\n 0x48,\n 0x86,\n 0xf7,\n 0x0d,\n 0x01,\n 0x09,\n 0x04,\n /* NID_pkcs9_signingTime */\n 0x2a,\n 0x86,\n 0x48,\n 0x86,\n 0xf7,\n 0x0d,\n 0x01,\n 0x09,\n 0x05,\n /* NID_pkcs9_countersignature */\n 0x2a,\n 0x86,\n 0x48,\n 0x86,\n 0xf7,\n 0x0d,\n 0x01,\n 0x09,\n 0x06,\n /* NID_pkcs9_challengePassword */\n 0x2a,\n 0x86,\n 0x48,\n 0x86,\n 0xf7,\n 0x0d,\n 0x01,\n 0x09,\n 0x07,\n /* NID_pkcs9_unstructuredAddress */\n 0x2a,\n 0x86,\n 0x48,\n 0x86,\n 0xf7,\n 0x0d,\n 0x01,\n 0x09,\n 0x08,\n /* NID_pkcs9_extCertAttributes */\n 0x2a,\n 0x86,\n 0x48,\n 0x86,\n 0xf7,\n 0x0d,\n 0x01,\n 0x09,\n 0x09,\n /* NID_netscape */\n 0x60,\n 0x86,\n 0x48,\n 0x01,\n 0x86,\n 0xf8,\n 0x42,\n /* NID_netscape_cert_extension */\n 0x60,\n 0x86,\n 0x48,\n 0x01,\n 0x86,\n 0xf8,\n 0x42,\n 0x01,\n /* NID_netscape_data_type */\n 0x60,\n 0x86,\n 0x48,\n 0x01,\n 0x86,\n 0xf8,\n 0x42,\n 0x02,\n /* NID_sha1 */\n 0x2b,\n 0x0e,\n 0x03,\n 0x02,\n 0x1a,\n /* NID_sha1WithRSAEncryption */\n 0x2a,\n 0x86,\n 0x48,\n 0x86,\n 0xf7,\n 0x0d,\n 0x01,\n 0x01,\n 0x05,\n /* NID_dsaWithSHA */\n 0x2b,\n 0x0e,\n 0x03,\n 0x02,\n 0x0d,\n /* NID_dsa_2 */\n 0x2b,\n 0x0e,\n 0x03,\n 0x02,\n 0x0c,\n /* NID_pbeWithSHA1AndRC2_CBC */\n 0x2a,\n 0x86,\n 0x48,\n 0x86,\n 0xf7,\n 0x0d,\n 0x01,\n 0x05,\n 0x0b,\n /* NID_id_pbkdf2 */\n 0x2a,\n 0x86,\n 0x48,\n 0x86,\n 0xf7,\n 0x0d,\n 0x01,\n 0x05,\n 0x0c,\n /* NID_dsaWithSHA1_2 */\n 0x2b,\n 0x0e,\n 0x03,\n 0x02,\n 0x1b,\n /* NID_netscape_cert_type */\n 0x60,\n 0x86,\n 0x48,\n 0x01,\n 0x86,\n 0xf8,\n 0x42,\n 0x01,\n 0x01,\n /* NID_netscape_base_url */\n 0x60,\n 0x86,\n 0x48,\n 0x01,\n 0x86,\n 0xf8,\n 0x42,\n 0x01,\n 0x02,\n /* NID_netscape_revocation_url */\n 0x60,\n 0x86,\n 0x48,\n 0x01,\n 0x86,\n 0xf8,\n 0x42,\n 0x01,\n 0x03,\n /* NID_netscape_ca_revocation_url */\n 0x60,\n 0x86,\n 0x48,\n 0x01,\n 0x86,\n 0xf8,\n 0x42,\n 0x01,\n 0x04,\n /* NID_netscape_renewal_url */\n 0x60,\n 0x86,\n 0x48,\n 0x01,\n 0x86,\n 0xf8,\n 0x42,\n 0x01,\n 0x07,\n /* NID_netscape_ca_policy_url */\n 0x60,\n 0x86,\n 0x48,\n 0x01,\n 0x86,\n 0xf8,\n 0x42,\n 0x01,\n 0x08,\n /* NID_netscape_ssl_server_name */\n 0x60,\n 0x86,\n 0x48,\n 0x01,\n 0x86,\n 0xf8,\n 0x42,\n 0x01,\n 0x0c,\n /* NID_netscape_comment */\n 0x60,\n 0x86,\n 0x48,\n 0x01,\n 0x86,\n 0xf8,\n 0x42,\n 0x01,\n 0x0d,\n /* NID_netscape_cert_sequence */\n 0x60,\n 0x86,\n 0x48,\n 0x01,\n 0x86,\n 0xf8,\n 0x42,\n 0x02,\n 0x05,\n /* NID_id_ce */\n 0x55,\n 0x1d,\n /* NID_subject_key_identifier */\n 0x55,\n 0x1d,\n 0x0e,\n /* NID_key_usage */\n 0x55,\n 0x1d,\n 0x0f,\n /* NID_private_key_usage_period */\n 0x55,\n 0x1d,\n 0x10,\n /* NID_subject_alt_name */\n 0x55,\n 0x1d,\n 0x11,\n /* NID_issuer_alt_name */\n 0x55,\n 0x1d,\n 0x12,\n /* NID_basic_constraints */\n 0x55,\n 0x1d,\n 0x13,\n /* NID_crl_number */\n 0x55,\n 0x1d,\n 0x14,\n /* NID_certificate_policies */\n 0x55,\n 0x1d,\n 0x20,\n /* NID_authority_key_identifier */\n 0x55,\n 0x1d,\n 0x23,\n /* NID_bf_cbc */\n 0x2b,\n 0x06,\n 0x01,\n 0x04,\n 0x01,\n 0x97,\n 0x55,\n 0x01,\n 0x02,\n /* NID_mdc2 */\n 0x55,\n 0x08,\n 0x03,\n 0x65,\n /* NID_mdc2WithRSA */\n 0x55,\n 0x08,\n 0x03,\n 0x64,\n /* NID_givenName */\n 0x55,\n 0x04,\n 0x2a,\n /* NID_surname */\n 0x55,\n 0x04,\n 0x04,\n /* NID_initials */\n 0x55,\n 0x04,\n 0x2b,\n /* NID_crl_distribution_points */\n 0x55,\n 0x1d,\n 0x1f,\n /* NID_md5WithRSA */\n 0x2b,\n 0x0e,\n 0x03,\n 0x02,\n 0x03,\n /* NID_serialNumber */\n 0x55,\n 0x04,\n 0x05,\n /* NID_title */\n 0x55,\n 0x04,\n 0x0c,\n /* NID_description */\n 0x55,\n 0x04,\n 0x0d,\n /* NID_cast5_cbc */\n 0x2a,\n 0x86,\n 0x48,\n 0x86,\n 0xf6,\n 0x7d,\n 0x07,\n 0x42,\n 0x0a,\n /* NID_pbeWithMD5AndCast5_CBC */\n 0x2a,\n 0x86,\n 0x48,\n 0x86,\n 0xf6,\n 0x7d,\n 0x07,\n 0x42,\n 0x0c,\n /* NID_dsaWithSHA1 */\n 0x2a,\n 0x86,\n 0x48,\n 0xce,\n 0x38,\n 0x04,\n 0x03,\n /* NID_sha1WithRSA */\n 0x2b,\n 0x0e,\n 0x03,\n 0x02,\n 0x1d,\n /* NID_dsa */\n 0x2a,\n 0x86,\n 0x48,\n 0xce,\n 0x38,\n 0x04,\n 0x01,\n /* NID_ripemd160 */\n 0x2b,\n 0x24,\n 0x03,\n 0x02,\n 0x01,\n /* NID_ripemd160WithRSA */\n 0x2b,\n 0x24,\n 0x03,\n 0x03,\n 0x01,\n 0x02,\n /* NID_rc5_cbc */\n 0x2a,\n 0x86,\n 0x48,\n 0x86,\n 0xf7,\n 0x0d,\n 0x03,\n 0x08,\n /* NID_zlib_compression */\n 0x2a,\n 0x86,\n 0x48,\n 0x86,\n 0xf7,\n 0x0d,\n 0x01,\n 0x09,\n 0x10,\n 0x03,\n 0x08,\n /* NID_ext_key_usage */\n 0x55,\n 0x1d,\n 0x25,\n /* NID_id_pkix */\n 0x2b,\n 0x06,\n 0x01,\n 0x05,\n 0x05,\n 0x07,\n /* NID_id_kp */\n 0x2b,\n 0x06,\n 0x01,\n 0x05,\n 0x05,\n 0x07,\n 0x03,\n /* NID_server_auth */\n 0x2b,\n 0x06,\n 0x01,\n 0x05,\n 0x05,\n 0x07,\n 0x03,\n 0x01,\n /* NID_client_auth */\n 0x2b,\n 0x06,\n 0x01,\n 0x05,\n 0x05,\n 0x07,\n 0x03,\n 0x02,\n /* NID_code_sign */\n 0x2b,\n 0x06,\n 0x01,\n 0x05,\n 0x05,\n 0x07,\n 0x03,\n 0x03,\n /* NID_email_protect */\n 0x2b,\n 0x06,\n 0x01,\n 0x05,\n 0x05,\n 0x07,\n 0x03,\n 0x04,\n /* NID_time_stamp */\n 0x2b,\n 0x06,\n 0x01,\n 0x05,\n 0x05,\n 0x07,\n 0x03,\n 0x08,\n /* NID_ms_code_ind */\n 0x2b,\n 0x06,\n 0x01,\n 0x04,\n 0x01,\n 0x82,\n 0x37,\n 0x02,\n 0x01,\n 0x15,\n /* NID_ms_code_com */\n 0x2b,\n 0x06,\n 0x01,\n 0x04,\n 0x01,\n 0x82,\n 0x37,\n 0x02,\n 0x01,\n 0x16,\n /* NID_ms_ctl_sign */\n 0x2b,\n 0x06,\n 0x01,\n 0x04,\n 0x01,\n 0x82,\n 0x37,\n 0x0a,\n 0x03,\n 0x01,\n /* NID_ms_sgc */\n 0x2b,\n 0x06,\n 0x01,\n 0x04,\n 0x01,\n 0x82,\n 0x37,\n 0x0a,\n 0x03,\n 0x03,\n /* NID_ms_efs */\n 0x2b,\n 0x06,\n 0x01,\n 0x04,\n 0x01,\n 0x82,\n 0x37,\n 0x0a,\n 0x03,\n 0x04,\n /* NID_ns_sgc */\n 0x60,\n 0x86,\n 0x48,\n 0x01,\n 0x86,\n 0xf8,\n 0x42,\n 0x04,\n 0x01,\n /* NID_delta_crl */\n 0x55,\n 0x1d,\n 0x1b,\n /* NID_crl_reason */\n 0x55,\n 0x1d,\n 0x15,\n /* NID_invalidity_date */\n 0x55,\n 0x1d,\n 0x18,\n /* NID_sxnet */\n 0x2b,\n 0x65,\n 0x01,\n 0x04,\n 0x01,\n /* NID_pbe_WithSHA1And128BitRC4 */\n 0x2a,\n 0x86,\n 0x48,\n 0x86,\n 0xf7,\n 0x0d,\n 0x01,\n 0x0c,\n 0x01,\n 0x01,\n /* NID_pbe_WithSHA1And40BitRC4 */\n 0x2a,\n 0x86,\n 0x48,\n 0x86,\n 0xf7,\n 0x0d,\n 0x01,\n 0x0c,\n 0x01,\n 0x02,\n /* NID_pbe_WithSHA1And3_Key_TripleDES_CBC */\n 0x2a,\n 0x86,\n 0x48,\n 0x86,\n 0xf7,\n 0x0d,\n 0x01,\n 0x0c,\n 0x01,\n 0x03,\n /* NID_pbe_WithSHA1And2_Key_TripleDES_CBC */\n 0x2a,\n 0x86,\n 0x48,\n 0x86,\n 0xf7,\n 0x0d,\n 0x01,\n 0x0c,\n 0x01,\n 0x04,\n /* NID_pbe_WithSHA1And128BitRC2_CBC */\n 0x2a,\n 0x86,\n 0x48,\n 0x86,\n 0xf7,\n 0x0d,\n 0x01,\n 0x0c,\n 0x01,\n 0x05,\n /* NID_pbe_WithSHA1And40BitRC2_CBC */\n 0x2a,\n 0x86,\n 0x48,\n 0x86,\n 0xf7,\n 0x0d,\n 0x01,\n 0x0c,\n 0x01,\n 0x06,\n /* NID_keyBag */\n 0x2a,\n 0x86,\n 0x48,\n 0x86,\n 0xf7,\n 0x0d,\n 0x01,\n 0x0c,\n 0x0a,\n 0x01,\n 0x01,\n /* NID_pkcs8ShroudedKeyBag */\n 0x2a,\n 0x86,\n 0x48,\n 0x86,\n 0xf7,\n 0x0d,\n 0x01,\n 0x0c,\n 0x0a,\n 0x01,\n 0x02,\n /* NID_certBag */\n 0x2a,\n 0x86,\n 0x48,\n 0x86,\n 0xf7,\n 0x0d,\n 0x01,\n 0x0c,\n 0x0a,\n 0x01,\n 0x03,\n /* NID_crlBag */\n 0x2a,\n 0x86,\n 0x48,\n 0x86,\n 0xf7,\n 0x0d,\n 0x01,\n 0x0c,\n 0x0a,\n 0x01,\n 0x04,\n /* NID_secretBag */\n 0x2a,\n 0x86,\n 0x48,\n 0x86,\n 0xf7,\n 0x0d,\n 0x01,\n 0x0c,\n 0x0a,\n 0x01,\n 0x05,\n /* NID_safeContentsBag */\n 0x2a,\n 0x86,\n 0x48,\n 0x86,\n 0xf7,\n 0x0d,\n 0x01,\n 0x0c,\n 0x0a,\n 0x01,\n 0x06,\n /* NID_friendlyName */\n 0x2a,\n 0x86,\n 0x48,\n 0x86,\n 0xf7,\n 0x0d,\n 0x01,\n 0x09,\n 0x14,\n /* NID_localKeyID */\n 0x2a,\n 0x86,\n 0x48,\n 0x86,\n 0xf7,\n 0x0d,\n 0x01,\n 0x09,\n 0x15,\n /* NID_x509Certificate */\n 0x2a,\n 0x86,\n 0x48,\n 0x86,\n 0xf7,\n 0x0d,\n 0x01,\n 0x09,\n 0x16,\n 0x01,\n /* NID_sdsiCertificate */\n 0x2a,\n 0x86,\n 0x48,\n 0x86,\n 0xf7,\n 0x0d,\n 0x01,\n 0x09,\n 0x16,\n 0x02,\n /* NID_x509Crl */\n 0x2a,\n 0x86,\n 0x48,\n 0x86,\n 0xf7,\n 0x0d,\n 0x01,\n 0x09,\n 0x17,\n 0x01,\n /* NID_pbes2 */\n 0x2a,\n 0x86,\n 0x48,\n 0x86,\n 0xf7,\n 0x0d,\n 0x01,\n 0x05,\n 0x0d,\n /* NID_pbmac1 */\n 0x2a,\n 0x86,\n 0x48,\n 0x86,\n 0xf7,\n 0x0d,\n 0x01,\n 0x05,\n 0x0e,\n /* NID_hmacWithSHA1 */\n 0x2a,\n 0x86,\n 0x48,\n 0x86,\n 0xf7,\n 0x0d,\n 0x02,\n 0x07,\n /* NID_id_qt_cps */\n 0x2b,\n 0x06,\n 0x01,\n 0x05,\n 0x05,\n 0x07,\n 0x02,\n 0x01,\n /* NID_id_qt_unotice */\n 0x2b,\n 0x06,\n 0x01,\n 0x05,\n 0x05,\n 0x07,\n 0x02,\n 0x02,\n /* NID_SMIMECapabilities */\n 0x2a,\n 0x86,\n 0x48,\n 0x86,\n 0xf7,\n 0x0d,\n 0x01,\n 0x09,\n 0x0f,\n /* NID_pbeWithMD2AndRC2_CBC */\n 0x2a,\n 0x86,\n 0x48,\n 0x86,\n 0xf7,\n 0x0d,\n 0x01,\n 0x05,\n 0x04,\n /* NID_pbeWithMD5AndRC2_CBC */\n 0x2a,\n 0x86,\n 0x48,\n 0x86,\n 0xf7,\n 0x0d,\n 0x01,\n 0x05,\n 0x06,\n /* NID_pbeWithSHA1AndDES_CBC */\n 0x2a,\n 0x86,\n 0x48,\n 0x86,\n 0xf7,\n 0x0d,\n 0x01,\n 0x05,\n 0x0a,\n /* NID_ms_ext_req */\n 0x2b,\n 0x06,\n 0x01,\n 0x04,\n 0x01,\n 0x82,\n 0x37,\n 0x02,\n 0x01,\n 0x0e,\n /* NID_ext_req */\n 0x2a,\n 0x86,\n 0x48,\n 0x86,\n 0xf7,\n 0x0d,\n 0x01,\n 0x09,\n 0x0e,\n /* NID_name */\n 0x55,\n 0x04,\n 0x29,\n /* NID_dnQualifier */\n 0x55,\n 0x04,\n 0x2e,\n /* NID_id_pe */\n 0x2b,\n 0x06,\n 0x01,\n 0x05,\n 0x05,\n 0x07,\n 0x01,\n /* NID_id_ad */\n 0x2b,\n 0x06,\n 0x01,\n 0x05,\n 0x05,\n 0x07,\n 0x30,\n /* NID_info_access */\n 0x2b,\n 0x06,\n 0x01,\n 0x05,\n 0x05,\n 0x07,\n 0x01,\n 0x01,\n /* NID_ad_OCSP */\n 0x2b,\n 0x06,\n 0x01,\n 0x05,\n 0x05,\n 0x07,\n 0x30,\n 0x01,\n /* NID_ad_ca_issuers */\n 0x2b,\n 0x06,\n 0x01,\n 0x05,\n 0x05,\n 0x07,\n 0x30,\n 0x02,\n /* NID_OCSP_sign */\n 0x2b,\n 0x06,\n 0x01,\n 0x05,\n 0x05,\n 0x07,\n 0x03,\n 0x09,\n /* NID_member_body */\n 0x2a,\n /* NID_ISO_US */\n 0x2a,\n 0x86,\n 0x48,\n /* NID_X9_57 */\n 0x2a,\n 0x86,\n 0x48,\n 0xce,\n 0x38,\n /* NID_X9cm */\n 0x2a,\n 0x86,\n 0x48,\n 0xce,\n 0x38,\n 0x04,\n /* NID_pkcs1 */\n 0x2a,\n 0x86,\n 0x48,\n 0x86,\n 0xf7,\n 0x0d,\n 0x01,\n 0x01,\n /* NID_pkcs5 */\n 0x2a,\n 0x86,\n 0x48,\n 0x86,\n 0xf7,\n 0x0d,\n 0x01,\n 0x05,\n /* NID_SMIME */\n 0x2a,\n 0x86,\n 0x48,\n 0x86,\n 0xf7,\n 0x0d,\n 0x01,\n 0x09,\n 0x10,\n /* NID_id_smime_mod */\n 0x2a,\n 0x86,\n 0x48,\n 0x86,\n 0xf7,\n 0x0d,\n 0x01,\n 0x09,\n 0x10,\n 0x00,\n /* NID_id_smime_ct */\n 0x2a,\n 0x86,\n 0x48,\n 0x86,\n 0xf7,\n 0x0d,\n 0x01,\n 0x09,\n 0x10,\n 0x01,\n /* NID_id_smime_aa */\n 0x2a,\n 0x86,\n 0x48,\n 0x86,\n 0xf7,\n 0x0d,\n 0x01,\n 0x09,\n 0x10,\n 0x02,\n /* NID_id_smime_alg */\n 0x2a,\n 0x86,\n 0x48,\n 0x86,\n 0xf7,\n 0x0d,\n 0x01,\n 0x09,\n 0x10,\n 0x03,\n /* NID_id_smime_cd */\n 0x2a,\n 0x86,\n 0x48,\n 0x86,\n 0xf7,\n 0x0d,\n 0x01,\n 0x09,\n 0x10,\n 0x04,\n /* NID_id_smime_spq */\n 0x2a,\n 0x86,\n 0x48,\n 0x86,\n 0xf7,\n 0x0d,\n 0x01,\n 0x09,\n 0x10,\n 0x05,\n /* NID_id_smime_cti */\n 0x2a,\n 0x86,\n 0x48,\n 0x86,\n 0xf7,\n 0x0d,\n 0x01,\n 0x09,\n 0x10,\n 0x06,\n /* NID_id_smime_mod_cms */\n 0x2a,\n 0x86,\n 0x48,\n 0x86,\n 0xf7,\n 0x0d,\n 0x01,\n 0x09,\n 0x10,\n 0x00,\n 0x01,\n /* NID_id_smime_mod_ess */\n 0x2a,\n 0x86,\n 0x48,\n 0x86,\n 0xf7,\n 0x0d,\n 0x01,\n 0x09,\n 0x10,\n 0x00,\n 0x02,\n /* NID_id_smime_mod_oid */\n 0x2a,\n 0x86,\n 0x48,\n 0x86,\n 0xf7,\n 0x0d,\n 0x01,\n 0x09,\n 0x10,\n 0x00,\n 0x03,\n /* NID_id_smime_mod_msg_v3 */\n 0x2a,\n 0x86,\n 0x48,\n 0x86,\n 0xf7,\n 0x0d,\n 0x01,\n 0x09,\n 0x10,\n 0x00,\n 0x04,\n /* NID_id_smime_mod_ets_eSignature_88 */\n 0x2a,\n 0x86,\n 0x48,\n 0x86,\n 0xf7,\n 0x0d,\n 0x01,\n 0x09,\n 0x10,\n 0x00,\n 0x05,\n /* NID_id_smime_mod_ets_eSignature_97 */\n 0x2a,\n 0x86,\n 0x48,\n 0x86,\n 0xf7,\n 0x0d,\n 0x01,\n 0x09,\n 0x10,\n 0x00,\n 0x06,\n /* NID_id_smime_mod_ets_eSigPolicy_88 */\n 0x2a,\n 0x86,\n 0x48,\n 0x86,\n 0xf7,\n 0x0d,\n 0x01,\n 0x09,\n 0x10,\n 0x00,\n 0x07,\n /* NID_id_smime_mod_ets_eSigPolicy_97 */\n 0x2a,\n 0x86,\n 0x48,\n 0x86,\n 0xf7,\n 0x0d,\n 0x01,\n 0x09,\n 0x10,\n 0x00,\n 0x08,\n /* NID_id_smime_ct_receipt */\n 0x2a,\n 0x86,\n 0x48,\n 0x86,\n 0xf7,\n 0x0d,\n 0x01,\n 0x09,\n 0x10,\n 0x01,\n 0x01,\n /* NID_id_smime_ct_authData */\n 0x2a,\n 0x86,\n 0x48,\n 0x86,\n 0xf7,\n 0x0d,\n 0x01,\n 0x09,\n 0x10,\n 0x01,\n 0x02,\n /* NID_id_smime_ct_publishCert */\n 0x2a,\n 0x86,\n 0x48,\n 0x86,\n 0xf7,\n 0x0d,\n 0x01,\n 0x09,\n 0x10,\n 0x01,\n 0x03,\n /* NID_id_smime_ct_TSTInfo */\n 0x2a,\n 0x86,\n 0x48,\n 0x86,\n 0xf7,\n 0x0d,\n 0x01,\n 0x09,\n 0x10,\n 0x01,\n 0x04,\n /* NID_id_smime_ct_TDTInfo */\n 0x2a,\n 0x86,\n 0x48,\n 0x86,\n 0xf7,\n 0x0d,\n 0x01,\n 0x09,\n 0x10,\n 0x01,\n 0x05,\n /* NID_id_smime_ct_contentInfo */\n 0x2a,\n 0x86,\n 0x48,\n 0x86,\n 0xf7,\n 0x0d,\n 0x01,\n 0x09,\n 0x10,\n 0x01,\n 0x06,\n /* NID_id_smime_ct_DVCSRequestData */\n 0x2a,\n 0x86,\n 0x48,\n 0x86,\n 0xf7,\n 0x0d,\n 0x01,\n 0x09,\n 0x10,\n 0x01,\n 0x07,\n /* NID_id_smime_ct_DVCSResponseData */\n 0x2a,\n 0x86,\n 0x48,\n 0x86,\n 0xf7,\n 0x0d,\n 0x01,\n 0x09,\n 0x10,\n 0x01,\n 0x08,\n /* NID_id_smime_aa_receiptRequest */\n 0x2a,\n 0x86,\n 0x48,\n 0x86,\n 0xf7,\n 0x0d,\n 0x01,\n 0x09,\n 0x10,\n 0x02,\n 0x01,\n /* NID_id_smime_aa_securityLabel */\n 0x2a,\n 0x86,\n 0x48,\n 0x86,\n 0xf7,\n 0x0d,\n 0x01,\n 0x09,\n 0x10,\n 0x02,\n 0x02,\n /* NID_id_smime_aa_mlExpandHistory */\n 0x2a,\n 0x86,\n 0x48,\n 0x86,\n 0xf7,\n 0x0d,\n 0x01,\n 0x09,\n 0x10,\n 0x02,\n 0x03,\n /* NID_id_smime_aa_contentHint */\n 0x2a,\n 0x86,\n 0x48,\n 0x86,\n 0xf7,\n 0x0d,\n 0x01,\n 0x09,\n 0x10,\n 0x02,\n 0x04,\n /* NID_id_smime_aa_msgSigDigest */\n 0x2a,\n 0x86,\n 0x48,\n 0x86,\n 0xf7,\n 0x0d,\n 0x01,\n 0x09,\n 0x10,\n 0x02,\n 0x05,\n /* NID_id_smime_aa_encapContentType */\n 0x2a,\n 0x86,\n 0x48,\n 0x86,\n 0xf7,\n 0x0d,\n 0x01,\n 0x09,\n 0x10,\n 0x02,\n 0x06,\n /* NID_id_smime_aa_contentIdentifier */\n 0x2a,\n 0x86,\n 0x48,\n 0x86,\n 0xf7,\n 0x0d,\n 0x01,\n 0x09,\n 0x10,\n 0x02,\n 0x07,\n /* NID_id_smime_aa_macValue */\n 0x2a,\n 0x86,\n 0x48,\n 0x86,\n 0xf7,\n 0x0d,\n 0x01,\n 0x09,\n 0x10,\n 0x02,\n 0x08,\n /* NID_id_smime_aa_equivalentLabels */\n 0x2a,\n 0x86,\n 0x48,\n 0x86,\n 0xf7,\n 0x0d,\n 0x01,\n 0x09,\n 0x10,\n 0x02,\n 0x09,\n /* NID_id_smime_aa_contentReference */\n 0x2a,\n 0x86,\n 0x48,\n 0x86,\n 0xf7,\n 0x0d,\n 0x01,\n 0x09,\n 0x10,\n 0x02,\n 0x0a,\n /* NID_id_smime_aa_encrypKeyPref */\n 0x2a,\n 0x86,\n 0x48,\n 0x86,\n 0xf7,\n 0x0d,\n 0x01,\n 0x09,\n 0x10,\n 0x02,\n 0x0b,\n /* NID_id_smime_aa_signingCertificate */\n 0x2a,\n 0x86,\n 0x48,\n 0x86,\n 0xf7,\n 0x0d,\n 0x01,\n 0x09,\n 0x10,\n 0x02,\n 0x0c,\n /* NID_id_smime_aa_smimeEncryptCerts */\n 0x2a,\n 0x86,\n 0x48,\n 0x86,\n 0xf7,\n 0x0d,\n 0x01,\n 0x09,\n 0x10,\n 0x02,\n 0x0d,\n /* NID_id_smime_aa_timeStampToken */\n 0x2a,\n 0x86,\n 0x48,\n 0x86,\n 0xf7,\n 0x0d,\n 0x01,\n 0x09,\n 0x10,\n 0x02,\n 0x0e,\n /* NID_id_smime_aa_ets_sigPolicyId */\n 0x2a,\n 0x86,\n 0x48,\n 0x86,\n 0xf7,\n 0x0d,\n 0x01,\n 0x09,\n 0x10,\n 0x02,\n 0x0f,\n /* NID_id_smime_aa_ets_commitmentType */\n 0x2a,\n 0x86,\n 0x48,\n 0x86,\n 0xf7,\n 0x0d,\n 0x01,\n 0x09,\n 0x10,\n 0x02,\n 0x10,\n /* NID_id_smime_aa_ets_signerLocation */\n 0x2a,\n 0x86,\n 0x48,\n 0x86,\n 0xf7,\n 0x0d,\n 0x01,\n 0x09,\n 0x10,\n 0x02,\n 0x11,\n /* NID_id_smime_aa_ets_signerAttr */\n 0x2a,\n 0x86,\n 0x48,\n 0x86,\n 0xf7,\n 0x0d,\n 0x01,\n 0x09,\n 0x10,\n 0x02,\n 0x12,\n /* NID_id_smime_aa_ets_otherSigCert */\n 0x2a,\n 0x86,\n 0x48,\n 0x86,\n 0xf7,\n 0x0d,\n 0x01,\n 0x09,\n 0x10,\n 0x02,\n 0x13,\n /* NID_id_smime_aa_ets_contentTimestamp */\n 0x2a,\n 0x86,\n 0x48,\n 0x86,\n 0xf7,\n 0x0d,\n 0x01,\n 0x09,\n 0x10,\n 0x02,\n 0x14,\n /* NID_id_smime_aa_ets_CertificateRefs */\n 0x2a,\n 0x86,\n 0x48,\n 0x86,\n 0xf7,\n 0x0d,\n 0x01,\n 0x09,\n 0x10,\n 0x02,\n 0x15,\n /* NID_id_smime_aa_ets_RevocationRefs */\n 0x2a,\n 0x86,\n 0x48,\n 0x86,\n 0xf7,\n 0x0d,\n 0x01,\n 0x09,\n 0x10,\n 0x02,\n 0x16,\n /* NID_id_smime_aa_ets_certValues */\n 0x2a,\n 0x86,\n 0x48,\n 0x86,\n 0xf7,\n 0x0d,\n 0x01,\n 0x09,\n 0x10,\n 0x02,\n 0x17,\n /* NID_id_smime_aa_ets_revocationValues */\n 0x2a,\n 0x86,\n 0x48,\n 0x86,\n 0xf7,\n 0x0d,\n 0x01,\n 0x09,\n 0x10,\n 0x02,\n 0x18,\n /* NID_id_smime_aa_ets_escTimeStamp */\n 0x2a,\n 0x86,\n 0x48,\n 0x86,\n 0xf7,\n 0x0d,\n 0x01,\n 0x09,\n 0x10,\n 0x02,\n 0x19,\n /* NID_id_smime_aa_ets_certCRLTimestamp */\n 0x2a,\n 0x86,\n 0x48,\n 0x86,\n 0xf7,\n 0x0d,\n 0x01,\n 0x09,\n 0x10,\n 0x02,\n 0x1a,\n /* NID_id_smime_aa_ets_archiveTimeStamp */\n 0x2a,\n 0x86,\n 0x48,\n 0x86,\n 0xf7,\n 0x0d,\n 0x01,\n 0x09,\n 0x10,\n 0x02,\n 0x1b,\n /* NID_id_smime_aa_signatureType */\n 0x2a,\n 0x86,\n 0x48,\n 0x86,\n 0xf7,\n 0x0d,\n 0x01,\n 0x09,\n 0x10,\n 0x02,\n 0x1c,\n /* NID_id_smime_aa_dvcs_dvc */\n 0x2a,\n 0x86,\n 0x48,\n 0x86,\n 0xf7,\n 0x0d,\n 0x01,\n 0x09,\n 0x10,\n 0x02,\n 0x1d,\n /* NID_id_smime_alg_ESDHwith3DES */\n 0x2a,\n 0x86,\n 0x48,\n 0x86,\n 0xf7,\n 0x0d,\n 0x01,\n 0x09,\n 0x10,\n 0x03,\n 0x01,\n /* NID_id_smime_alg_ESDHwithRC2 */\n 0x2a,\n 0x86,\n 0x48,\n 0x86,\n 0xf7,\n 0x0d,\n 0x01,\n 0x09,\n 0x10,\n 0x03,\n 0x02,\n /* NID_id_smime_alg_3DESwrap */\n 0x2a,\n 0x86,\n 0x48,\n 0x86,\n 0xf7,\n 0x0d,\n 0x01,\n 0x09,\n 0x10,\n 0x03,\n 0x03,\n /* NID_id_smime_alg_RC2wrap */\n 0x2a,\n 0x86,\n 0x48,\n 0x86,\n 0xf7,\n 0x0d,\n 0x01,\n 0x09,\n 0x10,\n 0x03,\n 0x04,\n /* NID_id_smime_alg_ESDH */\n 0x2a,\n 0x86,\n 0x48,\n 0x86,\n 0xf7,\n 0x0d,\n 0x01,\n 0x09,\n 0x10,\n 0x03,\n 0x05,\n /* NID_id_smime_alg_CMS3DESwrap */\n 0x2a,\n 0x86,\n 0x48,\n 0x86,\n 0xf7,\n 0x0d,\n 0x01,\n 0x09,\n 0x10,\n 0x03,\n 0x06,\n /* NID_id_smime_alg_CMSRC2wrap */\n 0x2a,\n 0x86,\n 0x48,\n 0x86,\n 0xf7,\n 0x0d,\n 0x01,\n 0x09,\n 0x10,\n 0x03,\n 0x07,\n /* NID_id_smime_cd_ldap */\n 0x2a,\n 0x86,\n 0x48,\n 0x86,\n 0xf7,\n 0x0d,\n 0x01,\n 0x09,\n 0x10,\n 0x04,\n 0x01,\n /* NID_id_smime_spq_ets_sqt_uri */\n 0x2a,\n 0x86,\n 0x48,\n 0x86,\n 0xf7,\n 0x0d,\n 0x01,\n 0x09,\n 0x10,\n 0x05,\n 0x01,\n /* NID_id_smime_spq_ets_sqt_unotice */\n 0x2a,\n 0x86,\n 0x48,\n 0x86,\n 0xf7,\n 0x0d,\n 0x01,\n 0x09,\n 0x10,\n 0x05,\n 0x02,\n /* NID_id_smime_cti_ets_proofOfOrigin */\n 0x2a,\n 0x86,\n 0x48,\n 0x86,\n 0xf7,\n 0x0d,\n 0x01,\n 0x09,\n 0x10,\n 0x06,\n 0x01,\n /* NID_id_smime_cti_ets_proofOfReceipt */\n 0x2a,\n 0x86,\n 0x48,\n 0x86,\n 0xf7,\n 0x0d,\n 0x01,\n 0x09,\n 0x10,\n 0x06,\n 0x02,\n /* NID_id_smime_cti_ets_proofOfDelivery */\n 0x2a,\n 0x86,\n 0x48,\n 0x86,\n 0xf7,\n 0x0d,\n 0x01,\n 0x09,\n 0x10,\n 0x06,\n 0x03,\n /* NID_id_smime_cti_ets_proofOfSender */\n 0x2a,\n 0x86,\n 0x48,\n 0x86,\n 0xf7,\n 0x0d,\n 0x01,\n 0x09,\n 0x10,\n 0x06,\n 0x04,\n /* NID_id_smime_cti_ets_proofOfApproval */\n 0x2a,\n 0x86,\n 0x48,\n 0x86,\n 0xf7,\n 0x0d,\n 0x01,\n 0x09,\n 0x10,\n 0x06,\n 0x05,\n /* NID_id_smime_cti_ets_proofOfCreation */\n 0x2a,\n 0x86,\n 0x48,\n 0x86,\n 0xf7,\n 0x0d,\n 0x01,\n 0x09,\n 0x10,\n 0x06,\n 0x06,\n /* NID_md4 */\n 0x2a,\n 0x86,\n 0x48,\n 0x86,\n 0xf7,\n 0x0d,\n 0x02,\n 0x04,\n /* NID_id_pkix_mod */\n 0x2b,\n 0x06,\n 0x01,\n 0x05,\n 0x05,\n 0x07,\n 0x00,\n /* NID_id_qt */\n 0x2b,\n 0x06,\n 0x01,\n 0x05,\n 0x05,\n 0x07,\n 0x02,\n /* NID_id_it */\n 0x2b,\n 0x06,\n 0x01,\n 0x05,\n 0x05,\n 0x07,\n 0x04,\n /* NID_id_pkip */\n 0x2b,\n 0x06,\n 0x01,\n 0x05,\n 0x05,\n 0x07,\n 0x05,\n /* NID_id_alg */\n 0x2b,\n 0x06,\n 0x01,\n 0x05,\n 0x05,\n 0x07,\n 0x06,\n /* NID_id_cmc */\n 0x2b,\n 0x06,\n 0x01,\n 0x05,\n 0x05,\n 0x07,\n 0x07,\n /* NID_id_on */\n 0x2b,\n 0x06,\n 0x01,\n 0x05,\n 0x05,\n 0x07,\n 0x08,\n /* NID_id_pda */\n 0x2b,\n 0x06,\n 0x01,\n 0x05,\n 0x05,\n 0x07,\n 0x09,\n /* NID_id_aca */\n 0x2b,\n 0x06,\n 0x01,\n 0x05,\n 0x05,\n 0x07,\n 0x0a,\n /* NID_id_qcs */\n 0x2b,\n 0x06,\n 0x01,\n 0x05,\n 0x05,\n 0x07,\n 0x0b,\n /* NID_id_cct */\n 0x2b,\n 0x06,\n 0x01,\n 0x05,\n 0x05,\n 0x07,\n 0x0c,\n /* NID_id_pkix1_explicit_88 */\n 0x2b,\n 0x06,\n 0x01,\n 0x05,\n 0x05,\n 0x07,\n 0x00,\n 0x01,\n /* NID_id_pkix1_implicit_88 */\n 0x2b,\n 0x06,\n 0x01,\n 0x05,\n 0x05,\n 0x07,\n 0x00,\n 0x02,\n /* NID_id_pkix1_explicit_93 */\n 0x2b,\n 0x06,\n 0x01,\n 0x05,\n 0x05,\n 0x07,\n 0x00,\n 0x03,\n /* NID_id_pkix1_implicit_93 */\n 0x2b,\n 0x06,\n 0x01,\n 0x05,\n 0x05,\n 0x07,\n 0x00,\n 0x04,\n /* NID_id_mod_crmf */\n 0x2b,\n 0x06,\n 0x01,\n 0x05,\n 0x05,\n 0x07,\n 0x00,\n 0x05,\n /* NID_id_mod_cmc */\n 0x2b,\n 0x06,\n 0x01,\n 0x05,\n 0x05,\n 0x07,\n 0x00,\n 0x06,\n /* NID_id_mod_kea_profile_88 */\n 0x2b,\n 0x06,\n 0x01,\n 0x05,\n 0x05,\n 0x07,\n 0x00,\n 0x07,\n /* NID_id_mod_kea_profile_93 */\n 0x2b,\n 0x06,\n 0x01,\n 0x05,\n 0x05,\n 0x07,\n 0x00,\n 0x08,\n /* NID_id_mod_cmp */\n 0x2b,\n 0x06,\n 0x01,\n 0x05,\n 0x05,\n 0x07,\n 0x00,\n 0x09,\n /* NID_id_mod_qualified_cert_88 */\n 0x2b,\n 0x06,\n 0x01,\n 0x05,\n 0x05,\n 0x07,\n 0x00,\n 0x0a,\n /* NID_id_mod_qualified_cert_93 */\n 0x2b,\n 0x06,\n 0x01,\n 0x05,\n 0x05,\n 0x07,\n 0x00,\n 0x0b,\n /* NID_id_mod_attribute_cert */\n 0x2b,\n 0x06,\n 0x01,\n 0x05,\n 0x05,\n 0x07,\n 0x00,\n 0x0c,\n /* NID_id_mod_timestamp_protocol */\n 0x2b,\n 0x06,\n 0x01,\n 0x05,\n 0x05,\n 0x07,\n 0x00,\n 0x0d,\n /* NID_id_mod_ocsp */\n 0x2b,\n 0x06,\n 0x01,\n 0x05,\n 0x05,\n 0x07,\n 0x00,\n 0x0e,\n /* NID_id_mod_dvcs */\n 0x2b,\n 0x06,\n 0x01,\n 0x05,\n 0x05,\n 0x07,\n 0x00,\n 0x0f,\n /* NID_id_mod_cmp2000 */\n 0x2b,\n 0x06,\n 0x01,\n 0x05,\n 0x05,\n 0x07,\n 0x00,\n 0x10,\n /* NID_biometricInfo */\n 0x2b,\n 0x06,\n 0x01,\n 0x05,\n 0x05,\n 0x07,\n 0x01,\n 0x02,\n /* NID_qcStatements */\n 0x2b,\n 0x06,\n 0x01,\n 0x05,\n 0x05,\n 0x07,\n 0x01,\n 0x03,\n /* NID_ac_auditEntity */\n 0x2b,\n 0x06,\n 0x01,\n 0x05,\n 0x05,\n 0x07,\n 0x01,\n 0x04,\n /* NID_ac_targeting */\n 0x2b,\n 0x06,\n 0x01,\n 0x05,\n 0x05,\n 0x07,\n 0x01,\n 0x05,\n /* NID_aaControls */\n 0x2b,\n 0x06,\n 0x01,\n 0x05,\n 0x05,\n 0x07,\n 0x01,\n 0x06,\n /* NID_sbgp_ipAddrBlock */\n 0x2b,\n 0x06,\n 0x01,\n 0x05,\n 0x05,\n 0x07,\n 0x01,\n 0x07,\n /* NID_sbgp_autonomousSysNum */\n 0x2b,\n 0x06,\n 0x01,\n 0x05,\n 0x05,\n 0x07,\n 0x01,\n 0x08,\n /* NID_sbgp_routerIdentifier */\n 0x2b,\n 0x06,\n 0x01,\n 0x05,\n 0x05,\n 0x07,\n 0x01,\n 0x09,\n /* NID_textNotice */\n 0x2b,\n 0x06,\n 0x01,\n 0x05,\n 0x05,\n 0x07,\n 0x02,\n 0x03,\n /* NID_ipsecEndSystem */\n 0x2b,\n 0x06,\n 0x01,\n 0x05,\n 0x05,\n 0x07,\n 0x03,\n 0x05,\n /* NID_ipsecTunnel */\n 0x2b,\n 0x06,\n 0x01,\n 0x05,\n 0x05,\n 0x07,\n 0x03,\n 0x06,\n /* NID_ipsecUser */\n 0x2b,\n 0x06,\n 0x01,\n 0x05,\n 0x05,\n 0x07,\n 0x03,\n 0x07,\n /* NID_dvcs */\n 0x2b,\n 0x06,\n 0x01,\n 0x05,\n 0x05,\n 0x07,\n 0x03,\n 0x0a,\n /* NID_id_it_caProtEncCert */\n 0x2b,\n 0x06,\n 0x01,\n 0x05,\n 0x05,\n 0x07,\n 0x04,\n 0x01,\n /* NID_id_it_signKeyPairTypes */\n 0x2b,\n 0x06,\n 0x01,\n 0x05,\n 0x05,\n 0x07,\n 0x04,\n 0x02,\n /* NID_id_it_encKeyPairTypes */\n 0x2b,\n 0x06,\n 0x01,\n 0x05,\n 0x05,\n 0x07,\n 0x04,\n 0x03,\n /* NID_id_it_preferredSymmAlg */\n 0x2b,\n 0x06,\n 0x01,\n 0x05,\n 0x05,\n 0x07,\n 0x04,\n 0x04,\n /* NID_id_it_caKeyUpdateInfo */\n 0x2b,\n 0x06,\n 0x01,\n 0x05,\n 0x05,\n 0x07,\n 0x04,\n 0x05,\n /* NID_id_it_currentCRL */\n 0x2b,\n 0x06,\n 0x01,\n 0x05,\n 0x05,\n 0x07,\n 0x04,\n 0x06,\n /* NID_id_it_unsupportedOIDs */\n 0x2b,\n 0x06,\n 0x01,\n 0x05,\n 0x05,\n 0x07,\n 0x04,\n 0x07,\n /* NID_id_it_subscriptionRequest */\n 0x2b,\n 0x06,\n 0x01,\n 0x05,\n 0x05,\n 0x07,\n 0x04,\n 0x08,\n /* NID_id_it_subscriptionResponse */\n 0x2b,\n 0x06,\n 0x01,\n 0x05,\n 0x05,\n 0x07,\n 0x04,\n 0x09,\n /* NID_id_it_keyPairParamReq */\n 0x2b,\n 0x06,\n 0x01,\n 0x05,\n 0x05,\n 0x07,\n 0x04,\n 0x0a,\n /* NID_id_it_keyPairParamRep */\n 0x2b,\n 0x06,\n 0x01,\n 0x05,\n 0x05,\n 0x07,\n 0x04,\n 0x0b,\n /* NID_id_it_revPassphrase */\n 0x2b,\n 0x06,\n 0x01,\n 0x05,\n 0x05,\n 0x07,\n 0x04,\n 0x0c,\n /* NID_id_it_implicitConfirm */\n 0x2b,\n 0x06,\n 0x01,\n 0x05,\n 0x05,\n 0x07,\n 0x04,\n 0x0d,\n /* NID_id_it_confirmWaitTime */\n 0x2b,\n 0x06,\n 0x01,\n 0x05,\n 0x05,\n 0x07,\n 0x04,\n 0x0e,\n /* NID_id_it_origPKIMessage */\n 0x2b,\n 0x06,\n 0x01,\n 0x05,\n 0x05,\n 0x07,\n 0x04,\n 0x0f,\n /* NID_id_regCtrl */\n 0x2b,\n 0x06,\n 0x01,\n 0x05,\n 0x05,\n 0x07,\n 0x05,\n 0x01,\n /* NID_id_regInfo */\n 0x2b,\n 0x06,\n 0x01,\n 0x05,\n 0x05,\n 0x07,\n 0x05,\n 0x02,\n /* NID_id_regCtrl_regToken */\n 0x2b,\n 0x06,\n 0x01,\n 0x05,\n 0x05,\n 0x07,\n 0x05,\n 0x01,\n 0x01,\n /* NID_id_regCtrl_authenticator */\n 0x2b,\n 0x06,\n 0x01,\n 0x05,\n 0x05,\n 0x07,\n 0x05,\n 0x01,\n 0x02,\n /* NID_id_regCtrl_pkiPublicationInfo */\n 0x2b,\n 0x06,\n 0x01,\n 0x05,\n 0x05,\n 0x07,\n 0x05,\n 0x01,\n 0x03,\n /* NID_id_regCtrl_pkiArchiveOptions */\n 0x2b,\n 0x06,\n 0x01,\n 0x05,\n 0x05,\n 0x07,\n 0x05,\n 0x01,\n 0x04,\n /* NID_id_regCtrl_oldCertID */\n 0x2b,\n 0x06,\n 0x01,\n 0x05,\n 0x05,\n 0x07,\n 0x05,\n 0x01,\n 0x05,\n /* NID_id_regCtrl_protocolEncrKey */\n 0x2b,\n 0x06,\n 0x01,\n 0x05,\n 0x05,\n 0x07,\n 0x05,\n 0x01,\n 0x06,\n /* NID_id_regInfo_utf8Pairs */\n 0x2b,\n 0x06,\n 0x01,\n 0x05,\n 0x05,\n 0x07,\n 0x05,\n 0x02,\n 0x01,\n /* NID_id_regInfo_certReq */\n 0x2b,\n 0x06,\n 0x01,\n 0x05,\n 0x05,\n 0x07,\n 0x05,\n 0x02,\n 0x02,\n /* NID_id_alg_des40 */\n 0x2b,\n 0x06,\n 0x01,\n 0x05,\n 0x05,\n 0x07,\n 0x06,\n 0x01,\n /* NID_id_alg_noSignature */\n 0x2b,\n 0x06,\n 0x01,\n 0x05,\n 0x05,\n 0x07,\n 0x06,\n 0x02,\n /* NID_id_alg_dh_sig_hmac_sha1 */\n 0x2b,\n 0x06,\n 0x01,\n 0x05,\n 0x05,\n 0x07,\n 0x06,\n 0x03,\n /* NID_id_alg_dh_pop */\n 0x2b,\n 0x06,\n 0x01,\n 0x05,\n 0x05,\n 0x07,\n 0x06,\n 0x04,\n /* NID_id_cmc_statusInfo */\n 0x2b,\n 0x06,\n 0x01,\n 0x05,\n 0x05,\n 0x07,\n 0x07,\n 0x01,\n /* NID_id_cmc_identification */\n 0x2b,\n 0x06,\n 0x01,\n 0x05,\n 0x05,\n 0x07,\n 0x07,\n 0x02,\n /* NID_id_cmc_identityProof */\n 0x2b,\n 0x06,\n 0x01,\n 0x05,\n 0x05,\n 0x07,\n 0x07,\n 0x03,\n /* NID_id_cmc_dataReturn */\n 0x2b,\n 0x06,\n 0x01,\n 0x05,\n 0x05,\n 0x07,\n 0x07,\n 0x04,\n /* NID_id_cmc_transactionId */\n 0x2b,\n 0x06,\n 0x01,\n 0x05,\n 0x05,\n 0x07,\n 0x07,\n 0x05,\n /* NID_id_cmc_senderNonce */\n 0x2b,\n 0x06,\n 0x01,\n 0x05,\n 0x05,\n 0x07,\n 0x07,\n 0x06,\n /* NID_id_cmc_recipientNonce */\n 0x2b,\n 0x06,\n 0x01,\n 0x05,\n 0x05,\n 0x07,\n 0x07,\n 0x07,\n /* NID_id_cmc_addExtensions */\n 0x2b,\n 0x06,\n 0x01,\n 0x05,\n 0x05,\n 0x07,\n 0x07,\n 0x08,\n /* NID_id_cmc_encryptedPOP */\n 0x2b,\n 0x06,\n 0x01,\n 0x05,\n 0x05,\n 0x07,\n 0x07,\n 0x09,\n /* NID_id_cmc_decryptedPOP */\n 0x2b,\n 0x06,\n 0x01,\n 0x05,\n 0x05,\n 0x07,\n 0x07,\n 0x0a,\n /* NID_id_cmc_lraPOPWitness */\n 0x2b,\n 0x06,\n 0x01,\n 0x05,\n 0x05,\n 0x07,\n 0x07,\n 0x0b,\n /* NID_id_cmc_getCert */\n 0x2b,\n 0x06,\n 0x01,\n 0x05,\n 0x05,\n 0x07,\n 0x07,\n 0x0f,\n /* NID_id_cmc_getCRL */\n 0x2b,\n 0x06,\n 0x01,\n 0x05,\n 0x05,\n 0x07,\n 0x07,\n 0x10,\n /* NID_id_cmc_revokeRequest */\n 0x2b,\n 0x06,\n 0x01,\n 0x05,\n 0x05,\n 0x07,\n 0x07,\n 0x11,\n /* NID_id_cmc_regInfo */\n 0x2b,\n 0x06,\n 0x01,\n 0x05,\n 0x05,\n 0x07,\n 0x07,\n 0x12,\n /* NID_id_cmc_responseInfo */\n 0x2b,\n 0x06,\n 0x01,\n 0x05,\n 0x05,\n 0x07,\n 0x07,\n 0x13,\n /* NID_id_cmc_queryPending */\n 0x2b,\n 0x06,\n 0x01,\n 0x05,\n 0x05,\n 0x07,\n 0x07,\n 0x15,\n /* NID_id_cmc_popLinkRandom */\n 0x2b,\n 0x06,\n 0x01,\n 0x05,\n 0x05,\n 0x07,\n 0x07,\n 0x16,\n /* NID_id_cmc_popLinkWitness */\n 0x2b,\n 0x06,\n 0x01,\n 0x05,\n 0x05,\n 0x07,\n 0x07,\n 0x17,\n /* NID_id_cmc_confirmCertAcceptance */\n 0x2b,\n 0x06,\n 0x01,\n 0x05,\n 0x05,\n 0x07,\n 0x07,\n 0x18,\n /* NID_id_on_personalData */\n 0x2b,\n 0x06,\n 0x01,\n 0x05,\n 0x05,\n 0x07,\n 0x08,\n 0x01,\n /* NID_id_pda_dateOfBirth */\n 0x2b,\n 0x06,\n 0x01,\n 0x05,\n 0x05,\n 0x07,\n 0x09,\n 0x01,\n /* NID_id_pda_placeOfBirth */\n 0x2b,\n 0x06,\n 0x01,\n 0x05,\n 0x05,\n 0x07,\n 0x09,\n 0x02,\n /* NID_id_pda_gender */\n 0x2b,\n 0x06,\n 0x01,\n 0x05,\n 0x05,\n 0x07,\n 0x09,\n 0x03,\n /* NID_id_pda_countryOfCitizenship */\n 0x2b,\n 0x06,\n 0x01,\n 0x05,\n 0x05,\n 0x07,\n 0x09,\n 0x04,\n /* NID_id_pda_countryOfResidence */\n 0x2b,\n 0x06,\n 0x01,\n 0x05,\n 0x05,\n 0x07,\n 0x09,\n 0x05,\n /* NID_id_aca_authenticationInfo */\n 0x2b,\n 0x06,\n 0x01,\n 0x05,\n 0x05,\n 0x07,\n 0x0a,\n 0x01,\n /* NID_id_aca_accessIdentity */\n 0x2b,\n 0x06,\n 0x01,\n 0x05,\n 0x05,\n 0x07,\n 0x0a,\n 0x02,\n /* NID_id_aca_chargingIdentity */\n 0x2b,\n 0x06,\n 0x01,\n 0x05,\n 0x05,\n 0x07,\n 0x0a,\n 0x03,\n /* NID_id_aca_group */\n 0x2b,\n 0x06,\n 0x01,\n 0x05,\n 0x05,\n 0x07,\n 0x0a,\n 0x04,\n /* NID_id_aca_role */\n 0x2b,\n 0x06,\n 0x01,\n 0x05,\n 0x05,\n 0x07,\n 0x0a,\n 0x05,\n /* NID_id_qcs_pkixQCSyntax_v1 */\n 0x2b,\n 0x06,\n 0x01,\n 0x05,\n 0x05,\n 0x07,\n 0x0b,\n 0x01,\n /* NID_id_cct_crs */\n 0x2b,\n 0x06,\n 0x01,\n 0x05,\n 0x05,\n 0x07,\n 0x0c,\n 0x01,\n /* NID_id_cct_PKIData */\n 0x2b,\n 0x06,\n 0x01,\n 0x05,\n 0x05,\n 0x07,\n 0x0c,\n 0x02,\n /* NID_id_cct_PKIResponse */\n 0x2b,\n 0x06,\n 0x01,\n 0x05,\n 0x05,\n 0x07,\n 0x0c,\n 0x03,\n /* NID_ad_timeStamping */\n 0x2b,\n 0x06,\n 0x01,\n 0x05,\n 0x05,\n 0x07,\n 0x30,\n 0x03,\n /* NID_ad_dvcs */\n 0x2b,\n 0x06,\n 0x01,\n 0x05,\n 0x05,\n 0x07,\n 0x30,\n 0x04,\n /* NID_id_pkix_OCSP_basic */\n 0x2b,\n 0x06,\n 0x01,\n 0x05,\n 0x05,\n 0x07,\n 0x30,\n 0x01,\n 0x01,\n /* NID_id_pkix_OCSP_Nonce */\n 0x2b,\n 0x06,\n 0x01,\n 0x05,\n 0x05,\n 0x07,\n 0x30,\n 0x01,\n 0x02,\n /* NID_id_pkix_OCSP_CrlID */\n 0x2b,\n 0x06,\n 0x01,\n 0x05,\n 0x05,\n 0x07,\n 0x30,\n 0x01,\n 0x03,\n /* NID_id_pkix_OCSP_acceptableResponses */\n 0x2b,\n 0x06,\n 0x01,\n 0x05,\n 0x05,\n 0x07,\n 0x30,\n 0x01,\n 0x04,\n /* NID_id_pkix_OCSP_noCheck */\n 0x2b,\n 0x06,\n 0x01,\n 0x05,\n 0x05,\n 0x07,\n 0x30,\n 0x01,\n 0x05,\n /* NID_id_pkix_OCSP_archiveCutoff */\n 0x2b,\n 0x06,\n 0x01,\n 0x05,\n 0x05,\n 0x07,\n 0x30,\n 0x01,\n 0x06,\n /* NID_id_pkix_OCSP_serviceLocator */\n 0x2b,\n 0x06,\n 0x01,\n 0x05,\n 0x05,\n 0x07,\n 0x30,\n 0x01,\n 0x07,\n /* NID_id_pkix_OCSP_extendedStatus */\n 0x2b,\n 0x06,\n 0x01,\n 0x05,\n 0x05,\n 0x07,\n 0x30,\n 0x01,\n 0x08,\n /* NID_id_pkix_OCSP_valid */\n 0x2b,\n 0x06,\n 0x01,\n 0x05,\n 0x05,\n 0x07,\n 0x30,\n 0x01,\n 0x09,\n /* NID_id_pkix_OCSP_path */\n 0x2b,\n 0x06,\n 0x01,\n 0x05,\n 0x05,\n 0x07,\n 0x30,\n 0x01,\n 0x0a,\n /* NID_id_pkix_OCSP_trustRoot */\n 0x2b,\n 0x06,\n 0x01,\n 0x05,\n 0x05,\n 0x07,\n 0x30,\n 0x01,\n 0x0b,\n /* NID_algorithm */\n 0x2b,\n 0x0e,\n 0x03,\n 0x02,\n /* NID_rsaSignature */\n 0x2b,\n 0x0e,\n 0x03,\n 0x02,\n 0x0b,\n /* NID_X500algorithms */\n 0x55,\n 0x08,\n /* NID_org */\n 0x2b,\n /* NID_dod */\n 0x2b,\n 0x06,\n /* NID_iana */\n 0x2b,\n 0x06,\n 0x01,\n /* NID_Directory */\n 0x2b,\n 0x06,\n 0x01,\n 0x01,\n /* NID_Management */\n 0x2b,\n 0x06,\n 0x01,\n 0x02,\n /* NID_Experimental */\n 0x2b,\n 0x06,\n 0x01,\n 0x03,\n /* NID_Private */\n 0x2b,\n 0x06,\n 0x01,\n 0x04,\n /* NID_Security */\n 0x2b,\n 0x06,\n 0x01,\n 0x05,\n /* NID_SNMPv2 */\n 0x2b,\n 0x06,\n 0x01,\n 0x06,\n /* NID_Mail */\n 0x2b,\n 0x06,\n 0x01,\n 0x07,\n /* NID_Enterprises */\n 0x2b,\n 0x06,\n 0x01,\n 0x04,\n 0x01,\n /* NID_dcObject */\n 0x2b,\n 0x06,\n 0x01,\n 0x04,\n 0x01,\n 0x8b,\n 0x3a,\n 0x82,\n 0x58,\n /* NID_domainComponent */\n 0x09,\n 0x92,\n 0x26,\n 0x89,\n 0x93,\n 0xf2,\n 0x2c,\n 0x64,\n 0x01,\n 0x19,\n /* NID_Domain */\n 0x09,\n 0x92,\n 0x26,\n 0x89,\n 0x93,\n 0xf2,\n 0x2c,\n 0x64,\n 0x04,\n 0x0d,\n /* NID_selected_attribute_types */\n 0x55,\n 0x01,\n 0x05,\n /* NID_clearance */\n 0x55,\n 0x01,\n 0x05,\n 0x37,\n /* NID_md4WithRSAEncryption */\n 0x2a,\n 0x86,\n 0x48,\n 0x86,\n 0xf7,\n 0x0d,\n 0x01,\n 0x01,\n 0x03,\n /* NID_ac_proxying */\n 0x2b,\n 0x06,\n 0x01,\n 0x05,\n 0x05,\n 0x07,\n 0x01,\n 0x0a,\n /* NID_sinfo_access */\n 0x2b,\n 0x06,\n 0x01,\n 0x05,\n 0x05,\n 0x07,\n 0x01,\n 0x0b,\n /* NID_id_aca_encAttrs */\n 0x2b,\n 0x06,\n 0x01,\n 0x05,\n 0x05,\n 0x07,\n 0x0a,\n 0x06,\n /* NID_role */\n 0x55,\n 0x04,\n 0x48,\n /* NID_policy_constraints */\n 0x55,\n 0x1d,\n 0x24,\n /* NID_target_information */\n 0x55,\n 0x1d,\n 0x37,\n /* NID_no_rev_avail */\n 0x55,\n 0x1d,\n 0x38,\n /* NID_ansi_X9_62 */\n 0x2a,\n 0x86,\n 0x48,\n 0xce,\n 0x3d,\n /* NID_X9_62_prime_field */\n 0x2a,\n 0x86,\n 0x48,\n 0xce,\n 0x3d,\n 0x01,\n 0x01,\n /* NID_X9_62_characteristic_two_field */\n 0x2a,\n 0x86,\n 0x48,\n 0xce,\n 0x3d,\n 0x01,\n 0x02,\n /* NID_X9_62_id_ecPublicKey */\n 0x2a,\n 0x86,\n 0x48,\n 0xce,\n 0x3d,\n 0x02,\n 0x01,\n /* NID_X9_62_prime192v1 */\n 0x2a,\n 0x86,\n 0x48,\n 0xce,\n 0x3d,\n 0x03,\n 0x01,\n 0x01,\n /* NID_X9_62_prime192v2 */\n 0x2a,\n 0x86,\n 0x48,\n 0xce,\n 0x3d,\n 0x03,\n 0x01,\n 0x02,\n /* NID_X9_62_prime192v3 */\n 0x2a,\n 0x86,\n 0x48,\n 0xce,\n 0x3d,\n 0x03,\n 0x01,\n 0x03,\n /* NID_X9_62_prime239v1 */\n 0x2a,\n 0x86,\n 0x48,\n 0xce,\n 0x3d,\n 0x03,\n 0x01,\n 0x04,\n /* NID_X9_62_prime239v2 */\n 0x2a,\n 0x86,\n 0x48,\n 0xce,\n 0x3d,\n 0x03,\n 0x01,\n 0x05,\n /* NID_X9_62_prime239v3 */\n 0x2a,\n 0x86,\n 0x48,\n 0xce,\n 0x3d,\n 0x03,\n 0x01,\n 0x06,\n /* NID_X9_62_prime256v1 */\n 0x2a,\n 0x86,\n 0x48,\n 0xce,\n 0x3d,\n 0x03,\n 0x01,\n 0x07,\n /* NID_ecdsa_with_SHA1 */\n 0x2a,\n 0x86,\n 0x48,\n 0xce,\n 0x3d,\n 0x04,\n 0x01,\n /* NID_ms_csp_name */\n 0x2b,\n 0x06,\n 0x01,\n 0x04,\n 0x01,\n 0x82,\n 0x37,\n 0x11,\n 0x01,\n /* NID_aes_128_ecb */\n 0x60,\n 0x86,\n 0x48,\n 0x01,\n 0x65,\n 0x03,\n 0x04,\n 0x01,\n 0x01,\n /* NID_aes_128_cbc */\n 0x60,\n 0x86,\n 0x48,\n 0x01,\n 0x65,\n 0x03,\n 0x04,\n 0x01,\n 0x02,\n /* NID_aes_128_ofb128 */\n 0x60,\n 0x86,\n 0x48,\n 0x01,\n 0x65,\n 0x03,\n 0x04,\n 0x01,\n 0x03,\n /* NID_aes_128_cfb128 */\n 0x60,\n 0x86,\n 0x48,\n 0x01,\n 0x65,\n 0x03,\n 0x04,\n 0x01,\n 0x04,\n /* NID_aes_192_ecb */\n 0x60,\n 0x86,\n 0x48,\n 0x01,\n 0x65,\n 0x03,\n 0x04,\n 0x01,\n 0x15,\n /* NID_aes_192_cbc */\n 0x60,\n 0x86,\n 0x48,\n 0x01,\n 0x65,\n 0x03,\n 0x04,\n 0x01,\n 0x16,\n /* NID_aes_192_ofb128 */\n 0x60,\n 0x86,\n 0x48,\n 0x01,\n 0x65,\n 0x03,\n 0x04,\n 0x01,\n 0x17,\n /* NID_aes_192_cfb128 */\n 0x60,\n 0x86,\n 0x48,\n 0x01,\n 0x65,\n 0x03,\n 0x04,\n 0x01,\n 0x18,\n /* NID_aes_256_ecb */\n 0x60,\n 0x86,\n 0x48,\n 0x01,\n 0x65,\n 0x03,\n 0x04,\n 0x01,\n 0x29,\n /* NID_aes_256_cbc */\n 0x60,\n 0x86,\n 0x48,\n 0x01,\n 0x65,\n 0x03,\n 0x04,\n 0x01,\n 0x2a,\n /* NID_aes_256_ofb128 */\n 0x60,\n 0x86,\n 0x48,\n 0x01,\n 0x65,\n 0x03,\n 0x04,\n 0x01,\n 0x2b,\n /* NID_aes_256_cfb128 */\n 0x60,\n 0x86,\n 0x48,\n 0x01,\n 0x65,\n 0x03,\n 0x04,\n 0x01,\n 0x2c,\n /* NID_hold_instruction_code */\n 0x55,\n 0x1d,\n 0x17,\n /* NID_hold_instruction_none */\n 0x2a,\n 0x86,\n 0x48,\n 0xce,\n 0x38,\n 0x02,\n 0x01,\n /* NID_hold_instruction_call_issuer */\n 0x2a,\n 0x86,\n 0x48,\n 0xce,\n 0x38,\n 0x02,\n 0x02,\n /* NID_hold_instruction_reject */\n 0x2a,\n 0x86,\n 0x48,\n 0xce,\n 0x38,\n 0x02,\n 0x03,\n /* NID_data */\n 0x09,\n /* NID_pss */\n 0x09,\n 0x92,\n 0x26,\n /* NID_ucl */\n 0x09,\n 0x92,\n 0x26,\n 0x89,\n 0x93,\n 0xf2,\n 0x2c,\n /* NID_pilot */\n 0x09,\n 0x92,\n 0x26,\n 0x89,\n 0x93,\n 0xf2,\n 0x2c,\n 0x64,\n /* NID_pilotAttributeType */\n 0x09,\n 0x92,\n 0x26,\n 0x89,\n 0x93,\n 0xf2,\n 0x2c,\n 0x64,\n 0x01,\n /* NID_pilotAttributeSyntax */\n 0x09,\n 0x92,\n 0x26,\n 0x89,\n 0x93,\n 0xf2,\n 0x2c,\n 0x64,\n 0x03,\n /* NID_pilotObjectClass */\n 0x09,\n 0x92,\n 0x26,\n 0x89,\n 0x93,\n 0xf2,\n 0x2c,\n 0x64,\n 0x04,\n /* NID_pilotGroups */\n 0x09,\n 0x92,\n 0x26,\n 0x89,\n 0x93,\n 0xf2,\n 0x2c,\n 0x64,\n 0x0a,\n /* NID_iA5StringSyntax */\n 0x09,\n 0x92,\n 0x26,\n 0x89,\n 0x93,\n 0xf2,\n 0x2c,\n 0x64,\n 0x03,\n 0x04,\n /* NID_caseIgnoreIA5StringSyntax */\n 0x09,\n 0x92,\n 0x26,\n 0x89,\n 0x93,\n 0xf2,\n 0x2c,\n 0x64,\n 0x03,\n 0x05,\n /* NID_pilotObject */\n 0x09,\n 0x92,\n 0x26,\n 0x89,\n 0x93,\n 0xf2,\n 0x2c,\n 0x64,\n 0x04,\n 0x03,\n /* NID_pilotPerson */\n 0x09,\n 0x92,\n 0x26,\n 0x89,\n 0x93,\n 0xf2,\n 0x2c,\n 0x64,\n 0x04,\n 0x04,\n /* NID_account */\n 0x09,\n 0x92,\n 0x26,\n 0x89,\n 0x93,\n 0xf2,\n 0x2c,\n 0x64,\n 0x04,\n 0x05,\n /* NID_document */\n 0x09,\n 0x92,\n 0x26,\n 0x89,\n 0x93,\n 0xf2,\n 0x2c,\n 0x64,\n 0x04,\n 0x06,\n /* NID_room */\n 0x09,\n 0x92,\n 0x26,\n 0x89,\n 0x93,\n 0xf2,\n 0x2c,\n 0x64,\n 0x04,\n 0x07,\n /* NID_documentSeries */\n 0x09,\n 0x92,\n 0x26,\n 0x89,\n 0x93,\n 0xf2,\n 0x2c,\n 0x64,\n 0x04,\n 0x09,\n /* NID_rFC822localPart */\n 0x09,\n 0x92,\n 0x26,\n 0x89,\n 0x93,\n 0xf2,\n 0x2c,\n 0x64,\n 0x04,\n 0x0e,\n /* NID_dNSDomain */\n 0x09,\n 0x92,\n 0x26,\n 0x89,\n 0x93,\n 0xf2,\n 0x2c,\n 0x64,\n 0x04,\n 0x0f,\n /* NID_domainRelatedObject */\n 0x09,\n 0x92,\n 0x26,\n 0x89,\n 0x93,\n 0xf2,\n 0x2c,\n 0x64,\n 0x04,\n 0x11,\n /* NID_friendlyCountry */\n 0x09,\n 0x92,\n 0x26,\n 0x89,\n 0x93,\n 0xf2,\n 0x2c,\n 0x64,\n 0x04,\n 0x12,\n /* NID_simpleSecurityObject */\n 0x09,\n 0x92,\n 0x26,\n 0x89,\n 0x93,\n 0xf2,\n 0x2c,\n 0x64,\n 0x04,\n 0x13,\n /* NID_pilotOrganization */\n 0x09,\n 0x92,\n 0x26,\n 0x89,\n 0x93,\n 0xf2,\n 0x2c,\n 0x64,\n 0x04,\n 0x14,\n /* NID_pilotDSA */\n 0x09,\n 0x92,\n 0x26,\n 0x89,\n 0x93,\n 0xf2,\n 0x2c,\n 0x64,\n 0x04,\n 0x15,\n /* NID_qualityLabelledData */\n 0x09,\n 0x92,\n 0x26,\n 0x89,\n 0x93,\n 0xf2,\n 0x2c,\n 0x64,\n 0x04,\n 0x16,\n /* NID_userId */\n 0x09,\n 0x92,\n 0x26,\n 0x89,\n 0x93,\n 0xf2,\n 0x2c,\n 0x64,\n 0x01,\n 0x01,\n /* NID_textEncodedORAddress */\n 0x09,\n 0x92,\n 0x26,\n 0x89,\n 0x93,\n 0xf2,\n 0x2c,\n 0x64,\n 0x01,\n 0x02,\n /* NID_rfc822Mailbox */\n 0x09,\n 0x92,\n 0x26,\n 0x89,\n 0x93,\n 0xf2,\n 0x2c,\n 0x64,\n 0x01,\n 0x03,\n /* NID_info */\n 0x09,\n 0x92,\n 0x26,\n 0x89,\n 0x93,\n 0xf2,\n 0x2c,\n 0x64,\n 0x01,\n 0x04,\n /* NID_favouriteDrink */\n 0x09,\n 0x92,\n 0x26,\n 0x89,\n 0x93,\n 0xf2,\n 0x2c,\n 0x64,\n 0x01,\n 0x05,\n /* NID_roomNumber */\n 0x09,\n 0x92,\n 0x26,\n 0x89,\n 0x93,\n 0xf2,\n 0x2c,\n 0x64,\n 0x01,\n 0x06,\n /* NID_photo */\n 0x09,\n 0x92,\n 0x26,\n 0x89,\n 0x93,\n 0xf2,\n 0x2c,\n 0x64,\n 0x01,\n 0x07,\n /* NID_userClass */\n 0x09,\n 0x92,\n 0x26,\n 0x89,\n 0x93,\n 0xf2,\n 0x2c,\n 0x64,\n 0x01,\n 0x08,\n /* NID_host */\n 0x09,\n 0x92,\n 0x26,\n 0x89,\n 0x93,\n 0xf2,\n 0x2c,\n 0x64,\n 0x01,\n 0x09,\n /* NID_manager */\n 0x09,\n 0x92,\n 0x26,\n 0x89,\n 0x93,\n 0xf2,\n 0x2c,\n 0x64,\n 0x01,\n 0x0a,\n /* NID_documentIdentifier */\n 0x09,\n 0x92,\n 0x26,\n 0x89,\n 0x93,\n 0xf2,\n 0x2c,\n 0x64,\n 0x01,\n 0x0b,\n /* NID_documentTitle */\n 0x09,\n 0x92,\n 0x26,\n 0x89,\n 0x93,\n 0xf2,\n 0x2c,\n 0x64,\n 0x01,\n 0x0c,\n /* NID_documentVersion */\n 0x09,\n 0x92,\n 0x26,\n 0x89,\n 0x93,\n 0xf2,\n 0x2c,\n 0x64,\n 0x01,\n 0x0d,\n /* NID_documentAuthor */\n 0x09,\n 0x92,\n 0x26,\n 0x89,\n 0x93,\n 0xf2,\n 0x2c,\n 0x64,\n 0x01,\n 0x0e,\n /* NID_documentLocation */\n 0x09,\n 0x92,\n 0x26,\n 0x89,\n 0x93,\n 0xf2,\n 0x2c,\n 0x64,\n 0x01,\n 0x0f,\n /* NID_homeTelephoneNumber */\n 0x09,\n 0x92,\n 0x26,\n 0x89,\n 0x93,\n 0xf2,\n 0x2c,\n 0x64,\n 0x01,\n 0x14,\n /* NID_secretary */\n 0x09,\n 0x92,\n 0x26,\n 0x89,\n 0x93,\n 0xf2,\n 0x2c,\n 0x64,\n 0x01,\n 0x15,\n /* NID_otherMailbox */\n 0x09,\n 0x92,\n 0x26,\n 0x89,\n 0x93,\n 0xf2,\n 0x2c,\n 0x64,\n 0x01,\n 0x16,\n /* NID_lastModifiedTime */\n 0x09,\n 0x92,\n 0x26,\n 0x89,\n 0x93,\n 0xf2,\n 0x2c,\n 0x64,\n 0x01,\n 0x17,\n /* NID_lastModifiedBy */\n 0x09,\n 0x92,\n 0x26,\n 0x89,\n 0x93,\n 0xf2,\n 0x2c,\n 0x64,\n 0x01,\n 0x18,\n /* NID_aRecord */\n 0x09,\n 0x92,\n 0x26,\n 0x89,\n 0x93,\n 0xf2,\n 0x2c,\n 0x64,\n 0x01,\n 0x1a,\n /* NID_pilotAttributeType27 */\n 0x09,\n 0x92,\n 0x26,\n 0x89,\n 0x93,\n 0xf2,\n 0x2c,\n 0x64,\n 0x01,\n 0x1b,\n /* NID_mXRecord */\n 0x09,\n 0x92,\n 0x26,\n 0x89,\n 0x93,\n 0xf2,\n 0x2c,\n 0x64,\n 0x01,\n 0x1c,\n /* NID_nSRecord */\n 0x09,\n 0x92,\n 0x26,\n 0x89,\n 0x93,\n 0xf2,\n 0x2c,\n 0x64,\n 0x01,\n 0x1d,\n /* NID_sOARecord */\n 0x09,\n 0x92,\n 0x26,\n 0x89,\n 0x93,\n 0xf2,\n 0x2c,\n 0x64,\n 0x01,\n 0x1e,\n /* NID_cNAMERecord */\n 0x09,\n 0x92,\n 0x26,\n 0x89,\n 0x93,\n 0xf2,\n 0x2c,\n 0x64,\n 0x01,\n 0x1f,\n /* NID_associatedDomain */\n 0x09,\n 0x92,\n 0x26,\n 0x89,\n 0x93,\n 0xf2,\n 0x2c,\n 0x64,\n 0x01,\n 0x25,\n /* NID_associatedName */\n 0x09,\n 0x92,\n 0x26,\n 0x89,\n 0x93,\n 0xf2,\n 0x2c,\n 0x64,\n 0x01,\n 0x26,\n /* NID_homePostalAddress */\n 0x09,\n 0x92,\n 0x26,\n 0x89,\n 0x93,\n 0xf2,\n 0x2c,\n 0x64,\n 0x01,\n 0x27,\n /* NID_personalTitle */\n 0x09,\n 0x92,\n 0x26,\n 0x89,\n 0x93,\n 0xf2,\n 0x2c,\n 0x64,\n 0x01,\n 0x28,\n /* NID_mobileTelephoneNumber */\n 0x09,\n 0x92,\n 0x26,\n 0x89,\n 0x93,\n 0xf2,\n 0x2c,\n 0x64,\n 0x01,\n 0x29,\n /* NID_pagerTelephoneNumber */\n 0x09,\n 0x92,\n 0x26,\n 0x89,\n 0x93,\n 0xf2,\n 0x2c,\n 0x64,\n 0x01,\n 0x2a,\n /* NID_friendlyCountryName */\n 0x09,\n 0x92,\n 0x26,\n 0x89,\n 0x93,\n 0xf2,\n 0x2c,\n 0x64,\n 0x01,\n 0x2b,\n /* NID_organizationalStatus */\n 0x09,\n 0x92,\n 0x26,\n 0x89,\n 0x93,\n 0xf2,\n 0x2c,\n 0x64,\n 0x01,\n 0x2d,\n /* NID_janetMailbox */\n 0x09,\n 0x92,\n 0x26,\n 0x89,\n 0x93,\n 0xf2,\n 0x2c,\n 0x64,\n 0x01,\n 0x2e,\n /* NID_mailPreferenceOption */\n 0x09,\n 0x92,\n 0x26,\n 0x89,\n 0x93,\n 0xf2,\n 0x2c,\n 0x64,\n 0x01,\n 0x2f,\n /* NID_buildingName */\n 0x09,\n 0x92,\n 0x26,\n 0x89,\n 0x93,\n 0xf2,\n 0x2c,\n 0x64,\n 0x01,\n 0x30,\n /* NID_dSAQuality */\n 0x09,\n 0x92,\n 0x26,\n 0x89,\n 0x93,\n 0xf2,\n 0x2c,\n 0x64,\n 0x01,\n 0x31,\n /* NID_singleLevelQuality */\n 0x09,\n 0x92,\n 0x26,\n 0x89,\n 0x93,\n 0xf2,\n 0x2c,\n 0x64,\n 0x01,\n 0x32,\n /* NID_subtreeMinimumQuality */\n 0x09,\n 0x92,\n 0x26,\n 0x89,\n 0x93,\n 0xf2,\n 0x2c,\n 0x64,\n 0x01,\n 0x33,\n /* NID_subtreeMaximumQuality */\n 0x09,\n 0x92,\n 0x26,\n 0x89,\n 0x93,\n 0xf2,\n 0x2c,\n 0x64,\n 0x01,\n 0x34,\n /* NID_personalSignature */\n 0x09,\n 0x92,\n 0x26,\n 0x89,\n 0x93,\n 0xf2,\n 0x2c,\n 0x64,\n 0x01,\n 0x35,\n /* NID_dITRedirect */\n 0x09,\n 0x92,\n 0x26,\n 0x89,\n 0x93,\n 0xf2,\n 0x2c,\n 0x64,\n 0x01,\n 0x36,\n /* NID_audio */\n 0x09,\n 0x92,\n 0x26,\n 0x89,\n 0x93,\n 0xf2,\n 0x2c,\n 0x64,\n 0x01,\n 0x37,\n /* NID_documentPublisher */\n 0x09,\n 0x92,\n 0x26,\n 0x89,\n 0x93,\n 0xf2,\n 0x2c,\n 0x64,\n 0x01,\n 0x38,\n /* NID_x500UniqueIdentifier */\n 0x55,\n 0x04,\n 0x2d,\n /* NID_mime_mhs */\n 0x2b,\n 0x06,\n 0x01,\n 0x07,\n 0x01,\n /* NID_mime_mhs_headings */\n 0x2b,\n 0x06,\n 0x01,\n 0x07,\n 0x01,\n 0x01,\n /* NID_mime_mhs_bodies */\n 0x2b,\n 0x06,\n 0x01,\n 0x07,\n 0x01,\n 0x02,\n /* NID_id_hex_partial_message */\n 0x2b,\n 0x06,\n 0x01,\n 0x07,\n 0x01,\n 0x01,\n 0x01,\n /* NID_id_hex_multipart_message */\n 0x2b,\n 0x06,\n 0x01,\n 0x07,\n 0x01,\n 0x01,\n 0x02,\n /* NID_generationQualifier */\n 0x55,\n 0x04,\n 0x2c,\n /* NID_pseudonym */\n 0x55,\n 0x04,\n 0x41,\n /* NID_id_set */\n 0x67,\n 0x2a,\n /* NID_set_ctype */\n 0x67,\n 0x2a,\n 0x00,\n /* NID_set_msgExt */\n 0x67,\n 0x2a,\n 0x01,\n /* NID_set_attr */\n 0x67,\n 0x2a,\n 0x03,\n /* NID_set_policy */\n 0x67,\n 0x2a,\n 0x05,\n /* NID_set_certExt */\n 0x67,\n 0x2a,\n 0x07,\n /* NID_set_brand */\n 0x67,\n 0x2a,\n 0x08,\n /* NID_setct_PANData */\n 0x67,\n 0x2a,\n 0x00,\n 0x00,\n /* NID_setct_PANToken */\n 0x67,\n 0x2a,\n 0x00,\n 0x01,\n /* NID_setct_PANOnly */\n 0x67,\n 0x2a,\n 0x00,\n 0x02,\n /* NID_setct_OIData */\n 0x67,\n 0x2a,\n 0x00,\n 0x03,\n /* NID_setct_PI */\n 0x67,\n 0x2a,\n 0x00,\n 0x04,\n /* NID_setct_PIData */\n 0x67,\n 0x2a,\n 0x00,\n 0x05,\n /* NID_setct_PIDataUnsigned */\n 0x67,\n 0x2a,\n 0x00,\n 0x06,\n /* NID_setct_HODInput */\n 0x67,\n 0x2a,\n 0x00,\n 0x07,\n /* NID_setct_AuthResBaggage */\n 0x67,\n 0x2a,\n 0x00,\n 0x08,\n /* NID_setct_AuthRevReqBaggage */\n 0x67,\n 0x2a,\n 0x00,\n 0x09,\n /* NID_setct_AuthRevResBaggage */\n 0x67,\n 0x2a,\n 0x00,\n 0x0a,\n /* NID_setct_CapTokenSeq */\n 0x67,\n 0x2a,\n 0x00,\n 0x0b,\n /* NID_setct_PInitResData */\n 0x67,\n 0x2a,\n 0x00,\n 0x0c,\n /* NID_setct_PI_TBS */\n 0x67,\n 0x2a,\n 0x00,\n 0x0d,\n /* NID_setct_PResData */\n 0x67,\n 0x2a,\n 0x00,\n 0x0e,\n /* NID_setct_AuthReqTBS */\n 0x67,\n 0x2a,\n 0x00,\n 0x10,\n /* NID_setct_AuthResTBS */\n 0x67,\n 0x2a,\n 0x00,\n 0x11,\n /* NID_setct_AuthResTBSX */\n 0x67,\n 0x2a,\n 0x00,\n 0x12,\n /* NID_setct_AuthTokenTBS */\n 0x67,\n 0x2a,\n 0x00,\n 0x13,\n /* NID_setct_CapTokenData */\n 0x67,\n 0x2a,\n 0x00,\n 0x14,\n /* NID_setct_CapTokenTBS */\n 0x67,\n 0x2a,\n 0x00,\n 0x15,\n /* NID_setct_AcqCardCodeMsg */\n 0x67,\n 0x2a,\n 0x00,\n 0x16,\n /* NID_setct_AuthRevReqTBS */\n 0x67,\n 0x2a,\n 0x00,\n 0x17,\n /* NID_setct_AuthRevResData */\n 0x67,\n 0x2a,\n 0x00,\n 0x18,\n /* NID_setct_AuthRevResTBS */\n 0x67,\n 0x2a,\n 0x00,\n 0x19,\n /* NID_setct_CapReqTBS */\n 0x67,\n 0x2a,\n 0x00,\n 0x1a,\n /* NID_setct_CapReqTBSX */\n 0x67,\n 0x2a,\n 0x00,\n 0x1b,\n /* NID_setct_CapResData */\n 0x67,\n 0x2a,\n 0x00,\n 0x1c,\n /* NID_setct_CapRevReqTBS */\n 0x67,\n 0x2a,\n 0x00,\n 0x1d,\n /* NID_setct_CapRevReqTBSX */\n 0x67,\n 0x2a,\n 0x00,\n 0x1e,\n /* NID_setct_CapRevResData */\n 0x67,\n 0x2a,\n 0x00,\n 0x1f,\n /* NID_setct_CredReqTBS */\n 0x67,\n 0x2a,\n 0x00,\n 0x20,\n /* NID_setct_CredReqTBSX */\n 0x67,\n 0x2a,\n 0x00,\n 0x21,\n /* NID_setct_CredResData */\n 0x67,\n 0x2a,\n 0x00,\n 0x22,\n /* NID_setct_CredRevReqTBS */\n 0x67,\n 0x2a,\n 0x00,\n 0x23,\n /* NID_setct_CredRevReqTBSX */\n 0x67,\n 0x2a,\n 0x00,\n 0x24,\n /* NID_setct_CredRevResData */\n 0x67,\n 0x2a,\n 0x00,\n 0x25,\n /* NID_setct_PCertReqData */\n 0x67,\n 0x2a,\n 0x00,\n 0x26,\n /* NID_setct_PCertResTBS */\n 0x67,\n 0x2a,\n 0x00,\n 0x27,\n /* NID_setct_BatchAdminReqData */\n 0x67,\n 0x2a,\n 0x00,\n 0x28,\n /* NID_setct_BatchAdminResData */\n 0x67,\n 0x2a,\n 0x00,\n 0x29,\n /* NID_setct_CardCInitResTBS */\n 0x67,\n 0x2a,\n 0x00,\n 0x2a,\n /* NID_setct_MeAqCInitResTBS */\n 0x67,\n 0x2a,\n 0x00,\n 0x2b,\n /* NID_setct_RegFormResTBS */\n 0x67,\n 0x2a,\n 0x00,\n 0x2c,\n /* NID_setct_CertReqData */\n 0x67,\n 0x2a,\n 0x00,\n 0x2d,\n /* NID_setct_CertReqTBS */\n 0x67,\n 0x2a,\n 0x00,\n 0x2e,\n /* NID_setct_CertResData */\n 0x67,\n 0x2a,\n 0x00,\n 0x2f,\n /* NID_setct_CertInqReqTBS */\n 0x67,\n 0x2a,\n 0x00,\n 0x30,\n /* NID_setct_ErrorTBS */\n 0x67,\n 0x2a,\n 0x00,\n 0x31,\n /* NID_setct_PIDualSignedTBE */\n 0x67,\n 0x2a,\n 0x00,\n 0x32,\n /* NID_setct_PIUnsignedTBE */\n 0x67,\n 0x2a,\n 0x00,\n 0x33,\n /* NID_setct_AuthReqTBE */\n 0x67,\n 0x2a,\n 0x00,\n 0x34,\n /* NID_setct_AuthResTBE */\n 0x67,\n 0x2a,\n 0x00,\n 0x35,\n /* NID_setct_AuthResTBEX */\n 0x67,\n 0x2a,\n 0x00,\n 0x36,\n /* NID_setct_AuthTokenTBE */\n 0x67,\n 0x2a,\n 0x00,\n 0x37,\n /* NID_setct_CapTokenTBE */\n 0x67,\n 0x2a,\n 0x00,\n 0x38,\n /* NID_setct_CapTokenTBEX */\n 0x67,\n 0x2a,\n 0x00,\n 0x39,\n /* NID_setct_AcqCardCodeMsgTBE */\n 0x67,\n 0x2a,\n 0x00,\n 0x3a,\n /* NID_setct_AuthRevReqTBE */\n 0x67,\n 0x2a,\n 0x00,\n 0x3b,\n /* NID_setct_AuthRevResTBE */\n 0x67,\n 0x2a,\n 0x00,\n 0x3c,\n /* NID_setct_AuthRevResTBEB */\n 0x67,\n 0x2a,\n 0x00,\n 0x3d,\n /* NID_setct_CapReqTBE */\n 0x67,\n 0x2a,\n 0x00,\n 0x3e,\n /* NID_setct_CapReqTBEX */\n 0x67,\n 0x2a,\n 0x00,\n 0x3f,\n /* NID_setct_CapResTBE */\n 0x67,\n 0x2a,\n 0x00,\n 0x40,\n /* NID_setct_CapRevReqTBE */\n 0x67,\n 0x2a,\n 0x00,\n 0x41,\n /* NID_setct_CapRevReqTBEX */\n 0x67,\n 0x2a,\n 0x00,\n 0x42,\n /* NID_setct_CapRevResTBE */\n 0x67,\n 0x2a,\n 0x00,\n 0x43,\n /* NID_setct_CredReqTBE */\n 0x67,\n 0x2a,\n 0x00,\n 0x44,\n /* NID_setct_CredReqTBEX */\n 0x67,\n 0x2a,\n 0x00,\n 0x45,\n /* NID_setct_CredResTBE */\n 0x67,\n 0x2a,\n 0x00,\n 0x46,\n /* NID_setct_CredRevReqTBE */\n 0x67,\n 0x2a,\n 0x00,\n 0x47,\n /* NID_setct_CredRevReqTBEX */\n 0x67,\n 0x2a,\n 0x00,\n 0x48,\n /* NID_setct_CredRevResTBE */\n 0x67,\n 0x2a,\n 0x00,\n 0x49,\n /* NID_setct_BatchAdminReqTBE */\n 0x67,\n 0x2a,\n 0x00,\n 0x4a,\n /* NID_setct_BatchAdminResTBE */\n 0x67,\n 0x2a,\n 0x00,\n 0x4b,\n /* NID_setct_RegFormReqTBE */\n 0x67,\n 0x2a,\n 0x00,\n 0x4c,\n /* NID_setct_CertReqTBE */\n 0x67,\n 0x2a,\n 0x00,\n 0x4d,\n /* NID_setct_CertReqTBEX */\n 0x67,\n 0x2a,\n 0x00,\n 0x4e,\n /* NID_setct_CertResTBE */\n 0x67,\n 0x2a,\n 0x00,\n 0x4f,\n /* NID_setct_CRLNotificationTBS */\n 0x67,\n 0x2a,\n 0x00,\n 0x50,\n /* NID_setct_CRLNotificationResTBS */\n 0x67,\n 0x2a,\n 0x00,\n 0x51,\n /* NID_setct_BCIDistributionTBS */\n 0x67,\n 0x2a,\n 0x00,\n 0x52,\n /* NID_setext_genCrypt */\n 0x67,\n 0x2a,\n 0x01,\n 0x01,\n /* NID_setext_miAuth */\n 0x67,\n 0x2a,\n 0x01,\n 0x03,\n /* NID_setext_pinSecure */\n 0x67,\n 0x2a,\n 0x01,\n 0x04,\n /* NID_setext_pinAny */\n 0x67,\n 0x2a,\n 0x01,\n 0x05,\n /* NID_setext_track2 */\n 0x67,\n 0x2a,\n 0x01,\n 0x07,\n /* NID_setext_cv */\n 0x67,\n 0x2a,\n 0x01,\n 0x08,\n /* NID_set_policy_root */\n 0x67,\n 0x2a,\n 0x05,\n 0x00,\n /* NID_setCext_hashedRoot */\n 0x67,\n 0x2a,\n 0x07,\n 0x00,\n /* NID_setCext_certType */\n 0x67,\n 0x2a,\n 0x07,\n 0x01,\n /* NID_setCext_merchData */\n 0x67,\n 0x2a,\n 0x07,\n 0x02,\n /* NID_setCext_cCertRequired */\n 0x67,\n 0x2a,\n 0x07,\n 0x03,\n /* NID_setCext_tunneling */\n 0x67,\n 0x2a,\n 0x07,\n 0x04,\n /* NID_setCext_setExt */\n 0x67,\n 0x2a,\n 0x07,\n 0x05,\n /* NID_setCext_setQualf */\n 0x67,\n 0x2a,\n 0x07,\n 0x06,\n /* NID_setCext_PGWYcapabilities */\n 0x67,\n 0x2a,\n 0x07,\n 0x07,\n /* NID_setCext_TokenIdentifier */\n 0x67,\n 0x2a,\n 0x07,\n 0x08,\n /* NID_setCext_Track2Data */\n 0x67,\n 0x2a,\n 0x07,\n 0x09,\n /* NID_setCext_TokenType */\n 0x67,\n 0x2a,\n 0x07,\n 0x0a,\n /* NID_setCext_IssuerCapabilities */\n 0x67,\n 0x2a,\n 0x07,\n 0x0b,\n /* NID_setAttr_Cert */\n 0x67,\n 0x2a,\n 0x03,\n 0x00,\n /* NID_setAttr_PGWYcap */\n 0x67,\n 0x2a,\n 0x03,\n 0x01,\n /* NID_setAttr_TokenType */\n 0x67,\n 0x2a,\n 0x03,\n 0x02,\n /* NID_setAttr_IssCap */\n 0x67,\n 0x2a,\n 0x03,\n 0x03,\n /* NID_set_rootKeyThumb */\n 0x67,\n 0x2a,\n 0x03,\n 0x00,\n 0x00,\n /* NID_set_addPolicy */\n 0x67,\n 0x2a,\n 0x03,\n 0x00,\n 0x01,\n /* NID_setAttr_Token_EMV */\n 0x67,\n 0x2a,\n 0x03,\n 0x02,\n 0x01,\n /* NID_setAttr_Token_B0Prime */\n 0x67,\n 0x2a,\n 0x03,\n 0x02,\n 0x02,\n /* NID_setAttr_IssCap_CVM */\n 0x67,\n 0x2a,\n 0x03,\n 0x03,\n 0x03,\n /* NID_setAttr_IssCap_T2 */\n 0x67,\n 0x2a,\n 0x03,\n 0x03,\n 0x04,\n /* NID_setAttr_IssCap_Sig */\n 0x67,\n 0x2a,\n 0x03,\n 0x03,\n 0x05,\n /* NID_setAttr_GenCryptgrm */\n 0x67,\n 0x2a,\n 0x03,\n 0x03,\n 0x03,\n 0x01,\n /* NID_setAttr_T2Enc */\n 0x67,\n 0x2a,\n 0x03,\n 0x03,\n 0x04,\n 0x01,\n /* NID_setAttr_T2cleartxt */\n 0x67,\n 0x2a,\n 0x03,\n 0x03,\n 0x04,\n 0x02,\n /* NID_setAttr_TokICCsig */\n 0x67,\n 0x2a,\n 0x03,\n 0x03,\n 0x05,\n 0x01,\n /* NID_setAttr_SecDevSig */\n 0x67,\n 0x2a,\n 0x03,\n 0x03,\n 0x05,\n 0x02,\n /* NID_set_brand_IATA_ATA */\n 0x67,\n 0x2a,\n 0x08,\n 0x01,\n /* NID_set_brand_Diners */\n 0x67,\n 0x2a,\n 0x08,\n 0x1e,\n /* NID_set_brand_AmericanExpress */\n 0x67,\n 0x2a,\n 0x08,\n 0x22,\n /* NID_set_brand_JCB */\n 0x67,\n 0x2a,\n 0x08,\n 0x23,\n /* NID_set_brand_Visa */\n 0x67,\n 0x2a,\n 0x08,\n 0x04,\n /* NID_set_brand_MasterCard */\n 0x67,\n 0x2a,\n 0x08,\n 0x05,\n /* NID_set_brand_Novus */\n 0x67,\n 0x2a,\n 0x08,\n 0xae,\n 0x7b,\n /* NID_des_cdmf */\n 0x2a,\n 0x86,\n 0x48,\n 0x86,\n 0xf7,\n 0x0d,\n 0x03,\n 0x0a,\n /* NID_rsaOAEPEncryptionSET */\n 0x2a,\n 0x86,\n 0x48,\n 0x86,\n 0xf7,\n 0x0d,\n 0x01,\n 0x01,\n 0x06,\n /* NID_international_organizations */\n 0x67,\n /* NID_ms_smartcard_login */\n 0x2b,\n 0x06,\n 0x01,\n 0x04,\n 0x01,\n 0x82,\n 0x37,\n 0x14,\n 0x02,\n 0x02,\n /* NID_ms_upn */\n 0x2b,\n 0x06,\n 0x01,\n 0x04,\n 0x01,\n 0x82,\n 0x37,\n 0x14,\n 0x02,\n 0x03,\n /* NID_streetAddress */\n 0x55,\n 0x04,\n 0x09,\n /* NID_postalCode */\n 0x55,\n 0x04,\n 0x11,\n /* NID_id_ppl */\n 0x2b,\n 0x06,\n 0x01,\n 0x05,\n 0x05,\n 0x07,\n 0x15,\n /* NID_proxyCertInfo */\n 0x2b,\n 0x06,\n 0x01,\n 0x05,\n 0x05,\n 0x07,\n 0x01,\n 0x0e,\n /* NID_id_ppl_anyLanguage */\n 0x2b,\n 0x06,\n 0x01,\n 0x05,\n 0x05,\n 0x07,\n 0x15,\n 0x00,\n /* NID_id_ppl_inheritAll */\n 0x2b,\n 0x06,\n 0x01,\n 0x05,\n 0x05,\n 0x07,\n 0x15,\n 0x01,\n /* NID_name_constraints */\n 0x55,\n 0x1d,\n 0x1e,\n /* NID_Independent */\n 0x2b,\n 0x06,\n 0x01,\n 0x05,\n 0x05,\n 0x07,\n 0x15,\n 0x02,\n /* NID_sha256WithRSAEncryption */\n 0x2a,\n 0x86,\n 0x48,\n 0x86,\n 0xf7,\n 0x0d,\n 0x01,\n 0x01,\n 0x0b,\n /* NID_sha384WithRSAEncryption */\n 0x2a,\n 0x86,\n 0x48,\n 0x86,\n 0xf7,\n 0x0d,\n 0x01,\n 0x01,\n 0x0c,\n /* NID_sha512WithRSAEncryption */\n 0x2a,\n 0x86,\n 0x48,\n 0x86,\n 0xf7,\n 0x0d,\n 0x01,\n 0x01,\n 0x0d,\n /* NID_sha224WithRSAEncryption */\n 0x2a,\n 0x86,\n 0x48,\n 0x86,\n 0xf7,\n 0x0d,\n 0x01,\n 0x01,\n 0x0e,\n /* NID_sha256 */\n 0x60,\n 0x86,\n 0x48,\n 0x01,\n 0x65,\n 0x03,\n 0x04,\n 0x02,\n 0x01,\n /* NID_sha384 */\n 0x60,\n 0x86,\n 0x48,\n 0x01,\n 0x65,\n 0x03,\n 0x04,\n 0x02,\n 0x02,\n /* NID_sha512 */\n 0x60,\n 0x86,\n 0x48,\n 0x01,\n 0x65,\n 0x03,\n 0x04,\n 0x02,\n 0x03,\n /* NID_sha224 */\n 0x60,\n 0x86,\n 0x48,\n 0x01,\n 0x65,\n 0x03,\n 0x04,\n 0x02,\n 0x04,\n /* NID_identified_organization */\n 0x2b,\n /* NID_certicom_arc */\n 0x2b,\n 0x81,\n 0x04,\n /* NID_wap */\n 0x67,\n 0x2b,\n /* NID_wap_wsg */\n 0x67,\n 0x2b,\n 0x01,\n /* NID_X9_62_id_characteristic_two_basis */\n 0x2a,\n 0x86,\n 0x48,\n 0xce,\n 0x3d,\n 0x01,\n 0x02,\n 0x03,\n /* NID_X9_62_onBasis */\n 0x2a,\n 0x86,\n 0x48,\n 0xce,\n 0x3d,\n 0x01,\n 0x02,\n 0x03,\n 0x01,\n /* NID_X9_62_tpBasis */\n 0x2a,\n 0x86,\n 0x48,\n 0xce,\n 0x3d,\n 0x01,\n 0x02,\n 0x03,\n 0x02,\n /* NID_X9_62_ppBasis */\n 0x2a,\n 0x86,\n 0x48,\n 0xce,\n 0x3d,\n 0x01,\n 0x02,\n 0x03,\n 0x03,\n /* NID_X9_62_c2pnb163v1 */\n 0x2a,\n 0x86,\n 0x48,\n 0xce,\n 0x3d,\n 0x03,\n 0x00,\n 0x01,\n /* NID_X9_62_c2pnb163v2 */\n 0x2a,\n 0x86,\n 0x48,\n 0xce,\n 0x3d,\n 0x03,\n 0x00,\n 0x02,\n /* NID_X9_62_c2pnb163v3 */\n 0x2a,\n 0x86,\n 0x48,\n 0xce,\n 0x3d,\n 0x03,\n 0x00,\n 0x03,\n /* NID_X9_62_c2pnb176v1 */\n 0x2a,\n 0x86,\n 0x48,\n 0xce,\n 0x3d,\n 0x03,\n 0x00,\n 0x04,\n /* NID_X9_62_c2tnb191v1 */\n 0x2a,\n 0x86,\n 0x48,\n 0xce,\n 0x3d,\n 0x03,\n 0x00,\n 0x05,\n /* NID_X9_62_c2tnb191v2 */\n 0x2a,\n 0x86,\n 0x48,\n 0xce,\n 0x3d,\n 0x03,\n 0x00,\n 0x06,\n /* NID_X9_62_c2tnb191v3 */\n 0x2a,\n 0x86,\n 0x48,\n 0xce,\n 0x3d,\n 0x03,\n 0x00,\n 0x07,\n /* NID_X9_62_c2onb191v4 */\n 0x2a,\n 0x86,\n 0x48,\n 0xce,\n 0x3d,\n 0x03,\n 0x00,\n 0x08,\n /* NID_X9_62_c2onb191v5 */\n 0x2a,\n 0x86,\n 0x48,\n 0xce,\n 0x3d,\n 0x03,\n 0x00,\n 0x09,\n /* NID_X9_62_c2pnb208w1 */\n 0x2a,\n 0x86,\n 0x48,\n 0xce,\n 0x3d,\n 0x03,\n 0x00,\n 0x0a,\n /* NID_X9_62_c2tnb239v1 */\n 0x2a,\n 0x86,\n 0x48,\n 0xce,\n 0x3d,\n 0x03,\n 0x00,\n 0x0b,\n /* NID_X9_62_c2tnb239v2 */\n 0x2a,\n 0x86,\n 0x48,\n 0xce,\n 0x3d,\n 0x03,\n 0x00,\n 0x0c,\n /* NID_X9_62_c2tnb239v3 */\n 0x2a,\n 0x86,\n 0x48,\n 0xce,\n 0x3d,\n 0x03,\n 0x00,\n 0x0d,\n /* NID_X9_62_c2onb239v4 */\n 0x2a,\n 0x86,\n 0x48,\n 0xce,\n 0x3d,\n 0x03,\n 0x00,\n 0x0e,\n /* NID_X9_62_c2onb239v5 */\n 0x2a,\n 0x86,\n 0x48,\n 0xce,\n 0x3d,\n 0x03,\n 0x00,\n 0x0f,\n /* NID_X9_62_c2pnb272w1 */\n 0x2a,\n 0x86,\n 0x48,\n 0xce,\n 0x3d,\n 0x03,\n 0x00,\n 0x10,\n /* NID_X9_62_c2pnb304w1 */\n 0x2a,\n 0x86,\n 0x48,\n 0xce,\n 0x3d,\n 0x03,\n 0x00,\n 0x11,\n /* NID_X9_62_c2tnb359v1 */\n 0x2a,\n 0x86,\n 0x48,\n 0xce,\n 0x3d,\n 0x03,\n 0x00,\n 0x12,\n /* NID_X9_62_c2pnb368w1 */\n 0x2a,\n 0x86,\n 0x48,\n 0xce,\n 0x3d,\n 0x03,\n 0x00,\n 0x13,\n /* NID_X9_62_c2tnb431r1 */\n 0x2a,\n 0x86,\n 0x48,\n 0xce,\n 0x3d,\n 0x03,\n 0x00,\n 0x14,\n /* NID_secp112r1 */\n 0x2b,\n 0x81,\n 0x04,\n 0x00,\n 0x06,\n /* NID_secp112r2 */\n 0x2b,\n 0x81,\n 0x04,\n 0x00,\n 0x07,\n /* NID_secp128r1 */\n 0x2b,\n 0x81,\n 0x04,\n 0x00,\n 0x1c,\n /* NID_secp128r2 */\n 0x2b,\n 0x81,\n 0x04,\n 0x00,\n 0x1d,\n /* NID_secp160k1 */\n 0x2b,\n 0x81,\n 0x04,\n 0x00,\n 0x09,\n /* NID_secp160r1 */\n 0x2b,\n 0x81,\n 0x04,\n 0x00,\n 0x08,\n /* NID_secp160r2 */\n 0x2b,\n 0x81,\n 0x04,\n 0x00,\n 0x1e,\n /* NID_secp192k1 */\n 0x2b,\n 0x81,\n 0x04,\n 0x00,\n 0x1f,\n /* NID_secp224k1 */\n 0x2b,\n 0x81,\n 0x04,\n 0x00,\n 0x20,\n /* NID_secp224r1 */\n 0x2b,\n 0x81,\n 0x04,\n 0x00,\n 0x21,\n /* NID_secp256k1 */\n 0x2b,\n 0x81,\n 0x04,\n 0x00,\n 0x0a,\n /* NID_secp384r1 */\n 0x2b,\n 0x81,\n 0x04,\n 0x00,\n 0x22,\n /* NID_secp521r1 */\n 0x2b,\n 0x81,\n 0x04,\n 0x00,\n 0x23,\n /* NID_sect113r1 */\n 0x2b,\n 0x81,\n 0x04,\n 0x00,\n 0x04,\n /* NID_sect113r2 */\n 0x2b,\n 0x81,\n 0x04,\n 0x00,\n 0x05,\n /* NID_sect131r1 */\n 0x2b,\n 0x81,\n 0x04,\n 0x00,\n 0x16,\n /* NID_sect131r2 */\n 0x2b,\n 0x81,\n 0x04,\n 0x00,\n 0x17,\n /* NID_sect163k1 */\n 0x2b,\n 0x81,\n 0x04,\n 0x00,\n 0x01,\n /* NID_sect163r1 */\n 0x2b,\n 0x81,\n 0x04,\n 0x00,\n 0x02,\n /* NID_sect163r2 */\n 0x2b,\n 0x81,\n 0x04,\n 0x00,\n 0x0f,\n /* NID_sect193r1 */\n 0x2b,\n 0x81,\n 0x04,\n 0x00,\n 0x18,\n /* NID_sect193r2 */\n 0x2b,\n 0x81,\n 0x04,\n 0x00,\n 0x19,\n /* NID_sect233k1 */\n 0x2b,\n 0x81,\n 0x04,\n 0x00,\n 0x1a,\n /* NID_sect233r1 */\n 0x2b,\n 0x81,\n 0x04,\n 0x00,\n 0x1b,\n /* NID_sect239k1 */\n 0x2b,\n 0x81,\n 0x04,\n 0x00,\n 0x03,\n /* NID_sect283k1 */\n 0x2b,\n 0x81,\n 0x04,\n 0x00,\n 0x10,\n /* NID_sect283r1 */\n 0x2b,\n 0x81,\n 0x04,\n 0x00,\n 0x11,\n /* NID_sect409k1 */\n 0x2b,\n 0x81,\n 0x04,\n 0x00,\n 0x24,\n /* NID_sect409r1 */\n 0x2b,\n 0x81,\n 0x04,\n 0x00,\n 0x25,\n /* NID_sect571k1 */\n 0x2b,\n 0x81,\n 0x04,\n 0x00,\n 0x26,\n /* NID_sect571r1 */\n 0x2b,\n 0x81,\n 0x04,\n 0x00,\n 0x27,\n /* NID_wap_wsg_idm_ecid_wtls1 */\n 0x67,\n 0x2b,\n 0x01,\n 0x04,\n 0x01,\n /* NID_wap_wsg_idm_ecid_wtls3 */\n 0x67,\n 0x2b,\n 0x01,\n 0x04,\n 0x03,\n /* NID_wap_wsg_idm_ecid_wtls4 */\n 0x67,\n 0x2b,\n 0x01,\n 0x04,\n 0x04,\n /* NID_wap_wsg_idm_ecid_wtls5 */\n 0x67,\n 0x2b,\n 0x01,\n 0x04,\n 0x05,\n /* NID_wap_wsg_idm_ecid_wtls6 */\n 0x67,\n 0x2b,\n 0x01,\n 0x04,\n 0x06,\n /* NID_wap_wsg_idm_ecid_wtls7 */\n 0x67,\n 0x2b,\n 0x01,\n 0x04,\n 0x07,\n /* NID_wap_wsg_idm_ecid_wtls8 */\n 0x67,\n 0x2b,\n 0x01,\n 0x04,\n 0x08,\n /* NID_wap_wsg_idm_ecid_wtls9 */\n 0x67,\n 0x2b,\n 0x01,\n 0x04,\n 0x09,\n /* NID_wap_wsg_idm_ecid_wtls10 */\n 0x67,\n 0x2b,\n 0x01,\n 0x04,\n 0x0a,\n /* NID_wap_wsg_idm_ecid_wtls11 */\n 0x67,\n 0x2b,\n 0x01,\n 0x04,\n 0x0b,\n /* NID_wap_wsg_idm_ecid_wtls12 */\n 0x67,\n 0x2b,\n 0x01,\n 0x04,\n 0x0c,\n /* NID_any_policy */\n 0x55,\n 0x1d,\n 0x20,\n 0x00,\n /* NID_policy_mappings */\n 0x55,\n 0x1d,\n 0x21,\n /* NID_inhibit_any_policy */\n 0x55,\n 0x1d,\n 0x36,\n /* NID_camellia_128_cbc */\n 0x2a,\n 0x83,\n 0x08,\n 0x8c,\n 0x9a,\n 0x4b,\n 0x3d,\n 0x01,\n 0x01,\n 0x01,\n 0x02,\n /* NID_camellia_192_cbc */\n 0x2a,\n 0x83,\n 0x08,\n 0x8c,\n 0x9a,\n 0x4b,\n 0x3d,\n 0x01,\n 0x01,\n 0x01,\n 0x03,\n /* NID_camellia_256_cbc */\n 0x2a,\n 0x83,\n 0x08,\n 0x8c,\n 0x9a,\n 0x4b,\n 0x3d,\n 0x01,\n 0x01,\n 0x01,\n 0x04,\n /* NID_camellia_128_ecb */\n 0x03,\n 0xa2,\n 0x31,\n 0x05,\n 0x03,\n 0x01,\n 0x09,\n 0x01,\n /* NID_camellia_192_ecb */\n 0x03,\n 0xa2,\n 0x31,\n 0x05,\n 0x03,\n 0x01,\n 0x09,\n 0x15,\n /* NID_camellia_256_ecb */\n 0x03,\n 0xa2,\n 0x31,\n 0x05,\n 0x03,\n 0x01,\n 0x09,\n 0x29,\n /* NID_camellia_128_cfb128 */\n 0x03,\n 0xa2,\n 0x31,\n 0x05,\n 0x03,\n 0x01,\n 0x09,\n 0x04,\n /* NID_camellia_192_cfb128 */\n 0x03,\n 0xa2,\n 0x31,\n 0x05,\n 0x03,\n 0x01,\n 0x09,\n 0x18,\n /* NID_camellia_256_cfb128 */\n 0x03,\n 0xa2,\n 0x31,\n 0x05,\n 0x03,\n 0x01,\n 0x09,\n 0x2c,\n /* NID_camellia_128_ofb128 */\n 0x03,\n 0xa2,\n 0x31,\n 0x05,\n 0x03,\n 0x01,\n 0x09,\n 0x03,\n /* NID_camellia_192_ofb128 */\n 0x03,\n 0xa2,\n 0x31,\n 0x05,\n 0x03,\n 0x01,\n 0x09,\n 0x17,\n /* NID_camellia_256_ofb128 */\n 0x03,\n 0xa2,\n 0x31,\n 0x05,\n 0x03,\n 0x01,\n 0x09,\n 0x2b,\n /* NID_subject_directory_attributes */\n 0x55,\n 0x1d,\n 0x09,\n /* NID_issuing_distribution_point */\n 0x55,\n 0x1d,\n 0x1c,\n /* NID_certificate_issuer */\n 0x55,\n 0x1d,\n 0x1d,\n /* NID_kisa */\n 0x2a,\n 0x83,\n 0x1a,\n 0x8c,\n 0x9a,\n 0x44,\n /* NID_seed_ecb */\n 0x2a,\n 0x83,\n 0x1a,\n 0x8c,\n 0x9a,\n 0x44,\n 0x01,\n 0x03,\n /* NID_seed_cbc */\n 0x2a,\n 0x83,\n 0x1a,\n 0x8c,\n 0x9a,\n 0x44,\n 0x01,\n 0x04,\n /* NID_seed_ofb128 */\n 0x2a,\n 0x83,\n 0x1a,\n 0x8c,\n 0x9a,\n 0x44,\n 0x01,\n 0x06,\n /* NID_seed_cfb128 */\n 0x2a,\n 0x83,\n 0x1a,\n 0x8c,\n 0x9a,\n 0x44,\n 0x01,\n 0x05,\n /* NID_hmac_md5 */\n 0x2b,\n 0x06,\n 0x01,\n 0x05,\n 0x05,\n 0x08,\n 0x01,\n 0x01,\n /* NID_hmac_sha1 */\n 0x2b,\n 0x06,\n 0x01,\n 0x05,\n 0x05,\n 0x08,\n 0x01,\n 0x02,\n /* NID_id_PasswordBasedMAC */\n 0x2a,\n 0x86,\n 0x48,\n 0x86,\n 0xf6,\n 0x7d,\n 0x07,\n 0x42,\n 0x0d,\n /* NID_id_DHBasedMac */\n 0x2a,\n 0x86,\n 0x48,\n 0x86,\n 0xf6,\n 0x7d,\n 0x07,\n 0x42,\n 0x1e,\n /* NID_id_it_suppLangTags */\n 0x2b,\n 0x06,\n 0x01,\n 0x05,\n 0x05,\n 0x07,\n 0x04,\n 0x10,\n /* NID_caRepository */\n 0x2b,\n 0x06,\n 0x01,\n 0x05,\n 0x05,\n 0x07,\n 0x30,\n 0x05,\n /* NID_id_smime_ct_compressedData */\n 0x2a,\n 0x86,\n 0x48,\n 0x86,\n 0xf7,\n 0x0d,\n 0x01,\n 0x09,\n 0x10,\n 0x01,\n 0x09,\n /* NID_id_ct_asciiTextWithCRLF */\n 0x2a,\n 0x86,\n 0x48,\n 0x86,\n 0xf7,\n 0x0d,\n 0x01,\n 0x09,\n 0x10,\n 0x01,\n 0x1b,\n /* NID_id_aes128_wrap */\n 0x60,\n 0x86,\n 0x48,\n 0x01,\n 0x65,\n 0x03,\n 0x04,\n 0x01,\n 0x05,\n /* NID_id_aes192_wrap */\n 0x60,\n 0x86,\n 0x48,\n 0x01,\n 0x65,\n 0x03,\n 0x04,\n 0x01,\n 0x19,\n /* NID_id_aes256_wrap */\n 0x60,\n 0x86,\n 0x48,\n 0x01,\n 0x65,\n 0x03,\n 0x04,\n 0x01,\n 0x2d,\n /* NID_ecdsa_with_Recommended */\n 0x2a,\n 0x86,\n 0x48,\n 0xce,\n 0x3d,\n 0x04,\n 0x02,\n /* NID_ecdsa_with_Specified */\n 0x2a,\n 0x86,\n 0x48,\n 0xce,\n 0x3d,\n 0x04,\n 0x03,\n /* NID_ecdsa_with_SHA224 */\n 0x2a,\n 0x86,\n 0x48,\n 0xce,\n 0x3d,\n 0x04,\n 0x03,\n 0x01,\n /* NID_ecdsa_with_SHA256 */\n 0x2a,\n 0x86,\n 0x48,\n 0xce,\n 0x3d,\n 0x04,\n 0x03,\n 0x02,\n /* NID_ecdsa_with_SHA384 */\n 0x2a,\n 0x86,\n 0x48,\n 0xce,\n 0x3d,\n 0x04,\n 0x03,\n 0x03,\n /* NID_ecdsa_with_SHA512 */\n 0x2a,\n 0x86,\n 0x48,\n 0xce,\n 0x3d,\n 0x04,\n 0x03,\n 0x04,\n /* NID_hmacWithMD5 */\n 0x2a,\n 0x86,\n 0x48,\n 0x86,\n 0xf7,\n 0x0d,\n 0x02,\n 0x06,\n /* NID_hmacWithSHA224 */\n 0x2a,\n 0x86,\n 0x48,\n 0x86,\n 0xf7,\n 0x0d,\n 0x02,\n 0x08,\n /* NID_hmacWithSHA256 */\n 0x2a,\n 0x86,\n 0x48,\n 0x86,\n 0xf7,\n 0x0d,\n 0x02,\n 0x09,\n /* NID_hmacWithSHA384 */\n 0x2a,\n 0x86,\n 0x48,\n 0x86,\n 0xf7,\n 0x0d,\n 0x02,\n 0x0a,\n /* NID_hmacWithSHA512 */\n 0x2a,\n 0x86,\n 0x48,\n 0x86,\n 0xf7,\n 0x0d,\n 0x02,\n 0x0b,\n /* NID_dsa_with_SHA224 */\n 0x60,\n 0x86,\n 0x48,\n 0x01,\n 0x65,\n 0x03,\n 0x04,\n 0x03,\n 0x01,\n /* NID_dsa_with_SHA256 */\n 0x60,\n 0x86,\n 0x48,\n 0x01,\n 0x65,\n 0x03,\n 0x04,\n 0x03,\n 0x02,\n /* NID_whirlpool */\n 0x28,\n 0xcf,\n 0x06,\n 0x03,\n 0x00,\n 0x37,\n /* NID_cryptopro */\n 0x2a,\n 0x85,\n 0x03,\n 0x02,\n 0x02,\n /* NID_cryptocom */\n 0x2a,\n 0x85,\n 0x03,\n 0x02,\n 0x09,\n /* NID_id_GostR3411_94_with_GostR3410_2001 */\n 0x2a,\n 0x85,\n 0x03,\n 0x02,\n 0x02,\n 0x03,\n /* NID_id_GostR3411_94_with_GostR3410_94 */\n 0x2a,\n 0x85,\n 0x03,\n 0x02,\n 0x02,\n 0x04,\n /* NID_id_GostR3411_94 */\n 0x2a,\n 0x85,\n 0x03,\n 0x02,\n 0x02,\n 0x09,\n /* NID_id_HMACGostR3411_94 */\n 0x2a,\n 0x85,\n 0x03,\n 0x02,\n 0x02,\n 0x0a,\n /* NID_id_GostR3410_2001 */\n 0x2a,\n 0x85,\n 0x03,\n 0x02,\n 0x02,\n 0x13,\n /* NID_id_GostR3410_94 */\n 0x2a,\n 0x85,\n 0x03,\n 0x02,\n 0x02,\n 0x14,\n /* NID_id_Gost28147_89 */\n 0x2a,\n 0x85,\n 0x03,\n 0x02,\n 0x02,\n 0x15,\n /* NID_id_Gost28147_89_MAC */\n 0x2a,\n 0x85,\n 0x03,\n 0x02,\n 0x02,\n 0x16,\n /* NID_id_GostR3411_94_prf */\n 0x2a,\n 0x85,\n 0x03,\n 0x02,\n 0x02,\n 0x17,\n /* NID_id_GostR3410_2001DH */\n 0x2a,\n 0x85,\n 0x03,\n 0x02,\n 0x02,\n 0x62,\n /* NID_id_GostR3410_94DH */\n 0x2a,\n 0x85,\n 0x03,\n 0x02,\n 0x02,\n 0x63,\n /* NID_id_Gost28147_89_CryptoPro_KeyMeshing */\n 0x2a,\n 0x85,\n 0x03,\n 0x02,\n 0x02,\n 0x0e,\n 0x01,\n /* NID_id_Gost28147_89_None_KeyMeshing */\n 0x2a,\n 0x85,\n 0x03,\n 0x02,\n 0x02,\n 0x0e,\n 0x00,\n /* NID_id_GostR3411_94_TestParamSet */\n 0x2a,\n 0x85,\n 0x03,\n 0x02,\n 0x02,\n 0x1e,\n 0x00,\n /* NID_id_GostR3411_94_CryptoProParamSet */\n 0x2a,\n 0x85,\n 0x03,\n 0x02,\n 0x02,\n 0x1e,\n 0x01,\n /* NID_id_Gost28147_89_TestParamSet */\n 0x2a,\n 0x85,\n 0x03,\n 0x02,\n 0x02,\n 0x1f,\n 0x00,\n /* NID_id_Gost28147_89_CryptoPro_A_ParamSet */\n 0x2a,\n 0x85,\n 0x03,\n 0x02,\n 0x02,\n 0x1f,\n 0x01,\n /* NID_id_Gost28147_89_CryptoPro_B_ParamSet */\n 0x2a,\n 0x85,\n 0x03,\n 0x02,\n 0x02,\n 0x1f,\n 0x02,\n /* NID_id_Gost28147_89_CryptoPro_C_ParamSet */\n 0x2a,\n 0x85,\n 0x03,\n 0x02,\n 0x02,\n 0x1f,\n 0x03,\n /* NID_id_Gost28147_89_CryptoPro_D_ParamSet */\n 0x2a,\n 0x85,\n 0x03,\n 0x02,\n 0x02,\n 0x1f,\n 0x04,\n /* NID_id_Gost28147_89_CryptoPro_Oscar_1_1_ParamSet */\n 0x2a,\n 0x85,\n 0x03,\n 0x02,\n 0x02,\n 0x1f,\n 0x05,\n /* NID_id_Gost28147_89_CryptoPro_Oscar_1_0_ParamSet */\n 0x2a,\n 0x85,\n 0x03,\n 0x02,\n 0x02,\n 0x1f,\n 0x06,\n /* NID_id_Gost28147_89_CryptoPro_RIC_1_ParamSet */\n 0x2a,\n 0x85,\n 0x03,\n 0x02,\n 0x02,\n 0x1f,\n 0x07,\n /* NID_id_GostR3410_94_TestParamSet */\n 0x2a,\n 0x85,\n 0x03,\n 0x02,\n 0x02,\n 0x20,\n 0x00,\n /* NID_id_GostR3410_94_CryptoPro_A_ParamSet */\n 0x2a,\n 0x85,\n 0x03,\n 0x02,\n 0x02,\n 0x20,\n 0x02,\n /* NID_id_GostR3410_94_CryptoPro_B_ParamSet */\n 0x2a,\n 0x85,\n 0x03,\n 0x02,\n 0x02,\n 0x20,\n 0x03,\n /* NID_id_GostR3410_94_CryptoPro_C_ParamSet */\n 0x2a,\n 0x85,\n 0x03,\n 0x02,\n 0x02,\n 0x20,\n 0x04,\n /* NID_id_GostR3410_94_CryptoPro_D_ParamSet */\n 0x2a,\n 0x85,\n 0x03,\n 0x02,\n 0x02,\n 0x20,\n 0x05,\n /* NID_id_GostR3410_94_CryptoPro_XchA_ParamSet */\n 0x2a,\n 0x85,\n 0x03,\n 0x02,\n 0x02,\n 0x21,\n 0x01,\n /* NID_id_GostR3410_94_CryptoPro_XchB_ParamSet */\n 0x2a,\n 0x85,\n 0x03,\n 0x02,\n 0x02,\n 0x21,\n 0x02,\n /* NID_id_GostR3410_94_CryptoPro_XchC_ParamSet */\n 0x2a,\n 0x85,\n 0x03,\n 0x02,\n 0x02,\n 0x21,\n 0x03,\n /* NID_id_GostR3410_2001_TestParamSet */\n 0x2a,\n 0x85,\n 0x03,\n 0x02,\n 0x02,\n 0x23,\n 0x00,\n /* NID_id_GostR3410_2001_CryptoPro_A_ParamSet */\n 0x2a,\n 0x85,\n 0x03,\n 0x02,\n 0x02,\n 0x23,\n 0x01,\n /* NID_id_GostR3410_2001_CryptoPro_B_ParamSet */\n 0x2a,\n 0x85,\n 0x03,\n 0x02,\n 0x02,\n 0x23,\n 0x02,\n /* NID_id_GostR3410_2001_CryptoPro_C_ParamSet */\n 0x2a,\n 0x85,\n 0x03,\n 0x02,\n 0x02,\n 0x23,\n 0x03,\n /* NID_id_GostR3410_2001_CryptoPro_XchA_ParamSet */\n 0x2a,\n 0x85,\n 0x03,\n 0x02,\n 0x02,\n 0x24,\n 0x00,\n /* NID_id_GostR3410_2001_CryptoPro_XchB_ParamSet */\n 0x2a,\n 0x85,\n 0x03,\n 0x02,\n 0x02,\n 0x24,\n 0x01,\n /* NID_id_GostR3410_94_a */\n 0x2a,\n 0x85,\n 0x03,\n 0x02,\n 0x02,\n 0x14,\n 0x01,\n /* NID_id_GostR3410_94_aBis */\n 0x2a,\n 0x85,\n 0x03,\n 0x02,\n 0x02,\n 0x14,\n 0x02,\n /* NID_id_GostR3410_94_b */\n 0x2a,\n 0x85,\n 0x03,\n 0x02,\n 0x02,\n 0x14,\n 0x03,\n /* NID_id_GostR3410_94_bBis */\n 0x2a,\n 0x85,\n 0x03,\n 0x02,\n 0x02,\n 0x14,\n 0x04,\n /* NID_id_Gost28147_89_cc */\n 0x2a,\n 0x85,\n 0x03,\n 0x02,\n 0x09,\n 0x01,\n 0x06,\n 0x01,\n /* NID_id_GostR3410_94_cc */\n 0x2a,\n 0x85,\n 0x03,\n 0x02,\n 0x09,\n 0x01,\n 0x05,\n 0x03,\n /* NID_id_GostR3410_2001_cc */\n 0x2a,\n 0x85,\n 0x03,\n 0x02,\n 0x09,\n 0x01,\n 0x05,\n 0x04,\n /* NID_id_GostR3411_94_with_GostR3410_94_cc */\n 0x2a,\n 0x85,\n 0x03,\n 0x02,\n 0x09,\n 0x01,\n 0x03,\n 0x03,\n /* NID_id_GostR3411_94_with_GostR3410_2001_cc */\n 0x2a,\n 0x85,\n 0x03,\n 0x02,\n 0x09,\n 0x01,\n 0x03,\n 0x04,\n /* NID_id_GostR3410_2001_ParamSet_cc */\n 0x2a,\n 0x85,\n 0x03,\n 0x02,\n 0x09,\n 0x01,\n 0x08,\n 0x01,\n /* NID_LocalKeySet */\n 0x2b,\n 0x06,\n 0x01,\n 0x04,\n 0x01,\n 0x82,\n 0x37,\n 0x11,\n 0x02,\n /* NID_freshest_crl */\n 0x55,\n 0x1d,\n 0x2e,\n /* NID_id_on_permanentIdentifier */\n 0x2b,\n 0x06,\n 0x01,\n 0x05,\n 0x05,\n 0x07,\n 0x08,\n 0x03,\n /* NID_searchGuide */\n 0x55,\n 0x04,\n 0x0e,\n /* NID_businessCategory */\n 0x55,\n 0x04,\n 0x0f,\n /* NID_postalAddress */\n 0x55,\n 0x04,\n 0x10,\n /* NID_postOfficeBox */\n 0x55,\n 0x04,\n 0x12,\n /* NID_physicalDeliveryOfficeName */\n 0x55,\n 0x04,\n 0x13,\n /* NID_telephoneNumber */\n 0x55,\n 0x04,\n 0x14,\n /* NID_telexNumber */\n 0x55,\n 0x04,\n 0x15,\n /* NID_teletexTerminalIdentifier */\n 0x55,\n 0x04,\n 0x16,\n /* NID_facsimileTelephoneNumber */\n 0x55,\n 0x04,\n 0x17,\n /* NID_x121Address */\n 0x55,\n 0x04,\n 0x18,\n /* NID_internationaliSDNNumber */\n 0x55,\n 0x04,\n 0x19,\n /* NID_registeredAddress */\n 0x55,\n 0x04,\n 0x1a,\n /* NID_destinationIndicator */\n 0x55,\n 0x04,\n 0x1b,\n /* NID_preferredDeliveryMethod */\n 0x55,\n 0x04,\n 0x1c,\n /* NID_presentationAddress */\n 0x55,\n 0x04,\n 0x1d,\n /* NID_supportedApplicationContext */\n 0x55,\n 0x04,\n 0x1e,\n /* NID_member */\n 0x55,\n 0x04,\n 0x1f,\n /* NID_owner */\n 0x55,\n 0x04,\n 0x20,\n /* NID_roleOccupant */\n 0x55,\n 0x04,\n 0x21,\n /* NID_seeAlso */\n 0x55,\n 0x04,\n 0x22,\n /* NID_userPassword */\n 0x55,\n 0x04,\n 0x23,\n /* NID_userCertificate */\n 0x55,\n 0x04,\n 0x24,\n /* NID_cACertificate */\n 0x55,\n 0x04,\n 0x25,\n /* NID_authorityRevocationList */\n 0x55,\n 0x04,\n 0x26,\n /* NID_certificateRevocationList */\n 0x55,\n 0x04,\n 0x27,\n /* NID_crossCertificatePair */\n 0x55,\n 0x04,\n 0x28,\n /* NID_enhancedSearchGuide */\n 0x55,\n 0x04,\n 0x2f,\n /* NID_protocolInformation */\n 0x55,\n 0x04,\n 0x30,\n /* NID_distinguishedName */\n 0x55,\n 0x04,\n 0x31,\n /* NID_uniqueMember */\n 0x55,\n 0x04,\n 0x32,\n /* NID_houseIdentifier */\n 0x55,\n 0x04,\n 0x33,\n /* NID_supportedAlgorithms */\n 0x55,\n 0x04,\n 0x34,\n /* NID_deltaRevocationList */\n 0x55,\n 0x04,\n 0x35,\n /* NID_dmdName */\n 0x55,\n 0x04,\n 0x36,\n /* NID_id_alg_PWRI_KEK */\n 0x2a,\n 0x86,\n 0x48,\n 0x86,\n 0xf7,\n 0x0d,\n 0x01,\n 0x09,\n 0x10,\n 0x03,\n 0x09,\n /* NID_aes_128_gcm */\n 0x60,\n 0x86,\n 0x48,\n 0x01,\n 0x65,\n 0x03,\n 0x04,\n 0x01,\n 0x06,\n /* NID_aes_128_ccm */\n 0x60,\n 0x86,\n 0x48,\n 0x01,\n 0x65,\n 0x03,\n 0x04,\n 0x01,\n 0x07,\n /* NID_id_aes128_wrap_pad */\n 0x60,\n 0x86,\n 0x48,\n 0x01,\n 0x65,\n 0x03,\n 0x04,\n 0x01,\n 0x08,\n /* NID_aes_192_gcm */\n 0x60,\n 0x86,\n 0x48,\n 0x01,\n 0x65,\n 0x03,\n 0x04,\n 0x01,\n 0x1a,\n /* NID_aes_192_ccm */\n 0x60,\n 0x86,\n 0x48,\n 0x01,\n 0x65,\n 0x03,\n 0x04,\n 0x01,\n 0x1b,\n /* NID_id_aes192_wrap_pad */\n 0x60,\n 0x86,\n 0x48,\n 0x01,\n 0x65,\n 0x03,\n 0x04,\n 0x01,\n 0x1c,\n /* NID_aes_256_gcm */\n 0x60,\n 0x86,\n 0x48,\n 0x01,\n 0x65,\n 0x03,\n 0x04,\n 0x01,\n 0x2e,\n /* NID_aes_256_ccm */\n 0x60,\n 0x86,\n 0x48,\n 0x01,\n 0x65,\n 0x03,\n 0x04,\n 0x01,\n 0x2f,\n /* NID_id_aes256_wrap_pad */\n 0x60,\n 0x86,\n 0x48,\n 0x01,\n 0x65,\n 0x03,\n 0x04,\n 0x01,\n 0x30,\n /* NID_id_camellia128_wrap */\n 0x2a,\n 0x83,\n 0x08,\n 0x8c,\n 0x9a,\n 0x4b,\n 0x3d,\n 0x01,\n 0x01,\n 0x03,\n 0x02,\n /* NID_id_camellia192_wrap */\n 0x2a,\n 0x83,\n 0x08,\n 0x8c,\n 0x9a,\n 0x4b,\n 0x3d,\n 0x01,\n 0x01,\n 0x03,\n 0x03,\n /* NID_id_camellia256_wrap */\n 0x2a,\n 0x83,\n 0x08,\n 0x8c,\n 0x9a,\n 0x4b,\n 0x3d,\n 0x01,\n 0x01,\n 0x03,\n 0x04,\n /* NID_anyExtendedKeyUsage */\n 0x55,\n 0x1d,\n 0x25,\n 0x00,\n /* NID_mgf1 */\n 0x2a,\n 0x86,\n 0x48,\n 0x86,\n 0xf7,\n 0x0d,\n 0x01,\n 0x01,\n 0x08,\n /* NID_rsassaPss */\n 0x2a,\n 0x86,\n 0x48,\n 0x86,\n 0xf7,\n 0x0d,\n 0x01,\n 0x01,\n 0x0a,\n /* NID_rsaesOaep */\n 0x2a,\n 0x86,\n 0x48,\n 0x86,\n 0xf7,\n 0x0d,\n 0x01,\n 0x01,\n 0x07,\n /* NID_dhpublicnumber */\n 0x2a,\n 0x86,\n 0x48,\n 0xce,\n 0x3e,\n 0x02,\n 0x01,\n /* NID_brainpoolP160r1 */\n 0x2b,\n 0x24,\n 0x03,\n 0x03,\n 0x02,\n 0x08,\n 0x01,\n 0x01,\n 0x01,\n /* NID_brainpoolP160t1 */\n 0x2b,\n 0x24,\n 0x03,\n 0x03,\n 0x02,\n 0x08,\n 0x01,\n 0x01,\n 0x02,\n /* NID_brainpoolP192r1 */\n 0x2b,\n 0x24,\n 0x03,\n 0x03,\n 0x02,\n 0x08,\n 0x01,\n 0x01,\n 0x03,\n /* NID_brainpoolP192t1 */\n 0x2b,\n 0x24,\n 0x03,\n 0x03,\n 0x02,\n 0x08,\n 0x01,\n 0x01,\n 0x04,\n /* NID_brainpoolP224r1 */\n 0x2b,\n 0x24,\n 0x03,\n 0x03,\n 0x02,\n 0x08,\n 0x01,\n 0x01,\n 0x05,\n /* NID_brainpoolP224t1 */\n 0x2b,\n 0x24,\n 0x03,\n 0x03,\n 0x02,\n 0x08,\n 0x01,\n 0x01,\n 0x06,\n /* NID_brainpoolP256r1 */\n 0x2b,\n 0x24,\n 0x03,\n 0x03,\n 0x02,\n 0x08,\n 0x01,\n 0x01,\n 0x07,\n /* NID_brainpoolP256t1 */\n 0x2b,\n 0x24,\n 0x03,\n 0x03,\n 0x02,\n 0x08,\n 0x01,\n 0x01,\n 0x08,\n /* NID_brainpoolP320r1 */\n 0x2b,\n 0x24,\n 0x03,\n 0x03,\n 0x02,\n 0x08,\n 0x01,\n 0x01,\n 0x09,\n /* NID_brainpoolP320t1 */\n 0x2b,\n 0x24,\n 0x03,\n 0x03,\n 0x02,\n 0x08,\n 0x01,\n 0x01,\n 0x0a,\n /* NID_brainpoolP384r1 */\n 0x2b,\n 0x24,\n 0x03,\n 0x03,\n 0x02,\n 0x08,\n 0x01,\n 0x01,\n 0x0b,\n /* NID_brainpoolP384t1 */\n 0x2b,\n 0x24,\n 0x03,\n 0x03,\n 0x02,\n 0x08,\n 0x01,\n 0x01,\n 0x0c,\n /* NID_brainpoolP512r1 */\n 0x2b,\n 0x24,\n 0x03,\n 0x03,\n 0x02,\n 0x08,\n 0x01,\n 0x01,\n 0x0d,\n /* NID_brainpoolP512t1 */\n 0x2b,\n 0x24,\n 0x03,\n 0x03,\n 0x02,\n 0x08,\n 0x01,\n 0x01,\n 0x0e,\n /* NID_pSpecified */\n 0x2a,\n 0x86,\n 0x48,\n 0x86,\n 0xf7,\n 0x0d,\n 0x01,\n 0x01,\n 0x09,\n /* NID_dhSinglePass_stdDH_sha1kdf_scheme */\n 0x2b,\n 0x81,\n 0x05,\n 0x10,\n 0x86,\n 0x48,\n 0x3f,\n 0x00,\n 0x02,\n /* NID_dhSinglePass_stdDH_sha224kdf_scheme */\n 0x2b,\n 0x81,\n 0x04,\n 0x01,\n 0x0b,\n 0x00,\n /* NID_dhSinglePass_stdDH_sha256kdf_scheme */\n 0x2b,\n 0x81,\n 0x04,\n 0x01,\n 0x0b,\n 0x01,\n /* NID_dhSinglePass_stdDH_sha384kdf_scheme */\n 0x2b,\n 0x81,\n 0x04,\n 0x01,\n 0x0b,\n 0x02,\n /* NID_dhSinglePass_stdDH_sha512kdf_scheme */\n 0x2b,\n 0x81,\n 0x04,\n 0x01,\n 0x0b,\n 0x03,\n /* NID_dhSinglePass_cofactorDH_sha1kdf_scheme */\n 0x2b,\n 0x81,\n 0x05,\n 0x10,\n 0x86,\n 0x48,\n 0x3f,\n 0x00,\n 0x03,\n /* NID_dhSinglePass_cofactorDH_sha224kdf_scheme */\n 0x2b,\n 0x81,\n 0x04,\n 0x01,\n 0x0e,\n 0x00,\n /* NID_dhSinglePass_cofactorDH_sha256kdf_scheme */\n 0x2b,\n 0x81,\n 0x04,\n 0x01,\n 0x0e,\n 0x01,\n /* NID_dhSinglePass_cofactorDH_sha384kdf_scheme */\n 0x2b,\n 0x81,\n 0x04,\n 0x01,\n 0x0e,\n 0x02,\n /* NID_dhSinglePass_cofactorDH_sha512kdf_scheme */\n 0x2b,\n 0x81,\n 0x04,\n 0x01,\n 0x0e,\n 0x03,\n /* NID_X25519 */\n 0x2b,\n 0x65,\n 0x6e,\n /* NID_ED25519 */\n 0x2b,\n 0x65,\n 0x70,\n /* NID_ED448 */\n 0x2b,\n 0x65,\n 0x71,\n /* NID_X448 */\n 0x2b,\n 0x65,\n 0x6f,\n /* NID_sha512_256 */\n 0x60,\n 0x86,\n 0x48,\n 0x01,\n 0x65,\n 0x03,\n 0x04,\n 0x02,\n 0x06,\n};\n\nstatic const ASN1_OBJECT kObjects[NUM_NID] = {\n {\"rsadsi\", \"RSA Data Security, Inc.\", NID_rsadsi, 6, &kObjectData[0], 0},\n {\"pkcs\", \"RSA Data Security, Inc. PKCS\", NID_pkcs, 7, &kObjectData[6], 0},\n {\"MD2\", \"md2\", NID_md2, 8, &kObjectData[13], 0},\n {\"MD5\", \"md5\", NID_md5, 8, &kObjectData[21], 0},\n {\"RC4\", \"rc4\", NID_rc4, 8, &kObjectData[29], 0},\n {\"rsaEncryption\", \"rsaEncryption\", NID_rsaEncryption, 9, &kObjectData[37],\n 0},\n {\"RSA-MD2\", \"md2WithRSAEncryption\", NID_md2WithRSAEncryption, 9,\n &kObjectData[46], 0},\n {\"RSA-MD5\", \"md5WithRSAEncryption\", NID_md5WithRSAEncryption, 9,\n &kObjectData[55], 0},\n {\"PBE-MD2-DES\", \"pbeWithMD2AndDES-CBC\", NID_pbeWithMD2AndDES_CBC, 9,\n &kObjectData[64], 0},\n {\"PBE-MD5-DES\", \"pbeWithMD5AndDES-CBC\", NID_pbeWithMD5AndDES_CBC, 9,\n &kObjectData[73], 0},\n {\"X500\", \"directory services (X.500)\", NID_X500, 1, &kObjectData[82], 0},\n {\"X509\", \"X509\", NID_X509, 2, &kObjectData[83], 0},\n {\"CN\", \"commonName\", NID_commonName, 3, &kObjectData[85], 0},\n {\"C\", \"countryName\", NID_countryName, 3, &kObjectData[88], 0},\n {\"L\", \"localityName\", NID_localityName, 3, &kObjectData[91], 0},\n {\"ST\", \"stateOrProvinceName\", NID_stateOrProvinceName, 3, &kObjectData[94],\n 0},\n {\"O\", \"organizationName\", NID_organizationName, 3, &kObjectData[97], 0},\n {\"OU\", \"organizationalUnitName\", NID_organizationalUnitName, 3,\n &kObjectData[100], 0},\n {\"RSA\", \"rsa\", NID_rsa, 4, &kObjectData[103], 0},\n {\"pkcs7\", \"pkcs7\", NID_pkcs7, 8, &kObjectData[107], 0},\n {\"pkcs7-data\", \"pkcs7-data\", NID_pkcs7_data, 9, &kObjectData[115], 0},\n {\"pkcs7-signedData\", \"pkcs7-signedData\", NID_pkcs7_signed, 9,\n &kObjectData[124], 0},\n {\"pkcs7-envelopedData\", \"pkcs7-envelopedData\", NID_pkcs7_enveloped, 9,\n &kObjectData[133], 0},\n {\"pkcs7-signedAndEnvelopedData\", \"pkcs7-signedAndEnvelopedData\",\n NID_pkcs7_signedAndEnveloped, 9, &kObjectData[142], 0},\n {\"pkcs7-digestData\", \"pkcs7-digestData\", NID_pkcs7_digest, 9,\n &kObjectData[151], 0},\n {\"pkcs7-encryptedData\", \"pkcs7-encryptedData\", NID_pkcs7_encrypted, 9,\n &kObjectData[160], 0},\n {\"pkcs3\", \"pkcs3\", NID_pkcs3, 8, &kObjectData[169], 0},\n {\"dhKeyAgreement\", \"dhKeyAgreement\", NID_dhKeyAgreement, 9,\n &kObjectData[177], 0},\n {\"DES-ECB\", \"des-ecb\", NID_des_ecb, 5, &kObjectData[186], 0},\n {\"DES-CFB\", \"des-cfb\", NID_des_cfb64, 5, &kObjectData[191], 0},\n {\"DES-CBC\", \"des-cbc\", NID_des_cbc, 5, &kObjectData[196], 0},\n {\"DES-EDE\", \"des-ede\", NID_des_ede_ecb, 5, &kObjectData[201], 0},\n {\"DES-EDE3\", \"des-ede3\", NID_des_ede3_ecb, 0, NULL, 0},\n {\"IDEA-CBC\", \"idea-cbc\", NID_idea_cbc, 11, &kObjectData[206], 0},\n {\"IDEA-CFB\", \"idea-cfb\", NID_idea_cfb64, 0, NULL, 0},\n {\"IDEA-ECB\", \"idea-ecb\", NID_idea_ecb, 0, NULL, 0},\n {\"RC2-CBC\", \"rc2-cbc\", NID_rc2_cbc, 8, &kObjectData[217], 0},\n {\"RC2-ECB\", \"rc2-ecb\", NID_rc2_ecb, 0, NULL, 0},\n {\"RC2-CFB\", \"rc2-cfb\", NID_rc2_cfb64, 0, NULL, 0},\n {\"RC2-OFB\", \"rc2-ofb\", NID_rc2_ofb64, 0, NULL, 0},\n {\"SHA\", \"sha\", NID_sha, 5, &kObjectData[225], 0},\n {\"RSA-SHA\", \"shaWithRSAEncryption\", NID_shaWithRSAEncryption, 5,\n &kObjectData[230], 0},\n {\"DES-EDE-CBC\", \"des-ede-cbc\", NID_des_ede_cbc, 0, NULL, 0},\n {\"DES-EDE3-CBC\", \"des-ede3-cbc\", NID_des_ede3_cbc, 8, &kObjectData[235], 0},\n {\"DES-OFB\", \"des-ofb\", NID_des_ofb64, 5, &kObjectData[243], 0},\n {\"IDEA-OFB\", \"idea-ofb\", NID_idea_ofb64, 0, NULL, 0},\n {\"pkcs9\", \"pkcs9\", NID_pkcs9, 8, &kObjectData[248], 0},\n {\"emailAddress\", \"emailAddress\", NID_pkcs9_emailAddress, 9,\n &kObjectData[256], 0},\n {\"unstructuredName\", \"unstructuredName\", NID_pkcs9_unstructuredName, 9,\n &kObjectData[265], 0},\n {\"contentType\", \"contentType\", NID_pkcs9_contentType, 9, &kObjectData[274],\n 0},\n {\"messageDigest\", \"messageDigest\", NID_pkcs9_messageDigest, 9,\n &kObjectData[283], 0},\n {\"signingTime\", \"signingTime\", NID_pkcs9_signingTime, 9, &kObjectData[292],\n 0},\n {\"countersignature\", \"countersignature\", NID_pkcs9_countersignature, 9,\n &kObjectData[301], 0},\n {\"challengePassword\", \"challengePassword\", NID_pkcs9_challengePassword, 9,\n &kObjectData[310], 0},\n {\"unstructuredAddress\", \"unstructuredAddress\",\n NID_pkcs9_unstructuredAddress, 9, &kObjectData[319], 0},\n {\"extendedCertificateAttributes\", \"extendedCertificateAttributes\",\n NID_pkcs9_extCertAttributes, 9, &kObjectData[328], 0},\n {\"Netscape\", \"Netscape Communications Corp.\", NID_netscape, 7,\n &kObjectData[337], 0},\n {\"nsCertExt\", \"Netscape Certificate Extension\", NID_netscape_cert_extension,\n 8, &kObjectData[344], 0},\n {\"nsDataType\", \"Netscape Data Type\", NID_netscape_data_type, 8,\n &kObjectData[352], 0},\n {\"DES-EDE-CFB\", \"des-ede-cfb\", NID_des_ede_cfb64, 0, NULL, 0},\n {\"DES-EDE3-CFB\", \"des-ede3-cfb\", NID_des_ede3_cfb64, 0, NULL, 0},\n {\"DES-EDE-OFB\", \"des-ede-ofb\", NID_des_ede_ofb64, 0, NULL, 0},\n {\"DES-EDE3-OFB\", \"des-ede3-ofb\", NID_des_ede3_ofb64, 0, NULL, 0},\n {\"SHA1\", \"sha1\", NID_sha1, 5, &kObjectData[360], 0},\n {\"RSA-SHA1\", \"sha1WithRSAEncryption\", NID_sha1WithRSAEncryption, 9,\n &kObjectData[365], 0},\n {\"DSA-SHA\", \"dsaWithSHA\", NID_dsaWithSHA, 5, &kObjectData[374], 0},\n {\"DSA-old\", \"dsaEncryption-old\", NID_dsa_2, 5, &kObjectData[379], 0},\n {\"PBE-SHA1-RC2-64\", \"pbeWithSHA1AndRC2-CBC\", NID_pbeWithSHA1AndRC2_CBC, 9,\n &kObjectData[384], 0},\n {\"PBKDF2\", \"PBKDF2\", NID_id_pbkdf2, 9, &kObjectData[393], 0},\n {\"DSA-SHA1-old\", \"dsaWithSHA1-old\", NID_dsaWithSHA1_2, 5, &kObjectData[402],\n 0},\n {\"nsCertType\", \"Netscape Cert Type\", NID_netscape_cert_type, 9,\n &kObjectData[407], 0},\n {\"nsBaseUrl\", \"Netscape Base Url\", NID_netscape_base_url, 9,\n &kObjectData[416], 0},\n {\"nsRevocationUrl\", \"Netscape Revocation Url\", NID_netscape_revocation_url,\n 9, &kObjectData[425], 0},\n {\"nsCaRevocationUrl\", \"Netscape CA Revocation Url\",\n NID_netscape_ca_revocation_url, 9, &kObjectData[434], 0},\n {\"nsRenewalUrl\", \"Netscape Renewal Url\", NID_netscape_renewal_url, 9,\n &kObjectData[443], 0},\n {\"nsCaPolicyUrl\", \"Netscape CA Policy Url\", NID_netscape_ca_policy_url, 9,\n &kObjectData[452], 0},\n {\"nsSslServerName\", \"Netscape SSL Server Name\",\n NID_netscape_ssl_server_name, 9, &kObjectData[461], 0},\n {\"nsComment\", \"Netscape Comment\", NID_netscape_comment, 9,\n &kObjectData[470], 0},\n {\"nsCertSequence\", \"Netscape Certificate Sequence\",\n NID_netscape_cert_sequence, 9, &kObjectData[479], 0},\n {\"DESX-CBC\", \"desx-cbc\", NID_desx_cbc, 0, NULL, 0},\n {\"id-ce\", \"id-ce\", NID_id_ce, 2, &kObjectData[488], 0},\n {\"subjectKeyIdentifier\", \"X509v3 Subject Key Identifier\",\n NID_subject_key_identifier, 3, &kObjectData[490], 0},\n {\"keyUsage\", \"X509v3 Key Usage\", NID_key_usage, 3, &kObjectData[493], 0},\n {\"privateKeyUsagePeriod\", \"X509v3 Private Key Usage Period\",\n NID_private_key_usage_period, 3, &kObjectData[496], 0},\n {\"subjectAltName\", \"X509v3 Subject Alternative Name\", NID_subject_alt_name,\n 3, &kObjectData[499], 0},\n {\"issuerAltName\", \"X509v3 Issuer Alternative Name\", NID_issuer_alt_name, 3,\n &kObjectData[502], 0},\n {\"basicConstraints\", \"X509v3 Basic Constraints\", NID_basic_constraints, 3,\n &kObjectData[505], 0},\n {\"crlNumber\", \"X509v3 CRL Number\", NID_crl_number, 3, &kObjectData[508], 0},\n {\"certificatePolicies\", \"X509v3 Certificate Policies\",\n NID_certificate_policies, 3, &kObjectData[511], 0},\n {\"authorityKeyIdentifier\", \"X509v3 Authority Key Identifier\",\n NID_authority_key_identifier, 3, &kObjectData[514], 0},\n {\"BF-CBC\", \"bf-cbc\", NID_bf_cbc, 9, &kObjectData[517], 0},\n {\"BF-ECB\", \"bf-ecb\", NID_bf_ecb, 0, NULL, 0},\n {\"BF-CFB\", \"bf-cfb\", NID_bf_cfb64, 0, NULL, 0},\n {\"BF-OFB\", \"bf-ofb\", NID_bf_ofb64, 0, NULL, 0},\n {\"MDC2\", \"mdc2\", NID_mdc2, 4, &kObjectData[526], 0},\n {\"RSA-MDC2\", \"mdc2WithRSA\", NID_mdc2WithRSA, 4, &kObjectData[530], 0},\n {\"RC4-40\", \"rc4-40\", NID_rc4_40, 0, NULL, 0},\n {\"RC2-40-CBC\", \"rc2-40-cbc\", NID_rc2_40_cbc, 0, NULL, 0},\n {\"GN\", \"givenName\", NID_givenName, 3, &kObjectData[534], 0},\n {\"SN\", \"surname\", NID_surname, 3, &kObjectData[537], 0},\n {\"initials\", \"initials\", NID_initials, 3, &kObjectData[540], 0},\n {NULL, NULL, NID_undef, 0, NULL, 0},\n {\"crlDistributionPoints\", \"X509v3 CRL Distribution Points\",\n NID_crl_distribution_points, 3, &kObjectData[543], 0},\n {\"RSA-NP-MD5\", \"md5WithRSA\", NID_md5WithRSA, 5, &kObjectData[546], 0},\n {\"serialNumber\", \"serialNumber\", NID_serialNumber, 3, &kObjectData[551], 0},\n {\"title\", \"title\", NID_title, 3, &kObjectData[554], 0},\n {\"description\", \"description\", NID_description, 3, &kObjectData[557], 0},\n {\"CAST5-CBC\", \"cast5-cbc\", NID_cast5_cbc, 9, &kObjectData[560], 0},\n {\"CAST5-ECB\", \"cast5-ecb\", NID_cast5_ecb, 0, NULL, 0},\n {\"CAST5-CFB\", \"cast5-cfb\", NID_cast5_cfb64, 0, NULL, 0},\n {\"CAST5-OFB\", \"cast5-ofb\", NID_cast5_ofb64, 0, NULL, 0},\n {\"pbeWithMD5AndCast5CBC\", \"pbeWithMD5AndCast5CBC\",\n NID_pbeWithMD5AndCast5_CBC, 9, &kObjectData[569], 0},\n {\"DSA-SHA1\", \"dsaWithSHA1\", NID_dsaWithSHA1, 7, &kObjectData[578], 0},\n {\"MD5-SHA1\", \"md5-sha1\", NID_md5_sha1, 0, NULL, 0},\n {\"RSA-SHA1-2\", \"sha1WithRSA\", NID_sha1WithRSA, 5, &kObjectData[585], 0},\n {\"DSA\", \"dsaEncryption\", NID_dsa, 7, &kObjectData[590], 0},\n {\"RIPEMD160\", \"ripemd160\", NID_ripemd160, 5, &kObjectData[597], 0},\n {NULL, NULL, NID_undef, 0, NULL, 0},\n {\"RSA-RIPEMD160\", \"ripemd160WithRSA\", NID_ripemd160WithRSA, 6,\n &kObjectData[602], 0},\n {\"RC5-CBC\", \"rc5-cbc\", NID_rc5_cbc, 8, &kObjectData[608], 0},\n {\"RC5-ECB\", \"rc5-ecb\", NID_rc5_ecb, 0, NULL, 0},\n {\"RC5-CFB\", \"rc5-cfb\", NID_rc5_cfb64, 0, NULL, 0},\n {\"RC5-OFB\", \"rc5-ofb\", NID_rc5_ofb64, 0, NULL, 0},\n {NULL, NULL, NID_undef, 0, NULL, 0},\n {\"ZLIB\", \"zlib compression\", NID_zlib_compression, 11, &kObjectData[616],\n 0},\n {\"extendedKeyUsage\", \"X509v3 Extended Key Usage\", NID_ext_key_usage, 3,\n &kObjectData[627], 0},\n {\"PKIX\", \"PKIX\", NID_id_pkix, 6, &kObjectData[630], 0},\n {\"id-kp\", \"id-kp\", NID_id_kp, 7, &kObjectData[636], 0},\n {\"serverAuth\", \"TLS Web Server Authentication\", NID_server_auth, 8,\n &kObjectData[643], 0},\n {\"clientAuth\", \"TLS Web Client Authentication\", NID_client_auth, 8,\n &kObjectData[651], 0},\n {\"codeSigning\", \"Code Signing\", NID_code_sign, 8, &kObjectData[659], 0},\n {\"emailProtection\", \"E-mail Protection\", NID_email_protect, 8,\n &kObjectData[667], 0},\n {\"timeStamping\", \"Time Stamping\", NID_time_stamp, 8, &kObjectData[675], 0},\n {\"msCodeInd\", \"Microsoft Individual Code Signing\", NID_ms_code_ind, 10,\n &kObjectData[683], 0},\n {\"msCodeCom\", \"Microsoft Commercial Code Signing\", NID_ms_code_com, 10,\n &kObjectData[693], 0},\n {\"msCTLSign\", \"Microsoft Trust List Signing\", NID_ms_ctl_sign, 10,\n &kObjectData[703], 0},\n {\"msSGC\", \"Microsoft Server Gated Crypto\", NID_ms_sgc, 10,\n &kObjectData[713], 0},\n {\"msEFS\", \"Microsoft Encrypted File System\", NID_ms_efs, 10,\n &kObjectData[723], 0},\n {\"nsSGC\", \"Netscape Server Gated Crypto\", NID_ns_sgc, 9, &kObjectData[733],\n 0},\n {\"deltaCRL\", \"X509v3 Delta CRL Indicator\", NID_delta_crl, 3,\n &kObjectData[742], 0},\n {\"CRLReason\", \"X509v3 CRL Reason Code\", NID_crl_reason, 3,\n &kObjectData[745], 0},\n {\"invalidityDate\", \"Invalidity Date\", NID_invalidity_date, 3,\n &kObjectData[748], 0},\n {\"SXNetID\", \"Strong Extranet ID\", NID_sxnet, 5, &kObjectData[751], 0},\n {\"PBE-SHA1-RC4-128\", \"pbeWithSHA1And128BitRC4\",\n NID_pbe_WithSHA1And128BitRC4, 10, &kObjectData[756], 0},\n {\"PBE-SHA1-RC4-40\", \"pbeWithSHA1And40BitRC4\", NID_pbe_WithSHA1And40BitRC4,\n 10, &kObjectData[766], 0},\n {\"PBE-SHA1-3DES\", \"pbeWithSHA1And3-KeyTripleDES-CBC\",\n NID_pbe_WithSHA1And3_Key_TripleDES_CBC, 10, &kObjectData[776], 0},\n {\"PBE-SHA1-2DES\", \"pbeWithSHA1And2-KeyTripleDES-CBC\",\n NID_pbe_WithSHA1And2_Key_TripleDES_CBC, 10, &kObjectData[786], 0},\n {\"PBE-SHA1-RC2-128\", \"pbeWithSHA1And128BitRC2-CBC\",\n NID_pbe_WithSHA1And128BitRC2_CBC, 10, &kObjectData[796], 0},\n {\"PBE-SHA1-RC2-40\", \"pbeWithSHA1And40BitRC2-CBC\",\n NID_pbe_WithSHA1And40BitRC2_CBC, 10, &kObjectData[806], 0},\n {\"keyBag\", \"keyBag\", NID_keyBag, 11, &kObjectData[816], 0},\n {\"pkcs8ShroudedKeyBag\", \"pkcs8ShroudedKeyBag\", NID_pkcs8ShroudedKeyBag, 11,\n &kObjectData[827], 0},\n {\"certBag\", \"certBag\", NID_certBag, 11, &kObjectData[838], 0},\n {\"crlBag\", \"crlBag\", NID_crlBag, 11, &kObjectData[849], 0},\n {\"secretBag\", \"secretBag\", NID_secretBag, 11, &kObjectData[860], 0},\n {\"safeContentsBag\", \"safeContentsBag\", NID_safeContentsBag, 11,\n &kObjectData[871], 0},\n {\"friendlyName\", \"friendlyName\", NID_friendlyName, 9, &kObjectData[882], 0},\n {\"localKeyID\", \"localKeyID\", NID_localKeyID, 9, &kObjectData[891], 0},\n {\"x509Certificate\", \"x509Certificate\", NID_x509Certificate, 10,\n &kObjectData[900], 0},\n {\"sdsiCertificate\", \"sdsiCertificate\", NID_sdsiCertificate, 10,\n &kObjectData[910], 0},\n {\"x509Crl\", \"x509Crl\", NID_x509Crl, 10, &kObjectData[920], 0},\n {\"PBES2\", \"PBES2\", NID_pbes2, 9, &kObjectData[930], 0},\n {\"PBMAC1\", \"PBMAC1\", NID_pbmac1, 9, &kObjectData[939], 0},\n {\"hmacWithSHA1\", \"hmacWithSHA1\", NID_hmacWithSHA1, 8, &kObjectData[948], 0},\n {\"id-qt-cps\", \"Policy Qualifier CPS\", NID_id_qt_cps, 8, &kObjectData[956],\n 0},\n {\"id-qt-unotice\", \"Policy Qualifier User Notice\", NID_id_qt_unotice, 8,\n &kObjectData[964], 0},\n {\"RC2-64-CBC\", \"rc2-64-cbc\", NID_rc2_64_cbc, 0, NULL, 0},\n {\"SMIME-CAPS\", \"S/MIME Capabilities\", NID_SMIMECapabilities, 9,\n &kObjectData[972], 0},\n {\"PBE-MD2-RC2-64\", \"pbeWithMD2AndRC2-CBC\", NID_pbeWithMD2AndRC2_CBC, 9,\n &kObjectData[981], 0},\n {\"PBE-MD5-RC2-64\", \"pbeWithMD5AndRC2-CBC\", NID_pbeWithMD5AndRC2_CBC, 9,\n &kObjectData[990], 0},\n {\"PBE-SHA1-DES\", \"pbeWithSHA1AndDES-CBC\", NID_pbeWithSHA1AndDES_CBC, 9,\n &kObjectData[999], 0},\n {\"msExtReq\", \"Microsoft Extension Request\", NID_ms_ext_req, 10,\n &kObjectData[1008], 0},\n {\"extReq\", \"Extension Request\", NID_ext_req, 9, &kObjectData[1018], 0},\n {\"name\", \"name\", NID_name, 3, &kObjectData[1027], 0},\n {\"dnQualifier\", \"dnQualifier\", NID_dnQualifier, 3, &kObjectData[1030], 0},\n {\"id-pe\", \"id-pe\", NID_id_pe, 7, &kObjectData[1033], 0},\n {\"id-ad\", \"id-ad\", NID_id_ad, 7, &kObjectData[1040], 0},\n {\"authorityInfoAccess\", \"Authority Information Access\", NID_info_access, 8,\n &kObjectData[1047], 0},\n {\"OCSP\", \"OCSP\", NID_ad_OCSP, 8, &kObjectData[1055], 0},\n {\"caIssuers\", \"CA Issuers\", NID_ad_ca_issuers, 8, &kObjectData[1063], 0},\n {\"OCSPSigning\", \"OCSP Signing\", NID_OCSP_sign, 8, &kObjectData[1071], 0},\n {\"ISO\", \"iso\", NID_iso, 0, NULL, 0},\n {\"member-body\", \"ISO Member Body\", NID_member_body, 1, &kObjectData[1079],\n 0},\n {\"ISO-US\", \"ISO US Member Body\", NID_ISO_US, 3, &kObjectData[1080], 0},\n {\"X9-57\", \"X9.57\", NID_X9_57, 5, &kObjectData[1083], 0},\n {\"X9cm\", \"X9.57 CM ?\", NID_X9cm, 6, &kObjectData[1088], 0},\n {\"pkcs1\", \"pkcs1\", NID_pkcs1, 8, &kObjectData[1094], 0},\n {\"pkcs5\", \"pkcs5\", NID_pkcs5, 8, &kObjectData[1102], 0},\n {\"SMIME\", \"S/MIME\", NID_SMIME, 9, &kObjectData[1110], 0},\n {\"id-smime-mod\", \"id-smime-mod\", NID_id_smime_mod, 10, &kObjectData[1119],\n 0},\n {\"id-smime-ct\", \"id-smime-ct\", NID_id_smime_ct, 10, &kObjectData[1129], 0},\n {\"id-smime-aa\", \"id-smime-aa\", NID_id_smime_aa, 10, &kObjectData[1139], 0},\n {\"id-smime-alg\", \"id-smime-alg\", NID_id_smime_alg, 10, &kObjectData[1149],\n 0},\n {\"id-smime-cd\", \"id-smime-cd\", NID_id_smime_cd, 10, &kObjectData[1159], 0},\n {\"id-smime-spq\", \"id-smime-spq\", NID_id_smime_spq, 10, &kObjectData[1169],\n 0},\n {\"id-smime-cti\", \"id-smime-cti\", NID_id_smime_cti, 10, &kObjectData[1179],\n 0},\n {\"id-smime-mod-cms\", \"id-smime-mod-cms\", NID_id_smime_mod_cms, 11,\n &kObjectData[1189], 0},\n {\"id-smime-mod-ess\", \"id-smime-mod-ess\", NID_id_smime_mod_ess, 11,\n &kObjectData[1200], 0},\n {\"id-smime-mod-oid\", \"id-smime-mod-oid\", NID_id_smime_mod_oid, 11,\n &kObjectData[1211], 0},\n {\"id-smime-mod-msg-v3\", \"id-smime-mod-msg-v3\", NID_id_smime_mod_msg_v3, 11,\n &kObjectData[1222], 0},\n {\"id-smime-mod-ets-eSignature-88\", \"id-smime-mod-ets-eSignature-88\",\n NID_id_smime_mod_ets_eSignature_88, 11, &kObjectData[1233], 0},\n {\"id-smime-mod-ets-eSignature-97\", \"id-smime-mod-ets-eSignature-97\",\n NID_id_smime_mod_ets_eSignature_97, 11, &kObjectData[1244], 0},\n {\"id-smime-mod-ets-eSigPolicy-88\", \"id-smime-mod-ets-eSigPolicy-88\",\n NID_id_smime_mod_ets_eSigPolicy_88, 11, &kObjectData[1255], 0},\n {\"id-smime-mod-ets-eSigPolicy-97\", \"id-smime-mod-ets-eSigPolicy-97\",\n NID_id_smime_mod_ets_eSigPolicy_97, 11, &kObjectData[1266], 0},\n {\"id-smime-ct-receipt\", \"id-smime-ct-receipt\", NID_id_smime_ct_receipt, 11,\n &kObjectData[1277], 0},\n {\"id-smime-ct-authData\", \"id-smime-ct-authData\", NID_id_smime_ct_authData,\n 11, &kObjectData[1288], 0},\n {\"id-smime-ct-publishCert\", \"id-smime-ct-publishCert\",\n NID_id_smime_ct_publishCert, 11, &kObjectData[1299], 0},\n {\"id-smime-ct-TSTInfo\", \"id-smime-ct-TSTInfo\", NID_id_smime_ct_TSTInfo, 11,\n &kObjectData[1310], 0},\n {\"id-smime-ct-TDTInfo\", \"id-smime-ct-TDTInfo\", NID_id_smime_ct_TDTInfo, 11,\n &kObjectData[1321], 0},\n {\"id-smime-ct-contentInfo\", \"id-smime-ct-contentInfo\",\n NID_id_smime_ct_contentInfo, 11, &kObjectData[1332], 0},\n {\"id-smime-ct-DVCSRequestData\", \"id-smime-ct-DVCSRequestData\",\n NID_id_smime_ct_DVCSRequestData, 11, &kObjectData[1343], 0},\n {\"id-smime-ct-DVCSResponseData\", \"id-smime-ct-DVCSResponseData\",\n NID_id_smime_ct_DVCSResponseData, 11, &kObjectData[1354], 0},\n {\"id-smime-aa-receiptRequest\", \"id-smime-aa-receiptRequest\",\n NID_id_smime_aa_receiptRequest, 11, &kObjectData[1365], 0},\n {\"id-smime-aa-securityLabel\", \"id-smime-aa-securityLabel\",\n NID_id_smime_aa_securityLabel, 11, &kObjectData[1376], 0},\n {\"id-smime-aa-mlExpandHistory\", \"id-smime-aa-mlExpandHistory\",\n NID_id_smime_aa_mlExpandHistory, 11, &kObjectData[1387], 0},\n {\"id-smime-aa-contentHint\", \"id-smime-aa-contentHint\",\n NID_id_smime_aa_contentHint, 11, &kObjectData[1398], 0},\n {\"id-smime-aa-msgSigDigest\", \"id-smime-aa-msgSigDigest\",\n NID_id_smime_aa_msgSigDigest, 11, &kObjectData[1409], 0},\n {\"id-smime-aa-encapContentType\", \"id-smime-aa-encapContentType\",\n NID_id_smime_aa_encapContentType, 11, &kObjectData[1420], 0},\n {\"id-smime-aa-contentIdentifier\", \"id-smime-aa-contentIdentifier\",\n NID_id_smime_aa_contentIdentifier, 11, &kObjectData[1431], 0},\n {\"id-smime-aa-macValue\", \"id-smime-aa-macValue\", NID_id_smime_aa_macValue,\n 11, &kObjectData[1442], 0},\n {\"id-smime-aa-equivalentLabels\", \"id-smime-aa-equivalentLabels\",\n NID_id_smime_aa_equivalentLabels, 11, &kObjectData[1453], 0},\n {\"id-smime-aa-contentReference\", \"id-smime-aa-contentReference\",\n NID_id_smime_aa_contentReference, 11, &kObjectData[1464], 0},\n {\"id-smime-aa-encrypKeyPref\", \"id-smime-aa-encrypKeyPref\",\n NID_id_smime_aa_encrypKeyPref, 11, &kObjectData[1475], 0},\n {\"id-smime-aa-signingCertificate\", \"id-smime-aa-signingCertificate\",\n NID_id_smime_aa_signingCertificate, 11, &kObjectData[1486], 0},\n {\"id-smime-aa-smimeEncryptCerts\", \"id-smime-aa-smimeEncryptCerts\",\n NID_id_smime_aa_smimeEncryptCerts, 11, &kObjectData[1497], 0},\n {\"id-smime-aa-timeStampToken\", \"id-smime-aa-timeStampToken\",\n NID_id_smime_aa_timeStampToken, 11, &kObjectData[1508], 0},\n {\"id-smime-aa-ets-sigPolicyId\", \"id-smime-aa-ets-sigPolicyId\",\n NID_id_smime_aa_ets_sigPolicyId, 11, &kObjectData[1519], 0},\n {\"id-smime-aa-ets-commitmentType\", \"id-smime-aa-ets-commitmentType\",\n NID_id_smime_aa_ets_commitmentType, 11, &kObjectData[1530], 0},\n {\"id-smime-aa-ets-signerLocation\", \"id-smime-aa-ets-signerLocation\",\n NID_id_smime_aa_ets_signerLocation, 11, &kObjectData[1541], 0},\n {\"id-smime-aa-ets-signerAttr\", \"id-smime-aa-ets-signerAttr\",\n NID_id_smime_aa_ets_signerAttr, 11, &kObjectData[1552], 0},\n {\"id-smime-aa-ets-otherSigCert\", \"id-smime-aa-ets-otherSigCert\",\n NID_id_smime_aa_ets_otherSigCert, 11, &kObjectData[1563], 0},\n {\"id-smime-aa-ets-contentTimestamp\", \"id-smime-aa-ets-contentTimestamp\",\n NID_id_smime_aa_ets_contentTimestamp, 11, &kObjectData[1574], 0},\n {\"id-smime-aa-ets-CertificateRefs\", \"id-smime-aa-ets-CertificateRefs\",\n NID_id_smime_aa_ets_CertificateRefs, 11, &kObjectData[1585], 0},\n {\"id-smime-aa-ets-RevocationRefs\", \"id-smime-aa-ets-RevocationRefs\",\n NID_id_smime_aa_ets_RevocationRefs, 11, &kObjectData[1596], 0},\n {\"id-smime-aa-ets-certValues\", \"id-smime-aa-ets-certValues\",\n NID_id_smime_aa_ets_certValues, 11, &kObjectData[1607], 0},\n {\"id-smime-aa-ets-revocationValues\", \"id-smime-aa-ets-revocationValues\",\n NID_id_smime_aa_ets_revocationValues, 11, &kObjectData[1618], 0},\n {\"id-smime-aa-ets-escTimeStamp\", \"id-smime-aa-ets-escTimeStamp\",\n NID_id_smime_aa_ets_escTimeStamp, 11, &kObjectData[1629], 0},\n {\"id-smime-aa-ets-certCRLTimestamp\", \"id-smime-aa-ets-certCRLTimestamp\",\n NID_id_smime_aa_ets_certCRLTimestamp, 11, &kObjectData[1640], 0},\n {\"id-smime-aa-ets-archiveTimeStamp\", \"id-smime-aa-ets-archiveTimeStamp\",\n NID_id_smime_aa_ets_archiveTimeStamp, 11, &kObjectData[1651], 0},\n {\"id-smime-aa-signatureType\", \"id-smime-aa-signatureType\",\n NID_id_smime_aa_signatureType, 11, &kObjectData[1662], 0},\n {\"id-smime-aa-dvcs-dvc\", \"id-smime-aa-dvcs-dvc\", NID_id_smime_aa_dvcs_dvc,\n 11, &kObjectData[1673], 0},\n {\"id-smime-alg-ESDHwith3DES\", \"id-smime-alg-ESDHwith3DES\",\n NID_id_smime_alg_ESDHwith3DES, 11, &kObjectData[1684], 0},\n {\"id-smime-alg-ESDHwithRC2\", \"id-smime-alg-ESDHwithRC2\",\n NID_id_smime_alg_ESDHwithRC2, 11, &kObjectData[1695], 0},\n {\"id-smime-alg-3DESwrap\", \"id-smime-alg-3DESwrap\",\n NID_id_smime_alg_3DESwrap, 11, &kObjectData[1706], 0},\n {\"id-smime-alg-RC2wrap\", \"id-smime-alg-RC2wrap\", NID_id_smime_alg_RC2wrap,\n 11, &kObjectData[1717], 0},\n {\"id-smime-alg-ESDH\", \"id-smime-alg-ESDH\", NID_id_smime_alg_ESDH, 11,\n &kObjectData[1728], 0},\n {\"id-smime-alg-CMS3DESwrap\", \"id-smime-alg-CMS3DESwrap\",\n NID_id_smime_alg_CMS3DESwrap, 11, &kObjectData[1739], 0},\n {\"id-smime-alg-CMSRC2wrap\", \"id-smime-alg-CMSRC2wrap\",\n NID_id_smime_alg_CMSRC2wrap, 11, &kObjectData[1750], 0},\n {\"id-smime-cd-ldap\", \"id-smime-cd-ldap\", NID_id_smime_cd_ldap, 11,\n &kObjectData[1761], 0},\n {\"id-smime-spq-ets-sqt-uri\", \"id-smime-spq-ets-sqt-uri\",\n NID_id_smime_spq_ets_sqt_uri, 11, &kObjectData[1772], 0},\n {\"id-smime-spq-ets-sqt-unotice\", \"id-smime-spq-ets-sqt-unotice\",\n NID_id_smime_spq_ets_sqt_unotice, 11, &kObjectData[1783], 0},\n {\"id-smime-cti-ets-proofOfOrigin\", \"id-smime-cti-ets-proofOfOrigin\",\n NID_id_smime_cti_ets_proofOfOrigin, 11, &kObjectData[1794], 0},\n {\"id-smime-cti-ets-proofOfReceipt\", \"id-smime-cti-ets-proofOfReceipt\",\n NID_id_smime_cti_ets_proofOfReceipt, 11, &kObjectData[1805], 0},\n {\"id-smime-cti-ets-proofOfDelivery\", \"id-smime-cti-ets-proofOfDelivery\",\n NID_id_smime_cti_ets_proofOfDelivery, 11, &kObjectData[1816], 0},\n {\"id-smime-cti-ets-proofOfSender\", \"id-smime-cti-ets-proofOfSender\",\n NID_id_smime_cti_ets_proofOfSender, 11, &kObjectData[1827], 0},\n {\"id-smime-cti-ets-proofOfApproval\", \"id-smime-cti-ets-proofOfApproval\",\n NID_id_smime_cti_ets_proofOfApproval, 11, &kObjectData[1838], 0},\n {\"id-smime-cti-ets-proofOfCreation\", \"id-smime-cti-ets-proofOfCreation\",\n NID_id_smime_cti_ets_proofOfCreation, 11, &kObjectData[1849], 0},\n {\"MD4\", \"md4\", NID_md4, 8, &kObjectData[1860], 0},\n {\"id-pkix-mod\", \"id-pkix-mod\", NID_id_pkix_mod, 7, &kObjectData[1868], 0},\n {\"id-qt\", \"id-qt\", NID_id_qt, 7, &kObjectData[1875], 0},\n {\"id-it\", \"id-it\", NID_id_it, 7, &kObjectData[1882], 0},\n {\"id-pkip\", \"id-pkip\", NID_id_pkip, 7, &kObjectData[1889], 0},\n {\"id-alg\", \"id-alg\", NID_id_alg, 7, &kObjectData[1896], 0},\n {\"id-cmc\", \"id-cmc\", NID_id_cmc, 7, &kObjectData[1903], 0},\n {\"id-on\", \"id-on\", NID_id_on, 7, &kObjectData[1910], 0},\n {\"id-pda\", \"id-pda\", NID_id_pda, 7, &kObjectData[1917], 0},\n {\"id-aca\", \"id-aca\", NID_id_aca, 7, &kObjectData[1924], 0},\n {\"id-qcs\", \"id-qcs\", NID_id_qcs, 7, &kObjectData[1931], 0},\n {\"id-cct\", \"id-cct\", NID_id_cct, 7, &kObjectData[1938], 0},\n {\"id-pkix1-explicit-88\", \"id-pkix1-explicit-88\", NID_id_pkix1_explicit_88,\n 8, &kObjectData[1945], 0},\n {\"id-pkix1-implicit-88\", \"id-pkix1-implicit-88\", NID_id_pkix1_implicit_88,\n 8, &kObjectData[1953], 0},\n {\"id-pkix1-explicit-93\", \"id-pkix1-explicit-93\", NID_id_pkix1_explicit_93,\n 8, &kObjectData[1961], 0},\n {\"id-pkix1-implicit-93\", \"id-pkix1-implicit-93\", NID_id_pkix1_implicit_93,\n 8, &kObjectData[1969], 0},\n {\"id-mod-crmf\", \"id-mod-crmf\", NID_id_mod_crmf, 8, &kObjectData[1977], 0},\n {\"id-mod-cmc\", \"id-mod-cmc\", NID_id_mod_cmc, 8, &kObjectData[1985], 0},\n {\"id-mod-kea-profile-88\", \"id-mod-kea-profile-88\",\n NID_id_mod_kea_profile_88, 8, &kObjectData[1993], 0},\n {\"id-mod-kea-profile-93\", \"id-mod-kea-profile-93\",\n NID_id_mod_kea_profile_93, 8, &kObjectData[2001], 0},\n {\"id-mod-cmp\", \"id-mod-cmp\", NID_id_mod_cmp, 8, &kObjectData[2009], 0},\n {\"id-mod-qualified-cert-88\", \"id-mod-qualified-cert-88\",\n NID_id_mod_qualified_cert_88, 8, &kObjectData[2017], 0},\n {\"id-mod-qualified-cert-93\", \"id-mod-qualified-cert-93\",\n NID_id_mod_qualified_cert_93, 8, &kObjectData[2025], 0},\n {\"id-mod-attribute-cert\", \"id-mod-attribute-cert\",\n NID_id_mod_attribute_cert, 8, &kObjectData[2033], 0},\n {\"id-mod-timestamp-protocol\", \"id-mod-timestamp-protocol\",\n NID_id_mod_timestamp_protocol, 8, &kObjectData[2041], 0},\n {\"id-mod-ocsp\", \"id-mod-ocsp\", NID_id_mod_ocsp, 8, &kObjectData[2049], 0},\n {\"id-mod-dvcs\", \"id-mod-dvcs\", NID_id_mod_dvcs, 8, &kObjectData[2057], 0},\n {\"id-mod-cmp2000\", \"id-mod-cmp2000\", NID_id_mod_cmp2000, 8,\n &kObjectData[2065], 0},\n {\"biometricInfo\", \"Biometric Info\", NID_biometricInfo, 8,\n &kObjectData[2073], 0},\n {\"qcStatements\", \"qcStatements\", NID_qcStatements, 8, &kObjectData[2081],\n 0},\n {\"ac-auditEntity\", \"ac-auditEntity\", NID_ac_auditEntity, 8,\n &kObjectData[2089], 0},\n {\"ac-targeting\", \"ac-targeting\", NID_ac_targeting, 8, &kObjectData[2097],\n 0},\n {\"aaControls\", \"aaControls\", NID_aaControls, 8, &kObjectData[2105], 0},\n {\"sbgp-ipAddrBlock\", \"sbgp-ipAddrBlock\", NID_sbgp_ipAddrBlock, 8,\n &kObjectData[2113], 0},\n {\"sbgp-autonomousSysNum\", \"sbgp-autonomousSysNum\",\n NID_sbgp_autonomousSysNum, 8, &kObjectData[2121], 0},\n {\"sbgp-routerIdentifier\", \"sbgp-routerIdentifier\",\n NID_sbgp_routerIdentifier, 8, &kObjectData[2129], 0},\n {\"textNotice\", \"textNotice\", NID_textNotice, 8, &kObjectData[2137], 0},\n {\"ipsecEndSystem\", \"IPSec End System\", NID_ipsecEndSystem, 8,\n &kObjectData[2145], 0},\n {\"ipsecTunnel\", \"IPSec Tunnel\", NID_ipsecTunnel, 8, &kObjectData[2153], 0},\n {\"ipsecUser\", \"IPSec User\", NID_ipsecUser, 8, &kObjectData[2161], 0},\n {\"DVCS\", \"dvcs\", NID_dvcs, 8, &kObjectData[2169], 0},\n {\"id-it-caProtEncCert\", \"id-it-caProtEncCert\", NID_id_it_caProtEncCert, 8,\n &kObjectData[2177], 0},\n {\"id-it-signKeyPairTypes\", \"id-it-signKeyPairTypes\",\n NID_id_it_signKeyPairTypes, 8, &kObjectData[2185], 0},\n {\"id-it-encKeyPairTypes\", \"id-it-encKeyPairTypes\",\n NID_id_it_encKeyPairTypes, 8, &kObjectData[2193], 0},\n {\"id-it-preferredSymmAlg\", \"id-it-preferredSymmAlg\",\n NID_id_it_preferredSymmAlg, 8, &kObjectData[2201], 0},\n {\"id-it-caKeyUpdateInfo\", \"id-it-caKeyUpdateInfo\",\n NID_id_it_caKeyUpdateInfo, 8, &kObjectData[2209], 0},\n {\"id-it-currentCRL\", \"id-it-currentCRL\", NID_id_it_currentCRL, 8,\n &kObjectData[2217], 0},\n {\"id-it-unsupportedOIDs\", \"id-it-unsupportedOIDs\",\n NID_id_it_unsupportedOIDs, 8, &kObjectData[2225], 0},\n {\"id-it-subscriptionRequest\", \"id-it-subscriptionRequest\",\n NID_id_it_subscriptionRequest, 8, &kObjectData[2233], 0},\n {\"id-it-subscriptionResponse\", \"id-it-subscriptionResponse\",\n NID_id_it_subscriptionResponse, 8, &kObjectData[2241], 0},\n {\"id-it-keyPairParamReq\", \"id-it-keyPairParamReq\",\n NID_id_it_keyPairParamReq, 8, &kObjectData[2249], 0},\n {\"id-it-keyPairParamRep\", \"id-it-keyPairParamRep\",\n NID_id_it_keyPairParamRep, 8, &kObjectData[2257], 0},\n {\"id-it-revPassphrase\", \"id-it-revPassphrase\", NID_id_it_revPassphrase, 8,\n &kObjectData[2265], 0},\n {\"id-it-implicitConfirm\", \"id-it-implicitConfirm\",\n NID_id_it_implicitConfirm, 8, &kObjectData[2273], 0},\n {\"id-it-confirmWaitTime\", \"id-it-confirmWaitTime\",\n NID_id_it_confirmWaitTime, 8, &kObjectData[2281], 0},\n {\"id-it-origPKIMessage\", \"id-it-origPKIMessage\", NID_id_it_origPKIMessage,\n 8, &kObjectData[2289], 0},\n {\"id-regCtrl\", \"id-regCtrl\", NID_id_regCtrl, 8, &kObjectData[2297], 0},\n {\"id-regInfo\", \"id-regInfo\", NID_id_regInfo, 8, &kObjectData[2305], 0},\n {\"id-regCtrl-regToken\", \"id-regCtrl-regToken\", NID_id_regCtrl_regToken, 9,\n &kObjectData[2313], 0},\n {\"id-regCtrl-authenticator\", \"id-regCtrl-authenticator\",\n NID_id_regCtrl_authenticator, 9, &kObjectData[2322], 0},\n {\"id-regCtrl-pkiPublicationInfo\", \"id-regCtrl-pkiPublicationInfo\",\n NID_id_regCtrl_pkiPublicationInfo, 9, &kObjectData[2331], 0},\n {\"id-regCtrl-pkiArchiveOptions\", \"id-regCtrl-pkiArchiveOptions\",\n NID_id_regCtrl_pkiArchiveOptions, 9, &kObjectData[2340], 0},\n {\"id-regCtrl-oldCertID\", \"id-regCtrl-oldCertID\", NID_id_regCtrl_oldCertID,\n 9, &kObjectData[2349], 0},\n {\"id-regCtrl-protocolEncrKey\", \"id-regCtrl-protocolEncrKey\",\n NID_id_regCtrl_protocolEncrKey, 9, &kObjectData[2358], 0},\n {\"id-regInfo-utf8Pairs\", \"id-regInfo-utf8Pairs\", NID_id_regInfo_utf8Pairs,\n 9, &kObjectData[2367], 0},\n {\"id-regInfo-certReq\", \"id-regInfo-certReq\", NID_id_regInfo_certReq, 9,\n &kObjectData[2376], 0},\n {\"id-alg-des40\", \"id-alg-des40\", NID_id_alg_des40, 8, &kObjectData[2385],\n 0},\n {\"id-alg-noSignature\", \"id-alg-noSignature\", NID_id_alg_noSignature, 8,\n &kObjectData[2393], 0},\n {\"id-alg-dh-sig-hmac-sha1\", \"id-alg-dh-sig-hmac-sha1\",\n NID_id_alg_dh_sig_hmac_sha1, 8, &kObjectData[2401], 0},\n {\"id-alg-dh-pop\", \"id-alg-dh-pop\", NID_id_alg_dh_pop, 8, &kObjectData[2409],\n 0},\n {\"id-cmc-statusInfo\", \"id-cmc-statusInfo\", NID_id_cmc_statusInfo, 8,\n &kObjectData[2417], 0},\n {\"id-cmc-identification\", \"id-cmc-identification\",\n NID_id_cmc_identification, 8, &kObjectData[2425], 0},\n {\"id-cmc-identityProof\", \"id-cmc-identityProof\", NID_id_cmc_identityProof,\n 8, &kObjectData[2433], 0},\n {\"id-cmc-dataReturn\", \"id-cmc-dataReturn\", NID_id_cmc_dataReturn, 8,\n &kObjectData[2441], 0},\n {\"id-cmc-transactionId\", \"id-cmc-transactionId\", NID_id_cmc_transactionId,\n 8, &kObjectData[2449], 0},\n {\"id-cmc-senderNonce\", \"id-cmc-senderNonce\", NID_id_cmc_senderNonce, 8,\n &kObjectData[2457], 0},\n {\"id-cmc-recipientNonce\", \"id-cmc-recipientNonce\",\n NID_id_cmc_recipientNonce, 8, &kObjectData[2465], 0},\n {\"id-cmc-addExtensions\", \"id-cmc-addExtensions\", NID_id_cmc_addExtensions,\n 8, &kObjectData[2473], 0},\n {\"id-cmc-encryptedPOP\", \"id-cmc-encryptedPOP\", NID_id_cmc_encryptedPOP, 8,\n &kObjectData[2481], 0},\n {\"id-cmc-decryptedPOP\", \"id-cmc-decryptedPOP\", NID_id_cmc_decryptedPOP, 8,\n &kObjectData[2489], 0},\n {\"id-cmc-lraPOPWitness\", \"id-cmc-lraPOPWitness\", NID_id_cmc_lraPOPWitness,\n 8, &kObjectData[2497], 0},\n {\"id-cmc-getCert\", \"id-cmc-getCert\", NID_id_cmc_getCert, 8,\n &kObjectData[2505], 0},\n {\"id-cmc-getCRL\", \"id-cmc-getCRL\", NID_id_cmc_getCRL, 8, &kObjectData[2513],\n 0},\n {\"id-cmc-revokeRequest\", \"id-cmc-revokeRequest\", NID_id_cmc_revokeRequest,\n 8, &kObjectData[2521], 0},\n {\"id-cmc-regInfo\", \"id-cmc-regInfo\", NID_id_cmc_regInfo, 8,\n &kObjectData[2529], 0},\n {\"id-cmc-responseInfo\", \"id-cmc-responseInfo\", NID_id_cmc_responseInfo, 8,\n &kObjectData[2537], 0},\n {\"id-cmc-queryPending\", \"id-cmc-queryPending\", NID_id_cmc_queryPending, 8,\n &kObjectData[2545], 0},\n {\"id-cmc-popLinkRandom\", \"id-cmc-popLinkRandom\", NID_id_cmc_popLinkRandom,\n 8, &kObjectData[2553], 0},\n {\"id-cmc-popLinkWitness\", \"id-cmc-popLinkWitness\",\n NID_id_cmc_popLinkWitness, 8, &kObjectData[2561], 0},\n {\"id-cmc-confirmCertAcceptance\", \"id-cmc-confirmCertAcceptance\",\n NID_id_cmc_confirmCertAcceptance, 8, &kObjectData[2569], 0},\n {\"id-on-personalData\", \"id-on-personalData\", NID_id_on_personalData, 8,\n &kObjectData[2577], 0},\n {\"id-pda-dateOfBirth\", \"id-pda-dateOfBirth\", NID_id_pda_dateOfBirth, 8,\n &kObjectData[2585], 0},\n {\"id-pda-placeOfBirth\", \"id-pda-placeOfBirth\", NID_id_pda_placeOfBirth, 8,\n &kObjectData[2593], 0},\n {NULL, NULL, NID_undef, 0, NULL, 0},\n {\"id-pda-gender\", \"id-pda-gender\", NID_id_pda_gender, 8, &kObjectData[2601],\n 0},\n {\"id-pda-countryOfCitizenship\", \"id-pda-countryOfCitizenship\",\n NID_id_pda_countryOfCitizenship, 8, &kObjectData[2609], 0},\n {\"id-pda-countryOfResidence\", \"id-pda-countryOfResidence\",\n NID_id_pda_countryOfResidence, 8, &kObjectData[2617], 0},\n {\"id-aca-authenticationInfo\", \"id-aca-authenticationInfo\",\n NID_id_aca_authenticationInfo, 8, &kObjectData[2625], 0},\n {\"id-aca-accessIdentity\", \"id-aca-accessIdentity\",\n NID_id_aca_accessIdentity, 8, &kObjectData[2633], 0},\n {\"id-aca-chargingIdentity\", \"id-aca-chargingIdentity\",\n NID_id_aca_chargingIdentity, 8, &kObjectData[2641], 0},\n {\"id-aca-group\", \"id-aca-group\", NID_id_aca_group, 8, &kObjectData[2649],\n 0},\n {\"id-aca-role\", \"id-aca-role\", NID_id_aca_role, 8, &kObjectData[2657], 0},\n {\"id-qcs-pkixQCSyntax-v1\", \"id-qcs-pkixQCSyntax-v1\",\n NID_id_qcs_pkixQCSyntax_v1, 8, &kObjectData[2665], 0},\n {\"id-cct-crs\", \"id-cct-crs\", NID_id_cct_crs, 8, &kObjectData[2673], 0},\n {\"id-cct-PKIData\", \"id-cct-PKIData\", NID_id_cct_PKIData, 8,\n &kObjectData[2681], 0},\n {\"id-cct-PKIResponse\", \"id-cct-PKIResponse\", NID_id_cct_PKIResponse, 8,\n &kObjectData[2689], 0},\n {\"ad_timestamping\", \"AD Time Stamping\", NID_ad_timeStamping, 8,\n &kObjectData[2697], 0},\n {\"AD_DVCS\", \"ad dvcs\", NID_ad_dvcs, 8, &kObjectData[2705], 0},\n {\"basicOCSPResponse\", \"Basic OCSP Response\", NID_id_pkix_OCSP_basic, 9,\n &kObjectData[2713], 0},\n {\"Nonce\", \"OCSP Nonce\", NID_id_pkix_OCSP_Nonce, 9, &kObjectData[2722], 0},\n {\"CrlID\", \"OCSP CRL ID\", NID_id_pkix_OCSP_CrlID, 9, &kObjectData[2731], 0},\n {\"acceptableResponses\", \"Acceptable OCSP Responses\",\n NID_id_pkix_OCSP_acceptableResponses, 9, &kObjectData[2740], 0},\n {\"noCheck\", \"OCSP No Check\", NID_id_pkix_OCSP_noCheck, 9,\n &kObjectData[2749], 0},\n {\"archiveCutoff\", \"OCSP Archive Cutoff\", NID_id_pkix_OCSP_archiveCutoff, 9,\n &kObjectData[2758], 0},\n {\"serviceLocator\", \"OCSP Service Locator\", NID_id_pkix_OCSP_serviceLocator,\n 9, &kObjectData[2767], 0},\n {\"extendedStatus\", \"Extended OCSP Status\", NID_id_pkix_OCSP_extendedStatus,\n 9, &kObjectData[2776], 0},\n {\"valid\", \"valid\", NID_id_pkix_OCSP_valid, 9, &kObjectData[2785], 0},\n {\"path\", \"path\", NID_id_pkix_OCSP_path, 9, &kObjectData[2794], 0},\n {\"trustRoot\", \"Trust Root\", NID_id_pkix_OCSP_trustRoot, 9,\n &kObjectData[2803], 0},\n {\"algorithm\", \"algorithm\", NID_algorithm, 4, &kObjectData[2812], 0},\n {\"rsaSignature\", \"rsaSignature\", NID_rsaSignature, 5, &kObjectData[2816],\n 0},\n {\"X500algorithms\", \"directory services - algorithms\", NID_X500algorithms, 2,\n &kObjectData[2821], 0},\n {\"ORG\", \"org\", NID_org, 1, &kObjectData[2823], 0},\n {\"DOD\", \"dod\", NID_dod, 2, &kObjectData[2824], 0},\n {\"IANA\", \"iana\", NID_iana, 3, &kObjectData[2826], 0},\n {\"directory\", \"Directory\", NID_Directory, 4, &kObjectData[2829], 0},\n {\"mgmt\", \"Management\", NID_Management, 4, &kObjectData[2833], 0},\n {\"experimental\", \"Experimental\", NID_Experimental, 4, &kObjectData[2837],\n 0},\n {\"private\", \"Private\", NID_Private, 4, &kObjectData[2841], 0},\n {\"security\", \"Security\", NID_Security, 4, &kObjectData[2845], 0},\n {\"snmpv2\", \"SNMPv2\", NID_SNMPv2, 4, &kObjectData[2849], 0},\n {\"Mail\", \"Mail\", NID_Mail, 4, &kObjectData[2853], 0},\n {\"enterprises\", \"Enterprises\", NID_Enterprises, 5, &kObjectData[2857], 0},\n {\"dcobject\", \"dcObject\", NID_dcObject, 9, &kObjectData[2862], 0},\n {\"DC\", \"domainComponent\", NID_domainComponent, 10, &kObjectData[2871], 0},\n {\"domain\", \"Domain\", NID_Domain, 10, &kObjectData[2881], 0},\n {NULL, NULL, NID_undef, 0, NULL, 0},\n {\"selected-attribute-types\", \"Selected Attribute Types\",\n NID_selected_attribute_types, 3, &kObjectData[2891], 0},\n {\"clearance\", \"clearance\", NID_clearance, 4, &kObjectData[2894], 0},\n {\"RSA-MD4\", \"md4WithRSAEncryption\", NID_md4WithRSAEncryption, 9,\n &kObjectData[2898], 0},\n {\"ac-proxying\", \"ac-proxying\", NID_ac_proxying, 8, &kObjectData[2907], 0},\n {\"subjectInfoAccess\", \"Subject Information Access\", NID_sinfo_access, 8,\n &kObjectData[2915], 0},\n {\"id-aca-encAttrs\", \"id-aca-encAttrs\", NID_id_aca_encAttrs, 8,\n &kObjectData[2923], 0},\n {\"role\", \"role\", NID_role, 3, &kObjectData[2931], 0},\n {\"policyConstraints\", \"X509v3 Policy Constraints\", NID_policy_constraints,\n 3, &kObjectData[2934], 0},\n {\"targetInformation\", \"X509v3 AC Targeting\", NID_target_information, 3,\n &kObjectData[2937], 0},\n {\"noRevAvail\", \"X509v3 No Revocation Available\", NID_no_rev_avail, 3,\n &kObjectData[2940], 0},\n {NULL, NULL, NID_undef, 0, NULL, 0},\n {\"ansi-X9-62\", \"ANSI X9.62\", NID_ansi_X9_62, 5, &kObjectData[2943], 0},\n {\"prime-field\", \"prime-field\", NID_X9_62_prime_field, 7, &kObjectData[2948],\n 0},\n {\"characteristic-two-field\", \"characteristic-two-field\",\n NID_X9_62_characteristic_two_field, 7, &kObjectData[2955], 0},\n {\"id-ecPublicKey\", \"id-ecPublicKey\", NID_X9_62_id_ecPublicKey, 7,\n &kObjectData[2962], 0},\n {\"prime192v1\", \"prime192v1\", NID_X9_62_prime192v1, 8, &kObjectData[2969],\n 0},\n {\"prime192v2\", \"prime192v2\", NID_X9_62_prime192v2, 8, &kObjectData[2977],\n 0},\n {\"prime192v3\", \"prime192v3\", NID_X9_62_prime192v3, 8, &kObjectData[2985],\n 0},\n {\"prime239v1\", \"prime239v1\", NID_X9_62_prime239v1, 8, &kObjectData[2993],\n 0},\n {\"prime239v2\", \"prime239v2\", NID_X9_62_prime239v2, 8, &kObjectData[3001],\n 0},\n {\"prime239v3\", \"prime239v3\", NID_X9_62_prime239v3, 8, &kObjectData[3009],\n 0},\n {\"prime256v1\", \"prime256v1\", NID_X9_62_prime256v1, 8, &kObjectData[3017],\n 0},\n {\"ecdsa-with-SHA1\", \"ecdsa-with-SHA1\", NID_ecdsa_with_SHA1, 7,\n &kObjectData[3025], 0},\n {\"CSPName\", \"Microsoft CSP Name\", NID_ms_csp_name, 9, &kObjectData[3032],\n 0},\n {\"AES-128-ECB\", \"aes-128-ecb\", NID_aes_128_ecb, 9, &kObjectData[3041], 0},\n {\"AES-128-CBC\", \"aes-128-cbc\", NID_aes_128_cbc, 9, &kObjectData[3050], 0},\n {\"AES-128-OFB\", \"aes-128-ofb\", NID_aes_128_ofb128, 9, &kObjectData[3059],\n 0},\n {\"AES-128-CFB\", \"aes-128-cfb\", NID_aes_128_cfb128, 9, &kObjectData[3068],\n 0},\n {\"AES-192-ECB\", \"aes-192-ecb\", NID_aes_192_ecb, 9, &kObjectData[3077], 0},\n {\"AES-192-CBC\", \"aes-192-cbc\", NID_aes_192_cbc, 9, &kObjectData[3086], 0},\n {\"AES-192-OFB\", \"aes-192-ofb\", NID_aes_192_ofb128, 9, &kObjectData[3095],\n 0},\n {\"AES-192-CFB\", \"aes-192-cfb\", NID_aes_192_cfb128, 9, &kObjectData[3104],\n 0},\n {\"AES-256-ECB\", \"aes-256-ecb\", NID_aes_256_ecb, 9, &kObjectData[3113], 0},\n {\"AES-256-CBC\", \"aes-256-cbc\", NID_aes_256_cbc, 9, &kObjectData[3122], 0},\n {\"AES-256-OFB\", \"aes-256-ofb\", NID_aes_256_ofb128, 9, &kObjectData[3131],\n 0},\n {\"AES-256-CFB\", \"aes-256-cfb\", NID_aes_256_cfb128, 9, &kObjectData[3140],\n 0},\n {\"holdInstructionCode\", \"Hold Instruction Code\", NID_hold_instruction_code,\n 3, &kObjectData[3149], 0},\n {\"holdInstructionNone\", \"Hold Instruction None\", NID_hold_instruction_none,\n 7, &kObjectData[3152], 0},\n {\"holdInstructionCallIssuer\", \"Hold Instruction Call Issuer\",\n NID_hold_instruction_call_issuer, 7, &kObjectData[3159], 0},\n {\"holdInstructionReject\", \"Hold Instruction Reject\",\n NID_hold_instruction_reject, 7, &kObjectData[3166], 0},\n {\"data\", \"data\", NID_data, 1, &kObjectData[3173], 0},\n {\"pss\", \"pss\", NID_pss, 3, &kObjectData[3174], 0},\n {\"ucl\", \"ucl\", NID_ucl, 7, &kObjectData[3177], 0},\n {\"pilot\", \"pilot\", NID_pilot, 8, &kObjectData[3184], 0},\n {\"pilotAttributeType\", \"pilotAttributeType\", NID_pilotAttributeType, 9,\n &kObjectData[3192], 0},\n {\"pilotAttributeSyntax\", \"pilotAttributeSyntax\", NID_pilotAttributeSyntax,\n 9, &kObjectData[3201], 0},\n {\"pilotObjectClass\", \"pilotObjectClass\", NID_pilotObjectClass, 9,\n &kObjectData[3210], 0},\n {\"pilotGroups\", \"pilotGroups\", NID_pilotGroups, 9, &kObjectData[3219], 0},\n {\"iA5StringSyntax\", \"iA5StringSyntax\", NID_iA5StringSyntax, 10,\n &kObjectData[3228], 0},\n {\"caseIgnoreIA5StringSyntax\", \"caseIgnoreIA5StringSyntax\",\n NID_caseIgnoreIA5StringSyntax, 10, &kObjectData[3238], 0},\n {\"pilotObject\", \"pilotObject\", NID_pilotObject, 10, &kObjectData[3248], 0},\n {\"pilotPerson\", \"pilotPerson\", NID_pilotPerson, 10, &kObjectData[3258], 0},\n {\"account\", \"account\", NID_account, 10, &kObjectData[3268], 0},\n {\"document\", \"document\", NID_document, 10, &kObjectData[3278], 0},\n {\"room\", \"room\", NID_room, 10, &kObjectData[3288], 0},\n {\"documentSeries\", \"documentSeries\", NID_documentSeries, 10,\n &kObjectData[3298], 0},\n {\"rFC822localPart\", \"rFC822localPart\", NID_rFC822localPart, 10,\n &kObjectData[3308], 0},\n {\"dNSDomain\", \"dNSDomain\", NID_dNSDomain, 10, &kObjectData[3318], 0},\n {\"domainRelatedObject\", \"domainRelatedObject\", NID_domainRelatedObject, 10,\n &kObjectData[3328], 0},\n {\"friendlyCountry\", \"friendlyCountry\", NID_friendlyCountry, 10,\n &kObjectData[3338], 0},\n {\"simpleSecurityObject\", \"simpleSecurityObject\", NID_simpleSecurityObject,\n 10, &kObjectData[3348], 0},\n {\"pilotOrganization\", \"pilotOrganization\", NID_pilotOrganization, 10,\n &kObjectData[3358], 0},\n {\"pilotDSA\", \"pilotDSA\", NID_pilotDSA, 10, &kObjectData[3368], 0},\n {\"qualityLabelledData\", \"qualityLabelledData\", NID_qualityLabelledData, 10,\n &kObjectData[3378], 0},\n {\"UID\", \"userId\", NID_userId, 10, &kObjectData[3388], 0},\n {\"textEncodedORAddress\", \"textEncodedORAddress\", NID_textEncodedORAddress,\n 10, &kObjectData[3398], 0},\n {\"mail\", \"rfc822Mailbox\", NID_rfc822Mailbox, 10, &kObjectData[3408], 0},\n {\"info\", \"info\", NID_info, 10, &kObjectData[3418], 0},\n {\"favouriteDrink\", \"favouriteDrink\", NID_favouriteDrink, 10,\n &kObjectData[3428], 0},\n {\"roomNumber\", \"roomNumber\", NID_roomNumber, 10, &kObjectData[3438], 0},\n {\"photo\", \"photo\", NID_photo, 10, &kObjectData[3448], 0},\n {\"userClass\", \"userClass\", NID_userClass, 10, &kObjectData[3458], 0},\n {\"host\", \"host\", NID_host, 10, &kObjectData[3468], 0},\n {\"manager\", \"manager\", NID_manager, 10, &kObjectData[3478], 0},\n {\"documentIdentifier\", \"documentIdentifier\", NID_documentIdentifier, 10,\n &kObjectData[3488], 0},\n {\"documentTitle\", \"documentTitle\", NID_documentTitle, 10,\n &kObjectData[3498], 0},\n {\"documentVersion\", \"documentVersion\", NID_documentVersion, 10,\n &kObjectData[3508], 0},\n {\"documentAuthor\", \"documentAuthor\", NID_documentAuthor, 10,\n &kObjectData[3518], 0},\n {\"documentLocation\", \"documentLocation\", NID_documentLocation, 10,\n &kObjectData[3528], 0},\n {\"homeTelephoneNumber\", \"homeTelephoneNumber\", NID_homeTelephoneNumber, 10,\n &kObjectData[3538], 0},\n {\"secretary\", \"secretary\", NID_secretary, 10, &kObjectData[3548], 0},\n {\"otherMailbox\", \"otherMailbox\", NID_otherMailbox, 10, &kObjectData[3558],\n 0},\n {\"lastModifiedTime\", \"lastModifiedTime\", NID_lastModifiedTime, 10,\n &kObjectData[3568], 0},\n {\"lastModifiedBy\", \"lastModifiedBy\", NID_lastModifiedBy, 10,\n &kObjectData[3578], 0},\n {\"aRecord\", \"aRecord\", NID_aRecord, 10, &kObjectData[3588], 0},\n {\"pilotAttributeType27\", \"pilotAttributeType27\", NID_pilotAttributeType27,\n 10, &kObjectData[3598], 0},\n {\"mXRecord\", \"mXRecord\", NID_mXRecord, 10, &kObjectData[3608], 0},\n {\"nSRecord\", \"nSRecord\", NID_nSRecord, 10, &kObjectData[3618], 0},\n {\"sOARecord\", \"sOARecord\", NID_sOARecord, 10, &kObjectData[3628], 0},\n {\"cNAMERecord\", \"cNAMERecord\", NID_cNAMERecord, 10, &kObjectData[3638], 0},\n {\"associatedDomain\", \"associatedDomain\", NID_associatedDomain, 10,\n &kObjectData[3648], 0},\n {\"associatedName\", \"associatedName\", NID_associatedName, 10,\n &kObjectData[3658], 0},\n {\"homePostalAddress\", \"homePostalAddress\", NID_homePostalAddress, 10,\n &kObjectData[3668], 0},\n {\"personalTitle\", \"personalTitle\", NID_personalTitle, 10,\n &kObjectData[3678], 0},\n {\"mobileTelephoneNumber\", \"mobileTelephoneNumber\",\n NID_mobileTelephoneNumber, 10, &kObjectData[3688], 0},\n {\"pagerTelephoneNumber\", \"pagerTelephoneNumber\", NID_pagerTelephoneNumber,\n 10, &kObjectData[3698], 0},\n {\"friendlyCountryName\", \"friendlyCountryName\", NID_friendlyCountryName, 10,\n &kObjectData[3708], 0},\n {\"organizationalStatus\", \"organizationalStatus\", NID_organizationalStatus,\n 10, &kObjectData[3718], 0},\n {\"janetMailbox\", \"janetMailbox\", NID_janetMailbox, 10, &kObjectData[3728],\n 0},\n {\"mailPreferenceOption\", \"mailPreferenceOption\", NID_mailPreferenceOption,\n 10, &kObjectData[3738], 0},\n {\"buildingName\", \"buildingName\", NID_buildingName, 10, &kObjectData[3748],\n 0},\n {\"dSAQuality\", \"dSAQuality\", NID_dSAQuality, 10, &kObjectData[3758], 0},\n {\"singleLevelQuality\", \"singleLevelQuality\", NID_singleLevelQuality, 10,\n &kObjectData[3768], 0},\n {\"subtreeMinimumQuality\", \"subtreeMinimumQuality\",\n NID_subtreeMinimumQuality, 10, &kObjectData[3778], 0},\n {\"subtreeMaximumQuality\", \"subtreeMaximumQuality\",\n NID_subtreeMaximumQuality, 10, &kObjectData[3788], 0},\n {\"personalSignature\", \"personalSignature\", NID_personalSignature, 10,\n &kObjectData[3798], 0},\n {\"dITRedirect\", \"dITRedirect\", NID_dITRedirect, 10, &kObjectData[3808], 0},\n {\"audio\", \"audio\", NID_audio, 10, &kObjectData[3818], 0},\n {\"documentPublisher\", \"documentPublisher\", NID_documentPublisher, 10,\n &kObjectData[3828], 0},\n {\"x500UniqueIdentifier\", \"x500UniqueIdentifier\", NID_x500UniqueIdentifier,\n 3, &kObjectData[3838], 0},\n {\"mime-mhs\", \"MIME MHS\", NID_mime_mhs, 5, &kObjectData[3841], 0},\n {\"mime-mhs-headings\", \"mime-mhs-headings\", NID_mime_mhs_headings, 6,\n &kObjectData[3846], 0},\n {\"mime-mhs-bodies\", \"mime-mhs-bodies\", NID_mime_mhs_bodies, 6,\n &kObjectData[3852], 0},\n {\"id-hex-partial-message\", \"id-hex-partial-message\",\n NID_id_hex_partial_message, 7, &kObjectData[3858], 0},\n {\"id-hex-multipart-message\", \"id-hex-multipart-message\",\n NID_id_hex_multipart_message, 7, &kObjectData[3865], 0},\n {\"generationQualifier\", \"generationQualifier\", NID_generationQualifier, 3,\n &kObjectData[3872], 0},\n {\"pseudonym\", \"pseudonym\", NID_pseudonym, 3, &kObjectData[3875], 0},\n {NULL, NULL, NID_undef, 0, NULL, 0},\n {\"id-set\", \"Secure Electronic Transactions\", NID_id_set, 2,\n &kObjectData[3878], 0},\n {\"set-ctype\", \"content types\", NID_set_ctype, 3, &kObjectData[3880], 0},\n {\"set-msgExt\", \"message extensions\", NID_set_msgExt, 3, &kObjectData[3883],\n 0},\n {\"set-attr\", \"set-attr\", NID_set_attr, 3, &kObjectData[3886], 0},\n {\"set-policy\", \"set-policy\", NID_set_policy, 3, &kObjectData[3889], 0},\n {\"set-certExt\", \"certificate extensions\", NID_set_certExt, 3,\n &kObjectData[3892], 0},\n {\"set-brand\", \"set-brand\", NID_set_brand, 3, &kObjectData[3895], 0},\n {\"setct-PANData\", \"setct-PANData\", NID_setct_PANData, 4, &kObjectData[3898],\n 0},\n {\"setct-PANToken\", \"setct-PANToken\", NID_setct_PANToken, 4,\n &kObjectData[3902], 0},\n {\"setct-PANOnly\", \"setct-PANOnly\", NID_setct_PANOnly, 4, &kObjectData[3906],\n 0},\n {\"setct-OIData\", \"setct-OIData\", NID_setct_OIData, 4, &kObjectData[3910],\n 0},\n {\"setct-PI\", \"setct-PI\", NID_setct_PI, 4, &kObjectData[3914], 0},\n {\"setct-PIData\", \"setct-PIData\", NID_setct_PIData, 4, &kObjectData[3918],\n 0},\n {\"setct-PIDataUnsigned\", \"setct-PIDataUnsigned\", NID_setct_PIDataUnsigned,\n 4, &kObjectData[3922], 0},\n {\"setct-HODInput\", \"setct-HODInput\", NID_setct_HODInput, 4,\n &kObjectData[3926], 0},\n {\"setct-AuthResBaggage\", \"setct-AuthResBaggage\", NID_setct_AuthResBaggage,\n 4, &kObjectData[3930], 0},\n {\"setct-AuthRevReqBaggage\", \"setct-AuthRevReqBaggage\",\n NID_setct_AuthRevReqBaggage, 4, &kObjectData[3934], 0},\n {\"setct-AuthRevResBaggage\", \"setct-AuthRevResBaggage\",\n NID_setct_AuthRevResBaggage, 4, &kObjectData[3938], 0},\n {\"setct-CapTokenSeq\", \"setct-CapTokenSeq\", NID_setct_CapTokenSeq, 4,\n &kObjectData[3942], 0},\n {\"setct-PInitResData\", \"setct-PInitResData\", NID_setct_PInitResData, 4,\n &kObjectData[3946], 0},\n {\"setct-PI-TBS\", \"setct-PI-TBS\", NID_setct_PI_TBS, 4, &kObjectData[3950],\n 0},\n {\"setct-PResData\", \"setct-PResData\", NID_setct_PResData, 4,\n &kObjectData[3954], 0},\n {\"setct-AuthReqTBS\", \"setct-AuthReqTBS\", NID_setct_AuthReqTBS, 4,\n &kObjectData[3958], 0},\n {\"setct-AuthResTBS\", \"setct-AuthResTBS\", NID_setct_AuthResTBS, 4,\n &kObjectData[3962], 0},\n {\"setct-AuthResTBSX\", \"setct-AuthResTBSX\", NID_setct_AuthResTBSX, 4,\n &kObjectData[3966], 0},\n {\"setct-AuthTokenTBS\", \"setct-AuthTokenTBS\", NID_setct_AuthTokenTBS, 4,\n &kObjectData[3970], 0},\n {\"setct-CapTokenData\", \"setct-CapTokenData\", NID_setct_CapTokenData, 4,\n &kObjectData[3974], 0},\n {\"setct-CapTokenTBS\", \"setct-CapTokenTBS\", NID_setct_CapTokenTBS, 4,\n &kObjectData[3978], 0},\n {\"setct-AcqCardCodeMsg\", \"setct-AcqCardCodeMsg\", NID_setct_AcqCardCodeMsg,\n 4, &kObjectData[3982], 0},\n {\"setct-AuthRevReqTBS\", \"setct-AuthRevReqTBS\", NID_setct_AuthRevReqTBS, 4,\n &kObjectData[3986], 0},\n {\"setct-AuthRevResData\", \"setct-AuthRevResData\", NID_setct_AuthRevResData,\n 4, &kObjectData[3990], 0},\n {\"setct-AuthRevResTBS\", \"setct-AuthRevResTBS\", NID_setct_AuthRevResTBS, 4,\n &kObjectData[3994], 0},\n {\"setct-CapReqTBS\", \"setct-CapReqTBS\", NID_setct_CapReqTBS, 4,\n &kObjectData[3998], 0},\n {\"setct-CapReqTBSX\", \"setct-CapReqTBSX\", NID_setct_CapReqTBSX, 4,\n &kObjectData[4002], 0},\n {\"setct-CapResData\", \"setct-CapResData\", NID_setct_CapResData, 4,\n &kObjectData[4006], 0},\n {\"setct-CapRevReqTBS\", \"setct-CapRevReqTBS\", NID_setct_CapRevReqTBS, 4,\n &kObjectData[4010], 0},\n {\"setct-CapRevReqTBSX\", \"setct-CapRevReqTBSX\", NID_setct_CapRevReqTBSX, 4,\n &kObjectData[4014], 0},\n {\"setct-CapRevResData\", \"setct-CapRevResData\", NID_setct_CapRevResData, 4,\n &kObjectData[4018], 0},\n {\"setct-CredReqTBS\", \"setct-CredReqTBS\", NID_setct_CredReqTBS, 4,\n &kObjectData[4022], 0},\n {\"setct-CredReqTBSX\", \"setct-CredReqTBSX\", NID_setct_CredReqTBSX, 4,\n &kObjectData[4026], 0},\n {\"setct-CredResData\", \"setct-CredResData\", NID_setct_CredResData, 4,\n &kObjectData[4030], 0},\n {\"setct-CredRevReqTBS\", \"setct-CredRevReqTBS\", NID_setct_CredRevReqTBS, 4,\n &kObjectData[4034], 0},\n {\"setct-CredRevReqTBSX\", \"setct-CredRevReqTBSX\", NID_setct_CredRevReqTBSX,\n 4, &kObjectData[4038], 0},\n {\"setct-CredRevResData\", \"setct-CredRevResData\", NID_setct_CredRevResData,\n 4, &kObjectData[4042], 0},\n {\"setct-PCertReqData\", \"setct-PCertReqData\", NID_setct_PCertReqData, 4,\n &kObjectData[4046], 0},\n {\"setct-PCertResTBS\", \"setct-PCertResTBS\", NID_setct_PCertResTBS, 4,\n &kObjectData[4050], 0},\n {\"setct-BatchAdminReqData\", \"setct-BatchAdminReqData\",\n NID_setct_BatchAdminReqData, 4, &kObjectData[4054], 0},\n {\"setct-BatchAdminResData\", \"setct-BatchAdminResData\",\n NID_setct_BatchAdminResData, 4, &kObjectData[4058], 0},\n {\"setct-CardCInitResTBS\", \"setct-CardCInitResTBS\",\n NID_setct_CardCInitResTBS, 4, &kObjectData[4062], 0},\n {\"setct-MeAqCInitResTBS\", \"setct-MeAqCInitResTBS\",\n NID_setct_MeAqCInitResTBS, 4, &kObjectData[4066], 0},\n {\"setct-RegFormResTBS\", \"setct-RegFormResTBS\", NID_setct_RegFormResTBS, 4,\n &kObjectData[4070], 0},\n {\"setct-CertReqData\", \"setct-CertReqData\", NID_setct_CertReqData, 4,\n &kObjectData[4074], 0},\n {\"setct-CertReqTBS\", \"setct-CertReqTBS\", NID_setct_CertReqTBS, 4,\n &kObjectData[4078], 0},\n {\"setct-CertResData\", \"setct-CertResData\", NID_setct_CertResData, 4,\n &kObjectData[4082], 0},\n {\"setct-CertInqReqTBS\", \"setct-CertInqReqTBS\", NID_setct_CertInqReqTBS, 4,\n &kObjectData[4086], 0},\n {\"setct-ErrorTBS\", \"setct-ErrorTBS\", NID_setct_ErrorTBS, 4,\n &kObjectData[4090], 0},\n {\"setct-PIDualSignedTBE\", \"setct-PIDualSignedTBE\",\n NID_setct_PIDualSignedTBE, 4, &kObjectData[4094], 0},\n {\"setct-PIUnsignedTBE\", \"setct-PIUnsignedTBE\", NID_setct_PIUnsignedTBE, 4,\n &kObjectData[4098], 0},\n {\"setct-AuthReqTBE\", \"setct-AuthReqTBE\", NID_setct_AuthReqTBE, 4,\n &kObjectData[4102], 0},\n {\"setct-AuthResTBE\", \"setct-AuthResTBE\", NID_setct_AuthResTBE, 4,\n &kObjectData[4106], 0},\n {\"setct-AuthResTBEX\", \"setct-AuthResTBEX\", NID_setct_AuthResTBEX, 4,\n &kObjectData[4110], 0},\n {\"setct-AuthTokenTBE\", \"setct-AuthTokenTBE\", NID_setct_AuthTokenTBE, 4,\n &kObjectData[4114], 0},\n {\"setct-CapTokenTBE\", \"setct-CapTokenTBE\", NID_setct_CapTokenTBE, 4,\n &kObjectData[4118], 0},\n {\"setct-CapTokenTBEX\", \"setct-CapTokenTBEX\", NID_setct_CapTokenTBEX, 4,\n &kObjectData[4122], 0},\n {\"setct-AcqCardCodeMsgTBE\", \"setct-AcqCardCodeMsgTBE\",\n NID_setct_AcqCardCodeMsgTBE, 4, &kObjectData[4126], 0},\n {\"setct-AuthRevReqTBE\", \"setct-AuthRevReqTBE\", NID_setct_AuthRevReqTBE, 4,\n &kObjectData[4130], 0},\n {\"setct-AuthRevResTBE\", \"setct-AuthRevResTBE\", NID_setct_AuthRevResTBE, 4,\n &kObjectData[4134], 0},\n {\"setct-AuthRevResTBEB\", \"setct-AuthRevResTBEB\", NID_setct_AuthRevResTBEB,\n 4, &kObjectData[4138], 0},\n {\"setct-CapReqTBE\", \"setct-CapReqTBE\", NID_setct_CapReqTBE, 4,\n &kObjectData[4142], 0},\n {\"setct-CapReqTBEX\", \"setct-CapReqTBEX\", NID_setct_CapReqTBEX, 4,\n &kObjectData[4146], 0},\n {\"setct-CapResTBE\", \"setct-CapResTBE\", NID_setct_CapResTBE, 4,\n &kObjectData[4150], 0},\n {\"setct-CapRevReqTBE\", \"setct-CapRevReqTBE\", NID_setct_CapRevReqTBE, 4,\n &kObjectData[4154], 0},\n {\"setct-CapRevReqTBEX\", \"setct-CapRevReqTBEX\", NID_setct_CapRevReqTBEX, 4,\n &kObjectData[4158], 0},\n {\"setct-CapRevResTBE\", \"setct-CapRevResTBE\", NID_setct_CapRevResTBE, 4,\n &kObjectData[4162], 0},\n {\"setct-CredReqTBE\", \"setct-CredReqTBE\", NID_setct_CredReqTBE, 4,\n &kObjectData[4166], 0},\n {\"setct-CredReqTBEX\", \"setct-CredReqTBEX\", NID_setct_CredReqTBEX, 4,\n &kObjectData[4170], 0},\n {\"setct-CredResTBE\", \"setct-CredResTBE\", NID_setct_CredResTBE, 4,\n &kObjectData[4174], 0},\n {\"setct-CredRevReqTBE\", \"setct-CredRevReqTBE\", NID_setct_CredRevReqTBE, 4,\n &kObjectData[4178], 0},\n {\"setct-CredRevReqTBEX\", \"setct-CredRevReqTBEX\", NID_setct_CredRevReqTBEX,\n 4, &kObjectData[4182], 0},\n {\"setct-CredRevResTBE\", \"setct-CredRevResTBE\", NID_setct_CredRevResTBE, 4,\n &kObjectData[4186], 0},\n {\"setct-BatchAdminReqTBE\", \"setct-BatchAdminReqTBE\",\n NID_setct_BatchAdminReqTBE, 4, &kObjectData[4190], 0},\n {\"setct-BatchAdminResTBE\", \"setct-BatchAdminResTBE\",\n NID_setct_BatchAdminResTBE, 4, &kObjectData[4194], 0},\n {\"setct-RegFormReqTBE\", \"setct-RegFormReqTBE\", NID_setct_RegFormReqTBE, 4,\n &kObjectData[4198], 0},\n {\"setct-CertReqTBE\", \"setct-CertReqTBE\", NID_setct_CertReqTBE, 4,\n &kObjectData[4202], 0},\n {\"setct-CertReqTBEX\", \"setct-CertReqTBEX\", NID_setct_CertReqTBEX, 4,\n &kObjectData[4206], 0},\n {\"setct-CertResTBE\", \"setct-CertResTBE\", NID_setct_CertResTBE, 4,\n &kObjectData[4210], 0},\n {\"setct-CRLNotificationTBS\", \"setct-CRLNotificationTBS\",\n NID_setct_CRLNotificationTBS, 4, &kObjectData[4214], 0},\n {\"setct-CRLNotificationResTBS\", \"setct-CRLNotificationResTBS\",\n NID_setct_CRLNotificationResTBS, 4, &kObjectData[4218], 0},\n {\"setct-BCIDistributionTBS\", \"setct-BCIDistributionTBS\",\n NID_setct_BCIDistributionTBS, 4, &kObjectData[4222], 0},\n {\"setext-genCrypt\", \"generic cryptogram\", NID_setext_genCrypt, 4,\n &kObjectData[4226], 0},\n {\"setext-miAuth\", \"merchant initiated auth\", NID_setext_miAuth, 4,\n &kObjectData[4230], 0},\n {\"setext-pinSecure\", \"setext-pinSecure\", NID_setext_pinSecure, 4,\n &kObjectData[4234], 0},\n {\"setext-pinAny\", \"setext-pinAny\", NID_setext_pinAny, 4, &kObjectData[4238],\n 0},\n {\"setext-track2\", \"setext-track2\", NID_setext_track2, 4, &kObjectData[4242],\n 0},\n {\"setext-cv\", \"additional verification\", NID_setext_cv, 4,\n &kObjectData[4246], 0},\n {\"set-policy-root\", \"set-policy-root\", NID_set_policy_root, 4,\n &kObjectData[4250], 0},\n {\"setCext-hashedRoot\", \"setCext-hashedRoot\", NID_setCext_hashedRoot, 4,\n &kObjectData[4254], 0},\n {\"setCext-certType\", \"setCext-certType\", NID_setCext_certType, 4,\n &kObjectData[4258], 0},\n {\"setCext-merchData\", \"setCext-merchData\", NID_setCext_merchData, 4,\n &kObjectData[4262], 0},\n {\"setCext-cCertRequired\", \"setCext-cCertRequired\",\n NID_setCext_cCertRequired, 4, &kObjectData[4266], 0},\n {\"setCext-tunneling\", \"setCext-tunneling\", NID_setCext_tunneling, 4,\n &kObjectData[4270], 0},\n {\"setCext-setExt\", \"setCext-setExt\", NID_setCext_setExt, 4,\n &kObjectData[4274], 0},\n {\"setCext-setQualf\", \"setCext-setQualf\", NID_setCext_setQualf, 4,\n &kObjectData[4278], 0},\n {\"setCext-PGWYcapabilities\", \"setCext-PGWYcapabilities\",\n NID_setCext_PGWYcapabilities, 4, &kObjectData[4282], 0},\n {\"setCext-TokenIdentifier\", \"setCext-TokenIdentifier\",\n NID_setCext_TokenIdentifier, 4, &kObjectData[4286], 0},\n {\"setCext-Track2Data\", \"setCext-Track2Data\", NID_setCext_Track2Data, 4,\n &kObjectData[4290], 0},\n {\"setCext-TokenType\", \"setCext-TokenType\", NID_setCext_TokenType, 4,\n &kObjectData[4294], 0},\n {\"setCext-IssuerCapabilities\", \"setCext-IssuerCapabilities\",\n NID_setCext_IssuerCapabilities, 4, &kObjectData[4298], 0},\n {\"setAttr-Cert\", \"setAttr-Cert\", NID_setAttr_Cert, 4, &kObjectData[4302],\n 0},\n {\"setAttr-PGWYcap\", \"payment gateway capabilities\", NID_setAttr_PGWYcap, 4,\n &kObjectData[4306], 0},\n {\"setAttr-TokenType\", \"setAttr-TokenType\", NID_setAttr_TokenType, 4,\n &kObjectData[4310], 0},\n {\"setAttr-IssCap\", \"issuer capabilities\", NID_setAttr_IssCap, 4,\n &kObjectData[4314], 0},\n {\"set-rootKeyThumb\", \"set-rootKeyThumb\", NID_set_rootKeyThumb, 5,\n &kObjectData[4318], 0},\n {\"set-addPolicy\", \"set-addPolicy\", NID_set_addPolicy, 5, &kObjectData[4323],\n 0},\n {\"setAttr-Token-EMV\", \"setAttr-Token-EMV\", NID_setAttr_Token_EMV, 5,\n &kObjectData[4328], 0},\n {\"setAttr-Token-B0Prime\", \"setAttr-Token-B0Prime\",\n NID_setAttr_Token_B0Prime, 5, &kObjectData[4333], 0},\n {\"setAttr-IssCap-CVM\", \"setAttr-IssCap-CVM\", NID_setAttr_IssCap_CVM, 5,\n &kObjectData[4338], 0},\n {\"setAttr-IssCap-T2\", \"setAttr-IssCap-T2\", NID_setAttr_IssCap_T2, 5,\n &kObjectData[4343], 0},\n {\"setAttr-IssCap-Sig\", \"setAttr-IssCap-Sig\", NID_setAttr_IssCap_Sig, 5,\n &kObjectData[4348], 0},\n {\"setAttr-GenCryptgrm\", \"generate cryptogram\", NID_setAttr_GenCryptgrm, 6,\n &kObjectData[4353], 0},\n {\"setAttr-T2Enc\", \"encrypted track 2\", NID_setAttr_T2Enc, 6,\n &kObjectData[4359], 0},\n {\"setAttr-T2cleartxt\", \"cleartext track 2\", NID_setAttr_T2cleartxt, 6,\n &kObjectData[4365], 0},\n {\"setAttr-TokICCsig\", \"ICC or token signature\", NID_setAttr_TokICCsig, 6,\n &kObjectData[4371], 0},\n {\"setAttr-SecDevSig\", \"secure device signature\", NID_setAttr_SecDevSig, 6,\n &kObjectData[4377], 0},\n {\"set-brand-IATA-ATA\", \"set-brand-IATA-ATA\", NID_set_brand_IATA_ATA, 4,\n &kObjectData[4383], 0},\n {\"set-brand-Diners\", \"set-brand-Diners\", NID_set_brand_Diners, 4,\n &kObjectData[4387], 0},\n {\"set-brand-AmericanExpress\", \"set-brand-AmericanExpress\",\n NID_set_brand_AmericanExpress, 4, &kObjectData[4391], 0},\n {\"set-brand-JCB\", \"set-brand-JCB\", NID_set_brand_JCB, 4, &kObjectData[4395],\n 0},\n {\"set-brand-Visa\", \"set-brand-Visa\", NID_set_brand_Visa, 4,\n &kObjectData[4399], 0},\n {\"set-brand-MasterCard\", \"set-brand-MasterCard\", NID_set_brand_MasterCard,\n 4, &kObjectData[4403], 0},\n {\"set-brand-Novus\", \"set-brand-Novus\", NID_set_brand_Novus, 5,\n &kObjectData[4407], 0},\n {\"DES-CDMF\", \"des-cdmf\", NID_des_cdmf, 8, &kObjectData[4412], 0},\n {\"rsaOAEPEncryptionSET\", \"rsaOAEPEncryptionSET\", NID_rsaOAEPEncryptionSET,\n 9, &kObjectData[4420], 0},\n {\"ITU-T\", \"itu-t\", NID_itu_t, 0, NULL, 0},\n {\"JOINT-ISO-ITU-T\", \"joint-iso-itu-t\", NID_joint_iso_itu_t, 0, NULL, 0},\n {\"international-organizations\", \"International Organizations\",\n NID_international_organizations, 1, &kObjectData[4429], 0},\n {\"msSmartcardLogin\", \"Microsoft Smartcardlogin\", NID_ms_smartcard_login, 10,\n &kObjectData[4430], 0},\n {\"msUPN\", \"Microsoft Universal Principal Name\", NID_ms_upn, 10,\n &kObjectData[4440], 0},\n {\"AES-128-CFB1\", \"aes-128-cfb1\", NID_aes_128_cfb1, 0, NULL, 0},\n {\"AES-192-CFB1\", \"aes-192-cfb1\", NID_aes_192_cfb1, 0, NULL, 0},\n {\"AES-256-CFB1\", \"aes-256-cfb1\", NID_aes_256_cfb1, 0, NULL, 0},\n {\"AES-128-CFB8\", \"aes-128-cfb8\", NID_aes_128_cfb8, 0, NULL, 0},\n {\"AES-192-CFB8\", \"aes-192-cfb8\", NID_aes_192_cfb8, 0, NULL, 0},\n {\"AES-256-CFB8\", \"aes-256-cfb8\", NID_aes_256_cfb8, 0, NULL, 0},\n {\"DES-CFB1\", \"des-cfb1\", NID_des_cfb1, 0, NULL, 0},\n {\"DES-CFB8\", \"des-cfb8\", NID_des_cfb8, 0, NULL, 0},\n {\"DES-EDE3-CFB1\", \"des-ede3-cfb1\", NID_des_ede3_cfb1, 0, NULL, 0},\n {\"DES-EDE3-CFB8\", \"des-ede3-cfb8\", NID_des_ede3_cfb8, 0, NULL, 0},\n {\"street\", \"streetAddress\", NID_streetAddress, 3, &kObjectData[4450], 0},\n {\"postalCode\", \"postalCode\", NID_postalCode, 3, &kObjectData[4453], 0},\n {\"id-ppl\", \"id-ppl\", NID_id_ppl, 7, &kObjectData[4456], 0},\n {\"proxyCertInfo\", \"Proxy Certificate Information\", NID_proxyCertInfo, 8,\n &kObjectData[4463], 0},\n {\"id-ppl-anyLanguage\", \"Any language\", NID_id_ppl_anyLanguage, 8,\n &kObjectData[4471], 0},\n {\"id-ppl-inheritAll\", \"Inherit all\", NID_id_ppl_inheritAll, 8,\n &kObjectData[4479], 0},\n {\"nameConstraints\", \"X509v3 Name Constraints\", NID_name_constraints, 3,\n &kObjectData[4487], 0},\n {\"id-ppl-independent\", \"Independent\", NID_Independent, 8,\n &kObjectData[4490], 0},\n {\"RSA-SHA256\", \"sha256WithRSAEncryption\", NID_sha256WithRSAEncryption, 9,\n &kObjectData[4498], 0},\n {\"RSA-SHA384\", \"sha384WithRSAEncryption\", NID_sha384WithRSAEncryption, 9,\n &kObjectData[4507], 0},\n {\"RSA-SHA512\", \"sha512WithRSAEncryption\", NID_sha512WithRSAEncryption, 9,\n &kObjectData[4516], 0},\n {\"RSA-SHA224\", \"sha224WithRSAEncryption\", NID_sha224WithRSAEncryption, 9,\n &kObjectData[4525], 0},\n {\"SHA256\", \"sha256\", NID_sha256, 9, &kObjectData[4534], 0},\n {\"SHA384\", \"sha384\", NID_sha384, 9, &kObjectData[4543], 0},\n {\"SHA512\", \"sha512\", NID_sha512, 9, &kObjectData[4552], 0},\n {\"SHA224\", \"sha224\", NID_sha224, 9, &kObjectData[4561], 0},\n {\"identified-organization\", \"identified-organization\",\n NID_identified_organization, 1, &kObjectData[4570], 0},\n {\"certicom-arc\", \"certicom-arc\", NID_certicom_arc, 3, &kObjectData[4571],\n 0},\n {\"wap\", \"wap\", NID_wap, 2, &kObjectData[4574], 0},\n {\"wap-wsg\", \"wap-wsg\", NID_wap_wsg, 3, &kObjectData[4576], 0},\n {\"id-characteristic-two-basis\", \"id-characteristic-two-basis\",\n NID_X9_62_id_characteristic_two_basis, 8, &kObjectData[4579], 0},\n {\"onBasis\", \"onBasis\", NID_X9_62_onBasis, 9, &kObjectData[4587], 0},\n {\"tpBasis\", \"tpBasis\", NID_X9_62_tpBasis, 9, &kObjectData[4596], 0},\n {\"ppBasis\", \"ppBasis\", NID_X9_62_ppBasis, 9, &kObjectData[4605], 0},\n {\"c2pnb163v1\", \"c2pnb163v1\", NID_X9_62_c2pnb163v1, 8, &kObjectData[4614],\n 0},\n {\"c2pnb163v2\", \"c2pnb163v2\", NID_X9_62_c2pnb163v2, 8, &kObjectData[4622],\n 0},\n {\"c2pnb163v3\", \"c2pnb163v3\", NID_X9_62_c2pnb163v3, 8, &kObjectData[4630],\n 0},\n {\"c2pnb176v1\", \"c2pnb176v1\", NID_X9_62_c2pnb176v1, 8, &kObjectData[4638],\n 0},\n {\"c2tnb191v1\", \"c2tnb191v1\", NID_X9_62_c2tnb191v1, 8, &kObjectData[4646],\n 0},\n {\"c2tnb191v2\", \"c2tnb191v2\", NID_X9_62_c2tnb191v2, 8, &kObjectData[4654],\n 0},\n {\"c2tnb191v3\", \"c2tnb191v3\", NID_X9_62_c2tnb191v3, 8, &kObjectData[4662],\n 0},\n {\"c2onb191v4\", \"c2onb191v4\", NID_X9_62_c2onb191v4, 8, &kObjectData[4670],\n 0},\n {\"c2onb191v5\", \"c2onb191v5\", NID_X9_62_c2onb191v5, 8, &kObjectData[4678],\n 0},\n {\"c2pnb208w1\", \"c2pnb208w1\", NID_X9_62_c2pnb208w1, 8, &kObjectData[4686],\n 0},\n {\"c2tnb239v1\", \"c2tnb239v1\", NID_X9_62_c2tnb239v1, 8, &kObjectData[4694],\n 0},\n {\"c2tnb239v2\", \"c2tnb239v2\", NID_X9_62_c2tnb239v2, 8, &kObjectData[4702],\n 0},\n {\"c2tnb239v3\", \"c2tnb239v3\", NID_X9_62_c2tnb239v3, 8, &kObjectData[4710],\n 0},\n {\"c2onb239v4\", \"c2onb239v4\", NID_X9_62_c2onb239v4, 8, &kObjectData[4718],\n 0},\n {\"c2onb239v5\", \"c2onb239v5\", NID_X9_62_c2onb239v5, 8, &kObjectData[4726],\n 0},\n {\"c2pnb272w1\", \"c2pnb272w1\", NID_X9_62_c2pnb272w1, 8, &kObjectData[4734],\n 0},\n {\"c2pnb304w1\", \"c2pnb304w1\", NID_X9_62_c2pnb304w1, 8, &kObjectData[4742],\n 0},\n {\"c2tnb359v1\", \"c2tnb359v1\", NID_X9_62_c2tnb359v1, 8, &kObjectData[4750],\n 0},\n {\"c2pnb368w1\", \"c2pnb368w1\", NID_X9_62_c2pnb368w1, 8, &kObjectData[4758],\n 0},\n {\"c2tnb431r1\", \"c2tnb431r1\", NID_X9_62_c2tnb431r1, 8, &kObjectData[4766],\n 0},\n {\"secp112r1\", \"secp112r1\", NID_secp112r1, 5, &kObjectData[4774], 0},\n {\"secp112r2\", \"secp112r2\", NID_secp112r2, 5, &kObjectData[4779], 0},\n {\"secp128r1\", \"secp128r1\", NID_secp128r1, 5, &kObjectData[4784], 0},\n {\"secp128r2\", \"secp128r2\", NID_secp128r2, 5, &kObjectData[4789], 0},\n {\"secp160k1\", \"secp160k1\", NID_secp160k1, 5, &kObjectData[4794], 0},\n {\"secp160r1\", \"secp160r1\", NID_secp160r1, 5, &kObjectData[4799], 0},\n {\"secp160r2\", \"secp160r2\", NID_secp160r2, 5, &kObjectData[4804], 0},\n {\"secp192k1\", \"secp192k1\", NID_secp192k1, 5, &kObjectData[4809], 0},\n {\"secp224k1\", \"secp224k1\", NID_secp224k1, 5, &kObjectData[4814], 0},\n {\"secp224r1\", \"secp224r1\", NID_secp224r1, 5, &kObjectData[4819], 0},\n {\"secp256k1\", \"secp256k1\", NID_secp256k1, 5, &kObjectData[4824], 0},\n {\"secp384r1\", \"secp384r1\", NID_secp384r1, 5, &kObjectData[4829], 0},\n {\"secp521r1\", \"secp521r1\", NID_secp521r1, 5, &kObjectData[4834], 0},\n {\"sect113r1\", \"sect113r1\", NID_sect113r1, 5, &kObjectData[4839], 0},\n {\"sect113r2\", \"sect113r2\", NID_sect113r2, 5, &kObjectData[4844], 0},\n {\"sect131r1\", \"sect131r1\", NID_sect131r1, 5, &kObjectData[4849], 0},\n {\"sect131r2\", \"sect131r2\", NID_sect131r2, 5, &kObjectData[4854], 0},\n {\"sect163k1\", \"sect163k1\", NID_sect163k1, 5, &kObjectData[4859], 0},\n {\"sect163r1\", \"sect163r1\", NID_sect163r1, 5, &kObjectData[4864], 0},\n {\"sect163r2\", \"sect163r2\", NID_sect163r2, 5, &kObjectData[4869], 0},\n {\"sect193r1\", \"sect193r1\", NID_sect193r1, 5, &kObjectData[4874], 0},\n {\"sect193r2\", \"sect193r2\", NID_sect193r2, 5, &kObjectData[4879], 0},\n {\"sect233k1\", \"sect233k1\", NID_sect233k1, 5, &kObjectData[4884], 0},\n {\"sect233r1\", \"sect233r1\", NID_sect233r1, 5, &kObjectData[4889], 0},\n {\"sect239k1\", \"sect239k1\", NID_sect239k1, 5, &kObjectData[4894], 0},\n {\"sect283k1\", \"sect283k1\", NID_sect283k1, 5, &kObjectData[4899], 0},\n {\"sect283r1\", \"sect283r1\", NID_sect283r1, 5, &kObjectData[4904], 0},\n {\"sect409k1\", \"sect409k1\", NID_sect409k1, 5, &kObjectData[4909], 0},\n {\"sect409r1\", \"sect409r1\", NID_sect409r1, 5, &kObjectData[4914], 0},\n {\"sect571k1\", \"sect571k1\", NID_sect571k1, 5, &kObjectData[4919], 0},\n {\"sect571r1\", \"sect571r1\", NID_sect571r1, 5, &kObjectData[4924], 0},\n {\"wap-wsg-idm-ecid-wtls1\", \"wap-wsg-idm-ecid-wtls1\",\n NID_wap_wsg_idm_ecid_wtls1, 5, &kObjectData[4929], 0},\n {\"wap-wsg-idm-ecid-wtls3\", \"wap-wsg-idm-ecid-wtls3\",\n NID_wap_wsg_idm_ecid_wtls3, 5, &kObjectData[4934], 0},\n {\"wap-wsg-idm-ecid-wtls4\", \"wap-wsg-idm-ecid-wtls4\",\n NID_wap_wsg_idm_ecid_wtls4, 5, &kObjectData[4939], 0},\n {\"wap-wsg-idm-ecid-wtls5\", \"wap-wsg-idm-ecid-wtls5\",\n NID_wap_wsg_idm_ecid_wtls5, 5, &kObjectData[4944], 0},\n {\"wap-wsg-idm-ecid-wtls6\", \"wap-wsg-idm-ecid-wtls6\",\n NID_wap_wsg_idm_ecid_wtls6, 5, &kObjectData[4949], 0},\n {\"wap-wsg-idm-ecid-wtls7\", \"wap-wsg-idm-ecid-wtls7\",\n NID_wap_wsg_idm_ecid_wtls7, 5, &kObjectData[4954], 0},\n {\"wap-wsg-idm-ecid-wtls8\", \"wap-wsg-idm-ecid-wtls8\",\n NID_wap_wsg_idm_ecid_wtls8, 5, &kObjectData[4959], 0},\n {\"wap-wsg-idm-ecid-wtls9\", \"wap-wsg-idm-ecid-wtls9\",\n NID_wap_wsg_idm_ecid_wtls9, 5, &kObjectData[4964], 0},\n {\"wap-wsg-idm-ecid-wtls10\", \"wap-wsg-idm-ecid-wtls10\",\n NID_wap_wsg_idm_ecid_wtls10, 5, &kObjectData[4969], 0},\n {\"wap-wsg-idm-ecid-wtls11\", \"wap-wsg-idm-ecid-wtls11\",\n NID_wap_wsg_idm_ecid_wtls11, 5, &kObjectData[4974], 0},\n {\"wap-wsg-idm-ecid-wtls12\", \"wap-wsg-idm-ecid-wtls12\",\n NID_wap_wsg_idm_ecid_wtls12, 5, &kObjectData[4979], 0},\n {\"anyPolicy\", \"X509v3 Any Policy\", NID_any_policy, 4, &kObjectData[4984],\n 0},\n {\"policyMappings\", \"X509v3 Policy Mappings\", NID_policy_mappings, 3,\n &kObjectData[4988], 0},\n {\"inhibitAnyPolicy\", \"X509v3 Inhibit Any Policy\", NID_inhibit_any_policy, 3,\n &kObjectData[4991], 0},\n {\"Oakley-EC2N-3\", \"ipsec3\", NID_ipsec3, 0, NULL, 0},\n {\"Oakley-EC2N-4\", \"ipsec4\", NID_ipsec4, 0, NULL, 0},\n {\"CAMELLIA-128-CBC\", \"camellia-128-cbc\", NID_camellia_128_cbc, 11,\n &kObjectData[4994], 0},\n {\"CAMELLIA-192-CBC\", \"camellia-192-cbc\", NID_camellia_192_cbc, 11,\n &kObjectData[5005], 0},\n {\"CAMELLIA-256-CBC\", \"camellia-256-cbc\", NID_camellia_256_cbc, 11,\n &kObjectData[5016], 0},\n {\"CAMELLIA-128-ECB\", \"camellia-128-ecb\", NID_camellia_128_ecb, 8,\n &kObjectData[5027], 0},\n {\"CAMELLIA-192-ECB\", \"camellia-192-ecb\", NID_camellia_192_ecb, 8,\n &kObjectData[5035], 0},\n {\"CAMELLIA-256-ECB\", \"camellia-256-ecb\", NID_camellia_256_ecb, 8,\n &kObjectData[5043], 0},\n {\"CAMELLIA-128-CFB\", \"camellia-128-cfb\", NID_camellia_128_cfb128, 8,\n &kObjectData[5051], 0},\n {\"CAMELLIA-192-CFB\", \"camellia-192-cfb\", NID_camellia_192_cfb128, 8,\n &kObjectData[5059], 0},\n {\"CAMELLIA-256-CFB\", \"camellia-256-cfb\", NID_camellia_256_cfb128, 8,\n &kObjectData[5067], 0},\n {\"CAMELLIA-128-CFB1\", \"camellia-128-cfb1\", NID_camellia_128_cfb1, 0, NULL,\n 0},\n {\"CAMELLIA-192-CFB1\", \"camellia-192-cfb1\", NID_camellia_192_cfb1, 0, NULL,\n 0},\n {\"CAMELLIA-256-CFB1\", \"camellia-256-cfb1\", NID_camellia_256_cfb1, 0, NULL,\n 0},\n {\"CAMELLIA-128-CFB8\", \"camellia-128-cfb8\", NID_camellia_128_cfb8, 0, NULL,\n 0},\n {\"CAMELLIA-192-CFB8\", \"camellia-192-cfb8\", NID_camellia_192_cfb8, 0, NULL,\n 0},\n {\"CAMELLIA-256-CFB8\", \"camellia-256-cfb8\", NID_camellia_256_cfb8, 0, NULL,\n 0},\n {\"CAMELLIA-128-OFB\", \"camellia-128-ofb\", NID_camellia_128_ofb128, 8,\n &kObjectData[5075], 0},\n {\"CAMELLIA-192-OFB\", \"camellia-192-ofb\", NID_camellia_192_ofb128, 8,\n &kObjectData[5083], 0},\n {\"CAMELLIA-256-OFB\", \"camellia-256-ofb\", NID_camellia_256_ofb128, 8,\n &kObjectData[5091], 0},\n {\"subjectDirectoryAttributes\", \"X509v3 Subject Directory Attributes\",\n NID_subject_directory_attributes, 3, &kObjectData[5099], 0},\n {\"issuingDistributionPoint\", \"X509v3 Issuing Distribution Point\",\n NID_issuing_distribution_point, 3, &kObjectData[5102], 0},\n {\"certificateIssuer\", \"X509v3 Certificate Issuer\", NID_certificate_issuer,\n 3, &kObjectData[5105], 0},\n {NULL, NULL, NID_undef, 0, NULL, 0},\n {\"KISA\", \"kisa\", NID_kisa, 6, &kObjectData[5108], 0},\n {NULL, NULL, NID_undef, 0, NULL, 0},\n {NULL, NULL, NID_undef, 0, NULL, 0},\n {\"SEED-ECB\", \"seed-ecb\", NID_seed_ecb, 8, &kObjectData[5114], 0},\n {\"SEED-CBC\", \"seed-cbc\", NID_seed_cbc, 8, &kObjectData[5122], 0},\n {\"SEED-OFB\", \"seed-ofb\", NID_seed_ofb128, 8, &kObjectData[5130], 0},\n {\"SEED-CFB\", \"seed-cfb\", NID_seed_cfb128, 8, &kObjectData[5138], 0},\n {\"HMAC-MD5\", \"hmac-md5\", NID_hmac_md5, 8, &kObjectData[5146], 0},\n {\"HMAC-SHA1\", \"hmac-sha1\", NID_hmac_sha1, 8, &kObjectData[5154], 0},\n {\"id-PasswordBasedMAC\", \"password based MAC\", NID_id_PasswordBasedMAC, 9,\n &kObjectData[5162], 0},\n {\"id-DHBasedMac\", \"Diffie-Hellman based MAC\", NID_id_DHBasedMac, 9,\n &kObjectData[5171], 0},\n {\"id-it-suppLangTags\", \"id-it-suppLangTags\", NID_id_it_suppLangTags, 8,\n &kObjectData[5180], 0},\n {\"caRepository\", \"CA Repository\", NID_caRepository, 8, &kObjectData[5188],\n 0},\n {\"id-smime-ct-compressedData\", \"id-smime-ct-compressedData\",\n NID_id_smime_ct_compressedData, 11, &kObjectData[5196], 0},\n {\"id-ct-asciiTextWithCRLF\", \"id-ct-asciiTextWithCRLF\",\n NID_id_ct_asciiTextWithCRLF, 11, &kObjectData[5207], 0},\n {\"id-aes128-wrap\", \"id-aes128-wrap\", NID_id_aes128_wrap, 9,\n &kObjectData[5218], 0},\n {\"id-aes192-wrap\", \"id-aes192-wrap\", NID_id_aes192_wrap, 9,\n &kObjectData[5227], 0},\n {\"id-aes256-wrap\", \"id-aes256-wrap\", NID_id_aes256_wrap, 9,\n &kObjectData[5236], 0},\n {\"ecdsa-with-Recommended\", \"ecdsa-with-Recommended\",\n NID_ecdsa_with_Recommended, 7, &kObjectData[5245], 0},\n {\"ecdsa-with-Specified\", \"ecdsa-with-Specified\", NID_ecdsa_with_Specified,\n 7, &kObjectData[5252], 0},\n {\"ecdsa-with-SHA224\", \"ecdsa-with-SHA224\", NID_ecdsa_with_SHA224, 8,\n &kObjectData[5259], 0},\n {\"ecdsa-with-SHA256\", \"ecdsa-with-SHA256\", NID_ecdsa_with_SHA256, 8,\n &kObjectData[5267], 0},\n {\"ecdsa-with-SHA384\", \"ecdsa-with-SHA384\", NID_ecdsa_with_SHA384, 8,\n &kObjectData[5275], 0},\n {\"ecdsa-with-SHA512\", \"ecdsa-with-SHA512\", NID_ecdsa_with_SHA512, 8,\n &kObjectData[5283], 0},\n {\"hmacWithMD5\", \"hmacWithMD5\", NID_hmacWithMD5, 8, &kObjectData[5291], 0},\n {\"hmacWithSHA224\", \"hmacWithSHA224\", NID_hmacWithSHA224, 8,\n &kObjectData[5299], 0},\n {\"hmacWithSHA256\", \"hmacWithSHA256\", NID_hmacWithSHA256, 8,\n &kObjectData[5307], 0},\n {\"hmacWithSHA384\", \"hmacWithSHA384\", NID_hmacWithSHA384, 8,\n &kObjectData[5315], 0},\n {\"hmacWithSHA512\", \"hmacWithSHA512\", NID_hmacWithSHA512, 8,\n &kObjectData[5323], 0},\n {\"dsa_with_SHA224\", \"dsa_with_SHA224\", NID_dsa_with_SHA224, 9,\n &kObjectData[5331], 0},\n {\"dsa_with_SHA256\", \"dsa_with_SHA256\", NID_dsa_with_SHA256, 9,\n &kObjectData[5340], 0},\n {\"whirlpool\", \"whirlpool\", NID_whirlpool, 6, &kObjectData[5349], 0},\n {\"cryptopro\", \"cryptopro\", NID_cryptopro, 5, &kObjectData[5355], 0},\n {\"cryptocom\", \"cryptocom\", NID_cryptocom, 5, &kObjectData[5360], 0},\n {\"id-GostR3411-94-with-GostR3410-2001\",\n \"GOST R 34.11-94 with GOST R 34.10-2001\",\n NID_id_GostR3411_94_with_GostR3410_2001, 6, &kObjectData[5365], 0},\n {\"id-GostR3411-94-with-GostR3410-94\",\n \"GOST R 34.11-94 with GOST R 34.10-94\",\n NID_id_GostR3411_94_with_GostR3410_94, 6, &kObjectData[5371], 0},\n {\"md_gost94\", \"GOST R 34.11-94\", NID_id_GostR3411_94, 6, &kObjectData[5377],\n 0},\n {\"id-HMACGostR3411-94\", \"HMAC GOST 34.11-94\", NID_id_HMACGostR3411_94, 6,\n &kObjectData[5383], 0},\n {\"gost2001\", \"GOST R 34.10-2001\", NID_id_GostR3410_2001, 6,\n &kObjectData[5389], 0},\n {\"gost94\", \"GOST R 34.10-94\", NID_id_GostR3410_94, 6, &kObjectData[5395],\n 0},\n {\"gost89\", \"GOST 28147-89\", NID_id_Gost28147_89, 6, &kObjectData[5401], 0},\n {\"gost89-cnt\", \"gost89-cnt\", NID_gost89_cnt, 0, NULL, 0},\n {\"gost-mac\", \"GOST 28147-89 MAC\", NID_id_Gost28147_89_MAC, 6,\n &kObjectData[5407], 0},\n {\"prf-gostr3411-94\", \"GOST R 34.11-94 PRF\", NID_id_GostR3411_94_prf, 6,\n &kObjectData[5413], 0},\n {\"id-GostR3410-2001DH\", \"GOST R 34.10-2001 DH\", NID_id_GostR3410_2001DH, 6,\n &kObjectData[5419], 0},\n {\"id-GostR3410-94DH\", \"GOST R 34.10-94 DH\", NID_id_GostR3410_94DH, 6,\n &kObjectData[5425], 0},\n {\"id-Gost28147-89-CryptoPro-KeyMeshing\",\n \"id-Gost28147-89-CryptoPro-KeyMeshing\",\n NID_id_Gost28147_89_CryptoPro_KeyMeshing, 7, &kObjectData[5431], 0},\n {\"id-Gost28147-89-None-KeyMeshing\", \"id-Gost28147-89-None-KeyMeshing\",\n NID_id_Gost28147_89_None_KeyMeshing, 7, &kObjectData[5438], 0},\n {\"id-GostR3411-94-TestParamSet\", \"id-GostR3411-94-TestParamSet\",\n NID_id_GostR3411_94_TestParamSet, 7, &kObjectData[5445], 0},\n {\"id-GostR3411-94-CryptoProParamSet\", \"id-GostR3411-94-CryptoProParamSet\",\n NID_id_GostR3411_94_CryptoProParamSet, 7, &kObjectData[5452], 0},\n {\"id-Gost28147-89-TestParamSet\", \"id-Gost28147-89-TestParamSet\",\n NID_id_Gost28147_89_TestParamSet, 7, &kObjectData[5459], 0},\n {\"id-Gost28147-89-CryptoPro-A-ParamSet\",\n \"id-Gost28147-89-CryptoPro-A-ParamSet\",\n NID_id_Gost28147_89_CryptoPro_A_ParamSet, 7, &kObjectData[5466], 0},\n {\"id-Gost28147-89-CryptoPro-B-ParamSet\",\n \"id-Gost28147-89-CryptoPro-B-ParamSet\",\n NID_id_Gost28147_89_CryptoPro_B_ParamSet, 7, &kObjectData[5473], 0},\n {\"id-Gost28147-89-CryptoPro-C-ParamSet\",\n \"id-Gost28147-89-CryptoPro-C-ParamSet\",\n NID_id_Gost28147_89_CryptoPro_C_ParamSet, 7, &kObjectData[5480], 0},\n {\"id-Gost28147-89-CryptoPro-D-ParamSet\",\n \"id-Gost28147-89-CryptoPro-D-ParamSet\",\n NID_id_Gost28147_89_CryptoPro_D_ParamSet, 7, &kObjectData[5487], 0},\n {\"id-Gost28147-89-CryptoPro-Oscar-1-1-ParamSet\",\n \"id-Gost28147-89-CryptoPro-Oscar-1-1-ParamSet\",\n NID_id_Gost28147_89_CryptoPro_Oscar_1_1_ParamSet, 7, &kObjectData[5494],\n 0},\n {\"id-Gost28147-89-CryptoPro-Oscar-1-0-ParamSet\",\n \"id-Gost28147-89-CryptoPro-Oscar-1-0-ParamSet\",\n NID_id_Gost28147_89_CryptoPro_Oscar_1_0_ParamSet, 7, &kObjectData[5501],\n 0},\n {\"id-Gost28147-89-CryptoPro-RIC-1-ParamSet\",\n \"id-Gost28147-89-CryptoPro-RIC-1-ParamSet\",\n NID_id_Gost28147_89_CryptoPro_RIC_1_ParamSet, 7, &kObjectData[5508], 0},\n {\"id-GostR3410-94-TestParamSet\", \"id-GostR3410-94-TestParamSet\",\n NID_id_GostR3410_94_TestParamSet, 7, &kObjectData[5515], 0},\n {\"id-GostR3410-94-CryptoPro-A-ParamSet\",\n \"id-GostR3410-94-CryptoPro-A-ParamSet\",\n NID_id_GostR3410_94_CryptoPro_A_ParamSet, 7, &kObjectData[5522], 0},\n {\"id-GostR3410-94-CryptoPro-B-ParamSet\",\n \"id-GostR3410-94-CryptoPro-B-ParamSet\",\n NID_id_GostR3410_94_CryptoPro_B_ParamSet, 7, &kObjectData[5529], 0},\n {\"id-GostR3410-94-CryptoPro-C-ParamSet\",\n \"id-GostR3410-94-CryptoPro-C-ParamSet\",\n NID_id_GostR3410_94_CryptoPro_C_ParamSet, 7, &kObjectData[5536], 0},\n {\"id-GostR3410-94-CryptoPro-D-ParamSet\",\n \"id-GostR3410-94-CryptoPro-D-ParamSet\",\n NID_id_GostR3410_94_CryptoPro_D_ParamSet, 7, &kObjectData[5543], 0},\n {\"id-GostR3410-94-CryptoPro-XchA-ParamSet\",\n \"id-GostR3410-94-CryptoPro-XchA-ParamSet\",\n NID_id_GostR3410_94_CryptoPro_XchA_ParamSet, 7, &kObjectData[5550], 0},\n {\"id-GostR3410-94-CryptoPro-XchB-ParamSet\",\n \"id-GostR3410-94-CryptoPro-XchB-ParamSet\",\n NID_id_GostR3410_94_CryptoPro_XchB_ParamSet, 7, &kObjectData[5557], 0},\n {\"id-GostR3410-94-CryptoPro-XchC-ParamSet\",\n \"id-GostR3410-94-CryptoPro-XchC-ParamSet\",\n NID_id_GostR3410_94_CryptoPro_XchC_ParamSet, 7, &kObjectData[5564], 0},\n {\"id-GostR3410-2001-TestParamSet\", \"id-GostR3410-2001-TestParamSet\",\n NID_id_GostR3410_2001_TestParamSet, 7, &kObjectData[5571], 0},\n {\"id-GostR3410-2001-CryptoPro-A-ParamSet\",\n \"id-GostR3410-2001-CryptoPro-A-ParamSet\",\n NID_id_GostR3410_2001_CryptoPro_A_ParamSet, 7, &kObjectData[5578], 0},\n {\"id-GostR3410-2001-CryptoPro-B-ParamSet\",\n \"id-GostR3410-2001-CryptoPro-B-ParamSet\",\n NID_id_GostR3410_2001_CryptoPro_B_ParamSet, 7, &kObjectData[5585], 0},\n {\"id-GostR3410-2001-CryptoPro-C-ParamSet\",\n \"id-GostR3410-2001-CryptoPro-C-ParamSet\",\n NID_id_GostR3410_2001_CryptoPro_C_ParamSet, 7, &kObjectData[5592], 0},\n {\"id-GostR3410-2001-CryptoPro-XchA-ParamSet\",\n \"id-GostR3410-2001-CryptoPro-XchA-ParamSet\",\n NID_id_GostR3410_2001_CryptoPro_XchA_ParamSet, 7, &kObjectData[5599], 0},\n {\"id-GostR3410-2001-CryptoPro-XchB-ParamSet\",\n \"id-GostR3410-2001-CryptoPro-XchB-ParamSet\",\n NID_id_GostR3410_2001_CryptoPro_XchB_ParamSet, 7, &kObjectData[5606], 0},\n {\"id-GostR3410-94-a\", \"id-GostR3410-94-a\", NID_id_GostR3410_94_a, 7,\n &kObjectData[5613], 0},\n {\"id-GostR3410-94-aBis\", \"id-GostR3410-94-aBis\", NID_id_GostR3410_94_aBis,\n 7, &kObjectData[5620], 0},\n {\"id-GostR3410-94-b\", \"id-GostR3410-94-b\", NID_id_GostR3410_94_b, 7,\n &kObjectData[5627], 0},\n {\"id-GostR3410-94-bBis\", \"id-GostR3410-94-bBis\", NID_id_GostR3410_94_bBis,\n 7, &kObjectData[5634], 0},\n {\"id-Gost28147-89-cc\", \"GOST 28147-89 Cryptocom ParamSet\",\n NID_id_Gost28147_89_cc, 8, &kObjectData[5641], 0},\n {\"gost94cc\", \"GOST 34.10-94 Cryptocom\", NID_id_GostR3410_94_cc, 8,\n &kObjectData[5649], 0},\n {\"gost2001cc\", \"GOST 34.10-2001 Cryptocom\", NID_id_GostR3410_2001_cc, 8,\n &kObjectData[5657], 0},\n {\"id-GostR3411-94-with-GostR3410-94-cc\",\n \"GOST R 34.11-94 with GOST R 34.10-94 Cryptocom\",\n NID_id_GostR3411_94_with_GostR3410_94_cc, 8, &kObjectData[5665], 0},\n {\"id-GostR3411-94-with-GostR3410-2001-cc\",\n \"GOST R 34.11-94 with GOST R 34.10-2001 Cryptocom\",\n NID_id_GostR3411_94_with_GostR3410_2001_cc, 8, &kObjectData[5673], 0},\n {\"id-GostR3410-2001-ParamSet-cc\",\n \"GOST R 3410-2001 Parameter Set Cryptocom\",\n NID_id_GostR3410_2001_ParamSet_cc, 8, &kObjectData[5681], 0},\n {\"HMAC\", \"hmac\", NID_hmac, 0, NULL, 0},\n {\"LocalKeySet\", \"Microsoft Local Key set\", NID_LocalKeySet, 9,\n &kObjectData[5689], 0},\n {\"freshestCRL\", \"X509v3 Freshest CRL\", NID_freshest_crl, 3,\n &kObjectData[5698], 0},\n {\"id-on-permanentIdentifier\", \"Permanent Identifier\",\n NID_id_on_permanentIdentifier, 8, &kObjectData[5701], 0},\n {\"searchGuide\", \"searchGuide\", NID_searchGuide, 3, &kObjectData[5709], 0},\n {\"businessCategory\", \"businessCategory\", NID_businessCategory, 3,\n &kObjectData[5712], 0},\n {\"postalAddress\", \"postalAddress\", NID_postalAddress, 3, &kObjectData[5715],\n 0},\n {\"postOfficeBox\", \"postOfficeBox\", NID_postOfficeBox, 3, &kObjectData[5718],\n 0},\n {\"physicalDeliveryOfficeName\", \"physicalDeliveryOfficeName\",\n NID_physicalDeliveryOfficeName, 3, &kObjectData[5721], 0},\n {\"telephoneNumber\", \"telephoneNumber\", NID_telephoneNumber, 3,\n &kObjectData[5724], 0},\n {\"telexNumber\", \"telexNumber\", NID_telexNumber, 3, &kObjectData[5727], 0},\n {\"teletexTerminalIdentifier\", \"teletexTerminalIdentifier\",\n NID_teletexTerminalIdentifier, 3, &kObjectData[5730], 0},\n {\"facsimileTelephoneNumber\", \"facsimileTelephoneNumber\",\n NID_facsimileTelephoneNumber, 3, &kObjectData[5733], 0},\n {\"x121Address\", \"x121Address\", NID_x121Address, 3, &kObjectData[5736], 0},\n {\"internationaliSDNNumber\", \"internationaliSDNNumber\",\n NID_internationaliSDNNumber, 3, &kObjectData[5739], 0},\n {\"registeredAddress\", \"registeredAddress\", NID_registeredAddress, 3,\n &kObjectData[5742], 0},\n {\"destinationIndicator\", \"destinationIndicator\", NID_destinationIndicator,\n 3, &kObjectData[5745], 0},\n {\"preferredDeliveryMethod\", \"preferredDeliveryMethod\",\n NID_preferredDeliveryMethod, 3, &kObjectData[5748], 0},\n {\"presentationAddress\", \"presentationAddress\", NID_presentationAddress, 3,\n &kObjectData[5751], 0},\n {\"supportedApplicationContext\", \"supportedApplicationContext\",\n NID_supportedApplicationContext, 3, &kObjectData[5754], 0},\n {\"member\", \"member\", NID_member, 3, &kObjectData[5757], 0},\n {\"owner\", \"owner\", NID_owner, 3, &kObjectData[5760], 0},\n {\"roleOccupant\", \"roleOccupant\", NID_roleOccupant, 3, &kObjectData[5763],\n 0},\n {\"seeAlso\", \"seeAlso\", NID_seeAlso, 3, &kObjectData[5766], 0},\n {\"userPassword\", \"userPassword\", NID_userPassword, 3, &kObjectData[5769],\n 0},\n {\"userCertificate\", \"userCertificate\", NID_userCertificate, 3,\n &kObjectData[5772], 0},\n {\"cACertificate\", \"cACertificate\", NID_cACertificate, 3, &kObjectData[5775],\n 0},\n {\"authorityRevocationList\", \"authorityRevocationList\",\n NID_authorityRevocationList, 3, &kObjectData[5778], 0},\n {\"certificateRevocationList\", \"certificateRevocationList\",\n NID_certificateRevocationList, 3, &kObjectData[5781], 0},\n {\"crossCertificatePair\", \"crossCertificatePair\", NID_crossCertificatePair,\n 3, &kObjectData[5784], 0},\n {\"enhancedSearchGuide\", \"enhancedSearchGuide\", NID_enhancedSearchGuide, 3,\n &kObjectData[5787], 0},\n {\"protocolInformation\", \"protocolInformation\", NID_protocolInformation, 3,\n &kObjectData[5790], 0},\n {\"distinguishedName\", \"distinguishedName\", NID_distinguishedName, 3,\n &kObjectData[5793], 0},\n {\"uniqueMember\", \"uniqueMember\", NID_uniqueMember, 3, &kObjectData[5796],\n 0},\n {\"houseIdentifier\", \"houseIdentifier\", NID_houseIdentifier, 3,\n &kObjectData[5799], 0},\n {\"supportedAlgorithms\", \"supportedAlgorithms\", NID_supportedAlgorithms, 3,\n &kObjectData[5802], 0},\n {\"deltaRevocationList\", \"deltaRevocationList\", NID_deltaRevocationList, 3,\n &kObjectData[5805], 0},\n {\"dmdName\", \"dmdName\", NID_dmdName, 3, &kObjectData[5808], 0},\n {\"id-alg-PWRI-KEK\", \"id-alg-PWRI-KEK\", NID_id_alg_PWRI_KEK, 11,\n &kObjectData[5811], 0},\n {\"CMAC\", \"cmac\", NID_cmac, 0, NULL, 0},\n {\"id-aes128-GCM\", \"aes-128-gcm\", NID_aes_128_gcm, 9, &kObjectData[5822], 0},\n {\"id-aes128-CCM\", \"aes-128-ccm\", NID_aes_128_ccm, 9, &kObjectData[5831], 0},\n {\"id-aes128-wrap-pad\", \"id-aes128-wrap-pad\", NID_id_aes128_wrap_pad, 9,\n &kObjectData[5840], 0},\n {\"id-aes192-GCM\", \"aes-192-gcm\", NID_aes_192_gcm, 9, &kObjectData[5849], 0},\n {\"id-aes192-CCM\", \"aes-192-ccm\", NID_aes_192_ccm, 9, &kObjectData[5858], 0},\n {\"id-aes192-wrap-pad\", \"id-aes192-wrap-pad\", NID_id_aes192_wrap_pad, 9,\n &kObjectData[5867], 0},\n {\"id-aes256-GCM\", \"aes-256-gcm\", NID_aes_256_gcm, 9, &kObjectData[5876], 0},\n {\"id-aes256-CCM\", \"aes-256-ccm\", NID_aes_256_ccm, 9, &kObjectData[5885], 0},\n {\"id-aes256-wrap-pad\", \"id-aes256-wrap-pad\", NID_id_aes256_wrap_pad, 9,\n &kObjectData[5894], 0},\n {\"AES-128-CTR\", \"aes-128-ctr\", NID_aes_128_ctr, 0, NULL, 0},\n {\"AES-192-CTR\", \"aes-192-ctr\", NID_aes_192_ctr, 0, NULL, 0},\n {\"AES-256-CTR\", \"aes-256-ctr\", NID_aes_256_ctr, 0, NULL, 0},\n {\"id-camellia128-wrap\", \"id-camellia128-wrap\", NID_id_camellia128_wrap, 11,\n &kObjectData[5903], 0},\n {\"id-camellia192-wrap\", \"id-camellia192-wrap\", NID_id_camellia192_wrap, 11,\n &kObjectData[5914], 0},\n {\"id-camellia256-wrap\", \"id-camellia256-wrap\", NID_id_camellia256_wrap, 11,\n &kObjectData[5925], 0},\n {\"anyExtendedKeyUsage\", \"Any Extended Key Usage\", NID_anyExtendedKeyUsage,\n 4, &kObjectData[5936], 0},\n {\"MGF1\", \"mgf1\", NID_mgf1, 9, &kObjectData[5940], 0},\n {\"RSASSA-PSS\", \"rsassaPss\", NID_rsassaPss, 9, &kObjectData[5949], 0},\n {\"AES-128-XTS\", \"aes-128-xts\", NID_aes_128_xts, 0, NULL, 0},\n {\"AES-256-XTS\", \"aes-256-xts\", NID_aes_256_xts, 0, NULL, 0},\n {\"RC4-HMAC-MD5\", \"rc4-hmac-md5\", NID_rc4_hmac_md5, 0, NULL, 0},\n {\"AES-128-CBC-HMAC-SHA1\", \"aes-128-cbc-hmac-sha1\",\n NID_aes_128_cbc_hmac_sha1, 0, NULL, 0},\n {\"AES-192-CBC-HMAC-SHA1\", \"aes-192-cbc-hmac-sha1\",\n NID_aes_192_cbc_hmac_sha1, 0, NULL, 0},\n {\"AES-256-CBC-HMAC-SHA1\", \"aes-256-cbc-hmac-sha1\",\n NID_aes_256_cbc_hmac_sha1, 0, NULL, 0},\n {\"RSAES-OAEP\", \"rsaesOaep\", NID_rsaesOaep, 9, &kObjectData[5958], 0},\n {\"dhpublicnumber\", \"X9.42 DH\", NID_dhpublicnumber, 7, &kObjectData[5967],\n 0},\n {\"brainpoolP160r1\", \"brainpoolP160r1\", NID_brainpoolP160r1, 9,\n &kObjectData[5974], 0},\n {\"brainpoolP160t1\", \"brainpoolP160t1\", NID_brainpoolP160t1, 9,\n &kObjectData[5983], 0},\n {\"brainpoolP192r1\", \"brainpoolP192r1\", NID_brainpoolP192r1, 9,\n &kObjectData[5992], 0},\n {\"brainpoolP192t1\", \"brainpoolP192t1\", NID_brainpoolP192t1, 9,\n &kObjectData[6001], 0},\n {\"brainpoolP224r1\", \"brainpoolP224r1\", NID_brainpoolP224r1, 9,\n &kObjectData[6010], 0},\n {\"brainpoolP224t1\", \"brainpoolP224t1\", NID_brainpoolP224t1, 9,\n &kObjectData[6019], 0},\n {\"brainpoolP256r1\", \"brainpoolP256r1\", NID_brainpoolP256r1, 9,\n &kObjectData[6028], 0},\n {\"brainpoolP256t1\", \"brainpoolP256t1\", NID_brainpoolP256t1, 9,\n &kObjectData[6037], 0},\n {\"brainpoolP320r1\", \"brainpoolP320r1\", NID_brainpoolP320r1, 9,\n &kObjectData[6046], 0},\n {\"brainpoolP320t1\", \"brainpoolP320t1\", NID_brainpoolP320t1, 9,\n &kObjectData[6055], 0},\n {\"brainpoolP384r1\", \"brainpoolP384r1\", NID_brainpoolP384r1, 9,\n &kObjectData[6064], 0},\n {\"brainpoolP384t1\", \"brainpoolP384t1\", NID_brainpoolP384t1, 9,\n &kObjectData[6073], 0},\n {\"brainpoolP512r1\", \"brainpoolP512r1\", NID_brainpoolP512r1, 9,\n &kObjectData[6082], 0},\n {\"brainpoolP512t1\", \"brainpoolP512t1\", NID_brainpoolP512t1, 9,\n &kObjectData[6091], 0},\n {\"PSPECIFIED\", \"pSpecified\", NID_pSpecified, 9, &kObjectData[6100], 0},\n {\"dhSinglePass-stdDH-sha1kdf-scheme\", \"dhSinglePass-stdDH-sha1kdf-scheme\",\n NID_dhSinglePass_stdDH_sha1kdf_scheme, 9, &kObjectData[6109], 0},\n {\"dhSinglePass-stdDH-sha224kdf-scheme\",\n \"dhSinglePass-stdDH-sha224kdf-scheme\",\n NID_dhSinglePass_stdDH_sha224kdf_scheme, 6, &kObjectData[6118], 0},\n {\"dhSinglePass-stdDH-sha256kdf-scheme\",\n \"dhSinglePass-stdDH-sha256kdf-scheme\",\n NID_dhSinglePass_stdDH_sha256kdf_scheme, 6, &kObjectData[6124], 0},\n {\"dhSinglePass-stdDH-sha384kdf-scheme\",\n \"dhSinglePass-stdDH-sha384kdf-scheme\",\n NID_dhSinglePass_stdDH_sha384kdf_scheme, 6, &kObjectData[6130], 0},\n {\"dhSinglePass-stdDH-sha512kdf-scheme\",\n \"dhSinglePass-stdDH-sha512kdf-scheme\",\n NID_dhSinglePass_stdDH_sha512kdf_scheme, 6, &kObjectData[6136], 0},\n {\"dhSinglePass-cofactorDH-sha1kdf-scheme\",\n \"dhSinglePass-cofactorDH-sha1kdf-scheme\",\n NID_dhSinglePass_cofactorDH_sha1kdf_scheme, 9, &kObjectData[6142], 0},\n {\"dhSinglePass-cofactorDH-sha224kdf-scheme\",\n \"dhSinglePass-cofactorDH-sha224kdf-scheme\",\n NID_dhSinglePass_cofactorDH_sha224kdf_scheme, 6, &kObjectData[6151], 0},\n {\"dhSinglePass-cofactorDH-sha256kdf-scheme\",\n \"dhSinglePass-cofactorDH-sha256kdf-scheme\",\n NID_dhSinglePass_cofactorDH_sha256kdf_scheme, 6, &kObjectData[6157], 0},\n {\"dhSinglePass-cofactorDH-sha384kdf-scheme\",\n \"dhSinglePass-cofactorDH-sha384kdf-scheme\",\n NID_dhSinglePass_cofactorDH_sha384kdf_scheme, 6, &kObjectData[6163], 0},\n {\"dhSinglePass-cofactorDH-sha512kdf-scheme\",\n \"dhSinglePass-cofactorDH-sha512kdf-scheme\",\n NID_dhSinglePass_cofactorDH_sha512kdf_scheme, 6, &kObjectData[6169], 0},\n {\"dh-std-kdf\", \"dh-std-kdf\", NID_dh_std_kdf, 0, NULL, 0},\n {\"dh-cofactor-kdf\", \"dh-cofactor-kdf\", NID_dh_cofactor_kdf, 0, NULL, 0},\n {\"X25519\", \"X25519\", NID_X25519, 3, &kObjectData[6175], 0},\n {\"ED25519\", \"ED25519\", NID_ED25519, 3, &kObjectData[6178], 0},\n {\"ChaCha20-Poly1305\", \"chacha20-poly1305\", NID_chacha20_poly1305, 0, NULL,\n 0},\n {\"KxRSA\", \"kx-rsa\", NID_kx_rsa, 0, NULL, 0},\n {\"KxECDHE\", \"kx-ecdhe\", NID_kx_ecdhe, 0, NULL, 0},\n {\"KxPSK\", \"kx-psk\", NID_kx_psk, 0, NULL, 0},\n {\"AuthRSA\", \"auth-rsa\", NID_auth_rsa, 0, NULL, 0},\n {\"AuthECDSA\", \"auth-ecdsa\", NID_auth_ecdsa, 0, NULL, 0},\n {\"AuthPSK\", \"auth-psk\", NID_auth_psk, 0, NULL, 0},\n {\"KxANY\", \"kx-any\", NID_kx_any, 0, NULL, 0},\n {\"AuthANY\", \"auth-any\", NID_auth_any, 0, NULL, 0},\n {NULL, NULL, NID_undef, 0, NULL, 0},\n {\"ED448\", \"ED448\", NID_ED448, 3, &kObjectData[6181], 0},\n {\"X448\", \"X448\", NID_X448, 3, &kObjectData[6184], 0},\n {\"SHA512-256\", \"sha512-256\", NID_sha512_256, 9, &kObjectData[6187], 0},\n {\"HKDF\", \"hkdf\", NID_hkdf, 0, NULL, 0},\n {\"X25519Kyber768Draft00\", \"X25519Kyber768Draft00\",\n NID_X25519Kyber768Draft00, 0, NULL, 0},\n {\"X25519MLKEM768\", \"X25519MLKEM768\", NID_X25519MLKEM768, 0, NULL, 0},\n};\n\nstatic const uint16_t kNIDsInShortNameOrder[] = {\n 364 /* AD_DVCS */,\n 419 /* AES-128-CBC */,\n 916 /* AES-128-CBC-HMAC-SHA1 */,\n 421 /* AES-128-CFB */,\n 650 /* AES-128-CFB1 */,\n 653 /* AES-128-CFB8 */,\n 904 /* AES-128-CTR */,\n 418 /* AES-128-ECB */,\n 420 /* AES-128-OFB */,\n 913 /* AES-128-XTS */,\n 423 /* AES-192-CBC */,\n 917 /* AES-192-CBC-HMAC-SHA1 */,\n 425 /* AES-192-CFB */,\n 651 /* AES-192-CFB1 */,\n 654 /* AES-192-CFB8 */,\n 905 /* AES-192-CTR */,\n 422 /* AES-192-ECB */,\n 424 /* AES-192-OFB */,\n 427 /* AES-256-CBC */,\n 918 /* AES-256-CBC-HMAC-SHA1 */,\n 429 /* AES-256-CFB */,\n 652 /* AES-256-CFB1 */,\n 655 /* AES-256-CFB8 */,\n 906 /* AES-256-CTR */,\n 426 /* AES-256-ECB */,\n 428 /* AES-256-OFB */,\n 914 /* AES-256-XTS */,\n 958 /* AuthANY */,\n 955 /* AuthECDSA */,\n 956 /* AuthPSK */,\n 954 /* AuthRSA */,\n 91 /* BF-CBC */,\n 93 /* BF-CFB */,\n 92 /* BF-ECB */,\n 94 /* BF-OFB */,\n 14 /* C */,\n 751 /* CAMELLIA-128-CBC */,\n 757 /* CAMELLIA-128-CFB */,\n 760 /* CAMELLIA-128-CFB1 */,\n 763 /* CAMELLIA-128-CFB8 */,\n 754 /* CAMELLIA-128-ECB */,\n 766 /* CAMELLIA-128-OFB */,\n 752 /* CAMELLIA-192-CBC */,\n 758 /* CAMELLIA-192-CFB */,\n 761 /* CAMELLIA-192-CFB1 */,\n 764 /* CAMELLIA-192-CFB8 */,\n 755 /* CAMELLIA-192-ECB */,\n 767 /* CAMELLIA-192-OFB */,\n 753 /* CAMELLIA-256-CBC */,\n 759 /* CAMELLIA-256-CFB */,\n 762 /* CAMELLIA-256-CFB1 */,\n 765 /* CAMELLIA-256-CFB8 */,\n 756 /* CAMELLIA-256-ECB */,\n 768 /* CAMELLIA-256-OFB */,\n 108 /* CAST5-CBC */,\n 110 /* CAST5-CFB */,\n 109 /* CAST5-ECB */,\n 111 /* CAST5-OFB */,\n 894 /* CMAC */,\n 13 /* CN */,\n 141 /* CRLReason */,\n 417 /* CSPName */,\n 950 /* ChaCha20-Poly1305 */,\n 367 /* CrlID */,\n 391 /* DC */,\n 31 /* DES-CBC */,\n 643 /* DES-CDMF */,\n 30 /* DES-CFB */,\n 656 /* DES-CFB1 */,\n 657 /* DES-CFB8 */,\n 29 /* DES-ECB */,\n 32 /* DES-EDE */,\n 43 /* DES-EDE-CBC */,\n 60 /* DES-EDE-CFB */,\n 62 /* DES-EDE-OFB */,\n 33 /* DES-EDE3 */,\n 44 /* DES-EDE3-CBC */,\n 61 /* DES-EDE3-CFB */,\n 658 /* DES-EDE3-CFB1 */,\n 659 /* DES-EDE3-CFB8 */,\n 63 /* DES-EDE3-OFB */,\n 45 /* DES-OFB */,\n 80 /* DESX-CBC */,\n 380 /* DOD */,\n 116 /* DSA */,\n 66 /* DSA-SHA */,\n 113 /* DSA-SHA1 */,\n 70 /* DSA-SHA1-old */,\n 67 /* DSA-old */,\n 297 /* DVCS */,\n 949 /* ED25519 */,\n 960 /* ED448 */,\n 99 /* GN */,\n 963 /* HKDF */,\n 855 /* HMAC */,\n 780 /* HMAC-MD5 */,\n 781 /* HMAC-SHA1 */,\n 381 /* IANA */,\n 34 /* IDEA-CBC */,\n 35 /* IDEA-CFB */,\n 36 /* IDEA-ECB */,\n 46 /* IDEA-OFB */,\n 181 /* ISO */,\n 183 /* ISO-US */,\n 645 /* ITU-T */,\n 646 /* JOINT-ISO-ITU-T */,\n 773 /* KISA */,\n 957 /* KxANY */,\n 952 /* KxECDHE */,\n 953 /* KxPSK */,\n 951 /* KxRSA */,\n 15 /* L */,\n 856 /* LocalKeySet */,\n 3 /* MD2 */,\n 257 /* MD4 */,\n 4 /* MD5 */,\n 114 /* MD5-SHA1 */,\n 95 /* MDC2 */,\n 911 /* MGF1 */,\n 388 /* Mail */,\n 57 /* Netscape */,\n 366 /* Nonce */,\n 17 /* O */,\n 178 /* OCSP */,\n 180 /* OCSPSigning */,\n 379 /* ORG */,\n 18 /* OU */,\n 749 /* Oakley-EC2N-3 */,\n 750 /* Oakley-EC2N-4 */,\n 9 /* PBE-MD2-DES */,\n 168 /* PBE-MD2-RC2-64 */,\n 10 /* PBE-MD5-DES */,\n 169 /* PBE-MD5-RC2-64 */,\n 147 /* PBE-SHA1-2DES */,\n 146 /* PBE-SHA1-3DES */,\n 170 /* PBE-SHA1-DES */,\n 148 /* PBE-SHA1-RC2-128 */,\n 149 /* PBE-SHA1-RC2-40 */,\n 68 /* PBE-SHA1-RC2-64 */,\n 144 /* PBE-SHA1-RC4-128 */,\n 145 /* PBE-SHA1-RC4-40 */,\n 161 /* PBES2 */,\n 69 /* PBKDF2 */,\n 162 /* PBMAC1 */,\n 127 /* PKIX */,\n 935 /* PSPECIFIED */,\n 98 /* RC2-40-CBC */,\n 166 /* RC2-64-CBC */,\n 37 /* RC2-CBC */,\n 39 /* RC2-CFB */,\n 38 /* RC2-ECB */,\n 40 /* RC2-OFB */,\n 5 /* RC4 */,\n 97 /* RC4-40 */,\n 915 /* RC4-HMAC-MD5 */,\n 120 /* RC5-CBC */,\n 122 /* RC5-CFB */,\n 121 /* RC5-ECB */,\n 123 /* RC5-OFB */,\n 117 /* RIPEMD160 */,\n 19 /* RSA */,\n 7 /* RSA-MD2 */,\n 396 /* RSA-MD4 */,\n 8 /* RSA-MD5 */,\n 96 /* RSA-MDC2 */,\n 104 /* RSA-NP-MD5 */,\n 119 /* RSA-RIPEMD160 */,\n 42 /* RSA-SHA */,\n 65 /* RSA-SHA1 */,\n 115 /* RSA-SHA1-2 */,\n 671 /* RSA-SHA224 */,\n 668 /* RSA-SHA256 */,\n 669 /* RSA-SHA384 */,\n 670 /* RSA-SHA512 */,\n 919 /* RSAES-OAEP */,\n 912 /* RSASSA-PSS */,\n 777 /* SEED-CBC */,\n 779 /* SEED-CFB */,\n 776 /* SEED-ECB */,\n 778 /* SEED-OFB */,\n 41 /* SHA */,\n 64 /* SHA1 */,\n 675 /* SHA224 */,\n 672 /* SHA256 */,\n 673 /* SHA384 */,\n 674 /* SHA512 */,\n 962 /* SHA512-256 */,\n 188 /* SMIME */,\n 167 /* SMIME-CAPS */,\n 100 /* SN */,\n 16 /* ST */,\n 143 /* SXNetID */,\n 458 /* UID */,\n 948 /* X25519 */,\n 964 /* X25519Kyber768Draft00 */,\n 965 /* X25519MLKEM768 */,\n 961 /* X448 */,\n 11 /* X500 */,\n 378 /* X500algorithms */,\n 12 /* X509 */,\n 184 /* X9-57 */,\n 185 /* X9cm */,\n 125 /* ZLIB */,\n 478 /* aRecord */,\n 289 /* aaControls */,\n 287 /* ac-auditEntity */,\n 397 /* ac-proxying */,\n 288 /* ac-targeting */,\n 368 /* acceptableResponses */,\n 446 /* account */,\n 363 /* ad_timestamping */,\n 376 /* algorithm */,\n 405 /* ansi-X9-62 */,\n 910 /* anyExtendedKeyUsage */,\n 746 /* anyPolicy */,\n 370 /* archiveCutoff */,\n 484 /* associatedDomain */,\n 485 /* associatedName */,\n 501 /* audio */,\n 177 /* authorityInfoAccess */,\n 90 /* authorityKeyIdentifier */,\n 882 /* authorityRevocationList */,\n 87 /* basicConstraints */,\n 365 /* basicOCSPResponse */,\n 285 /* biometricInfo */,\n 921 /* brainpoolP160r1 */,\n 922 /* brainpoolP160t1 */,\n 923 /* brainpoolP192r1 */,\n 924 /* brainpoolP192t1 */,\n 925 /* brainpoolP224r1 */,\n 926 /* brainpoolP224t1 */,\n 927 /* brainpoolP256r1 */,\n 928 /* brainpoolP256t1 */,\n 929 /* brainpoolP320r1 */,\n 930 /* brainpoolP320t1 */,\n 931 /* brainpoolP384r1 */,\n 932 /* brainpoolP384t1 */,\n 933 /* brainpoolP512r1 */,\n 934 /* brainpoolP512t1 */,\n 494 /* buildingName */,\n 860 /* businessCategory */,\n 691 /* c2onb191v4 */,\n 692 /* c2onb191v5 */,\n 697 /* c2onb239v4 */,\n 698 /* c2onb239v5 */,\n 684 /* c2pnb163v1 */,\n 685 /* c2pnb163v2 */,\n 686 /* c2pnb163v3 */,\n 687 /* c2pnb176v1 */,\n 693 /* c2pnb208w1 */,\n 699 /* c2pnb272w1 */,\n 700 /* c2pnb304w1 */,\n 702 /* c2pnb368w1 */,\n 688 /* c2tnb191v1 */,\n 689 /* c2tnb191v2 */,\n 690 /* c2tnb191v3 */,\n 694 /* c2tnb239v1 */,\n 695 /* c2tnb239v2 */,\n 696 /* c2tnb239v3 */,\n 701 /* c2tnb359v1 */,\n 703 /* c2tnb431r1 */,\n 881 /* cACertificate */,\n 483 /* cNAMERecord */,\n 179 /* caIssuers */,\n 785 /* caRepository */,\n 443 /* caseIgnoreIA5StringSyntax */,\n 152 /* certBag */,\n 677 /* certicom-arc */,\n 771 /* certificateIssuer */,\n 89 /* certificatePolicies */,\n 883 /* certificateRevocationList */,\n 54 /* challengePassword */,\n 407 /* characteristic-two-field */,\n 395 /* clearance */,\n 130 /* clientAuth */,\n 131 /* codeSigning */,\n 50 /* contentType */,\n 53 /* countersignature */,\n 153 /* crlBag */,\n 103 /* crlDistributionPoints */,\n 88 /* crlNumber */,\n 884 /* crossCertificatePair */,\n 806 /* cryptocom */,\n 805 /* cryptopro */,\n 500 /* dITRedirect */,\n 451 /* dNSDomain */,\n 495 /* dSAQuality */,\n 434 /* data */,\n 390 /* dcobject */,\n 140 /* deltaCRL */,\n 891 /* deltaRevocationList */,\n 107 /* description */,\n 871 /* destinationIndicator */,\n 947 /* dh-cofactor-kdf */,\n 946 /* dh-std-kdf */,\n 28 /* dhKeyAgreement */,\n 941 /* dhSinglePass-cofactorDH-sha1kdf-scheme */,\n 942 /* dhSinglePass-cofactorDH-sha224kdf-scheme */,\n 943 /* dhSinglePass-cofactorDH-sha256kdf-scheme */,\n 944 /* dhSinglePass-cofactorDH-sha384kdf-scheme */,\n 945 /* dhSinglePass-cofactorDH-sha512kdf-scheme */,\n 936 /* dhSinglePass-stdDH-sha1kdf-scheme */,\n 937 /* dhSinglePass-stdDH-sha224kdf-scheme */,\n 938 /* dhSinglePass-stdDH-sha256kdf-scheme */,\n 939 /* dhSinglePass-stdDH-sha384kdf-scheme */,\n 940 /* dhSinglePass-stdDH-sha512kdf-scheme */,\n 920 /* dhpublicnumber */,\n 382 /* directory */,\n 887 /* distinguishedName */,\n 892 /* dmdName */,\n 174 /* dnQualifier */,\n 447 /* document */,\n 471 /* documentAuthor */,\n 468 /* documentIdentifier */,\n 472 /* documentLocation */,\n 502 /* documentPublisher */,\n 449 /* documentSeries */,\n 469 /* documentTitle */,\n 470 /* documentVersion */,\n 392 /* domain */,\n 452 /* domainRelatedObject */,\n 802 /* dsa_with_SHA224 */,\n 803 /* dsa_with_SHA256 */,\n 791 /* ecdsa-with-Recommended */,\n 416 /* ecdsa-with-SHA1 */,\n 793 /* ecdsa-with-SHA224 */,\n 794 /* ecdsa-with-SHA256 */,\n 795 /* ecdsa-with-SHA384 */,\n 796 /* ecdsa-with-SHA512 */,\n 792 /* ecdsa-with-Specified */,\n 48 /* emailAddress */,\n 132 /* emailProtection */,\n 885 /* enhancedSearchGuide */,\n 389 /* enterprises */,\n 384 /* experimental */,\n 172 /* extReq */,\n 56 /* extendedCertificateAttributes */,\n 126 /* extendedKeyUsage */,\n 372 /* extendedStatus */,\n 867 /* facsimileTelephoneNumber */,\n 462 /* favouriteDrink */,\n 857 /* freshestCRL */,\n 453 /* friendlyCountry */,\n 490 /* friendlyCountryName */,\n 156 /* friendlyName */,\n 509 /* generationQualifier */,\n 815 /* gost-mac */,\n 811 /* gost2001 */,\n 851 /* gost2001cc */,\n 813 /* gost89 */,\n 814 /* gost89-cnt */,\n 812 /* gost94 */,\n 850 /* gost94cc */,\n 797 /* hmacWithMD5 */,\n 163 /* hmacWithSHA1 */,\n 798 /* hmacWithSHA224 */,\n 799 /* hmacWithSHA256 */,\n 800 /* hmacWithSHA384 */,\n 801 /* hmacWithSHA512 */,\n 432 /* holdInstructionCallIssuer */,\n 430 /* holdInstructionCode */,\n 431 /* holdInstructionNone */,\n 433 /* holdInstructionReject */,\n 486 /* homePostalAddress */,\n 473 /* homeTelephoneNumber */,\n 466 /* host */,\n 889 /* houseIdentifier */,\n 442 /* iA5StringSyntax */,\n 783 /* id-DHBasedMac */,\n 824 /* id-Gost28147-89-CryptoPro-A-ParamSet */,\n 825 /* id-Gost28147-89-CryptoPro-B-ParamSet */,\n 826 /* id-Gost28147-89-CryptoPro-C-ParamSet */,\n 827 /* id-Gost28147-89-CryptoPro-D-ParamSet */,\n 819 /* id-Gost28147-89-CryptoPro-KeyMeshing */,\n 829 /* id-Gost28147-89-CryptoPro-Oscar-1-0-ParamSet */,\n 828 /* id-Gost28147-89-CryptoPro-Oscar-1-1-ParamSet */,\n 830 /* id-Gost28147-89-CryptoPro-RIC-1-ParamSet */,\n 820 /* id-Gost28147-89-None-KeyMeshing */,\n 823 /* id-Gost28147-89-TestParamSet */,\n 849 /* id-Gost28147-89-cc */,\n 840 /* id-GostR3410-2001-CryptoPro-A-ParamSet */,\n 841 /* id-GostR3410-2001-CryptoPro-B-ParamSet */,\n 842 /* id-GostR3410-2001-CryptoPro-C-ParamSet */,\n 843 /* id-GostR3410-2001-CryptoPro-XchA-ParamSet */,\n 844 /* id-GostR3410-2001-CryptoPro-XchB-ParamSet */,\n 854 /* id-GostR3410-2001-ParamSet-cc */,\n 839 /* id-GostR3410-2001-TestParamSet */,\n 817 /* id-GostR3410-2001DH */,\n 832 /* id-GostR3410-94-CryptoPro-A-ParamSet */,\n 833 /* id-GostR3410-94-CryptoPro-B-ParamSet */,\n 834 /* id-GostR3410-94-CryptoPro-C-ParamSet */,\n 835 /* id-GostR3410-94-CryptoPro-D-ParamSet */,\n 836 /* id-GostR3410-94-CryptoPro-XchA-ParamSet */,\n 837 /* id-GostR3410-94-CryptoPro-XchB-ParamSet */,\n 838 /* id-GostR3410-94-CryptoPro-XchC-ParamSet */,\n 831 /* id-GostR3410-94-TestParamSet */,\n 845 /* id-GostR3410-94-a */,\n 846 /* id-GostR3410-94-aBis */,\n 847 /* id-GostR3410-94-b */,\n 848 /* id-GostR3410-94-bBis */,\n 818 /* id-GostR3410-94DH */,\n 822 /* id-GostR3411-94-CryptoProParamSet */,\n 821 /* id-GostR3411-94-TestParamSet */,\n 807 /* id-GostR3411-94-with-GostR3410-2001 */,\n 853 /* id-GostR3411-94-with-GostR3410-2001-cc */,\n 808 /* id-GostR3411-94-with-GostR3410-94 */,\n 852 /* id-GostR3411-94-with-GostR3410-94-cc */,\n 810 /* id-HMACGostR3411-94 */,\n 782 /* id-PasswordBasedMAC */,\n 266 /* id-aca */,\n 355 /* id-aca-accessIdentity */,\n 354 /* id-aca-authenticationInfo */,\n 356 /* id-aca-chargingIdentity */,\n 399 /* id-aca-encAttrs */,\n 357 /* id-aca-group */,\n 358 /* id-aca-role */,\n 176 /* id-ad */,\n 896 /* id-aes128-CCM */,\n 895 /* id-aes128-GCM */,\n 788 /* id-aes128-wrap */,\n 897 /* id-aes128-wrap-pad */,\n 899 /* id-aes192-CCM */,\n 898 /* id-aes192-GCM */,\n 789 /* id-aes192-wrap */,\n 900 /* id-aes192-wrap-pad */,\n 902 /* id-aes256-CCM */,\n 901 /* id-aes256-GCM */,\n 790 /* id-aes256-wrap */,\n 903 /* id-aes256-wrap-pad */,\n 262 /* id-alg */,\n 893 /* id-alg-PWRI-KEK */,\n 323 /* id-alg-des40 */,\n 326 /* id-alg-dh-pop */,\n 325 /* id-alg-dh-sig-hmac-sha1 */,\n 324 /* id-alg-noSignature */,\n 907 /* id-camellia128-wrap */,\n 908 /* id-camellia192-wrap */,\n 909 /* id-camellia256-wrap */,\n 268 /* id-cct */,\n 361 /* id-cct-PKIData */,\n 362 /* id-cct-PKIResponse */,\n 360 /* id-cct-crs */,\n 81 /* id-ce */,\n 680 /* id-characteristic-two-basis */,\n 263 /* id-cmc */,\n 334 /* id-cmc-addExtensions */,\n 346 /* id-cmc-confirmCertAcceptance */,\n 330 /* id-cmc-dataReturn */,\n 336 /* id-cmc-decryptedPOP */,\n 335 /* id-cmc-encryptedPOP */,\n 339 /* id-cmc-getCRL */,\n 338 /* id-cmc-getCert */,\n 328 /* id-cmc-identification */,\n 329 /* id-cmc-identityProof */,\n 337 /* id-cmc-lraPOPWitness */,\n 344 /* id-cmc-popLinkRandom */,\n 345 /* id-cmc-popLinkWitness */,\n 343 /* id-cmc-queryPending */,\n 333 /* id-cmc-recipientNonce */,\n 341 /* id-cmc-regInfo */,\n 342 /* id-cmc-responseInfo */,\n 340 /* id-cmc-revokeRequest */,\n 332 /* id-cmc-senderNonce */,\n 327 /* id-cmc-statusInfo */,\n 331 /* id-cmc-transactionId */,\n 787 /* id-ct-asciiTextWithCRLF */,\n 408 /* id-ecPublicKey */,\n 508 /* id-hex-multipart-message */,\n 507 /* id-hex-partial-message */,\n 260 /* id-it */,\n 302 /* id-it-caKeyUpdateInfo */,\n 298 /* id-it-caProtEncCert */,\n 311 /* id-it-confirmWaitTime */,\n 303 /* id-it-currentCRL */,\n 300 /* id-it-encKeyPairTypes */,\n 310 /* id-it-implicitConfirm */,\n 308 /* id-it-keyPairParamRep */,\n 307 /* id-it-keyPairParamReq */,\n 312 /* id-it-origPKIMessage */,\n 301 /* id-it-preferredSymmAlg */,\n 309 /* id-it-revPassphrase */,\n 299 /* id-it-signKeyPairTypes */,\n 305 /* id-it-subscriptionRequest */,\n 306 /* id-it-subscriptionResponse */,\n 784 /* id-it-suppLangTags */,\n 304 /* id-it-unsupportedOIDs */,\n 128 /* id-kp */,\n 280 /* id-mod-attribute-cert */,\n 274 /* id-mod-cmc */,\n 277 /* id-mod-cmp */,\n 284 /* id-mod-cmp2000 */,\n 273 /* id-mod-crmf */,\n 283 /* id-mod-dvcs */,\n 275 /* id-mod-kea-profile-88 */,\n 276 /* id-mod-kea-profile-93 */,\n 282 /* id-mod-ocsp */,\n 278 /* id-mod-qualified-cert-88 */,\n 279 /* id-mod-qualified-cert-93 */,\n 281 /* id-mod-timestamp-protocol */,\n 264 /* id-on */,\n 858 /* id-on-permanentIdentifier */,\n 347 /* id-on-personalData */,\n 265 /* id-pda */,\n 352 /* id-pda-countryOfCitizenship */,\n 353 /* id-pda-countryOfResidence */,\n 348 /* id-pda-dateOfBirth */,\n 351 /* id-pda-gender */,\n 349 /* id-pda-placeOfBirth */,\n 175 /* id-pe */,\n 261 /* id-pkip */,\n 258 /* id-pkix-mod */,\n 269 /* id-pkix1-explicit-88 */,\n 271 /* id-pkix1-explicit-93 */,\n 270 /* id-pkix1-implicit-88 */,\n 272 /* id-pkix1-implicit-93 */,\n 662 /* id-ppl */,\n 664 /* id-ppl-anyLanguage */,\n 667 /* id-ppl-independent */,\n 665 /* id-ppl-inheritAll */,\n 267 /* id-qcs */,\n 359 /* id-qcs-pkixQCSyntax-v1 */,\n 259 /* id-qt */,\n 164 /* id-qt-cps */,\n 165 /* id-qt-unotice */,\n 313 /* id-regCtrl */,\n 316 /* id-regCtrl-authenticator */,\n 319 /* id-regCtrl-oldCertID */,\n 318 /* id-regCtrl-pkiArchiveOptions */,\n 317 /* id-regCtrl-pkiPublicationInfo */,\n 320 /* id-regCtrl-protocolEncrKey */,\n 315 /* id-regCtrl-regToken */,\n 314 /* id-regInfo */,\n 322 /* id-regInfo-certReq */,\n 321 /* id-regInfo-utf8Pairs */,\n 512 /* id-set */,\n 191 /* id-smime-aa */,\n 215 /* id-smime-aa-contentHint */,\n 218 /* id-smime-aa-contentIdentifier */,\n 221 /* id-smime-aa-contentReference */,\n 240 /* id-smime-aa-dvcs-dvc */,\n 217 /* id-smime-aa-encapContentType */,\n 222 /* id-smime-aa-encrypKeyPref */,\n 220 /* id-smime-aa-equivalentLabels */,\n 232 /* id-smime-aa-ets-CertificateRefs */,\n 233 /* id-smime-aa-ets-RevocationRefs */,\n 238 /* id-smime-aa-ets-archiveTimeStamp */,\n 237 /* id-smime-aa-ets-certCRLTimestamp */,\n 234 /* id-smime-aa-ets-certValues */,\n 227 /* id-smime-aa-ets-commitmentType */,\n 231 /* id-smime-aa-ets-contentTimestamp */,\n 236 /* id-smime-aa-ets-escTimeStamp */,\n 230 /* id-smime-aa-ets-otherSigCert */,\n 235 /* id-smime-aa-ets-revocationValues */,\n 226 /* id-smime-aa-ets-sigPolicyId */,\n 229 /* id-smime-aa-ets-signerAttr */,\n 228 /* id-smime-aa-ets-signerLocation */,\n 219 /* id-smime-aa-macValue */,\n 214 /* id-smime-aa-mlExpandHistory */,\n 216 /* id-smime-aa-msgSigDigest */,\n 212 /* id-smime-aa-receiptRequest */,\n 213 /* id-smime-aa-securityLabel */,\n 239 /* id-smime-aa-signatureType */,\n 223 /* id-smime-aa-signingCertificate */,\n 224 /* id-smime-aa-smimeEncryptCerts */,\n 225 /* id-smime-aa-timeStampToken */,\n 192 /* id-smime-alg */,\n 243 /* id-smime-alg-3DESwrap */,\n 246 /* id-smime-alg-CMS3DESwrap */,\n 247 /* id-smime-alg-CMSRC2wrap */,\n 245 /* id-smime-alg-ESDH */,\n 241 /* id-smime-alg-ESDHwith3DES */,\n 242 /* id-smime-alg-ESDHwithRC2 */,\n 244 /* id-smime-alg-RC2wrap */,\n 193 /* id-smime-cd */,\n 248 /* id-smime-cd-ldap */,\n 190 /* id-smime-ct */,\n 210 /* id-smime-ct-DVCSRequestData */,\n 211 /* id-smime-ct-DVCSResponseData */,\n 208 /* id-smime-ct-TDTInfo */,\n 207 /* id-smime-ct-TSTInfo */,\n 205 /* id-smime-ct-authData */,\n 786 /* id-smime-ct-compressedData */,\n 209 /* id-smime-ct-contentInfo */,\n 206 /* id-smime-ct-publishCert */,\n 204 /* id-smime-ct-receipt */,\n 195 /* id-smime-cti */,\n 255 /* id-smime-cti-ets-proofOfApproval */,\n 256 /* id-smime-cti-ets-proofOfCreation */,\n 253 /* id-smime-cti-ets-proofOfDelivery */,\n 251 /* id-smime-cti-ets-proofOfOrigin */,\n 252 /* id-smime-cti-ets-proofOfReceipt */,\n 254 /* id-smime-cti-ets-proofOfSender */,\n 189 /* id-smime-mod */,\n 196 /* id-smime-mod-cms */,\n 197 /* id-smime-mod-ess */,\n 202 /* id-smime-mod-ets-eSigPolicy-88 */,\n 203 /* id-smime-mod-ets-eSigPolicy-97 */,\n 200 /* id-smime-mod-ets-eSignature-88 */,\n 201 /* id-smime-mod-ets-eSignature-97 */,\n 199 /* id-smime-mod-msg-v3 */,\n 198 /* id-smime-mod-oid */,\n 194 /* id-smime-spq */,\n 250 /* id-smime-spq-ets-sqt-unotice */,\n 249 /* id-smime-spq-ets-sqt-uri */,\n 676 /* identified-organization */,\n 461 /* info */,\n 748 /* inhibitAnyPolicy */,\n 101 /* initials */,\n 647 /* international-organizations */,\n 869 /* internationaliSDNNumber */,\n 142 /* invalidityDate */,\n 294 /* ipsecEndSystem */,\n 295 /* ipsecTunnel */,\n 296 /* ipsecUser */,\n 86 /* issuerAltName */,\n 770 /* issuingDistributionPoint */,\n 492 /* janetMailbox */,\n 150 /* keyBag */,\n 83 /* keyUsage */,\n 477 /* lastModifiedBy */,\n 476 /* lastModifiedTime */,\n 157 /* localKeyID */,\n 480 /* mXRecord */,\n 460 /* mail */,\n 493 /* mailPreferenceOption */,\n 467 /* manager */,\n 809 /* md_gost94 */,\n 875 /* member */,\n 182 /* member-body */,\n 51 /* messageDigest */,\n 383 /* mgmt */,\n 504 /* mime-mhs */,\n 506 /* mime-mhs-bodies */,\n 505 /* mime-mhs-headings */,\n 488 /* mobileTelephoneNumber */,\n 136 /* msCTLSign */,\n 135 /* msCodeCom */,\n 134 /* msCodeInd */,\n 138 /* msEFS */,\n 171 /* msExtReq */,\n 137 /* msSGC */,\n 648 /* msSmartcardLogin */,\n 649 /* msUPN */,\n 481 /* nSRecord */,\n 173 /* name */,\n 666 /* nameConstraints */,\n 369 /* noCheck */,\n 403 /* noRevAvail */,\n 72 /* nsBaseUrl */,\n 76 /* nsCaPolicyUrl */,\n 74 /* nsCaRevocationUrl */,\n 58 /* nsCertExt */,\n 79 /* nsCertSequence */,\n 71 /* nsCertType */,\n 78 /* nsComment */,\n 59 /* nsDataType */,\n 75 /* nsRenewalUrl */,\n 73 /* nsRevocationUrl */,\n 139 /* nsSGC */,\n 77 /* nsSslServerName */,\n 681 /* onBasis */,\n 491 /* organizationalStatus */,\n 475 /* otherMailbox */,\n 876 /* owner */,\n 489 /* pagerTelephoneNumber */,\n 374 /* path */,\n 112 /* pbeWithMD5AndCast5CBC */,\n 499 /* personalSignature */,\n 487 /* personalTitle */,\n 464 /* photo */,\n 863 /* physicalDeliveryOfficeName */,\n 437 /* pilot */,\n 439 /* pilotAttributeSyntax */,\n 438 /* pilotAttributeType */,\n 479 /* pilotAttributeType27 */,\n 456 /* pilotDSA */,\n 441 /* pilotGroups */,\n 444 /* pilotObject */,\n 440 /* pilotObjectClass */,\n 455 /* pilotOrganization */,\n 445 /* pilotPerson */,\n 2 /* pkcs */,\n 186 /* pkcs1 */,\n 27 /* pkcs3 */,\n 187 /* pkcs5 */,\n 20 /* pkcs7 */,\n 21 /* pkcs7-data */,\n 25 /* pkcs7-digestData */,\n 26 /* pkcs7-encryptedData */,\n 23 /* pkcs7-envelopedData */,\n 24 /* pkcs7-signedAndEnvelopedData */,\n 22 /* pkcs7-signedData */,\n 151 /* pkcs8ShroudedKeyBag */,\n 47 /* pkcs9 */,\n 401 /* policyConstraints */,\n 747 /* policyMappings */,\n 862 /* postOfficeBox */,\n 861 /* postalAddress */,\n 661 /* postalCode */,\n 683 /* ppBasis */,\n 872 /* preferredDeliveryMethod */,\n 873 /* presentationAddress */,\n 816 /* prf-gostr3411-94 */,\n 406 /* prime-field */,\n 409 /* prime192v1 */,\n 410 /* prime192v2 */,\n 411 /* prime192v3 */,\n 412 /* prime239v1 */,\n 413 /* prime239v2 */,\n 414 /* prime239v3 */,\n 415 /* prime256v1 */,\n 385 /* private */,\n 84 /* privateKeyUsagePeriod */,\n 886 /* protocolInformation */,\n 663 /* proxyCertInfo */,\n 510 /* pseudonym */,\n 435 /* pss */,\n 286 /* qcStatements */,\n 457 /* qualityLabelledData */,\n 450 /* rFC822localPart */,\n 870 /* registeredAddress */,\n 400 /* role */,\n 877 /* roleOccupant */,\n 448 /* room */,\n 463 /* roomNumber */,\n 6 /* rsaEncryption */,\n 644 /* rsaOAEPEncryptionSET */,\n 377 /* rsaSignature */,\n 1 /* rsadsi */,\n 482 /* sOARecord */,\n 155 /* safeContentsBag */,\n 291 /* sbgp-autonomousSysNum */,\n 290 /* sbgp-ipAddrBlock */,\n 292 /* sbgp-routerIdentifier */,\n 159 /* sdsiCertificate */,\n 859 /* searchGuide */,\n 704 /* secp112r1 */,\n 705 /* secp112r2 */,\n 706 /* secp128r1 */,\n 707 /* secp128r2 */,\n 708 /* secp160k1 */,\n 709 /* secp160r1 */,\n 710 /* secp160r2 */,\n 711 /* secp192k1 */,\n 712 /* secp224k1 */,\n 713 /* secp224r1 */,\n 714 /* secp256k1 */,\n 715 /* secp384r1 */,\n 716 /* secp521r1 */,\n 154 /* secretBag */,\n 474 /* secretary */,\n 717 /* sect113r1 */,\n 718 /* sect113r2 */,\n 719 /* sect131r1 */,\n 720 /* sect131r2 */,\n 721 /* sect163k1 */,\n 722 /* sect163r1 */,\n 723 /* sect163r2 */,\n 724 /* sect193r1 */,\n 725 /* sect193r2 */,\n 726 /* sect233k1 */,\n 727 /* sect233r1 */,\n 728 /* sect239k1 */,\n 729 /* sect283k1 */,\n 730 /* sect283r1 */,\n 731 /* sect409k1 */,\n 732 /* sect409r1 */,\n 733 /* sect571k1 */,\n 734 /* sect571r1 */,\n 386 /* security */,\n 878 /* seeAlso */,\n 394 /* selected-attribute-types */,\n 105 /* serialNumber */,\n 129 /* serverAuth */,\n 371 /* serviceLocator */,\n 625 /* set-addPolicy */,\n 515 /* set-attr */,\n 518 /* set-brand */,\n 638 /* set-brand-AmericanExpress */,\n 637 /* set-brand-Diners */,\n 636 /* set-brand-IATA-ATA */,\n 639 /* set-brand-JCB */,\n 641 /* set-brand-MasterCard */,\n 642 /* set-brand-Novus */,\n 640 /* set-brand-Visa */,\n 517 /* set-certExt */,\n 513 /* set-ctype */,\n 514 /* set-msgExt */,\n 516 /* set-policy */,\n 607 /* set-policy-root */,\n 624 /* set-rootKeyThumb */,\n 620 /* setAttr-Cert */,\n 631 /* setAttr-GenCryptgrm */,\n 623 /* setAttr-IssCap */,\n 628 /* setAttr-IssCap-CVM */,\n 630 /* setAttr-IssCap-Sig */,\n 629 /* setAttr-IssCap-T2 */,\n 621 /* setAttr-PGWYcap */,\n 635 /* setAttr-SecDevSig */,\n 632 /* setAttr-T2Enc */,\n 633 /* setAttr-T2cleartxt */,\n 634 /* setAttr-TokICCsig */,\n 627 /* setAttr-Token-B0Prime */,\n 626 /* setAttr-Token-EMV */,\n 622 /* setAttr-TokenType */,\n 619 /* setCext-IssuerCapabilities */,\n 615 /* setCext-PGWYcapabilities */,\n 616 /* setCext-TokenIdentifier */,\n 618 /* setCext-TokenType */,\n 617 /* setCext-Track2Data */,\n 611 /* setCext-cCertRequired */,\n 609 /* setCext-certType */,\n 608 /* setCext-hashedRoot */,\n 610 /* setCext-merchData */,\n 613 /* setCext-setExt */,\n 614 /* setCext-setQualf */,\n 612 /* setCext-tunneling */,\n 540 /* setct-AcqCardCodeMsg */,\n 576 /* setct-AcqCardCodeMsgTBE */,\n 570 /* setct-AuthReqTBE */,\n 534 /* setct-AuthReqTBS */,\n 527 /* setct-AuthResBaggage */,\n 571 /* setct-AuthResTBE */,\n 572 /* setct-AuthResTBEX */,\n 535 /* setct-AuthResTBS */,\n 536 /* setct-AuthResTBSX */,\n 528 /* setct-AuthRevReqBaggage */,\n 577 /* setct-AuthRevReqTBE */,\n 541 /* setct-AuthRevReqTBS */,\n 529 /* setct-AuthRevResBaggage */,\n 542 /* setct-AuthRevResData */,\n 578 /* setct-AuthRevResTBE */,\n 579 /* setct-AuthRevResTBEB */,\n 543 /* setct-AuthRevResTBS */,\n 573 /* setct-AuthTokenTBE */,\n 537 /* setct-AuthTokenTBS */,\n 600 /* setct-BCIDistributionTBS */,\n 558 /* setct-BatchAdminReqData */,\n 592 /* setct-BatchAdminReqTBE */,\n 559 /* setct-BatchAdminResData */,\n 593 /* setct-BatchAdminResTBE */,\n 599 /* setct-CRLNotificationResTBS */,\n 598 /* setct-CRLNotificationTBS */,\n 580 /* setct-CapReqTBE */,\n 581 /* setct-CapReqTBEX */,\n 544 /* setct-CapReqTBS */,\n 545 /* setct-CapReqTBSX */,\n 546 /* setct-CapResData */,\n 582 /* setct-CapResTBE */,\n 583 /* setct-CapRevReqTBE */,\n 584 /* setct-CapRevReqTBEX */,\n 547 /* setct-CapRevReqTBS */,\n 548 /* setct-CapRevReqTBSX */,\n 549 /* setct-CapRevResData */,\n 585 /* setct-CapRevResTBE */,\n 538 /* setct-CapTokenData */,\n 530 /* setct-CapTokenSeq */,\n 574 /* setct-CapTokenTBE */,\n 575 /* setct-CapTokenTBEX */,\n 539 /* setct-CapTokenTBS */,\n 560 /* setct-CardCInitResTBS */,\n 566 /* setct-CertInqReqTBS */,\n 563 /* setct-CertReqData */,\n 595 /* setct-CertReqTBE */,\n 596 /* setct-CertReqTBEX */,\n 564 /* setct-CertReqTBS */,\n 565 /* setct-CertResData */,\n 597 /* setct-CertResTBE */,\n 586 /* setct-CredReqTBE */,\n 587 /* setct-CredReqTBEX */,\n 550 /* setct-CredReqTBS */,\n 551 /* setct-CredReqTBSX */,\n 552 /* setct-CredResData */,\n 588 /* setct-CredResTBE */,\n 589 /* setct-CredRevReqTBE */,\n 590 /* setct-CredRevReqTBEX */,\n 553 /* setct-CredRevReqTBS */,\n 554 /* setct-CredRevReqTBSX */,\n 555 /* setct-CredRevResData */,\n 591 /* setct-CredRevResTBE */,\n 567 /* setct-ErrorTBS */,\n 526 /* setct-HODInput */,\n 561 /* setct-MeAqCInitResTBS */,\n 522 /* setct-OIData */,\n 519 /* setct-PANData */,\n 521 /* setct-PANOnly */,\n 520 /* setct-PANToken */,\n 556 /* setct-PCertReqData */,\n 557 /* setct-PCertResTBS */,\n 523 /* setct-PI */,\n 532 /* setct-PI-TBS */,\n 524 /* setct-PIData */,\n 525 /* setct-PIDataUnsigned */,\n 568 /* setct-PIDualSignedTBE */,\n 569 /* setct-PIUnsignedTBE */,\n 531 /* setct-PInitResData */,\n 533 /* setct-PResData */,\n 594 /* setct-RegFormReqTBE */,\n 562 /* setct-RegFormResTBS */,\n 606 /* setext-cv */,\n 601 /* setext-genCrypt */,\n 602 /* setext-miAuth */,\n 604 /* setext-pinAny */,\n 603 /* setext-pinSecure */,\n 605 /* setext-track2 */,\n 52 /* signingTime */,\n 454 /* simpleSecurityObject */,\n 496 /* singleLevelQuality */,\n 387 /* snmpv2 */,\n 660 /* street */,\n 85 /* subjectAltName */,\n 769 /* subjectDirectoryAttributes */,\n 398 /* subjectInfoAccess */,\n 82 /* subjectKeyIdentifier */,\n 498 /* subtreeMaximumQuality */,\n 497 /* subtreeMinimumQuality */,\n 890 /* supportedAlgorithms */,\n 874 /* supportedApplicationContext */,\n 402 /* targetInformation */,\n 864 /* telephoneNumber */,\n 866 /* teletexTerminalIdentifier */,\n 865 /* telexNumber */,\n 459 /* textEncodedORAddress */,\n 293 /* textNotice */,\n 133 /* timeStamping */,\n 106 /* title */,\n 682 /* tpBasis */,\n 375 /* trustRoot */,\n 436 /* ucl */,\n 888 /* uniqueMember */,\n 55 /* unstructuredAddress */,\n 49 /* unstructuredName */,\n 880 /* userCertificate */,\n 465 /* userClass */,\n 879 /* userPassword */,\n 373 /* valid */,\n 678 /* wap */,\n 679 /* wap-wsg */,\n 735 /* wap-wsg-idm-ecid-wtls1 */,\n 743 /* wap-wsg-idm-ecid-wtls10 */,\n 744 /* wap-wsg-idm-ecid-wtls11 */,\n 745 /* wap-wsg-idm-ecid-wtls12 */,\n 736 /* wap-wsg-idm-ecid-wtls3 */,\n 737 /* wap-wsg-idm-ecid-wtls4 */,\n 738 /* wap-wsg-idm-ecid-wtls5 */,\n 739 /* wap-wsg-idm-ecid-wtls6 */,\n 740 /* wap-wsg-idm-ecid-wtls7 */,\n 741 /* wap-wsg-idm-ecid-wtls8 */,\n 742 /* wap-wsg-idm-ecid-wtls9 */,\n 804 /* whirlpool */,\n 868 /* x121Address */,\n 503 /* x500UniqueIdentifier */,\n 158 /* x509Certificate */,\n 160 /* x509Crl */,\n};\n\nstatic const uint16_t kNIDsInLongNameOrder[] = {\n 363 /* AD Time Stamping */,\n 405 /* ANSI X9.62 */,\n 368 /* Acceptable OCSP Responses */,\n 910 /* Any Extended Key Usage */,\n 664 /* Any language */,\n 177 /* Authority Information Access */,\n 365 /* Basic OCSP Response */,\n 285 /* Biometric Info */,\n 179 /* CA Issuers */,\n 785 /* CA Repository */,\n 131 /* Code Signing */,\n 783 /* Diffie-Hellman based MAC */,\n 382 /* Directory */,\n 392 /* Domain */,\n 132 /* E-mail Protection */,\n 949 /* ED25519 */,\n 960 /* ED448 */,\n 389 /* Enterprises */,\n 384 /* Experimental */,\n 372 /* Extended OCSP Status */,\n 172 /* Extension Request */,\n 813 /* GOST 28147-89 */,\n 849 /* GOST 28147-89 Cryptocom ParamSet */,\n 815 /* GOST 28147-89 MAC */,\n 851 /* GOST 34.10-2001 Cryptocom */,\n 850 /* GOST 34.10-94 Cryptocom */,\n 811 /* GOST R 34.10-2001 */,\n 817 /* GOST R 34.10-2001 DH */,\n 812 /* GOST R 34.10-94 */,\n 818 /* GOST R 34.10-94 DH */,\n 809 /* GOST R 34.11-94 */,\n 816 /* GOST R 34.11-94 PRF */,\n 807 /* GOST R 34.11-94 with GOST R 34.10-2001 */,\n 853 /* GOST R 34.11-94 with GOST R 34.10-2001 Cryptocom */,\n 808 /* GOST R 34.11-94 with GOST R 34.10-94 */,\n 852 /* GOST R 34.11-94 with GOST R 34.10-94 Cryptocom */,\n 854 /* GOST R 3410-2001 Parameter Set Cryptocom */,\n 810 /* HMAC GOST 34.11-94 */,\n 432 /* Hold Instruction Call Issuer */,\n 430 /* Hold Instruction Code */,\n 431 /* Hold Instruction None */,\n 433 /* Hold Instruction Reject */,\n 634 /* ICC or token signature */,\n 294 /* IPSec End System */,\n 295 /* IPSec Tunnel */,\n 296 /* IPSec User */,\n 182 /* ISO Member Body */,\n 183 /* ISO US Member Body */,\n 667 /* Independent */,\n 665 /* Inherit all */,\n 647 /* International Organizations */,\n 142 /* Invalidity Date */,\n 504 /* MIME MHS */,\n 388 /* Mail */,\n 383 /* Management */,\n 417 /* Microsoft CSP Name */,\n 135 /* Microsoft Commercial Code Signing */,\n 138 /* Microsoft Encrypted File System */,\n 171 /* Microsoft Extension Request */,\n 134 /* Microsoft Individual Code Signing */,\n 856 /* Microsoft Local Key set */,\n 137 /* Microsoft Server Gated Crypto */,\n 648 /* Microsoft Smartcardlogin */,\n 136 /* Microsoft Trust List Signing */,\n 649 /* Microsoft Universal Principal Name */,\n 72 /* Netscape Base Url */,\n 76 /* Netscape CA Policy Url */,\n 74 /* Netscape CA Revocation Url */,\n 71 /* Netscape Cert Type */,\n 58 /* Netscape Certificate Extension */,\n 79 /* Netscape Certificate Sequence */,\n 78 /* Netscape Comment */,\n 57 /* Netscape Communications Corp. */,\n 59 /* Netscape Data Type */,\n 75 /* Netscape Renewal Url */,\n 73 /* Netscape Revocation Url */,\n 77 /* Netscape SSL Server Name */,\n 139 /* Netscape Server Gated Crypto */,\n 178 /* OCSP */,\n 370 /* OCSP Archive Cutoff */,\n 367 /* OCSP CRL ID */,\n 369 /* OCSP No Check */,\n 366 /* OCSP Nonce */,\n 371 /* OCSP Service Locator */,\n 180 /* OCSP Signing */,\n 161 /* PBES2 */,\n 69 /* PBKDF2 */,\n 162 /* PBMAC1 */,\n 127 /* PKIX */,\n 858 /* Permanent Identifier */,\n 164 /* Policy Qualifier CPS */,\n 165 /* Policy Qualifier User Notice */,\n 385 /* Private */,\n 663 /* Proxy Certificate Information */,\n 1 /* RSA Data Security, Inc. */,\n 2 /* RSA Data Security, Inc. PKCS */,\n 188 /* S/MIME */,\n 167 /* S/MIME Capabilities */,\n 387 /* SNMPv2 */,\n 512 /* Secure Electronic Transactions */,\n 386 /* Security */,\n 394 /* Selected Attribute Types */,\n 143 /* Strong Extranet ID */,\n 398 /* Subject Information Access */,\n 130 /* TLS Web Client Authentication */,\n 129 /* TLS Web Server Authentication */,\n 133 /* Time Stamping */,\n 375 /* Trust Root */,\n 948 /* X25519 */,\n 964 /* X25519Kyber768Draft00 */,\n 965 /* X25519MLKEM768 */,\n 961 /* X448 */,\n 12 /* X509 */,\n 402 /* X509v3 AC Targeting */,\n 746 /* X509v3 Any Policy */,\n 90 /* X509v3 Authority Key Identifier */,\n 87 /* X509v3 Basic Constraints */,\n 103 /* X509v3 CRL Distribution Points */,\n 88 /* X509v3 CRL Number */,\n 141 /* X509v3 CRL Reason Code */,\n 771 /* X509v3 Certificate Issuer */,\n 89 /* X509v3 Certificate Policies */,\n 140 /* X509v3 Delta CRL Indicator */,\n 126 /* X509v3 Extended Key Usage */,\n 857 /* X509v3 Freshest CRL */,\n 748 /* X509v3 Inhibit Any Policy */,\n 86 /* X509v3 Issuer Alternative Name */,\n 770 /* X509v3 Issuing Distribution Point */,\n 83 /* X509v3 Key Usage */,\n 666 /* X509v3 Name Constraints */,\n 403 /* X509v3 No Revocation Available */,\n 401 /* X509v3 Policy Constraints */,\n 747 /* X509v3 Policy Mappings */,\n 84 /* X509v3 Private Key Usage Period */,\n 85 /* X509v3 Subject Alternative Name */,\n 769 /* X509v3 Subject Directory Attributes */,\n 82 /* X509v3 Subject Key Identifier */,\n 920 /* X9.42 DH */,\n 184 /* X9.57 */,\n 185 /* X9.57 CM ? */,\n 478 /* aRecord */,\n 289 /* aaControls */,\n 287 /* ac-auditEntity */,\n 397 /* ac-proxying */,\n 288 /* ac-targeting */,\n 446 /* account */,\n 364 /* ad dvcs */,\n 606 /* additional verification */,\n 419 /* aes-128-cbc */,\n 916 /* aes-128-cbc-hmac-sha1 */,\n 896 /* aes-128-ccm */,\n 421 /* aes-128-cfb */,\n 650 /* aes-128-cfb1 */,\n 653 /* aes-128-cfb8 */,\n 904 /* aes-128-ctr */,\n 418 /* aes-128-ecb */,\n 895 /* aes-128-gcm */,\n 420 /* aes-128-ofb */,\n 913 /* aes-128-xts */,\n 423 /* aes-192-cbc */,\n 917 /* aes-192-cbc-hmac-sha1 */,\n 899 /* aes-192-ccm */,\n 425 /* aes-192-cfb */,\n 651 /* aes-192-cfb1 */,\n 654 /* aes-192-cfb8 */,\n 905 /* aes-192-ctr */,\n 422 /* aes-192-ecb */,\n 898 /* aes-192-gcm */,\n 424 /* aes-192-ofb */,\n 427 /* aes-256-cbc */,\n 918 /* aes-256-cbc-hmac-sha1 */,\n 902 /* aes-256-ccm */,\n 429 /* aes-256-cfb */,\n 652 /* aes-256-cfb1 */,\n 655 /* aes-256-cfb8 */,\n 906 /* aes-256-ctr */,\n 426 /* aes-256-ecb */,\n 901 /* aes-256-gcm */,\n 428 /* aes-256-ofb */,\n 914 /* aes-256-xts */,\n 376 /* algorithm */,\n 484 /* associatedDomain */,\n 485 /* associatedName */,\n 501 /* audio */,\n 958 /* auth-any */,\n 955 /* auth-ecdsa */,\n 956 /* auth-psk */,\n 954 /* auth-rsa */,\n 882 /* authorityRevocationList */,\n 91 /* bf-cbc */,\n 93 /* bf-cfb */,\n 92 /* bf-ecb */,\n 94 /* bf-ofb */,\n 921 /* brainpoolP160r1 */,\n 922 /* brainpoolP160t1 */,\n 923 /* brainpoolP192r1 */,\n 924 /* brainpoolP192t1 */,\n 925 /* brainpoolP224r1 */,\n 926 /* brainpoolP224t1 */,\n 927 /* brainpoolP256r1 */,\n 928 /* brainpoolP256t1 */,\n 929 /* brainpoolP320r1 */,\n 930 /* brainpoolP320t1 */,\n 931 /* brainpoolP384r1 */,\n 932 /* brainpoolP384t1 */,\n 933 /* brainpoolP512r1 */,\n 934 /* brainpoolP512t1 */,\n 494 /* buildingName */,\n 860 /* businessCategory */,\n 691 /* c2onb191v4 */,\n 692 /* c2onb191v5 */,\n 697 /* c2onb239v4 */,\n 698 /* c2onb239v5 */,\n 684 /* c2pnb163v1 */,\n 685 /* c2pnb163v2 */,\n 686 /* c2pnb163v3 */,\n 687 /* c2pnb176v1 */,\n 693 /* c2pnb208w1 */,\n 699 /* c2pnb272w1 */,\n 700 /* c2pnb304w1 */,\n 702 /* c2pnb368w1 */,\n 688 /* c2tnb191v1 */,\n 689 /* c2tnb191v2 */,\n 690 /* c2tnb191v3 */,\n 694 /* c2tnb239v1 */,\n 695 /* c2tnb239v2 */,\n 696 /* c2tnb239v3 */,\n 701 /* c2tnb359v1 */,\n 703 /* c2tnb431r1 */,\n 881 /* cACertificate */,\n 483 /* cNAMERecord */,\n 751 /* camellia-128-cbc */,\n 757 /* camellia-128-cfb */,\n 760 /* camellia-128-cfb1 */,\n 763 /* camellia-128-cfb8 */,\n 754 /* camellia-128-ecb */,\n 766 /* camellia-128-ofb */,\n 752 /* camellia-192-cbc */,\n 758 /* camellia-192-cfb */,\n 761 /* camellia-192-cfb1 */,\n 764 /* camellia-192-cfb8 */,\n 755 /* camellia-192-ecb */,\n 767 /* camellia-192-ofb */,\n 753 /* camellia-256-cbc */,\n 759 /* camellia-256-cfb */,\n 762 /* camellia-256-cfb1 */,\n 765 /* camellia-256-cfb8 */,\n 756 /* camellia-256-ecb */,\n 768 /* camellia-256-ofb */,\n 443 /* caseIgnoreIA5StringSyntax */,\n 108 /* cast5-cbc */,\n 110 /* cast5-cfb */,\n 109 /* cast5-ecb */,\n 111 /* cast5-ofb */,\n 152 /* certBag */,\n 677 /* certicom-arc */,\n 517 /* certificate extensions */,\n 883 /* certificateRevocationList */,\n 950 /* chacha20-poly1305 */,\n 54 /* challengePassword */,\n 407 /* characteristic-two-field */,\n 395 /* clearance */,\n 633 /* cleartext track 2 */,\n 894 /* cmac */,\n 13 /* commonName */,\n 513 /* content types */,\n 50 /* contentType */,\n 53 /* countersignature */,\n 14 /* countryName */,\n 153 /* crlBag */,\n 884 /* crossCertificatePair */,\n 806 /* cryptocom */,\n 805 /* cryptopro */,\n 500 /* dITRedirect */,\n 451 /* dNSDomain */,\n 495 /* dSAQuality */,\n 434 /* data */,\n 390 /* dcObject */,\n 891 /* deltaRevocationList */,\n 31 /* des-cbc */,\n 643 /* des-cdmf */,\n 30 /* des-cfb */,\n 656 /* des-cfb1 */,\n 657 /* des-cfb8 */,\n 29 /* des-ecb */,\n 32 /* des-ede */,\n 43 /* des-ede-cbc */,\n 60 /* des-ede-cfb */,\n 62 /* des-ede-ofb */,\n 33 /* des-ede3 */,\n 44 /* des-ede3-cbc */,\n 61 /* des-ede3-cfb */,\n 658 /* des-ede3-cfb1 */,\n 659 /* des-ede3-cfb8 */,\n 63 /* des-ede3-ofb */,\n 45 /* des-ofb */,\n 107 /* description */,\n 871 /* destinationIndicator */,\n 80 /* desx-cbc */,\n 947 /* dh-cofactor-kdf */,\n 946 /* dh-std-kdf */,\n 28 /* dhKeyAgreement */,\n 941 /* dhSinglePass-cofactorDH-sha1kdf-scheme */,\n 942 /* dhSinglePass-cofactorDH-sha224kdf-scheme */,\n 943 /* dhSinglePass-cofactorDH-sha256kdf-scheme */,\n 944 /* dhSinglePass-cofactorDH-sha384kdf-scheme */,\n 945 /* dhSinglePass-cofactorDH-sha512kdf-scheme */,\n 936 /* dhSinglePass-stdDH-sha1kdf-scheme */,\n 937 /* dhSinglePass-stdDH-sha224kdf-scheme */,\n 938 /* dhSinglePass-stdDH-sha256kdf-scheme */,\n 939 /* dhSinglePass-stdDH-sha384kdf-scheme */,\n 940 /* dhSinglePass-stdDH-sha512kdf-scheme */,\n 11 /* directory services (X.500) */,\n 378 /* directory services - algorithms */,\n 887 /* distinguishedName */,\n 892 /* dmdName */,\n 174 /* dnQualifier */,\n 447 /* document */,\n 471 /* documentAuthor */,\n 468 /* documentIdentifier */,\n 472 /* documentLocation */,\n 502 /* documentPublisher */,\n 449 /* documentSeries */,\n 469 /* documentTitle */,\n 470 /* documentVersion */,\n 380 /* dod */,\n 391 /* domainComponent */,\n 452 /* domainRelatedObject */,\n 116 /* dsaEncryption */,\n 67 /* dsaEncryption-old */,\n 66 /* dsaWithSHA */,\n 113 /* dsaWithSHA1 */,\n 70 /* dsaWithSHA1-old */,\n 802 /* dsa_with_SHA224 */,\n 803 /* dsa_with_SHA256 */,\n 297 /* dvcs */,\n 791 /* ecdsa-with-Recommended */,\n 416 /* ecdsa-with-SHA1 */,\n 793 /* ecdsa-with-SHA224 */,\n 794 /* ecdsa-with-SHA256 */,\n 795 /* ecdsa-with-SHA384 */,\n 796 /* ecdsa-with-SHA512 */,\n 792 /* ecdsa-with-Specified */,\n 48 /* emailAddress */,\n 632 /* encrypted track 2 */,\n 885 /* enhancedSearchGuide */,\n 56 /* extendedCertificateAttributes */,\n 867 /* facsimileTelephoneNumber */,\n 462 /* favouriteDrink */,\n 453 /* friendlyCountry */,\n 490 /* friendlyCountryName */,\n 156 /* friendlyName */,\n 631 /* generate cryptogram */,\n 509 /* generationQualifier */,\n 601 /* generic cryptogram */,\n 99 /* givenName */,\n 814 /* gost89-cnt */,\n 963 /* hkdf */,\n 855 /* hmac */,\n 780 /* hmac-md5 */,\n 781 /* hmac-sha1 */,\n 797 /* hmacWithMD5 */,\n 163 /* hmacWithSHA1 */,\n 798 /* hmacWithSHA224 */,\n 799 /* hmacWithSHA256 */,\n 800 /* hmacWithSHA384 */,\n 801 /* hmacWithSHA512 */,\n 486 /* homePostalAddress */,\n 473 /* homeTelephoneNumber */,\n 466 /* host */,\n 889 /* houseIdentifier */,\n 442 /* iA5StringSyntax */,\n 381 /* iana */,\n 824 /* id-Gost28147-89-CryptoPro-A-ParamSet */,\n 825 /* id-Gost28147-89-CryptoPro-B-ParamSet */,\n 826 /* id-Gost28147-89-CryptoPro-C-ParamSet */,\n 827 /* id-Gost28147-89-CryptoPro-D-ParamSet */,\n 819 /* id-Gost28147-89-CryptoPro-KeyMeshing */,\n 829 /* id-Gost28147-89-CryptoPro-Oscar-1-0-ParamSet */,\n 828 /* id-Gost28147-89-CryptoPro-Oscar-1-1-ParamSet */,\n 830 /* id-Gost28147-89-CryptoPro-RIC-1-ParamSet */,\n 820 /* id-Gost28147-89-None-KeyMeshing */,\n 823 /* id-Gost28147-89-TestParamSet */,\n 840 /* id-GostR3410-2001-CryptoPro-A-ParamSet */,\n 841 /* id-GostR3410-2001-CryptoPro-B-ParamSet */,\n 842 /* id-GostR3410-2001-CryptoPro-C-ParamSet */,\n 843 /* id-GostR3410-2001-CryptoPro-XchA-ParamSet */,\n 844 /* id-GostR3410-2001-CryptoPro-XchB-ParamSet */,\n 839 /* id-GostR3410-2001-TestParamSet */,\n 832 /* id-GostR3410-94-CryptoPro-A-ParamSet */,\n 833 /* id-GostR3410-94-CryptoPro-B-ParamSet */,\n 834 /* id-GostR3410-94-CryptoPro-C-ParamSet */,\n 835 /* id-GostR3410-94-CryptoPro-D-ParamSet */,\n 836 /* id-GostR3410-94-CryptoPro-XchA-ParamSet */,\n 837 /* id-GostR3410-94-CryptoPro-XchB-ParamSet */,\n 838 /* id-GostR3410-94-CryptoPro-XchC-ParamSet */,\n 831 /* id-GostR3410-94-TestParamSet */,\n 845 /* id-GostR3410-94-a */,\n 846 /* id-GostR3410-94-aBis */,\n 847 /* id-GostR3410-94-b */,\n 848 /* id-GostR3410-94-bBis */,\n 822 /* id-GostR3411-94-CryptoProParamSet */,\n 821 /* id-GostR3411-94-TestParamSet */,\n 266 /* id-aca */,\n 355 /* id-aca-accessIdentity */,\n 354 /* id-aca-authenticationInfo */,\n 356 /* id-aca-chargingIdentity */,\n 399 /* id-aca-encAttrs */,\n 357 /* id-aca-group */,\n 358 /* id-aca-role */,\n 176 /* id-ad */,\n 788 /* id-aes128-wrap */,\n 897 /* id-aes128-wrap-pad */,\n 789 /* id-aes192-wrap */,\n 900 /* id-aes192-wrap-pad */,\n 790 /* id-aes256-wrap */,\n 903 /* id-aes256-wrap-pad */,\n 262 /* id-alg */,\n 893 /* id-alg-PWRI-KEK */,\n 323 /* id-alg-des40 */,\n 326 /* id-alg-dh-pop */,\n 325 /* id-alg-dh-sig-hmac-sha1 */,\n 324 /* id-alg-noSignature */,\n 907 /* id-camellia128-wrap */,\n 908 /* id-camellia192-wrap */,\n 909 /* id-camellia256-wrap */,\n 268 /* id-cct */,\n 361 /* id-cct-PKIData */,\n 362 /* id-cct-PKIResponse */,\n 360 /* id-cct-crs */,\n 81 /* id-ce */,\n 680 /* id-characteristic-two-basis */,\n 263 /* id-cmc */,\n 334 /* id-cmc-addExtensions */,\n 346 /* id-cmc-confirmCertAcceptance */,\n 330 /* id-cmc-dataReturn */,\n 336 /* id-cmc-decryptedPOP */,\n 335 /* id-cmc-encryptedPOP */,\n 339 /* id-cmc-getCRL */,\n 338 /* id-cmc-getCert */,\n 328 /* id-cmc-identification */,\n 329 /* id-cmc-identityProof */,\n 337 /* id-cmc-lraPOPWitness */,\n 344 /* id-cmc-popLinkRandom */,\n 345 /* id-cmc-popLinkWitness */,\n 343 /* id-cmc-queryPending */,\n 333 /* id-cmc-recipientNonce */,\n 341 /* id-cmc-regInfo */,\n 342 /* id-cmc-responseInfo */,\n 340 /* id-cmc-revokeRequest */,\n 332 /* id-cmc-senderNonce */,\n 327 /* id-cmc-statusInfo */,\n 331 /* id-cmc-transactionId */,\n 787 /* id-ct-asciiTextWithCRLF */,\n 408 /* id-ecPublicKey */,\n 508 /* id-hex-multipart-message */,\n 507 /* id-hex-partial-message */,\n 260 /* id-it */,\n 302 /* id-it-caKeyUpdateInfo */,\n 298 /* id-it-caProtEncCert */,\n 311 /* id-it-confirmWaitTime */,\n 303 /* id-it-currentCRL */,\n 300 /* id-it-encKeyPairTypes */,\n 310 /* id-it-implicitConfirm */,\n 308 /* id-it-keyPairParamRep */,\n 307 /* id-it-keyPairParamReq */,\n 312 /* id-it-origPKIMessage */,\n 301 /* id-it-preferredSymmAlg */,\n 309 /* id-it-revPassphrase */,\n 299 /* id-it-signKeyPairTypes */,\n 305 /* id-it-subscriptionRequest */,\n 306 /* id-it-subscriptionResponse */,\n 784 /* id-it-suppLangTags */,\n 304 /* id-it-unsupportedOIDs */,\n 128 /* id-kp */,\n 280 /* id-mod-attribute-cert */,\n 274 /* id-mod-cmc */,\n 277 /* id-mod-cmp */,\n 284 /* id-mod-cmp2000 */,\n 273 /* id-mod-crmf */,\n 283 /* id-mod-dvcs */,\n 275 /* id-mod-kea-profile-88 */,\n 276 /* id-mod-kea-profile-93 */,\n 282 /* id-mod-ocsp */,\n 278 /* id-mod-qualified-cert-88 */,\n 279 /* id-mod-qualified-cert-93 */,\n 281 /* id-mod-timestamp-protocol */,\n 264 /* id-on */,\n 347 /* id-on-personalData */,\n 265 /* id-pda */,\n 352 /* id-pda-countryOfCitizenship */,\n 353 /* id-pda-countryOfResidence */,\n 348 /* id-pda-dateOfBirth */,\n 351 /* id-pda-gender */,\n 349 /* id-pda-placeOfBirth */,\n 175 /* id-pe */,\n 261 /* id-pkip */,\n 258 /* id-pkix-mod */,\n 269 /* id-pkix1-explicit-88 */,\n 271 /* id-pkix1-explicit-93 */,\n 270 /* id-pkix1-implicit-88 */,\n 272 /* id-pkix1-implicit-93 */,\n 662 /* id-ppl */,\n 267 /* id-qcs */,\n 359 /* id-qcs-pkixQCSyntax-v1 */,\n 259 /* id-qt */,\n 313 /* id-regCtrl */,\n 316 /* id-regCtrl-authenticator */,\n 319 /* id-regCtrl-oldCertID */,\n 318 /* id-regCtrl-pkiArchiveOptions */,\n 317 /* id-regCtrl-pkiPublicationInfo */,\n 320 /* id-regCtrl-protocolEncrKey */,\n 315 /* id-regCtrl-regToken */,\n 314 /* id-regInfo */,\n 322 /* id-regInfo-certReq */,\n 321 /* id-regInfo-utf8Pairs */,\n 191 /* id-smime-aa */,\n 215 /* id-smime-aa-contentHint */,\n 218 /* id-smime-aa-contentIdentifier */,\n 221 /* id-smime-aa-contentReference */,\n 240 /* id-smime-aa-dvcs-dvc */,\n 217 /* id-smime-aa-encapContentType */,\n 222 /* id-smime-aa-encrypKeyPref */,\n 220 /* id-smime-aa-equivalentLabels */,\n 232 /* id-smime-aa-ets-CertificateRefs */,\n 233 /* id-smime-aa-ets-RevocationRefs */,\n 238 /* id-smime-aa-ets-archiveTimeStamp */,\n 237 /* id-smime-aa-ets-certCRLTimestamp */,\n 234 /* id-smime-aa-ets-certValues */,\n 227 /* id-smime-aa-ets-commitmentType */,\n 231 /* id-smime-aa-ets-contentTimestamp */,\n 236 /* id-smime-aa-ets-escTimeStamp */,\n 230 /* id-smime-aa-ets-otherSigCert */,\n 235 /* id-smime-aa-ets-revocationValues */,\n 226 /* id-smime-aa-ets-sigPolicyId */,\n 229 /* id-smime-aa-ets-signerAttr */,\n 228 /* id-smime-aa-ets-signerLocation */,\n 219 /* id-smime-aa-macValue */,\n 214 /* id-smime-aa-mlExpandHistory */,\n 216 /* id-smime-aa-msgSigDigest */,\n 212 /* id-smime-aa-receiptRequest */,\n 213 /* id-smime-aa-securityLabel */,\n 239 /* id-smime-aa-signatureType */,\n 223 /* id-smime-aa-signingCertificate */,\n 224 /* id-smime-aa-smimeEncryptCerts */,\n 225 /* id-smime-aa-timeStampToken */,\n 192 /* id-smime-alg */,\n 243 /* id-smime-alg-3DESwrap */,\n 246 /* id-smime-alg-CMS3DESwrap */,\n 247 /* id-smime-alg-CMSRC2wrap */,\n 245 /* id-smime-alg-ESDH */,\n 241 /* id-smime-alg-ESDHwith3DES */,\n 242 /* id-smime-alg-ESDHwithRC2 */,\n 244 /* id-smime-alg-RC2wrap */,\n 193 /* id-smime-cd */,\n 248 /* id-smime-cd-ldap */,\n 190 /* id-smime-ct */,\n 210 /* id-smime-ct-DVCSRequestData */,\n 211 /* id-smime-ct-DVCSResponseData */,\n 208 /* id-smime-ct-TDTInfo */,\n 207 /* id-smime-ct-TSTInfo */,\n 205 /* id-smime-ct-authData */,\n 786 /* id-smime-ct-compressedData */,\n 209 /* id-smime-ct-contentInfo */,\n 206 /* id-smime-ct-publishCert */,\n 204 /* id-smime-ct-receipt */,\n 195 /* id-smime-cti */,\n 255 /* id-smime-cti-ets-proofOfApproval */,\n 256 /* id-smime-cti-ets-proofOfCreation */,\n 253 /* id-smime-cti-ets-proofOfDelivery */,\n 251 /* id-smime-cti-ets-proofOfOrigin */,\n 252 /* id-smime-cti-ets-proofOfReceipt */,\n 254 /* id-smime-cti-ets-proofOfSender */,\n 189 /* id-smime-mod */,\n 196 /* id-smime-mod-cms */,\n 197 /* id-smime-mod-ess */,\n 202 /* id-smime-mod-ets-eSigPolicy-88 */,\n 203 /* id-smime-mod-ets-eSigPolicy-97 */,\n 200 /* id-smime-mod-ets-eSignature-88 */,\n 201 /* id-smime-mod-ets-eSignature-97 */,\n 199 /* id-smime-mod-msg-v3 */,\n 198 /* id-smime-mod-oid */,\n 194 /* id-smime-spq */,\n 250 /* id-smime-spq-ets-sqt-unotice */,\n 249 /* id-smime-spq-ets-sqt-uri */,\n 34 /* idea-cbc */,\n 35 /* idea-cfb */,\n 36 /* idea-ecb */,\n 46 /* idea-ofb */,\n 676 /* identified-organization */,\n 461 /* info */,\n 101 /* initials */,\n 869 /* internationaliSDNNumber */,\n 749 /* ipsec3 */,\n 750 /* ipsec4 */,\n 181 /* iso */,\n 623 /* issuer capabilities */,\n 645 /* itu-t */,\n 492 /* janetMailbox */,\n 646 /* joint-iso-itu-t */,\n 150 /* keyBag */,\n 773 /* kisa */,\n 957 /* kx-any */,\n 952 /* kx-ecdhe */,\n 953 /* kx-psk */,\n 951 /* kx-rsa */,\n 477 /* lastModifiedBy */,\n 476 /* lastModifiedTime */,\n 157 /* localKeyID */,\n 15 /* localityName */,\n 480 /* mXRecord */,\n 493 /* mailPreferenceOption */,\n 467 /* manager */,\n 3 /* md2 */,\n 7 /* md2WithRSAEncryption */,\n 257 /* md4 */,\n 396 /* md4WithRSAEncryption */,\n 4 /* md5 */,\n 114 /* md5-sha1 */,\n 104 /* md5WithRSA */,\n 8 /* md5WithRSAEncryption */,\n 95 /* mdc2 */,\n 96 /* mdc2WithRSA */,\n 875 /* member */,\n 602 /* merchant initiated auth */,\n 514 /* message extensions */,\n 51 /* messageDigest */,\n 911 /* mgf1 */,\n 506 /* mime-mhs-bodies */,\n 505 /* mime-mhs-headings */,\n 488 /* mobileTelephoneNumber */,\n 481 /* nSRecord */,\n 173 /* name */,\n 681 /* onBasis */,\n 379 /* org */,\n 17 /* organizationName */,\n 491 /* organizationalStatus */,\n 18 /* organizationalUnitName */,\n 475 /* otherMailbox */,\n 876 /* owner */,\n 935 /* pSpecified */,\n 489 /* pagerTelephoneNumber */,\n 782 /* password based MAC */,\n 374 /* path */,\n 621 /* payment gateway capabilities */,\n 9 /* pbeWithMD2AndDES-CBC */,\n 168 /* pbeWithMD2AndRC2-CBC */,\n 112 /* pbeWithMD5AndCast5CBC */,\n 10 /* pbeWithMD5AndDES-CBC */,\n 169 /* pbeWithMD5AndRC2-CBC */,\n 148 /* pbeWithSHA1And128BitRC2-CBC */,\n 144 /* pbeWithSHA1And128BitRC4 */,\n 147 /* pbeWithSHA1And2-KeyTripleDES-CBC */,\n 146 /* pbeWithSHA1And3-KeyTripleDES-CBC */,\n 149 /* pbeWithSHA1And40BitRC2-CBC */,\n 145 /* pbeWithSHA1And40BitRC4 */,\n 170 /* pbeWithSHA1AndDES-CBC */,\n 68 /* pbeWithSHA1AndRC2-CBC */,\n 499 /* personalSignature */,\n 487 /* personalTitle */,\n 464 /* photo */,\n 863 /* physicalDeliveryOfficeName */,\n 437 /* pilot */,\n 439 /* pilotAttributeSyntax */,\n 438 /* pilotAttributeType */,\n 479 /* pilotAttributeType27 */,\n 456 /* pilotDSA */,\n 441 /* pilotGroups */,\n 444 /* pilotObject */,\n 440 /* pilotObjectClass */,\n 455 /* pilotOrganization */,\n 445 /* pilotPerson */,\n 186 /* pkcs1 */,\n 27 /* pkcs3 */,\n 187 /* pkcs5 */,\n 20 /* pkcs7 */,\n 21 /* pkcs7-data */,\n 25 /* pkcs7-digestData */,\n 26 /* pkcs7-encryptedData */,\n 23 /* pkcs7-envelopedData */,\n 24 /* pkcs7-signedAndEnvelopedData */,\n 22 /* pkcs7-signedData */,\n 151 /* pkcs8ShroudedKeyBag */,\n 47 /* pkcs9 */,\n 862 /* postOfficeBox */,\n 861 /* postalAddress */,\n 661 /* postalCode */,\n 683 /* ppBasis */,\n 872 /* preferredDeliveryMethod */,\n 873 /* presentationAddress */,\n 406 /* prime-field */,\n 409 /* prime192v1 */,\n 410 /* prime192v2 */,\n 411 /* prime192v3 */,\n 412 /* prime239v1 */,\n 413 /* prime239v2 */,\n 414 /* prime239v3 */,\n 415 /* prime256v1 */,\n 886 /* protocolInformation */,\n 510 /* pseudonym */,\n 435 /* pss */,\n 286 /* qcStatements */,\n 457 /* qualityLabelledData */,\n 450 /* rFC822localPart */,\n 98 /* rc2-40-cbc */,\n 166 /* rc2-64-cbc */,\n 37 /* rc2-cbc */,\n 39 /* rc2-cfb */,\n 38 /* rc2-ecb */,\n 40 /* rc2-ofb */,\n 5 /* rc4 */,\n 97 /* rc4-40 */,\n 915 /* rc4-hmac-md5 */,\n 120 /* rc5-cbc */,\n 122 /* rc5-cfb */,\n 121 /* rc5-ecb */,\n 123 /* rc5-ofb */,\n 870 /* registeredAddress */,\n 460 /* rfc822Mailbox */,\n 117 /* ripemd160 */,\n 119 /* ripemd160WithRSA */,\n 400 /* role */,\n 877 /* roleOccupant */,\n 448 /* room */,\n 463 /* roomNumber */,\n 19 /* rsa */,\n 6 /* rsaEncryption */,\n 644 /* rsaOAEPEncryptionSET */,\n 377 /* rsaSignature */,\n 919 /* rsaesOaep */,\n 912 /* rsassaPss */,\n 482 /* sOARecord */,\n 155 /* safeContentsBag */,\n 291 /* sbgp-autonomousSysNum */,\n 290 /* sbgp-ipAddrBlock */,\n 292 /* sbgp-routerIdentifier */,\n 159 /* sdsiCertificate */,\n 859 /* searchGuide */,\n 704 /* secp112r1 */,\n 705 /* secp112r2 */,\n 706 /* secp128r1 */,\n 707 /* secp128r2 */,\n 708 /* secp160k1 */,\n 709 /* secp160r1 */,\n 710 /* secp160r2 */,\n 711 /* secp192k1 */,\n 712 /* secp224k1 */,\n 713 /* secp224r1 */,\n 714 /* secp256k1 */,\n 715 /* secp384r1 */,\n 716 /* secp521r1 */,\n 154 /* secretBag */,\n 474 /* secretary */,\n 717 /* sect113r1 */,\n 718 /* sect113r2 */,\n 719 /* sect131r1 */,\n 720 /* sect131r2 */,\n 721 /* sect163k1 */,\n 722 /* sect163r1 */,\n 723 /* sect163r2 */,\n 724 /* sect193r1 */,\n 725 /* sect193r2 */,\n 726 /* sect233k1 */,\n 727 /* sect233r1 */,\n 728 /* sect239k1 */,\n 729 /* sect283k1 */,\n 730 /* sect283r1 */,\n 731 /* sect409k1 */,\n 732 /* sect409r1 */,\n 733 /* sect571k1 */,\n 734 /* sect571r1 */,\n 635 /* secure device signature */,\n 878 /* seeAlso */,\n 777 /* seed-cbc */,\n 779 /* seed-cfb */,\n 776 /* seed-ecb */,\n 778 /* seed-ofb */,\n 105 /* serialNumber */,\n 625 /* set-addPolicy */,\n 515 /* set-attr */,\n 518 /* set-brand */,\n 638 /* set-brand-AmericanExpress */,\n 637 /* set-brand-Diners */,\n 636 /* set-brand-IATA-ATA */,\n 639 /* set-brand-JCB */,\n 641 /* set-brand-MasterCard */,\n 642 /* set-brand-Novus */,\n 640 /* set-brand-Visa */,\n 516 /* set-policy */,\n 607 /* set-policy-root */,\n 624 /* set-rootKeyThumb */,\n 620 /* setAttr-Cert */,\n 628 /* setAttr-IssCap-CVM */,\n 630 /* setAttr-IssCap-Sig */,\n 629 /* setAttr-IssCap-T2 */,\n 627 /* setAttr-Token-B0Prime */,\n 626 /* setAttr-Token-EMV */,\n 622 /* setAttr-TokenType */,\n 619 /* setCext-IssuerCapabilities */,\n 615 /* setCext-PGWYcapabilities */,\n 616 /* setCext-TokenIdentifier */,\n 618 /* setCext-TokenType */,\n 617 /* setCext-Track2Data */,\n 611 /* setCext-cCertRequired */,\n 609 /* setCext-certType */,\n 608 /* setCext-hashedRoot */,\n 610 /* setCext-merchData */,\n 613 /* setCext-setExt */,\n 614 /* setCext-setQualf */,\n 612 /* setCext-tunneling */,\n 540 /* setct-AcqCardCodeMsg */,\n 576 /* setct-AcqCardCodeMsgTBE */,\n 570 /* setct-AuthReqTBE */,\n 534 /* setct-AuthReqTBS */,\n 527 /* setct-AuthResBaggage */,\n 571 /* setct-AuthResTBE */,\n 572 /* setct-AuthResTBEX */,\n 535 /* setct-AuthResTBS */,\n 536 /* setct-AuthResTBSX */,\n 528 /* setct-AuthRevReqBaggage */,\n 577 /* setct-AuthRevReqTBE */,\n 541 /* setct-AuthRevReqTBS */,\n 529 /* setct-AuthRevResBaggage */,\n 542 /* setct-AuthRevResData */,\n 578 /* setct-AuthRevResTBE */,\n 579 /* setct-AuthRevResTBEB */,\n 543 /* setct-AuthRevResTBS */,\n 573 /* setct-AuthTokenTBE */,\n 537 /* setct-AuthTokenTBS */,\n 600 /* setct-BCIDistributionTBS */,\n 558 /* setct-BatchAdminReqData */,\n 592 /* setct-BatchAdminReqTBE */,\n 559 /* setct-BatchAdminResData */,\n 593 /* setct-BatchAdminResTBE */,\n 599 /* setct-CRLNotificationResTBS */,\n 598 /* setct-CRLNotificationTBS */,\n 580 /* setct-CapReqTBE */,\n 581 /* setct-CapReqTBEX */,\n 544 /* setct-CapReqTBS */,\n 545 /* setct-CapReqTBSX */,\n 546 /* setct-CapResData */,\n 582 /* setct-CapResTBE */,\n 583 /* setct-CapRevReqTBE */,\n 584 /* setct-CapRevReqTBEX */,\n 547 /* setct-CapRevReqTBS */,\n 548 /* setct-CapRevReqTBSX */,\n 549 /* setct-CapRevResData */,\n 585 /* setct-CapRevResTBE */,\n 538 /* setct-CapTokenData */,\n 530 /* setct-CapTokenSeq */,\n 574 /* setct-CapTokenTBE */,\n 575 /* setct-CapTokenTBEX */,\n 539 /* setct-CapTokenTBS */,\n 560 /* setct-CardCInitResTBS */,\n 566 /* setct-CertInqReqTBS */,\n 563 /* setct-CertReqData */,\n 595 /* setct-CertReqTBE */,\n 596 /* setct-CertReqTBEX */,\n 564 /* setct-CertReqTBS */,\n 565 /* setct-CertResData */,\n 597 /* setct-CertResTBE */,\n 586 /* setct-CredReqTBE */,\n 587 /* setct-CredReqTBEX */,\n 550 /* setct-CredReqTBS */,\n 551 /* setct-CredReqTBSX */,\n 552 /* setct-CredResData */,\n 588 /* setct-CredResTBE */,\n 589 /* setct-CredRevReqTBE */,\n 590 /* setct-CredRevReqTBEX */,\n 553 /* setct-CredRevReqTBS */,\n 554 /* setct-CredRevReqTBSX */,\n 555 /* setct-CredRevResData */,\n 591 /* setct-CredRevResTBE */,\n 567 /* setct-ErrorTBS */,\n 526 /* setct-HODInput */,\n 561 /* setct-MeAqCInitResTBS */,\n 522 /* setct-OIData */,\n 519 /* setct-PANData */,\n 521 /* setct-PANOnly */,\n 520 /* setct-PANToken */,\n 556 /* setct-PCertReqData */,\n 557 /* setct-PCertResTBS */,\n 523 /* setct-PI */,\n 532 /* setct-PI-TBS */,\n 524 /* setct-PIData */,\n 525 /* setct-PIDataUnsigned */,\n 568 /* setct-PIDualSignedTBE */,\n 569 /* setct-PIUnsignedTBE */,\n 531 /* setct-PInitResData */,\n 533 /* setct-PResData */,\n 594 /* setct-RegFormReqTBE */,\n 562 /* setct-RegFormResTBS */,\n 604 /* setext-pinAny */,\n 603 /* setext-pinSecure */,\n 605 /* setext-track2 */,\n 41 /* sha */,\n 64 /* sha1 */,\n 115 /* sha1WithRSA */,\n 65 /* sha1WithRSAEncryption */,\n 675 /* sha224 */,\n 671 /* sha224WithRSAEncryption */,\n 672 /* sha256 */,\n 668 /* sha256WithRSAEncryption */,\n 673 /* sha384 */,\n 669 /* sha384WithRSAEncryption */,\n 674 /* sha512 */,\n 962 /* sha512-256 */,\n 670 /* sha512WithRSAEncryption */,\n 42 /* shaWithRSAEncryption */,\n 52 /* signingTime */,\n 454 /* simpleSecurityObject */,\n 496 /* singleLevelQuality */,\n 16 /* stateOrProvinceName */,\n 660 /* streetAddress */,\n 498 /* subtreeMaximumQuality */,\n 497 /* subtreeMinimumQuality */,\n 890 /* supportedAlgorithms */,\n 874 /* supportedApplicationContext */,\n 100 /* surname */,\n 864 /* telephoneNumber */,\n 866 /* teletexTerminalIdentifier */,\n 865 /* telexNumber */,\n 459 /* textEncodedORAddress */,\n 293 /* textNotice */,\n 106 /* title */,\n 682 /* tpBasis */,\n 436 /* ucl */,\n 888 /* uniqueMember */,\n 55 /* unstructuredAddress */,\n 49 /* unstructuredName */,\n 880 /* userCertificate */,\n 465 /* userClass */,\n 458 /* userId */,\n 879 /* userPassword */,\n 373 /* valid */,\n 678 /* wap */,\n 679 /* wap-wsg */,\n 735 /* wap-wsg-idm-ecid-wtls1 */,\n 743 /* wap-wsg-idm-ecid-wtls10 */,\n 744 /* wap-wsg-idm-ecid-wtls11 */,\n 745 /* wap-wsg-idm-ecid-wtls12 */,\n 736 /* wap-wsg-idm-ecid-wtls3 */,\n 737 /* wap-wsg-idm-ecid-wtls4 */,\n 738 /* wap-wsg-idm-ecid-wtls5 */,\n 739 /* wap-wsg-idm-ecid-wtls6 */,\n 740 /* wap-wsg-idm-ecid-wtls7 */,\n 741 /* wap-wsg-idm-ecid-wtls8 */,\n 742 /* wap-wsg-idm-ecid-wtls9 */,\n 804 /* whirlpool */,\n 868 /* x121Address */,\n 503 /* x500UniqueIdentifier */,\n 158 /* x509Certificate */,\n 160 /* x509Crl */,\n 125 /* zlib compression */,\n};\n\nstatic const uint16_t kNIDsInOIDOrder[] = {\n 434 /* 0.9 (OBJ_data) */,\n 182 /* 1.2 (OBJ_member_body) */,\n 379 /* 1.3 (OBJ_org) */,\n 676 /* 1.3 (OBJ_identified_organization) */,\n 11 /* 2.5 (OBJ_X500) */,\n 647 /* 2.23 (OBJ_international_organizations) */,\n 380 /* 1.3.6 (OBJ_dod) */,\n 12 /* 2.5.4 (OBJ_X509) */,\n 378 /* 2.5.8 (OBJ_X500algorithms) */,\n 81 /* 2.5.29 (OBJ_id_ce) */,\n 512 /* 2.23.42 (OBJ_id_set) */,\n 678 /* 2.23.43 (OBJ_wap) */,\n 435 /* 0.9.2342 (OBJ_pss) */,\n 183 /* 1.2.840 (OBJ_ISO_US) */,\n 381 /* 1.3.6.1 (OBJ_iana) */,\n 948 /* 1.3.101.110 (OBJ_X25519) */,\n 961 /* 1.3.101.111 (OBJ_X448) */,\n 949 /* 1.3.101.112 (OBJ_ED25519) */,\n 960 /* 1.3.101.113 (OBJ_ED448) */,\n 677 /* 1.3.132 (OBJ_certicom_arc) */,\n 394 /* 2.5.1.5 (OBJ_selected_attribute_types) */,\n 13 /* 2.5.4.3 (OBJ_commonName) */,\n 100 /* 2.5.4.4 (OBJ_surname) */,\n 105 /* 2.5.4.5 (OBJ_serialNumber) */,\n 14 /* 2.5.4.6 (OBJ_countryName) */,\n 15 /* 2.5.4.7 (OBJ_localityName) */,\n 16 /* 2.5.4.8 (OBJ_stateOrProvinceName) */,\n 660 /* 2.5.4.9 (OBJ_streetAddress) */,\n 17 /* 2.5.4.10 (OBJ_organizationName) */,\n 18 /* 2.5.4.11 (OBJ_organizationalUnitName) */,\n 106 /* 2.5.4.12 (OBJ_title) */,\n 107 /* 2.5.4.13 (OBJ_description) */,\n 859 /* 2.5.4.14 (OBJ_searchGuide) */,\n 860 /* 2.5.4.15 (OBJ_businessCategory) */,\n 861 /* 2.5.4.16 (OBJ_postalAddress) */,\n 661 /* 2.5.4.17 (OBJ_postalCode) */,\n 862 /* 2.5.4.18 (OBJ_postOfficeBox) */,\n 863 /* 2.5.4.19 (OBJ_physicalDeliveryOfficeName) */,\n 864 /* 2.5.4.20 (OBJ_telephoneNumber) */,\n 865 /* 2.5.4.21 (OBJ_telexNumber) */,\n 866 /* 2.5.4.22 (OBJ_teletexTerminalIdentifier) */,\n 867 /* 2.5.4.23 (OBJ_facsimileTelephoneNumber) */,\n 868 /* 2.5.4.24 (OBJ_x121Address) */,\n 869 /* 2.5.4.25 (OBJ_internationaliSDNNumber) */,\n 870 /* 2.5.4.26 (OBJ_registeredAddress) */,\n 871 /* 2.5.4.27 (OBJ_destinationIndicator) */,\n 872 /* 2.5.4.28 (OBJ_preferredDeliveryMethod) */,\n 873 /* 2.5.4.29 (OBJ_presentationAddress) */,\n 874 /* 2.5.4.30 (OBJ_supportedApplicationContext) */,\n 875 /* 2.5.4.31 (OBJ_member) */,\n 876 /* 2.5.4.32 (OBJ_owner) */,\n 877 /* 2.5.4.33 (OBJ_roleOccupant) */,\n 878 /* 2.5.4.34 (OBJ_seeAlso) */,\n 879 /* 2.5.4.35 (OBJ_userPassword) */,\n 880 /* 2.5.4.36 (OBJ_userCertificate) */,\n 881 /* 2.5.4.37 (OBJ_cACertificate) */,\n 882 /* 2.5.4.38 (OBJ_authorityRevocationList) */,\n 883 /* 2.5.4.39 (OBJ_certificateRevocationList) */,\n 884 /* 2.5.4.40 (OBJ_crossCertificatePair) */,\n 173 /* 2.5.4.41 (OBJ_name) */,\n 99 /* 2.5.4.42 (OBJ_givenName) */,\n 101 /* 2.5.4.43 (OBJ_initials) */,\n 509 /* 2.5.4.44 (OBJ_generationQualifier) */,\n 503 /* 2.5.4.45 (OBJ_x500UniqueIdentifier) */,\n 174 /* 2.5.4.46 (OBJ_dnQualifier) */,\n 885 /* 2.5.4.47 (OBJ_enhancedSearchGuide) */,\n 886 /* 2.5.4.48 (OBJ_protocolInformation) */,\n 887 /* 2.5.4.49 (OBJ_distinguishedName) */,\n 888 /* 2.5.4.50 (OBJ_uniqueMember) */,\n 889 /* 2.5.4.51 (OBJ_houseIdentifier) */,\n 890 /* 2.5.4.52 (OBJ_supportedAlgorithms) */,\n 891 /* 2.5.4.53 (OBJ_deltaRevocationList) */,\n 892 /* 2.5.4.54 (OBJ_dmdName) */,\n 510 /* 2.5.4.65 (OBJ_pseudonym) */,\n 400 /* 2.5.4.72 (OBJ_role) */,\n 769 /* 2.5.29.9 (OBJ_subject_directory_attributes) */,\n 82 /* 2.5.29.14 (OBJ_subject_key_identifier) */,\n 83 /* 2.5.29.15 (OBJ_key_usage) */,\n 84 /* 2.5.29.16 (OBJ_private_key_usage_period) */,\n 85 /* 2.5.29.17 (OBJ_subject_alt_name) */,\n 86 /* 2.5.29.18 (OBJ_issuer_alt_name) */,\n 87 /* 2.5.29.19 (OBJ_basic_constraints) */,\n 88 /* 2.5.29.20 (OBJ_crl_number) */,\n 141 /* 2.5.29.21 (OBJ_crl_reason) */,\n 430 /* 2.5.29.23 (OBJ_hold_instruction_code) */,\n 142 /* 2.5.29.24 (OBJ_invalidity_date) */,\n 140 /* 2.5.29.27 (OBJ_delta_crl) */,\n 770 /* 2.5.29.28 (OBJ_issuing_distribution_point) */,\n 771 /* 2.5.29.29 (OBJ_certificate_issuer) */,\n 666 /* 2.5.29.30 (OBJ_name_constraints) */,\n 103 /* 2.5.29.31 (OBJ_crl_distribution_points) */,\n 89 /* 2.5.29.32 (OBJ_certificate_policies) */,\n 747 /* 2.5.29.33 (OBJ_policy_mappings) */,\n 90 /* 2.5.29.35 (OBJ_authority_key_identifier) */,\n 401 /* 2.5.29.36 (OBJ_policy_constraints) */,\n 126 /* 2.5.29.37 (OBJ_ext_key_usage) */,\n 857 /* 2.5.29.46 (OBJ_freshest_crl) */,\n 748 /* 2.5.29.54 (OBJ_inhibit_any_policy) */,\n 402 /* 2.5.29.55 (OBJ_target_information) */,\n 403 /* 2.5.29.56 (OBJ_no_rev_avail) */,\n 513 /* 2.23.42.0 (OBJ_set_ctype) */,\n 514 /* 2.23.42.1 (OBJ_set_msgExt) */,\n 515 /* 2.23.42.3 (OBJ_set_attr) */,\n 516 /* 2.23.42.5 (OBJ_set_policy) */,\n 517 /* 2.23.42.7 (OBJ_set_certExt) */,\n 518 /* 2.23.42.8 (OBJ_set_brand) */,\n 679 /* 2.23.43.1 (OBJ_wap_wsg) */,\n 382 /* 1.3.6.1.1 (OBJ_Directory) */,\n 383 /* 1.3.6.1.2 (OBJ_Management) */,\n 384 /* 1.3.6.1.3 (OBJ_Experimental) */,\n 385 /* 1.3.6.1.4 (OBJ_Private) */,\n 386 /* 1.3.6.1.5 (OBJ_Security) */,\n 387 /* 1.3.6.1.6 (OBJ_SNMPv2) */,\n 388 /* 1.3.6.1.7 (OBJ_Mail) */,\n 376 /* 1.3.14.3.2 (OBJ_algorithm) */,\n 395 /* 2.5.1.5.55 (OBJ_clearance) */,\n 19 /* 2.5.8.1.1 (OBJ_rsa) */,\n 96 /* 2.5.8.3.100 (OBJ_mdc2WithRSA) */,\n 95 /* 2.5.8.3.101 (OBJ_mdc2) */,\n 746 /* 2.5.29.32.0 (OBJ_any_policy) */,\n 910 /* 2.5.29.37.0 (OBJ_anyExtendedKeyUsage) */,\n 519 /* 2.23.42.0.0 (OBJ_setct_PANData) */,\n 520 /* 2.23.42.0.1 (OBJ_setct_PANToken) */,\n 521 /* 2.23.42.0.2 (OBJ_setct_PANOnly) */,\n 522 /* 2.23.42.0.3 (OBJ_setct_OIData) */,\n 523 /* 2.23.42.0.4 (OBJ_setct_PI) */,\n 524 /* 2.23.42.0.5 (OBJ_setct_PIData) */,\n 525 /* 2.23.42.0.6 (OBJ_setct_PIDataUnsigned) */,\n 526 /* 2.23.42.0.7 (OBJ_setct_HODInput) */,\n 527 /* 2.23.42.0.8 (OBJ_setct_AuthResBaggage) */,\n 528 /* 2.23.42.0.9 (OBJ_setct_AuthRevReqBaggage) */,\n 529 /* 2.23.42.0.10 (OBJ_setct_AuthRevResBaggage) */,\n 530 /* 2.23.42.0.11 (OBJ_setct_CapTokenSeq) */,\n 531 /* 2.23.42.0.12 (OBJ_setct_PInitResData) */,\n 532 /* 2.23.42.0.13 (OBJ_setct_PI_TBS) */,\n 533 /* 2.23.42.0.14 (OBJ_setct_PResData) */,\n 534 /* 2.23.42.0.16 (OBJ_setct_AuthReqTBS) */,\n 535 /* 2.23.42.0.17 (OBJ_setct_AuthResTBS) */,\n 536 /* 2.23.42.0.18 (OBJ_setct_AuthResTBSX) */,\n 537 /* 2.23.42.0.19 (OBJ_setct_AuthTokenTBS) */,\n 538 /* 2.23.42.0.20 (OBJ_setct_CapTokenData) */,\n 539 /* 2.23.42.0.21 (OBJ_setct_CapTokenTBS) */,\n 540 /* 2.23.42.0.22 (OBJ_setct_AcqCardCodeMsg) */,\n 541 /* 2.23.42.0.23 (OBJ_setct_AuthRevReqTBS) */,\n 542 /* 2.23.42.0.24 (OBJ_setct_AuthRevResData) */,\n 543 /* 2.23.42.0.25 (OBJ_setct_AuthRevResTBS) */,\n 544 /* 2.23.42.0.26 (OBJ_setct_CapReqTBS) */,\n 545 /* 2.23.42.0.27 (OBJ_setct_CapReqTBSX) */,\n 546 /* 2.23.42.0.28 (OBJ_setct_CapResData) */,\n 547 /* 2.23.42.0.29 (OBJ_setct_CapRevReqTBS) */,\n 548 /* 2.23.42.0.30 (OBJ_setct_CapRevReqTBSX) */,\n 549 /* 2.23.42.0.31 (OBJ_setct_CapRevResData) */,\n 550 /* 2.23.42.0.32 (OBJ_setct_CredReqTBS) */,\n 551 /* 2.23.42.0.33 (OBJ_setct_CredReqTBSX) */,\n 552 /* 2.23.42.0.34 (OBJ_setct_CredResData) */,\n 553 /* 2.23.42.0.35 (OBJ_setct_CredRevReqTBS) */,\n 554 /* 2.23.42.0.36 (OBJ_setct_CredRevReqTBSX) */,\n 555 /* 2.23.42.0.37 (OBJ_setct_CredRevResData) */,\n 556 /* 2.23.42.0.38 (OBJ_setct_PCertReqData) */,\n 557 /* 2.23.42.0.39 (OBJ_setct_PCertResTBS) */,\n 558 /* 2.23.42.0.40 (OBJ_setct_BatchAdminReqData) */,\n 559 /* 2.23.42.0.41 (OBJ_setct_BatchAdminResData) */,\n 560 /* 2.23.42.0.42 (OBJ_setct_CardCInitResTBS) */,\n 561 /* 2.23.42.0.43 (OBJ_setct_MeAqCInitResTBS) */,\n 562 /* 2.23.42.0.44 (OBJ_setct_RegFormResTBS) */,\n 563 /* 2.23.42.0.45 (OBJ_setct_CertReqData) */,\n 564 /* 2.23.42.0.46 (OBJ_setct_CertReqTBS) */,\n 565 /* 2.23.42.0.47 (OBJ_setct_CertResData) */,\n 566 /* 2.23.42.0.48 (OBJ_setct_CertInqReqTBS) */,\n 567 /* 2.23.42.0.49 (OBJ_setct_ErrorTBS) */,\n 568 /* 2.23.42.0.50 (OBJ_setct_PIDualSignedTBE) */,\n 569 /* 2.23.42.0.51 (OBJ_setct_PIUnsignedTBE) */,\n 570 /* 2.23.42.0.52 (OBJ_setct_AuthReqTBE) */,\n 571 /* 2.23.42.0.53 (OBJ_setct_AuthResTBE) */,\n 572 /* 2.23.42.0.54 (OBJ_setct_AuthResTBEX) */,\n 573 /* 2.23.42.0.55 (OBJ_setct_AuthTokenTBE) */,\n 574 /* 2.23.42.0.56 (OBJ_setct_CapTokenTBE) */,\n 575 /* 2.23.42.0.57 (OBJ_setct_CapTokenTBEX) */,\n 576 /* 2.23.42.0.58 (OBJ_setct_AcqCardCodeMsgTBE) */,\n 577 /* 2.23.42.0.59 (OBJ_setct_AuthRevReqTBE) */,\n 578 /* 2.23.42.0.60 (OBJ_setct_AuthRevResTBE) */,\n 579 /* 2.23.42.0.61 (OBJ_setct_AuthRevResTBEB) */,\n 580 /* 2.23.42.0.62 (OBJ_setct_CapReqTBE) */,\n 581 /* 2.23.42.0.63 (OBJ_setct_CapReqTBEX) */,\n 582 /* 2.23.42.0.64 (OBJ_setct_CapResTBE) */,\n 583 /* 2.23.42.0.65 (OBJ_setct_CapRevReqTBE) */,\n 584 /* 2.23.42.0.66 (OBJ_setct_CapRevReqTBEX) */,\n 585 /* 2.23.42.0.67 (OBJ_setct_CapRevResTBE) */,\n 586 /* 2.23.42.0.68 (OBJ_setct_CredReqTBE) */,\n 587 /* 2.23.42.0.69 (OBJ_setct_CredReqTBEX) */,\n 588 /* 2.23.42.0.70 (OBJ_setct_CredResTBE) */,\n 589 /* 2.23.42.0.71 (OBJ_setct_CredRevReqTBE) */,\n 590 /* 2.23.42.0.72 (OBJ_setct_CredRevReqTBEX) */,\n 591 /* 2.23.42.0.73 (OBJ_setct_CredRevResTBE) */,\n 592 /* 2.23.42.0.74 (OBJ_setct_BatchAdminReqTBE) */,\n 593 /* 2.23.42.0.75 (OBJ_setct_BatchAdminResTBE) */,\n 594 /* 2.23.42.0.76 (OBJ_setct_RegFormReqTBE) */,\n 595 /* 2.23.42.0.77 (OBJ_setct_CertReqTBE) */,\n 596 /* 2.23.42.0.78 (OBJ_setct_CertReqTBEX) */,\n 597 /* 2.23.42.0.79 (OBJ_setct_CertResTBE) */,\n 598 /* 2.23.42.0.80 (OBJ_setct_CRLNotificationTBS) */,\n 599 /* 2.23.42.0.81 (OBJ_setct_CRLNotificationResTBS) */,\n 600 /* 2.23.42.0.82 (OBJ_setct_BCIDistributionTBS) */,\n 601 /* 2.23.42.1.1 (OBJ_setext_genCrypt) */,\n 602 /* 2.23.42.1.3 (OBJ_setext_miAuth) */,\n 603 /* 2.23.42.1.4 (OBJ_setext_pinSecure) */,\n 604 /* 2.23.42.1.5 (OBJ_setext_pinAny) */,\n 605 /* 2.23.42.1.7 (OBJ_setext_track2) */,\n 606 /* 2.23.42.1.8 (OBJ_setext_cv) */,\n 620 /* 2.23.42.3.0 (OBJ_setAttr_Cert) */,\n 621 /* 2.23.42.3.1 (OBJ_setAttr_PGWYcap) */,\n 622 /* 2.23.42.3.2 (OBJ_setAttr_TokenType) */,\n 623 /* 2.23.42.3.3 (OBJ_setAttr_IssCap) */,\n 607 /* 2.23.42.5.0 (OBJ_set_policy_root) */,\n 608 /* 2.23.42.7.0 (OBJ_setCext_hashedRoot) */,\n 609 /* 2.23.42.7.1 (OBJ_setCext_certType) */,\n 610 /* 2.23.42.7.2 (OBJ_setCext_merchData) */,\n 611 /* 2.23.42.7.3 (OBJ_setCext_cCertRequired) */,\n 612 /* 2.23.42.7.4 (OBJ_setCext_tunneling) */,\n 613 /* 2.23.42.7.5 (OBJ_setCext_setExt) */,\n 614 /* 2.23.42.7.6 (OBJ_setCext_setQualf) */,\n 615 /* 2.23.42.7.7 (OBJ_setCext_PGWYcapabilities) */,\n 616 /* 2.23.42.7.8 (OBJ_setCext_TokenIdentifier) */,\n 617 /* 2.23.42.7.9 (OBJ_setCext_Track2Data) */,\n 618 /* 2.23.42.7.10 (OBJ_setCext_TokenType) */,\n 619 /* 2.23.42.7.11 (OBJ_setCext_IssuerCapabilities) */,\n 636 /* 2.23.42.8.1 (OBJ_set_brand_IATA_ATA) */,\n 640 /* 2.23.42.8.4 (OBJ_set_brand_Visa) */,\n 641 /* 2.23.42.8.5 (OBJ_set_brand_MasterCard) */,\n 637 /* 2.23.42.8.30 (OBJ_set_brand_Diners) */,\n 638 /* 2.23.42.8.34 (OBJ_set_brand_AmericanExpress) */,\n 639 /* 2.23.42.8.35 (OBJ_set_brand_JCB) */,\n 805 /* 1.2.643.2.2 (OBJ_cryptopro) */,\n 806 /* 1.2.643.2.9 (OBJ_cryptocom) */,\n 184 /* 1.2.840.10040 (OBJ_X9_57) */,\n 405 /* 1.2.840.10045 (OBJ_ansi_X9_62) */,\n 389 /* 1.3.6.1.4.1 (OBJ_Enterprises) */,\n 504 /* 1.3.6.1.7.1 (OBJ_mime_mhs) */,\n 104 /* 1.3.14.3.2.3 (OBJ_md5WithRSA) */,\n 29 /* 1.3.14.3.2.6 (OBJ_des_ecb) */,\n 31 /* 1.3.14.3.2.7 (OBJ_des_cbc) */,\n 45 /* 1.3.14.3.2.8 (OBJ_des_ofb64) */,\n 30 /* 1.3.14.3.2.9 (OBJ_des_cfb64) */,\n 377 /* 1.3.14.3.2.11 (OBJ_rsaSignature) */,\n 67 /* 1.3.14.3.2.12 (OBJ_dsa_2) */,\n 66 /* 1.3.14.3.2.13 (OBJ_dsaWithSHA) */,\n 42 /* 1.3.14.3.2.15 (OBJ_shaWithRSAEncryption) */,\n 32 /* 1.3.14.3.2.17 (OBJ_des_ede_ecb) */,\n 41 /* 1.3.14.3.2.18 (OBJ_sha) */,\n 64 /* 1.3.14.3.2.26 (OBJ_sha1) */,\n 70 /* 1.3.14.3.2.27 (OBJ_dsaWithSHA1_2) */,\n 115 /* 1.3.14.3.2.29 (OBJ_sha1WithRSA) */,\n 117 /* 1.3.36.3.2.1 (OBJ_ripemd160) */,\n 143 /* 1.3.101.1.4.1 (OBJ_sxnet) */,\n 721 /* 1.3.132.0.1 (OBJ_sect163k1) */,\n 722 /* 1.3.132.0.2 (OBJ_sect163r1) */,\n 728 /* 1.3.132.0.3 (OBJ_sect239k1) */,\n 717 /* 1.3.132.0.4 (OBJ_sect113r1) */,\n 718 /* 1.3.132.0.5 (OBJ_sect113r2) */,\n 704 /* 1.3.132.0.6 (OBJ_secp112r1) */,\n 705 /* 1.3.132.0.7 (OBJ_secp112r2) */,\n 709 /* 1.3.132.0.8 (OBJ_secp160r1) */,\n 708 /* 1.3.132.0.9 (OBJ_secp160k1) */,\n 714 /* 1.3.132.0.10 (OBJ_secp256k1) */,\n 723 /* 1.3.132.0.15 (OBJ_sect163r2) */,\n 729 /* 1.3.132.0.16 (OBJ_sect283k1) */,\n 730 /* 1.3.132.0.17 (OBJ_sect283r1) */,\n 719 /* 1.3.132.0.22 (OBJ_sect131r1) */,\n 720 /* 1.3.132.0.23 (OBJ_sect131r2) */,\n 724 /* 1.3.132.0.24 (OBJ_sect193r1) */,\n 725 /* 1.3.132.0.25 (OBJ_sect193r2) */,\n 726 /* 1.3.132.0.26 (OBJ_sect233k1) */,\n 727 /* 1.3.132.0.27 (OBJ_sect233r1) */,\n 706 /* 1.3.132.0.28 (OBJ_secp128r1) */,\n 707 /* 1.3.132.0.29 (OBJ_secp128r2) */,\n 710 /* 1.3.132.0.30 (OBJ_secp160r2) */,\n 711 /* 1.3.132.0.31 (OBJ_secp192k1) */,\n 712 /* 1.3.132.0.32 (OBJ_secp224k1) */,\n 713 /* 1.3.132.0.33 (OBJ_secp224r1) */,\n 715 /* 1.3.132.0.34 (OBJ_secp384r1) */,\n 716 /* 1.3.132.0.35 (OBJ_secp521r1) */,\n 731 /* 1.3.132.0.36 (OBJ_sect409k1) */,\n 732 /* 1.3.132.0.37 (OBJ_sect409r1) */,\n 733 /* 1.3.132.0.38 (OBJ_sect571k1) */,\n 734 /* 1.3.132.0.39 (OBJ_sect571r1) */,\n 624 /* 2.23.42.3.0.0 (OBJ_set_rootKeyThumb) */,\n 625 /* 2.23.42.3.0.1 (OBJ_set_addPolicy) */,\n 626 /* 2.23.42.3.2.1 (OBJ_setAttr_Token_EMV) */,\n 627 /* 2.23.42.3.2.2 (OBJ_setAttr_Token_B0Prime) */,\n 628 /* 2.23.42.3.3.3 (OBJ_setAttr_IssCap_CVM) */,\n 629 /* 2.23.42.3.3.4 (OBJ_setAttr_IssCap_T2) */,\n 630 /* 2.23.42.3.3.5 (OBJ_setAttr_IssCap_Sig) */,\n 642 /* 2.23.42.8.6011 (OBJ_set_brand_Novus) */,\n 735 /* 2.23.43.1.4.1 (OBJ_wap_wsg_idm_ecid_wtls1) */,\n 736 /* 2.23.43.1.4.3 (OBJ_wap_wsg_idm_ecid_wtls3) */,\n 737 /* 2.23.43.1.4.4 (OBJ_wap_wsg_idm_ecid_wtls4) */,\n 738 /* 2.23.43.1.4.5 (OBJ_wap_wsg_idm_ecid_wtls5) */,\n 739 /* 2.23.43.1.4.6 (OBJ_wap_wsg_idm_ecid_wtls6) */,\n 740 /* 2.23.43.1.4.7 (OBJ_wap_wsg_idm_ecid_wtls7) */,\n 741 /* 2.23.43.1.4.8 (OBJ_wap_wsg_idm_ecid_wtls8) */,\n 742 /* 2.23.43.1.4.9 (OBJ_wap_wsg_idm_ecid_wtls9) */,\n 743 /* 2.23.43.1.4.10 (OBJ_wap_wsg_idm_ecid_wtls10) */,\n 744 /* 2.23.43.1.4.11 (OBJ_wap_wsg_idm_ecid_wtls11) */,\n 745 /* 2.23.43.1.4.12 (OBJ_wap_wsg_idm_ecid_wtls12) */,\n 804 /* 1.0.10118.3.0.55 (OBJ_whirlpool) */,\n 773 /* 1.2.410.200004 (OBJ_kisa) */,\n 807 /* 1.2.643.2.2.3 (OBJ_id_GostR3411_94_with_GostR3410_2001) */,\n 808 /* 1.2.643.2.2.4 (OBJ_id_GostR3411_94_with_GostR3410_94) */,\n 809 /* 1.2.643.2.2.9 (OBJ_id_GostR3411_94) */,\n 810 /* 1.2.643.2.2.10 (OBJ_id_HMACGostR3411_94) */,\n 811 /* 1.2.643.2.2.19 (OBJ_id_GostR3410_2001) */,\n 812 /* 1.2.643.2.2.20 (OBJ_id_GostR3410_94) */,\n 813 /* 1.2.643.2.2.21 (OBJ_id_Gost28147_89) */,\n 815 /* 1.2.643.2.2.22 (OBJ_id_Gost28147_89_MAC) */,\n 816 /* 1.2.643.2.2.23 (OBJ_id_GostR3411_94_prf) */,\n 817 /* 1.2.643.2.2.98 (OBJ_id_GostR3410_2001DH) */,\n 818 /* 1.2.643.2.2.99 (OBJ_id_GostR3410_94DH) */,\n 1 /* 1.2.840.113549 (OBJ_rsadsi) */,\n 185 /* 1.2.840.10040.4 (OBJ_X9cm) */,\n 127 /* 1.3.6.1.5.5.7 (OBJ_id_pkix) */,\n 505 /* 1.3.6.1.7.1.1 (OBJ_mime_mhs_headings) */,\n 506 /* 1.3.6.1.7.1.2 (OBJ_mime_mhs_bodies) */,\n 119 /* 1.3.36.3.3.1.2 (OBJ_ripemd160WithRSA) */,\n 937 /* 1.3.132.1.11.0 (OBJ_dhSinglePass_stdDH_sha224kdf_scheme) */,\n 938 /* 1.3.132.1.11.1 (OBJ_dhSinglePass_stdDH_sha256kdf_scheme) */,\n 939 /* 1.3.132.1.11.2 (OBJ_dhSinglePass_stdDH_sha384kdf_scheme) */,\n 940 /* 1.3.132.1.11.3 (OBJ_dhSinglePass_stdDH_sha512kdf_scheme) */,\n 942 /* 1.3.132.1.14.0 (OBJ_dhSinglePass_cofactorDH_sha224kdf_scheme) */,\n 943 /* 1.3.132.1.14.1 (OBJ_dhSinglePass_cofactorDH_sha256kdf_scheme) */,\n 944 /* 1.3.132.1.14.2 (OBJ_dhSinglePass_cofactorDH_sha384kdf_scheme) */,\n 945 /* 1.3.132.1.14.3 (OBJ_dhSinglePass_cofactorDH_sha512kdf_scheme) */,\n 631 /* 2.23.42.3.3.3.1 (OBJ_setAttr_GenCryptgrm) */,\n 632 /* 2.23.42.3.3.4.1 (OBJ_setAttr_T2Enc) */,\n 633 /* 2.23.42.3.3.4.2 (OBJ_setAttr_T2cleartxt) */,\n 634 /* 2.23.42.3.3.5.1 (OBJ_setAttr_TokICCsig) */,\n 635 /* 2.23.42.3.3.5.2 (OBJ_setAttr_SecDevSig) */,\n 436 /* 0.9.2342.19200300 (OBJ_ucl) */,\n 820 /* 1.2.643.2.2.14.0 (OBJ_id_Gost28147_89_None_KeyMeshing) */,\n 819 /* 1.2.643.2.2.14.1 (OBJ_id_Gost28147_89_CryptoPro_KeyMeshing) */,\n 845 /* 1.2.643.2.2.20.1 (OBJ_id_GostR3410_94_a) */,\n 846 /* 1.2.643.2.2.20.2 (OBJ_id_GostR3410_94_aBis) */,\n 847 /* 1.2.643.2.2.20.3 (OBJ_id_GostR3410_94_b) */,\n 848 /* 1.2.643.2.2.20.4 (OBJ_id_GostR3410_94_bBis) */,\n 821 /* 1.2.643.2.2.30.0 (OBJ_id_GostR3411_94_TestParamSet) */,\n 822 /* 1.2.643.2.2.30.1 (OBJ_id_GostR3411_94_CryptoProParamSet) */,\n 823 /* 1.2.643.2.2.31.0 (OBJ_id_Gost28147_89_TestParamSet) */,\n 824 /* 1.2.643.2.2.31.1 (OBJ_id_Gost28147_89_CryptoPro_A_ParamSet) */,\n 825 /* 1.2.643.2.2.31.2 (OBJ_id_Gost28147_89_CryptoPro_B_ParamSet) */,\n 826 /* 1.2.643.2.2.31.3 (OBJ_id_Gost28147_89_CryptoPro_C_ParamSet) */,\n 827 /* 1.2.643.2.2.31.4 (OBJ_id_Gost28147_89_CryptoPro_D_ParamSet) */,\n 828 /* 1.2.643.2.2.31.5 (OBJ_id_Gost28147_89_CryptoPro_Oscar_1_1_ParamSet)\n */\n ,\n 829 /* 1.2.643.2.2.31.6 (OBJ_id_Gost28147_89_CryptoPro_Oscar_1_0_ParamSet)\n */\n ,\n 830 /* 1.2.643.2.2.31.7 (OBJ_id_Gost28147_89_CryptoPro_RIC_1_ParamSet) */,\n 831 /* 1.2.643.2.2.32.0 (OBJ_id_GostR3410_94_TestParamSet) */,\n 832 /* 1.2.643.2.2.32.2 (OBJ_id_GostR3410_94_CryptoPro_A_ParamSet) */,\n 833 /* 1.2.643.2.2.32.3 (OBJ_id_GostR3410_94_CryptoPro_B_ParamSet) */,\n 834 /* 1.2.643.2.2.32.4 (OBJ_id_GostR3410_94_CryptoPro_C_ParamSet) */,\n 835 /* 1.2.643.2.2.32.5 (OBJ_id_GostR3410_94_CryptoPro_D_ParamSet) */,\n 836 /* 1.2.643.2.2.33.1 (OBJ_id_GostR3410_94_CryptoPro_XchA_ParamSet) */,\n 837 /* 1.2.643.2.2.33.2 (OBJ_id_GostR3410_94_CryptoPro_XchB_ParamSet) */,\n 838 /* 1.2.643.2.2.33.3 (OBJ_id_GostR3410_94_CryptoPro_XchC_ParamSet) */,\n 839 /* 1.2.643.2.2.35.0 (OBJ_id_GostR3410_2001_TestParamSet) */,\n 840 /* 1.2.643.2.2.35.1 (OBJ_id_GostR3410_2001_CryptoPro_A_ParamSet) */,\n 841 /* 1.2.643.2.2.35.2 (OBJ_id_GostR3410_2001_CryptoPro_B_ParamSet) */,\n 842 /* 1.2.643.2.2.35.3 (OBJ_id_GostR3410_2001_CryptoPro_C_ParamSet) */,\n 843 /* 1.2.643.2.2.36.0 (OBJ_id_GostR3410_2001_CryptoPro_XchA_ParamSet) */,\n 844 /* 1.2.643.2.2.36.1 (OBJ_id_GostR3410_2001_CryptoPro_XchB_ParamSet) */,\n 2 /* 1.2.840.113549.1 (OBJ_pkcs) */,\n 431 /* 1.2.840.10040.2.1 (OBJ_hold_instruction_none) */,\n 432 /* 1.2.840.10040.2.2 (OBJ_hold_instruction_call_issuer) */,\n 433 /* 1.2.840.10040.2.3 (OBJ_hold_instruction_reject) */,\n 116 /* 1.2.840.10040.4.1 (OBJ_dsa) */,\n 113 /* 1.2.840.10040.4.3 (OBJ_dsaWithSHA1) */,\n 406 /* 1.2.840.10045.1.1 (OBJ_X9_62_prime_field) */,\n 407 /* 1.2.840.10045.1.2 (OBJ_X9_62_characteristic_two_field) */,\n 408 /* 1.2.840.10045.2.1 (OBJ_X9_62_id_ecPublicKey) */,\n 416 /* 1.2.840.10045.4.1 (OBJ_ecdsa_with_SHA1) */,\n 791 /* 1.2.840.10045.4.2 (OBJ_ecdsa_with_Recommended) */,\n 792 /* 1.2.840.10045.4.3 (OBJ_ecdsa_with_Specified) */,\n 920 /* 1.2.840.10046.2.1 (OBJ_dhpublicnumber) */,\n 258 /* 1.3.6.1.5.5.7.0 (OBJ_id_pkix_mod) */,\n 175 /* 1.3.6.1.5.5.7.1 (OBJ_id_pe) */,\n 259 /* 1.3.6.1.5.5.7.2 (OBJ_id_qt) */,\n 128 /* 1.3.6.1.5.5.7.3 (OBJ_id_kp) */,\n 260 /* 1.3.6.1.5.5.7.4 (OBJ_id_it) */,\n 261 /* 1.3.6.1.5.5.7.5 (OBJ_id_pkip) */,\n 262 /* 1.3.6.1.5.5.7.6 (OBJ_id_alg) */,\n 263 /* 1.3.6.1.5.5.7.7 (OBJ_id_cmc) */,\n 264 /* 1.3.6.1.5.5.7.8 (OBJ_id_on) */,\n 265 /* 1.3.6.1.5.5.7.9 (OBJ_id_pda) */,\n 266 /* 1.3.6.1.5.5.7.10 (OBJ_id_aca) */,\n 267 /* 1.3.6.1.5.5.7.11 (OBJ_id_qcs) */,\n 268 /* 1.3.6.1.5.5.7.12 (OBJ_id_cct) */,\n 662 /* 1.3.6.1.5.5.7.21 (OBJ_id_ppl) */,\n 176 /* 1.3.6.1.5.5.7.48 (OBJ_id_ad) */,\n 507 /* 1.3.6.1.7.1.1.1 (OBJ_id_hex_partial_message) */,\n 508 /* 1.3.6.1.7.1.1.2 (OBJ_id_hex_multipart_message) */,\n 57 /* 2.16.840.1.113730 (OBJ_netscape) */,\n 754 /* 0.3.4401.5.3.1.9.1 (OBJ_camellia_128_ecb) */,\n 766 /* 0.3.4401.5.3.1.9.3 (OBJ_camellia_128_ofb128) */,\n 757 /* 0.3.4401.5.3.1.9.4 (OBJ_camellia_128_cfb128) */,\n 755 /* 0.3.4401.5.3.1.9.21 (OBJ_camellia_192_ecb) */,\n 767 /* 0.3.4401.5.3.1.9.23 (OBJ_camellia_192_ofb128) */,\n 758 /* 0.3.4401.5.3.1.9.24 (OBJ_camellia_192_cfb128) */,\n 756 /* 0.3.4401.5.3.1.9.41 (OBJ_camellia_256_ecb) */,\n 768 /* 0.3.4401.5.3.1.9.43 (OBJ_camellia_256_ofb128) */,\n 759 /* 0.3.4401.5.3.1.9.44 (OBJ_camellia_256_cfb128) */,\n 437 /* 0.9.2342.19200300.100 (OBJ_pilot) */,\n 776 /* 1.2.410.200004.1.3 (OBJ_seed_ecb) */,\n 777 /* 1.2.410.200004.1.4 (OBJ_seed_cbc) */,\n 779 /* 1.2.410.200004.1.5 (OBJ_seed_cfb128) */,\n 778 /* 1.2.410.200004.1.6 (OBJ_seed_ofb128) */,\n 852 /* 1.2.643.2.9.1.3.3 (OBJ_id_GostR3411_94_with_GostR3410_94_cc) */,\n 853 /* 1.2.643.2.9.1.3.4 (OBJ_id_GostR3411_94_with_GostR3410_2001_cc) */,\n 850 /* 1.2.643.2.9.1.5.3 (OBJ_id_GostR3410_94_cc) */,\n 851 /* 1.2.643.2.9.1.5.4 (OBJ_id_GostR3410_2001_cc) */,\n 849 /* 1.2.643.2.9.1.6.1 (OBJ_id_Gost28147_89_cc) */,\n 854 /* 1.2.643.2.9.1.8.1 (OBJ_id_GostR3410_2001_ParamSet_cc) */,\n 186 /* 1.2.840.113549.1.1 (OBJ_pkcs1) */,\n 27 /* 1.2.840.113549.1.3 (OBJ_pkcs3) */,\n 187 /* 1.2.840.113549.1.5 (OBJ_pkcs5) */,\n 20 /* 1.2.840.113549.1.7 (OBJ_pkcs7) */,\n 47 /* 1.2.840.113549.1.9 (OBJ_pkcs9) */,\n 3 /* 1.2.840.113549.2.2 (OBJ_md2) */,\n 257 /* 1.2.840.113549.2.4 (OBJ_md4) */,\n 4 /* 1.2.840.113549.2.5 (OBJ_md5) */,\n 797 /* 1.2.840.113549.2.6 (OBJ_hmacWithMD5) */,\n 163 /* 1.2.840.113549.2.7 (OBJ_hmacWithSHA1) */,\n 798 /* 1.2.840.113549.2.8 (OBJ_hmacWithSHA224) */,\n 799 /* 1.2.840.113549.2.9 (OBJ_hmacWithSHA256) */,\n 800 /* 1.2.840.113549.2.10 (OBJ_hmacWithSHA384) */,\n 801 /* 1.2.840.113549.2.11 (OBJ_hmacWithSHA512) */,\n 37 /* 1.2.840.113549.3.2 (OBJ_rc2_cbc) */,\n 5 /* 1.2.840.113549.3.4 (OBJ_rc4) */,\n 44 /* 1.2.840.113549.3.7 (OBJ_des_ede3_cbc) */,\n 120 /* 1.2.840.113549.3.8 (OBJ_rc5_cbc) */,\n 643 /* 1.2.840.113549.3.10 (OBJ_des_cdmf) */,\n 680 /* 1.2.840.10045.1.2.3 (OBJ_X9_62_id_characteristic_two_basis) */,\n 684 /* 1.2.840.10045.3.0.1 (OBJ_X9_62_c2pnb163v1) */,\n 685 /* 1.2.840.10045.3.0.2 (OBJ_X9_62_c2pnb163v2) */,\n 686 /* 1.2.840.10045.3.0.3 (OBJ_X9_62_c2pnb163v3) */,\n 687 /* 1.2.840.10045.3.0.4 (OBJ_X9_62_c2pnb176v1) */,\n 688 /* 1.2.840.10045.3.0.5 (OBJ_X9_62_c2tnb191v1) */,\n 689 /* 1.2.840.10045.3.0.6 (OBJ_X9_62_c2tnb191v2) */,\n 690 /* 1.2.840.10045.3.0.7 (OBJ_X9_62_c2tnb191v3) */,\n 691 /* 1.2.840.10045.3.0.8 (OBJ_X9_62_c2onb191v4) */,\n 692 /* 1.2.840.10045.3.0.9 (OBJ_X9_62_c2onb191v5) */,\n 693 /* 1.2.840.10045.3.0.10 (OBJ_X9_62_c2pnb208w1) */,\n 694 /* 1.2.840.10045.3.0.11 (OBJ_X9_62_c2tnb239v1) */,\n 695 /* 1.2.840.10045.3.0.12 (OBJ_X9_62_c2tnb239v2) */,\n 696 /* 1.2.840.10045.3.0.13 (OBJ_X9_62_c2tnb239v3) */,\n 697 /* 1.2.840.10045.3.0.14 (OBJ_X9_62_c2onb239v4) */,\n 698 /* 1.2.840.10045.3.0.15 (OBJ_X9_62_c2onb239v5) */,\n 699 /* 1.2.840.10045.3.0.16 (OBJ_X9_62_c2pnb272w1) */,\n 700 /* 1.2.840.10045.3.0.17 (OBJ_X9_62_c2pnb304w1) */,\n 701 /* 1.2.840.10045.3.0.18 (OBJ_X9_62_c2tnb359v1) */,\n 702 /* 1.2.840.10045.3.0.19 (OBJ_X9_62_c2pnb368w1) */,\n 703 /* 1.2.840.10045.3.0.20 (OBJ_X9_62_c2tnb431r1) */,\n 409 /* 1.2.840.10045.3.1.1 (OBJ_X9_62_prime192v1) */,\n 410 /* 1.2.840.10045.3.1.2 (OBJ_X9_62_prime192v2) */,\n 411 /* 1.2.840.10045.3.1.3 (OBJ_X9_62_prime192v3) */,\n 412 /* 1.2.840.10045.3.1.4 (OBJ_X9_62_prime239v1) */,\n 413 /* 1.2.840.10045.3.1.5 (OBJ_X9_62_prime239v2) */,\n 414 /* 1.2.840.10045.3.1.6 (OBJ_X9_62_prime239v3) */,\n 415 /* 1.2.840.10045.3.1.7 (OBJ_X9_62_prime256v1) */,\n 793 /* 1.2.840.10045.4.3.1 (OBJ_ecdsa_with_SHA224) */,\n 794 /* 1.2.840.10045.4.3.2 (OBJ_ecdsa_with_SHA256) */,\n 795 /* 1.2.840.10045.4.3.3 (OBJ_ecdsa_with_SHA384) */,\n 796 /* 1.2.840.10045.4.3.4 (OBJ_ecdsa_with_SHA512) */,\n 269 /* 1.3.6.1.5.5.7.0.1 (OBJ_id_pkix1_explicit_88) */,\n 270 /* 1.3.6.1.5.5.7.0.2 (OBJ_id_pkix1_implicit_88) */,\n 271 /* 1.3.6.1.5.5.7.0.3 (OBJ_id_pkix1_explicit_93) */,\n 272 /* 1.3.6.1.5.5.7.0.4 (OBJ_id_pkix1_implicit_93) */,\n 273 /* 1.3.6.1.5.5.7.0.5 (OBJ_id_mod_crmf) */,\n 274 /* 1.3.6.1.5.5.7.0.6 (OBJ_id_mod_cmc) */,\n 275 /* 1.3.6.1.5.5.7.0.7 (OBJ_id_mod_kea_profile_88) */,\n 276 /* 1.3.6.1.5.5.7.0.8 (OBJ_id_mod_kea_profile_93) */,\n 277 /* 1.3.6.1.5.5.7.0.9 (OBJ_id_mod_cmp) */,\n 278 /* 1.3.6.1.5.5.7.0.10 (OBJ_id_mod_qualified_cert_88) */,\n 279 /* 1.3.6.1.5.5.7.0.11 (OBJ_id_mod_qualified_cert_93) */,\n 280 /* 1.3.6.1.5.5.7.0.12 (OBJ_id_mod_attribute_cert) */,\n 281 /* 1.3.6.1.5.5.7.0.13 (OBJ_id_mod_timestamp_protocol) */,\n 282 /* 1.3.6.1.5.5.7.0.14 (OBJ_id_mod_ocsp) */,\n 283 /* 1.3.6.1.5.5.7.0.15 (OBJ_id_mod_dvcs) */,\n 284 /* 1.3.6.1.5.5.7.0.16 (OBJ_id_mod_cmp2000) */,\n 177 /* 1.3.6.1.5.5.7.1.1 (OBJ_info_access) */,\n 285 /* 1.3.6.1.5.5.7.1.2 (OBJ_biometricInfo) */,\n 286 /* 1.3.6.1.5.5.7.1.3 (OBJ_qcStatements) */,\n 287 /* 1.3.6.1.5.5.7.1.4 (OBJ_ac_auditEntity) */,\n 288 /* 1.3.6.1.5.5.7.1.5 (OBJ_ac_targeting) */,\n 289 /* 1.3.6.1.5.5.7.1.6 (OBJ_aaControls) */,\n 290 /* 1.3.6.1.5.5.7.1.7 (OBJ_sbgp_ipAddrBlock) */,\n 291 /* 1.3.6.1.5.5.7.1.8 (OBJ_sbgp_autonomousSysNum) */,\n 292 /* 1.3.6.1.5.5.7.1.9 (OBJ_sbgp_routerIdentifier) */,\n 397 /* 1.3.6.1.5.5.7.1.10 (OBJ_ac_proxying) */,\n 398 /* 1.3.6.1.5.5.7.1.11 (OBJ_sinfo_access) */,\n 663 /* 1.3.6.1.5.5.7.1.14 (OBJ_proxyCertInfo) */,\n 164 /* 1.3.6.1.5.5.7.2.1 (OBJ_id_qt_cps) */,\n 165 /* 1.3.6.1.5.5.7.2.2 (OBJ_id_qt_unotice) */,\n 293 /* 1.3.6.1.5.5.7.2.3 (OBJ_textNotice) */,\n 129 /* 1.3.6.1.5.5.7.3.1 (OBJ_server_auth) */,\n 130 /* 1.3.6.1.5.5.7.3.2 (OBJ_client_auth) */,\n 131 /* 1.3.6.1.5.5.7.3.3 (OBJ_code_sign) */,\n 132 /* 1.3.6.1.5.5.7.3.4 (OBJ_email_protect) */,\n 294 /* 1.3.6.1.5.5.7.3.5 (OBJ_ipsecEndSystem) */,\n 295 /* 1.3.6.1.5.5.7.3.6 (OBJ_ipsecTunnel) */,\n 296 /* 1.3.6.1.5.5.7.3.7 (OBJ_ipsecUser) */,\n 133 /* 1.3.6.1.5.5.7.3.8 (OBJ_time_stamp) */,\n 180 /* 1.3.6.1.5.5.7.3.9 (OBJ_OCSP_sign) */,\n 297 /* 1.3.6.1.5.5.7.3.10 (OBJ_dvcs) */,\n 298 /* 1.3.6.1.5.5.7.4.1 (OBJ_id_it_caProtEncCert) */,\n 299 /* 1.3.6.1.5.5.7.4.2 (OBJ_id_it_signKeyPairTypes) */,\n 300 /* 1.3.6.1.5.5.7.4.3 (OBJ_id_it_encKeyPairTypes) */,\n 301 /* 1.3.6.1.5.5.7.4.4 (OBJ_id_it_preferredSymmAlg) */,\n 302 /* 1.3.6.1.5.5.7.4.5 (OBJ_id_it_caKeyUpdateInfo) */,\n 303 /* 1.3.6.1.5.5.7.4.6 (OBJ_id_it_currentCRL) */,\n 304 /* 1.3.6.1.5.5.7.4.7 (OBJ_id_it_unsupportedOIDs) */,\n 305 /* 1.3.6.1.5.5.7.4.8 (OBJ_id_it_subscriptionRequest) */,\n 306 /* 1.3.6.1.5.5.7.4.9 (OBJ_id_it_subscriptionResponse) */,\n 307 /* 1.3.6.1.5.5.7.4.10 (OBJ_id_it_keyPairParamReq) */,\n 308 /* 1.3.6.1.5.5.7.4.11 (OBJ_id_it_keyPairParamRep) */,\n 309 /* 1.3.6.1.5.5.7.4.12 (OBJ_id_it_revPassphrase) */,\n 310 /* 1.3.6.1.5.5.7.4.13 (OBJ_id_it_implicitConfirm) */,\n 311 /* 1.3.6.1.5.5.7.4.14 (OBJ_id_it_confirmWaitTime) */,\n 312 /* 1.3.6.1.5.5.7.4.15 (OBJ_id_it_origPKIMessage) */,\n 784 /* 1.3.6.1.5.5.7.4.16 (OBJ_id_it_suppLangTags) */,\n 313 /* 1.3.6.1.5.5.7.5.1 (OBJ_id_regCtrl) */,\n 314 /* 1.3.6.1.5.5.7.5.2 (OBJ_id_regInfo) */,\n 323 /* 1.3.6.1.5.5.7.6.1 (OBJ_id_alg_des40) */,\n 324 /* 1.3.6.1.5.5.7.6.2 (OBJ_id_alg_noSignature) */,\n 325 /* 1.3.6.1.5.5.7.6.3 (OBJ_id_alg_dh_sig_hmac_sha1) */,\n 326 /* 1.3.6.1.5.5.7.6.4 (OBJ_id_alg_dh_pop) */,\n 327 /* 1.3.6.1.5.5.7.7.1 (OBJ_id_cmc_statusInfo) */,\n 328 /* 1.3.6.1.5.5.7.7.2 (OBJ_id_cmc_identification) */,\n 329 /* 1.3.6.1.5.5.7.7.3 (OBJ_id_cmc_identityProof) */,\n 330 /* 1.3.6.1.5.5.7.7.4 (OBJ_id_cmc_dataReturn) */,\n 331 /* 1.3.6.1.5.5.7.7.5 (OBJ_id_cmc_transactionId) */,\n 332 /* 1.3.6.1.5.5.7.7.6 (OBJ_id_cmc_senderNonce) */,\n 333 /* 1.3.6.1.5.5.7.7.7 (OBJ_id_cmc_recipientNonce) */,\n 334 /* 1.3.6.1.5.5.7.7.8 (OBJ_id_cmc_addExtensions) */,\n 335 /* 1.3.6.1.5.5.7.7.9 (OBJ_id_cmc_encryptedPOP) */,\n 336 /* 1.3.6.1.5.5.7.7.10 (OBJ_id_cmc_decryptedPOP) */,\n 337 /* 1.3.6.1.5.5.7.7.11 (OBJ_id_cmc_lraPOPWitness) */,\n 338 /* 1.3.6.1.5.5.7.7.15 (OBJ_id_cmc_getCert) */,\n 339 /* 1.3.6.1.5.5.7.7.16 (OBJ_id_cmc_getCRL) */,\n 340 /* 1.3.6.1.5.5.7.7.17 (OBJ_id_cmc_revokeRequest) */,\n 341 /* 1.3.6.1.5.5.7.7.18 (OBJ_id_cmc_regInfo) */,\n 342 /* 1.3.6.1.5.5.7.7.19 (OBJ_id_cmc_responseInfo) */,\n 343 /* 1.3.6.1.5.5.7.7.21 (OBJ_id_cmc_queryPending) */,\n 344 /* 1.3.6.1.5.5.7.7.22 (OBJ_id_cmc_popLinkRandom) */,\n 345 /* 1.3.6.1.5.5.7.7.23 (OBJ_id_cmc_popLinkWitness) */,\n 346 /* 1.3.6.1.5.5.7.7.24 (OBJ_id_cmc_confirmCertAcceptance) */,\n 347 /* 1.3.6.1.5.5.7.8.1 (OBJ_id_on_personalData) */,\n 858 /* 1.3.6.1.5.5.7.8.3 (OBJ_id_on_permanentIdentifier) */,\n 348 /* 1.3.6.1.5.5.7.9.1 (OBJ_id_pda_dateOfBirth) */,\n 349 /* 1.3.6.1.5.5.7.9.2 (OBJ_id_pda_placeOfBirth) */,\n 351 /* 1.3.6.1.5.5.7.9.3 (OBJ_id_pda_gender) */,\n 352 /* 1.3.6.1.5.5.7.9.4 (OBJ_id_pda_countryOfCitizenship) */,\n 353 /* 1.3.6.1.5.5.7.9.5 (OBJ_id_pda_countryOfResidence) */,\n 354 /* 1.3.6.1.5.5.7.10.1 (OBJ_id_aca_authenticationInfo) */,\n 355 /* 1.3.6.1.5.5.7.10.2 (OBJ_id_aca_accessIdentity) */,\n 356 /* 1.3.6.1.5.5.7.10.3 (OBJ_id_aca_chargingIdentity) */,\n 357 /* 1.3.6.1.5.5.7.10.4 (OBJ_id_aca_group) */,\n 358 /* 1.3.6.1.5.5.7.10.5 (OBJ_id_aca_role) */,\n 399 /* 1.3.6.1.5.5.7.10.6 (OBJ_id_aca_encAttrs) */,\n 359 /* 1.3.6.1.5.5.7.11.1 (OBJ_id_qcs_pkixQCSyntax_v1) */,\n 360 /* 1.3.6.1.5.5.7.12.1 (OBJ_id_cct_crs) */,\n 361 /* 1.3.6.1.5.5.7.12.2 (OBJ_id_cct_PKIData) */,\n 362 /* 1.3.6.1.5.5.7.12.3 (OBJ_id_cct_PKIResponse) */,\n 664 /* 1.3.6.1.5.5.7.21.0 (OBJ_id_ppl_anyLanguage) */,\n 665 /* 1.3.6.1.5.5.7.21.1 (OBJ_id_ppl_inheritAll) */,\n 667 /* 1.3.6.1.5.5.7.21.2 (OBJ_Independent) */,\n 178 /* 1.3.6.1.5.5.7.48.1 (OBJ_ad_OCSP) */,\n 179 /* 1.3.6.1.5.5.7.48.2 (OBJ_ad_ca_issuers) */,\n 363 /* 1.3.6.1.5.5.7.48.3 (OBJ_ad_timeStamping) */,\n 364 /* 1.3.6.1.5.5.7.48.4 (OBJ_ad_dvcs) */,\n 785 /* 1.3.6.1.5.5.7.48.5 (OBJ_caRepository) */,\n 780 /* 1.3.6.1.5.5.8.1.1 (OBJ_hmac_md5) */,\n 781 /* 1.3.6.1.5.5.8.1.2 (OBJ_hmac_sha1) */,\n 58 /* 2.16.840.1.113730.1 (OBJ_netscape_cert_extension) */,\n 59 /* 2.16.840.1.113730.2 (OBJ_netscape_data_type) */,\n 438 /* 0.9.2342.19200300.100.1 (OBJ_pilotAttributeType) */,\n 439 /* 0.9.2342.19200300.100.3 (OBJ_pilotAttributeSyntax) */,\n 440 /* 0.9.2342.19200300.100.4 (OBJ_pilotObjectClass) */,\n 441 /* 0.9.2342.19200300.100.10 (OBJ_pilotGroups) */,\n 108 /* 1.2.840.113533.7.66.10 (OBJ_cast5_cbc) */,\n 112 /* 1.2.840.113533.7.66.12 (OBJ_pbeWithMD5AndCast5_CBC) */,\n 782 /* 1.2.840.113533.7.66.13 (OBJ_id_PasswordBasedMAC) */,\n 783 /* 1.2.840.113533.7.66.30 (OBJ_id_DHBasedMac) */,\n 6 /* 1.2.840.113549.1.1.1 (OBJ_rsaEncryption) */,\n 7 /* 1.2.840.113549.1.1.2 (OBJ_md2WithRSAEncryption) */,\n 396 /* 1.2.840.113549.1.1.3 (OBJ_md4WithRSAEncryption) */,\n 8 /* 1.2.840.113549.1.1.4 (OBJ_md5WithRSAEncryption) */,\n 65 /* 1.2.840.113549.1.1.5 (OBJ_sha1WithRSAEncryption) */,\n 644 /* 1.2.840.113549.1.1.6 (OBJ_rsaOAEPEncryptionSET) */,\n 919 /* 1.2.840.113549.1.1.7 (OBJ_rsaesOaep) */,\n 911 /* 1.2.840.113549.1.1.8 (OBJ_mgf1) */,\n 935 /* 1.2.840.113549.1.1.9 (OBJ_pSpecified) */,\n 912 /* 1.2.840.113549.1.1.10 (OBJ_rsassaPss) */,\n 668 /* 1.2.840.113549.1.1.11 (OBJ_sha256WithRSAEncryption) */,\n 669 /* 1.2.840.113549.1.1.12 (OBJ_sha384WithRSAEncryption) */,\n 670 /* 1.2.840.113549.1.1.13 (OBJ_sha512WithRSAEncryption) */,\n 671 /* 1.2.840.113549.1.1.14 (OBJ_sha224WithRSAEncryption) */,\n 28 /* 1.2.840.113549.1.3.1 (OBJ_dhKeyAgreement) */,\n 9 /* 1.2.840.113549.1.5.1 (OBJ_pbeWithMD2AndDES_CBC) */,\n 10 /* 1.2.840.113549.1.5.3 (OBJ_pbeWithMD5AndDES_CBC) */,\n 168 /* 1.2.840.113549.1.5.4 (OBJ_pbeWithMD2AndRC2_CBC) */,\n 169 /* 1.2.840.113549.1.5.6 (OBJ_pbeWithMD5AndRC2_CBC) */,\n 170 /* 1.2.840.113549.1.5.10 (OBJ_pbeWithSHA1AndDES_CBC) */,\n 68 /* 1.2.840.113549.1.5.11 (OBJ_pbeWithSHA1AndRC2_CBC) */,\n 69 /* 1.2.840.113549.1.5.12 (OBJ_id_pbkdf2) */,\n 161 /* 1.2.840.113549.1.5.13 (OBJ_pbes2) */,\n 162 /* 1.2.840.113549.1.5.14 (OBJ_pbmac1) */,\n 21 /* 1.2.840.113549.1.7.1 (OBJ_pkcs7_data) */,\n 22 /* 1.2.840.113549.1.7.2 (OBJ_pkcs7_signed) */,\n 23 /* 1.2.840.113549.1.7.3 (OBJ_pkcs7_enveloped) */,\n 24 /* 1.2.840.113549.1.7.4 (OBJ_pkcs7_signedAndEnveloped) */,\n 25 /* 1.2.840.113549.1.7.5 (OBJ_pkcs7_digest) */,\n 26 /* 1.2.840.113549.1.7.6 (OBJ_pkcs7_encrypted) */,\n 48 /* 1.2.840.113549.1.9.1 (OBJ_pkcs9_emailAddress) */,\n 49 /* 1.2.840.113549.1.9.2 (OBJ_pkcs9_unstructuredName) */,\n 50 /* 1.2.840.113549.1.9.3 (OBJ_pkcs9_contentType) */,\n 51 /* 1.2.840.113549.1.9.4 (OBJ_pkcs9_messageDigest) */,\n 52 /* 1.2.840.113549.1.9.5 (OBJ_pkcs9_signingTime) */,\n 53 /* 1.2.840.113549.1.9.6 (OBJ_pkcs9_countersignature) */,\n 54 /* 1.2.840.113549.1.9.7 (OBJ_pkcs9_challengePassword) */,\n 55 /* 1.2.840.113549.1.9.8 (OBJ_pkcs9_unstructuredAddress) */,\n 56 /* 1.2.840.113549.1.9.9 (OBJ_pkcs9_extCertAttributes) */,\n 172 /* 1.2.840.113549.1.9.14 (OBJ_ext_req) */,\n 167 /* 1.2.840.113549.1.9.15 (OBJ_SMIMECapabilities) */,\n 188 /* 1.2.840.113549.1.9.16 (OBJ_SMIME) */,\n 156 /* 1.2.840.113549.1.9.20 (OBJ_friendlyName) */,\n 157 /* 1.2.840.113549.1.9.21 (OBJ_localKeyID) */,\n 681 /* 1.2.840.10045.1.2.3.1 (OBJ_X9_62_onBasis) */,\n 682 /* 1.2.840.10045.1.2.3.2 (OBJ_X9_62_tpBasis) */,\n 683 /* 1.2.840.10045.1.2.3.3 (OBJ_X9_62_ppBasis) */,\n 417 /* 1.3.6.1.4.1.311.17.1 (OBJ_ms_csp_name) */,\n 856 /* 1.3.6.1.4.1.311.17.2 (OBJ_LocalKeySet) */,\n 390 /* 1.3.6.1.4.1.1466.344 (OBJ_dcObject) */,\n 91 /* 1.3.6.1.4.1.3029.1.2 (OBJ_bf_cbc) */,\n 315 /* 1.3.6.1.5.5.7.5.1.1 (OBJ_id_regCtrl_regToken) */,\n 316 /* 1.3.6.1.5.5.7.5.1.2 (OBJ_id_regCtrl_authenticator) */,\n 317 /* 1.3.6.1.5.5.7.5.1.3 (OBJ_id_regCtrl_pkiPublicationInfo) */,\n 318 /* 1.3.6.1.5.5.7.5.1.4 (OBJ_id_regCtrl_pkiArchiveOptions) */,\n 319 /* 1.3.6.1.5.5.7.5.1.5 (OBJ_id_regCtrl_oldCertID) */,\n 320 /* 1.3.6.1.5.5.7.5.1.6 (OBJ_id_regCtrl_protocolEncrKey) */,\n 321 /* 1.3.6.1.5.5.7.5.2.1 (OBJ_id_regInfo_utf8Pairs) */,\n 322 /* 1.3.6.1.5.5.7.5.2.2 (OBJ_id_regInfo_certReq) */,\n 365 /* 1.3.6.1.5.5.7.48.1.1 (OBJ_id_pkix_OCSP_basic) */,\n 366 /* 1.3.6.1.5.5.7.48.1.2 (OBJ_id_pkix_OCSP_Nonce) */,\n 367 /* 1.3.6.1.5.5.7.48.1.3 (OBJ_id_pkix_OCSP_CrlID) */,\n 368 /* 1.3.6.1.5.5.7.48.1.4 (OBJ_id_pkix_OCSP_acceptableResponses) */,\n 369 /* 1.3.6.1.5.5.7.48.1.5 (OBJ_id_pkix_OCSP_noCheck) */,\n 370 /* 1.3.6.1.5.5.7.48.1.6 (OBJ_id_pkix_OCSP_archiveCutoff) */,\n 371 /* 1.3.6.1.5.5.7.48.1.7 (OBJ_id_pkix_OCSP_serviceLocator) */,\n 372 /* 1.3.6.1.5.5.7.48.1.8 (OBJ_id_pkix_OCSP_extendedStatus) */,\n 373 /* 1.3.6.1.5.5.7.48.1.9 (OBJ_id_pkix_OCSP_valid) */,\n 374 /* 1.3.6.1.5.5.7.48.1.10 (OBJ_id_pkix_OCSP_path) */,\n 375 /* 1.3.6.1.5.5.7.48.1.11 (OBJ_id_pkix_OCSP_trustRoot) */,\n 921 /* 1.3.36.3.3.2.8.1.1.1 (OBJ_brainpoolP160r1) */,\n 922 /* 1.3.36.3.3.2.8.1.1.2 (OBJ_brainpoolP160t1) */,\n 923 /* 1.3.36.3.3.2.8.1.1.3 (OBJ_brainpoolP192r1) */,\n 924 /* 1.3.36.3.3.2.8.1.1.4 (OBJ_brainpoolP192t1) */,\n 925 /* 1.3.36.3.3.2.8.1.1.5 (OBJ_brainpoolP224r1) */,\n 926 /* 1.3.36.3.3.2.8.1.1.6 (OBJ_brainpoolP224t1) */,\n 927 /* 1.3.36.3.3.2.8.1.1.7 (OBJ_brainpoolP256r1) */,\n 928 /* 1.3.36.3.3.2.8.1.1.8 (OBJ_brainpoolP256t1) */,\n 929 /* 1.3.36.3.3.2.8.1.1.9 (OBJ_brainpoolP320r1) */,\n 930 /* 1.3.36.3.3.2.8.1.1.10 (OBJ_brainpoolP320t1) */,\n 931 /* 1.3.36.3.3.2.8.1.1.11 (OBJ_brainpoolP384r1) */,\n 932 /* 1.3.36.3.3.2.8.1.1.12 (OBJ_brainpoolP384t1) */,\n 933 /* 1.3.36.3.3.2.8.1.1.13 (OBJ_brainpoolP512r1) */,\n 934 /* 1.3.36.3.3.2.8.1.1.14 (OBJ_brainpoolP512t1) */,\n 936 /* 1.3.133.16.840.63.0.2 (OBJ_dhSinglePass_stdDH_sha1kdf_scheme) */,\n 941 /* 1.3.133.16.840.63.0.3 (OBJ_dhSinglePass_cofactorDH_sha1kdf_scheme) */\n ,\n 418 /* 2.16.840.1.101.3.4.1.1 (OBJ_aes_128_ecb) */,\n 419 /* 2.16.840.1.101.3.4.1.2 (OBJ_aes_128_cbc) */,\n 420 /* 2.16.840.1.101.3.4.1.3 (OBJ_aes_128_ofb128) */,\n 421 /* 2.16.840.1.101.3.4.1.4 (OBJ_aes_128_cfb128) */,\n 788 /* 2.16.840.1.101.3.4.1.5 (OBJ_id_aes128_wrap) */,\n 895 /* 2.16.840.1.101.3.4.1.6 (OBJ_aes_128_gcm) */,\n 896 /* 2.16.840.1.101.3.4.1.7 (OBJ_aes_128_ccm) */,\n 897 /* 2.16.840.1.101.3.4.1.8 (OBJ_id_aes128_wrap_pad) */,\n 422 /* 2.16.840.1.101.3.4.1.21 (OBJ_aes_192_ecb) */,\n 423 /* 2.16.840.1.101.3.4.1.22 (OBJ_aes_192_cbc) */,\n 424 /* 2.16.840.1.101.3.4.1.23 (OBJ_aes_192_ofb128) */,\n 425 /* 2.16.840.1.101.3.4.1.24 (OBJ_aes_192_cfb128) */,\n 789 /* 2.16.840.1.101.3.4.1.25 (OBJ_id_aes192_wrap) */,\n 898 /* 2.16.840.1.101.3.4.1.26 (OBJ_aes_192_gcm) */,\n 899 /* 2.16.840.1.101.3.4.1.27 (OBJ_aes_192_ccm) */,\n 900 /* 2.16.840.1.101.3.4.1.28 (OBJ_id_aes192_wrap_pad) */,\n 426 /* 2.16.840.1.101.3.4.1.41 (OBJ_aes_256_ecb) */,\n 427 /* 2.16.840.1.101.3.4.1.42 (OBJ_aes_256_cbc) */,\n 428 /* 2.16.840.1.101.3.4.1.43 (OBJ_aes_256_ofb128) */,\n 429 /* 2.16.840.1.101.3.4.1.44 (OBJ_aes_256_cfb128) */,\n 790 /* 2.16.840.1.101.3.4.1.45 (OBJ_id_aes256_wrap) */,\n 901 /* 2.16.840.1.101.3.4.1.46 (OBJ_aes_256_gcm) */,\n 902 /* 2.16.840.1.101.3.4.1.47 (OBJ_aes_256_ccm) */,\n 903 /* 2.16.840.1.101.3.4.1.48 (OBJ_id_aes256_wrap_pad) */,\n 672 /* 2.16.840.1.101.3.4.2.1 (OBJ_sha256) */,\n 673 /* 2.16.840.1.101.3.4.2.2 (OBJ_sha384) */,\n 674 /* 2.16.840.1.101.3.4.2.3 (OBJ_sha512) */,\n 675 /* 2.16.840.1.101.3.4.2.4 (OBJ_sha224) */,\n 962 /* 2.16.840.1.101.3.4.2.6 (OBJ_sha512_256) */,\n 802 /* 2.16.840.1.101.3.4.3.1 (OBJ_dsa_with_SHA224) */,\n 803 /* 2.16.840.1.101.3.4.3.2 (OBJ_dsa_with_SHA256) */,\n 71 /* 2.16.840.1.113730.1.1 (OBJ_netscape_cert_type) */,\n 72 /* 2.16.840.1.113730.1.2 (OBJ_netscape_base_url) */,\n 73 /* 2.16.840.1.113730.1.3 (OBJ_netscape_revocation_url) */,\n 74 /* 2.16.840.1.113730.1.4 (OBJ_netscape_ca_revocation_url) */,\n 75 /* 2.16.840.1.113730.1.7 (OBJ_netscape_renewal_url) */,\n 76 /* 2.16.840.1.113730.1.8 (OBJ_netscape_ca_policy_url) */,\n 77 /* 2.16.840.1.113730.1.12 (OBJ_netscape_ssl_server_name) */,\n 78 /* 2.16.840.1.113730.1.13 (OBJ_netscape_comment) */,\n 79 /* 2.16.840.1.113730.2.5 (OBJ_netscape_cert_sequence) */,\n 139 /* 2.16.840.1.113730.4.1 (OBJ_ns_sgc) */,\n 458 /* 0.9.2342.19200300.100.1.1 (OBJ_userId) */,\n 459 /* 0.9.2342.19200300.100.1.2 (OBJ_textEncodedORAddress) */,\n 460 /* 0.9.2342.19200300.100.1.3 (OBJ_rfc822Mailbox) */,\n 461 /* 0.9.2342.19200300.100.1.4 (OBJ_info) */,\n 462 /* 0.9.2342.19200300.100.1.5 (OBJ_favouriteDrink) */,\n 463 /* 0.9.2342.19200300.100.1.6 (OBJ_roomNumber) */,\n 464 /* 0.9.2342.19200300.100.1.7 (OBJ_photo) */,\n 465 /* 0.9.2342.19200300.100.1.8 (OBJ_userClass) */,\n 466 /* 0.9.2342.19200300.100.1.9 (OBJ_host) */,\n 467 /* 0.9.2342.19200300.100.1.10 (OBJ_manager) */,\n 468 /* 0.9.2342.19200300.100.1.11 (OBJ_documentIdentifier) */,\n 469 /* 0.9.2342.19200300.100.1.12 (OBJ_documentTitle) */,\n 470 /* 0.9.2342.19200300.100.1.13 (OBJ_documentVersion) */,\n 471 /* 0.9.2342.19200300.100.1.14 (OBJ_documentAuthor) */,\n 472 /* 0.9.2342.19200300.100.1.15 (OBJ_documentLocation) */,\n 473 /* 0.9.2342.19200300.100.1.20 (OBJ_homeTelephoneNumber) */,\n 474 /* 0.9.2342.19200300.100.1.21 (OBJ_secretary) */,\n 475 /* 0.9.2342.19200300.100.1.22 (OBJ_otherMailbox) */,\n 476 /* 0.9.2342.19200300.100.1.23 (OBJ_lastModifiedTime) */,\n 477 /* 0.9.2342.19200300.100.1.24 (OBJ_lastModifiedBy) */,\n 391 /* 0.9.2342.19200300.100.1.25 (OBJ_domainComponent) */,\n 478 /* 0.9.2342.19200300.100.1.26 (OBJ_aRecord) */,\n 479 /* 0.9.2342.19200300.100.1.27 (OBJ_pilotAttributeType27) */,\n 480 /* 0.9.2342.19200300.100.1.28 (OBJ_mXRecord) */,\n 481 /* 0.9.2342.19200300.100.1.29 (OBJ_nSRecord) */,\n 482 /* 0.9.2342.19200300.100.1.30 (OBJ_sOARecord) */,\n 483 /* 0.9.2342.19200300.100.1.31 (OBJ_cNAMERecord) */,\n 484 /* 0.9.2342.19200300.100.1.37 (OBJ_associatedDomain) */,\n 485 /* 0.9.2342.19200300.100.1.38 (OBJ_associatedName) */,\n 486 /* 0.9.2342.19200300.100.1.39 (OBJ_homePostalAddress) */,\n 487 /* 0.9.2342.19200300.100.1.40 (OBJ_personalTitle) */,\n 488 /* 0.9.2342.19200300.100.1.41 (OBJ_mobileTelephoneNumber) */,\n 489 /* 0.9.2342.19200300.100.1.42 (OBJ_pagerTelephoneNumber) */,\n 490 /* 0.9.2342.19200300.100.1.43 (OBJ_friendlyCountryName) */,\n 491 /* 0.9.2342.19200300.100.1.45 (OBJ_organizationalStatus) */,\n 492 /* 0.9.2342.19200300.100.1.46 (OBJ_janetMailbox) */,\n 493 /* 0.9.2342.19200300.100.1.47 (OBJ_mailPreferenceOption) */,\n 494 /* 0.9.2342.19200300.100.1.48 (OBJ_buildingName) */,\n 495 /* 0.9.2342.19200300.100.1.49 (OBJ_dSAQuality) */,\n 496 /* 0.9.2342.19200300.100.1.50 (OBJ_singleLevelQuality) */,\n 497 /* 0.9.2342.19200300.100.1.51 (OBJ_subtreeMinimumQuality) */,\n 498 /* 0.9.2342.19200300.100.1.52 (OBJ_subtreeMaximumQuality) */,\n 499 /* 0.9.2342.19200300.100.1.53 (OBJ_personalSignature) */,\n 500 /* 0.9.2342.19200300.100.1.54 (OBJ_dITRedirect) */,\n 501 /* 0.9.2342.19200300.100.1.55 (OBJ_audio) */,\n 502 /* 0.9.2342.19200300.100.1.56 (OBJ_documentPublisher) */,\n 442 /* 0.9.2342.19200300.100.3.4 (OBJ_iA5StringSyntax) */,\n 443 /* 0.9.2342.19200300.100.3.5 (OBJ_caseIgnoreIA5StringSyntax) */,\n 444 /* 0.9.2342.19200300.100.4.3 (OBJ_pilotObject) */,\n 445 /* 0.9.2342.19200300.100.4.4 (OBJ_pilotPerson) */,\n 446 /* 0.9.2342.19200300.100.4.5 (OBJ_account) */,\n 447 /* 0.9.2342.19200300.100.4.6 (OBJ_document) */,\n 448 /* 0.9.2342.19200300.100.4.7 (OBJ_room) */,\n 449 /* 0.9.2342.19200300.100.4.9 (OBJ_documentSeries) */,\n 392 /* 0.9.2342.19200300.100.4.13 (OBJ_Domain) */,\n 450 /* 0.9.2342.19200300.100.4.14 (OBJ_rFC822localPart) */,\n 451 /* 0.9.2342.19200300.100.4.15 (OBJ_dNSDomain) */,\n 452 /* 0.9.2342.19200300.100.4.17 (OBJ_domainRelatedObject) */,\n 453 /* 0.9.2342.19200300.100.4.18 (OBJ_friendlyCountry) */,\n 454 /* 0.9.2342.19200300.100.4.19 (OBJ_simpleSecurityObject) */,\n 455 /* 0.9.2342.19200300.100.4.20 (OBJ_pilotOrganization) */,\n 456 /* 0.9.2342.19200300.100.4.21 (OBJ_pilotDSA) */,\n 457 /* 0.9.2342.19200300.100.4.22 (OBJ_qualityLabelledData) */,\n 189 /* 1.2.840.113549.1.9.16.0 (OBJ_id_smime_mod) */,\n 190 /* 1.2.840.113549.1.9.16.1 (OBJ_id_smime_ct) */,\n 191 /* 1.2.840.113549.1.9.16.2 (OBJ_id_smime_aa) */,\n 192 /* 1.2.840.113549.1.9.16.3 (OBJ_id_smime_alg) */,\n 193 /* 1.2.840.113549.1.9.16.4 (OBJ_id_smime_cd) */,\n 194 /* 1.2.840.113549.1.9.16.5 (OBJ_id_smime_spq) */,\n 195 /* 1.2.840.113549.1.9.16.6 (OBJ_id_smime_cti) */,\n 158 /* 1.2.840.113549.1.9.22.1 (OBJ_x509Certificate) */,\n 159 /* 1.2.840.113549.1.9.22.2 (OBJ_sdsiCertificate) */,\n 160 /* 1.2.840.113549.1.9.23.1 (OBJ_x509Crl) */,\n 144 /* 1.2.840.113549.1.12.1.1 (OBJ_pbe_WithSHA1And128BitRC4) */,\n 145 /* 1.2.840.113549.1.12.1.2 (OBJ_pbe_WithSHA1And40BitRC4) */,\n 146 /* 1.2.840.113549.1.12.1.3 (OBJ_pbe_WithSHA1And3_Key_TripleDES_CBC) */,\n 147 /* 1.2.840.113549.1.12.1.4 (OBJ_pbe_WithSHA1And2_Key_TripleDES_CBC) */,\n 148 /* 1.2.840.113549.1.12.1.5 (OBJ_pbe_WithSHA1And128BitRC2_CBC) */,\n 149 /* 1.2.840.113549.1.12.1.6 (OBJ_pbe_WithSHA1And40BitRC2_CBC) */,\n 171 /* 1.3.6.1.4.1.311.2.1.14 (OBJ_ms_ext_req) */,\n 134 /* 1.3.6.1.4.1.311.2.1.21 (OBJ_ms_code_ind) */,\n 135 /* 1.3.6.1.4.1.311.2.1.22 (OBJ_ms_code_com) */,\n 136 /* 1.3.6.1.4.1.311.10.3.1 (OBJ_ms_ctl_sign) */,\n 137 /* 1.3.6.1.4.1.311.10.3.3 (OBJ_ms_sgc) */,\n 138 /* 1.3.6.1.4.1.311.10.3.4 (OBJ_ms_efs) */,\n 648 /* 1.3.6.1.4.1.311.20.2.2 (OBJ_ms_smartcard_login) */,\n 649 /* 1.3.6.1.4.1.311.20.2.3 (OBJ_ms_upn) */,\n 751 /* 1.2.392.200011.61.1.1.1.2 (OBJ_camellia_128_cbc) */,\n 752 /* 1.2.392.200011.61.1.1.1.3 (OBJ_camellia_192_cbc) */,\n 753 /* 1.2.392.200011.61.1.1.1.4 (OBJ_camellia_256_cbc) */,\n 907 /* 1.2.392.200011.61.1.1.3.2 (OBJ_id_camellia128_wrap) */,\n 908 /* 1.2.392.200011.61.1.1.3.3 (OBJ_id_camellia192_wrap) */,\n 909 /* 1.2.392.200011.61.1.1.3.4 (OBJ_id_camellia256_wrap) */,\n 196 /* 1.2.840.113549.1.9.16.0.1 (OBJ_id_smime_mod_cms) */,\n 197 /* 1.2.840.113549.1.9.16.0.2 (OBJ_id_smime_mod_ess) */,\n 198 /* 1.2.840.113549.1.9.16.0.3 (OBJ_id_smime_mod_oid) */,\n 199 /* 1.2.840.113549.1.9.16.0.4 (OBJ_id_smime_mod_msg_v3) */,\n 200 /* 1.2.840.113549.1.9.16.0.5 (OBJ_id_smime_mod_ets_eSignature_88) */,\n 201 /* 1.2.840.113549.1.9.16.0.6 (OBJ_id_smime_mod_ets_eSignature_97) */,\n 202 /* 1.2.840.113549.1.9.16.0.7 (OBJ_id_smime_mod_ets_eSigPolicy_88) */,\n 203 /* 1.2.840.113549.1.9.16.0.8 (OBJ_id_smime_mod_ets_eSigPolicy_97) */,\n 204 /* 1.2.840.113549.1.9.16.1.1 (OBJ_id_smime_ct_receipt) */,\n 205 /* 1.2.840.113549.1.9.16.1.2 (OBJ_id_smime_ct_authData) */,\n 206 /* 1.2.840.113549.1.9.16.1.3 (OBJ_id_smime_ct_publishCert) */,\n 207 /* 1.2.840.113549.1.9.16.1.4 (OBJ_id_smime_ct_TSTInfo) */,\n 208 /* 1.2.840.113549.1.9.16.1.5 (OBJ_id_smime_ct_TDTInfo) */,\n 209 /* 1.2.840.113549.1.9.16.1.6 (OBJ_id_smime_ct_contentInfo) */,\n 210 /* 1.2.840.113549.1.9.16.1.7 (OBJ_id_smime_ct_DVCSRequestData) */,\n 211 /* 1.2.840.113549.1.9.16.1.8 (OBJ_id_smime_ct_DVCSResponseData) */,\n 786 /* 1.2.840.113549.1.9.16.1.9 (OBJ_id_smime_ct_compressedData) */,\n 787 /* 1.2.840.113549.1.9.16.1.27 (OBJ_id_ct_asciiTextWithCRLF) */,\n 212 /* 1.2.840.113549.1.9.16.2.1 (OBJ_id_smime_aa_receiptRequest) */,\n 213 /* 1.2.840.113549.1.9.16.2.2 (OBJ_id_smime_aa_securityLabel) */,\n 214 /* 1.2.840.113549.1.9.16.2.3 (OBJ_id_smime_aa_mlExpandHistory) */,\n 215 /* 1.2.840.113549.1.9.16.2.4 (OBJ_id_smime_aa_contentHint) */,\n 216 /* 1.2.840.113549.1.9.16.2.5 (OBJ_id_smime_aa_msgSigDigest) */,\n 217 /* 1.2.840.113549.1.9.16.2.6 (OBJ_id_smime_aa_encapContentType) */,\n 218 /* 1.2.840.113549.1.9.16.2.7 (OBJ_id_smime_aa_contentIdentifier) */,\n 219 /* 1.2.840.113549.1.9.16.2.8 (OBJ_id_smime_aa_macValue) */,\n 220 /* 1.2.840.113549.1.9.16.2.9 (OBJ_id_smime_aa_equivalentLabels) */,\n 221 /* 1.2.840.113549.1.9.16.2.10 (OBJ_id_smime_aa_contentReference) */,\n 222 /* 1.2.840.113549.1.9.16.2.11 (OBJ_id_smime_aa_encrypKeyPref) */,\n 223 /* 1.2.840.113549.1.9.16.2.12 (OBJ_id_smime_aa_signingCertificate) */,\n 224 /* 1.2.840.113549.1.9.16.2.13 (OBJ_id_smime_aa_smimeEncryptCerts) */,\n 225 /* 1.2.840.113549.1.9.16.2.14 (OBJ_id_smime_aa_timeStampToken) */,\n 226 /* 1.2.840.113549.1.9.16.2.15 (OBJ_id_smime_aa_ets_sigPolicyId) */,\n 227 /* 1.2.840.113549.1.9.16.2.16 (OBJ_id_smime_aa_ets_commitmentType) */,\n 228 /* 1.2.840.113549.1.9.16.2.17 (OBJ_id_smime_aa_ets_signerLocation) */,\n 229 /* 1.2.840.113549.1.9.16.2.18 (OBJ_id_smime_aa_ets_signerAttr) */,\n 230 /* 1.2.840.113549.1.9.16.2.19 (OBJ_id_smime_aa_ets_otherSigCert) */,\n 231 /* 1.2.840.113549.1.9.16.2.20 (OBJ_id_smime_aa_ets_contentTimestamp) */,\n 232 /* 1.2.840.113549.1.9.16.2.21 (OBJ_id_smime_aa_ets_CertificateRefs) */,\n 233 /* 1.2.840.113549.1.9.16.2.22 (OBJ_id_smime_aa_ets_RevocationRefs) */,\n 234 /* 1.2.840.113549.1.9.16.2.23 (OBJ_id_smime_aa_ets_certValues) */,\n 235 /* 1.2.840.113549.1.9.16.2.24 (OBJ_id_smime_aa_ets_revocationValues) */,\n 236 /* 1.2.840.113549.1.9.16.2.25 (OBJ_id_smime_aa_ets_escTimeStamp) */,\n 237 /* 1.2.840.113549.1.9.16.2.26 (OBJ_id_smime_aa_ets_certCRLTimestamp) */,\n 238 /* 1.2.840.113549.1.9.16.2.27 (OBJ_id_smime_aa_ets_archiveTimeStamp) */,\n 239 /* 1.2.840.113549.1.9.16.2.28 (OBJ_id_smime_aa_signatureType) */,\n 240 /* 1.2.840.113549.1.9.16.2.29 (OBJ_id_smime_aa_dvcs_dvc) */,\n 241 /* 1.2.840.113549.1.9.16.3.1 (OBJ_id_smime_alg_ESDHwith3DES) */,\n 242 /* 1.2.840.113549.1.9.16.3.2 (OBJ_id_smime_alg_ESDHwithRC2) */,\n 243 /* 1.2.840.113549.1.9.16.3.3 (OBJ_id_smime_alg_3DESwrap) */,\n 244 /* 1.2.840.113549.1.9.16.3.4 (OBJ_id_smime_alg_RC2wrap) */,\n 245 /* 1.2.840.113549.1.9.16.3.5 (OBJ_id_smime_alg_ESDH) */,\n 246 /* 1.2.840.113549.1.9.16.3.6 (OBJ_id_smime_alg_CMS3DESwrap) */,\n 247 /* 1.2.840.113549.1.9.16.3.7 (OBJ_id_smime_alg_CMSRC2wrap) */,\n 125 /* 1.2.840.113549.1.9.16.3.8 (OBJ_zlib_compression) */,\n 893 /* 1.2.840.113549.1.9.16.3.9 (OBJ_id_alg_PWRI_KEK) */,\n 248 /* 1.2.840.113549.1.9.16.4.1 (OBJ_id_smime_cd_ldap) */,\n 249 /* 1.2.840.113549.1.9.16.5.1 (OBJ_id_smime_spq_ets_sqt_uri) */,\n 250 /* 1.2.840.113549.1.9.16.5.2 (OBJ_id_smime_spq_ets_sqt_unotice) */,\n 251 /* 1.2.840.113549.1.9.16.6.1 (OBJ_id_smime_cti_ets_proofOfOrigin) */,\n 252 /* 1.2.840.113549.1.9.16.6.2 (OBJ_id_smime_cti_ets_proofOfReceipt) */,\n 253 /* 1.2.840.113549.1.9.16.6.3 (OBJ_id_smime_cti_ets_proofOfDelivery) */,\n 254 /* 1.2.840.113549.1.9.16.6.4 (OBJ_id_smime_cti_ets_proofOfSender) */,\n 255 /* 1.2.840.113549.1.9.16.6.5 (OBJ_id_smime_cti_ets_proofOfApproval) */,\n 256 /* 1.2.840.113549.1.9.16.6.6 (OBJ_id_smime_cti_ets_proofOfCreation) */,\n 150 /* 1.2.840.113549.1.12.10.1.1 (OBJ_keyBag) */,\n 151 /* 1.2.840.113549.1.12.10.1.2 (OBJ_pkcs8ShroudedKeyBag) */,\n 152 /* 1.2.840.113549.1.12.10.1.3 (OBJ_certBag) */,\n 153 /* 1.2.840.113549.1.12.10.1.4 (OBJ_crlBag) */,\n 154 /* 1.2.840.113549.1.12.10.1.5 (OBJ_secretBag) */,\n 155 /* 1.2.840.113549.1.12.10.1.6 (OBJ_safeContentsBag) */,\n 34 /* 1.3.6.1.4.1.188.7.1.1.2 (OBJ_idea_cbc) */,\n};\n" }, { "path": "Sources/CNIOBoringSSL/crypto/obj/obj_xref.cc", "content": "/*\n * Copyright 2006-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \"../internal.h\"\n\n\ntypedef struct {\n int sign_nid;\n int digest_nid;\n int pkey_nid;\n} nid_triple;\n\nstatic const nid_triple kTriples[] = {\n // RSA PKCS#1.\n {NID_md4WithRSAEncryption, NID_md4, NID_rsaEncryption},\n {NID_md5WithRSAEncryption, NID_md5, NID_rsaEncryption},\n {NID_sha1WithRSAEncryption, NID_sha1, NID_rsaEncryption},\n {NID_sha224WithRSAEncryption, NID_sha224, NID_rsaEncryption},\n {NID_sha256WithRSAEncryption, NID_sha256, NID_rsaEncryption},\n {NID_sha384WithRSAEncryption, NID_sha384, NID_rsaEncryption},\n {NID_sha512WithRSAEncryption, NID_sha512, NID_rsaEncryption},\n // DSA.\n {NID_dsaWithSHA1, NID_sha1, NID_dsa},\n {NID_dsaWithSHA1_2, NID_sha1, NID_dsa_2},\n {NID_dsa_with_SHA224, NID_sha224, NID_dsa},\n {NID_dsa_with_SHA256, NID_sha256, NID_dsa},\n // ECDSA.\n {NID_ecdsa_with_SHA1, NID_sha1, NID_X9_62_id_ecPublicKey},\n {NID_ecdsa_with_SHA224, NID_sha224, NID_X9_62_id_ecPublicKey},\n {NID_ecdsa_with_SHA256, NID_sha256, NID_X9_62_id_ecPublicKey},\n {NID_ecdsa_with_SHA384, NID_sha384, NID_X9_62_id_ecPublicKey},\n {NID_ecdsa_with_SHA512, NID_sha512, NID_X9_62_id_ecPublicKey},\n // The following algorithms use more complex (or simpler) parameters. The\n // digest \"undef\" indicates the caller should handle this explicitly.\n {NID_rsassaPss, NID_undef, NID_rsaEncryption},\n {NID_ED25519, NID_undef, NID_ED25519},\n};\n\nint OBJ_find_sigid_algs(int sign_nid, int *out_digest_nid, int *out_pkey_nid) {\n for (size_t i = 0; i < OPENSSL_ARRAY_SIZE(kTriples); i++) {\n if (kTriples[i].sign_nid == sign_nid) {\n if (out_digest_nid != NULL) {\n *out_digest_nid = kTriples[i].digest_nid;\n }\n if (out_pkey_nid != NULL) {\n *out_pkey_nid = kTriples[i].pkey_nid;\n }\n return 1;\n }\n }\n\n return 0;\n}\n\nint OBJ_find_sigid_by_algs(int *out_sign_nid, int digest_nid, int pkey_nid) {\n for (size_t i = 0; i < OPENSSL_ARRAY_SIZE(kTriples); i++) {\n if (kTriples[i].digest_nid == digest_nid &&\n kTriples[i].pkey_nid == pkey_nid) {\n if (out_sign_nid != NULL) {\n *out_sign_nid = kTriples[i].sign_nid;\n }\n return 1;\n }\n }\n\n return 0;\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/pem/internal.h", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#ifndef OPENSSL_HEADER_PEM_INTERNAL_H\n#define OPENSSL_HEADER_PEM_INTERNAL_H\n\n#include \n\n#ifdef __cplusplus\nextern \"C\" {\n#endif\n\n\n// PEM_get_EVP_CIPHER_INFO decodes |header| as a PEM header block and writes the\n// specified cipher and IV to |cipher|. It returns one on success and zero on\n// error. |header| must be a NUL-terminated string. If |header| does not\n// specify encryption, this function will return success and set\n// |cipher->cipher| to NULL.\nint PEM_get_EVP_CIPHER_INFO(const char *header, EVP_CIPHER_INFO *cipher);\n\n// PEM_do_header decrypts |*len| bytes from |data| in-place according to the\n// information in |cipher|. On success, it returns one and sets |*len| to the\n// length of the plaintext. Otherwise, it returns zero. If |cipher| specifies\n// encryption, the key is derived from a password returned from |callback|.\nint PEM_do_header(const EVP_CIPHER_INFO *cipher, uint8_t *data, long *len,\n pem_password_cb *callback, void *u);\n\n\n#ifdef __cplusplus\n} // extern \"C\"\n#endif\n\n#endif // OPENSSL_HEADER_PEM_INTERNAL_H\n" }, { "path": "Sources/CNIOBoringSSL/crypto/pem/pem_all.cc", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n\nstatic RSA *pkey_get_rsa(EVP_PKEY *key, RSA **rsa);\nstatic DSA *pkey_get_dsa(EVP_PKEY *key, DSA **dsa);\nstatic EC_KEY *pkey_get_eckey(EVP_PKEY *key, EC_KEY **eckey);\n\nIMPLEMENT_PEM_rw(X509_REQ, X509_REQ, PEM_STRING_X509_REQ, X509_REQ)\n\nIMPLEMENT_PEM_write(X509_REQ_NEW, X509_REQ, PEM_STRING_X509_REQ_OLD, X509_REQ)\nIMPLEMENT_PEM_rw(X509_CRL, X509_CRL, PEM_STRING_X509_CRL, X509_CRL)\nIMPLEMENT_PEM_rw(PKCS7, PKCS7, PEM_STRING_PKCS7, PKCS7)\n\n// We treat RSA or DSA private keys as a special case. For private keys we\n// read in an EVP_PKEY structure with PEM_read_bio_PrivateKey() and extract\n// the relevant private key: this means can handle \"traditional\" and PKCS#8\n// formats transparently.\nstatic RSA *pkey_get_rsa(EVP_PKEY *key, RSA **rsa) {\n RSA *rtmp;\n if (!key) {\n return NULL;\n }\n rtmp = EVP_PKEY_get1_RSA(key);\n EVP_PKEY_free(key);\n if (!rtmp) {\n return NULL;\n }\n if (rsa) {\n RSA_free(*rsa);\n *rsa = rtmp;\n }\n return rtmp;\n}\n\nRSA *PEM_read_bio_RSAPrivateKey(BIO *bp, RSA **rsa, pem_password_cb *cb,\n void *u) {\n EVP_PKEY *pktmp;\n pktmp = PEM_read_bio_PrivateKey(bp, NULL, cb, u);\n return pkey_get_rsa(pktmp, rsa);\n}\n\nRSA *PEM_read_RSAPrivateKey(FILE *fp, RSA **rsa, pem_password_cb *cb, void *u) {\n EVP_PKEY *pktmp;\n pktmp = PEM_read_PrivateKey(fp, NULL, cb, u);\n return pkey_get_rsa(pktmp, rsa);\n}\n\nIMPLEMENT_PEM_write_cb_const(RSAPrivateKey, RSA, PEM_STRING_RSA, RSAPrivateKey)\n\n\nIMPLEMENT_PEM_rw_const(RSAPublicKey, RSA, PEM_STRING_RSA_PUBLIC, RSAPublicKey)\nIMPLEMENT_PEM_rw(RSA_PUBKEY, RSA, PEM_STRING_PUBLIC, RSA_PUBKEY)\n#ifndef OPENSSL_NO_DSA\nstatic DSA *pkey_get_dsa(EVP_PKEY *key, DSA **dsa) {\n DSA *dtmp;\n if (!key) {\n return NULL;\n }\n dtmp = EVP_PKEY_get1_DSA(key);\n EVP_PKEY_free(key);\n if (!dtmp) {\n return NULL;\n }\n if (dsa) {\n DSA_free(*dsa);\n *dsa = dtmp;\n }\n return dtmp;\n}\n\nDSA *PEM_read_bio_DSAPrivateKey(BIO *bp, DSA **dsa, pem_password_cb *cb,\n void *u) {\n EVP_PKEY *pktmp;\n pktmp = PEM_read_bio_PrivateKey(bp, NULL, cb, u);\n return pkey_get_dsa(pktmp, dsa); // will free pktmp\n}\n\nIMPLEMENT_PEM_write_cb_const(DSAPrivateKey, DSA, PEM_STRING_DSA, DSAPrivateKey)\n\nIMPLEMENT_PEM_rw(DSA_PUBKEY, DSA, PEM_STRING_PUBLIC, DSA_PUBKEY)\nDSA *PEM_read_DSAPrivateKey(FILE *fp, DSA **dsa, pem_password_cb *cb, void *u) {\n EVP_PKEY *pktmp;\n pktmp = PEM_read_PrivateKey(fp, NULL, cb, u);\n return pkey_get_dsa(pktmp, dsa); // will free pktmp\n}\n\nIMPLEMENT_PEM_rw_const(DSAparams, DSA, PEM_STRING_DSAPARAMS, DSAparams)\n#endif\nstatic EC_KEY *pkey_get_eckey(EVP_PKEY *key, EC_KEY **eckey) {\n EC_KEY *dtmp;\n if (!key) {\n return NULL;\n }\n dtmp = EVP_PKEY_get1_EC_KEY(key);\n EVP_PKEY_free(key);\n if (!dtmp) {\n return NULL;\n }\n if (eckey) {\n EC_KEY_free(*eckey);\n *eckey = dtmp;\n }\n return dtmp;\n}\n\nEC_KEY *PEM_read_bio_ECPrivateKey(BIO *bp, EC_KEY **key, pem_password_cb *cb,\n void *u) {\n EVP_PKEY *pktmp;\n pktmp = PEM_read_bio_PrivateKey(bp, NULL, cb, u);\n return pkey_get_eckey(pktmp, key); // will free pktmp\n}\n\nIMPLEMENT_PEM_write_cb(ECPrivateKey, EC_KEY, PEM_STRING_ECPRIVATEKEY,\n ECPrivateKey)\n\nIMPLEMENT_PEM_rw(EC_PUBKEY, EC_KEY, PEM_STRING_PUBLIC, EC_PUBKEY)\nEC_KEY *PEM_read_ECPrivateKey(FILE *fp, EC_KEY **eckey, pem_password_cb *cb,\n void *u) {\n EVP_PKEY *pktmp;\n pktmp = PEM_read_PrivateKey(fp, NULL, cb, u);\n return pkey_get_eckey(pktmp, eckey); // will free pktmp\n}\n\n\nIMPLEMENT_PEM_rw_const(DHparams, DH, PEM_STRING_DHPARAMS, DHparams)\n\nIMPLEMENT_PEM_rw(PUBKEY, EVP_PKEY, PEM_STRING_PUBLIC, PUBKEY)\n" }, { "path": "Sources/CNIOBoringSSL/crypto/pem/pem_info.cc", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n#include \n#include \n\n#include \n#include \n#include \n#include \n#include \n#include \n#include \n\n#include \"internal.h\"\n\n\nstatic X509_PKEY *X509_PKEY_new(void) {\n return reinterpret_cast(OPENSSL_zalloc(sizeof(X509_PKEY)));\n}\n\nstatic void X509_PKEY_free(X509_PKEY *x) {\n if (x == NULL) {\n return;\n }\n\n EVP_PKEY_free(x->dec_pkey);\n OPENSSL_free(x);\n}\n\nstatic X509_INFO *X509_INFO_new(void) {\n return reinterpret_cast(OPENSSL_zalloc(sizeof(X509_INFO)));\n}\n\nvoid X509_INFO_free(X509_INFO *x) {\n if (x == NULL) {\n return;\n }\n\n X509_free(x->x509);\n X509_CRL_free(x->crl);\n X509_PKEY_free(x->x_pkey);\n OPENSSL_free(x->enc_data);\n OPENSSL_free(x);\n}\n\n\nSTACK_OF(X509_INFO) *PEM_X509_INFO_read(FILE *fp, STACK_OF(X509_INFO) *sk,\n pem_password_cb *cb, void *u) {\n BIO *b = BIO_new_fp(fp, BIO_NOCLOSE);\n if (b == NULL) {\n OPENSSL_PUT_ERROR(PEM, ERR_R_BUF_LIB);\n return 0;\n }\n STACK_OF(X509_INFO) *ret = PEM_X509_INFO_read_bio(b, sk, cb, u);\n BIO_free(b);\n return ret;\n}\n\nenum parse_result_t {\n parse_ok,\n parse_error,\n parse_new_entry,\n};\n\nstatic enum parse_result_t parse_x509(X509_INFO *info, const uint8_t *data,\n size_t len, int key_type) {\n if (info->x509 != NULL) {\n return parse_new_entry;\n }\n info->x509 = d2i_X509(NULL, &data, len);\n return info->x509 != NULL ? parse_ok : parse_error;\n}\n\nstatic enum parse_result_t parse_x509_aux(X509_INFO *info, const uint8_t *data,\n size_t len, int key_type) {\n if (info->x509 != NULL) {\n return parse_new_entry;\n }\n info->x509 = d2i_X509_AUX(NULL, &data, len);\n return info->x509 != NULL ? parse_ok : parse_error;\n}\n\nstatic enum parse_result_t parse_crl(X509_INFO *info, const uint8_t *data,\n size_t len, int key_type) {\n if (info->crl != NULL) {\n return parse_new_entry;\n }\n info->crl = d2i_X509_CRL(NULL, &data, len);\n return info->crl != NULL ? parse_ok : parse_error;\n}\n\nstatic enum parse_result_t parse_key(X509_INFO *info, const uint8_t *data,\n size_t len, int key_type) {\n if (info->x_pkey != NULL) {\n return parse_new_entry;\n }\n info->x_pkey = X509_PKEY_new();\n if (info->x_pkey == NULL) {\n return parse_error;\n }\n info->x_pkey->dec_pkey = d2i_PrivateKey(key_type, NULL, &data, len);\n return info->x_pkey->dec_pkey != NULL ? parse_ok : parse_error;\n}\n\nSTACK_OF(X509_INFO) *PEM_X509_INFO_read_bio(BIO *bp, STACK_OF(X509_INFO) *sk,\n pem_password_cb *cb, void *u) {\n X509_INFO *info = NULL;\n char *name = NULL, *header = NULL;\n unsigned char *data = NULL;\n long len;\n int ok = 0;\n STACK_OF(X509_INFO) *ret = NULL;\n\n if (sk == NULL) {\n ret = sk_X509_INFO_new_null();\n if (ret == NULL) {\n return NULL;\n }\n } else {\n ret = sk;\n }\n size_t orig_num = sk_X509_INFO_num(ret);\n\n info = X509_INFO_new();\n if (info == NULL) {\n goto err;\n }\n\n for (;;) {\n if (!PEM_read_bio(bp, &name, &header, &data, &len)) {\n uint32_t error = ERR_peek_last_error();\n if (ERR_GET_LIB(error) == ERR_LIB_PEM &&\n ERR_GET_REASON(error) == PEM_R_NO_START_LINE) {\n ERR_clear_error();\n break;\n }\n goto err;\n }\n\n enum parse_result_t (*parse_function)(X509_INFO *, const uint8_t *, size_t,\n int) = NULL;\n int key_type = EVP_PKEY_NONE;\n if (strcmp(name, PEM_STRING_X509) == 0 ||\n strcmp(name, PEM_STRING_X509_OLD) == 0) {\n parse_function = parse_x509;\n } else if (strcmp(name, PEM_STRING_X509_TRUSTED) == 0) {\n parse_function = parse_x509_aux;\n } else if (strcmp(name, PEM_STRING_X509_CRL) == 0) {\n parse_function = parse_crl;\n } else if (strcmp(name, PEM_STRING_RSA) == 0) {\n parse_function = parse_key;\n key_type = EVP_PKEY_RSA;\n } else if (strcmp(name, PEM_STRING_DSA) == 0) {\n parse_function = parse_key;\n key_type = EVP_PKEY_DSA;\n } else if (strcmp(name, PEM_STRING_ECPRIVATEKEY) == 0) {\n parse_function = parse_key;\n key_type = EVP_PKEY_EC;\n }\n\n // If a private key has a header, assume it is encrypted. This function does\n // not decrypt private keys.\n if (key_type != EVP_PKEY_NONE && strlen(header) > 10) {\n if (info->x_pkey != NULL) {\n if (!sk_X509_INFO_push(ret, info)) {\n goto err;\n }\n info = X509_INFO_new();\n if (info == NULL) {\n goto err;\n }\n }\n // Use an empty key as a placeholder.\n info->x_pkey = X509_PKEY_new();\n if (info->x_pkey == NULL ||\n !PEM_get_EVP_CIPHER_INFO(header, &info->enc_cipher)) {\n goto err;\n }\n info->enc_data = (char *)data;\n info->enc_len = (int)len;\n data = NULL;\n } else if (parse_function != NULL) {\n EVP_CIPHER_INFO cipher;\n if (!PEM_get_EVP_CIPHER_INFO(header, &cipher) ||\n !PEM_do_header(&cipher, data, &len, cb, u)) {\n goto err;\n }\n enum parse_result_t result = parse_function(info, data, len, key_type);\n if (result == parse_new_entry) {\n if (!sk_X509_INFO_push(ret, info)) {\n goto err;\n }\n info = X509_INFO_new();\n if (info == NULL) {\n goto err;\n }\n result = parse_function(info, data, len, key_type);\n }\n if (result != parse_ok) {\n OPENSSL_PUT_ERROR(PEM, ERR_R_ASN1_LIB);\n goto err;\n }\n }\n OPENSSL_free(name);\n OPENSSL_free(header);\n OPENSSL_free(data);\n name = NULL;\n header = NULL;\n data = NULL;\n }\n\n // Push the last entry on the stack if not empty.\n if (info->x509 != NULL || info->crl != NULL || info->x_pkey != NULL ||\n info->enc_data != NULL) {\n if (!sk_X509_INFO_push(ret, info)) {\n goto err;\n }\n info = NULL;\n }\n\n ok = 1;\n\nerr:\n X509_INFO_free(info);\n if (!ok) {\n while (sk_X509_INFO_num(ret) > orig_num) {\n X509_INFO_free(sk_X509_INFO_pop(ret));\n }\n if (ret != sk) {\n sk_X509_INFO_free(ret);\n }\n ret = NULL;\n }\n\n OPENSSL_free(name);\n OPENSSL_free(header);\n OPENSSL_free(data);\n return ret;\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/pem/pem_lib.cc", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n#include \n#include \n#include \n\n#include \n\n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n\n#include \"../internal.h\"\n#include \"internal.h\"\n\n\n#define MIN_LENGTH 4\n\nstatic int load_iv(const char **fromp, unsigned char *to, size_t num);\nstatic int check_pem(const char *nm, const char *name);\n\n// PEM_proc_type appends a Proc-Type header to |buf|, determined by |type|.\nstatic void PEM_proc_type(char buf[PEM_BUFSIZE], int type) {\n const char *str;\n\n if (type == PEM_TYPE_ENCRYPTED) {\n str = \"ENCRYPTED\";\n } else if (type == PEM_TYPE_MIC_CLEAR) {\n str = \"MIC-CLEAR\";\n } else if (type == PEM_TYPE_MIC_ONLY) {\n str = \"MIC-ONLY\";\n } else {\n str = \"BAD-TYPE\";\n }\n\n OPENSSL_strlcat(buf, \"Proc-Type: 4,\", PEM_BUFSIZE);\n OPENSSL_strlcat(buf, str, PEM_BUFSIZE);\n OPENSSL_strlcat(buf, \"\\n\", PEM_BUFSIZE);\n}\n\n// PEM_dek_info appends a DEK-Info header to |buf|, with an algorithm of |type|\n// and a single parameter, specified by hex-encoding |len| bytes from |str|.\nstatic void PEM_dek_info(char buf[PEM_BUFSIZE], const char *type, size_t len,\n char *str) {\n static const unsigned char map[17] = \"0123456789ABCDEF\";\n\n OPENSSL_strlcat(buf, \"DEK-Info: \", PEM_BUFSIZE);\n OPENSSL_strlcat(buf, type, PEM_BUFSIZE);\n OPENSSL_strlcat(buf, \",\", PEM_BUFSIZE);\n\n const size_t used = strlen(buf);\n const size_t available = PEM_BUFSIZE - used;\n if (len * 2 < len || len * 2 + 2 < len || available < len * 2 + 2) {\n return;\n }\n\n for (size_t i = 0; i < len; i++) {\n buf[used + i * 2] = map[(str[i] >> 4) & 0x0f];\n buf[used + i * 2 + 1] = map[(str[i]) & 0x0f];\n }\n buf[used + len * 2] = '\\n';\n buf[used + len * 2 + 1] = '\\0';\n}\n\nvoid *PEM_ASN1_read(d2i_of_void *d2i, const char *name, FILE *fp, void **x,\n pem_password_cb *cb, void *u) {\n BIO *b = BIO_new_fp(fp, BIO_NOCLOSE);\n if (b == NULL) {\n OPENSSL_PUT_ERROR(PEM, ERR_R_BUF_LIB);\n return NULL;\n }\n void *ret = PEM_ASN1_read_bio(d2i, name, b, x, cb, u);\n BIO_free(b);\n return ret;\n}\n\nstatic int check_pem(const char *nm, const char *name) {\n // Normal matching nm and name\n if (!strcmp(nm, name)) {\n return 1;\n }\n\n // Make PEM_STRING_EVP_PKEY match any private key\n\n if (!strcmp(name, PEM_STRING_EVP_PKEY)) {\n return !strcmp(nm, PEM_STRING_PKCS8) || !strcmp(nm, PEM_STRING_PKCS8INF) ||\n !strcmp(nm, PEM_STRING_RSA) || !strcmp(nm, PEM_STRING_EC) ||\n !strcmp(nm, PEM_STRING_DSA);\n }\n\n // Permit older strings\n\n if (!strcmp(nm, PEM_STRING_X509_OLD) && !strcmp(name, PEM_STRING_X509)) {\n return 1;\n }\n\n if (!strcmp(nm, PEM_STRING_X509_REQ_OLD) &&\n !strcmp(name, PEM_STRING_X509_REQ)) {\n return 1;\n }\n\n // Allow normal certs to be read as trusted certs\n if (!strcmp(nm, PEM_STRING_X509) && !strcmp(name, PEM_STRING_X509_TRUSTED)) {\n return 1;\n }\n\n if (!strcmp(nm, PEM_STRING_X509_OLD) &&\n !strcmp(name, PEM_STRING_X509_TRUSTED)) {\n return 1;\n }\n\n // Some CAs use PKCS#7 with CERTIFICATE headers\n if (!strcmp(nm, PEM_STRING_X509) && !strcmp(name, PEM_STRING_PKCS7)) {\n return 1;\n }\n\n if (!strcmp(nm, PEM_STRING_PKCS7_SIGNED) && !strcmp(name, PEM_STRING_PKCS7)) {\n return 1;\n }\n\n#ifndef OPENSSL_NO_CMS\n if (!strcmp(nm, PEM_STRING_X509) && !strcmp(name, PEM_STRING_CMS)) {\n return 1;\n }\n // Allow CMS to be read from PKCS#7 headers\n if (!strcmp(nm, PEM_STRING_PKCS7) && !strcmp(name, PEM_STRING_CMS)) {\n return 1;\n }\n#endif\n\n return 0;\n}\n\nstatic const EVP_CIPHER *cipher_by_name(std::string_view name) {\n // This is similar to the (deprecated) function |EVP_get_cipherbyname|. Note\n // the PEM code assumes that ciphers have at least 8 bytes of IV, at most 20\n // bytes of overhead and generally behave like CBC mode.\n if (name == SN_des_cbc) {\n return EVP_des_cbc();\n } else if (name == SN_des_ede3_cbc) {\n return EVP_des_ede3_cbc();\n } else if (name == SN_aes_128_cbc) {\n return EVP_aes_128_cbc();\n } else if (name == SN_aes_192_cbc) {\n return EVP_aes_192_cbc();\n } else if (name == SN_aes_256_cbc) {\n return EVP_aes_256_cbc();\n } else {\n return NULL;\n }\n}\n\nint PEM_bytes_read_bio(unsigned char **pdata, long *plen, char **pnm,\n const char *name, BIO *bp, pem_password_cb *cb,\n void *u) {\n EVP_CIPHER_INFO cipher;\n char *nm = NULL, *header = NULL;\n unsigned char *data = NULL;\n long len;\n int ret = 0;\n\n for (;;) {\n if (!PEM_read_bio(bp, &nm, &header, &data, &len)) {\n uint32_t error = ERR_peek_error();\n if (ERR_GET_LIB(error) == ERR_LIB_PEM &&\n ERR_GET_REASON(error) == PEM_R_NO_START_LINE) {\n ERR_add_error_data(2, \"Expecting: \", name);\n }\n return 0;\n }\n if (check_pem(nm, name)) {\n break;\n }\n OPENSSL_free(nm);\n OPENSSL_free(header);\n OPENSSL_free(data);\n }\n if (!PEM_get_EVP_CIPHER_INFO(header, &cipher)) {\n goto err;\n }\n if (!PEM_do_header(&cipher, data, &len, cb, u)) {\n goto err;\n }\n\n *pdata = data;\n *plen = len;\n\n if (pnm) {\n *pnm = nm;\n }\n\n ret = 1;\n\nerr:\n if (!ret || !pnm) {\n OPENSSL_free(nm);\n }\n OPENSSL_free(header);\n if (!ret) {\n OPENSSL_free(data);\n }\n return ret;\n}\n\nint PEM_ASN1_write(i2d_of_void *i2d, const char *name, FILE *fp, void *x,\n const EVP_CIPHER *enc, const unsigned char *pass,\n int pass_len, pem_password_cb *callback, void *u) {\n BIO *b = BIO_new_fp(fp, BIO_NOCLOSE);\n if (b == NULL) {\n OPENSSL_PUT_ERROR(PEM, ERR_R_BUF_LIB);\n return 0;\n }\n int ret =\n PEM_ASN1_write_bio(i2d, name, b, x, enc, pass, pass_len, callback, u);\n BIO_free(b);\n return ret;\n}\n\nint PEM_ASN1_write_bio(i2d_of_void *i2d, const char *name, BIO *bp, void *x,\n const EVP_CIPHER *enc, const unsigned char *pass,\n int pass_len, pem_password_cb *callback, void *u) {\n EVP_CIPHER_CTX ctx;\n int dsize = 0, i, j, ret = 0;\n unsigned char *p, *data = NULL;\n const char *objstr = NULL;\n char buf[PEM_BUFSIZE];\n unsigned char key[EVP_MAX_KEY_LENGTH];\n unsigned char iv[EVP_MAX_IV_LENGTH];\n\n if (enc != NULL) {\n objstr = OBJ_nid2sn(EVP_CIPHER_nid(enc));\n if (objstr == NULL || cipher_by_name(objstr) == NULL ||\n EVP_CIPHER_iv_length(enc) < 8) {\n OPENSSL_PUT_ERROR(PEM, PEM_R_UNSUPPORTED_CIPHER);\n goto err;\n }\n }\n\n if ((dsize = i2d(x, NULL)) < 0) {\n OPENSSL_PUT_ERROR(PEM, ERR_R_ASN1_LIB);\n dsize = 0;\n goto err;\n }\n // dzise + 8 bytes are needed\n // actually it needs the cipher block size extra...\n data = (unsigned char *)OPENSSL_malloc((unsigned int)dsize + 20);\n if (data == NULL) {\n goto err;\n }\n p = data;\n i = i2d(x, &p);\n\n if (enc != NULL) {\n const unsigned iv_len = EVP_CIPHER_iv_length(enc);\n\n if (pass == NULL) {\n if (!callback) {\n callback = PEM_def_callback;\n }\n pass_len = (*callback)(buf, PEM_BUFSIZE, 1, u);\n if (pass_len < 0) {\n OPENSSL_PUT_ERROR(PEM, PEM_R_READ_KEY);\n goto err;\n }\n pass = (const unsigned char *)buf;\n }\n assert(iv_len <= sizeof(iv));\n if (!RAND_bytes(iv, iv_len)) { // Generate a salt\n goto err;\n }\n // The 'iv' is used as the iv and as a salt. It is NOT taken from\n // the BytesToKey function\n if (!EVP_BytesToKey(enc, EVP_md5(), iv, pass, pass_len, 1, key, NULL)) {\n goto err;\n }\n\n if (pass == (const unsigned char *)buf) {\n OPENSSL_cleanse(buf, PEM_BUFSIZE);\n }\n\n assert(strlen(objstr) + 23 + 2 * iv_len + 13 <= sizeof(buf));\n\n buf[0] = '\\0';\n PEM_proc_type(buf, PEM_TYPE_ENCRYPTED);\n PEM_dek_info(buf, objstr, iv_len, (char *)iv);\n // k=strlen(buf);\n\n EVP_CIPHER_CTX_init(&ctx);\n ret = 1;\n if (!EVP_EncryptInit_ex(&ctx, enc, NULL, key, iv) ||\n !EVP_EncryptUpdate(&ctx, data, &j, data, i) ||\n !EVP_EncryptFinal_ex(&ctx, &(data[j]), &i)) {\n ret = 0;\n } else {\n i += j;\n }\n EVP_CIPHER_CTX_cleanup(&ctx);\n if (ret == 0) {\n goto err;\n }\n } else {\n ret = 1;\n buf[0] = '\\0';\n }\n i = PEM_write_bio(bp, name, buf, data, i);\n if (i <= 0) {\n ret = 0;\n }\nerr:\n OPENSSL_cleanse(key, sizeof(key));\n OPENSSL_cleanse(iv, sizeof(iv));\n OPENSSL_cleanse((char *)&ctx, sizeof(ctx));\n OPENSSL_cleanse(buf, PEM_BUFSIZE);\n OPENSSL_free(data);\n return ret;\n}\n\nint PEM_do_header(const EVP_CIPHER_INFO *cipher, unsigned char *data,\n long *plen, pem_password_cb *callback, void *u) {\n int i = 0, j, o, pass_len;\n long len;\n EVP_CIPHER_CTX ctx;\n unsigned char key[EVP_MAX_KEY_LENGTH];\n char buf[PEM_BUFSIZE];\n\n len = *plen;\n\n if (cipher->cipher == NULL) {\n return 1;\n }\n\n pass_len = 0;\n if (!callback) {\n callback = PEM_def_callback;\n }\n pass_len = callback(buf, PEM_BUFSIZE, 0, u);\n if (pass_len < 0) {\n OPENSSL_PUT_ERROR(PEM, PEM_R_BAD_PASSWORD_READ);\n return 0;\n }\n\n if (!EVP_BytesToKey(cipher->cipher, EVP_md5(), cipher->iv,\n (unsigned char *)buf, pass_len, 1, key, NULL)) {\n return 0;\n }\n\n j = (int)len;\n EVP_CIPHER_CTX_init(&ctx);\n o = EVP_DecryptInit_ex(&ctx, cipher->cipher, NULL, key, cipher->iv);\n if (o) {\n o = EVP_DecryptUpdate(&ctx, data, &i, data, j);\n }\n if (o) {\n o = EVP_DecryptFinal_ex(&ctx, &(data[i]), &j);\n }\n EVP_CIPHER_CTX_cleanup(&ctx);\n OPENSSL_cleanse((char *)buf, sizeof(buf));\n OPENSSL_cleanse((char *)key, sizeof(key));\n if (!o) {\n OPENSSL_PUT_ERROR(PEM, PEM_R_BAD_DECRYPT);\n return 0;\n }\n j += i;\n *plen = j;\n return 1;\n}\n\nint PEM_get_EVP_CIPHER_INFO(const char *header, EVP_CIPHER_INFO *cipher) {\n cipher->cipher = NULL;\n OPENSSL_memset(cipher->iv, 0, sizeof(cipher->iv));\n if ((header == NULL) || (*header == '\\0') || (*header == '\\n')) {\n return 1;\n }\n if (strncmp(header, \"Proc-Type: \", 11) != 0) {\n OPENSSL_PUT_ERROR(PEM, PEM_R_NOT_PROC_TYPE);\n return 0;\n }\n header += 11;\n if (header[0] != '4' || header[1] != ',') {\n OPENSSL_PUT_ERROR(PEM, PEM_R_UNSUPPORTED_PROC_TYPE_VERSION);\n return 0;\n }\n header += 2;\n if (strncmp(header, \"ENCRYPTED\", 9) != 0) {\n OPENSSL_PUT_ERROR(PEM, PEM_R_NOT_ENCRYPTED);\n return 0;\n }\n for (; (*header != '\\n') && (*header != '\\0'); header++) {\n ;\n }\n if (*header == '\\0') {\n OPENSSL_PUT_ERROR(PEM, PEM_R_SHORT_HEADER);\n return 0;\n }\n header++;\n if (strncmp(header, \"DEK-Info: \", 10) != 0) {\n OPENSSL_PUT_ERROR(PEM, PEM_R_NOT_DEK_INFO);\n return 0;\n }\n header += 10;\n\n const char *p = header;\n for (;;) {\n char c = *header;\n if (!((c >= 'A' && c <= 'Z') || c == '-' || OPENSSL_isdigit(c))) {\n break;\n }\n header++;\n }\n cipher->cipher = cipher_by_name(std::string_view(p, header - p));\n header++;\n if (cipher->cipher == NULL) {\n OPENSSL_PUT_ERROR(PEM, PEM_R_UNSUPPORTED_ENCRYPTION);\n return 0;\n }\n // The IV parameter must be at least 8 bytes long to be used as the salt in\n // the KDF. (This should not happen given |cipher_by_name|.)\n if (EVP_CIPHER_iv_length(cipher->cipher) < 8) {\n assert(0);\n OPENSSL_PUT_ERROR(PEM, PEM_R_UNSUPPORTED_ENCRYPTION);\n return 0;\n }\n const char **header_pp = &header;\n if (!load_iv(header_pp, cipher->iv, EVP_CIPHER_iv_length(cipher->cipher))) {\n return 0;\n }\n\n return 1;\n}\n\nstatic int load_iv(const char **fromp, unsigned char *to, size_t num) {\n uint8_t v;\n const char *from;\n\n from = *fromp;\n for (size_t i = 0; i < num; i++) {\n to[i] = 0;\n }\n num *= 2;\n for (size_t i = 0; i < num; i++) {\n if (!OPENSSL_fromxdigit(&v, *from)) {\n OPENSSL_PUT_ERROR(PEM, PEM_R_BAD_IV_CHARS);\n return 0;\n }\n from++;\n to[i / 2] |= v << (!(i & 1)) * 4;\n }\n\n *fromp = from;\n return 1;\n}\n\nint PEM_write(FILE *fp, const char *name, const char *header,\n const unsigned char *data, long len) {\n BIO *b = BIO_new_fp(fp, BIO_NOCLOSE);\n if (b == NULL) {\n OPENSSL_PUT_ERROR(PEM, ERR_R_BUF_LIB);\n return 0;\n }\n int ret = PEM_write_bio(b, name, header, data, len);\n BIO_free(b);\n return ret;\n}\n\nint PEM_write_bio(BIO *bp, const char *name, const char *header,\n const unsigned char *data, long len) {\n int nlen, n, i, j, outl;\n unsigned char *buf = NULL;\n EVP_ENCODE_CTX ctx;\n int reason = ERR_R_BUF_LIB;\n int retval = 0;\n\n EVP_EncodeInit(&ctx);\n nlen = strlen(name);\n\n if ((BIO_write(bp, \"-----BEGIN \", 11) != 11) ||\n (BIO_write(bp, name, nlen) != nlen) ||\n (BIO_write(bp, \"-----\\n\", 6) != 6)) {\n goto err;\n }\n\n i = strlen(header);\n if (i > 0) {\n if ((BIO_write(bp, header, i) != i) || (BIO_write(bp, \"\\n\", 1) != 1)) {\n goto err;\n }\n }\n\n buf = reinterpret_cast(OPENSSL_malloc(PEM_BUFSIZE * 8));\n if (buf == NULL) {\n goto err;\n }\n\n i = j = 0;\n while (len > 0) {\n n = (int)((len > (PEM_BUFSIZE * 5)) ? (PEM_BUFSIZE * 5) : len);\n EVP_EncodeUpdate(&ctx, buf, &outl, &(data[j]), n);\n if ((outl) && (BIO_write(bp, (char *)buf, outl) != outl)) {\n goto err;\n }\n i += outl;\n len -= n;\n j += n;\n }\n EVP_EncodeFinal(&ctx, buf, &outl);\n if ((outl > 0) && (BIO_write(bp, (char *)buf, outl) != outl)) {\n goto err;\n }\n if ((BIO_write(bp, \"-----END \", 9) != 9) ||\n (BIO_write(bp, name, nlen) != nlen) ||\n (BIO_write(bp, \"-----\\n\", 6) != 6)) {\n goto err;\n }\n retval = i + outl;\n\nerr:\n if (retval == 0) {\n OPENSSL_PUT_ERROR(PEM, reason);\n }\n OPENSSL_free(buf);\n return retval;\n}\n\nint PEM_read(FILE *fp, char **name, char **header, unsigned char **data,\n long *len) {\n BIO *b = BIO_new_fp(fp, BIO_NOCLOSE);\n if (b == NULL) {\n OPENSSL_PUT_ERROR(PEM, ERR_R_BUF_LIB);\n return 0;\n }\n int ret = PEM_read_bio(b, name, header, data, len);\n BIO_free(b);\n return ret;\n}\n\nint PEM_read_bio(BIO *bp, char **name, char **header, unsigned char **data,\n long *len) {\n EVP_ENCODE_CTX ctx;\n int end = 0, i, k, bl = 0, hl = 0, nohead = 0;\n char buf[256];\n BUF_MEM *nameB;\n BUF_MEM *headerB;\n BUF_MEM *dataB, *tmpB;\n\n nameB = BUF_MEM_new();\n headerB = BUF_MEM_new();\n dataB = BUF_MEM_new();\n if ((nameB == NULL) || (headerB == NULL) || (dataB == NULL)) {\n BUF_MEM_free(nameB);\n BUF_MEM_free(headerB);\n BUF_MEM_free(dataB);\n return 0;\n }\n\n buf[254] = '\\0';\n for (;;) {\n i = BIO_gets(bp, buf, 254);\n\n if (i <= 0) {\n OPENSSL_PUT_ERROR(PEM, PEM_R_NO_START_LINE);\n goto err;\n }\n\n while ((i >= 0) && (buf[i] <= ' ')) {\n i--;\n }\n buf[++i] = '\\n';\n buf[++i] = '\\0';\n\n if (strncmp(buf, \"-----BEGIN \", 11) == 0) {\n i = strlen(&(buf[11]));\n\n if (strncmp(&(buf[11 + i - 6]), \"-----\\n\", 6) != 0) {\n continue;\n }\n if (!BUF_MEM_grow(nameB, i + 9)) {\n goto err;\n }\n OPENSSL_memcpy(nameB->data, &(buf[11]), i - 6);\n nameB->data[i - 6] = '\\0';\n break;\n }\n }\n hl = 0;\n if (!BUF_MEM_grow(headerB, 256)) {\n goto err;\n }\n headerB->data[0] = '\\0';\n for (;;) {\n i = BIO_gets(bp, buf, 254);\n if (i <= 0) {\n break;\n }\n\n while ((i >= 0) && (buf[i] <= ' ')) {\n i--;\n }\n buf[++i] = '\\n';\n buf[++i] = '\\0';\n\n if (buf[0] == '\\n') {\n break;\n }\n if (!BUF_MEM_grow(headerB, hl + i + 9)) {\n goto err;\n }\n if (strncmp(buf, \"-----END \", 9) == 0) {\n nohead = 1;\n break;\n }\n OPENSSL_memcpy(&(headerB->data[hl]), buf, i);\n headerB->data[hl + i] = '\\0';\n hl += i;\n }\n\n bl = 0;\n if (!BUF_MEM_grow(dataB, 1024)) {\n goto err;\n }\n dataB->data[0] = '\\0';\n if (!nohead) {\n for (;;) {\n i = BIO_gets(bp, buf, 254);\n if (i <= 0) {\n break;\n }\n\n while ((i >= 0) && (buf[i] <= ' ')) {\n i--;\n }\n buf[++i] = '\\n';\n buf[++i] = '\\0';\n\n if (i != 65) {\n end = 1;\n }\n if (strncmp(buf, \"-----END \", 9) == 0) {\n break;\n }\n if (i > 65) {\n break;\n }\n if (!BUF_MEM_grow_clean(dataB, i + bl + 9)) {\n goto err;\n }\n OPENSSL_memcpy(&(dataB->data[bl]), buf, i);\n dataB->data[bl + i] = '\\0';\n bl += i;\n if (end) {\n buf[0] = '\\0';\n i = BIO_gets(bp, buf, 254);\n if (i <= 0) {\n break;\n }\n\n while ((i >= 0) && (buf[i] <= ' ')) {\n i--;\n }\n buf[++i] = '\\n';\n buf[++i] = '\\0';\n\n break;\n }\n }\n } else {\n tmpB = headerB;\n headerB = dataB;\n dataB = tmpB;\n bl = hl;\n }\n i = strlen(nameB->data);\n if ((strncmp(buf, \"-----END \", 9) != 0) ||\n (strncmp(nameB->data, &(buf[9]), i) != 0) ||\n (strncmp(&(buf[9 + i]), \"-----\\n\", 6) != 0)) {\n OPENSSL_PUT_ERROR(PEM, PEM_R_BAD_END_LINE);\n goto err;\n }\n\n EVP_DecodeInit(&ctx);\n i = EVP_DecodeUpdate(&ctx, (unsigned char *)dataB->data, &bl,\n (unsigned char *)dataB->data, bl);\n if (i < 0) {\n OPENSSL_PUT_ERROR(PEM, PEM_R_BAD_BASE64_DECODE);\n goto err;\n }\n i = EVP_DecodeFinal(&ctx, (unsigned char *)&(dataB->data[bl]), &k);\n if (i < 0) {\n OPENSSL_PUT_ERROR(PEM, PEM_R_BAD_BASE64_DECODE);\n goto err;\n }\n bl += k;\n\n if (bl == 0) {\n goto err;\n }\n *name = nameB->data;\n *header = headerB->data;\n *data = (unsigned char *)dataB->data;\n *len = bl;\n OPENSSL_free(nameB);\n OPENSSL_free(headerB);\n OPENSSL_free(dataB);\n return 1;\nerr:\n BUF_MEM_free(nameB);\n BUF_MEM_free(headerB);\n BUF_MEM_free(dataB);\n return 0;\n}\n\nint PEM_def_callback(char *buf, int size, int rwflag, void *userdata) {\n if (!buf || !userdata || size < 0) {\n return -1;\n }\n size_t len = strlen((char *)userdata);\n if (len >= (size_t)size) {\n return -1;\n }\n OPENSSL_strlcpy(buf, reinterpret_cast(userdata), (size_t)size);\n return (int)len;\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/pem/pem_oth.cc", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n\n#include \n#include \n#include \n#include \n#include \n#include \n\n// Handle 'other' PEMs: not private keys\n\nvoid *PEM_ASN1_read_bio(d2i_of_void *d2i, const char *name, BIO *bp, void **x,\n pem_password_cb *cb, void *u) {\n const unsigned char *p = NULL;\n unsigned char *data = NULL;\n long len;\n char *ret = NULL;\n\n if (!PEM_bytes_read_bio(&data, &len, NULL, name, bp, cb, u)) {\n return NULL;\n }\n p = data;\n ret = reinterpret_cast(d2i(x, &p, len));\n if (ret == NULL) {\n OPENSSL_PUT_ERROR(PEM, ERR_R_ASN1_LIB);\n }\n OPENSSL_free(data);\n return ret;\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/pem/pem_pk8.cc", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n#include \n#include \n#include \n#include \n#include \n#include \n\nstatic int do_pk8pkey(BIO *bp, const EVP_PKEY *x, int isder, int nid,\n const EVP_CIPHER *enc, const char *pass, int pass_len,\n pem_password_cb *cb, void *u);\nstatic int do_pk8pkey_fp(FILE *bp, const EVP_PKEY *x, int isder, int nid,\n const EVP_CIPHER *enc, const char *pass, int pass_len,\n pem_password_cb *cb, void *u);\n\n// These functions write a private key in PKCS#8 format: it is a \"drop in\"\n// replacement for PEM_write_bio_PrivateKey() and friends. As usual if 'enc'\n// is NULL then it uses the unencrypted private key form. The 'nid' versions\n// uses PKCS#5 v1.5 PBE algorithms whereas the others use PKCS#5 v2.0.\n\nint PEM_write_bio_PKCS8PrivateKey_nid(BIO *bp, const EVP_PKEY *x, int nid,\n const char *pass, int pass_len,\n pem_password_cb *cb, void *u) {\n return do_pk8pkey(bp, x, 0, nid, NULL, pass, pass_len, cb, u);\n}\n\nint PEM_write_bio_PKCS8PrivateKey(BIO *bp, const EVP_PKEY *x,\n const EVP_CIPHER *enc, const char *pass,\n int pass_len, pem_password_cb *cb, void *u) {\n return do_pk8pkey(bp, x, 0, -1, enc, pass, pass_len, cb, u);\n}\n\nint i2d_PKCS8PrivateKey_bio(BIO *bp, const EVP_PKEY *x, const EVP_CIPHER *enc,\n const char *pass, int pass_len, pem_password_cb *cb,\n void *u) {\n return do_pk8pkey(bp, x, 1, -1, enc, pass, pass_len, cb, u);\n}\n\nint i2d_PKCS8PrivateKey_nid_bio(BIO *bp, const EVP_PKEY *x, int nid,\n const char *pass, int pass_len,\n pem_password_cb *cb, void *u) {\n return do_pk8pkey(bp, x, 1, nid, NULL, pass, pass_len, cb, u);\n}\n\nstatic int do_pk8pkey(BIO *bp, const EVP_PKEY *x, int isder, int nid,\n const EVP_CIPHER *enc, const char *pass, int pass_len,\n pem_password_cb *cb, void *u) {\n X509_SIG *p8;\n PKCS8_PRIV_KEY_INFO *p8inf;\n char buf[PEM_BUFSIZE];\n int ret;\n if (!(p8inf = EVP_PKEY2PKCS8(x))) {\n OPENSSL_PUT_ERROR(PEM, PEM_R_ERROR_CONVERTING_PRIVATE_KEY);\n return 0;\n }\n if (enc || (nid != -1)) {\n if (!pass) {\n if (!cb) {\n cb = PEM_def_callback;\n }\n pass_len = cb(buf, PEM_BUFSIZE, 1, u);\n if (pass_len < 0) {\n OPENSSL_PUT_ERROR(PEM, PEM_R_READ_KEY);\n PKCS8_PRIV_KEY_INFO_free(p8inf);\n return 0;\n }\n\n pass = buf;\n }\n p8 = PKCS8_encrypt(nid, enc, pass, pass_len, NULL, 0, 0, p8inf);\n if (pass == buf) {\n OPENSSL_cleanse(buf, pass_len);\n }\n PKCS8_PRIV_KEY_INFO_free(p8inf);\n if (isder) {\n ret = i2d_PKCS8_bio(bp, p8);\n } else {\n ret = PEM_write_bio_PKCS8(bp, p8);\n }\n X509_SIG_free(p8);\n return ret;\n } else {\n if (isder) {\n ret = i2d_PKCS8_PRIV_KEY_INFO_bio(bp, p8inf);\n } else {\n ret = PEM_write_bio_PKCS8_PRIV_KEY_INFO(bp, p8inf);\n }\n PKCS8_PRIV_KEY_INFO_free(p8inf);\n return ret;\n }\n}\n\nEVP_PKEY *d2i_PKCS8PrivateKey_bio(BIO *bp, EVP_PKEY **x, pem_password_cb *cb,\n void *u) {\n PKCS8_PRIV_KEY_INFO *p8inf = NULL;\n X509_SIG *p8 = NULL;\n int pass_len;\n EVP_PKEY *ret;\n char psbuf[PEM_BUFSIZE];\n p8 = d2i_PKCS8_bio(bp, NULL);\n if (!p8) {\n return NULL;\n }\n\n pass_len = 0;\n if (!cb) {\n cb = PEM_def_callback;\n }\n pass_len = cb(psbuf, PEM_BUFSIZE, 0, u);\n if (pass_len < 0) {\n OPENSSL_PUT_ERROR(PEM, PEM_R_BAD_PASSWORD_READ);\n X509_SIG_free(p8);\n return NULL;\n }\n p8inf = PKCS8_decrypt(p8, psbuf, pass_len);\n X509_SIG_free(p8);\n OPENSSL_cleanse(psbuf, pass_len);\n if (!p8inf) {\n return NULL;\n }\n ret = EVP_PKCS82PKEY(p8inf);\n PKCS8_PRIV_KEY_INFO_free(p8inf);\n if (!ret) {\n return NULL;\n }\n if (x) {\n if (*x) {\n EVP_PKEY_free(*x);\n }\n *x = ret;\n }\n return ret;\n}\n\n\nint i2d_PKCS8PrivateKey_fp(FILE *fp, const EVP_PKEY *x, const EVP_CIPHER *enc,\n const char *pass, int pass_len, pem_password_cb *cb,\n void *u) {\n return do_pk8pkey_fp(fp, x, 1, -1, enc, pass, pass_len, cb, u);\n}\n\nint i2d_PKCS8PrivateKey_nid_fp(FILE *fp, const EVP_PKEY *x, int nid,\n const char *pass, int pass_len,\n pem_password_cb *cb, void *u) {\n return do_pk8pkey_fp(fp, x, 1, nid, NULL, pass, pass_len, cb, u);\n}\n\nint PEM_write_PKCS8PrivateKey_nid(FILE *fp, const EVP_PKEY *x, int nid,\n const char *pass, int pass_len,\n pem_password_cb *cb, void *u) {\n return do_pk8pkey_fp(fp, x, 0, nid, NULL, pass, pass_len, cb, u);\n}\n\nint PEM_write_PKCS8PrivateKey(FILE *fp, const EVP_PKEY *x,\n const EVP_CIPHER *enc, const char *pass,\n int pass_len, pem_password_cb *cb, void *u) {\n return do_pk8pkey_fp(fp, x, 0, -1, enc, pass, pass_len, cb, u);\n}\n\nstatic int do_pk8pkey_fp(FILE *fp, const EVP_PKEY *x, int isder, int nid,\n const EVP_CIPHER *enc, const char *pass, int pass_len,\n pem_password_cb *cb, void *u) {\n BIO *bp;\n int ret;\n if (!(bp = BIO_new_fp(fp, BIO_NOCLOSE))) {\n OPENSSL_PUT_ERROR(PEM, ERR_R_BUF_LIB);\n return 0;\n }\n ret = do_pk8pkey(bp, x, isder, nid, enc, pass, pass_len, cb, u);\n BIO_free(bp);\n return ret;\n}\n\nEVP_PKEY *d2i_PKCS8PrivateKey_fp(FILE *fp, EVP_PKEY **x, pem_password_cb *cb,\n void *u) {\n BIO *bp;\n EVP_PKEY *ret;\n if (!(bp = BIO_new_fp(fp, BIO_NOCLOSE))) {\n OPENSSL_PUT_ERROR(PEM, ERR_R_BUF_LIB);\n return NULL;\n }\n ret = d2i_PKCS8PrivateKey_bio(bp, x, cb, u);\n BIO_free(bp);\n return ret;\n}\n\n\nIMPLEMENT_PEM_rw(PKCS8, X509_SIG, PEM_STRING_PKCS8, X509_SIG)\n\n\nIMPLEMENT_PEM_rw(PKCS8_PRIV_KEY_INFO, PKCS8_PRIV_KEY_INFO, PEM_STRING_PKCS8INF,\n PKCS8_PRIV_KEY_INFO)\n" }, { "path": "Sources/CNIOBoringSSL/crypto/pem/pem_pkey.cc", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n#include \n\n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n\nEVP_PKEY *PEM_read_bio_PrivateKey(BIO *bp, EVP_PKEY **x, pem_password_cb *cb,\n void *u) {\n char *nm = NULL;\n const unsigned char *p = NULL;\n unsigned char *data = NULL;\n long len;\n EVP_PKEY *ret = NULL;\n\n if (!PEM_bytes_read_bio(&data, &len, &nm, PEM_STRING_EVP_PKEY, bp, cb, u)) {\n return NULL;\n }\n p = data;\n\n if (strcmp(nm, PEM_STRING_PKCS8INF) == 0) {\n PKCS8_PRIV_KEY_INFO *p8inf;\n p8inf = d2i_PKCS8_PRIV_KEY_INFO(NULL, &p, len);\n if (!p8inf) {\n goto p8err;\n }\n ret = EVP_PKCS82PKEY(p8inf);\n if (x) {\n if (*x) {\n EVP_PKEY_free((EVP_PKEY *)*x);\n }\n *x = ret;\n }\n PKCS8_PRIV_KEY_INFO_free(p8inf);\n } else if (strcmp(nm, PEM_STRING_PKCS8) == 0) {\n PKCS8_PRIV_KEY_INFO *p8inf;\n X509_SIG *p8;\n int pass_len;\n char psbuf[PEM_BUFSIZE];\n p8 = d2i_X509_SIG(NULL, &p, len);\n if (!p8) {\n goto p8err;\n }\n\n pass_len = 0;\n if (!cb) {\n cb = PEM_def_callback;\n }\n pass_len = cb(psbuf, PEM_BUFSIZE, 0, u);\n if (pass_len < 0) {\n OPENSSL_PUT_ERROR(PEM, PEM_R_BAD_PASSWORD_READ);\n X509_SIG_free(p8);\n goto err;\n }\n p8inf = PKCS8_decrypt(p8, psbuf, pass_len);\n X509_SIG_free(p8);\n OPENSSL_cleanse(psbuf, pass_len);\n if (!p8inf) {\n goto p8err;\n }\n ret = EVP_PKCS82PKEY(p8inf);\n if (x) {\n if (*x) {\n EVP_PKEY_free((EVP_PKEY *)*x);\n }\n *x = ret;\n }\n PKCS8_PRIV_KEY_INFO_free(p8inf);\n } else if (strcmp(nm, PEM_STRING_RSA) == 0) {\n // TODO(davidben): d2i_PrivateKey parses PKCS#8 along with the\n // standalone format. This and the cases below probably should not\n // accept PKCS#8.\n ret = d2i_PrivateKey(EVP_PKEY_RSA, x, &p, len);\n } else if (strcmp(nm, PEM_STRING_EC) == 0) {\n ret = d2i_PrivateKey(EVP_PKEY_EC, x, &p, len);\n } else if (strcmp(nm, PEM_STRING_DSA) == 0) {\n ret = d2i_PrivateKey(EVP_PKEY_DSA, x, &p, len);\n }\np8err:\n if (ret == NULL) {\n OPENSSL_PUT_ERROR(PEM, ERR_R_ASN1_LIB);\n }\n\nerr:\n OPENSSL_free(nm);\n OPENSSL_free(data);\n return ret;\n}\n\nint PEM_write_bio_PrivateKey(BIO *bp, EVP_PKEY *x, const EVP_CIPHER *enc,\n const unsigned char *pass, int pass_len,\n pem_password_cb *cb, void *u) {\n return PEM_write_bio_PKCS8PrivateKey(bp, x, enc, (const char *)pass, pass_len,\n cb, u);\n}\n\nEVP_PKEY *PEM_read_PrivateKey(FILE *fp, EVP_PKEY **x, pem_password_cb *cb,\n void *u) {\n BIO *b = BIO_new_fp(fp, BIO_NOCLOSE);\n if (b == NULL) {\n OPENSSL_PUT_ERROR(PEM, ERR_R_BUF_LIB);\n return NULL;\n }\n EVP_PKEY *ret = PEM_read_bio_PrivateKey(b, x, cb, u);\n BIO_free(b);\n return ret;\n}\n\nint PEM_write_PrivateKey(FILE *fp, EVP_PKEY *x, const EVP_CIPHER *enc,\n const unsigned char *pass, int pass_len,\n pem_password_cb *cb, void *u) {\n BIO *b = BIO_new_fp(fp, BIO_NOCLOSE);\n if (b == NULL) {\n OPENSSL_PUT_ERROR(PEM, ERR_R_BUF_LIB);\n return 0;\n }\n int ret = PEM_write_bio_PrivateKey(b, x, enc, pass, pass_len, cb, u);\n BIO_free(b);\n return ret;\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/pem/pem_x509.cc", "content": "/*\n * Copyright 2001-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n#include \n#include \n#include \n\nIMPLEMENT_PEM_rw(X509, X509, PEM_STRING_X509, X509)\n" }, { "path": "Sources/CNIOBoringSSL/crypto/pem/pem_xaux.cc", "content": "/*\n * Copyright 2001-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n#include \n#include \n#include \n\nIMPLEMENT_PEM_rw(X509_AUX, X509, PEM_STRING_X509_TRUSTED, X509_AUX)\n" }, { "path": "Sources/CNIOBoringSSL/crypto/pkcs7/internal.h", "content": "/* Copyright 2017 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n#ifndef OPENSSL_HEADER_PKCS7_INTERNAL_H\n#define OPENSSL_HEADER_PKCS7_INTERNAL_H\n\n#include \n\n#if defined(__cplusplus)\nextern \"C\" {\n#endif\n\n\n// pkcs7_parse_header reads the non-certificate/non-CRL prefix of a PKCS#7\n// SignedData blob from |cbs| and sets |*out| to point to the rest of the\n// input. If the input is in BER format, then |*der_bytes| will be set to a\n// pointer that needs to be freed by the caller once they have finished\n// processing |*out| (which will be pointing into |*der_bytes|).\n//\n// It returns one on success or zero on error. On error, |*der_bytes| is\n// NULL.\nint pkcs7_parse_header(uint8_t **der_bytes, CBS *out, CBS *cbs);\n\n// pkcs7_add_signed_data writes a PKCS#7, SignedData structure to |out|. While\n// doing so it makes callbacks to let the caller fill in parts of the structure.\n// All callbacks are ignored if NULL and return one on success or zero on error.\n//\n// digest_algos_cb: may write AlgorithmIdentifiers into the given CBB, which\n// is a SET of digest algorithms.\n// cert_crl_cb: may write the |certificates| or |crls| fields.\n// (See https://datatracker.ietf.org/doc/html/rfc2315#section-9.1)\n// signer_infos_cb: may write the contents of the |signerInfos| field.\n// (See https://datatracker.ietf.org/doc/html/rfc2315#section-9.1)\n//\n// pkcs7_add_signed_data returns one on success or zero on error.\nint pkcs7_add_signed_data(CBB *out,\n int (*digest_algos_cb)(CBB *out, const void *arg),\n int (*cert_crl_cb)(CBB *out, const void *arg),\n int (*signer_infos_cb)(CBB *out, const void *arg),\n const void *arg);\n\n\n#if defined(__cplusplus)\n} // extern C\n#endif\n\n#endif // OPENSSL_HEADER_PKCS7_INTERNAL_H\n" }, { "path": "Sources/CNIOBoringSSL/crypto/pkcs7/pkcs7.cc", "content": "/* Copyright 2014 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n#include \n\n#include \n#include \n#include \n#include \n#include \n\n#include \"../bytestring/internal.h\"\n#include \"internal.h\"\n\n\n// 1.2.840.113549.1.7.1\nstatic const uint8_t kPKCS7Data[] = {0x2a, 0x86, 0x48, 0x86, 0xf7,\n 0x0d, 0x01, 0x07, 0x01};\n\n// 1.2.840.113549.1.7.2\nstatic const uint8_t kPKCS7SignedData[] = {0x2a, 0x86, 0x48, 0x86, 0xf7,\n 0x0d, 0x01, 0x07, 0x02};\n\n// pkcs7_parse_header reads the non-certificate/non-CRL prefix of a PKCS#7\n// SignedData blob from |cbs| and sets |*out| to point to the rest of the\n// input. If the input is in BER format, then |*der_bytes| will be set to a\n// pointer that needs to be freed by the caller once they have finished\n// processing |*out| (which will be pointing into |*der_bytes|).\n//\n// It returns one on success or zero on error. On error, |*der_bytes| is\n// NULL.\nint pkcs7_parse_header(uint8_t **der_bytes, CBS *out, CBS *cbs) {\n CBS in, content_info, content_type, wrapped_signed_data, signed_data;\n uint64_t version;\n\n // The input may be in BER format.\n *der_bytes = NULL;\n if (!CBS_asn1_ber_to_der(cbs, &in, der_bytes) ||\n // See https://tools.ietf.org/html/rfc2315#section-7\n !CBS_get_asn1(&in, &content_info, CBS_ASN1_SEQUENCE) ||\n !CBS_get_asn1(&content_info, &content_type, CBS_ASN1_OBJECT)) {\n goto err;\n }\n\n if (!CBS_mem_equal(&content_type, kPKCS7SignedData,\n sizeof(kPKCS7SignedData))) {\n OPENSSL_PUT_ERROR(PKCS7, PKCS7_R_NOT_PKCS7_SIGNED_DATA);\n goto err;\n }\n\n // See https://tools.ietf.org/html/rfc2315#section-9.1\n if (!CBS_get_asn1(&content_info, &wrapped_signed_data,\n CBS_ASN1_CONTEXT_SPECIFIC | CBS_ASN1_CONSTRUCTED | 0) ||\n !CBS_get_asn1(&wrapped_signed_data, &signed_data, CBS_ASN1_SEQUENCE) ||\n !CBS_get_asn1_uint64(&signed_data, &version) ||\n !CBS_get_asn1(&signed_data, NULL /* digests */, CBS_ASN1_SET) ||\n !CBS_get_asn1(&signed_data, NULL /* content */, CBS_ASN1_SEQUENCE)) {\n goto err;\n }\n\n if (version < 1) {\n OPENSSL_PUT_ERROR(PKCS7, PKCS7_R_BAD_PKCS7_VERSION);\n goto err;\n }\n\n CBS_init(out, CBS_data(&signed_data), CBS_len(&signed_data));\n return 1;\n\nerr:\n OPENSSL_free(*der_bytes);\n *der_bytes = NULL;\n return 0;\n}\n\nint PKCS7_get_raw_certificates(STACK_OF(CRYPTO_BUFFER) *out_certs, CBS *cbs,\n CRYPTO_BUFFER_POOL *pool) {\n CBS signed_data, certificates;\n uint8_t *der_bytes = NULL;\n int ret = 0, has_certificates;\n const size_t initial_certs_len = sk_CRYPTO_BUFFER_num(out_certs);\n\n // See https://tools.ietf.org/html/rfc2315#section-9.1\n if (!pkcs7_parse_header(&der_bytes, &signed_data, cbs) ||\n !CBS_get_optional_asn1(\n &signed_data, &certificates, &has_certificates,\n CBS_ASN1_CONTEXT_SPECIFIC | CBS_ASN1_CONSTRUCTED | 0)) {\n goto err;\n }\n\n if (!has_certificates) {\n CBS_init(&certificates, NULL, 0);\n }\n\n while (CBS_len(&certificates) > 0) {\n CBS cert;\n if (!CBS_get_asn1_element(&certificates, &cert, CBS_ASN1_SEQUENCE)) {\n goto err;\n }\n\n CRYPTO_BUFFER *buf = CRYPTO_BUFFER_new_from_CBS(&cert, pool);\n if (buf == NULL || !sk_CRYPTO_BUFFER_push(out_certs, buf)) {\n CRYPTO_BUFFER_free(buf);\n goto err;\n }\n }\n\n ret = 1;\n\nerr:\n OPENSSL_free(der_bytes);\n\n if (!ret) {\n while (sk_CRYPTO_BUFFER_num(out_certs) != initial_certs_len) {\n CRYPTO_BUFFER *buf = sk_CRYPTO_BUFFER_pop(out_certs);\n CRYPTO_BUFFER_free(buf);\n }\n }\n\n return ret;\n}\n\nstatic int pkcs7_bundle_raw_certificates_cb(CBB *out, const void *arg) {\n const STACK_OF(CRYPTO_BUFFER) *certs =\n reinterpret_cast(arg);\n CBB certificates;\n\n // See https://tools.ietf.org/html/rfc2315#section-9.1\n if (!CBB_add_asn1(out, &certificates,\n CBS_ASN1_CONTEXT_SPECIFIC | CBS_ASN1_CONSTRUCTED | 0)) {\n return 0;\n }\n\n for (size_t i = 0; i < sk_CRYPTO_BUFFER_num(certs); i++) {\n CRYPTO_BUFFER *cert = sk_CRYPTO_BUFFER_value(certs, i);\n if (!CBB_add_bytes(&certificates, CRYPTO_BUFFER_data(cert),\n CRYPTO_BUFFER_len(cert))) {\n return 0;\n }\n }\n\n // |certificates| is a implicitly-tagged SET OF.\n return CBB_flush_asn1_set_of(&certificates) && CBB_flush(out);\n}\n\nint PKCS7_bundle_raw_certificates(CBB *out,\n const STACK_OF(CRYPTO_BUFFER) *certs) {\n return pkcs7_add_signed_data(out, /*digest_algos_cb=*/NULL,\n pkcs7_bundle_raw_certificates_cb,\n /*signer_infos_cb=*/NULL, certs);\n}\n\nint pkcs7_add_signed_data(CBB *out,\n int (*digest_algos_cb)(CBB *out, const void *arg),\n int (*cert_crl_cb)(CBB *out, const void *arg),\n int (*signer_infos_cb)(CBB *out, const void *arg),\n const void *arg) {\n CBB outer_seq, oid, wrapped_seq, seq, version_bytes, digest_algos_set,\n content_info, signer_infos;\n\n // See https://tools.ietf.org/html/rfc2315#section-7\n if (!CBB_add_asn1(out, &outer_seq, CBS_ASN1_SEQUENCE) ||\n !CBB_add_asn1(&outer_seq, &oid, CBS_ASN1_OBJECT) ||\n !CBB_add_bytes(&oid, kPKCS7SignedData, sizeof(kPKCS7SignedData)) ||\n !CBB_add_asn1(&outer_seq, &wrapped_seq,\n CBS_ASN1_CONTEXT_SPECIFIC | CBS_ASN1_CONSTRUCTED | 0) ||\n // See https://tools.ietf.org/html/rfc2315#section-9.1\n !CBB_add_asn1(&wrapped_seq, &seq, CBS_ASN1_SEQUENCE) ||\n !CBB_add_asn1(&seq, &version_bytes, CBS_ASN1_INTEGER) ||\n !CBB_add_u8(&version_bytes, 1) ||\n !CBB_add_asn1(&seq, &digest_algos_set, CBS_ASN1_SET) ||\n (digest_algos_cb != NULL && !digest_algos_cb(&digest_algos_set, arg)) ||\n !CBB_add_asn1(&seq, &content_info, CBS_ASN1_SEQUENCE) ||\n !CBB_add_asn1(&content_info, &oid, CBS_ASN1_OBJECT) ||\n !CBB_add_bytes(&oid, kPKCS7Data, sizeof(kPKCS7Data)) ||\n (cert_crl_cb != NULL && !cert_crl_cb(&seq, arg)) ||\n !CBB_add_asn1(&seq, &signer_infos, CBS_ASN1_SET) ||\n (signer_infos_cb != NULL && !signer_infos_cb(&signer_infos, arg))) {\n return 0;\n }\n\n return CBB_flush(out);\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/pkcs7/pkcs7_x509.cc", "content": "/* Copyright 2017 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n#include \n\n#include \n#include \n\n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n\n#include \"../internal.h\"\n#include \"internal.h\"\n\n\nint PKCS7_get_certificates(STACK_OF(X509) *out_certs, CBS *cbs) {\n int ret = 0;\n const size_t initial_certs_len = sk_X509_num(out_certs);\n STACK_OF(CRYPTO_BUFFER) *raw = sk_CRYPTO_BUFFER_new_null();\n if (raw == NULL || !PKCS7_get_raw_certificates(raw, cbs, NULL)) {\n goto err;\n }\n\n for (size_t i = 0; i < sk_CRYPTO_BUFFER_num(raw); i++) {\n CRYPTO_BUFFER *buf = sk_CRYPTO_BUFFER_value(raw, i);\n X509 *x509 = X509_parse_from_buffer(buf);\n if (x509 == NULL || !sk_X509_push(out_certs, x509)) {\n X509_free(x509);\n goto err;\n }\n }\n\n ret = 1;\n\nerr:\n sk_CRYPTO_BUFFER_pop_free(raw, CRYPTO_BUFFER_free);\n if (!ret) {\n while (sk_X509_num(out_certs) != initial_certs_len) {\n X509 *x509 = sk_X509_pop(out_certs);\n X509_free(x509);\n }\n }\n\n return ret;\n}\n\nint PKCS7_get_CRLs(STACK_OF(X509_CRL) *out_crls, CBS *cbs) {\n CBS signed_data, crls;\n uint8_t *der_bytes = NULL;\n int ret = 0, has_crls;\n const size_t initial_crls_len = sk_X509_CRL_num(out_crls);\n\n // See https://tools.ietf.org/html/rfc2315#section-9.1\n if (!pkcs7_parse_header(&der_bytes, &signed_data, cbs) ||\n // Even if only CRLs are included, there may be an empty certificates\n // block. OpenSSL does this, for example.\n !CBS_get_optional_asn1(\n &signed_data, NULL, NULL,\n CBS_ASN1_CONTEXT_SPECIFIC | CBS_ASN1_CONSTRUCTED | 0) ||\n !CBS_get_optional_asn1(\n &signed_data, &crls, &has_crls,\n CBS_ASN1_CONTEXT_SPECIFIC | CBS_ASN1_CONSTRUCTED | 1)) {\n goto err;\n }\n\n if (!has_crls) {\n CBS_init(&crls, NULL, 0);\n }\n\n while (CBS_len(&crls) > 0) {\n CBS crl_data;\n X509_CRL *crl;\n const uint8_t *inp;\n\n if (!CBS_get_asn1_element(&crls, &crl_data, CBS_ASN1_SEQUENCE)) {\n goto err;\n }\n\n if (CBS_len(&crl_data) > LONG_MAX) {\n goto err;\n }\n inp = CBS_data(&crl_data);\n crl = d2i_X509_CRL(NULL, &inp, (long)CBS_len(&crl_data));\n if (!crl) {\n goto err;\n }\n\n assert(inp == CBS_data(&crl_data) + CBS_len(&crl_data));\n\n if (sk_X509_CRL_push(out_crls, crl) == 0) {\n X509_CRL_free(crl);\n goto err;\n }\n }\n\n ret = 1;\n\nerr:\n OPENSSL_free(der_bytes);\n\n if (!ret) {\n while (sk_X509_CRL_num(out_crls) != initial_crls_len) {\n X509_CRL_free(sk_X509_CRL_pop(out_crls));\n }\n }\n\n return ret;\n}\n\nint PKCS7_get_PEM_certificates(STACK_OF(X509) *out_certs, BIO *pem_bio) {\n uint8_t *data;\n long len;\n int ret;\n\n // Even though we pass PEM_STRING_PKCS7 as the expected PEM type here, PEM\n // internally will actually allow several other values too, including\n // \"CERTIFICATE\".\n if (!PEM_bytes_read_bio(&data, &len, NULL /* PEM type output */,\n PEM_STRING_PKCS7, pem_bio,\n NULL /* password callback */,\n NULL /* password callback argument */)) {\n return 0;\n }\n\n CBS cbs;\n CBS_init(&cbs, data, len);\n ret = PKCS7_get_certificates(out_certs, &cbs);\n OPENSSL_free(data);\n return ret;\n}\n\nint PKCS7_get_PEM_CRLs(STACK_OF(X509_CRL) *out_crls, BIO *pem_bio) {\n uint8_t *data;\n long len;\n int ret;\n\n // Even though we pass PEM_STRING_PKCS7 as the expected PEM type here, PEM\n // internally will actually allow several other values too, including\n // \"CERTIFICATE\".\n if (!PEM_bytes_read_bio(&data, &len, NULL /* PEM type output */,\n PEM_STRING_PKCS7, pem_bio,\n NULL /* password callback */,\n NULL /* password callback argument */)) {\n return 0;\n }\n\n CBS cbs;\n CBS_init(&cbs, data, len);\n ret = PKCS7_get_CRLs(out_crls, &cbs);\n OPENSSL_free(data);\n return ret;\n}\n\nstatic int pkcs7_bundle_certificates_cb(CBB *out, const void *arg) {\n const STACK_OF(X509) *certs = reinterpret_cast(arg);\n size_t i;\n CBB certificates;\n\n // See https://tools.ietf.org/html/rfc2315#section-9.1\n if (!CBB_add_asn1(out, &certificates,\n CBS_ASN1_CONTEXT_SPECIFIC | CBS_ASN1_CONSTRUCTED | 0)) {\n return 0;\n }\n\n for (i = 0; i < sk_X509_num(certs); i++) {\n X509 *x509 = sk_X509_value(certs, i);\n uint8_t *buf;\n int len = i2d_X509(x509, NULL);\n\n if (len < 0 || !CBB_add_space(&certificates, &buf, len) ||\n i2d_X509(x509, &buf) < 0) {\n return 0;\n }\n }\n\n // |certificates| is a implicitly-tagged SET OF.\n return CBB_flush_asn1_set_of(&certificates) && CBB_flush(out);\n}\n\nint PKCS7_bundle_certificates(CBB *out, const STACK_OF(X509) *certs) {\n return pkcs7_add_signed_data(out, /*digest_algos_cb=*/NULL,\n pkcs7_bundle_certificates_cb,\n /*signer_infos_cb=*/NULL, certs);\n}\n\nstatic int pkcs7_bundle_crls_cb(CBB *out, const void *arg) {\n const STACK_OF(X509_CRL) *crls =\n reinterpret_cast(arg);\n size_t i;\n CBB crl_data;\n\n // See https://tools.ietf.org/html/rfc2315#section-9.1\n if (!CBB_add_asn1(out, &crl_data,\n CBS_ASN1_CONTEXT_SPECIFIC | CBS_ASN1_CONSTRUCTED | 1)) {\n return 0;\n }\n\n for (i = 0; i < sk_X509_CRL_num(crls); i++) {\n X509_CRL *crl = sk_X509_CRL_value(crls, i);\n uint8_t *buf;\n int len = i2d_X509_CRL(crl, NULL);\n\n if (len < 0 || !CBB_add_space(&crl_data, &buf, len) ||\n i2d_X509_CRL(crl, &buf) < 0) {\n return 0;\n }\n }\n\n // |crl_data| is a implicitly-tagged SET OF.\n return CBB_flush_asn1_set_of(&crl_data) && CBB_flush(out);\n}\n\nint PKCS7_bundle_CRLs(CBB *out, const STACK_OF(X509_CRL) *crls) {\n return pkcs7_add_signed_data(out, /*digest_algos_cb=*/NULL,\n pkcs7_bundle_crls_cb,\n /*signer_infos_cb=*/NULL, crls);\n}\n\nstatic PKCS7 *pkcs7_new(CBS *cbs) {\n CBS copy = *cbs, copy2 = *cbs;\n PKCS7 *ret = reinterpret_cast(OPENSSL_zalloc(sizeof(PKCS7)));\n if (ret == NULL) {\n return NULL;\n }\n ret->type = OBJ_nid2obj(NID_pkcs7_signed);\n ret->d.sign =\n reinterpret_cast(OPENSSL_malloc(sizeof(PKCS7_SIGNED)));\n if (ret->d.sign == NULL) {\n goto err;\n }\n ret->d.sign->cert = sk_X509_new_null();\n ret->d.sign->crl = sk_X509_CRL_new_null();\n if (ret->d.sign->cert == NULL || ret->d.sign->crl == NULL ||\n !PKCS7_get_certificates(ret->d.sign->cert, ©) ||\n !PKCS7_get_CRLs(ret->d.sign->crl, cbs)) {\n goto err;\n }\n\n if (sk_X509_num(ret->d.sign->cert) == 0) {\n sk_X509_free(ret->d.sign->cert);\n ret->d.sign->cert = NULL;\n }\n\n if (sk_X509_CRL_num(ret->d.sign->crl) == 0) {\n sk_X509_CRL_free(ret->d.sign->crl);\n ret->d.sign->crl = NULL;\n }\n\n ret->ber_len = CBS_len(©2) - CBS_len(cbs);\n ret->ber_bytes = reinterpret_cast(\n OPENSSL_memdup(CBS_data(©2), ret->ber_len));\n if (ret->ber_bytes == NULL) {\n goto err;\n }\n\n return ret;\n\nerr:\n PKCS7_free(ret);\n return NULL;\n}\n\nPKCS7 *d2i_PKCS7(PKCS7 **out, const uint8_t **inp, size_t len) {\n CBS cbs;\n CBS_init(&cbs, *inp, len);\n PKCS7 *ret = pkcs7_new(&cbs);\n if (ret == NULL) {\n return NULL;\n }\n *inp = CBS_data(&cbs);\n if (out != NULL) {\n PKCS7_free(*out);\n *out = ret;\n }\n return ret;\n}\n\nPKCS7 *d2i_PKCS7_bio(BIO *bio, PKCS7 **out) {\n // Use a generous bound, to allow for PKCS#7 files containing large root sets.\n static const size_t kMaxSize = 4 * 1024 * 1024;\n uint8_t *data;\n size_t len;\n if (!BIO_read_asn1(bio, &data, &len, kMaxSize)) {\n return NULL;\n }\n\n CBS cbs;\n CBS_init(&cbs, data, len);\n PKCS7 *ret = pkcs7_new(&cbs);\n OPENSSL_free(data);\n if (out != NULL && ret != NULL) {\n PKCS7_free(*out);\n *out = ret;\n }\n return ret;\n}\n\nint i2d_PKCS7(const PKCS7 *p7, uint8_t **out) {\n if (p7->ber_len > INT_MAX) {\n OPENSSL_PUT_ERROR(PKCS8, ERR_R_OVERFLOW);\n return -1;\n }\n\n if (out == NULL) {\n return (int)p7->ber_len;\n }\n\n if (*out == NULL) {\n *out =\n reinterpret_cast(OPENSSL_memdup(p7->ber_bytes, p7->ber_len));\n if (*out == NULL) {\n return -1;\n }\n } else {\n OPENSSL_memcpy(*out, p7->ber_bytes, p7->ber_len);\n *out += p7->ber_len;\n }\n return (int)p7->ber_len;\n}\n\nint i2d_PKCS7_bio(BIO *bio, const PKCS7 *p7) {\n return BIO_write_all(bio, p7->ber_bytes, p7->ber_len);\n}\n\nvoid PKCS7_free(PKCS7 *p7) {\n if (p7 == NULL) {\n return;\n }\n\n OPENSSL_free(p7->ber_bytes);\n ASN1_OBJECT_free(p7->type);\n // We only supported signed data.\n if (p7->d.sign != NULL) {\n sk_X509_pop_free(p7->d.sign->cert, X509_free);\n sk_X509_CRL_pop_free(p7->d.sign->crl, X509_CRL_free);\n OPENSSL_free(p7->d.sign);\n }\n OPENSSL_free(p7);\n}\n\n// We only support signed data, so these getters are no-ops.\nint PKCS7_type_is_data(const PKCS7 *p7) { return 0; }\nint PKCS7_type_is_digest(const PKCS7 *p7) { return 0; }\nint PKCS7_type_is_encrypted(const PKCS7 *p7) { return 0; }\nint PKCS7_type_is_enveloped(const PKCS7 *p7) { return 0; }\nint PKCS7_type_is_signed(const PKCS7 *p7) { return 1; }\nint PKCS7_type_is_signedAndEnveloped(const PKCS7 *p7) { return 0; }\n\n// write_sha256_ai writes an AlgorithmIdentifier for SHA-256 to\n// |digest_algos_set|.\nstatic int write_sha256_ai(CBB *digest_algos_set, const void *arg) {\n CBB seq;\n return CBB_add_asn1(digest_algos_set, &seq, CBS_ASN1_SEQUENCE) &&\n OBJ_nid2cbb(&seq, NID_sha256) && //\n // https://datatracker.ietf.org/doc/html/rfc5754#section-2\n // \"Implementations MUST generate SHA2 AlgorithmIdentifiers with absent\n // parameters.\"\n CBB_flush(digest_algos_set);\n}\n\n// sign_sha256 writes at most |max_out_sig| bytes of the signature of |data| by\n// |pkey| to |out_sig| and sets |*out_sig_len| to the number of bytes written.\n// It returns one on success or zero on error.\nstatic int sign_sha256(uint8_t *out_sig, size_t *out_sig_len,\n size_t max_out_sig, EVP_PKEY *pkey, BIO *data) {\n static const size_t kBufSize = 4096;\n uint8_t *buffer = reinterpret_cast(OPENSSL_malloc(kBufSize));\n if (!buffer) {\n return 0;\n }\n\n EVP_MD_CTX ctx;\n EVP_MD_CTX_init(&ctx);\n\n int ret = 0;\n if (!EVP_DigestSignInit(&ctx, NULL, EVP_sha256(), NULL, pkey)) {\n goto out;\n }\n\n for (;;) {\n const int n = BIO_read(data, buffer, kBufSize);\n if (n == 0) {\n break;\n } else if (n < 0 || !EVP_DigestSignUpdate(&ctx, buffer, n)) {\n goto out;\n }\n }\n\n *out_sig_len = max_out_sig;\n if (!EVP_DigestSignFinal(&ctx, out_sig, out_sig_len)) {\n goto out;\n }\n\n ret = 1;\n\nout:\n EVP_MD_CTX_cleanup(&ctx);\n OPENSSL_free(buffer);\n return ret;\n}\n\nnamespace {\nstruct signer_info_data {\n const X509 *sign_cert;\n uint8_t *signature;\n size_t signature_len;\n};\n} // namespace\n\n// write_signer_info writes the SignerInfo structure from\n// https://datatracker.ietf.org/doc/html/rfc2315#section-9.2 to |out|. It\n// returns one on success or zero on error.\nstatic int write_signer_info(CBB *out, const void *arg) {\n const struct signer_info_data *const si_data =\n reinterpret_cast(arg);\n\n int ret = 0;\n uint8_t *subject_bytes = NULL;\n uint8_t *serial_bytes = NULL;\n\n const int subject_len =\n i2d_X509_NAME(X509_get_subject_name(si_data->sign_cert), &subject_bytes);\n const int serial_len = i2d_ASN1_INTEGER(\n (ASN1_INTEGER *)X509_get0_serialNumber(si_data->sign_cert),\n &serial_bytes);\n\n CBB seq, issuer_and_serial, signing_algo, null, signature;\n if (subject_len < 0 || serial_len < 0 ||\n !CBB_add_asn1(out, &seq, CBS_ASN1_SEQUENCE) ||\n // version\n !CBB_add_asn1_uint64(&seq, 1) ||\n !CBB_add_asn1(&seq, &issuer_and_serial, CBS_ASN1_SEQUENCE) ||\n !CBB_add_bytes(&issuer_and_serial, subject_bytes, subject_len) ||\n !CBB_add_bytes(&issuer_and_serial, serial_bytes, serial_len) ||\n !write_sha256_ai(&seq, NULL) ||\n !CBB_add_asn1(&seq, &signing_algo, CBS_ASN1_SEQUENCE) ||\n !OBJ_nid2cbb(&signing_algo, NID_rsaEncryption) ||\n !CBB_add_asn1(&signing_algo, &null, CBS_ASN1_NULL) ||\n !CBB_add_asn1(&seq, &signature, CBS_ASN1_OCTETSTRING) ||\n !CBB_add_bytes(&signature, si_data->signature, si_data->signature_len) ||\n !CBB_flush(out)) {\n goto out;\n }\n\n ret = 1;\n\nout:\n OPENSSL_free(subject_bytes);\n OPENSSL_free(serial_bytes);\n return ret;\n}\n\nPKCS7 *PKCS7_sign(X509 *sign_cert, EVP_PKEY *pkey, STACK_OF(X509) *certs,\n BIO *data, int flags) {\n CBB cbb;\n if (!CBB_init(&cbb, 2048)) {\n return NULL;\n }\n\n uint8_t *der = NULL;\n size_t len;\n PKCS7 *ret = NULL;\n\n if (sign_cert == NULL && pkey == NULL && flags == PKCS7_DETACHED) {\n // Caller just wants to bundle certificates.\n if (!PKCS7_bundle_certificates(&cbb, certs)) {\n goto out;\n }\n } else if (sign_cert != NULL && pkey != NULL && certs == NULL &&\n data != NULL &&\n flags == (PKCS7_NOATTR | PKCS7_BINARY | PKCS7_NOCERTS |\n PKCS7_DETACHED) &&\n EVP_PKEY_id(pkey) == NID_rsaEncryption) {\n // sign-file.c from the Linux kernel.\n const size_t signature_max_len = EVP_PKEY_size(pkey);\n struct signer_info_data si_data = {\n /*sign_cert=*/sign_cert,\n /*signature=*/\n reinterpret_cast(OPENSSL_malloc(signature_max_len)),\n /*signature_len=*/0,\n };\n\n if (!si_data.signature ||\n !sign_sha256(si_data.signature, &si_data.signature_len,\n signature_max_len, pkey, data) ||\n !pkcs7_add_signed_data(&cbb, write_sha256_ai, /*cert_crl_cb=*/NULL,\n write_signer_info, &si_data)) {\n OPENSSL_free(si_data.signature);\n goto out;\n }\n OPENSSL_free(si_data.signature);\n } else {\n OPENSSL_PUT_ERROR(PKCS7, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);\n goto out;\n }\n\n if (!CBB_finish(&cbb, &der, &len)) {\n goto out;\n }\n\n CBS cbs;\n CBS_init(&cbs, der, len);\n ret = pkcs7_new(&cbs);\n\nout:\n CBB_cleanup(&cbb);\n OPENSSL_free(der);\n return ret;\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/pkcs8/internal.h", "content": "/*\n * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#ifndef OPENSSL_HEADER_PKCS8_INTERNAL_H\n#define OPENSSL_HEADER_PKCS8_INTERNAL_H\n\n#include \n#include \n\n#if defined(__cplusplus)\nextern \"C\" {\n#endif\n\n\nstruct pkcs8_priv_key_info_st {\n ASN1_INTEGER *version;\n X509_ALGOR *pkeyalg;\n ASN1_OCTET_STRING *pkey;\n STACK_OF(X509_ATTRIBUTE) *attributes;\n};\n\n// pkcs8_pbe_decrypt decrypts |in| using the PBE scheme described by\n// |algorithm|, which should be a serialized AlgorithmIdentifier structure. On\n// success, it sets |*out| to a newly-allocated buffer containing the decrypted\n// result and returns one. Otherwise, it returns zero.\nint pkcs8_pbe_decrypt(uint8_t **out, size_t *out_len, CBS *algorithm,\n const char *pass, size_t pass_len, const uint8_t *in,\n size_t in_len);\n\n#define PKCS12_KEY_ID 1\n#define PKCS12_IV_ID 2\n#define PKCS12_MAC_ID 3\n\n// pkcs12_key_gen runs the PKCS#12 key derivation function as specified in\n// RFC 7292, appendix B. On success, it writes the resulting |out_len| bytes of\n// key material to |out| and returns one. Otherwise, it returns zero. |id|\n// should be one of the |PKCS12_*_ID| values.\nint pkcs12_key_gen(const char *pass, size_t pass_len, const uint8_t *salt,\n size_t salt_len, uint8_t id, uint32_t iterations,\n size_t out_len, uint8_t *out, const EVP_MD *md);\n\n// pkcs12_pbe_encrypt_init configures |ctx| for encrypting with a PBES1 scheme\n// defined in PKCS#12. It writes the corresponding AlgorithmIdentifier to |out|.\nint pkcs12_pbe_encrypt_init(CBB *out, EVP_CIPHER_CTX *ctx, int alg,\n uint32_t iterations, const char *pass,\n size_t pass_len, const uint8_t *salt,\n size_t salt_len);\n\nstruct pbe_suite {\n int pbe_nid;\n uint8_t oid[10];\n uint8_t oid_len;\n const EVP_CIPHER *(*cipher_func)(void);\n const EVP_MD *(*md_func)(void);\n // decrypt_init initialize |ctx| for decrypting. The password is specified by\n // |pass| and |pass_len|. |param| contains the serialized parameters field of\n // the AlgorithmIdentifier.\n //\n // It returns one on success and zero on error.\n int (*decrypt_init)(const struct pbe_suite *suite, EVP_CIPHER_CTX *ctx,\n const char *pass, size_t pass_len, CBS *param);\n};\n\n#define PKCS5_SALT_LEN 8\n\nint PKCS5_pbe2_decrypt_init(const struct pbe_suite *suite, EVP_CIPHER_CTX *ctx,\n const char *pass, size_t pass_len, CBS *param);\n\n// PKCS5_pbe2_encrypt_init configures |ctx| for encrypting with PKCS #5 PBES2,\n// as defined in RFC 2998, with the specified parameters. It writes the\n// corresponding AlgorithmIdentifier to |out|.\nint PKCS5_pbe2_encrypt_init(CBB *out, EVP_CIPHER_CTX *ctx,\n const EVP_CIPHER *cipher, uint32_t iterations,\n const char *pass, size_t pass_len,\n const uint8_t *salt, size_t salt_len);\n\n// pkcs12_iterations_acceptable returns one if |iterations| is a reasonable\n// number of PBKDF2 iterations and zero otherwise.\nint pkcs12_iterations_acceptable(uint64_t iterations);\n\n\n#if defined(__cplusplus)\n} // extern C\n#endif\n\n#endif // OPENSSL_HEADER_PKCS8_INTERNAL_H\n" }, { "path": "Sources/CNIOBoringSSL/crypto/pkcs8/p5_pbev2.cc", "content": "/*\n * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n#include \n\n#include \n#include \n#include \n#include \n#include \n#include \n\n#include \"internal.h\"\n#include \"../internal.h\"\n\n\n// 1.2.840.113549.1.5.12\nstatic const uint8_t kPBKDF2[] = {0x2a, 0x86, 0x48, 0x86, 0xf7,\n 0x0d, 0x01, 0x05, 0x0c};\n\n// 1.2.840.113549.1.5.13\nstatic const uint8_t kPBES2[] = {0x2a, 0x86, 0x48, 0x86, 0xf7,\n 0x0d, 0x01, 0x05, 0x0d};\n\n// 1.2.840.113549.2.7\nstatic const uint8_t kHMACWithSHA1[] = {0x2a, 0x86, 0x48, 0x86,\n 0xf7, 0x0d, 0x02, 0x07};\n\n// 1.2.840.113549.2.9\nstatic const uint8_t kHMACWithSHA256[] = {0x2a, 0x86, 0x48, 0x86,\n 0xf7, 0x0d, 0x02, 0x09};\n\nstatic const struct {\n uint8_t oid[9];\n uint8_t oid_len;\n int nid;\n const EVP_CIPHER *(*cipher_func)(void);\n} kCipherOIDs[] = {\n // 1.2.840.113549.3.2\n {{0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x03, 0x02},\n 8,\n NID_rc2_cbc,\n &EVP_rc2_cbc},\n // 1.2.840.113549.3.7\n {{0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x03, 0x07},\n 8,\n NID_des_ede3_cbc,\n &EVP_des_ede3_cbc},\n // 2.16.840.1.101.3.4.1.2\n {{0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x01, 0x02},\n 9,\n NID_aes_128_cbc,\n &EVP_aes_128_cbc},\n // 2.16.840.1.101.3.4.1.22\n {{0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x01, 0x16},\n 9,\n NID_aes_192_cbc,\n &EVP_aes_192_cbc},\n // 2.16.840.1.101.3.4.1.42\n {{0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x01, 0x2a},\n 9,\n NID_aes_256_cbc,\n &EVP_aes_256_cbc},\n};\n\nstatic const EVP_CIPHER *cbs_to_cipher(const CBS *cbs) {\n for (size_t i = 0; i < OPENSSL_ARRAY_SIZE(kCipherOIDs); i++) {\n if (CBS_mem_equal(cbs, kCipherOIDs[i].oid, kCipherOIDs[i].oid_len)) {\n return kCipherOIDs[i].cipher_func();\n }\n }\n\n return NULL;\n}\n\nstatic int add_cipher_oid(CBB *out, int nid) {\n for (size_t i = 0; i < OPENSSL_ARRAY_SIZE(kCipherOIDs); i++) {\n if (kCipherOIDs[i].nid == nid) {\n CBB child;\n return CBB_add_asn1(out, &child, CBS_ASN1_OBJECT) &&\n CBB_add_bytes(&child, kCipherOIDs[i].oid,\n kCipherOIDs[i].oid_len) &&\n CBB_flush(out);\n }\n }\n\n OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_UNSUPPORTED_CIPHER);\n return 0;\n}\n\nstatic int pkcs5_pbe2_cipher_init(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,\n const EVP_MD *pbkdf2_md, uint32_t iterations,\n const char *pass, size_t pass_len,\n const uint8_t *salt, size_t salt_len,\n const uint8_t *iv, size_t iv_len, int enc) {\n if (iv_len != EVP_CIPHER_iv_length(cipher)) {\n OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_ERROR_SETTING_CIPHER_PARAMS);\n return 0;\n }\n\n uint8_t key[EVP_MAX_KEY_LENGTH];\n int ret = PKCS5_PBKDF2_HMAC(pass, pass_len, salt, salt_len, iterations,\n pbkdf2_md, EVP_CIPHER_key_length(cipher), key) &&\n EVP_CipherInit_ex(ctx, cipher, NULL /* engine */, key, iv, enc);\n OPENSSL_cleanse(key, EVP_MAX_KEY_LENGTH);\n return ret;\n}\n\nint PKCS5_pbe2_encrypt_init(CBB *out, EVP_CIPHER_CTX *ctx,\n const EVP_CIPHER *cipher, uint32_t iterations,\n const char *pass, size_t pass_len,\n const uint8_t *salt, size_t salt_len) {\n int cipher_nid = EVP_CIPHER_nid(cipher);\n if (cipher_nid == NID_undef) {\n OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_CIPHER_HAS_NO_OBJECT_IDENTIFIER);\n return 0;\n }\n\n // Generate a random IV.\n uint8_t iv[EVP_MAX_IV_LENGTH];\n if (!RAND_bytes(iv, EVP_CIPHER_iv_length(cipher))) {\n return 0;\n }\n\n // See RFC 2898, appendix A.\n CBB algorithm, oid, param, kdf, kdf_oid, kdf_param, salt_cbb, cipher_cbb,\n iv_cbb;\n if (!CBB_add_asn1(out, &algorithm, CBS_ASN1_SEQUENCE) ||\n !CBB_add_asn1(&algorithm, &oid, CBS_ASN1_OBJECT) ||\n !CBB_add_bytes(&oid, kPBES2, sizeof(kPBES2)) ||\n !CBB_add_asn1(&algorithm, ¶m, CBS_ASN1_SEQUENCE) ||\n !CBB_add_asn1(¶m, &kdf, CBS_ASN1_SEQUENCE) ||\n !CBB_add_asn1(&kdf, &kdf_oid, CBS_ASN1_OBJECT) ||\n !CBB_add_bytes(&kdf_oid, kPBKDF2, sizeof(kPBKDF2)) ||\n !CBB_add_asn1(&kdf, &kdf_param, CBS_ASN1_SEQUENCE) ||\n !CBB_add_asn1(&kdf_param, &salt_cbb, CBS_ASN1_OCTETSTRING) ||\n !CBB_add_bytes(&salt_cbb, salt, salt_len) ||\n !CBB_add_asn1_uint64(&kdf_param, iterations) ||\n // Specify a key length for RC2.\n (cipher_nid == NID_rc2_cbc &&\n !CBB_add_asn1_uint64(&kdf_param, EVP_CIPHER_key_length(cipher))) ||\n // Omit the PRF. We use the default hmacWithSHA1.\n !CBB_add_asn1(¶m, &cipher_cbb, CBS_ASN1_SEQUENCE) ||\n !add_cipher_oid(&cipher_cbb, cipher_nid) ||\n // RFC 2898 says RC2-CBC and RC5-CBC-Pad use a SEQUENCE with version and\n // IV, but OpenSSL always uses an OCTET STRING IV, so we do the same.\n !CBB_add_asn1(&cipher_cbb, &iv_cbb, CBS_ASN1_OCTETSTRING) ||\n !CBB_add_bytes(&iv_cbb, iv, EVP_CIPHER_iv_length(cipher)) ||\n !CBB_flush(out)) {\n return 0;\n }\n\n return pkcs5_pbe2_cipher_init(ctx, cipher, EVP_sha1(), iterations, pass,\n pass_len, salt, salt_len, iv,\n EVP_CIPHER_iv_length(cipher), 1 /* encrypt */);\n}\n\nint PKCS5_pbe2_decrypt_init(const struct pbe_suite *suite, EVP_CIPHER_CTX *ctx,\n const char *pass, size_t pass_len, CBS *param) {\n CBS pbe_param, kdf, kdf_obj, enc_scheme, enc_obj;\n if (!CBS_get_asn1(param, &pbe_param, CBS_ASN1_SEQUENCE) ||\n CBS_len(param) != 0 ||\n !CBS_get_asn1(&pbe_param, &kdf, CBS_ASN1_SEQUENCE) ||\n !CBS_get_asn1(&pbe_param, &enc_scheme, CBS_ASN1_SEQUENCE) ||\n CBS_len(&pbe_param) != 0 ||\n !CBS_get_asn1(&kdf, &kdf_obj, CBS_ASN1_OBJECT) ||\n !CBS_get_asn1(&enc_scheme, &enc_obj, CBS_ASN1_OBJECT)) {\n OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_DECODE_ERROR);\n return 0;\n }\n\n // Only PBKDF2 is supported.\n if (!CBS_mem_equal(&kdf_obj, kPBKDF2, sizeof(kPBKDF2))) {\n OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_UNSUPPORTED_KEY_DERIVATION_FUNCTION);\n return 0;\n }\n\n // See if we recognise the encryption algorithm.\n const EVP_CIPHER *cipher = cbs_to_cipher(&enc_obj);\n if (cipher == NULL) {\n OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_UNSUPPORTED_CIPHER);\n return 0;\n }\n\n // Parse the KDF parameters. See RFC 8018, appendix A.2.\n CBS pbkdf2_params, salt;\n uint64_t iterations;\n if (!CBS_get_asn1(&kdf, &pbkdf2_params, CBS_ASN1_SEQUENCE) ||\n CBS_len(&kdf) != 0 ||\n !CBS_get_asn1(&pbkdf2_params, &salt, CBS_ASN1_OCTETSTRING) ||\n !CBS_get_asn1_uint64(&pbkdf2_params, &iterations)) {\n OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_DECODE_ERROR);\n return 0;\n }\n\n if (!pkcs12_iterations_acceptable(iterations)) {\n OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_ITERATION_COUNT);\n return 0;\n }\n\n // The optional keyLength parameter, if present, must match the key length of\n // the cipher.\n if (CBS_peek_asn1_tag(&pbkdf2_params, CBS_ASN1_INTEGER)) {\n uint64_t key_len;\n if (!CBS_get_asn1_uint64(&pbkdf2_params, &key_len)) {\n OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_DECODE_ERROR);\n return 0;\n }\n\n if (key_len != EVP_CIPHER_key_length(cipher)) {\n OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_UNSUPPORTED_KEYLENGTH);\n return 0;\n }\n }\n\n const EVP_MD *md = EVP_sha1();\n if (CBS_len(&pbkdf2_params) != 0) {\n CBS alg_id, prf;\n if (!CBS_get_asn1(&pbkdf2_params, &alg_id, CBS_ASN1_SEQUENCE) ||\n !CBS_get_asn1(&alg_id, &prf, CBS_ASN1_OBJECT) ||\n CBS_len(&pbkdf2_params) != 0) {\n OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_DECODE_ERROR);\n return 0;\n }\n\n if (CBS_mem_equal(&prf, kHMACWithSHA1, sizeof(kHMACWithSHA1))) {\n // hmacWithSHA1 is the DEFAULT, so DER requires it be omitted, but we\n // match OpenSSL in tolerating it being present.\n md = EVP_sha1();\n } else if (CBS_mem_equal(&prf, kHMACWithSHA256, sizeof(kHMACWithSHA256))) {\n md = EVP_sha256();\n } else {\n OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_UNSUPPORTED_PRF);\n return 0;\n }\n\n // All supported PRFs use a NULL parameter.\n CBS null;\n if (!CBS_get_asn1(&alg_id, &null, CBS_ASN1_NULL) ||\n CBS_len(&null) != 0 ||\n CBS_len(&alg_id) != 0) {\n OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_DECODE_ERROR);\n return 0;\n }\n }\n\n // Parse the encryption scheme parameters. Note OpenSSL does not match the\n // specification. Per RFC 2898, this should depend on the encryption scheme.\n // In particular, RC2-CBC uses a SEQUENCE with version and IV. We align with\n // OpenSSL.\n CBS iv;\n if (!CBS_get_asn1(&enc_scheme, &iv, CBS_ASN1_OCTETSTRING) ||\n CBS_len(&enc_scheme) != 0) {\n OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_UNSUPPORTED_PRF);\n return 0;\n }\n\n return pkcs5_pbe2_cipher_init(ctx, cipher, md, (uint32_t)iterations, pass,\n pass_len, CBS_data(&salt), CBS_len(&salt),\n CBS_data(&iv), CBS_len(&iv), 0 /* decrypt */);\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/pkcs8/pkcs8.cc", "content": "/*\n * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n#include \n#include \n\n#include \n#include \n#include \n#include \n#include \n#include \n#include \n\n#include \"../bytestring/internal.h\"\n#include \"../internal.h\"\n#include \"internal.h\"\n\n\nstatic int pkcs12_encode_password(const char *in, size_t in_len, uint8_t **out,\n size_t *out_len) {\n CBB cbb;\n if (!CBB_init(&cbb, in_len * 2)) {\n return 0;\n }\n\n // Convert the password to BMPString, or UCS-2. See\n // https://tools.ietf.org/html/rfc7292#appendix-B.1.\n CBS cbs;\n CBS_init(&cbs, (const uint8_t *)in, in_len);\n while (CBS_len(&cbs) != 0) {\n uint32_t c;\n if (!CBS_get_utf8(&cbs, &c) || !CBB_add_ucs2_be(&cbb, c)) {\n OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_INVALID_CHARACTERS);\n goto err;\n }\n }\n\n // Terminate the result with a UCS-2 NUL.\n if (!CBB_add_ucs2_be(&cbb, 0) || !CBB_finish(&cbb, out, out_len)) {\n goto err;\n }\n\n return 1;\n\nerr:\n CBB_cleanup(&cbb);\n return 0;\n}\n\nint pkcs12_key_gen(const char *pass, size_t pass_len, const uint8_t *salt,\n size_t salt_len, uint8_t id, uint32_t iterations,\n size_t out_len, uint8_t *out, const EVP_MD *md) {\n // See https://tools.ietf.org/html/rfc7292#appendix-B. Quoted parts of the\n // specification have errata applied and other typos fixed.\n\n if (iterations < 1) {\n OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_ITERATION_COUNT);\n return 0;\n }\n\n int ret = 0;\n EVP_MD_CTX ctx;\n EVP_MD_CTX_init(&ctx);\n uint8_t *pass_raw = NULL, *I = NULL;\n size_t pass_raw_len = 0, I_len = 0;\n\n {\n // If |pass| is NULL, we use the empty string rather than {0, 0} as the raw\n // password.\n if (pass != NULL &&\n !pkcs12_encode_password(pass, pass_len, &pass_raw, &pass_raw_len)) {\n goto err;\n }\n\n // In the spec, |block_size| is called \"v\", but measured in bits.\n size_t block_size = EVP_MD_block_size(md);\n\n // 1. Construct a string, D (the \"diversifier\"), by concatenating v/8 copies\n // of ID.\n uint8_t D[EVP_MAX_MD_BLOCK_SIZE];\n OPENSSL_memset(D, id, block_size);\n\n // 2. Concatenate copies of the salt together to create a string S of length\n // v(ceiling(s/v)) bits (the final copy of the salt may be truncated to\n // create S). Note that if the salt is the empty string, then so is S.\n //\n // 3. Concatenate copies of the password together to create a string P of\n // length v(ceiling(p/v)) bits (the final copy of the password may be\n // truncated to create P). Note that if the password is the empty string,\n // then so is P.\n //\n // 4. Set I=S||P to be the concatenation of S and P.\n if (salt_len + block_size - 1 < salt_len ||\n pass_raw_len + block_size - 1 < pass_raw_len) {\n OPENSSL_PUT_ERROR(PKCS8, ERR_R_OVERFLOW);\n goto err;\n }\n size_t S_len = block_size * ((salt_len + block_size - 1) / block_size);\n size_t P_len = block_size * ((pass_raw_len + block_size - 1) / block_size);\n I_len = S_len + P_len;\n if (I_len < S_len) {\n OPENSSL_PUT_ERROR(PKCS8, ERR_R_OVERFLOW);\n goto err;\n }\n\n I = reinterpret_cast(OPENSSL_malloc(I_len));\n if (I_len != 0 && I == NULL) {\n goto err;\n }\n\n for (size_t i = 0; i < S_len; i++) {\n I[i] = salt[i % salt_len];\n }\n for (size_t i = 0; i < P_len; i++) {\n I[i + S_len] = pass_raw[i % pass_raw_len];\n }\n\n while (out_len != 0) {\n // A. Set A_i=H^r(D||I). (i.e., the r-th hash of D||I,\n // H(H(H(... H(D||I))))\n uint8_t A[EVP_MAX_MD_SIZE];\n unsigned A_len;\n if (!EVP_DigestInit_ex(&ctx, md, NULL) ||\n !EVP_DigestUpdate(&ctx, D, block_size) ||\n !EVP_DigestUpdate(&ctx, I, I_len) ||\n !EVP_DigestFinal_ex(&ctx, A, &A_len)) {\n goto err;\n }\n for (uint32_t iter = 1; iter < iterations; iter++) {\n if (!EVP_DigestInit_ex(&ctx, md, NULL) ||\n !EVP_DigestUpdate(&ctx, A, A_len) ||\n !EVP_DigestFinal_ex(&ctx, A, &A_len)) {\n goto err;\n }\n }\n\n size_t todo = out_len < A_len ? out_len : A_len;\n OPENSSL_memcpy(out, A, todo);\n out += todo;\n out_len -= todo;\n if (out_len == 0) {\n break;\n }\n\n // B. Concatenate copies of A_i to create a string B of length v bits (the\n // final copy of A_i may be truncated to create B).\n uint8_t B[EVP_MAX_MD_BLOCK_SIZE];\n for (size_t i = 0; i < block_size; i++) {\n B[i] = A[i % A_len];\n }\n\n // C. Treating I as a concatenation I_0, I_1, ..., I_(k-1) of v-bit\n // blocks, where k=ceiling(s/v)+ceiling(p/v), modify I by setting\n // I_j=(I_j+B+1) mod 2^v for each j.\n assert(I_len % block_size == 0);\n for (size_t i = 0; i < I_len; i += block_size) {\n unsigned carry = 1;\n for (size_t j = block_size - 1; j < block_size; j--) {\n carry += I[i + j] + B[j];\n I[i + j] = (uint8_t)carry;\n carry >>= 8;\n }\n }\n }\n\n ret = 1;\n }\n\nerr:\n OPENSSL_free(I);\n OPENSSL_free(pass_raw);\n EVP_MD_CTX_cleanup(&ctx);\n return ret;\n}\n\nstatic int pkcs12_pbe_cipher_init(const struct pbe_suite *suite,\n EVP_CIPHER_CTX *ctx, uint32_t iterations,\n const char *pass, size_t pass_len,\n const uint8_t *salt, size_t salt_len,\n int is_encrypt) {\n const EVP_CIPHER *cipher = suite->cipher_func();\n const EVP_MD *md = suite->md_func();\n\n uint8_t key[EVP_MAX_KEY_LENGTH];\n uint8_t iv[EVP_MAX_IV_LENGTH];\n if (!pkcs12_key_gen(pass, pass_len, salt, salt_len, PKCS12_KEY_ID, iterations,\n EVP_CIPHER_key_length(cipher), key, md) ||\n !pkcs12_key_gen(pass, pass_len, salt, salt_len, PKCS12_IV_ID, iterations,\n EVP_CIPHER_iv_length(cipher), iv, md)) {\n OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_KEY_GEN_ERROR);\n return 0;\n }\n\n int ret = EVP_CipherInit_ex(ctx, cipher, NULL, key, iv, is_encrypt);\n OPENSSL_cleanse(key, EVP_MAX_KEY_LENGTH);\n OPENSSL_cleanse(iv, EVP_MAX_IV_LENGTH);\n return ret;\n}\n\nstatic int pkcs12_pbe_decrypt_init(const struct pbe_suite *suite,\n EVP_CIPHER_CTX *ctx, const char *pass,\n size_t pass_len, CBS *param) {\n CBS pbe_param, salt;\n uint64_t iterations;\n if (!CBS_get_asn1(param, &pbe_param, CBS_ASN1_SEQUENCE) ||\n !CBS_get_asn1(&pbe_param, &salt, CBS_ASN1_OCTETSTRING) ||\n !CBS_get_asn1_uint64(&pbe_param, &iterations) ||\n CBS_len(&pbe_param) != 0 || CBS_len(param) != 0) {\n OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_DECODE_ERROR);\n return 0;\n }\n\n if (!pkcs12_iterations_acceptable(iterations)) {\n OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_ITERATION_COUNT);\n return 0;\n }\n\n return pkcs12_pbe_cipher_init(suite, ctx, (uint32_t)iterations, pass,\n pass_len, CBS_data(&salt), CBS_len(&salt),\n 0 /* decrypt */);\n}\n\nstatic const struct pbe_suite kBuiltinPBE[] = {\n {\n NID_pbe_WithSHA1And40BitRC2_CBC,\n // 1.2.840.113549.1.12.1.6\n {0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x0c, 0x01, 0x06},\n 10,\n EVP_rc2_40_cbc,\n EVP_sha1,\n pkcs12_pbe_decrypt_init,\n },\n {\n NID_pbe_WithSHA1And128BitRC4,\n // 1.2.840.113549.1.12.1.1\n {0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x0c, 0x01, 0x01},\n 10,\n EVP_rc4,\n EVP_sha1,\n pkcs12_pbe_decrypt_init,\n },\n {\n NID_pbe_WithSHA1And3_Key_TripleDES_CBC,\n // 1.2.840.113549.1.12.1.3\n {0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x0c, 0x01, 0x03},\n 10,\n EVP_des_ede3_cbc,\n EVP_sha1,\n pkcs12_pbe_decrypt_init,\n },\n {\n NID_pbes2,\n // 1.2.840.113549.1.5.13\n {0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x05, 0x0d},\n 9,\n NULL,\n NULL,\n PKCS5_pbe2_decrypt_init,\n },\n};\n\nstatic const struct pbe_suite *get_pkcs12_pbe_suite(int pbe_nid) {\n for (unsigned i = 0; i < OPENSSL_ARRAY_SIZE(kBuiltinPBE); i++) {\n if (kBuiltinPBE[i].pbe_nid == pbe_nid &&\n // If |cipher_func| or |md_func| are missing, this is a PBES2 scheme.\n kBuiltinPBE[i].cipher_func != NULL && kBuiltinPBE[i].md_func != NULL) {\n return &kBuiltinPBE[i];\n }\n }\n\n return NULL;\n}\n\nint pkcs12_pbe_encrypt_init(CBB *out, EVP_CIPHER_CTX *ctx, int alg,\n uint32_t iterations, const char *pass,\n size_t pass_len, const uint8_t *salt,\n size_t salt_len) {\n const struct pbe_suite *suite = get_pkcs12_pbe_suite(alg);\n if (suite == NULL) {\n OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_UNKNOWN_ALGORITHM);\n return 0;\n }\n\n // See RFC 2898, appendix A.3.\n CBB algorithm, oid, param, salt_cbb;\n if (!CBB_add_asn1(out, &algorithm, CBS_ASN1_SEQUENCE) ||\n !CBB_add_asn1(&algorithm, &oid, CBS_ASN1_OBJECT) ||\n !CBB_add_bytes(&oid, suite->oid, suite->oid_len) ||\n !CBB_add_asn1(&algorithm, ¶m, CBS_ASN1_SEQUENCE) ||\n !CBB_add_asn1(¶m, &salt_cbb, CBS_ASN1_OCTETSTRING) ||\n !CBB_add_bytes(&salt_cbb, salt, salt_len) ||\n !CBB_add_asn1_uint64(¶m, iterations) || !CBB_flush(out)) {\n return 0;\n }\n\n return pkcs12_pbe_cipher_init(suite, ctx, iterations, pass, pass_len, salt,\n salt_len, 1 /* encrypt */);\n}\n\nint pkcs8_pbe_decrypt(uint8_t **out, size_t *out_len, CBS *algorithm,\n const char *pass, size_t pass_len, const uint8_t *in,\n size_t in_len) {\n int ret = 0;\n uint8_t *buf = NULL;\n ;\n EVP_CIPHER_CTX ctx;\n EVP_CIPHER_CTX_init(&ctx);\n\n CBS obj;\n const struct pbe_suite *suite = NULL;\n if (!CBS_get_asn1(algorithm, &obj, CBS_ASN1_OBJECT)) {\n OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_DECODE_ERROR);\n goto err;\n }\n\n for (unsigned i = 0; i < OPENSSL_ARRAY_SIZE(kBuiltinPBE); i++) {\n if (CBS_mem_equal(&obj, kBuiltinPBE[i].oid, kBuiltinPBE[i].oid_len)) {\n suite = &kBuiltinPBE[i];\n break;\n }\n }\n if (suite == NULL) {\n OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_UNKNOWN_ALGORITHM);\n goto err;\n }\n\n if (!suite->decrypt_init(suite, &ctx, pass, pass_len, algorithm)) {\n OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_KEYGEN_FAILURE);\n goto err;\n }\n\n buf = reinterpret_cast(OPENSSL_malloc(in_len));\n if (buf == NULL) {\n goto err;\n }\n\n if (in_len > INT_MAX) {\n OPENSSL_PUT_ERROR(PKCS8, ERR_R_OVERFLOW);\n goto err;\n }\n\n int n1, n2;\n if (!EVP_DecryptUpdate(&ctx, buf, &n1, in, (int)in_len) ||\n !EVP_DecryptFinal_ex(&ctx, buf + n1, &n2)) {\n goto err;\n }\n\n *out = buf;\n *out_len = n1 + n2;\n ret = 1;\n buf = NULL;\n\nerr:\n OPENSSL_free(buf);\n EVP_CIPHER_CTX_cleanup(&ctx);\n return ret;\n}\n\nEVP_PKEY *PKCS8_parse_encrypted_private_key(CBS *cbs, const char *pass,\n size_t pass_len) {\n // See RFC 5208, section 6.\n CBS epki, algorithm, ciphertext;\n if (!CBS_get_asn1(cbs, &epki, CBS_ASN1_SEQUENCE) ||\n !CBS_get_asn1(&epki, &algorithm, CBS_ASN1_SEQUENCE) ||\n !CBS_get_asn1(&epki, &ciphertext, CBS_ASN1_OCTETSTRING) ||\n CBS_len(&epki) != 0) {\n OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_DECODE_ERROR);\n return 0;\n }\n\n uint8_t *out;\n size_t out_len;\n if (!pkcs8_pbe_decrypt(&out, &out_len, &algorithm, pass, pass_len,\n CBS_data(&ciphertext), CBS_len(&ciphertext))) {\n return 0;\n }\n\n CBS pki;\n CBS_init(&pki, out, out_len);\n EVP_PKEY *ret = EVP_parse_private_key(&pki);\n OPENSSL_free(out);\n return ret;\n}\n\nint PKCS8_marshal_encrypted_private_key(CBB *out, int pbe_nid,\n const EVP_CIPHER *cipher,\n const char *pass, size_t pass_len,\n const uint8_t *salt, size_t salt_len,\n int iterations, const EVP_PKEY *pkey) {\n int ret = 0;\n uint8_t *plaintext = NULL, *salt_buf = NULL;\n size_t plaintext_len = 0;\n EVP_CIPHER_CTX ctx;\n EVP_CIPHER_CTX_init(&ctx);\n\n {\n // Generate a random salt if necessary.\n if (salt == NULL) {\n if (salt_len == 0) {\n salt_len = PKCS5_SALT_LEN;\n }\n\n salt_buf = reinterpret_cast(OPENSSL_malloc(salt_len));\n if (salt_buf == NULL || !RAND_bytes(salt_buf, salt_len)) {\n goto err;\n }\n\n salt = salt_buf;\n }\n\n if (iterations <= 0) {\n iterations = PKCS12_DEFAULT_ITER;\n }\n\n // Serialize the input key.\n CBB plaintext_cbb;\n if (!CBB_init(&plaintext_cbb, 128) ||\n !EVP_marshal_private_key(&plaintext_cbb, pkey) ||\n !CBB_finish(&plaintext_cbb, &plaintext, &plaintext_len)) {\n CBB_cleanup(&plaintext_cbb);\n goto err;\n }\n\n CBB epki;\n if (!CBB_add_asn1(out, &epki, CBS_ASN1_SEQUENCE)) {\n goto err;\n }\n\n // TODO(davidben): OpenSSL has since extended |pbe_nid| to control either\n // the PBES1 scheme or the PBES2 PRF. E.g. passing |NID_hmacWithSHA256| will\n // select PBES2 with HMAC-SHA256 as the PRF. Implement this if anything uses\n // it. See 5693a30813a031d3921a016a870420e7eb93ec90 in OpenSSL.\n int alg_ok;\n if (pbe_nid == -1) {\n alg_ok =\n PKCS5_pbe2_encrypt_init(&epki, &ctx, cipher, (uint32_t)iterations,\n pass, pass_len, salt, salt_len);\n } else {\n alg_ok =\n pkcs12_pbe_encrypt_init(&epki, &ctx, pbe_nid, (uint32_t)iterations,\n pass, pass_len, salt, salt_len);\n }\n if (!alg_ok) {\n goto err;\n }\n\n size_t max_out = plaintext_len + EVP_CIPHER_CTX_block_size(&ctx);\n if (max_out < plaintext_len) {\n OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_TOO_LONG);\n goto err;\n }\n\n CBB ciphertext;\n uint8_t *ptr;\n int n1, n2;\n if (!CBB_add_asn1(&epki, &ciphertext, CBS_ASN1_OCTETSTRING) ||\n !CBB_reserve(&ciphertext, &ptr, max_out) ||\n !EVP_CipherUpdate(&ctx, ptr, &n1, plaintext, plaintext_len) ||\n !EVP_CipherFinal_ex(&ctx, ptr + n1, &n2) ||\n !CBB_did_write(&ciphertext, n1 + n2) || !CBB_flush(out)) {\n goto err;\n }\n\n ret = 1;\n }\n\nerr:\n OPENSSL_free(plaintext);\n OPENSSL_free(salt_buf);\n EVP_CIPHER_CTX_cleanup(&ctx);\n return ret;\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/pkcs8/pkcs8_x509.cc", "content": "/*\n * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n\n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n\n#include \"../bytestring/internal.h\"\n#include \"../internal.h\"\n#include \"../x509/internal.h\"\n#include \"internal.h\"\n\n\nint pkcs12_iterations_acceptable(uint64_t iterations) {\n#if defined(BORINGSSL_UNSAFE_FUZZER_MODE)\n static const uint64_t kIterationsLimit = 2048;\n#else\n // Windows imposes a limit of 600K. Mozilla say: “so them increasing\n // maximum to something like 100M or 1G (to have few decades of breathing\n // room) would be very welcome”[1]. So here we set the limit to 100M.\n //\n // [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1436873#c14\n static const uint64_t kIterationsLimit = 100 * 1000000;\n#endif\n\n assert(kIterationsLimit <= UINT32_MAX);\n return 0 < iterations && iterations <= kIterationsLimit;\n}\n\nASN1_SEQUENCE(PKCS8_PRIV_KEY_INFO) = {\n ASN1_SIMPLE(PKCS8_PRIV_KEY_INFO, version, ASN1_INTEGER),\n ASN1_SIMPLE(PKCS8_PRIV_KEY_INFO, pkeyalg, X509_ALGOR),\n ASN1_SIMPLE(PKCS8_PRIV_KEY_INFO, pkey, ASN1_OCTET_STRING),\n ASN1_IMP_SET_OF_OPT(PKCS8_PRIV_KEY_INFO, attributes, X509_ATTRIBUTE, 0),\n} ASN1_SEQUENCE_END(PKCS8_PRIV_KEY_INFO)\n\nIMPLEMENT_ASN1_FUNCTIONS_const(PKCS8_PRIV_KEY_INFO)\n\nEVP_PKEY *EVP_PKCS82PKEY(const PKCS8_PRIV_KEY_INFO *p8) {\n uint8_t *der = NULL;\n int der_len = i2d_PKCS8_PRIV_KEY_INFO(p8, &der);\n if (der_len < 0) {\n return NULL;\n }\n\n CBS cbs;\n CBS_init(&cbs, der, (size_t)der_len);\n EVP_PKEY *ret = EVP_parse_private_key(&cbs);\n if (ret == NULL || CBS_len(&cbs) != 0) {\n OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_DECODE_ERROR);\n EVP_PKEY_free(ret);\n OPENSSL_free(der);\n return NULL;\n }\n\n OPENSSL_free(der);\n return ret;\n}\n\nPKCS8_PRIV_KEY_INFO *EVP_PKEY2PKCS8(const EVP_PKEY *pkey) {\n CBB cbb;\n uint8_t *der = NULL;\n size_t der_len;\n if (!CBB_init(&cbb, 0) || !EVP_marshal_private_key(&cbb, pkey) ||\n !CBB_finish(&cbb, &der, &der_len) || der_len > LONG_MAX) {\n CBB_cleanup(&cbb);\n OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_ENCODE_ERROR);\n OPENSSL_free(der);\n return NULL;\n }\n\n const uint8_t *p = der;\n PKCS8_PRIV_KEY_INFO *p8 = d2i_PKCS8_PRIV_KEY_INFO(NULL, &p, (long)der_len);\n if (p8 == NULL || p != der + der_len) {\n PKCS8_PRIV_KEY_INFO_free(p8);\n OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_DECODE_ERROR);\n goto err;\n }\n\n OPENSSL_free(der);\n return p8;\n\nerr:\n OPENSSL_free(der);\n return NULL;\n}\n\nPKCS8_PRIV_KEY_INFO *PKCS8_decrypt(X509_SIG *pkcs8, const char *pass,\n int pass_len_in) {\n size_t pass_len;\n if (pass_len_in == -1 && pass != NULL) {\n pass_len = strlen(pass);\n } else {\n pass_len = (size_t)pass_len_in;\n }\n\n PKCS8_PRIV_KEY_INFO *ret = NULL;\n EVP_PKEY *pkey = NULL;\n uint8_t *in = NULL;\n\n // Convert the legacy ASN.1 object to a byte string.\n int in_len = i2d_X509_SIG(pkcs8, &in);\n if (in_len < 0) {\n goto err;\n }\n\n CBS cbs;\n CBS_init(&cbs, in, in_len);\n pkey = PKCS8_parse_encrypted_private_key(&cbs, pass, pass_len);\n if (pkey == NULL || CBS_len(&cbs) != 0) {\n goto err;\n }\n\n ret = EVP_PKEY2PKCS8(pkey);\n\nerr:\n OPENSSL_free(in);\n EVP_PKEY_free(pkey);\n return ret;\n}\n\nX509_SIG *PKCS8_encrypt(int pbe_nid, const EVP_CIPHER *cipher, const char *pass,\n int pass_len_in, const uint8_t *salt, size_t salt_len,\n int iterations, PKCS8_PRIV_KEY_INFO *p8inf) {\n size_t pass_len;\n if (pass_len_in == -1 && pass != NULL) {\n pass_len = strlen(pass);\n } else {\n pass_len = (size_t)pass_len_in;\n }\n\n // Parse out the private key.\n EVP_PKEY *pkey = EVP_PKCS82PKEY(p8inf);\n if (pkey == NULL) {\n return NULL;\n }\n\n X509_SIG *ret = NULL;\n uint8_t *der = NULL;\n const uint8_t *ptr;\n size_t der_len;\n CBB cbb;\n if (!CBB_init(&cbb, 128) ||\n !PKCS8_marshal_encrypted_private_key(&cbb, pbe_nid, cipher, pass,\n pass_len, salt, salt_len, iterations,\n pkey) ||\n !CBB_finish(&cbb, &der, &der_len)) {\n CBB_cleanup(&cbb);\n goto err;\n }\n\n // Convert back to legacy ASN.1 objects.\n ptr = der;\n ret = d2i_X509_SIG(NULL, &ptr, der_len);\n if (ret == NULL || ptr != der + der_len) {\n OPENSSL_PUT_ERROR(PKCS8, ERR_R_INTERNAL_ERROR);\n X509_SIG_free(ret);\n ret = NULL;\n }\n\nerr:\n OPENSSL_free(der);\n EVP_PKEY_free(pkey);\n return ret;\n}\n\nstruct pkcs12_context {\n EVP_PKEY **out_key;\n STACK_OF(X509) *out_certs;\n const char *password;\n size_t password_len;\n};\n\n// PKCS12_handle_sequence parses a BER-encoded SEQUENCE of elements in a PKCS#12\n// structure.\nstatic int PKCS12_handle_sequence(\n CBS *sequence, struct pkcs12_context *ctx,\n int (*handle_element)(CBS *cbs, struct pkcs12_context *ctx)) {\n uint8_t *storage = NULL;\n CBS in;\n int ret = 0;\n\n // Although a BER->DER conversion is done at the beginning of |PKCS12_parse|,\n // the ASN.1 data gets wrapped in OCTETSTRINGs and/or encrypted and the\n // conversion cannot see through those wrappings. So each time we step\n // through one we need to convert to DER again.\n if (!CBS_asn1_ber_to_der(sequence, &in, &storage)) {\n OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA);\n return 0;\n }\n\n CBS child;\n if (!CBS_get_asn1(&in, &child, CBS_ASN1_SEQUENCE) || CBS_len(&in) != 0) {\n OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA);\n goto err;\n }\n\n while (CBS_len(&child) > 0) {\n CBS element;\n if (!CBS_get_asn1(&child, &element, CBS_ASN1_SEQUENCE)) {\n OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA);\n goto err;\n }\n\n if (!handle_element(&element, ctx)) {\n goto err;\n }\n }\n\n ret = 1;\n\nerr:\n OPENSSL_free(storage);\n return ret;\n}\n\n// 1.2.840.113549.1.12.10.1.1\nstatic const uint8_t kKeyBag[] = {0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d,\n 0x01, 0x0c, 0x0a, 0x01, 0x01};\n\n// 1.2.840.113549.1.12.10.1.2\nstatic const uint8_t kPKCS8ShroudedKeyBag[] = {\n 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x0c, 0x0a, 0x01, 0x02};\n\n// 1.2.840.113549.1.12.10.1.3\nstatic const uint8_t kCertBag[] = {0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d,\n 0x01, 0x0c, 0x0a, 0x01, 0x03};\n\n// 1.2.840.113549.1.9.20\nstatic const uint8_t kFriendlyName[] = {0x2a, 0x86, 0x48, 0x86, 0xf7,\n 0x0d, 0x01, 0x09, 0x14};\n\n// 1.2.840.113549.1.9.21\nstatic const uint8_t kLocalKeyID[] = {0x2a, 0x86, 0x48, 0x86, 0xf7,\n 0x0d, 0x01, 0x09, 0x15};\n\n// 1.2.840.113549.1.9.22.1\nstatic const uint8_t kX509Certificate[] = {0x2a, 0x86, 0x48, 0x86, 0xf7,\n 0x0d, 0x01, 0x09, 0x16, 0x01};\n\n// parse_bag_attributes parses the bagAttributes field of a SafeBag structure.\n// It sets |*out_friendly_name| to a newly-allocated copy of the friendly name,\n// encoded as a UTF-8 string, or NULL if there is none. It returns one on\n// success and zero on error.\nstatic int parse_bag_attributes(CBS *attrs, uint8_t **out_friendly_name,\n size_t *out_friendly_name_len) {\n *out_friendly_name = NULL;\n *out_friendly_name_len = 0;\n\n // See https://tools.ietf.org/html/rfc7292#section-4.2.\n while (CBS_len(attrs) != 0) {\n CBS attr, oid, values;\n if (!CBS_get_asn1(attrs, &attr, CBS_ASN1_SEQUENCE) ||\n !CBS_get_asn1(&attr, &oid, CBS_ASN1_OBJECT) ||\n !CBS_get_asn1(&attr, &values, CBS_ASN1_SET) || CBS_len(&attr) != 0) {\n OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA);\n goto err;\n }\n if (CBS_mem_equal(&oid, kFriendlyName, sizeof(kFriendlyName))) {\n // See https://tools.ietf.org/html/rfc2985, section 5.5.1.\n CBS value;\n if (*out_friendly_name != NULL ||\n !CBS_get_asn1(&values, &value, CBS_ASN1_BMPSTRING) ||\n CBS_len(&values) != 0 || CBS_len(&value) == 0) {\n OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA);\n goto err;\n }\n // Convert the friendly name to UTF-8.\n CBB cbb;\n if (!CBB_init(&cbb, CBS_len(&value))) {\n goto err;\n }\n while (CBS_len(&value) != 0) {\n uint32_t c;\n if (!CBS_get_ucs2_be(&value, &c) || !CBB_add_utf8(&cbb, c)) {\n OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_INVALID_CHARACTERS);\n CBB_cleanup(&cbb);\n goto err;\n }\n }\n if (!CBB_finish(&cbb, out_friendly_name, out_friendly_name_len)) {\n CBB_cleanup(&cbb);\n goto err;\n }\n }\n }\n\n return 1;\n\nerr:\n OPENSSL_free(*out_friendly_name);\n *out_friendly_name = NULL;\n *out_friendly_name_len = 0;\n return 0;\n}\n\n// PKCS12_handle_safe_bag parses a single SafeBag element in a PKCS#12\n// structure.\nstatic int PKCS12_handle_safe_bag(CBS *safe_bag, struct pkcs12_context *ctx) {\n CBS bag_id, wrapped_value, bag_attrs;\n if (!CBS_get_asn1(safe_bag, &bag_id, CBS_ASN1_OBJECT) ||\n !CBS_get_asn1(safe_bag, &wrapped_value,\n CBS_ASN1_CONTEXT_SPECIFIC | CBS_ASN1_CONSTRUCTED | 0)) {\n OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA);\n return 0;\n }\n if (CBS_len(safe_bag) == 0) {\n CBS_init(&bag_attrs, NULL, 0);\n } else if (!CBS_get_asn1(safe_bag, &bag_attrs, CBS_ASN1_SET) ||\n CBS_len(safe_bag) != 0) {\n OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA);\n return 0;\n }\n\n const int is_key_bag = CBS_mem_equal(&bag_id, kKeyBag, sizeof(kKeyBag));\n const int is_shrouded_key_bag = CBS_mem_equal(&bag_id, kPKCS8ShroudedKeyBag,\n sizeof(kPKCS8ShroudedKeyBag));\n if (is_key_bag || is_shrouded_key_bag) {\n // See RFC 7292, section 4.2.1 and 4.2.2.\n if (*ctx->out_key) {\n OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_MULTIPLE_PRIVATE_KEYS_IN_PKCS12);\n return 0;\n }\n\n EVP_PKEY *pkey =\n is_key_bag ? EVP_parse_private_key(&wrapped_value)\n : PKCS8_parse_encrypted_private_key(\n &wrapped_value, ctx->password, ctx->password_len);\n if (pkey == NULL) {\n return 0;\n }\n\n if (CBS_len(&wrapped_value) != 0) {\n OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA);\n EVP_PKEY_free(pkey);\n return 0;\n }\n\n *ctx->out_key = pkey;\n return 1;\n }\n\n if (CBS_mem_equal(&bag_id, kCertBag, sizeof(kCertBag))) {\n // See RFC 7292, section 4.2.3.\n CBS cert_bag, cert_type, wrapped_cert, cert;\n if (!CBS_get_asn1(&wrapped_value, &cert_bag, CBS_ASN1_SEQUENCE) ||\n !CBS_get_asn1(&cert_bag, &cert_type, CBS_ASN1_OBJECT) ||\n !CBS_get_asn1(&cert_bag, &wrapped_cert,\n CBS_ASN1_CONTEXT_SPECIFIC | CBS_ASN1_CONSTRUCTED | 0) ||\n !CBS_get_asn1(&wrapped_cert, &cert, CBS_ASN1_OCTETSTRING)) {\n OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA);\n return 0;\n }\n\n // Skip unknown certificate types.\n if (!CBS_mem_equal(&cert_type, kX509Certificate,\n sizeof(kX509Certificate))) {\n return 1;\n }\n\n if (CBS_len(&cert) > LONG_MAX) {\n OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA);\n return 0;\n }\n\n const uint8_t *inp = CBS_data(&cert);\n X509 *x509 = d2i_X509(NULL, &inp, (long)CBS_len(&cert));\n if (!x509) {\n OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA);\n return 0;\n }\n\n if (inp != CBS_data(&cert) + CBS_len(&cert)) {\n OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA);\n X509_free(x509);\n return 0;\n }\n\n uint8_t *friendly_name;\n size_t friendly_name_len;\n if (!parse_bag_attributes(&bag_attrs, &friendly_name, &friendly_name_len)) {\n X509_free(x509);\n return 0;\n }\n int ok = friendly_name_len == 0 ||\n X509_alias_set1(x509, friendly_name, friendly_name_len);\n OPENSSL_free(friendly_name);\n if (!ok || 0 == sk_X509_push(ctx->out_certs, x509)) {\n X509_free(x509);\n return 0;\n }\n\n return 1;\n }\n\n // Unknown element type - ignore it.\n return 1;\n}\n\n// 1.2.840.113549.1.7.1\nstatic const uint8_t kPKCS7Data[] = {0x2a, 0x86, 0x48, 0x86, 0xf7,\n 0x0d, 0x01, 0x07, 0x01};\n\n// 1.2.840.113549.1.7.6\nstatic const uint8_t kPKCS7EncryptedData[] = {0x2a, 0x86, 0x48, 0x86, 0xf7,\n 0x0d, 0x01, 0x07, 0x06};\n\n// PKCS12_handle_content_info parses a single PKCS#7 ContentInfo element in a\n// PKCS#12 structure.\nstatic int PKCS12_handle_content_info(CBS *content_info,\n struct pkcs12_context *ctx) {\n CBS content_type, wrapped_contents, contents;\n int ret = 0;\n uint8_t *storage = NULL;\n\n if (!CBS_get_asn1(content_info, &content_type, CBS_ASN1_OBJECT) ||\n !CBS_get_asn1(content_info, &wrapped_contents,\n CBS_ASN1_CONTEXT_SPECIFIC | CBS_ASN1_CONSTRUCTED | 0) ||\n CBS_len(content_info) != 0) {\n OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA);\n goto err;\n }\n\n if (CBS_mem_equal(&content_type, kPKCS7EncryptedData,\n sizeof(kPKCS7EncryptedData))) {\n // See https://tools.ietf.org/html/rfc2315#section-13.\n //\n // PKCS#7 encrypted data inside a PKCS#12 structure is generally an\n // encrypted certificate bag and it's generally encrypted with 40-bit\n // RC2-CBC.\n CBS version_bytes, eci, contents_type, ai, encrypted_contents;\n uint8_t *out;\n size_t out_len;\n\n if (!CBS_get_asn1(&wrapped_contents, &contents, CBS_ASN1_SEQUENCE) ||\n !CBS_get_asn1(&contents, &version_bytes, CBS_ASN1_INTEGER) ||\n // EncryptedContentInfo, see\n // https://tools.ietf.org/html/rfc2315#section-10.1\n !CBS_get_asn1(&contents, &eci, CBS_ASN1_SEQUENCE) ||\n !CBS_get_asn1(&eci, &contents_type, CBS_ASN1_OBJECT) ||\n // AlgorithmIdentifier, see\n // https://tools.ietf.org/html/rfc5280#section-4.1.1.2\n !CBS_get_asn1(&eci, &ai, CBS_ASN1_SEQUENCE) ||\n !CBS_get_asn1_implicit_string(&eci, &encrypted_contents, &storage,\n CBS_ASN1_CONTEXT_SPECIFIC | 0,\n CBS_ASN1_OCTETSTRING)) {\n OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA);\n goto err;\n }\n\n if (!CBS_mem_equal(&contents_type, kPKCS7Data, sizeof(kPKCS7Data))) {\n OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA);\n goto err;\n }\n\n if (!pkcs8_pbe_decrypt(&out, &out_len, &ai, ctx->password,\n ctx->password_len, CBS_data(&encrypted_contents),\n CBS_len(&encrypted_contents))) {\n goto err;\n }\n\n CBS safe_contents;\n CBS_init(&safe_contents, out, out_len);\n ret = PKCS12_handle_sequence(&safe_contents, ctx, PKCS12_handle_safe_bag);\n OPENSSL_free(out);\n } else if (CBS_mem_equal(&content_type, kPKCS7Data, sizeof(kPKCS7Data))) {\n CBS octet_string_contents;\n\n if (!CBS_get_asn1(&wrapped_contents, &octet_string_contents,\n CBS_ASN1_OCTETSTRING)) {\n OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA);\n goto err;\n }\n\n ret = PKCS12_handle_sequence(&octet_string_contents, ctx,\n PKCS12_handle_safe_bag);\n } else {\n // Unknown element type - ignore it.\n ret = 1;\n }\n\nerr:\n OPENSSL_free(storage);\n return ret;\n}\n\nstatic int pkcs12_check_mac(int *out_mac_ok, const char *password,\n size_t password_len, const CBS *salt,\n uint32_t iterations, const EVP_MD *md,\n const CBS *authsafes, const CBS *expected_mac) {\n int ret = 0;\n uint8_t hmac_key[EVP_MAX_MD_SIZE];\n if (!pkcs12_key_gen(password, password_len, CBS_data(salt), CBS_len(salt),\n PKCS12_MAC_ID, iterations, EVP_MD_size(md), hmac_key,\n md)) {\n goto err;\n }\n\n uint8_t hmac[EVP_MAX_MD_SIZE];\n unsigned hmac_len;\n if (NULL == HMAC(md, hmac_key, EVP_MD_size(md), CBS_data(authsafes),\n CBS_len(authsafes), hmac, &hmac_len)) {\n goto err;\n }\n\n *out_mac_ok = CBS_mem_equal(expected_mac, hmac, hmac_len);\n#if defined(BORINGSSL_UNSAFE_FUZZER_MODE)\n *out_mac_ok = 1;\n#endif\n ret = 1;\n\nerr:\n OPENSSL_cleanse(hmac_key, sizeof(hmac_key));\n return ret;\n}\n\n\nint PKCS12_get_key_and_certs(EVP_PKEY **out_key, STACK_OF(X509) *out_certs,\n CBS *ber_in, const char *password) {\n uint8_t *storage = NULL;\n CBS in, pfx, mac_data, authsafe, content_type, wrapped_authsafes, authsafes;\n uint64_t version;\n int ret = 0;\n struct pkcs12_context ctx;\n const size_t original_out_certs_len = sk_X509_num(out_certs);\n\n // The input may be in BER format.\n if (!CBS_asn1_ber_to_der(ber_in, &in, &storage)) {\n OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA);\n return 0;\n }\n\n *out_key = NULL;\n OPENSSL_memset(&ctx, 0, sizeof(ctx));\n\n // See ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-12/pkcs-12v1.pdf, section\n // four.\n if (!CBS_get_asn1(&in, &pfx, CBS_ASN1_SEQUENCE) || CBS_len(&in) != 0 ||\n !CBS_get_asn1_uint64(&pfx, &version)) {\n OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA);\n goto err;\n }\n\n if (version < 3) {\n OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_VERSION);\n goto err;\n }\n\n if (!CBS_get_asn1(&pfx, &authsafe, CBS_ASN1_SEQUENCE)) {\n OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA);\n goto err;\n }\n\n if (CBS_len(&pfx) == 0) {\n OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_MISSING_MAC);\n goto err;\n }\n\n if (!CBS_get_asn1(&pfx, &mac_data, CBS_ASN1_SEQUENCE)) {\n OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA);\n goto err;\n }\n\n // authsafe is a PKCS#7 ContentInfo. See\n // https://tools.ietf.org/html/rfc2315#section-7.\n if (!CBS_get_asn1(&authsafe, &content_type, CBS_ASN1_OBJECT) ||\n !CBS_get_asn1(&authsafe, &wrapped_authsafes,\n CBS_ASN1_CONTEXT_SPECIFIC | CBS_ASN1_CONSTRUCTED | 0)) {\n OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA);\n goto err;\n }\n\n // The content type can either be data or signedData. The latter indicates\n // that it's signed by a public key, which isn't supported.\n if (!CBS_mem_equal(&content_type, kPKCS7Data, sizeof(kPKCS7Data))) {\n OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_PKCS12_PUBLIC_KEY_INTEGRITY_NOT_SUPPORTED);\n goto err;\n }\n\n if (!CBS_get_asn1(&wrapped_authsafes, &authsafes, CBS_ASN1_OCTETSTRING)) {\n OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA);\n goto err;\n }\n\n ctx.out_key = out_key;\n ctx.out_certs = out_certs;\n ctx.password = password;\n ctx.password_len = password != NULL ? strlen(password) : 0;\n\n // Verify the MAC.\n {\n CBS mac, salt, expected_mac;\n if (!CBS_get_asn1(&mac_data, &mac, CBS_ASN1_SEQUENCE)) {\n OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA);\n goto err;\n }\n\n const EVP_MD *md = EVP_parse_digest_algorithm(&mac);\n if (md == NULL) {\n goto err;\n }\n\n if (!CBS_get_asn1(&mac, &expected_mac, CBS_ASN1_OCTETSTRING) ||\n !CBS_get_asn1(&mac_data, &salt, CBS_ASN1_OCTETSTRING)) {\n OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA);\n goto err;\n }\n\n // The iteration count is optional and the default is one.\n uint32_t iterations = 1;\n if (CBS_len(&mac_data) > 0) {\n uint64_t iterations_u64;\n if (!CBS_get_asn1_uint64(&mac_data, &iterations_u64) ||\n !pkcs12_iterations_acceptable(iterations_u64)) {\n OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA);\n goto err;\n }\n iterations = (uint32_t)iterations_u64;\n }\n\n int mac_ok;\n if (!pkcs12_check_mac(&mac_ok, ctx.password, ctx.password_len, &salt,\n iterations, md, &authsafes, &expected_mac)) {\n goto err;\n }\n if (!mac_ok && ctx.password_len == 0) {\n // PKCS#12 encodes passwords as NUL-terminated UCS-2, so the empty\n // password is encoded as {0, 0}. Some implementations use the empty byte\n // array for \"no password\". OpenSSL considers a non-NULL password as {0,\n // 0} and a NULL password as {}. It then, in high-level PKCS#12 parsing\n // code, tries both options. We match this behavior.\n ctx.password = ctx.password != NULL ? NULL : \"\";\n if (!pkcs12_check_mac(&mac_ok, ctx.password, ctx.password_len, &salt,\n iterations, md, &authsafes, &expected_mac)) {\n goto err;\n }\n }\n if (!mac_ok) {\n OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_INCORRECT_PASSWORD);\n goto err;\n }\n }\n\n // authsafes contains a series of PKCS#7 ContentInfos.\n if (!PKCS12_handle_sequence(&authsafes, &ctx, PKCS12_handle_content_info)) {\n goto err;\n }\n\n ret = 1;\n\nerr:\n OPENSSL_free(storage);\n if (!ret) {\n EVP_PKEY_free(*out_key);\n *out_key = NULL;\n while (sk_X509_num(out_certs) > original_out_certs_len) {\n X509 *x509 = sk_X509_pop(out_certs);\n X509_free(x509);\n }\n }\n\n return ret;\n}\n\nvoid PKCS12_PBE_add(void) {}\n\nstruct pkcs12_st {\n uint8_t *ber_bytes;\n size_t ber_len;\n};\n\nPKCS12 *d2i_PKCS12(PKCS12 **out_p12, const uint8_t **ber_bytes,\n size_t ber_len) {\n PKCS12 *p12 = reinterpret_cast(OPENSSL_malloc(sizeof(PKCS12)));\n if (!p12) {\n return NULL;\n }\n\n p12->ber_bytes =\n reinterpret_cast(OPENSSL_memdup(*ber_bytes, ber_len));\n if (!p12->ber_bytes) {\n OPENSSL_free(p12);\n return NULL;\n }\n\n p12->ber_len = ber_len;\n *ber_bytes += ber_len;\n\n if (out_p12) {\n PKCS12_free(*out_p12);\n *out_p12 = p12;\n }\n\n return p12;\n}\n\nPKCS12 *d2i_PKCS12_bio(BIO *bio, PKCS12 **out_p12) {\n size_t used = 0;\n BUF_MEM *buf;\n const uint8_t *dummy;\n static const size_t kMaxSize = 256 * 1024;\n PKCS12 *ret = NULL;\n\n buf = BUF_MEM_new();\n if (buf == NULL) {\n return NULL;\n }\n if (BUF_MEM_grow(buf, 8192) == 0) {\n goto out;\n }\n\n for (;;) {\n size_t max_read = buf->length - used;\n int n = BIO_read(bio, &buf->data[used],\n max_read > INT_MAX ? INT_MAX : (int)max_read);\n if (n < 0) {\n if (used == 0) {\n goto out;\n }\n // Workaround a bug in node.js. It uses a memory BIO for this in the wrong\n // mode.\n n = 0;\n }\n\n if (n == 0) {\n break;\n }\n used += n;\n\n if (used < buf->length) {\n continue;\n }\n\n if (buf->length > kMaxSize || BUF_MEM_grow(buf, buf->length * 2) == 0) {\n goto out;\n }\n }\n\n dummy = (uint8_t *)buf->data;\n ret = d2i_PKCS12(out_p12, &dummy, used);\n\nout:\n BUF_MEM_free(buf);\n return ret;\n}\n\nPKCS12 *d2i_PKCS12_fp(FILE *fp, PKCS12 **out_p12) {\n BIO *bio;\n PKCS12 *ret;\n\n bio = BIO_new_fp(fp, 0 /* don't take ownership */);\n if (!bio) {\n return NULL;\n }\n\n ret = d2i_PKCS12_bio(bio, out_p12);\n BIO_free(bio);\n return ret;\n}\n\nint i2d_PKCS12(const PKCS12 *p12, uint8_t **out) {\n if (p12->ber_len > INT_MAX) {\n OPENSSL_PUT_ERROR(PKCS8, ERR_R_OVERFLOW);\n return -1;\n }\n\n if (out == NULL) {\n return (int)p12->ber_len;\n }\n\n if (*out == NULL) {\n *out = reinterpret_cast(\n OPENSSL_memdup(p12->ber_bytes, p12->ber_len));\n if (*out == NULL) {\n return -1;\n }\n } else {\n OPENSSL_memcpy(*out, p12->ber_bytes, p12->ber_len);\n *out += p12->ber_len;\n }\n return (int)p12->ber_len;\n}\n\nint i2d_PKCS12_bio(BIO *bio, const PKCS12 *p12) {\n return BIO_write_all(bio, p12->ber_bytes, p12->ber_len);\n}\n\nint i2d_PKCS12_fp(FILE *fp, const PKCS12 *p12) {\n BIO *bio = BIO_new_fp(fp, 0 /* don't take ownership */);\n if (bio == NULL) {\n return 0;\n }\n\n int ret = i2d_PKCS12_bio(bio, p12);\n BIO_free(bio);\n return ret;\n}\n\nint PKCS12_parse(const PKCS12 *p12, const char *password, EVP_PKEY **out_pkey,\n X509 **out_cert, STACK_OF(X509) **out_ca_certs) {\n CBS ber_bytes;\n STACK_OF(X509) *ca_certs = NULL;\n char ca_certs_alloced = 0;\n\n if (out_ca_certs != NULL && *out_ca_certs != NULL) {\n ca_certs = *out_ca_certs;\n }\n\n if (!ca_certs) {\n ca_certs = sk_X509_new_null();\n if (ca_certs == NULL) {\n return 0;\n }\n ca_certs_alloced = 1;\n }\n\n CBS_init(&ber_bytes, p12->ber_bytes, p12->ber_len);\n if (!PKCS12_get_key_and_certs(out_pkey, ca_certs, &ber_bytes, password)) {\n if (ca_certs_alloced) {\n sk_X509_free(ca_certs);\n }\n return 0;\n }\n\n // OpenSSL selects the last certificate which matches the private key as\n // |out_cert|.\n *out_cert = NULL;\n size_t num_certs = sk_X509_num(ca_certs);\n if (*out_pkey != NULL && num_certs > 0) {\n for (size_t i = num_certs - 1; i < num_certs; i--) {\n X509 *cert = sk_X509_value(ca_certs, i);\n if (X509_check_private_key(cert, *out_pkey)) {\n *out_cert = cert;\n sk_X509_delete(ca_certs, i);\n break;\n }\n ERR_clear_error();\n }\n }\n\n if (out_ca_certs) {\n *out_ca_certs = ca_certs;\n } else {\n sk_X509_pop_free(ca_certs, X509_free);\n }\n\n return 1;\n}\n\nint PKCS12_verify_mac(const PKCS12 *p12, const char *password,\n int password_len) {\n if (password == NULL) {\n if (password_len != 0) {\n return 0;\n }\n } else if (password_len != -1 &&\n (password[password_len] != 0 ||\n OPENSSL_memchr(password, 0, password_len) != NULL)) {\n return 0;\n }\n\n EVP_PKEY *pkey = NULL;\n X509 *cert = NULL;\n if (!PKCS12_parse(p12, password, &pkey, &cert, NULL)) {\n ERR_clear_error();\n return 0;\n }\n\n EVP_PKEY_free(pkey);\n X509_free(cert);\n\n return 1;\n}\n\n// add_bag_attributes adds the bagAttributes field of a SafeBag structure,\n// containing the specified friendlyName and localKeyId attributes.\nstatic int add_bag_attributes(CBB *bag, const char *name, size_t name_len,\n const uint8_t *key_id, size_t key_id_len) {\n if (name == NULL && key_id_len == 0) {\n return 1; // Omit the OPTIONAL SET.\n }\n // See https://tools.ietf.org/html/rfc7292#section-4.2.\n CBB attrs, attr, oid, values, value;\n if (!CBB_add_asn1(bag, &attrs, CBS_ASN1_SET)) {\n return 0;\n }\n if (name_len != 0) {\n // See https://tools.ietf.org/html/rfc2985, section 5.5.1.\n if (!CBB_add_asn1(&attrs, &attr, CBS_ASN1_SEQUENCE) ||\n !CBB_add_asn1(&attr, &oid, CBS_ASN1_OBJECT) ||\n !CBB_add_bytes(&oid, kFriendlyName, sizeof(kFriendlyName)) ||\n !CBB_add_asn1(&attr, &values, CBS_ASN1_SET) ||\n !CBB_add_asn1(&values, &value, CBS_ASN1_BMPSTRING)) {\n return 0;\n }\n // Convert the friendly name to a BMPString.\n CBS name_cbs;\n CBS_init(&name_cbs, (const uint8_t *)name, name_len);\n while (CBS_len(&name_cbs) != 0) {\n uint32_t c;\n if (!CBS_get_utf8(&name_cbs, &c) || !CBB_add_ucs2_be(&value, c)) {\n OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_INVALID_CHARACTERS);\n return 0;\n }\n }\n }\n if (key_id_len != 0) {\n // See https://tools.ietf.org/html/rfc2985, section 5.5.2.\n if (!CBB_add_asn1(&attrs, &attr, CBS_ASN1_SEQUENCE) ||\n !CBB_add_asn1(&attr, &oid, CBS_ASN1_OBJECT) ||\n !CBB_add_bytes(&oid, kLocalKeyID, sizeof(kLocalKeyID)) ||\n !CBB_add_asn1(&attr, &values, CBS_ASN1_SET) ||\n !CBB_add_asn1(&values, &value, CBS_ASN1_OCTETSTRING) ||\n !CBB_add_bytes(&value, key_id, key_id_len)) {\n return 0;\n }\n }\n return CBB_flush_asn1_set_of(&attrs) && CBB_flush(bag);\n}\n\nstatic int add_cert_bag(CBB *cbb, X509 *cert, const char *name,\n const uint8_t *key_id, size_t key_id_len) {\n CBB bag, bag_oid, bag_contents, cert_bag, cert_type, wrapped_cert, cert_value;\n if ( // See https://tools.ietf.org/html/rfc7292#section-4.2.\n !CBB_add_asn1(cbb, &bag, CBS_ASN1_SEQUENCE) ||\n !CBB_add_asn1(&bag, &bag_oid, CBS_ASN1_OBJECT) ||\n !CBB_add_bytes(&bag_oid, kCertBag, sizeof(kCertBag)) ||\n !CBB_add_asn1(&bag, &bag_contents,\n CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 0) ||\n // See https://tools.ietf.org/html/rfc7292#section-4.2.3.\n !CBB_add_asn1(&bag_contents, &cert_bag, CBS_ASN1_SEQUENCE) ||\n !CBB_add_asn1(&cert_bag, &cert_type, CBS_ASN1_OBJECT) ||\n !CBB_add_bytes(&cert_type, kX509Certificate, sizeof(kX509Certificate)) ||\n !CBB_add_asn1(&cert_bag, &wrapped_cert,\n CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 0) ||\n !CBB_add_asn1(&wrapped_cert, &cert_value, CBS_ASN1_OCTETSTRING)) {\n return 0;\n }\n uint8_t *buf;\n int len = i2d_X509(cert, NULL);\n\n int int_name_len = 0;\n const char *cert_name = (const char *)X509_alias_get0(cert, &int_name_len);\n size_t name_len = int_name_len;\n if (name) {\n if (name_len != 0) {\n OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_AMBIGUOUS_FRIENDLY_NAME);\n return 0;\n }\n name_len = strlen(name);\n } else {\n name = cert_name;\n }\n\n if (len < 0 || !CBB_add_space(&cert_value, &buf, (size_t)len) ||\n i2d_X509(cert, &buf) < 0 ||\n !add_bag_attributes(&bag, name, name_len, key_id, key_id_len) ||\n !CBB_flush(cbb)) {\n return 0;\n }\n return 1;\n}\n\nstatic int add_cert_safe_contents(CBB *cbb, X509 *cert,\n const STACK_OF(X509) *chain, const char *name,\n const uint8_t *key_id, size_t key_id_len) {\n CBB safe_contents;\n if (!CBB_add_asn1(cbb, &safe_contents, CBS_ASN1_SEQUENCE) ||\n (cert != NULL &&\n !add_cert_bag(&safe_contents, cert, name, key_id, key_id_len))) {\n return 0;\n }\n\n for (size_t i = 0; i < sk_X509_num(chain); i++) {\n // Only the leaf certificate gets attributes.\n if (!add_cert_bag(&safe_contents, sk_X509_value(chain, i), NULL, NULL, 0)) {\n return 0;\n }\n }\n\n return CBB_flush(cbb);\n}\n\nstatic int add_encrypted_data(CBB *out, int pbe_nid, const char *password,\n size_t password_len, uint32_t iterations,\n const uint8_t *in, size_t in_len) {\n uint8_t salt[PKCS5_SALT_LEN];\n if (!RAND_bytes(salt, sizeof(salt))) {\n return 0;\n }\n\n int ret = 0;\n EVP_CIPHER_CTX ctx;\n EVP_CIPHER_CTX_init(&ctx);\n CBB content_info, type, wrapper, encrypted_data, encrypted_content_info,\n inner_type, encrypted_content;\n if ( // Add the ContentInfo wrapping.\n !CBB_add_asn1(out, &content_info, CBS_ASN1_SEQUENCE) ||\n !CBB_add_asn1(&content_info, &type, CBS_ASN1_OBJECT) ||\n !CBB_add_bytes(&type, kPKCS7EncryptedData, sizeof(kPKCS7EncryptedData)) ||\n !CBB_add_asn1(&content_info, &wrapper,\n CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 0) ||\n // See https://tools.ietf.org/html/rfc2315#section-13.\n !CBB_add_asn1(&wrapper, &encrypted_data, CBS_ASN1_SEQUENCE) ||\n !CBB_add_asn1_uint64(&encrypted_data, 0 /* version */) ||\n // See https://tools.ietf.org/html/rfc2315#section-10.1.\n !CBB_add_asn1(&encrypted_data, &encrypted_content_info,\n CBS_ASN1_SEQUENCE) ||\n !CBB_add_asn1(&encrypted_content_info, &inner_type, CBS_ASN1_OBJECT) ||\n !CBB_add_bytes(&inner_type, kPKCS7Data, sizeof(kPKCS7Data)) ||\n // Set up encryption and fill in contentEncryptionAlgorithm.\n !pkcs12_pbe_encrypt_init(&encrypted_content_info, &ctx, pbe_nid,\n iterations, password, password_len, salt,\n sizeof(salt)) ||\n // Note this tag is primitive. It is an implicitly-tagged OCTET_STRING, so\n // it inherits the inner tag's constructed bit.\n !CBB_add_asn1(&encrypted_content_info, &encrypted_content,\n CBS_ASN1_CONTEXT_SPECIFIC | 0)) {\n goto err;\n }\n\n {\n size_t max_out = in_len + EVP_CIPHER_CTX_block_size(&ctx);\n if (max_out < in_len) {\n OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_TOO_LONG);\n goto err;\n }\n\n uint8_t *ptr;\n int n1, n2;\n if (!CBB_reserve(&encrypted_content, &ptr, max_out) ||\n !EVP_CipherUpdate(&ctx, ptr, &n1, in, in_len) ||\n !EVP_CipherFinal_ex(&ctx, ptr + n1, &n2) ||\n !CBB_did_write(&encrypted_content, n1 + n2) || !CBB_flush(out)) {\n goto err;\n }\n }\n\n ret = 1;\n\nerr:\n EVP_CIPHER_CTX_cleanup(&ctx);\n return ret;\n}\n\nPKCS12 *PKCS12_create(const char *password, const char *name,\n const EVP_PKEY *pkey, X509 *cert,\n const STACK_OF(X509) *chain, int key_nid, int cert_nid,\n int iterations, int mac_iterations, int key_type) {\n if (key_nid == 0) {\n key_nid = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;\n }\n if (cert_nid == 0) {\n cert_nid = NID_pbe_WithSHA1And40BitRC2_CBC;\n }\n if (iterations == 0) {\n iterations = PKCS12_DEFAULT_ITER;\n }\n if (mac_iterations == 0) {\n mac_iterations = 1;\n }\n if ( // In OpenSSL, this specifies a non-standard Microsoft key usage\n // extension which we do not currently support.\n key_type != 0 ||\n // In OpenSSL, -1 here means to omit the MAC, which we do not\n // currently support. Omitting it is also invalid for a password-based\n // PKCS#12 file.\n mac_iterations < 0 ||\n // Don't encode empty objects.\n (pkey == NULL && cert == NULL && sk_X509_num(chain) == 0)) {\n OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_UNSUPPORTED_OPTIONS);\n return 0;\n }\n\n // PKCS#12 is a very confusing recursive data format, built out of another\n // recursive data format. Section 5.1 of RFC 7292 describes the encoding\n // algorithm, but there is no clear overview. A quick summary:\n //\n // PKCS#7 defines a ContentInfo structure, which is a overgeneralized typed\n // combinator structure for applying cryptography. We care about two types. A\n // data ContentInfo contains an OCTET STRING and is a leaf node of the\n // combinator tree. An encrypted-data ContentInfo contains encryption\n // parameters (key derivation and encryption) and wraps another ContentInfo,\n // usually data.\n //\n // A PKCS#12 file is a PFX structure (section 4), which contains a single data\n // ContentInfo and a MAC over it. This root ContentInfo is the\n // AuthenticatedSafe and its payload is a SEQUENCE of other ContentInfos, so\n // that different parts of the PKCS#12 file can by differently protected.\n //\n // Each ContentInfo in the AuthenticatedSafe, after undoing all the PKCS#7\n // combinators, has SafeContents payload. A SafeContents is a SEQUENCE of\n // SafeBag. SafeBag is PKCS#12's typed structure, with subtypes such as KeyBag\n // and CertBag. Confusingly, there is a SafeContents bag type which itself\n // recursively contains more SafeBags, but we do not implement this. Bags also\n // can have attributes.\n //\n // The grouping of SafeBags into intermediate ContentInfos does not appear to\n // be significant, except that all SafeBags sharing a ContentInfo have the\n // same level of protection. Additionally, while keys may be encrypted by\n // placing a KeyBag in an encrypted-data ContentInfo, PKCS#12 also defines a\n // key-specific encryption container, PKCS8ShroudedKeyBag, which is used\n // instead.\n\n // Note that |password| may be NULL to specify no password, rather than the\n // empty string. They are encoded differently in PKCS#12. (One is the empty\n // byte array and the other is NUL-terminated UCS-2.)\n size_t password_len = password != NULL ? strlen(password) : 0;\n\n uint8_t key_id[EVP_MAX_MD_SIZE];\n unsigned key_id_len = 0;\n if (cert != NULL && pkey != NULL) {\n if (!X509_check_private_key(cert, pkey) ||\n // Matching OpenSSL, use the SHA-1 hash of the certificate as the local\n // key ID. Some PKCS#12 consumers require one to connect the private key\n // and certificate.\n !X509_digest(cert, EVP_sha1(), key_id, &key_id_len)) {\n return 0;\n }\n }\n\n // See https://tools.ietf.org/html/rfc7292#section-4.\n PKCS12 *ret = NULL;\n CBB cbb, pfx, auth_safe, auth_safe_oid, auth_safe_wrapper, auth_safe_data,\n content_infos;\n uint8_t mac_key[EVP_MAX_MD_SIZE];\n if (!CBB_init(&cbb, 0) || !CBB_add_asn1(&cbb, &pfx, CBS_ASN1_SEQUENCE) ||\n !CBB_add_asn1_uint64(&pfx, 3) ||\n // auth_safe is a data ContentInfo.\n !CBB_add_asn1(&pfx, &auth_safe, CBS_ASN1_SEQUENCE) ||\n !CBB_add_asn1(&auth_safe, &auth_safe_oid, CBS_ASN1_OBJECT) ||\n !CBB_add_bytes(&auth_safe_oid, kPKCS7Data, sizeof(kPKCS7Data)) ||\n !CBB_add_asn1(&auth_safe, &auth_safe_wrapper,\n CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 0) ||\n !CBB_add_asn1(&auth_safe_wrapper, &auth_safe_data,\n CBS_ASN1_OCTETSTRING) ||\n // See https://tools.ietf.org/html/rfc7292#section-4.1. |auth_safe|'s\n // contains a SEQUENCE of ContentInfos.\n !CBB_add_asn1(&auth_safe_data, &content_infos, CBS_ASN1_SEQUENCE)) {\n goto err;\n }\n\n // If there are any certificates, place them in CertBags wrapped in a single\n // encrypted ContentInfo.\n if (cert != NULL || sk_X509_num(chain) > 0) {\n if (cert_nid < 0) {\n // Place the certificates in an unencrypted ContentInfo. This could be\n // more compactly-encoded by reusing the same ContentInfo as the key, but\n // OpenSSL does not do this. We keep them separate for consistency. (Keys,\n // even when encrypted, are always placed in unencrypted ContentInfos.\n // PKCS#12 defines bag-level encryption for keys.)\n CBB content_info, oid, wrapper, data;\n if (!CBB_add_asn1(&content_infos, &content_info, CBS_ASN1_SEQUENCE) ||\n !CBB_add_asn1(&content_info, &oid, CBS_ASN1_OBJECT) ||\n !CBB_add_bytes(&oid, kPKCS7Data, sizeof(kPKCS7Data)) ||\n !CBB_add_asn1(&content_info, &wrapper,\n CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 0) ||\n !CBB_add_asn1(&wrapper, &data, CBS_ASN1_OCTETSTRING) ||\n !add_cert_safe_contents(&data, cert, chain, name, key_id,\n key_id_len) ||\n !CBB_flush(&content_infos)) {\n goto err;\n }\n } else {\n CBB plaintext_cbb;\n int ok = CBB_init(&plaintext_cbb, 0) &&\n add_cert_safe_contents(&plaintext_cbb, cert, chain, name, key_id,\n key_id_len) &&\n add_encrypted_data(\n &content_infos, cert_nid, password, password_len, iterations,\n CBB_data(&plaintext_cbb), CBB_len(&plaintext_cbb));\n CBB_cleanup(&plaintext_cbb);\n if (!ok) {\n goto err;\n }\n }\n }\n\n // If there is a key, place it in a single KeyBag or PKCS8ShroudedKeyBag\n // wrapped in an unencrypted ContentInfo. (One could also place it in a KeyBag\n // inside an encrypted ContentInfo, but OpenSSL does not do this and some\n // PKCS#12 consumers do not support KeyBags.)\n if (pkey != NULL) {\n CBB content_info, oid, wrapper, data, safe_contents, bag, bag_oid,\n bag_contents;\n if ( // Add another data ContentInfo.\n !CBB_add_asn1(&content_infos, &content_info, CBS_ASN1_SEQUENCE) ||\n !CBB_add_asn1(&content_info, &oid, CBS_ASN1_OBJECT) ||\n !CBB_add_bytes(&oid, kPKCS7Data, sizeof(kPKCS7Data)) ||\n !CBB_add_asn1(&content_info, &wrapper,\n CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 0) ||\n !CBB_add_asn1(&wrapper, &data, CBS_ASN1_OCTETSTRING) ||\n !CBB_add_asn1(&data, &safe_contents, CBS_ASN1_SEQUENCE) ||\n // Add a SafeBag containing a PKCS8ShroudedKeyBag.\n !CBB_add_asn1(&safe_contents, &bag, CBS_ASN1_SEQUENCE) ||\n !CBB_add_asn1(&bag, &bag_oid, CBS_ASN1_OBJECT)) {\n goto err;\n }\n if (key_nid < 0) {\n if (!CBB_add_bytes(&bag_oid, kKeyBag, sizeof(kKeyBag)) ||\n !CBB_add_asn1(&bag, &bag_contents,\n CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 0) ||\n !EVP_marshal_private_key(&bag_contents, pkey)) {\n goto err;\n }\n } else {\n if (!CBB_add_bytes(&bag_oid, kPKCS8ShroudedKeyBag,\n sizeof(kPKCS8ShroudedKeyBag)) ||\n !CBB_add_asn1(&bag, &bag_contents,\n CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 0) ||\n !PKCS8_marshal_encrypted_private_key(\n &bag_contents, key_nid, NULL, password, password_len,\n NULL /* generate a random salt */,\n 0 /* use default salt length */, iterations, pkey)) {\n goto err;\n }\n }\n size_t name_len = 0;\n if (name) {\n name_len = strlen(name);\n }\n if (!add_bag_attributes(&bag, name, name_len, key_id, key_id_len) ||\n !CBB_flush(&content_infos)) {\n goto err;\n }\n }\n\n {\n // Compute the MAC. Match OpenSSL in using SHA-1 as the hash function. The\n // MAC covers |auth_safe_data|.\n const EVP_MD *mac_md = EVP_sha1();\n uint8_t mac_salt[PKCS5_SALT_LEN];\n uint8_t mac[EVP_MAX_MD_SIZE];\n unsigned mac_len;\n if (!CBB_flush(&auth_safe_data) ||\n !RAND_bytes(mac_salt, sizeof(mac_salt)) ||\n !pkcs12_key_gen(password, password_len, mac_salt, sizeof(mac_salt),\n PKCS12_MAC_ID, mac_iterations, EVP_MD_size(mac_md),\n mac_key, mac_md) ||\n !HMAC(mac_md, mac_key, EVP_MD_size(mac_md), CBB_data(&auth_safe_data),\n CBB_len(&auth_safe_data), mac, &mac_len)) {\n goto err;\n }\n\n CBB mac_data, digest_info, mac_cbb, mac_salt_cbb;\n if (!CBB_add_asn1(&pfx, &mac_data, CBS_ASN1_SEQUENCE) ||\n !CBB_add_asn1(&mac_data, &digest_info, CBS_ASN1_SEQUENCE) ||\n !EVP_marshal_digest_algorithm(&digest_info, mac_md) ||\n !CBB_add_asn1(&digest_info, &mac_cbb, CBS_ASN1_OCTETSTRING) ||\n !CBB_add_bytes(&mac_cbb, mac, mac_len) ||\n !CBB_add_asn1(&mac_data, &mac_salt_cbb, CBS_ASN1_OCTETSTRING) ||\n !CBB_add_bytes(&mac_salt_cbb, mac_salt, sizeof(mac_salt)) ||\n // The iteration count has a DEFAULT of 1, but RFC 7292 says \"The\n // default is for historical reasons and its use is deprecated.\" Thus we\n // explicitly encode the iteration count, though it is not valid DER.\n !CBB_add_asn1_uint64(&mac_data, mac_iterations)) {\n goto err;\n }\n\n ret = reinterpret_cast(OPENSSL_malloc(sizeof(PKCS12)));\n if (ret == NULL || !CBB_finish(&cbb, &ret->ber_bytes, &ret->ber_len)) {\n OPENSSL_free(ret);\n ret = NULL;\n goto err;\n }\n }\n\nerr:\n OPENSSL_cleanse(mac_key, sizeof(mac_key));\n CBB_cleanup(&cbb);\n return ret;\n}\n\nvoid PKCS12_free(PKCS12 *p12) {\n if (p12 == NULL) {\n return;\n }\n OPENSSL_free(p12->ber_bytes);\n OPENSSL_free(p12);\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/poly1305/internal.h", "content": "/* Copyright 2016 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n#ifndef OPENSSL_HEADER_POLY1305_INTERNAL_H\n#define OPENSSL_HEADER_POLY1305_INTERNAL_H\n\n#include \n#include \n\n#if defined(__cplusplus)\nextern \"C\" {\n#endif\n\n#if defined(OPENSSL_ARM) && !defined(OPENSSL_NO_ASM) && !defined(OPENSSL_APPLE)\n#define OPENSSL_POLY1305_NEON\n\nvoid CRYPTO_poly1305_init_neon(poly1305_state *state, const uint8_t key[32]);\n\nvoid CRYPTO_poly1305_update_neon(poly1305_state *state, const uint8_t *in,\n size_t in_len);\n\nvoid CRYPTO_poly1305_finish_neon(poly1305_state *state, uint8_t mac[16]);\n#endif\n\n\n#if defined(__cplusplus)\n} // extern C\n#endif\n\n#endif // OPENSSL_HEADER_POLY1305_INTERNAL_H\n" }, { "path": "Sources/CNIOBoringSSL/crypto/poly1305/poly1305.cc", "content": "/* Copyright 2014 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n// This implementation of poly1305 is by Andrew Moon\n// (https://github.com/floodyberry/poly1305-donna) and released as public\n// domain.\n\n#include \n\n#include \n#include \n\n#include \"../internal.h\"\n#include \"internal.h\"\n\n\n#if !defined(BORINGSSL_HAS_UINT128) || !defined(OPENSSL_X86_64)\n\nstatic uint64_t mul32x32_64(uint32_t a, uint32_t b) { return (uint64_t)a * b; }\n\nstruct poly1305_state_st {\n uint32_t r0, r1, r2, r3, r4;\n uint32_t s1, s2, s3, s4;\n uint32_t h0, h1, h2, h3, h4;\n uint8_t buf[16];\n size_t buf_used;\n uint8_t key[16];\n};\n\nstatic_assert(\n sizeof(struct poly1305_state_st) + 63 <= sizeof(poly1305_state),\n \"poly1305_state isn't large enough to hold aligned poly1305_state_st\");\n\nstatic inline struct poly1305_state_st *poly1305_aligned_state(\n poly1305_state *state) {\n return reinterpret_cast(align_pointer(state, 64));\n}\n\n// poly1305_blocks updates |state| given some amount of input data. This\n// function may only be called with a |len| that is not a multiple of 16 at the\n// end of the data. Otherwise the input must be buffered into 16 byte blocks.\nstatic void poly1305_update(struct poly1305_state_st *state, const uint8_t *in,\n size_t len) {\n uint32_t t0, t1, t2, t3;\n uint64_t t[5];\n uint32_t b;\n uint64_t c;\n size_t j;\n uint8_t mp[16];\n\n if (len < 16) {\n goto poly1305_donna_atmost15bytes;\n }\n\npoly1305_donna_16bytes:\n t0 = CRYPTO_load_u32_le(in);\n t1 = CRYPTO_load_u32_le(in + 4);\n t2 = CRYPTO_load_u32_le(in + 8);\n t3 = CRYPTO_load_u32_le(in + 12);\n\n in += 16;\n len -= 16;\n\n state->h0 += t0 & 0x3ffffff;\n state->h1 += ((((uint64_t)t1 << 32) | t0) >> 26) & 0x3ffffff;\n state->h2 += ((((uint64_t)t2 << 32) | t1) >> 20) & 0x3ffffff;\n state->h3 += ((((uint64_t)t3 << 32) | t2) >> 14) & 0x3ffffff;\n state->h4 += (t3 >> 8) | (1 << 24);\n\npoly1305_donna_mul:\n t[0] = mul32x32_64(state->h0, state->r0) + mul32x32_64(state->h1, state->s4) +\n mul32x32_64(state->h2, state->s3) + mul32x32_64(state->h3, state->s2) +\n mul32x32_64(state->h4, state->s1);\n t[1] = mul32x32_64(state->h0, state->r1) + mul32x32_64(state->h1, state->r0) +\n mul32x32_64(state->h2, state->s4) + mul32x32_64(state->h3, state->s3) +\n mul32x32_64(state->h4, state->s2);\n t[2] = mul32x32_64(state->h0, state->r2) + mul32x32_64(state->h1, state->r1) +\n mul32x32_64(state->h2, state->r0) + mul32x32_64(state->h3, state->s4) +\n mul32x32_64(state->h4, state->s3);\n t[3] = mul32x32_64(state->h0, state->r3) + mul32x32_64(state->h1, state->r2) +\n mul32x32_64(state->h2, state->r1) + mul32x32_64(state->h3, state->r0) +\n mul32x32_64(state->h4, state->s4);\n t[4] = mul32x32_64(state->h0, state->r4) + mul32x32_64(state->h1, state->r3) +\n mul32x32_64(state->h2, state->r2) + mul32x32_64(state->h3, state->r1) +\n mul32x32_64(state->h4, state->r0);\n\n state->h0 = (uint32_t)t[0] & 0x3ffffff;\n c = (t[0] >> 26);\n t[1] += c;\n state->h1 = (uint32_t)t[1] & 0x3ffffff;\n b = (uint32_t)(t[1] >> 26);\n t[2] += b;\n state->h2 = (uint32_t)t[2] & 0x3ffffff;\n b = (uint32_t)(t[2] >> 26);\n t[3] += b;\n state->h3 = (uint32_t)t[3] & 0x3ffffff;\n b = (uint32_t)(t[3] >> 26);\n t[4] += b;\n state->h4 = (uint32_t)t[4] & 0x3ffffff;\n b = (uint32_t)(t[4] >> 26);\n state->h0 += b * 5;\n\n if (len >= 16) {\n goto poly1305_donna_16bytes;\n }\n\n// final bytes\npoly1305_donna_atmost15bytes:\n if (!len) {\n return;\n }\n\n for (j = 0; j < len; j++) {\n mp[j] = in[j];\n }\n mp[j++] = 1;\n for (; j < 16; j++) {\n mp[j] = 0;\n }\n len = 0;\n\n t0 = CRYPTO_load_u32_le(mp + 0);\n t1 = CRYPTO_load_u32_le(mp + 4);\n t2 = CRYPTO_load_u32_le(mp + 8);\n t3 = CRYPTO_load_u32_le(mp + 12);\n\n state->h0 += t0 & 0x3ffffff;\n state->h1 += ((((uint64_t)t1 << 32) | t0) >> 26) & 0x3ffffff;\n state->h2 += ((((uint64_t)t2 << 32) | t1) >> 20) & 0x3ffffff;\n state->h3 += ((((uint64_t)t3 << 32) | t2) >> 14) & 0x3ffffff;\n state->h4 += (t3 >> 8);\n\n goto poly1305_donna_mul;\n}\n\nvoid CRYPTO_poly1305_init(poly1305_state *statep, const uint8_t key[32]) {\n struct poly1305_state_st *state = poly1305_aligned_state(statep);\n uint32_t t0, t1, t2, t3;\n\n#if defined(OPENSSL_POLY1305_NEON)\n if (CRYPTO_is_NEON_capable()) {\n CRYPTO_poly1305_init_neon(statep, key);\n return;\n }\n#endif\n\n t0 = CRYPTO_load_u32_le(key + 0);\n t1 = CRYPTO_load_u32_le(key + 4);\n t2 = CRYPTO_load_u32_le(key + 8);\n t3 = CRYPTO_load_u32_le(key + 12);\n\n // precompute multipliers\n state->r0 = t0 & 0x3ffffff;\n t0 >>= 26;\n t0 |= t1 << 6;\n state->r1 = t0 & 0x3ffff03;\n t1 >>= 20;\n t1 |= t2 << 12;\n state->r2 = t1 & 0x3ffc0ff;\n t2 >>= 14;\n t2 |= t3 << 18;\n state->r3 = t2 & 0x3f03fff;\n t3 >>= 8;\n state->r4 = t3 & 0x00fffff;\n\n state->s1 = state->r1 * 5;\n state->s2 = state->r2 * 5;\n state->s3 = state->r3 * 5;\n state->s4 = state->r4 * 5;\n\n // init state\n state->h0 = 0;\n state->h1 = 0;\n state->h2 = 0;\n state->h3 = 0;\n state->h4 = 0;\n\n state->buf_used = 0;\n OPENSSL_memcpy(state->key, key + 16, sizeof(state->key));\n}\n\nvoid CRYPTO_poly1305_update(poly1305_state *statep, const uint8_t *in,\n size_t in_len) {\n struct poly1305_state_st *state = poly1305_aligned_state(statep);\n\n // Work around a C language bug. See https://crbug.com/1019588.\n if (in_len == 0) {\n return;\n }\n\n#if defined(OPENSSL_POLY1305_NEON)\n if (CRYPTO_is_NEON_capable()) {\n CRYPTO_poly1305_update_neon(statep, in, in_len);\n return;\n }\n#endif\n\n if (state->buf_used) {\n size_t todo = 16 - state->buf_used;\n if (todo > in_len) {\n todo = in_len;\n }\n for (size_t i = 0; i < todo; i++) {\n state->buf[state->buf_used + i] = in[i];\n }\n state->buf_used += todo;\n in_len -= todo;\n in += todo;\n\n if (state->buf_used == 16) {\n poly1305_update(state, state->buf, 16);\n state->buf_used = 0;\n }\n }\n\n if (in_len >= 16) {\n size_t todo = in_len & ~0xf;\n poly1305_update(state, in, todo);\n in += todo;\n in_len &= 0xf;\n }\n\n if (in_len) {\n for (size_t i = 0; i < in_len; i++) {\n state->buf[i] = in[i];\n }\n state->buf_used = in_len;\n }\n}\n\nvoid CRYPTO_poly1305_finish(poly1305_state *statep, uint8_t mac[16]) {\n struct poly1305_state_st *state = poly1305_aligned_state(statep);\n uint32_t g0, g1, g2, g3, g4;\n uint32_t b, nb;\n\n#if defined(OPENSSL_POLY1305_NEON)\n if (CRYPTO_is_NEON_capable()) {\n CRYPTO_poly1305_finish_neon(statep, mac);\n return;\n }\n#endif\n\n if (state->buf_used) {\n poly1305_update(state, state->buf, state->buf_used);\n }\n\n b = state->h0 >> 26;\n state->h0 = state->h0 & 0x3ffffff;\n state->h1 += b;\n b = state->h1 >> 26;\n state->h1 = state->h1 & 0x3ffffff;\n state->h2 += b;\n b = state->h2 >> 26;\n state->h2 = state->h2 & 0x3ffffff;\n state->h3 += b;\n b = state->h3 >> 26;\n state->h3 = state->h3 & 0x3ffffff;\n state->h4 += b;\n b = state->h4 >> 26;\n state->h4 = state->h4 & 0x3ffffff;\n state->h0 += b * 5;\n\n g0 = state->h0 + 5;\n b = g0 >> 26;\n g0 &= 0x3ffffff;\n g1 = state->h1 + b;\n b = g1 >> 26;\n g1 &= 0x3ffffff;\n g2 = state->h2 + b;\n b = g2 >> 26;\n g2 &= 0x3ffffff;\n g3 = state->h3 + b;\n b = g3 >> 26;\n g3 &= 0x3ffffff;\n g4 = state->h4 + b - (1 << 26);\n\n b = (g4 >> 31) - 1;\n nb = ~b;\n state->h0 = (state->h0 & nb) | (g0 & b);\n state->h1 = (state->h1 & nb) | (g1 & b);\n state->h2 = (state->h2 & nb) | (g2 & b);\n state->h3 = (state->h3 & nb) | (g3 & b);\n state->h4 = (state->h4 & nb) | (g4 & b);\n\n uint64_t f0 = ((state->h0) | (state->h1 << 26)) +\n (uint64_t)CRYPTO_load_u32_le(&state->key[0]);\n uint64_t f1 = ((state->h1 >> 6) | (state->h2 << 20)) +\n (uint64_t)CRYPTO_load_u32_le(&state->key[4]);\n uint64_t f2 = ((state->h2 >> 12) | (state->h3 << 14)) +\n (uint64_t)CRYPTO_load_u32_le(&state->key[8]);\n uint64_t f3 = ((state->h3 >> 18) | (state->h4 << 8)) +\n (uint64_t)CRYPTO_load_u32_le(&state->key[12]);\n\n CRYPTO_store_u32_le(&mac[0], (uint32_t)f0);\n f1 += (f0 >> 32);\n CRYPTO_store_u32_le(&mac[4], (uint32_t)f1);\n f2 += (f1 >> 32);\n CRYPTO_store_u32_le(&mac[8], (uint32_t)f2);\n f3 += (f2 >> 32);\n CRYPTO_store_u32_le(&mac[12], (uint32_t)f3);\n}\n\n#endif // !BORINGSSL_HAS_UINT128 || !OPENSSL_X86_64\n" }, { "path": "Sources/CNIOBoringSSL/crypto/poly1305/poly1305_arm.cc", "content": "/* Copyright 2014 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n// This implementation was taken from the public domain, neon2 version in\n// SUPERCOP by D. J. Bernstein and Peter Schwabe.\n\n#include \n\n#include \n#include \n\n#include \"../internal.h\"\n#include \"internal.h\"\n\n\n#if defined(OPENSSL_POLY1305_NEON)\n\ntypedef struct {\n uint32_t v[12]; // for alignment; only using 10\n} fe1305x2;\n\n#define addmulmod openssl_poly1305_neon2_addmulmod\n#define blocks openssl_poly1305_neon2_blocks\n\nextern \"C\" {\nextern void addmulmod(fe1305x2 *r, const fe1305x2 *x, const fe1305x2 *y,\n const fe1305x2 *c);\n\nextern int blocks(fe1305x2 *h, const fe1305x2 *precomp, const uint8_t *in,\n size_t inlen);\n}\n\nstatic void freeze(fe1305x2 *r) {\n int i;\n\n uint32_t x0 = r->v[0];\n uint32_t x1 = r->v[2];\n uint32_t x2 = r->v[4];\n uint32_t x3 = r->v[6];\n uint32_t x4 = r->v[8];\n uint32_t y0;\n uint32_t y1;\n uint32_t y2;\n uint32_t y3;\n uint32_t y4;\n uint32_t swap;\n\n for (i = 0; i < 3; ++i) {\n x1 += x0 >> 26;\n x0 &= 0x3ffffff;\n x2 += x1 >> 26;\n x1 &= 0x3ffffff;\n x3 += x2 >> 26;\n x2 &= 0x3ffffff;\n x4 += x3 >> 26;\n x3 &= 0x3ffffff;\n x0 += 5 * (x4 >> 26);\n x4 &= 0x3ffffff;\n }\n\n y0 = x0 + 5;\n y1 = x1 + (y0 >> 26);\n y0 &= 0x3ffffff;\n y2 = x2 + (y1 >> 26);\n y1 &= 0x3ffffff;\n y3 = x3 + (y2 >> 26);\n y2 &= 0x3ffffff;\n y4 = x4 + (y3 >> 26);\n y3 &= 0x3ffffff;\n swap = -(y4 >> 26);\n y4 &= 0x3ffffff;\n\n y0 ^= x0;\n y1 ^= x1;\n y2 ^= x2;\n y3 ^= x3;\n y4 ^= x4;\n\n y0 &= swap;\n y1 &= swap;\n y2 &= swap;\n y3 &= swap;\n y4 &= swap;\n\n y0 ^= x0;\n y1 ^= x1;\n y2 ^= x2;\n y3 ^= x3;\n y4 ^= x4;\n\n r->v[0] = y0;\n r->v[2] = y1;\n r->v[4] = y2;\n r->v[6] = y3;\n r->v[8] = y4;\n}\n\nstatic void store32(uint8_t out[4], uint32_t v) { OPENSSL_memcpy(out, &v, 4); }\n\n// load32 exists to avoid breaking strict aliasing rules in\n// fe1305x2_frombytearray.\nstatic uint32_t load32(const uint8_t t[4]) {\n uint32_t tmp;\n OPENSSL_memcpy(&tmp, t, sizeof(tmp));\n return tmp;\n}\n\nstatic void fe1305x2_tobytearray(uint8_t r[16], fe1305x2 *x) {\n uint32_t x0 = x->v[0];\n uint32_t x1 = x->v[2];\n uint32_t x2 = x->v[4];\n uint32_t x3 = x->v[6];\n uint32_t x4 = x->v[8];\n\n x1 += x0 >> 26;\n x0 &= 0x3ffffff;\n x2 += x1 >> 26;\n x1 &= 0x3ffffff;\n x3 += x2 >> 26;\n x2 &= 0x3ffffff;\n x4 += x3 >> 26;\n x3 &= 0x3ffffff;\n\n store32(r, x0 + (x1 << 26));\n store32(r + 4, (x1 >> 6) + (x2 << 20));\n store32(r + 8, (x2 >> 12) + (x3 << 14));\n store32(r + 12, (x3 >> 18) + (x4 << 8));\n}\n\nstatic void fe1305x2_frombytearray(fe1305x2 *r, const uint8_t *x, size_t xlen) {\n size_t i;\n uint8_t t[17];\n\n for (i = 0; (i < 16) && (i < xlen); i++) {\n t[i] = x[i];\n }\n xlen -= i;\n x += i;\n t[i++] = 1;\n for (; i < 17; i++) {\n t[i] = 0;\n }\n\n r->v[0] = 0x3ffffff & load32(t);\n r->v[2] = 0x3ffffff & (load32(t + 3) >> 2);\n r->v[4] = 0x3ffffff & (load32(t + 6) >> 4);\n r->v[6] = 0x3ffffff & (load32(t + 9) >> 6);\n r->v[8] = load32(t + 13);\n\n if (xlen) {\n for (i = 0; (i < 16) && (i < xlen); i++) {\n t[i] = x[i];\n }\n t[i++] = 1;\n for (; i < 17; i++) {\n t[i] = 0;\n }\n\n r->v[1] = 0x3ffffff & load32(t);\n r->v[3] = 0x3ffffff & (load32(t + 3) >> 2);\n r->v[5] = 0x3ffffff & (load32(t + 6) >> 4);\n r->v[7] = 0x3ffffff & (load32(t + 9) >> 6);\n r->v[9] = load32(t + 13);\n } else {\n r->v[1] = r->v[3] = r->v[5] = r->v[7] = r->v[9] = 0;\n }\n}\n\nstatic const fe1305x2 zero alignas(16) = {0};\n\nstruct poly1305_state_st {\n uint8_t data[sizeof(fe1305x2[5]) + 128];\n uint8_t buf[32];\n size_t buf_used;\n uint8_t key[16];\n};\n\nstatic_assert(\n sizeof(struct poly1305_state_st) + 63 <= sizeof(poly1305_state),\n \"poly1305_state isn't large enough to hold aligned poly1305_state_st.\");\n\nvoid CRYPTO_poly1305_init_neon(poly1305_state *state, const uint8_t key[32]) {\n struct poly1305_state_st *st = (struct poly1305_state_st *)(state);\n fe1305x2 *const r = (fe1305x2 *)(st->data + (15 & (-(int)st->data)));\n fe1305x2 *const h = r + 1;\n fe1305x2 *const c = h + 1;\n fe1305x2 *const precomp = c + 1;\n\n r->v[1] = r->v[0] = 0x3ffffff & load32(key);\n r->v[3] = r->v[2] = 0x3ffff03 & (load32(key + 3) >> 2);\n r->v[5] = r->v[4] = 0x3ffc0ff & (load32(key + 6) >> 4);\n r->v[7] = r->v[6] = 0x3f03fff & (load32(key + 9) >> 6);\n r->v[9] = r->v[8] = 0x00fffff & (load32(key + 12) >> 8);\n\n for (size_t j = 0; j < 10; j++) {\n h->v[j] = 0; // XXX: should fast-forward a bit\n }\n\n addmulmod(precomp, r, r, &zero); // precompute r^2\n addmulmod(precomp + 1, precomp, precomp, &zero); // precompute r^4\n\n OPENSSL_memcpy(st->key, key + 16, 16);\n st->buf_used = 0;\n}\n\nvoid CRYPTO_poly1305_update_neon(poly1305_state *state, const uint8_t *in,\n size_t in_len) {\n struct poly1305_state_st *st = (struct poly1305_state_st *)(state);\n fe1305x2 *const r = (fe1305x2 *)(st->data + (15 & (-(int)st->data)));\n fe1305x2 *const h = r + 1;\n fe1305x2 *const c = h + 1;\n fe1305x2 *const precomp = c + 1;\n\n if (st->buf_used) {\n size_t todo = 32 - st->buf_used;\n if (todo > in_len) {\n todo = in_len;\n }\n for (size_t i = 0; i < todo; i++) {\n st->buf[st->buf_used + i] = in[i];\n }\n st->buf_used += todo;\n in_len -= todo;\n in += todo;\n\n if (st->buf_used == sizeof(st->buf) && in_len) {\n addmulmod(h, h, precomp, &zero);\n fe1305x2_frombytearray(c, st->buf, sizeof(st->buf));\n for (size_t i = 0; i < 10; i++) {\n h->v[i] += c->v[i];\n }\n st->buf_used = 0;\n }\n }\n\n while (in_len > 32) {\n size_t tlen = 1048576;\n if (in_len < tlen) {\n tlen = in_len;\n }\n tlen -= blocks(h, precomp, in, tlen);\n in_len -= tlen;\n in += tlen;\n }\n\n if (in_len) {\n for (size_t i = 0; i < in_len; i++) {\n st->buf[i] = in[i];\n }\n st->buf_used = in_len;\n }\n}\n\nvoid CRYPTO_poly1305_finish_neon(poly1305_state *state, uint8_t mac[16]) {\n struct poly1305_state_st *st = (struct poly1305_state_st *)(state);\n fe1305x2 *const r = (fe1305x2 *)(st->data + (15 & (-(int)st->data)));\n fe1305x2 *const h = r + 1;\n fe1305x2 *const c = h + 1;\n fe1305x2 *const precomp = c + 1;\n\n addmulmod(h, h, precomp, &zero);\n\n if (st->buf_used > 16) {\n fe1305x2_frombytearray(c, st->buf, st->buf_used);\n precomp->v[1] = r->v[1];\n precomp->v[3] = r->v[3];\n precomp->v[5] = r->v[5];\n precomp->v[7] = r->v[7];\n precomp->v[9] = r->v[9];\n addmulmod(h, h, precomp, c);\n } else if (st->buf_used > 0) {\n fe1305x2_frombytearray(c, st->buf, st->buf_used);\n r->v[1] = 1;\n r->v[3] = 0;\n r->v[5] = 0;\n r->v[7] = 0;\n r->v[9] = 0;\n addmulmod(h, h, r, c);\n }\n\n h->v[0] += h->v[1];\n h->v[2] += h->v[3];\n h->v[4] += h->v[5];\n h->v[6] += h->v[7];\n h->v[8] += h->v[9];\n freeze(h);\n\n fe1305x2_frombytearray(c, st->key, 16);\n c->v[8] ^= (1 << 24);\n\n h->v[0] += c->v[0];\n h->v[2] += c->v[2];\n h->v[4] += c->v[4];\n h->v[6] += c->v[6];\n h->v[8] += c->v[8];\n fe1305x2_tobytearray(mac, h);\n}\n\n#endif // OPENSSL_POLY1305_NEON\n" }, { "path": "Sources/CNIOBoringSSL/crypto/poly1305/poly1305_arm_asm.S", "content": "#define BORINGSSL_PREFIX CNIOBoringSSL\n#if defined(__arm__) && defined(__linux__)\n#include \n\n#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_ARM) && defined(__ELF__)\n\n# This implementation was taken from the public domain, neon2 version in\n# SUPERCOP by D. J. Bernstein and Peter Schwabe.\n\n# qhasm: int32 input_0\n\n# qhasm: int32 input_1\n\n# qhasm: int32 input_2\n\n# qhasm: int32 input_3\n\n# qhasm: stack32 input_4\n\n# qhasm: stack32 input_5\n\n# qhasm: stack32 input_6\n\n# qhasm: stack32 input_7\n\n# qhasm: int32 caller_r4\n\n# qhasm: int32 caller_r5\n\n# qhasm: int32 caller_r6\n\n# qhasm: int32 caller_r7\n\n# qhasm: int32 caller_r8\n\n# qhasm: int32 caller_r9\n\n# qhasm: int32 caller_r10\n\n# qhasm: int32 caller_r11\n\n# qhasm: int32 caller_r12\n\n# qhasm: int32 caller_r14\n\n# qhasm: reg128 caller_q4\n\n# qhasm: reg128 caller_q5\n\n# qhasm: reg128 caller_q6\n\n# qhasm: reg128 caller_q7\n\n# qhasm: startcode\n.fpu neon\n.text\n\n# qhasm: reg128 r0\n\n# qhasm: reg128 r1\n\n# qhasm: reg128 r2\n\n# qhasm: reg128 r3\n\n# qhasm: reg128 r4\n\n# qhasm: reg128 x01\n\n# qhasm: reg128 x23\n\n# qhasm: reg128 x4\n\n# qhasm: reg128 y0\n\n# qhasm: reg128 y12\n\n# qhasm: reg128 y34\n\n# qhasm: reg128 5y12\n\n# qhasm: reg128 5y34\n\n# qhasm: stack128 y0_stack\n\n# qhasm: stack128 y12_stack\n\n# qhasm: stack128 y34_stack\n\n# qhasm: stack128 5y12_stack\n\n# qhasm: stack128 5y34_stack\n\n# qhasm: reg128 z0\n\n# qhasm: reg128 z12\n\n# qhasm: reg128 z34\n\n# qhasm: reg128 5z12\n\n# qhasm: reg128 5z34\n\n# qhasm: stack128 z0_stack\n\n# qhasm: stack128 z12_stack\n\n# qhasm: stack128 z34_stack\n\n# qhasm: stack128 5z12_stack\n\n# qhasm: stack128 5z34_stack\n\n# qhasm: stack128 two24\n\n# qhasm: int32 ptr\n\n# qhasm: reg128 c01\n\n# qhasm: reg128 c23\n\n# qhasm: reg128 d01\n\n# qhasm: reg128 d23\n\n# qhasm: reg128 t0\n\n# qhasm: reg128 t1\n\n# qhasm: reg128 t2\n\n# qhasm: reg128 t3\n\n# qhasm: reg128 t4\n\n# qhasm: reg128 mask\n\n# qhasm: reg128 u0\n\n# qhasm: reg128 u1\n\n# qhasm: reg128 u2\n\n# qhasm: reg128 u3\n\n# qhasm: reg128 u4\n\n# qhasm: reg128 v01\n\n# qhasm: reg128 mid\n\n# qhasm: reg128 v23\n\n# qhasm: reg128 v4\n\n# qhasm: int32 len\n\n# qhasm: qpushenter crypto_onetimeauth_poly1305_neon2_blocks\n.align 4\n.global openssl_poly1305_neon2_blocks\n.hidden openssl_poly1305_neon2_blocks\n.type openssl_poly1305_neon2_blocks STT_FUNC\nopenssl_poly1305_neon2_blocks:\nvpush {q4,q5,q6,q7}\nmov r12,sp\nsub sp,sp,#192\nbic sp,sp,#31\n\n# qhasm: len = input_3\n# asm 1: mov >len=int32#4,len=r3,y12=reg128#2%bot->y12=reg128#2%top},[y12=d2->y12=d3},[y34=reg128#3%bot->y34=reg128#3%top},[y34=d4->y34=d5},[input_1=int32#2,input_1=r1,z12=reg128#5%bot->z12=reg128#5%top},[z12=d8->z12=d9},[z34=reg128#6%bot->z34=reg128#6%top},[z34=d10->z34=d11},[mask=reg128#7,#0xffffffff\n# asm 2: vmov.i64 >mask=q6,#0xffffffff\nvmov.i64 q6,#0xffffffff\n\n# qhasm: 2x u4 = 0xff\n# asm 1: vmov.i64 >u4=reg128#8,#0xff\n# asm 2: vmov.i64 >u4=q7,#0xff\nvmov.i64 q7,#0xff\n\n# qhasm: x01 aligned= mem128[input_0];input_0+=16\n# asm 1: vld1.8 {>x01=reg128#9%bot->x01=reg128#9%top},[x01=d16->x01=d17},[x23=reg128#10%bot->x23=reg128#10%top},[x23=d18->x23=d19},[input_0=int32#1,input_0=r0,>=6\n# asm 1: vshr.u64 >mask=reg128#7,mask=q6,>= 7\n# asm 1: vshr.u64 >u4=reg128#8,u4=q7,5y12=reg128#12,5y12=q11,5y34=reg128#13,5y34=q12,5y12=reg128#12,<5y12=reg128#12,5y12=q11,<5y12=q11,5y34=reg128#13,<5y34=reg128#13,5y34=q12,<5y34=q12,u4=reg128#8,u4=q7,5z12=reg128#14,5z12=q13,5z34=reg128#15,5z34=q14,5z12=reg128#14,<5z12=reg128#14,5z12=q13,<5z12=q13,5z34=reg128#15,<5z34=reg128#15,5z34=q14,<5z34=q14,ptr=int32#2,ptr=r1,r4=reg128#16,r4=q15,r0=reg128#8,r0=q7,ptr=int32#2,ptr=r1,ptr=int32#2,ptr=r1,ptr=int32#2,ptr=r1,ptr=int32#2,ptr=r1,ptr=int32#2,ptr=r1,ptr=int32#2,ptr=r1,ptr=int32#2,<5y12_stack=stack128#5\n# asm 2: lea >ptr=r1,<5y12_stack=[sp,#64]\nadd r1,sp,#64\n\n# qhasm: mem128[ptr] aligned= 5y12\n# asm 1: vst1.8 {<5y12=reg128#12%bot-<5y12=reg128#12%top},[ptr=int32#2,<5y34_stack=stack128#6\n# asm 2: lea >ptr=r1,<5y34_stack=[sp,#80]\nadd r1,sp,#80\n\n# qhasm: mem128[ptr] aligned= 5y34\n# asm 1: vst1.8 {<5y34=reg128#13%bot-<5y34=reg128#13%top},[ptr=int32#2,<5z12_stack=stack128#10\n# asm 2: lea >ptr=r1,<5z12_stack=[sp,#144]\nadd r1,sp,#144\n\n# qhasm: mem128[ptr] aligned= 5z12\n# asm 1: vst1.8 {<5z12=reg128#14%bot-<5z12=reg128#14%top},[ptr=int32#2,<5z34_stack=stack128#11\n# asm 2: lea >ptr=r1,<5z34_stack=[sp,#160]\nadd r1,sp,#160\n\n# qhasm: mem128[ptr] aligned= 5z34\n# asm 1: vst1.8 {<5z34=reg128#15%bot-<5z34=reg128#15%top},[? len - 64\n# asm 1: cmp \nbls ._below64bytes\n\n# qhasm: input_2 += 32\n# asm 1: add >input_2=int32#2,input_2=r1,c01=reg128#1%bot->c01=reg128#1%top},[c01=d0->c01=d1},[c23=reg128#2%bot->c23=reg128#2%top},[c23=d2->c23=d3},[ptr=int32#3,ptr=r2,z12=reg128#3%bot->z12=reg128#3%top},[z12=d4->z12=d5},[ptr=int32#3,ptr=r2,z0=reg128#4%bot->z0=reg128#4%top},[z0=d6->z0=d7},[r3=reg128#5,r3=q4,input_2=int32#2,input_2=r1,ptr=int32#3,<5z34_stack=stack128#11\n# asm 2: lea >ptr=r2,<5z34_stack=[sp,#160]\nadd r2,sp,#160\n\n# qhasm: 5z34 aligned= mem128[ptr]\n# asm 1: vld1.8 {>5z34=reg128#6%bot->5z34=reg128#6%top},[5z34=d10->5z34=d11},[r0=reg128#8,r0=q7,r2=reg128#14,r2=q13,d01=reg128#12%bot->d01=reg128#12%top},[d01=d22->d01=d23},[r1=reg128#15,r1=q14,ptr=int32#3,<5z12_stack=stack128#10\n# asm 2: lea >ptr=r2,<5z12_stack=[sp,#144]\nadd r2,sp,#144\n\n# qhasm: 5z12 aligned= mem128[ptr]\n# asm 1: vld1.8 {>5z12=reg128#1%bot->5z12=reg128#1%top},[5z12=d0->5z12=d1},[d23=reg128#2%bot->d23=reg128#2%top},[d23=d2->d23=d3},[input_2=int32#2,input_2=r1,> 40 \n# asm 1: vshr.u64 >v4=reg128#4,v4=q3,> 14; v23[3] = d23[2,3] unsigned>> 14\n# asm 1: vshrn.u64 > 26; v01[3] = d01[2,3] unsigned>> 26\n# asm 1: vshrn.u64 > 20; v23[1] = mid[2,3] unsigned>> 20\n# asm 1: vshrn.u64 ptr=int32#3,ptr=r2,y34=reg128#3%bot->y34=reg128#3%top},[y34=d4->y34=d5},[ptr=int32#3,ptr=r2,y12=reg128#2%bot->y12=reg128#2%top},[y12=d2->y12=d3},[ptr=int32#3,ptr=r2,y0=reg128#1%bot->y0=reg128#1%top},[y0=d0->y0=d1},[ptr=int32#3,<5y34_stack=stack128#6\n# asm 2: lea >ptr=r2,<5y34_stack=[sp,#80]\nadd r2,sp,#80\n\n# qhasm: 5y34 aligned= mem128[ptr]\n# asm 1: vld1.8 {>5y34=reg128#13%bot->5y34=reg128#13%top},[5y34=d24->5y34=d25},[ptr=int32#3,<5y12_stack=stack128#5\n# asm 2: lea >ptr=r2,<5y12_stack=[sp,#64]\nadd r2,sp,#64\n\n# qhasm: 5y12 aligned= mem128[ptr]\n# asm 1: vld1.8 {>5y12=reg128#12%bot->5y12=reg128#12%top},[5y12=d22->5y12=d23},[ptr=int32#3,ptr=r2,> 26\n# asm 1: vshr.u64 >t1=reg128#4,t1=q3,len=int32#4,len=r3,r0=reg128#6,r0=q5,r1=reg128#4,r1=q3,> 26\n# asm 1: vshr.u64 >t4=reg128#8,t4=q7,r3=reg128#5,r3=q4,x4=reg128#8,x4=q7,r4=reg128#16%bot->r4=reg128#16%top},[r4=d30->r4=d31},[> 26\n# asm 1: vshr.u64 >t2=reg128#9,t2=q8,r1=reg128#4,r1=q3,> 26\n# asm 1: vshr.u64 >t0=reg128#10,t0=q9,r2=reg128#9,r2=q8,x4=reg128#11,x4=q10,x01=reg128#6,x01=q5,r0=reg128#8%bot->r0=reg128#8%top},[r0=d14->r0=d15},[ptr=int32#3,ptr=r2,t0=reg128#10,t0=q9,> 26\n# asm 1: vshr.u64 >t3=reg128#14,t3=q13,x01=reg128#15,x01=q14,z34=reg128#6%bot->z34=reg128#6%top},[z34=d10->z34=d11},[x23=reg128#10,x23=q9,r3=reg128#5,r3=q4,input_2=int32#2,input_2=r1,> 26\n# asm 1: vshr.u64 >t1=reg128#14,t1=q13,x01=reg128#9,x01=q8,r1=reg128#4,r1=q3,> 26\n# asm 1: vshr.u64 >t4=reg128#14,t4=q13,r3=reg128#5,r3=q4,x4=reg128#11,x4=q10,? len - 64\n# asm 1: cmp \nbhi ._mainloop2\n\n# qhasm: input_2 -= 32\n# asm 1: sub >input_2=int32#3,input_2=r2,? len - 32\n# asm 1: cmp \nbls ._end\n\n# qhasm: mainloop:\n._mainloop:\n\n# qhasm: new r0\n\n# qhasm: ptr = &two24\n# asm 1: lea >ptr=int32#2,ptr=r1,r4=reg128#5%bot->r4=reg128#5%top},[r4=d8->r4=d9},[u4=reg128#6%bot->u4=reg128#6%top},[u4=d10->u4=d11},[c01=reg128#8%bot->c01=reg128#8%top},[c01=d14->c01=d15},[c23=reg128#14%bot->c23=reg128#14%top},[c23=d26->c23=d27},[r0=reg128#4,r0=q3,r3=reg128#6,r3=q5,r1=reg128#14,r1=q13,r2=reg128#8,r2=q7,> 26\n# asm 1: vshr.u64 >t1=reg128#9,t1=q8,r0=reg128#4,r0=q3,r1=reg128#9,r1=q8,> 26\n# asm 1: vshr.u64 >t4=reg128#10,t4=q9,r3=reg128#6,r3=q5,r4=reg128#5,r4=q4,> 26\n# asm 1: vshr.u64 >t2=reg128#10,t2=q9,r1=reg128#11,r1=q10,> 26\n# asm 1: vshr.u64 >t0=reg128#9,t0=q8,r2=reg128#8,r2=q7,r4=reg128#5,r4=q4,r0=reg128#4,r0=q3,t0=reg128#9,t0=q8,> 26\n# asm 1: vshr.u64 >t3=reg128#14,t3=q13,r0=reg128#4,r0=q3,x23=reg128#10,x23=q9,r3=reg128#6,r3=q5,> 26\n# asm 1: vshr.u64 >t1=reg128#8,t1=q7,x01=reg128#9,x01=q8,r1=reg128#4,r1=q3,> 26\n# asm 1: vshr.u64 >t4=reg128#8,t4=q7,r3=reg128#6,r3=q5,x4=reg128#11,x4=q10,len=int32#4,len=r3,? len - 32\n# asm 1: cmp \nbhi ._mainloop\n\n# qhasm: end:\n._end:\n\n# qhasm: mem128[input_0] = x01;input_0+=16\n# asm 1: vst1.8 {len=int32#1,len=r0,mask=reg128#1,#0xffffffff\n# asm 2: vmov.i64 >mask=q0,#0xffffffff\nvmov.i64 q0,#0xffffffff\n\n# qhasm: y01 aligned= mem128[input_2];input_2+=16\n# asm 1: vld1.8 {>y01=reg128#2%bot->y01=reg128#2%top},[y01=d2->y01=d3},[_5y01=reg128#3,_5y01=q2,y23=reg128#4%bot->y23=reg128#4%top},[y23=d6->y23=d7},[_5y23=reg128#9,_5y23=q8,_5y4=reg128#11,_5y4=q10,x01=reg128#12%bot->x01=reg128#12%top},[x01=d22->x01=d23},[_5y01=reg128#3,<_5y01=reg128#3,_5y01=q2,<_5y01=q2,x23=reg128#13%bot->x23=reg128#13%top},[x23=d24->x23=d25},[_5y23=reg128#9,<_5y23=reg128#9,_5y23=q8,<_5y23=q8,_5y4=reg128#11,<_5y4=reg128#11,_5y4=q10,<_5y4=q10,c01=reg128#14%bot->c01=reg128#14%top},[c01=d26->c01=d27},[x01=reg128#12,x01=q11,c23=reg128#14%bot->c23=reg128#14%top},[c23=d26->c23=d27},[x23=reg128#13,x23=q12,>=6\n# asm 1: vshr.u64 >mask=reg128#1,mask=q0,x4=reg128#14,x4=q13,r0=reg128#15,r0=q14,r1=reg128#3,r1=q2,r2=reg128#16,r2=q15,r3=reg128#9,r3=q8,r4=reg128#10,r4=q9,> 26\n# asm 1: vshr.u64 >t1=reg128#2,t1=q1,r0=reg128#4,r0=q3,r1=reg128#2,r1=q1,> 26\n# asm 1: vshr.u64 >t4=reg128#3,t4=q2,r3=reg128#9,r3=q8,r4=reg128#3,r4=q2,> 26\n# asm 1: vshr.u64 >t2=reg128#10,t2=q9,r1=reg128#2,r1=q1,> 26\n# asm 1: vshr.u64 >t0=reg128#11,t0=q10,r2=reg128#10,r2=q9,r4=reg128#3,r4=q2,r0=reg128#4,r0=q3,t0=reg128#11,t0=q10,> 26\n# asm 1: vshr.u64 >t3=reg128#12,t3=q11,r0=reg128#4,r0=q3,x23=reg128#10,x23=q9,r3=reg128#9,r3=q8,> 26\n# asm 1: vshr.u64 >t1=reg128#11,t1=q10,x01=reg128#4,x01=q3,r1=reg128#2,r1=q1,> 26\n# asm 1: vshr.u64 >t4=reg128#11,t4=q10,r3=reg128#1,r3=q0,x4=reg128#3,x4=q2,\n\n#include \n\n#include \"../internal.h\"\n\n\n#if defined(BORINGSSL_HAS_UINT128) && defined(OPENSSL_X86_64)\n\n#include \n\ntypedef __m128i xmmi;\n\nalignas(16) static const uint32_t poly1305_x64_sse2_message_mask[4] = {\n (1 << 26) - 1, 0, (1 << 26) - 1, 0};\nalignas(16) static const uint32_t poly1305_x64_sse2_5[4] = {5, 0, 5, 0};\nalignas(16) static const uint32_t poly1305_x64_sse2_1shl128[4] = {(1 << 24), 0,\n (1 << 24), 0};\n\nstatic inline uint128_t add128(uint128_t a, uint128_t b) { return a + b; }\n\nstatic inline uint128_t add128_64(uint128_t a, uint64_t b) { return a + b; }\n\nstatic inline uint128_t mul64x64_128(uint64_t a, uint64_t b) {\n return (uint128_t)a * b;\n}\n\nstatic inline uint64_t lo128(uint128_t a) { return (uint64_t)a; }\n\nstatic inline uint64_t shr128(uint128_t v, const int shift) {\n return (uint64_t)(v >> shift);\n}\n\nstatic inline uint64_t shr128_pair(uint64_t hi, uint64_t lo, const int shift) {\n return (uint64_t)((((uint128_t)hi << 64) | lo) >> shift);\n}\n\ntypedef struct poly1305_power_t {\n union {\n xmmi v;\n uint64_t u[2];\n uint32_t d[4];\n } R20, R21, R22, R23, R24, S21, S22, S23, S24;\n} poly1305_power;\n\ntypedef struct poly1305_state_internal_t {\n poly1305_power P[2]; /* 288 bytes, top 32 bit halves unused = 144\n bytes of free storage */\n union {\n xmmi H[5]; // 80 bytes\n uint64_t HH[10];\n };\n // uint64_t r0,r1,r2; [24 bytes]\n // uint64_t pad0,pad1; [16 bytes]\n uint64_t started; // 8 bytes\n uint64_t leftover; // 8 bytes\n uint8_t buffer[64]; // 64 bytes\n} poly1305_state_internal; /* 448 bytes total + 63 bytes for\n alignment = 511 bytes raw */\n\nstatic_assert(sizeof(struct poly1305_state_internal_t) + 63 <=\n sizeof(poly1305_state),\n \"poly1305_state isn't large enough to hold aligned \"\n \"poly1305_state_internal_t\");\n\nstatic inline poly1305_state_internal *poly1305_aligned_state(\n poly1305_state *state) {\n return (poly1305_state_internal *)(((uint64_t)state + 63) & ~63);\n}\n\nstatic inline size_t poly1305_min(size_t a, size_t b) {\n return (a < b) ? a : b;\n}\n\nvoid CRYPTO_poly1305_init(poly1305_state *state, const uint8_t key[32]) {\n poly1305_state_internal *st = poly1305_aligned_state(state);\n poly1305_power *p;\n uint64_t r0, r1, r2;\n uint64_t t0, t1;\n\n // clamp key\n t0 = CRYPTO_load_u64_le(key + 0);\n t1 = CRYPTO_load_u64_le(key + 8);\n r0 = t0 & 0xffc0fffffff;\n t0 >>= 44;\n t0 |= t1 << 20;\n r1 = t0 & 0xfffffc0ffff;\n t1 >>= 24;\n r2 = t1 & 0x00ffffffc0f;\n\n // store r in un-used space of st->P[1]\n p = &st->P[1];\n p->R20.d[1] = (uint32_t)(r0);\n p->R20.d[3] = (uint32_t)(r0 >> 32);\n p->R21.d[1] = (uint32_t)(r1);\n p->R21.d[3] = (uint32_t)(r1 >> 32);\n p->R22.d[1] = (uint32_t)(r2);\n p->R22.d[3] = (uint32_t)(r2 >> 32);\n\n // store pad\n p->R23.d[1] = CRYPTO_load_u32_le(key + 16);\n p->R23.d[3] = CRYPTO_load_u32_le(key + 20);\n p->R24.d[1] = CRYPTO_load_u32_le(key + 24);\n p->R24.d[3] = CRYPTO_load_u32_le(key + 28);\n\n // H = 0\n st->H[0] = _mm_setzero_si128();\n st->H[1] = _mm_setzero_si128();\n st->H[2] = _mm_setzero_si128();\n st->H[3] = _mm_setzero_si128();\n st->H[4] = _mm_setzero_si128();\n\n st->started = 0;\n st->leftover = 0;\n}\n\nstatic void poly1305_first_block(poly1305_state_internal *st,\n const uint8_t *m) {\n const xmmi MMASK =\n _mm_load_si128((const xmmi *)poly1305_x64_sse2_message_mask);\n const xmmi FIVE = _mm_load_si128((const xmmi *)poly1305_x64_sse2_5);\n const xmmi HIBIT = _mm_load_si128((const xmmi *)poly1305_x64_sse2_1shl128);\n xmmi T5, T6;\n poly1305_power *p;\n uint128_t d[3];\n uint64_t r0, r1, r2;\n uint64_t r20, r21, r22, s22;\n uint64_t pad0, pad1;\n uint64_t c;\n uint64_t i;\n\n // pull out stored info\n p = &st->P[1];\n\n r0 = ((uint64_t)p->R20.d[3] << 32) | (uint64_t)p->R20.d[1];\n r1 = ((uint64_t)p->R21.d[3] << 32) | (uint64_t)p->R21.d[1];\n r2 = ((uint64_t)p->R22.d[3] << 32) | (uint64_t)p->R22.d[1];\n pad0 = ((uint64_t)p->R23.d[3] << 32) | (uint64_t)p->R23.d[1];\n pad1 = ((uint64_t)p->R24.d[3] << 32) | (uint64_t)p->R24.d[1];\n\n // compute powers r^2,r^4\n r20 = r0;\n r21 = r1;\n r22 = r2;\n for (i = 0; i < 2; i++) {\n s22 = r22 * (5 << 2);\n\n d[0] = add128(mul64x64_128(r20, r20), mul64x64_128(r21 * 2, s22));\n d[1] = add128(mul64x64_128(r22, s22), mul64x64_128(r20 * 2, r21));\n d[2] = add128(mul64x64_128(r21, r21), mul64x64_128(r22 * 2, r20));\n\n r20 = lo128(d[0]) & 0xfffffffffff;\n c = shr128(d[0], 44);\n d[1] = add128_64(d[1], c);\n r21 = lo128(d[1]) & 0xfffffffffff;\n c = shr128(d[1], 44);\n d[2] = add128_64(d[2], c);\n r22 = lo128(d[2]) & 0x3ffffffffff;\n c = shr128(d[2], 42);\n r20 += c * 5;\n c = (r20 >> 44);\n r20 = r20 & 0xfffffffffff;\n r21 += c;\n\n p->R20.v = _mm_shuffle_epi32(_mm_cvtsi32_si128((uint32_t)(r20) & 0x3ffffff),\n _MM_SHUFFLE(1, 0, 1, 0));\n p->R21.v = _mm_shuffle_epi32(\n _mm_cvtsi32_si128((uint32_t)((r20 >> 26) | (r21 << 18)) & 0x3ffffff),\n _MM_SHUFFLE(1, 0, 1, 0));\n p->R22.v =\n _mm_shuffle_epi32(_mm_cvtsi32_si128((uint32_t)((r21 >> 8)) & 0x3ffffff),\n _MM_SHUFFLE(1, 0, 1, 0));\n p->R23.v = _mm_shuffle_epi32(\n _mm_cvtsi32_si128((uint32_t)((r21 >> 34) | (r22 << 10)) & 0x3ffffff),\n _MM_SHUFFLE(1, 0, 1, 0));\n p->R24.v = _mm_shuffle_epi32(_mm_cvtsi32_si128((uint32_t)((r22 >> 16))),\n _MM_SHUFFLE(1, 0, 1, 0));\n p->S21.v = _mm_mul_epu32(p->R21.v, FIVE);\n p->S22.v = _mm_mul_epu32(p->R22.v, FIVE);\n p->S23.v = _mm_mul_epu32(p->R23.v, FIVE);\n p->S24.v = _mm_mul_epu32(p->R24.v, FIVE);\n p--;\n }\n\n // put saved info back\n p = &st->P[1];\n p->R20.d[1] = (uint32_t)(r0);\n p->R20.d[3] = (uint32_t)(r0 >> 32);\n p->R21.d[1] = (uint32_t)(r1);\n p->R21.d[3] = (uint32_t)(r1 >> 32);\n p->R22.d[1] = (uint32_t)(r2);\n p->R22.d[3] = (uint32_t)(r2 >> 32);\n p->R23.d[1] = (uint32_t)(pad0);\n p->R23.d[3] = (uint32_t)(pad0 >> 32);\n p->R24.d[1] = (uint32_t)(pad1);\n p->R24.d[3] = (uint32_t)(pad1 >> 32);\n\n // H = [Mx,My]\n T5 = _mm_unpacklo_epi64(_mm_loadl_epi64((const xmmi *)(m + 0)),\n _mm_loadl_epi64((const xmmi *)(m + 16)));\n T6 = _mm_unpacklo_epi64(_mm_loadl_epi64((const xmmi *)(m + 8)),\n _mm_loadl_epi64((const xmmi *)(m + 24)));\n st->H[0] = _mm_and_si128(MMASK, T5);\n st->H[1] = _mm_and_si128(MMASK, _mm_srli_epi64(T5, 26));\n T5 = _mm_or_si128(_mm_srli_epi64(T5, 52), _mm_slli_epi64(T6, 12));\n st->H[2] = _mm_and_si128(MMASK, T5);\n st->H[3] = _mm_and_si128(MMASK, _mm_srli_epi64(T5, 26));\n st->H[4] = _mm_or_si128(_mm_srli_epi64(T6, 40), HIBIT);\n}\n\nstatic void poly1305_blocks(poly1305_state_internal *st, const uint8_t *m,\n size_t bytes) {\n const xmmi MMASK =\n _mm_load_si128((const xmmi *)poly1305_x64_sse2_message_mask);\n const xmmi FIVE = _mm_load_si128((const xmmi *)poly1305_x64_sse2_5);\n const xmmi HIBIT = _mm_load_si128((const xmmi *)poly1305_x64_sse2_1shl128);\n\n poly1305_power *p;\n xmmi H0, H1, H2, H3, H4;\n xmmi T0, T1, T2, T3, T4, T5, T6;\n xmmi M0, M1, M2, M3, M4;\n xmmi C1, C2;\n\n H0 = st->H[0];\n H1 = st->H[1];\n H2 = st->H[2];\n H3 = st->H[3];\n H4 = st->H[4];\n\n while (bytes >= 64) {\n // H *= [r^4,r^4]\n p = &st->P[0];\n T0 = _mm_mul_epu32(H0, p->R20.v);\n T1 = _mm_mul_epu32(H0, p->R21.v);\n T2 = _mm_mul_epu32(H0, p->R22.v);\n T3 = _mm_mul_epu32(H0, p->R23.v);\n T4 = _mm_mul_epu32(H0, p->R24.v);\n T5 = _mm_mul_epu32(H1, p->S24.v);\n T6 = _mm_mul_epu32(H1, p->R20.v);\n T0 = _mm_add_epi64(T0, T5);\n T1 = _mm_add_epi64(T1, T6);\n T5 = _mm_mul_epu32(H2, p->S23.v);\n T6 = _mm_mul_epu32(H2, p->S24.v);\n T0 = _mm_add_epi64(T0, T5);\n T1 = _mm_add_epi64(T1, T6);\n T5 = _mm_mul_epu32(H3, p->S22.v);\n T6 = _mm_mul_epu32(H3, p->S23.v);\n T0 = _mm_add_epi64(T0, T5);\n T1 = _mm_add_epi64(T1, T6);\n T5 = _mm_mul_epu32(H4, p->S21.v);\n T6 = _mm_mul_epu32(H4, p->S22.v);\n T0 = _mm_add_epi64(T0, T5);\n T1 = _mm_add_epi64(T1, T6);\n T5 = _mm_mul_epu32(H1, p->R21.v);\n T6 = _mm_mul_epu32(H1, p->R22.v);\n T2 = _mm_add_epi64(T2, T5);\n T3 = _mm_add_epi64(T3, T6);\n T5 = _mm_mul_epu32(H2, p->R20.v);\n T6 = _mm_mul_epu32(H2, p->R21.v);\n T2 = _mm_add_epi64(T2, T5);\n T3 = _mm_add_epi64(T3, T6);\n T5 = _mm_mul_epu32(H3, p->S24.v);\n T6 = _mm_mul_epu32(H3, p->R20.v);\n T2 = _mm_add_epi64(T2, T5);\n T3 = _mm_add_epi64(T3, T6);\n T5 = _mm_mul_epu32(H4, p->S23.v);\n T6 = _mm_mul_epu32(H4, p->S24.v);\n T2 = _mm_add_epi64(T2, T5);\n T3 = _mm_add_epi64(T3, T6);\n T5 = _mm_mul_epu32(H1, p->R23.v);\n T4 = _mm_add_epi64(T4, T5);\n T5 = _mm_mul_epu32(H2, p->R22.v);\n T4 = _mm_add_epi64(T4, T5);\n T5 = _mm_mul_epu32(H3, p->R21.v);\n T4 = _mm_add_epi64(T4, T5);\n T5 = _mm_mul_epu32(H4, p->R20.v);\n T4 = _mm_add_epi64(T4, T5);\n\n // H += [Mx,My]*[r^2,r^2]\n T5 = _mm_unpacklo_epi64(_mm_loadl_epi64((const xmmi *)(m + 0)),\n _mm_loadl_epi64((const xmmi *)(m + 16)));\n T6 = _mm_unpacklo_epi64(_mm_loadl_epi64((const xmmi *)(m + 8)),\n _mm_loadl_epi64((const xmmi *)(m + 24)));\n M0 = _mm_and_si128(MMASK, T5);\n M1 = _mm_and_si128(MMASK, _mm_srli_epi64(T5, 26));\n T5 = _mm_or_si128(_mm_srli_epi64(T5, 52), _mm_slli_epi64(T6, 12));\n M2 = _mm_and_si128(MMASK, T5);\n M3 = _mm_and_si128(MMASK, _mm_srli_epi64(T5, 26));\n M4 = _mm_or_si128(_mm_srli_epi64(T6, 40), HIBIT);\n\n p = &st->P[1];\n T5 = _mm_mul_epu32(M0, p->R20.v);\n T6 = _mm_mul_epu32(M0, p->R21.v);\n T0 = _mm_add_epi64(T0, T5);\n T1 = _mm_add_epi64(T1, T6);\n T5 = _mm_mul_epu32(M1, p->S24.v);\n T6 = _mm_mul_epu32(M1, p->R20.v);\n T0 = _mm_add_epi64(T0, T5);\n T1 = _mm_add_epi64(T1, T6);\n T5 = _mm_mul_epu32(M2, p->S23.v);\n T6 = _mm_mul_epu32(M2, p->S24.v);\n T0 = _mm_add_epi64(T0, T5);\n T1 = _mm_add_epi64(T1, T6);\n T5 = _mm_mul_epu32(M3, p->S22.v);\n T6 = _mm_mul_epu32(M3, p->S23.v);\n T0 = _mm_add_epi64(T0, T5);\n T1 = _mm_add_epi64(T1, T6);\n T5 = _mm_mul_epu32(M4, p->S21.v);\n T6 = _mm_mul_epu32(M4, p->S22.v);\n T0 = _mm_add_epi64(T0, T5);\n T1 = _mm_add_epi64(T1, T6);\n T5 = _mm_mul_epu32(M0, p->R22.v);\n T6 = _mm_mul_epu32(M0, p->R23.v);\n T2 = _mm_add_epi64(T2, T5);\n T3 = _mm_add_epi64(T3, T6);\n T5 = _mm_mul_epu32(M1, p->R21.v);\n T6 = _mm_mul_epu32(M1, p->R22.v);\n T2 = _mm_add_epi64(T2, T5);\n T3 = _mm_add_epi64(T3, T6);\n T5 = _mm_mul_epu32(M2, p->R20.v);\n T6 = _mm_mul_epu32(M2, p->R21.v);\n T2 = _mm_add_epi64(T2, T5);\n T3 = _mm_add_epi64(T3, T6);\n T5 = _mm_mul_epu32(M3, p->S24.v);\n T6 = _mm_mul_epu32(M3, p->R20.v);\n T2 = _mm_add_epi64(T2, T5);\n T3 = _mm_add_epi64(T3, T6);\n T5 = _mm_mul_epu32(M4, p->S23.v);\n T6 = _mm_mul_epu32(M4, p->S24.v);\n T2 = _mm_add_epi64(T2, T5);\n T3 = _mm_add_epi64(T3, T6);\n T5 = _mm_mul_epu32(M0, p->R24.v);\n T4 = _mm_add_epi64(T4, T5);\n T5 = _mm_mul_epu32(M1, p->R23.v);\n T4 = _mm_add_epi64(T4, T5);\n T5 = _mm_mul_epu32(M2, p->R22.v);\n T4 = _mm_add_epi64(T4, T5);\n T5 = _mm_mul_epu32(M3, p->R21.v);\n T4 = _mm_add_epi64(T4, T5);\n T5 = _mm_mul_epu32(M4, p->R20.v);\n T4 = _mm_add_epi64(T4, T5);\n\n // H += [Mx,My]\n T5 = _mm_unpacklo_epi64(_mm_loadl_epi64((const xmmi *)(m + 32)),\n _mm_loadl_epi64((const xmmi *)(m + 48)));\n T6 = _mm_unpacklo_epi64(_mm_loadl_epi64((const xmmi *)(m + 40)),\n _mm_loadl_epi64((const xmmi *)(m + 56)));\n M0 = _mm_and_si128(MMASK, T5);\n M1 = _mm_and_si128(MMASK, _mm_srli_epi64(T5, 26));\n T5 = _mm_or_si128(_mm_srli_epi64(T5, 52), _mm_slli_epi64(T6, 12));\n M2 = _mm_and_si128(MMASK, T5);\n M3 = _mm_and_si128(MMASK, _mm_srli_epi64(T5, 26));\n M4 = _mm_or_si128(_mm_srli_epi64(T6, 40), HIBIT);\n\n T0 = _mm_add_epi64(T0, M0);\n T1 = _mm_add_epi64(T1, M1);\n T2 = _mm_add_epi64(T2, M2);\n T3 = _mm_add_epi64(T3, M3);\n T4 = _mm_add_epi64(T4, M4);\n\n // reduce\n C1 = _mm_srli_epi64(T0, 26);\n C2 = _mm_srli_epi64(T3, 26);\n T0 = _mm_and_si128(T0, MMASK);\n T3 = _mm_and_si128(T3, MMASK);\n T1 = _mm_add_epi64(T1, C1);\n T4 = _mm_add_epi64(T4, C2);\n C1 = _mm_srli_epi64(T1, 26);\n C2 = _mm_srli_epi64(T4, 26);\n T1 = _mm_and_si128(T1, MMASK);\n T4 = _mm_and_si128(T4, MMASK);\n T2 = _mm_add_epi64(T2, C1);\n T0 = _mm_add_epi64(T0, _mm_mul_epu32(C2, FIVE));\n C1 = _mm_srli_epi64(T2, 26);\n C2 = _mm_srli_epi64(T0, 26);\n T2 = _mm_and_si128(T2, MMASK);\n T0 = _mm_and_si128(T0, MMASK);\n T3 = _mm_add_epi64(T3, C1);\n T1 = _mm_add_epi64(T1, C2);\n C1 = _mm_srli_epi64(T3, 26);\n T3 = _mm_and_si128(T3, MMASK);\n T4 = _mm_add_epi64(T4, C1);\n\n // H = (H*[r^4,r^4] + [Mx,My]*[r^2,r^2] + [Mx,My])\n H0 = T0;\n H1 = T1;\n H2 = T2;\n H3 = T3;\n H4 = T4;\n\n m += 64;\n bytes -= 64;\n }\n\n st->H[0] = H0;\n st->H[1] = H1;\n st->H[2] = H2;\n st->H[3] = H3;\n st->H[4] = H4;\n}\n\nstatic size_t poly1305_combine(poly1305_state_internal *st, const uint8_t *m,\n size_t bytes) {\n const xmmi MMASK =\n _mm_load_si128((const xmmi *)poly1305_x64_sse2_message_mask);\n const xmmi HIBIT = _mm_load_si128((const xmmi *)poly1305_x64_sse2_1shl128);\n const xmmi FIVE = _mm_load_si128((const xmmi *)poly1305_x64_sse2_5);\n\n poly1305_power *p;\n xmmi H0, H1, H2, H3, H4;\n xmmi M0, M1, M2, M3, M4;\n xmmi T0, T1, T2, T3, T4, T5, T6;\n xmmi C1, C2;\n\n uint64_t r0, r1, r2;\n uint64_t t0, t1, t2, t3, t4;\n uint64_t c;\n size_t consumed = 0;\n\n H0 = st->H[0];\n H1 = st->H[1];\n H2 = st->H[2];\n H3 = st->H[3];\n H4 = st->H[4];\n\n // p = [r^2,r^2]\n p = &st->P[1];\n\n if (bytes >= 32) {\n // H *= [r^2,r^2]\n T0 = _mm_mul_epu32(H0, p->R20.v);\n T1 = _mm_mul_epu32(H0, p->R21.v);\n T2 = _mm_mul_epu32(H0, p->R22.v);\n T3 = _mm_mul_epu32(H0, p->R23.v);\n T4 = _mm_mul_epu32(H0, p->R24.v);\n T5 = _mm_mul_epu32(H1, p->S24.v);\n T6 = _mm_mul_epu32(H1, p->R20.v);\n T0 = _mm_add_epi64(T0, T5);\n T1 = _mm_add_epi64(T1, T6);\n T5 = _mm_mul_epu32(H2, p->S23.v);\n T6 = _mm_mul_epu32(H2, p->S24.v);\n T0 = _mm_add_epi64(T0, T5);\n T1 = _mm_add_epi64(T1, T6);\n T5 = _mm_mul_epu32(H3, p->S22.v);\n T6 = _mm_mul_epu32(H3, p->S23.v);\n T0 = _mm_add_epi64(T0, T5);\n T1 = _mm_add_epi64(T1, T6);\n T5 = _mm_mul_epu32(H4, p->S21.v);\n T6 = _mm_mul_epu32(H4, p->S22.v);\n T0 = _mm_add_epi64(T0, T5);\n T1 = _mm_add_epi64(T1, T6);\n T5 = _mm_mul_epu32(H1, p->R21.v);\n T6 = _mm_mul_epu32(H1, p->R22.v);\n T2 = _mm_add_epi64(T2, T5);\n T3 = _mm_add_epi64(T3, T6);\n T5 = _mm_mul_epu32(H2, p->R20.v);\n T6 = _mm_mul_epu32(H2, p->R21.v);\n T2 = _mm_add_epi64(T2, T5);\n T3 = _mm_add_epi64(T3, T6);\n T5 = _mm_mul_epu32(H3, p->S24.v);\n T6 = _mm_mul_epu32(H3, p->R20.v);\n T2 = _mm_add_epi64(T2, T5);\n T3 = _mm_add_epi64(T3, T6);\n T5 = _mm_mul_epu32(H4, p->S23.v);\n T6 = _mm_mul_epu32(H4, p->S24.v);\n T2 = _mm_add_epi64(T2, T5);\n T3 = _mm_add_epi64(T3, T6);\n T5 = _mm_mul_epu32(H1, p->R23.v);\n T4 = _mm_add_epi64(T4, T5);\n T5 = _mm_mul_epu32(H2, p->R22.v);\n T4 = _mm_add_epi64(T4, T5);\n T5 = _mm_mul_epu32(H3, p->R21.v);\n T4 = _mm_add_epi64(T4, T5);\n T5 = _mm_mul_epu32(H4, p->R20.v);\n T4 = _mm_add_epi64(T4, T5);\n\n // H += [Mx,My]\n T5 = _mm_unpacklo_epi64(_mm_loadl_epi64((const xmmi *)(m + 0)),\n _mm_loadl_epi64((const xmmi *)(m + 16)));\n T6 = _mm_unpacklo_epi64(_mm_loadl_epi64((const xmmi *)(m + 8)),\n _mm_loadl_epi64((const xmmi *)(m + 24)));\n M0 = _mm_and_si128(MMASK, T5);\n M1 = _mm_and_si128(MMASK, _mm_srli_epi64(T5, 26));\n T5 = _mm_or_si128(_mm_srli_epi64(T5, 52), _mm_slli_epi64(T6, 12));\n M2 = _mm_and_si128(MMASK, T5);\n M3 = _mm_and_si128(MMASK, _mm_srli_epi64(T5, 26));\n M4 = _mm_or_si128(_mm_srli_epi64(T6, 40), HIBIT);\n\n T0 = _mm_add_epi64(T0, M0);\n T1 = _mm_add_epi64(T1, M1);\n T2 = _mm_add_epi64(T2, M2);\n T3 = _mm_add_epi64(T3, M3);\n T4 = _mm_add_epi64(T4, M4);\n\n // reduce\n C1 = _mm_srli_epi64(T0, 26);\n C2 = _mm_srli_epi64(T3, 26);\n T0 = _mm_and_si128(T0, MMASK);\n T3 = _mm_and_si128(T3, MMASK);\n T1 = _mm_add_epi64(T1, C1);\n T4 = _mm_add_epi64(T4, C2);\n C1 = _mm_srli_epi64(T1, 26);\n C2 = _mm_srli_epi64(T4, 26);\n T1 = _mm_and_si128(T1, MMASK);\n T4 = _mm_and_si128(T4, MMASK);\n T2 = _mm_add_epi64(T2, C1);\n T0 = _mm_add_epi64(T0, _mm_mul_epu32(C2, FIVE));\n C1 = _mm_srli_epi64(T2, 26);\n C2 = _mm_srli_epi64(T0, 26);\n T2 = _mm_and_si128(T2, MMASK);\n T0 = _mm_and_si128(T0, MMASK);\n T3 = _mm_add_epi64(T3, C1);\n T1 = _mm_add_epi64(T1, C2);\n C1 = _mm_srli_epi64(T3, 26);\n T3 = _mm_and_si128(T3, MMASK);\n T4 = _mm_add_epi64(T4, C1);\n\n // H = (H*[r^2,r^2] + [Mx,My])\n H0 = T0;\n H1 = T1;\n H2 = T2;\n H3 = T3;\n H4 = T4;\n\n consumed = 32;\n }\n\n // finalize, H *= [r^2,r]\n r0 = ((uint64_t)p->R20.d[3] << 32) | (uint64_t)p->R20.d[1];\n r1 = ((uint64_t)p->R21.d[3] << 32) | (uint64_t)p->R21.d[1];\n r2 = ((uint64_t)p->R22.d[3] << 32) | (uint64_t)p->R22.d[1];\n\n p->R20.d[2] = (uint32_t)(r0) & 0x3ffffff;\n p->R21.d[2] = (uint32_t)((r0 >> 26) | (r1 << 18)) & 0x3ffffff;\n p->R22.d[2] = (uint32_t)((r1 >> 8)) & 0x3ffffff;\n p->R23.d[2] = (uint32_t)((r1 >> 34) | (r2 << 10)) & 0x3ffffff;\n p->R24.d[2] = (uint32_t)((r2 >> 16));\n p->S21.d[2] = p->R21.d[2] * 5;\n p->S22.d[2] = p->R22.d[2] * 5;\n p->S23.d[2] = p->R23.d[2] * 5;\n p->S24.d[2] = p->R24.d[2] * 5;\n\n // H *= [r^2,r]\n T0 = _mm_mul_epu32(H0, p->R20.v);\n T1 = _mm_mul_epu32(H0, p->R21.v);\n T2 = _mm_mul_epu32(H0, p->R22.v);\n T3 = _mm_mul_epu32(H0, p->R23.v);\n T4 = _mm_mul_epu32(H0, p->R24.v);\n T5 = _mm_mul_epu32(H1, p->S24.v);\n T6 = _mm_mul_epu32(H1, p->R20.v);\n T0 = _mm_add_epi64(T0, T5);\n T1 = _mm_add_epi64(T1, T6);\n T5 = _mm_mul_epu32(H2, p->S23.v);\n T6 = _mm_mul_epu32(H2, p->S24.v);\n T0 = _mm_add_epi64(T0, T5);\n T1 = _mm_add_epi64(T1, T6);\n T5 = _mm_mul_epu32(H3, p->S22.v);\n T6 = _mm_mul_epu32(H3, p->S23.v);\n T0 = _mm_add_epi64(T0, T5);\n T1 = _mm_add_epi64(T1, T6);\n T5 = _mm_mul_epu32(H4, p->S21.v);\n T6 = _mm_mul_epu32(H4, p->S22.v);\n T0 = _mm_add_epi64(T0, T5);\n T1 = _mm_add_epi64(T1, T6);\n T5 = _mm_mul_epu32(H1, p->R21.v);\n T6 = _mm_mul_epu32(H1, p->R22.v);\n T2 = _mm_add_epi64(T2, T5);\n T3 = _mm_add_epi64(T3, T6);\n T5 = _mm_mul_epu32(H2, p->R20.v);\n T6 = _mm_mul_epu32(H2, p->R21.v);\n T2 = _mm_add_epi64(T2, T5);\n T3 = _mm_add_epi64(T3, T6);\n T5 = _mm_mul_epu32(H3, p->S24.v);\n T6 = _mm_mul_epu32(H3, p->R20.v);\n T2 = _mm_add_epi64(T2, T5);\n T3 = _mm_add_epi64(T3, T6);\n T5 = _mm_mul_epu32(H4, p->S23.v);\n T6 = _mm_mul_epu32(H4, p->S24.v);\n T2 = _mm_add_epi64(T2, T5);\n T3 = _mm_add_epi64(T3, T6);\n T5 = _mm_mul_epu32(H1, p->R23.v);\n T4 = _mm_add_epi64(T4, T5);\n T5 = _mm_mul_epu32(H2, p->R22.v);\n T4 = _mm_add_epi64(T4, T5);\n T5 = _mm_mul_epu32(H3, p->R21.v);\n T4 = _mm_add_epi64(T4, T5);\n T5 = _mm_mul_epu32(H4, p->R20.v);\n T4 = _mm_add_epi64(T4, T5);\n\n C1 = _mm_srli_epi64(T0, 26);\n C2 = _mm_srli_epi64(T3, 26);\n T0 = _mm_and_si128(T0, MMASK);\n T3 = _mm_and_si128(T3, MMASK);\n T1 = _mm_add_epi64(T1, C1);\n T4 = _mm_add_epi64(T4, C2);\n C1 = _mm_srli_epi64(T1, 26);\n C2 = _mm_srli_epi64(T4, 26);\n T1 = _mm_and_si128(T1, MMASK);\n T4 = _mm_and_si128(T4, MMASK);\n T2 = _mm_add_epi64(T2, C1);\n T0 = _mm_add_epi64(T0, _mm_mul_epu32(C2, FIVE));\n C1 = _mm_srli_epi64(T2, 26);\n C2 = _mm_srli_epi64(T0, 26);\n T2 = _mm_and_si128(T2, MMASK);\n T0 = _mm_and_si128(T0, MMASK);\n T3 = _mm_add_epi64(T3, C1);\n T1 = _mm_add_epi64(T1, C2);\n C1 = _mm_srli_epi64(T3, 26);\n T3 = _mm_and_si128(T3, MMASK);\n T4 = _mm_add_epi64(T4, C1);\n\n // H = H[0]+H[1]\n H0 = _mm_add_epi64(T0, _mm_srli_si128(T0, 8));\n H1 = _mm_add_epi64(T1, _mm_srli_si128(T1, 8));\n H2 = _mm_add_epi64(T2, _mm_srli_si128(T2, 8));\n H3 = _mm_add_epi64(T3, _mm_srli_si128(T3, 8));\n H4 = _mm_add_epi64(T4, _mm_srli_si128(T4, 8));\n\n t0 = _mm_cvtsi128_si32(H0);\n c = (t0 >> 26);\n t0 &= 0x3ffffff;\n t1 = _mm_cvtsi128_si32(H1) + c;\n c = (t1 >> 26);\n t1 &= 0x3ffffff;\n t2 = _mm_cvtsi128_si32(H2) + c;\n c = (t2 >> 26);\n t2 &= 0x3ffffff;\n t3 = _mm_cvtsi128_si32(H3) + c;\n c = (t3 >> 26);\n t3 &= 0x3ffffff;\n t4 = _mm_cvtsi128_si32(H4) + c;\n c = (t4 >> 26);\n t4 &= 0x3ffffff;\n t0 = t0 + (c * 5);\n c = (t0 >> 26);\n t0 &= 0x3ffffff;\n t1 = t1 + c;\n\n st->HH[0] = ((t0) | (t1 << 26)) & UINT64_C(0xfffffffffff);\n st->HH[1] = ((t1 >> 18) | (t2 << 8) | (t3 << 34)) & UINT64_C(0xfffffffffff);\n st->HH[2] = ((t3 >> 10) | (t4 << 16)) & UINT64_C(0x3ffffffffff);\n\n return consumed;\n}\n\nvoid CRYPTO_poly1305_update(poly1305_state *state, const uint8_t *m,\n size_t bytes) {\n poly1305_state_internal *st = poly1305_aligned_state(state);\n size_t want;\n\n // Work around a C language bug. See https://crbug.com/1019588.\n if (bytes == 0) {\n return;\n }\n\n // need at least 32 initial bytes to start the accelerated branch\n if (!st->started) {\n if ((st->leftover == 0) && (bytes > 32)) {\n poly1305_first_block(st, m);\n m += 32;\n bytes -= 32;\n } else {\n want = poly1305_min(32 - st->leftover, bytes);\n OPENSSL_memcpy(st->buffer + st->leftover, m, want);\n bytes -= want;\n m += want;\n st->leftover += want;\n if ((st->leftover < 32) || (bytes == 0)) {\n return;\n }\n poly1305_first_block(st, st->buffer);\n st->leftover = 0;\n }\n st->started = 1;\n }\n\n // handle leftover\n if (st->leftover) {\n want = poly1305_min(64 - st->leftover, bytes);\n OPENSSL_memcpy(st->buffer + st->leftover, m, want);\n bytes -= want;\n m += want;\n st->leftover += want;\n if (st->leftover < 64) {\n return;\n }\n poly1305_blocks(st, st->buffer, 64);\n st->leftover = 0;\n }\n\n // process 64 byte blocks\n if (bytes >= 64) {\n want = (bytes & ~63);\n poly1305_blocks(st, m, want);\n m += want;\n bytes -= want;\n }\n\n if (bytes) {\n OPENSSL_memcpy(st->buffer + st->leftover, m, bytes);\n st->leftover += bytes;\n }\n}\n\nvoid CRYPTO_poly1305_finish(poly1305_state *state, uint8_t mac[16]) {\n poly1305_state_internal *st = poly1305_aligned_state(state);\n size_t leftover = st->leftover;\n uint8_t *m = st->buffer;\n uint128_t d[3];\n uint64_t h0, h1, h2;\n uint64_t t0, t1;\n uint64_t g0, g1, g2, c, nc;\n uint64_t r0, r1, r2, s1, s2;\n poly1305_power *p;\n\n if (st->started) {\n size_t consumed = poly1305_combine(st, m, leftover);\n leftover -= consumed;\n m += consumed;\n }\n\n // st->HH will either be 0 or have the combined result\n h0 = st->HH[0];\n h1 = st->HH[1];\n h2 = st->HH[2];\n\n p = &st->P[1];\n r0 = ((uint64_t)p->R20.d[3] << 32) | (uint64_t)p->R20.d[1];\n r1 = ((uint64_t)p->R21.d[3] << 32) | (uint64_t)p->R21.d[1];\n r2 = ((uint64_t)p->R22.d[3] << 32) | (uint64_t)p->R22.d[1];\n s1 = r1 * (5 << 2);\n s2 = r2 * (5 << 2);\n\n if (leftover < 16) {\n goto poly1305_donna_atmost15bytes;\n }\n\npoly1305_donna_atleast16bytes:\n t0 = CRYPTO_load_u64_le(m + 0);\n t1 = CRYPTO_load_u64_le(m + 8);\n h0 += t0 & 0xfffffffffff;\n t0 = shr128_pair(t1, t0, 44);\n h1 += t0 & 0xfffffffffff;\n h2 += (t1 >> 24) | ((uint64_t)1 << 40);\n\npoly1305_donna_mul:\n d[0] = add128(add128(mul64x64_128(h0, r0), mul64x64_128(h1, s2)),\n mul64x64_128(h2, s1));\n d[1] = add128(add128(mul64x64_128(h0, r1), mul64x64_128(h1, r0)),\n mul64x64_128(h2, s2));\n d[2] = add128(add128(mul64x64_128(h0, r2), mul64x64_128(h1, r1)),\n mul64x64_128(h2, r0));\n h0 = lo128(d[0]) & 0xfffffffffff;\n c = shr128(d[0], 44);\n d[1] = add128_64(d[1], c);\n h1 = lo128(d[1]) & 0xfffffffffff;\n c = shr128(d[1], 44);\n d[2] = add128_64(d[2], c);\n h2 = lo128(d[2]) & 0x3ffffffffff;\n c = shr128(d[2], 42);\n h0 += c * 5;\n\n m += 16;\n leftover -= 16;\n if (leftover >= 16) {\n goto poly1305_donna_atleast16bytes;\n }\n\n// final bytes\npoly1305_donna_atmost15bytes:\n if (!leftover) {\n goto poly1305_donna_finish;\n }\n\n m[leftover++] = 1;\n OPENSSL_memset(m + leftover, 0, 16 - leftover);\n leftover = 16;\n\n t0 = CRYPTO_load_u64_le(m + 0);\n t1 = CRYPTO_load_u64_le(m + 8);\n h0 += t0 & 0xfffffffffff;\n t0 = shr128_pair(t1, t0, 44);\n h1 += t0 & 0xfffffffffff;\n h2 += (t1 >> 24);\n\n goto poly1305_donna_mul;\n\npoly1305_donna_finish:\n c = (h0 >> 44);\n h0 &= 0xfffffffffff;\n h1 += c;\n c = (h1 >> 44);\n h1 &= 0xfffffffffff;\n h2 += c;\n c = (h2 >> 42);\n h2 &= 0x3ffffffffff;\n h0 += c * 5;\n\n g0 = h0 + 5;\n c = (g0 >> 44);\n g0 &= 0xfffffffffff;\n g1 = h1 + c;\n c = (g1 >> 44);\n g1 &= 0xfffffffffff;\n g2 = h2 + c - ((uint64_t)1 << 42);\n\n c = (g2 >> 63) - 1;\n nc = ~c;\n h0 = (h0 & nc) | (g0 & c);\n h1 = (h1 & nc) | (g1 & c);\n h2 = (h2 & nc) | (g2 & c);\n\n // pad\n t0 = ((uint64_t)p->R23.d[3] << 32) | (uint64_t)p->R23.d[1];\n t1 = ((uint64_t)p->R24.d[3] << 32) | (uint64_t)p->R24.d[1];\n h0 += (t0 & 0xfffffffffff);\n c = (h0 >> 44);\n h0 &= 0xfffffffffff;\n t0 = shr128_pair(t1, t0, 44);\n h1 += (t0 & 0xfffffffffff) + c;\n c = (h1 >> 44);\n h1 &= 0xfffffffffff;\n t1 = (t1 >> 24);\n h2 += (t1) + c;\n\n CRYPTO_store_u64_le(mac + 0, ((h0) | (h1 << 44)));\n CRYPTO_store_u64_le(mac + 8, ((h1 >> 20) | (h2 << 24)));\n}\n\n#endif // BORINGSSL_HAS_UINT128 && OPENSSL_X86_64\n" }, { "path": "Sources/CNIOBoringSSL/crypto/pool/internal.h", "content": "/* Copyright 2016 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n#ifndef OPENSSL_HEADER_POOL_INTERNAL_H\n#define OPENSSL_HEADER_POOL_INTERNAL_H\n\n#include \n#include \n\n#include \"../internal.h\"\n#include \"../lhash/internal.h\"\n\n\n#if defined(__cplusplus)\nextern \"C\" {\n#endif\n\n\nDEFINE_LHASH_OF(CRYPTO_BUFFER)\n\nstruct crypto_buffer_st {\n CRYPTO_BUFFER_POOL *pool;\n uint8_t *data;\n size_t len;\n CRYPTO_refcount_t references;\n int data_is_static;\n};\n\nstruct crypto_buffer_pool_st {\n LHASH_OF(CRYPTO_BUFFER) *bufs;\n CRYPTO_MUTEX lock;\n const uint64_t hash_key[2];\n};\n\n\n#if defined(__cplusplus)\n} // extern C\n#endif\n\n#endif // OPENSSL_HEADER_POOL_INTERNAL_H\n" }, { "path": "Sources/CNIOBoringSSL/crypto/pool/pool.cc", "content": "/* Copyright 2016 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n#include \n\n#include \n#include \n\n#include \n#include \n#include \n#include \n#include \n\n#include \"../internal.h\"\n#include \"internal.h\"\n\n\nstatic uint32_t CRYPTO_BUFFER_hash(const CRYPTO_BUFFER *buf) {\n return (uint32_t)SIPHASH_24(buf->pool->hash_key, buf->data, buf->len);\n}\n\nstatic int CRYPTO_BUFFER_cmp(const CRYPTO_BUFFER *a, const CRYPTO_BUFFER *b) {\n // Only |CRYPTO_BUFFER|s from the same pool have compatible hashes.\n assert(a->pool != NULL);\n assert(a->pool == b->pool);\n if (a->len != b->len) {\n return 1;\n }\n return OPENSSL_memcmp(a->data, b->data, a->len);\n}\n\nCRYPTO_BUFFER_POOL *CRYPTO_BUFFER_POOL_new(void) {\n CRYPTO_BUFFER_POOL *pool = reinterpret_cast(\n OPENSSL_zalloc(sizeof(CRYPTO_BUFFER_POOL)));\n if (pool == NULL) {\n return NULL;\n }\n\n pool->bufs = lh_CRYPTO_BUFFER_new(CRYPTO_BUFFER_hash, CRYPTO_BUFFER_cmp);\n if (pool->bufs == NULL) {\n OPENSSL_free(pool);\n return NULL;\n }\n\n CRYPTO_MUTEX_init(&pool->lock);\n RAND_bytes((uint8_t *)&pool->hash_key, sizeof(pool->hash_key));\n\n return pool;\n}\n\nvoid CRYPTO_BUFFER_POOL_free(CRYPTO_BUFFER_POOL *pool) {\n if (pool == NULL) {\n return;\n }\n\n#if !defined(NDEBUG)\n CRYPTO_MUTEX_lock_write(&pool->lock);\n assert(lh_CRYPTO_BUFFER_num_items(pool->bufs) == 0);\n CRYPTO_MUTEX_unlock_write(&pool->lock);\n#endif\n\n lh_CRYPTO_BUFFER_free(pool->bufs);\n CRYPTO_MUTEX_cleanup(&pool->lock);\n OPENSSL_free(pool);\n}\n\nstatic void crypto_buffer_free_object(CRYPTO_BUFFER *buf) {\n if (!buf->data_is_static) {\n OPENSSL_free(buf->data);\n }\n OPENSSL_free(buf);\n}\n\nstatic CRYPTO_BUFFER *crypto_buffer_new(const uint8_t *data, size_t len,\n int data_is_static,\n CRYPTO_BUFFER_POOL *pool) {\n if (pool != NULL) {\n CRYPTO_BUFFER tmp;\n tmp.data = (uint8_t *)data;\n tmp.len = len;\n tmp.pool = pool;\n\n CRYPTO_MUTEX_lock_read(&pool->lock);\n CRYPTO_BUFFER *duplicate = lh_CRYPTO_BUFFER_retrieve(pool->bufs, &tmp);\n if (data_is_static && duplicate != NULL && !duplicate->data_is_static) {\n // If the new |CRYPTO_BUFFER| would have static data, but the duplicate\n // does not, we replace the old one with the new static version.\n duplicate = NULL;\n }\n if (duplicate != NULL) {\n CRYPTO_refcount_inc(&duplicate->references);\n }\n CRYPTO_MUTEX_unlock_read(&pool->lock);\n\n if (duplicate != NULL) {\n return duplicate;\n }\n }\n\n CRYPTO_BUFFER *const buf =\n reinterpret_cast(OPENSSL_zalloc(sizeof(CRYPTO_BUFFER)));\n if (buf == NULL) {\n return NULL;\n }\n\n if (data_is_static) {\n buf->data = (uint8_t *)data;\n buf->data_is_static = 1;\n } else {\n buf->data = reinterpret_cast(OPENSSL_memdup(data, len));\n if (len != 0 && buf->data == NULL) {\n OPENSSL_free(buf);\n return NULL;\n }\n }\n\n buf->len = len;\n buf->references = 1;\n\n if (pool == NULL) {\n return buf;\n }\n\n buf->pool = pool;\n\n CRYPTO_MUTEX_lock_write(&pool->lock);\n CRYPTO_BUFFER *duplicate = lh_CRYPTO_BUFFER_retrieve(pool->bufs, buf);\n if (data_is_static && duplicate != NULL && !duplicate->data_is_static) {\n // If the new |CRYPTO_BUFFER| would have static data, but the duplicate does\n // not, we replace the old one with the new static version.\n duplicate = NULL;\n }\n int inserted = 0;\n if (duplicate == NULL) {\n CRYPTO_BUFFER *old = NULL;\n inserted = lh_CRYPTO_BUFFER_insert(pool->bufs, &old, buf);\n // |old| may be non-NULL if a match was found but ignored. |pool->bufs| does\n // not increment refcounts, so there is no need to clean up after the\n // replacement.\n } else {\n CRYPTO_refcount_inc(&duplicate->references);\n }\n CRYPTO_MUTEX_unlock_write(&pool->lock);\n\n if (!inserted) {\n // We raced to insert |buf| into the pool and lost, or else there was an\n // error inserting.\n crypto_buffer_free_object(buf);\n return duplicate;\n }\n\n return buf;\n}\n\nCRYPTO_BUFFER *CRYPTO_BUFFER_new(const uint8_t *data, size_t len,\n CRYPTO_BUFFER_POOL *pool) {\n return crypto_buffer_new(data, len, /*data_is_static=*/0, pool);\n}\n\nCRYPTO_BUFFER *CRYPTO_BUFFER_alloc(uint8_t **out_data, size_t len) {\n CRYPTO_BUFFER *const buf =\n reinterpret_cast(OPENSSL_zalloc(sizeof(CRYPTO_BUFFER)));\n if (buf == NULL) {\n return NULL;\n }\n\n buf->data = reinterpret_cast(OPENSSL_malloc(len));\n if (len != 0 && buf->data == NULL) {\n OPENSSL_free(buf);\n return NULL;\n }\n buf->len = len;\n buf->references = 1;\n\n *out_data = buf->data;\n return buf;\n}\n\nCRYPTO_BUFFER *CRYPTO_BUFFER_new_from_CBS(const CBS *cbs,\n CRYPTO_BUFFER_POOL *pool) {\n return CRYPTO_BUFFER_new(CBS_data(cbs), CBS_len(cbs), pool);\n}\n\nCRYPTO_BUFFER *CRYPTO_BUFFER_new_from_static_data_unsafe(\n const uint8_t *data, size_t len, CRYPTO_BUFFER_POOL *pool) {\n return crypto_buffer_new(data, len, /*data_is_static=*/1, pool);\n}\n\nvoid CRYPTO_BUFFER_free(CRYPTO_BUFFER *buf) {\n if (buf == NULL) {\n return;\n }\n\n CRYPTO_BUFFER_POOL *const pool = buf->pool;\n if (pool == NULL) {\n if (CRYPTO_refcount_dec_and_test_zero(&buf->references)) {\n // If a reference count of zero is observed, there cannot be a reference\n // from any pool to this buffer and thus we are able to free this\n // buffer.\n crypto_buffer_free_object(buf);\n }\n\n return;\n }\n\n CRYPTO_MUTEX_lock_write(&pool->lock);\n if (!CRYPTO_refcount_dec_and_test_zero(&buf->references)) {\n CRYPTO_MUTEX_unlock_write(&buf->pool->lock);\n return;\n }\n\n // We have an exclusive lock on the pool, therefore no concurrent lookups can\n // find this buffer and increment the reference count. Thus, if the count is\n // zero there are and can never be any more references and thus we can free\n // this buffer.\n //\n // Note it is possible |buf| is no longer in the pool, if it was replaced by a\n // static version. If that static version was since removed, it is even\n // possible for |found| to be NULL.\n CRYPTO_BUFFER *found = lh_CRYPTO_BUFFER_retrieve(pool->bufs, buf);\n if (found == buf) {\n found = lh_CRYPTO_BUFFER_delete(pool->bufs, buf);\n assert(found == buf);\n (void)found;\n }\n\n CRYPTO_MUTEX_unlock_write(&buf->pool->lock);\n crypto_buffer_free_object(buf);\n}\n\nint CRYPTO_BUFFER_up_ref(CRYPTO_BUFFER *buf) {\n // This is safe in the case that |buf->pool| is NULL because it's just\n // standard reference counting in that case.\n //\n // This is also safe if |buf->pool| is non-NULL because, if it were racing\n // with |CRYPTO_BUFFER_free| then the two callers must have independent\n // references already and so the reference count will never hit zero.\n CRYPTO_refcount_inc(&buf->references);\n return 1;\n}\n\nconst uint8_t *CRYPTO_BUFFER_data(const CRYPTO_BUFFER *buf) {\n return buf->data;\n}\n\nsize_t CRYPTO_BUFFER_len(const CRYPTO_BUFFER *buf) { return buf->len; }\n\nvoid CRYPTO_BUFFER_init_CBS(const CRYPTO_BUFFER *buf, CBS *out) {\n CBS_init(out, buf->data, buf->len);\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/rand/deterministic.cc", "content": "/* Copyright 2016 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n#include \n\n#include \"../bcm_support.h\"\n#include \"sysrand_internal.h\"\n\n#if defined(OPENSSL_RAND_DETERMINISTIC)\n\n#include \n\n#include \n\n#include \"../internal.h\"\n\n\n// g_num_calls is the number of calls to |CRYPTO_sysrand| that have occurred.\n//\n// This is intentionally not thread-safe. If the fuzzer mode is ever used in a\n// multi-threaded program, replace this with a thread-local. (A mutex would not\n// be deterministic.)\nstatic uint64_t g_num_calls = 0;\nstatic CRYPTO_MUTEX g_num_calls_lock = CRYPTO_MUTEX_INIT;\n\nvoid RAND_reset_for_fuzzing(void) { g_num_calls = 0; }\n\nvoid CRYPTO_init_sysrand(void) {}\n\nvoid CRYPTO_sysrand(uint8_t *out, size_t requested) {\n static const uint8_t kZeroKey[32] = {0};\n\n CRYPTO_MUTEX_lock_write(&g_num_calls_lock);\n uint64_t num_calls = g_num_calls++;\n CRYPTO_MUTEX_unlock_write(&g_num_calls_lock);\n\n uint8_t nonce[12];\n OPENSSL_memset(nonce, 0, sizeof(nonce));\n OPENSSL_memcpy(nonce, &num_calls, sizeof(num_calls));\n\n OPENSSL_memset(out, 0, requested);\n CRYPTO_chacha_20(out, out, requested, kZeroKey, nonce, 0);\n}\n\nint CRYPTO_sysrand_if_available(uint8_t *buf, size_t len) {\n CRYPTO_sysrand(buf, len);\n return 1;\n}\n\nvoid CRYPTO_sysrand_for_seed(uint8_t *out, size_t requested) {\n CRYPTO_sysrand(out, requested);\n}\n\n#endif // OPENSSL_RAND_DETERMINISTIC\n" }, { "path": "Sources/CNIOBoringSSL/crypto/rand/fork_detect.cc", "content": "/* Copyright 2020 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n#if !defined(_GNU_SOURCE)\n#define _GNU_SOURCE // needed for madvise() and MAP_ANONYMOUS on Linux.\n#endif\n\n#include \"../bcm_support.h\"\n\n#if defined(OPENSSL_FORK_DETECTION_MADVISE)\n#include \n#include \n#include \n#include \n#if defined(MADV_WIPEONFORK)\nstatic_assert(MADV_WIPEONFORK == 18, \"MADV_WIPEONFORK is not 18\");\n#else\n#define MADV_WIPEONFORK 18\n#endif\n#elif defined(OPENSSL_FORK_DETECTION_PTHREAD_ATFORK)\n#include \n#include \n#include \n#endif // OPENSSL_FORK_DETECTION_PTHREAD_ATFORK\n\n#include \"../internal.h\"\n\n#if defined(OPENSSL_FORK_DETECTION_MADVISE)\nstatic int g_force_madv_wipeonfork;\nstatic int g_force_madv_wipeonfork_enabled;\nstatic CRYPTO_once_t g_fork_detect_once = CRYPTO_ONCE_INIT;\nstatic CRYPTO_MUTEX g_fork_detect_lock = CRYPTO_MUTEX_INIT;\nstatic CRYPTO_atomic_u32 *g_fork_detect_addr;\nstatic uint64_t g_fork_generation;\n\nstatic void init_fork_detect(void) {\n if (g_force_madv_wipeonfork) {\n return;\n }\n\n long page_size = sysconf(_SC_PAGESIZE);\n if (page_size <= 0) {\n return;\n }\n\n void *addr = mmap(NULL, (size_t)page_size, PROT_READ | PROT_WRITE,\n MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);\n if (addr == MAP_FAILED) {\n return;\n }\n\n // Some versions of qemu (up to at least 5.0.0-rc4, see linux-user/syscall.c)\n // ignore |madvise| calls and just return zero (i.e. success). But we need to\n // know whether MADV_WIPEONFORK actually took effect. Therefore try an invalid\n // call to check that the implementation of |madvise| is actually rejecting\n // unknown |advice| values.\n if (madvise(addr, (size_t)page_size, -1) == 0 ||\n madvise(addr, (size_t)page_size, MADV_WIPEONFORK) != 0) {\n munmap(addr, (size_t)page_size);\n return;\n }\n\n CRYPTO_atomic_u32 *const atomic = reinterpret_cast(addr);\n CRYPTO_atomic_store_u32(atomic, 1);\n g_fork_detect_addr = atomic;\n g_fork_generation = 1;\n}\n\nuint64_t CRYPTO_get_fork_generation(void) {\n CRYPTO_once(&g_fork_detect_once, init_fork_detect);\n\n // In a single-threaded process, there are obviously no races because there's\n // only a single mutator in the address space.\n //\n // In a multi-threaded environment, |CRYPTO_once| ensures that the flag byte\n // is initialised atomically, even if multiple threads enter this function\n // concurrently.\n //\n // Additionally, while the kernel will only clear WIPEONFORK at a point when a\n // child process is single-threaded, the child may become multi-threaded\n // before it observes this. Therefore, we must synchronize the logic below.\n\n CRYPTO_atomic_u32 *const flag_ptr = g_fork_detect_addr;\n if (flag_ptr == NULL) {\n // Our kernel is too old to support |MADV_WIPEONFORK| or\n // |g_force_madv_wipeonfork| is set.\n if (g_force_madv_wipeonfork && g_force_madv_wipeonfork_enabled) {\n // A constant generation number to simulate support, even if the kernel\n // doesn't support it.\n return 42;\n }\n // With Linux and clone(), we do not believe that pthread_atfork() is\n // sufficient for detecting all forms of address space duplication. At this\n // point we have a kernel that does not support MADV_WIPEONFORK. We could\n // return the generation number from pthread_atfork() here and it would\n // probably be safe in almost any situation, but to ensure safety we return\n // 0 and force an entropy draw on every call.\n return 0;\n }\n\n // In the common case, try to observe the flag without taking a lock. This\n // avoids cacheline contention in the PRNG.\n uint64_t *const generation_ptr = &g_fork_generation;\n if (CRYPTO_atomic_load_u32(flag_ptr) != 0) {\n // If we observe a non-zero flag, it is safe to read |generation_ptr|\n // without a lock. The flag and generation number are fixed for this copy of\n // the address space.\n return *generation_ptr;\n }\n\n // The flag was zero. The generation number must be incremented, but other\n // threads may have concurrently observed the zero, so take a lock before\n // incrementing.\n CRYPTO_MUTEX *const lock = &g_fork_detect_lock;\n CRYPTO_MUTEX_lock_write(lock);\n uint64_t current_generation = *generation_ptr;\n if (CRYPTO_atomic_load_u32(flag_ptr) == 0) {\n // A fork has occurred.\n current_generation++;\n if (current_generation == 0) {\n // Zero means fork detection isn't supported, so skip that value.\n current_generation = 1;\n }\n\n // We must update |generation_ptr| before |flag_ptr|. Other threads may\n // observe |flag_ptr| without taking a lock.\n *generation_ptr = current_generation;\n CRYPTO_atomic_store_u32(flag_ptr, 1);\n }\n CRYPTO_MUTEX_unlock_write(lock);\n\n return current_generation;\n}\n\nvoid CRYPTO_fork_detect_force_madv_wipeonfork_for_testing(int on) {\n g_force_madv_wipeonfork = 1;\n g_force_madv_wipeonfork_enabled = on;\n}\n\n#elif defined(OPENSSL_FORK_DETECTION_PTHREAD_ATFORK)\n\nstatic CRYPTO_once_t g_pthread_fork_detection_once = CRYPTO_ONCE_INIT;\nstatic uint64_t g_atfork_fork_generation;\n\nstatic void we_are_forked(void) {\n // Immediately after a fork, the process must be single-threaded.\n uint64_t value = g_atfork_fork_generation + 1;\n if (value == 0) {\n value = 1;\n }\n g_atfork_fork_generation = value;\n}\n\nstatic void init_pthread_fork_detection(void) {\n if (pthread_atfork(NULL, NULL, we_are_forked) != 0) {\n abort();\n }\n g_atfork_fork_generation = 1;\n}\n\nuint64_t CRYPTO_get_fork_generation(void) {\n CRYPTO_once(&g_pthread_fork_detection_once, init_pthread_fork_detection);\n\n return g_atfork_fork_generation;\n}\n\n#elif defined(OPENSSL_DOES_NOT_FORK)\n\n// These platforms are guaranteed not to fork, and therefore do not require\n// fork detection support. Returning a constant non zero value makes BoringSSL\n// assume address space duplication is not a concern and adding entropy to\n// every RAND_bytes call is not needed.\nuint64_t CRYPTO_get_fork_generation(void) { return 0xc0ffee; }\n\n#else\n\n// These platforms may fork, but we do not have a mitigation mechanism in\n// place. Returning a constant zero value makes BoringSSL assume that address\n// space duplication could have occured on any call entropy must be added to\n// every RAND_bytes call.\nuint64_t CRYPTO_get_fork_generation(void) { return 0; }\n\n#endif\n" }, { "path": "Sources/CNIOBoringSSL/crypto/rand/forkunsafe.cc", "content": "/* Copyright 2017 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n#include \n\n#include \n\n#include \"../fipsmodule/rand/internal.h\"\n#include \"../internal.h\"\n\n\n// g_buffering_enabled is one if fork-unsafe buffering has been enabled and zero\n// otherwise.\nstatic CRYPTO_atomic_u32 g_buffering_enabled;\n\n#if !defined(OPENSSL_WINDOWS)\nvoid RAND_enable_fork_unsafe_buffering(int fd) {\n // We no longer support setting the file-descriptor with this function.\n if (fd != -1) {\n abort();\n }\n\n CRYPTO_atomic_store_u32(&g_buffering_enabled, 1);\n}\n\nvoid RAND_disable_fork_unsafe_buffering(void) {\n CRYPTO_atomic_store_u32(&g_buffering_enabled, 0);\n}\n#endif\n\nint rand_fork_unsafe_buffering_enabled(void) {\n return CRYPTO_atomic_load_u32(&g_buffering_enabled) != 0;\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/rand/getentropy.cc", "content": "/* Copyright 2023 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n#if !defined(_DEFAULT_SOURCE)\n#define _DEFAULT_SOURCE // Needed for getentropy on musl and glibc\n#endif\n\n#include \n\n#include \"../bcm_support.h\"\n#include \"sysrand_internal.h\"\n\n#if defined(OPENSSL_RAND_GETENTROPY)\n\n#include \n#include \n#include \n\n#if defined(OPENSSL_MACOS) || defined(OPENSSL_FUCHSIA)\n#include \n#endif\n\nvoid CRYPTO_init_sysrand(void) {}\n\n// CRYPTO_sysrand puts |requested| random bytes into |out|.\nvoid CRYPTO_sysrand(uint8_t *out, size_t requested) {\n while (requested > 0) {\n // |getentropy| can only request 256 bytes at a time.\n size_t todo = requested <= 256 ? requested : 256;\n if (getentropy(out, todo) != 0) {\n perror(\"getentropy() failed\");\n abort();\n }\n\n out += todo;\n requested -= todo;\n }\n}\n\nint CRYPTO_sysrand_if_available(uint8_t *buf, size_t len) {\n CRYPTO_sysrand(buf, len);\n return 1;\n}\n\nvoid CRYPTO_sysrand_for_seed(uint8_t *out, size_t requested) {\n CRYPTO_sysrand(out, requested);\n}\n\n#endif // OPENSSL_RAND_GETENTROPY\n" }, { "path": "Sources/CNIOBoringSSL/crypto/rand/getrandom_fillin.h", "content": "/* Copyright 2020 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n#ifndef OPENSSL_HEADER_CRYPTO_RAND_GETRANDOM_FILLIN_H\n#define OPENSSL_HEADER_CRYPTO_RAND_GETRANDOM_FILLIN_H\n\n#include \n\n\n#if defined(OPENSSL_LINUX)\n\n#include \n\n#if defined(OPENSSL_X86_64)\n#define EXPECTED_NR_getrandom 318\n#elif defined(OPENSSL_X86)\n#define EXPECTED_NR_getrandom 355\n#elif defined(OPENSSL_AARCH64)\n#define EXPECTED_NR_getrandom 278\n#elif defined(OPENSSL_ARM)\n#define EXPECTED_NR_getrandom 384\n#elif defined(OPENSSL_RISCV64)\n#define EXPECTED_NR_getrandom 278\n#endif\n\n#if defined(EXPECTED_NR_getrandom)\n#define USE_NR_getrandom\n\n#if defined(__NR_getrandom)\n\n#if __NR_getrandom != EXPECTED_NR_getrandom\n#error \"system call number for getrandom is not the expected value\"\n#endif\n\n#else // __NR_getrandom\n\n#define __NR_getrandom EXPECTED_NR_getrandom\n\n#endif // __NR_getrandom\n\n#endif // EXPECTED_NR_getrandom\n\n#if !defined(GRND_NONBLOCK)\n#define GRND_NONBLOCK 1\n#endif\n#if !defined(GRND_RANDOM)\n#define GRND_RANDOM 2\n#endif\n\n#endif // OPENSSL_LINUX\n\n\n#endif // OPENSSL_HEADER_CRYPTO_RAND_GETRANDOM_FILLIN_H\n" }, { "path": "Sources/CNIOBoringSSL/crypto/rand/ios.cc", "content": "/* Copyright 2023 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n#include \n\n#include \"../bcm_support.h\"\n#include \"sysrand_internal.h\"\n\n#if defined(OPENSSL_RAND_IOS)\n#include \n\n#include \n\nvoid CRYPTO_init_sysrand(void) {}\n\nvoid CRYPTO_sysrand(uint8_t *out, size_t requested) {\n if (CCRandomGenerateBytes(out, requested) != kCCSuccess) {\n abort();\n }\n}\n\nint CRYPTO_sysrand_if_available(uint8_t *buf, size_t len) {\n CRYPTO_sysrand(buf, len);\n return 1;\n}\n\nvoid CRYPTO_sysrand_for_seed(uint8_t *out, size_t requested) {\n CRYPTO_sysrand(out, requested);\n}\n\n#endif // OPENSSL_RAND_IOS\n" }, { "path": "Sources/CNIOBoringSSL/crypto/rand/passive.cc", "content": "/* Copyright 2020 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n#include \n\n#include \"../bcm_support.h\"\n#include \"../fipsmodule/bcm_interface.h\"\n#include \"../internal.h\"\n\n#if defined(BORINGSSL_FIPS)\n\n#include \n\n// passive_get_seed_entropy writes |out_entropy_len| bytes of entropy, suitable\n// for seeding a DRBG, to |out_entropy|. It sets |*out_used_cpu| to one if the\n// entropy came directly from the CPU and zero if it came from the OS. It\n// actively obtains entropy from the CPU/OS\nstatic void passive_get_seed_entropy(uint8_t *out_entropy,\n size_t out_entropy_len,\n int *out_want_additional_input) {\n *out_want_additional_input = 0;\n if (bcm_success(BCM_rand_bytes_hwrng(out_entropy, out_entropy_len))) {\n *out_want_additional_input = 1;\n } else {\n CRYPTO_sysrand_for_seed(out_entropy, out_entropy_len);\n }\n}\n\n#define ENTROPY_READ_LEN \\\n (/* last_block size */ 16 + CTR_DRBG_ENTROPY_LEN * BORINGSSL_FIPS_OVERREAD)\n\n#if defined(OPENSSL_ANDROID)\n\n#include \n#include \n#include \n#include \n#include \n\n// socket_history_t enumerates whether the entropy daemon should be contacted\n// for a given entropy request. Values other than socket_not_yet_attempted are\n// sticky so if the first attempt to read from the daemon fails it's assumed\n// that the daemon is not present and no more attempts will be made. If the\n// first attempt is successful then attempts will be made forever more.\nenum class socket_history_t {\n // initial value, no connections to the entropy daemon have been made yet.\n socket_not_yet_attempted = 0,\n // reading from the entropy daemon was successful\n socket_success,\n // reading from the entropy daemon failed.\n socket_failed,\n};\n\nstatic std::atomic g_socket_history{\n socket_history_t::socket_not_yet_attempted};\n\n// DAEMON_RESPONSE_LEN is the number of bytes that the entropy daemon replies\n// with.\n#define DAEMON_RESPONSE_LEN 496\n\nstatic_assert(ENTROPY_READ_LEN == DAEMON_RESPONSE_LEN,\n \"entropy daemon response length mismatch\");\n\nstatic int get_seed_from_daemon(uint8_t *out_entropy, size_t out_entropy_len) {\n // |RAND_need_entropy| should never call this function for more than\n // |DAEMON_RESPONSE_LEN| bytes.\n if (out_entropy_len > DAEMON_RESPONSE_LEN) {\n abort();\n }\n\n const socket_history_t socket_history =\n g_socket_history.load(std::memory_order_acquire);\n if (socket_history == socket_history_t::socket_failed) {\n return 0;\n }\n\n int ret = 0;\n static const char kSocketPath[] = \"/dev/socket/prng_seeder\";\n struct sockaddr_un sun;\n uint8_t buffer[DAEMON_RESPONSE_LEN];\n size_t done = 0;\n const int sock = socket(AF_UNIX, SOCK_STREAM, 0);\n if (sock < 0) {\n goto out;\n }\n\n memset(&sun, 0, sizeof(sun));\n sun.sun_family = AF_UNIX;\n static_assert(sizeof(kSocketPath) <= UNIX_PATH_MAX, \"kSocketPath too long\");\n OPENSSL_memcpy(sun.sun_path, kSocketPath, sizeof(kSocketPath));\n\n if (connect(sock, (struct sockaddr *)&sun, sizeof(sun))) {\n goto out;\n }\n\n while (done < sizeof(buffer)) {\n ssize_t n;\n do {\n n = read(sock, buffer + done, sizeof(buffer) - done);\n } while (n == -1 && errno == EINTR);\n\n if (n < 1) {\n goto out;\n }\n done += n;\n }\n\n if (done != DAEMON_RESPONSE_LEN) {\n // The daemon should always write |DAEMON_RESPONSE_LEN| bytes on every\n // connection.\n goto out;\n }\n\n assert(out_entropy_len <= DAEMON_RESPONSE_LEN);\n OPENSSL_memcpy(out_entropy, buffer, out_entropy_len);\n ret = 1;\n\nout:\n if (socket_history == socket_history_t::socket_not_yet_attempted) {\n socket_history_t expected = socket_history_t::socket_not_yet_attempted;\n // If another thread has already updated |g_socket_history| then we defer\n // to their value.\n g_socket_history.compare_exchange_strong(\n expected,\n (ret == 0) ? socket_history_t::socket_failed\n : socket_history_t::socket_success,\n std::memory_order_release, std::memory_order_relaxed);\n }\n\n close(sock);\n return ret;\n}\n\n#else\n\nstatic int get_seed_from_daemon(uint8_t *out_entropy, size_t out_entropy_len) {\n return 0;\n}\n\n#endif // OPENSSL_ANDROID\n\n// RAND_need_entropy is called by the FIPS module when it has blocked because of\n// a lack of entropy. This signal is used as an indication to feed it more.\nvoid RAND_need_entropy(size_t bytes_needed) {\n uint8_t buf[ENTROPY_READ_LEN];\n size_t todo = sizeof(buf);\n if (todo > bytes_needed) {\n todo = bytes_needed;\n }\n\n int want_additional_input;\n if (get_seed_from_daemon(buf, todo)) {\n want_additional_input = 1;\n } else {\n passive_get_seed_entropy(buf, todo, &want_additional_input);\n }\n\n if (boringssl_fips_break_test(\"CRNG\")) {\n // This breaks the \"continuous random number generator test\" defined in FIPS\n // 140-2, section 4.9.2, and implemented in |rand_get_seed|.\n OPENSSL_memset(buf, 0, todo);\n }\n\n BCM_rand_load_entropy(buf, todo, want_additional_input);\n}\n\n#endif // FIPS\n" }, { "path": "Sources/CNIOBoringSSL/crypto/rand/rand.cc", "content": "/* Copyright 2017 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n#include \n\n#include \n\n#include \"../bcm_support.h\"\n#include \"../fipsmodule/bcm_interface.h\"\n\n\nint RAND_bytes(uint8_t *buf, size_t len) {\n BCM_rand_bytes(buf, len);\n return 1;\n}\n\nint RAND_pseudo_bytes(uint8_t *buf, size_t len) { return RAND_bytes(buf, len); }\n\nvoid RAND_seed(const void *buf, int num) {\n // OpenSSH calls |RAND_seed| before jailing on the assumption that any needed\n // file descriptors etc will be opened.\n uint8_t unused;\n RAND_bytes(&unused, sizeof(unused));\n}\n\nint RAND_load_file(const char *path, long num) {\n if (num < 0) { // read the \"whole file\"\n return 1;\n } else if (num <= INT_MAX) {\n return (int)num;\n } else {\n return INT_MAX;\n }\n}\n\nconst char *RAND_file_name(char *buf, size_t num) { return NULL; }\n\nvoid RAND_add(const void *buf, int num, double entropy) {}\n\nint RAND_egd(const char *path) { return 255; }\n\nint RAND_poll(void) { return 1; }\n\nint RAND_status(void) { return 1; }\n\nstatic const struct rand_meth_st kSSLeayMethod = {\n RAND_seed, RAND_bytes, RAND_cleanup,\n RAND_add, RAND_pseudo_bytes, RAND_status,\n};\n\nRAND_METHOD *RAND_SSLeay(void) { return (RAND_METHOD *)&kSSLeayMethod; }\n\nRAND_METHOD *RAND_OpenSSL(void) { return RAND_SSLeay(); }\n\nconst RAND_METHOD *RAND_get_rand_method(void) { return RAND_SSLeay(); }\n\nint RAND_set_rand_method(const RAND_METHOD *method) { return 1; }\n\nvoid RAND_cleanup(void) {}\n\nvoid RAND_get_system_entropy_for_custom_prng(uint8_t *buf, size_t len) {\n if (len > 256) {\n abort();\n }\n CRYPTO_sysrand_for_seed(buf, len);\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/rand/sysrand_internal.h", "content": "/* Copyright 2024 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n#ifndef OPENSSL_HEADER_CRYPTO_SYSRAND_INTERNAL_H\n#define OPENSSL_HEADER_CRYPTO_SYSRAND_INTERNAL_H\n\n#include \n\n#if defined(BORINGSSL_UNSAFE_DETERMINISTIC_MODE)\n#define OPENSSL_RAND_DETERMINISTIC\n#elif defined(OPENSSL_TRUSTY)\n#define OPENSSL_RAND_TRUSTY\n#elif defined(OPENSSL_WINDOWS)\n#define OPENSSL_RAND_WINDOWS\n#elif defined(OPENSSL_LINUX)\n#define OPENSSL_RAND_URANDOM\n#elif defined(OPENSSL_APPLE) && !defined(OPENSSL_MACOS)\n// Unlike macOS, iOS and similar hide away getentropy().\n#define OPENSSL_RAND_IOS\n#else\n// By default if you are integrating BoringSSL we expect you to\n// provide getentropy from the header file.\n#define OPENSSL_RAND_GETENTROPY\n#endif\n\n#endif // OPENSSL_HEADER_CRYPTO__SYSRAND_INTERNAL_H\n" }, { "path": "Sources/CNIOBoringSSL/crypto/rand/trusty.cc", "content": "/* Copyright 2023 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n#include \n\n#include \"../bcm_support.h\"\n#include \"sysrand_internal.h\"\n\n#if defined(OPENSSL_RAND_TRUSTY)\n#include \n#include \n\n#include \n#include \n\n#include \n\nvoid CRYPTO_init_sysrand(void) {}\n\nvoid CRYPTO_sysrand(uint8_t *out, size_t requested) {\n if (trusty_rng_hw_rand(out, requested) != NO_ERROR) {\n abort();\n }\n}\n\nint CRYPTO_sysrand_if_available(uint8_t *buf, size_t len) {\n CRYPTO_sysrand(buf, len);\n return 1;\n}\n\nvoid CRYPTO_sysrand_for_seed(uint8_t *out, size_t requested) {\n CRYPTO_sysrand(out, requested);\n}\n\n#endif // OPENSSL_RAND_TRUSTY\n" }, { "path": "Sources/CNIOBoringSSL/crypto/rand/urandom.cc", "content": "/* Copyright 2014 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n#if !defined(_GNU_SOURCE)\n#define _GNU_SOURCE // needed for syscall() on Linux.\n#endif\n\n#include \n\n#include \"../bcm_support.h\"\n#include \"sysrand_internal.h\"\n\n#if defined(OPENSSL_RAND_URANDOM)\n\n#include \n#include \n#include \n#include \n#include \n#include \n\n#if defined(OPENSSL_LINUX)\n#if defined(BORINGSSL_FIPS)\n#include \n#include \n#endif\n#include \n\n#if defined(OPENSSL_ANDROID)\n#include \n#endif\n\n#if !defined(OPENSSL_ANDROID)\n#define OPENSSL_HAS_GETAUXVAL\n#endif\n// glibc prior to 2.16 does not have getauxval and sys/auxv.h. Android has some\n// host builds (i.e. not building for Android itself, so |OPENSSL_ANDROID| is\n// unset) which are still using a 2.15 sysroot.\n//\n// TODO(davidben): Remove this once Android updates their sysroot.\n#if defined(__GLIBC_PREREQ)\n#if !__GLIBC_PREREQ(2, 16)\n#undef OPENSSL_HAS_GETAUXVAL\n#endif\n#endif\n#if defined(OPENSSL_HAS_GETAUXVAL)\n#include \n#endif\n#endif // OPENSSL_LINUX\n\n#include \n#include \n\n#include \"../internal.h\"\n#include \"getrandom_fillin.h\"\n\n\n#if defined(USE_NR_getrandom)\n\n#if defined(OPENSSL_MSAN)\nextern \"C\" {\nvoid __msan_unpoison(void *, size_t);\n}\n#endif\n\nstatic ssize_t boringssl_getrandom(void *buf, size_t buf_len, unsigned flags) {\n ssize_t ret;\n do {\n ret = syscall(__NR_getrandom, buf, buf_len, flags);\n } while (ret == -1 && errno == EINTR);\n\n#if defined(OPENSSL_MSAN)\n if (ret > 0) {\n // MSAN doesn't recognise |syscall| and thus doesn't notice that we have\n // initialised the output buffer.\n __msan_unpoison(buf, ret);\n }\n#endif // OPENSSL_MSAN\n\n return ret;\n}\n\n#endif // USE_NR_getrandom\n\n// kHaveGetrandom in |urandom_fd| signals that |getrandom| or |getentropy| is\n// available and should be used instead.\nstatic const int kHaveGetrandom = -3;\n\n// urandom_fd is a file descriptor to /dev/urandom. It's protected by |once|.\nstatic int urandom_fd;\n\n#if defined(USE_NR_getrandom)\n\n// getrandom_ready is one if |getrandom| had been initialized by the time\n// |init_once| was called and zero otherwise.\nstatic int getrandom_ready;\n\n// extra_getrandom_flags_for_seed contains a value that is ORed into the flags\n// for getrandom() when reading entropy for a seed.\nstatic int extra_getrandom_flags_for_seed;\n\n// On Android, check a system property to decide whether to set\n// |extra_getrandom_flags_for_seed| otherwise they will default to zero. If\n// ro.oem_boringcrypto_hwrand is true then |extra_getrandom_flags_for_seed| will\n// be set to GRND_RANDOM, causing all random data to be drawn from the same\n// source as /dev/random.\nstatic void maybe_set_extra_getrandom_flags(void) {\n#if defined(BORINGSSL_FIPS) && defined(OPENSSL_ANDROID)\n char value[PROP_VALUE_MAX + 1];\n int length = __system_property_get(\"ro.boringcrypto.hwrand\", value);\n if (length < 0 || length > PROP_VALUE_MAX) {\n return;\n }\n\n value[length] = 0;\n if (OPENSSL_strcasecmp(value, \"true\") == 0) {\n extra_getrandom_flags_for_seed = GRND_RANDOM;\n }\n#endif\n}\n\n#endif // USE_NR_getrandom\n\nstatic CRYPTO_once_t rand_once = CRYPTO_ONCE_INIT;\n\n// init_once initializes the state of this module to values previously\n// requested. This is the only function that modifies |urandom_fd|, which may be\n// read safely after calling the once.\nstatic void init_once(void) {\n#if defined(USE_NR_getrandom)\n int have_getrandom;\n uint8_t dummy;\n ssize_t getrandom_ret =\n boringssl_getrandom(&dummy, sizeof(dummy), GRND_NONBLOCK);\n if (getrandom_ret == 1) {\n getrandom_ready = 1;\n have_getrandom = 1;\n } else if (getrandom_ret == -1 && errno == EAGAIN) {\n // We have getrandom, but the entropy pool has not been initialized yet.\n have_getrandom = 1;\n } else if (getrandom_ret == -1 && errno == ENOSYS) {\n // Fallthrough to using /dev/urandom, below.\n have_getrandom = 0;\n } else {\n // Other errors are fatal.\n perror(\"getrandom\");\n abort();\n }\n\n if (have_getrandom) {\n urandom_fd = kHaveGetrandom;\n maybe_set_extra_getrandom_flags();\n return;\n }\n#endif // USE_NR_getrandom\n\n // FIPS builds must support getrandom.\n //\n // Historically, only Android FIPS builds required getrandom, while Linux FIPS\n // builds had a /dev/urandom fallback which used RNDGETENTCNT as a poor\n // approximation for getrandom's blocking behavior. This is now removed, but\n // avoid making assumptions on this removal until March 2023, in case it needs\n // to be restored. This comment can be deleted after March 2023.\n#if defined(BORINGSSL_FIPS)\n perror(\"getrandom not found\");\n abort();\n#endif\n\n int fd;\n do {\n fd = open(\"/dev/urandom\", O_RDONLY | O_CLOEXEC);\n } while (fd == -1 && errno == EINTR);\n\n if (fd < 0) {\n perror(\"failed to open /dev/urandom\");\n abort();\n }\n\n urandom_fd = fd;\n}\n\nstatic CRYPTO_once_t wait_for_entropy_once = CRYPTO_ONCE_INIT;\n\nstatic void wait_for_entropy(void) {\n int fd = urandom_fd;\n if (fd == kHaveGetrandom) {\n // |getrandom| and |getentropy| support blocking in |fill_with_entropy|\n // directly. For |getrandom|, we first probe with a non-blocking call to aid\n // debugging.\n#if defined(USE_NR_getrandom)\n if (getrandom_ready) {\n // The entropy pool was already initialized in |init_once|.\n return;\n }\n\n uint8_t dummy;\n ssize_t getrandom_ret =\n boringssl_getrandom(&dummy, sizeof(dummy), GRND_NONBLOCK);\n if (getrandom_ret == -1 && errno == EAGAIN) {\n // Attempt to get the path of the current process to aid in debugging when\n // something blocks.\n const char *current_process = \"\";\n#if defined(OPENSSL_HAS_GETAUXVAL)\n const unsigned long getauxval_ret = getauxval(AT_EXECFN);\n if (getauxval_ret != 0) {\n current_process = (const char *)getauxval_ret;\n }\n#endif\n\n fprintf(\n stderr,\n \"%s: getrandom indicates that the entropy pool has not been \"\n \"initialized. Rather than continue with poor entropy, this process \"\n \"will block until entropy is available.\\n\",\n current_process);\n\n getrandom_ret =\n boringssl_getrandom(&dummy, sizeof(dummy), 0 /* no flags */);\n }\n\n if (getrandom_ret != 1) {\n perror(\"getrandom\");\n abort();\n }\n#endif // USE_NR_getrandom\n return;\n }\n}\n\n// fill_with_entropy writes |len| bytes of entropy into |out|. It returns one\n// on success and zero on error. If |block| is one, this function will block\n// until the entropy pool is initialized. Otherwise, this function may fail,\n// setting |errno| to |EAGAIN| if the entropy pool has not yet been initialized.\n// If |seed| is one, this function will OR in the value of\n// |*extra_getrandom_flags_for_seed()| when using |getrandom|.\nstatic int fill_with_entropy(uint8_t *out, size_t len, int block, int seed) {\n if (len == 0) {\n return 1;\n }\n\n#if defined(USE_NR_getrandom) || defined(FREEBSD_GETRANDOM)\n int getrandom_flags = 0;\n if (!block) {\n getrandom_flags |= GRND_NONBLOCK;\n }\n#endif\n\n#if defined(USE_NR_getrandom)\n if (seed) {\n getrandom_flags |= extra_getrandom_flags_for_seed;\n }\n#endif\n\n CRYPTO_init_sysrand();\n if (block) {\n CRYPTO_once(&wait_for_entropy_once, wait_for_entropy);\n }\n\n // Clear |errno| so it has defined value if |read| or |getrandom|\n // \"successfully\" returns zero.\n errno = 0;\n while (len > 0) {\n ssize_t r;\n\n if (urandom_fd == kHaveGetrandom) {\n#if defined(USE_NR_getrandom)\n r = boringssl_getrandom(out, len, getrandom_flags);\n#else // USE_NR_getrandom\n fprintf(stderr, \"urandom fd corrupt.\\n\");\n abort();\n#endif\n } else {\n do {\n r = read(urandom_fd, out, len);\n } while (r == -1 && errno == EINTR);\n }\n\n if (r <= 0) {\n return 0;\n }\n out += r;\n len -= r;\n }\n\n return 1;\n}\n\nvoid CRYPTO_init_sysrand(void) { CRYPTO_once(&rand_once, init_once); }\n\n// CRYPTO_sysrand puts |requested| random bytes into |out|.\nvoid CRYPTO_sysrand(uint8_t *out, size_t requested) {\n if (!fill_with_entropy(out, requested, /*block=*/1, /*seed=*/0)) {\n perror(\"entropy fill failed\");\n abort();\n }\n}\n\nvoid CRYPTO_sysrand_for_seed(uint8_t *out, size_t requested) {\n if (!fill_with_entropy(out, requested, /*block=*/1, /*seed=*/1)) {\n perror(\"entropy fill failed\");\n abort();\n }\n}\n\nint CRYPTO_sysrand_if_available(uint8_t *out, size_t requested) {\n if (fill_with_entropy(out, requested, /*block=*/0, /*seed=*/0)) {\n return 1;\n } else if (errno == EAGAIN) {\n OPENSSL_memset(out, 0, requested);\n return 0;\n } else {\n perror(\"opportunistic entropy fill failed\");\n abort();\n }\n}\n\n#endif // OPENSSL_RAND_URANDOM\n" }, { "path": "Sources/CNIOBoringSSL/crypto/rand/windows.cc", "content": "/* Copyright 2014 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n#include \n\n#include \"../bcm_support.h\"\n#include \"../internal.h\"\n#include \"sysrand_internal.h\"\n\n#if defined(OPENSSL_RAND_WINDOWS)\n\n#include \n#include \n\nOPENSSL_MSVC_PRAGMA(warning(push, 3))\n\n#include \n\n#if WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_APP) && \\\n !WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_DESKTOP)\n#include \nOPENSSL_MSVC_PRAGMA(comment(lib, \"bcrypt.lib\"))\n#endif // WINAPI_PARTITION_APP && !WINAPI_PARTITION_DESKTOP\n\nOPENSSL_MSVC_PRAGMA(warning(pop))\n\n#if WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_APP) && \\\n !WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_DESKTOP)\n\nvoid CRYPTO_init_sysrand(void) {}\n\nvoid CRYPTO_sysrand(uint8_t *out, size_t requested) {\n while (requested > 0) {\n ULONG output_bytes_this_pass = ULONG_MAX;\n if (requested < output_bytes_this_pass) {\n output_bytes_this_pass = (ULONG)requested;\n }\n if (!BCRYPT_SUCCESS(BCryptGenRandom(\n /*hAlgorithm=*/NULL, out, output_bytes_this_pass,\n BCRYPT_USE_SYSTEM_PREFERRED_RNG))) {\n abort();\n }\n requested -= output_bytes_this_pass;\n out += output_bytes_this_pass;\n }\n}\n\n#else\n\n// See: https://learn.microsoft.com/en-us/windows/win32/seccng/processprng\ntypedef BOOL (WINAPI *ProcessPrngFunction)(PBYTE pbData, SIZE_T cbData);\nstatic ProcessPrngFunction g_processprng_fn = NULL;\n\nstatic void init_processprng(void) {\n HMODULE hmod = LoadLibraryW(L\"bcryptprimitives\");\n if (hmod == NULL) {\n abort();\n }\n g_processprng_fn = (ProcessPrngFunction)GetProcAddress(hmod, \"ProcessPrng\");\n if (g_processprng_fn == NULL) {\n abort();\n }\n}\n\nvoid CRYPTO_init_sysrand(void) {\n static CRYPTO_once_t once = CRYPTO_ONCE_INIT;\n CRYPTO_once(&once, init_processprng);\n}\n\nvoid CRYPTO_sysrand(uint8_t *out, size_t requested) {\n CRYPTO_init_sysrand();\n // On non-UWP configurations, use ProcessPrng instead of BCryptGenRandom\n // to avoid accessing resources that may be unavailable inside the\n // Chromium sandbox. See https://crbug.com/74242\n if (!g_processprng_fn(out, requested)) {\n abort();\n }\n}\n\n#endif // WINAPI_PARTITION_APP && !WINAPI_PARTITION_DESKTOP\n\nint CRYPTO_sysrand_if_available(uint8_t *buf, size_t len) {\n CRYPTO_sysrand(buf, len);\n return 1;\n}\n\nvoid CRYPTO_sysrand_for_seed(uint8_t *out, size_t requested) {\n CRYPTO_sysrand(out, requested);\n}\n\n#endif // OPENSSL_RAND_WINDOWS\n" }, { "path": "Sources/CNIOBoringSSL/crypto/rc4/rc4.cc", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n\nvoid RC4(RC4_KEY *key, size_t len, const uint8_t *in, uint8_t *out) {\n uint32_t x = key->x;\n uint32_t y = key->y;\n uint32_t *d = key->data;\n\n for (size_t i = 0; i < len; i++) {\n x = (x + 1) & 0xff;\n uint32_t tx = d[x];\n y = (tx + y) & 0xff;\n uint32_t ty = d[y];\n d[x] = ty;\n d[y] = tx;\n out[i] = d[(tx + ty) & 0xff] ^ in[i];\n }\n\n key->x = x;\n key->y = y;\n}\n\nvoid RC4_set_key(RC4_KEY *rc4key, unsigned len, const uint8_t *key) {\n uint32_t *d = &rc4key->data[0];\n rc4key->x = 0;\n rc4key->y = 0;\n\n for (unsigned i = 0; i < 256; i++) {\n d[i] = i;\n }\n\n unsigned id1 = 0, id2 = 0;\n for (unsigned i = 0; i < 256; i++) {\n uint32_t tmp = d[i];\n id2 = (key[id1] + tmp + id2) & 0xff;\n if (++id1 == len) {\n id1 = 0;\n }\n d[i] = d[id2];\n d[id2] = tmp;\n }\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/refcount.cc", "content": "/* Copyright 2015 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n#include \"internal.h\"\n\n#include \n#include \n\n\n// See comment above the typedef of CRYPTO_refcount_t about these tests.\nstatic_assert(alignof(CRYPTO_refcount_t) == alignof(CRYPTO_atomic_u32),\n \"CRYPTO_refcount_t does not match CRYPTO_atomic_u32 alignment\");\nstatic_assert(sizeof(CRYPTO_refcount_t) == sizeof(CRYPTO_atomic_u32),\n \"CRYPTO_refcount_t does not match CRYPTO_atomic_u32 size\");\n\nstatic_assert((CRYPTO_refcount_t)-1 == CRYPTO_REFCOUNT_MAX,\n \"CRYPTO_REFCOUNT_MAX is incorrect\");\n\nvoid CRYPTO_refcount_inc(CRYPTO_refcount_t *in_count) {\n CRYPTO_atomic_u32 *count = (CRYPTO_atomic_u32 *)in_count;\n uint32_t expected = CRYPTO_atomic_load_u32(count);\n\n while (expected != CRYPTO_REFCOUNT_MAX) {\n uint32_t new_value = expected + 1;\n if (CRYPTO_atomic_compare_exchange_weak_u32(count, &expected, new_value)) {\n break;\n }\n }\n}\n\nint CRYPTO_refcount_dec_and_test_zero(CRYPTO_refcount_t *in_count) {\n CRYPTO_atomic_u32 *count = (CRYPTO_atomic_u32 *)in_count;\n uint32_t expected = CRYPTO_atomic_load_u32(count);\n\n for (;;) {\n if (expected == 0) {\n abort();\n } else if (expected == CRYPTO_REFCOUNT_MAX) {\n return 0;\n } else {\n const uint32_t new_value = expected - 1;\n if (CRYPTO_atomic_compare_exchange_weak_u32(count, &expected,\n new_value)) {\n return new_value == 0;\n }\n }\n }\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/rsa/internal.h", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#ifndef OPENSSL_HEADER_RSA_EXTRA_INTERNAL_H\n#define OPENSSL_HEADER_RSA_EXTRA_INTERNAL_H\n\n#include \n\n#if defined(__cplusplus)\nextern \"C\" {\n#endif\n\n\nint RSA_padding_check_PKCS1_OAEP_mgf1(uint8_t *out, size_t *out_len,\n size_t max_out, const uint8_t *from,\n size_t from_len, const uint8_t *param,\n size_t param_len, const EVP_MD *md,\n const EVP_MD *mgf1md);\n\n\n#if defined(__cplusplus)\n} // extern C\n#endif\n\n#endif // OPENSSL_HEADER_RSA_EXTRA_INTERNAL_H\n" }, { "path": "Sources/CNIOBoringSSL/crypto/rsa/rsa_asn1.cc", "content": "/*\n * Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n#include \n#include \n\n#include \n#include \n#include \n#include \n\n#include \"../fipsmodule/rsa/internal.h\"\n#include \"../bytestring/internal.h\"\n#include \"../internal.h\"\n\n\nstatic int parse_integer(CBS *cbs, BIGNUM **out) {\n assert(*out == NULL);\n *out = BN_new();\n if (*out == NULL) {\n return 0;\n }\n return BN_parse_asn1_unsigned(cbs, *out);\n}\n\nstatic int marshal_integer(CBB *cbb, BIGNUM *bn) {\n if (bn == NULL) {\n // An RSA object may be missing some components.\n OPENSSL_PUT_ERROR(RSA, RSA_R_VALUE_MISSING);\n return 0;\n }\n return BN_marshal_asn1(cbb, bn);\n}\n\nRSA *RSA_parse_public_key(CBS *cbs) {\n RSA *ret = RSA_new();\n if (ret == NULL) {\n return NULL;\n }\n CBS child;\n if (!CBS_get_asn1(cbs, &child, CBS_ASN1_SEQUENCE) ||\n !parse_integer(&child, &ret->n) ||\n !parse_integer(&child, &ret->e) ||\n CBS_len(&child) != 0) {\n OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_ENCODING);\n RSA_free(ret);\n return NULL;\n }\n\n if (!RSA_check_key(ret)) {\n OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_RSA_PARAMETERS);\n RSA_free(ret);\n return NULL;\n }\n\n return ret;\n}\n\nRSA *RSA_public_key_from_bytes(const uint8_t *in, size_t in_len) {\n CBS cbs;\n CBS_init(&cbs, in, in_len);\n RSA *ret = RSA_parse_public_key(&cbs);\n if (ret == NULL || CBS_len(&cbs) != 0) {\n OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_ENCODING);\n RSA_free(ret);\n return NULL;\n }\n return ret;\n}\n\nint RSA_marshal_public_key(CBB *cbb, const RSA *rsa) {\n CBB child;\n if (!CBB_add_asn1(cbb, &child, CBS_ASN1_SEQUENCE) ||\n !marshal_integer(&child, rsa->n) ||\n !marshal_integer(&child, rsa->e) ||\n !CBB_flush(cbb)) {\n OPENSSL_PUT_ERROR(RSA, RSA_R_ENCODE_ERROR);\n return 0;\n }\n return 1;\n}\n\nint RSA_public_key_to_bytes(uint8_t **out_bytes, size_t *out_len,\n const RSA *rsa) {\n CBB cbb;\n CBB_zero(&cbb);\n if (!CBB_init(&cbb, 0) ||\n !RSA_marshal_public_key(&cbb, rsa) ||\n !CBB_finish(&cbb, out_bytes, out_len)) {\n OPENSSL_PUT_ERROR(RSA, RSA_R_ENCODE_ERROR);\n CBB_cleanup(&cbb);\n return 0;\n }\n return 1;\n}\n\n// kVersionTwoPrime is the value of the version field for a two-prime\n// RSAPrivateKey structure (RFC 3447).\nstatic const uint64_t kVersionTwoPrime = 0;\n\nRSA *RSA_parse_private_key(CBS *cbs) {\n RSA *ret = RSA_new();\n if (ret == NULL) {\n return NULL;\n }\n\n CBS child;\n uint64_t version;\n if (!CBS_get_asn1(cbs, &child, CBS_ASN1_SEQUENCE) ||\n !CBS_get_asn1_uint64(&child, &version)) {\n OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_ENCODING);\n goto err;\n }\n\n if (version != kVersionTwoPrime) {\n OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_VERSION);\n goto err;\n }\n\n if (!parse_integer(&child, &ret->n) ||\n !parse_integer(&child, &ret->e) ||\n !parse_integer(&child, &ret->d) ||\n !parse_integer(&child, &ret->p) ||\n !parse_integer(&child, &ret->q) ||\n !parse_integer(&child, &ret->dmp1) ||\n !parse_integer(&child, &ret->dmq1) ||\n !parse_integer(&child, &ret->iqmp)) {\n goto err;\n }\n\n if (CBS_len(&child) != 0) {\n OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_ENCODING);\n goto err;\n }\n\n if (!RSA_check_key(ret)) {\n OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_RSA_PARAMETERS);\n goto err;\n }\n\n return ret;\n\nerr:\n RSA_free(ret);\n return NULL;\n}\n\nRSA *RSA_private_key_from_bytes(const uint8_t *in, size_t in_len) {\n CBS cbs;\n CBS_init(&cbs, in, in_len);\n RSA *ret = RSA_parse_private_key(&cbs);\n if (ret == NULL || CBS_len(&cbs) != 0) {\n OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_ENCODING);\n RSA_free(ret);\n return NULL;\n }\n return ret;\n}\n\nint RSA_marshal_private_key(CBB *cbb, const RSA *rsa) {\n CBB child;\n if (!CBB_add_asn1(cbb, &child, CBS_ASN1_SEQUENCE) ||\n !CBB_add_asn1_uint64(&child, kVersionTwoPrime) ||\n !marshal_integer(&child, rsa->n) ||\n !marshal_integer(&child, rsa->e) ||\n !marshal_integer(&child, rsa->d) ||\n !marshal_integer(&child, rsa->p) ||\n !marshal_integer(&child, rsa->q) ||\n !marshal_integer(&child, rsa->dmp1) ||\n !marshal_integer(&child, rsa->dmq1) ||\n !marshal_integer(&child, rsa->iqmp) ||\n !CBB_flush(cbb)) {\n OPENSSL_PUT_ERROR(RSA, RSA_R_ENCODE_ERROR);\n return 0;\n }\n return 1;\n}\n\nint RSA_private_key_to_bytes(uint8_t **out_bytes, size_t *out_len,\n const RSA *rsa) {\n CBB cbb;\n CBB_zero(&cbb);\n if (!CBB_init(&cbb, 0) ||\n !RSA_marshal_private_key(&cbb, rsa) ||\n !CBB_finish(&cbb, out_bytes, out_len)) {\n OPENSSL_PUT_ERROR(RSA, RSA_R_ENCODE_ERROR);\n CBB_cleanup(&cbb);\n return 0;\n }\n return 1;\n}\n\nRSA *d2i_RSAPublicKey(RSA **out, const uint8_t **inp, long len) {\n if (len < 0) {\n return NULL;\n }\n CBS cbs;\n CBS_init(&cbs, *inp, (size_t)len);\n RSA *ret = RSA_parse_public_key(&cbs);\n if (ret == NULL) {\n return NULL;\n }\n if (out != NULL) {\n RSA_free(*out);\n *out = ret;\n }\n *inp = CBS_data(&cbs);\n return ret;\n}\n\nint i2d_RSAPublicKey(const RSA *in, uint8_t **outp) {\n CBB cbb;\n if (!CBB_init(&cbb, 0) ||\n !RSA_marshal_public_key(&cbb, in)) {\n CBB_cleanup(&cbb);\n return -1;\n }\n return CBB_finish_i2d(&cbb, outp);\n}\n\nRSA *d2i_RSAPrivateKey(RSA **out, const uint8_t **inp, long len) {\n if (len < 0) {\n return NULL;\n }\n CBS cbs;\n CBS_init(&cbs, *inp, (size_t)len);\n RSA *ret = RSA_parse_private_key(&cbs);\n if (ret == NULL) {\n return NULL;\n }\n if (out != NULL) {\n RSA_free(*out);\n *out = ret;\n }\n *inp = CBS_data(&cbs);\n return ret;\n}\n\nint i2d_RSAPrivateKey(const RSA *in, uint8_t **outp) {\n CBB cbb;\n if (!CBB_init(&cbb, 0) ||\n !RSA_marshal_private_key(&cbb, in)) {\n CBB_cleanup(&cbb);\n return -1;\n }\n return CBB_finish_i2d(&cbb, outp);\n}\n\nRSA *RSAPublicKey_dup(const RSA *rsa) {\n uint8_t *der;\n size_t der_len;\n if (!RSA_public_key_to_bytes(&der, &der_len, rsa)) {\n return NULL;\n }\n RSA *ret = RSA_public_key_from_bytes(der, der_len);\n OPENSSL_free(der);\n return ret;\n}\n\nRSA *RSAPrivateKey_dup(const RSA *rsa) {\n uint8_t *der;\n size_t der_len;\n if (!RSA_private_key_to_bytes(&der, &der_len, rsa)) {\n return NULL;\n }\n RSA *ret = RSA_private_key_from_bytes(der, der_len);\n OPENSSL_free(der);\n return ret;\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/rsa/rsa_crypt.cc", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n\n#include \n#include \n#include \n#include \n#include \n#include \n\n#include \"../fipsmodule/bn/internal.h\"\n#include \"../fipsmodule/rsa/internal.h\"\n#include \"../internal.h\"\n#include \"internal.h\"\n\n\nstatic void rand_nonzero(uint8_t *out, size_t len) {\n RAND_bytes(out, len);\n\n for (size_t i = 0; i < len; i++) {\n // Zero values are replaced, and the distribution of zero and non-zero bytes\n // is public, so leaking this is safe.\n while (constant_time_declassify_int(out[i] == 0)) {\n RAND_bytes(out + i, 1);\n }\n }\n}\n\nint RSA_padding_add_PKCS1_OAEP_mgf1(uint8_t *to, size_t to_len,\n const uint8_t *from, size_t from_len,\n const uint8_t *param, size_t param_len,\n const EVP_MD *md, const EVP_MD *mgf1md) {\n if (md == NULL) {\n md = EVP_sha1();\n }\n if (mgf1md == NULL) {\n mgf1md = md;\n }\n\n size_t mdlen = EVP_MD_size(md);\n\n if (to_len < 2 * mdlen + 2) {\n OPENSSL_PUT_ERROR(RSA, RSA_R_KEY_SIZE_TOO_SMALL);\n return 0;\n }\n\n size_t emlen = to_len - 1;\n if (from_len > emlen - 2 * mdlen - 1) {\n OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);\n return 0;\n }\n\n if (emlen < 2 * mdlen + 1) {\n OPENSSL_PUT_ERROR(RSA, RSA_R_KEY_SIZE_TOO_SMALL);\n return 0;\n }\n\n to[0] = 0;\n uint8_t *seed = to + 1;\n uint8_t *db = to + mdlen + 1;\n\n uint8_t *dbmask = NULL;\n int ret = 0;\n if (!EVP_Digest(param, param_len, db, NULL, md, NULL)) {\n goto out;\n }\n OPENSSL_memset(db + mdlen, 0, emlen - from_len - 2 * mdlen - 1);\n db[emlen - from_len - mdlen - 1] = 0x01;\n OPENSSL_memcpy(db + emlen - from_len - mdlen, from, from_len);\n if (!RAND_bytes(seed, mdlen)) {\n goto out;\n }\n\n dbmask = reinterpret_cast(OPENSSL_malloc(emlen - mdlen));\n if (dbmask == NULL) {\n goto out;\n }\n\n if (!PKCS1_MGF1(dbmask, emlen - mdlen, seed, mdlen, mgf1md)) {\n goto out;\n }\n for (size_t i = 0; i < emlen - mdlen; i++) {\n db[i] ^= dbmask[i];\n }\n\n uint8_t seedmask[EVP_MAX_MD_SIZE];\n if (!PKCS1_MGF1(seedmask, mdlen, db, emlen - mdlen, mgf1md)) {\n goto out;\n }\n for (size_t i = 0; i < mdlen; i++) {\n seed[i] ^= seedmask[i];\n }\n ret = 1;\n\nout:\n OPENSSL_free(dbmask);\n return ret;\n}\n\nint RSA_padding_check_PKCS1_OAEP_mgf1(uint8_t *out, size_t *out_len,\n size_t max_out, const uint8_t *from,\n size_t from_len, const uint8_t *param,\n size_t param_len, const EVP_MD *md,\n const EVP_MD *mgf1md) {\n uint8_t *db = NULL;\n\n {\n if (md == NULL) {\n md = EVP_sha1();\n }\n if (mgf1md == NULL) {\n mgf1md = md;\n }\n\n size_t mdlen = EVP_MD_size(md);\n\n // The encoded message is one byte smaller than the modulus to ensure that\n // it doesn't end up greater than the modulus. Thus there's an extra \"+1\"\n // here compared to https://tools.ietf.org/html/rfc2437#section-9.1.1.2.\n if (from_len < 1 + 2 * mdlen + 1) {\n // 'from_len' is the length of the modulus, i.e. does not depend on the\n // particular ciphertext.\n goto decoding_err;\n }\n\n size_t dblen = from_len - mdlen - 1;\n db = reinterpret_cast(OPENSSL_malloc(dblen));\n if (db == NULL) {\n goto err;\n }\n\n const uint8_t *maskedseed = from + 1;\n const uint8_t *maskeddb = from + 1 + mdlen;\n\n uint8_t seed[EVP_MAX_MD_SIZE];\n if (!PKCS1_MGF1(seed, mdlen, maskeddb, dblen, mgf1md)) {\n goto err;\n }\n for (size_t i = 0; i < mdlen; i++) {\n seed[i] ^= maskedseed[i];\n }\n\n if (!PKCS1_MGF1(db, dblen, seed, mdlen, mgf1md)) {\n goto err;\n }\n for (size_t i = 0; i < dblen; i++) {\n db[i] ^= maskeddb[i];\n }\n\n uint8_t phash[EVP_MAX_MD_SIZE];\n if (!EVP_Digest(param, param_len, phash, NULL, md, NULL)) {\n goto err;\n }\n\n crypto_word_t bad =\n ~constant_time_is_zero_w(CRYPTO_memcmp(db, phash, mdlen));\n bad |= ~constant_time_is_zero_w(from[0]);\n\n crypto_word_t looking_for_one_byte = CONSTTIME_TRUE_W;\n size_t one_index = 0;\n for (size_t i = mdlen; i < dblen; i++) {\n crypto_word_t equals1 = constant_time_eq_w(db[i], 1);\n crypto_word_t equals0 = constant_time_eq_w(db[i], 0);\n one_index =\n constant_time_select_w(looking_for_one_byte & equals1, i, one_index);\n looking_for_one_byte =\n constant_time_select_w(equals1, 0, looking_for_one_byte);\n bad |= looking_for_one_byte & ~equals0;\n }\n\n bad |= looking_for_one_byte;\n\n // Whether the overall padding was valid or not in OAEP is public.\n if (constant_time_declassify_w(bad)) {\n goto decoding_err;\n }\n\n // Once the padding is known to be valid, the output length is also public.\n static_assert(sizeof(size_t) <= sizeof(crypto_word_t),\n \"size_t does not fit in crypto_word_t\");\n one_index = constant_time_declassify_w(one_index);\n\n one_index++;\n size_t mlen = dblen - one_index;\n if (max_out < mlen) {\n OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE);\n goto err;\n }\n\n OPENSSL_memcpy(out, db + one_index, mlen);\n *out_len = mlen;\n OPENSSL_free(db);\n return 1;\n }\n\ndecoding_err:\n // To avoid chosen ciphertext attacks, the error message should not reveal\n // which kind of decoding error happened.\n OPENSSL_PUT_ERROR(RSA, RSA_R_OAEP_DECODING_ERROR);\nerr:\n OPENSSL_free(db);\n return 0;\n}\n\nstatic int rsa_padding_add_PKCS1_type_2(uint8_t *to, size_t to_len,\n const uint8_t *from, size_t from_len) {\n // See RFC 8017, section 7.2.1.\n if (to_len < RSA_PKCS1_PADDING_SIZE) {\n OPENSSL_PUT_ERROR(RSA, RSA_R_KEY_SIZE_TOO_SMALL);\n return 0;\n }\n\n if (from_len > to_len - RSA_PKCS1_PADDING_SIZE) {\n OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);\n return 0;\n }\n\n to[0] = 0;\n to[1] = 2;\n\n size_t padding_len = to_len - 3 - from_len;\n rand_nonzero(to + 2, padding_len);\n to[2 + padding_len] = 0;\n OPENSSL_memcpy(to + to_len - from_len, from, from_len);\n return 1;\n}\n\nstatic int rsa_padding_check_PKCS1_type_2(uint8_t *out, size_t *out_len,\n size_t max_out, const uint8_t *from,\n size_t from_len) {\n if (from_len == 0) {\n OPENSSL_PUT_ERROR(RSA, RSA_R_EMPTY_PUBLIC_KEY);\n return 0;\n }\n\n // PKCS#1 v1.5 decryption. See \"PKCS #1 v2.2: RSA Cryptography\n // Standard\", section 7.2.2.\n if (from_len < RSA_PKCS1_PADDING_SIZE) {\n // |from| is zero-padded to the size of the RSA modulus, a public value, so\n // this can be rejected in non-constant time.\n OPENSSL_PUT_ERROR(RSA, RSA_R_KEY_SIZE_TOO_SMALL);\n return 0;\n }\n\n crypto_word_t first_byte_is_zero = constant_time_eq_w(from[0], 0);\n crypto_word_t second_byte_is_two = constant_time_eq_w(from[1], 2);\n\n crypto_word_t zero_index = 0, looking_for_index = CONSTTIME_TRUE_W;\n for (size_t i = 2; i < from_len; i++) {\n crypto_word_t equals0 = constant_time_is_zero_w(from[i]);\n zero_index =\n constant_time_select_w(looking_for_index & equals0, i, zero_index);\n looking_for_index = constant_time_select_w(equals0, 0, looking_for_index);\n }\n\n // The input must begin with 00 02.\n crypto_word_t valid_index = first_byte_is_zero;\n valid_index &= second_byte_is_two;\n\n // We must have found the end of PS.\n valid_index &= ~looking_for_index;\n\n // PS must be at least 8 bytes long, and it starts two bytes into |from|.\n valid_index &= constant_time_ge_w(zero_index, 2 + 8);\n\n // Skip the zero byte.\n zero_index++;\n\n // NOTE: Although this logic attempts to be constant time, the API contracts\n // of this function and |RSA_decrypt| with |RSA_PKCS1_PADDING| make it\n // impossible to completely avoid Bleichenbacher's attack. Consumers should\n // use |RSA_PADDING_NONE| and perform the padding check in constant-time\n // combined with a swap to a random session key or other mitigation.\n CONSTTIME_DECLASSIFY(&valid_index, sizeof(valid_index));\n CONSTTIME_DECLASSIFY(&zero_index, sizeof(zero_index));\n\n if (!valid_index) {\n OPENSSL_PUT_ERROR(RSA, RSA_R_PKCS_DECODING_ERROR);\n return 0;\n }\n\n const size_t msg_len = from_len - zero_index;\n if (msg_len > max_out) {\n // This shouldn't happen because this function is always called with\n // |max_out| as the key size and |from_len| is bounded by the key size.\n OPENSSL_PUT_ERROR(RSA, RSA_R_PKCS_DECODING_ERROR);\n return 0;\n }\n\n OPENSSL_memcpy(out, &from[zero_index], msg_len);\n *out_len = msg_len;\n return 1;\n}\n\nint RSA_public_encrypt(size_t flen, const uint8_t *from, uint8_t *to, RSA *rsa,\n int padding) {\n size_t out_len;\n\n if (!RSA_encrypt(rsa, &out_len, to, RSA_size(rsa), from, flen, padding)) {\n return -1;\n }\n\n if (out_len > INT_MAX) {\n OPENSSL_PUT_ERROR(RSA, ERR_R_OVERFLOW);\n return -1;\n }\n return (int)out_len;\n}\n\nint RSA_private_encrypt(size_t flen, const uint8_t *from, uint8_t *to, RSA *rsa,\n int padding) {\n size_t out_len;\n\n if (!RSA_sign_raw(rsa, &out_len, to, RSA_size(rsa), from, flen, padding)) {\n return -1;\n }\n\n if (out_len > INT_MAX) {\n OPENSSL_PUT_ERROR(RSA, ERR_R_OVERFLOW);\n return -1;\n }\n return (int)out_len;\n}\n\nint RSA_encrypt(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out,\n const uint8_t *in, size_t in_len, int padding) {\n if (rsa->n == NULL || rsa->e == NULL) {\n OPENSSL_PUT_ERROR(RSA, RSA_R_VALUE_MISSING);\n return 0;\n }\n\n if (!rsa_check_public_key(rsa)) {\n return 0;\n }\n\n const unsigned rsa_size = RSA_size(rsa);\n BIGNUM *f, *result;\n uint8_t *buf = NULL;\n BN_CTX *ctx = NULL;\n int i, ret = 0;\n\n if (max_out < rsa_size) {\n OPENSSL_PUT_ERROR(RSA, RSA_R_OUTPUT_BUFFER_TOO_SMALL);\n return 0;\n }\n\n ctx = BN_CTX_new();\n if (ctx == NULL) {\n goto err;\n }\n\n BN_CTX_start(ctx);\n f = BN_CTX_get(ctx);\n result = BN_CTX_get(ctx);\n buf = reinterpret_cast(OPENSSL_malloc(rsa_size));\n if (!f || !result || !buf) {\n goto err;\n }\n\n switch (padding) {\n case RSA_PKCS1_PADDING:\n i = rsa_padding_add_PKCS1_type_2(buf, rsa_size, in, in_len);\n break;\n case RSA_PKCS1_OAEP_PADDING:\n // Use the default parameters: SHA-1 for both hashes and no label.\n i = RSA_padding_add_PKCS1_OAEP_mgf1(buf, rsa_size, in, in_len, NULL, 0,\n NULL, NULL);\n break;\n case RSA_NO_PADDING:\n i = RSA_padding_add_none(buf, rsa_size, in, in_len);\n break;\n default:\n OPENSSL_PUT_ERROR(RSA, RSA_R_UNKNOWN_PADDING_TYPE);\n goto err;\n }\n\n if (i <= 0) {\n goto err;\n }\n\n if (BN_bin2bn(buf, rsa_size, f) == NULL) {\n goto err;\n }\n\n if (BN_ucmp(f, rsa->n) >= 0) {\n // usually the padding functions would catch this\n OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE_FOR_MODULUS);\n goto err;\n }\n\n if (!BN_MONT_CTX_set_locked(&rsa->mont_n, &rsa->lock, rsa->n, ctx) ||\n !BN_mod_exp_mont(result, f, rsa->e, &rsa->mont_n->N, ctx, rsa->mont_n)) {\n goto err;\n }\n\n // put in leading 0 bytes if the number is less than the length of the\n // modulus\n if (!BN_bn2bin_padded(out, rsa_size, result)) {\n OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR);\n goto err;\n }\n\n *out_len = rsa_size;\n ret = 1;\n\nerr:\n if (ctx != NULL) {\n BN_CTX_end(ctx);\n BN_CTX_free(ctx);\n }\n OPENSSL_free(buf);\n\n return ret;\n}\n\nstatic int rsa_default_decrypt(RSA *rsa, size_t *out_len, uint8_t *out,\n size_t max_out, const uint8_t *in, size_t in_len,\n int padding) {\n const unsigned rsa_size = RSA_size(rsa);\n uint8_t *buf = NULL;\n int ret = 0;\n\n if (max_out < rsa_size) {\n OPENSSL_PUT_ERROR(RSA, RSA_R_OUTPUT_BUFFER_TOO_SMALL);\n return 0;\n }\n\n if (padding == RSA_NO_PADDING) {\n buf = out;\n } else {\n // Allocate a temporary buffer to hold the padded plaintext.\n buf = reinterpret_cast(OPENSSL_malloc(rsa_size));\n if (buf == NULL) {\n goto err;\n }\n }\n\n if (in_len != rsa_size) {\n OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_LEN_NOT_EQUAL_TO_MOD_LEN);\n goto err;\n }\n\n if (!rsa_private_transform(rsa, buf, in, rsa_size)) {\n goto err;\n }\n\n switch (padding) {\n case RSA_PKCS1_PADDING:\n ret =\n rsa_padding_check_PKCS1_type_2(out, out_len, rsa_size, buf, rsa_size);\n break;\n case RSA_PKCS1_OAEP_PADDING:\n // Use the default parameters: SHA-1 for both hashes and no label.\n ret = RSA_padding_check_PKCS1_OAEP_mgf1(out, out_len, rsa_size, buf,\n rsa_size, NULL, 0, NULL, NULL);\n break;\n case RSA_NO_PADDING:\n *out_len = rsa_size;\n ret = 1;\n break;\n default:\n OPENSSL_PUT_ERROR(RSA, RSA_R_UNKNOWN_PADDING_TYPE);\n goto err;\n }\n\n CONSTTIME_DECLASSIFY(&ret, sizeof(ret));\n if (!ret) {\n OPENSSL_PUT_ERROR(RSA, RSA_R_PADDING_CHECK_FAILED);\n } else {\n CONSTTIME_DECLASSIFY(out, *out_len);\n }\n\nerr:\n if (padding != RSA_NO_PADDING) {\n OPENSSL_free(buf);\n }\n\n return ret;\n}\n\nint RSA_decrypt(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out,\n const uint8_t *in, size_t in_len, int padding) {\n if (rsa->meth->decrypt) {\n return rsa->meth->decrypt(rsa, out_len, out, max_out, in, in_len, padding);\n }\n\n return rsa_default_decrypt(rsa, out_len, out, max_out, in, in_len, padding);\n}\n\nint RSA_private_decrypt(size_t flen, const uint8_t *from, uint8_t *to, RSA *rsa,\n int padding) {\n size_t out_len;\n if (!RSA_decrypt(rsa, &out_len, to, RSA_size(rsa), from, flen, padding)) {\n return -1;\n }\n\n if (out_len > INT_MAX) {\n OPENSSL_PUT_ERROR(RSA, ERR_R_OVERFLOW);\n return -1;\n }\n return (int)out_len;\n}\n\nint RSA_public_decrypt(size_t flen, const uint8_t *from, uint8_t *to, RSA *rsa,\n int padding) {\n size_t out_len;\n if (!RSA_verify_raw(rsa, &out_len, to, RSA_size(rsa), from, flen, padding)) {\n return -1;\n }\n\n if (out_len > INT_MAX) {\n OPENSSL_PUT_ERROR(RSA, ERR_R_OVERFLOW);\n return -1;\n }\n return (int)out_len;\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/rsa/rsa_extra.cc", "content": "/* Copyright 2024 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n#include \n\nint RSA_blinding_on(RSA *rsa, BN_CTX *ctx) { return 1; }\n\nvoid RSA_blinding_off(RSA *rsa) {}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/rsa/rsa_print.cc", "content": "/*\n * Copyright 2006-2017 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n\n\nint RSA_print(BIO *bio, const RSA *rsa, int indent) {\n EVP_PKEY *pkey = EVP_PKEY_new();\n int ret = pkey != NULL &&\n EVP_PKEY_set1_RSA(pkey, (RSA *)rsa) &&\n EVP_PKEY_print_private(bio, pkey, indent, NULL);\n EVP_PKEY_free(pkey);\n return ret;\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/sha/sha1.cc", "content": "/* Copyright 2024 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n#include \n\n#include \n\n#include \"../fipsmodule/bcm_interface.h\"\n\nint SHA1_Init(SHA_CTX *sha) {\n BCM_sha1_init(sha);\n return 1;\n}\n\nint SHA1_Update(SHA_CTX *sha, const void *data, size_t len) {\n BCM_sha1_update(sha, data, len);\n return 1;\n}\n\nint SHA1_Final(uint8_t out[SHA_DIGEST_LENGTH], SHA_CTX *sha) {\n BCM_sha1_final(out, sha);\n return 1;\n}\n\nuint8_t *SHA1(const uint8_t *data, size_t len, uint8_t out[SHA_DIGEST_LENGTH]) {\n SHA_CTX ctx;\n BCM_sha1_init(&ctx);\n BCM_sha1_update(&ctx, data, len);\n BCM_sha1_final(out, &ctx);\n OPENSSL_cleanse(&ctx, sizeof(ctx));\n return out;\n}\n\nvoid SHA1_Transform(SHA_CTX *sha, const uint8_t block[SHA_CBLOCK]) {\n BCM_sha1_transform(sha, block);\n}\n\nvoid CRYPTO_fips_186_2_prf(uint8_t *out, size_t out_len,\n const uint8_t xkey[SHA_DIGEST_LENGTH]) {\n BCM_fips_186_2_prf(out, out_len, xkey);\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/sha/sha256.cc", "content": "/* Copyright 2024 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n#include \n\n#include \n\n#include \"../fipsmodule/bcm_interface.h\"\n\n\nint SHA224_Init(SHA256_CTX *sha) {\n BCM_sha224_init(sha);\n return 1;\n}\n\nint SHA224_Update(SHA256_CTX *sha, const void *data, size_t len) {\n BCM_sha224_update(sha, data, len);\n return 1;\n}\n\nint SHA224_Final(uint8_t out[SHA224_DIGEST_LENGTH], SHA256_CTX *sha) {\n BCM_sha224_final(out, sha);\n return 1;\n}\n\nuint8_t *SHA224(const uint8_t *data, size_t len,\n uint8_t out[SHA224_DIGEST_LENGTH]) {\n SHA256_CTX ctx;\n BCM_sha224_init(&ctx);\n BCM_sha224_update(&ctx, data, len);\n BCM_sha224_final(out, &ctx);\n OPENSSL_cleanse(&ctx, sizeof(ctx));\n return out;\n}\n\nint SHA256_Init(SHA256_CTX *sha) {\n BCM_sha256_init(sha);\n return 1;\n}\n\nint SHA256_Update(SHA256_CTX *sha, const void *data, size_t len) {\n BCM_sha256_update(sha, data, len);\n return 1;\n}\n\nint SHA256_Final(uint8_t out[SHA256_DIGEST_LENGTH], SHA256_CTX *sha) {\n // TODO(bbe): This overflow check one of the few places a low-level hash\n // 'final' function can fail. SHA-512 does not have a corresponding check.\n // The BCM function is infallible and will abort if this is done incorrectly.\n // we should verify nothing crashes with this removed and eliminate the 0\n // return.\n if (sha->md_len > SHA256_DIGEST_LENGTH) {\n return 0;\n }\n BCM_sha256_final(out, sha);\n return 1;\n}\n\nuint8_t *SHA256(const uint8_t *data, size_t len,\n uint8_t out[SHA256_DIGEST_LENGTH]) {\n SHA256_CTX ctx;\n BCM_sha256_init(&ctx);\n BCM_sha256_update(&ctx, data, len);\n BCM_sha256_final(out, &ctx);\n OPENSSL_cleanse(&ctx, sizeof(ctx));\n return out;\n}\n\nvoid SHA256_Transform(SHA256_CTX *sha, const uint8_t block[SHA256_CBLOCK]) {\n BCM_sha256_transform(sha, block);\n}\n\nvoid SHA256_TransformBlocks(uint32_t state[8], const uint8_t *data,\n size_t num_blocks) {\n BCM_sha256_transform_blocks(state, data, num_blocks);\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/sha/sha512.cc", "content": "/* Copyright 2024 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n#include \n\n#include \n\n#include \"../fipsmodule/bcm_interface.h\"\n\n\nint SHA384_Init(SHA512_CTX *sha) {\n BCM_sha384_init(sha);\n return 1;\n}\n\nint SHA384_Update(SHA512_CTX *sha, const void *data, size_t len) {\n BCM_sha384_update(sha, data, len);\n return 1;\n}\n\nint SHA384_Final(uint8_t out[SHA384_DIGEST_LENGTH], SHA512_CTX *sha) {\n BCM_sha384_final(out, sha);\n return 1;\n}\n\nuint8_t *SHA384(const uint8_t *data, size_t len,\n uint8_t out[SHA384_DIGEST_LENGTH]) {\n SHA512_CTX ctx;\n BCM_sha384_init(&ctx);\n BCM_sha384_update(&ctx, data, len);\n BCM_sha384_final(out, &ctx);\n OPENSSL_cleanse(&ctx, sizeof(ctx));\n return out;\n}\n\nint SHA512_256_Init(SHA512_CTX *sha) {\n BCM_sha512_256_init(sha);\n return 1;\n}\n\nint SHA512_256_Update(SHA512_CTX *sha, const void *data, size_t len) {\n BCM_sha512_256_update(sha, data, len);\n return 1;\n}\n\nint SHA512_256_Final(uint8_t out[SHA512_256_DIGEST_LENGTH], SHA512_CTX *sha) {\n BCM_sha512_256_final(out, sha);\n return 1;\n}\n\nuint8_t *SHA512_256(const uint8_t *data, size_t len,\n uint8_t out[SHA512_256_DIGEST_LENGTH]) {\n SHA512_CTX ctx;\n BCM_sha512_256_init(&ctx);\n BCM_sha512_256_update(&ctx, data, len);\n BCM_sha512_256_final(out, &ctx);\n OPENSSL_cleanse(&ctx, sizeof(ctx));\n return out;\n}\n\nint SHA512_Init(SHA512_CTX *sha) {\n BCM_sha512_init(sha);\n return 1;\n}\n\nint SHA512_Update(SHA512_CTX *sha, const void *data, size_t len) {\n BCM_sha512_update(sha, data, len);\n return 1;\n}\n\nint SHA512_Final(uint8_t out[SHA512_DIGEST_LENGTH], SHA512_CTX *sha) {\n // Historically this function retured failure if passed NULL, even\n // though other final functions do not.\n if (out == NULL) {\n return 0;\n }\n BCM_sha512_final(out, sha);\n return 1;\n}\n\nuint8_t *SHA512(const uint8_t *data, size_t len,\n uint8_t out[SHA512_DIGEST_LENGTH]) {\n SHA512_CTX ctx;\n BCM_sha512_init(&ctx);\n BCM_sha512_update(&ctx, data, len);\n BCM_sha512_final(out, &ctx);\n OPENSSL_cleanse(&ctx, sizeof(ctx));\n return out;\n}\n\nvoid SHA512_Transform(SHA512_CTX *sha, const uint8_t block[SHA512_CBLOCK]) {\n BCM_sha512_transform(sha, block);\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/siphash/siphash.cc", "content": "/* Copyright 2019 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n#include \n#include \n\n#include \n\n#include \"../internal.h\"\n\n\nstatic void siphash_round(uint64_t v[4]) {\n v[0] += v[1];\n v[2] += v[3];\n v[1] = CRYPTO_rotl_u64(v[1], 13);\n v[3] = CRYPTO_rotl_u64(v[3], 16);\n v[1] ^= v[0];\n v[3] ^= v[2];\n v[0] = CRYPTO_rotl_u64(v[0], 32);\n v[2] += v[1];\n v[0] += v[3];\n v[1] = CRYPTO_rotl_u64(v[1], 17);\n v[3] = CRYPTO_rotl_u64(v[3], 21);\n v[1] ^= v[2];\n v[3] ^= v[0];\n v[2] = CRYPTO_rotl_u64(v[2], 32);\n}\n\nuint64_t SIPHASH_24(const uint64_t key[2], const uint8_t *input,\n size_t input_len) {\n const size_t orig_input_len = input_len;\n\n uint64_t v[4];\n v[0] = key[0] ^ UINT64_C(0x736f6d6570736575);\n v[1] = key[1] ^ UINT64_C(0x646f72616e646f6d);\n v[2] = key[0] ^ UINT64_C(0x6c7967656e657261);\n v[3] = key[1] ^ UINT64_C(0x7465646279746573);\n\n while (input_len >= sizeof(uint64_t)) {\n uint64_t m = CRYPTO_load_u64_le(input);\n v[3] ^= m;\n siphash_round(v);\n siphash_round(v);\n v[0] ^= m;\n\n input += sizeof(uint64_t);\n input_len -= sizeof(uint64_t);\n }\n\n uint8_t last_block[8];\n OPENSSL_memset(last_block, 0, sizeof(last_block));\n OPENSSL_memcpy(last_block, input, input_len);\n last_block[7] = orig_input_len & 0xff;\n\n uint64_t last_block_word = CRYPTO_load_u64_le(last_block);\n v[3] ^= last_block_word;\n siphash_round(v);\n siphash_round(v);\n v[0] ^= last_block_word;\n\n v[2] ^= 0xff;\n siphash_round(v);\n siphash_round(v);\n siphash_round(v);\n siphash_round(v);\n\n return v[0] ^ v[1] ^ v[2] ^ v[3];\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/slhdsa/slhdsa.cc", "content": "/* Copyright 2024 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n#include \n\n#include \n\n#include \"../fipsmodule/bcm_interface.h\"\n\n\nstatic_assert(SLHDSA_SHA2_128S_PUBLIC_KEY_BYTES ==\n BCM_SLHDSA_SHA2_128S_PUBLIC_KEY_BYTES,\n \"\");\nstatic_assert(SLHDSA_SHA2_128S_PRIVATE_KEY_BYTES ==\n BCM_SLHDSA_SHA2_128S_PRIVATE_KEY_BYTES,\n \"\");\nstatic_assert(SLHDSA_SHA2_128S_SIGNATURE_BYTES ==\n BCM_SLHDSA_SHA2_128S_SIGNATURE_BYTES,\n \"\");\n\nvoid SLHDSA_SHA2_128S_generate_key(\n uint8_t out_public_key[SLHDSA_SHA2_128S_PUBLIC_KEY_BYTES],\n uint8_t out_private_key[SLHDSA_SHA2_128S_PRIVATE_KEY_BYTES]) {\n BCM_slhdsa_sha2_128s_generate_key(out_public_key, out_private_key);\n}\n\nvoid SLHDSA_SHA2_128S_public_from_private(\n uint8_t out_public_key[SLHDSA_SHA2_128S_PUBLIC_KEY_BYTES],\n const uint8_t private_key[SLHDSA_SHA2_128S_PRIVATE_KEY_BYTES]) {\n BCM_slhdsa_sha2_128s_public_from_private(out_public_key, private_key);\n}\n\nint SLHDSA_SHA2_128S_sign(\n uint8_t out_signature[SLHDSA_SHA2_128S_SIGNATURE_BYTES],\n const uint8_t private_key[SLHDSA_SHA2_128S_PRIVATE_KEY_BYTES],\n const uint8_t *msg, size_t msg_len, const uint8_t *context,\n size_t context_len) {\n return bcm_success(BCM_slhdsa_sha2_128s_sign(out_signature, private_key, msg,\n msg_len, context, context_len));\n}\n\nint SLHDSA_SHA2_128S_verify(\n const uint8_t *signature, size_t signature_len,\n const uint8_t public_key[SLHDSA_SHA2_128S_PUBLIC_KEY_BYTES],\n const uint8_t *msg, size_t msg_len, const uint8_t *context,\n size_t context_len) {\n return bcm_success(BCM_slhdsa_sha2_128s_verify(signature, signature_len,\n public_key, msg, msg_len,\n context, context_len));\n}\n\nint SLHDSA_SHA2_128S_prehash_sign(\n uint8_t out_signature[SLHDSA_SHA2_128S_SIGNATURE_BYTES],\n const uint8_t private_key[SLHDSA_SHA2_128S_PRIVATE_KEY_BYTES],\n const uint8_t *hashed_msg, size_t hashed_msg_len, int hash_nid,\n const uint8_t *context, size_t context_len) {\n if (hash_nid != NID_sha256) {\n return 0;\n }\n return bcm_success(BCM_slhdsa_sha2_128s_prehash_sign(\n out_signature, private_key, hashed_msg, hashed_msg_len, hash_nid, context,\n context_len));\n}\n\nint SLHDSA_SHA2_128S_prehash_verify(\n const uint8_t *signature, size_t signature_len,\n const uint8_t public_key[SLHDSA_SHA2_128S_PUBLIC_KEY_BYTES],\n const uint8_t *hashed_msg, size_t hashed_msg_len, int hash_nid,\n const uint8_t *context, size_t context_len) {\n if (hash_nid != NID_sha256) {\n return 0;\n }\n return bcm_success(BCM_slhdsa_sha2_128s_prehash_verify(\n signature, signature_len, public_key, hashed_msg, hashed_msg_len,\n hash_nid, context, context_len));\n}\n\nint SLHDSA_SHA2_128S_prehash_warning_nonstandard_sign(\n uint8_t out_signature[SLHDSA_SHA2_128S_SIGNATURE_BYTES],\n const uint8_t private_key[SLHDSA_SHA2_128S_PRIVATE_KEY_BYTES],\n const uint8_t *hashed_msg, size_t hashed_msg_len, int hash_nid,\n const uint8_t *context, size_t context_len) {\n if (hash_nid != NID_sha384) {\n return 0;\n }\n return bcm_success(BCM_slhdsa_sha2_128s_prehash_sign(\n out_signature, private_key, hashed_msg, hashed_msg_len, hash_nid, context,\n context_len));\n}\n\nint SLHDSA_SHA2_128S_prehash_warning_nonstandard_verify(\n const uint8_t *signature, size_t signature_len,\n const uint8_t public_key[SLHDSA_SHA2_128S_PUBLIC_KEY_BYTES],\n const uint8_t *hashed_msg, size_t hashed_msg_len, int hash_nid,\n const uint8_t *context, size_t context_len) {\n if (hash_nid != NID_sha384) {\n return 0;\n }\n return bcm_success(BCM_slhdsa_sha2_128s_prehash_verify(\n signature, signature_len, public_key, hashed_msg, hashed_msg_len,\n hash_nid, context, context_len));\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/spake2plus/internal.h", "content": "/* Copyright 2024 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n#ifndef OPENSSL_HEADER_SPAKE2PLUS_INTERNAL_H\n#define OPENSSL_HEADER_SPAKE2PLUS_INTERNAL_H\n\n#include \n\n#include \n\n#include \n#include \n\n#include \"../fipsmodule/ec/internal.h\"\n\n\nBSSL_NAMESPACE_BEGIN\n\n// SPAKE2+.\n//\n// SPAKE2+ is an augmented password-authenticated key-exchange. It allows\n// two parties, a prover and verifier, to derive a strong shared key with no\n// risk of disclosing the password, known only to the prover, to the verifier.\n// (But note that the verifier can still attempt an offline, brute-force attack\n// to recover the password.)\n//\n// This is an implementation of SPAKE2+ using P-256 as the group, SHA-256 as\n// the hash function, HKDF-SHA256 as the key derivation function, and\n// HMAC-SHA256 as the message authentication code.\n//\n// See https://www.rfc-editor.org/rfc/rfc9383.html\n\nnamespace spake2plus {\n\n// kShareSize is the size of a SPAKE2+ key share.\nconstexpr size_t kShareSize = 65;\n\n// kConfirmSize is the size of a SPAKE2+ key confirmation message.\nconstexpr size_t kConfirmSize = 32;\n\n// kVerifierSize is the size of the w0 and w1 values in the SPAKE2+ protocol.\nconstexpr size_t kVerifierSize = 32;\n\n// kRegistrationRecordSize is the number of bytes in a registration record,\n// which is provided to the verifier.\nconstexpr size_t kRegistrationRecordSize = 65;\n\n// kSecretSize is the number of bytes of shared secret that the SPAKE2+ protocol\n// generates.\nconstexpr size_t kSecretSize = 32;\n\n// Register computes the values needed in the offline registration\n// step of the SPAKE2+ protocol. See the following for more details:\n// https://www.rfc-editor.org/rfc/rfc9383.html#section-3.2\n//\n// The |password| argument is the mandatory prover password. The |out_w0|,\n// |out_w1|, and |out_registration_record| arguments are where the password\n// verifiers (w0 and w1) and registration record (L) are stored, respectively.\n// The prover is given |out_w0| and |out_w1| while the verifier is given\n// |out_w0| and |out_registration_record|.\n//\n// To ensure success, |out_w0| and |out_w1| must be of length |kVerifierSize|,\n// and |out_registration_record| of size |kRegistrationRecordSize|.\n[[nodiscard]] OPENSSL_EXPORT bool Register(\n Span out_w0, Span out_w1,\n Span out_registration_record, Span password,\n Span id_prover, Span id_verifier);\n\nclass OPENSSL_EXPORT Prover {\n public:\n static constexpr bool kAllowUniquePtr = true;\n\n Prover();\n ~Prover();\n\n // Init creates a new prover, which can only be used for a single execution of\n // the protocol.\n //\n // The |context| argument is an application-specific value meant to constrain\n // the protocol execution. The |w0| and |w1| arguments are password verifier\n // values computed during the offline registration phase of the protocol. The\n // |id_prover| and |id_verifier| arguments allow optional, opaque names to be\n // bound into the protocol. See the following for more information about how\n // these identities may be chosen:\n // https://www.rfc-editor.org/rfc/rfc9383.html#name-definition-of-spake2\n [[nodiscard]] bool Init(Span context,\n Span id_prover,\n Span id_verifier,\n Span w0, Span w1,\n Span x = Span());\n\n // GenerateShare computes a SPAKE2+ share and writes it to |out_share|.\n //\n // This function can only be called once for a given |Prover|. To ensure\n // success, |out_share| must be |kShareSize| bytes.\n [[nodiscard]] bool GenerateShare(Span out_share);\n\n // ComputeConfirmation computes a SPAKE2+ key confirmation\n // message and writes it to |out_confirm|. It also computes the shared secret\n // and writes it to |out_secret|.\n //\n // This function can only be called once for a given |Prover|.\n //\n // To ensure success, |out_confirm| must be |kConfirmSize| bytes\n // and |out_secret| must be |kSecretSize| bytes.\n [[nodiscard]] bool ComputeConfirmation(Span out_confirm,\n Span out_secret,\n Span peer_share,\n Span peer_confirm);\n\n private:\n enum class State {\n kInit,\n kShareGenerated,\n kConfirmGenerated,\n kDone,\n };\n\n State state_ = State::kInit;\n SHA256_CTX transcript_hash_;\n EC_SCALAR w0_;\n EC_SCALAR w1_;\n EC_SCALAR x_;\n EC_AFFINE X_;\n uint8_t share_[kShareSize];\n};\n\nclass OPENSSL_EXPORT Verifier {\n public:\n static constexpr bool kAllowUniquePtr = true;\n\n Verifier();\n ~Verifier();\n\n // Init creates a new verifier, which can only be used for a single execution\n // of the protocol.\n //\n // The |context| argument is an application-specific value meant to constrain\n // the protocol execution. The |w0| and |registration_record| arguments are\n // required, and are computed by the prover via |Register|. Only the prover\n // can produce |w0| and |registration_record|, as they require\n // knowledge of the password. The prover must securely transmit this to the\n // verifier out-of-band. The |id_prover| and |id_verifier| arguments allow\n // optional, opaque names to be bound into the protocol. See the following for\n // more information about how these identities may be chosen:\n // https://www.rfc-editor.org/rfc/rfc9383.html#name-definition-of-spake2\n [[nodiscard]] bool Init(Span context,\n Span id_prover,\n Span id_verifier,\n Span w0,\n Span registration_record,\n Span y = Span());\n\n // ProcessProverShare computes a SPAKE2+ share from an input share,\n // |prover_share|, and writes it to |out_share|. It also computes the key\n // confirmation message and writes it to |out_confirm|. Finally, it computes\n // the shared secret and writes it to |out_secret|.\n //\n // This function can only be called once for a given |Verifier|.\n //\n // To ensure success, |out_share| must be |kShareSize| bytes, |out_confirm|\n // must be |kConfirmSize| bytes, and |out_secret| must be |kSecretSize| bytes.\n [[nodiscard]] bool ProcessProverShare(Span out_share,\n Span out_confirm,\n Span out_secret,\n Span prover_share);\n\n // VerifyProverConfirmation verifies a SPAKE2+ key confirmation message,\n // |prover_confirm|.\n //\n // This function can only be called once for a given |Verifier|.\n [[nodiscard]] bool VerifyProverConfirmation(Span peer_confirm);\n\n private:\n enum class State {\n kInit,\n kProverShareSeen,\n kDone,\n };\n\n State state_ = State::kInit;\n SHA256_CTX transcript_hash_;\n EC_SCALAR w0_;\n EC_AFFINE L_;\n EC_SCALAR y_;\n uint8_t confirm_[kConfirmSize];\n};\n\n} // namespace spake2plus\n\nBSSL_NAMESPACE_END\n\n#endif // OPENSSL_HEADER_SPAKE2PLUS_INTERNAL_H\n" }, { "path": "Sources/CNIOBoringSSL/crypto/spake2plus/spake2plus.cc", "content": "/* Copyright 2024 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n#include \n\n#include \n#include \n\n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n\n#include \"../fipsmodule/bn/internal.h\"\n#include \"../fipsmodule/ec/internal.h\"\n#include \"../internal.h\"\n#include \"./internal.h\"\n#include \"CNIOBoringSSL_err.h\"\n\nBSSL_NAMESPACE_BEGIN\nnamespace spake2plus {\nnamespace {\n\nconst uint8_t kDefaultAdditionalData[32] = {0};\n\n// https://www.rfc-editor.org/rfc/rfc9383.html#appendix-B\n// seed: 1.2.840.10045.3.1.7 point generation seed (M)\n// M =\n// 02886e2f97ace46e55ba9dd7242579f2993b64e16ef3dcab95afd497333d8fa12f\n//\n// `M` is interpreted as a X9.62-format compressed point. This is then the\n// uncompressed form:\nconst uint8_t kM_bytes[] = {\n 0x04, 0x88, 0x6e, 0x2f, 0x97, 0xac, 0xe4, 0x6e, 0x55, 0xba, 0x9d,\n 0xd7, 0x24, 0x25, 0x79, 0xf2, 0x99, 0x3b, 0x64, 0xe1, 0x6e, 0xf3,\n 0xdc, 0xab, 0x95, 0xaf, 0xd4, 0x97, 0x33, 0x3d, 0x8f, 0xa1, 0x2f,\n 0x5f, 0xf3, 0x55, 0x16, 0x3e, 0x43, 0xce, 0x22, 0x4e, 0x0b, 0x0e,\n 0x65, 0xff, 0x02, 0xac, 0x8e, 0x5c, 0x7b, 0xe0, 0x94, 0x19, 0xc7,\n 0x85, 0xe0, 0xca, 0x54, 0x7d, 0x55, 0xa1, 0x2e, 0x2d, 0x20};\n\n// https://www.rfc-editor.org/rfc/rfc9383.html#appendix-B\n// seed: 1.2.840.10045.3.1.7 point generation seed (N)\n// N =\n// 03d8bbd6c639c62937b04d997f38c3770719c629d7014d49a24b4f98baa1292b49\n//\n// `N` is interpreted as a X9.62-format compressed point. This is then the\n// uncompressed form:\nconst uint8_t kN_bytes[] = {\n 0x04, 0xd8, 0xbb, 0xd6, 0xc6, 0x39, 0xc6, 0x29, 0x37, 0xb0, 0x4d,\n 0x99, 0x7f, 0x38, 0xc3, 0x77, 0x07, 0x19, 0xc6, 0x29, 0xd7, 0x01,\n 0x4d, 0x49, 0xa2, 0x4b, 0x4f, 0x98, 0xba, 0xa1, 0x29, 0x2b, 0x49,\n 0x07, 0xd6, 0x0a, 0xa6, 0xbf, 0xad, 0xe4, 0x50, 0x08, 0xa6, 0x36,\n 0x33, 0x7f, 0x51, 0x68, 0xc6, 0x4d, 0x9b, 0xd3, 0x60, 0x34, 0x80,\n 0x8c, 0xd5, 0x64, 0x49, 0x0b, 0x1e, 0x65, 0x6e, 0xdb, 0xe7};\n\nvoid UpdateWithLengthPrefix(SHA256_CTX *sha, Span data) {\n uint8_t len_le[8];\n CRYPTO_store_u64_le(len_le, data.size());\n SHA256_Update(sha, len_le, sizeof(len_le));\n SHA256_Update(sha, data.data(), data.size());\n}\n\nvoid ConstantToJacobian(const EC_GROUP *group, EC_JACOBIAN *out,\n bssl::Span in) {\n EC_AFFINE point;\n BSSL_CHECK(ec_point_from_uncompressed(group, &point, in.data(), in.size()));\n ec_affine_to_jacobian(group, out, &point);\n}\n\nvoid ScalarToSizedBuffer(const EC_GROUP *group, const EC_SCALAR *s,\n Span out_buf) {\n size_t out_bytes;\n ec_scalar_to_bytes(group, out_buf.data(), &out_bytes, s);\n BSSL_CHECK(out_bytes == out_buf.size());\n}\n\nbool AddLengthPrefixed(CBB *cbb, Span bytes) {\n return CBB_add_u64le(cbb, bytes.size()) &&\n CBB_add_bytes(cbb, bytes.data(), bytes.size());\n}\n\nvoid InitTranscriptHash(SHA256_CTX *sha, Span context,\n Span id_prover,\n Span id_verifier) {\n SHA256_Init(sha);\n UpdateWithLengthPrefix(sha, context);\n UpdateWithLengthPrefix(sha, id_prover);\n UpdateWithLengthPrefix(sha, id_verifier);\n UpdateWithLengthPrefix(sha, kM_bytes);\n UpdateWithLengthPrefix(sha, kN_bytes);\n}\n\nbool ComputeTranscript(uint8_t out_prover_confirm[kConfirmSize],\n uint8_t out_verifier_confirm[kConfirmSize],\n uint8_t out_secret[kSecretSize],\n const uint8_t prover_share[kShareSize],\n const uint8_t verifier_share[kShareSize],\n SHA256_CTX *sha, const EC_AFFINE *Z, const EC_AFFINE *V,\n const EC_SCALAR *w0) {\n const EC_GROUP *group = EC_group_p256();\n\n uint8_t Z_enc[kShareSize];\n size_t Z_enc_len = ec_point_to_bytes(group, Z, POINT_CONVERSION_UNCOMPRESSED,\n Z_enc, sizeof(Z_enc));\n BSSL_CHECK(Z_enc_len == sizeof(Z_enc));\n\n uint8_t V_enc[kShareSize];\n size_t V_enc_len = ec_point_to_bytes(group, V, POINT_CONVERSION_UNCOMPRESSED,\n V_enc, sizeof(V_enc));\n BSSL_CHECK(V_enc_len == sizeof(V_enc));\n\n uint8_t w0_enc[kVerifierSize];\n ScalarToSizedBuffer(group, w0, w0_enc);\n\n uint8_t K_main[SHA256_DIGEST_LENGTH];\n UpdateWithLengthPrefix(sha, Span(prover_share, kShareSize));\n UpdateWithLengthPrefix(sha, Span(verifier_share, kShareSize));\n UpdateWithLengthPrefix(sha, Z_enc);\n UpdateWithLengthPrefix(sha, V_enc);\n UpdateWithLengthPrefix(sha, w0_enc);\n SHA256_Final(K_main, sha);\n\n auto confirmation_str = StringAsBytes(\"ConfirmationKeys\");\n uint8_t keys[kSecretSize * 2];\n if (!HKDF(keys, sizeof(keys), EVP_sha256(), K_main, sizeof(K_main), nullptr,\n 0, confirmation_str.data(), confirmation_str.size())) {\n return false;\n }\n\n auto secret_info_str = StringAsBytes(\"SharedKey\");\n if (!HKDF(out_secret, kSecretSize, EVP_sha256(), K_main, sizeof(K_main),\n nullptr, 0, secret_info_str.data(), secret_info_str.size())) {\n return false;\n }\n\n unsigned prover_confirm_len;\n if (HMAC(EVP_sha256(), keys, kSecretSize, verifier_share, kShareSize,\n out_prover_confirm, &prover_confirm_len) == nullptr) {\n return false;\n }\n BSSL_CHECK(prover_confirm_len == kConfirmSize);\n\n unsigned verifier_confirm_len;\n if (HMAC(EVP_sha256(), keys + kSecretSize, kSecretSize, prover_share,\n kShareSize, out_verifier_confirm,\n &verifier_confirm_len) == nullptr) {\n return false;\n }\n BSSL_CHECK(verifier_confirm_len == kConfirmSize);\n\n return true;\n}\n\n} // namespace\n\nbool Register(Span out_w0, Span out_w1,\n Span out_registration_record,\n Span password, Span id_prover,\n Span id_verifier) {\n if (out_w0.size() != kVerifierSize || out_w1.size() != kVerifierSize ||\n out_registration_record.size() != kRegistrationRecordSize) {\n OPENSSL_PUT_ERROR(CRYPTO, ERR_R_INTERNAL_ERROR);\n return false;\n }\n\n // Offline registration format from:\n // https://www.rfc-editor.org/rfc/rfc9383.html#section-3.2\n ScopedCBB mhf_input;\n if (!CBB_init(mhf_input.get(), password.size() + id_prover.size() +\n id_verifier.size() +\n 3 * sizeof(uint64_t)) || //\n !AddLengthPrefixed(mhf_input.get(), password) ||\n !AddLengthPrefixed(mhf_input.get(), id_prover) ||\n !AddLengthPrefixed(mhf_input.get(), id_verifier) ||\n !CBB_flush(mhf_input.get())) {\n OPENSSL_PUT_ERROR(CRYPTO, ERR_R_INTERNAL_ERROR);\n return false;\n }\n\n // https://neuromancer.sk/std/nist/P-256\n // sage: p =\n // 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff\n // ....: K = GF(p)\n // ....: a =\n // K(0xffffffff00000001000000000000000000000000fffffffffffffffffffffffc)\n // ....: b =\n // K(0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b)\n // ....: E = EllipticCurve(K, (a, b))\n // ....: G =\n // E(0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,\n // ....: 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)\n // ....:\n // E.set_order(0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc63\n // ....: 2551 * 0x1)\n // sage: k = 64\n // sage: L = (2 * (ceil(log(p)/log(2)) + k)) / 8\n\n // RFC 9383 Section 3.2\n constexpr size_t kKDFOutputSize = 80;\n constexpr size_t kKDFOutputWords = kKDFOutputSize / BN_BYTES;\n\n uint8_t key[kKDFOutputSize];\n if (!EVP_PBE_scrypt((const char *)CBB_data(mhf_input.get()),\n CBB_len(mhf_input.get()), nullptr, 0,\n /*N=*/32768, /*r=*/8, /*p=*/1,\n /*max_mem=*/1024 * 1024 * 33, key, kKDFOutputSize)) {\n OPENSSL_PUT_ERROR(CRYPTO, ERR_R_INTERNAL_ERROR);\n return false;\n }\n\n const EC_GROUP *group = EC_group_p256();\n BN_ULONG w0_words[kKDFOutputWords / 2];\n bn_big_endian_to_words(w0_words, kKDFOutputWords / 2, key,\n kKDFOutputSize / 2);\n EC_SCALAR w0;\n ec_scalar_reduce(group, &w0, w0_words, kKDFOutputWords / 2);\n ScalarToSizedBuffer(group, &w0, out_w0);\n\n BN_ULONG w1_words[kKDFOutputWords / 2];\n bn_big_endian_to_words(w1_words, kKDFOutputWords / 2,\n key + kKDFOutputSize / 2, kKDFOutputSize / 2);\n EC_SCALAR w1;\n ec_scalar_reduce(group, &w1, w1_words, kKDFOutputWords / 2);\n ScalarToSizedBuffer(group, &w1, out_w1);\n\n EC_JACOBIAN L_j;\n EC_AFFINE L;\n if (!ec_point_mul_scalar_base(group, &L_j, &w1) || //\n !ec_jacobian_to_affine(group, &L, &L_j) || //\n !ec_point_to_bytes(group, &L, POINT_CONVERSION_UNCOMPRESSED,\n out_registration_record.data(),\n kRegistrationRecordSize)) {\n OPENSSL_PUT_ERROR(CRYPTO, ERR_R_INTERNAL_ERROR);\n return false;\n }\n\n return true;\n}\n\nProver::Prover() = default;\nProver::~Prover() = default;\n\nbool Prover::Init(Span context, Span id_prover,\n Span id_verifier, Span w0,\n Span w1, Span x) {\n const EC_GROUP *group = EC_group_p256();\n\n if (!ec_scalar_from_bytes(group, &w0_, w0.data(), w0.size()) ||\n !ec_scalar_from_bytes(group, &w1_, w1.data(), w1.size()) ||\n (!x.empty() &&\n !ec_scalar_from_bytes(group, &x_, x.data(), x.size())) || //\n (x.empty() && !ec_random_scalar(group, &x_, kDefaultAdditionalData))) {\n OPENSSL_PUT_ERROR(CRYPTO, ERR_R_INTERNAL_ERROR);\n return false;\n }\n\n InitTranscriptHash(&transcript_hash_, context, id_prover, id_verifier);\n\n return true;\n}\n\nbool Prover::GenerateShare(Span out_share) {\n if (state_ != State::kInit || out_share.size() != kShareSize) {\n OPENSSL_PUT_ERROR(CRYPTO, ERR_R_INTERNAL_ERROR);\n return false;\n }\n\n // Compute X = x×P + w0×M.\n // TODO(crbug.com/383778231): This could be sped up with a constant-time,\n // two-point multiplication.\n const EC_GROUP *group = EC_group_p256();\n EC_JACOBIAN l;\n if (!ec_point_mul_scalar_base(group, &l, &x_)) {\n OPENSSL_PUT_ERROR(CRYPTO, ERR_R_INTERNAL_ERROR);\n return false;\n }\n\n EC_JACOBIAN M_j;\n ConstantToJacobian(group, &M_j, kM_bytes);\n\n EC_JACOBIAN r;\n if (!ec_point_mul_scalar(group, &r, &M_j, &w0_)) {\n OPENSSL_PUT_ERROR(CRYPTO, ERR_R_INTERNAL_ERROR);\n return false;\n }\n\n EC_JACOBIAN X_j;\n group->meth->add(group, &X_j, &l, &r);\n if (!ec_jacobian_to_affine(group, &X_, &X_j)) {\n OPENSSL_PUT_ERROR(CRYPTO, ERR_R_INTERNAL_ERROR);\n return false;\n }\n\n size_t written = ec_point_to_bytes(group, &X_, POINT_CONVERSION_UNCOMPRESSED,\n out_share.data(), kShareSize);\n BSSL_CHECK(written == kShareSize);\n\n memcpy(share_, out_share.data(), kShareSize);\n state_ = State::kShareGenerated;\n return true;\n}\n\nbool Prover::ComputeConfirmation(Span out_confirm,\n Span out_secret,\n Span peer_share,\n Span peer_confirm) {\n if (state_ != State::kShareGenerated || out_confirm.size() != kConfirmSize ||\n out_secret.size() != kSecretSize || peer_share.size() != kShareSize ||\n peer_confirm.size() != kConfirmSize) {\n OPENSSL_PUT_ERROR(CRYPTO, ERR_R_INTERNAL_ERROR);\n return false;\n }\n\n const EC_GROUP *group = EC_group_p256();\n EC_AFFINE Y;\n if (!ec_point_from_uncompressed(group, &Y, peer_share.data(),\n peer_share.size())) {\n OPENSSL_PUT_ERROR(CRYPTO, ERR_R_INTERNAL_ERROR);\n return false;\n }\n\n EC_JACOBIAN N_j;\n ConstantToJacobian(group, &N_j, kN_bytes);\n\n EC_JACOBIAN r;\n if (!ec_point_mul_scalar(group, &r, &N_j, &w0_)) {\n OPENSSL_PUT_ERROR(CRYPTO, ERR_R_INTERNAL_ERROR);\n return false;\n }\n\n ec_felem_neg(group, &r.Y, &r.Y);\n\n EC_JACOBIAN Y_j;\n ec_affine_to_jacobian(group, &Y_j, &Y);\n\n EC_JACOBIAN t;\n group->meth->add(group, &t, &Y_j, &r);\n\n EC_JACOBIAN tmp;\n EC_AFFINE Z, V;\n // TODO(crbug.com/383778231): The two affine conversions could be batched\n // together.\n if (!ec_point_mul_scalar(group, &tmp, &t, &x_) || //\n !ec_jacobian_to_affine(group, &Z, &tmp) || //\n !ec_point_mul_scalar(group, &tmp, &t, &w1_) || //\n !ec_jacobian_to_affine(group, &V, &tmp)) {\n return 0;\n }\n\n uint8_t verifier_confirm[kConfirmSize];\n if (!ComputeTranscript(out_confirm.data(), verifier_confirm,\n out_secret.data(), share_, peer_share.data(),\n &transcript_hash_, &Z, &V, &w0_) ||\n CRYPTO_memcmp(verifier_confirm, peer_confirm.data(),\n sizeof(verifier_confirm)) != 0) {\n return 0;\n }\n\n state_ = State::kDone;\n return true;\n}\n\nVerifier::Verifier() = default;\nVerifier::~Verifier() = default;\n\nbool Verifier::Init(Span context, Span id_prover,\n Span id_verifier, Span w0,\n Span registration_record,\n Span y) {\n const EC_GROUP *group = EC_group_p256();\n\n if (!ec_scalar_from_bytes(group, &w0_, w0.data(), w0.size()) ||\n !ec_point_from_uncompressed(group, &L_, registration_record.data(),\n registration_record.size()) || //\n (!y.empty() &&\n !ec_scalar_from_bytes(group, &y_, y.data(), y.size())) || //\n (y.empty() && !ec_random_scalar(group, &y_, kDefaultAdditionalData))) {\n OPENSSL_PUT_ERROR(CRYPTO, ERR_R_INTERNAL_ERROR);\n return false;\n }\n\n InitTranscriptHash(&transcript_hash_, context, id_prover, id_verifier);\n\n return true;\n}\n\n\nbool Verifier::ProcessProverShare(Span out_share,\n Span out_confirm,\n Span out_secret,\n Span prover_share) {\n if (state_ != State::kInit || //\n out_share.size() != kShareSize || out_confirm.size() != kConfirmSize ||\n out_secret.size() != kSecretSize || prover_share.size() != kShareSize) {\n OPENSSL_PUT_ERROR(CRYPTO, ERR_R_INTERNAL_ERROR);\n return false;\n }\n\n const EC_GROUP *group = EC_group_p256();\n EC_JACOBIAN l, r, M_j, N_j;\n ConstantToJacobian(group, &M_j, kM_bytes);\n ConstantToJacobian(group, &N_j, kN_bytes);\n\n // Compute Y = y×P + w0×M.\n // TODO(crbug.com/383778231): This could be sped up with a constant-time,\n // two-point multiplication.\n if (!ec_point_mul_scalar_base(group, &l, &y_) ||\n !ec_point_mul_scalar(group, &r, &N_j, &w0_)) {\n OPENSSL_PUT_ERROR(CRYPTO, ERR_R_INTERNAL_ERROR);\n return false;\n }\n\n EC_JACOBIAN Y_j;\n EC_AFFINE Y;\n group->meth->add(group, &Y_j, &l, &r);\n if (!ec_jacobian_to_affine(group, &Y, &Y_j)) {\n OPENSSL_PUT_ERROR(CRYPTO, ERR_R_INTERNAL_ERROR);\n return false;\n }\n\n const size_t written = ec_point_to_bytes(\n group, &Y, POINT_CONVERSION_UNCOMPRESSED, out_share.data(), kShareSize);\n BSSL_CHECK(written == kShareSize);\n\n EC_JACOBIAN r2;\n EC_AFFINE X;\n if (!ec_point_from_uncompressed(group, &X, prover_share.data(),\n prover_share.size()) ||\n !ec_point_mul_scalar(group, &r2, &M_j, &w0_)) {\n OPENSSL_PUT_ERROR(CRYPTO, ERR_R_INTERNAL_ERROR);\n return false;\n }\n\n ec_felem_neg(group, &r2.Y, &r2.Y);\n\n EC_JACOBIAN X_j, T;\n ec_affine_to_jacobian(group, &X_j, &X);\n group->meth->add(group, &T, &X_j, &r2);\n\n // TODO(crbug.com/383778231): The two affine conversions could be batched\n // together.\n EC_JACOBIAN tmp;\n EC_AFFINE Z;\n if (!ec_point_mul_scalar(group, &tmp, &T, &y_) || //\n !ec_jacobian_to_affine(group, &Z, &tmp)) {\n OPENSSL_PUT_ERROR(CRYPTO, ERR_R_INTERNAL_ERROR);\n return false;\n }\n\n EC_JACOBIAN L_j;\n EC_AFFINE V;\n ec_affine_to_jacobian(group, &L_j, &L_);\n if (!ec_point_mul_scalar(group, &tmp, &L_j, &y_) || //\n !ec_jacobian_to_affine(group, &V, &tmp)) {\n OPENSSL_PUT_ERROR(CRYPTO, ERR_R_INTERNAL_ERROR);\n return false;\n }\n\n if (!ComputeTranscript(confirm_, out_confirm.data(), out_secret.data(),\n prover_share.data(), out_share.data(),\n &transcript_hash_, &Z, &V, &w0_)) {\n OPENSSL_PUT_ERROR(CRYPTO, ERR_R_INTERNAL_ERROR);\n return false;\n }\n\n state_ = State::kProverShareSeen;\n return true;\n}\n\nbool Verifier::VerifyProverConfirmation(Span peer_confirm) {\n if (state_ != State::kProverShareSeen || //\n peer_confirm.size() != kConfirmSize || //\n CRYPTO_memcmp(confirm_, peer_confirm.data(), sizeof(confirm_)) != 0) {\n OPENSSL_PUT_ERROR(CRYPTO, ERR_R_INTERNAL_ERROR);\n return false;\n }\n\n state_ = State::kDone;\n return true;\n}\n\n} // namespace spake2plus\n\nBSSL_NAMESPACE_END\n" }, { "path": "Sources/CNIOBoringSSL/crypto/stack/stack.cc", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n#include \n\n#include \n#include \n\n#include \"../internal.h\"\n\n\nstruct stack_st {\n // num contains the number of valid pointers in |data|.\n size_t num;\n void **data;\n // sorted is non-zero if the values pointed to by |data| are in ascending\n // order, based on |comp|.\n int sorted;\n // num_alloc contains the number of pointers allocated in the buffer pointed\n // to by |data|, which may be larger than |num|.\n size_t num_alloc;\n // comp is an optional comparison function.\n OPENSSL_sk_cmp_func comp;\n};\n\n// kMinSize is the number of pointers that will be initially allocated in a new\n// stack.\nstatic const size_t kMinSize = 4;\n\nOPENSSL_STACK *OPENSSL_sk_new(OPENSSL_sk_cmp_func comp) {\n OPENSSL_STACK *ret =\n reinterpret_cast(OPENSSL_zalloc(sizeof(OPENSSL_STACK)));\n if (ret == NULL) {\n return NULL;\n }\n\n ret->data =\n reinterpret_cast(OPENSSL_calloc(kMinSize, sizeof(void *)));\n if (ret->data == NULL) {\n goto err;\n }\n\n ret->comp = comp;\n ret->num_alloc = kMinSize;\n\n return ret;\n\nerr:\n OPENSSL_free(ret);\n return NULL;\n}\n\nOPENSSL_STACK *OPENSSL_sk_new_null(void) { return OPENSSL_sk_new(NULL); }\n\nsize_t OPENSSL_sk_num(const OPENSSL_STACK *sk) {\n if (sk == NULL) {\n return 0;\n }\n return sk->num;\n}\n\nvoid OPENSSL_sk_zero(OPENSSL_STACK *sk) {\n if (sk == NULL || sk->num == 0) {\n return;\n }\n OPENSSL_memset(sk->data, 0, sizeof(void *) * sk->num);\n sk->num = 0;\n sk->sorted = 0;\n}\n\nvoid *OPENSSL_sk_value(const OPENSSL_STACK *sk, size_t i) {\n if (!sk || i >= sk->num) {\n return NULL;\n }\n return sk->data[i];\n}\n\nvoid *OPENSSL_sk_set(OPENSSL_STACK *sk, size_t i, void *value) {\n if (!sk || i >= sk->num) {\n return NULL;\n }\n return sk->data[i] = value;\n}\n\nvoid OPENSSL_sk_free(OPENSSL_STACK *sk) {\n if (sk == NULL) {\n return;\n }\n OPENSSL_free(sk->data);\n OPENSSL_free(sk);\n}\n\nvoid OPENSSL_sk_pop_free_ex(OPENSSL_STACK *sk,\n OPENSSL_sk_call_free_func call_free_func,\n OPENSSL_sk_free_func free_func) {\n if (sk == NULL) {\n return;\n }\n\n for (size_t i = 0; i < sk->num; i++) {\n if (sk->data[i] != NULL) {\n call_free_func(free_func, sk->data[i]);\n }\n }\n OPENSSL_sk_free(sk);\n}\n\n// Historically, |sk_pop_free| called the function as |OPENSSL_sk_free_func|\n// directly. This is undefined in C. Some callers called |sk_pop_free| directly,\n// so we must maintain a compatibility version for now.\nstatic void call_free_func_legacy(OPENSSL_sk_free_func func, void *ptr) {\n func(ptr);\n}\n\nvoid sk_pop_free(OPENSSL_STACK *sk, OPENSSL_sk_free_func free_func) {\n OPENSSL_sk_pop_free_ex(sk, call_free_func_legacy, free_func);\n}\n\nsize_t OPENSSL_sk_insert(OPENSSL_STACK *sk, void *p, size_t where) {\n if (sk == NULL) {\n return 0;\n }\n\n if (sk->num >= INT_MAX) {\n OPENSSL_PUT_ERROR(CRYPTO, ERR_R_OVERFLOW);\n return 0;\n }\n\n if (sk->num_alloc <= sk->num + 1) {\n // Attempt to double the size of the array.\n size_t new_alloc = sk->num_alloc << 1;\n size_t alloc_size = new_alloc * sizeof(void *);\n void **data;\n\n // If the doubling overflowed, try to increment.\n if (new_alloc < sk->num_alloc || alloc_size / sizeof(void *) != new_alloc) {\n new_alloc = sk->num_alloc + 1;\n alloc_size = new_alloc * sizeof(void *);\n }\n\n // If the increment also overflowed, fail.\n if (new_alloc < sk->num_alloc || alloc_size / sizeof(void *) != new_alloc) {\n return 0;\n }\n\n data = reinterpret_cast(OPENSSL_realloc(sk->data, alloc_size));\n if (data == NULL) {\n return 0;\n }\n\n sk->data = data;\n sk->num_alloc = new_alloc;\n }\n\n if (where >= sk->num) {\n sk->data[sk->num] = p;\n } else {\n OPENSSL_memmove(&sk->data[where + 1], &sk->data[where],\n sizeof(void *) * (sk->num - where));\n sk->data[where] = p;\n }\n\n sk->num++;\n sk->sorted = 0;\n\n return sk->num;\n}\n\nvoid *OPENSSL_sk_delete(OPENSSL_STACK *sk, size_t where) {\n void *ret;\n\n if (!sk || where >= sk->num) {\n return NULL;\n }\n\n ret = sk->data[where];\n\n if (where != sk->num - 1) {\n OPENSSL_memmove(&sk->data[where], &sk->data[where + 1],\n sizeof(void *) * (sk->num - where - 1));\n }\n\n sk->num--;\n return ret;\n}\n\nvoid *OPENSSL_sk_delete_ptr(OPENSSL_STACK *sk, const void *p) {\n if (sk == NULL) {\n return NULL;\n }\n\n for (size_t i = 0; i < sk->num; i++) {\n if (sk->data[i] == p) {\n return OPENSSL_sk_delete(sk, i);\n }\n }\n\n return NULL;\n}\n\nvoid OPENSSL_sk_delete_if(OPENSSL_STACK *sk,\n OPENSSL_sk_call_delete_if_func call_func,\n OPENSSL_sk_delete_if_func func, void *data) {\n if (sk == NULL) {\n return;\n }\n\n size_t new_num = 0;\n for (size_t i = 0; i < sk->num; i++) {\n if (!call_func(func, sk->data[i], data)) {\n sk->data[new_num] = sk->data[i];\n new_num++;\n }\n }\n sk->num = new_num;\n}\n\nint OPENSSL_sk_find(const OPENSSL_STACK *sk, size_t *out_index, const void *p,\n OPENSSL_sk_call_cmp_func call_cmp_func) {\n if (sk == NULL) {\n return 0;\n }\n\n if (sk->comp == NULL) {\n // Use pointer equality when no comparison function has been set.\n for (size_t i = 0; i < sk->num; i++) {\n if (sk->data[i] == p) {\n if (out_index) {\n *out_index = i;\n }\n return 1;\n }\n }\n return 0;\n }\n\n if (p == NULL) {\n return 0;\n }\n\n if (!OPENSSL_sk_is_sorted(sk)) {\n for (size_t i = 0; i < sk->num; i++) {\n if (call_cmp_func(sk->comp, p, sk->data[i]) == 0) {\n if (out_index) {\n *out_index = i;\n }\n return 1;\n }\n }\n return 0;\n }\n\n // The stack is sorted, so binary search to find the element.\n //\n // |lo| and |hi| maintain a half-open interval of where the answer may be. All\n // indices such that |lo <= idx < hi| are candidates.\n size_t lo = 0, hi = sk->num;\n while (lo < hi) {\n // Bias |mid| towards |lo|. See the |r == 0| case below.\n size_t mid = lo + (hi - lo - 1) / 2;\n assert(lo <= mid && mid < hi);\n int r = call_cmp_func(sk->comp, p, sk->data[mid]);\n if (r > 0) {\n lo = mid + 1; // |mid| is too low.\n } else if (r < 0) {\n hi = mid; // |mid| is too high.\n } else {\n // |mid| matches. However, this function returns the earliest match, so we\n // can only return if the range has size one.\n if (hi - lo == 1) {\n if (out_index != NULL) {\n *out_index = mid;\n }\n return 1;\n }\n // The sample is biased towards |lo|. |mid| can only be |hi - 1| if\n // |hi - lo| was one, so this makes forward progress.\n assert(mid + 1 < hi);\n hi = mid + 1;\n }\n }\n\n assert(lo == hi);\n return 0; // Not found.\n}\n\nvoid *OPENSSL_sk_shift(OPENSSL_STACK *sk) {\n if (sk == NULL) {\n return NULL;\n }\n if (sk->num == 0) {\n return NULL;\n }\n return OPENSSL_sk_delete(sk, 0);\n}\n\nsize_t OPENSSL_sk_push(OPENSSL_STACK *sk, void *p) {\n return OPENSSL_sk_insert(sk, p, sk->num);\n}\n\nvoid *OPENSSL_sk_pop(OPENSSL_STACK *sk) {\n if (sk == NULL) {\n return NULL;\n }\n if (sk->num == 0) {\n return NULL;\n }\n return OPENSSL_sk_delete(sk, sk->num - 1);\n}\n\nOPENSSL_STACK *OPENSSL_sk_dup(const OPENSSL_STACK *sk) {\n if (sk == NULL) {\n return NULL;\n }\n\n OPENSSL_STACK *ret =\n reinterpret_cast(OPENSSL_zalloc(sizeof(OPENSSL_STACK)));\n if (ret == NULL) {\n return NULL;\n }\n\n ret->data = reinterpret_cast(\n OPENSSL_memdup(sk->data, sizeof(void *) * sk->num_alloc));\n if (ret->data == NULL) {\n goto err;\n }\n\n ret->num = sk->num;\n ret->sorted = sk->sorted;\n ret->num_alloc = sk->num_alloc;\n ret->comp = sk->comp;\n return ret;\n\nerr:\n OPENSSL_sk_free(ret);\n return NULL;\n}\n\nstatic size_t parent_idx(size_t idx) {\n assert(idx > 0);\n return (idx - 1) / 2;\n}\n\nstatic size_t left_idx(size_t idx) {\n // The largest possible index is |PTRDIFF_MAX|, not |SIZE_MAX|. If\n // |ptrdiff_t|, a signed type, is the same size as |size_t|, this cannot\n // overflow.\n assert(idx <= PTRDIFF_MAX);\n static_assert(PTRDIFF_MAX <= (SIZE_MAX - 1) / 2, \"2 * idx + 1 may oveflow\");\n return 2 * idx + 1;\n}\n\n// down_heap fixes the subtree rooted at |i|. |i|'s children must each satisfy\n// the heap property. Only the first |num| elements of |sk| are considered.\nstatic void down_heap(OPENSSL_STACK *sk, OPENSSL_sk_call_cmp_func call_cmp_func,\n size_t i, size_t num) {\n assert(i < num && num <= sk->num);\n for (;;) {\n size_t left = left_idx(i);\n if (left >= num) {\n break; // No left child.\n }\n\n // Swap |i| with the largest of its children.\n size_t next = i;\n if (call_cmp_func(sk->comp, sk->data[next], sk->data[left]) < 0) {\n next = left;\n }\n size_t right = left + 1; // Cannot overflow because |left < num|.\n if (right < num &&\n call_cmp_func(sk->comp, sk->data[next], sk->data[right]) < 0) {\n next = right;\n }\n\n if (i == next) {\n break; // |i| is already larger than its children.\n }\n\n void *tmp = sk->data[i];\n sk->data[i] = sk->data[next];\n sk->data[next] = tmp;\n i = next;\n }\n}\n\nvoid OPENSSL_sk_sort(OPENSSL_STACK *sk,\n OPENSSL_sk_call_cmp_func call_cmp_func) {\n if (sk == NULL || sk->comp == NULL || sk->sorted) {\n return;\n }\n\n if (sk->num >= 2) {\n // |qsort| lacks a context parameter in the comparison function for us to\n // pass in |call_cmp_func| and |sk->comp|. While we could cast |sk->comp| to\n // the expected type, it is undefined behavior in C can trip sanitizers.\n // |qsort_r| and |qsort_s| avoid this, but using them is impractical. See\n // https://stackoverflow.com/a/39561369\n //\n // Use our own heap sort instead. This is not performance-sensitive, so we\n // optimize for simplicity and size. First, build a max-heap in place.\n for (size_t i = parent_idx(sk->num - 1); i < sk->num; i--) {\n down_heap(sk, call_cmp_func, i, sk->num);\n }\n\n // Iteratively remove the maximum element to populate the result in reverse.\n for (size_t i = sk->num - 1; i > 0; i--) {\n void *tmp = sk->data[0];\n sk->data[0] = sk->data[i];\n sk->data[i] = tmp;\n down_heap(sk, call_cmp_func, 0, i);\n }\n }\n sk->sorted = 1;\n}\n\nint OPENSSL_sk_is_sorted(const OPENSSL_STACK *sk) {\n if (!sk) {\n return 1;\n }\n // Zero- and one-element lists are always sorted.\n return sk->sorted || (sk->comp != NULL && sk->num < 2);\n}\n\nOPENSSL_sk_cmp_func OPENSSL_sk_set_cmp_func(OPENSSL_STACK *sk,\n OPENSSL_sk_cmp_func comp) {\n OPENSSL_sk_cmp_func old = sk->comp;\n\n if (sk->comp != comp) {\n sk->sorted = 0;\n }\n sk->comp = comp;\n\n return old;\n}\n\nOPENSSL_STACK *OPENSSL_sk_deep_copy(const OPENSSL_STACK *sk,\n OPENSSL_sk_call_copy_func call_copy_func,\n OPENSSL_sk_copy_func copy_func,\n OPENSSL_sk_call_free_func call_free_func,\n OPENSSL_sk_free_func free_func) {\n OPENSSL_STACK *ret = OPENSSL_sk_dup(sk);\n if (ret == NULL) {\n return NULL;\n }\n\n for (size_t i = 0; i < ret->num; i++) {\n if (ret->data[i] == NULL) {\n continue;\n }\n ret->data[i] = call_copy_func(copy_func, ret->data[i]);\n if (ret->data[i] == NULL) {\n for (size_t j = 0; j < i; j++) {\n if (ret->data[j] != NULL) {\n call_free_func(free_func, ret->data[j]);\n }\n }\n OPENSSL_sk_free(ret);\n return NULL;\n }\n }\n\n return ret;\n}\n\nOPENSSL_STACK *sk_new_null(void) { return OPENSSL_sk_new_null(); }\n\nsize_t sk_num(const OPENSSL_STACK *sk) { return OPENSSL_sk_num(sk); }\n\nvoid *sk_value(const OPENSSL_STACK *sk, size_t i) {\n return OPENSSL_sk_value(sk, i);\n}\n\nvoid sk_free(OPENSSL_STACK *sk) { OPENSSL_sk_free(sk); }\n\nsize_t sk_push(OPENSSL_STACK *sk, void *p) { return OPENSSL_sk_push(sk, p); }\n\nvoid *sk_pop(OPENSSL_STACK *sk) { return OPENSSL_sk_pop(sk); }\n\nvoid sk_pop_free_ex(OPENSSL_STACK *sk, OPENSSL_sk_call_free_func call_free_func,\n OPENSSL_sk_free_func free_func) {\n OPENSSL_sk_pop_free_ex(sk, call_free_func, free_func);\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/thread.cc", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n\nint CRYPTO_num_locks(void) { return 1; }\n\nvoid CRYPTO_set_locking_callback(void (*func)(int mode, int lock_num,\n const char *file, int line)) {}\n\nvoid (*CRYPTO_get_locking_callback(void))(int mode, int lock_num,\n const char *file, int line) {\n return NULL;\n}\n\nvoid CRYPTO_set_add_lock_callback(int (*func)(int *num, int mount, int lock_num,\n const char *file, int line)) {}\n\nconst char *CRYPTO_get_lock_name(int lock_num) {\n return \"No old-style OpenSSL locks anymore\";\n}\n\nint CRYPTO_THREADID_set_callback(void (*func)(CRYPTO_THREADID *)) { return 1; }\n\nvoid CRYPTO_THREADID_set_numeric(CRYPTO_THREADID *id, unsigned long val) {}\n\nvoid CRYPTO_THREADID_set_pointer(CRYPTO_THREADID *id, void *ptr) {}\n\nvoid CRYPTO_THREADID_current(CRYPTO_THREADID *id) {}\n\nvoid CRYPTO_set_id_callback(unsigned long (*func)(void)) {}\n\nvoid CRYPTO_set_dynlock_create_callback(struct CRYPTO_dynlock_value *(\n *dyn_create_function)(const char *file, int line)) {}\n\nvoid CRYPTO_set_dynlock_lock_callback(void (*dyn_lock_function)(\n int mode, struct CRYPTO_dynlock_value *l, const char *file, int line)) {}\n\nvoid CRYPTO_set_dynlock_destroy_callback(void (*dyn_destroy_function)(\n struct CRYPTO_dynlock_value *l, const char *file, int line)) {}\n\nstruct CRYPTO_dynlock_value *(*CRYPTO_get_dynlock_create_callback(void))(\n const char *file, int line) {\n return NULL;\n}\n\nvoid (*CRYPTO_get_dynlock_lock_callback(void))(int mode,\n struct CRYPTO_dynlock_value *l,\n const char *file, int line) {\n return NULL;\n}\n\nvoid (*CRYPTO_get_dynlock_destroy_callback(void))(\n struct CRYPTO_dynlock_value *l, const char *file, int line) {\n return NULL;\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/thread_none.cc", "content": "/* Copyright 2015 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n#include \"internal.h\"\n\n#if !defined(OPENSSL_THREADS)\n\nvoid CRYPTO_MUTEX_init(CRYPTO_MUTEX *lock) {}\n\nvoid CRYPTO_MUTEX_lock_read(CRYPTO_MUTEX *lock) {}\n\nvoid CRYPTO_MUTEX_lock_write(CRYPTO_MUTEX *lock) {}\n\nvoid CRYPTO_MUTEX_unlock_read(CRYPTO_MUTEX *lock) {}\n\nvoid CRYPTO_MUTEX_unlock_write(CRYPTO_MUTEX *lock) {}\n\nvoid CRYPTO_MUTEX_cleanup(CRYPTO_MUTEX *lock) {}\n\nvoid CRYPTO_once(CRYPTO_once_t *once, void (*init)(void)) {\n if (*once) {\n return;\n }\n *once = 1;\n init();\n}\n\nstatic void *g_thread_locals[NUM_OPENSSL_THREAD_LOCALS];\n\nvoid *CRYPTO_get_thread_local(thread_local_data_t index) {\n return g_thread_locals[index];\n}\n\nint CRYPTO_set_thread_local(thread_local_data_t index, void *value,\n thread_local_destructor_t destructor) {\n g_thread_locals[index] = value;\n return 1;\n}\n\n#endif // !OPENSSL_THREADS\n" }, { "path": "Sources/CNIOBoringSSL/crypto/thread_pthread.cc", "content": "/* Copyright 2015 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n// Ensure we can't call OPENSSL_malloc circularly.\n#define _BORINGSSL_PROHIBIT_OPENSSL_MALLOC\n#include \"internal.h\"\n\n#if defined(OPENSSL_PTHREADS)\n\n#include \n#include \n#include \n#include \n\nvoid CRYPTO_MUTEX_init(CRYPTO_MUTEX *lock) {\n if (pthread_rwlock_init(lock, NULL) != 0) {\n abort();\n }\n}\n\nvoid CRYPTO_MUTEX_lock_read(CRYPTO_MUTEX *lock) {\n if (pthread_rwlock_rdlock(lock) != 0) {\n abort();\n }\n}\n\nvoid CRYPTO_MUTEX_lock_write(CRYPTO_MUTEX *lock) {\n if (pthread_rwlock_wrlock(lock) != 0) {\n abort();\n }\n}\n\nvoid CRYPTO_MUTEX_unlock_read(CRYPTO_MUTEX *lock) {\n if (pthread_rwlock_unlock(lock) != 0) {\n abort();\n }\n}\n\nvoid CRYPTO_MUTEX_unlock_write(CRYPTO_MUTEX *lock) {\n if (pthread_rwlock_unlock(lock) != 0) {\n abort();\n }\n}\n\nvoid CRYPTO_MUTEX_cleanup(CRYPTO_MUTEX *lock) { pthread_rwlock_destroy(lock); }\n\nvoid CRYPTO_once(CRYPTO_once_t *once, void (*init)(void)) {\n if (pthread_once(once, init) != 0) {\n abort();\n }\n}\n\nstatic pthread_mutex_t g_destructors_lock = PTHREAD_MUTEX_INITIALIZER;\nstatic thread_local_destructor_t g_destructors[NUM_OPENSSL_THREAD_LOCALS];\n\n// thread_local_destructor is called when a thread exits. It releases thread\n// local data for that thread only.\nstatic void thread_local_destructor(void *arg) {\n if (arg == NULL) {\n return;\n }\n\n thread_local_destructor_t destructors[NUM_OPENSSL_THREAD_LOCALS];\n if (pthread_mutex_lock(&g_destructors_lock) != 0) {\n return;\n }\n OPENSSL_memcpy(destructors, g_destructors, sizeof(destructors));\n pthread_mutex_unlock(&g_destructors_lock);\n\n unsigned i;\n void **pointers = reinterpret_cast(arg);\n for (i = 0; i < NUM_OPENSSL_THREAD_LOCALS; i++) {\n if (destructors[i] != NULL) {\n destructors[i](pointers[i]);\n }\n }\n\n free(pointers);\n}\n\nstatic pthread_once_t g_thread_local_init_once = PTHREAD_ONCE_INIT;\nstatic pthread_key_t g_thread_local_key;\nstatic int g_thread_local_key_created = 0;\n\nstatic void thread_local_init(void) {\n g_thread_local_key_created =\n pthread_key_create(&g_thread_local_key, thread_local_destructor) == 0;\n}\n\nvoid *CRYPTO_get_thread_local(thread_local_data_t index) {\n CRYPTO_once(&g_thread_local_init_once, thread_local_init);\n if (!g_thread_local_key_created) {\n return NULL;\n }\n\n void **pointers =\n reinterpret_cast(pthread_getspecific(g_thread_local_key));\n if (pointers == NULL) {\n return NULL;\n }\n return pointers[index];\n}\n\nint CRYPTO_set_thread_local(thread_local_data_t index, void *value,\n thread_local_destructor_t destructor) {\n CRYPTO_once(&g_thread_local_init_once, thread_local_init);\n if (!g_thread_local_key_created) {\n destructor(value);\n return 0;\n }\n\n void **pointers =\n reinterpret_cast(pthread_getspecific(g_thread_local_key));\n if (pointers == NULL) {\n pointers = reinterpret_cast(\n malloc(sizeof(void *) * NUM_OPENSSL_THREAD_LOCALS));\n if (pointers == NULL) {\n destructor(value);\n return 0;\n }\n OPENSSL_memset(pointers, 0, sizeof(void *) * NUM_OPENSSL_THREAD_LOCALS);\n if (pthread_setspecific(g_thread_local_key, pointers) != 0) {\n free(pointers);\n destructor(value);\n return 0;\n }\n }\n\n if (pthread_mutex_lock(&g_destructors_lock) != 0) {\n destructor(value);\n return 0;\n }\n g_destructors[index] = destructor;\n pthread_mutex_unlock(&g_destructors_lock);\n\n pointers[index] = value;\n return 1;\n}\n\n#endif // OPENSSL_PTHREADS\n" }, { "path": "Sources/CNIOBoringSSL/crypto/thread_win.cc", "content": "/* Copyright 2015 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n// Ensure we can't call OPENSSL_malloc circularly.\n#define _BORINGSSL_PROHIBIT_OPENSSL_MALLOC\n#include \"internal.h\"\n\n#if defined(OPENSSL_WINDOWS_THREADS)\n\nOPENSSL_MSVC_PRAGMA(warning(push, 3))\n#include \nOPENSSL_MSVC_PRAGMA(warning(pop))\n\n#include \n#include \n#include \n\nstatic BOOL CALLBACK call_once_init(INIT_ONCE *once, void *arg, void **out) {\n void (**init)(void) = (void (**)(void))arg;\n (**init)();\n return TRUE;\n}\n\nvoid CRYPTO_once(CRYPTO_once_t *once, void (*init)(void)) {\n if (!InitOnceExecuteOnce(once, call_once_init, &init, NULL)) {\n abort();\n }\n}\n\nvoid CRYPTO_MUTEX_init(CRYPTO_MUTEX *lock) { InitializeSRWLock(lock); }\n\nvoid CRYPTO_MUTEX_lock_read(CRYPTO_MUTEX *lock) { AcquireSRWLockShared(lock); }\n\nvoid CRYPTO_MUTEX_lock_write(CRYPTO_MUTEX *lock) {\n AcquireSRWLockExclusive(lock);\n}\n\nvoid CRYPTO_MUTEX_unlock_read(CRYPTO_MUTEX *lock) {\n ReleaseSRWLockShared(lock);\n}\n\nvoid CRYPTO_MUTEX_unlock_write(CRYPTO_MUTEX *lock) {\n ReleaseSRWLockExclusive(lock);\n}\n\nvoid CRYPTO_MUTEX_cleanup(CRYPTO_MUTEX *lock) {\n // SRWLOCKs require no cleanup.\n}\n\nstatic SRWLOCK g_destructors_lock = SRWLOCK_INIT;\nstatic thread_local_destructor_t g_destructors[NUM_OPENSSL_THREAD_LOCALS];\n\nstatic CRYPTO_once_t g_thread_local_init_once = CRYPTO_ONCE_INIT;\nstatic DWORD g_thread_local_key;\nstatic int g_thread_local_failed;\n\nstatic void thread_local_init(void) {\n g_thread_local_key = TlsAlloc();\n g_thread_local_failed = (g_thread_local_key == TLS_OUT_OF_INDEXES);\n}\n\nstatic void NTAPI thread_local_destructor(PVOID module, DWORD reason,\n PVOID reserved) {\n // Only free memory on |DLL_THREAD_DETACH|, not |DLL_PROCESS_DETACH|. In\n // VS2015's debug runtime, the C runtime has been unloaded by the time\n // |DLL_PROCESS_DETACH| runs. See https://crbug.com/575795. This is consistent\n // with |pthread_key_create| which does not call destructors on process exit,\n // only thread exit.\n if (reason != DLL_THREAD_DETACH) {\n return;\n }\n\n CRYPTO_once(&g_thread_local_init_once, thread_local_init);\n if (g_thread_local_failed) {\n return;\n }\n\n void **pointers = (void **)TlsGetValue(g_thread_local_key);\n if (pointers == NULL) {\n return;\n }\n\n thread_local_destructor_t destructors[NUM_OPENSSL_THREAD_LOCALS];\n\n AcquireSRWLockExclusive(&g_destructors_lock);\n OPENSSL_memcpy(destructors, g_destructors, sizeof(destructors));\n ReleaseSRWLockExclusive(&g_destructors_lock);\n\n for (unsigned i = 0; i < NUM_OPENSSL_THREAD_LOCALS; i++) {\n if (destructors[i] != NULL) {\n destructors[i](pointers[i]);\n }\n }\n\n free(pointers);\n}\n\n// Thread Termination Callbacks.\n//\n// Windows doesn't support a per-thread destructor with its TLS primitives.\n// So, we build it manually by inserting a function to be called on each\n// thread's exit. This magic is from http://www.codeproject.com/threads/tls.asp\n// and it works for VC++ 7.0 and later.\n//\n// Force a reference to _tls_used to make the linker create the TLS directory\n// if it's not already there. (E.g. if __declspec(thread) is not used). Force\n// a reference to p_thread_callback_boringssl to prevent whole program\n// optimization from discarding the variable.\n//\n// Note, in the prefixed build, |p_thread_callback_boringssl| may be a macro.\n#define STRINGIFY(x) #x\n#define EXPAND_AND_STRINGIFY(x) STRINGIFY(x)\n#ifdef _WIN64\n__pragma(comment(linker, \"/INCLUDE:_tls_used\")) __pragma(comment(\n linker, \"/INCLUDE:\" EXPAND_AND_STRINGIFY(p_thread_callback_boringssl)))\n#else\n__pragma(comment(linker, \"/INCLUDE:__tls_used\")) __pragma(comment(\n linker, \"/INCLUDE:_\" EXPAND_AND_STRINGIFY(p_thread_callback_boringssl)))\n#endif\n\n// .CRT$XLA to .CRT$XLZ is an array of PIMAGE_TLS_CALLBACK pointers that are\n// called automatically by the OS loader code (not the CRT) when the module is\n// loaded and on thread creation. They are NOT called if the module has been\n// loaded by a LoadLibrary() call. It must have implicitly been loaded at\n// process startup.\n//\n// By implicitly loaded, I mean that it is directly referenced by the main EXE\n// or by one of its dependent DLLs. Delay-loaded DLL doesn't count as being\n// implicitly loaded.\n//\n// See VC\\crt\\src\\tlssup.c for reference.\n\n// The linker must not discard p_thread_callback_boringssl. (We force a\n// reference to this variable with a linker /INCLUDE:symbol pragma to ensure\n// that.) If this variable is discarded, the OnThreadExit function will never\n// be called.\n#ifdef _WIN64\n\n// .CRT section is merged with .rdata on x64 so it must be constant data.\n#pragma const_seg(\".CRT$XLC\")\n // clang-format off\n // When defining a const variable, it must have external linkage to be sure\n // the linker doesn't discard it.\nextern \"C\" {\n extern const PIMAGE_TLS_CALLBACK p_thread_callback_boringssl;\n}\n// clang-format on\nconst PIMAGE_TLS_CALLBACK p_thread_callback_boringssl = thread_local_destructor;\n// Reset the default section.\n#pragma const_seg()\n\n#else\n\n#pragma data_seg(\".CRT$XLC\")\n // clang-format off\nextern \"C\" {\n extern PIMAGE_TLS_CALLBACK p_thread_callback_boringssl;\n}\n// clang-format on\nPIMAGE_TLS_CALLBACK p_thread_callback_boringssl = thread_local_destructor;\n// Reset the default section.\n#pragma data_seg()\n\n#endif // _WIN64\n\nstatic void **get_thread_locals(void) {\n // |TlsGetValue| clears the last error even on success, so that callers may\n // distinguish it successfully returning NULL or failing. It is documented to\n // never fail if the argument is a valid index from |TlsAlloc|, so we do not\n // need to handle this.\n //\n // However, this error-mangling behavior interferes with the caller's use of\n // |GetLastError|. In particular |SSL_get_error| queries the error queue to\n // determine whether the caller should look at the OS's errors. To avoid\n // destroying state, save and restore the Windows error.\n //\n // https://msdn.microsoft.com/en-us/library/windows/desktop/ms686812(v=vs.85).aspx\n DWORD last_error = GetLastError();\n void **ret = reinterpret_cast(TlsGetValue(g_thread_local_key));\n SetLastError(last_error);\n return ret;\n}\n\nvoid *CRYPTO_get_thread_local(thread_local_data_t index) {\n CRYPTO_once(&g_thread_local_init_once, thread_local_init);\n if (g_thread_local_failed) {\n return NULL;\n }\n\n void **pointers = get_thread_locals();\n if (pointers == NULL) {\n return NULL;\n }\n return pointers[index];\n}\n\nint CRYPTO_set_thread_local(thread_local_data_t index, void *value,\n thread_local_destructor_t destructor) {\n CRYPTO_once(&g_thread_local_init_once, thread_local_init);\n if (g_thread_local_failed) {\n destructor(value);\n return 0;\n }\n\n void **pointers = get_thread_locals();\n if (pointers == NULL) {\n pointers = reinterpret_cast(\n malloc(sizeof(void *) * NUM_OPENSSL_THREAD_LOCALS));\n if (pointers == NULL) {\n destructor(value);\n return 0;\n }\n OPENSSL_memset(pointers, 0, sizeof(void *) * NUM_OPENSSL_THREAD_LOCALS);\n if (TlsSetValue(g_thread_local_key, pointers) == 0) {\n free(pointers);\n destructor(value);\n return 0;\n }\n }\n\n AcquireSRWLockExclusive(&g_destructors_lock);\n g_destructors[index] = destructor;\n ReleaseSRWLockExclusive(&g_destructors_lock);\n\n pointers[index] = value;\n return 1;\n}\n\n#endif // OPENSSL_WINDOWS_THREADS\n" }, { "path": "Sources/CNIOBoringSSL/crypto/trust_token/internal.h", "content": "/* Copyright 2019 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n#ifndef OPENSSL_HEADER_TRUST_TOKEN_INTERNAL_H\n#define OPENSSL_HEADER_TRUST_TOKEN_INTERNAL_H\n\n#include \n#include \n#include \n#include \n\n#include \"../fipsmodule/ec/internal.h\"\n\n#include \n\n\n#if defined(__cplusplus)\nextern \"C\" {\n#endif\n\n\n// For the following cryptographic schemes, we use P-384 instead of our usual\n// choice of P-256. See Appendix I of\n// https://eprint.iacr.org/2020/072/20200324:214215 which describes two attacks\n// which may affect smaller curves. In particular, p-1 for P-256 is smooth,\n// giving a low complexity for the p-1 attack. P-384's p-1 has a 281-bit prime\n// factor,\n// 3055465788140352002733946906144561090641249606160407884365391979704929268480326390471.\n// This lower-bounds the p-1 attack at O(2^140). The p+1 attack is lower-bounded\n// by O(p^(1/3)) or O(2^128), so we do not need to check the smoothness of p+1.\n\n\n// TRUST_TOKEN_NONCE_SIZE is the size of nonces used as part of the Trust_Token\n// protocol.\n#define TRUST_TOKEN_NONCE_SIZE 64\n\ntypedef struct {\n // TODO(https://crbug.com/boringssl/334): These should store |EC_PRECOMP| so\n // that |TRUST_TOKEN_finish_issuance| can use |ec_point_mul_scalar_precomp|.\n EC_AFFINE pub0;\n EC_AFFINE pub1;\n EC_AFFINE pubs;\n} TRUST_TOKEN_CLIENT_KEY;\n\ntypedef struct {\n EC_SCALAR x0;\n EC_SCALAR y0;\n EC_SCALAR x1;\n EC_SCALAR y1;\n EC_SCALAR xs;\n EC_SCALAR ys;\n EC_AFFINE pub0;\n EC_PRECOMP pub0_precomp;\n EC_AFFINE pub1;\n EC_PRECOMP pub1_precomp;\n EC_AFFINE pubs;\n EC_PRECOMP pubs_precomp;\n} TRUST_TOKEN_ISSUER_KEY;\n\n// TRUST_TOKEN_PRETOKEN represents the intermediate state a client keeps during\n// a Trust_Token issuance operation.\ntypedef struct pmb_pretoken_st {\n uint8_t salt[TRUST_TOKEN_NONCE_SIZE];\n uint8_t t[TRUST_TOKEN_NONCE_SIZE];\n EC_SCALAR r;\n EC_AFFINE Tp;\n} TRUST_TOKEN_PRETOKEN;\n\n// TRUST_TOKEN_PRETOKEN_free releases the memory associated with |token|.\nOPENSSL_EXPORT void TRUST_TOKEN_PRETOKEN_free(TRUST_TOKEN_PRETOKEN *token);\n\nDEFINE_STACK_OF(TRUST_TOKEN_PRETOKEN)\n\n\n// PMBTokens.\n//\n// PMBTokens is described in https://eprint.iacr.org/2020/072/20200324:214215\n// and provides anonymous tokens with private metadata. We implement the\n// construction with validity verification, described in appendix H,\n// construction 6.\n\n// The following functions implement the corresponding |TRUST_TOKENS_METHOD|\n// functions for |TRUST_TOKENS_experiment_v1|'s PMBTokens construction which\n// uses P-384.\nint pmbtoken_exp1_generate_key(CBB *out_private, CBB *out_public);\nint pmbtoken_exp1_derive_key_from_secret(CBB *out_private, CBB *out_public,\n const uint8_t *secret,\n size_t secret_len);\nint pmbtoken_exp1_client_key_from_bytes(TRUST_TOKEN_CLIENT_KEY *key,\n const uint8_t *in, size_t len);\nint pmbtoken_exp1_issuer_key_from_bytes(TRUST_TOKEN_ISSUER_KEY *key,\n const uint8_t *in, size_t len);\nSTACK_OF(TRUST_TOKEN_PRETOKEN) *pmbtoken_exp1_blind(CBB *cbb, size_t count,\n int include_message,\n const uint8_t *msg,\n size_t msg_len);\nint pmbtoken_exp1_sign(const TRUST_TOKEN_ISSUER_KEY *key, CBB *cbb, CBS *cbs,\n size_t num_requested, size_t num_to_issue,\n uint8_t private_metadata);\nSTACK_OF(TRUST_TOKEN) *pmbtoken_exp1_unblind(\n const TRUST_TOKEN_CLIENT_KEY *key,\n const STACK_OF(TRUST_TOKEN_PRETOKEN) *pretokens, CBS *cbs, size_t count,\n uint32_t key_id);\nint pmbtoken_exp1_read(const TRUST_TOKEN_ISSUER_KEY *key,\n uint8_t out_nonce[TRUST_TOKEN_NONCE_SIZE],\n uint8_t *out_private_metadata, const uint8_t *token,\n size_t token_len, int include_message,\n const uint8_t *msg, size_t msg_len);\n\n// pmbtoken_exp1_get_h_for_testing returns H in uncompressed coordinates. This\n// function is used to confirm H was computed as expected.\nOPENSSL_EXPORT int pmbtoken_exp1_get_h_for_testing(uint8_t out[97]);\n\n// The following functions implement the corresponding |TRUST_TOKENS_METHOD|\n// functions for |TRUST_TOKENS_experiment_v2|'s PMBTokens construction which\n// uses P-384.\nint pmbtoken_exp2_generate_key(CBB *out_private, CBB *out_public);\nint pmbtoken_exp2_derive_key_from_secret(CBB *out_private, CBB *out_public,\n const uint8_t *secret,\n size_t secret_len);\nint pmbtoken_exp2_client_key_from_bytes(TRUST_TOKEN_CLIENT_KEY *key,\n const uint8_t *in, size_t len);\nint pmbtoken_exp2_issuer_key_from_bytes(TRUST_TOKEN_ISSUER_KEY *key,\n const uint8_t *in, size_t len);\nSTACK_OF(TRUST_TOKEN_PRETOKEN) *pmbtoken_exp2_blind(CBB *cbb, size_t count,\n int include_message,\n const uint8_t *msg,\n size_t msg_len);\nint pmbtoken_exp2_sign(const TRUST_TOKEN_ISSUER_KEY *key, CBB *cbb, CBS *cbs,\n size_t num_requested, size_t num_to_issue,\n uint8_t private_metadata);\nSTACK_OF(TRUST_TOKEN) *pmbtoken_exp2_unblind(\n const TRUST_TOKEN_CLIENT_KEY *key,\n const STACK_OF(TRUST_TOKEN_PRETOKEN) *pretokens, CBS *cbs, size_t count,\n uint32_t key_id);\nint pmbtoken_exp2_read(const TRUST_TOKEN_ISSUER_KEY *key,\n uint8_t out_nonce[TRUST_TOKEN_NONCE_SIZE],\n uint8_t *out_private_metadata, const uint8_t *token,\n size_t token_len, int include_message,\n const uint8_t *msg, size_t msg_len);\n\n// pmbtoken_exp2_get_h_for_testing returns H in uncompressed coordinates. This\n// function is used to confirm H was computed as expected.\nOPENSSL_EXPORT int pmbtoken_exp2_get_h_for_testing(uint8_t out[97]);\n\n// The following functions implement the corresponding |TRUST_TOKENS_METHOD|\n// functions for |TRUST_TOKENS_pst_v1|'s PMBTokens construction which uses\n// P-384.\nint pmbtoken_pst1_generate_key(CBB *out_private, CBB *out_public);\nint pmbtoken_pst1_derive_key_from_secret(CBB *out_private, CBB *out_public,\n const uint8_t *secret,\n size_t secret_len);\nint pmbtoken_pst1_client_key_from_bytes(TRUST_TOKEN_CLIENT_KEY *key,\n const uint8_t *in, size_t len);\nint pmbtoken_pst1_issuer_key_from_bytes(TRUST_TOKEN_ISSUER_KEY *key,\n const uint8_t *in, size_t len);\nSTACK_OF(TRUST_TOKEN_PRETOKEN) *pmbtoken_pst1_blind(CBB *cbb, size_t count,\n int include_message,\n const uint8_t *msg,\n size_t msg_len);\nint pmbtoken_pst1_sign(const TRUST_TOKEN_ISSUER_KEY *key, CBB *cbb, CBS *cbs,\n size_t num_requested, size_t num_to_issue,\n uint8_t private_metadata);\nSTACK_OF(TRUST_TOKEN) *pmbtoken_pst1_unblind(\n const TRUST_TOKEN_CLIENT_KEY *key,\n const STACK_OF(TRUST_TOKEN_PRETOKEN) *pretokens, CBS *cbs, size_t count,\n uint32_t key_id);\nint pmbtoken_pst1_read(const TRUST_TOKEN_ISSUER_KEY *key,\n uint8_t out_nonce[TRUST_TOKEN_NONCE_SIZE],\n uint8_t *out_private_metadata, const uint8_t *token,\n size_t token_len, int include_message,\n const uint8_t *msg, size_t msg_len);\n\n// pmbtoken_pst1_get_h_for_testing returns H in uncompressed coordinates. This\n// function is used to confirm H was computed as expected.\nOPENSSL_EXPORT int pmbtoken_pst1_get_h_for_testing(uint8_t out[97]);\n\n\n// VOPRF.\n//\n// VOPRFs are described in https://tools.ietf.org/html/draft-irtf-cfrg-voprf-04\n// and provide anonymous tokens. This implementation uses TrustToken DSTs and\n// the DLEQ batching primitive from\n// https://eprint.iacr.org/2020/072/20200324:214215.\n// VOPRF only uses the |pub|' field of the TRUST_TOKEN_CLIENT_KEY and\n// |xs|/|pubs| fields of the TRUST_TOKEN_ISSUER_KEY.\n\n// The following functions implement the corresponding |TRUST_TOKENS_METHOD|\n// functions for |TRUST_TOKENS_experiment_v2|'s VOPRF construction which uses\n// P-384.\nint voprf_exp2_generate_key(CBB *out_private, CBB *out_public);\nint voprf_exp2_derive_key_from_secret(CBB *out_private, CBB *out_public,\n const uint8_t *secret, size_t secret_len);\nint voprf_exp2_client_key_from_bytes(TRUST_TOKEN_CLIENT_KEY *key,\n const uint8_t *in, size_t len);\nint voprf_exp2_issuer_key_from_bytes(TRUST_TOKEN_ISSUER_KEY *key,\n const uint8_t *in, size_t len);\nSTACK_OF(TRUST_TOKEN_PRETOKEN) *voprf_exp2_blind(CBB *cbb, size_t count,\n int include_message,\n const uint8_t *msg,\n size_t msg_len);\nint voprf_exp2_sign(const TRUST_TOKEN_ISSUER_KEY *key, CBB *cbb, CBS *cbs,\n size_t num_requested, size_t num_to_issue,\n uint8_t private_metadata);\nSTACK_OF(TRUST_TOKEN) *voprf_exp2_unblind(\n const TRUST_TOKEN_CLIENT_KEY *key,\n const STACK_OF(TRUST_TOKEN_PRETOKEN) *pretokens, CBS *cbs, size_t count,\n uint32_t key_id);\nint voprf_exp2_read(const TRUST_TOKEN_ISSUER_KEY *key,\n uint8_t out_nonce[TRUST_TOKEN_NONCE_SIZE],\n uint8_t *out_private_metadata, const uint8_t *token,\n size_t token_len, int include_message, const uint8_t *msg,\n size_t msg_len);\n\n// The following functions implement the corresponding |TRUST_TOKENS_METHOD|\n// functions for |TRUST_TOKENS_pst_v1|'s VOPRF construction which uses P-384.\nint voprf_pst1_generate_key(CBB *out_private, CBB *out_public);\nint voprf_pst1_derive_key_from_secret(CBB *out_private, CBB *out_public,\n const uint8_t *secret, size_t secret_len);\nint voprf_pst1_client_key_from_bytes(TRUST_TOKEN_CLIENT_KEY *key,\n const uint8_t *in, size_t len);\nint voprf_pst1_issuer_key_from_bytes(TRUST_TOKEN_ISSUER_KEY *key,\n const uint8_t *in, size_t len);\nSTACK_OF(TRUST_TOKEN_PRETOKEN) *voprf_pst1_blind(CBB *cbb, size_t count,\n int include_message,\n const uint8_t *msg,\n size_t msg_len);\nint voprf_pst1_sign(const TRUST_TOKEN_ISSUER_KEY *key, CBB *cbb, CBS *cbs,\n size_t num_requested, size_t num_to_issue,\n uint8_t private_metadata);\nOPENSSL_EXPORT int voprf_pst1_sign_with_proof_scalar_for_testing(\n const TRUST_TOKEN_ISSUER_KEY *key, CBB *cbb, CBS *cbs, size_t num_requested,\n size_t num_to_issue, uint8_t private_metadata,\n const uint8_t *proof_scalar_buf, size_t proof_scalar_len);\nSTACK_OF(TRUST_TOKEN) *voprf_pst1_unblind(\n const TRUST_TOKEN_CLIENT_KEY *key,\n const STACK_OF(TRUST_TOKEN_PRETOKEN) *pretokens, CBS *cbs, size_t count,\n uint32_t key_id);\nint voprf_pst1_read(const TRUST_TOKEN_ISSUER_KEY *key,\n uint8_t out_nonce[TRUST_TOKEN_NONCE_SIZE],\n uint8_t *out_private_metadata, const uint8_t *token,\n size_t token_len, int include_message, const uint8_t *msg,\n size_t msg_len);\n\n\n// Trust Tokens internals.\n\nstruct trust_token_method_st {\n // generate_key generates a fresh keypair and writes their serialized\n // forms into |out_private| and |out_public|. It returns one on success and\n // zero on failure.\n int (*generate_key)(CBB *out_private, CBB *out_public);\n\n // derive_key_from_secret deterministically derives a keypair based on\n // |secret| and writes their serialized forms into |out_private| and\n // |out_public|. It returns one on success and zero on failure.\n int (*derive_key_from_secret)(CBB *out_private, CBB *out_public,\n const uint8_t *secret, size_t secret_len);\n\n // client_key_from_bytes decodes a client key from |in| and sets |key|\n // to the resulting key. It returns one on success and zero\n // on failure.\n int (*client_key_from_bytes)(TRUST_TOKEN_CLIENT_KEY *key, const uint8_t *in,\n size_t len);\n\n // issuer_key_from_bytes decodes a issuer key from |in| and sets |key|\n // to the resulting key. It returns one on success and zero\n // on failure.\n int (*issuer_key_from_bytes)(TRUST_TOKEN_ISSUER_KEY *key, const uint8_t *in,\n size_t len);\n\n // blind generates a new issuance request for |count| tokens. If\n // |include_message| is set, then |msg| is used to derive the token nonces. On\n // success, it returns a newly-allocated |STACK_OF(TRUST_TOKEN_PRETOKEN)| and\n // writes a request to the issuer to |cbb|. On failure, it returns NULL. The\n // |STACK_OF(TRUST_TOKEN_PRETOKEN)|s should be passed to |pmbtoken_unblind|\n // when the server responds.\n //\n // This function implements the AT.Usr0 operation.\n STACK_OF(TRUST_TOKEN_PRETOKEN) *(*blind)(CBB *cbb, size_t count,\n int include_message,\n const uint8_t *msg, size_t msg_len);\n\n // sign parses a request for |num_requested| tokens from |cbs| and\n // issues |num_to_issue| tokens with |key| and a private metadata value of\n // |private_metadata|. It then writes the response to |cbb|. It returns one on\n // success and zero on failure.\n //\n // This function implements the AT.Sig operation.\n int (*sign)(const TRUST_TOKEN_ISSUER_KEY *key, CBB *cbb, CBS *cbs,\n size_t num_requested, size_t num_to_issue,\n uint8_t private_metadata);\n\n // unblind processes an issuance response for |count| tokens from |cbs|\n // and unblinds the signed tokens. |pretokens| are the pre-tokens returned\n // from the corresponding |blind| call. On success, the function returns a\n // newly-allocated |STACK_OF(TRUST_TOKEN)| containing the resulting tokens.\n // Each token's serialization will have |key_id| prepended. Otherwise, it\n // returns NULL.\n //\n // This function implements the AT.Usr1 operation.\n STACK_OF(TRUST_TOKEN) *(*unblind)(\n const TRUST_TOKEN_CLIENT_KEY *key,\n const STACK_OF(TRUST_TOKEN_PRETOKEN) *pretokens, CBS *cbs, size_t count,\n uint32_t key_id);\n\n // read parses a token from |token| and verifies it using |key|. If\n // |include_message| is set, then the nonce is derived from |msg| and the salt\n // in the token. On success, it returns one and stores the nonce and private\n // metadata bit in |out_nonce| and |*out_private_metadata|. Otherwise, it\n // returns zero. Note that, unlike the output of |unblind|, |token| does not\n // have a four-byte key ID prepended.\n int (*read)(const TRUST_TOKEN_ISSUER_KEY *key,\n uint8_t out_nonce[TRUST_TOKEN_NONCE_SIZE],\n uint8_t *out_private_metadata, const uint8_t *token,\n size_t token_len, int include_message, const uint8_t *msg,\n size_t msg_len);\n\n // whether the construction supports private metadata.\n int has_private_metadata;\n\n // max keys that can be configured.\n size_t max_keys;\n\n // whether the SRR is part of the protocol.\n int has_srr;\n};\n\n// Structure representing a single Trust Token public key with the specified ID.\nstruct trust_token_client_key_st {\n uint32_t id;\n TRUST_TOKEN_CLIENT_KEY key;\n};\n\n// Structure representing a single Trust Token private key with the specified\n// ID.\nstruct trust_token_issuer_key_st {\n uint32_t id;\n TRUST_TOKEN_ISSUER_KEY key;\n};\n\nstruct trust_token_client_st {\n const TRUST_TOKEN_METHOD *method;\n\n // max_batchsize is the maximum supported batchsize.\n uint16_t max_batchsize;\n\n // keys is the set of public keys that are supported by the client for\n // issuance/redemptions.\n struct trust_token_client_key_st keys[6];\n\n // num_keys is the number of keys currently configured.\n size_t num_keys;\n\n // pretokens is the intermediate state during an active issuance.\n STACK_OF(TRUST_TOKEN_PRETOKEN) *pretokens;\n\n // srr_key is the public key used to verify the signature of the SRR.\n EVP_PKEY *srr_key;\n};\n\n\nstruct trust_token_issuer_st {\n const TRUST_TOKEN_METHOD *method;\n\n // max_batchsize is the maximum supported batchsize.\n uint16_t max_batchsize;\n\n // keys is the set of private keys that are supported by the issuer for\n // issuance/redemptions. The public metadata is an index into this list of\n // keys.\n struct trust_token_issuer_key_st keys[6];\n\n // num_keys is the number of keys currently configured.\n size_t num_keys;\n\n // srr_key is the private key used to sign the SRR.\n EVP_PKEY *srr_key;\n\n // metadata_key is the secret material used to encode the private metadata bit\n // in the SRR.\n uint8_t *metadata_key;\n size_t metadata_key_len;\n};\n\n\n#if defined(__cplusplus)\n} // extern C\n\nextern \"C++\" {\n\nBSSL_NAMESPACE_BEGIN\n\nBORINGSSL_MAKE_DELETER(TRUST_TOKEN_PRETOKEN, TRUST_TOKEN_PRETOKEN_free)\n\nBSSL_NAMESPACE_END\n\n} // extern C++\n#endif\n\n#endif // OPENSSL_HEADER_TRUST_TOKEN_INTERNAL_H\n" }, { "path": "Sources/CNIOBoringSSL/crypto/trust_token/pmbtoken.cc", "content": "/* Copyright 2020 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n#include \n\n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n\n#include \"../ec/internal.h\"\n#include \"../fipsmodule/bn/internal.h\"\n#include \"../fipsmodule/ec/internal.h\"\n\n#include \"internal.h\"\n\n\ntypedef int (*hash_t_func_t)(const EC_GROUP *group, EC_JACOBIAN *out,\n const uint8_t t[TRUST_TOKEN_NONCE_SIZE]);\ntypedef int (*hash_s_func_t)(const EC_GROUP *group, EC_JACOBIAN *out,\n const EC_AFFINE *t,\n const uint8_t s[TRUST_TOKEN_NONCE_SIZE]);\ntypedef int (*hash_c_func_t)(const EC_GROUP *group, EC_SCALAR *out,\n uint8_t *buf, size_t len);\ntypedef int (*hash_to_scalar_func_t)(const EC_GROUP *group, EC_SCALAR *out,\n uint8_t *buf, size_t len);\n\ntypedef struct {\n const EC_GROUP *group;\n EC_PRECOMP g_precomp;\n EC_PRECOMP h_precomp;\n EC_JACOBIAN h;\n // hash_t implements the H_t operation in PMBTokens. It returns one on success\n // and zero on error.\n hash_t_func_t hash_t;\n // hash_s implements the H_s operation in PMBTokens. It returns one on success\n // and zero on error.\n hash_s_func_t hash_s;\n // hash_c implements the H_c operation in PMBTokens. It returns one on success\n // and zero on error.\n hash_c_func_t hash_c;\n // hash_to_scalar implements the HashToScalar operation for PMBTokens. It\n // returns one on success and zero on error.\n hash_to_scalar_func_t hash_to_scalar;\n int prefix_point : 1;\n} PMBTOKEN_METHOD;\n\nstatic const uint8_t kDefaultAdditionalData[32] = {0};\n\nstatic int pmbtoken_init_method(PMBTOKEN_METHOD *method, const EC_GROUP *group,\n const uint8_t *h_bytes, size_t h_len,\n hash_t_func_t hash_t, hash_s_func_t hash_s,\n hash_c_func_t hash_c,\n hash_to_scalar_func_t hash_to_scalar,\n int prefix_point) {\n method->group = group;\n method->hash_t = hash_t;\n method->hash_s = hash_s;\n method->hash_c = hash_c;\n method->hash_to_scalar = hash_to_scalar;\n method->prefix_point = prefix_point;\n\n EC_AFFINE h;\n if (!ec_point_from_uncompressed(method->group, &h, h_bytes, h_len)) {\n return 0;\n }\n ec_affine_to_jacobian(method->group, &method->h, &h);\n\n if (!ec_init_precomp(method->group, &method->g_precomp,\n &method->group->generator.raw) ||\n !ec_init_precomp(method->group, &method->h_precomp, &method->h)) {\n return 0;\n }\n return 1;\n}\n\nstatic int derive_scalar_from_secret(const PMBTOKEN_METHOD *method,\n EC_SCALAR *out, const uint8_t *secret,\n size_t secret_len, uint8_t scalar_id) {\n static const uint8_t kKeygenLabel[] = \"TrustTokenPMBTokenKeyGen\";\n\n int ok = 0;\n CBB cbb;\n CBB_zero(&cbb);\n uint8_t *buf = NULL;\n size_t len;\n if (!CBB_init(&cbb, 0) ||\n !CBB_add_bytes(&cbb, kKeygenLabel, sizeof(kKeygenLabel)) ||\n !CBB_add_u8(&cbb, scalar_id) ||\n !CBB_add_bytes(&cbb, secret, secret_len) ||\n !CBB_finish(&cbb, &buf, &len) ||\n !method->hash_to_scalar(method->group, out, buf, len)) {\n OPENSSL_PUT_ERROR(TRUST_TOKEN, TRUST_TOKEN_R_KEYGEN_FAILURE);\n goto err;\n }\n\n ok = 1;\n\nerr:\n CBB_cleanup(&cbb);\n OPENSSL_free(buf);\n return ok;\n}\n\nstatic int point_to_cbb(CBB *out, const EC_GROUP *group,\n const EC_AFFINE *point) {\n size_t len = ec_point_byte_len(group, POINT_CONVERSION_UNCOMPRESSED);\n if (len == 0) {\n return 0;\n }\n uint8_t *p;\n return CBB_add_space(out, &p, len) &&\n ec_point_to_bytes(group, point, POINT_CONVERSION_UNCOMPRESSED, p,\n len) == len;\n}\n\nstatic int cbb_add_prefixed_point(CBB *out, const EC_GROUP *group,\n const EC_AFFINE *point, int prefix_point) {\n if (prefix_point) {\n CBB child;\n if (!CBB_add_u16_length_prefixed(out, &child) ||\n !point_to_cbb(&child, group, point) || !CBB_flush(out)) {\n return 0;\n }\n } else {\n if (!point_to_cbb(out, group, point) || !CBB_flush(out)) {\n return 0;\n }\n }\n\n return 1;\n}\n\nstatic int cbs_get_prefixed_point(CBS *cbs, const EC_GROUP *group,\n EC_AFFINE *out, int prefix_point) {\n CBS child;\n if (prefix_point) {\n if (!CBS_get_u16_length_prefixed(cbs, &child)) {\n return 0;\n }\n } else {\n size_t plen = ec_point_byte_len(group, POINT_CONVERSION_UNCOMPRESSED);\n if (!CBS_get_bytes(cbs, &child, plen)) {\n return 0;\n }\n }\n\n if (!ec_point_from_uncompressed(group, out, CBS_data(&child),\n CBS_len(&child))) {\n return 0;\n }\n return 1;\n}\n\nstatic int mul_public_3(const EC_GROUP *group, EC_JACOBIAN *out,\n const EC_JACOBIAN *p0, const EC_SCALAR *scalar0,\n const EC_JACOBIAN *p1, const EC_SCALAR *scalar1,\n const EC_JACOBIAN *p2, const EC_SCALAR *scalar2) {\n EC_JACOBIAN points[3] = {*p0, *p1, *p2};\n EC_SCALAR scalars[3] = {*scalar0, *scalar1, *scalar2};\n return ec_point_mul_scalar_public_batch(group, out, /*g_scalar=*/NULL, points,\n scalars, 3);\n}\n\nstatic int pmbtoken_compute_keys(const PMBTOKEN_METHOD *method,\n CBB *out_private, CBB *out_public,\n const EC_SCALAR *x0, const EC_SCALAR *y0,\n const EC_SCALAR *x1, const EC_SCALAR *y1,\n const EC_SCALAR *xs, const EC_SCALAR *ys) {\n const EC_GROUP *group = method->group;\n EC_JACOBIAN pub[3];\n if (!ec_point_mul_scalar_precomp(group, &pub[0], &method->g_precomp, x0,\n &method->h_precomp, y0, NULL, NULL) ||\n !ec_point_mul_scalar_precomp(group, &pub[1], &method->g_precomp, x1,\n &method->h_precomp, y1, NULL, NULL) ||\n !ec_point_mul_scalar_precomp(method->group, &pub[2], &method->g_precomp,\n xs, &method->h_precomp, ys, NULL, NULL)) {\n OPENSSL_PUT_ERROR(TRUST_TOKEN, TRUST_TOKEN_R_KEYGEN_FAILURE);\n return 0;\n }\n\n const EC_SCALAR *scalars[] = {x0, y0, x1, y1, xs, ys};\n size_t scalar_len = BN_num_bytes(EC_GROUP_get0_order(group));\n for (size_t i = 0; i < OPENSSL_ARRAY_SIZE(scalars); i++) {\n uint8_t *buf;\n if (!CBB_add_space(out_private, &buf, scalar_len)) {\n OPENSSL_PUT_ERROR(TRUST_TOKEN, TRUST_TOKEN_R_BUFFER_TOO_SMALL);\n return 0;\n }\n ec_scalar_to_bytes(group, buf, &scalar_len, scalars[i]);\n }\n\n EC_AFFINE pub_affine[3];\n if (!ec_jacobian_to_affine_batch(group, pub_affine, pub, 3)) {\n return 0;\n }\n\n if (!cbb_add_prefixed_point(out_public, group, &pub_affine[0],\n method->prefix_point) ||\n !cbb_add_prefixed_point(out_public, group, &pub_affine[1],\n method->prefix_point) ||\n !cbb_add_prefixed_point(out_public, group, &pub_affine[2],\n method->prefix_point)) {\n OPENSSL_PUT_ERROR(TRUST_TOKEN, TRUST_TOKEN_R_BUFFER_TOO_SMALL);\n return 0;\n }\n\n return 1;\n}\n\nstatic int pmbtoken_generate_key(const PMBTOKEN_METHOD *method,\n CBB *out_private, CBB *out_public) {\n EC_SCALAR x0, y0, x1, y1, xs, ys;\n if (!ec_random_nonzero_scalar(method->group, &x0, kDefaultAdditionalData) ||\n !ec_random_nonzero_scalar(method->group, &y0, kDefaultAdditionalData) ||\n !ec_random_nonzero_scalar(method->group, &x1, kDefaultAdditionalData) ||\n !ec_random_nonzero_scalar(method->group, &y1, kDefaultAdditionalData) ||\n !ec_random_nonzero_scalar(method->group, &xs, kDefaultAdditionalData) ||\n !ec_random_nonzero_scalar(method->group, &ys, kDefaultAdditionalData)) {\n OPENSSL_PUT_ERROR(TRUST_TOKEN, TRUST_TOKEN_R_KEYGEN_FAILURE);\n return 0;\n }\n\n return pmbtoken_compute_keys(method, out_private, out_public, &x0, &y0, &x1,\n &y1, &xs, &ys);\n}\n\nstatic int pmbtoken_derive_key_from_secret(const PMBTOKEN_METHOD *method,\n CBB *out_private, CBB *out_public,\n const uint8_t *secret,\n size_t secret_len) {\n EC_SCALAR x0, y0, x1, y1, xs, ys;\n if (!derive_scalar_from_secret(method, &x0, secret, secret_len, 0) ||\n !derive_scalar_from_secret(method, &y0, secret, secret_len, 1) ||\n !derive_scalar_from_secret(method, &x1, secret, secret_len, 2) ||\n !derive_scalar_from_secret(method, &y1, secret, secret_len, 3) ||\n !derive_scalar_from_secret(method, &xs, secret, secret_len, 4) ||\n !derive_scalar_from_secret(method, &ys, secret, secret_len, 5)) {\n OPENSSL_PUT_ERROR(TRUST_TOKEN, TRUST_TOKEN_R_KEYGEN_FAILURE);\n return 0;\n }\n\n return pmbtoken_compute_keys(method, out_private, out_public, &x0, &y0, &x1,\n &y1, &xs, &ys);\n}\n\nstatic int pmbtoken_client_key_from_bytes(const PMBTOKEN_METHOD *method,\n TRUST_TOKEN_CLIENT_KEY *key,\n const uint8_t *in, size_t len) {\n CBS cbs;\n CBS_init(&cbs, in, len);\n if (!cbs_get_prefixed_point(&cbs, method->group, &key->pub0,\n method->prefix_point) ||\n !cbs_get_prefixed_point(&cbs, method->group, &key->pub1,\n method->prefix_point) ||\n !cbs_get_prefixed_point(&cbs, method->group, &key->pubs,\n method->prefix_point) ||\n CBS_len(&cbs) != 0) {\n OPENSSL_PUT_ERROR(TRUST_TOKEN, TRUST_TOKEN_R_DECODE_FAILURE);\n return 0;\n }\n\n return 1;\n}\n\nstatic int pmbtoken_issuer_key_from_bytes(const PMBTOKEN_METHOD *method,\n TRUST_TOKEN_ISSUER_KEY *key,\n const uint8_t *in, size_t len) {\n const EC_GROUP *group = method->group;\n CBS cbs, tmp;\n CBS_init(&cbs, in, len);\n size_t scalar_len = BN_num_bytes(EC_GROUP_get0_order(group));\n EC_SCALAR *scalars[] = {&key->x0, &key->y0, &key->x1,\n &key->y1, &key->xs, &key->ys};\n for (size_t i = 0; i < OPENSSL_ARRAY_SIZE(scalars); i++) {\n if (!CBS_get_bytes(&cbs, &tmp, scalar_len) ||\n !ec_scalar_from_bytes(group, scalars[i], CBS_data(&tmp),\n CBS_len(&tmp))) {\n OPENSSL_PUT_ERROR(TRUST_TOKEN, TRUST_TOKEN_R_DECODE_FAILURE);\n return 0;\n }\n }\n\n // Recompute the public key.\n EC_JACOBIAN pub[3];\n EC_AFFINE pub_affine[3];\n if (!ec_point_mul_scalar_precomp(group, &pub[0], &method->g_precomp, &key->x0,\n &method->h_precomp, &key->y0, NULL, NULL) ||\n !ec_init_precomp(group, &key->pub0_precomp, &pub[0]) ||\n !ec_point_mul_scalar_precomp(group, &pub[1], &method->g_precomp, &key->x1,\n &method->h_precomp, &key->y1, NULL, NULL) ||\n !ec_init_precomp(group, &key->pub1_precomp, &pub[1]) ||\n !ec_point_mul_scalar_precomp(group, &pub[2], &method->g_precomp, &key->xs,\n &method->h_precomp, &key->ys, NULL, NULL) ||\n !ec_init_precomp(group, &key->pubs_precomp, &pub[2]) ||\n !ec_jacobian_to_affine_batch(group, pub_affine, pub, 3)) {\n return 0;\n }\n\n key->pub0 = pub_affine[0];\n key->pub1 = pub_affine[1];\n key->pubs = pub_affine[2];\n return 1;\n}\n\nstatic STACK_OF(TRUST_TOKEN_PRETOKEN) *pmbtoken_blind(\n const PMBTOKEN_METHOD *method, CBB *cbb, size_t count, int include_message,\n const uint8_t *msg, size_t msg_len) {\n SHA512_CTX hash_ctx;\n\n const EC_GROUP *group = method->group;\n STACK_OF(TRUST_TOKEN_PRETOKEN) *pretokens =\n sk_TRUST_TOKEN_PRETOKEN_new_null();\n if (pretokens == NULL) {\n goto err;\n }\n\n for (size_t i = 0; i < count; i++) {\n // Insert |pretoken| into |pretokens| early to simplify error-handling.\n TRUST_TOKEN_PRETOKEN *pretoken = reinterpret_cast(\n OPENSSL_malloc(sizeof(TRUST_TOKEN_PRETOKEN)));\n if (pretoken == NULL ||\n !sk_TRUST_TOKEN_PRETOKEN_push(pretokens, pretoken)) {\n TRUST_TOKEN_PRETOKEN_free(pretoken);\n goto err;\n }\n\n RAND_bytes(pretoken->salt, sizeof(pretoken->salt));\n if (include_message) {\n assert(SHA512_DIGEST_LENGTH == TRUST_TOKEN_NONCE_SIZE);\n SHA512_Init(&hash_ctx);\n SHA512_Update(&hash_ctx, pretoken->salt, sizeof(pretoken->salt));\n SHA512_Update(&hash_ctx, msg, msg_len);\n SHA512_Final(pretoken->t, &hash_ctx);\n } else {\n OPENSSL_memcpy(pretoken->t, pretoken->salt, TRUST_TOKEN_NONCE_SIZE);\n }\n\n // We sample |pretoken->r| in Montgomery form to simplify inverting.\n if (!ec_random_nonzero_scalar(group, &pretoken->r,\n kDefaultAdditionalData)) {\n goto err;\n }\n\n EC_SCALAR rinv;\n ec_scalar_inv0_montgomery(group, &rinv, &pretoken->r);\n // Convert both out of Montgomery form.\n ec_scalar_from_montgomery(group, &pretoken->r, &pretoken->r);\n ec_scalar_from_montgomery(group, &rinv, &rinv);\n\n EC_JACOBIAN T, Tp;\n if (!method->hash_t(group, &T, pretoken->t) ||\n !ec_point_mul_scalar(group, &Tp, &T, &rinv) ||\n !ec_jacobian_to_affine(group, &pretoken->Tp, &Tp)) {\n goto err;\n }\n\n if (!cbb_add_prefixed_point(cbb, group, &pretoken->Tp,\n method->prefix_point)) {\n goto err;\n }\n }\n\n return pretokens;\n\nerr:\n sk_TRUST_TOKEN_PRETOKEN_pop_free(pretokens, TRUST_TOKEN_PRETOKEN_free);\n return NULL;\n}\n\nstatic int scalar_to_cbb(CBB *out, const EC_GROUP *group,\n const EC_SCALAR *scalar) {\n uint8_t *buf;\n size_t scalar_len = BN_num_bytes(EC_GROUP_get0_order(group));\n if (!CBB_add_space(out, &buf, scalar_len)) {\n return 0;\n }\n ec_scalar_to_bytes(group, buf, &scalar_len, scalar);\n return 1;\n}\n\nstatic int scalar_from_cbs(CBS *cbs, const EC_GROUP *group, EC_SCALAR *out) {\n size_t scalar_len = BN_num_bytes(EC_GROUP_get0_order(group));\n CBS tmp;\n if (!CBS_get_bytes(cbs, &tmp, scalar_len)) {\n OPENSSL_PUT_ERROR(TRUST_TOKEN, TRUST_TOKEN_R_DECODE_FAILURE);\n return 0;\n }\n\n ec_scalar_from_bytes(group, out, CBS_data(&tmp), CBS_len(&tmp));\n return 1;\n}\n\nstatic int hash_c_dleq(const PMBTOKEN_METHOD *method, EC_SCALAR *out,\n const EC_AFFINE *X, const EC_AFFINE *T,\n const EC_AFFINE *S, const EC_AFFINE *W,\n const EC_AFFINE *K0, const EC_AFFINE *K1) {\n static const uint8_t kDLEQ2Label[] = \"DLEQ2\";\n\n int ok = 0;\n CBB cbb;\n CBB_zero(&cbb);\n uint8_t *buf = NULL;\n size_t len;\n if (!CBB_init(&cbb, 0) ||\n !CBB_add_bytes(&cbb, kDLEQ2Label, sizeof(kDLEQ2Label)) ||\n !point_to_cbb(&cbb, method->group, X) ||\n !point_to_cbb(&cbb, method->group, T) ||\n !point_to_cbb(&cbb, method->group, S) ||\n !point_to_cbb(&cbb, method->group, W) ||\n !point_to_cbb(&cbb, method->group, K0) ||\n !point_to_cbb(&cbb, method->group, K1) || !CBB_finish(&cbb, &buf, &len) ||\n !method->hash_c(method->group, out, buf, len)) {\n goto err;\n }\n\n ok = 1;\n\nerr:\n CBB_cleanup(&cbb);\n OPENSSL_free(buf);\n return ok;\n}\n\nstatic int hash_c_dleqor(const PMBTOKEN_METHOD *method, EC_SCALAR *out,\n const EC_AFFINE *X0, const EC_AFFINE *X1,\n const EC_AFFINE *T, const EC_AFFINE *S,\n const EC_AFFINE *W, const EC_AFFINE *K00,\n const EC_AFFINE *K01, const EC_AFFINE *K10,\n const EC_AFFINE *K11) {\n static const uint8_t kDLEQOR2Label[] = \"DLEQOR2\";\n\n int ok = 0;\n CBB cbb;\n CBB_zero(&cbb);\n uint8_t *buf = NULL;\n size_t len;\n if (!CBB_init(&cbb, 0) ||\n !CBB_add_bytes(&cbb, kDLEQOR2Label, sizeof(kDLEQOR2Label)) ||\n !point_to_cbb(&cbb, method->group, X0) ||\n !point_to_cbb(&cbb, method->group, X1) ||\n !point_to_cbb(&cbb, method->group, T) ||\n !point_to_cbb(&cbb, method->group, S) ||\n !point_to_cbb(&cbb, method->group, W) ||\n !point_to_cbb(&cbb, method->group, K00) ||\n !point_to_cbb(&cbb, method->group, K01) ||\n !point_to_cbb(&cbb, method->group, K10) ||\n !point_to_cbb(&cbb, method->group, K11) ||\n !CBB_finish(&cbb, &buf, &len) ||\n !method->hash_c(method->group, out, buf, len)) {\n goto err;\n }\n\n ok = 1;\n\nerr:\n CBB_cleanup(&cbb);\n OPENSSL_free(buf);\n return ok;\n}\n\nstatic int hash_c_batch(const PMBTOKEN_METHOD *method, EC_SCALAR *out,\n const CBB *points, size_t index) {\n static const uint8_t kDLEQBatchLabel[] = \"DLEQ BATCH\";\n if (index > 0xffff) {\n // The protocol supports only two-byte batches.\n OPENSSL_PUT_ERROR(TRUST_TOKEN, ERR_R_OVERFLOW);\n return 0;\n }\n\n int ok = 0;\n CBB cbb;\n CBB_zero(&cbb);\n uint8_t *buf = NULL;\n size_t len;\n if (!CBB_init(&cbb, 0) ||\n !CBB_add_bytes(&cbb, kDLEQBatchLabel, sizeof(kDLEQBatchLabel)) ||\n !CBB_add_bytes(&cbb, CBB_data(points), CBB_len(points)) ||\n !CBB_add_u16(&cbb, (uint16_t)index) || !CBB_finish(&cbb, &buf, &len) ||\n !method->hash_c(method->group, out, buf, len)) {\n goto err;\n }\n\n ok = 1;\n\nerr:\n CBB_cleanup(&cbb);\n OPENSSL_free(buf);\n return ok;\n}\n\n// The DLEQ2 and DLEQOR2 constructions are described in appendix B of\n// https://eprint.iacr.org/2020/072/20200324:214215. DLEQ2 is an instance of\n// DLEQOR2 with only one value (n=1).\n\nstatic int dleq_generate(const PMBTOKEN_METHOD *method, CBB *cbb,\n const TRUST_TOKEN_ISSUER_KEY *priv,\n const EC_JACOBIAN *T, const EC_JACOBIAN *S,\n const EC_JACOBIAN *W, const EC_JACOBIAN *Ws,\n uint8_t private_metadata) {\n const EC_GROUP *group = method->group;\n\n // We generate a DLEQ proof for the validity token and a DLEQOR2 proof for the\n // private metadata token. To allow amortizing Jacobian-to-affine conversions,\n // we compute Ki for both proofs first.\n enum {\n idx_T,\n idx_S,\n idx_W,\n idx_Ws,\n idx_Ks0,\n idx_Ks1,\n idx_Kb0,\n idx_Kb1,\n idx_Ko0,\n idx_Ko1,\n num_idx,\n };\n EC_JACOBIAN jacobians[num_idx];\n\n // Setup the DLEQ proof.\n EC_SCALAR ks0, ks1;\n if ( // ks0, ks1 <- Zp\n !ec_random_nonzero_scalar(group, &ks0, kDefaultAdditionalData) ||\n !ec_random_nonzero_scalar(group, &ks1, kDefaultAdditionalData) ||\n // Ks = ks0*(G;T) + ks1*(H;S)\n !ec_point_mul_scalar_precomp(group, &jacobians[idx_Ks0],\n &method->g_precomp, &ks0, &method->h_precomp,\n &ks1, NULL, NULL) ||\n !ec_point_mul_scalar_batch(group, &jacobians[idx_Ks1], T, &ks0, S, &ks1,\n NULL, NULL)) {\n return 0;\n }\n\n // Setup the DLEQOR proof. First, select values of xb, yb (keys corresponding\n // to the private metadata value) and pubo (public key corresponding to the\n // other value) in constant time.\n BN_ULONG mask = ((BN_ULONG)0) - (private_metadata & 1);\n EC_PRECOMP pubo_precomp;\n EC_SCALAR xb, yb;\n ec_scalar_select(group, &xb, mask, &priv->x1, &priv->x0);\n ec_scalar_select(group, &yb, mask, &priv->y1, &priv->y0);\n ec_precomp_select(group, &pubo_precomp, mask, &priv->pub0_precomp,\n &priv->pub1_precomp);\n\n EC_SCALAR k0, k1, minus_co, uo, vo;\n if ( // k0, k1 <- Zp\n !ec_random_nonzero_scalar(group, &k0, kDefaultAdditionalData) ||\n !ec_random_nonzero_scalar(group, &k1, kDefaultAdditionalData) ||\n // Kb = k0*(G;T) + k1*(H;S)\n !ec_point_mul_scalar_precomp(group, &jacobians[idx_Kb0],\n &method->g_precomp, &k0, &method->h_precomp,\n &k1, NULL, NULL) ||\n !ec_point_mul_scalar_batch(group, &jacobians[idx_Kb1], T, &k0, S, &k1,\n NULL, NULL) ||\n // co, uo, vo <- Zp\n !ec_random_nonzero_scalar(group, &minus_co, kDefaultAdditionalData) ||\n !ec_random_nonzero_scalar(group, &uo, kDefaultAdditionalData) ||\n !ec_random_nonzero_scalar(group, &vo, kDefaultAdditionalData) ||\n // Ko = uo*(G;T) + vo*(H;S) - co*(pubo;W)\n !ec_point_mul_scalar_precomp(group, &jacobians[idx_Ko0],\n &method->g_precomp, &uo, &method->h_precomp,\n &vo, &pubo_precomp, &minus_co) ||\n !ec_point_mul_scalar_batch(group, &jacobians[idx_Ko1], T, &uo, S, &vo, W,\n &minus_co)) {\n return 0;\n }\n\n EC_AFFINE affines[num_idx];\n jacobians[idx_T] = *T;\n jacobians[idx_S] = *S;\n jacobians[idx_W] = *W;\n jacobians[idx_Ws] = *Ws;\n if (!ec_jacobian_to_affine_batch(group, affines, jacobians, num_idx)) {\n return 0;\n }\n\n // Select the K corresponding to K0 and K1 in constant-time.\n EC_AFFINE K00, K01, K10, K11;\n ec_affine_select(group, &K00, mask, &affines[idx_Ko0], &affines[idx_Kb0]);\n ec_affine_select(group, &K01, mask, &affines[idx_Ko1], &affines[idx_Kb1]);\n ec_affine_select(group, &K10, mask, &affines[idx_Kb0], &affines[idx_Ko0]);\n ec_affine_select(group, &K11, mask, &affines[idx_Kb1], &affines[idx_Ko1]);\n\n // Compute c = Hc(...) for the two proofs.\n EC_SCALAR cs, c;\n if (!hash_c_dleq(method, &cs, &priv->pubs, &affines[idx_T], &affines[idx_S],\n &affines[idx_Ws], &affines[idx_Ks0], &affines[idx_Ks1]) ||\n !hash_c_dleqor(method, &c, &priv->pub0, &priv->pub1, &affines[idx_T],\n &affines[idx_S], &affines[idx_W], &K00, &K01, &K10,\n &K11)) {\n return 0;\n }\n\n // Compute cb, ub, and ub for the two proofs. In each of these products, only\n // one operand is in Montgomery form, so the product does not need to be\n // converted.\n\n EC_SCALAR cs_mont;\n ec_scalar_to_montgomery(group, &cs_mont, &cs);\n\n // us = ks0 + cs*xs\n EC_SCALAR us, vs;\n ec_scalar_mul_montgomery(group, &us, &priv->xs, &cs_mont);\n ec_scalar_add(group, &us, &ks0, &us);\n\n // vs = ks1 + cs*ys\n ec_scalar_mul_montgomery(group, &vs, &priv->ys, &cs_mont);\n ec_scalar_add(group, &vs, &ks1, &vs);\n\n // Store DLEQ2 proof in transcript.\n if (!scalar_to_cbb(cbb, group, &cs) || !scalar_to_cbb(cbb, group, &us) ||\n !scalar_to_cbb(cbb, group, &vs)) {\n return 0;\n }\n\n // cb = c - co\n EC_SCALAR cb, ub, vb;\n ec_scalar_add(group, &cb, &c, &minus_co);\n\n EC_SCALAR cb_mont;\n ec_scalar_to_montgomery(group, &cb_mont, &cb);\n\n // ub = k0 + cb*xb\n ec_scalar_mul_montgomery(group, &ub, &xb, &cb_mont);\n ec_scalar_add(group, &ub, &k0, &ub);\n\n // vb = k1 + cb*yb\n ec_scalar_mul_montgomery(group, &vb, &yb, &cb_mont);\n ec_scalar_add(group, &vb, &k1, &vb);\n\n // Select c, u, v in constant-time.\n EC_SCALAR co, c0, c1, u0, u1, v0, v1;\n ec_scalar_neg(group, &co, &minus_co);\n ec_scalar_select(group, &c0, mask, &co, &cb);\n ec_scalar_select(group, &u0, mask, &uo, &ub);\n ec_scalar_select(group, &v0, mask, &vo, &vb);\n ec_scalar_select(group, &c1, mask, &cb, &co);\n ec_scalar_select(group, &u1, mask, &ub, &uo);\n ec_scalar_select(group, &v1, mask, &vb, &vo);\n\n // Store DLEQOR2 proof in transcript.\n if (!scalar_to_cbb(cbb, group, &c0) || !scalar_to_cbb(cbb, group, &c1) ||\n !scalar_to_cbb(cbb, group, &u0) || !scalar_to_cbb(cbb, group, &u1) ||\n !scalar_to_cbb(cbb, group, &v0) || !scalar_to_cbb(cbb, group, &v1)) {\n return 0;\n }\n\n return 1;\n}\n\nstatic int dleq_verify(const PMBTOKEN_METHOD *method, CBS *cbs,\n const TRUST_TOKEN_CLIENT_KEY *pub, const EC_JACOBIAN *T,\n const EC_JACOBIAN *S, const EC_JACOBIAN *W,\n const EC_JACOBIAN *Ws) {\n const EC_GROUP *group = method->group;\n const EC_JACOBIAN *g = &group->generator.raw;\n\n // We verify a DLEQ proof for the validity token and a DLEQOR2 proof for the\n // private metadata token. To allow amortizing Jacobian-to-affine conversions,\n // we compute Ki for both proofs first. Additionally, all inputs to this\n // function are public, so we can use the faster variable-time\n // multiplications.\n enum {\n idx_T,\n idx_S,\n idx_W,\n idx_Ws,\n idx_Ks0,\n idx_Ks1,\n idx_K00,\n idx_K01,\n idx_K10,\n idx_K11,\n num_idx,\n };\n EC_JACOBIAN jacobians[num_idx];\n\n // Decode the DLEQ proof.\n EC_SCALAR cs, us, vs;\n if (!scalar_from_cbs(cbs, group, &cs) || !scalar_from_cbs(cbs, group, &us) ||\n !scalar_from_cbs(cbs, group, &vs)) {\n OPENSSL_PUT_ERROR(TRUST_TOKEN, TRUST_TOKEN_R_DECODE_FAILURE);\n return 0;\n }\n\n // Ks = us*(G;T) + vs*(H;S) - cs*(pubs;Ws)\n EC_JACOBIAN pubs;\n ec_affine_to_jacobian(group, &pubs, &pub->pubs);\n EC_SCALAR minus_cs;\n ec_scalar_neg(group, &minus_cs, &cs);\n if (!mul_public_3(group, &jacobians[idx_Ks0], g, &us, &method->h, &vs, &pubs,\n &minus_cs) ||\n !mul_public_3(group, &jacobians[idx_Ks1], T, &us, S, &vs, Ws,\n &minus_cs)) {\n return 0;\n }\n\n // Decode the DLEQOR proof.\n EC_SCALAR c0, c1, u0, u1, v0, v1;\n if (!scalar_from_cbs(cbs, group, &c0) || !scalar_from_cbs(cbs, group, &c1) ||\n !scalar_from_cbs(cbs, group, &u0) || !scalar_from_cbs(cbs, group, &u1) ||\n !scalar_from_cbs(cbs, group, &v0) || !scalar_from_cbs(cbs, group, &v1)) {\n OPENSSL_PUT_ERROR(TRUST_TOKEN, TRUST_TOKEN_R_DECODE_FAILURE);\n return 0;\n }\n\n EC_JACOBIAN pub0, pub1;\n ec_affine_to_jacobian(group, &pub0, &pub->pub0);\n ec_affine_to_jacobian(group, &pub1, &pub->pub1);\n EC_SCALAR minus_c0, minus_c1;\n ec_scalar_neg(group, &minus_c0, &c0);\n ec_scalar_neg(group, &minus_c1, &c1);\n if ( // K0 = u0*(G;T) + v0*(H;S) - c0*(pub0;W)\n !mul_public_3(group, &jacobians[idx_K00], g, &u0, &method->h, &v0, &pub0,\n &minus_c0) ||\n !mul_public_3(group, &jacobians[idx_K01], T, &u0, S, &v0, W, &minus_c0) ||\n // K1 = u1*(G;T) + v1*(H;S) - c1*(pub1;W)\n !mul_public_3(group, &jacobians[idx_K10], g, &u1, &method->h, &v1, &pub1,\n &minus_c1) ||\n !mul_public_3(group, &jacobians[idx_K11], T, &u1, S, &v1, W, &minus_c1)) {\n return 0;\n }\n\n EC_AFFINE affines[num_idx];\n jacobians[idx_T] = *T;\n jacobians[idx_S] = *S;\n jacobians[idx_W] = *W;\n jacobians[idx_Ws] = *Ws;\n if (!ec_jacobian_to_affine_batch(group, affines, jacobians, num_idx)) {\n return 0;\n }\n\n // Check the DLEQ proof.\n EC_SCALAR calculated;\n if (!hash_c_dleq(method, &calculated, &pub->pubs, &affines[idx_T],\n &affines[idx_S], &affines[idx_Ws], &affines[idx_Ks0],\n &affines[idx_Ks1])) {\n return 0;\n }\n\n // cs == calculated\n if (!ec_scalar_equal_vartime(group, &cs, &calculated)) {\n OPENSSL_PUT_ERROR(TRUST_TOKEN, TRUST_TOKEN_R_INVALID_PROOF);\n return 0;\n }\n\n // Check the DLEQOR proof.\n if (!hash_c_dleqor(method, &calculated, &pub->pub0, &pub->pub1,\n &affines[idx_T], &affines[idx_S], &affines[idx_W],\n &affines[idx_K00], &affines[idx_K01], &affines[idx_K10],\n &affines[idx_K11])) {\n return 0;\n }\n\n // c0 + c1 == calculated\n EC_SCALAR c;\n ec_scalar_add(group, &c, &c0, &c1);\n if (!ec_scalar_equal_vartime(group, &c, &calculated)) {\n OPENSSL_PUT_ERROR(TRUST_TOKEN, TRUST_TOKEN_R_INVALID_PROOF);\n return 0;\n }\n\n return 1;\n}\n\nstatic int pmbtoken_sign(const PMBTOKEN_METHOD *method,\n const TRUST_TOKEN_ISSUER_KEY *key, CBB *cbb, CBS *cbs,\n size_t num_requested, size_t num_to_issue,\n uint8_t private_metadata) {\n const EC_GROUP *group = method->group;\n if (num_requested < num_to_issue) {\n OPENSSL_PUT_ERROR(TRUST_TOKEN, ERR_R_INTERNAL_ERROR);\n return 0;\n }\n\n int ret = 0;\n EC_JACOBIAN *Tps = reinterpret_cast(\n OPENSSL_calloc(num_to_issue, sizeof(EC_JACOBIAN)));\n EC_JACOBIAN *Sps = reinterpret_cast(\n OPENSSL_calloc(num_to_issue, sizeof(EC_JACOBIAN)));\n EC_JACOBIAN *Wps = reinterpret_cast(\n OPENSSL_calloc(num_to_issue, sizeof(EC_JACOBIAN)));\n EC_JACOBIAN *Wsps = reinterpret_cast(\n OPENSSL_calloc(num_to_issue, sizeof(EC_JACOBIAN)));\n EC_SCALAR *es = reinterpret_cast(\n OPENSSL_calloc(num_to_issue, sizeof(EC_SCALAR)));\n CBB batch_cbb;\n CBB_zero(&batch_cbb);\n\n {\n if (!Tps || !Sps || !Wps || !Wsps || !es || !CBB_init(&batch_cbb, 0) ||\n !point_to_cbb(&batch_cbb, method->group, &key->pubs) ||\n !point_to_cbb(&batch_cbb, method->group, &key->pub0) ||\n !point_to_cbb(&batch_cbb, method->group, &key->pub1)) {\n goto err;\n }\n\n for (size_t i = 0; i < num_to_issue; i++) {\n EC_AFFINE Tp_affine;\n EC_JACOBIAN Tp;\n if (!cbs_get_prefixed_point(cbs, group, &Tp_affine,\n method->prefix_point)) {\n OPENSSL_PUT_ERROR(TRUST_TOKEN, TRUST_TOKEN_R_DECODE_FAILURE);\n goto err;\n }\n ec_affine_to_jacobian(group, &Tp, &Tp_affine);\n\n EC_SCALAR xb, yb;\n BN_ULONG mask = ((BN_ULONG)0) - (private_metadata & 1);\n ec_scalar_select(group, &xb, mask, &key->x1, &key->x0);\n ec_scalar_select(group, &yb, mask, &key->y1, &key->y0);\n\n uint8_t s[TRUST_TOKEN_NONCE_SIZE];\n RAND_bytes(s, TRUST_TOKEN_NONCE_SIZE);\n // The |jacobians| and |affines| contain Sp, Wp, and Wsp.\n EC_JACOBIAN jacobians[3];\n EC_AFFINE affines[3];\n if (!method->hash_s(group, &jacobians[0], &Tp_affine, s) ||\n !ec_point_mul_scalar_batch(group, &jacobians[1], &Tp, &xb,\n &jacobians[0], &yb, NULL, NULL) ||\n !ec_point_mul_scalar_batch(group, &jacobians[2], &Tp, &key->xs,\n &jacobians[0], &key->ys, NULL, NULL) ||\n !ec_jacobian_to_affine_batch(group, affines, jacobians, 3) ||\n !CBB_add_bytes(cbb, s, TRUST_TOKEN_NONCE_SIZE) ||\n !cbb_add_prefixed_point(cbb, group, &affines[1],\n method->prefix_point) ||\n !cbb_add_prefixed_point(cbb, group, &affines[2],\n method->prefix_point)) {\n goto err;\n }\n\n if (!point_to_cbb(&batch_cbb, group, &Tp_affine) ||\n !point_to_cbb(&batch_cbb, group, &affines[0]) ||\n !point_to_cbb(&batch_cbb, group, &affines[1]) ||\n !point_to_cbb(&batch_cbb, group, &affines[2])) {\n goto err;\n }\n Tps[i] = Tp;\n Sps[i] = jacobians[0];\n Wps[i] = jacobians[1];\n Wsps[i] = jacobians[2];\n\n if (!CBB_flush(cbb)) {\n goto err;\n }\n }\n\n // The DLEQ batching construction is described in appendix B of\n // https://eprint.iacr.org/2020/072/20200324:214215. Note the additional\n // computations all act on public inputs.\n for (size_t i = 0; i < num_to_issue; i++) {\n if (!hash_c_batch(method, &es[i], &batch_cbb, i)) {\n goto err;\n }\n }\n\n EC_JACOBIAN Tp_batch, Sp_batch, Wp_batch, Wsp_batch;\n if (!ec_point_mul_scalar_public_batch(group, &Tp_batch,\n /*g_scalar=*/NULL, Tps, es,\n num_to_issue) ||\n !ec_point_mul_scalar_public_batch(group, &Sp_batch,\n /*g_scalar=*/NULL, Sps, es,\n num_to_issue) ||\n !ec_point_mul_scalar_public_batch(group, &Wp_batch,\n /*g_scalar=*/NULL, Wps, es,\n num_to_issue) ||\n !ec_point_mul_scalar_public_batch(group, &Wsp_batch,\n /*g_scalar=*/NULL, Wsps, es,\n num_to_issue)) {\n goto err;\n }\n\n CBB proof;\n if (!CBB_add_u16_length_prefixed(cbb, &proof) ||\n !dleq_generate(method, &proof, key, &Tp_batch, &Sp_batch, &Wp_batch,\n &Wsp_batch, private_metadata) ||\n !CBB_flush(cbb)) {\n goto err;\n }\n\n // Skip over any unused requests.\n size_t point_len = ec_point_byte_len(group, POINT_CONVERSION_UNCOMPRESSED);\n size_t token_len = point_len;\n if (method->prefix_point) {\n token_len += 2;\n }\n if (!CBS_skip(cbs, token_len * (num_requested - num_to_issue))) {\n OPENSSL_PUT_ERROR(TRUST_TOKEN, TRUST_TOKEN_R_DECODE_FAILURE);\n goto err;\n }\n\n ret = 1;\n }\n\nerr:\n OPENSSL_free(Tps);\n OPENSSL_free(Sps);\n OPENSSL_free(Wps);\n OPENSSL_free(Wsps);\n OPENSSL_free(es);\n CBB_cleanup(&batch_cbb);\n return ret;\n}\n\nstatic STACK_OF(TRUST_TOKEN) *pmbtoken_unblind(\n const PMBTOKEN_METHOD *method, const TRUST_TOKEN_CLIENT_KEY *key,\n const STACK_OF(TRUST_TOKEN_PRETOKEN) *pretokens, CBS *cbs, size_t count,\n uint32_t key_id) {\n const EC_GROUP *group = method->group;\n if (count > sk_TRUST_TOKEN_PRETOKEN_num(pretokens)) {\n OPENSSL_PUT_ERROR(TRUST_TOKEN, TRUST_TOKEN_R_DECODE_FAILURE);\n return NULL;\n }\n\n int ok = 0;\n STACK_OF(TRUST_TOKEN) *ret = sk_TRUST_TOKEN_new_null();\n EC_JACOBIAN *Tps = reinterpret_cast(\n OPENSSL_calloc(count, sizeof(EC_JACOBIAN)));\n EC_JACOBIAN *Sps = reinterpret_cast(\n OPENSSL_calloc(count, sizeof(EC_JACOBIAN)));\n EC_JACOBIAN *Wps = reinterpret_cast(\n OPENSSL_calloc(count, sizeof(EC_JACOBIAN)));\n EC_JACOBIAN *Wsps = reinterpret_cast(\n OPENSSL_calloc(count, sizeof(EC_JACOBIAN)));\n EC_SCALAR *es =\n reinterpret_cast(OPENSSL_calloc(count, sizeof(EC_SCALAR)));\n CBB batch_cbb;\n CBB_zero(&batch_cbb);\n if (ret == NULL || Tps == NULL || Sps == NULL || Wps == NULL ||\n Wsps == NULL || es == NULL || !CBB_init(&batch_cbb, 0) ||\n !point_to_cbb(&batch_cbb, method->group, &key->pubs) ||\n !point_to_cbb(&batch_cbb, method->group, &key->pub0) ||\n !point_to_cbb(&batch_cbb, method->group, &key->pub1)) {\n goto err;\n }\n\n for (size_t i = 0; i < count; i++) {\n const TRUST_TOKEN_PRETOKEN *pretoken =\n sk_TRUST_TOKEN_PRETOKEN_value(pretokens, i);\n\n uint8_t s[TRUST_TOKEN_NONCE_SIZE];\n EC_AFFINE Wp_affine, Wsp_affine;\n if (!CBS_copy_bytes(cbs, s, TRUST_TOKEN_NONCE_SIZE) ||\n !cbs_get_prefixed_point(cbs, group, &Wp_affine, method->prefix_point) ||\n !cbs_get_prefixed_point(cbs, group, &Wsp_affine,\n method->prefix_point)) {\n OPENSSL_PUT_ERROR(TRUST_TOKEN, TRUST_TOKEN_R_DECODE_FAILURE);\n goto err;\n }\n\n ec_affine_to_jacobian(group, &Tps[i], &pretoken->Tp);\n ec_affine_to_jacobian(group, &Wps[i], &Wp_affine);\n ec_affine_to_jacobian(group, &Wsps[i], &Wsp_affine);\n if (!method->hash_s(group, &Sps[i], &pretoken->Tp, s)) {\n goto err;\n }\n\n EC_AFFINE Sp_affine;\n if (!point_to_cbb(&batch_cbb, group, &pretoken->Tp) ||\n !ec_jacobian_to_affine(group, &Sp_affine, &Sps[i]) ||\n !point_to_cbb(&batch_cbb, group, &Sp_affine) ||\n !point_to_cbb(&batch_cbb, group, &Wp_affine) ||\n !point_to_cbb(&batch_cbb, group, &Wsp_affine)) {\n goto err;\n }\n\n // Unblind the token.\n EC_JACOBIAN jacobians[3];\n EC_AFFINE affines[3];\n if (!ec_point_mul_scalar(group, &jacobians[0], &Sps[i], &pretoken->r) ||\n !ec_point_mul_scalar(group, &jacobians[1], &Wps[i], &pretoken->r) ||\n !ec_point_mul_scalar(group, &jacobians[2], &Wsps[i], &pretoken->r) ||\n !ec_jacobian_to_affine_batch(group, affines, jacobians, 3)) {\n goto err;\n }\n\n // Serialize the token. Include |key_id| to avoid an extra copy in the layer\n // above.\n CBB token_cbb;\n size_t point_len = ec_point_byte_len(group, POINT_CONVERSION_UNCOMPRESSED);\n if (!CBB_init(&token_cbb,\n 4 + TRUST_TOKEN_NONCE_SIZE + 3 * (2 + point_len)) ||\n !CBB_add_u32(&token_cbb, key_id) ||\n !CBB_add_bytes(&token_cbb, pretoken->salt, TRUST_TOKEN_NONCE_SIZE) ||\n !cbb_add_prefixed_point(&token_cbb, group, &affines[0],\n method->prefix_point) ||\n !cbb_add_prefixed_point(&token_cbb, group, &affines[1],\n method->prefix_point) ||\n !cbb_add_prefixed_point(&token_cbb, group, &affines[2],\n method->prefix_point) ||\n !CBB_flush(&token_cbb)) {\n CBB_cleanup(&token_cbb);\n goto err;\n }\n\n TRUST_TOKEN *token =\n TRUST_TOKEN_new(CBB_data(&token_cbb), CBB_len(&token_cbb));\n CBB_cleanup(&token_cbb);\n if (token == NULL || !sk_TRUST_TOKEN_push(ret, token)) {\n TRUST_TOKEN_free(token);\n goto err;\n }\n }\n\n // The DLEQ batching construction is described in appendix B of\n // https://eprint.iacr.org/2020/072/20200324:214215. Note the additional\n // computations all act on public inputs.\n for (size_t i = 0; i < count; i++) {\n if (!hash_c_batch(method, &es[i], &batch_cbb, i)) {\n goto err;\n }\n }\n\n EC_JACOBIAN Tp_batch, Sp_batch, Wp_batch, Wsp_batch;\n if (!ec_point_mul_scalar_public_batch(group, &Tp_batch,\n /*g_scalar=*/NULL, Tps, es, count) ||\n !ec_point_mul_scalar_public_batch(group, &Sp_batch,\n /*g_scalar=*/NULL, Sps, es, count) ||\n !ec_point_mul_scalar_public_batch(group, &Wp_batch,\n /*g_scalar=*/NULL, Wps, es, count) ||\n !ec_point_mul_scalar_public_batch(group, &Wsp_batch,\n /*g_scalar=*/NULL, Wsps, es, count)) {\n goto err;\n }\n\n CBS proof;\n if (!CBS_get_u16_length_prefixed(cbs, &proof) ||\n !dleq_verify(method, &proof, key, &Tp_batch, &Sp_batch, &Wp_batch,\n &Wsp_batch) ||\n CBS_len(&proof) != 0) {\n goto err;\n }\n\n ok = 1;\n\nerr:\n OPENSSL_free(Tps);\n OPENSSL_free(Sps);\n OPENSSL_free(Wps);\n OPENSSL_free(Wsps);\n OPENSSL_free(es);\n CBB_cleanup(&batch_cbb);\n if (!ok) {\n sk_TRUST_TOKEN_pop_free(ret, TRUST_TOKEN_free);\n ret = NULL;\n }\n return ret;\n}\n\nstatic int pmbtoken_read(const PMBTOKEN_METHOD *method,\n const TRUST_TOKEN_ISSUER_KEY *key,\n uint8_t out_nonce[TRUST_TOKEN_NONCE_SIZE],\n uint8_t *out_private_metadata, const uint8_t *token,\n size_t token_len, int include_message,\n const uint8_t *msg, size_t msg_len) {\n const EC_GROUP *group = method->group;\n CBS cbs, salt;\n CBS_init(&cbs, token, token_len);\n EC_AFFINE S, W, Ws;\n if (!CBS_get_bytes(&cbs, &salt, TRUST_TOKEN_NONCE_SIZE) ||\n !cbs_get_prefixed_point(&cbs, group, &S, method->prefix_point) ||\n !cbs_get_prefixed_point(&cbs, group, &W, method->prefix_point) ||\n !cbs_get_prefixed_point(&cbs, group, &Ws, method->prefix_point) ||\n CBS_len(&cbs) != 0) {\n OPENSSL_PUT_ERROR(TRUST_TOKEN, TRUST_TOKEN_R_INVALID_TOKEN);\n return 0;\n }\n\n if (include_message) {\n SHA512_CTX hash_ctx;\n assert(SHA512_DIGEST_LENGTH == TRUST_TOKEN_NONCE_SIZE);\n SHA512_Init(&hash_ctx);\n SHA512_Update(&hash_ctx, CBS_data(&salt), CBS_len(&salt));\n SHA512_Update(&hash_ctx, msg, msg_len);\n SHA512_Final(out_nonce, &hash_ctx);\n } else {\n OPENSSL_memcpy(out_nonce, CBS_data(&salt), CBS_len(&salt));\n }\n\n EC_JACOBIAN T;\n if (!method->hash_t(group, &T, out_nonce)) {\n return 0;\n }\n\n // We perform three multiplications with S and T. This is enough that it is\n // worth using |ec_point_mul_scalar_precomp|.\n EC_JACOBIAN S_jacobian;\n EC_PRECOMP S_precomp, T_precomp;\n ec_affine_to_jacobian(group, &S_jacobian, &S);\n if (!ec_init_precomp(group, &S_precomp, &S_jacobian) ||\n !ec_init_precomp(group, &T_precomp, &T)) {\n return 0;\n }\n\n EC_JACOBIAN Ws_calculated;\n // Check the validity of the token.\n if (!ec_point_mul_scalar_precomp(group, &Ws_calculated, &T_precomp, &key->xs,\n &S_precomp, &key->ys, NULL, NULL) ||\n !ec_affine_jacobian_equal(group, &Ws, &Ws_calculated)) {\n OPENSSL_PUT_ERROR(TRUST_TOKEN, TRUST_TOKEN_R_BAD_VALIDITY_CHECK);\n return 0;\n }\n\n EC_JACOBIAN W0, W1;\n if (!ec_point_mul_scalar_precomp(group, &W0, &T_precomp, &key->x0, &S_precomp,\n &key->y0, NULL, NULL) ||\n !ec_point_mul_scalar_precomp(group, &W1, &T_precomp, &key->x1, &S_precomp,\n &key->y1, NULL, NULL)) {\n return 0;\n }\n\n const int is_W0 = ec_affine_jacobian_equal(group, &W, &W0);\n const int is_W1 = ec_affine_jacobian_equal(group, &W, &W1);\n const int is_valid = is_W0 ^ is_W1;\n if (!is_valid) {\n // Invalid tokens will fail the validity check above.\n OPENSSL_PUT_ERROR(TRUST_TOKEN, ERR_R_INTERNAL_ERROR);\n return 0;\n }\n\n *out_private_metadata = is_W1;\n return 1;\n}\n\n\n// PMBTokens experiment v1.\n\nstatic int pmbtoken_exp1_hash_t(const EC_GROUP *group, EC_JACOBIAN *out,\n const uint8_t t[TRUST_TOKEN_NONCE_SIZE]) {\n const uint8_t kHashTLabel[] = \"PMBTokens Experiment V1 HashT\";\n return ec_hash_to_curve_p384_xmd_sha512_sswu_draft07(\n group, out, kHashTLabel, sizeof(kHashTLabel), t, TRUST_TOKEN_NONCE_SIZE);\n}\n\nstatic int pmbtoken_exp1_hash_s(const EC_GROUP *group, EC_JACOBIAN *out,\n const EC_AFFINE *t,\n const uint8_t s[TRUST_TOKEN_NONCE_SIZE]) {\n const uint8_t kHashSLabel[] = \"PMBTokens Experiment V1 HashS\";\n int ret = 0;\n CBB cbb;\n uint8_t *buf = NULL;\n size_t len;\n if (!CBB_init(&cbb, 0) || !point_to_cbb(&cbb, group, t) ||\n !CBB_add_bytes(&cbb, s, TRUST_TOKEN_NONCE_SIZE) ||\n !CBB_finish(&cbb, &buf, &len) ||\n !ec_hash_to_curve_p384_xmd_sha512_sswu_draft07(\n group, out, kHashSLabel, sizeof(kHashSLabel), buf, len)) {\n goto err;\n }\n\n ret = 1;\n\nerr:\n OPENSSL_free(buf);\n CBB_cleanup(&cbb);\n return ret;\n}\n\nstatic int pmbtoken_exp1_hash_c(const EC_GROUP *group, EC_SCALAR *out,\n uint8_t *buf, size_t len) {\n const uint8_t kHashCLabel[] = \"PMBTokens Experiment V1 HashC\";\n return ec_hash_to_scalar_p384_xmd_sha512_draft07(\n group, out, kHashCLabel, sizeof(kHashCLabel), buf, len);\n}\n\nstatic int pmbtoken_exp1_hash_to_scalar(const EC_GROUP *group, EC_SCALAR *out,\n uint8_t *buf, size_t len) {\n const uint8_t kHashLabel[] = \"PMBTokens Experiment V1 HashToScalar\";\n return ec_hash_to_scalar_p384_xmd_sha512_draft07(\n group, out, kHashLabel, sizeof(kHashLabel), buf, len);\n}\n\nstatic int pmbtoken_exp1_ok = 0;\nstatic PMBTOKEN_METHOD pmbtoken_exp1_method;\nstatic CRYPTO_once_t pmbtoken_exp1_method_once = CRYPTO_ONCE_INIT;\n\nstatic void pmbtoken_exp1_init_method_impl(void) {\n // This is the output of |ec_hash_to_scalar_p384_xmd_sha512_draft07| with DST\n // \"PMBTokens Experiment V1 HashH\" and message \"generator\".\n static const uint8_t kH[] = {\n 0x04, 0x82, 0xd5, 0x68, 0xf5, 0x39, 0xf6, 0x08, 0x19, 0xa1, 0x75,\n 0x9f, 0x98, 0xb5, 0x10, 0xf5, 0x0b, 0x9d, 0x2b, 0xe1, 0x64, 0x4d,\n 0x02, 0x76, 0x18, 0x11, 0xf8, 0x2f, 0xd3, 0x33, 0x25, 0x1f, 0x2c,\n 0xb8, 0xf6, 0xf1, 0x9e, 0x93, 0x85, 0x79, 0xb3, 0xb7, 0x81, 0xa3,\n 0xe6, 0x23, 0xc3, 0x1c, 0xff, 0x03, 0xd9, 0x40, 0x6c, 0xec, 0xe0,\n 0x4d, 0xea, 0xdf, 0x9d, 0x94, 0xd1, 0x87, 0xab, 0x27, 0xf7, 0x4f,\n 0x53, 0xea, 0xa3, 0x18, 0x72, 0xb9, 0xd1, 0x56, 0xa0, 0x4e, 0x81,\n 0xaa, 0xeb, 0x1c, 0x22, 0x6d, 0x39, 0x1c, 0x5e, 0xb1, 0x27, 0xfc,\n 0x87, 0xc3, 0x95, 0xd0, 0x13, 0xb7, 0x0b, 0x5c, 0xc7,\n };\n\n pmbtoken_exp1_ok = pmbtoken_init_method(\n &pmbtoken_exp1_method, EC_group_p384(), kH, sizeof(kH),\n pmbtoken_exp1_hash_t, pmbtoken_exp1_hash_s, pmbtoken_exp1_hash_c,\n pmbtoken_exp1_hash_to_scalar, 1);\n}\n\nstatic int pmbtoken_exp1_init_method(void) {\n CRYPTO_once(&pmbtoken_exp1_method_once, pmbtoken_exp1_init_method_impl);\n if (!pmbtoken_exp1_ok) {\n OPENSSL_PUT_ERROR(TRUST_TOKEN, ERR_R_INTERNAL_ERROR);\n return 0;\n }\n return 1;\n}\n\nint pmbtoken_exp1_generate_key(CBB *out_private, CBB *out_public) {\n if (!pmbtoken_exp1_init_method()) {\n return 0;\n }\n\n return pmbtoken_generate_key(&pmbtoken_exp1_method, out_private, out_public);\n}\n\nint pmbtoken_exp1_derive_key_from_secret(CBB *out_private, CBB *out_public,\n const uint8_t *secret,\n size_t secret_len) {\n if (!pmbtoken_exp1_init_method()) {\n return 0;\n }\n\n return pmbtoken_derive_key_from_secret(&pmbtoken_exp1_method, out_private,\n out_public, secret, secret_len);\n}\n\nint pmbtoken_exp1_client_key_from_bytes(TRUST_TOKEN_CLIENT_KEY *key,\n const uint8_t *in, size_t len) {\n if (!pmbtoken_exp1_init_method()) {\n return 0;\n }\n return pmbtoken_client_key_from_bytes(&pmbtoken_exp1_method, key, in, len);\n}\n\nint pmbtoken_exp1_issuer_key_from_bytes(TRUST_TOKEN_ISSUER_KEY *key,\n const uint8_t *in, size_t len) {\n if (!pmbtoken_exp1_init_method()) {\n return 0;\n }\n return pmbtoken_issuer_key_from_bytes(&pmbtoken_exp1_method, key, in, len);\n}\n\nSTACK_OF(TRUST_TOKEN_PRETOKEN) *pmbtoken_exp1_blind(CBB *cbb, size_t count,\n int include_message,\n const uint8_t *msg,\n size_t msg_len) {\n if (!pmbtoken_exp1_init_method()) {\n return NULL;\n }\n return pmbtoken_blind(&pmbtoken_exp1_method, cbb, count, include_message, msg,\n msg_len);\n}\n\nint pmbtoken_exp1_sign(const TRUST_TOKEN_ISSUER_KEY *key, CBB *cbb, CBS *cbs,\n size_t num_requested, size_t num_to_issue,\n uint8_t private_metadata) {\n if (!pmbtoken_exp1_init_method()) {\n return 0;\n }\n return pmbtoken_sign(&pmbtoken_exp1_method, key, cbb, cbs, num_requested,\n num_to_issue, private_metadata);\n}\n\nSTACK_OF(TRUST_TOKEN) *pmbtoken_exp1_unblind(\n const TRUST_TOKEN_CLIENT_KEY *key,\n const STACK_OF(TRUST_TOKEN_PRETOKEN) *pretokens, CBS *cbs, size_t count,\n uint32_t key_id) {\n if (!pmbtoken_exp1_init_method()) {\n return NULL;\n }\n return pmbtoken_unblind(&pmbtoken_exp1_method, key, pretokens, cbs, count,\n key_id);\n}\n\nint pmbtoken_exp1_read(const TRUST_TOKEN_ISSUER_KEY *key,\n uint8_t out_nonce[TRUST_TOKEN_NONCE_SIZE],\n uint8_t *out_private_metadata, const uint8_t *token,\n size_t token_len, int include_message,\n const uint8_t *msg, size_t msg_len) {\n if (!pmbtoken_exp1_init_method()) {\n return 0;\n }\n return pmbtoken_read(&pmbtoken_exp1_method, key, out_nonce,\n out_private_metadata, token, token_len, include_message,\n msg, msg_len);\n}\n\nint pmbtoken_exp1_get_h_for_testing(uint8_t out[97]) {\n if (!pmbtoken_exp1_init_method()) {\n return 0;\n }\n EC_AFFINE h;\n return ec_jacobian_to_affine(pmbtoken_exp1_method.group, &h,\n &pmbtoken_exp1_method.h) &&\n ec_point_to_bytes(pmbtoken_exp1_method.group, &h,\n POINT_CONVERSION_UNCOMPRESSED, out, 97) == 97;\n}\n\n// PMBTokens experiment v2.\n\nstatic int pmbtoken_exp2_hash_t(const EC_GROUP *group, EC_JACOBIAN *out,\n const uint8_t t[TRUST_TOKEN_NONCE_SIZE]) {\n const uint8_t kHashTLabel[] = \"PMBTokens Experiment V2 HashT\";\n return ec_hash_to_curve_p384_xmd_sha512_sswu_draft07(\n group, out, kHashTLabel, sizeof(kHashTLabel), t, TRUST_TOKEN_NONCE_SIZE);\n}\n\nstatic int pmbtoken_exp2_hash_s(const EC_GROUP *group, EC_JACOBIAN *out,\n const EC_AFFINE *t,\n const uint8_t s[TRUST_TOKEN_NONCE_SIZE]) {\n const uint8_t kHashSLabel[] = \"PMBTokens Experiment V2 HashS\";\n int ret = 0;\n CBB cbb;\n uint8_t *buf = NULL;\n size_t len;\n if (!CBB_init(&cbb, 0) || !point_to_cbb(&cbb, group, t) ||\n !CBB_add_bytes(&cbb, s, TRUST_TOKEN_NONCE_SIZE) ||\n !CBB_finish(&cbb, &buf, &len) ||\n !ec_hash_to_curve_p384_xmd_sha512_sswu_draft07(\n group, out, kHashSLabel, sizeof(kHashSLabel), buf, len)) {\n goto err;\n }\n\n ret = 1;\n\nerr:\n OPENSSL_free(buf);\n CBB_cleanup(&cbb);\n return ret;\n}\n\nstatic int pmbtoken_exp2_hash_c(const EC_GROUP *group, EC_SCALAR *out,\n uint8_t *buf, size_t len) {\n const uint8_t kHashCLabel[] = \"PMBTokens Experiment V2 HashC\";\n return ec_hash_to_scalar_p384_xmd_sha512_draft07(\n group, out, kHashCLabel, sizeof(kHashCLabel), buf, len);\n}\n\nstatic int pmbtoken_exp2_hash_to_scalar(const EC_GROUP *group, EC_SCALAR *out,\n uint8_t *buf, size_t len) {\n const uint8_t kHashLabel[] = \"PMBTokens Experiment V2 HashToScalar\";\n return ec_hash_to_scalar_p384_xmd_sha512_draft07(\n group, out, kHashLabel, sizeof(kHashLabel), buf, len);\n}\n\nstatic int pmbtoken_exp2_ok = 0;\nstatic PMBTOKEN_METHOD pmbtoken_exp2_method;\nstatic CRYPTO_once_t pmbtoken_exp2_method_once = CRYPTO_ONCE_INIT;\n\nstatic void pmbtoken_exp2_init_method_impl(void) {\n // This is the output of |ec_hash_to_scalar_p384_xmd_sha512_draft07| with DST\n // \"PMBTokens Experiment V2 HashH\" and message \"generator\".\n static const uint8_t kH[] = {\n 0x04, 0xbc, 0x27, 0x24, 0x99, 0xfa, 0xc9, 0xa4, 0x74, 0x6f, 0xf9,\n 0x07, 0x81, 0x55, 0xf8, 0x1f, 0x6f, 0xda, 0x09, 0xe7, 0x8c, 0x5d,\n 0x9e, 0x4e, 0x14, 0x7c, 0x53, 0x14, 0xbc, 0x7e, 0x29, 0x57, 0x92,\n 0x17, 0x94, 0x6e, 0xd2, 0xdf, 0xa5, 0x31, 0x1b, 0x4e, 0xb7, 0xfc,\n 0x93, 0xe3, 0x6e, 0x14, 0x1f, 0x4f, 0x14, 0xf3, 0xe5, 0x47, 0x61,\n 0x1c, 0x2c, 0x72, 0x25, 0xf0, 0x4a, 0x45, 0x23, 0x2d, 0x57, 0x93,\n 0x0e, 0xb2, 0x55, 0xb8, 0x57, 0x25, 0x4c, 0x1e, 0xdb, 0xfd, 0x58,\n 0x70, 0x17, 0x9a, 0xbb, 0x9e, 0x5e, 0x93, 0x9e, 0x92, 0xd3, 0xe8,\n 0x25, 0x62, 0xbf, 0x59, 0xb2, 0xd2, 0x3d, 0x71, 0xff};\n\n pmbtoken_exp2_ok = pmbtoken_init_method(\n &pmbtoken_exp2_method, EC_group_p384(), kH, sizeof(kH),\n pmbtoken_exp2_hash_t, pmbtoken_exp2_hash_s, pmbtoken_exp2_hash_c,\n pmbtoken_exp2_hash_to_scalar, 0);\n}\n\nstatic int pmbtoken_exp2_init_method(void) {\n CRYPTO_once(&pmbtoken_exp2_method_once, pmbtoken_exp2_init_method_impl);\n if (!pmbtoken_exp2_ok) {\n OPENSSL_PUT_ERROR(TRUST_TOKEN, ERR_R_INTERNAL_ERROR);\n return 0;\n }\n return 1;\n}\n\nint pmbtoken_exp2_generate_key(CBB *out_private, CBB *out_public) {\n if (!pmbtoken_exp2_init_method()) {\n return 0;\n }\n\n return pmbtoken_generate_key(&pmbtoken_exp2_method, out_private, out_public);\n}\n\n\nint pmbtoken_exp2_derive_key_from_secret(CBB *out_private, CBB *out_public,\n const uint8_t *secret,\n size_t secret_len) {\n if (!pmbtoken_exp2_init_method()) {\n return 0;\n }\n\n return pmbtoken_derive_key_from_secret(&pmbtoken_exp2_method, out_private,\n out_public, secret, secret_len);\n}\n\nint pmbtoken_exp2_client_key_from_bytes(TRUST_TOKEN_CLIENT_KEY *key,\n const uint8_t *in, size_t len) {\n if (!pmbtoken_exp2_init_method()) {\n return 0;\n }\n return pmbtoken_client_key_from_bytes(&pmbtoken_exp2_method, key, in, len);\n}\n\nint pmbtoken_exp2_issuer_key_from_bytes(TRUST_TOKEN_ISSUER_KEY *key,\n const uint8_t *in, size_t len) {\n if (!pmbtoken_exp2_init_method()) {\n return 0;\n }\n return pmbtoken_issuer_key_from_bytes(&pmbtoken_exp2_method, key, in, len);\n}\n\nSTACK_OF(TRUST_TOKEN_PRETOKEN) *pmbtoken_exp2_blind(CBB *cbb, size_t count,\n int include_message,\n const uint8_t *msg,\n size_t msg_len) {\n if (!pmbtoken_exp2_init_method()) {\n return NULL;\n }\n return pmbtoken_blind(&pmbtoken_exp2_method, cbb, count, include_message, msg,\n msg_len);\n}\n\nint pmbtoken_exp2_sign(const TRUST_TOKEN_ISSUER_KEY *key, CBB *cbb, CBS *cbs,\n size_t num_requested, size_t num_to_issue,\n uint8_t private_metadata) {\n if (!pmbtoken_exp2_init_method()) {\n return 0;\n }\n return pmbtoken_sign(&pmbtoken_exp2_method, key, cbb, cbs, num_requested,\n num_to_issue, private_metadata);\n}\n\nSTACK_OF(TRUST_TOKEN) *pmbtoken_exp2_unblind(\n const TRUST_TOKEN_CLIENT_KEY *key,\n const STACK_OF(TRUST_TOKEN_PRETOKEN) *pretokens, CBS *cbs, size_t count,\n uint32_t key_id) {\n if (!pmbtoken_exp2_init_method()) {\n return NULL;\n }\n return pmbtoken_unblind(&pmbtoken_exp2_method, key, pretokens, cbs, count,\n key_id);\n}\n\nint pmbtoken_exp2_read(const TRUST_TOKEN_ISSUER_KEY *key,\n uint8_t out_nonce[TRUST_TOKEN_NONCE_SIZE],\n uint8_t *out_private_metadata, const uint8_t *token,\n size_t token_len, int include_message,\n const uint8_t *msg, size_t msg_len) {\n if (!pmbtoken_exp2_init_method()) {\n return 0;\n }\n return pmbtoken_read(&pmbtoken_exp2_method, key, out_nonce,\n out_private_metadata, token, token_len, include_message,\n msg, msg_len);\n}\n\nint pmbtoken_exp2_get_h_for_testing(uint8_t out[97]) {\n if (!pmbtoken_exp2_init_method()) {\n return 0;\n }\n EC_AFFINE h;\n return ec_jacobian_to_affine(pmbtoken_exp2_method.group, &h,\n &pmbtoken_exp2_method.h) &&\n ec_point_to_bytes(pmbtoken_exp2_method.group, &h,\n POINT_CONVERSION_UNCOMPRESSED, out, 97) == 97;\n}\n\n// PMBTokens PST v1.\n\nstatic int pmbtoken_pst1_hash_t(const EC_GROUP *group, EC_JACOBIAN *out,\n const uint8_t t[TRUST_TOKEN_NONCE_SIZE]) {\n const uint8_t kHashTLabel[] = \"PMBTokens PST V1 HashT\";\n return ec_hash_to_curve_p384_xmd_sha384_sswu(\n group, out, kHashTLabel, sizeof(kHashTLabel), t, TRUST_TOKEN_NONCE_SIZE);\n}\n\nstatic int pmbtoken_pst1_hash_s(const EC_GROUP *group, EC_JACOBIAN *out,\n const EC_AFFINE *t,\n const uint8_t s[TRUST_TOKEN_NONCE_SIZE]) {\n const uint8_t kHashSLabel[] = \"PMBTokens PST V1 HashS\";\n int ret = 0;\n CBB cbb;\n uint8_t *buf = NULL;\n size_t len;\n if (!CBB_init(&cbb, 0) || !point_to_cbb(&cbb, group, t) ||\n !CBB_add_bytes(&cbb, s, TRUST_TOKEN_NONCE_SIZE) ||\n !CBB_finish(&cbb, &buf, &len) ||\n !ec_hash_to_curve_p384_xmd_sha384_sswu(group, out, kHashSLabel,\n sizeof(kHashSLabel), buf, len)) {\n goto err;\n }\n\n ret = 1;\n\nerr:\n OPENSSL_free(buf);\n CBB_cleanup(&cbb);\n return ret;\n}\n\nstatic int pmbtoken_pst1_hash_c(const EC_GROUP *group, EC_SCALAR *out,\n uint8_t *buf, size_t len) {\n const uint8_t kHashCLabel[] = \"PMBTokens PST V1 HashC\";\n return ec_hash_to_scalar_p384_xmd_sha384(group, out, kHashCLabel,\n sizeof(kHashCLabel), buf, len);\n}\n\nstatic int pmbtoken_pst1_hash_to_scalar(const EC_GROUP *group, EC_SCALAR *out,\n uint8_t *buf, size_t len) {\n const uint8_t kHashLabel[] = \"PMBTokens PST V1 HashToScalar\";\n return ec_hash_to_scalar_p384_xmd_sha384(group, out, kHashLabel,\n sizeof(kHashLabel), buf, len);\n}\n\nstatic int pmbtoken_pst1_ok = 0;\nstatic PMBTOKEN_METHOD pmbtoken_pst1_method;\nstatic CRYPTO_once_t pmbtoken_pst1_method_once = CRYPTO_ONCE_INIT;\n\nstatic void pmbtoken_pst1_init_method_impl(void) {\n // This is the output of |ec_hash_to_scalar_p384_xmd_sha384| with DST\n // \"PMBTokens PST V1 HashH\" and message \"generator\".\n static const uint8_t kH[] = {\n 0x04, 0x4c, 0xfa, 0xd4, 0x33, 0x6d, 0x8c, 0x4e, 0x18, 0xce, 0x1a,\n 0x82, 0x7b, 0x53, 0x8c, 0xf8, 0x63, 0x18, 0xe5, 0xa3, 0x96, 0x0d,\n 0x05, 0xde, 0xf4, 0x83, 0xa7, 0xd8, 0xde, 0x9c, 0x50, 0x81, 0x38,\n 0xc9, 0x38, 0x25, 0xa3, 0x70, 0x97, 0xc1, 0x1c, 0x33, 0x2e, 0x83,\n 0x68, 0x64, 0x9c, 0x53, 0x73, 0xc3, 0x03, 0xc1, 0xa9, 0xd8, 0x92,\n 0xa2, 0x32, 0xf4, 0x22, 0x40, 0x07, 0x2d, 0x9b, 0x6f, 0xab, 0xff,\n 0x2a, 0x92, 0x03, 0xb1, 0x73, 0x09, 0x1a, 0x6a, 0x4a, 0xc2, 0x4c,\n 0xac, 0x13, 0x59, 0xf4, 0x28, 0x0e, 0x78, 0x69, 0xa5, 0xdf, 0x0d,\n 0x74, 0xeb, 0x14, 0xca, 0x8a, 0x32, 0xbb, 0xd3, 0x91};\n\n pmbtoken_pst1_ok = pmbtoken_init_method(\n &pmbtoken_pst1_method, EC_group_p384(), kH, sizeof(kH),\n pmbtoken_pst1_hash_t, pmbtoken_pst1_hash_s, pmbtoken_pst1_hash_c,\n pmbtoken_pst1_hash_to_scalar, 0);\n}\n\nstatic int pmbtoken_pst1_init_method(void) {\n CRYPTO_once(&pmbtoken_pst1_method_once, pmbtoken_pst1_init_method_impl);\n if (!pmbtoken_pst1_ok) {\n OPENSSL_PUT_ERROR(TRUST_TOKEN, ERR_R_INTERNAL_ERROR);\n return 0;\n }\n return 1;\n}\n\nint pmbtoken_pst1_generate_key(CBB *out_private, CBB *out_public) {\n if (!pmbtoken_pst1_init_method()) {\n return 0;\n }\n\n return pmbtoken_generate_key(&pmbtoken_pst1_method, out_private, out_public);\n}\n\n\nint pmbtoken_pst1_derive_key_from_secret(CBB *out_private, CBB *out_public,\n const uint8_t *secret,\n size_t secret_len) {\n if (!pmbtoken_pst1_init_method()) {\n return 0;\n }\n\n return pmbtoken_derive_key_from_secret(&pmbtoken_pst1_method, out_private,\n out_public, secret, secret_len);\n}\n\nint pmbtoken_pst1_client_key_from_bytes(TRUST_TOKEN_CLIENT_KEY *key,\n const uint8_t *in, size_t len) {\n if (!pmbtoken_pst1_init_method()) {\n return 0;\n }\n return pmbtoken_client_key_from_bytes(&pmbtoken_pst1_method, key, in, len);\n}\n\nint pmbtoken_pst1_issuer_key_from_bytes(TRUST_TOKEN_ISSUER_KEY *key,\n const uint8_t *in, size_t len) {\n if (!pmbtoken_pst1_init_method()) {\n return 0;\n }\n return pmbtoken_issuer_key_from_bytes(&pmbtoken_pst1_method, key, in, len);\n}\n\nSTACK_OF(TRUST_TOKEN_PRETOKEN) *pmbtoken_pst1_blind(CBB *cbb, size_t count,\n int include_message,\n const uint8_t *msg,\n size_t msg_len) {\n if (!pmbtoken_pst1_init_method()) {\n return NULL;\n }\n return pmbtoken_blind(&pmbtoken_pst1_method, cbb, count, include_message, msg,\n msg_len);\n}\n\nint pmbtoken_pst1_sign(const TRUST_TOKEN_ISSUER_KEY *key, CBB *cbb, CBS *cbs,\n size_t num_requested, size_t num_to_issue,\n uint8_t private_metadata) {\n if (!pmbtoken_pst1_init_method()) {\n return 0;\n }\n return pmbtoken_sign(&pmbtoken_pst1_method, key, cbb, cbs, num_requested,\n num_to_issue, private_metadata);\n}\n\nSTACK_OF(TRUST_TOKEN) *pmbtoken_pst1_unblind(\n const TRUST_TOKEN_CLIENT_KEY *key,\n const STACK_OF(TRUST_TOKEN_PRETOKEN) *pretokens, CBS *cbs, size_t count,\n uint32_t key_id) {\n if (!pmbtoken_pst1_init_method()) {\n return NULL;\n }\n return pmbtoken_unblind(&pmbtoken_pst1_method, key, pretokens, cbs, count,\n key_id);\n}\n\nint pmbtoken_pst1_read(const TRUST_TOKEN_ISSUER_KEY *key,\n uint8_t out_nonce[TRUST_TOKEN_NONCE_SIZE],\n uint8_t *out_private_metadata, const uint8_t *token,\n size_t token_len, int include_message,\n const uint8_t *msg, size_t msg_len) {\n if (!pmbtoken_pst1_init_method()) {\n return 0;\n }\n return pmbtoken_read(&pmbtoken_pst1_method, key, out_nonce,\n out_private_metadata, token, token_len, include_message,\n msg, msg_len);\n}\n\nint pmbtoken_pst1_get_h_for_testing(uint8_t out[97]) {\n if (!pmbtoken_pst1_init_method()) {\n return 0;\n }\n EC_AFFINE h;\n return ec_jacobian_to_affine(pmbtoken_pst1_method.group, &h,\n &pmbtoken_pst1_method.h) &&\n ec_point_to_bytes(pmbtoken_pst1_method.group, &h,\n POINT_CONVERSION_UNCOMPRESSED, out, 97) == 97;\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/trust_token/trust_token.cc", "content": "/* Copyright 2019 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n#include \n#include \n#include \n#include \n#include \n#include \n\n#include \"internal.h\"\n\n\n// The Trust Token API is described in\n// https://github.com/WICG/trust-token-api/blob/main/README.md and provides a\n// protocol for issuing and redeeming tokens built on top of the PMBTokens\n// construction.\n\nconst TRUST_TOKEN_METHOD *TRUST_TOKEN_experiment_v1(void) {\n static const TRUST_TOKEN_METHOD kMethod = {\n pmbtoken_exp1_generate_key,\n pmbtoken_exp1_derive_key_from_secret,\n pmbtoken_exp1_client_key_from_bytes,\n pmbtoken_exp1_issuer_key_from_bytes,\n pmbtoken_exp1_blind,\n pmbtoken_exp1_sign,\n pmbtoken_exp1_unblind,\n pmbtoken_exp1_read,\n 1, /* has_private_metadata */\n 3, /* max_keys */\n 1, /* has_srr */\n };\n return &kMethod;\n}\n\nconst TRUST_TOKEN_METHOD *TRUST_TOKEN_experiment_v2_voprf(void) {\n static const TRUST_TOKEN_METHOD kMethod = {\n voprf_exp2_generate_key,\n voprf_exp2_derive_key_from_secret,\n voprf_exp2_client_key_from_bytes,\n voprf_exp2_issuer_key_from_bytes,\n voprf_exp2_blind,\n voprf_exp2_sign,\n voprf_exp2_unblind,\n voprf_exp2_read,\n 0, /* has_private_metadata */\n 6, /* max_keys */\n 0, /* has_srr */\n };\n return &kMethod;\n}\n\nconst TRUST_TOKEN_METHOD *TRUST_TOKEN_experiment_v2_pmb(void) {\n static const TRUST_TOKEN_METHOD kMethod = {\n pmbtoken_exp2_generate_key,\n pmbtoken_exp2_derive_key_from_secret,\n pmbtoken_exp2_client_key_from_bytes,\n pmbtoken_exp2_issuer_key_from_bytes,\n pmbtoken_exp2_blind,\n pmbtoken_exp2_sign,\n pmbtoken_exp2_unblind,\n pmbtoken_exp2_read,\n 1, /* has_private_metadata */\n 3, /* max_keys */\n 0, /* has_srr */\n };\n return &kMethod;\n}\n\nconst TRUST_TOKEN_METHOD *TRUST_TOKEN_pst_v1_voprf(void) {\n static const TRUST_TOKEN_METHOD kMethod = {\n voprf_pst1_generate_key,\n voprf_pst1_derive_key_from_secret,\n voprf_pst1_client_key_from_bytes,\n voprf_pst1_issuer_key_from_bytes,\n voprf_pst1_blind,\n voprf_pst1_sign,\n voprf_pst1_unblind,\n voprf_pst1_read,\n 0, /* has_private_metadata */\n 6, /* max_keys */\n 0, /* has_srr */\n };\n return &kMethod;\n}\n\nconst TRUST_TOKEN_METHOD *TRUST_TOKEN_pst_v1_pmb(void) {\n static const TRUST_TOKEN_METHOD kMethod = {\n pmbtoken_pst1_generate_key,\n pmbtoken_pst1_derive_key_from_secret,\n pmbtoken_pst1_client_key_from_bytes,\n pmbtoken_pst1_issuer_key_from_bytes,\n pmbtoken_pst1_blind,\n pmbtoken_pst1_sign,\n pmbtoken_pst1_unblind,\n pmbtoken_pst1_read,\n 1, /* has_private_metadata */\n 3, /* max_keys */\n 0, /* has_srr */\n };\n return &kMethod;\n}\n\n\nvoid TRUST_TOKEN_PRETOKEN_free(TRUST_TOKEN_PRETOKEN *pretoken) {\n OPENSSL_free(pretoken);\n}\n\nTRUST_TOKEN *TRUST_TOKEN_new(const uint8_t *data, size_t len) {\n TRUST_TOKEN *ret =\n reinterpret_cast(OPENSSL_zalloc(sizeof(TRUST_TOKEN)));\n if (ret == NULL) {\n return NULL;\n }\n ret->data = reinterpret_cast(OPENSSL_memdup(data, len));\n if (len != 0 && ret->data == NULL) {\n OPENSSL_free(ret);\n return NULL;\n }\n ret->len = len;\n return ret;\n}\n\nvoid TRUST_TOKEN_free(TRUST_TOKEN *token) {\n if (token == NULL) {\n return;\n }\n OPENSSL_free(token->data);\n OPENSSL_free(token);\n}\n\nint TRUST_TOKEN_generate_key(const TRUST_TOKEN_METHOD *method,\n uint8_t *out_priv_key, size_t *out_priv_key_len,\n size_t max_priv_key_len, uint8_t *out_pub_key,\n size_t *out_pub_key_len, size_t max_pub_key_len,\n uint32_t id) {\n // Prepend the key ID in front of the PMBTokens format.\n CBB priv_cbb, pub_cbb;\n CBB_init_fixed(&priv_cbb, out_priv_key, max_priv_key_len);\n CBB_init_fixed(&pub_cbb, out_pub_key, max_pub_key_len);\n if (!CBB_add_u32(&priv_cbb, id) || //\n !CBB_add_u32(&pub_cbb, id)) {\n OPENSSL_PUT_ERROR(TRUST_TOKEN, TRUST_TOKEN_R_BUFFER_TOO_SMALL);\n return 0;\n }\n\n if (!method->generate_key(&priv_cbb, &pub_cbb)) {\n return 0;\n }\n\n if (!CBB_finish(&priv_cbb, NULL, out_priv_key_len) ||\n !CBB_finish(&pub_cbb, NULL, out_pub_key_len)) {\n OPENSSL_PUT_ERROR(TRUST_TOKEN, TRUST_TOKEN_R_BUFFER_TOO_SMALL);\n return 0;\n }\n\n return 1;\n}\n\nint TRUST_TOKEN_derive_key_from_secret(\n const TRUST_TOKEN_METHOD *method, uint8_t *out_priv_key,\n size_t *out_priv_key_len, size_t max_priv_key_len, uint8_t *out_pub_key,\n size_t *out_pub_key_len, size_t max_pub_key_len, uint32_t id,\n const uint8_t *secret, size_t secret_len) {\n // Prepend the key ID in front of the PMBTokens format.\n CBB priv_cbb, pub_cbb;\n CBB_init_fixed(&priv_cbb, out_priv_key, max_priv_key_len);\n CBB_init_fixed(&pub_cbb, out_pub_key, max_pub_key_len);\n if (!CBB_add_u32(&priv_cbb, id) || //\n !CBB_add_u32(&pub_cbb, id)) {\n OPENSSL_PUT_ERROR(TRUST_TOKEN, TRUST_TOKEN_R_BUFFER_TOO_SMALL);\n return 0;\n }\n\n if (!method->derive_key_from_secret(&priv_cbb, &pub_cbb, secret,\n secret_len)) {\n return 0;\n }\n\n if (!CBB_finish(&priv_cbb, NULL, out_priv_key_len) ||\n !CBB_finish(&pub_cbb, NULL, out_pub_key_len)) {\n OPENSSL_PUT_ERROR(TRUST_TOKEN, TRUST_TOKEN_R_BUFFER_TOO_SMALL);\n return 0;\n }\n\n return 1;\n}\n\nTRUST_TOKEN_CLIENT *TRUST_TOKEN_CLIENT_new(const TRUST_TOKEN_METHOD *method,\n size_t max_batchsize) {\n if (max_batchsize > 0xffff) {\n // The protocol supports only two-byte token counts.\n OPENSSL_PUT_ERROR(TRUST_TOKEN, ERR_R_OVERFLOW);\n return NULL;\n }\n\n TRUST_TOKEN_CLIENT *ret = reinterpret_cast(\n OPENSSL_zalloc(sizeof(TRUST_TOKEN_CLIENT)));\n if (ret == NULL) {\n return NULL;\n }\n ret->method = method;\n ret->max_batchsize = (uint16_t)max_batchsize;\n return ret;\n}\n\nvoid TRUST_TOKEN_CLIENT_free(TRUST_TOKEN_CLIENT *ctx) {\n if (ctx == NULL) {\n return;\n }\n EVP_PKEY_free(ctx->srr_key);\n sk_TRUST_TOKEN_PRETOKEN_pop_free(ctx->pretokens, TRUST_TOKEN_PRETOKEN_free);\n OPENSSL_free(ctx);\n}\n\nint TRUST_TOKEN_CLIENT_add_key(TRUST_TOKEN_CLIENT *ctx, size_t *out_key_index,\n const uint8_t *key, size_t key_len) {\n if (ctx->num_keys == OPENSSL_ARRAY_SIZE(ctx->keys) ||\n ctx->num_keys >= ctx->method->max_keys) {\n OPENSSL_PUT_ERROR(TRUST_TOKEN, TRUST_TOKEN_R_TOO_MANY_KEYS);\n return 0;\n }\n\n struct trust_token_client_key_st *key_s = &ctx->keys[ctx->num_keys];\n CBS cbs;\n CBS_init(&cbs, key, key_len);\n uint32_t key_id;\n if (!CBS_get_u32(&cbs, &key_id) ||\n !ctx->method->client_key_from_bytes(&key_s->key, CBS_data(&cbs),\n CBS_len(&cbs))) {\n OPENSSL_PUT_ERROR(TRUST_TOKEN, TRUST_TOKEN_R_DECODE_FAILURE);\n return 0;\n }\n key_s->id = key_id;\n *out_key_index = ctx->num_keys;\n ctx->num_keys += 1;\n return 1;\n}\n\nint TRUST_TOKEN_CLIENT_set_srr_key(TRUST_TOKEN_CLIENT *ctx, EVP_PKEY *key) {\n if (!ctx->method->has_srr) {\n return 1;\n }\n EVP_PKEY_free(ctx->srr_key);\n EVP_PKEY_up_ref(key);\n ctx->srr_key = key;\n return 1;\n}\n\nstatic int trust_token_client_begin_issuance_impl(\n TRUST_TOKEN_CLIENT *ctx, uint8_t **out, size_t *out_len, size_t count,\n int include_message, const uint8_t *msg, size_t msg_len) {\n if (count > ctx->max_batchsize) {\n count = ctx->max_batchsize;\n }\n\n int ret = 0;\n CBB request;\n STACK_OF(TRUST_TOKEN_PRETOKEN) *pretokens = NULL;\n if (!CBB_init(&request, 0) || !CBB_add_u16(&request, count)) {\n goto err;\n }\n\n pretokens =\n ctx->method->blind(&request, count, include_message, msg, msg_len);\n if (pretokens == NULL) {\n goto err;\n }\n\n if (!CBB_finish(&request, out, out_len)) {\n goto err;\n }\n\n sk_TRUST_TOKEN_PRETOKEN_pop_free(ctx->pretokens, TRUST_TOKEN_PRETOKEN_free);\n ctx->pretokens = pretokens;\n pretokens = NULL;\n ret = 1;\n\nerr:\n CBB_cleanup(&request);\n sk_TRUST_TOKEN_PRETOKEN_pop_free(pretokens, TRUST_TOKEN_PRETOKEN_free);\n return ret;\n}\n\nint TRUST_TOKEN_CLIENT_begin_issuance(TRUST_TOKEN_CLIENT *ctx, uint8_t **out,\n size_t *out_len, size_t count) {\n return trust_token_client_begin_issuance_impl(ctx, out, out_len, count,\n /*include_message=*/0, NULL, 0);\n}\n\nint TRUST_TOKEN_CLIENT_begin_issuance_over_message(\n TRUST_TOKEN_CLIENT *ctx, uint8_t **out, size_t *out_len, size_t count,\n const uint8_t *msg, size_t msg_len) {\n return trust_token_client_begin_issuance_impl(\n ctx, out, out_len, count, /*include_message=*/1, msg, msg_len);\n}\n\n\nSTACK_OF(TRUST_TOKEN) *TRUST_TOKEN_CLIENT_finish_issuance(\n TRUST_TOKEN_CLIENT *ctx, size_t *out_key_index, const uint8_t *response,\n size_t response_len) {\n CBS in;\n CBS_init(&in, response, response_len);\n uint16_t count;\n uint32_t key_id;\n if (!CBS_get_u16(&in, &count) || !CBS_get_u32(&in, &key_id)) {\n OPENSSL_PUT_ERROR(TRUST_TOKEN, TRUST_TOKEN_R_DECODE_FAILURE);\n return NULL;\n }\n\n size_t key_index = 0;\n const struct trust_token_client_key_st *key = NULL;\n for (size_t i = 0; i < ctx->num_keys; i++) {\n if (ctx->keys[i].id == key_id) {\n key_index = i;\n key = &ctx->keys[i];\n break;\n }\n }\n\n if (key == NULL) {\n OPENSSL_PUT_ERROR(TRUST_TOKEN, TRUST_TOKEN_R_INVALID_KEY_ID);\n return NULL;\n }\n\n if (count > sk_TRUST_TOKEN_PRETOKEN_num(ctx->pretokens)) {\n OPENSSL_PUT_ERROR(TRUST_TOKEN, TRUST_TOKEN_R_DECODE_FAILURE);\n return NULL;\n }\n\n STACK_OF(TRUST_TOKEN) *tokens =\n ctx->method->unblind(&key->key, ctx->pretokens, &in, count, key_id);\n if (tokens == NULL) {\n return NULL;\n }\n\n if (CBS_len(&in) != 0) {\n OPENSSL_PUT_ERROR(TRUST_TOKEN, TRUST_TOKEN_R_DECODE_FAILURE);\n sk_TRUST_TOKEN_pop_free(tokens, TRUST_TOKEN_free);\n return NULL;\n }\n\n sk_TRUST_TOKEN_PRETOKEN_pop_free(ctx->pretokens, TRUST_TOKEN_PRETOKEN_free);\n ctx->pretokens = NULL;\n\n *out_key_index = key_index;\n return tokens;\n}\n\nint TRUST_TOKEN_CLIENT_begin_redemption(TRUST_TOKEN_CLIENT *ctx, uint8_t **out,\n size_t *out_len,\n const TRUST_TOKEN *token,\n const uint8_t *data, size_t data_len,\n uint64_t time) {\n CBB request, token_inner, inner;\n if (!CBB_init(&request, 0) ||\n !CBB_add_u16_length_prefixed(&request, &token_inner) ||\n !CBB_add_bytes(&token_inner, token->data, token->len) ||\n !CBB_add_u16_length_prefixed(&request, &inner) ||\n !CBB_add_bytes(&inner, data, data_len) ||\n (ctx->method->has_srr && !CBB_add_u64(&request, time)) ||\n !CBB_finish(&request, out, out_len)) {\n CBB_cleanup(&request);\n return 0;\n }\n return 1;\n}\n\nint TRUST_TOKEN_CLIENT_finish_redemption(TRUST_TOKEN_CLIENT *ctx,\n uint8_t **out_rr, size_t *out_rr_len,\n uint8_t **out_sig, size_t *out_sig_len,\n const uint8_t *response,\n size_t response_len) {\n CBS in, srr, sig;\n CBS_init(&in, response, response_len);\n if (!ctx->method->has_srr) {\n if (!CBS_stow(&in, out_rr, out_rr_len)) {\n return 0;\n }\n\n *out_sig = NULL;\n *out_sig_len = 0;\n return 1;\n }\n\n if (!CBS_get_u16_length_prefixed(&in, &srr) ||\n !CBS_get_u16_length_prefixed(&in, &sig) || CBS_len(&in) != 0) {\n OPENSSL_PUT_ERROR(TRUST_TOKEN, TRUST_TOKEN_R_DECODE_ERROR);\n return 0;\n }\n\n if (ctx->srr_key == NULL) {\n OPENSSL_PUT_ERROR(TRUST_TOKEN, TRUST_TOKEN_R_NO_SRR_KEY_CONFIGURED);\n return 0;\n }\n\n EVP_MD_CTX md_ctx;\n EVP_MD_CTX_init(&md_ctx);\n int sig_ok = EVP_DigestVerifyInit(&md_ctx, NULL, NULL, NULL, ctx->srr_key) &&\n EVP_DigestVerify(&md_ctx, CBS_data(&sig), CBS_len(&sig),\n CBS_data(&srr), CBS_len(&srr));\n EVP_MD_CTX_cleanup(&md_ctx);\n\n if (!sig_ok) {\n OPENSSL_PUT_ERROR(TRUST_TOKEN, TRUST_TOKEN_R_SRR_SIGNATURE_ERROR);\n return 0;\n }\n\n uint8_t *srr_buf = NULL, *sig_buf = NULL;\n size_t srr_len, sig_len;\n if (!CBS_stow(&srr, &srr_buf, &srr_len) ||\n !CBS_stow(&sig, &sig_buf, &sig_len)) {\n OPENSSL_free(srr_buf);\n OPENSSL_free(sig_buf);\n return 0;\n }\n\n *out_rr = srr_buf;\n *out_rr_len = srr_len;\n *out_sig = sig_buf;\n *out_sig_len = sig_len;\n return 1;\n}\n\nTRUST_TOKEN_ISSUER *TRUST_TOKEN_ISSUER_new(const TRUST_TOKEN_METHOD *method,\n size_t max_batchsize) {\n if (max_batchsize > 0xffff) {\n // The protocol supports only two-byte token counts.\n OPENSSL_PUT_ERROR(TRUST_TOKEN, ERR_R_OVERFLOW);\n return NULL;\n }\n\n TRUST_TOKEN_ISSUER *ret = reinterpret_cast(\n OPENSSL_zalloc(sizeof(TRUST_TOKEN_ISSUER)));\n if (ret == NULL) {\n return NULL;\n }\n ret->method = method;\n ret->max_batchsize = (uint16_t)max_batchsize;\n return ret;\n}\n\nvoid TRUST_TOKEN_ISSUER_free(TRUST_TOKEN_ISSUER *ctx) {\n if (ctx == NULL) {\n return;\n }\n EVP_PKEY_free(ctx->srr_key);\n OPENSSL_free(ctx->metadata_key);\n OPENSSL_free(ctx);\n}\n\nint TRUST_TOKEN_ISSUER_add_key(TRUST_TOKEN_ISSUER *ctx, const uint8_t *key,\n size_t key_len) {\n if (ctx->num_keys == OPENSSL_ARRAY_SIZE(ctx->keys) ||\n ctx->num_keys >= ctx->method->max_keys) {\n OPENSSL_PUT_ERROR(TRUST_TOKEN, TRUST_TOKEN_R_TOO_MANY_KEYS);\n return 0;\n }\n\n struct trust_token_issuer_key_st *key_s = &ctx->keys[ctx->num_keys];\n CBS cbs;\n CBS_init(&cbs, key, key_len);\n uint32_t key_id;\n if (!CBS_get_u32(&cbs, &key_id) ||\n !ctx->method->issuer_key_from_bytes(&key_s->key, CBS_data(&cbs),\n CBS_len(&cbs))) {\n OPENSSL_PUT_ERROR(TRUST_TOKEN, TRUST_TOKEN_R_DECODE_FAILURE);\n return 0;\n }\n\n key_s->id = key_id;\n ctx->num_keys += 1;\n return 1;\n}\n\nint TRUST_TOKEN_ISSUER_set_srr_key(TRUST_TOKEN_ISSUER *ctx, EVP_PKEY *key) {\n EVP_PKEY_free(ctx->srr_key);\n EVP_PKEY_up_ref(key);\n ctx->srr_key = key;\n return 1;\n}\n\nint TRUST_TOKEN_ISSUER_set_metadata_key(TRUST_TOKEN_ISSUER *ctx,\n const uint8_t *key, size_t len) {\n if (len < 32) {\n OPENSSL_PUT_ERROR(TRUST_TOKEN, TRUST_TOKEN_R_INVALID_METADATA_KEY);\n }\n OPENSSL_free(ctx->metadata_key);\n ctx->metadata_key_len = 0;\n ctx->metadata_key = reinterpret_cast(OPENSSL_memdup(key, len));\n if (ctx->metadata_key == NULL) {\n return 0;\n }\n ctx->metadata_key_len = len;\n return 1;\n}\n\nstatic const struct trust_token_issuer_key_st *trust_token_issuer_get_key(\n const TRUST_TOKEN_ISSUER *ctx, uint32_t key_id) {\n for (size_t i = 0; i < ctx->num_keys; i++) {\n if (ctx->keys[i].id == key_id) {\n return &ctx->keys[i];\n }\n }\n return NULL;\n}\n\nint TRUST_TOKEN_ISSUER_issue(const TRUST_TOKEN_ISSUER *ctx, uint8_t **out,\n size_t *out_len, size_t *out_tokens_issued,\n const uint8_t *request, size_t request_len,\n uint32_t public_metadata, uint8_t private_metadata,\n size_t max_issuance) {\n if (max_issuance > ctx->max_batchsize) {\n max_issuance = ctx->max_batchsize;\n }\n\n const struct trust_token_issuer_key_st *key =\n trust_token_issuer_get_key(ctx, public_metadata);\n if (key == NULL || private_metadata > 1 ||\n (!ctx->method->has_private_metadata && private_metadata != 0)) {\n OPENSSL_PUT_ERROR(TRUST_TOKEN, TRUST_TOKEN_R_INVALID_METADATA);\n return 0;\n }\n\n CBS in;\n uint16_t num_requested;\n CBS_init(&in, request, request_len);\n if (!CBS_get_u16(&in, &num_requested)) {\n OPENSSL_PUT_ERROR(TRUST_TOKEN, TRUST_TOKEN_R_DECODE_FAILURE);\n return 0;\n }\n\n size_t num_to_issue = num_requested;\n if (num_to_issue > max_issuance) {\n num_to_issue = max_issuance;\n }\n\n int ret = 0;\n CBB response;\n if (!CBB_init(&response, 0) || !CBB_add_u16(&response, num_to_issue) ||\n !CBB_add_u32(&response, public_metadata)) {\n goto err;\n }\n\n if (!ctx->method->sign(&key->key, &response, &in, num_requested, num_to_issue,\n private_metadata)) {\n goto err;\n }\n\n if (CBS_len(&in) != 0) {\n OPENSSL_PUT_ERROR(TRUST_TOKEN, TRUST_TOKEN_R_DECODE_FAILURE);\n goto err;\n }\n\n if (!CBB_finish(&response, out, out_len)) {\n goto err;\n }\n\n *out_tokens_issued = num_to_issue;\n ret = 1;\n\nerr:\n CBB_cleanup(&response);\n return ret;\n}\n\nstatic int trust_token_issuer_redeem_impl(\n const TRUST_TOKEN_ISSUER *ctx, uint32_t *out_public, uint8_t *out_private,\n TRUST_TOKEN **out_token, uint8_t **out_client_data,\n size_t *out_client_data_len, const uint8_t *request, size_t request_len,\n int include_message, const uint8_t *msg, size_t msg_len) {\n CBS request_cbs, token_cbs;\n CBS_init(&request_cbs, request, request_len);\n if (!CBS_get_u16_length_prefixed(&request_cbs, &token_cbs)) {\n OPENSSL_PUT_ERROR(TRUST_TOKEN, TRUST_TOKEN_R_DECODE_ERROR);\n return 0;\n }\n\n uint32_t public_metadata = 0;\n uint8_t private_metadata = 0;\n\n // Parse the token. If there is an error, treat it as an invalid token.\n if (!CBS_get_u32(&token_cbs, &public_metadata)) {\n OPENSSL_PUT_ERROR(TRUST_TOKEN, TRUST_TOKEN_R_INVALID_TOKEN);\n return 0;\n }\n\n const struct trust_token_issuer_key_st *key =\n trust_token_issuer_get_key(ctx, public_metadata);\n uint8_t nonce[TRUST_TOKEN_NONCE_SIZE];\n if (key == NULL ||\n !ctx->method->read(&key->key, nonce, &private_metadata,\n CBS_data(&token_cbs), CBS_len(&token_cbs),\n include_message, msg, msg_len)) {\n OPENSSL_PUT_ERROR(TRUST_TOKEN, TRUST_TOKEN_R_INVALID_TOKEN);\n return 0;\n }\n\n CBS client_data;\n if (!CBS_get_u16_length_prefixed(&request_cbs, &client_data) ||\n (ctx->method->has_srr && !CBS_skip(&request_cbs, 8)) ||\n CBS_len(&request_cbs) != 0) {\n OPENSSL_PUT_ERROR(TRUST_TOKEN, TRUST_TOKEN_R_DECODE_ERROR);\n return 0;\n }\n\n uint8_t *client_data_buf = NULL;\n size_t client_data_len = 0;\n TRUST_TOKEN *token;\n if (!CBS_stow(&client_data, &client_data_buf, &client_data_len)) {\n goto err;\n }\n\n token = TRUST_TOKEN_new(nonce, TRUST_TOKEN_NONCE_SIZE);\n if (token == NULL) {\n goto err;\n }\n *out_public = public_metadata;\n *out_private = private_metadata;\n *out_token = token;\n *out_client_data = client_data_buf;\n *out_client_data_len = client_data_len;\n\n return 1;\n\nerr:\n OPENSSL_free(client_data_buf);\n return 0;\n}\n\n\nint TRUST_TOKEN_ISSUER_redeem(const TRUST_TOKEN_ISSUER *ctx,\n uint32_t *out_public, uint8_t *out_private,\n TRUST_TOKEN **out_token,\n uint8_t **out_client_data,\n size_t *out_client_data_len,\n const uint8_t *request, size_t request_len) {\n return trust_token_issuer_redeem_impl(ctx, out_public, out_private, out_token,\n out_client_data, out_client_data_len,\n request, request_len, 0, NULL, 0);\n}\n\nint TRUST_TOKEN_ISSUER_redeem_over_message(\n const TRUST_TOKEN_ISSUER *ctx, uint32_t *out_public, uint8_t *out_private,\n TRUST_TOKEN **out_token, uint8_t **out_client_data,\n size_t *out_client_data_len, const uint8_t *request, size_t request_len,\n const uint8_t *msg, size_t msg_len) {\n return trust_token_issuer_redeem_impl(ctx, out_public, out_private, out_token,\n out_client_data, out_client_data_len,\n request, request_len, 1, msg, msg_len);\n}\n\nstatic uint8_t get_metadata_obfuscator(const uint8_t *key, size_t key_len,\n const uint8_t *client_data,\n size_t client_data_len) {\n uint8_t metadata_obfuscator[SHA256_DIGEST_LENGTH];\n SHA256_CTX sha_ctx;\n SHA256_Init(&sha_ctx);\n SHA256_Update(&sha_ctx, key, key_len);\n SHA256_Update(&sha_ctx, client_data, client_data_len);\n SHA256_Final(metadata_obfuscator, &sha_ctx);\n return metadata_obfuscator[0] >> 7;\n}\n\nint TRUST_TOKEN_decode_private_metadata(const TRUST_TOKEN_METHOD *method,\n uint8_t *out_value, const uint8_t *key,\n size_t key_len, const uint8_t *nonce,\n size_t nonce_len,\n uint8_t encrypted_bit) {\n uint8_t metadata_obfuscator =\n get_metadata_obfuscator(key, key_len, nonce, nonce_len);\n *out_value = encrypted_bit ^ metadata_obfuscator;\n return 1;\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/trust_token/voprf.cc", "content": "/* Copyright 2020 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n#include \n\n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n\n#include \"../ec/internal.h\"\n#include \"../fipsmodule/ec/internal.h\"\n\n#include \"internal.h\"\n\n\ntypedef int (*hash_to_group_func_t)(const EC_GROUP *group, EC_JACOBIAN *out,\n const uint8_t t[TRUST_TOKEN_NONCE_SIZE]);\ntypedef int (*hash_to_scalar_func_t)(const EC_GROUP *group, EC_SCALAR *out,\n uint8_t *buf, size_t len);\n\ntypedef struct {\n const EC_GROUP *(*group_func)(void);\n\n // hash_to_group implements the HashToGroup operation for VOPRFs. It returns\n // one on success and zero on error.\n hash_to_group_func_t hash_to_group;\n // hash_to_scalar implements the HashToScalar operation for VOPRFs. It returns\n // one on success and zero on error.\n hash_to_scalar_func_t hash_to_scalar;\n} VOPRF_METHOD;\n\nstatic const uint8_t kDefaultAdditionalData[32] = {0};\n\nstatic int cbb_add_point(CBB *out, const EC_GROUP *group,\n const EC_AFFINE *point) {\n uint8_t *p;\n size_t len = ec_point_byte_len(group, POINT_CONVERSION_UNCOMPRESSED);\n return CBB_add_space(out, &p, len) &&\n ec_point_to_bytes(group, point, POINT_CONVERSION_UNCOMPRESSED, p,\n len) == len &&\n CBB_flush(out);\n}\n\nstatic int cbb_serialize_point(CBB *out, const EC_GROUP *group,\n const EC_AFFINE *point) {\n uint8_t *p;\n size_t len = ec_point_byte_len(group, POINT_CONVERSION_COMPRESSED);\n return CBB_add_u16(out, len) && CBB_add_space(out, &p, len) &&\n ec_point_to_bytes(group, point, POINT_CONVERSION_COMPRESSED, p, len) ==\n len &&\n CBB_flush(out);\n}\n\nstatic int cbs_get_point(CBS *cbs, const EC_GROUP *group, EC_AFFINE *out) {\n CBS child;\n size_t plen = ec_point_byte_len(group, POINT_CONVERSION_UNCOMPRESSED);\n if (!CBS_get_bytes(cbs, &child, plen) ||\n !ec_point_from_uncompressed(group, out, CBS_data(&child),\n CBS_len(&child))) {\n return 0;\n }\n return 1;\n}\n\nstatic int scalar_to_cbb(CBB *out, const EC_GROUP *group,\n const EC_SCALAR *scalar) {\n uint8_t *buf;\n size_t scalar_len = BN_num_bytes(EC_GROUP_get0_order(group));\n if (!CBB_add_space(out, &buf, scalar_len)) {\n return 0;\n }\n ec_scalar_to_bytes(group, buf, &scalar_len, scalar);\n return 1;\n}\n\nstatic int scalar_from_cbs(CBS *cbs, const EC_GROUP *group, EC_SCALAR *out) {\n size_t scalar_len = BN_num_bytes(EC_GROUP_get0_order(group));\n CBS tmp;\n if (!CBS_get_bytes(cbs, &tmp, scalar_len)) {\n OPENSSL_PUT_ERROR(TRUST_TOKEN, TRUST_TOKEN_R_DECODE_FAILURE);\n return 0;\n }\n\n ec_scalar_from_bytes(group, out, CBS_data(&tmp), CBS_len(&tmp));\n return 1;\n}\n\nstatic int voprf_calculate_key(const VOPRF_METHOD *method, CBB *out_private,\n CBB *out_public, const EC_SCALAR *priv) {\n const EC_GROUP *group = method->group_func();\n EC_JACOBIAN pub;\n EC_AFFINE pub_affine;\n if (!ec_point_mul_scalar_base(group, &pub, priv) ||\n !ec_jacobian_to_affine(group, &pub_affine, &pub)) {\n OPENSSL_PUT_ERROR(TRUST_TOKEN, TRUST_TOKEN_R_KEYGEN_FAILURE);\n return 0;\n }\n\n if (!scalar_to_cbb(out_private, group, priv) ||\n !cbb_add_point(out_public, group, &pub_affine)) {\n OPENSSL_PUT_ERROR(TRUST_TOKEN, TRUST_TOKEN_R_BUFFER_TOO_SMALL);\n return 0;\n }\n\n return 1;\n}\n\n\nstatic int voprf_generate_key(const VOPRF_METHOD *method, CBB *out_private,\n CBB *out_public) {\n EC_SCALAR priv;\n if (!ec_random_nonzero_scalar(method->group_func(), &priv,\n kDefaultAdditionalData)) {\n OPENSSL_PUT_ERROR(TRUST_TOKEN, TRUST_TOKEN_R_KEYGEN_FAILURE);\n return 0;\n }\n return voprf_calculate_key(method, out_private, out_public, &priv);\n}\n\nstatic int voprf_derive_key_from_secret(const VOPRF_METHOD *method,\n CBB *out_private, CBB *out_public,\n const uint8_t *secret,\n size_t secret_len) {\n static const uint8_t kKeygenLabel[] = \"TrustTokenVOPRFKeyGen\";\n\n EC_SCALAR priv;\n int ok = 0;\n CBB cbb;\n CBB_zero(&cbb);\n uint8_t *buf = NULL;\n size_t len;\n if (!CBB_init(&cbb, 0) ||\n !CBB_add_bytes(&cbb, kKeygenLabel, sizeof(kKeygenLabel)) ||\n !CBB_add_bytes(&cbb, secret, secret_len) ||\n !CBB_finish(&cbb, &buf, &len) ||\n !method->hash_to_scalar(method->group_func(), &priv, buf, len)) {\n OPENSSL_PUT_ERROR(TRUST_TOKEN, TRUST_TOKEN_R_KEYGEN_FAILURE);\n goto err;\n }\n\n ok = voprf_calculate_key(method, out_private, out_public, &priv);\n\nerr:\n CBB_cleanup(&cbb);\n OPENSSL_free(buf);\n return ok;\n}\n\nstatic int voprf_client_key_from_bytes(const VOPRF_METHOD *method,\n TRUST_TOKEN_CLIENT_KEY *key,\n const uint8_t *in, size_t len) {\n const EC_GROUP *group = method->group_func();\n if (!ec_point_from_uncompressed(group, &key->pubs, in, len)) {\n OPENSSL_PUT_ERROR(TRUST_TOKEN, TRUST_TOKEN_R_DECODE_FAILURE);\n return 0;\n }\n\n return 1;\n}\n\nstatic int voprf_issuer_key_from_bytes(const VOPRF_METHOD *method,\n TRUST_TOKEN_ISSUER_KEY *key,\n const uint8_t *in, size_t len) {\n const EC_GROUP *group = method->group_func();\n if (!ec_scalar_from_bytes(group, &key->xs, in, len)) {\n OPENSSL_PUT_ERROR(TRUST_TOKEN, TRUST_TOKEN_R_DECODE_FAILURE);\n return 0;\n }\n\n // Recompute the public key.\n EC_JACOBIAN pub;\n if (!ec_point_mul_scalar_base(group, &pub, &key->xs) ||\n !ec_jacobian_to_affine(group, &key->pubs, &pub)) {\n return 0;\n }\n\n return 1;\n}\n\nstatic STACK_OF(TRUST_TOKEN_PRETOKEN) *voprf_blind(const VOPRF_METHOD *method,\n CBB *cbb, size_t count,\n int include_message,\n const uint8_t *msg,\n size_t msg_len) {\n SHA512_CTX hash_ctx;\n\n const EC_GROUP *group = method->group_func();\n STACK_OF(TRUST_TOKEN_PRETOKEN) *pretokens =\n sk_TRUST_TOKEN_PRETOKEN_new_null();\n if (pretokens == NULL) {\n goto err;\n }\n\n for (size_t i = 0; i < count; i++) {\n // Insert |pretoken| into |pretokens| early to simplify error-handling.\n TRUST_TOKEN_PRETOKEN *pretoken = reinterpret_cast(\n OPENSSL_malloc(sizeof(TRUST_TOKEN_PRETOKEN)));\n if (pretoken == NULL ||\n !sk_TRUST_TOKEN_PRETOKEN_push(pretokens, pretoken)) {\n TRUST_TOKEN_PRETOKEN_free(pretoken);\n goto err;\n }\n\n RAND_bytes(pretoken->salt, sizeof(pretoken->salt));\n if (include_message) {\n assert(SHA512_DIGEST_LENGTH == TRUST_TOKEN_NONCE_SIZE);\n SHA512_Init(&hash_ctx);\n SHA512_Update(&hash_ctx, pretoken->salt, sizeof(pretoken->salt));\n SHA512_Update(&hash_ctx, msg, msg_len);\n SHA512_Final(pretoken->t, &hash_ctx);\n } else {\n OPENSSL_memcpy(pretoken->t, pretoken->salt, TRUST_TOKEN_NONCE_SIZE);\n }\n\n // We sample r in Montgomery form to simplify inverting.\n EC_SCALAR r;\n if (!ec_random_nonzero_scalar(group, &r, kDefaultAdditionalData)) {\n goto err;\n }\n\n // pretoken->r is rinv.\n ec_scalar_inv0_montgomery(group, &pretoken->r, &r);\n // Convert both out of Montgomery form.\n ec_scalar_from_montgomery(group, &r, &r);\n ec_scalar_from_montgomery(group, &pretoken->r, &pretoken->r);\n\n // Tp is the blinded token in the VOPRF protocol.\n EC_JACOBIAN P, Tp;\n if (!method->hash_to_group(group, &P, pretoken->t) ||\n !ec_point_mul_scalar(group, &Tp, &P, &r) ||\n !ec_jacobian_to_affine(group, &pretoken->Tp, &Tp)) {\n goto err;\n }\n\n if (!cbb_add_point(cbb, group, &pretoken->Tp)) {\n goto err;\n }\n }\n\n return pretokens;\n\nerr:\n sk_TRUST_TOKEN_PRETOKEN_pop_free(pretokens, TRUST_TOKEN_PRETOKEN_free);\n return NULL;\n}\n\nstatic int hash_to_scalar_dleq(const VOPRF_METHOD *method, EC_SCALAR *out,\n const EC_AFFINE *X, const EC_AFFINE *T,\n const EC_AFFINE *W, const EC_AFFINE *K0,\n const EC_AFFINE *K1) {\n static const uint8_t kDLEQLabel[] = \"DLEQ\";\n\n const EC_GROUP *group = method->group_func();\n int ok = 0;\n CBB cbb;\n CBB_zero(&cbb);\n uint8_t *buf = NULL;\n size_t len;\n if (!CBB_init(&cbb, 0) ||\n !CBB_add_bytes(&cbb, kDLEQLabel, sizeof(kDLEQLabel)) ||\n !cbb_add_point(&cbb, group, X) || !cbb_add_point(&cbb, group, T) ||\n !cbb_add_point(&cbb, group, W) || !cbb_add_point(&cbb, group, K0) ||\n !cbb_add_point(&cbb, group, K1) || !CBB_finish(&cbb, &buf, &len) ||\n !method->hash_to_scalar(group, out, buf, len)) {\n goto err;\n }\n\n ok = 1;\n\nerr:\n CBB_cleanup(&cbb);\n OPENSSL_free(buf);\n return ok;\n}\n\nstatic int hash_to_scalar_challenge(const VOPRF_METHOD *method, EC_SCALAR *out,\n const EC_AFFINE *Bm, const EC_AFFINE *a0,\n const EC_AFFINE *a1, const EC_AFFINE *a2,\n const EC_AFFINE *a3) {\n static const uint8_t kChallengeLabel[] = \"Challenge\";\n\n const EC_GROUP *group = method->group_func();\n CBB cbb;\n uint8_t transcript[5 * EC_MAX_COMPRESSED + 2 + sizeof(kChallengeLabel) - 1];\n size_t len;\n if (!CBB_init_fixed(&cbb, transcript, sizeof(transcript)) ||\n !cbb_serialize_point(&cbb, group, Bm) ||\n !cbb_serialize_point(&cbb, group, a0) ||\n !cbb_serialize_point(&cbb, group, a1) ||\n !cbb_serialize_point(&cbb, group, a2) ||\n !cbb_serialize_point(&cbb, group, a3) ||\n !CBB_add_bytes(&cbb, kChallengeLabel, sizeof(kChallengeLabel) - 1) ||\n !CBB_finish(&cbb, NULL, &len) ||\n !method->hash_to_scalar(group, out, transcript, len)) {\n return 0;\n }\n\n return 1;\n}\n\nstatic int hash_to_scalar_batch(const VOPRF_METHOD *method, EC_SCALAR *out,\n const CBB *points, size_t index) {\n static const uint8_t kDLEQBatchLabel[] = \"DLEQ BATCH\";\n if (index > 0xffff) {\n // The protocol supports only two-byte batches.\n OPENSSL_PUT_ERROR(TRUST_TOKEN, ERR_R_OVERFLOW);\n return 0;\n }\n\n int ok = 0;\n CBB cbb;\n CBB_zero(&cbb);\n uint8_t *buf = NULL;\n size_t len;\n if (!CBB_init(&cbb, 0) ||\n !CBB_add_bytes(&cbb, kDLEQBatchLabel, sizeof(kDLEQBatchLabel)) ||\n !CBB_add_bytes(&cbb, CBB_data(points), CBB_len(points)) ||\n !CBB_add_u16(&cbb, (uint16_t)index) || !CBB_finish(&cbb, &buf, &len) ||\n !method->hash_to_scalar(method->group_func(), out, buf, len)) {\n goto err;\n }\n\n ok = 1;\n\nerr:\n CBB_cleanup(&cbb);\n OPENSSL_free(buf);\n return ok;\n}\n\nstatic int dleq_generate(const VOPRF_METHOD *method, CBB *cbb,\n const TRUST_TOKEN_ISSUER_KEY *priv,\n const EC_JACOBIAN *T, const EC_JACOBIAN *W) {\n const EC_GROUP *group = method->group_func();\n\n enum {\n idx_T,\n idx_W,\n idx_k0,\n idx_k1,\n num_idx,\n };\n EC_JACOBIAN jacobians[num_idx];\n\n // Setup the DLEQ proof.\n EC_SCALAR r;\n if ( // r <- Zp\n !ec_random_nonzero_scalar(group, &r, kDefaultAdditionalData) ||\n // k0;k1 = r*(G;T)\n !ec_point_mul_scalar_base(group, &jacobians[idx_k0], &r) ||\n !ec_point_mul_scalar(group, &jacobians[idx_k1], T, &r)) {\n return 0;\n }\n\n EC_AFFINE affines[num_idx];\n jacobians[idx_T] = *T;\n jacobians[idx_W] = *W;\n if (!ec_jacobian_to_affine_batch(group, affines, jacobians, num_idx)) {\n return 0;\n }\n\n // Compute c = Hc(...).\n EC_SCALAR c;\n if (!hash_to_scalar_dleq(method, &c, &priv->pubs, &affines[idx_T],\n &affines[idx_W], &affines[idx_k0],\n &affines[idx_k1])) {\n return 0;\n }\n\n\n EC_SCALAR c_mont;\n ec_scalar_to_montgomery(group, &c_mont, &c);\n\n // u = r + c*xs\n EC_SCALAR u;\n ec_scalar_mul_montgomery(group, &u, &priv->xs, &c_mont);\n ec_scalar_add(group, &u, &r, &u);\n\n // Store DLEQ proof in transcript.\n if (!scalar_to_cbb(cbb, group, &c) || !scalar_to_cbb(cbb, group, &u)) {\n return 0;\n }\n\n return 1;\n}\n\nstatic int mul_public_2(const EC_GROUP *group, EC_JACOBIAN *out,\n const EC_JACOBIAN *p0, const EC_SCALAR *scalar0,\n const EC_JACOBIAN *p1, const EC_SCALAR *scalar1) {\n EC_JACOBIAN points[2] = {*p0, *p1};\n EC_SCALAR scalars[2] = {*scalar0, *scalar1};\n return ec_point_mul_scalar_public_batch(group, out, /*g_scalar=*/NULL, points,\n scalars, 2);\n}\n\nstatic int dleq_verify(const VOPRF_METHOD *method, CBS *cbs,\n const TRUST_TOKEN_CLIENT_KEY *pub, const EC_JACOBIAN *T,\n const EC_JACOBIAN *W) {\n const EC_GROUP *group = method->group_func();\n\n\n enum {\n idx_T,\n idx_W,\n idx_k0,\n idx_k1,\n num_idx,\n };\n EC_JACOBIAN jacobians[num_idx];\n\n // Decode the DLEQ proof.\n EC_SCALAR c, u;\n if (!scalar_from_cbs(cbs, group, &c) || !scalar_from_cbs(cbs, group, &u)) {\n OPENSSL_PUT_ERROR(TRUST_TOKEN, TRUST_TOKEN_R_DECODE_FAILURE);\n return 0;\n }\n\n // k0;k1 = u*(G;T) - c*(pub;W)\n EC_JACOBIAN pubs;\n ec_affine_to_jacobian(group, &pubs, &pub->pubs);\n EC_SCALAR minus_c;\n ec_scalar_neg(group, &minus_c, &c);\n if (!ec_point_mul_scalar_public(group, &jacobians[idx_k0], &u, &pubs,\n &minus_c) ||\n !mul_public_2(group, &jacobians[idx_k1], T, &u, W, &minus_c)) {\n return 0;\n }\n\n // Check the DLEQ proof.\n EC_AFFINE affines[num_idx];\n jacobians[idx_T] = *T;\n jacobians[idx_W] = *W;\n if (!ec_jacobian_to_affine_batch(group, affines, jacobians, num_idx)) {\n return 0;\n }\n\n // Compute c = Hc(...).\n EC_SCALAR calculated;\n if (!hash_to_scalar_dleq(method, &calculated, &pub->pubs, &affines[idx_T],\n &affines[idx_W], &affines[idx_k0],\n &affines[idx_k1])) {\n return 0;\n }\n\n // c == calculated\n if (!ec_scalar_equal_vartime(group, &c, &calculated)) {\n OPENSSL_PUT_ERROR(TRUST_TOKEN, TRUST_TOKEN_R_INVALID_PROOF);\n return 0;\n }\n\n return 1;\n}\n\nstatic int voprf_sign_tt(const VOPRF_METHOD *method,\n const TRUST_TOKEN_ISSUER_KEY *key, CBB *cbb, CBS *cbs,\n size_t num_requested, size_t num_to_issue) {\n const EC_GROUP *group = method->group_func();\n if (num_requested < num_to_issue) {\n OPENSSL_PUT_ERROR(TRUST_TOKEN, ERR_R_INTERNAL_ERROR);\n return 0;\n }\n\n int ret = 0;\n EC_JACOBIAN *BTs = reinterpret_cast(\n OPENSSL_calloc(num_to_issue, sizeof(EC_JACOBIAN)));\n EC_JACOBIAN *Zs = reinterpret_cast(\n OPENSSL_calloc(num_to_issue, sizeof(EC_JACOBIAN)));\n EC_SCALAR *es = reinterpret_cast(\n OPENSSL_calloc(num_to_issue, sizeof(EC_SCALAR)));\n CBB batch_cbb;\n CBB_zero(&batch_cbb);\n\n {\n if (!BTs || !Zs || !es || !CBB_init(&batch_cbb, 0) ||\n !cbb_add_point(&batch_cbb, group, &key->pubs)) {\n goto err;\n }\n\n for (size_t i = 0; i < num_to_issue; i++) {\n EC_AFFINE BT_affine, Z_affine;\n EC_JACOBIAN BT, Z;\n if (!cbs_get_point(cbs, group, &BT_affine)) {\n OPENSSL_PUT_ERROR(TRUST_TOKEN, TRUST_TOKEN_R_DECODE_FAILURE);\n goto err;\n }\n ec_affine_to_jacobian(group, &BT, &BT_affine);\n if (!ec_point_mul_scalar(group, &Z, &BT, &key->xs) ||\n !ec_jacobian_to_affine(group, &Z_affine, &Z) ||\n !cbb_add_point(cbb, group, &Z_affine)) {\n goto err;\n }\n\n if (!cbb_add_point(&batch_cbb, group, &BT_affine) ||\n !cbb_add_point(&batch_cbb, group, &Z_affine)) {\n goto err;\n }\n BTs[i] = BT;\n Zs[i] = Z;\n\n if (!CBB_flush(cbb)) {\n goto err;\n }\n }\n\n // The DLEQ batching construction is described in appendix B of\n // https://eprint.iacr.org/2020/072/20200324:214215. Note the additional\n // computations all act on public inputs.\n for (size_t i = 0; i < num_to_issue; i++) {\n if (!hash_to_scalar_batch(method, &es[i], &batch_cbb, i)) {\n goto err;\n }\n }\n\n EC_JACOBIAN BT_batch, Z_batch;\n if (!ec_point_mul_scalar_public_batch(group, &BT_batch,\n /*g_scalar=*/NULL, BTs, es,\n num_to_issue) ||\n !ec_point_mul_scalar_public_batch(group, &Z_batch,\n /*g_scalar=*/NULL, Zs, es,\n num_to_issue)) {\n goto err;\n }\n\n CBB proof;\n if (!CBB_add_u16_length_prefixed(cbb, &proof) ||\n !dleq_generate(method, &proof, key, &BT_batch, &Z_batch) ||\n !CBB_flush(cbb)) {\n goto err;\n }\n\n // Skip over any unused requests.\n size_t point_len = ec_point_byte_len(group, POINT_CONVERSION_UNCOMPRESSED);\n if (!CBS_skip(cbs, point_len * (num_requested - num_to_issue))) {\n OPENSSL_PUT_ERROR(TRUST_TOKEN, TRUST_TOKEN_R_DECODE_FAILURE);\n goto err;\n }\n\n ret = 1;\n }\n\nerr:\n OPENSSL_free(BTs);\n OPENSSL_free(Zs);\n OPENSSL_free(es);\n CBB_cleanup(&batch_cbb);\n return ret;\n}\n\nstatic STACK_OF(TRUST_TOKEN) *voprf_unblind_tt(\n const VOPRF_METHOD *method, const TRUST_TOKEN_CLIENT_KEY *key,\n const STACK_OF(TRUST_TOKEN_PRETOKEN) *pretokens, CBS *cbs, size_t count,\n uint32_t key_id) {\n const EC_GROUP *group = method->group_func();\n if (count > sk_TRUST_TOKEN_PRETOKEN_num(pretokens)) {\n OPENSSL_PUT_ERROR(TRUST_TOKEN, TRUST_TOKEN_R_DECODE_FAILURE);\n return NULL;\n }\n\n int ok = 0;\n STACK_OF(TRUST_TOKEN) *ret = sk_TRUST_TOKEN_new_null();\n EC_JACOBIAN *BTs = reinterpret_cast(\n OPENSSL_calloc(count, sizeof(EC_JACOBIAN)));\n EC_JACOBIAN *Zs = reinterpret_cast(\n OPENSSL_calloc(count, sizeof(EC_JACOBIAN)));\n EC_SCALAR *es =\n reinterpret_cast(OPENSSL_calloc(count, sizeof(EC_SCALAR)));\n CBB batch_cbb;\n CBB_zero(&batch_cbb);\n if (ret == NULL || BTs == NULL || Zs == NULL || es == NULL ||\n !CBB_init(&batch_cbb, 0) ||\n !cbb_add_point(&batch_cbb, group, &key->pubs)) {\n goto err;\n }\n\n for (size_t i = 0; i < count; i++) {\n const TRUST_TOKEN_PRETOKEN *pretoken =\n sk_TRUST_TOKEN_PRETOKEN_value(pretokens, i);\n\n EC_AFFINE Z_affine;\n if (!cbs_get_point(cbs, group, &Z_affine)) {\n OPENSSL_PUT_ERROR(TRUST_TOKEN, TRUST_TOKEN_R_DECODE_FAILURE);\n goto err;\n }\n\n ec_affine_to_jacobian(group, &BTs[i], &pretoken->Tp);\n ec_affine_to_jacobian(group, &Zs[i], &Z_affine);\n\n if (!cbb_add_point(&batch_cbb, group, &pretoken->Tp) ||\n !cbb_add_point(&batch_cbb, group, &Z_affine)) {\n goto err;\n }\n\n // Unblind the token.\n // pretoken->r is rinv.\n EC_JACOBIAN N;\n EC_AFFINE N_affine;\n if (!ec_point_mul_scalar(group, &N, &Zs[i], &pretoken->r) ||\n !ec_jacobian_to_affine(group, &N_affine, &N)) {\n goto err;\n }\n\n // Serialize the token. Include |key_id| to avoid an extra copy in the layer\n // above.\n CBB token_cbb;\n size_t point_len = ec_point_byte_len(group, POINT_CONVERSION_UNCOMPRESSED);\n if (!CBB_init(&token_cbb, 4 + TRUST_TOKEN_NONCE_SIZE + (2 + point_len)) ||\n !CBB_add_u32(&token_cbb, key_id) ||\n !CBB_add_bytes(&token_cbb, pretoken->salt, TRUST_TOKEN_NONCE_SIZE) ||\n !cbb_add_point(&token_cbb, group, &N_affine) ||\n !CBB_flush(&token_cbb)) {\n CBB_cleanup(&token_cbb);\n goto err;\n }\n\n TRUST_TOKEN *token =\n TRUST_TOKEN_new(CBB_data(&token_cbb), CBB_len(&token_cbb));\n CBB_cleanup(&token_cbb);\n if (token == NULL || !sk_TRUST_TOKEN_push(ret, token)) {\n TRUST_TOKEN_free(token);\n goto err;\n }\n }\n\n // The DLEQ batching construction is described in appendix B of\n // https://eprint.iacr.org/2020/072/20200324:214215. Note the additional\n // computations all act on public inputs.\n for (size_t i = 0; i < count; i++) {\n if (!hash_to_scalar_batch(method, &es[i], &batch_cbb, i)) {\n goto err;\n }\n }\n\n EC_JACOBIAN BT_batch, Z_batch;\n if (!ec_point_mul_scalar_public_batch(group, &BT_batch,\n /*g_scalar=*/NULL, BTs, es, count) ||\n !ec_point_mul_scalar_public_batch(group, &Z_batch,\n /*g_scalar=*/NULL, Zs, es, count)) {\n goto err;\n }\n\n CBS proof;\n if (!CBS_get_u16_length_prefixed(cbs, &proof) ||\n !dleq_verify(method, &proof, key, &BT_batch, &Z_batch) ||\n CBS_len(&proof) != 0) {\n goto err;\n }\n\n ok = 1;\n\nerr:\n OPENSSL_free(BTs);\n OPENSSL_free(Zs);\n OPENSSL_free(es);\n CBB_cleanup(&batch_cbb);\n if (!ok) {\n sk_TRUST_TOKEN_pop_free(ret, TRUST_TOKEN_free);\n ret = NULL;\n }\n return ret;\n}\n\nstatic void sha384_update_u16(SHA512_CTX *ctx, uint16_t v) {\n uint8_t buf[2] = {static_cast(v >> 8),\n static_cast(v & 0xff)};\n SHA384_Update(ctx, buf, 2);\n}\n\nstatic void sha384_update_point_with_length(SHA512_CTX *ctx,\n const EC_GROUP *group,\n const EC_AFFINE *point) {\n uint8_t buf[EC_MAX_COMPRESSED];\n size_t len = ec_point_to_bytes(group, point, POINT_CONVERSION_COMPRESSED, buf,\n sizeof(buf));\n assert(len > 0);\n sha384_update_u16(ctx, (uint16_t)len);\n SHA384_Update(ctx, buf, len);\n}\n\nstatic int compute_composite_seed(const VOPRF_METHOD *method,\n uint8_t out[SHA384_DIGEST_LENGTH],\n const EC_AFFINE *pub) {\n const EC_GROUP *group = method->group_func();\n static const uint8_t kSeedDST[] = \"Seed-OPRFV1-\\x01-P384-SHA384\";\n\n SHA512_CTX hash_ctx;\n SHA384_Init(&hash_ctx);\n sha384_update_point_with_length(&hash_ctx, group, pub);\n sha384_update_u16(&hash_ctx, sizeof(kSeedDST) - 1);\n SHA384_Update(&hash_ctx, kSeedDST, sizeof(kSeedDST) - 1);\n SHA384_Final(out, &hash_ctx);\n\n return 1;\n}\n\nstatic int compute_composite_element(const VOPRF_METHOD *method,\n uint8_t seed[SHA384_DIGEST_LENGTH],\n EC_SCALAR *di, size_t index,\n const EC_AFFINE *C, const EC_AFFINE *D) {\n static const uint8_t kCompositeLabel[] = \"Composite\";\n const EC_GROUP *group = method->group_func();\n\n if (index > UINT16_MAX) {\n return 0;\n }\n\n CBB cbb;\n uint8_t transcript[2 + SHA384_DIGEST_LENGTH + 2 + 2 * EC_MAX_COMPRESSED +\n sizeof(kCompositeLabel) - 1];\n size_t len;\n if (!CBB_init_fixed(&cbb, transcript, sizeof(transcript)) ||\n !CBB_add_u16(&cbb, SHA384_DIGEST_LENGTH) ||\n !CBB_add_bytes(&cbb, seed, SHA384_DIGEST_LENGTH) ||\n !CBB_add_u16(&cbb, index) || !cbb_serialize_point(&cbb, group, C) ||\n !cbb_serialize_point(&cbb, group, D) ||\n !CBB_add_bytes(&cbb, kCompositeLabel, sizeof(kCompositeLabel) - 1) ||\n !CBB_finish(&cbb, NULL, &len) ||\n !method->hash_to_scalar(group, di, transcript, len)) {\n return 0;\n }\n\n return 1;\n}\n\nstatic int generate_proof(const VOPRF_METHOD *method, CBB *cbb,\n const TRUST_TOKEN_ISSUER_KEY *priv,\n const EC_SCALAR *r, const EC_JACOBIAN *M,\n const EC_JACOBIAN *Z) {\n const EC_GROUP *group = method->group_func();\n\n enum {\n idx_M,\n idx_Z,\n idx_t2,\n idx_t3,\n num_idx,\n };\n EC_JACOBIAN jacobians[num_idx];\n\n if (!ec_point_mul_scalar_base(group, &jacobians[idx_t2], r) ||\n !ec_point_mul_scalar(group, &jacobians[idx_t3], M, r)) {\n return 0;\n }\n\n\n EC_AFFINE affines[num_idx];\n jacobians[idx_M] = *M;\n jacobians[idx_Z] = *Z;\n if (!ec_jacobian_to_affine_batch(group, affines, jacobians, num_idx)) {\n return 0;\n }\n\n EC_SCALAR c;\n if (!hash_to_scalar_challenge(method, &c, &priv->pubs, &affines[idx_M],\n &affines[idx_Z], &affines[idx_t2],\n &affines[idx_t3])) {\n return 0;\n }\n\n EC_SCALAR c_mont;\n ec_scalar_to_montgomery(group, &c_mont, &c);\n\n // s = r - c*xs\n EC_SCALAR s;\n ec_scalar_mul_montgomery(group, &s, &priv->xs, &c_mont);\n ec_scalar_sub(group, &s, r, &s);\n\n // Store DLEQ proof in transcript.\n if (!scalar_to_cbb(cbb, group, &c) || !scalar_to_cbb(cbb, group, &s)) {\n return 0;\n }\n\n return 1;\n}\n\nstatic int verify_proof(const VOPRF_METHOD *method, CBS *cbs,\n const TRUST_TOKEN_CLIENT_KEY *pub, const EC_JACOBIAN *M,\n const EC_JACOBIAN *Z) {\n const EC_GROUP *group = method->group_func();\n\n enum {\n idx_M,\n idx_Z,\n idx_t2,\n idx_t3,\n num_idx,\n };\n EC_JACOBIAN jacobians[num_idx];\n\n EC_SCALAR c, s;\n if (!scalar_from_cbs(cbs, group, &c) || !scalar_from_cbs(cbs, group, &s)) {\n OPENSSL_PUT_ERROR(TRUST_TOKEN, TRUST_TOKEN_R_DECODE_FAILURE);\n return 0;\n }\n\n EC_JACOBIAN pubs;\n ec_affine_to_jacobian(group, &pubs, &pub->pubs);\n if (!ec_point_mul_scalar_public(group, &jacobians[idx_t2], &s, &pubs, &c) ||\n !mul_public_2(group, &jacobians[idx_t3], M, &s, Z, &c)) {\n return 0;\n }\n\n EC_AFFINE affines[num_idx];\n jacobians[idx_M] = *M;\n jacobians[idx_Z] = *Z;\n if (!ec_jacobian_to_affine_batch(group, affines, jacobians, num_idx)) {\n return 0;\n }\n\n EC_SCALAR expected_c;\n if (!hash_to_scalar_challenge(method, &expected_c, &pub->pubs,\n &affines[idx_M], &affines[idx_Z],\n &affines[idx_t2], &affines[idx_t3])) {\n return 0;\n }\n\n // c == expected_c\n if (!ec_scalar_equal_vartime(group, &c, &expected_c)) {\n OPENSSL_PUT_ERROR(TRUST_TOKEN, TRUST_TOKEN_R_INVALID_PROOF);\n return 0;\n }\n\n return 1;\n}\n\nstatic int voprf_sign_impl(const VOPRF_METHOD *method,\n const TRUST_TOKEN_ISSUER_KEY *key, CBB *cbb,\n CBS *cbs, size_t num_requested, size_t num_to_issue,\n const EC_SCALAR *proof_scalar) {\n const EC_GROUP *group = method->group_func();\n if (num_requested < num_to_issue) {\n OPENSSL_PUT_ERROR(TRUST_TOKEN, ERR_R_INTERNAL_ERROR);\n return 0;\n }\n\n int ret = 0;\n EC_JACOBIAN *BTs = reinterpret_cast(\n OPENSSL_calloc(num_to_issue, sizeof(EC_JACOBIAN)));\n EC_JACOBIAN *Zs = reinterpret_cast(\n OPENSSL_calloc(num_to_issue, sizeof(EC_JACOBIAN)));\n EC_SCALAR *dis = reinterpret_cast(\n OPENSSL_calloc(num_to_issue, sizeof(EC_SCALAR)));\n\n {\n if (!BTs || !Zs || !dis) {\n goto err;\n }\n\n uint8_t seed[SHA384_DIGEST_LENGTH];\n if (!compute_composite_seed(method, seed, &key->pubs)) {\n goto err;\n }\n\n // This implements the BlindEvaluateBatch as defined in section 4 of\n // draft-robert-privacypass-batched-tokens-01, based on the constructions\n // in draft-irtf-cfrg-voprf-21. To optimize the computation of the proof,\n // the computation of di is done during the token signing and passed into\n // the proof generation.\n for (size_t i = 0; i < num_to_issue; i++) {\n EC_AFFINE BT_affine, Z_affine;\n EC_JACOBIAN BT, Z;\n if (!cbs_get_point(cbs, group, &BT_affine)) {\n OPENSSL_PUT_ERROR(TRUST_TOKEN, TRUST_TOKEN_R_DECODE_FAILURE);\n goto err;\n }\n ec_affine_to_jacobian(group, &BT, &BT_affine);\n if (!ec_point_mul_scalar(group, &Z, &BT, &key->xs) ||\n !ec_jacobian_to_affine(group, &Z_affine, &Z) ||\n !cbb_add_point(cbb, group, &Z_affine)) {\n goto err;\n }\n BTs[i] = BT;\n Zs[i] = Z;\n if (!compute_composite_element(method, seed, &dis[i], i, &BT_affine,\n &Z_affine)) {\n goto err;\n }\n\n if (!CBB_flush(cbb)) {\n goto err;\n }\n }\n\n EC_JACOBIAN M, Z;\n if (!ec_point_mul_scalar_public_batch(group, &M,\n /*g_scalar=*/NULL, BTs, dis,\n num_to_issue) ||\n !ec_point_mul_scalar(group, &Z, &M, &key->xs)) {\n goto err;\n }\n\n CBB proof;\n if (!CBB_add_u16_length_prefixed(cbb, &proof) ||\n !generate_proof(method, &proof, key, proof_scalar, &M, &Z) ||\n !CBB_flush(cbb)) {\n goto err;\n }\n\n // Skip over any unused requests.\n size_t point_len = ec_point_byte_len(group, POINT_CONVERSION_UNCOMPRESSED);\n if (!CBS_skip(cbs, point_len * (num_requested - num_to_issue))) {\n OPENSSL_PUT_ERROR(TRUST_TOKEN, TRUST_TOKEN_R_DECODE_FAILURE);\n goto err;\n }\n\n ret = 1;\n }\n\nerr:\n OPENSSL_free(BTs);\n OPENSSL_free(Zs);\n OPENSSL_free(dis);\n return ret;\n}\n\nstatic int voprf_sign(const VOPRF_METHOD *method,\n const TRUST_TOKEN_ISSUER_KEY *key, CBB *cbb, CBS *cbs,\n size_t num_requested, size_t num_to_issue) {\n EC_SCALAR proof_scalar;\n if (!ec_random_nonzero_scalar(method->group_func(), &proof_scalar,\n kDefaultAdditionalData)) {\n return 0;\n }\n\n return voprf_sign_impl(method, key, cbb, cbs, num_requested, num_to_issue,\n &proof_scalar);\n}\n\nstatic int voprf_sign_with_proof_scalar_for_testing(\n const VOPRF_METHOD *method, const TRUST_TOKEN_ISSUER_KEY *key, CBB *cbb,\n CBS *cbs, size_t num_requested, size_t num_to_issue,\n const uint8_t *proof_scalar_buf, size_t proof_scalar_len) {\n EC_SCALAR proof_scalar;\n if (!ec_scalar_from_bytes(method->group_func(), &proof_scalar,\n proof_scalar_buf, proof_scalar_len)) {\n return 0;\n }\n return voprf_sign_impl(method, key, cbb, cbs, num_requested, num_to_issue,\n &proof_scalar);\n}\n\nstatic STACK_OF(TRUST_TOKEN) *voprf_unblind(\n const VOPRF_METHOD *method, const TRUST_TOKEN_CLIENT_KEY *key,\n const STACK_OF(TRUST_TOKEN_PRETOKEN) *pretokens, CBS *cbs, size_t count,\n uint32_t key_id) {\n const EC_GROUP *group = method->group_func();\n if (count > sk_TRUST_TOKEN_PRETOKEN_num(pretokens)) {\n OPENSSL_PUT_ERROR(TRUST_TOKEN, TRUST_TOKEN_R_DECODE_FAILURE);\n return NULL;\n }\n\n int ok = 0;\n STACK_OF(TRUST_TOKEN) *ret = sk_TRUST_TOKEN_new_null();\n EC_JACOBIAN *BTs = reinterpret_cast(\n OPENSSL_calloc(count, sizeof(EC_JACOBIAN)));\n EC_JACOBIAN *Zs = reinterpret_cast(\n OPENSSL_calloc(count, sizeof(EC_JACOBIAN)));\n EC_SCALAR *dis =\n reinterpret_cast(OPENSSL_calloc(count, sizeof(EC_SCALAR)));\n if (ret == NULL || !BTs || !Zs || !dis) {\n goto err;\n }\n\n uint8_t seed[SHA384_DIGEST_LENGTH];\n if (!compute_composite_seed(method, seed, &key->pubs)) {\n goto err;\n }\n\n for (size_t i = 0; i < count; i++) {\n const TRUST_TOKEN_PRETOKEN *pretoken =\n sk_TRUST_TOKEN_PRETOKEN_value(pretokens, i);\n\n EC_AFFINE Z_affine;\n if (!cbs_get_point(cbs, group, &Z_affine)) {\n OPENSSL_PUT_ERROR(TRUST_TOKEN, TRUST_TOKEN_R_DECODE_FAILURE);\n goto err;\n }\n\n ec_affine_to_jacobian(group, &BTs[i], &pretoken->Tp);\n ec_affine_to_jacobian(group, &Zs[i], &Z_affine);\n if (!compute_composite_element(method, seed, &dis[i], i, &pretoken->Tp,\n &Z_affine)) {\n goto err;\n }\n\n // Unblind the token.\n // pretoken->r is rinv.\n EC_JACOBIAN N;\n EC_AFFINE N_affine;\n if (!ec_point_mul_scalar(group, &N, &Zs[i], &pretoken->r) ||\n !ec_jacobian_to_affine(group, &N_affine, &N)) {\n goto err;\n }\n\n // Serialize the token. Include |key_id| to avoid an extra copy in the layer\n // above.\n CBB token_cbb;\n size_t point_len = ec_point_byte_len(group, POINT_CONVERSION_UNCOMPRESSED);\n if (!CBB_init(&token_cbb, 4 + TRUST_TOKEN_NONCE_SIZE + (2 + point_len)) ||\n !CBB_add_u32(&token_cbb, key_id) ||\n !CBB_add_bytes(&token_cbb, pretoken->salt, TRUST_TOKEN_NONCE_SIZE) ||\n !cbb_add_point(&token_cbb, group, &N_affine) ||\n !CBB_flush(&token_cbb)) {\n CBB_cleanup(&token_cbb);\n goto err;\n }\n\n TRUST_TOKEN *token =\n TRUST_TOKEN_new(CBB_data(&token_cbb), CBB_len(&token_cbb));\n CBB_cleanup(&token_cbb);\n if (token == NULL || !sk_TRUST_TOKEN_push(ret, token)) {\n TRUST_TOKEN_free(token);\n goto err;\n }\n }\n\n EC_JACOBIAN M, Z;\n if (!ec_point_mul_scalar_public_batch(group, &M,\n /*g_scalar=*/NULL, BTs, dis, count) ||\n !ec_point_mul_scalar_public_batch(group, &Z,\n /*g_scalar=*/NULL, Zs, dis, count)) {\n goto err;\n }\n\n CBS proof;\n if (!CBS_get_u16_length_prefixed(cbs, &proof) ||\n !verify_proof(method, &proof, key, &M, &Z) || CBS_len(&proof) != 0) {\n goto err;\n }\n\n ok = 1;\n\nerr:\n OPENSSL_free(BTs);\n OPENSSL_free(Zs);\n OPENSSL_free(dis);\n if (!ok) {\n sk_TRUST_TOKEN_pop_free(ret, TRUST_TOKEN_free);\n ret = NULL;\n }\n return ret;\n}\n\nstatic int voprf_read(const VOPRF_METHOD *method,\n const TRUST_TOKEN_ISSUER_KEY *key,\n uint8_t out_nonce[TRUST_TOKEN_NONCE_SIZE],\n const uint8_t *token, size_t token_len,\n int include_message, const uint8_t *msg, size_t msg_len) {\n const EC_GROUP *group = method->group_func();\n CBS cbs, salt;\n CBS_init(&cbs, token, token_len);\n EC_AFFINE Ws;\n if (!CBS_get_bytes(&cbs, &salt, TRUST_TOKEN_NONCE_SIZE) ||\n !cbs_get_point(&cbs, group, &Ws) || CBS_len(&cbs) != 0) {\n OPENSSL_PUT_ERROR(TRUST_TOKEN, TRUST_TOKEN_R_INVALID_TOKEN);\n return 0;\n }\n\n if (include_message) {\n SHA512_CTX hash_ctx;\n assert(SHA512_DIGEST_LENGTH == TRUST_TOKEN_NONCE_SIZE);\n SHA512_Init(&hash_ctx);\n SHA512_Update(&hash_ctx, CBS_data(&salt), CBS_len(&salt));\n SHA512_Update(&hash_ctx, msg, msg_len);\n SHA512_Final(out_nonce, &hash_ctx);\n } else {\n OPENSSL_memcpy(out_nonce, CBS_data(&salt), CBS_len(&salt));\n }\n\n\n EC_JACOBIAN T;\n if (!method->hash_to_group(group, &T, out_nonce)) {\n return 0;\n }\n\n EC_JACOBIAN Ws_calculated;\n if (!ec_point_mul_scalar(group, &Ws_calculated, &T, &key->xs) ||\n !ec_affine_jacobian_equal(group, &Ws, &Ws_calculated)) {\n OPENSSL_PUT_ERROR(TRUST_TOKEN, TRUST_TOKEN_R_BAD_VALIDITY_CHECK);\n return 0;\n }\n\n return 1;\n}\n\n\n// VOPRF experiment v2.\n\nstatic int voprf_exp2_hash_to_group(const EC_GROUP *group, EC_JACOBIAN *out,\n const uint8_t t[TRUST_TOKEN_NONCE_SIZE]) {\n const uint8_t kHashTLabel[] = \"TrustToken VOPRF Experiment V2 HashToGroup\";\n return ec_hash_to_curve_p384_xmd_sha512_sswu_draft07(\n group, out, kHashTLabel, sizeof(kHashTLabel), t, TRUST_TOKEN_NONCE_SIZE);\n}\n\nstatic int voprf_exp2_hash_to_scalar(const EC_GROUP *group, EC_SCALAR *out,\n uint8_t *buf, size_t len) {\n const uint8_t kHashCLabel[] = \"TrustToken VOPRF Experiment V2 HashToScalar\";\n return ec_hash_to_scalar_p384_xmd_sha512_draft07(\n group, out, kHashCLabel, sizeof(kHashCLabel), buf, len);\n}\n\nstatic VOPRF_METHOD voprf_exp2_method = {\n EC_group_p384, voprf_exp2_hash_to_group, voprf_exp2_hash_to_scalar};\n\nint voprf_exp2_generate_key(CBB *out_private, CBB *out_public) {\n return voprf_generate_key(&voprf_exp2_method, out_private, out_public);\n}\n\nint voprf_exp2_derive_key_from_secret(CBB *out_private, CBB *out_public,\n const uint8_t *secret,\n size_t secret_len) {\n return voprf_derive_key_from_secret(&voprf_exp2_method, out_private,\n out_public, secret, secret_len);\n}\n\nint voprf_exp2_client_key_from_bytes(TRUST_TOKEN_CLIENT_KEY *key,\n const uint8_t *in, size_t len) {\n return voprf_client_key_from_bytes(&voprf_exp2_method, key, in, len);\n}\n\nint voprf_exp2_issuer_key_from_bytes(TRUST_TOKEN_ISSUER_KEY *key,\n const uint8_t *in, size_t len) {\n return voprf_issuer_key_from_bytes(&voprf_exp2_method, key, in, len);\n}\n\nSTACK_OF(TRUST_TOKEN_PRETOKEN) *voprf_exp2_blind(CBB *cbb, size_t count,\n int include_message,\n const uint8_t *msg,\n size_t msg_len) {\n return voprf_blind(&voprf_exp2_method, cbb, count, include_message, msg,\n msg_len);\n}\n\nint voprf_exp2_sign(const TRUST_TOKEN_ISSUER_KEY *key, CBB *cbb, CBS *cbs,\n size_t num_requested, size_t num_to_issue,\n uint8_t private_metadata) {\n if (private_metadata != 0) {\n return 0;\n }\n return voprf_sign_tt(&voprf_exp2_method, key, cbb, cbs, num_requested,\n num_to_issue);\n}\n\nSTACK_OF(TRUST_TOKEN) *voprf_exp2_unblind(\n const TRUST_TOKEN_CLIENT_KEY *key,\n const STACK_OF(TRUST_TOKEN_PRETOKEN) *pretokens, CBS *cbs, size_t count,\n uint32_t key_id) {\n return voprf_unblind_tt(&voprf_exp2_method, key, pretokens, cbs, count,\n key_id);\n}\n\nint voprf_exp2_read(const TRUST_TOKEN_ISSUER_KEY *key,\n uint8_t out_nonce[TRUST_TOKEN_NONCE_SIZE],\n uint8_t *out_private_metadata, const uint8_t *token,\n size_t token_len, int include_message, const uint8_t *msg,\n size_t msg_len) {\n return voprf_read(&voprf_exp2_method, key, out_nonce, token, token_len,\n include_message, msg, msg_len);\n}\n\n// VOPRF PST v1.\n\nstatic int voprf_pst1_hash_to_group(const EC_GROUP *group, EC_JACOBIAN *out,\n const uint8_t t[TRUST_TOKEN_NONCE_SIZE]) {\n const uint8_t kHashTLabel[] = \"HashToGroup-OPRFV1-\\x01-P384-SHA384\";\n return ec_hash_to_curve_p384_xmd_sha384_sswu(group, out, kHashTLabel,\n sizeof(kHashTLabel) - 1, t,\n TRUST_TOKEN_NONCE_SIZE);\n}\n\nstatic int voprf_pst1_hash_to_scalar(const EC_GROUP *group, EC_SCALAR *out,\n uint8_t *buf, size_t len) {\n const uint8_t kHashCLabel[] = \"HashToScalar-OPRFV1-\\x01-P384-SHA384\";\n return ec_hash_to_scalar_p384_xmd_sha384(group, out, kHashCLabel,\n sizeof(kHashCLabel) - 1, buf, len);\n}\n\nstatic VOPRF_METHOD voprf_pst1_method = {\n EC_group_p384, voprf_pst1_hash_to_group, voprf_pst1_hash_to_scalar};\n\nint voprf_pst1_generate_key(CBB *out_private, CBB *out_public) {\n return voprf_generate_key(&voprf_pst1_method, out_private, out_public);\n}\n\nint voprf_pst1_derive_key_from_secret(CBB *out_private, CBB *out_public,\n const uint8_t *secret,\n size_t secret_len) {\n return voprf_derive_key_from_secret(&voprf_pst1_method, out_private,\n out_public, secret, secret_len);\n}\n\nint voprf_pst1_client_key_from_bytes(TRUST_TOKEN_CLIENT_KEY *key,\n const uint8_t *in, size_t len) {\n return voprf_client_key_from_bytes(&voprf_pst1_method, key, in, len);\n}\n\nint voprf_pst1_issuer_key_from_bytes(TRUST_TOKEN_ISSUER_KEY *key,\n const uint8_t *in, size_t len) {\n return voprf_issuer_key_from_bytes(&voprf_pst1_method, key, in, len);\n}\n\nSTACK_OF(TRUST_TOKEN_PRETOKEN) *voprf_pst1_blind(CBB *cbb, size_t count,\n int include_message,\n const uint8_t *msg,\n size_t msg_len) {\n return voprf_blind(&voprf_pst1_method, cbb, count, include_message, msg,\n msg_len);\n}\n\nint voprf_pst1_sign(const TRUST_TOKEN_ISSUER_KEY *key, CBB *cbb, CBS *cbs,\n size_t num_requested, size_t num_to_issue,\n uint8_t private_metadata) {\n if (private_metadata != 0) {\n return 0;\n }\n return voprf_sign(&voprf_pst1_method, key, cbb, cbs, num_requested,\n num_to_issue);\n}\n\n\nint voprf_pst1_sign_with_proof_scalar_for_testing(\n const TRUST_TOKEN_ISSUER_KEY *key, CBB *cbb, CBS *cbs, size_t num_requested,\n size_t num_to_issue, uint8_t private_metadata,\n const uint8_t *proof_scalar_buf, size_t proof_scalar_len) {\n if (private_metadata != 0) {\n return 0;\n }\n return voprf_sign_with_proof_scalar_for_testing(\n &voprf_pst1_method, key, cbb, cbs, num_requested, num_to_issue,\n proof_scalar_buf, proof_scalar_len);\n}\n\nSTACK_OF(TRUST_TOKEN) *voprf_pst1_unblind(\n const TRUST_TOKEN_CLIENT_KEY *key,\n const STACK_OF(TRUST_TOKEN_PRETOKEN) *pretokens, CBS *cbs, size_t count,\n uint32_t key_id) {\n return voprf_unblind(&voprf_pst1_method, key, pretokens, cbs, count, key_id);\n}\n\nint voprf_pst1_read(const TRUST_TOKEN_ISSUER_KEY *key,\n uint8_t out_nonce[TRUST_TOKEN_NONCE_SIZE],\n uint8_t *out_private_metadata, const uint8_t *token,\n size_t token_len, int include_message, const uint8_t *msg,\n size_t msg_len) {\n return voprf_read(&voprf_pst1_method, key, out_nonce, token, token_len,\n include_message, msg, msg_len);\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/x509/a_digest.cc", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n#include \n#include \n#include \n\nint ASN1_digest(i2d_of_void *i2d, const EVP_MD *type, char *data,\n unsigned char *md, unsigned int *len) {\n int i, ret;\n unsigned char *str, *p;\n\n i = i2d(data, NULL);\n if ((str = (unsigned char *)OPENSSL_malloc(i)) == NULL) {\n return 0;\n }\n p = str;\n i2d(data, &p);\n\n ret = EVP_Digest(str, i, md, len, type, NULL);\n OPENSSL_free(str);\n return ret;\n}\n\nint ASN1_item_digest(const ASN1_ITEM *it, const EVP_MD *type, void *asn,\n unsigned char *md, unsigned int *len) {\n int i, ret;\n unsigned char *str = NULL;\n\n i = ASN1_item_i2d(reinterpret_cast(asn), &str, it);\n if (!str) {\n return 0;\n }\n\n ret = EVP_Digest(str, i, md, len, type, NULL);\n OPENSSL_free(str);\n return ret;\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/x509/a_sign.cc", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n#include \n#include \n#include \n#include \n#include \n#include \n\n#include \n\n#include \"internal.h\"\n\nint ASN1_item_sign(const ASN1_ITEM *it, X509_ALGOR *algor1, X509_ALGOR *algor2,\n ASN1_BIT_STRING *signature, void *asn, EVP_PKEY *pkey,\n const EVP_MD *type) {\n if (signature->type != V_ASN1_BIT_STRING) {\n OPENSSL_PUT_ERROR(ASN1, ASN1_R_WRONG_TYPE);\n return 0;\n }\n EVP_MD_CTX ctx;\n EVP_MD_CTX_init(&ctx);\n if (!EVP_DigestSignInit(&ctx, NULL, type, NULL, pkey)) {\n EVP_MD_CTX_cleanup(&ctx);\n return 0;\n }\n return ASN1_item_sign_ctx(it, algor1, algor2, signature, asn, &ctx);\n}\n\nint ASN1_item_sign_ctx(const ASN1_ITEM *it, X509_ALGOR *algor1,\n X509_ALGOR *algor2, ASN1_BIT_STRING *signature,\n void *asn, EVP_MD_CTX *ctx) {\n int ret = 0;\n uint8_t *in = NULL, *out = NULL;\n\n {\n if (signature->type != V_ASN1_BIT_STRING) {\n OPENSSL_PUT_ERROR(ASN1, ASN1_R_WRONG_TYPE);\n goto err;\n }\n\n // Write out the requested copies of the AlgorithmIdentifier.\n if (algor1 && !x509_digest_sign_algorithm(ctx, algor1)) {\n goto err;\n }\n if (algor2 && !x509_digest_sign_algorithm(ctx, algor2)) {\n goto err;\n }\n\n int in_len = ASN1_item_i2d(reinterpret_cast(asn), &in, it);\n if (in_len < 0) {\n goto err;\n }\n\n EVP_PKEY *pkey = EVP_PKEY_CTX_get0_pkey(ctx->pctx);\n size_t out_len = EVP_PKEY_size(pkey);\n if (out_len > INT_MAX) {\n OPENSSL_PUT_ERROR(X509, ERR_R_OVERFLOW);\n goto err;\n }\n\n out = reinterpret_cast(OPENSSL_malloc(out_len));\n if (out == NULL) {\n goto err;\n }\n\n if (!EVP_DigestSign(ctx, out, &out_len, in, in_len)) {\n OPENSSL_PUT_ERROR(X509, ERR_R_EVP_LIB);\n goto err;\n }\n\n ASN1_STRING_set0(signature, out, (int)out_len);\n out = NULL;\n signature->flags &= ~(ASN1_STRING_FLAG_BITS_LEFT | 0x07);\n signature->flags |= ASN1_STRING_FLAG_BITS_LEFT;\n ret = (int)out_len;\n }\n\nerr:\n EVP_MD_CTX_cleanup(ctx);\n OPENSSL_free(in);\n OPENSSL_free(out);\n return ret;\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/x509/a_verify.cc", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n#include \n\n#include \n#include \n#include \n#include \n#include \n#include \n\n#include \"internal.h\"\n\nint ASN1_item_verify(const ASN1_ITEM *it, const X509_ALGOR *a,\n const ASN1_BIT_STRING *signature, void *asn,\n EVP_PKEY *pkey) {\n if (!pkey) {\n OPENSSL_PUT_ERROR(X509, ERR_R_PASSED_NULL_PARAMETER);\n return 0;\n }\n\n size_t sig_len;\n if (signature->type == V_ASN1_BIT_STRING) {\n if (!ASN1_BIT_STRING_num_bytes(signature, &sig_len)) {\n OPENSSL_PUT_ERROR(X509, X509_R_INVALID_BIT_STRING_BITS_LEFT);\n return 0;\n }\n } else {\n sig_len = (size_t)ASN1_STRING_length(signature);\n }\n\n EVP_MD_CTX ctx;\n uint8_t *buf_in = NULL;\n int ret = 0, inl = 0;\n EVP_MD_CTX_init(&ctx);\n\n if (!x509_digest_verify_init(&ctx, a, pkey)) {\n goto err;\n }\n\n inl = ASN1_item_i2d(reinterpret_cast(asn), &buf_in, it);\n\n if (buf_in == NULL) {\n goto err;\n }\n\n if (!EVP_DigestVerify(&ctx, ASN1_STRING_get0_data(signature), sig_len, buf_in,\n inl)) {\n OPENSSL_PUT_ERROR(X509, ERR_R_EVP_LIB);\n goto err;\n }\n\n ret = 1;\n\nerr:\n OPENSSL_free(buf_in);\n EVP_MD_CTX_cleanup(&ctx);\n return ret;\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/x509/algorithm.cc", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n#include \n#include \n#include \n#include \n\n#include \"internal.h\"\n\n// Restrict the digests that are allowed in X509 certificates\nstatic int x509_digest_nid_ok(const int digest_nid) {\n switch (digest_nid) {\n case NID_md4:\n case NID_md5:\n return 0;\n }\n return 1;\n}\n\nint x509_digest_sign_algorithm(EVP_MD_CTX *ctx, X509_ALGOR *algor) {\n EVP_PKEY *pkey = EVP_PKEY_CTX_get0_pkey(ctx->pctx);\n if (pkey == NULL) {\n OPENSSL_PUT_ERROR(ASN1, ASN1_R_CONTEXT_NOT_INITIALISED);\n return 0;\n }\n\n if (EVP_PKEY_id(pkey) == EVP_PKEY_RSA) {\n int pad_mode;\n if (!EVP_PKEY_CTX_get_rsa_padding(ctx->pctx, &pad_mode)) {\n return 0;\n }\n // RSA-PSS has special signature algorithm logic.\n if (pad_mode == RSA_PKCS1_PSS_PADDING) {\n return x509_rsa_ctx_to_pss(ctx, algor);\n }\n }\n\n if (EVP_PKEY_id(pkey) == EVP_PKEY_ED25519) {\n return X509_ALGOR_set0(algor, OBJ_nid2obj(NID_ED25519), V_ASN1_UNDEF, NULL);\n }\n\n // Default behavior: look up the OID for the algorithm/hash pair and encode\n // that.\n const EVP_MD *digest = EVP_MD_CTX_get0_md(ctx);\n if (digest == NULL) {\n OPENSSL_PUT_ERROR(ASN1, ASN1_R_CONTEXT_NOT_INITIALISED);\n return 0;\n }\n\n const int digest_nid = EVP_MD_type(digest);\n int sign_nid;\n if (!x509_digest_nid_ok(digest_nid) ||\n !OBJ_find_sigid_by_algs(&sign_nid, digest_nid, EVP_PKEY_id(pkey))) {\n OPENSSL_PUT_ERROR(ASN1, ASN1_R_DIGEST_AND_KEY_TYPE_NOT_SUPPORTED);\n return 0;\n }\n\n // RSA signature algorithms include an explicit NULL parameter. Others omit\n // it.\n int paramtype =\n (EVP_PKEY_id(pkey) == EVP_PKEY_RSA) ? V_ASN1_NULL : V_ASN1_UNDEF;\n return X509_ALGOR_set0(algor, OBJ_nid2obj(sign_nid), paramtype, NULL);\n}\n\nint x509_digest_verify_init(EVP_MD_CTX *ctx, const X509_ALGOR *sigalg,\n EVP_PKEY *pkey) {\n // Convert the signature OID into digest and public key OIDs.\n int sigalg_nid = OBJ_obj2nid(sigalg->algorithm);\n int digest_nid, pkey_nid;\n if (!OBJ_find_sigid_algs(sigalg_nid, &digest_nid, &pkey_nid)) {\n OPENSSL_PUT_ERROR(ASN1, ASN1_R_UNKNOWN_SIGNATURE_ALGORITHM);\n return 0;\n }\n\n // Check the public key OID matches the public key type.\n if (pkey_nid != EVP_PKEY_id(pkey)) {\n OPENSSL_PUT_ERROR(ASN1, ASN1_R_WRONG_PUBLIC_KEY_TYPE);\n return 0;\n }\n\n // Check for permitted digest algorithms\n if (!x509_digest_nid_ok(digest_nid)) {\n OPENSSL_PUT_ERROR(ASN1, ASN1_R_DIGEST_AND_KEY_TYPE_NOT_SUPPORTED);\n return 0;\n }\n\n // NID_undef signals that there are custom parameters to set.\n if (digest_nid == NID_undef) {\n if (sigalg_nid == NID_rsassaPss) {\n return x509_rsa_pss_to_ctx(ctx, sigalg, pkey);\n }\n if (sigalg_nid == NID_ED25519) {\n if (sigalg->parameter != NULL) {\n OPENSSL_PUT_ERROR(X509, X509_R_INVALID_PARAMETER);\n return 0;\n }\n return EVP_DigestVerifyInit(ctx, NULL, NULL, NULL, pkey);\n }\n OPENSSL_PUT_ERROR(ASN1, ASN1_R_UNKNOWN_SIGNATURE_ALGORITHM);\n return 0;\n }\n\n // The parameter should be an explicit NULL for RSA and omitted for ECDSA. For\n // compatibility, we allow either for both algorithms. See b/167375496.\n //\n // TODO(davidben): Chromium's verifier allows both forms for RSA, but enforces\n // ECDSA more strictly. Align with Chromium and add a flag for b/167375496.\n if (sigalg->parameter != NULL && sigalg->parameter->type != V_ASN1_NULL) {\n OPENSSL_PUT_ERROR(X509, X509_R_INVALID_PARAMETER);\n return 0;\n }\n\n // Otherwise, initialize with the digest from the OID.\n const EVP_MD *digest = EVP_get_digestbynid(digest_nid);\n if (digest == NULL) {\n OPENSSL_PUT_ERROR(ASN1, ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM);\n return 0;\n }\n\n return EVP_DigestVerifyInit(ctx, NULL, digest, NULL, pkey);\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/x509/asn1_gen.cc", "content": "/*\n * Copyright 2002-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n#include \n#include \n#include \n\n#include \n#include \n#include \n#include \n\n#include \"../conf/internal.h\"\n#include \"../internal.h\"\n#include \"internal.h\"\n\n\n// Although this file is in crypto/x509 for layering purposes, it emits\n// errors from the ASN.1 module for OpenSSL compatibility.\n\n// ASN1_GEN_MAX_DEPTH is the maximum number of nested TLVs allowed.\n#define ASN1_GEN_MAX_DEPTH 50\n\n// ASN1_GEN_MAX_OUTPUT is the maximum output, in bytes, allowed. This limit is\n// necessary because the SEQUENCE and SET section reference mechanism allows the\n// output length to grow super-linearly with the input length.\n#define ASN1_GEN_MAX_OUTPUT (64 * 1024)\n\n// ASN1_GEN_FORMAT_* are the values for the format modifiers.\n#define ASN1_GEN_FORMAT_ASCII 1\n#define ASN1_GEN_FORMAT_UTF8 2\n#define ASN1_GEN_FORMAT_HEX 3\n#define ASN1_GEN_FORMAT_BITLIST 4\n\n// generate_v3 converts |str| into an ASN.1 structure and writes the result to\n// |cbb|. It returns one on success and zero on error. |depth| bounds recursion,\n// and |format| specifies the current format modifier.\n//\n// If |tag| is non-zero, the structure is implicitly tagged with |tag|. |tag|\n// must not have the constructed bit set.\nstatic int generate_v3(CBB *cbb, const char *str, const X509V3_CTX *cnf,\n CBS_ASN1_TAG tag, int format, int depth);\n\nstatic int bitstr_cb(const char *elem, size_t len, void *bitstr);\n\nASN1_TYPE *ASN1_generate_v3(const char *str, const X509V3_CTX *cnf) {\n CBB cbb;\n if (!CBB_init(&cbb, 0) || //\n !generate_v3(&cbb, str, cnf, /*tag=*/0, ASN1_GEN_FORMAT_ASCII,\n /*depth=*/0)) {\n CBB_cleanup(&cbb);\n return NULL;\n }\n\n // While not strictly necessary to avoid a DoS (we rely on any super-linear\n // checks being performed internally), cap the overall output to\n // |ASN1_GEN_MAX_OUTPUT| so the externally-visible behavior is consistent.\n if (CBB_len(&cbb) > ASN1_GEN_MAX_OUTPUT) {\n OPENSSL_PUT_ERROR(ASN1, ASN1_R_TOO_LONG);\n CBB_cleanup(&cbb);\n return NULL;\n }\n\n const uint8_t *der = CBB_data(&cbb);\n ASN1_TYPE *ret = d2i_ASN1_TYPE(NULL, &der, CBB_len(&cbb));\n CBB_cleanup(&cbb);\n return ret;\n}\n\nstatic int cbs_str_equal(const CBS *cbs, const char *str) {\n return CBS_len(cbs) == strlen(str) &&\n OPENSSL_memcmp(CBS_data(cbs), str, strlen(str)) == 0;\n}\n\n// parse_tag decodes a tag specifier in |cbs|. It returns the tag on success or\n// zero on error.\nstatic CBS_ASN1_TAG parse_tag(const CBS *cbs) {\n CBS copy = *cbs;\n uint64_t num;\n if (!CBS_get_u64_decimal(©, &num) || num > CBS_ASN1_TAG_NUMBER_MASK) {\n OPENSSL_PUT_ERROR(ASN1, ASN1_R_INVALID_NUMBER);\n return 0;\n }\n\n CBS_ASN1_TAG tag_class = CBS_ASN1_CONTEXT_SPECIFIC;\n // The tag may be suffixed by a class.\n uint8_t c;\n if (CBS_get_u8(©, &c)) {\n switch (c) {\n case 'U':\n tag_class = CBS_ASN1_UNIVERSAL;\n break;\n case 'A':\n tag_class = CBS_ASN1_APPLICATION;\n break;\n case 'P':\n tag_class = CBS_ASN1_PRIVATE;\n break;\n case 'C':\n tag_class = CBS_ASN1_CONTEXT_SPECIFIC;\n break;\n default: {\n OPENSSL_PUT_ERROR(ASN1, ASN1_R_INVALID_MODIFIER);\n return 0;\n }\n }\n if (CBS_len(©) != 0) {\n OPENSSL_PUT_ERROR(ASN1, ASN1_R_INVALID_MODIFIER);\n return 0;\n }\n }\n\n // Tag [UNIVERSAL 0] is reserved for indefinite-length end-of-contents. We\n // also use zero in this file to indicator no explicit tagging.\n if (tag_class == CBS_ASN1_UNIVERSAL && num == 0) {\n OPENSSL_PUT_ERROR(ASN1, ASN1_R_INVALID_NUMBER);\n return 0;\n }\n\n return tag_class | (CBS_ASN1_TAG)num;\n}\n\nstatic int generate_wrapped(CBB *cbb, const char *str, const X509V3_CTX *cnf,\n CBS_ASN1_TAG tag, int padding, int format,\n int depth) {\n CBB child;\n return CBB_add_asn1(cbb, &child, tag) &&\n (!padding || CBB_add_u8(&child, 0)) &&\n generate_v3(&child, str, cnf, /*tag=*/0, format, depth + 1) &&\n CBB_flush(cbb);\n}\n\nstatic int generate_v3(CBB *cbb, const char *str, const X509V3_CTX *cnf,\n CBS_ASN1_TAG tag, int format, int depth) {\n assert((tag & CBS_ASN1_CONSTRUCTED) == 0);\n if (depth > ASN1_GEN_MAX_DEPTH) {\n OPENSSL_PUT_ERROR(ASN1, ASN1_R_ILLEGAL_NESTED_TAGGING);\n return 0;\n }\n\n // Process modifiers. This function uses a mix of NUL-terminated strings and\n // |CBS|. Several functions only work with NUL-terminated strings, so we need\n // to keep track of when a slice spans the whole buffer.\n for (;;) {\n // Skip whitespace.\n while (*str != '\\0' && OPENSSL_isspace((unsigned char)*str)) {\n str++;\n }\n\n // Modifiers end at commas.\n const char *comma = strchr(str, ',');\n if (comma == NULL) {\n break;\n }\n\n // Remove trailing whitespace.\n CBS modifier;\n CBS_init(&modifier, (const uint8_t *)str, comma - str);\n for (;;) {\n uint8_t v;\n CBS copy = modifier;\n if (!CBS_get_last_u8(©, &v) || !OPENSSL_isspace(v)) {\n break;\n }\n modifier = copy;\n }\n\n // Advance the string past the modifier, but save the original value. We\n // will need to rewind if this is not a recognized modifier.\n const char *str_old = str;\n str = comma + 1;\n\n // Each modifier is either NAME:VALUE or NAME.\n CBS name;\n int has_value = CBS_get_until_first(&modifier, &name, ':');\n if (has_value) {\n CBS_skip(&modifier, 1); // Skip the colon.\n } else {\n name = modifier;\n CBS_init(&modifier, NULL, 0);\n }\n\n if (cbs_str_equal(&name, \"FORMAT\") || cbs_str_equal(&name, \"FORM\")) {\n if (cbs_str_equal(&modifier, \"ASCII\")) {\n format = ASN1_GEN_FORMAT_ASCII;\n } else if (cbs_str_equal(&modifier, \"UTF8\")) {\n format = ASN1_GEN_FORMAT_UTF8;\n } else if (cbs_str_equal(&modifier, \"HEX\")) {\n format = ASN1_GEN_FORMAT_HEX;\n } else if (cbs_str_equal(&modifier, \"BITLIST\")) {\n format = ASN1_GEN_FORMAT_BITLIST;\n } else {\n OPENSSL_PUT_ERROR(ASN1, ASN1_R_UNKNOWN_FORMAT);\n return 0;\n }\n } else if (cbs_str_equal(&name, \"IMP\") ||\n cbs_str_equal(&name, \"IMPLICIT\")) {\n if (tag != 0) {\n OPENSSL_PUT_ERROR(ASN1, ASN1_R_ILLEGAL_NESTED_TAGGING);\n return 0;\n }\n tag = parse_tag(&modifier);\n if (tag == 0) {\n return 0;\n }\n } else if (cbs_str_equal(&name, \"EXP\") ||\n cbs_str_equal(&name, \"EXPLICIT\")) {\n // It would actually be supportable, but OpenSSL does not allow wrapping\n // an explicit tag in an implicit tag.\n if (tag != 0) {\n OPENSSL_PUT_ERROR(ASN1, ASN1_R_ILLEGAL_NESTED_TAGGING);\n return 0;\n }\n tag = parse_tag(&modifier);\n return tag != 0 &&\n generate_wrapped(cbb, str, cnf, tag | CBS_ASN1_CONSTRUCTED,\n /*padding=*/0, format, depth);\n } else if (cbs_str_equal(&name, \"OCTWRAP\")) {\n tag = tag == 0 ? CBS_ASN1_OCTETSTRING : tag;\n return generate_wrapped(cbb, str, cnf, tag, /*padding=*/0, format, depth);\n } else if (cbs_str_equal(&name, \"BITWRAP\")) {\n tag = tag == 0 ? CBS_ASN1_BITSTRING : tag;\n return generate_wrapped(cbb, str, cnf, tag, /*padding=*/1, format, depth);\n } else if (cbs_str_equal(&name, \"SEQWRAP\")) {\n tag = tag == 0 ? CBS_ASN1_SEQUENCE : (tag | CBS_ASN1_CONSTRUCTED);\n tag |= CBS_ASN1_CONSTRUCTED;\n return generate_wrapped(cbb, str, cnf, tag, /*padding=*/0, format, depth);\n } else if (cbs_str_equal(&name, \"SETWRAP\")) {\n tag = tag == 0 ? CBS_ASN1_SET : (tag | CBS_ASN1_CONSTRUCTED);\n return generate_wrapped(cbb, str, cnf, tag, /*padding=*/0, format, depth);\n } else {\n // If this was not a recognized modifier, rewind |str| to before splitting\n // on the comma. The type itself consumes all remaining input.\n str = str_old;\n break;\n }\n }\n\n // The final element is, like modifiers, NAME:VALUE or NAME, but VALUE spans\n // the length of the string, including any commas.\n const char *colon = strchr(str, ':');\n CBS name;\n const char *value;\n int has_value = colon != NULL;\n if (has_value) {\n CBS_init(&name, (const uint8_t *)str, colon - str);\n value = colon + 1;\n } else {\n CBS_init(&name, (const uint8_t *)str, strlen(str));\n value = \"\"; // Most types treat missing and empty value equivalently.\n }\n\n static const struct {\n const char *name;\n CBS_ASN1_TAG type;\n } kTypes[] = {\n {\"BOOL\", CBS_ASN1_BOOLEAN},\n {\"BOOLEAN\", CBS_ASN1_BOOLEAN},\n {\"NULL\", CBS_ASN1_NULL},\n {\"INT\", CBS_ASN1_INTEGER},\n {\"INTEGER\", CBS_ASN1_INTEGER},\n {\"ENUM\", CBS_ASN1_ENUMERATED},\n {\"ENUMERATED\", CBS_ASN1_ENUMERATED},\n {\"OID\", CBS_ASN1_OBJECT},\n {\"OBJECT\", CBS_ASN1_OBJECT},\n {\"UTCTIME\", CBS_ASN1_UTCTIME},\n {\"UTC\", CBS_ASN1_UTCTIME},\n {\"GENERALIZEDTIME\", CBS_ASN1_GENERALIZEDTIME},\n {\"GENTIME\", CBS_ASN1_GENERALIZEDTIME},\n {\"OCT\", CBS_ASN1_OCTETSTRING},\n {\"OCTETSTRING\", CBS_ASN1_OCTETSTRING},\n {\"BITSTR\", CBS_ASN1_BITSTRING},\n {\"BITSTRING\", CBS_ASN1_BITSTRING},\n {\"UNIVERSALSTRING\", CBS_ASN1_UNIVERSALSTRING},\n {\"UNIV\", CBS_ASN1_UNIVERSALSTRING},\n {\"IA5\", CBS_ASN1_IA5STRING},\n {\"IA5STRING\", CBS_ASN1_IA5STRING},\n {\"UTF8\", CBS_ASN1_UTF8STRING},\n {\"UTF8String\", CBS_ASN1_UTF8STRING},\n {\"BMP\", CBS_ASN1_BMPSTRING},\n {\"BMPSTRING\", CBS_ASN1_BMPSTRING},\n {\"PRINTABLESTRING\", CBS_ASN1_PRINTABLESTRING},\n {\"PRINTABLE\", CBS_ASN1_PRINTABLESTRING},\n {\"T61\", CBS_ASN1_T61STRING},\n {\"T61STRING\", CBS_ASN1_T61STRING},\n {\"TELETEXSTRING\", CBS_ASN1_T61STRING},\n {\"SEQUENCE\", CBS_ASN1_SEQUENCE},\n {\"SEQ\", CBS_ASN1_SEQUENCE},\n {\"SET\", CBS_ASN1_SET},\n };\n CBS_ASN1_TAG type = 0;\n for (size_t i = 0; i < OPENSSL_ARRAY_SIZE(kTypes); i++) {\n if (cbs_str_equal(&name, kTypes[i].name)) {\n type = kTypes[i].type;\n break;\n }\n }\n if (type == 0) {\n OPENSSL_PUT_ERROR(ASN1, ASN1_R_UNKNOWN_TAG);\n return 0;\n }\n\n // If there is an implicit tag, use the constructed bit from the base type.\n tag = tag == 0 ? type : (tag | (type & CBS_ASN1_CONSTRUCTED));\n CBB child;\n if (!CBB_add_asn1(cbb, &child, tag)) {\n return 0;\n }\n\n switch (type) {\n case CBS_ASN1_NULL:\n if (*value != '\\0') {\n OPENSSL_PUT_ERROR(ASN1, ASN1_R_ILLEGAL_NULL_VALUE);\n return 0;\n }\n return CBB_flush(cbb);\n\n case CBS_ASN1_BOOLEAN: {\n if (format != ASN1_GEN_FORMAT_ASCII) {\n OPENSSL_PUT_ERROR(ASN1, ASN1_R_NOT_ASCII_FORMAT);\n return 0;\n }\n ASN1_BOOLEAN boolean;\n if (!X509V3_bool_from_string(value, &boolean)) {\n OPENSSL_PUT_ERROR(ASN1, ASN1_R_ILLEGAL_BOOLEAN);\n return 0;\n }\n return CBB_add_u8(&child, boolean ? 0xff : 0x00) && CBB_flush(cbb);\n }\n\n case CBS_ASN1_INTEGER:\n case CBS_ASN1_ENUMERATED: {\n if (format != ASN1_GEN_FORMAT_ASCII) {\n OPENSSL_PUT_ERROR(ASN1, ASN1_R_INTEGER_NOT_ASCII_FORMAT);\n return 0;\n }\n ASN1_INTEGER *obj = s2i_ASN1_INTEGER(NULL, value);\n if (obj == NULL) {\n OPENSSL_PUT_ERROR(ASN1, ASN1_R_ILLEGAL_INTEGER);\n return 0;\n }\n int len = i2c_ASN1_INTEGER(obj, NULL);\n uint8_t *out;\n int ok = len > 0 && //\n CBB_add_space(&child, &out, len) &&\n i2c_ASN1_INTEGER(obj, &out) == len && CBB_flush(cbb);\n ASN1_INTEGER_free(obj);\n return ok;\n }\n\n case CBS_ASN1_OBJECT: {\n if (format != ASN1_GEN_FORMAT_ASCII) {\n OPENSSL_PUT_ERROR(ASN1, ASN1_R_OBJECT_NOT_ASCII_FORMAT);\n return 0;\n }\n ASN1_OBJECT *obj = OBJ_txt2obj(value, /*dont_search_names=*/0);\n if (obj == NULL || obj->length == 0) {\n OPENSSL_PUT_ERROR(ASN1, ASN1_R_ILLEGAL_OBJECT);\n return 0;\n }\n int ok = CBB_add_bytes(&child, obj->data, obj->length) && CBB_flush(cbb);\n ASN1_OBJECT_free(obj);\n return ok;\n }\n\n case CBS_ASN1_UTCTIME:\n case CBS_ASN1_GENERALIZEDTIME: {\n if (format != ASN1_GEN_FORMAT_ASCII) {\n OPENSSL_PUT_ERROR(ASN1, ASN1_R_TIME_NOT_ASCII_FORMAT);\n return 0;\n }\n CBS value_cbs;\n CBS_init(&value_cbs, (const uint8_t *)value, strlen(value));\n int ok = type == CBS_ASN1_UTCTIME\n ? CBS_parse_utc_time(&value_cbs, NULL,\n /*allow_timezone_offset=*/0)\n : CBS_parse_generalized_time(&value_cbs, NULL,\n /*allow_timezone_offset=*/0);\n if (!ok) {\n OPENSSL_PUT_ERROR(ASN1, ASN1_R_ILLEGAL_TIME_VALUE);\n return 0;\n }\n return CBB_add_bytes(&child, (const uint8_t *)value, strlen(value)) &&\n CBB_flush(cbb);\n }\n\n case CBS_ASN1_UNIVERSALSTRING:\n case CBS_ASN1_IA5STRING:\n case CBS_ASN1_UTF8STRING:\n case CBS_ASN1_BMPSTRING:\n case CBS_ASN1_PRINTABLESTRING:\n case CBS_ASN1_T61STRING: {\n int encoding;\n if (format == ASN1_GEN_FORMAT_ASCII) {\n encoding = MBSTRING_ASC;\n } else if (format == ASN1_GEN_FORMAT_UTF8) {\n encoding = MBSTRING_UTF8;\n } else {\n OPENSSL_PUT_ERROR(ASN1, ASN1_R_ILLEGAL_FORMAT);\n return 0;\n }\n\n // |maxsize| is measured in code points, rather than bytes, but pass it in\n // as a loose cap so fuzzers can exit from excessively long inputs\n // earlier. This limit is not load-bearing because |ASN1_mbstring_ncopy|'s\n // output is already linear in the input.\n ASN1_STRING *obj = NULL;\n if (ASN1_mbstring_ncopy(&obj, (const uint8_t *)value, -1, encoding,\n ASN1_tag2bit(type), /*minsize=*/0,\n /*maxsize=*/ASN1_GEN_MAX_OUTPUT) <= 0) {\n return 0;\n }\n int ok = CBB_add_bytes(&child, obj->data, obj->length) && CBB_flush(cbb);\n ASN1_STRING_free(obj);\n return ok;\n }\n\n case CBS_ASN1_BITSTRING:\n if (format == ASN1_GEN_FORMAT_BITLIST) {\n ASN1_BIT_STRING *obj = ASN1_BIT_STRING_new();\n if (obj == NULL) {\n return 0;\n }\n if (!CONF_parse_list(value, ',', 1, bitstr_cb, obj)) {\n OPENSSL_PUT_ERROR(ASN1, ASN1_R_LIST_ERROR);\n ASN1_BIT_STRING_free(obj);\n return 0;\n }\n int len = i2c_ASN1_BIT_STRING(obj, NULL);\n uint8_t *out;\n int ok = len > 0 && //\n CBB_add_space(&child, &out, len) &&\n i2c_ASN1_BIT_STRING(obj, &out) == len && //\n CBB_flush(cbb);\n ASN1_BIT_STRING_free(obj);\n return ok;\n }\n\n // The other formats are the same as OCTET STRING, but with the leading\n // zero bytes.\n if (!CBB_add_u8(&child, 0)) {\n return 0;\n }\n [[fallthrough]];\n\n case CBS_ASN1_OCTETSTRING:\n if (format == ASN1_GEN_FORMAT_ASCII) {\n return CBB_add_bytes(&child, (const uint8_t *)value, strlen(value)) &&\n CBB_flush(cbb);\n }\n if (format == ASN1_GEN_FORMAT_HEX) {\n size_t len;\n uint8_t *data = x509v3_hex_to_bytes(value, &len);\n if (data == NULL) {\n OPENSSL_PUT_ERROR(ASN1, ASN1_R_ILLEGAL_HEX);\n return 0;\n }\n int ok = CBB_add_bytes(&child, data, len) && CBB_flush(cbb);\n OPENSSL_free(data);\n return ok;\n }\n\n OPENSSL_PUT_ERROR(ASN1, ASN1_R_ILLEGAL_BITSTRING_FORMAT);\n return 0;\n\n case CBS_ASN1_SEQUENCE:\n case CBS_ASN1_SET:\n if (has_value) {\n if (cnf == NULL) {\n OPENSSL_PUT_ERROR(ASN1, ASN1_R_SEQUENCE_OR_SET_NEEDS_CONFIG);\n return 0;\n }\n const STACK_OF(CONF_VALUE) *section = X509V3_get_section(cnf, value);\n if (section == NULL) {\n OPENSSL_PUT_ERROR(ASN1, ASN1_R_SEQUENCE_OR_SET_NEEDS_CONFIG);\n return 0;\n }\n for (size_t i = 0; i < sk_CONF_VALUE_num(section); i++) {\n const CONF_VALUE *conf = sk_CONF_VALUE_value(section, i);\n if (!generate_v3(&child, conf->value, cnf, /*tag=*/0,\n ASN1_GEN_FORMAT_ASCII, depth + 1)) {\n return 0;\n }\n // This recursive call, by referencing |section|, is the one place\n // where |generate_v3|'s output can be super-linear in the input.\n // Check bounds here.\n if (CBB_len(&child) > ASN1_GEN_MAX_OUTPUT) {\n OPENSSL_PUT_ERROR(ASN1, ASN1_R_TOO_LONG);\n return 0;\n }\n }\n }\n if (type == CBS_ASN1_SET) {\n // The SET type here is a SET OF and must be sorted.\n return CBB_flush_asn1_set_of(&child) && CBB_flush(cbb);\n }\n return CBB_flush(cbb);\n\n default:\n OPENSSL_PUT_ERROR(ASN1, ERR_R_INTERNAL_ERROR);\n return 0;\n }\n}\n\nstatic int bitstr_cb(const char *elem, size_t len, void *bitstr) {\n CBS cbs;\n CBS_init(&cbs, (const uint8_t *)elem, len);\n uint64_t bitnum;\n if (!CBS_get_u64_decimal(&cbs, &bitnum) || CBS_len(&cbs) != 0 ||\n // Cap the highest allowed bit so this mechanism cannot be used to create\n // extremely large allocations with short inputs. The highest named bit in\n // RFC 5280 is 8, so 256 should give comfortable margin but still only\n // allow a 32-byte allocation.\n //\n // We do not consider this function to be safe with untrusted inputs (even\n // without bugs, it is prone to string injection vulnerabilities), so DoS\n // is not truly a concern, but the limit is necessary to keep fuzzing\n // effective.\n bitnum > 256) {\n OPENSSL_PUT_ERROR(ASN1, ASN1_R_INVALID_NUMBER);\n return 0;\n }\n if (!ASN1_BIT_STRING_set_bit(reinterpret_cast(bitstr),\n (int)bitnum, 1)) {\n return 0;\n }\n return 1;\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/x509/by_dir.cc", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n#include \n\n#include \n#include \n#include \n#include \n#include \n\n#include \"../internal.h\"\n#include \"internal.h\"\n\ntypedef struct lookup_dir_hashes_st {\n uint32_t hash;\n int suffix;\n} BY_DIR_HASH;\n\ntypedef struct lookup_dir_entry_st {\n CRYPTO_MUTEX lock;\n char *dir;\n int dir_type;\n STACK_OF(BY_DIR_HASH) *hashes;\n} BY_DIR_ENTRY;\n\ntypedef struct lookup_dir_st {\n STACK_OF(BY_DIR_ENTRY) *dirs;\n} BY_DIR;\n\nDEFINE_STACK_OF(BY_DIR_HASH)\nDEFINE_STACK_OF(BY_DIR_ENTRY)\n\nstatic int dir_ctrl(X509_LOOKUP *ctx, int cmd, const char *argp, long argl,\n char **ret);\nstatic int new_dir(X509_LOOKUP *lu);\nstatic void free_dir(X509_LOOKUP *lu);\nstatic int add_cert_dir(BY_DIR *ctx, const char *dir, int type);\nstatic int get_cert_by_subject(X509_LOOKUP *xl, int type, X509_NAME *name,\n X509_OBJECT *ret);\nstatic const X509_LOOKUP_METHOD x509_dir_lookup = {\n new_dir, // new\n free_dir, // free\n dir_ctrl, // ctrl\n get_cert_by_subject, // get_by_subject\n};\n\nconst X509_LOOKUP_METHOD *X509_LOOKUP_hash_dir(void) {\n return &x509_dir_lookup;\n}\n\nstatic int dir_ctrl(X509_LOOKUP *ctx, int cmd, const char *argp, long argl,\n char **retp) {\n int ret = 0;\n char *dir = NULL;\n\n BY_DIR *ld = reinterpret_cast(ctx->method_data);\n\n switch (cmd) {\n case X509_L_ADD_DIR:\n if (argl == X509_FILETYPE_DEFAULT) {\n dir = (char *)getenv(X509_get_default_cert_dir_env());\n if (dir) {\n ret = add_cert_dir(ld, dir, X509_FILETYPE_PEM);\n } else {\n ret =\n add_cert_dir(ld, X509_get_default_cert_dir(), X509_FILETYPE_PEM);\n }\n if (!ret) {\n OPENSSL_PUT_ERROR(X509, X509_R_LOADING_CERT_DIR);\n }\n } else {\n ret = add_cert_dir(ld, argp, (int)argl);\n }\n break;\n }\n return ret;\n}\n\nstatic int new_dir(X509_LOOKUP *lu) {\n BY_DIR *a;\n\n if ((a = (BY_DIR *)OPENSSL_malloc(sizeof(BY_DIR))) == NULL) {\n return 0;\n }\n a->dirs = NULL;\n lu->method_data = a;\n return 1;\n}\n\nstatic void by_dir_hash_free(BY_DIR_HASH *hash) { OPENSSL_free(hash); }\n\nstatic int by_dir_hash_cmp(const BY_DIR_HASH *const *a,\n const BY_DIR_HASH *const *b) {\n if ((*a)->hash > (*b)->hash) {\n return 1;\n }\n if ((*a)->hash < (*b)->hash) {\n return -1;\n }\n return 0;\n}\n\nstatic void by_dir_entry_free(BY_DIR_ENTRY *ent) {\n if (ent != NULL) {\n CRYPTO_MUTEX_cleanup(&ent->lock);\n OPENSSL_free(ent->dir);\n sk_BY_DIR_HASH_pop_free(ent->hashes, by_dir_hash_free);\n OPENSSL_free(ent);\n }\n}\n\nstatic void free_dir(X509_LOOKUP *lu) {\n BY_DIR *a = reinterpret_cast(lu->method_data);\n if (a != NULL) {\n sk_BY_DIR_ENTRY_pop_free(a->dirs, by_dir_entry_free);\n OPENSSL_free(a);\n }\n}\n\n#if defined(OPENSSL_WINDOWS)\n#define DIR_HASH_SEPARATOR ';'\n#else\n#define DIR_HASH_SEPARATOR ':'\n#endif\n\nstatic int add_cert_dir(BY_DIR *ctx, const char *dir, int type) {\n size_t j, len;\n const char *s, *ss, *p;\n\n if (dir == NULL || !*dir) {\n OPENSSL_PUT_ERROR(X509, X509_R_INVALID_DIRECTORY);\n return 0;\n }\n\n s = dir;\n p = s;\n do {\n if (*p == DIR_HASH_SEPARATOR || *p == '\\0') {\n BY_DIR_ENTRY *ent;\n ss = s;\n s = p + 1;\n len = p - ss;\n if (len == 0) {\n continue;\n }\n for (j = 0; j < sk_BY_DIR_ENTRY_num(ctx->dirs); j++) {\n ent = sk_BY_DIR_ENTRY_value(ctx->dirs, j);\n if (strlen(ent->dir) == len && strncmp(ent->dir, ss, len) == 0) {\n break;\n }\n }\n if (j < sk_BY_DIR_ENTRY_num(ctx->dirs)) {\n continue;\n }\n if (ctx->dirs == NULL) {\n ctx->dirs = sk_BY_DIR_ENTRY_new_null();\n if (!ctx->dirs) {\n return 0;\n }\n }\n ent = reinterpret_cast(\n OPENSSL_malloc(sizeof(BY_DIR_ENTRY)));\n if (!ent) {\n return 0;\n }\n CRYPTO_MUTEX_init(&ent->lock);\n ent->dir_type = type;\n ent->hashes = sk_BY_DIR_HASH_new(by_dir_hash_cmp);\n ent->dir = OPENSSL_strndup(ss, len);\n if (ent->dir == NULL || ent->hashes == NULL ||\n !sk_BY_DIR_ENTRY_push(ctx->dirs, ent)) {\n by_dir_entry_free(ent);\n return 0;\n }\n }\n } while (*p++ != '\\0');\n return 1;\n}\n\nstatic int get_cert_by_subject(X509_LOOKUP *xl, int type, X509_NAME *name,\n X509_OBJECT *ret) {\n union {\n struct {\n X509 st_x509;\n X509_CINF st_x509_cinf;\n } x509;\n struct {\n X509_CRL st_crl;\n X509_CRL_INFO st_crl_info;\n } crl;\n } data;\n int ok = 0;\n size_t i;\n int k;\n uint32_t h;\n uint32_t hash_array[2];\n int hash_index;\n char *b = NULL;\n X509_OBJECT stmp, *tmp;\n const char *postfix = \"\";\n\n if (name == NULL) {\n return 0;\n }\n\n stmp.type = type;\n BY_DIR *ctx = reinterpret_cast(xl->method_data);\n if (type == X509_LU_X509) {\n data.x509.st_x509.cert_info = &data.x509.st_x509_cinf;\n data.x509.st_x509_cinf.subject = name;\n stmp.data.x509 = &data.x509.st_x509;\n postfix = \"\";\n } else if (type == X509_LU_CRL) {\n data.crl.st_crl.crl = &data.crl.st_crl_info;\n data.crl.st_crl_info.issuer = name;\n stmp.data.crl = &data.crl.st_crl;\n postfix = \"r\";\n } else {\n OPENSSL_PUT_ERROR(X509, X509_R_WRONG_LOOKUP_TYPE);\n goto finish;\n }\n\n hash_array[0] = X509_NAME_hash(name);\n hash_array[1] = X509_NAME_hash_old(name);\n for (hash_index = 0; hash_index < 2; ++hash_index) {\n h = hash_array[hash_index];\n for (i = 0; i < sk_BY_DIR_ENTRY_num(ctx->dirs); i++) {\n BY_DIR_ENTRY *ent;\n size_t idx;\n BY_DIR_HASH htmp, *hent;\n ent = sk_BY_DIR_ENTRY_value(ctx->dirs, i);\n if (type == X509_LU_CRL && ent->hashes) {\n htmp.hash = h;\n CRYPTO_MUTEX_lock_read(&ent->lock);\n if (sk_BY_DIR_HASH_find(ent->hashes, &idx, &htmp)) {\n hent = sk_BY_DIR_HASH_value(ent->hashes, idx);\n k = hent->suffix;\n } else {\n hent = NULL;\n k = 0;\n }\n CRYPTO_MUTEX_unlock_read(&ent->lock);\n } else {\n k = 0;\n hent = NULL;\n }\n for (;;) {\n OPENSSL_free(b);\n if (OPENSSL_asprintf(&b, \"%s/%08\" PRIx32 \".%s%d\", ent->dir, h, postfix,\n k) == -1) {\n OPENSSL_PUT_ERROR(X509, ERR_R_BUF_LIB);\n b = nullptr;\n goto finish;\n }\n if (type == X509_LU_X509) {\n if ((X509_load_cert_file(xl, b, ent->dir_type)) == 0) {\n // Don't expose the lower level error, All of these boil\n // down to \"we could not find a CA\".\n ERR_clear_error();\n break;\n }\n } else if (type == X509_LU_CRL) {\n if ((X509_load_crl_file(xl, b, ent->dir_type)) == 0) {\n // Don't expose the lower level error, All of these boil\n // down to \"we could not find a CRL\".\n ERR_clear_error();\n break;\n }\n }\n // The lack of a CA or CRL will be caught higher up\n k++;\n }\n\n // we have added it to the cache so now pull it out again\n CRYPTO_MUTEX_lock_write(&xl->store_ctx->objs_lock);\n tmp = NULL;\n sk_X509_OBJECT_sort(xl->store_ctx->objs);\n if (sk_X509_OBJECT_find(xl->store_ctx->objs, &idx, &stmp)) {\n tmp = sk_X509_OBJECT_value(xl->store_ctx->objs, idx);\n }\n CRYPTO_MUTEX_unlock_write(&xl->store_ctx->objs_lock);\n\n // If a CRL, update the last file suffix added for this\n\n if (type == X509_LU_CRL) {\n CRYPTO_MUTEX_lock_write(&ent->lock);\n // Look for entry again in case another thread added an entry\n // first.\n if (!hent) {\n htmp.hash = h;\n sk_BY_DIR_HASH_sort(ent->hashes);\n if (sk_BY_DIR_HASH_find(ent->hashes, &idx, &htmp)) {\n hent = sk_BY_DIR_HASH_value(ent->hashes, idx);\n }\n }\n if (!hent) {\n hent = reinterpret_cast(\n OPENSSL_malloc(sizeof(BY_DIR_HASH)));\n if (hent == NULL) {\n CRYPTO_MUTEX_unlock_write(&ent->lock);\n ok = 0;\n goto finish;\n }\n hent->hash = h;\n hent->suffix = k;\n if (!sk_BY_DIR_HASH_push(ent->hashes, hent)) {\n CRYPTO_MUTEX_unlock_write(&ent->lock);\n OPENSSL_free(hent);\n ok = 0;\n goto finish;\n }\n sk_BY_DIR_HASH_sort(ent->hashes);\n } else if (hent->suffix < k) {\n hent->suffix = k;\n }\n\n CRYPTO_MUTEX_unlock_write(&ent->lock);\n }\n\n if (tmp != NULL) {\n ok = 1;\n ret->type = tmp->type;\n OPENSSL_memcpy(&ret->data, &tmp->data, sizeof(ret->data));\n\n // Clear any errors that might have been raised processing empty\n // or malformed files.\n ERR_clear_error();\n\n // If we were going to up the reference count, we would need\n // to do it on a perl 'type' basis\n goto finish;\n }\n }\n }\nfinish:\n OPENSSL_free(b);\n return ok;\n}\n\nint X509_LOOKUP_add_dir(X509_LOOKUP *lookup, const char *name, int type) {\n return X509_LOOKUP_ctrl(lookup, X509_L_ADD_DIR, name, type, NULL);\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/x509/by_file.cc", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n#include \n#include \n\n#include \"internal.h\"\n\n\nstatic int by_file_ctrl(X509_LOOKUP *ctx, int cmd, const char *argc, long argl,\n char **ret);\nstatic const X509_LOOKUP_METHOD x509_file_lookup = {\n NULL, // new\n NULL, // free\n by_file_ctrl, // ctrl\n NULL, // get_by_subject\n};\n\nconst X509_LOOKUP_METHOD *X509_LOOKUP_file(void) { return &x509_file_lookup; }\n\nstatic int by_file_ctrl(X509_LOOKUP *ctx, int cmd, const char *argp, long argl,\n char **ret) {\n if (cmd != X509_L_FILE_LOAD) {\n return 0;\n }\n const char *file = argp;\n int type = argl;\n if (argl == X509_FILETYPE_DEFAULT) {\n if ((file = getenv(X509_get_default_cert_file_env())) == NULL) {\n file = X509_get_default_cert_file();\n }\n type = X509_FILETYPE_PEM;\n }\n if (X509_load_cert_crl_file(ctx, file, type) != 0) {\n return 1;\n }\n if (argl == X509_FILETYPE_DEFAULT) {\n OPENSSL_PUT_ERROR(X509, X509_R_LOADING_DEFAULTS);\n }\n return 0;\n}\n\nint X509_load_cert_file(X509_LOOKUP *ctx, const char *file, int type) {\n int ret = 0;\n BIO *in = NULL;\n int i, count = 0;\n X509 *x = NULL;\n\n in = BIO_new(BIO_s_file());\n\n if ((in == NULL) || (BIO_read_filename(in, file) <= 0)) {\n OPENSSL_PUT_ERROR(X509, ERR_R_SYS_LIB);\n goto err;\n }\n\n if (type == X509_FILETYPE_PEM) {\n for (;;) {\n x = PEM_read_bio_X509_AUX(in, NULL, NULL, NULL);\n if (x == NULL) {\n uint32_t error = ERR_peek_last_error();\n if (ERR_GET_LIB(error) == ERR_LIB_PEM &&\n ERR_GET_REASON(error) == PEM_R_NO_START_LINE && count > 0) {\n ERR_clear_error();\n break;\n }\n OPENSSL_PUT_ERROR(X509, ERR_R_PEM_LIB);\n goto err;\n }\n i = X509_STORE_add_cert(ctx->store_ctx, x);\n if (!i) {\n goto err;\n }\n count++;\n X509_free(x);\n x = NULL;\n }\n ret = count;\n } else if (type == X509_FILETYPE_ASN1) {\n x = d2i_X509_bio(in, NULL);\n if (x == NULL) {\n OPENSSL_PUT_ERROR(X509, ERR_R_ASN1_LIB);\n goto err;\n }\n i = X509_STORE_add_cert(ctx->store_ctx, x);\n if (!i) {\n goto err;\n }\n ret = i;\n } else {\n OPENSSL_PUT_ERROR(X509, X509_R_BAD_X509_FILETYPE);\n goto err;\n }\n\n if (ret == 0) {\n OPENSSL_PUT_ERROR(X509, X509_R_NO_CERTIFICATE_FOUND);\n }\n\nerr:\n X509_free(x);\n BIO_free(in);\n return ret;\n}\n\nint X509_load_crl_file(X509_LOOKUP *ctx, const char *file, int type) {\n int ret = 0;\n BIO *in = NULL;\n int i, count = 0;\n X509_CRL *x = NULL;\n\n in = BIO_new(BIO_s_file());\n\n if ((in == NULL) || (BIO_read_filename(in, file) <= 0)) {\n OPENSSL_PUT_ERROR(X509, ERR_R_SYS_LIB);\n goto err;\n }\n\n if (type == X509_FILETYPE_PEM) {\n for (;;) {\n x = PEM_read_bio_X509_CRL(in, NULL, NULL, NULL);\n if (x == NULL) {\n uint32_t error = ERR_peek_last_error();\n if (ERR_GET_LIB(error) == ERR_LIB_PEM &&\n ERR_GET_REASON(error) == PEM_R_NO_START_LINE && count > 0) {\n ERR_clear_error();\n break;\n }\n OPENSSL_PUT_ERROR(X509, ERR_R_PEM_LIB);\n goto err;\n }\n i = X509_STORE_add_crl(ctx->store_ctx, x);\n if (!i) {\n goto err;\n }\n count++;\n X509_CRL_free(x);\n x = NULL;\n }\n ret = count;\n } else if (type == X509_FILETYPE_ASN1) {\n x = d2i_X509_CRL_bio(in, NULL);\n if (x == NULL) {\n OPENSSL_PUT_ERROR(X509, ERR_R_ASN1_LIB);\n goto err;\n }\n i = X509_STORE_add_crl(ctx->store_ctx, x);\n if (!i) {\n goto err;\n }\n ret = i;\n } else {\n OPENSSL_PUT_ERROR(X509, X509_R_BAD_X509_FILETYPE);\n goto err;\n }\n\n if (ret == 0) {\n OPENSSL_PUT_ERROR(X509, X509_R_NO_CRL_FOUND);\n }\n\nerr:\n X509_CRL_free(x);\n BIO_free(in);\n return ret;\n}\n\nint X509_load_cert_crl_file(X509_LOOKUP *ctx, const char *file, int type) {\n STACK_OF(X509_INFO) *inf;\n X509_INFO *itmp;\n BIO *in;\n size_t i;\n int count = 0;\n\n if (type != X509_FILETYPE_PEM) {\n return X509_load_cert_file(ctx, file, type);\n }\n in = BIO_new_file(file, \"rb\");\n if (!in) {\n OPENSSL_PUT_ERROR(X509, ERR_R_SYS_LIB);\n return 0;\n }\n inf = PEM_X509_INFO_read_bio(in, NULL, NULL, NULL);\n BIO_free(in);\n if (!inf) {\n OPENSSL_PUT_ERROR(X509, ERR_R_PEM_LIB);\n return 0;\n }\n for (i = 0; i < sk_X509_INFO_num(inf); i++) {\n itmp = sk_X509_INFO_value(inf, i);\n if (itmp->x509) {\n if (!X509_STORE_add_cert(ctx->store_ctx, itmp->x509)) {\n goto err;\n }\n count++;\n }\n if (itmp->crl) {\n if (!X509_STORE_add_crl(ctx->store_ctx, itmp->crl)) {\n goto err;\n }\n count++;\n }\n }\n\n if (count == 0) {\n OPENSSL_PUT_ERROR(X509, X509_R_NO_CERTIFICATE_OR_CRL_FOUND);\n }\n\nerr:\n sk_X509_INFO_pop_free(inf, X509_INFO_free);\n return count;\n}\n\nint X509_LOOKUP_load_file(X509_LOOKUP *lookup, const char *name, int type) {\n return X509_LOOKUP_ctrl(lookup, X509_L_FILE_LOAD, name, type, NULL);\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/x509/ext_dat.h", "content": "/*\n * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n// This file contains a table of \"standard\" extensions\n\n#if defined(__cplusplus)\nextern \"C\" {\n#endif\n\nextern const X509V3_EXT_METHOD v3_bcons, v3_nscert, v3_key_usage, v3_ext_ku;\nextern const X509V3_EXT_METHOD v3_info, v3_sinfo;\nextern const X509V3_EXT_METHOD v3_ns_ia5_list[], v3_alt[], v3_skey_id,\n v3_akey_id;\nextern const X509V3_EXT_METHOD v3_crl_num, v3_crl_reason, v3_crl_invdate;\nextern const X509V3_EXT_METHOD v3_delta_crl, v3_cpols, v3_crld, v3_freshest_crl;\nextern const X509V3_EXT_METHOD v3_ocsp_nonce, v3_ocsp_accresp, v3_ocsp_acutoff;\nextern const X509V3_EXT_METHOD v3_ocsp_crlid, v3_ocsp_nocheck,\n v3_ocsp_serviceloc;\nextern const X509V3_EXT_METHOD v3_crl_hold;\nextern const X509V3_EXT_METHOD v3_policy_mappings, v3_policy_constraints;\nextern const X509V3_EXT_METHOD v3_name_constraints, v3_inhibit_anyp, v3_idp;\nextern const X509V3_EXT_METHOD v3_addr, v3_asid;\n\n// This table will be searched using OBJ_bsearch so it *must* kept in order\n// of the ext_nid values.\n\n// TODO(fork): OCSP support\n#define OPENSSL_NO_OCSP\n\nstatic const X509V3_EXT_METHOD *const standard_exts[] = {\n &v3_nscert,\n &v3_ns_ia5_list[0],\n &v3_ns_ia5_list[1],\n &v3_ns_ia5_list[2],\n &v3_ns_ia5_list[3],\n &v3_ns_ia5_list[4],\n &v3_ns_ia5_list[5],\n &v3_ns_ia5_list[6],\n &v3_skey_id,\n &v3_key_usage,\n &v3_alt[0],\n &v3_alt[1],\n &v3_bcons,\n &v3_crl_num,\n &v3_cpols,\n &v3_akey_id,\n &v3_crld,\n &v3_ext_ku,\n &v3_delta_crl,\n &v3_crl_reason,\n &v3_crl_invdate,\n &v3_info,\n#ifndef OPENSSL_NO_OCSP\n &v3_ocsp_nonce,\n &v3_ocsp_crlid,\n &v3_ocsp_accresp,\n &v3_ocsp_acutoff,\n &v3_ocsp_serviceloc,\n#endif\n &v3_ocsp_nocheck,\n &v3_sinfo,\n &v3_policy_constraints,\n#ifndef OPENSSL_NO_OCSP\n &v3_crl_hold,\n#endif\n &v3_name_constraints,\n &v3_policy_mappings,\n &v3_inhibit_anyp,\n &v3_idp,\n &v3_alt[2],\n &v3_freshest_crl,\n};\n\n// Number of standard extensions\n\n#define STANDARD_EXTENSION_COUNT \\\n (sizeof(standard_exts) / sizeof(X509V3_EXT_METHOD *))\n\n#if defined(__cplusplus)\n} // extern C\n#endif\n" }, { "path": "Sources/CNIOBoringSSL/crypto/x509/i2d_pr.cc", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n#include \n#include \n#include \n#include \n#include \n\n\nint i2d_PrivateKey(const EVP_PKEY *a, uint8_t **pp) {\n switch (EVP_PKEY_id(a)) {\n case EVP_PKEY_RSA:\n return i2d_RSAPrivateKey(EVP_PKEY_get0_RSA(a), pp);\n case EVP_PKEY_EC:\n return i2d_ECPrivateKey(EVP_PKEY_get0_EC_KEY(a), pp);\n case EVP_PKEY_DSA:\n return i2d_DSAPrivateKey(EVP_PKEY_get0_DSA(a), pp);\n default:\n // Although this file is in crypto/x509 for layering reasons, it emits\n // an error code from ASN1 for OpenSSL compatibility.\n OPENSSL_PUT_ERROR(ASN1, ASN1_R_UNSUPPORTED_PUBLIC_KEY_TYPE);\n return -1;\n }\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/x509/internal.h", "content": "/*\n * Copyright 2013-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#ifndef OPENSSL_HEADER_X509_INTERNAL_H\n#define OPENSSL_HEADER_X509_INTERNAL_H\n\n#include \n#include \n#include \n\n#include \"../asn1/internal.h\"\n#include \"../internal.h\"\n\n#if defined(__cplusplus)\nextern \"C\" {\n#endif\n\n\n// Internal structures.\n\ntypedef struct X509_val_st {\n ASN1_TIME *notBefore;\n ASN1_TIME *notAfter;\n} X509_VAL;\n\nDECLARE_ASN1_FUNCTIONS_const(X509_VAL)\n\nstruct X509_pubkey_st {\n X509_ALGOR *algor;\n ASN1_BIT_STRING *public_key;\n EVP_PKEY *pkey;\n} /* X509_PUBKEY */;\n\n// X509_PUBKEY is an |ASN1_ITEM| whose ASN.1 type is SubjectPublicKeyInfo and C\n// type is |X509_PUBKEY*|.\nDECLARE_ASN1_ITEM(X509_PUBKEY)\n\nstruct X509_name_entry_st {\n ASN1_OBJECT *object;\n ASN1_STRING *value;\n int set;\n} /* X509_NAME_ENTRY */;\n\n// X509_NAME_ENTRY is an |ASN1_ITEM| whose ASN.1 type is AttributeTypeAndValue\n// (RFC 5280) and C type is |X509_NAME_ENTRY*|.\nDECLARE_ASN1_ITEM(X509_NAME_ENTRY)\n\n// we always keep X509_NAMEs in 2 forms.\nstruct X509_name_st {\n STACK_OF(X509_NAME_ENTRY) *entries;\n int modified; // true if 'bytes' needs to be built\n BUF_MEM *bytes;\n unsigned char *canon_enc;\n int canon_enclen;\n} /* X509_NAME */;\n\nstruct x509_attributes_st {\n ASN1_OBJECT *object;\n STACK_OF(ASN1_TYPE) *set;\n} /* X509_ATTRIBUTE */;\n\n// X509_ATTRIBUTE is an |ASN1_ITEM| whose ASN.1 type is Attribute (RFC 2986) and\n// C type is |X509_ATTRIBUTE*|.\nDECLARE_ASN1_ITEM(X509_ATTRIBUTE)\n\ntypedef struct x509_cert_aux_st {\n STACK_OF(ASN1_OBJECT) *trust; // trusted uses\n STACK_OF(ASN1_OBJECT) *reject; // rejected uses\n ASN1_UTF8STRING *alias; // \"friendly name\"\n ASN1_OCTET_STRING *keyid; // key id of private key\n} X509_CERT_AUX;\n\nDECLARE_ASN1_FUNCTIONS_const(X509_CERT_AUX)\n\nstruct X509_extension_st {\n ASN1_OBJECT *object;\n ASN1_BOOLEAN critical;\n ASN1_OCTET_STRING *value;\n} /* X509_EXTENSION */;\n\n// X509_EXTENSION is an |ASN1_ITEM| whose ASN.1 type is X.509 Extension (RFC\n// 5280) and C type is |X509_EXTENSION*|.\nDECLARE_ASN1_ITEM(X509_EXTENSION)\n\n// X509_EXTENSIONS is an |ASN1_ITEM| whose ASN.1 type is SEQUENCE of Extension\n// (RFC 5280) and C type is |STACK_OF(X509_EXTENSION)*|.\nDECLARE_ASN1_ITEM(X509_EXTENSIONS)\n\ntypedef struct {\n ASN1_INTEGER *version; // [ 0 ] default of v1\n ASN1_INTEGER *serialNumber;\n X509_ALGOR *signature;\n X509_NAME *issuer;\n X509_VAL *validity;\n X509_NAME *subject;\n X509_PUBKEY *key;\n ASN1_BIT_STRING *issuerUID; // [ 1 ] optional in v2\n ASN1_BIT_STRING *subjectUID; // [ 2 ] optional in v2\n STACK_OF(X509_EXTENSION) *extensions; // [ 3 ] optional in v3\n ASN1_ENCODING enc;\n} X509_CINF;\n\n// TODO(https://crbug.com/boringssl/407): This is not const because it contains\n// an |X509_NAME|.\nDECLARE_ASN1_FUNCTIONS(X509_CINF)\n\nstruct x509_st {\n X509_CINF *cert_info;\n X509_ALGOR *sig_alg;\n ASN1_BIT_STRING *signature;\n CRYPTO_refcount_t references;\n CRYPTO_EX_DATA ex_data;\n // These contain copies of various extension values\n long ex_pathlen;\n uint32_t ex_flags;\n uint32_t ex_kusage;\n uint32_t ex_xkusage;\n ASN1_OCTET_STRING *skid;\n AUTHORITY_KEYID *akid;\n STACK_OF(DIST_POINT) *crldp;\n STACK_OF(GENERAL_NAME) *altname;\n NAME_CONSTRAINTS *nc;\n unsigned char cert_hash[SHA256_DIGEST_LENGTH];\n X509_CERT_AUX *aux;\n CRYPTO_MUTEX lock;\n} /* X509 */;\n\n// X509 is an |ASN1_ITEM| whose ASN.1 type is X.509 Certificate (RFC 5280) and C\n// type is |X509*|.\nDECLARE_ASN1_ITEM(X509)\n\ntypedef struct {\n ASN1_ENCODING enc;\n ASN1_INTEGER *version;\n X509_NAME *subject;\n X509_PUBKEY *pubkey;\n // d=2 hl=2 l= 0 cons: cont: 00\n STACK_OF(X509_ATTRIBUTE) *attributes; // [ 0 ]\n} X509_REQ_INFO;\n\n// TODO(https://crbug.com/boringssl/407): This is not const because it contains\n// an |X509_NAME|.\nDECLARE_ASN1_FUNCTIONS(X509_REQ_INFO)\n\nstruct X509_req_st {\n X509_REQ_INFO *req_info;\n X509_ALGOR *sig_alg;\n ASN1_BIT_STRING *signature;\n} /* X509_REQ */;\n\n// X509_REQ is an |ASN1_ITEM| whose ASN.1 type is CertificateRequest (RFC 2986)\n// and C type is |X509_REQ*|.\nDECLARE_ASN1_ITEM(X509_REQ)\n\nstruct x509_revoked_st {\n ASN1_INTEGER *serialNumber;\n ASN1_TIME *revocationDate;\n STACK_OF(X509_EXTENSION) /* optional */ *extensions;\n // Revocation reason\n int reason;\n} /* X509_REVOKED */;\n\n// X509_REVOKED is an |ASN1_ITEM| whose ASN.1 type is an element of the\n// revokedCertificates field of TBSCertList (RFC 5280) and C type is\n// |X509_REVOKED*|.\nDECLARE_ASN1_ITEM(X509_REVOKED)\n\ntypedef struct {\n ASN1_INTEGER *version;\n X509_ALGOR *sig_alg;\n X509_NAME *issuer;\n ASN1_TIME *lastUpdate;\n ASN1_TIME *nextUpdate;\n STACK_OF(X509_REVOKED) *revoked;\n STACK_OF(X509_EXTENSION) /* [0] */ *extensions;\n ASN1_ENCODING enc;\n} X509_CRL_INFO;\n\n// TODO(https://crbug.com/boringssl/407): This is not const because it contains\n// an |X509_NAME|.\nDECLARE_ASN1_FUNCTIONS(X509_CRL_INFO)\n\n// Values in idp_flags field\n// IDP present\n#define IDP_PRESENT 0x1\n// IDP values inconsistent\n#define IDP_INVALID 0x2\n// onlyuser true\n#define IDP_ONLYUSER 0x4\n// onlyCA true\n#define IDP_ONLYCA 0x8\n// onlyattr true\n#define IDP_ONLYATTR 0x10\n// indirectCRL true\n#define IDP_INDIRECT 0x20\n// onlysomereasons present\n#define IDP_REASONS 0x40\n\nstruct X509_crl_st {\n // actual signature\n X509_CRL_INFO *crl;\n X509_ALGOR *sig_alg;\n ASN1_BIT_STRING *signature;\n CRYPTO_refcount_t references;\n int flags;\n // Copies of various extensions\n AUTHORITY_KEYID *akid;\n ISSUING_DIST_POINT *idp;\n // Convenient breakdown of IDP\n int idp_flags;\n unsigned char crl_hash[SHA256_DIGEST_LENGTH];\n} /* X509_CRL */;\n\n// X509_CRL is an |ASN1_ITEM| whose ASN.1 type is X.509 CertificateList (RFC\n// 5280) and C type is |X509_CRL*|.\nDECLARE_ASN1_ITEM(X509_CRL)\n\n// GENERAL_NAME is an |ASN1_ITEM| whose ASN.1 type is GeneralName and C type is\n// |GENERAL_NAME*|.\nDECLARE_ASN1_ITEM(GENERAL_NAME)\n\n// GENERAL_NAMES is an |ASN1_ITEM| whose ASN.1 type is SEQUENCE OF GeneralName\n// and C type is |GENERAL_NAMES*|, aka |STACK_OF(GENERAL_NAME)*|.\nDECLARE_ASN1_ITEM(GENERAL_NAMES)\n\nstruct X509_VERIFY_PARAM_st {\n int64_t check_time; // POSIX time to use\n unsigned long flags; // Various verify flags\n int purpose; // purpose to check untrusted certificates\n int trust; // trust setting to check\n int depth; // Verify depth\n STACK_OF(ASN1_OBJECT) *policies; // Permissible policies\n // The following fields specify acceptable peer identities.\n STACK_OF(OPENSSL_STRING) *hosts; // Set of acceptable names\n unsigned int hostflags; // Flags to control matching features\n char *email; // If not NULL email address to match\n size_t emaillen;\n unsigned char *ip; // If not NULL IP address to match\n size_t iplen; // Length of IP address\n unsigned char poison; // Fail all verifications at name checking\n} /* X509_VERIFY_PARAM */;\n\nstruct x509_object_st {\n // one of the above types\n int type;\n union {\n char *ptr;\n X509 *x509;\n X509_CRL *crl;\n EVP_PKEY *pkey;\n } data;\n} /* X509_OBJECT */;\n\n// NETSCAPE_SPKI is an |ASN1_ITEM| whose ASN.1 type is\n// SignedPublicKeyAndChallenge and C type is |NETSCAPE_SPKI*|.\nDECLARE_ASN1_ITEM(NETSCAPE_SPKI)\n\n// NETSCAPE_SPKAC is an |ASN1_ITEM| whose ASN.1 type is PublicKeyAndChallenge\n// and C type is |NETSCAPE_SPKAC*|.\nDECLARE_ASN1_ITEM(NETSCAPE_SPKAC)\n\n// This is a static that defines the function interface\nstruct x509_lookup_method_st {\n int (*new_item)(X509_LOOKUP *ctx);\n void (*free)(X509_LOOKUP *ctx);\n int (*ctrl)(X509_LOOKUP *ctx, int cmd, const char *argc, long argl,\n char **ret);\n int (*get_by_subject)(X509_LOOKUP *ctx, int type, X509_NAME *name,\n X509_OBJECT *ret);\n} /* X509_LOOKUP_METHOD */;\n\nDEFINE_STACK_OF(X509_LOOKUP)\n\n// This is used to hold everything. It is used for all certificate\n// validation. Once we have a certificate chain, the 'verify'\n// function is then called to actually check the cert chain.\nstruct x509_store_st {\n // The following is a cache of trusted certs\n STACK_OF(X509_OBJECT) *objs; // Cache of all objects\n CRYPTO_MUTEX objs_lock;\n\n // These are external lookup methods\n STACK_OF(X509_LOOKUP) *get_cert_methods;\n\n X509_VERIFY_PARAM *param;\n\n // Callbacks for various operations\n X509_STORE_CTX_verify_cb verify_cb; // error callback\n\n CRYPTO_refcount_t references;\n} /* X509_STORE */;\n\n// This is the functions plus an instance of the local variables.\nstruct x509_lookup_st {\n const X509_LOOKUP_METHOD *method; // the functions\n void *method_data; // method data\n\n X509_STORE *store_ctx; // who owns us\n} /* X509_LOOKUP */;\n\n// This is a used when verifying cert chains. Since the\n// gathering of the cert chain can take some time (and have to be\n// 'retried', this needs to be kept and passed around.\nstruct x509_store_ctx_st {\n X509_STORE *ctx;\n\n // The following are set by the caller\n X509 *cert; // The cert to check\n STACK_OF(X509) *untrusted; // chain of X509s - untrusted - passed in\n STACK_OF(X509_CRL) *crls; // set of CRLs passed in\n\n X509_VERIFY_PARAM *param;\n\n // trusted_stack, if non-NULL, is a set of trusted certificates to consider\n // instead of those from |X509_STORE|.\n STACK_OF(X509) *trusted_stack;\n\n // Callbacks for various operations\n X509_STORE_CTX_verify_cb verify_cb; // error callback\n\n // The following is built up\n int last_untrusted; // index of last untrusted cert\n STACK_OF(X509) *chain; // chain of X509s - built up and trusted\n\n // When something goes wrong, this is why\n int error_depth;\n int error;\n X509 *current_cert;\n X509_CRL *current_crl; // current CRL\n\n X509 *current_crl_issuer; // issuer of current CRL\n int current_crl_score; // score of current CRL\n\n CRYPTO_EX_DATA ex_data;\n} /* X509_STORE_CTX */;\n\nASN1_TYPE *ASN1_generate_v3(const char *str, const X509V3_CTX *cnf);\n\nint X509_CERT_AUX_print(BIO *bp, X509_CERT_AUX *x, int indent);\n\n\n// RSA-PSS functions.\n\n// x509_rsa_pss_to_ctx configures |ctx| for an RSA-PSS operation based on\n// signature algorithm parameters in |sigalg| (which must have type\n// |NID_rsassaPss|) and key |pkey|. It returns one on success and zero on\n// error.\nint x509_rsa_pss_to_ctx(EVP_MD_CTX *ctx, const X509_ALGOR *sigalg,\n EVP_PKEY *pkey);\n\n// x509_rsa_pss_to_ctx sets |algor| to the signature algorithm parameters for\n// |ctx|, which must have been configured for an RSA-PSS signing operation. It\n// returns one on success and zero on error.\nint x509_rsa_ctx_to_pss(EVP_MD_CTX *ctx, X509_ALGOR *algor);\n\n// x509_print_rsa_pss_params prints a human-readable representation of RSA-PSS\n// parameters in |sigalg| to |bp|. It returns one on success and zero on\n// error.\nint x509_print_rsa_pss_params(BIO *bp, const X509_ALGOR *sigalg, int indent,\n ASN1_PCTX *pctx);\n\n\n// Signature algorithm functions.\n\n// x509_digest_sign_algorithm encodes the signing parameters of |ctx| as an\n// AlgorithmIdentifier and saves the result in |algor|. It returns one on\n// success, or zero on error.\nint x509_digest_sign_algorithm(EVP_MD_CTX *ctx, X509_ALGOR *algor);\n\n// x509_digest_verify_init sets up |ctx| for a signature verification operation\n// with public key |pkey| and parameters from |algor|. The |ctx| argument must\n// have been initialised with |EVP_MD_CTX_init|. It returns one on success, or\n// zero on error.\nint x509_digest_verify_init(EVP_MD_CTX *ctx, const X509_ALGOR *sigalg,\n EVP_PKEY *pkey);\n\n\n// Path-building functions.\n\n// X509_policy_check checks certificate policies in |certs|. |user_policies| is\n// the user-initial-policy-set. If |user_policies| is NULL or empty, it is\n// interpreted as anyPolicy. |flags| is a set of |X509_V_FLAG_*| values to\n// apply. It returns |X509_V_OK| on success and |X509_V_ERR_*| on error. It\n// additionally sets |*out_current_cert| to the certificate where the error\n// occurred. If the function succeeded, or the error applies to the entire\n// chain, it sets |*out_current_cert| to NULL.\nint X509_policy_check(const STACK_OF(X509) *certs,\n const STACK_OF(ASN1_OBJECT) *user_policies,\n unsigned long flags, X509 **out_current_cert);\n\n// x509_check_issued_with_callback calls |X509_check_issued|, but allows the\n// verify callback to override the result. It returns one on success and zero on\n// error.\n//\n// TODO(davidben): Reduce the scope of the verify callback and remove this. The\n// callback only runs with |X509_V_FLAG_CB_ISSUER_CHECK|, which is only used by\n// one internal project and rust-openssl, who use it by mistake.\nint x509_check_issued_with_callback(X509_STORE_CTX *ctx, X509 *x, X509 *issuer);\n\n// x509v3_bytes_to_hex encodes |len| bytes from |in| to hex and returns a\n// newly-allocated NUL-terminated string containing the result, or NULL on\n// allocation error.\n//\n// This function was historically named |hex_to_string| in OpenSSL. Despite the\n// name, |hex_to_string| converted to hex.\nOPENSSL_EXPORT char *x509v3_bytes_to_hex(const uint8_t *in, size_t len);\n\n// x509v3_hex_string_to_bytes decodes |str| in hex and returns a newly-allocated\n// array containing the result, or NULL on error. On success, it sets |*len| to\n// the length of the result. Colon separators between bytes in the input are\n// allowed and ignored.\n//\n// This function was historically named |string_to_hex| in OpenSSL. Despite the\n// name, |string_to_hex| converted from hex.\nunsigned char *x509v3_hex_to_bytes(const char *str, size_t *len);\n\n// x509v3_conf_name_matches returns one if |name| is equal to |cmp| or begins\n// with |cmp| followed by '.', and zero otherwise.\nint x509v3_conf_name_matches(const char *name, const char *cmp);\n\n// x509v3_looks_like_dns_name returns one if |in| looks like a DNS name and zero\n// otherwise.\nOPENSSL_EXPORT int x509v3_looks_like_dns_name(const unsigned char *in,\n size_t len);\n\n// x509v3_cache_extensions fills in a number of fields relating to X.509\n// extensions in |x|. It returns one on success and zero if some extensions were\n// invalid.\nOPENSSL_EXPORT int x509v3_cache_extensions(X509 *x);\n\n// x509v3_a2i_ipadd decodes |ipasc| as an IPv4 or IPv6 address. IPv6 addresses\n// use colon-separated syntax while IPv4 addresses use dotted decimal syntax. If\n// it decodes an IPv4 address, it writes the result to the first four bytes of\n// |ipout| and returns four. If it decodes an IPv6 address, it writes the result\n// to all 16 bytes of |ipout| and returns 16. Otherwise, it returns zero.\nint x509v3_a2i_ipadd(unsigned char ipout[16], const char *ipasc);\n\n// A |BIT_STRING_BITNAME| is used to contain a list of bit names.\ntypedef struct {\n int bitnum;\n const char *lname;\n const char *sname;\n} BIT_STRING_BITNAME;\n\n// x509V3_add_value_asn1_string appends a |CONF_VALUE| with the specified name\n// and value to |*extlist|. if |*extlist| is NULL, it sets |*extlist| to a\n// newly-allocated |STACK_OF(CONF_VALUE)| first. It returns one on success and\n// zero on error.\nint x509V3_add_value_asn1_string(const char *name, const ASN1_STRING *value,\n STACK_OF(CONF_VALUE) **extlist);\n\n// X509V3_NAME_from_section adds attributes to |nm| by interpreting the\n// key/value pairs in |dn_sk|. It returns one on success and zero on error.\n// |chtype|, which should be one of |MBSTRING_*| constants, determines the\n// character encoding used to interpret values.\nint X509V3_NAME_from_section(X509_NAME *nm, const STACK_OF(CONF_VALUE) *dn_sk,\n int chtype);\n\n// X509V3_bool_from_string decodes |str| as a boolean. On success, it returns\n// one and sets |*out_bool| to resulting value. Otherwise, it returns zero.\nint X509V3_bool_from_string(const char *str, ASN1_BOOLEAN *out_bool);\n\n// X509V3_get_value_bool decodes |value| as a boolean. On success, it returns\n// one and sets |*out_bool| to the resulting value. Otherwise, it returns zero.\nint X509V3_get_value_bool(const CONF_VALUE *value, ASN1_BOOLEAN *out_bool);\n\n// X509V3_get_value_int decodes |value| as an integer. On success, it returns\n// one and sets |*aint| to the resulting value. Otherwise, it returns zero. If\n// |*aint| was non-NULL at the start of the function, it frees the previous\n// value before writing a new one.\nint X509V3_get_value_int(const CONF_VALUE *value, ASN1_INTEGER **aint);\n\n// X509V3_get_section behaves like |NCONF_get_section| but queries |ctx|'s\n// config database.\nconst STACK_OF(CONF_VALUE) *X509V3_get_section(const X509V3_CTX *ctx,\n const char *section);\n\n// X509V3_add_value appends a |CONF_VALUE| containing |name| and |value| to\n// |*extlist|. It returns one on success and zero on error. If |*extlist| is\n// NULL, it sets |*extlist| to a newly-allocated |STACK_OF(CONF_VALUE)|\n// containing the result. Either |name| or |value| may be NULL to omit the\n// field.\n//\n// On failure, if |*extlist| was NULL, |*extlist| will remain NULL when the\n// function returns.\nint X509V3_add_value(const char *name, const char *value,\n STACK_OF(CONF_VALUE) **extlist);\n\n// X509V3_add_value_bool behaves like |X509V3_add_value| but stores the value\n// \"TRUE\" if |asn1_bool| is non-zero and \"FALSE\" otherwise.\nint X509V3_add_value_bool(const char *name, int asn1_bool,\n STACK_OF(CONF_VALUE) **extlist);\n\n// X509V3_add_value_bool behaves like |X509V3_add_value| but stores a string\n// representation of |aint|. Note this string representation may be decimal or\n// hexadecimal, depending on the size of |aint|.\nint X509V3_add_value_int(const char *name, const ASN1_INTEGER *aint,\n STACK_OF(CONF_VALUE) **extlist);\n\nSTACK_OF(CONF_VALUE) *X509V3_parse_list(const char *line);\n\n#define X509V3_conf_err(val) \\\n ERR_add_error_data(6, \"section:\", (val)->section, \",name:\", (val)->name, \\\n \",value:\", (val)->value);\n\n// GENERAL_NAME_cmp returns zero if |a| and |b| are equal and a non-zero\n// value otherwise. Note this function does not provide a comparison suitable\n// for sorting.\n//\n// This function is exported for testing.\nOPENSSL_EXPORT int GENERAL_NAME_cmp(const GENERAL_NAME *a,\n const GENERAL_NAME *b);\n\n// X509_VERIFY_PARAM_lookup returns a pre-defined |X509_VERIFY_PARAM| named by\n// |name|, or NULL if no such name is defined.\nconst X509_VERIFY_PARAM *X509_VERIFY_PARAM_lookup(const char *name);\n\nGENERAL_NAME *v2i_GENERAL_NAME(const X509V3_EXT_METHOD *method,\n const X509V3_CTX *ctx, const CONF_VALUE *cnf);\nGENERAL_NAME *v2i_GENERAL_NAME_ex(GENERAL_NAME *out,\n const X509V3_EXT_METHOD *method,\n const X509V3_CTX *ctx, const CONF_VALUE *cnf,\n int is_nc);\nGENERAL_NAMES *v2i_GENERAL_NAMES(const X509V3_EXT_METHOD *method,\n const X509V3_CTX *ctx,\n const STACK_OF(CONF_VALUE) *nval);\n\n// TODO(https://crbug.com/boringssl/407): Make |issuer| const once the\n// |X509_NAME| issue is resolved.\nint X509_check_akid(X509 *issuer, const AUTHORITY_KEYID *akid);\n\nint X509_is_valid_trust_id(int trust);\n\nint X509_PURPOSE_get_trust(const X509_PURPOSE *xp);\n\n// TODO(https://crbug.com/boringssl/695): Remove this.\nint DIST_POINT_set_dpname(DIST_POINT_NAME *dpn, X509_NAME *iname);\n\n\n#if defined(__cplusplus)\n} // extern C\n#endif\n\n#endif // OPENSSL_HEADER_X509_INTERNAL_H\n" }, { "path": "Sources/CNIOBoringSSL/crypto/x509/name_print.cc", "content": "/*\n * Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n#include \n#include \n\n#include \n#include \n#include \n\n\nstatic int maybe_write(BIO *out, const void *buf, int len) {\n // If |out| is NULL, ignore the output but report the length.\n return out == NULL || BIO_write(out, buf, len) == len;\n}\n\n// do_indent prints |indent| spaces to |out|.\nstatic int do_indent(BIO *out, int indent) {\n for (int i = 0; i < indent; i++) {\n if (!maybe_write(out, \" \", 1)) {\n return 0;\n }\n }\n return 1;\n}\n\n#define FN_WIDTH_LN 25\n#define FN_WIDTH_SN 10\n\nstatic int do_name_ex(BIO *out, const X509_NAME *n, int indent,\n unsigned long flags) {\n int prev = -1, orflags;\n char objtmp[80];\n const char *objbuf;\n int outlen, len;\n const char *sep_dn, *sep_mv, *sep_eq;\n int sep_dn_len, sep_mv_len, sep_eq_len;\n if (indent < 0) {\n indent = 0;\n }\n outlen = indent;\n if (!do_indent(out, indent)) {\n return -1;\n }\n switch (flags & XN_FLAG_SEP_MASK) {\n case XN_FLAG_SEP_MULTILINE:\n sep_dn = \"\\n\";\n sep_dn_len = 1;\n sep_mv = \" + \";\n sep_mv_len = 3;\n break;\n\n case XN_FLAG_SEP_COMMA_PLUS:\n sep_dn = \",\";\n sep_dn_len = 1;\n sep_mv = \"+\";\n sep_mv_len = 1;\n indent = 0;\n break;\n\n case XN_FLAG_SEP_CPLUS_SPC:\n sep_dn = \", \";\n sep_dn_len = 2;\n sep_mv = \" + \";\n sep_mv_len = 3;\n indent = 0;\n break;\n\n case XN_FLAG_SEP_SPLUS_SPC:\n sep_dn = \"; \";\n sep_dn_len = 2;\n sep_mv = \" + \";\n sep_mv_len = 3;\n indent = 0;\n break;\n\n default:\n return -1;\n }\n\n if (flags & XN_FLAG_SPC_EQ) {\n sep_eq = \" = \";\n sep_eq_len = 3;\n } else {\n sep_eq = \"=\";\n sep_eq_len = 1;\n }\n\n int cnt = X509_NAME_entry_count(n);\n for (int i = 0; i < cnt; i++) {\n const X509_NAME_ENTRY *ent;\n if (flags & XN_FLAG_DN_REV) {\n ent = X509_NAME_get_entry(n, cnt - i - 1);\n } else {\n ent = X509_NAME_get_entry(n, i);\n }\n if (prev != -1) {\n if (prev == X509_NAME_ENTRY_set(ent)) {\n if (!maybe_write(out, sep_mv, sep_mv_len)) {\n return -1;\n }\n outlen += sep_mv_len;\n } else {\n if (!maybe_write(out, sep_dn, sep_dn_len)) {\n return -1;\n }\n outlen += sep_dn_len;\n if (!do_indent(out, indent)) {\n return -1;\n }\n outlen += indent;\n }\n }\n prev = X509_NAME_ENTRY_set(ent);\n const ASN1_OBJECT *fn = X509_NAME_ENTRY_get_object(ent);\n const ASN1_STRING *val = X509_NAME_ENTRY_get_data(ent);\n assert((flags & XN_FLAG_FN_MASK) == XN_FLAG_FN_SN);\n int fn_nid = OBJ_obj2nid(fn);\n if (fn_nid == NID_undef) {\n OBJ_obj2txt(objtmp, sizeof(objtmp), fn, 1);\n objbuf = objtmp;\n } else {\n objbuf = OBJ_nid2sn(fn_nid);\n }\n int objlen = strlen(objbuf);\n if (!maybe_write(out, objbuf, objlen) ||\n !maybe_write(out, sep_eq, sep_eq_len)) {\n return -1;\n }\n outlen += objlen + sep_eq_len;\n // If the field name is unknown then fix up the DER dump flag. We\n // might want to limit this further so it will DER dump on anything\n // other than a few 'standard' fields.\n if ((fn_nid == NID_undef) && (flags & XN_FLAG_DUMP_UNKNOWN_FIELDS)) {\n orflags = ASN1_STRFLGS_DUMP_ALL;\n } else {\n orflags = 0;\n }\n\n len = ASN1_STRING_print_ex(out, val, flags | orflags);\n if (len < 0) {\n return -1;\n }\n outlen += len;\n }\n return outlen;\n}\n\nint X509_NAME_print_ex(BIO *out, const X509_NAME *nm, int indent,\n unsigned long flags) {\n if (flags == XN_FLAG_COMPAT) {\n return X509_NAME_print(out, nm, indent);\n }\n return do_name_ex(out, nm, indent, flags);\n}\n\nint X509_NAME_print_ex_fp(FILE *fp, const X509_NAME *nm, int indent,\n unsigned long flags) {\n BIO *bio = NULL;\n if (fp != NULL) {\n // If |fp| is NULL, this function returns the number of bytes without\n // writing.\n bio = BIO_new_fp(fp, BIO_NOCLOSE);\n if (bio == NULL) {\n return -1;\n }\n }\n int ret = X509_NAME_print_ex(bio, nm, indent, flags);\n BIO_free(bio);\n return ret;\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/x509/policy.cc", "content": "/* Copyright 2022 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n#include \n\n#include \n\n#include \n#include \n#include \n\n#include \"../internal.h\"\n#include \"internal.h\"\n\n\n// This file computes the X.509 policy tree, as described in RFC 5280, section\n// 6.1. It differs in that:\n//\n// (1) It does not track \"qualifier_set\". This is not needed as it is not\n// output by this implementation.\n//\n// (2) It builds a directed acyclic graph, rather than a tree. When a given\n// policy matches multiple parents, RFC 5280 makes a separate node for\n// each parent. This representation condenses them into one node with\n// multiple parents. Thus we refer to this structure as a \"policy graph\",\n// rather than a \"policy tree\".\n//\n// (3) \"expected_policy_set\" is not tracked explicitly and built temporarily\n// as part of building the graph.\n//\n// (4) anyPolicy nodes are not tracked explicitly.\n//\n// (5) Some pruning steps are deferred to when policies are evaluated, as a\n// reachability pass.\n\n// An X509_POLICY_NODE is a node in the policy graph. It corresponds to a node\n// from RFC 5280, section 6.1.2, step (a), but we store some fields differently.\ntypedef struct x509_policy_node_st {\n // policy is the \"valid_policy\" field from RFC 5280.\n ASN1_OBJECT *policy;\n\n // parent_policies, if non-empty, is the list of \"valid_policy\" values for all\n // nodes which are a parent of this node. In this case, no entry in this list\n // will be anyPolicy. This list is in no particular order and may contain\n // duplicates if the corresponding certificate had duplicate mappings.\n //\n // If empty, this node has a single parent, anyPolicy. The node is then a root\n // policies, and is in authorities-constrained-policy-set if it has a path to\n // a leaf node.\n //\n // Note it is not possible for a policy to have both anyPolicy and a\n // concrete policy as a parent. Section 6.1.3, step (d.1.ii) only runs if\n // there was no match in step (d.1.i). We do not need to represent a parent\n // list of, say, {anyPolicy, OID1, OID2}.\n STACK_OF(ASN1_OBJECT) *parent_policies;\n\n // mapped is one if this node matches a policy mapping in the certificate and\n // zero otherwise.\n int mapped;\n\n // reachable is one if this node is reachable from some valid policy in the\n // end-entity certificate. It is computed during |has_explicit_policy|.\n int reachable;\n} X509_POLICY_NODE;\n\nDEFINE_STACK_OF(X509_POLICY_NODE)\n\n// An X509_POLICY_LEVEL is the collection of nodes at the same depth in the\n// policy graph. This structure can also be used to represent a level's\n// \"expected_policy_set\" values. See |process_policy_mappings|.\ntypedef struct x509_policy_level_st {\n // nodes is the list of nodes at this depth, except for the anyPolicy node, if\n // any. This list is sorted by policy OID for efficient lookup.\n STACK_OF(X509_POLICY_NODE) *nodes;\n\n // has_any_policy is one if there is an anyPolicy node at this depth, and zero\n // otherwise.\n int has_any_policy;\n} X509_POLICY_LEVEL;\n\nDEFINE_STACK_OF(X509_POLICY_LEVEL)\n\nstatic int is_any_policy(const ASN1_OBJECT *obj) {\n return OBJ_obj2nid(obj) == NID_any_policy;\n}\n\nstatic void x509_policy_node_free(X509_POLICY_NODE *node) {\n if (node != NULL) {\n ASN1_OBJECT_free(node->policy);\n sk_ASN1_OBJECT_pop_free(node->parent_policies, ASN1_OBJECT_free);\n OPENSSL_free(node);\n }\n}\n\nstatic X509_POLICY_NODE *x509_policy_node_new(const ASN1_OBJECT *policy) {\n assert(!is_any_policy(policy));\n X509_POLICY_NODE *node = reinterpret_cast(\n OPENSSL_zalloc(sizeof(X509_POLICY_NODE)));\n if (node == NULL) {\n return NULL;\n }\n node->policy = OBJ_dup(policy);\n node->parent_policies = sk_ASN1_OBJECT_new_null();\n if (node->policy == NULL || node->parent_policies == NULL) {\n x509_policy_node_free(node);\n return NULL;\n }\n return node;\n}\n\nstatic int x509_policy_node_cmp(const X509_POLICY_NODE *const *a,\n const X509_POLICY_NODE *const *b) {\n return OBJ_cmp((*a)->policy, (*b)->policy);\n}\n\nstatic void x509_policy_level_free(X509_POLICY_LEVEL *level) {\n if (level != NULL) {\n sk_X509_POLICY_NODE_pop_free(level->nodes, x509_policy_node_free);\n OPENSSL_free(level);\n }\n}\n\nstatic X509_POLICY_LEVEL *x509_policy_level_new(void) {\n X509_POLICY_LEVEL *level = reinterpret_cast(\n OPENSSL_zalloc(sizeof(X509_POLICY_LEVEL)));\n if (level == NULL) {\n return NULL;\n }\n level->nodes = sk_X509_POLICY_NODE_new(x509_policy_node_cmp);\n if (level->nodes == NULL) {\n x509_policy_level_free(level);\n return NULL;\n }\n return level;\n}\n\nstatic int x509_policy_level_is_empty(const X509_POLICY_LEVEL *level) {\n return !level->has_any_policy && sk_X509_POLICY_NODE_num(level->nodes) == 0;\n}\n\nstatic void x509_policy_level_clear(X509_POLICY_LEVEL *level) {\n level->has_any_policy = 0;\n for (size_t i = 0; i < sk_X509_POLICY_NODE_num(level->nodes); i++) {\n x509_policy_node_free(sk_X509_POLICY_NODE_value(level->nodes, i));\n }\n sk_X509_POLICY_NODE_zero(level->nodes);\n}\n\n// x509_policy_level_find returns the node in |level| corresponding to |policy|,\n// or NULL if none exists.\nstatic X509_POLICY_NODE *x509_policy_level_find(X509_POLICY_LEVEL *level,\n const ASN1_OBJECT *policy) {\n assert(sk_X509_POLICY_NODE_is_sorted(level->nodes));\n X509_POLICY_NODE node;\n node.policy = (ASN1_OBJECT *)policy;\n size_t idx;\n if (!sk_X509_POLICY_NODE_find(level->nodes, &idx, &node)) {\n return NULL;\n }\n return sk_X509_POLICY_NODE_value(level->nodes, idx);\n}\n\n// x509_policy_level_add_nodes adds the nodes in |nodes| to |level|. It returns\n// one on success and zero on error. No policy in |nodes| may already be present\n// in |level|. This function modifies |nodes| to avoid making a copy, but the\n// caller is still responsible for releasing |nodes| itself.\n//\n// This function is used to add nodes to |level| in bulk, and avoid resorting\n// |level| after each addition.\nstatic int x509_policy_level_add_nodes(X509_POLICY_LEVEL *level,\n STACK_OF(X509_POLICY_NODE) *nodes) {\n for (size_t i = 0; i < sk_X509_POLICY_NODE_num(nodes); i++) {\n X509_POLICY_NODE *node = sk_X509_POLICY_NODE_value(nodes, i);\n if (!sk_X509_POLICY_NODE_push(level->nodes, node)) {\n return 0;\n }\n sk_X509_POLICY_NODE_set(nodes, i, NULL);\n }\n sk_X509_POLICY_NODE_sort(level->nodes);\n\n#if !defined(NDEBUG)\n // There should be no duplicate nodes.\n for (size_t i = 1; i < sk_X509_POLICY_NODE_num(level->nodes); i++) {\n assert(OBJ_cmp(sk_X509_POLICY_NODE_value(level->nodes, i - 1)->policy,\n sk_X509_POLICY_NODE_value(level->nodes, i)->policy) != 0);\n }\n#endif\n return 1;\n}\n\nstatic int policyinfo_cmp(const POLICYINFO *const *a,\n const POLICYINFO *const *b) {\n return OBJ_cmp((*a)->policyid, (*b)->policyid);\n}\n\nstatic int delete_if_not_in_policies(X509_POLICY_NODE *node, void *data) {\n const CERTIFICATEPOLICIES *policies =\n reinterpret_cast(data);\n assert(sk_POLICYINFO_is_sorted(policies));\n POLICYINFO info;\n info.policyid = node->policy;\n if (sk_POLICYINFO_find(policies, NULL, &info)) {\n return 0;\n }\n x509_policy_node_free(node);\n return 1;\n}\n\n// process_certificate_policies updates |level| to incorporate |x509|'s\n// certificate policies extension. This implements steps (d) and (e) of RFC\n// 5280, section 6.1.3. |level| must contain the previous level's\n// \"expected_policy_set\" information. For all but the top-most level, this is\n// the output of |process_policy_mappings|. |any_policy_allowed| specifies\n// whether anyPolicy is allowed or inhibited, taking into account the exception\n// for self-issued certificates.\nstatic int process_certificate_policies(const X509 *x509,\n X509_POLICY_LEVEL *level,\n int any_policy_allowed) {\n int ret = 0;\n int critical;\n STACK_OF(X509_POLICY_NODE) *new_nodes = NULL;\n CERTIFICATEPOLICIES *policies = reinterpret_cast(\n X509_get_ext_d2i(x509, NID_certificate_policies, &critical, NULL));\n\n {\n if (policies == NULL) {\n if (critical != -1) {\n return 0; // Syntax error in the extension.\n }\n\n // RFC 5280, section 6.1.3, step (e).\n x509_policy_level_clear(level);\n return 1;\n }\n\n // certificatePolicies may not be empty. See RFC 5280, section 4.2.1.4.\n // TODO(https://crbug.com/boringssl/443): Move this check into the parser.\n if (sk_POLICYINFO_num(policies) == 0) {\n OPENSSL_PUT_ERROR(X509, X509_R_INVALID_POLICY_EXTENSION);\n goto err;\n }\n\n sk_POLICYINFO_set_cmp_func(policies, policyinfo_cmp);\n sk_POLICYINFO_sort(policies);\n int cert_has_any_policy = 0;\n for (size_t i = 0; i < sk_POLICYINFO_num(policies); i++) {\n const POLICYINFO *policy = sk_POLICYINFO_value(policies, i);\n if (is_any_policy(policy->policyid)) {\n cert_has_any_policy = 1;\n }\n if (i > 0 && OBJ_cmp(sk_POLICYINFO_value(policies, i - 1)->policyid,\n policy->policyid) == 0) {\n // Per RFC 5280, section 4.2.1.4, |policies| may not have duplicates.\n OPENSSL_PUT_ERROR(X509, X509_R_INVALID_POLICY_EXTENSION);\n goto err;\n }\n }\n\n // This does the same thing as RFC 5280, section 6.1.3, step (d), though in\n // a slighty different order. |level| currently contains\n // \"expected_policy_set\" values of the previous level. See\n // |process_policy_mappings| for details.\n const int previous_level_has_any_policy = level->has_any_policy;\n\n // First, we handle steps (d.1.i) and (d.2). The net effect of these two\n // steps is to intersect |level| with |policies|, ignoring anyPolicy if it\n // is inhibited.\n if (!cert_has_any_policy || !any_policy_allowed) {\n sk_X509_POLICY_NODE_delete_if(level->nodes, delete_if_not_in_policies,\n policies);\n level->has_any_policy = 0;\n }\n\n // Step (d.1.ii) may attach new nodes to the previous level's anyPolicy\n // node.\n if (previous_level_has_any_policy) {\n new_nodes = sk_X509_POLICY_NODE_new_null();\n if (new_nodes == NULL) {\n goto err;\n }\n for (size_t i = 0; i < sk_POLICYINFO_num(policies); i++) {\n const POLICYINFO *policy = sk_POLICYINFO_value(policies, i);\n // Though we've reordered the steps slightly, |policy| is in |level| if\n // and only if it would have been a match in step (d.1.ii).\n if (!is_any_policy(policy->policyid) &&\n x509_policy_level_find(level, policy->policyid) == NULL) {\n X509_POLICY_NODE *node = x509_policy_node_new(policy->policyid);\n if (node == NULL || //\n !sk_X509_POLICY_NODE_push(new_nodes, node)) {\n x509_policy_node_free(node);\n goto err;\n }\n }\n }\n if (!x509_policy_level_add_nodes(level, new_nodes)) {\n goto err;\n }\n }\n\n ret = 1;\n }\n\nerr:\n sk_X509_POLICY_NODE_pop_free(new_nodes, x509_policy_node_free);\n CERTIFICATEPOLICIES_free(policies);\n return ret;\n}\n\nstatic int compare_issuer_policy(const POLICY_MAPPING *const *a,\n const POLICY_MAPPING *const *b) {\n return OBJ_cmp((*a)->issuerDomainPolicy, (*b)->issuerDomainPolicy);\n}\n\nstatic int compare_subject_policy(const POLICY_MAPPING *const *a,\n const POLICY_MAPPING *const *b) {\n return OBJ_cmp((*a)->subjectDomainPolicy, (*b)->subjectDomainPolicy);\n}\n\nstatic int delete_if_mapped(X509_POLICY_NODE *node, void *data) {\n const POLICY_MAPPINGS *mappings = reinterpret_cast(data);\n // |mappings| must have been sorted by |compare_issuer_policy|.\n assert(sk_POLICY_MAPPING_is_sorted(mappings));\n POLICY_MAPPING mapping;\n mapping.issuerDomainPolicy = node->policy;\n if (!sk_POLICY_MAPPING_find(mappings, /*out_index=*/NULL, &mapping)) {\n return 0;\n }\n x509_policy_node_free(node);\n return 1;\n}\n\n// process_policy_mappings processes the policy mappings extension of |cert|,\n// whose corresponding graph level is |level|. |mapping_allowed| specifies\n// whether policy mapping is inhibited at this point. On success, it returns an\n// |X509_POLICY_LEVEL| containing the \"expected_policy_set\" for |level|. On\n// error, it returns NULL. This implements steps (a) and (b) of RFC 5280,\n// section 6.1.4.\n//\n// We represent the \"expected_policy_set\" as an |X509_POLICY_LEVEL|.\n// |has_any_policy| indicates whether there is an anyPolicy node with\n// \"expected_policy_set\" of {anyPolicy}. If a node with policy oid P1 contains\n// P2 in its \"expected_policy_set\", the level will contain a node of policy P2\n// with P1 in |parent_policies|.\n//\n// This is equivalent to the |X509_POLICY_LEVEL| that would result if the next\n// certificats contained anyPolicy. |process_certificate_policies| will filter\n// this result down to compute the actual level.\nstatic X509_POLICY_LEVEL *process_policy_mappings(const X509 *cert,\n X509_POLICY_LEVEL *level,\n int mapping_allowed) {\n int ok = 0;\n STACK_OF(X509_POLICY_NODE) *new_nodes = NULL;\n X509_POLICY_LEVEL *next = NULL;\n int critical;\n POLICY_MAPPINGS *mappings = reinterpret_cast(\n X509_get_ext_d2i(cert, NID_policy_mappings, &critical, NULL));\n\n {\n if (mappings == NULL && critical != -1) {\n // Syntax error in the policy mappings extension.\n goto err;\n }\n\n if (mappings != NULL) {\n // PolicyMappings may not be empty. See RFC 5280, section 4.2.1.5.\n // TODO(https://crbug.com/boringssl/443): Move this check into the parser.\n if (sk_POLICY_MAPPING_num(mappings) == 0) {\n OPENSSL_PUT_ERROR(X509, X509_R_INVALID_POLICY_EXTENSION);\n goto err;\n }\n\n // RFC 5280, section 6.1.4, step (a).\n for (size_t i = 0; i < sk_POLICY_MAPPING_num(mappings); i++) {\n POLICY_MAPPING *mapping = sk_POLICY_MAPPING_value(mappings, i);\n if (is_any_policy(mapping->issuerDomainPolicy) ||\n is_any_policy(mapping->subjectDomainPolicy)) {\n goto err;\n }\n }\n\n // Sort to group by issuerDomainPolicy.\n sk_POLICY_MAPPING_set_cmp_func(mappings, compare_issuer_policy);\n sk_POLICY_MAPPING_sort(mappings);\n\n if (mapping_allowed) {\n // Mark nodes as mapped, and add any nodes to |level| which may be\n // needed as part of RFC 5280, section 6.1.4, step (b.1).\n new_nodes = sk_X509_POLICY_NODE_new_null();\n if (new_nodes == NULL) {\n goto err;\n }\n const ASN1_OBJECT *last_policy = NULL;\n for (size_t i = 0; i < sk_POLICY_MAPPING_num(mappings); i++) {\n const POLICY_MAPPING *mapping = sk_POLICY_MAPPING_value(mappings, i);\n // There may be multiple mappings with the same |issuerDomainPolicy|.\n if (last_policy != NULL &&\n OBJ_cmp(mapping->issuerDomainPolicy, last_policy) == 0) {\n continue;\n }\n last_policy = mapping->issuerDomainPolicy;\n\n X509_POLICY_NODE *node =\n x509_policy_level_find(level, mapping->issuerDomainPolicy);\n if (node == NULL) {\n if (!level->has_any_policy) {\n continue;\n }\n node = x509_policy_node_new(mapping->issuerDomainPolicy);\n if (node == NULL || //\n !sk_X509_POLICY_NODE_push(new_nodes, node)) {\n x509_policy_node_free(node);\n goto err;\n }\n }\n node->mapped = 1;\n }\n if (!x509_policy_level_add_nodes(level, new_nodes)) {\n goto err;\n }\n } else {\n // RFC 5280, section 6.1.4, step (b.2). If mapping is inhibited, delete\n // all mapped nodes.\n sk_X509_POLICY_NODE_delete_if(level->nodes, delete_if_mapped, mappings);\n sk_POLICY_MAPPING_pop_free(mappings, POLICY_MAPPING_free);\n mappings = NULL;\n }\n }\n\n // If a node was not mapped, it retains the original \"explicit_policy_set\"\n // value, itself. Add those to |mappings|.\n if (mappings == NULL) {\n mappings = sk_POLICY_MAPPING_new_null();\n if (mappings == NULL) {\n goto err;\n }\n }\n for (size_t i = 0; i < sk_X509_POLICY_NODE_num(level->nodes); i++) {\n X509_POLICY_NODE *node = sk_X509_POLICY_NODE_value(level->nodes, i);\n if (!node->mapped) {\n POLICY_MAPPING *mapping = POLICY_MAPPING_new();\n if (mapping == NULL) {\n goto err;\n }\n mapping->issuerDomainPolicy = OBJ_dup(node->policy);\n mapping->subjectDomainPolicy = OBJ_dup(node->policy);\n if (mapping->issuerDomainPolicy == NULL ||\n mapping->subjectDomainPolicy == NULL ||\n !sk_POLICY_MAPPING_push(mappings, mapping)) {\n POLICY_MAPPING_free(mapping);\n goto err;\n }\n }\n }\n\n // Sort to group by subjectDomainPolicy.\n sk_POLICY_MAPPING_set_cmp_func(mappings, compare_subject_policy);\n sk_POLICY_MAPPING_sort(mappings);\n\n // Convert |mappings| to our \"expected_policy_set\" representation.\n next = x509_policy_level_new();\n if (next == NULL) {\n goto err;\n }\n next->has_any_policy = level->has_any_policy;\n\n X509_POLICY_NODE *last_node = NULL;\n for (size_t i = 0; i < sk_POLICY_MAPPING_num(mappings); i++) {\n POLICY_MAPPING *mapping = sk_POLICY_MAPPING_value(mappings, i);\n // Skip mappings where |issuerDomainPolicy| does not appear in the graph.\n if (!level->has_any_policy &&\n x509_policy_level_find(level, mapping->issuerDomainPolicy) == NULL) {\n continue;\n }\n\n if (last_node == NULL ||\n OBJ_cmp(last_node->policy, mapping->subjectDomainPolicy) != 0) {\n last_node = x509_policy_node_new(mapping->subjectDomainPolicy);\n if (last_node == NULL ||\n !sk_X509_POLICY_NODE_push(next->nodes, last_node)) {\n x509_policy_node_free(last_node);\n goto err;\n }\n }\n\n if (!sk_ASN1_OBJECT_push(last_node->parent_policies,\n mapping->issuerDomainPolicy)) {\n goto err;\n }\n mapping->issuerDomainPolicy = NULL;\n }\n\n sk_X509_POLICY_NODE_sort(next->nodes);\n ok = 1;\n }\n\nerr:\n if (!ok) {\n x509_policy_level_free(next);\n next = NULL;\n }\n\n sk_POLICY_MAPPING_pop_free(mappings, POLICY_MAPPING_free);\n sk_X509_POLICY_NODE_pop_free(new_nodes, x509_policy_node_free);\n return next;\n}\n\n// apply_skip_certs, if |skip_certs| is non-NULL, sets |*value| to the minimum\n// of its current value and |skip_certs|. It returns one on success and zero if\n// |skip_certs| is negative.\nstatic int apply_skip_certs(const ASN1_INTEGER *skip_certs, size_t *value) {\n if (skip_certs == NULL) {\n return 1;\n }\n\n // TODO(https://crbug.com/boringssl/443): Move this check into the parser.\n if (skip_certs->type & V_ASN1_NEG) {\n OPENSSL_PUT_ERROR(X509, X509_R_INVALID_POLICY_EXTENSION);\n return 0;\n }\n\n // If |skip_certs| does not fit in |uint64_t|, it must exceed |*value|.\n uint64_t u64;\n if (ASN1_INTEGER_get_uint64(&u64, skip_certs) && u64 < *value) {\n *value = (size_t)u64;\n }\n ERR_clear_error();\n return 1;\n}\n\n// process_policy_constraints updates |*explicit_policy|, |*policy_mapping|, and\n// |*inhibit_any_policy| according to |x509|'s policy constraints and inhibit\n// anyPolicy extensions. It returns one on success and zero on error. This\n// implements steps (i) and (j) of RFC 5280, section 6.1.4.\nstatic int process_policy_constraints(const X509 *x509, size_t *explicit_policy,\n size_t *policy_mapping,\n size_t *inhibit_any_policy) {\n int critical;\n POLICY_CONSTRAINTS *constraints = reinterpret_cast(\n X509_get_ext_d2i(x509, NID_policy_constraints, &critical, NULL));\n if (constraints == NULL && critical != -1) {\n return 0;\n }\n if (constraints != NULL) {\n if (constraints->requireExplicitPolicy == NULL &&\n constraints->inhibitPolicyMapping == NULL) {\n // Per RFC 5280, section 4.2.1.11, at least one of the fields must be\n // present.\n OPENSSL_PUT_ERROR(X509, X509_R_INVALID_POLICY_EXTENSION);\n POLICY_CONSTRAINTS_free(constraints);\n return 0;\n }\n int ok =\n apply_skip_certs(constraints->requireExplicitPolicy, explicit_policy) &&\n apply_skip_certs(constraints->inhibitPolicyMapping, policy_mapping);\n POLICY_CONSTRAINTS_free(constraints);\n if (!ok) {\n return 0;\n }\n }\n\n ASN1_INTEGER *inhibit_any_policy_ext = reinterpret_cast(\n X509_get_ext_d2i(x509, NID_inhibit_any_policy, &critical, NULL));\n if (inhibit_any_policy_ext == NULL && critical != -1) {\n return 0;\n }\n int ok = apply_skip_certs(inhibit_any_policy_ext, inhibit_any_policy);\n ASN1_INTEGER_free(inhibit_any_policy_ext);\n return ok;\n}\n\n// has_explicit_policy returns one if the set of authority-space policy OIDs\n// |levels| has some non-empty intersection with |user_policies|, and zero\n// otherwise. This mirrors the logic in RFC 5280, section 6.1.5, step (g). This\n// function modifies |levels| and should only be called at the end of policy\n// evaluation.\nstatic int has_explicit_policy(STACK_OF(X509_POLICY_LEVEL) *levels,\n const STACK_OF(ASN1_OBJECT) *user_policies) {\n assert(user_policies == NULL || sk_ASN1_OBJECT_is_sorted(user_policies));\n\n // Step (g.i). If the policy graph is empty, the intersection is empty.\n size_t num_levels = sk_X509_POLICY_LEVEL_num(levels);\n X509_POLICY_LEVEL *level = sk_X509_POLICY_LEVEL_value(levels, num_levels - 1);\n if (x509_policy_level_is_empty(level)) {\n return 0;\n }\n\n // If |user_policies| is empty, we interpret it as having a single anyPolicy\n // value. The caller may also have supplied anyPolicy explicitly.\n int user_has_any_policy = sk_ASN1_OBJECT_num(user_policies) == 0;\n for (size_t i = 0; i < sk_ASN1_OBJECT_num(user_policies); i++) {\n if (is_any_policy(sk_ASN1_OBJECT_value(user_policies, i))) {\n user_has_any_policy = 1;\n break;\n }\n }\n\n // Step (g.ii). If the policy graph is not empty and the user set contains\n // anyPolicy, the intersection is the entire (non-empty) graph.\n if (user_has_any_policy) {\n return 1;\n }\n\n // Step (g.iii) does not delete anyPolicy nodes, so if the graph has\n // anyPolicy, some explicit policy will survive. The actual intersection may\n // synthesize some nodes in step (g.iii.3), but we do not return the policy\n // list itself, so we skip actually computing this.\n if (level->has_any_policy) {\n return 1;\n }\n\n // We defer pruning the tree, so as we look for nodes with parent anyPolicy,\n // step (g.iii.1), we must limit to nodes reachable from the bottommost level.\n // Start by marking each of those nodes as reachable.\n for (size_t i = 0; i < sk_X509_POLICY_NODE_num(level->nodes); i++) {\n sk_X509_POLICY_NODE_value(level->nodes, i)->reachable = 1;\n }\n\n for (size_t i = num_levels - 1; i < num_levels; i--) {\n level = sk_X509_POLICY_LEVEL_value(levels, i);\n for (size_t j = 0; j < sk_X509_POLICY_NODE_num(level->nodes); j++) {\n X509_POLICY_NODE *node = sk_X509_POLICY_NODE_value(level->nodes, j);\n if (!node->reachable) {\n continue;\n }\n if (sk_ASN1_OBJECT_num(node->parent_policies) == 0) {\n // |node|'s parent is anyPolicy and is part of \"valid_policy_node_set\".\n // If it exists in |user_policies|, the intersection is non-empty and we\n // can return immediately.\n if (sk_ASN1_OBJECT_find(user_policies, /*out_index=*/NULL,\n node->policy)) {\n return 1;\n }\n } else if (i > 0) {\n // |node|'s parents are concrete policies. Mark the parents reachable,\n // to be inspected by the next loop iteration.\n X509_POLICY_LEVEL *prev = sk_X509_POLICY_LEVEL_value(levels, i - 1);\n for (size_t k = 0; k < sk_ASN1_OBJECT_num(node->parent_policies); k++) {\n X509_POLICY_NODE *parent = x509_policy_level_find(\n prev, sk_ASN1_OBJECT_value(node->parent_policies, k));\n if (parent != NULL) {\n parent->reachable = 1;\n }\n }\n }\n }\n }\n\n return 0;\n}\n\nstatic int asn1_object_cmp(const ASN1_OBJECT *const *a,\n const ASN1_OBJECT *const *b) {\n return OBJ_cmp(*a, *b);\n}\n\nint X509_policy_check(const STACK_OF(X509) *certs,\n const STACK_OF(ASN1_OBJECT) *user_policies,\n unsigned long flags, X509 **out_current_cert) {\n *out_current_cert = NULL;\n int ret = X509_V_ERR_OUT_OF_MEM;\n X509_POLICY_LEVEL *level = NULL;\n STACK_OF(X509_POLICY_LEVEL) *levels = NULL;\n STACK_OF(ASN1_OBJECT) *user_policies_sorted = NULL;\n size_t num_certs = sk_X509_num(certs);\n\n // Skip policy checking if the chain is just the trust anchor.\n if (num_certs <= 1) {\n return X509_V_OK;\n }\n\n // See RFC 5280, section 6.1.2, steps (d) through (f).\n size_t explicit_policy =\n (flags & X509_V_FLAG_EXPLICIT_POLICY) ? 0 : num_certs + 1;\n size_t inhibit_any_policy =\n (flags & X509_V_FLAG_INHIBIT_ANY) ? 0 : num_certs + 1;\n size_t policy_mapping = (flags & X509_V_FLAG_INHIBIT_MAP) ? 0 : num_certs + 1;\n\n levels = sk_X509_POLICY_LEVEL_new_null();\n if (levels == NULL) {\n goto err;\n }\n\n for (size_t i = num_certs - 2; i < num_certs; i--) {\n X509 *cert = sk_X509_value(certs, i);\n if (!x509v3_cache_extensions(cert)) {\n goto err;\n }\n const int is_self_issued = (cert->ex_flags & EXFLAG_SI) != 0;\n\n if (level == NULL) {\n assert(i == num_certs - 2);\n level = x509_policy_level_new();\n if (level == NULL) {\n goto err;\n }\n level->has_any_policy = 1;\n }\n\n // RFC 5280, section 6.1.3, steps (d) and (e). |any_policy_allowed| is\n // computed as in step (d.2).\n const int any_policy_allowed =\n inhibit_any_policy > 0 || (i > 0 && is_self_issued);\n if (!process_certificate_policies(cert, level, any_policy_allowed)) {\n ret = X509_V_ERR_INVALID_POLICY_EXTENSION;\n *out_current_cert = cert;\n goto err;\n }\n\n // RFC 5280, section 6.1.3, step (f).\n if (explicit_policy == 0 && x509_policy_level_is_empty(level)) {\n ret = X509_V_ERR_NO_EXPLICIT_POLICY;\n goto err;\n }\n\n // Insert into the list.\n if (!sk_X509_POLICY_LEVEL_push(levels, level)) {\n goto err;\n }\n X509_POLICY_LEVEL *current_level = level;\n level = NULL;\n\n // If this is not the leaf certificate, we go to section 6.1.4. If it\n // is the leaf certificate, we go to section 6.1.5 instead.\n if (i != 0) {\n // RFC 5280, section 6.1.4, steps (a) and (b).\n level = process_policy_mappings(cert, current_level, policy_mapping > 0);\n if (level == NULL) {\n ret = X509_V_ERR_INVALID_POLICY_EXTENSION;\n *out_current_cert = cert;\n goto err;\n }\n }\n\n // RFC 5280, section 6.1.4, step (h-j) for non-leaves, and section 6.1.5,\n // step (a-b) for leaves. In the leaf case, RFC 5280 says only to update\n // |explicit_policy|, but |policy_mapping| and |inhibit_any_policy| are no\n // longer read at this point, so we use the same process.\n if (i == 0 || !is_self_issued) {\n if (explicit_policy > 0) {\n explicit_policy--;\n }\n if (policy_mapping > 0) {\n policy_mapping--;\n }\n if (inhibit_any_policy > 0) {\n inhibit_any_policy--;\n }\n }\n if (!process_policy_constraints(cert, &explicit_policy, &policy_mapping,\n &inhibit_any_policy)) {\n ret = X509_V_ERR_INVALID_POLICY_EXTENSION;\n *out_current_cert = cert;\n goto err;\n }\n }\n\n // RFC 5280, section 6.1.5, step (g). We do not output the policy set, so it\n // is only necessary to check if the user-constrained-policy-set is not empty.\n if (explicit_policy == 0) {\n // Build a sorted copy of |user_policies| for more efficient lookup.\n if (user_policies != NULL) {\n user_policies_sorted = sk_ASN1_OBJECT_dup(user_policies);\n if (user_policies_sorted == NULL) {\n goto err;\n }\n sk_ASN1_OBJECT_set_cmp_func(user_policies_sorted, asn1_object_cmp);\n sk_ASN1_OBJECT_sort(user_policies_sorted);\n }\n\n if (!has_explicit_policy(levels, user_policies_sorted)) {\n ret = X509_V_ERR_NO_EXPLICIT_POLICY;\n goto err;\n }\n }\n\n ret = X509_V_OK;\n\nerr:\n x509_policy_level_free(level);\n // |user_policies_sorted|'s contents are owned by |user_policies|, so we do\n // not use |sk_ASN1_OBJECT_pop_free|.\n sk_ASN1_OBJECT_free(user_policies_sorted);\n sk_X509_POLICY_LEVEL_pop_free(levels, x509_policy_level_free);\n return ret;\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/x509/rsa_pss.cc", "content": "/*\n * Copyright 2006-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n#include \n\n#include \n#include \n#include \n#include \n#include \n#include \n\n#include \"internal.h\"\n\n\nstatic int rsa_pss_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,\n void *exarg) {\n if (operation == ASN1_OP_FREE_PRE) {\n RSA_PSS_PARAMS *pss = (RSA_PSS_PARAMS *)*pval;\n X509_ALGOR_free(pss->maskHash);\n }\n return 1;\n}\n\nASN1_SEQUENCE_cb(RSA_PSS_PARAMS, rsa_pss_cb) = {\n ASN1_EXP_OPT(RSA_PSS_PARAMS, hashAlgorithm, X509_ALGOR, 0),\n ASN1_EXP_OPT(RSA_PSS_PARAMS, maskGenAlgorithm, X509_ALGOR, 1),\n ASN1_EXP_OPT(RSA_PSS_PARAMS, saltLength, ASN1_INTEGER, 2),\n ASN1_EXP_OPT(RSA_PSS_PARAMS, trailerField, ASN1_INTEGER, 3),\n} ASN1_SEQUENCE_END_cb(RSA_PSS_PARAMS, RSA_PSS_PARAMS)\n\nIMPLEMENT_ASN1_FUNCTIONS_const(RSA_PSS_PARAMS)\n\n\n// Given an MGF1 Algorithm ID decode to an Algorithm Identifier\nstatic X509_ALGOR *rsa_mgf1_decode(const X509_ALGOR *alg) {\n if (OBJ_obj2nid(alg->algorithm) != NID_mgf1 || alg->parameter == NULL ||\n alg->parameter->type != V_ASN1_SEQUENCE) {\n return NULL;\n }\n\n const uint8_t *p = alg->parameter->value.sequence->data;\n int plen = alg->parameter->value.sequence->length;\n return d2i_X509_ALGOR(NULL, &p, plen);\n}\n\nstatic RSA_PSS_PARAMS *rsa_pss_decode(const X509_ALGOR *alg) {\n if (alg->parameter == NULL || alg->parameter->type != V_ASN1_SEQUENCE) {\n return NULL;\n }\n\n const uint8_t *p = alg->parameter->value.sequence->data;\n int plen = alg->parameter->value.sequence->length;\n return d2i_RSA_PSS_PARAMS(NULL, &p, plen);\n}\n\nstatic int is_allowed_pss_md(const EVP_MD *md) {\n int md_type = EVP_MD_type(md);\n return md_type == NID_sha256 || md_type == NID_sha384 ||\n md_type == NID_sha512;\n}\n\n// rsa_md_to_algor sets |*palg| to an |X509_ALGOR| describing the digest |md|,\n// which must be an allowed PSS digest.\nstatic int rsa_md_to_algor(X509_ALGOR **palg, const EVP_MD *md) {\n // SHA-1 should be omitted (DEFAULT), but we do not allow SHA-1.\n assert(is_allowed_pss_md(md));\n *palg = X509_ALGOR_new();\n if (*palg == NULL) {\n return 0;\n }\n if (!X509_ALGOR_set_md(*palg, md)) {\n X509_ALGOR_free(*palg);\n *palg = NULL;\n return 0;\n }\n return 1;\n}\n\n// rsa_md_to_mgf1 sets |*palg| to an |X509_ALGOR| describing MGF-1 with the\n// digest |mgf1md|, which must be an allowed PSS digest.\nstatic int rsa_md_to_mgf1(X509_ALGOR **palg, const EVP_MD *mgf1md) {\n // SHA-1 should be omitted (DEFAULT), but we do not allow SHA-1.\n assert(is_allowed_pss_md(mgf1md));\n X509_ALGOR *algtmp = NULL;\n ASN1_STRING *stmp = NULL;\n // need to embed algorithm ID inside another\n if (!rsa_md_to_algor(&algtmp, mgf1md) ||\n !ASN1_item_pack(algtmp, ASN1_ITEM_rptr(X509_ALGOR), &stmp)) {\n goto err;\n }\n *palg = X509_ALGOR_new();\n if (!*palg) {\n goto err;\n }\n if (!X509_ALGOR_set0(*palg, OBJ_nid2obj(NID_mgf1), V_ASN1_SEQUENCE, stmp)) {\n goto err;\n }\n stmp = NULL;\n\nerr:\n ASN1_STRING_free(stmp);\n X509_ALGOR_free(algtmp);\n if (*palg) {\n return 1;\n }\n\n return 0;\n}\n\nstatic const EVP_MD *rsa_algor_to_md(const X509_ALGOR *alg) {\n if (!alg) {\n // If omitted, PSS defaults to SHA-1, which we do not allow.\n OPENSSL_PUT_ERROR(X509, X509_R_INVALID_PSS_PARAMETERS);\n return NULL;\n }\n const EVP_MD *md = EVP_get_digestbyobj(alg->algorithm);\n if (md == NULL || !is_allowed_pss_md(md)) {\n OPENSSL_PUT_ERROR(X509, X509_R_INVALID_PSS_PARAMETERS);\n return NULL;\n }\n return md;\n}\n\nstatic const EVP_MD *rsa_mgf1_to_md(const X509_ALGOR *alg) {\n if (!alg) {\n // If omitted, PSS defaults to MGF-1 with SHA-1, which we do not allow.\n OPENSSL_PUT_ERROR(X509, X509_R_INVALID_PSS_PARAMETERS);\n return NULL;\n }\n // Check mask and lookup mask hash algorithm.\n X509_ALGOR *maskHash = rsa_mgf1_decode(alg);\n if (maskHash == NULL) {\n OPENSSL_PUT_ERROR(X509, X509_R_INVALID_PSS_PARAMETERS);\n return NULL;\n }\n const EVP_MD *ret = rsa_algor_to_md(maskHash);\n X509_ALGOR_free(maskHash);\n return ret;\n}\n\nint x509_rsa_ctx_to_pss(EVP_MD_CTX *ctx, X509_ALGOR *algor) {\n const EVP_MD *sigmd, *mgf1md;\n int saltlen;\n if (!EVP_PKEY_CTX_get_signature_md(ctx->pctx, &sigmd) ||\n !EVP_PKEY_CTX_get_rsa_mgf1_md(ctx->pctx, &mgf1md) ||\n !EVP_PKEY_CTX_get_rsa_pss_saltlen(ctx->pctx, &saltlen)) {\n return 0;\n }\n\n if (sigmd != mgf1md || !is_allowed_pss_md(sigmd)) {\n OPENSSL_PUT_ERROR(X509, X509_R_INVALID_PSS_PARAMETERS);\n return 0;\n }\n int md_len = (int)EVP_MD_size(sigmd);\n if (saltlen == -1) {\n saltlen = md_len;\n } else if (saltlen != md_len) {\n OPENSSL_PUT_ERROR(X509, X509_R_INVALID_PSS_PARAMETERS);\n return 0;\n }\n\n int ret = 0;\n ASN1_STRING *os = NULL;\n RSA_PSS_PARAMS *pss = RSA_PSS_PARAMS_new();\n if (!pss) {\n goto err;\n }\n\n // The DEFAULT value is 20, but this does not match any supported digest.\n assert(saltlen != 20);\n pss->saltLength = ASN1_INTEGER_new();\n if (!pss->saltLength || //\n !ASN1_INTEGER_set_int64(pss->saltLength, saltlen)) {\n goto err;\n }\n\n if (!rsa_md_to_algor(&pss->hashAlgorithm, sigmd) ||\n !rsa_md_to_mgf1(&pss->maskGenAlgorithm, mgf1md)) {\n goto err;\n }\n\n // Finally create string with pss parameter encoding.\n if (!ASN1_item_pack(pss, ASN1_ITEM_rptr(RSA_PSS_PARAMS), &os)) {\n goto err;\n }\n\n if (!X509_ALGOR_set0(algor, OBJ_nid2obj(NID_rsassaPss), V_ASN1_SEQUENCE,\n os)) {\n goto err;\n }\n os = NULL;\n ret = 1;\n\nerr:\n RSA_PSS_PARAMS_free(pss);\n ASN1_STRING_free(os);\n return ret;\n}\n\nint x509_rsa_pss_to_ctx(EVP_MD_CTX *ctx, const X509_ALGOR *sigalg,\n EVP_PKEY *pkey) {\n assert(OBJ_obj2nid(sigalg->algorithm) == NID_rsassaPss);\n\n // Decode PSS parameters\n int ret = 0;\n RSA_PSS_PARAMS *pss = rsa_pss_decode(sigalg);\n\n {\n if (pss == NULL) {\n OPENSSL_PUT_ERROR(X509, X509_R_INVALID_PSS_PARAMETERS);\n goto err;\n }\n\n const EVP_MD *mgf1md = rsa_mgf1_to_md(pss->maskGenAlgorithm);\n const EVP_MD *md = rsa_algor_to_md(pss->hashAlgorithm);\n if (mgf1md == NULL || md == NULL) {\n goto err;\n }\n\n // We require the MGF-1 and signing hashes to match.\n if (mgf1md != md) {\n OPENSSL_PUT_ERROR(X509, X509_R_INVALID_PSS_PARAMETERS);\n goto err;\n }\n\n // We require the salt length be the hash length. The DEFAULT value is 20,\n // but this does not match any supported salt length.\n uint64_t salt_len = 0;\n if (pss->saltLength == NULL ||\n !ASN1_INTEGER_get_uint64(&salt_len, pss->saltLength) ||\n salt_len != EVP_MD_size(md)) {\n OPENSSL_PUT_ERROR(X509, X509_R_INVALID_PSS_PARAMETERS);\n goto err;\n }\n assert(salt_len <= INT_MAX);\n\n // The trailer field must be 1 (0xbc). This value is DEFAULT, so the\n // structure is required to omit it in DER. Although a syntax error, we also\n // tolerate an explicitly-encoded value. See the certificates in\n // cl/362617931.\n if (pss->trailerField != NULL && ASN1_INTEGER_get(pss->trailerField) != 1) {\n OPENSSL_PUT_ERROR(X509, X509_R_INVALID_PSS_PARAMETERS);\n goto err;\n }\n\n EVP_PKEY_CTX *pctx;\n if (!EVP_DigestVerifyInit(ctx, &pctx, md, NULL, pkey) ||\n !EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) ||\n !EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, (int)salt_len) ||\n !EVP_PKEY_CTX_set_rsa_mgf1_md(pctx, mgf1md)) {\n goto err;\n }\n\n ret = 1;\n }\n\nerr:\n RSA_PSS_PARAMS_free(pss);\n return ret;\n}\n\nint x509_print_rsa_pss_params(BIO *bp, const X509_ALGOR *sigalg, int indent,\n ASN1_PCTX *pctx) {\n assert(OBJ_obj2nid(sigalg->algorithm) == NID_rsassaPss);\n\n int rv = 0;\n X509_ALGOR *maskHash = NULL;\n RSA_PSS_PARAMS *pss = rsa_pss_decode(sigalg);\n if (!pss) {\n if (BIO_puts(bp, \" (INVALID PSS PARAMETERS)\\n\") <= 0) {\n goto err;\n }\n rv = 1;\n goto err;\n }\n\n if (BIO_puts(bp, \"\\n\") <= 0 || //\n !BIO_indent(bp, indent, 128) || //\n BIO_puts(bp, \"Hash Algorithm: \") <= 0) {\n goto err;\n }\n\n if (pss->hashAlgorithm) {\n if (i2a_ASN1_OBJECT(bp, pss->hashAlgorithm->algorithm) <= 0) {\n goto err;\n }\n } else if (BIO_puts(bp, \"sha1 (default)\") <= 0) {\n goto err;\n }\n\n if (BIO_puts(bp, \"\\n\") <= 0 || //\n !BIO_indent(bp, indent, 128) || //\n BIO_puts(bp, \"Mask Algorithm: \") <= 0) {\n goto err;\n }\n\n if (pss->maskGenAlgorithm) {\n maskHash = rsa_mgf1_decode(pss->maskGenAlgorithm);\n if (maskHash == NULL) {\n if (BIO_puts(bp, \"INVALID\") <= 0) {\n goto err;\n }\n } else {\n if (i2a_ASN1_OBJECT(bp, pss->maskGenAlgorithm->algorithm) <= 0 ||\n BIO_puts(bp, \" with \") <= 0 ||\n i2a_ASN1_OBJECT(bp, maskHash->algorithm) <= 0) {\n goto err;\n }\n }\n } else if (BIO_puts(bp, \"mgf1 with sha1 (default)\") <= 0) {\n goto err;\n }\n BIO_puts(bp, \"\\n\");\n\n if (!BIO_indent(bp, indent, 128) || //\n BIO_puts(bp, \"Salt Length: 0x\") <= 0) {\n goto err;\n }\n\n if (pss->saltLength) {\n if (i2a_ASN1_INTEGER(bp, pss->saltLength) <= 0) {\n goto err;\n }\n } else if (BIO_puts(bp, \"14 (default)\") <= 0) {\n goto err;\n }\n BIO_puts(bp, \"\\n\");\n\n if (!BIO_indent(bp, indent, 128) || //\n BIO_puts(bp, \"Trailer Field: 0x\") <= 0) {\n goto err;\n }\n\n if (pss->trailerField) {\n if (i2a_ASN1_INTEGER(bp, pss->trailerField) <= 0) {\n goto err;\n }\n } else if (BIO_puts(bp, \"BC (default)\") <= 0) {\n goto err;\n }\n BIO_puts(bp, \"\\n\");\n\n rv = 1;\n\nerr:\n RSA_PSS_PARAMS_free(pss);\n X509_ALGOR_free(maskHash);\n return rv;\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/x509/t_crl.cc", "content": "/*\n * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n#include \n#include \n#include \n#include \n\n\nint X509_CRL_print_fp(FILE *fp, X509_CRL *x) {\n BIO *b = BIO_new_fp(fp, BIO_NOCLOSE);\n if (b == NULL) {\n OPENSSL_PUT_ERROR(X509, ERR_R_BUF_LIB);\n return 0;\n }\n int ret = X509_CRL_print(b, x);\n BIO_free(b);\n return ret;\n}\n\nint X509_CRL_print(BIO *out, X509_CRL *x) {\n long version = X509_CRL_get_version(x);\n assert(X509_CRL_VERSION_1 <= version && version <= X509_CRL_VERSION_2);\n const X509_ALGOR *sig_alg;\n const ASN1_BIT_STRING *signature;\n X509_CRL_get0_signature(x, &signature, &sig_alg);\n if (BIO_printf(out, \"Certificate Revocation List (CRL):\\n\") <= 0 ||\n BIO_printf(out, \"%8sVersion %ld (0x%lx)\\n\", \"\", version + 1,\n (unsigned long)version) <= 0 ||\n // Note this and the other |X509_signature_print| call both print the\n // outer signature algorithm, rather than printing the inner and outer\n // ones separately. This matches OpenSSL, though it was probably a bug.\n !X509_signature_print(out, sig_alg, NULL)) {\n return 0;\n }\n\n char *issuer = X509_NAME_oneline(X509_CRL_get_issuer(x), NULL, 0);\n int ok = issuer != NULL && BIO_printf(out, \"%8sIssuer: %s\\n\", \"\", issuer) > 0;\n OPENSSL_free(issuer);\n if (!ok) {\n return 0;\n }\n\n if (BIO_printf(out, \"%8sLast Update: \", \"\") <= 0 ||\n !ASN1_TIME_print(out, X509_CRL_get0_lastUpdate(x)) ||\n BIO_printf(out, \"\\n%8sNext Update: \", \"\") <= 0) {\n return 0;\n }\n if (X509_CRL_get0_nextUpdate(x)) {\n if (!ASN1_TIME_print(out, X509_CRL_get0_nextUpdate(x))) {\n return 0;\n }\n } else {\n if (BIO_printf(out, \"NONE\") <= 0) {\n return 0;\n }\n }\n\n if (BIO_printf(out, \"\\n\") <= 0 ||\n !X509V3_extensions_print(out, \"CRL extensions\",\n X509_CRL_get0_extensions(x), 0, 8)) {\n return 0;\n }\n\n const STACK_OF(X509_REVOKED) *rev = X509_CRL_get_REVOKED(x);\n if (sk_X509_REVOKED_num(rev) > 0) {\n if (BIO_printf(out, \"Revoked Certificates:\\n\") <= 0) {\n return 0;\n }\n } else {\n if (BIO_printf(out, \"No Revoked Certificates.\\n\") <= 0) {\n return 0;\n }\n }\n\n for (size_t i = 0; i < sk_X509_REVOKED_num(rev); i++) {\n const X509_REVOKED *r = sk_X509_REVOKED_value(rev, i);\n if (BIO_printf(out, \" Serial Number: \") <= 0 ||\n i2a_ASN1_INTEGER(out, X509_REVOKED_get0_serialNumber(r)) <= 0 ||\n BIO_printf(out, \"\\n Revocation Date: \") <= 0 ||\n !ASN1_TIME_print(out, X509_REVOKED_get0_revocationDate(r)) ||\n BIO_printf(out, \"\\n\") <= 0 ||\n !X509V3_extensions_print(out, \"CRL entry extensions\",\n X509_REVOKED_get0_extensions(r), 0, 8)) {\n }\n }\n\n return X509_signature_print(out, sig_alg, signature);\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/x509/t_req.cc", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n#include \n\n#include \n#include \n#include \n#include \n#include \n\n#include \"internal.h\"\n\n\nint X509_REQ_print_fp(FILE *fp, X509_REQ *x) {\n BIO *bio = BIO_new_fp(fp, BIO_NOCLOSE);\n if (bio == NULL) {\n OPENSSL_PUT_ERROR(X509, ERR_R_BUF_LIB);\n return 0;\n }\n int ret = X509_REQ_print(bio, x);\n BIO_free(bio);\n return ret;\n}\n\nint X509_REQ_print_ex(BIO *bio, X509_REQ *x, unsigned long nmflags,\n unsigned long cflag) {\n long l;\n STACK_OF(X509_ATTRIBUTE) *sk;\n char mlch = ' ';\n\n int nmindent = 0;\n\n if ((nmflags & XN_FLAG_SEP_MASK) == XN_FLAG_SEP_MULTILINE) {\n mlch = '\\n';\n nmindent = 12;\n }\n\n if (nmflags == X509_FLAG_COMPAT) {\n nmindent = 16;\n }\n\n X509_REQ_INFO *ri = x->req_info;\n if (!(cflag & X509_FLAG_NO_HEADER)) {\n if (BIO_write(bio, \"Certificate Request:\\n\", 21) <= 0 ||\n BIO_write(bio, \" Data:\\n\", 10) <= 0) {\n goto err;\n }\n }\n if (!(cflag & X509_FLAG_NO_VERSION)) {\n l = X509_REQ_get_version(x);\n // Only zero, |X509_REQ_VERSION_1|, is valid but our parser accepts some\n // invalid values for compatibility.\n assert(0 <= l && l <= 2);\n if (BIO_printf(bio, \"%8sVersion: %ld (0x%lx)\\n\", \"\", l + 1,\n (unsigned long)l) <= 0) {\n goto err;\n }\n }\n if (!(cflag & X509_FLAG_NO_SUBJECT)) {\n if (BIO_printf(bio, \" Subject:%c\", mlch) <= 0 ||\n X509_NAME_print_ex(bio, ri->subject, nmindent, nmflags) < 0 ||\n BIO_write(bio, \"\\n\", 1) <= 0) {\n goto err;\n }\n }\n if (!(cflag & X509_FLAG_NO_PUBKEY)) {\n if (BIO_write(bio, \" Subject Public Key Info:\\n\", 33) <= 0 ||\n BIO_printf(bio, \"%12sPublic Key Algorithm: \", \"\") <= 0 ||\n i2a_ASN1_OBJECT(bio, ri->pubkey->algor->algorithm) <= 0 ||\n BIO_puts(bio, \"\\n\") <= 0) {\n goto err;\n }\n\n const EVP_PKEY *pkey = X509_REQ_get0_pubkey(x);\n if (pkey == NULL) {\n BIO_printf(bio, \"%12sUnable to load Public Key\\n\", \"\");\n ERR_print_errors(bio);\n } else {\n EVP_PKEY_print_public(bio, pkey, 16, NULL);\n }\n }\n\n if (!(cflag & X509_FLAG_NO_ATTRIBUTES)) {\n if (BIO_printf(bio, \"%8sAttributes:\\n\", \"\") <= 0) {\n goto err;\n }\n\n sk = x->req_info->attributes;\n if (sk_X509_ATTRIBUTE_num(sk) == 0) {\n if (BIO_printf(bio, \"%12sa0:00\\n\", \"\") <= 0) {\n goto err;\n }\n } else {\n size_t i;\n for (i = 0; i < sk_X509_ATTRIBUTE_num(sk); i++) {\n X509_ATTRIBUTE *a = sk_X509_ATTRIBUTE_value(sk, i);\n ASN1_OBJECT *aobj = X509_ATTRIBUTE_get0_object(a);\n\n if (X509_REQ_extension_nid(OBJ_obj2nid(aobj))) {\n continue;\n }\n\n if (BIO_printf(bio, \"%12s\", \"\") <= 0) {\n goto err;\n }\n\n const int num_attrs = X509_ATTRIBUTE_count(a);\n const int obj_str_len = i2a_ASN1_OBJECT(bio, aobj);\n if (obj_str_len <= 0) {\n if (BIO_puts(bio, \"(Unable to print attribute ID.)\\n\") < 0) {\n goto err;\n } else {\n continue;\n }\n }\n\n int j;\n for (j = 0; j < num_attrs; j++) {\n const ASN1_TYPE *at = X509_ATTRIBUTE_get0_type(a, j);\n const int type = at->type;\n ASN1_BIT_STRING *bs = at->value.asn1_string;\n\n int k;\n for (k = 25 - obj_str_len; k > 0; k--) {\n if (BIO_write(bio, \" \", 1) != 1) {\n goto err;\n }\n }\n\n if (BIO_puts(bio, \":\") <= 0) {\n goto err;\n }\n\n if (type == V_ASN1_PRINTABLESTRING || type == V_ASN1_UTF8STRING ||\n type == V_ASN1_IA5STRING || type == V_ASN1_T61STRING) {\n if (BIO_write(bio, (char *)bs->data, bs->length) != bs->length) {\n goto err;\n }\n BIO_puts(bio, \"\\n\");\n } else {\n BIO_puts(bio, \"unable to print attribute\\n\");\n }\n }\n }\n }\n }\n\n if (!(cflag & X509_FLAG_NO_EXTENSIONS)) {\n STACK_OF(X509_EXTENSION) *exts = X509_REQ_get_extensions(x);\n if (exts) {\n BIO_printf(bio, \"%8sRequested Extensions:\\n\", \"\");\n\n for (size_t i = 0; i < sk_X509_EXTENSION_num(exts); i++) {\n const X509_EXTENSION *ex = sk_X509_EXTENSION_value(exts, i);\n if (BIO_printf(bio, \"%12s\", \"\") <= 0) {\n goto err;\n }\n const ASN1_OBJECT *obj = X509_EXTENSION_get_object(ex);\n i2a_ASN1_OBJECT(bio, obj);\n const int is_critical = X509_EXTENSION_get_critical(ex);\n if (BIO_printf(bio, \": %s\\n\", is_critical ? \"critical\" : \"\") <= 0) {\n goto err;\n }\n if (!X509V3_EXT_print(bio, ex, cflag, 16)) {\n BIO_printf(bio, \"%16s\", \"\");\n ASN1_STRING_print(bio, X509_EXTENSION_get_data(ex));\n }\n if (BIO_write(bio, \"\\n\", 1) <= 0) {\n goto err;\n }\n }\n sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free);\n }\n }\n\n if (!(cflag & X509_FLAG_NO_SIGDUMP) &&\n !X509_signature_print(bio, x->sig_alg, x->signature)) {\n goto err;\n }\n\n return 1;\n\nerr:\n OPENSSL_PUT_ERROR(X509, ERR_R_BUF_LIB);\n return 0;\n}\n\nint X509_REQ_print(BIO *bio, X509_REQ *req) {\n return X509_REQ_print_ex(bio, req, XN_FLAG_COMPAT, X509_FLAG_COMPAT);\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/x509/t_x509.cc", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n#include // for PRIu64 and friends\n\n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n\n#include \"internal.h\"\n\n\nint X509_print_ex_fp(FILE *fp, X509 *x, unsigned long nmflag,\n unsigned long cflag) {\n BIO *b = BIO_new_fp(fp, BIO_NOCLOSE);\n if (b == NULL) {\n OPENSSL_PUT_ERROR(X509, ERR_R_BUF_LIB);\n return 0;\n }\n int ret = X509_print_ex(b, x, nmflag, cflag);\n BIO_free(b);\n return ret;\n}\n\nint X509_print_fp(FILE *fp, X509 *x) {\n return X509_print_ex_fp(fp, x, XN_FLAG_COMPAT, X509_FLAG_COMPAT);\n}\n\nint X509_print(BIO *bp, X509 *x) {\n return X509_print_ex(bp, x, XN_FLAG_COMPAT, X509_FLAG_COMPAT);\n}\n\nint X509_print_ex(BIO *bp, X509 *x, unsigned long nmflags,\n unsigned long cflag) {\n char mlch = ' ';\n int nmindent = 0;\n if ((nmflags & XN_FLAG_SEP_MASK) == XN_FLAG_SEP_MULTILINE) {\n mlch = '\\n';\n nmindent = 12;\n }\n\n if (nmflags == X509_FLAG_COMPAT) {\n nmindent = 16;\n }\n\n const X509_CINF *ci = x->cert_info;\n if (!(cflag & X509_FLAG_NO_HEADER)) {\n if (BIO_write(bp, \"Certificate:\\n\", 13) <= 0) {\n return 0;\n }\n if (BIO_write(bp, \" Data:\\n\", 10) <= 0) {\n return 0;\n }\n }\n if (!(cflag & X509_FLAG_NO_VERSION)) {\n long l = X509_get_version(x);\n assert(X509_VERSION_1 <= l && l <= X509_VERSION_3);\n if (BIO_printf(bp, \"%8sVersion: %ld (0x%lx)\\n\", \"\", l + 1,\n (unsigned long)l) <= 0) {\n return 0;\n }\n }\n if (!(cflag & X509_FLAG_NO_SERIAL)) {\n if (BIO_write(bp, \" Serial Number:\", 22) <= 0) {\n return 0;\n }\n\n const ASN1_INTEGER *serial = X509_get0_serialNumber(x);\n uint64_t serial_u64;\n if (ASN1_INTEGER_get_uint64(&serial_u64, serial)) {\n assert(serial->type != V_ASN1_NEG_INTEGER);\n if (BIO_printf(bp, \" %\" PRIu64 \" (0x%\" PRIx64 \")\\n\", serial_u64,\n serial_u64) <= 0) {\n return 0;\n }\n } else {\n ERR_clear_error(); // Clear |ASN1_INTEGER_get_uint64|'s error.\n const char *neg =\n (serial->type == V_ASN1_NEG_INTEGER) ? \" (Negative)\" : \"\";\n if (BIO_printf(bp, \"\\n%12s%s\", \"\", neg) <= 0) {\n return 0;\n }\n\n for (int i = 0; i < serial->length; i++) {\n if (BIO_printf(bp, \"%02x%c\", serial->data[i],\n ((i + 1 == serial->length) ? '\\n' : ':')) <= 0) {\n return 0;\n }\n }\n }\n }\n\n if (!(cflag & X509_FLAG_NO_SIGNAME)) {\n if (X509_signature_print(bp, ci->signature, NULL) <= 0) {\n return 0;\n }\n }\n\n if (!(cflag & X509_FLAG_NO_ISSUER)) {\n if (BIO_printf(bp, \" Issuer:%c\", mlch) <= 0) {\n return 0;\n }\n if (X509_NAME_print_ex(bp, X509_get_issuer_name(x), nmindent, nmflags) <\n 0) {\n return 0;\n }\n if (BIO_write(bp, \"\\n\", 1) <= 0) {\n return 0;\n }\n }\n if (!(cflag & X509_FLAG_NO_VALIDITY)) {\n if (BIO_write(bp, \" Validity\\n\", 17) <= 0) {\n return 0;\n }\n if (BIO_write(bp, \" Not Before: \", 24) <= 0) {\n return 0;\n }\n if (!ASN1_TIME_print(bp, X509_get_notBefore(x))) {\n return 0;\n }\n if (BIO_write(bp, \"\\n Not After : \", 25) <= 0) {\n return 0;\n }\n if (!ASN1_TIME_print(bp, X509_get_notAfter(x))) {\n return 0;\n }\n if (BIO_write(bp, \"\\n\", 1) <= 0) {\n return 0;\n }\n }\n if (!(cflag & X509_FLAG_NO_SUBJECT)) {\n if (BIO_printf(bp, \" Subject:%c\", mlch) <= 0) {\n return 0;\n }\n if (X509_NAME_print_ex(bp, X509_get_subject_name(x), nmindent, nmflags) <\n 0) {\n return 0;\n }\n if (BIO_write(bp, \"\\n\", 1) <= 0) {\n return 0;\n }\n }\n if (!(cflag & X509_FLAG_NO_PUBKEY)) {\n if (BIO_write(bp, \" Subject Public Key Info:\\n\", 33) <= 0) {\n return 0;\n }\n if (BIO_printf(bp, \"%12sPublic Key Algorithm: \", \"\") <= 0) {\n return 0;\n }\n if (i2a_ASN1_OBJECT(bp, ci->key->algor->algorithm) <= 0) {\n return 0;\n }\n if (BIO_puts(bp, \"\\n\") <= 0) {\n return 0;\n }\n\n const EVP_PKEY *pkey = X509_get0_pubkey(x);\n if (pkey == NULL) {\n BIO_printf(bp, \"%12sUnable to load Public Key\\n\", \"\");\n ERR_print_errors(bp);\n } else {\n EVP_PKEY_print_public(bp, pkey, 16, NULL);\n }\n }\n\n if (!(cflag & X509_FLAG_NO_IDS)) {\n if (ci->issuerUID) {\n if (BIO_printf(bp, \"%8sIssuer Unique ID: \", \"\") <= 0) {\n return 0;\n }\n if (!X509_signature_dump(bp, ci->issuerUID, 12)) {\n return 0;\n }\n }\n if (ci->subjectUID) {\n if (BIO_printf(bp, \"%8sSubject Unique ID: \", \"\") <= 0) {\n return 0;\n }\n if (!X509_signature_dump(bp, ci->subjectUID, 12)) {\n return 0;\n }\n }\n }\n\n if (!(cflag & X509_FLAG_NO_EXTENSIONS)) {\n X509V3_extensions_print(bp, \"X509v3 extensions\", ci->extensions, cflag, 8);\n }\n\n if (!(cflag & X509_FLAG_NO_SIGDUMP)) {\n if (X509_signature_print(bp, x->sig_alg, x->signature) <= 0) {\n return 0;\n }\n }\n if (!(cflag & X509_FLAG_NO_AUX)) {\n if (!X509_CERT_AUX_print(bp, x->aux, 0)) {\n return 0;\n }\n }\n\n return 1;\n}\n\nint X509_signature_print(BIO *bp, const X509_ALGOR *sigalg,\n const ASN1_STRING *sig) {\n if (BIO_puts(bp, \" Signature Algorithm: \") <= 0) {\n return 0;\n }\n if (i2a_ASN1_OBJECT(bp, sigalg->algorithm) <= 0) {\n return 0;\n }\n\n // RSA-PSS signatures have parameters to print.\n int sig_nid = OBJ_obj2nid(sigalg->algorithm);\n if (sig_nid == NID_rsassaPss &&\n !x509_print_rsa_pss_params(bp, sigalg, 9, 0)) {\n return 0;\n }\n\n if (sig) {\n return X509_signature_dump(bp, sig, 9);\n } else if (BIO_puts(bp, \"\\n\") <= 0) {\n return 0;\n }\n return 1;\n}\n\nint X509_NAME_print(BIO *bp, const X509_NAME *name, int obase) {\n char *s, *c, *b;\n int ret = 0, i;\n\n b = X509_NAME_oneline(name, NULL, 0);\n if (!b) {\n return 0;\n }\n if (!*b) {\n OPENSSL_free(b);\n return 1;\n }\n s = b + 1; // skip the first slash\n\n c = s;\n for (;;) {\n if (((*s == '/') && ((s[1] >= 'A') && (s[1] <= 'Z') &&\n ((s[2] == '=') || ((s[2] >= 'A') && (s[2] <= 'Z') &&\n (s[3] == '='))))) ||\n (*s == '\\0')) {\n i = s - c;\n if (BIO_write(bp, c, i) != i) {\n goto err;\n }\n c = s + 1; // skip following slash\n if (*s != '\\0') {\n if (BIO_write(bp, \", \", 2) != 2) {\n goto err;\n }\n }\n }\n if (*s == '\\0') {\n break;\n }\n s++;\n }\n\n ret = 1;\n if (0) {\n err:\n OPENSSL_PUT_ERROR(X509, ERR_R_BUF_LIB);\n }\n OPENSSL_free(b);\n return ret;\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/x509/t_x509a.cc", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n#include \n#include \n#include \n#include \n\n#include \"internal.h\"\n\n\n// X509_CERT_AUX and string set routines\n\nint X509_CERT_AUX_print(BIO *out, X509_CERT_AUX *aux, int indent) {\n char oidstr[80], first;\n size_t i;\n int j;\n if (!aux) {\n return 1;\n }\n if (aux->trust) {\n first = 1;\n BIO_printf(out, \"%*sTrusted Uses:\\n%*s\", indent, \"\", indent + 2, \"\");\n for (i = 0; i < sk_ASN1_OBJECT_num(aux->trust); i++) {\n if (!first) {\n BIO_puts(out, \", \");\n } else {\n first = 0;\n }\n OBJ_obj2txt(oidstr, sizeof oidstr, sk_ASN1_OBJECT_value(aux->trust, i),\n 0);\n BIO_puts(out, oidstr);\n }\n BIO_puts(out, \"\\n\");\n } else {\n BIO_printf(out, \"%*sNo Trusted Uses.\\n\", indent, \"\");\n }\n if (aux->reject) {\n first = 1;\n BIO_printf(out, \"%*sRejected Uses:\\n%*s\", indent, \"\", indent + 2, \"\");\n for (i = 0; i < sk_ASN1_OBJECT_num(aux->reject); i++) {\n if (!first) {\n BIO_puts(out, \", \");\n } else {\n first = 0;\n }\n OBJ_obj2txt(oidstr, sizeof oidstr, sk_ASN1_OBJECT_value(aux->reject, i),\n 0);\n BIO_puts(out, oidstr);\n }\n BIO_puts(out, \"\\n\");\n } else {\n BIO_printf(out, \"%*sNo Rejected Uses.\\n\", indent, \"\");\n }\n if (aux->alias) {\n BIO_printf(out, \"%*sAlias: %.*s\\n\", indent, \"\", aux->alias->length,\n aux->alias->data);\n }\n if (aux->keyid) {\n BIO_printf(out, \"%*sKey Id: \", indent, \"\");\n for (j = 0; j < aux->keyid->length; j++) {\n BIO_printf(out, \"%s%02X\", j ? \":\" : \"\", aux->keyid->data[j]);\n }\n BIO_write(out, \"\\n\", 1);\n }\n return 1;\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/x509/v3_akey.cc", "content": "/*\n * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n#include \n\n#include \n#include \n#include \n#include \n#include \n#include \n#include \n\n#include \"ext_dat.h\"\n#include \"internal.h\"\n\n\nstatic STACK_OF(CONF_VALUE) *i2v_AUTHORITY_KEYID(\n const X509V3_EXT_METHOD *method, void *ext, STACK_OF(CONF_VALUE) *extlist);\nstatic void *v2i_AUTHORITY_KEYID(const X509V3_EXT_METHOD *method,\n const X509V3_CTX *ctx,\n const STACK_OF(CONF_VALUE) *values);\n\nconst X509V3_EXT_METHOD v3_akey_id = {\n NID_authority_key_identifier,\n X509V3_EXT_MULTILINE,\n ASN1_ITEM_ref(AUTHORITY_KEYID),\n 0,\n 0,\n 0,\n 0,\n 0,\n 0,\n i2v_AUTHORITY_KEYID,\n v2i_AUTHORITY_KEYID,\n 0,\n 0,\n NULL,\n};\n\nstatic STACK_OF(CONF_VALUE) *i2v_AUTHORITY_KEYID(\n const X509V3_EXT_METHOD *method, void *ext, STACK_OF(CONF_VALUE) *extlist) {\n const AUTHORITY_KEYID *akeyid =\n reinterpret_cast(ext);\n int extlist_was_null = extlist == NULL;\n if (akeyid->keyid) {\n char *tmp = x509v3_bytes_to_hex(akeyid->keyid->data, akeyid->keyid->length);\n int ok = tmp != NULL && X509V3_add_value(\"keyid\", tmp, &extlist);\n OPENSSL_free(tmp);\n if (!ok) {\n goto err;\n }\n }\n if (akeyid->issuer) {\n STACK_OF(CONF_VALUE) *tmpextlist =\n i2v_GENERAL_NAMES(NULL, akeyid->issuer, extlist);\n if (tmpextlist == NULL) {\n goto err;\n }\n extlist = tmpextlist;\n }\n if (akeyid->serial) {\n if (!X509V3_add_value_int(\"serial\", akeyid->serial, &extlist)) {\n goto err;\n }\n }\n return extlist;\n\nerr:\n if (extlist_was_null) {\n sk_CONF_VALUE_pop_free(extlist, X509V3_conf_free);\n }\n return NULL;\n}\n\n// Currently two options: keyid: use the issuers subject keyid, the value\n// 'always' means its is an error if the issuer certificate doesn't have a\n// key id. issuer: use the issuers cert issuer and serial number. The default\n// is to only use this if keyid is not present. With the option 'always' this\n// is always included.\n\nstatic void *v2i_AUTHORITY_KEYID(const X509V3_EXT_METHOD *method,\n const X509V3_CTX *ctx,\n const STACK_OF(CONF_VALUE) *values) {\n char keyid = 0, issuer = 0;\n int j;\n ASN1_OCTET_STRING *ikeyid = NULL;\n X509_NAME *isname = NULL;\n GENERAL_NAMES *gens = NULL;\n GENERAL_NAME *gen = NULL;\n ASN1_INTEGER *serial = NULL;\n const X509 *cert;\n AUTHORITY_KEYID *akeyid;\n\n for (size_t i = 0; i < sk_CONF_VALUE_num(values); i++) {\n const CONF_VALUE *cnf = sk_CONF_VALUE_value(values, i);\n if (!strcmp(cnf->name, \"keyid\")) {\n keyid = 1;\n if (cnf->value && !strcmp(cnf->value, \"always\")) {\n keyid = 2;\n }\n } else if (!strcmp(cnf->name, \"issuer\")) {\n issuer = 1;\n if (cnf->value && !strcmp(cnf->value, \"always\")) {\n issuer = 2;\n }\n } else {\n OPENSSL_PUT_ERROR(X509V3, X509V3_R_UNKNOWN_OPTION);\n ERR_add_error_data(2, \"name=\", cnf->name);\n return NULL;\n }\n }\n\n if (!ctx || !ctx->issuer_cert) {\n if (ctx && (ctx->flags == X509V3_CTX_TEST)) {\n return AUTHORITY_KEYID_new();\n }\n OPENSSL_PUT_ERROR(X509V3, X509V3_R_NO_ISSUER_CERTIFICATE);\n return NULL;\n }\n\n cert = ctx->issuer_cert;\n\n if (keyid) {\n j = X509_get_ext_by_NID(cert, NID_subject_key_identifier, -1);\n const X509_EXTENSION *ext;\n if ((j >= 0) && (ext = X509_get_ext(cert, j))) {\n ikeyid = reinterpret_cast(X509V3_EXT_d2i(ext));\n }\n if (keyid == 2 && !ikeyid) {\n OPENSSL_PUT_ERROR(X509V3, X509V3_R_UNABLE_TO_GET_ISSUER_KEYID);\n return NULL;\n }\n }\n\n if ((issuer && !ikeyid) || (issuer == 2)) {\n isname = X509_NAME_dup(X509_get_issuer_name(cert));\n serial = ASN1_INTEGER_dup(X509_get0_serialNumber(cert));\n if (!isname || !serial) {\n OPENSSL_PUT_ERROR(X509V3, X509V3_R_UNABLE_TO_GET_ISSUER_DETAILS);\n goto err;\n }\n }\n\n if (!(akeyid = AUTHORITY_KEYID_new())) {\n goto err;\n }\n\n if (isname) {\n if (!(gens = sk_GENERAL_NAME_new_null()) || !(gen = GENERAL_NAME_new()) ||\n !sk_GENERAL_NAME_push(gens, gen)) {\n goto err;\n }\n gen->type = GEN_DIRNAME;\n gen->d.dirn = isname;\n }\n\n akeyid->issuer = gens;\n akeyid->serial = serial;\n akeyid->keyid = ikeyid;\n\n return akeyid;\n\nerr:\n X509_NAME_free(isname);\n ASN1_INTEGER_free(serial);\n ASN1_OCTET_STRING_free(ikeyid);\n return NULL;\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/x509/v3_akeya.cc", "content": "/*\n * Copyright 2001-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n#include \n#include \n#include \n\n#include \"internal.h\"\n\n\nASN1_SEQUENCE(AUTHORITY_KEYID) = {\n ASN1_IMP_OPT(AUTHORITY_KEYID, keyid, ASN1_OCTET_STRING, 0),\n ASN1_IMP_SEQUENCE_OF_OPT(AUTHORITY_KEYID, issuer, GENERAL_NAME, 1),\n ASN1_IMP_OPT(AUTHORITY_KEYID, serial, ASN1_INTEGER, 2),\n} ASN1_SEQUENCE_END(AUTHORITY_KEYID)\n\nIMPLEMENT_ASN1_FUNCTIONS(AUTHORITY_KEYID)\n" }, { "path": "Sources/CNIOBoringSSL/crypto/x509/v3_alt.cc", "content": "/*\n * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n#include \n\n#include \n#include \n#include \n#include \n#include \n\n#include \"ext_dat.h\"\n#include \"internal.h\"\n\n\nstatic void *v2i_subject_alt(const X509V3_EXT_METHOD *method,\n const X509V3_CTX *ctx,\n const STACK_OF(CONF_VALUE) *nval);\nstatic void *v2i_issuer_alt(const X509V3_EXT_METHOD *method,\n const X509V3_CTX *ctx,\n const STACK_OF(CONF_VALUE) *nval);\nstatic int copy_email(const X509V3_CTX *ctx, GENERAL_NAMES *gens, int move_p);\nstatic int copy_issuer(const X509V3_CTX *ctx, GENERAL_NAMES *gens);\nstatic int do_othername(GENERAL_NAME *gen, const char *value,\n const X509V3_CTX *ctx);\nstatic int do_dirname(GENERAL_NAME *gen, const char *value,\n const X509V3_CTX *ctx);\n\nstatic STACK_OF(CONF_VALUE) *i2v_GENERAL_NAMES_cb(\n const X509V3_EXT_METHOD *method, void *ext, STACK_OF(CONF_VALUE) *ret) {\n return i2v_GENERAL_NAMES(method, reinterpret_cast(ext), ret);\n}\n\nconst X509V3_EXT_METHOD v3_alt[] = {\n {NID_subject_alt_name, 0, ASN1_ITEM_ref(GENERAL_NAMES), 0, 0, 0, 0, 0, 0,\n i2v_GENERAL_NAMES_cb, v2i_subject_alt, NULL, NULL, NULL},\n\n {NID_issuer_alt_name, 0, ASN1_ITEM_ref(GENERAL_NAMES), 0, 0, 0, 0, 0, 0,\n i2v_GENERAL_NAMES_cb, v2i_issuer_alt, NULL, NULL, NULL},\n\n {NID_certificate_issuer, 0, ASN1_ITEM_ref(GENERAL_NAMES), 0, 0, 0, 0, 0, 0,\n i2v_GENERAL_NAMES_cb, NULL, NULL, NULL, NULL},\n};\n\nSTACK_OF(CONF_VALUE) *i2v_GENERAL_NAMES(const X509V3_EXT_METHOD *method,\n const GENERAL_NAMES *gens,\n STACK_OF(CONF_VALUE) *ret) {\n int ret_was_null = ret == NULL;\n for (size_t i = 0; i < sk_GENERAL_NAME_num(gens); i++) {\n const GENERAL_NAME *gen = sk_GENERAL_NAME_value(gens, i);\n STACK_OF(CONF_VALUE) *tmp = i2v_GENERAL_NAME(method, gen, ret);\n if (tmp == NULL) {\n if (ret_was_null) {\n sk_CONF_VALUE_pop_free(ret, X509V3_conf_free);\n }\n return NULL;\n }\n ret = tmp;\n }\n if (!ret) {\n return sk_CONF_VALUE_new_null();\n }\n return ret;\n}\n\nSTACK_OF(CONF_VALUE) *i2v_GENERAL_NAME(const X509V3_EXT_METHOD *method,\n const GENERAL_NAME *gen,\n STACK_OF(CONF_VALUE) *ret) {\n // Note the error-handling for this function relies on there being at most\n // one |X509V3_add_value| call. If there were two and the second failed, we\n // would need to sometimes free the first call's result.\n unsigned char *p;\n char oline[256], htmp[5];\n int i;\n switch (gen->type) {\n case GEN_OTHERNAME:\n if (!X509V3_add_value(\"othername\", \"\", &ret)) {\n return NULL;\n }\n break;\n\n case GEN_X400:\n if (!X509V3_add_value(\"X400Name\", \"\", &ret)) {\n return NULL;\n }\n break;\n\n case GEN_EDIPARTY:\n if (!X509V3_add_value(\"EdiPartyName\", \"\", &ret)) {\n return NULL;\n }\n break;\n\n case GEN_EMAIL:\n if (!x509V3_add_value_asn1_string(\"email\", gen->d.ia5, &ret)) {\n return NULL;\n }\n break;\n\n case GEN_DNS:\n if (!x509V3_add_value_asn1_string(\"DNS\", gen->d.ia5, &ret)) {\n return NULL;\n }\n break;\n\n case GEN_URI:\n if (!x509V3_add_value_asn1_string(\"URI\", gen->d.ia5, &ret)) {\n return NULL;\n }\n break;\n\n case GEN_DIRNAME:\n if (X509_NAME_oneline(gen->d.dirn, oline, 256) == NULL ||\n !X509V3_add_value(\"DirName\", oline, &ret)) {\n return NULL;\n }\n break;\n\n case GEN_IPADD:\n p = gen->d.ip->data;\n if (gen->d.ip->length == 4) {\n snprintf(oline, sizeof(oline), \"%d.%d.%d.%d\", p[0], p[1], p[2], p[3]);\n } else if (gen->d.ip->length == 16) {\n oline[0] = 0;\n for (i = 0; i < 8; i++) {\n uint16_t v = ((uint16_t)p[0] << 8) | p[1];\n snprintf(htmp, sizeof(htmp), \"%X\", v);\n p += 2;\n OPENSSL_strlcat(oline, htmp, sizeof(oline));\n if (i != 7) {\n OPENSSL_strlcat(oline, \":\", sizeof(oline));\n }\n }\n } else {\n if (!X509V3_add_value(\"IP Address\", \"\", &ret)) {\n return NULL;\n }\n break;\n }\n if (!X509V3_add_value(\"IP Address\", oline, &ret)) {\n return NULL;\n }\n break;\n\n case GEN_RID:\n i2t_ASN1_OBJECT(oline, 256, gen->d.rid);\n if (!X509V3_add_value(\"Registered ID\", oline, &ret)) {\n return NULL;\n }\n break;\n }\n return ret;\n}\n\nint GENERAL_NAME_print(BIO *out, const GENERAL_NAME *gen) {\n switch (gen->type) {\n case GEN_OTHERNAME:\n BIO_printf(out, \"othername:\");\n break;\n\n case GEN_X400:\n BIO_printf(out, \"X400Name:\");\n break;\n\n case GEN_EDIPARTY:\n // Maybe fix this: it is supported now\n BIO_printf(out, \"EdiPartyName:\");\n break;\n\n case GEN_EMAIL:\n BIO_printf(out, \"email:\");\n ASN1_STRING_print(out, gen->d.ia5);\n break;\n\n case GEN_DNS:\n BIO_printf(out, \"DNS:\");\n ASN1_STRING_print(out, gen->d.ia5);\n break;\n\n case GEN_URI:\n BIO_printf(out, \"URI:\");\n ASN1_STRING_print(out, gen->d.ia5);\n break;\n\n case GEN_DIRNAME:\n BIO_printf(out, \"DirName: \");\n X509_NAME_print_ex(out, gen->d.dirn, 0, XN_FLAG_ONELINE);\n break;\n\n case GEN_IPADD: {\n const unsigned char *p = gen->d.ip->data;\n if (gen->d.ip->length == 4) {\n BIO_printf(out, \"IP Address:%d.%d.%d.%d\", p[0], p[1], p[2], p[3]);\n } else if (gen->d.ip->length == 16) {\n BIO_printf(out, \"IP Address\");\n for (int i = 0; i < 8; i++) {\n uint16_t v = ((uint16_t)p[0] << 8) | p[1];\n BIO_printf(out, \":%X\", v);\n p += 2;\n }\n BIO_puts(out, \"\\n\");\n } else {\n BIO_printf(out, \"IP Address:\");\n break;\n }\n break;\n }\n\n case GEN_RID:\n BIO_printf(out, \"Registered ID\");\n i2a_ASN1_OBJECT(out, gen->d.rid);\n break;\n }\n return 1;\n}\n\nstatic void *v2i_issuer_alt(const X509V3_EXT_METHOD *method,\n const X509V3_CTX *ctx,\n const STACK_OF(CONF_VALUE) *nval) {\n GENERAL_NAMES *gens = sk_GENERAL_NAME_new_null();\n if (gens == NULL) {\n return NULL;\n }\n for (size_t i = 0; i < sk_CONF_VALUE_num(nval); i++) {\n const CONF_VALUE *cnf = sk_CONF_VALUE_value(nval, i);\n if (x509v3_conf_name_matches(cnf->name, \"issuer\") && cnf->value &&\n !strcmp(cnf->value, \"copy\")) {\n if (!copy_issuer(ctx, gens)) {\n goto err;\n }\n } else {\n GENERAL_NAME *gen = v2i_GENERAL_NAME(method, ctx, cnf);\n if (gen == NULL || !sk_GENERAL_NAME_push(gens, gen)) {\n GENERAL_NAME_free(gen);\n goto err;\n }\n }\n }\n return gens;\nerr:\n sk_GENERAL_NAME_pop_free(gens, GENERAL_NAME_free);\n return NULL;\n}\n\n// Append subject altname of issuer to issuer alt name of subject\n\nstatic int copy_issuer(const X509V3_CTX *ctx, GENERAL_NAMES *gens) {\n if (ctx && (ctx->flags == X509V3_CTX_TEST)) {\n return 1;\n }\n if (!ctx || !ctx->issuer_cert) {\n OPENSSL_PUT_ERROR(X509V3, X509V3_R_NO_ISSUER_DETAILS);\n return 0;\n }\n int i = X509_get_ext_by_NID(ctx->issuer_cert, NID_subject_alt_name, -1);\n if (i < 0) {\n return 1;\n }\n\n int ret = 0;\n GENERAL_NAMES *ialt = NULL;\n X509_EXTENSION *ext;\n if (!(ext = X509_get_ext(ctx->issuer_cert, i)) ||\n !(ialt = reinterpret_cast(X509V3_EXT_d2i(ext)))) {\n OPENSSL_PUT_ERROR(X509V3, X509V3_R_ISSUER_DECODE_ERROR);\n goto err;\n }\n\n for (size_t j = 0; j < sk_GENERAL_NAME_num(ialt); j++) {\n GENERAL_NAME *gen = sk_GENERAL_NAME_value(ialt, j);\n if (!sk_GENERAL_NAME_push(gens, gen)) {\n goto err;\n }\n // Ownership of |gen| has moved from |ialt| to |gens|.\n sk_GENERAL_NAME_set(ialt, j, NULL);\n }\n\n ret = 1;\n\nerr:\n GENERAL_NAMES_free(ialt);\n return ret;\n}\n\nstatic void *v2i_subject_alt(const X509V3_EXT_METHOD *method,\n const X509V3_CTX *ctx,\n const STACK_OF(CONF_VALUE) *nval) {\n GENERAL_NAMES *gens = sk_GENERAL_NAME_new_null();\n if (gens == NULL) {\n return NULL;\n }\n for (size_t i = 0; i < sk_CONF_VALUE_num(nval); i++) {\n const CONF_VALUE *cnf = sk_CONF_VALUE_value(nval, i);\n if (x509v3_conf_name_matches(cnf->name, \"email\") && cnf->value &&\n !strcmp(cnf->value, \"copy\")) {\n if (!copy_email(ctx, gens, 0)) {\n goto err;\n }\n } else if (x509v3_conf_name_matches(cnf->name, \"email\") && cnf->value &&\n !strcmp(cnf->value, \"move\")) {\n if (!copy_email(ctx, gens, 1)) {\n goto err;\n }\n } else {\n GENERAL_NAME *gen = v2i_GENERAL_NAME(method, ctx, cnf);\n if (gen == NULL || !sk_GENERAL_NAME_push(gens, gen)) {\n GENERAL_NAME_free(gen);\n goto err;\n }\n }\n }\n return gens;\nerr:\n sk_GENERAL_NAME_pop_free(gens, GENERAL_NAME_free);\n return NULL;\n}\n\n// Copy any email addresses in a certificate or request to GENERAL_NAMES\n\nstatic int copy_email(const X509V3_CTX *ctx, GENERAL_NAMES *gens, int move_p) {\n X509_NAME *nm;\n ASN1_IA5STRING *email = NULL;\n X509_NAME_ENTRY *ne;\n GENERAL_NAME *gen = NULL;\n int i;\n if (ctx != NULL && ctx->flags == X509V3_CTX_TEST) {\n return 1;\n }\n if (!ctx || (!ctx->subject_cert && !ctx->subject_req)) {\n OPENSSL_PUT_ERROR(X509V3, X509V3_R_NO_SUBJECT_DETAILS);\n goto err;\n }\n // Find the subject name\n if (ctx->subject_cert) {\n nm = X509_get_subject_name(ctx->subject_cert);\n } else {\n nm = X509_REQ_get_subject_name(ctx->subject_req);\n }\n\n // Now add any email address(es) to STACK\n i = -1;\n while ((i = X509_NAME_get_index_by_NID(nm, NID_pkcs9_emailAddress, i)) >= 0) {\n ne = X509_NAME_get_entry(nm, i);\n email = ASN1_STRING_dup(X509_NAME_ENTRY_get_data(ne));\n if (move_p) {\n X509_NAME_delete_entry(nm, i);\n X509_NAME_ENTRY_free(ne);\n i--;\n }\n if (!email || !(gen = GENERAL_NAME_new())) {\n goto err;\n }\n gen->d.ia5 = email;\n email = NULL;\n gen->type = GEN_EMAIL;\n if (!sk_GENERAL_NAME_push(gens, gen)) {\n goto err;\n }\n gen = NULL;\n }\n\n return 1;\n\nerr:\n GENERAL_NAME_free(gen);\n ASN1_IA5STRING_free(email);\n return 0;\n}\n\nGENERAL_NAMES *v2i_GENERAL_NAMES(const X509V3_EXT_METHOD *method,\n const X509V3_CTX *ctx,\n const STACK_OF(CONF_VALUE) *nval) {\n GENERAL_NAMES *gens = sk_GENERAL_NAME_new_null();\n if (gens == NULL) {\n return NULL;\n }\n for (size_t i = 0; i < sk_CONF_VALUE_num(nval); i++) {\n const CONF_VALUE *cnf = sk_CONF_VALUE_value(nval, i);\n GENERAL_NAME *gen = v2i_GENERAL_NAME(method, ctx, cnf);\n if (gen == NULL || !sk_GENERAL_NAME_push(gens, gen)) {\n GENERAL_NAME_free(gen);\n goto err;\n }\n }\n return gens;\nerr:\n sk_GENERAL_NAME_pop_free(gens, GENERAL_NAME_free);\n return NULL;\n}\n\nGENERAL_NAME *v2i_GENERAL_NAME(const X509V3_EXT_METHOD *method,\n const X509V3_CTX *ctx, const CONF_VALUE *cnf) {\n return v2i_GENERAL_NAME_ex(NULL, method, ctx, cnf, 0);\n}\n\nstatic GENERAL_NAME *a2i_GENERAL_NAME(GENERAL_NAME *out,\n const X509V3_EXT_METHOD *method,\n const X509V3_CTX *ctx, int gen_type,\n const char *value, int is_nc) {\n if (!value) {\n OPENSSL_PUT_ERROR(X509V3, X509V3_R_MISSING_VALUE);\n return NULL;\n }\n\n GENERAL_NAME *gen = NULL;\n if (out) {\n gen = out;\n } else {\n gen = GENERAL_NAME_new();\n if (gen == NULL) {\n return NULL;\n }\n }\n\n switch (gen_type) {\n case GEN_URI:\n case GEN_EMAIL:\n case GEN_DNS: {\n ASN1_IA5STRING *str = ASN1_IA5STRING_new();\n if (str == NULL || !ASN1_STRING_set(str, value, strlen(value))) {\n ASN1_STRING_free(str);\n goto err;\n }\n gen->type = gen_type;\n gen->d.ia5 = str;\n break;\n }\n\n case GEN_RID: {\n ASN1_OBJECT *obj;\n if (!(obj = OBJ_txt2obj(value, 0))) {\n OPENSSL_PUT_ERROR(X509V3, X509V3_R_BAD_OBJECT);\n ERR_add_error_data(2, \"value=\", value);\n goto err;\n }\n gen->type = GEN_RID;\n gen->d.rid = obj;\n break;\n }\n\n case GEN_IPADD:\n gen->type = GEN_IPADD;\n if (is_nc) {\n gen->d.ip = a2i_IPADDRESS_NC(value);\n } else {\n gen->d.ip = a2i_IPADDRESS(value);\n }\n if (gen->d.ip == NULL) {\n OPENSSL_PUT_ERROR(X509V3, X509V3_R_BAD_IP_ADDRESS);\n ERR_add_error_data(2, \"value=\", value);\n goto err;\n }\n break;\n\n case GEN_DIRNAME:\n if (!do_dirname(gen, value, ctx)) {\n OPENSSL_PUT_ERROR(X509V3, X509V3_R_DIRNAME_ERROR);\n goto err;\n }\n break;\n\n case GEN_OTHERNAME:\n if (!do_othername(gen, value, ctx)) {\n OPENSSL_PUT_ERROR(X509V3, X509V3_R_OTHERNAME_ERROR);\n goto err;\n }\n break;\n default:\n OPENSSL_PUT_ERROR(X509V3, X509V3_R_UNSUPPORTED_TYPE);\n goto err;\n }\n\n return gen;\n\nerr:\n if (!out) {\n GENERAL_NAME_free(gen);\n }\n return NULL;\n}\n\nGENERAL_NAME *v2i_GENERAL_NAME_ex(GENERAL_NAME *out,\n const X509V3_EXT_METHOD *method,\n const X509V3_CTX *ctx, const CONF_VALUE *cnf,\n int is_nc) {\n const char *name = cnf->name;\n const char *value = cnf->value;\n if (!value) {\n OPENSSL_PUT_ERROR(X509V3, X509V3_R_MISSING_VALUE);\n return NULL;\n }\n\n int type;\n if (x509v3_conf_name_matches(name, \"email\")) {\n type = GEN_EMAIL;\n } else if (x509v3_conf_name_matches(name, \"URI\")) {\n type = GEN_URI;\n } else if (x509v3_conf_name_matches(name, \"DNS\")) {\n type = GEN_DNS;\n } else if (x509v3_conf_name_matches(name, \"RID\")) {\n type = GEN_RID;\n } else if (x509v3_conf_name_matches(name, \"IP\")) {\n type = GEN_IPADD;\n } else if (x509v3_conf_name_matches(name, \"dirName\")) {\n type = GEN_DIRNAME;\n } else if (x509v3_conf_name_matches(name, \"otherName\")) {\n type = GEN_OTHERNAME;\n } else {\n OPENSSL_PUT_ERROR(X509V3, X509V3_R_UNSUPPORTED_OPTION);\n ERR_add_error_data(2, \"name=\", name);\n return NULL;\n }\n\n return a2i_GENERAL_NAME(out, method, ctx, type, value, is_nc);\n}\n\nstatic int do_othername(GENERAL_NAME *gen, const char *value,\n const X509V3_CTX *ctx) {\n const char *semicolon = strchr(value, ';');\n if (semicolon == NULL) {\n return 0;\n }\n\n OTHERNAME *name = OTHERNAME_new();\n if (name == NULL) {\n return 0;\n }\n\n char *objtmp = OPENSSL_strndup(value, semicolon - value);\n if (objtmp == NULL) {\n goto err;\n }\n ASN1_OBJECT_free(name->type_id);\n name->type_id = OBJ_txt2obj(objtmp, /*dont_search_names=*/0);\n OPENSSL_free(objtmp);\n if (name->type_id == NULL) {\n goto err;\n }\n\n ASN1_TYPE_free(name->value);\n name->value = ASN1_generate_v3(semicolon + 1, ctx);\n if (name->value == NULL) {\n goto err;\n }\n\n gen->type = GEN_OTHERNAME;\n gen->d.otherName = name;\n return 1;\n\nerr:\n OTHERNAME_free(name);\n return 0;\n}\n\nstatic int do_dirname(GENERAL_NAME *gen, const char *value,\n const X509V3_CTX *ctx) {\n int ret = 0;\n const STACK_OF(CONF_VALUE) *sk = X509V3_get_section(ctx, value);\n X509_NAME *nm = X509_NAME_new();\n if (nm == NULL) {\n goto err;\n }\n if (sk == NULL) {\n OPENSSL_PUT_ERROR(X509V3, X509V3_R_SECTION_NOT_FOUND);\n ERR_add_error_data(2, \"section=\", value);\n goto err;\n }\n // FIXME: should allow other character types...\n if (!X509V3_NAME_from_section(nm, sk, MBSTRING_ASC)) {\n goto err;\n }\n gen->type = GEN_DIRNAME;\n gen->d.dirn = nm;\n ret = 1;\n\nerr:\n if (!ret) {\n X509_NAME_free(nm);\n }\n return ret;\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/x509/v3_bcons.cc", "content": "/*\n * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n#include \n\n#include \n#include \n#include \n#include \n#include \n#include \n\n#include \"ext_dat.h\"\n#include \"internal.h\"\n\n\nstatic STACK_OF(CONF_VALUE) *i2v_BASIC_CONSTRAINTS(\n const X509V3_EXT_METHOD *method, void *ext, STACK_OF(CONF_VALUE) *extlist);\nstatic void *v2i_BASIC_CONSTRAINTS(const X509V3_EXT_METHOD *method,\n const X509V3_CTX *ctx,\n const STACK_OF(CONF_VALUE) *values);\n\nconst X509V3_EXT_METHOD v3_bcons = {\n NID_basic_constraints,\n 0,\n ASN1_ITEM_ref(BASIC_CONSTRAINTS),\n 0,\n 0,\n 0,\n 0,\n 0,\n 0,\n i2v_BASIC_CONSTRAINTS,\n v2i_BASIC_CONSTRAINTS,\n NULL,\n NULL,\n NULL,\n};\n\nASN1_SEQUENCE(BASIC_CONSTRAINTS) = {\n ASN1_OPT(BASIC_CONSTRAINTS, ca, ASN1_FBOOLEAN),\n ASN1_OPT(BASIC_CONSTRAINTS, pathlen, ASN1_INTEGER),\n} ASN1_SEQUENCE_END(BASIC_CONSTRAINTS)\n\nIMPLEMENT_ASN1_FUNCTIONS_const(BASIC_CONSTRAINTS)\n\nstatic STACK_OF(CONF_VALUE) *i2v_BASIC_CONSTRAINTS(\n const X509V3_EXT_METHOD *method, void *ext, STACK_OF(CONF_VALUE) *extlist) {\n const BASIC_CONSTRAINTS *bcons =\n reinterpret_cast(ext);\n X509V3_add_value_bool(\"CA\", bcons->ca, &extlist);\n X509V3_add_value_int(\"pathlen\", bcons->pathlen, &extlist);\n return extlist;\n}\n\nstatic void *v2i_BASIC_CONSTRAINTS(const X509V3_EXT_METHOD *method,\n const X509V3_CTX *ctx,\n const STACK_OF(CONF_VALUE) *values) {\n BASIC_CONSTRAINTS *bcons = NULL;\n if (!(bcons = BASIC_CONSTRAINTS_new())) {\n return NULL;\n }\n for (size_t i = 0; i < sk_CONF_VALUE_num(values); i++) {\n const CONF_VALUE *val = sk_CONF_VALUE_value(values, i);\n if (!strcmp(val->name, \"CA\")) {\n if (!X509V3_get_value_bool(val, &bcons->ca)) {\n goto err;\n }\n } else if (!strcmp(val->name, \"pathlen\")) {\n if (!X509V3_get_value_int(val, &bcons->pathlen)) {\n goto err;\n }\n } else {\n OPENSSL_PUT_ERROR(X509V3, X509V3_R_INVALID_NAME);\n X509V3_conf_err(val);\n goto err;\n }\n }\n return bcons;\nerr:\n BASIC_CONSTRAINTS_free(bcons);\n return NULL;\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/x509/v3_bitst.cc", "content": "/*\n * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n#include \n\n#include \n#include \n#include \n#include \n\n#include \"ext_dat.h\"\n#include \"internal.h\"\n\n\nstatic const BIT_STRING_BITNAME ns_cert_type_table[] = {\n {0, \"SSL Client\", \"client\"},\n {1, \"SSL Server\", \"server\"},\n {2, \"S/MIME\", \"email\"},\n {3, \"Object Signing\", \"objsign\"},\n {4, \"Unused\", \"reserved\"},\n {5, \"SSL CA\", \"sslCA\"},\n {6, \"S/MIME CA\", \"emailCA\"},\n {7, \"Object Signing CA\", \"objCA\"},\n {-1, NULL, NULL}};\n\nstatic const BIT_STRING_BITNAME key_usage_type_table[] = {\n {0, \"Digital Signature\", \"digitalSignature\"},\n {1, \"Non Repudiation\", \"nonRepudiation\"},\n {2, \"Key Encipherment\", \"keyEncipherment\"},\n {3, \"Data Encipherment\", \"dataEncipherment\"},\n {4, \"Key Agreement\", \"keyAgreement\"},\n {5, \"Certificate Sign\", \"keyCertSign\"},\n {6, \"CRL Sign\", \"cRLSign\"},\n {7, \"Encipher Only\", \"encipherOnly\"},\n {8, \"Decipher Only\", \"decipherOnly\"},\n {-1, NULL, NULL}};\n\nstatic STACK_OF(CONF_VALUE) *i2v_ASN1_BIT_STRING(\n const X509V3_EXT_METHOD *method, void *ext, STACK_OF(CONF_VALUE) *ret) {\n const ASN1_BIT_STRING *bits = reinterpret_cast(ext);\n const BIT_STRING_BITNAME *bnam;\n for (bnam = reinterpret_cast(method->usr_data);\n bnam->lname; bnam++) {\n if (ASN1_BIT_STRING_get_bit(bits, bnam->bitnum)) {\n X509V3_add_value(bnam->lname, NULL, &ret);\n }\n }\n return ret;\n}\n\nstatic void *v2i_ASN1_BIT_STRING(const X509V3_EXT_METHOD *method,\n const X509V3_CTX *ctx,\n const STACK_OF(CONF_VALUE) *nval) {\n ASN1_BIT_STRING *bs;\n if (!(bs = ASN1_BIT_STRING_new())) {\n return NULL;\n }\n for (size_t i = 0; i < sk_CONF_VALUE_num(nval); i++) {\n const CONF_VALUE *val = sk_CONF_VALUE_value(nval, i);\n const BIT_STRING_BITNAME *bnam;\n for (bnam = reinterpret_cast(method->usr_data);\n bnam->lname; bnam++) {\n if (!strcmp(bnam->sname, val->name) || !strcmp(bnam->lname, val->name)) {\n if (!ASN1_BIT_STRING_set_bit(bs, bnam->bitnum, 1)) {\n ASN1_BIT_STRING_free(bs);\n return NULL;\n }\n break;\n }\n }\n if (!bnam->lname) {\n OPENSSL_PUT_ERROR(X509V3, X509V3_R_UNKNOWN_BIT_STRING_ARGUMENT);\n X509V3_conf_err(val);\n ASN1_BIT_STRING_free(bs);\n return NULL;\n }\n }\n return bs;\n}\n\n#define EXT_BITSTRING(nid, table) \\\n { \\\n nid, 0, ASN1_ITEM_ref(ASN1_BIT_STRING), 0, 0, 0, 0, 0, 0, \\\n i2v_ASN1_BIT_STRING, v2i_ASN1_BIT_STRING, NULL, NULL, (void *)(table) \\\n }\n\nconst X509V3_EXT_METHOD v3_nscert =\n EXT_BITSTRING(NID_netscape_cert_type, ns_cert_type_table);\nconst X509V3_EXT_METHOD v3_key_usage =\n EXT_BITSTRING(NID_key_usage, key_usage_type_table);\n" }, { "path": "Sources/CNIOBoringSSL/crypto/x509/v3_conf.cc", "content": "/*\n * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n// extension creation utilities\n\n#include \n#include \n#include \n#include \n\n#include \n#include \n#include \n#include \n#include \n\n#include \"../internal.h\"\n#include \"internal.h\"\n\nstatic int v3_check_critical(const char **value);\nstatic int v3_check_generic(const char **value);\nstatic X509_EXTENSION *do_ext_nconf(const CONF *conf, const X509V3_CTX *ctx,\n int ext_nid, int crit, const char *value);\nstatic X509_EXTENSION *v3_generic_extension(const char *ext, const char *value,\n int crit, int type,\n const X509V3_CTX *ctx);\nstatic X509_EXTENSION *do_ext_i2d(const X509V3_EXT_METHOD *method, int ext_nid,\n int crit, void *ext_struc);\nstatic unsigned char *generic_asn1(const char *value, const X509V3_CTX *ctx,\n size_t *ext_len);\n\nX509_EXTENSION *X509V3_EXT_nconf(const CONF *conf, const X509V3_CTX *ctx,\n const char *name, const char *value) {\n // If omitted, fill in an empty |X509V3_CTX|.\n X509V3_CTX ctx_tmp;\n if (ctx == NULL) {\n X509V3_set_ctx(&ctx_tmp, NULL, NULL, NULL, NULL, 0);\n X509V3_set_nconf(&ctx_tmp, conf);\n ctx = &ctx_tmp;\n }\n\n int crit = v3_check_critical(&value);\n int ext_type = v3_check_generic(&value);\n if (ext_type != 0) {\n return v3_generic_extension(name, value, crit, ext_type, ctx);\n }\n X509_EXTENSION *ret = do_ext_nconf(conf, ctx, OBJ_sn2nid(name), crit, value);\n if (!ret) {\n OPENSSL_PUT_ERROR(X509V3, X509V3_R_ERROR_IN_EXTENSION);\n ERR_add_error_data(4, \"name=\", name, \", value=\", value);\n }\n return ret;\n}\n\nX509_EXTENSION *X509V3_EXT_nconf_nid(const CONF *conf, const X509V3_CTX *ctx,\n int ext_nid, const char *value) {\n // If omitted, fill in an empty |X509V3_CTX|.\n X509V3_CTX ctx_tmp;\n if (ctx == NULL) {\n X509V3_set_ctx(&ctx_tmp, NULL, NULL, NULL, NULL, 0);\n X509V3_set_nconf(&ctx_tmp, conf);\n ctx = &ctx_tmp;\n }\n\n int crit = v3_check_critical(&value);\n int ext_type = v3_check_generic(&value);\n if (ext_type != 0) {\n return v3_generic_extension(OBJ_nid2sn(ext_nid), value, crit, ext_type,\n ctx);\n }\n return do_ext_nconf(conf, ctx, ext_nid, crit, value);\n}\n\n// CONF *conf: Config file\n// char *value: Value\nstatic X509_EXTENSION *do_ext_nconf(const CONF *conf, const X509V3_CTX *ctx,\n int ext_nid, int crit, const char *value) {\n const X509V3_EXT_METHOD *method;\n X509_EXTENSION *ext;\n const STACK_OF(CONF_VALUE) *nval;\n STACK_OF(CONF_VALUE) *nval_owned = NULL;\n void *ext_struc;\n if (ext_nid == NID_undef) {\n OPENSSL_PUT_ERROR(X509V3, X509V3_R_UNKNOWN_EXTENSION_NAME);\n return NULL;\n }\n if (!(method = X509V3_EXT_get_nid(ext_nid))) {\n OPENSSL_PUT_ERROR(X509V3, X509V3_R_UNKNOWN_EXTENSION);\n return NULL;\n }\n // Now get internal extension representation based on type\n if (method->v2i) {\n if (*value == '@') {\n // TODO(davidben): This is the only place where |X509V3_EXT_nconf|'s\n // |conf| parameter is used. All other codepaths use the copy inside\n // |ctx|. Should this be switched and then the parameter ignored?\n if (conf == NULL) {\n OPENSSL_PUT_ERROR(X509V3, X509V3_R_NO_CONFIG_DATABASE);\n return NULL;\n }\n nval = NCONF_get_section(conf, value + 1);\n } else {\n nval_owned = X509V3_parse_list(value);\n nval = nval_owned;\n }\n if (nval == NULL || sk_CONF_VALUE_num(nval) <= 0) {\n OPENSSL_PUT_ERROR(X509V3, X509V3_R_INVALID_EXTENSION_STRING);\n ERR_add_error_data(4, \"name=\", OBJ_nid2sn(ext_nid), \",section=\", value);\n sk_CONF_VALUE_pop_free(nval_owned, X509V3_conf_free);\n return NULL;\n }\n ext_struc = method->v2i(method, ctx, nval);\n sk_CONF_VALUE_pop_free(nval_owned, X509V3_conf_free);\n if (!ext_struc) {\n return NULL;\n }\n } else if (method->s2i) {\n if (!(ext_struc = method->s2i(method, ctx, value))) {\n return NULL;\n }\n } else if (method->r2i) {\n // TODO(davidben): Should this check be removed? This matches OpenSSL, but\n // r2i-based extensions do not necessarily require a config database. The\n // two built-in extensions only use it some of the time, and already handle\n // |X509V3_get_section| returning NULL.\n if (!ctx->db) {\n OPENSSL_PUT_ERROR(X509V3, X509V3_R_NO_CONFIG_DATABASE);\n return NULL;\n }\n if (!(ext_struc = method->r2i(method, ctx, value))) {\n return NULL;\n }\n } else {\n OPENSSL_PUT_ERROR(X509V3, X509V3_R_EXTENSION_SETTING_NOT_SUPPORTED);\n ERR_add_error_data(2, \"name=\", OBJ_nid2sn(ext_nid));\n return NULL;\n }\n\n ext = do_ext_i2d(method, ext_nid, crit, ext_struc);\n ASN1_item_free(reinterpret_cast(ext_struc),\n ASN1_ITEM_ptr(method->it));\n return ext;\n}\n\nstatic X509_EXTENSION *do_ext_i2d(const X509V3_EXT_METHOD *method, int ext_nid,\n int crit, void *ext_struc) {\n // Convert the extension's internal representation to DER.\n unsigned char *ext_der = NULL;\n int ext_len = ASN1_item_i2d(reinterpret_cast(ext_struc),\n &ext_der, ASN1_ITEM_ptr(method->it));\n if (ext_len < 0) {\n return NULL;\n }\n\n ASN1_OCTET_STRING *ext_oct = ASN1_OCTET_STRING_new();\n if (ext_oct == NULL) {\n OPENSSL_free(ext_der);\n return NULL;\n }\n ASN1_STRING_set0(ext_oct, ext_der, ext_len);\n\n X509_EXTENSION *ext =\n X509_EXTENSION_create_by_NID(NULL, ext_nid, crit, ext_oct);\n ASN1_OCTET_STRING_free(ext_oct);\n return ext;\n}\n\n// Given an internal structure, nid and critical flag create an extension\n\nX509_EXTENSION *X509V3_EXT_i2d(int ext_nid, int crit, void *ext_struc) {\n const X509V3_EXT_METHOD *method;\n if (!(method = X509V3_EXT_get_nid(ext_nid))) {\n OPENSSL_PUT_ERROR(X509V3, X509V3_R_UNKNOWN_EXTENSION);\n return NULL;\n }\n return do_ext_i2d(method, ext_nid, crit, ext_struc);\n}\n\n// Check the extension string for critical flag\nstatic int v3_check_critical(const char **value) {\n const char *p = *value;\n if ((strlen(p) < 9) || strncmp(p, \"critical,\", 9)) {\n return 0;\n }\n p += 9;\n while (OPENSSL_isspace((unsigned char)*p)) {\n p++;\n }\n *value = p;\n return 1;\n}\n\n// Check extension string for generic extension and return the type\nstatic int v3_check_generic(const char **value) {\n int gen_type = 0;\n const char *p = *value;\n if ((strlen(p) >= 4) && !strncmp(p, \"DER:\", 4)) {\n p += 4;\n gen_type = 1;\n } else if ((strlen(p) >= 5) && !strncmp(p, \"ASN1:\", 5)) {\n p += 5;\n gen_type = 2;\n } else {\n return 0;\n }\n\n while (OPENSSL_isspace((unsigned char)*p)) {\n p++;\n }\n *value = p;\n return gen_type;\n}\n\n// Create a generic extension: for now just handle DER type\nstatic X509_EXTENSION *v3_generic_extension(const char *ext, const char *value,\n int crit, int gen_type,\n const X509V3_CTX *ctx) {\n unsigned char *ext_der = NULL;\n size_t ext_len = 0;\n ASN1_OBJECT *obj = NULL;\n ASN1_OCTET_STRING *oct = NULL;\n X509_EXTENSION *extension = NULL;\n if (!(obj = OBJ_txt2obj(ext, 0))) {\n OPENSSL_PUT_ERROR(X509V3, X509V3_R_EXTENSION_NAME_ERROR);\n ERR_add_error_data(2, \"name=\", ext);\n goto err;\n }\n\n if (gen_type == 1) {\n ext_der = x509v3_hex_to_bytes(value, &ext_len);\n } else if (gen_type == 2) {\n ext_der = generic_asn1(value, ctx, &ext_len);\n }\n\n if (ext_der == NULL) {\n OPENSSL_PUT_ERROR(X509V3, X509V3_R_EXTENSION_VALUE_ERROR);\n ERR_add_error_data(2, \"value=\", value);\n goto err;\n }\n\n if (ext_len > INT_MAX) {\n OPENSSL_PUT_ERROR(X509V3, ERR_R_OVERFLOW);\n goto err;\n }\n\n oct = ASN1_OCTET_STRING_new();\n if (oct == NULL) {\n goto err;\n }\n\n ASN1_STRING_set0(oct, ext_der, (int)ext_len);\n ext_der = NULL;\n\n extension = X509_EXTENSION_create_by_OBJ(NULL, obj, crit, oct);\n\nerr:\n ASN1_OBJECT_free(obj);\n ASN1_OCTET_STRING_free(oct);\n OPENSSL_free(ext_der);\n return extension;\n}\n\nstatic unsigned char *generic_asn1(const char *value, const X509V3_CTX *ctx,\n size_t *ext_len) {\n ASN1_TYPE *typ = ASN1_generate_v3(value, ctx);\n if (typ == NULL) {\n return NULL;\n }\n unsigned char *ext_der = NULL;\n int len = i2d_ASN1_TYPE(typ, &ext_der);\n ASN1_TYPE_free(typ);\n if (len < 0) {\n return NULL;\n }\n *ext_len = len;\n return ext_der;\n}\n\n// This is the main function: add a bunch of extensions based on a config\n// file section to an extension STACK.\n\nint X509V3_EXT_add_nconf_sk(const CONF *conf, const X509V3_CTX *ctx,\n const char *section,\n STACK_OF(X509_EXTENSION) **sk) {\n const STACK_OF(CONF_VALUE) *nval = NCONF_get_section(conf, section);\n if (nval == NULL) {\n return 0;\n }\n for (size_t i = 0; i < sk_CONF_VALUE_num(nval); i++) {\n const CONF_VALUE *val = sk_CONF_VALUE_value(nval, i);\n X509_EXTENSION *ext = X509V3_EXT_nconf(conf, ctx, val->name, val->value);\n int ok = ext != NULL && //\n (sk == NULL || X509v3_add_ext(sk, ext, -1) != NULL);\n X509_EXTENSION_free(ext);\n if (!ok) {\n return 0;\n }\n }\n return 1;\n}\n\n// Convenience functions to add extensions to a certificate, CRL and request\n\nint X509V3_EXT_add_nconf(const CONF *conf, const X509V3_CTX *ctx,\n const char *section, X509 *cert) {\n STACK_OF(X509_EXTENSION) **sk = NULL;\n if (cert) {\n sk = &cert->cert_info->extensions;\n }\n return X509V3_EXT_add_nconf_sk(conf, ctx, section, sk);\n}\n\n// Same as above but for a CRL\n\nint X509V3_EXT_CRL_add_nconf(const CONF *conf, const X509V3_CTX *ctx,\n const char *section, X509_CRL *crl) {\n STACK_OF(X509_EXTENSION) **sk = NULL;\n if (crl) {\n sk = &crl->crl->extensions;\n }\n return X509V3_EXT_add_nconf_sk(conf, ctx, section, sk);\n}\n\n// Add extensions to certificate request\n\nint X509V3_EXT_REQ_add_nconf(const CONF *conf, const X509V3_CTX *ctx,\n const char *section, X509_REQ *req) {\n STACK_OF(X509_EXTENSION) *extlist = NULL, **sk = NULL;\n int i;\n if (req) {\n sk = &extlist;\n }\n i = X509V3_EXT_add_nconf_sk(conf, ctx, section, sk);\n if (!i || !sk) {\n return i;\n }\n i = X509_REQ_add_extensions(req, extlist);\n sk_X509_EXTENSION_pop_free(extlist, X509_EXTENSION_free);\n return i;\n}\n\n// Config database functions\n\nconst STACK_OF(CONF_VALUE) *X509V3_get_section(const X509V3_CTX *ctx,\n const char *section) {\n if (ctx->db == NULL) {\n OPENSSL_PUT_ERROR(X509V3, X509V3_R_OPERATION_NOT_DEFINED);\n return NULL;\n }\n return NCONF_get_section(ctx->db, section);\n}\n\nvoid X509V3_set_nconf(X509V3_CTX *ctx, const CONF *conf) { ctx->db = conf; }\n\nvoid X509V3_set_ctx(X509V3_CTX *ctx, const X509 *issuer, const X509 *subj,\n const X509_REQ *req, const X509_CRL *crl, int flags) {\n OPENSSL_memset(ctx, 0, sizeof(*ctx));\n ctx->issuer_cert = issuer;\n ctx->subject_cert = subj;\n ctx->crl = crl;\n ctx->subject_req = req;\n ctx->flags = flags;\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/x509/v3_cpols.cc", "content": "/*\n * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n#include \n\n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n\n#include \"ext_dat.h\"\n#include \"internal.h\"\n\n// Certificate policies extension support: this one is a bit complex...\n\nstatic int i2r_certpol(const X509V3_EXT_METHOD *method, void *ext, BIO *out,\n int indent);\nstatic void *r2i_certpol(const X509V3_EXT_METHOD *method, const X509V3_CTX *ctx,\n const char *value);\nstatic void print_qualifiers(BIO *out, const STACK_OF(POLICYQUALINFO) *quals,\n int indent);\nstatic void print_notice(BIO *out, const USERNOTICE *notice, int indent);\nstatic POLICYINFO *policy_section(const X509V3_CTX *ctx,\n const STACK_OF(CONF_VALUE) *polstrs,\n int ia5org);\nstatic POLICYQUALINFO *notice_section(const X509V3_CTX *ctx,\n const STACK_OF(CONF_VALUE) *unot,\n int ia5org);\nstatic int nref_nos(STACK_OF(ASN1_INTEGER) *nnums,\n const STACK_OF(CONF_VALUE) *nos);\n\nconst X509V3_EXT_METHOD v3_cpols = {\n NID_certificate_policies,\n 0,\n ASN1_ITEM_ref(CERTIFICATEPOLICIES),\n 0,\n 0,\n 0,\n 0,\n 0,\n 0,\n 0,\n 0,\n i2r_certpol,\n r2i_certpol,\n NULL,\n};\n\nDECLARE_ASN1_ITEM(POLICYINFO)\nDECLARE_ASN1_ITEM(POLICYQUALINFO)\nDECLARE_ASN1_ITEM(USERNOTICE)\nDECLARE_ASN1_ITEM(NOTICEREF)\n\nASN1_ITEM_TEMPLATE(CERTIFICATEPOLICIES) = ASN1_EX_TEMPLATE_TYPE(\n ASN1_TFLG_SEQUENCE_OF, 0, CERTIFICATEPOLICIES, POLICYINFO)\nASN1_ITEM_TEMPLATE_END(CERTIFICATEPOLICIES)\n\nIMPLEMENT_ASN1_FUNCTIONS_const(CERTIFICATEPOLICIES)\n\nASN1_SEQUENCE(POLICYINFO) = {\n ASN1_SIMPLE(POLICYINFO, policyid, ASN1_OBJECT),\n ASN1_SEQUENCE_OF_OPT(POLICYINFO, qualifiers, POLICYQUALINFO),\n} ASN1_SEQUENCE_END(POLICYINFO)\n\nIMPLEMENT_ASN1_ALLOC_FUNCTIONS(POLICYINFO)\n\nASN1_ADB_TEMPLATE(policydefault) = ASN1_SIMPLE(POLICYQUALINFO, d.other,\n ASN1_ANY);\n\nASN1_ADB(POLICYQUALINFO) = {\n ADB_ENTRY(NID_id_qt_cps,\n ASN1_SIMPLE(POLICYQUALINFO, d.cpsuri, ASN1_IA5STRING)),\n ADB_ENTRY(NID_id_qt_unotice,\n ASN1_SIMPLE(POLICYQUALINFO, d.usernotice, USERNOTICE)),\n} ASN1_ADB_END(POLICYQUALINFO, 0, pqualid, 0, &policydefault_tt, NULL);\n\nASN1_SEQUENCE(POLICYQUALINFO) = {\n ASN1_SIMPLE(POLICYQUALINFO, pqualid, ASN1_OBJECT),\n ASN1_ADB_OBJECT(POLICYQUALINFO),\n} ASN1_SEQUENCE_END(POLICYQUALINFO)\n\nIMPLEMENT_ASN1_ALLOC_FUNCTIONS(POLICYQUALINFO)\n\nASN1_SEQUENCE(USERNOTICE) = {\n ASN1_OPT(USERNOTICE, noticeref, NOTICEREF),\n ASN1_OPT(USERNOTICE, exptext, DISPLAYTEXT),\n} ASN1_SEQUENCE_END(USERNOTICE)\n\nIMPLEMENT_ASN1_ALLOC_FUNCTIONS(USERNOTICE)\n\nASN1_SEQUENCE(NOTICEREF) = {\n ASN1_SIMPLE(NOTICEREF, organization, DISPLAYTEXT),\n ASN1_SEQUENCE_OF(NOTICEREF, noticenos, ASN1_INTEGER),\n} ASN1_SEQUENCE_END(NOTICEREF)\n\nIMPLEMENT_ASN1_ALLOC_FUNCTIONS(NOTICEREF)\n\nstatic void *r2i_certpol(const X509V3_EXT_METHOD *method, const X509V3_CTX *ctx,\n const char *value) {\n STACK_OF(POLICYINFO) *pols = sk_POLICYINFO_new_null();\n if (pols == NULL) {\n return NULL;\n }\n STACK_OF(CONF_VALUE) *vals = X509V3_parse_list(value);\n\n {\n if (vals == NULL) {\n OPENSSL_PUT_ERROR(X509V3, ERR_R_X509V3_LIB);\n goto err;\n }\n int ia5org = 0;\n for (size_t i = 0; i < sk_CONF_VALUE_num(vals); i++) {\n const CONF_VALUE *cnf = sk_CONF_VALUE_value(vals, i);\n if (cnf->value || !cnf->name) {\n OPENSSL_PUT_ERROR(X509V3, X509V3_R_INVALID_POLICY_IDENTIFIER);\n X509V3_conf_err(cnf);\n goto err;\n }\n POLICYINFO *pol;\n const char *pstr = cnf->name;\n if (!strcmp(pstr, \"ia5org\")) {\n ia5org = 1;\n continue;\n } else if (*pstr == '@') {\n const STACK_OF(CONF_VALUE) *polsect = X509V3_get_section(ctx, pstr + 1);\n if (!polsect) {\n OPENSSL_PUT_ERROR(X509V3, X509V3_R_INVALID_SECTION);\n\n X509V3_conf_err(cnf);\n goto err;\n }\n pol = policy_section(ctx, polsect, ia5org);\n if (!pol) {\n goto err;\n }\n } else {\n ASN1_OBJECT *pobj = OBJ_txt2obj(cnf->name, 0);\n if (pobj == NULL) {\n OPENSSL_PUT_ERROR(X509V3, X509V3_R_INVALID_OBJECT_IDENTIFIER);\n X509V3_conf_err(cnf);\n goto err;\n }\n pol = POLICYINFO_new();\n if (pol == NULL) {\n ASN1_OBJECT_free(pobj);\n goto err;\n }\n pol->policyid = pobj;\n }\n if (!sk_POLICYINFO_push(pols, pol)) {\n POLICYINFO_free(pol);\n goto err;\n }\n }\n sk_CONF_VALUE_pop_free(vals, X509V3_conf_free);\n return pols;\n }\n\nerr:\n sk_CONF_VALUE_pop_free(vals, X509V3_conf_free);\n sk_POLICYINFO_pop_free(pols, POLICYINFO_free);\n return NULL;\n}\n\nstatic POLICYINFO *policy_section(const X509V3_CTX *ctx,\n const STACK_OF(CONF_VALUE) *polstrs,\n int ia5org) {\n POLICYINFO *pol;\n POLICYQUALINFO *qual;\n if (!(pol = POLICYINFO_new())) {\n goto err;\n }\n for (size_t i = 0; i < sk_CONF_VALUE_num(polstrs); i++) {\n const CONF_VALUE *cnf = sk_CONF_VALUE_value(polstrs, i);\n if (!strcmp(cnf->name, \"policyIdentifier\")) {\n ASN1_OBJECT *pobj;\n if (!(pobj = OBJ_txt2obj(cnf->value, 0))) {\n OPENSSL_PUT_ERROR(X509V3, X509V3_R_INVALID_OBJECT_IDENTIFIER);\n X509V3_conf_err(cnf);\n goto err;\n }\n pol->policyid = pobj;\n\n } else if (x509v3_conf_name_matches(cnf->name, \"CPS\")) {\n if (!pol->qualifiers) {\n pol->qualifiers = sk_POLICYQUALINFO_new_null();\n }\n if (!(qual = POLICYQUALINFO_new())) {\n goto err;\n }\n if (!sk_POLICYQUALINFO_push(pol->qualifiers, qual)) {\n goto err;\n }\n qual->pqualid = OBJ_nid2obj(NID_id_qt_cps);\n if (qual->pqualid == NULL) {\n OPENSSL_PUT_ERROR(X509V3, ERR_R_INTERNAL_ERROR);\n goto err;\n }\n qual->d.cpsuri = ASN1_IA5STRING_new();\n if (qual->d.cpsuri == NULL) {\n goto err;\n }\n if (!ASN1_STRING_set(qual->d.cpsuri, cnf->value, strlen(cnf->value))) {\n goto err;\n }\n } else if (x509v3_conf_name_matches(cnf->name, \"userNotice\")) {\n if (*cnf->value != '@') {\n OPENSSL_PUT_ERROR(X509V3, X509V3_R_EXPECTED_A_SECTION_NAME);\n X509V3_conf_err(cnf);\n goto err;\n }\n const STACK_OF(CONF_VALUE) *unot =\n X509V3_get_section(ctx, cnf->value + 1);\n if (!unot) {\n OPENSSL_PUT_ERROR(X509V3, X509V3_R_INVALID_SECTION);\n X509V3_conf_err(cnf);\n goto err;\n }\n qual = notice_section(ctx, unot, ia5org);\n if (!qual) {\n goto err;\n }\n if (!pol->qualifiers) {\n pol->qualifiers = sk_POLICYQUALINFO_new_null();\n }\n if (!sk_POLICYQUALINFO_push(pol->qualifiers, qual)) {\n goto err;\n }\n } else {\n OPENSSL_PUT_ERROR(X509V3, X509V3_R_INVALID_OPTION);\n\n X509V3_conf_err(cnf);\n goto err;\n }\n }\n if (!pol->policyid) {\n OPENSSL_PUT_ERROR(X509V3, X509V3_R_NO_POLICY_IDENTIFIER);\n goto err;\n }\n\n return pol;\n\nerr:\n POLICYINFO_free(pol);\n return NULL;\n}\n\nstatic POLICYQUALINFO *notice_section(const X509V3_CTX *ctx,\n const STACK_OF(CONF_VALUE) *unot,\n int ia5org) {\n USERNOTICE *notice;\n POLICYQUALINFO *qual;\n if (!(qual = POLICYQUALINFO_new())) {\n goto err;\n }\n qual->pqualid = OBJ_nid2obj(NID_id_qt_unotice);\n if (qual->pqualid == NULL) {\n OPENSSL_PUT_ERROR(X509V3, ERR_R_INTERNAL_ERROR);\n goto err;\n }\n if (!(notice = USERNOTICE_new())) {\n goto err;\n }\n qual->d.usernotice = notice;\n for (size_t i = 0; i < sk_CONF_VALUE_num(unot); i++) {\n const CONF_VALUE *cnf = sk_CONF_VALUE_value(unot, i);\n if (!strcmp(cnf->name, \"explicitText\")) {\n notice->exptext = ASN1_VISIBLESTRING_new();\n if (notice->exptext == NULL) {\n goto err;\n }\n if (!ASN1_STRING_set(notice->exptext, cnf->value, strlen(cnf->value))) {\n goto err;\n }\n } else if (!strcmp(cnf->name, \"organization\")) {\n NOTICEREF *nref;\n if (!notice->noticeref) {\n if (!(nref = NOTICEREF_new())) {\n goto err;\n }\n notice->noticeref = nref;\n } else {\n nref = notice->noticeref;\n }\n if (ia5org) {\n nref->organization->type = V_ASN1_IA5STRING;\n } else {\n nref->organization->type = V_ASN1_VISIBLESTRING;\n }\n if (!ASN1_STRING_set(nref->organization, cnf->value,\n strlen(cnf->value))) {\n goto err;\n }\n } else if (!strcmp(cnf->name, \"noticeNumbers\")) {\n NOTICEREF *nref;\n STACK_OF(CONF_VALUE) *nos;\n if (!notice->noticeref) {\n if (!(nref = NOTICEREF_new())) {\n goto err;\n }\n notice->noticeref = nref;\n } else {\n nref = notice->noticeref;\n }\n nos = X509V3_parse_list(cnf->value);\n if (!nos || !sk_CONF_VALUE_num(nos)) {\n OPENSSL_PUT_ERROR(X509V3, X509V3_R_INVALID_NUMBERS);\n X509V3_conf_err(cnf);\n sk_CONF_VALUE_pop_free(nos, X509V3_conf_free);\n goto err;\n }\n int ret = nref_nos(nref->noticenos, nos);\n sk_CONF_VALUE_pop_free(nos, X509V3_conf_free);\n if (!ret) {\n goto err;\n }\n } else {\n OPENSSL_PUT_ERROR(X509V3, X509V3_R_INVALID_OPTION);\n X509V3_conf_err(cnf);\n goto err;\n }\n }\n\n if (notice->noticeref &&\n (!notice->noticeref->noticenos || !notice->noticeref->organization)) {\n OPENSSL_PUT_ERROR(X509V3, X509V3_R_NEED_ORGANIZATION_AND_NUMBERS);\n goto err;\n }\n\n return qual;\n\nerr:\n POLICYQUALINFO_free(qual);\n return NULL;\n}\n\nstatic int nref_nos(STACK_OF(ASN1_INTEGER) *nnums,\n const STACK_OF(CONF_VALUE) *nos) {\n for (size_t i = 0; i < sk_CONF_VALUE_num(nos); i++) {\n const CONF_VALUE *cnf = sk_CONF_VALUE_value(nos, i);\n ASN1_INTEGER *aint = s2i_ASN1_INTEGER(NULL, cnf->name);\n if (aint == NULL) {\n OPENSSL_PUT_ERROR(X509V3, X509V3_R_INVALID_NUMBER);\n return 0;\n }\n if (!sk_ASN1_INTEGER_push(nnums, aint)) {\n ASN1_INTEGER_free(aint);\n return 0;\n }\n }\n return 1;\n}\n\nstatic int i2r_certpol(const X509V3_EXT_METHOD *method, void *ext, BIO *out,\n int indent) {\n const STACK_OF(POLICYINFO) *pol =\n reinterpret_cast(ext);\n // First print out the policy OIDs\n for (size_t i = 0; i < sk_POLICYINFO_num(pol); i++) {\n const POLICYINFO *pinfo = sk_POLICYINFO_value(pol, i);\n BIO_printf(out, \"%*sPolicy: \", indent, \"\");\n i2a_ASN1_OBJECT(out, pinfo->policyid);\n BIO_puts(out, \"\\n\");\n if (pinfo->qualifiers) {\n print_qualifiers(out, pinfo->qualifiers, indent + 2);\n }\n }\n return 1;\n}\n\nstatic void print_qualifiers(BIO *out, const STACK_OF(POLICYQUALINFO) *quals,\n int indent) {\n for (size_t i = 0; i < sk_POLICYQUALINFO_num(quals); i++) {\n const POLICYQUALINFO *qualinfo = sk_POLICYQUALINFO_value(quals, i);\n switch (OBJ_obj2nid(qualinfo->pqualid)) {\n case NID_id_qt_cps:\n BIO_printf(out, \"%*sCPS: %.*s\\n\", indent, \"\",\n qualinfo->d.cpsuri->length, qualinfo->d.cpsuri->data);\n break;\n\n case NID_id_qt_unotice:\n BIO_printf(out, \"%*sUser Notice:\\n\", indent, \"\");\n print_notice(out, qualinfo->d.usernotice, indent + 2);\n break;\n\n default:\n BIO_printf(out, \"%*sUnknown Qualifier: \", indent + 2, \"\");\n\n i2a_ASN1_OBJECT(out, qualinfo->pqualid);\n BIO_puts(out, \"\\n\");\n break;\n }\n }\n}\n\nstatic void print_notice(BIO *out, const USERNOTICE *notice, int indent) {\n if (notice->noticeref) {\n NOTICEREF *ref;\n ref = notice->noticeref;\n BIO_printf(out, \"%*sOrganization: %.*s\\n\", indent, \"\",\n ref->organization->length, ref->organization->data);\n BIO_printf(out, \"%*sNumber%s: \", indent, \"\",\n sk_ASN1_INTEGER_num(ref->noticenos) > 1 ? \"s\" : \"\");\n for (size_t i = 0; i < sk_ASN1_INTEGER_num(ref->noticenos); i++) {\n ASN1_INTEGER *num;\n char *tmp;\n num = sk_ASN1_INTEGER_value(ref->noticenos, i);\n if (i) {\n BIO_puts(out, \", \");\n }\n if (num == NULL) {\n BIO_puts(out, \"(null)\");\n } else {\n tmp = i2s_ASN1_INTEGER(NULL, num);\n if (tmp == NULL) {\n return;\n }\n BIO_puts(out, tmp);\n OPENSSL_free(tmp);\n }\n }\n BIO_puts(out, \"\\n\");\n }\n if (notice->exptext) {\n BIO_printf(out, \"%*sExplicit Text: %.*s\\n\", indent, \"\",\n notice->exptext->length, notice->exptext->data);\n }\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/x509/v3_crld.cc", "content": "/*\n * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n#include \n\n#include \n#include \n#include \n#include \n#include \n#include \n#include \n\n#include \"ext_dat.h\"\n#include \"internal.h\"\n\n\nstatic void *v2i_crld(const X509V3_EXT_METHOD *method, const X509V3_CTX *ctx,\n const STACK_OF(CONF_VALUE) *nval);\nstatic int i2r_crldp(const X509V3_EXT_METHOD *method, void *pcrldp, BIO *out,\n int indent);\n\nconst X509V3_EXT_METHOD v3_crld = {\n NID_crl_distribution_points,\n 0,\n ASN1_ITEM_ref(CRL_DIST_POINTS),\n 0,\n 0,\n 0,\n 0,\n 0,\n 0,\n 0,\n v2i_crld,\n i2r_crldp,\n 0,\n NULL,\n};\n\nconst X509V3_EXT_METHOD v3_freshest_crl = {\n NID_freshest_crl,\n 0,\n ASN1_ITEM_ref(CRL_DIST_POINTS),\n 0,\n 0,\n 0,\n 0,\n 0,\n 0,\n 0,\n v2i_crld,\n i2r_crldp,\n 0,\n NULL,\n};\n\nstatic STACK_OF(GENERAL_NAME) *gnames_from_sectname(const X509V3_CTX *ctx,\n char *sect) {\n const STACK_OF(CONF_VALUE) *gnsect;\n STACK_OF(CONF_VALUE) *gnsect_owned = NULL;\n if (*sect == '@') {\n gnsect = X509V3_get_section(ctx, sect + 1);\n } else {\n gnsect_owned = X509V3_parse_list(sect);\n gnsect = gnsect_owned;\n }\n if (!gnsect) {\n OPENSSL_PUT_ERROR(X509V3, X509V3_R_SECTION_NOT_FOUND);\n return NULL;\n }\n STACK_OF(GENERAL_NAME) *gens = v2i_GENERAL_NAMES(NULL, ctx, gnsect);\n sk_CONF_VALUE_pop_free(gnsect_owned, X509V3_conf_free);\n return gens;\n}\n\n// set_dist_point_name decodes a DistributionPointName from |cnf| and writes the\n// result in |*pdp|. It returns 1 on success, -1 on error, and 0 if |cnf| used\n// an unrecognized input type. The zero return can be used by callers to support\n// additional syntax.\nstatic int set_dist_point_name(DIST_POINT_NAME **pdp, const X509V3_CTX *ctx,\n const CONF_VALUE *cnf) {\n STACK_OF(GENERAL_NAME) *fnm = NULL;\n STACK_OF(X509_NAME_ENTRY) *rnm = NULL;\n if (!strncmp(cnf->name, \"fullname\", 9)) {\n // If |cnf| comes from |X509V3_parse_list|, which is possible for a v2i\n // function, |cnf->value| may be NULL.\n if (cnf->value == NULL) {\n OPENSSL_PUT_ERROR(X509V3, X509V3_R_MISSING_VALUE);\n return -1;\n }\n fnm = gnames_from_sectname(ctx, cnf->value);\n if (!fnm) {\n goto err;\n }\n } else if (!strcmp(cnf->name, \"relativename\")) {\n // If |cnf| comes from |X509V3_parse_list|, which is possible for a v2i\n // function, |cnf->value| may be NULL.\n if (cnf->value == NULL) {\n OPENSSL_PUT_ERROR(X509V3, X509V3_R_MISSING_VALUE);\n return -1;\n }\n const STACK_OF(CONF_VALUE) *dnsect = X509V3_get_section(ctx, cnf->value);\n if (!dnsect) {\n OPENSSL_PUT_ERROR(X509V3, X509V3_R_SECTION_NOT_FOUND);\n return -1;\n }\n X509_NAME *nm = X509_NAME_new();\n if (!nm) {\n return -1;\n }\n int ret = X509V3_NAME_from_section(nm, dnsect, MBSTRING_ASC);\n rnm = nm->entries;\n nm->entries = NULL;\n X509_NAME_free(nm);\n if (!ret || sk_X509_NAME_ENTRY_num(rnm) <= 0) {\n goto err;\n }\n // There can only be one RDN in nameRelativeToCRLIssuer.\n if (sk_X509_NAME_ENTRY_value(rnm, sk_X509_NAME_ENTRY_num(rnm) - 1)->set) {\n OPENSSL_PUT_ERROR(X509V3, X509V3_R_INVALID_MULTIPLE_RDNS);\n goto err;\n }\n } else {\n return 0;\n }\n\n if (*pdp) {\n OPENSSL_PUT_ERROR(X509V3, X509V3_R_DISTPOINT_ALREADY_SET);\n goto err;\n }\n\n *pdp = DIST_POINT_NAME_new();\n if (!*pdp) {\n goto err;\n }\n if (fnm) {\n (*pdp)->type = 0;\n (*pdp)->name.fullname = fnm;\n } else {\n (*pdp)->type = 1;\n (*pdp)->name.relativename = rnm;\n }\n\n return 1;\n\nerr:\n sk_GENERAL_NAME_pop_free(fnm, GENERAL_NAME_free);\n sk_X509_NAME_ENTRY_pop_free(rnm, X509_NAME_ENTRY_free);\n return -1;\n}\n\nstatic const BIT_STRING_BITNAME reason_flags[] = {\n {0, \"Unused\", \"unused\"},\n {1, \"Key Compromise\", \"keyCompromise\"},\n {2, \"CA Compromise\", \"CACompromise\"},\n {3, \"Affiliation Changed\", \"affiliationChanged\"},\n {4, \"Superseded\", \"superseded\"},\n {5, \"Cessation Of Operation\", \"cessationOfOperation\"},\n {6, \"Certificate Hold\", \"certificateHold\"},\n {7, \"Privilege Withdrawn\", \"privilegeWithdrawn\"},\n {8, \"AA Compromise\", \"AACompromise\"},\n {-1, NULL, NULL}};\n\nstatic int set_reasons(ASN1_BIT_STRING **preas, const char *value) {\n if (*preas) {\n // Duplicate \"reasons\" or \"onlysomereasons\" key.\n OPENSSL_PUT_ERROR(X509V3, X509V3_R_INVALID_VALUE);\n return 0;\n }\n int ret = 0;\n STACK_OF(CONF_VALUE) *rsk = X509V3_parse_list(value);\n if (!rsk) {\n return 0;\n }\n for (size_t i = 0; i < sk_CONF_VALUE_num(rsk); i++) {\n const char *bnam = sk_CONF_VALUE_value(rsk, i)->name;\n if (!*preas) {\n *preas = ASN1_BIT_STRING_new();\n if (!*preas) {\n goto err;\n }\n }\n const BIT_STRING_BITNAME *pbn;\n for (pbn = reason_flags; pbn->lname; pbn++) {\n if (!strcmp(pbn->sname, bnam)) {\n if (!ASN1_BIT_STRING_set_bit(*preas, pbn->bitnum, 1)) {\n goto err;\n }\n break;\n }\n }\n if (!pbn->lname) {\n goto err;\n }\n }\n ret = 1;\n\nerr:\n sk_CONF_VALUE_pop_free(rsk, X509V3_conf_free);\n return ret;\n}\n\nstatic int print_reasons(BIO *out, const char *rname, ASN1_BIT_STRING *rflags,\n int indent) {\n int first = 1;\n const BIT_STRING_BITNAME *pbn;\n BIO_printf(out, \"%*s%s:\\n%*s\", indent, \"\", rname, indent + 2, \"\");\n for (pbn = reason_flags; pbn->lname; pbn++) {\n if (ASN1_BIT_STRING_get_bit(rflags, pbn->bitnum)) {\n if (first) {\n first = 0;\n } else {\n BIO_puts(out, \", \");\n }\n BIO_puts(out, pbn->lname);\n }\n }\n if (first) {\n BIO_puts(out, \"\\n\");\n } else {\n BIO_puts(out, \"\\n\");\n }\n return 1;\n}\n\nstatic DIST_POINT *crldp_from_section(const X509V3_CTX *ctx,\n const STACK_OF(CONF_VALUE) *nval) {\n DIST_POINT *point = NULL;\n point = DIST_POINT_new();\n if (!point) {\n goto err;\n }\n for (size_t i = 0; i < sk_CONF_VALUE_num(nval); i++) {\n const CONF_VALUE *cnf = sk_CONF_VALUE_value(nval, i);\n int ret = set_dist_point_name(&point->distpoint, ctx, cnf);\n if (ret > 0) {\n continue;\n }\n if (ret < 0) {\n goto err;\n }\n if (!strcmp(cnf->name, \"reasons\")) {\n if (!set_reasons(&point->reasons, cnf->value)) {\n goto err;\n }\n } else if (!strcmp(cnf->name, \"CRLissuer\")) {\n GENERAL_NAMES_free(point->CRLissuer);\n point->CRLissuer = gnames_from_sectname(ctx, cnf->value);\n if (!point->CRLissuer) {\n goto err;\n }\n }\n }\n\n return point;\n\nerr:\n DIST_POINT_free(point);\n return NULL;\n}\n\nstatic void *v2i_crld(const X509V3_EXT_METHOD *method, const X509V3_CTX *ctx,\n const STACK_OF(CONF_VALUE) *nval) {\n STACK_OF(DIST_POINT) *crld = NULL;\n GENERAL_NAMES *gens = NULL;\n GENERAL_NAME *gen = NULL;\n if (!(crld = sk_DIST_POINT_new_null())) {\n goto err;\n }\n for (size_t i = 0; i < sk_CONF_VALUE_num(nval); i++) {\n DIST_POINT *point;\n const CONF_VALUE *cnf = sk_CONF_VALUE_value(nval, i);\n if (!cnf->value) {\n const STACK_OF(CONF_VALUE) *dpsect = X509V3_get_section(ctx, cnf->name);\n if (!dpsect) {\n goto err;\n }\n point = crldp_from_section(ctx, dpsect);\n if (!point) {\n goto err;\n }\n if (!sk_DIST_POINT_push(crld, point)) {\n DIST_POINT_free(point);\n goto err;\n }\n } else {\n if (!(gen = v2i_GENERAL_NAME(method, ctx, cnf))) {\n goto err;\n }\n if (!(gens = GENERAL_NAMES_new())) {\n goto err;\n }\n if (!sk_GENERAL_NAME_push(gens, gen)) {\n goto err;\n }\n gen = NULL;\n if (!(point = DIST_POINT_new())) {\n goto err;\n }\n if (!sk_DIST_POINT_push(crld, point)) {\n DIST_POINT_free(point);\n goto err;\n }\n if (!(point->distpoint = DIST_POINT_NAME_new())) {\n goto err;\n }\n point->distpoint->name.fullname = gens;\n point->distpoint->type = 0;\n gens = NULL;\n }\n }\n return crld;\n\nerr:\n GENERAL_NAME_free(gen);\n GENERAL_NAMES_free(gens);\n sk_DIST_POINT_pop_free(crld, DIST_POINT_free);\n return NULL;\n}\n\nstatic int dpn_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,\n void *exarg) {\n DIST_POINT_NAME *dpn = (DIST_POINT_NAME *)*pval;\n\n switch (operation) {\n case ASN1_OP_NEW_POST:\n dpn->dpname = NULL;\n break;\n\n case ASN1_OP_FREE_POST:\n X509_NAME_free(dpn->dpname);\n break;\n }\n return 1;\n}\n\n\nASN1_CHOICE_cb(DIST_POINT_NAME, dpn_cb) = {\n ASN1_IMP_SEQUENCE_OF(DIST_POINT_NAME, name.fullname, GENERAL_NAME, 0),\n ASN1_IMP_SET_OF(DIST_POINT_NAME, name.relativename, X509_NAME_ENTRY, 1),\n} ASN1_CHOICE_END_cb(DIST_POINT_NAME, DIST_POINT_NAME, type)\n\nIMPLEMENT_ASN1_ALLOC_FUNCTIONS(DIST_POINT_NAME)\n\nASN1_SEQUENCE(DIST_POINT) = {\n ASN1_EXP_OPT(DIST_POINT, distpoint, DIST_POINT_NAME, 0),\n ASN1_IMP_OPT(DIST_POINT, reasons, ASN1_BIT_STRING, 1),\n ASN1_IMP_SEQUENCE_OF_OPT(DIST_POINT, CRLissuer, GENERAL_NAME, 2),\n} ASN1_SEQUENCE_END(DIST_POINT)\n\nIMPLEMENT_ASN1_ALLOC_FUNCTIONS(DIST_POINT)\n\nASN1_ITEM_TEMPLATE(CRL_DIST_POINTS) = ASN1_EX_TEMPLATE_TYPE(\n ASN1_TFLG_SEQUENCE_OF, 0, CRLDistributionPoints, DIST_POINT)\nASN1_ITEM_TEMPLATE_END(CRL_DIST_POINTS)\n\nIMPLEMENT_ASN1_FUNCTIONS(CRL_DIST_POINTS)\n\nASN1_SEQUENCE(ISSUING_DIST_POINT) = {\n ASN1_EXP_OPT(ISSUING_DIST_POINT, distpoint, DIST_POINT_NAME, 0),\n ASN1_IMP_OPT(ISSUING_DIST_POINT, onlyuser, ASN1_FBOOLEAN, 1),\n ASN1_IMP_OPT(ISSUING_DIST_POINT, onlyCA, ASN1_FBOOLEAN, 2),\n ASN1_IMP_OPT(ISSUING_DIST_POINT, onlysomereasons, ASN1_BIT_STRING, 3),\n ASN1_IMP_OPT(ISSUING_DIST_POINT, indirectCRL, ASN1_FBOOLEAN, 4),\n ASN1_IMP_OPT(ISSUING_DIST_POINT, onlyattr, ASN1_FBOOLEAN, 5),\n} ASN1_SEQUENCE_END(ISSUING_DIST_POINT)\n\nIMPLEMENT_ASN1_FUNCTIONS(ISSUING_DIST_POINT)\n\nstatic int i2r_idp(const X509V3_EXT_METHOD *method, void *pidp, BIO *out,\n int indent);\nstatic void *v2i_idp(const X509V3_EXT_METHOD *method, const X509V3_CTX *ctx,\n const STACK_OF(CONF_VALUE) *nval);\n\nconst X509V3_EXT_METHOD v3_idp = {\n NID_issuing_distribution_point,\n X509V3_EXT_MULTILINE,\n ASN1_ITEM_ref(ISSUING_DIST_POINT),\n 0,\n 0,\n 0,\n 0,\n 0,\n 0,\n 0,\n v2i_idp,\n i2r_idp,\n 0,\n NULL,\n};\n\nstatic void *v2i_idp(const X509V3_EXT_METHOD *method, const X509V3_CTX *ctx,\n const STACK_OF(CONF_VALUE) *nval) {\n ISSUING_DIST_POINT *idp = ISSUING_DIST_POINT_new();\n if (!idp) {\n goto err;\n }\n for (size_t i = 0; i < sk_CONF_VALUE_num(nval); i++) {\n const CONF_VALUE *cnf = sk_CONF_VALUE_value(nval, i);\n const char *name = cnf->name;\n const char *val = cnf->value;\n int ret = set_dist_point_name(&idp->distpoint, ctx, cnf);\n if (ret > 0) {\n continue;\n }\n if (ret < 0) {\n goto err;\n }\n if (!strcmp(name, \"onlyuser\")) {\n if (!X509V3_get_value_bool(cnf, &idp->onlyuser)) {\n goto err;\n }\n } else if (!strcmp(name, \"onlyCA\")) {\n if (!X509V3_get_value_bool(cnf, &idp->onlyCA)) {\n goto err;\n }\n } else if (!strcmp(name, \"onlyAA\")) {\n if (!X509V3_get_value_bool(cnf, &idp->onlyattr)) {\n goto err;\n }\n } else if (!strcmp(name, \"indirectCRL\")) {\n if (!X509V3_get_value_bool(cnf, &idp->indirectCRL)) {\n goto err;\n }\n } else if (!strcmp(name, \"onlysomereasons\")) {\n if (!set_reasons(&idp->onlysomereasons, val)) {\n goto err;\n }\n } else {\n OPENSSL_PUT_ERROR(X509V3, X509V3_R_INVALID_NAME);\n X509V3_conf_err(cnf);\n goto err;\n }\n }\n return idp;\n\nerr:\n ISSUING_DIST_POINT_free(idp);\n return NULL;\n}\n\nstatic int print_gens(BIO *out, STACK_OF(GENERAL_NAME) *gens, int indent) {\n size_t i;\n for (i = 0; i < sk_GENERAL_NAME_num(gens); i++) {\n BIO_printf(out, \"%*s\", indent + 2, \"\");\n GENERAL_NAME_print(out, sk_GENERAL_NAME_value(gens, i));\n BIO_puts(out, \"\\n\");\n }\n return 1;\n}\n\nstatic int print_distpoint(BIO *out, DIST_POINT_NAME *dpn, int indent) {\n if (dpn->type == 0) {\n BIO_printf(out, \"%*sFull Name:\\n\", indent, \"\");\n print_gens(out, dpn->name.fullname, indent);\n } else {\n X509_NAME ntmp;\n ntmp.entries = dpn->name.relativename;\n BIO_printf(out, \"%*sRelative Name:\\n%*s\", indent, \"\", indent + 2, \"\");\n X509_NAME_print_ex(out, &ntmp, 0, XN_FLAG_ONELINE);\n BIO_puts(out, \"\\n\");\n }\n return 1;\n}\n\nstatic int i2r_idp(const X509V3_EXT_METHOD *method, void *pidp, BIO *out,\n int indent) {\n ISSUING_DIST_POINT *idp = reinterpret_cast(pidp);\n if (idp->distpoint) {\n print_distpoint(out, idp->distpoint, indent);\n }\n if (idp->onlyuser > 0) {\n BIO_printf(out, \"%*sOnly User Certificates\\n\", indent, \"\");\n }\n if (idp->onlyCA > 0) {\n BIO_printf(out, \"%*sOnly CA Certificates\\n\", indent, \"\");\n }\n if (idp->indirectCRL > 0) {\n BIO_printf(out, \"%*sIndirect CRL\\n\", indent, \"\");\n }\n if (idp->onlysomereasons) {\n print_reasons(out, \"Only Some Reasons\", idp->onlysomereasons, indent);\n }\n if (idp->onlyattr > 0) {\n BIO_printf(out, \"%*sOnly Attribute Certificates\\n\", indent, \"\");\n }\n if (!idp->distpoint && (idp->onlyuser <= 0) && (idp->onlyCA <= 0) &&\n (idp->indirectCRL <= 0) && !idp->onlysomereasons &&\n (idp->onlyattr <= 0)) {\n BIO_printf(out, \"%*s\\n\", indent, \"\");\n }\n\n return 1;\n}\n\nstatic int i2r_crldp(const X509V3_EXT_METHOD *method, void *pcrldp, BIO *out,\n int indent) {\n STACK_OF(DIST_POINT) *crld = reinterpret_cast(pcrldp);\n DIST_POINT *point;\n size_t i;\n for (i = 0; i < sk_DIST_POINT_num(crld); i++) {\n BIO_puts(out, \"\\n\");\n point = sk_DIST_POINT_value(crld, i);\n if (point->distpoint) {\n print_distpoint(out, point->distpoint, indent);\n }\n if (point->reasons) {\n print_reasons(out, \"Reasons\", point->reasons, indent);\n }\n if (point->CRLissuer) {\n BIO_printf(out, \"%*sCRL Issuer:\\n\", indent, \"\");\n print_gens(out, point->CRLissuer, indent);\n }\n }\n return 1;\n}\n\nint DIST_POINT_set_dpname(DIST_POINT_NAME *dpn, X509_NAME *iname) {\n size_t i;\n STACK_OF(X509_NAME_ENTRY) *frag;\n X509_NAME_ENTRY *ne;\n if (!dpn || (dpn->type != 1)) {\n return 1;\n }\n frag = dpn->name.relativename;\n dpn->dpname = X509_NAME_dup(iname);\n if (!dpn->dpname) {\n return 0;\n }\n for (i = 0; i < sk_X509_NAME_ENTRY_num(frag); i++) {\n ne = sk_X509_NAME_ENTRY_value(frag, i);\n if (!X509_NAME_add_entry(dpn->dpname, ne, -1, i ? 0 : 1)) {\n X509_NAME_free(dpn->dpname);\n dpn->dpname = NULL;\n return 0;\n }\n }\n // generate cached encoding of name\n if (i2d_X509_NAME(dpn->dpname, NULL) < 0) {\n X509_NAME_free(dpn->dpname);\n dpn->dpname = NULL;\n return 0;\n }\n return 1;\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/x509/v3_enum.cc", "content": "/*\n * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n#include \n#include \n#include \n\n#include \"ext_dat.h\"\n#include \"internal.h\"\n\n\ntypedef BIT_STRING_BITNAME ENUMERATED_NAMES;\n\nstatic const ENUMERATED_NAMES crl_reasons[] = {\n {CRL_REASON_UNSPECIFIED, \"Unspecified\", \"unspecified\"},\n {CRL_REASON_KEY_COMPROMISE, \"Key Compromise\", \"keyCompromise\"},\n {CRL_REASON_CA_COMPROMISE, \"CA Compromise\", \"CACompromise\"},\n {CRL_REASON_AFFILIATION_CHANGED, \"Affiliation Changed\",\n \"affiliationChanged\"},\n {CRL_REASON_SUPERSEDED, \"Superseded\", \"superseded\"},\n {CRL_REASON_CESSATION_OF_OPERATION, \"Cessation Of Operation\",\n \"cessationOfOperation\"},\n {CRL_REASON_CERTIFICATE_HOLD, \"Certificate Hold\", \"certificateHold\"},\n {CRL_REASON_REMOVE_FROM_CRL, \"Remove From CRL\", \"removeFromCRL\"},\n {CRL_REASON_PRIVILEGE_WITHDRAWN, \"Privilege Withdrawn\",\n \"privilegeWithdrawn\"},\n {CRL_REASON_AA_COMPROMISE, \"AA Compromise\", \"AACompromise\"},\n {-1, NULL, NULL}};\n\nstatic char *i2s_ASN1_ENUMERATED_TABLE(const X509V3_EXT_METHOD *method,\n void *ext) {\n const ASN1_ENUMERATED *e = reinterpret_cast(ext);\n long strval = ASN1_ENUMERATED_get(e);\n for (const ENUMERATED_NAMES *enam =\n reinterpret_cast(method->usr_data);\n enam->lname; enam++) {\n if (strval == enam->bitnum) {\n return OPENSSL_strdup(enam->lname);\n }\n }\n return i2s_ASN1_ENUMERATED(method, e);\n}\n\nconst X509V3_EXT_METHOD v3_crl_reason = {\n NID_crl_reason,\n 0,\n ASN1_ITEM_ref(ASN1_ENUMERATED),\n 0,\n 0,\n 0,\n 0,\n i2s_ASN1_ENUMERATED_TABLE,\n 0,\n 0,\n 0,\n 0,\n 0,\n (void *)crl_reasons,\n};\n" }, { "path": "Sources/CNIOBoringSSL/crypto/x509/v3_extku.cc", "content": "/*\n * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n#include \n#include \n#include \n#include \n\n#include \"ext_dat.h\"\n#include \"internal.h\"\n\n\nstatic void *v2i_EXTENDED_KEY_USAGE(const X509V3_EXT_METHOD *method,\n const X509V3_CTX *ctx,\n const STACK_OF(CONF_VALUE) *nval);\nstatic STACK_OF(CONF_VALUE) *i2v_EXTENDED_KEY_USAGE(\n const X509V3_EXT_METHOD *method, void *eku, STACK_OF(CONF_VALUE) *extlist);\n\nconst X509V3_EXT_METHOD v3_ext_ku = {\n NID_ext_key_usage,\n 0,\n ASN1_ITEM_ref(EXTENDED_KEY_USAGE),\n 0,\n 0,\n 0,\n 0,\n 0,\n 0,\n i2v_EXTENDED_KEY_USAGE,\n v2i_EXTENDED_KEY_USAGE,\n 0,\n 0,\n NULL,\n};\n\n// NB OCSP acceptable responses also is a SEQUENCE OF OBJECT\nconst X509V3_EXT_METHOD v3_ocsp_accresp = {\n NID_id_pkix_OCSP_acceptableResponses,\n 0,\n ASN1_ITEM_ref(EXTENDED_KEY_USAGE),\n 0,\n 0,\n 0,\n 0,\n 0,\n 0,\n i2v_EXTENDED_KEY_USAGE,\n v2i_EXTENDED_KEY_USAGE,\n 0,\n 0,\n NULL,\n};\n\nASN1_ITEM_TEMPLATE(EXTENDED_KEY_USAGE) = ASN1_EX_TEMPLATE_TYPE(\n ASN1_TFLG_SEQUENCE_OF, 0, EXTENDED_KEY_USAGE, ASN1_OBJECT)\nASN1_ITEM_TEMPLATE_END(EXTENDED_KEY_USAGE)\n\nIMPLEMENT_ASN1_FUNCTIONS_const(EXTENDED_KEY_USAGE)\n\nstatic STACK_OF(CONF_VALUE) *i2v_EXTENDED_KEY_USAGE(\n const X509V3_EXT_METHOD *method, void *a, STACK_OF(CONF_VALUE) *ext_list) {\n const EXTENDED_KEY_USAGE *eku =\n reinterpret_cast(a);\n for (size_t i = 0; i < sk_ASN1_OBJECT_num(eku); i++) {\n const ASN1_OBJECT *obj = sk_ASN1_OBJECT_value(eku, i);\n char obj_tmp[80];\n i2t_ASN1_OBJECT(obj_tmp, 80, obj);\n X509V3_add_value(NULL, obj_tmp, &ext_list);\n }\n return ext_list;\n}\n\nstatic void *v2i_EXTENDED_KEY_USAGE(const X509V3_EXT_METHOD *method,\n const X509V3_CTX *ctx,\n const STACK_OF(CONF_VALUE) *nval) {\n EXTENDED_KEY_USAGE *extku = sk_ASN1_OBJECT_new_null();\n if (extku == NULL) {\n return NULL;\n }\n\n for (size_t i = 0; i < sk_CONF_VALUE_num(nval); i++) {\n const CONF_VALUE *val = sk_CONF_VALUE_value(nval, i);\n const char *extval;\n if (val->value) {\n extval = val->value;\n } else {\n extval = val->name;\n }\n ASN1_OBJECT *obj = OBJ_txt2obj(extval, 0);\n if (obj == NULL || !sk_ASN1_OBJECT_push(extku, obj)) {\n ASN1_OBJECT_free(obj);\n sk_ASN1_OBJECT_pop_free(extku, ASN1_OBJECT_free);\n OPENSSL_PUT_ERROR(X509V3, X509V3_R_INVALID_OBJECT_IDENTIFIER);\n X509V3_conf_err(val);\n return NULL;\n }\n }\n\n return extku;\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/x509/v3_genn.cc", "content": "/*\n * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n#include \n#include \n#include \n\n#include \"internal.h\"\n\n\nASN1_SEQUENCE(OTHERNAME) = {\n ASN1_SIMPLE(OTHERNAME, type_id, ASN1_OBJECT),\n // Maybe have a true ANY DEFINED BY later\n ASN1_EXP(OTHERNAME, value, ASN1_ANY, 0),\n} ASN1_SEQUENCE_END(OTHERNAME)\n\nIMPLEMENT_ASN1_ALLOC_FUNCTIONS(OTHERNAME)\n\nASN1_SEQUENCE(EDIPARTYNAME) = {\n // DirectoryString is a CHOICE type, so use explicit tagging.\n ASN1_EXP_OPT(EDIPARTYNAME, nameAssigner, DIRECTORYSTRING, 0),\n ASN1_EXP(EDIPARTYNAME, partyName, DIRECTORYSTRING, 1),\n} ASN1_SEQUENCE_END(EDIPARTYNAME)\n\nIMPLEMENT_ASN1_ALLOC_FUNCTIONS(EDIPARTYNAME)\n\nASN1_CHOICE(GENERAL_NAME) = {\n ASN1_IMP(GENERAL_NAME, d.otherName, OTHERNAME, GEN_OTHERNAME),\n ASN1_IMP(GENERAL_NAME, d.rfc822Name, ASN1_IA5STRING, GEN_EMAIL),\n ASN1_IMP(GENERAL_NAME, d.dNSName, ASN1_IA5STRING, GEN_DNS),\n // Don't decode this\n ASN1_IMP(GENERAL_NAME, d.x400Address, ASN1_SEQUENCE, GEN_X400),\n // X509_NAME is a CHOICE type so use EXPLICIT\n ASN1_EXP(GENERAL_NAME, d.directoryName, X509_NAME, GEN_DIRNAME),\n ASN1_IMP(GENERAL_NAME, d.ediPartyName, EDIPARTYNAME, GEN_EDIPARTY),\n ASN1_IMP(GENERAL_NAME, d.uniformResourceIdentifier, ASN1_IA5STRING,\n GEN_URI),\n ASN1_IMP(GENERAL_NAME, d.iPAddress, ASN1_OCTET_STRING, GEN_IPADD),\n ASN1_IMP(GENERAL_NAME, d.registeredID, ASN1_OBJECT, GEN_RID),\n} ASN1_CHOICE_END(GENERAL_NAME)\n\nIMPLEMENT_ASN1_FUNCTIONS(GENERAL_NAME)\n\nASN1_ITEM_TEMPLATE(GENERAL_NAMES) = ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF,\n 0, GeneralNames,\n GENERAL_NAME)\nASN1_ITEM_TEMPLATE_END(GENERAL_NAMES)\n\nIMPLEMENT_ASN1_FUNCTIONS(GENERAL_NAMES)\n\nIMPLEMENT_ASN1_DUP_FUNCTION(GENERAL_NAME)\n\nstatic int edipartyname_cmp(const EDIPARTYNAME *a, const EDIPARTYNAME *b) {\n // nameAssigner is optional and may be NULL.\n if (a->nameAssigner == NULL) {\n if (b->nameAssigner != NULL) {\n return -1;\n }\n } else {\n if (b->nameAssigner == NULL ||\n ASN1_STRING_cmp(a->nameAssigner, b->nameAssigner) != 0) {\n return -1;\n }\n }\n\n // partyName may not be NULL.\n return ASN1_STRING_cmp(a->partyName, b->partyName);\n}\n\n// Returns 0 if they are equal, != 0 otherwise.\nstatic int othername_cmp(const OTHERNAME *a, const OTHERNAME *b) {\n int result = -1;\n\n if (!a || !b) {\n return -1;\n }\n // Check their type first.\n if ((result = OBJ_cmp(a->type_id, b->type_id)) != 0) {\n return result;\n }\n // Check the value.\n result = ASN1_TYPE_cmp(a->value, b->value);\n return result;\n}\n\n// Returns 0 if they are equal, != 0 otherwise.\nint GENERAL_NAME_cmp(const GENERAL_NAME *a, const GENERAL_NAME *b) {\n if (!a || !b || a->type != b->type) {\n return -1;\n }\n\n switch (a->type) {\n case GEN_X400:\n return ASN1_STRING_cmp(a->d.x400Address, b->d.x400Address);\n\n case GEN_EDIPARTY:\n return edipartyname_cmp(a->d.ediPartyName, b->d.ediPartyName);\n\n case GEN_OTHERNAME:\n return othername_cmp(a->d.otherName, b->d.otherName);\n\n case GEN_EMAIL:\n case GEN_DNS:\n case GEN_URI:\n return ASN1_STRING_cmp(a->d.ia5, b->d.ia5);\n\n case GEN_DIRNAME:\n return X509_NAME_cmp(a->d.dirn, b->d.dirn);\n\n case GEN_IPADD:\n return ASN1_OCTET_STRING_cmp(a->d.ip, b->d.ip);\n\n case GEN_RID:\n return OBJ_cmp(a->d.rid, b->d.rid);\n }\n\n return -1;\n}\n\nvoid GENERAL_NAME_set0_value(GENERAL_NAME *a, int type, void *value) {\n switch (type) {\n case GEN_X400:\n a->d.x400Address = reinterpret_cast(value);\n break;\n\n case GEN_EDIPARTY:\n a->d.ediPartyName = reinterpret_cast(value);\n break;\n\n case GEN_OTHERNAME:\n a->d.otherName = reinterpret_cast(value);\n break;\n\n case GEN_EMAIL:\n case GEN_DNS:\n case GEN_URI:\n a->d.ia5 = reinterpret_cast(value);\n break;\n\n case GEN_DIRNAME:\n a->d.dirn = reinterpret_cast(value);\n break;\n\n case GEN_IPADD:\n a->d.ip = reinterpret_cast(value);\n break;\n\n case GEN_RID:\n a->d.rid = reinterpret_cast(value);\n break;\n }\n a->type = type;\n}\n\nvoid *GENERAL_NAME_get0_value(const GENERAL_NAME *a, int *out_type) {\n if (out_type) {\n *out_type = a->type;\n }\n switch (a->type) {\n case GEN_X400:\n return a->d.x400Address;\n\n case GEN_EDIPARTY:\n return a->d.ediPartyName;\n\n case GEN_OTHERNAME:\n return a->d.otherName;\n\n case GEN_EMAIL:\n case GEN_DNS:\n case GEN_URI:\n return a->d.ia5;\n\n case GEN_DIRNAME:\n return a->d.dirn;\n\n case GEN_IPADD:\n return a->d.ip;\n\n case GEN_RID:\n return a->d.rid;\n\n default:\n return NULL;\n }\n}\n\nint GENERAL_NAME_set0_othername(GENERAL_NAME *gen, ASN1_OBJECT *oid,\n ASN1_TYPE *value) {\n OTHERNAME *oth;\n oth = OTHERNAME_new();\n if (!oth) {\n return 0;\n }\n ASN1_TYPE_free(oth->value);\n oth->type_id = oid;\n oth->value = value;\n GENERAL_NAME_set0_value(gen, GEN_OTHERNAME, oth);\n return 1;\n}\n\nint GENERAL_NAME_get0_otherName(const GENERAL_NAME *gen, ASN1_OBJECT **out_oid,\n ASN1_TYPE **out_value) {\n if (gen->type != GEN_OTHERNAME) {\n return 0;\n }\n if (out_oid != NULL) {\n *out_oid = gen->d.otherName->type_id;\n }\n if (out_value != NULL) {\n *out_value = gen->d.otherName->value;\n }\n return 1;\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/x509/v3_ia5.cc", "content": "/*\n * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n#include \n\n#include \n#include \n#include \n#include \n#include \n#include \n\n#include \"../internal.h\"\n#include \"ext_dat.h\"\n\n\nstatic char *i2s_ASN1_IA5STRING(const X509V3_EXT_METHOD *method, void *ext) {\n const ASN1_IA5STRING *ia5 = reinterpret_cast(ext);\n char *tmp;\n if (!ia5 || !ia5->length) {\n return NULL;\n }\n if (!(tmp = reinterpret_cast(OPENSSL_malloc(ia5->length + 1)))) {\n return NULL;\n }\n OPENSSL_memcpy(tmp, ia5->data, ia5->length);\n tmp[ia5->length] = 0;\n return tmp;\n}\n\nstatic void *s2i_ASN1_IA5STRING(const X509V3_EXT_METHOD *method,\n const X509V3_CTX *ctx, const char *str) {\n ASN1_IA5STRING *ia5;\n if (!str) {\n OPENSSL_PUT_ERROR(X509V3, X509V3_R_INVALID_NULL_ARGUMENT);\n return NULL;\n }\n if (!(ia5 = ASN1_IA5STRING_new())) {\n goto err;\n }\n if (!ASN1_STRING_set(ia5, str, strlen(str))) {\n ASN1_IA5STRING_free(ia5);\n goto err;\n }\n return ia5;\nerr:\n return NULL;\n}\n\n#define EXT_IA5STRING(nid) \\\n { \\\n nid, 0, ASN1_ITEM_ref(ASN1_IA5STRING), 0, 0, 0, 0, i2s_ASN1_IA5STRING, \\\n s2i_ASN1_IA5STRING, 0, 0, 0, 0, NULL \\\n }\n\n#define EXT_END \\\n { -1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 }\n\nconst X509V3_EXT_METHOD v3_ns_ia5_list[] = {\n EXT_IA5STRING(NID_netscape_base_url),\n EXT_IA5STRING(NID_netscape_revocation_url),\n EXT_IA5STRING(NID_netscape_ca_revocation_url),\n EXT_IA5STRING(NID_netscape_renewal_url),\n EXT_IA5STRING(NID_netscape_ca_policy_url),\n EXT_IA5STRING(NID_netscape_ssl_server_name),\n EXT_IA5STRING(NID_netscape_comment),\n EXT_END};\n" }, { "path": "Sources/CNIOBoringSSL/crypto/x509/v3_info.cc", "content": "/*\n * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n#include \n\n#include \n#include \n#include \n#include \n#include \n#include \n#include \n\n#include \"ext_dat.h\"\n#include \"internal.h\"\n\n\nstatic STACK_OF(CONF_VALUE) *i2v_AUTHORITY_INFO_ACCESS(\n const X509V3_EXT_METHOD *method, void *ext, STACK_OF(CONF_VALUE) *ret);\nstatic void *v2i_AUTHORITY_INFO_ACCESS(const X509V3_EXT_METHOD *method,\n const X509V3_CTX *ctx,\n const STACK_OF(CONF_VALUE) *nval);\n\nconst X509V3_EXT_METHOD v3_info = {\n NID_info_access,\n X509V3_EXT_MULTILINE,\n ASN1_ITEM_ref(AUTHORITY_INFO_ACCESS),\n 0,\n 0,\n 0,\n 0,\n 0,\n 0,\n i2v_AUTHORITY_INFO_ACCESS,\n v2i_AUTHORITY_INFO_ACCESS,\n 0,\n 0,\n NULL,\n};\n\nconst X509V3_EXT_METHOD v3_sinfo = {\n NID_sinfo_access,\n X509V3_EXT_MULTILINE,\n ASN1_ITEM_ref(AUTHORITY_INFO_ACCESS),\n 0,\n 0,\n 0,\n 0,\n 0,\n 0,\n i2v_AUTHORITY_INFO_ACCESS,\n v2i_AUTHORITY_INFO_ACCESS,\n 0,\n 0,\n NULL,\n};\n\nASN1_SEQUENCE(ACCESS_DESCRIPTION) = {\n ASN1_SIMPLE(ACCESS_DESCRIPTION, method, ASN1_OBJECT),\n ASN1_SIMPLE(ACCESS_DESCRIPTION, location, GENERAL_NAME),\n} ASN1_SEQUENCE_END(ACCESS_DESCRIPTION)\n\nIMPLEMENT_ASN1_ALLOC_FUNCTIONS(ACCESS_DESCRIPTION)\n\nASN1_ITEM_TEMPLATE(AUTHORITY_INFO_ACCESS) = ASN1_EX_TEMPLATE_TYPE(\n ASN1_TFLG_SEQUENCE_OF, 0, GeneralNames, ACCESS_DESCRIPTION)\nASN1_ITEM_TEMPLATE_END(AUTHORITY_INFO_ACCESS)\n\nIMPLEMENT_ASN1_FUNCTIONS(AUTHORITY_INFO_ACCESS)\n\nstatic STACK_OF(CONF_VALUE) *i2v_AUTHORITY_INFO_ACCESS(\n const X509V3_EXT_METHOD *method, void *ext, STACK_OF(CONF_VALUE) *ret) {\n const AUTHORITY_INFO_ACCESS *ainfo =\n reinterpret_cast(ext);\n ACCESS_DESCRIPTION *desc;\n char objtmp[80], *name;\n CONF_VALUE *vtmp;\n STACK_OF(CONF_VALUE) *tret = ret;\n\n for (size_t i = 0; i < sk_ACCESS_DESCRIPTION_num(ainfo); i++) {\n STACK_OF(CONF_VALUE) *tmp;\n\n desc = sk_ACCESS_DESCRIPTION_value(ainfo, i);\n tmp = i2v_GENERAL_NAME(method, desc->location, tret);\n if (tmp == NULL) {\n goto err;\n }\n tret = tmp;\n vtmp = sk_CONF_VALUE_value(tret, i);\n i2t_ASN1_OBJECT(objtmp, sizeof objtmp, desc->method);\n\n if (OPENSSL_asprintf(&name, \"%s - %s\", objtmp, vtmp->name) == -1) {\n goto err;\n }\n OPENSSL_free(vtmp->name);\n vtmp->name = name;\n }\n if (ret == NULL && tret == NULL) {\n return sk_CONF_VALUE_new_null();\n }\n\n return tret;\nerr:\n if (ret == NULL && tret != NULL) {\n sk_CONF_VALUE_pop_free(tret, X509V3_conf_free);\n }\n return NULL;\n}\n\nstatic void *v2i_AUTHORITY_INFO_ACCESS(const X509V3_EXT_METHOD *method,\n const X509V3_CTX *ctx,\n const STACK_OF(CONF_VALUE) *nval) {\n AUTHORITY_INFO_ACCESS *ainfo = NULL;\n ACCESS_DESCRIPTION *acc;\n if (!(ainfo = sk_ACCESS_DESCRIPTION_new_null())) {\n return NULL;\n }\n for (size_t i = 0; i < sk_CONF_VALUE_num(nval); i++) {\n const CONF_VALUE *cnf = sk_CONF_VALUE_value(nval, i);\n if (!(acc = ACCESS_DESCRIPTION_new()) ||\n !sk_ACCESS_DESCRIPTION_push(ainfo, acc)) {\n goto err;\n }\n char *ptmp = strchr(cnf->name, ';');\n if (!ptmp) {\n OPENSSL_PUT_ERROR(X509V3, X509V3_R_INVALID_SYNTAX);\n goto err;\n }\n CONF_VALUE ctmp;\n ctmp.name = ptmp + 1;\n ctmp.value = cnf->value;\n if (!v2i_GENERAL_NAME_ex(acc->location, method, ctx, &ctmp, 0)) {\n goto err;\n }\n char *objtmp = OPENSSL_strndup(cnf->name, ptmp - cnf->name);\n if (objtmp == NULL) {\n goto err;\n }\n acc->method = OBJ_txt2obj(objtmp, 0);\n if (!acc->method) {\n OPENSSL_PUT_ERROR(X509V3, X509V3_R_BAD_OBJECT);\n ERR_add_error_data(2, \"value=\", objtmp);\n OPENSSL_free(objtmp);\n goto err;\n }\n OPENSSL_free(objtmp);\n }\n return ainfo;\nerr:\n sk_ACCESS_DESCRIPTION_pop_free(ainfo, ACCESS_DESCRIPTION_free);\n return NULL;\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/x509/v3_int.cc", "content": "/*\n * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n#include \n\n#include \"ext_dat.h\"\n\n\nstatic char *i2s_ASN1_INTEGER_cb(const X509V3_EXT_METHOD *method, void *ext) {\n return i2s_ASN1_INTEGER(method, reinterpret_cast(ext));\n}\n\nstatic void *s2i_asn1_int(const X509V3_EXT_METHOD *meth, const X509V3_CTX *ctx,\n const char *value) {\n return s2i_ASN1_INTEGER(meth, value);\n}\n\nconst X509V3_EXT_METHOD v3_crl_num = {\n NID_crl_number,\n 0,\n ASN1_ITEM_ref(ASN1_INTEGER),\n 0,\n 0,\n 0,\n 0,\n i2s_ASN1_INTEGER_cb,\n 0,\n 0,\n 0,\n 0,\n 0,\n NULL,\n};\n\nconst X509V3_EXT_METHOD v3_delta_crl = {\n NID_delta_crl,\n 0,\n ASN1_ITEM_ref(ASN1_INTEGER),\n 0,\n 0,\n 0,\n 0,\n i2s_ASN1_INTEGER_cb,\n 0,\n 0,\n 0,\n 0,\n 0,\n NULL,\n};\n\nconst X509V3_EXT_METHOD v3_inhibit_anyp = {\n NID_inhibit_any_policy,\n 0,\n ASN1_ITEM_ref(ASN1_INTEGER),\n 0,\n 0,\n 0,\n 0,\n i2s_ASN1_INTEGER_cb,\n s2i_asn1_int,\n 0,\n 0,\n 0,\n 0,\n NULL,\n};\n" }, { "path": "Sources/CNIOBoringSSL/crypto/x509/v3_lib.cc", "content": "/*\n * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n/* X509 v3 extension utilities */\n\n#include \n#include \n\n#include \n#include \n#include \n#include \n#include \n\n#include \"internal.h\"\n\n#include \"ext_dat.h\"\n\nDEFINE_STACK_OF(X509V3_EXT_METHOD)\n\nstatic STACK_OF(X509V3_EXT_METHOD) *ext_list = NULL;\n\nstatic int ext_stack_cmp(const X509V3_EXT_METHOD *const *a,\n const X509V3_EXT_METHOD *const *b) {\n return ((*a)->ext_nid - (*b)->ext_nid);\n}\n\nint X509V3_EXT_add(X509V3_EXT_METHOD *ext) {\n // We only support |ASN1_ITEM|-based extensions.\n assert(ext->it != NULL);\n\n // TODO(davidben): This should be locked. Also check for duplicates.\n if (!ext_list && !(ext_list = sk_X509V3_EXT_METHOD_new(ext_stack_cmp))) {\n return 0;\n }\n if (!sk_X509V3_EXT_METHOD_push(ext_list, ext)) {\n return 0;\n }\n sk_X509V3_EXT_METHOD_sort(ext_list);\n return 1;\n}\n\nstatic int ext_cmp(const void *void_a, const void *void_b) {\n const X509V3_EXT_METHOD **a = (const X509V3_EXT_METHOD **)void_a;\n const X509V3_EXT_METHOD **b = (const X509V3_EXT_METHOD **)void_b;\n return ext_stack_cmp(a, b);\n}\n\nconst X509V3_EXT_METHOD *X509V3_EXT_get_nid(int nid) {\n X509V3_EXT_METHOD tmp;\n const X509V3_EXT_METHOD *t = &tmp, *const * ret;\n size_t idx;\n\n if (nid < 0) {\n return NULL;\n }\n tmp.ext_nid = nid;\n ret = reinterpret_cast(\n bsearch(&t, standard_exts, STANDARD_EXTENSION_COUNT,\n sizeof(X509V3_EXT_METHOD *), ext_cmp));\n if (ret) {\n return *ret;\n }\n if (!ext_list) {\n return NULL;\n }\n\n if (!sk_X509V3_EXT_METHOD_find(ext_list, &idx, &tmp)) {\n return NULL;\n }\n return sk_X509V3_EXT_METHOD_value(ext_list, idx);\n}\n\nconst X509V3_EXT_METHOD *X509V3_EXT_get(const X509_EXTENSION *ext) {\n int nid;\n if ((nid = OBJ_obj2nid(ext->object)) == NID_undef) {\n return NULL;\n }\n return X509V3_EXT_get_nid(nid);\n}\n\nint X509V3_EXT_free(int nid, void *ext_data) {\n const X509V3_EXT_METHOD *ext_method = X509V3_EXT_get_nid(nid);\n if (ext_method == NULL) {\n OPENSSL_PUT_ERROR(X509V3, X509V3_R_CANNOT_FIND_FREE_FUNCTION);\n return 0;\n }\n\n ASN1_item_free(reinterpret_cast(ext_data),\n ASN1_ITEM_ptr(ext_method->it));\n return 1;\n}\n\nint X509V3_EXT_add_alias(int nid_to, int nid_from) {\n OPENSSL_BEGIN_ALLOW_DEPRECATED\n const X509V3_EXT_METHOD *ext;\n X509V3_EXT_METHOD *tmpext;\n\n if (!(ext = X509V3_EXT_get_nid(nid_from))) {\n OPENSSL_PUT_ERROR(X509V3, X509V3_R_EXTENSION_NOT_FOUND);\n return 0;\n }\n if (!(tmpext =\n (X509V3_EXT_METHOD *)OPENSSL_malloc(sizeof(X509V3_EXT_METHOD)))) {\n return 0;\n }\n *tmpext = *ext;\n tmpext->ext_nid = nid_to;\n if (!X509V3_EXT_add(tmpext)) {\n OPENSSL_free(tmpext);\n return 0;\n }\n return 1;\n OPENSSL_END_ALLOW_DEPRECATED\n}\n\n// Legacy function: we don't need to add standard extensions any more because\n// they are now kept in ext_dat.h.\n\nint X509V3_add_standard_extensions(void) { return 1; }\n\n// Return an extension internal structure\n\nvoid *X509V3_EXT_d2i(const X509_EXTENSION *ext) {\n const X509V3_EXT_METHOD *method;\n const unsigned char *p;\n\n if (!(method = X509V3_EXT_get(ext))) {\n return NULL;\n }\n p = ext->value->data;\n void *ret =\n ASN1_item_d2i(NULL, &p, ext->value->length, ASN1_ITEM_ptr(method->it));\n if (ret == NULL) {\n return NULL;\n }\n // Check for trailing data.\n if (p != ext->value->data + ext->value->length) {\n ASN1_item_free(reinterpret_cast(ret),\n ASN1_ITEM_ptr(method->it));\n OPENSSL_PUT_ERROR(X509V3, X509V3_R_TRAILING_DATA_IN_EXTENSION);\n return NULL;\n }\n return ret;\n}\n\nvoid *X509V3_get_d2i(const STACK_OF(X509_EXTENSION) *extensions, int nid,\n int *out_critical, int *out_idx) {\n int lastpos;\n X509_EXTENSION *ex, *found_ex = NULL;\n if (!extensions) {\n if (out_idx) {\n *out_idx = -1;\n }\n if (out_critical) {\n *out_critical = -1;\n }\n return NULL;\n }\n if (out_idx) {\n lastpos = *out_idx + 1;\n } else {\n lastpos = 0;\n }\n if (lastpos < 0) {\n lastpos = 0;\n }\n for (size_t i = lastpos; i < sk_X509_EXTENSION_num(extensions); i++) {\n ex = sk_X509_EXTENSION_value(extensions, i);\n if (OBJ_obj2nid(ex->object) == nid) {\n if (out_idx) {\n // TODO(https://crbug.com/boringssl/379): Consistently reject\n // duplicate extensions.\n *out_idx = (int)i;\n found_ex = ex;\n break;\n } else if (found_ex) {\n // Found more than one\n if (out_critical) {\n *out_critical = -2;\n }\n return NULL;\n }\n found_ex = ex;\n }\n }\n if (found_ex) {\n // Found it\n if (out_critical) {\n *out_critical = X509_EXTENSION_get_critical(found_ex);\n }\n return X509V3_EXT_d2i(found_ex);\n }\n\n // Extension not found\n if (out_idx) {\n *out_idx = -1;\n }\n if (out_critical) {\n *out_critical = -1;\n }\n return NULL;\n}\n\n// This function is a general extension append, replace and delete utility.\n// The precise operation is governed by the 'flags' value. The 'crit' and\n// 'value' arguments (if relevant) are the extensions internal structure.\n\nint X509V3_add1_i2d(STACK_OF(X509_EXTENSION) **x, int nid, void *value,\n int crit, unsigned long flags) {\n int errcode, extidx = -1;\n X509_EXTENSION *ext = NULL, *extmp;\n STACK_OF(X509_EXTENSION) *ret = NULL;\n unsigned long ext_op = flags & X509V3_ADD_OP_MASK;\n\n // If appending we don't care if it exists, otherwise look for existing\n // extension.\n if (ext_op != X509V3_ADD_APPEND) {\n extidx = X509v3_get_ext_by_NID(*x, nid, -1);\n }\n\n // See if extension exists\n if (extidx >= 0) {\n // If keep existing, nothing to do\n if (ext_op == X509V3_ADD_KEEP_EXISTING) {\n return 1;\n }\n // If default then its an error\n if (ext_op == X509V3_ADD_DEFAULT) {\n errcode = X509V3_R_EXTENSION_EXISTS;\n goto err;\n }\n // If delete, just delete it\n if (ext_op == X509V3_ADD_DELETE) {\n X509_EXTENSION *prev_ext = sk_X509_EXTENSION_delete(*x, extidx);\n if (prev_ext == NULL) {\n return -1;\n }\n X509_EXTENSION_free(prev_ext);\n return 1;\n }\n } else {\n // If replace existing or delete, error since extension must exist\n if ((ext_op == X509V3_ADD_REPLACE_EXISTING) ||\n (ext_op == X509V3_ADD_DELETE)) {\n errcode = X509V3_R_EXTENSION_NOT_FOUND;\n goto err;\n }\n }\n\n // If we get this far then we have to create an extension: could have\n // some flags for alternative encoding schemes...\n\n ext = X509V3_EXT_i2d(nid, crit, value);\n\n if (!ext) {\n OPENSSL_PUT_ERROR(X509V3, X509V3_R_ERROR_CREATING_EXTENSION);\n return 0;\n }\n\n // If extension exists replace it..\n if (extidx >= 0) {\n extmp = sk_X509_EXTENSION_value(*x, extidx);\n X509_EXTENSION_free(extmp);\n if (!sk_X509_EXTENSION_set(*x, extidx, ext)) {\n return -1;\n }\n return 1;\n }\n\n if ((ret = *x) == NULL && (ret = sk_X509_EXTENSION_new_null()) == NULL) {\n goto m_fail;\n }\n if (!sk_X509_EXTENSION_push(ret, ext)) {\n goto m_fail;\n }\n\n *x = ret;\n return 1;\n\nm_fail:\n if (ret != *x) {\n sk_X509_EXTENSION_free(ret);\n }\n X509_EXTENSION_free(ext);\n return -1;\n\nerr:\n if (!(flags & X509V3_ADD_SILENT)) {\n OPENSSL_PUT_ERROR(X509V3, errcode);\n }\n return 0;\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/x509/v3_ncons.cc", "content": "/*\n * Copyright 2003-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n#include \n\n#include \n#include \n#include \n#include \n#include \n#include \n\n#include \"../internal.h\"\n#include \"ext_dat.h\"\n#include \"internal.h\"\n\n\nstatic void *v2i_NAME_CONSTRAINTS(const X509V3_EXT_METHOD *method,\n const X509V3_CTX *ctx,\n const STACK_OF(CONF_VALUE) *nval);\nstatic int i2r_NAME_CONSTRAINTS(const X509V3_EXT_METHOD *method, void *a,\n BIO *bp, int ind);\nstatic int do_i2r_name_constraints(const X509V3_EXT_METHOD *method,\n STACK_OF(GENERAL_SUBTREE) *trees, BIO *bp,\n int ind, const char *name);\nstatic int print_nc_ipadd(BIO *bp, const ASN1_OCTET_STRING *ip);\n\nstatic int nc_match(GENERAL_NAME *gen, NAME_CONSTRAINTS *nc);\nstatic int nc_match_single(GENERAL_NAME *sub, GENERAL_NAME *gen);\nstatic int nc_dn(X509_NAME *sub, X509_NAME *nm);\nstatic int nc_dns(const ASN1_IA5STRING *sub, const ASN1_IA5STRING *dns);\nstatic int nc_email(const ASN1_IA5STRING *sub, const ASN1_IA5STRING *eml);\nstatic int nc_uri(const ASN1_IA5STRING *uri, const ASN1_IA5STRING *base);\n\nconst X509V3_EXT_METHOD v3_name_constraints = {\n NID_name_constraints,\n 0,\n ASN1_ITEM_ref(NAME_CONSTRAINTS),\n 0,\n 0,\n 0,\n 0,\n 0,\n 0,\n 0,\n v2i_NAME_CONSTRAINTS,\n i2r_NAME_CONSTRAINTS,\n 0,\n NULL,\n};\n\nASN1_SEQUENCE(GENERAL_SUBTREE) = {\n ASN1_SIMPLE(GENERAL_SUBTREE, base, GENERAL_NAME),\n ASN1_IMP_OPT(GENERAL_SUBTREE, minimum, ASN1_INTEGER, 0),\n ASN1_IMP_OPT(GENERAL_SUBTREE, maximum, ASN1_INTEGER, 1),\n} ASN1_SEQUENCE_END(GENERAL_SUBTREE)\n\nASN1_SEQUENCE(NAME_CONSTRAINTS) = {\n ASN1_IMP_SEQUENCE_OF_OPT(NAME_CONSTRAINTS, permittedSubtrees,\n GENERAL_SUBTREE, 0),\n ASN1_IMP_SEQUENCE_OF_OPT(NAME_CONSTRAINTS, excludedSubtrees,\n GENERAL_SUBTREE, 1),\n} ASN1_SEQUENCE_END(NAME_CONSTRAINTS)\n\n\nIMPLEMENT_ASN1_ALLOC_FUNCTIONS(GENERAL_SUBTREE)\nIMPLEMENT_ASN1_ALLOC_FUNCTIONS(NAME_CONSTRAINTS)\n\nstatic void *v2i_NAME_CONSTRAINTS(const X509V3_EXT_METHOD *method,\n const X509V3_CTX *ctx,\n const STACK_OF(CONF_VALUE) *nval) {\n STACK_OF(GENERAL_SUBTREE) **ptree = NULL;\n NAME_CONSTRAINTS *ncons = NULL;\n GENERAL_SUBTREE *sub = NULL;\n ncons = NAME_CONSTRAINTS_new();\n if (!ncons) {\n goto err;\n }\n for (size_t i = 0; i < sk_CONF_VALUE_num(nval); i++) {\n const CONF_VALUE *val = sk_CONF_VALUE_value(nval, i);\n CONF_VALUE tval;\n if (!strncmp(val->name, \"permitted\", 9) && val->name[9]) {\n ptree = &ncons->permittedSubtrees;\n tval.name = val->name + 10;\n } else if (!strncmp(val->name, \"excluded\", 8) && val->name[8]) {\n ptree = &ncons->excludedSubtrees;\n tval.name = val->name + 9;\n } else {\n OPENSSL_PUT_ERROR(X509V3, X509V3_R_INVALID_SYNTAX);\n goto err;\n }\n tval.value = val->value;\n sub = GENERAL_SUBTREE_new();\n if (!v2i_GENERAL_NAME_ex(sub->base, method, ctx, &tval, 1)) {\n goto err;\n }\n if (!*ptree) {\n *ptree = sk_GENERAL_SUBTREE_new_null();\n }\n if (!*ptree || !sk_GENERAL_SUBTREE_push(*ptree, sub)) {\n goto err;\n }\n sub = NULL;\n }\n\n return ncons;\n\nerr:\n NAME_CONSTRAINTS_free(ncons);\n GENERAL_SUBTREE_free(sub);\n return NULL;\n}\n\nstatic int i2r_NAME_CONSTRAINTS(const X509V3_EXT_METHOD *method, void *a,\n BIO *bp, int ind) {\n NAME_CONSTRAINTS *ncons = reinterpret_cast(a);\n do_i2r_name_constraints(method, ncons->permittedSubtrees, bp, ind,\n \"Permitted\");\n do_i2r_name_constraints(method, ncons->excludedSubtrees, bp, ind, \"Excluded\");\n return 1;\n}\n\nstatic int do_i2r_name_constraints(const X509V3_EXT_METHOD *method,\n STACK_OF(GENERAL_SUBTREE) *trees, BIO *bp,\n int ind, const char *name) {\n GENERAL_SUBTREE *tree;\n size_t i;\n if (sk_GENERAL_SUBTREE_num(trees) > 0) {\n BIO_printf(bp, \"%*s%s:\\n\", ind, \"\", name);\n }\n for (i = 0; i < sk_GENERAL_SUBTREE_num(trees); i++) {\n tree = sk_GENERAL_SUBTREE_value(trees, i);\n BIO_printf(bp, \"%*s\", ind + 2, \"\");\n if (tree->base->type == GEN_IPADD) {\n print_nc_ipadd(bp, tree->base->d.ip);\n } else {\n GENERAL_NAME_print(bp, tree->base);\n }\n BIO_puts(bp, \"\\n\");\n }\n return 1;\n}\n\nstatic int print_nc_ipadd(BIO *bp, const ASN1_OCTET_STRING *ip) {\n int i, len;\n unsigned char *p;\n p = ip->data;\n len = ip->length;\n BIO_puts(bp, \"IP:\");\n if (len == 8) {\n BIO_printf(bp, \"%d.%d.%d.%d/%d.%d.%d.%d\", p[0], p[1], p[2], p[3], p[4],\n p[5], p[6], p[7]);\n } else if (len == 32) {\n for (i = 0; i < 16; i++) {\n uint16_t v = ((uint16_t)p[0] << 8) | p[1];\n BIO_printf(bp, \"%X\", v);\n p += 2;\n if (i == 7) {\n BIO_puts(bp, \"/\");\n } else if (i != 15) {\n BIO_puts(bp, \":\");\n }\n }\n } else {\n BIO_printf(bp, \"IP Address:\");\n }\n return 1;\n}\n\n//-\n// Check a certificate conforms to a specified set of constraints.\n// Return values:\n// X509_V_OK: All constraints obeyed.\n// X509_V_ERR_PERMITTED_VIOLATION: Permitted subtree violation.\n// X509_V_ERR_EXCLUDED_VIOLATION: Excluded subtree violation.\n// X509_V_ERR_SUBTREE_MINMAX: Min or max values present and matching type.\n// X509_V_ERR_UNSPECIFIED: Unspecified error.\n// X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE: Unsupported constraint type.\n// X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX: Bad or unsupported constraint\n// syntax.\n// X509_V_ERR_UNSUPPORTED_NAME_SYNTAX: Bad or unsupported syntax of name.\n\nint NAME_CONSTRAINTS_check(X509 *x, NAME_CONSTRAINTS *nc) {\n int r, i;\n size_t j;\n X509_NAME *nm;\n\n nm = X509_get_subject_name(x);\n\n // Guard against certificates with an excessive number of names or\n // constraints causing a computationally expensive name constraints\n // check.\n size_t name_count =\n X509_NAME_entry_count(nm) + sk_GENERAL_NAME_num(x->altname);\n size_t constraint_count = sk_GENERAL_SUBTREE_num(nc->permittedSubtrees) +\n sk_GENERAL_SUBTREE_num(nc->excludedSubtrees);\n size_t check_count = constraint_count * name_count;\n if (name_count < (size_t)X509_NAME_entry_count(nm) ||\n constraint_count < sk_GENERAL_SUBTREE_num(nc->permittedSubtrees) ||\n (constraint_count && check_count / constraint_count != name_count) ||\n check_count > 1 << 20) {\n return X509_V_ERR_UNSPECIFIED;\n }\n\n if (X509_NAME_entry_count(nm) > 0) {\n GENERAL_NAME gntmp;\n gntmp.type = GEN_DIRNAME;\n gntmp.d.directoryName = nm;\n\n r = nc_match(&gntmp, nc);\n\n if (r != X509_V_OK) {\n return r;\n }\n\n gntmp.type = GEN_EMAIL;\n\n // Process any email address attributes in subject name\n\n for (i = -1;;) {\n i = X509_NAME_get_index_by_NID(nm, NID_pkcs9_emailAddress, i);\n if (i == -1) {\n break;\n }\n const X509_NAME_ENTRY *ne = X509_NAME_get_entry(nm, i);\n gntmp.d.rfc822Name = X509_NAME_ENTRY_get_data(ne);\n if (gntmp.d.rfc822Name->type != V_ASN1_IA5STRING) {\n return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX;\n }\n\n r = nc_match(&gntmp, nc);\n\n if (r != X509_V_OK) {\n return r;\n }\n }\n }\n\n for (j = 0; j < sk_GENERAL_NAME_num(x->altname); j++) {\n GENERAL_NAME *gen = sk_GENERAL_NAME_value(x->altname, j);\n r = nc_match(gen, nc);\n if (r != X509_V_OK) {\n return r;\n }\n }\n\n return X509_V_OK;\n}\n\nstatic int nc_match(GENERAL_NAME *gen, NAME_CONSTRAINTS *nc) {\n GENERAL_SUBTREE *sub;\n int r, match = 0;\n size_t i;\n\n // Permitted subtrees: if any subtrees exist of matching the type at\n // least one subtree must match.\n\n for (i = 0; i < sk_GENERAL_SUBTREE_num(nc->permittedSubtrees); i++) {\n sub = sk_GENERAL_SUBTREE_value(nc->permittedSubtrees, i);\n if (gen->type != sub->base->type) {\n continue;\n }\n if (sub->minimum || sub->maximum) {\n return X509_V_ERR_SUBTREE_MINMAX;\n }\n // If we already have a match don't bother trying any more\n if (match == 2) {\n continue;\n }\n if (match == 0) {\n match = 1;\n }\n r = nc_match_single(gen, sub->base);\n if (r == X509_V_OK) {\n match = 2;\n } else if (r != X509_V_ERR_PERMITTED_VIOLATION) {\n return r;\n }\n }\n\n if (match == 1) {\n return X509_V_ERR_PERMITTED_VIOLATION;\n }\n\n // Excluded subtrees: must not match any of these\n\n for (i = 0; i < sk_GENERAL_SUBTREE_num(nc->excludedSubtrees); i++) {\n sub = sk_GENERAL_SUBTREE_value(nc->excludedSubtrees, i);\n if (gen->type != sub->base->type) {\n continue;\n }\n if (sub->minimum || sub->maximum) {\n return X509_V_ERR_SUBTREE_MINMAX;\n }\n\n r = nc_match_single(gen, sub->base);\n if (r == X509_V_OK) {\n return X509_V_ERR_EXCLUDED_VIOLATION;\n } else if (r != X509_V_ERR_PERMITTED_VIOLATION) {\n return r;\n }\n }\n\n return X509_V_OK;\n}\n\nstatic int nc_match_single(GENERAL_NAME *gen, GENERAL_NAME *base) {\n switch (base->type) {\n case GEN_DIRNAME:\n return nc_dn(gen->d.directoryName, base->d.directoryName);\n\n case GEN_DNS:\n return nc_dns(gen->d.dNSName, base->d.dNSName);\n\n case GEN_EMAIL:\n return nc_email(gen->d.rfc822Name, base->d.rfc822Name);\n\n case GEN_URI:\n return nc_uri(gen->d.uniformResourceIdentifier,\n base->d.uniformResourceIdentifier);\n\n default:\n return X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE;\n }\n}\n\n// directoryName name constraint matching. The canonical encoding of\n// X509_NAME makes this comparison easy. It is matched if the subtree is a\n// subset of the name.\n\nstatic int nc_dn(X509_NAME *nm, X509_NAME *base) {\n // Ensure canonical encodings are up to date.\n if (nm->modified && i2d_X509_NAME(nm, NULL) < 0) {\n return X509_V_ERR_OUT_OF_MEM;\n }\n if (base->modified && i2d_X509_NAME(base, NULL) < 0) {\n return X509_V_ERR_OUT_OF_MEM;\n }\n if (base->canon_enclen > nm->canon_enclen) {\n return X509_V_ERR_PERMITTED_VIOLATION;\n }\n if (OPENSSL_memcmp(base->canon_enc, nm->canon_enc, base->canon_enclen)) {\n return X509_V_ERR_PERMITTED_VIOLATION;\n }\n return X509_V_OK;\n}\n\nstatic int starts_with(const CBS *cbs, uint8_t c) {\n return CBS_len(cbs) > 0 && CBS_data(cbs)[0] == c;\n}\n\nstatic int equal_case(const CBS *a, const CBS *b) {\n if (CBS_len(a) != CBS_len(b)) {\n return 0;\n }\n // Note we cannot use |OPENSSL_strncasecmp| because that would stop\n // iterating at NUL.\n const uint8_t *a_data = CBS_data(a), *b_data = CBS_data(b);\n for (size_t i = 0; i < CBS_len(a); i++) {\n if (OPENSSL_tolower(a_data[i]) != OPENSSL_tolower(b_data[i])) {\n return 0;\n }\n }\n return 1;\n}\n\nstatic int has_suffix_case(const CBS *a, const CBS *b) {\n if (CBS_len(a) < CBS_len(b)) {\n return 0;\n }\n CBS copy = *a;\n CBS_skip(©, CBS_len(a) - CBS_len(b));\n return equal_case(©, b);\n}\n\nstatic int nc_dns(const ASN1_IA5STRING *dns, const ASN1_IA5STRING *base) {\n CBS dns_cbs, base_cbs;\n CBS_init(&dns_cbs, dns->data, dns->length);\n CBS_init(&base_cbs, base->data, base->length);\n\n // Empty matches everything\n if (CBS_len(&base_cbs) == 0) {\n return X509_V_OK;\n }\n\n // If |base_cbs| begins with a '.', do a simple suffix comparison. This is\n // not part of RFC5280, but is part of OpenSSL's original behavior.\n if (starts_with(&base_cbs, '.')) {\n if (has_suffix_case(&dns_cbs, &base_cbs)) {\n return X509_V_OK;\n }\n return X509_V_ERR_PERMITTED_VIOLATION;\n }\n\n // Otherwise can add zero or more components on the left so compare RHS\n // and if dns is longer and expect '.' as preceding character.\n if (CBS_len(&dns_cbs) > CBS_len(&base_cbs)) {\n uint8_t dot;\n if (!CBS_skip(&dns_cbs, CBS_len(&dns_cbs) - CBS_len(&base_cbs) - 1) ||\n !CBS_get_u8(&dns_cbs, &dot) || dot != '.') {\n return X509_V_ERR_PERMITTED_VIOLATION;\n }\n }\n\n if (!equal_case(&dns_cbs, &base_cbs)) {\n return X509_V_ERR_PERMITTED_VIOLATION;\n }\n\n return X509_V_OK;\n}\n\nstatic int nc_email(const ASN1_IA5STRING *eml, const ASN1_IA5STRING *base) {\n CBS eml_cbs, base_cbs;\n CBS_init(&eml_cbs, eml->data, eml->length);\n CBS_init(&base_cbs, base->data, base->length);\n\n // TODO(davidben): In OpenSSL 1.1.1, this switched from the first '@' to the\n // last one. Match them here, or perhaps do an actual parse. Looks like\n // multiple '@'s may be allowed in quoted strings.\n CBS eml_local, base_local;\n if (!CBS_get_until_first(&eml_cbs, &eml_local, '@')) {\n return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX;\n }\n int base_has_at = CBS_get_until_first(&base_cbs, &base_local, '@');\n\n // Special case: initial '.' is RHS match\n if (!base_has_at && starts_with(&base_cbs, '.')) {\n if (has_suffix_case(&eml_cbs, &base_cbs)) {\n return X509_V_OK;\n }\n return X509_V_ERR_PERMITTED_VIOLATION;\n }\n\n // If we have anything before '@' match local part\n if (base_has_at) {\n // TODO(davidben): This interprets a constraint of \"@example.com\" as\n // \"example.com\", which is not part of RFC5280.\n if (CBS_len(&base_local) > 0) {\n // Case sensitive match of local part\n if (!CBS_mem_equal(&base_local, CBS_data(&eml_local),\n CBS_len(&eml_local))) {\n return X509_V_ERR_PERMITTED_VIOLATION;\n }\n }\n // Position base after '@'\n assert(starts_with(&base_cbs, '@'));\n CBS_skip(&base_cbs, 1);\n }\n\n // Just have hostname left to match: case insensitive\n assert(starts_with(&eml_cbs, '@'));\n CBS_skip(&eml_cbs, 1);\n if (!equal_case(&base_cbs, &eml_cbs)) {\n return X509_V_ERR_PERMITTED_VIOLATION;\n }\n\n return X509_V_OK;\n}\n\nstatic int nc_uri(const ASN1_IA5STRING *uri, const ASN1_IA5STRING *base) {\n CBS uri_cbs, base_cbs;\n CBS_init(&uri_cbs, uri->data, uri->length);\n CBS_init(&base_cbs, base->data, base->length);\n\n // Check for foo:// and skip past it\n CBS scheme;\n uint8_t byte;\n if (!CBS_get_until_first(&uri_cbs, &scheme, ':') ||\n !CBS_skip(&uri_cbs, 1) || // Skip the colon\n !CBS_get_u8(&uri_cbs, &byte) || byte != '/' ||\n !CBS_get_u8(&uri_cbs, &byte) || byte != '/') {\n return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX;\n }\n\n // Look for a port indicator as end of hostname first. Otherwise look for\n // trailing slash, or the end of the string.\n // TODO(davidben): This is not a correct URI parser and mishandles IPv6\n // literals.\n CBS host;\n if (!CBS_get_until_first(&uri_cbs, &host, ':') &&\n !CBS_get_until_first(&uri_cbs, &host, '/')) {\n host = uri_cbs;\n }\n\n if (CBS_len(&host) == 0) {\n return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX;\n }\n\n // Special case: initial '.' is RHS match\n if (starts_with(&base_cbs, '.')) {\n if (has_suffix_case(&host, &base_cbs)) {\n return X509_V_OK;\n }\n return X509_V_ERR_PERMITTED_VIOLATION;\n }\n\n if (!equal_case(&base_cbs, &host)) {\n return X509_V_ERR_PERMITTED_VIOLATION;\n }\n\n return X509_V_OK;\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/x509/v3_ocsp.cc", "content": "/*\n * Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n#include \n#include \n\n#include \"ext_dat.h\"\n\n// OCSP extensions and a couple of CRL entry extensions\n\nstatic int i2r_ocsp_acutoff(const X509V3_EXT_METHOD *method, void *nonce,\n BIO *out, int indent);\n\nstatic int i2r_ocsp_nocheck(const X509V3_EXT_METHOD *method, void *nocheck,\n BIO *out, int indent);\nstatic void *s2i_ocsp_nocheck(const X509V3_EXT_METHOD *method,\n const X509V3_CTX *ctx, const char *str);\n\nconst X509V3_EXT_METHOD v3_crl_invdate = {\n NID_invalidity_date,\n 0,\n ASN1_ITEM_ref(ASN1_GENERALIZEDTIME),\n 0,\n 0,\n 0,\n 0,\n 0,\n 0,\n 0,\n 0,\n i2r_ocsp_acutoff,\n 0,\n NULL,\n};\n\nconst X509V3_EXT_METHOD v3_ocsp_nocheck = {\n NID_id_pkix_OCSP_noCheck,\n 0,\n ASN1_ITEM_ref(ASN1_NULL),\n 0,\n 0,\n 0,\n 0,\n 0,\n s2i_ocsp_nocheck,\n 0,\n 0,\n i2r_ocsp_nocheck,\n 0,\n NULL,\n};\n\nstatic int i2r_ocsp_acutoff(const X509V3_EXT_METHOD *method, void *cutoff,\n BIO *bp, int ind) {\n if (BIO_printf(bp, \"%*s\", ind, \"\") <= 0) {\n return 0;\n }\n if (!ASN1_GENERALIZEDTIME_print(\n bp, reinterpret_cast(cutoff))) {\n return 0;\n }\n return 1;\n}\n\n// Nocheck is just a single NULL. Don't print anything and always set it\n\nstatic int i2r_ocsp_nocheck(const X509V3_EXT_METHOD *method, void *nocheck,\n BIO *out, int indent) {\n return 1;\n}\n\nstatic void *s2i_ocsp_nocheck(const X509V3_EXT_METHOD *method,\n const X509V3_CTX *ctx, const char *str) {\n return ASN1_NULL_new();\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/x509/v3_pcons.cc", "content": "/*\n * Copyright 2003-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n#include \n\n#include \n#include \n#include \n#include \n#include \n#include \n\n#include \"ext_dat.h\"\n#include \"internal.h\"\n\n\nstatic STACK_OF(CONF_VALUE) *i2v_POLICY_CONSTRAINTS(\n const X509V3_EXT_METHOD *method, void *bcons,\n STACK_OF(CONF_VALUE) *extlist);\nstatic void *v2i_POLICY_CONSTRAINTS(const X509V3_EXT_METHOD *method,\n const X509V3_CTX *ctx,\n const STACK_OF(CONF_VALUE) *values);\n\nconst X509V3_EXT_METHOD v3_policy_constraints = {\n NID_policy_constraints,\n 0,\n ASN1_ITEM_ref(POLICY_CONSTRAINTS),\n 0,\n 0,\n 0,\n 0,\n 0,\n 0,\n i2v_POLICY_CONSTRAINTS,\n v2i_POLICY_CONSTRAINTS,\n NULL,\n NULL,\n NULL};\n\nASN1_SEQUENCE(POLICY_CONSTRAINTS) = {\n ASN1_IMP_OPT(POLICY_CONSTRAINTS, requireExplicitPolicy, ASN1_INTEGER, 0),\n ASN1_IMP_OPT(POLICY_CONSTRAINTS, inhibitPolicyMapping, ASN1_INTEGER, 1),\n} ASN1_SEQUENCE_END(POLICY_CONSTRAINTS)\n\nIMPLEMENT_ASN1_ALLOC_FUNCTIONS(POLICY_CONSTRAINTS)\n\nstatic STACK_OF(CONF_VALUE) *i2v_POLICY_CONSTRAINTS(\n const X509V3_EXT_METHOD *method, void *a, STACK_OF(CONF_VALUE) *extlist) {\n const POLICY_CONSTRAINTS *pcons = reinterpret_cast(a);\n X509V3_add_value_int(\"Require Explicit Policy\", pcons->requireExplicitPolicy,\n &extlist);\n X509V3_add_value_int(\"Inhibit Policy Mapping\", pcons->inhibitPolicyMapping,\n &extlist);\n return extlist;\n}\n\nstatic void *v2i_POLICY_CONSTRAINTS(const X509V3_EXT_METHOD *method,\n const X509V3_CTX *ctx,\n const STACK_OF(CONF_VALUE) *values) {\n POLICY_CONSTRAINTS *pcons = NULL;\n if (!(pcons = POLICY_CONSTRAINTS_new())) {\n return NULL;\n }\n for (size_t i = 0; i < sk_CONF_VALUE_num(values); i++) {\n const CONF_VALUE *val = sk_CONF_VALUE_value(values, i);\n if (!strcmp(val->name, \"requireExplicitPolicy\")) {\n if (!X509V3_get_value_int(val, &pcons->requireExplicitPolicy)) {\n goto err;\n }\n } else if (!strcmp(val->name, \"inhibitPolicyMapping\")) {\n if (!X509V3_get_value_int(val, &pcons->inhibitPolicyMapping)) {\n goto err;\n }\n } else {\n OPENSSL_PUT_ERROR(X509V3, X509V3_R_INVALID_NAME);\n X509V3_conf_err(val);\n goto err;\n }\n }\n if (!pcons->inhibitPolicyMapping && !pcons->requireExplicitPolicy) {\n OPENSSL_PUT_ERROR(X509V3, X509V3_R_ILLEGAL_EMPTY_EXTENSION);\n goto err;\n }\n\n return pcons;\nerr:\n POLICY_CONSTRAINTS_free(pcons);\n return NULL;\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/x509/v3_pmaps.cc", "content": "/*\n * Copyright 2003-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n#include \n#include \n#include \n#include \n\n#include \"ext_dat.h\"\n#include \"internal.h\"\n\n\nstatic void *v2i_POLICY_MAPPINGS(const X509V3_EXT_METHOD *method,\n const X509V3_CTX *ctx,\n const STACK_OF(CONF_VALUE) *nval);\nstatic STACK_OF(CONF_VALUE) *i2v_POLICY_MAPPINGS(\n const X509V3_EXT_METHOD *method, void *pmps, STACK_OF(CONF_VALUE) *extlist);\n\nconst X509V3_EXT_METHOD v3_policy_mappings = {\n NID_policy_mappings,\n 0,\n ASN1_ITEM_ref(POLICY_MAPPINGS),\n 0,\n 0,\n 0,\n 0,\n 0,\n 0,\n i2v_POLICY_MAPPINGS,\n v2i_POLICY_MAPPINGS,\n 0,\n 0,\n NULL,\n};\n\nASN1_SEQUENCE(POLICY_MAPPING) = {\n ASN1_SIMPLE(POLICY_MAPPING, issuerDomainPolicy, ASN1_OBJECT),\n ASN1_SIMPLE(POLICY_MAPPING, subjectDomainPolicy, ASN1_OBJECT),\n} ASN1_SEQUENCE_END(POLICY_MAPPING)\n\nASN1_ITEM_TEMPLATE(POLICY_MAPPINGS) = ASN1_EX_TEMPLATE_TYPE(\n ASN1_TFLG_SEQUENCE_OF, 0, POLICY_MAPPINGS, POLICY_MAPPING)\nASN1_ITEM_TEMPLATE_END(POLICY_MAPPINGS)\n\nIMPLEMENT_ASN1_ALLOC_FUNCTIONS(POLICY_MAPPING)\n\nstatic STACK_OF(CONF_VALUE) *i2v_POLICY_MAPPINGS(\n const X509V3_EXT_METHOD *method, void *a, STACK_OF(CONF_VALUE) *ext_list) {\n const POLICY_MAPPINGS *pmaps = reinterpret_cast(a);\n for (size_t i = 0; i < sk_POLICY_MAPPING_num(pmaps); i++) {\n const POLICY_MAPPING *pmap = sk_POLICY_MAPPING_value(pmaps, i);\n char obj_tmp1[80], obj_tmp2[80];\n i2t_ASN1_OBJECT(obj_tmp1, 80, pmap->issuerDomainPolicy);\n i2t_ASN1_OBJECT(obj_tmp2, 80, pmap->subjectDomainPolicy);\n X509V3_add_value(obj_tmp1, obj_tmp2, &ext_list);\n }\n return ext_list;\n}\n\nstatic void *v2i_POLICY_MAPPINGS(const X509V3_EXT_METHOD *method,\n const X509V3_CTX *ctx,\n const STACK_OF(CONF_VALUE) *nval) {\n POLICY_MAPPINGS *pmaps = sk_POLICY_MAPPING_new_null();\n if (pmaps == NULL) {\n return NULL;\n }\n\n for (size_t i = 0; i < sk_CONF_VALUE_num(nval); i++) {\n const CONF_VALUE *val = sk_CONF_VALUE_value(nval, i);\n if (!val->value || !val->name) {\n OPENSSL_PUT_ERROR(X509V3, X509V3_R_INVALID_OBJECT_IDENTIFIER);\n X509V3_conf_err(val);\n goto err;\n }\n\n POLICY_MAPPING *pmap = POLICY_MAPPING_new();\n if (pmap == NULL || !sk_POLICY_MAPPING_push(pmaps, pmap)) {\n POLICY_MAPPING_free(pmap);\n goto err;\n }\n\n pmap->issuerDomainPolicy = OBJ_txt2obj(val->name, 0);\n pmap->subjectDomainPolicy = OBJ_txt2obj(val->value, 0);\n if (!pmap->issuerDomainPolicy || !pmap->subjectDomainPolicy) {\n OPENSSL_PUT_ERROR(X509V3, X509V3_R_INVALID_OBJECT_IDENTIFIER);\n X509V3_conf_err(val);\n goto err;\n }\n }\n return pmaps;\n\nerr:\n sk_POLICY_MAPPING_pop_free(pmaps, POLICY_MAPPING_free);\n return NULL;\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/x509/v3_prn.cc", "content": "/*\n * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n// X509 v3 extension utilities\n\n#include \n\n#include \n#include \n#include \n#include \n\n// Extension printing routines\n\nstatic int unknown_ext_print(BIO *out, const X509_EXTENSION *ext,\n unsigned long flag, int indent, int supported);\n\n// Print out a name+value stack\nstatic void X509V3_EXT_val_prn(BIO *out, const STACK_OF(CONF_VALUE) *val,\n int indent, int ml) {\n if (!val) {\n return;\n }\n if (!ml || !sk_CONF_VALUE_num(val)) {\n BIO_printf(out, \"%*s\", indent, \"\");\n if (!sk_CONF_VALUE_num(val)) {\n BIO_puts(out, \"\\n\");\n }\n }\n for (size_t i = 0; i < sk_CONF_VALUE_num(val); i++) {\n if (ml) {\n BIO_printf(out, \"%*s\", indent, \"\");\n } else if (i > 0) {\n BIO_printf(out, \", \");\n }\n const CONF_VALUE *nval = sk_CONF_VALUE_value(val, i);\n if (!nval->name) {\n BIO_puts(out, nval->value);\n } else if (!nval->value) {\n BIO_puts(out, nval->name);\n } else {\n BIO_printf(out, \"%s:%s\", nval->name, nval->value);\n }\n if (ml) {\n BIO_puts(out, \"\\n\");\n }\n }\n}\n\n// Main routine: print out a general extension\n\nint X509V3_EXT_print(BIO *out, const X509_EXTENSION *ext, unsigned long flag,\n int indent) {\n const X509V3_EXT_METHOD *method = X509V3_EXT_get(ext);\n if (method == NULL) {\n return unknown_ext_print(out, ext, flag, indent, 0);\n }\n const ASN1_STRING *ext_data = X509_EXTENSION_get_data(ext);\n const unsigned char *p = ASN1_STRING_get0_data(ext_data);\n void *ext_str = ASN1_item_d2i(NULL, &p, ASN1_STRING_length(ext_data),\n ASN1_ITEM_ptr(method->it));\n if (!ext_str) {\n return unknown_ext_print(out, ext, flag, indent, 1);\n }\n\n char *value = NULL;\n STACK_OF(CONF_VALUE) *nval = NULL;\n int ok = 0;\n if (method->i2s) {\n if (!(value = method->i2s(method, ext_str))) {\n goto err;\n }\n BIO_printf(out, \"%*s%s\", indent, \"\", value);\n } else if (method->i2v) {\n if (!(nval = method->i2v(method, ext_str, NULL))) {\n goto err;\n }\n X509V3_EXT_val_prn(out, nval, indent,\n method->ext_flags & X509V3_EXT_MULTILINE);\n } else if (method->i2r) {\n if (!method->i2r(method, ext_str, out, indent)) {\n goto err;\n }\n } else {\n OPENSSL_PUT_ERROR(X509V3, X509V3_R_OPERATION_NOT_DEFINED);\n goto err;\n }\n\n ok = 1;\n\nerr:\n sk_CONF_VALUE_pop_free(nval, X509V3_conf_free);\n OPENSSL_free(value);\n ASN1_item_free(reinterpret_cast(ext_str),\n ASN1_ITEM_ptr(method->it));\n return ok;\n}\n\nint X509V3_extensions_print(BIO *bp, const char *title,\n const STACK_OF(X509_EXTENSION) *exts,\n unsigned long flag, int indent) {\n size_t i;\n int j;\n\n if (sk_X509_EXTENSION_num(exts) <= 0) {\n return 1;\n }\n\n if (title) {\n BIO_printf(bp, \"%*s%s:\\n\", indent, \"\", title);\n indent += 4;\n }\n\n for (i = 0; i < sk_X509_EXTENSION_num(exts); i++) {\n const X509_EXTENSION *ex = sk_X509_EXTENSION_value(exts, i);\n if (indent && BIO_printf(bp, \"%*s\", indent, \"\") <= 0) {\n return 0;\n }\n const ASN1_OBJECT *obj = X509_EXTENSION_get_object(ex);\n i2a_ASN1_OBJECT(bp, obj);\n j = X509_EXTENSION_get_critical(ex);\n if (BIO_printf(bp, \": %s\\n\", j ? \"critical\" : \"\") <= 0) {\n return 0;\n }\n if (!X509V3_EXT_print(bp, ex, flag, indent + 4)) {\n BIO_printf(bp, \"%*s\", indent + 4, \"\");\n ASN1_STRING_print(bp, X509_EXTENSION_get_data(ex));\n }\n if (BIO_write(bp, \"\\n\", 1) <= 0) {\n return 0;\n }\n }\n return 1;\n}\n\nstatic int unknown_ext_print(BIO *out, const X509_EXTENSION *ext,\n unsigned long flag, int indent, int supported) {\n switch (flag & X509V3_EXT_UNKNOWN_MASK) {\n case X509V3_EXT_DEFAULT:\n return 0;\n\n case X509V3_EXT_ERROR_UNKNOWN:\n if (supported) {\n BIO_printf(out, \"%*s\", indent, \"\");\n } else {\n BIO_printf(out, \"%*s\", indent, \"\");\n }\n return 1;\n\n case X509V3_EXT_PARSE_UNKNOWN:\n case X509V3_EXT_DUMP_UNKNOWN: {\n const ASN1_STRING *data = X509_EXTENSION_get_data(ext);\n return BIO_hexdump(out, ASN1_STRING_get0_data(data),\n ASN1_STRING_length(data), indent);\n }\n\n default:\n return 1;\n }\n}\n\nint X509V3_EXT_print_fp(FILE *fp, const X509_EXTENSION *ext, int flag,\n int indent) {\n BIO *bio_tmp;\n int ret;\n if (!(bio_tmp = BIO_new_fp(fp, BIO_NOCLOSE))) {\n return 0;\n }\n ret = X509V3_EXT_print(bio_tmp, ext, flag, indent);\n BIO_free(bio_tmp);\n return ret;\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/x509/v3_purp.cc", "content": "/*\n * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n#include \n#include \n#include \n#include \n#include \n\n#include \"../internal.h\"\n#include \"internal.h\"\n\n\nstruct x509_purpose_st {\n int purpose;\n int trust; // Default trust ID\n int (*check_purpose)(const struct x509_purpose_st *, const X509 *, int);\n const char *sname;\n} /* X509_PURPOSE */;\n\n#define V1_ROOT (EXFLAG_V1 | EXFLAG_SS)\n#define ku_reject(x, usage) \\\n (((x)->ex_flags & EXFLAG_KUSAGE) && !((x)->ex_kusage & (usage)))\n#define xku_reject(x, usage) \\\n (((x)->ex_flags & EXFLAG_XKUSAGE) && !((x)->ex_xkusage & (usage)))\n\nstatic int check_ca(const X509 *x);\nstatic int check_purpose_ssl_client(const X509_PURPOSE *xp, const X509 *x,\n int ca);\nstatic int check_purpose_ssl_server(const X509_PURPOSE *xp, const X509 *x,\n int ca);\nstatic int check_purpose_ns_ssl_server(const X509_PURPOSE *xp, const X509 *x,\n int ca);\nstatic int check_purpose_smime_sign(const X509_PURPOSE *xp, const X509 *x,\n int ca);\nstatic int check_purpose_smime_encrypt(const X509_PURPOSE *xp, const X509 *x,\n int ca);\nstatic int check_purpose_crl_sign(const X509_PURPOSE *xp, const X509 *x,\n int ca);\nstatic int check_purpose_timestamp_sign(const X509_PURPOSE *xp, const X509 *x,\n int ca);\nstatic int no_check(const X509_PURPOSE *xp, const X509 *x, int ca);\n\n// X509_TRUST_NONE is not a valid |X509_TRUST_*| constant. It is used by\n// |X509_PURPOSE_ANY| to indicate that it has no corresponding trust type and\n// cannot be used with |X509_STORE_CTX_set_purpose|.\n#define X509_TRUST_NONE (-1)\n\nstatic const X509_PURPOSE xstandard[] = {\n {X509_PURPOSE_SSL_CLIENT, X509_TRUST_SSL_CLIENT, check_purpose_ssl_client,\n \"sslclient\"},\n {X509_PURPOSE_SSL_SERVER, X509_TRUST_SSL_SERVER, check_purpose_ssl_server,\n \"sslserver\"},\n {X509_PURPOSE_NS_SSL_SERVER, X509_TRUST_SSL_SERVER,\n check_purpose_ns_ssl_server, \"nssslserver\"},\n {X509_PURPOSE_SMIME_SIGN, X509_TRUST_EMAIL, check_purpose_smime_sign,\n \"smimesign\"},\n {X509_PURPOSE_SMIME_ENCRYPT, X509_TRUST_EMAIL, check_purpose_smime_encrypt,\n \"smimeencrypt\"},\n {X509_PURPOSE_CRL_SIGN, X509_TRUST_COMPAT, check_purpose_crl_sign,\n \"crlsign\"},\n {X509_PURPOSE_ANY, X509_TRUST_NONE, no_check, \"any\"},\n // |X509_PURPOSE_OCSP_HELPER| performs no actual checks. OpenSSL's OCSP\n // implementation relied on the caller performing EKU and KU checks.\n {X509_PURPOSE_OCSP_HELPER, X509_TRUST_COMPAT, no_check, \"ocsphelper\"},\n {X509_PURPOSE_TIMESTAMP_SIGN, X509_TRUST_TSA, check_purpose_timestamp_sign,\n \"timestampsign\"},\n};\n\nint X509_check_purpose(X509 *x, int id, int ca) {\n // This differs from OpenSSL, which uses -1 to indicate a fatal error and 0 to\n // indicate an invalid certificate. BoringSSL uses 0 for both.\n if (!x509v3_cache_extensions(x)) {\n return 0;\n }\n\n if (id == -1) {\n return 1;\n }\n const X509_PURPOSE *pt = X509_PURPOSE_get0(id);\n if (pt == NULL) {\n return 0;\n }\n // Historically, |check_purpose| implementations other than |X509_PURPOSE_ANY|\n // called |check_ca|. This is redundant with the |X509_V_ERR_INVALID_CA|\n // logic, but |X509_check_purpose| is public API, so we preserve this\n // behavior.\n if (ca && id != X509_PURPOSE_ANY && !check_ca(x)) {\n return 0;\n }\n return pt->check_purpose(pt, x, ca);\n}\n\nconst X509_PURPOSE *X509_PURPOSE_get0(int id) {\n for (size_t i = 0; i < OPENSSL_ARRAY_SIZE(xstandard); i++) {\n if (xstandard[i].purpose == id) {\n return &xstandard[i];\n }\n }\n return NULL;\n}\n\nint X509_PURPOSE_get_by_sname(const char *sname) {\n for (size_t i = 0; i < OPENSSL_ARRAY_SIZE(xstandard); i++) {\n if (strcmp(xstandard[i].sname, sname) == 0) {\n return xstandard[i].purpose;\n }\n }\n return -1;\n}\n\nint X509_PURPOSE_get_id(const X509_PURPOSE *xp) { return xp->purpose; }\n\nint X509_PURPOSE_get_trust(const X509_PURPOSE *xp) { return xp->trust; }\n\nint X509_supported_extension(const X509_EXTENSION *ex) {\n int nid = OBJ_obj2nid(X509_EXTENSION_get_object(ex));\n return nid == NID_key_usage || //\n nid == NID_subject_alt_name || //\n nid == NID_basic_constraints || //\n nid == NID_certificate_policies || //\n nid == NID_ext_key_usage || //\n nid == NID_policy_constraints || //\n nid == NID_name_constraints || //\n nid == NID_policy_mappings || //\n nid == NID_inhibit_any_policy;\n}\n\nstatic int setup_dp(X509 *x, DIST_POINT *dp) {\n if (!dp->distpoint || (dp->distpoint->type != 1)) {\n return 1;\n }\n X509_NAME *iname = NULL;\n for (size_t i = 0; i < sk_GENERAL_NAME_num(dp->CRLissuer); i++) {\n GENERAL_NAME *gen = sk_GENERAL_NAME_value(dp->CRLissuer, i);\n if (gen->type == GEN_DIRNAME) {\n iname = gen->d.directoryName;\n break;\n }\n }\n if (!iname) {\n iname = X509_get_issuer_name(x);\n }\n\n return DIST_POINT_set_dpname(dp->distpoint, iname);\n}\n\nstatic int setup_crldp(X509 *x) {\n int j;\n x->crldp = reinterpret_cast(\n X509_get_ext_d2i(x, NID_crl_distribution_points, &j, NULL));\n if (x->crldp == NULL && j != -1) {\n return 0;\n }\n for (size_t i = 0; i < sk_DIST_POINT_num(x->crldp); i++) {\n if (!setup_dp(x, sk_DIST_POINT_value(x->crldp, i))) {\n return 0;\n }\n }\n return 1;\n}\n\nint x509v3_cache_extensions(X509 *x) {\n BASIC_CONSTRAINTS *bs;\n ASN1_BIT_STRING *usage;\n EXTENDED_KEY_USAGE *extusage;\n size_t i;\n int j;\n\n CRYPTO_MUTEX_lock_read(&x->lock);\n const int is_set = x->ex_flags & EXFLAG_SET;\n CRYPTO_MUTEX_unlock_read(&x->lock);\n\n if (is_set) {\n return (x->ex_flags & EXFLAG_INVALID) == 0;\n }\n\n CRYPTO_MUTEX_lock_write(&x->lock);\n if (x->ex_flags & EXFLAG_SET) {\n CRYPTO_MUTEX_unlock_write(&x->lock);\n return (x->ex_flags & EXFLAG_INVALID) == 0;\n }\n\n if (!X509_digest(x, EVP_sha256(), x->cert_hash, NULL)) {\n x->ex_flags |= EXFLAG_INVALID;\n }\n // V1 should mean no extensions ...\n if (X509_get_version(x) == X509_VERSION_1) {\n x->ex_flags |= EXFLAG_V1;\n }\n // Handle basic constraints\n if ((bs = reinterpret_cast(\n X509_get_ext_d2i(x, NID_basic_constraints, &j, NULL)))) {\n if (bs->ca) {\n x->ex_flags |= EXFLAG_CA;\n }\n if (bs->pathlen) {\n if ((bs->pathlen->type == V_ASN1_NEG_INTEGER) || !bs->ca) {\n x->ex_flags |= EXFLAG_INVALID;\n x->ex_pathlen = 0;\n } else {\n // TODO(davidben): |ASN1_INTEGER_get| returns -1 on overflow,\n // which currently acts as if the constraint isn't present. This\n // works (an overflowing path length constraint may as well be\n // infinity), but Chromium's verifier simply treats values above\n // 255 as an error.\n x->ex_pathlen = ASN1_INTEGER_get(bs->pathlen);\n }\n } else {\n x->ex_pathlen = -1;\n }\n BASIC_CONSTRAINTS_free(bs);\n x->ex_flags |= EXFLAG_BCONS;\n } else if (j != -1) {\n x->ex_flags |= EXFLAG_INVALID;\n }\n // Handle key usage\n if ((usage = reinterpret_cast(\n X509_get_ext_d2i(x, NID_key_usage, &j, NULL)))) {\n if (usage->length > 0) {\n x->ex_kusage = usage->data[0];\n if (usage->length > 1) {\n x->ex_kusage |= usage->data[1] << 8;\n }\n } else {\n x->ex_kusage = 0;\n }\n x->ex_flags |= EXFLAG_KUSAGE;\n ASN1_BIT_STRING_free(usage);\n } else if (j != -1) {\n x->ex_flags |= EXFLAG_INVALID;\n }\n x->ex_xkusage = 0;\n if ((extusage = reinterpret_cast(\n X509_get_ext_d2i(x, NID_ext_key_usage, &j, NULL)))) {\n x->ex_flags |= EXFLAG_XKUSAGE;\n for (i = 0; i < sk_ASN1_OBJECT_num(extusage); i++) {\n switch (OBJ_obj2nid(sk_ASN1_OBJECT_value(extusage, i))) {\n case NID_server_auth:\n x->ex_xkusage |= XKU_SSL_SERVER;\n break;\n\n case NID_client_auth:\n x->ex_xkusage |= XKU_SSL_CLIENT;\n break;\n\n case NID_email_protect:\n x->ex_xkusage |= XKU_SMIME;\n break;\n\n case NID_code_sign:\n x->ex_xkusage |= XKU_CODE_SIGN;\n break;\n\n case NID_ms_sgc:\n case NID_ns_sgc:\n x->ex_xkusage |= XKU_SGC;\n break;\n\n case NID_OCSP_sign:\n x->ex_xkusage |= XKU_OCSP_SIGN;\n break;\n\n case NID_time_stamp:\n x->ex_xkusage |= XKU_TIMESTAMP;\n break;\n\n case NID_dvcs:\n x->ex_xkusage |= XKU_DVCS;\n break;\n\n case NID_anyExtendedKeyUsage:\n x->ex_xkusage |= XKU_ANYEKU;\n break;\n }\n }\n sk_ASN1_OBJECT_pop_free(extusage, ASN1_OBJECT_free);\n } else if (j != -1) {\n x->ex_flags |= EXFLAG_INVALID;\n }\n\n x->skid = reinterpret_cast(\n X509_get_ext_d2i(x, NID_subject_key_identifier, &j, NULL));\n if (x->skid == NULL && j != -1) {\n x->ex_flags |= EXFLAG_INVALID;\n }\n x->akid = reinterpret_cast(\n X509_get_ext_d2i(x, NID_authority_key_identifier, &j, NULL));\n if (x->akid == NULL && j != -1) {\n x->ex_flags |= EXFLAG_INVALID;\n }\n // Does subject name match issuer ?\n if (!X509_NAME_cmp(X509_get_subject_name(x), X509_get_issuer_name(x))) {\n x->ex_flags |= EXFLAG_SI;\n // If SKID matches AKID also indicate self signed\n if (X509_check_akid(x, x->akid) == X509_V_OK &&\n !ku_reject(x, X509v3_KU_KEY_CERT_SIGN)) {\n x->ex_flags |= EXFLAG_SS;\n }\n }\n x->altname = reinterpret_cast(\n X509_get_ext_d2i(x, NID_subject_alt_name, &j, NULL));\n if (x->altname == NULL && j != -1) {\n x->ex_flags |= EXFLAG_INVALID;\n }\n x->nc = reinterpret_cast(\n X509_get_ext_d2i(x, NID_name_constraints, &j, NULL));\n if (x->nc == NULL && j != -1) {\n x->ex_flags |= EXFLAG_INVALID;\n }\n if (!setup_crldp(x)) {\n x->ex_flags |= EXFLAG_INVALID;\n }\n\n for (j = 0; j < X509_get_ext_count(x); j++) {\n const X509_EXTENSION *ex = X509_get_ext(x, j);\n if (!X509_EXTENSION_get_critical(ex)) {\n continue;\n }\n if (!X509_supported_extension(ex)) {\n x->ex_flags |= EXFLAG_CRITICAL;\n break;\n }\n }\n x->ex_flags |= EXFLAG_SET;\n\n CRYPTO_MUTEX_unlock_write(&x->lock);\n return (x->ex_flags & EXFLAG_INVALID) == 0;\n}\n\n// check_ca returns one if |x| should be considered a CA certificate and zero\n// otherwise.\nstatic int check_ca(const X509 *x) {\n // keyUsage if present should allow cert signing\n if (ku_reject(x, X509v3_KU_KEY_CERT_SIGN)) {\n return 0;\n }\n // Version 1 certificates are considered CAs and don't have extensions.\n if ((x->ex_flags & V1_ROOT) == V1_ROOT) {\n return 1;\n }\n // Otherwise, it's only a CA if basicConstraints says so.\n return ((x->ex_flags & EXFLAG_BCONS) && (x->ex_flags & EXFLAG_CA));\n}\n\nint X509_check_ca(X509 *x) {\n if (!x509v3_cache_extensions(x)) {\n return 0;\n }\n return check_ca(x);\n}\n\n// check_purpose returns one if |x| is a valid part of a certificate path for\n// extended key usage |required_xku| and at least one of key usages in\n// |required_kus|. |ca| indicates whether |x| is a CA or end-entity certificate.\nstatic int check_purpose(const X509 *x, int ca, int required_xku,\n int required_kus) {\n // Check extended key usage on the entire chain.\n if (required_xku != 0 && xku_reject(x, required_xku)) {\n return 0;\n }\n\n // Check key usages only on the end-entity certificate.\n return ca || !ku_reject(x, required_kus);\n}\n\nstatic int check_purpose_ssl_client(const X509_PURPOSE *xp, const X509 *x,\n int ca) {\n // We need to do digital signatures or key agreement.\n //\n // TODO(davidben): We do not implement any TLS client certificate modes based\n // on key agreement.\n return check_purpose(x, ca, XKU_SSL_CLIENT,\n X509v3_KU_DIGITAL_SIGNATURE | X509v3_KU_KEY_AGREEMENT);\n}\n\n// Key usage needed for TLS/SSL server: digital signature, encipherment or\n// key agreement. The ssl code can check this more thoroughly for individual\n// key types.\n#define X509v3_KU_TLS \\\n (X509v3_KU_DIGITAL_SIGNATURE | X509v3_KU_KEY_ENCIPHERMENT | \\\n X509v3_KU_KEY_AGREEMENT)\n\nstatic int check_purpose_ssl_server(const X509_PURPOSE *xp, const X509 *x,\n int ca) {\n return check_purpose(x, ca, XKU_SSL_SERVER, X509v3_KU_TLS);\n}\n\nstatic int check_purpose_ns_ssl_server(const X509_PURPOSE *xp, const X509 *x,\n int ca) {\n // We need to encipher or Netscape complains.\n return check_purpose(x, ca, XKU_SSL_SERVER, X509v3_KU_KEY_ENCIPHERMENT);\n}\n\nstatic int check_purpose_smime_sign(const X509_PURPOSE *xp, const X509 *x,\n int ca) {\n return check_purpose(x, ca, XKU_SMIME,\n X509v3_KU_DIGITAL_SIGNATURE | X509v3_KU_NON_REPUDIATION);\n}\n\nstatic int check_purpose_smime_encrypt(const X509_PURPOSE *xp, const X509 *x,\n int ca) {\n return check_purpose(x, ca, XKU_SMIME, X509v3_KU_KEY_ENCIPHERMENT);\n}\n\nstatic int check_purpose_crl_sign(const X509_PURPOSE *xp, const X509 *x,\n int ca) {\n return check_purpose(x, ca, /*required_xku=*/0, X509v3_KU_CRL_SIGN);\n}\n\nstatic int check_purpose_timestamp_sign(const X509_PURPOSE *xp, const X509 *x,\n int ca) {\n if (ca) {\n return 1;\n }\n\n // Check the optional key usage field:\n // if Key Usage is present, it must be one of digitalSignature\n // and/or nonRepudiation (other values are not consistent and shall\n // be rejected).\n if ((x->ex_flags & EXFLAG_KUSAGE) &&\n ((x->ex_kusage &\n ~(X509v3_KU_NON_REPUDIATION | X509v3_KU_DIGITAL_SIGNATURE)) ||\n !(x->ex_kusage &\n (X509v3_KU_NON_REPUDIATION | X509v3_KU_DIGITAL_SIGNATURE)))) {\n return 0;\n }\n\n // Only time stamp key usage is permitted and it's required.\n //\n // TODO(davidben): Should we check EKUs up the chain like the other cases?\n if (!(x->ex_flags & EXFLAG_XKUSAGE) || x->ex_xkusage != XKU_TIMESTAMP) {\n return 0;\n }\n\n // Extended Key Usage MUST be critical\n int i_ext = X509_get_ext_by_NID(x, NID_ext_key_usage, -1);\n if (i_ext >= 0) {\n const X509_EXTENSION *ext = X509_get_ext(x, i_ext);\n if (!X509_EXTENSION_get_critical(ext)) {\n return 0;\n }\n }\n\n return 1;\n}\n\nstatic int no_check(const X509_PURPOSE *xp, const X509 *x, int ca) { return 1; }\n\nint X509_check_issued(X509 *issuer, X509 *subject) {\n if (X509_NAME_cmp(X509_get_subject_name(issuer),\n X509_get_issuer_name(subject))) {\n return X509_V_ERR_SUBJECT_ISSUER_MISMATCH;\n }\n if (!x509v3_cache_extensions(issuer) || !x509v3_cache_extensions(subject)) {\n return X509_V_ERR_UNSPECIFIED;\n }\n\n if (subject->akid) {\n int ret = X509_check_akid(issuer, subject->akid);\n if (ret != X509_V_OK) {\n return ret;\n }\n }\n\n if (ku_reject(issuer, X509v3_KU_KEY_CERT_SIGN)) {\n return X509_V_ERR_KEYUSAGE_NO_CERTSIGN;\n }\n return X509_V_OK;\n}\n\nint X509_check_akid(X509 *issuer, const AUTHORITY_KEYID *akid) {\n if (!akid) {\n return X509_V_OK;\n }\n\n // Check key ids (if present)\n if (akid->keyid && issuer->skid &&\n ASN1_OCTET_STRING_cmp(akid->keyid, issuer->skid)) {\n return X509_V_ERR_AKID_SKID_MISMATCH;\n }\n // Check serial number\n if (akid->serial &&\n ASN1_INTEGER_cmp(X509_get_serialNumber(issuer), akid->serial)) {\n return X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH;\n }\n // Check issuer name\n if (akid->issuer) {\n // Ugh, for some peculiar reason AKID includes SEQUENCE OF\n // GeneralName. So look for a DirName. There may be more than one but\n // we only take any notice of the first.\n GENERAL_NAMES *gens;\n GENERAL_NAME *gen;\n X509_NAME *nm = NULL;\n size_t i;\n gens = akid->issuer;\n for (i = 0; i < sk_GENERAL_NAME_num(gens); i++) {\n gen = sk_GENERAL_NAME_value(gens, i);\n if (gen->type == GEN_DIRNAME) {\n nm = gen->d.dirn;\n break;\n }\n }\n if (nm && X509_NAME_cmp(nm, X509_get_issuer_name(issuer))) {\n return X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH;\n }\n }\n return X509_V_OK;\n}\n\nuint32_t X509_get_extension_flags(X509 *x) {\n // Ignore the return value. On failure, |x->ex_flags| will include\n // |EXFLAG_INVALID|.\n x509v3_cache_extensions(x);\n return x->ex_flags;\n}\n\nuint32_t X509_get_key_usage(X509 *x) {\n if (!x509v3_cache_extensions(x)) {\n return 0;\n }\n if (x->ex_flags & EXFLAG_KUSAGE) {\n return x->ex_kusage;\n }\n // If there is no extension, key usage is unconstrained, so set all bits to\n // one. Note that, although we use |UINT32_MAX|, |ex_kusage| only contains the\n // first 16 bits when the extension is present.\n return UINT32_MAX;\n}\n\nuint32_t X509_get_extended_key_usage(X509 *x) {\n if (!x509v3_cache_extensions(x)) {\n return 0;\n }\n if (x->ex_flags & EXFLAG_XKUSAGE) {\n return x->ex_xkusage;\n }\n // If there is no extension, extended key usage is unconstrained, so set all\n // bits to one.\n return UINT32_MAX;\n}\n\nconst ASN1_OCTET_STRING *X509_get0_subject_key_id(X509 *x509) {\n if (!x509v3_cache_extensions(x509)) {\n return NULL;\n }\n return x509->skid;\n}\n\nconst ASN1_OCTET_STRING *X509_get0_authority_key_id(X509 *x509) {\n if (!x509v3_cache_extensions(x509)) {\n return NULL;\n }\n return x509->akid != NULL ? x509->akid->keyid : NULL;\n}\n\nconst GENERAL_NAMES *X509_get0_authority_issuer(X509 *x509) {\n if (!x509v3_cache_extensions(x509)) {\n return NULL;\n }\n return x509->akid != NULL ? x509->akid->issuer : NULL;\n}\n\nconst ASN1_INTEGER *X509_get0_authority_serial(X509 *x509) {\n if (!x509v3_cache_extensions(x509)) {\n return NULL;\n }\n return x509->akid != NULL ? x509->akid->serial : NULL;\n}\n\nlong X509_get_pathlen(X509 *x509) {\n if (!x509v3_cache_extensions(x509) || (x509->ex_flags & EXFLAG_BCONS) == 0) {\n return -1;\n }\n return x509->ex_pathlen;\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/x509/v3_skey.cc", "content": "/*\n * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n#include \n#include \n\n#include \n#include \n#include \n#include \n#include \n\n#include \"ext_dat.h\"\n#include \"internal.h\"\n\n\nchar *i2s_ASN1_OCTET_STRING(const X509V3_EXT_METHOD *method,\n const ASN1_OCTET_STRING *oct) {\n return x509v3_bytes_to_hex(oct->data, oct->length);\n}\n\nASN1_OCTET_STRING *s2i_ASN1_OCTET_STRING(const X509V3_EXT_METHOD *method,\n const X509V3_CTX *ctx,\n const char *str) {\n size_t len;\n uint8_t *data = x509v3_hex_to_bytes(str, &len);\n ASN1_OCTET_STRING *oct;\n if (data == NULL) {\n return NULL;\n }\n if (len > INT_MAX) {\n OPENSSL_PUT_ERROR(X509V3, ERR_R_OVERFLOW);\n goto err;\n }\n\n oct = ASN1_OCTET_STRING_new();\n if (oct == NULL) {\n goto err;\n }\n ASN1_STRING_set0(oct, data, (int)len);\n return oct;\n\nerr:\n OPENSSL_free(data);\n return NULL;\n}\n\nstatic char *i2s_ASN1_OCTET_STRING_cb(const X509V3_EXT_METHOD *method,\n void *ext) {\n return i2s_ASN1_OCTET_STRING(method,\n reinterpret_cast(ext));\n}\n\nstatic void *s2i_skey_id(const X509V3_EXT_METHOD *method, const X509V3_CTX *ctx,\n const char *str) {\n ASN1_OCTET_STRING *oct;\n ASN1_BIT_STRING *pk;\n unsigned char pkey_dig[EVP_MAX_MD_SIZE];\n unsigned int diglen;\n\n if (strcmp(str, \"hash\")) {\n return s2i_ASN1_OCTET_STRING(method, ctx, str);\n }\n\n if (!(oct = ASN1_OCTET_STRING_new())) {\n return NULL;\n }\n\n if (ctx && (ctx->flags == X509V3_CTX_TEST)) {\n return oct;\n }\n\n if (!ctx || (!ctx->subject_req && !ctx->subject_cert)) {\n OPENSSL_PUT_ERROR(X509V3, X509V3_R_NO_PUBLIC_KEY);\n goto err;\n }\n\n if (ctx->subject_req) {\n pk = ctx->subject_req->req_info->pubkey->public_key;\n } else {\n pk = ctx->subject_cert->cert_info->key->public_key;\n }\n\n if (!pk) {\n OPENSSL_PUT_ERROR(X509V3, X509V3_R_NO_PUBLIC_KEY);\n goto err;\n }\n\n if (!EVP_Digest(pk->data, pk->length, pkey_dig, &diglen, EVP_sha1(), NULL)) {\n goto err;\n }\n\n if (!ASN1_OCTET_STRING_set(oct, pkey_dig, diglen)) {\n goto err;\n }\n\n return oct;\n\nerr:\n ASN1_OCTET_STRING_free(oct);\n return NULL;\n}\n\nconst X509V3_EXT_METHOD v3_skey_id = {\n NID_subject_key_identifier,\n 0,\n ASN1_ITEM_ref(ASN1_OCTET_STRING),\n 0,\n 0,\n 0,\n 0,\n i2s_ASN1_OCTET_STRING_cb,\n s2i_skey_id,\n 0,\n 0,\n 0,\n 0,\n NULL,\n};\n" }, { "path": "Sources/CNIOBoringSSL/crypto/x509/v3_utl.cc", "content": "/*\n * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n/* X509 v3 extension utilities */\n\n#include \n#include \n#include \n\n#include \n#include \n#include \n#include \n#include \n#include \n#include \n\n#include \"../conf/internal.h\"\n#include \"../internal.h\"\n#include \"internal.h\"\n\n\nstatic char *strip_spaces(char *name);\nstatic int sk_strcmp(const char *const *a, const char *const *b);\nstatic STACK_OF(OPENSSL_STRING) *get_email(const X509_NAME *name,\n const GENERAL_NAMES *gens);\nstatic void str_free(OPENSSL_STRING str);\nstatic int append_ia5(STACK_OF(OPENSSL_STRING) **sk,\n const ASN1_IA5STRING *email);\n\nstatic int ipv4_from_asc(uint8_t v4[4], const char *in);\nstatic int ipv6_from_asc(uint8_t v6[16], const char *in);\nstatic int ipv6_cb(const char *elem, size_t len, void *usr);\nstatic int ipv6_hex(uint8_t *out, const char *in, size_t inlen);\n\n// Add a CONF_VALUE name value pair to stack\n\nstatic int x509V3_add_len_value(const char *name, const char *value,\n size_t value_len, int omit_value,\n STACK_OF(CONF_VALUE) **extlist) {\n CONF_VALUE *vtmp = NULL;\n char *tname = NULL, *tvalue = NULL;\n int extlist_was_null = *extlist == NULL;\n if (name && !(tname = OPENSSL_strdup(name))) {\n goto err;\n }\n if (!omit_value) {\n // |CONF_VALUE| cannot represent strings with NULs.\n if (OPENSSL_memchr(value, 0, value_len)) {\n OPENSSL_PUT_ERROR(X509V3, X509V3_R_INVALID_VALUE);\n goto err;\n }\n tvalue = OPENSSL_strndup(value, value_len);\n if (tvalue == NULL) {\n goto err;\n }\n }\n if (!(vtmp = CONF_VALUE_new())) {\n goto err;\n }\n if (!*extlist && !(*extlist = sk_CONF_VALUE_new_null())) {\n goto err;\n }\n vtmp->section = NULL;\n vtmp->name = tname;\n vtmp->value = tvalue;\n if (!sk_CONF_VALUE_push(*extlist, vtmp)) {\n goto err;\n }\n return 1;\nerr:\n if (extlist_was_null) {\n sk_CONF_VALUE_free(*extlist);\n *extlist = NULL;\n }\n OPENSSL_free(vtmp);\n OPENSSL_free(tname);\n OPENSSL_free(tvalue);\n return 0;\n}\n\nint X509V3_add_value(const char *name, const char *value,\n STACK_OF(CONF_VALUE) **extlist) {\n return x509V3_add_len_value(name, value, value != NULL ? strlen(value) : 0,\n /*omit_value=*/value == NULL, extlist);\n}\n\nint x509V3_add_value_asn1_string(const char *name, const ASN1_STRING *value,\n STACK_OF(CONF_VALUE) **extlist) {\n return x509V3_add_len_value(name, (const char *)value->data, value->length,\n /*omit_value=*/0, extlist);\n}\n\n// Free function for STACK_OF(CONF_VALUE)\n\nvoid X509V3_conf_free(CONF_VALUE *conf) {\n if (!conf) {\n return;\n }\n OPENSSL_free(conf->name);\n OPENSSL_free(conf->value);\n OPENSSL_free(conf->section);\n OPENSSL_free(conf);\n}\n\nint X509V3_add_value_bool(const char *name, int asn1_bool,\n STACK_OF(CONF_VALUE) **extlist) {\n if (asn1_bool) {\n return X509V3_add_value(name, \"TRUE\", extlist);\n }\n return X509V3_add_value(name, \"FALSE\", extlist);\n}\n\nstatic char *bignum_to_string(const BIGNUM *bn) {\n char *tmp, *ret;\n\n // Display large numbers in hex and small numbers in decimal. Converting to\n // decimal takes quadratic time and is no more useful than hex for large\n // numbers.\n if (BN_num_bits(bn) < 32) {\n return BN_bn2dec(bn);\n }\n\n tmp = BN_bn2hex(bn);\n if (tmp == NULL) {\n return NULL;\n }\n\n // Prepend \"0x\", but place it after the \"-\" if negative.\n if (OPENSSL_asprintf(&ret, \"%s0x%s\", (tmp[0] == '-') ? \"-\" : \"\",\n (tmp[0] == '-') ? tmp + 1 : tmp) == -1) {\n ret = nullptr;\n }\n OPENSSL_free(tmp);\n return ret;\n}\n\nchar *i2s_ASN1_ENUMERATED(const X509V3_EXT_METHOD *method,\n const ASN1_ENUMERATED *a) {\n BIGNUM *bntmp = NULL;\n char *strtmp = NULL;\n if (!a) {\n return NULL;\n }\n if (!(bntmp = ASN1_ENUMERATED_to_BN(a, NULL)) ||\n !(strtmp = bignum_to_string(bntmp))) {\n }\n BN_free(bntmp);\n return strtmp;\n}\n\nchar *i2s_ASN1_INTEGER(const X509V3_EXT_METHOD *method, const ASN1_INTEGER *a) {\n BIGNUM *bntmp = NULL;\n char *strtmp = NULL;\n if (!a) {\n return NULL;\n }\n if (!(bntmp = ASN1_INTEGER_to_BN(a, NULL)) ||\n !(strtmp = bignum_to_string(bntmp))) {\n }\n BN_free(bntmp);\n return strtmp;\n}\n\nASN1_INTEGER *s2i_ASN1_INTEGER(const X509V3_EXT_METHOD *method,\n const char *value) {\n BIGNUM *bn = NULL;\n ASN1_INTEGER *aint;\n int isneg, ishex;\n int ret;\n if (!value) {\n OPENSSL_PUT_ERROR(X509V3, X509V3_R_INVALID_NULL_VALUE);\n return 0;\n }\n bn = BN_new();\n if (value[0] == '-') {\n value++;\n isneg = 1;\n } else {\n isneg = 0;\n }\n\n if (value[0] == '0' && ((value[1] == 'x') || (value[1] == 'X'))) {\n value += 2;\n ishex = 1;\n } else {\n ishex = 0;\n }\n\n if (ishex) {\n ret = BN_hex2bn(&bn, value);\n } else {\n // Decoding from decimal scales quadratically in the input length. Bound the\n // largest decimal input we accept in the config parser. 8,192 decimal\n // digits allows values up to 27,213 bits. Ths exceeds the largest RSA, DSA,\n // or DH modulus we support, and those are not usefully represented in\n // decimal.\n if (strlen(value) > 8192) {\n BN_free(bn);\n OPENSSL_PUT_ERROR(X509V3, X509V3_R_INVALID_NUMBER);\n return 0;\n }\n ret = BN_dec2bn(&bn, value);\n }\n\n if (!ret || value[ret]) {\n BN_free(bn);\n OPENSSL_PUT_ERROR(X509V3, X509V3_R_BN_DEC2BN_ERROR);\n return 0;\n }\n\n if (isneg && BN_is_zero(bn)) {\n isneg = 0;\n }\n\n aint = BN_to_ASN1_INTEGER(bn, NULL);\n BN_free(bn);\n if (!aint) {\n OPENSSL_PUT_ERROR(X509V3, X509V3_R_BN_TO_ASN1_INTEGER_ERROR);\n return 0;\n }\n if (isneg) {\n aint->type |= V_ASN1_NEG;\n }\n return aint;\n}\n\nint X509V3_add_value_int(const char *name, const ASN1_INTEGER *aint,\n STACK_OF(CONF_VALUE) **extlist) {\n char *strtmp;\n int ret;\n if (!aint) {\n return 1;\n }\n if (!(strtmp = i2s_ASN1_INTEGER(NULL, aint))) {\n return 0;\n }\n ret = X509V3_add_value(name, strtmp, extlist);\n OPENSSL_free(strtmp);\n return ret;\n}\n\nint X509V3_bool_from_string(const char *str, ASN1_BOOLEAN *out_bool) {\n if (!strcmp(str, \"TRUE\") || !strcmp(str, \"true\") || !strcmp(str, \"Y\") ||\n !strcmp(str, \"y\") || !strcmp(str, \"YES\") || !strcmp(str, \"yes\")) {\n *out_bool = ASN1_BOOLEAN_TRUE;\n return 1;\n }\n if (!strcmp(str, \"FALSE\") || !strcmp(str, \"false\") || !strcmp(str, \"N\") ||\n !strcmp(str, \"n\") || !strcmp(str, \"NO\") || !strcmp(str, \"no\")) {\n *out_bool = ASN1_BOOLEAN_FALSE;\n return 1;\n }\n OPENSSL_PUT_ERROR(X509V3, X509V3_R_INVALID_BOOLEAN_STRING);\n return 0;\n}\n\nint X509V3_get_value_bool(const CONF_VALUE *value, ASN1_BOOLEAN *out_bool) {\n const char *btmp = value->value;\n if (btmp == NULL) {\n OPENSSL_PUT_ERROR(X509V3, X509V3_R_INVALID_BOOLEAN_STRING);\n goto err;\n }\n if (!X509V3_bool_from_string(btmp, out_bool)) {\n goto err;\n }\n return 1;\n\nerr:\n X509V3_conf_err(value);\n return 0;\n}\n\nint X509V3_get_value_int(const CONF_VALUE *value, ASN1_INTEGER **aint) {\n ASN1_INTEGER *itmp;\n if (!(itmp = s2i_ASN1_INTEGER(NULL, value->value))) {\n X509V3_conf_err(value);\n return 0;\n }\n ASN1_INTEGER_free(*aint);\n *aint = itmp;\n return 1;\n}\n\n#define HDR_NAME 1\n#define HDR_VALUE 2\n\n// #define DEBUG\n\nSTACK_OF(CONF_VALUE) *X509V3_parse_list(const char *line) {\n char *p, *q, c;\n char *ntmp, *vtmp;\n STACK_OF(CONF_VALUE) *values = NULL;\n char *linebuf;\n int state;\n // We are going to modify the line so copy it first\n linebuf = OPENSSL_strdup(line);\n if (linebuf == NULL) {\n goto err;\n }\n state = HDR_NAME;\n ntmp = NULL;\n // Go through all characters\n for (p = linebuf, q = linebuf; (c = *p) && (c != '\\r') && (c != '\\n'); p++) {\n switch (state) {\n case HDR_NAME:\n if (c == ':') {\n state = HDR_VALUE;\n *p = 0;\n ntmp = strip_spaces(q);\n if (!ntmp) {\n OPENSSL_PUT_ERROR(X509V3, X509V3_R_INVALID_NULL_NAME);\n goto err;\n }\n q = p + 1;\n } else if (c == ',') {\n *p = 0;\n ntmp = strip_spaces(q);\n q = p + 1;\n#if 0\n printf(\"%s\\n\", ntmp);\n#endif\n if (!ntmp) {\n OPENSSL_PUT_ERROR(X509V3, X509V3_R_INVALID_NULL_NAME);\n goto err;\n }\n X509V3_add_value(ntmp, NULL, &values);\n }\n break;\n\n case HDR_VALUE:\n if (c == ',') {\n state = HDR_NAME;\n *p = 0;\n vtmp = strip_spaces(q);\n#if 0\n printf(\"%s\\n\", ntmp);\n#endif\n if (!vtmp) {\n OPENSSL_PUT_ERROR(X509V3, X509V3_R_INVALID_NULL_VALUE);\n goto err;\n }\n X509V3_add_value(ntmp, vtmp, &values);\n ntmp = NULL;\n q = p + 1;\n }\n }\n }\n\n if (state == HDR_VALUE) {\n vtmp = strip_spaces(q);\n#if 0\n printf(\"%s=%s\\n\", ntmp, vtmp);\n#endif\n if (!vtmp) {\n OPENSSL_PUT_ERROR(X509V3, X509V3_R_INVALID_NULL_VALUE);\n goto err;\n }\n X509V3_add_value(ntmp, vtmp, &values);\n } else {\n ntmp = strip_spaces(q);\n#if 0\n printf(\"%s\\n\", ntmp);\n#endif\n if (!ntmp) {\n OPENSSL_PUT_ERROR(X509V3, X509V3_R_INVALID_NULL_NAME);\n goto err;\n }\n X509V3_add_value(ntmp, NULL, &values);\n }\n OPENSSL_free(linebuf);\n return values;\n\nerr:\n OPENSSL_free(linebuf);\n sk_CONF_VALUE_pop_free(values, X509V3_conf_free);\n return NULL;\n}\n\n// Delete leading and trailing spaces from a string\nstatic char *strip_spaces(char *name) {\n char *p, *q;\n // Skip over leading spaces\n p = name;\n while (*p && OPENSSL_isspace((unsigned char)*p)) {\n p++;\n }\n if (!*p) {\n return NULL;\n }\n q = p + strlen(p) - 1;\n while ((q != p) && OPENSSL_isspace((unsigned char)*q)) {\n q--;\n }\n if (p != q) {\n q[1] = 0;\n }\n if (!*p) {\n return NULL;\n }\n return p;\n}\n\n// hex string utilities\n\nchar *x509v3_bytes_to_hex(const uint8_t *in, size_t len) {\n CBB cbb;\n if (!CBB_init(&cbb, len * 3 + 1)) {\n goto err;\n }\n for (size_t i = 0; i < len; i++) {\n static const char hex[] = \"0123456789ABCDEF\";\n if ((i > 0 && !CBB_add_u8(&cbb, ':')) ||\n !CBB_add_u8(&cbb, hex[in[i] >> 4]) ||\n !CBB_add_u8(&cbb, hex[in[i] & 0xf])) {\n goto err;\n }\n }\n uint8_t *ret;\n size_t unused_len;\n if (!CBB_add_u8(&cbb, 0) || !CBB_finish(&cbb, &ret, &unused_len)) {\n goto err;\n }\n\n return (char *)ret;\n\nerr:\n CBB_cleanup(&cbb);\n return NULL;\n}\n\nunsigned char *x509v3_hex_to_bytes(const char *str, size_t *len) {\n unsigned char *hexbuf, *q;\n unsigned char ch, cl, *p;\n uint8_t high, low;\n if (!str) {\n OPENSSL_PUT_ERROR(X509V3, X509V3_R_INVALID_NULL_ARGUMENT);\n return NULL;\n }\n if (!(hexbuf =\n reinterpret_cast(OPENSSL_malloc(strlen(str) >> 1)))) {\n goto err;\n }\n for (p = (unsigned char *)str, q = hexbuf; *p;) {\n ch = *p++;\n if (ch == ':') {\n continue;\n }\n cl = *p++;\n if (!cl) {\n OPENSSL_PUT_ERROR(X509V3, X509V3_R_ODD_NUMBER_OF_DIGITS);\n OPENSSL_free(hexbuf);\n return NULL;\n }\n if (!OPENSSL_fromxdigit(&high, ch)) {\n goto badhex;\n }\n if (!OPENSSL_fromxdigit(&low, cl)) {\n goto badhex;\n }\n *q++ = (high << 4) | low;\n }\n\n if (len) {\n *len = q - hexbuf;\n }\n\n return hexbuf;\n\nerr:\n OPENSSL_free(hexbuf);\n return NULL;\n\nbadhex:\n OPENSSL_free(hexbuf);\n OPENSSL_PUT_ERROR(X509V3, X509V3_R_ILLEGAL_HEX_DIGIT);\n return NULL;\n}\n\nint x509v3_conf_name_matches(const char *name, const char *cmp) {\n // |name| must begin with |cmp|.\n size_t len = strlen(cmp);\n if (strncmp(name, cmp, len) != 0) {\n return 0;\n }\n // |name| must either be equal to |cmp| or begin with |cmp|, followed by '.'.\n return name[len] == '\\0' || name[len] == '.';\n}\n\nstatic int sk_strcmp(const char *const *a, const char *const *b) {\n return strcmp(*a, *b);\n}\n\nSTACK_OF(OPENSSL_STRING) *X509_get1_email(const X509 *x) {\n GENERAL_NAMES *gens;\n STACK_OF(OPENSSL_STRING) *ret;\n\n gens = reinterpret_cast(\n X509_get_ext_d2i(x, NID_subject_alt_name, NULL, NULL));\n ret = get_email(X509_get_subject_name(x), gens);\n sk_GENERAL_NAME_pop_free(gens, GENERAL_NAME_free);\n return ret;\n}\n\nSTACK_OF(OPENSSL_STRING) *X509_get1_ocsp(const X509 *x) {\n AUTHORITY_INFO_ACCESS *info;\n STACK_OF(OPENSSL_STRING) *ret = NULL;\n size_t i;\n\n info = reinterpret_cast(\n X509_get_ext_d2i(x, NID_info_access, NULL, NULL));\n if (!info) {\n return NULL;\n }\n for (i = 0; i < sk_ACCESS_DESCRIPTION_num(info); i++) {\n ACCESS_DESCRIPTION *ad = sk_ACCESS_DESCRIPTION_value(info, i);\n if (OBJ_obj2nid(ad->method) == NID_ad_OCSP) {\n if (ad->location->type == GEN_URI) {\n if (!append_ia5(&ret, ad->location->d.uniformResourceIdentifier)) {\n break;\n }\n }\n }\n }\n AUTHORITY_INFO_ACCESS_free(info);\n return ret;\n}\n\nSTACK_OF(OPENSSL_STRING) *X509_REQ_get1_email(const X509_REQ *x) {\n GENERAL_NAMES *gens;\n STACK_OF(X509_EXTENSION) *exts;\n STACK_OF(OPENSSL_STRING) *ret;\n\n exts = X509_REQ_get_extensions(x);\n gens = reinterpret_cast(\n X509V3_get_d2i(exts, NID_subject_alt_name, NULL, NULL));\n ret = get_email(X509_REQ_get_subject_name(x), gens);\n sk_GENERAL_NAME_pop_free(gens, GENERAL_NAME_free);\n sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free);\n return ret;\n}\n\nstatic STACK_OF(OPENSSL_STRING) *get_email(const X509_NAME *name,\n const GENERAL_NAMES *gens) {\n STACK_OF(OPENSSL_STRING) *ret = NULL;\n // Now add any email address(es) to STACK\n int i = -1;\n // First supplied X509_NAME\n while ((i = X509_NAME_get_index_by_NID(name, NID_pkcs9_emailAddress, i)) >=\n 0) {\n const X509_NAME_ENTRY *ne = X509_NAME_get_entry(name, i);\n const ASN1_IA5STRING *email = X509_NAME_ENTRY_get_data(ne);\n if (!append_ia5(&ret, email)) {\n return NULL;\n }\n }\n for (size_t j = 0; j < sk_GENERAL_NAME_num(gens); j++) {\n const GENERAL_NAME *gen = sk_GENERAL_NAME_value(gens, j);\n if (gen->type != GEN_EMAIL) {\n continue;\n }\n if (!append_ia5(&ret, gen->d.ia5)) {\n return NULL;\n }\n }\n return ret;\n}\n\nstatic void str_free(OPENSSL_STRING str) { OPENSSL_free(str); }\n\nstatic int append_ia5(STACK_OF(OPENSSL_STRING) **sk,\n const ASN1_IA5STRING *email) {\n // First some sanity checks\n if (email->type != V_ASN1_IA5STRING) {\n return 1;\n }\n if (email->data == NULL || email->length == 0) {\n return 1;\n }\n // |OPENSSL_STRING| cannot represent strings with embedded NULs. Do not\n // report them as outputs.\n if (OPENSSL_memchr(email->data, 0, email->length) != NULL) {\n return 1;\n }\n\n char *emtmp = NULL;\n if (!*sk) {\n *sk = sk_OPENSSL_STRING_new(sk_strcmp);\n }\n if (!*sk) {\n goto err;\n }\n\n emtmp = OPENSSL_strndup((char *)email->data, email->length);\n if (emtmp == NULL) {\n goto err;\n }\n\n // Don't add duplicates\n sk_OPENSSL_STRING_sort(*sk);\n if (sk_OPENSSL_STRING_find(*sk, NULL, emtmp)) {\n OPENSSL_free(emtmp);\n return 1;\n }\n if (!sk_OPENSSL_STRING_push(*sk, emtmp)) {\n goto err;\n }\n return 1;\n\nerr:\n // TODO(davidben): Fix the error-handling in this file. It currently relies\n // on |append_ia5| leaving |*sk| at NULL on error.\n OPENSSL_free(emtmp);\n X509_email_free(*sk);\n *sk = NULL;\n return 0;\n}\n\nvoid X509_email_free(STACK_OF(OPENSSL_STRING) *sk) {\n sk_OPENSSL_STRING_pop_free(sk, str_free);\n}\n\ntypedef int (*equal_fn)(const unsigned char *pattern, size_t pattern_len,\n const unsigned char *subject, size_t subject_len,\n unsigned int flags);\n\n// Compare while ASCII ignoring case.\nstatic int equal_nocase(const unsigned char *pattern, size_t pattern_len,\n const unsigned char *subject, size_t subject_len,\n unsigned int flags) {\n if (pattern_len != subject_len) {\n return 0;\n }\n while (pattern_len) {\n unsigned char l = *pattern;\n unsigned char r = *subject;\n // The pattern must not contain NUL characters.\n if (l == 0) {\n return 0;\n }\n if (l != r) {\n if (OPENSSL_tolower(l) != OPENSSL_tolower(r)) {\n return 0;\n }\n }\n ++pattern;\n ++subject;\n --pattern_len;\n }\n return 1;\n}\n\n// Compare using OPENSSL_memcmp.\nstatic int equal_case(const unsigned char *pattern, size_t pattern_len,\n const unsigned char *subject, size_t subject_len,\n unsigned int flags) {\n if (pattern_len != subject_len) {\n return 0;\n }\n return !OPENSSL_memcmp(pattern, subject, pattern_len);\n}\n\n// RFC 5280, section 7.5, requires that only the domain is compared in a\n// case-insensitive manner.\nstatic int equal_email(const unsigned char *a, size_t a_len,\n const unsigned char *b, size_t b_len,\n unsigned int unused_flags) {\n size_t i = a_len;\n if (a_len != b_len) {\n return 0;\n }\n // We search backwards for the '@' character, so that we do not have to\n // deal with quoted local-parts. The domain part is compared in a\n // case-insensitive manner.\n while (i > 0) {\n --i;\n if (a[i] == '@' || b[i] == '@') {\n if (!equal_nocase(a + i, a_len - i, b + i, a_len - i, 0)) {\n return 0;\n }\n break;\n }\n }\n if (i == 0) {\n i = a_len;\n }\n return equal_case(a, i, b, i, 0);\n}\n\n// Compare the prefix and suffix with the subject, and check that the\n// characters in-between are valid.\nstatic int wildcard_match(const unsigned char *prefix, size_t prefix_len,\n const unsigned char *suffix, size_t suffix_len,\n const unsigned char *subject, size_t subject_len,\n unsigned int flags) {\n const unsigned char *wildcard_start;\n const unsigned char *wildcard_end;\n const unsigned char *p;\n int allow_idna = 0;\n\n if (subject_len < prefix_len + suffix_len) {\n return 0;\n }\n if (!equal_nocase(prefix, prefix_len, subject, prefix_len, flags)) {\n return 0;\n }\n wildcard_start = subject + prefix_len;\n wildcard_end = subject + (subject_len - suffix_len);\n if (!equal_nocase(wildcard_end, suffix_len, suffix, suffix_len, flags)) {\n return 0;\n }\n // If the wildcard makes up the entire first label, it must match at\n // least one character.\n if (prefix_len == 0 && *suffix == '.') {\n if (wildcard_start == wildcard_end) {\n return 0;\n }\n allow_idna = 1;\n }\n // IDNA labels cannot match partial wildcards\n if (!allow_idna && subject_len >= 4 &&\n OPENSSL_strncasecmp((char *)subject, \"xn--\", 4) == 0) {\n return 0;\n }\n // The wildcard may match a literal '*'\n if (wildcard_end == wildcard_start + 1 && *wildcard_start == '*') {\n return 1;\n }\n // Check that the part matched by the wildcard contains only\n // permitted characters and only matches a single label.\n for (p = wildcard_start; p != wildcard_end; ++p) {\n if (!OPENSSL_isalnum(*p) && *p != '-') {\n return 0;\n }\n }\n return 1;\n}\n\n#define LABEL_START (1 << 0)\n#define LABEL_END (1 << 1)\n#define LABEL_HYPHEN (1 << 2)\n#define LABEL_IDNA (1 << 3)\n\nstatic const unsigned char *valid_star(const unsigned char *p, size_t len,\n unsigned int flags) {\n const unsigned char *star = 0;\n size_t i;\n int state = LABEL_START;\n int dots = 0;\n for (i = 0; i < len; ++i) {\n // Locate first and only legal wildcard, either at the start\n // or end of a non-IDNA first and not final label.\n if (p[i] == '*') {\n int atstart = (state & LABEL_START);\n int atend = (i == len - 1 || p[i + 1] == '.');\n // At most one wildcard per pattern.\n // No wildcards in IDNA labels.\n // No wildcards after the first label.\n if (star != NULL || (state & LABEL_IDNA) != 0 || dots) {\n return NULL;\n }\n // Only full-label '*.example.com' wildcards.\n if (!atstart || !atend) {\n return NULL;\n }\n star = &p[i];\n state &= ~LABEL_START;\n } else if (OPENSSL_isalnum(p[i])) {\n if ((state & LABEL_START) != 0 && len - i >= 4 &&\n OPENSSL_strncasecmp((char *)&p[i], \"xn--\", 4) == 0) {\n state |= LABEL_IDNA;\n }\n state &= ~(LABEL_HYPHEN | LABEL_START);\n } else if (p[i] == '.') {\n if ((state & (LABEL_HYPHEN | LABEL_START)) != 0) {\n return NULL;\n }\n state = LABEL_START;\n ++dots;\n } else if (p[i] == '-') {\n // no domain/subdomain starts with '-'\n if ((state & LABEL_START) != 0) {\n return NULL;\n }\n state |= LABEL_HYPHEN;\n } else {\n return NULL;\n }\n }\n\n // The final label must not end in a hyphen or \".\", and\n // there must be at least two dots after the star.\n if ((state & (LABEL_START | LABEL_HYPHEN)) != 0 || dots < 2) {\n return NULL;\n }\n return star;\n}\n\n// Compare using wildcards.\nstatic int equal_wildcard(const unsigned char *pattern, size_t pattern_len,\n const unsigned char *subject, size_t subject_len,\n unsigned int flags) {\n const unsigned char *star = NULL;\n\n // Subject names starting with '.' can only match a wildcard pattern\n // via a subject sub-domain pattern suffix match.\n if (!(subject_len > 1 && subject[0] == '.')) {\n star = valid_star(pattern, pattern_len, flags);\n }\n if (star == NULL) {\n return equal_nocase(pattern, pattern_len, subject, subject_len, flags);\n }\n return wildcard_match(pattern, star - pattern, star + 1,\n (pattern + pattern_len) - star - 1, subject,\n subject_len, flags);\n}\n\nint x509v3_looks_like_dns_name(const unsigned char *in, size_t len) {\n // This function is used as a heuristic for whether a common name is a\n // hostname to be matched, or merely a decorative name to describe the\n // subject. This heuristic must be applied to both name constraints and the\n // common name fallback, so it must be loose enough to accept hostname\n // common names, and tight enough to reject decorative common names.\n\n if (len > 0 && in[len - 1] == '.') {\n len--;\n }\n\n // Wildcards are allowed in front.\n if (len >= 2 && in[0] == '*' && in[1] == '.') {\n in += 2;\n len -= 2;\n }\n\n if (len == 0) {\n return 0;\n }\n\n size_t label_start = 0;\n for (size_t i = 0; i < len; i++) {\n unsigned char c = in[i];\n if (OPENSSL_isalnum(c) || (c == '-' && i > label_start) ||\n // These are not valid characters in hostnames, but commonly found\n // in deployments outside the Web PKI.\n c == '_' || c == ':') {\n continue;\n }\n\n // Labels must not be empty.\n if (c == '.' && i > label_start && i < len - 1) {\n label_start = i + 1;\n continue;\n }\n\n return 0;\n }\n\n return 1;\n}\n\n// Compare an ASN1_STRING to a supplied string. If they match return 1. If\n// cmp_type > 0 only compare if string matches the type, otherwise convert it\n// to UTF8.\n\nstatic int do_check_string(const ASN1_STRING *a, int cmp_type, equal_fn equal,\n unsigned int flags, int check_type, const char *b,\n size_t blen, char **peername) {\n int rv = 0;\n\n if (!a->data || !a->length) {\n return 0;\n }\n if (cmp_type > 0) {\n if (cmp_type != a->type) {\n return 0;\n }\n if (cmp_type == V_ASN1_IA5STRING) {\n rv = equal(a->data, a->length, (unsigned char *)b, blen, flags);\n } else if (a->length == (int)blen && !OPENSSL_memcmp(a->data, b, blen)) {\n rv = 1;\n }\n if (rv > 0 && peername) {\n *peername = OPENSSL_strndup((char *)a->data, a->length);\n if (*peername == NULL) {\n return -1;\n }\n }\n } else {\n int astrlen;\n unsigned char *astr;\n astrlen = ASN1_STRING_to_UTF8(&astr, a);\n if (astrlen < 0) {\n return -1;\n }\n // We check the common name against DNS name constraints if it passes\n // |x509v3_looks_like_dns_name|. Thus we must not consider common names\n // for DNS fallbacks if they fail this check.\n if (check_type == GEN_DNS && !x509v3_looks_like_dns_name(astr, astrlen)) {\n rv = 0;\n } else {\n rv = equal(astr, astrlen, (unsigned char *)b, blen, flags);\n }\n if (rv > 0 && peername) {\n *peername = OPENSSL_strndup((char *)astr, astrlen);\n if (*peername == NULL) {\n return -1;\n }\n }\n OPENSSL_free(astr);\n }\n return rv;\n}\n\nstatic int do_x509_check(const X509 *x, const char *chk, size_t chklen,\n unsigned int flags, int check_type, char **peername) {\n int cnid = NID_undef;\n int alt_type;\n int rv = 0;\n equal_fn equal;\n if (check_type == GEN_EMAIL) {\n cnid = NID_pkcs9_emailAddress;\n alt_type = V_ASN1_IA5STRING;\n equal = equal_email;\n } else if (check_type == GEN_DNS) {\n cnid = NID_commonName;\n alt_type = V_ASN1_IA5STRING;\n if (flags & X509_CHECK_FLAG_NO_WILDCARDS) {\n equal = equal_nocase;\n } else {\n equal = equal_wildcard;\n }\n } else {\n alt_type = V_ASN1_OCTET_STRING;\n equal = equal_case;\n }\n\n GENERAL_NAMES *gens = reinterpret_cast(\n X509_get_ext_d2i(x, NID_subject_alt_name, NULL, NULL));\n if (gens) {\n for (size_t i = 0; i < sk_GENERAL_NAME_num(gens); i++) {\n const GENERAL_NAME *gen = sk_GENERAL_NAME_value(gens, i);\n if (gen->type != check_type) {\n continue;\n }\n const ASN1_STRING *cstr;\n if (check_type == GEN_EMAIL) {\n cstr = gen->d.rfc822Name;\n } else if (check_type == GEN_DNS) {\n cstr = gen->d.dNSName;\n } else {\n cstr = gen->d.iPAddress;\n }\n // Positive on success, negative on error!\n if ((rv = do_check_string(cstr, alt_type, equal, flags, check_type, chk,\n chklen, peername)) != 0) {\n break;\n }\n }\n GENERAL_NAMES_free(gens);\n return rv;\n }\n\n // We're done if CN-ID is not pertinent\n if (cnid == NID_undef || (flags & X509_CHECK_FLAG_NEVER_CHECK_SUBJECT)) {\n return 0;\n }\n\n int j = -1;\n const X509_NAME *name = X509_get_subject_name(x);\n while ((j = X509_NAME_get_index_by_NID(name, cnid, j)) >= 0) {\n const X509_NAME_ENTRY *ne = X509_NAME_get_entry(name, j);\n const ASN1_STRING *str = X509_NAME_ENTRY_get_data(ne);\n // Positive on success, negative on error!\n if ((rv = do_check_string(str, -1, equal, flags, check_type, chk, chklen,\n peername)) != 0) {\n return rv;\n }\n }\n return 0;\n}\n\nint X509_check_host(const X509 *x, const char *chk, size_t chklen,\n unsigned int flags, char **peername) {\n if (chk == NULL) {\n return -2;\n }\n if (OPENSSL_memchr(chk, '\\0', chklen)) {\n return -2;\n }\n return do_x509_check(x, chk, chklen, flags, GEN_DNS, peername);\n}\n\nint X509_check_email(const X509 *x, const char *chk, size_t chklen,\n unsigned int flags) {\n if (chk == NULL) {\n return -2;\n }\n if (OPENSSL_memchr(chk, '\\0', chklen)) {\n return -2;\n }\n return do_x509_check(x, chk, chklen, flags, GEN_EMAIL, NULL);\n}\n\nint X509_check_ip(const X509 *x, const unsigned char *chk, size_t chklen,\n unsigned int flags) {\n if (chk == NULL) {\n return -2;\n }\n return do_x509_check(x, (const char *)chk, chklen, flags, GEN_IPADD, NULL);\n}\n\nint X509_check_ip_asc(const X509 *x, const char *ipasc, unsigned int flags) {\n unsigned char ipout[16];\n size_t iplen;\n\n if (ipasc == NULL) {\n return -2;\n }\n iplen = (size_t)x509v3_a2i_ipadd(ipout, ipasc);\n if (iplen == 0) {\n return -2;\n }\n return do_x509_check(x, (const char *)ipout, iplen, flags, GEN_IPADD, NULL);\n}\n\n// Convert IP addresses both IPv4 and IPv6 into an OCTET STRING compatible\n// with RFC 3280.\n\nASN1_OCTET_STRING *a2i_IPADDRESS(const char *ipasc) {\n unsigned char ipout[16];\n ASN1_OCTET_STRING *ret;\n int iplen;\n\n iplen = x509v3_a2i_ipadd(ipout, ipasc);\n if (!iplen) {\n return NULL;\n }\n\n ret = ASN1_OCTET_STRING_new();\n if (!ret) {\n return NULL;\n }\n if (!ASN1_OCTET_STRING_set(ret, ipout, iplen)) {\n ASN1_OCTET_STRING_free(ret);\n return NULL;\n }\n return ret;\n}\n\nASN1_OCTET_STRING *a2i_IPADDRESS_NC(const char *ipasc) {\n ASN1_OCTET_STRING *ret = NULL;\n unsigned char ipout[32];\n char *iptmp = NULL, *p;\n int iplen1, iplen2;\n // FIXME: yes, this function takes a const pointer and writes to it!\n p = const_cast(strchr(ipasc, '/'));\n if (!p) {\n return NULL;\n }\n iptmp = OPENSSL_strdup(ipasc);\n if (!iptmp) {\n return NULL;\n }\n p = iptmp + (p - ipasc);\n *p++ = 0;\n\n iplen1 = x509v3_a2i_ipadd(ipout, iptmp);\n\n if (!iplen1) {\n goto err;\n }\n\n iplen2 = x509v3_a2i_ipadd(ipout + iplen1, p);\n\n OPENSSL_free(iptmp);\n iptmp = NULL;\n\n if (!iplen2 || (iplen1 != iplen2)) {\n goto err;\n }\n\n ret = ASN1_OCTET_STRING_new();\n if (!ret) {\n goto err;\n }\n if (!ASN1_OCTET_STRING_set(ret, ipout, iplen1 + iplen2)) {\n goto err;\n }\n\n return ret;\n\nerr:\n OPENSSL_free(iptmp);\n ASN1_OCTET_STRING_free(ret);\n return NULL;\n}\n\nint x509v3_a2i_ipadd(uint8_t ipout[16], const char *ipasc) {\n // If string contains a ':' assume IPv6\n\n if (strchr(ipasc, ':')) {\n if (!ipv6_from_asc(ipout, ipasc)) {\n return 0;\n }\n return 16;\n } else {\n if (!ipv4_from_asc(ipout, ipasc)) {\n return 0;\n }\n return 4;\n }\n}\n\n// get_ipv4_component consumes one IPv4 component, terminated by either '.' or\n// the end of the string, from |*str|. On success, it returns one, sets |*out|\n// to the component, and advances |*str| to the first unconsumed character. On\n// invalid input, it returns zero.\nstatic int get_ipv4_component(uint8_t *out_byte, const char **str) {\n // Store a slightly larger intermediary so the overflow check is easier.\n uint32_t out = 0;\n for (;;) {\n if (!OPENSSL_isdigit(**str)) {\n return 0;\n }\n out = (out * 10) + (**str - '0');\n if (out > 255) {\n // Components must be 8-bit.\n return 0;\n }\n (*str)++;\n if ((**str) == '.' || (**str) == '\\0') {\n *out_byte = (uint8_t)out;\n return 1;\n }\n if (out == 0) {\n // Reject extra leading zeros. Parsers sometimes treat them as octal, so\n // accepting them would misinterpret input.\n return 0;\n }\n }\n}\n\n// get_ipv4_dot consumes a '.' from |*str| and advances it. It returns one on\n// success and zero if |*str| does not point to a '.'.\nstatic int get_ipv4_dot(const char **str) {\n if (**str != '.') {\n return 0;\n }\n (*str)++;\n return 1;\n}\n\nstatic int ipv4_from_asc(uint8_t v4[4], const char *in) {\n if (!get_ipv4_component(&v4[0], &in) || !get_ipv4_dot(&in) ||\n !get_ipv4_component(&v4[1], &in) || !get_ipv4_dot(&in) ||\n !get_ipv4_component(&v4[2], &in) || !get_ipv4_dot(&in) ||\n !get_ipv4_component(&v4[3], &in) || *in != '\\0') {\n return 0;\n }\n return 1;\n}\n\ntypedef struct {\n // Temporary store for IPV6 output\n uint8_t tmp[16];\n // Total number of bytes in tmp\n int total;\n // The position of a zero (corresponding to '::')\n int zero_pos;\n // Number of zeroes\n int zero_cnt;\n} IPV6_STAT;\n\nstatic int ipv6_from_asc(uint8_t v6[16], const char *in) {\n IPV6_STAT v6stat;\n v6stat.total = 0;\n v6stat.zero_pos = -1;\n v6stat.zero_cnt = 0;\n // Treat the IPv6 representation as a list of values separated by ':'.\n // The presence of a '::' will parse as one, two or three zero length\n // elements.\n if (!CONF_parse_list(in, ':', 0, ipv6_cb, &v6stat)) {\n return 0;\n }\n\n if (v6stat.zero_pos == -1) {\n // If no '::' must have exactly 16 bytes\n if (v6stat.total != 16) {\n return 0;\n }\n } else {\n // If '::' must have less than 16 bytes\n if (v6stat.total >= 16) {\n return 0;\n }\n if (v6stat.zero_cnt > 3) {\n // More than three zeroes is an error\n return 0;\n } else if (v6stat.zero_cnt == 3) {\n // Can only have three zeroes if nothing else present\n if (v6stat.total > 0) {\n return 0;\n }\n } else if (v6stat.zero_cnt == 2) {\n // Can only have two zeroes if at start or end\n if (v6stat.zero_pos != 0 && v6stat.zero_pos != v6stat.total) {\n return 0;\n }\n } else {\n // Can only have one zero if *not* start or end\n if (v6stat.zero_pos == 0 || v6stat.zero_pos == v6stat.total) {\n return 0;\n }\n }\n }\n\n // Format the result.\n if (v6stat.zero_pos >= 0) {\n // Copy initial part\n OPENSSL_memcpy(v6, v6stat.tmp, v6stat.zero_pos);\n // Zero middle\n OPENSSL_memset(v6 + v6stat.zero_pos, 0, 16 - v6stat.total);\n // Copy final part\n if (v6stat.total != v6stat.zero_pos) {\n OPENSSL_memcpy(v6 + v6stat.zero_pos + 16 - v6stat.total,\n v6stat.tmp + v6stat.zero_pos,\n v6stat.total - v6stat.zero_pos);\n }\n } else {\n OPENSSL_memcpy(v6, v6stat.tmp, 16);\n }\n\n return 1;\n}\n\nstatic int ipv6_cb(const char *elem, size_t len, void *usr) {\n IPV6_STAT *s = reinterpret_cast(usr);\n // Error if 16 bytes written\n if (s->total == 16) {\n return 0;\n }\n if (len == 0) {\n // Zero length element, corresponds to '::'\n if (s->zero_pos == -1) {\n s->zero_pos = s->total;\n } else if (s->zero_pos != s->total) {\n // If we've already got a :: its an error\n return 0;\n }\n if (s->zero_cnt >= 3) {\n // More than three zeros is an error.\n return 0;\n }\n s->zero_cnt++;\n } else {\n // If more than 4 characters could be final a.b.c.d form\n if (len > 4) {\n // Need at least 4 bytes left\n if (s->total > 12) {\n return 0;\n }\n // Must be end of string\n if (elem[len]) {\n return 0;\n }\n if (!ipv4_from_asc(s->tmp + s->total, elem)) {\n return 0;\n }\n s->total += 4;\n } else {\n if (!ipv6_hex(s->tmp + s->total, elem, len)) {\n return 0;\n }\n s->total += 2;\n }\n }\n return 1;\n}\n\n// Convert a string of up to 4 hex digits into the corresponding IPv6 form.\n\nstatic int ipv6_hex(uint8_t *out, const char *in, size_t inlen) {\n if (inlen > 4) {\n return 0;\n }\n uint16_t num = 0;\n while (inlen--) {\n uint8_t val;\n if (!OPENSSL_fromxdigit(&val, *in++)) {\n return 0;\n }\n num = (num << 4) | val;\n }\n out[0] = num >> 8;\n out[1] = num & 0xff;\n return 1;\n}\n\nint X509V3_NAME_from_section(X509_NAME *nm, const STACK_OF(CONF_VALUE) *dn_sk,\n int chtype) {\n if (!nm) {\n return 0;\n }\n\n for (size_t i = 0; i < sk_CONF_VALUE_num(dn_sk); i++) {\n const CONF_VALUE *v = sk_CONF_VALUE_value(dn_sk, i);\n const char *type = v->name;\n // Skip past any leading X. X: X, etc to allow for multiple instances\n for (const char *p = type; *p; p++) {\n if ((*p == ':') || (*p == ',') || (*p == '.')) {\n p++;\n if (*p) {\n type = p;\n }\n break;\n }\n }\n int mval;\n if (*type == '+') {\n mval = -1;\n type++;\n } else {\n mval = 0;\n }\n if (!X509_NAME_add_entry_by_txt(nm, type, chtype, (unsigned char *)v->value,\n -1, -1, mval)) {\n return 0;\n }\n }\n return 1;\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/x509/x509.cc", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n#include \n#include \n\n\n// |X509_R_UNSUPPORTED_ALGORITHM| is no longer emitted, but continue to define\n// it to avoid downstream churn.\nOPENSSL_DECLARE_ERROR_REASON(X509, UNSUPPORTED_ALGORITHM)\n\nint X509_signature_dump(BIO *bp, const ASN1_STRING *sig, int indent) {\n const uint8_t *s;\n int i, n;\n\n n = sig->length;\n s = sig->data;\n for (i = 0; i < n; i++) {\n if ((i % 18) == 0) {\n if (BIO_write(bp, \"\\n\", 1) <= 0 || BIO_indent(bp, indent, indent) <= 0) {\n return 0;\n }\n }\n if (BIO_printf(bp, \"%02x%s\", s[i], ((i + 1) == n) ? \"\" : \":\") <= 0) {\n return 0;\n }\n }\n if (BIO_write(bp, \"\\n\", 1) != 1) {\n return 0;\n }\n\n return 1;\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/x509/x509_att.cc", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n#include \n#include \n#include \n\n#include \"../asn1/internal.h\"\n#include \"internal.h\"\n\n\nX509_ATTRIBUTE *X509_ATTRIBUTE_create_by_NID(X509_ATTRIBUTE **attr, int nid,\n int attrtype, const void *data,\n int len) {\n const ASN1_OBJECT *obj;\n\n obj = OBJ_nid2obj(nid);\n if (obj == NULL) {\n OPENSSL_PUT_ERROR(X509, X509_R_UNKNOWN_NID);\n return NULL;\n }\n return X509_ATTRIBUTE_create_by_OBJ(attr, obj, attrtype, data, len);\n}\n\nX509_ATTRIBUTE *X509_ATTRIBUTE_create_by_OBJ(X509_ATTRIBUTE **attr,\n const ASN1_OBJECT *obj,\n int attrtype, const void *data,\n int len) {\n X509_ATTRIBUTE *ret;\n\n if ((attr == NULL) || (*attr == NULL)) {\n if ((ret = X509_ATTRIBUTE_new()) == NULL) {\n return NULL;\n }\n } else {\n ret = *attr;\n }\n\n if (!X509_ATTRIBUTE_set1_object(ret, obj)) {\n goto err;\n }\n if (!X509_ATTRIBUTE_set1_data(ret, attrtype, data, len)) {\n goto err;\n }\n\n if ((attr != NULL) && (*attr == NULL)) {\n *attr = ret;\n }\n return ret;\nerr:\n if ((attr == NULL) || (ret != *attr)) {\n X509_ATTRIBUTE_free(ret);\n }\n return NULL;\n}\n\nX509_ATTRIBUTE *X509_ATTRIBUTE_create_by_txt(X509_ATTRIBUTE **attr,\n const char *attrname, int type,\n const unsigned char *bytes,\n int len) {\n ASN1_OBJECT *obj;\n X509_ATTRIBUTE *nattr;\n\n obj = OBJ_txt2obj(attrname, 0);\n if (obj == NULL) {\n OPENSSL_PUT_ERROR(X509, X509_R_INVALID_FIELD_NAME);\n ERR_add_error_data(2, \"name=\", attrname);\n return NULL;\n }\n nattr = X509_ATTRIBUTE_create_by_OBJ(attr, obj, type, bytes, len);\n ASN1_OBJECT_free(obj);\n return nattr;\n}\n\nint X509_ATTRIBUTE_set1_object(X509_ATTRIBUTE *attr, const ASN1_OBJECT *obj) {\n if ((attr == NULL) || (obj == NULL)) {\n return 0;\n }\n ASN1_OBJECT_free(attr->object);\n attr->object = OBJ_dup(obj);\n return attr->object != NULL;\n}\n\nint X509_ATTRIBUTE_set1_data(X509_ATTRIBUTE *attr, int attrtype,\n const void *data, int len) {\n if (!attr) {\n return 0;\n }\n\n if (attrtype == 0) {\n // Do nothing. This is used to create an empty value set in\n // |X509_ATTRIBUTE_create_by_*|. This is invalid, but supported by OpenSSL.\n return 1;\n }\n\n ASN1_TYPE *typ = ASN1_TYPE_new();\n if (typ == NULL) {\n return 0;\n }\n\n // This function is several functions in one.\n if (attrtype & MBSTRING_FLAG) {\n // |data| is an encoded string. We must decode and re-encode it to |attr|'s\n // preferred ASN.1 type. Note |len| may be -1, in which case\n // |ASN1_STRING_set_by_NID| calls |strlen| automatically.\n ASN1_STRING *str =\n ASN1_STRING_set_by_NID(NULL, reinterpret_cast(data),\n len, attrtype, OBJ_obj2nid(attr->object));\n if (str == NULL) {\n OPENSSL_PUT_ERROR(X509, ERR_R_ASN1_LIB);\n goto err;\n }\n asn1_type_set0_string(typ, str);\n } else if (len != -1) {\n // |attrtype| must be a valid |ASN1_STRING| type. |data| and |len| is a\n // value in the corresponding |ASN1_STRING| representation.\n ASN1_STRING *str = ASN1_STRING_type_new(attrtype);\n if (str == NULL || !ASN1_STRING_set(str, data, len)) {\n ASN1_STRING_free(str);\n goto err;\n }\n asn1_type_set0_string(typ, str);\n } else {\n // |attrtype| must be a valid |ASN1_TYPE| type. |data| is a pointer to an\n // object of the corresponding type.\n if (!ASN1_TYPE_set1(typ, attrtype, data)) {\n goto err;\n }\n }\n\n if (!sk_ASN1_TYPE_push(attr->set, typ)) {\n goto err;\n }\n return 1;\n\nerr:\n ASN1_TYPE_free(typ);\n return 0;\n}\n\nint X509_ATTRIBUTE_count(const X509_ATTRIBUTE *attr) {\n return (int)sk_ASN1_TYPE_num(attr->set);\n}\n\nASN1_OBJECT *X509_ATTRIBUTE_get0_object(X509_ATTRIBUTE *attr) {\n if (attr == NULL) {\n return NULL;\n }\n return attr->object;\n}\n\nvoid *X509_ATTRIBUTE_get0_data(X509_ATTRIBUTE *attr, int idx, int attrtype,\n void *unused) {\n ASN1_TYPE *ttmp;\n ttmp = X509_ATTRIBUTE_get0_type(attr, idx);\n if (!ttmp) {\n return NULL;\n }\n if (attrtype != ASN1_TYPE_get(ttmp)) {\n OPENSSL_PUT_ERROR(X509, X509_R_WRONG_TYPE);\n return NULL;\n }\n return (void *)asn1_type_value_as_pointer(ttmp);\n}\n\nASN1_TYPE *X509_ATTRIBUTE_get0_type(X509_ATTRIBUTE *attr, int idx) {\n if (attr == NULL) {\n return NULL;\n }\n if (idx >= X509_ATTRIBUTE_count(attr)) {\n return NULL;\n }\n return sk_ASN1_TYPE_value(attr->set, idx);\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/x509/x509_cmp.cc", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n\n#include \"../internal.h\"\n#include \"internal.h\"\n\n\nint X509_issuer_name_cmp(const X509 *a, const X509 *b) {\n return (X509_NAME_cmp(a->cert_info->issuer, b->cert_info->issuer));\n}\n\nint X509_subject_name_cmp(const X509 *a, const X509 *b) {\n return (X509_NAME_cmp(a->cert_info->subject, b->cert_info->subject));\n}\n\nint X509_CRL_cmp(const X509_CRL *a, const X509_CRL *b) {\n return (X509_NAME_cmp(a->crl->issuer, b->crl->issuer));\n}\n\nint X509_CRL_match(const X509_CRL *a, const X509_CRL *b) {\n return OPENSSL_memcmp(a->crl_hash, b->crl_hash, SHA256_DIGEST_LENGTH);\n}\n\nX509_NAME *X509_get_issuer_name(const X509 *a) {\n return a->cert_info->issuer;\n}\n\nuint32_t X509_issuer_name_hash(X509 *x) {\n return X509_NAME_hash(x->cert_info->issuer);\n}\n\nuint32_t X509_issuer_name_hash_old(X509 *x) {\n return (X509_NAME_hash_old(x->cert_info->issuer));\n}\n\nX509_NAME *X509_get_subject_name(const X509 *a) {\n return a->cert_info->subject;\n}\n\nASN1_INTEGER *X509_get_serialNumber(X509 *a) {\n return a->cert_info->serialNumber;\n}\n\nconst ASN1_INTEGER *X509_get0_serialNumber(const X509 *x509) {\n return x509->cert_info->serialNumber;\n}\n\nuint32_t X509_subject_name_hash(X509 *x) {\n return X509_NAME_hash(x->cert_info->subject);\n}\n\nuint32_t X509_subject_name_hash_old(X509 *x) {\n return X509_NAME_hash_old(x->cert_info->subject);\n}\n\n// Compare two certificates: they must be identical for this to work. NB:\n// Although \"cmp\" operations are generally prototyped to take \"const\"\n// arguments (eg. for use in STACKs), the way X509 handling is - these\n// operations may involve ensuring the hashes are up-to-date and ensuring\n// certain cert information is cached. So this is the point where the\n// \"depth-first\" constification tree has to halt with an evil cast.\nint X509_cmp(const X509 *a, const X509 *b) {\n // Fill in the |cert_hash| fields.\n //\n // TODO(davidben): This may fail, in which case the the hash will be all\n // zeros. This produces a consistent comparison (failures are sticky), but\n // not a good one. OpenSSL now returns -2, but this is not a consistent\n // comparison and may cause misbehaving sorts by transitivity. For now, we\n // retain the old OpenSSL behavior, which was to ignore the error. See\n // https://crbug.com/boringssl/355.\n x509v3_cache_extensions((X509 *)a);\n x509v3_cache_extensions((X509 *)b);\n\n return OPENSSL_memcmp(a->cert_hash, b->cert_hash, SHA256_DIGEST_LENGTH);\n}\n\nint X509_NAME_cmp(const X509_NAME *a, const X509_NAME *b) {\n int ret;\n\n // Ensure canonical encoding is present and up to date\n\n if (!a->canon_enc || a->modified) {\n ret = i2d_X509_NAME((X509_NAME *)a, NULL);\n if (ret < 0) {\n return -2;\n }\n }\n\n if (!b->canon_enc || b->modified) {\n ret = i2d_X509_NAME((X509_NAME *)b, NULL);\n if (ret < 0) {\n return -2;\n }\n }\n\n ret = a->canon_enclen - b->canon_enclen;\n\n if (ret) {\n return ret;\n }\n\n return OPENSSL_memcmp(a->canon_enc, b->canon_enc, a->canon_enclen);\n}\n\nuint32_t X509_NAME_hash(X509_NAME *x) {\n // Make sure the X509_NAME structure contains a valid cached encoding.\n if (i2d_X509_NAME(x, NULL) < 0) {\n return 0;\n }\n\n uint8_t md[SHA_DIGEST_LENGTH];\n SHA1(x->canon_enc, x->canon_enclen, md);\n return CRYPTO_load_u32_le(md);\n}\n\n// I now DER encode the name and hash it. Since I cache the DER encoding,\n// this is reasonably efficient.\n\nuint32_t X509_NAME_hash_old(X509_NAME *x) {\n // Make sure the X509_NAME structure contains a valid cached encoding.\n if (i2d_X509_NAME(x, NULL) < 0) {\n return 0;\n }\n\n uint8_t md[SHA_DIGEST_LENGTH];\n MD5((const uint8_t *)x->bytes->data, x->bytes->length, md);\n return CRYPTO_load_u32_le(md);\n}\n\nX509 *X509_find_by_issuer_and_serial(const STACK_OF(X509) *sk, X509_NAME *name,\n const ASN1_INTEGER *serial) {\n if (serial->type != V_ASN1_INTEGER && serial->type != V_ASN1_NEG_INTEGER) {\n return NULL;\n }\n\n for (size_t i = 0; i < sk_X509_num(sk); i++) {\n X509 *x509 = sk_X509_value(sk, i);\n if (ASN1_INTEGER_cmp(X509_get0_serialNumber(x509), serial) == 0 &&\n X509_NAME_cmp(X509_get_issuer_name(x509), name) == 0) {\n return x509;\n }\n }\n return NULL;\n}\n\nX509 *X509_find_by_subject(const STACK_OF(X509) *sk, X509_NAME *name) {\n for (size_t i = 0; i < sk_X509_num(sk); i++) {\n X509 *x509 = sk_X509_value(sk, i);\n if (X509_NAME_cmp(X509_get_subject_name(x509), name) == 0) {\n return x509;\n }\n }\n return NULL;\n}\n\nEVP_PKEY *X509_get0_pubkey(const X509 *x) {\n if (x == NULL) {\n return NULL;\n }\n return X509_PUBKEY_get0(x->cert_info->key);\n}\n\nEVP_PKEY *X509_get_pubkey(const X509 *x) {\n if (x == NULL) {\n return NULL;\n }\n return X509_PUBKEY_get(x->cert_info->key);\n}\n\nASN1_BIT_STRING *X509_get0_pubkey_bitstr(const X509 *x) {\n if (!x) {\n return NULL;\n }\n return x->cert_info->key->public_key;\n}\n\nint X509_check_private_key(const X509 *x, const EVP_PKEY *k) {\n const EVP_PKEY *xk = X509_get0_pubkey(x);\n if (xk == NULL) {\n return 0;\n }\n\n int ret = EVP_PKEY_cmp(xk, k);\n if (ret > 0) {\n return 1;\n }\n\n switch (ret) {\n case 0:\n OPENSSL_PUT_ERROR(X509, X509_R_KEY_VALUES_MISMATCH);\n return 0;\n case -1:\n OPENSSL_PUT_ERROR(X509, X509_R_KEY_TYPE_MISMATCH);\n return 0;\n case -2:\n OPENSSL_PUT_ERROR(X509, X509_R_UNKNOWN_KEY_TYPE);\n return 0;\n }\n\n return 0;\n}\n\n// Not strictly speaking an \"up_ref\" as a STACK doesn't have a reference\n// count but it has the same effect by duping the STACK and upping the ref of\n// each X509 structure.\nSTACK_OF(X509) *X509_chain_up_ref(STACK_OF(X509) *chain) {\n STACK_OF(X509) *ret = sk_X509_dup(chain);\n if (ret == NULL) {\n return NULL;\n }\n for (size_t i = 0; i < sk_X509_num(ret); i++) {\n X509_up_ref(sk_X509_value(ret, i));\n }\n return ret;\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/x509/x509_d2.cc", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n#include \n\n\nint X509_STORE_set_default_paths(X509_STORE *ctx) {\n X509_LOOKUP *lookup;\n\n lookup = X509_STORE_add_lookup(ctx, X509_LOOKUP_file());\n if (lookup == NULL) {\n return 0;\n }\n X509_LOOKUP_load_file(lookup, NULL, X509_FILETYPE_DEFAULT);\n\n lookup = X509_STORE_add_lookup(ctx, X509_LOOKUP_hash_dir());\n if (lookup == NULL) {\n return 0;\n }\n X509_LOOKUP_add_dir(lookup, NULL, X509_FILETYPE_DEFAULT);\n\n // clear any errors\n ERR_clear_error();\n\n return 1;\n}\n\nint X509_STORE_load_locations(X509_STORE *ctx, const char *file,\n const char *path) {\n X509_LOOKUP *lookup;\n\n if (file != NULL) {\n lookup = X509_STORE_add_lookup(ctx, X509_LOOKUP_file());\n if (lookup == NULL) {\n return 0;\n }\n if (X509_LOOKUP_load_file(lookup, file, X509_FILETYPE_PEM) != 1) {\n return 0;\n }\n }\n if (path != NULL) {\n lookup = X509_STORE_add_lookup(ctx, X509_LOOKUP_hash_dir());\n if (lookup == NULL) {\n return 0;\n }\n if (X509_LOOKUP_add_dir(lookup, path, X509_FILETYPE_PEM) != 1) {\n return 0;\n }\n }\n if ((path == NULL) && (file == NULL)) {\n return 0;\n }\n return 1;\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/x509/x509_def.cc", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n// TODO(fork): cleanup\n\n#if defined(OPENSSL_FUCHSIA)\n#define OPENSSLDIR \"/config/ssl\"\n#else\n#define OPENSSLDIR \"/etc/ssl\"\n#endif\n\n#define X509_CERT_AREA OPENSSLDIR\n#define X509_CERT_DIR OPENSSLDIR \"/certs\"\n#define X509_CERT_FILE OPENSSLDIR \"/cert.pem\"\n#define X509_PRIVATE_DIR OPENSSLDIR \"/private\"\n#define X509_CERT_DIR_EVP \"SSL_CERT_DIR\"\n#define X509_CERT_FILE_EVP \"SSL_CERT_FILE\"\n\nconst char *X509_get_default_private_dir(void) { return X509_PRIVATE_DIR; }\n\nconst char *X509_get_default_cert_area(void) { return X509_CERT_AREA; }\n\nconst char *X509_get_default_cert_dir(void) { return X509_CERT_DIR; }\n\nconst char *X509_get_default_cert_file(void) { return X509_CERT_FILE; }\n\nconst char *X509_get_default_cert_dir_env(void) { return X509_CERT_DIR_EVP; }\n\nconst char *X509_get_default_cert_file_env(void) {\n return X509_CERT_FILE_EVP;\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/x509/x509_ext.cc", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n#include \n#include \n#include \n#include \n\n#include \"internal.h\"\n\nint X509_CRL_get_ext_count(const X509_CRL *x) {\n return (X509v3_get_ext_count(x->crl->extensions));\n}\n\nint X509_CRL_get_ext_by_NID(const X509_CRL *x, int nid, int lastpos) {\n return (X509v3_get_ext_by_NID(x->crl->extensions, nid, lastpos));\n}\n\nint X509_CRL_get_ext_by_OBJ(const X509_CRL *x, const ASN1_OBJECT *obj,\n int lastpos) {\n return (X509v3_get_ext_by_OBJ(x->crl->extensions, obj, lastpos));\n}\n\nint X509_CRL_get_ext_by_critical(const X509_CRL *x, int crit, int lastpos) {\n return (X509v3_get_ext_by_critical(x->crl->extensions, crit, lastpos));\n}\n\nX509_EXTENSION *X509_CRL_get_ext(const X509_CRL *x, int loc) {\n return (X509v3_get_ext(x->crl->extensions, loc));\n}\n\nX509_EXTENSION *X509_CRL_delete_ext(X509_CRL *x, int loc) {\n return (X509v3_delete_ext(x->crl->extensions, loc));\n}\n\nvoid *X509_CRL_get_ext_d2i(const X509_CRL *crl, int nid, int *out_critical,\n int *out_idx) {\n return X509V3_get_d2i(crl->crl->extensions, nid, out_critical, out_idx);\n}\n\nint X509_CRL_add1_ext_i2d(X509_CRL *x, int nid, void *value, int crit,\n unsigned long flags) {\n return X509V3_add1_i2d(&x->crl->extensions, nid, value, crit, flags);\n}\n\nint X509_CRL_add_ext(X509_CRL *x, const X509_EXTENSION *ex, int loc) {\n return (X509v3_add_ext(&(x->crl->extensions), ex, loc) != NULL);\n}\n\nint X509_get_ext_count(const X509 *x) {\n return (X509v3_get_ext_count(x->cert_info->extensions));\n}\n\nint X509_get_ext_by_NID(const X509 *x, int nid, int lastpos) {\n return (X509v3_get_ext_by_NID(x->cert_info->extensions, nid, lastpos));\n}\n\nint X509_get_ext_by_OBJ(const X509 *x, const ASN1_OBJECT *obj, int lastpos) {\n return (X509v3_get_ext_by_OBJ(x->cert_info->extensions, obj, lastpos));\n}\n\nint X509_get_ext_by_critical(const X509 *x, int crit, int lastpos) {\n return (X509v3_get_ext_by_critical(x->cert_info->extensions, crit, lastpos));\n}\n\nX509_EXTENSION *X509_get_ext(const X509 *x, int loc) {\n return (X509v3_get_ext(x->cert_info->extensions, loc));\n}\n\nX509_EXTENSION *X509_delete_ext(X509 *x, int loc) {\n return (X509v3_delete_ext(x->cert_info->extensions, loc));\n}\n\nint X509_add_ext(X509 *x, const X509_EXTENSION *ex, int loc) {\n return (X509v3_add_ext(&(x->cert_info->extensions), ex, loc) != NULL);\n}\n\nvoid *X509_get_ext_d2i(const X509 *x509, int nid, int *out_critical,\n int *out_idx) {\n return X509V3_get_d2i(x509->cert_info->extensions, nid, out_critical,\n out_idx);\n}\n\nint X509_add1_ext_i2d(X509 *x, int nid, void *value, int crit,\n unsigned long flags) {\n return X509V3_add1_i2d(&x->cert_info->extensions, nid, value, crit, flags);\n}\n\nint X509_REVOKED_get_ext_count(const X509_REVOKED *x) {\n return (X509v3_get_ext_count(x->extensions));\n}\n\nint X509_REVOKED_get_ext_by_NID(const X509_REVOKED *x, int nid, int lastpos) {\n return (X509v3_get_ext_by_NID(x->extensions, nid, lastpos));\n}\n\nint X509_REVOKED_get_ext_by_OBJ(const X509_REVOKED *x, const ASN1_OBJECT *obj,\n int lastpos) {\n return (X509v3_get_ext_by_OBJ(x->extensions, obj, lastpos));\n}\n\nint X509_REVOKED_get_ext_by_critical(const X509_REVOKED *x, int crit,\n int lastpos) {\n return (X509v3_get_ext_by_critical(x->extensions, crit, lastpos));\n}\n\nX509_EXTENSION *X509_REVOKED_get_ext(const X509_REVOKED *x, int loc) {\n return (X509v3_get_ext(x->extensions, loc));\n}\n\nX509_EXTENSION *X509_REVOKED_delete_ext(X509_REVOKED *x, int loc) {\n return (X509v3_delete_ext(x->extensions, loc));\n}\n\nint X509_REVOKED_add_ext(X509_REVOKED *x, const X509_EXTENSION *ex, int loc) {\n return (X509v3_add_ext(&(x->extensions), ex, loc) != NULL);\n}\n\nvoid *X509_REVOKED_get_ext_d2i(const X509_REVOKED *revoked, int nid,\n int *out_critical, int *out_idx) {\n return X509V3_get_d2i(revoked->extensions, nid, out_critical, out_idx);\n}\n\nint X509_REVOKED_add1_ext_i2d(X509_REVOKED *x, int nid, void *value, int crit,\n unsigned long flags) {\n return X509V3_add1_i2d(&x->extensions, nid, value, crit, flags);\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/x509/x509_lu.cc", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n#include \n#include \n#include \n\n#include \"../internal.h\"\n#include \"internal.h\"\n\n\nstatic int X509_OBJECT_idx_by_subject(STACK_OF(X509_OBJECT) *h, int type,\n X509_NAME *name);\nstatic X509_OBJECT *X509_OBJECT_retrieve_by_subject(STACK_OF(X509_OBJECT) *h,\n int type, X509_NAME *name);\nstatic X509_OBJECT *X509_OBJECT_retrieve_match(STACK_OF(X509_OBJECT) *h,\n X509_OBJECT *x);\nstatic int X509_OBJECT_up_ref_count(X509_OBJECT *a);\n\nstatic X509_LOOKUP *X509_LOOKUP_new(const X509_LOOKUP_METHOD *method,\n X509_STORE *store);\nstatic int X509_LOOKUP_by_subject(X509_LOOKUP *ctx, int type, X509_NAME *name,\n X509_OBJECT *ret);\n\nstatic X509_LOOKUP *X509_LOOKUP_new(const X509_LOOKUP_METHOD *method,\n X509_STORE *store) {\n X509_LOOKUP *ret =\n reinterpret_cast(OPENSSL_zalloc(sizeof(X509_LOOKUP)));\n if (ret == NULL) {\n return NULL;\n }\n\n ret->method = method;\n ret->store_ctx = store;\n if (method->new_item != NULL && !method->new_item(ret)) {\n OPENSSL_free(ret);\n return NULL;\n }\n return ret;\n}\n\nvoid X509_LOOKUP_free(X509_LOOKUP *ctx) {\n if (ctx == NULL) {\n return;\n }\n if (ctx->method != NULL && ctx->method->free != NULL) {\n (*ctx->method->free)(ctx);\n }\n OPENSSL_free(ctx);\n}\n\nint X509_LOOKUP_ctrl(X509_LOOKUP *ctx, int cmd, const char *argc, long argl,\n char **ret) {\n if (ctx->method == NULL) {\n return -1;\n }\n if (ctx->method->ctrl != NULL) {\n return ctx->method->ctrl(ctx, cmd, argc, argl, ret);\n } else {\n return 1;\n }\n}\n\nstatic int X509_LOOKUP_by_subject(X509_LOOKUP *ctx, int type, X509_NAME *name,\n X509_OBJECT *ret) {\n if (ctx->method == NULL || ctx->method->get_by_subject == NULL) {\n return 0;\n }\n // Note |get_by_subject| leaves |ret| in an inconsistent state. It has\n // pointers to an |X509| or |X509_CRL|, but has not bumped the refcount yet.\n // For now, the caller is expected to fix this, but ideally we'd fix the\n // |X509_LOOKUP| convention itself.\n return ctx->method->get_by_subject(ctx, type, name, ret) > 0;\n}\n\nstatic int x509_object_cmp(const X509_OBJECT *a, const X509_OBJECT *b) {\n int ret = a->type - b->type;\n if (ret) {\n return ret;\n }\n switch (a->type) {\n case X509_LU_X509:\n return X509_subject_name_cmp(a->data.x509, b->data.x509);\n case X509_LU_CRL:\n return X509_CRL_cmp(a->data.crl, b->data.crl);\n default:\n // abort();\n return 0;\n }\n}\n\nstatic int x509_object_cmp_sk(const X509_OBJECT *const *a,\n const X509_OBJECT *const *b) {\n return x509_object_cmp(*a, *b);\n}\n\nX509_STORE *X509_STORE_new(void) {\n X509_STORE *ret =\n reinterpret_cast(OPENSSL_zalloc(sizeof(X509_STORE)));\n if (ret == NULL) {\n return NULL;\n }\n\n ret->references = 1;\n CRYPTO_MUTEX_init(&ret->objs_lock);\n ret->objs = sk_X509_OBJECT_new(x509_object_cmp_sk);\n ret->get_cert_methods = sk_X509_LOOKUP_new_null();\n ret->param = X509_VERIFY_PARAM_new();\n if (ret->objs == NULL || ret->get_cert_methods == NULL ||\n ret->param == NULL) {\n X509_STORE_free(ret);\n return NULL;\n }\n\n return ret;\n}\n\nint X509_STORE_up_ref(X509_STORE *store) {\n CRYPTO_refcount_inc(&store->references);\n return 1;\n}\n\nvoid X509_STORE_free(X509_STORE *vfy) {\n if (vfy == nullptr || !CRYPTO_refcount_dec_and_test_zero(&vfy->references)) {\n return;\n }\n\n CRYPTO_MUTEX_cleanup(&vfy->objs_lock);\n sk_X509_LOOKUP_pop_free(vfy->get_cert_methods, X509_LOOKUP_free);\n sk_X509_OBJECT_pop_free(vfy->objs, X509_OBJECT_free);\n X509_VERIFY_PARAM_free(vfy->param);\n OPENSSL_free(vfy);\n}\n\nX509_LOOKUP *X509_STORE_add_lookup(X509_STORE *v, const X509_LOOKUP_METHOD *m) {\n STACK_OF(X509_LOOKUP) *sk = v->get_cert_methods;\n for (size_t i = 0; i < sk_X509_LOOKUP_num(sk); i++) {\n X509_LOOKUP *lu = sk_X509_LOOKUP_value(sk, i);\n if (m == lu->method) {\n return lu;\n }\n }\n\n X509_LOOKUP *lu = X509_LOOKUP_new(m, v);\n if (lu == NULL || !sk_X509_LOOKUP_push(v->get_cert_methods, lu)) {\n X509_LOOKUP_free(lu);\n return NULL;\n }\n\n return lu;\n}\n\nint X509_STORE_CTX_get_by_subject(X509_STORE_CTX *vs, int type, X509_NAME *name,\n X509_OBJECT *ret) {\n X509_STORE *ctx = vs->ctx;\n X509_OBJECT stmp;\n CRYPTO_MUTEX_lock_write(&ctx->objs_lock);\n X509_OBJECT *tmp = X509_OBJECT_retrieve_by_subject(ctx->objs, type, name);\n CRYPTO_MUTEX_unlock_write(&ctx->objs_lock);\n\n if (tmp == NULL || type == X509_LU_CRL) {\n for (size_t i = 0; i < sk_X509_LOOKUP_num(ctx->get_cert_methods); i++) {\n X509_LOOKUP *lu = sk_X509_LOOKUP_value(ctx->get_cert_methods, i);\n if (X509_LOOKUP_by_subject(lu, type, name, &stmp)) {\n tmp = &stmp;\n break;\n }\n }\n if (tmp == NULL) {\n return 0;\n }\n }\n\n // TODO(crbug.com/boringssl/685): This should call\n // |X509_OBJECT_free_contents|.\n ret->type = tmp->type;\n ret->data = tmp->data;\n X509_OBJECT_up_ref_count(ret);\n return 1;\n}\n\nstatic int x509_store_add(X509_STORE *ctx, void *x, int is_crl) {\n if (x == NULL) {\n return 0;\n }\n\n X509_OBJECT *const obj = X509_OBJECT_new();\n if (obj == NULL) {\n return 0;\n }\n\n if (is_crl) {\n obj->type = X509_LU_CRL;\n obj->data.crl = (X509_CRL *)x;\n } else {\n obj->type = X509_LU_X509;\n obj->data.x509 = (X509 *)x;\n }\n X509_OBJECT_up_ref_count(obj);\n\n CRYPTO_MUTEX_lock_write(&ctx->objs_lock);\n\n int ret = 1;\n int added = 0;\n // Duplicates are silently ignored\n if (!X509_OBJECT_retrieve_match(ctx->objs, obj)) {\n ret = added = (sk_X509_OBJECT_push(ctx->objs, obj) != 0);\n }\n\n CRYPTO_MUTEX_unlock_write(&ctx->objs_lock);\n\n if (!added) {\n X509_OBJECT_free(obj);\n }\n\n return ret;\n}\n\nint X509_STORE_add_cert(X509_STORE *ctx, X509 *x) {\n return x509_store_add(ctx, x, /*is_crl=*/0);\n}\n\nint X509_STORE_add_crl(X509_STORE *ctx, X509_CRL *x) {\n return x509_store_add(ctx, x, /*is_crl=*/1);\n}\n\nX509_OBJECT *X509_OBJECT_new(void) {\n return reinterpret_cast(OPENSSL_zalloc(sizeof(X509_OBJECT)));\n}\n\nvoid X509_OBJECT_free(X509_OBJECT *obj) {\n if (obj == NULL) {\n return;\n }\n X509_OBJECT_free_contents(obj);\n OPENSSL_free(obj);\n}\n\nstatic int X509_OBJECT_up_ref_count(X509_OBJECT *a) {\n switch (a->type) {\n case X509_LU_X509:\n X509_up_ref(a->data.x509);\n break;\n case X509_LU_CRL:\n X509_CRL_up_ref(a->data.crl);\n break;\n }\n return 1;\n}\n\nvoid X509_OBJECT_free_contents(X509_OBJECT *a) {\n switch (a->type) {\n case X509_LU_X509:\n X509_free(a->data.x509);\n break;\n case X509_LU_CRL:\n X509_CRL_free(a->data.crl);\n break;\n }\n\n OPENSSL_memset(a, 0, sizeof(X509_OBJECT));\n}\n\nint X509_OBJECT_get_type(const X509_OBJECT *a) { return a->type; }\n\nX509 *X509_OBJECT_get0_X509(const X509_OBJECT *a) {\n if (a == NULL || a->type != X509_LU_X509) {\n return NULL;\n }\n return a->data.x509;\n}\n\nstatic int x509_object_idx_cnt(STACK_OF(X509_OBJECT) *h, int type,\n X509_NAME *name, int *pnmatch) {\n X509_OBJECT stmp;\n X509 x509_s;\n X509_CINF cinf_s;\n X509_CRL crl_s;\n X509_CRL_INFO crl_info_s;\n\n stmp.type = type;\n switch (type) {\n case X509_LU_X509:\n stmp.data.x509 = &x509_s;\n x509_s.cert_info = &cinf_s;\n cinf_s.subject = name;\n break;\n case X509_LU_CRL:\n stmp.data.crl = &crl_s;\n crl_s.crl = &crl_info_s;\n crl_info_s.issuer = name;\n break;\n default:\n // abort();\n return -1;\n }\n\n size_t idx;\n sk_X509_OBJECT_sort(h);\n if (!sk_X509_OBJECT_find(h, &idx, &stmp)) {\n return -1;\n }\n\n if (pnmatch != NULL) {\n *pnmatch = 1;\n for (size_t tidx = idx + 1; tidx < sk_X509_OBJECT_num(h); tidx++) {\n const X509_OBJECT *tobj = sk_X509_OBJECT_value(h, tidx);\n if (x509_object_cmp(tobj, &stmp)) {\n break;\n }\n (*pnmatch)++;\n }\n }\n\n return (int)idx;\n}\n\nstatic int X509_OBJECT_idx_by_subject(STACK_OF(X509_OBJECT) *h, int type,\n X509_NAME *name) {\n return x509_object_idx_cnt(h, type, name, NULL);\n}\n\nstatic X509_OBJECT *X509_OBJECT_retrieve_by_subject(STACK_OF(X509_OBJECT) *h,\n int type, X509_NAME *name) {\n int idx;\n idx = X509_OBJECT_idx_by_subject(h, type, name);\n if (idx == -1) {\n return NULL;\n }\n return sk_X509_OBJECT_value(h, idx);\n}\n\nstatic X509_OBJECT *x509_object_dup(const X509_OBJECT *obj) {\n X509_OBJECT *ret = X509_OBJECT_new();\n if (ret == NULL) {\n return NULL;\n }\n ret->type = obj->type;\n ret->data = obj->data;\n X509_OBJECT_up_ref_count(ret);\n return ret;\n}\n\nSTACK_OF(X509_OBJECT) *X509_STORE_get1_objects(X509_STORE *store) {\n CRYPTO_MUTEX_lock_read(&store->objs_lock);\n STACK_OF(X509_OBJECT) *ret =\n sk_X509_OBJECT_deep_copy(store->objs, x509_object_dup, X509_OBJECT_free);\n CRYPTO_MUTEX_unlock_read(&store->objs_lock);\n return ret;\n}\n\nSTACK_OF(X509_OBJECT) *X509_STORE_get0_objects(X509_STORE *store) {\n return store->objs;\n}\n\nSTACK_OF(X509) *X509_STORE_CTX_get1_certs(X509_STORE_CTX *ctx, X509_NAME *nm) {\n int cnt;\n STACK_OF(X509) *sk = sk_X509_new_null();\n if (sk == NULL) {\n return NULL;\n }\n CRYPTO_MUTEX_lock_write(&ctx->ctx->objs_lock);\n int idx = x509_object_idx_cnt(ctx->ctx->objs, X509_LU_X509, nm, &cnt);\n if (idx < 0) {\n // Nothing found in cache: do lookup to possibly add new objects to\n // cache\n X509_OBJECT xobj;\n CRYPTO_MUTEX_unlock_write(&ctx->ctx->objs_lock);\n if (!X509_STORE_CTX_get_by_subject(ctx, X509_LU_X509, nm, &xobj)) {\n sk_X509_free(sk);\n return NULL;\n }\n X509_OBJECT_free_contents(&xobj);\n CRYPTO_MUTEX_lock_write(&ctx->ctx->objs_lock);\n idx = x509_object_idx_cnt(ctx->ctx->objs, X509_LU_X509, nm, &cnt);\n if (idx < 0) {\n CRYPTO_MUTEX_unlock_write(&ctx->ctx->objs_lock);\n sk_X509_free(sk);\n return NULL;\n }\n }\n for (int i = 0; i < cnt; i++, idx++) {\n X509_OBJECT *obj = sk_X509_OBJECT_value(ctx->ctx->objs, idx);\n X509 *x = obj->data.x509;\n if (!sk_X509_push(sk, x)) {\n CRYPTO_MUTEX_unlock_write(&ctx->ctx->objs_lock);\n sk_X509_pop_free(sk, X509_free);\n return NULL;\n }\n X509_up_ref(x);\n }\n CRYPTO_MUTEX_unlock_write(&ctx->ctx->objs_lock);\n return sk;\n}\n\nSTACK_OF(X509_CRL) *X509_STORE_CTX_get1_crls(X509_STORE_CTX *ctx,\n X509_NAME *nm) {\n int cnt;\n X509_OBJECT xobj;\n STACK_OF(X509_CRL) *sk = sk_X509_CRL_new_null();\n if (sk == NULL) {\n return NULL;\n }\n\n // Always do lookup to possibly add new CRLs to cache.\n if (!X509_STORE_CTX_get_by_subject(ctx, X509_LU_CRL, nm, &xobj)) {\n sk_X509_CRL_free(sk);\n return NULL;\n }\n X509_OBJECT_free_contents(&xobj);\n CRYPTO_MUTEX_lock_write(&ctx->ctx->objs_lock);\n int idx = x509_object_idx_cnt(ctx->ctx->objs, X509_LU_CRL, nm, &cnt);\n if (idx < 0) {\n CRYPTO_MUTEX_unlock_write(&ctx->ctx->objs_lock);\n sk_X509_CRL_free(sk);\n return NULL;\n }\n\n for (int i = 0; i < cnt; i++, idx++) {\n X509_OBJECT *obj = sk_X509_OBJECT_value(ctx->ctx->objs, idx);\n X509_CRL *x = obj->data.crl;\n X509_CRL_up_ref(x);\n if (!sk_X509_CRL_push(sk, x)) {\n CRYPTO_MUTEX_unlock_write(&ctx->ctx->objs_lock);\n X509_CRL_free(x);\n sk_X509_CRL_pop_free(sk, X509_CRL_free);\n return NULL;\n }\n }\n CRYPTO_MUTEX_unlock_write(&ctx->ctx->objs_lock);\n return sk;\n}\n\nstatic X509_OBJECT *X509_OBJECT_retrieve_match(STACK_OF(X509_OBJECT) *h,\n X509_OBJECT *x) {\n sk_X509_OBJECT_sort(h);\n size_t idx;\n if (!sk_X509_OBJECT_find(h, &idx, x)) {\n return NULL;\n }\n if ((x->type != X509_LU_X509) && (x->type != X509_LU_CRL)) {\n return sk_X509_OBJECT_value(h, idx);\n }\n for (size_t i = idx; i < sk_X509_OBJECT_num(h); i++) {\n X509_OBJECT *obj = sk_X509_OBJECT_value(h, i);\n if (x509_object_cmp(obj, x)) {\n return NULL;\n }\n if (x->type == X509_LU_X509) {\n if (!X509_cmp(obj->data.x509, x->data.x509)) {\n return obj;\n }\n } else if (x->type == X509_LU_CRL) {\n if (!X509_CRL_match(obj->data.crl, x->data.crl)) {\n return obj;\n }\n } else {\n return obj;\n }\n }\n return NULL;\n}\n\nint X509_STORE_CTX_get1_issuer(X509 **out_issuer, X509_STORE_CTX *ctx,\n X509 *x) {\n X509_NAME *xn;\n X509_OBJECT obj, *pobj;\n int idx, ret;\n size_t i;\n xn = X509_get_issuer_name(x);\n if (!X509_STORE_CTX_get_by_subject(ctx, X509_LU_X509, xn, &obj)) {\n return 0;\n }\n // If certificate matches all OK\n if (x509_check_issued_with_callback(ctx, x, obj.data.x509)) {\n *out_issuer = obj.data.x509;\n return 1;\n }\n X509_OBJECT_free_contents(&obj);\n\n // Else find index of first cert accepted by\n // |x509_check_issued_with_callback|.\n ret = 0;\n CRYPTO_MUTEX_lock_write(&ctx->ctx->objs_lock);\n idx = X509_OBJECT_idx_by_subject(ctx->ctx->objs, X509_LU_X509, xn);\n if (idx != -1) { // should be true as we've had at least one\n // match\n // Look through all matching certs for suitable issuer\n for (i = idx; i < sk_X509_OBJECT_num(ctx->ctx->objs); i++) {\n pobj = sk_X509_OBJECT_value(ctx->ctx->objs, i);\n // See if we've run past the matches\n if (pobj->type != X509_LU_X509) {\n break;\n }\n if (X509_NAME_cmp(xn, X509_get_subject_name(pobj->data.x509))) {\n break;\n }\n if (x509_check_issued_with_callback(ctx, x, pobj->data.x509)) {\n *out_issuer = pobj->data.x509;\n X509_OBJECT_up_ref_count(pobj);\n ret = 1;\n break;\n }\n }\n }\n CRYPTO_MUTEX_unlock_write(&ctx->ctx->objs_lock);\n return ret;\n}\n\nint X509_STORE_set_flags(X509_STORE *ctx, unsigned long flags) {\n return X509_VERIFY_PARAM_set_flags(ctx->param, flags);\n}\n\nint X509_STORE_set_depth(X509_STORE *ctx, int depth) {\n X509_VERIFY_PARAM_set_depth(ctx->param, depth);\n return 1;\n}\n\nint X509_STORE_set_purpose(X509_STORE *ctx, int purpose) {\n return X509_VERIFY_PARAM_set_purpose(ctx->param, purpose);\n}\n\nint X509_STORE_set_trust(X509_STORE *ctx, int trust) {\n return X509_VERIFY_PARAM_set_trust(ctx->param, trust);\n}\n\nint X509_STORE_set1_param(X509_STORE *ctx, const X509_VERIFY_PARAM *param) {\n return X509_VERIFY_PARAM_set1(ctx->param, param);\n}\n\nX509_VERIFY_PARAM *X509_STORE_get0_param(X509_STORE *ctx) { return ctx->param; }\n\nvoid X509_STORE_set_verify_cb(X509_STORE *ctx,\n X509_STORE_CTX_verify_cb verify_cb) {\n ctx->verify_cb = verify_cb;\n}\n\nX509_STORE *X509_STORE_CTX_get0_store(const X509_STORE_CTX *ctx) {\n return ctx->ctx;\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/x509/x509_obj.cc", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n#include \n#include \n#include \n#include \n\n#include \"../internal.h\"\n#include \"internal.h\"\n\n\n// Limit to ensure we don't overflow: much greater than\n// anything enountered in practice.\n\n#define NAME_ONELINE_MAX (1024 * 1024)\n\nchar *X509_NAME_oneline(const X509_NAME *a, char *buf, int len) {\n X509_NAME_ENTRY *ne;\n size_t i;\n int n, lold, l, l1, l2, num, j, type;\n const char *s;\n char *p;\n unsigned char *q;\n BUF_MEM *b = NULL;\n static const char hex[17] = \"0123456789ABCDEF\";\n int gs_doit[4];\n char tmp_buf[80];\n\n if (buf == NULL) {\n if ((b = BUF_MEM_new()) == NULL) {\n goto err;\n }\n if (!BUF_MEM_grow(b, 200)) {\n goto err;\n }\n b->data[0] = '\\0';\n len = 200;\n } else if (len <= 0) {\n return NULL;\n }\n if (a == NULL) {\n if (b) {\n buf = b->data;\n OPENSSL_free(b);\n }\n OPENSSL_strlcpy(buf, \"NO X509_NAME\", len);\n return buf;\n }\n\n len--; // space for '\\0'\n l = 0;\n for (i = 0; i < sk_X509_NAME_ENTRY_num(a->entries); i++) {\n ne = sk_X509_NAME_ENTRY_value(a->entries, i);\n n = OBJ_obj2nid(ne->object);\n if ((n == NID_undef) || ((s = OBJ_nid2sn(n)) == NULL)) {\n i2t_ASN1_OBJECT(tmp_buf, sizeof(tmp_buf), ne->object);\n s = tmp_buf;\n }\n l1 = strlen(s);\n\n type = ne->value->type;\n num = ne->value->length;\n if (num > NAME_ONELINE_MAX) {\n OPENSSL_PUT_ERROR(X509, X509_R_NAME_TOO_LONG);\n goto err;\n }\n q = ne->value->data;\n\n if ((type == V_ASN1_GENERALSTRING) && ((num % 4) == 0)) {\n gs_doit[0] = gs_doit[1] = gs_doit[2] = gs_doit[3] = 0;\n for (j = 0; j < num; j++) {\n if (q[j] != 0) {\n gs_doit[j & 3] = 1;\n }\n }\n\n if (gs_doit[0] | gs_doit[1] | gs_doit[2]) {\n gs_doit[0] = gs_doit[1] = gs_doit[2] = gs_doit[3] = 1;\n } else {\n gs_doit[0] = gs_doit[1] = gs_doit[2] = 0;\n gs_doit[3] = 1;\n }\n } else {\n gs_doit[0] = gs_doit[1] = gs_doit[2] = gs_doit[3] = 1;\n }\n\n for (l2 = j = 0; j < num; j++) {\n if (!gs_doit[j & 3]) {\n continue;\n }\n l2++;\n if ((q[j] < ' ') || (q[j] > '~')) {\n l2 += 3;\n }\n }\n\n lold = l;\n l += 1 + l1 + 1 + l2;\n if (l > NAME_ONELINE_MAX) {\n OPENSSL_PUT_ERROR(X509, X509_R_NAME_TOO_LONG);\n goto err;\n }\n if (b != NULL) {\n if (!BUF_MEM_grow(b, l + 1)) {\n goto err;\n }\n p = &(b->data[lold]);\n } else if (l > len) {\n break;\n } else {\n p = &(buf[lold]);\n }\n *(p++) = '/';\n OPENSSL_memcpy(p, s, (unsigned int)l1);\n p += l1;\n *(p++) = '=';\n\n q = ne->value->data;\n\n for (j = 0; j < num; j++) {\n if (!gs_doit[j & 3]) {\n continue;\n }\n n = q[j];\n if ((n < ' ') || (n > '~')) {\n *(p++) = '\\\\';\n *(p++) = 'x';\n *(p++) = hex[(n >> 4) & 0x0f];\n *(p++) = hex[n & 0x0f];\n } else {\n *(p++) = n;\n }\n }\n *p = '\\0';\n }\n if (b != NULL) {\n p = b->data;\n OPENSSL_free(b);\n } else {\n p = buf;\n }\n if (i == 0) {\n *p = '\\0';\n }\n return p;\nerr:\n BUF_MEM_free(b);\n return NULL;\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/x509/x509_req.cc", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n\n#include \"../asn1/internal.h\"\n#include \"internal.h\"\n\n\nlong X509_REQ_get_version(const X509_REQ *req) {\n return ASN1_INTEGER_get(req->req_info->version);\n}\n\nX509_NAME *X509_REQ_get_subject_name(const X509_REQ *req) {\n return req->req_info->subject;\n}\n\nEVP_PKEY *X509_REQ_get_pubkey(const X509_REQ *req) {\n if (req == NULL) {\n return NULL;\n }\n return X509_PUBKEY_get(req->req_info->pubkey);\n}\n\nEVP_PKEY *X509_REQ_get0_pubkey(const X509_REQ *req) {\n if (req == NULL) {\n return NULL;\n }\n return X509_PUBKEY_get0(req->req_info->pubkey);\n}\n\nint X509_REQ_check_private_key(const X509_REQ *x, const EVP_PKEY *k) {\n const EVP_PKEY *xk = X509_REQ_get0_pubkey(x);\n if (xk == NULL) {\n return 0;\n }\n\n int ret = EVP_PKEY_cmp(xk, k);\n if (ret > 0) {\n return 1;\n }\n\n switch (ret) {\n case 0:\n OPENSSL_PUT_ERROR(X509, X509_R_KEY_VALUES_MISMATCH);\n return 0;\n case -1:\n OPENSSL_PUT_ERROR(X509, X509_R_KEY_TYPE_MISMATCH);\n return 0;\n case -2:\n if (EVP_PKEY_id(k) == EVP_PKEY_EC) {\n OPENSSL_PUT_ERROR(X509, ERR_R_EC_LIB);\n } else {\n OPENSSL_PUT_ERROR(X509, X509_R_UNKNOWN_KEY_TYPE);\n }\n return 0;\n }\n\n return 0;\n}\n\nint X509_REQ_extension_nid(int req_nid) {\n return req_nid == NID_ext_req || req_nid == NID_ms_ext_req;\n}\n\nSTACK_OF(X509_EXTENSION) *X509_REQ_get_extensions(const X509_REQ *req) {\n if (req == NULL || req->req_info == NULL) {\n return NULL;\n }\n\n int idx = X509_REQ_get_attr_by_NID(req, NID_ext_req, -1);\n if (idx == -1) {\n idx = X509_REQ_get_attr_by_NID(req, NID_ms_ext_req, -1);\n }\n if (idx == -1) {\n return NULL;\n }\n\n const X509_ATTRIBUTE *attr = X509_REQ_get_attr(req, idx);\n // TODO(davidben): |X509_ATTRIBUTE_get0_type| is not const-correct. It should\n // take and return a const pointer.\n const ASN1_TYPE *ext = X509_ATTRIBUTE_get0_type((X509_ATTRIBUTE *)attr, 0);\n if (!ext || ext->type != V_ASN1_SEQUENCE) {\n return NULL;\n }\n const unsigned char *p = ext->value.sequence->data;\n return (STACK_OF(X509_EXTENSION) *)ASN1_item_d2i(\n NULL, &p, ext->value.sequence->length, ASN1_ITEM_rptr(X509_EXTENSIONS));\n}\n\n// Add a STACK_OF extensions to a certificate request: allow alternative OIDs\n// in case we want to create a non standard one.\n\nint X509_REQ_add_extensions_nid(X509_REQ *req,\n const STACK_OF(X509_EXTENSION) *exts, int nid) {\n // Generate encoding of extensions\n unsigned char *ext = NULL;\n int ext_len =\n ASN1_item_i2d((ASN1_VALUE *)exts, &ext, ASN1_ITEM_rptr(X509_EXTENSIONS));\n if (ext_len <= 0) {\n return 0;\n }\n int ret = X509_REQ_add1_attr_by_NID(req, nid, V_ASN1_SEQUENCE, ext, ext_len);\n OPENSSL_free(ext);\n return ret;\n}\n\n// This is the normal usage: use the \"official\" OID\nint X509_REQ_add_extensions(X509_REQ *req,\n const STACK_OF(X509_EXTENSION) *exts) {\n return X509_REQ_add_extensions_nid(req, exts, NID_ext_req);\n}\n\nint X509_REQ_get_attr_count(const X509_REQ *req) {\n return (int)sk_X509_ATTRIBUTE_num(req->req_info->attributes);\n}\n\nint X509_REQ_get_attr_by_NID(const X509_REQ *req, int nid, int lastpos) {\n const ASN1_OBJECT *obj = OBJ_nid2obj(nid);\n if (obj == NULL) {\n return -1;\n }\n return X509_REQ_get_attr_by_OBJ(req, obj, lastpos);\n}\n\nint X509_REQ_get_attr_by_OBJ(const X509_REQ *req, const ASN1_OBJECT *obj,\n int lastpos) {\n if (req->req_info->attributes == NULL) {\n return -1;\n }\n lastpos++;\n if (lastpos < 0) {\n lastpos = 0;\n }\n int n = (int)sk_X509_ATTRIBUTE_num(req->req_info->attributes);\n for (; lastpos < n; lastpos++) {\n const X509_ATTRIBUTE *attr =\n sk_X509_ATTRIBUTE_value(req->req_info->attributes, lastpos);\n if (OBJ_cmp(attr->object, obj) == 0) {\n return lastpos;\n }\n }\n return -1;\n}\n\nX509_ATTRIBUTE *X509_REQ_get_attr(const X509_REQ *req, int loc) {\n if (req->req_info->attributes == NULL || loc < 0 ||\n sk_X509_ATTRIBUTE_num(req->req_info->attributes) <= (size_t)loc) {\n return NULL;\n }\n return sk_X509_ATTRIBUTE_value(req->req_info->attributes, loc);\n}\n\nX509_ATTRIBUTE *X509_REQ_delete_attr(X509_REQ *req, int loc) {\n if (req->req_info->attributes == NULL || loc < 0 ||\n sk_X509_ATTRIBUTE_num(req->req_info->attributes) <= (size_t)loc) {\n return NULL;\n }\n return sk_X509_ATTRIBUTE_delete(req->req_info->attributes, loc);\n}\n\nstatic int X509_REQ_add0_attr(X509_REQ *req, X509_ATTRIBUTE *attr) {\n if (req->req_info->attributes == NULL) {\n req->req_info->attributes = sk_X509_ATTRIBUTE_new_null();\n }\n if (req->req_info->attributes == NULL ||\n !sk_X509_ATTRIBUTE_push(req->req_info->attributes, attr)) {\n return 0;\n }\n\n return 1;\n}\n\nint X509_REQ_add1_attr(X509_REQ *req, const X509_ATTRIBUTE *attr) {\n X509_ATTRIBUTE *new_attr = X509_ATTRIBUTE_dup(attr);\n if (new_attr == NULL || !X509_REQ_add0_attr(req, new_attr)) {\n X509_ATTRIBUTE_free(new_attr);\n return 0;\n }\n\n return 1;\n}\n\nint X509_REQ_add1_attr_by_OBJ(X509_REQ *req, const ASN1_OBJECT *obj,\n int attrtype, const unsigned char *data,\n int len) {\n X509_ATTRIBUTE *attr =\n X509_ATTRIBUTE_create_by_OBJ(NULL, obj, attrtype, data, len);\n if (attr == NULL || !X509_REQ_add0_attr(req, attr)) {\n X509_ATTRIBUTE_free(attr);\n return 0;\n }\n\n return 1;\n}\n\nint X509_REQ_add1_attr_by_NID(X509_REQ *req, int nid, int attrtype,\n const unsigned char *data, int len) {\n X509_ATTRIBUTE *attr =\n X509_ATTRIBUTE_create_by_NID(NULL, nid, attrtype, data, len);\n if (attr == NULL || !X509_REQ_add0_attr(req, attr)) {\n X509_ATTRIBUTE_free(attr);\n return 0;\n }\n\n return 1;\n}\n\nint X509_REQ_add1_attr_by_txt(X509_REQ *req, const char *attrname, int attrtype,\n const unsigned char *data, int len) {\n X509_ATTRIBUTE *attr =\n X509_ATTRIBUTE_create_by_txt(NULL, attrname, attrtype, data, len);\n if (attr == NULL || !X509_REQ_add0_attr(req, attr)) {\n X509_ATTRIBUTE_free(attr);\n return 0;\n }\n\n return 1;\n}\n\nvoid X509_REQ_get0_signature(const X509_REQ *req, const ASN1_BIT_STRING **psig,\n const X509_ALGOR **palg) {\n if (psig != NULL) {\n *psig = req->signature;\n }\n if (palg != NULL) {\n *palg = req->sig_alg;\n }\n}\n\nint X509_REQ_get_signature_nid(const X509_REQ *req) {\n return OBJ_obj2nid(req->sig_alg->algorithm);\n}\n\nint i2d_re_X509_REQ_tbs(X509_REQ *req, unsigned char **pp) {\n asn1_encoding_clear(&req->req_info->enc);\n return i2d_X509_REQ_INFO(req->req_info, pp);\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/x509/x509_set.cc", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n#include \n#include \n#include \n#include \n\n#include \"internal.h\"\n\n\nlong X509_get_version(const X509 *x509) {\n // The default version is v1(0).\n if (x509->cert_info->version == NULL) {\n return X509_VERSION_1;\n }\n return ASN1_INTEGER_get(x509->cert_info->version);\n}\n\nint X509_set_version(X509 *x, long version) {\n if (x == NULL) {\n return 0;\n }\n\n if (version < X509_VERSION_1 || version > X509_VERSION_3) {\n OPENSSL_PUT_ERROR(X509, X509_R_INVALID_VERSION);\n return 0;\n }\n\n // v1(0) is default and is represented by omitting the version.\n if (version == X509_VERSION_1) {\n ASN1_INTEGER_free(x->cert_info->version);\n x->cert_info->version = NULL;\n return 1;\n }\n\n if (x->cert_info->version == NULL) {\n x->cert_info->version = ASN1_INTEGER_new();\n if (x->cert_info->version == NULL) {\n return 0;\n }\n }\n return ASN1_INTEGER_set_int64(x->cert_info->version, version);\n}\n\nint X509_set_serialNumber(X509 *x, const ASN1_INTEGER *serial) {\n if (serial->type != V_ASN1_INTEGER && serial->type != V_ASN1_NEG_INTEGER) {\n OPENSSL_PUT_ERROR(ASN1, ASN1_R_WRONG_TYPE);\n return 0;\n }\n\n ASN1_INTEGER *in;\n if (x == NULL) {\n return 0;\n }\n in = x->cert_info->serialNumber;\n if (in != serial) {\n in = ASN1_INTEGER_dup(serial);\n if (in != NULL) {\n ASN1_INTEGER_free(x->cert_info->serialNumber);\n x->cert_info->serialNumber = in;\n }\n }\n return in != NULL;\n}\n\nint X509_set_issuer_name(X509 *x, X509_NAME *name) {\n if ((x == NULL) || (x->cert_info == NULL)) {\n return 0;\n }\n return (X509_NAME_set(&x->cert_info->issuer, name));\n}\n\nint X509_set_subject_name(X509 *x, X509_NAME *name) {\n if ((x == NULL) || (x->cert_info == NULL)) {\n return 0;\n }\n return (X509_NAME_set(&x->cert_info->subject, name));\n}\n\nint X509_set1_notBefore(X509 *x, const ASN1_TIME *tm) {\n ASN1_TIME *in;\n\n if ((x == NULL) || (x->cert_info->validity == NULL)) {\n return 0;\n }\n in = x->cert_info->validity->notBefore;\n if (in != tm) {\n in = ASN1_STRING_dup(tm);\n if (in != NULL) {\n ASN1_TIME_free(x->cert_info->validity->notBefore);\n x->cert_info->validity->notBefore = in;\n }\n }\n return in != NULL;\n}\n\nint X509_set_notBefore(X509 *x, const ASN1_TIME *tm) {\n return X509_set1_notBefore(x, tm);\n}\n\nconst ASN1_TIME *X509_get0_notBefore(const X509 *x) {\n return x->cert_info->validity->notBefore;\n}\n\nASN1_TIME *X509_getm_notBefore(X509 *x) {\n // Note this function takes a const |X509| pointer in OpenSSL. We require\n // non-const as this allows mutating |x|. If it comes up for compatibility,\n // we can relax this.\n return x->cert_info->validity->notBefore;\n}\n\nASN1_TIME *X509_get_notBefore(const X509 *x509) {\n // In OpenSSL, this function is an alias for |X509_getm_notBefore|, but our\n // |X509_getm_notBefore| is const-correct. |X509_get_notBefore| was\n // originally a macro, so it needs to capture both get0 and getm use cases.\n return x509->cert_info->validity->notBefore;\n}\n\nint X509_set1_notAfter(X509 *x, const ASN1_TIME *tm) {\n ASN1_TIME *in;\n\n if ((x == NULL) || (x->cert_info->validity == NULL)) {\n return 0;\n }\n in = x->cert_info->validity->notAfter;\n if (in != tm) {\n in = ASN1_STRING_dup(tm);\n if (in != NULL) {\n ASN1_TIME_free(x->cert_info->validity->notAfter);\n x->cert_info->validity->notAfter = in;\n }\n }\n return in != NULL;\n}\n\nint X509_set_notAfter(X509 *x, const ASN1_TIME *tm) {\n return X509_set1_notAfter(x, tm);\n}\n\nconst ASN1_TIME *X509_get0_notAfter(const X509 *x) {\n return x->cert_info->validity->notAfter;\n}\n\nASN1_TIME *X509_getm_notAfter(X509 *x) {\n // Note this function takes a const |X509| pointer in OpenSSL. We require\n // non-const as this allows mutating |x|. If it comes up for compatibility,\n // we can relax this.\n return x->cert_info->validity->notAfter;\n}\n\nASN1_TIME *X509_get_notAfter(const X509 *x509) {\n // In OpenSSL, this function is an alias for |X509_getm_notAfter|, but our\n // |X509_getm_notAfter| is const-correct. |X509_get_notAfter| was\n // originally a macro, so it needs to capture both get0 and getm use cases.\n return x509->cert_info->validity->notAfter;\n}\n\nvoid X509_get0_uids(const X509 *x509, const ASN1_BIT_STRING **out_issuer_uid,\n const ASN1_BIT_STRING **out_subject_uid) {\n if (out_issuer_uid != NULL) {\n *out_issuer_uid = x509->cert_info->issuerUID;\n }\n if (out_subject_uid != NULL) {\n *out_subject_uid = x509->cert_info->subjectUID;\n }\n}\n\nint X509_set_pubkey(X509 *x, EVP_PKEY *pkey) {\n if ((x == NULL) || (x->cert_info == NULL)) {\n return 0;\n }\n return (X509_PUBKEY_set(&(x->cert_info->key), pkey));\n}\n\nconst STACK_OF(X509_EXTENSION) *X509_get0_extensions(const X509 *x) {\n return x->cert_info->extensions;\n}\n\nconst X509_ALGOR *X509_get0_tbs_sigalg(const X509 *x) {\n return x->cert_info->signature;\n}\n\nX509_PUBKEY *X509_get_X509_PUBKEY(const X509 *x509) {\n return x509->cert_info->key;\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/x509/x509_trs.cc", "content": "/*\n * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n#include \n#include \n#include \n\n#include \"../internal.h\"\n#include \"internal.h\"\n\n\ntypedef struct x509_trust_st X509_TRUST;\n\nstruct x509_trust_st {\n int trust;\n int (*check_trust)(const X509_TRUST *, X509 *);\n int nid;\n} /* X509_TRUST */;\n\nstatic int trust_1oidany(const X509_TRUST *trust, X509 *x);\nstatic int trust_compat(const X509_TRUST *trust, X509 *x);\n\nstatic int obj_trust(int id, X509 *x);\n\nstatic const X509_TRUST trstandard[] = {\n {X509_TRUST_COMPAT, trust_compat, 0},\n {X509_TRUST_SSL_CLIENT, trust_1oidany, NID_client_auth},\n {X509_TRUST_SSL_SERVER, trust_1oidany, NID_server_auth},\n {X509_TRUST_EMAIL, trust_1oidany, NID_email_protect},\n {X509_TRUST_OBJECT_SIGN, trust_1oidany, NID_code_sign},\n {X509_TRUST_TSA, trust_1oidany, NID_time_stamp}};\n\nstatic const X509_TRUST *X509_TRUST_get0(int id) {\n for (size_t i = 0; i < OPENSSL_ARRAY_SIZE(trstandard); i++) {\n if (trstandard[i].trust == id) {\n return &trstandard[i];\n }\n }\n return NULL;\n}\n\nint X509_check_trust(X509 *x, int id, int flags) {\n if (id == -1) {\n return X509_TRUST_TRUSTED;\n }\n // We get this as a default value\n if (id == 0) {\n int rv = obj_trust(NID_anyExtendedKeyUsage, x);\n if (rv != X509_TRUST_UNTRUSTED) {\n return rv;\n }\n return trust_compat(NULL, x);\n }\n const X509_TRUST *pt = X509_TRUST_get0(id);\n if (pt == NULL) {\n // Unknown trust IDs are silently reintrepreted as NIDs. This is unreachable\n // from the certificate verifier itself, but wpa_supplicant relies on it.\n // Note this relies on commonly-used NIDs and trust IDs not colliding.\n return obj_trust(id, x);\n }\n return pt->check_trust(pt, x);\n}\n\nint X509_is_valid_trust_id(int trust) {\n return X509_TRUST_get0(trust) != NULL;\n}\n\nstatic int trust_1oidany(const X509_TRUST *trust, X509 *x) {\n if (x->aux && (x->aux->trust || x->aux->reject)) {\n return obj_trust(trust->nid, x);\n }\n // we don't have any trust settings: for compatibility we return trusted\n // if it is self signed\n return trust_compat(trust, x);\n}\n\nstatic int trust_compat(const X509_TRUST *trust, X509 *x) {\n if (!x509v3_cache_extensions(x)) {\n return X509_TRUST_UNTRUSTED;\n }\n if (x->ex_flags & EXFLAG_SS) {\n return X509_TRUST_TRUSTED;\n } else {\n return X509_TRUST_UNTRUSTED;\n }\n}\n\nstatic int obj_trust(int id, X509 *x) {\n X509_CERT_AUX *ax = x->aux;\n if (!ax) {\n return X509_TRUST_UNTRUSTED;\n }\n for (size_t i = 0; i < sk_ASN1_OBJECT_num(ax->reject); i++) {\n const ASN1_OBJECT *obj = sk_ASN1_OBJECT_value(ax->reject, i);\n if (OBJ_obj2nid(obj) == id) {\n return X509_TRUST_REJECTED;\n }\n }\n for (size_t i = 0; i < sk_ASN1_OBJECT_num(ax->trust); i++) {\n const ASN1_OBJECT *obj = sk_ASN1_OBJECT_value(ax->trust, i);\n if (OBJ_obj2nid(obj) == id) {\n return X509_TRUST_TRUSTED;\n }\n }\n return X509_TRUST_UNTRUSTED;\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/x509/x509_txt.cc", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\nconst char *X509_verify_cert_error_string(long err) {\n switch (err) {\n case X509_V_OK:\n return \"ok\";\n case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:\n return \"unable to get issuer certificate\";\n case X509_V_ERR_UNABLE_TO_GET_CRL:\n return \"unable to get certificate CRL\";\n case X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE:\n return \"unable to decrypt certificate's signature\";\n case X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE:\n return \"unable to decrypt CRL's signature\";\n case X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY:\n return \"unable to decode issuer public key\";\n case X509_V_ERR_CERT_SIGNATURE_FAILURE:\n return \"certificate signature failure\";\n case X509_V_ERR_CRL_SIGNATURE_FAILURE:\n return \"CRL signature failure\";\n case X509_V_ERR_CERT_NOT_YET_VALID:\n return \"certificate is not yet valid\";\n case X509_V_ERR_CRL_NOT_YET_VALID:\n return \"CRL is not yet valid\";\n case X509_V_ERR_CERT_HAS_EXPIRED:\n return \"certificate has expired\";\n case X509_V_ERR_CRL_HAS_EXPIRED:\n return \"CRL has expired\";\n case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:\n return \"format error in certificate's notBefore field\";\n case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:\n return \"format error in certificate's notAfter field\";\n case X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD:\n return \"format error in CRL's lastUpdate field\";\n case X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD:\n return \"format error in CRL's nextUpdate field\";\n case X509_V_ERR_OUT_OF_MEM:\n return \"out of memory\";\n case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:\n return \"self signed certificate\";\n case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN:\n return \"self signed certificate in certificate chain\";\n case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY:\n return \"unable to get local issuer certificate\";\n case X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE:\n return \"unable to verify the first certificate\";\n case X509_V_ERR_CERT_CHAIN_TOO_LONG:\n return \"certificate chain too long\";\n case X509_V_ERR_CERT_REVOKED:\n return \"certificate revoked\";\n case X509_V_ERR_INVALID_CA:\n return \"invalid CA certificate\";\n case X509_V_ERR_INVALID_NON_CA:\n return \"invalid non-CA certificate (has CA markings)\";\n case X509_V_ERR_PATH_LENGTH_EXCEEDED:\n return \"path length constraint exceeded\";\n case X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED:\n return \"proxy path length constraint exceeded\";\n case X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED:\n return \"proxy certificates not allowed, please set the appropriate flag\";\n case X509_V_ERR_INVALID_PURPOSE:\n return \"unsupported certificate purpose\";\n case X509_V_ERR_CERT_UNTRUSTED:\n return \"certificate not trusted\";\n case X509_V_ERR_CERT_REJECTED:\n return \"certificate rejected\";\n case X509_V_ERR_APPLICATION_VERIFICATION:\n return \"application verification failure\";\n case X509_V_ERR_SUBJECT_ISSUER_MISMATCH:\n return \"subject issuer mismatch\";\n case X509_V_ERR_AKID_SKID_MISMATCH:\n return \"authority and subject key identifier mismatch\";\n case X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH:\n return \"authority and issuer serial number mismatch\";\n case X509_V_ERR_KEYUSAGE_NO_CERTSIGN:\n return \"key usage does not include certificate signing\";\n case X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER:\n return \"unable to get CRL issuer certificate\";\n case X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION:\n return \"unhandled critical extension\";\n case X509_V_ERR_KEYUSAGE_NO_CRL_SIGN:\n return \"key usage does not include CRL signing\";\n case X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE:\n return \"key usage does not include digital signature\";\n case X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION:\n return \"unhandled critical CRL extension\";\n case X509_V_ERR_INVALID_EXTENSION:\n return \"invalid or inconsistent certificate extension\";\n case X509_V_ERR_INVALID_POLICY_EXTENSION:\n return \"invalid or inconsistent certificate policy extension\";\n case X509_V_ERR_NO_EXPLICIT_POLICY:\n return \"no explicit policy\";\n case X509_V_ERR_DIFFERENT_CRL_SCOPE:\n return \"Different CRL scope\";\n case X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE:\n return \"Unsupported extension feature\";\n case X509_V_ERR_UNNESTED_RESOURCE:\n return \"RFC 3779 resource not subset of parent's resources\";\n\n case X509_V_ERR_PERMITTED_VIOLATION:\n return \"permitted subtree violation\";\n case X509_V_ERR_EXCLUDED_VIOLATION:\n return \"excluded subtree violation\";\n case X509_V_ERR_SUBTREE_MINMAX:\n return \"name constraints minimum and maximum not supported\";\n case X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE:\n return \"unsupported name constraint type\";\n case X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX:\n return \"unsupported or invalid name constraint syntax\";\n case X509_V_ERR_UNSUPPORTED_NAME_SYNTAX:\n return \"unsupported or invalid name syntax\";\n case X509_V_ERR_CRL_PATH_VALIDATION_ERROR:\n return \"CRL path validation error\";\n\n case X509_V_ERR_HOSTNAME_MISMATCH:\n return \"Hostname mismatch\";\n case X509_V_ERR_EMAIL_MISMATCH:\n return \"Email address mismatch\";\n case X509_V_ERR_IP_ADDRESS_MISMATCH:\n return \"IP address mismatch\";\n\n case X509_V_ERR_INVALID_CALL:\n return \"Invalid certificate verification context\";\n case X509_V_ERR_STORE_LOOKUP:\n return \"Issuer certificate lookup error\";\n\n case X509_V_ERR_NAME_CONSTRAINTS_WITHOUT_SANS:\n return \"Issuer has name constraints but leaf has no SANs\";\n\n default:\n return \"unknown certificate verification error\";\n }\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/x509/x509_v3.cc", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n#include \n#include \n#include \n#include \n#include \n\n#include \"internal.h\"\n\n\nint X509v3_get_ext_count(const STACK_OF(X509_EXTENSION) *x) {\n if (x == NULL) {\n return 0;\n }\n return (int)sk_X509_EXTENSION_num(x);\n}\n\nint X509v3_get_ext_by_NID(const STACK_OF(X509_EXTENSION) *x, int nid,\n int lastpos) {\n const ASN1_OBJECT *obj = OBJ_nid2obj(nid);\n if (obj == NULL) {\n return -1;\n }\n return X509v3_get_ext_by_OBJ(x, obj, lastpos);\n}\n\nint X509v3_get_ext_by_OBJ(const STACK_OF(X509_EXTENSION) *sk,\n const ASN1_OBJECT *obj, int lastpos) {\n if (sk == NULL) {\n return -1;\n }\n lastpos++;\n if (lastpos < 0) {\n lastpos = 0;\n }\n int n = (int)sk_X509_EXTENSION_num(sk);\n for (; lastpos < n; lastpos++) {\n const X509_EXTENSION *ex = sk_X509_EXTENSION_value(sk, lastpos);\n if (OBJ_cmp(ex->object, obj) == 0) {\n return lastpos;\n }\n }\n return -1;\n}\n\nint X509v3_get_ext_by_critical(const STACK_OF(X509_EXTENSION) *sk, int crit,\n int lastpos) {\n if (sk == NULL) {\n return -1;\n }\n\n lastpos++;\n if (lastpos < 0) {\n lastpos = 0;\n }\n\n crit = !!crit;\n int n = (int)sk_X509_EXTENSION_num(sk);\n for (; lastpos < n; lastpos++) {\n const X509_EXTENSION *ex = sk_X509_EXTENSION_value(sk, lastpos);\n if (X509_EXTENSION_get_critical(ex) == crit) {\n return lastpos;\n }\n }\n return -1;\n}\n\nX509_EXTENSION *X509v3_get_ext(const STACK_OF(X509_EXTENSION) *x, int loc) {\n if (x == NULL || loc < 0 || sk_X509_EXTENSION_num(x) <= (size_t)loc) {\n return NULL;\n } else {\n return sk_X509_EXTENSION_value(x, loc);\n }\n}\n\nX509_EXTENSION *X509v3_delete_ext(STACK_OF(X509_EXTENSION) *x, int loc) {\n X509_EXTENSION *ret;\n\n if (x == NULL || loc < 0 || sk_X509_EXTENSION_num(x) <= (size_t)loc) {\n return NULL;\n }\n ret = sk_X509_EXTENSION_delete(x, loc);\n return ret;\n}\n\nSTACK_OF(X509_EXTENSION) *X509v3_add_ext(STACK_OF(X509_EXTENSION) **x,\n const X509_EXTENSION *ex, int loc) {\n X509_EXTENSION *new_ex = NULL;\n STACK_OF(X509_EXTENSION) *sk = NULL;\n int free_sk = 0, n;\n\n if (x == NULL) {\n OPENSSL_PUT_ERROR(X509, ERR_R_PASSED_NULL_PARAMETER);\n goto err;\n }\n\n if (*x == NULL) {\n if ((sk = sk_X509_EXTENSION_new_null()) == NULL) {\n goto err;\n }\n free_sk = 1;\n } else {\n sk = *x;\n }\n\n n = (int)sk_X509_EXTENSION_num(sk);\n if (loc > n) {\n loc = n;\n } else if (loc < 0) {\n loc = n;\n }\n\n if ((new_ex = X509_EXTENSION_dup(ex)) == NULL) {\n goto err;\n }\n if (!sk_X509_EXTENSION_insert(sk, new_ex, loc)) {\n goto err;\n }\n if (*x == NULL) {\n *x = sk;\n }\n return sk;\n\nerr:\n X509_EXTENSION_free(new_ex);\n if (free_sk) {\n sk_X509_EXTENSION_free(sk);\n }\n return NULL;\n}\n\nX509_EXTENSION *X509_EXTENSION_create_by_NID(X509_EXTENSION **ex, int nid,\n int crit,\n const ASN1_OCTET_STRING *data) {\n const ASN1_OBJECT *obj;\n X509_EXTENSION *ret;\n\n obj = OBJ_nid2obj(nid);\n if (obj == NULL) {\n OPENSSL_PUT_ERROR(X509, X509_R_UNKNOWN_NID);\n return NULL;\n }\n ret = X509_EXTENSION_create_by_OBJ(ex, obj, crit, data);\n return ret;\n}\n\nX509_EXTENSION *X509_EXTENSION_create_by_OBJ(X509_EXTENSION **ex,\n const ASN1_OBJECT *obj, int crit,\n const ASN1_OCTET_STRING *data) {\n X509_EXTENSION *ret;\n\n if ((ex == NULL) || (*ex == NULL)) {\n if ((ret = X509_EXTENSION_new()) == NULL) {\n return NULL;\n }\n } else {\n ret = *ex;\n }\n\n if (!X509_EXTENSION_set_object(ret, obj)) {\n goto err;\n }\n if (!X509_EXTENSION_set_critical(ret, crit)) {\n goto err;\n }\n if (!X509_EXTENSION_set_data(ret, data)) {\n goto err;\n }\n\n if ((ex != NULL) && (*ex == NULL)) {\n *ex = ret;\n }\n return ret;\nerr:\n if ((ex == NULL) || (ret != *ex)) {\n X509_EXTENSION_free(ret);\n }\n return NULL;\n}\n\nint X509_EXTENSION_set_object(X509_EXTENSION *ex, const ASN1_OBJECT *obj) {\n if ((ex == NULL) || (obj == NULL)) {\n return 0;\n }\n ASN1_OBJECT_free(ex->object);\n ex->object = OBJ_dup(obj);\n return ex->object != NULL;\n}\n\nint X509_EXTENSION_set_critical(X509_EXTENSION *ex, int crit) {\n if (ex == NULL) {\n return 0;\n }\n // The critical field is DEFAULT FALSE, so non-critical extensions should omit\n // the value.\n ex->critical = crit ? ASN1_BOOLEAN_TRUE : ASN1_BOOLEAN_NONE;\n return 1;\n}\n\nint X509_EXTENSION_set_data(X509_EXTENSION *ex, const ASN1_OCTET_STRING *data) {\n int i;\n\n if (ex == NULL) {\n return 0;\n }\n i = ASN1_OCTET_STRING_set(ex->value, data->data, data->length);\n if (!i) {\n return 0;\n }\n return 1;\n}\n\nASN1_OBJECT *X509_EXTENSION_get_object(const X509_EXTENSION *ex) {\n if (ex == NULL) {\n return NULL;\n }\n return ex->object;\n}\n\nASN1_OCTET_STRING *X509_EXTENSION_get_data(const X509_EXTENSION *ex) {\n if (ex == NULL) {\n return NULL;\n }\n return ex->value;\n}\n\nint X509_EXTENSION_get_critical(const X509_EXTENSION *ex) {\n if (ex == NULL) {\n return 0;\n }\n if (ex->critical > 0) {\n return 1;\n }\n return 0;\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/x509/x509_vfy.cc", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n#include \n#include \n#include \n\n#include \n#include \n#include \n#include \n#include \n#include \n#include \n\n#include \"../internal.h\"\n#include \"internal.h\"\n\nstatic CRYPTO_EX_DATA_CLASS g_ex_data_class =\n CRYPTO_EX_DATA_CLASS_INIT_WITH_APP_DATA;\n\n// CRL score values\n\n// No unhandled critical extensions\n#define CRL_SCORE_NOCRITICAL 0x100\n\n// certificate is within CRL scope\n#define CRL_SCORE_SCOPE 0x080\n\n// CRL times valid\n#define CRL_SCORE_TIME 0x040\n\n// Issuer name matches certificate\n#define CRL_SCORE_ISSUER_NAME 0x020\n\n// If this score or above CRL is probably valid\n#define CRL_SCORE_VALID \\\n (CRL_SCORE_NOCRITICAL | CRL_SCORE_TIME | CRL_SCORE_SCOPE)\n\n// CRL issuer is certificate issuer\n#define CRL_SCORE_ISSUER_CERT 0x018\n\n// CRL issuer is on certificate path\n#define CRL_SCORE_SAME_PATH 0x008\n\n// CRL issuer matches CRL AKID\n#define CRL_SCORE_AKID 0x004\n\nstatic int null_callback(int ok, X509_STORE_CTX *e);\nstatic X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x);\nstatic int check_chain_extensions(X509_STORE_CTX *ctx);\nstatic int check_name_constraints(X509_STORE_CTX *ctx);\nstatic int check_id(X509_STORE_CTX *ctx);\nstatic int check_trust(X509_STORE_CTX *ctx);\nstatic int check_revocation(X509_STORE_CTX *ctx);\nstatic int check_cert(X509_STORE_CTX *ctx);\nstatic int check_policy(X509_STORE_CTX *ctx);\n\nstatic X509 *get_trusted_issuer(X509_STORE_CTX *ctx, X509 *x);\nstatic int get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer, X509_CRL *crl,\n X509 *x);\nstatic int get_crl(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509 *x);\nstatic int crl_akid_check(X509_STORE_CTX *ctx, X509_CRL *crl, X509 **pissuer,\n int *pcrl_score);\nstatic int crl_crldp_check(X509 *x, X509_CRL *crl, int crl_score);\nstatic int check_crl(X509_STORE_CTX *ctx, X509_CRL *crl);\nstatic int cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x);\n\nstatic int internal_verify(X509_STORE_CTX *ctx);\n\nstatic int null_callback(int ok, X509_STORE_CTX *e) { return ok; }\n\n// cert_self_signed checks if |x| is self-signed. If |x| is valid, it returns\n// one and sets |*out_is_self_signed| to the result. If |x| is invalid, it\n// returns zero.\nstatic int cert_self_signed(X509 *x, int *out_is_self_signed) {\n if (!x509v3_cache_extensions(x)) {\n return 0;\n }\n *out_is_self_signed = (x->ex_flags & EXFLAG_SS) != 0;\n return 1;\n}\n\nstatic int call_verify_cb(int ok, X509_STORE_CTX *ctx) {\n ok = ctx->verify_cb(ok, ctx);\n // Historically, callbacks returning values like -1 would be treated as a mix\n // of success or failure. Insert that callers check correctly.\n //\n // TODO(davidben): Also use this wrapper to constrain which errors may be\n // suppressed, and ensure all |verify_cb| calls remember to fill in an error.\n BSSL_CHECK(ok == 0 || ok == 1);\n return ok;\n}\n\n// Given a certificate try and find an exact match in the store\nstatic X509 *lookup_cert_match(X509_STORE_CTX *ctx, X509 *x) {\n STACK_OF(X509) *certs;\n X509 *xtmp = NULL;\n size_t i;\n // Lookup all certs with matching subject name\n certs = X509_STORE_CTX_get1_certs(ctx, X509_get_subject_name(x));\n if (certs == NULL) {\n return NULL;\n }\n // Look for exact match\n for (i = 0; i < sk_X509_num(certs); i++) {\n xtmp = sk_X509_value(certs, i);\n if (!X509_cmp(xtmp, x)) {\n break;\n }\n }\n if (i < sk_X509_num(certs)) {\n X509_up_ref(xtmp);\n } else {\n xtmp = NULL;\n }\n sk_X509_pop_free(certs, X509_free);\n return xtmp;\n}\n\nint X509_verify_cert(X509_STORE_CTX *ctx) {\n X509 *chain_ss = NULL;\n int bad_chain = 0;\n X509_VERIFY_PARAM *param = ctx->param;\n int i, ok = 0;\n int j, retry, trust;\n STACK_OF(X509) *sktmp = NULL;\n\n {\n if (ctx->cert == NULL) {\n OPENSSL_PUT_ERROR(X509, X509_R_NO_CERT_SET_FOR_US_TO_VERIFY);\n ctx->error = X509_V_ERR_INVALID_CALL;\n return 0;\n }\n\n if (ctx->chain != NULL) {\n // This X509_STORE_CTX has already been used to verify a cert. We\n // cannot do another one.\n OPENSSL_PUT_ERROR(X509, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);\n ctx->error = X509_V_ERR_INVALID_CALL;\n return 0;\n }\n\n if (ctx->param->flags &\n (X509_V_FLAG_EXTENDED_CRL_SUPPORT | X509_V_FLAG_USE_DELTAS)) {\n // We do not support indirect or delta CRLs. The flags still exist for\n // compatibility with bindings libraries, but to ensure we do not\n // inadvertently skip a CRL check that the caller expects, fail closed.\n OPENSSL_PUT_ERROR(X509, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);\n ctx->error = X509_V_ERR_INVALID_CALL;\n return 0;\n }\n\n // first we make sure the chain we are going to build is present and that\n // the first entry is in place\n ctx->chain = sk_X509_new_null();\n if (ctx->chain == NULL || !sk_X509_push(ctx->chain, ctx->cert)) {\n ctx->error = X509_V_ERR_OUT_OF_MEM;\n goto end;\n }\n X509_up_ref(ctx->cert);\n ctx->last_untrusted = 1;\n\n // We use a temporary STACK so we can chop and hack at it.\n if (ctx->untrusted != NULL &&\n (sktmp = sk_X509_dup(ctx->untrusted)) == NULL) {\n ctx->error = X509_V_ERR_OUT_OF_MEM;\n goto end;\n }\n\n int num = (int)sk_X509_num(ctx->chain);\n X509 *x = sk_X509_value(ctx->chain, num - 1);\n // |param->depth| does not include the leaf certificate or the trust anchor,\n // so the maximum size is 2 more.\n int max_chain = param->depth >= INT_MAX - 2 ? INT_MAX : param->depth + 2;\n\n for (;;) {\n if (num >= max_chain) {\n // FIXME: If this happens, we should take note of it and, if\n // appropriate, use the X509_V_ERR_CERT_CHAIN_TOO_LONG error code later.\n break;\n }\n\n int is_self_signed;\n if (!cert_self_signed(x, &is_self_signed)) {\n ctx->error = X509_V_ERR_INVALID_EXTENSION;\n goto end;\n }\n\n // If we are self signed, we break\n if (is_self_signed) {\n break;\n }\n // If asked see if we can find issuer in trusted store first\n if (ctx->param->flags & X509_V_FLAG_TRUSTED_FIRST) {\n X509 *issuer = get_trusted_issuer(ctx, x);\n if (issuer != NULL) {\n // Free the certificate. It will be picked up again later.\n X509_free(issuer);\n break;\n }\n }\n\n // If we were passed a cert chain, use it first\n if (sktmp != NULL) {\n X509 *issuer = find_issuer(ctx, sktmp, x);\n if (issuer != NULL) {\n if (!sk_X509_push(ctx->chain, issuer)) {\n ctx->error = X509_V_ERR_OUT_OF_MEM;\n goto end;\n }\n X509_up_ref(issuer);\n (void)sk_X509_delete_ptr(sktmp, issuer);\n ctx->last_untrusted++;\n x = issuer;\n num++;\n // reparse the full chain for the next one\n continue;\n }\n }\n break;\n }\n\n // Remember how many untrusted certs we have\n j = num;\n // at this point, chain should contain a list of untrusted certificates.\n // We now need to add at least one trusted one, if possible, otherwise we\n // complain.\n\n do {\n // Examine last certificate in chain and see if it is self signed.\n i = (int)sk_X509_num(ctx->chain);\n x = sk_X509_value(ctx->chain, i - 1);\n\n int is_self_signed;\n if (!cert_self_signed(x, &is_self_signed)) {\n ctx->error = X509_V_ERR_INVALID_EXTENSION;\n goto end;\n }\n\n if (is_self_signed) {\n // we have a self signed certificate\n if (sk_X509_num(ctx->chain) == 1) {\n // We have a single self signed certificate: see if we can\n // find it in the store. We must have an exact match to avoid\n // possible impersonation.\n X509 *issuer = get_trusted_issuer(ctx, x);\n if (issuer == NULL || X509_cmp(x, issuer) != 0) {\n X509_free(issuer);\n ctx->error = X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT;\n ctx->current_cert = x;\n ctx->error_depth = i - 1;\n bad_chain = 1;\n if (!call_verify_cb(0, ctx)) {\n goto end;\n }\n } else {\n // We have a match: replace certificate with store\n // version so we get any trust settings.\n X509_free(x);\n x = issuer;\n (void)sk_X509_set(ctx->chain, i - 1, x);\n ctx->last_untrusted = 0;\n }\n } else {\n // extract and save self signed certificate for later use\n chain_ss = sk_X509_pop(ctx->chain);\n ctx->last_untrusted--;\n num--;\n j--;\n x = sk_X509_value(ctx->chain, num - 1);\n }\n }\n // We now lookup certs from the certificate store\n for (;;) {\n if (num >= max_chain) {\n // FIXME: If this happens, we should take note of it and, if\n // appropriate, use the X509_V_ERR_CERT_CHAIN_TOO_LONG error code\n // later.\n break;\n }\n if (!cert_self_signed(x, &is_self_signed)) {\n ctx->error = X509_V_ERR_INVALID_EXTENSION;\n goto end;\n }\n // If we are self signed, we break\n if (is_self_signed) {\n break;\n }\n X509 *issuer = get_trusted_issuer(ctx, x);\n if (issuer == NULL) {\n break;\n }\n x = issuer;\n if (!sk_X509_push(ctx->chain, x)) {\n X509_free(issuer);\n ctx->error = X509_V_ERR_OUT_OF_MEM;\n goto end;\n }\n num++;\n }\n\n // we now have our chain, lets check it...\n trust = check_trust(ctx);\n\n // If explicitly rejected error\n if (trust == X509_TRUST_REJECTED) {\n goto end;\n }\n // If it's not explicitly trusted then check if there is an alternative\n // chain that could be used. We only do this if we haven't already\n // checked via TRUSTED_FIRST and the user hasn't switched off alternate\n // chain checking\n retry = 0;\n if (trust != X509_TRUST_TRUSTED &&\n !(ctx->param->flags & X509_V_FLAG_TRUSTED_FIRST) &&\n !(ctx->param->flags & X509_V_FLAG_NO_ALT_CHAINS)) {\n while (j-- > 1) {\n X509 *issuer =\n get_trusted_issuer(ctx, sk_X509_value(ctx->chain, j - 1));\n // Check if we found an alternate chain\n if (issuer != NULL) {\n // Free up the found cert we'll add it again later\n X509_free(issuer);\n\n // Dump all the certs above this point - we've found an\n // alternate chain\n while (num > j) {\n X509_free(sk_X509_pop(ctx->chain));\n num--;\n }\n ctx->last_untrusted = (int)sk_X509_num(ctx->chain);\n retry = 1;\n break;\n }\n }\n }\n } while (retry);\n\n // If not explicitly trusted then indicate error unless it's a single\n // self signed certificate in which case we've indicated an error already\n // and set bad_chain == 1\n if (trust != X509_TRUST_TRUSTED && !bad_chain) {\n if (chain_ss == NULL ||\n !x509_check_issued_with_callback(ctx, x, chain_ss)) {\n if (ctx->last_untrusted >= num) {\n ctx->error = X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY;\n } else {\n ctx->error = X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT;\n }\n ctx->current_cert = x;\n } else {\n if (!sk_X509_push(ctx->chain, chain_ss)) {\n ctx->error = X509_V_ERR_OUT_OF_MEM;\n goto end;\n }\n num++;\n ctx->last_untrusted = num;\n ctx->current_cert = chain_ss;\n ctx->error = X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN;\n chain_ss = NULL;\n }\n\n ctx->error_depth = num - 1;\n bad_chain = 1;\n if (!call_verify_cb(0, ctx)) {\n goto end;\n }\n }\n\n // We have the chain complete: now we need to check its purpose\n if (!check_chain_extensions(ctx) || //\n !check_id(ctx) ||\n // We check revocation status after copying parameters because they may\n // be needed for CRL signature verification.\n !check_revocation(ctx) || //\n !internal_verify(ctx) || //\n !check_name_constraints(ctx) ||\n // TODO(davidben): Does |check_policy| still need to be conditioned on\n // |!bad_chain|? DoS concerns have been resolved.\n (!bad_chain && !check_policy(ctx))) {\n goto end;\n }\n\n ok = 1;\n }\n\nend:\n sk_X509_free(sktmp);\n X509_free(chain_ss);\n\n // Safety net, error returns must set ctx->error\n if (!ok && ctx->error == X509_V_OK) {\n ctx->error = X509_V_ERR_UNSPECIFIED;\n }\n return ok;\n}\n\n// Given a STACK_OF(X509) find the issuer of cert (if any)\n\nstatic X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x) {\n size_t i;\n X509 *issuer;\n for (i = 0; i < sk_X509_num(sk); i++) {\n issuer = sk_X509_value(sk, i);\n if (x509_check_issued_with_callback(ctx, x, issuer)) {\n return issuer;\n }\n }\n return NULL;\n}\n\n// Given a possible certificate and issuer check them\n\nint x509_check_issued_with_callback(X509_STORE_CTX *ctx, X509 *x,\n X509 *issuer) {\n int ret;\n ret = X509_check_issued(issuer, x);\n if (ret == X509_V_OK) {\n return 1;\n }\n // If we haven't asked for issuer errors don't set ctx\n if (!(ctx->param->flags & X509_V_FLAG_CB_ISSUER_CHECK)) {\n return 0;\n }\n\n ctx->error = ret;\n ctx->current_cert = x;\n return call_verify_cb(0, ctx);\n}\n\nstatic X509 *get_trusted_issuer(X509_STORE_CTX *ctx, X509 *x) {\n X509 *issuer;\n if (ctx->trusted_stack != NULL) {\n // Ignore the store and use the configured stack instead.\n issuer = find_issuer(ctx, ctx->trusted_stack, x);\n if (issuer != NULL) {\n X509_up_ref(issuer);\n }\n return issuer;\n }\n\n if (!X509_STORE_CTX_get1_issuer(&issuer, ctx, x)) {\n return NULL;\n }\n return issuer;\n}\n\n// Check a certificate chains extensions for consistency with the supplied\n// purpose\n\nstatic int check_chain_extensions(X509_STORE_CTX *ctx) {\n int plen = 0;\n int purpose = ctx->param->purpose;\n\n // Check all untrusted certificates\n for (int i = 0; i < ctx->last_untrusted; i++) {\n X509 *x = sk_X509_value(ctx->chain, i);\n if (!(ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL) &&\n (x->ex_flags & EXFLAG_CRITICAL)) {\n ctx->error = X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION;\n ctx->error_depth = i;\n ctx->current_cert = x;\n if (!call_verify_cb(0, ctx)) {\n return 0;\n }\n }\n\n int must_be_ca = i > 0;\n if (must_be_ca && !X509_check_ca(x)) {\n ctx->error = X509_V_ERR_INVALID_CA;\n ctx->error_depth = i;\n ctx->current_cert = x;\n if (!call_verify_cb(0, ctx)) {\n return 0;\n }\n }\n if (ctx->param->purpose > 0 &&\n X509_check_purpose(x, purpose, must_be_ca) != 1) {\n ctx->error = X509_V_ERR_INVALID_PURPOSE;\n ctx->error_depth = i;\n ctx->current_cert = x;\n if (!call_verify_cb(0, ctx)) {\n return 0;\n }\n }\n // Check pathlen if not self issued\n if (i > 1 && !(x->ex_flags & EXFLAG_SI) && x->ex_pathlen != -1 &&\n plen > x->ex_pathlen + 1) {\n ctx->error = X509_V_ERR_PATH_LENGTH_EXCEEDED;\n ctx->error_depth = i;\n ctx->current_cert = x;\n if (!call_verify_cb(0, ctx)) {\n return 0;\n }\n }\n // Increment path length if not self issued\n if (!(x->ex_flags & EXFLAG_SI)) {\n plen++;\n }\n }\n\n return 1;\n}\n\nstatic int reject_dns_name_in_common_name(X509 *x509) {\n const X509_NAME *name = X509_get_subject_name(x509);\n int i = -1;\n for (;;) {\n i = X509_NAME_get_index_by_NID(name, NID_commonName, i);\n if (i == -1) {\n return X509_V_OK;\n }\n\n const X509_NAME_ENTRY *entry = X509_NAME_get_entry(name, i);\n const ASN1_STRING *common_name = X509_NAME_ENTRY_get_data(entry);\n unsigned char *idval;\n int idlen = ASN1_STRING_to_UTF8(&idval, common_name);\n if (idlen < 0) {\n return X509_V_ERR_OUT_OF_MEM;\n }\n // Only process attributes that look like host names. Note it is\n // important that this check be mirrored in |X509_check_host|.\n int looks_like_dns = x509v3_looks_like_dns_name(idval, (size_t)idlen);\n OPENSSL_free(idval);\n if (looks_like_dns) {\n return X509_V_ERR_NAME_CONSTRAINTS_WITHOUT_SANS;\n }\n }\n}\n\nstatic int check_name_constraints(X509_STORE_CTX *ctx) {\n int i, j, rv;\n int has_name_constraints = 0;\n // Check name constraints for all certificates\n for (i = (int)sk_X509_num(ctx->chain) - 1; i >= 0; i--) {\n X509 *x = sk_X509_value(ctx->chain, i);\n // Ignore self issued certs unless last in chain\n if (i && (x->ex_flags & EXFLAG_SI)) {\n continue;\n }\n // Check against constraints for all certificates higher in chain\n // including trust anchor. Trust anchor not strictly speaking needed\n // but if it includes constraints it is to be assumed it expects them\n // to be obeyed.\n for (j = (int)sk_X509_num(ctx->chain) - 1; j > i; j--) {\n NAME_CONSTRAINTS *nc = sk_X509_value(ctx->chain, j)->nc;\n if (nc) {\n has_name_constraints = 1;\n rv = NAME_CONSTRAINTS_check(x, nc);\n switch (rv) {\n case X509_V_OK:\n continue;\n case X509_V_ERR_OUT_OF_MEM:\n ctx->error = rv;\n return 0;\n default:\n ctx->error = rv;\n ctx->error_depth = i;\n ctx->current_cert = x;\n if (!call_verify_cb(0, ctx)) {\n return 0;\n }\n break;\n }\n }\n }\n }\n\n // Name constraints do not match against the common name, but\n // |X509_check_host| still implements the legacy behavior where, on\n // certificates lacking a SAN list, DNS-like names in the common name are\n // checked instead.\n //\n // While we could apply the name constraints to the common name, name\n // constraints are rare enough that can hold such certificates to a higher\n // standard. Note this does not make \"DNS-like\" heuristic failures any\n // worse. A decorative common-name misidentified as a DNS name would fail\n // the name constraint anyway.\n X509 *leaf = sk_X509_value(ctx->chain, 0);\n if (has_name_constraints && leaf->altname == NULL) {\n rv = reject_dns_name_in_common_name(leaf);\n switch (rv) {\n case X509_V_OK:\n break;\n case X509_V_ERR_OUT_OF_MEM:\n ctx->error = rv;\n return 0;\n default:\n ctx->error = rv;\n ctx->error_depth = i;\n ctx->current_cert = leaf;\n if (!call_verify_cb(0, ctx)) {\n return 0;\n }\n break;\n }\n }\n\n return 1;\n}\n\nstatic int check_id_error(X509_STORE_CTX *ctx, int errcode) {\n ctx->error = errcode;\n ctx->current_cert = ctx->cert;\n ctx->error_depth = 0;\n return call_verify_cb(0, ctx);\n}\n\nstatic int check_hosts(X509 *x, X509_VERIFY_PARAM *param) {\n size_t i;\n size_t n = sk_OPENSSL_STRING_num(param->hosts);\n char *name;\n\n for (i = 0; i < n; ++i) {\n name = sk_OPENSSL_STRING_value(param->hosts, i);\n if (X509_check_host(x, name, strlen(name), param->hostflags, NULL) > 0) {\n return 1;\n }\n }\n return n == 0;\n}\n\nstatic int check_id(X509_STORE_CTX *ctx) {\n X509_VERIFY_PARAM *vpm = ctx->param;\n X509 *x = ctx->cert;\n if (vpm->poison) {\n if (!check_id_error(ctx, X509_V_ERR_INVALID_CALL)) {\n return 0;\n }\n }\n if (vpm->hosts && check_hosts(x, vpm) <= 0) {\n if (!check_id_error(ctx, X509_V_ERR_HOSTNAME_MISMATCH)) {\n return 0;\n }\n }\n if (vpm->email && X509_check_email(x, vpm->email, vpm->emaillen, 0) <= 0) {\n if (!check_id_error(ctx, X509_V_ERR_EMAIL_MISMATCH)) {\n return 0;\n }\n }\n if (vpm->ip && X509_check_ip(x, vpm->ip, vpm->iplen, 0) <= 0) {\n if (!check_id_error(ctx, X509_V_ERR_IP_ADDRESS_MISMATCH)) {\n return 0;\n }\n }\n return 1;\n}\n\nstatic int check_trust(X509_STORE_CTX *ctx) {\n X509 *x = NULL;\n // Check all trusted certificates in chain\n for (size_t i = ctx->last_untrusted; i < sk_X509_num(ctx->chain); i++) {\n x = sk_X509_value(ctx->chain, i);\n int trust = X509_check_trust(x, ctx->param->trust, 0);\n // If explicitly trusted return trusted\n if (trust == X509_TRUST_TRUSTED) {\n return X509_TRUST_TRUSTED;\n }\n // If explicitly rejected notify callback and reject if not\n // overridden.\n if (trust == X509_TRUST_REJECTED) {\n ctx->error_depth = (int)i;\n ctx->current_cert = x;\n ctx->error = X509_V_ERR_CERT_REJECTED;\n if (!call_verify_cb(0, ctx)) {\n return X509_TRUST_REJECTED;\n }\n }\n }\n // If we accept partial chains and have at least one trusted certificate\n // return success.\n if (ctx->param->flags & X509_V_FLAG_PARTIAL_CHAIN) {\n X509 *mx;\n if (ctx->last_untrusted < (int)sk_X509_num(ctx->chain)) {\n return X509_TRUST_TRUSTED;\n }\n x = sk_X509_value(ctx->chain, 0);\n mx = lookup_cert_match(ctx, x);\n if (mx) {\n (void)sk_X509_set(ctx->chain, 0, mx);\n X509_free(x);\n ctx->last_untrusted = 0;\n return X509_TRUST_TRUSTED;\n }\n }\n\n // If no trusted certs in chain at all return untrusted and allow\n // standard (no issuer cert) etc errors to be indicated.\n return X509_TRUST_UNTRUSTED;\n}\n\nstatic int check_revocation(X509_STORE_CTX *ctx) {\n if (!(ctx->param->flags & X509_V_FLAG_CRL_CHECK)) {\n return 1;\n }\n int last;\n if (ctx->param->flags & X509_V_FLAG_CRL_CHECK_ALL) {\n last = (int)sk_X509_num(ctx->chain) - 1;\n } else {\n last = 0;\n }\n for (int i = 0; i <= last; i++) {\n ctx->error_depth = i;\n if (!check_cert(ctx)) {\n return 0;\n }\n }\n return 1;\n}\n\nstatic int check_cert(X509_STORE_CTX *ctx) {\n X509_CRL *crl = NULL;\n int ok = 0, cnum = ctx->error_depth;\n X509 *x = sk_X509_value(ctx->chain, cnum);\n ctx->current_cert = x;\n ctx->current_crl_issuer = NULL;\n ctx->current_crl_score = 0;\n\n // Try to retrieve the relevant CRL. Note that |get_crl| sets\n // |current_crl_issuer| and |current_crl_score|, which |check_crl| then reads.\n //\n // TODO(davidben): The awkward internal calling convention is a historical\n // artifact of when these functions were user-overridable callbacks, even\n // though there was no way to set them correctly. These callbacks have since\n // been removed, so we can pass input and output parameters more directly.\n if (!get_crl(ctx, &crl, x)) {\n ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL;\n ok = call_verify_cb(0, ctx);\n goto err;\n }\n\n ctx->current_crl = crl;\n if (!check_crl(ctx, crl) || //\n !cert_crl(ctx, crl, x)) {\n goto err;\n }\n\n ok = 1;\n\nerr:\n X509_CRL_free(crl);\n ctx->current_crl = NULL;\n return ok;\n}\n\n// Check CRL times against values in X509_STORE_CTX\nstatic int check_crl_time(X509_STORE_CTX *ctx, X509_CRL *crl, int notify) {\n if (ctx->param->flags & X509_V_FLAG_NO_CHECK_TIME) {\n return 1;\n }\n\n if (notify) {\n ctx->current_crl = crl;\n }\n int64_t ptime;\n if (ctx->param->flags & X509_V_FLAG_USE_CHECK_TIME) {\n ptime = ctx->param->check_time;\n } else {\n ptime = time(NULL);\n }\n\n int i = X509_cmp_time_posix(X509_CRL_get0_lastUpdate(crl), ptime);\n if (i == 0) {\n if (!notify) {\n return 0;\n }\n ctx->error = X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD;\n if (!call_verify_cb(0, ctx)) {\n return 0;\n }\n }\n\n if (i > 0) {\n if (!notify) {\n return 0;\n }\n ctx->error = X509_V_ERR_CRL_NOT_YET_VALID;\n if (!call_verify_cb(0, ctx)) {\n return 0;\n }\n }\n\n if (X509_CRL_get0_nextUpdate(crl)) {\n i = X509_cmp_time_posix(X509_CRL_get0_nextUpdate(crl), ptime);\n\n if (i == 0) {\n if (!notify) {\n return 0;\n }\n ctx->error = X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD;\n if (!call_verify_cb(0, ctx)) {\n return 0;\n }\n }\n if (i < 0) {\n if (!notify) {\n return 0;\n }\n ctx->error = X509_V_ERR_CRL_HAS_EXPIRED;\n if (!call_verify_cb(0, ctx)) {\n return 0;\n }\n }\n }\n\n if (notify) {\n ctx->current_crl = NULL;\n }\n\n return 1;\n}\n\nstatic int get_crl_sk(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509 **pissuer,\n int *pscore, STACK_OF(X509_CRL) *crls) {\n int crl_score, best_score = *pscore;\n X509 *x = ctx->current_cert;\n X509_CRL *best_crl = NULL;\n X509 *crl_issuer = NULL, *best_crl_issuer = NULL;\n\n for (size_t i = 0; i < sk_X509_CRL_num(crls); i++) {\n X509_CRL *crl = sk_X509_CRL_value(crls, i);\n crl_score = get_crl_score(ctx, &crl_issuer, crl, x);\n if (crl_score < best_score || crl_score == 0) {\n continue;\n }\n // If current CRL is equivalent use it if it is newer\n if (crl_score == best_score && best_crl != NULL) {\n int day, sec;\n if (ASN1_TIME_diff(&day, &sec, X509_CRL_get0_lastUpdate(best_crl),\n X509_CRL_get0_lastUpdate(crl)) == 0) {\n continue;\n }\n // ASN1_TIME_diff never returns inconsistent signs for |day|\n // and |sec|.\n if (day <= 0 && sec <= 0) {\n continue;\n }\n }\n best_crl = crl;\n best_crl_issuer = crl_issuer;\n best_score = crl_score;\n }\n\n if (best_crl) {\n if (*pcrl) {\n X509_CRL_free(*pcrl);\n }\n *pcrl = best_crl;\n *pissuer = best_crl_issuer;\n *pscore = best_score;\n X509_CRL_up_ref(best_crl);\n }\n\n if (best_score >= CRL_SCORE_VALID) {\n return 1;\n }\n\n return 0;\n}\n\n// For a given CRL return how suitable it is for the supplied certificate\n// 'x'. The return value is a mask of several criteria. If the issuer is not\n// the certificate issuer this is returned in *pissuer.\nstatic int get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer, X509_CRL *crl,\n X509 *x) {\n int crl_score = 0;\n\n // First see if we can reject CRL straight away\n\n // Invalid IDP cannot be processed\n if (crl->idp_flags & IDP_INVALID) {\n return 0;\n }\n // Reason codes and indirect CRLs are not supported.\n if (crl->idp_flags & (IDP_INDIRECT | IDP_REASONS)) {\n return 0;\n }\n // We do not support indirect CRLs, so the issuer names must match.\n if (X509_NAME_cmp(X509_get_issuer_name(x), X509_CRL_get_issuer(crl))) {\n return 0;\n }\n crl_score |= CRL_SCORE_ISSUER_NAME;\n\n if (!(crl->flags & EXFLAG_CRITICAL)) {\n crl_score |= CRL_SCORE_NOCRITICAL;\n }\n\n // Check expiry\n if (check_crl_time(ctx, crl, 0)) {\n crl_score |= CRL_SCORE_TIME;\n }\n\n // Check authority key ID and locate certificate issuer\n if (!crl_akid_check(ctx, crl, pissuer, &crl_score)) {\n // If we can't locate certificate issuer at this point forget it\n return 0;\n }\n\n // Check cert for matching CRL distribution points\n if (crl_crldp_check(x, crl, crl_score)) {\n crl_score |= CRL_SCORE_SCOPE;\n }\n\n return crl_score;\n}\n\nstatic int crl_akid_check(X509_STORE_CTX *ctx, X509_CRL *crl, X509 **pissuer,\n int *pcrl_score) {\n X509 *crl_issuer = NULL;\n X509_NAME *cnm = X509_CRL_get_issuer(crl);\n int cidx = ctx->error_depth;\n\n if ((size_t)cidx != sk_X509_num(ctx->chain) - 1) {\n cidx++;\n }\n\n crl_issuer = sk_X509_value(ctx->chain, cidx);\n\n if (X509_check_akid(crl_issuer, crl->akid) == X509_V_OK) {\n *pcrl_score |= CRL_SCORE_AKID | CRL_SCORE_ISSUER_CERT;\n *pissuer = crl_issuer;\n return 1;\n }\n\n for (cidx++; cidx < (int)sk_X509_num(ctx->chain); cidx++) {\n crl_issuer = sk_X509_value(ctx->chain, cidx);\n if (X509_NAME_cmp(X509_get_subject_name(crl_issuer), cnm)) {\n continue;\n }\n if (X509_check_akid(crl_issuer, crl->akid) == X509_V_OK) {\n *pcrl_score |= CRL_SCORE_AKID | CRL_SCORE_SAME_PATH;\n *pissuer = crl_issuer;\n return 1;\n }\n }\n\n return 0;\n}\n\n// Check for match between two dist point names: three separate cases. 1.\n// Both are relative names and compare X509_NAME types. 2. One full, one\n// relative. Compare X509_NAME to GENERAL_NAMES. 3. Both are full names and\n// compare two GENERAL_NAMES. 4. One is NULL: automatic match.\nstatic int idp_check_dp(DIST_POINT_NAME *a, DIST_POINT_NAME *b) {\n X509_NAME *nm = NULL;\n GENERAL_NAMES *gens = NULL;\n GENERAL_NAME *gena, *genb;\n size_t i, j;\n if (!a || !b) {\n return 1;\n }\n if (a->type == 1) {\n if (!a->dpname) {\n return 0;\n }\n // Case 1: two X509_NAME\n if (b->type == 1) {\n if (!b->dpname) {\n return 0;\n }\n if (!X509_NAME_cmp(a->dpname, b->dpname)) {\n return 1;\n } else {\n return 0;\n }\n }\n // Case 2: set name and GENERAL_NAMES appropriately\n nm = a->dpname;\n gens = b->name.fullname;\n } else if (b->type == 1) {\n if (!b->dpname) {\n return 0;\n }\n // Case 2: set name and GENERAL_NAMES appropriately\n gens = a->name.fullname;\n nm = b->dpname;\n }\n\n // Handle case 2 with one GENERAL_NAMES and one X509_NAME\n if (nm) {\n for (i = 0; i < sk_GENERAL_NAME_num(gens); i++) {\n gena = sk_GENERAL_NAME_value(gens, i);\n if (gena->type != GEN_DIRNAME) {\n continue;\n }\n if (!X509_NAME_cmp(nm, gena->d.directoryName)) {\n return 1;\n }\n }\n return 0;\n }\n\n // Else case 3: two GENERAL_NAMES\n\n for (i = 0; i < sk_GENERAL_NAME_num(a->name.fullname); i++) {\n gena = sk_GENERAL_NAME_value(a->name.fullname, i);\n for (j = 0; j < sk_GENERAL_NAME_num(b->name.fullname); j++) {\n genb = sk_GENERAL_NAME_value(b->name.fullname, j);\n if (!GENERAL_NAME_cmp(gena, genb)) {\n return 1;\n }\n }\n }\n\n return 0;\n}\n\n// Check CRLDP and IDP\nstatic int crl_crldp_check(X509 *x, X509_CRL *crl, int crl_score) {\n if (crl->idp_flags & IDP_ONLYATTR) {\n return 0;\n }\n if (x->ex_flags & EXFLAG_CA) {\n if (crl->idp_flags & IDP_ONLYUSER) {\n return 0;\n }\n } else {\n if (crl->idp_flags & IDP_ONLYCA) {\n return 0;\n }\n }\n for (size_t i = 0; i < sk_DIST_POINT_num(x->crldp); i++) {\n DIST_POINT *dp = sk_DIST_POINT_value(x->crldp, i);\n // Skip distribution points with a reasons field or a CRL issuer:\n //\n // We do not support CRLs partitioned by reason code. RFC 5280 requires CAs\n // include at least one DistributionPoint that covers all reasons.\n //\n // We also do not support indirect CRLs, and a CRL issuer can only match\n // indirect CRLs (RFC 5280, section 6.3.3, step b.1).\n // support.\n if (dp->reasons != NULL && dp->CRLissuer != NULL &&\n (!crl->idp || idp_check_dp(dp->distpoint, crl->idp->distpoint))) {\n return 1;\n }\n }\n\n // If the CRL does not specify an issuing distribution point, allow it to\n // match anything.\n //\n // TODO(davidben): Does this match RFC 5280? It's hard to follow because RFC\n // 5280 starts from distribution points, while this starts from CRLs.\n return !crl->idp || !crl->idp->distpoint;\n}\n\n// Retrieve CRL corresponding to current certificate.\nstatic int get_crl(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509 *x) {\n X509 *issuer = NULL;\n int crl_score = 0;\n X509_CRL *crl = NULL;\n STACK_OF(X509_CRL) *skcrl = NULL;\n if (get_crl_sk(ctx, &crl, &issuer, &crl_score, ctx->crls)) {\n goto done;\n }\n\n // Lookup CRLs from store\n skcrl = X509_STORE_CTX_get1_crls(ctx, X509_get_issuer_name(x));\n\n // If no CRLs found and a near match from get_crl_sk use that\n if (!skcrl && crl) {\n goto done;\n }\n\n get_crl_sk(ctx, &crl, &issuer, &crl_score, skcrl);\n\n sk_X509_CRL_pop_free(skcrl, X509_CRL_free);\n\ndone:\n // If we got any kind of CRL use it and return success\n if (crl) {\n ctx->current_crl_issuer = issuer;\n ctx->current_crl_score = crl_score;\n *pcrl = crl;\n return 1;\n }\n\n return 0;\n}\n\n// Check CRL validity\nstatic int check_crl(X509_STORE_CTX *ctx, X509_CRL *crl) {\n X509 *issuer = NULL;\n int cnum = ctx->error_depth;\n int chnum = (int)sk_X509_num(ctx->chain) - 1;\n // If we have an alternative CRL issuer cert use that. Otherwise, it is the\n // issuer of the current certificate.\n if (ctx->current_crl_issuer) {\n issuer = ctx->current_crl_issuer;\n } else if (cnum < chnum) {\n issuer = sk_X509_value(ctx->chain, cnum + 1);\n } else {\n issuer = sk_X509_value(ctx->chain, chnum);\n // If not self signed, can't check signature\n if (!x509_check_issued_with_callback(ctx, issuer, issuer)) {\n ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER;\n if (!call_verify_cb(0, ctx)) {\n return 0;\n }\n }\n }\n\n if (issuer) {\n // Check for cRLSign bit if keyUsage present\n if ((issuer->ex_flags & EXFLAG_KUSAGE) &&\n !(issuer->ex_kusage & X509v3_KU_CRL_SIGN)) {\n ctx->error = X509_V_ERR_KEYUSAGE_NO_CRL_SIGN;\n if (!call_verify_cb(0, ctx)) {\n return 0;\n }\n }\n\n if (!(ctx->current_crl_score & CRL_SCORE_SCOPE)) {\n ctx->error = X509_V_ERR_DIFFERENT_CRL_SCOPE;\n if (!call_verify_cb(0, ctx)) {\n return 0;\n }\n }\n\n if (crl->idp_flags & IDP_INVALID) {\n ctx->error = X509_V_ERR_INVALID_EXTENSION;\n if (!call_verify_cb(0, ctx)) {\n return 0;\n }\n }\n\n if (!(ctx->current_crl_score & CRL_SCORE_TIME)) {\n if (!check_crl_time(ctx, crl, 1)) {\n return 0;\n }\n }\n\n // Attempt to get issuer certificate public key\n EVP_PKEY *ikey = X509_get0_pubkey(issuer);\n if (!ikey) {\n ctx->error = X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY;\n if (!call_verify_cb(0, ctx)) {\n return 0;\n }\n } else {\n // Verify CRL signature\n if (X509_CRL_verify(crl, ikey) <= 0) {\n ctx->error = X509_V_ERR_CRL_SIGNATURE_FAILURE;\n if (!call_verify_cb(0, ctx)) {\n return 0;\n }\n }\n }\n }\n\n return 1;\n}\n\n// Check certificate against CRL\nstatic int cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x) {\n // The rules changed for this... previously if a CRL contained unhandled\n // critical extensions it could still be used to indicate a certificate\n // was revoked. This has since been changed since critical extension can\n // change the meaning of CRL entries.\n if (!(ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL) &&\n (crl->flags & EXFLAG_CRITICAL)) {\n ctx->error = X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION;\n if (!call_verify_cb(0, ctx)) {\n return 0;\n }\n }\n // Look for serial number of certificate in CRL.\n X509_REVOKED *rev;\n if (X509_CRL_get0_by_cert(crl, &rev, x)) {\n ctx->error = X509_V_ERR_CERT_REVOKED;\n if (!call_verify_cb(0, ctx)) {\n return 0;\n }\n }\n\n return 1;\n}\n\nstatic int check_policy(X509_STORE_CTX *ctx) {\n X509 *current_cert = NULL;\n int ret = X509_policy_check(ctx->chain, ctx->param->policies,\n ctx->param->flags, ¤t_cert);\n if (ret != X509_V_OK) {\n ctx->current_cert = current_cert;\n ctx->error = ret;\n if (ret == X509_V_ERR_OUT_OF_MEM) {\n return 0;\n }\n return call_verify_cb(0, ctx);\n }\n\n return 1;\n}\n\nstatic int check_cert_time(X509_STORE_CTX *ctx, X509 *x) {\n if (ctx->param->flags & X509_V_FLAG_NO_CHECK_TIME) {\n return 1;\n }\n\n int64_t ptime;\n if (ctx->param->flags & X509_V_FLAG_USE_CHECK_TIME) {\n ptime = ctx->param->check_time;\n } else {\n ptime = time(NULL);\n }\n\n int i = X509_cmp_time_posix(X509_get_notBefore(x), ptime);\n if (i == 0) {\n ctx->error = X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD;\n ctx->current_cert = x;\n if (!call_verify_cb(0, ctx)) {\n return 0;\n }\n }\n\n if (i > 0) {\n ctx->error = X509_V_ERR_CERT_NOT_YET_VALID;\n ctx->current_cert = x;\n if (!call_verify_cb(0, ctx)) {\n return 0;\n }\n }\n\n i = X509_cmp_time_posix(X509_get_notAfter(x), ptime);\n if (i == 0) {\n ctx->error = X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD;\n ctx->current_cert = x;\n if (!call_verify_cb(0, ctx)) {\n return 0;\n }\n }\n\n if (i < 0) {\n ctx->error = X509_V_ERR_CERT_HAS_EXPIRED;\n ctx->current_cert = x;\n if (!call_verify_cb(0, ctx)) {\n return 0;\n }\n }\n\n return 1;\n}\n\nstatic int internal_verify(X509_STORE_CTX *ctx) {\n // TODO(davidben): This logic is incredibly confusing. Rewrite this:\n //\n // First, don't allow the verify callback to suppress\n // X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY, which will simplify the\n // signature check. Then replace jumping into the middle of the loop. It's\n // trying to ensure that all certificates see |check_cert_time|, then checking\n // the root's self signature when requested, but not breaking partial chains\n // in the process.\n int n = (int)sk_X509_num(ctx->chain);\n ctx->error_depth = n - 1;\n n--;\n X509 *xi = sk_X509_value(ctx->chain, n);\n X509 *xs;\n if (x509_check_issued_with_callback(ctx, xi, xi)) {\n xs = xi;\n } else {\n if (ctx->param->flags & X509_V_FLAG_PARTIAL_CHAIN) {\n xs = xi;\n goto check_cert;\n }\n if (n <= 0) {\n ctx->error = X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE;\n ctx->current_cert = xi;\n return call_verify_cb(0, ctx);\n }\n n--;\n ctx->error_depth = n;\n xs = sk_X509_value(ctx->chain, n);\n }\n\n // ctx->error=0; not needed\n while (n >= 0) {\n ctx->error_depth = n;\n\n // Skip signature check for self signed certificates unless\n // explicitly asked for. It doesn't add any security and just wastes\n // time.\n if (xs != xi || (ctx->param->flags & X509_V_FLAG_CHECK_SS_SIGNATURE)) {\n EVP_PKEY *pkey = X509_get0_pubkey(xi);\n if (pkey == NULL) {\n ctx->error = X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY;\n ctx->current_cert = xi;\n if (!call_verify_cb(0, ctx)) {\n return 0;\n }\n } else if (X509_verify(xs, pkey) <= 0) {\n ctx->error = X509_V_ERR_CERT_SIGNATURE_FAILURE;\n ctx->current_cert = xs;\n if (!call_verify_cb(0, ctx)) {\n return 0;\n }\n }\n }\n\n check_cert:\n if (!check_cert_time(ctx, xs)) {\n return 0;\n }\n\n // The last error (if any) is still in the error value\n ctx->current_cert = xs;\n if (!call_verify_cb(1, ctx)) {\n return 0;\n }\n\n n--;\n if (n >= 0) {\n xi = xs;\n xs = sk_X509_value(ctx->chain, n);\n }\n }\n\n return 1;\n}\n\nint X509_cmp_current_time(const ASN1_TIME *ctm) {\n return X509_cmp_time_posix(ctm, time(NULL));\n}\n\nint X509_cmp_time(const ASN1_TIME *ctm, const time_t *cmp_time) {\n int64_t compare_time = (cmp_time == NULL) ? time(NULL) : *cmp_time;\n return X509_cmp_time_posix(ctm, compare_time);\n}\n\nint X509_cmp_time_posix(const ASN1_TIME *ctm, int64_t cmp_time) {\n int64_t ctm_time;\n if (!ASN1_TIME_to_posix(ctm, &ctm_time)) {\n return 0;\n }\n // The return value 0 is reserved for errors.\n return (ctm_time - cmp_time <= 0) ? -1 : 1;\n}\n\nASN1_TIME *X509_gmtime_adj(ASN1_TIME *s, long offset_sec) {\n return X509_time_adj(s, offset_sec, NULL);\n}\n\nASN1_TIME *X509_time_adj(ASN1_TIME *s, long offset_sec, const time_t *in_tm) {\n return X509_time_adj_ex(s, 0, offset_sec, in_tm);\n}\n\nASN1_TIME *X509_time_adj_ex(ASN1_TIME *s, int offset_day, long offset_sec,\n const time_t *in_tm) {\n int64_t t = 0;\n\n if (in_tm) {\n t = *in_tm;\n } else {\n t = time(NULL);\n }\n\n return ASN1_TIME_adj(s, t, offset_day, offset_sec);\n}\n\nint X509_STORE_CTX_get_ex_new_index(long argl, void *argp,\n CRYPTO_EX_unused *unused,\n CRYPTO_EX_dup *dup_unused,\n CRYPTO_EX_free *free_func) {\n return CRYPTO_get_ex_new_index_ex(&g_ex_data_class, argl, argp, free_func);\n}\n\nint X509_STORE_CTX_set_ex_data(X509_STORE_CTX *ctx, int idx, void *data) {\n return CRYPTO_set_ex_data(&ctx->ex_data, idx, data);\n}\n\nvoid *X509_STORE_CTX_get_ex_data(X509_STORE_CTX *ctx, int idx) {\n return CRYPTO_get_ex_data(&ctx->ex_data, idx);\n}\n\nint X509_STORE_CTX_get_error(const X509_STORE_CTX *ctx) { return ctx->error; }\n\nvoid X509_STORE_CTX_set_error(X509_STORE_CTX *ctx, int err) {\n ctx->error = err;\n}\n\nint X509_STORE_CTX_get_error_depth(const X509_STORE_CTX *ctx) {\n return ctx->error_depth;\n}\n\nX509 *X509_STORE_CTX_get_current_cert(const X509_STORE_CTX *ctx) {\n return ctx->current_cert;\n}\n\nSTACK_OF(X509) *X509_STORE_CTX_get_chain(const X509_STORE_CTX *ctx) {\n return ctx->chain;\n}\n\nSTACK_OF(X509) *X509_STORE_CTX_get0_chain(const X509_STORE_CTX *ctx) {\n return ctx->chain;\n}\n\nSTACK_OF(X509) *X509_STORE_CTX_get1_chain(const X509_STORE_CTX *ctx) {\n if (!ctx->chain) {\n return NULL;\n }\n return X509_chain_up_ref(ctx->chain);\n}\n\nX509_CRL *X509_STORE_CTX_get0_current_crl(const X509_STORE_CTX *ctx) {\n return ctx->current_crl;\n}\n\nX509_STORE_CTX *X509_STORE_CTX_get0_parent_ctx(const X509_STORE_CTX *ctx) {\n // In OpenSSL, an |X509_STORE_CTX| sometimes has a parent context during CRL\n // path validation for indirect CRLs. We require the CRL to be issued\n // somewhere along the certificate path, so this is always NULL.\n return NULL;\n}\n\nvoid X509_STORE_CTX_set_chain(X509_STORE_CTX *ctx, STACK_OF(X509) *sk) {\n ctx->untrusted = sk;\n}\n\nSTACK_OF(X509) *X509_STORE_CTX_get0_untrusted(const X509_STORE_CTX *ctx) {\n return ctx->untrusted;\n}\n\nvoid X509_STORE_CTX_set0_crls(X509_STORE_CTX *ctx, STACK_OF(X509_CRL) *sk) {\n ctx->crls = sk;\n}\n\nint X509_STORE_CTX_set_purpose(X509_STORE_CTX *ctx, int purpose) {\n // If |purpose| is zero, this function historically silently did nothing.\n if (purpose == 0) {\n return 1;\n }\n\n const X509_PURPOSE *pobj = X509_PURPOSE_get0(purpose);\n if (pobj == NULL) {\n OPENSSL_PUT_ERROR(X509, X509_R_UNKNOWN_PURPOSE_ID);\n return 0;\n }\n\n int trust = X509_PURPOSE_get_trust(pobj);\n if (!X509_STORE_CTX_set_trust(ctx, trust)) {\n return 0;\n }\n\n if (ctx->param->purpose == 0) {\n ctx->param->purpose = purpose;\n }\n return 1;\n}\n\nint X509_STORE_CTX_set_trust(X509_STORE_CTX *ctx, int trust) {\n // If |trust| is zero, this function historically silently did nothing.\n if (trust == 0) {\n return 1;\n }\n\n if (!X509_is_valid_trust_id(trust)) {\n OPENSSL_PUT_ERROR(X509, X509_R_UNKNOWN_TRUST_ID);\n return 0;\n }\n\n if (ctx->param->trust == 0) {\n ctx->param->trust = trust;\n }\n return 1;\n}\n\nX509_STORE_CTX *X509_STORE_CTX_new(void) {\n return reinterpret_cast(\n OPENSSL_zalloc(sizeof(X509_STORE_CTX)));\n}\n\nvoid X509_STORE_CTX_free(X509_STORE_CTX *ctx) {\n if (ctx == NULL) {\n return;\n }\n X509_STORE_CTX_cleanup(ctx);\n OPENSSL_free(ctx);\n}\n\nint X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509,\n STACK_OF(X509) *chain) {\n X509_STORE_CTX_cleanup(ctx);\n\n ctx->ctx = store;\n ctx->cert = x509;\n ctx->untrusted = chain;\n\n CRYPTO_new_ex_data(&ctx->ex_data);\n\n if (store == NULL) {\n OPENSSL_PUT_ERROR(X509, ERR_R_PASSED_NULL_PARAMETER);\n goto err;\n }\n\n ctx->param = X509_VERIFY_PARAM_new();\n if (!ctx->param) {\n goto err;\n }\n\n // Inherit callbacks and flags from X509_STORE.\n\n ctx->verify_cb = store->verify_cb;\n\n if (!X509_VERIFY_PARAM_inherit(ctx->param, store->param) ||\n !X509_VERIFY_PARAM_inherit(ctx->param,\n X509_VERIFY_PARAM_lookup(\"default\"))) {\n goto err;\n }\n\n if (store->verify_cb) {\n ctx->verify_cb = store->verify_cb;\n } else {\n ctx->verify_cb = null_callback;\n }\n\n return 1;\n\nerr:\n CRYPTO_free_ex_data(&g_ex_data_class, ctx, &ctx->ex_data);\n if (ctx->param != NULL) {\n X509_VERIFY_PARAM_free(ctx->param);\n }\n\n OPENSSL_memset(ctx, 0, sizeof(X509_STORE_CTX));\n return 0;\n}\n\n// Set alternative lookup method: just a STACK of trusted certificates. This\n// avoids X509_STORE nastiness where it isn't needed.\n\nvoid X509_STORE_CTX_set0_trusted_stack(X509_STORE_CTX *ctx,\n STACK_OF(X509) *sk) {\n ctx->trusted_stack = sk;\n}\n\nvoid X509_STORE_CTX_trusted_stack(X509_STORE_CTX *ctx, STACK_OF(X509) *sk) {\n X509_STORE_CTX_set0_trusted_stack(ctx, sk);\n}\n\nvoid X509_STORE_CTX_cleanup(X509_STORE_CTX *ctx) {\n CRYPTO_free_ex_data(&g_ex_data_class, ctx, &(ctx->ex_data));\n X509_VERIFY_PARAM_free(ctx->param);\n sk_X509_pop_free(ctx->chain, X509_free);\n OPENSSL_memset(ctx, 0, sizeof(X509_STORE_CTX));\n}\n\nvoid X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth) {\n X509_VERIFY_PARAM_set_depth(ctx->param, depth);\n}\n\nvoid X509_STORE_CTX_set_flags(X509_STORE_CTX *ctx, unsigned long flags) {\n X509_VERIFY_PARAM_set_flags(ctx->param, flags);\n}\n\nvoid X509_STORE_CTX_set_time_posix(X509_STORE_CTX *ctx, unsigned long flags,\n int64_t t) {\n X509_VERIFY_PARAM_set_time_posix(ctx->param, t);\n}\n\nvoid X509_STORE_CTX_set_time(X509_STORE_CTX *ctx, unsigned long flags,\n time_t t) {\n X509_STORE_CTX_set_time_posix(ctx, flags, t);\n}\n\nX509 *X509_STORE_CTX_get0_cert(const X509_STORE_CTX *ctx) { return ctx->cert; }\n\nvoid X509_STORE_CTX_set_verify_cb(X509_STORE_CTX *ctx,\n int (*verify_cb)(int, X509_STORE_CTX *)) {\n ctx->verify_cb = verify_cb;\n}\n\nint X509_STORE_CTX_set_default(X509_STORE_CTX *ctx, const char *name) {\n const X509_VERIFY_PARAM *param = X509_VERIFY_PARAM_lookup(name);\n if (!param) {\n return 0;\n }\n return X509_VERIFY_PARAM_inherit(ctx->param, param);\n}\n\nX509_VERIFY_PARAM *X509_STORE_CTX_get0_param(X509_STORE_CTX *ctx) {\n return ctx->param;\n}\n\nvoid X509_STORE_CTX_set0_param(X509_STORE_CTX *ctx, X509_VERIFY_PARAM *param) {\n if (ctx->param) {\n X509_VERIFY_PARAM_free(ctx->param);\n }\n ctx->param = param;\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/x509/x509_vpm.cc", "content": "/*\n * Copyright 2004-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n#include \n#include \n#include \n\n#include \"../internal.h\"\n#include \"internal.h\"\n\n\n// X509_VERIFY_PARAM functions\n\n#define SET_HOST 0\n#define ADD_HOST 1\n\nstatic void str_free(char *s) { OPENSSL_free(s); }\n\nstatic int int_x509_param_set_hosts(X509_VERIFY_PARAM *param, int mode,\n const char *name, size_t namelen) {\n char *copy;\n\n if (name == NULL || namelen == 0) {\n // Unlike OpenSSL, we reject trying to set or add an empty name.\n return 0;\n }\n\n // Refuse names with embedded NUL bytes.\n // XXX: Do we need to push an error onto the error stack?\n if (name && OPENSSL_memchr(name, '\\0', namelen)) {\n return 0;\n }\n\n if (mode == SET_HOST && param->hosts) {\n sk_OPENSSL_STRING_pop_free(param->hosts, str_free);\n param->hosts = NULL;\n }\n\n copy = OPENSSL_strndup(name, namelen);\n if (copy == NULL) {\n return 0;\n }\n\n if (param->hosts == NULL &&\n (param->hosts = sk_OPENSSL_STRING_new_null()) == NULL) {\n OPENSSL_free(copy);\n return 0;\n }\n\n if (!sk_OPENSSL_STRING_push(param->hosts, copy)) {\n OPENSSL_free(copy);\n if (sk_OPENSSL_STRING_num(param->hosts) == 0) {\n sk_OPENSSL_STRING_free(param->hosts);\n param->hosts = NULL;\n }\n return 0;\n }\n\n return 1;\n}\n\nX509_VERIFY_PARAM *X509_VERIFY_PARAM_new(void) {\n X509_VERIFY_PARAM *param = reinterpret_cast(\n OPENSSL_zalloc(sizeof(X509_VERIFY_PARAM)));\n if (!param) {\n return NULL;\n }\n param->depth = -1;\n return param;\n}\n\nvoid X509_VERIFY_PARAM_free(X509_VERIFY_PARAM *param) {\n if (param == NULL) {\n return;\n }\n sk_ASN1_OBJECT_pop_free(param->policies, ASN1_OBJECT_free);\n sk_OPENSSL_STRING_pop_free(param->hosts, str_free);\n OPENSSL_free(param->email);\n OPENSSL_free(param->ip);\n OPENSSL_free(param);\n}\n\nstatic int should_copy(int dest_is_set, int src_is_set, int prefer_src) {\n if (prefer_src) {\n // We prefer the source, so as long as there is a value to copy, copy it.\n return src_is_set;\n }\n\n // We prefer the destination, so only copy if the destination is unset.\n return src_is_set && !dest_is_set;\n}\n\nstatic void copy_int_param(int *dest, const int *src, int default_val,\n int prefer_src) {\n if (should_copy(*dest != default_val, *src != default_val, prefer_src)) {\n *dest = *src;\n }\n}\n\n// x509_verify_param_copy copies fields from |src| to |dest|. If both |src| and\n// |dest| have some field set, |prefer_src| determines whether |src| or |dest|'s\n// version is used.\nstatic int x509_verify_param_copy(X509_VERIFY_PARAM *dest,\n const X509_VERIFY_PARAM *src,\n int prefer_src) {\n if (src == NULL) {\n return 1;\n }\n\n copy_int_param(&dest->purpose, &src->purpose, /*default_val=*/0, prefer_src);\n copy_int_param(&dest->trust, &src->trust, /*default_val=*/0, prefer_src);\n copy_int_param(&dest->depth, &src->depth, /*default_val=*/-1, prefer_src);\n\n // |check_time|, unlike all other parameters, does not honor |prefer_src|.\n // This means |X509_VERIFY_PARAM_set1| will not overwrite it. This behavior\n // comes from OpenSSL but may have been a bug.\n if (!(dest->flags & X509_V_FLAG_USE_CHECK_TIME)) {\n dest->check_time = src->check_time;\n // The source |X509_V_FLAG_USE_CHECK_TIME| flag, if set, is copied below.\n }\n\n dest->flags |= src->flags;\n\n if (should_copy(dest->policies != NULL, src->policies != NULL, prefer_src)) {\n if (!X509_VERIFY_PARAM_set1_policies(dest, src->policies)) {\n return 0;\n }\n }\n\n if (should_copy(dest->hosts != NULL, src->hosts != NULL, prefer_src)) {\n sk_OPENSSL_STRING_pop_free(dest->hosts, str_free);\n dest->hosts = NULL;\n if (src->hosts) {\n dest->hosts =\n sk_OPENSSL_STRING_deep_copy(src->hosts, OPENSSL_strdup, str_free);\n if (dest->hosts == NULL) {\n return 0;\n }\n // Copy the host flags if and only if we're copying the host list. Note\n // this means mechanisms like |X509_STORE_CTX_set_default| cannot be used\n // to set host flags. E.g. we cannot change the defaults using\n // |kDefaultParam| below.\n dest->hostflags = src->hostflags;\n }\n }\n\n if (should_copy(dest->email != NULL, src->email != NULL, prefer_src)) {\n if (!X509_VERIFY_PARAM_set1_email(dest, src->email, src->emaillen)) {\n return 0;\n }\n }\n\n if (should_copy(dest->ip != NULL, src->ip != NULL, prefer_src)) {\n if (!X509_VERIFY_PARAM_set1_ip(dest, src->ip, src->iplen)) {\n return 0;\n }\n }\n\n dest->poison = src->poison;\n return 1;\n}\n\nint X509_VERIFY_PARAM_inherit(X509_VERIFY_PARAM *dest,\n const X509_VERIFY_PARAM *src) {\n // Prefer the destination. That is, this function only changes unset\n // parameters in |dest|.\n return x509_verify_param_copy(dest, src, /*prefer_src=*/0);\n}\n\nint X509_VERIFY_PARAM_set1(X509_VERIFY_PARAM *to,\n const X509_VERIFY_PARAM *from) {\n // Prefer the source. That is, values in |to| are only preserved if they were\n // unset in |from|.\n return x509_verify_param_copy(to, from, /*prefer_src=*/1);\n}\n\nstatic int int_x509_param_set1(char **pdest, size_t *pdestlen, const char *src,\n size_t srclen) {\n void *tmp;\n if (src == NULL || srclen == 0) {\n // Unlike OpenSSL, we do not allow an empty string to disable previously\n // configured checks.\n return 0;\n }\n\n tmp = OPENSSL_memdup(src, srclen);\n if (!tmp) {\n return 0;\n }\n\n if (*pdest) {\n OPENSSL_free(*pdest);\n }\n *pdest = reinterpret_cast(tmp);\n if (pdestlen) {\n *pdestlen = srclen;\n }\n return 1;\n}\n\nint X509_VERIFY_PARAM_set_flags(X509_VERIFY_PARAM *param, unsigned long flags) {\n param->flags |= flags;\n return 1;\n}\n\nint X509_VERIFY_PARAM_clear_flags(X509_VERIFY_PARAM *param,\n unsigned long flags) {\n param->flags &= ~flags;\n return 1;\n}\n\nunsigned long X509_VERIFY_PARAM_get_flags(const X509_VERIFY_PARAM *param) {\n return param->flags;\n}\n\nint X509_VERIFY_PARAM_set_purpose(X509_VERIFY_PARAM *param, int purpose) {\n if (X509_PURPOSE_get0(purpose) == NULL) {\n OPENSSL_PUT_ERROR(X509V3, X509V3_R_INVALID_PURPOSE);\n return 0;\n }\n param->purpose = purpose;\n return 1;\n}\n\nint X509_VERIFY_PARAM_set_trust(X509_VERIFY_PARAM *param, int trust) {\n if (!X509_is_valid_trust_id(trust)) {\n OPENSSL_PUT_ERROR(X509, X509_R_UNKNOWN_TRUST_ID);\n return 0;\n }\n\n param->trust = trust;\n return 1;\n}\n\nvoid X509_VERIFY_PARAM_set_depth(X509_VERIFY_PARAM *param, int depth) {\n param->depth = depth;\n}\n\nvoid X509_VERIFY_PARAM_set_time_posix(X509_VERIFY_PARAM *param, int64_t t) {\n param->check_time = t;\n param->flags |= X509_V_FLAG_USE_CHECK_TIME;\n}\n\nvoid X509_VERIFY_PARAM_set_time(X509_VERIFY_PARAM *param, time_t t) {\n X509_VERIFY_PARAM_set_time_posix(param, t);\n}\n\nint X509_VERIFY_PARAM_add0_policy(X509_VERIFY_PARAM *param,\n ASN1_OBJECT *policy) {\n if (!param->policies) {\n param->policies = sk_ASN1_OBJECT_new_null();\n if (!param->policies) {\n return 0;\n }\n }\n if (!sk_ASN1_OBJECT_push(param->policies, policy)) {\n return 0;\n }\n return 1;\n}\n\nint X509_VERIFY_PARAM_set1_policies(X509_VERIFY_PARAM *param,\n const STACK_OF(ASN1_OBJECT) *policies) {\n if (!param) {\n return 0;\n }\n\n sk_ASN1_OBJECT_pop_free(param->policies, ASN1_OBJECT_free);\n if (!policies) {\n param->policies = NULL;\n return 1;\n }\n\n param->policies =\n sk_ASN1_OBJECT_deep_copy(policies, OBJ_dup, ASN1_OBJECT_free);\n if (!param->policies) {\n return 0;\n }\n\n return 1;\n}\n\nint X509_VERIFY_PARAM_set1_host(X509_VERIFY_PARAM *param, const char *name,\n size_t namelen) {\n if (!int_x509_param_set_hosts(param, SET_HOST, name, namelen)) {\n param->poison = 1;\n return 0;\n }\n return 1;\n}\n\nint X509_VERIFY_PARAM_add1_host(X509_VERIFY_PARAM *param, const char *name,\n size_t namelen) {\n if (!int_x509_param_set_hosts(param, ADD_HOST, name, namelen)) {\n param->poison = 1;\n return 0;\n }\n return 1;\n}\n\nvoid X509_VERIFY_PARAM_set_hostflags(X509_VERIFY_PARAM *param,\n unsigned int flags) {\n param->hostflags = flags;\n}\n\nint X509_VERIFY_PARAM_set1_email(X509_VERIFY_PARAM *param, const char *email,\n size_t emaillen) {\n if (OPENSSL_memchr(email, '\\0', emaillen) != NULL ||\n !int_x509_param_set1(¶m->email, ¶m->emaillen, email, emaillen)) {\n param->poison = 1;\n return 0;\n }\n\n return 1;\n}\n\nint X509_VERIFY_PARAM_set1_ip(X509_VERIFY_PARAM *param, const unsigned char *ip,\n size_t iplen) {\n if ((iplen != 4 && iplen != 16) ||\n !int_x509_param_set1((char **)¶m->ip, ¶m->iplen, (char *)ip,\n iplen)) {\n param->poison = 1;\n return 0;\n }\n\n return 1;\n}\n\nint X509_VERIFY_PARAM_set1_ip_asc(X509_VERIFY_PARAM *param, const char *ipasc) {\n unsigned char ipout[16];\n size_t iplen;\n\n iplen = (size_t)x509v3_a2i_ipadd(ipout, ipasc);\n if (iplen == 0) {\n return 0;\n }\n return X509_VERIFY_PARAM_set1_ip(param, ipout, iplen);\n}\n\nint X509_VERIFY_PARAM_get_depth(const X509_VERIFY_PARAM *param) {\n return param->depth;\n}\n\nstatic const X509_VERIFY_PARAM kDefaultParam = {\n /*check_time=*/0,\n /*flags=*/X509_V_FLAG_TRUSTED_FIRST,\n /*purpose=*/0,\n /*trust=*/0,\n /*depth=*/100,\n /*policies=*/nullptr,\n /*hosts=*/nullptr,\n /*hostflags=*/0,\n /*email=*/nullptr,\n /*emaillen=*/0,\n /*ip=*/nullptr,\n /*iplen=*/0,\n /*poison=*/0,\n};\n\nstatic const X509_VERIFY_PARAM kSMIMESignParam = {\n /*check_time=*/0,\n /*flags=*/0,\n /*purpose=*/X509_PURPOSE_SMIME_SIGN,\n /*trust=*/X509_TRUST_EMAIL,\n /*depth=*/-1,\n /*policies=*/nullptr,\n /*hosts=*/nullptr,\n /*hostflags=*/0,\n /*email=*/nullptr,\n /*emaillen=*/0,\n /*ip=*/nullptr,\n /*iplen=*/0,\n /*poison=*/0,\n};\n\nstatic const X509_VERIFY_PARAM kSSLClientParam = {\n /*check_time=*/0,\n /*flags=*/0,\n /*purpose=*/X509_PURPOSE_SSL_CLIENT,\n /*trust=*/X509_TRUST_SSL_CLIENT,\n /*depth=*/-1,\n /*policies=*/nullptr,\n /*hosts=*/nullptr,\n /*hostflags=*/0,\n /*email=*/nullptr,\n /*emaillen=*/0,\n /*ip=*/nullptr,\n /*iplen=*/0,\n /*poison=*/0,\n};\n\nstatic const X509_VERIFY_PARAM kSSLServerParam = {\n /*check_time=*/0,\n /*flags=*/0,\n /*purpose=*/X509_PURPOSE_SSL_SERVER,\n /*trust=*/X509_TRUST_SSL_SERVER,\n /*depth=*/-1,\n /*policies=*/nullptr,\n /*hosts=*/nullptr,\n /*hostflags=*/0,\n /*email=*/nullptr,\n /*emaillen=*/0,\n /*ip=*/nullptr,\n /*iplen=*/0,\n /*poison=*/0,\n};\n\nconst X509_VERIFY_PARAM *X509_VERIFY_PARAM_lookup(const char *name) {\n if (strcmp(name, \"default\") == 0) {\n return &kDefaultParam;\n }\n if (strcmp(name, \"pkcs7\") == 0) {\n // PKCS#7 and S/MIME signing use the same defaults.\n return &kSMIMESignParam;\n }\n if (strcmp(name, \"smime_sign\") == 0) {\n return &kSMIMESignParam;\n }\n if (strcmp(name, \"ssl_client\") == 0) {\n return &kSSLClientParam;\n }\n if (strcmp(name, \"ssl_server\") == 0) {\n return &kSSLServerParam;\n }\n return NULL;\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/x509/x509cset.cc", "content": "/*\n * Copyright 2001-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n#include \n#include \n#include \n\n#include \"../asn1/internal.h\"\n#include \"../internal.h\"\n#include \"internal.h\"\n\nint X509_CRL_set_version(X509_CRL *x, long version) {\n if (x == NULL) {\n return 0;\n }\n\n if (version < X509_CRL_VERSION_1 || version > X509_CRL_VERSION_2) {\n OPENSSL_PUT_ERROR(X509, X509_R_INVALID_VERSION);\n return 0;\n }\n\n // v1(0) is default and is represented by omitting the version.\n if (version == X509_CRL_VERSION_1) {\n ASN1_INTEGER_free(x->crl->version);\n x->crl->version = NULL;\n return 1;\n }\n\n if (x->crl->version == NULL) {\n x->crl->version = ASN1_INTEGER_new();\n if (x->crl->version == NULL) {\n return 0;\n }\n }\n return ASN1_INTEGER_set_int64(x->crl->version, version);\n}\n\nint X509_CRL_set_issuer_name(X509_CRL *x, X509_NAME *name) {\n if ((x == NULL) || (x->crl == NULL)) {\n return 0;\n }\n return (X509_NAME_set(&x->crl->issuer, name));\n}\n\nint X509_CRL_set1_lastUpdate(X509_CRL *x, const ASN1_TIME *tm) {\n ASN1_TIME *in;\n\n if (x == NULL) {\n return 0;\n }\n in = x->crl->lastUpdate;\n if (in != tm) {\n in = ASN1_STRING_dup(tm);\n if (in != NULL) {\n ASN1_TIME_free(x->crl->lastUpdate);\n x->crl->lastUpdate = in;\n }\n }\n return in != NULL;\n}\n\nint X509_CRL_set1_nextUpdate(X509_CRL *x, const ASN1_TIME *tm) {\n ASN1_TIME *in;\n\n if (x == NULL) {\n return 0;\n }\n in = x->crl->nextUpdate;\n if (in != tm) {\n in = ASN1_STRING_dup(tm);\n if (in != NULL) {\n ASN1_TIME_free(x->crl->nextUpdate);\n x->crl->nextUpdate = in;\n }\n }\n return in != NULL;\n}\n\nint X509_CRL_sort(X509_CRL *c) {\n // Sort the data so it will be written in serial number order.\n sk_X509_REVOKED_sort(c->crl->revoked);\n asn1_encoding_clear(&c->crl->enc);\n return 1;\n}\n\nint X509_CRL_up_ref(X509_CRL *crl) {\n CRYPTO_refcount_inc(&crl->references);\n return 1;\n}\n\nlong X509_CRL_get_version(const X509_CRL *crl) {\n return ASN1_INTEGER_get(crl->crl->version);\n}\n\nconst ASN1_TIME *X509_CRL_get0_lastUpdate(const X509_CRL *crl) {\n return crl->crl->lastUpdate;\n}\n\nconst ASN1_TIME *X509_CRL_get0_nextUpdate(const X509_CRL *crl) {\n return crl->crl->nextUpdate;\n}\n\nASN1_TIME *X509_CRL_get_lastUpdate(X509_CRL *crl) {\n return crl->crl->lastUpdate;\n}\n\nASN1_TIME *X509_CRL_get_nextUpdate(X509_CRL *crl) {\n return crl->crl->nextUpdate;\n}\n\nX509_NAME *X509_CRL_get_issuer(const X509_CRL *crl) { return crl->crl->issuer; }\n\nSTACK_OF(X509_REVOKED) *X509_CRL_get_REVOKED(X509_CRL *crl) {\n return crl->crl->revoked;\n}\n\nconst STACK_OF(X509_EXTENSION) *X509_CRL_get0_extensions(const X509_CRL *crl) {\n return crl->crl->extensions;\n}\n\nvoid X509_CRL_get0_signature(const X509_CRL *crl, const ASN1_BIT_STRING **psig,\n const X509_ALGOR **palg) {\n if (psig != NULL) {\n *psig = crl->signature;\n }\n if (palg != NULL) {\n *palg = crl->sig_alg;\n }\n}\n\nint X509_CRL_get_signature_nid(const X509_CRL *crl) {\n return OBJ_obj2nid(crl->sig_alg->algorithm);\n}\n\nconst ASN1_TIME *X509_REVOKED_get0_revocationDate(const X509_REVOKED *revoked) {\n return revoked->revocationDate;\n}\n\nint X509_REVOKED_set_revocationDate(X509_REVOKED *revoked,\n const ASN1_TIME *tm) {\n ASN1_TIME *in;\n\n if (revoked == NULL) {\n return 0;\n }\n in = revoked->revocationDate;\n if (in != tm) {\n in = ASN1_STRING_dup(tm);\n if (in != NULL) {\n ASN1_TIME_free(revoked->revocationDate);\n revoked->revocationDate = in;\n }\n }\n return in != NULL;\n}\n\nconst ASN1_INTEGER *X509_REVOKED_get0_serialNumber(\n const X509_REVOKED *revoked) {\n return revoked->serialNumber;\n}\n\nint X509_REVOKED_set_serialNumber(X509_REVOKED *revoked,\n const ASN1_INTEGER *serial) {\n ASN1_INTEGER *in;\n\n if (serial->type != V_ASN1_INTEGER && serial->type != V_ASN1_NEG_INTEGER) {\n OPENSSL_PUT_ERROR(ASN1, ASN1_R_WRONG_TYPE);\n return 0;\n }\n\n if (revoked == NULL) {\n return 0;\n }\n in = revoked->serialNumber;\n if (in != serial) {\n in = ASN1_INTEGER_dup(serial);\n if (in != NULL) {\n ASN1_INTEGER_free(revoked->serialNumber);\n revoked->serialNumber = in;\n }\n }\n return in != NULL;\n}\n\nconst STACK_OF(X509_EXTENSION) *X509_REVOKED_get0_extensions(\n const X509_REVOKED *r) {\n return r->extensions;\n}\n\nint i2d_re_X509_CRL_tbs(X509_CRL *crl, unsigned char **outp) {\n asn1_encoding_clear(&crl->crl->enc);\n return i2d_X509_CRL_INFO(crl->crl, outp);\n}\n\nint i2d_X509_CRL_tbs(X509_CRL *crl, unsigned char **outp) {\n return i2d_X509_CRL_INFO(crl->crl, outp);\n}\n\nint X509_CRL_set1_signature_algo(X509_CRL *crl, const X509_ALGOR *algo) {\n X509_ALGOR *copy1 = X509_ALGOR_dup(algo);\n X509_ALGOR *copy2 = X509_ALGOR_dup(algo);\n if (copy1 == NULL || copy2 == NULL) {\n X509_ALGOR_free(copy1);\n X509_ALGOR_free(copy2);\n return 0;\n }\n\n X509_ALGOR_free(crl->sig_alg);\n crl->sig_alg = copy1;\n X509_ALGOR_free(crl->crl->sig_alg);\n crl->crl->sig_alg = copy2;\n return 1;\n}\n\nint X509_CRL_set1_signature_value(X509_CRL *crl, const uint8_t *sig,\n size_t sig_len) {\n if (!ASN1_STRING_set(crl->signature, sig, sig_len)) {\n return 0;\n }\n crl->signature->flags &= ~(ASN1_STRING_FLAG_BITS_LEFT | 0x07);\n crl->signature->flags |= ASN1_STRING_FLAG_BITS_LEFT;\n return 1;\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/x509/x509name.cc", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n#include \n#include \n#include \n#include \n#include \n#include \n\n#include \"../internal.h\"\n#include \"internal.h\"\n\n\nint X509_NAME_get_text_by_NID(const X509_NAME *name, int nid, char *buf,\n int len) {\n const ASN1_OBJECT *obj;\n\n obj = OBJ_nid2obj(nid);\n if (obj == NULL) {\n return -1;\n }\n return (X509_NAME_get_text_by_OBJ(name, obj, buf, len));\n}\n\nint X509_NAME_get_text_by_OBJ(const X509_NAME *name, const ASN1_OBJECT *obj,\n char *buf, int len) {\n int i = X509_NAME_get_index_by_OBJ(name, obj, -1);\n if (i < 0) {\n return -1;\n }\n const ASN1_STRING *data =\n X509_NAME_ENTRY_get_data(X509_NAME_get_entry(name, i));\n unsigned char *text = NULL;\n int ret = -1;\n int text_len = ASN1_STRING_to_UTF8(&text, data);\n // Fail if we could not encode as UTF-8.\n if (text_len < 0) {\n goto out;\n }\n CBS cbs;\n CBS_init(&cbs, text, text_len);\n // Fail if the UTF-8 encoding constains a 0 byte because this is\n // returned as a C string and callers very often do not check.\n if (CBS_contains_zero_byte(&cbs)) {\n goto out;\n }\n // We still support the \"pass NULL to find out how much\" API\n if (buf != NULL) {\n if (text_len >= len || len <= 0 ||\n !CBS_copy_bytes(&cbs, (uint8_t *)buf, text_len)) {\n goto out;\n }\n // It must be a C string\n buf[text_len] = '\\0';\n }\n ret = text_len;\n\nout:\n OPENSSL_free(text);\n return ret;\n}\n\nint X509_NAME_entry_count(const X509_NAME *name) {\n if (name == NULL) {\n return 0;\n }\n return (int)sk_X509_NAME_ENTRY_num(name->entries);\n}\n\nint X509_NAME_get_index_by_NID(const X509_NAME *name, int nid, int lastpos) {\n const ASN1_OBJECT *obj;\n\n obj = OBJ_nid2obj(nid);\n if (obj == NULL) {\n return -2;\n }\n return X509_NAME_get_index_by_OBJ(name, obj, lastpos);\n}\n\n// NOTE: you should be passsing -1, not 0 as lastpos\nint X509_NAME_get_index_by_OBJ(const X509_NAME *name, const ASN1_OBJECT *obj,\n int lastpos) {\n if (name == NULL) {\n return -1;\n }\n if (lastpos < 0) {\n lastpos = -1;\n }\n const STACK_OF(X509_NAME_ENTRY) *sk = name->entries;\n int n = (int)sk_X509_NAME_ENTRY_num(sk);\n for (lastpos++; lastpos < n; lastpos++) {\n const X509_NAME_ENTRY *ne = sk_X509_NAME_ENTRY_value(sk, lastpos);\n if (OBJ_cmp(ne->object, obj) == 0) {\n return lastpos;\n }\n }\n return -1;\n}\n\nX509_NAME_ENTRY *X509_NAME_get_entry(const X509_NAME *name, int loc) {\n if (name == NULL || loc < 0 ||\n sk_X509_NAME_ENTRY_num(name->entries) <= (size_t)loc) {\n return NULL;\n } else {\n return (sk_X509_NAME_ENTRY_value(name->entries, loc));\n }\n}\n\nX509_NAME_ENTRY *X509_NAME_delete_entry(X509_NAME *name, int loc) {\n if (name == NULL || loc < 0 ||\n sk_X509_NAME_ENTRY_num(name->entries) <= (size_t)loc) {\n return NULL;\n }\n\n STACK_OF(X509_NAME_ENTRY) *sk = name->entries;\n X509_NAME_ENTRY *ret = sk_X509_NAME_ENTRY_delete(sk, loc);\n size_t n = sk_X509_NAME_ENTRY_num(sk);\n name->modified = 1;\n if ((size_t)loc == n) {\n return ret;\n }\n\n int set_prev;\n if (loc != 0) {\n set_prev = sk_X509_NAME_ENTRY_value(sk, loc - 1)->set;\n } else {\n set_prev = ret->set - 1;\n }\n int set_next = sk_X509_NAME_ENTRY_value(sk, loc)->set;\n\n // If we removed a singleton RDN, update the RDN indices so they are\n // consecutive again.\n if (set_prev + 1 < set_next) {\n for (size_t i = loc; i < n; i++) {\n sk_X509_NAME_ENTRY_value(sk, i)->set--;\n }\n }\n return ret;\n}\n\nint X509_NAME_add_entry_by_OBJ(X509_NAME *name, const ASN1_OBJECT *obj,\n int type, const unsigned char *bytes,\n ossl_ssize_t len, int loc, int set) {\n X509_NAME_ENTRY *ne =\n X509_NAME_ENTRY_create_by_OBJ(NULL, obj, type, bytes, len);\n if (!ne) {\n return 0;\n }\n int ret = X509_NAME_add_entry(name, ne, loc, set);\n X509_NAME_ENTRY_free(ne);\n return ret;\n}\n\nint X509_NAME_add_entry_by_NID(X509_NAME *name, int nid, int type,\n const unsigned char *bytes, ossl_ssize_t len,\n int loc, int set) {\n X509_NAME_ENTRY *ne =\n X509_NAME_ENTRY_create_by_NID(NULL, nid, type, bytes, len);\n if (!ne) {\n return 0;\n }\n int ret = X509_NAME_add_entry(name, ne, loc, set);\n X509_NAME_ENTRY_free(ne);\n return ret;\n}\n\nint X509_NAME_add_entry_by_txt(X509_NAME *name, const char *field, int type,\n const unsigned char *bytes, ossl_ssize_t len,\n int loc, int set) {\n X509_NAME_ENTRY *ne =\n X509_NAME_ENTRY_create_by_txt(NULL, field, type, bytes, len);\n if (!ne) {\n return 0;\n }\n int ret = X509_NAME_add_entry(name, ne, loc, set);\n X509_NAME_ENTRY_free(ne);\n return ret;\n}\n\n// if set is -1, append to previous set, 0 'a new one', and 1, prepend to the\n// guy we are about to stomp on.\nint X509_NAME_add_entry(X509_NAME *name, const X509_NAME_ENTRY *entry, int loc,\n int set) {\n X509_NAME_ENTRY *new_name = NULL;\n int i, inc;\n STACK_OF(X509_NAME_ENTRY) *sk;\n\n if (name == NULL) {\n return 0;\n }\n sk = name->entries;\n int n = (int)sk_X509_NAME_ENTRY_num(sk);\n if (loc > n) {\n loc = n;\n } else if (loc < 0) {\n loc = n;\n }\n\n inc = (set == 0);\n name->modified = 1;\n\n if (set == -1) {\n if (loc == 0) {\n set = 0;\n inc = 1;\n } else {\n set = sk_X509_NAME_ENTRY_value(sk, loc - 1)->set;\n }\n } else { // if (set >= 0)\n\n if (loc >= n) {\n if (loc != 0) {\n set = sk_X509_NAME_ENTRY_value(sk, loc - 1)->set + 1;\n } else {\n set = 0;\n }\n } else {\n set = sk_X509_NAME_ENTRY_value(sk, loc)->set;\n }\n }\n\n if ((new_name = X509_NAME_ENTRY_dup(entry)) == NULL) {\n goto err;\n }\n new_name->set = set;\n if (!sk_X509_NAME_ENTRY_insert(sk, new_name, loc)) {\n goto err;\n }\n if (inc) {\n n = (int)sk_X509_NAME_ENTRY_num(sk);\n for (i = loc + 1; i < n; i++) {\n sk_X509_NAME_ENTRY_value(sk, i)->set += 1;\n }\n }\n return 1;\nerr:\n if (new_name != NULL) {\n X509_NAME_ENTRY_free(new_name);\n }\n return 0;\n}\n\nX509_NAME_ENTRY *X509_NAME_ENTRY_create_by_txt(X509_NAME_ENTRY **ne,\n const char *field, int type,\n const unsigned char *bytes,\n ossl_ssize_t len) {\n ASN1_OBJECT *obj;\n X509_NAME_ENTRY *nentry;\n\n obj = OBJ_txt2obj(field, 0);\n if (obj == NULL) {\n OPENSSL_PUT_ERROR(X509, X509_R_INVALID_FIELD_NAME);\n ERR_add_error_data(2, \"name=\", field);\n return NULL;\n }\n nentry = X509_NAME_ENTRY_create_by_OBJ(ne, obj, type, bytes, len);\n ASN1_OBJECT_free(obj);\n return nentry;\n}\n\nX509_NAME_ENTRY *X509_NAME_ENTRY_create_by_NID(X509_NAME_ENTRY **ne, int nid,\n int type,\n const unsigned char *bytes,\n ossl_ssize_t len) {\n const ASN1_OBJECT *obj = OBJ_nid2obj(nid);\n if (obj == NULL) {\n OPENSSL_PUT_ERROR(X509, X509_R_UNKNOWN_NID);\n return NULL;\n }\n return X509_NAME_ENTRY_create_by_OBJ(ne, obj, type, bytes, len);\n}\n\nX509_NAME_ENTRY *X509_NAME_ENTRY_create_by_OBJ(X509_NAME_ENTRY **ne,\n const ASN1_OBJECT *obj, int type,\n const unsigned char *bytes,\n ossl_ssize_t len) {\n X509_NAME_ENTRY *ret;\n\n if ((ne == NULL) || (*ne == NULL)) {\n if ((ret = X509_NAME_ENTRY_new()) == NULL) {\n return NULL;\n }\n } else {\n ret = *ne;\n }\n\n if (!X509_NAME_ENTRY_set_object(ret, obj)) {\n goto err;\n }\n if (!X509_NAME_ENTRY_set_data(ret, type, bytes, len)) {\n goto err;\n }\n\n if ((ne != NULL) && (*ne == NULL)) {\n *ne = ret;\n }\n return ret;\nerr:\n if ((ne == NULL) || (ret != *ne)) {\n X509_NAME_ENTRY_free(ret);\n }\n return NULL;\n}\n\nint X509_NAME_ENTRY_set_object(X509_NAME_ENTRY *ne, const ASN1_OBJECT *obj) {\n if ((ne == NULL) || (obj == NULL)) {\n OPENSSL_PUT_ERROR(X509, ERR_R_PASSED_NULL_PARAMETER);\n return 0;\n }\n ASN1_OBJECT_free(ne->object);\n ne->object = OBJ_dup(obj);\n return ((ne->object == NULL) ? 0 : 1);\n}\n\nint X509_NAME_ENTRY_set_data(X509_NAME_ENTRY *ne, int type,\n const unsigned char *bytes, ossl_ssize_t len) {\n if ((ne == NULL) || ((bytes == NULL) && (len != 0))) {\n return 0;\n }\n if ((type > 0) && (type & MBSTRING_FLAG)) {\n return ASN1_STRING_set_by_NID(&ne->value, bytes, len, type,\n OBJ_obj2nid(ne->object))\n ? 1\n : 0;\n }\n if (len < 0) {\n len = strlen((const char *)bytes);\n }\n if (!ASN1_STRING_set(ne->value, bytes, len)) {\n return 0;\n }\n if (type != V_ASN1_UNDEF) {\n ne->value->type = type;\n }\n return 1;\n}\n\nASN1_OBJECT *X509_NAME_ENTRY_get_object(const X509_NAME_ENTRY *ne) {\n if (ne == NULL) {\n return NULL;\n }\n return ne->object;\n}\n\nASN1_STRING *X509_NAME_ENTRY_get_data(const X509_NAME_ENTRY *ne) {\n if (ne == NULL) {\n return NULL;\n }\n return ne->value;\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/x509/x509rset.cc", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n#include \n#include \n#include \n\n#include \"internal.h\"\n\n\nint X509_REQ_set_version(X509_REQ *x, long version) {\n if (x == NULL) {\n return 0;\n }\n if (version != X509_REQ_VERSION_1) {\n OPENSSL_PUT_ERROR(X509, X509_R_INVALID_VERSION);\n return 0;\n }\n return ASN1_INTEGER_set_int64(x->req_info->version, version);\n}\n\nint X509_REQ_set_subject_name(X509_REQ *x, X509_NAME *name) {\n if ((x == NULL) || (x->req_info == NULL)) {\n return 0;\n }\n return (X509_NAME_set(&x->req_info->subject, name));\n}\n\nint X509_REQ_set_pubkey(X509_REQ *x, EVP_PKEY *pkey) {\n if ((x == NULL) || (x->req_info == NULL)) {\n return 0;\n }\n return (X509_PUBKEY_set(&x->req_info->pubkey, pkey));\n}\n\nint X509_REQ_set1_signature_algo(X509_REQ *req, const X509_ALGOR *algo) {\n X509_ALGOR *copy = X509_ALGOR_dup(algo);\n if (copy == NULL) {\n return 0;\n }\n\n X509_ALGOR_free(req->sig_alg);\n req->sig_alg = copy;\n return 1;\n}\n\nint X509_REQ_set1_signature_value(X509_REQ *req, const uint8_t *sig,\n size_t sig_len) {\n if (!ASN1_STRING_set(req->signature, sig, sig_len)) {\n return 0;\n }\n req->signature->flags &= ~(ASN1_STRING_FLAG_BITS_LEFT | 0x07);\n req->signature->flags |= ASN1_STRING_FLAG_BITS_LEFT;\n return 1;\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/x509/x509spki.cc", "content": "/*\n * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n#include \n#include \n#include \n\nint NETSCAPE_SPKI_set_pubkey(NETSCAPE_SPKI *x, EVP_PKEY *pkey) {\n if ((x == NULL) || (x->spkac == NULL)) {\n return 0;\n }\n return (X509_PUBKEY_set(&(x->spkac->pubkey), pkey));\n}\n\nEVP_PKEY *NETSCAPE_SPKI_get_pubkey(const NETSCAPE_SPKI *x) {\n if ((x == NULL) || (x->spkac == NULL)) {\n return NULL;\n }\n return (X509_PUBKEY_get(x->spkac->pubkey));\n}\n\n// Load a Netscape SPKI from a base64 encoded string\n\nNETSCAPE_SPKI *NETSCAPE_SPKI_b64_decode(const char *str, ossl_ssize_t len) {\n unsigned char *spki_der;\n const unsigned char *p;\n size_t spki_len;\n NETSCAPE_SPKI *spki;\n if (len <= 0) {\n len = strlen(str);\n }\n if (!EVP_DecodedLength(&spki_len, len)) {\n OPENSSL_PUT_ERROR(X509, X509_R_BASE64_DECODE_ERROR);\n return NULL;\n }\n if (!(spki_der = reinterpret_cast(OPENSSL_malloc(spki_len)))) {\n return NULL;\n }\n if (!EVP_DecodeBase64(spki_der, &spki_len, spki_len, (const uint8_t *)str,\n len)) {\n OPENSSL_PUT_ERROR(X509, X509_R_BASE64_DECODE_ERROR);\n OPENSSL_free(spki_der);\n return NULL;\n }\n p = spki_der;\n spki = d2i_NETSCAPE_SPKI(NULL, &p, spki_len);\n OPENSSL_free(spki_der);\n return spki;\n}\n\n// Generate a base64 encoded string from an SPKI\n\nchar *NETSCAPE_SPKI_b64_encode(NETSCAPE_SPKI *spki) {\n unsigned char *der_spki, *p;\n char *b64_str;\n size_t b64_len;\n int der_len;\n der_len = i2d_NETSCAPE_SPKI(spki, NULL);\n if (!EVP_EncodedLength(&b64_len, der_len)) {\n OPENSSL_PUT_ERROR(X509, ERR_R_OVERFLOW);\n return NULL;\n }\n der_spki = reinterpret_cast(OPENSSL_malloc(der_len));\n if (der_spki == NULL) {\n return NULL;\n }\n b64_str = reinterpret_cast(OPENSSL_malloc(b64_len));\n if (b64_str == NULL) {\n OPENSSL_free(der_spki);\n return NULL;\n }\n p = der_spki;\n i2d_NETSCAPE_SPKI(spki, &p);\n EVP_EncodeBlock((unsigned char *)b64_str, der_spki, der_len);\n OPENSSL_free(der_spki);\n return b64_str;\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/x509/x_algor.cc", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n#include \n#include \n#include \n\n#include \"../asn1/internal.h\"\n\n\nASN1_SEQUENCE(X509_ALGOR) = {\n ASN1_SIMPLE(X509_ALGOR, algorithm, ASN1_OBJECT),\n ASN1_OPT(X509_ALGOR, parameter, ASN1_ANY),\n} ASN1_SEQUENCE_END(X509_ALGOR)\n\nIMPLEMENT_ASN1_FUNCTIONS_const(X509_ALGOR)\nIMPLEMENT_ASN1_DUP_FUNCTION_const(X509_ALGOR)\n\nint X509_ALGOR_set0(X509_ALGOR *alg, ASN1_OBJECT *aobj, int ptype, void *pval) {\n if (!alg) {\n return 0;\n }\n if (ptype != V_ASN1_UNDEF) {\n if (alg->parameter == NULL) {\n alg->parameter = ASN1_TYPE_new();\n }\n if (alg->parameter == NULL) {\n return 0;\n }\n }\n if (alg) {\n ASN1_OBJECT_free(alg->algorithm);\n alg->algorithm = aobj;\n }\n if (ptype == 0) {\n return 1;\n }\n if (ptype == V_ASN1_UNDEF) {\n if (alg->parameter) {\n ASN1_TYPE_free(alg->parameter);\n alg->parameter = NULL;\n }\n } else {\n ASN1_TYPE_set(alg->parameter, ptype, pval);\n }\n return 1;\n}\n\nvoid X509_ALGOR_get0(const ASN1_OBJECT **out_obj, int *out_param_type,\n const void **out_param_value, const X509_ALGOR *alg) {\n if (out_obj != NULL) {\n *out_obj = alg->algorithm;\n }\n if (out_param_type != NULL) {\n int type = V_ASN1_UNDEF;\n const void *value = NULL;\n if (alg->parameter != NULL) {\n type = alg->parameter->type;\n value = asn1_type_value_as_pointer(alg->parameter);\n }\n *out_param_type = type;\n if (out_param_value != NULL) {\n *out_param_value = value;\n }\n }\n}\n\n// Set up an X509_ALGOR DigestAlgorithmIdentifier from an EVP_MD\n\nint X509_ALGOR_set_md(X509_ALGOR *alg, const EVP_MD *md) {\n int param_type;\n\n if (EVP_MD_flags(md) & EVP_MD_FLAG_DIGALGID_ABSENT) {\n param_type = V_ASN1_UNDEF;\n } else {\n param_type = V_ASN1_NULL;\n }\n\n return X509_ALGOR_set0(alg, OBJ_nid2obj(EVP_MD_type(md)), param_type, NULL);\n}\n\n// X509_ALGOR_cmp returns 0 if |a| and |b| are equal and non-zero otherwise.\nint X509_ALGOR_cmp(const X509_ALGOR *a, const X509_ALGOR *b) {\n int rv;\n rv = OBJ_cmp(a->algorithm, b->algorithm);\n if (rv) {\n return rv;\n }\n if (!a->parameter && !b->parameter) {\n return 0;\n }\n return ASN1_TYPE_cmp(a->parameter, b->parameter);\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/x509/x_all.cc", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n\n#include \n#include \n#include \n#include \n#include \n#include \n#include \n\n#include \"../asn1/internal.h\"\n#include \"internal.h\"\n\n\nint X509_verify(X509 *x509, EVP_PKEY *pkey) {\n if (X509_ALGOR_cmp(x509->sig_alg, x509->cert_info->signature)) {\n OPENSSL_PUT_ERROR(X509, X509_R_SIGNATURE_ALGORITHM_MISMATCH);\n return 0;\n }\n return ASN1_item_verify(ASN1_ITEM_rptr(X509_CINF), x509->sig_alg,\n x509->signature, x509->cert_info, pkey);\n}\n\nint X509_REQ_verify(X509_REQ *req, EVP_PKEY *pkey) {\n return ASN1_item_verify(ASN1_ITEM_rptr(X509_REQ_INFO), req->sig_alg,\n req->signature, req->req_info, pkey);\n}\n\nint X509_sign(X509 *x, EVP_PKEY *pkey, const EVP_MD *md) {\n asn1_encoding_clear(&x->cert_info->enc);\n return (ASN1_item_sign(ASN1_ITEM_rptr(X509_CINF), x->cert_info->signature,\n x->sig_alg, x->signature, x->cert_info, pkey, md));\n}\n\nint X509_sign_ctx(X509 *x, EVP_MD_CTX *ctx) {\n asn1_encoding_clear(&x->cert_info->enc);\n return ASN1_item_sign_ctx(ASN1_ITEM_rptr(X509_CINF), x->cert_info->signature,\n x->sig_alg, x->signature, x->cert_info, ctx);\n}\n\nint X509_REQ_sign(X509_REQ *x, EVP_PKEY *pkey, const EVP_MD *md) {\n asn1_encoding_clear(&x->req_info->enc);\n return (ASN1_item_sign(ASN1_ITEM_rptr(X509_REQ_INFO), x->sig_alg, NULL,\n x->signature, x->req_info, pkey, md));\n}\n\nint X509_REQ_sign_ctx(X509_REQ *x, EVP_MD_CTX *ctx) {\n asn1_encoding_clear(&x->req_info->enc);\n return ASN1_item_sign_ctx(ASN1_ITEM_rptr(X509_REQ_INFO), x->sig_alg, NULL,\n x->signature, x->req_info, ctx);\n}\n\nint X509_CRL_sign(X509_CRL *x, EVP_PKEY *pkey, const EVP_MD *md) {\n asn1_encoding_clear(&x->crl->enc);\n return (ASN1_item_sign(ASN1_ITEM_rptr(X509_CRL_INFO), x->crl->sig_alg,\n x->sig_alg, x->signature, x->crl, pkey, md));\n}\n\nint X509_CRL_sign_ctx(X509_CRL *x, EVP_MD_CTX *ctx) {\n asn1_encoding_clear(&x->crl->enc);\n return ASN1_item_sign_ctx(ASN1_ITEM_rptr(X509_CRL_INFO), x->crl->sig_alg,\n x->sig_alg, x->signature, x->crl, ctx);\n}\n\nint NETSCAPE_SPKI_sign(NETSCAPE_SPKI *x, EVP_PKEY *pkey, const EVP_MD *md) {\n return (ASN1_item_sign(ASN1_ITEM_rptr(NETSCAPE_SPKAC), x->sig_algor, NULL,\n x->signature, x->spkac, pkey, md));\n}\n\nint NETSCAPE_SPKI_verify(NETSCAPE_SPKI *spki, EVP_PKEY *pkey) {\n return (ASN1_item_verify(ASN1_ITEM_rptr(NETSCAPE_SPKAC), spki->sig_algor,\n spki->signature, spki->spkac, pkey));\n}\n\nX509_CRL *d2i_X509_CRL_fp(FILE *fp, X509_CRL **crl) {\n return reinterpret_cast(\n ASN1_item_d2i_fp(ASN1_ITEM_rptr(X509_CRL), fp, crl));\n}\n\nint i2d_X509_CRL_fp(FILE *fp, X509_CRL *crl) {\n return ASN1_item_i2d_fp(ASN1_ITEM_rptr(X509_CRL), fp, crl);\n}\n\nX509_CRL *d2i_X509_CRL_bio(BIO *bp, X509_CRL **crl) {\n return reinterpret_cast(\n ASN1_item_d2i_bio(ASN1_ITEM_rptr(X509_CRL), bp, crl));\n}\n\nint i2d_X509_CRL_bio(BIO *bp, X509_CRL *crl) {\n return ASN1_item_i2d_bio(ASN1_ITEM_rptr(X509_CRL), bp, crl);\n}\n\nX509_REQ *d2i_X509_REQ_fp(FILE *fp, X509_REQ **req) {\n return reinterpret_cast(\n ASN1_item_d2i_fp(ASN1_ITEM_rptr(X509_REQ), fp, req));\n}\n\nint i2d_X509_REQ_fp(FILE *fp, X509_REQ *req) {\n return ASN1_item_i2d_fp(ASN1_ITEM_rptr(X509_REQ), fp, req);\n}\n\nX509_REQ *d2i_X509_REQ_bio(BIO *bp, X509_REQ **req) {\n return reinterpret_cast(\n ASN1_item_d2i_bio(ASN1_ITEM_rptr(X509_REQ), bp, req));\n}\n\nint i2d_X509_REQ_bio(BIO *bp, X509_REQ *req) {\n return ASN1_item_i2d_bio(ASN1_ITEM_rptr(X509_REQ), bp, req);\n}\n\n\n#define IMPLEMENT_D2I_FP(type, name, bio_func) \\\n type *name(FILE *fp, type **obj) { \\\n BIO *bio = BIO_new_fp(fp, BIO_NOCLOSE); \\\n if (bio == NULL) { \\\n return NULL; \\\n } \\\n type *ret = bio_func(bio, obj); \\\n BIO_free(bio); \\\n return ret; \\\n }\n\n#define IMPLEMENT_I2D_FP(type, name, bio_func) \\\n int name(FILE *fp, type *obj) { \\\n BIO *bio = BIO_new_fp(fp, BIO_NOCLOSE); \\\n if (bio == NULL) { \\\n return 0; \\\n } \\\n int ret = bio_func(bio, obj); \\\n BIO_free(bio); \\\n return ret; \\\n }\n\nIMPLEMENT_D2I_FP(X509, d2i_X509_fp, d2i_X509_bio)\nIMPLEMENT_I2D_FP(X509, i2d_X509_fp, i2d_X509_bio)\n\nIMPLEMENT_D2I_FP(RSA, d2i_RSAPrivateKey_fp, d2i_RSAPrivateKey_bio)\nIMPLEMENT_I2D_FP(RSA, i2d_RSAPrivateKey_fp, i2d_RSAPrivateKey_bio)\n\nIMPLEMENT_D2I_FP(RSA, d2i_RSAPublicKey_fp, d2i_RSAPublicKey_bio)\nIMPLEMENT_I2D_FP(RSA, i2d_RSAPublicKey_fp, i2d_RSAPublicKey_bio)\n\nIMPLEMENT_D2I_FP(RSA, d2i_RSA_PUBKEY_fp, d2i_RSA_PUBKEY_bio)\nIMPLEMENT_I2D_FP(RSA, i2d_RSA_PUBKEY_fp, i2d_RSA_PUBKEY_bio)\n\n#define IMPLEMENT_D2I_BIO(type, name, d2i_func) \\\n type *name(BIO *bio, type **obj) { \\\n uint8_t *data; \\\n size_t len; \\\n if (!BIO_read_asn1(bio, &data, &len, 100 * 1024)) { \\\n return NULL; \\\n } \\\n const uint8_t *ptr = data; \\\n type *ret = d2i_func(obj, &ptr, (long)len); \\\n OPENSSL_free(data); \\\n return ret; \\\n }\n\n#define IMPLEMENT_I2D_BIO(type, name, i2d_func) \\\n int name(BIO *bio, type *obj) { \\\n uint8_t *data = NULL; \\\n int len = i2d_func(obj, &data); \\\n if (len < 0) { \\\n return 0; \\\n } \\\n int ret = BIO_write_all(bio, data, len); \\\n OPENSSL_free(data); \\\n return ret; \\\n }\n\nIMPLEMENT_D2I_BIO(X509, d2i_X509_bio, d2i_X509)\nIMPLEMENT_I2D_BIO(X509, i2d_X509_bio, i2d_X509)\n\nIMPLEMENT_D2I_BIO(RSA, d2i_RSAPrivateKey_bio, d2i_RSAPrivateKey)\nIMPLEMENT_I2D_BIO(RSA, i2d_RSAPrivateKey_bio, i2d_RSAPrivateKey)\n\nIMPLEMENT_D2I_BIO(RSA, d2i_RSAPublicKey_bio, d2i_RSAPublicKey)\nIMPLEMENT_I2D_BIO(RSA, i2d_RSAPublicKey_bio, i2d_RSAPublicKey)\n\nIMPLEMENT_D2I_BIO(RSA, d2i_RSA_PUBKEY_bio, d2i_RSA_PUBKEY)\nIMPLEMENT_I2D_BIO(RSA, i2d_RSA_PUBKEY_bio, i2d_RSA_PUBKEY)\n\nIMPLEMENT_D2I_FP(DSA, d2i_DSAPrivateKey_fp, d2i_DSAPrivateKey_bio)\nIMPLEMENT_I2D_FP(DSA, i2d_DSAPrivateKey_fp, i2d_DSAPrivateKey_bio)\n\nIMPLEMENT_D2I_FP(DSA, d2i_DSA_PUBKEY_fp, d2i_DSA_PUBKEY_bio)\nIMPLEMENT_I2D_FP(DSA, i2d_DSA_PUBKEY_fp, i2d_DSA_PUBKEY_bio)\n\nIMPLEMENT_D2I_BIO(DSA, d2i_DSAPrivateKey_bio, d2i_DSAPrivateKey)\nIMPLEMENT_I2D_BIO(DSA, i2d_DSAPrivateKey_bio, i2d_DSAPrivateKey)\n\nIMPLEMENT_D2I_BIO(DSA, d2i_DSA_PUBKEY_bio, d2i_DSA_PUBKEY)\nIMPLEMENT_I2D_BIO(DSA, i2d_DSA_PUBKEY_bio, i2d_DSA_PUBKEY)\n\nIMPLEMENT_D2I_FP(EC_KEY, d2i_ECPrivateKey_fp, d2i_ECPrivateKey_bio)\nIMPLEMENT_I2D_FP(EC_KEY, i2d_ECPrivateKey_fp, i2d_ECPrivateKey_bio)\n\nIMPLEMENT_D2I_FP(EC_KEY, d2i_EC_PUBKEY_fp, d2i_EC_PUBKEY_bio)\nIMPLEMENT_I2D_FP(EC_KEY, i2d_EC_PUBKEY_fp, i2d_EC_PUBKEY_bio)\n\nIMPLEMENT_D2I_BIO(EC_KEY, d2i_ECPrivateKey_bio, d2i_ECPrivateKey)\nIMPLEMENT_I2D_BIO(EC_KEY, i2d_ECPrivateKey_bio, i2d_ECPrivateKey)\n\nIMPLEMENT_D2I_BIO(EC_KEY, d2i_EC_PUBKEY_bio, d2i_EC_PUBKEY)\nIMPLEMENT_I2D_BIO(EC_KEY, i2d_EC_PUBKEY_bio, i2d_EC_PUBKEY)\n\nint X509_pubkey_digest(const X509 *data, const EVP_MD *type, unsigned char *md,\n unsigned int *len) {\n ASN1_BIT_STRING *key;\n key = X509_get0_pubkey_bitstr(data);\n if (!key) {\n return 0;\n }\n return EVP_Digest(key->data, key->length, md, len, type, NULL);\n}\n\nint X509_digest(const X509 *x509, const EVP_MD *md, uint8_t *out,\n unsigned *out_len) {\n uint8_t *der = NULL;\n // TODO(https://crbug.com/boringssl/407): This function is not const-correct.\n int der_len = i2d_X509((X509 *)x509, &der);\n if (der_len < 0) {\n return 0;\n }\n\n int ret = EVP_Digest(der, der_len, out, out_len, md, NULL);\n OPENSSL_free(der);\n return ret;\n}\n\nint X509_CRL_digest(const X509_CRL *data, const EVP_MD *type, unsigned char *md,\n unsigned int *len) {\n return (\n ASN1_item_digest(ASN1_ITEM_rptr(X509_CRL), type, (char *)data, md, len));\n}\n\nint X509_REQ_digest(const X509_REQ *data, const EVP_MD *type, unsigned char *md,\n unsigned int *len) {\n return (\n ASN1_item_digest(ASN1_ITEM_rptr(X509_REQ), type, (char *)data, md, len));\n}\n\nint X509_NAME_digest(const X509_NAME *data, const EVP_MD *type,\n unsigned char *md, unsigned int *len) {\n return (\n ASN1_item_digest(ASN1_ITEM_rptr(X509_NAME), type, (char *)data, md, len));\n}\n\nIMPLEMENT_D2I_FP(X509_SIG, d2i_PKCS8_fp, d2i_PKCS8_bio)\nIMPLEMENT_I2D_FP(X509_SIG, i2d_PKCS8_fp, i2d_PKCS8_bio)\n\nIMPLEMENT_D2I_BIO(X509_SIG, d2i_PKCS8_bio, d2i_X509_SIG)\nIMPLEMENT_I2D_BIO(X509_SIG, i2d_PKCS8_bio, i2d_X509_SIG)\n\nIMPLEMENT_D2I_FP(PKCS8_PRIV_KEY_INFO, d2i_PKCS8_PRIV_KEY_INFO_fp,\n d2i_PKCS8_PRIV_KEY_INFO_bio)\nIMPLEMENT_I2D_FP(PKCS8_PRIV_KEY_INFO, i2d_PKCS8_PRIV_KEY_INFO_fp,\n i2d_PKCS8_PRIV_KEY_INFO_bio)\n\nint i2d_PKCS8PrivateKeyInfo_fp(FILE *fp, EVP_PKEY *key) {\n PKCS8_PRIV_KEY_INFO *p8inf;\n int ret;\n p8inf = EVP_PKEY2PKCS8(key);\n if (!p8inf) {\n return 0;\n }\n ret = i2d_PKCS8_PRIV_KEY_INFO_fp(fp, p8inf);\n PKCS8_PRIV_KEY_INFO_free(p8inf);\n return ret;\n}\n\nIMPLEMENT_D2I_FP(EVP_PKEY, d2i_PrivateKey_fp, d2i_PrivateKey_bio)\nIMPLEMENT_I2D_FP(EVP_PKEY, i2d_PrivateKey_fp, i2d_PrivateKey_bio)\n\nIMPLEMENT_D2I_FP(EVP_PKEY, d2i_PUBKEY_fp, d2i_PUBKEY_bio)\nIMPLEMENT_I2D_FP(EVP_PKEY, i2d_PUBKEY_fp, i2d_PUBKEY_bio)\n\nIMPLEMENT_D2I_BIO(PKCS8_PRIV_KEY_INFO, d2i_PKCS8_PRIV_KEY_INFO_bio,\n d2i_PKCS8_PRIV_KEY_INFO)\nIMPLEMENT_I2D_BIO(PKCS8_PRIV_KEY_INFO, i2d_PKCS8_PRIV_KEY_INFO_bio,\n i2d_PKCS8_PRIV_KEY_INFO)\n\nint i2d_PKCS8PrivateKeyInfo_bio(BIO *bp, EVP_PKEY *key) {\n PKCS8_PRIV_KEY_INFO *p8inf;\n int ret;\n p8inf = EVP_PKEY2PKCS8(key);\n if (!p8inf) {\n return 0;\n }\n ret = i2d_PKCS8_PRIV_KEY_INFO_bio(bp, p8inf);\n PKCS8_PRIV_KEY_INFO_free(p8inf);\n return ret;\n}\n\nIMPLEMENT_D2I_BIO(EVP_PKEY, d2i_PrivateKey_bio, d2i_AutoPrivateKey)\nIMPLEMENT_I2D_BIO(EVP_PKEY, i2d_PrivateKey_bio, i2d_PrivateKey)\n\nIMPLEMENT_D2I_BIO(EVP_PKEY, d2i_PUBKEY_bio, d2i_PUBKEY)\nIMPLEMENT_I2D_BIO(EVP_PKEY, i2d_PUBKEY_bio, i2d_PUBKEY)\n\nIMPLEMENT_D2I_BIO(DH, d2i_DHparams_bio, d2i_DHparams)\nIMPLEMENT_I2D_BIO(const DH, i2d_DHparams_bio, i2d_DHparams)\n" }, { "path": "Sources/CNIOBoringSSL/crypto/x509/x_attrib.cc", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n#include \n#include \n#include \n\n#include \"internal.h\"\n\n\nASN1_SEQUENCE(X509_ATTRIBUTE) = {\n ASN1_SIMPLE(X509_ATTRIBUTE, object, ASN1_OBJECT),\n ASN1_SET_OF(X509_ATTRIBUTE, set, ASN1_ANY),\n} ASN1_SEQUENCE_END(X509_ATTRIBUTE)\n\nIMPLEMENT_ASN1_FUNCTIONS_const(X509_ATTRIBUTE)\nIMPLEMENT_ASN1_DUP_FUNCTION_const(X509_ATTRIBUTE)\n\nX509_ATTRIBUTE *X509_ATTRIBUTE_create(int nid, int attrtype, void *value) {\n ASN1_OBJECT *obj = OBJ_nid2obj(nid);\n if (obj == NULL) {\n return NULL;\n }\n\n X509_ATTRIBUTE *ret = X509_ATTRIBUTE_new();\n ASN1_TYPE *val = ASN1_TYPE_new();\n if (ret == NULL || val == NULL) {\n goto err;\n }\n\n ret->object = obj;\n if (!sk_ASN1_TYPE_push(ret->set, val)) {\n goto err;\n }\n\n ASN1_TYPE_set(val, attrtype, value);\n return ret;\n\nerr:\n X509_ATTRIBUTE_free(ret);\n ASN1_TYPE_free(val);\n return NULL;\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/x509/x_crl.cc", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n\n#include \n\n#include \"../asn1/internal.h\"\n#include \"../internal.h\"\n#include \"internal.h\"\n\nstatic int X509_REVOKED_cmp(const X509_REVOKED *const *a,\n const X509_REVOKED *const *b);\nstatic int setup_idp(X509_CRL *crl, ISSUING_DIST_POINT *idp);\n\nASN1_SEQUENCE(X509_REVOKED) = {\n ASN1_SIMPLE(X509_REVOKED, serialNumber, ASN1_INTEGER),\n ASN1_SIMPLE(X509_REVOKED, revocationDate, ASN1_TIME),\n ASN1_SEQUENCE_OF_OPT(X509_REVOKED, extensions, X509_EXTENSION),\n} ASN1_SEQUENCE_END(X509_REVOKED)\n\nstatic int crl_lookup(X509_CRL *crl, X509_REVOKED **ret,\n const ASN1_INTEGER *serial, X509_NAME *issuer);\n\n// The X509_CRL_INFO structure needs a bit of customisation. Since we cache\n// the original encoding the signature wont be affected by reordering of the\n// revoked field.\nstatic int crl_inf_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,\n void *exarg) {\n X509_CRL_INFO *a = (X509_CRL_INFO *)*pval;\n\n if (!a || !a->revoked) {\n return 1;\n }\n switch (operation) {\n // Just set cmp function here. We don't sort because that would\n // affect the output of X509_CRL_print().\n case ASN1_OP_D2I_POST:\n (void)sk_X509_REVOKED_set_cmp_func(a->revoked, X509_REVOKED_cmp);\n break;\n }\n return 1;\n}\n\n\nASN1_SEQUENCE_enc(X509_CRL_INFO, enc, crl_inf_cb) = {\n ASN1_OPT(X509_CRL_INFO, version, ASN1_INTEGER),\n ASN1_SIMPLE(X509_CRL_INFO, sig_alg, X509_ALGOR),\n ASN1_SIMPLE(X509_CRL_INFO, issuer, X509_NAME),\n ASN1_SIMPLE(X509_CRL_INFO, lastUpdate, ASN1_TIME),\n ASN1_OPT(X509_CRL_INFO, nextUpdate, ASN1_TIME),\n ASN1_SEQUENCE_OF_OPT(X509_CRL_INFO, revoked, X509_REVOKED),\n ASN1_EXP_SEQUENCE_OF_OPT(X509_CRL_INFO, extensions, X509_EXTENSION, 0),\n} ASN1_SEQUENCE_END_enc(X509_CRL_INFO, X509_CRL_INFO)\n\nstatic int crl_parse_entry_extensions(X509_CRL *crl) {\n STACK_OF(X509_REVOKED) *revoked = X509_CRL_get_REVOKED(crl);\n for (size_t i = 0; i < sk_X509_REVOKED_num(revoked); i++) {\n X509_REVOKED *rev = sk_X509_REVOKED_value(revoked, i);\n\n int crit;\n ASN1_ENUMERATED *reason = reinterpret_cast(\n X509_REVOKED_get_ext_d2i(rev, NID_crl_reason, &crit, NULL));\n if (!reason && crit != -1) {\n crl->flags |= EXFLAG_INVALID;\n return 1;\n }\n\n if (reason) {\n rev->reason = ASN1_ENUMERATED_get(reason);\n ASN1_ENUMERATED_free(reason);\n } else {\n rev->reason = CRL_REASON_NONE;\n }\n\n // We do not support any critical CRL entry extensions.\n const STACK_OF(X509_EXTENSION) *exts = rev->extensions;\n for (size_t j = 0; j < sk_X509_EXTENSION_num(exts); j++) {\n const X509_EXTENSION *ext = sk_X509_EXTENSION_value(exts, j);\n if (X509_EXTENSION_get_critical(ext)) {\n crl->flags |= EXFLAG_CRITICAL;\n break;\n }\n }\n }\n\n return 1;\n}\n\n// The X509_CRL structure needs a bit of customisation. Cache some extensions\n// and hash of the whole CRL.\nstatic int crl_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,\n void *exarg) {\n X509_CRL *crl = (X509_CRL *)*pval;\n int i;\n\n switch (operation) {\n case ASN1_OP_NEW_POST:\n crl->idp = NULL;\n crl->akid = NULL;\n crl->flags = 0;\n crl->idp_flags = 0;\n break;\n\n case ASN1_OP_D2I_POST: {\n // The version must be one of v1(0) or v2(1).\n long version = X509_CRL_VERSION_1;\n if (crl->crl->version != NULL) {\n version = ASN1_INTEGER_get(crl->crl->version);\n // TODO(https://crbug.com/boringssl/364): |X509_CRL_VERSION_1|\n // should also be rejected. This means an explicitly-encoded X.509v1\n // version. v1 is DEFAULT, so DER requires it be omitted.\n if (version < X509_CRL_VERSION_1 || version > X509_CRL_VERSION_2) {\n OPENSSL_PUT_ERROR(X509, X509_R_INVALID_VERSION);\n return 0;\n }\n }\n\n // Per RFC 5280, section 5.1.2.1, extensions require v2.\n if (version != X509_CRL_VERSION_2 && crl->crl->extensions != NULL) {\n OPENSSL_PUT_ERROR(X509, X509_R_INVALID_FIELD_FOR_VERSION);\n return 0;\n }\n\n if (!X509_CRL_digest(crl, EVP_sha256(), crl->crl_hash, NULL)) {\n return 0;\n }\n\n crl->idp = reinterpret_cast(\n X509_CRL_get_ext_d2i(crl, NID_issuing_distribution_point, &i, NULL));\n if (crl->idp != NULL) {\n if (!setup_idp(crl, crl->idp)) {\n return 0;\n }\n } else if (i != -1) {\n return 0;\n }\n\n crl->akid = reinterpret_cast(\n X509_CRL_get_ext_d2i(crl, NID_authority_key_identifier, &i, NULL));\n if (crl->akid == NULL && i != -1) {\n return 0;\n }\n\n // See if we have any unhandled critical CRL extensions and indicate\n // this in a flag. We only currently handle IDP so anything else\n // critical sets the flag. This code accesses the X509_CRL structure\n // directly: applications shouldn't do this.\n const STACK_OF(X509_EXTENSION) *exts = crl->crl->extensions;\n for (size_t idx = 0; idx < sk_X509_EXTENSION_num(exts); idx++) {\n const X509_EXTENSION *ext = sk_X509_EXTENSION_value(exts, idx);\n int nid = OBJ_obj2nid(X509_EXTENSION_get_object(ext));\n if (X509_EXTENSION_get_critical(ext)) {\n if (nid == NID_issuing_distribution_point ||\n nid == NID_authority_key_identifier) {\n continue;\n }\n crl->flags |= EXFLAG_CRITICAL;\n break;\n }\n }\n\n if (!crl_parse_entry_extensions(crl)) {\n return 0;\n }\n\n break;\n }\n\n case ASN1_OP_FREE_POST:\n AUTHORITY_KEYID_free(crl->akid);\n ISSUING_DIST_POINT_free(crl->idp);\n break;\n }\n return 1;\n}\n\n// Convert IDP into a more convenient form\n//\n// TODO(davidben): Each of these flags are already booleans, so this is not\n// really more convenient. We can probably remove |idp_flags|.\nstatic int setup_idp(X509_CRL *crl, ISSUING_DIST_POINT *idp) {\n int idp_only = 0;\n // Set various flags according to IDP\n crl->idp_flags |= IDP_PRESENT;\n if (idp->onlyuser > 0) {\n idp_only++;\n crl->idp_flags |= IDP_ONLYUSER;\n }\n if (idp->onlyCA > 0) {\n idp_only++;\n crl->idp_flags |= IDP_ONLYCA;\n }\n if (idp->onlyattr > 0) {\n idp_only++;\n crl->idp_flags |= IDP_ONLYATTR;\n }\n\n // Per RFC 5280, section 5.2.5, at most one of onlyContainsUserCerts,\n // onlyContainsCACerts, and onlyContainsAttributeCerts may be true.\n //\n // TODO(crbug.com/boringssl/443): Move this check to the |ISSUING_DIST_POINT|\n // parser.\n if (idp_only > 1) {\n crl->idp_flags |= IDP_INVALID;\n }\n\n if (idp->indirectCRL > 0) {\n crl->idp_flags |= IDP_INDIRECT;\n }\n\n if (idp->onlysomereasons) {\n crl->idp_flags |= IDP_REASONS;\n }\n\n // TODO(davidben): The new verifier does not support nameRelativeToCRLIssuer.\n // Remove this?\n return DIST_POINT_set_dpname(idp->distpoint, X509_CRL_get_issuer(crl));\n}\n\nASN1_SEQUENCE_ref(X509_CRL, crl_cb) = {\n ASN1_SIMPLE(X509_CRL, crl, X509_CRL_INFO),\n ASN1_SIMPLE(X509_CRL, sig_alg, X509_ALGOR),\n ASN1_SIMPLE(X509_CRL, signature, ASN1_BIT_STRING),\n} ASN1_SEQUENCE_END_ref(X509_CRL, X509_CRL)\n\n// Although |X509_REVOKED| contains an |X509_NAME|, it can be const. It is not\n// affected by https://crbug.com/boringssl/407 because the |X509_NAME| does\n// not participate in serialization.\nIMPLEMENT_ASN1_FUNCTIONS_const(X509_REVOKED)\nIMPLEMENT_ASN1_DUP_FUNCTION_const(X509_REVOKED)\n\nIMPLEMENT_ASN1_FUNCTIONS(X509_CRL_INFO)\nIMPLEMENT_ASN1_FUNCTIONS(X509_CRL)\nIMPLEMENT_ASN1_DUP_FUNCTION(X509_CRL)\n\nstatic int X509_REVOKED_cmp(const X509_REVOKED *const *a,\n const X509_REVOKED *const *b) {\n return ASN1_STRING_cmp((*a)->serialNumber, (*b)->serialNumber);\n}\n\nint X509_CRL_add0_revoked(X509_CRL *crl, X509_REVOKED *rev) {\n X509_CRL_INFO *inf;\n inf = crl->crl;\n if (!inf->revoked) {\n inf->revoked = sk_X509_REVOKED_new(X509_REVOKED_cmp);\n }\n if (!inf->revoked || !sk_X509_REVOKED_push(inf->revoked, rev)) {\n return 0;\n }\n asn1_encoding_clear(&inf->enc);\n return 1;\n}\n\nint X509_CRL_verify(X509_CRL *crl, EVP_PKEY *pkey) {\n if (X509_ALGOR_cmp(crl->sig_alg, crl->crl->sig_alg) != 0) {\n OPENSSL_PUT_ERROR(X509, X509_R_SIGNATURE_ALGORITHM_MISMATCH);\n return 0;\n }\n\n return ASN1_item_verify(ASN1_ITEM_rptr(X509_CRL_INFO), crl->sig_alg,\n crl->signature, crl->crl, pkey);\n}\n\nint X509_CRL_get0_by_serial(X509_CRL *crl, X509_REVOKED **ret,\n const ASN1_INTEGER *serial) {\n return crl_lookup(crl, ret, serial, NULL);\n}\n\nint X509_CRL_get0_by_cert(X509_CRL *crl, X509_REVOKED **ret, X509 *x) {\n return crl_lookup(crl, ret, X509_get_serialNumber(x),\n X509_get_issuer_name(x));\n}\n\nstatic int crl_revoked_issuer_match(X509_CRL *crl, X509_NAME *nm,\n X509_REVOKED *rev) {\n return nm == NULL || X509_NAME_cmp(nm, X509_CRL_get_issuer(crl)) == 0;\n}\n\nstatic CRYPTO_MUTEX g_crl_sort_lock = CRYPTO_MUTEX_INIT;\n\nstatic int crl_lookup(X509_CRL *crl, X509_REVOKED **ret,\n const ASN1_INTEGER *serial, X509_NAME *issuer) {\n // Use an assert, rather than a runtime error, because returning nothing for a\n // CRL is arguably failing open, rather than closed.\n assert(serial->type == V_ASN1_INTEGER || serial->type == V_ASN1_NEG_INTEGER);\n X509_REVOKED rtmp, *rev;\n size_t idx;\n rtmp.serialNumber = (ASN1_INTEGER *)serial;\n // Sort revoked into serial number order if not already sorted. Do this\n // under a lock to avoid race condition.\n\n CRYPTO_MUTEX_lock_read(&g_crl_sort_lock);\n const int is_sorted = sk_X509_REVOKED_is_sorted(crl->crl->revoked);\n CRYPTO_MUTEX_unlock_read(&g_crl_sort_lock);\n\n if (!is_sorted) {\n CRYPTO_MUTEX_lock_write(&g_crl_sort_lock);\n if (!sk_X509_REVOKED_is_sorted(crl->crl->revoked)) {\n sk_X509_REVOKED_sort(crl->crl->revoked);\n }\n CRYPTO_MUTEX_unlock_write(&g_crl_sort_lock);\n }\n\n if (!sk_X509_REVOKED_find(crl->crl->revoked, &idx, &rtmp)) {\n return 0;\n }\n // Need to look for matching name\n for (; idx < sk_X509_REVOKED_num(crl->crl->revoked); idx++) {\n rev = sk_X509_REVOKED_value(crl->crl->revoked, idx);\n if (ASN1_INTEGER_cmp(rev->serialNumber, serial)) {\n return 0;\n }\n if (crl_revoked_issuer_match(crl, issuer, rev)) {\n if (ret) {\n *ret = rev;\n }\n return 1;\n }\n }\n return 0;\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/x509/x_exten.cc", "content": "/*\n * Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n#include \n#include \n#include \n\n#include \"internal.h\"\n\n\nASN1_SEQUENCE(X509_EXTENSION) = {\n ASN1_SIMPLE(X509_EXTENSION, object, ASN1_OBJECT),\n ASN1_OPT(X509_EXTENSION, critical, ASN1_BOOLEAN),\n ASN1_SIMPLE(X509_EXTENSION, value, ASN1_OCTET_STRING),\n} ASN1_SEQUENCE_END(X509_EXTENSION)\n\nASN1_ITEM_TEMPLATE(X509_EXTENSIONS) =\n ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, Extension, X509_EXTENSION)\nASN1_ITEM_TEMPLATE_END(X509_EXTENSIONS)\n\nIMPLEMENT_ASN1_FUNCTIONS_const(X509_EXTENSION)\nIMPLEMENT_ASN1_ENCODE_FUNCTIONS_const_fname(X509_EXTENSIONS, X509_EXTENSIONS,\n X509_EXTENSIONS)\nIMPLEMENT_ASN1_DUP_FUNCTION_const(X509_EXTENSION)\n" }, { "path": "Sources/CNIOBoringSSL/crypto/x509/x_name.cc", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n#include \n\n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n\n#include \"../asn1/internal.h\"\n#include \"../internal.h\"\n#include \"internal.h\"\n\n\ntypedef STACK_OF(X509_NAME_ENTRY) STACK_OF_X509_NAME_ENTRY;\nDEFINE_STACK_OF(STACK_OF_X509_NAME_ENTRY)\n\n// Maximum length of X509_NAME: much larger than anything we should\n// ever see in practice.\n\n#define X509_NAME_MAX (1024 * 1024)\n\nstatic int x509_name_ex_d2i(ASN1_VALUE **val, const unsigned char **in,\n long len, const ASN1_ITEM *it, int opt,\n ASN1_TLC *ctx);\n\nstatic int x509_name_ex_i2d(ASN1_VALUE **val, unsigned char **out,\n const ASN1_ITEM *it);\nstatic int x509_name_ex_new(ASN1_VALUE **val, const ASN1_ITEM *it);\nstatic void x509_name_ex_free(ASN1_VALUE **val, const ASN1_ITEM *it);\n\nstatic int x509_name_encode(X509_NAME *a);\nstatic int x509_name_canon(X509_NAME *a);\nstatic int asn1_string_canon(ASN1_STRING *out, ASN1_STRING *in);\nstatic int i2d_name_canon(STACK_OF(STACK_OF_X509_NAME_ENTRY) *intname,\n unsigned char **in);\n\nASN1_SEQUENCE(X509_NAME_ENTRY) = {\n ASN1_SIMPLE(X509_NAME_ENTRY, object, ASN1_OBJECT),\n ASN1_SIMPLE(X509_NAME_ENTRY, value, ASN1_PRINTABLE),\n} ASN1_SEQUENCE_END(X509_NAME_ENTRY)\n\nIMPLEMENT_ASN1_ALLOC_FUNCTIONS(X509_NAME_ENTRY)\nIMPLEMENT_ASN1_DUP_FUNCTION_const(X509_NAME_ENTRY)\n\n// For the \"Name\" type we need a SEQUENCE OF { SET OF X509_NAME_ENTRY } so\n// declare two template wrappers for this\n\nASN1_ITEM_TEMPLATE(X509_NAME_ENTRIES) = ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SET_OF,\n 0, RDNS,\n X509_NAME_ENTRY)\nASN1_ITEM_TEMPLATE_END(X509_NAME_ENTRIES)\n\nASN1_ITEM_TEMPLATE(X509_NAME_INTERNAL) =\n ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, Name, X509_NAME_ENTRIES)\nASN1_ITEM_TEMPLATE_END(X509_NAME_INTERNAL)\n\n// Normally that's where it would end: we'd have two nested STACK structures\n// representing the ASN1. Unfortunately X509_NAME uses a completely different\n// form and caches encodings so we have to process the internal form and\n// convert to the external form.\n\nstatic const ASN1_EXTERN_FUNCS x509_name_ff = {\n x509_name_ex_new,\n x509_name_ex_free,\n x509_name_ex_d2i,\n x509_name_ex_i2d,\n};\n\nIMPLEMENT_EXTERN_ASN1(X509_NAME, V_ASN1_SEQUENCE, x509_name_ff)\n\nIMPLEMENT_ASN1_FUNCTIONS(X509_NAME)\n\nIMPLEMENT_ASN1_DUP_FUNCTION(X509_NAME)\n\nstatic int x509_name_ex_new(ASN1_VALUE **val, const ASN1_ITEM *it) {\n X509_NAME *ret = NULL;\n ret = reinterpret_cast(OPENSSL_malloc(sizeof(X509_NAME)));\n if (!ret) {\n goto memerr;\n }\n if ((ret->entries = sk_X509_NAME_ENTRY_new_null()) == NULL) {\n goto memerr;\n }\n if ((ret->bytes = BUF_MEM_new()) == NULL) {\n goto memerr;\n }\n ret->canon_enc = NULL;\n ret->canon_enclen = 0;\n ret->modified = 1;\n *val = (ASN1_VALUE *)ret;\n return 1;\n\nmemerr:\n if (ret) {\n if (ret->entries) {\n sk_X509_NAME_ENTRY_free(ret->entries);\n }\n OPENSSL_free(ret);\n }\n return 0;\n}\n\nstatic void x509_name_ex_free(ASN1_VALUE **pval, const ASN1_ITEM *it) {\n X509_NAME *a;\n if (!pval || !*pval) {\n return;\n }\n a = (X509_NAME *)*pval;\n\n BUF_MEM_free(a->bytes);\n sk_X509_NAME_ENTRY_pop_free(a->entries, X509_NAME_ENTRY_free);\n if (a->canon_enc) {\n OPENSSL_free(a->canon_enc);\n }\n OPENSSL_free(a);\n *pval = NULL;\n}\n\nstatic void local_sk_X509_NAME_ENTRY_free(STACK_OF(X509_NAME_ENTRY) *ne) {\n sk_X509_NAME_ENTRY_free(ne);\n}\n\nstatic void local_sk_X509_NAME_ENTRY_pop_free(STACK_OF(X509_NAME_ENTRY) *ne) {\n sk_X509_NAME_ENTRY_pop_free(ne, X509_NAME_ENTRY_free);\n}\n\nstatic int x509_name_ex_d2i(ASN1_VALUE **val, const unsigned char **in,\n long len, const ASN1_ITEM *it, int opt,\n ASN1_TLC *ctx) {\n const unsigned char *p = *in, *q;\n STACK_OF(STACK_OF_X509_NAME_ENTRY) *intname = NULL;\n X509_NAME *nm = NULL;\n size_t i, j;\n int ret;\n STACK_OF(X509_NAME_ENTRY) *entries;\n X509_NAME_ENTRY *entry;\n // Bound the size of an X509_NAME we are willing to parse.\n if (len > X509_NAME_MAX) {\n len = X509_NAME_MAX;\n }\n q = p;\n\n // Get internal representation of Name\n ASN1_VALUE *intname_val = NULL;\n ret = ASN1_item_ex_d2i(&intname_val, &p, len,\n ASN1_ITEM_rptr(X509_NAME_INTERNAL), /*tag=*/-1,\n /*aclass=*/0, opt, /*buf=*/NULL);\n if (ret <= 0) {\n return ret;\n }\n intname = (STACK_OF(STACK_OF_X509_NAME_ENTRY) *)intname_val;\n\n if (*val) {\n x509_name_ex_free(val, NULL);\n }\n ASN1_VALUE *nm_val = NULL;\n if (!x509_name_ex_new(&nm_val, NULL)) {\n goto err;\n }\n nm = (X509_NAME *)nm_val;\n // We've decoded it: now cache encoding\n if (!BUF_MEM_grow(nm->bytes, p - q)) {\n goto err;\n }\n OPENSSL_memcpy(nm->bytes->data, q, p - q);\n\n // Convert internal representation to X509_NAME structure\n for (i = 0; i < sk_STACK_OF_X509_NAME_ENTRY_num(intname); i++) {\n entries = sk_STACK_OF_X509_NAME_ENTRY_value(intname, i);\n for (j = 0; j < sk_X509_NAME_ENTRY_num(entries); j++) {\n entry = sk_X509_NAME_ENTRY_value(entries, j);\n entry->set = (int)i;\n if (!sk_X509_NAME_ENTRY_push(nm->entries, entry)) {\n goto err;\n }\n (void)sk_X509_NAME_ENTRY_set(entries, j, NULL);\n }\n }\n ret = x509_name_canon(nm);\n if (!ret) {\n goto err;\n }\n sk_STACK_OF_X509_NAME_ENTRY_pop_free(intname, local_sk_X509_NAME_ENTRY_free);\n nm->modified = 0;\n *val = (ASN1_VALUE *)nm;\n *in = p;\n return ret;\nerr:\n X509_NAME_free(nm);\n sk_STACK_OF_X509_NAME_ENTRY_pop_free(intname,\n local_sk_X509_NAME_ENTRY_pop_free);\n OPENSSL_PUT_ERROR(X509, ERR_R_ASN1_LIB);\n return 0;\n}\n\nstatic int x509_name_ex_i2d(ASN1_VALUE **val, unsigned char **out,\n const ASN1_ITEM *it) {\n X509_NAME *a = (X509_NAME *)*val;\n if (a->modified && (!x509_name_encode(a) || !x509_name_canon(a))) {\n return -1;\n }\n int ret = a->bytes->length;\n if (out != NULL) {\n OPENSSL_memcpy(*out, a->bytes->data, ret);\n *out += ret;\n }\n return ret;\n}\n\nstatic int x509_name_encode(X509_NAME *a) {\n int len;\n unsigned char *p;\n STACK_OF(X509_NAME_ENTRY) *entries = NULL;\n X509_NAME_ENTRY *entry;\n int set = -1;\n size_t i;\n STACK_OF(STACK_OF_X509_NAME_ENTRY) *intname =\n sk_STACK_OF_X509_NAME_ENTRY_new_null();\n\n {\n if (!intname) {\n goto err;\n }\n for (i = 0; i < sk_X509_NAME_ENTRY_num(a->entries); i++) {\n entry = sk_X509_NAME_ENTRY_value(a->entries, i);\n if (entry->set != set) {\n entries = sk_X509_NAME_ENTRY_new_null();\n if (!entries) {\n goto err;\n }\n if (!sk_STACK_OF_X509_NAME_ENTRY_push(intname, entries)) {\n sk_X509_NAME_ENTRY_free(entries);\n goto err;\n }\n set = entry->set;\n }\n if (!sk_X509_NAME_ENTRY_push(entries, entry)) {\n goto err;\n }\n }\n ASN1_VALUE *intname_val = (ASN1_VALUE *)intname;\n len =\n ASN1_item_ex_i2d(&intname_val, NULL, ASN1_ITEM_rptr(X509_NAME_INTERNAL),\n /*tag=*/-1, /*aclass=*/0);\n if (len <= 0) {\n goto err;\n }\n if (!BUF_MEM_grow(a->bytes, len)) {\n goto err;\n }\n p = (unsigned char *)a->bytes->data;\n if (ASN1_item_ex_i2d(&intname_val, &p, ASN1_ITEM_rptr(X509_NAME_INTERNAL),\n /*tag=*/-1, /*aclass=*/0) <= 0) {\n goto err;\n }\n sk_STACK_OF_X509_NAME_ENTRY_pop_free(intname,\n local_sk_X509_NAME_ENTRY_free);\n a->modified = 0;\n return 1;\n }\n\nerr:\n sk_STACK_OF_X509_NAME_ENTRY_pop_free(intname, local_sk_X509_NAME_ENTRY_free);\n return 0;\n}\n\n// This function generates the canonical encoding of the Name structure. In\n// it all strings are converted to UTF8, leading, trailing and multiple\n// spaces collapsed, converted to lower case and the leading SEQUENCE header\n// removed. In future we could also normalize the UTF8 too. By doing this\n// comparison of Name structures can be rapidly perfomed by just using\n// OPENSSL_memcmp() of the canonical encoding. By omitting the leading SEQUENCE\n// name constraints of type dirName can also be checked with a simple\n// OPENSSL_memcmp().\n\nstatic int x509_name_canon(X509_NAME *a) {\n unsigned char *p;\n STACK_OF(STACK_OF_X509_NAME_ENTRY) *intname = NULL;\n STACK_OF(X509_NAME_ENTRY) *entries = NULL;\n X509_NAME_ENTRY *entry, *tmpentry = NULL;\n int set = -1, ret = 0, len;\n size_t i;\n\n if (a->canon_enc) {\n OPENSSL_free(a->canon_enc);\n a->canon_enc = NULL;\n }\n // Special case: empty X509_NAME => null encoding\n if (sk_X509_NAME_ENTRY_num(a->entries) == 0) {\n a->canon_enclen = 0;\n return 1;\n }\n intname = sk_STACK_OF_X509_NAME_ENTRY_new_null();\n if (!intname) {\n goto err;\n }\n for (i = 0; i < sk_X509_NAME_ENTRY_num(a->entries); i++) {\n entry = sk_X509_NAME_ENTRY_value(a->entries, i);\n if (entry->set != set) {\n entries = sk_X509_NAME_ENTRY_new_null();\n if (!entries) {\n goto err;\n }\n if (!sk_STACK_OF_X509_NAME_ENTRY_push(intname, entries)) {\n sk_X509_NAME_ENTRY_free(entries);\n goto err;\n }\n set = entry->set;\n }\n tmpentry = X509_NAME_ENTRY_new();\n if (tmpentry == NULL) {\n goto err;\n }\n tmpentry->object = OBJ_dup(entry->object);\n if (!asn1_string_canon(tmpentry->value, entry->value)) {\n goto err;\n }\n if (!sk_X509_NAME_ENTRY_push(entries, tmpentry)) {\n goto err;\n }\n tmpentry = NULL;\n }\n\n // Finally generate encoding\n\n len = i2d_name_canon(intname, NULL);\n if (len < 0) {\n goto err;\n }\n a->canon_enclen = len;\n\n p = reinterpret_cast(OPENSSL_malloc(a->canon_enclen));\n\n if (!p) {\n goto err;\n }\n\n a->canon_enc = p;\n\n i2d_name_canon(intname, &p);\n\n ret = 1;\n\nerr:\n\n if (tmpentry) {\n X509_NAME_ENTRY_free(tmpentry);\n }\n if (intname) {\n sk_STACK_OF_X509_NAME_ENTRY_pop_free(intname,\n local_sk_X509_NAME_ENTRY_pop_free);\n }\n return ret;\n}\n\n// Bitmap of all the types of string that will be canonicalized.\n\n#define ASN1_MASK_CANON \\\n (B_ASN1_UTF8STRING | B_ASN1_BMPSTRING | B_ASN1_UNIVERSALSTRING | \\\n B_ASN1_PRINTABLESTRING | B_ASN1_T61STRING | B_ASN1_IA5STRING | \\\n B_ASN1_VISIBLESTRING)\n\nstatic int asn1_string_canon(ASN1_STRING *out, ASN1_STRING *in) {\n unsigned char *to, *from;\n int len, i;\n\n // If type not in bitmask just copy string across\n if (!(ASN1_tag2bit(in->type) & ASN1_MASK_CANON)) {\n if (!ASN1_STRING_copy(out, in)) {\n return 0;\n }\n return 1;\n }\n\n out->type = V_ASN1_UTF8STRING;\n out->length = ASN1_STRING_to_UTF8(&out->data, in);\n if (out->length == -1) {\n return 0;\n }\n\n to = out->data;\n from = to;\n\n len = out->length;\n\n // Convert string in place to canonical form.\n\n // Ignore leading spaces\n while ((len > 0) && OPENSSL_isspace(*from)) {\n from++;\n len--;\n }\n\n to = from + len;\n\n // Ignore trailing spaces\n while ((len > 0) && OPENSSL_isspace(to[-1])) {\n to--;\n len--;\n }\n\n to = out->data;\n\n i = 0;\n while (i < len) {\n // Collapse multiple spaces\n if (OPENSSL_isspace(*from)) {\n // Copy one space across\n *to++ = ' ';\n // Ignore subsequent spaces. Note: don't need to check len here\n // because we know the last character is a non-space so we can't\n // overflow.\n do {\n from++;\n i++;\n } while (OPENSSL_isspace(*from));\n } else {\n *to++ = OPENSSL_tolower(*from);\n from++;\n i++;\n }\n }\n\n out->length = to - out->data;\n\n return 1;\n}\n\nstatic int i2d_name_canon(STACK_OF(STACK_OF_X509_NAME_ENTRY) *_intname,\n unsigned char **in) {\n int len, ltmp;\n size_t i;\n ASN1_VALUE *v;\n STACK_OF(ASN1_VALUE) *intname = (STACK_OF(ASN1_VALUE) *)_intname;\n\n len = 0;\n for (i = 0; i < sk_ASN1_VALUE_num(intname); i++) {\n v = sk_ASN1_VALUE_value(intname, i);\n ltmp = ASN1_item_ex_i2d(&v, in, ASN1_ITEM_rptr(X509_NAME_ENTRIES),\n /*tag=*/-1, /*aclass=*/0);\n if (ltmp < 0) {\n return ltmp;\n }\n len += ltmp;\n }\n return len;\n}\n\nint X509_NAME_set(X509_NAME **xn, X509_NAME *name) {\n if ((name = X509_NAME_dup(name)) == NULL) {\n return 0;\n }\n X509_NAME_free(*xn);\n *xn = name;\n return 1;\n}\n\nint X509_NAME_ENTRY_set(const X509_NAME_ENTRY *ne) { return ne->set; }\n\nint X509_NAME_get0_der(X509_NAME *nm, const unsigned char **out_der,\n size_t *out_der_len) {\n // Make sure encoding is valid\n if (i2d_X509_NAME(nm, NULL) <= 0) {\n return 0;\n }\n if (out_der != NULL) {\n *out_der = (unsigned char *)nm->bytes->data;\n }\n if (out_der_len != NULL) {\n *out_der_len = nm->bytes->length;\n }\n return 1;\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/x509/x_pubkey.cc", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n\n#include \n#include \n#include \n#include \n#include \n#include \n#include \n\n#include \"../internal.h\"\n#include \"internal.h\"\n\n\nstatic void x509_pubkey_changed(X509_PUBKEY *pub) {\n EVP_PKEY_free(pub->pkey);\n pub->pkey = NULL;\n\n // Re-encode the |X509_PUBKEY| to DER and parse it with EVP's APIs.\n uint8_t *spki = NULL;\n int spki_len = i2d_X509_PUBKEY(pub, &spki);\n EVP_PKEY *pkey;\n if (spki_len < 0) {\n goto err;\n }\n\n CBS cbs;\n CBS_init(&cbs, spki, (size_t)spki_len);\n pkey = EVP_parse_public_key(&cbs);\n if (pkey == NULL || CBS_len(&cbs) != 0) {\n EVP_PKEY_free(pkey);\n goto err;\n }\n\n pub->pkey = pkey;\n\nerr:\n OPENSSL_free(spki);\n // If the operation failed, clear errors. An |X509_PUBKEY| whose key we cannot\n // parse is still a valid SPKI. It just cannot be converted to an |EVP_PKEY|.\n ERR_clear_error();\n}\n\nstatic int pubkey_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,\n void *exarg) {\n X509_PUBKEY *pubkey = (X509_PUBKEY *)*pval;\n if (operation == ASN1_OP_FREE_POST) {\n EVP_PKEY_free(pubkey->pkey);\n } else if (operation == ASN1_OP_D2I_POST) {\n x509_pubkey_changed(pubkey);\n }\n return 1;\n}\n\nASN1_SEQUENCE_cb(X509_PUBKEY, pubkey_cb) = {\n ASN1_SIMPLE(X509_PUBKEY, algor, X509_ALGOR),\n ASN1_SIMPLE(X509_PUBKEY, public_key, ASN1_BIT_STRING),\n} ASN1_SEQUENCE_END_cb(X509_PUBKEY, X509_PUBKEY)\n\nIMPLEMENT_ASN1_FUNCTIONS_const(X509_PUBKEY)\n\nint X509_PUBKEY_set(X509_PUBKEY **x, EVP_PKEY *pkey) {\n X509_PUBKEY *pk = NULL;\n uint8_t *spki = NULL;\n size_t spki_len;\n\n if (x == NULL) {\n return 0;\n }\n\n CBB cbb;\n const uint8_t *p;\n if (!CBB_init(&cbb, 0) || //\n !EVP_marshal_public_key(&cbb, pkey) ||\n !CBB_finish(&cbb, &spki, &spki_len) || //\n spki_len > LONG_MAX) {\n CBB_cleanup(&cbb);\n OPENSSL_PUT_ERROR(X509, X509_R_PUBLIC_KEY_ENCODE_ERROR);\n goto error;\n }\n\n p = spki;\n pk = d2i_X509_PUBKEY(NULL, &p, (long)spki_len);\n if (pk == NULL || p != spki + spki_len) {\n OPENSSL_PUT_ERROR(X509, X509_R_PUBLIC_KEY_DECODE_ERROR);\n goto error;\n }\n\n OPENSSL_free(spki);\n X509_PUBKEY_free(*x);\n *x = pk;\n\n return 1;\nerror:\n X509_PUBKEY_free(pk);\n OPENSSL_free(spki);\n return 0;\n}\n\nEVP_PKEY *X509_PUBKEY_get0(const X509_PUBKEY *key) {\n if (key == NULL) {\n return NULL;\n }\n\n if (key->pkey == NULL) {\n OPENSSL_PUT_ERROR(X509, X509_R_PUBLIC_KEY_DECODE_ERROR);\n return NULL;\n }\n\n return key->pkey;\n}\n\nEVP_PKEY *X509_PUBKEY_get(const X509_PUBKEY *key) {\n EVP_PKEY *pkey = X509_PUBKEY_get0(key);\n if (pkey != NULL) {\n EVP_PKEY_up_ref(pkey);\n }\n return pkey;\n}\n\nint X509_PUBKEY_set0_param(X509_PUBKEY *pub, ASN1_OBJECT *obj, int param_type,\n void *param_value, uint8_t *key, int key_len) {\n if (!X509_ALGOR_set0(pub->algor, obj, param_type, param_value)) {\n return 0;\n }\n\n ASN1_STRING_set0(pub->public_key, key, key_len);\n // Set the number of unused bits to zero.\n pub->public_key->flags &= ~(ASN1_STRING_FLAG_BITS_LEFT | 0x07);\n pub->public_key->flags |= ASN1_STRING_FLAG_BITS_LEFT;\n\n x509_pubkey_changed(pub);\n return 1;\n}\n\nint X509_PUBKEY_get0_param(ASN1_OBJECT **out_obj, const uint8_t **out_key,\n int *out_key_len, X509_ALGOR **out_alg,\n X509_PUBKEY *pub) {\n if (out_obj != NULL) {\n *out_obj = pub->algor->algorithm;\n }\n if (out_key != NULL) {\n *out_key = pub->public_key->data;\n *out_key_len = pub->public_key->length;\n }\n if (out_alg != NULL) {\n *out_alg = pub->algor;\n }\n return 1;\n}\n\nconst ASN1_BIT_STRING *X509_PUBKEY_get0_public_key(const X509_PUBKEY *pub) {\n return pub->public_key;\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/x509/x_req.cc", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n#include \n#include \n\n#include \"internal.h\"\n\n\n// X509_REQ_INFO is handled in an unusual way to get round invalid encodings.\n// Some broken certificate requests don't encode the attributes field if it\n// is empty. This is in violation of PKCS#10 but we need to tolerate it. We\n// do this by making the attributes field OPTIONAL then using the callback to\n// initialise it to an empty STACK. This means that the field will be\n// correctly encoded unless we NULL out the field.\n\nstatic int rinf_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,\n void *exarg) {\n X509_REQ_INFO *rinf = (X509_REQ_INFO *)*pval;\n\n if (operation == ASN1_OP_NEW_POST) {\n rinf->attributes = sk_X509_ATTRIBUTE_new_null();\n if (!rinf->attributes) {\n return 0;\n }\n }\n\n if (operation == ASN1_OP_D2I_POST) {\n // The only defined CSR version is v1(0). For compatibility, we also accept\n // a hypothetical v3(2). Although not defined, older versions of certbot\n // use it. See https://github.com/certbot/certbot/pull/9334.\n long version = ASN1_INTEGER_get(rinf->version);\n if (version != X509_REQ_VERSION_1 && version != 2) {\n OPENSSL_PUT_ERROR(X509, X509_R_INVALID_VERSION);\n return 0;\n }\n }\n\n return 1;\n}\n\nASN1_SEQUENCE_enc(X509_REQ_INFO, enc, rinf_cb) = {\n ASN1_SIMPLE(X509_REQ_INFO, version, ASN1_INTEGER),\n ASN1_SIMPLE(X509_REQ_INFO, subject, X509_NAME),\n ASN1_SIMPLE(X509_REQ_INFO, pubkey, X509_PUBKEY),\n // This isn't really OPTIONAL but it gets around invalid encodings.\n ASN1_IMP_SET_OF_OPT(X509_REQ_INFO, attributes, X509_ATTRIBUTE, 0),\n} ASN1_SEQUENCE_END_enc(X509_REQ_INFO, X509_REQ_INFO)\n\nIMPLEMENT_ASN1_FUNCTIONS(X509_REQ_INFO)\n\nASN1_SEQUENCE(X509_REQ) = {\n ASN1_SIMPLE(X509_REQ, req_info, X509_REQ_INFO),\n ASN1_SIMPLE(X509_REQ, sig_alg, X509_ALGOR),\n ASN1_SIMPLE(X509_REQ, signature, ASN1_BIT_STRING),\n} ASN1_SEQUENCE_END(X509_REQ)\n\nIMPLEMENT_ASN1_FUNCTIONS(X509_REQ)\n\nIMPLEMENT_ASN1_DUP_FUNCTION(X509_REQ)\n" }, { "path": "Sources/CNIOBoringSSL/crypto/x509/x_sig.cc", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n#include \n\n\nstruct X509_sig_st {\n X509_ALGOR *algor;\n ASN1_OCTET_STRING *digest;\n} /* X509_SIG */;\n\nASN1_SEQUENCE(X509_SIG) = {\n ASN1_SIMPLE(X509_SIG, algor, X509_ALGOR),\n ASN1_SIMPLE(X509_SIG, digest, ASN1_OCTET_STRING),\n} ASN1_SEQUENCE_END(X509_SIG)\n\nIMPLEMENT_ASN1_FUNCTIONS_const(X509_SIG)\n\nvoid X509_SIG_get0(const X509_SIG *sig, const X509_ALGOR **out_alg,\n const ASN1_OCTET_STRING **out_digest) {\n if (out_alg != NULL) {\n *out_alg = sig->algor;\n }\n if (out_digest != NULL) {\n *out_digest = sig->digest;\n }\n}\n\nvoid X509_SIG_getm(X509_SIG *sig, X509_ALGOR **out_alg,\n ASN1_OCTET_STRING **out_digest) {\n if (out_alg != NULL) {\n *out_alg = sig->algor;\n }\n if (out_digest != NULL) {\n *out_digest = sig->digest;\n }\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/x509/x_spki.cc", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n#include \n\n#include \"internal.h\"\n\n\nASN1_SEQUENCE(NETSCAPE_SPKAC) = {\n ASN1_SIMPLE(NETSCAPE_SPKAC, pubkey, X509_PUBKEY),\n ASN1_SIMPLE(NETSCAPE_SPKAC, challenge, ASN1_IA5STRING),\n} ASN1_SEQUENCE_END(NETSCAPE_SPKAC)\n\nIMPLEMENT_ASN1_FUNCTIONS_const(NETSCAPE_SPKAC)\n\nASN1_SEQUENCE(NETSCAPE_SPKI) = {\n ASN1_SIMPLE(NETSCAPE_SPKI, spkac, NETSCAPE_SPKAC),\n ASN1_SIMPLE(NETSCAPE_SPKI, sig_algor, X509_ALGOR),\n ASN1_SIMPLE(NETSCAPE_SPKI, signature, ASN1_BIT_STRING),\n} ASN1_SEQUENCE_END(NETSCAPE_SPKI)\n\nIMPLEMENT_ASN1_FUNCTIONS_const(NETSCAPE_SPKI)\n" }, { "path": "Sources/CNIOBoringSSL/crypto/x509/x_val.cc", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n#include \n\n#include \"internal.h\"\n\n\nASN1_SEQUENCE(X509_VAL) = {\n ASN1_SIMPLE(X509_VAL, notBefore, ASN1_TIME),\n ASN1_SIMPLE(X509_VAL, notAfter, ASN1_TIME),\n} ASN1_SEQUENCE_END(X509_VAL)\n\nIMPLEMENT_ASN1_FUNCTIONS_const(X509_VAL)\n" }, { "path": "Sources/CNIOBoringSSL/crypto/x509/x_x509.cc", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n#include \n#include \n\n#include \n#include \n#include \n#include \n#include \n#include \n#include \n\n#include \"../asn1/internal.h\"\n#include \"../bytestring/internal.h\"\n#include \"../internal.h\"\n#include \"internal.h\"\n\nstatic CRYPTO_EX_DATA_CLASS g_ex_data_class = CRYPTO_EX_DATA_CLASS_INIT;\n\nASN1_SEQUENCE_enc(X509_CINF, enc, 0) = {\n ASN1_EXP_OPT(X509_CINF, version, ASN1_INTEGER, 0),\n ASN1_SIMPLE(X509_CINF, serialNumber, ASN1_INTEGER),\n ASN1_SIMPLE(X509_CINF, signature, X509_ALGOR),\n ASN1_SIMPLE(X509_CINF, issuer, X509_NAME),\n ASN1_SIMPLE(X509_CINF, validity, X509_VAL),\n ASN1_SIMPLE(X509_CINF, subject, X509_NAME),\n ASN1_SIMPLE(X509_CINF, key, X509_PUBKEY),\n ASN1_IMP_OPT(X509_CINF, issuerUID, ASN1_BIT_STRING, 1),\n ASN1_IMP_OPT(X509_CINF, subjectUID, ASN1_BIT_STRING, 2),\n ASN1_EXP_SEQUENCE_OF_OPT(X509_CINF, extensions, X509_EXTENSION, 3),\n} ASN1_SEQUENCE_END_enc(X509_CINF, X509_CINF)\n\nIMPLEMENT_ASN1_FUNCTIONS(X509_CINF)\n\n// x509_new_null returns a new |X509| object where the |cert_info|, |sig_alg|,\n// and |signature| fields are not yet filled in.\nstatic X509 *x509_new_null(void) {\n X509 *ret = reinterpret_cast(OPENSSL_zalloc(sizeof(X509)));\n if (ret == NULL) {\n return NULL;\n }\n\n ret->references = 1;\n ret->ex_pathlen = -1;\n CRYPTO_new_ex_data(&ret->ex_data);\n CRYPTO_MUTEX_init(&ret->lock);\n return ret;\n}\n\nX509 *X509_new(void) {\n X509 *ret = x509_new_null();\n if (ret == NULL) {\n return NULL;\n }\n\n ret->cert_info = X509_CINF_new();\n ret->sig_alg = X509_ALGOR_new();\n ret->signature = ASN1_BIT_STRING_new();\n if (ret->cert_info == NULL || ret->sig_alg == NULL ||\n ret->signature == NULL) {\n X509_free(ret);\n return NULL;\n }\n\n return ret;\n}\n\nvoid X509_free(X509 *x509) {\n if (x509 == NULL || !CRYPTO_refcount_dec_and_test_zero(&x509->references)) {\n return;\n }\n\n CRYPTO_free_ex_data(&g_ex_data_class, x509, &x509->ex_data);\n\n X509_CINF_free(x509->cert_info);\n X509_ALGOR_free(x509->sig_alg);\n ASN1_BIT_STRING_free(x509->signature);\n ASN1_OCTET_STRING_free(x509->skid);\n AUTHORITY_KEYID_free(x509->akid);\n CRL_DIST_POINTS_free(x509->crldp);\n GENERAL_NAMES_free(x509->altname);\n NAME_CONSTRAINTS_free(x509->nc);\n X509_CERT_AUX_free(x509->aux);\n CRYPTO_MUTEX_cleanup(&x509->lock);\n\n OPENSSL_free(x509);\n}\n\nstatic X509 *x509_parse(CBS *cbs, CRYPTO_BUFFER *buf) {\n CBS cert, tbs, sigalg, sig;\n if (!CBS_get_asn1(cbs, &cert, CBS_ASN1_SEQUENCE) ||\n // Bound the length to comfortably fit in an int. Lengths in this\n // module often omit overflow checks.\n CBS_len(&cert) > INT_MAX / 2 ||\n !CBS_get_asn1_element(&cert, &tbs, CBS_ASN1_SEQUENCE) ||\n !CBS_get_asn1_element(&cert, &sigalg, CBS_ASN1_SEQUENCE)) {\n OPENSSL_PUT_ERROR(ASN1, ASN1_R_DECODE_ERROR);\n return NULL;\n }\n\n // For just the signature field, we accept non-minimal BER lengths, though not\n // indefinite-length encoding. See b/18228011.\n //\n // TODO(crbug.com/boringssl/354): Switch the affected callers to convert the\n // certificate before parsing and then remove this workaround.\n CBS_ASN1_TAG tag;\n size_t header_len;\n int indefinite;\n if (!CBS_get_any_ber_asn1_element(&cert, &sig, &tag, &header_len,\n /*out_ber_found=*/NULL,\n &indefinite) ||\n tag != CBS_ASN1_BITSTRING || indefinite || //\n !CBS_skip(&sig, header_len) || //\n CBS_len(&cert) != 0) {\n OPENSSL_PUT_ERROR(ASN1, ASN1_R_DECODE_ERROR);\n return NULL;\n }\n\n X509 *ret = x509_new_null();\n if (ret == NULL) {\n return NULL;\n }\n\n {\n // TODO(crbug.com/boringssl/443): When the rest of the library is decoupled\n // from the tasn_*.c implementation, replace this with |CBS|-based\n // functions.\n const uint8_t *inp = CBS_data(&tbs);\n if (ASN1_item_ex_d2i((ASN1_VALUE **)&ret->cert_info, &inp, CBS_len(&tbs),\n ASN1_ITEM_rptr(X509_CINF), /*tag=*/-1,\n /*aclass=*/0, /*opt=*/0, buf) <= 0 ||\n inp != CBS_data(&tbs) + CBS_len(&tbs)) {\n goto err;\n }\n\n inp = CBS_data(&sigalg);\n ret->sig_alg = d2i_X509_ALGOR(NULL, &inp, CBS_len(&sigalg));\n if (ret->sig_alg == NULL || inp != CBS_data(&sigalg) + CBS_len(&sigalg)) {\n goto err;\n }\n\n inp = CBS_data(&sig);\n ret->signature = c2i_ASN1_BIT_STRING(NULL, &inp, CBS_len(&sig));\n if (ret->signature == NULL || inp != CBS_data(&sig) + CBS_len(&sig)) {\n goto err;\n }\n\n // The version must be one of v1(0), v2(1), or v3(2).\n long version = X509_VERSION_1;\n if (ret->cert_info->version != NULL) {\n version = ASN1_INTEGER_get(ret->cert_info->version);\n // TODO(https://crbug.com/boringssl/364): |X509_VERSION_1| should\n // also be rejected here. This means an explicitly-encoded X.509v1\n // version. v1 is DEFAULT, so DER requires it be omitted.\n if (version < X509_VERSION_1 || version > X509_VERSION_3) {\n OPENSSL_PUT_ERROR(X509, X509_R_INVALID_VERSION);\n goto err;\n }\n }\n\n // Per RFC 5280, section 4.1.2.8, these fields require v2 or v3.\n if (version == X509_VERSION_1 && (ret->cert_info->issuerUID != NULL ||\n ret->cert_info->subjectUID != NULL)) {\n OPENSSL_PUT_ERROR(X509, X509_R_INVALID_FIELD_FOR_VERSION);\n goto err;\n }\n\n // Per RFC 5280, section 4.1.2.9, extensions require v3.\n if (version != X509_VERSION_3 && ret->cert_info->extensions != NULL) {\n OPENSSL_PUT_ERROR(X509, X509_R_INVALID_FIELD_FOR_VERSION);\n goto err;\n }\n\n return ret;\n }\n\nerr:\n X509_free(ret);\n return NULL;\n}\n\nX509 *d2i_X509(X509 **out, const uint8_t **inp, long len) {\n X509 *ret = NULL;\n if (len < 0) {\n OPENSSL_PUT_ERROR(ASN1, ASN1_R_BUFFER_TOO_SMALL);\n goto err;\n }\n\n CBS cbs;\n CBS_init(&cbs, *inp, (size_t)len);\n ret = x509_parse(&cbs, NULL);\n if (ret == NULL) {\n goto err;\n }\n\n *inp = CBS_data(&cbs);\n\nerr:\n if (out != NULL) {\n X509_free(*out);\n *out = ret;\n }\n return ret;\n}\n\nint i2d_X509(X509 *x509, uint8_t **outp) {\n if (x509 == NULL) {\n OPENSSL_PUT_ERROR(ASN1, ASN1_R_MISSING_VALUE);\n return -1;\n }\n\n CBB cbb, cert;\n int len;\n if (!CBB_init(&cbb, 64) || //\n !CBB_add_asn1(&cbb, &cert, CBS_ASN1_SEQUENCE)) {\n goto err;\n }\n\n // TODO(crbug.com/boringssl/443): When the rest of the library is decoupled\n // from the tasn_*.c implementation, replace this with |CBS|-based functions.\n uint8_t *out;\n len = i2d_X509_CINF(x509->cert_info, NULL);\n if (len < 0 || //\n !CBB_add_space(&cert, &out, (size_t)len) ||\n i2d_X509_CINF(x509->cert_info, &out) != len) {\n goto err;\n }\n\n len = i2d_X509_ALGOR(x509->sig_alg, NULL);\n if (len < 0 || //\n !CBB_add_space(&cert, &out, (size_t)len) ||\n i2d_X509_ALGOR(x509->sig_alg, &out) != len) {\n goto err;\n }\n\n len = i2d_ASN1_BIT_STRING(x509->signature, NULL);\n if (len < 0 || //\n !CBB_add_space(&cert, &out, (size_t)len) ||\n i2d_ASN1_BIT_STRING(x509->signature, &out) != len) {\n goto err;\n }\n\n return CBB_finish_i2d(&cbb, outp);\n\nerr:\n CBB_cleanup(&cbb);\n return -1;\n}\n\nstatic int x509_new_cb(ASN1_VALUE **pval, const ASN1_ITEM *it) {\n *pval = (ASN1_VALUE *)X509_new();\n return *pval != NULL;\n}\n\nstatic void x509_free_cb(ASN1_VALUE **pval, const ASN1_ITEM *it) {\n X509_free((X509 *)*pval);\n *pval = NULL;\n}\n\nstatic int x509_d2i_cb(ASN1_VALUE **pval, const unsigned char **in, long len,\n const ASN1_ITEM *it, int opt, ASN1_TLC *ctx) {\n if (len < 0) {\n OPENSSL_PUT_ERROR(ASN1, ASN1_R_BUFFER_TOO_SMALL);\n return 0;\n }\n\n CBS cbs;\n CBS_init(&cbs, *in, len);\n if (opt && !CBS_peek_asn1_tag(&cbs, CBS_ASN1_SEQUENCE)) {\n return -1;\n }\n\n X509 *ret = x509_parse(&cbs, NULL);\n if (ret == NULL) {\n return 0;\n }\n\n *in = CBS_data(&cbs);\n X509_free((X509 *)*pval);\n *pval = (ASN1_VALUE *)ret;\n return 1;\n}\n\nstatic int x509_i2d_cb(ASN1_VALUE **pval, unsigned char **out,\n const ASN1_ITEM *it) {\n return i2d_X509((X509 *)*pval, out);\n}\n\nstatic const ASN1_EXTERN_FUNCS x509_extern_funcs = {\n x509_new_cb,\n x509_free_cb,\n x509_d2i_cb,\n x509_i2d_cb,\n};\n\nIMPLEMENT_EXTERN_ASN1(X509, V_ASN1_SEQUENCE, x509_extern_funcs)\n\nX509 *X509_dup(X509 *x509) {\n uint8_t *der = NULL;\n int len = i2d_X509(x509, &der);\n if (len < 0) {\n return NULL;\n }\n\n const uint8_t *inp = der;\n X509 *ret = d2i_X509(NULL, &inp, len);\n OPENSSL_free(der);\n return ret;\n}\n\nX509 *X509_parse_from_buffer(CRYPTO_BUFFER *buf) {\n CBS cbs;\n CBS_init(&cbs, CRYPTO_BUFFER_data(buf), CRYPTO_BUFFER_len(buf));\n X509 *ret = x509_parse(&cbs, buf);\n if (ret == NULL || CBS_len(&cbs) != 0) {\n X509_free(ret);\n return NULL;\n }\n\n return ret;\n}\n\nint X509_up_ref(X509 *x) {\n CRYPTO_refcount_inc(&x->references);\n return 1;\n}\n\nint X509_get_ex_new_index(long argl, void *argp, CRYPTO_EX_unused *unused,\n CRYPTO_EX_dup *dup_unused,\n CRYPTO_EX_free *free_func) {\n return CRYPTO_get_ex_new_index_ex(&g_ex_data_class, argl, argp, free_func);\n}\n\nint X509_set_ex_data(X509 *r, int idx, void *arg) {\n return (CRYPTO_set_ex_data(&r->ex_data, idx, arg));\n}\n\nvoid *X509_get_ex_data(X509 *r, int idx) {\n return (CRYPTO_get_ex_data(&r->ex_data, idx));\n}\n\n// X509_AUX ASN1 routines. X509_AUX is the name given to a certificate with\n// extra info tagged on the end. Since these functions set how a certificate\n// is trusted they should only be used when the certificate comes from a\n// reliable source such as local storage.\n\nX509 *d2i_X509_AUX(X509 **a, const unsigned char **pp, long length) {\n const unsigned char *q = *pp;\n X509 *ret;\n int freeret = 0;\n\n if (!a || *a == NULL) {\n freeret = 1;\n }\n ret = d2i_X509(a, &q, length);\n // If certificate unreadable then forget it\n if (!ret) {\n return NULL;\n }\n // update length\n length -= q - *pp;\n // Parse auxiliary information if there is any.\n if (length > 0 && !d2i_X509_CERT_AUX(&ret->aux, &q, length)) {\n goto err;\n }\n *pp = q;\n return ret;\nerr:\n if (freeret) {\n X509_free(ret);\n if (a) {\n *a = NULL;\n }\n }\n return NULL;\n}\n\n// Serialize trusted certificate to *pp or just return the required buffer\n// length if pp == NULL. We ultimately want to avoid modifying *pp in the\n// error path, but that depends on similar hygiene in lower-level functions.\n// Here we avoid compounding the problem.\nstatic int i2d_x509_aux_internal(X509 *a, unsigned char **pp) {\n int length, tmplen;\n unsigned char *start = pp != NULL ? *pp : NULL;\n\n assert(pp == NULL || *pp != NULL);\n\n // This might perturb *pp on error, but fixing that belongs in i2d_X509()\n // not here. It should be that if a == NULL length is zero, but we check\n // both just in case.\n length = i2d_X509(a, pp);\n if (length <= 0 || a == NULL) {\n return length;\n }\n\n if (a->aux != NULL) {\n tmplen = i2d_X509_CERT_AUX(a->aux, pp);\n if (tmplen < 0) {\n if (start != NULL) {\n *pp = start;\n }\n return tmplen;\n }\n length += tmplen;\n }\n\n return length;\n}\n\n// Serialize trusted certificate to *pp, or just return the required buffer\n// length if pp == NULL.\n//\n// When pp is not NULL, but *pp == NULL, we allocate the buffer, but since\n// we're writing two ASN.1 objects back to back, we can't have i2d_X509() do\n// the allocation, nor can we allow i2d_X509_CERT_AUX() to increment the\n// allocated buffer.\nint i2d_X509_AUX(X509 *a, unsigned char **pp) {\n int length;\n unsigned char *tmp;\n\n // Buffer provided by caller\n if (pp == NULL || *pp != NULL) {\n return i2d_x509_aux_internal(a, pp);\n }\n\n // Obtain the combined length\n if ((length = i2d_x509_aux_internal(a, NULL)) <= 0) {\n return length;\n }\n\n // Allocate requisite combined storage\n *pp = tmp = reinterpret_cast(OPENSSL_malloc(length));\n if (tmp == NULL) {\n return -1; // Push error onto error stack?\n }\n\n // Encode, but keep *pp at the originally malloced pointer\n length = i2d_x509_aux_internal(a, &tmp);\n if (length <= 0) {\n OPENSSL_free(*pp);\n *pp = NULL;\n }\n return length;\n}\n\nint i2d_re_X509_tbs(X509 *x509, unsigned char **outp) {\n asn1_encoding_clear(&x509->cert_info->enc);\n return i2d_X509_CINF(x509->cert_info, outp);\n}\n\nint i2d_X509_tbs(X509 *x509, unsigned char **outp) {\n return i2d_X509_CINF(x509->cert_info, outp);\n}\n\nint X509_set1_signature_algo(X509 *x509, const X509_ALGOR *algo) {\n X509_ALGOR *copy1 = X509_ALGOR_dup(algo);\n X509_ALGOR *copy2 = X509_ALGOR_dup(algo);\n if (copy1 == NULL || copy2 == NULL) {\n X509_ALGOR_free(copy1);\n X509_ALGOR_free(copy2);\n return 0;\n }\n\n X509_ALGOR_free(x509->sig_alg);\n x509->sig_alg = copy1;\n X509_ALGOR_free(x509->cert_info->signature);\n x509->cert_info->signature = copy2;\n return 1;\n}\n\nint X509_set1_signature_value(X509 *x509, const uint8_t *sig, size_t sig_len) {\n if (!ASN1_STRING_set(x509->signature, sig, sig_len)) {\n return 0;\n }\n x509->signature->flags &= ~(ASN1_STRING_FLAG_BITS_LEFT | 0x07);\n x509->signature->flags |= ASN1_STRING_FLAG_BITS_LEFT;\n return 1;\n}\n\nvoid X509_get0_signature(const ASN1_BIT_STRING **psig, const X509_ALGOR **palg,\n const X509 *x) {\n if (psig) {\n *psig = x->signature;\n }\n if (palg) {\n *palg = x->sig_alg;\n }\n}\n\nint X509_get_signature_nid(const X509 *x) {\n return OBJ_obj2nid(x->sig_alg->algorithm);\n}\n" }, { "path": "Sources/CNIOBoringSSL/crypto/x509/x_x509a.cc", "content": "/*\n * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n#include \n#include \n#include \n\n#include \"internal.h\"\n\n\n// X509_CERT_AUX routines. These are used to encode additional user\n// modifiable data about a certificate. This data is appended to the X509\n// encoding when the *_X509_AUX routines are used. This means that the\n// \"traditional\" X509 routines will simply ignore the extra data.\n\nstatic X509_CERT_AUX *aux_get(X509 *x);\n\nASN1_SEQUENCE(X509_CERT_AUX) = {\n ASN1_SEQUENCE_OF_OPT(X509_CERT_AUX, trust, ASN1_OBJECT),\n ASN1_IMP_SEQUENCE_OF_OPT(X509_CERT_AUX, reject, ASN1_OBJECT, 0),\n ASN1_OPT(X509_CERT_AUX, alias, ASN1_UTF8STRING),\n ASN1_OPT(X509_CERT_AUX, keyid, ASN1_OCTET_STRING),\n} ASN1_SEQUENCE_END(X509_CERT_AUX)\n\nIMPLEMENT_ASN1_FUNCTIONS_const(X509_CERT_AUX)\n\nstatic X509_CERT_AUX *aux_get(X509 *x) {\n if (!x) {\n return NULL;\n }\n if (!x->aux && !(x->aux = X509_CERT_AUX_new())) {\n return NULL;\n }\n return x->aux;\n}\n\nint X509_alias_set1(X509 *x, const uint8_t *name, ossl_ssize_t len) {\n X509_CERT_AUX *aux;\n // TODO(davidben): Empty aliases are not meaningful in PKCS#12, and the\n // getters cannot quite represent them. Also erase the object if |len| is\n // zero.\n if (!name) {\n if (!x || !x->aux || !x->aux->alias) {\n return 1;\n }\n ASN1_UTF8STRING_free(x->aux->alias);\n x->aux->alias = NULL;\n return 1;\n }\n if (!(aux = aux_get(x))) {\n return 0;\n }\n if (!aux->alias && !(aux->alias = ASN1_UTF8STRING_new())) {\n return 0;\n }\n return ASN1_STRING_set(aux->alias, name, len);\n}\n\nint X509_keyid_set1(X509 *x, const uint8_t *id, ossl_ssize_t len) {\n X509_CERT_AUX *aux;\n // TODO(davidben): Empty key IDs are not meaningful in PKCS#12, and the\n // getters cannot quite represent them. Also erase the object if |len| is\n // zero.\n if (!id) {\n if (!x || !x->aux || !x->aux->keyid) {\n return 1;\n }\n ASN1_OCTET_STRING_free(x->aux->keyid);\n x->aux->keyid = NULL;\n return 1;\n }\n if (!(aux = aux_get(x))) {\n return 0;\n }\n if (!aux->keyid && !(aux->keyid = ASN1_OCTET_STRING_new())) {\n return 0;\n }\n return ASN1_STRING_set(aux->keyid, id, len);\n}\n\nconst uint8_t *X509_alias_get0(const X509 *x, int *out_len) {\n const ASN1_UTF8STRING *alias = x->aux != NULL ? x->aux->alias : NULL;\n if (out_len != NULL) {\n *out_len = alias != NULL ? alias->length : 0;\n }\n return alias != NULL ? alias->data : NULL;\n}\n\nconst uint8_t *X509_keyid_get0(const X509 *x, int *out_len) {\n const ASN1_OCTET_STRING *keyid = x->aux != NULL ? x->aux->keyid : NULL;\n if (out_len != NULL) {\n *out_len = keyid != NULL ? keyid->length : 0;\n }\n return keyid != NULL ? keyid->data : NULL;\n}\n\nint X509_add1_trust_object(X509 *x, const ASN1_OBJECT *obj) {\n X509_CERT_AUX *aux;\n ASN1_OBJECT *objtmp = OBJ_dup(obj);\n if (objtmp == NULL) {\n goto err;\n }\n aux = aux_get(x);\n if (aux->trust == NULL) {\n aux->trust = sk_ASN1_OBJECT_new_null();\n if (aux->trust == NULL) {\n goto err;\n }\n }\n if (!sk_ASN1_OBJECT_push(aux->trust, objtmp)) {\n goto err;\n }\n return 1;\n\nerr:\n ASN1_OBJECT_free(objtmp);\n return 0;\n}\n\nint X509_add1_reject_object(X509 *x, const ASN1_OBJECT *obj) {\n X509_CERT_AUX *aux;\n ASN1_OBJECT *objtmp = OBJ_dup(obj);\n if (objtmp == NULL) {\n goto err;\n }\n aux = aux_get(x);\n if (aux->reject == NULL) {\n aux->reject = sk_ASN1_OBJECT_new_null();\n if (aux->reject == NULL) {\n goto err;\n }\n }\n if (!sk_ASN1_OBJECT_push(aux->reject, objtmp)) {\n goto err;\n }\n return 1;\n\nerr:\n ASN1_OBJECT_free(objtmp);\n return 0;\n}\n\nvoid X509_trust_clear(X509 *x) {\n if (x->aux && x->aux->trust) {\n sk_ASN1_OBJECT_pop_free(x->aux->trust, ASN1_OBJECT_free);\n x->aux->trust = NULL;\n }\n}\n\nvoid X509_reject_clear(X509 *x) {\n if (x->aux && x->aux->reject) {\n sk_ASN1_OBJECT_pop_free(x->aux->reject, ASN1_OBJECT_free);\n x->aux->reject = NULL;\n }\n}\n" }, { "path": "Sources/CNIOBoringSSL/gen/bcm/aes-gcm-avx10-x86_64-apple.S", "content": "#define BORINGSSL_PREFIX CNIOBoringSSL\n// This file is generated from a similarly-named Perl script in the BoringSSL\n// source tree. Do not edit by hand.\n\n#include \n\n#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86_64) && defined(__APPLE__)\n.section\t__DATA,__const\n.p2align\t6\n\n\nL$bswap_mask:\n.quad\t0x08090a0b0c0d0e0f, 0x0001020304050607\n\n\n\n\n\n\n\n\nL$gfpoly:\n.quad\t1, 0xc200000000000000\n\n\nL$gfpoly_and_internal_carrybit:\n.quad\t1, 0xc200000000000001\n\n\n\n\n\nL$ctr_pattern:\n.quad\t0, 0\n.quad\t1, 0\nL$inc_2blocks:\n.quad\t2, 0\n.quad\t3, 0\nL$inc_4blocks:\n.quad\t4, 0\n\n.text\t\n.globl\t_gcm_gmult_vpclmulqdq_avx10\n.private_extern _gcm_gmult_vpclmulqdq_avx10\n\n.p2align\t5\n_gcm_gmult_vpclmulqdq_avx10:\n\n\n_CET_ENDBR\n\n\n\n\tvmovdqu\t(%rdi),%xmm0\n\tvmovdqu\tL$bswap_mask(%rip),%xmm1\n\tvmovdqu\t256-16(%rsi),%xmm2\n\tvmovdqu\tL$gfpoly(%rip),%xmm3\n\tvpshufb\t%xmm1,%xmm0,%xmm0\n\n\tvpclmulqdq\t$0x00,%xmm2,%xmm0,%xmm4\n\tvpclmulqdq\t$0x01,%xmm2,%xmm0,%xmm5\n\tvpclmulqdq\t$0x10,%xmm2,%xmm0,%xmm6\n\tvpxord\t%xmm6,%xmm5,%xmm5\n\tvpclmulqdq\t$0x01,%xmm4,%xmm3,%xmm6\n\tvpshufd\t$0x4e,%xmm4,%xmm4\n\tvpternlogd\t$0x96,%xmm6,%xmm4,%xmm5\n\tvpclmulqdq\t$0x11,%xmm2,%xmm0,%xmm0\n\tvpclmulqdq\t$0x01,%xmm5,%xmm3,%xmm4\n\tvpshufd\t$0x4e,%xmm5,%xmm5\n\tvpternlogd\t$0x96,%xmm4,%xmm5,%xmm0\n\n\n\tvpshufb\t%xmm1,%xmm0,%xmm0\n\tvmovdqu\t%xmm0,(%rdi)\n\tret\n\n\n\n.globl\t_gcm_init_vpclmulqdq_avx10_512\n.private_extern _gcm_init_vpclmulqdq_avx10_512\n\n.p2align\t5\n_gcm_init_vpclmulqdq_avx10_512:\n\n\n_CET_ENDBR\n\n\tleaq\t256-64(%rdi),%r8\n\n\n\n\tvpshufd\t$0x4e,(%rsi),%xmm3\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\tvpshufd\t$0xd3,%xmm3,%xmm0\n\tvpsrad\t$31,%xmm0,%xmm0\n\tvpaddq\t%xmm3,%xmm3,%xmm3\n\n\tvpternlogd\t$0x78,L$gfpoly_and_internal_carrybit(%rip),%xmm0,%xmm3\n\n\n\tvbroadcasti32x4\tL$gfpoly(%rip),%zmm5\n\n\n\n\n\n\n\n\n\tvpclmulqdq\t$0x00,%xmm3,%xmm3,%xmm0\n\tvpclmulqdq\t$0x01,%xmm3,%xmm3,%xmm1\n\tvpclmulqdq\t$0x10,%xmm3,%xmm3,%xmm2\n\tvpxord\t%xmm2,%xmm1,%xmm1\n\tvpclmulqdq\t$0x01,%xmm0,%xmm5,%xmm2\n\tvpshufd\t$0x4e,%xmm0,%xmm0\n\tvpternlogd\t$0x96,%xmm2,%xmm0,%xmm1\n\tvpclmulqdq\t$0x11,%xmm3,%xmm3,%xmm4\n\tvpclmulqdq\t$0x01,%xmm1,%xmm5,%xmm0\n\tvpshufd\t$0x4e,%xmm1,%xmm1\n\tvpternlogd\t$0x96,%xmm0,%xmm1,%xmm4\n\n\n\n\tvinserti128\t$1,%xmm3,%ymm4,%ymm3\n\tvinserti128\t$1,%xmm4,%ymm4,%ymm4\n\tvpclmulqdq\t$0x00,%ymm4,%ymm3,%ymm0\n\tvpclmulqdq\t$0x01,%ymm4,%ymm3,%ymm1\n\tvpclmulqdq\t$0x10,%ymm4,%ymm3,%ymm2\n\tvpxord\t%ymm2,%ymm1,%ymm1\n\tvpclmulqdq\t$0x01,%ymm0,%ymm5,%ymm2\n\tvpshufd\t$0x4e,%ymm0,%ymm0\n\tvpternlogd\t$0x96,%ymm2,%ymm0,%ymm1\n\tvpclmulqdq\t$0x11,%ymm4,%ymm3,%ymm4\n\tvpclmulqdq\t$0x01,%ymm1,%ymm5,%ymm0\n\tvpshufd\t$0x4e,%ymm1,%ymm1\n\tvpternlogd\t$0x96,%ymm0,%ymm1,%ymm4\n\n\tvinserti64x4\t$1,%ymm3,%zmm4,%zmm3\n\tvshufi64x2\t$0,%zmm4,%zmm4,%zmm4\n\n\tvmovdqu8\t%zmm3,(%r8)\n\n\n\n\n\n\tmovl\t$3,%eax\nL$precompute_next__func1:\n\tsubq\t$64,%r8\n\tvpclmulqdq\t$0x00,%zmm4,%zmm3,%zmm0\n\tvpclmulqdq\t$0x01,%zmm4,%zmm3,%zmm1\n\tvpclmulqdq\t$0x10,%zmm4,%zmm3,%zmm2\n\tvpxord\t%zmm2,%zmm1,%zmm1\n\tvpclmulqdq\t$0x01,%zmm0,%zmm5,%zmm2\n\tvpshufd\t$0x4e,%zmm0,%zmm0\n\tvpternlogd\t$0x96,%zmm2,%zmm0,%zmm1\n\tvpclmulqdq\t$0x11,%zmm4,%zmm3,%zmm3\n\tvpclmulqdq\t$0x01,%zmm1,%zmm5,%zmm0\n\tvpshufd\t$0x4e,%zmm1,%zmm1\n\tvpternlogd\t$0x96,%zmm0,%zmm1,%zmm3\n\n\tvmovdqu8\t%zmm3,(%r8)\n\tdecl\t%eax\n\tjnz\tL$precompute_next__func1\n\n\tvzeroupper\n\tret\n\n\n\n.globl\t_gcm_ghash_vpclmulqdq_avx10_512\n.private_extern _gcm_ghash_vpclmulqdq_avx10_512\n\n.p2align\t5\n_gcm_ghash_vpclmulqdq_avx10_512:\n\n\n_CET_ENDBR\n\n\n\n\n\n\n\tvmovdqu\tL$bswap_mask(%rip),%xmm4\n\tvmovdqu\tL$gfpoly(%rip),%xmm10\n\n\n\tvmovdqu\t(%rdi),%xmm5\n\tvpshufb\t%xmm4,%xmm5,%xmm5\n\n\n\tcmpq\t$64,%rcx\n\tjb\tL$aad_blockbyblock__func1\n\n\n\n\tvshufi64x2\t$0,%zmm4,%zmm4,%zmm4\n\tvshufi64x2\t$0,%zmm10,%zmm10,%zmm10\n\n\n\tvmovdqu8\t256-64(%rsi),%zmm9\n\n\tcmpq\t$256-1,%rcx\n\tjbe\tL$aad_loop_1x__func1\n\n\n\tvmovdqu8\t256-256(%rsi),%zmm6\n\tvmovdqu8\t256-192(%rsi),%zmm7\n\tvmovdqu8\t256-128(%rsi),%zmm8\n\n\nL$aad_loop_4x__func1:\n\tvmovdqu8\t0(%rdx),%zmm0\n\tvmovdqu8\t64(%rdx),%zmm1\n\tvmovdqu8\t128(%rdx),%zmm2\n\tvmovdqu8\t192(%rdx),%zmm3\n\tvpshufb\t%zmm4,%zmm0,%zmm0\n\tvpxord\t%zmm5,%zmm0,%zmm0\n\tvpshufb\t%zmm4,%zmm1,%zmm1\n\tvpshufb\t%zmm4,%zmm2,%zmm2\n\tvpshufb\t%zmm4,%zmm3,%zmm3\n\tvpclmulqdq\t$0x00,%zmm6,%zmm0,%zmm5\n\tvpclmulqdq\t$0x00,%zmm7,%zmm1,%zmm11\n\tvpclmulqdq\t$0x00,%zmm8,%zmm2,%zmm12\n\tvpxord\t%zmm11,%zmm5,%zmm5\n\tvpclmulqdq\t$0x00,%zmm9,%zmm3,%zmm13\n\tvpternlogd\t$0x96,%zmm13,%zmm12,%zmm5\n\tvpclmulqdq\t$0x01,%zmm6,%zmm0,%zmm11\n\tvpclmulqdq\t$0x01,%zmm7,%zmm1,%zmm12\n\tvpclmulqdq\t$0x01,%zmm8,%zmm2,%zmm13\n\tvpternlogd\t$0x96,%zmm13,%zmm12,%zmm11\n\tvpclmulqdq\t$0x01,%zmm9,%zmm3,%zmm12\n\tvpclmulqdq\t$0x10,%zmm6,%zmm0,%zmm13\n\tvpternlogd\t$0x96,%zmm13,%zmm12,%zmm11\n\tvpclmulqdq\t$0x10,%zmm7,%zmm1,%zmm12\n\tvpclmulqdq\t$0x10,%zmm8,%zmm2,%zmm13\n\tvpternlogd\t$0x96,%zmm13,%zmm12,%zmm11\n\tvpclmulqdq\t$0x01,%zmm5,%zmm10,%zmm13\n\tvpclmulqdq\t$0x10,%zmm9,%zmm3,%zmm12\n\tvpxord\t%zmm12,%zmm11,%zmm11\n\tvpshufd\t$0x4e,%zmm5,%zmm5\n\tvpclmulqdq\t$0x11,%zmm6,%zmm0,%zmm0\n\tvpclmulqdq\t$0x11,%zmm7,%zmm1,%zmm1\n\tvpclmulqdq\t$0x11,%zmm8,%zmm2,%zmm2\n\tvpternlogd\t$0x96,%zmm13,%zmm5,%zmm11\n\tvpclmulqdq\t$0x11,%zmm9,%zmm3,%zmm3\n\tvpternlogd\t$0x96,%zmm2,%zmm1,%zmm0\n\tvpclmulqdq\t$0x01,%zmm11,%zmm10,%zmm12\n\tvpxord\t%zmm3,%zmm0,%zmm5\n\tvpshufd\t$0x4e,%zmm11,%zmm11\n\tvpternlogd\t$0x96,%zmm12,%zmm11,%zmm5\n\tvextracti32x4\t$1,%zmm5,%xmm0\n\tvextracti32x4\t$2,%zmm5,%xmm1\n\tvextracti32x4\t$3,%zmm5,%xmm2\n\tvpxord\t%xmm0,%xmm5,%xmm5\n\tvpternlogd\t$0x96,%xmm1,%xmm2,%xmm5\n\n\tsubq\t$-256,%rdx\n\taddq\t$-256,%rcx\n\tcmpq\t$256-1,%rcx\n\tja\tL$aad_loop_4x__func1\n\n\n\tcmpq\t$64,%rcx\n\tjb\tL$aad_large_done__func1\nL$aad_loop_1x__func1:\n\tvmovdqu8\t(%rdx),%zmm0\n\tvpshufb\t%zmm4,%zmm0,%zmm0\n\tvpxord\t%zmm0,%zmm5,%zmm5\n\tvpclmulqdq\t$0x00,%zmm9,%zmm5,%zmm0\n\tvpclmulqdq\t$0x01,%zmm9,%zmm5,%zmm1\n\tvpclmulqdq\t$0x10,%zmm9,%zmm5,%zmm2\n\tvpxord\t%zmm2,%zmm1,%zmm1\n\tvpclmulqdq\t$0x01,%zmm0,%zmm10,%zmm2\n\tvpshufd\t$0x4e,%zmm0,%zmm0\n\tvpternlogd\t$0x96,%zmm2,%zmm0,%zmm1\n\tvpclmulqdq\t$0x11,%zmm9,%zmm5,%zmm5\n\tvpclmulqdq\t$0x01,%zmm1,%zmm10,%zmm0\n\tvpshufd\t$0x4e,%zmm1,%zmm1\n\tvpternlogd\t$0x96,%zmm0,%zmm1,%zmm5\n\n\tvextracti32x4\t$1,%zmm5,%xmm0\n\tvextracti32x4\t$2,%zmm5,%xmm1\n\tvextracti32x4\t$3,%zmm5,%xmm2\n\tvpxord\t%xmm0,%xmm5,%xmm5\n\tvpternlogd\t$0x96,%xmm1,%xmm2,%xmm5\n\n\taddq\t$64,%rdx\n\tsubq\t$64,%rcx\n\tcmpq\t$64,%rcx\n\tjae\tL$aad_loop_1x__func1\n\nL$aad_large_done__func1:\n\n\n\tvzeroupper\n\n\nL$aad_blockbyblock__func1:\n\ttestq\t%rcx,%rcx\n\tjz\tL$aad_done__func1\n\tvmovdqu\t256-16(%rsi),%xmm9\nL$aad_loop_blockbyblock__func1:\n\tvmovdqu\t(%rdx),%xmm0\n\tvpshufb\t%xmm4,%xmm0,%xmm0\n\tvpxor\t%xmm0,%xmm5,%xmm5\n\tvpclmulqdq\t$0x00,%xmm9,%xmm5,%xmm0\n\tvpclmulqdq\t$0x01,%xmm9,%xmm5,%xmm1\n\tvpclmulqdq\t$0x10,%xmm9,%xmm5,%xmm2\n\tvpxord\t%xmm2,%xmm1,%xmm1\n\tvpclmulqdq\t$0x01,%xmm0,%xmm10,%xmm2\n\tvpshufd\t$0x4e,%xmm0,%xmm0\n\tvpternlogd\t$0x96,%xmm2,%xmm0,%xmm1\n\tvpclmulqdq\t$0x11,%xmm9,%xmm5,%xmm5\n\tvpclmulqdq\t$0x01,%xmm1,%xmm10,%xmm0\n\tvpshufd\t$0x4e,%xmm1,%xmm1\n\tvpternlogd\t$0x96,%xmm0,%xmm1,%xmm5\n\n\taddq\t$16,%rdx\n\tsubq\t$16,%rcx\n\tjnz\tL$aad_loop_blockbyblock__func1\n\nL$aad_done__func1:\n\n\tvpshufb\t%xmm4,%xmm5,%xmm5\n\tvmovdqu\t%xmm5,(%rdi)\n\tret\n\n\n\n.globl\t_aes_gcm_enc_update_vaes_avx10_512\n.private_extern _aes_gcm_enc_update_vaes_avx10_512\n\n.p2align\t5\n_aes_gcm_enc_update_vaes_avx10_512:\n\n\n_CET_ENDBR\n\tpushq\t%r12\n\n\n\tmovq\t16(%rsp),%r12\n#ifdef BORINGSSL_DISPATCH_TEST\n\n\tmovb\t$1,_BORINGSSL_function_hit+7(%rip)\n#endif\n\n\tvbroadcasti32x4\tL$bswap_mask(%rip),%zmm8\n\tvbroadcasti32x4\tL$gfpoly(%rip),%zmm31\n\n\n\n\tvmovdqu\t(%r12),%xmm10\n\tvpshufb\t%xmm8,%xmm10,%xmm10\n\tvbroadcasti32x4\t(%r8),%zmm12\n\tvpshufb\t%zmm8,%zmm12,%zmm12\n\n\n\n\tmovl\t240(%rcx),%r10d\n\tleal\t-20(,%r10,4),%r10d\n\n\n\n\n\tleaq\t96(%rcx,%r10,4),%r11\n\tvbroadcasti32x4\t(%rcx),%zmm13\n\tvbroadcasti32x4\t(%r11),%zmm14\n\n\n\tvpaddd\tL$ctr_pattern(%rip),%zmm12,%zmm12\n\n\n\tvbroadcasti32x4\tL$inc_4blocks(%rip),%zmm11\n\n\n\n\tcmpq\t$256-1,%rdx\n\tjbe\tL$crypt_loop_4x_done__func1\n\n\n\tvmovdqu8\t256-256(%r9),%zmm27\n\tvmovdqu8\t256-192(%r9),%zmm28\n\tvmovdqu8\t256-128(%r9),%zmm29\n\tvmovdqu8\t256-64(%r9),%zmm30\n\n\n\n\n\tvpshufb\t%zmm8,%zmm12,%zmm0\n\tvpaddd\t%zmm11,%zmm12,%zmm12\n\tvpshufb\t%zmm8,%zmm12,%zmm1\n\tvpaddd\t%zmm11,%zmm12,%zmm12\n\tvpshufb\t%zmm8,%zmm12,%zmm2\n\tvpaddd\t%zmm11,%zmm12,%zmm12\n\tvpshufb\t%zmm8,%zmm12,%zmm3\n\tvpaddd\t%zmm11,%zmm12,%zmm12\n\n\n\tvpxord\t%zmm13,%zmm0,%zmm0\n\tvpxord\t%zmm13,%zmm1,%zmm1\n\tvpxord\t%zmm13,%zmm2,%zmm2\n\tvpxord\t%zmm13,%zmm3,%zmm3\n\n\tleaq\t16(%rcx),%rax\nL$vaesenc_loop_first_4_vecs__func1:\n\tvbroadcasti32x4\t(%rax),%zmm9\n\tvaesenc\t%zmm9,%zmm0,%zmm0\n\tvaesenc\t%zmm9,%zmm1,%zmm1\n\tvaesenc\t%zmm9,%zmm2,%zmm2\n\tvaesenc\t%zmm9,%zmm3,%zmm3\n\n\taddq\t$16,%rax\n\tcmpq\t%rax,%r11\n\tjne\tL$vaesenc_loop_first_4_vecs__func1\n\n\n\n\tvpxord\t0(%rdi),%zmm14,%zmm4\n\tvpxord\t64(%rdi),%zmm14,%zmm5\n\tvpxord\t128(%rdi),%zmm14,%zmm6\n\tvpxord\t192(%rdi),%zmm14,%zmm7\n\n\n\n\tvaesenclast\t%zmm4,%zmm0,%zmm4\n\tvaesenclast\t%zmm5,%zmm1,%zmm5\n\tvaesenclast\t%zmm6,%zmm2,%zmm6\n\tvaesenclast\t%zmm7,%zmm3,%zmm7\n\n\n\tvmovdqu8\t%zmm4,0(%rsi)\n\tvmovdqu8\t%zmm5,64(%rsi)\n\tvmovdqu8\t%zmm6,128(%rsi)\n\tvmovdqu8\t%zmm7,192(%rsi)\n\n\tsubq\t$-256,%rdi\n\tsubq\t$-256,%rsi\n\taddq\t$-256,%rdx\n\tcmpq\t$256-1,%rdx\n\tjbe\tL$ghash_last_ciphertext_4x__func1\n\tvbroadcasti32x4\t-144(%r11),%zmm15\n\tvbroadcasti32x4\t-128(%r11),%zmm16\n\tvbroadcasti32x4\t-112(%r11),%zmm17\n\tvbroadcasti32x4\t-96(%r11),%zmm18\n\tvbroadcasti32x4\t-80(%r11),%zmm19\n\tvbroadcasti32x4\t-64(%r11),%zmm20\n\tvbroadcasti32x4\t-48(%r11),%zmm21\n\tvbroadcasti32x4\t-32(%r11),%zmm22\n\tvbroadcasti32x4\t-16(%r11),%zmm23\nL$crypt_loop_4x__func1:\n\n\n\n\tvpshufb\t%zmm8,%zmm12,%zmm0\n\tvpaddd\t%zmm11,%zmm12,%zmm12\n\tvpshufb\t%zmm8,%zmm12,%zmm1\n\tvpaddd\t%zmm11,%zmm12,%zmm12\n\tvpshufb\t%zmm8,%zmm12,%zmm2\n\tvpaddd\t%zmm11,%zmm12,%zmm12\n\tvpshufb\t%zmm8,%zmm12,%zmm3\n\tvpaddd\t%zmm11,%zmm12,%zmm12\n\n\n\tvpxord\t%zmm13,%zmm0,%zmm0\n\tvpxord\t%zmm13,%zmm1,%zmm1\n\tvpxord\t%zmm13,%zmm2,%zmm2\n\tvpxord\t%zmm13,%zmm3,%zmm3\n\n\tcmpl\t$24,%r10d\n\tjl\tL$aes128__func1\n\tje\tL$aes192__func1\n\n\tvbroadcasti32x4\t-208(%r11),%zmm9\n\tvaesenc\t%zmm9,%zmm0,%zmm0\n\tvaesenc\t%zmm9,%zmm1,%zmm1\n\tvaesenc\t%zmm9,%zmm2,%zmm2\n\tvaesenc\t%zmm9,%zmm3,%zmm3\n\n\tvbroadcasti32x4\t-192(%r11),%zmm9\n\tvaesenc\t%zmm9,%zmm0,%zmm0\n\tvaesenc\t%zmm9,%zmm1,%zmm1\n\tvaesenc\t%zmm9,%zmm2,%zmm2\n\tvaesenc\t%zmm9,%zmm3,%zmm3\n\nL$aes192__func1:\n\tvbroadcasti32x4\t-176(%r11),%zmm9\n\tvaesenc\t%zmm9,%zmm0,%zmm0\n\tvaesenc\t%zmm9,%zmm1,%zmm1\n\tvaesenc\t%zmm9,%zmm2,%zmm2\n\tvaesenc\t%zmm9,%zmm3,%zmm3\n\n\tvbroadcasti32x4\t-160(%r11),%zmm9\n\tvaesenc\t%zmm9,%zmm0,%zmm0\n\tvaesenc\t%zmm9,%zmm1,%zmm1\n\tvaesenc\t%zmm9,%zmm2,%zmm2\n\tvaesenc\t%zmm9,%zmm3,%zmm3\n\nL$aes128__func1:\n\tprefetcht0\t512+0(%rdi)\n\tprefetcht0\t512+64(%rdi)\n\tprefetcht0\t512+128(%rdi)\n\tprefetcht0\t512+192(%rdi)\n\tvpshufb\t%zmm8,%zmm4,%zmm4\n\tvpxord\t%zmm10,%zmm4,%zmm4\n\tvpshufb\t%zmm8,%zmm5,%zmm5\n\tvpshufb\t%zmm8,%zmm6,%zmm6\n\n\tvaesenc\t%zmm15,%zmm0,%zmm0\n\tvaesenc\t%zmm15,%zmm1,%zmm1\n\tvaesenc\t%zmm15,%zmm2,%zmm2\n\tvaesenc\t%zmm15,%zmm3,%zmm3\n\n\tvpshufb\t%zmm8,%zmm7,%zmm7\n\tvpclmulqdq\t$0x00,%zmm27,%zmm4,%zmm10\n\tvpclmulqdq\t$0x00,%zmm28,%zmm5,%zmm24\n\tvpclmulqdq\t$0x00,%zmm29,%zmm6,%zmm25\n\n\tvaesenc\t%zmm16,%zmm0,%zmm0\n\tvaesenc\t%zmm16,%zmm1,%zmm1\n\tvaesenc\t%zmm16,%zmm2,%zmm2\n\tvaesenc\t%zmm16,%zmm3,%zmm3\n\n\tvpxord\t%zmm24,%zmm10,%zmm10\n\tvpclmulqdq\t$0x00,%zmm30,%zmm7,%zmm26\n\tvpternlogd\t$0x96,%zmm26,%zmm25,%zmm10\n\tvpclmulqdq\t$0x01,%zmm27,%zmm4,%zmm24\n\n\tvaesenc\t%zmm17,%zmm0,%zmm0\n\tvaesenc\t%zmm17,%zmm1,%zmm1\n\tvaesenc\t%zmm17,%zmm2,%zmm2\n\tvaesenc\t%zmm17,%zmm3,%zmm3\n\n\tvpclmulqdq\t$0x01,%zmm28,%zmm5,%zmm25\n\tvpclmulqdq\t$0x01,%zmm29,%zmm6,%zmm26\n\tvpternlogd\t$0x96,%zmm26,%zmm25,%zmm24\n\tvpclmulqdq\t$0x01,%zmm30,%zmm7,%zmm25\n\n\tvaesenc\t%zmm18,%zmm0,%zmm0\n\tvaesenc\t%zmm18,%zmm1,%zmm1\n\tvaesenc\t%zmm18,%zmm2,%zmm2\n\tvaesenc\t%zmm18,%zmm3,%zmm3\n\n\tvpclmulqdq\t$0x10,%zmm27,%zmm4,%zmm26\n\tvpternlogd\t$0x96,%zmm26,%zmm25,%zmm24\n\tvpclmulqdq\t$0x10,%zmm28,%zmm5,%zmm25\n\tvpclmulqdq\t$0x10,%zmm29,%zmm6,%zmm26\n\n\tvaesenc\t%zmm19,%zmm0,%zmm0\n\tvaesenc\t%zmm19,%zmm1,%zmm1\n\tvaesenc\t%zmm19,%zmm2,%zmm2\n\tvaesenc\t%zmm19,%zmm3,%zmm3\n\n\tvpternlogd\t$0x96,%zmm26,%zmm25,%zmm24\n\tvpclmulqdq\t$0x01,%zmm10,%zmm31,%zmm26\n\tvpclmulqdq\t$0x10,%zmm30,%zmm7,%zmm25\n\tvpxord\t%zmm25,%zmm24,%zmm24\n\n\tvaesenc\t%zmm20,%zmm0,%zmm0\n\tvaesenc\t%zmm20,%zmm1,%zmm1\n\tvaesenc\t%zmm20,%zmm2,%zmm2\n\tvaesenc\t%zmm20,%zmm3,%zmm3\n\n\tvpshufd\t$0x4e,%zmm10,%zmm10\n\tvpclmulqdq\t$0x11,%zmm27,%zmm4,%zmm4\n\tvpclmulqdq\t$0x11,%zmm28,%zmm5,%zmm5\n\tvpclmulqdq\t$0x11,%zmm29,%zmm6,%zmm6\n\n\tvaesenc\t%zmm21,%zmm0,%zmm0\n\tvaesenc\t%zmm21,%zmm1,%zmm1\n\tvaesenc\t%zmm21,%zmm2,%zmm2\n\tvaesenc\t%zmm21,%zmm3,%zmm3\n\n\tvpternlogd\t$0x96,%zmm26,%zmm10,%zmm24\n\tvpclmulqdq\t$0x11,%zmm30,%zmm7,%zmm7\n\tvpternlogd\t$0x96,%zmm6,%zmm5,%zmm4\n\tvpclmulqdq\t$0x01,%zmm24,%zmm31,%zmm25\n\n\tvaesenc\t%zmm22,%zmm0,%zmm0\n\tvaesenc\t%zmm22,%zmm1,%zmm1\n\tvaesenc\t%zmm22,%zmm2,%zmm2\n\tvaesenc\t%zmm22,%zmm3,%zmm3\n\n\tvpxord\t%zmm7,%zmm4,%zmm10\n\tvpshufd\t$0x4e,%zmm24,%zmm24\n\tvpternlogd\t$0x96,%zmm25,%zmm24,%zmm10\n\n\tvaesenc\t%zmm23,%zmm0,%zmm0\n\tvaesenc\t%zmm23,%zmm1,%zmm1\n\tvaesenc\t%zmm23,%zmm2,%zmm2\n\tvaesenc\t%zmm23,%zmm3,%zmm3\n\n\tvextracti32x4\t$1,%zmm10,%xmm4\n\tvextracti32x4\t$2,%zmm10,%xmm5\n\tvextracti32x4\t$3,%zmm10,%xmm6\n\tvpxord\t%xmm4,%xmm10,%xmm10\n\tvpternlogd\t$0x96,%xmm5,%xmm6,%xmm10\n\n\n\n\n\tvpxord\t0(%rdi),%zmm14,%zmm4\n\tvpxord\t64(%rdi),%zmm14,%zmm5\n\tvpxord\t128(%rdi),%zmm14,%zmm6\n\tvpxord\t192(%rdi),%zmm14,%zmm7\n\n\n\n\tvaesenclast\t%zmm4,%zmm0,%zmm4\n\tvaesenclast\t%zmm5,%zmm1,%zmm5\n\tvaesenclast\t%zmm6,%zmm2,%zmm6\n\tvaesenclast\t%zmm7,%zmm3,%zmm7\n\n\n\tvmovdqu8\t%zmm4,0(%rsi)\n\tvmovdqu8\t%zmm5,64(%rsi)\n\tvmovdqu8\t%zmm6,128(%rsi)\n\tvmovdqu8\t%zmm7,192(%rsi)\n\n\tsubq\t$-256,%rdi\n\tsubq\t$-256,%rsi\n\taddq\t$-256,%rdx\n\tcmpq\t$256-1,%rdx\n\tja\tL$crypt_loop_4x__func1\nL$ghash_last_ciphertext_4x__func1:\n\tvpshufb\t%zmm8,%zmm4,%zmm4\n\tvpxord\t%zmm10,%zmm4,%zmm4\n\tvpshufb\t%zmm8,%zmm5,%zmm5\n\tvpshufb\t%zmm8,%zmm6,%zmm6\n\tvpshufb\t%zmm8,%zmm7,%zmm7\n\tvpclmulqdq\t$0x00,%zmm27,%zmm4,%zmm10\n\tvpclmulqdq\t$0x00,%zmm28,%zmm5,%zmm24\n\tvpclmulqdq\t$0x00,%zmm29,%zmm6,%zmm25\n\tvpxord\t%zmm24,%zmm10,%zmm10\n\tvpclmulqdq\t$0x00,%zmm30,%zmm7,%zmm26\n\tvpternlogd\t$0x96,%zmm26,%zmm25,%zmm10\n\tvpclmulqdq\t$0x01,%zmm27,%zmm4,%zmm24\n\tvpclmulqdq\t$0x01,%zmm28,%zmm5,%zmm25\n\tvpclmulqdq\t$0x01,%zmm29,%zmm6,%zmm26\n\tvpternlogd\t$0x96,%zmm26,%zmm25,%zmm24\n\tvpclmulqdq\t$0x01,%zmm30,%zmm7,%zmm25\n\tvpclmulqdq\t$0x10,%zmm27,%zmm4,%zmm26\n\tvpternlogd\t$0x96,%zmm26,%zmm25,%zmm24\n\tvpclmulqdq\t$0x10,%zmm28,%zmm5,%zmm25\n\tvpclmulqdq\t$0x10,%zmm29,%zmm6,%zmm26\n\tvpternlogd\t$0x96,%zmm26,%zmm25,%zmm24\n\tvpclmulqdq\t$0x01,%zmm10,%zmm31,%zmm26\n\tvpclmulqdq\t$0x10,%zmm30,%zmm7,%zmm25\n\tvpxord\t%zmm25,%zmm24,%zmm24\n\tvpshufd\t$0x4e,%zmm10,%zmm10\n\tvpclmulqdq\t$0x11,%zmm27,%zmm4,%zmm4\n\tvpclmulqdq\t$0x11,%zmm28,%zmm5,%zmm5\n\tvpclmulqdq\t$0x11,%zmm29,%zmm6,%zmm6\n\tvpternlogd\t$0x96,%zmm26,%zmm10,%zmm24\n\tvpclmulqdq\t$0x11,%zmm30,%zmm7,%zmm7\n\tvpternlogd\t$0x96,%zmm6,%zmm5,%zmm4\n\tvpclmulqdq\t$0x01,%zmm24,%zmm31,%zmm25\n\tvpxord\t%zmm7,%zmm4,%zmm10\n\tvpshufd\t$0x4e,%zmm24,%zmm24\n\tvpternlogd\t$0x96,%zmm25,%zmm24,%zmm10\n\tvextracti32x4\t$1,%zmm10,%xmm4\n\tvextracti32x4\t$2,%zmm10,%xmm5\n\tvextracti32x4\t$3,%zmm10,%xmm6\n\tvpxord\t%xmm4,%xmm10,%xmm10\n\tvpternlogd\t$0x96,%xmm5,%xmm6,%xmm10\n\nL$crypt_loop_4x_done__func1:\n\n\ttestq\t%rdx,%rdx\n\tjz\tL$done__func1\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\tmovq\t%rdx,%rax\n\tnegq\t%rax\n\tandq\t$-16,%rax\n\tleaq\t256(%r9,%rax,1),%r8\n\tvpxor\t%xmm4,%xmm4,%xmm4\n\tvpxor\t%xmm5,%xmm5,%xmm5\n\tvpxor\t%xmm6,%xmm6,%xmm6\n\n\tcmpq\t$64,%rdx\n\tjb\tL$partial_vec__func1\n\nL$crypt_loop_1x__func1:\n\n\n\n\tvpshufb\t%zmm8,%zmm12,%zmm0\n\tvpaddd\t%zmm11,%zmm12,%zmm12\n\tvpxord\t%zmm13,%zmm0,%zmm0\n\tleaq\t16(%rcx),%rax\nL$vaesenc_loop_tail_full_vec__func1:\n\tvbroadcasti32x4\t(%rax),%zmm9\n\tvaesenc\t%zmm9,%zmm0,%zmm0\n\taddq\t$16,%rax\n\tcmpq\t%rax,%r11\n\tjne\tL$vaesenc_loop_tail_full_vec__func1\n\tvaesenclast\t%zmm14,%zmm0,%zmm0\n\n\n\tvmovdqu8\t(%rdi),%zmm1\n\tvpxord\t%zmm1,%zmm0,%zmm0\n\tvmovdqu8\t%zmm0,(%rsi)\n\n\n\tvmovdqu8\t(%r8),%zmm30\n\tvpshufb\t%zmm8,%zmm0,%zmm0\n\tvpxord\t%zmm10,%zmm0,%zmm0\n\tvpclmulqdq\t$0x00,%zmm30,%zmm0,%zmm7\n\tvpclmulqdq\t$0x01,%zmm30,%zmm0,%zmm1\n\tvpclmulqdq\t$0x10,%zmm30,%zmm0,%zmm2\n\tvpclmulqdq\t$0x11,%zmm30,%zmm0,%zmm3\n\tvpxord\t%zmm7,%zmm4,%zmm4\n\tvpternlogd\t$0x96,%zmm2,%zmm1,%zmm5\n\tvpxord\t%zmm3,%zmm6,%zmm6\n\n\tvpxor\t%xmm10,%xmm10,%xmm10\n\n\taddq\t$64,%r8\n\taddq\t$64,%rdi\n\taddq\t$64,%rsi\n\tsubq\t$64,%rdx\n\tcmpq\t$64,%rdx\n\tjae\tL$crypt_loop_1x__func1\n\n\ttestq\t%rdx,%rdx\n\tjz\tL$reduce__func1\n\nL$partial_vec__func1:\n\n\n\n\n\tmovq\t$-1,%rax\n\tbzhiq\t%rdx,%rax,%rax\n\tkmovq\t%rax,%k1\n\taddq\t$15,%rdx\n\tandq\t$-16,%rdx\n\tmovq\t$-1,%rax\n\tbzhiq\t%rdx,%rax,%rax\n\tkmovq\t%rax,%k2\n\n\n\n\tvpshufb\t%zmm8,%zmm12,%zmm0\n\tvpxord\t%zmm13,%zmm0,%zmm0\n\tleaq\t16(%rcx),%rax\nL$vaesenc_loop_tail_partialvec__func1:\n\tvbroadcasti32x4\t(%rax),%zmm9\n\tvaesenc\t%zmm9,%zmm0,%zmm0\n\taddq\t$16,%rax\n\tcmpq\t%rax,%r11\n\tjne\tL$vaesenc_loop_tail_partialvec__func1\n\tvaesenclast\t%zmm14,%zmm0,%zmm0\n\n\n\tvmovdqu8\t(%rdi),%zmm1{%k1}{z}\n\tvpxord\t%zmm1,%zmm0,%zmm0\n\tvmovdqu8\t%zmm0,(%rsi){%k1}\n\n\n\n\n\n\n\n\n\n\n\n\n\n\tvmovdqu8\t(%r8),%zmm30{%k2}{z}\n\tvmovdqu8\t%zmm0,%zmm1{%k1}{z}\n\tvpshufb\t%zmm8,%zmm1,%zmm0\n\tvpxord\t%zmm10,%zmm0,%zmm0\n\tvpclmulqdq\t$0x00,%zmm30,%zmm0,%zmm7\n\tvpclmulqdq\t$0x01,%zmm30,%zmm0,%zmm1\n\tvpclmulqdq\t$0x10,%zmm30,%zmm0,%zmm2\n\tvpclmulqdq\t$0x11,%zmm30,%zmm0,%zmm3\n\tvpxord\t%zmm7,%zmm4,%zmm4\n\tvpternlogd\t$0x96,%zmm2,%zmm1,%zmm5\n\tvpxord\t%zmm3,%zmm6,%zmm6\n\n\nL$reduce__func1:\n\n\tvpclmulqdq\t$0x01,%zmm4,%zmm31,%zmm0\n\tvpshufd\t$0x4e,%zmm4,%zmm4\n\tvpternlogd\t$0x96,%zmm0,%zmm4,%zmm5\n\tvpclmulqdq\t$0x01,%zmm5,%zmm31,%zmm0\n\tvpshufd\t$0x4e,%zmm5,%zmm5\n\tvpternlogd\t$0x96,%zmm0,%zmm5,%zmm6\n\n\tvextracti32x4\t$1,%zmm6,%xmm0\n\tvextracti32x4\t$2,%zmm6,%xmm1\n\tvextracti32x4\t$3,%zmm6,%xmm2\n\tvpxord\t%xmm0,%xmm6,%xmm10\n\tvpternlogd\t$0x96,%xmm1,%xmm2,%xmm10\n\n\nL$done__func1:\n\n\tvpshufb\t%xmm8,%xmm10,%xmm10\n\tvmovdqu\t%xmm10,(%r12)\n\n\tvzeroupper\n\tpopq\t%r12\n\n\tret\n\n\n\n.globl\t_aes_gcm_dec_update_vaes_avx10_512\n.private_extern _aes_gcm_dec_update_vaes_avx10_512\n\n.p2align\t5\n_aes_gcm_dec_update_vaes_avx10_512:\n\n\n_CET_ENDBR\n\tpushq\t%r12\n\n\n\tmovq\t16(%rsp),%r12\n\n\tvbroadcasti32x4\tL$bswap_mask(%rip),%zmm8\n\tvbroadcasti32x4\tL$gfpoly(%rip),%zmm31\n\n\n\n\tvmovdqu\t(%r12),%xmm10\n\tvpshufb\t%xmm8,%xmm10,%xmm10\n\tvbroadcasti32x4\t(%r8),%zmm12\n\tvpshufb\t%zmm8,%zmm12,%zmm12\n\n\n\n\tmovl\t240(%rcx),%r10d\n\tleal\t-20(,%r10,4),%r10d\n\n\n\n\n\tleaq\t96(%rcx,%r10,4),%r11\n\tvbroadcasti32x4\t(%rcx),%zmm13\n\tvbroadcasti32x4\t(%r11),%zmm14\n\n\n\tvpaddd\tL$ctr_pattern(%rip),%zmm12,%zmm12\n\n\n\tvbroadcasti32x4\tL$inc_4blocks(%rip),%zmm11\n\n\n\n\tcmpq\t$256-1,%rdx\n\tjbe\tL$crypt_loop_4x_done__func2\n\n\n\tvmovdqu8\t256-256(%r9),%zmm27\n\tvmovdqu8\t256-192(%r9),%zmm28\n\tvmovdqu8\t256-128(%r9),%zmm29\n\tvmovdqu8\t256-64(%r9),%zmm30\n\tvbroadcasti32x4\t-144(%r11),%zmm15\n\tvbroadcasti32x4\t-128(%r11),%zmm16\n\tvbroadcasti32x4\t-112(%r11),%zmm17\n\tvbroadcasti32x4\t-96(%r11),%zmm18\n\tvbroadcasti32x4\t-80(%r11),%zmm19\n\tvbroadcasti32x4\t-64(%r11),%zmm20\n\tvbroadcasti32x4\t-48(%r11),%zmm21\n\tvbroadcasti32x4\t-32(%r11),%zmm22\n\tvbroadcasti32x4\t-16(%r11),%zmm23\nL$crypt_loop_4x__func2:\n\tvmovdqu8\t0(%rdi),%zmm4\n\tvmovdqu8\t64(%rdi),%zmm5\n\tvmovdqu8\t128(%rdi),%zmm6\n\tvmovdqu8\t192(%rdi),%zmm7\n\n\n\n\tvpshufb\t%zmm8,%zmm12,%zmm0\n\tvpaddd\t%zmm11,%zmm12,%zmm12\n\tvpshufb\t%zmm8,%zmm12,%zmm1\n\tvpaddd\t%zmm11,%zmm12,%zmm12\n\tvpshufb\t%zmm8,%zmm12,%zmm2\n\tvpaddd\t%zmm11,%zmm12,%zmm12\n\tvpshufb\t%zmm8,%zmm12,%zmm3\n\tvpaddd\t%zmm11,%zmm12,%zmm12\n\n\n\tvpxord\t%zmm13,%zmm0,%zmm0\n\tvpxord\t%zmm13,%zmm1,%zmm1\n\tvpxord\t%zmm13,%zmm2,%zmm2\n\tvpxord\t%zmm13,%zmm3,%zmm3\n\n\tcmpl\t$24,%r10d\n\tjl\tL$aes128__func2\n\tje\tL$aes192__func2\n\n\tvbroadcasti32x4\t-208(%r11),%zmm9\n\tvaesenc\t%zmm9,%zmm0,%zmm0\n\tvaesenc\t%zmm9,%zmm1,%zmm1\n\tvaesenc\t%zmm9,%zmm2,%zmm2\n\tvaesenc\t%zmm9,%zmm3,%zmm3\n\n\tvbroadcasti32x4\t-192(%r11),%zmm9\n\tvaesenc\t%zmm9,%zmm0,%zmm0\n\tvaesenc\t%zmm9,%zmm1,%zmm1\n\tvaesenc\t%zmm9,%zmm2,%zmm2\n\tvaesenc\t%zmm9,%zmm3,%zmm3\n\nL$aes192__func2:\n\tvbroadcasti32x4\t-176(%r11),%zmm9\n\tvaesenc\t%zmm9,%zmm0,%zmm0\n\tvaesenc\t%zmm9,%zmm1,%zmm1\n\tvaesenc\t%zmm9,%zmm2,%zmm2\n\tvaesenc\t%zmm9,%zmm3,%zmm3\n\n\tvbroadcasti32x4\t-160(%r11),%zmm9\n\tvaesenc\t%zmm9,%zmm0,%zmm0\n\tvaesenc\t%zmm9,%zmm1,%zmm1\n\tvaesenc\t%zmm9,%zmm2,%zmm2\n\tvaesenc\t%zmm9,%zmm3,%zmm3\n\nL$aes128__func2:\n\tprefetcht0\t512+0(%rdi)\n\tprefetcht0\t512+64(%rdi)\n\tprefetcht0\t512+128(%rdi)\n\tprefetcht0\t512+192(%rdi)\n\tvpshufb\t%zmm8,%zmm4,%zmm4\n\tvpxord\t%zmm10,%zmm4,%zmm4\n\tvpshufb\t%zmm8,%zmm5,%zmm5\n\tvpshufb\t%zmm8,%zmm6,%zmm6\n\n\tvaesenc\t%zmm15,%zmm0,%zmm0\n\tvaesenc\t%zmm15,%zmm1,%zmm1\n\tvaesenc\t%zmm15,%zmm2,%zmm2\n\tvaesenc\t%zmm15,%zmm3,%zmm3\n\n\tvpshufb\t%zmm8,%zmm7,%zmm7\n\tvpclmulqdq\t$0x00,%zmm27,%zmm4,%zmm10\n\tvpclmulqdq\t$0x00,%zmm28,%zmm5,%zmm24\n\tvpclmulqdq\t$0x00,%zmm29,%zmm6,%zmm25\n\n\tvaesenc\t%zmm16,%zmm0,%zmm0\n\tvaesenc\t%zmm16,%zmm1,%zmm1\n\tvaesenc\t%zmm16,%zmm2,%zmm2\n\tvaesenc\t%zmm16,%zmm3,%zmm3\n\n\tvpxord\t%zmm24,%zmm10,%zmm10\n\tvpclmulqdq\t$0x00,%zmm30,%zmm7,%zmm26\n\tvpternlogd\t$0x96,%zmm26,%zmm25,%zmm10\n\tvpclmulqdq\t$0x01,%zmm27,%zmm4,%zmm24\n\n\tvaesenc\t%zmm17,%zmm0,%zmm0\n\tvaesenc\t%zmm17,%zmm1,%zmm1\n\tvaesenc\t%zmm17,%zmm2,%zmm2\n\tvaesenc\t%zmm17,%zmm3,%zmm3\n\n\tvpclmulqdq\t$0x01,%zmm28,%zmm5,%zmm25\n\tvpclmulqdq\t$0x01,%zmm29,%zmm6,%zmm26\n\tvpternlogd\t$0x96,%zmm26,%zmm25,%zmm24\n\tvpclmulqdq\t$0x01,%zmm30,%zmm7,%zmm25\n\n\tvaesenc\t%zmm18,%zmm0,%zmm0\n\tvaesenc\t%zmm18,%zmm1,%zmm1\n\tvaesenc\t%zmm18,%zmm2,%zmm2\n\tvaesenc\t%zmm18,%zmm3,%zmm3\n\n\tvpclmulqdq\t$0x10,%zmm27,%zmm4,%zmm26\n\tvpternlogd\t$0x96,%zmm26,%zmm25,%zmm24\n\tvpclmulqdq\t$0x10,%zmm28,%zmm5,%zmm25\n\tvpclmulqdq\t$0x10,%zmm29,%zmm6,%zmm26\n\n\tvaesenc\t%zmm19,%zmm0,%zmm0\n\tvaesenc\t%zmm19,%zmm1,%zmm1\n\tvaesenc\t%zmm19,%zmm2,%zmm2\n\tvaesenc\t%zmm19,%zmm3,%zmm3\n\n\tvpternlogd\t$0x96,%zmm26,%zmm25,%zmm24\n\tvpclmulqdq\t$0x01,%zmm10,%zmm31,%zmm26\n\tvpclmulqdq\t$0x10,%zmm30,%zmm7,%zmm25\n\tvpxord\t%zmm25,%zmm24,%zmm24\n\n\tvaesenc\t%zmm20,%zmm0,%zmm0\n\tvaesenc\t%zmm20,%zmm1,%zmm1\n\tvaesenc\t%zmm20,%zmm2,%zmm2\n\tvaesenc\t%zmm20,%zmm3,%zmm3\n\n\tvpshufd\t$0x4e,%zmm10,%zmm10\n\tvpclmulqdq\t$0x11,%zmm27,%zmm4,%zmm4\n\tvpclmulqdq\t$0x11,%zmm28,%zmm5,%zmm5\n\tvpclmulqdq\t$0x11,%zmm29,%zmm6,%zmm6\n\n\tvaesenc\t%zmm21,%zmm0,%zmm0\n\tvaesenc\t%zmm21,%zmm1,%zmm1\n\tvaesenc\t%zmm21,%zmm2,%zmm2\n\tvaesenc\t%zmm21,%zmm3,%zmm3\n\n\tvpternlogd\t$0x96,%zmm26,%zmm10,%zmm24\n\tvpclmulqdq\t$0x11,%zmm30,%zmm7,%zmm7\n\tvpternlogd\t$0x96,%zmm6,%zmm5,%zmm4\n\tvpclmulqdq\t$0x01,%zmm24,%zmm31,%zmm25\n\n\tvaesenc\t%zmm22,%zmm0,%zmm0\n\tvaesenc\t%zmm22,%zmm1,%zmm1\n\tvaesenc\t%zmm22,%zmm2,%zmm2\n\tvaesenc\t%zmm22,%zmm3,%zmm3\n\n\tvpxord\t%zmm7,%zmm4,%zmm10\n\tvpshufd\t$0x4e,%zmm24,%zmm24\n\tvpternlogd\t$0x96,%zmm25,%zmm24,%zmm10\n\n\tvaesenc\t%zmm23,%zmm0,%zmm0\n\tvaesenc\t%zmm23,%zmm1,%zmm1\n\tvaesenc\t%zmm23,%zmm2,%zmm2\n\tvaesenc\t%zmm23,%zmm3,%zmm3\n\n\tvextracti32x4\t$1,%zmm10,%xmm4\n\tvextracti32x4\t$2,%zmm10,%xmm5\n\tvextracti32x4\t$3,%zmm10,%xmm6\n\tvpxord\t%xmm4,%xmm10,%xmm10\n\tvpternlogd\t$0x96,%xmm5,%xmm6,%xmm10\n\n\n\n\n\tvpxord\t0(%rdi),%zmm14,%zmm4\n\tvpxord\t64(%rdi),%zmm14,%zmm5\n\tvpxord\t128(%rdi),%zmm14,%zmm6\n\tvpxord\t192(%rdi),%zmm14,%zmm7\n\n\n\n\tvaesenclast\t%zmm4,%zmm0,%zmm4\n\tvaesenclast\t%zmm5,%zmm1,%zmm5\n\tvaesenclast\t%zmm6,%zmm2,%zmm6\n\tvaesenclast\t%zmm7,%zmm3,%zmm7\n\n\n\tvmovdqu8\t%zmm4,0(%rsi)\n\tvmovdqu8\t%zmm5,64(%rsi)\n\tvmovdqu8\t%zmm6,128(%rsi)\n\tvmovdqu8\t%zmm7,192(%rsi)\n\n\tsubq\t$-256,%rdi\n\tsubq\t$-256,%rsi\n\taddq\t$-256,%rdx\n\tcmpq\t$256-1,%rdx\n\tja\tL$crypt_loop_4x__func2\nL$crypt_loop_4x_done__func2:\n\n\ttestq\t%rdx,%rdx\n\tjz\tL$done__func2\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\tmovq\t%rdx,%rax\n\tnegq\t%rax\n\tandq\t$-16,%rax\n\tleaq\t256(%r9,%rax,1),%r8\n\tvpxor\t%xmm4,%xmm4,%xmm4\n\tvpxor\t%xmm5,%xmm5,%xmm5\n\tvpxor\t%xmm6,%xmm6,%xmm6\n\n\tcmpq\t$64,%rdx\n\tjb\tL$partial_vec__func2\n\nL$crypt_loop_1x__func2:\n\n\n\n\tvpshufb\t%zmm8,%zmm12,%zmm0\n\tvpaddd\t%zmm11,%zmm12,%zmm12\n\tvpxord\t%zmm13,%zmm0,%zmm0\n\tleaq\t16(%rcx),%rax\nL$vaesenc_loop_tail_full_vec__func2:\n\tvbroadcasti32x4\t(%rax),%zmm9\n\tvaesenc\t%zmm9,%zmm0,%zmm0\n\taddq\t$16,%rax\n\tcmpq\t%rax,%r11\n\tjne\tL$vaesenc_loop_tail_full_vec__func2\n\tvaesenclast\t%zmm14,%zmm0,%zmm0\n\n\n\tvmovdqu8\t(%rdi),%zmm1\n\tvpxord\t%zmm1,%zmm0,%zmm0\n\tvmovdqu8\t%zmm0,(%rsi)\n\n\n\tvmovdqu8\t(%r8),%zmm30\n\tvpshufb\t%zmm8,%zmm1,%zmm0\n\tvpxord\t%zmm10,%zmm0,%zmm0\n\tvpclmulqdq\t$0x00,%zmm30,%zmm0,%zmm7\n\tvpclmulqdq\t$0x01,%zmm30,%zmm0,%zmm1\n\tvpclmulqdq\t$0x10,%zmm30,%zmm0,%zmm2\n\tvpclmulqdq\t$0x11,%zmm30,%zmm0,%zmm3\n\tvpxord\t%zmm7,%zmm4,%zmm4\n\tvpternlogd\t$0x96,%zmm2,%zmm1,%zmm5\n\tvpxord\t%zmm3,%zmm6,%zmm6\n\n\tvpxor\t%xmm10,%xmm10,%xmm10\n\n\taddq\t$64,%r8\n\taddq\t$64,%rdi\n\taddq\t$64,%rsi\n\tsubq\t$64,%rdx\n\tcmpq\t$64,%rdx\n\tjae\tL$crypt_loop_1x__func2\n\n\ttestq\t%rdx,%rdx\n\tjz\tL$reduce__func2\n\nL$partial_vec__func2:\n\n\n\n\n\tmovq\t$-1,%rax\n\tbzhiq\t%rdx,%rax,%rax\n\tkmovq\t%rax,%k1\n\taddq\t$15,%rdx\n\tandq\t$-16,%rdx\n\tmovq\t$-1,%rax\n\tbzhiq\t%rdx,%rax,%rax\n\tkmovq\t%rax,%k2\n\n\n\n\tvpshufb\t%zmm8,%zmm12,%zmm0\n\tvpxord\t%zmm13,%zmm0,%zmm0\n\tleaq\t16(%rcx),%rax\nL$vaesenc_loop_tail_partialvec__func2:\n\tvbroadcasti32x4\t(%rax),%zmm9\n\tvaesenc\t%zmm9,%zmm0,%zmm0\n\taddq\t$16,%rax\n\tcmpq\t%rax,%r11\n\tjne\tL$vaesenc_loop_tail_partialvec__func2\n\tvaesenclast\t%zmm14,%zmm0,%zmm0\n\n\n\tvmovdqu8\t(%rdi),%zmm1{%k1}{z}\n\tvpxord\t%zmm1,%zmm0,%zmm0\n\tvmovdqu8\t%zmm0,(%rsi){%k1}\n\n\n\n\n\n\n\n\n\n\n\n\n\n\tvmovdqu8\t(%r8),%zmm30{%k2}{z}\n\n\tvpshufb\t%zmm8,%zmm1,%zmm0\n\tvpxord\t%zmm10,%zmm0,%zmm0\n\tvpclmulqdq\t$0x00,%zmm30,%zmm0,%zmm7\n\tvpclmulqdq\t$0x01,%zmm30,%zmm0,%zmm1\n\tvpclmulqdq\t$0x10,%zmm30,%zmm0,%zmm2\n\tvpclmulqdq\t$0x11,%zmm30,%zmm0,%zmm3\n\tvpxord\t%zmm7,%zmm4,%zmm4\n\tvpternlogd\t$0x96,%zmm2,%zmm1,%zmm5\n\tvpxord\t%zmm3,%zmm6,%zmm6\n\n\nL$reduce__func2:\n\n\tvpclmulqdq\t$0x01,%zmm4,%zmm31,%zmm0\n\tvpshufd\t$0x4e,%zmm4,%zmm4\n\tvpternlogd\t$0x96,%zmm0,%zmm4,%zmm5\n\tvpclmulqdq\t$0x01,%zmm5,%zmm31,%zmm0\n\tvpshufd\t$0x4e,%zmm5,%zmm5\n\tvpternlogd\t$0x96,%zmm0,%zmm5,%zmm6\n\n\tvextracti32x4\t$1,%zmm6,%xmm0\n\tvextracti32x4\t$2,%zmm6,%xmm1\n\tvextracti32x4\t$3,%zmm6,%xmm2\n\tvpxord\t%xmm0,%xmm6,%xmm10\n\tvpternlogd\t$0x96,%xmm1,%xmm2,%xmm10\n\n\nL$done__func2:\n\n\tvpshufb\t%xmm8,%xmm10,%xmm10\n\tvmovdqu\t%xmm10,(%r12)\n\n\tvzeroupper\n\tpopq\t%r12\n\n\tret\n\n\n\n#endif\n#if defined(__linux__) && defined(__ELF__)\n.section .note.GNU-stack,\"\",%progbits\n#endif\n\n" }, { "path": "Sources/CNIOBoringSSL/gen/bcm/aes-gcm-avx10-x86_64-linux.S", "content": "#define BORINGSSL_PREFIX CNIOBoringSSL\n// This file is generated from a similarly-named Perl script in the BoringSSL\n// source tree. Do not edit by hand.\n\n#include \n\n#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86_64) && defined(__ELF__)\n.section\t.rodata\n.align\t64\n\n\n.Lbswap_mask:\n.quad\t0x08090a0b0c0d0e0f, 0x0001020304050607\n\n\n\n\n\n\n\n\n.Lgfpoly:\n.quad\t1, 0xc200000000000000\n\n\n.Lgfpoly_and_internal_carrybit:\n.quad\t1, 0xc200000000000001\n\n\n\n\n\n.Lctr_pattern:\n.quad\t0, 0\n.quad\t1, 0\n.Linc_2blocks:\n.quad\t2, 0\n.quad\t3, 0\n.Linc_4blocks:\n.quad\t4, 0\n\n.text\t\n.globl\tgcm_gmult_vpclmulqdq_avx10\n.hidden gcm_gmult_vpclmulqdq_avx10\n.type\tgcm_gmult_vpclmulqdq_avx10,@function\n.align\t32\ngcm_gmult_vpclmulqdq_avx10:\n.cfi_startproc\t\n\n_CET_ENDBR\n\n\n\n\tvmovdqu\t(%rdi),%xmm0\n\tvmovdqu\t.Lbswap_mask(%rip),%xmm1\n\tvmovdqu\t256-16(%rsi),%xmm2\n\tvmovdqu\t.Lgfpoly(%rip),%xmm3\n\tvpshufb\t%xmm1,%xmm0,%xmm0\n\n\tvpclmulqdq\t$0x00,%xmm2,%xmm0,%xmm4\n\tvpclmulqdq\t$0x01,%xmm2,%xmm0,%xmm5\n\tvpclmulqdq\t$0x10,%xmm2,%xmm0,%xmm6\n\tvpxord\t%xmm6,%xmm5,%xmm5\n\tvpclmulqdq\t$0x01,%xmm4,%xmm3,%xmm6\n\tvpshufd\t$0x4e,%xmm4,%xmm4\n\tvpternlogd\t$0x96,%xmm6,%xmm4,%xmm5\n\tvpclmulqdq\t$0x11,%xmm2,%xmm0,%xmm0\n\tvpclmulqdq\t$0x01,%xmm5,%xmm3,%xmm4\n\tvpshufd\t$0x4e,%xmm5,%xmm5\n\tvpternlogd\t$0x96,%xmm4,%xmm5,%xmm0\n\n\n\tvpshufb\t%xmm1,%xmm0,%xmm0\n\tvmovdqu\t%xmm0,(%rdi)\n\tret\n\n.cfi_endproc\t\n.size\tgcm_gmult_vpclmulqdq_avx10, . - gcm_gmult_vpclmulqdq_avx10\n.globl\tgcm_init_vpclmulqdq_avx10_512\n.hidden gcm_init_vpclmulqdq_avx10_512\n.type\tgcm_init_vpclmulqdq_avx10_512,@function\n.align\t32\ngcm_init_vpclmulqdq_avx10_512:\n.cfi_startproc\t\n\n_CET_ENDBR\n\n\tleaq\t256-64(%rdi),%r8\n\n\n\n\tvpshufd\t$0x4e,(%rsi),%xmm3\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\tvpshufd\t$0xd3,%xmm3,%xmm0\n\tvpsrad\t$31,%xmm0,%xmm0\n\tvpaddq\t%xmm3,%xmm3,%xmm3\n\n\tvpternlogd\t$0x78,.Lgfpoly_and_internal_carrybit(%rip),%xmm0,%xmm3\n\n\n\tvbroadcasti32x4\t.Lgfpoly(%rip),%zmm5\n\n\n\n\n\n\n\n\n\tvpclmulqdq\t$0x00,%xmm3,%xmm3,%xmm0\n\tvpclmulqdq\t$0x01,%xmm3,%xmm3,%xmm1\n\tvpclmulqdq\t$0x10,%xmm3,%xmm3,%xmm2\n\tvpxord\t%xmm2,%xmm1,%xmm1\n\tvpclmulqdq\t$0x01,%xmm0,%xmm5,%xmm2\n\tvpshufd\t$0x4e,%xmm0,%xmm0\n\tvpternlogd\t$0x96,%xmm2,%xmm0,%xmm1\n\tvpclmulqdq\t$0x11,%xmm3,%xmm3,%xmm4\n\tvpclmulqdq\t$0x01,%xmm1,%xmm5,%xmm0\n\tvpshufd\t$0x4e,%xmm1,%xmm1\n\tvpternlogd\t$0x96,%xmm0,%xmm1,%xmm4\n\n\n\n\tvinserti128\t$1,%xmm3,%ymm4,%ymm3\n\tvinserti128\t$1,%xmm4,%ymm4,%ymm4\n\tvpclmulqdq\t$0x00,%ymm4,%ymm3,%ymm0\n\tvpclmulqdq\t$0x01,%ymm4,%ymm3,%ymm1\n\tvpclmulqdq\t$0x10,%ymm4,%ymm3,%ymm2\n\tvpxord\t%ymm2,%ymm1,%ymm1\n\tvpclmulqdq\t$0x01,%ymm0,%ymm5,%ymm2\n\tvpshufd\t$0x4e,%ymm0,%ymm0\n\tvpternlogd\t$0x96,%ymm2,%ymm0,%ymm1\n\tvpclmulqdq\t$0x11,%ymm4,%ymm3,%ymm4\n\tvpclmulqdq\t$0x01,%ymm1,%ymm5,%ymm0\n\tvpshufd\t$0x4e,%ymm1,%ymm1\n\tvpternlogd\t$0x96,%ymm0,%ymm1,%ymm4\n\n\tvinserti64x4\t$1,%ymm3,%zmm4,%zmm3\n\tvshufi64x2\t$0,%zmm4,%zmm4,%zmm4\n\n\tvmovdqu8\t%zmm3,(%r8)\n\n\n\n\n\n\tmovl\t$3,%eax\n.Lprecompute_next__func1:\n\tsubq\t$64,%r8\n\tvpclmulqdq\t$0x00,%zmm4,%zmm3,%zmm0\n\tvpclmulqdq\t$0x01,%zmm4,%zmm3,%zmm1\n\tvpclmulqdq\t$0x10,%zmm4,%zmm3,%zmm2\n\tvpxord\t%zmm2,%zmm1,%zmm1\n\tvpclmulqdq\t$0x01,%zmm0,%zmm5,%zmm2\n\tvpshufd\t$0x4e,%zmm0,%zmm0\n\tvpternlogd\t$0x96,%zmm2,%zmm0,%zmm1\n\tvpclmulqdq\t$0x11,%zmm4,%zmm3,%zmm3\n\tvpclmulqdq\t$0x01,%zmm1,%zmm5,%zmm0\n\tvpshufd\t$0x4e,%zmm1,%zmm1\n\tvpternlogd\t$0x96,%zmm0,%zmm1,%zmm3\n\n\tvmovdqu8\t%zmm3,(%r8)\n\tdecl\t%eax\n\tjnz\t.Lprecompute_next__func1\n\n\tvzeroupper\n\tret\n\n.cfi_endproc\t\n.size\tgcm_init_vpclmulqdq_avx10_512, . - gcm_init_vpclmulqdq_avx10_512\n.globl\tgcm_ghash_vpclmulqdq_avx10_512\n.hidden gcm_ghash_vpclmulqdq_avx10_512\n.type\tgcm_ghash_vpclmulqdq_avx10_512,@function\n.align\t32\ngcm_ghash_vpclmulqdq_avx10_512:\n.cfi_startproc\t\n\n_CET_ENDBR\n\n\n\n\n\n\n\tvmovdqu\t.Lbswap_mask(%rip),%xmm4\n\tvmovdqu\t.Lgfpoly(%rip),%xmm10\n\n\n\tvmovdqu\t(%rdi),%xmm5\n\tvpshufb\t%xmm4,%xmm5,%xmm5\n\n\n\tcmpq\t$64,%rcx\n\tjb\t.Laad_blockbyblock__func1\n\n\n\n\tvshufi64x2\t$0,%zmm4,%zmm4,%zmm4\n\tvshufi64x2\t$0,%zmm10,%zmm10,%zmm10\n\n\n\tvmovdqu8\t256-64(%rsi),%zmm9\n\n\tcmpq\t$256-1,%rcx\n\tjbe\t.Laad_loop_1x__func1\n\n\n\tvmovdqu8\t256-256(%rsi),%zmm6\n\tvmovdqu8\t256-192(%rsi),%zmm7\n\tvmovdqu8\t256-128(%rsi),%zmm8\n\n\n.Laad_loop_4x__func1:\n\tvmovdqu8\t0(%rdx),%zmm0\n\tvmovdqu8\t64(%rdx),%zmm1\n\tvmovdqu8\t128(%rdx),%zmm2\n\tvmovdqu8\t192(%rdx),%zmm3\n\tvpshufb\t%zmm4,%zmm0,%zmm0\n\tvpxord\t%zmm5,%zmm0,%zmm0\n\tvpshufb\t%zmm4,%zmm1,%zmm1\n\tvpshufb\t%zmm4,%zmm2,%zmm2\n\tvpshufb\t%zmm4,%zmm3,%zmm3\n\tvpclmulqdq\t$0x00,%zmm6,%zmm0,%zmm5\n\tvpclmulqdq\t$0x00,%zmm7,%zmm1,%zmm11\n\tvpclmulqdq\t$0x00,%zmm8,%zmm2,%zmm12\n\tvpxord\t%zmm11,%zmm5,%zmm5\n\tvpclmulqdq\t$0x00,%zmm9,%zmm3,%zmm13\n\tvpternlogd\t$0x96,%zmm13,%zmm12,%zmm5\n\tvpclmulqdq\t$0x01,%zmm6,%zmm0,%zmm11\n\tvpclmulqdq\t$0x01,%zmm7,%zmm1,%zmm12\n\tvpclmulqdq\t$0x01,%zmm8,%zmm2,%zmm13\n\tvpternlogd\t$0x96,%zmm13,%zmm12,%zmm11\n\tvpclmulqdq\t$0x01,%zmm9,%zmm3,%zmm12\n\tvpclmulqdq\t$0x10,%zmm6,%zmm0,%zmm13\n\tvpternlogd\t$0x96,%zmm13,%zmm12,%zmm11\n\tvpclmulqdq\t$0x10,%zmm7,%zmm1,%zmm12\n\tvpclmulqdq\t$0x10,%zmm8,%zmm2,%zmm13\n\tvpternlogd\t$0x96,%zmm13,%zmm12,%zmm11\n\tvpclmulqdq\t$0x01,%zmm5,%zmm10,%zmm13\n\tvpclmulqdq\t$0x10,%zmm9,%zmm3,%zmm12\n\tvpxord\t%zmm12,%zmm11,%zmm11\n\tvpshufd\t$0x4e,%zmm5,%zmm5\n\tvpclmulqdq\t$0x11,%zmm6,%zmm0,%zmm0\n\tvpclmulqdq\t$0x11,%zmm7,%zmm1,%zmm1\n\tvpclmulqdq\t$0x11,%zmm8,%zmm2,%zmm2\n\tvpternlogd\t$0x96,%zmm13,%zmm5,%zmm11\n\tvpclmulqdq\t$0x11,%zmm9,%zmm3,%zmm3\n\tvpternlogd\t$0x96,%zmm2,%zmm1,%zmm0\n\tvpclmulqdq\t$0x01,%zmm11,%zmm10,%zmm12\n\tvpxord\t%zmm3,%zmm0,%zmm5\n\tvpshufd\t$0x4e,%zmm11,%zmm11\n\tvpternlogd\t$0x96,%zmm12,%zmm11,%zmm5\n\tvextracti32x4\t$1,%zmm5,%xmm0\n\tvextracti32x4\t$2,%zmm5,%xmm1\n\tvextracti32x4\t$3,%zmm5,%xmm2\n\tvpxord\t%xmm0,%xmm5,%xmm5\n\tvpternlogd\t$0x96,%xmm1,%xmm2,%xmm5\n\n\tsubq\t$-256,%rdx\n\taddq\t$-256,%rcx\n\tcmpq\t$256-1,%rcx\n\tja\t.Laad_loop_4x__func1\n\n\n\tcmpq\t$64,%rcx\n\tjb\t.Laad_large_done__func1\n.Laad_loop_1x__func1:\n\tvmovdqu8\t(%rdx),%zmm0\n\tvpshufb\t%zmm4,%zmm0,%zmm0\n\tvpxord\t%zmm0,%zmm5,%zmm5\n\tvpclmulqdq\t$0x00,%zmm9,%zmm5,%zmm0\n\tvpclmulqdq\t$0x01,%zmm9,%zmm5,%zmm1\n\tvpclmulqdq\t$0x10,%zmm9,%zmm5,%zmm2\n\tvpxord\t%zmm2,%zmm1,%zmm1\n\tvpclmulqdq\t$0x01,%zmm0,%zmm10,%zmm2\n\tvpshufd\t$0x4e,%zmm0,%zmm0\n\tvpternlogd\t$0x96,%zmm2,%zmm0,%zmm1\n\tvpclmulqdq\t$0x11,%zmm9,%zmm5,%zmm5\n\tvpclmulqdq\t$0x01,%zmm1,%zmm10,%zmm0\n\tvpshufd\t$0x4e,%zmm1,%zmm1\n\tvpternlogd\t$0x96,%zmm0,%zmm1,%zmm5\n\n\tvextracti32x4\t$1,%zmm5,%xmm0\n\tvextracti32x4\t$2,%zmm5,%xmm1\n\tvextracti32x4\t$3,%zmm5,%xmm2\n\tvpxord\t%xmm0,%xmm5,%xmm5\n\tvpternlogd\t$0x96,%xmm1,%xmm2,%xmm5\n\n\taddq\t$64,%rdx\n\tsubq\t$64,%rcx\n\tcmpq\t$64,%rcx\n\tjae\t.Laad_loop_1x__func1\n\n.Laad_large_done__func1:\n\n\n\tvzeroupper\n\n\n.Laad_blockbyblock__func1:\n\ttestq\t%rcx,%rcx\n\tjz\t.Laad_done__func1\n\tvmovdqu\t256-16(%rsi),%xmm9\n.Laad_loop_blockbyblock__func1:\n\tvmovdqu\t(%rdx),%xmm0\n\tvpshufb\t%xmm4,%xmm0,%xmm0\n\tvpxor\t%xmm0,%xmm5,%xmm5\n\tvpclmulqdq\t$0x00,%xmm9,%xmm5,%xmm0\n\tvpclmulqdq\t$0x01,%xmm9,%xmm5,%xmm1\n\tvpclmulqdq\t$0x10,%xmm9,%xmm5,%xmm2\n\tvpxord\t%xmm2,%xmm1,%xmm1\n\tvpclmulqdq\t$0x01,%xmm0,%xmm10,%xmm2\n\tvpshufd\t$0x4e,%xmm0,%xmm0\n\tvpternlogd\t$0x96,%xmm2,%xmm0,%xmm1\n\tvpclmulqdq\t$0x11,%xmm9,%xmm5,%xmm5\n\tvpclmulqdq\t$0x01,%xmm1,%xmm10,%xmm0\n\tvpshufd\t$0x4e,%xmm1,%xmm1\n\tvpternlogd\t$0x96,%xmm0,%xmm1,%xmm5\n\n\taddq\t$16,%rdx\n\tsubq\t$16,%rcx\n\tjnz\t.Laad_loop_blockbyblock__func1\n\n.Laad_done__func1:\n\n\tvpshufb\t%xmm4,%xmm5,%xmm5\n\tvmovdqu\t%xmm5,(%rdi)\n\tret\n\n.cfi_endproc\t\n.size\tgcm_ghash_vpclmulqdq_avx10_512, . - gcm_ghash_vpclmulqdq_avx10_512\n.globl\taes_gcm_enc_update_vaes_avx10_512\n.hidden aes_gcm_enc_update_vaes_avx10_512\n.type\taes_gcm_enc_update_vaes_avx10_512,@function\n.align\t32\naes_gcm_enc_update_vaes_avx10_512:\n.cfi_startproc\t\n\n_CET_ENDBR\n\tpushq\t%r12\n.cfi_adjust_cfa_offset\t8\n.cfi_offset\t%r12,-16\n\n\tmovq\t16(%rsp),%r12\n#ifdef BORINGSSL_DISPATCH_TEST\n.extern\tBORINGSSL_function_hit\n.hidden BORINGSSL_function_hit\n\tmovb\t$1,BORINGSSL_function_hit+7(%rip)\n#endif\n\n\tvbroadcasti32x4\t.Lbswap_mask(%rip),%zmm8\n\tvbroadcasti32x4\t.Lgfpoly(%rip),%zmm31\n\n\n\n\tvmovdqu\t(%r12),%xmm10\n\tvpshufb\t%xmm8,%xmm10,%xmm10\n\tvbroadcasti32x4\t(%r8),%zmm12\n\tvpshufb\t%zmm8,%zmm12,%zmm12\n\n\n\n\tmovl\t240(%rcx),%r10d\n\tleal\t-20(,%r10,4),%r10d\n\n\n\n\n\tleaq\t96(%rcx,%r10,4),%r11\n\tvbroadcasti32x4\t(%rcx),%zmm13\n\tvbroadcasti32x4\t(%r11),%zmm14\n\n\n\tvpaddd\t.Lctr_pattern(%rip),%zmm12,%zmm12\n\n\n\tvbroadcasti32x4\t.Linc_4blocks(%rip),%zmm11\n\n\n\n\tcmpq\t$256-1,%rdx\n\tjbe\t.Lcrypt_loop_4x_done__func1\n\n\n\tvmovdqu8\t256-256(%r9),%zmm27\n\tvmovdqu8\t256-192(%r9),%zmm28\n\tvmovdqu8\t256-128(%r9),%zmm29\n\tvmovdqu8\t256-64(%r9),%zmm30\n\n\n\n\n\tvpshufb\t%zmm8,%zmm12,%zmm0\n\tvpaddd\t%zmm11,%zmm12,%zmm12\n\tvpshufb\t%zmm8,%zmm12,%zmm1\n\tvpaddd\t%zmm11,%zmm12,%zmm12\n\tvpshufb\t%zmm8,%zmm12,%zmm2\n\tvpaddd\t%zmm11,%zmm12,%zmm12\n\tvpshufb\t%zmm8,%zmm12,%zmm3\n\tvpaddd\t%zmm11,%zmm12,%zmm12\n\n\n\tvpxord\t%zmm13,%zmm0,%zmm0\n\tvpxord\t%zmm13,%zmm1,%zmm1\n\tvpxord\t%zmm13,%zmm2,%zmm2\n\tvpxord\t%zmm13,%zmm3,%zmm3\n\n\tleaq\t16(%rcx),%rax\n.Lvaesenc_loop_first_4_vecs__func1:\n\tvbroadcasti32x4\t(%rax),%zmm9\n\tvaesenc\t%zmm9,%zmm0,%zmm0\n\tvaesenc\t%zmm9,%zmm1,%zmm1\n\tvaesenc\t%zmm9,%zmm2,%zmm2\n\tvaesenc\t%zmm9,%zmm3,%zmm3\n\n\taddq\t$16,%rax\n\tcmpq\t%rax,%r11\n\tjne\t.Lvaesenc_loop_first_4_vecs__func1\n\n\n\n\tvpxord\t0(%rdi),%zmm14,%zmm4\n\tvpxord\t64(%rdi),%zmm14,%zmm5\n\tvpxord\t128(%rdi),%zmm14,%zmm6\n\tvpxord\t192(%rdi),%zmm14,%zmm7\n\n\n\n\tvaesenclast\t%zmm4,%zmm0,%zmm4\n\tvaesenclast\t%zmm5,%zmm1,%zmm5\n\tvaesenclast\t%zmm6,%zmm2,%zmm6\n\tvaesenclast\t%zmm7,%zmm3,%zmm7\n\n\n\tvmovdqu8\t%zmm4,0(%rsi)\n\tvmovdqu8\t%zmm5,64(%rsi)\n\tvmovdqu8\t%zmm6,128(%rsi)\n\tvmovdqu8\t%zmm7,192(%rsi)\n\n\tsubq\t$-256,%rdi\n\tsubq\t$-256,%rsi\n\taddq\t$-256,%rdx\n\tcmpq\t$256-1,%rdx\n\tjbe\t.Lghash_last_ciphertext_4x__func1\n\tvbroadcasti32x4\t-144(%r11),%zmm15\n\tvbroadcasti32x4\t-128(%r11),%zmm16\n\tvbroadcasti32x4\t-112(%r11),%zmm17\n\tvbroadcasti32x4\t-96(%r11),%zmm18\n\tvbroadcasti32x4\t-80(%r11),%zmm19\n\tvbroadcasti32x4\t-64(%r11),%zmm20\n\tvbroadcasti32x4\t-48(%r11),%zmm21\n\tvbroadcasti32x4\t-32(%r11),%zmm22\n\tvbroadcasti32x4\t-16(%r11),%zmm23\n.Lcrypt_loop_4x__func1:\n\n\n\n\tvpshufb\t%zmm8,%zmm12,%zmm0\n\tvpaddd\t%zmm11,%zmm12,%zmm12\n\tvpshufb\t%zmm8,%zmm12,%zmm1\n\tvpaddd\t%zmm11,%zmm12,%zmm12\n\tvpshufb\t%zmm8,%zmm12,%zmm2\n\tvpaddd\t%zmm11,%zmm12,%zmm12\n\tvpshufb\t%zmm8,%zmm12,%zmm3\n\tvpaddd\t%zmm11,%zmm12,%zmm12\n\n\n\tvpxord\t%zmm13,%zmm0,%zmm0\n\tvpxord\t%zmm13,%zmm1,%zmm1\n\tvpxord\t%zmm13,%zmm2,%zmm2\n\tvpxord\t%zmm13,%zmm3,%zmm3\n\n\tcmpl\t$24,%r10d\n\tjl\t.Laes128__func1\n\tje\t.Laes192__func1\n\n\tvbroadcasti32x4\t-208(%r11),%zmm9\n\tvaesenc\t%zmm9,%zmm0,%zmm0\n\tvaesenc\t%zmm9,%zmm1,%zmm1\n\tvaesenc\t%zmm9,%zmm2,%zmm2\n\tvaesenc\t%zmm9,%zmm3,%zmm3\n\n\tvbroadcasti32x4\t-192(%r11),%zmm9\n\tvaesenc\t%zmm9,%zmm0,%zmm0\n\tvaesenc\t%zmm9,%zmm1,%zmm1\n\tvaesenc\t%zmm9,%zmm2,%zmm2\n\tvaesenc\t%zmm9,%zmm3,%zmm3\n\n.Laes192__func1:\n\tvbroadcasti32x4\t-176(%r11),%zmm9\n\tvaesenc\t%zmm9,%zmm0,%zmm0\n\tvaesenc\t%zmm9,%zmm1,%zmm1\n\tvaesenc\t%zmm9,%zmm2,%zmm2\n\tvaesenc\t%zmm9,%zmm3,%zmm3\n\n\tvbroadcasti32x4\t-160(%r11),%zmm9\n\tvaesenc\t%zmm9,%zmm0,%zmm0\n\tvaesenc\t%zmm9,%zmm1,%zmm1\n\tvaesenc\t%zmm9,%zmm2,%zmm2\n\tvaesenc\t%zmm9,%zmm3,%zmm3\n\n.Laes128__func1:\n\tprefetcht0\t512+0(%rdi)\n\tprefetcht0\t512+64(%rdi)\n\tprefetcht0\t512+128(%rdi)\n\tprefetcht0\t512+192(%rdi)\n\tvpshufb\t%zmm8,%zmm4,%zmm4\n\tvpxord\t%zmm10,%zmm4,%zmm4\n\tvpshufb\t%zmm8,%zmm5,%zmm5\n\tvpshufb\t%zmm8,%zmm6,%zmm6\n\n\tvaesenc\t%zmm15,%zmm0,%zmm0\n\tvaesenc\t%zmm15,%zmm1,%zmm1\n\tvaesenc\t%zmm15,%zmm2,%zmm2\n\tvaesenc\t%zmm15,%zmm3,%zmm3\n\n\tvpshufb\t%zmm8,%zmm7,%zmm7\n\tvpclmulqdq\t$0x00,%zmm27,%zmm4,%zmm10\n\tvpclmulqdq\t$0x00,%zmm28,%zmm5,%zmm24\n\tvpclmulqdq\t$0x00,%zmm29,%zmm6,%zmm25\n\n\tvaesenc\t%zmm16,%zmm0,%zmm0\n\tvaesenc\t%zmm16,%zmm1,%zmm1\n\tvaesenc\t%zmm16,%zmm2,%zmm2\n\tvaesenc\t%zmm16,%zmm3,%zmm3\n\n\tvpxord\t%zmm24,%zmm10,%zmm10\n\tvpclmulqdq\t$0x00,%zmm30,%zmm7,%zmm26\n\tvpternlogd\t$0x96,%zmm26,%zmm25,%zmm10\n\tvpclmulqdq\t$0x01,%zmm27,%zmm4,%zmm24\n\n\tvaesenc\t%zmm17,%zmm0,%zmm0\n\tvaesenc\t%zmm17,%zmm1,%zmm1\n\tvaesenc\t%zmm17,%zmm2,%zmm2\n\tvaesenc\t%zmm17,%zmm3,%zmm3\n\n\tvpclmulqdq\t$0x01,%zmm28,%zmm5,%zmm25\n\tvpclmulqdq\t$0x01,%zmm29,%zmm6,%zmm26\n\tvpternlogd\t$0x96,%zmm26,%zmm25,%zmm24\n\tvpclmulqdq\t$0x01,%zmm30,%zmm7,%zmm25\n\n\tvaesenc\t%zmm18,%zmm0,%zmm0\n\tvaesenc\t%zmm18,%zmm1,%zmm1\n\tvaesenc\t%zmm18,%zmm2,%zmm2\n\tvaesenc\t%zmm18,%zmm3,%zmm3\n\n\tvpclmulqdq\t$0x10,%zmm27,%zmm4,%zmm26\n\tvpternlogd\t$0x96,%zmm26,%zmm25,%zmm24\n\tvpclmulqdq\t$0x10,%zmm28,%zmm5,%zmm25\n\tvpclmulqdq\t$0x10,%zmm29,%zmm6,%zmm26\n\n\tvaesenc\t%zmm19,%zmm0,%zmm0\n\tvaesenc\t%zmm19,%zmm1,%zmm1\n\tvaesenc\t%zmm19,%zmm2,%zmm2\n\tvaesenc\t%zmm19,%zmm3,%zmm3\n\n\tvpternlogd\t$0x96,%zmm26,%zmm25,%zmm24\n\tvpclmulqdq\t$0x01,%zmm10,%zmm31,%zmm26\n\tvpclmulqdq\t$0x10,%zmm30,%zmm7,%zmm25\n\tvpxord\t%zmm25,%zmm24,%zmm24\n\n\tvaesenc\t%zmm20,%zmm0,%zmm0\n\tvaesenc\t%zmm20,%zmm1,%zmm1\n\tvaesenc\t%zmm20,%zmm2,%zmm2\n\tvaesenc\t%zmm20,%zmm3,%zmm3\n\n\tvpshufd\t$0x4e,%zmm10,%zmm10\n\tvpclmulqdq\t$0x11,%zmm27,%zmm4,%zmm4\n\tvpclmulqdq\t$0x11,%zmm28,%zmm5,%zmm5\n\tvpclmulqdq\t$0x11,%zmm29,%zmm6,%zmm6\n\n\tvaesenc\t%zmm21,%zmm0,%zmm0\n\tvaesenc\t%zmm21,%zmm1,%zmm1\n\tvaesenc\t%zmm21,%zmm2,%zmm2\n\tvaesenc\t%zmm21,%zmm3,%zmm3\n\n\tvpternlogd\t$0x96,%zmm26,%zmm10,%zmm24\n\tvpclmulqdq\t$0x11,%zmm30,%zmm7,%zmm7\n\tvpternlogd\t$0x96,%zmm6,%zmm5,%zmm4\n\tvpclmulqdq\t$0x01,%zmm24,%zmm31,%zmm25\n\n\tvaesenc\t%zmm22,%zmm0,%zmm0\n\tvaesenc\t%zmm22,%zmm1,%zmm1\n\tvaesenc\t%zmm22,%zmm2,%zmm2\n\tvaesenc\t%zmm22,%zmm3,%zmm3\n\n\tvpxord\t%zmm7,%zmm4,%zmm10\n\tvpshufd\t$0x4e,%zmm24,%zmm24\n\tvpternlogd\t$0x96,%zmm25,%zmm24,%zmm10\n\n\tvaesenc\t%zmm23,%zmm0,%zmm0\n\tvaesenc\t%zmm23,%zmm1,%zmm1\n\tvaesenc\t%zmm23,%zmm2,%zmm2\n\tvaesenc\t%zmm23,%zmm3,%zmm3\n\n\tvextracti32x4\t$1,%zmm10,%xmm4\n\tvextracti32x4\t$2,%zmm10,%xmm5\n\tvextracti32x4\t$3,%zmm10,%xmm6\n\tvpxord\t%xmm4,%xmm10,%xmm10\n\tvpternlogd\t$0x96,%xmm5,%xmm6,%xmm10\n\n\n\n\n\tvpxord\t0(%rdi),%zmm14,%zmm4\n\tvpxord\t64(%rdi),%zmm14,%zmm5\n\tvpxord\t128(%rdi),%zmm14,%zmm6\n\tvpxord\t192(%rdi),%zmm14,%zmm7\n\n\n\n\tvaesenclast\t%zmm4,%zmm0,%zmm4\n\tvaesenclast\t%zmm5,%zmm1,%zmm5\n\tvaesenclast\t%zmm6,%zmm2,%zmm6\n\tvaesenclast\t%zmm7,%zmm3,%zmm7\n\n\n\tvmovdqu8\t%zmm4,0(%rsi)\n\tvmovdqu8\t%zmm5,64(%rsi)\n\tvmovdqu8\t%zmm6,128(%rsi)\n\tvmovdqu8\t%zmm7,192(%rsi)\n\n\tsubq\t$-256,%rdi\n\tsubq\t$-256,%rsi\n\taddq\t$-256,%rdx\n\tcmpq\t$256-1,%rdx\n\tja\t.Lcrypt_loop_4x__func1\n.Lghash_last_ciphertext_4x__func1:\n\tvpshufb\t%zmm8,%zmm4,%zmm4\n\tvpxord\t%zmm10,%zmm4,%zmm4\n\tvpshufb\t%zmm8,%zmm5,%zmm5\n\tvpshufb\t%zmm8,%zmm6,%zmm6\n\tvpshufb\t%zmm8,%zmm7,%zmm7\n\tvpclmulqdq\t$0x00,%zmm27,%zmm4,%zmm10\n\tvpclmulqdq\t$0x00,%zmm28,%zmm5,%zmm24\n\tvpclmulqdq\t$0x00,%zmm29,%zmm6,%zmm25\n\tvpxord\t%zmm24,%zmm10,%zmm10\n\tvpclmulqdq\t$0x00,%zmm30,%zmm7,%zmm26\n\tvpternlogd\t$0x96,%zmm26,%zmm25,%zmm10\n\tvpclmulqdq\t$0x01,%zmm27,%zmm4,%zmm24\n\tvpclmulqdq\t$0x01,%zmm28,%zmm5,%zmm25\n\tvpclmulqdq\t$0x01,%zmm29,%zmm6,%zmm26\n\tvpternlogd\t$0x96,%zmm26,%zmm25,%zmm24\n\tvpclmulqdq\t$0x01,%zmm30,%zmm7,%zmm25\n\tvpclmulqdq\t$0x10,%zmm27,%zmm4,%zmm26\n\tvpternlogd\t$0x96,%zmm26,%zmm25,%zmm24\n\tvpclmulqdq\t$0x10,%zmm28,%zmm5,%zmm25\n\tvpclmulqdq\t$0x10,%zmm29,%zmm6,%zmm26\n\tvpternlogd\t$0x96,%zmm26,%zmm25,%zmm24\n\tvpclmulqdq\t$0x01,%zmm10,%zmm31,%zmm26\n\tvpclmulqdq\t$0x10,%zmm30,%zmm7,%zmm25\n\tvpxord\t%zmm25,%zmm24,%zmm24\n\tvpshufd\t$0x4e,%zmm10,%zmm10\n\tvpclmulqdq\t$0x11,%zmm27,%zmm4,%zmm4\n\tvpclmulqdq\t$0x11,%zmm28,%zmm5,%zmm5\n\tvpclmulqdq\t$0x11,%zmm29,%zmm6,%zmm6\n\tvpternlogd\t$0x96,%zmm26,%zmm10,%zmm24\n\tvpclmulqdq\t$0x11,%zmm30,%zmm7,%zmm7\n\tvpternlogd\t$0x96,%zmm6,%zmm5,%zmm4\n\tvpclmulqdq\t$0x01,%zmm24,%zmm31,%zmm25\n\tvpxord\t%zmm7,%zmm4,%zmm10\n\tvpshufd\t$0x4e,%zmm24,%zmm24\n\tvpternlogd\t$0x96,%zmm25,%zmm24,%zmm10\n\tvextracti32x4\t$1,%zmm10,%xmm4\n\tvextracti32x4\t$2,%zmm10,%xmm5\n\tvextracti32x4\t$3,%zmm10,%xmm6\n\tvpxord\t%xmm4,%xmm10,%xmm10\n\tvpternlogd\t$0x96,%xmm5,%xmm6,%xmm10\n\n.Lcrypt_loop_4x_done__func1:\n\n\ttestq\t%rdx,%rdx\n\tjz\t.Ldone__func1\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\tmovq\t%rdx,%rax\n\tnegq\t%rax\n\tandq\t$-16,%rax\n\tleaq\t256(%r9,%rax,1),%r8\n\tvpxor\t%xmm4,%xmm4,%xmm4\n\tvpxor\t%xmm5,%xmm5,%xmm5\n\tvpxor\t%xmm6,%xmm6,%xmm6\n\n\tcmpq\t$64,%rdx\n\tjb\t.Lpartial_vec__func1\n\n.Lcrypt_loop_1x__func1:\n\n\n\n\tvpshufb\t%zmm8,%zmm12,%zmm0\n\tvpaddd\t%zmm11,%zmm12,%zmm12\n\tvpxord\t%zmm13,%zmm0,%zmm0\n\tleaq\t16(%rcx),%rax\n.Lvaesenc_loop_tail_full_vec__func1:\n\tvbroadcasti32x4\t(%rax),%zmm9\n\tvaesenc\t%zmm9,%zmm0,%zmm0\n\taddq\t$16,%rax\n\tcmpq\t%rax,%r11\n\tjne\t.Lvaesenc_loop_tail_full_vec__func1\n\tvaesenclast\t%zmm14,%zmm0,%zmm0\n\n\n\tvmovdqu8\t(%rdi),%zmm1\n\tvpxord\t%zmm1,%zmm0,%zmm0\n\tvmovdqu8\t%zmm0,(%rsi)\n\n\n\tvmovdqu8\t(%r8),%zmm30\n\tvpshufb\t%zmm8,%zmm0,%zmm0\n\tvpxord\t%zmm10,%zmm0,%zmm0\n\tvpclmulqdq\t$0x00,%zmm30,%zmm0,%zmm7\n\tvpclmulqdq\t$0x01,%zmm30,%zmm0,%zmm1\n\tvpclmulqdq\t$0x10,%zmm30,%zmm0,%zmm2\n\tvpclmulqdq\t$0x11,%zmm30,%zmm0,%zmm3\n\tvpxord\t%zmm7,%zmm4,%zmm4\n\tvpternlogd\t$0x96,%zmm2,%zmm1,%zmm5\n\tvpxord\t%zmm3,%zmm6,%zmm6\n\n\tvpxor\t%xmm10,%xmm10,%xmm10\n\n\taddq\t$64,%r8\n\taddq\t$64,%rdi\n\taddq\t$64,%rsi\n\tsubq\t$64,%rdx\n\tcmpq\t$64,%rdx\n\tjae\t.Lcrypt_loop_1x__func1\n\n\ttestq\t%rdx,%rdx\n\tjz\t.Lreduce__func1\n\n.Lpartial_vec__func1:\n\n\n\n\n\tmovq\t$-1,%rax\n\tbzhiq\t%rdx,%rax,%rax\n\tkmovq\t%rax,%k1\n\taddq\t$15,%rdx\n\tandq\t$-16,%rdx\n\tmovq\t$-1,%rax\n\tbzhiq\t%rdx,%rax,%rax\n\tkmovq\t%rax,%k2\n\n\n\n\tvpshufb\t%zmm8,%zmm12,%zmm0\n\tvpxord\t%zmm13,%zmm0,%zmm0\n\tleaq\t16(%rcx),%rax\n.Lvaesenc_loop_tail_partialvec__func1:\n\tvbroadcasti32x4\t(%rax),%zmm9\n\tvaesenc\t%zmm9,%zmm0,%zmm0\n\taddq\t$16,%rax\n\tcmpq\t%rax,%r11\n\tjne\t.Lvaesenc_loop_tail_partialvec__func1\n\tvaesenclast\t%zmm14,%zmm0,%zmm0\n\n\n\tvmovdqu8\t(%rdi),%zmm1{%k1}{z}\n\tvpxord\t%zmm1,%zmm0,%zmm0\n\tvmovdqu8\t%zmm0,(%rsi){%k1}\n\n\n\n\n\n\n\n\n\n\n\n\n\n\tvmovdqu8\t(%r8),%zmm30{%k2}{z}\n\tvmovdqu8\t%zmm0,%zmm1{%k1}{z}\n\tvpshufb\t%zmm8,%zmm1,%zmm0\n\tvpxord\t%zmm10,%zmm0,%zmm0\n\tvpclmulqdq\t$0x00,%zmm30,%zmm0,%zmm7\n\tvpclmulqdq\t$0x01,%zmm30,%zmm0,%zmm1\n\tvpclmulqdq\t$0x10,%zmm30,%zmm0,%zmm2\n\tvpclmulqdq\t$0x11,%zmm30,%zmm0,%zmm3\n\tvpxord\t%zmm7,%zmm4,%zmm4\n\tvpternlogd\t$0x96,%zmm2,%zmm1,%zmm5\n\tvpxord\t%zmm3,%zmm6,%zmm6\n\n\n.Lreduce__func1:\n\n\tvpclmulqdq\t$0x01,%zmm4,%zmm31,%zmm0\n\tvpshufd\t$0x4e,%zmm4,%zmm4\n\tvpternlogd\t$0x96,%zmm0,%zmm4,%zmm5\n\tvpclmulqdq\t$0x01,%zmm5,%zmm31,%zmm0\n\tvpshufd\t$0x4e,%zmm5,%zmm5\n\tvpternlogd\t$0x96,%zmm0,%zmm5,%zmm6\n\n\tvextracti32x4\t$1,%zmm6,%xmm0\n\tvextracti32x4\t$2,%zmm6,%xmm1\n\tvextracti32x4\t$3,%zmm6,%xmm2\n\tvpxord\t%xmm0,%xmm6,%xmm10\n\tvpternlogd\t$0x96,%xmm1,%xmm2,%xmm10\n\n\n.Ldone__func1:\n\n\tvpshufb\t%xmm8,%xmm10,%xmm10\n\tvmovdqu\t%xmm10,(%r12)\n\n\tvzeroupper\n\tpopq\t%r12\n.cfi_adjust_cfa_offset\t-8\n.cfi_restore\t%r12\n\tret\n\n.cfi_endproc\t\n.size\taes_gcm_enc_update_vaes_avx10_512, . - aes_gcm_enc_update_vaes_avx10_512\n.globl\taes_gcm_dec_update_vaes_avx10_512\n.hidden aes_gcm_dec_update_vaes_avx10_512\n.type\taes_gcm_dec_update_vaes_avx10_512,@function\n.align\t32\naes_gcm_dec_update_vaes_avx10_512:\n.cfi_startproc\t\n\n_CET_ENDBR\n\tpushq\t%r12\n.cfi_adjust_cfa_offset\t8\n.cfi_offset\t%r12,-16\n\n\tmovq\t16(%rsp),%r12\n\n\tvbroadcasti32x4\t.Lbswap_mask(%rip),%zmm8\n\tvbroadcasti32x4\t.Lgfpoly(%rip),%zmm31\n\n\n\n\tvmovdqu\t(%r12),%xmm10\n\tvpshufb\t%xmm8,%xmm10,%xmm10\n\tvbroadcasti32x4\t(%r8),%zmm12\n\tvpshufb\t%zmm8,%zmm12,%zmm12\n\n\n\n\tmovl\t240(%rcx),%r10d\n\tleal\t-20(,%r10,4),%r10d\n\n\n\n\n\tleaq\t96(%rcx,%r10,4),%r11\n\tvbroadcasti32x4\t(%rcx),%zmm13\n\tvbroadcasti32x4\t(%r11),%zmm14\n\n\n\tvpaddd\t.Lctr_pattern(%rip),%zmm12,%zmm12\n\n\n\tvbroadcasti32x4\t.Linc_4blocks(%rip),%zmm11\n\n\n\n\tcmpq\t$256-1,%rdx\n\tjbe\t.Lcrypt_loop_4x_done__func2\n\n\n\tvmovdqu8\t256-256(%r9),%zmm27\n\tvmovdqu8\t256-192(%r9),%zmm28\n\tvmovdqu8\t256-128(%r9),%zmm29\n\tvmovdqu8\t256-64(%r9),%zmm30\n\tvbroadcasti32x4\t-144(%r11),%zmm15\n\tvbroadcasti32x4\t-128(%r11),%zmm16\n\tvbroadcasti32x4\t-112(%r11),%zmm17\n\tvbroadcasti32x4\t-96(%r11),%zmm18\n\tvbroadcasti32x4\t-80(%r11),%zmm19\n\tvbroadcasti32x4\t-64(%r11),%zmm20\n\tvbroadcasti32x4\t-48(%r11),%zmm21\n\tvbroadcasti32x4\t-32(%r11),%zmm22\n\tvbroadcasti32x4\t-16(%r11),%zmm23\n.Lcrypt_loop_4x__func2:\n\tvmovdqu8\t0(%rdi),%zmm4\n\tvmovdqu8\t64(%rdi),%zmm5\n\tvmovdqu8\t128(%rdi),%zmm6\n\tvmovdqu8\t192(%rdi),%zmm7\n\n\n\n\tvpshufb\t%zmm8,%zmm12,%zmm0\n\tvpaddd\t%zmm11,%zmm12,%zmm12\n\tvpshufb\t%zmm8,%zmm12,%zmm1\n\tvpaddd\t%zmm11,%zmm12,%zmm12\n\tvpshufb\t%zmm8,%zmm12,%zmm2\n\tvpaddd\t%zmm11,%zmm12,%zmm12\n\tvpshufb\t%zmm8,%zmm12,%zmm3\n\tvpaddd\t%zmm11,%zmm12,%zmm12\n\n\n\tvpxord\t%zmm13,%zmm0,%zmm0\n\tvpxord\t%zmm13,%zmm1,%zmm1\n\tvpxord\t%zmm13,%zmm2,%zmm2\n\tvpxord\t%zmm13,%zmm3,%zmm3\n\n\tcmpl\t$24,%r10d\n\tjl\t.Laes128__func2\n\tje\t.Laes192__func2\n\n\tvbroadcasti32x4\t-208(%r11),%zmm9\n\tvaesenc\t%zmm9,%zmm0,%zmm0\n\tvaesenc\t%zmm9,%zmm1,%zmm1\n\tvaesenc\t%zmm9,%zmm2,%zmm2\n\tvaesenc\t%zmm9,%zmm3,%zmm3\n\n\tvbroadcasti32x4\t-192(%r11),%zmm9\n\tvaesenc\t%zmm9,%zmm0,%zmm0\n\tvaesenc\t%zmm9,%zmm1,%zmm1\n\tvaesenc\t%zmm9,%zmm2,%zmm2\n\tvaesenc\t%zmm9,%zmm3,%zmm3\n\n.Laes192__func2:\n\tvbroadcasti32x4\t-176(%r11),%zmm9\n\tvaesenc\t%zmm9,%zmm0,%zmm0\n\tvaesenc\t%zmm9,%zmm1,%zmm1\n\tvaesenc\t%zmm9,%zmm2,%zmm2\n\tvaesenc\t%zmm9,%zmm3,%zmm3\n\n\tvbroadcasti32x4\t-160(%r11),%zmm9\n\tvaesenc\t%zmm9,%zmm0,%zmm0\n\tvaesenc\t%zmm9,%zmm1,%zmm1\n\tvaesenc\t%zmm9,%zmm2,%zmm2\n\tvaesenc\t%zmm9,%zmm3,%zmm3\n\n.Laes128__func2:\n\tprefetcht0\t512+0(%rdi)\n\tprefetcht0\t512+64(%rdi)\n\tprefetcht0\t512+128(%rdi)\n\tprefetcht0\t512+192(%rdi)\n\tvpshufb\t%zmm8,%zmm4,%zmm4\n\tvpxord\t%zmm10,%zmm4,%zmm4\n\tvpshufb\t%zmm8,%zmm5,%zmm5\n\tvpshufb\t%zmm8,%zmm6,%zmm6\n\n\tvaesenc\t%zmm15,%zmm0,%zmm0\n\tvaesenc\t%zmm15,%zmm1,%zmm1\n\tvaesenc\t%zmm15,%zmm2,%zmm2\n\tvaesenc\t%zmm15,%zmm3,%zmm3\n\n\tvpshufb\t%zmm8,%zmm7,%zmm7\n\tvpclmulqdq\t$0x00,%zmm27,%zmm4,%zmm10\n\tvpclmulqdq\t$0x00,%zmm28,%zmm5,%zmm24\n\tvpclmulqdq\t$0x00,%zmm29,%zmm6,%zmm25\n\n\tvaesenc\t%zmm16,%zmm0,%zmm0\n\tvaesenc\t%zmm16,%zmm1,%zmm1\n\tvaesenc\t%zmm16,%zmm2,%zmm2\n\tvaesenc\t%zmm16,%zmm3,%zmm3\n\n\tvpxord\t%zmm24,%zmm10,%zmm10\n\tvpclmulqdq\t$0x00,%zmm30,%zmm7,%zmm26\n\tvpternlogd\t$0x96,%zmm26,%zmm25,%zmm10\n\tvpclmulqdq\t$0x01,%zmm27,%zmm4,%zmm24\n\n\tvaesenc\t%zmm17,%zmm0,%zmm0\n\tvaesenc\t%zmm17,%zmm1,%zmm1\n\tvaesenc\t%zmm17,%zmm2,%zmm2\n\tvaesenc\t%zmm17,%zmm3,%zmm3\n\n\tvpclmulqdq\t$0x01,%zmm28,%zmm5,%zmm25\n\tvpclmulqdq\t$0x01,%zmm29,%zmm6,%zmm26\n\tvpternlogd\t$0x96,%zmm26,%zmm25,%zmm24\n\tvpclmulqdq\t$0x01,%zmm30,%zmm7,%zmm25\n\n\tvaesenc\t%zmm18,%zmm0,%zmm0\n\tvaesenc\t%zmm18,%zmm1,%zmm1\n\tvaesenc\t%zmm18,%zmm2,%zmm2\n\tvaesenc\t%zmm18,%zmm3,%zmm3\n\n\tvpclmulqdq\t$0x10,%zmm27,%zmm4,%zmm26\n\tvpternlogd\t$0x96,%zmm26,%zmm25,%zmm24\n\tvpclmulqdq\t$0x10,%zmm28,%zmm5,%zmm25\n\tvpclmulqdq\t$0x10,%zmm29,%zmm6,%zmm26\n\n\tvaesenc\t%zmm19,%zmm0,%zmm0\n\tvaesenc\t%zmm19,%zmm1,%zmm1\n\tvaesenc\t%zmm19,%zmm2,%zmm2\n\tvaesenc\t%zmm19,%zmm3,%zmm3\n\n\tvpternlogd\t$0x96,%zmm26,%zmm25,%zmm24\n\tvpclmulqdq\t$0x01,%zmm10,%zmm31,%zmm26\n\tvpclmulqdq\t$0x10,%zmm30,%zmm7,%zmm25\n\tvpxord\t%zmm25,%zmm24,%zmm24\n\n\tvaesenc\t%zmm20,%zmm0,%zmm0\n\tvaesenc\t%zmm20,%zmm1,%zmm1\n\tvaesenc\t%zmm20,%zmm2,%zmm2\n\tvaesenc\t%zmm20,%zmm3,%zmm3\n\n\tvpshufd\t$0x4e,%zmm10,%zmm10\n\tvpclmulqdq\t$0x11,%zmm27,%zmm4,%zmm4\n\tvpclmulqdq\t$0x11,%zmm28,%zmm5,%zmm5\n\tvpclmulqdq\t$0x11,%zmm29,%zmm6,%zmm6\n\n\tvaesenc\t%zmm21,%zmm0,%zmm0\n\tvaesenc\t%zmm21,%zmm1,%zmm1\n\tvaesenc\t%zmm21,%zmm2,%zmm2\n\tvaesenc\t%zmm21,%zmm3,%zmm3\n\n\tvpternlogd\t$0x96,%zmm26,%zmm10,%zmm24\n\tvpclmulqdq\t$0x11,%zmm30,%zmm7,%zmm7\n\tvpternlogd\t$0x96,%zmm6,%zmm5,%zmm4\n\tvpclmulqdq\t$0x01,%zmm24,%zmm31,%zmm25\n\n\tvaesenc\t%zmm22,%zmm0,%zmm0\n\tvaesenc\t%zmm22,%zmm1,%zmm1\n\tvaesenc\t%zmm22,%zmm2,%zmm2\n\tvaesenc\t%zmm22,%zmm3,%zmm3\n\n\tvpxord\t%zmm7,%zmm4,%zmm10\n\tvpshufd\t$0x4e,%zmm24,%zmm24\n\tvpternlogd\t$0x96,%zmm25,%zmm24,%zmm10\n\n\tvaesenc\t%zmm23,%zmm0,%zmm0\n\tvaesenc\t%zmm23,%zmm1,%zmm1\n\tvaesenc\t%zmm23,%zmm2,%zmm2\n\tvaesenc\t%zmm23,%zmm3,%zmm3\n\n\tvextracti32x4\t$1,%zmm10,%xmm4\n\tvextracti32x4\t$2,%zmm10,%xmm5\n\tvextracti32x4\t$3,%zmm10,%xmm6\n\tvpxord\t%xmm4,%xmm10,%xmm10\n\tvpternlogd\t$0x96,%xmm5,%xmm6,%xmm10\n\n\n\n\n\tvpxord\t0(%rdi),%zmm14,%zmm4\n\tvpxord\t64(%rdi),%zmm14,%zmm5\n\tvpxord\t128(%rdi),%zmm14,%zmm6\n\tvpxord\t192(%rdi),%zmm14,%zmm7\n\n\n\n\tvaesenclast\t%zmm4,%zmm0,%zmm4\n\tvaesenclast\t%zmm5,%zmm1,%zmm5\n\tvaesenclast\t%zmm6,%zmm2,%zmm6\n\tvaesenclast\t%zmm7,%zmm3,%zmm7\n\n\n\tvmovdqu8\t%zmm4,0(%rsi)\n\tvmovdqu8\t%zmm5,64(%rsi)\n\tvmovdqu8\t%zmm6,128(%rsi)\n\tvmovdqu8\t%zmm7,192(%rsi)\n\n\tsubq\t$-256,%rdi\n\tsubq\t$-256,%rsi\n\taddq\t$-256,%rdx\n\tcmpq\t$256-1,%rdx\n\tja\t.Lcrypt_loop_4x__func2\n.Lcrypt_loop_4x_done__func2:\n\n\ttestq\t%rdx,%rdx\n\tjz\t.Ldone__func2\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\tmovq\t%rdx,%rax\n\tnegq\t%rax\n\tandq\t$-16,%rax\n\tleaq\t256(%r9,%rax,1),%r8\n\tvpxor\t%xmm4,%xmm4,%xmm4\n\tvpxor\t%xmm5,%xmm5,%xmm5\n\tvpxor\t%xmm6,%xmm6,%xmm6\n\n\tcmpq\t$64,%rdx\n\tjb\t.Lpartial_vec__func2\n\n.Lcrypt_loop_1x__func2:\n\n\n\n\tvpshufb\t%zmm8,%zmm12,%zmm0\n\tvpaddd\t%zmm11,%zmm12,%zmm12\n\tvpxord\t%zmm13,%zmm0,%zmm0\n\tleaq\t16(%rcx),%rax\n.Lvaesenc_loop_tail_full_vec__func2:\n\tvbroadcasti32x4\t(%rax),%zmm9\n\tvaesenc\t%zmm9,%zmm0,%zmm0\n\taddq\t$16,%rax\n\tcmpq\t%rax,%r11\n\tjne\t.Lvaesenc_loop_tail_full_vec__func2\n\tvaesenclast\t%zmm14,%zmm0,%zmm0\n\n\n\tvmovdqu8\t(%rdi),%zmm1\n\tvpxord\t%zmm1,%zmm0,%zmm0\n\tvmovdqu8\t%zmm0,(%rsi)\n\n\n\tvmovdqu8\t(%r8),%zmm30\n\tvpshufb\t%zmm8,%zmm1,%zmm0\n\tvpxord\t%zmm10,%zmm0,%zmm0\n\tvpclmulqdq\t$0x00,%zmm30,%zmm0,%zmm7\n\tvpclmulqdq\t$0x01,%zmm30,%zmm0,%zmm1\n\tvpclmulqdq\t$0x10,%zmm30,%zmm0,%zmm2\n\tvpclmulqdq\t$0x11,%zmm30,%zmm0,%zmm3\n\tvpxord\t%zmm7,%zmm4,%zmm4\n\tvpternlogd\t$0x96,%zmm2,%zmm1,%zmm5\n\tvpxord\t%zmm3,%zmm6,%zmm6\n\n\tvpxor\t%xmm10,%xmm10,%xmm10\n\n\taddq\t$64,%r8\n\taddq\t$64,%rdi\n\taddq\t$64,%rsi\n\tsubq\t$64,%rdx\n\tcmpq\t$64,%rdx\n\tjae\t.Lcrypt_loop_1x__func2\n\n\ttestq\t%rdx,%rdx\n\tjz\t.Lreduce__func2\n\n.Lpartial_vec__func2:\n\n\n\n\n\tmovq\t$-1,%rax\n\tbzhiq\t%rdx,%rax,%rax\n\tkmovq\t%rax,%k1\n\taddq\t$15,%rdx\n\tandq\t$-16,%rdx\n\tmovq\t$-1,%rax\n\tbzhiq\t%rdx,%rax,%rax\n\tkmovq\t%rax,%k2\n\n\n\n\tvpshufb\t%zmm8,%zmm12,%zmm0\n\tvpxord\t%zmm13,%zmm0,%zmm0\n\tleaq\t16(%rcx),%rax\n.Lvaesenc_loop_tail_partialvec__func2:\n\tvbroadcasti32x4\t(%rax),%zmm9\n\tvaesenc\t%zmm9,%zmm0,%zmm0\n\taddq\t$16,%rax\n\tcmpq\t%rax,%r11\n\tjne\t.Lvaesenc_loop_tail_partialvec__func2\n\tvaesenclast\t%zmm14,%zmm0,%zmm0\n\n\n\tvmovdqu8\t(%rdi),%zmm1{%k1}{z}\n\tvpxord\t%zmm1,%zmm0,%zmm0\n\tvmovdqu8\t%zmm0,(%rsi){%k1}\n\n\n\n\n\n\n\n\n\n\n\n\n\n\tvmovdqu8\t(%r8),%zmm30{%k2}{z}\n\n\tvpshufb\t%zmm8,%zmm1,%zmm0\n\tvpxord\t%zmm10,%zmm0,%zmm0\n\tvpclmulqdq\t$0x00,%zmm30,%zmm0,%zmm7\n\tvpclmulqdq\t$0x01,%zmm30,%zmm0,%zmm1\n\tvpclmulqdq\t$0x10,%zmm30,%zmm0,%zmm2\n\tvpclmulqdq\t$0x11,%zmm30,%zmm0,%zmm3\n\tvpxord\t%zmm7,%zmm4,%zmm4\n\tvpternlogd\t$0x96,%zmm2,%zmm1,%zmm5\n\tvpxord\t%zmm3,%zmm6,%zmm6\n\n\n.Lreduce__func2:\n\n\tvpclmulqdq\t$0x01,%zmm4,%zmm31,%zmm0\n\tvpshufd\t$0x4e,%zmm4,%zmm4\n\tvpternlogd\t$0x96,%zmm0,%zmm4,%zmm5\n\tvpclmulqdq\t$0x01,%zmm5,%zmm31,%zmm0\n\tvpshufd\t$0x4e,%zmm5,%zmm5\n\tvpternlogd\t$0x96,%zmm0,%zmm5,%zmm6\n\n\tvextracti32x4\t$1,%zmm6,%xmm0\n\tvextracti32x4\t$2,%zmm6,%xmm1\n\tvextracti32x4\t$3,%zmm6,%xmm2\n\tvpxord\t%xmm0,%xmm6,%xmm10\n\tvpternlogd\t$0x96,%xmm1,%xmm2,%xmm10\n\n\n.Ldone__func2:\n\n\tvpshufb\t%xmm8,%xmm10,%xmm10\n\tvmovdqu\t%xmm10,(%r12)\n\n\tvzeroupper\n\tpopq\t%r12\n.cfi_adjust_cfa_offset\t-8\n.cfi_restore\t%r12\n\tret\n\n.cfi_endproc\t\n.size\taes_gcm_dec_update_vaes_avx10_512, . - aes_gcm_dec_update_vaes_avx10_512\n#endif\n#if defined(__linux__) && defined(__ELF__)\n.section .note.GNU-stack,\"\",%progbits\n#endif\n\n" }, { "path": "Sources/CNIOBoringSSL/gen/bcm/aes-gcm-avx2-x86_64-apple.S", "content": "#define BORINGSSL_PREFIX CNIOBoringSSL\n// This file is generated from a similarly-named Perl script in the BoringSSL\n// source tree. Do not edit by hand.\n\n#include \n\n#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86_64) && defined(__APPLE__)\n.section\t__DATA,__const\n.p2align\t4\n\n\nL$bswap_mask:\n.quad\t0x08090a0b0c0d0e0f, 0x0001020304050607\n\n\n\n\n\n\n\n\nL$gfpoly:\n.quad\t1, 0xc200000000000000\n\n\nL$gfpoly_and_internal_carrybit:\n.quad\t1, 0xc200000000000001\n\n.p2align\t5\n\nL$ctr_pattern:\n.quad\t0, 0\n.quad\t1, 0\nL$inc_2blocks:\n.quad\t2, 0\n.quad\t2, 0\n\n.text\t\n.globl\t_gcm_init_vpclmulqdq_avx2\n.private_extern _gcm_init_vpclmulqdq_avx2\n\n.p2align\t5\n_gcm_init_vpclmulqdq_avx2:\n\n\n_CET_ENDBR\n\n\n\n\n\n\tvpshufd\t$0x4e,(%rsi),%xmm3\n\n\n\n\n\n\tvpshufd\t$0xd3,%xmm3,%xmm0\n\tvpsrad\t$31,%xmm0,%xmm0\n\tvpaddq\t%xmm3,%xmm3,%xmm3\n\tvpand\tL$gfpoly_and_internal_carrybit(%rip),%xmm0,%xmm0\n\tvpxor\t%xmm0,%xmm3,%xmm3\n\n\tvbroadcasti128\tL$gfpoly(%rip),%ymm6\n\n\n\tvpclmulqdq\t$0x00,%xmm3,%xmm3,%xmm0\n\tvpclmulqdq\t$0x01,%xmm3,%xmm3,%xmm1\n\tvpclmulqdq\t$0x10,%xmm3,%xmm3,%xmm2\n\tvpxor\t%xmm2,%xmm1,%xmm1\n\tvpclmulqdq\t$0x01,%xmm0,%xmm6,%xmm2\n\tvpshufd\t$0x4e,%xmm0,%xmm0\n\tvpxor\t%xmm0,%xmm1,%xmm1\n\tvpxor\t%xmm2,%xmm1,%xmm1\n\tvpclmulqdq\t$0x11,%xmm3,%xmm3,%xmm5\n\tvpclmulqdq\t$0x01,%xmm1,%xmm6,%xmm0\n\tvpshufd\t$0x4e,%xmm1,%xmm1\n\tvpxor\t%xmm1,%xmm5,%xmm5\n\tvpxor\t%xmm0,%xmm5,%xmm5\n\n\n\n\tvinserti128\t$1,%xmm3,%ymm5,%ymm3\n\tvinserti128\t$1,%xmm5,%ymm5,%ymm5\n\n\n\tvpclmulqdq\t$0x00,%ymm5,%ymm3,%ymm0\n\tvpclmulqdq\t$0x01,%ymm5,%ymm3,%ymm1\n\tvpclmulqdq\t$0x10,%ymm5,%ymm3,%ymm2\n\tvpxor\t%ymm2,%ymm1,%ymm1\n\tvpclmulqdq\t$0x01,%ymm0,%ymm6,%ymm2\n\tvpshufd\t$0x4e,%ymm0,%ymm0\n\tvpxor\t%ymm0,%ymm1,%ymm1\n\tvpxor\t%ymm2,%ymm1,%ymm1\n\tvpclmulqdq\t$0x11,%ymm5,%ymm3,%ymm4\n\tvpclmulqdq\t$0x01,%ymm1,%ymm6,%ymm0\n\tvpshufd\t$0x4e,%ymm1,%ymm1\n\tvpxor\t%ymm1,%ymm4,%ymm4\n\tvpxor\t%ymm0,%ymm4,%ymm4\n\n\n\n\tvmovdqu\t%ymm3,96(%rdi)\n\tvmovdqu\t%ymm4,64(%rdi)\n\n\n\n\tvpunpcklqdq\t%ymm3,%ymm4,%ymm0\n\tvpunpckhqdq\t%ymm3,%ymm4,%ymm1\n\tvpxor\t%ymm1,%ymm0,%ymm0\n\tvmovdqu\t%ymm0,128+32(%rdi)\n\n\n\tvpclmulqdq\t$0x00,%ymm5,%ymm4,%ymm0\n\tvpclmulqdq\t$0x01,%ymm5,%ymm4,%ymm1\n\tvpclmulqdq\t$0x10,%ymm5,%ymm4,%ymm2\n\tvpxor\t%ymm2,%ymm1,%ymm1\n\tvpclmulqdq\t$0x01,%ymm0,%ymm6,%ymm2\n\tvpshufd\t$0x4e,%ymm0,%ymm0\n\tvpxor\t%ymm0,%ymm1,%ymm1\n\tvpxor\t%ymm2,%ymm1,%ymm1\n\tvpclmulqdq\t$0x11,%ymm5,%ymm4,%ymm3\n\tvpclmulqdq\t$0x01,%ymm1,%ymm6,%ymm0\n\tvpshufd\t$0x4e,%ymm1,%ymm1\n\tvpxor\t%ymm1,%ymm3,%ymm3\n\tvpxor\t%ymm0,%ymm3,%ymm3\n\n\tvpclmulqdq\t$0x00,%ymm5,%ymm3,%ymm0\n\tvpclmulqdq\t$0x01,%ymm5,%ymm3,%ymm1\n\tvpclmulqdq\t$0x10,%ymm5,%ymm3,%ymm2\n\tvpxor\t%ymm2,%ymm1,%ymm1\n\tvpclmulqdq\t$0x01,%ymm0,%ymm6,%ymm2\n\tvpshufd\t$0x4e,%ymm0,%ymm0\n\tvpxor\t%ymm0,%ymm1,%ymm1\n\tvpxor\t%ymm2,%ymm1,%ymm1\n\tvpclmulqdq\t$0x11,%ymm5,%ymm3,%ymm4\n\tvpclmulqdq\t$0x01,%ymm1,%ymm6,%ymm0\n\tvpshufd\t$0x4e,%ymm1,%ymm1\n\tvpxor\t%ymm1,%ymm4,%ymm4\n\tvpxor\t%ymm0,%ymm4,%ymm4\n\n\tvmovdqu\t%ymm3,32(%rdi)\n\tvmovdqu\t%ymm4,0(%rdi)\n\n\n\n\tvpunpcklqdq\t%ymm3,%ymm4,%ymm0\n\tvpunpckhqdq\t%ymm3,%ymm4,%ymm1\n\tvpxor\t%ymm1,%ymm0,%ymm0\n\tvmovdqu\t%ymm0,128(%rdi)\n\n\tvzeroupper\n\tret\n\n\n\n.globl\t_gcm_gmult_vpclmulqdq_avx2\n.private_extern _gcm_gmult_vpclmulqdq_avx2\n\n.p2align\t5\n_gcm_gmult_vpclmulqdq_avx2:\n\n\n_CET_ENDBR\n\n\n\n\tvmovdqu\t(%rdi),%xmm0\n\tvmovdqu\tL$bswap_mask(%rip),%xmm1\n\tvmovdqu\t128-16(%rsi),%xmm2\n\tvmovdqu\tL$gfpoly(%rip),%xmm3\n\tvpshufb\t%xmm1,%xmm0,%xmm0\n\n\tvpclmulqdq\t$0x00,%xmm2,%xmm0,%xmm4\n\tvpclmulqdq\t$0x01,%xmm2,%xmm0,%xmm5\n\tvpclmulqdq\t$0x10,%xmm2,%xmm0,%xmm6\n\tvpxor\t%xmm6,%xmm5,%xmm5\n\tvpclmulqdq\t$0x01,%xmm4,%xmm3,%xmm6\n\tvpshufd\t$0x4e,%xmm4,%xmm4\n\tvpxor\t%xmm4,%xmm5,%xmm5\n\tvpxor\t%xmm6,%xmm5,%xmm5\n\tvpclmulqdq\t$0x11,%xmm2,%xmm0,%xmm0\n\tvpclmulqdq\t$0x01,%xmm5,%xmm3,%xmm4\n\tvpshufd\t$0x4e,%xmm5,%xmm5\n\tvpxor\t%xmm5,%xmm0,%xmm0\n\tvpxor\t%xmm4,%xmm0,%xmm0\n\n\n\tvpshufb\t%xmm1,%xmm0,%xmm0\n\tvmovdqu\t%xmm0,(%rdi)\n\tret\n\n\n\n.globl\t_gcm_ghash_vpclmulqdq_avx2\n.private_extern _gcm_ghash_vpclmulqdq_avx2\n\n.p2align\t5\n_gcm_ghash_vpclmulqdq_avx2:\n\n\n_CET_ENDBR\n\n\n\n\tvbroadcasti128\tL$bswap_mask(%rip),%ymm6\n\tvmovdqu\t(%rdi),%xmm5\n\tvpshufb\t%xmm6,%xmm5,%xmm5\n\tvbroadcasti128\tL$gfpoly(%rip),%ymm7\n\n\n\tcmpq\t$32,%rcx\n\tjb\tL$ghash_lastblock\n\n\tcmpq\t$127,%rcx\n\tjbe\tL$ghash_loop_1x\n\n\n\tvmovdqu\t128(%rsi),%ymm8\n\tvmovdqu\t128+32(%rsi),%ymm9\nL$ghash_loop_4x:\n\n\tvmovdqu\t0(%rdx),%ymm1\n\tvpshufb\t%ymm6,%ymm1,%ymm1\n\tvmovdqu\t0(%rsi),%ymm2\n\tvpxor\t%ymm5,%ymm1,%ymm1\n\tvpclmulqdq\t$0x00,%ymm2,%ymm1,%ymm3\n\tvpclmulqdq\t$0x11,%ymm2,%ymm1,%ymm5\n\tvpunpckhqdq\t%ymm1,%ymm1,%ymm0\n\tvpxor\t%ymm1,%ymm0,%ymm0\n\tvpclmulqdq\t$0x00,%ymm8,%ymm0,%ymm4\n\n\tvmovdqu\t32(%rdx),%ymm1\n\tvpshufb\t%ymm6,%ymm1,%ymm1\n\tvmovdqu\t32(%rsi),%ymm2\n\tvpclmulqdq\t$0x00,%ymm2,%ymm1,%ymm0\n\tvpxor\t%ymm0,%ymm3,%ymm3\n\tvpclmulqdq\t$0x11,%ymm2,%ymm1,%ymm0\n\tvpxor\t%ymm0,%ymm5,%ymm5\n\tvpunpckhqdq\t%ymm1,%ymm1,%ymm0\n\tvpxor\t%ymm1,%ymm0,%ymm0\n\tvpclmulqdq\t$0x10,%ymm8,%ymm0,%ymm0\n\tvpxor\t%ymm0,%ymm4,%ymm4\n\n\tvmovdqu\t64(%rdx),%ymm1\n\tvpshufb\t%ymm6,%ymm1,%ymm1\n\tvmovdqu\t64(%rsi),%ymm2\n\tvpclmulqdq\t$0x00,%ymm2,%ymm1,%ymm0\n\tvpxor\t%ymm0,%ymm3,%ymm3\n\tvpclmulqdq\t$0x11,%ymm2,%ymm1,%ymm0\n\tvpxor\t%ymm0,%ymm5,%ymm5\n\tvpunpckhqdq\t%ymm1,%ymm1,%ymm0\n\tvpxor\t%ymm1,%ymm0,%ymm0\n\tvpclmulqdq\t$0x00,%ymm9,%ymm0,%ymm0\n\tvpxor\t%ymm0,%ymm4,%ymm4\n\n\n\tvmovdqu\t96(%rdx),%ymm1\n\tvpshufb\t%ymm6,%ymm1,%ymm1\n\tvmovdqu\t96(%rsi),%ymm2\n\tvpclmulqdq\t$0x00,%ymm2,%ymm1,%ymm0\n\tvpxor\t%ymm0,%ymm3,%ymm3\n\tvpclmulqdq\t$0x11,%ymm2,%ymm1,%ymm0\n\tvpxor\t%ymm0,%ymm5,%ymm5\n\tvpunpckhqdq\t%ymm1,%ymm1,%ymm0\n\tvpxor\t%ymm1,%ymm0,%ymm0\n\tvpclmulqdq\t$0x10,%ymm9,%ymm0,%ymm0\n\tvpxor\t%ymm0,%ymm4,%ymm4\n\n\tvpxor\t%ymm3,%ymm4,%ymm4\n\tvpxor\t%ymm5,%ymm4,%ymm4\n\n\n\tvbroadcasti128\tL$gfpoly(%rip),%ymm2\n\tvpclmulqdq\t$0x01,%ymm3,%ymm2,%ymm0\n\tvpshufd\t$0x4e,%ymm3,%ymm3\n\tvpxor\t%ymm3,%ymm4,%ymm4\n\tvpxor\t%ymm0,%ymm4,%ymm4\n\n\tvpclmulqdq\t$0x01,%ymm4,%ymm2,%ymm0\n\tvpshufd\t$0x4e,%ymm4,%ymm4\n\tvpxor\t%ymm4,%ymm5,%ymm5\n\tvpxor\t%ymm0,%ymm5,%ymm5\n\tvextracti128\t$1,%ymm5,%xmm0\n\tvpxor\t%xmm0,%xmm5,%xmm5\n\n\tsubq\t$-128,%rdx\n\taddq\t$-128,%rcx\n\tcmpq\t$127,%rcx\n\tja\tL$ghash_loop_4x\n\n\n\tcmpq\t$32,%rcx\n\tjb\tL$ghash_loop_1x_done\nL$ghash_loop_1x:\n\tvmovdqu\t(%rdx),%ymm0\n\tvpshufb\t%ymm6,%ymm0,%ymm0\n\tvpxor\t%ymm0,%ymm5,%ymm5\n\tvmovdqu\t128-32(%rsi),%ymm0\n\tvpclmulqdq\t$0x00,%ymm0,%ymm5,%ymm1\n\tvpclmulqdq\t$0x01,%ymm0,%ymm5,%ymm2\n\tvpclmulqdq\t$0x10,%ymm0,%ymm5,%ymm3\n\tvpxor\t%ymm3,%ymm2,%ymm2\n\tvpclmulqdq\t$0x01,%ymm1,%ymm7,%ymm3\n\tvpshufd\t$0x4e,%ymm1,%ymm1\n\tvpxor\t%ymm1,%ymm2,%ymm2\n\tvpxor\t%ymm3,%ymm2,%ymm2\n\tvpclmulqdq\t$0x11,%ymm0,%ymm5,%ymm5\n\tvpclmulqdq\t$0x01,%ymm2,%ymm7,%ymm1\n\tvpshufd\t$0x4e,%ymm2,%ymm2\n\tvpxor\t%ymm2,%ymm5,%ymm5\n\tvpxor\t%ymm1,%ymm5,%ymm5\n\n\tvextracti128\t$1,%ymm5,%xmm0\n\tvpxor\t%xmm0,%xmm5,%xmm5\n\taddq\t$32,%rdx\n\tsubq\t$32,%rcx\n\tcmpq\t$32,%rcx\n\tjae\tL$ghash_loop_1x\nL$ghash_loop_1x_done:\n\n\n\tvzeroupper\n\n\nL$ghash_lastblock:\n\ttestq\t%rcx,%rcx\n\tjz\tL$ghash_done\n\tvmovdqu\t(%rdx),%xmm0\n\tvpshufb\t%xmm6,%xmm0,%xmm0\n\tvpxor\t%xmm0,%xmm5,%xmm5\n\tvmovdqu\t128-16(%rsi),%xmm0\n\tvpclmulqdq\t$0x00,%xmm0,%xmm5,%xmm1\n\tvpclmulqdq\t$0x01,%xmm0,%xmm5,%xmm2\n\tvpclmulqdq\t$0x10,%xmm0,%xmm5,%xmm3\n\tvpxor\t%xmm3,%xmm2,%xmm2\n\tvpclmulqdq\t$0x01,%xmm1,%xmm7,%xmm3\n\tvpshufd\t$0x4e,%xmm1,%xmm1\n\tvpxor\t%xmm1,%xmm2,%xmm2\n\tvpxor\t%xmm3,%xmm2,%xmm2\n\tvpclmulqdq\t$0x11,%xmm0,%xmm5,%xmm5\n\tvpclmulqdq\t$0x01,%xmm2,%xmm7,%xmm1\n\tvpshufd\t$0x4e,%xmm2,%xmm2\n\tvpxor\t%xmm2,%xmm5,%xmm5\n\tvpxor\t%xmm1,%xmm5,%xmm5\n\n\nL$ghash_done:\n\n\tvpshufb\t%xmm6,%xmm5,%xmm5\n\tvmovdqu\t%xmm5,(%rdi)\n\tret\n\n\n\n.globl\t_aes_gcm_enc_update_vaes_avx2\n.private_extern _aes_gcm_enc_update_vaes_avx2\n\n.p2align\t5\n_aes_gcm_enc_update_vaes_avx2:\n\n\n_CET_ENDBR\n\tpushq\t%r12\n\n\n\tmovq\t16(%rsp),%r12\n#ifdef BORINGSSL_DISPATCH_TEST\n\n\tmovb\t$1,_BORINGSSL_function_hit+8(%rip)\n#endif\n\tvbroadcasti128\tL$bswap_mask(%rip),%ymm0\n\n\n\n\tvmovdqu\t(%r12),%xmm1\n\tvpshufb\t%xmm0,%xmm1,%xmm1\n\tvbroadcasti128\t(%r8),%ymm11\n\tvpshufb\t%ymm0,%ymm11,%ymm11\n\n\n\n\tmovl\t240(%rcx),%r10d\n\tleal\t-20(,%r10,4),%r10d\n\n\n\n\n\tleaq\t96(%rcx,%r10,4),%r11\n\tvbroadcasti128\t(%rcx),%ymm9\n\tvbroadcasti128\t(%r11),%ymm10\n\n\n\tvpaddd\tL$ctr_pattern(%rip),%ymm11,%ymm11\n\n\n\n\tcmpq\t$127,%rdx\n\tjbe\tL$crypt_loop_4x_done__func1\n\n\tvmovdqu\t128(%r9),%ymm7\n\tvmovdqu\t128+32(%r9),%ymm8\n\n\n\n\tvmovdqu\tL$inc_2blocks(%rip),%ymm2\n\tvpshufb\t%ymm0,%ymm11,%ymm12\n\tvpaddd\t%ymm2,%ymm11,%ymm11\n\tvpshufb\t%ymm0,%ymm11,%ymm13\n\tvpaddd\t%ymm2,%ymm11,%ymm11\n\tvpshufb\t%ymm0,%ymm11,%ymm14\n\tvpaddd\t%ymm2,%ymm11,%ymm11\n\tvpshufb\t%ymm0,%ymm11,%ymm15\n\tvpaddd\t%ymm2,%ymm11,%ymm11\n\n\n\tvpxor\t%ymm9,%ymm12,%ymm12\n\tvpxor\t%ymm9,%ymm13,%ymm13\n\tvpxor\t%ymm9,%ymm14,%ymm14\n\tvpxor\t%ymm9,%ymm15,%ymm15\n\n\tleaq\t16(%rcx),%rax\nL$vaesenc_loop_first_4_vecs__func1:\n\tvbroadcasti128\t(%rax),%ymm2\n\tvaesenc\t%ymm2,%ymm12,%ymm12\n\tvaesenc\t%ymm2,%ymm13,%ymm13\n\tvaesenc\t%ymm2,%ymm14,%ymm14\n\tvaesenc\t%ymm2,%ymm15,%ymm15\n\n\taddq\t$16,%rax\n\tcmpq\t%rax,%r11\n\tjne\tL$vaesenc_loop_first_4_vecs__func1\n\tvpxor\t0(%rdi),%ymm10,%ymm2\n\tvpxor\t32(%rdi),%ymm10,%ymm3\n\tvpxor\t64(%rdi),%ymm10,%ymm5\n\tvpxor\t96(%rdi),%ymm10,%ymm6\n\tvaesenclast\t%ymm2,%ymm12,%ymm12\n\tvaesenclast\t%ymm3,%ymm13,%ymm13\n\tvaesenclast\t%ymm5,%ymm14,%ymm14\n\tvaesenclast\t%ymm6,%ymm15,%ymm15\n\tvmovdqu\t%ymm12,0(%rsi)\n\tvmovdqu\t%ymm13,32(%rsi)\n\tvmovdqu\t%ymm14,64(%rsi)\n\tvmovdqu\t%ymm15,96(%rsi)\n\n\tsubq\t$-128,%rdi\n\taddq\t$-128,%rdx\n\tcmpq\t$127,%rdx\n\tjbe\tL$ghash_last_ciphertext_4x__func1\n.p2align\t4\nL$crypt_loop_4x__func1:\n\n\n\n\n\tvmovdqu\tL$inc_2blocks(%rip),%ymm2\n\tvpshufb\t%ymm0,%ymm11,%ymm12\n\tvpaddd\t%ymm2,%ymm11,%ymm11\n\tvpshufb\t%ymm0,%ymm11,%ymm13\n\tvpaddd\t%ymm2,%ymm11,%ymm11\n\tvpshufb\t%ymm0,%ymm11,%ymm14\n\tvpaddd\t%ymm2,%ymm11,%ymm11\n\tvpshufb\t%ymm0,%ymm11,%ymm15\n\tvpaddd\t%ymm2,%ymm11,%ymm11\n\n\n\tvpxor\t%ymm9,%ymm12,%ymm12\n\tvpxor\t%ymm9,%ymm13,%ymm13\n\tvpxor\t%ymm9,%ymm14,%ymm14\n\tvpxor\t%ymm9,%ymm15,%ymm15\n\n\tcmpl\t$24,%r10d\n\tjl\tL$aes128__func1\n\tje\tL$aes192__func1\n\n\tvbroadcasti128\t-208(%r11),%ymm2\n\tvaesenc\t%ymm2,%ymm12,%ymm12\n\tvaesenc\t%ymm2,%ymm13,%ymm13\n\tvaesenc\t%ymm2,%ymm14,%ymm14\n\tvaesenc\t%ymm2,%ymm15,%ymm15\n\n\tvbroadcasti128\t-192(%r11),%ymm2\n\tvaesenc\t%ymm2,%ymm12,%ymm12\n\tvaesenc\t%ymm2,%ymm13,%ymm13\n\tvaesenc\t%ymm2,%ymm14,%ymm14\n\tvaesenc\t%ymm2,%ymm15,%ymm15\n\nL$aes192__func1:\n\tvbroadcasti128\t-176(%r11),%ymm2\n\tvaesenc\t%ymm2,%ymm12,%ymm12\n\tvaesenc\t%ymm2,%ymm13,%ymm13\n\tvaesenc\t%ymm2,%ymm14,%ymm14\n\tvaesenc\t%ymm2,%ymm15,%ymm15\n\n\tvbroadcasti128\t-160(%r11),%ymm2\n\tvaesenc\t%ymm2,%ymm12,%ymm12\n\tvaesenc\t%ymm2,%ymm13,%ymm13\n\tvaesenc\t%ymm2,%ymm14,%ymm14\n\tvaesenc\t%ymm2,%ymm15,%ymm15\n\nL$aes128__func1:\n\tprefetcht0\t512(%rdi)\n\tprefetcht0\t512+64(%rdi)\n\n\tvmovdqu\t0(%rsi),%ymm3\n\tvpshufb\t%ymm0,%ymm3,%ymm3\n\tvmovdqu\t0(%r9),%ymm4\n\tvpxor\t%ymm1,%ymm3,%ymm3\n\tvpclmulqdq\t$0x00,%ymm4,%ymm3,%ymm5\n\tvpclmulqdq\t$0x11,%ymm4,%ymm3,%ymm1\n\tvpunpckhqdq\t%ymm3,%ymm3,%ymm2\n\tvpxor\t%ymm3,%ymm2,%ymm2\n\tvpclmulqdq\t$0x00,%ymm7,%ymm2,%ymm6\n\n\tvbroadcasti128\t-144(%r11),%ymm2\n\tvaesenc\t%ymm2,%ymm12,%ymm12\n\tvaesenc\t%ymm2,%ymm13,%ymm13\n\tvaesenc\t%ymm2,%ymm14,%ymm14\n\tvaesenc\t%ymm2,%ymm15,%ymm15\n\n\n\tvbroadcasti128\t-128(%r11),%ymm2\n\tvaesenc\t%ymm2,%ymm12,%ymm12\n\tvaesenc\t%ymm2,%ymm13,%ymm13\n\tvaesenc\t%ymm2,%ymm14,%ymm14\n\tvaesenc\t%ymm2,%ymm15,%ymm15\n\n\n\tvmovdqu\t32(%rsi),%ymm3\n\tvpshufb\t%ymm0,%ymm3,%ymm3\n\tvmovdqu\t32(%r9),%ymm4\n\tvpclmulqdq\t$0x00,%ymm4,%ymm3,%ymm2\n\tvpxor\t%ymm2,%ymm5,%ymm5\n\tvpclmulqdq\t$0x11,%ymm4,%ymm3,%ymm2\n\tvpxor\t%ymm2,%ymm1,%ymm1\n\tvpunpckhqdq\t%ymm3,%ymm3,%ymm2\n\tvpxor\t%ymm3,%ymm2,%ymm2\n\tvpclmulqdq\t$0x10,%ymm7,%ymm2,%ymm2\n\tvpxor\t%ymm2,%ymm6,%ymm6\n\n\tvbroadcasti128\t-112(%r11),%ymm2\n\tvaesenc\t%ymm2,%ymm12,%ymm12\n\tvaesenc\t%ymm2,%ymm13,%ymm13\n\tvaesenc\t%ymm2,%ymm14,%ymm14\n\tvaesenc\t%ymm2,%ymm15,%ymm15\n\n\n\tvmovdqu\t64(%rsi),%ymm3\n\tvpshufb\t%ymm0,%ymm3,%ymm3\n\tvmovdqu\t64(%r9),%ymm4\n\n\tvbroadcasti128\t-96(%r11),%ymm2\n\tvaesenc\t%ymm2,%ymm12,%ymm12\n\tvaesenc\t%ymm2,%ymm13,%ymm13\n\tvaesenc\t%ymm2,%ymm14,%ymm14\n\tvaesenc\t%ymm2,%ymm15,%ymm15\n\n\tvpclmulqdq\t$0x00,%ymm4,%ymm3,%ymm2\n\tvpxor\t%ymm2,%ymm5,%ymm5\n\tvpclmulqdq\t$0x11,%ymm4,%ymm3,%ymm2\n\tvpxor\t%ymm2,%ymm1,%ymm1\n\n\tvbroadcasti128\t-80(%r11),%ymm2\n\tvaesenc\t%ymm2,%ymm12,%ymm12\n\tvaesenc\t%ymm2,%ymm13,%ymm13\n\tvaesenc\t%ymm2,%ymm14,%ymm14\n\tvaesenc\t%ymm2,%ymm15,%ymm15\n\n\tvpunpckhqdq\t%ymm3,%ymm3,%ymm2\n\tvpxor\t%ymm3,%ymm2,%ymm2\n\tvpclmulqdq\t$0x00,%ymm8,%ymm2,%ymm2\n\tvpxor\t%ymm2,%ymm6,%ymm6\n\n\n\tvmovdqu\t96(%rsi),%ymm3\n\tvpshufb\t%ymm0,%ymm3,%ymm3\n\n\tvbroadcasti128\t-64(%r11),%ymm2\n\tvaesenc\t%ymm2,%ymm12,%ymm12\n\tvaesenc\t%ymm2,%ymm13,%ymm13\n\tvaesenc\t%ymm2,%ymm14,%ymm14\n\tvaesenc\t%ymm2,%ymm15,%ymm15\n\n\tvmovdqu\t96(%r9),%ymm4\n\tvpclmulqdq\t$0x00,%ymm4,%ymm3,%ymm2\n\tvpxor\t%ymm2,%ymm5,%ymm5\n\tvpclmulqdq\t$0x11,%ymm4,%ymm3,%ymm2\n\tvpxor\t%ymm2,%ymm1,%ymm1\n\tvpunpckhqdq\t%ymm3,%ymm3,%ymm2\n\tvpxor\t%ymm3,%ymm2,%ymm2\n\tvpclmulqdq\t$0x10,%ymm8,%ymm2,%ymm2\n\tvpxor\t%ymm2,%ymm6,%ymm6\n\n\tvbroadcasti128\t-48(%r11),%ymm2\n\tvaesenc\t%ymm2,%ymm12,%ymm12\n\tvaesenc\t%ymm2,%ymm13,%ymm13\n\tvaesenc\t%ymm2,%ymm14,%ymm14\n\tvaesenc\t%ymm2,%ymm15,%ymm15\n\n\n\tvpxor\t%ymm5,%ymm6,%ymm6\n\tvpxor\t%ymm1,%ymm6,%ymm6\n\n\n\tvbroadcasti128\tL$gfpoly(%rip),%ymm4\n\tvpclmulqdq\t$0x01,%ymm5,%ymm4,%ymm2\n\tvpshufd\t$0x4e,%ymm5,%ymm5\n\tvpxor\t%ymm5,%ymm6,%ymm6\n\tvpxor\t%ymm2,%ymm6,%ymm6\n\n\tvbroadcasti128\t-32(%r11),%ymm2\n\tvaesenc\t%ymm2,%ymm12,%ymm12\n\tvaesenc\t%ymm2,%ymm13,%ymm13\n\tvaesenc\t%ymm2,%ymm14,%ymm14\n\tvaesenc\t%ymm2,%ymm15,%ymm15\n\n\n\tvpclmulqdq\t$0x01,%ymm6,%ymm4,%ymm2\n\tvpshufd\t$0x4e,%ymm6,%ymm6\n\tvpxor\t%ymm6,%ymm1,%ymm1\n\tvpxor\t%ymm2,%ymm1,%ymm1\n\n\tvbroadcasti128\t-16(%r11),%ymm2\n\tvaesenc\t%ymm2,%ymm12,%ymm12\n\tvaesenc\t%ymm2,%ymm13,%ymm13\n\tvaesenc\t%ymm2,%ymm14,%ymm14\n\tvaesenc\t%ymm2,%ymm15,%ymm15\n\n\tvextracti128\t$1,%ymm1,%xmm2\n\tvpxor\t%xmm2,%xmm1,%xmm1\n\n\n\tsubq\t$-128,%rsi\n\tvpxor\t0(%rdi),%ymm10,%ymm2\n\tvpxor\t32(%rdi),%ymm10,%ymm3\n\tvpxor\t64(%rdi),%ymm10,%ymm5\n\tvpxor\t96(%rdi),%ymm10,%ymm6\n\tvaesenclast\t%ymm2,%ymm12,%ymm12\n\tvaesenclast\t%ymm3,%ymm13,%ymm13\n\tvaesenclast\t%ymm5,%ymm14,%ymm14\n\tvaesenclast\t%ymm6,%ymm15,%ymm15\n\tvmovdqu\t%ymm12,0(%rsi)\n\tvmovdqu\t%ymm13,32(%rsi)\n\tvmovdqu\t%ymm14,64(%rsi)\n\tvmovdqu\t%ymm15,96(%rsi)\n\n\tsubq\t$-128,%rdi\n\n\taddq\t$-128,%rdx\n\tcmpq\t$127,%rdx\n\tja\tL$crypt_loop_4x__func1\nL$ghash_last_ciphertext_4x__func1:\n\n\tvmovdqu\t0(%rsi),%ymm3\n\tvpshufb\t%ymm0,%ymm3,%ymm3\n\tvmovdqu\t0(%r9),%ymm4\n\tvpxor\t%ymm1,%ymm3,%ymm3\n\tvpclmulqdq\t$0x00,%ymm4,%ymm3,%ymm5\n\tvpclmulqdq\t$0x11,%ymm4,%ymm3,%ymm1\n\tvpunpckhqdq\t%ymm3,%ymm3,%ymm2\n\tvpxor\t%ymm3,%ymm2,%ymm2\n\tvpclmulqdq\t$0x00,%ymm7,%ymm2,%ymm6\n\n\tvmovdqu\t32(%rsi),%ymm3\n\tvpshufb\t%ymm0,%ymm3,%ymm3\n\tvmovdqu\t32(%r9),%ymm4\n\tvpclmulqdq\t$0x00,%ymm4,%ymm3,%ymm2\n\tvpxor\t%ymm2,%ymm5,%ymm5\n\tvpclmulqdq\t$0x11,%ymm4,%ymm3,%ymm2\n\tvpxor\t%ymm2,%ymm1,%ymm1\n\tvpunpckhqdq\t%ymm3,%ymm3,%ymm2\n\tvpxor\t%ymm3,%ymm2,%ymm2\n\tvpclmulqdq\t$0x10,%ymm7,%ymm2,%ymm2\n\tvpxor\t%ymm2,%ymm6,%ymm6\n\n\tvmovdqu\t64(%rsi),%ymm3\n\tvpshufb\t%ymm0,%ymm3,%ymm3\n\tvmovdqu\t64(%r9),%ymm4\n\tvpclmulqdq\t$0x00,%ymm4,%ymm3,%ymm2\n\tvpxor\t%ymm2,%ymm5,%ymm5\n\tvpclmulqdq\t$0x11,%ymm4,%ymm3,%ymm2\n\tvpxor\t%ymm2,%ymm1,%ymm1\n\tvpunpckhqdq\t%ymm3,%ymm3,%ymm2\n\tvpxor\t%ymm3,%ymm2,%ymm2\n\tvpclmulqdq\t$0x00,%ymm8,%ymm2,%ymm2\n\tvpxor\t%ymm2,%ymm6,%ymm6\n\n\n\tvmovdqu\t96(%rsi),%ymm3\n\tvpshufb\t%ymm0,%ymm3,%ymm3\n\tvmovdqu\t96(%r9),%ymm4\n\tvpclmulqdq\t$0x00,%ymm4,%ymm3,%ymm2\n\tvpxor\t%ymm2,%ymm5,%ymm5\n\tvpclmulqdq\t$0x11,%ymm4,%ymm3,%ymm2\n\tvpxor\t%ymm2,%ymm1,%ymm1\n\tvpunpckhqdq\t%ymm3,%ymm3,%ymm2\n\tvpxor\t%ymm3,%ymm2,%ymm2\n\tvpclmulqdq\t$0x10,%ymm8,%ymm2,%ymm2\n\tvpxor\t%ymm2,%ymm6,%ymm6\n\n\tvpxor\t%ymm5,%ymm6,%ymm6\n\tvpxor\t%ymm1,%ymm6,%ymm6\n\n\n\tvbroadcasti128\tL$gfpoly(%rip),%ymm4\n\tvpclmulqdq\t$0x01,%ymm5,%ymm4,%ymm2\n\tvpshufd\t$0x4e,%ymm5,%ymm5\n\tvpxor\t%ymm5,%ymm6,%ymm6\n\tvpxor\t%ymm2,%ymm6,%ymm6\n\n\tvpclmulqdq\t$0x01,%ymm6,%ymm4,%ymm2\n\tvpshufd\t$0x4e,%ymm6,%ymm6\n\tvpxor\t%ymm6,%ymm1,%ymm1\n\tvpxor\t%ymm2,%ymm1,%ymm1\n\tvextracti128\t$1,%ymm1,%xmm2\n\tvpxor\t%xmm2,%xmm1,%xmm1\n\n\tsubq\t$-128,%rsi\nL$crypt_loop_4x_done__func1:\n\n\ttestq\t%rdx,%rdx\n\tjz\tL$done__func1\n\n\n\n\n\n\tleaq\t128(%r9),%r8\n\tsubq\t%rdx,%r8\n\n\n\tvpxor\t%xmm5,%xmm5,%xmm5\n\tvpxor\t%xmm6,%xmm6,%xmm6\n\tvpxor\t%xmm7,%xmm7,%xmm7\n\n\tcmpq\t$64,%rdx\n\tjb\tL$lessthan64bytes__func1\n\n\n\tvpshufb\t%ymm0,%ymm11,%ymm12\n\tvpaddd\tL$inc_2blocks(%rip),%ymm11,%ymm11\n\tvpshufb\t%ymm0,%ymm11,%ymm13\n\tvpaddd\tL$inc_2blocks(%rip),%ymm11,%ymm11\n\tvpxor\t%ymm9,%ymm12,%ymm12\n\tvpxor\t%ymm9,%ymm13,%ymm13\n\tleaq\t16(%rcx),%rax\nL$vaesenc_loop_tail_1__func1:\n\tvbroadcasti128\t(%rax),%ymm2\n\tvaesenc\t%ymm2,%ymm12,%ymm12\n\tvaesenc\t%ymm2,%ymm13,%ymm13\n\taddq\t$16,%rax\n\tcmpq\t%rax,%r11\n\tjne\tL$vaesenc_loop_tail_1__func1\n\tvaesenclast\t%ymm10,%ymm12,%ymm12\n\tvaesenclast\t%ymm10,%ymm13,%ymm13\n\n\n\tvmovdqu\t0(%rdi),%ymm2\n\tvmovdqu\t32(%rdi),%ymm3\n\tvpxor\t%ymm2,%ymm12,%ymm12\n\tvpxor\t%ymm3,%ymm13,%ymm13\n\tvmovdqu\t%ymm12,0(%rsi)\n\tvmovdqu\t%ymm13,32(%rsi)\n\n\n\tvpshufb\t%ymm0,%ymm12,%ymm12\n\tvpshufb\t%ymm0,%ymm13,%ymm13\n\tvpxor\t%ymm1,%ymm12,%ymm12\n\tvmovdqu\t(%r8),%ymm2\n\tvmovdqu\t32(%r8),%ymm3\n\tvpclmulqdq\t$0x00,%ymm2,%ymm12,%ymm5\n\tvpclmulqdq\t$0x01,%ymm2,%ymm12,%ymm6\n\tvpclmulqdq\t$0x10,%ymm2,%ymm12,%ymm4\n\tvpxor\t%ymm4,%ymm6,%ymm6\n\tvpclmulqdq\t$0x11,%ymm2,%ymm12,%ymm7\n\tvpclmulqdq\t$0x00,%ymm3,%ymm13,%ymm4\n\tvpxor\t%ymm4,%ymm5,%ymm5\n\tvpclmulqdq\t$0x01,%ymm3,%ymm13,%ymm4\n\tvpxor\t%ymm4,%ymm6,%ymm6\n\tvpclmulqdq\t$0x10,%ymm3,%ymm13,%ymm4\n\tvpxor\t%ymm4,%ymm6,%ymm6\n\tvpclmulqdq\t$0x11,%ymm3,%ymm13,%ymm4\n\tvpxor\t%ymm4,%ymm7,%ymm7\n\n\taddq\t$64,%r8\n\taddq\t$64,%rdi\n\taddq\t$64,%rsi\n\tsubq\t$64,%rdx\n\tjz\tL$reduce__func1\n\n\tvpxor\t%xmm1,%xmm1,%xmm1\n\n\nL$lessthan64bytes__func1:\n\tvpshufb\t%ymm0,%ymm11,%ymm12\n\tvpaddd\tL$inc_2blocks(%rip),%ymm11,%ymm11\n\tvpshufb\t%ymm0,%ymm11,%ymm13\n\tvpxor\t%ymm9,%ymm12,%ymm12\n\tvpxor\t%ymm9,%ymm13,%ymm13\n\tleaq\t16(%rcx),%rax\nL$vaesenc_loop_tail_2__func1:\n\tvbroadcasti128\t(%rax),%ymm2\n\tvaesenc\t%ymm2,%ymm12,%ymm12\n\tvaesenc\t%ymm2,%ymm13,%ymm13\n\taddq\t$16,%rax\n\tcmpq\t%rax,%r11\n\tjne\tL$vaesenc_loop_tail_2__func1\n\tvaesenclast\t%ymm10,%ymm12,%ymm12\n\tvaesenclast\t%ymm10,%ymm13,%ymm13\n\n\n\n\n\tcmpq\t$32,%rdx\n\tjb\tL$xor_one_block__func1\n\tje\tL$xor_two_blocks__func1\n\nL$xor_three_blocks__func1:\n\tvmovdqu\t0(%rdi),%ymm2\n\tvmovdqu\t32(%rdi),%xmm3\n\tvpxor\t%ymm2,%ymm12,%ymm12\n\tvpxor\t%xmm3,%xmm13,%xmm13\n\tvmovdqu\t%ymm12,0(%rsi)\n\tvmovdqu\t%xmm13,32(%rsi)\n\n\tvpshufb\t%ymm0,%ymm12,%ymm12\n\tvpshufb\t%xmm0,%xmm13,%xmm13\n\tvpxor\t%ymm1,%ymm12,%ymm12\n\tvmovdqu\t(%r8),%ymm2\n\tvmovdqu\t32(%r8),%xmm3\n\tvpclmulqdq\t$0x00,%xmm3,%xmm13,%xmm4\n\tvpxor\t%ymm4,%ymm5,%ymm5\n\tvpclmulqdq\t$0x01,%xmm3,%xmm13,%xmm4\n\tvpxor\t%ymm4,%ymm6,%ymm6\n\tvpclmulqdq\t$0x10,%xmm3,%xmm13,%xmm4\n\tvpxor\t%ymm4,%ymm6,%ymm6\n\tvpclmulqdq\t$0x11,%xmm3,%xmm13,%xmm4\n\tvpxor\t%ymm4,%ymm7,%ymm7\n\tjmp\tL$ghash_mul_one_vec_unreduced__func1\n\nL$xor_two_blocks__func1:\n\tvmovdqu\t(%rdi),%ymm2\n\tvpxor\t%ymm2,%ymm12,%ymm12\n\tvmovdqu\t%ymm12,(%rsi)\n\tvpshufb\t%ymm0,%ymm12,%ymm12\n\tvpxor\t%ymm1,%ymm12,%ymm12\n\tvmovdqu\t(%r8),%ymm2\n\tjmp\tL$ghash_mul_one_vec_unreduced__func1\n\nL$xor_one_block__func1:\n\tvmovdqu\t(%rdi),%xmm2\n\tvpxor\t%xmm2,%xmm12,%xmm12\n\tvmovdqu\t%xmm12,(%rsi)\n\tvpshufb\t%xmm0,%xmm12,%xmm12\n\tvpxor\t%xmm1,%xmm12,%xmm12\n\tvmovdqu\t(%r8),%xmm2\n\nL$ghash_mul_one_vec_unreduced__func1:\n\tvpclmulqdq\t$0x00,%ymm2,%ymm12,%ymm4\n\tvpxor\t%ymm4,%ymm5,%ymm5\n\tvpclmulqdq\t$0x01,%ymm2,%ymm12,%ymm4\n\tvpxor\t%ymm4,%ymm6,%ymm6\n\tvpclmulqdq\t$0x10,%ymm2,%ymm12,%ymm4\n\tvpxor\t%ymm4,%ymm6,%ymm6\n\tvpclmulqdq\t$0x11,%ymm2,%ymm12,%ymm4\n\tvpxor\t%ymm4,%ymm7,%ymm7\n\nL$reduce__func1:\n\n\tvbroadcasti128\tL$gfpoly(%rip),%ymm2\n\tvpclmulqdq\t$0x01,%ymm5,%ymm2,%ymm3\n\tvpshufd\t$0x4e,%ymm5,%ymm5\n\tvpxor\t%ymm5,%ymm6,%ymm6\n\tvpxor\t%ymm3,%ymm6,%ymm6\n\tvpclmulqdq\t$0x01,%ymm6,%ymm2,%ymm3\n\tvpshufd\t$0x4e,%ymm6,%ymm6\n\tvpxor\t%ymm6,%ymm7,%ymm7\n\tvpxor\t%ymm3,%ymm7,%ymm7\n\tvextracti128\t$1,%ymm7,%xmm1\n\tvpxor\t%xmm7,%xmm1,%xmm1\n\nL$done__func1:\n\n\tvpshufb\t%xmm0,%xmm1,%xmm1\n\tvmovdqu\t%xmm1,(%r12)\n\n\tvzeroupper\n\tpopq\t%r12\n\n\tret\n\n\n\n.globl\t_aes_gcm_dec_update_vaes_avx2\n.private_extern _aes_gcm_dec_update_vaes_avx2\n\n.p2align\t5\n_aes_gcm_dec_update_vaes_avx2:\n\n\n_CET_ENDBR\n\tpushq\t%r12\n\n\n\tmovq\t16(%rsp),%r12\n\tvbroadcasti128\tL$bswap_mask(%rip),%ymm0\n\n\n\n\tvmovdqu\t(%r12),%xmm1\n\tvpshufb\t%xmm0,%xmm1,%xmm1\n\tvbroadcasti128\t(%r8),%ymm11\n\tvpshufb\t%ymm0,%ymm11,%ymm11\n\n\n\n\tmovl\t240(%rcx),%r10d\n\tleal\t-20(,%r10,4),%r10d\n\n\n\n\n\tleaq\t96(%rcx,%r10,4),%r11\n\tvbroadcasti128\t(%rcx),%ymm9\n\tvbroadcasti128\t(%r11),%ymm10\n\n\n\tvpaddd\tL$ctr_pattern(%rip),%ymm11,%ymm11\n\n\n\n\tcmpq\t$127,%rdx\n\tjbe\tL$crypt_loop_4x_done__func2\n\n\tvmovdqu\t128(%r9),%ymm7\n\tvmovdqu\t128+32(%r9),%ymm8\n.p2align\t4\nL$crypt_loop_4x__func2:\n\n\n\n\n\tvmovdqu\tL$inc_2blocks(%rip),%ymm2\n\tvpshufb\t%ymm0,%ymm11,%ymm12\n\tvpaddd\t%ymm2,%ymm11,%ymm11\n\tvpshufb\t%ymm0,%ymm11,%ymm13\n\tvpaddd\t%ymm2,%ymm11,%ymm11\n\tvpshufb\t%ymm0,%ymm11,%ymm14\n\tvpaddd\t%ymm2,%ymm11,%ymm11\n\tvpshufb\t%ymm0,%ymm11,%ymm15\n\tvpaddd\t%ymm2,%ymm11,%ymm11\n\n\n\tvpxor\t%ymm9,%ymm12,%ymm12\n\tvpxor\t%ymm9,%ymm13,%ymm13\n\tvpxor\t%ymm9,%ymm14,%ymm14\n\tvpxor\t%ymm9,%ymm15,%ymm15\n\n\tcmpl\t$24,%r10d\n\tjl\tL$aes128__func2\n\tje\tL$aes192__func2\n\n\tvbroadcasti128\t-208(%r11),%ymm2\n\tvaesenc\t%ymm2,%ymm12,%ymm12\n\tvaesenc\t%ymm2,%ymm13,%ymm13\n\tvaesenc\t%ymm2,%ymm14,%ymm14\n\tvaesenc\t%ymm2,%ymm15,%ymm15\n\n\tvbroadcasti128\t-192(%r11),%ymm2\n\tvaesenc\t%ymm2,%ymm12,%ymm12\n\tvaesenc\t%ymm2,%ymm13,%ymm13\n\tvaesenc\t%ymm2,%ymm14,%ymm14\n\tvaesenc\t%ymm2,%ymm15,%ymm15\n\nL$aes192__func2:\n\tvbroadcasti128\t-176(%r11),%ymm2\n\tvaesenc\t%ymm2,%ymm12,%ymm12\n\tvaesenc\t%ymm2,%ymm13,%ymm13\n\tvaesenc\t%ymm2,%ymm14,%ymm14\n\tvaesenc\t%ymm2,%ymm15,%ymm15\n\n\tvbroadcasti128\t-160(%r11),%ymm2\n\tvaesenc\t%ymm2,%ymm12,%ymm12\n\tvaesenc\t%ymm2,%ymm13,%ymm13\n\tvaesenc\t%ymm2,%ymm14,%ymm14\n\tvaesenc\t%ymm2,%ymm15,%ymm15\n\nL$aes128__func2:\n\tprefetcht0\t512(%rdi)\n\tprefetcht0\t512+64(%rdi)\n\n\tvmovdqu\t0(%rdi),%ymm3\n\tvpshufb\t%ymm0,%ymm3,%ymm3\n\tvmovdqu\t0(%r9),%ymm4\n\tvpxor\t%ymm1,%ymm3,%ymm3\n\tvpclmulqdq\t$0x00,%ymm4,%ymm3,%ymm5\n\tvpclmulqdq\t$0x11,%ymm4,%ymm3,%ymm1\n\tvpunpckhqdq\t%ymm3,%ymm3,%ymm2\n\tvpxor\t%ymm3,%ymm2,%ymm2\n\tvpclmulqdq\t$0x00,%ymm7,%ymm2,%ymm6\n\n\tvbroadcasti128\t-144(%r11),%ymm2\n\tvaesenc\t%ymm2,%ymm12,%ymm12\n\tvaesenc\t%ymm2,%ymm13,%ymm13\n\tvaesenc\t%ymm2,%ymm14,%ymm14\n\tvaesenc\t%ymm2,%ymm15,%ymm15\n\n\n\tvbroadcasti128\t-128(%r11),%ymm2\n\tvaesenc\t%ymm2,%ymm12,%ymm12\n\tvaesenc\t%ymm2,%ymm13,%ymm13\n\tvaesenc\t%ymm2,%ymm14,%ymm14\n\tvaesenc\t%ymm2,%ymm15,%ymm15\n\n\n\tvmovdqu\t32(%rdi),%ymm3\n\tvpshufb\t%ymm0,%ymm3,%ymm3\n\tvmovdqu\t32(%r9),%ymm4\n\tvpclmulqdq\t$0x00,%ymm4,%ymm3,%ymm2\n\tvpxor\t%ymm2,%ymm5,%ymm5\n\tvpclmulqdq\t$0x11,%ymm4,%ymm3,%ymm2\n\tvpxor\t%ymm2,%ymm1,%ymm1\n\tvpunpckhqdq\t%ymm3,%ymm3,%ymm2\n\tvpxor\t%ymm3,%ymm2,%ymm2\n\tvpclmulqdq\t$0x10,%ymm7,%ymm2,%ymm2\n\tvpxor\t%ymm2,%ymm6,%ymm6\n\n\tvbroadcasti128\t-112(%r11),%ymm2\n\tvaesenc\t%ymm2,%ymm12,%ymm12\n\tvaesenc\t%ymm2,%ymm13,%ymm13\n\tvaesenc\t%ymm2,%ymm14,%ymm14\n\tvaesenc\t%ymm2,%ymm15,%ymm15\n\n\n\tvmovdqu\t64(%rdi),%ymm3\n\tvpshufb\t%ymm0,%ymm3,%ymm3\n\tvmovdqu\t64(%r9),%ymm4\n\n\tvbroadcasti128\t-96(%r11),%ymm2\n\tvaesenc\t%ymm2,%ymm12,%ymm12\n\tvaesenc\t%ymm2,%ymm13,%ymm13\n\tvaesenc\t%ymm2,%ymm14,%ymm14\n\tvaesenc\t%ymm2,%ymm15,%ymm15\n\n\tvpclmulqdq\t$0x00,%ymm4,%ymm3,%ymm2\n\tvpxor\t%ymm2,%ymm5,%ymm5\n\tvpclmulqdq\t$0x11,%ymm4,%ymm3,%ymm2\n\tvpxor\t%ymm2,%ymm1,%ymm1\n\n\tvbroadcasti128\t-80(%r11),%ymm2\n\tvaesenc\t%ymm2,%ymm12,%ymm12\n\tvaesenc\t%ymm2,%ymm13,%ymm13\n\tvaesenc\t%ymm2,%ymm14,%ymm14\n\tvaesenc\t%ymm2,%ymm15,%ymm15\n\n\tvpunpckhqdq\t%ymm3,%ymm3,%ymm2\n\tvpxor\t%ymm3,%ymm2,%ymm2\n\tvpclmulqdq\t$0x00,%ymm8,%ymm2,%ymm2\n\tvpxor\t%ymm2,%ymm6,%ymm6\n\n\n\tvmovdqu\t96(%rdi),%ymm3\n\tvpshufb\t%ymm0,%ymm3,%ymm3\n\n\tvbroadcasti128\t-64(%r11),%ymm2\n\tvaesenc\t%ymm2,%ymm12,%ymm12\n\tvaesenc\t%ymm2,%ymm13,%ymm13\n\tvaesenc\t%ymm2,%ymm14,%ymm14\n\tvaesenc\t%ymm2,%ymm15,%ymm15\n\n\tvmovdqu\t96(%r9),%ymm4\n\tvpclmulqdq\t$0x00,%ymm4,%ymm3,%ymm2\n\tvpxor\t%ymm2,%ymm5,%ymm5\n\tvpclmulqdq\t$0x11,%ymm4,%ymm3,%ymm2\n\tvpxor\t%ymm2,%ymm1,%ymm1\n\tvpunpckhqdq\t%ymm3,%ymm3,%ymm2\n\tvpxor\t%ymm3,%ymm2,%ymm2\n\tvpclmulqdq\t$0x10,%ymm8,%ymm2,%ymm2\n\tvpxor\t%ymm2,%ymm6,%ymm6\n\n\tvbroadcasti128\t-48(%r11),%ymm2\n\tvaesenc\t%ymm2,%ymm12,%ymm12\n\tvaesenc\t%ymm2,%ymm13,%ymm13\n\tvaesenc\t%ymm2,%ymm14,%ymm14\n\tvaesenc\t%ymm2,%ymm15,%ymm15\n\n\n\tvpxor\t%ymm5,%ymm6,%ymm6\n\tvpxor\t%ymm1,%ymm6,%ymm6\n\n\n\tvbroadcasti128\tL$gfpoly(%rip),%ymm4\n\tvpclmulqdq\t$0x01,%ymm5,%ymm4,%ymm2\n\tvpshufd\t$0x4e,%ymm5,%ymm5\n\tvpxor\t%ymm5,%ymm6,%ymm6\n\tvpxor\t%ymm2,%ymm6,%ymm6\n\n\tvbroadcasti128\t-32(%r11),%ymm2\n\tvaesenc\t%ymm2,%ymm12,%ymm12\n\tvaesenc\t%ymm2,%ymm13,%ymm13\n\tvaesenc\t%ymm2,%ymm14,%ymm14\n\tvaesenc\t%ymm2,%ymm15,%ymm15\n\n\n\tvpclmulqdq\t$0x01,%ymm6,%ymm4,%ymm2\n\tvpshufd\t$0x4e,%ymm6,%ymm6\n\tvpxor\t%ymm6,%ymm1,%ymm1\n\tvpxor\t%ymm2,%ymm1,%ymm1\n\n\tvbroadcasti128\t-16(%r11),%ymm2\n\tvaesenc\t%ymm2,%ymm12,%ymm12\n\tvaesenc\t%ymm2,%ymm13,%ymm13\n\tvaesenc\t%ymm2,%ymm14,%ymm14\n\tvaesenc\t%ymm2,%ymm15,%ymm15\n\n\tvextracti128\t$1,%ymm1,%xmm2\n\tvpxor\t%xmm2,%xmm1,%xmm1\n\n\n\n\tvpxor\t0(%rdi),%ymm10,%ymm2\n\tvpxor\t32(%rdi),%ymm10,%ymm3\n\tvpxor\t64(%rdi),%ymm10,%ymm5\n\tvpxor\t96(%rdi),%ymm10,%ymm6\n\tvaesenclast\t%ymm2,%ymm12,%ymm12\n\tvaesenclast\t%ymm3,%ymm13,%ymm13\n\tvaesenclast\t%ymm5,%ymm14,%ymm14\n\tvaesenclast\t%ymm6,%ymm15,%ymm15\n\tvmovdqu\t%ymm12,0(%rsi)\n\tvmovdqu\t%ymm13,32(%rsi)\n\tvmovdqu\t%ymm14,64(%rsi)\n\tvmovdqu\t%ymm15,96(%rsi)\n\n\tsubq\t$-128,%rdi\n\tsubq\t$-128,%rsi\n\taddq\t$-128,%rdx\n\tcmpq\t$127,%rdx\n\tja\tL$crypt_loop_4x__func2\nL$crypt_loop_4x_done__func2:\n\n\ttestq\t%rdx,%rdx\n\tjz\tL$done__func2\n\n\n\n\n\n\tleaq\t128(%r9),%r8\n\tsubq\t%rdx,%r8\n\n\n\tvpxor\t%xmm5,%xmm5,%xmm5\n\tvpxor\t%xmm6,%xmm6,%xmm6\n\tvpxor\t%xmm7,%xmm7,%xmm7\n\n\tcmpq\t$64,%rdx\n\tjb\tL$lessthan64bytes__func2\n\n\n\tvpshufb\t%ymm0,%ymm11,%ymm12\n\tvpaddd\tL$inc_2blocks(%rip),%ymm11,%ymm11\n\tvpshufb\t%ymm0,%ymm11,%ymm13\n\tvpaddd\tL$inc_2blocks(%rip),%ymm11,%ymm11\n\tvpxor\t%ymm9,%ymm12,%ymm12\n\tvpxor\t%ymm9,%ymm13,%ymm13\n\tleaq\t16(%rcx),%rax\nL$vaesenc_loop_tail_1__func2:\n\tvbroadcasti128\t(%rax),%ymm2\n\tvaesenc\t%ymm2,%ymm12,%ymm12\n\tvaesenc\t%ymm2,%ymm13,%ymm13\n\taddq\t$16,%rax\n\tcmpq\t%rax,%r11\n\tjne\tL$vaesenc_loop_tail_1__func2\n\tvaesenclast\t%ymm10,%ymm12,%ymm12\n\tvaesenclast\t%ymm10,%ymm13,%ymm13\n\n\n\tvmovdqu\t0(%rdi),%ymm2\n\tvmovdqu\t32(%rdi),%ymm3\n\tvpxor\t%ymm2,%ymm12,%ymm12\n\tvpxor\t%ymm3,%ymm13,%ymm13\n\tvmovdqu\t%ymm12,0(%rsi)\n\tvmovdqu\t%ymm13,32(%rsi)\n\n\n\tvpshufb\t%ymm0,%ymm2,%ymm12\n\tvpshufb\t%ymm0,%ymm3,%ymm13\n\tvpxor\t%ymm1,%ymm12,%ymm12\n\tvmovdqu\t(%r8),%ymm2\n\tvmovdqu\t32(%r8),%ymm3\n\tvpclmulqdq\t$0x00,%ymm2,%ymm12,%ymm5\n\tvpclmulqdq\t$0x01,%ymm2,%ymm12,%ymm6\n\tvpclmulqdq\t$0x10,%ymm2,%ymm12,%ymm4\n\tvpxor\t%ymm4,%ymm6,%ymm6\n\tvpclmulqdq\t$0x11,%ymm2,%ymm12,%ymm7\n\tvpclmulqdq\t$0x00,%ymm3,%ymm13,%ymm4\n\tvpxor\t%ymm4,%ymm5,%ymm5\n\tvpclmulqdq\t$0x01,%ymm3,%ymm13,%ymm4\n\tvpxor\t%ymm4,%ymm6,%ymm6\n\tvpclmulqdq\t$0x10,%ymm3,%ymm13,%ymm4\n\tvpxor\t%ymm4,%ymm6,%ymm6\n\tvpclmulqdq\t$0x11,%ymm3,%ymm13,%ymm4\n\tvpxor\t%ymm4,%ymm7,%ymm7\n\n\taddq\t$64,%r8\n\taddq\t$64,%rdi\n\taddq\t$64,%rsi\n\tsubq\t$64,%rdx\n\tjz\tL$reduce__func2\n\n\tvpxor\t%xmm1,%xmm1,%xmm1\n\n\nL$lessthan64bytes__func2:\n\tvpshufb\t%ymm0,%ymm11,%ymm12\n\tvpaddd\tL$inc_2blocks(%rip),%ymm11,%ymm11\n\tvpshufb\t%ymm0,%ymm11,%ymm13\n\tvpxor\t%ymm9,%ymm12,%ymm12\n\tvpxor\t%ymm9,%ymm13,%ymm13\n\tleaq\t16(%rcx),%rax\nL$vaesenc_loop_tail_2__func2:\n\tvbroadcasti128\t(%rax),%ymm2\n\tvaesenc\t%ymm2,%ymm12,%ymm12\n\tvaesenc\t%ymm2,%ymm13,%ymm13\n\taddq\t$16,%rax\n\tcmpq\t%rax,%r11\n\tjne\tL$vaesenc_loop_tail_2__func2\n\tvaesenclast\t%ymm10,%ymm12,%ymm12\n\tvaesenclast\t%ymm10,%ymm13,%ymm13\n\n\n\n\n\tcmpq\t$32,%rdx\n\tjb\tL$xor_one_block__func2\n\tje\tL$xor_two_blocks__func2\n\nL$xor_three_blocks__func2:\n\tvmovdqu\t0(%rdi),%ymm2\n\tvmovdqu\t32(%rdi),%xmm3\n\tvpxor\t%ymm2,%ymm12,%ymm12\n\tvpxor\t%xmm3,%xmm13,%xmm13\n\tvmovdqu\t%ymm12,0(%rsi)\n\tvmovdqu\t%xmm13,32(%rsi)\n\n\tvpshufb\t%ymm0,%ymm2,%ymm12\n\tvpshufb\t%xmm0,%xmm3,%xmm13\n\tvpxor\t%ymm1,%ymm12,%ymm12\n\tvmovdqu\t(%r8),%ymm2\n\tvmovdqu\t32(%r8),%xmm3\n\tvpclmulqdq\t$0x00,%xmm3,%xmm13,%xmm4\n\tvpxor\t%ymm4,%ymm5,%ymm5\n\tvpclmulqdq\t$0x01,%xmm3,%xmm13,%xmm4\n\tvpxor\t%ymm4,%ymm6,%ymm6\n\tvpclmulqdq\t$0x10,%xmm3,%xmm13,%xmm4\n\tvpxor\t%ymm4,%ymm6,%ymm6\n\tvpclmulqdq\t$0x11,%xmm3,%xmm13,%xmm4\n\tvpxor\t%ymm4,%ymm7,%ymm7\n\tjmp\tL$ghash_mul_one_vec_unreduced__func2\n\nL$xor_two_blocks__func2:\n\tvmovdqu\t(%rdi),%ymm2\n\tvpxor\t%ymm2,%ymm12,%ymm12\n\tvmovdqu\t%ymm12,(%rsi)\n\tvpshufb\t%ymm0,%ymm2,%ymm12\n\tvpxor\t%ymm1,%ymm12,%ymm12\n\tvmovdqu\t(%r8),%ymm2\n\tjmp\tL$ghash_mul_one_vec_unreduced__func2\n\nL$xor_one_block__func2:\n\tvmovdqu\t(%rdi),%xmm2\n\tvpxor\t%xmm2,%xmm12,%xmm12\n\tvmovdqu\t%xmm12,(%rsi)\n\tvpshufb\t%xmm0,%xmm2,%xmm12\n\tvpxor\t%xmm1,%xmm12,%xmm12\n\tvmovdqu\t(%r8),%xmm2\n\nL$ghash_mul_one_vec_unreduced__func2:\n\tvpclmulqdq\t$0x00,%ymm2,%ymm12,%ymm4\n\tvpxor\t%ymm4,%ymm5,%ymm5\n\tvpclmulqdq\t$0x01,%ymm2,%ymm12,%ymm4\n\tvpxor\t%ymm4,%ymm6,%ymm6\n\tvpclmulqdq\t$0x10,%ymm2,%ymm12,%ymm4\n\tvpxor\t%ymm4,%ymm6,%ymm6\n\tvpclmulqdq\t$0x11,%ymm2,%ymm12,%ymm4\n\tvpxor\t%ymm4,%ymm7,%ymm7\n\nL$reduce__func2:\n\n\tvbroadcasti128\tL$gfpoly(%rip),%ymm2\n\tvpclmulqdq\t$0x01,%ymm5,%ymm2,%ymm3\n\tvpshufd\t$0x4e,%ymm5,%ymm5\n\tvpxor\t%ymm5,%ymm6,%ymm6\n\tvpxor\t%ymm3,%ymm6,%ymm6\n\tvpclmulqdq\t$0x01,%ymm6,%ymm2,%ymm3\n\tvpshufd\t$0x4e,%ymm6,%ymm6\n\tvpxor\t%ymm6,%ymm7,%ymm7\n\tvpxor\t%ymm3,%ymm7,%ymm7\n\tvextracti128\t$1,%ymm7,%xmm1\n\tvpxor\t%xmm7,%xmm1,%xmm1\n\nL$done__func2:\n\n\tvpshufb\t%xmm0,%xmm1,%xmm1\n\tvmovdqu\t%xmm1,(%r12)\n\n\tvzeroupper\n\tpopq\t%r12\n\n\tret\n\n\n\n#endif\n#if defined(__linux__) && defined(__ELF__)\n.section .note.GNU-stack,\"\",%progbits\n#endif\n\n" }, { "path": "Sources/CNIOBoringSSL/gen/bcm/aes-gcm-avx2-x86_64-linux.S", "content": "#define BORINGSSL_PREFIX CNIOBoringSSL\n// This file is generated from a similarly-named Perl script in the BoringSSL\n// source tree. Do not edit by hand.\n\n#include \n\n#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86_64) && defined(__ELF__)\n.section\t.rodata\n.align\t16\n\n\n.Lbswap_mask:\n.quad\t0x08090a0b0c0d0e0f, 0x0001020304050607\n\n\n\n\n\n\n\n\n.Lgfpoly:\n.quad\t1, 0xc200000000000000\n\n\n.Lgfpoly_and_internal_carrybit:\n.quad\t1, 0xc200000000000001\n\n.align\t32\n\n.Lctr_pattern:\n.quad\t0, 0\n.quad\t1, 0\n.Linc_2blocks:\n.quad\t2, 0\n.quad\t2, 0\n\n.text\t\n.globl\tgcm_init_vpclmulqdq_avx2\n.hidden gcm_init_vpclmulqdq_avx2\n.type\tgcm_init_vpclmulqdq_avx2,@function\n.align\t32\ngcm_init_vpclmulqdq_avx2:\n.cfi_startproc\t\n\n_CET_ENDBR\n\n\n\n\n\n\tvpshufd\t$0x4e,(%rsi),%xmm3\n\n\n\n\n\n\tvpshufd\t$0xd3,%xmm3,%xmm0\n\tvpsrad\t$31,%xmm0,%xmm0\n\tvpaddq\t%xmm3,%xmm3,%xmm3\n\tvpand\t.Lgfpoly_and_internal_carrybit(%rip),%xmm0,%xmm0\n\tvpxor\t%xmm0,%xmm3,%xmm3\n\n\tvbroadcasti128\t.Lgfpoly(%rip),%ymm6\n\n\n\tvpclmulqdq\t$0x00,%xmm3,%xmm3,%xmm0\n\tvpclmulqdq\t$0x01,%xmm3,%xmm3,%xmm1\n\tvpclmulqdq\t$0x10,%xmm3,%xmm3,%xmm2\n\tvpxor\t%xmm2,%xmm1,%xmm1\n\tvpclmulqdq\t$0x01,%xmm0,%xmm6,%xmm2\n\tvpshufd\t$0x4e,%xmm0,%xmm0\n\tvpxor\t%xmm0,%xmm1,%xmm1\n\tvpxor\t%xmm2,%xmm1,%xmm1\n\tvpclmulqdq\t$0x11,%xmm3,%xmm3,%xmm5\n\tvpclmulqdq\t$0x01,%xmm1,%xmm6,%xmm0\n\tvpshufd\t$0x4e,%xmm1,%xmm1\n\tvpxor\t%xmm1,%xmm5,%xmm5\n\tvpxor\t%xmm0,%xmm5,%xmm5\n\n\n\n\tvinserti128\t$1,%xmm3,%ymm5,%ymm3\n\tvinserti128\t$1,%xmm5,%ymm5,%ymm5\n\n\n\tvpclmulqdq\t$0x00,%ymm5,%ymm3,%ymm0\n\tvpclmulqdq\t$0x01,%ymm5,%ymm3,%ymm1\n\tvpclmulqdq\t$0x10,%ymm5,%ymm3,%ymm2\n\tvpxor\t%ymm2,%ymm1,%ymm1\n\tvpclmulqdq\t$0x01,%ymm0,%ymm6,%ymm2\n\tvpshufd\t$0x4e,%ymm0,%ymm0\n\tvpxor\t%ymm0,%ymm1,%ymm1\n\tvpxor\t%ymm2,%ymm1,%ymm1\n\tvpclmulqdq\t$0x11,%ymm5,%ymm3,%ymm4\n\tvpclmulqdq\t$0x01,%ymm1,%ymm6,%ymm0\n\tvpshufd\t$0x4e,%ymm1,%ymm1\n\tvpxor\t%ymm1,%ymm4,%ymm4\n\tvpxor\t%ymm0,%ymm4,%ymm4\n\n\n\n\tvmovdqu\t%ymm3,96(%rdi)\n\tvmovdqu\t%ymm4,64(%rdi)\n\n\n\n\tvpunpcklqdq\t%ymm3,%ymm4,%ymm0\n\tvpunpckhqdq\t%ymm3,%ymm4,%ymm1\n\tvpxor\t%ymm1,%ymm0,%ymm0\n\tvmovdqu\t%ymm0,128+32(%rdi)\n\n\n\tvpclmulqdq\t$0x00,%ymm5,%ymm4,%ymm0\n\tvpclmulqdq\t$0x01,%ymm5,%ymm4,%ymm1\n\tvpclmulqdq\t$0x10,%ymm5,%ymm4,%ymm2\n\tvpxor\t%ymm2,%ymm1,%ymm1\n\tvpclmulqdq\t$0x01,%ymm0,%ymm6,%ymm2\n\tvpshufd\t$0x4e,%ymm0,%ymm0\n\tvpxor\t%ymm0,%ymm1,%ymm1\n\tvpxor\t%ymm2,%ymm1,%ymm1\n\tvpclmulqdq\t$0x11,%ymm5,%ymm4,%ymm3\n\tvpclmulqdq\t$0x01,%ymm1,%ymm6,%ymm0\n\tvpshufd\t$0x4e,%ymm1,%ymm1\n\tvpxor\t%ymm1,%ymm3,%ymm3\n\tvpxor\t%ymm0,%ymm3,%ymm3\n\n\tvpclmulqdq\t$0x00,%ymm5,%ymm3,%ymm0\n\tvpclmulqdq\t$0x01,%ymm5,%ymm3,%ymm1\n\tvpclmulqdq\t$0x10,%ymm5,%ymm3,%ymm2\n\tvpxor\t%ymm2,%ymm1,%ymm1\n\tvpclmulqdq\t$0x01,%ymm0,%ymm6,%ymm2\n\tvpshufd\t$0x4e,%ymm0,%ymm0\n\tvpxor\t%ymm0,%ymm1,%ymm1\n\tvpxor\t%ymm2,%ymm1,%ymm1\n\tvpclmulqdq\t$0x11,%ymm5,%ymm3,%ymm4\n\tvpclmulqdq\t$0x01,%ymm1,%ymm6,%ymm0\n\tvpshufd\t$0x4e,%ymm1,%ymm1\n\tvpxor\t%ymm1,%ymm4,%ymm4\n\tvpxor\t%ymm0,%ymm4,%ymm4\n\n\tvmovdqu\t%ymm3,32(%rdi)\n\tvmovdqu\t%ymm4,0(%rdi)\n\n\n\n\tvpunpcklqdq\t%ymm3,%ymm4,%ymm0\n\tvpunpckhqdq\t%ymm3,%ymm4,%ymm1\n\tvpxor\t%ymm1,%ymm0,%ymm0\n\tvmovdqu\t%ymm0,128(%rdi)\n\n\tvzeroupper\n\tret\n\n.cfi_endproc\t\n.size\tgcm_init_vpclmulqdq_avx2, . - gcm_init_vpclmulqdq_avx2\n.globl\tgcm_gmult_vpclmulqdq_avx2\n.hidden gcm_gmult_vpclmulqdq_avx2\n.type\tgcm_gmult_vpclmulqdq_avx2,@function\n.align\t32\ngcm_gmult_vpclmulqdq_avx2:\n.cfi_startproc\t\n\n_CET_ENDBR\n\n\n\n\tvmovdqu\t(%rdi),%xmm0\n\tvmovdqu\t.Lbswap_mask(%rip),%xmm1\n\tvmovdqu\t128-16(%rsi),%xmm2\n\tvmovdqu\t.Lgfpoly(%rip),%xmm3\n\tvpshufb\t%xmm1,%xmm0,%xmm0\n\n\tvpclmulqdq\t$0x00,%xmm2,%xmm0,%xmm4\n\tvpclmulqdq\t$0x01,%xmm2,%xmm0,%xmm5\n\tvpclmulqdq\t$0x10,%xmm2,%xmm0,%xmm6\n\tvpxor\t%xmm6,%xmm5,%xmm5\n\tvpclmulqdq\t$0x01,%xmm4,%xmm3,%xmm6\n\tvpshufd\t$0x4e,%xmm4,%xmm4\n\tvpxor\t%xmm4,%xmm5,%xmm5\n\tvpxor\t%xmm6,%xmm5,%xmm5\n\tvpclmulqdq\t$0x11,%xmm2,%xmm0,%xmm0\n\tvpclmulqdq\t$0x01,%xmm5,%xmm3,%xmm4\n\tvpshufd\t$0x4e,%xmm5,%xmm5\n\tvpxor\t%xmm5,%xmm0,%xmm0\n\tvpxor\t%xmm4,%xmm0,%xmm0\n\n\n\tvpshufb\t%xmm1,%xmm0,%xmm0\n\tvmovdqu\t%xmm0,(%rdi)\n\tret\n\n.cfi_endproc\t\n.size\tgcm_gmult_vpclmulqdq_avx2, . - gcm_gmult_vpclmulqdq_avx2\n.globl\tgcm_ghash_vpclmulqdq_avx2\n.hidden gcm_ghash_vpclmulqdq_avx2\n.type\tgcm_ghash_vpclmulqdq_avx2,@function\n.align\t32\ngcm_ghash_vpclmulqdq_avx2:\n.cfi_startproc\t\n\n_CET_ENDBR\n\n\n\n\tvbroadcasti128\t.Lbswap_mask(%rip),%ymm6\n\tvmovdqu\t(%rdi),%xmm5\n\tvpshufb\t%xmm6,%xmm5,%xmm5\n\tvbroadcasti128\t.Lgfpoly(%rip),%ymm7\n\n\n\tcmpq\t$32,%rcx\n\tjb\t.Lghash_lastblock\n\n\tcmpq\t$127,%rcx\n\tjbe\t.Lghash_loop_1x\n\n\n\tvmovdqu\t128(%rsi),%ymm8\n\tvmovdqu\t128+32(%rsi),%ymm9\n.Lghash_loop_4x:\n\n\tvmovdqu\t0(%rdx),%ymm1\n\tvpshufb\t%ymm6,%ymm1,%ymm1\n\tvmovdqu\t0(%rsi),%ymm2\n\tvpxor\t%ymm5,%ymm1,%ymm1\n\tvpclmulqdq\t$0x00,%ymm2,%ymm1,%ymm3\n\tvpclmulqdq\t$0x11,%ymm2,%ymm1,%ymm5\n\tvpunpckhqdq\t%ymm1,%ymm1,%ymm0\n\tvpxor\t%ymm1,%ymm0,%ymm0\n\tvpclmulqdq\t$0x00,%ymm8,%ymm0,%ymm4\n\n\tvmovdqu\t32(%rdx),%ymm1\n\tvpshufb\t%ymm6,%ymm1,%ymm1\n\tvmovdqu\t32(%rsi),%ymm2\n\tvpclmulqdq\t$0x00,%ymm2,%ymm1,%ymm0\n\tvpxor\t%ymm0,%ymm3,%ymm3\n\tvpclmulqdq\t$0x11,%ymm2,%ymm1,%ymm0\n\tvpxor\t%ymm0,%ymm5,%ymm5\n\tvpunpckhqdq\t%ymm1,%ymm1,%ymm0\n\tvpxor\t%ymm1,%ymm0,%ymm0\n\tvpclmulqdq\t$0x10,%ymm8,%ymm0,%ymm0\n\tvpxor\t%ymm0,%ymm4,%ymm4\n\n\tvmovdqu\t64(%rdx),%ymm1\n\tvpshufb\t%ymm6,%ymm1,%ymm1\n\tvmovdqu\t64(%rsi),%ymm2\n\tvpclmulqdq\t$0x00,%ymm2,%ymm1,%ymm0\n\tvpxor\t%ymm0,%ymm3,%ymm3\n\tvpclmulqdq\t$0x11,%ymm2,%ymm1,%ymm0\n\tvpxor\t%ymm0,%ymm5,%ymm5\n\tvpunpckhqdq\t%ymm1,%ymm1,%ymm0\n\tvpxor\t%ymm1,%ymm0,%ymm0\n\tvpclmulqdq\t$0x00,%ymm9,%ymm0,%ymm0\n\tvpxor\t%ymm0,%ymm4,%ymm4\n\n\n\tvmovdqu\t96(%rdx),%ymm1\n\tvpshufb\t%ymm6,%ymm1,%ymm1\n\tvmovdqu\t96(%rsi),%ymm2\n\tvpclmulqdq\t$0x00,%ymm2,%ymm1,%ymm0\n\tvpxor\t%ymm0,%ymm3,%ymm3\n\tvpclmulqdq\t$0x11,%ymm2,%ymm1,%ymm0\n\tvpxor\t%ymm0,%ymm5,%ymm5\n\tvpunpckhqdq\t%ymm1,%ymm1,%ymm0\n\tvpxor\t%ymm1,%ymm0,%ymm0\n\tvpclmulqdq\t$0x10,%ymm9,%ymm0,%ymm0\n\tvpxor\t%ymm0,%ymm4,%ymm4\n\n\tvpxor\t%ymm3,%ymm4,%ymm4\n\tvpxor\t%ymm5,%ymm4,%ymm4\n\n\n\tvbroadcasti128\t.Lgfpoly(%rip),%ymm2\n\tvpclmulqdq\t$0x01,%ymm3,%ymm2,%ymm0\n\tvpshufd\t$0x4e,%ymm3,%ymm3\n\tvpxor\t%ymm3,%ymm4,%ymm4\n\tvpxor\t%ymm0,%ymm4,%ymm4\n\n\tvpclmulqdq\t$0x01,%ymm4,%ymm2,%ymm0\n\tvpshufd\t$0x4e,%ymm4,%ymm4\n\tvpxor\t%ymm4,%ymm5,%ymm5\n\tvpxor\t%ymm0,%ymm5,%ymm5\n\tvextracti128\t$1,%ymm5,%xmm0\n\tvpxor\t%xmm0,%xmm5,%xmm5\n\n\tsubq\t$-128,%rdx\n\taddq\t$-128,%rcx\n\tcmpq\t$127,%rcx\n\tja\t.Lghash_loop_4x\n\n\n\tcmpq\t$32,%rcx\n\tjb\t.Lghash_loop_1x_done\n.Lghash_loop_1x:\n\tvmovdqu\t(%rdx),%ymm0\n\tvpshufb\t%ymm6,%ymm0,%ymm0\n\tvpxor\t%ymm0,%ymm5,%ymm5\n\tvmovdqu\t128-32(%rsi),%ymm0\n\tvpclmulqdq\t$0x00,%ymm0,%ymm5,%ymm1\n\tvpclmulqdq\t$0x01,%ymm0,%ymm5,%ymm2\n\tvpclmulqdq\t$0x10,%ymm0,%ymm5,%ymm3\n\tvpxor\t%ymm3,%ymm2,%ymm2\n\tvpclmulqdq\t$0x01,%ymm1,%ymm7,%ymm3\n\tvpshufd\t$0x4e,%ymm1,%ymm1\n\tvpxor\t%ymm1,%ymm2,%ymm2\n\tvpxor\t%ymm3,%ymm2,%ymm2\n\tvpclmulqdq\t$0x11,%ymm0,%ymm5,%ymm5\n\tvpclmulqdq\t$0x01,%ymm2,%ymm7,%ymm1\n\tvpshufd\t$0x4e,%ymm2,%ymm2\n\tvpxor\t%ymm2,%ymm5,%ymm5\n\tvpxor\t%ymm1,%ymm5,%ymm5\n\n\tvextracti128\t$1,%ymm5,%xmm0\n\tvpxor\t%xmm0,%xmm5,%xmm5\n\taddq\t$32,%rdx\n\tsubq\t$32,%rcx\n\tcmpq\t$32,%rcx\n\tjae\t.Lghash_loop_1x\n.Lghash_loop_1x_done:\n\n\n\tvzeroupper\n\n\n.Lghash_lastblock:\n\ttestq\t%rcx,%rcx\n\tjz\t.Lghash_done\n\tvmovdqu\t(%rdx),%xmm0\n\tvpshufb\t%xmm6,%xmm0,%xmm0\n\tvpxor\t%xmm0,%xmm5,%xmm5\n\tvmovdqu\t128-16(%rsi),%xmm0\n\tvpclmulqdq\t$0x00,%xmm0,%xmm5,%xmm1\n\tvpclmulqdq\t$0x01,%xmm0,%xmm5,%xmm2\n\tvpclmulqdq\t$0x10,%xmm0,%xmm5,%xmm3\n\tvpxor\t%xmm3,%xmm2,%xmm2\n\tvpclmulqdq\t$0x01,%xmm1,%xmm7,%xmm3\n\tvpshufd\t$0x4e,%xmm1,%xmm1\n\tvpxor\t%xmm1,%xmm2,%xmm2\n\tvpxor\t%xmm3,%xmm2,%xmm2\n\tvpclmulqdq\t$0x11,%xmm0,%xmm5,%xmm5\n\tvpclmulqdq\t$0x01,%xmm2,%xmm7,%xmm1\n\tvpshufd\t$0x4e,%xmm2,%xmm2\n\tvpxor\t%xmm2,%xmm5,%xmm5\n\tvpxor\t%xmm1,%xmm5,%xmm5\n\n\n.Lghash_done:\n\n\tvpshufb\t%xmm6,%xmm5,%xmm5\n\tvmovdqu\t%xmm5,(%rdi)\n\tret\n\n.cfi_endproc\t\n.size\tgcm_ghash_vpclmulqdq_avx2, . - gcm_ghash_vpclmulqdq_avx2\n.globl\taes_gcm_enc_update_vaes_avx2\n.hidden aes_gcm_enc_update_vaes_avx2\n.type\taes_gcm_enc_update_vaes_avx2,@function\n.align\t32\naes_gcm_enc_update_vaes_avx2:\n.cfi_startproc\t\n\n_CET_ENDBR\n\tpushq\t%r12\n.cfi_adjust_cfa_offset\t8\n.cfi_offset\t%r12,-16\n\n\tmovq\t16(%rsp),%r12\n#ifdef BORINGSSL_DISPATCH_TEST\n.extern\tBORINGSSL_function_hit\n.hidden BORINGSSL_function_hit\n\tmovb\t$1,BORINGSSL_function_hit+8(%rip)\n#endif\n\tvbroadcasti128\t.Lbswap_mask(%rip),%ymm0\n\n\n\n\tvmovdqu\t(%r12),%xmm1\n\tvpshufb\t%xmm0,%xmm1,%xmm1\n\tvbroadcasti128\t(%r8),%ymm11\n\tvpshufb\t%ymm0,%ymm11,%ymm11\n\n\n\n\tmovl\t240(%rcx),%r10d\n\tleal\t-20(,%r10,4),%r10d\n\n\n\n\n\tleaq\t96(%rcx,%r10,4),%r11\n\tvbroadcasti128\t(%rcx),%ymm9\n\tvbroadcasti128\t(%r11),%ymm10\n\n\n\tvpaddd\t.Lctr_pattern(%rip),%ymm11,%ymm11\n\n\n\n\tcmpq\t$127,%rdx\n\tjbe\t.Lcrypt_loop_4x_done__func1\n\n\tvmovdqu\t128(%r9),%ymm7\n\tvmovdqu\t128+32(%r9),%ymm8\n\n\n\n\tvmovdqu\t.Linc_2blocks(%rip),%ymm2\n\tvpshufb\t%ymm0,%ymm11,%ymm12\n\tvpaddd\t%ymm2,%ymm11,%ymm11\n\tvpshufb\t%ymm0,%ymm11,%ymm13\n\tvpaddd\t%ymm2,%ymm11,%ymm11\n\tvpshufb\t%ymm0,%ymm11,%ymm14\n\tvpaddd\t%ymm2,%ymm11,%ymm11\n\tvpshufb\t%ymm0,%ymm11,%ymm15\n\tvpaddd\t%ymm2,%ymm11,%ymm11\n\n\n\tvpxor\t%ymm9,%ymm12,%ymm12\n\tvpxor\t%ymm9,%ymm13,%ymm13\n\tvpxor\t%ymm9,%ymm14,%ymm14\n\tvpxor\t%ymm9,%ymm15,%ymm15\n\n\tleaq\t16(%rcx),%rax\n.Lvaesenc_loop_first_4_vecs__func1:\n\tvbroadcasti128\t(%rax),%ymm2\n\tvaesenc\t%ymm2,%ymm12,%ymm12\n\tvaesenc\t%ymm2,%ymm13,%ymm13\n\tvaesenc\t%ymm2,%ymm14,%ymm14\n\tvaesenc\t%ymm2,%ymm15,%ymm15\n\n\taddq\t$16,%rax\n\tcmpq\t%rax,%r11\n\tjne\t.Lvaesenc_loop_first_4_vecs__func1\n\tvpxor\t0(%rdi),%ymm10,%ymm2\n\tvpxor\t32(%rdi),%ymm10,%ymm3\n\tvpxor\t64(%rdi),%ymm10,%ymm5\n\tvpxor\t96(%rdi),%ymm10,%ymm6\n\tvaesenclast\t%ymm2,%ymm12,%ymm12\n\tvaesenclast\t%ymm3,%ymm13,%ymm13\n\tvaesenclast\t%ymm5,%ymm14,%ymm14\n\tvaesenclast\t%ymm6,%ymm15,%ymm15\n\tvmovdqu\t%ymm12,0(%rsi)\n\tvmovdqu\t%ymm13,32(%rsi)\n\tvmovdqu\t%ymm14,64(%rsi)\n\tvmovdqu\t%ymm15,96(%rsi)\n\n\tsubq\t$-128,%rdi\n\taddq\t$-128,%rdx\n\tcmpq\t$127,%rdx\n\tjbe\t.Lghash_last_ciphertext_4x__func1\n.align\t16\n.Lcrypt_loop_4x__func1:\n\n\n\n\n\tvmovdqu\t.Linc_2blocks(%rip),%ymm2\n\tvpshufb\t%ymm0,%ymm11,%ymm12\n\tvpaddd\t%ymm2,%ymm11,%ymm11\n\tvpshufb\t%ymm0,%ymm11,%ymm13\n\tvpaddd\t%ymm2,%ymm11,%ymm11\n\tvpshufb\t%ymm0,%ymm11,%ymm14\n\tvpaddd\t%ymm2,%ymm11,%ymm11\n\tvpshufb\t%ymm0,%ymm11,%ymm15\n\tvpaddd\t%ymm2,%ymm11,%ymm11\n\n\n\tvpxor\t%ymm9,%ymm12,%ymm12\n\tvpxor\t%ymm9,%ymm13,%ymm13\n\tvpxor\t%ymm9,%ymm14,%ymm14\n\tvpxor\t%ymm9,%ymm15,%ymm15\n\n\tcmpl\t$24,%r10d\n\tjl\t.Laes128__func1\n\tje\t.Laes192__func1\n\n\tvbroadcasti128\t-208(%r11),%ymm2\n\tvaesenc\t%ymm2,%ymm12,%ymm12\n\tvaesenc\t%ymm2,%ymm13,%ymm13\n\tvaesenc\t%ymm2,%ymm14,%ymm14\n\tvaesenc\t%ymm2,%ymm15,%ymm15\n\n\tvbroadcasti128\t-192(%r11),%ymm2\n\tvaesenc\t%ymm2,%ymm12,%ymm12\n\tvaesenc\t%ymm2,%ymm13,%ymm13\n\tvaesenc\t%ymm2,%ymm14,%ymm14\n\tvaesenc\t%ymm2,%ymm15,%ymm15\n\n.Laes192__func1:\n\tvbroadcasti128\t-176(%r11),%ymm2\n\tvaesenc\t%ymm2,%ymm12,%ymm12\n\tvaesenc\t%ymm2,%ymm13,%ymm13\n\tvaesenc\t%ymm2,%ymm14,%ymm14\n\tvaesenc\t%ymm2,%ymm15,%ymm15\n\n\tvbroadcasti128\t-160(%r11),%ymm2\n\tvaesenc\t%ymm2,%ymm12,%ymm12\n\tvaesenc\t%ymm2,%ymm13,%ymm13\n\tvaesenc\t%ymm2,%ymm14,%ymm14\n\tvaesenc\t%ymm2,%ymm15,%ymm15\n\n.Laes128__func1:\n\tprefetcht0\t512(%rdi)\n\tprefetcht0\t512+64(%rdi)\n\n\tvmovdqu\t0(%rsi),%ymm3\n\tvpshufb\t%ymm0,%ymm3,%ymm3\n\tvmovdqu\t0(%r9),%ymm4\n\tvpxor\t%ymm1,%ymm3,%ymm3\n\tvpclmulqdq\t$0x00,%ymm4,%ymm3,%ymm5\n\tvpclmulqdq\t$0x11,%ymm4,%ymm3,%ymm1\n\tvpunpckhqdq\t%ymm3,%ymm3,%ymm2\n\tvpxor\t%ymm3,%ymm2,%ymm2\n\tvpclmulqdq\t$0x00,%ymm7,%ymm2,%ymm6\n\n\tvbroadcasti128\t-144(%r11),%ymm2\n\tvaesenc\t%ymm2,%ymm12,%ymm12\n\tvaesenc\t%ymm2,%ymm13,%ymm13\n\tvaesenc\t%ymm2,%ymm14,%ymm14\n\tvaesenc\t%ymm2,%ymm15,%ymm15\n\n\n\tvbroadcasti128\t-128(%r11),%ymm2\n\tvaesenc\t%ymm2,%ymm12,%ymm12\n\tvaesenc\t%ymm2,%ymm13,%ymm13\n\tvaesenc\t%ymm2,%ymm14,%ymm14\n\tvaesenc\t%ymm2,%ymm15,%ymm15\n\n\n\tvmovdqu\t32(%rsi),%ymm3\n\tvpshufb\t%ymm0,%ymm3,%ymm3\n\tvmovdqu\t32(%r9),%ymm4\n\tvpclmulqdq\t$0x00,%ymm4,%ymm3,%ymm2\n\tvpxor\t%ymm2,%ymm5,%ymm5\n\tvpclmulqdq\t$0x11,%ymm4,%ymm3,%ymm2\n\tvpxor\t%ymm2,%ymm1,%ymm1\n\tvpunpckhqdq\t%ymm3,%ymm3,%ymm2\n\tvpxor\t%ymm3,%ymm2,%ymm2\n\tvpclmulqdq\t$0x10,%ymm7,%ymm2,%ymm2\n\tvpxor\t%ymm2,%ymm6,%ymm6\n\n\tvbroadcasti128\t-112(%r11),%ymm2\n\tvaesenc\t%ymm2,%ymm12,%ymm12\n\tvaesenc\t%ymm2,%ymm13,%ymm13\n\tvaesenc\t%ymm2,%ymm14,%ymm14\n\tvaesenc\t%ymm2,%ymm15,%ymm15\n\n\n\tvmovdqu\t64(%rsi),%ymm3\n\tvpshufb\t%ymm0,%ymm3,%ymm3\n\tvmovdqu\t64(%r9),%ymm4\n\n\tvbroadcasti128\t-96(%r11),%ymm2\n\tvaesenc\t%ymm2,%ymm12,%ymm12\n\tvaesenc\t%ymm2,%ymm13,%ymm13\n\tvaesenc\t%ymm2,%ymm14,%ymm14\n\tvaesenc\t%ymm2,%ymm15,%ymm15\n\n\tvpclmulqdq\t$0x00,%ymm4,%ymm3,%ymm2\n\tvpxor\t%ymm2,%ymm5,%ymm5\n\tvpclmulqdq\t$0x11,%ymm4,%ymm3,%ymm2\n\tvpxor\t%ymm2,%ymm1,%ymm1\n\n\tvbroadcasti128\t-80(%r11),%ymm2\n\tvaesenc\t%ymm2,%ymm12,%ymm12\n\tvaesenc\t%ymm2,%ymm13,%ymm13\n\tvaesenc\t%ymm2,%ymm14,%ymm14\n\tvaesenc\t%ymm2,%ymm15,%ymm15\n\n\tvpunpckhqdq\t%ymm3,%ymm3,%ymm2\n\tvpxor\t%ymm3,%ymm2,%ymm2\n\tvpclmulqdq\t$0x00,%ymm8,%ymm2,%ymm2\n\tvpxor\t%ymm2,%ymm6,%ymm6\n\n\n\tvmovdqu\t96(%rsi),%ymm3\n\tvpshufb\t%ymm0,%ymm3,%ymm3\n\n\tvbroadcasti128\t-64(%r11),%ymm2\n\tvaesenc\t%ymm2,%ymm12,%ymm12\n\tvaesenc\t%ymm2,%ymm13,%ymm13\n\tvaesenc\t%ymm2,%ymm14,%ymm14\n\tvaesenc\t%ymm2,%ymm15,%ymm15\n\n\tvmovdqu\t96(%r9),%ymm4\n\tvpclmulqdq\t$0x00,%ymm4,%ymm3,%ymm2\n\tvpxor\t%ymm2,%ymm5,%ymm5\n\tvpclmulqdq\t$0x11,%ymm4,%ymm3,%ymm2\n\tvpxor\t%ymm2,%ymm1,%ymm1\n\tvpunpckhqdq\t%ymm3,%ymm3,%ymm2\n\tvpxor\t%ymm3,%ymm2,%ymm2\n\tvpclmulqdq\t$0x10,%ymm8,%ymm2,%ymm2\n\tvpxor\t%ymm2,%ymm6,%ymm6\n\n\tvbroadcasti128\t-48(%r11),%ymm2\n\tvaesenc\t%ymm2,%ymm12,%ymm12\n\tvaesenc\t%ymm2,%ymm13,%ymm13\n\tvaesenc\t%ymm2,%ymm14,%ymm14\n\tvaesenc\t%ymm2,%ymm15,%ymm15\n\n\n\tvpxor\t%ymm5,%ymm6,%ymm6\n\tvpxor\t%ymm1,%ymm6,%ymm6\n\n\n\tvbroadcasti128\t.Lgfpoly(%rip),%ymm4\n\tvpclmulqdq\t$0x01,%ymm5,%ymm4,%ymm2\n\tvpshufd\t$0x4e,%ymm5,%ymm5\n\tvpxor\t%ymm5,%ymm6,%ymm6\n\tvpxor\t%ymm2,%ymm6,%ymm6\n\n\tvbroadcasti128\t-32(%r11),%ymm2\n\tvaesenc\t%ymm2,%ymm12,%ymm12\n\tvaesenc\t%ymm2,%ymm13,%ymm13\n\tvaesenc\t%ymm2,%ymm14,%ymm14\n\tvaesenc\t%ymm2,%ymm15,%ymm15\n\n\n\tvpclmulqdq\t$0x01,%ymm6,%ymm4,%ymm2\n\tvpshufd\t$0x4e,%ymm6,%ymm6\n\tvpxor\t%ymm6,%ymm1,%ymm1\n\tvpxor\t%ymm2,%ymm1,%ymm1\n\n\tvbroadcasti128\t-16(%r11),%ymm2\n\tvaesenc\t%ymm2,%ymm12,%ymm12\n\tvaesenc\t%ymm2,%ymm13,%ymm13\n\tvaesenc\t%ymm2,%ymm14,%ymm14\n\tvaesenc\t%ymm2,%ymm15,%ymm15\n\n\tvextracti128\t$1,%ymm1,%xmm2\n\tvpxor\t%xmm2,%xmm1,%xmm1\n\n\n\tsubq\t$-128,%rsi\n\tvpxor\t0(%rdi),%ymm10,%ymm2\n\tvpxor\t32(%rdi),%ymm10,%ymm3\n\tvpxor\t64(%rdi),%ymm10,%ymm5\n\tvpxor\t96(%rdi),%ymm10,%ymm6\n\tvaesenclast\t%ymm2,%ymm12,%ymm12\n\tvaesenclast\t%ymm3,%ymm13,%ymm13\n\tvaesenclast\t%ymm5,%ymm14,%ymm14\n\tvaesenclast\t%ymm6,%ymm15,%ymm15\n\tvmovdqu\t%ymm12,0(%rsi)\n\tvmovdqu\t%ymm13,32(%rsi)\n\tvmovdqu\t%ymm14,64(%rsi)\n\tvmovdqu\t%ymm15,96(%rsi)\n\n\tsubq\t$-128,%rdi\n\n\taddq\t$-128,%rdx\n\tcmpq\t$127,%rdx\n\tja\t.Lcrypt_loop_4x__func1\n.Lghash_last_ciphertext_4x__func1:\n\n\tvmovdqu\t0(%rsi),%ymm3\n\tvpshufb\t%ymm0,%ymm3,%ymm3\n\tvmovdqu\t0(%r9),%ymm4\n\tvpxor\t%ymm1,%ymm3,%ymm3\n\tvpclmulqdq\t$0x00,%ymm4,%ymm3,%ymm5\n\tvpclmulqdq\t$0x11,%ymm4,%ymm3,%ymm1\n\tvpunpckhqdq\t%ymm3,%ymm3,%ymm2\n\tvpxor\t%ymm3,%ymm2,%ymm2\n\tvpclmulqdq\t$0x00,%ymm7,%ymm2,%ymm6\n\n\tvmovdqu\t32(%rsi),%ymm3\n\tvpshufb\t%ymm0,%ymm3,%ymm3\n\tvmovdqu\t32(%r9),%ymm4\n\tvpclmulqdq\t$0x00,%ymm4,%ymm3,%ymm2\n\tvpxor\t%ymm2,%ymm5,%ymm5\n\tvpclmulqdq\t$0x11,%ymm4,%ymm3,%ymm2\n\tvpxor\t%ymm2,%ymm1,%ymm1\n\tvpunpckhqdq\t%ymm3,%ymm3,%ymm2\n\tvpxor\t%ymm3,%ymm2,%ymm2\n\tvpclmulqdq\t$0x10,%ymm7,%ymm2,%ymm2\n\tvpxor\t%ymm2,%ymm6,%ymm6\n\n\tvmovdqu\t64(%rsi),%ymm3\n\tvpshufb\t%ymm0,%ymm3,%ymm3\n\tvmovdqu\t64(%r9),%ymm4\n\tvpclmulqdq\t$0x00,%ymm4,%ymm3,%ymm2\n\tvpxor\t%ymm2,%ymm5,%ymm5\n\tvpclmulqdq\t$0x11,%ymm4,%ymm3,%ymm2\n\tvpxor\t%ymm2,%ymm1,%ymm1\n\tvpunpckhqdq\t%ymm3,%ymm3,%ymm2\n\tvpxor\t%ymm3,%ymm2,%ymm2\n\tvpclmulqdq\t$0x00,%ymm8,%ymm2,%ymm2\n\tvpxor\t%ymm2,%ymm6,%ymm6\n\n\n\tvmovdqu\t96(%rsi),%ymm3\n\tvpshufb\t%ymm0,%ymm3,%ymm3\n\tvmovdqu\t96(%r9),%ymm4\n\tvpclmulqdq\t$0x00,%ymm4,%ymm3,%ymm2\n\tvpxor\t%ymm2,%ymm5,%ymm5\n\tvpclmulqdq\t$0x11,%ymm4,%ymm3,%ymm2\n\tvpxor\t%ymm2,%ymm1,%ymm1\n\tvpunpckhqdq\t%ymm3,%ymm3,%ymm2\n\tvpxor\t%ymm3,%ymm2,%ymm2\n\tvpclmulqdq\t$0x10,%ymm8,%ymm2,%ymm2\n\tvpxor\t%ymm2,%ymm6,%ymm6\n\n\tvpxor\t%ymm5,%ymm6,%ymm6\n\tvpxor\t%ymm1,%ymm6,%ymm6\n\n\n\tvbroadcasti128\t.Lgfpoly(%rip),%ymm4\n\tvpclmulqdq\t$0x01,%ymm5,%ymm4,%ymm2\n\tvpshufd\t$0x4e,%ymm5,%ymm5\n\tvpxor\t%ymm5,%ymm6,%ymm6\n\tvpxor\t%ymm2,%ymm6,%ymm6\n\n\tvpclmulqdq\t$0x01,%ymm6,%ymm4,%ymm2\n\tvpshufd\t$0x4e,%ymm6,%ymm6\n\tvpxor\t%ymm6,%ymm1,%ymm1\n\tvpxor\t%ymm2,%ymm1,%ymm1\n\tvextracti128\t$1,%ymm1,%xmm2\n\tvpxor\t%xmm2,%xmm1,%xmm1\n\n\tsubq\t$-128,%rsi\n.Lcrypt_loop_4x_done__func1:\n\n\ttestq\t%rdx,%rdx\n\tjz\t.Ldone__func1\n\n\n\n\n\n\tleaq\t128(%r9),%r8\n\tsubq\t%rdx,%r8\n\n\n\tvpxor\t%xmm5,%xmm5,%xmm5\n\tvpxor\t%xmm6,%xmm6,%xmm6\n\tvpxor\t%xmm7,%xmm7,%xmm7\n\n\tcmpq\t$64,%rdx\n\tjb\t.Llessthan64bytes__func1\n\n\n\tvpshufb\t%ymm0,%ymm11,%ymm12\n\tvpaddd\t.Linc_2blocks(%rip),%ymm11,%ymm11\n\tvpshufb\t%ymm0,%ymm11,%ymm13\n\tvpaddd\t.Linc_2blocks(%rip),%ymm11,%ymm11\n\tvpxor\t%ymm9,%ymm12,%ymm12\n\tvpxor\t%ymm9,%ymm13,%ymm13\n\tleaq\t16(%rcx),%rax\n.Lvaesenc_loop_tail_1__func1:\n\tvbroadcasti128\t(%rax),%ymm2\n\tvaesenc\t%ymm2,%ymm12,%ymm12\n\tvaesenc\t%ymm2,%ymm13,%ymm13\n\taddq\t$16,%rax\n\tcmpq\t%rax,%r11\n\tjne\t.Lvaesenc_loop_tail_1__func1\n\tvaesenclast\t%ymm10,%ymm12,%ymm12\n\tvaesenclast\t%ymm10,%ymm13,%ymm13\n\n\n\tvmovdqu\t0(%rdi),%ymm2\n\tvmovdqu\t32(%rdi),%ymm3\n\tvpxor\t%ymm2,%ymm12,%ymm12\n\tvpxor\t%ymm3,%ymm13,%ymm13\n\tvmovdqu\t%ymm12,0(%rsi)\n\tvmovdqu\t%ymm13,32(%rsi)\n\n\n\tvpshufb\t%ymm0,%ymm12,%ymm12\n\tvpshufb\t%ymm0,%ymm13,%ymm13\n\tvpxor\t%ymm1,%ymm12,%ymm12\n\tvmovdqu\t(%r8),%ymm2\n\tvmovdqu\t32(%r8),%ymm3\n\tvpclmulqdq\t$0x00,%ymm2,%ymm12,%ymm5\n\tvpclmulqdq\t$0x01,%ymm2,%ymm12,%ymm6\n\tvpclmulqdq\t$0x10,%ymm2,%ymm12,%ymm4\n\tvpxor\t%ymm4,%ymm6,%ymm6\n\tvpclmulqdq\t$0x11,%ymm2,%ymm12,%ymm7\n\tvpclmulqdq\t$0x00,%ymm3,%ymm13,%ymm4\n\tvpxor\t%ymm4,%ymm5,%ymm5\n\tvpclmulqdq\t$0x01,%ymm3,%ymm13,%ymm4\n\tvpxor\t%ymm4,%ymm6,%ymm6\n\tvpclmulqdq\t$0x10,%ymm3,%ymm13,%ymm4\n\tvpxor\t%ymm4,%ymm6,%ymm6\n\tvpclmulqdq\t$0x11,%ymm3,%ymm13,%ymm4\n\tvpxor\t%ymm4,%ymm7,%ymm7\n\n\taddq\t$64,%r8\n\taddq\t$64,%rdi\n\taddq\t$64,%rsi\n\tsubq\t$64,%rdx\n\tjz\t.Lreduce__func1\n\n\tvpxor\t%xmm1,%xmm1,%xmm1\n\n\n.Llessthan64bytes__func1:\n\tvpshufb\t%ymm0,%ymm11,%ymm12\n\tvpaddd\t.Linc_2blocks(%rip),%ymm11,%ymm11\n\tvpshufb\t%ymm0,%ymm11,%ymm13\n\tvpxor\t%ymm9,%ymm12,%ymm12\n\tvpxor\t%ymm9,%ymm13,%ymm13\n\tleaq\t16(%rcx),%rax\n.Lvaesenc_loop_tail_2__func1:\n\tvbroadcasti128\t(%rax),%ymm2\n\tvaesenc\t%ymm2,%ymm12,%ymm12\n\tvaesenc\t%ymm2,%ymm13,%ymm13\n\taddq\t$16,%rax\n\tcmpq\t%rax,%r11\n\tjne\t.Lvaesenc_loop_tail_2__func1\n\tvaesenclast\t%ymm10,%ymm12,%ymm12\n\tvaesenclast\t%ymm10,%ymm13,%ymm13\n\n\n\n\n\tcmpq\t$32,%rdx\n\tjb\t.Lxor_one_block__func1\n\tje\t.Lxor_two_blocks__func1\n\n.Lxor_three_blocks__func1:\n\tvmovdqu\t0(%rdi),%ymm2\n\tvmovdqu\t32(%rdi),%xmm3\n\tvpxor\t%ymm2,%ymm12,%ymm12\n\tvpxor\t%xmm3,%xmm13,%xmm13\n\tvmovdqu\t%ymm12,0(%rsi)\n\tvmovdqu\t%xmm13,32(%rsi)\n\n\tvpshufb\t%ymm0,%ymm12,%ymm12\n\tvpshufb\t%xmm0,%xmm13,%xmm13\n\tvpxor\t%ymm1,%ymm12,%ymm12\n\tvmovdqu\t(%r8),%ymm2\n\tvmovdqu\t32(%r8),%xmm3\n\tvpclmulqdq\t$0x00,%xmm3,%xmm13,%xmm4\n\tvpxor\t%ymm4,%ymm5,%ymm5\n\tvpclmulqdq\t$0x01,%xmm3,%xmm13,%xmm4\n\tvpxor\t%ymm4,%ymm6,%ymm6\n\tvpclmulqdq\t$0x10,%xmm3,%xmm13,%xmm4\n\tvpxor\t%ymm4,%ymm6,%ymm6\n\tvpclmulqdq\t$0x11,%xmm3,%xmm13,%xmm4\n\tvpxor\t%ymm4,%ymm7,%ymm7\n\tjmp\t.Lghash_mul_one_vec_unreduced__func1\n\n.Lxor_two_blocks__func1:\n\tvmovdqu\t(%rdi),%ymm2\n\tvpxor\t%ymm2,%ymm12,%ymm12\n\tvmovdqu\t%ymm12,(%rsi)\n\tvpshufb\t%ymm0,%ymm12,%ymm12\n\tvpxor\t%ymm1,%ymm12,%ymm12\n\tvmovdqu\t(%r8),%ymm2\n\tjmp\t.Lghash_mul_one_vec_unreduced__func1\n\n.Lxor_one_block__func1:\n\tvmovdqu\t(%rdi),%xmm2\n\tvpxor\t%xmm2,%xmm12,%xmm12\n\tvmovdqu\t%xmm12,(%rsi)\n\tvpshufb\t%xmm0,%xmm12,%xmm12\n\tvpxor\t%xmm1,%xmm12,%xmm12\n\tvmovdqu\t(%r8),%xmm2\n\n.Lghash_mul_one_vec_unreduced__func1:\n\tvpclmulqdq\t$0x00,%ymm2,%ymm12,%ymm4\n\tvpxor\t%ymm4,%ymm5,%ymm5\n\tvpclmulqdq\t$0x01,%ymm2,%ymm12,%ymm4\n\tvpxor\t%ymm4,%ymm6,%ymm6\n\tvpclmulqdq\t$0x10,%ymm2,%ymm12,%ymm4\n\tvpxor\t%ymm4,%ymm6,%ymm6\n\tvpclmulqdq\t$0x11,%ymm2,%ymm12,%ymm4\n\tvpxor\t%ymm4,%ymm7,%ymm7\n\n.Lreduce__func1:\n\n\tvbroadcasti128\t.Lgfpoly(%rip),%ymm2\n\tvpclmulqdq\t$0x01,%ymm5,%ymm2,%ymm3\n\tvpshufd\t$0x4e,%ymm5,%ymm5\n\tvpxor\t%ymm5,%ymm6,%ymm6\n\tvpxor\t%ymm3,%ymm6,%ymm6\n\tvpclmulqdq\t$0x01,%ymm6,%ymm2,%ymm3\n\tvpshufd\t$0x4e,%ymm6,%ymm6\n\tvpxor\t%ymm6,%ymm7,%ymm7\n\tvpxor\t%ymm3,%ymm7,%ymm7\n\tvextracti128\t$1,%ymm7,%xmm1\n\tvpxor\t%xmm7,%xmm1,%xmm1\n\n.Ldone__func1:\n\n\tvpshufb\t%xmm0,%xmm1,%xmm1\n\tvmovdqu\t%xmm1,(%r12)\n\n\tvzeroupper\n\tpopq\t%r12\n.cfi_adjust_cfa_offset\t-8\n.cfi_restore\t%r12\n\tret\n\n.cfi_endproc\t\n.size\taes_gcm_enc_update_vaes_avx2, . - aes_gcm_enc_update_vaes_avx2\n.globl\taes_gcm_dec_update_vaes_avx2\n.hidden aes_gcm_dec_update_vaes_avx2\n.type\taes_gcm_dec_update_vaes_avx2,@function\n.align\t32\naes_gcm_dec_update_vaes_avx2:\n.cfi_startproc\t\n\n_CET_ENDBR\n\tpushq\t%r12\n.cfi_adjust_cfa_offset\t8\n.cfi_offset\t%r12,-16\n\n\tmovq\t16(%rsp),%r12\n\tvbroadcasti128\t.Lbswap_mask(%rip),%ymm0\n\n\n\n\tvmovdqu\t(%r12),%xmm1\n\tvpshufb\t%xmm0,%xmm1,%xmm1\n\tvbroadcasti128\t(%r8),%ymm11\n\tvpshufb\t%ymm0,%ymm11,%ymm11\n\n\n\n\tmovl\t240(%rcx),%r10d\n\tleal\t-20(,%r10,4),%r10d\n\n\n\n\n\tleaq\t96(%rcx,%r10,4),%r11\n\tvbroadcasti128\t(%rcx),%ymm9\n\tvbroadcasti128\t(%r11),%ymm10\n\n\n\tvpaddd\t.Lctr_pattern(%rip),%ymm11,%ymm11\n\n\n\n\tcmpq\t$127,%rdx\n\tjbe\t.Lcrypt_loop_4x_done__func2\n\n\tvmovdqu\t128(%r9),%ymm7\n\tvmovdqu\t128+32(%r9),%ymm8\n.align\t16\n.Lcrypt_loop_4x__func2:\n\n\n\n\n\tvmovdqu\t.Linc_2blocks(%rip),%ymm2\n\tvpshufb\t%ymm0,%ymm11,%ymm12\n\tvpaddd\t%ymm2,%ymm11,%ymm11\n\tvpshufb\t%ymm0,%ymm11,%ymm13\n\tvpaddd\t%ymm2,%ymm11,%ymm11\n\tvpshufb\t%ymm0,%ymm11,%ymm14\n\tvpaddd\t%ymm2,%ymm11,%ymm11\n\tvpshufb\t%ymm0,%ymm11,%ymm15\n\tvpaddd\t%ymm2,%ymm11,%ymm11\n\n\n\tvpxor\t%ymm9,%ymm12,%ymm12\n\tvpxor\t%ymm9,%ymm13,%ymm13\n\tvpxor\t%ymm9,%ymm14,%ymm14\n\tvpxor\t%ymm9,%ymm15,%ymm15\n\n\tcmpl\t$24,%r10d\n\tjl\t.Laes128__func2\n\tje\t.Laes192__func2\n\n\tvbroadcasti128\t-208(%r11),%ymm2\n\tvaesenc\t%ymm2,%ymm12,%ymm12\n\tvaesenc\t%ymm2,%ymm13,%ymm13\n\tvaesenc\t%ymm2,%ymm14,%ymm14\n\tvaesenc\t%ymm2,%ymm15,%ymm15\n\n\tvbroadcasti128\t-192(%r11),%ymm2\n\tvaesenc\t%ymm2,%ymm12,%ymm12\n\tvaesenc\t%ymm2,%ymm13,%ymm13\n\tvaesenc\t%ymm2,%ymm14,%ymm14\n\tvaesenc\t%ymm2,%ymm15,%ymm15\n\n.Laes192__func2:\n\tvbroadcasti128\t-176(%r11),%ymm2\n\tvaesenc\t%ymm2,%ymm12,%ymm12\n\tvaesenc\t%ymm2,%ymm13,%ymm13\n\tvaesenc\t%ymm2,%ymm14,%ymm14\n\tvaesenc\t%ymm2,%ymm15,%ymm15\n\n\tvbroadcasti128\t-160(%r11),%ymm2\n\tvaesenc\t%ymm2,%ymm12,%ymm12\n\tvaesenc\t%ymm2,%ymm13,%ymm13\n\tvaesenc\t%ymm2,%ymm14,%ymm14\n\tvaesenc\t%ymm2,%ymm15,%ymm15\n\n.Laes128__func2:\n\tprefetcht0\t512(%rdi)\n\tprefetcht0\t512+64(%rdi)\n\n\tvmovdqu\t0(%rdi),%ymm3\n\tvpshufb\t%ymm0,%ymm3,%ymm3\n\tvmovdqu\t0(%r9),%ymm4\n\tvpxor\t%ymm1,%ymm3,%ymm3\n\tvpclmulqdq\t$0x00,%ymm4,%ymm3,%ymm5\n\tvpclmulqdq\t$0x11,%ymm4,%ymm3,%ymm1\n\tvpunpckhqdq\t%ymm3,%ymm3,%ymm2\n\tvpxor\t%ymm3,%ymm2,%ymm2\n\tvpclmulqdq\t$0x00,%ymm7,%ymm2,%ymm6\n\n\tvbroadcasti128\t-144(%r11),%ymm2\n\tvaesenc\t%ymm2,%ymm12,%ymm12\n\tvaesenc\t%ymm2,%ymm13,%ymm13\n\tvaesenc\t%ymm2,%ymm14,%ymm14\n\tvaesenc\t%ymm2,%ymm15,%ymm15\n\n\n\tvbroadcasti128\t-128(%r11),%ymm2\n\tvaesenc\t%ymm2,%ymm12,%ymm12\n\tvaesenc\t%ymm2,%ymm13,%ymm13\n\tvaesenc\t%ymm2,%ymm14,%ymm14\n\tvaesenc\t%ymm2,%ymm15,%ymm15\n\n\n\tvmovdqu\t32(%rdi),%ymm3\n\tvpshufb\t%ymm0,%ymm3,%ymm3\n\tvmovdqu\t32(%r9),%ymm4\n\tvpclmulqdq\t$0x00,%ymm4,%ymm3,%ymm2\n\tvpxor\t%ymm2,%ymm5,%ymm5\n\tvpclmulqdq\t$0x11,%ymm4,%ymm3,%ymm2\n\tvpxor\t%ymm2,%ymm1,%ymm1\n\tvpunpckhqdq\t%ymm3,%ymm3,%ymm2\n\tvpxor\t%ymm3,%ymm2,%ymm2\n\tvpclmulqdq\t$0x10,%ymm7,%ymm2,%ymm2\n\tvpxor\t%ymm2,%ymm6,%ymm6\n\n\tvbroadcasti128\t-112(%r11),%ymm2\n\tvaesenc\t%ymm2,%ymm12,%ymm12\n\tvaesenc\t%ymm2,%ymm13,%ymm13\n\tvaesenc\t%ymm2,%ymm14,%ymm14\n\tvaesenc\t%ymm2,%ymm15,%ymm15\n\n\n\tvmovdqu\t64(%rdi),%ymm3\n\tvpshufb\t%ymm0,%ymm3,%ymm3\n\tvmovdqu\t64(%r9),%ymm4\n\n\tvbroadcasti128\t-96(%r11),%ymm2\n\tvaesenc\t%ymm2,%ymm12,%ymm12\n\tvaesenc\t%ymm2,%ymm13,%ymm13\n\tvaesenc\t%ymm2,%ymm14,%ymm14\n\tvaesenc\t%ymm2,%ymm15,%ymm15\n\n\tvpclmulqdq\t$0x00,%ymm4,%ymm3,%ymm2\n\tvpxor\t%ymm2,%ymm5,%ymm5\n\tvpclmulqdq\t$0x11,%ymm4,%ymm3,%ymm2\n\tvpxor\t%ymm2,%ymm1,%ymm1\n\n\tvbroadcasti128\t-80(%r11),%ymm2\n\tvaesenc\t%ymm2,%ymm12,%ymm12\n\tvaesenc\t%ymm2,%ymm13,%ymm13\n\tvaesenc\t%ymm2,%ymm14,%ymm14\n\tvaesenc\t%ymm2,%ymm15,%ymm15\n\n\tvpunpckhqdq\t%ymm3,%ymm3,%ymm2\n\tvpxor\t%ymm3,%ymm2,%ymm2\n\tvpclmulqdq\t$0x00,%ymm8,%ymm2,%ymm2\n\tvpxor\t%ymm2,%ymm6,%ymm6\n\n\n\tvmovdqu\t96(%rdi),%ymm3\n\tvpshufb\t%ymm0,%ymm3,%ymm3\n\n\tvbroadcasti128\t-64(%r11),%ymm2\n\tvaesenc\t%ymm2,%ymm12,%ymm12\n\tvaesenc\t%ymm2,%ymm13,%ymm13\n\tvaesenc\t%ymm2,%ymm14,%ymm14\n\tvaesenc\t%ymm2,%ymm15,%ymm15\n\n\tvmovdqu\t96(%r9),%ymm4\n\tvpclmulqdq\t$0x00,%ymm4,%ymm3,%ymm2\n\tvpxor\t%ymm2,%ymm5,%ymm5\n\tvpclmulqdq\t$0x11,%ymm4,%ymm3,%ymm2\n\tvpxor\t%ymm2,%ymm1,%ymm1\n\tvpunpckhqdq\t%ymm3,%ymm3,%ymm2\n\tvpxor\t%ymm3,%ymm2,%ymm2\n\tvpclmulqdq\t$0x10,%ymm8,%ymm2,%ymm2\n\tvpxor\t%ymm2,%ymm6,%ymm6\n\n\tvbroadcasti128\t-48(%r11),%ymm2\n\tvaesenc\t%ymm2,%ymm12,%ymm12\n\tvaesenc\t%ymm2,%ymm13,%ymm13\n\tvaesenc\t%ymm2,%ymm14,%ymm14\n\tvaesenc\t%ymm2,%ymm15,%ymm15\n\n\n\tvpxor\t%ymm5,%ymm6,%ymm6\n\tvpxor\t%ymm1,%ymm6,%ymm6\n\n\n\tvbroadcasti128\t.Lgfpoly(%rip),%ymm4\n\tvpclmulqdq\t$0x01,%ymm5,%ymm4,%ymm2\n\tvpshufd\t$0x4e,%ymm5,%ymm5\n\tvpxor\t%ymm5,%ymm6,%ymm6\n\tvpxor\t%ymm2,%ymm6,%ymm6\n\n\tvbroadcasti128\t-32(%r11),%ymm2\n\tvaesenc\t%ymm2,%ymm12,%ymm12\n\tvaesenc\t%ymm2,%ymm13,%ymm13\n\tvaesenc\t%ymm2,%ymm14,%ymm14\n\tvaesenc\t%ymm2,%ymm15,%ymm15\n\n\n\tvpclmulqdq\t$0x01,%ymm6,%ymm4,%ymm2\n\tvpshufd\t$0x4e,%ymm6,%ymm6\n\tvpxor\t%ymm6,%ymm1,%ymm1\n\tvpxor\t%ymm2,%ymm1,%ymm1\n\n\tvbroadcasti128\t-16(%r11),%ymm2\n\tvaesenc\t%ymm2,%ymm12,%ymm12\n\tvaesenc\t%ymm2,%ymm13,%ymm13\n\tvaesenc\t%ymm2,%ymm14,%ymm14\n\tvaesenc\t%ymm2,%ymm15,%ymm15\n\n\tvextracti128\t$1,%ymm1,%xmm2\n\tvpxor\t%xmm2,%xmm1,%xmm1\n\n\n\n\tvpxor\t0(%rdi),%ymm10,%ymm2\n\tvpxor\t32(%rdi),%ymm10,%ymm3\n\tvpxor\t64(%rdi),%ymm10,%ymm5\n\tvpxor\t96(%rdi),%ymm10,%ymm6\n\tvaesenclast\t%ymm2,%ymm12,%ymm12\n\tvaesenclast\t%ymm3,%ymm13,%ymm13\n\tvaesenclast\t%ymm5,%ymm14,%ymm14\n\tvaesenclast\t%ymm6,%ymm15,%ymm15\n\tvmovdqu\t%ymm12,0(%rsi)\n\tvmovdqu\t%ymm13,32(%rsi)\n\tvmovdqu\t%ymm14,64(%rsi)\n\tvmovdqu\t%ymm15,96(%rsi)\n\n\tsubq\t$-128,%rdi\n\tsubq\t$-128,%rsi\n\taddq\t$-128,%rdx\n\tcmpq\t$127,%rdx\n\tja\t.Lcrypt_loop_4x__func2\n.Lcrypt_loop_4x_done__func2:\n\n\ttestq\t%rdx,%rdx\n\tjz\t.Ldone__func2\n\n\n\n\n\n\tleaq\t128(%r9),%r8\n\tsubq\t%rdx,%r8\n\n\n\tvpxor\t%xmm5,%xmm5,%xmm5\n\tvpxor\t%xmm6,%xmm6,%xmm6\n\tvpxor\t%xmm7,%xmm7,%xmm7\n\n\tcmpq\t$64,%rdx\n\tjb\t.Llessthan64bytes__func2\n\n\n\tvpshufb\t%ymm0,%ymm11,%ymm12\n\tvpaddd\t.Linc_2blocks(%rip),%ymm11,%ymm11\n\tvpshufb\t%ymm0,%ymm11,%ymm13\n\tvpaddd\t.Linc_2blocks(%rip),%ymm11,%ymm11\n\tvpxor\t%ymm9,%ymm12,%ymm12\n\tvpxor\t%ymm9,%ymm13,%ymm13\n\tleaq\t16(%rcx),%rax\n.Lvaesenc_loop_tail_1__func2:\n\tvbroadcasti128\t(%rax),%ymm2\n\tvaesenc\t%ymm2,%ymm12,%ymm12\n\tvaesenc\t%ymm2,%ymm13,%ymm13\n\taddq\t$16,%rax\n\tcmpq\t%rax,%r11\n\tjne\t.Lvaesenc_loop_tail_1__func2\n\tvaesenclast\t%ymm10,%ymm12,%ymm12\n\tvaesenclast\t%ymm10,%ymm13,%ymm13\n\n\n\tvmovdqu\t0(%rdi),%ymm2\n\tvmovdqu\t32(%rdi),%ymm3\n\tvpxor\t%ymm2,%ymm12,%ymm12\n\tvpxor\t%ymm3,%ymm13,%ymm13\n\tvmovdqu\t%ymm12,0(%rsi)\n\tvmovdqu\t%ymm13,32(%rsi)\n\n\n\tvpshufb\t%ymm0,%ymm2,%ymm12\n\tvpshufb\t%ymm0,%ymm3,%ymm13\n\tvpxor\t%ymm1,%ymm12,%ymm12\n\tvmovdqu\t(%r8),%ymm2\n\tvmovdqu\t32(%r8),%ymm3\n\tvpclmulqdq\t$0x00,%ymm2,%ymm12,%ymm5\n\tvpclmulqdq\t$0x01,%ymm2,%ymm12,%ymm6\n\tvpclmulqdq\t$0x10,%ymm2,%ymm12,%ymm4\n\tvpxor\t%ymm4,%ymm6,%ymm6\n\tvpclmulqdq\t$0x11,%ymm2,%ymm12,%ymm7\n\tvpclmulqdq\t$0x00,%ymm3,%ymm13,%ymm4\n\tvpxor\t%ymm4,%ymm5,%ymm5\n\tvpclmulqdq\t$0x01,%ymm3,%ymm13,%ymm4\n\tvpxor\t%ymm4,%ymm6,%ymm6\n\tvpclmulqdq\t$0x10,%ymm3,%ymm13,%ymm4\n\tvpxor\t%ymm4,%ymm6,%ymm6\n\tvpclmulqdq\t$0x11,%ymm3,%ymm13,%ymm4\n\tvpxor\t%ymm4,%ymm7,%ymm7\n\n\taddq\t$64,%r8\n\taddq\t$64,%rdi\n\taddq\t$64,%rsi\n\tsubq\t$64,%rdx\n\tjz\t.Lreduce__func2\n\n\tvpxor\t%xmm1,%xmm1,%xmm1\n\n\n.Llessthan64bytes__func2:\n\tvpshufb\t%ymm0,%ymm11,%ymm12\n\tvpaddd\t.Linc_2blocks(%rip),%ymm11,%ymm11\n\tvpshufb\t%ymm0,%ymm11,%ymm13\n\tvpxor\t%ymm9,%ymm12,%ymm12\n\tvpxor\t%ymm9,%ymm13,%ymm13\n\tleaq\t16(%rcx),%rax\n.Lvaesenc_loop_tail_2__func2:\n\tvbroadcasti128\t(%rax),%ymm2\n\tvaesenc\t%ymm2,%ymm12,%ymm12\n\tvaesenc\t%ymm2,%ymm13,%ymm13\n\taddq\t$16,%rax\n\tcmpq\t%rax,%r11\n\tjne\t.Lvaesenc_loop_tail_2__func2\n\tvaesenclast\t%ymm10,%ymm12,%ymm12\n\tvaesenclast\t%ymm10,%ymm13,%ymm13\n\n\n\n\n\tcmpq\t$32,%rdx\n\tjb\t.Lxor_one_block__func2\n\tje\t.Lxor_two_blocks__func2\n\n.Lxor_three_blocks__func2:\n\tvmovdqu\t0(%rdi),%ymm2\n\tvmovdqu\t32(%rdi),%xmm3\n\tvpxor\t%ymm2,%ymm12,%ymm12\n\tvpxor\t%xmm3,%xmm13,%xmm13\n\tvmovdqu\t%ymm12,0(%rsi)\n\tvmovdqu\t%xmm13,32(%rsi)\n\n\tvpshufb\t%ymm0,%ymm2,%ymm12\n\tvpshufb\t%xmm0,%xmm3,%xmm13\n\tvpxor\t%ymm1,%ymm12,%ymm12\n\tvmovdqu\t(%r8),%ymm2\n\tvmovdqu\t32(%r8),%xmm3\n\tvpclmulqdq\t$0x00,%xmm3,%xmm13,%xmm4\n\tvpxor\t%ymm4,%ymm5,%ymm5\n\tvpclmulqdq\t$0x01,%xmm3,%xmm13,%xmm4\n\tvpxor\t%ymm4,%ymm6,%ymm6\n\tvpclmulqdq\t$0x10,%xmm3,%xmm13,%xmm4\n\tvpxor\t%ymm4,%ymm6,%ymm6\n\tvpclmulqdq\t$0x11,%xmm3,%xmm13,%xmm4\n\tvpxor\t%ymm4,%ymm7,%ymm7\n\tjmp\t.Lghash_mul_one_vec_unreduced__func2\n\n.Lxor_two_blocks__func2:\n\tvmovdqu\t(%rdi),%ymm2\n\tvpxor\t%ymm2,%ymm12,%ymm12\n\tvmovdqu\t%ymm12,(%rsi)\n\tvpshufb\t%ymm0,%ymm2,%ymm12\n\tvpxor\t%ymm1,%ymm12,%ymm12\n\tvmovdqu\t(%r8),%ymm2\n\tjmp\t.Lghash_mul_one_vec_unreduced__func2\n\n.Lxor_one_block__func2:\n\tvmovdqu\t(%rdi),%xmm2\n\tvpxor\t%xmm2,%xmm12,%xmm12\n\tvmovdqu\t%xmm12,(%rsi)\n\tvpshufb\t%xmm0,%xmm2,%xmm12\n\tvpxor\t%xmm1,%xmm12,%xmm12\n\tvmovdqu\t(%r8),%xmm2\n\n.Lghash_mul_one_vec_unreduced__func2:\n\tvpclmulqdq\t$0x00,%ymm2,%ymm12,%ymm4\n\tvpxor\t%ymm4,%ymm5,%ymm5\n\tvpclmulqdq\t$0x01,%ymm2,%ymm12,%ymm4\n\tvpxor\t%ymm4,%ymm6,%ymm6\n\tvpclmulqdq\t$0x10,%ymm2,%ymm12,%ymm4\n\tvpxor\t%ymm4,%ymm6,%ymm6\n\tvpclmulqdq\t$0x11,%ymm2,%ymm12,%ymm4\n\tvpxor\t%ymm4,%ymm7,%ymm7\n\n.Lreduce__func2:\n\n\tvbroadcasti128\t.Lgfpoly(%rip),%ymm2\n\tvpclmulqdq\t$0x01,%ymm5,%ymm2,%ymm3\n\tvpshufd\t$0x4e,%ymm5,%ymm5\n\tvpxor\t%ymm5,%ymm6,%ymm6\n\tvpxor\t%ymm3,%ymm6,%ymm6\n\tvpclmulqdq\t$0x01,%ymm6,%ymm2,%ymm3\n\tvpshufd\t$0x4e,%ymm6,%ymm6\n\tvpxor\t%ymm6,%ymm7,%ymm7\n\tvpxor\t%ymm3,%ymm7,%ymm7\n\tvextracti128\t$1,%ymm7,%xmm1\n\tvpxor\t%xmm7,%xmm1,%xmm1\n\n.Ldone__func2:\n\n\tvpshufb\t%xmm0,%xmm1,%xmm1\n\tvmovdqu\t%xmm1,(%r12)\n\n\tvzeroupper\n\tpopq\t%r12\n.cfi_adjust_cfa_offset\t-8\n.cfi_restore\t%r12\n\tret\n\n.cfi_endproc\t\n.size\taes_gcm_dec_update_vaes_avx2, . - aes_gcm_dec_update_vaes_avx2\n#endif\n#if defined(__linux__) && defined(__ELF__)\n.section .note.GNU-stack,\"\",%progbits\n#endif\n\n" }, { "path": "Sources/CNIOBoringSSL/gen/bcm/aesni-gcm-x86_64-apple.S", "content": "#define BORINGSSL_PREFIX CNIOBoringSSL\n// This file is generated from a similarly-named Perl script in the BoringSSL\n// source tree. Do not edit by hand.\n\n#include \n\n#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86_64) && defined(__APPLE__)\n.text\t\n\n\n.p2align\t5\n_aesni_ctr32_ghash_6x:\n\n\tvmovdqu\t32(%r11),%xmm2\n\tsubq\t$6,%rdx\n\tvpxor\t%xmm4,%xmm4,%xmm4\n\tvmovdqu\t0-128(%rcx),%xmm15\n\tvpaddb\t%xmm2,%xmm1,%xmm10\n\tvpaddb\t%xmm2,%xmm10,%xmm11\n\tvpaddb\t%xmm2,%xmm11,%xmm12\n\tvpaddb\t%xmm2,%xmm12,%xmm13\n\tvpaddb\t%xmm2,%xmm13,%xmm14\n\tvpxor\t%xmm15,%xmm1,%xmm9\n\tvmovdqu\t%xmm4,16+8(%rsp)\n\tjmp\tL$oop6x\n\n.p2align\t5\nL$oop6x:\n\taddl\t$100663296,%ebx\n\tjc\tL$handle_ctr32\n\tvmovdqu\t0-32(%r9),%xmm3\n\tvpaddb\t%xmm2,%xmm14,%xmm1\n\tvpxor\t%xmm15,%xmm10,%xmm10\n\tvpxor\t%xmm15,%xmm11,%xmm11\n\nL$resume_ctr32:\n\tvmovdqu\t%xmm1,(%r8)\n\tvpclmulqdq\t$0x10,%xmm3,%xmm7,%xmm5\n\tvpxor\t%xmm15,%xmm12,%xmm12\n\tvmovups\t16-128(%rcx),%xmm2\n\tvpclmulqdq\t$0x01,%xmm3,%xmm7,%xmm6\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\txorq\t%r12,%r12\n\tcmpq\t%r14,%r15\n\n\tvaesenc\t%xmm2,%xmm9,%xmm9\n\tvmovdqu\t48+8(%rsp),%xmm0\n\tvpxor\t%xmm15,%xmm13,%xmm13\n\tvpclmulqdq\t$0x00,%xmm3,%xmm7,%xmm1\n\tvaesenc\t%xmm2,%xmm10,%xmm10\n\tvpxor\t%xmm15,%xmm14,%xmm14\n\tsetnc\t%r12b\n\tvpclmulqdq\t$0x11,%xmm3,%xmm7,%xmm7\n\tvaesenc\t%xmm2,%xmm11,%xmm11\n\tvmovdqu\t16-32(%r9),%xmm3\n\tnegq\t%r12\n\tvaesenc\t%xmm2,%xmm12,%xmm12\n\tvpxor\t%xmm5,%xmm6,%xmm6\n\tvpclmulqdq\t$0x00,%xmm3,%xmm0,%xmm5\n\tvpxor\t%xmm4,%xmm8,%xmm8\n\tvaesenc\t%xmm2,%xmm13,%xmm13\n\tvpxor\t%xmm5,%xmm1,%xmm4\n\tandq\t$0x60,%r12\n\tvmovups\t32-128(%rcx),%xmm15\n\tvpclmulqdq\t$0x10,%xmm3,%xmm0,%xmm1\n\tvaesenc\t%xmm2,%xmm14,%xmm14\n\n\tvpclmulqdq\t$0x01,%xmm3,%xmm0,%xmm2\n\tleaq\t(%r14,%r12,1),%r14\n\tvaesenc\t%xmm15,%xmm9,%xmm9\n\tvpxor\t16+8(%rsp),%xmm8,%xmm8\n\tvpclmulqdq\t$0x11,%xmm3,%xmm0,%xmm3\n\tvmovdqu\t64+8(%rsp),%xmm0\n\tvaesenc\t%xmm15,%xmm10,%xmm10\n\tmovbeq\t88(%r14),%r13\n\tvaesenc\t%xmm15,%xmm11,%xmm11\n\tmovbeq\t80(%r14),%r12\n\tvaesenc\t%xmm15,%xmm12,%xmm12\n\tmovq\t%r13,32+8(%rsp)\n\tvaesenc\t%xmm15,%xmm13,%xmm13\n\tmovq\t%r12,40+8(%rsp)\n\tvmovdqu\t48-32(%r9),%xmm5\n\tvaesenc\t%xmm15,%xmm14,%xmm14\n\n\tvmovups\t48-128(%rcx),%xmm15\n\tvpxor\t%xmm1,%xmm6,%xmm6\n\tvpclmulqdq\t$0x00,%xmm5,%xmm0,%xmm1\n\tvaesenc\t%xmm15,%xmm9,%xmm9\n\tvpxor\t%xmm2,%xmm6,%xmm6\n\tvpclmulqdq\t$0x10,%xmm5,%xmm0,%xmm2\n\tvaesenc\t%xmm15,%xmm10,%xmm10\n\tvpxor\t%xmm3,%xmm7,%xmm7\n\tvpclmulqdq\t$0x01,%xmm5,%xmm0,%xmm3\n\tvaesenc\t%xmm15,%xmm11,%xmm11\n\tvpclmulqdq\t$0x11,%xmm5,%xmm0,%xmm5\n\tvmovdqu\t80+8(%rsp),%xmm0\n\tvaesenc\t%xmm15,%xmm12,%xmm12\n\tvaesenc\t%xmm15,%xmm13,%xmm13\n\tvpxor\t%xmm1,%xmm4,%xmm4\n\tvmovdqu\t64-32(%r9),%xmm1\n\tvaesenc\t%xmm15,%xmm14,%xmm14\n\n\tvmovups\t64-128(%rcx),%xmm15\n\tvpxor\t%xmm2,%xmm6,%xmm6\n\tvpclmulqdq\t$0x00,%xmm1,%xmm0,%xmm2\n\tvaesenc\t%xmm15,%xmm9,%xmm9\n\tvpxor\t%xmm3,%xmm6,%xmm6\n\tvpclmulqdq\t$0x10,%xmm1,%xmm0,%xmm3\n\tvaesenc\t%xmm15,%xmm10,%xmm10\n\tmovbeq\t72(%r14),%r13\n\tvpxor\t%xmm5,%xmm7,%xmm7\n\tvpclmulqdq\t$0x01,%xmm1,%xmm0,%xmm5\n\tvaesenc\t%xmm15,%xmm11,%xmm11\n\tmovbeq\t64(%r14),%r12\n\tvpclmulqdq\t$0x11,%xmm1,%xmm0,%xmm1\n\tvmovdqu\t96+8(%rsp),%xmm0\n\tvaesenc\t%xmm15,%xmm12,%xmm12\n\tmovq\t%r13,48+8(%rsp)\n\tvaesenc\t%xmm15,%xmm13,%xmm13\n\tmovq\t%r12,56+8(%rsp)\n\tvpxor\t%xmm2,%xmm4,%xmm4\n\tvmovdqu\t96-32(%r9),%xmm2\n\tvaesenc\t%xmm15,%xmm14,%xmm14\n\n\tvmovups\t80-128(%rcx),%xmm15\n\tvpxor\t%xmm3,%xmm6,%xmm6\n\tvpclmulqdq\t$0x00,%xmm2,%xmm0,%xmm3\n\tvaesenc\t%xmm15,%xmm9,%xmm9\n\tvpxor\t%xmm5,%xmm6,%xmm6\n\tvpclmulqdq\t$0x10,%xmm2,%xmm0,%xmm5\n\tvaesenc\t%xmm15,%xmm10,%xmm10\n\tmovbeq\t56(%r14),%r13\n\tvpxor\t%xmm1,%xmm7,%xmm7\n\tvpclmulqdq\t$0x01,%xmm2,%xmm0,%xmm1\n\tvpxor\t112+8(%rsp),%xmm8,%xmm8\n\tvaesenc\t%xmm15,%xmm11,%xmm11\n\tmovbeq\t48(%r14),%r12\n\tvpclmulqdq\t$0x11,%xmm2,%xmm0,%xmm2\n\tvaesenc\t%xmm15,%xmm12,%xmm12\n\tmovq\t%r13,64+8(%rsp)\n\tvaesenc\t%xmm15,%xmm13,%xmm13\n\tmovq\t%r12,72+8(%rsp)\n\tvpxor\t%xmm3,%xmm4,%xmm4\n\tvmovdqu\t112-32(%r9),%xmm3\n\tvaesenc\t%xmm15,%xmm14,%xmm14\n\n\tvmovups\t96-128(%rcx),%xmm15\n\tvpxor\t%xmm5,%xmm6,%xmm6\n\tvpclmulqdq\t$0x10,%xmm3,%xmm8,%xmm5\n\tvaesenc\t%xmm15,%xmm9,%xmm9\n\tvpxor\t%xmm1,%xmm6,%xmm6\n\tvpclmulqdq\t$0x01,%xmm3,%xmm8,%xmm1\n\tvaesenc\t%xmm15,%xmm10,%xmm10\n\tmovbeq\t40(%r14),%r13\n\tvpxor\t%xmm2,%xmm7,%xmm7\n\tvpclmulqdq\t$0x00,%xmm3,%xmm8,%xmm2\n\tvaesenc\t%xmm15,%xmm11,%xmm11\n\tmovbeq\t32(%r14),%r12\n\tvpclmulqdq\t$0x11,%xmm3,%xmm8,%xmm8\n\tvaesenc\t%xmm15,%xmm12,%xmm12\n\tmovq\t%r13,80+8(%rsp)\n\tvaesenc\t%xmm15,%xmm13,%xmm13\n\tmovq\t%r12,88+8(%rsp)\n\tvpxor\t%xmm5,%xmm6,%xmm6\n\tvaesenc\t%xmm15,%xmm14,%xmm14\n\tvpxor\t%xmm1,%xmm6,%xmm6\n\n\tvmovups\t112-128(%rcx),%xmm15\n\tvpslldq\t$8,%xmm6,%xmm5\n\tvpxor\t%xmm2,%xmm4,%xmm4\n\tvmovdqu\t16(%r11),%xmm3\n\n\tvaesenc\t%xmm15,%xmm9,%xmm9\n\tvpxor\t%xmm8,%xmm7,%xmm7\n\tvaesenc\t%xmm15,%xmm10,%xmm10\n\tvpxor\t%xmm5,%xmm4,%xmm4\n\tmovbeq\t24(%r14),%r13\n\tvaesenc\t%xmm15,%xmm11,%xmm11\n\tmovbeq\t16(%r14),%r12\n\tvpalignr\t$8,%xmm4,%xmm4,%xmm0\n\tvpclmulqdq\t$0x10,%xmm3,%xmm4,%xmm4\n\tmovq\t%r13,96+8(%rsp)\n\tvaesenc\t%xmm15,%xmm12,%xmm12\n\tmovq\t%r12,104+8(%rsp)\n\tvaesenc\t%xmm15,%xmm13,%xmm13\n\tvmovups\t128-128(%rcx),%xmm1\n\tvaesenc\t%xmm15,%xmm14,%xmm14\n\n\tvaesenc\t%xmm1,%xmm9,%xmm9\n\tvmovups\t144-128(%rcx),%xmm15\n\tvaesenc\t%xmm1,%xmm10,%xmm10\n\tvpsrldq\t$8,%xmm6,%xmm6\n\tvaesenc\t%xmm1,%xmm11,%xmm11\n\tvpxor\t%xmm6,%xmm7,%xmm7\n\tvaesenc\t%xmm1,%xmm12,%xmm12\n\tvpxor\t%xmm0,%xmm4,%xmm4\n\tmovbeq\t8(%r14),%r13\n\tvaesenc\t%xmm1,%xmm13,%xmm13\n\tmovbeq\t0(%r14),%r12\n\tvaesenc\t%xmm1,%xmm14,%xmm14\n\tvmovups\t160-128(%rcx),%xmm1\n\tcmpl\t$11,%r10d\n\tjb\tL$enc_tail\n\n\tvaesenc\t%xmm15,%xmm9,%xmm9\n\tvaesenc\t%xmm15,%xmm10,%xmm10\n\tvaesenc\t%xmm15,%xmm11,%xmm11\n\tvaesenc\t%xmm15,%xmm12,%xmm12\n\tvaesenc\t%xmm15,%xmm13,%xmm13\n\tvaesenc\t%xmm15,%xmm14,%xmm14\n\n\tvaesenc\t%xmm1,%xmm9,%xmm9\n\tvaesenc\t%xmm1,%xmm10,%xmm10\n\tvaesenc\t%xmm1,%xmm11,%xmm11\n\tvaesenc\t%xmm1,%xmm12,%xmm12\n\tvaesenc\t%xmm1,%xmm13,%xmm13\n\tvmovups\t176-128(%rcx),%xmm15\n\tvaesenc\t%xmm1,%xmm14,%xmm14\n\tvmovups\t192-128(%rcx),%xmm1\n\tje\tL$enc_tail\n\n\tvaesenc\t%xmm15,%xmm9,%xmm9\n\tvaesenc\t%xmm15,%xmm10,%xmm10\n\tvaesenc\t%xmm15,%xmm11,%xmm11\n\tvaesenc\t%xmm15,%xmm12,%xmm12\n\tvaesenc\t%xmm15,%xmm13,%xmm13\n\tvaesenc\t%xmm15,%xmm14,%xmm14\n\n\tvaesenc\t%xmm1,%xmm9,%xmm9\n\tvaesenc\t%xmm1,%xmm10,%xmm10\n\tvaesenc\t%xmm1,%xmm11,%xmm11\n\tvaesenc\t%xmm1,%xmm12,%xmm12\n\tvaesenc\t%xmm1,%xmm13,%xmm13\n\tvmovups\t208-128(%rcx),%xmm15\n\tvaesenc\t%xmm1,%xmm14,%xmm14\n\tvmovups\t224-128(%rcx),%xmm1\n\tjmp\tL$enc_tail\n\n.p2align\t5\nL$handle_ctr32:\n\tvmovdqu\t(%r11),%xmm0\n\tvpshufb\t%xmm0,%xmm1,%xmm6\n\tvmovdqu\t48(%r11),%xmm5\n\tvpaddd\t64(%r11),%xmm6,%xmm10\n\tvpaddd\t%xmm5,%xmm6,%xmm11\n\tvmovdqu\t0-32(%r9),%xmm3\n\tvpaddd\t%xmm5,%xmm10,%xmm12\n\tvpshufb\t%xmm0,%xmm10,%xmm10\n\tvpaddd\t%xmm5,%xmm11,%xmm13\n\tvpshufb\t%xmm0,%xmm11,%xmm11\n\tvpxor\t%xmm15,%xmm10,%xmm10\n\tvpaddd\t%xmm5,%xmm12,%xmm14\n\tvpshufb\t%xmm0,%xmm12,%xmm12\n\tvpxor\t%xmm15,%xmm11,%xmm11\n\tvpaddd\t%xmm5,%xmm13,%xmm1\n\tvpshufb\t%xmm0,%xmm13,%xmm13\n\tvpshufb\t%xmm0,%xmm14,%xmm14\n\tvpshufb\t%xmm0,%xmm1,%xmm1\n\tjmp\tL$resume_ctr32\n\n.p2align\t5\nL$enc_tail:\n\tvaesenc\t%xmm15,%xmm9,%xmm9\n\tvmovdqu\t%xmm7,16+8(%rsp)\n\tvpalignr\t$8,%xmm4,%xmm4,%xmm8\n\tvaesenc\t%xmm15,%xmm10,%xmm10\n\tvpclmulqdq\t$0x10,%xmm3,%xmm4,%xmm4\n\tvpxor\t0(%rdi),%xmm1,%xmm2\n\tvaesenc\t%xmm15,%xmm11,%xmm11\n\tvpxor\t16(%rdi),%xmm1,%xmm0\n\tvaesenc\t%xmm15,%xmm12,%xmm12\n\tvpxor\t32(%rdi),%xmm1,%xmm5\n\tvaesenc\t%xmm15,%xmm13,%xmm13\n\tvpxor\t48(%rdi),%xmm1,%xmm6\n\tvaesenc\t%xmm15,%xmm14,%xmm14\n\tvpxor\t64(%rdi),%xmm1,%xmm7\n\tvpxor\t80(%rdi),%xmm1,%xmm3\n\tvmovdqu\t(%r8),%xmm1\n\n\tvaesenclast\t%xmm2,%xmm9,%xmm9\n\tvmovdqu\t32(%r11),%xmm2\n\tvaesenclast\t%xmm0,%xmm10,%xmm10\n\tvpaddb\t%xmm2,%xmm1,%xmm0\n\tmovq\t%r13,112+8(%rsp)\n\tleaq\t96(%rdi),%rdi\n\n\tprefetcht0\t512(%rdi)\n\tprefetcht0\t576(%rdi)\n\tvaesenclast\t%xmm5,%xmm11,%xmm11\n\tvpaddb\t%xmm2,%xmm0,%xmm5\n\tmovq\t%r12,120+8(%rsp)\n\tleaq\t96(%rsi),%rsi\n\tvmovdqu\t0-128(%rcx),%xmm15\n\tvaesenclast\t%xmm6,%xmm12,%xmm12\n\tvpaddb\t%xmm2,%xmm5,%xmm6\n\tvaesenclast\t%xmm7,%xmm13,%xmm13\n\tvpaddb\t%xmm2,%xmm6,%xmm7\n\tvaesenclast\t%xmm3,%xmm14,%xmm14\n\tvpaddb\t%xmm2,%xmm7,%xmm3\n\n\taddq\t$0x60,%rax\n\tsubq\t$0x6,%rdx\n\tjc\tL$6x_done\n\n\tvmovups\t%xmm9,-96(%rsi)\n\tvpxor\t%xmm15,%xmm1,%xmm9\n\tvmovups\t%xmm10,-80(%rsi)\n\tvmovdqa\t%xmm0,%xmm10\n\tvmovups\t%xmm11,-64(%rsi)\n\tvmovdqa\t%xmm5,%xmm11\n\tvmovups\t%xmm12,-48(%rsi)\n\tvmovdqa\t%xmm6,%xmm12\n\tvmovups\t%xmm13,-32(%rsi)\n\tvmovdqa\t%xmm7,%xmm13\n\tvmovups\t%xmm14,-16(%rsi)\n\tvmovdqa\t%xmm3,%xmm14\n\tvmovdqu\t32+8(%rsp),%xmm7\n\tjmp\tL$oop6x\n\nL$6x_done:\n\tvpxor\t16+8(%rsp),%xmm8,%xmm8\n\tvpxor\t%xmm4,%xmm8,%xmm8\n\n\tret\n\n\n.globl\t_aesni_gcm_decrypt\n.private_extern _aesni_gcm_decrypt\n\n.p2align\t5\n_aesni_gcm_decrypt:\n\n\n_CET_ENDBR\n\txorq\t%rax,%rax\n\n\n\n\tcmpq\t$0x60,%rdx\n\tjb\tL$gcm_dec_abort\n\n\tpushq\t%rbp\n\n\n\tmovq\t%rsp,%rbp\n\n\tpushq\t%rbx\n\n\n\tpushq\t%r12\n\n\n\tpushq\t%r13\n\n\n\tpushq\t%r14\n\n\n\tpushq\t%r15\n\n\n\tvzeroupper\n\n\tmovq\t16(%rbp),%r12\n\tvmovdqu\t(%r8),%xmm1\n\taddq\t$-128,%rsp\n\tmovl\t12(%r8),%ebx\n\tleaq\tL$bswap_mask(%rip),%r11\n\tleaq\t-128(%rcx),%r14\n\tmovq\t$0xf80,%r15\n\tvmovdqu\t(%r12),%xmm8\n\tandq\t$-128,%rsp\n\tvmovdqu\t(%r11),%xmm0\n\tleaq\t128(%rcx),%rcx\n\tleaq\t32(%r9),%r9\n\tmovl\t240-128(%rcx),%r10d\n\tvpshufb\t%xmm0,%xmm8,%xmm8\n\n\tandq\t%r15,%r14\n\tandq\t%rsp,%r15\n\tsubq\t%r14,%r15\n\tjc\tL$dec_no_key_aliasing\n\tcmpq\t$768,%r15\n\tjnc\tL$dec_no_key_aliasing\n\tsubq\t%r15,%rsp\nL$dec_no_key_aliasing:\n\n\tvmovdqu\t80(%rdi),%xmm7\n\tmovq\t%rdi,%r14\n\tvmovdqu\t64(%rdi),%xmm4\n\n\n\n\n\n\n\n\tleaq\t-192(%rdi,%rdx,1),%r15\n\n\tvmovdqu\t48(%rdi),%xmm5\n\tshrq\t$4,%rdx\n\txorq\t%rax,%rax\n\tvmovdqu\t32(%rdi),%xmm6\n\tvpshufb\t%xmm0,%xmm7,%xmm7\n\tvmovdqu\t16(%rdi),%xmm2\n\tvpshufb\t%xmm0,%xmm4,%xmm4\n\tvmovdqu\t(%rdi),%xmm3\n\tvpshufb\t%xmm0,%xmm5,%xmm5\n\tvmovdqu\t%xmm4,48(%rsp)\n\tvpshufb\t%xmm0,%xmm6,%xmm6\n\tvmovdqu\t%xmm5,64(%rsp)\n\tvpshufb\t%xmm0,%xmm2,%xmm2\n\tvmovdqu\t%xmm6,80(%rsp)\n\tvpshufb\t%xmm0,%xmm3,%xmm3\n\tvmovdqu\t%xmm2,96(%rsp)\n\tvmovdqu\t%xmm3,112(%rsp)\n\n\tcall\t_aesni_ctr32_ghash_6x\n\n\tmovq\t16(%rbp),%r12\n\tvmovups\t%xmm9,-96(%rsi)\n\tvmovups\t%xmm10,-80(%rsi)\n\tvmovups\t%xmm11,-64(%rsi)\n\tvmovups\t%xmm12,-48(%rsi)\n\tvmovups\t%xmm13,-32(%rsi)\n\tvmovups\t%xmm14,-16(%rsi)\n\n\tvpshufb\t(%r11),%xmm8,%xmm8\n\tvmovdqu\t%xmm8,(%r12)\n\n\tvzeroupper\n\tleaq\t-40(%rbp),%rsp\n\n\tpopq\t%r15\n\n\tpopq\t%r14\n\n\tpopq\t%r13\n\n\tpopq\t%r12\n\n\tpopq\t%rbx\n\n\tpopq\t%rbp\n\nL$gcm_dec_abort:\n\tret\n\n\n\n\n.p2align\t5\n_aesni_ctr32_6x:\n\n\tvmovdqu\t0-128(%rcx),%xmm4\n\tvmovdqu\t32(%r11),%xmm2\n\tleaq\t-1(%r10),%r13\n\tvmovups\t16-128(%rcx),%xmm15\n\tleaq\t32-128(%rcx),%r12\n\tvpxor\t%xmm4,%xmm1,%xmm9\n\taddl\t$100663296,%ebx\n\tjc\tL$handle_ctr32_2\n\tvpaddb\t%xmm2,%xmm1,%xmm10\n\tvpaddb\t%xmm2,%xmm10,%xmm11\n\tvpxor\t%xmm4,%xmm10,%xmm10\n\tvpaddb\t%xmm2,%xmm11,%xmm12\n\tvpxor\t%xmm4,%xmm11,%xmm11\n\tvpaddb\t%xmm2,%xmm12,%xmm13\n\tvpxor\t%xmm4,%xmm12,%xmm12\n\tvpaddb\t%xmm2,%xmm13,%xmm14\n\tvpxor\t%xmm4,%xmm13,%xmm13\n\tvpaddb\t%xmm2,%xmm14,%xmm1\n\tvpxor\t%xmm4,%xmm14,%xmm14\n\tjmp\tL$oop_ctr32\n\n.p2align\t4\nL$oop_ctr32:\n\tvaesenc\t%xmm15,%xmm9,%xmm9\n\tvaesenc\t%xmm15,%xmm10,%xmm10\n\tvaesenc\t%xmm15,%xmm11,%xmm11\n\tvaesenc\t%xmm15,%xmm12,%xmm12\n\tvaesenc\t%xmm15,%xmm13,%xmm13\n\tvaesenc\t%xmm15,%xmm14,%xmm14\n\tvmovups\t(%r12),%xmm15\n\tleaq\t16(%r12),%r12\n\tdecl\t%r13d\n\tjnz\tL$oop_ctr32\n\n\tvmovdqu\t(%r12),%xmm3\n\tvaesenc\t%xmm15,%xmm9,%xmm9\n\tvpxor\t0(%rdi),%xmm3,%xmm4\n\tvaesenc\t%xmm15,%xmm10,%xmm10\n\tvpxor\t16(%rdi),%xmm3,%xmm5\n\tvaesenc\t%xmm15,%xmm11,%xmm11\n\tvpxor\t32(%rdi),%xmm3,%xmm6\n\tvaesenc\t%xmm15,%xmm12,%xmm12\n\tvpxor\t48(%rdi),%xmm3,%xmm8\n\tvaesenc\t%xmm15,%xmm13,%xmm13\n\tvpxor\t64(%rdi),%xmm3,%xmm2\n\tvaesenc\t%xmm15,%xmm14,%xmm14\n\tvpxor\t80(%rdi),%xmm3,%xmm3\n\tleaq\t96(%rdi),%rdi\n\n\tvaesenclast\t%xmm4,%xmm9,%xmm9\n\tvaesenclast\t%xmm5,%xmm10,%xmm10\n\tvaesenclast\t%xmm6,%xmm11,%xmm11\n\tvaesenclast\t%xmm8,%xmm12,%xmm12\n\tvaesenclast\t%xmm2,%xmm13,%xmm13\n\tvaesenclast\t%xmm3,%xmm14,%xmm14\n\tvmovups\t%xmm9,0(%rsi)\n\tvmovups\t%xmm10,16(%rsi)\n\tvmovups\t%xmm11,32(%rsi)\n\tvmovups\t%xmm12,48(%rsi)\n\tvmovups\t%xmm13,64(%rsi)\n\tvmovups\t%xmm14,80(%rsi)\n\tleaq\t96(%rsi),%rsi\n\n\tret\n.p2align\t5\nL$handle_ctr32_2:\n\tvpshufb\t%xmm0,%xmm1,%xmm6\n\tvmovdqu\t48(%r11),%xmm5\n\tvpaddd\t64(%r11),%xmm6,%xmm10\n\tvpaddd\t%xmm5,%xmm6,%xmm11\n\tvpaddd\t%xmm5,%xmm10,%xmm12\n\tvpshufb\t%xmm0,%xmm10,%xmm10\n\tvpaddd\t%xmm5,%xmm11,%xmm13\n\tvpshufb\t%xmm0,%xmm11,%xmm11\n\tvpxor\t%xmm4,%xmm10,%xmm10\n\tvpaddd\t%xmm5,%xmm12,%xmm14\n\tvpshufb\t%xmm0,%xmm12,%xmm12\n\tvpxor\t%xmm4,%xmm11,%xmm11\n\tvpaddd\t%xmm5,%xmm13,%xmm1\n\tvpshufb\t%xmm0,%xmm13,%xmm13\n\tvpxor\t%xmm4,%xmm12,%xmm12\n\tvpshufb\t%xmm0,%xmm14,%xmm14\n\tvpxor\t%xmm4,%xmm13,%xmm13\n\tvpshufb\t%xmm0,%xmm1,%xmm1\n\tvpxor\t%xmm4,%xmm14,%xmm14\n\tjmp\tL$oop_ctr32\n\n\n\n.globl\t_aesni_gcm_encrypt\n.private_extern _aesni_gcm_encrypt\n\n.p2align\t5\n_aesni_gcm_encrypt:\n\n\n_CET_ENDBR\n#ifdef BORINGSSL_DISPATCH_TEST\n\n\tmovb\t$1,_BORINGSSL_function_hit+2(%rip)\n#endif\n\txorq\t%rax,%rax\n\n\n\n\n\tcmpq\t$288,%rdx\n\tjb\tL$gcm_enc_abort\n\n\tpushq\t%rbp\n\n\n\tmovq\t%rsp,%rbp\n\n\tpushq\t%rbx\n\n\n\tpushq\t%r12\n\n\n\tpushq\t%r13\n\n\n\tpushq\t%r14\n\n\n\tpushq\t%r15\n\n\n\tvzeroupper\n\n\tvmovdqu\t(%r8),%xmm1\n\taddq\t$-128,%rsp\n\tmovl\t12(%r8),%ebx\n\tleaq\tL$bswap_mask(%rip),%r11\n\tleaq\t-128(%rcx),%r14\n\tmovq\t$0xf80,%r15\n\tleaq\t128(%rcx),%rcx\n\tvmovdqu\t(%r11),%xmm0\n\tandq\t$-128,%rsp\n\tmovl\t240-128(%rcx),%r10d\n\n\tandq\t%r15,%r14\n\tandq\t%rsp,%r15\n\tsubq\t%r14,%r15\n\tjc\tL$enc_no_key_aliasing\n\tcmpq\t$768,%r15\n\tjnc\tL$enc_no_key_aliasing\n\tsubq\t%r15,%rsp\nL$enc_no_key_aliasing:\n\n\tmovq\t%rsi,%r14\n\n\n\n\n\n\n\n\n\tleaq\t-192(%rsi,%rdx,1),%r15\n\n\tshrq\t$4,%rdx\n\n\tcall\t_aesni_ctr32_6x\n\tvpshufb\t%xmm0,%xmm9,%xmm8\n\tvpshufb\t%xmm0,%xmm10,%xmm2\n\tvmovdqu\t%xmm8,112(%rsp)\n\tvpshufb\t%xmm0,%xmm11,%xmm4\n\tvmovdqu\t%xmm2,96(%rsp)\n\tvpshufb\t%xmm0,%xmm12,%xmm5\n\tvmovdqu\t%xmm4,80(%rsp)\n\tvpshufb\t%xmm0,%xmm13,%xmm6\n\tvmovdqu\t%xmm5,64(%rsp)\n\tvpshufb\t%xmm0,%xmm14,%xmm7\n\tvmovdqu\t%xmm6,48(%rsp)\n\n\tcall\t_aesni_ctr32_6x\n\n\tmovq\t16(%rbp),%r12\n\tleaq\t32(%r9),%r9\n\tvmovdqu\t(%r12),%xmm8\n\tsubq\t$12,%rdx\n\tmovq\t$192,%rax\n\tvpshufb\t%xmm0,%xmm8,%xmm8\n\n\tcall\t_aesni_ctr32_ghash_6x\n\tvmovdqu\t32(%rsp),%xmm7\n\tvmovdqu\t(%r11),%xmm0\n\tvmovdqu\t0-32(%r9),%xmm3\n\tvpunpckhqdq\t%xmm7,%xmm7,%xmm1\n\tvmovdqu\t32-32(%r9),%xmm15\n\tvmovups\t%xmm9,-96(%rsi)\n\tvpshufb\t%xmm0,%xmm9,%xmm9\n\tvpxor\t%xmm7,%xmm1,%xmm1\n\tvmovups\t%xmm10,-80(%rsi)\n\tvpshufb\t%xmm0,%xmm10,%xmm10\n\tvmovups\t%xmm11,-64(%rsi)\n\tvpshufb\t%xmm0,%xmm11,%xmm11\n\tvmovups\t%xmm12,-48(%rsi)\n\tvpshufb\t%xmm0,%xmm12,%xmm12\n\tvmovups\t%xmm13,-32(%rsi)\n\tvpshufb\t%xmm0,%xmm13,%xmm13\n\tvmovups\t%xmm14,-16(%rsi)\n\tvpshufb\t%xmm0,%xmm14,%xmm14\n\tvmovdqu\t%xmm9,16(%rsp)\n\tvmovdqu\t48(%rsp),%xmm6\n\tvmovdqu\t16-32(%r9),%xmm0\n\tvpunpckhqdq\t%xmm6,%xmm6,%xmm2\n\tvpclmulqdq\t$0x00,%xmm3,%xmm7,%xmm5\n\tvpxor\t%xmm6,%xmm2,%xmm2\n\tvpclmulqdq\t$0x11,%xmm3,%xmm7,%xmm7\n\tvpclmulqdq\t$0x00,%xmm15,%xmm1,%xmm1\n\n\tvmovdqu\t64(%rsp),%xmm9\n\tvpclmulqdq\t$0x00,%xmm0,%xmm6,%xmm4\n\tvmovdqu\t48-32(%r9),%xmm3\n\tvpxor\t%xmm5,%xmm4,%xmm4\n\tvpunpckhqdq\t%xmm9,%xmm9,%xmm5\n\tvpclmulqdq\t$0x11,%xmm0,%xmm6,%xmm6\n\tvpxor\t%xmm9,%xmm5,%xmm5\n\tvpxor\t%xmm7,%xmm6,%xmm6\n\tvpclmulqdq\t$0x10,%xmm15,%xmm2,%xmm2\n\tvmovdqu\t80-32(%r9),%xmm15\n\tvpxor\t%xmm1,%xmm2,%xmm2\n\n\tvmovdqu\t80(%rsp),%xmm1\n\tvpclmulqdq\t$0x00,%xmm3,%xmm9,%xmm7\n\tvmovdqu\t64-32(%r9),%xmm0\n\tvpxor\t%xmm4,%xmm7,%xmm7\n\tvpunpckhqdq\t%xmm1,%xmm1,%xmm4\n\tvpclmulqdq\t$0x11,%xmm3,%xmm9,%xmm9\n\tvpxor\t%xmm1,%xmm4,%xmm4\n\tvpxor\t%xmm6,%xmm9,%xmm9\n\tvpclmulqdq\t$0x00,%xmm15,%xmm5,%xmm5\n\tvpxor\t%xmm2,%xmm5,%xmm5\n\n\tvmovdqu\t96(%rsp),%xmm2\n\tvpclmulqdq\t$0x00,%xmm0,%xmm1,%xmm6\n\tvmovdqu\t96-32(%r9),%xmm3\n\tvpxor\t%xmm7,%xmm6,%xmm6\n\tvpunpckhqdq\t%xmm2,%xmm2,%xmm7\n\tvpclmulqdq\t$0x11,%xmm0,%xmm1,%xmm1\n\tvpxor\t%xmm2,%xmm7,%xmm7\n\tvpxor\t%xmm9,%xmm1,%xmm1\n\tvpclmulqdq\t$0x10,%xmm15,%xmm4,%xmm4\n\tvmovdqu\t128-32(%r9),%xmm15\n\tvpxor\t%xmm5,%xmm4,%xmm4\n\n\tvpxor\t112(%rsp),%xmm8,%xmm8\n\tvpclmulqdq\t$0x00,%xmm3,%xmm2,%xmm5\n\tvmovdqu\t112-32(%r9),%xmm0\n\tvpunpckhqdq\t%xmm8,%xmm8,%xmm9\n\tvpxor\t%xmm6,%xmm5,%xmm5\n\tvpclmulqdq\t$0x11,%xmm3,%xmm2,%xmm2\n\tvpxor\t%xmm8,%xmm9,%xmm9\n\tvpxor\t%xmm1,%xmm2,%xmm2\n\tvpclmulqdq\t$0x00,%xmm15,%xmm7,%xmm7\n\tvpxor\t%xmm4,%xmm7,%xmm4\n\n\tvpclmulqdq\t$0x00,%xmm0,%xmm8,%xmm6\n\tvmovdqu\t0-32(%r9),%xmm3\n\tvpunpckhqdq\t%xmm14,%xmm14,%xmm1\n\tvpclmulqdq\t$0x11,%xmm0,%xmm8,%xmm8\n\tvpxor\t%xmm14,%xmm1,%xmm1\n\tvpxor\t%xmm5,%xmm6,%xmm5\n\tvpclmulqdq\t$0x10,%xmm15,%xmm9,%xmm9\n\tvmovdqu\t32-32(%r9),%xmm15\n\tvpxor\t%xmm2,%xmm8,%xmm7\n\tvpxor\t%xmm4,%xmm9,%xmm6\n\n\tvmovdqu\t16-32(%r9),%xmm0\n\tvpxor\t%xmm5,%xmm7,%xmm9\n\tvpclmulqdq\t$0x00,%xmm3,%xmm14,%xmm4\n\tvpxor\t%xmm9,%xmm6,%xmm6\n\tvpunpckhqdq\t%xmm13,%xmm13,%xmm2\n\tvpclmulqdq\t$0x11,%xmm3,%xmm14,%xmm14\n\tvpxor\t%xmm13,%xmm2,%xmm2\n\tvpslldq\t$8,%xmm6,%xmm9\n\tvpclmulqdq\t$0x00,%xmm15,%xmm1,%xmm1\n\tvpxor\t%xmm9,%xmm5,%xmm8\n\tvpsrldq\t$8,%xmm6,%xmm6\n\tvpxor\t%xmm6,%xmm7,%xmm7\n\n\tvpclmulqdq\t$0x00,%xmm0,%xmm13,%xmm5\n\tvmovdqu\t48-32(%r9),%xmm3\n\tvpxor\t%xmm4,%xmm5,%xmm5\n\tvpunpckhqdq\t%xmm12,%xmm12,%xmm9\n\tvpclmulqdq\t$0x11,%xmm0,%xmm13,%xmm13\n\tvpxor\t%xmm12,%xmm9,%xmm9\n\tvpxor\t%xmm14,%xmm13,%xmm13\n\tvpalignr\t$8,%xmm8,%xmm8,%xmm14\n\tvpclmulqdq\t$0x10,%xmm15,%xmm2,%xmm2\n\tvmovdqu\t80-32(%r9),%xmm15\n\tvpxor\t%xmm1,%xmm2,%xmm2\n\n\tvpclmulqdq\t$0x00,%xmm3,%xmm12,%xmm4\n\tvmovdqu\t64-32(%r9),%xmm0\n\tvpxor\t%xmm5,%xmm4,%xmm4\n\tvpunpckhqdq\t%xmm11,%xmm11,%xmm1\n\tvpclmulqdq\t$0x11,%xmm3,%xmm12,%xmm12\n\tvpxor\t%xmm11,%xmm1,%xmm1\n\tvpxor\t%xmm13,%xmm12,%xmm12\n\tvxorps\t16(%rsp),%xmm7,%xmm7\n\tvpclmulqdq\t$0x00,%xmm15,%xmm9,%xmm9\n\tvpxor\t%xmm2,%xmm9,%xmm9\n\n\tvpclmulqdq\t$0x10,16(%r11),%xmm8,%xmm8\n\tvxorps\t%xmm14,%xmm8,%xmm8\n\n\tvpclmulqdq\t$0x00,%xmm0,%xmm11,%xmm5\n\tvmovdqu\t96-32(%r9),%xmm3\n\tvpxor\t%xmm4,%xmm5,%xmm5\n\tvpunpckhqdq\t%xmm10,%xmm10,%xmm2\n\tvpclmulqdq\t$0x11,%xmm0,%xmm11,%xmm11\n\tvpxor\t%xmm10,%xmm2,%xmm2\n\tvpalignr\t$8,%xmm8,%xmm8,%xmm14\n\tvpxor\t%xmm12,%xmm11,%xmm11\n\tvpclmulqdq\t$0x10,%xmm15,%xmm1,%xmm1\n\tvmovdqu\t128-32(%r9),%xmm15\n\tvpxor\t%xmm9,%xmm1,%xmm1\n\n\tvxorps\t%xmm7,%xmm14,%xmm14\n\tvpclmulqdq\t$0x10,16(%r11),%xmm8,%xmm8\n\tvxorps\t%xmm14,%xmm8,%xmm8\n\n\tvpclmulqdq\t$0x00,%xmm3,%xmm10,%xmm4\n\tvmovdqu\t112-32(%r9),%xmm0\n\tvpxor\t%xmm5,%xmm4,%xmm4\n\tvpunpckhqdq\t%xmm8,%xmm8,%xmm9\n\tvpclmulqdq\t$0x11,%xmm3,%xmm10,%xmm10\n\tvpxor\t%xmm8,%xmm9,%xmm9\n\tvpxor\t%xmm11,%xmm10,%xmm10\n\tvpclmulqdq\t$0x00,%xmm15,%xmm2,%xmm2\n\tvpxor\t%xmm1,%xmm2,%xmm2\n\n\tvpclmulqdq\t$0x00,%xmm0,%xmm8,%xmm5\n\tvpclmulqdq\t$0x11,%xmm0,%xmm8,%xmm7\n\tvpxor\t%xmm4,%xmm5,%xmm5\n\tvpclmulqdq\t$0x10,%xmm15,%xmm9,%xmm6\n\tvpxor\t%xmm10,%xmm7,%xmm7\n\tvpxor\t%xmm2,%xmm6,%xmm6\n\n\tvpxor\t%xmm5,%xmm7,%xmm4\n\tvpxor\t%xmm4,%xmm6,%xmm6\n\tvpslldq\t$8,%xmm6,%xmm1\n\tvmovdqu\t16(%r11),%xmm3\n\tvpsrldq\t$8,%xmm6,%xmm6\n\tvpxor\t%xmm1,%xmm5,%xmm8\n\tvpxor\t%xmm6,%xmm7,%xmm7\n\n\tvpalignr\t$8,%xmm8,%xmm8,%xmm2\n\tvpclmulqdq\t$0x10,%xmm3,%xmm8,%xmm8\n\tvpxor\t%xmm2,%xmm8,%xmm8\n\n\tvpalignr\t$8,%xmm8,%xmm8,%xmm2\n\tvpclmulqdq\t$0x10,%xmm3,%xmm8,%xmm8\n\tvpxor\t%xmm7,%xmm2,%xmm2\n\tvpxor\t%xmm2,%xmm8,%xmm8\n\tmovq\t16(%rbp),%r12\n\tvpshufb\t(%r11),%xmm8,%xmm8\n\tvmovdqu\t%xmm8,(%r12)\n\n\tvzeroupper\n\tleaq\t-40(%rbp),%rsp\n\n\tpopq\t%r15\n\n\tpopq\t%r14\n\n\tpopq\t%r13\n\n\tpopq\t%r12\n\n\tpopq\t%rbx\n\n\tpopq\t%rbp\n\nL$gcm_enc_abort:\n\tret\n\n\n\n.section\t__DATA,__const\n.p2align\t6\nL$bswap_mask:\n.byte\t15,14,13,12,11,10,9,8,7,6,5,4,3,2,1,0\nL$poly:\n.byte\t0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0xc2\nL$one_msb:\n.byte\t0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1\nL$two_lsb:\n.byte\t2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0\nL$one_lsb:\n.byte\t1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0\n.byte\t65,69,83,45,78,73,32,71,67,77,32,109,111,100,117,108,101,32,102,111,114,32,120,56,54,95,54,52,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0\n.p2align\t6\n.text\t\n#endif\n#if defined(__linux__) && defined(__ELF__)\n.section .note.GNU-stack,\"\",%progbits\n#endif\n\n" }, { "path": "Sources/CNIOBoringSSL/gen/bcm/aesni-gcm-x86_64-linux.S", "content": "#define BORINGSSL_PREFIX CNIOBoringSSL\n// This file is generated from a similarly-named Perl script in the BoringSSL\n// source tree. Do not edit by hand.\n\n#include \n\n#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86_64) && defined(__ELF__)\n.text\t\n\n.type\t_aesni_ctr32_ghash_6x,@function\n.align\t32\n_aesni_ctr32_ghash_6x:\n.cfi_startproc\t\n\tvmovdqu\t32(%r11),%xmm2\n\tsubq\t$6,%rdx\n\tvpxor\t%xmm4,%xmm4,%xmm4\n\tvmovdqu\t0-128(%rcx),%xmm15\n\tvpaddb\t%xmm2,%xmm1,%xmm10\n\tvpaddb\t%xmm2,%xmm10,%xmm11\n\tvpaddb\t%xmm2,%xmm11,%xmm12\n\tvpaddb\t%xmm2,%xmm12,%xmm13\n\tvpaddb\t%xmm2,%xmm13,%xmm14\n\tvpxor\t%xmm15,%xmm1,%xmm9\n\tvmovdqu\t%xmm4,16+8(%rsp)\n\tjmp\t.Loop6x\n\n.align\t32\n.Loop6x:\n\taddl\t$100663296,%ebx\n\tjc\t.Lhandle_ctr32\n\tvmovdqu\t0-32(%r9),%xmm3\n\tvpaddb\t%xmm2,%xmm14,%xmm1\n\tvpxor\t%xmm15,%xmm10,%xmm10\n\tvpxor\t%xmm15,%xmm11,%xmm11\n\n.Lresume_ctr32:\n\tvmovdqu\t%xmm1,(%r8)\n\tvpclmulqdq\t$0x10,%xmm3,%xmm7,%xmm5\n\tvpxor\t%xmm15,%xmm12,%xmm12\n\tvmovups\t16-128(%rcx),%xmm2\n\tvpclmulqdq\t$0x01,%xmm3,%xmm7,%xmm6\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\txorq\t%r12,%r12\n\tcmpq\t%r14,%r15\n\n\tvaesenc\t%xmm2,%xmm9,%xmm9\n\tvmovdqu\t48+8(%rsp),%xmm0\n\tvpxor\t%xmm15,%xmm13,%xmm13\n\tvpclmulqdq\t$0x00,%xmm3,%xmm7,%xmm1\n\tvaesenc\t%xmm2,%xmm10,%xmm10\n\tvpxor\t%xmm15,%xmm14,%xmm14\n\tsetnc\t%r12b\n\tvpclmulqdq\t$0x11,%xmm3,%xmm7,%xmm7\n\tvaesenc\t%xmm2,%xmm11,%xmm11\n\tvmovdqu\t16-32(%r9),%xmm3\n\tnegq\t%r12\n\tvaesenc\t%xmm2,%xmm12,%xmm12\n\tvpxor\t%xmm5,%xmm6,%xmm6\n\tvpclmulqdq\t$0x00,%xmm3,%xmm0,%xmm5\n\tvpxor\t%xmm4,%xmm8,%xmm8\n\tvaesenc\t%xmm2,%xmm13,%xmm13\n\tvpxor\t%xmm5,%xmm1,%xmm4\n\tandq\t$0x60,%r12\n\tvmovups\t32-128(%rcx),%xmm15\n\tvpclmulqdq\t$0x10,%xmm3,%xmm0,%xmm1\n\tvaesenc\t%xmm2,%xmm14,%xmm14\n\n\tvpclmulqdq\t$0x01,%xmm3,%xmm0,%xmm2\n\tleaq\t(%r14,%r12,1),%r14\n\tvaesenc\t%xmm15,%xmm9,%xmm9\n\tvpxor\t16+8(%rsp),%xmm8,%xmm8\n\tvpclmulqdq\t$0x11,%xmm3,%xmm0,%xmm3\n\tvmovdqu\t64+8(%rsp),%xmm0\n\tvaesenc\t%xmm15,%xmm10,%xmm10\n\tmovbeq\t88(%r14),%r13\n\tvaesenc\t%xmm15,%xmm11,%xmm11\n\tmovbeq\t80(%r14),%r12\n\tvaesenc\t%xmm15,%xmm12,%xmm12\n\tmovq\t%r13,32+8(%rsp)\n\tvaesenc\t%xmm15,%xmm13,%xmm13\n\tmovq\t%r12,40+8(%rsp)\n\tvmovdqu\t48-32(%r9),%xmm5\n\tvaesenc\t%xmm15,%xmm14,%xmm14\n\n\tvmovups\t48-128(%rcx),%xmm15\n\tvpxor\t%xmm1,%xmm6,%xmm6\n\tvpclmulqdq\t$0x00,%xmm5,%xmm0,%xmm1\n\tvaesenc\t%xmm15,%xmm9,%xmm9\n\tvpxor\t%xmm2,%xmm6,%xmm6\n\tvpclmulqdq\t$0x10,%xmm5,%xmm0,%xmm2\n\tvaesenc\t%xmm15,%xmm10,%xmm10\n\tvpxor\t%xmm3,%xmm7,%xmm7\n\tvpclmulqdq\t$0x01,%xmm5,%xmm0,%xmm3\n\tvaesenc\t%xmm15,%xmm11,%xmm11\n\tvpclmulqdq\t$0x11,%xmm5,%xmm0,%xmm5\n\tvmovdqu\t80+8(%rsp),%xmm0\n\tvaesenc\t%xmm15,%xmm12,%xmm12\n\tvaesenc\t%xmm15,%xmm13,%xmm13\n\tvpxor\t%xmm1,%xmm4,%xmm4\n\tvmovdqu\t64-32(%r9),%xmm1\n\tvaesenc\t%xmm15,%xmm14,%xmm14\n\n\tvmovups\t64-128(%rcx),%xmm15\n\tvpxor\t%xmm2,%xmm6,%xmm6\n\tvpclmulqdq\t$0x00,%xmm1,%xmm0,%xmm2\n\tvaesenc\t%xmm15,%xmm9,%xmm9\n\tvpxor\t%xmm3,%xmm6,%xmm6\n\tvpclmulqdq\t$0x10,%xmm1,%xmm0,%xmm3\n\tvaesenc\t%xmm15,%xmm10,%xmm10\n\tmovbeq\t72(%r14),%r13\n\tvpxor\t%xmm5,%xmm7,%xmm7\n\tvpclmulqdq\t$0x01,%xmm1,%xmm0,%xmm5\n\tvaesenc\t%xmm15,%xmm11,%xmm11\n\tmovbeq\t64(%r14),%r12\n\tvpclmulqdq\t$0x11,%xmm1,%xmm0,%xmm1\n\tvmovdqu\t96+8(%rsp),%xmm0\n\tvaesenc\t%xmm15,%xmm12,%xmm12\n\tmovq\t%r13,48+8(%rsp)\n\tvaesenc\t%xmm15,%xmm13,%xmm13\n\tmovq\t%r12,56+8(%rsp)\n\tvpxor\t%xmm2,%xmm4,%xmm4\n\tvmovdqu\t96-32(%r9),%xmm2\n\tvaesenc\t%xmm15,%xmm14,%xmm14\n\n\tvmovups\t80-128(%rcx),%xmm15\n\tvpxor\t%xmm3,%xmm6,%xmm6\n\tvpclmulqdq\t$0x00,%xmm2,%xmm0,%xmm3\n\tvaesenc\t%xmm15,%xmm9,%xmm9\n\tvpxor\t%xmm5,%xmm6,%xmm6\n\tvpclmulqdq\t$0x10,%xmm2,%xmm0,%xmm5\n\tvaesenc\t%xmm15,%xmm10,%xmm10\n\tmovbeq\t56(%r14),%r13\n\tvpxor\t%xmm1,%xmm7,%xmm7\n\tvpclmulqdq\t$0x01,%xmm2,%xmm0,%xmm1\n\tvpxor\t112+8(%rsp),%xmm8,%xmm8\n\tvaesenc\t%xmm15,%xmm11,%xmm11\n\tmovbeq\t48(%r14),%r12\n\tvpclmulqdq\t$0x11,%xmm2,%xmm0,%xmm2\n\tvaesenc\t%xmm15,%xmm12,%xmm12\n\tmovq\t%r13,64+8(%rsp)\n\tvaesenc\t%xmm15,%xmm13,%xmm13\n\tmovq\t%r12,72+8(%rsp)\n\tvpxor\t%xmm3,%xmm4,%xmm4\n\tvmovdqu\t112-32(%r9),%xmm3\n\tvaesenc\t%xmm15,%xmm14,%xmm14\n\n\tvmovups\t96-128(%rcx),%xmm15\n\tvpxor\t%xmm5,%xmm6,%xmm6\n\tvpclmulqdq\t$0x10,%xmm3,%xmm8,%xmm5\n\tvaesenc\t%xmm15,%xmm9,%xmm9\n\tvpxor\t%xmm1,%xmm6,%xmm6\n\tvpclmulqdq\t$0x01,%xmm3,%xmm8,%xmm1\n\tvaesenc\t%xmm15,%xmm10,%xmm10\n\tmovbeq\t40(%r14),%r13\n\tvpxor\t%xmm2,%xmm7,%xmm7\n\tvpclmulqdq\t$0x00,%xmm3,%xmm8,%xmm2\n\tvaesenc\t%xmm15,%xmm11,%xmm11\n\tmovbeq\t32(%r14),%r12\n\tvpclmulqdq\t$0x11,%xmm3,%xmm8,%xmm8\n\tvaesenc\t%xmm15,%xmm12,%xmm12\n\tmovq\t%r13,80+8(%rsp)\n\tvaesenc\t%xmm15,%xmm13,%xmm13\n\tmovq\t%r12,88+8(%rsp)\n\tvpxor\t%xmm5,%xmm6,%xmm6\n\tvaesenc\t%xmm15,%xmm14,%xmm14\n\tvpxor\t%xmm1,%xmm6,%xmm6\n\n\tvmovups\t112-128(%rcx),%xmm15\n\tvpslldq\t$8,%xmm6,%xmm5\n\tvpxor\t%xmm2,%xmm4,%xmm4\n\tvmovdqu\t16(%r11),%xmm3\n\n\tvaesenc\t%xmm15,%xmm9,%xmm9\n\tvpxor\t%xmm8,%xmm7,%xmm7\n\tvaesenc\t%xmm15,%xmm10,%xmm10\n\tvpxor\t%xmm5,%xmm4,%xmm4\n\tmovbeq\t24(%r14),%r13\n\tvaesenc\t%xmm15,%xmm11,%xmm11\n\tmovbeq\t16(%r14),%r12\n\tvpalignr\t$8,%xmm4,%xmm4,%xmm0\n\tvpclmulqdq\t$0x10,%xmm3,%xmm4,%xmm4\n\tmovq\t%r13,96+8(%rsp)\n\tvaesenc\t%xmm15,%xmm12,%xmm12\n\tmovq\t%r12,104+8(%rsp)\n\tvaesenc\t%xmm15,%xmm13,%xmm13\n\tvmovups\t128-128(%rcx),%xmm1\n\tvaesenc\t%xmm15,%xmm14,%xmm14\n\n\tvaesenc\t%xmm1,%xmm9,%xmm9\n\tvmovups\t144-128(%rcx),%xmm15\n\tvaesenc\t%xmm1,%xmm10,%xmm10\n\tvpsrldq\t$8,%xmm6,%xmm6\n\tvaesenc\t%xmm1,%xmm11,%xmm11\n\tvpxor\t%xmm6,%xmm7,%xmm7\n\tvaesenc\t%xmm1,%xmm12,%xmm12\n\tvpxor\t%xmm0,%xmm4,%xmm4\n\tmovbeq\t8(%r14),%r13\n\tvaesenc\t%xmm1,%xmm13,%xmm13\n\tmovbeq\t0(%r14),%r12\n\tvaesenc\t%xmm1,%xmm14,%xmm14\n\tvmovups\t160-128(%rcx),%xmm1\n\tcmpl\t$11,%r10d\n\tjb\t.Lenc_tail\n\n\tvaesenc\t%xmm15,%xmm9,%xmm9\n\tvaesenc\t%xmm15,%xmm10,%xmm10\n\tvaesenc\t%xmm15,%xmm11,%xmm11\n\tvaesenc\t%xmm15,%xmm12,%xmm12\n\tvaesenc\t%xmm15,%xmm13,%xmm13\n\tvaesenc\t%xmm15,%xmm14,%xmm14\n\n\tvaesenc\t%xmm1,%xmm9,%xmm9\n\tvaesenc\t%xmm1,%xmm10,%xmm10\n\tvaesenc\t%xmm1,%xmm11,%xmm11\n\tvaesenc\t%xmm1,%xmm12,%xmm12\n\tvaesenc\t%xmm1,%xmm13,%xmm13\n\tvmovups\t176-128(%rcx),%xmm15\n\tvaesenc\t%xmm1,%xmm14,%xmm14\n\tvmovups\t192-128(%rcx),%xmm1\n\tje\t.Lenc_tail\n\n\tvaesenc\t%xmm15,%xmm9,%xmm9\n\tvaesenc\t%xmm15,%xmm10,%xmm10\n\tvaesenc\t%xmm15,%xmm11,%xmm11\n\tvaesenc\t%xmm15,%xmm12,%xmm12\n\tvaesenc\t%xmm15,%xmm13,%xmm13\n\tvaesenc\t%xmm15,%xmm14,%xmm14\n\n\tvaesenc\t%xmm1,%xmm9,%xmm9\n\tvaesenc\t%xmm1,%xmm10,%xmm10\n\tvaesenc\t%xmm1,%xmm11,%xmm11\n\tvaesenc\t%xmm1,%xmm12,%xmm12\n\tvaesenc\t%xmm1,%xmm13,%xmm13\n\tvmovups\t208-128(%rcx),%xmm15\n\tvaesenc\t%xmm1,%xmm14,%xmm14\n\tvmovups\t224-128(%rcx),%xmm1\n\tjmp\t.Lenc_tail\n\n.align\t32\n.Lhandle_ctr32:\n\tvmovdqu\t(%r11),%xmm0\n\tvpshufb\t%xmm0,%xmm1,%xmm6\n\tvmovdqu\t48(%r11),%xmm5\n\tvpaddd\t64(%r11),%xmm6,%xmm10\n\tvpaddd\t%xmm5,%xmm6,%xmm11\n\tvmovdqu\t0-32(%r9),%xmm3\n\tvpaddd\t%xmm5,%xmm10,%xmm12\n\tvpshufb\t%xmm0,%xmm10,%xmm10\n\tvpaddd\t%xmm5,%xmm11,%xmm13\n\tvpshufb\t%xmm0,%xmm11,%xmm11\n\tvpxor\t%xmm15,%xmm10,%xmm10\n\tvpaddd\t%xmm5,%xmm12,%xmm14\n\tvpshufb\t%xmm0,%xmm12,%xmm12\n\tvpxor\t%xmm15,%xmm11,%xmm11\n\tvpaddd\t%xmm5,%xmm13,%xmm1\n\tvpshufb\t%xmm0,%xmm13,%xmm13\n\tvpshufb\t%xmm0,%xmm14,%xmm14\n\tvpshufb\t%xmm0,%xmm1,%xmm1\n\tjmp\t.Lresume_ctr32\n\n.align\t32\n.Lenc_tail:\n\tvaesenc\t%xmm15,%xmm9,%xmm9\n\tvmovdqu\t%xmm7,16+8(%rsp)\n\tvpalignr\t$8,%xmm4,%xmm4,%xmm8\n\tvaesenc\t%xmm15,%xmm10,%xmm10\n\tvpclmulqdq\t$0x10,%xmm3,%xmm4,%xmm4\n\tvpxor\t0(%rdi),%xmm1,%xmm2\n\tvaesenc\t%xmm15,%xmm11,%xmm11\n\tvpxor\t16(%rdi),%xmm1,%xmm0\n\tvaesenc\t%xmm15,%xmm12,%xmm12\n\tvpxor\t32(%rdi),%xmm1,%xmm5\n\tvaesenc\t%xmm15,%xmm13,%xmm13\n\tvpxor\t48(%rdi),%xmm1,%xmm6\n\tvaesenc\t%xmm15,%xmm14,%xmm14\n\tvpxor\t64(%rdi),%xmm1,%xmm7\n\tvpxor\t80(%rdi),%xmm1,%xmm3\n\tvmovdqu\t(%r8),%xmm1\n\n\tvaesenclast\t%xmm2,%xmm9,%xmm9\n\tvmovdqu\t32(%r11),%xmm2\n\tvaesenclast\t%xmm0,%xmm10,%xmm10\n\tvpaddb\t%xmm2,%xmm1,%xmm0\n\tmovq\t%r13,112+8(%rsp)\n\tleaq\t96(%rdi),%rdi\n\n\tprefetcht0\t512(%rdi)\n\tprefetcht0\t576(%rdi)\n\tvaesenclast\t%xmm5,%xmm11,%xmm11\n\tvpaddb\t%xmm2,%xmm0,%xmm5\n\tmovq\t%r12,120+8(%rsp)\n\tleaq\t96(%rsi),%rsi\n\tvmovdqu\t0-128(%rcx),%xmm15\n\tvaesenclast\t%xmm6,%xmm12,%xmm12\n\tvpaddb\t%xmm2,%xmm5,%xmm6\n\tvaesenclast\t%xmm7,%xmm13,%xmm13\n\tvpaddb\t%xmm2,%xmm6,%xmm7\n\tvaesenclast\t%xmm3,%xmm14,%xmm14\n\tvpaddb\t%xmm2,%xmm7,%xmm3\n\n\taddq\t$0x60,%rax\n\tsubq\t$0x6,%rdx\n\tjc\t.L6x_done\n\n\tvmovups\t%xmm9,-96(%rsi)\n\tvpxor\t%xmm15,%xmm1,%xmm9\n\tvmovups\t%xmm10,-80(%rsi)\n\tvmovdqa\t%xmm0,%xmm10\n\tvmovups\t%xmm11,-64(%rsi)\n\tvmovdqa\t%xmm5,%xmm11\n\tvmovups\t%xmm12,-48(%rsi)\n\tvmovdqa\t%xmm6,%xmm12\n\tvmovups\t%xmm13,-32(%rsi)\n\tvmovdqa\t%xmm7,%xmm13\n\tvmovups\t%xmm14,-16(%rsi)\n\tvmovdqa\t%xmm3,%xmm14\n\tvmovdqu\t32+8(%rsp),%xmm7\n\tjmp\t.Loop6x\n\n.L6x_done:\n\tvpxor\t16+8(%rsp),%xmm8,%xmm8\n\tvpxor\t%xmm4,%xmm8,%xmm8\n\n\tret\n.cfi_endproc\t\n.size\t_aesni_ctr32_ghash_6x,.-_aesni_ctr32_ghash_6x\n.globl\taesni_gcm_decrypt\n.hidden aesni_gcm_decrypt\n.type\taesni_gcm_decrypt,@function\n.align\t32\naesni_gcm_decrypt:\n.cfi_startproc\t\n\n_CET_ENDBR\n\txorq\t%rax,%rax\n\n\n\n\tcmpq\t$0x60,%rdx\n\tjb\t.Lgcm_dec_abort\n\n\tpushq\t%rbp\n.cfi_adjust_cfa_offset\t8\n.cfi_offset\t%rbp,-16\n\n\tmovq\t%rsp,%rbp\n.cfi_def_cfa_register\t%rbp\n\tpushq\t%rbx\n.cfi_offset\t%rbx,-24\n\n\tpushq\t%r12\n.cfi_offset\t%r12,-32\n\n\tpushq\t%r13\n.cfi_offset\t%r13,-40\n\n\tpushq\t%r14\n.cfi_offset\t%r14,-48\n\n\tpushq\t%r15\n.cfi_offset\t%r15,-56\n\n\tvzeroupper\n\n\tmovq\t16(%rbp),%r12\n\tvmovdqu\t(%r8),%xmm1\n\taddq\t$-128,%rsp\n\tmovl\t12(%r8),%ebx\n\tleaq\t.Lbswap_mask(%rip),%r11\n\tleaq\t-128(%rcx),%r14\n\tmovq\t$0xf80,%r15\n\tvmovdqu\t(%r12),%xmm8\n\tandq\t$-128,%rsp\n\tvmovdqu\t(%r11),%xmm0\n\tleaq\t128(%rcx),%rcx\n\tleaq\t32(%r9),%r9\n\tmovl\t240-128(%rcx),%r10d\n\tvpshufb\t%xmm0,%xmm8,%xmm8\n\n\tandq\t%r15,%r14\n\tandq\t%rsp,%r15\n\tsubq\t%r14,%r15\n\tjc\t.Ldec_no_key_aliasing\n\tcmpq\t$768,%r15\n\tjnc\t.Ldec_no_key_aliasing\n\tsubq\t%r15,%rsp\n.Ldec_no_key_aliasing:\n\n\tvmovdqu\t80(%rdi),%xmm7\n\tmovq\t%rdi,%r14\n\tvmovdqu\t64(%rdi),%xmm4\n\n\n\n\n\n\n\n\tleaq\t-192(%rdi,%rdx,1),%r15\n\n\tvmovdqu\t48(%rdi),%xmm5\n\tshrq\t$4,%rdx\n\txorq\t%rax,%rax\n\tvmovdqu\t32(%rdi),%xmm6\n\tvpshufb\t%xmm0,%xmm7,%xmm7\n\tvmovdqu\t16(%rdi),%xmm2\n\tvpshufb\t%xmm0,%xmm4,%xmm4\n\tvmovdqu\t(%rdi),%xmm3\n\tvpshufb\t%xmm0,%xmm5,%xmm5\n\tvmovdqu\t%xmm4,48(%rsp)\n\tvpshufb\t%xmm0,%xmm6,%xmm6\n\tvmovdqu\t%xmm5,64(%rsp)\n\tvpshufb\t%xmm0,%xmm2,%xmm2\n\tvmovdqu\t%xmm6,80(%rsp)\n\tvpshufb\t%xmm0,%xmm3,%xmm3\n\tvmovdqu\t%xmm2,96(%rsp)\n\tvmovdqu\t%xmm3,112(%rsp)\n\n\tcall\t_aesni_ctr32_ghash_6x\n\n\tmovq\t16(%rbp),%r12\n\tvmovups\t%xmm9,-96(%rsi)\n\tvmovups\t%xmm10,-80(%rsi)\n\tvmovups\t%xmm11,-64(%rsi)\n\tvmovups\t%xmm12,-48(%rsi)\n\tvmovups\t%xmm13,-32(%rsi)\n\tvmovups\t%xmm14,-16(%rsi)\n\n\tvpshufb\t(%r11),%xmm8,%xmm8\n\tvmovdqu\t%xmm8,(%r12)\n\n\tvzeroupper\n\tleaq\t-40(%rbp),%rsp\n.cfi_def_cfa\t%rsp, 0x38\n\tpopq\t%r15\n.cfi_adjust_cfa_offset\t-8\n.cfi_restore\t%r15\n\tpopq\t%r14\n.cfi_adjust_cfa_offset\t-8\n.cfi_restore\t%r14\n\tpopq\t%r13\n.cfi_adjust_cfa_offset\t-8\n.cfi_restore\t%r13\n\tpopq\t%r12\n.cfi_adjust_cfa_offset\t-8\n.cfi_restore\t%r12\n\tpopq\t%rbx\n.cfi_adjust_cfa_offset\t-8\n.cfi_restore\t%rbx\n\tpopq\t%rbp\n.cfi_adjust_cfa_offset\t-8\n.cfi_restore\t%rbp\n.Lgcm_dec_abort:\n\tret\n\n.cfi_endproc\t\n.size\taesni_gcm_decrypt,.-aesni_gcm_decrypt\n.type\t_aesni_ctr32_6x,@function\n.align\t32\n_aesni_ctr32_6x:\n.cfi_startproc\t\n\tvmovdqu\t0-128(%rcx),%xmm4\n\tvmovdqu\t32(%r11),%xmm2\n\tleaq\t-1(%r10),%r13\n\tvmovups\t16-128(%rcx),%xmm15\n\tleaq\t32-128(%rcx),%r12\n\tvpxor\t%xmm4,%xmm1,%xmm9\n\taddl\t$100663296,%ebx\n\tjc\t.Lhandle_ctr32_2\n\tvpaddb\t%xmm2,%xmm1,%xmm10\n\tvpaddb\t%xmm2,%xmm10,%xmm11\n\tvpxor\t%xmm4,%xmm10,%xmm10\n\tvpaddb\t%xmm2,%xmm11,%xmm12\n\tvpxor\t%xmm4,%xmm11,%xmm11\n\tvpaddb\t%xmm2,%xmm12,%xmm13\n\tvpxor\t%xmm4,%xmm12,%xmm12\n\tvpaddb\t%xmm2,%xmm13,%xmm14\n\tvpxor\t%xmm4,%xmm13,%xmm13\n\tvpaddb\t%xmm2,%xmm14,%xmm1\n\tvpxor\t%xmm4,%xmm14,%xmm14\n\tjmp\t.Loop_ctr32\n\n.align\t16\n.Loop_ctr32:\n\tvaesenc\t%xmm15,%xmm9,%xmm9\n\tvaesenc\t%xmm15,%xmm10,%xmm10\n\tvaesenc\t%xmm15,%xmm11,%xmm11\n\tvaesenc\t%xmm15,%xmm12,%xmm12\n\tvaesenc\t%xmm15,%xmm13,%xmm13\n\tvaesenc\t%xmm15,%xmm14,%xmm14\n\tvmovups\t(%r12),%xmm15\n\tleaq\t16(%r12),%r12\n\tdecl\t%r13d\n\tjnz\t.Loop_ctr32\n\n\tvmovdqu\t(%r12),%xmm3\n\tvaesenc\t%xmm15,%xmm9,%xmm9\n\tvpxor\t0(%rdi),%xmm3,%xmm4\n\tvaesenc\t%xmm15,%xmm10,%xmm10\n\tvpxor\t16(%rdi),%xmm3,%xmm5\n\tvaesenc\t%xmm15,%xmm11,%xmm11\n\tvpxor\t32(%rdi),%xmm3,%xmm6\n\tvaesenc\t%xmm15,%xmm12,%xmm12\n\tvpxor\t48(%rdi),%xmm3,%xmm8\n\tvaesenc\t%xmm15,%xmm13,%xmm13\n\tvpxor\t64(%rdi),%xmm3,%xmm2\n\tvaesenc\t%xmm15,%xmm14,%xmm14\n\tvpxor\t80(%rdi),%xmm3,%xmm3\n\tleaq\t96(%rdi),%rdi\n\n\tvaesenclast\t%xmm4,%xmm9,%xmm9\n\tvaesenclast\t%xmm5,%xmm10,%xmm10\n\tvaesenclast\t%xmm6,%xmm11,%xmm11\n\tvaesenclast\t%xmm8,%xmm12,%xmm12\n\tvaesenclast\t%xmm2,%xmm13,%xmm13\n\tvaesenclast\t%xmm3,%xmm14,%xmm14\n\tvmovups\t%xmm9,0(%rsi)\n\tvmovups\t%xmm10,16(%rsi)\n\tvmovups\t%xmm11,32(%rsi)\n\tvmovups\t%xmm12,48(%rsi)\n\tvmovups\t%xmm13,64(%rsi)\n\tvmovups\t%xmm14,80(%rsi)\n\tleaq\t96(%rsi),%rsi\n\n\tret\n.align\t32\n.Lhandle_ctr32_2:\n\tvpshufb\t%xmm0,%xmm1,%xmm6\n\tvmovdqu\t48(%r11),%xmm5\n\tvpaddd\t64(%r11),%xmm6,%xmm10\n\tvpaddd\t%xmm5,%xmm6,%xmm11\n\tvpaddd\t%xmm5,%xmm10,%xmm12\n\tvpshufb\t%xmm0,%xmm10,%xmm10\n\tvpaddd\t%xmm5,%xmm11,%xmm13\n\tvpshufb\t%xmm0,%xmm11,%xmm11\n\tvpxor\t%xmm4,%xmm10,%xmm10\n\tvpaddd\t%xmm5,%xmm12,%xmm14\n\tvpshufb\t%xmm0,%xmm12,%xmm12\n\tvpxor\t%xmm4,%xmm11,%xmm11\n\tvpaddd\t%xmm5,%xmm13,%xmm1\n\tvpshufb\t%xmm0,%xmm13,%xmm13\n\tvpxor\t%xmm4,%xmm12,%xmm12\n\tvpshufb\t%xmm0,%xmm14,%xmm14\n\tvpxor\t%xmm4,%xmm13,%xmm13\n\tvpshufb\t%xmm0,%xmm1,%xmm1\n\tvpxor\t%xmm4,%xmm14,%xmm14\n\tjmp\t.Loop_ctr32\n.cfi_endproc\t\n.size\t_aesni_ctr32_6x,.-_aesni_ctr32_6x\n\n.globl\taesni_gcm_encrypt\n.hidden aesni_gcm_encrypt\n.type\taesni_gcm_encrypt,@function\n.align\t32\naesni_gcm_encrypt:\n.cfi_startproc\t\n\n_CET_ENDBR\n#ifdef BORINGSSL_DISPATCH_TEST\n.extern\tBORINGSSL_function_hit\n.hidden BORINGSSL_function_hit\n\tmovb\t$1,BORINGSSL_function_hit+2(%rip)\n#endif\n\txorq\t%rax,%rax\n\n\n\n\n\tcmpq\t$288,%rdx\n\tjb\t.Lgcm_enc_abort\n\n\tpushq\t%rbp\n.cfi_adjust_cfa_offset\t8\n.cfi_offset\t%rbp,-16\n\n\tmovq\t%rsp,%rbp\n.cfi_def_cfa_register\t%rbp\n\tpushq\t%rbx\n.cfi_offset\t%rbx,-24\n\n\tpushq\t%r12\n.cfi_offset\t%r12,-32\n\n\tpushq\t%r13\n.cfi_offset\t%r13,-40\n\n\tpushq\t%r14\n.cfi_offset\t%r14,-48\n\n\tpushq\t%r15\n.cfi_offset\t%r15,-56\n\n\tvzeroupper\n\n\tvmovdqu\t(%r8),%xmm1\n\taddq\t$-128,%rsp\n\tmovl\t12(%r8),%ebx\n\tleaq\t.Lbswap_mask(%rip),%r11\n\tleaq\t-128(%rcx),%r14\n\tmovq\t$0xf80,%r15\n\tleaq\t128(%rcx),%rcx\n\tvmovdqu\t(%r11),%xmm0\n\tandq\t$-128,%rsp\n\tmovl\t240-128(%rcx),%r10d\n\n\tandq\t%r15,%r14\n\tandq\t%rsp,%r15\n\tsubq\t%r14,%r15\n\tjc\t.Lenc_no_key_aliasing\n\tcmpq\t$768,%r15\n\tjnc\t.Lenc_no_key_aliasing\n\tsubq\t%r15,%rsp\n.Lenc_no_key_aliasing:\n\n\tmovq\t%rsi,%r14\n\n\n\n\n\n\n\n\n\tleaq\t-192(%rsi,%rdx,1),%r15\n\n\tshrq\t$4,%rdx\n\n\tcall\t_aesni_ctr32_6x\n\tvpshufb\t%xmm0,%xmm9,%xmm8\n\tvpshufb\t%xmm0,%xmm10,%xmm2\n\tvmovdqu\t%xmm8,112(%rsp)\n\tvpshufb\t%xmm0,%xmm11,%xmm4\n\tvmovdqu\t%xmm2,96(%rsp)\n\tvpshufb\t%xmm0,%xmm12,%xmm5\n\tvmovdqu\t%xmm4,80(%rsp)\n\tvpshufb\t%xmm0,%xmm13,%xmm6\n\tvmovdqu\t%xmm5,64(%rsp)\n\tvpshufb\t%xmm0,%xmm14,%xmm7\n\tvmovdqu\t%xmm6,48(%rsp)\n\n\tcall\t_aesni_ctr32_6x\n\n\tmovq\t16(%rbp),%r12\n\tleaq\t32(%r9),%r9\n\tvmovdqu\t(%r12),%xmm8\n\tsubq\t$12,%rdx\n\tmovq\t$192,%rax\n\tvpshufb\t%xmm0,%xmm8,%xmm8\n\n\tcall\t_aesni_ctr32_ghash_6x\n\tvmovdqu\t32(%rsp),%xmm7\n\tvmovdqu\t(%r11),%xmm0\n\tvmovdqu\t0-32(%r9),%xmm3\n\tvpunpckhqdq\t%xmm7,%xmm7,%xmm1\n\tvmovdqu\t32-32(%r9),%xmm15\n\tvmovups\t%xmm9,-96(%rsi)\n\tvpshufb\t%xmm0,%xmm9,%xmm9\n\tvpxor\t%xmm7,%xmm1,%xmm1\n\tvmovups\t%xmm10,-80(%rsi)\n\tvpshufb\t%xmm0,%xmm10,%xmm10\n\tvmovups\t%xmm11,-64(%rsi)\n\tvpshufb\t%xmm0,%xmm11,%xmm11\n\tvmovups\t%xmm12,-48(%rsi)\n\tvpshufb\t%xmm0,%xmm12,%xmm12\n\tvmovups\t%xmm13,-32(%rsi)\n\tvpshufb\t%xmm0,%xmm13,%xmm13\n\tvmovups\t%xmm14,-16(%rsi)\n\tvpshufb\t%xmm0,%xmm14,%xmm14\n\tvmovdqu\t%xmm9,16(%rsp)\n\tvmovdqu\t48(%rsp),%xmm6\n\tvmovdqu\t16-32(%r9),%xmm0\n\tvpunpckhqdq\t%xmm6,%xmm6,%xmm2\n\tvpclmulqdq\t$0x00,%xmm3,%xmm7,%xmm5\n\tvpxor\t%xmm6,%xmm2,%xmm2\n\tvpclmulqdq\t$0x11,%xmm3,%xmm7,%xmm7\n\tvpclmulqdq\t$0x00,%xmm15,%xmm1,%xmm1\n\n\tvmovdqu\t64(%rsp),%xmm9\n\tvpclmulqdq\t$0x00,%xmm0,%xmm6,%xmm4\n\tvmovdqu\t48-32(%r9),%xmm3\n\tvpxor\t%xmm5,%xmm4,%xmm4\n\tvpunpckhqdq\t%xmm9,%xmm9,%xmm5\n\tvpclmulqdq\t$0x11,%xmm0,%xmm6,%xmm6\n\tvpxor\t%xmm9,%xmm5,%xmm5\n\tvpxor\t%xmm7,%xmm6,%xmm6\n\tvpclmulqdq\t$0x10,%xmm15,%xmm2,%xmm2\n\tvmovdqu\t80-32(%r9),%xmm15\n\tvpxor\t%xmm1,%xmm2,%xmm2\n\n\tvmovdqu\t80(%rsp),%xmm1\n\tvpclmulqdq\t$0x00,%xmm3,%xmm9,%xmm7\n\tvmovdqu\t64-32(%r9),%xmm0\n\tvpxor\t%xmm4,%xmm7,%xmm7\n\tvpunpckhqdq\t%xmm1,%xmm1,%xmm4\n\tvpclmulqdq\t$0x11,%xmm3,%xmm9,%xmm9\n\tvpxor\t%xmm1,%xmm4,%xmm4\n\tvpxor\t%xmm6,%xmm9,%xmm9\n\tvpclmulqdq\t$0x00,%xmm15,%xmm5,%xmm5\n\tvpxor\t%xmm2,%xmm5,%xmm5\n\n\tvmovdqu\t96(%rsp),%xmm2\n\tvpclmulqdq\t$0x00,%xmm0,%xmm1,%xmm6\n\tvmovdqu\t96-32(%r9),%xmm3\n\tvpxor\t%xmm7,%xmm6,%xmm6\n\tvpunpckhqdq\t%xmm2,%xmm2,%xmm7\n\tvpclmulqdq\t$0x11,%xmm0,%xmm1,%xmm1\n\tvpxor\t%xmm2,%xmm7,%xmm7\n\tvpxor\t%xmm9,%xmm1,%xmm1\n\tvpclmulqdq\t$0x10,%xmm15,%xmm4,%xmm4\n\tvmovdqu\t128-32(%r9),%xmm15\n\tvpxor\t%xmm5,%xmm4,%xmm4\n\n\tvpxor\t112(%rsp),%xmm8,%xmm8\n\tvpclmulqdq\t$0x00,%xmm3,%xmm2,%xmm5\n\tvmovdqu\t112-32(%r9),%xmm0\n\tvpunpckhqdq\t%xmm8,%xmm8,%xmm9\n\tvpxor\t%xmm6,%xmm5,%xmm5\n\tvpclmulqdq\t$0x11,%xmm3,%xmm2,%xmm2\n\tvpxor\t%xmm8,%xmm9,%xmm9\n\tvpxor\t%xmm1,%xmm2,%xmm2\n\tvpclmulqdq\t$0x00,%xmm15,%xmm7,%xmm7\n\tvpxor\t%xmm4,%xmm7,%xmm4\n\n\tvpclmulqdq\t$0x00,%xmm0,%xmm8,%xmm6\n\tvmovdqu\t0-32(%r9),%xmm3\n\tvpunpckhqdq\t%xmm14,%xmm14,%xmm1\n\tvpclmulqdq\t$0x11,%xmm0,%xmm8,%xmm8\n\tvpxor\t%xmm14,%xmm1,%xmm1\n\tvpxor\t%xmm5,%xmm6,%xmm5\n\tvpclmulqdq\t$0x10,%xmm15,%xmm9,%xmm9\n\tvmovdqu\t32-32(%r9),%xmm15\n\tvpxor\t%xmm2,%xmm8,%xmm7\n\tvpxor\t%xmm4,%xmm9,%xmm6\n\n\tvmovdqu\t16-32(%r9),%xmm0\n\tvpxor\t%xmm5,%xmm7,%xmm9\n\tvpclmulqdq\t$0x00,%xmm3,%xmm14,%xmm4\n\tvpxor\t%xmm9,%xmm6,%xmm6\n\tvpunpckhqdq\t%xmm13,%xmm13,%xmm2\n\tvpclmulqdq\t$0x11,%xmm3,%xmm14,%xmm14\n\tvpxor\t%xmm13,%xmm2,%xmm2\n\tvpslldq\t$8,%xmm6,%xmm9\n\tvpclmulqdq\t$0x00,%xmm15,%xmm1,%xmm1\n\tvpxor\t%xmm9,%xmm5,%xmm8\n\tvpsrldq\t$8,%xmm6,%xmm6\n\tvpxor\t%xmm6,%xmm7,%xmm7\n\n\tvpclmulqdq\t$0x00,%xmm0,%xmm13,%xmm5\n\tvmovdqu\t48-32(%r9),%xmm3\n\tvpxor\t%xmm4,%xmm5,%xmm5\n\tvpunpckhqdq\t%xmm12,%xmm12,%xmm9\n\tvpclmulqdq\t$0x11,%xmm0,%xmm13,%xmm13\n\tvpxor\t%xmm12,%xmm9,%xmm9\n\tvpxor\t%xmm14,%xmm13,%xmm13\n\tvpalignr\t$8,%xmm8,%xmm8,%xmm14\n\tvpclmulqdq\t$0x10,%xmm15,%xmm2,%xmm2\n\tvmovdqu\t80-32(%r9),%xmm15\n\tvpxor\t%xmm1,%xmm2,%xmm2\n\n\tvpclmulqdq\t$0x00,%xmm3,%xmm12,%xmm4\n\tvmovdqu\t64-32(%r9),%xmm0\n\tvpxor\t%xmm5,%xmm4,%xmm4\n\tvpunpckhqdq\t%xmm11,%xmm11,%xmm1\n\tvpclmulqdq\t$0x11,%xmm3,%xmm12,%xmm12\n\tvpxor\t%xmm11,%xmm1,%xmm1\n\tvpxor\t%xmm13,%xmm12,%xmm12\n\tvxorps\t16(%rsp),%xmm7,%xmm7\n\tvpclmulqdq\t$0x00,%xmm15,%xmm9,%xmm9\n\tvpxor\t%xmm2,%xmm9,%xmm9\n\n\tvpclmulqdq\t$0x10,16(%r11),%xmm8,%xmm8\n\tvxorps\t%xmm14,%xmm8,%xmm8\n\n\tvpclmulqdq\t$0x00,%xmm0,%xmm11,%xmm5\n\tvmovdqu\t96-32(%r9),%xmm3\n\tvpxor\t%xmm4,%xmm5,%xmm5\n\tvpunpckhqdq\t%xmm10,%xmm10,%xmm2\n\tvpclmulqdq\t$0x11,%xmm0,%xmm11,%xmm11\n\tvpxor\t%xmm10,%xmm2,%xmm2\n\tvpalignr\t$8,%xmm8,%xmm8,%xmm14\n\tvpxor\t%xmm12,%xmm11,%xmm11\n\tvpclmulqdq\t$0x10,%xmm15,%xmm1,%xmm1\n\tvmovdqu\t128-32(%r9),%xmm15\n\tvpxor\t%xmm9,%xmm1,%xmm1\n\n\tvxorps\t%xmm7,%xmm14,%xmm14\n\tvpclmulqdq\t$0x10,16(%r11),%xmm8,%xmm8\n\tvxorps\t%xmm14,%xmm8,%xmm8\n\n\tvpclmulqdq\t$0x00,%xmm3,%xmm10,%xmm4\n\tvmovdqu\t112-32(%r9),%xmm0\n\tvpxor\t%xmm5,%xmm4,%xmm4\n\tvpunpckhqdq\t%xmm8,%xmm8,%xmm9\n\tvpclmulqdq\t$0x11,%xmm3,%xmm10,%xmm10\n\tvpxor\t%xmm8,%xmm9,%xmm9\n\tvpxor\t%xmm11,%xmm10,%xmm10\n\tvpclmulqdq\t$0x00,%xmm15,%xmm2,%xmm2\n\tvpxor\t%xmm1,%xmm2,%xmm2\n\n\tvpclmulqdq\t$0x00,%xmm0,%xmm8,%xmm5\n\tvpclmulqdq\t$0x11,%xmm0,%xmm8,%xmm7\n\tvpxor\t%xmm4,%xmm5,%xmm5\n\tvpclmulqdq\t$0x10,%xmm15,%xmm9,%xmm6\n\tvpxor\t%xmm10,%xmm7,%xmm7\n\tvpxor\t%xmm2,%xmm6,%xmm6\n\n\tvpxor\t%xmm5,%xmm7,%xmm4\n\tvpxor\t%xmm4,%xmm6,%xmm6\n\tvpslldq\t$8,%xmm6,%xmm1\n\tvmovdqu\t16(%r11),%xmm3\n\tvpsrldq\t$8,%xmm6,%xmm6\n\tvpxor\t%xmm1,%xmm5,%xmm8\n\tvpxor\t%xmm6,%xmm7,%xmm7\n\n\tvpalignr\t$8,%xmm8,%xmm8,%xmm2\n\tvpclmulqdq\t$0x10,%xmm3,%xmm8,%xmm8\n\tvpxor\t%xmm2,%xmm8,%xmm8\n\n\tvpalignr\t$8,%xmm8,%xmm8,%xmm2\n\tvpclmulqdq\t$0x10,%xmm3,%xmm8,%xmm8\n\tvpxor\t%xmm7,%xmm2,%xmm2\n\tvpxor\t%xmm2,%xmm8,%xmm8\n\tmovq\t16(%rbp),%r12\n\tvpshufb\t(%r11),%xmm8,%xmm8\n\tvmovdqu\t%xmm8,(%r12)\n\n\tvzeroupper\n\tleaq\t-40(%rbp),%rsp\n.cfi_def_cfa\t%rsp, 0x38\n\tpopq\t%r15\n.cfi_adjust_cfa_offset\t-8\n.cfi_restore\t%r15\n\tpopq\t%r14\n.cfi_adjust_cfa_offset\t-8\n.cfi_restore\t%r14\n\tpopq\t%r13\n.cfi_adjust_cfa_offset\t-8\n.cfi_restore\t%r13\n\tpopq\t%r12\n.cfi_adjust_cfa_offset\t-8\n.cfi_restore\t%r12\n\tpopq\t%rbx\n.cfi_adjust_cfa_offset\t-8\n.cfi_restore\t%rbx\n\tpopq\t%rbp\n.cfi_adjust_cfa_offset\t-8\n.cfi_restore\t%rbp\n.Lgcm_enc_abort:\n\tret\n\n.cfi_endproc\t\n.size\taesni_gcm_encrypt,.-aesni_gcm_encrypt\n.section\t.rodata\n.align\t64\n.Lbswap_mask:\n.byte\t15,14,13,12,11,10,9,8,7,6,5,4,3,2,1,0\n.Lpoly:\n.byte\t0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0xc2\n.Lone_msb:\n.byte\t0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1\n.Ltwo_lsb:\n.byte\t2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0\n.Lone_lsb:\n.byte\t1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0\n.byte\t65,69,83,45,78,73,32,71,67,77,32,109,111,100,117,108,101,32,102,111,114,32,120,56,54,95,54,52,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0\n.align\t64\n.text\t\n#endif\n#if defined(__linux__) && defined(__ELF__)\n.section .note.GNU-stack,\"\",%progbits\n#endif\n\n" }, { "path": "Sources/CNIOBoringSSL/gen/bcm/aesni-x86-apple.S", "content": "#define BORINGSSL_PREFIX CNIOBoringSSL\n// This file is generated from a similarly-named Perl script in the BoringSSL\n// source tree. Do not edit by hand.\n\n#include \n\n#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86) && defined(__APPLE__)\n.text\n#ifdef BORINGSSL_DISPATCH_TEST\n#endif\n.globl\t_aes_hw_encrypt\n.private_extern\t_aes_hw_encrypt\n.align\t4\n_aes_hw_encrypt:\nL_aes_hw_encrypt_begin:\n#ifdef BORINGSSL_DISPATCH_TEST\n\tpushl\t%ebx\n\tpushl\t%edx\n\tcall\tL000pic_for_function_hit\nL000pic_for_function_hit:\n\tpopl\t%ebx\n\tleal\t_BORINGSSL_function_hit+1-L000pic_for_function_hit(%ebx),%ebx\n\tmovl\t$1,%edx\n\tmovb\t%dl,(%ebx)\n\tpopl\t%edx\n\tpopl\t%ebx\n#endif\n\tmovl\t4(%esp),%eax\n\tmovl\t12(%esp),%edx\n\tmovups\t(%eax),%xmm2\n\tmovl\t240(%edx),%ecx\n\tmovl\t8(%esp),%eax\n\tmovups\t(%edx),%xmm0\n\tmovups\t16(%edx),%xmm1\n\tleal\t32(%edx),%edx\n\txorps\t%xmm0,%xmm2\nL001enc1_loop_1:\n.byte\t102,15,56,220,209\n\tdecl\t%ecx\n\tmovups\t(%edx),%xmm1\n\tleal\t16(%edx),%edx\n\tjnz\tL001enc1_loop_1\n.byte\t102,15,56,221,209\n\tpxor\t%xmm0,%xmm0\n\tpxor\t%xmm1,%xmm1\n\tmovups\t%xmm2,(%eax)\n\tpxor\t%xmm2,%xmm2\n\tret\n.globl\t_aes_hw_decrypt\n.private_extern\t_aes_hw_decrypt\n.align\t4\n_aes_hw_decrypt:\nL_aes_hw_decrypt_begin:\n\tmovl\t4(%esp),%eax\n\tmovl\t12(%esp),%edx\n\tmovups\t(%eax),%xmm2\n\tmovl\t240(%edx),%ecx\n\tmovl\t8(%esp),%eax\n\tmovups\t(%edx),%xmm0\n\tmovups\t16(%edx),%xmm1\n\tleal\t32(%edx),%edx\n\txorps\t%xmm0,%xmm2\nL002dec1_loop_2:\n.byte\t102,15,56,222,209\n\tdecl\t%ecx\n\tmovups\t(%edx),%xmm1\n\tleal\t16(%edx),%edx\n\tjnz\tL002dec1_loop_2\n.byte\t102,15,56,223,209\n\tpxor\t%xmm0,%xmm0\n\tpxor\t%xmm1,%xmm1\n\tmovups\t%xmm2,(%eax)\n\tpxor\t%xmm2,%xmm2\n\tret\n.private_extern\t__aesni_encrypt2\n.align\t4\n__aesni_encrypt2:\n\tmovups\t(%edx),%xmm0\n\tshll\t$4,%ecx\n\tmovups\t16(%edx),%xmm1\n\txorps\t%xmm0,%xmm2\n\tpxor\t%xmm0,%xmm3\n\tmovups\t32(%edx),%xmm0\n\tleal\t32(%edx,%ecx,1),%edx\n\tnegl\t%ecx\n\taddl\t$16,%ecx\nL003enc2_loop:\n.byte\t102,15,56,220,209\n.byte\t102,15,56,220,217\n\tmovups\t(%edx,%ecx,1),%xmm1\n\taddl\t$32,%ecx\n.byte\t102,15,56,220,208\n.byte\t102,15,56,220,216\n\tmovups\t-16(%edx,%ecx,1),%xmm0\n\tjnz\tL003enc2_loop\n.byte\t102,15,56,220,209\n.byte\t102,15,56,220,217\n.byte\t102,15,56,221,208\n.byte\t102,15,56,221,216\n\tret\n.private_extern\t__aesni_decrypt2\n.align\t4\n__aesni_decrypt2:\n\tmovups\t(%edx),%xmm0\n\tshll\t$4,%ecx\n\tmovups\t16(%edx),%xmm1\n\txorps\t%xmm0,%xmm2\n\tpxor\t%xmm0,%xmm3\n\tmovups\t32(%edx),%xmm0\n\tleal\t32(%edx,%ecx,1),%edx\n\tnegl\t%ecx\n\taddl\t$16,%ecx\nL004dec2_loop:\n.byte\t102,15,56,222,209\n.byte\t102,15,56,222,217\n\tmovups\t(%edx,%ecx,1),%xmm1\n\taddl\t$32,%ecx\n.byte\t102,15,56,222,208\n.byte\t102,15,56,222,216\n\tmovups\t-16(%edx,%ecx,1),%xmm0\n\tjnz\tL004dec2_loop\n.byte\t102,15,56,222,209\n.byte\t102,15,56,222,217\n.byte\t102,15,56,223,208\n.byte\t102,15,56,223,216\n\tret\n.private_extern\t__aesni_encrypt3\n.align\t4\n__aesni_encrypt3:\n\tmovups\t(%edx),%xmm0\n\tshll\t$4,%ecx\n\tmovups\t16(%edx),%xmm1\n\txorps\t%xmm0,%xmm2\n\tpxor\t%xmm0,%xmm3\n\tpxor\t%xmm0,%xmm4\n\tmovups\t32(%edx),%xmm0\n\tleal\t32(%edx,%ecx,1),%edx\n\tnegl\t%ecx\n\taddl\t$16,%ecx\nL005enc3_loop:\n.byte\t102,15,56,220,209\n.byte\t102,15,56,220,217\n.byte\t102,15,56,220,225\n\tmovups\t(%edx,%ecx,1),%xmm1\n\taddl\t$32,%ecx\n.byte\t102,15,56,220,208\n.byte\t102,15,56,220,216\n.byte\t102,15,56,220,224\n\tmovups\t-16(%edx,%ecx,1),%xmm0\n\tjnz\tL005enc3_loop\n.byte\t102,15,56,220,209\n.byte\t102,15,56,220,217\n.byte\t102,15,56,220,225\n.byte\t102,15,56,221,208\n.byte\t102,15,56,221,216\n.byte\t102,15,56,221,224\n\tret\n.private_extern\t__aesni_decrypt3\n.align\t4\n__aesni_decrypt3:\n\tmovups\t(%edx),%xmm0\n\tshll\t$4,%ecx\n\tmovups\t16(%edx),%xmm1\n\txorps\t%xmm0,%xmm2\n\tpxor\t%xmm0,%xmm3\n\tpxor\t%xmm0,%xmm4\n\tmovups\t32(%edx),%xmm0\n\tleal\t32(%edx,%ecx,1),%edx\n\tnegl\t%ecx\n\taddl\t$16,%ecx\nL006dec3_loop:\n.byte\t102,15,56,222,209\n.byte\t102,15,56,222,217\n.byte\t102,15,56,222,225\n\tmovups\t(%edx,%ecx,1),%xmm1\n\taddl\t$32,%ecx\n.byte\t102,15,56,222,208\n.byte\t102,15,56,222,216\n.byte\t102,15,56,222,224\n\tmovups\t-16(%edx,%ecx,1),%xmm0\n\tjnz\tL006dec3_loop\n.byte\t102,15,56,222,209\n.byte\t102,15,56,222,217\n.byte\t102,15,56,222,225\n.byte\t102,15,56,223,208\n.byte\t102,15,56,223,216\n.byte\t102,15,56,223,224\n\tret\n.private_extern\t__aesni_encrypt4\n.align\t4\n__aesni_encrypt4:\n\tmovups\t(%edx),%xmm0\n\tmovups\t16(%edx),%xmm1\n\tshll\t$4,%ecx\n\txorps\t%xmm0,%xmm2\n\tpxor\t%xmm0,%xmm3\n\tpxor\t%xmm0,%xmm4\n\tpxor\t%xmm0,%xmm5\n\tmovups\t32(%edx),%xmm0\n\tleal\t32(%edx,%ecx,1),%edx\n\tnegl\t%ecx\n.byte\t15,31,64,0\n\taddl\t$16,%ecx\nL007enc4_loop:\n.byte\t102,15,56,220,209\n.byte\t102,15,56,220,217\n.byte\t102,15,56,220,225\n.byte\t102,15,56,220,233\n\tmovups\t(%edx,%ecx,1),%xmm1\n\taddl\t$32,%ecx\n.byte\t102,15,56,220,208\n.byte\t102,15,56,220,216\n.byte\t102,15,56,220,224\n.byte\t102,15,56,220,232\n\tmovups\t-16(%edx,%ecx,1),%xmm0\n\tjnz\tL007enc4_loop\n.byte\t102,15,56,220,209\n.byte\t102,15,56,220,217\n.byte\t102,15,56,220,225\n.byte\t102,15,56,220,233\n.byte\t102,15,56,221,208\n.byte\t102,15,56,221,216\n.byte\t102,15,56,221,224\n.byte\t102,15,56,221,232\n\tret\n.private_extern\t__aesni_decrypt4\n.align\t4\n__aesni_decrypt4:\n\tmovups\t(%edx),%xmm0\n\tmovups\t16(%edx),%xmm1\n\tshll\t$4,%ecx\n\txorps\t%xmm0,%xmm2\n\tpxor\t%xmm0,%xmm3\n\tpxor\t%xmm0,%xmm4\n\tpxor\t%xmm0,%xmm5\n\tmovups\t32(%edx),%xmm0\n\tleal\t32(%edx,%ecx,1),%edx\n\tnegl\t%ecx\n.byte\t15,31,64,0\n\taddl\t$16,%ecx\nL008dec4_loop:\n.byte\t102,15,56,222,209\n.byte\t102,15,56,222,217\n.byte\t102,15,56,222,225\n.byte\t102,15,56,222,233\n\tmovups\t(%edx,%ecx,1),%xmm1\n\taddl\t$32,%ecx\n.byte\t102,15,56,222,208\n.byte\t102,15,56,222,216\n.byte\t102,15,56,222,224\n.byte\t102,15,56,222,232\n\tmovups\t-16(%edx,%ecx,1),%xmm0\n\tjnz\tL008dec4_loop\n.byte\t102,15,56,222,209\n.byte\t102,15,56,222,217\n.byte\t102,15,56,222,225\n.byte\t102,15,56,222,233\n.byte\t102,15,56,223,208\n.byte\t102,15,56,223,216\n.byte\t102,15,56,223,224\n.byte\t102,15,56,223,232\n\tret\n.private_extern\t__aesni_encrypt6\n.align\t4\n__aesni_encrypt6:\n\tmovups\t(%edx),%xmm0\n\tshll\t$4,%ecx\n\tmovups\t16(%edx),%xmm1\n\txorps\t%xmm0,%xmm2\n\tpxor\t%xmm0,%xmm3\n\tpxor\t%xmm0,%xmm4\n.byte\t102,15,56,220,209\n\tpxor\t%xmm0,%xmm5\n\tpxor\t%xmm0,%xmm6\n.byte\t102,15,56,220,217\n\tleal\t32(%edx,%ecx,1),%edx\n\tnegl\t%ecx\n.byte\t102,15,56,220,225\n\tpxor\t%xmm0,%xmm7\n\tmovups\t(%edx,%ecx,1),%xmm0\n\taddl\t$16,%ecx\n\tjmp\tL009_aesni_encrypt6_inner\n.align\t4,0x90\nL010enc6_loop:\n.byte\t102,15,56,220,209\n.byte\t102,15,56,220,217\n.byte\t102,15,56,220,225\nL009_aesni_encrypt6_inner:\n.byte\t102,15,56,220,233\n.byte\t102,15,56,220,241\n.byte\t102,15,56,220,249\nL_aesni_encrypt6_enter:\n\tmovups\t(%edx,%ecx,1),%xmm1\n\taddl\t$32,%ecx\n.byte\t102,15,56,220,208\n.byte\t102,15,56,220,216\n.byte\t102,15,56,220,224\n.byte\t102,15,56,220,232\n.byte\t102,15,56,220,240\n.byte\t102,15,56,220,248\n\tmovups\t-16(%edx,%ecx,1),%xmm0\n\tjnz\tL010enc6_loop\n.byte\t102,15,56,220,209\n.byte\t102,15,56,220,217\n.byte\t102,15,56,220,225\n.byte\t102,15,56,220,233\n.byte\t102,15,56,220,241\n.byte\t102,15,56,220,249\n.byte\t102,15,56,221,208\n.byte\t102,15,56,221,216\n.byte\t102,15,56,221,224\n.byte\t102,15,56,221,232\n.byte\t102,15,56,221,240\n.byte\t102,15,56,221,248\n\tret\n.private_extern\t__aesni_decrypt6\n.align\t4\n__aesni_decrypt6:\n\tmovups\t(%edx),%xmm0\n\tshll\t$4,%ecx\n\tmovups\t16(%edx),%xmm1\n\txorps\t%xmm0,%xmm2\n\tpxor\t%xmm0,%xmm3\n\tpxor\t%xmm0,%xmm4\n.byte\t102,15,56,222,209\n\tpxor\t%xmm0,%xmm5\n\tpxor\t%xmm0,%xmm6\n.byte\t102,15,56,222,217\n\tleal\t32(%edx,%ecx,1),%edx\n\tnegl\t%ecx\n.byte\t102,15,56,222,225\n\tpxor\t%xmm0,%xmm7\n\tmovups\t(%edx,%ecx,1),%xmm0\n\taddl\t$16,%ecx\n\tjmp\tL011_aesni_decrypt6_inner\n.align\t4,0x90\nL012dec6_loop:\n.byte\t102,15,56,222,209\n.byte\t102,15,56,222,217\n.byte\t102,15,56,222,225\nL011_aesni_decrypt6_inner:\n.byte\t102,15,56,222,233\n.byte\t102,15,56,222,241\n.byte\t102,15,56,222,249\nL_aesni_decrypt6_enter:\n\tmovups\t(%edx,%ecx,1),%xmm1\n\taddl\t$32,%ecx\n.byte\t102,15,56,222,208\n.byte\t102,15,56,222,216\n.byte\t102,15,56,222,224\n.byte\t102,15,56,222,232\n.byte\t102,15,56,222,240\n.byte\t102,15,56,222,248\n\tmovups\t-16(%edx,%ecx,1),%xmm0\n\tjnz\tL012dec6_loop\n.byte\t102,15,56,222,209\n.byte\t102,15,56,222,217\n.byte\t102,15,56,222,225\n.byte\t102,15,56,222,233\n.byte\t102,15,56,222,241\n.byte\t102,15,56,222,249\n.byte\t102,15,56,223,208\n.byte\t102,15,56,223,216\n.byte\t102,15,56,223,224\n.byte\t102,15,56,223,232\n.byte\t102,15,56,223,240\n.byte\t102,15,56,223,248\n\tret\n.globl\t_aes_hw_ecb_encrypt\n.private_extern\t_aes_hw_ecb_encrypt\n.align\t4\n_aes_hw_ecb_encrypt:\nL_aes_hw_ecb_encrypt_begin:\n\tpushl\t%ebp\n\tpushl\t%ebx\n\tpushl\t%esi\n\tpushl\t%edi\n\tmovl\t20(%esp),%esi\n\tmovl\t24(%esp),%edi\n\tmovl\t28(%esp),%eax\n\tmovl\t32(%esp),%edx\n\tmovl\t36(%esp),%ebx\n\tandl\t$-16,%eax\n\tjz\tL013ecb_ret\n\tmovl\t240(%edx),%ecx\n\ttestl\t%ebx,%ebx\n\tjz\tL014ecb_decrypt\n\tmovl\t%edx,%ebp\n\tmovl\t%ecx,%ebx\n\tcmpl\t$96,%eax\n\tjb\tL015ecb_enc_tail\n\tmovdqu\t(%esi),%xmm2\n\tmovdqu\t16(%esi),%xmm3\n\tmovdqu\t32(%esi),%xmm4\n\tmovdqu\t48(%esi),%xmm5\n\tmovdqu\t64(%esi),%xmm6\n\tmovdqu\t80(%esi),%xmm7\n\tleal\t96(%esi),%esi\n\tsubl\t$96,%eax\n\tjmp\tL016ecb_enc_loop6_enter\n.align\t4,0x90\nL017ecb_enc_loop6:\n\tmovups\t%xmm2,(%edi)\n\tmovdqu\t(%esi),%xmm2\n\tmovups\t%xmm3,16(%edi)\n\tmovdqu\t16(%esi),%xmm3\n\tmovups\t%xmm4,32(%edi)\n\tmovdqu\t32(%esi),%xmm4\n\tmovups\t%xmm5,48(%edi)\n\tmovdqu\t48(%esi),%xmm5\n\tmovups\t%xmm6,64(%edi)\n\tmovdqu\t64(%esi),%xmm6\n\tmovups\t%xmm7,80(%edi)\n\tleal\t96(%edi),%edi\n\tmovdqu\t80(%esi),%xmm7\n\tleal\t96(%esi),%esi\nL016ecb_enc_loop6_enter:\n\tcall\t__aesni_encrypt6\n\tmovl\t%ebp,%edx\n\tmovl\t%ebx,%ecx\n\tsubl\t$96,%eax\n\tjnc\tL017ecb_enc_loop6\n\tmovups\t%xmm2,(%edi)\n\tmovups\t%xmm3,16(%edi)\n\tmovups\t%xmm4,32(%edi)\n\tmovups\t%xmm5,48(%edi)\n\tmovups\t%xmm6,64(%edi)\n\tmovups\t%xmm7,80(%edi)\n\tleal\t96(%edi),%edi\n\taddl\t$96,%eax\n\tjz\tL013ecb_ret\nL015ecb_enc_tail:\n\tmovups\t(%esi),%xmm2\n\tcmpl\t$32,%eax\n\tjb\tL018ecb_enc_one\n\tmovups\t16(%esi),%xmm3\n\tje\tL019ecb_enc_two\n\tmovups\t32(%esi),%xmm4\n\tcmpl\t$64,%eax\n\tjb\tL020ecb_enc_three\n\tmovups\t48(%esi),%xmm5\n\tje\tL021ecb_enc_four\n\tmovups\t64(%esi),%xmm6\n\txorps\t%xmm7,%xmm7\n\tcall\t__aesni_encrypt6\n\tmovups\t%xmm2,(%edi)\n\tmovups\t%xmm3,16(%edi)\n\tmovups\t%xmm4,32(%edi)\n\tmovups\t%xmm5,48(%edi)\n\tmovups\t%xmm6,64(%edi)\n\tjmp\tL013ecb_ret\n.align\t4,0x90\nL018ecb_enc_one:\n\tmovups\t(%edx),%xmm0\n\tmovups\t16(%edx),%xmm1\n\tleal\t32(%edx),%edx\n\txorps\t%xmm0,%xmm2\nL022enc1_loop_3:\n.byte\t102,15,56,220,209\n\tdecl\t%ecx\n\tmovups\t(%edx),%xmm1\n\tleal\t16(%edx),%edx\n\tjnz\tL022enc1_loop_3\n.byte\t102,15,56,221,209\n\tmovups\t%xmm2,(%edi)\n\tjmp\tL013ecb_ret\n.align\t4,0x90\nL019ecb_enc_two:\n\tcall\t__aesni_encrypt2\n\tmovups\t%xmm2,(%edi)\n\tmovups\t%xmm3,16(%edi)\n\tjmp\tL013ecb_ret\n.align\t4,0x90\nL020ecb_enc_three:\n\tcall\t__aesni_encrypt3\n\tmovups\t%xmm2,(%edi)\n\tmovups\t%xmm3,16(%edi)\n\tmovups\t%xmm4,32(%edi)\n\tjmp\tL013ecb_ret\n.align\t4,0x90\nL021ecb_enc_four:\n\tcall\t__aesni_encrypt4\n\tmovups\t%xmm2,(%edi)\n\tmovups\t%xmm3,16(%edi)\n\tmovups\t%xmm4,32(%edi)\n\tmovups\t%xmm5,48(%edi)\n\tjmp\tL013ecb_ret\n.align\t4,0x90\nL014ecb_decrypt:\n\tmovl\t%edx,%ebp\n\tmovl\t%ecx,%ebx\n\tcmpl\t$96,%eax\n\tjb\tL023ecb_dec_tail\n\tmovdqu\t(%esi),%xmm2\n\tmovdqu\t16(%esi),%xmm3\n\tmovdqu\t32(%esi),%xmm4\n\tmovdqu\t48(%esi),%xmm5\n\tmovdqu\t64(%esi),%xmm6\n\tmovdqu\t80(%esi),%xmm7\n\tleal\t96(%esi),%esi\n\tsubl\t$96,%eax\n\tjmp\tL024ecb_dec_loop6_enter\n.align\t4,0x90\nL025ecb_dec_loop6:\n\tmovups\t%xmm2,(%edi)\n\tmovdqu\t(%esi),%xmm2\n\tmovups\t%xmm3,16(%edi)\n\tmovdqu\t16(%esi),%xmm3\n\tmovups\t%xmm4,32(%edi)\n\tmovdqu\t32(%esi),%xmm4\n\tmovups\t%xmm5,48(%edi)\n\tmovdqu\t48(%esi),%xmm5\n\tmovups\t%xmm6,64(%edi)\n\tmovdqu\t64(%esi),%xmm6\n\tmovups\t%xmm7,80(%edi)\n\tleal\t96(%edi),%edi\n\tmovdqu\t80(%esi),%xmm7\n\tleal\t96(%esi),%esi\nL024ecb_dec_loop6_enter:\n\tcall\t__aesni_decrypt6\n\tmovl\t%ebp,%edx\n\tmovl\t%ebx,%ecx\n\tsubl\t$96,%eax\n\tjnc\tL025ecb_dec_loop6\n\tmovups\t%xmm2,(%edi)\n\tmovups\t%xmm3,16(%edi)\n\tmovups\t%xmm4,32(%edi)\n\tmovups\t%xmm5,48(%edi)\n\tmovups\t%xmm6,64(%edi)\n\tmovups\t%xmm7,80(%edi)\n\tleal\t96(%edi),%edi\n\taddl\t$96,%eax\n\tjz\tL013ecb_ret\nL023ecb_dec_tail:\n\tmovups\t(%esi),%xmm2\n\tcmpl\t$32,%eax\n\tjb\tL026ecb_dec_one\n\tmovups\t16(%esi),%xmm3\n\tje\tL027ecb_dec_two\n\tmovups\t32(%esi),%xmm4\n\tcmpl\t$64,%eax\n\tjb\tL028ecb_dec_three\n\tmovups\t48(%esi),%xmm5\n\tje\tL029ecb_dec_four\n\tmovups\t64(%esi),%xmm6\n\txorps\t%xmm7,%xmm7\n\tcall\t__aesni_decrypt6\n\tmovups\t%xmm2,(%edi)\n\tmovups\t%xmm3,16(%edi)\n\tmovups\t%xmm4,32(%edi)\n\tmovups\t%xmm5,48(%edi)\n\tmovups\t%xmm6,64(%edi)\n\tjmp\tL013ecb_ret\n.align\t4,0x90\nL026ecb_dec_one:\n\tmovups\t(%edx),%xmm0\n\tmovups\t16(%edx),%xmm1\n\tleal\t32(%edx),%edx\n\txorps\t%xmm0,%xmm2\nL030dec1_loop_4:\n.byte\t102,15,56,222,209\n\tdecl\t%ecx\n\tmovups\t(%edx),%xmm1\n\tleal\t16(%edx),%edx\n\tjnz\tL030dec1_loop_4\n.byte\t102,15,56,223,209\n\tmovups\t%xmm2,(%edi)\n\tjmp\tL013ecb_ret\n.align\t4,0x90\nL027ecb_dec_two:\n\tcall\t__aesni_decrypt2\n\tmovups\t%xmm2,(%edi)\n\tmovups\t%xmm3,16(%edi)\n\tjmp\tL013ecb_ret\n.align\t4,0x90\nL028ecb_dec_three:\n\tcall\t__aesni_decrypt3\n\tmovups\t%xmm2,(%edi)\n\tmovups\t%xmm3,16(%edi)\n\tmovups\t%xmm4,32(%edi)\n\tjmp\tL013ecb_ret\n.align\t4,0x90\nL029ecb_dec_four:\n\tcall\t__aesni_decrypt4\n\tmovups\t%xmm2,(%edi)\n\tmovups\t%xmm3,16(%edi)\n\tmovups\t%xmm4,32(%edi)\n\tmovups\t%xmm5,48(%edi)\nL013ecb_ret:\n\tpxor\t%xmm0,%xmm0\n\tpxor\t%xmm1,%xmm1\n\tpxor\t%xmm2,%xmm2\n\tpxor\t%xmm3,%xmm3\n\tpxor\t%xmm4,%xmm4\n\tpxor\t%xmm5,%xmm5\n\tpxor\t%xmm6,%xmm6\n\tpxor\t%xmm7,%xmm7\n\tpopl\t%edi\n\tpopl\t%esi\n\tpopl\t%ebx\n\tpopl\t%ebp\n\tret\n.globl\t_aes_hw_ccm64_encrypt_blocks\n.private_extern\t_aes_hw_ccm64_encrypt_blocks\n.align\t4\n_aes_hw_ccm64_encrypt_blocks:\nL_aes_hw_ccm64_encrypt_blocks_begin:\n\tpushl\t%ebp\n\tpushl\t%ebx\n\tpushl\t%esi\n\tpushl\t%edi\n\tmovl\t20(%esp),%esi\n\tmovl\t24(%esp),%edi\n\tmovl\t28(%esp),%eax\n\tmovl\t32(%esp),%edx\n\tmovl\t36(%esp),%ebx\n\tmovl\t40(%esp),%ecx\n\tmovl\t%esp,%ebp\n\tsubl\t$60,%esp\n\tandl\t$-16,%esp\n\tmovl\t%ebp,48(%esp)\n\tmovdqu\t(%ebx),%xmm7\n\tmovdqu\t(%ecx),%xmm3\n\tmovl\t240(%edx),%ecx\n\tmovl\t$202182159,(%esp)\n\tmovl\t$134810123,4(%esp)\n\tmovl\t$67438087,8(%esp)\n\tmovl\t$66051,12(%esp)\n\tmovl\t$1,%ebx\n\txorl\t%ebp,%ebp\n\tmovl\t%ebx,16(%esp)\n\tmovl\t%ebp,20(%esp)\n\tmovl\t%ebp,24(%esp)\n\tmovl\t%ebp,28(%esp)\n\tshll\t$4,%ecx\n\tmovl\t$16,%ebx\n\tleal\t(%edx),%ebp\n\tmovdqa\t(%esp),%xmm5\n\tmovdqa\t%xmm7,%xmm2\n\tleal\t32(%edx,%ecx,1),%edx\n\tsubl\t%ecx,%ebx\n.byte\t102,15,56,0,253\nL031ccm64_enc_outer:\n\tmovups\t(%ebp),%xmm0\n\tmovl\t%ebx,%ecx\n\tmovups\t(%esi),%xmm6\n\txorps\t%xmm0,%xmm2\n\tmovups\t16(%ebp),%xmm1\n\txorps\t%xmm6,%xmm0\n\txorps\t%xmm0,%xmm3\n\tmovups\t32(%ebp),%xmm0\nL032ccm64_enc2_loop:\n.byte\t102,15,56,220,209\n.byte\t102,15,56,220,217\n\tmovups\t(%edx,%ecx,1),%xmm1\n\taddl\t$32,%ecx\n.byte\t102,15,56,220,208\n.byte\t102,15,56,220,216\n\tmovups\t-16(%edx,%ecx,1),%xmm0\n\tjnz\tL032ccm64_enc2_loop\n.byte\t102,15,56,220,209\n.byte\t102,15,56,220,217\n\tpaddq\t16(%esp),%xmm7\n\tdecl\t%eax\n.byte\t102,15,56,221,208\n.byte\t102,15,56,221,216\n\tleal\t16(%esi),%esi\n\txorps\t%xmm2,%xmm6\n\tmovdqa\t%xmm7,%xmm2\n\tmovups\t%xmm6,(%edi)\n.byte\t102,15,56,0,213\n\tleal\t16(%edi),%edi\n\tjnz\tL031ccm64_enc_outer\n\tmovl\t48(%esp),%esp\n\tmovl\t40(%esp),%edi\n\tmovups\t%xmm3,(%edi)\n\tpxor\t%xmm0,%xmm0\n\tpxor\t%xmm1,%xmm1\n\tpxor\t%xmm2,%xmm2\n\tpxor\t%xmm3,%xmm3\n\tpxor\t%xmm4,%xmm4\n\tpxor\t%xmm5,%xmm5\n\tpxor\t%xmm6,%xmm6\n\tpxor\t%xmm7,%xmm7\n\tpopl\t%edi\n\tpopl\t%esi\n\tpopl\t%ebx\n\tpopl\t%ebp\n\tret\n.globl\t_aes_hw_ccm64_decrypt_blocks\n.private_extern\t_aes_hw_ccm64_decrypt_blocks\n.align\t4\n_aes_hw_ccm64_decrypt_blocks:\nL_aes_hw_ccm64_decrypt_blocks_begin:\n\tpushl\t%ebp\n\tpushl\t%ebx\n\tpushl\t%esi\n\tpushl\t%edi\n\tmovl\t20(%esp),%esi\n\tmovl\t24(%esp),%edi\n\tmovl\t28(%esp),%eax\n\tmovl\t32(%esp),%edx\n\tmovl\t36(%esp),%ebx\n\tmovl\t40(%esp),%ecx\n\tmovl\t%esp,%ebp\n\tsubl\t$60,%esp\n\tandl\t$-16,%esp\n\tmovl\t%ebp,48(%esp)\n\tmovdqu\t(%ebx),%xmm7\n\tmovdqu\t(%ecx),%xmm3\n\tmovl\t240(%edx),%ecx\n\tmovl\t$202182159,(%esp)\n\tmovl\t$134810123,4(%esp)\n\tmovl\t$67438087,8(%esp)\n\tmovl\t$66051,12(%esp)\n\tmovl\t$1,%ebx\n\txorl\t%ebp,%ebp\n\tmovl\t%ebx,16(%esp)\n\tmovl\t%ebp,20(%esp)\n\tmovl\t%ebp,24(%esp)\n\tmovl\t%ebp,28(%esp)\n\tmovdqa\t(%esp),%xmm5\n\tmovdqa\t%xmm7,%xmm2\n\tmovl\t%edx,%ebp\n\tmovl\t%ecx,%ebx\n.byte\t102,15,56,0,253\n\tmovups\t(%edx),%xmm0\n\tmovups\t16(%edx),%xmm1\n\tleal\t32(%edx),%edx\n\txorps\t%xmm0,%xmm2\nL033enc1_loop_5:\n.byte\t102,15,56,220,209\n\tdecl\t%ecx\n\tmovups\t(%edx),%xmm1\n\tleal\t16(%edx),%edx\n\tjnz\tL033enc1_loop_5\n.byte\t102,15,56,221,209\n\tshll\t$4,%ebx\n\tmovl\t$16,%ecx\n\tmovups\t(%esi),%xmm6\n\tpaddq\t16(%esp),%xmm7\n\tleal\t16(%esi),%esi\n\tsubl\t%ebx,%ecx\n\tleal\t32(%ebp,%ebx,1),%edx\n\tmovl\t%ecx,%ebx\n\tjmp\tL034ccm64_dec_outer\n.align\t4,0x90\nL034ccm64_dec_outer:\n\txorps\t%xmm2,%xmm6\n\tmovdqa\t%xmm7,%xmm2\n\tmovups\t%xmm6,(%edi)\n\tleal\t16(%edi),%edi\n.byte\t102,15,56,0,213\n\tsubl\t$1,%eax\n\tjz\tL035ccm64_dec_break\n\tmovups\t(%ebp),%xmm0\n\tmovl\t%ebx,%ecx\n\tmovups\t16(%ebp),%xmm1\n\txorps\t%xmm0,%xmm6\n\txorps\t%xmm0,%xmm2\n\txorps\t%xmm6,%xmm3\n\tmovups\t32(%ebp),%xmm0\nL036ccm64_dec2_loop:\n.byte\t102,15,56,220,209\n.byte\t102,15,56,220,217\n\tmovups\t(%edx,%ecx,1),%xmm1\n\taddl\t$32,%ecx\n.byte\t102,15,56,220,208\n.byte\t102,15,56,220,216\n\tmovups\t-16(%edx,%ecx,1),%xmm0\n\tjnz\tL036ccm64_dec2_loop\n\tmovups\t(%esi),%xmm6\n\tpaddq\t16(%esp),%xmm7\n.byte\t102,15,56,220,209\n.byte\t102,15,56,220,217\n.byte\t102,15,56,221,208\n.byte\t102,15,56,221,216\n\tleal\t16(%esi),%esi\n\tjmp\tL034ccm64_dec_outer\n.align\t4,0x90\nL035ccm64_dec_break:\n\tmovl\t240(%ebp),%ecx\n\tmovl\t%ebp,%edx\n\tmovups\t(%edx),%xmm0\n\tmovups\t16(%edx),%xmm1\n\txorps\t%xmm0,%xmm6\n\tleal\t32(%edx),%edx\n\txorps\t%xmm6,%xmm3\nL037enc1_loop_6:\n.byte\t102,15,56,220,217\n\tdecl\t%ecx\n\tmovups\t(%edx),%xmm1\n\tleal\t16(%edx),%edx\n\tjnz\tL037enc1_loop_6\n.byte\t102,15,56,221,217\n\tmovl\t48(%esp),%esp\n\tmovl\t40(%esp),%edi\n\tmovups\t%xmm3,(%edi)\n\tpxor\t%xmm0,%xmm0\n\tpxor\t%xmm1,%xmm1\n\tpxor\t%xmm2,%xmm2\n\tpxor\t%xmm3,%xmm3\n\tpxor\t%xmm4,%xmm4\n\tpxor\t%xmm5,%xmm5\n\tpxor\t%xmm6,%xmm6\n\tpxor\t%xmm7,%xmm7\n\tpopl\t%edi\n\tpopl\t%esi\n\tpopl\t%ebx\n\tpopl\t%ebp\n\tret\n.globl\t_aes_hw_ctr32_encrypt_blocks\n.private_extern\t_aes_hw_ctr32_encrypt_blocks\n.align\t4\n_aes_hw_ctr32_encrypt_blocks:\nL_aes_hw_ctr32_encrypt_blocks_begin:\n\tpushl\t%ebp\n\tpushl\t%ebx\n\tpushl\t%esi\n\tpushl\t%edi\n#ifdef BORINGSSL_DISPATCH_TEST\n\tpushl\t%ebx\n\tpushl\t%edx\n\tcall\tL038pic_for_function_hit\nL038pic_for_function_hit:\n\tpopl\t%ebx\n\tleal\t_BORINGSSL_function_hit+0-L038pic_for_function_hit(%ebx),%ebx\n\tmovl\t$1,%edx\n\tmovb\t%dl,(%ebx)\n\tpopl\t%edx\n\tpopl\t%ebx\n#endif\n\tmovl\t20(%esp),%esi\n\tmovl\t24(%esp),%edi\n\tmovl\t28(%esp),%eax\n\tmovl\t32(%esp),%edx\n\tmovl\t36(%esp),%ebx\n\tmovl\t%esp,%ebp\n\tsubl\t$88,%esp\n\tandl\t$-16,%esp\n\tmovl\t%ebp,80(%esp)\n\tcmpl\t$1,%eax\n\tje\tL039ctr32_one_shortcut\n\tmovdqu\t(%ebx),%xmm7\n\tmovl\t$202182159,(%esp)\n\tmovl\t$134810123,4(%esp)\n\tmovl\t$67438087,8(%esp)\n\tmovl\t$66051,12(%esp)\n\tmovl\t$6,%ecx\n\txorl\t%ebp,%ebp\n\tmovl\t%ecx,16(%esp)\n\tmovl\t%ecx,20(%esp)\n\tmovl\t%ecx,24(%esp)\n\tmovl\t%ebp,28(%esp)\n.byte\t102,15,58,22,251,3\n.byte\t102,15,58,34,253,3\n\tmovl\t240(%edx),%ecx\n\tbswap\t%ebx\n\tpxor\t%xmm0,%xmm0\n\tpxor\t%xmm1,%xmm1\n\tmovdqa\t(%esp),%xmm2\n.byte\t102,15,58,34,195,0\n\tleal\t3(%ebx),%ebp\n.byte\t102,15,58,34,205,0\n\tincl\t%ebx\n.byte\t102,15,58,34,195,1\n\tincl\t%ebp\n.byte\t102,15,58,34,205,1\n\tincl\t%ebx\n.byte\t102,15,58,34,195,2\n\tincl\t%ebp\n.byte\t102,15,58,34,205,2\n\tmovdqa\t%xmm0,48(%esp)\n.byte\t102,15,56,0,194\n\tmovdqu\t(%edx),%xmm6\n\tmovdqa\t%xmm1,64(%esp)\n.byte\t102,15,56,0,202\n\tpshufd\t$192,%xmm0,%xmm2\n\tpshufd\t$128,%xmm0,%xmm3\n\tcmpl\t$6,%eax\n\tjb\tL040ctr32_tail\n\tpxor\t%xmm6,%xmm7\n\tshll\t$4,%ecx\n\tmovl\t$16,%ebx\n\tmovdqa\t%xmm7,32(%esp)\n\tmovl\t%edx,%ebp\n\tsubl\t%ecx,%ebx\n\tleal\t32(%edx,%ecx,1),%edx\n\tsubl\t$6,%eax\n\tjmp\tL041ctr32_loop6\n.align\t4,0x90\nL041ctr32_loop6:\n\tpshufd\t$64,%xmm0,%xmm4\n\tmovdqa\t32(%esp),%xmm0\n\tpshufd\t$192,%xmm1,%xmm5\n\tpxor\t%xmm0,%xmm2\n\tpshufd\t$128,%xmm1,%xmm6\n\tpxor\t%xmm0,%xmm3\n\tpshufd\t$64,%xmm1,%xmm7\n\tmovups\t16(%ebp),%xmm1\n\tpxor\t%xmm0,%xmm4\n\tpxor\t%xmm0,%xmm5\n.byte\t102,15,56,220,209\n\tpxor\t%xmm0,%xmm6\n\tpxor\t%xmm0,%xmm7\n.byte\t102,15,56,220,217\n\tmovups\t32(%ebp),%xmm0\n\tmovl\t%ebx,%ecx\n.byte\t102,15,56,220,225\n.byte\t102,15,56,220,233\n.byte\t102,15,56,220,241\n.byte\t102,15,56,220,249\n\tcall\tL_aesni_encrypt6_enter\n\tmovups\t(%esi),%xmm1\n\tmovups\t16(%esi),%xmm0\n\txorps\t%xmm1,%xmm2\n\tmovups\t32(%esi),%xmm1\n\txorps\t%xmm0,%xmm3\n\tmovups\t%xmm2,(%edi)\n\tmovdqa\t16(%esp),%xmm0\n\txorps\t%xmm1,%xmm4\n\tmovdqa\t64(%esp),%xmm1\n\tmovups\t%xmm3,16(%edi)\n\tmovups\t%xmm4,32(%edi)\n\tpaddd\t%xmm0,%xmm1\n\tpaddd\t48(%esp),%xmm0\n\tmovdqa\t(%esp),%xmm2\n\tmovups\t48(%esi),%xmm3\n\tmovups\t64(%esi),%xmm4\n\txorps\t%xmm3,%xmm5\n\tmovups\t80(%esi),%xmm3\n\tleal\t96(%esi),%esi\n\tmovdqa\t%xmm0,48(%esp)\n.byte\t102,15,56,0,194\n\txorps\t%xmm4,%xmm6\n\tmovups\t%xmm5,48(%edi)\n\txorps\t%xmm3,%xmm7\n\tmovdqa\t%xmm1,64(%esp)\n.byte\t102,15,56,0,202\n\tmovups\t%xmm6,64(%edi)\n\tpshufd\t$192,%xmm0,%xmm2\n\tmovups\t%xmm7,80(%edi)\n\tleal\t96(%edi),%edi\n\tpshufd\t$128,%xmm0,%xmm3\n\tsubl\t$6,%eax\n\tjnc\tL041ctr32_loop6\n\taddl\t$6,%eax\n\tjz\tL042ctr32_ret\n\tmovdqu\t(%ebp),%xmm7\n\tmovl\t%ebp,%edx\n\tpxor\t32(%esp),%xmm7\n\tmovl\t240(%ebp),%ecx\nL040ctr32_tail:\n\tpor\t%xmm7,%xmm2\n\tcmpl\t$2,%eax\n\tjb\tL043ctr32_one\n\tpshufd\t$64,%xmm0,%xmm4\n\tpor\t%xmm7,%xmm3\n\tje\tL044ctr32_two\n\tpshufd\t$192,%xmm1,%xmm5\n\tpor\t%xmm7,%xmm4\n\tcmpl\t$4,%eax\n\tjb\tL045ctr32_three\n\tpshufd\t$128,%xmm1,%xmm6\n\tpor\t%xmm7,%xmm5\n\tje\tL046ctr32_four\n\tpor\t%xmm7,%xmm6\n\tcall\t__aesni_encrypt6\n\tmovups\t(%esi),%xmm1\n\tmovups\t16(%esi),%xmm0\n\txorps\t%xmm1,%xmm2\n\tmovups\t32(%esi),%xmm1\n\txorps\t%xmm0,%xmm3\n\tmovups\t48(%esi),%xmm0\n\txorps\t%xmm1,%xmm4\n\tmovups\t64(%esi),%xmm1\n\txorps\t%xmm0,%xmm5\n\tmovups\t%xmm2,(%edi)\n\txorps\t%xmm1,%xmm6\n\tmovups\t%xmm3,16(%edi)\n\tmovups\t%xmm4,32(%edi)\n\tmovups\t%xmm5,48(%edi)\n\tmovups\t%xmm6,64(%edi)\n\tjmp\tL042ctr32_ret\n.align\t4,0x90\nL039ctr32_one_shortcut:\n\tmovups\t(%ebx),%xmm2\n\tmovl\t240(%edx),%ecx\nL043ctr32_one:\n\tmovups\t(%edx),%xmm0\n\tmovups\t16(%edx),%xmm1\n\tleal\t32(%edx),%edx\n\txorps\t%xmm0,%xmm2\nL047enc1_loop_7:\n.byte\t102,15,56,220,209\n\tdecl\t%ecx\n\tmovups\t(%edx),%xmm1\n\tleal\t16(%edx),%edx\n\tjnz\tL047enc1_loop_7\n.byte\t102,15,56,221,209\n\tmovups\t(%esi),%xmm6\n\txorps\t%xmm2,%xmm6\n\tmovups\t%xmm6,(%edi)\n\tjmp\tL042ctr32_ret\n.align\t4,0x90\nL044ctr32_two:\n\tcall\t__aesni_encrypt2\n\tmovups\t(%esi),%xmm5\n\tmovups\t16(%esi),%xmm6\n\txorps\t%xmm5,%xmm2\n\txorps\t%xmm6,%xmm3\n\tmovups\t%xmm2,(%edi)\n\tmovups\t%xmm3,16(%edi)\n\tjmp\tL042ctr32_ret\n.align\t4,0x90\nL045ctr32_three:\n\tcall\t__aesni_encrypt3\n\tmovups\t(%esi),%xmm5\n\tmovups\t16(%esi),%xmm6\n\txorps\t%xmm5,%xmm2\n\tmovups\t32(%esi),%xmm7\n\txorps\t%xmm6,%xmm3\n\tmovups\t%xmm2,(%edi)\n\txorps\t%xmm7,%xmm4\n\tmovups\t%xmm3,16(%edi)\n\tmovups\t%xmm4,32(%edi)\n\tjmp\tL042ctr32_ret\n.align\t4,0x90\nL046ctr32_four:\n\tcall\t__aesni_encrypt4\n\tmovups\t(%esi),%xmm6\n\tmovups\t16(%esi),%xmm7\n\tmovups\t32(%esi),%xmm1\n\txorps\t%xmm6,%xmm2\n\tmovups\t48(%esi),%xmm0\n\txorps\t%xmm7,%xmm3\n\tmovups\t%xmm2,(%edi)\n\txorps\t%xmm1,%xmm4\n\tmovups\t%xmm3,16(%edi)\n\txorps\t%xmm0,%xmm5\n\tmovups\t%xmm4,32(%edi)\n\tmovups\t%xmm5,48(%edi)\nL042ctr32_ret:\n\tpxor\t%xmm0,%xmm0\n\tpxor\t%xmm1,%xmm1\n\tpxor\t%xmm2,%xmm2\n\tpxor\t%xmm3,%xmm3\n\tpxor\t%xmm4,%xmm4\n\tmovdqa\t%xmm0,32(%esp)\n\tpxor\t%xmm5,%xmm5\n\tmovdqa\t%xmm0,48(%esp)\n\tpxor\t%xmm6,%xmm6\n\tmovdqa\t%xmm0,64(%esp)\n\tpxor\t%xmm7,%xmm7\n\tmovl\t80(%esp),%esp\n\tpopl\t%edi\n\tpopl\t%esi\n\tpopl\t%ebx\n\tpopl\t%ebp\n\tret\n.globl\t_aes_hw_xts_encrypt\n.private_extern\t_aes_hw_xts_encrypt\n.align\t4\n_aes_hw_xts_encrypt:\nL_aes_hw_xts_encrypt_begin:\n\tpushl\t%ebp\n\tpushl\t%ebx\n\tpushl\t%esi\n\tpushl\t%edi\n\tmovl\t36(%esp),%edx\n\tmovl\t40(%esp),%esi\n\tmovl\t240(%edx),%ecx\n\tmovups\t(%esi),%xmm2\n\tmovups\t(%edx),%xmm0\n\tmovups\t16(%edx),%xmm1\n\tleal\t32(%edx),%edx\n\txorps\t%xmm0,%xmm2\nL048enc1_loop_8:\n.byte\t102,15,56,220,209\n\tdecl\t%ecx\n\tmovups\t(%edx),%xmm1\n\tleal\t16(%edx),%edx\n\tjnz\tL048enc1_loop_8\n.byte\t102,15,56,221,209\n\tmovl\t20(%esp),%esi\n\tmovl\t24(%esp),%edi\n\tmovl\t28(%esp),%eax\n\tmovl\t32(%esp),%edx\n\tmovl\t%esp,%ebp\n\tsubl\t$120,%esp\n\tmovl\t240(%edx),%ecx\n\tandl\t$-16,%esp\n\tmovl\t$135,96(%esp)\n\tmovl\t$0,100(%esp)\n\tmovl\t$1,104(%esp)\n\tmovl\t$0,108(%esp)\n\tmovl\t%eax,112(%esp)\n\tmovl\t%ebp,116(%esp)\n\tmovdqa\t%xmm2,%xmm1\n\tpxor\t%xmm0,%xmm0\n\tmovdqa\t96(%esp),%xmm3\n\tpcmpgtd\t%xmm1,%xmm0\n\tandl\t$-16,%eax\n\tmovl\t%edx,%ebp\n\tmovl\t%ecx,%ebx\n\tsubl\t$96,%eax\n\tjc\tL049xts_enc_short\n\tshll\t$4,%ecx\n\tmovl\t$16,%ebx\n\tsubl\t%ecx,%ebx\n\tleal\t32(%edx,%ecx,1),%edx\n\tjmp\tL050xts_enc_loop6\n.align\t4,0x90\nL050xts_enc_loop6:\n\tpshufd\t$19,%xmm0,%xmm2\n\tpxor\t%xmm0,%xmm0\n\tmovdqa\t%xmm1,(%esp)\n\tpaddq\t%xmm1,%xmm1\n\tpand\t%xmm3,%xmm2\n\tpcmpgtd\t%xmm1,%xmm0\n\tpxor\t%xmm2,%xmm1\n\tpshufd\t$19,%xmm0,%xmm2\n\tpxor\t%xmm0,%xmm0\n\tmovdqa\t%xmm1,16(%esp)\n\tpaddq\t%xmm1,%xmm1\n\tpand\t%xmm3,%xmm2\n\tpcmpgtd\t%xmm1,%xmm0\n\tpxor\t%xmm2,%xmm1\n\tpshufd\t$19,%xmm0,%xmm2\n\tpxor\t%xmm0,%xmm0\n\tmovdqa\t%xmm1,32(%esp)\n\tpaddq\t%xmm1,%xmm1\n\tpand\t%xmm3,%xmm2\n\tpcmpgtd\t%xmm1,%xmm0\n\tpxor\t%xmm2,%xmm1\n\tpshufd\t$19,%xmm0,%xmm2\n\tpxor\t%xmm0,%xmm0\n\tmovdqa\t%xmm1,48(%esp)\n\tpaddq\t%xmm1,%xmm1\n\tpand\t%xmm3,%xmm2\n\tpcmpgtd\t%xmm1,%xmm0\n\tpxor\t%xmm2,%xmm1\n\tpshufd\t$19,%xmm0,%xmm7\n\tmovdqa\t%xmm1,64(%esp)\n\tpaddq\t%xmm1,%xmm1\n\tmovups\t(%ebp),%xmm0\n\tpand\t%xmm3,%xmm7\n\tmovups\t(%esi),%xmm2\n\tpxor\t%xmm1,%xmm7\n\tmovl\t%ebx,%ecx\n\tmovdqu\t16(%esi),%xmm3\n\txorps\t%xmm0,%xmm2\n\tmovdqu\t32(%esi),%xmm4\n\tpxor\t%xmm0,%xmm3\n\tmovdqu\t48(%esi),%xmm5\n\tpxor\t%xmm0,%xmm4\n\tmovdqu\t64(%esi),%xmm6\n\tpxor\t%xmm0,%xmm5\n\tmovdqu\t80(%esi),%xmm1\n\tpxor\t%xmm0,%xmm6\n\tleal\t96(%esi),%esi\n\tpxor\t(%esp),%xmm2\n\tmovdqa\t%xmm7,80(%esp)\n\tpxor\t%xmm1,%xmm7\n\tmovups\t16(%ebp),%xmm1\n\tpxor\t16(%esp),%xmm3\n\tpxor\t32(%esp),%xmm4\n.byte\t102,15,56,220,209\n\tpxor\t48(%esp),%xmm5\n\tpxor\t64(%esp),%xmm6\n.byte\t102,15,56,220,217\n\tpxor\t%xmm0,%xmm7\n\tmovups\t32(%ebp),%xmm0\n.byte\t102,15,56,220,225\n.byte\t102,15,56,220,233\n.byte\t102,15,56,220,241\n.byte\t102,15,56,220,249\n\tcall\tL_aesni_encrypt6_enter\n\tmovdqa\t80(%esp),%xmm1\n\tpxor\t%xmm0,%xmm0\n\txorps\t(%esp),%xmm2\n\tpcmpgtd\t%xmm1,%xmm0\n\txorps\t16(%esp),%xmm3\n\tmovups\t%xmm2,(%edi)\n\txorps\t32(%esp),%xmm4\n\tmovups\t%xmm3,16(%edi)\n\txorps\t48(%esp),%xmm5\n\tmovups\t%xmm4,32(%edi)\n\txorps\t64(%esp),%xmm6\n\tmovups\t%xmm5,48(%edi)\n\txorps\t%xmm1,%xmm7\n\tmovups\t%xmm6,64(%edi)\n\tpshufd\t$19,%xmm0,%xmm2\n\tmovups\t%xmm7,80(%edi)\n\tleal\t96(%edi),%edi\n\tmovdqa\t96(%esp),%xmm3\n\tpxor\t%xmm0,%xmm0\n\tpaddq\t%xmm1,%xmm1\n\tpand\t%xmm3,%xmm2\n\tpcmpgtd\t%xmm1,%xmm0\n\tpxor\t%xmm2,%xmm1\n\tsubl\t$96,%eax\n\tjnc\tL050xts_enc_loop6\n\tmovl\t240(%ebp),%ecx\n\tmovl\t%ebp,%edx\n\tmovl\t%ecx,%ebx\nL049xts_enc_short:\n\taddl\t$96,%eax\n\tjz\tL051xts_enc_done6x\n\tmovdqa\t%xmm1,%xmm5\n\tcmpl\t$32,%eax\n\tjb\tL052xts_enc_one\n\tpshufd\t$19,%xmm0,%xmm2\n\tpxor\t%xmm0,%xmm0\n\tpaddq\t%xmm1,%xmm1\n\tpand\t%xmm3,%xmm2\n\tpcmpgtd\t%xmm1,%xmm0\n\tpxor\t%xmm2,%xmm1\n\tje\tL053xts_enc_two\n\tpshufd\t$19,%xmm0,%xmm2\n\tpxor\t%xmm0,%xmm0\n\tmovdqa\t%xmm1,%xmm6\n\tpaddq\t%xmm1,%xmm1\n\tpand\t%xmm3,%xmm2\n\tpcmpgtd\t%xmm1,%xmm0\n\tpxor\t%xmm2,%xmm1\n\tcmpl\t$64,%eax\n\tjb\tL054xts_enc_three\n\tpshufd\t$19,%xmm0,%xmm2\n\tpxor\t%xmm0,%xmm0\n\tmovdqa\t%xmm1,%xmm7\n\tpaddq\t%xmm1,%xmm1\n\tpand\t%xmm3,%xmm2\n\tpcmpgtd\t%xmm1,%xmm0\n\tpxor\t%xmm2,%xmm1\n\tmovdqa\t%xmm5,(%esp)\n\tmovdqa\t%xmm6,16(%esp)\n\tje\tL055xts_enc_four\n\tmovdqa\t%xmm7,32(%esp)\n\tpshufd\t$19,%xmm0,%xmm7\n\tmovdqa\t%xmm1,48(%esp)\n\tpaddq\t%xmm1,%xmm1\n\tpand\t%xmm3,%xmm7\n\tpxor\t%xmm1,%xmm7\n\tmovdqu\t(%esi),%xmm2\n\tmovdqu\t16(%esi),%xmm3\n\tmovdqu\t32(%esi),%xmm4\n\tpxor\t(%esp),%xmm2\n\tmovdqu\t48(%esi),%xmm5\n\tpxor\t16(%esp),%xmm3\n\tmovdqu\t64(%esi),%xmm6\n\tpxor\t32(%esp),%xmm4\n\tleal\t80(%esi),%esi\n\tpxor\t48(%esp),%xmm5\n\tmovdqa\t%xmm7,64(%esp)\n\tpxor\t%xmm7,%xmm6\n\tcall\t__aesni_encrypt6\n\tmovaps\t64(%esp),%xmm1\n\txorps\t(%esp),%xmm2\n\txorps\t16(%esp),%xmm3\n\txorps\t32(%esp),%xmm4\n\tmovups\t%xmm2,(%edi)\n\txorps\t48(%esp),%xmm5\n\tmovups\t%xmm3,16(%edi)\n\txorps\t%xmm1,%xmm6\n\tmovups\t%xmm4,32(%edi)\n\tmovups\t%xmm5,48(%edi)\n\tmovups\t%xmm6,64(%edi)\n\tleal\t80(%edi),%edi\n\tjmp\tL056xts_enc_done\n.align\t4,0x90\nL052xts_enc_one:\n\tmovups\t(%esi),%xmm2\n\tleal\t16(%esi),%esi\n\txorps\t%xmm5,%xmm2\n\tmovups\t(%edx),%xmm0\n\tmovups\t16(%edx),%xmm1\n\tleal\t32(%edx),%edx\n\txorps\t%xmm0,%xmm2\nL057enc1_loop_9:\n.byte\t102,15,56,220,209\n\tdecl\t%ecx\n\tmovups\t(%edx),%xmm1\n\tleal\t16(%edx),%edx\n\tjnz\tL057enc1_loop_9\n.byte\t102,15,56,221,209\n\txorps\t%xmm5,%xmm2\n\tmovups\t%xmm2,(%edi)\n\tleal\t16(%edi),%edi\n\tmovdqa\t%xmm5,%xmm1\n\tjmp\tL056xts_enc_done\n.align\t4,0x90\nL053xts_enc_two:\n\tmovaps\t%xmm1,%xmm6\n\tmovups\t(%esi),%xmm2\n\tmovups\t16(%esi),%xmm3\n\tleal\t32(%esi),%esi\n\txorps\t%xmm5,%xmm2\n\txorps\t%xmm6,%xmm3\n\tcall\t__aesni_encrypt2\n\txorps\t%xmm5,%xmm2\n\txorps\t%xmm6,%xmm3\n\tmovups\t%xmm2,(%edi)\n\tmovups\t%xmm3,16(%edi)\n\tleal\t32(%edi),%edi\n\tmovdqa\t%xmm6,%xmm1\n\tjmp\tL056xts_enc_done\n.align\t4,0x90\nL054xts_enc_three:\n\tmovaps\t%xmm1,%xmm7\n\tmovups\t(%esi),%xmm2\n\tmovups\t16(%esi),%xmm3\n\tmovups\t32(%esi),%xmm4\n\tleal\t48(%esi),%esi\n\txorps\t%xmm5,%xmm2\n\txorps\t%xmm6,%xmm3\n\txorps\t%xmm7,%xmm4\n\tcall\t__aesni_encrypt3\n\txorps\t%xmm5,%xmm2\n\txorps\t%xmm6,%xmm3\n\txorps\t%xmm7,%xmm4\n\tmovups\t%xmm2,(%edi)\n\tmovups\t%xmm3,16(%edi)\n\tmovups\t%xmm4,32(%edi)\n\tleal\t48(%edi),%edi\n\tmovdqa\t%xmm7,%xmm1\n\tjmp\tL056xts_enc_done\n.align\t4,0x90\nL055xts_enc_four:\n\tmovaps\t%xmm1,%xmm6\n\tmovups\t(%esi),%xmm2\n\tmovups\t16(%esi),%xmm3\n\tmovups\t32(%esi),%xmm4\n\txorps\t(%esp),%xmm2\n\tmovups\t48(%esi),%xmm5\n\tleal\t64(%esi),%esi\n\txorps\t16(%esp),%xmm3\n\txorps\t%xmm7,%xmm4\n\txorps\t%xmm6,%xmm5\n\tcall\t__aesni_encrypt4\n\txorps\t(%esp),%xmm2\n\txorps\t16(%esp),%xmm3\n\txorps\t%xmm7,%xmm4\n\tmovups\t%xmm2,(%edi)\n\txorps\t%xmm6,%xmm5\n\tmovups\t%xmm3,16(%edi)\n\tmovups\t%xmm4,32(%edi)\n\tmovups\t%xmm5,48(%edi)\n\tleal\t64(%edi),%edi\n\tmovdqa\t%xmm6,%xmm1\n\tjmp\tL056xts_enc_done\n.align\t4,0x90\nL051xts_enc_done6x:\n\tmovl\t112(%esp),%eax\n\tandl\t$15,%eax\n\tjz\tL058xts_enc_ret\n\tmovdqa\t%xmm1,%xmm5\n\tmovl\t%eax,112(%esp)\n\tjmp\tL059xts_enc_steal\n.align\t4,0x90\nL056xts_enc_done:\n\tmovl\t112(%esp),%eax\n\tpxor\t%xmm0,%xmm0\n\tandl\t$15,%eax\n\tjz\tL058xts_enc_ret\n\tpcmpgtd\t%xmm1,%xmm0\n\tmovl\t%eax,112(%esp)\n\tpshufd\t$19,%xmm0,%xmm5\n\tpaddq\t%xmm1,%xmm1\n\tpand\t96(%esp),%xmm5\n\tpxor\t%xmm1,%xmm5\nL059xts_enc_steal:\n\tmovzbl\t(%esi),%ecx\n\tmovzbl\t-16(%edi),%edx\n\tleal\t1(%esi),%esi\n\tmovb\t%cl,-16(%edi)\n\tmovb\t%dl,(%edi)\n\tleal\t1(%edi),%edi\n\tsubl\t$1,%eax\n\tjnz\tL059xts_enc_steal\n\tsubl\t112(%esp),%edi\n\tmovl\t%ebp,%edx\n\tmovl\t%ebx,%ecx\n\tmovups\t-16(%edi),%xmm2\n\txorps\t%xmm5,%xmm2\n\tmovups\t(%edx),%xmm0\n\tmovups\t16(%edx),%xmm1\n\tleal\t32(%edx),%edx\n\txorps\t%xmm0,%xmm2\nL060enc1_loop_10:\n.byte\t102,15,56,220,209\n\tdecl\t%ecx\n\tmovups\t(%edx),%xmm1\n\tleal\t16(%edx),%edx\n\tjnz\tL060enc1_loop_10\n.byte\t102,15,56,221,209\n\txorps\t%xmm5,%xmm2\n\tmovups\t%xmm2,-16(%edi)\nL058xts_enc_ret:\n\tpxor\t%xmm0,%xmm0\n\tpxor\t%xmm1,%xmm1\n\tpxor\t%xmm2,%xmm2\n\tmovdqa\t%xmm0,(%esp)\n\tpxor\t%xmm3,%xmm3\n\tmovdqa\t%xmm0,16(%esp)\n\tpxor\t%xmm4,%xmm4\n\tmovdqa\t%xmm0,32(%esp)\n\tpxor\t%xmm5,%xmm5\n\tmovdqa\t%xmm0,48(%esp)\n\tpxor\t%xmm6,%xmm6\n\tmovdqa\t%xmm0,64(%esp)\n\tpxor\t%xmm7,%xmm7\n\tmovdqa\t%xmm0,80(%esp)\n\tmovl\t116(%esp),%esp\n\tpopl\t%edi\n\tpopl\t%esi\n\tpopl\t%ebx\n\tpopl\t%ebp\n\tret\n.globl\t_aes_hw_xts_decrypt\n.private_extern\t_aes_hw_xts_decrypt\n.align\t4\n_aes_hw_xts_decrypt:\nL_aes_hw_xts_decrypt_begin:\n\tpushl\t%ebp\n\tpushl\t%ebx\n\tpushl\t%esi\n\tpushl\t%edi\n\tmovl\t36(%esp),%edx\n\tmovl\t40(%esp),%esi\n\tmovl\t240(%edx),%ecx\n\tmovups\t(%esi),%xmm2\n\tmovups\t(%edx),%xmm0\n\tmovups\t16(%edx),%xmm1\n\tleal\t32(%edx),%edx\n\txorps\t%xmm0,%xmm2\nL061enc1_loop_11:\n.byte\t102,15,56,220,209\n\tdecl\t%ecx\n\tmovups\t(%edx),%xmm1\n\tleal\t16(%edx),%edx\n\tjnz\tL061enc1_loop_11\n.byte\t102,15,56,221,209\n\tmovl\t20(%esp),%esi\n\tmovl\t24(%esp),%edi\n\tmovl\t28(%esp),%eax\n\tmovl\t32(%esp),%edx\n\tmovl\t%esp,%ebp\n\tsubl\t$120,%esp\n\tandl\t$-16,%esp\n\txorl\t%ebx,%ebx\n\ttestl\t$15,%eax\n\tsetnz\t%bl\n\tshll\t$4,%ebx\n\tsubl\t%ebx,%eax\n\tmovl\t$135,96(%esp)\n\tmovl\t$0,100(%esp)\n\tmovl\t$1,104(%esp)\n\tmovl\t$0,108(%esp)\n\tmovl\t%eax,112(%esp)\n\tmovl\t%ebp,116(%esp)\n\tmovl\t240(%edx),%ecx\n\tmovl\t%edx,%ebp\n\tmovl\t%ecx,%ebx\n\tmovdqa\t%xmm2,%xmm1\n\tpxor\t%xmm0,%xmm0\n\tmovdqa\t96(%esp),%xmm3\n\tpcmpgtd\t%xmm1,%xmm0\n\tandl\t$-16,%eax\n\tsubl\t$96,%eax\n\tjc\tL062xts_dec_short\n\tshll\t$4,%ecx\n\tmovl\t$16,%ebx\n\tsubl\t%ecx,%ebx\n\tleal\t32(%edx,%ecx,1),%edx\n\tjmp\tL063xts_dec_loop6\n.align\t4,0x90\nL063xts_dec_loop6:\n\tpshufd\t$19,%xmm0,%xmm2\n\tpxor\t%xmm0,%xmm0\n\tmovdqa\t%xmm1,(%esp)\n\tpaddq\t%xmm1,%xmm1\n\tpand\t%xmm3,%xmm2\n\tpcmpgtd\t%xmm1,%xmm0\n\tpxor\t%xmm2,%xmm1\n\tpshufd\t$19,%xmm0,%xmm2\n\tpxor\t%xmm0,%xmm0\n\tmovdqa\t%xmm1,16(%esp)\n\tpaddq\t%xmm1,%xmm1\n\tpand\t%xmm3,%xmm2\n\tpcmpgtd\t%xmm1,%xmm0\n\tpxor\t%xmm2,%xmm1\n\tpshufd\t$19,%xmm0,%xmm2\n\tpxor\t%xmm0,%xmm0\n\tmovdqa\t%xmm1,32(%esp)\n\tpaddq\t%xmm1,%xmm1\n\tpand\t%xmm3,%xmm2\n\tpcmpgtd\t%xmm1,%xmm0\n\tpxor\t%xmm2,%xmm1\n\tpshufd\t$19,%xmm0,%xmm2\n\tpxor\t%xmm0,%xmm0\n\tmovdqa\t%xmm1,48(%esp)\n\tpaddq\t%xmm1,%xmm1\n\tpand\t%xmm3,%xmm2\n\tpcmpgtd\t%xmm1,%xmm0\n\tpxor\t%xmm2,%xmm1\n\tpshufd\t$19,%xmm0,%xmm7\n\tmovdqa\t%xmm1,64(%esp)\n\tpaddq\t%xmm1,%xmm1\n\tmovups\t(%ebp),%xmm0\n\tpand\t%xmm3,%xmm7\n\tmovups\t(%esi),%xmm2\n\tpxor\t%xmm1,%xmm7\n\tmovl\t%ebx,%ecx\n\tmovdqu\t16(%esi),%xmm3\n\txorps\t%xmm0,%xmm2\n\tmovdqu\t32(%esi),%xmm4\n\tpxor\t%xmm0,%xmm3\n\tmovdqu\t48(%esi),%xmm5\n\tpxor\t%xmm0,%xmm4\n\tmovdqu\t64(%esi),%xmm6\n\tpxor\t%xmm0,%xmm5\n\tmovdqu\t80(%esi),%xmm1\n\tpxor\t%xmm0,%xmm6\n\tleal\t96(%esi),%esi\n\tpxor\t(%esp),%xmm2\n\tmovdqa\t%xmm7,80(%esp)\n\tpxor\t%xmm1,%xmm7\n\tmovups\t16(%ebp),%xmm1\n\tpxor\t16(%esp),%xmm3\n\tpxor\t32(%esp),%xmm4\n.byte\t102,15,56,222,209\n\tpxor\t48(%esp),%xmm5\n\tpxor\t64(%esp),%xmm6\n.byte\t102,15,56,222,217\n\tpxor\t%xmm0,%xmm7\n\tmovups\t32(%ebp),%xmm0\n.byte\t102,15,56,222,225\n.byte\t102,15,56,222,233\n.byte\t102,15,56,222,241\n.byte\t102,15,56,222,249\n\tcall\tL_aesni_decrypt6_enter\n\tmovdqa\t80(%esp),%xmm1\n\tpxor\t%xmm0,%xmm0\n\txorps\t(%esp),%xmm2\n\tpcmpgtd\t%xmm1,%xmm0\n\txorps\t16(%esp),%xmm3\n\tmovups\t%xmm2,(%edi)\n\txorps\t32(%esp),%xmm4\n\tmovups\t%xmm3,16(%edi)\n\txorps\t48(%esp),%xmm5\n\tmovups\t%xmm4,32(%edi)\n\txorps\t64(%esp),%xmm6\n\tmovups\t%xmm5,48(%edi)\n\txorps\t%xmm1,%xmm7\n\tmovups\t%xmm6,64(%edi)\n\tpshufd\t$19,%xmm0,%xmm2\n\tmovups\t%xmm7,80(%edi)\n\tleal\t96(%edi),%edi\n\tmovdqa\t96(%esp),%xmm3\n\tpxor\t%xmm0,%xmm0\n\tpaddq\t%xmm1,%xmm1\n\tpand\t%xmm3,%xmm2\n\tpcmpgtd\t%xmm1,%xmm0\n\tpxor\t%xmm2,%xmm1\n\tsubl\t$96,%eax\n\tjnc\tL063xts_dec_loop6\n\tmovl\t240(%ebp),%ecx\n\tmovl\t%ebp,%edx\n\tmovl\t%ecx,%ebx\nL062xts_dec_short:\n\taddl\t$96,%eax\n\tjz\tL064xts_dec_done6x\n\tmovdqa\t%xmm1,%xmm5\n\tcmpl\t$32,%eax\n\tjb\tL065xts_dec_one\n\tpshufd\t$19,%xmm0,%xmm2\n\tpxor\t%xmm0,%xmm0\n\tpaddq\t%xmm1,%xmm1\n\tpand\t%xmm3,%xmm2\n\tpcmpgtd\t%xmm1,%xmm0\n\tpxor\t%xmm2,%xmm1\n\tje\tL066xts_dec_two\n\tpshufd\t$19,%xmm0,%xmm2\n\tpxor\t%xmm0,%xmm0\n\tmovdqa\t%xmm1,%xmm6\n\tpaddq\t%xmm1,%xmm1\n\tpand\t%xmm3,%xmm2\n\tpcmpgtd\t%xmm1,%xmm0\n\tpxor\t%xmm2,%xmm1\n\tcmpl\t$64,%eax\n\tjb\tL067xts_dec_three\n\tpshufd\t$19,%xmm0,%xmm2\n\tpxor\t%xmm0,%xmm0\n\tmovdqa\t%xmm1,%xmm7\n\tpaddq\t%xmm1,%xmm1\n\tpand\t%xmm3,%xmm2\n\tpcmpgtd\t%xmm1,%xmm0\n\tpxor\t%xmm2,%xmm1\n\tmovdqa\t%xmm5,(%esp)\n\tmovdqa\t%xmm6,16(%esp)\n\tje\tL068xts_dec_four\n\tmovdqa\t%xmm7,32(%esp)\n\tpshufd\t$19,%xmm0,%xmm7\n\tmovdqa\t%xmm1,48(%esp)\n\tpaddq\t%xmm1,%xmm1\n\tpand\t%xmm3,%xmm7\n\tpxor\t%xmm1,%xmm7\n\tmovdqu\t(%esi),%xmm2\n\tmovdqu\t16(%esi),%xmm3\n\tmovdqu\t32(%esi),%xmm4\n\tpxor\t(%esp),%xmm2\n\tmovdqu\t48(%esi),%xmm5\n\tpxor\t16(%esp),%xmm3\n\tmovdqu\t64(%esi),%xmm6\n\tpxor\t32(%esp),%xmm4\n\tleal\t80(%esi),%esi\n\tpxor\t48(%esp),%xmm5\n\tmovdqa\t%xmm7,64(%esp)\n\tpxor\t%xmm7,%xmm6\n\tcall\t__aesni_decrypt6\n\tmovaps\t64(%esp),%xmm1\n\txorps\t(%esp),%xmm2\n\txorps\t16(%esp),%xmm3\n\txorps\t32(%esp),%xmm4\n\tmovups\t%xmm2,(%edi)\n\txorps\t48(%esp),%xmm5\n\tmovups\t%xmm3,16(%edi)\n\txorps\t%xmm1,%xmm6\n\tmovups\t%xmm4,32(%edi)\n\tmovups\t%xmm5,48(%edi)\n\tmovups\t%xmm6,64(%edi)\n\tleal\t80(%edi),%edi\n\tjmp\tL069xts_dec_done\n.align\t4,0x90\nL065xts_dec_one:\n\tmovups\t(%esi),%xmm2\n\tleal\t16(%esi),%esi\n\txorps\t%xmm5,%xmm2\n\tmovups\t(%edx),%xmm0\n\tmovups\t16(%edx),%xmm1\n\tleal\t32(%edx),%edx\n\txorps\t%xmm0,%xmm2\nL070dec1_loop_12:\n.byte\t102,15,56,222,209\n\tdecl\t%ecx\n\tmovups\t(%edx),%xmm1\n\tleal\t16(%edx),%edx\n\tjnz\tL070dec1_loop_12\n.byte\t102,15,56,223,209\n\txorps\t%xmm5,%xmm2\n\tmovups\t%xmm2,(%edi)\n\tleal\t16(%edi),%edi\n\tmovdqa\t%xmm5,%xmm1\n\tjmp\tL069xts_dec_done\n.align\t4,0x90\nL066xts_dec_two:\n\tmovaps\t%xmm1,%xmm6\n\tmovups\t(%esi),%xmm2\n\tmovups\t16(%esi),%xmm3\n\tleal\t32(%esi),%esi\n\txorps\t%xmm5,%xmm2\n\txorps\t%xmm6,%xmm3\n\tcall\t__aesni_decrypt2\n\txorps\t%xmm5,%xmm2\n\txorps\t%xmm6,%xmm3\n\tmovups\t%xmm2,(%edi)\n\tmovups\t%xmm3,16(%edi)\n\tleal\t32(%edi),%edi\n\tmovdqa\t%xmm6,%xmm1\n\tjmp\tL069xts_dec_done\n.align\t4,0x90\nL067xts_dec_three:\n\tmovaps\t%xmm1,%xmm7\n\tmovups\t(%esi),%xmm2\n\tmovups\t16(%esi),%xmm3\n\tmovups\t32(%esi),%xmm4\n\tleal\t48(%esi),%esi\n\txorps\t%xmm5,%xmm2\n\txorps\t%xmm6,%xmm3\n\txorps\t%xmm7,%xmm4\n\tcall\t__aesni_decrypt3\n\txorps\t%xmm5,%xmm2\n\txorps\t%xmm6,%xmm3\n\txorps\t%xmm7,%xmm4\n\tmovups\t%xmm2,(%edi)\n\tmovups\t%xmm3,16(%edi)\n\tmovups\t%xmm4,32(%edi)\n\tleal\t48(%edi),%edi\n\tmovdqa\t%xmm7,%xmm1\n\tjmp\tL069xts_dec_done\n.align\t4,0x90\nL068xts_dec_four:\n\tmovaps\t%xmm1,%xmm6\n\tmovups\t(%esi),%xmm2\n\tmovups\t16(%esi),%xmm3\n\tmovups\t32(%esi),%xmm4\n\txorps\t(%esp),%xmm2\n\tmovups\t48(%esi),%xmm5\n\tleal\t64(%esi),%esi\n\txorps\t16(%esp),%xmm3\n\txorps\t%xmm7,%xmm4\n\txorps\t%xmm6,%xmm5\n\tcall\t__aesni_decrypt4\n\txorps\t(%esp),%xmm2\n\txorps\t16(%esp),%xmm3\n\txorps\t%xmm7,%xmm4\n\tmovups\t%xmm2,(%edi)\n\txorps\t%xmm6,%xmm5\n\tmovups\t%xmm3,16(%edi)\n\tmovups\t%xmm4,32(%edi)\n\tmovups\t%xmm5,48(%edi)\n\tleal\t64(%edi),%edi\n\tmovdqa\t%xmm6,%xmm1\n\tjmp\tL069xts_dec_done\n.align\t4,0x90\nL064xts_dec_done6x:\n\tmovl\t112(%esp),%eax\n\tandl\t$15,%eax\n\tjz\tL071xts_dec_ret\n\tmovl\t%eax,112(%esp)\n\tjmp\tL072xts_dec_only_one_more\n.align\t4,0x90\nL069xts_dec_done:\n\tmovl\t112(%esp),%eax\n\tpxor\t%xmm0,%xmm0\n\tandl\t$15,%eax\n\tjz\tL071xts_dec_ret\n\tpcmpgtd\t%xmm1,%xmm0\n\tmovl\t%eax,112(%esp)\n\tpshufd\t$19,%xmm0,%xmm2\n\tpxor\t%xmm0,%xmm0\n\tmovdqa\t96(%esp),%xmm3\n\tpaddq\t%xmm1,%xmm1\n\tpand\t%xmm3,%xmm2\n\tpcmpgtd\t%xmm1,%xmm0\n\tpxor\t%xmm2,%xmm1\nL072xts_dec_only_one_more:\n\tpshufd\t$19,%xmm0,%xmm5\n\tmovdqa\t%xmm1,%xmm6\n\tpaddq\t%xmm1,%xmm1\n\tpand\t%xmm3,%xmm5\n\tpxor\t%xmm1,%xmm5\n\tmovl\t%ebp,%edx\n\tmovl\t%ebx,%ecx\n\tmovups\t(%esi),%xmm2\n\txorps\t%xmm5,%xmm2\n\tmovups\t(%edx),%xmm0\n\tmovups\t16(%edx),%xmm1\n\tleal\t32(%edx),%edx\n\txorps\t%xmm0,%xmm2\nL073dec1_loop_13:\n.byte\t102,15,56,222,209\n\tdecl\t%ecx\n\tmovups\t(%edx),%xmm1\n\tleal\t16(%edx),%edx\n\tjnz\tL073dec1_loop_13\n.byte\t102,15,56,223,209\n\txorps\t%xmm5,%xmm2\n\tmovups\t%xmm2,(%edi)\nL074xts_dec_steal:\n\tmovzbl\t16(%esi),%ecx\n\tmovzbl\t(%edi),%edx\n\tleal\t1(%esi),%esi\n\tmovb\t%cl,(%edi)\n\tmovb\t%dl,16(%edi)\n\tleal\t1(%edi),%edi\n\tsubl\t$1,%eax\n\tjnz\tL074xts_dec_steal\n\tsubl\t112(%esp),%edi\n\tmovl\t%ebp,%edx\n\tmovl\t%ebx,%ecx\n\tmovups\t(%edi),%xmm2\n\txorps\t%xmm6,%xmm2\n\tmovups\t(%edx),%xmm0\n\tmovups\t16(%edx),%xmm1\n\tleal\t32(%edx),%edx\n\txorps\t%xmm0,%xmm2\nL075dec1_loop_14:\n.byte\t102,15,56,222,209\n\tdecl\t%ecx\n\tmovups\t(%edx),%xmm1\n\tleal\t16(%edx),%edx\n\tjnz\tL075dec1_loop_14\n.byte\t102,15,56,223,209\n\txorps\t%xmm6,%xmm2\n\tmovups\t%xmm2,(%edi)\nL071xts_dec_ret:\n\tpxor\t%xmm0,%xmm0\n\tpxor\t%xmm1,%xmm1\n\tpxor\t%xmm2,%xmm2\n\tmovdqa\t%xmm0,(%esp)\n\tpxor\t%xmm3,%xmm3\n\tmovdqa\t%xmm0,16(%esp)\n\tpxor\t%xmm4,%xmm4\n\tmovdqa\t%xmm0,32(%esp)\n\tpxor\t%xmm5,%xmm5\n\tmovdqa\t%xmm0,48(%esp)\n\tpxor\t%xmm6,%xmm6\n\tmovdqa\t%xmm0,64(%esp)\n\tpxor\t%xmm7,%xmm7\n\tmovdqa\t%xmm0,80(%esp)\n\tmovl\t116(%esp),%esp\n\tpopl\t%edi\n\tpopl\t%esi\n\tpopl\t%ebx\n\tpopl\t%ebp\n\tret\n.globl\t_aes_hw_cbc_encrypt\n.private_extern\t_aes_hw_cbc_encrypt\n.align\t4\n_aes_hw_cbc_encrypt:\nL_aes_hw_cbc_encrypt_begin:\n\tpushl\t%ebp\n\tpushl\t%ebx\n\tpushl\t%esi\n\tpushl\t%edi\n\tmovl\t20(%esp),%esi\n\tmovl\t%esp,%ebx\n\tmovl\t24(%esp),%edi\n\tsubl\t$24,%ebx\n\tmovl\t28(%esp),%eax\n\tandl\t$-16,%ebx\n\tmovl\t32(%esp),%edx\n\tmovl\t36(%esp),%ebp\n\ttestl\t%eax,%eax\n\tjz\tL076cbc_abort\n\tcmpl\t$0,40(%esp)\n\txchgl\t%esp,%ebx\n\tmovups\t(%ebp),%xmm7\n\tmovl\t240(%edx),%ecx\n\tmovl\t%edx,%ebp\n\tmovl\t%ebx,16(%esp)\n\tmovl\t%ecx,%ebx\n\tje\tL077cbc_decrypt\n\tmovaps\t%xmm7,%xmm2\n\tcmpl\t$16,%eax\n\tjb\tL078cbc_enc_tail\n\tsubl\t$16,%eax\n\tjmp\tL079cbc_enc_loop\n.align\t4,0x90\nL079cbc_enc_loop:\n\tmovups\t(%esi),%xmm7\n\tleal\t16(%esi),%esi\n\tmovups\t(%edx),%xmm0\n\tmovups\t16(%edx),%xmm1\n\txorps\t%xmm0,%xmm7\n\tleal\t32(%edx),%edx\n\txorps\t%xmm7,%xmm2\nL080enc1_loop_15:\n.byte\t102,15,56,220,209\n\tdecl\t%ecx\n\tmovups\t(%edx),%xmm1\n\tleal\t16(%edx),%edx\n\tjnz\tL080enc1_loop_15\n.byte\t102,15,56,221,209\n\tmovl\t%ebx,%ecx\n\tmovl\t%ebp,%edx\n\tmovups\t%xmm2,(%edi)\n\tleal\t16(%edi),%edi\n\tsubl\t$16,%eax\n\tjnc\tL079cbc_enc_loop\n\taddl\t$16,%eax\n\tjnz\tL078cbc_enc_tail\n\tmovaps\t%xmm2,%xmm7\n\tpxor\t%xmm2,%xmm2\n\tjmp\tL081cbc_ret\nL078cbc_enc_tail:\n\tmovl\t%eax,%ecx\n.long\t2767451785\n\tmovl\t$16,%ecx\n\tsubl\t%eax,%ecx\n\txorl\t%eax,%eax\n.long\t2868115081\n\tleal\t-16(%edi),%edi\n\tmovl\t%ebx,%ecx\n\tmovl\t%edi,%esi\n\tmovl\t%ebp,%edx\n\tjmp\tL079cbc_enc_loop\n.align\t4,0x90\nL077cbc_decrypt:\n\tcmpl\t$80,%eax\n\tjbe\tL082cbc_dec_tail\n\tmovaps\t%xmm7,(%esp)\n\tsubl\t$80,%eax\n\tjmp\tL083cbc_dec_loop6_enter\n.align\t4,0x90\nL084cbc_dec_loop6:\n\tmovaps\t%xmm0,(%esp)\n\tmovups\t%xmm7,(%edi)\n\tleal\t16(%edi),%edi\nL083cbc_dec_loop6_enter:\n\tmovdqu\t(%esi),%xmm2\n\tmovdqu\t16(%esi),%xmm3\n\tmovdqu\t32(%esi),%xmm4\n\tmovdqu\t48(%esi),%xmm5\n\tmovdqu\t64(%esi),%xmm6\n\tmovdqu\t80(%esi),%xmm7\n\tcall\t__aesni_decrypt6\n\tmovups\t(%esi),%xmm1\n\tmovups\t16(%esi),%xmm0\n\txorps\t(%esp),%xmm2\n\txorps\t%xmm1,%xmm3\n\tmovups\t32(%esi),%xmm1\n\txorps\t%xmm0,%xmm4\n\tmovups\t48(%esi),%xmm0\n\txorps\t%xmm1,%xmm5\n\tmovups\t64(%esi),%xmm1\n\txorps\t%xmm0,%xmm6\n\tmovups\t80(%esi),%xmm0\n\txorps\t%xmm1,%xmm7\n\tmovups\t%xmm2,(%edi)\n\tmovups\t%xmm3,16(%edi)\n\tleal\t96(%esi),%esi\n\tmovups\t%xmm4,32(%edi)\n\tmovl\t%ebx,%ecx\n\tmovups\t%xmm5,48(%edi)\n\tmovl\t%ebp,%edx\n\tmovups\t%xmm6,64(%edi)\n\tleal\t80(%edi),%edi\n\tsubl\t$96,%eax\n\tja\tL084cbc_dec_loop6\n\tmovaps\t%xmm7,%xmm2\n\tmovaps\t%xmm0,%xmm7\n\taddl\t$80,%eax\n\tjle\tL085cbc_dec_clear_tail_collected\n\tmovups\t%xmm2,(%edi)\n\tleal\t16(%edi),%edi\nL082cbc_dec_tail:\n\tmovups\t(%esi),%xmm2\n\tmovaps\t%xmm2,%xmm6\n\tcmpl\t$16,%eax\n\tjbe\tL086cbc_dec_one\n\tmovups\t16(%esi),%xmm3\n\tmovaps\t%xmm3,%xmm5\n\tcmpl\t$32,%eax\n\tjbe\tL087cbc_dec_two\n\tmovups\t32(%esi),%xmm4\n\tcmpl\t$48,%eax\n\tjbe\tL088cbc_dec_three\n\tmovups\t48(%esi),%xmm5\n\tcmpl\t$64,%eax\n\tjbe\tL089cbc_dec_four\n\tmovups\t64(%esi),%xmm6\n\tmovaps\t%xmm7,(%esp)\n\tmovups\t(%esi),%xmm2\n\txorps\t%xmm7,%xmm7\n\tcall\t__aesni_decrypt6\n\tmovups\t(%esi),%xmm1\n\tmovups\t16(%esi),%xmm0\n\txorps\t(%esp),%xmm2\n\txorps\t%xmm1,%xmm3\n\tmovups\t32(%esi),%xmm1\n\txorps\t%xmm0,%xmm4\n\tmovups\t48(%esi),%xmm0\n\txorps\t%xmm1,%xmm5\n\tmovups\t64(%esi),%xmm7\n\txorps\t%xmm0,%xmm6\n\tmovups\t%xmm2,(%edi)\n\tmovups\t%xmm3,16(%edi)\n\tpxor\t%xmm3,%xmm3\n\tmovups\t%xmm4,32(%edi)\n\tpxor\t%xmm4,%xmm4\n\tmovups\t%xmm5,48(%edi)\n\tpxor\t%xmm5,%xmm5\n\tleal\t64(%edi),%edi\n\tmovaps\t%xmm6,%xmm2\n\tpxor\t%xmm6,%xmm6\n\tsubl\t$80,%eax\n\tjmp\tL090cbc_dec_tail_collected\n.align\t4,0x90\nL086cbc_dec_one:\n\tmovups\t(%edx),%xmm0\n\tmovups\t16(%edx),%xmm1\n\tleal\t32(%edx),%edx\n\txorps\t%xmm0,%xmm2\nL091dec1_loop_16:\n.byte\t102,15,56,222,209\n\tdecl\t%ecx\n\tmovups\t(%edx),%xmm1\n\tleal\t16(%edx),%edx\n\tjnz\tL091dec1_loop_16\n.byte\t102,15,56,223,209\n\txorps\t%xmm7,%xmm2\n\tmovaps\t%xmm6,%xmm7\n\tsubl\t$16,%eax\n\tjmp\tL090cbc_dec_tail_collected\n.align\t4,0x90\nL087cbc_dec_two:\n\tcall\t__aesni_decrypt2\n\txorps\t%xmm7,%xmm2\n\txorps\t%xmm6,%xmm3\n\tmovups\t%xmm2,(%edi)\n\tmovaps\t%xmm3,%xmm2\n\tpxor\t%xmm3,%xmm3\n\tleal\t16(%edi),%edi\n\tmovaps\t%xmm5,%xmm7\n\tsubl\t$32,%eax\n\tjmp\tL090cbc_dec_tail_collected\n.align\t4,0x90\nL088cbc_dec_three:\n\tcall\t__aesni_decrypt3\n\txorps\t%xmm7,%xmm2\n\txorps\t%xmm6,%xmm3\n\txorps\t%xmm5,%xmm4\n\tmovups\t%xmm2,(%edi)\n\tmovaps\t%xmm4,%xmm2\n\tpxor\t%xmm4,%xmm4\n\tmovups\t%xmm3,16(%edi)\n\tpxor\t%xmm3,%xmm3\n\tleal\t32(%edi),%edi\n\tmovups\t32(%esi),%xmm7\n\tsubl\t$48,%eax\n\tjmp\tL090cbc_dec_tail_collected\n.align\t4,0x90\nL089cbc_dec_four:\n\tcall\t__aesni_decrypt4\n\tmovups\t16(%esi),%xmm1\n\tmovups\t32(%esi),%xmm0\n\txorps\t%xmm7,%xmm2\n\tmovups\t48(%esi),%xmm7\n\txorps\t%xmm6,%xmm3\n\tmovups\t%xmm2,(%edi)\n\txorps\t%xmm1,%xmm4\n\tmovups\t%xmm3,16(%edi)\n\tpxor\t%xmm3,%xmm3\n\txorps\t%xmm0,%xmm5\n\tmovups\t%xmm4,32(%edi)\n\tpxor\t%xmm4,%xmm4\n\tleal\t48(%edi),%edi\n\tmovaps\t%xmm5,%xmm2\n\tpxor\t%xmm5,%xmm5\n\tsubl\t$64,%eax\n\tjmp\tL090cbc_dec_tail_collected\n.align\t4,0x90\nL085cbc_dec_clear_tail_collected:\n\tpxor\t%xmm3,%xmm3\n\tpxor\t%xmm4,%xmm4\n\tpxor\t%xmm5,%xmm5\n\tpxor\t%xmm6,%xmm6\nL090cbc_dec_tail_collected:\n\tandl\t$15,%eax\n\tjnz\tL092cbc_dec_tail_partial\n\tmovups\t%xmm2,(%edi)\n\tpxor\t%xmm0,%xmm0\n\tjmp\tL081cbc_ret\n.align\t4,0x90\nL092cbc_dec_tail_partial:\n\tmovaps\t%xmm2,(%esp)\n\tpxor\t%xmm0,%xmm0\n\tmovl\t$16,%ecx\n\tmovl\t%esp,%esi\n\tsubl\t%eax,%ecx\n.long\t2767451785\n\tmovdqa\t%xmm2,(%esp)\nL081cbc_ret:\n\tmovl\t16(%esp),%esp\n\tmovl\t36(%esp),%ebp\n\tpxor\t%xmm2,%xmm2\n\tpxor\t%xmm1,%xmm1\n\tmovups\t%xmm7,(%ebp)\n\tpxor\t%xmm7,%xmm7\nL076cbc_abort:\n\tpopl\t%edi\n\tpopl\t%esi\n\tpopl\t%ebx\n\tpopl\t%ebp\n\tret\n.globl\t_aes_hw_set_encrypt_key_base\n.private_extern\t_aes_hw_set_encrypt_key_base\n.align\t4\n_aes_hw_set_encrypt_key_base:\nL_aes_hw_set_encrypt_key_base_begin:\n#ifdef BORINGSSL_DISPATCH_TEST\n\tpushl\t%ebx\n\tpushl\t%edx\n\tcall\tL093pic_for_function_hit\nL093pic_for_function_hit:\n\tpopl\t%ebx\n\tleal\t_BORINGSSL_function_hit+3-L093pic_for_function_hit(%ebx),%ebx\n\tmovl\t$1,%edx\n\tmovb\t%dl,(%ebx)\n\tpopl\t%edx\n\tpopl\t%ebx\n#endif\n\tmovl\t4(%esp),%eax\n\tmovl\t8(%esp),%ecx\n\tmovl\t12(%esp),%edx\n\tpushl\t%ebx\n\tcall\tL094pic\nL094pic:\n\tpopl\t%ebx\n\tleal\tLkey_const-L094pic(%ebx),%ebx\n\tmovups\t(%eax),%xmm0\n\txorps\t%xmm4,%xmm4\n\tleal\t16(%edx),%edx\n\tcmpl\t$256,%ecx\n\tje\tL09514rounds\n\tcmpl\t$192,%ecx\n\tje\tL09612rounds\n\tcmpl\t$128,%ecx\n\tjne\tL097bad_keybits\n.align\t4,0x90\nL09810rounds:\n\tmovl\t$9,%ecx\n\tmovups\t%xmm0,-16(%edx)\n.byte\t102,15,58,223,200,1\n\tcall\tL099key_128_cold\n.byte\t102,15,58,223,200,2\n\tcall\tL100key_128\n.byte\t102,15,58,223,200,4\n\tcall\tL100key_128\n.byte\t102,15,58,223,200,8\n\tcall\tL100key_128\n.byte\t102,15,58,223,200,16\n\tcall\tL100key_128\n.byte\t102,15,58,223,200,32\n\tcall\tL100key_128\n.byte\t102,15,58,223,200,64\n\tcall\tL100key_128\n.byte\t102,15,58,223,200,128\n\tcall\tL100key_128\n.byte\t102,15,58,223,200,27\n\tcall\tL100key_128\n.byte\t102,15,58,223,200,54\n\tcall\tL100key_128\n\tmovups\t%xmm0,(%edx)\n\tmovl\t%ecx,80(%edx)\n\tjmp\tL101good_key\n.align\t4,0x90\nL100key_128:\n\tmovups\t%xmm0,(%edx)\n\tleal\t16(%edx),%edx\nL099key_128_cold:\n\tshufps\t$16,%xmm0,%xmm4\n\txorps\t%xmm4,%xmm0\n\tshufps\t$140,%xmm0,%xmm4\n\txorps\t%xmm4,%xmm0\n\tshufps\t$255,%xmm1,%xmm1\n\txorps\t%xmm1,%xmm0\n\tret\n.align\t4,0x90\nL09612rounds:\n\tmovq\t16(%eax),%xmm2\n\tmovl\t$11,%ecx\n\tmovups\t%xmm0,-16(%edx)\n.byte\t102,15,58,223,202,1\n\tcall\tL102key_192a_cold\n.byte\t102,15,58,223,202,2\n\tcall\tL103key_192b\n.byte\t102,15,58,223,202,4\n\tcall\tL104key_192a\n.byte\t102,15,58,223,202,8\n\tcall\tL103key_192b\n.byte\t102,15,58,223,202,16\n\tcall\tL104key_192a\n.byte\t102,15,58,223,202,32\n\tcall\tL103key_192b\n.byte\t102,15,58,223,202,64\n\tcall\tL104key_192a\n.byte\t102,15,58,223,202,128\n\tcall\tL103key_192b\n\tmovups\t%xmm0,(%edx)\n\tmovl\t%ecx,48(%edx)\n\tjmp\tL101good_key\n.align\t4,0x90\nL104key_192a:\n\tmovups\t%xmm0,(%edx)\n\tleal\t16(%edx),%edx\n.align\t4,0x90\nL102key_192a_cold:\n\tmovaps\t%xmm2,%xmm5\nL105key_192b_warm:\n\tshufps\t$16,%xmm0,%xmm4\n\tmovdqa\t%xmm2,%xmm3\n\txorps\t%xmm4,%xmm0\n\tshufps\t$140,%xmm0,%xmm4\n\tpslldq\t$4,%xmm3\n\txorps\t%xmm4,%xmm0\n\tpshufd\t$85,%xmm1,%xmm1\n\tpxor\t%xmm3,%xmm2\n\tpxor\t%xmm1,%xmm0\n\tpshufd\t$255,%xmm0,%xmm3\n\tpxor\t%xmm3,%xmm2\n\tret\n.align\t4,0x90\nL103key_192b:\n\tmovaps\t%xmm0,%xmm3\n\tshufps\t$68,%xmm0,%xmm5\n\tmovups\t%xmm5,(%edx)\n\tshufps\t$78,%xmm2,%xmm3\n\tmovups\t%xmm3,16(%edx)\n\tleal\t32(%edx),%edx\n\tjmp\tL105key_192b_warm\n.align\t4,0x90\nL09514rounds:\n\tmovups\t16(%eax),%xmm2\n\tleal\t16(%edx),%edx\n\tmovl\t$13,%ecx\n\tmovups\t%xmm0,-32(%edx)\n\tmovups\t%xmm2,-16(%edx)\n.byte\t102,15,58,223,202,1\n\tcall\tL106key_256a_cold\n.byte\t102,15,58,223,200,1\n\tcall\tL107key_256b\n.byte\t102,15,58,223,202,2\n\tcall\tL108key_256a\n.byte\t102,15,58,223,200,2\n\tcall\tL107key_256b\n.byte\t102,15,58,223,202,4\n\tcall\tL108key_256a\n.byte\t102,15,58,223,200,4\n\tcall\tL107key_256b\n.byte\t102,15,58,223,202,8\n\tcall\tL108key_256a\n.byte\t102,15,58,223,200,8\n\tcall\tL107key_256b\n.byte\t102,15,58,223,202,16\n\tcall\tL108key_256a\n.byte\t102,15,58,223,200,16\n\tcall\tL107key_256b\n.byte\t102,15,58,223,202,32\n\tcall\tL108key_256a\n.byte\t102,15,58,223,200,32\n\tcall\tL107key_256b\n.byte\t102,15,58,223,202,64\n\tcall\tL108key_256a\n\tmovups\t%xmm0,(%edx)\n\tmovl\t%ecx,16(%edx)\n\txorl\t%eax,%eax\n\tjmp\tL101good_key\n.align\t4,0x90\nL108key_256a:\n\tmovups\t%xmm2,(%edx)\n\tleal\t16(%edx),%edx\nL106key_256a_cold:\n\tshufps\t$16,%xmm0,%xmm4\n\txorps\t%xmm4,%xmm0\n\tshufps\t$140,%xmm0,%xmm4\n\txorps\t%xmm4,%xmm0\n\tshufps\t$255,%xmm1,%xmm1\n\txorps\t%xmm1,%xmm0\n\tret\n.align\t4,0x90\nL107key_256b:\n\tmovups\t%xmm0,(%edx)\n\tleal\t16(%edx),%edx\n\tshufps\t$16,%xmm2,%xmm4\n\txorps\t%xmm4,%xmm2\n\tshufps\t$140,%xmm2,%xmm4\n\txorps\t%xmm4,%xmm2\n\tshufps\t$170,%xmm1,%xmm1\n\txorps\t%xmm1,%xmm2\n\tret\nL101good_key:\n\tpxor\t%xmm0,%xmm0\n\tpxor\t%xmm1,%xmm1\n\tpxor\t%xmm2,%xmm2\n\tpxor\t%xmm3,%xmm3\n\tpxor\t%xmm4,%xmm4\n\tpxor\t%xmm5,%xmm5\n\txorl\t%eax,%eax\n\tpopl\t%ebx\n\tret\n.align\t2,0x90\nL097bad_keybits:\n\tpxor\t%xmm0,%xmm0\n\tmovl\t$-2,%eax\n\tpopl\t%ebx\n\tret\n.globl\t_aes_hw_set_encrypt_key_alt\n.private_extern\t_aes_hw_set_encrypt_key_alt\n.align\t4\n_aes_hw_set_encrypt_key_alt:\nL_aes_hw_set_encrypt_key_alt_begin:\n#ifdef BORINGSSL_DISPATCH_TEST\n\tpushl\t%ebx\n\tpushl\t%edx\n\tcall\tL109pic_for_function_hit\nL109pic_for_function_hit:\n\tpopl\t%ebx\n\tleal\t_BORINGSSL_function_hit+3-L109pic_for_function_hit(%ebx),%ebx\n\tmovl\t$1,%edx\n\tmovb\t%dl,(%ebx)\n\tpopl\t%edx\n\tpopl\t%ebx\n#endif\n\tmovl\t4(%esp),%eax\n\tmovl\t8(%esp),%ecx\n\tmovl\t12(%esp),%edx\n\tpushl\t%ebx\n\tcall\tL110pic\nL110pic:\n\tpopl\t%ebx\n\tleal\tLkey_const-L110pic(%ebx),%ebx\n\tmovups\t(%eax),%xmm0\n\txorps\t%xmm4,%xmm4\n\tleal\t16(%edx),%edx\n\tcmpl\t$256,%ecx\n\tje\tL11114rounds_alt\n\tcmpl\t$192,%ecx\n\tje\tL11212rounds_alt\n\tcmpl\t$128,%ecx\n\tjne\tL113bad_keybits\n.align\t4,0x90\nL11410rounds_alt:\n\tmovdqa\t(%ebx),%xmm5\n\tmovl\t$8,%ecx\n\tmovdqa\t32(%ebx),%xmm4\n\tmovdqa\t%xmm0,%xmm2\n\tmovdqu\t%xmm0,-16(%edx)\nL115loop_key128:\n.byte\t102,15,56,0,197\n.byte\t102,15,56,221,196\n\tpslld\t$1,%xmm4\n\tleal\t16(%edx),%edx\n\tmovdqa\t%xmm2,%xmm3\n\tpslldq\t$4,%xmm2\n\tpxor\t%xmm2,%xmm3\n\tpslldq\t$4,%xmm2\n\tpxor\t%xmm2,%xmm3\n\tpslldq\t$4,%xmm2\n\tpxor\t%xmm3,%xmm2\n\tpxor\t%xmm2,%xmm0\n\tmovdqu\t%xmm0,-16(%edx)\n\tmovdqa\t%xmm0,%xmm2\n\tdecl\t%ecx\n\tjnz\tL115loop_key128\n\tmovdqa\t48(%ebx),%xmm4\n.byte\t102,15,56,0,197\n.byte\t102,15,56,221,196\n\tpslld\t$1,%xmm4\n\tmovdqa\t%xmm2,%xmm3\n\tpslldq\t$4,%xmm2\n\tpxor\t%xmm2,%xmm3\n\tpslldq\t$4,%xmm2\n\tpxor\t%xmm2,%xmm3\n\tpslldq\t$4,%xmm2\n\tpxor\t%xmm3,%xmm2\n\tpxor\t%xmm2,%xmm0\n\tmovdqu\t%xmm0,(%edx)\n\tmovdqa\t%xmm0,%xmm2\n.byte\t102,15,56,0,197\n.byte\t102,15,56,221,196\n\tmovdqa\t%xmm2,%xmm3\n\tpslldq\t$4,%xmm2\n\tpxor\t%xmm2,%xmm3\n\tpslldq\t$4,%xmm2\n\tpxor\t%xmm2,%xmm3\n\tpslldq\t$4,%xmm2\n\tpxor\t%xmm3,%xmm2\n\tpxor\t%xmm2,%xmm0\n\tmovdqu\t%xmm0,16(%edx)\n\tmovl\t$9,%ecx\n\tmovl\t%ecx,96(%edx)\n\tjmp\tL116good_key\n.align\t4,0x90\nL11212rounds_alt:\n\tmovq\t16(%eax),%xmm2\n\tmovdqa\t16(%ebx),%xmm5\n\tmovdqa\t32(%ebx),%xmm4\n\tmovl\t$8,%ecx\n\tmovdqu\t%xmm0,-16(%edx)\nL117loop_key192:\n\tmovq\t%xmm2,(%edx)\n\tmovdqa\t%xmm2,%xmm1\n.byte\t102,15,56,0,213\n.byte\t102,15,56,221,212\n\tpslld\t$1,%xmm4\n\tleal\t24(%edx),%edx\n\tmovdqa\t%xmm0,%xmm3\n\tpslldq\t$4,%xmm0\n\tpxor\t%xmm0,%xmm3\n\tpslldq\t$4,%xmm0\n\tpxor\t%xmm0,%xmm3\n\tpslldq\t$4,%xmm0\n\tpxor\t%xmm3,%xmm0\n\tpshufd\t$255,%xmm0,%xmm3\n\tpxor\t%xmm1,%xmm3\n\tpslldq\t$4,%xmm1\n\tpxor\t%xmm1,%xmm3\n\tpxor\t%xmm2,%xmm0\n\tpxor\t%xmm3,%xmm2\n\tmovdqu\t%xmm0,-16(%edx)\n\tdecl\t%ecx\n\tjnz\tL117loop_key192\n\tmovl\t$11,%ecx\n\tmovl\t%ecx,32(%edx)\n\tjmp\tL116good_key\n.align\t4,0x90\nL11114rounds_alt:\n\tmovups\t16(%eax),%xmm2\n\tleal\t16(%edx),%edx\n\tmovdqa\t(%ebx),%xmm5\n\tmovdqa\t32(%ebx),%xmm4\n\tmovl\t$7,%ecx\n\tmovdqu\t%xmm0,-32(%edx)\n\tmovdqa\t%xmm2,%xmm1\n\tmovdqu\t%xmm2,-16(%edx)\nL118loop_key256:\n.byte\t102,15,56,0,213\n.byte\t102,15,56,221,212\n\tmovdqa\t%xmm0,%xmm3\n\tpslldq\t$4,%xmm0\n\tpxor\t%xmm0,%xmm3\n\tpslldq\t$4,%xmm0\n\tpxor\t%xmm0,%xmm3\n\tpslldq\t$4,%xmm0\n\tpxor\t%xmm3,%xmm0\n\tpslld\t$1,%xmm4\n\tpxor\t%xmm2,%xmm0\n\tmovdqu\t%xmm0,(%edx)\n\tdecl\t%ecx\n\tjz\tL119done_key256\n\tpshufd\t$255,%xmm0,%xmm2\n\tpxor\t%xmm3,%xmm3\n.byte\t102,15,56,221,211\n\tmovdqa\t%xmm1,%xmm3\n\tpslldq\t$4,%xmm1\n\tpxor\t%xmm1,%xmm3\n\tpslldq\t$4,%xmm1\n\tpxor\t%xmm1,%xmm3\n\tpslldq\t$4,%xmm1\n\tpxor\t%xmm3,%xmm1\n\tpxor\t%xmm1,%xmm2\n\tmovdqu\t%xmm2,16(%edx)\n\tleal\t32(%edx),%edx\n\tmovdqa\t%xmm2,%xmm1\n\tjmp\tL118loop_key256\nL119done_key256:\n\tmovl\t$13,%ecx\n\tmovl\t%ecx,16(%edx)\nL116good_key:\n\tpxor\t%xmm0,%xmm0\n\tpxor\t%xmm1,%xmm1\n\tpxor\t%xmm2,%xmm2\n\tpxor\t%xmm3,%xmm3\n\tpxor\t%xmm4,%xmm4\n\tpxor\t%xmm5,%xmm5\n\txorl\t%eax,%eax\n\tpopl\t%ebx\n\tret\n.align\t2,0x90\nL113bad_keybits:\n\tpxor\t%xmm0,%xmm0\n\tmovl\t$-2,%eax\n\tpopl\t%ebx\n\tret\n.globl\t_aes_hw_encrypt_key_to_decrypt_key\n.private_extern\t_aes_hw_encrypt_key_to_decrypt_key\n.align\t4\n_aes_hw_encrypt_key_to_decrypt_key:\nL_aes_hw_encrypt_key_to_decrypt_key_begin:\n\tmovl\t4(%esp),%edx\n\tmovl\t240(%edx),%ecx\n\tshll\t$4,%ecx\n\tleal\t16(%edx,%ecx,1),%eax\n\tmovups\t(%edx),%xmm0\n\tmovups\t(%eax),%xmm1\n\tmovups\t%xmm0,(%eax)\n\tmovups\t%xmm1,(%edx)\n\tleal\t16(%edx),%edx\n\tleal\t-16(%eax),%eax\nL120dec_key_inverse:\n\tmovups\t(%edx),%xmm0\n\tmovups\t(%eax),%xmm1\n.byte\t102,15,56,219,192\n.byte\t102,15,56,219,201\n\tleal\t16(%edx),%edx\n\tleal\t-16(%eax),%eax\n\tmovups\t%xmm0,16(%eax)\n\tmovups\t%xmm1,-16(%edx)\n\tcmpl\t%edx,%eax\n\tja\tL120dec_key_inverse\n\tmovups\t(%edx),%xmm0\n.byte\t102,15,56,219,192\n\tmovups\t%xmm0,(%edx)\n\tpxor\t%xmm0,%xmm0\n\tpxor\t%xmm1,%xmm1\n\tret\n.align\t6,0x90\nLkey_const:\n.long\t202313229,202313229,202313229,202313229\n.long\t67569157,67569157,67569157,67569157\n.long\t1,1,1,1\n.long\t27,27,27,27\n.byte\t65,69,83,32,102,111,114,32,73,110,116,101,108,32,65,69\n.byte\t83,45,78,73,44,32,67,82,89,80,84,79,71,65,77,83\n.byte\t32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115\n.byte\t115,108,46,111,114,103,62,0\n#endif // !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86) && defined(__APPLE__)\n#if defined(__linux__) && defined(__ELF__)\n.section .note.GNU-stack,\"\",%progbits\n#endif\n\n" }, { "path": "Sources/CNIOBoringSSL/gen/bcm/aesni-x86-linux.S", "content": "#define BORINGSSL_PREFIX CNIOBoringSSL\n// This file is generated from a similarly-named Perl script in the BoringSSL\n// source tree. Do not edit by hand.\n\n#include \n\n#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86) && defined(__ELF__)\n.text\n#ifdef BORINGSSL_DISPATCH_TEST\n#endif\n.globl\taes_hw_encrypt\n.hidden\taes_hw_encrypt\n.type\taes_hw_encrypt,@function\n.align\t16\naes_hw_encrypt:\n.L_aes_hw_encrypt_begin:\n#ifdef BORINGSSL_DISPATCH_TEST\n\tpushl\t%ebx\n\tpushl\t%edx\n\tcall\t.L000pic_for_function_hit\n.L000pic_for_function_hit:\n\tpopl\t%ebx\n\tleal\tBORINGSSL_function_hit+1-.L000pic_for_function_hit(%ebx),%ebx\n\tmovl\t$1,%edx\n\tmovb\t%dl,(%ebx)\n\tpopl\t%edx\n\tpopl\t%ebx\n#endif\n\tmovl\t4(%esp),%eax\n\tmovl\t12(%esp),%edx\n\tmovups\t(%eax),%xmm2\n\tmovl\t240(%edx),%ecx\n\tmovl\t8(%esp),%eax\n\tmovups\t(%edx),%xmm0\n\tmovups\t16(%edx),%xmm1\n\tleal\t32(%edx),%edx\n\txorps\t%xmm0,%xmm2\n.L001enc1_loop_1:\n.byte\t102,15,56,220,209\n\tdecl\t%ecx\n\tmovups\t(%edx),%xmm1\n\tleal\t16(%edx),%edx\n\tjnz\t.L001enc1_loop_1\n.byte\t102,15,56,221,209\n\tpxor\t%xmm0,%xmm0\n\tpxor\t%xmm1,%xmm1\n\tmovups\t%xmm2,(%eax)\n\tpxor\t%xmm2,%xmm2\n\tret\n.size\taes_hw_encrypt,.-.L_aes_hw_encrypt_begin\n.globl\taes_hw_decrypt\n.hidden\taes_hw_decrypt\n.type\taes_hw_decrypt,@function\n.align\t16\naes_hw_decrypt:\n.L_aes_hw_decrypt_begin:\n\tmovl\t4(%esp),%eax\n\tmovl\t12(%esp),%edx\n\tmovups\t(%eax),%xmm2\n\tmovl\t240(%edx),%ecx\n\tmovl\t8(%esp),%eax\n\tmovups\t(%edx),%xmm0\n\tmovups\t16(%edx),%xmm1\n\tleal\t32(%edx),%edx\n\txorps\t%xmm0,%xmm2\n.L002dec1_loop_2:\n.byte\t102,15,56,222,209\n\tdecl\t%ecx\n\tmovups\t(%edx),%xmm1\n\tleal\t16(%edx),%edx\n\tjnz\t.L002dec1_loop_2\n.byte\t102,15,56,223,209\n\tpxor\t%xmm0,%xmm0\n\tpxor\t%xmm1,%xmm1\n\tmovups\t%xmm2,(%eax)\n\tpxor\t%xmm2,%xmm2\n\tret\n.size\taes_hw_decrypt,.-.L_aes_hw_decrypt_begin\n.hidden\t_aesni_encrypt2\n.type\t_aesni_encrypt2,@function\n.align\t16\n_aesni_encrypt2:\n\tmovups\t(%edx),%xmm0\n\tshll\t$4,%ecx\n\tmovups\t16(%edx),%xmm1\n\txorps\t%xmm0,%xmm2\n\tpxor\t%xmm0,%xmm3\n\tmovups\t32(%edx),%xmm0\n\tleal\t32(%edx,%ecx,1),%edx\n\tnegl\t%ecx\n\taddl\t$16,%ecx\n.L003enc2_loop:\n.byte\t102,15,56,220,209\n.byte\t102,15,56,220,217\n\tmovups\t(%edx,%ecx,1),%xmm1\n\taddl\t$32,%ecx\n.byte\t102,15,56,220,208\n.byte\t102,15,56,220,216\n\tmovups\t-16(%edx,%ecx,1),%xmm0\n\tjnz\t.L003enc2_loop\n.byte\t102,15,56,220,209\n.byte\t102,15,56,220,217\n.byte\t102,15,56,221,208\n.byte\t102,15,56,221,216\n\tret\n.size\t_aesni_encrypt2,.-_aesni_encrypt2\n.hidden\t_aesni_decrypt2\n.type\t_aesni_decrypt2,@function\n.align\t16\n_aesni_decrypt2:\n\tmovups\t(%edx),%xmm0\n\tshll\t$4,%ecx\n\tmovups\t16(%edx),%xmm1\n\txorps\t%xmm0,%xmm2\n\tpxor\t%xmm0,%xmm3\n\tmovups\t32(%edx),%xmm0\n\tleal\t32(%edx,%ecx,1),%edx\n\tnegl\t%ecx\n\taddl\t$16,%ecx\n.L004dec2_loop:\n.byte\t102,15,56,222,209\n.byte\t102,15,56,222,217\n\tmovups\t(%edx,%ecx,1),%xmm1\n\taddl\t$32,%ecx\n.byte\t102,15,56,222,208\n.byte\t102,15,56,222,216\n\tmovups\t-16(%edx,%ecx,1),%xmm0\n\tjnz\t.L004dec2_loop\n.byte\t102,15,56,222,209\n.byte\t102,15,56,222,217\n.byte\t102,15,56,223,208\n.byte\t102,15,56,223,216\n\tret\n.size\t_aesni_decrypt2,.-_aesni_decrypt2\n.hidden\t_aesni_encrypt3\n.type\t_aesni_encrypt3,@function\n.align\t16\n_aesni_encrypt3:\n\tmovups\t(%edx),%xmm0\n\tshll\t$4,%ecx\n\tmovups\t16(%edx),%xmm1\n\txorps\t%xmm0,%xmm2\n\tpxor\t%xmm0,%xmm3\n\tpxor\t%xmm0,%xmm4\n\tmovups\t32(%edx),%xmm0\n\tleal\t32(%edx,%ecx,1),%edx\n\tnegl\t%ecx\n\taddl\t$16,%ecx\n.L005enc3_loop:\n.byte\t102,15,56,220,209\n.byte\t102,15,56,220,217\n.byte\t102,15,56,220,225\n\tmovups\t(%edx,%ecx,1),%xmm1\n\taddl\t$32,%ecx\n.byte\t102,15,56,220,208\n.byte\t102,15,56,220,216\n.byte\t102,15,56,220,224\n\tmovups\t-16(%edx,%ecx,1),%xmm0\n\tjnz\t.L005enc3_loop\n.byte\t102,15,56,220,209\n.byte\t102,15,56,220,217\n.byte\t102,15,56,220,225\n.byte\t102,15,56,221,208\n.byte\t102,15,56,221,216\n.byte\t102,15,56,221,224\n\tret\n.size\t_aesni_encrypt3,.-_aesni_encrypt3\n.hidden\t_aesni_decrypt3\n.type\t_aesni_decrypt3,@function\n.align\t16\n_aesni_decrypt3:\n\tmovups\t(%edx),%xmm0\n\tshll\t$4,%ecx\n\tmovups\t16(%edx),%xmm1\n\txorps\t%xmm0,%xmm2\n\tpxor\t%xmm0,%xmm3\n\tpxor\t%xmm0,%xmm4\n\tmovups\t32(%edx),%xmm0\n\tleal\t32(%edx,%ecx,1),%edx\n\tnegl\t%ecx\n\taddl\t$16,%ecx\n.L006dec3_loop:\n.byte\t102,15,56,222,209\n.byte\t102,15,56,222,217\n.byte\t102,15,56,222,225\n\tmovups\t(%edx,%ecx,1),%xmm1\n\taddl\t$32,%ecx\n.byte\t102,15,56,222,208\n.byte\t102,15,56,222,216\n.byte\t102,15,56,222,224\n\tmovups\t-16(%edx,%ecx,1),%xmm0\n\tjnz\t.L006dec3_loop\n.byte\t102,15,56,222,209\n.byte\t102,15,56,222,217\n.byte\t102,15,56,222,225\n.byte\t102,15,56,223,208\n.byte\t102,15,56,223,216\n.byte\t102,15,56,223,224\n\tret\n.size\t_aesni_decrypt3,.-_aesni_decrypt3\n.hidden\t_aesni_encrypt4\n.type\t_aesni_encrypt4,@function\n.align\t16\n_aesni_encrypt4:\n\tmovups\t(%edx),%xmm0\n\tmovups\t16(%edx),%xmm1\n\tshll\t$4,%ecx\n\txorps\t%xmm0,%xmm2\n\tpxor\t%xmm0,%xmm3\n\tpxor\t%xmm0,%xmm4\n\tpxor\t%xmm0,%xmm5\n\tmovups\t32(%edx),%xmm0\n\tleal\t32(%edx,%ecx,1),%edx\n\tnegl\t%ecx\n.byte\t15,31,64,0\n\taddl\t$16,%ecx\n.L007enc4_loop:\n.byte\t102,15,56,220,209\n.byte\t102,15,56,220,217\n.byte\t102,15,56,220,225\n.byte\t102,15,56,220,233\n\tmovups\t(%edx,%ecx,1),%xmm1\n\taddl\t$32,%ecx\n.byte\t102,15,56,220,208\n.byte\t102,15,56,220,216\n.byte\t102,15,56,220,224\n.byte\t102,15,56,220,232\n\tmovups\t-16(%edx,%ecx,1),%xmm0\n\tjnz\t.L007enc4_loop\n.byte\t102,15,56,220,209\n.byte\t102,15,56,220,217\n.byte\t102,15,56,220,225\n.byte\t102,15,56,220,233\n.byte\t102,15,56,221,208\n.byte\t102,15,56,221,216\n.byte\t102,15,56,221,224\n.byte\t102,15,56,221,232\n\tret\n.size\t_aesni_encrypt4,.-_aesni_encrypt4\n.hidden\t_aesni_decrypt4\n.type\t_aesni_decrypt4,@function\n.align\t16\n_aesni_decrypt4:\n\tmovups\t(%edx),%xmm0\n\tmovups\t16(%edx),%xmm1\n\tshll\t$4,%ecx\n\txorps\t%xmm0,%xmm2\n\tpxor\t%xmm0,%xmm3\n\tpxor\t%xmm0,%xmm4\n\tpxor\t%xmm0,%xmm5\n\tmovups\t32(%edx),%xmm0\n\tleal\t32(%edx,%ecx,1),%edx\n\tnegl\t%ecx\n.byte\t15,31,64,0\n\taddl\t$16,%ecx\n.L008dec4_loop:\n.byte\t102,15,56,222,209\n.byte\t102,15,56,222,217\n.byte\t102,15,56,222,225\n.byte\t102,15,56,222,233\n\tmovups\t(%edx,%ecx,1),%xmm1\n\taddl\t$32,%ecx\n.byte\t102,15,56,222,208\n.byte\t102,15,56,222,216\n.byte\t102,15,56,222,224\n.byte\t102,15,56,222,232\n\tmovups\t-16(%edx,%ecx,1),%xmm0\n\tjnz\t.L008dec4_loop\n.byte\t102,15,56,222,209\n.byte\t102,15,56,222,217\n.byte\t102,15,56,222,225\n.byte\t102,15,56,222,233\n.byte\t102,15,56,223,208\n.byte\t102,15,56,223,216\n.byte\t102,15,56,223,224\n.byte\t102,15,56,223,232\n\tret\n.size\t_aesni_decrypt4,.-_aesni_decrypt4\n.hidden\t_aesni_encrypt6\n.type\t_aesni_encrypt6,@function\n.align\t16\n_aesni_encrypt6:\n\tmovups\t(%edx),%xmm0\n\tshll\t$4,%ecx\n\tmovups\t16(%edx),%xmm1\n\txorps\t%xmm0,%xmm2\n\tpxor\t%xmm0,%xmm3\n\tpxor\t%xmm0,%xmm4\n.byte\t102,15,56,220,209\n\tpxor\t%xmm0,%xmm5\n\tpxor\t%xmm0,%xmm6\n.byte\t102,15,56,220,217\n\tleal\t32(%edx,%ecx,1),%edx\n\tnegl\t%ecx\n.byte\t102,15,56,220,225\n\tpxor\t%xmm0,%xmm7\n\tmovups\t(%edx,%ecx,1),%xmm0\n\taddl\t$16,%ecx\n\tjmp\t.L009_aesni_encrypt6_inner\n.align\t16\n.L010enc6_loop:\n.byte\t102,15,56,220,209\n.byte\t102,15,56,220,217\n.byte\t102,15,56,220,225\n.L009_aesni_encrypt6_inner:\n.byte\t102,15,56,220,233\n.byte\t102,15,56,220,241\n.byte\t102,15,56,220,249\n.L_aesni_encrypt6_enter:\n\tmovups\t(%edx,%ecx,1),%xmm1\n\taddl\t$32,%ecx\n.byte\t102,15,56,220,208\n.byte\t102,15,56,220,216\n.byte\t102,15,56,220,224\n.byte\t102,15,56,220,232\n.byte\t102,15,56,220,240\n.byte\t102,15,56,220,248\n\tmovups\t-16(%edx,%ecx,1),%xmm0\n\tjnz\t.L010enc6_loop\n.byte\t102,15,56,220,209\n.byte\t102,15,56,220,217\n.byte\t102,15,56,220,225\n.byte\t102,15,56,220,233\n.byte\t102,15,56,220,241\n.byte\t102,15,56,220,249\n.byte\t102,15,56,221,208\n.byte\t102,15,56,221,216\n.byte\t102,15,56,221,224\n.byte\t102,15,56,221,232\n.byte\t102,15,56,221,240\n.byte\t102,15,56,221,248\n\tret\n.size\t_aesni_encrypt6,.-_aesni_encrypt6\n.hidden\t_aesni_decrypt6\n.type\t_aesni_decrypt6,@function\n.align\t16\n_aesni_decrypt6:\n\tmovups\t(%edx),%xmm0\n\tshll\t$4,%ecx\n\tmovups\t16(%edx),%xmm1\n\txorps\t%xmm0,%xmm2\n\tpxor\t%xmm0,%xmm3\n\tpxor\t%xmm0,%xmm4\n.byte\t102,15,56,222,209\n\tpxor\t%xmm0,%xmm5\n\tpxor\t%xmm0,%xmm6\n.byte\t102,15,56,222,217\n\tleal\t32(%edx,%ecx,1),%edx\n\tnegl\t%ecx\n.byte\t102,15,56,222,225\n\tpxor\t%xmm0,%xmm7\n\tmovups\t(%edx,%ecx,1),%xmm0\n\taddl\t$16,%ecx\n\tjmp\t.L011_aesni_decrypt6_inner\n.align\t16\n.L012dec6_loop:\n.byte\t102,15,56,222,209\n.byte\t102,15,56,222,217\n.byte\t102,15,56,222,225\n.L011_aesni_decrypt6_inner:\n.byte\t102,15,56,222,233\n.byte\t102,15,56,222,241\n.byte\t102,15,56,222,249\n.L_aesni_decrypt6_enter:\n\tmovups\t(%edx,%ecx,1),%xmm1\n\taddl\t$32,%ecx\n.byte\t102,15,56,222,208\n.byte\t102,15,56,222,216\n.byte\t102,15,56,222,224\n.byte\t102,15,56,222,232\n.byte\t102,15,56,222,240\n.byte\t102,15,56,222,248\n\tmovups\t-16(%edx,%ecx,1),%xmm0\n\tjnz\t.L012dec6_loop\n.byte\t102,15,56,222,209\n.byte\t102,15,56,222,217\n.byte\t102,15,56,222,225\n.byte\t102,15,56,222,233\n.byte\t102,15,56,222,241\n.byte\t102,15,56,222,249\n.byte\t102,15,56,223,208\n.byte\t102,15,56,223,216\n.byte\t102,15,56,223,224\n.byte\t102,15,56,223,232\n.byte\t102,15,56,223,240\n.byte\t102,15,56,223,248\n\tret\n.size\t_aesni_decrypt6,.-_aesni_decrypt6\n.globl\taes_hw_ecb_encrypt\n.hidden\taes_hw_ecb_encrypt\n.type\taes_hw_ecb_encrypt,@function\n.align\t16\naes_hw_ecb_encrypt:\n.L_aes_hw_ecb_encrypt_begin:\n\tpushl\t%ebp\n\tpushl\t%ebx\n\tpushl\t%esi\n\tpushl\t%edi\n\tmovl\t20(%esp),%esi\n\tmovl\t24(%esp),%edi\n\tmovl\t28(%esp),%eax\n\tmovl\t32(%esp),%edx\n\tmovl\t36(%esp),%ebx\n\tandl\t$-16,%eax\n\tjz\t.L013ecb_ret\n\tmovl\t240(%edx),%ecx\n\ttestl\t%ebx,%ebx\n\tjz\t.L014ecb_decrypt\n\tmovl\t%edx,%ebp\n\tmovl\t%ecx,%ebx\n\tcmpl\t$96,%eax\n\tjb\t.L015ecb_enc_tail\n\tmovdqu\t(%esi),%xmm2\n\tmovdqu\t16(%esi),%xmm3\n\tmovdqu\t32(%esi),%xmm4\n\tmovdqu\t48(%esi),%xmm5\n\tmovdqu\t64(%esi),%xmm6\n\tmovdqu\t80(%esi),%xmm7\n\tleal\t96(%esi),%esi\n\tsubl\t$96,%eax\n\tjmp\t.L016ecb_enc_loop6_enter\n.align\t16\n.L017ecb_enc_loop6:\n\tmovups\t%xmm2,(%edi)\n\tmovdqu\t(%esi),%xmm2\n\tmovups\t%xmm3,16(%edi)\n\tmovdqu\t16(%esi),%xmm3\n\tmovups\t%xmm4,32(%edi)\n\tmovdqu\t32(%esi),%xmm4\n\tmovups\t%xmm5,48(%edi)\n\tmovdqu\t48(%esi),%xmm5\n\tmovups\t%xmm6,64(%edi)\n\tmovdqu\t64(%esi),%xmm6\n\tmovups\t%xmm7,80(%edi)\n\tleal\t96(%edi),%edi\n\tmovdqu\t80(%esi),%xmm7\n\tleal\t96(%esi),%esi\n.L016ecb_enc_loop6_enter:\n\tcall\t_aesni_encrypt6\n\tmovl\t%ebp,%edx\n\tmovl\t%ebx,%ecx\n\tsubl\t$96,%eax\n\tjnc\t.L017ecb_enc_loop6\n\tmovups\t%xmm2,(%edi)\n\tmovups\t%xmm3,16(%edi)\n\tmovups\t%xmm4,32(%edi)\n\tmovups\t%xmm5,48(%edi)\n\tmovups\t%xmm6,64(%edi)\n\tmovups\t%xmm7,80(%edi)\n\tleal\t96(%edi),%edi\n\taddl\t$96,%eax\n\tjz\t.L013ecb_ret\n.L015ecb_enc_tail:\n\tmovups\t(%esi),%xmm2\n\tcmpl\t$32,%eax\n\tjb\t.L018ecb_enc_one\n\tmovups\t16(%esi),%xmm3\n\tje\t.L019ecb_enc_two\n\tmovups\t32(%esi),%xmm4\n\tcmpl\t$64,%eax\n\tjb\t.L020ecb_enc_three\n\tmovups\t48(%esi),%xmm5\n\tje\t.L021ecb_enc_four\n\tmovups\t64(%esi),%xmm6\n\txorps\t%xmm7,%xmm7\n\tcall\t_aesni_encrypt6\n\tmovups\t%xmm2,(%edi)\n\tmovups\t%xmm3,16(%edi)\n\tmovups\t%xmm4,32(%edi)\n\tmovups\t%xmm5,48(%edi)\n\tmovups\t%xmm6,64(%edi)\n\tjmp\t.L013ecb_ret\n.align\t16\n.L018ecb_enc_one:\n\tmovups\t(%edx),%xmm0\n\tmovups\t16(%edx),%xmm1\n\tleal\t32(%edx),%edx\n\txorps\t%xmm0,%xmm2\n.L022enc1_loop_3:\n.byte\t102,15,56,220,209\n\tdecl\t%ecx\n\tmovups\t(%edx),%xmm1\n\tleal\t16(%edx),%edx\n\tjnz\t.L022enc1_loop_3\n.byte\t102,15,56,221,209\n\tmovups\t%xmm2,(%edi)\n\tjmp\t.L013ecb_ret\n.align\t16\n.L019ecb_enc_two:\n\tcall\t_aesni_encrypt2\n\tmovups\t%xmm2,(%edi)\n\tmovups\t%xmm3,16(%edi)\n\tjmp\t.L013ecb_ret\n.align\t16\n.L020ecb_enc_three:\n\tcall\t_aesni_encrypt3\n\tmovups\t%xmm2,(%edi)\n\tmovups\t%xmm3,16(%edi)\n\tmovups\t%xmm4,32(%edi)\n\tjmp\t.L013ecb_ret\n.align\t16\n.L021ecb_enc_four:\n\tcall\t_aesni_encrypt4\n\tmovups\t%xmm2,(%edi)\n\tmovups\t%xmm3,16(%edi)\n\tmovups\t%xmm4,32(%edi)\n\tmovups\t%xmm5,48(%edi)\n\tjmp\t.L013ecb_ret\n.align\t16\n.L014ecb_decrypt:\n\tmovl\t%edx,%ebp\n\tmovl\t%ecx,%ebx\n\tcmpl\t$96,%eax\n\tjb\t.L023ecb_dec_tail\n\tmovdqu\t(%esi),%xmm2\n\tmovdqu\t16(%esi),%xmm3\n\tmovdqu\t32(%esi),%xmm4\n\tmovdqu\t48(%esi),%xmm5\n\tmovdqu\t64(%esi),%xmm6\n\tmovdqu\t80(%esi),%xmm7\n\tleal\t96(%esi),%esi\n\tsubl\t$96,%eax\n\tjmp\t.L024ecb_dec_loop6_enter\n.align\t16\n.L025ecb_dec_loop6:\n\tmovups\t%xmm2,(%edi)\n\tmovdqu\t(%esi),%xmm2\n\tmovups\t%xmm3,16(%edi)\n\tmovdqu\t16(%esi),%xmm3\n\tmovups\t%xmm4,32(%edi)\n\tmovdqu\t32(%esi),%xmm4\n\tmovups\t%xmm5,48(%edi)\n\tmovdqu\t48(%esi),%xmm5\n\tmovups\t%xmm6,64(%edi)\n\tmovdqu\t64(%esi),%xmm6\n\tmovups\t%xmm7,80(%edi)\n\tleal\t96(%edi),%edi\n\tmovdqu\t80(%esi),%xmm7\n\tleal\t96(%esi),%esi\n.L024ecb_dec_loop6_enter:\n\tcall\t_aesni_decrypt6\n\tmovl\t%ebp,%edx\n\tmovl\t%ebx,%ecx\n\tsubl\t$96,%eax\n\tjnc\t.L025ecb_dec_loop6\n\tmovups\t%xmm2,(%edi)\n\tmovups\t%xmm3,16(%edi)\n\tmovups\t%xmm4,32(%edi)\n\tmovups\t%xmm5,48(%edi)\n\tmovups\t%xmm6,64(%edi)\n\tmovups\t%xmm7,80(%edi)\n\tleal\t96(%edi),%edi\n\taddl\t$96,%eax\n\tjz\t.L013ecb_ret\n.L023ecb_dec_tail:\n\tmovups\t(%esi),%xmm2\n\tcmpl\t$32,%eax\n\tjb\t.L026ecb_dec_one\n\tmovups\t16(%esi),%xmm3\n\tje\t.L027ecb_dec_two\n\tmovups\t32(%esi),%xmm4\n\tcmpl\t$64,%eax\n\tjb\t.L028ecb_dec_three\n\tmovups\t48(%esi),%xmm5\n\tje\t.L029ecb_dec_four\n\tmovups\t64(%esi),%xmm6\n\txorps\t%xmm7,%xmm7\n\tcall\t_aesni_decrypt6\n\tmovups\t%xmm2,(%edi)\n\tmovups\t%xmm3,16(%edi)\n\tmovups\t%xmm4,32(%edi)\n\tmovups\t%xmm5,48(%edi)\n\tmovups\t%xmm6,64(%edi)\n\tjmp\t.L013ecb_ret\n.align\t16\n.L026ecb_dec_one:\n\tmovups\t(%edx),%xmm0\n\tmovups\t16(%edx),%xmm1\n\tleal\t32(%edx),%edx\n\txorps\t%xmm0,%xmm2\n.L030dec1_loop_4:\n.byte\t102,15,56,222,209\n\tdecl\t%ecx\n\tmovups\t(%edx),%xmm1\n\tleal\t16(%edx),%edx\n\tjnz\t.L030dec1_loop_4\n.byte\t102,15,56,223,209\n\tmovups\t%xmm2,(%edi)\n\tjmp\t.L013ecb_ret\n.align\t16\n.L027ecb_dec_two:\n\tcall\t_aesni_decrypt2\n\tmovups\t%xmm2,(%edi)\n\tmovups\t%xmm3,16(%edi)\n\tjmp\t.L013ecb_ret\n.align\t16\n.L028ecb_dec_three:\n\tcall\t_aesni_decrypt3\n\tmovups\t%xmm2,(%edi)\n\tmovups\t%xmm3,16(%edi)\n\tmovups\t%xmm4,32(%edi)\n\tjmp\t.L013ecb_ret\n.align\t16\n.L029ecb_dec_four:\n\tcall\t_aesni_decrypt4\n\tmovups\t%xmm2,(%edi)\n\tmovups\t%xmm3,16(%edi)\n\tmovups\t%xmm4,32(%edi)\n\tmovups\t%xmm5,48(%edi)\n.L013ecb_ret:\n\tpxor\t%xmm0,%xmm0\n\tpxor\t%xmm1,%xmm1\n\tpxor\t%xmm2,%xmm2\n\tpxor\t%xmm3,%xmm3\n\tpxor\t%xmm4,%xmm4\n\tpxor\t%xmm5,%xmm5\n\tpxor\t%xmm6,%xmm6\n\tpxor\t%xmm7,%xmm7\n\tpopl\t%edi\n\tpopl\t%esi\n\tpopl\t%ebx\n\tpopl\t%ebp\n\tret\n.size\taes_hw_ecb_encrypt,.-.L_aes_hw_ecb_encrypt_begin\n.globl\taes_hw_ccm64_encrypt_blocks\n.hidden\taes_hw_ccm64_encrypt_blocks\n.type\taes_hw_ccm64_encrypt_blocks,@function\n.align\t16\naes_hw_ccm64_encrypt_blocks:\n.L_aes_hw_ccm64_encrypt_blocks_begin:\n\tpushl\t%ebp\n\tpushl\t%ebx\n\tpushl\t%esi\n\tpushl\t%edi\n\tmovl\t20(%esp),%esi\n\tmovl\t24(%esp),%edi\n\tmovl\t28(%esp),%eax\n\tmovl\t32(%esp),%edx\n\tmovl\t36(%esp),%ebx\n\tmovl\t40(%esp),%ecx\n\tmovl\t%esp,%ebp\n\tsubl\t$60,%esp\n\tandl\t$-16,%esp\n\tmovl\t%ebp,48(%esp)\n\tmovdqu\t(%ebx),%xmm7\n\tmovdqu\t(%ecx),%xmm3\n\tmovl\t240(%edx),%ecx\n\tmovl\t$202182159,(%esp)\n\tmovl\t$134810123,4(%esp)\n\tmovl\t$67438087,8(%esp)\n\tmovl\t$66051,12(%esp)\n\tmovl\t$1,%ebx\n\txorl\t%ebp,%ebp\n\tmovl\t%ebx,16(%esp)\n\tmovl\t%ebp,20(%esp)\n\tmovl\t%ebp,24(%esp)\n\tmovl\t%ebp,28(%esp)\n\tshll\t$4,%ecx\n\tmovl\t$16,%ebx\n\tleal\t(%edx),%ebp\n\tmovdqa\t(%esp),%xmm5\n\tmovdqa\t%xmm7,%xmm2\n\tleal\t32(%edx,%ecx,1),%edx\n\tsubl\t%ecx,%ebx\n.byte\t102,15,56,0,253\n.L031ccm64_enc_outer:\n\tmovups\t(%ebp),%xmm0\n\tmovl\t%ebx,%ecx\n\tmovups\t(%esi),%xmm6\n\txorps\t%xmm0,%xmm2\n\tmovups\t16(%ebp),%xmm1\n\txorps\t%xmm6,%xmm0\n\txorps\t%xmm0,%xmm3\n\tmovups\t32(%ebp),%xmm0\n.L032ccm64_enc2_loop:\n.byte\t102,15,56,220,209\n.byte\t102,15,56,220,217\n\tmovups\t(%edx,%ecx,1),%xmm1\n\taddl\t$32,%ecx\n.byte\t102,15,56,220,208\n.byte\t102,15,56,220,216\n\tmovups\t-16(%edx,%ecx,1),%xmm0\n\tjnz\t.L032ccm64_enc2_loop\n.byte\t102,15,56,220,209\n.byte\t102,15,56,220,217\n\tpaddq\t16(%esp),%xmm7\n\tdecl\t%eax\n.byte\t102,15,56,221,208\n.byte\t102,15,56,221,216\n\tleal\t16(%esi),%esi\n\txorps\t%xmm2,%xmm6\n\tmovdqa\t%xmm7,%xmm2\n\tmovups\t%xmm6,(%edi)\n.byte\t102,15,56,0,213\n\tleal\t16(%edi),%edi\n\tjnz\t.L031ccm64_enc_outer\n\tmovl\t48(%esp),%esp\n\tmovl\t40(%esp),%edi\n\tmovups\t%xmm3,(%edi)\n\tpxor\t%xmm0,%xmm0\n\tpxor\t%xmm1,%xmm1\n\tpxor\t%xmm2,%xmm2\n\tpxor\t%xmm3,%xmm3\n\tpxor\t%xmm4,%xmm4\n\tpxor\t%xmm5,%xmm5\n\tpxor\t%xmm6,%xmm6\n\tpxor\t%xmm7,%xmm7\n\tpopl\t%edi\n\tpopl\t%esi\n\tpopl\t%ebx\n\tpopl\t%ebp\n\tret\n.size\taes_hw_ccm64_encrypt_blocks,.-.L_aes_hw_ccm64_encrypt_blocks_begin\n.globl\taes_hw_ccm64_decrypt_blocks\n.hidden\taes_hw_ccm64_decrypt_blocks\n.type\taes_hw_ccm64_decrypt_blocks,@function\n.align\t16\naes_hw_ccm64_decrypt_blocks:\n.L_aes_hw_ccm64_decrypt_blocks_begin:\n\tpushl\t%ebp\n\tpushl\t%ebx\n\tpushl\t%esi\n\tpushl\t%edi\n\tmovl\t20(%esp),%esi\n\tmovl\t24(%esp),%edi\n\tmovl\t28(%esp),%eax\n\tmovl\t32(%esp),%edx\n\tmovl\t36(%esp),%ebx\n\tmovl\t40(%esp),%ecx\n\tmovl\t%esp,%ebp\n\tsubl\t$60,%esp\n\tandl\t$-16,%esp\n\tmovl\t%ebp,48(%esp)\n\tmovdqu\t(%ebx),%xmm7\n\tmovdqu\t(%ecx),%xmm3\n\tmovl\t240(%edx),%ecx\n\tmovl\t$202182159,(%esp)\n\tmovl\t$134810123,4(%esp)\n\tmovl\t$67438087,8(%esp)\n\tmovl\t$66051,12(%esp)\n\tmovl\t$1,%ebx\n\txorl\t%ebp,%ebp\n\tmovl\t%ebx,16(%esp)\n\tmovl\t%ebp,20(%esp)\n\tmovl\t%ebp,24(%esp)\n\tmovl\t%ebp,28(%esp)\n\tmovdqa\t(%esp),%xmm5\n\tmovdqa\t%xmm7,%xmm2\n\tmovl\t%edx,%ebp\n\tmovl\t%ecx,%ebx\n.byte\t102,15,56,0,253\n\tmovups\t(%edx),%xmm0\n\tmovups\t16(%edx),%xmm1\n\tleal\t32(%edx),%edx\n\txorps\t%xmm0,%xmm2\n.L033enc1_loop_5:\n.byte\t102,15,56,220,209\n\tdecl\t%ecx\n\tmovups\t(%edx),%xmm1\n\tleal\t16(%edx),%edx\n\tjnz\t.L033enc1_loop_5\n.byte\t102,15,56,221,209\n\tshll\t$4,%ebx\n\tmovl\t$16,%ecx\n\tmovups\t(%esi),%xmm6\n\tpaddq\t16(%esp),%xmm7\n\tleal\t16(%esi),%esi\n\tsubl\t%ebx,%ecx\n\tleal\t32(%ebp,%ebx,1),%edx\n\tmovl\t%ecx,%ebx\n\tjmp\t.L034ccm64_dec_outer\n.align\t16\n.L034ccm64_dec_outer:\n\txorps\t%xmm2,%xmm6\n\tmovdqa\t%xmm7,%xmm2\n\tmovups\t%xmm6,(%edi)\n\tleal\t16(%edi),%edi\n.byte\t102,15,56,0,213\n\tsubl\t$1,%eax\n\tjz\t.L035ccm64_dec_break\n\tmovups\t(%ebp),%xmm0\n\tmovl\t%ebx,%ecx\n\tmovups\t16(%ebp),%xmm1\n\txorps\t%xmm0,%xmm6\n\txorps\t%xmm0,%xmm2\n\txorps\t%xmm6,%xmm3\n\tmovups\t32(%ebp),%xmm0\n.L036ccm64_dec2_loop:\n.byte\t102,15,56,220,209\n.byte\t102,15,56,220,217\n\tmovups\t(%edx,%ecx,1),%xmm1\n\taddl\t$32,%ecx\n.byte\t102,15,56,220,208\n.byte\t102,15,56,220,216\n\tmovups\t-16(%edx,%ecx,1),%xmm0\n\tjnz\t.L036ccm64_dec2_loop\n\tmovups\t(%esi),%xmm6\n\tpaddq\t16(%esp),%xmm7\n.byte\t102,15,56,220,209\n.byte\t102,15,56,220,217\n.byte\t102,15,56,221,208\n.byte\t102,15,56,221,216\n\tleal\t16(%esi),%esi\n\tjmp\t.L034ccm64_dec_outer\n.align\t16\n.L035ccm64_dec_break:\n\tmovl\t240(%ebp),%ecx\n\tmovl\t%ebp,%edx\n\tmovups\t(%edx),%xmm0\n\tmovups\t16(%edx),%xmm1\n\txorps\t%xmm0,%xmm6\n\tleal\t32(%edx),%edx\n\txorps\t%xmm6,%xmm3\n.L037enc1_loop_6:\n.byte\t102,15,56,220,217\n\tdecl\t%ecx\n\tmovups\t(%edx),%xmm1\n\tleal\t16(%edx),%edx\n\tjnz\t.L037enc1_loop_6\n.byte\t102,15,56,221,217\n\tmovl\t48(%esp),%esp\n\tmovl\t40(%esp),%edi\n\tmovups\t%xmm3,(%edi)\n\tpxor\t%xmm0,%xmm0\n\tpxor\t%xmm1,%xmm1\n\tpxor\t%xmm2,%xmm2\n\tpxor\t%xmm3,%xmm3\n\tpxor\t%xmm4,%xmm4\n\tpxor\t%xmm5,%xmm5\n\tpxor\t%xmm6,%xmm6\n\tpxor\t%xmm7,%xmm7\n\tpopl\t%edi\n\tpopl\t%esi\n\tpopl\t%ebx\n\tpopl\t%ebp\n\tret\n.size\taes_hw_ccm64_decrypt_blocks,.-.L_aes_hw_ccm64_decrypt_blocks_begin\n.globl\taes_hw_ctr32_encrypt_blocks\n.hidden\taes_hw_ctr32_encrypt_blocks\n.type\taes_hw_ctr32_encrypt_blocks,@function\n.align\t16\naes_hw_ctr32_encrypt_blocks:\n.L_aes_hw_ctr32_encrypt_blocks_begin:\n\tpushl\t%ebp\n\tpushl\t%ebx\n\tpushl\t%esi\n\tpushl\t%edi\n#ifdef BORINGSSL_DISPATCH_TEST\n\tpushl\t%ebx\n\tpushl\t%edx\n\tcall\t.L038pic_for_function_hit\n.L038pic_for_function_hit:\n\tpopl\t%ebx\n\tleal\tBORINGSSL_function_hit+0-.L038pic_for_function_hit(%ebx),%ebx\n\tmovl\t$1,%edx\n\tmovb\t%dl,(%ebx)\n\tpopl\t%edx\n\tpopl\t%ebx\n#endif\n\tmovl\t20(%esp),%esi\n\tmovl\t24(%esp),%edi\n\tmovl\t28(%esp),%eax\n\tmovl\t32(%esp),%edx\n\tmovl\t36(%esp),%ebx\n\tmovl\t%esp,%ebp\n\tsubl\t$88,%esp\n\tandl\t$-16,%esp\n\tmovl\t%ebp,80(%esp)\n\tcmpl\t$1,%eax\n\tje\t.L039ctr32_one_shortcut\n\tmovdqu\t(%ebx),%xmm7\n\tmovl\t$202182159,(%esp)\n\tmovl\t$134810123,4(%esp)\n\tmovl\t$67438087,8(%esp)\n\tmovl\t$66051,12(%esp)\n\tmovl\t$6,%ecx\n\txorl\t%ebp,%ebp\n\tmovl\t%ecx,16(%esp)\n\tmovl\t%ecx,20(%esp)\n\tmovl\t%ecx,24(%esp)\n\tmovl\t%ebp,28(%esp)\n.byte\t102,15,58,22,251,3\n.byte\t102,15,58,34,253,3\n\tmovl\t240(%edx),%ecx\n\tbswap\t%ebx\n\tpxor\t%xmm0,%xmm0\n\tpxor\t%xmm1,%xmm1\n\tmovdqa\t(%esp),%xmm2\n.byte\t102,15,58,34,195,0\n\tleal\t3(%ebx),%ebp\n.byte\t102,15,58,34,205,0\n\tincl\t%ebx\n.byte\t102,15,58,34,195,1\n\tincl\t%ebp\n.byte\t102,15,58,34,205,1\n\tincl\t%ebx\n.byte\t102,15,58,34,195,2\n\tincl\t%ebp\n.byte\t102,15,58,34,205,2\n\tmovdqa\t%xmm0,48(%esp)\n.byte\t102,15,56,0,194\n\tmovdqu\t(%edx),%xmm6\n\tmovdqa\t%xmm1,64(%esp)\n.byte\t102,15,56,0,202\n\tpshufd\t$192,%xmm0,%xmm2\n\tpshufd\t$128,%xmm0,%xmm3\n\tcmpl\t$6,%eax\n\tjb\t.L040ctr32_tail\n\tpxor\t%xmm6,%xmm7\n\tshll\t$4,%ecx\n\tmovl\t$16,%ebx\n\tmovdqa\t%xmm7,32(%esp)\n\tmovl\t%edx,%ebp\n\tsubl\t%ecx,%ebx\n\tleal\t32(%edx,%ecx,1),%edx\n\tsubl\t$6,%eax\n\tjmp\t.L041ctr32_loop6\n.align\t16\n.L041ctr32_loop6:\n\tpshufd\t$64,%xmm0,%xmm4\n\tmovdqa\t32(%esp),%xmm0\n\tpshufd\t$192,%xmm1,%xmm5\n\tpxor\t%xmm0,%xmm2\n\tpshufd\t$128,%xmm1,%xmm6\n\tpxor\t%xmm0,%xmm3\n\tpshufd\t$64,%xmm1,%xmm7\n\tmovups\t16(%ebp),%xmm1\n\tpxor\t%xmm0,%xmm4\n\tpxor\t%xmm0,%xmm5\n.byte\t102,15,56,220,209\n\tpxor\t%xmm0,%xmm6\n\tpxor\t%xmm0,%xmm7\n.byte\t102,15,56,220,217\n\tmovups\t32(%ebp),%xmm0\n\tmovl\t%ebx,%ecx\n.byte\t102,15,56,220,225\n.byte\t102,15,56,220,233\n.byte\t102,15,56,220,241\n.byte\t102,15,56,220,249\n\tcall\t.L_aesni_encrypt6_enter\n\tmovups\t(%esi),%xmm1\n\tmovups\t16(%esi),%xmm0\n\txorps\t%xmm1,%xmm2\n\tmovups\t32(%esi),%xmm1\n\txorps\t%xmm0,%xmm3\n\tmovups\t%xmm2,(%edi)\n\tmovdqa\t16(%esp),%xmm0\n\txorps\t%xmm1,%xmm4\n\tmovdqa\t64(%esp),%xmm1\n\tmovups\t%xmm3,16(%edi)\n\tmovups\t%xmm4,32(%edi)\n\tpaddd\t%xmm0,%xmm1\n\tpaddd\t48(%esp),%xmm0\n\tmovdqa\t(%esp),%xmm2\n\tmovups\t48(%esi),%xmm3\n\tmovups\t64(%esi),%xmm4\n\txorps\t%xmm3,%xmm5\n\tmovups\t80(%esi),%xmm3\n\tleal\t96(%esi),%esi\n\tmovdqa\t%xmm0,48(%esp)\n.byte\t102,15,56,0,194\n\txorps\t%xmm4,%xmm6\n\tmovups\t%xmm5,48(%edi)\n\txorps\t%xmm3,%xmm7\n\tmovdqa\t%xmm1,64(%esp)\n.byte\t102,15,56,0,202\n\tmovups\t%xmm6,64(%edi)\n\tpshufd\t$192,%xmm0,%xmm2\n\tmovups\t%xmm7,80(%edi)\n\tleal\t96(%edi),%edi\n\tpshufd\t$128,%xmm0,%xmm3\n\tsubl\t$6,%eax\n\tjnc\t.L041ctr32_loop6\n\taddl\t$6,%eax\n\tjz\t.L042ctr32_ret\n\tmovdqu\t(%ebp),%xmm7\n\tmovl\t%ebp,%edx\n\tpxor\t32(%esp),%xmm7\n\tmovl\t240(%ebp),%ecx\n.L040ctr32_tail:\n\tpor\t%xmm7,%xmm2\n\tcmpl\t$2,%eax\n\tjb\t.L043ctr32_one\n\tpshufd\t$64,%xmm0,%xmm4\n\tpor\t%xmm7,%xmm3\n\tje\t.L044ctr32_two\n\tpshufd\t$192,%xmm1,%xmm5\n\tpor\t%xmm7,%xmm4\n\tcmpl\t$4,%eax\n\tjb\t.L045ctr32_three\n\tpshufd\t$128,%xmm1,%xmm6\n\tpor\t%xmm7,%xmm5\n\tje\t.L046ctr32_four\n\tpor\t%xmm7,%xmm6\n\tcall\t_aesni_encrypt6\n\tmovups\t(%esi),%xmm1\n\tmovups\t16(%esi),%xmm0\n\txorps\t%xmm1,%xmm2\n\tmovups\t32(%esi),%xmm1\n\txorps\t%xmm0,%xmm3\n\tmovups\t48(%esi),%xmm0\n\txorps\t%xmm1,%xmm4\n\tmovups\t64(%esi),%xmm1\n\txorps\t%xmm0,%xmm5\n\tmovups\t%xmm2,(%edi)\n\txorps\t%xmm1,%xmm6\n\tmovups\t%xmm3,16(%edi)\n\tmovups\t%xmm4,32(%edi)\n\tmovups\t%xmm5,48(%edi)\n\tmovups\t%xmm6,64(%edi)\n\tjmp\t.L042ctr32_ret\n.align\t16\n.L039ctr32_one_shortcut:\n\tmovups\t(%ebx),%xmm2\n\tmovl\t240(%edx),%ecx\n.L043ctr32_one:\n\tmovups\t(%edx),%xmm0\n\tmovups\t16(%edx),%xmm1\n\tleal\t32(%edx),%edx\n\txorps\t%xmm0,%xmm2\n.L047enc1_loop_7:\n.byte\t102,15,56,220,209\n\tdecl\t%ecx\n\tmovups\t(%edx),%xmm1\n\tleal\t16(%edx),%edx\n\tjnz\t.L047enc1_loop_7\n.byte\t102,15,56,221,209\n\tmovups\t(%esi),%xmm6\n\txorps\t%xmm2,%xmm6\n\tmovups\t%xmm6,(%edi)\n\tjmp\t.L042ctr32_ret\n.align\t16\n.L044ctr32_two:\n\tcall\t_aesni_encrypt2\n\tmovups\t(%esi),%xmm5\n\tmovups\t16(%esi),%xmm6\n\txorps\t%xmm5,%xmm2\n\txorps\t%xmm6,%xmm3\n\tmovups\t%xmm2,(%edi)\n\tmovups\t%xmm3,16(%edi)\n\tjmp\t.L042ctr32_ret\n.align\t16\n.L045ctr32_three:\n\tcall\t_aesni_encrypt3\n\tmovups\t(%esi),%xmm5\n\tmovups\t16(%esi),%xmm6\n\txorps\t%xmm5,%xmm2\n\tmovups\t32(%esi),%xmm7\n\txorps\t%xmm6,%xmm3\n\tmovups\t%xmm2,(%edi)\n\txorps\t%xmm7,%xmm4\n\tmovups\t%xmm3,16(%edi)\n\tmovups\t%xmm4,32(%edi)\n\tjmp\t.L042ctr32_ret\n.align\t16\n.L046ctr32_four:\n\tcall\t_aesni_encrypt4\n\tmovups\t(%esi),%xmm6\n\tmovups\t16(%esi),%xmm7\n\tmovups\t32(%esi),%xmm1\n\txorps\t%xmm6,%xmm2\n\tmovups\t48(%esi),%xmm0\n\txorps\t%xmm7,%xmm3\n\tmovups\t%xmm2,(%edi)\n\txorps\t%xmm1,%xmm4\n\tmovups\t%xmm3,16(%edi)\n\txorps\t%xmm0,%xmm5\n\tmovups\t%xmm4,32(%edi)\n\tmovups\t%xmm5,48(%edi)\n.L042ctr32_ret:\n\tpxor\t%xmm0,%xmm0\n\tpxor\t%xmm1,%xmm1\n\tpxor\t%xmm2,%xmm2\n\tpxor\t%xmm3,%xmm3\n\tpxor\t%xmm4,%xmm4\n\tmovdqa\t%xmm0,32(%esp)\n\tpxor\t%xmm5,%xmm5\n\tmovdqa\t%xmm0,48(%esp)\n\tpxor\t%xmm6,%xmm6\n\tmovdqa\t%xmm0,64(%esp)\n\tpxor\t%xmm7,%xmm7\n\tmovl\t80(%esp),%esp\n\tpopl\t%edi\n\tpopl\t%esi\n\tpopl\t%ebx\n\tpopl\t%ebp\n\tret\n.size\taes_hw_ctr32_encrypt_blocks,.-.L_aes_hw_ctr32_encrypt_blocks_begin\n.globl\taes_hw_xts_encrypt\n.hidden\taes_hw_xts_encrypt\n.type\taes_hw_xts_encrypt,@function\n.align\t16\naes_hw_xts_encrypt:\n.L_aes_hw_xts_encrypt_begin:\n\tpushl\t%ebp\n\tpushl\t%ebx\n\tpushl\t%esi\n\tpushl\t%edi\n\tmovl\t36(%esp),%edx\n\tmovl\t40(%esp),%esi\n\tmovl\t240(%edx),%ecx\n\tmovups\t(%esi),%xmm2\n\tmovups\t(%edx),%xmm0\n\tmovups\t16(%edx),%xmm1\n\tleal\t32(%edx),%edx\n\txorps\t%xmm0,%xmm2\n.L048enc1_loop_8:\n.byte\t102,15,56,220,209\n\tdecl\t%ecx\n\tmovups\t(%edx),%xmm1\n\tleal\t16(%edx),%edx\n\tjnz\t.L048enc1_loop_8\n.byte\t102,15,56,221,209\n\tmovl\t20(%esp),%esi\n\tmovl\t24(%esp),%edi\n\tmovl\t28(%esp),%eax\n\tmovl\t32(%esp),%edx\n\tmovl\t%esp,%ebp\n\tsubl\t$120,%esp\n\tmovl\t240(%edx),%ecx\n\tandl\t$-16,%esp\n\tmovl\t$135,96(%esp)\n\tmovl\t$0,100(%esp)\n\tmovl\t$1,104(%esp)\n\tmovl\t$0,108(%esp)\n\tmovl\t%eax,112(%esp)\n\tmovl\t%ebp,116(%esp)\n\tmovdqa\t%xmm2,%xmm1\n\tpxor\t%xmm0,%xmm0\n\tmovdqa\t96(%esp),%xmm3\n\tpcmpgtd\t%xmm1,%xmm0\n\tandl\t$-16,%eax\n\tmovl\t%edx,%ebp\n\tmovl\t%ecx,%ebx\n\tsubl\t$96,%eax\n\tjc\t.L049xts_enc_short\n\tshll\t$4,%ecx\n\tmovl\t$16,%ebx\n\tsubl\t%ecx,%ebx\n\tleal\t32(%edx,%ecx,1),%edx\n\tjmp\t.L050xts_enc_loop6\n.align\t16\n.L050xts_enc_loop6:\n\tpshufd\t$19,%xmm0,%xmm2\n\tpxor\t%xmm0,%xmm0\n\tmovdqa\t%xmm1,(%esp)\n\tpaddq\t%xmm1,%xmm1\n\tpand\t%xmm3,%xmm2\n\tpcmpgtd\t%xmm1,%xmm0\n\tpxor\t%xmm2,%xmm1\n\tpshufd\t$19,%xmm0,%xmm2\n\tpxor\t%xmm0,%xmm0\n\tmovdqa\t%xmm1,16(%esp)\n\tpaddq\t%xmm1,%xmm1\n\tpand\t%xmm3,%xmm2\n\tpcmpgtd\t%xmm1,%xmm0\n\tpxor\t%xmm2,%xmm1\n\tpshufd\t$19,%xmm0,%xmm2\n\tpxor\t%xmm0,%xmm0\n\tmovdqa\t%xmm1,32(%esp)\n\tpaddq\t%xmm1,%xmm1\n\tpand\t%xmm3,%xmm2\n\tpcmpgtd\t%xmm1,%xmm0\n\tpxor\t%xmm2,%xmm1\n\tpshufd\t$19,%xmm0,%xmm2\n\tpxor\t%xmm0,%xmm0\n\tmovdqa\t%xmm1,48(%esp)\n\tpaddq\t%xmm1,%xmm1\n\tpand\t%xmm3,%xmm2\n\tpcmpgtd\t%xmm1,%xmm0\n\tpxor\t%xmm2,%xmm1\n\tpshufd\t$19,%xmm0,%xmm7\n\tmovdqa\t%xmm1,64(%esp)\n\tpaddq\t%xmm1,%xmm1\n\tmovups\t(%ebp),%xmm0\n\tpand\t%xmm3,%xmm7\n\tmovups\t(%esi),%xmm2\n\tpxor\t%xmm1,%xmm7\n\tmovl\t%ebx,%ecx\n\tmovdqu\t16(%esi),%xmm3\n\txorps\t%xmm0,%xmm2\n\tmovdqu\t32(%esi),%xmm4\n\tpxor\t%xmm0,%xmm3\n\tmovdqu\t48(%esi),%xmm5\n\tpxor\t%xmm0,%xmm4\n\tmovdqu\t64(%esi),%xmm6\n\tpxor\t%xmm0,%xmm5\n\tmovdqu\t80(%esi),%xmm1\n\tpxor\t%xmm0,%xmm6\n\tleal\t96(%esi),%esi\n\tpxor\t(%esp),%xmm2\n\tmovdqa\t%xmm7,80(%esp)\n\tpxor\t%xmm1,%xmm7\n\tmovups\t16(%ebp),%xmm1\n\tpxor\t16(%esp),%xmm3\n\tpxor\t32(%esp),%xmm4\n.byte\t102,15,56,220,209\n\tpxor\t48(%esp),%xmm5\n\tpxor\t64(%esp),%xmm6\n.byte\t102,15,56,220,217\n\tpxor\t%xmm0,%xmm7\n\tmovups\t32(%ebp),%xmm0\n.byte\t102,15,56,220,225\n.byte\t102,15,56,220,233\n.byte\t102,15,56,220,241\n.byte\t102,15,56,220,249\n\tcall\t.L_aesni_encrypt6_enter\n\tmovdqa\t80(%esp),%xmm1\n\tpxor\t%xmm0,%xmm0\n\txorps\t(%esp),%xmm2\n\tpcmpgtd\t%xmm1,%xmm0\n\txorps\t16(%esp),%xmm3\n\tmovups\t%xmm2,(%edi)\n\txorps\t32(%esp),%xmm4\n\tmovups\t%xmm3,16(%edi)\n\txorps\t48(%esp),%xmm5\n\tmovups\t%xmm4,32(%edi)\n\txorps\t64(%esp),%xmm6\n\tmovups\t%xmm5,48(%edi)\n\txorps\t%xmm1,%xmm7\n\tmovups\t%xmm6,64(%edi)\n\tpshufd\t$19,%xmm0,%xmm2\n\tmovups\t%xmm7,80(%edi)\n\tleal\t96(%edi),%edi\n\tmovdqa\t96(%esp),%xmm3\n\tpxor\t%xmm0,%xmm0\n\tpaddq\t%xmm1,%xmm1\n\tpand\t%xmm3,%xmm2\n\tpcmpgtd\t%xmm1,%xmm0\n\tpxor\t%xmm2,%xmm1\n\tsubl\t$96,%eax\n\tjnc\t.L050xts_enc_loop6\n\tmovl\t240(%ebp),%ecx\n\tmovl\t%ebp,%edx\n\tmovl\t%ecx,%ebx\n.L049xts_enc_short:\n\taddl\t$96,%eax\n\tjz\t.L051xts_enc_done6x\n\tmovdqa\t%xmm1,%xmm5\n\tcmpl\t$32,%eax\n\tjb\t.L052xts_enc_one\n\tpshufd\t$19,%xmm0,%xmm2\n\tpxor\t%xmm0,%xmm0\n\tpaddq\t%xmm1,%xmm1\n\tpand\t%xmm3,%xmm2\n\tpcmpgtd\t%xmm1,%xmm0\n\tpxor\t%xmm2,%xmm1\n\tje\t.L053xts_enc_two\n\tpshufd\t$19,%xmm0,%xmm2\n\tpxor\t%xmm0,%xmm0\n\tmovdqa\t%xmm1,%xmm6\n\tpaddq\t%xmm1,%xmm1\n\tpand\t%xmm3,%xmm2\n\tpcmpgtd\t%xmm1,%xmm0\n\tpxor\t%xmm2,%xmm1\n\tcmpl\t$64,%eax\n\tjb\t.L054xts_enc_three\n\tpshufd\t$19,%xmm0,%xmm2\n\tpxor\t%xmm0,%xmm0\n\tmovdqa\t%xmm1,%xmm7\n\tpaddq\t%xmm1,%xmm1\n\tpand\t%xmm3,%xmm2\n\tpcmpgtd\t%xmm1,%xmm0\n\tpxor\t%xmm2,%xmm1\n\tmovdqa\t%xmm5,(%esp)\n\tmovdqa\t%xmm6,16(%esp)\n\tje\t.L055xts_enc_four\n\tmovdqa\t%xmm7,32(%esp)\n\tpshufd\t$19,%xmm0,%xmm7\n\tmovdqa\t%xmm1,48(%esp)\n\tpaddq\t%xmm1,%xmm1\n\tpand\t%xmm3,%xmm7\n\tpxor\t%xmm1,%xmm7\n\tmovdqu\t(%esi),%xmm2\n\tmovdqu\t16(%esi),%xmm3\n\tmovdqu\t32(%esi),%xmm4\n\tpxor\t(%esp),%xmm2\n\tmovdqu\t48(%esi),%xmm5\n\tpxor\t16(%esp),%xmm3\n\tmovdqu\t64(%esi),%xmm6\n\tpxor\t32(%esp),%xmm4\n\tleal\t80(%esi),%esi\n\tpxor\t48(%esp),%xmm5\n\tmovdqa\t%xmm7,64(%esp)\n\tpxor\t%xmm7,%xmm6\n\tcall\t_aesni_encrypt6\n\tmovaps\t64(%esp),%xmm1\n\txorps\t(%esp),%xmm2\n\txorps\t16(%esp),%xmm3\n\txorps\t32(%esp),%xmm4\n\tmovups\t%xmm2,(%edi)\n\txorps\t48(%esp),%xmm5\n\tmovups\t%xmm3,16(%edi)\n\txorps\t%xmm1,%xmm6\n\tmovups\t%xmm4,32(%edi)\n\tmovups\t%xmm5,48(%edi)\n\tmovups\t%xmm6,64(%edi)\n\tleal\t80(%edi),%edi\n\tjmp\t.L056xts_enc_done\n.align\t16\n.L052xts_enc_one:\n\tmovups\t(%esi),%xmm2\n\tleal\t16(%esi),%esi\n\txorps\t%xmm5,%xmm2\n\tmovups\t(%edx),%xmm0\n\tmovups\t16(%edx),%xmm1\n\tleal\t32(%edx),%edx\n\txorps\t%xmm0,%xmm2\n.L057enc1_loop_9:\n.byte\t102,15,56,220,209\n\tdecl\t%ecx\n\tmovups\t(%edx),%xmm1\n\tleal\t16(%edx),%edx\n\tjnz\t.L057enc1_loop_9\n.byte\t102,15,56,221,209\n\txorps\t%xmm5,%xmm2\n\tmovups\t%xmm2,(%edi)\n\tleal\t16(%edi),%edi\n\tmovdqa\t%xmm5,%xmm1\n\tjmp\t.L056xts_enc_done\n.align\t16\n.L053xts_enc_two:\n\tmovaps\t%xmm1,%xmm6\n\tmovups\t(%esi),%xmm2\n\tmovups\t16(%esi),%xmm3\n\tleal\t32(%esi),%esi\n\txorps\t%xmm5,%xmm2\n\txorps\t%xmm6,%xmm3\n\tcall\t_aesni_encrypt2\n\txorps\t%xmm5,%xmm2\n\txorps\t%xmm6,%xmm3\n\tmovups\t%xmm2,(%edi)\n\tmovups\t%xmm3,16(%edi)\n\tleal\t32(%edi),%edi\n\tmovdqa\t%xmm6,%xmm1\n\tjmp\t.L056xts_enc_done\n.align\t16\n.L054xts_enc_three:\n\tmovaps\t%xmm1,%xmm7\n\tmovups\t(%esi),%xmm2\n\tmovups\t16(%esi),%xmm3\n\tmovups\t32(%esi),%xmm4\n\tleal\t48(%esi),%esi\n\txorps\t%xmm5,%xmm2\n\txorps\t%xmm6,%xmm3\n\txorps\t%xmm7,%xmm4\n\tcall\t_aesni_encrypt3\n\txorps\t%xmm5,%xmm2\n\txorps\t%xmm6,%xmm3\n\txorps\t%xmm7,%xmm4\n\tmovups\t%xmm2,(%edi)\n\tmovups\t%xmm3,16(%edi)\n\tmovups\t%xmm4,32(%edi)\n\tleal\t48(%edi),%edi\n\tmovdqa\t%xmm7,%xmm1\n\tjmp\t.L056xts_enc_done\n.align\t16\n.L055xts_enc_four:\n\tmovaps\t%xmm1,%xmm6\n\tmovups\t(%esi),%xmm2\n\tmovups\t16(%esi),%xmm3\n\tmovups\t32(%esi),%xmm4\n\txorps\t(%esp),%xmm2\n\tmovups\t48(%esi),%xmm5\n\tleal\t64(%esi),%esi\n\txorps\t16(%esp),%xmm3\n\txorps\t%xmm7,%xmm4\n\txorps\t%xmm6,%xmm5\n\tcall\t_aesni_encrypt4\n\txorps\t(%esp),%xmm2\n\txorps\t16(%esp),%xmm3\n\txorps\t%xmm7,%xmm4\n\tmovups\t%xmm2,(%edi)\n\txorps\t%xmm6,%xmm5\n\tmovups\t%xmm3,16(%edi)\n\tmovups\t%xmm4,32(%edi)\n\tmovups\t%xmm5,48(%edi)\n\tleal\t64(%edi),%edi\n\tmovdqa\t%xmm6,%xmm1\n\tjmp\t.L056xts_enc_done\n.align\t16\n.L051xts_enc_done6x:\n\tmovl\t112(%esp),%eax\n\tandl\t$15,%eax\n\tjz\t.L058xts_enc_ret\n\tmovdqa\t%xmm1,%xmm5\n\tmovl\t%eax,112(%esp)\n\tjmp\t.L059xts_enc_steal\n.align\t16\n.L056xts_enc_done:\n\tmovl\t112(%esp),%eax\n\tpxor\t%xmm0,%xmm0\n\tandl\t$15,%eax\n\tjz\t.L058xts_enc_ret\n\tpcmpgtd\t%xmm1,%xmm0\n\tmovl\t%eax,112(%esp)\n\tpshufd\t$19,%xmm0,%xmm5\n\tpaddq\t%xmm1,%xmm1\n\tpand\t96(%esp),%xmm5\n\tpxor\t%xmm1,%xmm5\n.L059xts_enc_steal:\n\tmovzbl\t(%esi),%ecx\n\tmovzbl\t-16(%edi),%edx\n\tleal\t1(%esi),%esi\n\tmovb\t%cl,-16(%edi)\n\tmovb\t%dl,(%edi)\n\tleal\t1(%edi),%edi\n\tsubl\t$1,%eax\n\tjnz\t.L059xts_enc_steal\n\tsubl\t112(%esp),%edi\n\tmovl\t%ebp,%edx\n\tmovl\t%ebx,%ecx\n\tmovups\t-16(%edi),%xmm2\n\txorps\t%xmm5,%xmm2\n\tmovups\t(%edx),%xmm0\n\tmovups\t16(%edx),%xmm1\n\tleal\t32(%edx),%edx\n\txorps\t%xmm0,%xmm2\n.L060enc1_loop_10:\n.byte\t102,15,56,220,209\n\tdecl\t%ecx\n\tmovups\t(%edx),%xmm1\n\tleal\t16(%edx),%edx\n\tjnz\t.L060enc1_loop_10\n.byte\t102,15,56,221,209\n\txorps\t%xmm5,%xmm2\n\tmovups\t%xmm2,-16(%edi)\n.L058xts_enc_ret:\n\tpxor\t%xmm0,%xmm0\n\tpxor\t%xmm1,%xmm1\n\tpxor\t%xmm2,%xmm2\n\tmovdqa\t%xmm0,(%esp)\n\tpxor\t%xmm3,%xmm3\n\tmovdqa\t%xmm0,16(%esp)\n\tpxor\t%xmm4,%xmm4\n\tmovdqa\t%xmm0,32(%esp)\n\tpxor\t%xmm5,%xmm5\n\tmovdqa\t%xmm0,48(%esp)\n\tpxor\t%xmm6,%xmm6\n\tmovdqa\t%xmm0,64(%esp)\n\tpxor\t%xmm7,%xmm7\n\tmovdqa\t%xmm0,80(%esp)\n\tmovl\t116(%esp),%esp\n\tpopl\t%edi\n\tpopl\t%esi\n\tpopl\t%ebx\n\tpopl\t%ebp\n\tret\n.size\taes_hw_xts_encrypt,.-.L_aes_hw_xts_encrypt_begin\n.globl\taes_hw_xts_decrypt\n.hidden\taes_hw_xts_decrypt\n.type\taes_hw_xts_decrypt,@function\n.align\t16\naes_hw_xts_decrypt:\n.L_aes_hw_xts_decrypt_begin:\n\tpushl\t%ebp\n\tpushl\t%ebx\n\tpushl\t%esi\n\tpushl\t%edi\n\tmovl\t36(%esp),%edx\n\tmovl\t40(%esp),%esi\n\tmovl\t240(%edx),%ecx\n\tmovups\t(%esi),%xmm2\n\tmovups\t(%edx),%xmm0\n\tmovups\t16(%edx),%xmm1\n\tleal\t32(%edx),%edx\n\txorps\t%xmm0,%xmm2\n.L061enc1_loop_11:\n.byte\t102,15,56,220,209\n\tdecl\t%ecx\n\tmovups\t(%edx),%xmm1\n\tleal\t16(%edx),%edx\n\tjnz\t.L061enc1_loop_11\n.byte\t102,15,56,221,209\n\tmovl\t20(%esp),%esi\n\tmovl\t24(%esp),%edi\n\tmovl\t28(%esp),%eax\n\tmovl\t32(%esp),%edx\n\tmovl\t%esp,%ebp\n\tsubl\t$120,%esp\n\tandl\t$-16,%esp\n\txorl\t%ebx,%ebx\n\ttestl\t$15,%eax\n\tsetnz\t%bl\n\tshll\t$4,%ebx\n\tsubl\t%ebx,%eax\n\tmovl\t$135,96(%esp)\n\tmovl\t$0,100(%esp)\n\tmovl\t$1,104(%esp)\n\tmovl\t$0,108(%esp)\n\tmovl\t%eax,112(%esp)\n\tmovl\t%ebp,116(%esp)\n\tmovl\t240(%edx),%ecx\n\tmovl\t%edx,%ebp\n\tmovl\t%ecx,%ebx\n\tmovdqa\t%xmm2,%xmm1\n\tpxor\t%xmm0,%xmm0\n\tmovdqa\t96(%esp),%xmm3\n\tpcmpgtd\t%xmm1,%xmm0\n\tandl\t$-16,%eax\n\tsubl\t$96,%eax\n\tjc\t.L062xts_dec_short\n\tshll\t$4,%ecx\n\tmovl\t$16,%ebx\n\tsubl\t%ecx,%ebx\n\tleal\t32(%edx,%ecx,1),%edx\n\tjmp\t.L063xts_dec_loop6\n.align\t16\n.L063xts_dec_loop6:\n\tpshufd\t$19,%xmm0,%xmm2\n\tpxor\t%xmm0,%xmm0\n\tmovdqa\t%xmm1,(%esp)\n\tpaddq\t%xmm1,%xmm1\n\tpand\t%xmm3,%xmm2\n\tpcmpgtd\t%xmm1,%xmm0\n\tpxor\t%xmm2,%xmm1\n\tpshufd\t$19,%xmm0,%xmm2\n\tpxor\t%xmm0,%xmm0\n\tmovdqa\t%xmm1,16(%esp)\n\tpaddq\t%xmm1,%xmm1\n\tpand\t%xmm3,%xmm2\n\tpcmpgtd\t%xmm1,%xmm0\n\tpxor\t%xmm2,%xmm1\n\tpshufd\t$19,%xmm0,%xmm2\n\tpxor\t%xmm0,%xmm0\n\tmovdqa\t%xmm1,32(%esp)\n\tpaddq\t%xmm1,%xmm1\n\tpand\t%xmm3,%xmm2\n\tpcmpgtd\t%xmm1,%xmm0\n\tpxor\t%xmm2,%xmm1\n\tpshufd\t$19,%xmm0,%xmm2\n\tpxor\t%xmm0,%xmm0\n\tmovdqa\t%xmm1,48(%esp)\n\tpaddq\t%xmm1,%xmm1\n\tpand\t%xmm3,%xmm2\n\tpcmpgtd\t%xmm1,%xmm0\n\tpxor\t%xmm2,%xmm1\n\tpshufd\t$19,%xmm0,%xmm7\n\tmovdqa\t%xmm1,64(%esp)\n\tpaddq\t%xmm1,%xmm1\n\tmovups\t(%ebp),%xmm0\n\tpand\t%xmm3,%xmm7\n\tmovups\t(%esi),%xmm2\n\tpxor\t%xmm1,%xmm7\n\tmovl\t%ebx,%ecx\n\tmovdqu\t16(%esi),%xmm3\n\txorps\t%xmm0,%xmm2\n\tmovdqu\t32(%esi),%xmm4\n\tpxor\t%xmm0,%xmm3\n\tmovdqu\t48(%esi),%xmm5\n\tpxor\t%xmm0,%xmm4\n\tmovdqu\t64(%esi),%xmm6\n\tpxor\t%xmm0,%xmm5\n\tmovdqu\t80(%esi),%xmm1\n\tpxor\t%xmm0,%xmm6\n\tleal\t96(%esi),%esi\n\tpxor\t(%esp),%xmm2\n\tmovdqa\t%xmm7,80(%esp)\n\tpxor\t%xmm1,%xmm7\n\tmovups\t16(%ebp),%xmm1\n\tpxor\t16(%esp),%xmm3\n\tpxor\t32(%esp),%xmm4\n.byte\t102,15,56,222,209\n\tpxor\t48(%esp),%xmm5\n\tpxor\t64(%esp),%xmm6\n.byte\t102,15,56,222,217\n\tpxor\t%xmm0,%xmm7\n\tmovups\t32(%ebp),%xmm0\n.byte\t102,15,56,222,225\n.byte\t102,15,56,222,233\n.byte\t102,15,56,222,241\n.byte\t102,15,56,222,249\n\tcall\t.L_aesni_decrypt6_enter\n\tmovdqa\t80(%esp),%xmm1\n\tpxor\t%xmm0,%xmm0\n\txorps\t(%esp),%xmm2\n\tpcmpgtd\t%xmm1,%xmm0\n\txorps\t16(%esp),%xmm3\n\tmovups\t%xmm2,(%edi)\n\txorps\t32(%esp),%xmm4\n\tmovups\t%xmm3,16(%edi)\n\txorps\t48(%esp),%xmm5\n\tmovups\t%xmm4,32(%edi)\n\txorps\t64(%esp),%xmm6\n\tmovups\t%xmm5,48(%edi)\n\txorps\t%xmm1,%xmm7\n\tmovups\t%xmm6,64(%edi)\n\tpshufd\t$19,%xmm0,%xmm2\n\tmovups\t%xmm7,80(%edi)\n\tleal\t96(%edi),%edi\n\tmovdqa\t96(%esp),%xmm3\n\tpxor\t%xmm0,%xmm0\n\tpaddq\t%xmm1,%xmm1\n\tpand\t%xmm3,%xmm2\n\tpcmpgtd\t%xmm1,%xmm0\n\tpxor\t%xmm2,%xmm1\n\tsubl\t$96,%eax\n\tjnc\t.L063xts_dec_loop6\n\tmovl\t240(%ebp),%ecx\n\tmovl\t%ebp,%edx\n\tmovl\t%ecx,%ebx\n.L062xts_dec_short:\n\taddl\t$96,%eax\n\tjz\t.L064xts_dec_done6x\n\tmovdqa\t%xmm1,%xmm5\n\tcmpl\t$32,%eax\n\tjb\t.L065xts_dec_one\n\tpshufd\t$19,%xmm0,%xmm2\n\tpxor\t%xmm0,%xmm0\n\tpaddq\t%xmm1,%xmm1\n\tpand\t%xmm3,%xmm2\n\tpcmpgtd\t%xmm1,%xmm0\n\tpxor\t%xmm2,%xmm1\n\tje\t.L066xts_dec_two\n\tpshufd\t$19,%xmm0,%xmm2\n\tpxor\t%xmm0,%xmm0\n\tmovdqa\t%xmm1,%xmm6\n\tpaddq\t%xmm1,%xmm1\n\tpand\t%xmm3,%xmm2\n\tpcmpgtd\t%xmm1,%xmm0\n\tpxor\t%xmm2,%xmm1\n\tcmpl\t$64,%eax\n\tjb\t.L067xts_dec_three\n\tpshufd\t$19,%xmm0,%xmm2\n\tpxor\t%xmm0,%xmm0\n\tmovdqa\t%xmm1,%xmm7\n\tpaddq\t%xmm1,%xmm1\n\tpand\t%xmm3,%xmm2\n\tpcmpgtd\t%xmm1,%xmm0\n\tpxor\t%xmm2,%xmm1\n\tmovdqa\t%xmm5,(%esp)\n\tmovdqa\t%xmm6,16(%esp)\n\tje\t.L068xts_dec_four\n\tmovdqa\t%xmm7,32(%esp)\n\tpshufd\t$19,%xmm0,%xmm7\n\tmovdqa\t%xmm1,48(%esp)\n\tpaddq\t%xmm1,%xmm1\n\tpand\t%xmm3,%xmm7\n\tpxor\t%xmm1,%xmm7\n\tmovdqu\t(%esi),%xmm2\n\tmovdqu\t16(%esi),%xmm3\n\tmovdqu\t32(%esi),%xmm4\n\tpxor\t(%esp),%xmm2\n\tmovdqu\t48(%esi),%xmm5\n\tpxor\t16(%esp),%xmm3\n\tmovdqu\t64(%esi),%xmm6\n\tpxor\t32(%esp),%xmm4\n\tleal\t80(%esi),%esi\n\tpxor\t48(%esp),%xmm5\n\tmovdqa\t%xmm7,64(%esp)\n\tpxor\t%xmm7,%xmm6\n\tcall\t_aesni_decrypt6\n\tmovaps\t64(%esp),%xmm1\n\txorps\t(%esp),%xmm2\n\txorps\t16(%esp),%xmm3\n\txorps\t32(%esp),%xmm4\n\tmovups\t%xmm2,(%edi)\n\txorps\t48(%esp),%xmm5\n\tmovups\t%xmm3,16(%edi)\n\txorps\t%xmm1,%xmm6\n\tmovups\t%xmm4,32(%edi)\n\tmovups\t%xmm5,48(%edi)\n\tmovups\t%xmm6,64(%edi)\n\tleal\t80(%edi),%edi\n\tjmp\t.L069xts_dec_done\n.align\t16\n.L065xts_dec_one:\n\tmovups\t(%esi),%xmm2\n\tleal\t16(%esi),%esi\n\txorps\t%xmm5,%xmm2\n\tmovups\t(%edx),%xmm0\n\tmovups\t16(%edx),%xmm1\n\tleal\t32(%edx),%edx\n\txorps\t%xmm0,%xmm2\n.L070dec1_loop_12:\n.byte\t102,15,56,222,209\n\tdecl\t%ecx\n\tmovups\t(%edx),%xmm1\n\tleal\t16(%edx),%edx\n\tjnz\t.L070dec1_loop_12\n.byte\t102,15,56,223,209\n\txorps\t%xmm5,%xmm2\n\tmovups\t%xmm2,(%edi)\n\tleal\t16(%edi),%edi\n\tmovdqa\t%xmm5,%xmm1\n\tjmp\t.L069xts_dec_done\n.align\t16\n.L066xts_dec_two:\n\tmovaps\t%xmm1,%xmm6\n\tmovups\t(%esi),%xmm2\n\tmovups\t16(%esi),%xmm3\n\tleal\t32(%esi),%esi\n\txorps\t%xmm5,%xmm2\n\txorps\t%xmm6,%xmm3\n\tcall\t_aesni_decrypt2\n\txorps\t%xmm5,%xmm2\n\txorps\t%xmm6,%xmm3\n\tmovups\t%xmm2,(%edi)\n\tmovups\t%xmm3,16(%edi)\n\tleal\t32(%edi),%edi\n\tmovdqa\t%xmm6,%xmm1\n\tjmp\t.L069xts_dec_done\n.align\t16\n.L067xts_dec_three:\n\tmovaps\t%xmm1,%xmm7\n\tmovups\t(%esi),%xmm2\n\tmovups\t16(%esi),%xmm3\n\tmovups\t32(%esi),%xmm4\n\tleal\t48(%esi),%esi\n\txorps\t%xmm5,%xmm2\n\txorps\t%xmm6,%xmm3\n\txorps\t%xmm7,%xmm4\n\tcall\t_aesni_decrypt3\n\txorps\t%xmm5,%xmm2\n\txorps\t%xmm6,%xmm3\n\txorps\t%xmm7,%xmm4\n\tmovups\t%xmm2,(%edi)\n\tmovups\t%xmm3,16(%edi)\n\tmovups\t%xmm4,32(%edi)\n\tleal\t48(%edi),%edi\n\tmovdqa\t%xmm7,%xmm1\n\tjmp\t.L069xts_dec_done\n.align\t16\n.L068xts_dec_four:\n\tmovaps\t%xmm1,%xmm6\n\tmovups\t(%esi),%xmm2\n\tmovups\t16(%esi),%xmm3\n\tmovups\t32(%esi),%xmm4\n\txorps\t(%esp),%xmm2\n\tmovups\t48(%esi),%xmm5\n\tleal\t64(%esi),%esi\n\txorps\t16(%esp),%xmm3\n\txorps\t%xmm7,%xmm4\n\txorps\t%xmm6,%xmm5\n\tcall\t_aesni_decrypt4\n\txorps\t(%esp),%xmm2\n\txorps\t16(%esp),%xmm3\n\txorps\t%xmm7,%xmm4\n\tmovups\t%xmm2,(%edi)\n\txorps\t%xmm6,%xmm5\n\tmovups\t%xmm3,16(%edi)\n\tmovups\t%xmm4,32(%edi)\n\tmovups\t%xmm5,48(%edi)\n\tleal\t64(%edi),%edi\n\tmovdqa\t%xmm6,%xmm1\n\tjmp\t.L069xts_dec_done\n.align\t16\n.L064xts_dec_done6x:\n\tmovl\t112(%esp),%eax\n\tandl\t$15,%eax\n\tjz\t.L071xts_dec_ret\n\tmovl\t%eax,112(%esp)\n\tjmp\t.L072xts_dec_only_one_more\n.align\t16\n.L069xts_dec_done:\n\tmovl\t112(%esp),%eax\n\tpxor\t%xmm0,%xmm0\n\tandl\t$15,%eax\n\tjz\t.L071xts_dec_ret\n\tpcmpgtd\t%xmm1,%xmm0\n\tmovl\t%eax,112(%esp)\n\tpshufd\t$19,%xmm0,%xmm2\n\tpxor\t%xmm0,%xmm0\n\tmovdqa\t96(%esp),%xmm3\n\tpaddq\t%xmm1,%xmm1\n\tpand\t%xmm3,%xmm2\n\tpcmpgtd\t%xmm1,%xmm0\n\tpxor\t%xmm2,%xmm1\n.L072xts_dec_only_one_more:\n\tpshufd\t$19,%xmm0,%xmm5\n\tmovdqa\t%xmm1,%xmm6\n\tpaddq\t%xmm1,%xmm1\n\tpand\t%xmm3,%xmm5\n\tpxor\t%xmm1,%xmm5\n\tmovl\t%ebp,%edx\n\tmovl\t%ebx,%ecx\n\tmovups\t(%esi),%xmm2\n\txorps\t%xmm5,%xmm2\n\tmovups\t(%edx),%xmm0\n\tmovups\t16(%edx),%xmm1\n\tleal\t32(%edx),%edx\n\txorps\t%xmm0,%xmm2\n.L073dec1_loop_13:\n.byte\t102,15,56,222,209\n\tdecl\t%ecx\n\tmovups\t(%edx),%xmm1\n\tleal\t16(%edx),%edx\n\tjnz\t.L073dec1_loop_13\n.byte\t102,15,56,223,209\n\txorps\t%xmm5,%xmm2\n\tmovups\t%xmm2,(%edi)\n.L074xts_dec_steal:\n\tmovzbl\t16(%esi),%ecx\n\tmovzbl\t(%edi),%edx\n\tleal\t1(%esi),%esi\n\tmovb\t%cl,(%edi)\n\tmovb\t%dl,16(%edi)\n\tleal\t1(%edi),%edi\n\tsubl\t$1,%eax\n\tjnz\t.L074xts_dec_steal\n\tsubl\t112(%esp),%edi\n\tmovl\t%ebp,%edx\n\tmovl\t%ebx,%ecx\n\tmovups\t(%edi),%xmm2\n\txorps\t%xmm6,%xmm2\n\tmovups\t(%edx),%xmm0\n\tmovups\t16(%edx),%xmm1\n\tleal\t32(%edx),%edx\n\txorps\t%xmm0,%xmm2\n.L075dec1_loop_14:\n.byte\t102,15,56,222,209\n\tdecl\t%ecx\n\tmovups\t(%edx),%xmm1\n\tleal\t16(%edx),%edx\n\tjnz\t.L075dec1_loop_14\n.byte\t102,15,56,223,209\n\txorps\t%xmm6,%xmm2\n\tmovups\t%xmm2,(%edi)\n.L071xts_dec_ret:\n\tpxor\t%xmm0,%xmm0\n\tpxor\t%xmm1,%xmm1\n\tpxor\t%xmm2,%xmm2\n\tmovdqa\t%xmm0,(%esp)\n\tpxor\t%xmm3,%xmm3\n\tmovdqa\t%xmm0,16(%esp)\n\tpxor\t%xmm4,%xmm4\n\tmovdqa\t%xmm0,32(%esp)\n\tpxor\t%xmm5,%xmm5\n\tmovdqa\t%xmm0,48(%esp)\n\tpxor\t%xmm6,%xmm6\n\tmovdqa\t%xmm0,64(%esp)\n\tpxor\t%xmm7,%xmm7\n\tmovdqa\t%xmm0,80(%esp)\n\tmovl\t116(%esp),%esp\n\tpopl\t%edi\n\tpopl\t%esi\n\tpopl\t%ebx\n\tpopl\t%ebp\n\tret\n.size\taes_hw_xts_decrypt,.-.L_aes_hw_xts_decrypt_begin\n.globl\taes_hw_cbc_encrypt\n.hidden\taes_hw_cbc_encrypt\n.type\taes_hw_cbc_encrypt,@function\n.align\t16\naes_hw_cbc_encrypt:\n.L_aes_hw_cbc_encrypt_begin:\n\tpushl\t%ebp\n\tpushl\t%ebx\n\tpushl\t%esi\n\tpushl\t%edi\n\tmovl\t20(%esp),%esi\n\tmovl\t%esp,%ebx\n\tmovl\t24(%esp),%edi\n\tsubl\t$24,%ebx\n\tmovl\t28(%esp),%eax\n\tandl\t$-16,%ebx\n\tmovl\t32(%esp),%edx\n\tmovl\t36(%esp),%ebp\n\ttestl\t%eax,%eax\n\tjz\t.L076cbc_abort\n\tcmpl\t$0,40(%esp)\n\txchgl\t%esp,%ebx\n\tmovups\t(%ebp),%xmm7\n\tmovl\t240(%edx),%ecx\n\tmovl\t%edx,%ebp\n\tmovl\t%ebx,16(%esp)\n\tmovl\t%ecx,%ebx\n\tje\t.L077cbc_decrypt\n\tmovaps\t%xmm7,%xmm2\n\tcmpl\t$16,%eax\n\tjb\t.L078cbc_enc_tail\n\tsubl\t$16,%eax\n\tjmp\t.L079cbc_enc_loop\n.align\t16\n.L079cbc_enc_loop:\n\tmovups\t(%esi),%xmm7\n\tleal\t16(%esi),%esi\n\tmovups\t(%edx),%xmm0\n\tmovups\t16(%edx),%xmm1\n\txorps\t%xmm0,%xmm7\n\tleal\t32(%edx),%edx\n\txorps\t%xmm7,%xmm2\n.L080enc1_loop_15:\n.byte\t102,15,56,220,209\n\tdecl\t%ecx\n\tmovups\t(%edx),%xmm1\n\tleal\t16(%edx),%edx\n\tjnz\t.L080enc1_loop_15\n.byte\t102,15,56,221,209\n\tmovl\t%ebx,%ecx\n\tmovl\t%ebp,%edx\n\tmovups\t%xmm2,(%edi)\n\tleal\t16(%edi),%edi\n\tsubl\t$16,%eax\n\tjnc\t.L079cbc_enc_loop\n\taddl\t$16,%eax\n\tjnz\t.L078cbc_enc_tail\n\tmovaps\t%xmm2,%xmm7\n\tpxor\t%xmm2,%xmm2\n\tjmp\t.L081cbc_ret\n.L078cbc_enc_tail:\n\tmovl\t%eax,%ecx\n.long\t2767451785\n\tmovl\t$16,%ecx\n\tsubl\t%eax,%ecx\n\txorl\t%eax,%eax\n.long\t2868115081\n\tleal\t-16(%edi),%edi\n\tmovl\t%ebx,%ecx\n\tmovl\t%edi,%esi\n\tmovl\t%ebp,%edx\n\tjmp\t.L079cbc_enc_loop\n.align\t16\n.L077cbc_decrypt:\n\tcmpl\t$80,%eax\n\tjbe\t.L082cbc_dec_tail\n\tmovaps\t%xmm7,(%esp)\n\tsubl\t$80,%eax\n\tjmp\t.L083cbc_dec_loop6_enter\n.align\t16\n.L084cbc_dec_loop6:\n\tmovaps\t%xmm0,(%esp)\n\tmovups\t%xmm7,(%edi)\n\tleal\t16(%edi),%edi\n.L083cbc_dec_loop6_enter:\n\tmovdqu\t(%esi),%xmm2\n\tmovdqu\t16(%esi),%xmm3\n\tmovdqu\t32(%esi),%xmm4\n\tmovdqu\t48(%esi),%xmm5\n\tmovdqu\t64(%esi),%xmm6\n\tmovdqu\t80(%esi),%xmm7\n\tcall\t_aesni_decrypt6\n\tmovups\t(%esi),%xmm1\n\tmovups\t16(%esi),%xmm0\n\txorps\t(%esp),%xmm2\n\txorps\t%xmm1,%xmm3\n\tmovups\t32(%esi),%xmm1\n\txorps\t%xmm0,%xmm4\n\tmovups\t48(%esi),%xmm0\n\txorps\t%xmm1,%xmm5\n\tmovups\t64(%esi),%xmm1\n\txorps\t%xmm0,%xmm6\n\tmovups\t80(%esi),%xmm0\n\txorps\t%xmm1,%xmm7\n\tmovups\t%xmm2,(%edi)\n\tmovups\t%xmm3,16(%edi)\n\tleal\t96(%esi),%esi\n\tmovups\t%xmm4,32(%edi)\n\tmovl\t%ebx,%ecx\n\tmovups\t%xmm5,48(%edi)\n\tmovl\t%ebp,%edx\n\tmovups\t%xmm6,64(%edi)\n\tleal\t80(%edi),%edi\n\tsubl\t$96,%eax\n\tja\t.L084cbc_dec_loop6\n\tmovaps\t%xmm7,%xmm2\n\tmovaps\t%xmm0,%xmm7\n\taddl\t$80,%eax\n\tjle\t.L085cbc_dec_clear_tail_collected\n\tmovups\t%xmm2,(%edi)\n\tleal\t16(%edi),%edi\n.L082cbc_dec_tail:\n\tmovups\t(%esi),%xmm2\n\tmovaps\t%xmm2,%xmm6\n\tcmpl\t$16,%eax\n\tjbe\t.L086cbc_dec_one\n\tmovups\t16(%esi),%xmm3\n\tmovaps\t%xmm3,%xmm5\n\tcmpl\t$32,%eax\n\tjbe\t.L087cbc_dec_two\n\tmovups\t32(%esi),%xmm4\n\tcmpl\t$48,%eax\n\tjbe\t.L088cbc_dec_three\n\tmovups\t48(%esi),%xmm5\n\tcmpl\t$64,%eax\n\tjbe\t.L089cbc_dec_four\n\tmovups\t64(%esi),%xmm6\n\tmovaps\t%xmm7,(%esp)\n\tmovups\t(%esi),%xmm2\n\txorps\t%xmm7,%xmm7\n\tcall\t_aesni_decrypt6\n\tmovups\t(%esi),%xmm1\n\tmovups\t16(%esi),%xmm0\n\txorps\t(%esp),%xmm2\n\txorps\t%xmm1,%xmm3\n\tmovups\t32(%esi),%xmm1\n\txorps\t%xmm0,%xmm4\n\tmovups\t48(%esi),%xmm0\n\txorps\t%xmm1,%xmm5\n\tmovups\t64(%esi),%xmm7\n\txorps\t%xmm0,%xmm6\n\tmovups\t%xmm2,(%edi)\n\tmovups\t%xmm3,16(%edi)\n\tpxor\t%xmm3,%xmm3\n\tmovups\t%xmm4,32(%edi)\n\tpxor\t%xmm4,%xmm4\n\tmovups\t%xmm5,48(%edi)\n\tpxor\t%xmm5,%xmm5\n\tleal\t64(%edi),%edi\n\tmovaps\t%xmm6,%xmm2\n\tpxor\t%xmm6,%xmm6\n\tsubl\t$80,%eax\n\tjmp\t.L090cbc_dec_tail_collected\n.align\t16\n.L086cbc_dec_one:\n\tmovups\t(%edx),%xmm0\n\tmovups\t16(%edx),%xmm1\n\tleal\t32(%edx),%edx\n\txorps\t%xmm0,%xmm2\n.L091dec1_loop_16:\n.byte\t102,15,56,222,209\n\tdecl\t%ecx\n\tmovups\t(%edx),%xmm1\n\tleal\t16(%edx),%edx\n\tjnz\t.L091dec1_loop_16\n.byte\t102,15,56,223,209\n\txorps\t%xmm7,%xmm2\n\tmovaps\t%xmm6,%xmm7\n\tsubl\t$16,%eax\n\tjmp\t.L090cbc_dec_tail_collected\n.align\t16\n.L087cbc_dec_two:\n\tcall\t_aesni_decrypt2\n\txorps\t%xmm7,%xmm2\n\txorps\t%xmm6,%xmm3\n\tmovups\t%xmm2,(%edi)\n\tmovaps\t%xmm3,%xmm2\n\tpxor\t%xmm3,%xmm3\n\tleal\t16(%edi),%edi\n\tmovaps\t%xmm5,%xmm7\n\tsubl\t$32,%eax\n\tjmp\t.L090cbc_dec_tail_collected\n.align\t16\n.L088cbc_dec_three:\n\tcall\t_aesni_decrypt3\n\txorps\t%xmm7,%xmm2\n\txorps\t%xmm6,%xmm3\n\txorps\t%xmm5,%xmm4\n\tmovups\t%xmm2,(%edi)\n\tmovaps\t%xmm4,%xmm2\n\tpxor\t%xmm4,%xmm4\n\tmovups\t%xmm3,16(%edi)\n\tpxor\t%xmm3,%xmm3\n\tleal\t32(%edi),%edi\n\tmovups\t32(%esi),%xmm7\n\tsubl\t$48,%eax\n\tjmp\t.L090cbc_dec_tail_collected\n.align\t16\n.L089cbc_dec_four:\n\tcall\t_aesni_decrypt4\n\tmovups\t16(%esi),%xmm1\n\tmovups\t32(%esi),%xmm0\n\txorps\t%xmm7,%xmm2\n\tmovups\t48(%esi),%xmm7\n\txorps\t%xmm6,%xmm3\n\tmovups\t%xmm2,(%edi)\n\txorps\t%xmm1,%xmm4\n\tmovups\t%xmm3,16(%edi)\n\tpxor\t%xmm3,%xmm3\n\txorps\t%xmm0,%xmm5\n\tmovups\t%xmm4,32(%edi)\n\tpxor\t%xmm4,%xmm4\n\tleal\t48(%edi),%edi\n\tmovaps\t%xmm5,%xmm2\n\tpxor\t%xmm5,%xmm5\n\tsubl\t$64,%eax\n\tjmp\t.L090cbc_dec_tail_collected\n.align\t16\n.L085cbc_dec_clear_tail_collected:\n\tpxor\t%xmm3,%xmm3\n\tpxor\t%xmm4,%xmm4\n\tpxor\t%xmm5,%xmm5\n\tpxor\t%xmm6,%xmm6\n.L090cbc_dec_tail_collected:\n\tandl\t$15,%eax\n\tjnz\t.L092cbc_dec_tail_partial\n\tmovups\t%xmm2,(%edi)\n\tpxor\t%xmm0,%xmm0\n\tjmp\t.L081cbc_ret\n.align\t16\n.L092cbc_dec_tail_partial:\n\tmovaps\t%xmm2,(%esp)\n\tpxor\t%xmm0,%xmm0\n\tmovl\t$16,%ecx\n\tmovl\t%esp,%esi\n\tsubl\t%eax,%ecx\n.long\t2767451785\n\tmovdqa\t%xmm2,(%esp)\n.L081cbc_ret:\n\tmovl\t16(%esp),%esp\n\tmovl\t36(%esp),%ebp\n\tpxor\t%xmm2,%xmm2\n\tpxor\t%xmm1,%xmm1\n\tmovups\t%xmm7,(%ebp)\n\tpxor\t%xmm7,%xmm7\n.L076cbc_abort:\n\tpopl\t%edi\n\tpopl\t%esi\n\tpopl\t%ebx\n\tpopl\t%ebp\n\tret\n.size\taes_hw_cbc_encrypt,.-.L_aes_hw_cbc_encrypt_begin\n.globl\taes_hw_set_encrypt_key_base\n.hidden\taes_hw_set_encrypt_key_base\n.type\taes_hw_set_encrypt_key_base,@function\n.align\t16\naes_hw_set_encrypt_key_base:\n.L_aes_hw_set_encrypt_key_base_begin:\n#ifdef BORINGSSL_DISPATCH_TEST\n\tpushl\t%ebx\n\tpushl\t%edx\n\tcall\t.L093pic_for_function_hit\n.L093pic_for_function_hit:\n\tpopl\t%ebx\n\tleal\tBORINGSSL_function_hit+3-.L093pic_for_function_hit(%ebx),%ebx\n\tmovl\t$1,%edx\n\tmovb\t%dl,(%ebx)\n\tpopl\t%edx\n\tpopl\t%ebx\n#endif\n\tmovl\t4(%esp),%eax\n\tmovl\t8(%esp),%ecx\n\tmovl\t12(%esp),%edx\n\tpushl\t%ebx\n\tcall\t.L094pic\n.L094pic:\n\tpopl\t%ebx\n\tleal\t.Lkey_const-.L094pic(%ebx),%ebx\n\tmovups\t(%eax),%xmm0\n\txorps\t%xmm4,%xmm4\n\tleal\t16(%edx),%edx\n\tcmpl\t$256,%ecx\n\tje\t.L09514rounds\n\tcmpl\t$192,%ecx\n\tje\t.L09612rounds\n\tcmpl\t$128,%ecx\n\tjne\t.L097bad_keybits\n.align\t16\n.L09810rounds:\n\tmovl\t$9,%ecx\n\tmovups\t%xmm0,-16(%edx)\n.byte\t102,15,58,223,200,1\n\tcall\t.L099key_128_cold\n.byte\t102,15,58,223,200,2\n\tcall\t.L100key_128\n.byte\t102,15,58,223,200,4\n\tcall\t.L100key_128\n.byte\t102,15,58,223,200,8\n\tcall\t.L100key_128\n.byte\t102,15,58,223,200,16\n\tcall\t.L100key_128\n.byte\t102,15,58,223,200,32\n\tcall\t.L100key_128\n.byte\t102,15,58,223,200,64\n\tcall\t.L100key_128\n.byte\t102,15,58,223,200,128\n\tcall\t.L100key_128\n.byte\t102,15,58,223,200,27\n\tcall\t.L100key_128\n.byte\t102,15,58,223,200,54\n\tcall\t.L100key_128\n\tmovups\t%xmm0,(%edx)\n\tmovl\t%ecx,80(%edx)\n\tjmp\t.L101good_key\n.align\t16\n.L100key_128:\n\tmovups\t%xmm0,(%edx)\n\tleal\t16(%edx),%edx\n.L099key_128_cold:\n\tshufps\t$16,%xmm0,%xmm4\n\txorps\t%xmm4,%xmm0\n\tshufps\t$140,%xmm0,%xmm4\n\txorps\t%xmm4,%xmm0\n\tshufps\t$255,%xmm1,%xmm1\n\txorps\t%xmm1,%xmm0\n\tret\n.align\t16\n.L09612rounds:\n\tmovq\t16(%eax),%xmm2\n\tmovl\t$11,%ecx\n\tmovups\t%xmm0,-16(%edx)\n.byte\t102,15,58,223,202,1\n\tcall\t.L102key_192a_cold\n.byte\t102,15,58,223,202,2\n\tcall\t.L103key_192b\n.byte\t102,15,58,223,202,4\n\tcall\t.L104key_192a\n.byte\t102,15,58,223,202,8\n\tcall\t.L103key_192b\n.byte\t102,15,58,223,202,16\n\tcall\t.L104key_192a\n.byte\t102,15,58,223,202,32\n\tcall\t.L103key_192b\n.byte\t102,15,58,223,202,64\n\tcall\t.L104key_192a\n.byte\t102,15,58,223,202,128\n\tcall\t.L103key_192b\n\tmovups\t%xmm0,(%edx)\n\tmovl\t%ecx,48(%edx)\n\tjmp\t.L101good_key\n.align\t16\n.L104key_192a:\n\tmovups\t%xmm0,(%edx)\n\tleal\t16(%edx),%edx\n.align\t16\n.L102key_192a_cold:\n\tmovaps\t%xmm2,%xmm5\n.L105key_192b_warm:\n\tshufps\t$16,%xmm0,%xmm4\n\tmovdqa\t%xmm2,%xmm3\n\txorps\t%xmm4,%xmm0\n\tshufps\t$140,%xmm0,%xmm4\n\tpslldq\t$4,%xmm3\n\txorps\t%xmm4,%xmm0\n\tpshufd\t$85,%xmm1,%xmm1\n\tpxor\t%xmm3,%xmm2\n\tpxor\t%xmm1,%xmm0\n\tpshufd\t$255,%xmm0,%xmm3\n\tpxor\t%xmm3,%xmm2\n\tret\n.align\t16\n.L103key_192b:\n\tmovaps\t%xmm0,%xmm3\n\tshufps\t$68,%xmm0,%xmm5\n\tmovups\t%xmm5,(%edx)\n\tshufps\t$78,%xmm2,%xmm3\n\tmovups\t%xmm3,16(%edx)\n\tleal\t32(%edx),%edx\n\tjmp\t.L105key_192b_warm\n.align\t16\n.L09514rounds:\n\tmovups\t16(%eax),%xmm2\n\tleal\t16(%edx),%edx\n\tmovl\t$13,%ecx\n\tmovups\t%xmm0,-32(%edx)\n\tmovups\t%xmm2,-16(%edx)\n.byte\t102,15,58,223,202,1\n\tcall\t.L106key_256a_cold\n.byte\t102,15,58,223,200,1\n\tcall\t.L107key_256b\n.byte\t102,15,58,223,202,2\n\tcall\t.L108key_256a\n.byte\t102,15,58,223,200,2\n\tcall\t.L107key_256b\n.byte\t102,15,58,223,202,4\n\tcall\t.L108key_256a\n.byte\t102,15,58,223,200,4\n\tcall\t.L107key_256b\n.byte\t102,15,58,223,202,8\n\tcall\t.L108key_256a\n.byte\t102,15,58,223,200,8\n\tcall\t.L107key_256b\n.byte\t102,15,58,223,202,16\n\tcall\t.L108key_256a\n.byte\t102,15,58,223,200,16\n\tcall\t.L107key_256b\n.byte\t102,15,58,223,202,32\n\tcall\t.L108key_256a\n.byte\t102,15,58,223,200,32\n\tcall\t.L107key_256b\n.byte\t102,15,58,223,202,64\n\tcall\t.L108key_256a\n\tmovups\t%xmm0,(%edx)\n\tmovl\t%ecx,16(%edx)\n\txorl\t%eax,%eax\n\tjmp\t.L101good_key\n.align\t16\n.L108key_256a:\n\tmovups\t%xmm2,(%edx)\n\tleal\t16(%edx),%edx\n.L106key_256a_cold:\n\tshufps\t$16,%xmm0,%xmm4\n\txorps\t%xmm4,%xmm0\n\tshufps\t$140,%xmm0,%xmm4\n\txorps\t%xmm4,%xmm0\n\tshufps\t$255,%xmm1,%xmm1\n\txorps\t%xmm1,%xmm0\n\tret\n.align\t16\n.L107key_256b:\n\tmovups\t%xmm0,(%edx)\n\tleal\t16(%edx),%edx\n\tshufps\t$16,%xmm2,%xmm4\n\txorps\t%xmm4,%xmm2\n\tshufps\t$140,%xmm2,%xmm4\n\txorps\t%xmm4,%xmm2\n\tshufps\t$170,%xmm1,%xmm1\n\txorps\t%xmm1,%xmm2\n\tret\n.L101good_key:\n\tpxor\t%xmm0,%xmm0\n\tpxor\t%xmm1,%xmm1\n\tpxor\t%xmm2,%xmm2\n\tpxor\t%xmm3,%xmm3\n\tpxor\t%xmm4,%xmm4\n\tpxor\t%xmm5,%xmm5\n\txorl\t%eax,%eax\n\tpopl\t%ebx\n\tret\n.align\t4\n.L097bad_keybits:\n\tpxor\t%xmm0,%xmm0\n\tmovl\t$-2,%eax\n\tpopl\t%ebx\n\tret\n.size\taes_hw_set_encrypt_key_base,.-.L_aes_hw_set_encrypt_key_base_begin\n.globl\taes_hw_set_encrypt_key_alt\n.hidden\taes_hw_set_encrypt_key_alt\n.type\taes_hw_set_encrypt_key_alt,@function\n.align\t16\naes_hw_set_encrypt_key_alt:\n.L_aes_hw_set_encrypt_key_alt_begin:\n#ifdef BORINGSSL_DISPATCH_TEST\n\tpushl\t%ebx\n\tpushl\t%edx\n\tcall\t.L109pic_for_function_hit\n.L109pic_for_function_hit:\n\tpopl\t%ebx\n\tleal\tBORINGSSL_function_hit+3-.L109pic_for_function_hit(%ebx),%ebx\n\tmovl\t$1,%edx\n\tmovb\t%dl,(%ebx)\n\tpopl\t%edx\n\tpopl\t%ebx\n#endif\n\tmovl\t4(%esp),%eax\n\tmovl\t8(%esp),%ecx\n\tmovl\t12(%esp),%edx\n\tpushl\t%ebx\n\tcall\t.L110pic\n.L110pic:\n\tpopl\t%ebx\n\tleal\t.Lkey_const-.L110pic(%ebx),%ebx\n\tmovups\t(%eax),%xmm0\n\txorps\t%xmm4,%xmm4\n\tleal\t16(%edx),%edx\n\tcmpl\t$256,%ecx\n\tje\t.L11114rounds_alt\n\tcmpl\t$192,%ecx\n\tje\t.L11212rounds_alt\n\tcmpl\t$128,%ecx\n\tjne\t.L113bad_keybits\n.align\t16\n.L11410rounds_alt:\n\tmovdqa\t(%ebx),%xmm5\n\tmovl\t$8,%ecx\n\tmovdqa\t32(%ebx),%xmm4\n\tmovdqa\t%xmm0,%xmm2\n\tmovdqu\t%xmm0,-16(%edx)\n.L115loop_key128:\n.byte\t102,15,56,0,197\n.byte\t102,15,56,221,196\n\tpslld\t$1,%xmm4\n\tleal\t16(%edx),%edx\n\tmovdqa\t%xmm2,%xmm3\n\tpslldq\t$4,%xmm2\n\tpxor\t%xmm2,%xmm3\n\tpslldq\t$4,%xmm2\n\tpxor\t%xmm2,%xmm3\n\tpslldq\t$4,%xmm2\n\tpxor\t%xmm3,%xmm2\n\tpxor\t%xmm2,%xmm0\n\tmovdqu\t%xmm0,-16(%edx)\n\tmovdqa\t%xmm0,%xmm2\n\tdecl\t%ecx\n\tjnz\t.L115loop_key128\n\tmovdqa\t48(%ebx),%xmm4\n.byte\t102,15,56,0,197\n.byte\t102,15,56,221,196\n\tpslld\t$1,%xmm4\n\tmovdqa\t%xmm2,%xmm3\n\tpslldq\t$4,%xmm2\n\tpxor\t%xmm2,%xmm3\n\tpslldq\t$4,%xmm2\n\tpxor\t%xmm2,%xmm3\n\tpslldq\t$4,%xmm2\n\tpxor\t%xmm3,%xmm2\n\tpxor\t%xmm2,%xmm0\n\tmovdqu\t%xmm0,(%edx)\n\tmovdqa\t%xmm0,%xmm2\n.byte\t102,15,56,0,197\n.byte\t102,15,56,221,196\n\tmovdqa\t%xmm2,%xmm3\n\tpslldq\t$4,%xmm2\n\tpxor\t%xmm2,%xmm3\n\tpslldq\t$4,%xmm2\n\tpxor\t%xmm2,%xmm3\n\tpslldq\t$4,%xmm2\n\tpxor\t%xmm3,%xmm2\n\tpxor\t%xmm2,%xmm0\n\tmovdqu\t%xmm0,16(%edx)\n\tmovl\t$9,%ecx\n\tmovl\t%ecx,96(%edx)\n\tjmp\t.L116good_key\n.align\t16\n.L11212rounds_alt:\n\tmovq\t16(%eax),%xmm2\n\tmovdqa\t16(%ebx),%xmm5\n\tmovdqa\t32(%ebx),%xmm4\n\tmovl\t$8,%ecx\n\tmovdqu\t%xmm0,-16(%edx)\n.L117loop_key192:\n\tmovq\t%xmm2,(%edx)\n\tmovdqa\t%xmm2,%xmm1\n.byte\t102,15,56,0,213\n.byte\t102,15,56,221,212\n\tpslld\t$1,%xmm4\n\tleal\t24(%edx),%edx\n\tmovdqa\t%xmm0,%xmm3\n\tpslldq\t$4,%xmm0\n\tpxor\t%xmm0,%xmm3\n\tpslldq\t$4,%xmm0\n\tpxor\t%xmm0,%xmm3\n\tpslldq\t$4,%xmm0\n\tpxor\t%xmm3,%xmm0\n\tpshufd\t$255,%xmm0,%xmm3\n\tpxor\t%xmm1,%xmm3\n\tpslldq\t$4,%xmm1\n\tpxor\t%xmm1,%xmm3\n\tpxor\t%xmm2,%xmm0\n\tpxor\t%xmm3,%xmm2\n\tmovdqu\t%xmm0,-16(%edx)\n\tdecl\t%ecx\n\tjnz\t.L117loop_key192\n\tmovl\t$11,%ecx\n\tmovl\t%ecx,32(%edx)\n\tjmp\t.L116good_key\n.align\t16\n.L11114rounds_alt:\n\tmovups\t16(%eax),%xmm2\n\tleal\t16(%edx),%edx\n\tmovdqa\t(%ebx),%xmm5\n\tmovdqa\t32(%ebx),%xmm4\n\tmovl\t$7,%ecx\n\tmovdqu\t%xmm0,-32(%edx)\n\tmovdqa\t%xmm2,%xmm1\n\tmovdqu\t%xmm2,-16(%edx)\n.L118loop_key256:\n.byte\t102,15,56,0,213\n.byte\t102,15,56,221,212\n\tmovdqa\t%xmm0,%xmm3\n\tpslldq\t$4,%xmm0\n\tpxor\t%xmm0,%xmm3\n\tpslldq\t$4,%xmm0\n\tpxor\t%xmm0,%xmm3\n\tpslldq\t$4,%xmm0\n\tpxor\t%xmm3,%xmm0\n\tpslld\t$1,%xmm4\n\tpxor\t%xmm2,%xmm0\n\tmovdqu\t%xmm0,(%edx)\n\tdecl\t%ecx\n\tjz\t.L119done_key256\n\tpshufd\t$255,%xmm0,%xmm2\n\tpxor\t%xmm3,%xmm3\n.byte\t102,15,56,221,211\n\tmovdqa\t%xmm1,%xmm3\n\tpslldq\t$4,%xmm1\n\tpxor\t%xmm1,%xmm3\n\tpslldq\t$4,%xmm1\n\tpxor\t%xmm1,%xmm3\n\tpslldq\t$4,%xmm1\n\tpxor\t%xmm3,%xmm1\n\tpxor\t%xmm1,%xmm2\n\tmovdqu\t%xmm2,16(%edx)\n\tleal\t32(%edx),%edx\n\tmovdqa\t%xmm2,%xmm1\n\tjmp\t.L118loop_key256\n.L119done_key256:\n\tmovl\t$13,%ecx\n\tmovl\t%ecx,16(%edx)\n.L116good_key:\n\tpxor\t%xmm0,%xmm0\n\tpxor\t%xmm1,%xmm1\n\tpxor\t%xmm2,%xmm2\n\tpxor\t%xmm3,%xmm3\n\tpxor\t%xmm4,%xmm4\n\tpxor\t%xmm5,%xmm5\n\txorl\t%eax,%eax\n\tpopl\t%ebx\n\tret\n.align\t4\n.L113bad_keybits:\n\tpxor\t%xmm0,%xmm0\n\tmovl\t$-2,%eax\n\tpopl\t%ebx\n\tret\n.size\taes_hw_set_encrypt_key_alt,.-.L_aes_hw_set_encrypt_key_alt_begin\n.globl\taes_hw_encrypt_key_to_decrypt_key\n.hidden\taes_hw_encrypt_key_to_decrypt_key\n.type\taes_hw_encrypt_key_to_decrypt_key,@function\n.align\t16\naes_hw_encrypt_key_to_decrypt_key:\n.L_aes_hw_encrypt_key_to_decrypt_key_begin:\n\tmovl\t4(%esp),%edx\n\tmovl\t240(%edx),%ecx\n\tshll\t$4,%ecx\n\tleal\t16(%edx,%ecx,1),%eax\n\tmovups\t(%edx),%xmm0\n\tmovups\t(%eax),%xmm1\n\tmovups\t%xmm0,(%eax)\n\tmovups\t%xmm1,(%edx)\n\tleal\t16(%edx),%edx\n\tleal\t-16(%eax),%eax\n.L120dec_key_inverse:\n\tmovups\t(%edx),%xmm0\n\tmovups\t(%eax),%xmm1\n.byte\t102,15,56,219,192\n.byte\t102,15,56,219,201\n\tleal\t16(%edx),%edx\n\tleal\t-16(%eax),%eax\n\tmovups\t%xmm0,16(%eax)\n\tmovups\t%xmm1,-16(%edx)\n\tcmpl\t%edx,%eax\n\tja\t.L120dec_key_inverse\n\tmovups\t(%edx),%xmm0\n.byte\t102,15,56,219,192\n\tmovups\t%xmm0,(%edx)\n\tpxor\t%xmm0,%xmm0\n\tpxor\t%xmm1,%xmm1\n\tret\n.size\taes_hw_encrypt_key_to_decrypt_key,.-.L_aes_hw_encrypt_key_to_decrypt_key_begin\n.align\t64\n.Lkey_const:\n.long\t202313229,202313229,202313229,202313229\n.long\t67569157,67569157,67569157,67569157\n.long\t1,1,1,1\n.long\t27,27,27,27\n.byte\t65,69,83,32,102,111,114,32,73,110,116,101,108,32,65,69\n.byte\t83,45,78,73,44,32,67,82,89,80,84,79,71,65,77,83\n.byte\t32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115\n.byte\t115,108,46,111,114,103,62,0\n#endif // !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86) && defined(__ELF__)\n#if defined(__linux__) && defined(__ELF__)\n.section .note.GNU-stack,\"\",%progbits\n#endif\n\n" }, { "path": "Sources/CNIOBoringSSL/gen/bcm/aesni-x86_64-apple.S", "content": "#define BORINGSSL_PREFIX CNIOBoringSSL\n// This file is generated from a similarly-named Perl script in the BoringSSL\n// source tree. Do not edit by hand.\n\n#include \n\n#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86_64) && defined(__APPLE__)\n.text\t\n.globl\t_aes_hw_encrypt\n.private_extern _aes_hw_encrypt\n\n.p2align\t4\n_aes_hw_encrypt:\n\n_CET_ENDBR\n#ifdef BORINGSSL_DISPATCH_TEST\n\n\tmovb\t$1,_BORINGSSL_function_hit+1(%rip)\n#endif\n\tmovups\t(%rdi),%xmm2\n\tmovl\t240(%rdx),%eax\n\tmovups\t(%rdx),%xmm0\n\tmovups\t16(%rdx),%xmm1\n\tleaq\t32(%rdx),%rdx\n\txorps\t%xmm0,%xmm2\nL$oop_enc1_1:\n.byte\t102,15,56,220,209\n\tdecl\t%eax\n\tmovups\t(%rdx),%xmm1\n\tleaq\t16(%rdx),%rdx\n\tjnz\tL$oop_enc1_1\n.byte\t102,15,56,221,209\n\tpxor\t%xmm0,%xmm0\n\tpxor\t%xmm1,%xmm1\n\tmovups\t%xmm2,(%rsi)\n\tpxor\t%xmm2,%xmm2\n\tret\n\n\n\n.globl\t_aes_hw_decrypt\n.private_extern _aes_hw_decrypt\n\n.p2align\t4\n_aes_hw_decrypt:\n\n_CET_ENDBR\n\tmovups\t(%rdi),%xmm2\n\tmovl\t240(%rdx),%eax\n\tmovups\t(%rdx),%xmm0\n\tmovups\t16(%rdx),%xmm1\n\tleaq\t32(%rdx),%rdx\n\txorps\t%xmm0,%xmm2\nL$oop_dec1_2:\n.byte\t102,15,56,222,209\n\tdecl\t%eax\n\tmovups\t(%rdx),%xmm1\n\tleaq\t16(%rdx),%rdx\n\tjnz\tL$oop_dec1_2\n.byte\t102,15,56,223,209\n\tpxor\t%xmm0,%xmm0\n\tpxor\t%xmm1,%xmm1\n\tmovups\t%xmm2,(%rsi)\n\tpxor\t%xmm2,%xmm2\n\tret\n\n\n\n.p2align\t4\n_aesni_encrypt2:\n\n\tmovups\t(%rcx),%xmm0\n\tshll\t$4,%eax\n\tmovups\t16(%rcx),%xmm1\n\txorps\t%xmm0,%xmm2\n\txorps\t%xmm0,%xmm3\n\tmovups\t32(%rcx),%xmm0\n\tleaq\t32(%rcx,%rax,1),%rcx\n\tnegq\t%rax\n\taddq\t$16,%rax\n\nL$enc_loop2:\n.byte\t102,15,56,220,209\n.byte\t102,15,56,220,217\n\tmovups\t(%rcx,%rax,1),%xmm1\n\taddq\t$32,%rax\n.byte\t102,15,56,220,208\n.byte\t102,15,56,220,216\n\tmovups\t-16(%rcx,%rax,1),%xmm0\n\tjnz\tL$enc_loop2\n\n.byte\t102,15,56,220,209\n.byte\t102,15,56,220,217\n.byte\t102,15,56,221,208\n.byte\t102,15,56,221,216\n\tret\n\n\n\n.p2align\t4\n_aesni_decrypt2:\n\n\tmovups\t(%rcx),%xmm0\n\tshll\t$4,%eax\n\tmovups\t16(%rcx),%xmm1\n\txorps\t%xmm0,%xmm2\n\txorps\t%xmm0,%xmm3\n\tmovups\t32(%rcx),%xmm0\n\tleaq\t32(%rcx,%rax,1),%rcx\n\tnegq\t%rax\n\taddq\t$16,%rax\n\nL$dec_loop2:\n.byte\t102,15,56,222,209\n.byte\t102,15,56,222,217\n\tmovups\t(%rcx,%rax,1),%xmm1\n\taddq\t$32,%rax\n.byte\t102,15,56,222,208\n.byte\t102,15,56,222,216\n\tmovups\t-16(%rcx,%rax,1),%xmm0\n\tjnz\tL$dec_loop2\n\n.byte\t102,15,56,222,209\n.byte\t102,15,56,222,217\n.byte\t102,15,56,223,208\n.byte\t102,15,56,223,216\n\tret\n\n\n\n.p2align\t4\n_aesni_encrypt3:\n\n\tmovups\t(%rcx),%xmm0\n\tshll\t$4,%eax\n\tmovups\t16(%rcx),%xmm1\n\txorps\t%xmm0,%xmm2\n\txorps\t%xmm0,%xmm3\n\txorps\t%xmm0,%xmm4\n\tmovups\t32(%rcx),%xmm0\n\tleaq\t32(%rcx,%rax,1),%rcx\n\tnegq\t%rax\n\taddq\t$16,%rax\n\nL$enc_loop3:\n.byte\t102,15,56,220,209\n.byte\t102,15,56,220,217\n.byte\t102,15,56,220,225\n\tmovups\t(%rcx,%rax,1),%xmm1\n\taddq\t$32,%rax\n.byte\t102,15,56,220,208\n.byte\t102,15,56,220,216\n.byte\t102,15,56,220,224\n\tmovups\t-16(%rcx,%rax,1),%xmm0\n\tjnz\tL$enc_loop3\n\n.byte\t102,15,56,220,209\n.byte\t102,15,56,220,217\n.byte\t102,15,56,220,225\n.byte\t102,15,56,221,208\n.byte\t102,15,56,221,216\n.byte\t102,15,56,221,224\n\tret\n\n\n\n.p2align\t4\n_aesni_decrypt3:\n\n\tmovups\t(%rcx),%xmm0\n\tshll\t$4,%eax\n\tmovups\t16(%rcx),%xmm1\n\txorps\t%xmm0,%xmm2\n\txorps\t%xmm0,%xmm3\n\txorps\t%xmm0,%xmm4\n\tmovups\t32(%rcx),%xmm0\n\tleaq\t32(%rcx,%rax,1),%rcx\n\tnegq\t%rax\n\taddq\t$16,%rax\n\nL$dec_loop3:\n.byte\t102,15,56,222,209\n.byte\t102,15,56,222,217\n.byte\t102,15,56,222,225\n\tmovups\t(%rcx,%rax,1),%xmm1\n\taddq\t$32,%rax\n.byte\t102,15,56,222,208\n.byte\t102,15,56,222,216\n.byte\t102,15,56,222,224\n\tmovups\t-16(%rcx,%rax,1),%xmm0\n\tjnz\tL$dec_loop3\n\n.byte\t102,15,56,222,209\n.byte\t102,15,56,222,217\n.byte\t102,15,56,222,225\n.byte\t102,15,56,223,208\n.byte\t102,15,56,223,216\n.byte\t102,15,56,223,224\n\tret\n\n\n\n.p2align\t4\n_aesni_encrypt4:\n\n\tmovups\t(%rcx),%xmm0\n\tshll\t$4,%eax\n\tmovups\t16(%rcx),%xmm1\n\txorps\t%xmm0,%xmm2\n\txorps\t%xmm0,%xmm3\n\txorps\t%xmm0,%xmm4\n\txorps\t%xmm0,%xmm5\n\tmovups\t32(%rcx),%xmm0\n\tleaq\t32(%rcx,%rax,1),%rcx\n\tnegq\t%rax\n.byte\t0x0f,0x1f,0x00\n\taddq\t$16,%rax\n\nL$enc_loop4:\n.byte\t102,15,56,220,209\n.byte\t102,15,56,220,217\n.byte\t102,15,56,220,225\n.byte\t102,15,56,220,233\n\tmovups\t(%rcx,%rax,1),%xmm1\n\taddq\t$32,%rax\n.byte\t102,15,56,220,208\n.byte\t102,15,56,220,216\n.byte\t102,15,56,220,224\n.byte\t102,15,56,220,232\n\tmovups\t-16(%rcx,%rax,1),%xmm0\n\tjnz\tL$enc_loop4\n\n.byte\t102,15,56,220,209\n.byte\t102,15,56,220,217\n.byte\t102,15,56,220,225\n.byte\t102,15,56,220,233\n.byte\t102,15,56,221,208\n.byte\t102,15,56,221,216\n.byte\t102,15,56,221,224\n.byte\t102,15,56,221,232\n\tret\n\n\n\n.p2align\t4\n_aesni_decrypt4:\n\n\tmovups\t(%rcx),%xmm0\n\tshll\t$4,%eax\n\tmovups\t16(%rcx),%xmm1\n\txorps\t%xmm0,%xmm2\n\txorps\t%xmm0,%xmm3\n\txorps\t%xmm0,%xmm4\n\txorps\t%xmm0,%xmm5\n\tmovups\t32(%rcx),%xmm0\n\tleaq\t32(%rcx,%rax,1),%rcx\n\tnegq\t%rax\n.byte\t0x0f,0x1f,0x00\n\taddq\t$16,%rax\n\nL$dec_loop4:\n.byte\t102,15,56,222,209\n.byte\t102,15,56,222,217\n.byte\t102,15,56,222,225\n.byte\t102,15,56,222,233\n\tmovups\t(%rcx,%rax,1),%xmm1\n\taddq\t$32,%rax\n.byte\t102,15,56,222,208\n.byte\t102,15,56,222,216\n.byte\t102,15,56,222,224\n.byte\t102,15,56,222,232\n\tmovups\t-16(%rcx,%rax,1),%xmm0\n\tjnz\tL$dec_loop4\n\n.byte\t102,15,56,222,209\n.byte\t102,15,56,222,217\n.byte\t102,15,56,222,225\n.byte\t102,15,56,222,233\n.byte\t102,15,56,223,208\n.byte\t102,15,56,223,216\n.byte\t102,15,56,223,224\n.byte\t102,15,56,223,232\n\tret\n\n\n\n.p2align\t4\n_aesni_encrypt6:\n\n\tmovups\t(%rcx),%xmm0\n\tshll\t$4,%eax\n\tmovups\t16(%rcx),%xmm1\n\txorps\t%xmm0,%xmm2\n\tpxor\t%xmm0,%xmm3\n\tpxor\t%xmm0,%xmm4\n.byte\t102,15,56,220,209\n\tleaq\t32(%rcx,%rax,1),%rcx\n\tnegq\t%rax\n.byte\t102,15,56,220,217\n\tpxor\t%xmm0,%xmm5\n\tpxor\t%xmm0,%xmm6\n.byte\t102,15,56,220,225\n\tpxor\t%xmm0,%xmm7\n\tmovups\t(%rcx,%rax,1),%xmm0\n\taddq\t$16,%rax\n\tjmp\tL$enc_loop6_enter\n.p2align\t4\nL$enc_loop6:\n.byte\t102,15,56,220,209\n.byte\t102,15,56,220,217\n.byte\t102,15,56,220,225\nL$enc_loop6_enter:\n.byte\t102,15,56,220,233\n.byte\t102,15,56,220,241\n.byte\t102,15,56,220,249\n\tmovups\t(%rcx,%rax,1),%xmm1\n\taddq\t$32,%rax\n.byte\t102,15,56,220,208\n.byte\t102,15,56,220,216\n.byte\t102,15,56,220,224\n.byte\t102,15,56,220,232\n.byte\t102,15,56,220,240\n.byte\t102,15,56,220,248\n\tmovups\t-16(%rcx,%rax,1),%xmm0\n\tjnz\tL$enc_loop6\n\n.byte\t102,15,56,220,209\n.byte\t102,15,56,220,217\n.byte\t102,15,56,220,225\n.byte\t102,15,56,220,233\n.byte\t102,15,56,220,241\n.byte\t102,15,56,220,249\n.byte\t102,15,56,221,208\n.byte\t102,15,56,221,216\n.byte\t102,15,56,221,224\n.byte\t102,15,56,221,232\n.byte\t102,15,56,221,240\n.byte\t102,15,56,221,248\n\tret\n\n\n\n.p2align\t4\n_aesni_decrypt6:\n\n\tmovups\t(%rcx),%xmm0\n\tshll\t$4,%eax\n\tmovups\t16(%rcx),%xmm1\n\txorps\t%xmm0,%xmm2\n\tpxor\t%xmm0,%xmm3\n\tpxor\t%xmm0,%xmm4\n.byte\t102,15,56,222,209\n\tleaq\t32(%rcx,%rax,1),%rcx\n\tnegq\t%rax\n.byte\t102,15,56,222,217\n\tpxor\t%xmm0,%xmm5\n\tpxor\t%xmm0,%xmm6\n.byte\t102,15,56,222,225\n\tpxor\t%xmm0,%xmm7\n\tmovups\t(%rcx,%rax,1),%xmm0\n\taddq\t$16,%rax\n\tjmp\tL$dec_loop6_enter\n.p2align\t4\nL$dec_loop6:\n.byte\t102,15,56,222,209\n.byte\t102,15,56,222,217\n.byte\t102,15,56,222,225\nL$dec_loop6_enter:\n.byte\t102,15,56,222,233\n.byte\t102,15,56,222,241\n.byte\t102,15,56,222,249\n\tmovups\t(%rcx,%rax,1),%xmm1\n\taddq\t$32,%rax\n.byte\t102,15,56,222,208\n.byte\t102,15,56,222,216\n.byte\t102,15,56,222,224\n.byte\t102,15,56,222,232\n.byte\t102,15,56,222,240\n.byte\t102,15,56,222,248\n\tmovups\t-16(%rcx,%rax,1),%xmm0\n\tjnz\tL$dec_loop6\n\n.byte\t102,15,56,222,209\n.byte\t102,15,56,222,217\n.byte\t102,15,56,222,225\n.byte\t102,15,56,222,233\n.byte\t102,15,56,222,241\n.byte\t102,15,56,222,249\n.byte\t102,15,56,223,208\n.byte\t102,15,56,223,216\n.byte\t102,15,56,223,224\n.byte\t102,15,56,223,232\n.byte\t102,15,56,223,240\n.byte\t102,15,56,223,248\n\tret\n\n\n\n.p2align\t4\n_aesni_encrypt8:\n\n\tmovups\t(%rcx),%xmm0\n\tshll\t$4,%eax\n\tmovups\t16(%rcx),%xmm1\n\txorps\t%xmm0,%xmm2\n\txorps\t%xmm0,%xmm3\n\tpxor\t%xmm0,%xmm4\n\tpxor\t%xmm0,%xmm5\n\tpxor\t%xmm0,%xmm6\n\tleaq\t32(%rcx,%rax,1),%rcx\n\tnegq\t%rax\n.byte\t102,15,56,220,209\n\tpxor\t%xmm0,%xmm7\n\tpxor\t%xmm0,%xmm8\n.byte\t102,15,56,220,217\n\tpxor\t%xmm0,%xmm9\n\tmovups\t(%rcx,%rax,1),%xmm0\n\taddq\t$16,%rax\n\tjmp\tL$enc_loop8_inner\n.p2align\t4\nL$enc_loop8:\n.byte\t102,15,56,220,209\n.byte\t102,15,56,220,217\nL$enc_loop8_inner:\n.byte\t102,15,56,220,225\n.byte\t102,15,56,220,233\n.byte\t102,15,56,220,241\n.byte\t102,15,56,220,249\n.byte\t102,68,15,56,220,193\n.byte\t102,68,15,56,220,201\nL$enc_loop8_enter:\n\tmovups\t(%rcx,%rax,1),%xmm1\n\taddq\t$32,%rax\n.byte\t102,15,56,220,208\n.byte\t102,15,56,220,216\n.byte\t102,15,56,220,224\n.byte\t102,15,56,220,232\n.byte\t102,15,56,220,240\n.byte\t102,15,56,220,248\n.byte\t102,68,15,56,220,192\n.byte\t102,68,15,56,220,200\n\tmovups\t-16(%rcx,%rax,1),%xmm0\n\tjnz\tL$enc_loop8\n\n.byte\t102,15,56,220,209\n.byte\t102,15,56,220,217\n.byte\t102,15,56,220,225\n.byte\t102,15,56,220,233\n.byte\t102,15,56,220,241\n.byte\t102,15,56,220,249\n.byte\t102,68,15,56,220,193\n.byte\t102,68,15,56,220,201\n.byte\t102,15,56,221,208\n.byte\t102,15,56,221,216\n.byte\t102,15,56,221,224\n.byte\t102,15,56,221,232\n.byte\t102,15,56,221,240\n.byte\t102,15,56,221,248\n.byte\t102,68,15,56,221,192\n.byte\t102,68,15,56,221,200\n\tret\n\n\n\n.p2align\t4\n_aesni_decrypt8:\n\n\tmovups\t(%rcx),%xmm0\n\tshll\t$4,%eax\n\tmovups\t16(%rcx),%xmm1\n\txorps\t%xmm0,%xmm2\n\txorps\t%xmm0,%xmm3\n\tpxor\t%xmm0,%xmm4\n\tpxor\t%xmm0,%xmm5\n\tpxor\t%xmm0,%xmm6\n\tleaq\t32(%rcx,%rax,1),%rcx\n\tnegq\t%rax\n.byte\t102,15,56,222,209\n\tpxor\t%xmm0,%xmm7\n\tpxor\t%xmm0,%xmm8\n.byte\t102,15,56,222,217\n\tpxor\t%xmm0,%xmm9\n\tmovups\t(%rcx,%rax,1),%xmm0\n\taddq\t$16,%rax\n\tjmp\tL$dec_loop8_inner\n.p2align\t4\nL$dec_loop8:\n.byte\t102,15,56,222,209\n.byte\t102,15,56,222,217\nL$dec_loop8_inner:\n.byte\t102,15,56,222,225\n.byte\t102,15,56,222,233\n.byte\t102,15,56,222,241\n.byte\t102,15,56,222,249\n.byte\t102,68,15,56,222,193\n.byte\t102,68,15,56,222,201\nL$dec_loop8_enter:\n\tmovups\t(%rcx,%rax,1),%xmm1\n\taddq\t$32,%rax\n.byte\t102,15,56,222,208\n.byte\t102,15,56,222,216\n.byte\t102,15,56,222,224\n.byte\t102,15,56,222,232\n.byte\t102,15,56,222,240\n.byte\t102,15,56,222,248\n.byte\t102,68,15,56,222,192\n.byte\t102,68,15,56,222,200\n\tmovups\t-16(%rcx,%rax,1),%xmm0\n\tjnz\tL$dec_loop8\n\n.byte\t102,15,56,222,209\n.byte\t102,15,56,222,217\n.byte\t102,15,56,222,225\n.byte\t102,15,56,222,233\n.byte\t102,15,56,222,241\n.byte\t102,15,56,222,249\n.byte\t102,68,15,56,222,193\n.byte\t102,68,15,56,222,201\n.byte\t102,15,56,223,208\n.byte\t102,15,56,223,216\n.byte\t102,15,56,223,224\n.byte\t102,15,56,223,232\n.byte\t102,15,56,223,240\n.byte\t102,15,56,223,248\n.byte\t102,68,15,56,223,192\n.byte\t102,68,15,56,223,200\n\tret\n\n\n.globl\t_aes_hw_ecb_encrypt\n.private_extern _aes_hw_ecb_encrypt\n\n.p2align\t4\n_aes_hw_ecb_encrypt:\n\n_CET_ENDBR\n\tandq\t$-16,%rdx\n\tjz\tL$ecb_ret\n\n\tmovl\t240(%rcx),%eax\n\tmovups\t(%rcx),%xmm0\n\tmovq\t%rcx,%r11\n\tmovl\t%eax,%r10d\n\ttestl\t%r8d,%r8d\n\tjz\tL$ecb_decrypt\n\n\tcmpq\t$0x80,%rdx\n\tjb\tL$ecb_enc_tail\n\n\tmovdqu\t(%rdi),%xmm2\n\tmovdqu\t16(%rdi),%xmm3\n\tmovdqu\t32(%rdi),%xmm4\n\tmovdqu\t48(%rdi),%xmm5\n\tmovdqu\t64(%rdi),%xmm6\n\tmovdqu\t80(%rdi),%xmm7\n\tmovdqu\t96(%rdi),%xmm8\n\tmovdqu\t112(%rdi),%xmm9\n\tleaq\t128(%rdi),%rdi\n\tsubq\t$0x80,%rdx\n\tjmp\tL$ecb_enc_loop8_enter\n.p2align\t4\nL$ecb_enc_loop8:\n\tmovups\t%xmm2,(%rsi)\n\tmovq\t%r11,%rcx\n\tmovdqu\t(%rdi),%xmm2\n\tmovl\t%r10d,%eax\n\tmovups\t%xmm3,16(%rsi)\n\tmovdqu\t16(%rdi),%xmm3\n\tmovups\t%xmm4,32(%rsi)\n\tmovdqu\t32(%rdi),%xmm4\n\tmovups\t%xmm5,48(%rsi)\n\tmovdqu\t48(%rdi),%xmm5\n\tmovups\t%xmm6,64(%rsi)\n\tmovdqu\t64(%rdi),%xmm6\n\tmovups\t%xmm7,80(%rsi)\n\tmovdqu\t80(%rdi),%xmm7\n\tmovups\t%xmm8,96(%rsi)\n\tmovdqu\t96(%rdi),%xmm8\n\tmovups\t%xmm9,112(%rsi)\n\tleaq\t128(%rsi),%rsi\n\tmovdqu\t112(%rdi),%xmm9\n\tleaq\t128(%rdi),%rdi\nL$ecb_enc_loop8_enter:\n\n\tcall\t_aesni_encrypt8\n\n\tsubq\t$0x80,%rdx\n\tjnc\tL$ecb_enc_loop8\n\n\tmovups\t%xmm2,(%rsi)\n\tmovq\t%r11,%rcx\n\tmovups\t%xmm3,16(%rsi)\n\tmovl\t%r10d,%eax\n\tmovups\t%xmm4,32(%rsi)\n\tmovups\t%xmm5,48(%rsi)\n\tmovups\t%xmm6,64(%rsi)\n\tmovups\t%xmm7,80(%rsi)\n\tmovups\t%xmm8,96(%rsi)\n\tmovups\t%xmm9,112(%rsi)\n\tleaq\t128(%rsi),%rsi\n\taddq\t$0x80,%rdx\n\tjz\tL$ecb_ret\n\nL$ecb_enc_tail:\n\tmovups\t(%rdi),%xmm2\n\tcmpq\t$0x20,%rdx\n\tjb\tL$ecb_enc_one\n\tmovups\t16(%rdi),%xmm3\n\tje\tL$ecb_enc_two\n\tmovups\t32(%rdi),%xmm4\n\tcmpq\t$0x40,%rdx\n\tjb\tL$ecb_enc_three\n\tmovups\t48(%rdi),%xmm5\n\tje\tL$ecb_enc_four\n\tmovups\t64(%rdi),%xmm6\n\tcmpq\t$0x60,%rdx\n\tjb\tL$ecb_enc_five\n\tmovups\t80(%rdi),%xmm7\n\tje\tL$ecb_enc_six\n\tmovdqu\t96(%rdi),%xmm8\n\txorps\t%xmm9,%xmm9\n\tcall\t_aesni_encrypt8\n\tmovups\t%xmm2,(%rsi)\n\tmovups\t%xmm3,16(%rsi)\n\tmovups\t%xmm4,32(%rsi)\n\tmovups\t%xmm5,48(%rsi)\n\tmovups\t%xmm6,64(%rsi)\n\tmovups\t%xmm7,80(%rsi)\n\tmovups\t%xmm8,96(%rsi)\n\tjmp\tL$ecb_ret\n.p2align\t4\nL$ecb_enc_one:\n\tmovups\t(%rcx),%xmm0\n\tmovups\t16(%rcx),%xmm1\n\tleaq\t32(%rcx),%rcx\n\txorps\t%xmm0,%xmm2\nL$oop_enc1_3:\n.byte\t102,15,56,220,209\n\tdecl\t%eax\n\tmovups\t(%rcx),%xmm1\n\tleaq\t16(%rcx),%rcx\n\tjnz\tL$oop_enc1_3\n.byte\t102,15,56,221,209\n\tmovups\t%xmm2,(%rsi)\n\tjmp\tL$ecb_ret\n.p2align\t4\nL$ecb_enc_two:\n\tcall\t_aesni_encrypt2\n\tmovups\t%xmm2,(%rsi)\n\tmovups\t%xmm3,16(%rsi)\n\tjmp\tL$ecb_ret\n.p2align\t4\nL$ecb_enc_three:\n\tcall\t_aesni_encrypt3\n\tmovups\t%xmm2,(%rsi)\n\tmovups\t%xmm3,16(%rsi)\n\tmovups\t%xmm4,32(%rsi)\n\tjmp\tL$ecb_ret\n.p2align\t4\nL$ecb_enc_four:\n\tcall\t_aesni_encrypt4\n\tmovups\t%xmm2,(%rsi)\n\tmovups\t%xmm3,16(%rsi)\n\tmovups\t%xmm4,32(%rsi)\n\tmovups\t%xmm5,48(%rsi)\n\tjmp\tL$ecb_ret\n.p2align\t4\nL$ecb_enc_five:\n\txorps\t%xmm7,%xmm7\n\tcall\t_aesni_encrypt6\n\tmovups\t%xmm2,(%rsi)\n\tmovups\t%xmm3,16(%rsi)\n\tmovups\t%xmm4,32(%rsi)\n\tmovups\t%xmm5,48(%rsi)\n\tmovups\t%xmm6,64(%rsi)\n\tjmp\tL$ecb_ret\n.p2align\t4\nL$ecb_enc_six:\n\tcall\t_aesni_encrypt6\n\tmovups\t%xmm2,(%rsi)\n\tmovups\t%xmm3,16(%rsi)\n\tmovups\t%xmm4,32(%rsi)\n\tmovups\t%xmm5,48(%rsi)\n\tmovups\t%xmm6,64(%rsi)\n\tmovups\t%xmm7,80(%rsi)\n\tjmp\tL$ecb_ret\n\n.p2align\t4\nL$ecb_decrypt:\n\tcmpq\t$0x80,%rdx\n\tjb\tL$ecb_dec_tail\n\n\tmovdqu\t(%rdi),%xmm2\n\tmovdqu\t16(%rdi),%xmm3\n\tmovdqu\t32(%rdi),%xmm4\n\tmovdqu\t48(%rdi),%xmm5\n\tmovdqu\t64(%rdi),%xmm6\n\tmovdqu\t80(%rdi),%xmm7\n\tmovdqu\t96(%rdi),%xmm8\n\tmovdqu\t112(%rdi),%xmm9\n\tleaq\t128(%rdi),%rdi\n\tsubq\t$0x80,%rdx\n\tjmp\tL$ecb_dec_loop8_enter\n.p2align\t4\nL$ecb_dec_loop8:\n\tmovups\t%xmm2,(%rsi)\n\tmovq\t%r11,%rcx\n\tmovdqu\t(%rdi),%xmm2\n\tmovl\t%r10d,%eax\n\tmovups\t%xmm3,16(%rsi)\n\tmovdqu\t16(%rdi),%xmm3\n\tmovups\t%xmm4,32(%rsi)\n\tmovdqu\t32(%rdi),%xmm4\n\tmovups\t%xmm5,48(%rsi)\n\tmovdqu\t48(%rdi),%xmm5\n\tmovups\t%xmm6,64(%rsi)\n\tmovdqu\t64(%rdi),%xmm6\n\tmovups\t%xmm7,80(%rsi)\n\tmovdqu\t80(%rdi),%xmm7\n\tmovups\t%xmm8,96(%rsi)\n\tmovdqu\t96(%rdi),%xmm8\n\tmovups\t%xmm9,112(%rsi)\n\tleaq\t128(%rsi),%rsi\n\tmovdqu\t112(%rdi),%xmm9\n\tleaq\t128(%rdi),%rdi\nL$ecb_dec_loop8_enter:\n\n\tcall\t_aesni_decrypt8\n\n\tmovups\t(%r11),%xmm0\n\tsubq\t$0x80,%rdx\n\tjnc\tL$ecb_dec_loop8\n\n\tmovups\t%xmm2,(%rsi)\n\tpxor\t%xmm2,%xmm2\n\tmovq\t%r11,%rcx\n\tmovups\t%xmm3,16(%rsi)\n\tpxor\t%xmm3,%xmm3\n\tmovl\t%r10d,%eax\n\tmovups\t%xmm4,32(%rsi)\n\tpxor\t%xmm4,%xmm4\n\tmovups\t%xmm5,48(%rsi)\n\tpxor\t%xmm5,%xmm5\n\tmovups\t%xmm6,64(%rsi)\n\tpxor\t%xmm6,%xmm6\n\tmovups\t%xmm7,80(%rsi)\n\tpxor\t%xmm7,%xmm7\n\tmovups\t%xmm8,96(%rsi)\n\tpxor\t%xmm8,%xmm8\n\tmovups\t%xmm9,112(%rsi)\n\tpxor\t%xmm9,%xmm9\n\tleaq\t128(%rsi),%rsi\n\taddq\t$0x80,%rdx\n\tjz\tL$ecb_ret\n\nL$ecb_dec_tail:\n\tmovups\t(%rdi),%xmm2\n\tcmpq\t$0x20,%rdx\n\tjb\tL$ecb_dec_one\n\tmovups\t16(%rdi),%xmm3\n\tje\tL$ecb_dec_two\n\tmovups\t32(%rdi),%xmm4\n\tcmpq\t$0x40,%rdx\n\tjb\tL$ecb_dec_three\n\tmovups\t48(%rdi),%xmm5\n\tje\tL$ecb_dec_four\n\tmovups\t64(%rdi),%xmm6\n\tcmpq\t$0x60,%rdx\n\tjb\tL$ecb_dec_five\n\tmovups\t80(%rdi),%xmm7\n\tje\tL$ecb_dec_six\n\tmovups\t96(%rdi),%xmm8\n\tmovups\t(%rcx),%xmm0\n\txorps\t%xmm9,%xmm9\n\tcall\t_aesni_decrypt8\n\tmovups\t%xmm2,(%rsi)\n\tpxor\t%xmm2,%xmm2\n\tmovups\t%xmm3,16(%rsi)\n\tpxor\t%xmm3,%xmm3\n\tmovups\t%xmm4,32(%rsi)\n\tpxor\t%xmm4,%xmm4\n\tmovups\t%xmm5,48(%rsi)\n\tpxor\t%xmm5,%xmm5\n\tmovups\t%xmm6,64(%rsi)\n\tpxor\t%xmm6,%xmm6\n\tmovups\t%xmm7,80(%rsi)\n\tpxor\t%xmm7,%xmm7\n\tmovups\t%xmm8,96(%rsi)\n\tpxor\t%xmm8,%xmm8\n\tpxor\t%xmm9,%xmm9\n\tjmp\tL$ecb_ret\n.p2align\t4\nL$ecb_dec_one:\n\tmovups\t(%rcx),%xmm0\n\tmovups\t16(%rcx),%xmm1\n\tleaq\t32(%rcx),%rcx\n\txorps\t%xmm0,%xmm2\nL$oop_dec1_4:\n.byte\t102,15,56,222,209\n\tdecl\t%eax\n\tmovups\t(%rcx),%xmm1\n\tleaq\t16(%rcx),%rcx\n\tjnz\tL$oop_dec1_4\n.byte\t102,15,56,223,209\n\tmovups\t%xmm2,(%rsi)\n\tpxor\t%xmm2,%xmm2\n\tjmp\tL$ecb_ret\n.p2align\t4\nL$ecb_dec_two:\n\tcall\t_aesni_decrypt2\n\tmovups\t%xmm2,(%rsi)\n\tpxor\t%xmm2,%xmm2\n\tmovups\t%xmm3,16(%rsi)\n\tpxor\t%xmm3,%xmm3\n\tjmp\tL$ecb_ret\n.p2align\t4\nL$ecb_dec_three:\n\tcall\t_aesni_decrypt3\n\tmovups\t%xmm2,(%rsi)\n\tpxor\t%xmm2,%xmm2\n\tmovups\t%xmm3,16(%rsi)\n\tpxor\t%xmm3,%xmm3\n\tmovups\t%xmm4,32(%rsi)\n\tpxor\t%xmm4,%xmm4\n\tjmp\tL$ecb_ret\n.p2align\t4\nL$ecb_dec_four:\n\tcall\t_aesni_decrypt4\n\tmovups\t%xmm2,(%rsi)\n\tpxor\t%xmm2,%xmm2\n\tmovups\t%xmm3,16(%rsi)\n\tpxor\t%xmm3,%xmm3\n\tmovups\t%xmm4,32(%rsi)\n\tpxor\t%xmm4,%xmm4\n\tmovups\t%xmm5,48(%rsi)\n\tpxor\t%xmm5,%xmm5\n\tjmp\tL$ecb_ret\n.p2align\t4\nL$ecb_dec_five:\n\txorps\t%xmm7,%xmm7\n\tcall\t_aesni_decrypt6\n\tmovups\t%xmm2,(%rsi)\n\tpxor\t%xmm2,%xmm2\n\tmovups\t%xmm3,16(%rsi)\n\tpxor\t%xmm3,%xmm3\n\tmovups\t%xmm4,32(%rsi)\n\tpxor\t%xmm4,%xmm4\n\tmovups\t%xmm5,48(%rsi)\n\tpxor\t%xmm5,%xmm5\n\tmovups\t%xmm6,64(%rsi)\n\tpxor\t%xmm6,%xmm6\n\tpxor\t%xmm7,%xmm7\n\tjmp\tL$ecb_ret\n.p2align\t4\nL$ecb_dec_six:\n\tcall\t_aesni_decrypt6\n\tmovups\t%xmm2,(%rsi)\n\tpxor\t%xmm2,%xmm2\n\tmovups\t%xmm3,16(%rsi)\n\tpxor\t%xmm3,%xmm3\n\tmovups\t%xmm4,32(%rsi)\n\tpxor\t%xmm4,%xmm4\n\tmovups\t%xmm5,48(%rsi)\n\tpxor\t%xmm5,%xmm5\n\tmovups\t%xmm6,64(%rsi)\n\tpxor\t%xmm6,%xmm6\n\tmovups\t%xmm7,80(%rsi)\n\tpxor\t%xmm7,%xmm7\n\nL$ecb_ret:\n\txorps\t%xmm0,%xmm0\n\tpxor\t%xmm1,%xmm1\n\tret\n\n\n.globl\t_aes_hw_ctr32_encrypt_blocks\n.private_extern _aes_hw_ctr32_encrypt_blocks\n\n.p2align\t4\n_aes_hw_ctr32_encrypt_blocks:\n\n_CET_ENDBR\n#ifdef BORINGSSL_DISPATCH_TEST\n\tmovb\t$1,_BORINGSSL_function_hit(%rip)\n#endif\n\tcmpq\t$1,%rdx\n\tjne\tL$ctr32_bulk\n\n\n\n\tmovups\t(%r8),%xmm2\n\tmovups\t(%rdi),%xmm3\n\tmovl\t240(%rcx),%edx\n\tmovups\t(%rcx),%xmm0\n\tmovups\t16(%rcx),%xmm1\n\tleaq\t32(%rcx),%rcx\n\txorps\t%xmm0,%xmm2\nL$oop_enc1_5:\n.byte\t102,15,56,220,209\n\tdecl\t%edx\n\tmovups\t(%rcx),%xmm1\n\tleaq\t16(%rcx),%rcx\n\tjnz\tL$oop_enc1_5\n.byte\t102,15,56,221,209\n\tpxor\t%xmm0,%xmm0\n\tpxor\t%xmm1,%xmm1\n\txorps\t%xmm3,%xmm2\n\tpxor\t%xmm3,%xmm3\n\tmovups\t%xmm2,(%rsi)\n\txorps\t%xmm2,%xmm2\n\tjmp\tL$ctr32_epilogue\n\n.p2align\t4\nL$ctr32_bulk:\n\tleaq\t(%rsp),%r11\n\n\tpushq\t%rbp\n\n\tsubq\t$128,%rsp\n\tandq\t$-16,%rsp\n\n\n\n\n\tmovdqu\t(%r8),%xmm2\n\tmovdqu\t(%rcx),%xmm0\n\tmovl\t12(%r8),%r8d\n\tpxor\t%xmm0,%xmm2\n\tmovl\t12(%rcx),%ebp\n\tmovdqa\t%xmm2,0(%rsp)\n\tbswapl\t%r8d\n\tmovdqa\t%xmm2,%xmm3\n\tmovdqa\t%xmm2,%xmm4\n\tmovdqa\t%xmm2,%xmm5\n\tmovdqa\t%xmm2,64(%rsp)\n\tmovdqa\t%xmm2,80(%rsp)\n\tmovdqa\t%xmm2,96(%rsp)\n\tmovq\t%rdx,%r10\n\tmovdqa\t%xmm2,112(%rsp)\n\n\tleaq\t1(%r8),%rax\n\tleaq\t2(%r8),%rdx\n\tbswapl\t%eax\n\tbswapl\t%edx\n\txorl\t%ebp,%eax\n\txorl\t%ebp,%edx\n.byte\t102,15,58,34,216,3\n\tleaq\t3(%r8),%rax\n\tmovdqa\t%xmm3,16(%rsp)\n.byte\t102,15,58,34,226,3\n\tbswapl\t%eax\n\tmovq\t%r10,%rdx\n\tleaq\t4(%r8),%r10\n\tmovdqa\t%xmm4,32(%rsp)\n\txorl\t%ebp,%eax\n\tbswapl\t%r10d\n.byte\t102,15,58,34,232,3\n\txorl\t%ebp,%r10d\n\tmovdqa\t%xmm5,48(%rsp)\n\tleaq\t5(%r8),%r9\n\tmovl\t%r10d,64+12(%rsp)\n\tbswapl\t%r9d\n\tleaq\t6(%r8),%r10\n\tmovl\t240(%rcx),%eax\n\txorl\t%ebp,%r9d\n\tbswapl\t%r10d\n\tmovl\t%r9d,80+12(%rsp)\n\txorl\t%ebp,%r10d\n\tleaq\t7(%r8),%r9\n\tmovl\t%r10d,96+12(%rsp)\n\tbswapl\t%r9d\n\txorl\t%ebp,%r9d\n\tmovl\t%r9d,112+12(%rsp)\n\n\tmovups\t16(%rcx),%xmm1\n\n\tmovdqa\t64(%rsp),%xmm6\n\tmovdqa\t80(%rsp),%xmm7\n\n\tcmpq\t$8,%rdx\n\tjb\tL$ctr32_tail\n\n\tleaq\t128(%rcx),%rcx\n\tsubq\t$8,%rdx\n\tjmp\tL$ctr32_loop8\n\n.p2align\t5\nL$ctr32_loop8:\n\taddl\t$8,%r8d\n\tmovdqa\t96(%rsp),%xmm8\n.byte\t102,15,56,220,209\n\tmovl\t%r8d,%r9d\n\tmovdqa\t112(%rsp),%xmm9\n.byte\t102,15,56,220,217\n\tbswapl\t%r9d\n\tmovups\t32-128(%rcx),%xmm0\n.byte\t102,15,56,220,225\n\txorl\t%ebp,%r9d\n\tnop\n.byte\t102,15,56,220,233\n\tmovl\t%r9d,0+12(%rsp)\n\tleaq\t1(%r8),%r9\n.byte\t102,15,56,220,241\n.byte\t102,15,56,220,249\n.byte\t102,68,15,56,220,193\n.byte\t102,68,15,56,220,201\n\tmovups\t48-128(%rcx),%xmm1\n\tbswapl\t%r9d\n.byte\t102,15,56,220,208\n.byte\t102,15,56,220,216\n\txorl\t%ebp,%r9d\n.byte\t0x66,0x90\n.byte\t102,15,56,220,224\n.byte\t102,15,56,220,232\n\tmovl\t%r9d,16+12(%rsp)\n\tleaq\t2(%r8),%r9\n.byte\t102,15,56,220,240\n.byte\t102,15,56,220,248\n.byte\t102,68,15,56,220,192\n.byte\t102,68,15,56,220,200\n\tmovups\t64-128(%rcx),%xmm0\n\tbswapl\t%r9d\n.byte\t102,15,56,220,209\n.byte\t102,15,56,220,217\n\txorl\t%ebp,%r9d\n.byte\t0x66,0x90\n.byte\t102,15,56,220,225\n.byte\t102,15,56,220,233\n\tmovl\t%r9d,32+12(%rsp)\n\tleaq\t3(%r8),%r9\n.byte\t102,15,56,220,241\n.byte\t102,15,56,220,249\n.byte\t102,68,15,56,220,193\n.byte\t102,68,15,56,220,201\n\tmovups\t80-128(%rcx),%xmm1\n\tbswapl\t%r9d\n.byte\t102,15,56,220,208\n.byte\t102,15,56,220,216\n\txorl\t%ebp,%r9d\n.byte\t0x66,0x90\n.byte\t102,15,56,220,224\n.byte\t102,15,56,220,232\n\tmovl\t%r9d,48+12(%rsp)\n\tleaq\t4(%r8),%r9\n.byte\t102,15,56,220,240\n.byte\t102,15,56,220,248\n.byte\t102,68,15,56,220,192\n.byte\t102,68,15,56,220,200\n\tmovups\t96-128(%rcx),%xmm0\n\tbswapl\t%r9d\n.byte\t102,15,56,220,209\n.byte\t102,15,56,220,217\n\txorl\t%ebp,%r9d\n.byte\t0x66,0x90\n.byte\t102,15,56,220,225\n.byte\t102,15,56,220,233\n\tmovl\t%r9d,64+12(%rsp)\n\tleaq\t5(%r8),%r9\n.byte\t102,15,56,220,241\n.byte\t102,15,56,220,249\n.byte\t102,68,15,56,220,193\n.byte\t102,68,15,56,220,201\n\tmovups\t112-128(%rcx),%xmm1\n\tbswapl\t%r9d\n.byte\t102,15,56,220,208\n.byte\t102,15,56,220,216\n\txorl\t%ebp,%r9d\n.byte\t0x66,0x90\n.byte\t102,15,56,220,224\n.byte\t102,15,56,220,232\n\tmovl\t%r9d,80+12(%rsp)\n\tleaq\t6(%r8),%r9\n.byte\t102,15,56,220,240\n.byte\t102,15,56,220,248\n.byte\t102,68,15,56,220,192\n.byte\t102,68,15,56,220,200\n\tmovups\t128-128(%rcx),%xmm0\n\tbswapl\t%r9d\n.byte\t102,15,56,220,209\n.byte\t102,15,56,220,217\n\txorl\t%ebp,%r9d\n.byte\t0x66,0x90\n.byte\t102,15,56,220,225\n.byte\t102,15,56,220,233\n\tmovl\t%r9d,96+12(%rsp)\n\tleaq\t7(%r8),%r9\n.byte\t102,15,56,220,241\n.byte\t102,15,56,220,249\n.byte\t102,68,15,56,220,193\n.byte\t102,68,15,56,220,201\n\tmovups\t144-128(%rcx),%xmm1\n\tbswapl\t%r9d\n.byte\t102,15,56,220,208\n.byte\t102,15,56,220,216\n.byte\t102,15,56,220,224\n\txorl\t%ebp,%r9d\n\tmovdqu\t0(%rdi),%xmm10\n.byte\t102,15,56,220,232\n\tmovl\t%r9d,112+12(%rsp)\n\tcmpl\t$11,%eax\n.byte\t102,15,56,220,240\n.byte\t102,15,56,220,248\n.byte\t102,68,15,56,220,192\n.byte\t102,68,15,56,220,200\n\tmovups\t160-128(%rcx),%xmm0\n\n\tjb\tL$ctr32_enc_done\n\n.byte\t102,15,56,220,209\n.byte\t102,15,56,220,217\n.byte\t102,15,56,220,225\n.byte\t102,15,56,220,233\n.byte\t102,15,56,220,241\n.byte\t102,15,56,220,249\n.byte\t102,68,15,56,220,193\n.byte\t102,68,15,56,220,201\n\tmovups\t176-128(%rcx),%xmm1\n\n.byte\t102,15,56,220,208\n.byte\t102,15,56,220,216\n.byte\t102,15,56,220,224\n.byte\t102,15,56,220,232\n.byte\t102,15,56,220,240\n.byte\t102,15,56,220,248\n.byte\t102,68,15,56,220,192\n.byte\t102,68,15,56,220,200\n\tmovups\t192-128(%rcx),%xmm0\n\tje\tL$ctr32_enc_done\n\n.byte\t102,15,56,220,209\n.byte\t102,15,56,220,217\n.byte\t102,15,56,220,225\n.byte\t102,15,56,220,233\n.byte\t102,15,56,220,241\n.byte\t102,15,56,220,249\n.byte\t102,68,15,56,220,193\n.byte\t102,68,15,56,220,201\n\tmovups\t208-128(%rcx),%xmm1\n\n.byte\t102,15,56,220,208\n.byte\t102,15,56,220,216\n.byte\t102,15,56,220,224\n.byte\t102,15,56,220,232\n.byte\t102,15,56,220,240\n.byte\t102,15,56,220,248\n.byte\t102,68,15,56,220,192\n.byte\t102,68,15,56,220,200\n\tmovups\t224-128(%rcx),%xmm0\n\tjmp\tL$ctr32_enc_done\n\n.p2align\t4\nL$ctr32_enc_done:\n\tmovdqu\t16(%rdi),%xmm11\n\tpxor\t%xmm0,%xmm10\n\tmovdqu\t32(%rdi),%xmm12\n\tpxor\t%xmm0,%xmm11\n\tmovdqu\t48(%rdi),%xmm13\n\tpxor\t%xmm0,%xmm12\n\tmovdqu\t64(%rdi),%xmm14\n\tpxor\t%xmm0,%xmm13\n\tmovdqu\t80(%rdi),%xmm15\n\tpxor\t%xmm0,%xmm14\n\tprefetcht0\t448(%rdi)\n\tprefetcht0\t512(%rdi)\n\tpxor\t%xmm0,%xmm15\n.byte\t102,15,56,220,209\n.byte\t102,15,56,220,217\n.byte\t102,15,56,220,225\n.byte\t102,15,56,220,233\n.byte\t102,15,56,220,241\n.byte\t102,15,56,220,249\n.byte\t102,68,15,56,220,193\n.byte\t102,68,15,56,220,201\n\tmovdqu\t96(%rdi),%xmm1\n\tleaq\t128(%rdi),%rdi\n\n.byte\t102,65,15,56,221,210\n\tpxor\t%xmm0,%xmm1\n\tmovdqu\t112-128(%rdi),%xmm10\n.byte\t102,65,15,56,221,219\n\tpxor\t%xmm0,%xmm10\n\tmovdqa\t0(%rsp),%xmm11\n.byte\t102,65,15,56,221,228\n.byte\t102,65,15,56,221,237\n\tmovdqa\t16(%rsp),%xmm12\n\tmovdqa\t32(%rsp),%xmm13\n.byte\t102,65,15,56,221,246\n.byte\t102,65,15,56,221,255\n\tmovdqa\t48(%rsp),%xmm14\n\tmovdqa\t64(%rsp),%xmm15\n.byte\t102,68,15,56,221,193\n\tmovdqa\t80(%rsp),%xmm0\n\tmovups\t16-128(%rcx),%xmm1\n.byte\t102,69,15,56,221,202\n\n\tmovups\t%xmm2,(%rsi)\n\tmovdqa\t%xmm11,%xmm2\n\tmovups\t%xmm3,16(%rsi)\n\tmovdqa\t%xmm12,%xmm3\n\tmovups\t%xmm4,32(%rsi)\n\tmovdqa\t%xmm13,%xmm4\n\tmovups\t%xmm5,48(%rsi)\n\tmovdqa\t%xmm14,%xmm5\n\tmovups\t%xmm6,64(%rsi)\n\tmovdqa\t%xmm15,%xmm6\n\tmovups\t%xmm7,80(%rsi)\n\tmovdqa\t%xmm0,%xmm7\n\tmovups\t%xmm8,96(%rsi)\n\tmovups\t%xmm9,112(%rsi)\n\tleaq\t128(%rsi),%rsi\n\n\tsubq\t$8,%rdx\n\tjnc\tL$ctr32_loop8\n\n\taddq\t$8,%rdx\n\tjz\tL$ctr32_done\n\tleaq\t-128(%rcx),%rcx\n\nL$ctr32_tail:\n\n\n\tleaq\t16(%rcx),%rcx\n\tcmpq\t$4,%rdx\n\tjb\tL$ctr32_loop3\n\tje\tL$ctr32_loop4\n\n\n\tshll\t$4,%eax\n\tmovdqa\t96(%rsp),%xmm8\n\tpxor\t%xmm9,%xmm9\n\n\tmovups\t16(%rcx),%xmm0\n.byte\t102,15,56,220,209\n.byte\t102,15,56,220,217\n\tleaq\t32-16(%rcx,%rax,1),%rcx\n\tnegq\t%rax\n.byte\t102,15,56,220,225\n\taddq\t$16,%rax\n\tmovups\t(%rdi),%xmm10\n.byte\t102,15,56,220,233\n.byte\t102,15,56,220,241\n\tmovups\t16(%rdi),%xmm11\n\tmovups\t32(%rdi),%xmm12\n.byte\t102,15,56,220,249\n.byte\t102,68,15,56,220,193\n\n\tcall\tL$enc_loop8_enter\n\n\tmovdqu\t48(%rdi),%xmm13\n\tpxor\t%xmm10,%xmm2\n\tmovdqu\t64(%rdi),%xmm10\n\tpxor\t%xmm11,%xmm3\n\tmovdqu\t%xmm2,(%rsi)\n\tpxor\t%xmm12,%xmm4\n\tmovdqu\t%xmm3,16(%rsi)\n\tpxor\t%xmm13,%xmm5\n\tmovdqu\t%xmm4,32(%rsi)\n\tpxor\t%xmm10,%xmm6\n\tmovdqu\t%xmm5,48(%rsi)\n\tmovdqu\t%xmm6,64(%rsi)\n\tcmpq\t$6,%rdx\n\tjb\tL$ctr32_done\n\n\tmovups\t80(%rdi),%xmm11\n\txorps\t%xmm11,%xmm7\n\tmovups\t%xmm7,80(%rsi)\n\tje\tL$ctr32_done\n\n\tmovups\t96(%rdi),%xmm12\n\txorps\t%xmm12,%xmm8\n\tmovups\t%xmm8,96(%rsi)\n\tjmp\tL$ctr32_done\n\n.p2align\t5\nL$ctr32_loop4:\n.byte\t102,15,56,220,209\n\tleaq\t16(%rcx),%rcx\n\tdecl\t%eax\n.byte\t102,15,56,220,217\n.byte\t102,15,56,220,225\n.byte\t102,15,56,220,233\n\tmovups\t(%rcx),%xmm1\n\tjnz\tL$ctr32_loop4\n.byte\t102,15,56,221,209\n.byte\t102,15,56,221,217\n\tmovups\t(%rdi),%xmm10\n\tmovups\t16(%rdi),%xmm11\n.byte\t102,15,56,221,225\n.byte\t102,15,56,221,233\n\tmovups\t32(%rdi),%xmm12\n\tmovups\t48(%rdi),%xmm13\n\n\txorps\t%xmm10,%xmm2\n\tmovups\t%xmm2,(%rsi)\n\txorps\t%xmm11,%xmm3\n\tmovups\t%xmm3,16(%rsi)\n\tpxor\t%xmm12,%xmm4\n\tmovdqu\t%xmm4,32(%rsi)\n\tpxor\t%xmm13,%xmm5\n\tmovdqu\t%xmm5,48(%rsi)\n\tjmp\tL$ctr32_done\n\n.p2align\t5\nL$ctr32_loop3:\n.byte\t102,15,56,220,209\n\tleaq\t16(%rcx),%rcx\n\tdecl\t%eax\n.byte\t102,15,56,220,217\n.byte\t102,15,56,220,225\n\tmovups\t(%rcx),%xmm1\n\tjnz\tL$ctr32_loop3\n.byte\t102,15,56,221,209\n.byte\t102,15,56,221,217\n.byte\t102,15,56,221,225\n\n\tmovups\t(%rdi),%xmm10\n\txorps\t%xmm10,%xmm2\n\tmovups\t%xmm2,(%rsi)\n\tcmpq\t$2,%rdx\n\tjb\tL$ctr32_done\n\n\tmovups\t16(%rdi),%xmm11\n\txorps\t%xmm11,%xmm3\n\tmovups\t%xmm3,16(%rsi)\n\tje\tL$ctr32_done\n\n\tmovups\t32(%rdi),%xmm12\n\txorps\t%xmm12,%xmm4\n\tmovups\t%xmm4,32(%rsi)\n\nL$ctr32_done:\n\txorps\t%xmm0,%xmm0\n\txorl\t%ebp,%ebp\n\tpxor\t%xmm1,%xmm1\n\tpxor\t%xmm2,%xmm2\n\tpxor\t%xmm3,%xmm3\n\tpxor\t%xmm4,%xmm4\n\tpxor\t%xmm5,%xmm5\n\tpxor\t%xmm6,%xmm6\n\tpxor\t%xmm7,%xmm7\n\tmovaps\t%xmm0,0(%rsp)\n\tpxor\t%xmm8,%xmm8\n\tmovaps\t%xmm0,16(%rsp)\n\tpxor\t%xmm9,%xmm9\n\tmovaps\t%xmm0,32(%rsp)\n\tpxor\t%xmm10,%xmm10\n\tmovaps\t%xmm0,48(%rsp)\n\tpxor\t%xmm11,%xmm11\n\tmovaps\t%xmm0,64(%rsp)\n\tpxor\t%xmm12,%xmm12\n\tmovaps\t%xmm0,80(%rsp)\n\tpxor\t%xmm13,%xmm13\n\tmovaps\t%xmm0,96(%rsp)\n\tpxor\t%xmm14,%xmm14\n\tmovaps\t%xmm0,112(%rsp)\n\tpxor\t%xmm15,%xmm15\n\tmovq\t-8(%r11),%rbp\n\n\tleaq\t(%r11),%rsp\n\nL$ctr32_epilogue:\n\tret\n\n\n.globl\t_aes_hw_cbc_encrypt\n.private_extern _aes_hw_cbc_encrypt\n\n.p2align\t4\n_aes_hw_cbc_encrypt:\n\n_CET_ENDBR\n\ttestq\t%rdx,%rdx\n\tjz\tL$cbc_ret\n\n\tmovl\t240(%rcx),%r10d\n\tmovq\t%rcx,%r11\n\ttestl\t%r9d,%r9d\n\tjz\tL$cbc_decrypt\n\n\tmovups\t(%r8),%xmm2\n\tmovl\t%r10d,%eax\n\tcmpq\t$16,%rdx\n\tjb\tL$cbc_enc_tail\n\tsubq\t$16,%rdx\n\tjmp\tL$cbc_enc_loop\n.p2align\t4\nL$cbc_enc_loop:\n\tmovups\t(%rdi),%xmm3\n\tleaq\t16(%rdi),%rdi\n\n\tmovups\t(%rcx),%xmm0\n\tmovups\t16(%rcx),%xmm1\n\txorps\t%xmm0,%xmm3\n\tleaq\t32(%rcx),%rcx\n\txorps\t%xmm3,%xmm2\nL$oop_enc1_6:\n.byte\t102,15,56,220,209\n\tdecl\t%eax\n\tmovups\t(%rcx),%xmm1\n\tleaq\t16(%rcx),%rcx\n\tjnz\tL$oop_enc1_6\n.byte\t102,15,56,221,209\n\tmovl\t%r10d,%eax\n\tmovq\t%r11,%rcx\n\tmovups\t%xmm2,0(%rsi)\n\tleaq\t16(%rsi),%rsi\n\tsubq\t$16,%rdx\n\tjnc\tL$cbc_enc_loop\n\taddq\t$16,%rdx\n\tjnz\tL$cbc_enc_tail\n\tpxor\t%xmm0,%xmm0\n\tpxor\t%xmm1,%xmm1\n\tmovups\t%xmm2,(%r8)\n\tpxor\t%xmm2,%xmm2\n\tpxor\t%xmm3,%xmm3\n\tjmp\tL$cbc_ret\n\nL$cbc_enc_tail:\n\tmovq\t%rdx,%rcx\n\txchgq\t%rdi,%rsi\n.long\t0x9066A4F3\n\tmovl\t$16,%ecx\n\tsubq\t%rdx,%rcx\n\txorl\t%eax,%eax\n.long\t0x9066AAF3\n\tleaq\t-16(%rdi),%rdi\n\tmovl\t%r10d,%eax\n\tmovq\t%rdi,%rsi\n\tmovq\t%r11,%rcx\n\txorq\t%rdx,%rdx\n\tjmp\tL$cbc_enc_loop\n\n.p2align\t4\nL$cbc_decrypt:\n\tcmpq\t$16,%rdx\n\tjne\tL$cbc_decrypt_bulk\n\n\n\n\tmovdqu\t(%rdi),%xmm2\n\tmovdqu\t(%r8),%xmm3\n\tmovdqa\t%xmm2,%xmm4\n\tmovups\t(%rcx),%xmm0\n\tmovups\t16(%rcx),%xmm1\n\tleaq\t32(%rcx),%rcx\n\txorps\t%xmm0,%xmm2\nL$oop_dec1_7:\n.byte\t102,15,56,222,209\n\tdecl\t%r10d\n\tmovups\t(%rcx),%xmm1\n\tleaq\t16(%rcx),%rcx\n\tjnz\tL$oop_dec1_7\n.byte\t102,15,56,223,209\n\tpxor\t%xmm0,%xmm0\n\tpxor\t%xmm1,%xmm1\n\tmovdqu\t%xmm4,(%r8)\n\txorps\t%xmm3,%xmm2\n\tpxor\t%xmm3,%xmm3\n\tmovups\t%xmm2,(%rsi)\n\tpxor\t%xmm2,%xmm2\n\tjmp\tL$cbc_ret\n.p2align\t4\nL$cbc_decrypt_bulk:\n\tleaq\t(%rsp),%r11\n\n\tpushq\t%rbp\n\n\tsubq\t$16,%rsp\n\tandq\t$-16,%rsp\n\tmovq\t%rcx,%rbp\n\tmovups\t(%r8),%xmm10\n\tmovl\t%r10d,%eax\n\tcmpq\t$0x50,%rdx\n\tjbe\tL$cbc_dec_tail\n\n\tmovups\t(%rcx),%xmm0\n\tmovdqu\t0(%rdi),%xmm2\n\tmovdqu\t16(%rdi),%xmm3\n\tmovdqa\t%xmm2,%xmm11\n\tmovdqu\t32(%rdi),%xmm4\n\tmovdqa\t%xmm3,%xmm12\n\tmovdqu\t48(%rdi),%xmm5\n\tmovdqa\t%xmm4,%xmm13\n\tmovdqu\t64(%rdi),%xmm6\n\tmovdqa\t%xmm5,%xmm14\n\tmovdqu\t80(%rdi),%xmm7\n\tmovdqa\t%xmm6,%xmm15\n\tcmpq\t$0x70,%rdx\n\tjbe\tL$cbc_dec_six_or_seven\n\n\tsubq\t$0x70,%rdx\n\tleaq\t112(%rcx),%rcx\n\tjmp\tL$cbc_dec_loop8_enter\n.p2align\t4\nL$cbc_dec_loop8:\n\tmovups\t%xmm9,(%rsi)\n\tleaq\t16(%rsi),%rsi\nL$cbc_dec_loop8_enter:\n\tmovdqu\t96(%rdi),%xmm8\n\tpxor\t%xmm0,%xmm2\n\tmovdqu\t112(%rdi),%xmm9\n\tpxor\t%xmm0,%xmm3\n\tmovups\t16-112(%rcx),%xmm1\n\tpxor\t%xmm0,%xmm4\n\tmovq\t$-1,%rbp\n\tcmpq\t$0x70,%rdx\n\tpxor\t%xmm0,%xmm5\n\tpxor\t%xmm0,%xmm6\n\tpxor\t%xmm0,%xmm7\n\tpxor\t%xmm0,%xmm8\n\n.byte\t102,15,56,222,209\n\tpxor\t%xmm0,%xmm9\n\tmovups\t32-112(%rcx),%xmm0\n.byte\t102,15,56,222,217\n.byte\t102,15,56,222,225\n.byte\t102,15,56,222,233\n.byte\t102,15,56,222,241\n.byte\t102,15,56,222,249\n.byte\t102,68,15,56,222,193\n\tadcq\t$0,%rbp\n\tandq\t$128,%rbp\n.byte\t102,68,15,56,222,201\n\taddq\t%rdi,%rbp\n\tmovups\t48-112(%rcx),%xmm1\n.byte\t102,15,56,222,208\n.byte\t102,15,56,222,216\n.byte\t102,15,56,222,224\n.byte\t102,15,56,222,232\n.byte\t102,15,56,222,240\n.byte\t102,15,56,222,248\n.byte\t102,68,15,56,222,192\n.byte\t102,68,15,56,222,200\n\tmovups\t64-112(%rcx),%xmm0\n\tnop\n.byte\t102,15,56,222,209\n.byte\t102,15,56,222,217\n.byte\t102,15,56,222,225\n.byte\t102,15,56,222,233\n.byte\t102,15,56,222,241\n.byte\t102,15,56,222,249\n.byte\t102,68,15,56,222,193\n.byte\t102,68,15,56,222,201\n\tmovups\t80-112(%rcx),%xmm1\n\tnop\n.byte\t102,15,56,222,208\n.byte\t102,15,56,222,216\n.byte\t102,15,56,222,224\n.byte\t102,15,56,222,232\n.byte\t102,15,56,222,240\n.byte\t102,15,56,222,248\n.byte\t102,68,15,56,222,192\n.byte\t102,68,15,56,222,200\n\tmovups\t96-112(%rcx),%xmm0\n\tnop\n.byte\t102,15,56,222,209\n.byte\t102,15,56,222,217\n.byte\t102,15,56,222,225\n.byte\t102,15,56,222,233\n.byte\t102,15,56,222,241\n.byte\t102,15,56,222,249\n.byte\t102,68,15,56,222,193\n.byte\t102,68,15,56,222,201\n\tmovups\t112-112(%rcx),%xmm1\n\tnop\n.byte\t102,15,56,222,208\n.byte\t102,15,56,222,216\n.byte\t102,15,56,222,224\n.byte\t102,15,56,222,232\n.byte\t102,15,56,222,240\n.byte\t102,15,56,222,248\n.byte\t102,68,15,56,222,192\n.byte\t102,68,15,56,222,200\n\tmovups\t128-112(%rcx),%xmm0\n\tnop\n.byte\t102,15,56,222,209\n.byte\t102,15,56,222,217\n.byte\t102,15,56,222,225\n.byte\t102,15,56,222,233\n.byte\t102,15,56,222,241\n.byte\t102,15,56,222,249\n.byte\t102,68,15,56,222,193\n.byte\t102,68,15,56,222,201\n\tmovups\t144-112(%rcx),%xmm1\n\tcmpl\t$11,%eax\n.byte\t102,15,56,222,208\n.byte\t102,15,56,222,216\n.byte\t102,15,56,222,224\n.byte\t102,15,56,222,232\n.byte\t102,15,56,222,240\n.byte\t102,15,56,222,248\n.byte\t102,68,15,56,222,192\n.byte\t102,68,15,56,222,200\n\tmovups\t160-112(%rcx),%xmm0\n\tjb\tL$cbc_dec_done\n.byte\t102,15,56,222,209\n.byte\t102,15,56,222,217\n.byte\t102,15,56,222,225\n.byte\t102,15,56,222,233\n.byte\t102,15,56,222,241\n.byte\t102,15,56,222,249\n.byte\t102,68,15,56,222,193\n.byte\t102,68,15,56,222,201\n\tmovups\t176-112(%rcx),%xmm1\n\tnop\n.byte\t102,15,56,222,208\n.byte\t102,15,56,222,216\n.byte\t102,15,56,222,224\n.byte\t102,15,56,222,232\n.byte\t102,15,56,222,240\n.byte\t102,15,56,222,248\n.byte\t102,68,15,56,222,192\n.byte\t102,68,15,56,222,200\n\tmovups\t192-112(%rcx),%xmm0\n\tje\tL$cbc_dec_done\n.byte\t102,15,56,222,209\n.byte\t102,15,56,222,217\n.byte\t102,15,56,222,225\n.byte\t102,15,56,222,233\n.byte\t102,15,56,222,241\n.byte\t102,15,56,222,249\n.byte\t102,68,15,56,222,193\n.byte\t102,68,15,56,222,201\n\tmovups\t208-112(%rcx),%xmm1\n\tnop\n.byte\t102,15,56,222,208\n.byte\t102,15,56,222,216\n.byte\t102,15,56,222,224\n.byte\t102,15,56,222,232\n.byte\t102,15,56,222,240\n.byte\t102,15,56,222,248\n.byte\t102,68,15,56,222,192\n.byte\t102,68,15,56,222,200\n\tmovups\t224-112(%rcx),%xmm0\n\tjmp\tL$cbc_dec_done\n.p2align\t4\nL$cbc_dec_done:\n.byte\t102,15,56,222,209\n.byte\t102,15,56,222,217\n\tpxor\t%xmm0,%xmm10\n\tpxor\t%xmm0,%xmm11\n.byte\t102,15,56,222,225\n.byte\t102,15,56,222,233\n\tpxor\t%xmm0,%xmm12\n\tpxor\t%xmm0,%xmm13\n.byte\t102,15,56,222,241\n.byte\t102,15,56,222,249\n\tpxor\t%xmm0,%xmm14\n\tpxor\t%xmm0,%xmm15\n.byte\t102,68,15,56,222,193\n.byte\t102,68,15,56,222,201\n\tmovdqu\t80(%rdi),%xmm1\n\n.byte\t102,65,15,56,223,210\n\tmovdqu\t96(%rdi),%xmm10\n\tpxor\t%xmm0,%xmm1\n.byte\t102,65,15,56,223,219\n\tpxor\t%xmm0,%xmm10\n\tmovdqu\t112(%rdi),%xmm0\n.byte\t102,65,15,56,223,228\n\tleaq\t128(%rdi),%rdi\n\tmovdqu\t0(%rbp),%xmm11\n.byte\t102,65,15,56,223,237\n.byte\t102,65,15,56,223,246\n\tmovdqu\t16(%rbp),%xmm12\n\tmovdqu\t32(%rbp),%xmm13\n.byte\t102,65,15,56,223,255\n.byte\t102,68,15,56,223,193\n\tmovdqu\t48(%rbp),%xmm14\n\tmovdqu\t64(%rbp),%xmm15\n.byte\t102,69,15,56,223,202\n\tmovdqa\t%xmm0,%xmm10\n\tmovdqu\t80(%rbp),%xmm1\n\tmovups\t-112(%rcx),%xmm0\n\n\tmovups\t%xmm2,(%rsi)\n\tmovdqa\t%xmm11,%xmm2\n\tmovups\t%xmm3,16(%rsi)\n\tmovdqa\t%xmm12,%xmm3\n\tmovups\t%xmm4,32(%rsi)\n\tmovdqa\t%xmm13,%xmm4\n\tmovups\t%xmm5,48(%rsi)\n\tmovdqa\t%xmm14,%xmm5\n\tmovups\t%xmm6,64(%rsi)\n\tmovdqa\t%xmm15,%xmm6\n\tmovups\t%xmm7,80(%rsi)\n\tmovdqa\t%xmm1,%xmm7\n\tmovups\t%xmm8,96(%rsi)\n\tleaq\t112(%rsi),%rsi\n\n\tsubq\t$0x80,%rdx\n\tja\tL$cbc_dec_loop8\n\n\tmovaps\t%xmm9,%xmm2\n\tleaq\t-112(%rcx),%rcx\n\taddq\t$0x70,%rdx\n\tjle\tL$cbc_dec_clear_tail_collected\n\tmovups\t%xmm9,(%rsi)\n\tleaq\t16(%rsi),%rsi\n\tcmpq\t$0x50,%rdx\n\tjbe\tL$cbc_dec_tail\n\n\tmovaps\t%xmm11,%xmm2\nL$cbc_dec_six_or_seven:\n\tcmpq\t$0x60,%rdx\n\tja\tL$cbc_dec_seven\n\n\tmovaps\t%xmm7,%xmm8\n\tcall\t_aesni_decrypt6\n\tpxor\t%xmm10,%xmm2\n\tmovaps\t%xmm8,%xmm10\n\tpxor\t%xmm11,%xmm3\n\tmovdqu\t%xmm2,(%rsi)\n\tpxor\t%xmm12,%xmm4\n\tmovdqu\t%xmm3,16(%rsi)\n\tpxor\t%xmm3,%xmm3\n\tpxor\t%xmm13,%xmm5\n\tmovdqu\t%xmm4,32(%rsi)\n\tpxor\t%xmm4,%xmm4\n\tpxor\t%xmm14,%xmm6\n\tmovdqu\t%xmm5,48(%rsi)\n\tpxor\t%xmm5,%xmm5\n\tpxor\t%xmm15,%xmm7\n\tmovdqu\t%xmm6,64(%rsi)\n\tpxor\t%xmm6,%xmm6\n\tleaq\t80(%rsi),%rsi\n\tmovdqa\t%xmm7,%xmm2\n\tpxor\t%xmm7,%xmm7\n\tjmp\tL$cbc_dec_tail_collected\n\n.p2align\t4\nL$cbc_dec_seven:\n\tmovups\t96(%rdi),%xmm8\n\txorps\t%xmm9,%xmm9\n\tcall\t_aesni_decrypt8\n\tmovups\t80(%rdi),%xmm9\n\tpxor\t%xmm10,%xmm2\n\tmovups\t96(%rdi),%xmm10\n\tpxor\t%xmm11,%xmm3\n\tmovdqu\t%xmm2,(%rsi)\n\tpxor\t%xmm12,%xmm4\n\tmovdqu\t%xmm3,16(%rsi)\n\tpxor\t%xmm3,%xmm3\n\tpxor\t%xmm13,%xmm5\n\tmovdqu\t%xmm4,32(%rsi)\n\tpxor\t%xmm4,%xmm4\n\tpxor\t%xmm14,%xmm6\n\tmovdqu\t%xmm5,48(%rsi)\n\tpxor\t%xmm5,%xmm5\n\tpxor\t%xmm15,%xmm7\n\tmovdqu\t%xmm6,64(%rsi)\n\tpxor\t%xmm6,%xmm6\n\tpxor\t%xmm9,%xmm8\n\tmovdqu\t%xmm7,80(%rsi)\n\tpxor\t%xmm7,%xmm7\n\tleaq\t96(%rsi),%rsi\n\tmovdqa\t%xmm8,%xmm2\n\tpxor\t%xmm8,%xmm8\n\tpxor\t%xmm9,%xmm9\n\tjmp\tL$cbc_dec_tail_collected\n\nL$cbc_dec_tail:\n\tmovups\t(%rdi),%xmm2\n\tsubq\t$0x10,%rdx\n\tjbe\tL$cbc_dec_one\n\n\tmovups\t16(%rdi),%xmm3\n\tmovaps\t%xmm2,%xmm11\n\tsubq\t$0x10,%rdx\n\tjbe\tL$cbc_dec_two\n\n\tmovups\t32(%rdi),%xmm4\n\tmovaps\t%xmm3,%xmm12\n\tsubq\t$0x10,%rdx\n\tjbe\tL$cbc_dec_three\n\n\tmovups\t48(%rdi),%xmm5\n\tmovaps\t%xmm4,%xmm13\n\tsubq\t$0x10,%rdx\n\tjbe\tL$cbc_dec_four\n\n\tmovups\t64(%rdi),%xmm6\n\tmovaps\t%xmm5,%xmm14\n\tmovaps\t%xmm6,%xmm15\n\txorps\t%xmm7,%xmm7\n\tcall\t_aesni_decrypt6\n\tpxor\t%xmm10,%xmm2\n\tmovaps\t%xmm15,%xmm10\n\tpxor\t%xmm11,%xmm3\n\tmovdqu\t%xmm2,(%rsi)\n\tpxor\t%xmm12,%xmm4\n\tmovdqu\t%xmm3,16(%rsi)\n\tpxor\t%xmm3,%xmm3\n\tpxor\t%xmm13,%xmm5\n\tmovdqu\t%xmm4,32(%rsi)\n\tpxor\t%xmm4,%xmm4\n\tpxor\t%xmm14,%xmm6\n\tmovdqu\t%xmm5,48(%rsi)\n\tpxor\t%xmm5,%xmm5\n\tleaq\t64(%rsi),%rsi\n\tmovdqa\t%xmm6,%xmm2\n\tpxor\t%xmm6,%xmm6\n\tpxor\t%xmm7,%xmm7\n\tsubq\t$0x10,%rdx\n\tjmp\tL$cbc_dec_tail_collected\n\n.p2align\t4\nL$cbc_dec_one:\n\tmovaps\t%xmm2,%xmm11\n\tmovups\t(%rcx),%xmm0\n\tmovups\t16(%rcx),%xmm1\n\tleaq\t32(%rcx),%rcx\n\txorps\t%xmm0,%xmm2\nL$oop_dec1_8:\n.byte\t102,15,56,222,209\n\tdecl\t%eax\n\tmovups\t(%rcx),%xmm1\n\tleaq\t16(%rcx),%rcx\n\tjnz\tL$oop_dec1_8\n.byte\t102,15,56,223,209\n\txorps\t%xmm10,%xmm2\n\tmovaps\t%xmm11,%xmm10\n\tjmp\tL$cbc_dec_tail_collected\n.p2align\t4\nL$cbc_dec_two:\n\tmovaps\t%xmm3,%xmm12\n\tcall\t_aesni_decrypt2\n\tpxor\t%xmm10,%xmm2\n\tmovaps\t%xmm12,%xmm10\n\tpxor\t%xmm11,%xmm3\n\tmovdqu\t%xmm2,(%rsi)\n\tmovdqa\t%xmm3,%xmm2\n\tpxor\t%xmm3,%xmm3\n\tleaq\t16(%rsi),%rsi\n\tjmp\tL$cbc_dec_tail_collected\n.p2align\t4\nL$cbc_dec_three:\n\tmovaps\t%xmm4,%xmm13\n\tcall\t_aesni_decrypt3\n\tpxor\t%xmm10,%xmm2\n\tmovaps\t%xmm13,%xmm10\n\tpxor\t%xmm11,%xmm3\n\tmovdqu\t%xmm2,(%rsi)\n\tpxor\t%xmm12,%xmm4\n\tmovdqu\t%xmm3,16(%rsi)\n\tpxor\t%xmm3,%xmm3\n\tmovdqa\t%xmm4,%xmm2\n\tpxor\t%xmm4,%xmm4\n\tleaq\t32(%rsi),%rsi\n\tjmp\tL$cbc_dec_tail_collected\n.p2align\t4\nL$cbc_dec_four:\n\tmovaps\t%xmm5,%xmm14\n\tcall\t_aesni_decrypt4\n\tpxor\t%xmm10,%xmm2\n\tmovaps\t%xmm14,%xmm10\n\tpxor\t%xmm11,%xmm3\n\tmovdqu\t%xmm2,(%rsi)\n\tpxor\t%xmm12,%xmm4\n\tmovdqu\t%xmm3,16(%rsi)\n\tpxor\t%xmm3,%xmm3\n\tpxor\t%xmm13,%xmm5\n\tmovdqu\t%xmm4,32(%rsi)\n\tpxor\t%xmm4,%xmm4\n\tmovdqa\t%xmm5,%xmm2\n\tpxor\t%xmm5,%xmm5\n\tleaq\t48(%rsi),%rsi\n\tjmp\tL$cbc_dec_tail_collected\n\n.p2align\t4\nL$cbc_dec_clear_tail_collected:\n\tpxor\t%xmm3,%xmm3\n\tpxor\t%xmm4,%xmm4\n\tpxor\t%xmm5,%xmm5\n\tpxor\t%xmm6,%xmm6\n\tpxor\t%xmm7,%xmm7\n\tpxor\t%xmm8,%xmm8\n\tpxor\t%xmm9,%xmm9\nL$cbc_dec_tail_collected:\n\tmovups\t%xmm10,(%r8)\n\tandq\t$15,%rdx\n\tjnz\tL$cbc_dec_tail_partial\n\tmovups\t%xmm2,(%rsi)\n\tpxor\t%xmm2,%xmm2\n\tjmp\tL$cbc_dec_ret\n.p2align\t4\nL$cbc_dec_tail_partial:\n\tmovaps\t%xmm2,(%rsp)\n\tpxor\t%xmm2,%xmm2\n\tmovq\t$16,%rcx\n\tmovq\t%rsi,%rdi\n\tsubq\t%rdx,%rcx\n\tleaq\t(%rsp),%rsi\n.long\t0x9066A4F3\n\tmovdqa\t%xmm2,(%rsp)\n\nL$cbc_dec_ret:\n\txorps\t%xmm0,%xmm0\n\tpxor\t%xmm1,%xmm1\n\tmovq\t-8(%r11),%rbp\n\n\tleaq\t(%r11),%rsp\n\nL$cbc_ret:\n\tret\n\n\n.globl\t_aes_hw_encrypt_key_to_decrypt_key\n.private_extern _aes_hw_encrypt_key_to_decrypt_key\n\n.p2align\t4\n_aes_hw_encrypt_key_to_decrypt_key:\n\n_CET_ENDBR\n\n\tmovl\t240(%rdi),%esi\n\tshll\t$4,%esi\n\n\tleaq\t16(%rdi,%rsi,1),%rdx\n\n\tmovups\t(%rdi),%xmm0\n\tmovups\t(%rdx),%xmm1\n\tmovups\t%xmm0,(%rdx)\n\tmovups\t%xmm1,(%rdi)\n\tleaq\t16(%rdi),%rdi\n\tleaq\t-16(%rdx),%rdx\n\nL$dec_key_inverse:\n\tmovups\t(%rdi),%xmm0\n\tmovups\t(%rdx),%xmm1\n.byte\t102,15,56,219,192\n.byte\t102,15,56,219,201\n\tleaq\t16(%rdi),%rdi\n\tleaq\t-16(%rdx),%rdx\n\tmovups\t%xmm0,16(%rdx)\n\tmovups\t%xmm1,-16(%rdi)\n\tcmpq\t%rdi,%rdx\n\tja\tL$dec_key_inverse\n\n\tmovups\t(%rdi),%xmm0\n.byte\t102,15,56,219,192\n\tpxor\t%xmm1,%xmm1\n\tmovups\t%xmm0,(%rdx)\n\tpxor\t%xmm0,%xmm0\n\tret\n\n\n.globl\t_aes_hw_set_encrypt_key_base\n.private_extern _aes_hw_set_encrypt_key_base\n\n.p2align\t4\n_aes_hw_set_encrypt_key_base:\n\n\n_CET_ENDBR\n#ifdef BORINGSSL_DISPATCH_TEST\n\tmovb\t$1,_BORINGSSL_function_hit+3(%rip)\n#endif\n\tsubq\t$8,%rsp\n\n\n\n\tmovups\t(%rdi),%xmm0\n\txorps\t%xmm4,%xmm4\n\tleaq\t16(%rdx),%rax\n\tcmpl\t$256,%esi\n\tje\tL$14rounds\n\tcmpl\t$192,%esi\n\tje\tL$12rounds\n\tcmpl\t$128,%esi\n\tjne\tL$bad_keybits\n\nL$10rounds:\n\tmovl\t$9,%esi\n\n\tmovups\t%xmm0,(%rdx)\n.byte\t102,15,58,223,200,1\n\tcall\tL$key_expansion_128_cold\n.byte\t102,15,58,223,200,2\n\tcall\tL$key_expansion_128\n.byte\t102,15,58,223,200,4\n\tcall\tL$key_expansion_128\n.byte\t102,15,58,223,200,8\n\tcall\tL$key_expansion_128\n.byte\t102,15,58,223,200,16\n\tcall\tL$key_expansion_128\n.byte\t102,15,58,223,200,32\n\tcall\tL$key_expansion_128\n.byte\t102,15,58,223,200,64\n\tcall\tL$key_expansion_128\n.byte\t102,15,58,223,200,128\n\tcall\tL$key_expansion_128\n.byte\t102,15,58,223,200,27\n\tcall\tL$key_expansion_128\n.byte\t102,15,58,223,200,54\n\tcall\tL$key_expansion_128\n\tmovups\t%xmm0,(%rax)\n\tmovl\t%esi,80(%rax)\n\txorl\t%eax,%eax\n\tjmp\tL$enc_key_ret\n\n.p2align\t4\nL$12rounds:\n\tmovq\t16(%rdi),%xmm2\n\tmovl\t$11,%esi\n\n\tmovups\t%xmm0,(%rdx)\n.byte\t102,15,58,223,202,1\n\tcall\tL$key_expansion_192a_cold\n.byte\t102,15,58,223,202,2\n\tcall\tL$key_expansion_192b\n.byte\t102,15,58,223,202,4\n\tcall\tL$key_expansion_192a\n.byte\t102,15,58,223,202,8\n\tcall\tL$key_expansion_192b\n.byte\t102,15,58,223,202,16\n\tcall\tL$key_expansion_192a\n.byte\t102,15,58,223,202,32\n\tcall\tL$key_expansion_192b\n.byte\t102,15,58,223,202,64\n\tcall\tL$key_expansion_192a\n.byte\t102,15,58,223,202,128\n\tcall\tL$key_expansion_192b\n\tmovups\t%xmm0,(%rax)\n\tmovl\t%esi,48(%rax)\n\txorq\t%rax,%rax\n\tjmp\tL$enc_key_ret\n\n.p2align\t4\nL$14rounds:\n\tmovups\t16(%rdi),%xmm2\n\tmovl\t$13,%esi\n\tleaq\t16(%rax),%rax\n\n\tmovups\t%xmm0,(%rdx)\n\tmovups\t%xmm2,16(%rdx)\n.byte\t102,15,58,223,202,1\n\tcall\tL$key_expansion_256a_cold\n.byte\t102,15,58,223,200,1\n\tcall\tL$key_expansion_256b\n.byte\t102,15,58,223,202,2\n\tcall\tL$key_expansion_256a\n.byte\t102,15,58,223,200,2\n\tcall\tL$key_expansion_256b\n.byte\t102,15,58,223,202,4\n\tcall\tL$key_expansion_256a\n.byte\t102,15,58,223,200,4\n\tcall\tL$key_expansion_256b\n.byte\t102,15,58,223,202,8\n\tcall\tL$key_expansion_256a\n.byte\t102,15,58,223,200,8\n\tcall\tL$key_expansion_256b\n.byte\t102,15,58,223,202,16\n\tcall\tL$key_expansion_256a\n.byte\t102,15,58,223,200,16\n\tcall\tL$key_expansion_256b\n.byte\t102,15,58,223,202,32\n\tcall\tL$key_expansion_256a\n.byte\t102,15,58,223,200,32\n\tcall\tL$key_expansion_256b\n.byte\t102,15,58,223,202,64\n\tcall\tL$key_expansion_256a\n\tmovups\t%xmm0,(%rax)\n\tmovl\t%esi,16(%rax)\n\txorq\t%rax,%rax\n\tjmp\tL$enc_key_ret\n\n.p2align\t4\nL$bad_keybits:\n\tmovq\t$-2,%rax\nL$enc_key_ret:\n\tpxor\t%xmm0,%xmm0\n\tpxor\t%xmm1,%xmm1\n\tpxor\t%xmm2,%xmm2\n\tpxor\t%xmm3,%xmm3\n\tpxor\t%xmm4,%xmm4\n\tpxor\t%xmm5,%xmm5\n\taddq\t$8,%rsp\n\n\tret\n\n\n\n.p2align\t4\nL$key_expansion_128:\n\n\tmovups\t%xmm0,(%rax)\n\tleaq\t16(%rax),%rax\nL$key_expansion_128_cold:\n\tshufps\t$16,%xmm0,%xmm4\n\txorps\t%xmm4,%xmm0\n\tshufps\t$140,%xmm0,%xmm4\n\txorps\t%xmm4,%xmm0\n\tshufps\t$255,%xmm1,%xmm1\n\txorps\t%xmm1,%xmm0\n\tret\n\n\n.p2align\t4\nL$key_expansion_192a:\n\n\tmovups\t%xmm0,(%rax)\n\tleaq\t16(%rax),%rax\nL$key_expansion_192a_cold:\n\tmovaps\t%xmm2,%xmm5\nL$key_expansion_192b_warm:\n\tshufps\t$16,%xmm0,%xmm4\n\tmovdqa\t%xmm2,%xmm3\n\txorps\t%xmm4,%xmm0\n\tshufps\t$140,%xmm0,%xmm4\n\tpslldq\t$4,%xmm3\n\txorps\t%xmm4,%xmm0\n\tpshufd\t$85,%xmm1,%xmm1\n\tpxor\t%xmm3,%xmm2\n\tpxor\t%xmm1,%xmm0\n\tpshufd\t$255,%xmm0,%xmm3\n\tpxor\t%xmm3,%xmm2\n\tret\n\n\n.p2align\t4\nL$key_expansion_192b:\n\n\tmovaps\t%xmm0,%xmm3\n\tshufps\t$68,%xmm0,%xmm5\n\tmovups\t%xmm5,(%rax)\n\tshufps\t$78,%xmm2,%xmm3\n\tmovups\t%xmm3,16(%rax)\n\tleaq\t32(%rax),%rax\n\tjmp\tL$key_expansion_192b_warm\n\n\n.p2align\t4\nL$key_expansion_256a:\n\n\tmovups\t%xmm2,(%rax)\n\tleaq\t16(%rax),%rax\nL$key_expansion_256a_cold:\n\tshufps\t$16,%xmm0,%xmm4\n\txorps\t%xmm4,%xmm0\n\tshufps\t$140,%xmm0,%xmm4\n\txorps\t%xmm4,%xmm0\n\tshufps\t$255,%xmm1,%xmm1\n\txorps\t%xmm1,%xmm0\n\tret\n\n\n.p2align\t4\nL$key_expansion_256b:\n\n\tmovups\t%xmm0,(%rax)\n\tleaq\t16(%rax),%rax\n\n\tshufps\t$16,%xmm2,%xmm4\n\txorps\t%xmm4,%xmm2\n\tshufps\t$140,%xmm2,%xmm4\n\txorps\t%xmm4,%xmm2\n\tshufps\t$170,%xmm1,%xmm1\n\txorps\t%xmm1,%xmm2\n\tret\n\n\n\n.globl\t_aes_hw_set_encrypt_key_alt\n.private_extern _aes_hw_set_encrypt_key_alt\n\n.p2align\t4\n_aes_hw_set_encrypt_key_alt:\n\n\n_CET_ENDBR\n#ifdef BORINGSSL_DISPATCH_TEST\n\tmovb\t$1,_BORINGSSL_function_hit+3(%rip)\n#endif\n\tsubq\t$8,%rsp\n\n\n\n\tmovups\t(%rdi),%xmm0\n\txorps\t%xmm4,%xmm4\n\tleaq\t16(%rdx),%rax\n\tcmpl\t$256,%esi\n\tje\tL$14rounds_alt\n\tcmpl\t$192,%esi\n\tje\tL$12rounds_alt\n\tcmpl\t$128,%esi\n\tjne\tL$bad_keybits_alt\n\n\tmovl\t$9,%esi\n\tmovdqa\tL$key_rotate(%rip),%xmm5\n\tmovl\t$8,%r10d\n\tmovdqa\tL$key_rcon1(%rip),%xmm4\n\tmovdqa\t%xmm0,%xmm2\n\tmovdqu\t%xmm0,(%rdx)\n\tjmp\tL$oop_key128\n\n.p2align\t4\nL$oop_key128:\n.byte\t102,15,56,0,197\n.byte\t102,15,56,221,196\n\tpslld\t$1,%xmm4\n\tleaq\t16(%rax),%rax\n\n\tmovdqa\t%xmm2,%xmm3\n\tpslldq\t$4,%xmm2\n\tpxor\t%xmm2,%xmm3\n\tpslldq\t$4,%xmm2\n\tpxor\t%xmm2,%xmm3\n\tpslldq\t$4,%xmm2\n\tpxor\t%xmm3,%xmm2\n\n\tpxor\t%xmm2,%xmm0\n\tmovdqu\t%xmm0,-16(%rax)\n\tmovdqa\t%xmm0,%xmm2\n\n\tdecl\t%r10d\n\tjnz\tL$oop_key128\n\n\tmovdqa\tL$key_rcon1b(%rip),%xmm4\n\n.byte\t102,15,56,0,197\n.byte\t102,15,56,221,196\n\tpslld\t$1,%xmm4\n\n\tmovdqa\t%xmm2,%xmm3\n\tpslldq\t$4,%xmm2\n\tpxor\t%xmm2,%xmm3\n\tpslldq\t$4,%xmm2\n\tpxor\t%xmm2,%xmm3\n\tpslldq\t$4,%xmm2\n\tpxor\t%xmm3,%xmm2\n\n\tpxor\t%xmm2,%xmm0\n\tmovdqu\t%xmm0,(%rax)\n\n\tmovdqa\t%xmm0,%xmm2\n.byte\t102,15,56,0,197\n.byte\t102,15,56,221,196\n\n\tmovdqa\t%xmm2,%xmm3\n\tpslldq\t$4,%xmm2\n\tpxor\t%xmm2,%xmm3\n\tpslldq\t$4,%xmm2\n\tpxor\t%xmm2,%xmm3\n\tpslldq\t$4,%xmm2\n\tpxor\t%xmm3,%xmm2\n\n\tpxor\t%xmm2,%xmm0\n\tmovdqu\t%xmm0,16(%rax)\n\n\tmovl\t%esi,96(%rax)\n\txorl\t%eax,%eax\n\tjmp\tL$enc_key_ret_alt\n\n.p2align\t4\nL$12rounds_alt:\n\tmovq\t16(%rdi),%xmm2\n\tmovl\t$11,%esi\n\tmovdqa\tL$key_rotate192(%rip),%xmm5\n\tmovdqa\tL$key_rcon1(%rip),%xmm4\n\tmovl\t$8,%r10d\n\tmovdqu\t%xmm0,(%rdx)\n\tjmp\tL$oop_key192\n\n.p2align\t4\nL$oop_key192:\n\tmovq\t%xmm2,0(%rax)\n\tmovdqa\t%xmm2,%xmm1\n.byte\t102,15,56,0,213\n.byte\t102,15,56,221,212\n\tpslld\t$1,%xmm4\n\tleaq\t24(%rax),%rax\n\n\tmovdqa\t%xmm0,%xmm3\n\tpslldq\t$4,%xmm0\n\tpxor\t%xmm0,%xmm3\n\tpslldq\t$4,%xmm0\n\tpxor\t%xmm0,%xmm3\n\tpslldq\t$4,%xmm0\n\tpxor\t%xmm3,%xmm0\n\n\tpshufd\t$0xff,%xmm0,%xmm3\n\tpxor\t%xmm1,%xmm3\n\tpslldq\t$4,%xmm1\n\tpxor\t%xmm1,%xmm3\n\n\tpxor\t%xmm2,%xmm0\n\tpxor\t%xmm3,%xmm2\n\tmovdqu\t%xmm0,-16(%rax)\n\n\tdecl\t%r10d\n\tjnz\tL$oop_key192\n\n\tmovl\t%esi,32(%rax)\n\txorl\t%eax,%eax\n\tjmp\tL$enc_key_ret_alt\n\n.p2align\t4\nL$14rounds_alt:\n\tmovups\t16(%rdi),%xmm2\n\tmovl\t$13,%esi\n\tleaq\t16(%rax),%rax\n\tmovdqa\tL$key_rotate(%rip),%xmm5\n\tmovdqa\tL$key_rcon1(%rip),%xmm4\n\tmovl\t$7,%r10d\n\tmovdqu\t%xmm0,0(%rdx)\n\tmovdqa\t%xmm2,%xmm1\n\tmovdqu\t%xmm2,16(%rdx)\n\tjmp\tL$oop_key256\n\n.p2align\t4\nL$oop_key256:\n.byte\t102,15,56,0,213\n.byte\t102,15,56,221,212\n\n\tmovdqa\t%xmm0,%xmm3\n\tpslldq\t$4,%xmm0\n\tpxor\t%xmm0,%xmm3\n\tpslldq\t$4,%xmm0\n\tpxor\t%xmm0,%xmm3\n\tpslldq\t$4,%xmm0\n\tpxor\t%xmm3,%xmm0\n\tpslld\t$1,%xmm4\n\n\tpxor\t%xmm2,%xmm0\n\tmovdqu\t%xmm0,(%rax)\n\n\tdecl\t%r10d\n\tjz\tL$done_key256\n\n\tpshufd\t$0xff,%xmm0,%xmm2\n\tpxor\t%xmm3,%xmm3\n.byte\t102,15,56,221,211\n\n\tmovdqa\t%xmm1,%xmm3\n\tpslldq\t$4,%xmm1\n\tpxor\t%xmm1,%xmm3\n\tpslldq\t$4,%xmm1\n\tpxor\t%xmm1,%xmm3\n\tpslldq\t$4,%xmm1\n\tpxor\t%xmm3,%xmm1\n\n\tpxor\t%xmm1,%xmm2\n\tmovdqu\t%xmm2,16(%rax)\n\tleaq\t32(%rax),%rax\n\tmovdqa\t%xmm2,%xmm1\n\n\tjmp\tL$oop_key256\n\nL$done_key256:\n\tmovl\t%esi,16(%rax)\n\txorl\t%eax,%eax\n\tjmp\tL$enc_key_ret_alt\n\n.p2align\t4\nL$bad_keybits_alt:\n\tmovq\t$-2,%rax\nL$enc_key_ret_alt:\n\tpxor\t%xmm0,%xmm0\n\tpxor\t%xmm1,%xmm1\n\tpxor\t%xmm2,%xmm2\n\tpxor\t%xmm3,%xmm3\n\tpxor\t%xmm4,%xmm4\n\tpxor\t%xmm5,%xmm5\n\taddq\t$8,%rsp\n\n\tret\n\n\n\n.section\t__DATA,__const\n.p2align\t6\nL$bswap_mask:\n.byte\t15,14,13,12,11,10,9,8,7,6,5,4,3,2,1,0\nL$increment32:\n.long\t6,6,6,0\nL$increment64:\n.long\t1,0,0,0\nL$xts_magic:\n.long\t0x87,0,1,0\nL$increment1:\n.byte\t0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1\nL$key_rotate:\n.long\t0x0c0f0e0d,0x0c0f0e0d,0x0c0f0e0d,0x0c0f0e0d\nL$key_rotate192:\n.long\t0x04070605,0x04070605,0x04070605,0x04070605\nL$key_rcon1:\n.long\t1,1,1,1\nL$key_rcon1b:\n.long\t0x1b,0x1b,0x1b,0x1b\n\n.byte\t65,69,83,32,102,111,114,32,73,110,116,101,108,32,65,69,83,45,78,73,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0\n.p2align\t6\n.text\t\n#endif\n#if defined(__linux__) && defined(__ELF__)\n.section .note.GNU-stack,\"\",%progbits\n#endif\n\n" }, { "path": "Sources/CNIOBoringSSL/gen/bcm/aesni-x86_64-linux.S", "content": "#define BORINGSSL_PREFIX CNIOBoringSSL\n// This file is generated from a similarly-named Perl script in the BoringSSL\n// source tree. Do not edit by hand.\n\n#include \n\n#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86_64) && defined(__ELF__)\n.text\t\n.globl\taes_hw_encrypt\n.hidden aes_hw_encrypt\n.type\taes_hw_encrypt,@function\n.align\t16\naes_hw_encrypt:\n.cfi_startproc\t\n_CET_ENDBR\n#ifdef BORINGSSL_DISPATCH_TEST\n.extern\tBORINGSSL_function_hit\n.hidden BORINGSSL_function_hit\n\tmovb\t$1,BORINGSSL_function_hit+1(%rip)\n#endif\n\tmovups\t(%rdi),%xmm2\n\tmovl\t240(%rdx),%eax\n\tmovups\t(%rdx),%xmm0\n\tmovups\t16(%rdx),%xmm1\n\tleaq\t32(%rdx),%rdx\n\txorps\t%xmm0,%xmm2\n.Loop_enc1_1:\n.byte\t102,15,56,220,209\n\tdecl\t%eax\n\tmovups\t(%rdx),%xmm1\n\tleaq\t16(%rdx),%rdx\n\tjnz\t.Loop_enc1_1\n.byte\t102,15,56,221,209\n\tpxor\t%xmm0,%xmm0\n\tpxor\t%xmm1,%xmm1\n\tmovups\t%xmm2,(%rsi)\n\tpxor\t%xmm2,%xmm2\n\tret\n.cfi_endproc\t\n.size\taes_hw_encrypt,.-aes_hw_encrypt\n\n.globl\taes_hw_decrypt\n.hidden aes_hw_decrypt\n.type\taes_hw_decrypt,@function\n.align\t16\naes_hw_decrypt:\n.cfi_startproc\t\n_CET_ENDBR\n\tmovups\t(%rdi),%xmm2\n\tmovl\t240(%rdx),%eax\n\tmovups\t(%rdx),%xmm0\n\tmovups\t16(%rdx),%xmm1\n\tleaq\t32(%rdx),%rdx\n\txorps\t%xmm0,%xmm2\n.Loop_dec1_2:\n.byte\t102,15,56,222,209\n\tdecl\t%eax\n\tmovups\t(%rdx),%xmm1\n\tleaq\t16(%rdx),%rdx\n\tjnz\t.Loop_dec1_2\n.byte\t102,15,56,223,209\n\tpxor\t%xmm0,%xmm0\n\tpxor\t%xmm1,%xmm1\n\tmovups\t%xmm2,(%rsi)\n\tpxor\t%xmm2,%xmm2\n\tret\n.cfi_endproc\t\n.size\taes_hw_decrypt, .-aes_hw_decrypt\n.type\t_aesni_encrypt2,@function\n.align\t16\n_aesni_encrypt2:\n.cfi_startproc\t\n\tmovups\t(%rcx),%xmm0\n\tshll\t$4,%eax\n\tmovups\t16(%rcx),%xmm1\n\txorps\t%xmm0,%xmm2\n\txorps\t%xmm0,%xmm3\n\tmovups\t32(%rcx),%xmm0\n\tleaq\t32(%rcx,%rax,1),%rcx\n\tnegq\t%rax\n\taddq\t$16,%rax\n\n.Lenc_loop2:\n.byte\t102,15,56,220,209\n.byte\t102,15,56,220,217\n\tmovups\t(%rcx,%rax,1),%xmm1\n\taddq\t$32,%rax\n.byte\t102,15,56,220,208\n.byte\t102,15,56,220,216\n\tmovups\t-16(%rcx,%rax,1),%xmm0\n\tjnz\t.Lenc_loop2\n\n.byte\t102,15,56,220,209\n.byte\t102,15,56,220,217\n.byte\t102,15,56,221,208\n.byte\t102,15,56,221,216\n\tret\n.cfi_endproc\t\n.size\t_aesni_encrypt2,.-_aesni_encrypt2\n.type\t_aesni_decrypt2,@function\n.align\t16\n_aesni_decrypt2:\n.cfi_startproc\t\n\tmovups\t(%rcx),%xmm0\n\tshll\t$4,%eax\n\tmovups\t16(%rcx),%xmm1\n\txorps\t%xmm0,%xmm2\n\txorps\t%xmm0,%xmm3\n\tmovups\t32(%rcx),%xmm0\n\tleaq\t32(%rcx,%rax,1),%rcx\n\tnegq\t%rax\n\taddq\t$16,%rax\n\n.Ldec_loop2:\n.byte\t102,15,56,222,209\n.byte\t102,15,56,222,217\n\tmovups\t(%rcx,%rax,1),%xmm1\n\taddq\t$32,%rax\n.byte\t102,15,56,222,208\n.byte\t102,15,56,222,216\n\tmovups\t-16(%rcx,%rax,1),%xmm0\n\tjnz\t.Ldec_loop2\n\n.byte\t102,15,56,222,209\n.byte\t102,15,56,222,217\n.byte\t102,15,56,223,208\n.byte\t102,15,56,223,216\n\tret\n.cfi_endproc\t\n.size\t_aesni_decrypt2,.-_aesni_decrypt2\n.type\t_aesni_encrypt3,@function\n.align\t16\n_aesni_encrypt3:\n.cfi_startproc\t\n\tmovups\t(%rcx),%xmm0\n\tshll\t$4,%eax\n\tmovups\t16(%rcx),%xmm1\n\txorps\t%xmm0,%xmm2\n\txorps\t%xmm0,%xmm3\n\txorps\t%xmm0,%xmm4\n\tmovups\t32(%rcx),%xmm0\n\tleaq\t32(%rcx,%rax,1),%rcx\n\tnegq\t%rax\n\taddq\t$16,%rax\n\n.Lenc_loop3:\n.byte\t102,15,56,220,209\n.byte\t102,15,56,220,217\n.byte\t102,15,56,220,225\n\tmovups\t(%rcx,%rax,1),%xmm1\n\taddq\t$32,%rax\n.byte\t102,15,56,220,208\n.byte\t102,15,56,220,216\n.byte\t102,15,56,220,224\n\tmovups\t-16(%rcx,%rax,1),%xmm0\n\tjnz\t.Lenc_loop3\n\n.byte\t102,15,56,220,209\n.byte\t102,15,56,220,217\n.byte\t102,15,56,220,225\n.byte\t102,15,56,221,208\n.byte\t102,15,56,221,216\n.byte\t102,15,56,221,224\n\tret\n.cfi_endproc\t\n.size\t_aesni_encrypt3,.-_aesni_encrypt3\n.type\t_aesni_decrypt3,@function\n.align\t16\n_aesni_decrypt3:\n.cfi_startproc\t\n\tmovups\t(%rcx),%xmm0\n\tshll\t$4,%eax\n\tmovups\t16(%rcx),%xmm1\n\txorps\t%xmm0,%xmm2\n\txorps\t%xmm0,%xmm3\n\txorps\t%xmm0,%xmm4\n\tmovups\t32(%rcx),%xmm0\n\tleaq\t32(%rcx,%rax,1),%rcx\n\tnegq\t%rax\n\taddq\t$16,%rax\n\n.Ldec_loop3:\n.byte\t102,15,56,222,209\n.byte\t102,15,56,222,217\n.byte\t102,15,56,222,225\n\tmovups\t(%rcx,%rax,1),%xmm1\n\taddq\t$32,%rax\n.byte\t102,15,56,222,208\n.byte\t102,15,56,222,216\n.byte\t102,15,56,222,224\n\tmovups\t-16(%rcx,%rax,1),%xmm0\n\tjnz\t.Ldec_loop3\n\n.byte\t102,15,56,222,209\n.byte\t102,15,56,222,217\n.byte\t102,15,56,222,225\n.byte\t102,15,56,223,208\n.byte\t102,15,56,223,216\n.byte\t102,15,56,223,224\n\tret\n.cfi_endproc\t\n.size\t_aesni_decrypt3,.-_aesni_decrypt3\n.type\t_aesni_encrypt4,@function\n.align\t16\n_aesni_encrypt4:\n.cfi_startproc\t\n\tmovups\t(%rcx),%xmm0\n\tshll\t$4,%eax\n\tmovups\t16(%rcx),%xmm1\n\txorps\t%xmm0,%xmm2\n\txorps\t%xmm0,%xmm3\n\txorps\t%xmm0,%xmm4\n\txorps\t%xmm0,%xmm5\n\tmovups\t32(%rcx),%xmm0\n\tleaq\t32(%rcx,%rax,1),%rcx\n\tnegq\t%rax\n.byte\t0x0f,0x1f,0x00\n\taddq\t$16,%rax\n\n.Lenc_loop4:\n.byte\t102,15,56,220,209\n.byte\t102,15,56,220,217\n.byte\t102,15,56,220,225\n.byte\t102,15,56,220,233\n\tmovups\t(%rcx,%rax,1),%xmm1\n\taddq\t$32,%rax\n.byte\t102,15,56,220,208\n.byte\t102,15,56,220,216\n.byte\t102,15,56,220,224\n.byte\t102,15,56,220,232\n\tmovups\t-16(%rcx,%rax,1),%xmm0\n\tjnz\t.Lenc_loop4\n\n.byte\t102,15,56,220,209\n.byte\t102,15,56,220,217\n.byte\t102,15,56,220,225\n.byte\t102,15,56,220,233\n.byte\t102,15,56,221,208\n.byte\t102,15,56,221,216\n.byte\t102,15,56,221,224\n.byte\t102,15,56,221,232\n\tret\n.cfi_endproc\t\n.size\t_aesni_encrypt4,.-_aesni_encrypt4\n.type\t_aesni_decrypt4,@function\n.align\t16\n_aesni_decrypt4:\n.cfi_startproc\t\n\tmovups\t(%rcx),%xmm0\n\tshll\t$4,%eax\n\tmovups\t16(%rcx),%xmm1\n\txorps\t%xmm0,%xmm2\n\txorps\t%xmm0,%xmm3\n\txorps\t%xmm0,%xmm4\n\txorps\t%xmm0,%xmm5\n\tmovups\t32(%rcx),%xmm0\n\tleaq\t32(%rcx,%rax,1),%rcx\n\tnegq\t%rax\n.byte\t0x0f,0x1f,0x00\n\taddq\t$16,%rax\n\n.Ldec_loop4:\n.byte\t102,15,56,222,209\n.byte\t102,15,56,222,217\n.byte\t102,15,56,222,225\n.byte\t102,15,56,222,233\n\tmovups\t(%rcx,%rax,1),%xmm1\n\taddq\t$32,%rax\n.byte\t102,15,56,222,208\n.byte\t102,15,56,222,216\n.byte\t102,15,56,222,224\n.byte\t102,15,56,222,232\n\tmovups\t-16(%rcx,%rax,1),%xmm0\n\tjnz\t.Ldec_loop4\n\n.byte\t102,15,56,222,209\n.byte\t102,15,56,222,217\n.byte\t102,15,56,222,225\n.byte\t102,15,56,222,233\n.byte\t102,15,56,223,208\n.byte\t102,15,56,223,216\n.byte\t102,15,56,223,224\n.byte\t102,15,56,223,232\n\tret\n.cfi_endproc\t\n.size\t_aesni_decrypt4,.-_aesni_decrypt4\n.type\t_aesni_encrypt6,@function\n.align\t16\n_aesni_encrypt6:\n.cfi_startproc\t\n\tmovups\t(%rcx),%xmm0\n\tshll\t$4,%eax\n\tmovups\t16(%rcx),%xmm1\n\txorps\t%xmm0,%xmm2\n\tpxor\t%xmm0,%xmm3\n\tpxor\t%xmm0,%xmm4\n.byte\t102,15,56,220,209\n\tleaq\t32(%rcx,%rax,1),%rcx\n\tnegq\t%rax\n.byte\t102,15,56,220,217\n\tpxor\t%xmm0,%xmm5\n\tpxor\t%xmm0,%xmm6\n.byte\t102,15,56,220,225\n\tpxor\t%xmm0,%xmm7\n\tmovups\t(%rcx,%rax,1),%xmm0\n\taddq\t$16,%rax\n\tjmp\t.Lenc_loop6_enter\n.align\t16\n.Lenc_loop6:\n.byte\t102,15,56,220,209\n.byte\t102,15,56,220,217\n.byte\t102,15,56,220,225\n.Lenc_loop6_enter:\n.byte\t102,15,56,220,233\n.byte\t102,15,56,220,241\n.byte\t102,15,56,220,249\n\tmovups\t(%rcx,%rax,1),%xmm1\n\taddq\t$32,%rax\n.byte\t102,15,56,220,208\n.byte\t102,15,56,220,216\n.byte\t102,15,56,220,224\n.byte\t102,15,56,220,232\n.byte\t102,15,56,220,240\n.byte\t102,15,56,220,248\n\tmovups\t-16(%rcx,%rax,1),%xmm0\n\tjnz\t.Lenc_loop6\n\n.byte\t102,15,56,220,209\n.byte\t102,15,56,220,217\n.byte\t102,15,56,220,225\n.byte\t102,15,56,220,233\n.byte\t102,15,56,220,241\n.byte\t102,15,56,220,249\n.byte\t102,15,56,221,208\n.byte\t102,15,56,221,216\n.byte\t102,15,56,221,224\n.byte\t102,15,56,221,232\n.byte\t102,15,56,221,240\n.byte\t102,15,56,221,248\n\tret\n.cfi_endproc\t\n.size\t_aesni_encrypt6,.-_aesni_encrypt6\n.type\t_aesni_decrypt6,@function\n.align\t16\n_aesni_decrypt6:\n.cfi_startproc\t\n\tmovups\t(%rcx),%xmm0\n\tshll\t$4,%eax\n\tmovups\t16(%rcx),%xmm1\n\txorps\t%xmm0,%xmm2\n\tpxor\t%xmm0,%xmm3\n\tpxor\t%xmm0,%xmm4\n.byte\t102,15,56,222,209\n\tleaq\t32(%rcx,%rax,1),%rcx\n\tnegq\t%rax\n.byte\t102,15,56,222,217\n\tpxor\t%xmm0,%xmm5\n\tpxor\t%xmm0,%xmm6\n.byte\t102,15,56,222,225\n\tpxor\t%xmm0,%xmm7\n\tmovups\t(%rcx,%rax,1),%xmm0\n\taddq\t$16,%rax\n\tjmp\t.Ldec_loop6_enter\n.align\t16\n.Ldec_loop6:\n.byte\t102,15,56,222,209\n.byte\t102,15,56,222,217\n.byte\t102,15,56,222,225\n.Ldec_loop6_enter:\n.byte\t102,15,56,222,233\n.byte\t102,15,56,222,241\n.byte\t102,15,56,222,249\n\tmovups\t(%rcx,%rax,1),%xmm1\n\taddq\t$32,%rax\n.byte\t102,15,56,222,208\n.byte\t102,15,56,222,216\n.byte\t102,15,56,222,224\n.byte\t102,15,56,222,232\n.byte\t102,15,56,222,240\n.byte\t102,15,56,222,248\n\tmovups\t-16(%rcx,%rax,1),%xmm0\n\tjnz\t.Ldec_loop6\n\n.byte\t102,15,56,222,209\n.byte\t102,15,56,222,217\n.byte\t102,15,56,222,225\n.byte\t102,15,56,222,233\n.byte\t102,15,56,222,241\n.byte\t102,15,56,222,249\n.byte\t102,15,56,223,208\n.byte\t102,15,56,223,216\n.byte\t102,15,56,223,224\n.byte\t102,15,56,223,232\n.byte\t102,15,56,223,240\n.byte\t102,15,56,223,248\n\tret\n.cfi_endproc\t\n.size\t_aesni_decrypt6,.-_aesni_decrypt6\n.type\t_aesni_encrypt8,@function\n.align\t16\n_aesni_encrypt8:\n.cfi_startproc\t\n\tmovups\t(%rcx),%xmm0\n\tshll\t$4,%eax\n\tmovups\t16(%rcx),%xmm1\n\txorps\t%xmm0,%xmm2\n\txorps\t%xmm0,%xmm3\n\tpxor\t%xmm0,%xmm4\n\tpxor\t%xmm0,%xmm5\n\tpxor\t%xmm0,%xmm6\n\tleaq\t32(%rcx,%rax,1),%rcx\n\tnegq\t%rax\n.byte\t102,15,56,220,209\n\tpxor\t%xmm0,%xmm7\n\tpxor\t%xmm0,%xmm8\n.byte\t102,15,56,220,217\n\tpxor\t%xmm0,%xmm9\n\tmovups\t(%rcx,%rax,1),%xmm0\n\taddq\t$16,%rax\n\tjmp\t.Lenc_loop8_inner\n.align\t16\n.Lenc_loop8:\n.byte\t102,15,56,220,209\n.byte\t102,15,56,220,217\n.Lenc_loop8_inner:\n.byte\t102,15,56,220,225\n.byte\t102,15,56,220,233\n.byte\t102,15,56,220,241\n.byte\t102,15,56,220,249\n.byte\t102,68,15,56,220,193\n.byte\t102,68,15,56,220,201\n.Lenc_loop8_enter:\n\tmovups\t(%rcx,%rax,1),%xmm1\n\taddq\t$32,%rax\n.byte\t102,15,56,220,208\n.byte\t102,15,56,220,216\n.byte\t102,15,56,220,224\n.byte\t102,15,56,220,232\n.byte\t102,15,56,220,240\n.byte\t102,15,56,220,248\n.byte\t102,68,15,56,220,192\n.byte\t102,68,15,56,220,200\n\tmovups\t-16(%rcx,%rax,1),%xmm0\n\tjnz\t.Lenc_loop8\n\n.byte\t102,15,56,220,209\n.byte\t102,15,56,220,217\n.byte\t102,15,56,220,225\n.byte\t102,15,56,220,233\n.byte\t102,15,56,220,241\n.byte\t102,15,56,220,249\n.byte\t102,68,15,56,220,193\n.byte\t102,68,15,56,220,201\n.byte\t102,15,56,221,208\n.byte\t102,15,56,221,216\n.byte\t102,15,56,221,224\n.byte\t102,15,56,221,232\n.byte\t102,15,56,221,240\n.byte\t102,15,56,221,248\n.byte\t102,68,15,56,221,192\n.byte\t102,68,15,56,221,200\n\tret\n.cfi_endproc\t\n.size\t_aesni_encrypt8,.-_aesni_encrypt8\n.type\t_aesni_decrypt8,@function\n.align\t16\n_aesni_decrypt8:\n.cfi_startproc\t\n\tmovups\t(%rcx),%xmm0\n\tshll\t$4,%eax\n\tmovups\t16(%rcx),%xmm1\n\txorps\t%xmm0,%xmm2\n\txorps\t%xmm0,%xmm3\n\tpxor\t%xmm0,%xmm4\n\tpxor\t%xmm0,%xmm5\n\tpxor\t%xmm0,%xmm6\n\tleaq\t32(%rcx,%rax,1),%rcx\n\tnegq\t%rax\n.byte\t102,15,56,222,209\n\tpxor\t%xmm0,%xmm7\n\tpxor\t%xmm0,%xmm8\n.byte\t102,15,56,222,217\n\tpxor\t%xmm0,%xmm9\n\tmovups\t(%rcx,%rax,1),%xmm0\n\taddq\t$16,%rax\n\tjmp\t.Ldec_loop8_inner\n.align\t16\n.Ldec_loop8:\n.byte\t102,15,56,222,209\n.byte\t102,15,56,222,217\n.Ldec_loop8_inner:\n.byte\t102,15,56,222,225\n.byte\t102,15,56,222,233\n.byte\t102,15,56,222,241\n.byte\t102,15,56,222,249\n.byte\t102,68,15,56,222,193\n.byte\t102,68,15,56,222,201\n.Ldec_loop8_enter:\n\tmovups\t(%rcx,%rax,1),%xmm1\n\taddq\t$32,%rax\n.byte\t102,15,56,222,208\n.byte\t102,15,56,222,216\n.byte\t102,15,56,222,224\n.byte\t102,15,56,222,232\n.byte\t102,15,56,222,240\n.byte\t102,15,56,222,248\n.byte\t102,68,15,56,222,192\n.byte\t102,68,15,56,222,200\n\tmovups\t-16(%rcx,%rax,1),%xmm0\n\tjnz\t.Ldec_loop8\n\n.byte\t102,15,56,222,209\n.byte\t102,15,56,222,217\n.byte\t102,15,56,222,225\n.byte\t102,15,56,222,233\n.byte\t102,15,56,222,241\n.byte\t102,15,56,222,249\n.byte\t102,68,15,56,222,193\n.byte\t102,68,15,56,222,201\n.byte\t102,15,56,223,208\n.byte\t102,15,56,223,216\n.byte\t102,15,56,223,224\n.byte\t102,15,56,223,232\n.byte\t102,15,56,223,240\n.byte\t102,15,56,223,248\n.byte\t102,68,15,56,223,192\n.byte\t102,68,15,56,223,200\n\tret\n.cfi_endproc\t\n.size\t_aesni_decrypt8,.-_aesni_decrypt8\n.globl\taes_hw_ecb_encrypt\n.hidden aes_hw_ecb_encrypt\n.type\taes_hw_ecb_encrypt,@function\n.align\t16\naes_hw_ecb_encrypt:\n.cfi_startproc\t\n_CET_ENDBR\n\tandq\t$-16,%rdx\n\tjz\t.Lecb_ret\n\n\tmovl\t240(%rcx),%eax\n\tmovups\t(%rcx),%xmm0\n\tmovq\t%rcx,%r11\n\tmovl\t%eax,%r10d\n\ttestl\t%r8d,%r8d\n\tjz\t.Lecb_decrypt\n\n\tcmpq\t$0x80,%rdx\n\tjb\t.Lecb_enc_tail\n\n\tmovdqu\t(%rdi),%xmm2\n\tmovdqu\t16(%rdi),%xmm3\n\tmovdqu\t32(%rdi),%xmm4\n\tmovdqu\t48(%rdi),%xmm5\n\tmovdqu\t64(%rdi),%xmm6\n\tmovdqu\t80(%rdi),%xmm7\n\tmovdqu\t96(%rdi),%xmm8\n\tmovdqu\t112(%rdi),%xmm9\n\tleaq\t128(%rdi),%rdi\n\tsubq\t$0x80,%rdx\n\tjmp\t.Lecb_enc_loop8_enter\n.align\t16\n.Lecb_enc_loop8:\n\tmovups\t%xmm2,(%rsi)\n\tmovq\t%r11,%rcx\n\tmovdqu\t(%rdi),%xmm2\n\tmovl\t%r10d,%eax\n\tmovups\t%xmm3,16(%rsi)\n\tmovdqu\t16(%rdi),%xmm3\n\tmovups\t%xmm4,32(%rsi)\n\tmovdqu\t32(%rdi),%xmm4\n\tmovups\t%xmm5,48(%rsi)\n\tmovdqu\t48(%rdi),%xmm5\n\tmovups\t%xmm6,64(%rsi)\n\tmovdqu\t64(%rdi),%xmm6\n\tmovups\t%xmm7,80(%rsi)\n\tmovdqu\t80(%rdi),%xmm7\n\tmovups\t%xmm8,96(%rsi)\n\tmovdqu\t96(%rdi),%xmm8\n\tmovups\t%xmm9,112(%rsi)\n\tleaq\t128(%rsi),%rsi\n\tmovdqu\t112(%rdi),%xmm9\n\tleaq\t128(%rdi),%rdi\n.Lecb_enc_loop8_enter:\n\n\tcall\t_aesni_encrypt8\n\n\tsubq\t$0x80,%rdx\n\tjnc\t.Lecb_enc_loop8\n\n\tmovups\t%xmm2,(%rsi)\n\tmovq\t%r11,%rcx\n\tmovups\t%xmm3,16(%rsi)\n\tmovl\t%r10d,%eax\n\tmovups\t%xmm4,32(%rsi)\n\tmovups\t%xmm5,48(%rsi)\n\tmovups\t%xmm6,64(%rsi)\n\tmovups\t%xmm7,80(%rsi)\n\tmovups\t%xmm8,96(%rsi)\n\tmovups\t%xmm9,112(%rsi)\n\tleaq\t128(%rsi),%rsi\n\taddq\t$0x80,%rdx\n\tjz\t.Lecb_ret\n\n.Lecb_enc_tail:\n\tmovups\t(%rdi),%xmm2\n\tcmpq\t$0x20,%rdx\n\tjb\t.Lecb_enc_one\n\tmovups\t16(%rdi),%xmm3\n\tje\t.Lecb_enc_two\n\tmovups\t32(%rdi),%xmm4\n\tcmpq\t$0x40,%rdx\n\tjb\t.Lecb_enc_three\n\tmovups\t48(%rdi),%xmm5\n\tje\t.Lecb_enc_four\n\tmovups\t64(%rdi),%xmm6\n\tcmpq\t$0x60,%rdx\n\tjb\t.Lecb_enc_five\n\tmovups\t80(%rdi),%xmm7\n\tje\t.Lecb_enc_six\n\tmovdqu\t96(%rdi),%xmm8\n\txorps\t%xmm9,%xmm9\n\tcall\t_aesni_encrypt8\n\tmovups\t%xmm2,(%rsi)\n\tmovups\t%xmm3,16(%rsi)\n\tmovups\t%xmm4,32(%rsi)\n\tmovups\t%xmm5,48(%rsi)\n\tmovups\t%xmm6,64(%rsi)\n\tmovups\t%xmm7,80(%rsi)\n\tmovups\t%xmm8,96(%rsi)\n\tjmp\t.Lecb_ret\n.align\t16\n.Lecb_enc_one:\n\tmovups\t(%rcx),%xmm0\n\tmovups\t16(%rcx),%xmm1\n\tleaq\t32(%rcx),%rcx\n\txorps\t%xmm0,%xmm2\n.Loop_enc1_3:\n.byte\t102,15,56,220,209\n\tdecl\t%eax\n\tmovups\t(%rcx),%xmm1\n\tleaq\t16(%rcx),%rcx\n\tjnz\t.Loop_enc1_3\n.byte\t102,15,56,221,209\n\tmovups\t%xmm2,(%rsi)\n\tjmp\t.Lecb_ret\n.align\t16\n.Lecb_enc_two:\n\tcall\t_aesni_encrypt2\n\tmovups\t%xmm2,(%rsi)\n\tmovups\t%xmm3,16(%rsi)\n\tjmp\t.Lecb_ret\n.align\t16\n.Lecb_enc_three:\n\tcall\t_aesni_encrypt3\n\tmovups\t%xmm2,(%rsi)\n\tmovups\t%xmm3,16(%rsi)\n\tmovups\t%xmm4,32(%rsi)\n\tjmp\t.Lecb_ret\n.align\t16\n.Lecb_enc_four:\n\tcall\t_aesni_encrypt4\n\tmovups\t%xmm2,(%rsi)\n\tmovups\t%xmm3,16(%rsi)\n\tmovups\t%xmm4,32(%rsi)\n\tmovups\t%xmm5,48(%rsi)\n\tjmp\t.Lecb_ret\n.align\t16\n.Lecb_enc_five:\n\txorps\t%xmm7,%xmm7\n\tcall\t_aesni_encrypt6\n\tmovups\t%xmm2,(%rsi)\n\tmovups\t%xmm3,16(%rsi)\n\tmovups\t%xmm4,32(%rsi)\n\tmovups\t%xmm5,48(%rsi)\n\tmovups\t%xmm6,64(%rsi)\n\tjmp\t.Lecb_ret\n.align\t16\n.Lecb_enc_six:\n\tcall\t_aesni_encrypt6\n\tmovups\t%xmm2,(%rsi)\n\tmovups\t%xmm3,16(%rsi)\n\tmovups\t%xmm4,32(%rsi)\n\tmovups\t%xmm5,48(%rsi)\n\tmovups\t%xmm6,64(%rsi)\n\tmovups\t%xmm7,80(%rsi)\n\tjmp\t.Lecb_ret\n\n.align\t16\n.Lecb_decrypt:\n\tcmpq\t$0x80,%rdx\n\tjb\t.Lecb_dec_tail\n\n\tmovdqu\t(%rdi),%xmm2\n\tmovdqu\t16(%rdi),%xmm3\n\tmovdqu\t32(%rdi),%xmm4\n\tmovdqu\t48(%rdi),%xmm5\n\tmovdqu\t64(%rdi),%xmm6\n\tmovdqu\t80(%rdi),%xmm7\n\tmovdqu\t96(%rdi),%xmm8\n\tmovdqu\t112(%rdi),%xmm9\n\tleaq\t128(%rdi),%rdi\n\tsubq\t$0x80,%rdx\n\tjmp\t.Lecb_dec_loop8_enter\n.align\t16\n.Lecb_dec_loop8:\n\tmovups\t%xmm2,(%rsi)\n\tmovq\t%r11,%rcx\n\tmovdqu\t(%rdi),%xmm2\n\tmovl\t%r10d,%eax\n\tmovups\t%xmm3,16(%rsi)\n\tmovdqu\t16(%rdi),%xmm3\n\tmovups\t%xmm4,32(%rsi)\n\tmovdqu\t32(%rdi),%xmm4\n\tmovups\t%xmm5,48(%rsi)\n\tmovdqu\t48(%rdi),%xmm5\n\tmovups\t%xmm6,64(%rsi)\n\tmovdqu\t64(%rdi),%xmm6\n\tmovups\t%xmm7,80(%rsi)\n\tmovdqu\t80(%rdi),%xmm7\n\tmovups\t%xmm8,96(%rsi)\n\tmovdqu\t96(%rdi),%xmm8\n\tmovups\t%xmm9,112(%rsi)\n\tleaq\t128(%rsi),%rsi\n\tmovdqu\t112(%rdi),%xmm9\n\tleaq\t128(%rdi),%rdi\n.Lecb_dec_loop8_enter:\n\n\tcall\t_aesni_decrypt8\n\n\tmovups\t(%r11),%xmm0\n\tsubq\t$0x80,%rdx\n\tjnc\t.Lecb_dec_loop8\n\n\tmovups\t%xmm2,(%rsi)\n\tpxor\t%xmm2,%xmm2\n\tmovq\t%r11,%rcx\n\tmovups\t%xmm3,16(%rsi)\n\tpxor\t%xmm3,%xmm3\n\tmovl\t%r10d,%eax\n\tmovups\t%xmm4,32(%rsi)\n\tpxor\t%xmm4,%xmm4\n\tmovups\t%xmm5,48(%rsi)\n\tpxor\t%xmm5,%xmm5\n\tmovups\t%xmm6,64(%rsi)\n\tpxor\t%xmm6,%xmm6\n\tmovups\t%xmm7,80(%rsi)\n\tpxor\t%xmm7,%xmm7\n\tmovups\t%xmm8,96(%rsi)\n\tpxor\t%xmm8,%xmm8\n\tmovups\t%xmm9,112(%rsi)\n\tpxor\t%xmm9,%xmm9\n\tleaq\t128(%rsi),%rsi\n\taddq\t$0x80,%rdx\n\tjz\t.Lecb_ret\n\n.Lecb_dec_tail:\n\tmovups\t(%rdi),%xmm2\n\tcmpq\t$0x20,%rdx\n\tjb\t.Lecb_dec_one\n\tmovups\t16(%rdi),%xmm3\n\tje\t.Lecb_dec_two\n\tmovups\t32(%rdi),%xmm4\n\tcmpq\t$0x40,%rdx\n\tjb\t.Lecb_dec_three\n\tmovups\t48(%rdi),%xmm5\n\tje\t.Lecb_dec_four\n\tmovups\t64(%rdi),%xmm6\n\tcmpq\t$0x60,%rdx\n\tjb\t.Lecb_dec_five\n\tmovups\t80(%rdi),%xmm7\n\tje\t.Lecb_dec_six\n\tmovups\t96(%rdi),%xmm8\n\tmovups\t(%rcx),%xmm0\n\txorps\t%xmm9,%xmm9\n\tcall\t_aesni_decrypt8\n\tmovups\t%xmm2,(%rsi)\n\tpxor\t%xmm2,%xmm2\n\tmovups\t%xmm3,16(%rsi)\n\tpxor\t%xmm3,%xmm3\n\tmovups\t%xmm4,32(%rsi)\n\tpxor\t%xmm4,%xmm4\n\tmovups\t%xmm5,48(%rsi)\n\tpxor\t%xmm5,%xmm5\n\tmovups\t%xmm6,64(%rsi)\n\tpxor\t%xmm6,%xmm6\n\tmovups\t%xmm7,80(%rsi)\n\tpxor\t%xmm7,%xmm7\n\tmovups\t%xmm8,96(%rsi)\n\tpxor\t%xmm8,%xmm8\n\tpxor\t%xmm9,%xmm9\n\tjmp\t.Lecb_ret\n.align\t16\n.Lecb_dec_one:\n\tmovups\t(%rcx),%xmm0\n\tmovups\t16(%rcx),%xmm1\n\tleaq\t32(%rcx),%rcx\n\txorps\t%xmm0,%xmm2\n.Loop_dec1_4:\n.byte\t102,15,56,222,209\n\tdecl\t%eax\n\tmovups\t(%rcx),%xmm1\n\tleaq\t16(%rcx),%rcx\n\tjnz\t.Loop_dec1_4\n.byte\t102,15,56,223,209\n\tmovups\t%xmm2,(%rsi)\n\tpxor\t%xmm2,%xmm2\n\tjmp\t.Lecb_ret\n.align\t16\n.Lecb_dec_two:\n\tcall\t_aesni_decrypt2\n\tmovups\t%xmm2,(%rsi)\n\tpxor\t%xmm2,%xmm2\n\tmovups\t%xmm3,16(%rsi)\n\tpxor\t%xmm3,%xmm3\n\tjmp\t.Lecb_ret\n.align\t16\n.Lecb_dec_three:\n\tcall\t_aesni_decrypt3\n\tmovups\t%xmm2,(%rsi)\n\tpxor\t%xmm2,%xmm2\n\tmovups\t%xmm3,16(%rsi)\n\tpxor\t%xmm3,%xmm3\n\tmovups\t%xmm4,32(%rsi)\n\tpxor\t%xmm4,%xmm4\n\tjmp\t.Lecb_ret\n.align\t16\n.Lecb_dec_four:\n\tcall\t_aesni_decrypt4\n\tmovups\t%xmm2,(%rsi)\n\tpxor\t%xmm2,%xmm2\n\tmovups\t%xmm3,16(%rsi)\n\tpxor\t%xmm3,%xmm3\n\tmovups\t%xmm4,32(%rsi)\n\tpxor\t%xmm4,%xmm4\n\tmovups\t%xmm5,48(%rsi)\n\tpxor\t%xmm5,%xmm5\n\tjmp\t.Lecb_ret\n.align\t16\n.Lecb_dec_five:\n\txorps\t%xmm7,%xmm7\n\tcall\t_aesni_decrypt6\n\tmovups\t%xmm2,(%rsi)\n\tpxor\t%xmm2,%xmm2\n\tmovups\t%xmm3,16(%rsi)\n\tpxor\t%xmm3,%xmm3\n\tmovups\t%xmm4,32(%rsi)\n\tpxor\t%xmm4,%xmm4\n\tmovups\t%xmm5,48(%rsi)\n\tpxor\t%xmm5,%xmm5\n\tmovups\t%xmm6,64(%rsi)\n\tpxor\t%xmm6,%xmm6\n\tpxor\t%xmm7,%xmm7\n\tjmp\t.Lecb_ret\n.align\t16\n.Lecb_dec_six:\n\tcall\t_aesni_decrypt6\n\tmovups\t%xmm2,(%rsi)\n\tpxor\t%xmm2,%xmm2\n\tmovups\t%xmm3,16(%rsi)\n\tpxor\t%xmm3,%xmm3\n\tmovups\t%xmm4,32(%rsi)\n\tpxor\t%xmm4,%xmm4\n\tmovups\t%xmm5,48(%rsi)\n\tpxor\t%xmm5,%xmm5\n\tmovups\t%xmm6,64(%rsi)\n\tpxor\t%xmm6,%xmm6\n\tmovups\t%xmm7,80(%rsi)\n\tpxor\t%xmm7,%xmm7\n\n.Lecb_ret:\n\txorps\t%xmm0,%xmm0\n\tpxor\t%xmm1,%xmm1\n\tret\n.cfi_endproc\t\n.size\taes_hw_ecb_encrypt,.-aes_hw_ecb_encrypt\n.globl\taes_hw_ctr32_encrypt_blocks\n.hidden aes_hw_ctr32_encrypt_blocks\n.type\taes_hw_ctr32_encrypt_blocks,@function\n.align\t16\naes_hw_ctr32_encrypt_blocks:\n.cfi_startproc\t\n_CET_ENDBR\n#ifdef BORINGSSL_DISPATCH_TEST\n\tmovb\t$1,BORINGSSL_function_hit(%rip)\n#endif\n\tcmpq\t$1,%rdx\n\tjne\t.Lctr32_bulk\n\n\n\n\tmovups\t(%r8),%xmm2\n\tmovups\t(%rdi),%xmm3\n\tmovl\t240(%rcx),%edx\n\tmovups\t(%rcx),%xmm0\n\tmovups\t16(%rcx),%xmm1\n\tleaq\t32(%rcx),%rcx\n\txorps\t%xmm0,%xmm2\n.Loop_enc1_5:\n.byte\t102,15,56,220,209\n\tdecl\t%edx\n\tmovups\t(%rcx),%xmm1\n\tleaq\t16(%rcx),%rcx\n\tjnz\t.Loop_enc1_5\n.byte\t102,15,56,221,209\n\tpxor\t%xmm0,%xmm0\n\tpxor\t%xmm1,%xmm1\n\txorps\t%xmm3,%xmm2\n\tpxor\t%xmm3,%xmm3\n\tmovups\t%xmm2,(%rsi)\n\txorps\t%xmm2,%xmm2\n\tjmp\t.Lctr32_epilogue\n\n.align\t16\n.Lctr32_bulk:\n\tleaq\t(%rsp),%r11\n.cfi_def_cfa_register\t%r11\n\tpushq\t%rbp\n.cfi_offset\t%rbp,-16\n\tsubq\t$128,%rsp\n\tandq\t$-16,%rsp\n\n\n\n\n\tmovdqu\t(%r8),%xmm2\n\tmovdqu\t(%rcx),%xmm0\n\tmovl\t12(%r8),%r8d\n\tpxor\t%xmm0,%xmm2\n\tmovl\t12(%rcx),%ebp\n\tmovdqa\t%xmm2,0(%rsp)\n\tbswapl\t%r8d\n\tmovdqa\t%xmm2,%xmm3\n\tmovdqa\t%xmm2,%xmm4\n\tmovdqa\t%xmm2,%xmm5\n\tmovdqa\t%xmm2,64(%rsp)\n\tmovdqa\t%xmm2,80(%rsp)\n\tmovdqa\t%xmm2,96(%rsp)\n\tmovq\t%rdx,%r10\n\tmovdqa\t%xmm2,112(%rsp)\n\n\tleaq\t1(%r8),%rax\n\tleaq\t2(%r8),%rdx\n\tbswapl\t%eax\n\tbswapl\t%edx\n\txorl\t%ebp,%eax\n\txorl\t%ebp,%edx\n.byte\t102,15,58,34,216,3\n\tleaq\t3(%r8),%rax\n\tmovdqa\t%xmm3,16(%rsp)\n.byte\t102,15,58,34,226,3\n\tbswapl\t%eax\n\tmovq\t%r10,%rdx\n\tleaq\t4(%r8),%r10\n\tmovdqa\t%xmm4,32(%rsp)\n\txorl\t%ebp,%eax\n\tbswapl\t%r10d\n.byte\t102,15,58,34,232,3\n\txorl\t%ebp,%r10d\n\tmovdqa\t%xmm5,48(%rsp)\n\tleaq\t5(%r8),%r9\n\tmovl\t%r10d,64+12(%rsp)\n\tbswapl\t%r9d\n\tleaq\t6(%r8),%r10\n\tmovl\t240(%rcx),%eax\n\txorl\t%ebp,%r9d\n\tbswapl\t%r10d\n\tmovl\t%r9d,80+12(%rsp)\n\txorl\t%ebp,%r10d\n\tleaq\t7(%r8),%r9\n\tmovl\t%r10d,96+12(%rsp)\n\tbswapl\t%r9d\n\txorl\t%ebp,%r9d\n\tmovl\t%r9d,112+12(%rsp)\n\n\tmovups\t16(%rcx),%xmm1\n\n\tmovdqa\t64(%rsp),%xmm6\n\tmovdqa\t80(%rsp),%xmm7\n\n\tcmpq\t$8,%rdx\n\tjb\t.Lctr32_tail\n\n\tleaq\t128(%rcx),%rcx\n\tsubq\t$8,%rdx\n\tjmp\t.Lctr32_loop8\n\n.align\t32\n.Lctr32_loop8:\n\taddl\t$8,%r8d\n\tmovdqa\t96(%rsp),%xmm8\n.byte\t102,15,56,220,209\n\tmovl\t%r8d,%r9d\n\tmovdqa\t112(%rsp),%xmm9\n.byte\t102,15,56,220,217\n\tbswapl\t%r9d\n\tmovups\t32-128(%rcx),%xmm0\n.byte\t102,15,56,220,225\n\txorl\t%ebp,%r9d\n\tnop\n.byte\t102,15,56,220,233\n\tmovl\t%r9d,0+12(%rsp)\n\tleaq\t1(%r8),%r9\n.byte\t102,15,56,220,241\n.byte\t102,15,56,220,249\n.byte\t102,68,15,56,220,193\n.byte\t102,68,15,56,220,201\n\tmovups\t48-128(%rcx),%xmm1\n\tbswapl\t%r9d\n.byte\t102,15,56,220,208\n.byte\t102,15,56,220,216\n\txorl\t%ebp,%r9d\n.byte\t0x66,0x90\n.byte\t102,15,56,220,224\n.byte\t102,15,56,220,232\n\tmovl\t%r9d,16+12(%rsp)\n\tleaq\t2(%r8),%r9\n.byte\t102,15,56,220,240\n.byte\t102,15,56,220,248\n.byte\t102,68,15,56,220,192\n.byte\t102,68,15,56,220,200\n\tmovups\t64-128(%rcx),%xmm0\n\tbswapl\t%r9d\n.byte\t102,15,56,220,209\n.byte\t102,15,56,220,217\n\txorl\t%ebp,%r9d\n.byte\t0x66,0x90\n.byte\t102,15,56,220,225\n.byte\t102,15,56,220,233\n\tmovl\t%r9d,32+12(%rsp)\n\tleaq\t3(%r8),%r9\n.byte\t102,15,56,220,241\n.byte\t102,15,56,220,249\n.byte\t102,68,15,56,220,193\n.byte\t102,68,15,56,220,201\n\tmovups\t80-128(%rcx),%xmm1\n\tbswapl\t%r9d\n.byte\t102,15,56,220,208\n.byte\t102,15,56,220,216\n\txorl\t%ebp,%r9d\n.byte\t0x66,0x90\n.byte\t102,15,56,220,224\n.byte\t102,15,56,220,232\n\tmovl\t%r9d,48+12(%rsp)\n\tleaq\t4(%r8),%r9\n.byte\t102,15,56,220,240\n.byte\t102,15,56,220,248\n.byte\t102,68,15,56,220,192\n.byte\t102,68,15,56,220,200\n\tmovups\t96-128(%rcx),%xmm0\n\tbswapl\t%r9d\n.byte\t102,15,56,220,209\n.byte\t102,15,56,220,217\n\txorl\t%ebp,%r9d\n.byte\t0x66,0x90\n.byte\t102,15,56,220,225\n.byte\t102,15,56,220,233\n\tmovl\t%r9d,64+12(%rsp)\n\tleaq\t5(%r8),%r9\n.byte\t102,15,56,220,241\n.byte\t102,15,56,220,249\n.byte\t102,68,15,56,220,193\n.byte\t102,68,15,56,220,201\n\tmovups\t112-128(%rcx),%xmm1\n\tbswapl\t%r9d\n.byte\t102,15,56,220,208\n.byte\t102,15,56,220,216\n\txorl\t%ebp,%r9d\n.byte\t0x66,0x90\n.byte\t102,15,56,220,224\n.byte\t102,15,56,220,232\n\tmovl\t%r9d,80+12(%rsp)\n\tleaq\t6(%r8),%r9\n.byte\t102,15,56,220,240\n.byte\t102,15,56,220,248\n.byte\t102,68,15,56,220,192\n.byte\t102,68,15,56,220,200\n\tmovups\t128-128(%rcx),%xmm0\n\tbswapl\t%r9d\n.byte\t102,15,56,220,209\n.byte\t102,15,56,220,217\n\txorl\t%ebp,%r9d\n.byte\t0x66,0x90\n.byte\t102,15,56,220,225\n.byte\t102,15,56,220,233\n\tmovl\t%r9d,96+12(%rsp)\n\tleaq\t7(%r8),%r9\n.byte\t102,15,56,220,241\n.byte\t102,15,56,220,249\n.byte\t102,68,15,56,220,193\n.byte\t102,68,15,56,220,201\n\tmovups\t144-128(%rcx),%xmm1\n\tbswapl\t%r9d\n.byte\t102,15,56,220,208\n.byte\t102,15,56,220,216\n.byte\t102,15,56,220,224\n\txorl\t%ebp,%r9d\n\tmovdqu\t0(%rdi),%xmm10\n.byte\t102,15,56,220,232\n\tmovl\t%r9d,112+12(%rsp)\n\tcmpl\t$11,%eax\n.byte\t102,15,56,220,240\n.byte\t102,15,56,220,248\n.byte\t102,68,15,56,220,192\n.byte\t102,68,15,56,220,200\n\tmovups\t160-128(%rcx),%xmm0\n\n\tjb\t.Lctr32_enc_done\n\n.byte\t102,15,56,220,209\n.byte\t102,15,56,220,217\n.byte\t102,15,56,220,225\n.byte\t102,15,56,220,233\n.byte\t102,15,56,220,241\n.byte\t102,15,56,220,249\n.byte\t102,68,15,56,220,193\n.byte\t102,68,15,56,220,201\n\tmovups\t176-128(%rcx),%xmm1\n\n.byte\t102,15,56,220,208\n.byte\t102,15,56,220,216\n.byte\t102,15,56,220,224\n.byte\t102,15,56,220,232\n.byte\t102,15,56,220,240\n.byte\t102,15,56,220,248\n.byte\t102,68,15,56,220,192\n.byte\t102,68,15,56,220,200\n\tmovups\t192-128(%rcx),%xmm0\n\tje\t.Lctr32_enc_done\n\n.byte\t102,15,56,220,209\n.byte\t102,15,56,220,217\n.byte\t102,15,56,220,225\n.byte\t102,15,56,220,233\n.byte\t102,15,56,220,241\n.byte\t102,15,56,220,249\n.byte\t102,68,15,56,220,193\n.byte\t102,68,15,56,220,201\n\tmovups\t208-128(%rcx),%xmm1\n\n.byte\t102,15,56,220,208\n.byte\t102,15,56,220,216\n.byte\t102,15,56,220,224\n.byte\t102,15,56,220,232\n.byte\t102,15,56,220,240\n.byte\t102,15,56,220,248\n.byte\t102,68,15,56,220,192\n.byte\t102,68,15,56,220,200\n\tmovups\t224-128(%rcx),%xmm0\n\tjmp\t.Lctr32_enc_done\n\n.align\t16\n.Lctr32_enc_done:\n\tmovdqu\t16(%rdi),%xmm11\n\tpxor\t%xmm0,%xmm10\n\tmovdqu\t32(%rdi),%xmm12\n\tpxor\t%xmm0,%xmm11\n\tmovdqu\t48(%rdi),%xmm13\n\tpxor\t%xmm0,%xmm12\n\tmovdqu\t64(%rdi),%xmm14\n\tpxor\t%xmm0,%xmm13\n\tmovdqu\t80(%rdi),%xmm15\n\tpxor\t%xmm0,%xmm14\n\tprefetcht0\t448(%rdi)\n\tprefetcht0\t512(%rdi)\n\tpxor\t%xmm0,%xmm15\n.byte\t102,15,56,220,209\n.byte\t102,15,56,220,217\n.byte\t102,15,56,220,225\n.byte\t102,15,56,220,233\n.byte\t102,15,56,220,241\n.byte\t102,15,56,220,249\n.byte\t102,68,15,56,220,193\n.byte\t102,68,15,56,220,201\n\tmovdqu\t96(%rdi),%xmm1\n\tleaq\t128(%rdi),%rdi\n\n.byte\t102,65,15,56,221,210\n\tpxor\t%xmm0,%xmm1\n\tmovdqu\t112-128(%rdi),%xmm10\n.byte\t102,65,15,56,221,219\n\tpxor\t%xmm0,%xmm10\n\tmovdqa\t0(%rsp),%xmm11\n.byte\t102,65,15,56,221,228\n.byte\t102,65,15,56,221,237\n\tmovdqa\t16(%rsp),%xmm12\n\tmovdqa\t32(%rsp),%xmm13\n.byte\t102,65,15,56,221,246\n.byte\t102,65,15,56,221,255\n\tmovdqa\t48(%rsp),%xmm14\n\tmovdqa\t64(%rsp),%xmm15\n.byte\t102,68,15,56,221,193\n\tmovdqa\t80(%rsp),%xmm0\n\tmovups\t16-128(%rcx),%xmm1\n.byte\t102,69,15,56,221,202\n\n\tmovups\t%xmm2,(%rsi)\n\tmovdqa\t%xmm11,%xmm2\n\tmovups\t%xmm3,16(%rsi)\n\tmovdqa\t%xmm12,%xmm3\n\tmovups\t%xmm4,32(%rsi)\n\tmovdqa\t%xmm13,%xmm4\n\tmovups\t%xmm5,48(%rsi)\n\tmovdqa\t%xmm14,%xmm5\n\tmovups\t%xmm6,64(%rsi)\n\tmovdqa\t%xmm15,%xmm6\n\tmovups\t%xmm7,80(%rsi)\n\tmovdqa\t%xmm0,%xmm7\n\tmovups\t%xmm8,96(%rsi)\n\tmovups\t%xmm9,112(%rsi)\n\tleaq\t128(%rsi),%rsi\n\n\tsubq\t$8,%rdx\n\tjnc\t.Lctr32_loop8\n\n\taddq\t$8,%rdx\n\tjz\t.Lctr32_done\n\tleaq\t-128(%rcx),%rcx\n\n.Lctr32_tail:\n\n\n\tleaq\t16(%rcx),%rcx\n\tcmpq\t$4,%rdx\n\tjb\t.Lctr32_loop3\n\tje\t.Lctr32_loop4\n\n\n\tshll\t$4,%eax\n\tmovdqa\t96(%rsp),%xmm8\n\tpxor\t%xmm9,%xmm9\n\n\tmovups\t16(%rcx),%xmm0\n.byte\t102,15,56,220,209\n.byte\t102,15,56,220,217\n\tleaq\t32-16(%rcx,%rax,1),%rcx\n\tnegq\t%rax\n.byte\t102,15,56,220,225\n\taddq\t$16,%rax\n\tmovups\t(%rdi),%xmm10\n.byte\t102,15,56,220,233\n.byte\t102,15,56,220,241\n\tmovups\t16(%rdi),%xmm11\n\tmovups\t32(%rdi),%xmm12\n.byte\t102,15,56,220,249\n.byte\t102,68,15,56,220,193\n\n\tcall\t.Lenc_loop8_enter\n\n\tmovdqu\t48(%rdi),%xmm13\n\tpxor\t%xmm10,%xmm2\n\tmovdqu\t64(%rdi),%xmm10\n\tpxor\t%xmm11,%xmm3\n\tmovdqu\t%xmm2,(%rsi)\n\tpxor\t%xmm12,%xmm4\n\tmovdqu\t%xmm3,16(%rsi)\n\tpxor\t%xmm13,%xmm5\n\tmovdqu\t%xmm4,32(%rsi)\n\tpxor\t%xmm10,%xmm6\n\tmovdqu\t%xmm5,48(%rsi)\n\tmovdqu\t%xmm6,64(%rsi)\n\tcmpq\t$6,%rdx\n\tjb\t.Lctr32_done\n\n\tmovups\t80(%rdi),%xmm11\n\txorps\t%xmm11,%xmm7\n\tmovups\t%xmm7,80(%rsi)\n\tje\t.Lctr32_done\n\n\tmovups\t96(%rdi),%xmm12\n\txorps\t%xmm12,%xmm8\n\tmovups\t%xmm8,96(%rsi)\n\tjmp\t.Lctr32_done\n\n.align\t32\n.Lctr32_loop4:\n.byte\t102,15,56,220,209\n\tleaq\t16(%rcx),%rcx\n\tdecl\t%eax\n.byte\t102,15,56,220,217\n.byte\t102,15,56,220,225\n.byte\t102,15,56,220,233\n\tmovups\t(%rcx),%xmm1\n\tjnz\t.Lctr32_loop4\n.byte\t102,15,56,221,209\n.byte\t102,15,56,221,217\n\tmovups\t(%rdi),%xmm10\n\tmovups\t16(%rdi),%xmm11\n.byte\t102,15,56,221,225\n.byte\t102,15,56,221,233\n\tmovups\t32(%rdi),%xmm12\n\tmovups\t48(%rdi),%xmm13\n\n\txorps\t%xmm10,%xmm2\n\tmovups\t%xmm2,(%rsi)\n\txorps\t%xmm11,%xmm3\n\tmovups\t%xmm3,16(%rsi)\n\tpxor\t%xmm12,%xmm4\n\tmovdqu\t%xmm4,32(%rsi)\n\tpxor\t%xmm13,%xmm5\n\tmovdqu\t%xmm5,48(%rsi)\n\tjmp\t.Lctr32_done\n\n.align\t32\n.Lctr32_loop3:\n.byte\t102,15,56,220,209\n\tleaq\t16(%rcx),%rcx\n\tdecl\t%eax\n.byte\t102,15,56,220,217\n.byte\t102,15,56,220,225\n\tmovups\t(%rcx),%xmm1\n\tjnz\t.Lctr32_loop3\n.byte\t102,15,56,221,209\n.byte\t102,15,56,221,217\n.byte\t102,15,56,221,225\n\n\tmovups\t(%rdi),%xmm10\n\txorps\t%xmm10,%xmm2\n\tmovups\t%xmm2,(%rsi)\n\tcmpq\t$2,%rdx\n\tjb\t.Lctr32_done\n\n\tmovups\t16(%rdi),%xmm11\n\txorps\t%xmm11,%xmm3\n\tmovups\t%xmm3,16(%rsi)\n\tje\t.Lctr32_done\n\n\tmovups\t32(%rdi),%xmm12\n\txorps\t%xmm12,%xmm4\n\tmovups\t%xmm4,32(%rsi)\n\n.Lctr32_done:\n\txorps\t%xmm0,%xmm0\n\txorl\t%ebp,%ebp\n\tpxor\t%xmm1,%xmm1\n\tpxor\t%xmm2,%xmm2\n\tpxor\t%xmm3,%xmm3\n\tpxor\t%xmm4,%xmm4\n\tpxor\t%xmm5,%xmm5\n\tpxor\t%xmm6,%xmm6\n\tpxor\t%xmm7,%xmm7\n\tmovaps\t%xmm0,0(%rsp)\n\tpxor\t%xmm8,%xmm8\n\tmovaps\t%xmm0,16(%rsp)\n\tpxor\t%xmm9,%xmm9\n\tmovaps\t%xmm0,32(%rsp)\n\tpxor\t%xmm10,%xmm10\n\tmovaps\t%xmm0,48(%rsp)\n\tpxor\t%xmm11,%xmm11\n\tmovaps\t%xmm0,64(%rsp)\n\tpxor\t%xmm12,%xmm12\n\tmovaps\t%xmm0,80(%rsp)\n\tpxor\t%xmm13,%xmm13\n\tmovaps\t%xmm0,96(%rsp)\n\tpxor\t%xmm14,%xmm14\n\tmovaps\t%xmm0,112(%rsp)\n\tpxor\t%xmm15,%xmm15\n\tmovq\t-8(%r11),%rbp\n.cfi_restore\t%rbp\n\tleaq\t(%r11),%rsp\n.cfi_def_cfa_register\t%rsp\n.Lctr32_epilogue:\n\tret\n.cfi_endproc\t\n.size\taes_hw_ctr32_encrypt_blocks,.-aes_hw_ctr32_encrypt_blocks\n.globl\taes_hw_cbc_encrypt\n.hidden aes_hw_cbc_encrypt\n.type\taes_hw_cbc_encrypt,@function\n.align\t16\naes_hw_cbc_encrypt:\n.cfi_startproc\t\n_CET_ENDBR\n\ttestq\t%rdx,%rdx\n\tjz\t.Lcbc_ret\n\n\tmovl\t240(%rcx),%r10d\n\tmovq\t%rcx,%r11\n\ttestl\t%r9d,%r9d\n\tjz\t.Lcbc_decrypt\n\n\tmovups\t(%r8),%xmm2\n\tmovl\t%r10d,%eax\n\tcmpq\t$16,%rdx\n\tjb\t.Lcbc_enc_tail\n\tsubq\t$16,%rdx\n\tjmp\t.Lcbc_enc_loop\n.align\t16\n.Lcbc_enc_loop:\n\tmovups\t(%rdi),%xmm3\n\tleaq\t16(%rdi),%rdi\n\n\tmovups\t(%rcx),%xmm0\n\tmovups\t16(%rcx),%xmm1\n\txorps\t%xmm0,%xmm3\n\tleaq\t32(%rcx),%rcx\n\txorps\t%xmm3,%xmm2\n.Loop_enc1_6:\n.byte\t102,15,56,220,209\n\tdecl\t%eax\n\tmovups\t(%rcx),%xmm1\n\tleaq\t16(%rcx),%rcx\n\tjnz\t.Loop_enc1_6\n.byte\t102,15,56,221,209\n\tmovl\t%r10d,%eax\n\tmovq\t%r11,%rcx\n\tmovups\t%xmm2,0(%rsi)\n\tleaq\t16(%rsi),%rsi\n\tsubq\t$16,%rdx\n\tjnc\t.Lcbc_enc_loop\n\taddq\t$16,%rdx\n\tjnz\t.Lcbc_enc_tail\n\tpxor\t%xmm0,%xmm0\n\tpxor\t%xmm1,%xmm1\n\tmovups\t%xmm2,(%r8)\n\tpxor\t%xmm2,%xmm2\n\tpxor\t%xmm3,%xmm3\n\tjmp\t.Lcbc_ret\n\n.Lcbc_enc_tail:\n\tmovq\t%rdx,%rcx\n\txchgq\t%rdi,%rsi\n.long\t0x9066A4F3\n\tmovl\t$16,%ecx\n\tsubq\t%rdx,%rcx\n\txorl\t%eax,%eax\n.long\t0x9066AAF3\n\tleaq\t-16(%rdi),%rdi\n\tmovl\t%r10d,%eax\n\tmovq\t%rdi,%rsi\n\tmovq\t%r11,%rcx\n\txorq\t%rdx,%rdx\n\tjmp\t.Lcbc_enc_loop\n\n.align\t16\n.Lcbc_decrypt:\n\tcmpq\t$16,%rdx\n\tjne\t.Lcbc_decrypt_bulk\n\n\n\n\tmovdqu\t(%rdi),%xmm2\n\tmovdqu\t(%r8),%xmm3\n\tmovdqa\t%xmm2,%xmm4\n\tmovups\t(%rcx),%xmm0\n\tmovups\t16(%rcx),%xmm1\n\tleaq\t32(%rcx),%rcx\n\txorps\t%xmm0,%xmm2\n.Loop_dec1_7:\n.byte\t102,15,56,222,209\n\tdecl\t%r10d\n\tmovups\t(%rcx),%xmm1\n\tleaq\t16(%rcx),%rcx\n\tjnz\t.Loop_dec1_7\n.byte\t102,15,56,223,209\n\tpxor\t%xmm0,%xmm0\n\tpxor\t%xmm1,%xmm1\n\tmovdqu\t%xmm4,(%r8)\n\txorps\t%xmm3,%xmm2\n\tpxor\t%xmm3,%xmm3\n\tmovups\t%xmm2,(%rsi)\n\tpxor\t%xmm2,%xmm2\n\tjmp\t.Lcbc_ret\n.align\t16\n.Lcbc_decrypt_bulk:\n\tleaq\t(%rsp),%r11\n.cfi_def_cfa_register\t%r11\n\tpushq\t%rbp\n.cfi_offset\t%rbp,-16\n\tsubq\t$16,%rsp\n\tandq\t$-16,%rsp\n\tmovq\t%rcx,%rbp\n\tmovups\t(%r8),%xmm10\n\tmovl\t%r10d,%eax\n\tcmpq\t$0x50,%rdx\n\tjbe\t.Lcbc_dec_tail\n\n\tmovups\t(%rcx),%xmm0\n\tmovdqu\t0(%rdi),%xmm2\n\tmovdqu\t16(%rdi),%xmm3\n\tmovdqa\t%xmm2,%xmm11\n\tmovdqu\t32(%rdi),%xmm4\n\tmovdqa\t%xmm3,%xmm12\n\tmovdqu\t48(%rdi),%xmm5\n\tmovdqa\t%xmm4,%xmm13\n\tmovdqu\t64(%rdi),%xmm6\n\tmovdqa\t%xmm5,%xmm14\n\tmovdqu\t80(%rdi),%xmm7\n\tmovdqa\t%xmm6,%xmm15\n\tcmpq\t$0x70,%rdx\n\tjbe\t.Lcbc_dec_six_or_seven\n\n\tsubq\t$0x70,%rdx\n\tleaq\t112(%rcx),%rcx\n\tjmp\t.Lcbc_dec_loop8_enter\n.align\t16\n.Lcbc_dec_loop8:\n\tmovups\t%xmm9,(%rsi)\n\tleaq\t16(%rsi),%rsi\n.Lcbc_dec_loop8_enter:\n\tmovdqu\t96(%rdi),%xmm8\n\tpxor\t%xmm0,%xmm2\n\tmovdqu\t112(%rdi),%xmm9\n\tpxor\t%xmm0,%xmm3\n\tmovups\t16-112(%rcx),%xmm1\n\tpxor\t%xmm0,%xmm4\n\tmovq\t$-1,%rbp\n\tcmpq\t$0x70,%rdx\n\tpxor\t%xmm0,%xmm5\n\tpxor\t%xmm0,%xmm6\n\tpxor\t%xmm0,%xmm7\n\tpxor\t%xmm0,%xmm8\n\n.byte\t102,15,56,222,209\n\tpxor\t%xmm0,%xmm9\n\tmovups\t32-112(%rcx),%xmm0\n.byte\t102,15,56,222,217\n.byte\t102,15,56,222,225\n.byte\t102,15,56,222,233\n.byte\t102,15,56,222,241\n.byte\t102,15,56,222,249\n.byte\t102,68,15,56,222,193\n\tadcq\t$0,%rbp\n\tandq\t$128,%rbp\n.byte\t102,68,15,56,222,201\n\taddq\t%rdi,%rbp\n\tmovups\t48-112(%rcx),%xmm1\n.byte\t102,15,56,222,208\n.byte\t102,15,56,222,216\n.byte\t102,15,56,222,224\n.byte\t102,15,56,222,232\n.byte\t102,15,56,222,240\n.byte\t102,15,56,222,248\n.byte\t102,68,15,56,222,192\n.byte\t102,68,15,56,222,200\n\tmovups\t64-112(%rcx),%xmm0\n\tnop\n.byte\t102,15,56,222,209\n.byte\t102,15,56,222,217\n.byte\t102,15,56,222,225\n.byte\t102,15,56,222,233\n.byte\t102,15,56,222,241\n.byte\t102,15,56,222,249\n.byte\t102,68,15,56,222,193\n.byte\t102,68,15,56,222,201\n\tmovups\t80-112(%rcx),%xmm1\n\tnop\n.byte\t102,15,56,222,208\n.byte\t102,15,56,222,216\n.byte\t102,15,56,222,224\n.byte\t102,15,56,222,232\n.byte\t102,15,56,222,240\n.byte\t102,15,56,222,248\n.byte\t102,68,15,56,222,192\n.byte\t102,68,15,56,222,200\n\tmovups\t96-112(%rcx),%xmm0\n\tnop\n.byte\t102,15,56,222,209\n.byte\t102,15,56,222,217\n.byte\t102,15,56,222,225\n.byte\t102,15,56,222,233\n.byte\t102,15,56,222,241\n.byte\t102,15,56,222,249\n.byte\t102,68,15,56,222,193\n.byte\t102,68,15,56,222,201\n\tmovups\t112-112(%rcx),%xmm1\n\tnop\n.byte\t102,15,56,222,208\n.byte\t102,15,56,222,216\n.byte\t102,15,56,222,224\n.byte\t102,15,56,222,232\n.byte\t102,15,56,222,240\n.byte\t102,15,56,222,248\n.byte\t102,68,15,56,222,192\n.byte\t102,68,15,56,222,200\n\tmovups\t128-112(%rcx),%xmm0\n\tnop\n.byte\t102,15,56,222,209\n.byte\t102,15,56,222,217\n.byte\t102,15,56,222,225\n.byte\t102,15,56,222,233\n.byte\t102,15,56,222,241\n.byte\t102,15,56,222,249\n.byte\t102,68,15,56,222,193\n.byte\t102,68,15,56,222,201\n\tmovups\t144-112(%rcx),%xmm1\n\tcmpl\t$11,%eax\n.byte\t102,15,56,222,208\n.byte\t102,15,56,222,216\n.byte\t102,15,56,222,224\n.byte\t102,15,56,222,232\n.byte\t102,15,56,222,240\n.byte\t102,15,56,222,248\n.byte\t102,68,15,56,222,192\n.byte\t102,68,15,56,222,200\n\tmovups\t160-112(%rcx),%xmm0\n\tjb\t.Lcbc_dec_done\n.byte\t102,15,56,222,209\n.byte\t102,15,56,222,217\n.byte\t102,15,56,222,225\n.byte\t102,15,56,222,233\n.byte\t102,15,56,222,241\n.byte\t102,15,56,222,249\n.byte\t102,68,15,56,222,193\n.byte\t102,68,15,56,222,201\n\tmovups\t176-112(%rcx),%xmm1\n\tnop\n.byte\t102,15,56,222,208\n.byte\t102,15,56,222,216\n.byte\t102,15,56,222,224\n.byte\t102,15,56,222,232\n.byte\t102,15,56,222,240\n.byte\t102,15,56,222,248\n.byte\t102,68,15,56,222,192\n.byte\t102,68,15,56,222,200\n\tmovups\t192-112(%rcx),%xmm0\n\tje\t.Lcbc_dec_done\n.byte\t102,15,56,222,209\n.byte\t102,15,56,222,217\n.byte\t102,15,56,222,225\n.byte\t102,15,56,222,233\n.byte\t102,15,56,222,241\n.byte\t102,15,56,222,249\n.byte\t102,68,15,56,222,193\n.byte\t102,68,15,56,222,201\n\tmovups\t208-112(%rcx),%xmm1\n\tnop\n.byte\t102,15,56,222,208\n.byte\t102,15,56,222,216\n.byte\t102,15,56,222,224\n.byte\t102,15,56,222,232\n.byte\t102,15,56,222,240\n.byte\t102,15,56,222,248\n.byte\t102,68,15,56,222,192\n.byte\t102,68,15,56,222,200\n\tmovups\t224-112(%rcx),%xmm0\n\tjmp\t.Lcbc_dec_done\n.align\t16\n.Lcbc_dec_done:\n.byte\t102,15,56,222,209\n.byte\t102,15,56,222,217\n\tpxor\t%xmm0,%xmm10\n\tpxor\t%xmm0,%xmm11\n.byte\t102,15,56,222,225\n.byte\t102,15,56,222,233\n\tpxor\t%xmm0,%xmm12\n\tpxor\t%xmm0,%xmm13\n.byte\t102,15,56,222,241\n.byte\t102,15,56,222,249\n\tpxor\t%xmm0,%xmm14\n\tpxor\t%xmm0,%xmm15\n.byte\t102,68,15,56,222,193\n.byte\t102,68,15,56,222,201\n\tmovdqu\t80(%rdi),%xmm1\n\n.byte\t102,65,15,56,223,210\n\tmovdqu\t96(%rdi),%xmm10\n\tpxor\t%xmm0,%xmm1\n.byte\t102,65,15,56,223,219\n\tpxor\t%xmm0,%xmm10\n\tmovdqu\t112(%rdi),%xmm0\n.byte\t102,65,15,56,223,228\n\tleaq\t128(%rdi),%rdi\n\tmovdqu\t0(%rbp),%xmm11\n.byte\t102,65,15,56,223,237\n.byte\t102,65,15,56,223,246\n\tmovdqu\t16(%rbp),%xmm12\n\tmovdqu\t32(%rbp),%xmm13\n.byte\t102,65,15,56,223,255\n.byte\t102,68,15,56,223,193\n\tmovdqu\t48(%rbp),%xmm14\n\tmovdqu\t64(%rbp),%xmm15\n.byte\t102,69,15,56,223,202\n\tmovdqa\t%xmm0,%xmm10\n\tmovdqu\t80(%rbp),%xmm1\n\tmovups\t-112(%rcx),%xmm0\n\n\tmovups\t%xmm2,(%rsi)\n\tmovdqa\t%xmm11,%xmm2\n\tmovups\t%xmm3,16(%rsi)\n\tmovdqa\t%xmm12,%xmm3\n\tmovups\t%xmm4,32(%rsi)\n\tmovdqa\t%xmm13,%xmm4\n\tmovups\t%xmm5,48(%rsi)\n\tmovdqa\t%xmm14,%xmm5\n\tmovups\t%xmm6,64(%rsi)\n\tmovdqa\t%xmm15,%xmm6\n\tmovups\t%xmm7,80(%rsi)\n\tmovdqa\t%xmm1,%xmm7\n\tmovups\t%xmm8,96(%rsi)\n\tleaq\t112(%rsi),%rsi\n\n\tsubq\t$0x80,%rdx\n\tja\t.Lcbc_dec_loop8\n\n\tmovaps\t%xmm9,%xmm2\n\tleaq\t-112(%rcx),%rcx\n\taddq\t$0x70,%rdx\n\tjle\t.Lcbc_dec_clear_tail_collected\n\tmovups\t%xmm9,(%rsi)\n\tleaq\t16(%rsi),%rsi\n\tcmpq\t$0x50,%rdx\n\tjbe\t.Lcbc_dec_tail\n\n\tmovaps\t%xmm11,%xmm2\n.Lcbc_dec_six_or_seven:\n\tcmpq\t$0x60,%rdx\n\tja\t.Lcbc_dec_seven\n\n\tmovaps\t%xmm7,%xmm8\n\tcall\t_aesni_decrypt6\n\tpxor\t%xmm10,%xmm2\n\tmovaps\t%xmm8,%xmm10\n\tpxor\t%xmm11,%xmm3\n\tmovdqu\t%xmm2,(%rsi)\n\tpxor\t%xmm12,%xmm4\n\tmovdqu\t%xmm3,16(%rsi)\n\tpxor\t%xmm3,%xmm3\n\tpxor\t%xmm13,%xmm5\n\tmovdqu\t%xmm4,32(%rsi)\n\tpxor\t%xmm4,%xmm4\n\tpxor\t%xmm14,%xmm6\n\tmovdqu\t%xmm5,48(%rsi)\n\tpxor\t%xmm5,%xmm5\n\tpxor\t%xmm15,%xmm7\n\tmovdqu\t%xmm6,64(%rsi)\n\tpxor\t%xmm6,%xmm6\n\tleaq\t80(%rsi),%rsi\n\tmovdqa\t%xmm7,%xmm2\n\tpxor\t%xmm7,%xmm7\n\tjmp\t.Lcbc_dec_tail_collected\n\n.align\t16\n.Lcbc_dec_seven:\n\tmovups\t96(%rdi),%xmm8\n\txorps\t%xmm9,%xmm9\n\tcall\t_aesni_decrypt8\n\tmovups\t80(%rdi),%xmm9\n\tpxor\t%xmm10,%xmm2\n\tmovups\t96(%rdi),%xmm10\n\tpxor\t%xmm11,%xmm3\n\tmovdqu\t%xmm2,(%rsi)\n\tpxor\t%xmm12,%xmm4\n\tmovdqu\t%xmm3,16(%rsi)\n\tpxor\t%xmm3,%xmm3\n\tpxor\t%xmm13,%xmm5\n\tmovdqu\t%xmm4,32(%rsi)\n\tpxor\t%xmm4,%xmm4\n\tpxor\t%xmm14,%xmm6\n\tmovdqu\t%xmm5,48(%rsi)\n\tpxor\t%xmm5,%xmm5\n\tpxor\t%xmm15,%xmm7\n\tmovdqu\t%xmm6,64(%rsi)\n\tpxor\t%xmm6,%xmm6\n\tpxor\t%xmm9,%xmm8\n\tmovdqu\t%xmm7,80(%rsi)\n\tpxor\t%xmm7,%xmm7\n\tleaq\t96(%rsi),%rsi\n\tmovdqa\t%xmm8,%xmm2\n\tpxor\t%xmm8,%xmm8\n\tpxor\t%xmm9,%xmm9\n\tjmp\t.Lcbc_dec_tail_collected\n\n.Lcbc_dec_tail:\n\tmovups\t(%rdi),%xmm2\n\tsubq\t$0x10,%rdx\n\tjbe\t.Lcbc_dec_one\n\n\tmovups\t16(%rdi),%xmm3\n\tmovaps\t%xmm2,%xmm11\n\tsubq\t$0x10,%rdx\n\tjbe\t.Lcbc_dec_two\n\n\tmovups\t32(%rdi),%xmm4\n\tmovaps\t%xmm3,%xmm12\n\tsubq\t$0x10,%rdx\n\tjbe\t.Lcbc_dec_three\n\n\tmovups\t48(%rdi),%xmm5\n\tmovaps\t%xmm4,%xmm13\n\tsubq\t$0x10,%rdx\n\tjbe\t.Lcbc_dec_four\n\n\tmovups\t64(%rdi),%xmm6\n\tmovaps\t%xmm5,%xmm14\n\tmovaps\t%xmm6,%xmm15\n\txorps\t%xmm7,%xmm7\n\tcall\t_aesni_decrypt6\n\tpxor\t%xmm10,%xmm2\n\tmovaps\t%xmm15,%xmm10\n\tpxor\t%xmm11,%xmm3\n\tmovdqu\t%xmm2,(%rsi)\n\tpxor\t%xmm12,%xmm4\n\tmovdqu\t%xmm3,16(%rsi)\n\tpxor\t%xmm3,%xmm3\n\tpxor\t%xmm13,%xmm5\n\tmovdqu\t%xmm4,32(%rsi)\n\tpxor\t%xmm4,%xmm4\n\tpxor\t%xmm14,%xmm6\n\tmovdqu\t%xmm5,48(%rsi)\n\tpxor\t%xmm5,%xmm5\n\tleaq\t64(%rsi),%rsi\n\tmovdqa\t%xmm6,%xmm2\n\tpxor\t%xmm6,%xmm6\n\tpxor\t%xmm7,%xmm7\n\tsubq\t$0x10,%rdx\n\tjmp\t.Lcbc_dec_tail_collected\n\n.align\t16\n.Lcbc_dec_one:\n\tmovaps\t%xmm2,%xmm11\n\tmovups\t(%rcx),%xmm0\n\tmovups\t16(%rcx),%xmm1\n\tleaq\t32(%rcx),%rcx\n\txorps\t%xmm0,%xmm2\n.Loop_dec1_8:\n.byte\t102,15,56,222,209\n\tdecl\t%eax\n\tmovups\t(%rcx),%xmm1\n\tleaq\t16(%rcx),%rcx\n\tjnz\t.Loop_dec1_8\n.byte\t102,15,56,223,209\n\txorps\t%xmm10,%xmm2\n\tmovaps\t%xmm11,%xmm10\n\tjmp\t.Lcbc_dec_tail_collected\n.align\t16\n.Lcbc_dec_two:\n\tmovaps\t%xmm3,%xmm12\n\tcall\t_aesni_decrypt2\n\tpxor\t%xmm10,%xmm2\n\tmovaps\t%xmm12,%xmm10\n\tpxor\t%xmm11,%xmm3\n\tmovdqu\t%xmm2,(%rsi)\n\tmovdqa\t%xmm3,%xmm2\n\tpxor\t%xmm3,%xmm3\n\tleaq\t16(%rsi),%rsi\n\tjmp\t.Lcbc_dec_tail_collected\n.align\t16\n.Lcbc_dec_three:\n\tmovaps\t%xmm4,%xmm13\n\tcall\t_aesni_decrypt3\n\tpxor\t%xmm10,%xmm2\n\tmovaps\t%xmm13,%xmm10\n\tpxor\t%xmm11,%xmm3\n\tmovdqu\t%xmm2,(%rsi)\n\tpxor\t%xmm12,%xmm4\n\tmovdqu\t%xmm3,16(%rsi)\n\tpxor\t%xmm3,%xmm3\n\tmovdqa\t%xmm4,%xmm2\n\tpxor\t%xmm4,%xmm4\n\tleaq\t32(%rsi),%rsi\n\tjmp\t.Lcbc_dec_tail_collected\n.align\t16\n.Lcbc_dec_four:\n\tmovaps\t%xmm5,%xmm14\n\tcall\t_aesni_decrypt4\n\tpxor\t%xmm10,%xmm2\n\tmovaps\t%xmm14,%xmm10\n\tpxor\t%xmm11,%xmm3\n\tmovdqu\t%xmm2,(%rsi)\n\tpxor\t%xmm12,%xmm4\n\tmovdqu\t%xmm3,16(%rsi)\n\tpxor\t%xmm3,%xmm3\n\tpxor\t%xmm13,%xmm5\n\tmovdqu\t%xmm4,32(%rsi)\n\tpxor\t%xmm4,%xmm4\n\tmovdqa\t%xmm5,%xmm2\n\tpxor\t%xmm5,%xmm5\n\tleaq\t48(%rsi),%rsi\n\tjmp\t.Lcbc_dec_tail_collected\n\n.align\t16\n.Lcbc_dec_clear_tail_collected:\n\tpxor\t%xmm3,%xmm3\n\tpxor\t%xmm4,%xmm4\n\tpxor\t%xmm5,%xmm5\n\tpxor\t%xmm6,%xmm6\n\tpxor\t%xmm7,%xmm7\n\tpxor\t%xmm8,%xmm8\n\tpxor\t%xmm9,%xmm9\n.Lcbc_dec_tail_collected:\n\tmovups\t%xmm10,(%r8)\n\tandq\t$15,%rdx\n\tjnz\t.Lcbc_dec_tail_partial\n\tmovups\t%xmm2,(%rsi)\n\tpxor\t%xmm2,%xmm2\n\tjmp\t.Lcbc_dec_ret\n.align\t16\n.Lcbc_dec_tail_partial:\n\tmovaps\t%xmm2,(%rsp)\n\tpxor\t%xmm2,%xmm2\n\tmovq\t$16,%rcx\n\tmovq\t%rsi,%rdi\n\tsubq\t%rdx,%rcx\n\tleaq\t(%rsp),%rsi\n.long\t0x9066A4F3\n\tmovdqa\t%xmm2,(%rsp)\n\n.Lcbc_dec_ret:\n\txorps\t%xmm0,%xmm0\n\tpxor\t%xmm1,%xmm1\n\tmovq\t-8(%r11),%rbp\n.cfi_restore\t%rbp\n\tleaq\t(%r11),%rsp\n.cfi_def_cfa_register\t%rsp\n.Lcbc_ret:\n\tret\n.cfi_endproc\t\n.size\taes_hw_cbc_encrypt,.-aes_hw_cbc_encrypt\n.globl\taes_hw_encrypt_key_to_decrypt_key\n.hidden aes_hw_encrypt_key_to_decrypt_key\n.type\taes_hw_encrypt_key_to_decrypt_key,@function\n.align\t16\naes_hw_encrypt_key_to_decrypt_key:\n.cfi_startproc\t\n_CET_ENDBR\n\n\tmovl\t240(%rdi),%esi\n\tshll\t$4,%esi\n\n\tleaq\t16(%rdi,%rsi,1),%rdx\n\n\tmovups\t(%rdi),%xmm0\n\tmovups\t(%rdx),%xmm1\n\tmovups\t%xmm0,(%rdx)\n\tmovups\t%xmm1,(%rdi)\n\tleaq\t16(%rdi),%rdi\n\tleaq\t-16(%rdx),%rdx\n\n.Ldec_key_inverse:\n\tmovups\t(%rdi),%xmm0\n\tmovups\t(%rdx),%xmm1\n.byte\t102,15,56,219,192\n.byte\t102,15,56,219,201\n\tleaq\t16(%rdi),%rdi\n\tleaq\t-16(%rdx),%rdx\n\tmovups\t%xmm0,16(%rdx)\n\tmovups\t%xmm1,-16(%rdi)\n\tcmpq\t%rdi,%rdx\n\tja\t.Ldec_key_inverse\n\n\tmovups\t(%rdi),%xmm0\n.byte\t102,15,56,219,192\n\tpxor\t%xmm1,%xmm1\n\tmovups\t%xmm0,(%rdx)\n\tpxor\t%xmm0,%xmm0\n\tret\n.cfi_endproc\t\n.size\taes_hw_encrypt_key_to_decrypt_key,.-aes_hw_encrypt_key_to_decrypt_key\n.globl\taes_hw_set_encrypt_key_base\n.hidden aes_hw_set_encrypt_key_base\n.type\taes_hw_set_encrypt_key_base,@function\n.align\t16\naes_hw_set_encrypt_key_base:\n.cfi_startproc\t\n\n_CET_ENDBR\n#ifdef BORINGSSL_DISPATCH_TEST\n\tmovb\t$1,BORINGSSL_function_hit+3(%rip)\n#endif\n\tsubq\t$8,%rsp\n.cfi_adjust_cfa_offset\t8\n\n\n\tmovups\t(%rdi),%xmm0\n\txorps\t%xmm4,%xmm4\n\tleaq\t16(%rdx),%rax\n\tcmpl\t$256,%esi\n\tje\t.L14rounds\n\tcmpl\t$192,%esi\n\tje\t.L12rounds\n\tcmpl\t$128,%esi\n\tjne\t.Lbad_keybits\n\n.L10rounds:\n\tmovl\t$9,%esi\n\n\tmovups\t%xmm0,(%rdx)\n.byte\t102,15,58,223,200,1\n\tcall\t.Lkey_expansion_128_cold\n.byte\t102,15,58,223,200,2\n\tcall\t.Lkey_expansion_128\n.byte\t102,15,58,223,200,4\n\tcall\t.Lkey_expansion_128\n.byte\t102,15,58,223,200,8\n\tcall\t.Lkey_expansion_128\n.byte\t102,15,58,223,200,16\n\tcall\t.Lkey_expansion_128\n.byte\t102,15,58,223,200,32\n\tcall\t.Lkey_expansion_128\n.byte\t102,15,58,223,200,64\n\tcall\t.Lkey_expansion_128\n.byte\t102,15,58,223,200,128\n\tcall\t.Lkey_expansion_128\n.byte\t102,15,58,223,200,27\n\tcall\t.Lkey_expansion_128\n.byte\t102,15,58,223,200,54\n\tcall\t.Lkey_expansion_128\n\tmovups\t%xmm0,(%rax)\n\tmovl\t%esi,80(%rax)\n\txorl\t%eax,%eax\n\tjmp\t.Lenc_key_ret\n\n.align\t16\n.L12rounds:\n\tmovq\t16(%rdi),%xmm2\n\tmovl\t$11,%esi\n\n\tmovups\t%xmm0,(%rdx)\n.byte\t102,15,58,223,202,1\n\tcall\t.Lkey_expansion_192a_cold\n.byte\t102,15,58,223,202,2\n\tcall\t.Lkey_expansion_192b\n.byte\t102,15,58,223,202,4\n\tcall\t.Lkey_expansion_192a\n.byte\t102,15,58,223,202,8\n\tcall\t.Lkey_expansion_192b\n.byte\t102,15,58,223,202,16\n\tcall\t.Lkey_expansion_192a\n.byte\t102,15,58,223,202,32\n\tcall\t.Lkey_expansion_192b\n.byte\t102,15,58,223,202,64\n\tcall\t.Lkey_expansion_192a\n.byte\t102,15,58,223,202,128\n\tcall\t.Lkey_expansion_192b\n\tmovups\t%xmm0,(%rax)\n\tmovl\t%esi,48(%rax)\n\txorq\t%rax,%rax\n\tjmp\t.Lenc_key_ret\n\n.align\t16\n.L14rounds:\n\tmovups\t16(%rdi),%xmm2\n\tmovl\t$13,%esi\n\tleaq\t16(%rax),%rax\n\n\tmovups\t%xmm0,(%rdx)\n\tmovups\t%xmm2,16(%rdx)\n.byte\t102,15,58,223,202,1\n\tcall\t.Lkey_expansion_256a_cold\n.byte\t102,15,58,223,200,1\n\tcall\t.Lkey_expansion_256b\n.byte\t102,15,58,223,202,2\n\tcall\t.Lkey_expansion_256a\n.byte\t102,15,58,223,200,2\n\tcall\t.Lkey_expansion_256b\n.byte\t102,15,58,223,202,4\n\tcall\t.Lkey_expansion_256a\n.byte\t102,15,58,223,200,4\n\tcall\t.Lkey_expansion_256b\n.byte\t102,15,58,223,202,8\n\tcall\t.Lkey_expansion_256a\n.byte\t102,15,58,223,200,8\n\tcall\t.Lkey_expansion_256b\n.byte\t102,15,58,223,202,16\n\tcall\t.Lkey_expansion_256a\n.byte\t102,15,58,223,200,16\n\tcall\t.Lkey_expansion_256b\n.byte\t102,15,58,223,202,32\n\tcall\t.Lkey_expansion_256a\n.byte\t102,15,58,223,200,32\n\tcall\t.Lkey_expansion_256b\n.byte\t102,15,58,223,202,64\n\tcall\t.Lkey_expansion_256a\n\tmovups\t%xmm0,(%rax)\n\tmovl\t%esi,16(%rax)\n\txorq\t%rax,%rax\n\tjmp\t.Lenc_key_ret\n\n.align\t16\n.Lbad_keybits:\n\tmovq\t$-2,%rax\n.Lenc_key_ret:\n\tpxor\t%xmm0,%xmm0\n\tpxor\t%xmm1,%xmm1\n\tpxor\t%xmm2,%xmm2\n\tpxor\t%xmm3,%xmm3\n\tpxor\t%xmm4,%xmm4\n\tpxor\t%xmm5,%xmm5\n\taddq\t$8,%rsp\n.cfi_adjust_cfa_offset\t-8\n\tret\n.cfi_endproc\t\n\n\n.align\t16\n.Lkey_expansion_128:\n.cfi_startproc\t\n\tmovups\t%xmm0,(%rax)\n\tleaq\t16(%rax),%rax\n.Lkey_expansion_128_cold:\n\tshufps\t$16,%xmm0,%xmm4\n\txorps\t%xmm4,%xmm0\n\tshufps\t$140,%xmm0,%xmm4\n\txorps\t%xmm4,%xmm0\n\tshufps\t$255,%xmm1,%xmm1\n\txorps\t%xmm1,%xmm0\n\tret\n.cfi_endproc\t\n\n.align\t16\n.Lkey_expansion_192a:\n.cfi_startproc\t\n\tmovups\t%xmm0,(%rax)\n\tleaq\t16(%rax),%rax\n.Lkey_expansion_192a_cold:\n\tmovaps\t%xmm2,%xmm5\n.Lkey_expansion_192b_warm:\n\tshufps\t$16,%xmm0,%xmm4\n\tmovdqa\t%xmm2,%xmm3\n\txorps\t%xmm4,%xmm0\n\tshufps\t$140,%xmm0,%xmm4\n\tpslldq\t$4,%xmm3\n\txorps\t%xmm4,%xmm0\n\tpshufd\t$85,%xmm1,%xmm1\n\tpxor\t%xmm3,%xmm2\n\tpxor\t%xmm1,%xmm0\n\tpshufd\t$255,%xmm0,%xmm3\n\tpxor\t%xmm3,%xmm2\n\tret\n.cfi_endproc\t\n\n.align\t16\n.Lkey_expansion_192b:\n.cfi_startproc\t\n\tmovaps\t%xmm0,%xmm3\n\tshufps\t$68,%xmm0,%xmm5\n\tmovups\t%xmm5,(%rax)\n\tshufps\t$78,%xmm2,%xmm3\n\tmovups\t%xmm3,16(%rax)\n\tleaq\t32(%rax),%rax\n\tjmp\t.Lkey_expansion_192b_warm\n.cfi_endproc\t\n\n.align\t16\n.Lkey_expansion_256a:\n.cfi_startproc\t\n\tmovups\t%xmm2,(%rax)\n\tleaq\t16(%rax),%rax\n.Lkey_expansion_256a_cold:\n\tshufps\t$16,%xmm0,%xmm4\n\txorps\t%xmm4,%xmm0\n\tshufps\t$140,%xmm0,%xmm4\n\txorps\t%xmm4,%xmm0\n\tshufps\t$255,%xmm1,%xmm1\n\txorps\t%xmm1,%xmm0\n\tret\n.cfi_endproc\t\n\n.align\t16\n.Lkey_expansion_256b:\n.cfi_startproc\t\n\tmovups\t%xmm0,(%rax)\n\tleaq\t16(%rax),%rax\n\n\tshufps\t$16,%xmm2,%xmm4\n\txorps\t%xmm4,%xmm2\n\tshufps\t$140,%xmm2,%xmm4\n\txorps\t%xmm4,%xmm2\n\tshufps\t$170,%xmm1,%xmm1\n\txorps\t%xmm1,%xmm2\n\tret\n.cfi_endproc\t\n.size\taes_hw_set_encrypt_key_base,.-aes_hw_set_encrypt_key_base\n\n.globl\taes_hw_set_encrypt_key_alt\n.hidden aes_hw_set_encrypt_key_alt\n.type\taes_hw_set_encrypt_key_alt,@function\n.align\t16\naes_hw_set_encrypt_key_alt:\n.cfi_startproc\t\n\n_CET_ENDBR\n#ifdef BORINGSSL_DISPATCH_TEST\n\tmovb\t$1,BORINGSSL_function_hit+3(%rip)\n#endif\n\tsubq\t$8,%rsp\n.cfi_adjust_cfa_offset\t8\n\n\n\tmovups\t(%rdi),%xmm0\n\txorps\t%xmm4,%xmm4\n\tleaq\t16(%rdx),%rax\n\tcmpl\t$256,%esi\n\tje\t.L14rounds_alt\n\tcmpl\t$192,%esi\n\tje\t.L12rounds_alt\n\tcmpl\t$128,%esi\n\tjne\t.Lbad_keybits_alt\n\n\tmovl\t$9,%esi\n\tmovdqa\t.Lkey_rotate(%rip),%xmm5\n\tmovl\t$8,%r10d\n\tmovdqa\t.Lkey_rcon1(%rip),%xmm4\n\tmovdqa\t%xmm0,%xmm2\n\tmovdqu\t%xmm0,(%rdx)\n\tjmp\t.Loop_key128\n\n.align\t16\n.Loop_key128:\n.byte\t102,15,56,0,197\n.byte\t102,15,56,221,196\n\tpslld\t$1,%xmm4\n\tleaq\t16(%rax),%rax\n\n\tmovdqa\t%xmm2,%xmm3\n\tpslldq\t$4,%xmm2\n\tpxor\t%xmm2,%xmm3\n\tpslldq\t$4,%xmm2\n\tpxor\t%xmm2,%xmm3\n\tpslldq\t$4,%xmm2\n\tpxor\t%xmm3,%xmm2\n\n\tpxor\t%xmm2,%xmm0\n\tmovdqu\t%xmm0,-16(%rax)\n\tmovdqa\t%xmm0,%xmm2\n\n\tdecl\t%r10d\n\tjnz\t.Loop_key128\n\n\tmovdqa\t.Lkey_rcon1b(%rip),%xmm4\n\n.byte\t102,15,56,0,197\n.byte\t102,15,56,221,196\n\tpslld\t$1,%xmm4\n\n\tmovdqa\t%xmm2,%xmm3\n\tpslldq\t$4,%xmm2\n\tpxor\t%xmm2,%xmm3\n\tpslldq\t$4,%xmm2\n\tpxor\t%xmm2,%xmm3\n\tpslldq\t$4,%xmm2\n\tpxor\t%xmm3,%xmm2\n\n\tpxor\t%xmm2,%xmm0\n\tmovdqu\t%xmm0,(%rax)\n\n\tmovdqa\t%xmm0,%xmm2\n.byte\t102,15,56,0,197\n.byte\t102,15,56,221,196\n\n\tmovdqa\t%xmm2,%xmm3\n\tpslldq\t$4,%xmm2\n\tpxor\t%xmm2,%xmm3\n\tpslldq\t$4,%xmm2\n\tpxor\t%xmm2,%xmm3\n\tpslldq\t$4,%xmm2\n\tpxor\t%xmm3,%xmm2\n\n\tpxor\t%xmm2,%xmm0\n\tmovdqu\t%xmm0,16(%rax)\n\n\tmovl\t%esi,96(%rax)\n\txorl\t%eax,%eax\n\tjmp\t.Lenc_key_ret_alt\n\n.align\t16\n.L12rounds_alt:\n\tmovq\t16(%rdi),%xmm2\n\tmovl\t$11,%esi\n\tmovdqa\t.Lkey_rotate192(%rip),%xmm5\n\tmovdqa\t.Lkey_rcon1(%rip),%xmm4\n\tmovl\t$8,%r10d\n\tmovdqu\t%xmm0,(%rdx)\n\tjmp\t.Loop_key192\n\n.align\t16\n.Loop_key192:\n\tmovq\t%xmm2,0(%rax)\n\tmovdqa\t%xmm2,%xmm1\n.byte\t102,15,56,0,213\n.byte\t102,15,56,221,212\n\tpslld\t$1,%xmm4\n\tleaq\t24(%rax),%rax\n\n\tmovdqa\t%xmm0,%xmm3\n\tpslldq\t$4,%xmm0\n\tpxor\t%xmm0,%xmm3\n\tpslldq\t$4,%xmm0\n\tpxor\t%xmm0,%xmm3\n\tpslldq\t$4,%xmm0\n\tpxor\t%xmm3,%xmm0\n\n\tpshufd\t$0xff,%xmm0,%xmm3\n\tpxor\t%xmm1,%xmm3\n\tpslldq\t$4,%xmm1\n\tpxor\t%xmm1,%xmm3\n\n\tpxor\t%xmm2,%xmm0\n\tpxor\t%xmm3,%xmm2\n\tmovdqu\t%xmm0,-16(%rax)\n\n\tdecl\t%r10d\n\tjnz\t.Loop_key192\n\n\tmovl\t%esi,32(%rax)\n\txorl\t%eax,%eax\n\tjmp\t.Lenc_key_ret_alt\n\n.align\t16\n.L14rounds_alt:\n\tmovups\t16(%rdi),%xmm2\n\tmovl\t$13,%esi\n\tleaq\t16(%rax),%rax\n\tmovdqa\t.Lkey_rotate(%rip),%xmm5\n\tmovdqa\t.Lkey_rcon1(%rip),%xmm4\n\tmovl\t$7,%r10d\n\tmovdqu\t%xmm0,0(%rdx)\n\tmovdqa\t%xmm2,%xmm1\n\tmovdqu\t%xmm2,16(%rdx)\n\tjmp\t.Loop_key256\n\n.align\t16\n.Loop_key256:\n.byte\t102,15,56,0,213\n.byte\t102,15,56,221,212\n\n\tmovdqa\t%xmm0,%xmm3\n\tpslldq\t$4,%xmm0\n\tpxor\t%xmm0,%xmm3\n\tpslldq\t$4,%xmm0\n\tpxor\t%xmm0,%xmm3\n\tpslldq\t$4,%xmm0\n\tpxor\t%xmm3,%xmm0\n\tpslld\t$1,%xmm4\n\n\tpxor\t%xmm2,%xmm0\n\tmovdqu\t%xmm0,(%rax)\n\n\tdecl\t%r10d\n\tjz\t.Ldone_key256\n\n\tpshufd\t$0xff,%xmm0,%xmm2\n\tpxor\t%xmm3,%xmm3\n.byte\t102,15,56,221,211\n\n\tmovdqa\t%xmm1,%xmm3\n\tpslldq\t$4,%xmm1\n\tpxor\t%xmm1,%xmm3\n\tpslldq\t$4,%xmm1\n\tpxor\t%xmm1,%xmm3\n\tpslldq\t$4,%xmm1\n\tpxor\t%xmm3,%xmm1\n\n\tpxor\t%xmm1,%xmm2\n\tmovdqu\t%xmm2,16(%rax)\n\tleaq\t32(%rax),%rax\n\tmovdqa\t%xmm2,%xmm1\n\n\tjmp\t.Loop_key256\n\n.Ldone_key256:\n\tmovl\t%esi,16(%rax)\n\txorl\t%eax,%eax\n\tjmp\t.Lenc_key_ret_alt\n\n.align\t16\n.Lbad_keybits_alt:\n\tmovq\t$-2,%rax\n.Lenc_key_ret_alt:\n\tpxor\t%xmm0,%xmm0\n\tpxor\t%xmm1,%xmm1\n\tpxor\t%xmm2,%xmm2\n\tpxor\t%xmm3,%xmm3\n\tpxor\t%xmm4,%xmm4\n\tpxor\t%xmm5,%xmm5\n\taddq\t$8,%rsp\n.cfi_adjust_cfa_offset\t-8\n\tret\n.cfi_endproc\t\n\n.size\taes_hw_set_encrypt_key_alt,.-aes_hw_set_encrypt_key_alt\n.section\t.rodata\n.align\t64\n.Lbswap_mask:\n.byte\t15,14,13,12,11,10,9,8,7,6,5,4,3,2,1,0\n.Lincrement32:\n.long\t6,6,6,0\n.Lincrement64:\n.long\t1,0,0,0\n.Lxts_magic:\n.long\t0x87,0,1,0\n.Lincrement1:\n.byte\t0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1\n.Lkey_rotate:\n.long\t0x0c0f0e0d,0x0c0f0e0d,0x0c0f0e0d,0x0c0f0e0d\n.Lkey_rotate192:\n.long\t0x04070605,0x04070605,0x04070605,0x04070605\n.Lkey_rcon1:\n.long\t1,1,1,1\n.Lkey_rcon1b:\n.long\t0x1b,0x1b,0x1b,0x1b\n\n.byte\t65,69,83,32,102,111,114,32,73,110,116,101,108,32,65,69,83,45,78,73,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0\n.align\t64\n.text\t\n#endif\n#if defined(__linux__) && defined(__ELF__)\n.section .note.GNU-stack,\"\",%progbits\n#endif\n\n" }, { "path": "Sources/CNIOBoringSSL/gen/bcm/aesv8-armv7-linux.S", "content": "#define BORINGSSL_PREFIX CNIOBoringSSL\n// This file is generated from a similarly-named Perl script in the BoringSSL\n// source tree. Do not edit by hand.\n\n#include \n\n#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_ARM) && defined(__ELF__)\n#include \n\n#if __ARM_MAX_ARCH__>=7\n.text\n.arch\tarmv7-a\t@ don't confuse not-so-latest binutils with argv8 :-)\n.fpu\tneon\n.code\t32\n#undef\t__thumb2__\n.align\t5\n.Lrcon:\n.long\t0x01,0x01,0x01,0x01\n.long\t0x0c0f0e0d,0x0c0f0e0d,0x0c0f0e0d,0x0c0f0e0d\t@ rotate-n-splat\n.long\t0x1b,0x1b,0x1b,0x1b\n\n.text\n\n.globl\taes_hw_set_encrypt_key\n.hidden\taes_hw_set_encrypt_key\n.type\taes_hw_set_encrypt_key,%function\n.align\t5\naes_hw_set_encrypt_key:\n.Lenc_key:\n\tmov\tr3,#-2\n\tcmp\tr1,#128\n\tblt\t.Lenc_key_abort\n\tcmp\tr1,#256\n\tbgt\t.Lenc_key_abort\n\ttst\tr1,#0x3f\n\tbne\t.Lenc_key_abort\n\n\tadr\tr3,.Lrcon\n\tcmp\tr1,#192\n\n\tveor\tq0,q0,q0\n\tvld1.8\t{q3},[r0]!\n\tmov\tr1,#8\t\t@ reuse r1\n\tvld1.32\t{q1,q2},[r3]!\n\n\tblt\t.Loop128\n\tbeq\t.L192\n\tb\t.L256\n\n.align\t4\n.Loop128:\n\tvtbl.8\td20,{q3},d4\n\tvtbl.8\td21,{q3},d5\n\tvext.8\tq9,q0,q3,#12\n\tvst1.32\t{q3},[r2]!\n.byte\t0x00,0x43,0xf0,0xf3\t@ aese q10,q0\n\tsubs\tr1,r1,#1\n\n\tveor\tq3,q3,q9\n\tvext.8\tq9,q0,q9,#12\n\tveor\tq3,q3,q9\n\tvext.8\tq9,q0,q9,#12\n\tveor\tq10,q10,q1\n\tveor\tq3,q3,q9\n\tvshl.u8\tq1,q1,#1\n\tveor\tq3,q3,q10\n\tbne\t.Loop128\n\n\tvld1.32\t{q1},[r3]\n\n\tvtbl.8\td20,{q3},d4\n\tvtbl.8\td21,{q3},d5\n\tvext.8\tq9,q0,q3,#12\n\tvst1.32\t{q3},[r2]!\n.byte\t0x00,0x43,0xf0,0xf3\t@ aese q10,q0\n\n\tveor\tq3,q3,q9\n\tvext.8\tq9,q0,q9,#12\n\tveor\tq3,q3,q9\n\tvext.8\tq9,q0,q9,#12\n\tveor\tq10,q10,q1\n\tveor\tq3,q3,q9\n\tvshl.u8\tq1,q1,#1\n\tveor\tq3,q3,q10\n\n\tvtbl.8\td20,{q3},d4\n\tvtbl.8\td21,{q3},d5\n\tvext.8\tq9,q0,q3,#12\n\tvst1.32\t{q3},[r2]!\n.byte\t0x00,0x43,0xf0,0xf3\t@ aese q10,q0\n\n\tveor\tq3,q3,q9\n\tvext.8\tq9,q0,q9,#12\n\tveor\tq3,q3,q9\n\tvext.8\tq9,q0,q9,#12\n\tveor\tq10,q10,q1\n\tveor\tq3,q3,q9\n\tveor\tq3,q3,q10\n\tvst1.32\t{q3},[r2]\n\tadd\tr2,r2,#0x50\n\n\tmov\tr12,#10\n\tb\t.Ldone\n\n.align\t4\n.L192:\n\tvld1.8\t{d16},[r0]!\n\tvmov.i8\tq10,#8\t\t\t@ borrow q10\n\tvst1.32\t{q3},[r2]!\n\tvsub.i8\tq2,q2,q10\t@ adjust the mask\n\n.Loop192:\n\tvtbl.8\td20,{q8},d4\n\tvtbl.8\td21,{q8},d5\n\tvext.8\tq9,q0,q3,#12\n\tvst1.32\t{d16},[r2]!\n.byte\t0x00,0x43,0xf0,0xf3\t@ aese q10,q0\n\tsubs\tr1,r1,#1\n\n\tveor\tq3,q3,q9\n\tvext.8\tq9,q0,q9,#12\n\tveor\tq3,q3,q9\n\tvext.8\tq9,q0,q9,#12\n\tveor\tq3,q3,q9\n\n\tvdup.32\tq9,d7[1]\n\tveor\tq9,q9,q8\n\tveor\tq10,q10,q1\n\tvext.8\tq8,q0,q8,#12\n\tvshl.u8\tq1,q1,#1\n\tveor\tq8,q8,q9\n\tveor\tq3,q3,q10\n\tveor\tq8,q8,q10\n\tvst1.32\t{q3},[r2]!\n\tbne\t.Loop192\n\n\tmov\tr12,#12\n\tadd\tr2,r2,#0x20\n\tb\t.Ldone\n\n.align\t4\n.L256:\n\tvld1.8\t{q8},[r0]\n\tmov\tr1,#7\n\tmov\tr12,#14\n\tvst1.32\t{q3},[r2]!\n\n.Loop256:\n\tvtbl.8\td20,{q8},d4\n\tvtbl.8\td21,{q8},d5\n\tvext.8\tq9,q0,q3,#12\n\tvst1.32\t{q8},[r2]!\n.byte\t0x00,0x43,0xf0,0xf3\t@ aese q10,q0\n\tsubs\tr1,r1,#1\n\n\tveor\tq3,q3,q9\n\tvext.8\tq9,q0,q9,#12\n\tveor\tq3,q3,q9\n\tvext.8\tq9,q0,q9,#12\n\tveor\tq10,q10,q1\n\tveor\tq3,q3,q9\n\tvshl.u8\tq1,q1,#1\n\tveor\tq3,q3,q10\n\tvst1.32\t{q3},[r2]!\n\tbeq\t.Ldone\n\n\tvdup.32\tq10,d7[1]\n\tvext.8\tq9,q0,q8,#12\n.byte\t0x00,0x43,0xf0,0xf3\t@ aese q10,q0\n\n\tveor\tq8,q8,q9\n\tvext.8\tq9,q0,q9,#12\n\tveor\tq8,q8,q9\n\tvext.8\tq9,q0,q9,#12\n\tveor\tq8,q8,q9\n\n\tveor\tq8,q8,q10\n\tb\t.Loop256\n\n.Ldone:\n\tstr\tr12,[r2]\n\tmov\tr3,#0\n\n.Lenc_key_abort:\n\tmov\tr0,r3\t\t\t@ return value\n\n\tbx\tlr\n.size\taes_hw_set_encrypt_key,.-aes_hw_set_encrypt_key\n\n.globl\taes_hw_set_decrypt_key\n.hidden\taes_hw_set_decrypt_key\n.type\taes_hw_set_decrypt_key,%function\n.align\t5\naes_hw_set_decrypt_key:\n\tstmdb\tsp!,{r4,lr}\n\tbl\t.Lenc_key\n\n\tcmp\tr0,#0\n\tbne\t.Ldec_key_abort\n\n\tsub\tr2,r2,#240\t\t@ restore original r2\n\tmov\tr4,#-16\n\tadd\tr0,r2,r12,lsl#4\t@ end of key schedule\n\n\tvld1.32\t{q0},[r2]\n\tvld1.32\t{q1},[r0]\n\tvst1.32\t{q0},[r0],r4\n\tvst1.32\t{q1},[r2]!\n\n.Loop_imc:\n\tvld1.32\t{q0},[r2]\n\tvld1.32\t{q1},[r0]\n.byte\t0xc0,0x03,0xb0,0xf3\t@ aesimc q0,q0\n.byte\t0xc2,0x23,0xb0,0xf3\t@ aesimc q1,q1\n\tvst1.32\t{q0},[r0],r4\n\tvst1.32\t{q1},[r2]!\n\tcmp\tr0,r2\n\tbhi\t.Loop_imc\n\n\tvld1.32\t{q0},[r2]\n.byte\t0xc0,0x03,0xb0,0xf3\t@ aesimc q0,q0\n\tvst1.32\t{q0},[r0]\n\n\teor\tr0,r0,r0\t\t@ return value\n.Ldec_key_abort:\n\tldmia\tsp!,{r4,pc}\n.size\taes_hw_set_decrypt_key,.-aes_hw_set_decrypt_key\n.globl\taes_hw_encrypt\n.hidden\taes_hw_encrypt\n.type\taes_hw_encrypt,%function\n.align\t5\naes_hw_encrypt:\n\tAARCH64_VALID_CALL_TARGET\n\tldr\tr3,[r2,#240]\n\tvld1.32\t{q0},[r2]!\n\tvld1.8\t{q2},[r0]\n\tsub\tr3,r3,#2\n\tvld1.32\t{q1},[r2]!\n\n.Loop_enc:\n.byte\t0x00,0x43,0xb0,0xf3\t@ aese q2,q0\n.byte\t0x84,0x43,0xb0,0xf3\t@ aesmc q2,q2\n\tvld1.32\t{q0},[r2]!\n\tsubs\tr3,r3,#2\n.byte\t0x02,0x43,0xb0,0xf3\t@ aese q2,q1\n.byte\t0x84,0x43,0xb0,0xf3\t@ aesmc q2,q2\n\tvld1.32\t{q1},[r2]!\n\tbgt\t.Loop_enc\n\n.byte\t0x00,0x43,0xb0,0xf3\t@ aese q2,q0\n.byte\t0x84,0x43,0xb0,0xf3\t@ aesmc q2,q2\n\tvld1.32\t{q0},[r2]\n.byte\t0x02,0x43,0xb0,0xf3\t@ aese q2,q1\n\tveor\tq2,q2,q0\n\n\tvst1.8\t{q2},[r1]\n\tbx\tlr\n.size\taes_hw_encrypt,.-aes_hw_encrypt\n.globl\taes_hw_decrypt\n.hidden\taes_hw_decrypt\n.type\taes_hw_decrypt,%function\n.align\t5\naes_hw_decrypt:\n\tAARCH64_VALID_CALL_TARGET\n\tldr\tr3,[r2,#240]\n\tvld1.32\t{q0},[r2]!\n\tvld1.8\t{q2},[r0]\n\tsub\tr3,r3,#2\n\tvld1.32\t{q1},[r2]!\n\n.Loop_dec:\n.byte\t0x40,0x43,0xb0,0xf3\t@ aesd q2,q0\n.byte\t0xc4,0x43,0xb0,0xf3\t@ aesimc q2,q2\n\tvld1.32\t{q0},[r2]!\n\tsubs\tr3,r3,#2\n.byte\t0x42,0x43,0xb0,0xf3\t@ aesd q2,q1\n.byte\t0xc4,0x43,0xb0,0xf3\t@ aesimc q2,q2\n\tvld1.32\t{q1},[r2]!\n\tbgt\t.Loop_dec\n\n.byte\t0x40,0x43,0xb0,0xf3\t@ aesd q2,q0\n.byte\t0xc4,0x43,0xb0,0xf3\t@ aesimc q2,q2\n\tvld1.32\t{q0},[r2]\n.byte\t0x42,0x43,0xb0,0xf3\t@ aesd q2,q1\n\tveor\tq2,q2,q0\n\n\tvst1.8\t{q2},[r1]\n\tbx\tlr\n.size\taes_hw_decrypt,.-aes_hw_decrypt\n.globl\taes_hw_cbc_encrypt\n.hidden\taes_hw_cbc_encrypt\n.type\taes_hw_cbc_encrypt,%function\n.align\t5\naes_hw_cbc_encrypt:\n\tmov\tip,sp\n\tstmdb\tsp!,{r4,r5,r6,r7,r8,lr}\n\tvstmdb\tsp!,{d8,d9,d10,d11,d12,d13,d14,d15} @ ABI specification says so\n\tldmia\tip,{r4,r5}\t\t@ load remaining args\n\tsubs\tr2,r2,#16\n\tmov\tr8,#16\n\tblo\t.Lcbc_abort\n\tmoveq\tr8,#0\n\n\tcmp\tr5,#0\t\t\t@ en- or decrypting?\n\tldr\tr5,[r3,#240]\n\tand\tr2,r2,#-16\n\tvld1.8\t{q6},[r4]\n\tvld1.8\t{q0},[r0],r8\n\n\tvld1.32\t{q8,q9},[r3]\t\t@ load key schedule...\n\tsub\tr5,r5,#6\n\tadd\tr7,r3,r5,lsl#4\t@ pointer to last 7 round keys\n\tsub\tr5,r5,#2\n\tvld1.32\t{q10,q11},[r7]!\n\tvld1.32\t{q12,q13},[r7]!\n\tvld1.32\t{q14,q15},[r7]!\n\tvld1.32\t{q7},[r7]\n\n\tadd\tr7,r3,#32\n\tmov\tr6,r5\n\tbeq\t.Lcbc_dec\n\n\tcmp\tr5,#2\n\tveor\tq0,q0,q6\n\tveor\tq5,q8,q7\n\tbeq\t.Lcbc_enc128\n\n\tvld1.32\t{q2,q3},[r7]\n\tadd\tr7,r3,#16\n\tadd\tr6,r3,#16*4\n\tadd\tr12,r3,#16*5\n.byte\t0x20,0x03,0xb0,0xf3\t@ aese q0,q8\n.byte\t0x80,0x03,0xb0,0xf3\t@ aesmc q0,q0\n\tadd\tr14,r3,#16*6\n\tadd\tr3,r3,#16*7\n\tb\t.Lenter_cbc_enc\n\n.align\t4\n.Loop_cbc_enc:\n.byte\t0x20,0x03,0xb0,0xf3\t@ aese q0,q8\n.byte\t0x80,0x03,0xb0,0xf3\t@ aesmc q0,q0\n\tvst1.8\t{q6},[r1]!\n.Lenter_cbc_enc:\n.byte\t0x22,0x03,0xb0,0xf3\t@ aese q0,q9\n.byte\t0x80,0x03,0xb0,0xf3\t@ aesmc q0,q0\n.byte\t0x04,0x03,0xb0,0xf3\t@ aese q0,q2\n.byte\t0x80,0x03,0xb0,0xf3\t@ aesmc q0,q0\n\tvld1.32\t{q8},[r6]\n\tcmp\tr5,#4\n.byte\t0x06,0x03,0xb0,0xf3\t@ aese q0,q3\n.byte\t0x80,0x03,0xb0,0xf3\t@ aesmc q0,q0\n\tvld1.32\t{q9},[r12]\n\tbeq\t.Lcbc_enc192\n\n.byte\t0x20,0x03,0xb0,0xf3\t@ aese q0,q8\n.byte\t0x80,0x03,0xb0,0xf3\t@ aesmc q0,q0\n\tvld1.32\t{q8},[r14]\n.byte\t0x22,0x03,0xb0,0xf3\t@ aese q0,q9\n.byte\t0x80,0x03,0xb0,0xf3\t@ aesmc q0,q0\n\tvld1.32\t{q9},[r3]\n\tnop\n\n.Lcbc_enc192:\n.byte\t0x20,0x03,0xb0,0xf3\t@ aese q0,q8\n.byte\t0x80,0x03,0xb0,0xf3\t@ aesmc q0,q0\n\tsubs\tr2,r2,#16\n.byte\t0x22,0x03,0xb0,0xf3\t@ aese q0,q9\n.byte\t0x80,0x03,0xb0,0xf3\t@ aesmc q0,q0\n\tmoveq\tr8,#0\n.byte\t0x24,0x03,0xb0,0xf3\t@ aese q0,q10\n.byte\t0x80,0x03,0xb0,0xf3\t@ aesmc q0,q0\n.byte\t0x26,0x03,0xb0,0xf3\t@ aese q0,q11\n.byte\t0x80,0x03,0xb0,0xf3\t@ aesmc q0,q0\n\tvld1.8\t{q8},[r0],r8\n.byte\t0x28,0x03,0xb0,0xf3\t@ aese q0,q12\n.byte\t0x80,0x03,0xb0,0xf3\t@ aesmc q0,q0\n\tveor\tq8,q8,q5\n.byte\t0x2a,0x03,0xb0,0xf3\t@ aese q0,q13\n.byte\t0x80,0x03,0xb0,0xf3\t@ aesmc q0,q0\n\tvld1.32\t{q9},[r7]\t\t@ re-pre-load rndkey[1]\n.byte\t0x2c,0x03,0xb0,0xf3\t@ aese q0,q14\n.byte\t0x80,0x03,0xb0,0xf3\t@ aesmc q0,q0\n.byte\t0x2e,0x03,0xb0,0xf3\t@ aese q0,q15\n\tveor\tq6,q0,q7\n\tbhs\t.Loop_cbc_enc\n\n\tvst1.8\t{q6},[r1]!\n\tb\t.Lcbc_done\n\n.align\t5\n.Lcbc_enc128:\n\tvld1.32\t{q2,q3},[r7]\n.byte\t0x20,0x03,0xb0,0xf3\t@ aese q0,q8\n.byte\t0x80,0x03,0xb0,0xf3\t@ aesmc q0,q0\n\tb\t.Lenter_cbc_enc128\n.Loop_cbc_enc128:\n.byte\t0x20,0x03,0xb0,0xf3\t@ aese q0,q8\n.byte\t0x80,0x03,0xb0,0xf3\t@ aesmc q0,q0\n\tvst1.8\t{q6},[r1]!\n.Lenter_cbc_enc128:\n.byte\t0x22,0x03,0xb0,0xf3\t@ aese q0,q9\n.byte\t0x80,0x03,0xb0,0xf3\t@ aesmc q0,q0\n\tsubs\tr2,r2,#16\n.byte\t0x04,0x03,0xb0,0xf3\t@ aese q0,q2\n.byte\t0x80,0x03,0xb0,0xf3\t@ aesmc q0,q0\n\tmoveq\tr8,#0\n.byte\t0x06,0x03,0xb0,0xf3\t@ aese q0,q3\n.byte\t0x80,0x03,0xb0,0xf3\t@ aesmc q0,q0\n.byte\t0x24,0x03,0xb0,0xf3\t@ aese q0,q10\n.byte\t0x80,0x03,0xb0,0xf3\t@ aesmc q0,q0\n.byte\t0x26,0x03,0xb0,0xf3\t@ aese q0,q11\n.byte\t0x80,0x03,0xb0,0xf3\t@ aesmc q0,q0\n\tvld1.8\t{q8},[r0],r8\n.byte\t0x28,0x03,0xb0,0xf3\t@ aese q0,q12\n.byte\t0x80,0x03,0xb0,0xf3\t@ aesmc q0,q0\n.byte\t0x2a,0x03,0xb0,0xf3\t@ aese q0,q13\n.byte\t0x80,0x03,0xb0,0xf3\t@ aesmc q0,q0\n.byte\t0x2c,0x03,0xb0,0xf3\t@ aese q0,q14\n.byte\t0x80,0x03,0xb0,0xf3\t@ aesmc q0,q0\n\tveor\tq8,q8,q5\n.byte\t0x2e,0x03,0xb0,0xf3\t@ aese q0,q15\n\tveor\tq6,q0,q7\n\tbhs\t.Loop_cbc_enc128\n\n\tvst1.8\t{q6},[r1]!\n\tb\t.Lcbc_done\n.align\t5\n.Lcbc_dec:\n\tvld1.8\t{q10},[r0]!\n\tsubs\tr2,r2,#32\t\t@ bias\n\tadd\tr6,r5,#2\n\tvorr\tq3,q0,q0\n\tvorr\tq1,q0,q0\n\tvorr\tq11,q10,q10\n\tblo\t.Lcbc_dec_tail\n\n\tvorr\tq1,q10,q10\n\tvld1.8\t{q10},[r0]!\n\tvorr\tq2,q0,q0\n\tvorr\tq3,q1,q1\n\tvorr\tq11,q10,q10\n\n.Loop3x_cbc_dec:\n.byte\t0x60,0x03,0xb0,0xf3\t@ aesd q0,q8\n.byte\t0xc0,0x03,0xb0,0xf3\t@ aesimc q0,q0\n.byte\t0x60,0x23,0xb0,0xf3\t@ aesd q1,q8\n.byte\t0xc2,0x23,0xb0,0xf3\t@ aesimc q1,q1\n.byte\t0x60,0x43,0xf0,0xf3\t@ aesd q10,q8\n.byte\t0xe4,0x43,0xf0,0xf3\t@ aesimc q10,q10\n\tvld1.32\t{q8},[r7]!\n\tsubs\tr6,r6,#2\n.byte\t0x62,0x03,0xb0,0xf3\t@ aesd q0,q9\n.byte\t0xc0,0x03,0xb0,0xf3\t@ aesimc q0,q0\n.byte\t0x62,0x23,0xb0,0xf3\t@ aesd q1,q9\n.byte\t0xc2,0x23,0xb0,0xf3\t@ aesimc q1,q1\n.byte\t0x62,0x43,0xf0,0xf3\t@ aesd q10,q9\n.byte\t0xe4,0x43,0xf0,0xf3\t@ aesimc q10,q10\n\tvld1.32\t{q9},[r7]!\n\tbgt\t.Loop3x_cbc_dec\n\n.byte\t0x60,0x03,0xb0,0xf3\t@ aesd q0,q8\n.byte\t0xc0,0x03,0xb0,0xf3\t@ aesimc q0,q0\n.byte\t0x60,0x23,0xb0,0xf3\t@ aesd q1,q8\n.byte\t0xc2,0x23,0xb0,0xf3\t@ aesimc q1,q1\n.byte\t0x60,0x43,0xf0,0xf3\t@ aesd q10,q8\n.byte\t0xe4,0x43,0xf0,0xf3\t@ aesimc q10,q10\n\tveor\tq4,q6,q7\n\tsubs\tr2,r2,#0x30\n\tveor\tq5,q2,q7\n\tmovlo\tr6,r2\t\t\t@ r6, r6, is zero at this point\n.byte\t0x62,0x03,0xb0,0xf3\t@ aesd q0,q9\n.byte\t0xc0,0x03,0xb0,0xf3\t@ aesimc q0,q0\n.byte\t0x62,0x23,0xb0,0xf3\t@ aesd q1,q9\n.byte\t0xc2,0x23,0xb0,0xf3\t@ aesimc q1,q1\n.byte\t0x62,0x43,0xf0,0xf3\t@ aesd q10,q9\n.byte\t0xe4,0x43,0xf0,0xf3\t@ aesimc q10,q10\n\tveor\tq9,q3,q7\n\tadd\tr0,r0,r6\t\t@ r0 is adjusted in such way that\n\t\t\t\t\t@ at exit from the loop q1-q10\n\t\t\t\t\t@ are loaded with last \"words\"\n\tvorr\tq6,q11,q11\n\tmov\tr7,r3\n.byte\t0x68,0x03,0xb0,0xf3\t@ aesd q0,q12\n.byte\t0xc0,0x03,0xb0,0xf3\t@ aesimc q0,q0\n.byte\t0x68,0x23,0xb0,0xf3\t@ aesd q1,q12\n.byte\t0xc2,0x23,0xb0,0xf3\t@ aesimc q1,q1\n.byte\t0x68,0x43,0xf0,0xf3\t@ aesd q10,q12\n.byte\t0xe4,0x43,0xf0,0xf3\t@ aesimc q10,q10\n\tvld1.8\t{q2},[r0]!\n.byte\t0x6a,0x03,0xb0,0xf3\t@ aesd q0,q13\n.byte\t0xc0,0x03,0xb0,0xf3\t@ aesimc q0,q0\n.byte\t0x6a,0x23,0xb0,0xf3\t@ aesd q1,q13\n.byte\t0xc2,0x23,0xb0,0xf3\t@ aesimc q1,q1\n.byte\t0x6a,0x43,0xf0,0xf3\t@ aesd q10,q13\n.byte\t0xe4,0x43,0xf0,0xf3\t@ aesimc q10,q10\n\tvld1.8\t{q3},[r0]!\n.byte\t0x6c,0x03,0xb0,0xf3\t@ aesd q0,q14\n.byte\t0xc0,0x03,0xb0,0xf3\t@ aesimc q0,q0\n.byte\t0x6c,0x23,0xb0,0xf3\t@ aesd q1,q14\n.byte\t0xc2,0x23,0xb0,0xf3\t@ aesimc q1,q1\n.byte\t0x6c,0x43,0xf0,0xf3\t@ aesd q10,q14\n.byte\t0xe4,0x43,0xf0,0xf3\t@ aesimc q10,q10\n\tvld1.8\t{q11},[r0]!\n.byte\t0x6e,0x03,0xb0,0xf3\t@ aesd q0,q15\n.byte\t0x6e,0x23,0xb0,0xf3\t@ aesd q1,q15\n.byte\t0x6e,0x43,0xf0,0xf3\t@ aesd q10,q15\n\tvld1.32\t{q8},[r7]!\t@ re-pre-load rndkey[0]\n\tadd\tr6,r5,#2\n\tveor\tq4,q4,q0\n\tveor\tq5,q5,q1\n\tveor\tq10,q10,q9\n\tvld1.32\t{q9},[r7]!\t@ re-pre-load rndkey[1]\n\tvst1.8\t{q4},[r1]!\n\tvorr\tq0,q2,q2\n\tvst1.8\t{q5},[r1]!\n\tvorr\tq1,q3,q3\n\tvst1.8\t{q10},[r1]!\n\tvorr\tq10,q11,q11\n\tbhs\t.Loop3x_cbc_dec\n\n\tcmn\tr2,#0x30\n\tbeq\t.Lcbc_done\n\tnop\n\n.Lcbc_dec_tail:\n.byte\t0x60,0x23,0xb0,0xf3\t@ aesd q1,q8\n.byte\t0xc2,0x23,0xb0,0xf3\t@ aesimc q1,q1\n.byte\t0x60,0x43,0xf0,0xf3\t@ aesd q10,q8\n.byte\t0xe4,0x43,0xf0,0xf3\t@ aesimc q10,q10\n\tvld1.32\t{q8},[r7]!\n\tsubs\tr6,r6,#2\n.byte\t0x62,0x23,0xb0,0xf3\t@ aesd q1,q9\n.byte\t0xc2,0x23,0xb0,0xf3\t@ aesimc q1,q1\n.byte\t0x62,0x43,0xf0,0xf3\t@ aesd q10,q9\n.byte\t0xe4,0x43,0xf0,0xf3\t@ aesimc q10,q10\n\tvld1.32\t{q9},[r7]!\n\tbgt\t.Lcbc_dec_tail\n\n.byte\t0x60,0x23,0xb0,0xf3\t@ aesd q1,q8\n.byte\t0xc2,0x23,0xb0,0xf3\t@ aesimc q1,q1\n.byte\t0x60,0x43,0xf0,0xf3\t@ aesd q10,q8\n.byte\t0xe4,0x43,0xf0,0xf3\t@ aesimc q10,q10\n.byte\t0x62,0x23,0xb0,0xf3\t@ aesd q1,q9\n.byte\t0xc2,0x23,0xb0,0xf3\t@ aesimc q1,q1\n.byte\t0x62,0x43,0xf0,0xf3\t@ aesd q10,q9\n.byte\t0xe4,0x43,0xf0,0xf3\t@ aesimc q10,q10\n.byte\t0x68,0x23,0xb0,0xf3\t@ aesd q1,q12\n.byte\t0xc2,0x23,0xb0,0xf3\t@ aesimc q1,q1\n.byte\t0x68,0x43,0xf0,0xf3\t@ aesd q10,q12\n.byte\t0xe4,0x43,0xf0,0xf3\t@ aesimc q10,q10\n\tcmn\tr2,#0x20\n.byte\t0x6a,0x23,0xb0,0xf3\t@ aesd q1,q13\n.byte\t0xc2,0x23,0xb0,0xf3\t@ aesimc q1,q1\n.byte\t0x6a,0x43,0xf0,0xf3\t@ aesd q10,q13\n.byte\t0xe4,0x43,0xf0,0xf3\t@ aesimc q10,q10\n\tveor\tq5,q6,q7\n.byte\t0x6c,0x23,0xb0,0xf3\t@ aesd q1,q14\n.byte\t0xc2,0x23,0xb0,0xf3\t@ aesimc q1,q1\n.byte\t0x6c,0x43,0xf0,0xf3\t@ aesd q10,q14\n.byte\t0xe4,0x43,0xf0,0xf3\t@ aesimc q10,q10\n\tveor\tq9,q3,q7\n.byte\t0x6e,0x23,0xb0,0xf3\t@ aesd q1,q15\n.byte\t0x6e,0x43,0xf0,0xf3\t@ aesd q10,q15\n\tbeq\t.Lcbc_dec_one\n\tveor\tq5,q5,q1\n\tveor\tq9,q9,q10\n\tvorr\tq6,q11,q11\n\tvst1.8\t{q5},[r1]!\n\tvst1.8\t{q9},[r1]!\n\tb\t.Lcbc_done\n\n.Lcbc_dec_one:\n\tveor\tq5,q5,q10\n\tvorr\tq6,q11,q11\n\tvst1.8\t{q5},[r1]!\n\n.Lcbc_done:\n\tvst1.8\t{q6},[r4]\n.Lcbc_abort:\n\tvldmia\tsp!,{d8,d9,d10,d11,d12,d13,d14,d15}\n\tldmia\tsp!,{r4,r5,r6,r7,r8,pc}\n.size\taes_hw_cbc_encrypt,.-aes_hw_cbc_encrypt\n.globl\taes_hw_ctr32_encrypt_blocks\n.hidden\taes_hw_ctr32_encrypt_blocks\n.type\taes_hw_ctr32_encrypt_blocks,%function\n.align\t5\naes_hw_ctr32_encrypt_blocks:\n\tmov\tip,sp\n\tstmdb\tsp!,{r4,r5,r6,r7,r8,r9,r10,lr}\n\tvstmdb\tsp!,{d8,d9,d10,d11,d12,d13,d14,d15} @ ABI specification says so\n\tldr\tr4, [ip]\t\t@ load remaining arg\n\tldr\tr5,[r3,#240]\n\n\tldr\tr8, [r4, #12]\n\tvld1.32\t{q0},[r4]\n\n\tvld1.32\t{q8,q9},[r3]\t\t@ load key schedule...\n\tsub\tr5,r5,#4\n\tmov\tr12,#16\n\tcmp\tr2,#2\n\tadd\tr7,r3,r5,lsl#4\t@ pointer to last 5 round keys\n\tsub\tr5,r5,#2\n\tvld1.32\t{q12,q13},[r7]!\n\tvld1.32\t{q14,q15},[r7]!\n\tvld1.32\t{q7},[r7]\n\tadd\tr7,r3,#32\n\tmov\tr6,r5\n\tmovlo\tr12,#0\n\n\t@ ARM Cortex-A57 and Cortex-A72 cores running in 32-bit mode are\n\t@ affected by silicon errata #1742098 [0] and #1655431 [1],\n\t@ respectively, where the second instruction of an aese/aesmc\n\t@ instruction pair may execute twice if an interrupt is taken right\n\t@ after the first instruction consumes an input register of which a\n\t@ single 32-bit lane has been updated the last time it was modified.\n\t@ \n\t@ This function uses a counter in one 32-bit lane. The \n\t@ could write to q1 and q10 directly, but that trips this bugs.\n\t@ We write to q6 and copy to the final register as a workaround.\n\t@ \n\t@ [0] ARM-EPM-049219 v23 Cortex-A57 MPCore Software Developers Errata Notice\n\t@ [1] ARM-EPM-012079 v11.0 Cortex-A72 MPCore Software Developers Errata Notice\n#ifndef __ARMEB__\n\trev\tr8, r8\n#endif\n\tadd\tr10, r8, #1\n\tvorr\tq6,q0,q0\n\trev\tr10, r10\n\tvmov.32\td13[1],r10\n\tadd\tr8, r8, #2\n\tvorr\tq1,q6,q6\n\tbls\t.Lctr32_tail\n\trev\tr12, r8\n\tvmov.32\td13[1],r12\n\tsub\tr2,r2,#3\t\t@ bias\n\tvorr\tq10,q6,q6\n\tb\t.Loop3x_ctr32\n\n.align\t4\n.Loop3x_ctr32:\n.byte\t0x20,0x03,0xb0,0xf3\t@ aese q0,q8\n.byte\t0x80,0x03,0xb0,0xf3\t@ aesmc q0,q0\n.byte\t0x20,0x23,0xb0,0xf3\t@ aese q1,q8\n.byte\t0x82,0x23,0xb0,0xf3\t@ aesmc q1,q1\n.byte\t0x20,0x43,0xf0,0xf3\t@ aese q10,q8\n.byte\t0xa4,0x43,0xf0,0xf3\t@ aesmc q10,q10\n\tvld1.32\t{q8},[r7]!\n\tsubs\tr6,r6,#2\n.byte\t0x22,0x03,0xb0,0xf3\t@ aese q0,q9\n.byte\t0x80,0x03,0xb0,0xf3\t@ aesmc q0,q0\n.byte\t0x22,0x23,0xb0,0xf3\t@ aese q1,q9\n.byte\t0x82,0x23,0xb0,0xf3\t@ aesmc q1,q1\n.byte\t0x22,0x43,0xf0,0xf3\t@ aese q10,q9\n.byte\t0xa4,0x43,0xf0,0xf3\t@ aesmc q10,q10\n\tvld1.32\t{q9},[r7]!\n\tbgt\t.Loop3x_ctr32\n\n.byte\t0x20,0x03,0xb0,0xf3\t@ aese q0,q8\n.byte\t0x80,0x83,0xb0,0xf3\t@ aesmc q4,q0\n.byte\t0x20,0x23,0xb0,0xf3\t@ aese q1,q8\n.byte\t0x82,0xa3,0xb0,0xf3\t@ aesmc q5,q1\n\tvld1.8\t{q2},[r0]!\n\tadd\tr9,r8,#1\n.byte\t0x20,0x43,0xf0,0xf3\t@ aese q10,q8\n.byte\t0xa4,0x43,0xf0,0xf3\t@ aesmc q10,q10\n\tvld1.8\t{q3},[r0]!\n\trev\tr9,r9\n.byte\t0x22,0x83,0xb0,0xf3\t@ aese q4,q9\n.byte\t0x88,0x83,0xb0,0xf3\t@ aesmc q4,q4\n.byte\t0x22,0xa3,0xb0,0xf3\t@ aese q5,q9\n.byte\t0x8a,0xa3,0xb0,0xf3\t@ aesmc q5,q5\n\tvld1.8\t{q11},[r0]!\n\tmov\tr7,r3\n.byte\t0x22,0x43,0xf0,0xf3\t@ aese q10,q9\n.byte\t0xa4,0x23,0xf0,0xf3\t@ aesmc q9,q10\n.byte\t0x28,0x83,0xb0,0xf3\t@ aese q4,q12\n.byte\t0x88,0x83,0xb0,0xf3\t@ aesmc q4,q4\n.byte\t0x28,0xa3,0xb0,0xf3\t@ aese q5,q12\n.byte\t0x8a,0xa3,0xb0,0xf3\t@ aesmc q5,q5\n\tveor\tq2,q2,q7\n\tadd\tr10,r8,#2\n.byte\t0x28,0x23,0xf0,0xf3\t@ aese q9,q12\n.byte\t0xa2,0x23,0xf0,0xf3\t@ aesmc q9,q9\n\tveor\tq3,q3,q7\n\tadd\tr8,r8,#3\n.byte\t0x2a,0x83,0xb0,0xf3\t@ aese q4,q13\n.byte\t0x88,0x83,0xb0,0xf3\t@ aesmc q4,q4\n.byte\t0x2a,0xa3,0xb0,0xf3\t@ aese q5,q13\n.byte\t0x8a,0xa3,0xb0,0xf3\t@ aesmc q5,q5\n\t @ Note the logic to update q0, q1, and q1 is written to work\n\t @ around a bug in ARM Cortex-A57 and Cortex-A72 cores running in\n\t @ 32-bit mode. See the comment above.\n\tveor\tq11,q11,q7\n\tvmov.32\td13[1], r9\n.byte\t0x2a,0x23,0xf0,0xf3\t@ aese q9,q13\n.byte\t0xa2,0x23,0xf0,0xf3\t@ aesmc q9,q9\n\tvorr\tq0,q6,q6\n\trev\tr10,r10\n.byte\t0x2c,0x83,0xb0,0xf3\t@ aese q4,q14\n.byte\t0x88,0x83,0xb0,0xf3\t@ aesmc q4,q4\n\tvmov.32\td13[1], r10\n\trev\tr12,r8\n.byte\t0x2c,0xa3,0xb0,0xf3\t@ aese q5,q14\n.byte\t0x8a,0xa3,0xb0,0xf3\t@ aesmc q5,q5\n\tvorr\tq1,q6,q6\n\tvmov.32\td13[1], r12\n.byte\t0x2c,0x23,0xf0,0xf3\t@ aese q9,q14\n.byte\t0xa2,0x23,0xf0,0xf3\t@ aesmc q9,q9\n\tvorr\tq10,q6,q6\n\tsubs\tr2,r2,#3\n.byte\t0x2e,0x83,0xb0,0xf3\t@ aese q4,q15\n.byte\t0x2e,0xa3,0xb0,0xf3\t@ aese q5,q15\n.byte\t0x2e,0x23,0xf0,0xf3\t@ aese q9,q15\n\n\tveor\tq2,q2,q4\n\tvld1.32\t{q8},[r7]!\t@ re-pre-load rndkey[0]\n\tvst1.8\t{q2},[r1]!\n\tveor\tq3,q3,q5\n\tmov\tr6,r5\n\tvst1.8\t{q3},[r1]!\n\tveor\tq11,q11,q9\n\tvld1.32\t{q9},[r7]!\t@ re-pre-load rndkey[1]\n\tvst1.8\t{q11},[r1]!\n\tbhs\t.Loop3x_ctr32\n\n\tadds\tr2,r2,#3\n\tbeq\t.Lctr32_done\n\tcmp\tr2,#1\n\tmov\tr12,#16\n\tmoveq\tr12,#0\n\n.Lctr32_tail:\n.byte\t0x20,0x03,0xb0,0xf3\t@ aese q0,q8\n.byte\t0x80,0x03,0xb0,0xf3\t@ aesmc q0,q0\n.byte\t0x20,0x23,0xb0,0xf3\t@ aese q1,q8\n.byte\t0x82,0x23,0xb0,0xf3\t@ aesmc q1,q1\n\tvld1.32\t{q8},[r7]!\n\tsubs\tr6,r6,#2\n.byte\t0x22,0x03,0xb0,0xf3\t@ aese q0,q9\n.byte\t0x80,0x03,0xb0,0xf3\t@ aesmc q0,q0\n.byte\t0x22,0x23,0xb0,0xf3\t@ aese q1,q9\n.byte\t0x82,0x23,0xb0,0xf3\t@ aesmc q1,q1\n\tvld1.32\t{q9},[r7]!\n\tbgt\t.Lctr32_tail\n\n.byte\t0x20,0x03,0xb0,0xf3\t@ aese q0,q8\n.byte\t0x80,0x03,0xb0,0xf3\t@ aesmc q0,q0\n.byte\t0x20,0x23,0xb0,0xf3\t@ aese q1,q8\n.byte\t0x82,0x23,0xb0,0xf3\t@ aesmc q1,q1\n.byte\t0x22,0x03,0xb0,0xf3\t@ aese q0,q9\n.byte\t0x80,0x03,0xb0,0xf3\t@ aesmc q0,q0\n.byte\t0x22,0x23,0xb0,0xf3\t@ aese q1,q9\n.byte\t0x82,0x23,0xb0,0xf3\t@ aesmc q1,q1\n\tvld1.8\t{q2},[r0],r12\n.byte\t0x28,0x03,0xb0,0xf3\t@ aese q0,q12\n.byte\t0x80,0x03,0xb0,0xf3\t@ aesmc q0,q0\n.byte\t0x28,0x23,0xb0,0xf3\t@ aese q1,q12\n.byte\t0x82,0x23,0xb0,0xf3\t@ aesmc q1,q1\n\tvld1.8\t{q3},[r0]\n.byte\t0x2a,0x03,0xb0,0xf3\t@ aese q0,q13\n.byte\t0x80,0x03,0xb0,0xf3\t@ aesmc q0,q0\n.byte\t0x2a,0x23,0xb0,0xf3\t@ aese q1,q13\n.byte\t0x82,0x23,0xb0,0xf3\t@ aesmc q1,q1\n\tveor\tq2,q2,q7\n.byte\t0x2c,0x03,0xb0,0xf3\t@ aese q0,q14\n.byte\t0x80,0x03,0xb0,0xf3\t@ aesmc q0,q0\n.byte\t0x2c,0x23,0xb0,0xf3\t@ aese q1,q14\n.byte\t0x82,0x23,0xb0,0xf3\t@ aesmc q1,q1\n\tveor\tq3,q3,q7\n.byte\t0x2e,0x03,0xb0,0xf3\t@ aese q0,q15\n.byte\t0x2e,0x23,0xb0,0xf3\t@ aese q1,q15\n\n\tcmp\tr2,#1\n\tveor\tq2,q2,q0\n\tveor\tq3,q3,q1\n\tvst1.8\t{q2},[r1]!\n\tbeq\t.Lctr32_done\n\tvst1.8\t{q3},[r1]\n\n.Lctr32_done:\n\tvldmia\tsp!,{d8,d9,d10,d11,d12,d13,d14,d15}\n\tldmia\tsp!,{r4,r5,r6,r7,r8,r9,r10,pc}\n.size\taes_hw_ctr32_encrypt_blocks,.-aes_hw_ctr32_encrypt_blocks\n#endif\n#endif // !OPENSSL_NO_ASM && defined(OPENSSL_ARM) && defined(__ELF__)\n#if defined(__linux__) && defined(__ELF__)\n.section .note.GNU-stack,\"\",%progbits\n#endif\n\n" }, { "path": "Sources/CNIOBoringSSL/gen/bcm/aesv8-armv8-apple.S", "content": "#define BORINGSSL_PREFIX CNIOBoringSSL\n// This file is generated from a similarly-named Perl script in the BoringSSL\n// source tree. Do not edit by hand.\n\n#include \n\n#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_AARCH64) && defined(__APPLE__)\n#include \n\n#if __ARM_MAX_ARCH__>=7\n.text\n\n.section\t__TEXT,__const\n.align\t5\nLrcon:\n.long\t0x01,0x01,0x01,0x01\n.long\t0x0c0f0e0d,0x0c0f0e0d,0x0c0f0e0d,0x0c0f0e0d\t// rotate-n-splat\n.long\t0x1b,0x1b,0x1b,0x1b\n\n.text\n\n.globl\t_aes_hw_set_encrypt_key\n.private_extern\t_aes_hw_set_encrypt_key\n\n.align\t5\n_aes_hw_set_encrypt_key:\nLenc_key:\n\t// Armv8.3-A PAuth: even though x30 is pushed to stack it is not popped later.\n\tAARCH64_VALID_CALL_TARGET\n\tstp\tx29,x30,[sp,#-16]!\n\tadd\tx29,sp,#0\n\tmov\tx3,#-2\n\tcmp\tw1,#128\n\tb.lt\tLenc_key_abort\n\tcmp\tw1,#256\n\tb.gt\tLenc_key_abort\n\ttst\tw1,#0x3f\n\tb.ne\tLenc_key_abort\n\n\tadrp\tx3,Lrcon@PAGE\n\tadd\tx3,x3,Lrcon@PAGEOFF\n\tcmp\tw1,#192\n\n\teor\tv0.16b,v0.16b,v0.16b\n\tld1\t{v3.16b},[x0],#16\n\tmov\tw1,#8\t\t// reuse w1\n\tld1\t{v1.4s,v2.4s},[x3],#32\n\n\tb.lt\tLoop128\n\tb.eq\tL192\n\tb\tL256\n\n.align\t4\nLoop128:\n\ttbl\tv6.16b,{v3.16b},v2.16b\n\text\tv5.16b,v0.16b,v3.16b,#12\n\tst1\t{v3.4s},[x2],#16\n\taese\tv6.16b,v0.16b\n\tsubs\tw1,w1,#1\n\n\teor\tv3.16b,v3.16b,v5.16b\n\text\tv5.16b,v0.16b,v5.16b,#12\n\teor\tv3.16b,v3.16b,v5.16b\n\text\tv5.16b,v0.16b,v5.16b,#12\n\teor\tv6.16b,v6.16b,v1.16b\n\teor\tv3.16b,v3.16b,v5.16b\n\tshl\tv1.16b,v1.16b,#1\n\teor\tv3.16b,v3.16b,v6.16b\n\tb.ne\tLoop128\n\n\tld1\t{v1.4s},[x3]\n\n\ttbl\tv6.16b,{v3.16b},v2.16b\n\text\tv5.16b,v0.16b,v3.16b,#12\n\tst1\t{v3.4s},[x2],#16\n\taese\tv6.16b,v0.16b\n\n\teor\tv3.16b,v3.16b,v5.16b\n\text\tv5.16b,v0.16b,v5.16b,#12\n\teor\tv3.16b,v3.16b,v5.16b\n\text\tv5.16b,v0.16b,v5.16b,#12\n\teor\tv6.16b,v6.16b,v1.16b\n\teor\tv3.16b,v3.16b,v5.16b\n\tshl\tv1.16b,v1.16b,#1\n\teor\tv3.16b,v3.16b,v6.16b\n\n\ttbl\tv6.16b,{v3.16b},v2.16b\n\text\tv5.16b,v0.16b,v3.16b,#12\n\tst1\t{v3.4s},[x2],#16\n\taese\tv6.16b,v0.16b\n\n\teor\tv3.16b,v3.16b,v5.16b\n\text\tv5.16b,v0.16b,v5.16b,#12\n\teor\tv3.16b,v3.16b,v5.16b\n\text\tv5.16b,v0.16b,v5.16b,#12\n\teor\tv6.16b,v6.16b,v1.16b\n\teor\tv3.16b,v3.16b,v5.16b\n\teor\tv3.16b,v3.16b,v6.16b\n\tst1\t{v3.4s},[x2]\n\tadd\tx2,x2,#0x50\n\n\tmov\tw12,#10\n\tb\tLdone\n\n.align\t4\nL192:\n\tld1\t{v4.8b},[x0],#8\n\tmovi\tv6.16b,#8\t\t\t// borrow v6.16b\n\tst1\t{v3.4s},[x2],#16\n\tsub\tv2.16b,v2.16b,v6.16b\t// adjust the mask\n\nLoop192:\n\ttbl\tv6.16b,{v4.16b},v2.16b\n\text\tv5.16b,v0.16b,v3.16b,#12\n\tst1\t{v4.8b},[x2],#8\n\taese\tv6.16b,v0.16b\n\tsubs\tw1,w1,#1\n\n\teor\tv3.16b,v3.16b,v5.16b\n\text\tv5.16b,v0.16b,v5.16b,#12\n\teor\tv3.16b,v3.16b,v5.16b\n\text\tv5.16b,v0.16b,v5.16b,#12\n\teor\tv3.16b,v3.16b,v5.16b\n\n\tdup\tv5.4s,v3.s[3]\n\teor\tv5.16b,v5.16b,v4.16b\n\teor\tv6.16b,v6.16b,v1.16b\n\text\tv4.16b,v0.16b,v4.16b,#12\n\tshl\tv1.16b,v1.16b,#1\n\teor\tv4.16b,v4.16b,v5.16b\n\teor\tv3.16b,v3.16b,v6.16b\n\teor\tv4.16b,v4.16b,v6.16b\n\tst1\t{v3.4s},[x2],#16\n\tb.ne\tLoop192\n\n\tmov\tw12,#12\n\tadd\tx2,x2,#0x20\n\tb\tLdone\n\n.align\t4\nL256:\n\tld1\t{v4.16b},[x0]\n\tmov\tw1,#7\n\tmov\tw12,#14\n\tst1\t{v3.4s},[x2],#16\n\nLoop256:\n\ttbl\tv6.16b,{v4.16b},v2.16b\n\text\tv5.16b,v0.16b,v3.16b,#12\n\tst1\t{v4.4s},[x2],#16\n\taese\tv6.16b,v0.16b\n\tsubs\tw1,w1,#1\n\n\teor\tv3.16b,v3.16b,v5.16b\n\text\tv5.16b,v0.16b,v5.16b,#12\n\teor\tv3.16b,v3.16b,v5.16b\n\text\tv5.16b,v0.16b,v5.16b,#12\n\teor\tv6.16b,v6.16b,v1.16b\n\teor\tv3.16b,v3.16b,v5.16b\n\tshl\tv1.16b,v1.16b,#1\n\teor\tv3.16b,v3.16b,v6.16b\n\tst1\t{v3.4s},[x2],#16\n\tb.eq\tLdone\n\n\tdup\tv6.4s,v3.s[3]\t\t// just splat\n\text\tv5.16b,v0.16b,v4.16b,#12\n\taese\tv6.16b,v0.16b\n\n\teor\tv4.16b,v4.16b,v5.16b\n\text\tv5.16b,v0.16b,v5.16b,#12\n\teor\tv4.16b,v4.16b,v5.16b\n\text\tv5.16b,v0.16b,v5.16b,#12\n\teor\tv4.16b,v4.16b,v5.16b\n\n\teor\tv4.16b,v4.16b,v6.16b\n\tb\tLoop256\n\nLdone:\n\tstr\tw12,[x2]\n\tmov\tx3,#0\n\nLenc_key_abort:\n\tmov\tx0,x3\t\t\t// return value\n\tldr\tx29,[sp],#16\n\tret\n\n\n.globl\t_aes_hw_set_decrypt_key\n.private_extern\t_aes_hw_set_decrypt_key\n\n.align\t5\n_aes_hw_set_decrypt_key:\n\tAARCH64_SIGN_LINK_REGISTER\n\tstp\tx29,x30,[sp,#-16]!\n\tadd\tx29,sp,#0\n\tbl\tLenc_key\n\n\tcmp\tx0,#0\n\tb.ne\tLdec_key_abort\n\n\tsub\tx2,x2,#240\t\t// restore original x2\n\tmov\tx4,#-16\n\tadd\tx0,x2,x12,lsl#4\t// end of key schedule\n\n\tld1\t{v0.4s},[x2]\n\tld1\t{v1.4s},[x0]\n\tst1\t{v0.4s},[x0],x4\n\tst1\t{v1.4s},[x2],#16\n\nLoop_imc:\n\tld1\t{v0.4s},[x2]\n\tld1\t{v1.4s},[x0]\n\taesimc\tv0.16b,v0.16b\n\taesimc\tv1.16b,v1.16b\n\tst1\t{v0.4s},[x0],x4\n\tst1\t{v1.4s},[x2],#16\n\tcmp\tx0,x2\n\tb.hi\tLoop_imc\n\n\tld1\t{v0.4s},[x2]\n\taesimc\tv0.16b,v0.16b\n\tst1\t{v0.4s},[x0]\n\n\teor\tx0,x0,x0\t\t// return value\nLdec_key_abort:\n\tldp\tx29,x30,[sp],#16\n\tAARCH64_VALIDATE_LINK_REGISTER\n\tret\n\n.globl\t_aes_hw_encrypt\n.private_extern\t_aes_hw_encrypt\n\n.align\t5\n_aes_hw_encrypt:\n\tAARCH64_VALID_CALL_TARGET\n\tldr\tw3,[x2,#240]\n\tld1\t{v0.4s},[x2],#16\n\tld1\t{v2.16b},[x0]\n\tsub\tw3,w3,#2\n\tld1\t{v1.4s},[x2],#16\n\nLoop_enc:\n\taese\tv2.16b,v0.16b\n\taesmc\tv2.16b,v2.16b\n\tld1\t{v0.4s},[x2],#16\n\tsubs\tw3,w3,#2\n\taese\tv2.16b,v1.16b\n\taesmc\tv2.16b,v2.16b\n\tld1\t{v1.4s},[x2],#16\n\tb.gt\tLoop_enc\n\n\taese\tv2.16b,v0.16b\n\taesmc\tv2.16b,v2.16b\n\tld1\t{v0.4s},[x2]\n\taese\tv2.16b,v1.16b\n\teor\tv2.16b,v2.16b,v0.16b\n\n\tst1\t{v2.16b},[x1]\n\tret\n\n.globl\t_aes_hw_decrypt\n.private_extern\t_aes_hw_decrypt\n\n.align\t5\n_aes_hw_decrypt:\n\tAARCH64_VALID_CALL_TARGET\n\tldr\tw3,[x2,#240]\n\tld1\t{v0.4s},[x2],#16\n\tld1\t{v2.16b},[x0]\n\tsub\tw3,w3,#2\n\tld1\t{v1.4s},[x2],#16\n\nLoop_dec:\n\taesd\tv2.16b,v0.16b\n\taesimc\tv2.16b,v2.16b\n\tld1\t{v0.4s},[x2],#16\n\tsubs\tw3,w3,#2\n\taesd\tv2.16b,v1.16b\n\taesimc\tv2.16b,v2.16b\n\tld1\t{v1.4s},[x2],#16\n\tb.gt\tLoop_dec\n\n\taesd\tv2.16b,v0.16b\n\taesimc\tv2.16b,v2.16b\n\tld1\t{v0.4s},[x2]\n\taesd\tv2.16b,v1.16b\n\teor\tv2.16b,v2.16b,v0.16b\n\n\tst1\t{v2.16b},[x1]\n\tret\n\n.globl\t_aes_hw_cbc_encrypt\n.private_extern\t_aes_hw_cbc_encrypt\n\n.align\t5\n_aes_hw_cbc_encrypt:\n\t// Armv8.3-A PAuth: even though x30 is pushed to stack it is not popped later.\n\tAARCH64_VALID_CALL_TARGET\n\tstp\tx29,x30,[sp,#-16]!\n\tadd\tx29,sp,#0\n\tsubs\tx2,x2,#16\n\tmov\tx8,#16\n\tb.lo\tLcbc_abort\n\tcsel\tx8,xzr,x8,eq\n\n\tcmp\tw5,#0\t\t\t// en- or decrypting?\n\tldr\tw5,[x3,#240]\n\tand\tx2,x2,#-16\n\tld1\t{v6.16b},[x4]\n\tld1\t{v0.16b},[x0],x8\n\n\tld1\t{v16.4s,v17.4s},[x3]\t\t// load key schedule...\n\tsub\tw5,w5,#6\n\tadd\tx7,x3,x5,lsl#4\t// pointer to last 7 round keys\n\tsub\tw5,w5,#2\n\tld1\t{v18.4s,v19.4s},[x7],#32\n\tld1\t{v20.4s,v21.4s},[x7],#32\n\tld1\t{v22.4s,v23.4s},[x7],#32\n\tld1\t{v7.4s},[x7]\n\n\tadd\tx7,x3,#32\n\tmov\tw6,w5\n\tb.eq\tLcbc_dec\n\n\tcmp\tw5,#2\n\teor\tv0.16b,v0.16b,v6.16b\n\teor\tv5.16b,v16.16b,v7.16b\n\tb.eq\tLcbc_enc128\n\n\tld1\t{v2.4s,v3.4s},[x7]\n\tadd\tx7,x3,#16\n\tadd\tx6,x3,#16*4\n\tadd\tx12,x3,#16*5\n\taese\tv0.16b,v16.16b\n\taesmc\tv0.16b,v0.16b\n\tadd\tx14,x3,#16*6\n\tadd\tx3,x3,#16*7\n\tb\tLenter_cbc_enc\n\n.align\t4\nLoop_cbc_enc:\n\taese\tv0.16b,v16.16b\n\taesmc\tv0.16b,v0.16b\n\tst1\t{v6.16b},[x1],#16\nLenter_cbc_enc:\n\taese\tv0.16b,v17.16b\n\taesmc\tv0.16b,v0.16b\n\taese\tv0.16b,v2.16b\n\taesmc\tv0.16b,v0.16b\n\tld1\t{v16.4s},[x6]\n\tcmp\tw5,#4\n\taese\tv0.16b,v3.16b\n\taesmc\tv0.16b,v0.16b\n\tld1\t{v17.4s},[x12]\n\tb.eq\tLcbc_enc192\n\n\taese\tv0.16b,v16.16b\n\taesmc\tv0.16b,v0.16b\n\tld1\t{v16.4s},[x14]\n\taese\tv0.16b,v17.16b\n\taesmc\tv0.16b,v0.16b\n\tld1\t{v17.4s},[x3]\n\tnop\n\nLcbc_enc192:\n\taese\tv0.16b,v16.16b\n\taesmc\tv0.16b,v0.16b\n\tsubs\tx2,x2,#16\n\taese\tv0.16b,v17.16b\n\taesmc\tv0.16b,v0.16b\n\tcsel\tx8,xzr,x8,eq\n\taese\tv0.16b,v18.16b\n\taesmc\tv0.16b,v0.16b\n\taese\tv0.16b,v19.16b\n\taesmc\tv0.16b,v0.16b\n\tld1\t{v16.16b},[x0],x8\n\taese\tv0.16b,v20.16b\n\taesmc\tv0.16b,v0.16b\n\teor\tv16.16b,v16.16b,v5.16b\n\taese\tv0.16b,v21.16b\n\taesmc\tv0.16b,v0.16b\n\tld1\t{v17.4s},[x7]\t\t// re-pre-load rndkey[1]\n\taese\tv0.16b,v22.16b\n\taesmc\tv0.16b,v0.16b\n\taese\tv0.16b,v23.16b\n\teor\tv6.16b,v0.16b,v7.16b\n\tb.hs\tLoop_cbc_enc\n\n\tst1\t{v6.16b},[x1],#16\n\tb\tLcbc_done\n\n.align\t5\nLcbc_enc128:\n\tld1\t{v2.4s,v3.4s},[x7]\n\taese\tv0.16b,v16.16b\n\taesmc\tv0.16b,v0.16b\n\tb\tLenter_cbc_enc128\nLoop_cbc_enc128:\n\taese\tv0.16b,v16.16b\n\taesmc\tv0.16b,v0.16b\n\tst1\t{v6.16b},[x1],#16\nLenter_cbc_enc128:\n\taese\tv0.16b,v17.16b\n\taesmc\tv0.16b,v0.16b\n\tsubs\tx2,x2,#16\n\taese\tv0.16b,v2.16b\n\taesmc\tv0.16b,v0.16b\n\tcsel\tx8,xzr,x8,eq\n\taese\tv0.16b,v3.16b\n\taesmc\tv0.16b,v0.16b\n\taese\tv0.16b,v18.16b\n\taesmc\tv0.16b,v0.16b\n\taese\tv0.16b,v19.16b\n\taesmc\tv0.16b,v0.16b\n\tld1\t{v16.16b},[x0],x8\n\taese\tv0.16b,v20.16b\n\taesmc\tv0.16b,v0.16b\n\taese\tv0.16b,v21.16b\n\taesmc\tv0.16b,v0.16b\n\taese\tv0.16b,v22.16b\n\taesmc\tv0.16b,v0.16b\n\teor\tv16.16b,v16.16b,v5.16b\n\taese\tv0.16b,v23.16b\n\teor\tv6.16b,v0.16b,v7.16b\n\tb.hs\tLoop_cbc_enc128\n\n\tst1\t{v6.16b},[x1],#16\n\tb\tLcbc_done\n.align\t5\nLcbc_dec:\n\tld1\t{v18.16b},[x0],#16\n\tsubs\tx2,x2,#32\t\t// bias\n\tadd\tw6,w5,#2\n\torr\tv3.16b,v0.16b,v0.16b\n\torr\tv1.16b,v0.16b,v0.16b\n\torr\tv19.16b,v18.16b,v18.16b\n\tb.lo\tLcbc_dec_tail\n\n\torr\tv1.16b,v18.16b,v18.16b\n\tld1\t{v18.16b},[x0],#16\n\torr\tv2.16b,v0.16b,v0.16b\n\torr\tv3.16b,v1.16b,v1.16b\n\torr\tv19.16b,v18.16b,v18.16b\n\nLoop3x_cbc_dec:\n\taesd\tv0.16b,v16.16b\n\taesimc\tv0.16b,v0.16b\n\taesd\tv1.16b,v16.16b\n\taesimc\tv1.16b,v1.16b\n\taesd\tv18.16b,v16.16b\n\taesimc\tv18.16b,v18.16b\n\tld1\t{v16.4s},[x7],#16\n\tsubs\tw6,w6,#2\n\taesd\tv0.16b,v17.16b\n\taesimc\tv0.16b,v0.16b\n\taesd\tv1.16b,v17.16b\n\taesimc\tv1.16b,v1.16b\n\taesd\tv18.16b,v17.16b\n\taesimc\tv18.16b,v18.16b\n\tld1\t{v17.4s},[x7],#16\n\tb.gt\tLoop3x_cbc_dec\n\n\taesd\tv0.16b,v16.16b\n\taesimc\tv0.16b,v0.16b\n\taesd\tv1.16b,v16.16b\n\taesimc\tv1.16b,v1.16b\n\taesd\tv18.16b,v16.16b\n\taesimc\tv18.16b,v18.16b\n\teor\tv4.16b,v6.16b,v7.16b\n\tsubs\tx2,x2,#0x30\n\teor\tv5.16b,v2.16b,v7.16b\n\tcsel\tx6,x2,x6,lo\t\t\t// x6, w6, is zero at this point\n\taesd\tv0.16b,v17.16b\n\taesimc\tv0.16b,v0.16b\n\taesd\tv1.16b,v17.16b\n\taesimc\tv1.16b,v1.16b\n\taesd\tv18.16b,v17.16b\n\taesimc\tv18.16b,v18.16b\n\teor\tv17.16b,v3.16b,v7.16b\n\tadd\tx0,x0,x6\t\t// x0 is adjusted in such way that\n\t\t\t\t\t// at exit from the loop v1.16b-v18.16b\n\t\t\t\t\t// are loaded with last \"words\"\n\torr\tv6.16b,v19.16b,v19.16b\n\tmov\tx7,x3\n\taesd\tv0.16b,v20.16b\n\taesimc\tv0.16b,v0.16b\n\taesd\tv1.16b,v20.16b\n\taesimc\tv1.16b,v1.16b\n\taesd\tv18.16b,v20.16b\n\taesimc\tv18.16b,v18.16b\n\tld1\t{v2.16b},[x0],#16\n\taesd\tv0.16b,v21.16b\n\taesimc\tv0.16b,v0.16b\n\taesd\tv1.16b,v21.16b\n\taesimc\tv1.16b,v1.16b\n\taesd\tv18.16b,v21.16b\n\taesimc\tv18.16b,v18.16b\n\tld1\t{v3.16b},[x0],#16\n\taesd\tv0.16b,v22.16b\n\taesimc\tv0.16b,v0.16b\n\taesd\tv1.16b,v22.16b\n\taesimc\tv1.16b,v1.16b\n\taesd\tv18.16b,v22.16b\n\taesimc\tv18.16b,v18.16b\n\tld1\t{v19.16b},[x0],#16\n\taesd\tv0.16b,v23.16b\n\taesd\tv1.16b,v23.16b\n\taesd\tv18.16b,v23.16b\n\tld1\t{v16.4s},[x7],#16\t// re-pre-load rndkey[0]\n\tadd\tw6,w5,#2\n\teor\tv4.16b,v4.16b,v0.16b\n\teor\tv5.16b,v5.16b,v1.16b\n\teor\tv18.16b,v18.16b,v17.16b\n\tld1\t{v17.4s},[x7],#16\t// re-pre-load rndkey[1]\n\tst1\t{v4.16b},[x1],#16\n\torr\tv0.16b,v2.16b,v2.16b\n\tst1\t{v5.16b},[x1],#16\n\torr\tv1.16b,v3.16b,v3.16b\n\tst1\t{v18.16b},[x1],#16\n\torr\tv18.16b,v19.16b,v19.16b\n\tb.hs\tLoop3x_cbc_dec\n\n\tcmn\tx2,#0x30\n\tb.eq\tLcbc_done\n\tnop\n\nLcbc_dec_tail:\n\taesd\tv1.16b,v16.16b\n\taesimc\tv1.16b,v1.16b\n\taesd\tv18.16b,v16.16b\n\taesimc\tv18.16b,v18.16b\n\tld1\t{v16.4s},[x7],#16\n\tsubs\tw6,w6,#2\n\taesd\tv1.16b,v17.16b\n\taesimc\tv1.16b,v1.16b\n\taesd\tv18.16b,v17.16b\n\taesimc\tv18.16b,v18.16b\n\tld1\t{v17.4s},[x7],#16\n\tb.gt\tLcbc_dec_tail\n\n\taesd\tv1.16b,v16.16b\n\taesimc\tv1.16b,v1.16b\n\taesd\tv18.16b,v16.16b\n\taesimc\tv18.16b,v18.16b\n\taesd\tv1.16b,v17.16b\n\taesimc\tv1.16b,v1.16b\n\taesd\tv18.16b,v17.16b\n\taesimc\tv18.16b,v18.16b\n\taesd\tv1.16b,v20.16b\n\taesimc\tv1.16b,v1.16b\n\taesd\tv18.16b,v20.16b\n\taesimc\tv18.16b,v18.16b\n\tcmn\tx2,#0x20\n\taesd\tv1.16b,v21.16b\n\taesimc\tv1.16b,v1.16b\n\taesd\tv18.16b,v21.16b\n\taesimc\tv18.16b,v18.16b\n\teor\tv5.16b,v6.16b,v7.16b\n\taesd\tv1.16b,v22.16b\n\taesimc\tv1.16b,v1.16b\n\taesd\tv18.16b,v22.16b\n\taesimc\tv18.16b,v18.16b\n\teor\tv17.16b,v3.16b,v7.16b\n\taesd\tv1.16b,v23.16b\n\taesd\tv18.16b,v23.16b\n\tb.eq\tLcbc_dec_one\n\teor\tv5.16b,v5.16b,v1.16b\n\teor\tv17.16b,v17.16b,v18.16b\n\torr\tv6.16b,v19.16b,v19.16b\n\tst1\t{v5.16b},[x1],#16\n\tst1\t{v17.16b},[x1],#16\n\tb\tLcbc_done\n\nLcbc_dec_one:\n\teor\tv5.16b,v5.16b,v18.16b\n\torr\tv6.16b,v19.16b,v19.16b\n\tst1\t{v5.16b},[x1],#16\n\nLcbc_done:\n\tst1\t{v6.16b},[x4]\nLcbc_abort:\n\tldr\tx29,[sp],#16\n\tret\n\n.globl\t_aes_hw_ctr32_encrypt_blocks\n.private_extern\t_aes_hw_ctr32_encrypt_blocks\n\n.align\t5\n_aes_hw_ctr32_encrypt_blocks:\n\t// Armv8.3-A PAuth: even though x30 is pushed to stack it is not popped later.\n\tAARCH64_VALID_CALL_TARGET\n\tstp\tx29,x30,[sp,#-16]!\n\tadd\tx29,sp,#0\n\tldr\tw5,[x3,#240]\n\n\tldr\tw8, [x4, #12]\n\tld1\t{v0.4s},[x4]\n\n\tld1\t{v16.4s,v17.4s},[x3]\t\t// load key schedule...\n\tsub\tw5,w5,#4\n\tmov\tx12,#16\n\tcmp\tx2,#2\n\tadd\tx7,x3,x5,lsl#4\t// pointer to last 5 round keys\n\tsub\tw5,w5,#2\n\tld1\t{v20.4s,v21.4s},[x7],#32\n\tld1\t{v22.4s,v23.4s},[x7],#32\n\tld1\t{v7.4s},[x7]\n\tadd\tx7,x3,#32\n\tmov\tw6,w5\n\tcsel\tx12,xzr,x12,lo\n\n\t// ARM Cortex-A57 and Cortex-A72 cores running in 32-bit mode are\n\t// affected by silicon errata #1742098 [0] and #1655431 [1],\n\t// respectively, where the second instruction of an aese/aesmc\n\t// instruction pair may execute twice if an interrupt is taken right\n\t// after the first instruction consumes an input register of which a\n\t// single 32-bit lane has been updated the last time it was modified.\n\t//\n\t// This function uses a counter in one 32-bit lane. The vmov lines\n\t// could write to v1.16b and v18.16b directly, but that trips this bugs.\n\t// We write to v6.16b and copy to the final register as a workaround.\n\t//\n\t// [0] ARM-EPM-049219 v23 Cortex-A57 MPCore Software Developers Errata Notice\n\t// [1] ARM-EPM-012079 v11.0 Cortex-A72 MPCore Software Developers Errata Notice\n#ifndef __AARCH64EB__\n\trev\tw8, w8\n#endif\n\tadd\tw10, w8, #1\n\torr\tv6.16b,v0.16b,v0.16b\n\trev\tw10, w10\n\tmov\tv6.s[3],w10\n\tadd\tw8, w8, #2\n\torr\tv1.16b,v6.16b,v6.16b\n\tb.ls\tLctr32_tail\n\trev\tw12, w8\n\tmov\tv6.s[3],w12\n\tsub\tx2,x2,#3\t\t// bias\n\torr\tv18.16b,v6.16b,v6.16b\n\tb\tLoop3x_ctr32\n\n.align\t4\nLoop3x_ctr32:\n\taese\tv0.16b,v16.16b\n\taesmc\tv0.16b,v0.16b\n\taese\tv1.16b,v16.16b\n\taesmc\tv1.16b,v1.16b\n\taese\tv18.16b,v16.16b\n\taesmc\tv18.16b,v18.16b\n\tld1\t{v16.4s},[x7],#16\n\tsubs\tw6,w6,#2\n\taese\tv0.16b,v17.16b\n\taesmc\tv0.16b,v0.16b\n\taese\tv1.16b,v17.16b\n\taesmc\tv1.16b,v1.16b\n\taese\tv18.16b,v17.16b\n\taesmc\tv18.16b,v18.16b\n\tld1\t{v17.4s},[x7],#16\n\tb.gt\tLoop3x_ctr32\n\n\taese\tv0.16b,v16.16b\n\taesmc\tv4.16b,v0.16b\n\taese\tv1.16b,v16.16b\n\taesmc\tv5.16b,v1.16b\n\tld1\t{v2.16b},[x0],#16\n\tadd\tw9,w8,#1\n\taese\tv18.16b,v16.16b\n\taesmc\tv18.16b,v18.16b\n\tld1\t{v3.16b},[x0],#16\n\trev\tw9,w9\n\taese\tv4.16b,v17.16b\n\taesmc\tv4.16b,v4.16b\n\taese\tv5.16b,v17.16b\n\taesmc\tv5.16b,v5.16b\n\tld1\t{v19.16b},[x0],#16\n\tmov\tx7,x3\n\taese\tv18.16b,v17.16b\n\taesmc\tv17.16b,v18.16b\n\taese\tv4.16b,v20.16b\n\taesmc\tv4.16b,v4.16b\n\taese\tv5.16b,v20.16b\n\taesmc\tv5.16b,v5.16b\n\teor\tv2.16b,v2.16b,v7.16b\n\tadd\tw10,w8,#2\n\taese\tv17.16b,v20.16b\n\taesmc\tv17.16b,v17.16b\n\teor\tv3.16b,v3.16b,v7.16b\n\tadd\tw8,w8,#3\n\taese\tv4.16b,v21.16b\n\taesmc\tv4.16b,v4.16b\n\taese\tv5.16b,v21.16b\n\taesmc\tv5.16b,v5.16b\n\t // Note the logic to update v0.16b, v1.16b, and v1.16b is written to work\n\t // around a bug in ARM Cortex-A57 and Cortex-A72 cores running in\n\t // 32-bit mode. See the comment above.\n\teor\tv19.16b,v19.16b,v7.16b\n\tmov\tv6.s[3], w9\n\taese\tv17.16b,v21.16b\n\taesmc\tv17.16b,v17.16b\n\torr\tv0.16b,v6.16b,v6.16b\n\trev\tw10,w10\n\taese\tv4.16b,v22.16b\n\taesmc\tv4.16b,v4.16b\n\tmov\tv6.s[3], w10\n\trev\tw12,w8\n\taese\tv5.16b,v22.16b\n\taesmc\tv5.16b,v5.16b\n\torr\tv1.16b,v6.16b,v6.16b\n\tmov\tv6.s[3], w12\n\taese\tv17.16b,v22.16b\n\taesmc\tv17.16b,v17.16b\n\torr\tv18.16b,v6.16b,v6.16b\n\tsubs\tx2,x2,#3\n\taese\tv4.16b,v23.16b\n\taese\tv5.16b,v23.16b\n\taese\tv17.16b,v23.16b\n\n\teor\tv2.16b,v2.16b,v4.16b\n\tld1\t{v16.4s},[x7],#16\t// re-pre-load rndkey[0]\n\tst1\t{v2.16b},[x1],#16\n\teor\tv3.16b,v3.16b,v5.16b\n\tmov\tw6,w5\n\tst1\t{v3.16b},[x1],#16\n\teor\tv19.16b,v19.16b,v17.16b\n\tld1\t{v17.4s},[x7],#16\t// re-pre-load rndkey[1]\n\tst1\t{v19.16b},[x1],#16\n\tb.hs\tLoop3x_ctr32\n\n\tadds\tx2,x2,#3\n\tb.eq\tLctr32_done\n\tcmp\tx2,#1\n\tmov\tx12,#16\n\tcsel\tx12,xzr,x12,eq\n\nLctr32_tail:\n\taese\tv0.16b,v16.16b\n\taesmc\tv0.16b,v0.16b\n\taese\tv1.16b,v16.16b\n\taesmc\tv1.16b,v1.16b\n\tld1\t{v16.4s},[x7],#16\n\tsubs\tw6,w6,#2\n\taese\tv0.16b,v17.16b\n\taesmc\tv0.16b,v0.16b\n\taese\tv1.16b,v17.16b\n\taesmc\tv1.16b,v1.16b\n\tld1\t{v17.4s},[x7],#16\n\tb.gt\tLctr32_tail\n\n\taese\tv0.16b,v16.16b\n\taesmc\tv0.16b,v0.16b\n\taese\tv1.16b,v16.16b\n\taesmc\tv1.16b,v1.16b\n\taese\tv0.16b,v17.16b\n\taesmc\tv0.16b,v0.16b\n\taese\tv1.16b,v17.16b\n\taesmc\tv1.16b,v1.16b\n\tld1\t{v2.16b},[x0],x12\n\taese\tv0.16b,v20.16b\n\taesmc\tv0.16b,v0.16b\n\taese\tv1.16b,v20.16b\n\taesmc\tv1.16b,v1.16b\n\tld1\t{v3.16b},[x0]\n\taese\tv0.16b,v21.16b\n\taesmc\tv0.16b,v0.16b\n\taese\tv1.16b,v21.16b\n\taesmc\tv1.16b,v1.16b\n\teor\tv2.16b,v2.16b,v7.16b\n\taese\tv0.16b,v22.16b\n\taesmc\tv0.16b,v0.16b\n\taese\tv1.16b,v22.16b\n\taesmc\tv1.16b,v1.16b\n\teor\tv3.16b,v3.16b,v7.16b\n\taese\tv0.16b,v23.16b\n\taese\tv1.16b,v23.16b\n\n\tcmp\tx2,#1\n\teor\tv2.16b,v2.16b,v0.16b\n\teor\tv3.16b,v3.16b,v1.16b\n\tst1\t{v2.16b},[x1],#16\n\tb.eq\tLctr32_done\n\tst1\t{v3.16b},[x1]\n\nLctr32_done:\n\tldr\tx29,[sp],#16\n\tret\n\n#endif\n#endif // !OPENSSL_NO_ASM && defined(OPENSSL_AARCH64) && defined(__APPLE__)\n#if defined(__linux__) && defined(__ELF__)\n.section .note.GNU-stack,\"\",%progbits\n#endif\n\n" }, { "path": "Sources/CNIOBoringSSL/gen/bcm/aesv8-armv8-linux.S", "content": "#define BORINGSSL_PREFIX CNIOBoringSSL\n// This file is generated from a similarly-named Perl script in the BoringSSL\n// source tree. Do not edit by hand.\n\n#include \n\n#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_AARCH64) && defined(__ELF__)\n#include \n\n#if __ARM_MAX_ARCH__>=7\n.text\n.arch\tarmv8-a+crypto\n.section\t.rodata\n.align\t5\n.Lrcon:\n.long\t0x01,0x01,0x01,0x01\n.long\t0x0c0f0e0d,0x0c0f0e0d,0x0c0f0e0d,0x0c0f0e0d\t// rotate-n-splat\n.long\t0x1b,0x1b,0x1b,0x1b\n\n.text\n\n.globl\taes_hw_set_encrypt_key\n.hidden\taes_hw_set_encrypt_key\n.type\taes_hw_set_encrypt_key,%function\n.align\t5\naes_hw_set_encrypt_key:\n.Lenc_key:\n\t// Armv8.3-A PAuth: even though x30 is pushed to stack it is not popped later.\n\tAARCH64_VALID_CALL_TARGET\n\tstp\tx29,x30,[sp,#-16]!\n\tadd\tx29,sp,#0\n\tmov\tx3,#-2\n\tcmp\tw1,#128\n\tb.lt\t.Lenc_key_abort\n\tcmp\tw1,#256\n\tb.gt\t.Lenc_key_abort\n\ttst\tw1,#0x3f\n\tb.ne\t.Lenc_key_abort\n\n\tadrp\tx3,.Lrcon\n\tadd\tx3,x3,:lo12:.Lrcon\n\tcmp\tw1,#192\n\n\teor\tv0.16b,v0.16b,v0.16b\n\tld1\t{v3.16b},[x0],#16\n\tmov\tw1,#8\t\t// reuse w1\n\tld1\t{v1.4s,v2.4s},[x3],#32\n\n\tb.lt\t.Loop128\n\tb.eq\t.L192\n\tb\t.L256\n\n.align\t4\n.Loop128:\n\ttbl\tv6.16b,{v3.16b},v2.16b\n\text\tv5.16b,v0.16b,v3.16b,#12\n\tst1\t{v3.4s},[x2],#16\n\taese\tv6.16b,v0.16b\n\tsubs\tw1,w1,#1\n\n\teor\tv3.16b,v3.16b,v5.16b\n\text\tv5.16b,v0.16b,v5.16b,#12\n\teor\tv3.16b,v3.16b,v5.16b\n\text\tv5.16b,v0.16b,v5.16b,#12\n\teor\tv6.16b,v6.16b,v1.16b\n\teor\tv3.16b,v3.16b,v5.16b\n\tshl\tv1.16b,v1.16b,#1\n\teor\tv3.16b,v3.16b,v6.16b\n\tb.ne\t.Loop128\n\n\tld1\t{v1.4s},[x3]\n\n\ttbl\tv6.16b,{v3.16b},v2.16b\n\text\tv5.16b,v0.16b,v3.16b,#12\n\tst1\t{v3.4s},[x2],#16\n\taese\tv6.16b,v0.16b\n\n\teor\tv3.16b,v3.16b,v5.16b\n\text\tv5.16b,v0.16b,v5.16b,#12\n\teor\tv3.16b,v3.16b,v5.16b\n\text\tv5.16b,v0.16b,v5.16b,#12\n\teor\tv6.16b,v6.16b,v1.16b\n\teor\tv3.16b,v3.16b,v5.16b\n\tshl\tv1.16b,v1.16b,#1\n\teor\tv3.16b,v3.16b,v6.16b\n\n\ttbl\tv6.16b,{v3.16b},v2.16b\n\text\tv5.16b,v0.16b,v3.16b,#12\n\tst1\t{v3.4s},[x2],#16\n\taese\tv6.16b,v0.16b\n\n\teor\tv3.16b,v3.16b,v5.16b\n\text\tv5.16b,v0.16b,v5.16b,#12\n\teor\tv3.16b,v3.16b,v5.16b\n\text\tv5.16b,v0.16b,v5.16b,#12\n\teor\tv6.16b,v6.16b,v1.16b\n\teor\tv3.16b,v3.16b,v5.16b\n\teor\tv3.16b,v3.16b,v6.16b\n\tst1\t{v3.4s},[x2]\n\tadd\tx2,x2,#0x50\n\n\tmov\tw12,#10\n\tb\t.Ldone\n\n.align\t4\n.L192:\n\tld1\t{v4.8b},[x0],#8\n\tmovi\tv6.16b,#8\t\t\t// borrow v6.16b\n\tst1\t{v3.4s},[x2],#16\n\tsub\tv2.16b,v2.16b,v6.16b\t// adjust the mask\n\n.Loop192:\n\ttbl\tv6.16b,{v4.16b},v2.16b\n\text\tv5.16b,v0.16b,v3.16b,#12\n\tst1\t{v4.8b},[x2],#8\n\taese\tv6.16b,v0.16b\n\tsubs\tw1,w1,#1\n\n\teor\tv3.16b,v3.16b,v5.16b\n\text\tv5.16b,v0.16b,v5.16b,#12\n\teor\tv3.16b,v3.16b,v5.16b\n\text\tv5.16b,v0.16b,v5.16b,#12\n\teor\tv3.16b,v3.16b,v5.16b\n\n\tdup\tv5.4s,v3.s[3]\n\teor\tv5.16b,v5.16b,v4.16b\n\teor\tv6.16b,v6.16b,v1.16b\n\text\tv4.16b,v0.16b,v4.16b,#12\n\tshl\tv1.16b,v1.16b,#1\n\teor\tv4.16b,v4.16b,v5.16b\n\teor\tv3.16b,v3.16b,v6.16b\n\teor\tv4.16b,v4.16b,v6.16b\n\tst1\t{v3.4s},[x2],#16\n\tb.ne\t.Loop192\n\n\tmov\tw12,#12\n\tadd\tx2,x2,#0x20\n\tb\t.Ldone\n\n.align\t4\n.L256:\n\tld1\t{v4.16b},[x0]\n\tmov\tw1,#7\n\tmov\tw12,#14\n\tst1\t{v3.4s},[x2],#16\n\n.Loop256:\n\ttbl\tv6.16b,{v4.16b},v2.16b\n\text\tv5.16b,v0.16b,v3.16b,#12\n\tst1\t{v4.4s},[x2],#16\n\taese\tv6.16b,v0.16b\n\tsubs\tw1,w1,#1\n\n\teor\tv3.16b,v3.16b,v5.16b\n\text\tv5.16b,v0.16b,v5.16b,#12\n\teor\tv3.16b,v3.16b,v5.16b\n\text\tv5.16b,v0.16b,v5.16b,#12\n\teor\tv6.16b,v6.16b,v1.16b\n\teor\tv3.16b,v3.16b,v5.16b\n\tshl\tv1.16b,v1.16b,#1\n\teor\tv3.16b,v3.16b,v6.16b\n\tst1\t{v3.4s},[x2],#16\n\tb.eq\t.Ldone\n\n\tdup\tv6.4s,v3.s[3]\t\t// just splat\n\text\tv5.16b,v0.16b,v4.16b,#12\n\taese\tv6.16b,v0.16b\n\n\teor\tv4.16b,v4.16b,v5.16b\n\text\tv5.16b,v0.16b,v5.16b,#12\n\teor\tv4.16b,v4.16b,v5.16b\n\text\tv5.16b,v0.16b,v5.16b,#12\n\teor\tv4.16b,v4.16b,v5.16b\n\n\teor\tv4.16b,v4.16b,v6.16b\n\tb\t.Loop256\n\n.Ldone:\n\tstr\tw12,[x2]\n\tmov\tx3,#0\n\n.Lenc_key_abort:\n\tmov\tx0,x3\t\t\t// return value\n\tldr\tx29,[sp],#16\n\tret\n.size\taes_hw_set_encrypt_key,.-aes_hw_set_encrypt_key\n\n.globl\taes_hw_set_decrypt_key\n.hidden\taes_hw_set_decrypt_key\n.type\taes_hw_set_decrypt_key,%function\n.align\t5\naes_hw_set_decrypt_key:\n\tAARCH64_SIGN_LINK_REGISTER\n\tstp\tx29,x30,[sp,#-16]!\n\tadd\tx29,sp,#0\n\tbl\t.Lenc_key\n\n\tcmp\tx0,#0\n\tb.ne\t.Ldec_key_abort\n\n\tsub\tx2,x2,#240\t\t// restore original x2\n\tmov\tx4,#-16\n\tadd\tx0,x2,x12,lsl#4\t// end of key schedule\n\n\tld1\t{v0.4s},[x2]\n\tld1\t{v1.4s},[x0]\n\tst1\t{v0.4s},[x0],x4\n\tst1\t{v1.4s},[x2],#16\n\n.Loop_imc:\n\tld1\t{v0.4s},[x2]\n\tld1\t{v1.4s},[x0]\n\taesimc\tv0.16b,v0.16b\n\taesimc\tv1.16b,v1.16b\n\tst1\t{v0.4s},[x0],x4\n\tst1\t{v1.4s},[x2],#16\n\tcmp\tx0,x2\n\tb.hi\t.Loop_imc\n\n\tld1\t{v0.4s},[x2]\n\taesimc\tv0.16b,v0.16b\n\tst1\t{v0.4s},[x0]\n\n\teor\tx0,x0,x0\t\t// return value\n.Ldec_key_abort:\n\tldp\tx29,x30,[sp],#16\n\tAARCH64_VALIDATE_LINK_REGISTER\n\tret\n.size\taes_hw_set_decrypt_key,.-aes_hw_set_decrypt_key\n.globl\taes_hw_encrypt\n.hidden\taes_hw_encrypt\n.type\taes_hw_encrypt,%function\n.align\t5\naes_hw_encrypt:\n\tAARCH64_VALID_CALL_TARGET\n\tldr\tw3,[x2,#240]\n\tld1\t{v0.4s},[x2],#16\n\tld1\t{v2.16b},[x0]\n\tsub\tw3,w3,#2\n\tld1\t{v1.4s},[x2],#16\n\n.Loop_enc:\n\taese\tv2.16b,v0.16b\n\taesmc\tv2.16b,v2.16b\n\tld1\t{v0.4s},[x2],#16\n\tsubs\tw3,w3,#2\n\taese\tv2.16b,v1.16b\n\taesmc\tv2.16b,v2.16b\n\tld1\t{v1.4s},[x2],#16\n\tb.gt\t.Loop_enc\n\n\taese\tv2.16b,v0.16b\n\taesmc\tv2.16b,v2.16b\n\tld1\t{v0.4s},[x2]\n\taese\tv2.16b,v1.16b\n\teor\tv2.16b,v2.16b,v0.16b\n\n\tst1\t{v2.16b},[x1]\n\tret\n.size\taes_hw_encrypt,.-aes_hw_encrypt\n.globl\taes_hw_decrypt\n.hidden\taes_hw_decrypt\n.type\taes_hw_decrypt,%function\n.align\t5\naes_hw_decrypt:\n\tAARCH64_VALID_CALL_TARGET\n\tldr\tw3,[x2,#240]\n\tld1\t{v0.4s},[x2],#16\n\tld1\t{v2.16b},[x0]\n\tsub\tw3,w3,#2\n\tld1\t{v1.4s},[x2],#16\n\n.Loop_dec:\n\taesd\tv2.16b,v0.16b\n\taesimc\tv2.16b,v2.16b\n\tld1\t{v0.4s},[x2],#16\n\tsubs\tw3,w3,#2\n\taesd\tv2.16b,v1.16b\n\taesimc\tv2.16b,v2.16b\n\tld1\t{v1.4s},[x2],#16\n\tb.gt\t.Loop_dec\n\n\taesd\tv2.16b,v0.16b\n\taesimc\tv2.16b,v2.16b\n\tld1\t{v0.4s},[x2]\n\taesd\tv2.16b,v1.16b\n\teor\tv2.16b,v2.16b,v0.16b\n\n\tst1\t{v2.16b},[x1]\n\tret\n.size\taes_hw_decrypt,.-aes_hw_decrypt\n.globl\taes_hw_cbc_encrypt\n.hidden\taes_hw_cbc_encrypt\n.type\taes_hw_cbc_encrypt,%function\n.align\t5\naes_hw_cbc_encrypt:\n\t// Armv8.3-A PAuth: even though x30 is pushed to stack it is not popped later.\n\tAARCH64_VALID_CALL_TARGET\n\tstp\tx29,x30,[sp,#-16]!\n\tadd\tx29,sp,#0\n\tsubs\tx2,x2,#16\n\tmov\tx8,#16\n\tb.lo\t.Lcbc_abort\n\tcsel\tx8,xzr,x8,eq\n\n\tcmp\tw5,#0\t\t\t// en- or decrypting?\n\tldr\tw5,[x3,#240]\n\tand\tx2,x2,#-16\n\tld1\t{v6.16b},[x4]\n\tld1\t{v0.16b},[x0],x8\n\n\tld1\t{v16.4s,v17.4s},[x3]\t\t// load key schedule...\n\tsub\tw5,w5,#6\n\tadd\tx7,x3,x5,lsl#4\t// pointer to last 7 round keys\n\tsub\tw5,w5,#2\n\tld1\t{v18.4s,v19.4s},[x7],#32\n\tld1\t{v20.4s,v21.4s},[x7],#32\n\tld1\t{v22.4s,v23.4s},[x7],#32\n\tld1\t{v7.4s},[x7]\n\n\tadd\tx7,x3,#32\n\tmov\tw6,w5\n\tb.eq\t.Lcbc_dec\n\n\tcmp\tw5,#2\n\teor\tv0.16b,v0.16b,v6.16b\n\teor\tv5.16b,v16.16b,v7.16b\n\tb.eq\t.Lcbc_enc128\n\n\tld1\t{v2.4s,v3.4s},[x7]\n\tadd\tx7,x3,#16\n\tadd\tx6,x3,#16*4\n\tadd\tx12,x3,#16*5\n\taese\tv0.16b,v16.16b\n\taesmc\tv0.16b,v0.16b\n\tadd\tx14,x3,#16*6\n\tadd\tx3,x3,#16*7\n\tb\t.Lenter_cbc_enc\n\n.align\t4\n.Loop_cbc_enc:\n\taese\tv0.16b,v16.16b\n\taesmc\tv0.16b,v0.16b\n\tst1\t{v6.16b},[x1],#16\n.Lenter_cbc_enc:\n\taese\tv0.16b,v17.16b\n\taesmc\tv0.16b,v0.16b\n\taese\tv0.16b,v2.16b\n\taesmc\tv0.16b,v0.16b\n\tld1\t{v16.4s},[x6]\n\tcmp\tw5,#4\n\taese\tv0.16b,v3.16b\n\taesmc\tv0.16b,v0.16b\n\tld1\t{v17.4s},[x12]\n\tb.eq\t.Lcbc_enc192\n\n\taese\tv0.16b,v16.16b\n\taesmc\tv0.16b,v0.16b\n\tld1\t{v16.4s},[x14]\n\taese\tv0.16b,v17.16b\n\taesmc\tv0.16b,v0.16b\n\tld1\t{v17.4s},[x3]\n\tnop\n\n.Lcbc_enc192:\n\taese\tv0.16b,v16.16b\n\taesmc\tv0.16b,v0.16b\n\tsubs\tx2,x2,#16\n\taese\tv0.16b,v17.16b\n\taesmc\tv0.16b,v0.16b\n\tcsel\tx8,xzr,x8,eq\n\taese\tv0.16b,v18.16b\n\taesmc\tv0.16b,v0.16b\n\taese\tv0.16b,v19.16b\n\taesmc\tv0.16b,v0.16b\n\tld1\t{v16.16b},[x0],x8\n\taese\tv0.16b,v20.16b\n\taesmc\tv0.16b,v0.16b\n\teor\tv16.16b,v16.16b,v5.16b\n\taese\tv0.16b,v21.16b\n\taesmc\tv0.16b,v0.16b\n\tld1\t{v17.4s},[x7]\t\t// re-pre-load rndkey[1]\n\taese\tv0.16b,v22.16b\n\taesmc\tv0.16b,v0.16b\n\taese\tv0.16b,v23.16b\n\teor\tv6.16b,v0.16b,v7.16b\n\tb.hs\t.Loop_cbc_enc\n\n\tst1\t{v6.16b},[x1],#16\n\tb\t.Lcbc_done\n\n.align\t5\n.Lcbc_enc128:\n\tld1\t{v2.4s,v3.4s},[x7]\n\taese\tv0.16b,v16.16b\n\taesmc\tv0.16b,v0.16b\n\tb\t.Lenter_cbc_enc128\n.Loop_cbc_enc128:\n\taese\tv0.16b,v16.16b\n\taesmc\tv0.16b,v0.16b\n\tst1\t{v6.16b},[x1],#16\n.Lenter_cbc_enc128:\n\taese\tv0.16b,v17.16b\n\taesmc\tv0.16b,v0.16b\n\tsubs\tx2,x2,#16\n\taese\tv0.16b,v2.16b\n\taesmc\tv0.16b,v0.16b\n\tcsel\tx8,xzr,x8,eq\n\taese\tv0.16b,v3.16b\n\taesmc\tv0.16b,v0.16b\n\taese\tv0.16b,v18.16b\n\taesmc\tv0.16b,v0.16b\n\taese\tv0.16b,v19.16b\n\taesmc\tv0.16b,v0.16b\n\tld1\t{v16.16b},[x0],x8\n\taese\tv0.16b,v20.16b\n\taesmc\tv0.16b,v0.16b\n\taese\tv0.16b,v21.16b\n\taesmc\tv0.16b,v0.16b\n\taese\tv0.16b,v22.16b\n\taesmc\tv0.16b,v0.16b\n\teor\tv16.16b,v16.16b,v5.16b\n\taese\tv0.16b,v23.16b\n\teor\tv6.16b,v0.16b,v7.16b\n\tb.hs\t.Loop_cbc_enc128\n\n\tst1\t{v6.16b},[x1],#16\n\tb\t.Lcbc_done\n.align\t5\n.Lcbc_dec:\n\tld1\t{v18.16b},[x0],#16\n\tsubs\tx2,x2,#32\t\t// bias\n\tadd\tw6,w5,#2\n\torr\tv3.16b,v0.16b,v0.16b\n\torr\tv1.16b,v0.16b,v0.16b\n\torr\tv19.16b,v18.16b,v18.16b\n\tb.lo\t.Lcbc_dec_tail\n\n\torr\tv1.16b,v18.16b,v18.16b\n\tld1\t{v18.16b},[x0],#16\n\torr\tv2.16b,v0.16b,v0.16b\n\torr\tv3.16b,v1.16b,v1.16b\n\torr\tv19.16b,v18.16b,v18.16b\n\n.Loop3x_cbc_dec:\n\taesd\tv0.16b,v16.16b\n\taesimc\tv0.16b,v0.16b\n\taesd\tv1.16b,v16.16b\n\taesimc\tv1.16b,v1.16b\n\taesd\tv18.16b,v16.16b\n\taesimc\tv18.16b,v18.16b\n\tld1\t{v16.4s},[x7],#16\n\tsubs\tw6,w6,#2\n\taesd\tv0.16b,v17.16b\n\taesimc\tv0.16b,v0.16b\n\taesd\tv1.16b,v17.16b\n\taesimc\tv1.16b,v1.16b\n\taesd\tv18.16b,v17.16b\n\taesimc\tv18.16b,v18.16b\n\tld1\t{v17.4s},[x7],#16\n\tb.gt\t.Loop3x_cbc_dec\n\n\taesd\tv0.16b,v16.16b\n\taesimc\tv0.16b,v0.16b\n\taesd\tv1.16b,v16.16b\n\taesimc\tv1.16b,v1.16b\n\taesd\tv18.16b,v16.16b\n\taesimc\tv18.16b,v18.16b\n\teor\tv4.16b,v6.16b,v7.16b\n\tsubs\tx2,x2,#0x30\n\teor\tv5.16b,v2.16b,v7.16b\n\tcsel\tx6,x2,x6,lo\t\t\t// x6, w6, is zero at this point\n\taesd\tv0.16b,v17.16b\n\taesimc\tv0.16b,v0.16b\n\taesd\tv1.16b,v17.16b\n\taesimc\tv1.16b,v1.16b\n\taesd\tv18.16b,v17.16b\n\taesimc\tv18.16b,v18.16b\n\teor\tv17.16b,v3.16b,v7.16b\n\tadd\tx0,x0,x6\t\t// x0 is adjusted in such way that\n\t\t\t\t\t// at exit from the loop v1.16b-v18.16b\n\t\t\t\t\t// are loaded with last \"words\"\n\torr\tv6.16b,v19.16b,v19.16b\n\tmov\tx7,x3\n\taesd\tv0.16b,v20.16b\n\taesimc\tv0.16b,v0.16b\n\taesd\tv1.16b,v20.16b\n\taesimc\tv1.16b,v1.16b\n\taesd\tv18.16b,v20.16b\n\taesimc\tv18.16b,v18.16b\n\tld1\t{v2.16b},[x0],#16\n\taesd\tv0.16b,v21.16b\n\taesimc\tv0.16b,v0.16b\n\taesd\tv1.16b,v21.16b\n\taesimc\tv1.16b,v1.16b\n\taesd\tv18.16b,v21.16b\n\taesimc\tv18.16b,v18.16b\n\tld1\t{v3.16b},[x0],#16\n\taesd\tv0.16b,v22.16b\n\taesimc\tv0.16b,v0.16b\n\taesd\tv1.16b,v22.16b\n\taesimc\tv1.16b,v1.16b\n\taesd\tv18.16b,v22.16b\n\taesimc\tv18.16b,v18.16b\n\tld1\t{v19.16b},[x0],#16\n\taesd\tv0.16b,v23.16b\n\taesd\tv1.16b,v23.16b\n\taesd\tv18.16b,v23.16b\n\tld1\t{v16.4s},[x7],#16\t// re-pre-load rndkey[0]\n\tadd\tw6,w5,#2\n\teor\tv4.16b,v4.16b,v0.16b\n\teor\tv5.16b,v5.16b,v1.16b\n\teor\tv18.16b,v18.16b,v17.16b\n\tld1\t{v17.4s},[x7],#16\t// re-pre-load rndkey[1]\n\tst1\t{v4.16b},[x1],#16\n\torr\tv0.16b,v2.16b,v2.16b\n\tst1\t{v5.16b},[x1],#16\n\torr\tv1.16b,v3.16b,v3.16b\n\tst1\t{v18.16b},[x1],#16\n\torr\tv18.16b,v19.16b,v19.16b\n\tb.hs\t.Loop3x_cbc_dec\n\n\tcmn\tx2,#0x30\n\tb.eq\t.Lcbc_done\n\tnop\n\n.Lcbc_dec_tail:\n\taesd\tv1.16b,v16.16b\n\taesimc\tv1.16b,v1.16b\n\taesd\tv18.16b,v16.16b\n\taesimc\tv18.16b,v18.16b\n\tld1\t{v16.4s},[x7],#16\n\tsubs\tw6,w6,#2\n\taesd\tv1.16b,v17.16b\n\taesimc\tv1.16b,v1.16b\n\taesd\tv18.16b,v17.16b\n\taesimc\tv18.16b,v18.16b\n\tld1\t{v17.4s},[x7],#16\n\tb.gt\t.Lcbc_dec_tail\n\n\taesd\tv1.16b,v16.16b\n\taesimc\tv1.16b,v1.16b\n\taesd\tv18.16b,v16.16b\n\taesimc\tv18.16b,v18.16b\n\taesd\tv1.16b,v17.16b\n\taesimc\tv1.16b,v1.16b\n\taesd\tv18.16b,v17.16b\n\taesimc\tv18.16b,v18.16b\n\taesd\tv1.16b,v20.16b\n\taesimc\tv1.16b,v1.16b\n\taesd\tv18.16b,v20.16b\n\taesimc\tv18.16b,v18.16b\n\tcmn\tx2,#0x20\n\taesd\tv1.16b,v21.16b\n\taesimc\tv1.16b,v1.16b\n\taesd\tv18.16b,v21.16b\n\taesimc\tv18.16b,v18.16b\n\teor\tv5.16b,v6.16b,v7.16b\n\taesd\tv1.16b,v22.16b\n\taesimc\tv1.16b,v1.16b\n\taesd\tv18.16b,v22.16b\n\taesimc\tv18.16b,v18.16b\n\teor\tv17.16b,v3.16b,v7.16b\n\taesd\tv1.16b,v23.16b\n\taesd\tv18.16b,v23.16b\n\tb.eq\t.Lcbc_dec_one\n\teor\tv5.16b,v5.16b,v1.16b\n\teor\tv17.16b,v17.16b,v18.16b\n\torr\tv6.16b,v19.16b,v19.16b\n\tst1\t{v5.16b},[x1],#16\n\tst1\t{v17.16b},[x1],#16\n\tb\t.Lcbc_done\n\n.Lcbc_dec_one:\n\teor\tv5.16b,v5.16b,v18.16b\n\torr\tv6.16b,v19.16b,v19.16b\n\tst1\t{v5.16b},[x1],#16\n\n.Lcbc_done:\n\tst1\t{v6.16b},[x4]\n.Lcbc_abort:\n\tldr\tx29,[sp],#16\n\tret\n.size\taes_hw_cbc_encrypt,.-aes_hw_cbc_encrypt\n.globl\taes_hw_ctr32_encrypt_blocks\n.hidden\taes_hw_ctr32_encrypt_blocks\n.type\taes_hw_ctr32_encrypt_blocks,%function\n.align\t5\naes_hw_ctr32_encrypt_blocks:\n\t// Armv8.3-A PAuth: even though x30 is pushed to stack it is not popped later.\n\tAARCH64_VALID_CALL_TARGET\n\tstp\tx29,x30,[sp,#-16]!\n\tadd\tx29,sp,#0\n\tldr\tw5,[x3,#240]\n\n\tldr\tw8, [x4, #12]\n\tld1\t{v0.4s},[x4]\n\n\tld1\t{v16.4s,v17.4s},[x3]\t\t// load key schedule...\n\tsub\tw5,w5,#4\n\tmov\tx12,#16\n\tcmp\tx2,#2\n\tadd\tx7,x3,x5,lsl#4\t// pointer to last 5 round keys\n\tsub\tw5,w5,#2\n\tld1\t{v20.4s,v21.4s},[x7],#32\n\tld1\t{v22.4s,v23.4s},[x7],#32\n\tld1\t{v7.4s},[x7]\n\tadd\tx7,x3,#32\n\tmov\tw6,w5\n\tcsel\tx12,xzr,x12,lo\n\n\t// ARM Cortex-A57 and Cortex-A72 cores running in 32-bit mode are\n\t// affected by silicon errata #1742098 [0] and #1655431 [1],\n\t// respectively, where the second instruction of an aese/aesmc\n\t// instruction pair may execute twice if an interrupt is taken right\n\t// after the first instruction consumes an input register of which a\n\t// single 32-bit lane has been updated the last time it was modified.\n\t//\n\t// This function uses a counter in one 32-bit lane. The vmov lines\n\t// could write to v1.16b and v18.16b directly, but that trips this bugs.\n\t// We write to v6.16b and copy to the final register as a workaround.\n\t//\n\t// [0] ARM-EPM-049219 v23 Cortex-A57 MPCore Software Developers Errata Notice\n\t// [1] ARM-EPM-012079 v11.0 Cortex-A72 MPCore Software Developers Errata Notice\n#ifndef __AARCH64EB__\n\trev\tw8, w8\n#endif\n\tadd\tw10, w8, #1\n\torr\tv6.16b,v0.16b,v0.16b\n\trev\tw10, w10\n\tmov\tv6.s[3],w10\n\tadd\tw8, w8, #2\n\torr\tv1.16b,v6.16b,v6.16b\n\tb.ls\t.Lctr32_tail\n\trev\tw12, w8\n\tmov\tv6.s[3],w12\n\tsub\tx2,x2,#3\t\t// bias\n\torr\tv18.16b,v6.16b,v6.16b\n\tb\t.Loop3x_ctr32\n\n.align\t4\n.Loop3x_ctr32:\n\taese\tv0.16b,v16.16b\n\taesmc\tv0.16b,v0.16b\n\taese\tv1.16b,v16.16b\n\taesmc\tv1.16b,v1.16b\n\taese\tv18.16b,v16.16b\n\taesmc\tv18.16b,v18.16b\n\tld1\t{v16.4s},[x7],#16\n\tsubs\tw6,w6,#2\n\taese\tv0.16b,v17.16b\n\taesmc\tv0.16b,v0.16b\n\taese\tv1.16b,v17.16b\n\taesmc\tv1.16b,v1.16b\n\taese\tv18.16b,v17.16b\n\taesmc\tv18.16b,v18.16b\n\tld1\t{v17.4s},[x7],#16\n\tb.gt\t.Loop3x_ctr32\n\n\taese\tv0.16b,v16.16b\n\taesmc\tv4.16b,v0.16b\n\taese\tv1.16b,v16.16b\n\taesmc\tv5.16b,v1.16b\n\tld1\t{v2.16b},[x0],#16\n\tadd\tw9,w8,#1\n\taese\tv18.16b,v16.16b\n\taesmc\tv18.16b,v18.16b\n\tld1\t{v3.16b},[x0],#16\n\trev\tw9,w9\n\taese\tv4.16b,v17.16b\n\taesmc\tv4.16b,v4.16b\n\taese\tv5.16b,v17.16b\n\taesmc\tv5.16b,v5.16b\n\tld1\t{v19.16b},[x0],#16\n\tmov\tx7,x3\n\taese\tv18.16b,v17.16b\n\taesmc\tv17.16b,v18.16b\n\taese\tv4.16b,v20.16b\n\taesmc\tv4.16b,v4.16b\n\taese\tv5.16b,v20.16b\n\taesmc\tv5.16b,v5.16b\n\teor\tv2.16b,v2.16b,v7.16b\n\tadd\tw10,w8,#2\n\taese\tv17.16b,v20.16b\n\taesmc\tv17.16b,v17.16b\n\teor\tv3.16b,v3.16b,v7.16b\n\tadd\tw8,w8,#3\n\taese\tv4.16b,v21.16b\n\taesmc\tv4.16b,v4.16b\n\taese\tv5.16b,v21.16b\n\taesmc\tv5.16b,v5.16b\n\t // Note the logic to update v0.16b, v1.16b, and v1.16b is written to work\n\t // around a bug in ARM Cortex-A57 and Cortex-A72 cores running in\n\t // 32-bit mode. See the comment above.\n\teor\tv19.16b,v19.16b,v7.16b\n\tmov\tv6.s[3], w9\n\taese\tv17.16b,v21.16b\n\taesmc\tv17.16b,v17.16b\n\torr\tv0.16b,v6.16b,v6.16b\n\trev\tw10,w10\n\taese\tv4.16b,v22.16b\n\taesmc\tv4.16b,v4.16b\n\tmov\tv6.s[3], w10\n\trev\tw12,w8\n\taese\tv5.16b,v22.16b\n\taesmc\tv5.16b,v5.16b\n\torr\tv1.16b,v6.16b,v6.16b\n\tmov\tv6.s[3], w12\n\taese\tv17.16b,v22.16b\n\taesmc\tv17.16b,v17.16b\n\torr\tv18.16b,v6.16b,v6.16b\n\tsubs\tx2,x2,#3\n\taese\tv4.16b,v23.16b\n\taese\tv5.16b,v23.16b\n\taese\tv17.16b,v23.16b\n\n\teor\tv2.16b,v2.16b,v4.16b\n\tld1\t{v16.4s},[x7],#16\t// re-pre-load rndkey[0]\n\tst1\t{v2.16b},[x1],#16\n\teor\tv3.16b,v3.16b,v5.16b\n\tmov\tw6,w5\n\tst1\t{v3.16b},[x1],#16\n\teor\tv19.16b,v19.16b,v17.16b\n\tld1\t{v17.4s},[x7],#16\t// re-pre-load rndkey[1]\n\tst1\t{v19.16b},[x1],#16\n\tb.hs\t.Loop3x_ctr32\n\n\tadds\tx2,x2,#3\n\tb.eq\t.Lctr32_done\n\tcmp\tx2,#1\n\tmov\tx12,#16\n\tcsel\tx12,xzr,x12,eq\n\n.Lctr32_tail:\n\taese\tv0.16b,v16.16b\n\taesmc\tv0.16b,v0.16b\n\taese\tv1.16b,v16.16b\n\taesmc\tv1.16b,v1.16b\n\tld1\t{v16.4s},[x7],#16\n\tsubs\tw6,w6,#2\n\taese\tv0.16b,v17.16b\n\taesmc\tv0.16b,v0.16b\n\taese\tv1.16b,v17.16b\n\taesmc\tv1.16b,v1.16b\n\tld1\t{v17.4s},[x7],#16\n\tb.gt\t.Lctr32_tail\n\n\taese\tv0.16b,v16.16b\n\taesmc\tv0.16b,v0.16b\n\taese\tv1.16b,v16.16b\n\taesmc\tv1.16b,v1.16b\n\taese\tv0.16b,v17.16b\n\taesmc\tv0.16b,v0.16b\n\taese\tv1.16b,v17.16b\n\taesmc\tv1.16b,v1.16b\n\tld1\t{v2.16b},[x0],x12\n\taese\tv0.16b,v20.16b\n\taesmc\tv0.16b,v0.16b\n\taese\tv1.16b,v20.16b\n\taesmc\tv1.16b,v1.16b\n\tld1\t{v3.16b},[x0]\n\taese\tv0.16b,v21.16b\n\taesmc\tv0.16b,v0.16b\n\taese\tv1.16b,v21.16b\n\taesmc\tv1.16b,v1.16b\n\teor\tv2.16b,v2.16b,v7.16b\n\taese\tv0.16b,v22.16b\n\taesmc\tv0.16b,v0.16b\n\taese\tv1.16b,v22.16b\n\taesmc\tv1.16b,v1.16b\n\teor\tv3.16b,v3.16b,v7.16b\n\taese\tv0.16b,v23.16b\n\taese\tv1.16b,v23.16b\n\n\tcmp\tx2,#1\n\teor\tv2.16b,v2.16b,v0.16b\n\teor\tv3.16b,v3.16b,v1.16b\n\tst1\t{v2.16b},[x1],#16\n\tb.eq\t.Lctr32_done\n\tst1\t{v3.16b},[x1]\n\n.Lctr32_done:\n\tldr\tx29,[sp],#16\n\tret\n.size\taes_hw_ctr32_encrypt_blocks,.-aes_hw_ctr32_encrypt_blocks\n#endif\n#endif // !OPENSSL_NO_ASM && defined(OPENSSL_AARCH64) && defined(__ELF__)\n#if defined(__linux__) && defined(__ELF__)\n.section .note.GNU-stack,\"\",%progbits\n#endif\n\n" }, { "path": "Sources/CNIOBoringSSL/gen/bcm/aesv8-armv8-win.S", "content": "#define BORINGSSL_PREFIX CNIOBoringSSL\n// This file is generated from a similarly-named Perl script in the BoringSSL\n// source tree. Do not edit by hand.\n\n#include \n\n#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_AARCH64) && defined(_WIN32)\n#include \n\n#if __ARM_MAX_ARCH__>=7\n.text\n.arch\tarmv8-a+crypto\n.section\t.rodata\n.align\t5\nLrcon:\n.long\t0x01,0x01,0x01,0x01\n.long\t0x0c0f0e0d,0x0c0f0e0d,0x0c0f0e0d,0x0c0f0e0d\t// rotate-n-splat\n.long\t0x1b,0x1b,0x1b,0x1b\n\n.text\n\n.globl\taes_hw_set_encrypt_key\n\n.def aes_hw_set_encrypt_key\n .type 32\n.endef\n.align\t5\naes_hw_set_encrypt_key:\nLenc_key:\n\t// Armv8.3-A PAuth: even though x30 is pushed to stack it is not popped later.\n\tAARCH64_VALID_CALL_TARGET\n\tstp\tx29,x30,[sp,#-16]!\n\tadd\tx29,sp,#0\n\tmov\tx3,#-2\n\tcmp\tw1,#128\n\tb.lt\tLenc_key_abort\n\tcmp\tw1,#256\n\tb.gt\tLenc_key_abort\n\ttst\tw1,#0x3f\n\tb.ne\tLenc_key_abort\n\n\tadrp\tx3,Lrcon\n\tadd\tx3,x3,:lo12:Lrcon\n\tcmp\tw1,#192\n\n\teor\tv0.16b,v0.16b,v0.16b\n\tld1\t{v3.16b},[x0],#16\n\tmov\tw1,#8\t\t// reuse w1\n\tld1\t{v1.4s,v2.4s},[x3],#32\n\n\tb.lt\tLoop128\n\tb.eq\tL192\n\tb\tL256\n\n.align\t4\nLoop128:\n\ttbl\tv6.16b,{v3.16b},v2.16b\n\text\tv5.16b,v0.16b,v3.16b,#12\n\tst1\t{v3.4s},[x2],#16\n\taese\tv6.16b,v0.16b\n\tsubs\tw1,w1,#1\n\n\teor\tv3.16b,v3.16b,v5.16b\n\text\tv5.16b,v0.16b,v5.16b,#12\n\teor\tv3.16b,v3.16b,v5.16b\n\text\tv5.16b,v0.16b,v5.16b,#12\n\teor\tv6.16b,v6.16b,v1.16b\n\teor\tv3.16b,v3.16b,v5.16b\n\tshl\tv1.16b,v1.16b,#1\n\teor\tv3.16b,v3.16b,v6.16b\n\tb.ne\tLoop128\n\n\tld1\t{v1.4s},[x3]\n\n\ttbl\tv6.16b,{v3.16b},v2.16b\n\text\tv5.16b,v0.16b,v3.16b,#12\n\tst1\t{v3.4s},[x2],#16\n\taese\tv6.16b,v0.16b\n\n\teor\tv3.16b,v3.16b,v5.16b\n\text\tv5.16b,v0.16b,v5.16b,#12\n\teor\tv3.16b,v3.16b,v5.16b\n\text\tv5.16b,v0.16b,v5.16b,#12\n\teor\tv6.16b,v6.16b,v1.16b\n\teor\tv3.16b,v3.16b,v5.16b\n\tshl\tv1.16b,v1.16b,#1\n\teor\tv3.16b,v3.16b,v6.16b\n\n\ttbl\tv6.16b,{v3.16b},v2.16b\n\text\tv5.16b,v0.16b,v3.16b,#12\n\tst1\t{v3.4s},[x2],#16\n\taese\tv6.16b,v0.16b\n\n\teor\tv3.16b,v3.16b,v5.16b\n\text\tv5.16b,v0.16b,v5.16b,#12\n\teor\tv3.16b,v3.16b,v5.16b\n\text\tv5.16b,v0.16b,v5.16b,#12\n\teor\tv6.16b,v6.16b,v1.16b\n\teor\tv3.16b,v3.16b,v5.16b\n\teor\tv3.16b,v3.16b,v6.16b\n\tst1\t{v3.4s},[x2]\n\tadd\tx2,x2,#0x50\n\n\tmov\tw12,#10\n\tb\tLdone\n\n.align\t4\nL192:\n\tld1\t{v4.8b},[x0],#8\n\tmovi\tv6.16b,#8\t\t\t// borrow v6.16b\n\tst1\t{v3.4s},[x2],#16\n\tsub\tv2.16b,v2.16b,v6.16b\t// adjust the mask\n\nLoop192:\n\ttbl\tv6.16b,{v4.16b},v2.16b\n\text\tv5.16b,v0.16b,v3.16b,#12\n\tst1\t{v4.8b},[x2],#8\n\taese\tv6.16b,v0.16b\n\tsubs\tw1,w1,#1\n\n\teor\tv3.16b,v3.16b,v5.16b\n\text\tv5.16b,v0.16b,v5.16b,#12\n\teor\tv3.16b,v3.16b,v5.16b\n\text\tv5.16b,v0.16b,v5.16b,#12\n\teor\tv3.16b,v3.16b,v5.16b\n\n\tdup\tv5.4s,v3.s[3]\n\teor\tv5.16b,v5.16b,v4.16b\n\teor\tv6.16b,v6.16b,v1.16b\n\text\tv4.16b,v0.16b,v4.16b,#12\n\tshl\tv1.16b,v1.16b,#1\n\teor\tv4.16b,v4.16b,v5.16b\n\teor\tv3.16b,v3.16b,v6.16b\n\teor\tv4.16b,v4.16b,v6.16b\n\tst1\t{v3.4s},[x2],#16\n\tb.ne\tLoop192\n\n\tmov\tw12,#12\n\tadd\tx2,x2,#0x20\n\tb\tLdone\n\n.align\t4\nL256:\n\tld1\t{v4.16b},[x0]\n\tmov\tw1,#7\n\tmov\tw12,#14\n\tst1\t{v3.4s},[x2],#16\n\nLoop256:\n\ttbl\tv6.16b,{v4.16b},v2.16b\n\text\tv5.16b,v0.16b,v3.16b,#12\n\tst1\t{v4.4s},[x2],#16\n\taese\tv6.16b,v0.16b\n\tsubs\tw1,w1,#1\n\n\teor\tv3.16b,v3.16b,v5.16b\n\text\tv5.16b,v0.16b,v5.16b,#12\n\teor\tv3.16b,v3.16b,v5.16b\n\text\tv5.16b,v0.16b,v5.16b,#12\n\teor\tv6.16b,v6.16b,v1.16b\n\teor\tv3.16b,v3.16b,v5.16b\n\tshl\tv1.16b,v1.16b,#1\n\teor\tv3.16b,v3.16b,v6.16b\n\tst1\t{v3.4s},[x2],#16\n\tb.eq\tLdone\n\n\tdup\tv6.4s,v3.s[3]\t\t// just splat\n\text\tv5.16b,v0.16b,v4.16b,#12\n\taese\tv6.16b,v0.16b\n\n\teor\tv4.16b,v4.16b,v5.16b\n\text\tv5.16b,v0.16b,v5.16b,#12\n\teor\tv4.16b,v4.16b,v5.16b\n\text\tv5.16b,v0.16b,v5.16b,#12\n\teor\tv4.16b,v4.16b,v5.16b\n\n\teor\tv4.16b,v4.16b,v6.16b\n\tb\tLoop256\n\nLdone:\n\tstr\tw12,[x2]\n\tmov\tx3,#0\n\nLenc_key_abort:\n\tmov\tx0,x3\t\t\t// return value\n\tldr\tx29,[sp],#16\n\tret\n\n\n.globl\taes_hw_set_decrypt_key\n\n.def aes_hw_set_decrypt_key\n .type 32\n.endef\n.align\t5\naes_hw_set_decrypt_key:\n\tAARCH64_SIGN_LINK_REGISTER\n\tstp\tx29,x30,[sp,#-16]!\n\tadd\tx29,sp,#0\n\tbl\tLenc_key\n\n\tcmp\tx0,#0\n\tb.ne\tLdec_key_abort\n\n\tsub\tx2,x2,#240\t\t// restore original x2\n\tmov\tx4,#-16\n\tadd\tx0,x2,x12,lsl#4\t// end of key schedule\n\n\tld1\t{v0.4s},[x2]\n\tld1\t{v1.4s},[x0]\n\tst1\t{v0.4s},[x0],x4\n\tst1\t{v1.4s},[x2],#16\n\nLoop_imc:\n\tld1\t{v0.4s},[x2]\n\tld1\t{v1.4s},[x0]\n\taesimc\tv0.16b,v0.16b\n\taesimc\tv1.16b,v1.16b\n\tst1\t{v0.4s},[x0],x4\n\tst1\t{v1.4s},[x2],#16\n\tcmp\tx0,x2\n\tb.hi\tLoop_imc\n\n\tld1\t{v0.4s},[x2]\n\taesimc\tv0.16b,v0.16b\n\tst1\t{v0.4s},[x0]\n\n\teor\tx0,x0,x0\t\t// return value\nLdec_key_abort:\n\tldp\tx29,x30,[sp],#16\n\tAARCH64_VALIDATE_LINK_REGISTER\n\tret\n\n.globl\taes_hw_encrypt\n\n.def aes_hw_encrypt\n .type 32\n.endef\n.align\t5\naes_hw_encrypt:\n\tAARCH64_VALID_CALL_TARGET\n\tldr\tw3,[x2,#240]\n\tld1\t{v0.4s},[x2],#16\n\tld1\t{v2.16b},[x0]\n\tsub\tw3,w3,#2\n\tld1\t{v1.4s},[x2],#16\n\nLoop_enc:\n\taese\tv2.16b,v0.16b\n\taesmc\tv2.16b,v2.16b\n\tld1\t{v0.4s},[x2],#16\n\tsubs\tw3,w3,#2\n\taese\tv2.16b,v1.16b\n\taesmc\tv2.16b,v2.16b\n\tld1\t{v1.4s},[x2],#16\n\tb.gt\tLoop_enc\n\n\taese\tv2.16b,v0.16b\n\taesmc\tv2.16b,v2.16b\n\tld1\t{v0.4s},[x2]\n\taese\tv2.16b,v1.16b\n\teor\tv2.16b,v2.16b,v0.16b\n\n\tst1\t{v2.16b},[x1]\n\tret\n\n.globl\taes_hw_decrypt\n\n.def aes_hw_decrypt\n .type 32\n.endef\n.align\t5\naes_hw_decrypt:\n\tAARCH64_VALID_CALL_TARGET\n\tldr\tw3,[x2,#240]\n\tld1\t{v0.4s},[x2],#16\n\tld1\t{v2.16b},[x0]\n\tsub\tw3,w3,#2\n\tld1\t{v1.4s},[x2],#16\n\nLoop_dec:\n\taesd\tv2.16b,v0.16b\n\taesimc\tv2.16b,v2.16b\n\tld1\t{v0.4s},[x2],#16\n\tsubs\tw3,w3,#2\n\taesd\tv2.16b,v1.16b\n\taesimc\tv2.16b,v2.16b\n\tld1\t{v1.4s},[x2],#16\n\tb.gt\tLoop_dec\n\n\taesd\tv2.16b,v0.16b\n\taesimc\tv2.16b,v2.16b\n\tld1\t{v0.4s},[x2]\n\taesd\tv2.16b,v1.16b\n\teor\tv2.16b,v2.16b,v0.16b\n\n\tst1\t{v2.16b},[x1]\n\tret\n\n.globl\taes_hw_cbc_encrypt\n\n.def aes_hw_cbc_encrypt\n .type 32\n.endef\n.align\t5\naes_hw_cbc_encrypt:\n\t// Armv8.3-A PAuth: even though x30 is pushed to stack it is not popped later.\n\tAARCH64_VALID_CALL_TARGET\n\tstp\tx29,x30,[sp,#-16]!\n\tadd\tx29,sp,#0\n\tsubs\tx2,x2,#16\n\tmov\tx8,#16\n\tb.lo\tLcbc_abort\n\tcsel\tx8,xzr,x8,eq\n\n\tcmp\tw5,#0\t\t\t// en- or decrypting?\n\tldr\tw5,[x3,#240]\n\tand\tx2,x2,#-16\n\tld1\t{v6.16b},[x4]\n\tld1\t{v0.16b},[x0],x8\n\n\tld1\t{v16.4s,v17.4s},[x3]\t\t// load key schedule...\n\tsub\tw5,w5,#6\n\tadd\tx7,x3,x5,lsl#4\t// pointer to last 7 round keys\n\tsub\tw5,w5,#2\n\tld1\t{v18.4s,v19.4s},[x7],#32\n\tld1\t{v20.4s,v21.4s},[x7],#32\n\tld1\t{v22.4s,v23.4s},[x7],#32\n\tld1\t{v7.4s},[x7]\n\n\tadd\tx7,x3,#32\n\tmov\tw6,w5\n\tb.eq\tLcbc_dec\n\n\tcmp\tw5,#2\n\teor\tv0.16b,v0.16b,v6.16b\n\teor\tv5.16b,v16.16b,v7.16b\n\tb.eq\tLcbc_enc128\n\n\tld1\t{v2.4s,v3.4s},[x7]\n\tadd\tx7,x3,#16\n\tadd\tx6,x3,#16*4\n\tadd\tx12,x3,#16*5\n\taese\tv0.16b,v16.16b\n\taesmc\tv0.16b,v0.16b\n\tadd\tx14,x3,#16*6\n\tadd\tx3,x3,#16*7\n\tb\tLenter_cbc_enc\n\n.align\t4\nLoop_cbc_enc:\n\taese\tv0.16b,v16.16b\n\taesmc\tv0.16b,v0.16b\n\tst1\t{v6.16b},[x1],#16\nLenter_cbc_enc:\n\taese\tv0.16b,v17.16b\n\taesmc\tv0.16b,v0.16b\n\taese\tv0.16b,v2.16b\n\taesmc\tv0.16b,v0.16b\n\tld1\t{v16.4s},[x6]\n\tcmp\tw5,#4\n\taese\tv0.16b,v3.16b\n\taesmc\tv0.16b,v0.16b\n\tld1\t{v17.4s},[x12]\n\tb.eq\tLcbc_enc192\n\n\taese\tv0.16b,v16.16b\n\taesmc\tv0.16b,v0.16b\n\tld1\t{v16.4s},[x14]\n\taese\tv0.16b,v17.16b\n\taesmc\tv0.16b,v0.16b\n\tld1\t{v17.4s},[x3]\n\tnop\n\nLcbc_enc192:\n\taese\tv0.16b,v16.16b\n\taesmc\tv0.16b,v0.16b\n\tsubs\tx2,x2,#16\n\taese\tv0.16b,v17.16b\n\taesmc\tv0.16b,v0.16b\n\tcsel\tx8,xzr,x8,eq\n\taese\tv0.16b,v18.16b\n\taesmc\tv0.16b,v0.16b\n\taese\tv0.16b,v19.16b\n\taesmc\tv0.16b,v0.16b\n\tld1\t{v16.16b},[x0],x8\n\taese\tv0.16b,v20.16b\n\taesmc\tv0.16b,v0.16b\n\teor\tv16.16b,v16.16b,v5.16b\n\taese\tv0.16b,v21.16b\n\taesmc\tv0.16b,v0.16b\n\tld1\t{v17.4s},[x7]\t\t// re-pre-load rndkey[1]\n\taese\tv0.16b,v22.16b\n\taesmc\tv0.16b,v0.16b\n\taese\tv0.16b,v23.16b\n\teor\tv6.16b,v0.16b,v7.16b\n\tb.hs\tLoop_cbc_enc\n\n\tst1\t{v6.16b},[x1],#16\n\tb\tLcbc_done\n\n.align\t5\nLcbc_enc128:\n\tld1\t{v2.4s,v3.4s},[x7]\n\taese\tv0.16b,v16.16b\n\taesmc\tv0.16b,v0.16b\n\tb\tLenter_cbc_enc128\nLoop_cbc_enc128:\n\taese\tv0.16b,v16.16b\n\taesmc\tv0.16b,v0.16b\n\tst1\t{v6.16b},[x1],#16\nLenter_cbc_enc128:\n\taese\tv0.16b,v17.16b\n\taesmc\tv0.16b,v0.16b\n\tsubs\tx2,x2,#16\n\taese\tv0.16b,v2.16b\n\taesmc\tv0.16b,v0.16b\n\tcsel\tx8,xzr,x8,eq\n\taese\tv0.16b,v3.16b\n\taesmc\tv0.16b,v0.16b\n\taese\tv0.16b,v18.16b\n\taesmc\tv0.16b,v0.16b\n\taese\tv0.16b,v19.16b\n\taesmc\tv0.16b,v0.16b\n\tld1\t{v16.16b},[x0],x8\n\taese\tv0.16b,v20.16b\n\taesmc\tv0.16b,v0.16b\n\taese\tv0.16b,v21.16b\n\taesmc\tv0.16b,v0.16b\n\taese\tv0.16b,v22.16b\n\taesmc\tv0.16b,v0.16b\n\teor\tv16.16b,v16.16b,v5.16b\n\taese\tv0.16b,v23.16b\n\teor\tv6.16b,v0.16b,v7.16b\n\tb.hs\tLoop_cbc_enc128\n\n\tst1\t{v6.16b},[x1],#16\n\tb\tLcbc_done\n.align\t5\nLcbc_dec:\n\tld1\t{v18.16b},[x0],#16\n\tsubs\tx2,x2,#32\t\t// bias\n\tadd\tw6,w5,#2\n\torr\tv3.16b,v0.16b,v0.16b\n\torr\tv1.16b,v0.16b,v0.16b\n\torr\tv19.16b,v18.16b,v18.16b\n\tb.lo\tLcbc_dec_tail\n\n\torr\tv1.16b,v18.16b,v18.16b\n\tld1\t{v18.16b},[x0],#16\n\torr\tv2.16b,v0.16b,v0.16b\n\torr\tv3.16b,v1.16b,v1.16b\n\torr\tv19.16b,v18.16b,v18.16b\n\nLoop3x_cbc_dec:\n\taesd\tv0.16b,v16.16b\n\taesimc\tv0.16b,v0.16b\n\taesd\tv1.16b,v16.16b\n\taesimc\tv1.16b,v1.16b\n\taesd\tv18.16b,v16.16b\n\taesimc\tv18.16b,v18.16b\n\tld1\t{v16.4s},[x7],#16\n\tsubs\tw6,w6,#2\n\taesd\tv0.16b,v17.16b\n\taesimc\tv0.16b,v0.16b\n\taesd\tv1.16b,v17.16b\n\taesimc\tv1.16b,v1.16b\n\taesd\tv18.16b,v17.16b\n\taesimc\tv18.16b,v18.16b\n\tld1\t{v17.4s},[x7],#16\n\tb.gt\tLoop3x_cbc_dec\n\n\taesd\tv0.16b,v16.16b\n\taesimc\tv0.16b,v0.16b\n\taesd\tv1.16b,v16.16b\n\taesimc\tv1.16b,v1.16b\n\taesd\tv18.16b,v16.16b\n\taesimc\tv18.16b,v18.16b\n\teor\tv4.16b,v6.16b,v7.16b\n\tsubs\tx2,x2,#0x30\n\teor\tv5.16b,v2.16b,v7.16b\n\tcsel\tx6,x2,x6,lo\t\t\t// x6, w6, is zero at this point\n\taesd\tv0.16b,v17.16b\n\taesimc\tv0.16b,v0.16b\n\taesd\tv1.16b,v17.16b\n\taesimc\tv1.16b,v1.16b\n\taesd\tv18.16b,v17.16b\n\taesimc\tv18.16b,v18.16b\n\teor\tv17.16b,v3.16b,v7.16b\n\tadd\tx0,x0,x6\t\t// x0 is adjusted in such way that\n\t\t\t\t\t// at exit from the loop v1.16b-v18.16b\n\t\t\t\t\t// are loaded with last \"words\"\n\torr\tv6.16b,v19.16b,v19.16b\n\tmov\tx7,x3\n\taesd\tv0.16b,v20.16b\n\taesimc\tv0.16b,v0.16b\n\taesd\tv1.16b,v20.16b\n\taesimc\tv1.16b,v1.16b\n\taesd\tv18.16b,v20.16b\n\taesimc\tv18.16b,v18.16b\n\tld1\t{v2.16b},[x0],#16\n\taesd\tv0.16b,v21.16b\n\taesimc\tv0.16b,v0.16b\n\taesd\tv1.16b,v21.16b\n\taesimc\tv1.16b,v1.16b\n\taesd\tv18.16b,v21.16b\n\taesimc\tv18.16b,v18.16b\n\tld1\t{v3.16b},[x0],#16\n\taesd\tv0.16b,v22.16b\n\taesimc\tv0.16b,v0.16b\n\taesd\tv1.16b,v22.16b\n\taesimc\tv1.16b,v1.16b\n\taesd\tv18.16b,v22.16b\n\taesimc\tv18.16b,v18.16b\n\tld1\t{v19.16b},[x0],#16\n\taesd\tv0.16b,v23.16b\n\taesd\tv1.16b,v23.16b\n\taesd\tv18.16b,v23.16b\n\tld1\t{v16.4s},[x7],#16\t// re-pre-load rndkey[0]\n\tadd\tw6,w5,#2\n\teor\tv4.16b,v4.16b,v0.16b\n\teor\tv5.16b,v5.16b,v1.16b\n\teor\tv18.16b,v18.16b,v17.16b\n\tld1\t{v17.4s},[x7],#16\t// re-pre-load rndkey[1]\n\tst1\t{v4.16b},[x1],#16\n\torr\tv0.16b,v2.16b,v2.16b\n\tst1\t{v5.16b},[x1],#16\n\torr\tv1.16b,v3.16b,v3.16b\n\tst1\t{v18.16b},[x1],#16\n\torr\tv18.16b,v19.16b,v19.16b\n\tb.hs\tLoop3x_cbc_dec\n\n\tcmn\tx2,#0x30\n\tb.eq\tLcbc_done\n\tnop\n\nLcbc_dec_tail:\n\taesd\tv1.16b,v16.16b\n\taesimc\tv1.16b,v1.16b\n\taesd\tv18.16b,v16.16b\n\taesimc\tv18.16b,v18.16b\n\tld1\t{v16.4s},[x7],#16\n\tsubs\tw6,w6,#2\n\taesd\tv1.16b,v17.16b\n\taesimc\tv1.16b,v1.16b\n\taesd\tv18.16b,v17.16b\n\taesimc\tv18.16b,v18.16b\n\tld1\t{v17.4s},[x7],#16\n\tb.gt\tLcbc_dec_tail\n\n\taesd\tv1.16b,v16.16b\n\taesimc\tv1.16b,v1.16b\n\taesd\tv18.16b,v16.16b\n\taesimc\tv18.16b,v18.16b\n\taesd\tv1.16b,v17.16b\n\taesimc\tv1.16b,v1.16b\n\taesd\tv18.16b,v17.16b\n\taesimc\tv18.16b,v18.16b\n\taesd\tv1.16b,v20.16b\n\taesimc\tv1.16b,v1.16b\n\taesd\tv18.16b,v20.16b\n\taesimc\tv18.16b,v18.16b\n\tcmn\tx2,#0x20\n\taesd\tv1.16b,v21.16b\n\taesimc\tv1.16b,v1.16b\n\taesd\tv18.16b,v21.16b\n\taesimc\tv18.16b,v18.16b\n\teor\tv5.16b,v6.16b,v7.16b\n\taesd\tv1.16b,v22.16b\n\taesimc\tv1.16b,v1.16b\n\taesd\tv18.16b,v22.16b\n\taesimc\tv18.16b,v18.16b\n\teor\tv17.16b,v3.16b,v7.16b\n\taesd\tv1.16b,v23.16b\n\taesd\tv18.16b,v23.16b\n\tb.eq\tLcbc_dec_one\n\teor\tv5.16b,v5.16b,v1.16b\n\teor\tv17.16b,v17.16b,v18.16b\n\torr\tv6.16b,v19.16b,v19.16b\n\tst1\t{v5.16b},[x1],#16\n\tst1\t{v17.16b},[x1],#16\n\tb\tLcbc_done\n\nLcbc_dec_one:\n\teor\tv5.16b,v5.16b,v18.16b\n\torr\tv6.16b,v19.16b,v19.16b\n\tst1\t{v5.16b},[x1],#16\n\nLcbc_done:\n\tst1\t{v6.16b},[x4]\nLcbc_abort:\n\tldr\tx29,[sp],#16\n\tret\n\n.globl\taes_hw_ctr32_encrypt_blocks\n\n.def aes_hw_ctr32_encrypt_blocks\n .type 32\n.endef\n.align\t5\naes_hw_ctr32_encrypt_blocks:\n\t// Armv8.3-A PAuth: even though x30 is pushed to stack it is not popped later.\n\tAARCH64_VALID_CALL_TARGET\n\tstp\tx29,x30,[sp,#-16]!\n\tadd\tx29,sp,#0\n\tldr\tw5,[x3,#240]\n\n\tldr\tw8, [x4, #12]\n\tld1\t{v0.4s},[x4]\n\n\tld1\t{v16.4s,v17.4s},[x3]\t\t// load key schedule...\n\tsub\tw5,w5,#4\n\tmov\tx12,#16\n\tcmp\tx2,#2\n\tadd\tx7,x3,x5,lsl#4\t// pointer to last 5 round keys\n\tsub\tw5,w5,#2\n\tld1\t{v20.4s,v21.4s},[x7],#32\n\tld1\t{v22.4s,v23.4s},[x7],#32\n\tld1\t{v7.4s},[x7]\n\tadd\tx7,x3,#32\n\tmov\tw6,w5\n\tcsel\tx12,xzr,x12,lo\n\n\t// ARM Cortex-A57 and Cortex-A72 cores running in 32-bit mode are\n\t// affected by silicon errata #1742098 [0] and #1655431 [1],\n\t// respectively, where the second instruction of an aese/aesmc\n\t// instruction pair may execute twice if an interrupt is taken right\n\t// after the first instruction consumes an input register of which a\n\t// single 32-bit lane has been updated the last time it was modified.\n\t//\n\t// This function uses a counter in one 32-bit lane. The vmov lines\n\t// could write to v1.16b and v18.16b directly, but that trips this bugs.\n\t// We write to v6.16b and copy to the final register as a workaround.\n\t//\n\t// [0] ARM-EPM-049219 v23 Cortex-A57 MPCore Software Developers Errata Notice\n\t// [1] ARM-EPM-012079 v11.0 Cortex-A72 MPCore Software Developers Errata Notice\n#ifndef __AARCH64EB__\n\trev\tw8, w8\n#endif\n\tadd\tw10, w8, #1\n\torr\tv6.16b,v0.16b,v0.16b\n\trev\tw10, w10\n\tmov\tv6.s[3],w10\n\tadd\tw8, w8, #2\n\torr\tv1.16b,v6.16b,v6.16b\n\tb.ls\tLctr32_tail\n\trev\tw12, w8\n\tmov\tv6.s[3],w12\n\tsub\tx2,x2,#3\t\t// bias\n\torr\tv18.16b,v6.16b,v6.16b\n\tb\tLoop3x_ctr32\n\n.align\t4\nLoop3x_ctr32:\n\taese\tv0.16b,v16.16b\n\taesmc\tv0.16b,v0.16b\n\taese\tv1.16b,v16.16b\n\taesmc\tv1.16b,v1.16b\n\taese\tv18.16b,v16.16b\n\taesmc\tv18.16b,v18.16b\n\tld1\t{v16.4s},[x7],#16\n\tsubs\tw6,w6,#2\n\taese\tv0.16b,v17.16b\n\taesmc\tv0.16b,v0.16b\n\taese\tv1.16b,v17.16b\n\taesmc\tv1.16b,v1.16b\n\taese\tv18.16b,v17.16b\n\taesmc\tv18.16b,v18.16b\n\tld1\t{v17.4s},[x7],#16\n\tb.gt\tLoop3x_ctr32\n\n\taese\tv0.16b,v16.16b\n\taesmc\tv4.16b,v0.16b\n\taese\tv1.16b,v16.16b\n\taesmc\tv5.16b,v1.16b\n\tld1\t{v2.16b},[x0],#16\n\tadd\tw9,w8,#1\n\taese\tv18.16b,v16.16b\n\taesmc\tv18.16b,v18.16b\n\tld1\t{v3.16b},[x0],#16\n\trev\tw9,w9\n\taese\tv4.16b,v17.16b\n\taesmc\tv4.16b,v4.16b\n\taese\tv5.16b,v17.16b\n\taesmc\tv5.16b,v5.16b\n\tld1\t{v19.16b},[x0],#16\n\tmov\tx7,x3\n\taese\tv18.16b,v17.16b\n\taesmc\tv17.16b,v18.16b\n\taese\tv4.16b,v20.16b\n\taesmc\tv4.16b,v4.16b\n\taese\tv5.16b,v20.16b\n\taesmc\tv5.16b,v5.16b\n\teor\tv2.16b,v2.16b,v7.16b\n\tadd\tw10,w8,#2\n\taese\tv17.16b,v20.16b\n\taesmc\tv17.16b,v17.16b\n\teor\tv3.16b,v3.16b,v7.16b\n\tadd\tw8,w8,#3\n\taese\tv4.16b,v21.16b\n\taesmc\tv4.16b,v4.16b\n\taese\tv5.16b,v21.16b\n\taesmc\tv5.16b,v5.16b\n\t // Note the logic to update v0.16b, v1.16b, and v1.16b is written to work\n\t // around a bug in ARM Cortex-A57 and Cortex-A72 cores running in\n\t // 32-bit mode. See the comment above.\n\teor\tv19.16b,v19.16b,v7.16b\n\tmov\tv6.s[3], w9\n\taese\tv17.16b,v21.16b\n\taesmc\tv17.16b,v17.16b\n\torr\tv0.16b,v6.16b,v6.16b\n\trev\tw10,w10\n\taese\tv4.16b,v22.16b\n\taesmc\tv4.16b,v4.16b\n\tmov\tv6.s[3], w10\n\trev\tw12,w8\n\taese\tv5.16b,v22.16b\n\taesmc\tv5.16b,v5.16b\n\torr\tv1.16b,v6.16b,v6.16b\n\tmov\tv6.s[3], w12\n\taese\tv17.16b,v22.16b\n\taesmc\tv17.16b,v17.16b\n\torr\tv18.16b,v6.16b,v6.16b\n\tsubs\tx2,x2,#3\n\taese\tv4.16b,v23.16b\n\taese\tv5.16b,v23.16b\n\taese\tv17.16b,v23.16b\n\n\teor\tv2.16b,v2.16b,v4.16b\n\tld1\t{v16.4s},[x7],#16\t// re-pre-load rndkey[0]\n\tst1\t{v2.16b},[x1],#16\n\teor\tv3.16b,v3.16b,v5.16b\n\tmov\tw6,w5\n\tst1\t{v3.16b},[x1],#16\n\teor\tv19.16b,v19.16b,v17.16b\n\tld1\t{v17.4s},[x7],#16\t// re-pre-load rndkey[1]\n\tst1\t{v19.16b},[x1],#16\n\tb.hs\tLoop3x_ctr32\n\n\tadds\tx2,x2,#3\n\tb.eq\tLctr32_done\n\tcmp\tx2,#1\n\tmov\tx12,#16\n\tcsel\tx12,xzr,x12,eq\n\nLctr32_tail:\n\taese\tv0.16b,v16.16b\n\taesmc\tv0.16b,v0.16b\n\taese\tv1.16b,v16.16b\n\taesmc\tv1.16b,v1.16b\n\tld1\t{v16.4s},[x7],#16\n\tsubs\tw6,w6,#2\n\taese\tv0.16b,v17.16b\n\taesmc\tv0.16b,v0.16b\n\taese\tv1.16b,v17.16b\n\taesmc\tv1.16b,v1.16b\n\tld1\t{v17.4s},[x7],#16\n\tb.gt\tLctr32_tail\n\n\taese\tv0.16b,v16.16b\n\taesmc\tv0.16b,v0.16b\n\taese\tv1.16b,v16.16b\n\taesmc\tv1.16b,v1.16b\n\taese\tv0.16b,v17.16b\n\taesmc\tv0.16b,v0.16b\n\taese\tv1.16b,v17.16b\n\taesmc\tv1.16b,v1.16b\n\tld1\t{v2.16b},[x0],x12\n\taese\tv0.16b,v20.16b\n\taesmc\tv0.16b,v0.16b\n\taese\tv1.16b,v20.16b\n\taesmc\tv1.16b,v1.16b\n\tld1\t{v3.16b},[x0]\n\taese\tv0.16b,v21.16b\n\taesmc\tv0.16b,v0.16b\n\taese\tv1.16b,v21.16b\n\taesmc\tv1.16b,v1.16b\n\teor\tv2.16b,v2.16b,v7.16b\n\taese\tv0.16b,v22.16b\n\taesmc\tv0.16b,v0.16b\n\taese\tv1.16b,v22.16b\n\taesmc\tv1.16b,v1.16b\n\teor\tv3.16b,v3.16b,v7.16b\n\taese\tv0.16b,v23.16b\n\taese\tv1.16b,v23.16b\n\n\tcmp\tx2,#1\n\teor\tv2.16b,v2.16b,v0.16b\n\teor\tv3.16b,v3.16b,v1.16b\n\tst1\t{v2.16b},[x1],#16\n\tb.eq\tLctr32_done\n\tst1\t{v3.16b},[x1]\n\nLctr32_done:\n\tldr\tx29,[sp],#16\n\tret\n\n#endif\n#endif // !OPENSSL_NO_ASM && defined(OPENSSL_AARCH64) && defined(_WIN32)\n#if defined(__linux__) && defined(__ELF__)\n.section .note.GNU-stack,\"\",%progbits\n#endif\n\n" }, { "path": "Sources/CNIOBoringSSL/gen/bcm/aesv8-gcm-armv8-apple.S", "content": "#define BORINGSSL_PREFIX CNIOBoringSSL\n// This file is generated from a similarly-named Perl script in the BoringSSL\n// source tree. Do not edit by hand.\n\n#include \n\n#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_AARCH64) && defined(__APPLE__)\n#include \n#if __ARM_MAX_ARCH__ >= 8\n\n\n.text\n.globl\t_aes_gcm_enc_kernel\n.private_extern\t_aes_gcm_enc_kernel\n\n.align\t4\n_aes_gcm_enc_kernel:\n\tAARCH64_SIGN_LINK_REGISTER\n\tstp\tx29, x30, [sp, #-128]!\n\tmov\tx29, sp\n\tstp\tx19, x20, [sp, #16]\n\tmov\tx16, x4\n\tmov\tx8, x5\n\tstp\tx21, x22, [sp, #32]\n\tstp\tx23, x24, [sp, #48]\n\tstp\td8, d9, [sp, #64]\n\tstp\td10, d11, [sp, #80]\n\tstp\td12, d13, [sp, #96]\n\tstp\td14, d15, [sp, #112]\n\tldr\tw17, [x8, #240]\n\tadd\tx19, x8, x17, lsl #4 // borrow input_l1 for last key\n\tldp\tx13, x14, [x19] // load round N keys\n\tldr\tq31, [x19, #-16] // load round N-1 keys\n\tadd\tx4, x0, x1, lsr #3 // end_input_ptr\n\tlsr\tx5, x1, #3 // byte_len\n\tmov\tx15, x5\n\tldp\tx10, x11, [x16] // ctr96_b64, ctr96_t32\n\tld1\t{ v0.16b}, [x16] // special case vector load initial counter so we can start first AES block as quickly as possible\n\tsub\tx5, x5, #1 // byte_len - 1\n\tldr\tq18, [x8, #0] // load rk0\n\tand\tx5, x5, #0xffffffffffffffc0 // number of bytes to be processed in main loop (at least 1 byte must be handled by tail)\n\tldr\tq25, [x8, #112] // load rk7\n\tadd\tx5, x5, x0\n\tlsr\tx12, x11, #32\n\tfmov\td2, x10 // CTR block 2\n\torr\tw11, w11, w11\n\trev\tw12, w12 // rev_ctr32\n\tfmov\td1, x10 // CTR block 1\n\taese\tv0.16b, v18.16b\n\taesmc\tv0.16b, v0.16b // AES block 0 - round 0\n\tadd\tw12, w12, #1 // increment rev_ctr32\n\trev\tw9, w12 // CTR block 1\n\tfmov\td3, x10 // CTR block 3\n\torr\tx9, x11, x9, lsl #32 // CTR block 1\n\tadd\tw12, w12, #1 // CTR block 1\n\tldr\tq19, [x8, #16] // load rk1\n\tfmov\tv1.d[1], x9 // CTR block 1\n\trev\tw9, w12 // CTR block 2\n\tadd\tw12, w12, #1 // CTR block 2\n\torr\tx9, x11, x9, lsl #32 // CTR block 2\n\tldr\tq20, [x8, #32] // load rk2\n\tfmov\tv2.d[1], x9 // CTR block 2\n\trev\tw9, w12 // CTR block 3\n\taese\tv0.16b, v19.16b\n\taesmc\tv0.16b, v0.16b // AES block 0 - round 1\n\torr\tx9, x11, x9, lsl #32 // CTR block 3\n\tfmov\tv3.d[1], x9 // CTR block 3\n\taese\tv1.16b, v18.16b\n\taesmc\tv1.16b, v1.16b // AES block 1 - round 0\n\tldr\tq21, [x8, #48] // load rk3\n\taese\tv0.16b, v20.16b\n\taesmc\tv0.16b, v0.16b // AES block 0 - round 2\n\tldr\tq24, [x8, #96] // load rk6\n\taese\tv2.16b, v18.16b\n\taesmc\tv2.16b, v2.16b // AES block 2 - round 0\n\tldr\tq23, [x8, #80] // load rk5\n\taese\tv1.16b, v19.16b\n\taesmc\tv1.16b, v1.16b // AES block 1 - round 1\n\tldr\tq14, [x6, #48] // load h3l | h3h\n\text\tv14.16b, v14.16b, v14.16b, #8\n\taese\tv3.16b, v18.16b\n\taesmc\tv3.16b, v3.16b // AES block 3 - round 0\n\taese\tv2.16b, v19.16b\n\taesmc\tv2.16b, v2.16b // AES block 2 - round 1\n\tldr\tq22, [x8, #64] // load rk4\n\taese\tv1.16b, v20.16b\n\taesmc\tv1.16b, v1.16b // AES block 1 - round 2\n\tldr\tq13, [x6, #32] // load h2l | h2h\n\text\tv13.16b, v13.16b, v13.16b, #8\n\taese\tv3.16b, v19.16b\n\taesmc\tv3.16b, v3.16b // AES block 3 - round 1\n\tldr\tq30, [x8, #192] // load rk12\n\taese\tv2.16b, v20.16b\n\taesmc\tv2.16b, v2.16b // AES block 2 - round 2\n\tldr\tq15, [x6, #80] // load h4l | h4h\n\text\tv15.16b, v15.16b, v15.16b, #8\n\taese\tv1.16b, v21.16b\n\taesmc\tv1.16b, v1.16b // AES block 1 - round 3\n\tldr\tq29, [x8, #176] // load rk11\n\taese\tv3.16b, v20.16b\n\taesmc\tv3.16b, v3.16b // AES block 3 - round 2\n\tldr\tq26, [x8, #128] // load rk8\n\taese\tv2.16b, v21.16b\n\taesmc\tv2.16b, v2.16b // AES block 2 - round 3\n\tadd\tw12, w12, #1 // CTR block 3\n\taese\tv0.16b, v21.16b\n\taesmc\tv0.16b, v0.16b // AES block 0 - round 3\n\taese\tv3.16b, v21.16b\n\taesmc\tv3.16b, v3.16b // AES block 3 - round 3\n\tld1\t{ v11.16b}, [x3]\n\text\tv11.16b, v11.16b, v11.16b, #8\n\trev64\tv11.16b, v11.16b\n\taese\tv2.16b, v22.16b\n\taesmc\tv2.16b, v2.16b // AES block 2 - round 4\n\taese\tv0.16b, v22.16b\n\taesmc\tv0.16b, v0.16b // AES block 0 - round 4\n\taese\tv1.16b, v22.16b\n\taesmc\tv1.16b, v1.16b // AES block 1 - round 4\n\taese\tv3.16b, v22.16b\n\taesmc\tv3.16b, v3.16b // AES block 3 - round 4\n\tcmp\tx17, #12 // setup flags for AES-128/192/256 check\n\taese\tv0.16b, v23.16b\n\taesmc\tv0.16b, v0.16b // AES block 0 - round 5\n\taese\tv1.16b, v23.16b\n\taesmc\tv1.16b, v1.16b // AES block 1 - round 5\n\taese\tv3.16b, v23.16b\n\taesmc\tv3.16b, v3.16b // AES block 3 - round 5\n\taese\tv2.16b, v23.16b\n\taesmc\tv2.16b, v2.16b // AES block 2 - round 5\n\taese\tv1.16b, v24.16b\n\taesmc\tv1.16b, v1.16b // AES block 1 - round 6\n\ttrn2\tv17.2d, v14.2d, v15.2d // h4l | h3l\n\taese\tv3.16b, v24.16b\n\taesmc\tv3.16b, v3.16b // AES block 3 - round 6\n\tldr\tq27, [x8, #144] // load rk9\n\taese\tv0.16b, v24.16b\n\taesmc\tv0.16b, v0.16b // AES block 0 - round 6\n\tldr\tq12, [x6] // load h1l | h1h\n\text\tv12.16b, v12.16b, v12.16b, #8\n\taese\tv2.16b, v24.16b\n\taesmc\tv2.16b, v2.16b // AES block 2 - round 6\n\tldr\tq28, [x8, #160] // load rk10\n\taese\tv1.16b, v25.16b\n\taesmc\tv1.16b, v1.16b // AES block 1 - round 7\n\ttrn1\tv9.2d, v14.2d, v15.2d // h4h | h3h\n\taese\tv0.16b, v25.16b\n\taesmc\tv0.16b, v0.16b // AES block 0 - round 7\n\taese\tv2.16b, v25.16b\n\taesmc\tv2.16b, v2.16b // AES block 2 - round 7\n\taese\tv3.16b, v25.16b\n\taesmc\tv3.16b, v3.16b // AES block 3 - round 7\n\ttrn2\tv16.2d, v12.2d, v13.2d // h2l | h1l\n\taese\tv1.16b, v26.16b\n\taesmc\tv1.16b, v1.16b // AES block 1 - round 8\n\taese\tv2.16b, v26.16b\n\taesmc\tv2.16b, v2.16b // AES block 2 - round 8\n\taese\tv3.16b, v26.16b\n\taesmc\tv3.16b, v3.16b // AES block 3 - round 8\n\taese\tv0.16b, v26.16b\n\taesmc\tv0.16b, v0.16b // AES block 0 - round 8\n\tb.lt\tLenc_finish_first_blocks // branch if AES-128\n\n\taese\tv1.16b, v27.16b\n\taesmc\tv1.16b, v1.16b // AES block 1 - round 9\n\taese\tv2.16b, v27.16b\n\taesmc\tv2.16b, v2.16b // AES block 2 - round 9\n\taese\tv3.16b, v27.16b\n\taesmc\tv3.16b, v3.16b // AES block 3 - round 9\n\taese\tv0.16b, v27.16b\n\taesmc\tv0.16b, v0.16b // AES block 0 - round 9\n\taese\tv1.16b, v28.16b\n\taesmc\tv1.16b, v1.16b // AES block 1 - round 10\n\taese\tv2.16b, v28.16b\n\taesmc\tv2.16b, v2.16b // AES block 2 - round 10\n\taese\tv3.16b, v28.16b\n\taesmc\tv3.16b, v3.16b // AES block 3 - round 10\n\taese\tv0.16b, v28.16b\n\taesmc\tv0.16b, v0.16b // AES block 0 - round 10\n\tb.eq\tLenc_finish_first_blocks // branch if AES-192\n\n\taese\tv1.16b, v29.16b\n\taesmc\tv1.16b, v1.16b // AES block 1 - round 11\n\taese\tv2.16b, v29.16b\n\taesmc\tv2.16b, v2.16b // AES block 2 - round 11\n\taese\tv0.16b, v29.16b\n\taesmc\tv0.16b, v0.16b // AES block 0 - round 11\n\taese\tv3.16b, v29.16b\n\taesmc\tv3.16b, v3.16b // AES block 3 - round 11\n\taese\tv1.16b, v30.16b\n\taesmc\tv1.16b, v1.16b // AES block 1 - round 12\n\taese\tv2.16b, v30.16b\n\taesmc\tv2.16b, v2.16b // AES block 2 - round 12\n\taese\tv0.16b, v30.16b\n\taesmc\tv0.16b, v0.16b // AES block 0 - round 12\n\taese\tv3.16b, v30.16b\n\taesmc\tv3.16b, v3.16b // AES block 3 - round 12\n\nLenc_finish_first_blocks:\n\tcmp\tx0, x5 // check if we have <= 4 blocks\n\teor\tv17.16b, v17.16b, v9.16b // h4k | h3k\n\taese\tv2.16b, v31.16b // AES block 2 - round N-1\n\ttrn1\tv8.2d, v12.2d, v13.2d // h2h | h1h\n\taese\tv1.16b, v31.16b // AES block 1 - round N-1\n\taese\tv0.16b, v31.16b // AES block 0 - round N-1\n\taese\tv3.16b, v31.16b // AES block 3 - round N-1\n\teor\tv16.16b, v16.16b, v8.16b // h2k | h1k\n\tb.ge\tLenc_tail // handle tail\n\n\tldp\tx19, x20, [x0, #16] // AES block 1 - load plaintext\n\trev\tw9, w12 // CTR block 4\n\tldp\tx6, x7, [x0, #0] // AES block 0 - load plaintext\n\tldp\tx23, x24, [x0, #48] // AES block 3 - load plaintext\n\tldp\tx21, x22, [x0, #32] // AES block 2 - load plaintext\n\tadd\tx0, x0, #64 // AES input_ptr update\n\teor\tx19, x19, x13 // AES block 1 - round N low\n\teor\tx20, x20, x14 // AES block 1 - round N high\n\tfmov\td5, x19 // AES block 1 - mov low\n\teor\tx6, x6, x13 // AES block 0 - round N low\n\teor\tx7, x7, x14 // AES block 0 - round N high\n\teor\tx24, x24, x14 // AES block 3 - round N high\n\tfmov\td4, x6 // AES block 0 - mov low\n\tcmp\tx0, x5 // check if we have <= 8 blocks\n\tfmov\tv4.d[1], x7 // AES block 0 - mov high\n\teor\tx23, x23, x13 // AES block 3 - round N low\n\teor\tx21, x21, x13 // AES block 2 - round N low\n\tfmov\tv5.d[1], x20 // AES block 1 - mov high\n\tfmov\td6, x21 // AES block 2 - mov low\n\tadd\tw12, w12, #1 // CTR block 4\n\torr\tx9, x11, x9, lsl #32 // CTR block 4\n\tfmov\td7, x23 // AES block 3 - mov low\n\teor\tx22, x22, x14 // AES block 2 - round N high\n\tfmov\tv6.d[1], x22 // AES block 2 - mov high\n\teor\tv4.16b, v4.16b, v0.16b // AES block 0 - result\n\tfmov\td0, x10 // CTR block 4\n\tfmov\tv0.d[1], x9 // CTR block 4\n\trev\tw9, w12 // CTR block 5\n\tadd\tw12, w12, #1 // CTR block 5\n\teor\tv5.16b, v5.16b, v1.16b // AES block 1 - result\n\tfmov\td1, x10 // CTR block 5\n\torr\tx9, x11, x9, lsl #32 // CTR block 5\n\tfmov\tv1.d[1], x9 // CTR block 5\n\trev\tw9, w12 // CTR block 6\n\tst1\t{ v4.16b}, [x2], #16 // AES block 0 - store result\n\tfmov\tv7.d[1], x24 // AES block 3 - mov high\n\torr\tx9, x11, x9, lsl #32 // CTR block 6\n\teor\tv6.16b, v6.16b, v2.16b // AES block 2 - result\n\tst1\t{ v5.16b}, [x2], #16 // AES block 1 - store result\n\tadd\tw12, w12, #1 // CTR block 6\n\tfmov\td2, x10 // CTR block 6\n\tfmov\tv2.d[1], x9 // CTR block 6\n\tst1\t{ v6.16b}, [x2], #16 // AES block 2 - store result\n\trev\tw9, w12 // CTR block 7\n\torr\tx9, x11, x9, lsl #32 // CTR block 7\n\teor\tv7.16b, v7.16b, v3.16b // AES block 3 - result\n\tst1\t{ v7.16b}, [x2], #16 // AES block 3 - store result\n\tb.ge\tLenc_prepretail // do prepretail\n\nLenc_main_loop:\t//\tmain loop start\n\taese\tv0.16b, v18.16b\n\taesmc\tv0.16b, v0.16b // AES block 4k+4 - round 0\n\trev64\tv4.16b, v4.16b // GHASH block 4k (only t0 is free)\n\taese\tv1.16b, v18.16b\n\taesmc\tv1.16b, v1.16b // AES block 4k+5 - round 0\n\tfmov\td3, x10 // CTR block 4k+3\n\taese\tv2.16b, v18.16b\n\taesmc\tv2.16b, v2.16b // AES block 4k+6 - round 0\n\text\tv11.16b, v11.16b, v11.16b, #8 // PRE 0\n\taese\tv0.16b, v19.16b\n\taesmc\tv0.16b, v0.16b // AES block 4k+4 - round 1\n\tfmov\tv3.d[1], x9 // CTR block 4k+3\n\taese\tv1.16b, v19.16b\n\taesmc\tv1.16b, v1.16b // AES block 4k+5 - round 1\n\tldp\tx23, x24, [x0, #48] // AES block 4k+7 - load plaintext\n\taese\tv2.16b, v19.16b\n\taesmc\tv2.16b, v2.16b // AES block 4k+6 - round 1\n\tldp\tx21, x22, [x0, #32] // AES block 4k+6 - load plaintext\n\taese\tv0.16b, v20.16b\n\taesmc\tv0.16b, v0.16b // AES block 4k+4 - round 2\n\teor\tv4.16b, v4.16b, v11.16b // PRE 1\n\taese\tv1.16b, v20.16b\n\taesmc\tv1.16b, v1.16b // AES block 4k+5 - round 2\n\taese\tv3.16b, v18.16b\n\taesmc\tv3.16b, v3.16b // AES block 4k+7 - round 0\n\teor\tx23, x23, x13 // AES block 4k+7 - round N low\n\taese\tv0.16b, v21.16b\n\taesmc\tv0.16b, v0.16b // AES block 4k+4 - round 3\n\tmov\td10, v17.d[1] // GHASH block 4k - mid\n\tpmull2\tv9.1q, v4.2d, v15.2d // GHASH block 4k - high\n\teor\tx22, x22, x14 // AES block 4k+6 - round N high\n\tmov\td8, v4.d[1] // GHASH block 4k - mid\n\taese\tv3.16b, v19.16b\n\taesmc\tv3.16b, v3.16b // AES block 4k+7 - round 1\n\trev64\tv5.16b, v5.16b // GHASH block 4k+1 (t0 and t1 free)\n\taese\tv0.16b, v22.16b\n\taesmc\tv0.16b, v0.16b // AES block 4k+4 - round 4\n\tpmull\tv11.1q, v4.1d, v15.1d // GHASH block 4k - low\n\teor\tv8.8b, v8.8b, v4.8b // GHASH block 4k - mid\n\taese\tv2.16b, v20.16b\n\taesmc\tv2.16b, v2.16b // AES block 4k+6 - round 2\n\taese\tv0.16b, v23.16b\n\taesmc\tv0.16b, v0.16b // AES block 4k+4 - round 5\n\trev64\tv7.16b, v7.16b // GHASH block 4k+3 (t0, t1, t2 and t3 free)\n\tpmull2\tv4.1q, v5.2d, v14.2d // GHASH block 4k+1 - high\n\tpmull\tv10.1q, v8.1d, v10.1d // GHASH block 4k - mid\n\trev64\tv6.16b, v6.16b // GHASH block 4k+2 (t0, t1, and t2 free)\n\tpmull\tv8.1q, v5.1d, v14.1d // GHASH block 4k+1 - low\n\teor\tv9.16b, v9.16b, v4.16b // GHASH block 4k+1 - high\n\tmov\td4, v5.d[1] // GHASH block 4k+1 - mid\n\taese\tv1.16b, v21.16b\n\taesmc\tv1.16b, v1.16b // AES block 4k+5 - round 3\n\taese\tv3.16b, v20.16b\n\taesmc\tv3.16b, v3.16b // AES block 4k+7 - round 2\n\teor\tv11.16b, v11.16b, v8.16b // GHASH block 4k+1 - low\n\taese\tv2.16b, v21.16b\n\taesmc\tv2.16b, v2.16b // AES block 4k+6 - round 3\n\taese\tv1.16b, v22.16b\n\taesmc\tv1.16b, v1.16b // AES block 4k+5 - round 4\n\tmov\td8, v6.d[1] // GHASH block 4k+2 - mid\n\taese\tv3.16b, v21.16b\n\taesmc\tv3.16b, v3.16b // AES block 4k+7 - round 3\n\teor\tv4.8b, v4.8b, v5.8b // GHASH block 4k+1 - mid\n\taese\tv2.16b, v22.16b\n\taesmc\tv2.16b, v2.16b // AES block 4k+6 - round 4\n\taese\tv0.16b, v24.16b\n\taesmc\tv0.16b, v0.16b // AES block 4k+4 - round 6\n\teor\tv8.8b, v8.8b, v6.8b // GHASH block 4k+2 - mid\n\taese\tv3.16b, v22.16b\n\taesmc\tv3.16b, v3.16b // AES block 4k+7 - round 4\n\tpmull\tv4.1q, v4.1d, v17.1d // GHASH block 4k+1 - mid\n\taese\tv0.16b, v25.16b\n\taesmc\tv0.16b, v0.16b // AES block 4k+4 - round 7\n\taese\tv3.16b, v23.16b\n\taesmc\tv3.16b, v3.16b // AES block 4k+7 - round 5\n\tins\tv8.d[1], v8.d[0] // GHASH block 4k+2 - mid\n\taese\tv1.16b, v23.16b\n\taesmc\tv1.16b, v1.16b // AES block 4k+5 - round 5\n\taese\tv0.16b, v26.16b\n\taesmc\tv0.16b, v0.16b // AES block 4k+4 - round 8\n\taese\tv2.16b, v23.16b\n\taesmc\tv2.16b, v2.16b // AES block 4k+6 - round 5\n\taese\tv1.16b, v24.16b\n\taesmc\tv1.16b, v1.16b // AES block 4k+5 - round 6\n\teor\tv10.16b, v10.16b, v4.16b // GHASH block 4k+1 - mid\n\tpmull2\tv4.1q, v6.2d, v13.2d // GHASH block 4k+2 - high\n\tpmull\tv5.1q, v6.1d, v13.1d // GHASH block 4k+2 - low\n\taese\tv1.16b, v25.16b\n\taesmc\tv1.16b, v1.16b // AES block 4k+5 - round 7\n\tpmull\tv6.1q, v7.1d, v12.1d // GHASH block 4k+3 - low\n\teor\tv9.16b, v9.16b, v4.16b // GHASH block 4k+2 - high\n\taese\tv3.16b, v24.16b\n\taesmc\tv3.16b, v3.16b // AES block 4k+7 - round 6\n\tldp\tx19, x20, [x0, #16] // AES block 4k+5 - load plaintext\n\taese\tv1.16b, v26.16b\n\taesmc\tv1.16b, v1.16b // AES block 4k+5 - round 8\n\tmov\td4, v7.d[1] // GHASH block 4k+3 - mid\n\taese\tv2.16b, v24.16b\n\taesmc\tv2.16b, v2.16b // AES block 4k+6 - round 6\n\teor\tv11.16b, v11.16b, v5.16b // GHASH block 4k+2 - low\n\tpmull2\tv8.1q, v8.2d, v16.2d // GHASH block 4k+2 - mid\n\tpmull2\tv5.1q, v7.2d, v12.2d // GHASH block 4k+3 - high\n\teor\tv4.8b, v4.8b, v7.8b // GHASH block 4k+3 - mid\n\taese\tv2.16b, v25.16b\n\taesmc\tv2.16b, v2.16b // AES block 4k+6 - round 7\n\teor\tx19, x19, x13 // AES block 4k+5 - round N low\n\taese\tv2.16b, v26.16b\n\taesmc\tv2.16b, v2.16b // AES block 4k+6 - round 8\n\teor\tv10.16b, v10.16b, v8.16b // GHASH block 4k+2 - mid\n\taese\tv3.16b, v25.16b\n\taesmc\tv3.16b, v3.16b // AES block 4k+7 - round 7\n\teor\tx21, x21, x13 // AES block 4k+6 - round N low\n\taese\tv3.16b, v26.16b\n\taesmc\tv3.16b, v3.16b // AES block 4k+7 - round 8\n\tmovi\tv8.8b, #0xc2\n\tpmull\tv4.1q, v4.1d, v16.1d // GHASH block 4k+3 - mid\n\teor\tv9.16b, v9.16b, v5.16b // GHASH block 4k+3 - high\n\tcmp\tx17, #12 // setup flags for AES-128/192/256 check\n\tfmov\td5, x19 // AES block 4k+5 - mov low\n\tldp\tx6, x7, [x0, #0] // AES block 4k+4 - load plaintext\n\tb.lt\tLenc_main_loop_continue // branch if AES-128\n\n\taese\tv1.16b, v27.16b\n\taesmc\tv1.16b, v1.16b // AES block 4k+5 - round 9\n\taese\tv0.16b, v27.16b\n\taesmc\tv0.16b, v0.16b // AES block 4k+4 - round 9\n\taese\tv2.16b, v27.16b\n\taesmc\tv2.16b, v2.16b // AES block 4k+6 - round 9\n\taese\tv3.16b, v27.16b\n\taesmc\tv3.16b, v3.16b // AES block 4k+7 - round 9\n\taese\tv0.16b, v28.16b\n\taesmc\tv0.16b, v0.16b // AES block 4k+4 - round 10\n\taese\tv1.16b, v28.16b\n\taesmc\tv1.16b, v1.16b // AES block 4k+5 - round 10\n\taese\tv2.16b, v28.16b\n\taesmc\tv2.16b, v2.16b // AES block 4k+6 - round 10\n\taese\tv3.16b, v28.16b\n\taesmc\tv3.16b, v3.16b // AES block 4k+7 - round 10\n\tb.eq\tLenc_main_loop_continue // branch if AES-192\n\n\taese\tv0.16b, v29.16b\n\taesmc\tv0.16b, v0.16b // AES block 4k+4 - round 11\n\taese\tv1.16b, v29.16b\n\taesmc\tv1.16b, v1.16b // AES block 4k+5 - round 11\n\taese\tv2.16b, v29.16b\n\taesmc\tv2.16b, v2.16b // AES block 4k+6 - round 11\n\taese\tv3.16b, v29.16b\n\taesmc\tv3.16b, v3.16b // AES block 4k+7 - round 11\n\taese\tv1.16b, v30.16b\n\taesmc\tv1.16b, v1.16b // AES block 4k+5 - round 12\n\taese\tv0.16b, v30.16b\n\taesmc\tv0.16b, v0.16b // AES block 4k+4 - round 12\n\taese\tv2.16b, v30.16b\n\taesmc\tv2.16b, v2.16b // AES block 4k+6 - round 12\n\taese\tv3.16b, v30.16b\n\taesmc\tv3.16b, v3.16b // AES block 4k+7 - round 12\n\nLenc_main_loop_continue:\n\tshl\td8, d8, #56 // mod_constant\n\teor\tv11.16b, v11.16b, v6.16b // GHASH block 4k+3 - low\n\teor\tv10.16b, v10.16b, v4.16b // GHASH block 4k+3 - mid\n\tadd\tw12, w12, #1 // CTR block 4k+3\n\teor\tv4.16b, v11.16b, v9.16b // MODULO - karatsuba tidy up\n\tadd\tx0, x0, #64 // AES input_ptr update\n\tpmull\tv7.1q, v9.1d, v8.1d // MODULO - top 64b align with mid\n\trev\tw9, w12 // CTR block 4k+8\n\text\tv9.16b, v9.16b, v9.16b, #8 // MODULO - other top alignment\n\teor\tx6, x6, x13 // AES block 4k+4 - round N low\n\teor\tv10.16b, v10.16b, v4.16b // MODULO - karatsuba tidy up\n\teor\tx7, x7, x14 // AES block 4k+4 - round N high\n\tfmov\td4, x6 // AES block 4k+4 - mov low\n\torr\tx9, x11, x9, lsl #32 // CTR block 4k+8\n\teor\tv7.16b, v9.16b, v7.16b // MODULO - fold into mid\n\teor\tx20, x20, x14 // AES block 4k+5 - round N high\n\teor\tx24, x24, x14 // AES block 4k+7 - round N high\n\tadd\tw12, w12, #1 // CTR block 4k+8\n\taese\tv0.16b, v31.16b // AES block 4k+4 - round N-1\n\tfmov\tv4.d[1], x7 // AES block 4k+4 - mov high\n\teor\tv10.16b, v10.16b, v7.16b // MODULO - fold into mid\n\tfmov\td7, x23 // AES block 4k+7 - mov low\n\taese\tv1.16b, v31.16b // AES block 4k+5 - round N-1\n\tfmov\tv5.d[1], x20 // AES block 4k+5 - mov high\n\tfmov\td6, x21 // AES block 4k+6 - mov low\n\tcmp\tx0, x5 // LOOP CONTROL\n\tfmov\tv6.d[1], x22 // AES block 4k+6 - mov high\n\tpmull\tv9.1q, v10.1d, v8.1d // MODULO - mid 64b align with low\n\teor\tv4.16b, v4.16b, v0.16b // AES block 4k+4 - result\n\tfmov\td0, x10 // CTR block 4k+8\n\tfmov\tv0.d[1], x9 // CTR block 4k+8\n\trev\tw9, w12 // CTR block 4k+9\n\tadd\tw12, w12, #1 // CTR block 4k+9\n\teor\tv5.16b, v5.16b, v1.16b // AES block 4k+5 - result\n\tfmov\td1, x10 // CTR block 4k+9\n\torr\tx9, x11, x9, lsl #32 // CTR block 4k+9\n\tfmov\tv1.d[1], x9 // CTR block 4k+9\n\taese\tv2.16b, v31.16b // AES block 4k+6 - round N-1\n\trev\tw9, w12 // CTR block 4k+10\n\tst1\t{ v4.16b}, [x2], #16 // AES block 4k+4 - store result\n\torr\tx9, x11, x9, lsl #32 // CTR block 4k+10\n\teor\tv11.16b, v11.16b, v9.16b // MODULO - fold into low\n\tfmov\tv7.d[1], x24 // AES block 4k+7 - mov high\n\text\tv10.16b, v10.16b, v10.16b, #8 // MODULO - other mid alignment\n\tst1\t{ v5.16b}, [x2], #16 // AES block 4k+5 - store result\n\tadd\tw12, w12, #1 // CTR block 4k+10\n\taese\tv3.16b, v31.16b // AES block 4k+7 - round N-1\n\teor\tv6.16b, v6.16b, v2.16b // AES block 4k+6 - result\n\tfmov\td2, x10 // CTR block 4k+10\n\tst1\t{ v6.16b}, [x2], #16 // AES block 4k+6 - store result\n\tfmov\tv2.d[1], x9 // CTR block 4k+10\n\trev\tw9, w12 // CTR block 4k+11\n\teor\tv11.16b, v11.16b, v10.16b // MODULO - fold into low\n\torr\tx9, x11, x9, lsl #32 // CTR block 4k+11\n\teor\tv7.16b, v7.16b, v3.16b // AES block 4k+7 - result\n\tst1\t{ v7.16b}, [x2], #16 // AES block 4k+7 - store result\n\tb.lt\tLenc_main_loop\n\nLenc_prepretail:\t//\tPREPRETAIL\n\taese\tv1.16b, v18.16b\n\taesmc\tv1.16b, v1.16b // AES block 4k+5 - round 0\n\trev64\tv6.16b, v6.16b // GHASH block 4k+2 (t0, t1, and t2 free)\n\taese\tv2.16b, v18.16b\n\taesmc\tv2.16b, v2.16b // AES block 4k+6 - round 0\n\tfmov\td3, x10 // CTR block 4k+3\n\taese\tv0.16b, v18.16b\n\taesmc\tv0.16b, v0.16b // AES block 4k+4 - round 0\n\trev64\tv4.16b, v4.16b // GHASH block 4k (only t0 is free)\n\tfmov\tv3.d[1], x9 // CTR block 4k+3\n\text\tv11.16b, v11.16b, v11.16b, #8 // PRE 0\n\taese\tv2.16b, v19.16b\n\taesmc\tv2.16b, v2.16b // AES block 4k+6 - round 1\n\taese\tv0.16b, v19.16b\n\taesmc\tv0.16b, v0.16b // AES block 4k+4 - round 1\n\teor\tv4.16b, v4.16b, v11.16b // PRE 1\n\trev64\tv5.16b, v5.16b // GHASH block 4k+1 (t0 and t1 free)\n\taese\tv2.16b, v20.16b\n\taesmc\tv2.16b, v2.16b // AES block 4k+6 - round 2\n\taese\tv3.16b, v18.16b\n\taesmc\tv3.16b, v3.16b // AES block 4k+7 - round 0\n\tmov\td10, v17.d[1] // GHASH block 4k - mid\n\taese\tv1.16b, v19.16b\n\taesmc\tv1.16b, v1.16b // AES block 4k+5 - round 1\n\tpmull\tv11.1q, v4.1d, v15.1d // GHASH block 4k - low\n\tmov\td8, v4.d[1] // GHASH block 4k - mid\n\tpmull2\tv9.1q, v4.2d, v15.2d // GHASH block 4k - high\n\taese\tv2.16b, v21.16b\n\taesmc\tv2.16b, v2.16b // AES block 4k+6 - round 3\n\taese\tv1.16b, v20.16b\n\taesmc\tv1.16b, v1.16b // AES block 4k+5 - round 2\n\teor\tv8.8b, v8.8b, v4.8b // GHASH block 4k - mid\n\taese\tv0.16b, v20.16b\n\taesmc\tv0.16b, v0.16b // AES block 4k+4 - round 2\n\taese\tv3.16b, v19.16b\n\taesmc\tv3.16b, v3.16b // AES block 4k+7 - round 1\n\taese\tv1.16b, v21.16b\n\taesmc\tv1.16b, v1.16b // AES block 4k+5 - round 3\n\tpmull\tv10.1q, v8.1d, v10.1d // GHASH block 4k - mid\n\tpmull2\tv4.1q, v5.2d, v14.2d // GHASH block 4k+1 - high\n\tpmull\tv8.1q, v5.1d, v14.1d // GHASH block 4k+1 - low\n\taese\tv3.16b, v20.16b\n\taesmc\tv3.16b, v3.16b // AES block 4k+7 - round 2\n\teor\tv9.16b, v9.16b, v4.16b // GHASH block 4k+1 - high\n\tmov\td4, v5.d[1] // GHASH block 4k+1 - mid\n\taese\tv0.16b, v21.16b\n\taesmc\tv0.16b, v0.16b // AES block 4k+4 - round 3\n\teor\tv11.16b, v11.16b, v8.16b // GHASH block 4k+1 - low\n\taese\tv3.16b, v21.16b\n\taesmc\tv3.16b, v3.16b // AES block 4k+7 - round 3\n\teor\tv4.8b, v4.8b, v5.8b // GHASH block 4k+1 - mid\n\tmov\td8, v6.d[1] // GHASH block 4k+2 - mid\n\taese\tv0.16b, v22.16b\n\taesmc\tv0.16b, v0.16b // AES block 4k+4 - round 4\n\trev64\tv7.16b, v7.16b // GHASH block 4k+3 (t0, t1, t2 and t3 free)\n\taese\tv3.16b, v22.16b\n\taesmc\tv3.16b, v3.16b // AES block 4k+7 - round 4\n\tpmull\tv4.1q, v4.1d, v17.1d // GHASH block 4k+1 - mid\n\teor\tv8.8b, v8.8b, v6.8b // GHASH block 4k+2 - mid\n\tadd\tw12, w12, #1 // CTR block 4k+3\n\tpmull\tv5.1q, v6.1d, v13.1d // GHASH block 4k+2 - low\n\taese\tv3.16b, v23.16b\n\taesmc\tv3.16b, v3.16b // AES block 4k+7 - round 5\n\taese\tv2.16b, v22.16b\n\taesmc\tv2.16b, v2.16b // AES block 4k+6 - round 4\n\teor\tv10.16b, v10.16b, v4.16b // GHASH block 4k+1 - mid\n\tpmull2\tv4.1q, v6.2d, v13.2d // GHASH block 4k+2 - high\n\teor\tv11.16b, v11.16b, v5.16b // GHASH block 4k+2 - low\n\tins\tv8.d[1], v8.d[0] // GHASH block 4k+2 - mid\n\taese\tv2.16b, v23.16b\n\taesmc\tv2.16b, v2.16b // AES block 4k+6 - round 5\n\teor\tv9.16b, v9.16b, v4.16b // GHASH block 4k+2 - high\n\tmov\td4, v7.d[1] // GHASH block 4k+3 - mid\n\taese\tv1.16b, v22.16b\n\taesmc\tv1.16b, v1.16b // AES block 4k+5 - round 4\n\tpmull2\tv8.1q, v8.2d, v16.2d // GHASH block 4k+2 - mid\n\teor\tv4.8b, v4.8b, v7.8b // GHASH block 4k+3 - mid\n\tpmull2\tv5.1q, v7.2d, v12.2d // GHASH block 4k+3 - high\n\taese\tv1.16b, v23.16b\n\taesmc\tv1.16b, v1.16b // AES block 4k+5 - round 5\n\tpmull\tv4.1q, v4.1d, v16.1d // GHASH block 4k+3 - mid\n\teor\tv10.16b, v10.16b, v8.16b // GHASH block 4k+2 - mid\n\taese\tv0.16b, v23.16b\n\taesmc\tv0.16b, v0.16b // AES block 4k+4 - round 5\n\taese\tv1.16b, v24.16b\n\taesmc\tv1.16b, v1.16b // AES block 4k+5 - round 6\n\taese\tv2.16b, v24.16b\n\taesmc\tv2.16b, v2.16b // AES block 4k+6 - round 6\n\taese\tv0.16b, v24.16b\n\taesmc\tv0.16b, v0.16b // AES block 4k+4 - round 6\n\tmovi\tv8.8b, #0xc2\n\taese\tv3.16b, v24.16b\n\taesmc\tv3.16b, v3.16b // AES block 4k+7 - round 6\n\taese\tv1.16b, v25.16b\n\taesmc\tv1.16b, v1.16b // AES block 4k+5 - round 7\n\teor\tv9.16b, v9.16b, v5.16b // GHASH block 4k+3 - high\n\taese\tv0.16b, v25.16b\n\taesmc\tv0.16b, v0.16b // AES block 4k+4 - round 7\n\taese\tv3.16b, v25.16b\n\taesmc\tv3.16b, v3.16b // AES block 4k+7 - round 7\n\tshl\td8, d8, #56 // mod_constant\n\taese\tv1.16b, v26.16b\n\taesmc\tv1.16b, v1.16b // AES block 4k+5 - round 8\n\teor\tv10.16b, v10.16b, v4.16b // GHASH block 4k+3 - mid\n\tpmull\tv6.1q, v7.1d, v12.1d // GHASH block 4k+3 - low\n\taese\tv3.16b, v26.16b\n\taesmc\tv3.16b, v3.16b // AES block 4k+7 - round 8\n\tcmp\tx17, #12 // setup flags for AES-128/192/256 check\n\taese\tv0.16b, v26.16b\n\taesmc\tv0.16b, v0.16b // AES block 4k+4 - round 8\n\teor\tv11.16b, v11.16b, v6.16b // GHASH block 4k+3 - low\n\taese\tv2.16b, v25.16b\n\taesmc\tv2.16b, v2.16b // AES block 4k+6 - round 7\n\teor\tv10.16b, v10.16b, v9.16b // karatsuba tidy up\n\taese\tv2.16b, v26.16b\n\taesmc\tv2.16b, v2.16b // AES block 4k+6 - round 8\n\tpmull\tv4.1q, v9.1d, v8.1d\n\text\tv9.16b, v9.16b, v9.16b, #8\n\teor\tv10.16b, v10.16b, v11.16b\n\tb.lt\tLenc_finish_prepretail // branch if AES-128\n\n\taese\tv1.16b, v27.16b\n\taesmc\tv1.16b, v1.16b // AES block 4k+5 - round 9\n\taese\tv3.16b, v27.16b\n\taesmc\tv3.16b, v3.16b // AES block 4k+7 - round 9\n\taese\tv0.16b, v27.16b\n\taesmc\tv0.16b, v0.16b // AES block 4k+4 - round 9\n\taese\tv2.16b, v27.16b\n\taesmc\tv2.16b, v2.16b // AES block 4k+6 - round 9\n\taese\tv3.16b, v28.16b\n\taesmc\tv3.16b, v3.16b // AES block 4k+7 - round 10\n\taese\tv1.16b, v28.16b\n\taesmc\tv1.16b, v1.16b // AES block 4k+5 - round 10\n\taese\tv0.16b, v28.16b\n\taesmc\tv0.16b, v0.16b // AES block 4k+4 - round 10\n\taese\tv2.16b, v28.16b\n\taesmc\tv2.16b, v2.16b // AES block 4k+6 - round 10\n\tb.eq\tLenc_finish_prepretail // branch if AES-192\n\n\taese\tv1.16b, v29.16b\n\taesmc\tv1.16b, v1.16b // AES block 4k+5 - round 11\n\taese\tv0.16b, v29.16b\n\taesmc\tv0.16b, v0.16b // AES block 4k+4 - round 11\n\taese\tv3.16b, v29.16b\n\taesmc\tv3.16b, v3.16b // AES block 4k+7 - round 11\n\taese\tv2.16b, v29.16b\n\taesmc\tv2.16b, v2.16b // AES block 4k+6 - round 11\n\taese\tv1.16b, v30.16b\n\taesmc\tv1.16b, v1.16b // AES block 4k+5 - round 12\n\taese\tv0.16b, v30.16b\n\taesmc\tv0.16b, v0.16b // AES block 4k+4 - round 12\n\taese\tv3.16b, v30.16b\n\taesmc\tv3.16b, v3.16b // AES block 4k+7 - round 12\n\taese\tv2.16b, v30.16b\n\taesmc\tv2.16b, v2.16b // AES block 4k+6 - round 12\n\nLenc_finish_prepretail:\n\teor\tv10.16b, v10.16b, v4.16b\n\teor\tv10.16b, v10.16b, v9.16b\n\tpmull\tv4.1q, v10.1d, v8.1d\n\text\tv10.16b, v10.16b, v10.16b, #8\n\taese\tv1.16b, v31.16b // AES block 4k+5 - round N-1\n\teor\tv11.16b, v11.16b, v4.16b\n\taese\tv3.16b, v31.16b // AES block 4k+7 - round N-1\n\taese\tv0.16b, v31.16b // AES block 4k+4 - round N-1\n\taese\tv2.16b, v31.16b // AES block 4k+6 - round N-1\n\teor\tv11.16b, v11.16b, v10.16b\n\nLenc_tail:\t//\tTAIL\n\text\tv8.16b, v11.16b, v11.16b, #8 // prepare final partial tag\n\tsub\tx5, x4, x0 // main_end_input_ptr is number of bytes left to process\n\tldp\tx6, x7, [x0], #16 // AES block 4k+4 - load plaintext\n\teor\tx6, x6, x13 // AES block 4k+4 - round N low\n\teor\tx7, x7, x14 // AES block 4k+4 - round N high\n\tcmp\tx5, #48\n\tfmov\td4, x6 // AES block 4k+4 - mov low\n\tfmov\tv4.d[1], x7 // AES block 4k+4 - mov high\n\teor\tv5.16b, v4.16b, v0.16b // AES block 4k+4 - result\n\tb.gt\tLenc_blocks_more_than_3\n\tcmp\tx5, #32\n\tmov\tv3.16b, v2.16b\n\tmovi\tv11.8b, #0\n\tmovi\tv9.8b, #0\n\tsub\tw12, w12, #1\n\tmov\tv2.16b, v1.16b\n\tmovi\tv10.8b, #0\n\tb.gt\tLenc_blocks_more_than_2\n\tmov\tv3.16b, v1.16b\n\tsub\tw12, w12, #1\n\tcmp\tx5, #16\n\tb.gt\tLenc_blocks_more_than_1\n\tsub\tw12, w12, #1\n\tb\tLenc_blocks_less_than_1\nLenc_blocks_more_than_3:\t//\tblocks left > 3\n\tst1\t{ v5.16b}, [x2], #16 // AES final-3 block - store result\n\tldp\tx6, x7, [x0], #16 // AES final-2 block - load input low & high\n\trev64\tv4.16b, v5.16b // GHASH final-3 block\n\teor\tx6, x6, x13 // AES final-2 block - round N low\n\teor\tv4.16b, v4.16b, v8.16b // feed in partial tag\n\teor\tx7, x7, x14 // AES final-2 block - round N high\n\tmov\td22, v4.d[1] // GHASH final-3 block - mid\n\tfmov\td5, x6 // AES final-2 block - mov low\n\tfmov\tv5.d[1], x7 // AES final-2 block - mov high\n\teor\tv22.8b, v22.8b, v4.8b // GHASH final-3 block - mid\n\tmovi\tv8.8b, #0 // suppress further partial tag feed in\n\tmov\td10, v17.d[1] // GHASH final-3 block - mid\n\tpmull\tv11.1q, v4.1d, v15.1d // GHASH final-3 block - low\n\tpmull2\tv9.1q, v4.2d, v15.2d // GHASH final-3 block - high\n\tpmull\tv10.1q, v22.1d, v10.1d // GHASH final-3 block - mid\n\teor\tv5.16b, v5.16b, v1.16b // AES final-2 block - result\nLenc_blocks_more_than_2:\t//\tblocks left > 2\n\tst1\t{ v5.16b}, [x2], #16 // AES final-2 block - store result\n\tldp\tx6, x7, [x0], #16 // AES final-1 block - load input low & high\n\trev64\tv4.16b, v5.16b // GHASH final-2 block\n\teor\tx6, x6, x13 // AES final-1 block - round N low\n\teor\tv4.16b, v4.16b, v8.16b // feed in partial tag\n\tfmov\td5, x6 // AES final-1 block - mov low\n\teor\tx7, x7, x14 // AES final-1 block - round N high\n\tfmov\tv5.d[1], x7 // AES final-1 block - mov high\n\tmovi\tv8.8b, #0 // suppress further partial tag feed in\n\tpmull2\tv20.1q, v4.2d, v14.2d // GHASH final-2 block - high\n\tmov\td22, v4.d[1] // GHASH final-2 block - mid\n\tpmull\tv21.1q, v4.1d, v14.1d // GHASH final-2 block - low\n\teor\tv22.8b, v22.8b, v4.8b // GHASH final-2 block - mid\n\teor\tv5.16b, v5.16b, v2.16b // AES final-1 block - result\n\teor\tv9.16b, v9.16b, v20.16b // GHASH final-2 block - high\n\tpmull\tv22.1q, v22.1d, v17.1d // GHASH final-2 block - mid\n\teor\tv11.16b, v11.16b, v21.16b // GHASH final-2 block - low\n\teor\tv10.16b, v10.16b, v22.16b // GHASH final-2 block - mid\nLenc_blocks_more_than_1:\t//\tblocks left > 1\n\tst1\t{ v5.16b}, [x2], #16 // AES final-1 block - store result\n\trev64\tv4.16b, v5.16b // GHASH final-1 block\n\tldp\tx6, x7, [x0], #16 // AES final block - load input low & high\n\teor\tv4.16b, v4.16b, v8.16b // feed in partial tag\n\tmovi\tv8.8b, #0 // suppress further partial tag feed in\n\teor\tx6, x6, x13 // AES final block - round N low\n\tmov\td22, v4.d[1] // GHASH final-1 block - mid\n\tpmull2\tv20.1q, v4.2d, v13.2d // GHASH final-1 block - high\n\teor\tx7, x7, x14 // AES final block - round N high\n\teor\tv22.8b, v22.8b, v4.8b // GHASH final-1 block - mid\n\teor\tv9.16b, v9.16b, v20.16b // GHASH final-1 block - high\n\tins\tv22.d[1], v22.d[0] // GHASH final-1 block - mid\n\tfmov\td5, x6 // AES final block - mov low\n\tfmov\tv5.d[1], x7 // AES final block - mov high\n\tpmull2\tv22.1q, v22.2d, v16.2d // GHASH final-1 block - mid\n\tpmull\tv21.1q, v4.1d, v13.1d // GHASH final-1 block - low\n\teor\tv5.16b, v5.16b, v3.16b // AES final block - result\n\teor\tv10.16b, v10.16b, v22.16b // GHASH final-1 block - mid\n\teor\tv11.16b, v11.16b, v21.16b // GHASH final-1 block - low\nLenc_blocks_less_than_1:\t//\tblocks left <= 1\n\tand\tx1, x1, #127 // bit_length %= 128\n\tmvn\tx13, xzr // rkN_l = 0xffffffffffffffff\n\tsub\tx1, x1, #128 // bit_length -= 128\n\tneg\tx1, x1 // bit_length = 128 - #bits in input (in range [1,128])\n\tld1\t{ v18.16b}, [x2] // load existing bytes where the possibly partial last block is to be stored\n\tmvn\tx14, xzr // rkN_h = 0xffffffffffffffff\n\tand\tx1, x1, #127 // bit_length %= 128\n\tlsr\tx14, x14, x1 // rkN_h is mask for top 64b of last block\n\tcmp\tx1, #64\n\tcsel\tx6, x13, x14, lt\n\tcsel\tx7, x14, xzr, lt\n\tfmov\td0, x6 // ctr0b is mask for last block\n\tfmov\tv0.d[1], x7\n\tand\tv5.16b, v5.16b, v0.16b // possibly partial last block has zeroes in highest bits\n\trev64\tv4.16b, v5.16b // GHASH final block\n\teor\tv4.16b, v4.16b, v8.16b // feed in partial tag\n\tbif\tv5.16b, v18.16b, v0.16b // insert existing bytes in top end of result before storing\n\tpmull2\tv20.1q, v4.2d, v12.2d // GHASH final block - high\n\tmov\td8, v4.d[1] // GHASH final block - mid\n\trev\tw9, w12\n\tpmull\tv21.1q, v4.1d, v12.1d // GHASH final block - low\n\teor\tv9.16b, v9.16b, v20.16b // GHASH final block - high\n\teor\tv8.8b, v8.8b, v4.8b // GHASH final block - mid\n\tpmull\tv8.1q, v8.1d, v16.1d // GHASH final block - mid\n\teor\tv11.16b, v11.16b, v21.16b // GHASH final block - low\n\teor\tv10.16b, v10.16b, v8.16b // GHASH final block - mid\n\tmovi\tv8.8b, #0xc2\n\teor\tv4.16b, v11.16b, v9.16b // MODULO - karatsuba tidy up\n\tshl\td8, d8, #56 // mod_constant\n\teor\tv10.16b, v10.16b, v4.16b // MODULO - karatsuba tidy up\n\tpmull\tv7.1q, v9.1d, v8.1d // MODULO - top 64b align with mid\n\text\tv9.16b, v9.16b, v9.16b, #8 // MODULO - other top alignment\n\teor\tv10.16b, v10.16b, v7.16b // MODULO - fold into mid\n\teor\tv10.16b, v10.16b, v9.16b // MODULO - fold into mid\n\tpmull\tv9.1q, v10.1d, v8.1d // MODULO - mid 64b align with low\n\text\tv10.16b, v10.16b, v10.16b, #8 // MODULO - other mid alignment\n\tstr\tw9, [x16, #12] // store the updated counter\n\tst1\t{ v5.16b}, [x2] // store all 16B\n\teor\tv11.16b, v11.16b, v9.16b // MODULO - fold into low\n\teor\tv11.16b, v11.16b, v10.16b // MODULO - fold into low\n\text\tv11.16b, v11.16b, v11.16b, #8\n\trev64\tv11.16b, v11.16b\n\tmov\tx0, x15\n\tst1\t{ v11.16b }, [x3]\n\tldp\tx19, x20, [sp, #16]\n\tldp\tx21, x22, [sp, #32]\n\tldp\tx23, x24, [sp, #48]\n\tldp\td8, d9, [sp, #64]\n\tldp\td10, d11, [sp, #80]\n\tldp\td12, d13, [sp, #96]\n\tldp\td14, d15, [sp, #112]\n\tldp\tx29, x30, [sp], #128\n\tAARCH64_VALIDATE_LINK_REGISTER\n\tret\n\n.globl\t_aes_gcm_dec_kernel\n.private_extern\t_aes_gcm_dec_kernel\n\n.align\t4\n_aes_gcm_dec_kernel:\n\tAARCH64_SIGN_LINK_REGISTER\n\tstp\tx29, x30, [sp, #-128]!\n\tmov\tx29, sp\n\tstp\tx19, x20, [sp, #16]\n\tmov\tx16, x4\n\tmov\tx8, x5\n\tstp\tx21, x22, [sp, #32]\n\tstp\tx23, x24, [sp, #48]\n\tstp\td8, d9, [sp, #64]\n\tstp\td10, d11, [sp, #80]\n\tstp\td12, d13, [sp, #96]\n\tstp\td14, d15, [sp, #112]\n\tldr\tw17, [x8, #240]\n\tadd\tx19, x8, x17, lsl #4 // borrow input_l1 for last key\n\tldp\tx13, x14, [x19] // load round N keys\n\tldr\tq31, [x19, #-16] // load round N-1 keys\n\tlsr\tx5, x1, #3 // byte_len\n\tmov\tx15, x5\n\tldp\tx10, x11, [x16] // ctr96_b64, ctr96_t32\n\tldr\tq26, [x8, #128] // load rk8\n\tsub\tx5, x5, #1 // byte_len - 1\n\tldr\tq25, [x8, #112] // load rk7\n\tand\tx5, x5, #0xffffffffffffffc0 // number of bytes to be processed in main loop (at least 1 byte must be handled by tail)\n\tadd\tx4, x0, x1, lsr #3 // end_input_ptr\n\tldr\tq24, [x8, #96] // load rk6\n\tlsr\tx12, x11, #32\n\tldr\tq23, [x8, #80] // load rk5\n\torr\tw11, w11, w11\n\tldr\tq21, [x8, #48] // load rk3\n\tadd\tx5, x5, x0\n\trev\tw12, w12 // rev_ctr32\n\tadd\tw12, w12, #1 // increment rev_ctr32\n\tfmov\td3, x10 // CTR block 3\n\trev\tw9, w12 // CTR block 1\n\tadd\tw12, w12, #1 // CTR block 1\n\tfmov\td1, x10 // CTR block 1\n\torr\tx9, x11, x9, lsl #32 // CTR block 1\n\tld1\t{ v0.16b}, [x16] // special case vector load initial counter so we can start first AES block as quickly as possible\n\tfmov\tv1.d[1], x9 // CTR block 1\n\trev\tw9, w12 // CTR block 2\n\tadd\tw12, w12, #1 // CTR block 2\n\tfmov\td2, x10 // CTR block 2\n\torr\tx9, x11, x9, lsl #32 // CTR block 2\n\tfmov\tv2.d[1], x9 // CTR block 2\n\trev\tw9, w12 // CTR block 3\n\torr\tx9, x11, x9, lsl #32 // CTR block 3\n\tldr\tq18, [x8, #0] // load rk0\n\tfmov\tv3.d[1], x9 // CTR block 3\n\tadd\tw12, w12, #1 // CTR block 3\n\tldr\tq22, [x8, #64] // load rk4\n\tldr\tq19, [x8, #16] // load rk1\n\taese\tv0.16b, v18.16b\n\taesmc\tv0.16b, v0.16b // AES block 0 - round 0\n\tldr\tq14, [x6, #48] // load h3l | h3h\n\text\tv14.16b, v14.16b, v14.16b, #8\n\taese\tv3.16b, v18.16b\n\taesmc\tv3.16b, v3.16b // AES block 3 - round 0\n\tldr\tq15, [x6, #80] // load h4l | h4h\n\text\tv15.16b, v15.16b, v15.16b, #8\n\taese\tv1.16b, v18.16b\n\taesmc\tv1.16b, v1.16b // AES block 1 - round 0\n\tldr\tq13, [x6, #32] // load h2l | h2h\n\text\tv13.16b, v13.16b, v13.16b, #8\n\taese\tv2.16b, v18.16b\n\taesmc\tv2.16b, v2.16b // AES block 2 - round 0\n\tldr\tq20, [x8, #32] // load rk2\n\taese\tv0.16b, v19.16b\n\taesmc\tv0.16b, v0.16b // AES block 0 - round 1\n\taese\tv1.16b, v19.16b\n\taesmc\tv1.16b, v1.16b // AES block 1 - round 1\n\tld1\t{ v11.16b}, [x3]\n\text\tv11.16b, v11.16b, v11.16b, #8\n\trev64\tv11.16b, v11.16b\n\taese\tv2.16b, v19.16b\n\taesmc\tv2.16b, v2.16b // AES block 2 - round 1\n\tldr\tq27, [x8, #144] // load rk9\n\taese\tv3.16b, v19.16b\n\taesmc\tv3.16b, v3.16b // AES block 3 - round 1\n\tldr\tq30, [x8, #192] // load rk12\n\taese\tv0.16b, v20.16b\n\taesmc\tv0.16b, v0.16b // AES block 0 - round 2\n\tldr\tq12, [x6] // load h1l | h1h\n\text\tv12.16b, v12.16b, v12.16b, #8\n\taese\tv2.16b, v20.16b\n\taesmc\tv2.16b, v2.16b // AES block 2 - round 2\n\tldr\tq28, [x8, #160] // load rk10\n\taese\tv3.16b, v20.16b\n\taesmc\tv3.16b, v3.16b // AES block 3 - round 2\n\taese\tv0.16b, v21.16b\n\taesmc\tv0.16b, v0.16b // AES block 0 - round 3\n\taese\tv1.16b, v20.16b\n\taesmc\tv1.16b, v1.16b // AES block 1 - round 2\n\taese\tv3.16b, v21.16b\n\taesmc\tv3.16b, v3.16b // AES block 3 - round 3\n\taese\tv0.16b, v22.16b\n\taesmc\tv0.16b, v0.16b // AES block 0 - round 4\n\taese\tv2.16b, v21.16b\n\taesmc\tv2.16b, v2.16b // AES block 2 - round 3\n\taese\tv1.16b, v21.16b\n\taesmc\tv1.16b, v1.16b // AES block 1 - round 3\n\taese\tv3.16b, v22.16b\n\taesmc\tv3.16b, v3.16b // AES block 3 - round 4\n\taese\tv2.16b, v22.16b\n\taesmc\tv2.16b, v2.16b // AES block 2 - round 4\n\taese\tv1.16b, v22.16b\n\taesmc\tv1.16b, v1.16b // AES block 1 - round 4\n\taese\tv3.16b, v23.16b\n\taesmc\tv3.16b, v3.16b // AES block 3 - round 5\n\taese\tv0.16b, v23.16b\n\taesmc\tv0.16b, v0.16b // AES block 0 - round 5\n\taese\tv1.16b, v23.16b\n\taesmc\tv1.16b, v1.16b // AES block 1 - round 5\n\taese\tv2.16b, v23.16b\n\taesmc\tv2.16b, v2.16b // AES block 2 - round 5\n\taese\tv0.16b, v24.16b\n\taesmc\tv0.16b, v0.16b // AES block 0 - round 6\n\taese\tv3.16b, v24.16b\n\taesmc\tv3.16b, v3.16b // AES block 3 - round 6\n\tcmp\tx17, #12 // setup flags for AES-128/192/256 check\n\taese\tv1.16b, v24.16b\n\taesmc\tv1.16b, v1.16b // AES block 1 - round 6\n\taese\tv2.16b, v24.16b\n\taesmc\tv2.16b, v2.16b // AES block 2 - round 6\n\taese\tv0.16b, v25.16b\n\taesmc\tv0.16b, v0.16b // AES block 0 - round 7\n\taese\tv1.16b, v25.16b\n\taesmc\tv1.16b, v1.16b // AES block 1 - round 7\n\taese\tv3.16b, v25.16b\n\taesmc\tv3.16b, v3.16b // AES block 3 - round 7\n\taese\tv0.16b, v26.16b\n\taesmc\tv0.16b, v0.16b // AES block 0 - round 8\n\taese\tv2.16b, v25.16b\n\taesmc\tv2.16b, v2.16b // AES block 2 - round 7\n\taese\tv3.16b, v26.16b\n\taesmc\tv3.16b, v3.16b // AES block 3 - round 8\n\taese\tv1.16b, v26.16b\n\taesmc\tv1.16b, v1.16b // AES block 1 - round 8\n\tldr\tq29, [x8, #176] // load rk11\n\taese\tv2.16b, v26.16b\n\taesmc\tv2.16b, v2.16b // AES block 2 - round 8\n\tb.lt\tLdec_finish_first_blocks // branch if AES-128\n\n\taese\tv0.16b, v27.16b\n\taesmc\tv0.16b, v0.16b // AES block 0 - round 9\n\taese\tv1.16b, v27.16b\n\taesmc\tv1.16b, v1.16b // AES block 1 - round 9\n\taese\tv3.16b, v27.16b\n\taesmc\tv3.16b, v3.16b // AES block 3 - round 9\n\taese\tv2.16b, v27.16b\n\taesmc\tv2.16b, v2.16b // AES block 2 - round 9\n\taese\tv0.16b, v28.16b\n\taesmc\tv0.16b, v0.16b // AES block 0 - round 10\n\taese\tv1.16b, v28.16b\n\taesmc\tv1.16b, v1.16b // AES block 1 - round 10\n\taese\tv3.16b, v28.16b\n\taesmc\tv3.16b, v3.16b // AES block 3 - round 10\n\taese\tv2.16b, v28.16b\n\taesmc\tv2.16b, v2.16b // AES block 2 - round 10\n\tb.eq\tLdec_finish_first_blocks // branch if AES-192\n\n\taese\tv0.16b, v29.16b\n\taesmc\tv0.16b, v0.16b // AES block 0 - round 11\n\taese\tv3.16b, v29.16b\n\taesmc\tv3.16b, v3.16b // AES block 3 - round 11\n\taese\tv1.16b, v29.16b\n\taesmc\tv1.16b, v1.16b // AES block 1 - round 11\n\taese\tv2.16b, v29.16b\n\taesmc\tv2.16b, v2.16b // AES block 2 - round 11\n\taese\tv1.16b, v30.16b\n\taesmc\tv1.16b, v1.16b // AES block 1 - round 12\n\taese\tv0.16b, v30.16b\n\taesmc\tv0.16b, v0.16b // AES block 0 - round 12\n\taese\tv2.16b, v30.16b\n\taesmc\tv2.16b, v2.16b // AES block 2 - round 12\n\taese\tv3.16b, v30.16b\n\taesmc\tv3.16b, v3.16b // AES block 3 - round 12\n\nLdec_finish_first_blocks:\n\tcmp\tx0, x5 // check if we have <= 4 blocks\n\ttrn1\tv9.2d, v14.2d, v15.2d // h4h | h3h\n\ttrn2\tv17.2d, v14.2d, v15.2d // h4l | h3l\n\ttrn1\tv8.2d, v12.2d, v13.2d // h2h | h1h\n\ttrn2\tv16.2d, v12.2d, v13.2d // h2l | h1l\n\teor\tv17.16b, v17.16b, v9.16b // h4k | h3k\n\taese\tv1.16b, v31.16b // AES block 1 - round N-1\n\taese\tv2.16b, v31.16b // AES block 2 - round N-1\n\teor\tv16.16b, v16.16b, v8.16b // h2k | h1k\n\taese\tv3.16b, v31.16b // AES block 3 - round N-1\n\taese\tv0.16b, v31.16b // AES block 0 - round N-1\n\tb.ge\tLdec_tail // handle tail\n\n\tldr\tq4, [x0, #0] // AES block 0 - load ciphertext\n\tldr\tq5, [x0, #16] // AES block 1 - load ciphertext\n\trev\tw9, w12 // CTR block 4\n\teor\tv0.16b, v4.16b, v0.16b // AES block 0 - result\n\teor\tv1.16b, v5.16b, v1.16b // AES block 1 - result\n\trev64\tv5.16b, v5.16b // GHASH block 1\n\tldr\tq7, [x0, #48] // AES block 3 - load ciphertext\n\tmov\tx7, v0.d[1] // AES block 0 - mov high\n\tmov\tx6, v0.d[0] // AES block 0 - mov low\n\trev64\tv4.16b, v4.16b // GHASH block 0\n\tadd\tw12, w12, #1 // CTR block 4\n\tfmov\td0, x10 // CTR block 4\n\torr\tx9, x11, x9, lsl #32 // CTR block 4\n\tfmov\tv0.d[1], x9 // CTR block 4\n\trev\tw9, w12 // CTR block 5\n\tadd\tw12, w12, #1 // CTR block 5\n\tmov\tx19, v1.d[0] // AES block 1 - mov low\n\torr\tx9, x11, x9, lsl #32 // CTR block 5\n\tmov\tx20, v1.d[1] // AES block 1 - mov high\n\teor\tx7, x7, x14 // AES block 0 - round N high\n\teor\tx6, x6, x13 // AES block 0 - round N low\n\tstp\tx6, x7, [x2], #16 // AES block 0 - store result\n\tfmov\td1, x10 // CTR block 5\n\tldr\tq6, [x0, #32] // AES block 2 - load ciphertext\n\tadd\tx0, x0, #64 // AES input_ptr update\n\tfmov\tv1.d[1], x9 // CTR block 5\n\trev\tw9, w12 // CTR block 6\n\tadd\tw12, w12, #1 // CTR block 6\n\teor\tx19, x19, x13 // AES block 1 - round N low\n\torr\tx9, x11, x9, lsl #32 // CTR block 6\n\teor\tx20, x20, x14 // AES block 1 - round N high\n\tstp\tx19, x20, [x2], #16 // AES block 1 - store result\n\teor\tv2.16b, v6.16b, v2.16b // AES block 2 - result\n\tcmp\tx0, x5 // check if we have <= 8 blocks\n\tb.ge\tLdec_prepretail // do prepretail\n\nLdec_main_loop:\t//\tmain loop start\n\tmov\tx21, v2.d[0] // AES block 4k+2 - mov low\n\text\tv11.16b, v11.16b, v11.16b, #8 // PRE 0\n\teor\tv3.16b, v7.16b, v3.16b // AES block 4k+3 - result\n\taese\tv0.16b, v18.16b\n\taesmc\tv0.16b, v0.16b // AES block 4k+4 - round 0\n\tmov\tx22, v2.d[1] // AES block 4k+2 - mov high\n\taese\tv1.16b, v18.16b\n\taesmc\tv1.16b, v1.16b // AES block 4k+5 - round 0\n\tfmov\td2, x10 // CTR block 4k+6\n\tfmov\tv2.d[1], x9 // CTR block 4k+6\n\teor\tv4.16b, v4.16b, v11.16b // PRE 1\n\trev\tw9, w12 // CTR block 4k+7\n\taese\tv0.16b, v19.16b\n\taesmc\tv0.16b, v0.16b // AES block 4k+4 - round 1\n\tmov\tx24, v3.d[1] // AES block 4k+3 - mov high\n\taese\tv1.16b, v19.16b\n\taesmc\tv1.16b, v1.16b // AES block 4k+5 - round 1\n\tmov\tx23, v3.d[0] // AES block 4k+3 - mov low\n\tpmull2\tv9.1q, v4.2d, v15.2d // GHASH block 4k - high\n\tmov\td8, v4.d[1] // GHASH block 4k - mid\n\tfmov\td3, x10 // CTR block 4k+7\n\taese\tv0.16b, v20.16b\n\taesmc\tv0.16b, v0.16b // AES block 4k+4 - round 2\n\torr\tx9, x11, x9, lsl #32 // CTR block 4k+7\n\taese\tv2.16b, v18.16b\n\taesmc\tv2.16b, v2.16b // AES block 4k+6 - round 0\n\tfmov\tv3.d[1], x9 // CTR block 4k+7\n\taese\tv1.16b, v20.16b\n\taesmc\tv1.16b, v1.16b // AES block 4k+5 - round 2\n\teor\tv8.8b, v8.8b, v4.8b // GHASH block 4k - mid\n\taese\tv0.16b, v21.16b\n\taesmc\tv0.16b, v0.16b // AES block 4k+4 - round 3\n\teor\tx22, x22, x14 // AES block 4k+2 - round N high\n\taese\tv2.16b, v19.16b\n\taesmc\tv2.16b, v2.16b // AES block 4k+6 - round 1\n\tmov\td10, v17.d[1] // GHASH block 4k - mid\n\taese\tv1.16b, v21.16b\n\taesmc\tv1.16b, v1.16b // AES block 4k+5 - round 3\n\trev64\tv6.16b, v6.16b // GHASH block 4k+2\n\taese\tv3.16b, v18.16b\n\taesmc\tv3.16b, v3.16b // AES block 4k+7 - round 0\n\teor\tx21, x21, x13 // AES block 4k+2 - round N low\n\taese\tv2.16b, v20.16b\n\taesmc\tv2.16b, v2.16b // AES block 4k+6 - round 2\n\tstp\tx21, x22, [x2], #16 // AES block 4k+2 - store result\n\tpmull\tv11.1q, v4.1d, v15.1d // GHASH block 4k - low\n\tpmull2\tv4.1q, v5.2d, v14.2d // GHASH block 4k+1 - high\n\taese\tv2.16b, v21.16b\n\taesmc\tv2.16b, v2.16b // AES block 4k+6 - round 3\n\trev64\tv7.16b, v7.16b // GHASH block 4k+3\n\tpmull\tv10.1q, v8.1d, v10.1d // GHASH block 4k - mid\n\teor\tx23, x23, x13 // AES block 4k+3 - round N low\n\tpmull\tv8.1q, v5.1d, v14.1d // GHASH block 4k+1 - low\n\teor\tx24, x24, x14 // AES block 4k+3 - round N high\n\teor\tv9.16b, v9.16b, v4.16b // GHASH block 4k+1 - high\n\taese\tv2.16b, v22.16b\n\taesmc\tv2.16b, v2.16b // AES block 4k+6 - round 4\n\taese\tv3.16b, v19.16b\n\taesmc\tv3.16b, v3.16b // AES block 4k+7 - round 1\n\tmov\td4, v5.d[1] // GHASH block 4k+1 - mid\n\taese\tv0.16b, v22.16b\n\taesmc\tv0.16b, v0.16b // AES block 4k+4 - round 4\n\teor\tv11.16b, v11.16b, v8.16b // GHASH block 4k+1 - low\n\taese\tv2.16b, v23.16b\n\taesmc\tv2.16b, v2.16b // AES block 4k+6 - round 5\n\tadd\tw12, w12, #1 // CTR block 4k+7\n\taese\tv3.16b, v20.16b\n\taesmc\tv3.16b, v3.16b // AES block 4k+7 - round 2\n\tmov\td8, v6.d[1] // GHASH block 4k+2 - mid\n\taese\tv1.16b, v22.16b\n\taesmc\tv1.16b, v1.16b // AES block 4k+5 - round 4\n\teor\tv4.8b, v4.8b, v5.8b // GHASH block 4k+1 - mid\n\tpmull\tv5.1q, v6.1d, v13.1d // GHASH block 4k+2 - low\n\taese\tv3.16b, v21.16b\n\taesmc\tv3.16b, v3.16b // AES block 4k+7 - round 3\n\teor\tv8.8b, v8.8b, v6.8b // GHASH block 4k+2 - mid\n\taese\tv1.16b, v23.16b\n\taesmc\tv1.16b, v1.16b // AES block 4k+5 - round 5\n\taese\tv0.16b, v23.16b\n\taesmc\tv0.16b, v0.16b // AES block 4k+4 - round 5\n\teor\tv11.16b, v11.16b, v5.16b // GHASH block 4k+2 - low\n\tpmull\tv4.1q, v4.1d, v17.1d // GHASH block 4k+1 - mid\n\trev\tw9, w12 // CTR block 4k+8\n\taese\tv1.16b, v24.16b\n\taesmc\tv1.16b, v1.16b // AES block 4k+5 - round 6\n\tins\tv8.d[1], v8.d[0] // GHASH block 4k+2 - mid\n\taese\tv0.16b, v24.16b\n\taesmc\tv0.16b, v0.16b // AES block 4k+4 - round 6\n\tadd\tw12, w12, #1 // CTR block 4k+8\n\taese\tv3.16b, v22.16b\n\taesmc\tv3.16b, v3.16b // AES block 4k+7 - round 4\n\taese\tv1.16b, v25.16b\n\taesmc\tv1.16b, v1.16b // AES block 4k+5 - round 7\n\teor\tv10.16b, v10.16b, v4.16b // GHASH block 4k+1 - mid\n\taese\tv0.16b, v25.16b\n\taesmc\tv0.16b, v0.16b // AES block 4k+4 - round 7\n\tpmull2\tv4.1q, v6.2d, v13.2d // GHASH block 4k+2 - high\n\tmov\td6, v7.d[1] // GHASH block 4k+3 - mid\n\taese\tv3.16b, v23.16b\n\taesmc\tv3.16b, v3.16b // AES block 4k+7 - round 5\n\tpmull2\tv8.1q, v8.2d, v16.2d // GHASH block 4k+2 - mid\n\taese\tv0.16b, v26.16b\n\taesmc\tv0.16b, v0.16b // AES block 4k+4 - round 8\n\teor\tv9.16b, v9.16b, v4.16b // GHASH block 4k+2 - high\n\taese\tv3.16b, v24.16b\n\taesmc\tv3.16b, v3.16b // AES block 4k+7 - round 6\n\tpmull\tv4.1q, v7.1d, v12.1d // GHASH block 4k+3 - low\n\torr\tx9, x11, x9, lsl #32 // CTR block 4k+8\n\teor\tv10.16b, v10.16b, v8.16b // GHASH block 4k+2 - mid\n\tpmull2\tv5.1q, v7.2d, v12.2d // GHASH block 4k+3 - high\n\tcmp\tx17, #12 // setup flags for AES-128/192/256 check\n\teor\tv6.8b, v6.8b, v7.8b // GHASH block 4k+3 - mid\n\taese\tv1.16b, v26.16b\n\taesmc\tv1.16b, v1.16b // AES block 4k+5 - round 8\n\taese\tv2.16b, v24.16b\n\taesmc\tv2.16b, v2.16b // AES block 4k+6 - round 6\n\teor\tv9.16b, v9.16b, v5.16b // GHASH block 4k+3 - high\n\tpmull\tv6.1q, v6.1d, v16.1d // GHASH block 4k+3 - mid\n\tmovi\tv8.8b, #0xc2\n\taese\tv2.16b, v25.16b\n\taesmc\tv2.16b, v2.16b // AES block 4k+6 - round 7\n\teor\tv11.16b, v11.16b, v4.16b // GHASH block 4k+3 - low\n\taese\tv3.16b, v25.16b\n\taesmc\tv3.16b, v3.16b // AES block 4k+7 - round 7\n\tshl\td8, d8, #56 // mod_constant\n\taese\tv2.16b, v26.16b\n\taesmc\tv2.16b, v2.16b // AES block 4k+6 - round 8\n\teor\tv10.16b, v10.16b, v6.16b // GHASH block 4k+3 - mid\n\taese\tv3.16b, v26.16b\n\taesmc\tv3.16b, v3.16b // AES block 4k+7 - round 8\n\tb.lt\tLdec_main_loop_continue // branch if AES-128\n\n\taese\tv0.16b, v27.16b\n\taesmc\tv0.16b, v0.16b // AES block 4k+4 - round 9\n\taese\tv2.16b, v27.16b\n\taesmc\tv2.16b, v2.16b // AES block 4k+6 - round 9\n\taese\tv1.16b, v27.16b\n\taesmc\tv1.16b, v1.16b // AES block 4k+5 - round 9\n\taese\tv3.16b, v27.16b\n\taesmc\tv3.16b, v3.16b // AES block 4k+7 - round 9\n\taese\tv0.16b, v28.16b\n\taesmc\tv0.16b, v0.16b // AES block 4k+4 - round 10\n\taese\tv1.16b, v28.16b\n\taesmc\tv1.16b, v1.16b // AES block 4k+5 - round 10\n\taese\tv2.16b, v28.16b\n\taesmc\tv2.16b, v2.16b // AES block 4k+6 - round 10\n\taese\tv3.16b, v28.16b\n\taesmc\tv3.16b, v3.16b // AES block 4k+7 - round 10\n\tb.eq\tLdec_main_loop_continue // branch if AES-192\n\n\taese\tv0.16b, v29.16b\n\taesmc\tv0.16b, v0.16b // AES block 4k+4 - round 11\n\taese\tv1.16b, v29.16b\n\taesmc\tv1.16b, v1.16b // AES block 4k+5 - round 11\n\taese\tv2.16b, v29.16b\n\taesmc\tv2.16b, v2.16b // AES block 4k+6 - round 11\n\taese\tv3.16b, v29.16b\n\taesmc\tv3.16b, v3.16b // AES block 4k+7 - round 11\n\taese\tv0.16b, v30.16b\n\taesmc\tv0.16b, v0.16b // AES block 4k+4 - round 12\n\taese\tv1.16b, v30.16b\n\taesmc\tv1.16b, v1.16b // AES block 4k+5 - round 12\n\taese\tv2.16b, v30.16b\n\taesmc\tv2.16b, v2.16b // AES block 4k+6 - round 12\n\taese\tv3.16b, v30.16b\n\taesmc\tv3.16b, v3.16b // AES block 4k+7 - round 12\n\nLdec_main_loop_continue:\n\tpmull\tv7.1q, v9.1d, v8.1d // MODULO - top 64b align with mid\n\teor\tv6.16b, v11.16b, v9.16b // MODULO - karatsuba tidy up\n\tldr\tq4, [x0, #0] // AES block 4k+4 - load ciphertext\n\taese\tv0.16b, v31.16b // AES block 4k+4 - round N-1\n\text\tv9.16b, v9.16b, v9.16b, #8 // MODULO - other top alignment\n\teor\tv10.16b, v10.16b, v6.16b // MODULO - karatsuba tidy up\n\tldr\tq5, [x0, #16] // AES block 4k+5 - load ciphertext\n\teor\tv0.16b, v4.16b, v0.16b // AES block 4k+4 - result\n\tstp\tx23, x24, [x2], #16 // AES block 4k+3 - store result\n\teor\tv10.16b, v10.16b, v7.16b // MODULO - fold into mid\n\tldr\tq7, [x0, #48] // AES block 4k+7 - load ciphertext\n\tldr\tq6, [x0, #32] // AES block 4k+6 - load ciphertext\n\tmov\tx7, v0.d[1] // AES block 4k+4 - mov high\n\teor\tv10.16b, v10.16b, v9.16b // MODULO - fold into mid\n\taese\tv1.16b, v31.16b // AES block 4k+5 - round N-1\n\tadd\tx0, x0, #64 // AES input_ptr update\n\tmov\tx6, v0.d[0] // AES block 4k+4 - mov low\n\tfmov\td0, x10 // CTR block 4k+8\n\tfmov\tv0.d[1], x9 // CTR block 4k+8\n\tpmull\tv8.1q, v10.1d, v8.1d // MODULO - mid 64b align with low\n\teor\tv1.16b, v5.16b, v1.16b // AES block 4k+5 - result\n\trev\tw9, w12 // CTR block 4k+9\n\taese\tv2.16b, v31.16b // AES block 4k+6 - round N-1\n\torr\tx9, x11, x9, lsl #32 // CTR block 4k+9\n\tcmp\tx0, x5 // LOOP CONTROL\n\tadd\tw12, w12, #1 // CTR block 4k+9\n\teor\tx6, x6, x13 // AES block 4k+4 - round N low\n\teor\tx7, x7, x14 // AES block 4k+4 - round N high\n\tmov\tx20, v1.d[1] // AES block 4k+5 - mov high\n\teor\tv2.16b, v6.16b, v2.16b // AES block 4k+6 - result\n\teor\tv11.16b, v11.16b, v8.16b // MODULO - fold into low\n\tmov\tx19, v1.d[0] // AES block 4k+5 - mov low\n\tfmov\td1, x10 // CTR block 4k+9\n\text\tv10.16b, v10.16b, v10.16b, #8 // MODULO - other mid alignment\n\tfmov\tv1.d[1], x9 // CTR block 4k+9\n\trev\tw9, w12 // CTR block 4k+10\n\tadd\tw12, w12, #1 // CTR block 4k+10\n\taese\tv3.16b, v31.16b // AES block 4k+7 - round N-1\n\torr\tx9, x11, x9, lsl #32 // CTR block 4k+10\n\trev64\tv5.16b, v5.16b // GHASH block 4k+5\n\teor\tx20, x20, x14 // AES block 4k+5 - round N high\n\tstp\tx6, x7, [x2], #16 // AES block 4k+4 - store result\n\teor\tx19, x19, x13 // AES block 4k+5 - round N low\n\tstp\tx19, x20, [x2], #16 // AES block 4k+5 - store result\n\trev64\tv4.16b, v4.16b // GHASH block 4k+4\n\teor\tv11.16b, v11.16b, v10.16b // MODULO - fold into low\n\tb.lt\tLdec_main_loop\n\nLdec_prepretail:\t//\tPREPRETAIL\n\text\tv11.16b, v11.16b, v11.16b, #8 // PRE 0\n\tmov\tx21, v2.d[0] // AES block 4k+2 - mov low\n\teor\tv3.16b, v7.16b, v3.16b // AES block 4k+3 - result\n\taese\tv0.16b, v18.16b\n\taesmc\tv0.16b, v0.16b // AES block 4k+4 - round 0\n\tmov\tx22, v2.d[1] // AES block 4k+2 - mov high\n\taese\tv1.16b, v18.16b\n\taesmc\tv1.16b, v1.16b // AES block 4k+5 - round 0\n\tfmov\td2, x10 // CTR block 4k+6\n\tfmov\tv2.d[1], x9 // CTR block 4k+6\n\trev\tw9, w12 // CTR block 4k+7\n\teor\tv4.16b, v4.16b, v11.16b // PRE 1\n\trev64\tv6.16b, v6.16b // GHASH block 4k+2\n\torr\tx9, x11, x9, lsl #32 // CTR block 4k+7\n\tmov\tx23, v3.d[0] // AES block 4k+3 - mov low\n\taese\tv1.16b, v19.16b\n\taesmc\tv1.16b, v1.16b // AES block 4k+5 - round 1\n\tmov\tx24, v3.d[1] // AES block 4k+3 - mov high\n\tpmull\tv11.1q, v4.1d, v15.1d // GHASH block 4k - low\n\tmov\td8, v4.d[1] // GHASH block 4k - mid\n\tfmov\td3, x10 // CTR block 4k+7\n\tpmull2\tv9.1q, v4.2d, v15.2d // GHASH block 4k - high\n\tfmov\tv3.d[1], x9 // CTR block 4k+7\n\taese\tv2.16b, v18.16b\n\taesmc\tv2.16b, v2.16b // AES block 4k+6 - round 0\n\tmov\td10, v17.d[1] // GHASH block 4k - mid\n\taese\tv0.16b, v19.16b\n\taesmc\tv0.16b, v0.16b // AES block 4k+4 - round 1\n\teor\tv8.8b, v8.8b, v4.8b // GHASH block 4k - mid\n\tpmull2\tv4.1q, v5.2d, v14.2d // GHASH block 4k+1 - high\n\taese\tv2.16b, v19.16b\n\taesmc\tv2.16b, v2.16b // AES block 4k+6 - round 1\n\trev64\tv7.16b, v7.16b // GHASH block 4k+3\n\taese\tv3.16b, v18.16b\n\taesmc\tv3.16b, v3.16b // AES block 4k+7 - round 0\n\tpmull\tv10.1q, v8.1d, v10.1d // GHASH block 4k - mid\n\teor\tv9.16b, v9.16b, v4.16b // GHASH block 4k+1 - high\n\tpmull\tv8.1q, v5.1d, v14.1d // GHASH block 4k+1 - low\n\taese\tv3.16b, v19.16b\n\taesmc\tv3.16b, v3.16b // AES block 4k+7 - round 1\n\tmov\td4, v5.d[1] // GHASH block 4k+1 - mid\n\taese\tv0.16b, v20.16b\n\taesmc\tv0.16b, v0.16b // AES block 4k+4 - round 2\n\taese\tv1.16b, v20.16b\n\taesmc\tv1.16b, v1.16b // AES block 4k+5 - round 2\n\teor\tv11.16b, v11.16b, v8.16b // GHASH block 4k+1 - low\n\taese\tv2.16b, v20.16b\n\taesmc\tv2.16b, v2.16b // AES block 4k+6 - round 2\n\taese\tv0.16b, v21.16b\n\taesmc\tv0.16b, v0.16b // AES block 4k+4 - round 3\n\tmov\td8, v6.d[1] // GHASH block 4k+2 - mid\n\taese\tv3.16b, v20.16b\n\taesmc\tv3.16b, v3.16b // AES block 4k+7 - round 2\n\teor\tv4.8b, v4.8b, v5.8b // GHASH block 4k+1 - mid\n\tpmull\tv5.1q, v6.1d, v13.1d // GHASH block 4k+2 - low\n\taese\tv0.16b, v22.16b\n\taesmc\tv0.16b, v0.16b // AES block 4k+4 - round 4\n\taese\tv3.16b, v21.16b\n\taesmc\tv3.16b, v3.16b // AES block 4k+7 - round 3\n\teor\tv8.8b, v8.8b, v6.8b // GHASH block 4k+2 - mid\n\tpmull\tv4.1q, v4.1d, v17.1d // GHASH block 4k+1 - mid\n\taese\tv0.16b, v23.16b\n\taesmc\tv0.16b, v0.16b // AES block 4k+4 - round 5\n\teor\tv11.16b, v11.16b, v5.16b // GHASH block 4k+2 - low\n\taese\tv3.16b, v22.16b\n\taesmc\tv3.16b, v3.16b // AES block 4k+7 - round 4\n\tpmull2\tv5.1q, v7.2d, v12.2d // GHASH block 4k+3 - high\n\teor\tv10.16b, v10.16b, v4.16b // GHASH block 4k+1 - mid\n\tpmull2\tv4.1q, v6.2d, v13.2d // GHASH block 4k+2 - high\n\taese\tv3.16b, v23.16b\n\taesmc\tv3.16b, v3.16b // AES block 4k+7 - round 5\n\tins\tv8.d[1], v8.d[0] // GHASH block 4k+2 - mid\n\taese\tv2.16b, v21.16b\n\taesmc\tv2.16b, v2.16b // AES block 4k+6 - round 3\n\taese\tv1.16b, v21.16b\n\taesmc\tv1.16b, v1.16b // AES block 4k+5 - round 3\n\teor\tv9.16b, v9.16b, v4.16b // GHASH block 4k+2 - high\n\tpmull\tv4.1q, v7.1d, v12.1d // GHASH block 4k+3 - low\n\taese\tv2.16b, v22.16b\n\taesmc\tv2.16b, v2.16b // AES block 4k+6 - round 4\n\tmov\td6, v7.d[1] // GHASH block 4k+3 - mid\n\taese\tv1.16b, v22.16b\n\taesmc\tv1.16b, v1.16b // AES block 4k+5 - round 4\n\tpmull2\tv8.1q, v8.2d, v16.2d // GHASH block 4k+2 - mid\n\taese\tv2.16b, v23.16b\n\taesmc\tv2.16b, v2.16b // AES block 4k+6 - round 5\n\teor\tv6.8b, v6.8b, v7.8b // GHASH block 4k+3 - mid\n\taese\tv1.16b, v23.16b\n\taesmc\tv1.16b, v1.16b // AES block 4k+5 - round 5\n\taese\tv3.16b, v24.16b\n\taesmc\tv3.16b, v3.16b // AES block 4k+7 - round 6\n\teor\tv10.16b, v10.16b, v8.16b // GHASH block 4k+2 - mid\n\taese\tv2.16b, v24.16b\n\taesmc\tv2.16b, v2.16b // AES block 4k+6 - round 6\n\taese\tv0.16b, v24.16b\n\taesmc\tv0.16b, v0.16b // AES block 4k+4 - round 6\n\tmovi\tv8.8b, #0xc2\n\taese\tv1.16b, v24.16b\n\taesmc\tv1.16b, v1.16b // AES block 4k+5 - round 6\n\teor\tv11.16b, v11.16b, v4.16b // GHASH block 4k+3 - low\n\tpmull\tv6.1q, v6.1d, v16.1d // GHASH block 4k+3 - mid\n\taese\tv3.16b, v25.16b\n\taesmc\tv3.16b, v3.16b // AES block 4k+7 - round 7\n\tcmp\tx17, #12 // setup flags for AES-128/192/256 check\n\teor\tv9.16b, v9.16b, v5.16b // GHASH block 4k+3 - high\n\taese\tv1.16b, v25.16b\n\taesmc\tv1.16b, v1.16b // AES block 4k+5 - round 7\n\taese\tv0.16b, v25.16b\n\taesmc\tv0.16b, v0.16b // AES block 4k+4 - round 7\n\teor\tv10.16b, v10.16b, v6.16b // GHASH block 4k+3 - mid\n\taese\tv3.16b, v26.16b\n\taesmc\tv3.16b, v3.16b // AES block 4k+7 - round 8\n\taese\tv2.16b, v25.16b\n\taesmc\tv2.16b, v2.16b // AES block 4k+6 - round 7\n\teor\tv6.16b, v11.16b, v9.16b // MODULO - karatsuba tidy up\n\taese\tv1.16b, v26.16b\n\taesmc\tv1.16b, v1.16b // AES block 4k+5 - round 8\n\taese\tv0.16b, v26.16b\n\taesmc\tv0.16b, v0.16b // AES block 4k+4 - round 8\n\tshl\td8, d8, #56 // mod_constant\n\taese\tv2.16b, v26.16b\n\taesmc\tv2.16b, v2.16b // AES block 4k+6 - round 8\n\tb.lt\tLdec_finish_prepretail // branch if AES-128\n\n\taese\tv1.16b, v27.16b\n\taesmc\tv1.16b, v1.16b // AES block 4k+5 - round 9\n\taese\tv2.16b, v27.16b\n\taesmc\tv2.16b, v2.16b // AES block 4k+6 - round 9\n\taese\tv3.16b, v27.16b\n\taesmc\tv3.16b, v3.16b // AES block 4k+7 - round 9\n\taese\tv0.16b, v27.16b\n\taesmc\tv0.16b, v0.16b // AES block 4k+4 - round 9\n\taese\tv2.16b, v28.16b\n\taesmc\tv2.16b, v2.16b // AES block 4k+6 - round 10\n\taese\tv3.16b, v28.16b\n\taesmc\tv3.16b, v3.16b // AES block 4k+7 - round 10\n\taese\tv0.16b, v28.16b\n\taesmc\tv0.16b, v0.16b // AES block 4k+4 - round 10\n\taese\tv1.16b, v28.16b\n\taesmc\tv1.16b, v1.16b // AES block 4k+5 - round 10\n\tb.eq\tLdec_finish_prepretail // branch if AES-192\n\n\taese\tv2.16b, v29.16b\n\taesmc\tv2.16b, v2.16b // AES block 4k+6 - round 11\n\taese\tv0.16b, v29.16b\n\taesmc\tv0.16b, v0.16b // AES block 4k+4 - round 11\n\taese\tv1.16b, v29.16b\n\taesmc\tv1.16b, v1.16b // AES block 4k+5 - round 11\n\taese\tv2.16b, v30.16b\n\taesmc\tv2.16b, v2.16b // AES block 4k+6 - round 12\n\taese\tv3.16b, v29.16b\n\taesmc\tv3.16b, v3.16b // AES block 4k+7 - round 11\n\taese\tv1.16b, v30.16b\n\taesmc\tv1.16b, v1.16b // AES block 4k+5 - round 12\n\taese\tv0.16b, v30.16b\n\taesmc\tv0.16b, v0.16b // AES block 4k+4 - round 12\n\taese\tv3.16b, v30.16b\n\taesmc\tv3.16b, v3.16b // AES block 4k+7 - round 12\n\nLdec_finish_prepretail:\n\teor\tv10.16b, v10.16b, v6.16b // MODULO - karatsuba tidy up\n\tpmull\tv7.1q, v9.1d, v8.1d // MODULO - top 64b align with mid\n\text\tv9.16b, v9.16b, v9.16b, #8 // MODULO - other top alignment\n\teor\tv10.16b, v10.16b, v7.16b // MODULO - fold into mid\n\teor\tx22, x22, x14 // AES block 4k+2 - round N high\n\teor\tx23, x23, x13 // AES block 4k+3 - round N low\n\teor\tv10.16b, v10.16b, v9.16b // MODULO - fold into mid\n\tadd\tw12, w12, #1 // CTR block 4k+7\n\teor\tx21, x21, x13 // AES block 4k+2 - round N low\n\tpmull\tv8.1q, v10.1d, v8.1d // MODULO - mid 64b align with low\n\teor\tx24, x24, x14 // AES block 4k+3 - round N high\n\tstp\tx21, x22, [x2], #16 // AES block 4k+2 - store result\n\text\tv10.16b, v10.16b, v10.16b, #8 // MODULO - other mid alignment\n\tstp\tx23, x24, [x2], #16 // AES block 4k+3 - store result\n\n\teor\tv11.16b, v11.16b, v8.16b // MODULO - fold into low\n\taese\tv1.16b, v31.16b // AES block 4k+5 - round N-1\n\taese\tv0.16b, v31.16b // AES block 4k+4 - round N-1\n\taese\tv3.16b, v31.16b // AES block 4k+7 - round N-1\n\taese\tv2.16b, v31.16b // AES block 4k+6 - round N-1\n\teor\tv11.16b, v11.16b, v10.16b // MODULO - fold into low\n\nLdec_tail:\t//\tTAIL\n\tsub\tx5, x4, x0 // main_end_input_ptr is number of bytes left to process\n\tld1\t{ v5.16b}, [x0], #16 // AES block 4k+4 - load ciphertext\n\teor\tv0.16b, v5.16b, v0.16b // AES block 4k+4 - result\n\tmov\tx6, v0.d[0] // AES block 4k+4 - mov low\n\tmov\tx7, v0.d[1] // AES block 4k+4 - mov high\n\text\tv8.16b, v11.16b, v11.16b, #8 // prepare final partial tag\n\tcmp\tx5, #48\n\teor\tx6, x6, x13 // AES block 4k+4 - round N low\n\teor\tx7, x7, x14 // AES block 4k+4 - round N high\n\tb.gt\tLdec_blocks_more_than_3\n\tsub\tw12, w12, #1\n\tmov\tv3.16b, v2.16b\n\tmovi\tv10.8b, #0\n\tmovi\tv11.8b, #0\n\tcmp\tx5, #32\n\tmovi\tv9.8b, #0\n\tmov\tv2.16b, v1.16b\n\tb.gt\tLdec_blocks_more_than_2\n\tsub\tw12, w12, #1\n\tmov\tv3.16b, v1.16b\n\tcmp\tx5, #16\n\tb.gt\tLdec_blocks_more_than_1\n\tsub\tw12, w12, #1\n\tb\tLdec_blocks_less_than_1\nLdec_blocks_more_than_3:\t//\tblocks left > 3\n\trev64\tv4.16b, v5.16b // GHASH final-3 block\n\tld1\t{ v5.16b}, [x0], #16 // AES final-2 block - load ciphertext\n\tstp\tx6, x7, [x2], #16 // AES final-3 block - store result\n\tmov\td10, v17.d[1] // GHASH final-3 block - mid\n\teor\tv4.16b, v4.16b, v8.16b // feed in partial tag\n\teor\tv0.16b, v5.16b, v1.16b // AES final-2 block - result\n\tmov\td22, v4.d[1] // GHASH final-3 block - mid\n\tmov\tx6, v0.d[0] // AES final-2 block - mov low\n\tmov\tx7, v0.d[1] // AES final-2 block - mov high\n\teor\tv22.8b, v22.8b, v4.8b // GHASH final-3 block - mid\n\tmovi\tv8.8b, #0 // suppress further partial tag feed in\n\tpmull2\tv9.1q, v4.2d, v15.2d // GHASH final-3 block - high\n\tpmull\tv10.1q, v22.1d, v10.1d // GHASH final-3 block - mid\n\teor\tx6, x6, x13 // AES final-2 block - round N low\n\tpmull\tv11.1q, v4.1d, v15.1d // GHASH final-3 block - low\n\teor\tx7, x7, x14 // AES final-2 block - round N high\nLdec_blocks_more_than_2:\t//\tblocks left > 2\n\trev64\tv4.16b, v5.16b // GHASH final-2 block\n\tld1\t{ v5.16b}, [x0], #16 // AES final-1 block - load ciphertext\n\teor\tv4.16b, v4.16b, v8.16b // feed in partial tag\n\tstp\tx6, x7, [x2], #16 // AES final-2 block - store result\n\teor\tv0.16b, v5.16b, v2.16b // AES final-1 block - result\n\tmov\td22, v4.d[1] // GHASH final-2 block - mid\n\tpmull\tv21.1q, v4.1d, v14.1d // GHASH final-2 block - low\n\tpmull2\tv20.1q, v4.2d, v14.2d // GHASH final-2 block - high\n\teor\tv22.8b, v22.8b, v4.8b // GHASH final-2 block - mid\n\tmov\tx6, v0.d[0] // AES final-1 block - mov low\n\tmov\tx7, v0.d[1] // AES final-1 block - mov high\n\teor\tv11.16b, v11.16b, v21.16b // GHASH final-2 block - low\n\tmovi\tv8.8b, #0 // suppress further partial tag feed in\n\tpmull\tv22.1q, v22.1d, v17.1d // GHASH final-2 block - mid\n\teor\tv9.16b, v9.16b, v20.16b // GHASH final-2 block - high\n\teor\tx6, x6, x13 // AES final-1 block - round N low\n\teor\tv10.16b, v10.16b, v22.16b // GHASH final-2 block - mid\n\teor\tx7, x7, x14 // AES final-1 block - round N high\nLdec_blocks_more_than_1:\t//\tblocks left > 1\n\tstp\tx6, x7, [x2], #16 // AES final-1 block - store result\n\trev64\tv4.16b, v5.16b // GHASH final-1 block\n\tld1\t{ v5.16b}, [x0], #16 // AES final block - load ciphertext\n\teor\tv4.16b, v4.16b, v8.16b // feed in partial tag\n\tmovi\tv8.8b, #0 // suppress further partial tag feed in\n\tmov\td22, v4.d[1] // GHASH final-1 block - mid\n\teor\tv0.16b, v5.16b, v3.16b // AES final block - result\n\tpmull2\tv20.1q, v4.2d, v13.2d // GHASH final-1 block - high\n\teor\tv22.8b, v22.8b, v4.8b // GHASH final-1 block - mid\n\tpmull\tv21.1q, v4.1d, v13.1d // GHASH final-1 block - low\n\tmov\tx6, v0.d[0] // AES final block - mov low\n\tins\tv22.d[1], v22.d[0] // GHASH final-1 block - mid\n\tmov\tx7, v0.d[1] // AES final block - mov high\n\tpmull2\tv22.1q, v22.2d, v16.2d // GHASH final-1 block - mid\n\teor\tx6, x6, x13 // AES final block - round N low\n\teor\tv11.16b, v11.16b, v21.16b // GHASH final-1 block - low\n\teor\tv9.16b, v9.16b, v20.16b // GHASH final-1 block - high\n\teor\tv10.16b, v10.16b, v22.16b // GHASH final-1 block - mid\n\teor\tx7, x7, x14 // AES final block - round N high\nLdec_blocks_less_than_1:\t//\tblocks left <= 1\n\tand\tx1, x1, #127 // bit_length %= 128\n\tmvn\tx14, xzr // rkN_h = 0xffffffffffffffff\n\tsub\tx1, x1, #128 // bit_length -= 128\n\tmvn\tx13, xzr // rkN_l = 0xffffffffffffffff\n\tldp\tx4, x5, [x2] // load existing bytes we need to not overwrite\n\tneg\tx1, x1 // bit_length = 128 - #bits in input (in range [1,128])\n\tand\tx1, x1, #127 // bit_length %= 128\n\tlsr\tx14, x14, x1 // rkN_h is mask for top 64b of last block\n\tcmp\tx1, #64\n\tcsel\tx9, x13, x14, lt\n\tcsel\tx10, x14, xzr, lt\n\tfmov\td0, x9 // ctr0b is mask for last block\n\tand\tx6, x6, x9\n\tmov\tv0.d[1], x10\n\tbic\tx4, x4, x9 // mask out low existing bytes\n\trev\tw9, w12\n\tbic\tx5, x5, x10 // mask out high existing bytes\n\torr\tx6, x6, x4\n\tand\tx7, x7, x10\n\torr\tx7, x7, x5\n\tand\tv5.16b, v5.16b, v0.16b // possibly partial last block has zeroes in highest bits\n\trev64\tv4.16b, v5.16b // GHASH final block\n\teor\tv4.16b, v4.16b, v8.16b // feed in partial tag\n\tpmull\tv21.1q, v4.1d, v12.1d // GHASH final block - low\n\tmov\td8, v4.d[1] // GHASH final block - mid\n\teor\tv8.8b, v8.8b, v4.8b // GHASH final block - mid\n\tpmull2\tv20.1q, v4.2d, v12.2d // GHASH final block - high\n\tpmull\tv8.1q, v8.1d, v16.1d // GHASH final block - mid\n\teor\tv9.16b, v9.16b, v20.16b // GHASH final block - high\n\teor\tv11.16b, v11.16b, v21.16b // GHASH final block - low\n\teor\tv10.16b, v10.16b, v8.16b // GHASH final block - mid\n\tmovi\tv8.8b, #0xc2\n\teor\tv6.16b, v11.16b, v9.16b // MODULO - karatsuba tidy up\n\tshl\td8, d8, #56 // mod_constant\n\teor\tv10.16b, v10.16b, v6.16b // MODULO - karatsuba tidy up\n\tpmull\tv7.1q, v9.1d, v8.1d // MODULO - top 64b align with mid\n\text\tv9.16b, v9.16b, v9.16b, #8 // MODULO - other top alignment\n\teor\tv10.16b, v10.16b, v7.16b // MODULO - fold into mid\n\teor\tv10.16b, v10.16b, v9.16b // MODULO - fold into mid\n\tpmull\tv8.1q, v10.1d, v8.1d // MODULO - mid 64b align with low\n\text\tv10.16b, v10.16b, v10.16b, #8 // MODULO - other mid alignment\n\teor\tv11.16b, v11.16b, v8.16b // MODULO - fold into low\n\tstp\tx6, x7, [x2]\n\tstr\tw9, [x16, #12] // store the updated counter\n\teor\tv11.16b, v11.16b, v10.16b // MODULO - fold into low\n\text\tv11.16b, v11.16b, v11.16b, #8\n\trev64\tv11.16b, v11.16b\n\tmov\tx0, x15\n\tst1\t{ v11.16b }, [x3]\n\tldp\tx19, x20, [sp, #16]\n\tldp\tx21, x22, [sp, #32]\n\tldp\tx23, x24, [sp, #48]\n\tldp\td8, d9, [sp, #64]\n\tldp\td10, d11, [sp, #80]\n\tldp\td12, d13, [sp, #96]\n\tldp\td14, d15, [sp, #112]\n\tldp\tx29, x30, [sp], #128\n\tAARCH64_VALIDATE_LINK_REGISTER\n\tret\n\n#endif\n#endif // !OPENSSL_NO_ASM && defined(OPENSSL_AARCH64) && defined(__APPLE__)\n#if defined(__linux__) && defined(__ELF__)\n.section .note.GNU-stack,\"\",%progbits\n#endif\n\n" }, { "path": "Sources/CNIOBoringSSL/gen/bcm/aesv8-gcm-armv8-linux.S", "content": "#define BORINGSSL_PREFIX CNIOBoringSSL\n// This file is generated from a similarly-named Perl script in the BoringSSL\n// source tree. Do not edit by hand.\n\n#include \n\n#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_AARCH64) && defined(__ELF__)\n#include \n#if __ARM_MAX_ARCH__ >= 8\n\n.arch\tarmv8-a+crypto\n.text\n.globl\taes_gcm_enc_kernel\n.hidden\taes_gcm_enc_kernel\n.type\taes_gcm_enc_kernel,%function\n.align\t4\naes_gcm_enc_kernel:\n\tAARCH64_SIGN_LINK_REGISTER\n\tstp\tx29, x30, [sp, #-128]!\n\tmov\tx29, sp\n\tstp\tx19, x20, [sp, #16]\n\tmov\tx16, x4\n\tmov\tx8, x5\n\tstp\tx21, x22, [sp, #32]\n\tstp\tx23, x24, [sp, #48]\n\tstp\td8, d9, [sp, #64]\n\tstp\td10, d11, [sp, #80]\n\tstp\td12, d13, [sp, #96]\n\tstp\td14, d15, [sp, #112]\n\tldr\tw17, [x8, #240]\n\tadd\tx19, x8, x17, lsl #4 // borrow input_l1 for last key\n\tldp\tx13, x14, [x19] // load round N keys\n\tldr\tq31, [x19, #-16] // load round N-1 keys\n\tadd\tx4, x0, x1, lsr #3 // end_input_ptr\n\tlsr\tx5, x1, #3 // byte_len\n\tmov\tx15, x5\n\tldp\tx10, x11, [x16] // ctr96_b64, ctr96_t32\n\tld1\t{ v0.16b}, [x16] // special case vector load initial counter so we can start first AES block as quickly as possible\n\tsub\tx5, x5, #1 // byte_len - 1\n\tldr\tq18, [x8, #0] // load rk0\n\tand\tx5, x5, #0xffffffffffffffc0 // number of bytes to be processed in main loop (at least 1 byte must be handled by tail)\n\tldr\tq25, [x8, #112] // load rk7\n\tadd\tx5, x5, x0\n\tlsr\tx12, x11, #32\n\tfmov\td2, x10 // CTR block 2\n\torr\tw11, w11, w11\n\trev\tw12, w12 // rev_ctr32\n\tfmov\td1, x10 // CTR block 1\n\taese\tv0.16b, v18.16b\n\taesmc\tv0.16b, v0.16b // AES block 0 - round 0\n\tadd\tw12, w12, #1 // increment rev_ctr32\n\trev\tw9, w12 // CTR block 1\n\tfmov\td3, x10 // CTR block 3\n\torr\tx9, x11, x9, lsl #32 // CTR block 1\n\tadd\tw12, w12, #1 // CTR block 1\n\tldr\tq19, [x8, #16] // load rk1\n\tfmov\tv1.d[1], x9 // CTR block 1\n\trev\tw9, w12 // CTR block 2\n\tadd\tw12, w12, #1 // CTR block 2\n\torr\tx9, x11, x9, lsl #32 // CTR block 2\n\tldr\tq20, [x8, #32] // load rk2\n\tfmov\tv2.d[1], x9 // CTR block 2\n\trev\tw9, w12 // CTR block 3\n\taese\tv0.16b, v19.16b\n\taesmc\tv0.16b, v0.16b // AES block 0 - round 1\n\torr\tx9, x11, x9, lsl #32 // CTR block 3\n\tfmov\tv3.d[1], x9 // CTR block 3\n\taese\tv1.16b, v18.16b\n\taesmc\tv1.16b, v1.16b // AES block 1 - round 0\n\tldr\tq21, [x8, #48] // load rk3\n\taese\tv0.16b, v20.16b\n\taesmc\tv0.16b, v0.16b // AES block 0 - round 2\n\tldr\tq24, [x8, #96] // load rk6\n\taese\tv2.16b, v18.16b\n\taesmc\tv2.16b, v2.16b // AES block 2 - round 0\n\tldr\tq23, [x8, #80] // load rk5\n\taese\tv1.16b, v19.16b\n\taesmc\tv1.16b, v1.16b // AES block 1 - round 1\n\tldr\tq14, [x6, #48] // load h3l | h3h\n\text\tv14.16b, v14.16b, v14.16b, #8\n\taese\tv3.16b, v18.16b\n\taesmc\tv3.16b, v3.16b // AES block 3 - round 0\n\taese\tv2.16b, v19.16b\n\taesmc\tv2.16b, v2.16b // AES block 2 - round 1\n\tldr\tq22, [x8, #64] // load rk4\n\taese\tv1.16b, v20.16b\n\taesmc\tv1.16b, v1.16b // AES block 1 - round 2\n\tldr\tq13, [x6, #32] // load h2l | h2h\n\text\tv13.16b, v13.16b, v13.16b, #8\n\taese\tv3.16b, v19.16b\n\taesmc\tv3.16b, v3.16b // AES block 3 - round 1\n\tldr\tq30, [x8, #192] // load rk12\n\taese\tv2.16b, v20.16b\n\taesmc\tv2.16b, v2.16b // AES block 2 - round 2\n\tldr\tq15, [x6, #80] // load h4l | h4h\n\text\tv15.16b, v15.16b, v15.16b, #8\n\taese\tv1.16b, v21.16b\n\taesmc\tv1.16b, v1.16b // AES block 1 - round 3\n\tldr\tq29, [x8, #176] // load rk11\n\taese\tv3.16b, v20.16b\n\taesmc\tv3.16b, v3.16b // AES block 3 - round 2\n\tldr\tq26, [x8, #128] // load rk8\n\taese\tv2.16b, v21.16b\n\taesmc\tv2.16b, v2.16b // AES block 2 - round 3\n\tadd\tw12, w12, #1 // CTR block 3\n\taese\tv0.16b, v21.16b\n\taesmc\tv0.16b, v0.16b // AES block 0 - round 3\n\taese\tv3.16b, v21.16b\n\taesmc\tv3.16b, v3.16b // AES block 3 - round 3\n\tld1\t{ v11.16b}, [x3]\n\text\tv11.16b, v11.16b, v11.16b, #8\n\trev64\tv11.16b, v11.16b\n\taese\tv2.16b, v22.16b\n\taesmc\tv2.16b, v2.16b // AES block 2 - round 4\n\taese\tv0.16b, v22.16b\n\taesmc\tv0.16b, v0.16b // AES block 0 - round 4\n\taese\tv1.16b, v22.16b\n\taesmc\tv1.16b, v1.16b // AES block 1 - round 4\n\taese\tv3.16b, v22.16b\n\taesmc\tv3.16b, v3.16b // AES block 3 - round 4\n\tcmp\tx17, #12 // setup flags for AES-128/192/256 check\n\taese\tv0.16b, v23.16b\n\taesmc\tv0.16b, v0.16b // AES block 0 - round 5\n\taese\tv1.16b, v23.16b\n\taesmc\tv1.16b, v1.16b // AES block 1 - round 5\n\taese\tv3.16b, v23.16b\n\taesmc\tv3.16b, v3.16b // AES block 3 - round 5\n\taese\tv2.16b, v23.16b\n\taesmc\tv2.16b, v2.16b // AES block 2 - round 5\n\taese\tv1.16b, v24.16b\n\taesmc\tv1.16b, v1.16b // AES block 1 - round 6\n\ttrn2\tv17.2d, v14.2d, v15.2d // h4l | h3l\n\taese\tv3.16b, v24.16b\n\taesmc\tv3.16b, v3.16b // AES block 3 - round 6\n\tldr\tq27, [x8, #144] // load rk9\n\taese\tv0.16b, v24.16b\n\taesmc\tv0.16b, v0.16b // AES block 0 - round 6\n\tldr\tq12, [x6] // load h1l | h1h\n\text\tv12.16b, v12.16b, v12.16b, #8\n\taese\tv2.16b, v24.16b\n\taesmc\tv2.16b, v2.16b // AES block 2 - round 6\n\tldr\tq28, [x8, #160] // load rk10\n\taese\tv1.16b, v25.16b\n\taesmc\tv1.16b, v1.16b // AES block 1 - round 7\n\ttrn1\tv9.2d, v14.2d, v15.2d // h4h | h3h\n\taese\tv0.16b, v25.16b\n\taesmc\tv0.16b, v0.16b // AES block 0 - round 7\n\taese\tv2.16b, v25.16b\n\taesmc\tv2.16b, v2.16b // AES block 2 - round 7\n\taese\tv3.16b, v25.16b\n\taesmc\tv3.16b, v3.16b // AES block 3 - round 7\n\ttrn2\tv16.2d, v12.2d, v13.2d // h2l | h1l\n\taese\tv1.16b, v26.16b\n\taesmc\tv1.16b, v1.16b // AES block 1 - round 8\n\taese\tv2.16b, v26.16b\n\taesmc\tv2.16b, v2.16b // AES block 2 - round 8\n\taese\tv3.16b, v26.16b\n\taesmc\tv3.16b, v3.16b // AES block 3 - round 8\n\taese\tv0.16b, v26.16b\n\taesmc\tv0.16b, v0.16b // AES block 0 - round 8\n\tb.lt\t.Lenc_finish_first_blocks // branch if AES-128\n\n\taese\tv1.16b, v27.16b\n\taesmc\tv1.16b, v1.16b // AES block 1 - round 9\n\taese\tv2.16b, v27.16b\n\taesmc\tv2.16b, v2.16b // AES block 2 - round 9\n\taese\tv3.16b, v27.16b\n\taesmc\tv3.16b, v3.16b // AES block 3 - round 9\n\taese\tv0.16b, v27.16b\n\taesmc\tv0.16b, v0.16b // AES block 0 - round 9\n\taese\tv1.16b, v28.16b\n\taesmc\tv1.16b, v1.16b // AES block 1 - round 10\n\taese\tv2.16b, v28.16b\n\taesmc\tv2.16b, v2.16b // AES block 2 - round 10\n\taese\tv3.16b, v28.16b\n\taesmc\tv3.16b, v3.16b // AES block 3 - round 10\n\taese\tv0.16b, v28.16b\n\taesmc\tv0.16b, v0.16b // AES block 0 - round 10\n\tb.eq\t.Lenc_finish_first_blocks // branch if AES-192\n\n\taese\tv1.16b, v29.16b\n\taesmc\tv1.16b, v1.16b // AES block 1 - round 11\n\taese\tv2.16b, v29.16b\n\taesmc\tv2.16b, v2.16b // AES block 2 - round 11\n\taese\tv0.16b, v29.16b\n\taesmc\tv0.16b, v0.16b // AES block 0 - round 11\n\taese\tv3.16b, v29.16b\n\taesmc\tv3.16b, v3.16b // AES block 3 - round 11\n\taese\tv1.16b, v30.16b\n\taesmc\tv1.16b, v1.16b // AES block 1 - round 12\n\taese\tv2.16b, v30.16b\n\taesmc\tv2.16b, v2.16b // AES block 2 - round 12\n\taese\tv0.16b, v30.16b\n\taesmc\tv0.16b, v0.16b // AES block 0 - round 12\n\taese\tv3.16b, v30.16b\n\taesmc\tv3.16b, v3.16b // AES block 3 - round 12\n\n.Lenc_finish_first_blocks:\n\tcmp\tx0, x5 // check if we have <= 4 blocks\n\teor\tv17.16b, v17.16b, v9.16b // h4k | h3k\n\taese\tv2.16b, v31.16b // AES block 2 - round N-1\n\ttrn1\tv8.2d, v12.2d, v13.2d // h2h | h1h\n\taese\tv1.16b, v31.16b // AES block 1 - round N-1\n\taese\tv0.16b, v31.16b // AES block 0 - round N-1\n\taese\tv3.16b, v31.16b // AES block 3 - round N-1\n\teor\tv16.16b, v16.16b, v8.16b // h2k | h1k\n\tb.ge\t.Lenc_tail // handle tail\n\n\tldp\tx19, x20, [x0, #16] // AES block 1 - load plaintext\n\trev\tw9, w12 // CTR block 4\n\tldp\tx6, x7, [x0, #0] // AES block 0 - load plaintext\n\tldp\tx23, x24, [x0, #48] // AES block 3 - load plaintext\n\tldp\tx21, x22, [x0, #32] // AES block 2 - load plaintext\n\tadd\tx0, x0, #64 // AES input_ptr update\n\teor\tx19, x19, x13 // AES block 1 - round N low\n\teor\tx20, x20, x14 // AES block 1 - round N high\n\tfmov\td5, x19 // AES block 1 - mov low\n\teor\tx6, x6, x13 // AES block 0 - round N low\n\teor\tx7, x7, x14 // AES block 0 - round N high\n\teor\tx24, x24, x14 // AES block 3 - round N high\n\tfmov\td4, x6 // AES block 0 - mov low\n\tcmp\tx0, x5 // check if we have <= 8 blocks\n\tfmov\tv4.d[1], x7 // AES block 0 - mov high\n\teor\tx23, x23, x13 // AES block 3 - round N low\n\teor\tx21, x21, x13 // AES block 2 - round N low\n\tfmov\tv5.d[1], x20 // AES block 1 - mov high\n\tfmov\td6, x21 // AES block 2 - mov low\n\tadd\tw12, w12, #1 // CTR block 4\n\torr\tx9, x11, x9, lsl #32 // CTR block 4\n\tfmov\td7, x23 // AES block 3 - mov low\n\teor\tx22, x22, x14 // AES block 2 - round N high\n\tfmov\tv6.d[1], x22 // AES block 2 - mov high\n\teor\tv4.16b, v4.16b, v0.16b // AES block 0 - result\n\tfmov\td0, x10 // CTR block 4\n\tfmov\tv0.d[1], x9 // CTR block 4\n\trev\tw9, w12 // CTR block 5\n\tadd\tw12, w12, #1 // CTR block 5\n\teor\tv5.16b, v5.16b, v1.16b // AES block 1 - result\n\tfmov\td1, x10 // CTR block 5\n\torr\tx9, x11, x9, lsl #32 // CTR block 5\n\tfmov\tv1.d[1], x9 // CTR block 5\n\trev\tw9, w12 // CTR block 6\n\tst1\t{ v4.16b}, [x2], #16 // AES block 0 - store result\n\tfmov\tv7.d[1], x24 // AES block 3 - mov high\n\torr\tx9, x11, x9, lsl #32 // CTR block 6\n\teor\tv6.16b, v6.16b, v2.16b // AES block 2 - result\n\tst1\t{ v5.16b}, [x2], #16 // AES block 1 - store result\n\tadd\tw12, w12, #1 // CTR block 6\n\tfmov\td2, x10 // CTR block 6\n\tfmov\tv2.d[1], x9 // CTR block 6\n\tst1\t{ v6.16b}, [x2], #16 // AES block 2 - store result\n\trev\tw9, w12 // CTR block 7\n\torr\tx9, x11, x9, lsl #32 // CTR block 7\n\teor\tv7.16b, v7.16b, v3.16b // AES block 3 - result\n\tst1\t{ v7.16b}, [x2], #16 // AES block 3 - store result\n\tb.ge\t.Lenc_prepretail // do prepretail\n\n.Lenc_main_loop:\t//\tmain loop start\n\taese\tv0.16b, v18.16b\n\taesmc\tv0.16b, v0.16b // AES block 4k+4 - round 0\n\trev64\tv4.16b, v4.16b // GHASH block 4k (only t0 is free)\n\taese\tv1.16b, v18.16b\n\taesmc\tv1.16b, v1.16b // AES block 4k+5 - round 0\n\tfmov\td3, x10 // CTR block 4k+3\n\taese\tv2.16b, v18.16b\n\taesmc\tv2.16b, v2.16b // AES block 4k+6 - round 0\n\text\tv11.16b, v11.16b, v11.16b, #8 // PRE 0\n\taese\tv0.16b, v19.16b\n\taesmc\tv0.16b, v0.16b // AES block 4k+4 - round 1\n\tfmov\tv3.d[1], x9 // CTR block 4k+3\n\taese\tv1.16b, v19.16b\n\taesmc\tv1.16b, v1.16b // AES block 4k+5 - round 1\n\tldp\tx23, x24, [x0, #48] // AES block 4k+7 - load plaintext\n\taese\tv2.16b, v19.16b\n\taesmc\tv2.16b, v2.16b // AES block 4k+6 - round 1\n\tldp\tx21, x22, [x0, #32] // AES block 4k+6 - load plaintext\n\taese\tv0.16b, v20.16b\n\taesmc\tv0.16b, v0.16b // AES block 4k+4 - round 2\n\teor\tv4.16b, v4.16b, v11.16b // PRE 1\n\taese\tv1.16b, v20.16b\n\taesmc\tv1.16b, v1.16b // AES block 4k+5 - round 2\n\taese\tv3.16b, v18.16b\n\taesmc\tv3.16b, v3.16b // AES block 4k+7 - round 0\n\teor\tx23, x23, x13 // AES block 4k+7 - round N low\n\taese\tv0.16b, v21.16b\n\taesmc\tv0.16b, v0.16b // AES block 4k+4 - round 3\n\tmov\td10, v17.d[1] // GHASH block 4k - mid\n\tpmull2\tv9.1q, v4.2d, v15.2d // GHASH block 4k - high\n\teor\tx22, x22, x14 // AES block 4k+6 - round N high\n\tmov\td8, v4.d[1] // GHASH block 4k - mid\n\taese\tv3.16b, v19.16b\n\taesmc\tv3.16b, v3.16b // AES block 4k+7 - round 1\n\trev64\tv5.16b, v5.16b // GHASH block 4k+1 (t0 and t1 free)\n\taese\tv0.16b, v22.16b\n\taesmc\tv0.16b, v0.16b // AES block 4k+4 - round 4\n\tpmull\tv11.1q, v4.1d, v15.1d // GHASH block 4k - low\n\teor\tv8.8b, v8.8b, v4.8b // GHASH block 4k - mid\n\taese\tv2.16b, v20.16b\n\taesmc\tv2.16b, v2.16b // AES block 4k+6 - round 2\n\taese\tv0.16b, v23.16b\n\taesmc\tv0.16b, v0.16b // AES block 4k+4 - round 5\n\trev64\tv7.16b, v7.16b // GHASH block 4k+3 (t0, t1, t2 and t3 free)\n\tpmull2\tv4.1q, v5.2d, v14.2d // GHASH block 4k+1 - high\n\tpmull\tv10.1q, v8.1d, v10.1d // GHASH block 4k - mid\n\trev64\tv6.16b, v6.16b // GHASH block 4k+2 (t0, t1, and t2 free)\n\tpmull\tv8.1q, v5.1d, v14.1d // GHASH block 4k+1 - low\n\teor\tv9.16b, v9.16b, v4.16b // GHASH block 4k+1 - high\n\tmov\td4, v5.d[1] // GHASH block 4k+1 - mid\n\taese\tv1.16b, v21.16b\n\taesmc\tv1.16b, v1.16b // AES block 4k+5 - round 3\n\taese\tv3.16b, v20.16b\n\taesmc\tv3.16b, v3.16b // AES block 4k+7 - round 2\n\teor\tv11.16b, v11.16b, v8.16b // GHASH block 4k+1 - low\n\taese\tv2.16b, v21.16b\n\taesmc\tv2.16b, v2.16b // AES block 4k+6 - round 3\n\taese\tv1.16b, v22.16b\n\taesmc\tv1.16b, v1.16b // AES block 4k+5 - round 4\n\tmov\td8, v6.d[1] // GHASH block 4k+2 - mid\n\taese\tv3.16b, v21.16b\n\taesmc\tv3.16b, v3.16b // AES block 4k+7 - round 3\n\teor\tv4.8b, v4.8b, v5.8b // GHASH block 4k+1 - mid\n\taese\tv2.16b, v22.16b\n\taesmc\tv2.16b, v2.16b // AES block 4k+6 - round 4\n\taese\tv0.16b, v24.16b\n\taesmc\tv0.16b, v0.16b // AES block 4k+4 - round 6\n\teor\tv8.8b, v8.8b, v6.8b // GHASH block 4k+2 - mid\n\taese\tv3.16b, v22.16b\n\taesmc\tv3.16b, v3.16b // AES block 4k+7 - round 4\n\tpmull\tv4.1q, v4.1d, v17.1d // GHASH block 4k+1 - mid\n\taese\tv0.16b, v25.16b\n\taesmc\tv0.16b, v0.16b // AES block 4k+4 - round 7\n\taese\tv3.16b, v23.16b\n\taesmc\tv3.16b, v3.16b // AES block 4k+7 - round 5\n\tins\tv8.d[1], v8.d[0] // GHASH block 4k+2 - mid\n\taese\tv1.16b, v23.16b\n\taesmc\tv1.16b, v1.16b // AES block 4k+5 - round 5\n\taese\tv0.16b, v26.16b\n\taesmc\tv0.16b, v0.16b // AES block 4k+4 - round 8\n\taese\tv2.16b, v23.16b\n\taesmc\tv2.16b, v2.16b // AES block 4k+6 - round 5\n\taese\tv1.16b, v24.16b\n\taesmc\tv1.16b, v1.16b // AES block 4k+5 - round 6\n\teor\tv10.16b, v10.16b, v4.16b // GHASH block 4k+1 - mid\n\tpmull2\tv4.1q, v6.2d, v13.2d // GHASH block 4k+2 - high\n\tpmull\tv5.1q, v6.1d, v13.1d // GHASH block 4k+2 - low\n\taese\tv1.16b, v25.16b\n\taesmc\tv1.16b, v1.16b // AES block 4k+5 - round 7\n\tpmull\tv6.1q, v7.1d, v12.1d // GHASH block 4k+3 - low\n\teor\tv9.16b, v9.16b, v4.16b // GHASH block 4k+2 - high\n\taese\tv3.16b, v24.16b\n\taesmc\tv3.16b, v3.16b // AES block 4k+7 - round 6\n\tldp\tx19, x20, [x0, #16] // AES block 4k+5 - load plaintext\n\taese\tv1.16b, v26.16b\n\taesmc\tv1.16b, v1.16b // AES block 4k+5 - round 8\n\tmov\td4, v7.d[1] // GHASH block 4k+3 - mid\n\taese\tv2.16b, v24.16b\n\taesmc\tv2.16b, v2.16b // AES block 4k+6 - round 6\n\teor\tv11.16b, v11.16b, v5.16b // GHASH block 4k+2 - low\n\tpmull2\tv8.1q, v8.2d, v16.2d // GHASH block 4k+2 - mid\n\tpmull2\tv5.1q, v7.2d, v12.2d // GHASH block 4k+3 - high\n\teor\tv4.8b, v4.8b, v7.8b // GHASH block 4k+3 - mid\n\taese\tv2.16b, v25.16b\n\taesmc\tv2.16b, v2.16b // AES block 4k+6 - round 7\n\teor\tx19, x19, x13 // AES block 4k+5 - round N low\n\taese\tv2.16b, v26.16b\n\taesmc\tv2.16b, v2.16b // AES block 4k+6 - round 8\n\teor\tv10.16b, v10.16b, v8.16b // GHASH block 4k+2 - mid\n\taese\tv3.16b, v25.16b\n\taesmc\tv3.16b, v3.16b // AES block 4k+7 - round 7\n\teor\tx21, x21, x13 // AES block 4k+6 - round N low\n\taese\tv3.16b, v26.16b\n\taesmc\tv3.16b, v3.16b // AES block 4k+7 - round 8\n\tmovi\tv8.8b, #0xc2\n\tpmull\tv4.1q, v4.1d, v16.1d // GHASH block 4k+3 - mid\n\teor\tv9.16b, v9.16b, v5.16b // GHASH block 4k+3 - high\n\tcmp\tx17, #12 // setup flags for AES-128/192/256 check\n\tfmov\td5, x19 // AES block 4k+5 - mov low\n\tldp\tx6, x7, [x0, #0] // AES block 4k+4 - load plaintext\n\tb.lt\t.Lenc_main_loop_continue // branch if AES-128\n\n\taese\tv1.16b, v27.16b\n\taesmc\tv1.16b, v1.16b // AES block 4k+5 - round 9\n\taese\tv0.16b, v27.16b\n\taesmc\tv0.16b, v0.16b // AES block 4k+4 - round 9\n\taese\tv2.16b, v27.16b\n\taesmc\tv2.16b, v2.16b // AES block 4k+6 - round 9\n\taese\tv3.16b, v27.16b\n\taesmc\tv3.16b, v3.16b // AES block 4k+7 - round 9\n\taese\tv0.16b, v28.16b\n\taesmc\tv0.16b, v0.16b // AES block 4k+4 - round 10\n\taese\tv1.16b, v28.16b\n\taesmc\tv1.16b, v1.16b // AES block 4k+5 - round 10\n\taese\tv2.16b, v28.16b\n\taesmc\tv2.16b, v2.16b // AES block 4k+6 - round 10\n\taese\tv3.16b, v28.16b\n\taesmc\tv3.16b, v3.16b // AES block 4k+7 - round 10\n\tb.eq\t.Lenc_main_loop_continue // branch if AES-192\n\n\taese\tv0.16b, v29.16b\n\taesmc\tv0.16b, v0.16b // AES block 4k+4 - round 11\n\taese\tv1.16b, v29.16b\n\taesmc\tv1.16b, v1.16b // AES block 4k+5 - round 11\n\taese\tv2.16b, v29.16b\n\taesmc\tv2.16b, v2.16b // AES block 4k+6 - round 11\n\taese\tv3.16b, v29.16b\n\taesmc\tv3.16b, v3.16b // AES block 4k+7 - round 11\n\taese\tv1.16b, v30.16b\n\taesmc\tv1.16b, v1.16b // AES block 4k+5 - round 12\n\taese\tv0.16b, v30.16b\n\taesmc\tv0.16b, v0.16b // AES block 4k+4 - round 12\n\taese\tv2.16b, v30.16b\n\taesmc\tv2.16b, v2.16b // AES block 4k+6 - round 12\n\taese\tv3.16b, v30.16b\n\taesmc\tv3.16b, v3.16b // AES block 4k+7 - round 12\n\n.Lenc_main_loop_continue:\n\tshl\td8, d8, #56 // mod_constant\n\teor\tv11.16b, v11.16b, v6.16b // GHASH block 4k+3 - low\n\teor\tv10.16b, v10.16b, v4.16b // GHASH block 4k+3 - mid\n\tadd\tw12, w12, #1 // CTR block 4k+3\n\teor\tv4.16b, v11.16b, v9.16b // MODULO - karatsuba tidy up\n\tadd\tx0, x0, #64 // AES input_ptr update\n\tpmull\tv7.1q, v9.1d, v8.1d // MODULO - top 64b align with mid\n\trev\tw9, w12 // CTR block 4k+8\n\text\tv9.16b, v9.16b, v9.16b, #8 // MODULO - other top alignment\n\teor\tx6, x6, x13 // AES block 4k+4 - round N low\n\teor\tv10.16b, v10.16b, v4.16b // MODULO - karatsuba tidy up\n\teor\tx7, x7, x14 // AES block 4k+4 - round N high\n\tfmov\td4, x6 // AES block 4k+4 - mov low\n\torr\tx9, x11, x9, lsl #32 // CTR block 4k+8\n\teor\tv7.16b, v9.16b, v7.16b // MODULO - fold into mid\n\teor\tx20, x20, x14 // AES block 4k+5 - round N high\n\teor\tx24, x24, x14 // AES block 4k+7 - round N high\n\tadd\tw12, w12, #1 // CTR block 4k+8\n\taese\tv0.16b, v31.16b // AES block 4k+4 - round N-1\n\tfmov\tv4.d[1], x7 // AES block 4k+4 - mov high\n\teor\tv10.16b, v10.16b, v7.16b // MODULO - fold into mid\n\tfmov\td7, x23 // AES block 4k+7 - mov low\n\taese\tv1.16b, v31.16b // AES block 4k+5 - round N-1\n\tfmov\tv5.d[1], x20 // AES block 4k+5 - mov high\n\tfmov\td6, x21 // AES block 4k+6 - mov low\n\tcmp\tx0, x5 // .LOOP CONTROL\n\tfmov\tv6.d[1], x22 // AES block 4k+6 - mov high\n\tpmull\tv9.1q, v10.1d, v8.1d // MODULO - mid 64b align with low\n\teor\tv4.16b, v4.16b, v0.16b // AES block 4k+4 - result\n\tfmov\td0, x10 // CTR block 4k+8\n\tfmov\tv0.d[1], x9 // CTR block 4k+8\n\trev\tw9, w12 // CTR block 4k+9\n\tadd\tw12, w12, #1 // CTR block 4k+9\n\teor\tv5.16b, v5.16b, v1.16b // AES block 4k+5 - result\n\tfmov\td1, x10 // CTR block 4k+9\n\torr\tx9, x11, x9, lsl #32 // CTR block 4k+9\n\tfmov\tv1.d[1], x9 // CTR block 4k+9\n\taese\tv2.16b, v31.16b // AES block 4k+6 - round N-1\n\trev\tw9, w12 // CTR block 4k+10\n\tst1\t{ v4.16b}, [x2], #16 // AES block 4k+4 - store result\n\torr\tx9, x11, x9, lsl #32 // CTR block 4k+10\n\teor\tv11.16b, v11.16b, v9.16b // MODULO - fold into low\n\tfmov\tv7.d[1], x24 // AES block 4k+7 - mov high\n\text\tv10.16b, v10.16b, v10.16b, #8 // MODULO - other mid alignment\n\tst1\t{ v5.16b}, [x2], #16 // AES block 4k+5 - store result\n\tadd\tw12, w12, #1 // CTR block 4k+10\n\taese\tv3.16b, v31.16b // AES block 4k+7 - round N-1\n\teor\tv6.16b, v6.16b, v2.16b // AES block 4k+6 - result\n\tfmov\td2, x10 // CTR block 4k+10\n\tst1\t{ v6.16b}, [x2], #16 // AES block 4k+6 - store result\n\tfmov\tv2.d[1], x9 // CTR block 4k+10\n\trev\tw9, w12 // CTR block 4k+11\n\teor\tv11.16b, v11.16b, v10.16b // MODULO - fold into low\n\torr\tx9, x11, x9, lsl #32 // CTR block 4k+11\n\teor\tv7.16b, v7.16b, v3.16b // AES block 4k+7 - result\n\tst1\t{ v7.16b}, [x2], #16 // AES block 4k+7 - store result\n\tb.lt\t.Lenc_main_loop\n\n.Lenc_prepretail:\t//\tPREPRETAIL\n\taese\tv1.16b, v18.16b\n\taesmc\tv1.16b, v1.16b // AES block 4k+5 - round 0\n\trev64\tv6.16b, v6.16b // GHASH block 4k+2 (t0, t1, and t2 free)\n\taese\tv2.16b, v18.16b\n\taesmc\tv2.16b, v2.16b // AES block 4k+6 - round 0\n\tfmov\td3, x10 // CTR block 4k+3\n\taese\tv0.16b, v18.16b\n\taesmc\tv0.16b, v0.16b // AES block 4k+4 - round 0\n\trev64\tv4.16b, v4.16b // GHASH block 4k (only t0 is free)\n\tfmov\tv3.d[1], x9 // CTR block 4k+3\n\text\tv11.16b, v11.16b, v11.16b, #8 // PRE 0\n\taese\tv2.16b, v19.16b\n\taesmc\tv2.16b, v2.16b // AES block 4k+6 - round 1\n\taese\tv0.16b, v19.16b\n\taesmc\tv0.16b, v0.16b // AES block 4k+4 - round 1\n\teor\tv4.16b, v4.16b, v11.16b // PRE 1\n\trev64\tv5.16b, v5.16b // GHASH block 4k+1 (t0 and t1 free)\n\taese\tv2.16b, v20.16b\n\taesmc\tv2.16b, v2.16b // AES block 4k+6 - round 2\n\taese\tv3.16b, v18.16b\n\taesmc\tv3.16b, v3.16b // AES block 4k+7 - round 0\n\tmov\td10, v17.d[1] // GHASH block 4k - mid\n\taese\tv1.16b, v19.16b\n\taesmc\tv1.16b, v1.16b // AES block 4k+5 - round 1\n\tpmull\tv11.1q, v4.1d, v15.1d // GHASH block 4k - low\n\tmov\td8, v4.d[1] // GHASH block 4k - mid\n\tpmull2\tv9.1q, v4.2d, v15.2d // GHASH block 4k - high\n\taese\tv2.16b, v21.16b\n\taesmc\tv2.16b, v2.16b // AES block 4k+6 - round 3\n\taese\tv1.16b, v20.16b\n\taesmc\tv1.16b, v1.16b // AES block 4k+5 - round 2\n\teor\tv8.8b, v8.8b, v4.8b // GHASH block 4k - mid\n\taese\tv0.16b, v20.16b\n\taesmc\tv0.16b, v0.16b // AES block 4k+4 - round 2\n\taese\tv3.16b, v19.16b\n\taesmc\tv3.16b, v3.16b // AES block 4k+7 - round 1\n\taese\tv1.16b, v21.16b\n\taesmc\tv1.16b, v1.16b // AES block 4k+5 - round 3\n\tpmull\tv10.1q, v8.1d, v10.1d // GHASH block 4k - mid\n\tpmull2\tv4.1q, v5.2d, v14.2d // GHASH block 4k+1 - high\n\tpmull\tv8.1q, v5.1d, v14.1d // GHASH block 4k+1 - low\n\taese\tv3.16b, v20.16b\n\taesmc\tv3.16b, v3.16b // AES block 4k+7 - round 2\n\teor\tv9.16b, v9.16b, v4.16b // GHASH block 4k+1 - high\n\tmov\td4, v5.d[1] // GHASH block 4k+1 - mid\n\taese\tv0.16b, v21.16b\n\taesmc\tv0.16b, v0.16b // AES block 4k+4 - round 3\n\teor\tv11.16b, v11.16b, v8.16b // GHASH block 4k+1 - low\n\taese\tv3.16b, v21.16b\n\taesmc\tv3.16b, v3.16b // AES block 4k+7 - round 3\n\teor\tv4.8b, v4.8b, v5.8b // GHASH block 4k+1 - mid\n\tmov\td8, v6.d[1] // GHASH block 4k+2 - mid\n\taese\tv0.16b, v22.16b\n\taesmc\tv0.16b, v0.16b // AES block 4k+4 - round 4\n\trev64\tv7.16b, v7.16b // GHASH block 4k+3 (t0, t1, t2 and t3 free)\n\taese\tv3.16b, v22.16b\n\taesmc\tv3.16b, v3.16b // AES block 4k+7 - round 4\n\tpmull\tv4.1q, v4.1d, v17.1d // GHASH block 4k+1 - mid\n\teor\tv8.8b, v8.8b, v6.8b // GHASH block 4k+2 - mid\n\tadd\tw12, w12, #1 // CTR block 4k+3\n\tpmull\tv5.1q, v6.1d, v13.1d // GHASH block 4k+2 - low\n\taese\tv3.16b, v23.16b\n\taesmc\tv3.16b, v3.16b // AES block 4k+7 - round 5\n\taese\tv2.16b, v22.16b\n\taesmc\tv2.16b, v2.16b // AES block 4k+6 - round 4\n\teor\tv10.16b, v10.16b, v4.16b // GHASH block 4k+1 - mid\n\tpmull2\tv4.1q, v6.2d, v13.2d // GHASH block 4k+2 - high\n\teor\tv11.16b, v11.16b, v5.16b // GHASH block 4k+2 - low\n\tins\tv8.d[1], v8.d[0] // GHASH block 4k+2 - mid\n\taese\tv2.16b, v23.16b\n\taesmc\tv2.16b, v2.16b // AES block 4k+6 - round 5\n\teor\tv9.16b, v9.16b, v4.16b // GHASH block 4k+2 - high\n\tmov\td4, v7.d[1] // GHASH block 4k+3 - mid\n\taese\tv1.16b, v22.16b\n\taesmc\tv1.16b, v1.16b // AES block 4k+5 - round 4\n\tpmull2\tv8.1q, v8.2d, v16.2d // GHASH block 4k+2 - mid\n\teor\tv4.8b, v4.8b, v7.8b // GHASH block 4k+3 - mid\n\tpmull2\tv5.1q, v7.2d, v12.2d // GHASH block 4k+3 - high\n\taese\tv1.16b, v23.16b\n\taesmc\tv1.16b, v1.16b // AES block 4k+5 - round 5\n\tpmull\tv4.1q, v4.1d, v16.1d // GHASH block 4k+3 - mid\n\teor\tv10.16b, v10.16b, v8.16b // GHASH block 4k+2 - mid\n\taese\tv0.16b, v23.16b\n\taesmc\tv0.16b, v0.16b // AES block 4k+4 - round 5\n\taese\tv1.16b, v24.16b\n\taesmc\tv1.16b, v1.16b // AES block 4k+5 - round 6\n\taese\tv2.16b, v24.16b\n\taesmc\tv2.16b, v2.16b // AES block 4k+6 - round 6\n\taese\tv0.16b, v24.16b\n\taesmc\tv0.16b, v0.16b // AES block 4k+4 - round 6\n\tmovi\tv8.8b, #0xc2\n\taese\tv3.16b, v24.16b\n\taesmc\tv3.16b, v3.16b // AES block 4k+7 - round 6\n\taese\tv1.16b, v25.16b\n\taesmc\tv1.16b, v1.16b // AES block 4k+5 - round 7\n\teor\tv9.16b, v9.16b, v5.16b // GHASH block 4k+3 - high\n\taese\tv0.16b, v25.16b\n\taesmc\tv0.16b, v0.16b // AES block 4k+4 - round 7\n\taese\tv3.16b, v25.16b\n\taesmc\tv3.16b, v3.16b // AES block 4k+7 - round 7\n\tshl\td8, d8, #56 // mod_constant\n\taese\tv1.16b, v26.16b\n\taesmc\tv1.16b, v1.16b // AES block 4k+5 - round 8\n\teor\tv10.16b, v10.16b, v4.16b // GHASH block 4k+3 - mid\n\tpmull\tv6.1q, v7.1d, v12.1d // GHASH block 4k+3 - low\n\taese\tv3.16b, v26.16b\n\taesmc\tv3.16b, v3.16b // AES block 4k+7 - round 8\n\tcmp\tx17, #12 // setup flags for AES-128/192/256 check\n\taese\tv0.16b, v26.16b\n\taesmc\tv0.16b, v0.16b // AES block 4k+4 - round 8\n\teor\tv11.16b, v11.16b, v6.16b // GHASH block 4k+3 - low\n\taese\tv2.16b, v25.16b\n\taesmc\tv2.16b, v2.16b // AES block 4k+6 - round 7\n\teor\tv10.16b, v10.16b, v9.16b // karatsuba tidy up\n\taese\tv2.16b, v26.16b\n\taesmc\tv2.16b, v2.16b // AES block 4k+6 - round 8\n\tpmull\tv4.1q, v9.1d, v8.1d\n\text\tv9.16b, v9.16b, v9.16b, #8\n\teor\tv10.16b, v10.16b, v11.16b\n\tb.lt\t.Lenc_finish_prepretail // branch if AES-128\n\n\taese\tv1.16b, v27.16b\n\taesmc\tv1.16b, v1.16b // AES block 4k+5 - round 9\n\taese\tv3.16b, v27.16b\n\taesmc\tv3.16b, v3.16b // AES block 4k+7 - round 9\n\taese\tv0.16b, v27.16b\n\taesmc\tv0.16b, v0.16b // AES block 4k+4 - round 9\n\taese\tv2.16b, v27.16b\n\taesmc\tv2.16b, v2.16b // AES block 4k+6 - round 9\n\taese\tv3.16b, v28.16b\n\taesmc\tv3.16b, v3.16b // AES block 4k+7 - round 10\n\taese\tv1.16b, v28.16b\n\taesmc\tv1.16b, v1.16b // AES block 4k+5 - round 10\n\taese\tv0.16b, v28.16b\n\taesmc\tv0.16b, v0.16b // AES block 4k+4 - round 10\n\taese\tv2.16b, v28.16b\n\taesmc\tv2.16b, v2.16b // AES block 4k+6 - round 10\n\tb.eq\t.Lenc_finish_prepretail // branch if AES-192\n\n\taese\tv1.16b, v29.16b\n\taesmc\tv1.16b, v1.16b // AES block 4k+5 - round 11\n\taese\tv0.16b, v29.16b\n\taesmc\tv0.16b, v0.16b // AES block 4k+4 - round 11\n\taese\tv3.16b, v29.16b\n\taesmc\tv3.16b, v3.16b // AES block 4k+7 - round 11\n\taese\tv2.16b, v29.16b\n\taesmc\tv2.16b, v2.16b // AES block 4k+6 - round 11\n\taese\tv1.16b, v30.16b\n\taesmc\tv1.16b, v1.16b // AES block 4k+5 - round 12\n\taese\tv0.16b, v30.16b\n\taesmc\tv0.16b, v0.16b // AES block 4k+4 - round 12\n\taese\tv3.16b, v30.16b\n\taesmc\tv3.16b, v3.16b // AES block 4k+7 - round 12\n\taese\tv2.16b, v30.16b\n\taesmc\tv2.16b, v2.16b // AES block 4k+6 - round 12\n\n.Lenc_finish_prepretail:\n\teor\tv10.16b, v10.16b, v4.16b\n\teor\tv10.16b, v10.16b, v9.16b\n\tpmull\tv4.1q, v10.1d, v8.1d\n\text\tv10.16b, v10.16b, v10.16b, #8\n\taese\tv1.16b, v31.16b // AES block 4k+5 - round N-1\n\teor\tv11.16b, v11.16b, v4.16b\n\taese\tv3.16b, v31.16b // AES block 4k+7 - round N-1\n\taese\tv0.16b, v31.16b // AES block 4k+4 - round N-1\n\taese\tv2.16b, v31.16b // AES block 4k+6 - round N-1\n\teor\tv11.16b, v11.16b, v10.16b\n\n.Lenc_tail:\t//\tTAIL\n\text\tv8.16b, v11.16b, v11.16b, #8 // prepare final partial tag\n\tsub\tx5, x4, x0 // main_end_input_ptr is number of bytes left to process\n\tldp\tx6, x7, [x0], #16 // AES block 4k+4 - load plaintext\n\teor\tx6, x6, x13 // AES block 4k+4 - round N low\n\teor\tx7, x7, x14 // AES block 4k+4 - round N high\n\tcmp\tx5, #48\n\tfmov\td4, x6 // AES block 4k+4 - mov low\n\tfmov\tv4.d[1], x7 // AES block 4k+4 - mov high\n\teor\tv5.16b, v4.16b, v0.16b // AES block 4k+4 - result\n\tb.gt\t.Lenc_blocks_more_than_3\n\tcmp\tx5, #32\n\tmov\tv3.16b, v2.16b\n\tmovi\tv11.8b, #0\n\tmovi\tv9.8b, #0\n\tsub\tw12, w12, #1\n\tmov\tv2.16b, v1.16b\n\tmovi\tv10.8b, #0\n\tb.gt\t.Lenc_blocks_more_than_2\n\tmov\tv3.16b, v1.16b\n\tsub\tw12, w12, #1\n\tcmp\tx5, #16\n\tb.gt\t.Lenc_blocks_more_than_1\n\tsub\tw12, w12, #1\n\tb\t.Lenc_blocks_less_than_1\n.Lenc_blocks_more_than_3:\t//\tblocks left > 3\n\tst1\t{ v5.16b}, [x2], #16 // AES final-3 block - store result\n\tldp\tx6, x7, [x0], #16 // AES final-2 block - load input low & high\n\trev64\tv4.16b, v5.16b // GHASH final-3 block\n\teor\tx6, x6, x13 // AES final-2 block - round N low\n\teor\tv4.16b, v4.16b, v8.16b // feed in partial tag\n\teor\tx7, x7, x14 // AES final-2 block - round N high\n\tmov\td22, v4.d[1] // GHASH final-3 block - mid\n\tfmov\td5, x6 // AES final-2 block - mov low\n\tfmov\tv5.d[1], x7 // AES final-2 block - mov high\n\teor\tv22.8b, v22.8b, v4.8b // GHASH final-3 block - mid\n\tmovi\tv8.8b, #0 // suppress further partial tag feed in\n\tmov\td10, v17.d[1] // GHASH final-3 block - mid\n\tpmull\tv11.1q, v4.1d, v15.1d // GHASH final-3 block - low\n\tpmull2\tv9.1q, v4.2d, v15.2d // GHASH final-3 block - high\n\tpmull\tv10.1q, v22.1d, v10.1d // GHASH final-3 block - mid\n\teor\tv5.16b, v5.16b, v1.16b // AES final-2 block - result\n.Lenc_blocks_more_than_2:\t//\tblocks left > 2\n\tst1\t{ v5.16b}, [x2], #16 // AES final-2 block - store result\n\tldp\tx6, x7, [x0], #16 // AES final-1 block - load input low & high\n\trev64\tv4.16b, v5.16b // GHASH final-2 block\n\teor\tx6, x6, x13 // AES final-1 block - round N low\n\teor\tv4.16b, v4.16b, v8.16b // feed in partial tag\n\tfmov\td5, x6 // AES final-1 block - mov low\n\teor\tx7, x7, x14 // AES final-1 block - round N high\n\tfmov\tv5.d[1], x7 // AES final-1 block - mov high\n\tmovi\tv8.8b, #0 // suppress further partial tag feed in\n\tpmull2\tv20.1q, v4.2d, v14.2d // GHASH final-2 block - high\n\tmov\td22, v4.d[1] // GHASH final-2 block - mid\n\tpmull\tv21.1q, v4.1d, v14.1d // GHASH final-2 block - low\n\teor\tv22.8b, v22.8b, v4.8b // GHASH final-2 block - mid\n\teor\tv5.16b, v5.16b, v2.16b // AES final-1 block - result\n\teor\tv9.16b, v9.16b, v20.16b // GHASH final-2 block - high\n\tpmull\tv22.1q, v22.1d, v17.1d // GHASH final-2 block - mid\n\teor\tv11.16b, v11.16b, v21.16b // GHASH final-2 block - low\n\teor\tv10.16b, v10.16b, v22.16b // GHASH final-2 block - mid\n.Lenc_blocks_more_than_1:\t//\tblocks left > 1\n\tst1\t{ v5.16b}, [x2], #16 // AES final-1 block - store result\n\trev64\tv4.16b, v5.16b // GHASH final-1 block\n\tldp\tx6, x7, [x0], #16 // AES final block - load input low & high\n\teor\tv4.16b, v4.16b, v8.16b // feed in partial tag\n\tmovi\tv8.8b, #0 // suppress further partial tag feed in\n\teor\tx6, x6, x13 // AES final block - round N low\n\tmov\td22, v4.d[1] // GHASH final-1 block - mid\n\tpmull2\tv20.1q, v4.2d, v13.2d // GHASH final-1 block - high\n\teor\tx7, x7, x14 // AES final block - round N high\n\teor\tv22.8b, v22.8b, v4.8b // GHASH final-1 block - mid\n\teor\tv9.16b, v9.16b, v20.16b // GHASH final-1 block - high\n\tins\tv22.d[1], v22.d[0] // GHASH final-1 block - mid\n\tfmov\td5, x6 // AES final block - mov low\n\tfmov\tv5.d[1], x7 // AES final block - mov high\n\tpmull2\tv22.1q, v22.2d, v16.2d // GHASH final-1 block - mid\n\tpmull\tv21.1q, v4.1d, v13.1d // GHASH final-1 block - low\n\teor\tv5.16b, v5.16b, v3.16b // AES final block - result\n\teor\tv10.16b, v10.16b, v22.16b // GHASH final-1 block - mid\n\teor\tv11.16b, v11.16b, v21.16b // GHASH final-1 block - low\n.Lenc_blocks_less_than_1:\t//\tblocks left <= 1\n\tand\tx1, x1, #127 // bit_length %= 128\n\tmvn\tx13, xzr // rkN_l = 0xffffffffffffffff\n\tsub\tx1, x1, #128 // bit_length -= 128\n\tneg\tx1, x1 // bit_length = 128 - #bits in input (in range [1,128])\n\tld1\t{ v18.16b}, [x2] // load existing bytes where the possibly partial last block is to be stored\n\tmvn\tx14, xzr // rkN_h = 0xffffffffffffffff\n\tand\tx1, x1, #127 // bit_length %= 128\n\tlsr\tx14, x14, x1 // rkN_h is mask for top 64b of last block\n\tcmp\tx1, #64\n\tcsel\tx6, x13, x14, lt\n\tcsel\tx7, x14, xzr, lt\n\tfmov\td0, x6 // ctr0b is mask for last block\n\tfmov\tv0.d[1], x7\n\tand\tv5.16b, v5.16b, v0.16b // possibly partial last block has zeroes in highest bits\n\trev64\tv4.16b, v5.16b // GHASH final block\n\teor\tv4.16b, v4.16b, v8.16b // feed in partial tag\n\tbif\tv5.16b, v18.16b, v0.16b // insert existing bytes in top end of result before storing\n\tpmull2\tv20.1q, v4.2d, v12.2d // GHASH final block - high\n\tmov\td8, v4.d[1] // GHASH final block - mid\n\trev\tw9, w12\n\tpmull\tv21.1q, v4.1d, v12.1d // GHASH final block - low\n\teor\tv9.16b, v9.16b, v20.16b // GHASH final block - high\n\teor\tv8.8b, v8.8b, v4.8b // GHASH final block - mid\n\tpmull\tv8.1q, v8.1d, v16.1d // GHASH final block - mid\n\teor\tv11.16b, v11.16b, v21.16b // GHASH final block - low\n\teor\tv10.16b, v10.16b, v8.16b // GHASH final block - mid\n\tmovi\tv8.8b, #0xc2\n\teor\tv4.16b, v11.16b, v9.16b // MODULO - karatsuba tidy up\n\tshl\td8, d8, #56 // mod_constant\n\teor\tv10.16b, v10.16b, v4.16b // MODULO - karatsuba tidy up\n\tpmull\tv7.1q, v9.1d, v8.1d // MODULO - top 64b align with mid\n\text\tv9.16b, v9.16b, v9.16b, #8 // MODULO - other top alignment\n\teor\tv10.16b, v10.16b, v7.16b // MODULO - fold into mid\n\teor\tv10.16b, v10.16b, v9.16b // MODULO - fold into mid\n\tpmull\tv9.1q, v10.1d, v8.1d // MODULO - mid 64b align with low\n\text\tv10.16b, v10.16b, v10.16b, #8 // MODULO - other mid alignment\n\tstr\tw9, [x16, #12] // store the updated counter\n\tst1\t{ v5.16b}, [x2] // store all 16B\n\teor\tv11.16b, v11.16b, v9.16b // MODULO - fold into low\n\teor\tv11.16b, v11.16b, v10.16b // MODULO - fold into low\n\text\tv11.16b, v11.16b, v11.16b, #8\n\trev64\tv11.16b, v11.16b\n\tmov\tx0, x15\n\tst1\t{ v11.16b }, [x3]\n\tldp\tx19, x20, [sp, #16]\n\tldp\tx21, x22, [sp, #32]\n\tldp\tx23, x24, [sp, #48]\n\tldp\td8, d9, [sp, #64]\n\tldp\td10, d11, [sp, #80]\n\tldp\td12, d13, [sp, #96]\n\tldp\td14, d15, [sp, #112]\n\tldp\tx29, x30, [sp], #128\n\tAARCH64_VALIDATE_LINK_REGISTER\n\tret\n.size\taes_gcm_enc_kernel,.-aes_gcm_enc_kernel\n.globl\taes_gcm_dec_kernel\n.hidden\taes_gcm_dec_kernel\n.type\taes_gcm_dec_kernel,%function\n.align\t4\naes_gcm_dec_kernel:\n\tAARCH64_SIGN_LINK_REGISTER\n\tstp\tx29, x30, [sp, #-128]!\n\tmov\tx29, sp\n\tstp\tx19, x20, [sp, #16]\n\tmov\tx16, x4\n\tmov\tx8, x5\n\tstp\tx21, x22, [sp, #32]\n\tstp\tx23, x24, [sp, #48]\n\tstp\td8, d9, [sp, #64]\n\tstp\td10, d11, [sp, #80]\n\tstp\td12, d13, [sp, #96]\n\tstp\td14, d15, [sp, #112]\n\tldr\tw17, [x8, #240]\n\tadd\tx19, x8, x17, lsl #4 // borrow input_l1 for last key\n\tldp\tx13, x14, [x19] // load round N keys\n\tldr\tq31, [x19, #-16] // load round N-1 keys\n\tlsr\tx5, x1, #3 // byte_len\n\tmov\tx15, x5\n\tldp\tx10, x11, [x16] // ctr96_b64, ctr96_t32\n\tldr\tq26, [x8, #128] // load rk8\n\tsub\tx5, x5, #1 // byte_len - 1\n\tldr\tq25, [x8, #112] // load rk7\n\tand\tx5, x5, #0xffffffffffffffc0 // number of bytes to be processed in main loop (at least 1 byte must be handled by tail)\n\tadd\tx4, x0, x1, lsr #3 // end_input_ptr\n\tldr\tq24, [x8, #96] // load rk6\n\tlsr\tx12, x11, #32\n\tldr\tq23, [x8, #80] // load rk5\n\torr\tw11, w11, w11\n\tldr\tq21, [x8, #48] // load rk3\n\tadd\tx5, x5, x0\n\trev\tw12, w12 // rev_ctr32\n\tadd\tw12, w12, #1 // increment rev_ctr32\n\tfmov\td3, x10 // CTR block 3\n\trev\tw9, w12 // CTR block 1\n\tadd\tw12, w12, #1 // CTR block 1\n\tfmov\td1, x10 // CTR block 1\n\torr\tx9, x11, x9, lsl #32 // CTR block 1\n\tld1\t{ v0.16b}, [x16] // special case vector load initial counter so we can start first AES block as quickly as possible\n\tfmov\tv1.d[1], x9 // CTR block 1\n\trev\tw9, w12 // CTR block 2\n\tadd\tw12, w12, #1 // CTR block 2\n\tfmov\td2, x10 // CTR block 2\n\torr\tx9, x11, x9, lsl #32 // CTR block 2\n\tfmov\tv2.d[1], x9 // CTR block 2\n\trev\tw9, w12 // CTR block 3\n\torr\tx9, x11, x9, lsl #32 // CTR block 3\n\tldr\tq18, [x8, #0] // load rk0\n\tfmov\tv3.d[1], x9 // CTR block 3\n\tadd\tw12, w12, #1 // CTR block 3\n\tldr\tq22, [x8, #64] // load rk4\n\tldr\tq19, [x8, #16] // load rk1\n\taese\tv0.16b, v18.16b\n\taesmc\tv0.16b, v0.16b // AES block 0 - round 0\n\tldr\tq14, [x6, #48] // load h3l | h3h\n\text\tv14.16b, v14.16b, v14.16b, #8\n\taese\tv3.16b, v18.16b\n\taesmc\tv3.16b, v3.16b // AES block 3 - round 0\n\tldr\tq15, [x6, #80] // load h4l | h4h\n\text\tv15.16b, v15.16b, v15.16b, #8\n\taese\tv1.16b, v18.16b\n\taesmc\tv1.16b, v1.16b // AES block 1 - round 0\n\tldr\tq13, [x6, #32] // load h2l | h2h\n\text\tv13.16b, v13.16b, v13.16b, #8\n\taese\tv2.16b, v18.16b\n\taesmc\tv2.16b, v2.16b // AES block 2 - round 0\n\tldr\tq20, [x8, #32] // load rk2\n\taese\tv0.16b, v19.16b\n\taesmc\tv0.16b, v0.16b // AES block 0 - round 1\n\taese\tv1.16b, v19.16b\n\taesmc\tv1.16b, v1.16b // AES block 1 - round 1\n\tld1\t{ v11.16b}, [x3]\n\text\tv11.16b, v11.16b, v11.16b, #8\n\trev64\tv11.16b, v11.16b\n\taese\tv2.16b, v19.16b\n\taesmc\tv2.16b, v2.16b // AES block 2 - round 1\n\tldr\tq27, [x8, #144] // load rk9\n\taese\tv3.16b, v19.16b\n\taesmc\tv3.16b, v3.16b // AES block 3 - round 1\n\tldr\tq30, [x8, #192] // load rk12\n\taese\tv0.16b, v20.16b\n\taesmc\tv0.16b, v0.16b // AES block 0 - round 2\n\tldr\tq12, [x6] // load h1l | h1h\n\text\tv12.16b, v12.16b, v12.16b, #8\n\taese\tv2.16b, v20.16b\n\taesmc\tv2.16b, v2.16b // AES block 2 - round 2\n\tldr\tq28, [x8, #160] // load rk10\n\taese\tv3.16b, v20.16b\n\taesmc\tv3.16b, v3.16b // AES block 3 - round 2\n\taese\tv0.16b, v21.16b\n\taesmc\tv0.16b, v0.16b // AES block 0 - round 3\n\taese\tv1.16b, v20.16b\n\taesmc\tv1.16b, v1.16b // AES block 1 - round 2\n\taese\tv3.16b, v21.16b\n\taesmc\tv3.16b, v3.16b // AES block 3 - round 3\n\taese\tv0.16b, v22.16b\n\taesmc\tv0.16b, v0.16b // AES block 0 - round 4\n\taese\tv2.16b, v21.16b\n\taesmc\tv2.16b, v2.16b // AES block 2 - round 3\n\taese\tv1.16b, v21.16b\n\taesmc\tv1.16b, v1.16b // AES block 1 - round 3\n\taese\tv3.16b, v22.16b\n\taesmc\tv3.16b, v3.16b // AES block 3 - round 4\n\taese\tv2.16b, v22.16b\n\taesmc\tv2.16b, v2.16b // AES block 2 - round 4\n\taese\tv1.16b, v22.16b\n\taesmc\tv1.16b, v1.16b // AES block 1 - round 4\n\taese\tv3.16b, v23.16b\n\taesmc\tv3.16b, v3.16b // AES block 3 - round 5\n\taese\tv0.16b, v23.16b\n\taesmc\tv0.16b, v0.16b // AES block 0 - round 5\n\taese\tv1.16b, v23.16b\n\taesmc\tv1.16b, v1.16b // AES block 1 - round 5\n\taese\tv2.16b, v23.16b\n\taesmc\tv2.16b, v2.16b // AES block 2 - round 5\n\taese\tv0.16b, v24.16b\n\taesmc\tv0.16b, v0.16b // AES block 0 - round 6\n\taese\tv3.16b, v24.16b\n\taesmc\tv3.16b, v3.16b // AES block 3 - round 6\n\tcmp\tx17, #12 // setup flags for AES-128/192/256 check\n\taese\tv1.16b, v24.16b\n\taesmc\tv1.16b, v1.16b // AES block 1 - round 6\n\taese\tv2.16b, v24.16b\n\taesmc\tv2.16b, v2.16b // AES block 2 - round 6\n\taese\tv0.16b, v25.16b\n\taesmc\tv0.16b, v0.16b // AES block 0 - round 7\n\taese\tv1.16b, v25.16b\n\taesmc\tv1.16b, v1.16b // AES block 1 - round 7\n\taese\tv3.16b, v25.16b\n\taesmc\tv3.16b, v3.16b // AES block 3 - round 7\n\taese\tv0.16b, v26.16b\n\taesmc\tv0.16b, v0.16b // AES block 0 - round 8\n\taese\tv2.16b, v25.16b\n\taesmc\tv2.16b, v2.16b // AES block 2 - round 7\n\taese\tv3.16b, v26.16b\n\taesmc\tv3.16b, v3.16b // AES block 3 - round 8\n\taese\tv1.16b, v26.16b\n\taesmc\tv1.16b, v1.16b // AES block 1 - round 8\n\tldr\tq29, [x8, #176] // load rk11\n\taese\tv2.16b, v26.16b\n\taesmc\tv2.16b, v2.16b // AES block 2 - round 8\n\tb.lt\t.Ldec_finish_first_blocks // branch if AES-128\n\n\taese\tv0.16b, v27.16b\n\taesmc\tv0.16b, v0.16b // AES block 0 - round 9\n\taese\tv1.16b, v27.16b\n\taesmc\tv1.16b, v1.16b // AES block 1 - round 9\n\taese\tv3.16b, v27.16b\n\taesmc\tv3.16b, v3.16b // AES block 3 - round 9\n\taese\tv2.16b, v27.16b\n\taesmc\tv2.16b, v2.16b // AES block 2 - round 9\n\taese\tv0.16b, v28.16b\n\taesmc\tv0.16b, v0.16b // AES block 0 - round 10\n\taese\tv1.16b, v28.16b\n\taesmc\tv1.16b, v1.16b // AES block 1 - round 10\n\taese\tv3.16b, v28.16b\n\taesmc\tv3.16b, v3.16b // AES block 3 - round 10\n\taese\tv2.16b, v28.16b\n\taesmc\tv2.16b, v2.16b // AES block 2 - round 10\n\tb.eq\t.Ldec_finish_first_blocks // branch if AES-192\n\n\taese\tv0.16b, v29.16b\n\taesmc\tv0.16b, v0.16b // AES block 0 - round 11\n\taese\tv3.16b, v29.16b\n\taesmc\tv3.16b, v3.16b // AES block 3 - round 11\n\taese\tv1.16b, v29.16b\n\taesmc\tv1.16b, v1.16b // AES block 1 - round 11\n\taese\tv2.16b, v29.16b\n\taesmc\tv2.16b, v2.16b // AES block 2 - round 11\n\taese\tv1.16b, v30.16b\n\taesmc\tv1.16b, v1.16b // AES block 1 - round 12\n\taese\tv0.16b, v30.16b\n\taesmc\tv0.16b, v0.16b // AES block 0 - round 12\n\taese\tv2.16b, v30.16b\n\taesmc\tv2.16b, v2.16b // AES block 2 - round 12\n\taese\tv3.16b, v30.16b\n\taesmc\tv3.16b, v3.16b // AES block 3 - round 12\n\n.Ldec_finish_first_blocks:\n\tcmp\tx0, x5 // check if we have <= 4 blocks\n\ttrn1\tv9.2d, v14.2d, v15.2d // h4h | h3h\n\ttrn2\tv17.2d, v14.2d, v15.2d // h4l | h3l\n\ttrn1\tv8.2d, v12.2d, v13.2d // h2h | h1h\n\ttrn2\tv16.2d, v12.2d, v13.2d // h2l | h1l\n\teor\tv17.16b, v17.16b, v9.16b // h4k | h3k\n\taese\tv1.16b, v31.16b // AES block 1 - round N-1\n\taese\tv2.16b, v31.16b // AES block 2 - round N-1\n\teor\tv16.16b, v16.16b, v8.16b // h2k | h1k\n\taese\tv3.16b, v31.16b // AES block 3 - round N-1\n\taese\tv0.16b, v31.16b // AES block 0 - round N-1\n\tb.ge\t.Ldec_tail // handle tail\n\n\tldr\tq4, [x0, #0] // AES block 0 - load ciphertext\n\tldr\tq5, [x0, #16] // AES block 1 - load ciphertext\n\trev\tw9, w12 // CTR block 4\n\teor\tv0.16b, v4.16b, v0.16b // AES block 0 - result\n\teor\tv1.16b, v5.16b, v1.16b // AES block 1 - result\n\trev64\tv5.16b, v5.16b // GHASH block 1\n\tldr\tq7, [x0, #48] // AES block 3 - load ciphertext\n\tmov\tx7, v0.d[1] // AES block 0 - mov high\n\tmov\tx6, v0.d[0] // AES block 0 - mov low\n\trev64\tv4.16b, v4.16b // GHASH block 0\n\tadd\tw12, w12, #1 // CTR block 4\n\tfmov\td0, x10 // CTR block 4\n\torr\tx9, x11, x9, lsl #32 // CTR block 4\n\tfmov\tv0.d[1], x9 // CTR block 4\n\trev\tw9, w12 // CTR block 5\n\tadd\tw12, w12, #1 // CTR block 5\n\tmov\tx19, v1.d[0] // AES block 1 - mov low\n\torr\tx9, x11, x9, lsl #32 // CTR block 5\n\tmov\tx20, v1.d[1] // AES block 1 - mov high\n\teor\tx7, x7, x14 // AES block 0 - round N high\n\teor\tx6, x6, x13 // AES block 0 - round N low\n\tstp\tx6, x7, [x2], #16 // AES block 0 - store result\n\tfmov\td1, x10 // CTR block 5\n\tldr\tq6, [x0, #32] // AES block 2 - load ciphertext\n\tadd\tx0, x0, #64 // AES input_ptr update\n\tfmov\tv1.d[1], x9 // CTR block 5\n\trev\tw9, w12 // CTR block 6\n\tadd\tw12, w12, #1 // CTR block 6\n\teor\tx19, x19, x13 // AES block 1 - round N low\n\torr\tx9, x11, x9, lsl #32 // CTR block 6\n\teor\tx20, x20, x14 // AES block 1 - round N high\n\tstp\tx19, x20, [x2], #16 // AES block 1 - store result\n\teor\tv2.16b, v6.16b, v2.16b // AES block 2 - result\n\tcmp\tx0, x5 // check if we have <= 8 blocks\n\tb.ge\t.Ldec_prepretail // do prepretail\n\n.Ldec_main_loop:\t//\tmain loop start\n\tmov\tx21, v2.d[0] // AES block 4k+2 - mov low\n\text\tv11.16b, v11.16b, v11.16b, #8 // PRE 0\n\teor\tv3.16b, v7.16b, v3.16b // AES block 4k+3 - result\n\taese\tv0.16b, v18.16b\n\taesmc\tv0.16b, v0.16b // AES block 4k+4 - round 0\n\tmov\tx22, v2.d[1] // AES block 4k+2 - mov high\n\taese\tv1.16b, v18.16b\n\taesmc\tv1.16b, v1.16b // AES block 4k+5 - round 0\n\tfmov\td2, x10 // CTR block 4k+6\n\tfmov\tv2.d[1], x9 // CTR block 4k+6\n\teor\tv4.16b, v4.16b, v11.16b // PRE 1\n\trev\tw9, w12 // CTR block 4k+7\n\taese\tv0.16b, v19.16b\n\taesmc\tv0.16b, v0.16b // AES block 4k+4 - round 1\n\tmov\tx24, v3.d[1] // AES block 4k+3 - mov high\n\taese\tv1.16b, v19.16b\n\taesmc\tv1.16b, v1.16b // AES block 4k+5 - round 1\n\tmov\tx23, v3.d[0] // AES block 4k+3 - mov low\n\tpmull2\tv9.1q, v4.2d, v15.2d // GHASH block 4k - high\n\tmov\td8, v4.d[1] // GHASH block 4k - mid\n\tfmov\td3, x10 // CTR block 4k+7\n\taese\tv0.16b, v20.16b\n\taesmc\tv0.16b, v0.16b // AES block 4k+4 - round 2\n\torr\tx9, x11, x9, lsl #32 // CTR block 4k+7\n\taese\tv2.16b, v18.16b\n\taesmc\tv2.16b, v2.16b // AES block 4k+6 - round 0\n\tfmov\tv3.d[1], x9 // CTR block 4k+7\n\taese\tv1.16b, v20.16b\n\taesmc\tv1.16b, v1.16b // AES block 4k+5 - round 2\n\teor\tv8.8b, v8.8b, v4.8b // GHASH block 4k - mid\n\taese\tv0.16b, v21.16b\n\taesmc\tv0.16b, v0.16b // AES block 4k+4 - round 3\n\teor\tx22, x22, x14 // AES block 4k+2 - round N high\n\taese\tv2.16b, v19.16b\n\taesmc\tv2.16b, v2.16b // AES block 4k+6 - round 1\n\tmov\td10, v17.d[1] // GHASH block 4k - mid\n\taese\tv1.16b, v21.16b\n\taesmc\tv1.16b, v1.16b // AES block 4k+5 - round 3\n\trev64\tv6.16b, v6.16b // GHASH block 4k+2\n\taese\tv3.16b, v18.16b\n\taesmc\tv3.16b, v3.16b // AES block 4k+7 - round 0\n\teor\tx21, x21, x13 // AES block 4k+2 - round N low\n\taese\tv2.16b, v20.16b\n\taesmc\tv2.16b, v2.16b // AES block 4k+6 - round 2\n\tstp\tx21, x22, [x2], #16 // AES block 4k+2 - store result\n\tpmull\tv11.1q, v4.1d, v15.1d // GHASH block 4k - low\n\tpmull2\tv4.1q, v5.2d, v14.2d // GHASH block 4k+1 - high\n\taese\tv2.16b, v21.16b\n\taesmc\tv2.16b, v2.16b // AES block 4k+6 - round 3\n\trev64\tv7.16b, v7.16b // GHASH block 4k+3\n\tpmull\tv10.1q, v8.1d, v10.1d // GHASH block 4k - mid\n\teor\tx23, x23, x13 // AES block 4k+3 - round N low\n\tpmull\tv8.1q, v5.1d, v14.1d // GHASH block 4k+1 - low\n\teor\tx24, x24, x14 // AES block 4k+3 - round N high\n\teor\tv9.16b, v9.16b, v4.16b // GHASH block 4k+1 - high\n\taese\tv2.16b, v22.16b\n\taesmc\tv2.16b, v2.16b // AES block 4k+6 - round 4\n\taese\tv3.16b, v19.16b\n\taesmc\tv3.16b, v3.16b // AES block 4k+7 - round 1\n\tmov\td4, v5.d[1] // GHASH block 4k+1 - mid\n\taese\tv0.16b, v22.16b\n\taesmc\tv0.16b, v0.16b // AES block 4k+4 - round 4\n\teor\tv11.16b, v11.16b, v8.16b // GHASH block 4k+1 - low\n\taese\tv2.16b, v23.16b\n\taesmc\tv2.16b, v2.16b // AES block 4k+6 - round 5\n\tadd\tw12, w12, #1 // CTR block 4k+7\n\taese\tv3.16b, v20.16b\n\taesmc\tv3.16b, v3.16b // AES block 4k+7 - round 2\n\tmov\td8, v6.d[1] // GHASH block 4k+2 - mid\n\taese\tv1.16b, v22.16b\n\taesmc\tv1.16b, v1.16b // AES block 4k+5 - round 4\n\teor\tv4.8b, v4.8b, v5.8b // GHASH block 4k+1 - mid\n\tpmull\tv5.1q, v6.1d, v13.1d // GHASH block 4k+2 - low\n\taese\tv3.16b, v21.16b\n\taesmc\tv3.16b, v3.16b // AES block 4k+7 - round 3\n\teor\tv8.8b, v8.8b, v6.8b // GHASH block 4k+2 - mid\n\taese\tv1.16b, v23.16b\n\taesmc\tv1.16b, v1.16b // AES block 4k+5 - round 5\n\taese\tv0.16b, v23.16b\n\taesmc\tv0.16b, v0.16b // AES block 4k+4 - round 5\n\teor\tv11.16b, v11.16b, v5.16b // GHASH block 4k+2 - low\n\tpmull\tv4.1q, v4.1d, v17.1d // GHASH block 4k+1 - mid\n\trev\tw9, w12 // CTR block 4k+8\n\taese\tv1.16b, v24.16b\n\taesmc\tv1.16b, v1.16b // AES block 4k+5 - round 6\n\tins\tv8.d[1], v8.d[0] // GHASH block 4k+2 - mid\n\taese\tv0.16b, v24.16b\n\taesmc\tv0.16b, v0.16b // AES block 4k+4 - round 6\n\tadd\tw12, w12, #1 // CTR block 4k+8\n\taese\tv3.16b, v22.16b\n\taesmc\tv3.16b, v3.16b // AES block 4k+7 - round 4\n\taese\tv1.16b, v25.16b\n\taesmc\tv1.16b, v1.16b // AES block 4k+5 - round 7\n\teor\tv10.16b, v10.16b, v4.16b // GHASH block 4k+1 - mid\n\taese\tv0.16b, v25.16b\n\taesmc\tv0.16b, v0.16b // AES block 4k+4 - round 7\n\tpmull2\tv4.1q, v6.2d, v13.2d // GHASH block 4k+2 - high\n\tmov\td6, v7.d[1] // GHASH block 4k+3 - mid\n\taese\tv3.16b, v23.16b\n\taesmc\tv3.16b, v3.16b // AES block 4k+7 - round 5\n\tpmull2\tv8.1q, v8.2d, v16.2d // GHASH block 4k+2 - mid\n\taese\tv0.16b, v26.16b\n\taesmc\tv0.16b, v0.16b // AES block 4k+4 - round 8\n\teor\tv9.16b, v9.16b, v4.16b // GHASH block 4k+2 - high\n\taese\tv3.16b, v24.16b\n\taesmc\tv3.16b, v3.16b // AES block 4k+7 - round 6\n\tpmull\tv4.1q, v7.1d, v12.1d // GHASH block 4k+3 - low\n\torr\tx9, x11, x9, lsl #32 // CTR block 4k+8\n\teor\tv10.16b, v10.16b, v8.16b // GHASH block 4k+2 - mid\n\tpmull2\tv5.1q, v7.2d, v12.2d // GHASH block 4k+3 - high\n\tcmp\tx17, #12 // setup flags for AES-128/192/256 check\n\teor\tv6.8b, v6.8b, v7.8b // GHASH block 4k+3 - mid\n\taese\tv1.16b, v26.16b\n\taesmc\tv1.16b, v1.16b // AES block 4k+5 - round 8\n\taese\tv2.16b, v24.16b\n\taesmc\tv2.16b, v2.16b // AES block 4k+6 - round 6\n\teor\tv9.16b, v9.16b, v5.16b // GHASH block 4k+3 - high\n\tpmull\tv6.1q, v6.1d, v16.1d // GHASH block 4k+3 - mid\n\tmovi\tv8.8b, #0xc2\n\taese\tv2.16b, v25.16b\n\taesmc\tv2.16b, v2.16b // AES block 4k+6 - round 7\n\teor\tv11.16b, v11.16b, v4.16b // GHASH block 4k+3 - low\n\taese\tv3.16b, v25.16b\n\taesmc\tv3.16b, v3.16b // AES block 4k+7 - round 7\n\tshl\td8, d8, #56 // mod_constant\n\taese\tv2.16b, v26.16b\n\taesmc\tv2.16b, v2.16b // AES block 4k+6 - round 8\n\teor\tv10.16b, v10.16b, v6.16b // GHASH block 4k+3 - mid\n\taese\tv3.16b, v26.16b\n\taesmc\tv3.16b, v3.16b // AES block 4k+7 - round 8\n\tb.lt\t.Ldec_main_loop_continue // branch if AES-128\n\n\taese\tv0.16b, v27.16b\n\taesmc\tv0.16b, v0.16b // AES block 4k+4 - round 9\n\taese\tv2.16b, v27.16b\n\taesmc\tv2.16b, v2.16b // AES block 4k+6 - round 9\n\taese\tv1.16b, v27.16b\n\taesmc\tv1.16b, v1.16b // AES block 4k+5 - round 9\n\taese\tv3.16b, v27.16b\n\taesmc\tv3.16b, v3.16b // AES block 4k+7 - round 9\n\taese\tv0.16b, v28.16b\n\taesmc\tv0.16b, v0.16b // AES block 4k+4 - round 10\n\taese\tv1.16b, v28.16b\n\taesmc\tv1.16b, v1.16b // AES block 4k+5 - round 10\n\taese\tv2.16b, v28.16b\n\taesmc\tv2.16b, v2.16b // AES block 4k+6 - round 10\n\taese\tv3.16b, v28.16b\n\taesmc\tv3.16b, v3.16b // AES block 4k+7 - round 10\n\tb.eq\t.Ldec_main_loop_continue // branch if AES-192\n\n\taese\tv0.16b, v29.16b\n\taesmc\tv0.16b, v0.16b // AES block 4k+4 - round 11\n\taese\tv1.16b, v29.16b\n\taesmc\tv1.16b, v1.16b // AES block 4k+5 - round 11\n\taese\tv2.16b, v29.16b\n\taesmc\tv2.16b, v2.16b // AES block 4k+6 - round 11\n\taese\tv3.16b, v29.16b\n\taesmc\tv3.16b, v3.16b // AES block 4k+7 - round 11\n\taese\tv0.16b, v30.16b\n\taesmc\tv0.16b, v0.16b // AES block 4k+4 - round 12\n\taese\tv1.16b, v30.16b\n\taesmc\tv1.16b, v1.16b // AES block 4k+5 - round 12\n\taese\tv2.16b, v30.16b\n\taesmc\tv2.16b, v2.16b // AES block 4k+6 - round 12\n\taese\tv3.16b, v30.16b\n\taesmc\tv3.16b, v3.16b // AES block 4k+7 - round 12\n\n.Ldec_main_loop_continue:\n\tpmull\tv7.1q, v9.1d, v8.1d // MODULO - top 64b align with mid\n\teor\tv6.16b, v11.16b, v9.16b // MODULO - karatsuba tidy up\n\tldr\tq4, [x0, #0] // AES block 4k+4 - load ciphertext\n\taese\tv0.16b, v31.16b // AES block 4k+4 - round N-1\n\text\tv9.16b, v9.16b, v9.16b, #8 // MODULO - other top alignment\n\teor\tv10.16b, v10.16b, v6.16b // MODULO - karatsuba tidy up\n\tldr\tq5, [x0, #16] // AES block 4k+5 - load ciphertext\n\teor\tv0.16b, v4.16b, v0.16b // AES block 4k+4 - result\n\tstp\tx23, x24, [x2], #16 // AES block 4k+3 - store result\n\teor\tv10.16b, v10.16b, v7.16b // MODULO - fold into mid\n\tldr\tq7, [x0, #48] // AES block 4k+7 - load ciphertext\n\tldr\tq6, [x0, #32] // AES block 4k+6 - load ciphertext\n\tmov\tx7, v0.d[1] // AES block 4k+4 - mov high\n\teor\tv10.16b, v10.16b, v9.16b // MODULO - fold into mid\n\taese\tv1.16b, v31.16b // AES block 4k+5 - round N-1\n\tadd\tx0, x0, #64 // AES input_ptr update\n\tmov\tx6, v0.d[0] // AES block 4k+4 - mov low\n\tfmov\td0, x10 // CTR block 4k+8\n\tfmov\tv0.d[1], x9 // CTR block 4k+8\n\tpmull\tv8.1q, v10.1d, v8.1d // MODULO - mid 64b align with low\n\teor\tv1.16b, v5.16b, v1.16b // AES block 4k+5 - result\n\trev\tw9, w12 // CTR block 4k+9\n\taese\tv2.16b, v31.16b // AES block 4k+6 - round N-1\n\torr\tx9, x11, x9, lsl #32 // CTR block 4k+9\n\tcmp\tx0, x5 // .LOOP CONTROL\n\tadd\tw12, w12, #1 // CTR block 4k+9\n\teor\tx6, x6, x13 // AES block 4k+4 - round N low\n\teor\tx7, x7, x14 // AES block 4k+4 - round N high\n\tmov\tx20, v1.d[1] // AES block 4k+5 - mov high\n\teor\tv2.16b, v6.16b, v2.16b // AES block 4k+6 - result\n\teor\tv11.16b, v11.16b, v8.16b // MODULO - fold into low\n\tmov\tx19, v1.d[0] // AES block 4k+5 - mov low\n\tfmov\td1, x10 // CTR block 4k+9\n\text\tv10.16b, v10.16b, v10.16b, #8 // MODULO - other mid alignment\n\tfmov\tv1.d[1], x9 // CTR block 4k+9\n\trev\tw9, w12 // CTR block 4k+10\n\tadd\tw12, w12, #1 // CTR block 4k+10\n\taese\tv3.16b, v31.16b // AES block 4k+7 - round N-1\n\torr\tx9, x11, x9, lsl #32 // CTR block 4k+10\n\trev64\tv5.16b, v5.16b // GHASH block 4k+5\n\teor\tx20, x20, x14 // AES block 4k+5 - round N high\n\tstp\tx6, x7, [x2], #16 // AES block 4k+4 - store result\n\teor\tx19, x19, x13 // AES block 4k+5 - round N low\n\tstp\tx19, x20, [x2], #16 // AES block 4k+5 - store result\n\trev64\tv4.16b, v4.16b // GHASH block 4k+4\n\teor\tv11.16b, v11.16b, v10.16b // MODULO - fold into low\n\tb.lt\t.Ldec_main_loop\n\n.Ldec_prepretail:\t//\tPREPRETAIL\n\text\tv11.16b, v11.16b, v11.16b, #8 // PRE 0\n\tmov\tx21, v2.d[0] // AES block 4k+2 - mov low\n\teor\tv3.16b, v7.16b, v3.16b // AES block 4k+3 - result\n\taese\tv0.16b, v18.16b\n\taesmc\tv0.16b, v0.16b // AES block 4k+4 - round 0\n\tmov\tx22, v2.d[1] // AES block 4k+2 - mov high\n\taese\tv1.16b, v18.16b\n\taesmc\tv1.16b, v1.16b // AES block 4k+5 - round 0\n\tfmov\td2, x10 // CTR block 4k+6\n\tfmov\tv2.d[1], x9 // CTR block 4k+6\n\trev\tw9, w12 // CTR block 4k+7\n\teor\tv4.16b, v4.16b, v11.16b // PRE 1\n\trev64\tv6.16b, v6.16b // GHASH block 4k+2\n\torr\tx9, x11, x9, lsl #32 // CTR block 4k+7\n\tmov\tx23, v3.d[0] // AES block 4k+3 - mov low\n\taese\tv1.16b, v19.16b\n\taesmc\tv1.16b, v1.16b // AES block 4k+5 - round 1\n\tmov\tx24, v3.d[1] // AES block 4k+3 - mov high\n\tpmull\tv11.1q, v4.1d, v15.1d // GHASH block 4k - low\n\tmov\td8, v4.d[1] // GHASH block 4k - mid\n\tfmov\td3, x10 // CTR block 4k+7\n\tpmull2\tv9.1q, v4.2d, v15.2d // GHASH block 4k - high\n\tfmov\tv3.d[1], x9 // CTR block 4k+7\n\taese\tv2.16b, v18.16b\n\taesmc\tv2.16b, v2.16b // AES block 4k+6 - round 0\n\tmov\td10, v17.d[1] // GHASH block 4k - mid\n\taese\tv0.16b, v19.16b\n\taesmc\tv0.16b, v0.16b // AES block 4k+4 - round 1\n\teor\tv8.8b, v8.8b, v4.8b // GHASH block 4k - mid\n\tpmull2\tv4.1q, v5.2d, v14.2d // GHASH block 4k+1 - high\n\taese\tv2.16b, v19.16b\n\taesmc\tv2.16b, v2.16b // AES block 4k+6 - round 1\n\trev64\tv7.16b, v7.16b // GHASH block 4k+3\n\taese\tv3.16b, v18.16b\n\taesmc\tv3.16b, v3.16b // AES block 4k+7 - round 0\n\tpmull\tv10.1q, v8.1d, v10.1d // GHASH block 4k - mid\n\teor\tv9.16b, v9.16b, v4.16b // GHASH block 4k+1 - high\n\tpmull\tv8.1q, v5.1d, v14.1d // GHASH block 4k+1 - low\n\taese\tv3.16b, v19.16b\n\taesmc\tv3.16b, v3.16b // AES block 4k+7 - round 1\n\tmov\td4, v5.d[1] // GHASH block 4k+1 - mid\n\taese\tv0.16b, v20.16b\n\taesmc\tv0.16b, v0.16b // AES block 4k+4 - round 2\n\taese\tv1.16b, v20.16b\n\taesmc\tv1.16b, v1.16b // AES block 4k+5 - round 2\n\teor\tv11.16b, v11.16b, v8.16b // GHASH block 4k+1 - low\n\taese\tv2.16b, v20.16b\n\taesmc\tv2.16b, v2.16b // AES block 4k+6 - round 2\n\taese\tv0.16b, v21.16b\n\taesmc\tv0.16b, v0.16b // AES block 4k+4 - round 3\n\tmov\td8, v6.d[1] // GHASH block 4k+2 - mid\n\taese\tv3.16b, v20.16b\n\taesmc\tv3.16b, v3.16b // AES block 4k+7 - round 2\n\teor\tv4.8b, v4.8b, v5.8b // GHASH block 4k+1 - mid\n\tpmull\tv5.1q, v6.1d, v13.1d // GHASH block 4k+2 - low\n\taese\tv0.16b, v22.16b\n\taesmc\tv0.16b, v0.16b // AES block 4k+4 - round 4\n\taese\tv3.16b, v21.16b\n\taesmc\tv3.16b, v3.16b // AES block 4k+7 - round 3\n\teor\tv8.8b, v8.8b, v6.8b // GHASH block 4k+2 - mid\n\tpmull\tv4.1q, v4.1d, v17.1d // GHASH block 4k+1 - mid\n\taese\tv0.16b, v23.16b\n\taesmc\tv0.16b, v0.16b // AES block 4k+4 - round 5\n\teor\tv11.16b, v11.16b, v5.16b // GHASH block 4k+2 - low\n\taese\tv3.16b, v22.16b\n\taesmc\tv3.16b, v3.16b // AES block 4k+7 - round 4\n\tpmull2\tv5.1q, v7.2d, v12.2d // GHASH block 4k+3 - high\n\teor\tv10.16b, v10.16b, v4.16b // GHASH block 4k+1 - mid\n\tpmull2\tv4.1q, v6.2d, v13.2d // GHASH block 4k+2 - high\n\taese\tv3.16b, v23.16b\n\taesmc\tv3.16b, v3.16b // AES block 4k+7 - round 5\n\tins\tv8.d[1], v8.d[0] // GHASH block 4k+2 - mid\n\taese\tv2.16b, v21.16b\n\taesmc\tv2.16b, v2.16b // AES block 4k+6 - round 3\n\taese\tv1.16b, v21.16b\n\taesmc\tv1.16b, v1.16b // AES block 4k+5 - round 3\n\teor\tv9.16b, v9.16b, v4.16b // GHASH block 4k+2 - high\n\tpmull\tv4.1q, v7.1d, v12.1d // GHASH block 4k+3 - low\n\taese\tv2.16b, v22.16b\n\taesmc\tv2.16b, v2.16b // AES block 4k+6 - round 4\n\tmov\td6, v7.d[1] // GHASH block 4k+3 - mid\n\taese\tv1.16b, v22.16b\n\taesmc\tv1.16b, v1.16b // AES block 4k+5 - round 4\n\tpmull2\tv8.1q, v8.2d, v16.2d // GHASH block 4k+2 - mid\n\taese\tv2.16b, v23.16b\n\taesmc\tv2.16b, v2.16b // AES block 4k+6 - round 5\n\teor\tv6.8b, v6.8b, v7.8b // GHASH block 4k+3 - mid\n\taese\tv1.16b, v23.16b\n\taesmc\tv1.16b, v1.16b // AES block 4k+5 - round 5\n\taese\tv3.16b, v24.16b\n\taesmc\tv3.16b, v3.16b // AES block 4k+7 - round 6\n\teor\tv10.16b, v10.16b, v8.16b // GHASH block 4k+2 - mid\n\taese\tv2.16b, v24.16b\n\taesmc\tv2.16b, v2.16b // AES block 4k+6 - round 6\n\taese\tv0.16b, v24.16b\n\taesmc\tv0.16b, v0.16b // AES block 4k+4 - round 6\n\tmovi\tv8.8b, #0xc2\n\taese\tv1.16b, v24.16b\n\taesmc\tv1.16b, v1.16b // AES block 4k+5 - round 6\n\teor\tv11.16b, v11.16b, v4.16b // GHASH block 4k+3 - low\n\tpmull\tv6.1q, v6.1d, v16.1d // GHASH block 4k+3 - mid\n\taese\tv3.16b, v25.16b\n\taesmc\tv3.16b, v3.16b // AES block 4k+7 - round 7\n\tcmp\tx17, #12 // setup flags for AES-128/192/256 check\n\teor\tv9.16b, v9.16b, v5.16b // GHASH block 4k+3 - high\n\taese\tv1.16b, v25.16b\n\taesmc\tv1.16b, v1.16b // AES block 4k+5 - round 7\n\taese\tv0.16b, v25.16b\n\taesmc\tv0.16b, v0.16b // AES block 4k+4 - round 7\n\teor\tv10.16b, v10.16b, v6.16b // GHASH block 4k+3 - mid\n\taese\tv3.16b, v26.16b\n\taesmc\tv3.16b, v3.16b // AES block 4k+7 - round 8\n\taese\tv2.16b, v25.16b\n\taesmc\tv2.16b, v2.16b // AES block 4k+6 - round 7\n\teor\tv6.16b, v11.16b, v9.16b // MODULO - karatsuba tidy up\n\taese\tv1.16b, v26.16b\n\taesmc\tv1.16b, v1.16b // AES block 4k+5 - round 8\n\taese\tv0.16b, v26.16b\n\taesmc\tv0.16b, v0.16b // AES block 4k+4 - round 8\n\tshl\td8, d8, #56 // mod_constant\n\taese\tv2.16b, v26.16b\n\taesmc\tv2.16b, v2.16b // AES block 4k+6 - round 8\n\tb.lt\t.Ldec_finish_prepretail // branch if AES-128\n\n\taese\tv1.16b, v27.16b\n\taesmc\tv1.16b, v1.16b // AES block 4k+5 - round 9\n\taese\tv2.16b, v27.16b\n\taesmc\tv2.16b, v2.16b // AES block 4k+6 - round 9\n\taese\tv3.16b, v27.16b\n\taesmc\tv3.16b, v3.16b // AES block 4k+7 - round 9\n\taese\tv0.16b, v27.16b\n\taesmc\tv0.16b, v0.16b // AES block 4k+4 - round 9\n\taese\tv2.16b, v28.16b\n\taesmc\tv2.16b, v2.16b // AES block 4k+6 - round 10\n\taese\tv3.16b, v28.16b\n\taesmc\tv3.16b, v3.16b // AES block 4k+7 - round 10\n\taese\tv0.16b, v28.16b\n\taesmc\tv0.16b, v0.16b // AES block 4k+4 - round 10\n\taese\tv1.16b, v28.16b\n\taesmc\tv1.16b, v1.16b // AES block 4k+5 - round 10\n\tb.eq\t.Ldec_finish_prepretail // branch if AES-192\n\n\taese\tv2.16b, v29.16b\n\taesmc\tv2.16b, v2.16b // AES block 4k+6 - round 11\n\taese\tv0.16b, v29.16b\n\taesmc\tv0.16b, v0.16b // AES block 4k+4 - round 11\n\taese\tv1.16b, v29.16b\n\taesmc\tv1.16b, v1.16b // AES block 4k+5 - round 11\n\taese\tv2.16b, v30.16b\n\taesmc\tv2.16b, v2.16b // AES block 4k+6 - round 12\n\taese\tv3.16b, v29.16b\n\taesmc\tv3.16b, v3.16b // AES block 4k+7 - round 11\n\taese\tv1.16b, v30.16b\n\taesmc\tv1.16b, v1.16b // AES block 4k+5 - round 12\n\taese\tv0.16b, v30.16b\n\taesmc\tv0.16b, v0.16b // AES block 4k+4 - round 12\n\taese\tv3.16b, v30.16b\n\taesmc\tv3.16b, v3.16b // AES block 4k+7 - round 12\n\n.Ldec_finish_prepretail:\n\teor\tv10.16b, v10.16b, v6.16b // MODULO - karatsuba tidy up\n\tpmull\tv7.1q, v9.1d, v8.1d // MODULO - top 64b align with mid\n\text\tv9.16b, v9.16b, v9.16b, #8 // MODULO - other top alignment\n\teor\tv10.16b, v10.16b, v7.16b // MODULO - fold into mid\n\teor\tx22, x22, x14 // AES block 4k+2 - round N high\n\teor\tx23, x23, x13 // AES block 4k+3 - round N low\n\teor\tv10.16b, v10.16b, v9.16b // MODULO - fold into mid\n\tadd\tw12, w12, #1 // CTR block 4k+7\n\teor\tx21, x21, x13 // AES block 4k+2 - round N low\n\tpmull\tv8.1q, v10.1d, v8.1d // MODULO - mid 64b align with low\n\teor\tx24, x24, x14 // AES block 4k+3 - round N high\n\tstp\tx21, x22, [x2], #16 // AES block 4k+2 - store result\n\text\tv10.16b, v10.16b, v10.16b, #8 // MODULO - other mid alignment\n\tstp\tx23, x24, [x2], #16 // AES block 4k+3 - store result\n\n\teor\tv11.16b, v11.16b, v8.16b // MODULO - fold into low\n\taese\tv1.16b, v31.16b // AES block 4k+5 - round N-1\n\taese\tv0.16b, v31.16b // AES block 4k+4 - round N-1\n\taese\tv3.16b, v31.16b // AES block 4k+7 - round N-1\n\taese\tv2.16b, v31.16b // AES block 4k+6 - round N-1\n\teor\tv11.16b, v11.16b, v10.16b // MODULO - fold into low\n\n.Ldec_tail:\t//\tTAIL\n\tsub\tx5, x4, x0 // main_end_input_ptr is number of bytes left to process\n\tld1\t{ v5.16b}, [x0], #16 // AES block 4k+4 - load ciphertext\n\teor\tv0.16b, v5.16b, v0.16b // AES block 4k+4 - result\n\tmov\tx6, v0.d[0] // AES block 4k+4 - mov low\n\tmov\tx7, v0.d[1] // AES block 4k+4 - mov high\n\text\tv8.16b, v11.16b, v11.16b, #8 // prepare final partial tag\n\tcmp\tx5, #48\n\teor\tx6, x6, x13 // AES block 4k+4 - round N low\n\teor\tx7, x7, x14 // AES block 4k+4 - round N high\n\tb.gt\t.Ldec_blocks_more_than_3\n\tsub\tw12, w12, #1\n\tmov\tv3.16b, v2.16b\n\tmovi\tv10.8b, #0\n\tmovi\tv11.8b, #0\n\tcmp\tx5, #32\n\tmovi\tv9.8b, #0\n\tmov\tv2.16b, v1.16b\n\tb.gt\t.Ldec_blocks_more_than_2\n\tsub\tw12, w12, #1\n\tmov\tv3.16b, v1.16b\n\tcmp\tx5, #16\n\tb.gt\t.Ldec_blocks_more_than_1\n\tsub\tw12, w12, #1\n\tb\t.Ldec_blocks_less_than_1\n.Ldec_blocks_more_than_3:\t//\tblocks left > 3\n\trev64\tv4.16b, v5.16b // GHASH final-3 block\n\tld1\t{ v5.16b}, [x0], #16 // AES final-2 block - load ciphertext\n\tstp\tx6, x7, [x2], #16 // AES final-3 block - store result\n\tmov\td10, v17.d[1] // GHASH final-3 block - mid\n\teor\tv4.16b, v4.16b, v8.16b // feed in partial tag\n\teor\tv0.16b, v5.16b, v1.16b // AES final-2 block - result\n\tmov\td22, v4.d[1] // GHASH final-3 block - mid\n\tmov\tx6, v0.d[0] // AES final-2 block - mov low\n\tmov\tx7, v0.d[1] // AES final-2 block - mov high\n\teor\tv22.8b, v22.8b, v4.8b // GHASH final-3 block - mid\n\tmovi\tv8.8b, #0 // suppress further partial tag feed in\n\tpmull2\tv9.1q, v4.2d, v15.2d // GHASH final-3 block - high\n\tpmull\tv10.1q, v22.1d, v10.1d // GHASH final-3 block - mid\n\teor\tx6, x6, x13 // AES final-2 block - round N low\n\tpmull\tv11.1q, v4.1d, v15.1d // GHASH final-3 block - low\n\teor\tx7, x7, x14 // AES final-2 block - round N high\n.Ldec_blocks_more_than_2:\t//\tblocks left > 2\n\trev64\tv4.16b, v5.16b // GHASH final-2 block\n\tld1\t{ v5.16b}, [x0], #16 // AES final-1 block - load ciphertext\n\teor\tv4.16b, v4.16b, v8.16b // feed in partial tag\n\tstp\tx6, x7, [x2], #16 // AES final-2 block - store result\n\teor\tv0.16b, v5.16b, v2.16b // AES final-1 block - result\n\tmov\td22, v4.d[1] // GHASH final-2 block - mid\n\tpmull\tv21.1q, v4.1d, v14.1d // GHASH final-2 block - low\n\tpmull2\tv20.1q, v4.2d, v14.2d // GHASH final-2 block - high\n\teor\tv22.8b, v22.8b, v4.8b // GHASH final-2 block - mid\n\tmov\tx6, v0.d[0] // AES final-1 block - mov low\n\tmov\tx7, v0.d[1] // AES final-1 block - mov high\n\teor\tv11.16b, v11.16b, v21.16b // GHASH final-2 block - low\n\tmovi\tv8.8b, #0 // suppress further partial tag feed in\n\tpmull\tv22.1q, v22.1d, v17.1d // GHASH final-2 block - mid\n\teor\tv9.16b, v9.16b, v20.16b // GHASH final-2 block - high\n\teor\tx6, x6, x13 // AES final-1 block - round N low\n\teor\tv10.16b, v10.16b, v22.16b // GHASH final-2 block - mid\n\teor\tx7, x7, x14 // AES final-1 block - round N high\n.Ldec_blocks_more_than_1:\t//\tblocks left > 1\n\tstp\tx6, x7, [x2], #16 // AES final-1 block - store result\n\trev64\tv4.16b, v5.16b // GHASH final-1 block\n\tld1\t{ v5.16b}, [x0], #16 // AES final block - load ciphertext\n\teor\tv4.16b, v4.16b, v8.16b // feed in partial tag\n\tmovi\tv8.8b, #0 // suppress further partial tag feed in\n\tmov\td22, v4.d[1] // GHASH final-1 block - mid\n\teor\tv0.16b, v5.16b, v3.16b // AES final block - result\n\tpmull2\tv20.1q, v4.2d, v13.2d // GHASH final-1 block - high\n\teor\tv22.8b, v22.8b, v4.8b // GHASH final-1 block - mid\n\tpmull\tv21.1q, v4.1d, v13.1d // GHASH final-1 block - low\n\tmov\tx6, v0.d[0] // AES final block - mov low\n\tins\tv22.d[1], v22.d[0] // GHASH final-1 block - mid\n\tmov\tx7, v0.d[1] // AES final block - mov high\n\tpmull2\tv22.1q, v22.2d, v16.2d // GHASH final-1 block - mid\n\teor\tx6, x6, x13 // AES final block - round N low\n\teor\tv11.16b, v11.16b, v21.16b // GHASH final-1 block - low\n\teor\tv9.16b, v9.16b, v20.16b // GHASH final-1 block - high\n\teor\tv10.16b, v10.16b, v22.16b // GHASH final-1 block - mid\n\teor\tx7, x7, x14 // AES final block - round N high\n.Ldec_blocks_less_than_1:\t//\tblocks left <= 1\n\tand\tx1, x1, #127 // bit_length %= 128\n\tmvn\tx14, xzr // rkN_h = 0xffffffffffffffff\n\tsub\tx1, x1, #128 // bit_length -= 128\n\tmvn\tx13, xzr // rkN_l = 0xffffffffffffffff\n\tldp\tx4, x5, [x2] // load existing bytes we need to not overwrite\n\tneg\tx1, x1 // bit_length = 128 - #bits in input (in range [1,128])\n\tand\tx1, x1, #127 // bit_length %= 128\n\tlsr\tx14, x14, x1 // rkN_h is mask for top 64b of last block\n\tcmp\tx1, #64\n\tcsel\tx9, x13, x14, lt\n\tcsel\tx10, x14, xzr, lt\n\tfmov\td0, x9 // ctr0b is mask for last block\n\tand\tx6, x6, x9\n\tmov\tv0.d[1], x10\n\tbic\tx4, x4, x9 // mask out low existing bytes\n\trev\tw9, w12\n\tbic\tx5, x5, x10 // mask out high existing bytes\n\torr\tx6, x6, x4\n\tand\tx7, x7, x10\n\torr\tx7, x7, x5\n\tand\tv5.16b, v5.16b, v0.16b // possibly partial last block has zeroes in highest bits\n\trev64\tv4.16b, v5.16b // GHASH final block\n\teor\tv4.16b, v4.16b, v8.16b // feed in partial tag\n\tpmull\tv21.1q, v4.1d, v12.1d // GHASH final block - low\n\tmov\td8, v4.d[1] // GHASH final block - mid\n\teor\tv8.8b, v8.8b, v4.8b // GHASH final block - mid\n\tpmull2\tv20.1q, v4.2d, v12.2d // GHASH final block - high\n\tpmull\tv8.1q, v8.1d, v16.1d // GHASH final block - mid\n\teor\tv9.16b, v9.16b, v20.16b // GHASH final block - high\n\teor\tv11.16b, v11.16b, v21.16b // GHASH final block - low\n\teor\tv10.16b, v10.16b, v8.16b // GHASH final block - mid\n\tmovi\tv8.8b, #0xc2\n\teor\tv6.16b, v11.16b, v9.16b // MODULO - karatsuba tidy up\n\tshl\td8, d8, #56 // mod_constant\n\teor\tv10.16b, v10.16b, v6.16b // MODULO - karatsuba tidy up\n\tpmull\tv7.1q, v9.1d, v8.1d // MODULO - top 64b align with mid\n\text\tv9.16b, v9.16b, v9.16b, #8 // MODULO - other top alignment\n\teor\tv10.16b, v10.16b, v7.16b // MODULO - fold into mid\n\teor\tv10.16b, v10.16b, v9.16b // MODULO - fold into mid\n\tpmull\tv8.1q, v10.1d, v8.1d // MODULO - mid 64b align with low\n\text\tv10.16b, v10.16b, v10.16b, #8 // MODULO - other mid alignment\n\teor\tv11.16b, v11.16b, v8.16b // MODULO - fold into low\n\tstp\tx6, x7, [x2]\n\tstr\tw9, [x16, #12] // store the updated counter\n\teor\tv11.16b, v11.16b, v10.16b // MODULO - fold into low\n\text\tv11.16b, v11.16b, v11.16b, #8\n\trev64\tv11.16b, v11.16b\n\tmov\tx0, x15\n\tst1\t{ v11.16b }, [x3]\n\tldp\tx19, x20, [sp, #16]\n\tldp\tx21, x22, [sp, #32]\n\tldp\tx23, x24, [sp, #48]\n\tldp\td8, d9, [sp, #64]\n\tldp\td10, d11, [sp, #80]\n\tldp\td12, d13, [sp, #96]\n\tldp\td14, d15, [sp, #112]\n\tldp\tx29, x30, [sp], #128\n\tAARCH64_VALIDATE_LINK_REGISTER\n\tret\n.size\taes_gcm_dec_kernel,.-aes_gcm_dec_kernel\n#endif\n#endif // !OPENSSL_NO_ASM && defined(OPENSSL_AARCH64) && defined(__ELF__)\n#if defined(__linux__) && defined(__ELF__)\n.section .note.GNU-stack,\"\",%progbits\n#endif\n\n" }, { "path": "Sources/CNIOBoringSSL/gen/bcm/aesv8-gcm-armv8-win.S", "content": "#define BORINGSSL_PREFIX CNIOBoringSSL\n// This file is generated from a similarly-named Perl script in the BoringSSL\n// source tree. Do not edit by hand.\n\n#include \n\n#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_AARCH64) && defined(_WIN32)\n#include \n#if __ARM_MAX_ARCH__ >= 8\n\n.arch\tarmv8-a+crypto\n.text\n.globl\taes_gcm_enc_kernel\n\n.def aes_gcm_enc_kernel\n .type 32\n.endef\n.align\t4\naes_gcm_enc_kernel:\n\tAARCH64_SIGN_LINK_REGISTER\n\tstp\tx29, x30, [sp, #-128]!\n\tmov\tx29, sp\n\tstp\tx19, x20, [sp, #16]\n\tmov\tx16, x4\n\tmov\tx8, x5\n\tstp\tx21, x22, [sp, #32]\n\tstp\tx23, x24, [sp, #48]\n\tstp\td8, d9, [sp, #64]\n\tstp\td10, d11, [sp, #80]\n\tstp\td12, d13, [sp, #96]\n\tstp\td14, d15, [sp, #112]\n\tldr\tw17, [x8, #240]\n\tadd\tx19, x8, x17, lsl #4 // borrow input_l1 for last key\n\tldp\tx13, x14, [x19] // load round N keys\n\tldr\tq31, [x19, #-16] // load round N-1 keys\n\tadd\tx4, x0, x1, lsr #3 // end_input_ptr\n\tlsr\tx5, x1, #3 // byte_len\n\tmov\tx15, x5\n\tldp\tx10, x11, [x16] // ctr96_b64, ctr96_t32\n\tld1\t{ v0.16b}, [x16] // special case vector load initial counter so we can start first AES block as quickly as possible\n\tsub\tx5, x5, #1 // byte_len - 1\n\tldr\tq18, [x8, #0] // load rk0\n\tand\tx5, x5, #0xffffffffffffffc0 // number of bytes to be processed in main loop (at least 1 byte must be handled by tail)\n\tldr\tq25, [x8, #112] // load rk7\n\tadd\tx5, x5, x0\n\tlsr\tx12, x11, #32\n\tfmov\td2, x10 // CTR block 2\n\torr\tw11, w11, w11\n\trev\tw12, w12 // rev_ctr32\n\tfmov\td1, x10 // CTR block 1\n\taese\tv0.16b, v18.16b\n\taesmc\tv0.16b, v0.16b // AES block 0 - round 0\n\tadd\tw12, w12, #1 // increment rev_ctr32\n\trev\tw9, w12 // CTR block 1\n\tfmov\td3, x10 // CTR block 3\n\torr\tx9, x11, x9, lsl #32 // CTR block 1\n\tadd\tw12, w12, #1 // CTR block 1\n\tldr\tq19, [x8, #16] // load rk1\n\tfmov\tv1.d[1], x9 // CTR block 1\n\trev\tw9, w12 // CTR block 2\n\tadd\tw12, w12, #1 // CTR block 2\n\torr\tx9, x11, x9, lsl #32 // CTR block 2\n\tldr\tq20, [x8, #32] // load rk2\n\tfmov\tv2.d[1], x9 // CTR block 2\n\trev\tw9, w12 // CTR block 3\n\taese\tv0.16b, v19.16b\n\taesmc\tv0.16b, v0.16b // AES block 0 - round 1\n\torr\tx9, x11, x9, lsl #32 // CTR block 3\n\tfmov\tv3.d[1], x9 // CTR block 3\n\taese\tv1.16b, v18.16b\n\taesmc\tv1.16b, v1.16b // AES block 1 - round 0\n\tldr\tq21, [x8, #48] // load rk3\n\taese\tv0.16b, v20.16b\n\taesmc\tv0.16b, v0.16b // AES block 0 - round 2\n\tldr\tq24, [x8, #96] // load rk6\n\taese\tv2.16b, v18.16b\n\taesmc\tv2.16b, v2.16b // AES block 2 - round 0\n\tldr\tq23, [x8, #80] // load rk5\n\taese\tv1.16b, v19.16b\n\taesmc\tv1.16b, v1.16b // AES block 1 - round 1\n\tldr\tq14, [x6, #48] // load h3l | h3h\n\text\tv14.16b, v14.16b, v14.16b, #8\n\taese\tv3.16b, v18.16b\n\taesmc\tv3.16b, v3.16b // AES block 3 - round 0\n\taese\tv2.16b, v19.16b\n\taesmc\tv2.16b, v2.16b // AES block 2 - round 1\n\tldr\tq22, [x8, #64] // load rk4\n\taese\tv1.16b, v20.16b\n\taesmc\tv1.16b, v1.16b // AES block 1 - round 2\n\tldr\tq13, [x6, #32] // load h2l | h2h\n\text\tv13.16b, v13.16b, v13.16b, #8\n\taese\tv3.16b, v19.16b\n\taesmc\tv3.16b, v3.16b // AES block 3 - round 1\n\tldr\tq30, [x8, #192] // load rk12\n\taese\tv2.16b, v20.16b\n\taesmc\tv2.16b, v2.16b // AES block 2 - round 2\n\tldr\tq15, [x6, #80] // load h4l | h4h\n\text\tv15.16b, v15.16b, v15.16b, #8\n\taese\tv1.16b, v21.16b\n\taesmc\tv1.16b, v1.16b // AES block 1 - round 3\n\tldr\tq29, [x8, #176] // load rk11\n\taese\tv3.16b, v20.16b\n\taesmc\tv3.16b, v3.16b // AES block 3 - round 2\n\tldr\tq26, [x8, #128] // load rk8\n\taese\tv2.16b, v21.16b\n\taesmc\tv2.16b, v2.16b // AES block 2 - round 3\n\tadd\tw12, w12, #1 // CTR block 3\n\taese\tv0.16b, v21.16b\n\taesmc\tv0.16b, v0.16b // AES block 0 - round 3\n\taese\tv3.16b, v21.16b\n\taesmc\tv3.16b, v3.16b // AES block 3 - round 3\n\tld1\t{ v11.16b}, [x3]\n\text\tv11.16b, v11.16b, v11.16b, #8\n\trev64\tv11.16b, v11.16b\n\taese\tv2.16b, v22.16b\n\taesmc\tv2.16b, v2.16b // AES block 2 - round 4\n\taese\tv0.16b, v22.16b\n\taesmc\tv0.16b, v0.16b // AES block 0 - round 4\n\taese\tv1.16b, v22.16b\n\taesmc\tv1.16b, v1.16b // AES block 1 - round 4\n\taese\tv3.16b, v22.16b\n\taesmc\tv3.16b, v3.16b // AES block 3 - round 4\n\tcmp\tx17, #12 // setup flags for AES-128/192/256 check\n\taese\tv0.16b, v23.16b\n\taesmc\tv0.16b, v0.16b // AES block 0 - round 5\n\taese\tv1.16b, v23.16b\n\taesmc\tv1.16b, v1.16b // AES block 1 - round 5\n\taese\tv3.16b, v23.16b\n\taesmc\tv3.16b, v3.16b // AES block 3 - round 5\n\taese\tv2.16b, v23.16b\n\taesmc\tv2.16b, v2.16b // AES block 2 - round 5\n\taese\tv1.16b, v24.16b\n\taesmc\tv1.16b, v1.16b // AES block 1 - round 6\n\ttrn2\tv17.2d, v14.2d, v15.2d // h4l | h3l\n\taese\tv3.16b, v24.16b\n\taesmc\tv3.16b, v3.16b // AES block 3 - round 6\n\tldr\tq27, [x8, #144] // load rk9\n\taese\tv0.16b, v24.16b\n\taesmc\tv0.16b, v0.16b // AES block 0 - round 6\n\tldr\tq12, [x6] // load h1l | h1h\n\text\tv12.16b, v12.16b, v12.16b, #8\n\taese\tv2.16b, v24.16b\n\taesmc\tv2.16b, v2.16b // AES block 2 - round 6\n\tldr\tq28, [x8, #160] // load rk10\n\taese\tv1.16b, v25.16b\n\taesmc\tv1.16b, v1.16b // AES block 1 - round 7\n\ttrn1\tv9.2d, v14.2d, v15.2d // h4h | h3h\n\taese\tv0.16b, v25.16b\n\taesmc\tv0.16b, v0.16b // AES block 0 - round 7\n\taese\tv2.16b, v25.16b\n\taesmc\tv2.16b, v2.16b // AES block 2 - round 7\n\taese\tv3.16b, v25.16b\n\taesmc\tv3.16b, v3.16b // AES block 3 - round 7\n\ttrn2\tv16.2d, v12.2d, v13.2d // h2l | h1l\n\taese\tv1.16b, v26.16b\n\taesmc\tv1.16b, v1.16b // AES block 1 - round 8\n\taese\tv2.16b, v26.16b\n\taesmc\tv2.16b, v2.16b // AES block 2 - round 8\n\taese\tv3.16b, v26.16b\n\taesmc\tv3.16b, v3.16b // AES block 3 - round 8\n\taese\tv0.16b, v26.16b\n\taesmc\tv0.16b, v0.16b // AES block 0 - round 8\n\tb.lt\tLenc_finish_first_blocks // branch if AES-128\n\n\taese\tv1.16b, v27.16b\n\taesmc\tv1.16b, v1.16b // AES block 1 - round 9\n\taese\tv2.16b, v27.16b\n\taesmc\tv2.16b, v2.16b // AES block 2 - round 9\n\taese\tv3.16b, v27.16b\n\taesmc\tv3.16b, v3.16b // AES block 3 - round 9\n\taese\tv0.16b, v27.16b\n\taesmc\tv0.16b, v0.16b // AES block 0 - round 9\n\taese\tv1.16b, v28.16b\n\taesmc\tv1.16b, v1.16b // AES block 1 - round 10\n\taese\tv2.16b, v28.16b\n\taesmc\tv2.16b, v2.16b // AES block 2 - round 10\n\taese\tv3.16b, v28.16b\n\taesmc\tv3.16b, v3.16b // AES block 3 - round 10\n\taese\tv0.16b, v28.16b\n\taesmc\tv0.16b, v0.16b // AES block 0 - round 10\n\tb.eq\tLenc_finish_first_blocks // branch if AES-192\n\n\taese\tv1.16b, v29.16b\n\taesmc\tv1.16b, v1.16b // AES block 1 - round 11\n\taese\tv2.16b, v29.16b\n\taesmc\tv2.16b, v2.16b // AES block 2 - round 11\n\taese\tv0.16b, v29.16b\n\taesmc\tv0.16b, v0.16b // AES block 0 - round 11\n\taese\tv3.16b, v29.16b\n\taesmc\tv3.16b, v3.16b // AES block 3 - round 11\n\taese\tv1.16b, v30.16b\n\taesmc\tv1.16b, v1.16b // AES block 1 - round 12\n\taese\tv2.16b, v30.16b\n\taesmc\tv2.16b, v2.16b // AES block 2 - round 12\n\taese\tv0.16b, v30.16b\n\taesmc\tv0.16b, v0.16b // AES block 0 - round 12\n\taese\tv3.16b, v30.16b\n\taesmc\tv3.16b, v3.16b // AES block 3 - round 12\n\nLenc_finish_first_blocks:\n\tcmp\tx0, x5 // check if we have <= 4 blocks\n\teor\tv17.16b, v17.16b, v9.16b // h4k | h3k\n\taese\tv2.16b, v31.16b // AES block 2 - round N-1\n\ttrn1\tv8.2d, v12.2d, v13.2d // h2h | h1h\n\taese\tv1.16b, v31.16b // AES block 1 - round N-1\n\taese\tv0.16b, v31.16b // AES block 0 - round N-1\n\taese\tv3.16b, v31.16b // AES block 3 - round N-1\n\teor\tv16.16b, v16.16b, v8.16b // h2k | h1k\n\tb.ge\tLenc_tail // handle tail\n\n\tldp\tx19, x20, [x0, #16] // AES block 1 - load plaintext\n\trev\tw9, w12 // CTR block 4\n\tldp\tx6, x7, [x0, #0] // AES block 0 - load plaintext\n\tldp\tx23, x24, [x0, #48] // AES block 3 - load plaintext\n\tldp\tx21, x22, [x0, #32] // AES block 2 - load plaintext\n\tadd\tx0, x0, #64 // AES input_ptr update\n\teor\tx19, x19, x13 // AES block 1 - round N low\n\teor\tx20, x20, x14 // AES block 1 - round N high\n\tfmov\td5, x19 // AES block 1 - mov low\n\teor\tx6, x6, x13 // AES block 0 - round N low\n\teor\tx7, x7, x14 // AES block 0 - round N high\n\teor\tx24, x24, x14 // AES block 3 - round N high\n\tfmov\td4, x6 // AES block 0 - mov low\n\tcmp\tx0, x5 // check if we have <= 8 blocks\n\tfmov\tv4.d[1], x7 // AES block 0 - mov high\n\teor\tx23, x23, x13 // AES block 3 - round N low\n\teor\tx21, x21, x13 // AES block 2 - round N low\n\tfmov\tv5.d[1], x20 // AES block 1 - mov high\n\tfmov\td6, x21 // AES block 2 - mov low\n\tadd\tw12, w12, #1 // CTR block 4\n\torr\tx9, x11, x9, lsl #32 // CTR block 4\n\tfmov\td7, x23 // AES block 3 - mov low\n\teor\tx22, x22, x14 // AES block 2 - round N high\n\tfmov\tv6.d[1], x22 // AES block 2 - mov high\n\teor\tv4.16b, v4.16b, v0.16b // AES block 0 - result\n\tfmov\td0, x10 // CTR block 4\n\tfmov\tv0.d[1], x9 // CTR block 4\n\trev\tw9, w12 // CTR block 5\n\tadd\tw12, w12, #1 // CTR block 5\n\teor\tv5.16b, v5.16b, v1.16b // AES block 1 - result\n\tfmov\td1, x10 // CTR block 5\n\torr\tx9, x11, x9, lsl #32 // CTR block 5\n\tfmov\tv1.d[1], x9 // CTR block 5\n\trev\tw9, w12 // CTR block 6\n\tst1\t{ v4.16b}, [x2], #16 // AES block 0 - store result\n\tfmov\tv7.d[1], x24 // AES block 3 - mov high\n\torr\tx9, x11, x9, lsl #32 // CTR block 6\n\teor\tv6.16b, v6.16b, v2.16b // AES block 2 - result\n\tst1\t{ v5.16b}, [x2], #16 // AES block 1 - store result\n\tadd\tw12, w12, #1 // CTR block 6\n\tfmov\td2, x10 // CTR block 6\n\tfmov\tv2.d[1], x9 // CTR block 6\n\tst1\t{ v6.16b}, [x2], #16 // AES block 2 - store result\n\trev\tw9, w12 // CTR block 7\n\torr\tx9, x11, x9, lsl #32 // CTR block 7\n\teor\tv7.16b, v7.16b, v3.16b // AES block 3 - result\n\tst1\t{ v7.16b}, [x2], #16 // AES block 3 - store result\n\tb.ge\tLenc_prepretail // do prepretail\n\nLenc_main_loop:\t//\tmain loop start\n\taese\tv0.16b, v18.16b\n\taesmc\tv0.16b, v0.16b // AES block 4k+4 - round 0\n\trev64\tv4.16b, v4.16b // GHASH block 4k (only t0 is free)\n\taese\tv1.16b, v18.16b\n\taesmc\tv1.16b, v1.16b // AES block 4k+5 - round 0\n\tfmov\td3, x10 // CTR block 4k+3\n\taese\tv2.16b, v18.16b\n\taesmc\tv2.16b, v2.16b // AES block 4k+6 - round 0\n\text\tv11.16b, v11.16b, v11.16b, #8 // PRE 0\n\taese\tv0.16b, v19.16b\n\taesmc\tv0.16b, v0.16b // AES block 4k+4 - round 1\n\tfmov\tv3.d[1], x9 // CTR block 4k+3\n\taese\tv1.16b, v19.16b\n\taesmc\tv1.16b, v1.16b // AES block 4k+5 - round 1\n\tldp\tx23, x24, [x0, #48] // AES block 4k+7 - load plaintext\n\taese\tv2.16b, v19.16b\n\taesmc\tv2.16b, v2.16b // AES block 4k+6 - round 1\n\tldp\tx21, x22, [x0, #32] // AES block 4k+6 - load plaintext\n\taese\tv0.16b, v20.16b\n\taesmc\tv0.16b, v0.16b // AES block 4k+4 - round 2\n\teor\tv4.16b, v4.16b, v11.16b // PRE 1\n\taese\tv1.16b, v20.16b\n\taesmc\tv1.16b, v1.16b // AES block 4k+5 - round 2\n\taese\tv3.16b, v18.16b\n\taesmc\tv3.16b, v3.16b // AES block 4k+7 - round 0\n\teor\tx23, x23, x13 // AES block 4k+7 - round N low\n\taese\tv0.16b, v21.16b\n\taesmc\tv0.16b, v0.16b // AES block 4k+4 - round 3\n\tmov\td10, v17.d[1] // GHASH block 4k - mid\n\tpmull2\tv9.1q, v4.2d, v15.2d // GHASH block 4k - high\n\teor\tx22, x22, x14 // AES block 4k+6 - round N high\n\tmov\td8, v4.d[1] // GHASH block 4k - mid\n\taese\tv3.16b, v19.16b\n\taesmc\tv3.16b, v3.16b // AES block 4k+7 - round 1\n\trev64\tv5.16b, v5.16b // GHASH block 4k+1 (t0 and t1 free)\n\taese\tv0.16b, v22.16b\n\taesmc\tv0.16b, v0.16b // AES block 4k+4 - round 4\n\tpmull\tv11.1q, v4.1d, v15.1d // GHASH block 4k - low\n\teor\tv8.8b, v8.8b, v4.8b // GHASH block 4k - mid\n\taese\tv2.16b, v20.16b\n\taesmc\tv2.16b, v2.16b // AES block 4k+6 - round 2\n\taese\tv0.16b, v23.16b\n\taesmc\tv0.16b, v0.16b // AES block 4k+4 - round 5\n\trev64\tv7.16b, v7.16b // GHASH block 4k+3 (t0, t1, t2 and t3 free)\n\tpmull2\tv4.1q, v5.2d, v14.2d // GHASH block 4k+1 - high\n\tpmull\tv10.1q, v8.1d, v10.1d // GHASH block 4k - mid\n\trev64\tv6.16b, v6.16b // GHASH block 4k+2 (t0, t1, and t2 free)\n\tpmull\tv8.1q, v5.1d, v14.1d // GHASH block 4k+1 - low\n\teor\tv9.16b, v9.16b, v4.16b // GHASH block 4k+1 - high\n\tmov\td4, v5.d[1] // GHASH block 4k+1 - mid\n\taese\tv1.16b, v21.16b\n\taesmc\tv1.16b, v1.16b // AES block 4k+5 - round 3\n\taese\tv3.16b, v20.16b\n\taesmc\tv3.16b, v3.16b // AES block 4k+7 - round 2\n\teor\tv11.16b, v11.16b, v8.16b // GHASH block 4k+1 - low\n\taese\tv2.16b, v21.16b\n\taesmc\tv2.16b, v2.16b // AES block 4k+6 - round 3\n\taese\tv1.16b, v22.16b\n\taesmc\tv1.16b, v1.16b // AES block 4k+5 - round 4\n\tmov\td8, v6.d[1] // GHASH block 4k+2 - mid\n\taese\tv3.16b, v21.16b\n\taesmc\tv3.16b, v3.16b // AES block 4k+7 - round 3\n\teor\tv4.8b, v4.8b, v5.8b // GHASH block 4k+1 - mid\n\taese\tv2.16b, v22.16b\n\taesmc\tv2.16b, v2.16b // AES block 4k+6 - round 4\n\taese\tv0.16b, v24.16b\n\taesmc\tv0.16b, v0.16b // AES block 4k+4 - round 6\n\teor\tv8.8b, v8.8b, v6.8b // GHASH block 4k+2 - mid\n\taese\tv3.16b, v22.16b\n\taesmc\tv3.16b, v3.16b // AES block 4k+7 - round 4\n\tpmull\tv4.1q, v4.1d, v17.1d // GHASH block 4k+1 - mid\n\taese\tv0.16b, v25.16b\n\taesmc\tv0.16b, v0.16b // AES block 4k+4 - round 7\n\taese\tv3.16b, v23.16b\n\taesmc\tv3.16b, v3.16b // AES block 4k+7 - round 5\n\tins\tv8.d[1], v8.d[0] // GHASH block 4k+2 - mid\n\taese\tv1.16b, v23.16b\n\taesmc\tv1.16b, v1.16b // AES block 4k+5 - round 5\n\taese\tv0.16b, v26.16b\n\taesmc\tv0.16b, v0.16b // AES block 4k+4 - round 8\n\taese\tv2.16b, v23.16b\n\taesmc\tv2.16b, v2.16b // AES block 4k+6 - round 5\n\taese\tv1.16b, v24.16b\n\taesmc\tv1.16b, v1.16b // AES block 4k+5 - round 6\n\teor\tv10.16b, v10.16b, v4.16b // GHASH block 4k+1 - mid\n\tpmull2\tv4.1q, v6.2d, v13.2d // GHASH block 4k+2 - high\n\tpmull\tv5.1q, v6.1d, v13.1d // GHASH block 4k+2 - low\n\taese\tv1.16b, v25.16b\n\taesmc\tv1.16b, v1.16b // AES block 4k+5 - round 7\n\tpmull\tv6.1q, v7.1d, v12.1d // GHASH block 4k+3 - low\n\teor\tv9.16b, v9.16b, v4.16b // GHASH block 4k+2 - high\n\taese\tv3.16b, v24.16b\n\taesmc\tv3.16b, v3.16b // AES block 4k+7 - round 6\n\tldp\tx19, x20, [x0, #16] // AES block 4k+5 - load plaintext\n\taese\tv1.16b, v26.16b\n\taesmc\tv1.16b, v1.16b // AES block 4k+5 - round 8\n\tmov\td4, v7.d[1] // GHASH block 4k+3 - mid\n\taese\tv2.16b, v24.16b\n\taesmc\tv2.16b, v2.16b // AES block 4k+6 - round 6\n\teor\tv11.16b, v11.16b, v5.16b // GHASH block 4k+2 - low\n\tpmull2\tv8.1q, v8.2d, v16.2d // GHASH block 4k+2 - mid\n\tpmull2\tv5.1q, v7.2d, v12.2d // GHASH block 4k+3 - high\n\teor\tv4.8b, v4.8b, v7.8b // GHASH block 4k+3 - mid\n\taese\tv2.16b, v25.16b\n\taesmc\tv2.16b, v2.16b // AES block 4k+6 - round 7\n\teor\tx19, x19, x13 // AES block 4k+5 - round N low\n\taese\tv2.16b, v26.16b\n\taesmc\tv2.16b, v2.16b // AES block 4k+6 - round 8\n\teor\tv10.16b, v10.16b, v8.16b // GHASH block 4k+2 - mid\n\taese\tv3.16b, v25.16b\n\taesmc\tv3.16b, v3.16b // AES block 4k+7 - round 7\n\teor\tx21, x21, x13 // AES block 4k+6 - round N low\n\taese\tv3.16b, v26.16b\n\taesmc\tv3.16b, v3.16b // AES block 4k+7 - round 8\n\tmovi\tv8.8b, #0xc2\n\tpmull\tv4.1q, v4.1d, v16.1d // GHASH block 4k+3 - mid\n\teor\tv9.16b, v9.16b, v5.16b // GHASH block 4k+3 - high\n\tcmp\tx17, #12 // setup flags for AES-128/192/256 check\n\tfmov\td5, x19 // AES block 4k+5 - mov low\n\tldp\tx6, x7, [x0, #0] // AES block 4k+4 - load plaintext\n\tb.lt\tLenc_main_loop_continue // branch if AES-128\n\n\taese\tv1.16b, v27.16b\n\taesmc\tv1.16b, v1.16b // AES block 4k+5 - round 9\n\taese\tv0.16b, v27.16b\n\taesmc\tv0.16b, v0.16b // AES block 4k+4 - round 9\n\taese\tv2.16b, v27.16b\n\taesmc\tv2.16b, v2.16b // AES block 4k+6 - round 9\n\taese\tv3.16b, v27.16b\n\taesmc\tv3.16b, v3.16b // AES block 4k+7 - round 9\n\taese\tv0.16b, v28.16b\n\taesmc\tv0.16b, v0.16b // AES block 4k+4 - round 10\n\taese\tv1.16b, v28.16b\n\taesmc\tv1.16b, v1.16b // AES block 4k+5 - round 10\n\taese\tv2.16b, v28.16b\n\taesmc\tv2.16b, v2.16b // AES block 4k+6 - round 10\n\taese\tv3.16b, v28.16b\n\taesmc\tv3.16b, v3.16b // AES block 4k+7 - round 10\n\tb.eq\tLenc_main_loop_continue // branch if AES-192\n\n\taese\tv0.16b, v29.16b\n\taesmc\tv0.16b, v0.16b // AES block 4k+4 - round 11\n\taese\tv1.16b, v29.16b\n\taesmc\tv1.16b, v1.16b // AES block 4k+5 - round 11\n\taese\tv2.16b, v29.16b\n\taesmc\tv2.16b, v2.16b // AES block 4k+6 - round 11\n\taese\tv3.16b, v29.16b\n\taesmc\tv3.16b, v3.16b // AES block 4k+7 - round 11\n\taese\tv1.16b, v30.16b\n\taesmc\tv1.16b, v1.16b // AES block 4k+5 - round 12\n\taese\tv0.16b, v30.16b\n\taesmc\tv0.16b, v0.16b // AES block 4k+4 - round 12\n\taese\tv2.16b, v30.16b\n\taesmc\tv2.16b, v2.16b // AES block 4k+6 - round 12\n\taese\tv3.16b, v30.16b\n\taesmc\tv3.16b, v3.16b // AES block 4k+7 - round 12\n\nLenc_main_loop_continue:\n\tshl\td8, d8, #56 // mod_constant\n\teor\tv11.16b, v11.16b, v6.16b // GHASH block 4k+3 - low\n\teor\tv10.16b, v10.16b, v4.16b // GHASH block 4k+3 - mid\n\tadd\tw12, w12, #1 // CTR block 4k+3\n\teor\tv4.16b, v11.16b, v9.16b // MODULO - karatsuba tidy up\n\tadd\tx0, x0, #64 // AES input_ptr update\n\tpmull\tv7.1q, v9.1d, v8.1d // MODULO - top 64b align with mid\n\trev\tw9, w12 // CTR block 4k+8\n\text\tv9.16b, v9.16b, v9.16b, #8 // MODULO - other top alignment\n\teor\tx6, x6, x13 // AES block 4k+4 - round N low\n\teor\tv10.16b, v10.16b, v4.16b // MODULO - karatsuba tidy up\n\teor\tx7, x7, x14 // AES block 4k+4 - round N high\n\tfmov\td4, x6 // AES block 4k+4 - mov low\n\torr\tx9, x11, x9, lsl #32 // CTR block 4k+8\n\teor\tv7.16b, v9.16b, v7.16b // MODULO - fold into mid\n\teor\tx20, x20, x14 // AES block 4k+5 - round N high\n\teor\tx24, x24, x14 // AES block 4k+7 - round N high\n\tadd\tw12, w12, #1 // CTR block 4k+8\n\taese\tv0.16b, v31.16b // AES block 4k+4 - round N-1\n\tfmov\tv4.d[1], x7 // AES block 4k+4 - mov high\n\teor\tv10.16b, v10.16b, v7.16b // MODULO - fold into mid\n\tfmov\td7, x23 // AES block 4k+7 - mov low\n\taese\tv1.16b, v31.16b // AES block 4k+5 - round N-1\n\tfmov\tv5.d[1], x20 // AES block 4k+5 - mov high\n\tfmov\td6, x21 // AES block 4k+6 - mov low\n\tcmp\tx0, x5 // LOOP CONTROL\n\tfmov\tv6.d[1], x22 // AES block 4k+6 - mov high\n\tpmull\tv9.1q, v10.1d, v8.1d // MODULO - mid 64b align with low\n\teor\tv4.16b, v4.16b, v0.16b // AES block 4k+4 - result\n\tfmov\td0, x10 // CTR block 4k+8\n\tfmov\tv0.d[1], x9 // CTR block 4k+8\n\trev\tw9, w12 // CTR block 4k+9\n\tadd\tw12, w12, #1 // CTR block 4k+9\n\teor\tv5.16b, v5.16b, v1.16b // AES block 4k+5 - result\n\tfmov\td1, x10 // CTR block 4k+9\n\torr\tx9, x11, x9, lsl #32 // CTR block 4k+9\n\tfmov\tv1.d[1], x9 // CTR block 4k+9\n\taese\tv2.16b, v31.16b // AES block 4k+6 - round N-1\n\trev\tw9, w12 // CTR block 4k+10\n\tst1\t{ v4.16b}, [x2], #16 // AES block 4k+4 - store result\n\torr\tx9, x11, x9, lsl #32 // CTR block 4k+10\n\teor\tv11.16b, v11.16b, v9.16b // MODULO - fold into low\n\tfmov\tv7.d[1], x24 // AES block 4k+7 - mov high\n\text\tv10.16b, v10.16b, v10.16b, #8 // MODULO - other mid alignment\n\tst1\t{ v5.16b}, [x2], #16 // AES block 4k+5 - store result\n\tadd\tw12, w12, #1 // CTR block 4k+10\n\taese\tv3.16b, v31.16b // AES block 4k+7 - round N-1\n\teor\tv6.16b, v6.16b, v2.16b // AES block 4k+6 - result\n\tfmov\td2, x10 // CTR block 4k+10\n\tst1\t{ v6.16b}, [x2], #16 // AES block 4k+6 - store result\n\tfmov\tv2.d[1], x9 // CTR block 4k+10\n\trev\tw9, w12 // CTR block 4k+11\n\teor\tv11.16b, v11.16b, v10.16b // MODULO - fold into low\n\torr\tx9, x11, x9, lsl #32 // CTR block 4k+11\n\teor\tv7.16b, v7.16b, v3.16b // AES block 4k+7 - result\n\tst1\t{ v7.16b}, [x2], #16 // AES block 4k+7 - store result\n\tb.lt\tLenc_main_loop\n\nLenc_prepretail:\t//\tPREPRETAIL\n\taese\tv1.16b, v18.16b\n\taesmc\tv1.16b, v1.16b // AES block 4k+5 - round 0\n\trev64\tv6.16b, v6.16b // GHASH block 4k+2 (t0, t1, and t2 free)\n\taese\tv2.16b, v18.16b\n\taesmc\tv2.16b, v2.16b // AES block 4k+6 - round 0\n\tfmov\td3, x10 // CTR block 4k+3\n\taese\tv0.16b, v18.16b\n\taesmc\tv0.16b, v0.16b // AES block 4k+4 - round 0\n\trev64\tv4.16b, v4.16b // GHASH block 4k (only t0 is free)\n\tfmov\tv3.d[1], x9 // CTR block 4k+3\n\text\tv11.16b, v11.16b, v11.16b, #8 // PRE 0\n\taese\tv2.16b, v19.16b\n\taesmc\tv2.16b, v2.16b // AES block 4k+6 - round 1\n\taese\tv0.16b, v19.16b\n\taesmc\tv0.16b, v0.16b // AES block 4k+4 - round 1\n\teor\tv4.16b, v4.16b, v11.16b // PRE 1\n\trev64\tv5.16b, v5.16b // GHASH block 4k+1 (t0 and t1 free)\n\taese\tv2.16b, v20.16b\n\taesmc\tv2.16b, v2.16b // AES block 4k+6 - round 2\n\taese\tv3.16b, v18.16b\n\taesmc\tv3.16b, v3.16b // AES block 4k+7 - round 0\n\tmov\td10, v17.d[1] // GHASH block 4k - mid\n\taese\tv1.16b, v19.16b\n\taesmc\tv1.16b, v1.16b // AES block 4k+5 - round 1\n\tpmull\tv11.1q, v4.1d, v15.1d // GHASH block 4k - low\n\tmov\td8, v4.d[1] // GHASH block 4k - mid\n\tpmull2\tv9.1q, v4.2d, v15.2d // GHASH block 4k - high\n\taese\tv2.16b, v21.16b\n\taesmc\tv2.16b, v2.16b // AES block 4k+6 - round 3\n\taese\tv1.16b, v20.16b\n\taesmc\tv1.16b, v1.16b // AES block 4k+5 - round 2\n\teor\tv8.8b, v8.8b, v4.8b // GHASH block 4k - mid\n\taese\tv0.16b, v20.16b\n\taesmc\tv0.16b, v0.16b // AES block 4k+4 - round 2\n\taese\tv3.16b, v19.16b\n\taesmc\tv3.16b, v3.16b // AES block 4k+7 - round 1\n\taese\tv1.16b, v21.16b\n\taesmc\tv1.16b, v1.16b // AES block 4k+5 - round 3\n\tpmull\tv10.1q, v8.1d, v10.1d // GHASH block 4k - mid\n\tpmull2\tv4.1q, v5.2d, v14.2d // GHASH block 4k+1 - high\n\tpmull\tv8.1q, v5.1d, v14.1d // GHASH block 4k+1 - low\n\taese\tv3.16b, v20.16b\n\taesmc\tv3.16b, v3.16b // AES block 4k+7 - round 2\n\teor\tv9.16b, v9.16b, v4.16b // GHASH block 4k+1 - high\n\tmov\td4, v5.d[1] // GHASH block 4k+1 - mid\n\taese\tv0.16b, v21.16b\n\taesmc\tv0.16b, v0.16b // AES block 4k+4 - round 3\n\teor\tv11.16b, v11.16b, v8.16b // GHASH block 4k+1 - low\n\taese\tv3.16b, v21.16b\n\taesmc\tv3.16b, v3.16b // AES block 4k+7 - round 3\n\teor\tv4.8b, v4.8b, v5.8b // GHASH block 4k+1 - mid\n\tmov\td8, v6.d[1] // GHASH block 4k+2 - mid\n\taese\tv0.16b, v22.16b\n\taesmc\tv0.16b, v0.16b // AES block 4k+4 - round 4\n\trev64\tv7.16b, v7.16b // GHASH block 4k+3 (t0, t1, t2 and t3 free)\n\taese\tv3.16b, v22.16b\n\taesmc\tv3.16b, v3.16b // AES block 4k+7 - round 4\n\tpmull\tv4.1q, v4.1d, v17.1d // GHASH block 4k+1 - mid\n\teor\tv8.8b, v8.8b, v6.8b // GHASH block 4k+2 - mid\n\tadd\tw12, w12, #1 // CTR block 4k+3\n\tpmull\tv5.1q, v6.1d, v13.1d // GHASH block 4k+2 - low\n\taese\tv3.16b, v23.16b\n\taesmc\tv3.16b, v3.16b // AES block 4k+7 - round 5\n\taese\tv2.16b, v22.16b\n\taesmc\tv2.16b, v2.16b // AES block 4k+6 - round 4\n\teor\tv10.16b, v10.16b, v4.16b // GHASH block 4k+1 - mid\n\tpmull2\tv4.1q, v6.2d, v13.2d // GHASH block 4k+2 - high\n\teor\tv11.16b, v11.16b, v5.16b // GHASH block 4k+2 - low\n\tins\tv8.d[1], v8.d[0] // GHASH block 4k+2 - mid\n\taese\tv2.16b, v23.16b\n\taesmc\tv2.16b, v2.16b // AES block 4k+6 - round 5\n\teor\tv9.16b, v9.16b, v4.16b // GHASH block 4k+2 - high\n\tmov\td4, v7.d[1] // GHASH block 4k+3 - mid\n\taese\tv1.16b, v22.16b\n\taesmc\tv1.16b, v1.16b // AES block 4k+5 - round 4\n\tpmull2\tv8.1q, v8.2d, v16.2d // GHASH block 4k+2 - mid\n\teor\tv4.8b, v4.8b, v7.8b // GHASH block 4k+3 - mid\n\tpmull2\tv5.1q, v7.2d, v12.2d // GHASH block 4k+3 - high\n\taese\tv1.16b, v23.16b\n\taesmc\tv1.16b, v1.16b // AES block 4k+5 - round 5\n\tpmull\tv4.1q, v4.1d, v16.1d // GHASH block 4k+3 - mid\n\teor\tv10.16b, v10.16b, v8.16b // GHASH block 4k+2 - mid\n\taese\tv0.16b, v23.16b\n\taesmc\tv0.16b, v0.16b // AES block 4k+4 - round 5\n\taese\tv1.16b, v24.16b\n\taesmc\tv1.16b, v1.16b // AES block 4k+5 - round 6\n\taese\tv2.16b, v24.16b\n\taesmc\tv2.16b, v2.16b // AES block 4k+6 - round 6\n\taese\tv0.16b, v24.16b\n\taesmc\tv0.16b, v0.16b // AES block 4k+4 - round 6\n\tmovi\tv8.8b, #0xc2\n\taese\tv3.16b, v24.16b\n\taesmc\tv3.16b, v3.16b // AES block 4k+7 - round 6\n\taese\tv1.16b, v25.16b\n\taesmc\tv1.16b, v1.16b // AES block 4k+5 - round 7\n\teor\tv9.16b, v9.16b, v5.16b // GHASH block 4k+3 - high\n\taese\tv0.16b, v25.16b\n\taesmc\tv0.16b, v0.16b // AES block 4k+4 - round 7\n\taese\tv3.16b, v25.16b\n\taesmc\tv3.16b, v3.16b // AES block 4k+7 - round 7\n\tshl\td8, d8, #56 // mod_constant\n\taese\tv1.16b, v26.16b\n\taesmc\tv1.16b, v1.16b // AES block 4k+5 - round 8\n\teor\tv10.16b, v10.16b, v4.16b // GHASH block 4k+3 - mid\n\tpmull\tv6.1q, v7.1d, v12.1d // GHASH block 4k+3 - low\n\taese\tv3.16b, v26.16b\n\taesmc\tv3.16b, v3.16b // AES block 4k+7 - round 8\n\tcmp\tx17, #12 // setup flags for AES-128/192/256 check\n\taese\tv0.16b, v26.16b\n\taesmc\tv0.16b, v0.16b // AES block 4k+4 - round 8\n\teor\tv11.16b, v11.16b, v6.16b // GHASH block 4k+3 - low\n\taese\tv2.16b, v25.16b\n\taesmc\tv2.16b, v2.16b // AES block 4k+6 - round 7\n\teor\tv10.16b, v10.16b, v9.16b // karatsuba tidy up\n\taese\tv2.16b, v26.16b\n\taesmc\tv2.16b, v2.16b // AES block 4k+6 - round 8\n\tpmull\tv4.1q, v9.1d, v8.1d\n\text\tv9.16b, v9.16b, v9.16b, #8\n\teor\tv10.16b, v10.16b, v11.16b\n\tb.lt\tLenc_finish_prepretail // branch if AES-128\n\n\taese\tv1.16b, v27.16b\n\taesmc\tv1.16b, v1.16b // AES block 4k+5 - round 9\n\taese\tv3.16b, v27.16b\n\taesmc\tv3.16b, v3.16b // AES block 4k+7 - round 9\n\taese\tv0.16b, v27.16b\n\taesmc\tv0.16b, v0.16b // AES block 4k+4 - round 9\n\taese\tv2.16b, v27.16b\n\taesmc\tv2.16b, v2.16b // AES block 4k+6 - round 9\n\taese\tv3.16b, v28.16b\n\taesmc\tv3.16b, v3.16b // AES block 4k+7 - round 10\n\taese\tv1.16b, v28.16b\n\taesmc\tv1.16b, v1.16b // AES block 4k+5 - round 10\n\taese\tv0.16b, v28.16b\n\taesmc\tv0.16b, v0.16b // AES block 4k+4 - round 10\n\taese\tv2.16b, v28.16b\n\taesmc\tv2.16b, v2.16b // AES block 4k+6 - round 10\n\tb.eq\tLenc_finish_prepretail // branch if AES-192\n\n\taese\tv1.16b, v29.16b\n\taesmc\tv1.16b, v1.16b // AES block 4k+5 - round 11\n\taese\tv0.16b, v29.16b\n\taesmc\tv0.16b, v0.16b // AES block 4k+4 - round 11\n\taese\tv3.16b, v29.16b\n\taesmc\tv3.16b, v3.16b // AES block 4k+7 - round 11\n\taese\tv2.16b, v29.16b\n\taesmc\tv2.16b, v2.16b // AES block 4k+6 - round 11\n\taese\tv1.16b, v30.16b\n\taesmc\tv1.16b, v1.16b // AES block 4k+5 - round 12\n\taese\tv0.16b, v30.16b\n\taesmc\tv0.16b, v0.16b // AES block 4k+4 - round 12\n\taese\tv3.16b, v30.16b\n\taesmc\tv3.16b, v3.16b // AES block 4k+7 - round 12\n\taese\tv2.16b, v30.16b\n\taesmc\tv2.16b, v2.16b // AES block 4k+6 - round 12\n\nLenc_finish_prepretail:\n\teor\tv10.16b, v10.16b, v4.16b\n\teor\tv10.16b, v10.16b, v9.16b\n\tpmull\tv4.1q, v10.1d, v8.1d\n\text\tv10.16b, v10.16b, v10.16b, #8\n\taese\tv1.16b, v31.16b // AES block 4k+5 - round N-1\n\teor\tv11.16b, v11.16b, v4.16b\n\taese\tv3.16b, v31.16b // AES block 4k+7 - round N-1\n\taese\tv0.16b, v31.16b // AES block 4k+4 - round N-1\n\taese\tv2.16b, v31.16b // AES block 4k+6 - round N-1\n\teor\tv11.16b, v11.16b, v10.16b\n\nLenc_tail:\t//\tTAIL\n\text\tv8.16b, v11.16b, v11.16b, #8 // prepare final partial tag\n\tsub\tx5, x4, x0 // main_end_input_ptr is number of bytes left to process\n\tldp\tx6, x7, [x0], #16 // AES block 4k+4 - load plaintext\n\teor\tx6, x6, x13 // AES block 4k+4 - round N low\n\teor\tx7, x7, x14 // AES block 4k+4 - round N high\n\tcmp\tx5, #48\n\tfmov\td4, x6 // AES block 4k+4 - mov low\n\tfmov\tv4.d[1], x7 // AES block 4k+4 - mov high\n\teor\tv5.16b, v4.16b, v0.16b // AES block 4k+4 - result\n\tb.gt\tLenc_blocks_more_than_3\n\tcmp\tx5, #32\n\tmov\tv3.16b, v2.16b\n\tmovi\tv11.8b, #0\n\tmovi\tv9.8b, #0\n\tsub\tw12, w12, #1\n\tmov\tv2.16b, v1.16b\n\tmovi\tv10.8b, #0\n\tb.gt\tLenc_blocks_more_than_2\n\tmov\tv3.16b, v1.16b\n\tsub\tw12, w12, #1\n\tcmp\tx5, #16\n\tb.gt\tLenc_blocks_more_than_1\n\tsub\tw12, w12, #1\n\tb\tLenc_blocks_less_than_1\nLenc_blocks_more_than_3:\t//\tblocks left > 3\n\tst1\t{ v5.16b}, [x2], #16 // AES final-3 block - store result\n\tldp\tx6, x7, [x0], #16 // AES final-2 block - load input low & high\n\trev64\tv4.16b, v5.16b // GHASH final-3 block\n\teor\tx6, x6, x13 // AES final-2 block - round N low\n\teor\tv4.16b, v4.16b, v8.16b // feed in partial tag\n\teor\tx7, x7, x14 // AES final-2 block - round N high\n\tmov\td22, v4.d[1] // GHASH final-3 block - mid\n\tfmov\td5, x6 // AES final-2 block - mov low\n\tfmov\tv5.d[1], x7 // AES final-2 block - mov high\n\teor\tv22.8b, v22.8b, v4.8b // GHASH final-3 block - mid\n\tmovi\tv8.8b, #0 // suppress further partial tag feed in\n\tmov\td10, v17.d[1] // GHASH final-3 block - mid\n\tpmull\tv11.1q, v4.1d, v15.1d // GHASH final-3 block - low\n\tpmull2\tv9.1q, v4.2d, v15.2d // GHASH final-3 block - high\n\tpmull\tv10.1q, v22.1d, v10.1d // GHASH final-3 block - mid\n\teor\tv5.16b, v5.16b, v1.16b // AES final-2 block - result\nLenc_blocks_more_than_2:\t//\tblocks left > 2\n\tst1\t{ v5.16b}, [x2], #16 // AES final-2 block - store result\n\tldp\tx6, x7, [x0], #16 // AES final-1 block - load input low & high\n\trev64\tv4.16b, v5.16b // GHASH final-2 block\n\teor\tx6, x6, x13 // AES final-1 block - round N low\n\teor\tv4.16b, v4.16b, v8.16b // feed in partial tag\n\tfmov\td5, x6 // AES final-1 block - mov low\n\teor\tx7, x7, x14 // AES final-1 block - round N high\n\tfmov\tv5.d[1], x7 // AES final-1 block - mov high\n\tmovi\tv8.8b, #0 // suppress further partial tag feed in\n\tpmull2\tv20.1q, v4.2d, v14.2d // GHASH final-2 block - high\n\tmov\td22, v4.d[1] // GHASH final-2 block - mid\n\tpmull\tv21.1q, v4.1d, v14.1d // GHASH final-2 block - low\n\teor\tv22.8b, v22.8b, v4.8b // GHASH final-2 block - mid\n\teor\tv5.16b, v5.16b, v2.16b // AES final-1 block - result\n\teor\tv9.16b, v9.16b, v20.16b // GHASH final-2 block - high\n\tpmull\tv22.1q, v22.1d, v17.1d // GHASH final-2 block - mid\n\teor\tv11.16b, v11.16b, v21.16b // GHASH final-2 block - low\n\teor\tv10.16b, v10.16b, v22.16b // GHASH final-2 block - mid\nLenc_blocks_more_than_1:\t//\tblocks left > 1\n\tst1\t{ v5.16b}, [x2], #16 // AES final-1 block - store result\n\trev64\tv4.16b, v5.16b // GHASH final-1 block\n\tldp\tx6, x7, [x0], #16 // AES final block - load input low & high\n\teor\tv4.16b, v4.16b, v8.16b // feed in partial tag\n\tmovi\tv8.8b, #0 // suppress further partial tag feed in\n\teor\tx6, x6, x13 // AES final block - round N low\n\tmov\td22, v4.d[1] // GHASH final-1 block - mid\n\tpmull2\tv20.1q, v4.2d, v13.2d // GHASH final-1 block - high\n\teor\tx7, x7, x14 // AES final block - round N high\n\teor\tv22.8b, v22.8b, v4.8b // GHASH final-1 block - mid\n\teor\tv9.16b, v9.16b, v20.16b // GHASH final-1 block - high\n\tins\tv22.d[1], v22.d[0] // GHASH final-1 block - mid\n\tfmov\td5, x6 // AES final block - mov low\n\tfmov\tv5.d[1], x7 // AES final block - mov high\n\tpmull2\tv22.1q, v22.2d, v16.2d // GHASH final-1 block - mid\n\tpmull\tv21.1q, v4.1d, v13.1d // GHASH final-1 block - low\n\teor\tv5.16b, v5.16b, v3.16b // AES final block - result\n\teor\tv10.16b, v10.16b, v22.16b // GHASH final-1 block - mid\n\teor\tv11.16b, v11.16b, v21.16b // GHASH final-1 block - low\nLenc_blocks_less_than_1:\t//\tblocks left <= 1\n\tand\tx1, x1, #127 // bit_length %= 128\n\tmvn\tx13, xzr // rkN_l = 0xffffffffffffffff\n\tsub\tx1, x1, #128 // bit_length -= 128\n\tneg\tx1, x1 // bit_length = 128 - #bits in input (in range [1,128])\n\tld1\t{ v18.16b}, [x2] // load existing bytes where the possibly partial last block is to be stored\n\tmvn\tx14, xzr // rkN_h = 0xffffffffffffffff\n\tand\tx1, x1, #127 // bit_length %= 128\n\tlsr\tx14, x14, x1 // rkN_h is mask for top 64b of last block\n\tcmp\tx1, #64\n\tcsel\tx6, x13, x14, lt\n\tcsel\tx7, x14, xzr, lt\n\tfmov\td0, x6 // ctr0b is mask for last block\n\tfmov\tv0.d[1], x7\n\tand\tv5.16b, v5.16b, v0.16b // possibly partial last block has zeroes in highest bits\n\trev64\tv4.16b, v5.16b // GHASH final block\n\teor\tv4.16b, v4.16b, v8.16b // feed in partial tag\n\tbif\tv5.16b, v18.16b, v0.16b // insert existing bytes in top end of result before storing\n\tpmull2\tv20.1q, v4.2d, v12.2d // GHASH final block - high\n\tmov\td8, v4.d[1] // GHASH final block - mid\n\trev\tw9, w12\n\tpmull\tv21.1q, v4.1d, v12.1d // GHASH final block - low\n\teor\tv9.16b, v9.16b, v20.16b // GHASH final block - high\n\teor\tv8.8b, v8.8b, v4.8b // GHASH final block - mid\n\tpmull\tv8.1q, v8.1d, v16.1d // GHASH final block - mid\n\teor\tv11.16b, v11.16b, v21.16b // GHASH final block - low\n\teor\tv10.16b, v10.16b, v8.16b // GHASH final block - mid\n\tmovi\tv8.8b, #0xc2\n\teor\tv4.16b, v11.16b, v9.16b // MODULO - karatsuba tidy up\n\tshl\td8, d8, #56 // mod_constant\n\teor\tv10.16b, v10.16b, v4.16b // MODULO - karatsuba tidy up\n\tpmull\tv7.1q, v9.1d, v8.1d // MODULO - top 64b align with mid\n\text\tv9.16b, v9.16b, v9.16b, #8 // MODULO - other top alignment\n\teor\tv10.16b, v10.16b, v7.16b // MODULO - fold into mid\n\teor\tv10.16b, v10.16b, v9.16b // MODULO - fold into mid\n\tpmull\tv9.1q, v10.1d, v8.1d // MODULO - mid 64b align with low\n\text\tv10.16b, v10.16b, v10.16b, #8 // MODULO - other mid alignment\n\tstr\tw9, [x16, #12] // store the updated counter\n\tst1\t{ v5.16b}, [x2] // store all 16B\n\teor\tv11.16b, v11.16b, v9.16b // MODULO - fold into low\n\teor\tv11.16b, v11.16b, v10.16b // MODULO - fold into low\n\text\tv11.16b, v11.16b, v11.16b, #8\n\trev64\tv11.16b, v11.16b\n\tmov\tx0, x15\n\tst1\t{ v11.16b }, [x3]\n\tldp\tx19, x20, [sp, #16]\n\tldp\tx21, x22, [sp, #32]\n\tldp\tx23, x24, [sp, #48]\n\tldp\td8, d9, [sp, #64]\n\tldp\td10, d11, [sp, #80]\n\tldp\td12, d13, [sp, #96]\n\tldp\td14, d15, [sp, #112]\n\tldp\tx29, x30, [sp], #128\n\tAARCH64_VALIDATE_LINK_REGISTER\n\tret\n\n.globl\taes_gcm_dec_kernel\n\n.def aes_gcm_dec_kernel\n .type 32\n.endef\n.align\t4\naes_gcm_dec_kernel:\n\tAARCH64_SIGN_LINK_REGISTER\n\tstp\tx29, x30, [sp, #-128]!\n\tmov\tx29, sp\n\tstp\tx19, x20, [sp, #16]\n\tmov\tx16, x4\n\tmov\tx8, x5\n\tstp\tx21, x22, [sp, #32]\n\tstp\tx23, x24, [sp, #48]\n\tstp\td8, d9, [sp, #64]\n\tstp\td10, d11, [sp, #80]\n\tstp\td12, d13, [sp, #96]\n\tstp\td14, d15, [sp, #112]\n\tldr\tw17, [x8, #240]\n\tadd\tx19, x8, x17, lsl #4 // borrow input_l1 for last key\n\tldp\tx13, x14, [x19] // load round N keys\n\tldr\tq31, [x19, #-16] // load round N-1 keys\n\tlsr\tx5, x1, #3 // byte_len\n\tmov\tx15, x5\n\tldp\tx10, x11, [x16] // ctr96_b64, ctr96_t32\n\tldr\tq26, [x8, #128] // load rk8\n\tsub\tx5, x5, #1 // byte_len - 1\n\tldr\tq25, [x8, #112] // load rk7\n\tand\tx5, x5, #0xffffffffffffffc0 // number of bytes to be processed in main loop (at least 1 byte must be handled by tail)\n\tadd\tx4, x0, x1, lsr #3 // end_input_ptr\n\tldr\tq24, [x8, #96] // load rk6\n\tlsr\tx12, x11, #32\n\tldr\tq23, [x8, #80] // load rk5\n\torr\tw11, w11, w11\n\tldr\tq21, [x8, #48] // load rk3\n\tadd\tx5, x5, x0\n\trev\tw12, w12 // rev_ctr32\n\tadd\tw12, w12, #1 // increment rev_ctr32\n\tfmov\td3, x10 // CTR block 3\n\trev\tw9, w12 // CTR block 1\n\tadd\tw12, w12, #1 // CTR block 1\n\tfmov\td1, x10 // CTR block 1\n\torr\tx9, x11, x9, lsl #32 // CTR block 1\n\tld1\t{ v0.16b}, [x16] // special case vector load initial counter so we can start first AES block as quickly as possible\n\tfmov\tv1.d[1], x9 // CTR block 1\n\trev\tw9, w12 // CTR block 2\n\tadd\tw12, w12, #1 // CTR block 2\n\tfmov\td2, x10 // CTR block 2\n\torr\tx9, x11, x9, lsl #32 // CTR block 2\n\tfmov\tv2.d[1], x9 // CTR block 2\n\trev\tw9, w12 // CTR block 3\n\torr\tx9, x11, x9, lsl #32 // CTR block 3\n\tldr\tq18, [x8, #0] // load rk0\n\tfmov\tv3.d[1], x9 // CTR block 3\n\tadd\tw12, w12, #1 // CTR block 3\n\tldr\tq22, [x8, #64] // load rk4\n\tldr\tq19, [x8, #16] // load rk1\n\taese\tv0.16b, v18.16b\n\taesmc\tv0.16b, v0.16b // AES block 0 - round 0\n\tldr\tq14, [x6, #48] // load h3l | h3h\n\text\tv14.16b, v14.16b, v14.16b, #8\n\taese\tv3.16b, v18.16b\n\taesmc\tv3.16b, v3.16b // AES block 3 - round 0\n\tldr\tq15, [x6, #80] // load h4l | h4h\n\text\tv15.16b, v15.16b, v15.16b, #8\n\taese\tv1.16b, v18.16b\n\taesmc\tv1.16b, v1.16b // AES block 1 - round 0\n\tldr\tq13, [x6, #32] // load h2l | h2h\n\text\tv13.16b, v13.16b, v13.16b, #8\n\taese\tv2.16b, v18.16b\n\taesmc\tv2.16b, v2.16b // AES block 2 - round 0\n\tldr\tq20, [x8, #32] // load rk2\n\taese\tv0.16b, v19.16b\n\taesmc\tv0.16b, v0.16b // AES block 0 - round 1\n\taese\tv1.16b, v19.16b\n\taesmc\tv1.16b, v1.16b // AES block 1 - round 1\n\tld1\t{ v11.16b}, [x3]\n\text\tv11.16b, v11.16b, v11.16b, #8\n\trev64\tv11.16b, v11.16b\n\taese\tv2.16b, v19.16b\n\taesmc\tv2.16b, v2.16b // AES block 2 - round 1\n\tldr\tq27, [x8, #144] // load rk9\n\taese\tv3.16b, v19.16b\n\taesmc\tv3.16b, v3.16b // AES block 3 - round 1\n\tldr\tq30, [x8, #192] // load rk12\n\taese\tv0.16b, v20.16b\n\taesmc\tv0.16b, v0.16b // AES block 0 - round 2\n\tldr\tq12, [x6] // load h1l | h1h\n\text\tv12.16b, v12.16b, v12.16b, #8\n\taese\tv2.16b, v20.16b\n\taesmc\tv2.16b, v2.16b // AES block 2 - round 2\n\tldr\tq28, [x8, #160] // load rk10\n\taese\tv3.16b, v20.16b\n\taesmc\tv3.16b, v3.16b // AES block 3 - round 2\n\taese\tv0.16b, v21.16b\n\taesmc\tv0.16b, v0.16b // AES block 0 - round 3\n\taese\tv1.16b, v20.16b\n\taesmc\tv1.16b, v1.16b // AES block 1 - round 2\n\taese\tv3.16b, v21.16b\n\taesmc\tv3.16b, v3.16b // AES block 3 - round 3\n\taese\tv0.16b, v22.16b\n\taesmc\tv0.16b, v0.16b // AES block 0 - round 4\n\taese\tv2.16b, v21.16b\n\taesmc\tv2.16b, v2.16b // AES block 2 - round 3\n\taese\tv1.16b, v21.16b\n\taesmc\tv1.16b, v1.16b // AES block 1 - round 3\n\taese\tv3.16b, v22.16b\n\taesmc\tv3.16b, v3.16b // AES block 3 - round 4\n\taese\tv2.16b, v22.16b\n\taesmc\tv2.16b, v2.16b // AES block 2 - round 4\n\taese\tv1.16b, v22.16b\n\taesmc\tv1.16b, v1.16b // AES block 1 - round 4\n\taese\tv3.16b, v23.16b\n\taesmc\tv3.16b, v3.16b // AES block 3 - round 5\n\taese\tv0.16b, v23.16b\n\taesmc\tv0.16b, v0.16b // AES block 0 - round 5\n\taese\tv1.16b, v23.16b\n\taesmc\tv1.16b, v1.16b // AES block 1 - round 5\n\taese\tv2.16b, v23.16b\n\taesmc\tv2.16b, v2.16b // AES block 2 - round 5\n\taese\tv0.16b, v24.16b\n\taesmc\tv0.16b, v0.16b // AES block 0 - round 6\n\taese\tv3.16b, v24.16b\n\taesmc\tv3.16b, v3.16b // AES block 3 - round 6\n\tcmp\tx17, #12 // setup flags for AES-128/192/256 check\n\taese\tv1.16b, v24.16b\n\taesmc\tv1.16b, v1.16b // AES block 1 - round 6\n\taese\tv2.16b, v24.16b\n\taesmc\tv2.16b, v2.16b // AES block 2 - round 6\n\taese\tv0.16b, v25.16b\n\taesmc\tv0.16b, v0.16b // AES block 0 - round 7\n\taese\tv1.16b, v25.16b\n\taesmc\tv1.16b, v1.16b // AES block 1 - round 7\n\taese\tv3.16b, v25.16b\n\taesmc\tv3.16b, v3.16b // AES block 3 - round 7\n\taese\tv0.16b, v26.16b\n\taesmc\tv0.16b, v0.16b // AES block 0 - round 8\n\taese\tv2.16b, v25.16b\n\taesmc\tv2.16b, v2.16b // AES block 2 - round 7\n\taese\tv3.16b, v26.16b\n\taesmc\tv3.16b, v3.16b // AES block 3 - round 8\n\taese\tv1.16b, v26.16b\n\taesmc\tv1.16b, v1.16b // AES block 1 - round 8\n\tldr\tq29, [x8, #176] // load rk11\n\taese\tv2.16b, v26.16b\n\taesmc\tv2.16b, v2.16b // AES block 2 - round 8\n\tb.lt\tLdec_finish_first_blocks // branch if AES-128\n\n\taese\tv0.16b, v27.16b\n\taesmc\tv0.16b, v0.16b // AES block 0 - round 9\n\taese\tv1.16b, v27.16b\n\taesmc\tv1.16b, v1.16b // AES block 1 - round 9\n\taese\tv3.16b, v27.16b\n\taesmc\tv3.16b, v3.16b // AES block 3 - round 9\n\taese\tv2.16b, v27.16b\n\taesmc\tv2.16b, v2.16b // AES block 2 - round 9\n\taese\tv0.16b, v28.16b\n\taesmc\tv0.16b, v0.16b // AES block 0 - round 10\n\taese\tv1.16b, v28.16b\n\taesmc\tv1.16b, v1.16b // AES block 1 - round 10\n\taese\tv3.16b, v28.16b\n\taesmc\tv3.16b, v3.16b // AES block 3 - round 10\n\taese\tv2.16b, v28.16b\n\taesmc\tv2.16b, v2.16b // AES block 2 - round 10\n\tb.eq\tLdec_finish_first_blocks // branch if AES-192\n\n\taese\tv0.16b, v29.16b\n\taesmc\tv0.16b, v0.16b // AES block 0 - round 11\n\taese\tv3.16b, v29.16b\n\taesmc\tv3.16b, v3.16b // AES block 3 - round 11\n\taese\tv1.16b, v29.16b\n\taesmc\tv1.16b, v1.16b // AES block 1 - round 11\n\taese\tv2.16b, v29.16b\n\taesmc\tv2.16b, v2.16b // AES block 2 - round 11\n\taese\tv1.16b, v30.16b\n\taesmc\tv1.16b, v1.16b // AES block 1 - round 12\n\taese\tv0.16b, v30.16b\n\taesmc\tv0.16b, v0.16b // AES block 0 - round 12\n\taese\tv2.16b, v30.16b\n\taesmc\tv2.16b, v2.16b // AES block 2 - round 12\n\taese\tv3.16b, v30.16b\n\taesmc\tv3.16b, v3.16b // AES block 3 - round 12\n\nLdec_finish_first_blocks:\n\tcmp\tx0, x5 // check if we have <= 4 blocks\n\ttrn1\tv9.2d, v14.2d, v15.2d // h4h | h3h\n\ttrn2\tv17.2d, v14.2d, v15.2d // h4l | h3l\n\ttrn1\tv8.2d, v12.2d, v13.2d // h2h | h1h\n\ttrn2\tv16.2d, v12.2d, v13.2d // h2l | h1l\n\teor\tv17.16b, v17.16b, v9.16b // h4k | h3k\n\taese\tv1.16b, v31.16b // AES block 1 - round N-1\n\taese\tv2.16b, v31.16b // AES block 2 - round N-1\n\teor\tv16.16b, v16.16b, v8.16b // h2k | h1k\n\taese\tv3.16b, v31.16b // AES block 3 - round N-1\n\taese\tv0.16b, v31.16b // AES block 0 - round N-1\n\tb.ge\tLdec_tail // handle tail\n\n\tldr\tq4, [x0, #0] // AES block 0 - load ciphertext\n\tldr\tq5, [x0, #16] // AES block 1 - load ciphertext\n\trev\tw9, w12 // CTR block 4\n\teor\tv0.16b, v4.16b, v0.16b // AES block 0 - result\n\teor\tv1.16b, v5.16b, v1.16b // AES block 1 - result\n\trev64\tv5.16b, v5.16b // GHASH block 1\n\tldr\tq7, [x0, #48] // AES block 3 - load ciphertext\n\tmov\tx7, v0.d[1] // AES block 0 - mov high\n\tmov\tx6, v0.d[0] // AES block 0 - mov low\n\trev64\tv4.16b, v4.16b // GHASH block 0\n\tadd\tw12, w12, #1 // CTR block 4\n\tfmov\td0, x10 // CTR block 4\n\torr\tx9, x11, x9, lsl #32 // CTR block 4\n\tfmov\tv0.d[1], x9 // CTR block 4\n\trev\tw9, w12 // CTR block 5\n\tadd\tw12, w12, #1 // CTR block 5\n\tmov\tx19, v1.d[0] // AES block 1 - mov low\n\torr\tx9, x11, x9, lsl #32 // CTR block 5\n\tmov\tx20, v1.d[1] // AES block 1 - mov high\n\teor\tx7, x7, x14 // AES block 0 - round N high\n\teor\tx6, x6, x13 // AES block 0 - round N low\n\tstp\tx6, x7, [x2], #16 // AES block 0 - store result\n\tfmov\td1, x10 // CTR block 5\n\tldr\tq6, [x0, #32] // AES block 2 - load ciphertext\n\tadd\tx0, x0, #64 // AES input_ptr update\n\tfmov\tv1.d[1], x9 // CTR block 5\n\trev\tw9, w12 // CTR block 6\n\tadd\tw12, w12, #1 // CTR block 6\n\teor\tx19, x19, x13 // AES block 1 - round N low\n\torr\tx9, x11, x9, lsl #32 // CTR block 6\n\teor\tx20, x20, x14 // AES block 1 - round N high\n\tstp\tx19, x20, [x2], #16 // AES block 1 - store result\n\teor\tv2.16b, v6.16b, v2.16b // AES block 2 - result\n\tcmp\tx0, x5 // check if we have <= 8 blocks\n\tb.ge\tLdec_prepretail // do prepretail\n\nLdec_main_loop:\t//\tmain loop start\n\tmov\tx21, v2.d[0] // AES block 4k+2 - mov low\n\text\tv11.16b, v11.16b, v11.16b, #8 // PRE 0\n\teor\tv3.16b, v7.16b, v3.16b // AES block 4k+3 - result\n\taese\tv0.16b, v18.16b\n\taesmc\tv0.16b, v0.16b // AES block 4k+4 - round 0\n\tmov\tx22, v2.d[1] // AES block 4k+2 - mov high\n\taese\tv1.16b, v18.16b\n\taesmc\tv1.16b, v1.16b // AES block 4k+5 - round 0\n\tfmov\td2, x10 // CTR block 4k+6\n\tfmov\tv2.d[1], x9 // CTR block 4k+6\n\teor\tv4.16b, v4.16b, v11.16b // PRE 1\n\trev\tw9, w12 // CTR block 4k+7\n\taese\tv0.16b, v19.16b\n\taesmc\tv0.16b, v0.16b // AES block 4k+4 - round 1\n\tmov\tx24, v3.d[1] // AES block 4k+3 - mov high\n\taese\tv1.16b, v19.16b\n\taesmc\tv1.16b, v1.16b // AES block 4k+5 - round 1\n\tmov\tx23, v3.d[0] // AES block 4k+3 - mov low\n\tpmull2\tv9.1q, v4.2d, v15.2d // GHASH block 4k - high\n\tmov\td8, v4.d[1] // GHASH block 4k - mid\n\tfmov\td3, x10 // CTR block 4k+7\n\taese\tv0.16b, v20.16b\n\taesmc\tv0.16b, v0.16b // AES block 4k+4 - round 2\n\torr\tx9, x11, x9, lsl #32 // CTR block 4k+7\n\taese\tv2.16b, v18.16b\n\taesmc\tv2.16b, v2.16b // AES block 4k+6 - round 0\n\tfmov\tv3.d[1], x9 // CTR block 4k+7\n\taese\tv1.16b, v20.16b\n\taesmc\tv1.16b, v1.16b // AES block 4k+5 - round 2\n\teor\tv8.8b, v8.8b, v4.8b // GHASH block 4k - mid\n\taese\tv0.16b, v21.16b\n\taesmc\tv0.16b, v0.16b // AES block 4k+4 - round 3\n\teor\tx22, x22, x14 // AES block 4k+2 - round N high\n\taese\tv2.16b, v19.16b\n\taesmc\tv2.16b, v2.16b // AES block 4k+6 - round 1\n\tmov\td10, v17.d[1] // GHASH block 4k - mid\n\taese\tv1.16b, v21.16b\n\taesmc\tv1.16b, v1.16b // AES block 4k+5 - round 3\n\trev64\tv6.16b, v6.16b // GHASH block 4k+2\n\taese\tv3.16b, v18.16b\n\taesmc\tv3.16b, v3.16b // AES block 4k+7 - round 0\n\teor\tx21, x21, x13 // AES block 4k+2 - round N low\n\taese\tv2.16b, v20.16b\n\taesmc\tv2.16b, v2.16b // AES block 4k+6 - round 2\n\tstp\tx21, x22, [x2], #16 // AES block 4k+2 - store result\n\tpmull\tv11.1q, v4.1d, v15.1d // GHASH block 4k - low\n\tpmull2\tv4.1q, v5.2d, v14.2d // GHASH block 4k+1 - high\n\taese\tv2.16b, v21.16b\n\taesmc\tv2.16b, v2.16b // AES block 4k+6 - round 3\n\trev64\tv7.16b, v7.16b // GHASH block 4k+3\n\tpmull\tv10.1q, v8.1d, v10.1d // GHASH block 4k - mid\n\teor\tx23, x23, x13 // AES block 4k+3 - round N low\n\tpmull\tv8.1q, v5.1d, v14.1d // GHASH block 4k+1 - low\n\teor\tx24, x24, x14 // AES block 4k+3 - round N high\n\teor\tv9.16b, v9.16b, v4.16b // GHASH block 4k+1 - high\n\taese\tv2.16b, v22.16b\n\taesmc\tv2.16b, v2.16b // AES block 4k+6 - round 4\n\taese\tv3.16b, v19.16b\n\taesmc\tv3.16b, v3.16b // AES block 4k+7 - round 1\n\tmov\td4, v5.d[1] // GHASH block 4k+1 - mid\n\taese\tv0.16b, v22.16b\n\taesmc\tv0.16b, v0.16b // AES block 4k+4 - round 4\n\teor\tv11.16b, v11.16b, v8.16b // GHASH block 4k+1 - low\n\taese\tv2.16b, v23.16b\n\taesmc\tv2.16b, v2.16b // AES block 4k+6 - round 5\n\tadd\tw12, w12, #1 // CTR block 4k+7\n\taese\tv3.16b, v20.16b\n\taesmc\tv3.16b, v3.16b // AES block 4k+7 - round 2\n\tmov\td8, v6.d[1] // GHASH block 4k+2 - mid\n\taese\tv1.16b, v22.16b\n\taesmc\tv1.16b, v1.16b // AES block 4k+5 - round 4\n\teor\tv4.8b, v4.8b, v5.8b // GHASH block 4k+1 - mid\n\tpmull\tv5.1q, v6.1d, v13.1d // GHASH block 4k+2 - low\n\taese\tv3.16b, v21.16b\n\taesmc\tv3.16b, v3.16b // AES block 4k+7 - round 3\n\teor\tv8.8b, v8.8b, v6.8b // GHASH block 4k+2 - mid\n\taese\tv1.16b, v23.16b\n\taesmc\tv1.16b, v1.16b // AES block 4k+5 - round 5\n\taese\tv0.16b, v23.16b\n\taesmc\tv0.16b, v0.16b // AES block 4k+4 - round 5\n\teor\tv11.16b, v11.16b, v5.16b // GHASH block 4k+2 - low\n\tpmull\tv4.1q, v4.1d, v17.1d // GHASH block 4k+1 - mid\n\trev\tw9, w12 // CTR block 4k+8\n\taese\tv1.16b, v24.16b\n\taesmc\tv1.16b, v1.16b // AES block 4k+5 - round 6\n\tins\tv8.d[1], v8.d[0] // GHASH block 4k+2 - mid\n\taese\tv0.16b, v24.16b\n\taesmc\tv0.16b, v0.16b // AES block 4k+4 - round 6\n\tadd\tw12, w12, #1 // CTR block 4k+8\n\taese\tv3.16b, v22.16b\n\taesmc\tv3.16b, v3.16b // AES block 4k+7 - round 4\n\taese\tv1.16b, v25.16b\n\taesmc\tv1.16b, v1.16b // AES block 4k+5 - round 7\n\teor\tv10.16b, v10.16b, v4.16b // GHASH block 4k+1 - mid\n\taese\tv0.16b, v25.16b\n\taesmc\tv0.16b, v0.16b // AES block 4k+4 - round 7\n\tpmull2\tv4.1q, v6.2d, v13.2d // GHASH block 4k+2 - high\n\tmov\td6, v7.d[1] // GHASH block 4k+3 - mid\n\taese\tv3.16b, v23.16b\n\taesmc\tv3.16b, v3.16b // AES block 4k+7 - round 5\n\tpmull2\tv8.1q, v8.2d, v16.2d // GHASH block 4k+2 - mid\n\taese\tv0.16b, v26.16b\n\taesmc\tv0.16b, v0.16b // AES block 4k+4 - round 8\n\teor\tv9.16b, v9.16b, v4.16b // GHASH block 4k+2 - high\n\taese\tv3.16b, v24.16b\n\taesmc\tv3.16b, v3.16b // AES block 4k+7 - round 6\n\tpmull\tv4.1q, v7.1d, v12.1d // GHASH block 4k+3 - low\n\torr\tx9, x11, x9, lsl #32 // CTR block 4k+8\n\teor\tv10.16b, v10.16b, v8.16b // GHASH block 4k+2 - mid\n\tpmull2\tv5.1q, v7.2d, v12.2d // GHASH block 4k+3 - high\n\tcmp\tx17, #12 // setup flags for AES-128/192/256 check\n\teor\tv6.8b, v6.8b, v7.8b // GHASH block 4k+3 - mid\n\taese\tv1.16b, v26.16b\n\taesmc\tv1.16b, v1.16b // AES block 4k+5 - round 8\n\taese\tv2.16b, v24.16b\n\taesmc\tv2.16b, v2.16b // AES block 4k+6 - round 6\n\teor\tv9.16b, v9.16b, v5.16b // GHASH block 4k+3 - high\n\tpmull\tv6.1q, v6.1d, v16.1d // GHASH block 4k+3 - mid\n\tmovi\tv8.8b, #0xc2\n\taese\tv2.16b, v25.16b\n\taesmc\tv2.16b, v2.16b // AES block 4k+6 - round 7\n\teor\tv11.16b, v11.16b, v4.16b // GHASH block 4k+3 - low\n\taese\tv3.16b, v25.16b\n\taesmc\tv3.16b, v3.16b // AES block 4k+7 - round 7\n\tshl\td8, d8, #56 // mod_constant\n\taese\tv2.16b, v26.16b\n\taesmc\tv2.16b, v2.16b // AES block 4k+6 - round 8\n\teor\tv10.16b, v10.16b, v6.16b // GHASH block 4k+3 - mid\n\taese\tv3.16b, v26.16b\n\taesmc\tv3.16b, v3.16b // AES block 4k+7 - round 8\n\tb.lt\tLdec_main_loop_continue // branch if AES-128\n\n\taese\tv0.16b, v27.16b\n\taesmc\tv0.16b, v0.16b // AES block 4k+4 - round 9\n\taese\tv2.16b, v27.16b\n\taesmc\tv2.16b, v2.16b // AES block 4k+6 - round 9\n\taese\tv1.16b, v27.16b\n\taesmc\tv1.16b, v1.16b // AES block 4k+5 - round 9\n\taese\tv3.16b, v27.16b\n\taesmc\tv3.16b, v3.16b // AES block 4k+7 - round 9\n\taese\tv0.16b, v28.16b\n\taesmc\tv0.16b, v0.16b // AES block 4k+4 - round 10\n\taese\tv1.16b, v28.16b\n\taesmc\tv1.16b, v1.16b // AES block 4k+5 - round 10\n\taese\tv2.16b, v28.16b\n\taesmc\tv2.16b, v2.16b // AES block 4k+6 - round 10\n\taese\tv3.16b, v28.16b\n\taesmc\tv3.16b, v3.16b // AES block 4k+7 - round 10\n\tb.eq\tLdec_main_loop_continue // branch if AES-192\n\n\taese\tv0.16b, v29.16b\n\taesmc\tv0.16b, v0.16b // AES block 4k+4 - round 11\n\taese\tv1.16b, v29.16b\n\taesmc\tv1.16b, v1.16b // AES block 4k+5 - round 11\n\taese\tv2.16b, v29.16b\n\taesmc\tv2.16b, v2.16b // AES block 4k+6 - round 11\n\taese\tv3.16b, v29.16b\n\taesmc\tv3.16b, v3.16b // AES block 4k+7 - round 11\n\taese\tv0.16b, v30.16b\n\taesmc\tv0.16b, v0.16b // AES block 4k+4 - round 12\n\taese\tv1.16b, v30.16b\n\taesmc\tv1.16b, v1.16b // AES block 4k+5 - round 12\n\taese\tv2.16b, v30.16b\n\taesmc\tv2.16b, v2.16b // AES block 4k+6 - round 12\n\taese\tv3.16b, v30.16b\n\taesmc\tv3.16b, v3.16b // AES block 4k+7 - round 12\n\nLdec_main_loop_continue:\n\tpmull\tv7.1q, v9.1d, v8.1d // MODULO - top 64b align with mid\n\teor\tv6.16b, v11.16b, v9.16b // MODULO - karatsuba tidy up\n\tldr\tq4, [x0, #0] // AES block 4k+4 - load ciphertext\n\taese\tv0.16b, v31.16b // AES block 4k+4 - round N-1\n\text\tv9.16b, v9.16b, v9.16b, #8 // MODULO - other top alignment\n\teor\tv10.16b, v10.16b, v6.16b // MODULO - karatsuba tidy up\n\tldr\tq5, [x0, #16] // AES block 4k+5 - load ciphertext\n\teor\tv0.16b, v4.16b, v0.16b // AES block 4k+4 - result\n\tstp\tx23, x24, [x2], #16 // AES block 4k+3 - store result\n\teor\tv10.16b, v10.16b, v7.16b // MODULO - fold into mid\n\tldr\tq7, [x0, #48] // AES block 4k+7 - load ciphertext\n\tldr\tq6, [x0, #32] // AES block 4k+6 - load ciphertext\n\tmov\tx7, v0.d[1] // AES block 4k+4 - mov high\n\teor\tv10.16b, v10.16b, v9.16b // MODULO - fold into mid\n\taese\tv1.16b, v31.16b // AES block 4k+5 - round N-1\n\tadd\tx0, x0, #64 // AES input_ptr update\n\tmov\tx6, v0.d[0] // AES block 4k+4 - mov low\n\tfmov\td0, x10 // CTR block 4k+8\n\tfmov\tv0.d[1], x9 // CTR block 4k+8\n\tpmull\tv8.1q, v10.1d, v8.1d // MODULO - mid 64b align with low\n\teor\tv1.16b, v5.16b, v1.16b // AES block 4k+5 - result\n\trev\tw9, w12 // CTR block 4k+9\n\taese\tv2.16b, v31.16b // AES block 4k+6 - round N-1\n\torr\tx9, x11, x9, lsl #32 // CTR block 4k+9\n\tcmp\tx0, x5 // LOOP CONTROL\n\tadd\tw12, w12, #1 // CTR block 4k+9\n\teor\tx6, x6, x13 // AES block 4k+4 - round N low\n\teor\tx7, x7, x14 // AES block 4k+4 - round N high\n\tmov\tx20, v1.d[1] // AES block 4k+5 - mov high\n\teor\tv2.16b, v6.16b, v2.16b // AES block 4k+6 - result\n\teor\tv11.16b, v11.16b, v8.16b // MODULO - fold into low\n\tmov\tx19, v1.d[0] // AES block 4k+5 - mov low\n\tfmov\td1, x10 // CTR block 4k+9\n\text\tv10.16b, v10.16b, v10.16b, #8 // MODULO - other mid alignment\n\tfmov\tv1.d[1], x9 // CTR block 4k+9\n\trev\tw9, w12 // CTR block 4k+10\n\tadd\tw12, w12, #1 // CTR block 4k+10\n\taese\tv3.16b, v31.16b // AES block 4k+7 - round N-1\n\torr\tx9, x11, x9, lsl #32 // CTR block 4k+10\n\trev64\tv5.16b, v5.16b // GHASH block 4k+5\n\teor\tx20, x20, x14 // AES block 4k+5 - round N high\n\tstp\tx6, x7, [x2], #16 // AES block 4k+4 - store result\n\teor\tx19, x19, x13 // AES block 4k+5 - round N low\n\tstp\tx19, x20, [x2], #16 // AES block 4k+5 - store result\n\trev64\tv4.16b, v4.16b // GHASH block 4k+4\n\teor\tv11.16b, v11.16b, v10.16b // MODULO - fold into low\n\tb.lt\tLdec_main_loop\n\nLdec_prepretail:\t//\tPREPRETAIL\n\text\tv11.16b, v11.16b, v11.16b, #8 // PRE 0\n\tmov\tx21, v2.d[0] // AES block 4k+2 - mov low\n\teor\tv3.16b, v7.16b, v3.16b // AES block 4k+3 - result\n\taese\tv0.16b, v18.16b\n\taesmc\tv0.16b, v0.16b // AES block 4k+4 - round 0\n\tmov\tx22, v2.d[1] // AES block 4k+2 - mov high\n\taese\tv1.16b, v18.16b\n\taesmc\tv1.16b, v1.16b // AES block 4k+5 - round 0\n\tfmov\td2, x10 // CTR block 4k+6\n\tfmov\tv2.d[1], x9 // CTR block 4k+6\n\trev\tw9, w12 // CTR block 4k+7\n\teor\tv4.16b, v4.16b, v11.16b // PRE 1\n\trev64\tv6.16b, v6.16b // GHASH block 4k+2\n\torr\tx9, x11, x9, lsl #32 // CTR block 4k+7\n\tmov\tx23, v3.d[0] // AES block 4k+3 - mov low\n\taese\tv1.16b, v19.16b\n\taesmc\tv1.16b, v1.16b // AES block 4k+5 - round 1\n\tmov\tx24, v3.d[1] // AES block 4k+3 - mov high\n\tpmull\tv11.1q, v4.1d, v15.1d // GHASH block 4k - low\n\tmov\td8, v4.d[1] // GHASH block 4k - mid\n\tfmov\td3, x10 // CTR block 4k+7\n\tpmull2\tv9.1q, v4.2d, v15.2d // GHASH block 4k - high\n\tfmov\tv3.d[1], x9 // CTR block 4k+7\n\taese\tv2.16b, v18.16b\n\taesmc\tv2.16b, v2.16b // AES block 4k+6 - round 0\n\tmov\td10, v17.d[1] // GHASH block 4k - mid\n\taese\tv0.16b, v19.16b\n\taesmc\tv0.16b, v0.16b // AES block 4k+4 - round 1\n\teor\tv8.8b, v8.8b, v4.8b // GHASH block 4k - mid\n\tpmull2\tv4.1q, v5.2d, v14.2d // GHASH block 4k+1 - high\n\taese\tv2.16b, v19.16b\n\taesmc\tv2.16b, v2.16b // AES block 4k+6 - round 1\n\trev64\tv7.16b, v7.16b // GHASH block 4k+3\n\taese\tv3.16b, v18.16b\n\taesmc\tv3.16b, v3.16b // AES block 4k+7 - round 0\n\tpmull\tv10.1q, v8.1d, v10.1d // GHASH block 4k - mid\n\teor\tv9.16b, v9.16b, v4.16b // GHASH block 4k+1 - high\n\tpmull\tv8.1q, v5.1d, v14.1d // GHASH block 4k+1 - low\n\taese\tv3.16b, v19.16b\n\taesmc\tv3.16b, v3.16b // AES block 4k+7 - round 1\n\tmov\td4, v5.d[1] // GHASH block 4k+1 - mid\n\taese\tv0.16b, v20.16b\n\taesmc\tv0.16b, v0.16b // AES block 4k+4 - round 2\n\taese\tv1.16b, v20.16b\n\taesmc\tv1.16b, v1.16b // AES block 4k+5 - round 2\n\teor\tv11.16b, v11.16b, v8.16b // GHASH block 4k+1 - low\n\taese\tv2.16b, v20.16b\n\taesmc\tv2.16b, v2.16b // AES block 4k+6 - round 2\n\taese\tv0.16b, v21.16b\n\taesmc\tv0.16b, v0.16b // AES block 4k+4 - round 3\n\tmov\td8, v6.d[1] // GHASH block 4k+2 - mid\n\taese\tv3.16b, v20.16b\n\taesmc\tv3.16b, v3.16b // AES block 4k+7 - round 2\n\teor\tv4.8b, v4.8b, v5.8b // GHASH block 4k+1 - mid\n\tpmull\tv5.1q, v6.1d, v13.1d // GHASH block 4k+2 - low\n\taese\tv0.16b, v22.16b\n\taesmc\tv0.16b, v0.16b // AES block 4k+4 - round 4\n\taese\tv3.16b, v21.16b\n\taesmc\tv3.16b, v3.16b // AES block 4k+7 - round 3\n\teor\tv8.8b, v8.8b, v6.8b // GHASH block 4k+2 - mid\n\tpmull\tv4.1q, v4.1d, v17.1d // GHASH block 4k+1 - mid\n\taese\tv0.16b, v23.16b\n\taesmc\tv0.16b, v0.16b // AES block 4k+4 - round 5\n\teor\tv11.16b, v11.16b, v5.16b // GHASH block 4k+2 - low\n\taese\tv3.16b, v22.16b\n\taesmc\tv3.16b, v3.16b // AES block 4k+7 - round 4\n\tpmull2\tv5.1q, v7.2d, v12.2d // GHASH block 4k+3 - high\n\teor\tv10.16b, v10.16b, v4.16b // GHASH block 4k+1 - mid\n\tpmull2\tv4.1q, v6.2d, v13.2d // GHASH block 4k+2 - high\n\taese\tv3.16b, v23.16b\n\taesmc\tv3.16b, v3.16b // AES block 4k+7 - round 5\n\tins\tv8.d[1], v8.d[0] // GHASH block 4k+2 - mid\n\taese\tv2.16b, v21.16b\n\taesmc\tv2.16b, v2.16b // AES block 4k+6 - round 3\n\taese\tv1.16b, v21.16b\n\taesmc\tv1.16b, v1.16b // AES block 4k+5 - round 3\n\teor\tv9.16b, v9.16b, v4.16b // GHASH block 4k+2 - high\n\tpmull\tv4.1q, v7.1d, v12.1d // GHASH block 4k+3 - low\n\taese\tv2.16b, v22.16b\n\taesmc\tv2.16b, v2.16b // AES block 4k+6 - round 4\n\tmov\td6, v7.d[1] // GHASH block 4k+3 - mid\n\taese\tv1.16b, v22.16b\n\taesmc\tv1.16b, v1.16b // AES block 4k+5 - round 4\n\tpmull2\tv8.1q, v8.2d, v16.2d // GHASH block 4k+2 - mid\n\taese\tv2.16b, v23.16b\n\taesmc\tv2.16b, v2.16b // AES block 4k+6 - round 5\n\teor\tv6.8b, v6.8b, v7.8b // GHASH block 4k+3 - mid\n\taese\tv1.16b, v23.16b\n\taesmc\tv1.16b, v1.16b // AES block 4k+5 - round 5\n\taese\tv3.16b, v24.16b\n\taesmc\tv3.16b, v3.16b // AES block 4k+7 - round 6\n\teor\tv10.16b, v10.16b, v8.16b // GHASH block 4k+2 - mid\n\taese\tv2.16b, v24.16b\n\taesmc\tv2.16b, v2.16b // AES block 4k+6 - round 6\n\taese\tv0.16b, v24.16b\n\taesmc\tv0.16b, v0.16b // AES block 4k+4 - round 6\n\tmovi\tv8.8b, #0xc2\n\taese\tv1.16b, v24.16b\n\taesmc\tv1.16b, v1.16b // AES block 4k+5 - round 6\n\teor\tv11.16b, v11.16b, v4.16b // GHASH block 4k+3 - low\n\tpmull\tv6.1q, v6.1d, v16.1d // GHASH block 4k+3 - mid\n\taese\tv3.16b, v25.16b\n\taesmc\tv3.16b, v3.16b // AES block 4k+7 - round 7\n\tcmp\tx17, #12 // setup flags for AES-128/192/256 check\n\teor\tv9.16b, v9.16b, v5.16b // GHASH block 4k+3 - high\n\taese\tv1.16b, v25.16b\n\taesmc\tv1.16b, v1.16b // AES block 4k+5 - round 7\n\taese\tv0.16b, v25.16b\n\taesmc\tv0.16b, v0.16b // AES block 4k+4 - round 7\n\teor\tv10.16b, v10.16b, v6.16b // GHASH block 4k+3 - mid\n\taese\tv3.16b, v26.16b\n\taesmc\tv3.16b, v3.16b // AES block 4k+7 - round 8\n\taese\tv2.16b, v25.16b\n\taesmc\tv2.16b, v2.16b // AES block 4k+6 - round 7\n\teor\tv6.16b, v11.16b, v9.16b // MODULO - karatsuba tidy up\n\taese\tv1.16b, v26.16b\n\taesmc\tv1.16b, v1.16b // AES block 4k+5 - round 8\n\taese\tv0.16b, v26.16b\n\taesmc\tv0.16b, v0.16b // AES block 4k+4 - round 8\n\tshl\td8, d8, #56 // mod_constant\n\taese\tv2.16b, v26.16b\n\taesmc\tv2.16b, v2.16b // AES block 4k+6 - round 8\n\tb.lt\tLdec_finish_prepretail // branch if AES-128\n\n\taese\tv1.16b, v27.16b\n\taesmc\tv1.16b, v1.16b // AES block 4k+5 - round 9\n\taese\tv2.16b, v27.16b\n\taesmc\tv2.16b, v2.16b // AES block 4k+6 - round 9\n\taese\tv3.16b, v27.16b\n\taesmc\tv3.16b, v3.16b // AES block 4k+7 - round 9\n\taese\tv0.16b, v27.16b\n\taesmc\tv0.16b, v0.16b // AES block 4k+4 - round 9\n\taese\tv2.16b, v28.16b\n\taesmc\tv2.16b, v2.16b // AES block 4k+6 - round 10\n\taese\tv3.16b, v28.16b\n\taesmc\tv3.16b, v3.16b // AES block 4k+7 - round 10\n\taese\tv0.16b, v28.16b\n\taesmc\tv0.16b, v0.16b // AES block 4k+4 - round 10\n\taese\tv1.16b, v28.16b\n\taesmc\tv1.16b, v1.16b // AES block 4k+5 - round 10\n\tb.eq\tLdec_finish_prepretail // branch if AES-192\n\n\taese\tv2.16b, v29.16b\n\taesmc\tv2.16b, v2.16b // AES block 4k+6 - round 11\n\taese\tv0.16b, v29.16b\n\taesmc\tv0.16b, v0.16b // AES block 4k+4 - round 11\n\taese\tv1.16b, v29.16b\n\taesmc\tv1.16b, v1.16b // AES block 4k+5 - round 11\n\taese\tv2.16b, v30.16b\n\taesmc\tv2.16b, v2.16b // AES block 4k+6 - round 12\n\taese\tv3.16b, v29.16b\n\taesmc\tv3.16b, v3.16b // AES block 4k+7 - round 11\n\taese\tv1.16b, v30.16b\n\taesmc\tv1.16b, v1.16b // AES block 4k+5 - round 12\n\taese\tv0.16b, v30.16b\n\taesmc\tv0.16b, v0.16b // AES block 4k+4 - round 12\n\taese\tv3.16b, v30.16b\n\taesmc\tv3.16b, v3.16b // AES block 4k+7 - round 12\n\nLdec_finish_prepretail:\n\teor\tv10.16b, v10.16b, v6.16b // MODULO - karatsuba tidy up\n\tpmull\tv7.1q, v9.1d, v8.1d // MODULO - top 64b align with mid\n\text\tv9.16b, v9.16b, v9.16b, #8 // MODULO - other top alignment\n\teor\tv10.16b, v10.16b, v7.16b // MODULO - fold into mid\n\teor\tx22, x22, x14 // AES block 4k+2 - round N high\n\teor\tx23, x23, x13 // AES block 4k+3 - round N low\n\teor\tv10.16b, v10.16b, v9.16b // MODULO - fold into mid\n\tadd\tw12, w12, #1 // CTR block 4k+7\n\teor\tx21, x21, x13 // AES block 4k+2 - round N low\n\tpmull\tv8.1q, v10.1d, v8.1d // MODULO - mid 64b align with low\n\teor\tx24, x24, x14 // AES block 4k+3 - round N high\n\tstp\tx21, x22, [x2], #16 // AES block 4k+2 - store result\n\text\tv10.16b, v10.16b, v10.16b, #8 // MODULO - other mid alignment\n\tstp\tx23, x24, [x2], #16 // AES block 4k+3 - store result\n\n\teor\tv11.16b, v11.16b, v8.16b // MODULO - fold into low\n\taese\tv1.16b, v31.16b // AES block 4k+5 - round N-1\n\taese\tv0.16b, v31.16b // AES block 4k+4 - round N-1\n\taese\tv3.16b, v31.16b // AES block 4k+7 - round N-1\n\taese\tv2.16b, v31.16b // AES block 4k+6 - round N-1\n\teor\tv11.16b, v11.16b, v10.16b // MODULO - fold into low\n\nLdec_tail:\t//\tTAIL\n\tsub\tx5, x4, x0 // main_end_input_ptr is number of bytes left to process\n\tld1\t{ v5.16b}, [x0], #16 // AES block 4k+4 - load ciphertext\n\teor\tv0.16b, v5.16b, v0.16b // AES block 4k+4 - result\n\tmov\tx6, v0.d[0] // AES block 4k+4 - mov low\n\tmov\tx7, v0.d[1] // AES block 4k+4 - mov high\n\text\tv8.16b, v11.16b, v11.16b, #8 // prepare final partial tag\n\tcmp\tx5, #48\n\teor\tx6, x6, x13 // AES block 4k+4 - round N low\n\teor\tx7, x7, x14 // AES block 4k+4 - round N high\n\tb.gt\tLdec_blocks_more_than_3\n\tsub\tw12, w12, #1\n\tmov\tv3.16b, v2.16b\n\tmovi\tv10.8b, #0\n\tmovi\tv11.8b, #0\n\tcmp\tx5, #32\n\tmovi\tv9.8b, #0\n\tmov\tv2.16b, v1.16b\n\tb.gt\tLdec_blocks_more_than_2\n\tsub\tw12, w12, #1\n\tmov\tv3.16b, v1.16b\n\tcmp\tx5, #16\n\tb.gt\tLdec_blocks_more_than_1\n\tsub\tw12, w12, #1\n\tb\tLdec_blocks_less_than_1\nLdec_blocks_more_than_3:\t//\tblocks left > 3\n\trev64\tv4.16b, v5.16b // GHASH final-3 block\n\tld1\t{ v5.16b}, [x0], #16 // AES final-2 block - load ciphertext\n\tstp\tx6, x7, [x2], #16 // AES final-3 block - store result\n\tmov\td10, v17.d[1] // GHASH final-3 block - mid\n\teor\tv4.16b, v4.16b, v8.16b // feed in partial tag\n\teor\tv0.16b, v5.16b, v1.16b // AES final-2 block - result\n\tmov\td22, v4.d[1] // GHASH final-3 block - mid\n\tmov\tx6, v0.d[0] // AES final-2 block - mov low\n\tmov\tx7, v0.d[1] // AES final-2 block - mov high\n\teor\tv22.8b, v22.8b, v4.8b // GHASH final-3 block - mid\n\tmovi\tv8.8b, #0 // suppress further partial tag feed in\n\tpmull2\tv9.1q, v4.2d, v15.2d // GHASH final-3 block - high\n\tpmull\tv10.1q, v22.1d, v10.1d // GHASH final-3 block - mid\n\teor\tx6, x6, x13 // AES final-2 block - round N low\n\tpmull\tv11.1q, v4.1d, v15.1d // GHASH final-3 block - low\n\teor\tx7, x7, x14 // AES final-2 block - round N high\nLdec_blocks_more_than_2:\t//\tblocks left > 2\n\trev64\tv4.16b, v5.16b // GHASH final-2 block\n\tld1\t{ v5.16b}, [x0], #16 // AES final-1 block - load ciphertext\n\teor\tv4.16b, v4.16b, v8.16b // feed in partial tag\n\tstp\tx6, x7, [x2], #16 // AES final-2 block - store result\n\teor\tv0.16b, v5.16b, v2.16b // AES final-1 block - result\n\tmov\td22, v4.d[1] // GHASH final-2 block - mid\n\tpmull\tv21.1q, v4.1d, v14.1d // GHASH final-2 block - low\n\tpmull2\tv20.1q, v4.2d, v14.2d // GHASH final-2 block - high\n\teor\tv22.8b, v22.8b, v4.8b // GHASH final-2 block - mid\n\tmov\tx6, v0.d[0] // AES final-1 block - mov low\n\tmov\tx7, v0.d[1] // AES final-1 block - mov high\n\teor\tv11.16b, v11.16b, v21.16b // GHASH final-2 block - low\n\tmovi\tv8.8b, #0 // suppress further partial tag feed in\n\tpmull\tv22.1q, v22.1d, v17.1d // GHASH final-2 block - mid\n\teor\tv9.16b, v9.16b, v20.16b // GHASH final-2 block - high\n\teor\tx6, x6, x13 // AES final-1 block - round N low\n\teor\tv10.16b, v10.16b, v22.16b // GHASH final-2 block - mid\n\teor\tx7, x7, x14 // AES final-1 block - round N high\nLdec_blocks_more_than_1:\t//\tblocks left > 1\n\tstp\tx6, x7, [x2], #16 // AES final-1 block - store result\n\trev64\tv4.16b, v5.16b // GHASH final-1 block\n\tld1\t{ v5.16b}, [x0], #16 // AES final block - load ciphertext\n\teor\tv4.16b, v4.16b, v8.16b // feed in partial tag\n\tmovi\tv8.8b, #0 // suppress further partial tag feed in\n\tmov\td22, v4.d[1] // GHASH final-1 block - mid\n\teor\tv0.16b, v5.16b, v3.16b // AES final block - result\n\tpmull2\tv20.1q, v4.2d, v13.2d // GHASH final-1 block - high\n\teor\tv22.8b, v22.8b, v4.8b // GHASH final-1 block - mid\n\tpmull\tv21.1q, v4.1d, v13.1d // GHASH final-1 block - low\n\tmov\tx6, v0.d[0] // AES final block - mov low\n\tins\tv22.d[1], v22.d[0] // GHASH final-1 block - mid\n\tmov\tx7, v0.d[1] // AES final block - mov high\n\tpmull2\tv22.1q, v22.2d, v16.2d // GHASH final-1 block - mid\n\teor\tx6, x6, x13 // AES final block - round N low\n\teor\tv11.16b, v11.16b, v21.16b // GHASH final-1 block - low\n\teor\tv9.16b, v9.16b, v20.16b // GHASH final-1 block - high\n\teor\tv10.16b, v10.16b, v22.16b // GHASH final-1 block - mid\n\teor\tx7, x7, x14 // AES final block - round N high\nLdec_blocks_less_than_1:\t//\tblocks left <= 1\n\tand\tx1, x1, #127 // bit_length %= 128\n\tmvn\tx14, xzr // rkN_h = 0xffffffffffffffff\n\tsub\tx1, x1, #128 // bit_length -= 128\n\tmvn\tx13, xzr // rkN_l = 0xffffffffffffffff\n\tldp\tx4, x5, [x2] // load existing bytes we need to not overwrite\n\tneg\tx1, x1 // bit_length = 128 - #bits in input (in range [1,128])\n\tand\tx1, x1, #127 // bit_length %= 128\n\tlsr\tx14, x14, x1 // rkN_h is mask for top 64b of last block\n\tcmp\tx1, #64\n\tcsel\tx9, x13, x14, lt\n\tcsel\tx10, x14, xzr, lt\n\tfmov\td0, x9 // ctr0b is mask for last block\n\tand\tx6, x6, x9\n\tmov\tv0.d[1], x10\n\tbic\tx4, x4, x9 // mask out low existing bytes\n\trev\tw9, w12\n\tbic\tx5, x5, x10 // mask out high existing bytes\n\torr\tx6, x6, x4\n\tand\tx7, x7, x10\n\torr\tx7, x7, x5\n\tand\tv5.16b, v5.16b, v0.16b // possibly partial last block has zeroes in highest bits\n\trev64\tv4.16b, v5.16b // GHASH final block\n\teor\tv4.16b, v4.16b, v8.16b // feed in partial tag\n\tpmull\tv21.1q, v4.1d, v12.1d // GHASH final block - low\n\tmov\td8, v4.d[1] // GHASH final block - mid\n\teor\tv8.8b, v8.8b, v4.8b // GHASH final block - mid\n\tpmull2\tv20.1q, v4.2d, v12.2d // GHASH final block - high\n\tpmull\tv8.1q, v8.1d, v16.1d // GHASH final block - mid\n\teor\tv9.16b, v9.16b, v20.16b // GHASH final block - high\n\teor\tv11.16b, v11.16b, v21.16b // GHASH final block - low\n\teor\tv10.16b, v10.16b, v8.16b // GHASH final block - mid\n\tmovi\tv8.8b, #0xc2\n\teor\tv6.16b, v11.16b, v9.16b // MODULO - karatsuba tidy up\n\tshl\td8, d8, #56 // mod_constant\n\teor\tv10.16b, v10.16b, v6.16b // MODULO - karatsuba tidy up\n\tpmull\tv7.1q, v9.1d, v8.1d // MODULO - top 64b align with mid\n\text\tv9.16b, v9.16b, v9.16b, #8 // MODULO - other top alignment\n\teor\tv10.16b, v10.16b, v7.16b // MODULO - fold into mid\n\teor\tv10.16b, v10.16b, v9.16b // MODULO - fold into mid\n\tpmull\tv8.1q, v10.1d, v8.1d // MODULO - mid 64b align with low\n\text\tv10.16b, v10.16b, v10.16b, #8 // MODULO - other mid alignment\n\teor\tv11.16b, v11.16b, v8.16b // MODULO - fold into low\n\tstp\tx6, x7, [x2]\n\tstr\tw9, [x16, #12] // store the updated counter\n\teor\tv11.16b, v11.16b, v10.16b // MODULO - fold into low\n\text\tv11.16b, v11.16b, v11.16b, #8\n\trev64\tv11.16b, v11.16b\n\tmov\tx0, x15\n\tst1\t{ v11.16b }, [x3]\n\tldp\tx19, x20, [sp, #16]\n\tldp\tx21, x22, [sp, #32]\n\tldp\tx23, x24, [sp, #48]\n\tldp\td8, d9, [sp, #64]\n\tldp\td10, d11, [sp, #80]\n\tldp\td12, d13, [sp, #96]\n\tldp\td14, d15, [sp, #112]\n\tldp\tx29, x30, [sp], #128\n\tAARCH64_VALIDATE_LINK_REGISTER\n\tret\n\n#endif\n#endif // !OPENSSL_NO_ASM && defined(OPENSSL_AARCH64) && defined(_WIN32)\n#if defined(__linux__) && defined(__ELF__)\n.section .note.GNU-stack,\"\",%progbits\n#endif\n\n" }, { "path": "Sources/CNIOBoringSSL/gen/bcm/armv4-mont-linux.S", "content": "#define BORINGSSL_PREFIX CNIOBoringSSL\n// This file is generated from a similarly-named Perl script in the BoringSSL\n// source tree. Do not edit by hand.\n\n#include \n\n#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_ARM) && defined(__ELF__)\n#include \n\n@ Silence ARMv8 deprecated IT instruction warnings. This file is used by both\n@ ARMv7 and ARMv8 processors and does not use ARMv8 instructions.\n.arch\tarmv7-a\n\n.text\n#if defined(__thumb2__)\n.syntax\tunified\n.thumb\n#else\n.code\t32\n#endif\n\n.globl\tbn_mul_mont_nohw\n.hidden\tbn_mul_mont_nohw\n.type\tbn_mul_mont_nohw,%function\n\n.align\t5\nbn_mul_mont_nohw:\n\tldr\tip,[sp,#4]\t\t@ load num\n\tstmdb\tsp!,{r0,r2}\t\t@ sp points at argument block\n\tcmp\tip,#2\n\tmov\tr0,ip\t\t\t@ load num\n#ifdef\t__thumb2__\n\tittt\tlt\n#endif\n\tmovlt\tr0,#0\n\taddlt\tsp,sp,#2*4\n\tblt\t.Labrt\n\n\tstmdb\tsp!,{r4,r5,r6,r7,r8,r9,r10,r11,r12,lr}\t\t@ save 10 registers\n\n\tmov\tr0,r0,lsl#2\t\t@ rescale r0 for byte count\n\tsub\tsp,sp,r0\t\t@ alloca(4*num)\n\tsub\tsp,sp,#4\t\t@ +extra dword\n\tsub\tr0,r0,#4\t\t@ \"num=num-1\"\n\tadd\tr4,r2,r0\t\t@ &bp[num-1]\n\n\tadd\tr0,sp,r0\t\t@ r0 to point at &tp[num-1]\n\tldr\tr8,[r0,#14*4]\t\t@ &n0\n\tldr\tr2,[r2]\t\t@ bp[0]\n\tldr\tr5,[r1],#4\t\t@ ap[0],ap++\n\tldr\tr6,[r3],#4\t\t@ np[0],np++\n\tldr\tr8,[r8]\t\t@ *n0\n\tstr\tr4,[r0,#15*4]\t\t@ save &bp[num]\n\n\tumull\tr10,r11,r5,r2\t@ ap[0]*bp[0]\n\tstr\tr8,[r0,#14*4]\t\t@ save n0 value\n\tmul\tr8,r10,r8\t\t@ \"tp[0]\"*n0\n\tmov\tr12,#0\n\tumlal\tr10,r12,r6,r8\t@ np[0]*n0+\"t[0]\"\n\tmov\tr4,sp\n\n.L1st:\n\tldr\tr5,[r1],#4\t\t@ ap[j],ap++\n\tmov\tr10,r11\n\tldr\tr6,[r3],#4\t\t@ np[j],np++\n\tmov\tr11,#0\n\tumlal\tr10,r11,r5,r2\t@ ap[j]*bp[0]\n\tmov\tr14,#0\n\tumlal\tr12,r14,r6,r8\t@ np[j]*n0\n\tadds\tr12,r12,r10\n\tstr\tr12,[r4],#4\t\t@ tp[j-1]=,tp++\n\tadc\tr12,r14,#0\n\tcmp\tr4,r0\n\tbne\t.L1st\n\n\tadds\tr12,r12,r11\n\tldr\tr4,[r0,#13*4]\t\t@ restore bp\n\tmov\tr14,#0\n\tldr\tr8,[r0,#14*4]\t\t@ restore n0\n\tadc\tr14,r14,#0\n\tstr\tr12,[r0]\t\t@ tp[num-1]=\n\tmov\tr7,sp\n\tstr\tr14,[r0,#4]\t\t@ tp[num]=\n\n.Louter:\n\tsub\tr7,r0,r7\t\t@ \"original\" r0-1 value\n\tsub\tr1,r1,r7\t\t@ \"rewind\" ap to &ap[1]\n\tldr\tr2,[r4,#4]!\t\t@ *(++bp)\n\tsub\tr3,r3,r7\t\t@ \"rewind\" np to &np[1]\n\tldr\tr5,[r1,#-4]\t\t@ ap[0]\n\tldr\tr10,[sp]\t\t@ tp[0]\n\tldr\tr6,[r3,#-4]\t\t@ np[0]\n\tldr\tr7,[sp,#4]\t\t@ tp[1]\n\n\tmov\tr11,#0\n\tumlal\tr10,r11,r5,r2\t@ ap[0]*bp[i]+tp[0]\n\tstr\tr4,[r0,#13*4]\t\t@ save bp\n\tmul\tr8,r10,r8\n\tmov\tr12,#0\n\tumlal\tr10,r12,r6,r8\t@ np[0]*n0+\"tp[0]\"\n\tmov\tr4,sp\n\n.Linner:\n\tldr\tr5,[r1],#4\t\t@ ap[j],ap++\n\tadds\tr10,r11,r7\t\t@ +=tp[j]\n\tldr\tr6,[r3],#4\t\t@ np[j],np++\n\tmov\tr11,#0\n\tumlal\tr10,r11,r5,r2\t@ ap[j]*bp[i]\n\tmov\tr14,#0\n\tumlal\tr12,r14,r6,r8\t@ np[j]*n0\n\tadc\tr11,r11,#0\n\tldr\tr7,[r4,#8]\t\t@ tp[j+1]\n\tadds\tr12,r12,r10\n\tstr\tr12,[r4],#4\t\t@ tp[j-1]=,tp++\n\tadc\tr12,r14,#0\n\tcmp\tr4,r0\n\tbne\t.Linner\n\n\tadds\tr12,r12,r11\n\tmov\tr14,#0\n\tldr\tr4,[r0,#13*4]\t\t@ restore bp\n\tadc\tr14,r14,#0\n\tldr\tr8,[r0,#14*4]\t\t@ restore n0\n\tadds\tr12,r12,r7\n\tldr\tr7,[r0,#15*4]\t\t@ restore &bp[num]\n\tadc\tr14,r14,#0\n\tstr\tr12,[r0]\t\t@ tp[num-1]=\n\tstr\tr14,[r0,#4]\t\t@ tp[num]=\n\n\tcmp\tr4,r7\n#ifdef\t__thumb2__\n\titt\tne\n#endif\n\tmovne\tr7,sp\n\tbne\t.Louter\n\n\tldr\tr2,[r0,#12*4]\t\t@ pull rp\n\tmov\tr5,sp\n\tadd\tr0,r0,#4\t\t@ r0 to point at &tp[num]\n\tsub\tr5,r0,r5\t\t@ \"original\" num value\n\tmov\tr4,sp\t\t\t@ \"rewind\" r4\n\tmov\tr1,r4\t\t\t@ \"borrow\" r1\n\tsub\tr3,r3,r5\t\t@ \"rewind\" r3 to &np[0]\n\n\tsubs\tr7,r7,r7\t\t@ \"clear\" carry flag\n.Lsub:\tldr\tr7,[r4],#4\n\tldr\tr6,[r3],#4\n\tsbcs\tr7,r7,r6\t\t@ tp[j]-np[j]\n\tstr\tr7,[r2],#4\t\t@ rp[j]=\n\tteq\tr4,r0\t\t@ preserve carry\n\tbne\t.Lsub\n\tsbcs\tr14,r14,#0\t\t@ upmost carry\n\tmov\tr4,sp\t\t\t@ \"rewind\" r4\n\tsub\tr2,r2,r5\t\t@ \"rewind\" r2\n\n.Lcopy:\tldr\tr7,[r4]\t\t@ conditional copy\n\tldr\tr5,[r2]\n\tstr\tsp,[r4],#4\t\t@ zap tp\n#ifdef\t__thumb2__\n\tit\tcc\n#endif\n\tmovcc\tr5,r7\n\tstr\tr5,[r2],#4\n\tteq\tr4,r0\t\t@ preserve carry\n\tbne\t.Lcopy\n\n\tmov\tsp,r0\n\tadd\tsp,sp,#4\t\t@ skip over tp[num+1]\n\tldmia\tsp!,{r4,r5,r6,r7,r8,r9,r10,r11,r12,lr}\t\t@ restore registers\n\tadd\tsp,sp,#2*4\t\t@ skip over {r0,r2}\n\tmov\tr0,#1\n.Labrt:\n#if __ARM_ARCH>=5\n\tbx\tlr\t\t\t\t@ bx lr\n#else\n\ttst\tlr,#1\n\tmoveq\tpc,lr\t\t\t@ be binary compatible with V4, yet\n.word\t0xe12fff1e\t\t\t@ interoperable with Thumb ISA:-)\n#endif\n.size\tbn_mul_mont_nohw,.-bn_mul_mont_nohw\n#if __ARM_MAX_ARCH__>=7\n.arch\tarmv7-a\n.fpu\tneon\n\n.globl\tbn_mul8x_mont_neon\n.hidden\tbn_mul8x_mont_neon\n.type\tbn_mul8x_mont_neon,%function\n.align\t5\nbn_mul8x_mont_neon:\n\tmov\tip,sp\n\tstmdb\tsp!,{r4,r5,r6,r7,r8,r9,r10,r11}\n\tvstmdb\tsp!,{d8,d9,d10,d11,d12,d13,d14,d15}\t\t@ ABI specification says so\n\tldmia\tip,{r4,r5}\t\t@ load rest of parameter block\n\tmov\tip,sp\n\n\tcmp\tr5,#8\n\tbhi\t.LNEON_8n\n\n\t@ special case for r5==8, everything is in register bank...\n\n\tvld1.32\t{d28[0]}, [r2,:32]!\n\tveor\td8,d8,d8\n\tsub\tr7,sp,r5,lsl#4\n\tvld1.32\t{d0,d1,d2,d3}, [r1]!\t\t@ can't specify :32 :-(\n\tand\tr7,r7,#-64\n\tvld1.32\t{d30[0]}, [r4,:32]\n\tmov\tsp,r7\t\t\t@ alloca\n\tvzip.16\td28,d8\n\n\tvmull.u32\tq6,d28,d0[0]\n\tvmull.u32\tq7,d28,d0[1]\n\tvmull.u32\tq8,d28,d1[0]\n\tvshl.i64\td29,d13,#16\n\tvmull.u32\tq9,d28,d1[1]\n\n\tvadd.u64\td29,d29,d12\n\tveor\td8,d8,d8\n\tvmul.u32\td29,d29,d30\n\n\tvmull.u32\tq10,d28,d2[0]\n\tvld1.32\t{d4,d5,d6,d7}, [r3]!\n\tvmull.u32\tq11,d28,d2[1]\n\tvmull.u32\tq12,d28,d3[0]\n\tvzip.16\td29,d8\n\tvmull.u32\tq13,d28,d3[1]\n\n\tvmlal.u32\tq6,d29,d4[0]\n\tsub\tr9,r5,#1\n\tvmlal.u32\tq7,d29,d4[1]\n\tvmlal.u32\tq8,d29,d5[0]\n\tvmlal.u32\tq9,d29,d5[1]\n\n\tvmlal.u32\tq10,d29,d6[0]\n\tvmov\tq5,q6\n\tvmlal.u32\tq11,d29,d6[1]\n\tvmov\tq6,q7\n\tvmlal.u32\tq12,d29,d7[0]\n\tvmov\tq7,q8\n\tvmlal.u32\tq13,d29,d7[1]\n\tvmov\tq8,q9\n\tvmov\tq9,q10\n\tvshr.u64\td10,d10,#16\n\tvmov\tq10,q11\n\tvmov\tq11,q12\n\tvadd.u64\td10,d10,d11\n\tvmov\tq12,q13\n\tveor\tq13,q13\n\tvshr.u64\td10,d10,#16\n\n\tb\t.LNEON_outer8\n\n.align\t4\n.LNEON_outer8:\n\tvld1.32\t{d28[0]}, [r2,:32]!\n\tveor\td8,d8,d8\n\tvzip.16\td28,d8\n\tvadd.u64\td12,d12,d10\n\n\tvmlal.u32\tq6,d28,d0[0]\n\tvmlal.u32\tq7,d28,d0[1]\n\tvmlal.u32\tq8,d28,d1[0]\n\tvshl.i64\td29,d13,#16\n\tvmlal.u32\tq9,d28,d1[1]\n\n\tvadd.u64\td29,d29,d12\n\tveor\td8,d8,d8\n\tsubs\tr9,r9,#1\n\tvmul.u32\td29,d29,d30\n\n\tvmlal.u32\tq10,d28,d2[0]\n\tvmlal.u32\tq11,d28,d2[1]\n\tvmlal.u32\tq12,d28,d3[0]\n\tvzip.16\td29,d8\n\tvmlal.u32\tq13,d28,d3[1]\n\n\tvmlal.u32\tq6,d29,d4[0]\n\tvmlal.u32\tq7,d29,d4[1]\n\tvmlal.u32\tq8,d29,d5[0]\n\tvmlal.u32\tq9,d29,d5[1]\n\n\tvmlal.u32\tq10,d29,d6[0]\n\tvmov\tq5,q6\n\tvmlal.u32\tq11,d29,d6[1]\n\tvmov\tq6,q7\n\tvmlal.u32\tq12,d29,d7[0]\n\tvmov\tq7,q8\n\tvmlal.u32\tq13,d29,d7[1]\n\tvmov\tq8,q9\n\tvmov\tq9,q10\n\tvshr.u64\td10,d10,#16\n\tvmov\tq10,q11\n\tvmov\tq11,q12\n\tvadd.u64\td10,d10,d11\n\tvmov\tq12,q13\n\tveor\tq13,q13\n\tvshr.u64\td10,d10,#16\n\n\tbne\t.LNEON_outer8\n\n\tvadd.u64\td12,d12,d10\n\tmov\tr7,sp\n\tvshr.u64\td10,d12,#16\n\tmov\tr8,r5\n\tvadd.u64\td13,d13,d10\n\tadd\tr6,sp,#96\n\tvshr.u64\td10,d13,#16\n\tvzip.16\td12,d13\n\n\tb\t.LNEON_tail_entry\n\n.align\t4\n.LNEON_8n:\n\tveor\tq6,q6,q6\n\tsub\tr7,sp,#128\n\tveor\tq7,q7,q7\n\tsub\tr7,r7,r5,lsl#4\n\tveor\tq8,q8,q8\n\tand\tr7,r7,#-64\n\tveor\tq9,q9,q9\n\tmov\tsp,r7\t\t\t@ alloca\n\tveor\tq10,q10,q10\n\tadd\tr7,r7,#256\n\tveor\tq11,q11,q11\n\tsub\tr8,r5,#8\n\tveor\tq12,q12,q12\n\tveor\tq13,q13,q13\n\n.LNEON_8n_init:\n\tvst1.64\t{q6,q7},[r7,:256]!\n\tsubs\tr8,r8,#8\n\tvst1.64\t{q8,q9},[r7,:256]!\n\tvst1.64\t{q10,q11},[r7,:256]!\n\tvst1.64\t{q12,q13},[r7,:256]!\n\tbne\t.LNEON_8n_init\n\n\tadd\tr6,sp,#256\n\tvld1.32\t{d0,d1,d2,d3},[r1]!\n\tadd\tr10,sp,#8\n\tvld1.32\t{d30[0]},[r4,:32]\n\tmov\tr9,r5\n\tb\t.LNEON_8n_outer\n\n.align\t4\n.LNEON_8n_outer:\n\tvld1.32\t{d28[0]},[r2,:32]!\t@ *b++\n\tveor\td8,d8,d8\n\tvzip.16\td28,d8\n\tadd\tr7,sp,#128\n\tvld1.32\t{d4,d5,d6,d7},[r3]!\n\n\tvmlal.u32\tq6,d28,d0[0]\n\tvmlal.u32\tq7,d28,d0[1]\n\tveor\td8,d8,d8\n\tvmlal.u32\tq8,d28,d1[0]\n\tvshl.i64\td29,d13,#16\n\tvmlal.u32\tq9,d28,d1[1]\n\tvadd.u64\td29,d29,d12\n\tvmlal.u32\tq10,d28,d2[0]\n\tvmul.u32\td29,d29,d30\n\tvmlal.u32\tq11,d28,d2[1]\n\tvst1.32\t{d28},[sp,:64]\t\t@ put aside smashed b[8*i+0]\n\tvmlal.u32\tq12,d28,d3[0]\n\tvzip.16\td29,d8\n\tvmlal.u32\tq13,d28,d3[1]\n\tvld1.32\t{d28[0]},[r2,:32]!\t@ *b++\n\tvmlal.u32\tq6,d29,d4[0]\n\tveor\td10,d10,d10\n\tvmlal.u32\tq7,d29,d4[1]\n\tvzip.16\td28,d10\n\tvmlal.u32\tq8,d29,d5[0]\n\tvshr.u64\td12,d12,#16\n\tvmlal.u32\tq9,d29,d5[1]\n\tvmlal.u32\tq10,d29,d6[0]\n\tvadd.u64\td12,d12,d13\n\tvmlal.u32\tq11,d29,d6[1]\n\tvshr.u64\td12,d12,#16\n\tvmlal.u32\tq12,d29,d7[0]\n\tvmlal.u32\tq13,d29,d7[1]\n\tvadd.u64\td14,d14,d12\n\tvst1.32\t{d29},[r10,:64]!\t@ put aside smashed m[8*i+0]\n\tvmlal.u32\tq7,d28,d0[0]\n\tvld1.64\t{q6},[r6,:128]!\n\tvmlal.u32\tq8,d28,d0[1]\n\tveor\td8,d8,d8\n\tvmlal.u32\tq9,d28,d1[0]\n\tvshl.i64\td29,d15,#16\n\tvmlal.u32\tq10,d28,d1[1]\n\tvadd.u64\td29,d29,d14\n\tvmlal.u32\tq11,d28,d2[0]\n\tvmul.u32\td29,d29,d30\n\tvmlal.u32\tq12,d28,d2[1]\n\tvst1.32\t{d28},[r10,:64]!\t@ put aside smashed b[8*i+1]\n\tvmlal.u32\tq13,d28,d3[0]\n\tvzip.16\td29,d8\n\tvmlal.u32\tq6,d28,d3[1]\n\tvld1.32\t{d28[0]},[r2,:32]!\t@ *b++\n\tvmlal.u32\tq7,d29,d4[0]\n\tveor\td10,d10,d10\n\tvmlal.u32\tq8,d29,d4[1]\n\tvzip.16\td28,d10\n\tvmlal.u32\tq9,d29,d5[0]\n\tvshr.u64\td14,d14,#16\n\tvmlal.u32\tq10,d29,d5[1]\n\tvmlal.u32\tq11,d29,d6[0]\n\tvadd.u64\td14,d14,d15\n\tvmlal.u32\tq12,d29,d6[1]\n\tvshr.u64\td14,d14,#16\n\tvmlal.u32\tq13,d29,d7[0]\n\tvmlal.u32\tq6,d29,d7[1]\n\tvadd.u64\td16,d16,d14\n\tvst1.32\t{d29},[r10,:64]!\t@ put aside smashed m[8*i+1]\n\tvmlal.u32\tq8,d28,d0[0]\n\tvld1.64\t{q7},[r6,:128]!\n\tvmlal.u32\tq9,d28,d0[1]\n\tveor\td8,d8,d8\n\tvmlal.u32\tq10,d28,d1[0]\n\tvshl.i64\td29,d17,#16\n\tvmlal.u32\tq11,d28,d1[1]\n\tvadd.u64\td29,d29,d16\n\tvmlal.u32\tq12,d28,d2[0]\n\tvmul.u32\td29,d29,d30\n\tvmlal.u32\tq13,d28,d2[1]\n\tvst1.32\t{d28},[r10,:64]!\t@ put aside smashed b[8*i+2]\n\tvmlal.u32\tq6,d28,d3[0]\n\tvzip.16\td29,d8\n\tvmlal.u32\tq7,d28,d3[1]\n\tvld1.32\t{d28[0]},[r2,:32]!\t@ *b++\n\tvmlal.u32\tq8,d29,d4[0]\n\tveor\td10,d10,d10\n\tvmlal.u32\tq9,d29,d4[1]\n\tvzip.16\td28,d10\n\tvmlal.u32\tq10,d29,d5[0]\n\tvshr.u64\td16,d16,#16\n\tvmlal.u32\tq11,d29,d5[1]\n\tvmlal.u32\tq12,d29,d6[0]\n\tvadd.u64\td16,d16,d17\n\tvmlal.u32\tq13,d29,d6[1]\n\tvshr.u64\td16,d16,#16\n\tvmlal.u32\tq6,d29,d7[0]\n\tvmlal.u32\tq7,d29,d7[1]\n\tvadd.u64\td18,d18,d16\n\tvst1.32\t{d29},[r10,:64]!\t@ put aside smashed m[8*i+2]\n\tvmlal.u32\tq9,d28,d0[0]\n\tvld1.64\t{q8},[r6,:128]!\n\tvmlal.u32\tq10,d28,d0[1]\n\tveor\td8,d8,d8\n\tvmlal.u32\tq11,d28,d1[0]\n\tvshl.i64\td29,d19,#16\n\tvmlal.u32\tq12,d28,d1[1]\n\tvadd.u64\td29,d29,d18\n\tvmlal.u32\tq13,d28,d2[0]\n\tvmul.u32\td29,d29,d30\n\tvmlal.u32\tq6,d28,d2[1]\n\tvst1.32\t{d28},[r10,:64]!\t@ put aside smashed b[8*i+3]\n\tvmlal.u32\tq7,d28,d3[0]\n\tvzip.16\td29,d8\n\tvmlal.u32\tq8,d28,d3[1]\n\tvld1.32\t{d28[0]},[r2,:32]!\t@ *b++\n\tvmlal.u32\tq9,d29,d4[0]\n\tveor\td10,d10,d10\n\tvmlal.u32\tq10,d29,d4[1]\n\tvzip.16\td28,d10\n\tvmlal.u32\tq11,d29,d5[0]\n\tvshr.u64\td18,d18,#16\n\tvmlal.u32\tq12,d29,d5[1]\n\tvmlal.u32\tq13,d29,d6[0]\n\tvadd.u64\td18,d18,d19\n\tvmlal.u32\tq6,d29,d6[1]\n\tvshr.u64\td18,d18,#16\n\tvmlal.u32\tq7,d29,d7[0]\n\tvmlal.u32\tq8,d29,d7[1]\n\tvadd.u64\td20,d20,d18\n\tvst1.32\t{d29},[r10,:64]!\t@ put aside smashed m[8*i+3]\n\tvmlal.u32\tq10,d28,d0[0]\n\tvld1.64\t{q9},[r6,:128]!\n\tvmlal.u32\tq11,d28,d0[1]\n\tveor\td8,d8,d8\n\tvmlal.u32\tq12,d28,d1[0]\n\tvshl.i64\td29,d21,#16\n\tvmlal.u32\tq13,d28,d1[1]\n\tvadd.u64\td29,d29,d20\n\tvmlal.u32\tq6,d28,d2[0]\n\tvmul.u32\td29,d29,d30\n\tvmlal.u32\tq7,d28,d2[1]\n\tvst1.32\t{d28},[r10,:64]!\t@ put aside smashed b[8*i+4]\n\tvmlal.u32\tq8,d28,d3[0]\n\tvzip.16\td29,d8\n\tvmlal.u32\tq9,d28,d3[1]\n\tvld1.32\t{d28[0]},[r2,:32]!\t@ *b++\n\tvmlal.u32\tq10,d29,d4[0]\n\tveor\td10,d10,d10\n\tvmlal.u32\tq11,d29,d4[1]\n\tvzip.16\td28,d10\n\tvmlal.u32\tq12,d29,d5[0]\n\tvshr.u64\td20,d20,#16\n\tvmlal.u32\tq13,d29,d5[1]\n\tvmlal.u32\tq6,d29,d6[0]\n\tvadd.u64\td20,d20,d21\n\tvmlal.u32\tq7,d29,d6[1]\n\tvshr.u64\td20,d20,#16\n\tvmlal.u32\tq8,d29,d7[0]\n\tvmlal.u32\tq9,d29,d7[1]\n\tvadd.u64\td22,d22,d20\n\tvst1.32\t{d29},[r10,:64]!\t@ put aside smashed m[8*i+4]\n\tvmlal.u32\tq11,d28,d0[0]\n\tvld1.64\t{q10},[r6,:128]!\n\tvmlal.u32\tq12,d28,d0[1]\n\tveor\td8,d8,d8\n\tvmlal.u32\tq13,d28,d1[0]\n\tvshl.i64\td29,d23,#16\n\tvmlal.u32\tq6,d28,d1[1]\n\tvadd.u64\td29,d29,d22\n\tvmlal.u32\tq7,d28,d2[0]\n\tvmul.u32\td29,d29,d30\n\tvmlal.u32\tq8,d28,d2[1]\n\tvst1.32\t{d28},[r10,:64]!\t@ put aside smashed b[8*i+5]\n\tvmlal.u32\tq9,d28,d3[0]\n\tvzip.16\td29,d8\n\tvmlal.u32\tq10,d28,d3[1]\n\tvld1.32\t{d28[0]},[r2,:32]!\t@ *b++\n\tvmlal.u32\tq11,d29,d4[0]\n\tveor\td10,d10,d10\n\tvmlal.u32\tq12,d29,d4[1]\n\tvzip.16\td28,d10\n\tvmlal.u32\tq13,d29,d5[0]\n\tvshr.u64\td22,d22,#16\n\tvmlal.u32\tq6,d29,d5[1]\n\tvmlal.u32\tq7,d29,d6[0]\n\tvadd.u64\td22,d22,d23\n\tvmlal.u32\tq8,d29,d6[1]\n\tvshr.u64\td22,d22,#16\n\tvmlal.u32\tq9,d29,d7[0]\n\tvmlal.u32\tq10,d29,d7[1]\n\tvadd.u64\td24,d24,d22\n\tvst1.32\t{d29},[r10,:64]!\t@ put aside smashed m[8*i+5]\n\tvmlal.u32\tq12,d28,d0[0]\n\tvld1.64\t{q11},[r6,:128]!\n\tvmlal.u32\tq13,d28,d0[1]\n\tveor\td8,d8,d8\n\tvmlal.u32\tq6,d28,d1[0]\n\tvshl.i64\td29,d25,#16\n\tvmlal.u32\tq7,d28,d1[1]\n\tvadd.u64\td29,d29,d24\n\tvmlal.u32\tq8,d28,d2[0]\n\tvmul.u32\td29,d29,d30\n\tvmlal.u32\tq9,d28,d2[1]\n\tvst1.32\t{d28},[r10,:64]!\t@ put aside smashed b[8*i+6]\n\tvmlal.u32\tq10,d28,d3[0]\n\tvzip.16\td29,d8\n\tvmlal.u32\tq11,d28,d3[1]\n\tvld1.32\t{d28[0]},[r2,:32]!\t@ *b++\n\tvmlal.u32\tq12,d29,d4[0]\n\tveor\td10,d10,d10\n\tvmlal.u32\tq13,d29,d4[1]\n\tvzip.16\td28,d10\n\tvmlal.u32\tq6,d29,d5[0]\n\tvshr.u64\td24,d24,#16\n\tvmlal.u32\tq7,d29,d5[1]\n\tvmlal.u32\tq8,d29,d6[0]\n\tvadd.u64\td24,d24,d25\n\tvmlal.u32\tq9,d29,d6[1]\n\tvshr.u64\td24,d24,#16\n\tvmlal.u32\tq10,d29,d7[0]\n\tvmlal.u32\tq11,d29,d7[1]\n\tvadd.u64\td26,d26,d24\n\tvst1.32\t{d29},[r10,:64]!\t@ put aside smashed m[8*i+6]\n\tvmlal.u32\tq13,d28,d0[0]\n\tvld1.64\t{q12},[r6,:128]!\n\tvmlal.u32\tq6,d28,d0[1]\n\tveor\td8,d8,d8\n\tvmlal.u32\tq7,d28,d1[0]\n\tvshl.i64\td29,d27,#16\n\tvmlal.u32\tq8,d28,d1[1]\n\tvadd.u64\td29,d29,d26\n\tvmlal.u32\tq9,d28,d2[0]\n\tvmul.u32\td29,d29,d30\n\tvmlal.u32\tq10,d28,d2[1]\n\tvst1.32\t{d28},[r10,:64]!\t@ put aside smashed b[8*i+7]\n\tvmlal.u32\tq11,d28,d3[0]\n\tvzip.16\td29,d8\n\tvmlal.u32\tq12,d28,d3[1]\n\tvld1.32\t{d28},[sp,:64]\t\t@ pull smashed b[8*i+0]\n\tvmlal.u32\tq13,d29,d4[0]\n\tvld1.32\t{d0,d1,d2,d3},[r1]!\n\tvmlal.u32\tq6,d29,d4[1]\n\tvmlal.u32\tq7,d29,d5[0]\n\tvshr.u64\td26,d26,#16\n\tvmlal.u32\tq8,d29,d5[1]\n\tvmlal.u32\tq9,d29,d6[0]\n\tvadd.u64\td26,d26,d27\n\tvmlal.u32\tq10,d29,d6[1]\n\tvshr.u64\td26,d26,#16\n\tvmlal.u32\tq11,d29,d7[0]\n\tvmlal.u32\tq12,d29,d7[1]\n\tvadd.u64\td12,d12,d26\n\tvst1.32\t{d29},[r10,:64]\t@ put aside smashed m[8*i+7]\n\tadd\tr10,sp,#8\t\t@ rewind\n\tsub\tr8,r5,#8\n\tb\t.LNEON_8n_inner\n\n.align\t4\n.LNEON_8n_inner:\n\tsubs\tr8,r8,#8\n\tvmlal.u32\tq6,d28,d0[0]\n\tvld1.64\t{q13},[r6,:128]\n\tvmlal.u32\tq7,d28,d0[1]\n\tvld1.32\t{d29},[r10,:64]!\t@ pull smashed m[8*i+0]\n\tvmlal.u32\tq8,d28,d1[0]\n\tvld1.32\t{d4,d5,d6,d7},[r3]!\n\tvmlal.u32\tq9,d28,d1[1]\n\tit\tne\n\taddne\tr6,r6,#16\t@ don't advance in last iteration\n\tvmlal.u32\tq10,d28,d2[0]\n\tvmlal.u32\tq11,d28,d2[1]\n\tvmlal.u32\tq12,d28,d3[0]\n\tvmlal.u32\tq13,d28,d3[1]\n\tvld1.32\t{d28},[r10,:64]!\t@ pull smashed b[8*i+1]\n\tvmlal.u32\tq6,d29,d4[0]\n\tvmlal.u32\tq7,d29,d4[1]\n\tvmlal.u32\tq8,d29,d5[0]\n\tvmlal.u32\tq9,d29,d5[1]\n\tvmlal.u32\tq10,d29,d6[0]\n\tvmlal.u32\tq11,d29,d6[1]\n\tvmlal.u32\tq12,d29,d7[0]\n\tvmlal.u32\tq13,d29,d7[1]\n\tvst1.64\t{q6},[r7,:128]!\n\tvmlal.u32\tq7,d28,d0[0]\n\tvld1.64\t{q6},[r6,:128]\n\tvmlal.u32\tq8,d28,d0[1]\n\tvld1.32\t{d29},[r10,:64]!\t@ pull smashed m[8*i+1]\n\tvmlal.u32\tq9,d28,d1[0]\n\tit\tne\n\taddne\tr6,r6,#16\t@ don't advance in last iteration\n\tvmlal.u32\tq10,d28,d1[1]\n\tvmlal.u32\tq11,d28,d2[0]\n\tvmlal.u32\tq12,d28,d2[1]\n\tvmlal.u32\tq13,d28,d3[0]\n\tvmlal.u32\tq6,d28,d3[1]\n\tvld1.32\t{d28},[r10,:64]!\t@ pull smashed b[8*i+2]\n\tvmlal.u32\tq7,d29,d4[0]\n\tvmlal.u32\tq8,d29,d4[1]\n\tvmlal.u32\tq9,d29,d5[0]\n\tvmlal.u32\tq10,d29,d5[1]\n\tvmlal.u32\tq11,d29,d6[0]\n\tvmlal.u32\tq12,d29,d6[1]\n\tvmlal.u32\tq13,d29,d7[0]\n\tvmlal.u32\tq6,d29,d7[1]\n\tvst1.64\t{q7},[r7,:128]!\n\tvmlal.u32\tq8,d28,d0[0]\n\tvld1.64\t{q7},[r6,:128]\n\tvmlal.u32\tq9,d28,d0[1]\n\tvld1.32\t{d29},[r10,:64]!\t@ pull smashed m[8*i+2]\n\tvmlal.u32\tq10,d28,d1[0]\n\tit\tne\n\taddne\tr6,r6,#16\t@ don't advance in last iteration\n\tvmlal.u32\tq11,d28,d1[1]\n\tvmlal.u32\tq12,d28,d2[0]\n\tvmlal.u32\tq13,d28,d2[1]\n\tvmlal.u32\tq6,d28,d3[0]\n\tvmlal.u32\tq7,d28,d3[1]\n\tvld1.32\t{d28},[r10,:64]!\t@ pull smashed b[8*i+3]\n\tvmlal.u32\tq8,d29,d4[0]\n\tvmlal.u32\tq9,d29,d4[1]\n\tvmlal.u32\tq10,d29,d5[0]\n\tvmlal.u32\tq11,d29,d5[1]\n\tvmlal.u32\tq12,d29,d6[0]\n\tvmlal.u32\tq13,d29,d6[1]\n\tvmlal.u32\tq6,d29,d7[0]\n\tvmlal.u32\tq7,d29,d7[1]\n\tvst1.64\t{q8},[r7,:128]!\n\tvmlal.u32\tq9,d28,d0[0]\n\tvld1.64\t{q8},[r6,:128]\n\tvmlal.u32\tq10,d28,d0[1]\n\tvld1.32\t{d29},[r10,:64]!\t@ pull smashed m[8*i+3]\n\tvmlal.u32\tq11,d28,d1[0]\n\tit\tne\n\taddne\tr6,r6,#16\t@ don't advance in last iteration\n\tvmlal.u32\tq12,d28,d1[1]\n\tvmlal.u32\tq13,d28,d2[0]\n\tvmlal.u32\tq6,d28,d2[1]\n\tvmlal.u32\tq7,d28,d3[0]\n\tvmlal.u32\tq8,d28,d3[1]\n\tvld1.32\t{d28},[r10,:64]!\t@ pull smashed b[8*i+4]\n\tvmlal.u32\tq9,d29,d4[0]\n\tvmlal.u32\tq10,d29,d4[1]\n\tvmlal.u32\tq11,d29,d5[0]\n\tvmlal.u32\tq12,d29,d5[1]\n\tvmlal.u32\tq13,d29,d6[0]\n\tvmlal.u32\tq6,d29,d6[1]\n\tvmlal.u32\tq7,d29,d7[0]\n\tvmlal.u32\tq8,d29,d7[1]\n\tvst1.64\t{q9},[r7,:128]!\n\tvmlal.u32\tq10,d28,d0[0]\n\tvld1.64\t{q9},[r6,:128]\n\tvmlal.u32\tq11,d28,d0[1]\n\tvld1.32\t{d29},[r10,:64]!\t@ pull smashed m[8*i+4]\n\tvmlal.u32\tq12,d28,d1[0]\n\tit\tne\n\taddne\tr6,r6,#16\t@ don't advance in last iteration\n\tvmlal.u32\tq13,d28,d1[1]\n\tvmlal.u32\tq6,d28,d2[0]\n\tvmlal.u32\tq7,d28,d2[1]\n\tvmlal.u32\tq8,d28,d3[0]\n\tvmlal.u32\tq9,d28,d3[1]\n\tvld1.32\t{d28},[r10,:64]!\t@ pull smashed b[8*i+5]\n\tvmlal.u32\tq10,d29,d4[0]\n\tvmlal.u32\tq11,d29,d4[1]\n\tvmlal.u32\tq12,d29,d5[0]\n\tvmlal.u32\tq13,d29,d5[1]\n\tvmlal.u32\tq6,d29,d6[0]\n\tvmlal.u32\tq7,d29,d6[1]\n\tvmlal.u32\tq8,d29,d7[0]\n\tvmlal.u32\tq9,d29,d7[1]\n\tvst1.64\t{q10},[r7,:128]!\n\tvmlal.u32\tq11,d28,d0[0]\n\tvld1.64\t{q10},[r6,:128]\n\tvmlal.u32\tq12,d28,d0[1]\n\tvld1.32\t{d29},[r10,:64]!\t@ pull smashed m[8*i+5]\n\tvmlal.u32\tq13,d28,d1[0]\n\tit\tne\n\taddne\tr6,r6,#16\t@ don't advance in last iteration\n\tvmlal.u32\tq6,d28,d1[1]\n\tvmlal.u32\tq7,d28,d2[0]\n\tvmlal.u32\tq8,d28,d2[1]\n\tvmlal.u32\tq9,d28,d3[0]\n\tvmlal.u32\tq10,d28,d3[1]\n\tvld1.32\t{d28},[r10,:64]!\t@ pull smashed b[8*i+6]\n\tvmlal.u32\tq11,d29,d4[0]\n\tvmlal.u32\tq12,d29,d4[1]\n\tvmlal.u32\tq13,d29,d5[0]\n\tvmlal.u32\tq6,d29,d5[1]\n\tvmlal.u32\tq7,d29,d6[0]\n\tvmlal.u32\tq8,d29,d6[1]\n\tvmlal.u32\tq9,d29,d7[0]\n\tvmlal.u32\tq10,d29,d7[1]\n\tvst1.64\t{q11},[r7,:128]!\n\tvmlal.u32\tq12,d28,d0[0]\n\tvld1.64\t{q11},[r6,:128]\n\tvmlal.u32\tq13,d28,d0[1]\n\tvld1.32\t{d29},[r10,:64]!\t@ pull smashed m[8*i+6]\n\tvmlal.u32\tq6,d28,d1[0]\n\tit\tne\n\taddne\tr6,r6,#16\t@ don't advance in last iteration\n\tvmlal.u32\tq7,d28,d1[1]\n\tvmlal.u32\tq8,d28,d2[0]\n\tvmlal.u32\tq9,d28,d2[1]\n\tvmlal.u32\tq10,d28,d3[0]\n\tvmlal.u32\tq11,d28,d3[1]\n\tvld1.32\t{d28},[r10,:64]!\t@ pull smashed b[8*i+7]\n\tvmlal.u32\tq12,d29,d4[0]\n\tvmlal.u32\tq13,d29,d4[1]\n\tvmlal.u32\tq6,d29,d5[0]\n\tvmlal.u32\tq7,d29,d5[1]\n\tvmlal.u32\tq8,d29,d6[0]\n\tvmlal.u32\tq9,d29,d6[1]\n\tvmlal.u32\tq10,d29,d7[0]\n\tvmlal.u32\tq11,d29,d7[1]\n\tvst1.64\t{q12},[r7,:128]!\n\tvmlal.u32\tq13,d28,d0[0]\n\tvld1.64\t{q12},[r6,:128]\n\tvmlal.u32\tq6,d28,d0[1]\n\tvld1.32\t{d29},[r10,:64]!\t@ pull smashed m[8*i+7]\n\tvmlal.u32\tq7,d28,d1[0]\n\tit\tne\n\taddne\tr6,r6,#16\t@ don't advance in last iteration\n\tvmlal.u32\tq8,d28,d1[1]\n\tvmlal.u32\tq9,d28,d2[0]\n\tvmlal.u32\tq10,d28,d2[1]\n\tvmlal.u32\tq11,d28,d3[0]\n\tvmlal.u32\tq12,d28,d3[1]\n\tit\teq\n\tsubeq\tr1,r1,r5,lsl#2\t@ rewind\n\tvmlal.u32\tq13,d29,d4[0]\n\tvld1.32\t{d28},[sp,:64]\t\t@ pull smashed b[8*i+0]\n\tvmlal.u32\tq6,d29,d4[1]\n\tvld1.32\t{d0,d1,d2,d3},[r1]!\n\tvmlal.u32\tq7,d29,d5[0]\n\tadd\tr10,sp,#8\t\t@ rewind\n\tvmlal.u32\tq8,d29,d5[1]\n\tvmlal.u32\tq9,d29,d6[0]\n\tvmlal.u32\tq10,d29,d6[1]\n\tvmlal.u32\tq11,d29,d7[0]\n\tvst1.64\t{q13},[r7,:128]!\n\tvmlal.u32\tq12,d29,d7[1]\n\n\tbne\t.LNEON_8n_inner\n\tadd\tr6,sp,#128\n\tvst1.64\t{q6,q7},[r7,:256]!\n\tveor\tq2,q2,q2\t\t@ d4-d5\n\tvst1.64\t{q8,q9},[r7,:256]!\n\tveor\tq3,q3,q3\t\t@ d6-d7\n\tvst1.64\t{q10,q11},[r7,:256]!\n\tvst1.64\t{q12},[r7,:128]\n\n\tsubs\tr9,r9,#8\n\tvld1.64\t{q6,q7},[r6,:256]!\n\tvld1.64\t{q8,q9},[r6,:256]!\n\tvld1.64\t{q10,q11},[r6,:256]!\n\tvld1.64\t{q12,q13},[r6,:256]!\n\n\titt\tne\n\tsubne\tr3,r3,r5,lsl#2\t@ rewind\n\tbne\t.LNEON_8n_outer\n\n\tadd\tr7,sp,#128\n\tvst1.64\t{q2,q3}, [sp,:256]!\t@ start wiping stack frame\n\tvshr.u64\td10,d12,#16\n\tvst1.64\t{q2,q3},[sp,:256]!\n\tvadd.u64\td13,d13,d10\n\tvst1.64\t{q2,q3}, [sp,:256]!\n\tvshr.u64\td10,d13,#16\n\tvst1.64\t{q2,q3}, [sp,:256]!\n\tvzip.16\td12,d13\n\n\tmov\tr8,r5\n\tb\t.LNEON_tail_entry\n\n.align\t4\n.LNEON_tail:\n\tvadd.u64\td12,d12,d10\n\tvshr.u64\td10,d12,#16\n\tvld1.64\t{q8,q9}, [r6, :256]!\n\tvadd.u64\td13,d13,d10\n\tvld1.64\t{q10,q11}, [r6, :256]!\n\tvshr.u64\td10,d13,#16\n\tvld1.64\t{q12,q13}, [r6, :256]!\n\tvzip.16\td12,d13\n\n.LNEON_tail_entry:\n\tvadd.u64\td14,d14,d10\n\tvst1.32\t{d12[0]}, [r7, :32]!\n\tvshr.u64\td10,d14,#16\n\tvadd.u64\td15,d15,d10\n\tvshr.u64\td10,d15,#16\n\tvzip.16\td14,d15\n\tvadd.u64\td16,d16,d10\n\tvst1.32\t{d14[0]}, [r7, :32]!\n\tvshr.u64\td10,d16,#16\n\tvadd.u64\td17,d17,d10\n\tvshr.u64\td10,d17,#16\n\tvzip.16\td16,d17\n\tvadd.u64\td18,d18,d10\n\tvst1.32\t{d16[0]}, [r7, :32]!\n\tvshr.u64\td10,d18,#16\n\tvadd.u64\td19,d19,d10\n\tvshr.u64\td10,d19,#16\n\tvzip.16\td18,d19\n\tvadd.u64\td20,d20,d10\n\tvst1.32\t{d18[0]}, [r7, :32]!\n\tvshr.u64\td10,d20,#16\n\tvadd.u64\td21,d21,d10\n\tvshr.u64\td10,d21,#16\n\tvzip.16\td20,d21\n\tvadd.u64\td22,d22,d10\n\tvst1.32\t{d20[0]}, [r7, :32]!\n\tvshr.u64\td10,d22,#16\n\tvadd.u64\td23,d23,d10\n\tvshr.u64\td10,d23,#16\n\tvzip.16\td22,d23\n\tvadd.u64\td24,d24,d10\n\tvst1.32\t{d22[0]}, [r7, :32]!\n\tvshr.u64\td10,d24,#16\n\tvadd.u64\td25,d25,d10\n\tvshr.u64\td10,d25,#16\n\tvzip.16\td24,d25\n\tvadd.u64\td26,d26,d10\n\tvst1.32\t{d24[0]}, [r7, :32]!\n\tvshr.u64\td10,d26,#16\n\tvadd.u64\td27,d27,d10\n\tvshr.u64\td10,d27,#16\n\tvzip.16\td26,d27\n\tvld1.64\t{q6,q7}, [r6, :256]!\n\tsubs\tr8,r8,#8\n\tvst1.32\t{d26[0]}, [r7, :32]!\n\tbne\t.LNEON_tail\n\n\tvst1.32\t{d10[0]}, [r7, :32]\t\t@ top-most bit\n\tsub\tr3,r3,r5,lsl#2\t\t\t@ rewind r3\n\tsubs\tr1,sp,#0\t\t\t\t@ clear carry flag\n\tadd\tr2,sp,r5,lsl#2\n\n.LNEON_sub:\n\tldmia\tr1!, {r4,r5,r6,r7}\n\tldmia\tr3!, {r8,r9,r10,r11}\n\tsbcs\tr8, r4,r8\n\tsbcs\tr9, r5,r9\n\tsbcs\tr10,r6,r10\n\tsbcs\tr11,r7,r11\n\tteq\tr1,r2\t\t\t\t@ preserves carry\n\tstmia\tr0!, {r8,r9,r10,r11}\n\tbne\t.LNEON_sub\n\n\tldr\tr10, [r1]\t\t\t\t@ load top-most bit\n\tmov\tr11,sp\n\tveor\tq0,q0,q0\n\tsub\tr11,r2,r11\t\t\t\t@ this is num*4\n\tveor\tq1,q1,q1\n\tmov\tr1,sp\n\tsub\tr0,r0,r11\t\t\t\t@ rewind r0\n\tmov\tr3,r2\t\t\t\t@ second 3/4th of frame\n\tsbcs\tr10,r10,#0\t\t\t\t@ result is carry flag\n\n.LNEON_copy_n_zap:\n\tldmia\tr1!, {r4,r5,r6,r7}\n\tldmia\tr0, {r8,r9,r10,r11}\n\tit\tcc\n\tmovcc\tr8, r4\n\tvst1.64\t{q0,q1}, [r3,:256]!\t\t\t@ wipe\n\titt\tcc\n\tmovcc\tr9, r5\n\tmovcc\tr10,r6\n\tvst1.64\t{q0,q1}, [r3,:256]!\t\t\t@ wipe\n\tit\tcc\n\tmovcc\tr11,r7\n\tldmia\tr1, {r4,r5,r6,r7}\n\tstmia\tr0!, {r8,r9,r10,r11}\n\tsub\tr1,r1,#16\n\tldmia\tr0, {r8,r9,r10,r11}\n\tit\tcc\n\tmovcc\tr8, r4\n\tvst1.64\t{q0,q1}, [r1,:256]!\t\t\t@ wipe\n\titt\tcc\n\tmovcc\tr9, r5\n\tmovcc\tr10,r6\n\tvst1.64\t{q0,q1}, [r3,:256]!\t\t\t@ wipe\n\tit\tcc\n\tmovcc\tr11,r7\n\tteq\tr1,r2\t\t\t\t@ preserves carry\n\tstmia\tr0!, {r8,r9,r10,r11}\n\tbne\t.LNEON_copy_n_zap\n\n\tmov\tsp,ip\n\tvldmia\tsp!,{d8,d9,d10,d11,d12,d13,d14,d15}\n\tldmia\tsp!,{r4,r5,r6,r7,r8,r9,r10,r11}\n\tbx\tlr\t\t\t\t\t\t@ bx lr\n.size\tbn_mul8x_mont_neon,.-bn_mul8x_mont_neon\n#endif\n.byte\t77,111,110,116,103,111,109,101,114,121,32,109,117,108,116,105,112,108,105,99,97,116,105,111,110,32,102,111,114,32,65,82,77,118,52,47,78,69,79,78,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0\n.align\t2\n#endif // !OPENSSL_NO_ASM && defined(OPENSSL_ARM) && defined(__ELF__)\n#if defined(__linux__) && defined(__ELF__)\n.section .note.GNU-stack,\"\",%progbits\n#endif\n\n" }, { "path": "Sources/CNIOBoringSSL/gen/bcm/armv8-mont-apple.S", "content": "#define BORINGSSL_PREFIX CNIOBoringSSL\n// This file is generated from a similarly-named Perl script in the BoringSSL\n// source tree. Do not edit by hand.\n\n#include \n\n#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_AARCH64) && defined(__APPLE__)\n#include \n\n.text\n\n.globl\t_bn_mul_mont\n.private_extern\t_bn_mul_mont\n\n.align\t5\n_bn_mul_mont:\n\tAARCH64_SIGN_LINK_REGISTER\n\ttst\tx5,#7\n\tb.eq\t__bn_sqr8x_mont\n\ttst\tx5,#3\n\tb.eq\t__bn_mul4x_mont\nLmul_mont:\n\tstp\tx29,x30,[sp,#-64]!\n\tadd\tx29,sp,#0\n\tstp\tx19,x20,[sp,#16]\n\tstp\tx21,x22,[sp,#32]\n\tstp\tx23,x24,[sp,#48]\n\n\tldr\tx9,[x2],#8\t\t// bp[0]\n\tsub\tx22,sp,x5,lsl#3\n\tldp\tx7,x8,[x1],#16\t// ap[0..1]\n\tlsl\tx5,x5,#3\n\tldr\tx4,[x4]\t\t// *n0\n\tand\tx22,x22,#-16\t\t// ABI says so\n\tldp\tx13,x14,[x3],#16\t// np[0..1]\n\n\tmul\tx6,x7,x9\t\t// ap[0]*bp[0]\n\tsub\tx21,x5,#16\t\t// j=num-2\n\tumulh\tx7,x7,x9\n\tmul\tx10,x8,x9\t\t// ap[1]*bp[0]\n\tumulh\tx11,x8,x9\n\n\tmul\tx15,x6,x4\t\t// \"tp[0]\"*n0\n\tmov\tsp,x22\t\t\t// alloca\n\n\t// (*)\tmul\tx12,x13,x15\t// np[0]*m1\n\tumulh\tx13,x13,x15\n\tmul\tx16,x14,x15\t\t// np[1]*m1\n\t// (*)\tadds\tx12,x12,x6\t// discarded\n\t// (*)\tAs for removal of first multiplication and addition\n\t//\tinstructions. The outcome of first addition is\n\t//\tguaranteed to be zero, which leaves two computationally\n\t//\tsignificant outcomes: it either carries or not. Then\n\t//\tquestion is when does it carry? Is there alternative\n\t//\tway to deduce it? If you follow operations, you can\n\t//\tobserve that condition for carry is quite simple:\n\t//\tx6 being non-zero. So that carry can be calculated\n\t//\tby adding -1 to x6. That's what next instruction does.\n\tsubs\txzr,x6,#1\t\t// (*)\n\tumulh\tx17,x14,x15\n\tadc\tx13,x13,xzr\n\tcbz\tx21,L1st_skip\n\nL1st:\n\tldr\tx8,[x1],#8\n\tadds\tx6,x10,x7\n\tsub\tx21,x21,#8\t\t// j--\n\tadc\tx7,x11,xzr\n\n\tldr\tx14,[x3],#8\n\tadds\tx12,x16,x13\n\tmul\tx10,x8,x9\t\t// ap[j]*bp[0]\n\tadc\tx13,x17,xzr\n\tumulh\tx11,x8,x9\n\n\tadds\tx12,x12,x6\n\tmul\tx16,x14,x15\t\t// np[j]*m1\n\tadc\tx13,x13,xzr\n\tumulh\tx17,x14,x15\n\tstr\tx12,[x22],#8\t\t// tp[j-1]\n\tcbnz\tx21,L1st\n\nL1st_skip:\n\tadds\tx6,x10,x7\n\tsub\tx1,x1,x5\t\t// rewind x1\n\tadc\tx7,x11,xzr\n\n\tadds\tx12,x16,x13\n\tsub\tx3,x3,x5\t\t// rewind x3\n\tadc\tx13,x17,xzr\n\n\tadds\tx12,x12,x6\n\tsub\tx20,x5,#8\t\t// i=num-1\n\tadcs\tx13,x13,x7\n\n\tadc\tx19,xzr,xzr\t\t// upmost overflow bit\n\tstp\tx12,x13,[x22]\n\nLouter:\n\tldr\tx9,[x2],#8\t\t// bp[i]\n\tldp\tx7,x8,[x1],#16\n\tldr\tx23,[sp]\t\t// tp[0]\n\tadd\tx22,sp,#8\n\n\tmul\tx6,x7,x9\t\t// ap[0]*bp[i]\n\tsub\tx21,x5,#16\t\t// j=num-2\n\tumulh\tx7,x7,x9\n\tldp\tx13,x14,[x3],#16\n\tmul\tx10,x8,x9\t\t// ap[1]*bp[i]\n\tadds\tx6,x6,x23\n\tumulh\tx11,x8,x9\n\tadc\tx7,x7,xzr\n\n\tmul\tx15,x6,x4\n\tsub\tx20,x20,#8\t\t// i--\n\n\t// (*)\tmul\tx12,x13,x15\t// np[0]*m1\n\tumulh\tx13,x13,x15\n\tmul\tx16,x14,x15\t\t// np[1]*m1\n\t// (*)\tadds\tx12,x12,x6\n\tsubs\txzr,x6,#1\t\t// (*)\n\tumulh\tx17,x14,x15\n\tcbz\tx21,Linner_skip\n\nLinner:\n\tldr\tx8,[x1],#8\n\tadc\tx13,x13,xzr\n\tldr\tx23,[x22],#8\t\t// tp[j]\n\tadds\tx6,x10,x7\n\tsub\tx21,x21,#8\t\t// j--\n\tadc\tx7,x11,xzr\n\n\tadds\tx12,x16,x13\n\tldr\tx14,[x3],#8\n\tadc\tx13,x17,xzr\n\n\tmul\tx10,x8,x9\t\t// ap[j]*bp[i]\n\tadds\tx6,x6,x23\n\tumulh\tx11,x8,x9\n\tadc\tx7,x7,xzr\n\n\tmul\tx16,x14,x15\t\t// np[j]*m1\n\tadds\tx12,x12,x6\n\tumulh\tx17,x14,x15\n\tstr\tx12,[x22,#-16]\t\t// tp[j-1]\n\tcbnz\tx21,Linner\n\nLinner_skip:\n\tldr\tx23,[x22],#8\t\t// tp[j]\n\tadc\tx13,x13,xzr\n\tadds\tx6,x10,x7\n\tsub\tx1,x1,x5\t\t// rewind x1\n\tadc\tx7,x11,xzr\n\n\tadds\tx12,x16,x13\n\tsub\tx3,x3,x5\t\t// rewind x3\n\tadcs\tx13,x17,x19\n\tadc\tx19,xzr,xzr\n\n\tadds\tx6,x6,x23\n\tadc\tx7,x7,xzr\n\n\tadds\tx12,x12,x6\n\tadcs\tx13,x13,x7\n\tadc\tx19,x19,xzr\t\t// upmost overflow bit\n\tstp\tx12,x13,[x22,#-16]\n\n\tcbnz\tx20,Louter\n\n\t// Final step. We see if result is larger than modulus, and\n\t// if it is, subtract the modulus. But comparison implies\n\t// subtraction. So we subtract modulus, see if it borrowed,\n\t// and conditionally copy original value.\n\tldr\tx23,[sp]\t\t// tp[0]\n\tadd\tx22,sp,#8\n\tldr\tx14,[x3],#8\t\t// np[0]\n\tsubs\tx21,x5,#8\t\t// j=num-1 and clear borrow\n\tmov\tx1,x0\nLsub:\n\tsbcs\tx8,x23,x14\t\t// tp[j]-np[j]\n\tldr\tx23,[x22],#8\n\tsub\tx21,x21,#8\t\t// j--\n\tldr\tx14,[x3],#8\n\tstr\tx8,[x1],#8\t\t// rp[j]=tp[j]-np[j]\n\tcbnz\tx21,Lsub\n\n\tsbcs\tx8,x23,x14\n\tsbcs\tx19,x19,xzr\t\t// did it borrow?\n\tstr\tx8,[x1],#8\t\t// rp[num-1]\n\n\tldr\tx23,[sp]\t\t// tp[0]\n\tadd\tx22,sp,#8\n\tldr\tx8,[x0],#8\t\t// rp[0]\n\tsub\tx5,x5,#8\t\t// num--\n\tnop\nLcond_copy:\n\tsub\tx5,x5,#8\t\t// num--\n\tcsel\tx14,x23,x8,lo\t\t// did it borrow?\n\tldr\tx23,[x22],#8\n\tldr\tx8,[x0],#8\n\tstr\txzr,[x22,#-16]\t\t// wipe tp\n\tstr\tx14,[x0,#-16]\n\tcbnz\tx5,Lcond_copy\n\n\tcsel\tx14,x23,x8,lo\n\tstr\txzr,[x22,#-8]\t\t// wipe tp\n\tstr\tx14,[x0,#-8]\n\n\tldp\tx19,x20,[x29,#16]\n\tmov\tsp,x29\n\tldp\tx21,x22,[x29,#32]\n\tmov\tx0,#1\n\tldp\tx23,x24,[x29,#48]\n\tldr\tx29,[sp],#64\n\tAARCH64_VALIDATE_LINK_REGISTER\n\tret\n\n\n.align\t5\n__bn_sqr8x_mont:\n\t// Not adding AARCH64_SIGN_LINK_REGISTER here because __bn_sqr8x_mont is jumped to\n\t// only from bn_mul_mont which has already signed the return address.\n\tcmp\tx1,x2\n\tb.ne\t__bn_mul4x_mont\nLsqr8x_mont:\n\tstp\tx29,x30,[sp,#-128]!\n\tadd\tx29,sp,#0\n\tstp\tx19,x20,[sp,#16]\n\tstp\tx21,x22,[sp,#32]\n\tstp\tx23,x24,[sp,#48]\n\tstp\tx25,x26,[sp,#64]\n\tstp\tx27,x28,[sp,#80]\n\tstp\tx0,x3,[sp,#96]\t// offload rp and np\n\n\tldp\tx6,x7,[x1,#8*0]\n\tldp\tx8,x9,[x1,#8*2]\n\tldp\tx10,x11,[x1,#8*4]\n\tldp\tx12,x13,[x1,#8*6]\n\n\tsub\tx2,sp,x5,lsl#4\n\tlsl\tx5,x5,#3\n\tldr\tx4,[x4]\t\t// *n0\n\tmov\tsp,x2\t\t\t// alloca\n\tsub\tx27,x5,#8*8\n\tb\tLsqr8x_zero_start\n\nLsqr8x_zero:\n\tsub\tx27,x27,#8*8\n\tstp\txzr,xzr,[x2,#8*0]\n\tstp\txzr,xzr,[x2,#8*2]\n\tstp\txzr,xzr,[x2,#8*4]\n\tstp\txzr,xzr,[x2,#8*6]\nLsqr8x_zero_start:\n\tstp\txzr,xzr,[x2,#8*8]\n\tstp\txzr,xzr,[x2,#8*10]\n\tstp\txzr,xzr,[x2,#8*12]\n\tstp\txzr,xzr,[x2,#8*14]\n\tadd\tx2,x2,#8*16\n\tcbnz\tx27,Lsqr8x_zero\n\n\tadd\tx3,x1,x5\n\tadd\tx1,x1,#8*8\n\tmov\tx19,xzr\n\tmov\tx20,xzr\n\tmov\tx21,xzr\n\tmov\tx22,xzr\n\tmov\tx23,xzr\n\tmov\tx24,xzr\n\tmov\tx25,xzr\n\tmov\tx26,xzr\n\tmov\tx2,sp\n\tstr\tx4,[x29,#112]\t\t// offload n0\n\n\t// Multiply everything but a[i]*a[i]\n.align\t4\nLsqr8x_outer_loop:\n // a[1]a[0]\t(i)\n // a[2]a[0]\n // a[3]a[0]\n // a[4]a[0]\n // a[5]a[0]\n // a[6]a[0]\n // a[7]a[0]\n // a[2]a[1]\t\t(ii)\n // a[3]a[1]\n // a[4]a[1]\n // a[5]a[1]\n // a[6]a[1]\n // a[7]a[1]\n // a[3]a[2]\t\t\t(iii)\n // a[4]a[2]\n // a[5]a[2]\n // a[6]a[2]\n // a[7]a[2]\n // a[4]a[3]\t\t\t\t(iv)\n // a[5]a[3]\n // a[6]a[3]\n // a[7]a[3]\n // a[5]a[4]\t\t\t\t\t(v)\n // a[6]a[4]\n // a[7]a[4]\n // a[6]a[5]\t\t\t\t\t\t(vi)\n // a[7]a[5]\n // a[7]a[6]\t\t\t\t\t\t\t(vii)\n\n\tmul\tx14,x7,x6\t\t// lo(a[1..7]*a[0])\t\t(i)\n\tmul\tx15,x8,x6\n\tmul\tx16,x9,x6\n\tmul\tx17,x10,x6\n\tadds\tx20,x20,x14\t\t// t[1]+lo(a[1]*a[0])\n\tmul\tx14,x11,x6\n\tadcs\tx21,x21,x15\n\tmul\tx15,x12,x6\n\tadcs\tx22,x22,x16\n\tmul\tx16,x13,x6\n\tadcs\tx23,x23,x17\n\tumulh\tx17,x7,x6\t\t// hi(a[1..7]*a[0])\n\tadcs\tx24,x24,x14\n\tumulh\tx14,x8,x6\n\tadcs\tx25,x25,x15\n\tumulh\tx15,x9,x6\n\tadcs\tx26,x26,x16\n\tumulh\tx16,x10,x6\n\tstp\tx19,x20,[x2],#8*2\t// t[0..1]\n\tadc\tx19,xzr,xzr\t\t// t[8]\n\tadds\tx21,x21,x17\t\t// t[2]+lo(a[1]*a[0])\n\tumulh\tx17,x11,x6\n\tadcs\tx22,x22,x14\n\tumulh\tx14,x12,x6\n\tadcs\tx23,x23,x15\n\tumulh\tx15,x13,x6\n\tadcs\tx24,x24,x16\n\tmul\tx16,x8,x7\t\t// lo(a[2..7]*a[1])\t\t(ii)\n\tadcs\tx25,x25,x17\n\tmul\tx17,x9,x7\n\tadcs\tx26,x26,x14\n\tmul\tx14,x10,x7\n\tadc\tx19,x19,x15\n\n\tmul\tx15,x11,x7\n\tadds\tx22,x22,x16\n\tmul\tx16,x12,x7\n\tadcs\tx23,x23,x17\n\tmul\tx17,x13,x7\n\tadcs\tx24,x24,x14\n\tumulh\tx14,x8,x7\t\t// hi(a[2..7]*a[1])\n\tadcs\tx25,x25,x15\n\tumulh\tx15,x9,x7\n\tadcs\tx26,x26,x16\n\tumulh\tx16,x10,x7\n\tadcs\tx19,x19,x17\n\tumulh\tx17,x11,x7\n\tstp\tx21,x22,[x2],#8*2\t// t[2..3]\n\tadc\tx20,xzr,xzr\t\t// t[9]\n\tadds\tx23,x23,x14\n\tumulh\tx14,x12,x7\n\tadcs\tx24,x24,x15\n\tumulh\tx15,x13,x7\n\tadcs\tx25,x25,x16\n\tmul\tx16,x9,x8\t\t// lo(a[3..7]*a[2])\t\t(iii)\n\tadcs\tx26,x26,x17\n\tmul\tx17,x10,x8\n\tadcs\tx19,x19,x14\n\tmul\tx14,x11,x8\n\tadc\tx20,x20,x15\n\n\tmul\tx15,x12,x8\n\tadds\tx24,x24,x16\n\tmul\tx16,x13,x8\n\tadcs\tx25,x25,x17\n\tumulh\tx17,x9,x8\t\t// hi(a[3..7]*a[2])\n\tadcs\tx26,x26,x14\n\tumulh\tx14,x10,x8\n\tadcs\tx19,x19,x15\n\tumulh\tx15,x11,x8\n\tadcs\tx20,x20,x16\n\tumulh\tx16,x12,x8\n\tstp\tx23,x24,[x2],#8*2\t// t[4..5]\n\tadc\tx21,xzr,xzr\t\t// t[10]\n\tadds\tx25,x25,x17\n\tumulh\tx17,x13,x8\n\tadcs\tx26,x26,x14\n\tmul\tx14,x10,x9\t\t// lo(a[4..7]*a[3])\t\t(iv)\n\tadcs\tx19,x19,x15\n\tmul\tx15,x11,x9\n\tadcs\tx20,x20,x16\n\tmul\tx16,x12,x9\n\tadc\tx21,x21,x17\n\n\tmul\tx17,x13,x9\n\tadds\tx26,x26,x14\n\tumulh\tx14,x10,x9\t\t// hi(a[4..7]*a[3])\n\tadcs\tx19,x19,x15\n\tumulh\tx15,x11,x9\n\tadcs\tx20,x20,x16\n\tumulh\tx16,x12,x9\n\tadcs\tx21,x21,x17\n\tumulh\tx17,x13,x9\n\tstp\tx25,x26,[x2],#8*2\t// t[6..7]\n\tadc\tx22,xzr,xzr\t\t// t[11]\n\tadds\tx19,x19,x14\n\tmul\tx14,x11,x10\t\t// lo(a[5..7]*a[4])\t\t(v)\n\tadcs\tx20,x20,x15\n\tmul\tx15,x12,x10\n\tadcs\tx21,x21,x16\n\tmul\tx16,x13,x10\n\tadc\tx22,x22,x17\n\n\tumulh\tx17,x11,x10\t\t// hi(a[5..7]*a[4])\n\tadds\tx20,x20,x14\n\tumulh\tx14,x12,x10\n\tadcs\tx21,x21,x15\n\tumulh\tx15,x13,x10\n\tadcs\tx22,x22,x16\n\tmul\tx16,x12,x11\t\t// lo(a[6..7]*a[5])\t\t(vi)\n\tadc\tx23,xzr,xzr\t\t// t[12]\n\tadds\tx21,x21,x17\n\tmul\tx17,x13,x11\n\tadcs\tx22,x22,x14\n\tumulh\tx14,x12,x11\t\t// hi(a[6..7]*a[5])\n\tadc\tx23,x23,x15\n\n\tumulh\tx15,x13,x11\n\tadds\tx22,x22,x16\n\tmul\tx16,x13,x12\t\t// lo(a[7]*a[6])\t\t(vii)\n\tadcs\tx23,x23,x17\n\tumulh\tx17,x13,x12\t\t// hi(a[7]*a[6])\n\tadc\tx24,xzr,xzr\t\t// t[13]\n\tadds\tx23,x23,x14\n\tsub\tx27,x3,x1\t// done yet?\n\tadc\tx24,x24,x15\n\n\tadds\tx24,x24,x16\n\tsub\tx14,x3,x5\t// rewinded ap\n\tadc\tx25,xzr,xzr\t\t// t[14]\n\tadd\tx25,x25,x17\n\n\tcbz\tx27,Lsqr8x_outer_break\n\n\tmov\tx4,x6\n\tldp\tx6,x7,[x2,#8*0]\n\tldp\tx8,x9,[x2,#8*2]\n\tldp\tx10,x11,[x2,#8*4]\n\tldp\tx12,x13,[x2,#8*6]\n\tadds\tx19,x19,x6\n\tadcs\tx20,x20,x7\n\tldp\tx6,x7,[x1,#8*0]\n\tadcs\tx21,x21,x8\n\tadcs\tx22,x22,x9\n\tldp\tx8,x9,[x1,#8*2]\n\tadcs\tx23,x23,x10\n\tadcs\tx24,x24,x11\n\tldp\tx10,x11,[x1,#8*4]\n\tadcs\tx25,x25,x12\n\tmov\tx0,x1\n\tadcs\tx26,xzr,x13\n\tldp\tx12,x13,[x1,#8*6]\n\tadd\tx1,x1,#8*8\n\t//adc\tx28,xzr,xzr\t\t// moved below\n\tmov\tx27,#-8*8\n\n\t// a[8]a[0]\n\t// a[9]a[0]\n\t// a[a]a[0]\n\t// a[b]a[0]\n\t// a[c]a[0]\n\t// a[d]a[0]\n\t// a[e]a[0]\n\t// a[f]a[0]\n\t// a[8]a[1]\n\t// a[f]a[1]........................\n\t// a[8]a[2]\n\t// a[f]a[2]........................\n\t// a[8]a[3]\n\t// a[f]a[3]........................\n\t// a[8]a[4]\n\t// a[f]a[4]........................\n\t// a[8]a[5]\n\t// a[f]a[5]........................\n\t// a[8]a[6]\n\t// a[f]a[6]........................\n\t// a[8]a[7]\n\t// a[f]a[7]........................\nLsqr8x_mul:\n\tmul\tx14,x6,x4\n\tadc\tx28,xzr,xzr\t\t// carry bit, modulo-scheduled\n\tmul\tx15,x7,x4\n\tadd\tx27,x27,#8\n\tmul\tx16,x8,x4\n\tmul\tx17,x9,x4\n\tadds\tx19,x19,x14\n\tmul\tx14,x10,x4\n\tadcs\tx20,x20,x15\n\tmul\tx15,x11,x4\n\tadcs\tx21,x21,x16\n\tmul\tx16,x12,x4\n\tadcs\tx22,x22,x17\n\tmul\tx17,x13,x4\n\tadcs\tx23,x23,x14\n\tumulh\tx14,x6,x4\n\tadcs\tx24,x24,x15\n\tumulh\tx15,x7,x4\n\tadcs\tx25,x25,x16\n\tumulh\tx16,x8,x4\n\tadcs\tx26,x26,x17\n\tumulh\tx17,x9,x4\n\tadc\tx28,x28,xzr\n\tstr\tx19,[x2],#8\n\tadds\tx19,x20,x14\n\tumulh\tx14,x10,x4\n\tadcs\tx20,x21,x15\n\tumulh\tx15,x11,x4\n\tadcs\tx21,x22,x16\n\tumulh\tx16,x12,x4\n\tadcs\tx22,x23,x17\n\tumulh\tx17,x13,x4\n\tldr\tx4,[x0,x27]\n\tadcs\tx23,x24,x14\n\tadcs\tx24,x25,x15\n\tadcs\tx25,x26,x16\n\tadcs\tx26,x28,x17\n\t//adc\tx28,xzr,xzr\t\t// moved above\n\tcbnz\tx27,Lsqr8x_mul\n\t\t\t\t\t// note that carry flag is guaranteed\n\t\t\t\t\t// to be zero at this point\n\tcmp\tx1,x3\t\t// done yet?\n\tb.eq\tLsqr8x_break\n\n\tldp\tx6,x7,[x2,#8*0]\n\tldp\tx8,x9,[x2,#8*2]\n\tldp\tx10,x11,[x2,#8*4]\n\tldp\tx12,x13,[x2,#8*6]\n\tadds\tx19,x19,x6\n\tldr\tx4,[x0,#-8*8]\n\tadcs\tx20,x20,x7\n\tldp\tx6,x7,[x1,#8*0]\n\tadcs\tx21,x21,x8\n\tadcs\tx22,x22,x9\n\tldp\tx8,x9,[x1,#8*2]\n\tadcs\tx23,x23,x10\n\tadcs\tx24,x24,x11\n\tldp\tx10,x11,[x1,#8*4]\n\tadcs\tx25,x25,x12\n\tmov\tx27,#-8*8\n\tadcs\tx26,x26,x13\n\tldp\tx12,x13,[x1,#8*6]\n\tadd\tx1,x1,#8*8\n\t//adc\tx28,xzr,xzr\t\t// moved above\n\tb\tLsqr8x_mul\n\n.align\t4\nLsqr8x_break:\n\tldp\tx6,x7,[x0,#8*0]\n\tadd\tx1,x0,#8*8\n\tldp\tx8,x9,[x0,#8*2]\n\tsub\tx14,x3,x1\t\t// is it last iteration?\n\tldp\tx10,x11,[x0,#8*4]\n\tsub\tx15,x2,x14\n\tldp\tx12,x13,[x0,#8*6]\n\tcbz\tx14,Lsqr8x_outer_loop\n\n\tstp\tx19,x20,[x2,#8*0]\n\tldp\tx19,x20,[x15,#8*0]\n\tstp\tx21,x22,[x2,#8*2]\n\tldp\tx21,x22,[x15,#8*2]\n\tstp\tx23,x24,[x2,#8*4]\n\tldp\tx23,x24,[x15,#8*4]\n\tstp\tx25,x26,[x2,#8*6]\n\tmov\tx2,x15\n\tldp\tx25,x26,[x15,#8*6]\n\tb\tLsqr8x_outer_loop\n\n.align\t4\nLsqr8x_outer_break:\n\t// Now multiply above result by 2 and add a[n-1]*a[n-1]|...|a[0]*a[0]\n\tldp\tx7,x9,[x14,#8*0]\t// recall that x14 is &a[0]\n\tldp\tx15,x16,[sp,#8*1]\n\tldp\tx11,x13,[x14,#8*2]\n\tadd\tx1,x14,#8*4\n\tldp\tx17,x14,[sp,#8*3]\n\n\tstp\tx19,x20,[x2,#8*0]\n\tmul\tx19,x7,x7\n\tstp\tx21,x22,[x2,#8*2]\n\tumulh\tx7,x7,x7\n\tstp\tx23,x24,[x2,#8*4]\n\tmul\tx8,x9,x9\n\tstp\tx25,x26,[x2,#8*6]\n\tmov\tx2,sp\n\tumulh\tx9,x9,x9\n\tadds\tx20,x7,x15,lsl#1\n\textr\tx15,x16,x15,#63\n\tsub\tx27,x5,#8*4\n\nLsqr4x_shift_n_add:\n\tadcs\tx21,x8,x15\n\textr\tx16,x17,x16,#63\n\tsub\tx27,x27,#8*4\n\tadcs\tx22,x9,x16\n\tldp\tx15,x16,[x2,#8*5]\n\tmul\tx10,x11,x11\n\tldp\tx7,x9,[x1],#8*2\n\tumulh\tx11,x11,x11\n\tmul\tx12,x13,x13\n\tumulh\tx13,x13,x13\n\textr\tx17,x14,x17,#63\n\tstp\tx19,x20,[x2,#8*0]\n\tadcs\tx23,x10,x17\n\textr\tx14,x15,x14,#63\n\tstp\tx21,x22,[x2,#8*2]\n\tadcs\tx24,x11,x14\n\tldp\tx17,x14,[x2,#8*7]\n\textr\tx15,x16,x15,#63\n\tadcs\tx25,x12,x15\n\textr\tx16,x17,x16,#63\n\tadcs\tx26,x13,x16\n\tldp\tx15,x16,[x2,#8*9]\n\tmul\tx6,x7,x7\n\tldp\tx11,x13,[x1],#8*2\n\tumulh\tx7,x7,x7\n\tmul\tx8,x9,x9\n\tumulh\tx9,x9,x9\n\tstp\tx23,x24,[x2,#8*4]\n\textr\tx17,x14,x17,#63\n\tstp\tx25,x26,[x2,#8*6]\n\tadd\tx2,x2,#8*8\n\tadcs\tx19,x6,x17\n\textr\tx14,x15,x14,#63\n\tadcs\tx20,x7,x14\n\tldp\tx17,x14,[x2,#8*3]\n\textr\tx15,x16,x15,#63\n\tcbnz\tx27,Lsqr4x_shift_n_add\n\tldp\tx1,x4,[x29,#104]\t// pull np and n0\n\n\tadcs\tx21,x8,x15\n\textr\tx16,x17,x16,#63\n\tadcs\tx22,x9,x16\n\tldp\tx15,x16,[x2,#8*5]\n\tmul\tx10,x11,x11\n\tumulh\tx11,x11,x11\n\tstp\tx19,x20,[x2,#8*0]\n\tmul\tx12,x13,x13\n\tumulh\tx13,x13,x13\n\tstp\tx21,x22,[x2,#8*2]\n\textr\tx17,x14,x17,#63\n\tadcs\tx23,x10,x17\n\textr\tx14,x15,x14,#63\n\tldp\tx19,x20,[sp,#8*0]\n\tadcs\tx24,x11,x14\n\textr\tx15,x16,x15,#63\n\tldp\tx6,x7,[x1,#8*0]\n\tadcs\tx25,x12,x15\n\textr\tx16,xzr,x16,#63\n\tldp\tx8,x9,[x1,#8*2]\n\tadc\tx26,x13,x16\n\tldp\tx10,x11,[x1,#8*4]\n\n\t// Reduce by 512 bits per iteration\n\tmul\tx28,x4,x19\t\t// t[0]*n0\n\tldp\tx12,x13,[x1,#8*6]\n\tadd\tx3,x1,x5\n\tldp\tx21,x22,[sp,#8*2]\n\tstp\tx23,x24,[x2,#8*4]\n\tldp\tx23,x24,[sp,#8*4]\n\tstp\tx25,x26,[x2,#8*6]\n\tldp\tx25,x26,[sp,#8*6]\n\tadd\tx1,x1,#8*8\n\tmov\tx30,xzr\t\t// initial top-most carry\n\tmov\tx2,sp\n\tmov\tx27,#8\n\nLsqr8x_reduction:\n\t// (*)\tmul\tx14,x6,x28\t// lo(n[0-7])*lo(t[0]*n0)\n\tmul\tx15,x7,x28\n\tsub\tx27,x27,#1\n\tmul\tx16,x8,x28\n\tstr\tx28,[x2],#8\t\t// put aside t[0]*n0 for tail processing\n\tmul\tx17,x9,x28\n\t// (*)\tadds\txzr,x19,x14\n\tsubs\txzr,x19,#1\t\t// (*)\n\tmul\tx14,x10,x28\n\tadcs\tx19,x20,x15\n\tmul\tx15,x11,x28\n\tadcs\tx20,x21,x16\n\tmul\tx16,x12,x28\n\tadcs\tx21,x22,x17\n\tmul\tx17,x13,x28\n\tadcs\tx22,x23,x14\n\tumulh\tx14,x6,x28\t\t// hi(n[0-7])*lo(t[0]*n0)\n\tadcs\tx23,x24,x15\n\tumulh\tx15,x7,x28\n\tadcs\tx24,x25,x16\n\tumulh\tx16,x8,x28\n\tadcs\tx25,x26,x17\n\tumulh\tx17,x9,x28\n\tadc\tx26,xzr,xzr\n\tadds\tx19,x19,x14\n\tumulh\tx14,x10,x28\n\tadcs\tx20,x20,x15\n\tumulh\tx15,x11,x28\n\tadcs\tx21,x21,x16\n\tumulh\tx16,x12,x28\n\tadcs\tx22,x22,x17\n\tumulh\tx17,x13,x28\n\tmul\tx28,x4,x19\t\t// next t[0]*n0\n\tadcs\tx23,x23,x14\n\tadcs\tx24,x24,x15\n\tadcs\tx25,x25,x16\n\tadc\tx26,x26,x17\n\tcbnz\tx27,Lsqr8x_reduction\n\n\tldp\tx14,x15,[x2,#8*0]\n\tldp\tx16,x17,[x2,#8*2]\n\tmov\tx0,x2\n\tsub\tx27,x3,x1\t// done yet?\n\tadds\tx19,x19,x14\n\tadcs\tx20,x20,x15\n\tldp\tx14,x15,[x2,#8*4]\n\tadcs\tx21,x21,x16\n\tadcs\tx22,x22,x17\n\tldp\tx16,x17,[x2,#8*6]\n\tadcs\tx23,x23,x14\n\tadcs\tx24,x24,x15\n\tadcs\tx25,x25,x16\n\tadcs\tx26,x26,x17\n\t//adc\tx28,xzr,xzr\t\t// moved below\n\tcbz\tx27,Lsqr8x8_post_condition\n\n\tldr\tx4,[x2,#-8*8]\n\tldp\tx6,x7,[x1,#8*0]\n\tldp\tx8,x9,[x1,#8*2]\n\tldp\tx10,x11,[x1,#8*4]\n\tmov\tx27,#-8*8\n\tldp\tx12,x13,[x1,#8*6]\n\tadd\tx1,x1,#8*8\n\nLsqr8x_tail:\n\tmul\tx14,x6,x4\n\tadc\tx28,xzr,xzr\t\t// carry bit, modulo-scheduled\n\tmul\tx15,x7,x4\n\tadd\tx27,x27,#8\n\tmul\tx16,x8,x4\n\tmul\tx17,x9,x4\n\tadds\tx19,x19,x14\n\tmul\tx14,x10,x4\n\tadcs\tx20,x20,x15\n\tmul\tx15,x11,x4\n\tadcs\tx21,x21,x16\n\tmul\tx16,x12,x4\n\tadcs\tx22,x22,x17\n\tmul\tx17,x13,x4\n\tadcs\tx23,x23,x14\n\tumulh\tx14,x6,x4\n\tadcs\tx24,x24,x15\n\tumulh\tx15,x7,x4\n\tadcs\tx25,x25,x16\n\tumulh\tx16,x8,x4\n\tadcs\tx26,x26,x17\n\tumulh\tx17,x9,x4\n\tadc\tx28,x28,xzr\n\tstr\tx19,[x2],#8\n\tadds\tx19,x20,x14\n\tumulh\tx14,x10,x4\n\tadcs\tx20,x21,x15\n\tumulh\tx15,x11,x4\n\tadcs\tx21,x22,x16\n\tumulh\tx16,x12,x4\n\tadcs\tx22,x23,x17\n\tumulh\tx17,x13,x4\n\tldr\tx4,[x0,x27]\n\tadcs\tx23,x24,x14\n\tadcs\tx24,x25,x15\n\tadcs\tx25,x26,x16\n\tadcs\tx26,x28,x17\n\t//adc\tx28,xzr,xzr\t\t// moved above\n\tcbnz\tx27,Lsqr8x_tail\n\t\t\t\t\t// note that carry flag is guaranteed\n\t\t\t\t\t// to be zero at this point\n\tldp\tx6,x7,[x2,#8*0]\n\tsub\tx27,x3,x1\t// done yet?\n\tsub\tx16,x3,x5\t// rewinded np\n\tldp\tx8,x9,[x2,#8*2]\n\tldp\tx10,x11,[x2,#8*4]\n\tldp\tx12,x13,[x2,#8*6]\n\tcbz\tx27,Lsqr8x_tail_break\n\n\tldr\tx4,[x0,#-8*8]\n\tadds\tx19,x19,x6\n\tadcs\tx20,x20,x7\n\tldp\tx6,x7,[x1,#8*0]\n\tadcs\tx21,x21,x8\n\tadcs\tx22,x22,x9\n\tldp\tx8,x9,[x1,#8*2]\n\tadcs\tx23,x23,x10\n\tadcs\tx24,x24,x11\n\tldp\tx10,x11,[x1,#8*4]\n\tadcs\tx25,x25,x12\n\tmov\tx27,#-8*8\n\tadcs\tx26,x26,x13\n\tldp\tx12,x13,[x1,#8*6]\n\tadd\tx1,x1,#8*8\n\t//adc\tx28,xzr,xzr\t\t// moved above\n\tb\tLsqr8x_tail\n\n.align\t4\nLsqr8x_tail_break:\n\tldr\tx4,[x29,#112]\t\t// pull n0\n\tadd\tx27,x2,#8*8\t\t// end of current t[num] window\n\n\tsubs\txzr,x30,#1\t\t// \"move\" top-most carry to carry bit\n\tadcs\tx14,x19,x6\n\tadcs\tx15,x20,x7\n\tldp\tx19,x20,[x0,#8*0]\n\tadcs\tx21,x21,x8\n\tldp\tx6,x7,[x16,#8*0]\t// recall that x16 is &n[0]\n\tadcs\tx22,x22,x9\n\tldp\tx8,x9,[x16,#8*2]\n\tadcs\tx23,x23,x10\n\tadcs\tx24,x24,x11\n\tldp\tx10,x11,[x16,#8*4]\n\tadcs\tx25,x25,x12\n\tadcs\tx26,x26,x13\n\tldp\tx12,x13,[x16,#8*6]\n\tadd\tx1,x16,#8*8\n\tadc\tx30,xzr,xzr\t// top-most carry\n\tmul\tx28,x4,x19\n\tstp\tx14,x15,[x2,#8*0]\n\tstp\tx21,x22,[x2,#8*2]\n\tldp\tx21,x22,[x0,#8*2]\n\tstp\tx23,x24,[x2,#8*4]\n\tldp\tx23,x24,[x0,#8*4]\n\tcmp\tx27,x29\t\t// did we hit the bottom?\n\tstp\tx25,x26,[x2,#8*6]\n\tmov\tx2,x0\t\t\t// slide the window\n\tldp\tx25,x26,[x0,#8*6]\n\tmov\tx27,#8\n\tb.ne\tLsqr8x_reduction\n\n\t// Final step. We see if result is larger than modulus, and\n\t// if it is, subtract the modulus. But comparison implies\n\t// subtraction. So we subtract modulus, see if it borrowed,\n\t// and conditionally copy original value.\n\tldr\tx0,[x29,#96]\t\t// pull rp\n\tadd\tx2,x2,#8*8\n\tsubs\tx14,x19,x6\n\tsbcs\tx15,x20,x7\n\tsub\tx27,x5,#8*8\n\tmov\tx3,x0\t\t// x0 copy\n\nLsqr8x_sub:\n\tsbcs\tx16,x21,x8\n\tldp\tx6,x7,[x1,#8*0]\n\tsbcs\tx17,x22,x9\n\tstp\tx14,x15,[x0,#8*0]\n\tsbcs\tx14,x23,x10\n\tldp\tx8,x9,[x1,#8*2]\n\tsbcs\tx15,x24,x11\n\tstp\tx16,x17,[x0,#8*2]\n\tsbcs\tx16,x25,x12\n\tldp\tx10,x11,[x1,#8*4]\n\tsbcs\tx17,x26,x13\n\tldp\tx12,x13,[x1,#8*6]\n\tadd\tx1,x1,#8*8\n\tldp\tx19,x20,[x2,#8*0]\n\tsub\tx27,x27,#8*8\n\tldp\tx21,x22,[x2,#8*2]\n\tldp\tx23,x24,[x2,#8*4]\n\tldp\tx25,x26,[x2,#8*6]\n\tadd\tx2,x2,#8*8\n\tstp\tx14,x15,[x0,#8*4]\n\tsbcs\tx14,x19,x6\n\tstp\tx16,x17,[x0,#8*6]\n\tadd\tx0,x0,#8*8\n\tsbcs\tx15,x20,x7\n\tcbnz\tx27,Lsqr8x_sub\n\n\tsbcs\tx16,x21,x8\n\tmov\tx2,sp\n\tadd\tx1,sp,x5\n\tldp\tx6,x7,[x3,#8*0]\n\tsbcs\tx17,x22,x9\n\tstp\tx14,x15,[x0,#8*0]\n\tsbcs\tx14,x23,x10\n\tldp\tx8,x9,[x3,#8*2]\n\tsbcs\tx15,x24,x11\n\tstp\tx16,x17,[x0,#8*2]\n\tsbcs\tx16,x25,x12\n\tldp\tx19,x20,[x1,#8*0]\n\tsbcs\tx17,x26,x13\n\tldp\tx21,x22,[x1,#8*2]\n\tsbcs\txzr,x30,xzr\t// did it borrow?\n\tldr\tx30,[x29,#8]\t\t// pull return address\n\tstp\tx14,x15,[x0,#8*4]\n\tstp\tx16,x17,[x0,#8*6]\n\n\tsub\tx27,x5,#8*4\nLsqr4x_cond_copy:\n\tsub\tx27,x27,#8*4\n\tcsel\tx14,x19,x6,lo\n\tstp\txzr,xzr,[x2,#8*0]\n\tcsel\tx15,x20,x7,lo\n\tldp\tx6,x7,[x3,#8*4]\n\tldp\tx19,x20,[x1,#8*4]\n\tcsel\tx16,x21,x8,lo\n\tstp\txzr,xzr,[x2,#8*2]\n\tadd\tx2,x2,#8*4\n\tcsel\tx17,x22,x9,lo\n\tldp\tx8,x9,[x3,#8*6]\n\tldp\tx21,x22,[x1,#8*6]\n\tadd\tx1,x1,#8*4\n\tstp\tx14,x15,[x3,#8*0]\n\tstp\tx16,x17,[x3,#8*2]\n\tadd\tx3,x3,#8*4\n\tstp\txzr,xzr,[x1,#8*0]\n\tstp\txzr,xzr,[x1,#8*2]\n\tcbnz\tx27,Lsqr4x_cond_copy\n\n\tcsel\tx14,x19,x6,lo\n\tstp\txzr,xzr,[x2,#8*0]\n\tcsel\tx15,x20,x7,lo\n\tstp\txzr,xzr,[x2,#8*2]\n\tcsel\tx16,x21,x8,lo\n\tcsel\tx17,x22,x9,lo\n\tstp\tx14,x15,[x3,#8*0]\n\tstp\tx16,x17,[x3,#8*2]\n\n\tb\tLsqr8x_done\n\n.align\t4\nLsqr8x8_post_condition:\n\tadc\tx28,xzr,xzr\n\tldr\tx30,[x29,#8]\t\t// pull return address\n\t// x19-7,x28 hold result, x6-7 hold modulus\n\tsubs\tx6,x19,x6\n\tldr\tx1,[x29,#96]\t\t// pull rp\n\tsbcs\tx7,x20,x7\n\tstp\txzr,xzr,[sp,#8*0]\n\tsbcs\tx8,x21,x8\n\tstp\txzr,xzr,[sp,#8*2]\n\tsbcs\tx9,x22,x9\n\tstp\txzr,xzr,[sp,#8*4]\n\tsbcs\tx10,x23,x10\n\tstp\txzr,xzr,[sp,#8*6]\n\tsbcs\tx11,x24,x11\n\tstp\txzr,xzr,[sp,#8*8]\n\tsbcs\tx12,x25,x12\n\tstp\txzr,xzr,[sp,#8*10]\n\tsbcs\tx13,x26,x13\n\tstp\txzr,xzr,[sp,#8*12]\n\tsbcs\tx28,x28,xzr\t// did it borrow?\n\tstp\txzr,xzr,[sp,#8*14]\n\n\t// x6-7 hold result-modulus\n\tcsel\tx6,x19,x6,lo\n\tcsel\tx7,x20,x7,lo\n\tcsel\tx8,x21,x8,lo\n\tcsel\tx9,x22,x9,lo\n\tstp\tx6,x7,[x1,#8*0]\n\tcsel\tx10,x23,x10,lo\n\tcsel\tx11,x24,x11,lo\n\tstp\tx8,x9,[x1,#8*2]\n\tcsel\tx12,x25,x12,lo\n\tcsel\tx13,x26,x13,lo\n\tstp\tx10,x11,[x1,#8*4]\n\tstp\tx12,x13,[x1,#8*6]\n\nLsqr8x_done:\n\tldp\tx19,x20,[x29,#16]\n\tmov\tsp,x29\n\tldp\tx21,x22,[x29,#32]\n\tmov\tx0,#1\n\tldp\tx23,x24,[x29,#48]\n\tldp\tx25,x26,[x29,#64]\n\tldp\tx27,x28,[x29,#80]\n\tldr\tx29,[sp],#128\n\t// x30 is popped earlier\n\tAARCH64_VALIDATE_LINK_REGISTER\n\tret\n\n\n.align\t5\n__bn_mul4x_mont:\n\t// Not adding AARCH64_SIGN_LINK_REGISTER here because __bn_mul4x_mont is jumped to\n\t// only from bn_mul_mont or __bn_mul8x_mont which have already signed the\n\t// return address.\n\tstp\tx29,x30,[sp,#-128]!\n\tadd\tx29,sp,#0\n\tstp\tx19,x20,[sp,#16]\n\tstp\tx21,x22,[sp,#32]\n\tstp\tx23,x24,[sp,#48]\n\tstp\tx25,x26,[sp,#64]\n\tstp\tx27,x28,[sp,#80]\n\n\tsub\tx26,sp,x5,lsl#3\n\tlsl\tx5,x5,#3\n\tldr\tx4,[x4]\t\t// *n0\n\tsub\tsp,x26,#8*4\t\t// alloca\n\n\tadd\tx10,x2,x5\n\tadd\tx27,x1,x5\n\tstp\tx0,x10,[x29,#96]\t// offload rp and &b[num]\n\n\tldr\tx24,[x2,#8*0]\t\t// b[0]\n\tldp\tx6,x7,[x1,#8*0]\t// a[0..3]\n\tldp\tx8,x9,[x1,#8*2]\n\tadd\tx1,x1,#8*4\n\tmov\tx19,xzr\n\tmov\tx20,xzr\n\tmov\tx21,xzr\n\tmov\tx22,xzr\n\tldp\tx14,x15,[x3,#8*0]\t// n[0..3]\n\tldp\tx16,x17,[x3,#8*2]\n\tadds\tx3,x3,#8*4\t\t// clear carry bit\n\tmov\tx0,xzr\n\tmov\tx28,#0\n\tmov\tx26,sp\n\nLoop_mul4x_1st_reduction:\n\tmul\tx10,x6,x24\t\t// lo(a[0..3]*b[0])\n\tadc\tx0,x0,xzr\t// modulo-scheduled\n\tmul\tx11,x7,x24\n\tadd\tx28,x28,#8\n\tmul\tx12,x8,x24\n\tand\tx28,x28,#31\n\tmul\tx13,x9,x24\n\tadds\tx19,x19,x10\n\tumulh\tx10,x6,x24\t\t// hi(a[0..3]*b[0])\n\tadcs\tx20,x20,x11\n\tmul\tx25,x19,x4\t\t// t[0]*n0\n\tadcs\tx21,x21,x12\n\tumulh\tx11,x7,x24\n\tadcs\tx22,x22,x13\n\tumulh\tx12,x8,x24\n\tadc\tx23,xzr,xzr\n\tumulh\tx13,x9,x24\n\tldr\tx24,[x2,x28]\t\t// next b[i] (or b[0])\n\tadds\tx20,x20,x10\n\t// (*)\tmul\tx10,x14,x25\t// lo(n[0..3]*t[0]*n0)\n\tstr\tx25,[x26],#8\t\t// put aside t[0]*n0 for tail processing\n\tadcs\tx21,x21,x11\n\tmul\tx11,x15,x25\n\tadcs\tx22,x22,x12\n\tmul\tx12,x16,x25\n\tadc\tx23,x23,x13\t\t// can't overflow\n\tmul\tx13,x17,x25\n\t// (*)\tadds\txzr,x19,x10\n\tsubs\txzr,x19,#1\t\t// (*)\n\tumulh\tx10,x14,x25\t\t// hi(n[0..3]*t[0]*n0)\n\tadcs\tx19,x20,x11\n\tumulh\tx11,x15,x25\n\tadcs\tx20,x21,x12\n\tumulh\tx12,x16,x25\n\tadcs\tx21,x22,x13\n\tumulh\tx13,x17,x25\n\tadcs\tx22,x23,x0\n\tadc\tx0,xzr,xzr\n\tadds\tx19,x19,x10\n\tsub\tx10,x27,x1\n\tadcs\tx20,x20,x11\n\tadcs\tx21,x21,x12\n\tadcs\tx22,x22,x13\n\t//adc\tx0,x0,xzr\n\tcbnz\tx28,Loop_mul4x_1st_reduction\n\n\tcbz\tx10,Lmul4x4_post_condition\n\n\tldp\tx6,x7,[x1,#8*0]\t// a[4..7]\n\tldp\tx8,x9,[x1,#8*2]\n\tadd\tx1,x1,#8*4\n\tldr\tx25,[sp]\t\t// a[0]*n0\n\tldp\tx14,x15,[x3,#8*0]\t// n[4..7]\n\tldp\tx16,x17,[x3,#8*2]\n\tadd\tx3,x3,#8*4\n\nLoop_mul4x_1st_tail:\n\tmul\tx10,x6,x24\t\t// lo(a[4..7]*b[i])\n\tadc\tx0,x0,xzr\t// modulo-scheduled\n\tmul\tx11,x7,x24\n\tadd\tx28,x28,#8\n\tmul\tx12,x8,x24\n\tand\tx28,x28,#31\n\tmul\tx13,x9,x24\n\tadds\tx19,x19,x10\n\tumulh\tx10,x6,x24\t\t// hi(a[4..7]*b[i])\n\tadcs\tx20,x20,x11\n\tumulh\tx11,x7,x24\n\tadcs\tx21,x21,x12\n\tumulh\tx12,x8,x24\n\tadcs\tx22,x22,x13\n\tumulh\tx13,x9,x24\n\tadc\tx23,xzr,xzr\n\tldr\tx24,[x2,x28]\t\t// next b[i] (or b[0])\n\tadds\tx20,x20,x10\n\tmul\tx10,x14,x25\t\t// lo(n[4..7]*a[0]*n0)\n\tadcs\tx21,x21,x11\n\tmul\tx11,x15,x25\n\tadcs\tx22,x22,x12\n\tmul\tx12,x16,x25\n\tadc\tx23,x23,x13\t\t// can't overflow\n\tmul\tx13,x17,x25\n\tadds\tx19,x19,x10\n\tumulh\tx10,x14,x25\t\t// hi(n[4..7]*a[0]*n0)\n\tadcs\tx20,x20,x11\n\tumulh\tx11,x15,x25\n\tadcs\tx21,x21,x12\n\tumulh\tx12,x16,x25\n\tadcs\tx22,x22,x13\n\tadcs\tx23,x23,x0\n\tumulh\tx13,x17,x25\n\tadc\tx0,xzr,xzr\n\tldr\tx25,[sp,x28]\t\t// next t[0]*n0\n\tstr\tx19,[x26],#8\t\t// result!!!\n\tadds\tx19,x20,x10\n\tsub\tx10,x27,x1\t\t// done yet?\n\tadcs\tx20,x21,x11\n\tadcs\tx21,x22,x12\n\tadcs\tx22,x23,x13\n\t//adc\tx0,x0,xzr\n\tcbnz\tx28,Loop_mul4x_1st_tail\n\n\tsub\tx11,x27,x5\t// rewinded x1\n\tcbz\tx10,Lmul4x_proceed\n\n\tldp\tx6,x7,[x1,#8*0]\n\tldp\tx8,x9,[x1,#8*2]\n\tadd\tx1,x1,#8*4\n\tldp\tx14,x15,[x3,#8*0]\n\tldp\tx16,x17,[x3,#8*2]\n\tadd\tx3,x3,#8*4\n\tb\tLoop_mul4x_1st_tail\n\n.align\t5\nLmul4x_proceed:\n\tldr\tx24,[x2,#8*4]!\t\t// *++b\n\tadc\tx30,x0,xzr\n\tldp\tx6,x7,[x11,#8*0]\t// a[0..3]\n\tsub\tx3,x3,x5\t\t// rewind np\n\tldp\tx8,x9,[x11,#8*2]\n\tadd\tx1,x11,#8*4\n\n\tstp\tx19,x20,[x26,#8*0]\t// result!!!\n\tldp\tx19,x20,[sp,#8*4]\t// t[0..3]\n\tstp\tx21,x22,[x26,#8*2]\t// result!!!\n\tldp\tx21,x22,[sp,#8*6]\n\n\tldp\tx14,x15,[x3,#8*0]\t// n[0..3]\n\tmov\tx26,sp\n\tldp\tx16,x17,[x3,#8*2]\n\tadds\tx3,x3,#8*4\t\t// clear carry bit\n\tmov\tx0,xzr\n\n.align\t4\nLoop_mul4x_reduction:\n\tmul\tx10,x6,x24\t\t// lo(a[0..3]*b[4])\n\tadc\tx0,x0,xzr\t// modulo-scheduled\n\tmul\tx11,x7,x24\n\tadd\tx28,x28,#8\n\tmul\tx12,x8,x24\n\tand\tx28,x28,#31\n\tmul\tx13,x9,x24\n\tadds\tx19,x19,x10\n\tumulh\tx10,x6,x24\t\t// hi(a[0..3]*b[4])\n\tadcs\tx20,x20,x11\n\tmul\tx25,x19,x4\t\t// t[0]*n0\n\tadcs\tx21,x21,x12\n\tumulh\tx11,x7,x24\n\tadcs\tx22,x22,x13\n\tumulh\tx12,x8,x24\n\tadc\tx23,xzr,xzr\n\tumulh\tx13,x9,x24\n\tldr\tx24,[x2,x28]\t\t// next b[i]\n\tadds\tx20,x20,x10\n\t// (*)\tmul\tx10,x14,x25\n\tstr\tx25,[x26],#8\t\t// put aside t[0]*n0 for tail processing\n\tadcs\tx21,x21,x11\n\tmul\tx11,x15,x25\t\t// lo(n[0..3]*t[0]*n0\n\tadcs\tx22,x22,x12\n\tmul\tx12,x16,x25\n\tadc\tx23,x23,x13\t\t// can't overflow\n\tmul\tx13,x17,x25\n\t// (*)\tadds\txzr,x19,x10\n\tsubs\txzr,x19,#1\t\t// (*)\n\tumulh\tx10,x14,x25\t\t// hi(n[0..3]*t[0]*n0\n\tadcs\tx19,x20,x11\n\tumulh\tx11,x15,x25\n\tadcs\tx20,x21,x12\n\tumulh\tx12,x16,x25\n\tadcs\tx21,x22,x13\n\tumulh\tx13,x17,x25\n\tadcs\tx22,x23,x0\n\tadc\tx0,xzr,xzr\n\tadds\tx19,x19,x10\n\tadcs\tx20,x20,x11\n\tadcs\tx21,x21,x12\n\tadcs\tx22,x22,x13\n\t//adc\tx0,x0,xzr\n\tcbnz\tx28,Loop_mul4x_reduction\n\n\tadc\tx0,x0,xzr\n\tldp\tx10,x11,[x26,#8*4]\t// t[4..7]\n\tldp\tx12,x13,[x26,#8*6]\n\tldp\tx6,x7,[x1,#8*0]\t// a[4..7]\n\tldp\tx8,x9,[x1,#8*2]\n\tadd\tx1,x1,#8*4\n\tadds\tx19,x19,x10\n\tadcs\tx20,x20,x11\n\tadcs\tx21,x21,x12\n\tadcs\tx22,x22,x13\n\t//adc\tx0,x0,xzr\n\n\tldr\tx25,[sp]\t\t// t[0]*n0\n\tldp\tx14,x15,[x3,#8*0]\t// n[4..7]\n\tldp\tx16,x17,[x3,#8*2]\n\tadd\tx3,x3,#8*4\n\n.align\t4\nLoop_mul4x_tail:\n\tmul\tx10,x6,x24\t\t// lo(a[4..7]*b[4])\n\tadc\tx0,x0,xzr\t// modulo-scheduled\n\tmul\tx11,x7,x24\n\tadd\tx28,x28,#8\n\tmul\tx12,x8,x24\n\tand\tx28,x28,#31\n\tmul\tx13,x9,x24\n\tadds\tx19,x19,x10\n\tumulh\tx10,x6,x24\t\t// hi(a[4..7]*b[4])\n\tadcs\tx20,x20,x11\n\tumulh\tx11,x7,x24\n\tadcs\tx21,x21,x12\n\tumulh\tx12,x8,x24\n\tadcs\tx22,x22,x13\n\tumulh\tx13,x9,x24\n\tadc\tx23,xzr,xzr\n\tldr\tx24,[x2,x28]\t\t// next b[i]\n\tadds\tx20,x20,x10\n\tmul\tx10,x14,x25\t\t// lo(n[4..7]*t[0]*n0)\n\tadcs\tx21,x21,x11\n\tmul\tx11,x15,x25\n\tadcs\tx22,x22,x12\n\tmul\tx12,x16,x25\n\tadc\tx23,x23,x13\t\t// can't overflow\n\tmul\tx13,x17,x25\n\tadds\tx19,x19,x10\n\tumulh\tx10,x14,x25\t\t// hi(n[4..7]*t[0]*n0)\n\tadcs\tx20,x20,x11\n\tumulh\tx11,x15,x25\n\tadcs\tx21,x21,x12\n\tumulh\tx12,x16,x25\n\tadcs\tx22,x22,x13\n\tumulh\tx13,x17,x25\n\tadcs\tx23,x23,x0\n\tldr\tx25,[sp,x28]\t\t// next a[0]*n0\n\tadc\tx0,xzr,xzr\n\tstr\tx19,[x26],#8\t\t// result!!!\n\tadds\tx19,x20,x10\n\tsub\tx10,x27,x1\t\t// done yet?\n\tadcs\tx20,x21,x11\n\tadcs\tx21,x22,x12\n\tadcs\tx22,x23,x13\n\t//adc\tx0,x0,xzr\n\tcbnz\tx28,Loop_mul4x_tail\n\n\tsub\tx11,x3,x5\t\t// rewinded np?\n\tadc\tx0,x0,xzr\n\tcbz\tx10,Loop_mul4x_break\n\n\tldp\tx10,x11,[x26,#8*4]\n\tldp\tx12,x13,[x26,#8*6]\n\tldp\tx6,x7,[x1,#8*0]\n\tldp\tx8,x9,[x1,#8*2]\n\tadd\tx1,x1,#8*4\n\tadds\tx19,x19,x10\n\tadcs\tx20,x20,x11\n\tadcs\tx21,x21,x12\n\tadcs\tx22,x22,x13\n\t//adc\tx0,x0,xzr\n\tldp\tx14,x15,[x3,#8*0]\n\tldp\tx16,x17,[x3,#8*2]\n\tadd\tx3,x3,#8*4\n\tb\tLoop_mul4x_tail\n\n.align\t4\nLoop_mul4x_break:\n\tldp\tx12,x13,[x29,#96]\t// pull rp and &b[num]\n\tadds\tx19,x19,x30\n\tadd\tx2,x2,#8*4\t\t// bp++\n\tadcs\tx20,x20,xzr\n\tsub\tx1,x1,x5\t\t// rewind ap\n\tadcs\tx21,x21,xzr\n\tstp\tx19,x20,[x26,#8*0]\t// result!!!\n\tadcs\tx22,x22,xzr\n\tldp\tx19,x20,[sp,#8*4]\t// t[0..3]\n\tadc\tx30,x0,xzr\n\tstp\tx21,x22,[x26,#8*2]\t// result!!!\n\tcmp\tx2,x13\t\t\t// done yet?\n\tldp\tx21,x22,[sp,#8*6]\n\tldp\tx14,x15,[x11,#8*0]\t// n[0..3]\n\tldp\tx16,x17,[x11,#8*2]\n\tadd\tx3,x11,#8*4\n\tb.eq\tLmul4x_post\n\n\tldr\tx24,[x2]\n\tldp\tx6,x7,[x1,#8*0]\t// a[0..3]\n\tldp\tx8,x9,[x1,#8*2]\n\tadds\tx1,x1,#8*4\t\t// clear carry bit\n\tmov\tx0,xzr\n\tmov\tx26,sp\n\tb\tLoop_mul4x_reduction\n\n.align\t4\nLmul4x_post:\n\t// Final step. We see if result is larger than modulus, and\n\t// if it is, subtract the modulus. But comparison implies\n\t// subtraction. So we subtract modulus, see if it borrowed,\n\t// and conditionally copy original value.\n\tmov\tx0,x12\n\tmov\tx27,x12\t\t// x0 copy\n\tsubs\tx10,x19,x14\n\tadd\tx26,sp,#8*8\n\tsbcs\tx11,x20,x15\n\tsub\tx28,x5,#8*4\n\nLmul4x_sub:\n\tsbcs\tx12,x21,x16\n\tldp\tx14,x15,[x3,#8*0]\n\tsub\tx28,x28,#8*4\n\tldp\tx19,x20,[x26,#8*0]\n\tsbcs\tx13,x22,x17\n\tldp\tx16,x17,[x3,#8*2]\n\tadd\tx3,x3,#8*4\n\tldp\tx21,x22,[x26,#8*2]\n\tadd\tx26,x26,#8*4\n\tstp\tx10,x11,[x0,#8*0]\n\tsbcs\tx10,x19,x14\n\tstp\tx12,x13,[x0,#8*2]\n\tadd\tx0,x0,#8*4\n\tsbcs\tx11,x20,x15\n\tcbnz\tx28,Lmul4x_sub\n\n\tsbcs\tx12,x21,x16\n\tmov\tx26,sp\n\tadd\tx1,sp,#8*4\n\tldp\tx6,x7,[x27,#8*0]\n\tsbcs\tx13,x22,x17\n\tstp\tx10,x11,[x0,#8*0]\n\tldp\tx8,x9,[x27,#8*2]\n\tstp\tx12,x13,[x0,#8*2]\n\tldp\tx19,x20,[x1,#8*0]\n\tldp\tx21,x22,[x1,#8*2]\n\tsbcs\txzr,x30,xzr\t// did it borrow?\n\tldr\tx30,[x29,#8]\t\t// pull return address\n\n\tsub\tx28,x5,#8*4\nLmul4x_cond_copy:\n\tsub\tx28,x28,#8*4\n\tcsel\tx10,x19,x6,lo\n\tstp\txzr,xzr,[x26,#8*0]\n\tcsel\tx11,x20,x7,lo\n\tldp\tx6,x7,[x27,#8*4]\n\tldp\tx19,x20,[x1,#8*4]\n\tcsel\tx12,x21,x8,lo\n\tstp\txzr,xzr,[x26,#8*2]\n\tadd\tx26,x26,#8*4\n\tcsel\tx13,x22,x9,lo\n\tldp\tx8,x9,[x27,#8*6]\n\tldp\tx21,x22,[x1,#8*6]\n\tadd\tx1,x1,#8*4\n\tstp\tx10,x11,[x27,#8*0]\n\tstp\tx12,x13,[x27,#8*2]\n\tadd\tx27,x27,#8*4\n\tcbnz\tx28,Lmul4x_cond_copy\n\n\tcsel\tx10,x19,x6,lo\n\tstp\txzr,xzr,[x26,#8*0]\n\tcsel\tx11,x20,x7,lo\n\tstp\txzr,xzr,[x26,#8*2]\n\tcsel\tx12,x21,x8,lo\n\tstp\txzr,xzr,[x26,#8*3]\n\tcsel\tx13,x22,x9,lo\n\tstp\txzr,xzr,[x26,#8*4]\n\tstp\tx10,x11,[x27,#8*0]\n\tstp\tx12,x13,[x27,#8*2]\n\n\tb\tLmul4x_done\n\n.align\t4\nLmul4x4_post_condition:\n\tadc\tx0,x0,xzr\n\tldr\tx1,[x29,#96]\t\t// pull rp\n\t// x19-3,x0 hold result, x14-7 hold modulus\n\tsubs\tx6,x19,x14\n\tldr\tx30,[x29,#8]\t\t// pull return address\n\tsbcs\tx7,x20,x15\n\tstp\txzr,xzr,[sp,#8*0]\n\tsbcs\tx8,x21,x16\n\tstp\txzr,xzr,[sp,#8*2]\n\tsbcs\tx9,x22,x17\n\tstp\txzr,xzr,[sp,#8*4]\n\tsbcs\txzr,x0,xzr\t\t// did it borrow?\n\tstp\txzr,xzr,[sp,#8*6]\n\n\t// x6-3 hold result-modulus\n\tcsel\tx6,x19,x6,lo\n\tcsel\tx7,x20,x7,lo\n\tcsel\tx8,x21,x8,lo\n\tcsel\tx9,x22,x9,lo\n\tstp\tx6,x7,[x1,#8*0]\n\tstp\tx8,x9,[x1,#8*2]\n\nLmul4x_done:\n\tldp\tx19,x20,[x29,#16]\n\tmov\tsp,x29\n\tldp\tx21,x22,[x29,#32]\n\tmov\tx0,#1\n\tldp\tx23,x24,[x29,#48]\n\tldp\tx25,x26,[x29,#64]\n\tldp\tx27,x28,[x29,#80]\n\tldr\tx29,[sp],#128\n\t// x30 is popped earlier\n\tAARCH64_VALIDATE_LINK_REGISTER\n\tret\n\n.byte\t77,111,110,116,103,111,109,101,114,121,32,77,117,108,116,105,112,108,105,99,97,116,105,111,110,32,102,111,114,32,65,82,77,118,56,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0\n.align\t2\n.align\t4\n#endif // !OPENSSL_NO_ASM && defined(OPENSSL_AARCH64) && defined(__APPLE__)\n#if defined(__linux__) && defined(__ELF__)\n.section .note.GNU-stack,\"\",%progbits\n#endif\n\n" }, { "path": "Sources/CNIOBoringSSL/gen/bcm/armv8-mont-linux.S", "content": "#define BORINGSSL_PREFIX CNIOBoringSSL\n// This file is generated from a similarly-named Perl script in the BoringSSL\n// source tree. Do not edit by hand.\n\n#include \n\n#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_AARCH64) && defined(__ELF__)\n#include \n\n.text\n\n.globl\tbn_mul_mont\n.hidden\tbn_mul_mont\n.type\tbn_mul_mont,%function\n.align\t5\nbn_mul_mont:\n\tAARCH64_SIGN_LINK_REGISTER\n\ttst\tx5,#7\n\tb.eq\t__bn_sqr8x_mont\n\ttst\tx5,#3\n\tb.eq\t__bn_mul4x_mont\n.Lmul_mont:\n\tstp\tx29,x30,[sp,#-64]!\n\tadd\tx29,sp,#0\n\tstp\tx19,x20,[sp,#16]\n\tstp\tx21,x22,[sp,#32]\n\tstp\tx23,x24,[sp,#48]\n\n\tldr\tx9,[x2],#8\t\t// bp[0]\n\tsub\tx22,sp,x5,lsl#3\n\tldp\tx7,x8,[x1],#16\t// ap[0..1]\n\tlsl\tx5,x5,#3\n\tldr\tx4,[x4]\t\t// *n0\n\tand\tx22,x22,#-16\t\t// ABI says so\n\tldp\tx13,x14,[x3],#16\t// np[0..1]\n\n\tmul\tx6,x7,x9\t\t// ap[0]*bp[0]\n\tsub\tx21,x5,#16\t\t// j=num-2\n\tumulh\tx7,x7,x9\n\tmul\tx10,x8,x9\t\t// ap[1]*bp[0]\n\tumulh\tx11,x8,x9\n\n\tmul\tx15,x6,x4\t\t// \"tp[0]\"*n0\n\tmov\tsp,x22\t\t\t// alloca\n\n\t// (*)\tmul\tx12,x13,x15\t// np[0]*m1\n\tumulh\tx13,x13,x15\n\tmul\tx16,x14,x15\t\t// np[1]*m1\n\t// (*)\tadds\tx12,x12,x6\t// discarded\n\t// (*)\tAs for removal of first multiplication and addition\n\t//\tinstructions. The outcome of first addition is\n\t//\tguaranteed to be zero, which leaves two computationally\n\t//\tsignificant outcomes: it either carries or not. Then\n\t//\tquestion is when does it carry? Is there alternative\n\t//\tway to deduce it? If you follow operations, you can\n\t//\tobserve that condition for carry is quite simple:\n\t//\tx6 being non-zero. So that carry can be calculated\n\t//\tby adding -1 to x6. That's what next instruction does.\n\tsubs\txzr,x6,#1\t\t// (*)\n\tumulh\tx17,x14,x15\n\tadc\tx13,x13,xzr\n\tcbz\tx21,.L1st_skip\n\n.L1st:\n\tldr\tx8,[x1],#8\n\tadds\tx6,x10,x7\n\tsub\tx21,x21,#8\t\t// j--\n\tadc\tx7,x11,xzr\n\n\tldr\tx14,[x3],#8\n\tadds\tx12,x16,x13\n\tmul\tx10,x8,x9\t\t// ap[j]*bp[0]\n\tadc\tx13,x17,xzr\n\tumulh\tx11,x8,x9\n\n\tadds\tx12,x12,x6\n\tmul\tx16,x14,x15\t\t// np[j]*m1\n\tadc\tx13,x13,xzr\n\tumulh\tx17,x14,x15\n\tstr\tx12,[x22],#8\t\t// tp[j-1]\n\tcbnz\tx21,.L1st\n\n.L1st_skip:\n\tadds\tx6,x10,x7\n\tsub\tx1,x1,x5\t\t// rewind x1\n\tadc\tx7,x11,xzr\n\n\tadds\tx12,x16,x13\n\tsub\tx3,x3,x5\t\t// rewind x3\n\tadc\tx13,x17,xzr\n\n\tadds\tx12,x12,x6\n\tsub\tx20,x5,#8\t\t// i=num-1\n\tadcs\tx13,x13,x7\n\n\tadc\tx19,xzr,xzr\t\t// upmost overflow bit\n\tstp\tx12,x13,[x22]\n\n.Louter:\n\tldr\tx9,[x2],#8\t\t// bp[i]\n\tldp\tx7,x8,[x1],#16\n\tldr\tx23,[sp]\t\t// tp[0]\n\tadd\tx22,sp,#8\n\n\tmul\tx6,x7,x9\t\t// ap[0]*bp[i]\n\tsub\tx21,x5,#16\t\t// j=num-2\n\tumulh\tx7,x7,x9\n\tldp\tx13,x14,[x3],#16\n\tmul\tx10,x8,x9\t\t// ap[1]*bp[i]\n\tadds\tx6,x6,x23\n\tumulh\tx11,x8,x9\n\tadc\tx7,x7,xzr\n\n\tmul\tx15,x6,x4\n\tsub\tx20,x20,#8\t\t// i--\n\n\t// (*)\tmul\tx12,x13,x15\t// np[0]*m1\n\tumulh\tx13,x13,x15\n\tmul\tx16,x14,x15\t\t// np[1]*m1\n\t// (*)\tadds\tx12,x12,x6\n\tsubs\txzr,x6,#1\t\t// (*)\n\tumulh\tx17,x14,x15\n\tcbz\tx21,.Linner_skip\n\n.Linner:\n\tldr\tx8,[x1],#8\n\tadc\tx13,x13,xzr\n\tldr\tx23,[x22],#8\t\t// tp[j]\n\tadds\tx6,x10,x7\n\tsub\tx21,x21,#8\t\t// j--\n\tadc\tx7,x11,xzr\n\n\tadds\tx12,x16,x13\n\tldr\tx14,[x3],#8\n\tadc\tx13,x17,xzr\n\n\tmul\tx10,x8,x9\t\t// ap[j]*bp[i]\n\tadds\tx6,x6,x23\n\tumulh\tx11,x8,x9\n\tadc\tx7,x7,xzr\n\n\tmul\tx16,x14,x15\t\t// np[j]*m1\n\tadds\tx12,x12,x6\n\tumulh\tx17,x14,x15\n\tstr\tx12,[x22,#-16]\t\t// tp[j-1]\n\tcbnz\tx21,.Linner\n\n.Linner_skip:\n\tldr\tx23,[x22],#8\t\t// tp[j]\n\tadc\tx13,x13,xzr\n\tadds\tx6,x10,x7\n\tsub\tx1,x1,x5\t\t// rewind x1\n\tadc\tx7,x11,xzr\n\n\tadds\tx12,x16,x13\n\tsub\tx3,x3,x5\t\t// rewind x3\n\tadcs\tx13,x17,x19\n\tadc\tx19,xzr,xzr\n\n\tadds\tx6,x6,x23\n\tadc\tx7,x7,xzr\n\n\tadds\tx12,x12,x6\n\tadcs\tx13,x13,x7\n\tadc\tx19,x19,xzr\t\t// upmost overflow bit\n\tstp\tx12,x13,[x22,#-16]\n\n\tcbnz\tx20,.Louter\n\n\t// Final step. We see if result is larger than modulus, and\n\t// if it is, subtract the modulus. But comparison implies\n\t// subtraction. So we subtract modulus, see if it borrowed,\n\t// and conditionally copy original value.\n\tldr\tx23,[sp]\t\t// tp[0]\n\tadd\tx22,sp,#8\n\tldr\tx14,[x3],#8\t\t// np[0]\n\tsubs\tx21,x5,#8\t\t// j=num-1 and clear borrow\n\tmov\tx1,x0\n.Lsub:\n\tsbcs\tx8,x23,x14\t\t// tp[j]-np[j]\n\tldr\tx23,[x22],#8\n\tsub\tx21,x21,#8\t\t// j--\n\tldr\tx14,[x3],#8\n\tstr\tx8,[x1],#8\t\t// rp[j]=tp[j]-np[j]\n\tcbnz\tx21,.Lsub\n\n\tsbcs\tx8,x23,x14\n\tsbcs\tx19,x19,xzr\t\t// did it borrow?\n\tstr\tx8,[x1],#8\t\t// rp[num-1]\n\n\tldr\tx23,[sp]\t\t// tp[0]\n\tadd\tx22,sp,#8\n\tldr\tx8,[x0],#8\t\t// rp[0]\n\tsub\tx5,x5,#8\t\t// num--\n\tnop\n.Lcond_copy:\n\tsub\tx5,x5,#8\t\t// num--\n\tcsel\tx14,x23,x8,lo\t\t// did it borrow?\n\tldr\tx23,[x22],#8\n\tldr\tx8,[x0],#8\n\tstr\txzr,[x22,#-16]\t\t// wipe tp\n\tstr\tx14,[x0,#-16]\n\tcbnz\tx5,.Lcond_copy\n\n\tcsel\tx14,x23,x8,lo\n\tstr\txzr,[x22,#-8]\t\t// wipe tp\n\tstr\tx14,[x0,#-8]\n\n\tldp\tx19,x20,[x29,#16]\n\tmov\tsp,x29\n\tldp\tx21,x22,[x29,#32]\n\tmov\tx0,#1\n\tldp\tx23,x24,[x29,#48]\n\tldr\tx29,[sp],#64\n\tAARCH64_VALIDATE_LINK_REGISTER\n\tret\n.size\tbn_mul_mont,.-bn_mul_mont\n.type\t__bn_sqr8x_mont,%function\n.align\t5\n__bn_sqr8x_mont:\n\t// Not adding AARCH64_SIGN_LINK_REGISTER here because __bn_sqr8x_mont is jumped to\n\t// only from bn_mul_mont which has already signed the return address.\n\tcmp\tx1,x2\n\tb.ne\t__bn_mul4x_mont\n.Lsqr8x_mont:\n\tstp\tx29,x30,[sp,#-128]!\n\tadd\tx29,sp,#0\n\tstp\tx19,x20,[sp,#16]\n\tstp\tx21,x22,[sp,#32]\n\tstp\tx23,x24,[sp,#48]\n\tstp\tx25,x26,[sp,#64]\n\tstp\tx27,x28,[sp,#80]\n\tstp\tx0,x3,[sp,#96]\t// offload rp and np\n\n\tldp\tx6,x7,[x1,#8*0]\n\tldp\tx8,x9,[x1,#8*2]\n\tldp\tx10,x11,[x1,#8*4]\n\tldp\tx12,x13,[x1,#8*6]\n\n\tsub\tx2,sp,x5,lsl#4\n\tlsl\tx5,x5,#3\n\tldr\tx4,[x4]\t\t// *n0\n\tmov\tsp,x2\t\t\t// alloca\n\tsub\tx27,x5,#8*8\n\tb\t.Lsqr8x_zero_start\n\n.Lsqr8x_zero:\n\tsub\tx27,x27,#8*8\n\tstp\txzr,xzr,[x2,#8*0]\n\tstp\txzr,xzr,[x2,#8*2]\n\tstp\txzr,xzr,[x2,#8*4]\n\tstp\txzr,xzr,[x2,#8*6]\n.Lsqr8x_zero_start:\n\tstp\txzr,xzr,[x2,#8*8]\n\tstp\txzr,xzr,[x2,#8*10]\n\tstp\txzr,xzr,[x2,#8*12]\n\tstp\txzr,xzr,[x2,#8*14]\n\tadd\tx2,x2,#8*16\n\tcbnz\tx27,.Lsqr8x_zero\n\n\tadd\tx3,x1,x5\n\tadd\tx1,x1,#8*8\n\tmov\tx19,xzr\n\tmov\tx20,xzr\n\tmov\tx21,xzr\n\tmov\tx22,xzr\n\tmov\tx23,xzr\n\tmov\tx24,xzr\n\tmov\tx25,xzr\n\tmov\tx26,xzr\n\tmov\tx2,sp\n\tstr\tx4,[x29,#112]\t\t// offload n0\n\n\t// Multiply everything but a[i]*a[i]\n.align\t4\n.Lsqr8x_outer_loop:\n // a[1]a[0]\t(i)\n // a[2]a[0]\n // a[3]a[0]\n // a[4]a[0]\n // a[5]a[0]\n // a[6]a[0]\n // a[7]a[0]\n // a[2]a[1]\t\t(ii)\n // a[3]a[1]\n // a[4]a[1]\n // a[5]a[1]\n // a[6]a[1]\n // a[7]a[1]\n // a[3]a[2]\t\t\t(iii)\n // a[4]a[2]\n // a[5]a[2]\n // a[6]a[2]\n // a[7]a[2]\n // a[4]a[3]\t\t\t\t(iv)\n // a[5]a[3]\n // a[6]a[3]\n // a[7]a[3]\n // a[5]a[4]\t\t\t\t\t(v)\n // a[6]a[4]\n // a[7]a[4]\n // a[6]a[5]\t\t\t\t\t\t(vi)\n // a[7]a[5]\n // a[7]a[6]\t\t\t\t\t\t\t(vii)\n\n\tmul\tx14,x7,x6\t\t// lo(a[1..7]*a[0])\t\t(i)\n\tmul\tx15,x8,x6\n\tmul\tx16,x9,x6\n\tmul\tx17,x10,x6\n\tadds\tx20,x20,x14\t\t// t[1]+lo(a[1]*a[0])\n\tmul\tx14,x11,x6\n\tadcs\tx21,x21,x15\n\tmul\tx15,x12,x6\n\tadcs\tx22,x22,x16\n\tmul\tx16,x13,x6\n\tadcs\tx23,x23,x17\n\tumulh\tx17,x7,x6\t\t// hi(a[1..7]*a[0])\n\tadcs\tx24,x24,x14\n\tumulh\tx14,x8,x6\n\tadcs\tx25,x25,x15\n\tumulh\tx15,x9,x6\n\tadcs\tx26,x26,x16\n\tumulh\tx16,x10,x6\n\tstp\tx19,x20,[x2],#8*2\t// t[0..1]\n\tadc\tx19,xzr,xzr\t\t// t[8]\n\tadds\tx21,x21,x17\t\t// t[2]+lo(a[1]*a[0])\n\tumulh\tx17,x11,x6\n\tadcs\tx22,x22,x14\n\tumulh\tx14,x12,x6\n\tadcs\tx23,x23,x15\n\tumulh\tx15,x13,x6\n\tadcs\tx24,x24,x16\n\tmul\tx16,x8,x7\t\t// lo(a[2..7]*a[1])\t\t(ii)\n\tadcs\tx25,x25,x17\n\tmul\tx17,x9,x7\n\tadcs\tx26,x26,x14\n\tmul\tx14,x10,x7\n\tadc\tx19,x19,x15\n\n\tmul\tx15,x11,x7\n\tadds\tx22,x22,x16\n\tmul\tx16,x12,x7\n\tadcs\tx23,x23,x17\n\tmul\tx17,x13,x7\n\tadcs\tx24,x24,x14\n\tumulh\tx14,x8,x7\t\t// hi(a[2..7]*a[1])\n\tadcs\tx25,x25,x15\n\tumulh\tx15,x9,x7\n\tadcs\tx26,x26,x16\n\tumulh\tx16,x10,x7\n\tadcs\tx19,x19,x17\n\tumulh\tx17,x11,x7\n\tstp\tx21,x22,[x2],#8*2\t// t[2..3]\n\tadc\tx20,xzr,xzr\t\t// t[9]\n\tadds\tx23,x23,x14\n\tumulh\tx14,x12,x7\n\tadcs\tx24,x24,x15\n\tumulh\tx15,x13,x7\n\tadcs\tx25,x25,x16\n\tmul\tx16,x9,x8\t\t// lo(a[3..7]*a[2])\t\t(iii)\n\tadcs\tx26,x26,x17\n\tmul\tx17,x10,x8\n\tadcs\tx19,x19,x14\n\tmul\tx14,x11,x8\n\tadc\tx20,x20,x15\n\n\tmul\tx15,x12,x8\n\tadds\tx24,x24,x16\n\tmul\tx16,x13,x8\n\tadcs\tx25,x25,x17\n\tumulh\tx17,x9,x8\t\t// hi(a[3..7]*a[2])\n\tadcs\tx26,x26,x14\n\tumulh\tx14,x10,x8\n\tadcs\tx19,x19,x15\n\tumulh\tx15,x11,x8\n\tadcs\tx20,x20,x16\n\tumulh\tx16,x12,x8\n\tstp\tx23,x24,[x2],#8*2\t// t[4..5]\n\tadc\tx21,xzr,xzr\t\t// t[10]\n\tadds\tx25,x25,x17\n\tumulh\tx17,x13,x8\n\tadcs\tx26,x26,x14\n\tmul\tx14,x10,x9\t\t// lo(a[4..7]*a[3])\t\t(iv)\n\tadcs\tx19,x19,x15\n\tmul\tx15,x11,x9\n\tadcs\tx20,x20,x16\n\tmul\tx16,x12,x9\n\tadc\tx21,x21,x17\n\n\tmul\tx17,x13,x9\n\tadds\tx26,x26,x14\n\tumulh\tx14,x10,x9\t\t// hi(a[4..7]*a[3])\n\tadcs\tx19,x19,x15\n\tumulh\tx15,x11,x9\n\tadcs\tx20,x20,x16\n\tumulh\tx16,x12,x9\n\tadcs\tx21,x21,x17\n\tumulh\tx17,x13,x9\n\tstp\tx25,x26,[x2],#8*2\t// t[6..7]\n\tadc\tx22,xzr,xzr\t\t// t[11]\n\tadds\tx19,x19,x14\n\tmul\tx14,x11,x10\t\t// lo(a[5..7]*a[4])\t\t(v)\n\tadcs\tx20,x20,x15\n\tmul\tx15,x12,x10\n\tadcs\tx21,x21,x16\n\tmul\tx16,x13,x10\n\tadc\tx22,x22,x17\n\n\tumulh\tx17,x11,x10\t\t// hi(a[5..7]*a[4])\n\tadds\tx20,x20,x14\n\tumulh\tx14,x12,x10\n\tadcs\tx21,x21,x15\n\tumulh\tx15,x13,x10\n\tadcs\tx22,x22,x16\n\tmul\tx16,x12,x11\t\t// lo(a[6..7]*a[5])\t\t(vi)\n\tadc\tx23,xzr,xzr\t\t// t[12]\n\tadds\tx21,x21,x17\n\tmul\tx17,x13,x11\n\tadcs\tx22,x22,x14\n\tumulh\tx14,x12,x11\t\t// hi(a[6..7]*a[5])\n\tadc\tx23,x23,x15\n\n\tumulh\tx15,x13,x11\n\tadds\tx22,x22,x16\n\tmul\tx16,x13,x12\t\t// lo(a[7]*a[6])\t\t(vii)\n\tadcs\tx23,x23,x17\n\tumulh\tx17,x13,x12\t\t// hi(a[7]*a[6])\n\tadc\tx24,xzr,xzr\t\t// t[13]\n\tadds\tx23,x23,x14\n\tsub\tx27,x3,x1\t// done yet?\n\tadc\tx24,x24,x15\n\n\tadds\tx24,x24,x16\n\tsub\tx14,x3,x5\t// rewinded ap\n\tadc\tx25,xzr,xzr\t\t// t[14]\n\tadd\tx25,x25,x17\n\n\tcbz\tx27,.Lsqr8x_outer_break\n\n\tmov\tx4,x6\n\tldp\tx6,x7,[x2,#8*0]\n\tldp\tx8,x9,[x2,#8*2]\n\tldp\tx10,x11,[x2,#8*4]\n\tldp\tx12,x13,[x2,#8*6]\n\tadds\tx19,x19,x6\n\tadcs\tx20,x20,x7\n\tldp\tx6,x7,[x1,#8*0]\n\tadcs\tx21,x21,x8\n\tadcs\tx22,x22,x9\n\tldp\tx8,x9,[x1,#8*2]\n\tadcs\tx23,x23,x10\n\tadcs\tx24,x24,x11\n\tldp\tx10,x11,[x1,#8*4]\n\tadcs\tx25,x25,x12\n\tmov\tx0,x1\n\tadcs\tx26,xzr,x13\n\tldp\tx12,x13,[x1,#8*6]\n\tadd\tx1,x1,#8*8\n\t//adc\tx28,xzr,xzr\t\t// moved below\n\tmov\tx27,#-8*8\n\n\t// a[8]a[0]\n\t// a[9]a[0]\n\t// a[a]a[0]\n\t// a[b]a[0]\n\t// a[c]a[0]\n\t// a[d]a[0]\n\t// a[e]a[0]\n\t// a[f]a[0]\n\t// a[8]a[1]\n\t// a[f]a[1]........................\n\t// a[8]a[2]\n\t// a[f]a[2]........................\n\t// a[8]a[3]\n\t// a[f]a[3]........................\n\t// a[8]a[4]\n\t// a[f]a[4]........................\n\t// a[8]a[5]\n\t// a[f]a[5]........................\n\t// a[8]a[6]\n\t// a[f]a[6]........................\n\t// a[8]a[7]\n\t// a[f]a[7]........................\n.Lsqr8x_mul:\n\tmul\tx14,x6,x4\n\tadc\tx28,xzr,xzr\t\t// carry bit, modulo-scheduled\n\tmul\tx15,x7,x4\n\tadd\tx27,x27,#8\n\tmul\tx16,x8,x4\n\tmul\tx17,x9,x4\n\tadds\tx19,x19,x14\n\tmul\tx14,x10,x4\n\tadcs\tx20,x20,x15\n\tmul\tx15,x11,x4\n\tadcs\tx21,x21,x16\n\tmul\tx16,x12,x4\n\tadcs\tx22,x22,x17\n\tmul\tx17,x13,x4\n\tadcs\tx23,x23,x14\n\tumulh\tx14,x6,x4\n\tadcs\tx24,x24,x15\n\tumulh\tx15,x7,x4\n\tadcs\tx25,x25,x16\n\tumulh\tx16,x8,x4\n\tadcs\tx26,x26,x17\n\tumulh\tx17,x9,x4\n\tadc\tx28,x28,xzr\n\tstr\tx19,[x2],#8\n\tadds\tx19,x20,x14\n\tumulh\tx14,x10,x4\n\tadcs\tx20,x21,x15\n\tumulh\tx15,x11,x4\n\tadcs\tx21,x22,x16\n\tumulh\tx16,x12,x4\n\tadcs\tx22,x23,x17\n\tumulh\tx17,x13,x4\n\tldr\tx4,[x0,x27]\n\tadcs\tx23,x24,x14\n\tadcs\tx24,x25,x15\n\tadcs\tx25,x26,x16\n\tadcs\tx26,x28,x17\n\t//adc\tx28,xzr,xzr\t\t// moved above\n\tcbnz\tx27,.Lsqr8x_mul\n\t\t\t\t\t// note that carry flag is guaranteed\n\t\t\t\t\t// to be zero at this point\n\tcmp\tx1,x3\t\t// done yet?\n\tb.eq\t.Lsqr8x_break\n\n\tldp\tx6,x7,[x2,#8*0]\n\tldp\tx8,x9,[x2,#8*2]\n\tldp\tx10,x11,[x2,#8*4]\n\tldp\tx12,x13,[x2,#8*6]\n\tadds\tx19,x19,x6\n\tldr\tx4,[x0,#-8*8]\n\tadcs\tx20,x20,x7\n\tldp\tx6,x7,[x1,#8*0]\n\tadcs\tx21,x21,x8\n\tadcs\tx22,x22,x9\n\tldp\tx8,x9,[x1,#8*2]\n\tadcs\tx23,x23,x10\n\tadcs\tx24,x24,x11\n\tldp\tx10,x11,[x1,#8*4]\n\tadcs\tx25,x25,x12\n\tmov\tx27,#-8*8\n\tadcs\tx26,x26,x13\n\tldp\tx12,x13,[x1,#8*6]\n\tadd\tx1,x1,#8*8\n\t//adc\tx28,xzr,xzr\t\t// moved above\n\tb\t.Lsqr8x_mul\n\n.align\t4\n.Lsqr8x_break:\n\tldp\tx6,x7,[x0,#8*0]\n\tadd\tx1,x0,#8*8\n\tldp\tx8,x9,[x0,#8*2]\n\tsub\tx14,x3,x1\t\t// is it last iteration?\n\tldp\tx10,x11,[x0,#8*4]\n\tsub\tx15,x2,x14\n\tldp\tx12,x13,[x0,#8*6]\n\tcbz\tx14,.Lsqr8x_outer_loop\n\n\tstp\tx19,x20,[x2,#8*0]\n\tldp\tx19,x20,[x15,#8*0]\n\tstp\tx21,x22,[x2,#8*2]\n\tldp\tx21,x22,[x15,#8*2]\n\tstp\tx23,x24,[x2,#8*4]\n\tldp\tx23,x24,[x15,#8*4]\n\tstp\tx25,x26,[x2,#8*6]\n\tmov\tx2,x15\n\tldp\tx25,x26,[x15,#8*6]\n\tb\t.Lsqr8x_outer_loop\n\n.align\t4\n.Lsqr8x_outer_break:\n\t// Now multiply above result by 2 and add a[n-1]*a[n-1]|...|a[0]*a[0]\n\tldp\tx7,x9,[x14,#8*0]\t// recall that x14 is &a[0]\n\tldp\tx15,x16,[sp,#8*1]\n\tldp\tx11,x13,[x14,#8*2]\n\tadd\tx1,x14,#8*4\n\tldp\tx17,x14,[sp,#8*3]\n\n\tstp\tx19,x20,[x2,#8*0]\n\tmul\tx19,x7,x7\n\tstp\tx21,x22,[x2,#8*2]\n\tumulh\tx7,x7,x7\n\tstp\tx23,x24,[x2,#8*4]\n\tmul\tx8,x9,x9\n\tstp\tx25,x26,[x2,#8*6]\n\tmov\tx2,sp\n\tumulh\tx9,x9,x9\n\tadds\tx20,x7,x15,lsl#1\n\textr\tx15,x16,x15,#63\n\tsub\tx27,x5,#8*4\n\n.Lsqr4x_shift_n_add:\n\tadcs\tx21,x8,x15\n\textr\tx16,x17,x16,#63\n\tsub\tx27,x27,#8*4\n\tadcs\tx22,x9,x16\n\tldp\tx15,x16,[x2,#8*5]\n\tmul\tx10,x11,x11\n\tldp\tx7,x9,[x1],#8*2\n\tumulh\tx11,x11,x11\n\tmul\tx12,x13,x13\n\tumulh\tx13,x13,x13\n\textr\tx17,x14,x17,#63\n\tstp\tx19,x20,[x2,#8*0]\n\tadcs\tx23,x10,x17\n\textr\tx14,x15,x14,#63\n\tstp\tx21,x22,[x2,#8*2]\n\tadcs\tx24,x11,x14\n\tldp\tx17,x14,[x2,#8*7]\n\textr\tx15,x16,x15,#63\n\tadcs\tx25,x12,x15\n\textr\tx16,x17,x16,#63\n\tadcs\tx26,x13,x16\n\tldp\tx15,x16,[x2,#8*9]\n\tmul\tx6,x7,x7\n\tldp\tx11,x13,[x1],#8*2\n\tumulh\tx7,x7,x7\n\tmul\tx8,x9,x9\n\tumulh\tx9,x9,x9\n\tstp\tx23,x24,[x2,#8*4]\n\textr\tx17,x14,x17,#63\n\tstp\tx25,x26,[x2,#8*6]\n\tadd\tx2,x2,#8*8\n\tadcs\tx19,x6,x17\n\textr\tx14,x15,x14,#63\n\tadcs\tx20,x7,x14\n\tldp\tx17,x14,[x2,#8*3]\n\textr\tx15,x16,x15,#63\n\tcbnz\tx27,.Lsqr4x_shift_n_add\n\tldp\tx1,x4,[x29,#104]\t// pull np and n0\n\n\tadcs\tx21,x8,x15\n\textr\tx16,x17,x16,#63\n\tadcs\tx22,x9,x16\n\tldp\tx15,x16,[x2,#8*5]\n\tmul\tx10,x11,x11\n\tumulh\tx11,x11,x11\n\tstp\tx19,x20,[x2,#8*0]\n\tmul\tx12,x13,x13\n\tumulh\tx13,x13,x13\n\tstp\tx21,x22,[x2,#8*2]\n\textr\tx17,x14,x17,#63\n\tadcs\tx23,x10,x17\n\textr\tx14,x15,x14,#63\n\tldp\tx19,x20,[sp,#8*0]\n\tadcs\tx24,x11,x14\n\textr\tx15,x16,x15,#63\n\tldp\tx6,x7,[x1,#8*0]\n\tadcs\tx25,x12,x15\n\textr\tx16,xzr,x16,#63\n\tldp\tx8,x9,[x1,#8*2]\n\tadc\tx26,x13,x16\n\tldp\tx10,x11,[x1,#8*4]\n\n\t// Reduce by 512 bits per iteration\n\tmul\tx28,x4,x19\t\t// t[0]*n0\n\tldp\tx12,x13,[x1,#8*6]\n\tadd\tx3,x1,x5\n\tldp\tx21,x22,[sp,#8*2]\n\tstp\tx23,x24,[x2,#8*4]\n\tldp\tx23,x24,[sp,#8*4]\n\tstp\tx25,x26,[x2,#8*6]\n\tldp\tx25,x26,[sp,#8*6]\n\tadd\tx1,x1,#8*8\n\tmov\tx30,xzr\t\t// initial top-most carry\n\tmov\tx2,sp\n\tmov\tx27,#8\n\n.Lsqr8x_reduction:\n\t// (*)\tmul\tx14,x6,x28\t// lo(n[0-7])*lo(t[0]*n0)\n\tmul\tx15,x7,x28\n\tsub\tx27,x27,#1\n\tmul\tx16,x8,x28\n\tstr\tx28,[x2],#8\t\t// put aside t[0]*n0 for tail processing\n\tmul\tx17,x9,x28\n\t// (*)\tadds\txzr,x19,x14\n\tsubs\txzr,x19,#1\t\t// (*)\n\tmul\tx14,x10,x28\n\tadcs\tx19,x20,x15\n\tmul\tx15,x11,x28\n\tadcs\tx20,x21,x16\n\tmul\tx16,x12,x28\n\tadcs\tx21,x22,x17\n\tmul\tx17,x13,x28\n\tadcs\tx22,x23,x14\n\tumulh\tx14,x6,x28\t\t// hi(n[0-7])*lo(t[0]*n0)\n\tadcs\tx23,x24,x15\n\tumulh\tx15,x7,x28\n\tadcs\tx24,x25,x16\n\tumulh\tx16,x8,x28\n\tadcs\tx25,x26,x17\n\tumulh\tx17,x9,x28\n\tadc\tx26,xzr,xzr\n\tadds\tx19,x19,x14\n\tumulh\tx14,x10,x28\n\tadcs\tx20,x20,x15\n\tumulh\tx15,x11,x28\n\tadcs\tx21,x21,x16\n\tumulh\tx16,x12,x28\n\tadcs\tx22,x22,x17\n\tumulh\tx17,x13,x28\n\tmul\tx28,x4,x19\t\t// next t[0]*n0\n\tadcs\tx23,x23,x14\n\tadcs\tx24,x24,x15\n\tadcs\tx25,x25,x16\n\tadc\tx26,x26,x17\n\tcbnz\tx27,.Lsqr8x_reduction\n\n\tldp\tx14,x15,[x2,#8*0]\n\tldp\tx16,x17,[x2,#8*2]\n\tmov\tx0,x2\n\tsub\tx27,x3,x1\t// done yet?\n\tadds\tx19,x19,x14\n\tadcs\tx20,x20,x15\n\tldp\tx14,x15,[x2,#8*4]\n\tadcs\tx21,x21,x16\n\tadcs\tx22,x22,x17\n\tldp\tx16,x17,[x2,#8*6]\n\tadcs\tx23,x23,x14\n\tadcs\tx24,x24,x15\n\tadcs\tx25,x25,x16\n\tadcs\tx26,x26,x17\n\t//adc\tx28,xzr,xzr\t\t// moved below\n\tcbz\tx27,.Lsqr8x8_post_condition\n\n\tldr\tx4,[x2,#-8*8]\n\tldp\tx6,x7,[x1,#8*0]\n\tldp\tx8,x9,[x1,#8*2]\n\tldp\tx10,x11,[x1,#8*4]\n\tmov\tx27,#-8*8\n\tldp\tx12,x13,[x1,#8*6]\n\tadd\tx1,x1,#8*8\n\n.Lsqr8x_tail:\n\tmul\tx14,x6,x4\n\tadc\tx28,xzr,xzr\t\t// carry bit, modulo-scheduled\n\tmul\tx15,x7,x4\n\tadd\tx27,x27,#8\n\tmul\tx16,x8,x4\n\tmul\tx17,x9,x4\n\tadds\tx19,x19,x14\n\tmul\tx14,x10,x4\n\tadcs\tx20,x20,x15\n\tmul\tx15,x11,x4\n\tadcs\tx21,x21,x16\n\tmul\tx16,x12,x4\n\tadcs\tx22,x22,x17\n\tmul\tx17,x13,x4\n\tadcs\tx23,x23,x14\n\tumulh\tx14,x6,x4\n\tadcs\tx24,x24,x15\n\tumulh\tx15,x7,x4\n\tadcs\tx25,x25,x16\n\tumulh\tx16,x8,x4\n\tadcs\tx26,x26,x17\n\tumulh\tx17,x9,x4\n\tadc\tx28,x28,xzr\n\tstr\tx19,[x2],#8\n\tadds\tx19,x20,x14\n\tumulh\tx14,x10,x4\n\tadcs\tx20,x21,x15\n\tumulh\tx15,x11,x4\n\tadcs\tx21,x22,x16\n\tumulh\tx16,x12,x4\n\tadcs\tx22,x23,x17\n\tumulh\tx17,x13,x4\n\tldr\tx4,[x0,x27]\n\tadcs\tx23,x24,x14\n\tadcs\tx24,x25,x15\n\tadcs\tx25,x26,x16\n\tadcs\tx26,x28,x17\n\t//adc\tx28,xzr,xzr\t\t// moved above\n\tcbnz\tx27,.Lsqr8x_tail\n\t\t\t\t\t// note that carry flag is guaranteed\n\t\t\t\t\t// to be zero at this point\n\tldp\tx6,x7,[x2,#8*0]\n\tsub\tx27,x3,x1\t// done yet?\n\tsub\tx16,x3,x5\t// rewinded np\n\tldp\tx8,x9,[x2,#8*2]\n\tldp\tx10,x11,[x2,#8*4]\n\tldp\tx12,x13,[x2,#8*6]\n\tcbz\tx27,.Lsqr8x_tail_break\n\n\tldr\tx4,[x0,#-8*8]\n\tadds\tx19,x19,x6\n\tadcs\tx20,x20,x7\n\tldp\tx6,x7,[x1,#8*0]\n\tadcs\tx21,x21,x8\n\tadcs\tx22,x22,x9\n\tldp\tx8,x9,[x1,#8*2]\n\tadcs\tx23,x23,x10\n\tadcs\tx24,x24,x11\n\tldp\tx10,x11,[x1,#8*4]\n\tadcs\tx25,x25,x12\n\tmov\tx27,#-8*8\n\tadcs\tx26,x26,x13\n\tldp\tx12,x13,[x1,#8*6]\n\tadd\tx1,x1,#8*8\n\t//adc\tx28,xzr,xzr\t\t// moved above\n\tb\t.Lsqr8x_tail\n\n.align\t4\n.Lsqr8x_tail_break:\n\tldr\tx4,[x29,#112]\t\t// pull n0\n\tadd\tx27,x2,#8*8\t\t// end of current t[num] window\n\n\tsubs\txzr,x30,#1\t\t// \"move\" top-most carry to carry bit\n\tadcs\tx14,x19,x6\n\tadcs\tx15,x20,x7\n\tldp\tx19,x20,[x0,#8*0]\n\tadcs\tx21,x21,x8\n\tldp\tx6,x7,[x16,#8*0]\t// recall that x16 is &n[0]\n\tadcs\tx22,x22,x9\n\tldp\tx8,x9,[x16,#8*2]\n\tadcs\tx23,x23,x10\n\tadcs\tx24,x24,x11\n\tldp\tx10,x11,[x16,#8*4]\n\tadcs\tx25,x25,x12\n\tadcs\tx26,x26,x13\n\tldp\tx12,x13,[x16,#8*6]\n\tadd\tx1,x16,#8*8\n\tadc\tx30,xzr,xzr\t// top-most carry\n\tmul\tx28,x4,x19\n\tstp\tx14,x15,[x2,#8*0]\n\tstp\tx21,x22,[x2,#8*2]\n\tldp\tx21,x22,[x0,#8*2]\n\tstp\tx23,x24,[x2,#8*4]\n\tldp\tx23,x24,[x0,#8*4]\n\tcmp\tx27,x29\t\t// did we hit the bottom?\n\tstp\tx25,x26,[x2,#8*6]\n\tmov\tx2,x0\t\t\t// slide the window\n\tldp\tx25,x26,[x0,#8*6]\n\tmov\tx27,#8\n\tb.ne\t.Lsqr8x_reduction\n\n\t// Final step. We see if result is larger than modulus, and\n\t// if it is, subtract the modulus. But comparison implies\n\t// subtraction. So we subtract modulus, see if it borrowed,\n\t// and conditionally copy original value.\n\tldr\tx0,[x29,#96]\t\t// pull rp\n\tadd\tx2,x2,#8*8\n\tsubs\tx14,x19,x6\n\tsbcs\tx15,x20,x7\n\tsub\tx27,x5,#8*8\n\tmov\tx3,x0\t\t// x0 copy\n\n.Lsqr8x_sub:\n\tsbcs\tx16,x21,x8\n\tldp\tx6,x7,[x1,#8*0]\n\tsbcs\tx17,x22,x9\n\tstp\tx14,x15,[x0,#8*0]\n\tsbcs\tx14,x23,x10\n\tldp\tx8,x9,[x1,#8*2]\n\tsbcs\tx15,x24,x11\n\tstp\tx16,x17,[x0,#8*2]\n\tsbcs\tx16,x25,x12\n\tldp\tx10,x11,[x1,#8*4]\n\tsbcs\tx17,x26,x13\n\tldp\tx12,x13,[x1,#8*6]\n\tadd\tx1,x1,#8*8\n\tldp\tx19,x20,[x2,#8*0]\n\tsub\tx27,x27,#8*8\n\tldp\tx21,x22,[x2,#8*2]\n\tldp\tx23,x24,[x2,#8*4]\n\tldp\tx25,x26,[x2,#8*6]\n\tadd\tx2,x2,#8*8\n\tstp\tx14,x15,[x0,#8*4]\n\tsbcs\tx14,x19,x6\n\tstp\tx16,x17,[x0,#8*6]\n\tadd\tx0,x0,#8*8\n\tsbcs\tx15,x20,x7\n\tcbnz\tx27,.Lsqr8x_sub\n\n\tsbcs\tx16,x21,x8\n\tmov\tx2,sp\n\tadd\tx1,sp,x5\n\tldp\tx6,x7,[x3,#8*0]\n\tsbcs\tx17,x22,x9\n\tstp\tx14,x15,[x0,#8*0]\n\tsbcs\tx14,x23,x10\n\tldp\tx8,x9,[x3,#8*2]\n\tsbcs\tx15,x24,x11\n\tstp\tx16,x17,[x0,#8*2]\n\tsbcs\tx16,x25,x12\n\tldp\tx19,x20,[x1,#8*0]\n\tsbcs\tx17,x26,x13\n\tldp\tx21,x22,[x1,#8*2]\n\tsbcs\txzr,x30,xzr\t// did it borrow?\n\tldr\tx30,[x29,#8]\t\t// pull return address\n\tstp\tx14,x15,[x0,#8*4]\n\tstp\tx16,x17,[x0,#8*6]\n\n\tsub\tx27,x5,#8*4\n.Lsqr4x_cond_copy:\n\tsub\tx27,x27,#8*4\n\tcsel\tx14,x19,x6,lo\n\tstp\txzr,xzr,[x2,#8*0]\n\tcsel\tx15,x20,x7,lo\n\tldp\tx6,x7,[x3,#8*4]\n\tldp\tx19,x20,[x1,#8*4]\n\tcsel\tx16,x21,x8,lo\n\tstp\txzr,xzr,[x2,#8*2]\n\tadd\tx2,x2,#8*4\n\tcsel\tx17,x22,x9,lo\n\tldp\tx8,x9,[x3,#8*6]\n\tldp\tx21,x22,[x1,#8*6]\n\tadd\tx1,x1,#8*4\n\tstp\tx14,x15,[x3,#8*0]\n\tstp\tx16,x17,[x3,#8*2]\n\tadd\tx3,x3,#8*4\n\tstp\txzr,xzr,[x1,#8*0]\n\tstp\txzr,xzr,[x1,#8*2]\n\tcbnz\tx27,.Lsqr4x_cond_copy\n\n\tcsel\tx14,x19,x6,lo\n\tstp\txzr,xzr,[x2,#8*0]\n\tcsel\tx15,x20,x7,lo\n\tstp\txzr,xzr,[x2,#8*2]\n\tcsel\tx16,x21,x8,lo\n\tcsel\tx17,x22,x9,lo\n\tstp\tx14,x15,[x3,#8*0]\n\tstp\tx16,x17,[x3,#8*2]\n\n\tb\t.Lsqr8x_done\n\n.align\t4\n.Lsqr8x8_post_condition:\n\tadc\tx28,xzr,xzr\n\tldr\tx30,[x29,#8]\t\t// pull return address\n\t// x19-7,x28 hold result, x6-7 hold modulus\n\tsubs\tx6,x19,x6\n\tldr\tx1,[x29,#96]\t\t// pull rp\n\tsbcs\tx7,x20,x7\n\tstp\txzr,xzr,[sp,#8*0]\n\tsbcs\tx8,x21,x8\n\tstp\txzr,xzr,[sp,#8*2]\n\tsbcs\tx9,x22,x9\n\tstp\txzr,xzr,[sp,#8*4]\n\tsbcs\tx10,x23,x10\n\tstp\txzr,xzr,[sp,#8*6]\n\tsbcs\tx11,x24,x11\n\tstp\txzr,xzr,[sp,#8*8]\n\tsbcs\tx12,x25,x12\n\tstp\txzr,xzr,[sp,#8*10]\n\tsbcs\tx13,x26,x13\n\tstp\txzr,xzr,[sp,#8*12]\n\tsbcs\tx28,x28,xzr\t// did it borrow?\n\tstp\txzr,xzr,[sp,#8*14]\n\n\t// x6-7 hold result-modulus\n\tcsel\tx6,x19,x6,lo\n\tcsel\tx7,x20,x7,lo\n\tcsel\tx8,x21,x8,lo\n\tcsel\tx9,x22,x9,lo\n\tstp\tx6,x7,[x1,#8*0]\n\tcsel\tx10,x23,x10,lo\n\tcsel\tx11,x24,x11,lo\n\tstp\tx8,x9,[x1,#8*2]\n\tcsel\tx12,x25,x12,lo\n\tcsel\tx13,x26,x13,lo\n\tstp\tx10,x11,[x1,#8*4]\n\tstp\tx12,x13,[x1,#8*6]\n\n.Lsqr8x_done:\n\tldp\tx19,x20,[x29,#16]\n\tmov\tsp,x29\n\tldp\tx21,x22,[x29,#32]\n\tmov\tx0,#1\n\tldp\tx23,x24,[x29,#48]\n\tldp\tx25,x26,[x29,#64]\n\tldp\tx27,x28,[x29,#80]\n\tldr\tx29,[sp],#128\n\t// x30 is popped earlier\n\tAARCH64_VALIDATE_LINK_REGISTER\n\tret\n.size\t__bn_sqr8x_mont,.-__bn_sqr8x_mont\n.type\t__bn_mul4x_mont,%function\n.align\t5\n__bn_mul4x_mont:\n\t// Not adding AARCH64_SIGN_LINK_REGISTER here because __bn_mul4x_mont is jumped to\n\t// only from bn_mul_mont or __bn_mul8x_mont which have already signed the\n\t// return address.\n\tstp\tx29,x30,[sp,#-128]!\n\tadd\tx29,sp,#0\n\tstp\tx19,x20,[sp,#16]\n\tstp\tx21,x22,[sp,#32]\n\tstp\tx23,x24,[sp,#48]\n\tstp\tx25,x26,[sp,#64]\n\tstp\tx27,x28,[sp,#80]\n\n\tsub\tx26,sp,x5,lsl#3\n\tlsl\tx5,x5,#3\n\tldr\tx4,[x4]\t\t// *n0\n\tsub\tsp,x26,#8*4\t\t// alloca\n\n\tadd\tx10,x2,x5\n\tadd\tx27,x1,x5\n\tstp\tx0,x10,[x29,#96]\t// offload rp and &b[num]\n\n\tldr\tx24,[x2,#8*0]\t\t// b[0]\n\tldp\tx6,x7,[x1,#8*0]\t// a[0..3]\n\tldp\tx8,x9,[x1,#8*2]\n\tadd\tx1,x1,#8*4\n\tmov\tx19,xzr\n\tmov\tx20,xzr\n\tmov\tx21,xzr\n\tmov\tx22,xzr\n\tldp\tx14,x15,[x3,#8*0]\t// n[0..3]\n\tldp\tx16,x17,[x3,#8*2]\n\tadds\tx3,x3,#8*4\t\t// clear carry bit\n\tmov\tx0,xzr\n\tmov\tx28,#0\n\tmov\tx26,sp\n\n.Loop_mul4x_1st_reduction:\n\tmul\tx10,x6,x24\t\t// lo(a[0..3]*b[0])\n\tadc\tx0,x0,xzr\t// modulo-scheduled\n\tmul\tx11,x7,x24\n\tadd\tx28,x28,#8\n\tmul\tx12,x8,x24\n\tand\tx28,x28,#31\n\tmul\tx13,x9,x24\n\tadds\tx19,x19,x10\n\tumulh\tx10,x6,x24\t\t// hi(a[0..3]*b[0])\n\tadcs\tx20,x20,x11\n\tmul\tx25,x19,x4\t\t// t[0]*n0\n\tadcs\tx21,x21,x12\n\tumulh\tx11,x7,x24\n\tadcs\tx22,x22,x13\n\tumulh\tx12,x8,x24\n\tadc\tx23,xzr,xzr\n\tumulh\tx13,x9,x24\n\tldr\tx24,[x2,x28]\t\t// next b[i] (or b[0])\n\tadds\tx20,x20,x10\n\t// (*)\tmul\tx10,x14,x25\t// lo(n[0..3]*t[0]*n0)\n\tstr\tx25,[x26],#8\t\t// put aside t[0]*n0 for tail processing\n\tadcs\tx21,x21,x11\n\tmul\tx11,x15,x25\n\tadcs\tx22,x22,x12\n\tmul\tx12,x16,x25\n\tadc\tx23,x23,x13\t\t// can't overflow\n\tmul\tx13,x17,x25\n\t// (*)\tadds\txzr,x19,x10\n\tsubs\txzr,x19,#1\t\t// (*)\n\tumulh\tx10,x14,x25\t\t// hi(n[0..3]*t[0]*n0)\n\tadcs\tx19,x20,x11\n\tumulh\tx11,x15,x25\n\tadcs\tx20,x21,x12\n\tumulh\tx12,x16,x25\n\tadcs\tx21,x22,x13\n\tumulh\tx13,x17,x25\n\tadcs\tx22,x23,x0\n\tadc\tx0,xzr,xzr\n\tadds\tx19,x19,x10\n\tsub\tx10,x27,x1\n\tadcs\tx20,x20,x11\n\tadcs\tx21,x21,x12\n\tadcs\tx22,x22,x13\n\t//adc\tx0,x0,xzr\n\tcbnz\tx28,.Loop_mul4x_1st_reduction\n\n\tcbz\tx10,.Lmul4x4_post_condition\n\n\tldp\tx6,x7,[x1,#8*0]\t// a[4..7]\n\tldp\tx8,x9,[x1,#8*2]\n\tadd\tx1,x1,#8*4\n\tldr\tx25,[sp]\t\t// a[0]*n0\n\tldp\tx14,x15,[x3,#8*0]\t// n[4..7]\n\tldp\tx16,x17,[x3,#8*2]\n\tadd\tx3,x3,#8*4\n\n.Loop_mul4x_1st_tail:\n\tmul\tx10,x6,x24\t\t// lo(a[4..7]*b[i])\n\tadc\tx0,x0,xzr\t// modulo-scheduled\n\tmul\tx11,x7,x24\n\tadd\tx28,x28,#8\n\tmul\tx12,x8,x24\n\tand\tx28,x28,#31\n\tmul\tx13,x9,x24\n\tadds\tx19,x19,x10\n\tumulh\tx10,x6,x24\t\t// hi(a[4..7]*b[i])\n\tadcs\tx20,x20,x11\n\tumulh\tx11,x7,x24\n\tadcs\tx21,x21,x12\n\tumulh\tx12,x8,x24\n\tadcs\tx22,x22,x13\n\tumulh\tx13,x9,x24\n\tadc\tx23,xzr,xzr\n\tldr\tx24,[x2,x28]\t\t// next b[i] (or b[0])\n\tadds\tx20,x20,x10\n\tmul\tx10,x14,x25\t\t// lo(n[4..7]*a[0]*n0)\n\tadcs\tx21,x21,x11\n\tmul\tx11,x15,x25\n\tadcs\tx22,x22,x12\n\tmul\tx12,x16,x25\n\tadc\tx23,x23,x13\t\t// can't overflow\n\tmul\tx13,x17,x25\n\tadds\tx19,x19,x10\n\tumulh\tx10,x14,x25\t\t// hi(n[4..7]*a[0]*n0)\n\tadcs\tx20,x20,x11\n\tumulh\tx11,x15,x25\n\tadcs\tx21,x21,x12\n\tumulh\tx12,x16,x25\n\tadcs\tx22,x22,x13\n\tadcs\tx23,x23,x0\n\tumulh\tx13,x17,x25\n\tadc\tx0,xzr,xzr\n\tldr\tx25,[sp,x28]\t\t// next t[0]*n0\n\tstr\tx19,[x26],#8\t\t// result!!!\n\tadds\tx19,x20,x10\n\tsub\tx10,x27,x1\t\t// done yet?\n\tadcs\tx20,x21,x11\n\tadcs\tx21,x22,x12\n\tadcs\tx22,x23,x13\n\t//adc\tx0,x0,xzr\n\tcbnz\tx28,.Loop_mul4x_1st_tail\n\n\tsub\tx11,x27,x5\t// rewinded x1\n\tcbz\tx10,.Lmul4x_proceed\n\n\tldp\tx6,x7,[x1,#8*0]\n\tldp\tx8,x9,[x1,#8*2]\n\tadd\tx1,x1,#8*4\n\tldp\tx14,x15,[x3,#8*0]\n\tldp\tx16,x17,[x3,#8*2]\n\tadd\tx3,x3,#8*4\n\tb\t.Loop_mul4x_1st_tail\n\n.align\t5\n.Lmul4x_proceed:\n\tldr\tx24,[x2,#8*4]!\t\t// *++b\n\tadc\tx30,x0,xzr\n\tldp\tx6,x7,[x11,#8*0]\t// a[0..3]\n\tsub\tx3,x3,x5\t\t// rewind np\n\tldp\tx8,x9,[x11,#8*2]\n\tadd\tx1,x11,#8*4\n\n\tstp\tx19,x20,[x26,#8*0]\t// result!!!\n\tldp\tx19,x20,[sp,#8*4]\t// t[0..3]\n\tstp\tx21,x22,[x26,#8*2]\t// result!!!\n\tldp\tx21,x22,[sp,#8*6]\n\n\tldp\tx14,x15,[x3,#8*0]\t// n[0..3]\n\tmov\tx26,sp\n\tldp\tx16,x17,[x3,#8*2]\n\tadds\tx3,x3,#8*4\t\t// clear carry bit\n\tmov\tx0,xzr\n\n.align\t4\n.Loop_mul4x_reduction:\n\tmul\tx10,x6,x24\t\t// lo(a[0..3]*b[4])\n\tadc\tx0,x0,xzr\t// modulo-scheduled\n\tmul\tx11,x7,x24\n\tadd\tx28,x28,#8\n\tmul\tx12,x8,x24\n\tand\tx28,x28,#31\n\tmul\tx13,x9,x24\n\tadds\tx19,x19,x10\n\tumulh\tx10,x6,x24\t\t// hi(a[0..3]*b[4])\n\tadcs\tx20,x20,x11\n\tmul\tx25,x19,x4\t\t// t[0]*n0\n\tadcs\tx21,x21,x12\n\tumulh\tx11,x7,x24\n\tadcs\tx22,x22,x13\n\tumulh\tx12,x8,x24\n\tadc\tx23,xzr,xzr\n\tumulh\tx13,x9,x24\n\tldr\tx24,[x2,x28]\t\t// next b[i]\n\tadds\tx20,x20,x10\n\t// (*)\tmul\tx10,x14,x25\n\tstr\tx25,[x26],#8\t\t// put aside t[0]*n0 for tail processing\n\tadcs\tx21,x21,x11\n\tmul\tx11,x15,x25\t\t// lo(n[0..3]*t[0]*n0\n\tadcs\tx22,x22,x12\n\tmul\tx12,x16,x25\n\tadc\tx23,x23,x13\t\t// can't overflow\n\tmul\tx13,x17,x25\n\t// (*)\tadds\txzr,x19,x10\n\tsubs\txzr,x19,#1\t\t// (*)\n\tumulh\tx10,x14,x25\t\t// hi(n[0..3]*t[0]*n0\n\tadcs\tx19,x20,x11\n\tumulh\tx11,x15,x25\n\tadcs\tx20,x21,x12\n\tumulh\tx12,x16,x25\n\tadcs\tx21,x22,x13\n\tumulh\tx13,x17,x25\n\tadcs\tx22,x23,x0\n\tadc\tx0,xzr,xzr\n\tadds\tx19,x19,x10\n\tadcs\tx20,x20,x11\n\tadcs\tx21,x21,x12\n\tadcs\tx22,x22,x13\n\t//adc\tx0,x0,xzr\n\tcbnz\tx28,.Loop_mul4x_reduction\n\n\tadc\tx0,x0,xzr\n\tldp\tx10,x11,[x26,#8*4]\t// t[4..7]\n\tldp\tx12,x13,[x26,#8*6]\n\tldp\tx6,x7,[x1,#8*0]\t// a[4..7]\n\tldp\tx8,x9,[x1,#8*2]\n\tadd\tx1,x1,#8*4\n\tadds\tx19,x19,x10\n\tadcs\tx20,x20,x11\n\tadcs\tx21,x21,x12\n\tadcs\tx22,x22,x13\n\t//adc\tx0,x0,xzr\n\n\tldr\tx25,[sp]\t\t// t[0]*n0\n\tldp\tx14,x15,[x3,#8*0]\t// n[4..7]\n\tldp\tx16,x17,[x3,#8*2]\n\tadd\tx3,x3,#8*4\n\n.align\t4\n.Loop_mul4x_tail:\n\tmul\tx10,x6,x24\t\t// lo(a[4..7]*b[4])\n\tadc\tx0,x0,xzr\t// modulo-scheduled\n\tmul\tx11,x7,x24\n\tadd\tx28,x28,#8\n\tmul\tx12,x8,x24\n\tand\tx28,x28,#31\n\tmul\tx13,x9,x24\n\tadds\tx19,x19,x10\n\tumulh\tx10,x6,x24\t\t// hi(a[4..7]*b[4])\n\tadcs\tx20,x20,x11\n\tumulh\tx11,x7,x24\n\tadcs\tx21,x21,x12\n\tumulh\tx12,x8,x24\n\tadcs\tx22,x22,x13\n\tumulh\tx13,x9,x24\n\tadc\tx23,xzr,xzr\n\tldr\tx24,[x2,x28]\t\t// next b[i]\n\tadds\tx20,x20,x10\n\tmul\tx10,x14,x25\t\t// lo(n[4..7]*t[0]*n0)\n\tadcs\tx21,x21,x11\n\tmul\tx11,x15,x25\n\tadcs\tx22,x22,x12\n\tmul\tx12,x16,x25\n\tadc\tx23,x23,x13\t\t// can't overflow\n\tmul\tx13,x17,x25\n\tadds\tx19,x19,x10\n\tumulh\tx10,x14,x25\t\t// hi(n[4..7]*t[0]*n0)\n\tadcs\tx20,x20,x11\n\tumulh\tx11,x15,x25\n\tadcs\tx21,x21,x12\n\tumulh\tx12,x16,x25\n\tadcs\tx22,x22,x13\n\tumulh\tx13,x17,x25\n\tadcs\tx23,x23,x0\n\tldr\tx25,[sp,x28]\t\t// next a[0]*n0\n\tadc\tx0,xzr,xzr\n\tstr\tx19,[x26],#8\t\t// result!!!\n\tadds\tx19,x20,x10\n\tsub\tx10,x27,x1\t\t// done yet?\n\tadcs\tx20,x21,x11\n\tadcs\tx21,x22,x12\n\tadcs\tx22,x23,x13\n\t//adc\tx0,x0,xzr\n\tcbnz\tx28,.Loop_mul4x_tail\n\n\tsub\tx11,x3,x5\t\t// rewinded np?\n\tadc\tx0,x0,xzr\n\tcbz\tx10,.Loop_mul4x_break\n\n\tldp\tx10,x11,[x26,#8*4]\n\tldp\tx12,x13,[x26,#8*6]\n\tldp\tx6,x7,[x1,#8*0]\n\tldp\tx8,x9,[x1,#8*2]\n\tadd\tx1,x1,#8*4\n\tadds\tx19,x19,x10\n\tadcs\tx20,x20,x11\n\tadcs\tx21,x21,x12\n\tadcs\tx22,x22,x13\n\t//adc\tx0,x0,xzr\n\tldp\tx14,x15,[x3,#8*0]\n\tldp\tx16,x17,[x3,#8*2]\n\tadd\tx3,x3,#8*4\n\tb\t.Loop_mul4x_tail\n\n.align\t4\n.Loop_mul4x_break:\n\tldp\tx12,x13,[x29,#96]\t// pull rp and &b[num]\n\tadds\tx19,x19,x30\n\tadd\tx2,x2,#8*4\t\t// bp++\n\tadcs\tx20,x20,xzr\n\tsub\tx1,x1,x5\t\t// rewind ap\n\tadcs\tx21,x21,xzr\n\tstp\tx19,x20,[x26,#8*0]\t// result!!!\n\tadcs\tx22,x22,xzr\n\tldp\tx19,x20,[sp,#8*4]\t// t[0..3]\n\tadc\tx30,x0,xzr\n\tstp\tx21,x22,[x26,#8*2]\t// result!!!\n\tcmp\tx2,x13\t\t\t// done yet?\n\tldp\tx21,x22,[sp,#8*6]\n\tldp\tx14,x15,[x11,#8*0]\t// n[0..3]\n\tldp\tx16,x17,[x11,#8*2]\n\tadd\tx3,x11,#8*4\n\tb.eq\t.Lmul4x_post\n\n\tldr\tx24,[x2]\n\tldp\tx6,x7,[x1,#8*0]\t// a[0..3]\n\tldp\tx8,x9,[x1,#8*2]\n\tadds\tx1,x1,#8*4\t\t// clear carry bit\n\tmov\tx0,xzr\n\tmov\tx26,sp\n\tb\t.Loop_mul4x_reduction\n\n.align\t4\n.Lmul4x_post:\n\t// Final step. We see if result is larger than modulus, and\n\t// if it is, subtract the modulus. But comparison implies\n\t// subtraction. So we subtract modulus, see if it borrowed,\n\t// and conditionally copy original value.\n\tmov\tx0,x12\n\tmov\tx27,x12\t\t// x0 copy\n\tsubs\tx10,x19,x14\n\tadd\tx26,sp,#8*8\n\tsbcs\tx11,x20,x15\n\tsub\tx28,x5,#8*4\n\n.Lmul4x_sub:\n\tsbcs\tx12,x21,x16\n\tldp\tx14,x15,[x3,#8*0]\n\tsub\tx28,x28,#8*4\n\tldp\tx19,x20,[x26,#8*0]\n\tsbcs\tx13,x22,x17\n\tldp\tx16,x17,[x3,#8*2]\n\tadd\tx3,x3,#8*4\n\tldp\tx21,x22,[x26,#8*2]\n\tadd\tx26,x26,#8*4\n\tstp\tx10,x11,[x0,#8*0]\n\tsbcs\tx10,x19,x14\n\tstp\tx12,x13,[x0,#8*2]\n\tadd\tx0,x0,#8*4\n\tsbcs\tx11,x20,x15\n\tcbnz\tx28,.Lmul4x_sub\n\n\tsbcs\tx12,x21,x16\n\tmov\tx26,sp\n\tadd\tx1,sp,#8*4\n\tldp\tx6,x7,[x27,#8*0]\n\tsbcs\tx13,x22,x17\n\tstp\tx10,x11,[x0,#8*0]\n\tldp\tx8,x9,[x27,#8*2]\n\tstp\tx12,x13,[x0,#8*2]\n\tldp\tx19,x20,[x1,#8*0]\n\tldp\tx21,x22,[x1,#8*2]\n\tsbcs\txzr,x30,xzr\t// did it borrow?\n\tldr\tx30,[x29,#8]\t\t// pull return address\n\n\tsub\tx28,x5,#8*4\n.Lmul4x_cond_copy:\n\tsub\tx28,x28,#8*4\n\tcsel\tx10,x19,x6,lo\n\tstp\txzr,xzr,[x26,#8*0]\n\tcsel\tx11,x20,x7,lo\n\tldp\tx6,x7,[x27,#8*4]\n\tldp\tx19,x20,[x1,#8*4]\n\tcsel\tx12,x21,x8,lo\n\tstp\txzr,xzr,[x26,#8*2]\n\tadd\tx26,x26,#8*4\n\tcsel\tx13,x22,x9,lo\n\tldp\tx8,x9,[x27,#8*6]\n\tldp\tx21,x22,[x1,#8*6]\n\tadd\tx1,x1,#8*4\n\tstp\tx10,x11,[x27,#8*0]\n\tstp\tx12,x13,[x27,#8*2]\n\tadd\tx27,x27,#8*4\n\tcbnz\tx28,.Lmul4x_cond_copy\n\n\tcsel\tx10,x19,x6,lo\n\tstp\txzr,xzr,[x26,#8*0]\n\tcsel\tx11,x20,x7,lo\n\tstp\txzr,xzr,[x26,#8*2]\n\tcsel\tx12,x21,x8,lo\n\tstp\txzr,xzr,[x26,#8*3]\n\tcsel\tx13,x22,x9,lo\n\tstp\txzr,xzr,[x26,#8*4]\n\tstp\tx10,x11,[x27,#8*0]\n\tstp\tx12,x13,[x27,#8*2]\n\n\tb\t.Lmul4x_done\n\n.align\t4\n.Lmul4x4_post_condition:\n\tadc\tx0,x0,xzr\n\tldr\tx1,[x29,#96]\t\t// pull rp\n\t// x19-3,x0 hold result, x14-7 hold modulus\n\tsubs\tx6,x19,x14\n\tldr\tx30,[x29,#8]\t\t// pull return address\n\tsbcs\tx7,x20,x15\n\tstp\txzr,xzr,[sp,#8*0]\n\tsbcs\tx8,x21,x16\n\tstp\txzr,xzr,[sp,#8*2]\n\tsbcs\tx9,x22,x17\n\tstp\txzr,xzr,[sp,#8*4]\n\tsbcs\txzr,x0,xzr\t\t// did it borrow?\n\tstp\txzr,xzr,[sp,#8*6]\n\n\t// x6-3 hold result-modulus\n\tcsel\tx6,x19,x6,lo\n\tcsel\tx7,x20,x7,lo\n\tcsel\tx8,x21,x8,lo\n\tcsel\tx9,x22,x9,lo\n\tstp\tx6,x7,[x1,#8*0]\n\tstp\tx8,x9,[x1,#8*2]\n\n.Lmul4x_done:\n\tldp\tx19,x20,[x29,#16]\n\tmov\tsp,x29\n\tldp\tx21,x22,[x29,#32]\n\tmov\tx0,#1\n\tldp\tx23,x24,[x29,#48]\n\tldp\tx25,x26,[x29,#64]\n\tldp\tx27,x28,[x29,#80]\n\tldr\tx29,[sp],#128\n\t// x30 is popped earlier\n\tAARCH64_VALIDATE_LINK_REGISTER\n\tret\n.size\t__bn_mul4x_mont,.-__bn_mul4x_mont\n.byte\t77,111,110,116,103,111,109,101,114,121,32,77,117,108,116,105,112,108,105,99,97,116,105,111,110,32,102,111,114,32,65,82,77,118,56,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0\n.align\t2\n.align\t4\n#endif // !OPENSSL_NO_ASM && defined(OPENSSL_AARCH64) && defined(__ELF__)\n#if defined(__linux__) && defined(__ELF__)\n.section .note.GNU-stack,\"\",%progbits\n#endif\n\n" }, { "path": "Sources/CNIOBoringSSL/gen/bcm/armv8-mont-win.S", "content": "#define BORINGSSL_PREFIX CNIOBoringSSL\n// This file is generated from a similarly-named Perl script in the BoringSSL\n// source tree. Do not edit by hand.\n\n#include \n\n#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_AARCH64) && defined(_WIN32)\n#include \n\n.text\n\n.globl\tbn_mul_mont\n\n.def bn_mul_mont\n .type 32\n.endef\n.align\t5\nbn_mul_mont:\n\tAARCH64_SIGN_LINK_REGISTER\n\ttst\tx5,#7\n\tb.eq\t__bn_sqr8x_mont\n\ttst\tx5,#3\n\tb.eq\t__bn_mul4x_mont\nLmul_mont:\n\tstp\tx29,x30,[sp,#-64]!\n\tadd\tx29,sp,#0\n\tstp\tx19,x20,[sp,#16]\n\tstp\tx21,x22,[sp,#32]\n\tstp\tx23,x24,[sp,#48]\n\n\tldr\tx9,[x2],#8\t\t// bp[0]\n\tsub\tx22,sp,x5,lsl#3\n\tldp\tx7,x8,[x1],#16\t// ap[0..1]\n\tlsl\tx5,x5,#3\n\tldr\tx4,[x4]\t\t// *n0\n\tand\tx22,x22,#-16\t\t// ABI says so\n\tldp\tx13,x14,[x3],#16\t// np[0..1]\n\n\tmul\tx6,x7,x9\t\t// ap[0]*bp[0]\n\tsub\tx21,x5,#16\t\t// j=num-2\n\tumulh\tx7,x7,x9\n\tmul\tx10,x8,x9\t\t// ap[1]*bp[0]\n\tumulh\tx11,x8,x9\n\n\tmul\tx15,x6,x4\t\t// \"tp[0]\"*n0\n\tmov\tsp,x22\t\t\t// alloca\n\n\t// (*)\tmul\tx12,x13,x15\t// np[0]*m1\n\tumulh\tx13,x13,x15\n\tmul\tx16,x14,x15\t\t// np[1]*m1\n\t// (*)\tadds\tx12,x12,x6\t// discarded\n\t// (*)\tAs for removal of first multiplication and addition\n\t//\tinstructions. The outcome of first addition is\n\t//\tguaranteed to be zero, which leaves two computationally\n\t//\tsignificant outcomes: it either carries or not. Then\n\t//\tquestion is when does it carry? Is there alternative\n\t//\tway to deduce it? If you follow operations, you can\n\t//\tobserve that condition for carry is quite simple:\n\t//\tx6 being non-zero. So that carry can be calculated\n\t//\tby adding -1 to x6. That's what next instruction does.\n\tsubs\txzr,x6,#1\t\t// (*)\n\tumulh\tx17,x14,x15\n\tadc\tx13,x13,xzr\n\tcbz\tx21,L1st_skip\n\nL1st:\n\tldr\tx8,[x1],#8\n\tadds\tx6,x10,x7\n\tsub\tx21,x21,#8\t\t// j--\n\tadc\tx7,x11,xzr\n\n\tldr\tx14,[x3],#8\n\tadds\tx12,x16,x13\n\tmul\tx10,x8,x9\t\t// ap[j]*bp[0]\n\tadc\tx13,x17,xzr\n\tumulh\tx11,x8,x9\n\n\tadds\tx12,x12,x6\n\tmul\tx16,x14,x15\t\t// np[j]*m1\n\tadc\tx13,x13,xzr\n\tumulh\tx17,x14,x15\n\tstr\tx12,[x22],#8\t\t// tp[j-1]\n\tcbnz\tx21,L1st\n\nL1st_skip:\n\tadds\tx6,x10,x7\n\tsub\tx1,x1,x5\t\t// rewind x1\n\tadc\tx7,x11,xzr\n\n\tadds\tx12,x16,x13\n\tsub\tx3,x3,x5\t\t// rewind x3\n\tadc\tx13,x17,xzr\n\n\tadds\tx12,x12,x6\n\tsub\tx20,x5,#8\t\t// i=num-1\n\tadcs\tx13,x13,x7\n\n\tadc\tx19,xzr,xzr\t\t// upmost overflow bit\n\tstp\tx12,x13,[x22]\n\nLouter:\n\tldr\tx9,[x2],#8\t\t// bp[i]\n\tldp\tx7,x8,[x1],#16\n\tldr\tx23,[sp]\t\t// tp[0]\n\tadd\tx22,sp,#8\n\n\tmul\tx6,x7,x9\t\t// ap[0]*bp[i]\n\tsub\tx21,x5,#16\t\t// j=num-2\n\tumulh\tx7,x7,x9\n\tldp\tx13,x14,[x3],#16\n\tmul\tx10,x8,x9\t\t// ap[1]*bp[i]\n\tadds\tx6,x6,x23\n\tumulh\tx11,x8,x9\n\tadc\tx7,x7,xzr\n\n\tmul\tx15,x6,x4\n\tsub\tx20,x20,#8\t\t// i--\n\n\t// (*)\tmul\tx12,x13,x15\t// np[0]*m1\n\tumulh\tx13,x13,x15\n\tmul\tx16,x14,x15\t\t// np[1]*m1\n\t// (*)\tadds\tx12,x12,x6\n\tsubs\txzr,x6,#1\t\t// (*)\n\tumulh\tx17,x14,x15\n\tcbz\tx21,Linner_skip\n\nLinner:\n\tldr\tx8,[x1],#8\n\tadc\tx13,x13,xzr\n\tldr\tx23,[x22],#8\t\t// tp[j]\n\tadds\tx6,x10,x7\n\tsub\tx21,x21,#8\t\t// j--\n\tadc\tx7,x11,xzr\n\n\tadds\tx12,x16,x13\n\tldr\tx14,[x3],#8\n\tadc\tx13,x17,xzr\n\n\tmul\tx10,x8,x9\t\t// ap[j]*bp[i]\n\tadds\tx6,x6,x23\n\tumulh\tx11,x8,x9\n\tadc\tx7,x7,xzr\n\n\tmul\tx16,x14,x15\t\t// np[j]*m1\n\tadds\tx12,x12,x6\n\tumulh\tx17,x14,x15\n\tstr\tx12,[x22,#-16]\t\t// tp[j-1]\n\tcbnz\tx21,Linner\n\nLinner_skip:\n\tldr\tx23,[x22],#8\t\t// tp[j]\n\tadc\tx13,x13,xzr\n\tadds\tx6,x10,x7\n\tsub\tx1,x1,x5\t\t// rewind x1\n\tadc\tx7,x11,xzr\n\n\tadds\tx12,x16,x13\n\tsub\tx3,x3,x5\t\t// rewind x3\n\tadcs\tx13,x17,x19\n\tadc\tx19,xzr,xzr\n\n\tadds\tx6,x6,x23\n\tadc\tx7,x7,xzr\n\n\tadds\tx12,x12,x6\n\tadcs\tx13,x13,x7\n\tadc\tx19,x19,xzr\t\t// upmost overflow bit\n\tstp\tx12,x13,[x22,#-16]\n\n\tcbnz\tx20,Louter\n\n\t// Final step. We see if result is larger than modulus, and\n\t// if it is, subtract the modulus. But comparison implies\n\t// subtraction. So we subtract modulus, see if it borrowed,\n\t// and conditionally copy original value.\n\tldr\tx23,[sp]\t\t// tp[0]\n\tadd\tx22,sp,#8\n\tldr\tx14,[x3],#8\t\t// np[0]\n\tsubs\tx21,x5,#8\t\t// j=num-1 and clear borrow\n\tmov\tx1,x0\nLsub:\n\tsbcs\tx8,x23,x14\t\t// tp[j]-np[j]\n\tldr\tx23,[x22],#8\n\tsub\tx21,x21,#8\t\t// j--\n\tldr\tx14,[x3],#8\n\tstr\tx8,[x1],#8\t\t// rp[j]=tp[j]-np[j]\n\tcbnz\tx21,Lsub\n\n\tsbcs\tx8,x23,x14\n\tsbcs\tx19,x19,xzr\t\t// did it borrow?\n\tstr\tx8,[x1],#8\t\t// rp[num-1]\n\n\tldr\tx23,[sp]\t\t// tp[0]\n\tadd\tx22,sp,#8\n\tldr\tx8,[x0],#8\t\t// rp[0]\n\tsub\tx5,x5,#8\t\t// num--\n\tnop\nLcond_copy:\n\tsub\tx5,x5,#8\t\t// num--\n\tcsel\tx14,x23,x8,lo\t\t// did it borrow?\n\tldr\tx23,[x22],#8\n\tldr\tx8,[x0],#8\n\tstr\txzr,[x22,#-16]\t\t// wipe tp\n\tstr\tx14,[x0,#-16]\n\tcbnz\tx5,Lcond_copy\n\n\tcsel\tx14,x23,x8,lo\n\tstr\txzr,[x22,#-8]\t\t// wipe tp\n\tstr\tx14,[x0,#-8]\n\n\tldp\tx19,x20,[x29,#16]\n\tmov\tsp,x29\n\tldp\tx21,x22,[x29,#32]\n\tmov\tx0,#1\n\tldp\tx23,x24,[x29,#48]\n\tldr\tx29,[sp],#64\n\tAARCH64_VALIDATE_LINK_REGISTER\n\tret\n\n.def __bn_sqr8x_mont\n .type 32\n.endef\n.align\t5\n__bn_sqr8x_mont:\n\t// Not adding AARCH64_SIGN_LINK_REGISTER here because __bn_sqr8x_mont is jumped to\n\t// only from bn_mul_mont which has already signed the return address.\n\tcmp\tx1,x2\n\tb.ne\t__bn_mul4x_mont\nLsqr8x_mont:\n\tstp\tx29,x30,[sp,#-128]!\n\tadd\tx29,sp,#0\n\tstp\tx19,x20,[sp,#16]\n\tstp\tx21,x22,[sp,#32]\n\tstp\tx23,x24,[sp,#48]\n\tstp\tx25,x26,[sp,#64]\n\tstp\tx27,x28,[sp,#80]\n\tstp\tx0,x3,[sp,#96]\t// offload rp and np\n\n\tldp\tx6,x7,[x1,#8*0]\n\tldp\tx8,x9,[x1,#8*2]\n\tldp\tx10,x11,[x1,#8*4]\n\tldp\tx12,x13,[x1,#8*6]\n\n\tsub\tx2,sp,x5,lsl#4\n\tlsl\tx5,x5,#3\n\tldr\tx4,[x4]\t\t// *n0\n\tmov\tsp,x2\t\t\t// alloca\n\tsub\tx27,x5,#8*8\n\tb\tLsqr8x_zero_start\n\nLsqr8x_zero:\n\tsub\tx27,x27,#8*8\n\tstp\txzr,xzr,[x2,#8*0]\n\tstp\txzr,xzr,[x2,#8*2]\n\tstp\txzr,xzr,[x2,#8*4]\n\tstp\txzr,xzr,[x2,#8*6]\nLsqr8x_zero_start:\n\tstp\txzr,xzr,[x2,#8*8]\n\tstp\txzr,xzr,[x2,#8*10]\n\tstp\txzr,xzr,[x2,#8*12]\n\tstp\txzr,xzr,[x2,#8*14]\n\tadd\tx2,x2,#8*16\n\tcbnz\tx27,Lsqr8x_zero\n\n\tadd\tx3,x1,x5\n\tadd\tx1,x1,#8*8\n\tmov\tx19,xzr\n\tmov\tx20,xzr\n\tmov\tx21,xzr\n\tmov\tx22,xzr\n\tmov\tx23,xzr\n\tmov\tx24,xzr\n\tmov\tx25,xzr\n\tmov\tx26,xzr\n\tmov\tx2,sp\n\tstr\tx4,[x29,#112]\t\t// offload n0\n\n\t// Multiply everything but a[i]*a[i]\n.align\t4\nLsqr8x_outer_loop:\n // a[1]a[0]\t(i)\n // a[2]a[0]\n // a[3]a[0]\n // a[4]a[0]\n // a[5]a[0]\n // a[6]a[0]\n // a[7]a[0]\n // a[2]a[1]\t\t(ii)\n // a[3]a[1]\n // a[4]a[1]\n // a[5]a[1]\n // a[6]a[1]\n // a[7]a[1]\n // a[3]a[2]\t\t\t(iii)\n // a[4]a[2]\n // a[5]a[2]\n // a[6]a[2]\n // a[7]a[2]\n // a[4]a[3]\t\t\t\t(iv)\n // a[5]a[3]\n // a[6]a[3]\n // a[7]a[3]\n // a[5]a[4]\t\t\t\t\t(v)\n // a[6]a[4]\n // a[7]a[4]\n // a[6]a[5]\t\t\t\t\t\t(vi)\n // a[7]a[5]\n // a[7]a[6]\t\t\t\t\t\t\t(vii)\n\n\tmul\tx14,x7,x6\t\t// lo(a[1..7]*a[0])\t\t(i)\n\tmul\tx15,x8,x6\n\tmul\tx16,x9,x6\n\tmul\tx17,x10,x6\n\tadds\tx20,x20,x14\t\t// t[1]+lo(a[1]*a[0])\n\tmul\tx14,x11,x6\n\tadcs\tx21,x21,x15\n\tmul\tx15,x12,x6\n\tadcs\tx22,x22,x16\n\tmul\tx16,x13,x6\n\tadcs\tx23,x23,x17\n\tumulh\tx17,x7,x6\t\t// hi(a[1..7]*a[0])\n\tadcs\tx24,x24,x14\n\tumulh\tx14,x8,x6\n\tadcs\tx25,x25,x15\n\tumulh\tx15,x9,x6\n\tadcs\tx26,x26,x16\n\tumulh\tx16,x10,x6\n\tstp\tx19,x20,[x2],#8*2\t// t[0..1]\n\tadc\tx19,xzr,xzr\t\t// t[8]\n\tadds\tx21,x21,x17\t\t// t[2]+lo(a[1]*a[0])\n\tumulh\tx17,x11,x6\n\tadcs\tx22,x22,x14\n\tumulh\tx14,x12,x6\n\tadcs\tx23,x23,x15\n\tumulh\tx15,x13,x6\n\tadcs\tx24,x24,x16\n\tmul\tx16,x8,x7\t\t// lo(a[2..7]*a[1])\t\t(ii)\n\tadcs\tx25,x25,x17\n\tmul\tx17,x9,x7\n\tadcs\tx26,x26,x14\n\tmul\tx14,x10,x7\n\tadc\tx19,x19,x15\n\n\tmul\tx15,x11,x7\n\tadds\tx22,x22,x16\n\tmul\tx16,x12,x7\n\tadcs\tx23,x23,x17\n\tmul\tx17,x13,x7\n\tadcs\tx24,x24,x14\n\tumulh\tx14,x8,x7\t\t// hi(a[2..7]*a[1])\n\tadcs\tx25,x25,x15\n\tumulh\tx15,x9,x7\n\tadcs\tx26,x26,x16\n\tumulh\tx16,x10,x7\n\tadcs\tx19,x19,x17\n\tumulh\tx17,x11,x7\n\tstp\tx21,x22,[x2],#8*2\t// t[2..3]\n\tadc\tx20,xzr,xzr\t\t// t[9]\n\tadds\tx23,x23,x14\n\tumulh\tx14,x12,x7\n\tadcs\tx24,x24,x15\n\tumulh\tx15,x13,x7\n\tadcs\tx25,x25,x16\n\tmul\tx16,x9,x8\t\t// lo(a[3..7]*a[2])\t\t(iii)\n\tadcs\tx26,x26,x17\n\tmul\tx17,x10,x8\n\tadcs\tx19,x19,x14\n\tmul\tx14,x11,x8\n\tadc\tx20,x20,x15\n\n\tmul\tx15,x12,x8\n\tadds\tx24,x24,x16\n\tmul\tx16,x13,x8\n\tadcs\tx25,x25,x17\n\tumulh\tx17,x9,x8\t\t// hi(a[3..7]*a[2])\n\tadcs\tx26,x26,x14\n\tumulh\tx14,x10,x8\n\tadcs\tx19,x19,x15\n\tumulh\tx15,x11,x8\n\tadcs\tx20,x20,x16\n\tumulh\tx16,x12,x8\n\tstp\tx23,x24,[x2],#8*2\t// t[4..5]\n\tadc\tx21,xzr,xzr\t\t// t[10]\n\tadds\tx25,x25,x17\n\tumulh\tx17,x13,x8\n\tadcs\tx26,x26,x14\n\tmul\tx14,x10,x9\t\t// lo(a[4..7]*a[3])\t\t(iv)\n\tadcs\tx19,x19,x15\n\tmul\tx15,x11,x9\n\tadcs\tx20,x20,x16\n\tmul\tx16,x12,x9\n\tadc\tx21,x21,x17\n\n\tmul\tx17,x13,x9\n\tadds\tx26,x26,x14\n\tumulh\tx14,x10,x9\t\t// hi(a[4..7]*a[3])\n\tadcs\tx19,x19,x15\n\tumulh\tx15,x11,x9\n\tadcs\tx20,x20,x16\n\tumulh\tx16,x12,x9\n\tadcs\tx21,x21,x17\n\tumulh\tx17,x13,x9\n\tstp\tx25,x26,[x2],#8*2\t// t[6..7]\n\tadc\tx22,xzr,xzr\t\t// t[11]\n\tadds\tx19,x19,x14\n\tmul\tx14,x11,x10\t\t// lo(a[5..7]*a[4])\t\t(v)\n\tadcs\tx20,x20,x15\n\tmul\tx15,x12,x10\n\tadcs\tx21,x21,x16\n\tmul\tx16,x13,x10\n\tadc\tx22,x22,x17\n\n\tumulh\tx17,x11,x10\t\t// hi(a[5..7]*a[4])\n\tadds\tx20,x20,x14\n\tumulh\tx14,x12,x10\n\tadcs\tx21,x21,x15\n\tumulh\tx15,x13,x10\n\tadcs\tx22,x22,x16\n\tmul\tx16,x12,x11\t\t// lo(a[6..7]*a[5])\t\t(vi)\n\tadc\tx23,xzr,xzr\t\t// t[12]\n\tadds\tx21,x21,x17\n\tmul\tx17,x13,x11\n\tadcs\tx22,x22,x14\n\tumulh\tx14,x12,x11\t\t// hi(a[6..7]*a[5])\n\tadc\tx23,x23,x15\n\n\tumulh\tx15,x13,x11\n\tadds\tx22,x22,x16\n\tmul\tx16,x13,x12\t\t// lo(a[7]*a[6])\t\t(vii)\n\tadcs\tx23,x23,x17\n\tumulh\tx17,x13,x12\t\t// hi(a[7]*a[6])\n\tadc\tx24,xzr,xzr\t\t// t[13]\n\tadds\tx23,x23,x14\n\tsub\tx27,x3,x1\t// done yet?\n\tadc\tx24,x24,x15\n\n\tadds\tx24,x24,x16\n\tsub\tx14,x3,x5\t// rewinded ap\n\tadc\tx25,xzr,xzr\t\t// t[14]\n\tadd\tx25,x25,x17\n\n\tcbz\tx27,Lsqr8x_outer_break\n\n\tmov\tx4,x6\n\tldp\tx6,x7,[x2,#8*0]\n\tldp\tx8,x9,[x2,#8*2]\n\tldp\tx10,x11,[x2,#8*4]\n\tldp\tx12,x13,[x2,#8*6]\n\tadds\tx19,x19,x6\n\tadcs\tx20,x20,x7\n\tldp\tx6,x7,[x1,#8*0]\n\tadcs\tx21,x21,x8\n\tadcs\tx22,x22,x9\n\tldp\tx8,x9,[x1,#8*2]\n\tadcs\tx23,x23,x10\n\tadcs\tx24,x24,x11\n\tldp\tx10,x11,[x1,#8*4]\n\tadcs\tx25,x25,x12\n\tmov\tx0,x1\n\tadcs\tx26,xzr,x13\n\tldp\tx12,x13,[x1,#8*6]\n\tadd\tx1,x1,#8*8\n\t//adc\tx28,xzr,xzr\t\t// moved below\n\tmov\tx27,#-8*8\n\n\t// a[8]a[0]\n\t// a[9]a[0]\n\t// a[a]a[0]\n\t// a[b]a[0]\n\t// a[c]a[0]\n\t// a[d]a[0]\n\t// a[e]a[0]\n\t// a[f]a[0]\n\t// a[8]a[1]\n\t// a[f]a[1]........................\n\t// a[8]a[2]\n\t// a[f]a[2]........................\n\t// a[8]a[3]\n\t// a[f]a[3]........................\n\t// a[8]a[4]\n\t// a[f]a[4]........................\n\t// a[8]a[5]\n\t// a[f]a[5]........................\n\t// a[8]a[6]\n\t// a[f]a[6]........................\n\t// a[8]a[7]\n\t// a[f]a[7]........................\nLsqr8x_mul:\n\tmul\tx14,x6,x4\n\tadc\tx28,xzr,xzr\t\t// carry bit, modulo-scheduled\n\tmul\tx15,x7,x4\n\tadd\tx27,x27,#8\n\tmul\tx16,x8,x4\n\tmul\tx17,x9,x4\n\tadds\tx19,x19,x14\n\tmul\tx14,x10,x4\n\tadcs\tx20,x20,x15\n\tmul\tx15,x11,x4\n\tadcs\tx21,x21,x16\n\tmul\tx16,x12,x4\n\tadcs\tx22,x22,x17\n\tmul\tx17,x13,x4\n\tadcs\tx23,x23,x14\n\tumulh\tx14,x6,x4\n\tadcs\tx24,x24,x15\n\tumulh\tx15,x7,x4\n\tadcs\tx25,x25,x16\n\tumulh\tx16,x8,x4\n\tadcs\tx26,x26,x17\n\tumulh\tx17,x9,x4\n\tadc\tx28,x28,xzr\n\tstr\tx19,[x2],#8\n\tadds\tx19,x20,x14\n\tumulh\tx14,x10,x4\n\tadcs\tx20,x21,x15\n\tumulh\tx15,x11,x4\n\tadcs\tx21,x22,x16\n\tumulh\tx16,x12,x4\n\tadcs\tx22,x23,x17\n\tumulh\tx17,x13,x4\n\tldr\tx4,[x0,x27]\n\tadcs\tx23,x24,x14\n\tadcs\tx24,x25,x15\n\tadcs\tx25,x26,x16\n\tadcs\tx26,x28,x17\n\t//adc\tx28,xzr,xzr\t\t// moved above\n\tcbnz\tx27,Lsqr8x_mul\n\t\t\t\t\t// note that carry flag is guaranteed\n\t\t\t\t\t// to be zero at this point\n\tcmp\tx1,x3\t\t// done yet?\n\tb.eq\tLsqr8x_break\n\n\tldp\tx6,x7,[x2,#8*0]\n\tldp\tx8,x9,[x2,#8*2]\n\tldp\tx10,x11,[x2,#8*4]\n\tldp\tx12,x13,[x2,#8*6]\n\tadds\tx19,x19,x6\n\tldr\tx4,[x0,#-8*8]\n\tadcs\tx20,x20,x7\n\tldp\tx6,x7,[x1,#8*0]\n\tadcs\tx21,x21,x8\n\tadcs\tx22,x22,x9\n\tldp\tx8,x9,[x1,#8*2]\n\tadcs\tx23,x23,x10\n\tadcs\tx24,x24,x11\n\tldp\tx10,x11,[x1,#8*4]\n\tadcs\tx25,x25,x12\n\tmov\tx27,#-8*8\n\tadcs\tx26,x26,x13\n\tldp\tx12,x13,[x1,#8*6]\n\tadd\tx1,x1,#8*8\n\t//adc\tx28,xzr,xzr\t\t// moved above\n\tb\tLsqr8x_mul\n\n.align\t4\nLsqr8x_break:\n\tldp\tx6,x7,[x0,#8*0]\n\tadd\tx1,x0,#8*8\n\tldp\tx8,x9,[x0,#8*2]\n\tsub\tx14,x3,x1\t\t// is it last iteration?\n\tldp\tx10,x11,[x0,#8*4]\n\tsub\tx15,x2,x14\n\tldp\tx12,x13,[x0,#8*6]\n\tcbz\tx14,Lsqr8x_outer_loop\n\n\tstp\tx19,x20,[x2,#8*0]\n\tldp\tx19,x20,[x15,#8*0]\n\tstp\tx21,x22,[x2,#8*2]\n\tldp\tx21,x22,[x15,#8*2]\n\tstp\tx23,x24,[x2,#8*4]\n\tldp\tx23,x24,[x15,#8*4]\n\tstp\tx25,x26,[x2,#8*6]\n\tmov\tx2,x15\n\tldp\tx25,x26,[x15,#8*6]\n\tb\tLsqr8x_outer_loop\n\n.align\t4\nLsqr8x_outer_break:\n\t// Now multiply above result by 2 and add a[n-1]*a[n-1]|...|a[0]*a[0]\n\tldp\tx7,x9,[x14,#8*0]\t// recall that x14 is &a[0]\n\tldp\tx15,x16,[sp,#8*1]\n\tldp\tx11,x13,[x14,#8*2]\n\tadd\tx1,x14,#8*4\n\tldp\tx17,x14,[sp,#8*3]\n\n\tstp\tx19,x20,[x2,#8*0]\n\tmul\tx19,x7,x7\n\tstp\tx21,x22,[x2,#8*2]\n\tumulh\tx7,x7,x7\n\tstp\tx23,x24,[x2,#8*4]\n\tmul\tx8,x9,x9\n\tstp\tx25,x26,[x2,#8*6]\n\tmov\tx2,sp\n\tumulh\tx9,x9,x9\n\tadds\tx20,x7,x15,lsl#1\n\textr\tx15,x16,x15,#63\n\tsub\tx27,x5,#8*4\n\nLsqr4x_shift_n_add:\n\tadcs\tx21,x8,x15\n\textr\tx16,x17,x16,#63\n\tsub\tx27,x27,#8*4\n\tadcs\tx22,x9,x16\n\tldp\tx15,x16,[x2,#8*5]\n\tmul\tx10,x11,x11\n\tldp\tx7,x9,[x1],#8*2\n\tumulh\tx11,x11,x11\n\tmul\tx12,x13,x13\n\tumulh\tx13,x13,x13\n\textr\tx17,x14,x17,#63\n\tstp\tx19,x20,[x2,#8*0]\n\tadcs\tx23,x10,x17\n\textr\tx14,x15,x14,#63\n\tstp\tx21,x22,[x2,#8*2]\n\tadcs\tx24,x11,x14\n\tldp\tx17,x14,[x2,#8*7]\n\textr\tx15,x16,x15,#63\n\tadcs\tx25,x12,x15\n\textr\tx16,x17,x16,#63\n\tadcs\tx26,x13,x16\n\tldp\tx15,x16,[x2,#8*9]\n\tmul\tx6,x7,x7\n\tldp\tx11,x13,[x1],#8*2\n\tumulh\tx7,x7,x7\n\tmul\tx8,x9,x9\n\tumulh\tx9,x9,x9\n\tstp\tx23,x24,[x2,#8*4]\n\textr\tx17,x14,x17,#63\n\tstp\tx25,x26,[x2,#8*6]\n\tadd\tx2,x2,#8*8\n\tadcs\tx19,x6,x17\n\textr\tx14,x15,x14,#63\n\tadcs\tx20,x7,x14\n\tldp\tx17,x14,[x2,#8*3]\n\textr\tx15,x16,x15,#63\n\tcbnz\tx27,Lsqr4x_shift_n_add\n\tldp\tx1,x4,[x29,#104]\t// pull np and n0\n\n\tadcs\tx21,x8,x15\n\textr\tx16,x17,x16,#63\n\tadcs\tx22,x9,x16\n\tldp\tx15,x16,[x2,#8*5]\n\tmul\tx10,x11,x11\n\tumulh\tx11,x11,x11\n\tstp\tx19,x20,[x2,#8*0]\n\tmul\tx12,x13,x13\n\tumulh\tx13,x13,x13\n\tstp\tx21,x22,[x2,#8*2]\n\textr\tx17,x14,x17,#63\n\tadcs\tx23,x10,x17\n\textr\tx14,x15,x14,#63\n\tldp\tx19,x20,[sp,#8*0]\n\tadcs\tx24,x11,x14\n\textr\tx15,x16,x15,#63\n\tldp\tx6,x7,[x1,#8*0]\n\tadcs\tx25,x12,x15\n\textr\tx16,xzr,x16,#63\n\tldp\tx8,x9,[x1,#8*2]\n\tadc\tx26,x13,x16\n\tldp\tx10,x11,[x1,#8*4]\n\n\t// Reduce by 512 bits per iteration\n\tmul\tx28,x4,x19\t\t// t[0]*n0\n\tldp\tx12,x13,[x1,#8*6]\n\tadd\tx3,x1,x5\n\tldp\tx21,x22,[sp,#8*2]\n\tstp\tx23,x24,[x2,#8*4]\n\tldp\tx23,x24,[sp,#8*4]\n\tstp\tx25,x26,[x2,#8*6]\n\tldp\tx25,x26,[sp,#8*6]\n\tadd\tx1,x1,#8*8\n\tmov\tx30,xzr\t\t// initial top-most carry\n\tmov\tx2,sp\n\tmov\tx27,#8\n\nLsqr8x_reduction:\n\t// (*)\tmul\tx14,x6,x28\t// lo(n[0-7])*lo(t[0]*n0)\n\tmul\tx15,x7,x28\n\tsub\tx27,x27,#1\n\tmul\tx16,x8,x28\n\tstr\tx28,[x2],#8\t\t// put aside t[0]*n0 for tail processing\n\tmul\tx17,x9,x28\n\t// (*)\tadds\txzr,x19,x14\n\tsubs\txzr,x19,#1\t\t// (*)\n\tmul\tx14,x10,x28\n\tadcs\tx19,x20,x15\n\tmul\tx15,x11,x28\n\tadcs\tx20,x21,x16\n\tmul\tx16,x12,x28\n\tadcs\tx21,x22,x17\n\tmul\tx17,x13,x28\n\tadcs\tx22,x23,x14\n\tumulh\tx14,x6,x28\t\t// hi(n[0-7])*lo(t[0]*n0)\n\tadcs\tx23,x24,x15\n\tumulh\tx15,x7,x28\n\tadcs\tx24,x25,x16\n\tumulh\tx16,x8,x28\n\tadcs\tx25,x26,x17\n\tumulh\tx17,x9,x28\n\tadc\tx26,xzr,xzr\n\tadds\tx19,x19,x14\n\tumulh\tx14,x10,x28\n\tadcs\tx20,x20,x15\n\tumulh\tx15,x11,x28\n\tadcs\tx21,x21,x16\n\tumulh\tx16,x12,x28\n\tadcs\tx22,x22,x17\n\tumulh\tx17,x13,x28\n\tmul\tx28,x4,x19\t\t// next t[0]*n0\n\tadcs\tx23,x23,x14\n\tadcs\tx24,x24,x15\n\tadcs\tx25,x25,x16\n\tadc\tx26,x26,x17\n\tcbnz\tx27,Lsqr8x_reduction\n\n\tldp\tx14,x15,[x2,#8*0]\n\tldp\tx16,x17,[x2,#8*2]\n\tmov\tx0,x2\n\tsub\tx27,x3,x1\t// done yet?\n\tadds\tx19,x19,x14\n\tadcs\tx20,x20,x15\n\tldp\tx14,x15,[x2,#8*4]\n\tadcs\tx21,x21,x16\n\tadcs\tx22,x22,x17\n\tldp\tx16,x17,[x2,#8*6]\n\tadcs\tx23,x23,x14\n\tadcs\tx24,x24,x15\n\tadcs\tx25,x25,x16\n\tadcs\tx26,x26,x17\n\t//adc\tx28,xzr,xzr\t\t// moved below\n\tcbz\tx27,Lsqr8x8_post_condition\n\n\tldr\tx4,[x2,#-8*8]\n\tldp\tx6,x7,[x1,#8*0]\n\tldp\tx8,x9,[x1,#8*2]\n\tldp\tx10,x11,[x1,#8*4]\n\tmov\tx27,#-8*8\n\tldp\tx12,x13,[x1,#8*6]\n\tadd\tx1,x1,#8*8\n\nLsqr8x_tail:\n\tmul\tx14,x6,x4\n\tadc\tx28,xzr,xzr\t\t// carry bit, modulo-scheduled\n\tmul\tx15,x7,x4\n\tadd\tx27,x27,#8\n\tmul\tx16,x8,x4\n\tmul\tx17,x9,x4\n\tadds\tx19,x19,x14\n\tmul\tx14,x10,x4\n\tadcs\tx20,x20,x15\n\tmul\tx15,x11,x4\n\tadcs\tx21,x21,x16\n\tmul\tx16,x12,x4\n\tadcs\tx22,x22,x17\n\tmul\tx17,x13,x4\n\tadcs\tx23,x23,x14\n\tumulh\tx14,x6,x4\n\tadcs\tx24,x24,x15\n\tumulh\tx15,x7,x4\n\tadcs\tx25,x25,x16\n\tumulh\tx16,x8,x4\n\tadcs\tx26,x26,x17\n\tumulh\tx17,x9,x4\n\tadc\tx28,x28,xzr\n\tstr\tx19,[x2],#8\n\tadds\tx19,x20,x14\n\tumulh\tx14,x10,x4\n\tadcs\tx20,x21,x15\n\tumulh\tx15,x11,x4\n\tadcs\tx21,x22,x16\n\tumulh\tx16,x12,x4\n\tadcs\tx22,x23,x17\n\tumulh\tx17,x13,x4\n\tldr\tx4,[x0,x27]\n\tadcs\tx23,x24,x14\n\tadcs\tx24,x25,x15\n\tadcs\tx25,x26,x16\n\tadcs\tx26,x28,x17\n\t//adc\tx28,xzr,xzr\t\t// moved above\n\tcbnz\tx27,Lsqr8x_tail\n\t\t\t\t\t// note that carry flag is guaranteed\n\t\t\t\t\t// to be zero at this point\n\tldp\tx6,x7,[x2,#8*0]\n\tsub\tx27,x3,x1\t// done yet?\n\tsub\tx16,x3,x5\t// rewinded np\n\tldp\tx8,x9,[x2,#8*2]\n\tldp\tx10,x11,[x2,#8*4]\n\tldp\tx12,x13,[x2,#8*6]\n\tcbz\tx27,Lsqr8x_tail_break\n\n\tldr\tx4,[x0,#-8*8]\n\tadds\tx19,x19,x6\n\tadcs\tx20,x20,x7\n\tldp\tx6,x7,[x1,#8*0]\n\tadcs\tx21,x21,x8\n\tadcs\tx22,x22,x9\n\tldp\tx8,x9,[x1,#8*2]\n\tadcs\tx23,x23,x10\n\tadcs\tx24,x24,x11\n\tldp\tx10,x11,[x1,#8*4]\n\tadcs\tx25,x25,x12\n\tmov\tx27,#-8*8\n\tadcs\tx26,x26,x13\n\tldp\tx12,x13,[x1,#8*6]\n\tadd\tx1,x1,#8*8\n\t//adc\tx28,xzr,xzr\t\t// moved above\n\tb\tLsqr8x_tail\n\n.align\t4\nLsqr8x_tail_break:\n\tldr\tx4,[x29,#112]\t\t// pull n0\n\tadd\tx27,x2,#8*8\t\t// end of current t[num] window\n\n\tsubs\txzr,x30,#1\t\t// \"move\" top-most carry to carry bit\n\tadcs\tx14,x19,x6\n\tadcs\tx15,x20,x7\n\tldp\tx19,x20,[x0,#8*0]\n\tadcs\tx21,x21,x8\n\tldp\tx6,x7,[x16,#8*0]\t// recall that x16 is &n[0]\n\tadcs\tx22,x22,x9\n\tldp\tx8,x9,[x16,#8*2]\n\tadcs\tx23,x23,x10\n\tadcs\tx24,x24,x11\n\tldp\tx10,x11,[x16,#8*4]\n\tadcs\tx25,x25,x12\n\tadcs\tx26,x26,x13\n\tldp\tx12,x13,[x16,#8*6]\n\tadd\tx1,x16,#8*8\n\tadc\tx30,xzr,xzr\t// top-most carry\n\tmul\tx28,x4,x19\n\tstp\tx14,x15,[x2,#8*0]\n\tstp\tx21,x22,[x2,#8*2]\n\tldp\tx21,x22,[x0,#8*2]\n\tstp\tx23,x24,[x2,#8*4]\n\tldp\tx23,x24,[x0,#8*4]\n\tcmp\tx27,x29\t\t// did we hit the bottom?\n\tstp\tx25,x26,[x2,#8*6]\n\tmov\tx2,x0\t\t\t// slide the window\n\tldp\tx25,x26,[x0,#8*6]\n\tmov\tx27,#8\n\tb.ne\tLsqr8x_reduction\n\n\t// Final step. We see if result is larger than modulus, and\n\t// if it is, subtract the modulus. But comparison implies\n\t// subtraction. So we subtract modulus, see if it borrowed,\n\t// and conditionally copy original value.\n\tldr\tx0,[x29,#96]\t\t// pull rp\n\tadd\tx2,x2,#8*8\n\tsubs\tx14,x19,x6\n\tsbcs\tx15,x20,x7\n\tsub\tx27,x5,#8*8\n\tmov\tx3,x0\t\t// x0 copy\n\nLsqr8x_sub:\n\tsbcs\tx16,x21,x8\n\tldp\tx6,x7,[x1,#8*0]\n\tsbcs\tx17,x22,x9\n\tstp\tx14,x15,[x0,#8*0]\n\tsbcs\tx14,x23,x10\n\tldp\tx8,x9,[x1,#8*2]\n\tsbcs\tx15,x24,x11\n\tstp\tx16,x17,[x0,#8*2]\n\tsbcs\tx16,x25,x12\n\tldp\tx10,x11,[x1,#8*4]\n\tsbcs\tx17,x26,x13\n\tldp\tx12,x13,[x1,#8*6]\n\tadd\tx1,x1,#8*8\n\tldp\tx19,x20,[x2,#8*0]\n\tsub\tx27,x27,#8*8\n\tldp\tx21,x22,[x2,#8*2]\n\tldp\tx23,x24,[x2,#8*4]\n\tldp\tx25,x26,[x2,#8*6]\n\tadd\tx2,x2,#8*8\n\tstp\tx14,x15,[x0,#8*4]\n\tsbcs\tx14,x19,x6\n\tstp\tx16,x17,[x0,#8*6]\n\tadd\tx0,x0,#8*8\n\tsbcs\tx15,x20,x7\n\tcbnz\tx27,Lsqr8x_sub\n\n\tsbcs\tx16,x21,x8\n\tmov\tx2,sp\n\tadd\tx1,sp,x5\n\tldp\tx6,x7,[x3,#8*0]\n\tsbcs\tx17,x22,x9\n\tstp\tx14,x15,[x0,#8*0]\n\tsbcs\tx14,x23,x10\n\tldp\tx8,x9,[x3,#8*2]\n\tsbcs\tx15,x24,x11\n\tstp\tx16,x17,[x0,#8*2]\n\tsbcs\tx16,x25,x12\n\tldp\tx19,x20,[x1,#8*0]\n\tsbcs\tx17,x26,x13\n\tldp\tx21,x22,[x1,#8*2]\n\tsbcs\txzr,x30,xzr\t// did it borrow?\n\tldr\tx30,[x29,#8]\t\t// pull return address\n\tstp\tx14,x15,[x0,#8*4]\n\tstp\tx16,x17,[x0,#8*6]\n\n\tsub\tx27,x5,#8*4\nLsqr4x_cond_copy:\n\tsub\tx27,x27,#8*4\n\tcsel\tx14,x19,x6,lo\n\tstp\txzr,xzr,[x2,#8*0]\n\tcsel\tx15,x20,x7,lo\n\tldp\tx6,x7,[x3,#8*4]\n\tldp\tx19,x20,[x1,#8*4]\n\tcsel\tx16,x21,x8,lo\n\tstp\txzr,xzr,[x2,#8*2]\n\tadd\tx2,x2,#8*4\n\tcsel\tx17,x22,x9,lo\n\tldp\tx8,x9,[x3,#8*6]\n\tldp\tx21,x22,[x1,#8*6]\n\tadd\tx1,x1,#8*4\n\tstp\tx14,x15,[x3,#8*0]\n\tstp\tx16,x17,[x3,#8*2]\n\tadd\tx3,x3,#8*4\n\tstp\txzr,xzr,[x1,#8*0]\n\tstp\txzr,xzr,[x1,#8*2]\n\tcbnz\tx27,Lsqr4x_cond_copy\n\n\tcsel\tx14,x19,x6,lo\n\tstp\txzr,xzr,[x2,#8*0]\n\tcsel\tx15,x20,x7,lo\n\tstp\txzr,xzr,[x2,#8*2]\n\tcsel\tx16,x21,x8,lo\n\tcsel\tx17,x22,x9,lo\n\tstp\tx14,x15,[x3,#8*0]\n\tstp\tx16,x17,[x3,#8*2]\n\n\tb\tLsqr8x_done\n\n.align\t4\nLsqr8x8_post_condition:\n\tadc\tx28,xzr,xzr\n\tldr\tx30,[x29,#8]\t\t// pull return address\n\t// x19-7,x28 hold result, x6-7 hold modulus\n\tsubs\tx6,x19,x6\n\tldr\tx1,[x29,#96]\t\t// pull rp\n\tsbcs\tx7,x20,x7\n\tstp\txzr,xzr,[sp,#8*0]\n\tsbcs\tx8,x21,x8\n\tstp\txzr,xzr,[sp,#8*2]\n\tsbcs\tx9,x22,x9\n\tstp\txzr,xzr,[sp,#8*4]\n\tsbcs\tx10,x23,x10\n\tstp\txzr,xzr,[sp,#8*6]\n\tsbcs\tx11,x24,x11\n\tstp\txzr,xzr,[sp,#8*8]\n\tsbcs\tx12,x25,x12\n\tstp\txzr,xzr,[sp,#8*10]\n\tsbcs\tx13,x26,x13\n\tstp\txzr,xzr,[sp,#8*12]\n\tsbcs\tx28,x28,xzr\t// did it borrow?\n\tstp\txzr,xzr,[sp,#8*14]\n\n\t// x6-7 hold result-modulus\n\tcsel\tx6,x19,x6,lo\n\tcsel\tx7,x20,x7,lo\n\tcsel\tx8,x21,x8,lo\n\tcsel\tx9,x22,x9,lo\n\tstp\tx6,x7,[x1,#8*0]\n\tcsel\tx10,x23,x10,lo\n\tcsel\tx11,x24,x11,lo\n\tstp\tx8,x9,[x1,#8*2]\n\tcsel\tx12,x25,x12,lo\n\tcsel\tx13,x26,x13,lo\n\tstp\tx10,x11,[x1,#8*4]\n\tstp\tx12,x13,[x1,#8*6]\n\nLsqr8x_done:\n\tldp\tx19,x20,[x29,#16]\n\tmov\tsp,x29\n\tldp\tx21,x22,[x29,#32]\n\tmov\tx0,#1\n\tldp\tx23,x24,[x29,#48]\n\tldp\tx25,x26,[x29,#64]\n\tldp\tx27,x28,[x29,#80]\n\tldr\tx29,[sp],#128\n\t// x30 is popped earlier\n\tAARCH64_VALIDATE_LINK_REGISTER\n\tret\n\n.def __bn_mul4x_mont\n .type 32\n.endef\n.align\t5\n__bn_mul4x_mont:\n\t// Not adding AARCH64_SIGN_LINK_REGISTER here because __bn_mul4x_mont is jumped to\n\t// only from bn_mul_mont or __bn_mul8x_mont which have already signed the\n\t// return address.\n\tstp\tx29,x30,[sp,#-128]!\n\tadd\tx29,sp,#0\n\tstp\tx19,x20,[sp,#16]\n\tstp\tx21,x22,[sp,#32]\n\tstp\tx23,x24,[sp,#48]\n\tstp\tx25,x26,[sp,#64]\n\tstp\tx27,x28,[sp,#80]\n\n\tsub\tx26,sp,x5,lsl#3\n\tlsl\tx5,x5,#3\n\tldr\tx4,[x4]\t\t// *n0\n\tsub\tsp,x26,#8*4\t\t// alloca\n\n\tadd\tx10,x2,x5\n\tadd\tx27,x1,x5\n\tstp\tx0,x10,[x29,#96]\t// offload rp and &b[num]\n\n\tldr\tx24,[x2,#8*0]\t\t// b[0]\n\tldp\tx6,x7,[x1,#8*0]\t// a[0..3]\n\tldp\tx8,x9,[x1,#8*2]\n\tadd\tx1,x1,#8*4\n\tmov\tx19,xzr\n\tmov\tx20,xzr\n\tmov\tx21,xzr\n\tmov\tx22,xzr\n\tldp\tx14,x15,[x3,#8*0]\t// n[0..3]\n\tldp\tx16,x17,[x3,#8*2]\n\tadds\tx3,x3,#8*4\t\t// clear carry bit\n\tmov\tx0,xzr\n\tmov\tx28,#0\n\tmov\tx26,sp\n\nLoop_mul4x_1st_reduction:\n\tmul\tx10,x6,x24\t\t// lo(a[0..3]*b[0])\n\tadc\tx0,x0,xzr\t// modulo-scheduled\n\tmul\tx11,x7,x24\n\tadd\tx28,x28,#8\n\tmul\tx12,x8,x24\n\tand\tx28,x28,#31\n\tmul\tx13,x9,x24\n\tadds\tx19,x19,x10\n\tumulh\tx10,x6,x24\t\t// hi(a[0..3]*b[0])\n\tadcs\tx20,x20,x11\n\tmul\tx25,x19,x4\t\t// t[0]*n0\n\tadcs\tx21,x21,x12\n\tumulh\tx11,x7,x24\n\tadcs\tx22,x22,x13\n\tumulh\tx12,x8,x24\n\tadc\tx23,xzr,xzr\n\tumulh\tx13,x9,x24\n\tldr\tx24,[x2,x28]\t\t// next b[i] (or b[0])\n\tadds\tx20,x20,x10\n\t// (*)\tmul\tx10,x14,x25\t// lo(n[0..3]*t[0]*n0)\n\tstr\tx25,[x26],#8\t\t// put aside t[0]*n0 for tail processing\n\tadcs\tx21,x21,x11\n\tmul\tx11,x15,x25\n\tadcs\tx22,x22,x12\n\tmul\tx12,x16,x25\n\tadc\tx23,x23,x13\t\t// can't overflow\n\tmul\tx13,x17,x25\n\t// (*)\tadds\txzr,x19,x10\n\tsubs\txzr,x19,#1\t\t// (*)\n\tumulh\tx10,x14,x25\t\t// hi(n[0..3]*t[0]*n0)\n\tadcs\tx19,x20,x11\n\tumulh\tx11,x15,x25\n\tadcs\tx20,x21,x12\n\tumulh\tx12,x16,x25\n\tadcs\tx21,x22,x13\n\tumulh\tx13,x17,x25\n\tadcs\tx22,x23,x0\n\tadc\tx0,xzr,xzr\n\tadds\tx19,x19,x10\n\tsub\tx10,x27,x1\n\tadcs\tx20,x20,x11\n\tadcs\tx21,x21,x12\n\tadcs\tx22,x22,x13\n\t//adc\tx0,x0,xzr\n\tcbnz\tx28,Loop_mul4x_1st_reduction\n\n\tcbz\tx10,Lmul4x4_post_condition\n\n\tldp\tx6,x7,[x1,#8*0]\t// a[4..7]\n\tldp\tx8,x9,[x1,#8*2]\n\tadd\tx1,x1,#8*4\n\tldr\tx25,[sp]\t\t// a[0]*n0\n\tldp\tx14,x15,[x3,#8*0]\t// n[4..7]\n\tldp\tx16,x17,[x3,#8*2]\n\tadd\tx3,x3,#8*4\n\nLoop_mul4x_1st_tail:\n\tmul\tx10,x6,x24\t\t// lo(a[4..7]*b[i])\n\tadc\tx0,x0,xzr\t// modulo-scheduled\n\tmul\tx11,x7,x24\n\tadd\tx28,x28,#8\n\tmul\tx12,x8,x24\n\tand\tx28,x28,#31\n\tmul\tx13,x9,x24\n\tadds\tx19,x19,x10\n\tumulh\tx10,x6,x24\t\t// hi(a[4..7]*b[i])\n\tadcs\tx20,x20,x11\n\tumulh\tx11,x7,x24\n\tadcs\tx21,x21,x12\n\tumulh\tx12,x8,x24\n\tadcs\tx22,x22,x13\n\tumulh\tx13,x9,x24\n\tadc\tx23,xzr,xzr\n\tldr\tx24,[x2,x28]\t\t// next b[i] (or b[0])\n\tadds\tx20,x20,x10\n\tmul\tx10,x14,x25\t\t// lo(n[4..7]*a[0]*n0)\n\tadcs\tx21,x21,x11\n\tmul\tx11,x15,x25\n\tadcs\tx22,x22,x12\n\tmul\tx12,x16,x25\n\tadc\tx23,x23,x13\t\t// can't overflow\n\tmul\tx13,x17,x25\n\tadds\tx19,x19,x10\n\tumulh\tx10,x14,x25\t\t// hi(n[4..7]*a[0]*n0)\n\tadcs\tx20,x20,x11\n\tumulh\tx11,x15,x25\n\tadcs\tx21,x21,x12\n\tumulh\tx12,x16,x25\n\tadcs\tx22,x22,x13\n\tadcs\tx23,x23,x0\n\tumulh\tx13,x17,x25\n\tadc\tx0,xzr,xzr\n\tldr\tx25,[sp,x28]\t\t// next t[0]*n0\n\tstr\tx19,[x26],#8\t\t// result!!!\n\tadds\tx19,x20,x10\n\tsub\tx10,x27,x1\t\t// done yet?\n\tadcs\tx20,x21,x11\n\tadcs\tx21,x22,x12\n\tadcs\tx22,x23,x13\n\t//adc\tx0,x0,xzr\n\tcbnz\tx28,Loop_mul4x_1st_tail\n\n\tsub\tx11,x27,x5\t// rewinded x1\n\tcbz\tx10,Lmul4x_proceed\n\n\tldp\tx6,x7,[x1,#8*0]\n\tldp\tx8,x9,[x1,#8*2]\n\tadd\tx1,x1,#8*4\n\tldp\tx14,x15,[x3,#8*0]\n\tldp\tx16,x17,[x3,#8*2]\n\tadd\tx3,x3,#8*4\n\tb\tLoop_mul4x_1st_tail\n\n.align\t5\nLmul4x_proceed:\n\tldr\tx24,[x2,#8*4]!\t\t// *++b\n\tadc\tx30,x0,xzr\n\tldp\tx6,x7,[x11,#8*0]\t// a[0..3]\n\tsub\tx3,x3,x5\t\t// rewind np\n\tldp\tx8,x9,[x11,#8*2]\n\tadd\tx1,x11,#8*4\n\n\tstp\tx19,x20,[x26,#8*0]\t// result!!!\n\tldp\tx19,x20,[sp,#8*4]\t// t[0..3]\n\tstp\tx21,x22,[x26,#8*2]\t// result!!!\n\tldp\tx21,x22,[sp,#8*6]\n\n\tldp\tx14,x15,[x3,#8*0]\t// n[0..3]\n\tmov\tx26,sp\n\tldp\tx16,x17,[x3,#8*2]\n\tadds\tx3,x3,#8*4\t\t// clear carry bit\n\tmov\tx0,xzr\n\n.align\t4\nLoop_mul4x_reduction:\n\tmul\tx10,x6,x24\t\t// lo(a[0..3]*b[4])\n\tadc\tx0,x0,xzr\t// modulo-scheduled\n\tmul\tx11,x7,x24\n\tadd\tx28,x28,#8\n\tmul\tx12,x8,x24\n\tand\tx28,x28,#31\n\tmul\tx13,x9,x24\n\tadds\tx19,x19,x10\n\tumulh\tx10,x6,x24\t\t// hi(a[0..3]*b[4])\n\tadcs\tx20,x20,x11\n\tmul\tx25,x19,x4\t\t// t[0]*n0\n\tadcs\tx21,x21,x12\n\tumulh\tx11,x7,x24\n\tadcs\tx22,x22,x13\n\tumulh\tx12,x8,x24\n\tadc\tx23,xzr,xzr\n\tumulh\tx13,x9,x24\n\tldr\tx24,[x2,x28]\t\t// next b[i]\n\tadds\tx20,x20,x10\n\t// (*)\tmul\tx10,x14,x25\n\tstr\tx25,[x26],#8\t\t// put aside t[0]*n0 for tail processing\n\tadcs\tx21,x21,x11\n\tmul\tx11,x15,x25\t\t// lo(n[0..3]*t[0]*n0\n\tadcs\tx22,x22,x12\n\tmul\tx12,x16,x25\n\tadc\tx23,x23,x13\t\t// can't overflow\n\tmul\tx13,x17,x25\n\t// (*)\tadds\txzr,x19,x10\n\tsubs\txzr,x19,#1\t\t// (*)\n\tumulh\tx10,x14,x25\t\t// hi(n[0..3]*t[0]*n0\n\tadcs\tx19,x20,x11\n\tumulh\tx11,x15,x25\n\tadcs\tx20,x21,x12\n\tumulh\tx12,x16,x25\n\tadcs\tx21,x22,x13\n\tumulh\tx13,x17,x25\n\tadcs\tx22,x23,x0\n\tadc\tx0,xzr,xzr\n\tadds\tx19,x19,x10\n\tadcs\tx20,x20,x11\n\tadcs\tx21,x21,x12\n\tadcs\tx22,x22,x13\n\t//adc\tx0,x0,xzr\n\tcbnz\tx28,Loop_mul4x_reduction\n\n\tadc\tx0,x0,xzr\n\tldp\tx10,x11,[x26,#8*4]\t// t[4..7]\n\tldp\tx12,x13,[x26,#8*6]\n\tldp\tx6,x7,[x1,#8*0]\t// a[4..7]\n\tldp\tx8,x9,[x1,#8*2]\n\tadd\tx1,x1,#8*4\n\tadds\tx19,x19,x10\n\tadcs\tx20,x20,x11\n\tadcs\tx21,x21,x12\n\tadcs\tx22,x22,x13\n\t//adc\tx0,x0,xzr\n\n\tldr\tx25,[sp]\t\t// t[0]*n0\n\tldp\tx14,x15,[x3,#8*0]\t// n[4..7]\n\tldp\tx16,x17,[x3,#8*2]\n\tadd\tx3,x3,#8*4\n\n.align\t4\nLoop_mul4x_tail:\n\tmul\tx10,x6,x24\t\t// lo(a[4..7]*b[4])\n\tadc\tx0,x0,xzr\t// modulo-scheduled\n\tmul\tx11,x7,x24\n\tadd\tx28,x28,#8\n\tmul\tx12,x8,x24\n\tand\tx28,x28,#31\n\tmul\tx13,x9,x24\n\tadds\tx19,x19,x10\n\tumulh\tx10,x6,x24\t\t// hi(a[4..7]*b[4])\n\tadcs\tx20,x20,x11\n\tumulh\tx11,x7,x24\n\tadcs\tx21,x21,x12\n\tumulh\tx12,x8,x24\n\tadcs\tx22,x22,x13\n\tumulh\tx13,x9,x24\n\tadc\tx23,xzr,xzr\n\tldr\tx24,[x2,x28]\t\t// next b[i]\n\tadds\tx20,x20,x10\n\tmul\tx10,x14,x25\t\t// lo(n[4..7]*t[0]*n0)\n\tadcs\tx21,x21,x11\n\tmul\tx11,x15,x25\n\tadcs\tx22,x22,x12\n\tmul\tx12,x16,x25\n\tadc\tx23,x23,x13\t\t// can't overflow\n\tmul\tx13,x17,x25\n\tadds\tx19,x19,x10\n\tumulh\tx10,x14,x25\t\t// hi(n[4..7]*t[0]*n0)\n\tadcs\tx20,x20,x11\n\tumulh\tx11,x15,x25\n\tadcs\tx21,x21,x12\n\tumulh\tx12,x16,x25\n\tadcs\tx22,x22,x13\n\tumulh\tx13,x17,x25\n\tadcs\tx23,x23,x0\n\tldr\tx25,[sp,x28]\t\t// next a[0]*n0\n\tadc\tx0,xzr,xzr\n\tstr\tx19,[x26],#8\t\t// result!!!\n\tadds\tx19,x20,x10\n\tsub\tx10,x27,x1\t\t// done yet?\n\tadcs\tx20,x21,x11\n\tadcs\tx21,x22,x12\n\tadcs\tx22,x23,x13\n\t//adc\tx0,x0,xzr\n\tcbnz\tx28,Loop_mul4x_tail\n\n\tsub\tx11,x3,x5\t\t// rewinded np?\n\tadc\tx0,x0,xzr\n\tcbz\tx10,Loop_mul4x_break\n\n\tldp\tx10,x11,[x26,#8*4]\n\tldp\tx12,x13,[x26,#8*6]\n\tldp\tx6,x7,[x1,#8*0]\n\tldp\tx8,x9,[x1,#8*2]\n\tadd\tx1,x1,#8*4\n\tadds\tx19,x19,x10\n\tadcs\tx20,x20,x11\n\tadcs\tx21,x21,x12\n\tadcs\tx22,x22,x13\n\t//adc\tx0,x0,xzr\n\tldp\tx14,x15,[x3,#8*0]\n\tldp\tx16,x17,[x3,#8*2]\n\tadd\tx3,x3,#8*4\n\tb\tLoop_mul4x_tail\n\n.align\t4\nLoop_mul4x_break:\n\tldp\tx12,x13,[x29,#96]\t// pull rp and &b[num]\n\tadds\tx19,x19,x30\n\tadd\tx2,x2,#8*4\t\t// bp++\n\tadcs\tx20,x20,xzr\n\tsub\tx1,x1,x5\t\t// rewind ap\n\tadcs\tx21,x21,xzr\n\tstp\tx19,x20,[x26,#8*0]\t// result!!!\n\tadcs\tx22,x22,xzr\n\tldp\tx19,x20,[sp,#8*4]\t// t[0..3]\n\tadc\tx30,x0,xzr\n\tstp\tx21,x22,[x26,#8*2]\t// result!!!\n\tcmp\tx2,x13\t\t\t// done yet?\n\tldp\tx21,x22,[sp,#8*6]\n\tldp\tx14,x15,[x11,#8*0]\t// n[0..3]\n\tldp\tx16,x17,[x11,#8*2]\n\tadd\tx3,x11,#8*4\n\tb.eq\tLmul4x_post\n\n\tldr\tx24,[x2]\n\tldp\tx6,x7,[x1,#8*0]\t// a[0..3]\n\tldp\tx8,x9,[x1,#8*2]\n\tadds\tx1,x1,#8*4\t\t// clear carry bit\n\tmov\tx0,xzr\n\tmov\tx26,sp\n\tb\tLoop_mul4x_reduction\n\n.align\t4\nLmul4x_post:\n\t// Final step. We see if result is larger than modulus, and\n\t// if it is, subtract the modulus. But comparison implies\n\t// subtraction. So we subtract modulus, see if it borrowed,\n\t// and conditionally copy original value.\n\tmov\tx0,x12\n\tmov\tx27,x12\t\t// x0 copy\n\tsubs\tx10,x19,x14\n\tadd\tx26,sp,#8*8\n\tsbcs\tx11,x20,x15\n\tsub\tx28,x5,#8*4\n\nLmul4x_sub:\n\tsbcs\tx12,x21,x16\n\tldp\tx14,x15,[x3,#8*0]\n\tsub\tx28,x28,#8*4\n\tldp\tx19,x20,[x26,#8*0]\n\tsbcs\tx13,x22,x17\n\tldp\tx16,x17,[x3,#8*2]\n\tadd\tx3,x3,#8*4\n\tldp\tx21,x22,[x26,#8*2]\n\tadd\tx26,x26,#8*4\n\tstp\tx10,x11,[x0,#8*0]\n\tsbcs\tx10,x19,x14\n\tstp\tx12,x13,[x0,#8*2]\n\tadd\tx0,x0,#8*4\n\tsbcs\tx11,x20,x15\n\tcbnz\tx28,Lmul4x_sub\n\n\tsbcs\tx12,x21,x16\n\tmov\tx26,sp\n\tadd\tx1,sp,#8*4\n\tldp\tx6,x7,[x27,#8*0]\n\tsbcs\tx13,x22,x17\n\tstp\tx10,x11,[x0,#8*0]\n\tldp\tx8,x9,[x27,#8*2]\n\tstp\tx12,x13,[x0,#8*2]\n\tldp\tx19,x20,[x1,#8*0]\n\tldp\tx21,x22,[x1,#8*2]\n\tsbcs\txzr,x30,xzr\t// did it borrow?\n\tldr\tx30,[x29,#8]\t\t// pull return address\n\n\tsub\tx28,x5,#8*4\nLmul4x_cond_copy:\n\tsub\tx28,x28,#8*4\n\tcsel\tx10,x19,x6,lo\n\tstp\txzr,xzr,[x26,#8*0]\n\tcsel\tx11,x20,x7,lo\n\tldp\tx6,x7,[x27,#8*4]\n\tldp\tx19,x20,[x1,#8*4]\n\tcsel\tx12,x21,x8,lo\n\tstp\txzr,xzr,[x26,#8*2]\n\tadd\tx26,x26,#8*4\n\tcsel\tx13,x22,x9,lo\n\tldp\tx8,x9,[x27,#8*6]\n\tldp\tx21,x22,[x1,#8*6]\n\tadd\tx1,x1,#8*4\n\tstp\tx10,x11,[x27,#8*0]\n\tstp\tx12,x13,[x27,#8*2]\n\tadd\tx27,x27,#8*4\n\tcbnz\tx28,Lmul4x_cond_copy\n\n\tcsel\tx10,x19,x6,lo\n\tstp\txzr,xzr,[x26,#8*0]\n\tcsel\tx11,x20,x7,lo\n\tstp\txzr,xzr,[x26,#8*2]\n\tcsel\tx12,x21,x8,lo\n\tstp\txzr,xzr,[x26,#8*3]\n\tcsel\tx13,x22,x9,lo\n\tstp\txzr,xzr,[x26,#8*4]\n\tstp\tx10,x11,[x27,#8*0]\n\tstp\tx12,x13,[x27,#8*2]\n\n\tb\tLmul4x_done\n\n.align\t4\nLmul4x4_post_condition:\n\tadc\tx0,x0,xzr\n\tldr\tx1,[x29,#96]\t\t// pull rp\n\t// x19-3,x0 hold result, x14-7 hold modulus\n\tsubs\tx6,x19,x14\n\tldr\tx30,[x29,#8]\t\t// pull return address\n\tsbcs\tx7,x20,x15\n\tstp\txzr,xzr,[sp,#8*0]\n\tsbcs\tx8,x21,x16\n\tstp\txzr,xzr,[sp,#8*2]\n\tsbcs\tx9,x22,x17\n\tstp\txzr,xzr,[sp,#8*4]\n\tsbcs\txzr,x0,xzr\t\t// did it borrow?\n\tstp\txzr,xzr,[sp,#8*6]\n\n\t// x6-3 hold result-modulus\n\tcsel\tx6,x19,x6,lo\n\tcsel\tx7,x20,x7,lo\n\tcsel\tx8,x21,x8,lo\n\tcsel\tx9,x22,x9,lo\n\tstp\tx6,x7,[x1,#8*0]\n\tstp\tx8,x9,[x1,#8*2]\n\nLmul4x_done:\n\tldp\tx19,x20,[x29,#16]\n\tmov\tsp,x29\n\tldp\tx21,x22,[x29,#32]\n\tmov\tx0,#1\n\tldp\tx23,x24,[x29,#48]\n\tldp\tx25,x26,[x29,#64]\n\tldp\tx27,x28,[x29,#80]\n\tldr\tx29,[sp],#128\n\t// x30 is popped earlier\n\tAARCH64_VALIDATE_LINK_REGISTER\n\tret\n\n.byte\t77,111,110,116,103,111,109,101,114,121,32,77,117,108,116,105,112,108,105,99,97,116,105,111,110,32,102,111,114,32,65,82,77,118,56,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0\n.align\t2\n.align\t4\n#endif // !OPENSSL_NO_ASM && defined(OPENSSL_AARCH64) && defined(_WIN32)\n#if defined(__linux__) && defined(__ELF__)\n.section .note.GNU-stack,\"\",%progbits\n#endif\n\n" }, { "path": "Sources/CNIOBoringSSL/gen/bcm/bn-586-apple.S", "content": "#define BORINGSSL_PREFIX CNIOBoringSSL\n// This file is generated from a similarly-named Perl script in the BoringSSL\n// source tree. Do not edit by hand.\n\n#include \n\n#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86) && defined(__APPLE__)\n.text\n.globl\t_bn_mul_add_words\n.private_extern\t_bn_mul_add_words\n.align\t4\n_bn_mul_add_words:\nL_bn_mul_add_words_begin:\n\tmovl\t4(%esp),%eax\n\tmovl\t8(%esp),%edx\n\tmovl\t12(%esp),%ecx\n\tmovd\t16(%esp),%mm0\n\tpxor\t%mm1,%mm1\n\tjmp\tL000maw_sse2_entry\n.align\t4,0x90\nL001maw_sse2_unrolled:\n\tmovd\t(%eax),%mm3\n\tpaddq\t%mm3,%mm1\n\tmovd\t(%edx),%mm2\n\tpmuludq\t%mm0,%mm2\n\tmovd\t4(%edx),%mm4\n\tpmuludq\t%mm0,%mm4\n\tmovd\t8(%edx),%mm6\n\tpmuludq\t%mm0,%mm6\n\tmovd\t12(%edx),%mm7\n\tpmuludq\t%mm0,%mm7\n\tpaddq\t%mm2,%mm1\n\tmovd\t4(%eax),%mm3\n\tpaddq\t%mm4,%mm3\n\tmovd\t8(%eax),%mm5\n\tpaddq\t%mm6,%mm5\n\tmovd\t12(%eax),%mm4\n\tpaddq\t%mm4,%mm7\n\tmovd\t%mm1,(%eax)\n\tmovd\t16(%edx),%mm2\n\tpmuludq\t%mm0,%mm2\n\tpsrlq\t$32,%mm1\n\tmovd\t20(%edx),%mm4\n\tpmuludq\t%mm0,%mm4\n\tpaddq\t%mm3,%mm1\n\tmovd\t24(%edx),%mm6\n\tpmuludq\t%mm0,%mm6\n\tmovd\t%mm1,4(%eax)\n\tpsrlq\t$32,%mm1\n\tmovd\t28(%edx),%mm3\n\taddl\t$32,%edx\n\tpmuludq\t%mm0,%mm3\n\tpaddq\t%mm5,%mm1\n\tmovd\t16(%eax),%mm5\n\tpaddq\t%mm5,%mm2\n\tmovd\t%mm1,8(%eax)\n\tpsrlq\t$32,%mm1\n\tpaddq\t%mm7,%mm1\n\tmovd\t20(%eax),%mm5\n\tpaddq\t%mm5,%mm4\n\tmovd\t%mm1,12(%eax)\n\tpsrlq\t$32,%mm1\n\tpaddq\t%mm2,%mm1\n\tmovd\t24(%eax),%mm5\n\tpaddq\t%mm5,%mm6\n\tmovd\t%mm1,16(%eax)\n\tpsrlq\t$32,%mm1\n\tpaddq\t%mm4,%mm1\n\tmovd\t28(%eax),%mm5\n\tpaddq\t%mm5,%mm3\n\tmovd\t%mm1,20(%eax)\n\tpsrlq\t$32,%mm1\n\tpaddq\t%mm6,%mm1\n\tmovd\t%mm1,24(%eax)\n\tpsrlq\t$32,%mm1\n\tpaddq\t%mm3,%mm1\n\tmovd\t%mm1,28(%eax)\n\tleal\t32(%eax),%eax\n\tpsrlq\t$32,%mm1\n\tsubl\t$8,%ecx\n\tjz\tL002maw_sse2_exit\nL000maw_sse2_entry:\n\ttestl\t$4294967288,%ecx\n\tjnz\tL001maw_sse2_unrolled\n.align\t2,0x90\nL003maw_sse2_loop:\n\tmovd\t(%edx),%mm2\n\tmovd\t(%eax),%mm3\n\tpmuludq\t%mm0,%mm2\n\tleal\t4(%edx),%edx\n\tpaddq\t%mm3,%mm1\n\tpaddq\t%mm2,%mm1\n\tmovd\t%mm1,(%eax)\n\tsubl\t$1,%ecx\n\tpsrlq\t$32,%mm1\n\tleal\t4(%eax),%eax\n\tjnz\tL003maw_sse2_loop\nL002maw_sse2_exit:\n\tmovd\t%mm1,%eax\n\temms\n\tret\n\tpopl\t%edi\n\tpopl\t%esi\n\tpopl\t%ebx\n\tpopl\t%ebp\n\tret\n.globl\t_bn_mul_words\n.private_extern\t_bn_mul_words\n.align\t4\n_bn_mul_words:\nL_bn_mul_words_begin:\n\tmovl\t4(%esp),%eax\n\tmovl\t8(%esp),%edx\n\tmovl\t12(%esp),%ecx\n\tmovd\t16(%esp),%mm0\n\tpxor\t%mm1,%mm1\n.align\t4,0x90\nL004mw_sse2_loop:\n\tmovd\t(%edx),%mm2\n\tpmuludq\t%mm0,%mm2\n\tleal\t4(%edx),%edx\n\tpaddq\t%mm2,%mm1\n\tmovd\t%mm1,(%eax)\n\tsubl\t$1,%ecx\n\tpsrlq\t$32,%mm1\n\tleal\t4(%eax),%eax\n\tjnz\tL004mw_sse2_loop\n\tmovd\t%mm1,%eax\n\temms\n\tret\n\tpopl\t%edi\n\tpopl\t%esi\n\tpopl\t%ebx\n\tpopl\t%ebp\n\tret\n.globl\t_bn_sqr_words\n.private_extern\t_bn_sqr_words\n.align\t4\n_bn_sqr_words:\nL_bn_sqr_words_begin:\n\tmovl\t4(%esp),%eax\n\tmovl\t8(%esp),%edx\n\tmovl\t12(%esp),%ecx\n.align\t4,0x90\nL005sqr_sse2_loop:\n\tmovd\t(%edx),%mm0\n\tpmuludq\t%mm0,%mm0\n\tleal\t4(%edx),%edx\n\tmovq\t%mm0,(%eax)\n\tsubl\t$1,%ecx\n\tleal\t8(%eax),%eax\n\tjnz\tL005sqr_sse2_loop\n\temms\n\tret\n\tpopl\t%edi\n\tpopl\t%esi\n\tpopl\t%ebx\n\tpopl\t%ebp\n\tret\n.globl\t_bn_div_words\n.private_extern\t_bn_div_words\n.align\t4\n_bn_div_words:\nL_bn_div_words_begin:\n\tmovl\t4(%esp),%edx\n\tmovl\t8(%esp),%eax\n\tmovl\t12(%esp),%ecx\n\tdivl\t%ecx\n\tret\n.globl\t_bn_add_words\n.private_extern\t_bn_add_words\n.align\t4\n_bn_add_words:\nL_bn_add_words_begin:\n\tpushl\t%ebp\n\tpushl\t%ebx\n\tpushl\t%esi\n\tpushl\t%edi\n\n\tmovl\t20(%esp),%ebx\n\tmovl\t24(%esp),%esi\n\tmovl\t28(%esp),%edi\n\tmovl\t32(%esp),%ebp\n\txorl\t%eax,%eax\n\tandl\t$4294967288,%ebp\n\tjz\tL006aw_finish\nL007aw_loop:\n\t# Round 0 \n\tmovl\t(%esi),%ecx\n\tmovl\t(%edi),%edx\n\taddl\t%eax,%ecx\n\tmovl\t$0,%eax\n\tadcl\t%eax,%eax\n\taddl\t%edx,%ecx\n\tadcl\t$0,%eax\n\tmovl\t%ecx,(%ebx)\n\t# Round 1 \n\tmovl\t4(%esi),%ecx\n\tmovl\t4(%edi),%edx\n\taddl\t%eax,%ecx\n\tmovl\t$0,%eax\n\tadcl\t%eax,%eax\n\taddl\t%edx,%ecx\n\tadcl\t$0,%eax\n\tmovl\t%ecx,4(%ebx)\n\t# Round 2 \n\tmovl\t8(%esi),%ecx\n\tmovl\t8(%edi),%edx\n\taddl\t%eax,%ecx\n\tmovl\t$0,%eax\n\tadcl\t%eax,%eax\n\taddl\t%edx,%ecx\n\tadcl\t$0,%eax\n\tmovl\t%ecx,8(%ebx)\n\t# Round 3 \n\tmovl\t12(%esi),%ecx\n\tmovl\t12(%edi),%edx\n\taddl\t%eax,%ecx\n\tmovl\t$0,%eax\n\tadcl\t%eax,%eax\n\taddl\t%edx,%ecx\n\tadcl\t$0,%eax\n\tmovl\t%ecx,12(%ebx)\n\t# Round 4 \n\tmovl\t16(%esi),%ecx\n\tmovl\t16(%edi),%edx\n\taddl\t%eax,%ecx\n\tmovl\t$0,%eax\n\tadcl\t%eax,%eax\n\taddl\t%edx,%ecx\n\tadcl\t$0,%eax\n\tmovl\t%ecx,16(%ebx)\n\t# Round 5 \n\tmovl\t20(%esi),%ecx\n\tmovl\t20(%edi),%edx\n\taddl\t%eax,%ecx\n\tmovl\t$0,%eax\n\tadcl\t%eax,%eax\n\taddl\t%edx,%ecx\n\tadcl\t$0,%eax\n\tmovl\t%ecx,20(%ebx)\n\t# Round 6 \n\tmovl\t24(%esi),%ecx\n\tmovl\t24(%edi),%edx\n\taddl\t%eax,%ecx\n\tmovl\t$0,%eax\n\tadcl\t%eax,%eax\n\taddl\t%edx,%ecx\n\tadcl\t$0,%eax\n\tmovl\t%ecx,24(%ebx)\n\t# Round 7 \n\tmovl\t28(%esi),%ecx\n\tmovl\t28(%edi),%edx\n\taddl\t%eax,%ecx\n\tmovl\t$0,%eax\n\tadcl\t%eax,%eax\n\taddl\t%edx,%ecx\n\tadcl\t$0,%eax\n\tmovl\t%ecx,28(%ebx)\n\n\taddl\t$32,%esi\n\taddl\t$32,%edi\n\taddl\t$32,%ebx\n\tsubl\t$8,%ebp\n\tjnz\tL007aw_loop\nL006aw_finish:\n\tmovl\t32(%esp),%ebp\n\tandl\t$7,%ebp\n\tjz\tL008aw_end\n\t# Tail Round 0 \n\tmovl\t(%esi),%ecx\n\tmovl\t(%edi),%edx\n\taddl\t%eax,%ecx\n\tmovl\t$0,%eax\n\tadcl\t%eax,%eax\n\taddl\t%edx,%ecx\n\tadcl\t$0,%eax\n\tdecl\t%ebp\n\tmovl\t%ecx,(%ebx)\n\tjz\tL008aw_end\n\t# Tail Round 1 \n\tmovl\t4(%esi),%ecx\n\tmovl\t4(%edi),%edx\n\taddl\t%eax,%ecx\n\tmovl\t$0,%eax\n\tadcl\t%eax,%eax\n\taddl\t%edx,%ecx\n\tadcl\t$0,%eax\n\tdecl\t%ebp\n\tmovl\t%ecx,4(%ebx)\n\tjz\tL008aw_end\n\t# Tail Round 2 \n\tmovl\t8(%esi),%ecx\n\tmovl\t8(%edi),%edx\n\taddl\t%eax,%ecx\n\tmovl\t$0,%eax\n\tadcl\t%eax,%eax\n\taddl\t%edx,%ecx\n\tadcl\t$0,%eax\n\tdecl\t%ebp\n\tmovl\t%ecx,8(%ebx)\n\tjz\tL008aw_end\n\t# Tail Round 3 \n\tmovl\t12(%esi),%ecx\n\tmovl\t12(%edi),%edx\n\taddl\t%eax,%ecx\n\tmovl\t$0,%eax\n\tadcl\t%eax,%eax\n\taddl\t%edx,%ecx\n\tadcl\t$0,%eax\n\tdecl\t%ebp\n\tmovl\t%ecx,12(%ebx)\n\tjz\tL008aw_end\n\t# Tail Round 4 \n\tmovl\t16(%esi),%ecx\n\tmovl\t16(%edi),%edx\n\taddl\t%eax,%ecx\n\tmovl\t$0,%eax\n\tadcl\t%eax,%eax\n\taddl\t%edx,%ecx\n\tadcl\t$0,%eax\n\tdecl\t%ebp\n\tmovl\t%ecx,16(%ebx)\n\tjz\tL008aw_end\n\t# Tail Round 5 \n\tmovl\t20(%esi),%ecx\n\tmovl\t20(%edi),%edx\n\taddl\t%eax,%ecx\n\tmovl\t$0,%eax\n\tadcl\t%eax,%eax\n\taddl\t%edx,%ecx\n\tadcl\t$0,%eax\n\tdecl\t%ebp\n\tmovl\t%ecx,20(%ebx)\n\tjz\tL008aw_end\n\t# Tail Round 6 \n\tmovl\t24(%esi),%ecx\n\tmovl\t24(%edi),%edx\n\taddl\t%eax,%ecx\n\tmovl\t$0,%eax\n\tadcl\t%eax,%eax\n\taddl\t%edx,%ecx\n\tadcl\t$0,%eax\n\tmovl\t%ecx,24(%ebx)\nL008aw_end:\n\tpopl\t%edi\n\tpopl\t%esi\n\tpopl\t%ebx\n\tpopl\t%ebp\n\tret\n.globl\t_bn_sub_words\n.private_extern\t_bn_sub_words\n.align\t4\n_bn_sub_words:\nL_bn_sub_words_begin:\n\tpushl\t%ebp\n\tpushl\t%ebx\n\tpushl\t%esi\n\tpushl\t%edi\n\n\tmovl\t20(%esp),%ebx\n\tmovl\t24(%esp),%esi\n\tmovl\t28(%esp),%edi\n\tmovl\t32(%esp),%ebp\n\txorl\t%eax,%eax\n\tandl\t$4294967288,%ebp\n\tjz\tL009aw_finish\nL010aw_loop:\n\t# Round 0 \n\tmovl\t(%esi),%ecx\n\tmovl\t(%edi),%edx\n\tsubl\t%eax,%ecx\n\tmovl\t$0,%eax\n\tadcl\t%eax,%eax\n\tsubl\t%edx,%ecx\n\tadcl\t$0,%eax\n\tmovl\t%ecx,(%ebx)\n\t# Round 1 \n\tmovl\t4(%esi),%ecx\n\tmovl\t4(%edi),%edx\n\tsubl\t%eax,%ecx\n\tmovl\t$0,%eax\n\tadcl\t%eax,%eax\n\tsubl\t%edx,%ecx\n\tadcl\t$0,%eax\n\tmovl\t%ecx,4(%ebx)\n\t# Round 2 \n\tmovl\t8(%esi),%ecx\n\tmovl\t8(%edi),%edx\n\tsubl\t%eax,%ecx\n\tmovl\t$0,%eax\n\tadcl\t%eax,%eax\n\tsubl\t%edx,%ecx\n\tadcl\t$0,%eax\n\tmovl\t%ecx,8(%ebx)\n\t# Round 3 \n\tmovl\t12(%esi),%ecx\n\tmovl\t12(%edi),%edx\n\tsubl\t%eax,%ecx\n\tmovl\t$0,%eax\n\tadcl\t%eax,%eax\n\tsubl\t%edx,%ecx\n\tadcl\t$0,%eax\n\tmovl\t%ecx,12(%ebx)\n\t# Round 4 \n\tmovl\t16(%esi),%ecx\n\tmovl\t16(%edi),%edx\n\tsubl\t%eax,%ecx\n\tmovl\t$0,%eax\n\tadcl\t%eax,%eax\n\tsubl\t%edx,%ecx\n\tadcl\t$0,%eax\n\tmovl\t%ecx,16(%ebx)\n\t# Round 5 \n\tmovl\t20(%esi),%ecx\n\tmovl\t20(%edi),%edx\n\tsubl\t%eax,%ecx\n\tmovl\t$0,%eax\n\tadcl\t%eax,%eax\n\tsubl\t%edx,%ecx\n\tadcl\t$0,%eax\n\tmovl\t%ecx,20(%ebx)\n\t# Round 6 \n\tmovl\t24(%esi),%ecx\n\tmovl\t24(%edi),%edx\n\tsubl\t%eax,%ecx\n\tmovl\t$0,%eax\n\tadcl\t%eax,%eax\n\tsubl\t%edx,%ecx\n\tadcl\t$0,%eax\n\tmovl\t%ecx,24(%ebx)\n\t# Round 7 \n\tmovl\t28(%esi),%ecx\n\tmovl\t28(%edi),%edx\n\tsubl\t%eax,%ecx\n\tmovl\t$0,%eax\n\tadcl\t%eax,%eax\n\tsubl\t%edx,%ecx\n\tadcl\t$0,%eax\n\tmovl\t%ecx,28(%ebx)\n\n\taddl\t$32,%esi\n\taddl\t$32,%edi\n\taddl\t$32,%ebx\n\tsubl\t$8,%ebp\n\tjnz\tL010aw_loop\nL009aw_finish:\n\tmovl\t32(%esp),%ebp\n\tandl\t$7,%ebp\n\tjz\tL011aw_end\n\t# Tail Round 0 \n\tmovl\t(%esi),%ecx\n\tmovl\t(%edi),%edx\n\tsubl\t%eax,%ecx\n\tmovl\t$0,%eax\n\tadcl\t%eax,%eax\n\tsubl\t%edx,%ecx\n\tadcl\t$0,%eax\n\tdecl\t%ebp\n\tmovl\t%ecx,(%ebx)\n\tjz\tL011aw_end\n\t# Tail Round 1 \n\tmovl\t4(%esi),%ecx\n\tmovl\t4(%edi),%edx\n\tsubl\t%eax,%ecx\n\tmovl\t$0,%eax\n\tadcl\t%eax,%eax\n\tsubl\t%edx,%ecx\n\tadcl\t$0,%eax\n\tdecl\t%ebp\n\tmovl\t%ecx,4(%ebx)\n\tjz\tL011aw_end\n\t# Tail Round 2 \n\tmovl\t8(%esi),%ecx\n\tmovl\t8(%edi),%edx\n\tsubl\t%eax,%ecx\n\tmovl\t$0,%eax\n\tadcl\t%eax,%eax\n\tsubl\t%edx,%ecx\n\tadcl\t$0,%eax\n\tdecl\t%ebp\n\tmovl\t%ecx,8(%ebx)\n\tjz\tL011aw_end\n\t# Tail Round 3 \n\tmovl\t12(%esi),%ecx\n\tmovl\t12(%edi),%edx\n\tsubl\t%eax,%ecx\n\tmovl\t$0,%eax\n\tadcl\t%eax,%eax\n\tsubl\t%edx,%ecx\n\tadcl\t$0,%eax\n\tdecl\t%ebp\n\tmovl\t%ecx,12(%ebx)\n\tjz\tL011aw_end\n\t# Tail Round 4 \n\tmovl\t16(%esi),%ecx\n\tmovl\t16(%edi),%edx\n\tsubl\t%eax,%ecx\n\tmovl\t$0,%eax\n\tadcl\t%eax,%eax\n\tsubl\t%edx,%ecx\n\tadcl\t$0,%eax\n\tdecl\t%ebp\n\tmovl\t%ecx,16(%ebx)\n\tjz\tL011aw_end\n\t# Tail Round 5 \n\tmovl\t20(%esi),%ecx\n\tmovl\t20(%edi),%edx\n\tsubl\t%eax,%ecx\n\tmovl\t$0,%eax\n\tadcl\t%eax,%eax\n\tsubl\t%edx,%ecx\n\tadcl\t$0,%eax\n\tdecl\t%ebp\n\tmovl\t%ecx,20(%ebx)\n\tjz\tL011aw_end\n\t# Tail Round 6 \n\tmovl\t24(%esi),%ecx\n\tmovl\t24(%edi),%edx\n\tsubl\t%eax,%ecx\n\tmovl\t$0,%eax\n\tadcl\t%eax,%eax\n\tsubl\t%edx,%ecx\n\tadcl\t$0,%eax\n\tmovl\t%ecx,24(%ebx)\nL011aw_end:\n\tpopl\t%edi\n\tpopl\t%esi\n\tpopl\t%ebx\n\tpopl\t%ebp\n\tret\n#endif // !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86) && defined(__APPLE__)\n#if defined(__linux__) && defined(__ELF__)\n.section .note.GNU-stack,\"\",%progbits\n#endif\n\n" }, { "path": "Sources/CNIOBoringSSL/gen/bcm/bn-586-linux.S", "content": "#define BORINGSSL_PREFIX CNIOBoringSSL\n// This file is generated from a similarly-named Perl script in the BoringSSL\n// source tree. Do not edit by hand.\n\n#include \n\n#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86) && defined(__ELF__)\n.text\n.globl\tbn_mul_add_words\n.hidden\tbn_mul_add_words\n.type\tbn_mul_add_words,@function\n.align\t16\nbn_mul_add_words:\n.L_bn_mul_add_words_begin:\n\tmovl\t4(%esp),%eax\n\tmovl\t8(%esp),%edx\n\tmovl\t12(%esp),%ecx\n\tmovd\t16(%esp),%mm0\n\tpxor\t%mm1,%mm1\n\tjmp\t.L000maw_sse2_entry\n.align\t16\n.L001maw_sse2_unrolled:\n\tmovd\t(%eax),%mm3\n\tpaddq\t%mm3,%mm1\n\tmovd\t(%edx),%mm2\n\tpmuludq\t%mm0,%mm2\n\tmovd\t4(%edx),%mm4\n\tpmuludq\t%mm0,%mm4\n\tmovd\t8(%edx),%mm6\n\tpmuludq\t%mm0,%mm6\n\tmovd\t12(%edx),%mm7\n\tpmuludq\t%mm0,%mm7\n\tpaddq\t%mm2,%mm1\n\tmovd\t4(%eax),%mm3\n\tpaddq\t%mm4,%mm3\n\tmovd\t8(%eax),%mm5\n\tpaddq\t%mm6,%mm5\n\tmovd\t12(%eax),%mm4\n\tpaddq\t%mm4,%mm7\n\tmovd\t%mm1,(%eax)\n\tmovd\t16(%edx),%mm2\n\tpmuludq\t%mm0,%mm2\n\tpsrlq\t$32,%mm1\n\tmovd\t20(%edx),%mm4\n\tpmuludq\t%mm0,%mm4\n\tpaddq\t%mm3,%mm1\n\tmovd\t24(%edx),%mm6\n\tpmuludq\t%mm0,%mm6\n\tmovd\t%mm1,4(%eax)\n\tpsrlq\t$32,%mm1\n\tmovd\t28(%edx),%mm3\n\taddl\t$32,%edx\n\tpmuludq\t%mm0,%mm3\n\tpaddq\t%mm5,%mm1\n\tmovd\t16(%eax),%mm5\n\tpaddq\t%mm5,%mm2\n\tmovd\t%mm1,8(%eax)\n\tpsrlq\t$32,%mm1\n\tpaddq\t%mm7,%mm1\n\tmovd\t20(%eax),%mm5\n\tpaddq\t%mm5,%mm4\n\tmovd\t%mm1,12(%eax)\n\tpsrlq\t$32,%mm1\n\tpaddq\t%mm2,%mm1\n\tmovd\t24(%eax),%mm5\n\tpaddq\t%mm5,%mm6\n\tmovd\t%mm1,16(%eax)\n\tpsrlq\t$32,%mm1\n\tpaddq\t%mm4,%mm1\n\tmovd\t28(%eax),%mm5\n\tpaddq\t%mm5,%mm3\n\tmovd\t%mm1,20(%eax)\n\tpsrlq\t$32,%mm1\n\tpaddq\t%mm6,%mm1\n\tmovd\t%mm1,24(%eax)\n\tpsrlq\t$32,%mm1\n\tpaddq\t%mm3,%mm1\n\tmovd\t%mm1,28(%eax)\n\tleal\t32(%eax),%eax\n\tpsrlq\t$32,%mm1\n\tsubl\t$8,%ecx\n\tjz\t.L002maw_sse2_exit\n.L000maw_sse2_entry:\n\ttestl\t$4294967288,%ecx\n\tjnz\t.L001maw_sse2_unrolled\n.align\t4\n.L003maw_sse2_loop:\n\tmovd\t(%edx),%mm2\n\tmovd\t(%eax),%mm3\n\tpmuludq\t%mm0,%mm2\n\tleal\t4(%edx),%edx\n\tpaddq\t%mm3,%mm1\n\tpaddq\t%mm2,%mm1\n\tmovd\t%mm1,(%eax)\n\tsubl\t$1,%ecx\n\tpsrlq\t$32,%mm1\n\tleal\t4(%eax),%eax\n\tjnz\t.L003maw_sse2_loop\n.L002maw_sse2_exit:\n\tmovd\t%mm1,%eax\n\temms\n\tret\n\tpopl\t%edi\n\tpopl\t%esi\n\tpopl\t%ebx\n\tpopl\t%ebp\n\tret\n.size\tbn_mul_add_words,.-.L_bn_mul_add_words_begin\n.globl\tbn_mul_words\n.hidden\tbn_mul_words\n.type\tbn_mul_words,@function\n.align\t16\nbn_mul_words:\n.L_bn_mul_words_begin:\n\tmovl\t4(%esp),%eax\n\tmovl\t8(%esp),%edx\n\tmovl\t12(%esp),%ecx\n\tmovd\t16(%esp),%mm0\n\tpxor\t%mm1,%mm1\n.align\t16\n.L004mw_sse2_loop:\n\tmovd\t(%edx),%mm2\n\tpmuludq\t%mm0,%mm2\n\tleal\t4(%edx),%edx\n\tpaddq\t%mm2,%mm1\n\tmovd\t%mm1,(%eax)\n\tsubl\t$1,%ecx\n\tpsrlq\t$32,%mm1\n\tleal\t4(%eax),%eax\n\tjnz\t.L004mw_sse2_loop\n\tmovd\t%mm1,%eax\n\temms\n\tret\n\tpopl\t%edi\n\tpopl\t%esi\n\tpopl\t%ebx\n\tpopl\t%ebp\n\tret\n.size\tbn_mul_words,.-.L_bn_mul_words_begin\n.globl\tbn_sqr_words\n.hidden\tbn_sqr_words\n.type\tbn_sqr_words,@function\n.align\t16\nbn_sqr_words:\n.L_bn_sqr_words_begin:\n\tmovl\t4(%esp),%eax\n\tmovl\t8(%esp),%edx\n\tmovl\t12(%esp),%ecx\n.align\t16\n.L005sqr_sse2_loop:\n\tmovd\t(%edx),%mm0\n\tpmuludq\t%mm0,%mm0\n\tleal\t4(%edx),%edx\n\tmovq\t%mm0,(%eax)\n\tsubl\t$1,%ecx\n\tleal\t8(%eax),%eax\n\tjnz\t.L005sqr_sse2_loop\n\temms\n\tret\n\tpopl\t%edi\n\tpopl\t%esi\n\tpopl\t%ebx\n\tpopl\t%ebp\n\tret\n.size\tbn_sqr_words,.-.L_bn_sqr_words_begin\n.globl\tbn_div_words\n.hidden\tbn_div_words\n.type\tbn_div_words,@function\n.align\t16\nbn_div_words:\n.L_bn_div_words_begin:\n\tmovl\t4(%esp),%edx\n\tmovl\t8(%esp),%eax\n\tmovl\t12(%esp),%ecx\n\tdivl\t%ecx\n\tret\n.size\tbn_div_words,.-.L_bn_div_words_begin\n.globl\tbn_add_words\n.hidden\tbn_add_words\n.type\tbn_add_words,@function\n.align\t16\nbn_add_words:\n.L_bn_add_words_begin:\n\tpushl\t%ebp\n\tpushl\t%ebx\n\tpushl\t%esi\n\tpushl\t%edi\n\n\tmovl\t20(%esp),%ebx\n\tmovl\t24(%esp),%esi\n\tmovl\t28(%esp),%edi\n\tmovl\t32(%esp),%ebp\n\txorl\t%eax,%eax\n\tandl\t$4294967288,%ebp\n\tjz\t.L006aw_finish\n.L007aw_loop:\n\n\tmovl\t(%esi),%ecx\n\tmovl\t(%edi),%edx\n\taddl\t%eax,%ecx\n\tmovl\t$0,%eax\n\tadcl\t%eax,%eax\n\taddl\t%edx,%ecx\n\tadcl\t$0,%eax\n\tmovl\t%ecx,(%ebx)\n\n\tmovl\t4(%esi),%ecx\n\tmovl\t4(%edi),%edx\n\taddl\t%eax,%ecx\n\tmovl\t$0,%eax\n\tadcl\t%eax,%eax\n\taddl\t%edx,%ecx\n\tadcl\t$0,%eax\n\tmovl\t%ecx,4(%ebx)\n\n\tmovl\t8(%esi),%ecx\n\tmovl\t8(%edi),%edx\n\taddl\t%eax,%ecx\n\tmovl\t$0,%eax\n\tadcl\t%eax,%eax\n\taddl\t%edx,%ecx\n\tadcl\t$0,%eax\n\tmovl\t%ecx,8(%ebx)\n\n\tmovl\t12(%esi),%ecx\n\tmovl\t12(%edi),%edx\n\taddl\t%eax,%ecx\n\tmovl\t$0,%eax\n\tadcl\t%eax,%eax\n\taddl\t%edx,%ecx\n\tadcl\t$0,%eax\n\tmovl\t%ecx,12(%ebx)\n\n\tmovl\t16(%esi),%ecx\n\tmovl\t16(%edi),%edx\n\taddl\t%eax,%ecx\n\tmovl\t$0,%eax\n\tadcl\t%eax,%eax\n\taddl\t%edx,%ecx\n\tadcl\t$0,%eax\n\tmovl\t%ecx,16(%ebx)\n\n\tmovl\t20(%esi),%ecx\n\tmovl\t20(%edi),%edx\n\taddl\t%eax,%ecx\n\tmovl\t$0,%eax\n\tadcl\t%eax,%eax\n\taddl\t%edx,%ecx\n\tadcl\t$0,%eax\n\tmovl\t%ecx,20(%ebx)\n\n\tmovl\t24(%esi),%ecx\n\tmovl\t24(%edi),%edx\n\taddl\t%eax,%ecx\n\tmovl\t$0,%eax\n\tadcl\t%eax,%eax\n\taddl\t%edx,%ecx\n\tadcl\t$0,%eax\n\tmovl\t%ecx,24(%ebx)\n\n\tmovl\t28(%esi),%ecx\n\tmovl\t28(%edi),%edx\n\taddl\t%eax,%ecx\n\tmovl\t$0,%eax\n\tadcl\t%eax,%eax\n\taddl\t%edx,%ecx\n\tadcl\t$0,%eax\n\tmovl\t%ecx,28(%ebx)\n\n\taddl\t$32,%esi\n\taddl\t$32,%edi\n\taddl\t$32,%ebx\n\tsubl\t$8,%ebp\n\tjnz\t.L007aw_loop\n.L006aw_finish:\n\tmovl\t32(%esp),%ebp\n\tandl\t$7,%ebp\n\tjz\t.L008aw_end\n\n\tmovl\t(%esi),%ecx\n\tmovl\t(%edi),%edx\n\taddl\t%eax,%ecx\n\tmovl\t$0,%eax\n\tadcl\t%eax,%eax\n\taddl\t%edx,%ecx\n\tadcl\t$0,%eax\n\tdecl\t%ebp\n\tmovl\t%ecx,(%ebx)\n\tjz\t.L008aw_end\n\n\tmovl\t4(%esi),%ecx\n\tmovl\t4(%edi),%edx\n\taddl\t%eax,%ecx\n\tmovl\t$0,%eax\n\tadcl\t%eax,%eax\n\taddl\t%edx,%ecx\n\tadcl\t$0,%eax\n\tdecl\t%ebp\n\tmovl\t%ecx,4(%ebx)\n\tjz\t.L008aw_end\n\n\tmovl\t8(%esi),%ecx\n\tmovl\t8(%edi),%edx\n\taddl\t%eax,%ecx\n\tmovl\t$0,%eax\n\tadcl\t%eax,%eax\n\taddl\t%edx,%ecx\n\tadcl\t$0,%eax\n\tdecl\t%ebp\n\tmovl\t%ecx,8(%ebx)\n\tjz\t.L008aw_end\n\n\tmovl\t12(%esi),%ecx\n\tmovl\t12(%edi),%edx\n\taddl\t%eax,%ecx\n\tmovl\t$0,%eax\n\tadcl\t%eax,%eax\n\taddl\t%edx,%ecx\n\tadcl\t$0,%eax\n\tdecl\t%ebp\n\tmovl\t%ecx,12(%ebx)\n\tjz\t.L008aw_end\n\n\tmovl\t16(%esi),%ecx\n\tmovl\t16(%edi),%edx\n\taddl\t%eax,%ecx\n\tmovl\t$0,%eax\n\tadcl\t%eax,%eax\n\taddl\t%edx,%ecx\n\tadcl\t$0,%eax\n\tdecl\t%ebp\n\tmovl\t%ecx,16(%ebx)\n\tjz\t.L008aw_end\n\n\tmovl\t20(%esi),%ecx\n\tmovl\t20(%edi),%edx\n\taddl\t%eax,%ecx\n\tmovl\t$0,%eax\n\tadcl\t%eax,%eax\n\taddl\t%edx,%ecx\n\tadcl\t$0,%eax\n\tdecl\t%ebp\n\tmovl\t%ecx,20(%ebx)\n\tjz\t.L008aw_end\n\n\tmovl\t24(%esi),%ecx\n\tmovl\t24(%edi),%edx\n\taddl\t%eax,%ecx\n\tmovl\t$0,%eax\n\tadcl\t%eax,%eax\n\taddl\t%edx,%ecx\n\tadcl\t$0,%eax\n\tmovl\t%ecx,24(%ebx)\n.L008aw_end:\n\tpopl\t%edi\n\tpopl\t%esi\n\tpopl\t%ebx\n\tpopl\t%ebp\n\tret\n.size\tbn_add_words,.-.L_bn_add_words_begin\n.globl\tbn_sub_words\n.hidden\tbn_sub_words\n.type\tbn_sub_words,@function\n.align\t16\nbn_sub_words:\n.L_bn_sub_words_begin:\n\tpushl\t%ebp\n\tpushl\t%ebx\n\tpushl\t%esi\n\tpushl\t%edi\n\n\tmovl\t20(%esp),%ebx\n\tmovl\t24(%esp),%esi\n\tmovl\t28(%esp),%edi\n\tmovl\t32(%esp),%ebp\n\txorl\t%eax,%eax\n\tandl\t$4294967288,%ebp\n\tjz\t.L009aw_finish\n.L010aw_loop:\n\n\tmovl\t(%esi),%ecx\n\tmovl\t(%edi),%edx\n\tsubl\t%eax,%ecx\n\tmovl\t$0,%eax\n\tadcl\t%eax,%eax\n\tsubl\t%edx,%ecx\n\tadcl\t$0,%eax\n\tmovl\t%ecx,(%ebx)\n\n\tmovl\t4(%esi),%ecx\n\tmovl\t4(%edi),%edx\n\tsubl\t%eax,%ecx\n\tmovl\t$0,%eax\n\tadcl\t%eax,%eax\n\tsubl\t%edx,%ecx\n\tadcl\t$0,%eax\n\tmovl\t%ecx,4(%ebx)\n\n\tmovl\t8(%esi),%ecx\n\tmovl\t8(%edi),%edx\n\tsubl\t%eax,%ecx\n\tmovl\t$0,%eax\n\tadcl\t%eax,%eax\n\tsubl\t%edx,%ecx\n\tadcl\t$0,%eax\n\tmovl\t%ecx,8(%ebx)\n\n\tmovl\t12(%esi),%ecx\n\tmovl\t12(%edi),%edx\n\tsubl\t%eax,%ecx\n\tmovl\t$0,%eax\n\tadcl\t%eax,%eax\n\tsubl\t%edx,%ecx\n\tadcl\t$0,%eax\n\tmovl\t%ecx,12(%ebx)\n\n\tmovl\t16(%esi),%ecx\n\tmovl\t16(%edi),%edx\n\tsubl\t%eax,%ecx\n\tmovl\t$0,%eax\n\tadcl\t%eax,%eax\n\tsubl\t%edx,%ecx\n\tadcl\t$0,%eax\n\tmovl\t%ecx,16(%ebx)\n\n\tmovl\t20(%esi),%ecx\n\tmovl\t20(%edi),%edx\n\tsubl\t%eax,%ecx\n\tmovl\t$0,%eax\n\tadcl\t%eax,%eax\n\tsubl\t%edx,%ecx\n\tadcl\t$0,%eax\n\tmovl\t%ecx,20(%ebx)\n\n\tmovl\t24(%esi),%ecx\n\tmovl\t24(%edi),%edx\n\tsubl\t%eax,%ecx\n\tmovl\t$0,%eax\n\tadcl\t%eax,%eax\n\tsubl\t%edx,%ecx\n\tadcl\t$0,%eax\n\tmovl\t%ecx,24(%ebx)\n\n\tmovl\t28(%esi),%ecx\n\tmovl\t28(%edi),%edx\n\tsubl\t%eax,%ecx\n\tmovl\t$0,%eax\n\tadcl\t%eax,%eax\n\tsubl\t%edx,%ecx\n\tadcl\t$0,%eax\n\tmovl\t%ecx,28(%ebx)\n\n\taddl\t$32,%esi\n\taddl\t$32,%edi\n\taddl\t$32,%ebx\n\tsubl\t$8,%ebp\n\tjnz\t.L010aw_loop\n.L009aw_finish:\n\tmovl\t32(%esp),%ebp\n\tandl\t$7,%ebp\n\tjz\t.L011aw_end\n\n\tmovl\t(%esi),%ecx\n\tmovl\t(%edi),%edx\n\tsubl\t%eax,%ecx\n\tmovl\t$0,%eax\n\tadcl\t%eax,%eax\n\tsubl\t%edx,%ecx\n\tadcl\t$0,%eax\n\tdecl\t%ebp\n\tmovl\t%ecx,(%ebx)\n\tjz\t.L011aw_end\n\n\tmovl\t4(%esi),%ecx\n\tmovl\t4(%edi),%edx\n\tsubl\t%eax,%ecx\n\tmovl\t$0,%eax\n\tadcl\t%eax,%eax\n\tsubl\t%edx,%ecx\n\tadcl\t$0,%eax\n\tdecl\t%ebp\n\tmovl\t%ecx,4(%ebx)\n\tjz\t.L011aw_end\n\n\tmovl\t8(%esi),%ecx\n\tmovl\t8(%edi),%edx\n\tsubl\t%eax,%ecx\n\tmovl\t$0,%eax\n\tadcl\t%eax,%eax\n\tsubl\t%edx,%ecx\n\tadcl\t$0,%eax\n\tdecl\t%ebp\n\tmovl\t%ecx,8(%ebx)\n\tjz\t.L011aw_end\n\n\tmovl\t12(%esi),%ecx\n\tmovl\t12(%edi),%edx\n\tsubl\t%eax,%ecx\n\tmovl\t$0,%eax\n\tadcl\t%eax,%eax\n\tsubl\t%edx,%ecx\n\tadcl\t$0,%eax\n\tdecl\t%ebp\n\tmovl\t%ecx,12(%ebx)\n\tjz\t.L011aw_end\n\n\tmovl\t16(%esi),%ecx\n\tmovl\t16(%edi),%edx\n\tsubl\t%eax,%ecx\n\tmovl\t$0,%eax\n\tadcl\t%eax,%eax\n\tsubl\t%edx,%ecx\n\tadcl\t$0,%eax\n\tdecl\t%ebp\n\tmovl\t%ecx,16(%ebx)\n\tjz\t.L011aw_end\n\n\tmovl\t20(%esi),%ecx\n\tmovl\t20(%edi),%edx\n\tsubl\t%eax,%ecx\n\tmovl\t$0,%eax\n\tadcl\t%eax,%eax\n\tsubl\t%edx,%ecx\n\tadcl\t$0,%eax\n\tdecl\t%ebp\n\tmovl\t%ecx,20(%ebx)\n\tjz\t.L011aw_end\n\n\tmovl\t24(%esi),%ecx\n\tmovl\t24(%edi),%edx\n\tsubl\t%eax,%ecx\n\tmovl\t$0,%eax\n\tadcl\t%eax,%eax\n\tsubl\t%edx,%ecx\n\tadcl\t$0,%eax\n\tmovl\t%ecx,24(%ebx)\n.L011aw_end:\n\tpopl\t%edi\n\tpopl\t%esi\n\tpopl\t%ebx\n\tpopl\t%ebp\n\tret\n.size\tbn_sub_words,.-.L_bn_sub_words_begin\n#endif // !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86) && defined(__ELF__)\n#if defined(__linux__) && defined(__ELF__)\n.section .note.GNU-stack,\"\",%progbits\n#endif\n\n" }, { "path": "Sources/CNIOBoringSSL/gen/bcm/bn-armv8-apple.S", "content": "#define BORINGSSL_PREFIX CNIOBoringSSL\n// This file is generated from a similarly-named Perl script in the BoringSSL\n// source tree. Do not edit by hand.\n\n#include \n\n#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_AARCH64) && defined(__APPLE__)\n#include \n\n.text\n\n// BN_ULONG bn_add_words(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp,\n// size_t num);\n\n.globl\t_bn_add_words\n.private_extern\t_bn_add_words\n.align\t4\n_bn_add_words:\n\tAARCH64_VALID_CALL_TARGET\n\t# Clear the carry flag.\n\tcmn\txzr, xzr\n\n\t# aarch64 can load two registers at a time, so we do two loop iterations at\n\t# at a time. Split x3 = 2 * x8 + x3. This allows loop\n\t# operations to use CBNZ without clobbering the carry flag.\n\tlsr\tx8, x3, #1\n\tand\tx3, x3, #1\n\n\tcbz\tx8, Ladd_tail\nLadd_loop:\n\tldp\tx4, x5, [x1], #16\n\tldp\tx6, x7, [x2], #16\n\tsub\tx8, x8, #1\n\tadcs\tx4, x4, x6\n\tadcs\tx5, x5, x7\n\tstp\tx4, x5, [x0], #16\n\tcbnz\tx8, Ladd_loop\n\nLadd_tail:\n\tcbz\tx3, Ladd_exit\n\tldr\tx4, [x1], #8\n\tldr\tx6, [x2], #8\n\tadcs\tx4, x4, x6\n\tstr\tx4, [x0], #8\n\nLadd_exit:\n\tcset\tx0, cs\n\tret\n\n\n// BN_ULONG bn_sub_words(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp,\n// size_t num);\n\n.globl\t_bn_sub_words\n.private_extern\t_bn_sub_words\n.align\t4\n_bn_sub_words:\n\tAARCH64_VALID_CALL_TARGET\n\t# Set the carry flag. Arm's borrow bit is flipped from the carry flag,\n\t# so we want C = 1 here.\n\tcmp\txzr, xzr\n\n\t# aarch64 can load two registers at a time, so we do two loop iterations at\n\t# at a time. Split x3 = 2 * x8 + x3. This allows loop\n\t# operations to use CBNZ without clobbering the carry flag.\n\tlsr\tx8, x3, #1\n\tand\tx3, x3, #1\n\n\tcbz\tx8, Lsub_tail\nLsub_loop:\n\tldp\tx4, x5, [x1], #16\n\tldp\tx6, x7, [x2], #16\n\tsub\tx8, x8, #1\n\tsbcs\tx4, x4, x6\n\tsbcs\tx5, x5, x7\n\tstp\tx4, x5, [x0], #16\n\tcbnz\tx8, Lsub_loop\n\nLsub_tail:\n\tcbz\tx3, Lsub_exit\n\tldr\tx4, [x1], #8\n\tldr\tx6, [x2], #8\n\tsbcs\tx4, x4, x6\n\tstr\tx4, [x0], #8\n\nLsub_exit:\n\tcset\tx0, cc\n\tret\n\n#endif // !OPENSSL_NO_ASM && defined(OPENSSL_AARCH64) && defined(__APPLE__)\n#if defined(__linux__) && defined(__ELF__)\n.section .note.GNU-stack,\"\",%progbits\n#endif\n\n" }, { "path": "Sources/CNIOBoringSSL/gen/bcm/bn-armv8-linux.S", "content": "#define BORINGSSL_PREFIX CNIOBoringSSL\n// This file is generated from a similarly-named Perl script in the BoringSSL\n// source tree. Do not edit by hand.\n\n#include \n\n#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_AARCH64) && defined(__ELF__)\n#include \n\n.text\n\n// BN_ULONG bn_add_words(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp,\n// size_t num);\n.type\tbn_add_words, %function\n.globl\tbn_add_words\n.hidden\tbn_add_words\n.align\t4\nbn_add_words:\n\tAARCH64_VALID_CALL_TARGET\n\t# Clear the carry flag.\n\tcmn\txzr, xzr\n\n\t# aarch64 can load two registers at a time, so we do two loop iterations at\n\t# at a time. Split x3 = 2 * x8 + x3. This allows loop\n\t# operations to use CBNZ without clobbering the carry flag.\n\tlsr\tx8, x3, #1\n\tand\tx3, x3, #1\n\n\tcbz\tx8, .Ladd_tail\n.Ladd_loop:\n\tldp\tx4, x5, [x1], #16\n\tldp\tx6, x7, [x2], #16\n\tsub\tx8, x8, #1\n\tadcs\tx4, x4, x6\n\tadcs\tx5, x5, x7\n\tstp\tx4, x5, [x0], #16\n\tcbnz\tx8, .Ladd_loop\n\n.Ladd_tail:\n\tcbz\tx3, .Ladd_exit\n\tldr\tx4, [x1], #8\n\tldr\tx6, [x2], #8\n\tadcs\tx4, x4, x6\n\tstr\tx4, [x0], #8\n\n.Ladd_exit:\n\tcset\tx0, cs\n\tret\n.size\tbn_add_words,.-bn_add_words\n\n// BN_ULONG bn_sub_words(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp,\n// size_t num);\n.type\tbn_sub_words, %function\n.globl\tbn_sub_words\n.hidden\tbn_sub_words\n.align\t4\nbn_sub_words:\n\tAARCH64_VALID_CALL_TARGET\n\t# Set the carry flag. Arm's borrow bit is flipped from the carry flag,\n\t# so we want C = 1 here.\n\tcmp\txzr, xzr\n\n\t# aarch64 can load two registers at a time, so we do two loop iterations at\n\t# at a time. Split x3 = 2 * x8 + x3. This allows loop\n\t# operations to use CBNZ without clobbering the carry flag.\n\tlsr\tx8, x3, #1\n\tand\tx3, x3, #1\n\n\tcbz\tx8, .Lsub_tail\n.Lsub_loop:\n\tldp\tx4, x5, [x1], #16\n\tldp\tx6, x7, [x2], #16\n\tsub\tx8, x8, #1\n\tsbcs\tx4, x4, x6\n\tsbcs\tx5, x5, x7\n\tstp\tx4, x5, [x0], #16\n\tcbnz\tx8, .Lsub_loop\n\n.Lsub_tail:\n\tcbz\tx3, .Lsub_exit\n\tldr\tx4, [x1], #8\n\tldr\tx6, [x2], #8\n\tsbcs\tx4, x4, x6\n\tstr\tx4, [x0], #8\n\n.Lsub_exit:\n\tcset\tx0, cc\n\tret\n.size\tbn_sub_words,.-bn_sub_words\n#endif // !OPENSSL_NO_ASM && defined(OPENSSL_AARCH64) && defined(__ELF__)\n#if defined(__linux__) && defined(__ELF__)\n.section .note.GNU-stack,\"\",%progbits\n#endif\n\n" }, { "path": "Sources/CNIOBoringSSL/gen/bcm/bn-armv8-win.S", "content": "#define BORINGSSL_PREFIX CNIOBoringSSL\n// This file is generated from a similarly-named Perl script in the BoringSSL\n// source tree. Do not edit by hand.\n\n#include \n\n#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_AARCH64) && defined(_WIN32)\n#include \n\n.text\n\n// BN_ULONG bn_add_words(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp,\n// size_t num);\n\n.globl\tbn_add_words\n\n.align\t4\nbn_add_words:\n\tAARCH64_VALID_CALL_TARGET\n\t# Clear the carry flag.\n\tcmn\txzr, xzr\n\n\t# aarch64 can load two registers at a time, so we do two loop iterations at\n\t# at a time. Split x3 = 2 * x8 + x3. This allows loop\n\t# operations to use CBNZ without clobbering the carry flag.\n\tlsr\tx8, x3, #1\n\tand\tx3, x3, #1\n\n\tcbz\tx8, Ladd_tail\nLadd_loop:\n\tldp\tx4, x5, [x1], #16\n\tldp\tx6, x7, [x2], #16\n\tsub\tx8, x8, #1\n\tadcs\tx4, x4, x6\n\tadcs\tx5, x5, x7\n\tstp\tx4, x5, [x0], #16\n\tcbnz\tx8, Ladd_loop\n\nLadd_tail:\n\tcbz\tx3, Ladd_exit\n\tldr\tx4, [x1], #8\n\tldr\tx6, [x2], #8\n\tadcs\tx4, x4, x6\n\tstr\tx4, [x0], #8\n\nLadd_exit:\n\tcset\tx0, cs\n\tret\n\n\n// BN_ULONG bn_sub_words(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp,\n// size_t num);\n\n.globl\tbn_sub_words\n\n.align\t4\nbn_sub_words:\n\tAARCH64_VALID_CALL_TARGET\n\t# Set the carry flag. Arm's borrow bit is flipped from the carry flag,\n\t# so we want C = 1 here.\n\tcmp\txzr, xzr\n\n\t# aarch64 can load two registers at a time, so we do two loop iterations at\n\t# at a time. Split x3 = 2 * x8 + x3. This allows loop\n\t# operations to use CBNZ without clobbering the carry flag.\n\tlsr\tx8, x3, #1\n\tand\tx3, x3, #1\n\n\tcbz\tx8, Lsub_tail\nLsub_loop:\n\tldp\tx4, x5, [x1], #16\n\tldp\tx6, x7, [x2], #16\n\tsub\tx8, x8, #1\n\tsbcs\tx4, x4, x6\n\tsbcs\tx5, x5, x7\n\tstp\tx4, x5, [x0], #16\n\tcbnz\tx8, Lsub_loop\n\nLsub_tail:\n\tcbz\tx3, Lsub_exit\n\tldr\tx4, [x1], #8\n\tldr\tx6, [x2], #8\n\tsbcs\tx4, x4, x6\n\tstr\tx4, [x0], #8\n\nLsub_exit:\n\tcset\tx0, cc\n\tret\n\n#endif // !OPENSSL_NO_ASM && defined(OPENSSL_AARCH64) && defined(_WIN32)\n#if defined(__linux__) && defined(__ELF__)\n.section .note.GNU-stack,\"\",%progbits\n#endif\n\n" }, { "path": "Sources/CNIOBoringSSL/gen/bcm/bsaes-armv7-linux.S", "content": "#define BORINGSSL_PREFIX CNIOBoringSSL\n// This file is generated from a similarly-named Perl script in the BoringSSL\n// source tree. Do not edit by hand.\n\n#include \n\n#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_ARM) && defined(__ELF__)\n@ Copyright 2012-2016 The OpenSSL Project Authors. All Rights Reserved.\n@\n@ Licensed under the OpenSSL license (the \"License\"). You may not use\n@ this file except in compliance with the License. You can obtain a copy\n@ in the file LICENSE in the source distribution or at\n@ https://www.openssl.org/source/license.html\n\n\n@ ====================================================================\n@ Written by Andy Polyakov for the OpenSSL\n@ project. The module is, however, dual licensed under OpenSSL and\n@ CRYPTOGAMS licenses depending on where you obtain it. For further\n@ details see http://www.openssl.org/~appro/cryptogams/.\n@\n@ Specific modes and adaptation for Linux kernel by Ard Biesheuvel\n@ of Linaro. Permission to use under GPL terms is granted.\n@ ====================================================================\n\n@ Bit-sliced AES for ARM NEON\n@\n@ February 2012.\n@\n@ This implementation is direct adaptation of bsaes-x86_64 module for\n@ ARM NEON. Except that this module is endian-neutral [in sense that\n@ it can be compiled for either endianness] by courtesy of vld1.8's\n@ neutrality. Initial version doesn't implement interface to OpenSSL,\n@ only low-level primitives and unsupported entry points, just enough\n@ to collect performance results, which for Cortex-A8 core are:\n@\n@ encrypt\t19.5 cycles per byte processed with 128-bit key\n@ decrypt\t22.1 cycles per byte processed with 128-bit key\n@ key conv.\t440 cycles per 128-bit key/0.18 of 8x block\n@\n@ Snapdragon S4 encrypts byte in 17.6 cycles and decrypts in 19.7,\n@ which is [much] worse than anticipated (for further details see\n@ http://www.openssl.org/~appro/Snapdragon-S4.html).\n@\n@ Cortex-A15 manages in 14.2/16.1 cycles [when integer-only code\n@ manages in 20.0 cycles].\n@\n@ When comparing to x86_64 results keep in mind that NEON unit is\n@ [mostly] single-issue and thus can't [fully] benefit from\n@ instruction-level parallelism. And when comparing to aes-armv4\n@ results keep in mind key schedule conversion overhead (see\n@ bsaes-x86_64.pl for further details)...\n@\n@\t\t\t\t\t\t\n\n@ April-August 2013\n@ Add CBC, CTR and XTS subroutines and adapt for kernel use; courtesy of Ard.\n\n#ifndef __KERNEL__\n# include \n\n# define VFP_ABI_PUSH\tvstmdb\tsp!,{d8-d15}\n# define VFP_ABI_POP\tvldmia\tsp!,{d8-d15}\n# define VFP_ABI_FRAME\t0x40\n#else\n# define VFP_ABI_PUSH\n# define VFP_ABI_POP\n# define VFP_ABI_FRAME\t0\n# define BSAES_ASM_EXTENDED_KEY\n# define XTS_CHAIN_TWEAK\n# define __ARM_MAX_ARCH__ 7\n#endif\n\n#ifdef __thumb__\n# define adrl adr\n#endif\n\n#if __ARM_MAX_ARCH__>=7\n.arch\tarmv7-a\n.fpu\tneon\n\n.text\n.syntax\tunified \t@ ARMv7-capable assembler is expected to handle this\n#if defined(__thumb2__) && !defined(__APPLE__)\n.thumb\n#else\n.code\t32\n# undef __thumb2__\n#endif\n\n.type\t_bsaes_decrypt8,%function\n.align\t4\n_bsaes_decrypt8:\n\tadr\tr6,.\n\tvldmia\tr4!, {q9}\t\t@ round 0 key\n#if defined(__thumb2__) || defined(__APPLE__)\n\tadr\tr6,.LM0ISR\n#else\n\tadd\tr6,r6,#.LM0ISR-_bsaes_decrypt8\n#endif\n\n\tvldmia\tr6!, {q8}\t\t@ .LM0ISR\n\tveor\tq10, q0, q9\t@ xor with round0 key\n\tveor\tq11, q1, q9\n\tvtbl.8\td0, {q10}, d16\n\tvtbl.8\td1, {q10}, d17\n\tveor\tq12, q2, q9\n\tvtbl.8\td2, {q11}, d16\n\tvtbl.8\td3, {q11}, d17\n\tveor\tq13, q3, q9\n\tvtbl.8\td4, {q12}, d16\n\tvtbl.8\td5, {q12}, d17\n\tveor\tq14, q4, q9\n\tvtbl.8\td6, {q13}, d16\n\tvtbl.8\td7, {q13}, d17\n\tveor\tq15, q5, q9\n\tvtbl.8\td8, {q14}, d16\n\tvtbl.8\td9, {q14}, d17\n\tveor\tq10, q6, q9\n\tvtbl.8\td10, {q15}, d16\n\tvtbl.8\td11, {q15}, d17\n\tveor\tq11, q7, q9\n\tvtbl.8\td12, {q10}, d16\n\tvtbl.8\td13, {q10}, d17\n\tvtbl.8\td14, {q11}, d16\n\tvtbl.8\td15, {q11}, d17\n\tvmov.i8\tq8,#0x55\t\t\t@ compose .LBS0\n\tvmov.i8\tq9,#0x33\t\t\t@ compose .LBS1\n\tvshr.u64\tq10, q6, #1\n\tvshr.u64\tq11, q4, #1\n\tveor\tq10, q10, q7\n\tveor\tq11, q11, q5\n\tvand\tq10, q10, q8\n\tvand\tq11, q11, q8\n\tveor\tq7, q7, q10\n\tvshl.u64\tq10, q10, #1\n\tveor\tq5, q5, q11\n\tvshl.u64\tq11, q11, #1\n\tveor\tq6, q6, q10\n\tveor\tq4, q4, q11\n\tvshr.u64\tq10, q2, #1\n\tvshr.u64\tq11, q0, #1\n\tveor\tq10, q10, q3\n\tveor\tq11, q11, q1\n\tvand\tq10, q10, q8\n\tvand\tq11, q11, q8\n\tveor\tq3, q3, q10\n\tvshl.u64\tq10, q10, #1\n\tveor\tq1, q1, q11\n\tvshl.u64\tq11, q11, #1\n\tveor\tq2, q2, q10\n\tveor\tq0, q0, q11\n\tvmov.i8\tq8,#0x0f\t\t\t@ compose .LBS2\n\tvshr.u64\tq10, q5, #2\n\tvshr.u64\tq11, q4, #2\n\tveor\tq10, q10, q7\n\tveor\tq11, q11, q6\n\tvand\tq10, q10, q9\n\tvand\tq11, q11, q9\n\tveor\tq7, q7, q10\n\tvshl.u64\tq10, q10, #2\n\tveor\tq6, q6, q11\n\tvshl.u64\tq11, q11, #2\n\tveor\tq5, q5, q10\n\tveor\tq4, q4, q11\n\tvshr.u64\tq10, q1, #2\n\tvshr.u64\tq11, q0, #2\n\tveor\tq10, q10, q3\n\tveor\tq11, q11, q2\n\tvand\tq10, q10, q9\n\tvand\tq11, q11, q9\n\tveor\tq3, q3, q10\n\tvshl.u64\tq10, q10, #2\n\tveor\tq2, q2, q11\n\tvshl.u64\tq11, q11, #2\n\tveor\tq1, q1, q10\n\tveor\tq0, q0, q11\n\tvshr.u64\tq10, q3, #4\n\tvshr.u64\tq11, q2, #4\n\tveor\tq10, q10, q7\n\tveor\tq11, q11, q6\n\tvand\tq10, q10, q8\n\tvand\tq11, q11, q8\n\tveor\tq7, q7, q10\n\tvshl.u64\tq10, q10, #4\n\tveor\tq6, q6, q11\n\tvshl.u64\tq11, q11, #4\n\tveor\tq3, q3, q10\n\tveor\tq2, q2, q11\n\tvshr.u64\tq10, q1, #4\n\tvshr.u64\tq11, q0, #4\n\tveor\tq10, q10, q5\n\tveor\tq11, q11, q4\n\tvand\tq10, q10, q8\n\tvand\tq11, q11, q8\n\tveor\tq5, q5, q10\n\tvshl.u64\tq10, q10, #4\n\tveor\tq4, q4, q11\n\tvshl.u64\tq11, q11, #4\n\tveor\tq1, q1, q10\n\tveor\tq0, q0, q11\n\tsub\tr5,r5,#1\n\tb\t.Ldec_sbox\n.align\t4\n.Ldec_loop:\n\tvldmia\tr4!, {q8,q9,q10,q11}\n\tveor\tq8, q8, q0\n\tveor\tq9, q9, q1\n\tvtbl.8\td0, {q8}, d24\n\tvtbl.8\td1, {q8}, d25\n\tvldmia\tr4!, {q8}\n\tveor\tq10, q10, q2\n\tvtbl.8\td2, {q9}, d24\n\tvtbl.8\td3, {q9}, d25\n\tvldmia\tr4!, {q9}\n\tveor\tq11, q11, q3\n\tvtbl.8\td4, {q10}, d24\n\tvtbl.8\td5, {q10}, d25\n\tvldmia\tr4!, {q10}\n\tvtbl.8\td6, {q11}, d24\n\tvtbl.8\td7, {q11}, d25\n\tvldmia\tr4!, {q11}\n\tveor\tq8, q8, q4\n\tveor\tq9, q9, q5\n\tvtbl.8\td8, {q8}, d24\n\tvtbl.8\td9, {q8}, d25\n\tveor\tq10, q10, q6\n\tvtbl.8\td10, {q9}, d24\n\tvtbl.8\td11, {q9}, d25\n\tveor\tq11, q11, q7\n\tvtbl.8\td12, {q10}, d24\n\tvtbl.8\td13, {q10}, d25\n\tvtbl.8\td14, {q11}, d24\n\tvtbl.8\td15, {q11}, d25\n.Ldec_sbox:\n\tveor\tq1, q1, q4\n\tveor\tq3, q3, q4\n\n\tveor\tq4, q4, q7\n\tveor\tq1, q1, q6\n\tveor\tq2, q2, q7\n\tveor\tq6, q6, q4\n\n\tveor\tq0, q0, q1\n\tveor\tq2, q2, q5\n\tveor\tq7, q7, q6\n\tveor\tq3, q3, q0\n\tveor\tq5, q5, q0\n\tveor\tq1, q1, q3\n\tveor\tq11, q3, q0\n\tveor\tq10, q7, q4\n\tveor\tq9, q1, q6\n\tveor\tq13, q4, q0\n\tvmov\tq8, q10\n\tveor\tq12, q5, q2\n\n\tvorr\tq10, q10, q9\n\tveor\tq15, q11, q8\n\tvand\tq14, q11, q12\n\tvorr\tq11, q11, q12\n\tveor\tq12, q12, q9\n\tvand\tq8, q8, q9\n\tveor\tq9, q6, q2\n\tvand\tq15, q15, q12\n\tvand\tq13, q13, q9\n\tveor\tq9, q3, q7\n\tveor\tq12, q1, q5\n\tveor\tq11, q11, q13\n\tveor\tq10, q10, q13\n\tvand\tq13, q9, q12\n\tvorr\tq9, q9, q12\n\tveor\tq11, q11, q15\n\tveor\tq8, q8, q13\n\tveor\tq10, q10, q14\n\tveor\tq9, q9, q15\n\tveor\tq8, q8, q14\n\tvand\tq12, q4, q6\n\tveor\tq9, q9, q14\n\tvand\tq13, q0, q2\n\tvand\tq14, q7, q1\n\tvorr\tq15, q3, q5\n\tveor\tq11, q11, q12\n\tveor\tq9, q9, q14\n\tveor\tq8, q8, q15\n\tveor\tq10, q10, q13\n\n\t@ Inv_GF16 \t0, \t1, \t2, \t3, s0, s1, s2, s3\n\n\t@ new smaller inversion\n\n\tvand\tq14, q11, q9\n\tvmov\tq12, q8\n\n\tveor\tq13, q10, q14\n\tveor\tq15, q8, q14\n\tveor\tq14, q8, q14\t@ q14=q15\n\n\tvbsl\tq13, q9, q8\n\tvbsl\tq15, q11, q10\n\tveor\tq11, q11, q10\n\n\tvbsl\tq12, q13, q14\n\tvbsl\tq8, q14, q13\n\n\tvand\tq14, q12, q15\n\tveor\tq9, q9, q8\n\n\tveor\tq14, q14, q11\n\tveor\tq12, q5, q2\n\tveor\tq8, q1, q6\n\tveor\tq10, q15, q14\n\tvand\tq10, q10, q5\n\tveor\tq5, q5, q1\n\tvand\tq11, q1, q15\n\tvand\tq5, q5, q14\n\tveor\tq1, q11, q10\n\tveor\tq5, q5, q11\n\tveor\tq15, q15, q13\n\tveor\tq14, q14, q9\n\tveor\tq11, q15, q14\n\tveor\tq10, q13, q9\n\tvand\tq11, q11, q12\n\tvand\tq10, q10, q2\n\tveor\tq12, q12, q8\n\tveor\tq2, q2, q6\n\tvand\tq8, q8, q15\n\tvand\tq6, q6, q13\n\tvand\tq12, q12, q14\n\tvand\tq2, q2, q9\n\tveor\tq8, q8, q12\n\tveor\tq2, q2, q6\n\tveor\tq12, q12, q11\n\tveor\tq6, q6, q10\n\tveor\tq5, q5, q12\n\tveor\tq2, q2, q12\n\tveor\tq1, q1, q8\n\tveor\tq6, q6, q8\n\n\tveor\tq12, q3, q0\n\tveor\tq8, q7, q4\n\tveor\tq11, q15, q14\n\tveor\tq10, q13, q9\n\tvand\tq11, q11, q12\n\tvand\tq10, q10, q0\n\tveor\tq12, q12, q8\n\tveor\tq0, q0, q4\n\tvand\tq8, q8, q15\n\tvand\tq4, q4, q13\n\tvand\tq12, q12, q14\n\tvand\tq0, q0, q9\n\tveor\tq8, q8, q12\n\tveor\tq0, q0, q4\n\tveor\tq12, q12, q11\n\tveor\tq4, q4, q10\n\tveor\tq15, q15, q13\n\tveor\tq14, q14, q9\n\tveor\tq10, q15, q14\n\tvand\tq10, q10, q3\n\tveor\tq3, q3, q7\n\tvand\tq11, q7, q15\n\tvand\tq3, q3, q14\n\tveor\tq7, q11, q10\n\tveor\tq3, q3, q11\n\tveor\tq3, q3, q12\n\tveor\tq0, q0, q12\n\tveor\tq7, q7, q8\n\tveor\tq4, q4, q8\n\tveor\tq1, q1, q7\n\tveor\tq6, q6, q5\n\n\tveor\tq4, q4, q1\n\tveor\tq2, q2, q7\n\tveor\tq5, q5, q7\n\tveor\tq4, q4, q2\n\tveor\tq7, q7, q0\n\tveor\tq4, q4, q5\n\tveor\tq3, q3, q6\n\tveor\tq6, q6, q1\n\tveor\tq3, q3, q4\n\n\tveor\tq4, q4, q0\n\tveor\tq7, q7, q3\n\tsubs\tr5,r5,#1\n\tbcc\t.Ldec_done\n\t@ multiplication by 0x05-0x00-0x04-0x00\n\tvext.8\tq8, q0, q0, #8\n\tvext.8\tq14, q3, q3, #8\n\tvext.8\tq15, q5, q5, #8\n\tveor\tq8, q8, q0\n\tvext.8\tq9, q1, q1, #8\n\tveor\tq14, q14, q3\n\tvext.8\tq10, q6, q6, #8\n\tveor\tq15, q15, q5\n\tvext.8\tq11, q4, q4, #8\n\tveor\tq9, q9, q1\n\tvext.8\tq12, q2, q2, #8\n\tveor\tq10, q10, q6\n\tvext.8\tq13, q7, q7, #8\n\tveor\tq11, q11, q4\n\tveor\tq12, q12, q2\n\tveor\tq13, q13, q7\n\n\tveor\tq0, q0, q14\n\tveor\tq1, q1, q14\n\tveor\tq6, q6, q8\n\tveor\tq2, q2, q10\n\tveor\tq4, q4, q9\n\tveor\tq1, q1, q15\n\tveor\tq6, q6, q15\n\tveor\tq2, q2, q14\n\tveor\tq7, q7, q11\n\tveor\tq4, q4, q14\n\tveor\tq3, q3, q12\n\tveor\tq2, q2, q15\n\tveor\tq7, q7, q15\n\tveor\tq5, q5, q13\n\tvext.8\tq8, q0, q0, #12\t@ x0 <<< 32\n\tvext.8\tq9, q1, q1, #12\n\tveor\tq0, q0, q8\t\t@ x0 ^ (x0 <<< 32)\n\tvext.8\tq10, q6, q6, #12\n\tveor\tq1, q1, q9\n\tvext.8\tq11, q4, q4, #12\n\tveor\tq6, q6, q10\n\tvext.8\tq12, q2, q2, #12\n\tveor\tq4, q4, q11\n\tvext.8\tq13, q7, q7, #12\n\tveor\tq2, q2, q12\n\tvext.8\tq14, q3, q3, #12\n\tveor\tq7, q7, q13\n\tvext.8\tq15, q5, q5, #12\n\tveor\tq3, q3, q14\n\n\tveor\tq9, q9, q0\n\tveor\tq5, q5, q15\n\tvext.8\tq0, q0, q0, #8\t\t@ (x0 ^ (x0 <<< 32)) <<< 64)\n\tveor\tq10, q10, q1\n\tveor\tq8, q8, q5\n\tveor\tq9, q9, q5\n\tvext.8\tq1, q1, q1, #8\n\tveor\tq13, q13, q2\n\tveor\tq0, q0, q8\n\tveor\tq14, q14, q7\n\tveor\tq1, q1, q9\n\tvext.8\tq8, q2, q2, #8\n\tveor\tq12, q12, q4\n\tvext.8\tq9, q7, q7, #8\n\tveor\tq15, q15, q3\n\tvext.8\tq2, q4, q4, #8\n\tveor\tq11, q11, q6\n\tvext.8\tq7, q5, q5, #8\n\tveor\tq12, q12, q5\n\tvext.8\tq4, q3, q3, #8\n\tveor\tq11, q11, q5\n\tvext.8\tq3, q6, q6, #8\n\tveor\tq5, q9, q13\n\tveor\tq11, q11, q2\n\tveor\tq7, q7, q15\n\tveor\tq6, q4, q14\n\tveor\tq4, q8, q12\n\tveor\tq2, q3, q10\n\tvmov\tq3, q11\n\t @ vmov\tq5, q9\n\tvldmia\tr6, {q12}\t\t@ .LISR\n\tite\teq\t\t\t\t@ Thumb2 thing, sanity check in ARM\n\taddeq\tr6,r6,#0x10\n\tbne\t.Ldec_loop\n\tvldmia\tr6, {q12}\t\t@ .LISRM0\n\tb\t.Ldec_loop\n.align\t4\n.Ldec_done:\n\tvmov.i8\tq8,#0x55\t\t\t@ compose .LBS0\n\tvmov.i8\tq9,#0x33\t\t\t@ compose .LBS1\n\tvshr.u64\tq10, q3, #1\n\tvshr.u64\tq11, q2, #1\n\tveor\tq10, q10, q5\n\tveor\tq11, q11, q7\n\tvand\tq10, q10, q8\n\tvand\tq11, q11, q8\n\tveor\tq5, q5, q10\n\tvshl.u64\tq10, q10, #1\n\tveor\tq7, q7, q11\n\tvshl.u64\tq11, q11, #1\n\tveor\tq3, q3, q10\n\tveor\tq2, q2, q11\n\tvshr.u64\tq10, q6, #1\n\tvshr.u64\tq11, q0, #1\n\tveor\tq10, q10, q4\n\tveor\tq11, q11, q1\n\tvand\tq10, q10, q8\n\tvand\tq11, q11, q8\n\tveor\tq4, q4, q10\n\tvshl.u64\tq10, q10, #1\n\tveor\tq1, q1, q11\n\tvshl.u64\tq11, q11, #1\n\tveor\tq6, q6, q10\n\tveor\tq0, q0, q11\n\tvmov.i8\tq8,#0x0f\t\t\t@ compose .LBS2\n\tvshr.u64\tq10, q7, #2\n\tvshr.u64\tq11, q2, #2\n\tveor\tq10, q10, q5\n\tveor\tq11, q11, q3\n\tvand\tq10, q10, q9\n\tvand\tq11, q11, q9\n\tveor\tq5, q5, q10\n\tvshl.u64\tq10, q10, #2\n\tveor\tq3, q3, q11\n\tvshl.u64\tq11, q11, #2\n\tveor\tq7, q7, q10\n\tveor\tq2, q2, q11\n\tvshr.u64\tq10, q1, #2\n\tvshr.u64\tq11, q0, #2\n\tveor\tq10, q10, q4\n\tveor\tq11, q11, q6\n\tvand\tq10, q10, q9\n\tvand\tq11, q11, q9\n\tveor\tq4, q4, q10\n\tvshl.u64\tq10, q10, #2\n\tveor\tq6, q6, q11\n\tvshl.u64\tq11, q11, #2\n\tveor\tq1, q1, q10\n\tveor\tq0, q0, q11\n\tvshr.u64\tq10, q4, #4\n\tvshr.u64\tq11, q6, #4\n\tveor\tq10, q10, q5\n\tveor\tq11, q11, q3\n\tvand\tq10, q10, q8\n\tvand\tq11, q11, q8\n\tveor\tq5, q5, q10\n\tvshl.u64\tq10, q10, #4\n\tveor\tq3, q3, q11\n\tvshl.u64\tq11, q11, #4\n\tveor\tq4, q4, q10\n\tveor\tq6, q6, q11\n\tvshr.u64\tq10, q1, #4\n\tvshr.u64\tq11, q0, #4\n\tveor\tq10, q10, q7\n\tveor\tq11, q11, q2\n\tvand\tq10, q10, q8\n\tvand\tq11, q11, q8\n\tveor\tq7, q7, q10\n\tvshl.u64\tq10, q10, #4\n\tveor\tq2, q2, q11\n\tvshl.u64\tq11, q11, #4\n\tveor\tq1, q1, q10\n\tveor\tq0, q0, q11\n\tvldmia\tr4, {q8}\t\t\t@ last round key\n\tveor\tq6, q6, q8\n\tveor\tq4, q4, q8\n\tveor\tq2, q2, q8\n\tveor\tq7, q7, q8\n\tveor\tq3, q3, q8\n\tveor\tq5, q5, q8\n\tveor\tq0, q0, q8\n\tveor\tq1, q1, q8\n\tbx\tlr\n.size\t_bsaes_decrypt8,.-_bsaes_decrypt8\n\n.type\t_bsaes_const,%object\n.align\t6\n_bsaes_const:\n.LM0ISR:@ InvShiftRows constants\n.quad\t0x0a0e0206070b0f03, 0x0004080c0d010509\n.LISR:\n.quad\t0x0504070602010003, 0x0f0e0d0c080b0a09\n.LISRM0:\n.quad\t0x01040b0e0205080f, 0x0306090c00070a0d\n.LM0SR:@ ShiftRows constants\n.quad\t0x0a0e02060f03070b, 0x0004080c05090d01\n.LSR:\n.quad\t0x0504070600030201, 0x0f0e0d0c0a09080b\n.LSRM0:\n.quad\t0x0304090e00050a0f, 0x01060b0c0207080d\n.LM0:\n.quad\t0x02060a0e03070b0f, 0x0004080c0105090d\n.LREVM0SR:\n.quad\t0x090d01050c000408, 0x03070b0f060a0e02\n.byte\t66,105,116,45,115,108,105,99,101,100,32,65,69,83,32,102,111,114,32,78,69,79,78,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0\n.align\t2\n.align\t6\n.size\t_bsaes_const,.-_bsaes_const\n\n.type\t_bsaes_encrypt8,%function\n.align\t4\n_bsaes_encrypt8:\n\tadr\tr6,.\n\tvldmia\tr4!, {q9}\t\t@ round 0 key\n#if defined(__thumb2__) || defined(__APPLE__)\n\tadr\tr6,.LM0SR\n#else\n\tsub\tr6,r6,#_bsaes_encrypt8-.LM0SR\n#endif\n\n\tvldmia\tr6!, {q8}\t\t@ .LM0SR\n_bsaes_encrypt8_alt:\n\tveor\tq10, q0, q9\t@ xor with round0 key\n\tveor\tq11, q1, q9\n\tvtbl.8\td0, {q10}, d16\n\tvtbl.8\td1, {q10}, d17\n\tveor\tq12, q2, q9\n\tvtbl.8\td2, {q11}, d16\n\tvtbl.8\td3, {q11}, d17\n\tveor\tq13, q3, q9\n\tvtbl.8\td4, {q12}, d16\n\tvtbl.8\td5, {q12}, d17\n\tveor\tq14, q4, q9\n\tvtbl.8\td6, {q13}, d16\n\tvtbl.8\td7, {q13}, d17\n\tveor\tq15, q5, q9\n\tvtbl.8\td8, {q14}, d16\n\tvtbl.8\td9, {q14}, d17\n\tveor\tq10, q6, q9\n\tvtbl.8\td10, {q15}, d16\n\tvtbl.8\td11, {q15}, d17\n\tveor\tq11, q7, q9\n\tvtbl.8\td12, {q10}, d16\n\tvtbl.8\td13, {q10}, d17\n\tvtbl.8\td14, {q11}, d16\n\tvtbl.8\td15, {q11}, d17\n_bsaes_encrypt8_bitslice:\n\tvmov.i8\tq8,#0x55\t\t\t@ compose .LBS0\n\tvmov.i8\tq9,#0x33\t\t\t@ compose .LBS1\n\tvshr.u64\tq10, q6, #1\n\tvshr.u64\tq11, q4, #1\n\tveor\tq10, q10, q7\n\tveor\tq11, q11, q5\n\tvand\tq10, q10, q8\n\tvand\tq11, q11, q8\n\tveor\tq7, q7, q10\n\tvshl.u64\tq10, q10, #1\n\tveor\tq5, q5, q11\n\tvshl.u64\tq11, q11, #1\n\tveor\tq6, q6, q10\n\tveor\tq4, q4, q11\n\tvshr.u64\tq10, q2, #1\n\tvshr.u64\tq11, q0, #1\n\tveor\tq10, q10, q3\n\tveor\tq11, q11, q1\n\tvand\tq10, q10, q8\n\tvand\tq11, q11, q8\n\tveor\tq3, q3, q10\n\tvshl.u64\tq10, q10, #1\n\tveor\tq1, q1, q11\n\tvshl.u64\tq11, q11, #1\n\tveor\tq2, q2, q10\n\tveor\tq0, q0, q11\n\tvmov.i8\tq8,#0x0f\t\t\t@ compose .LBS2\n\tvshr.u64\tq10, q5, #2\n\tvshr.u64\tq11, q4, #2\n\tveor\tq10, q10, q7\n\tveor\tq11, q11, q6\n\tvand\tq10, q10, q9\n\tvand\tq11, q11, q9\n\tveor\tq7, q7, q10\n\tvshl.u64\tq10, q10, #2\n\tveor\tq6, q6, q11\n\tvshl.u64\tq11, q11, #2\n\tveor\tq5, q5, q10\n\tveor\tq4, q4, q11\n\tvshr.u64\tq10, q1, #2\n\tvshr.u64\tq11, q0, #2\n\tveor\tq10, q10, q3\n\tveor\tq11, q11, q2\n\tvand\tq10, q10, q9\n\tvand\tq11, q11, q9\n\tveor\tq3, q3, q10\n\tvshl.u64\tq10, q10, #2\n\tveor\tq2, q2, q11\n\tvshl.u64\tq11, q11, #2\n\tveor\tq1, q1, q10\n\tveor\tq0, q0, q11\n\tvshr.u64\tq10, q3, #4\n\tvshr.u64\tq11, q2, #4\n\tveor\tq10, q10, q7\n\tveor\tq11, q11, q6\n\tvand\tq10, q10, q8\n\tvand\tq11, q11, q8\n\tveor\tq7, q7, q10\n\tvshl.u64\tq10, q10, #4\n\tveor\tq6, q6, q11\n\tvshl.u64\tq11, q11, #4\n\tveor\tq3, q3, q10\n\tveor\tq2, q2, q11\n\tvshr.u64\tq10, q1, #4\n\tvshr.u64\tq11, q0, #4\n\tveor\tq10, q10, q5\n\tveor\tq11, q11, q4\n\tvand\tq10, q10, q8\n\tvand\tq11, q11, q8\n\tveor\tq5, q5, q10\n\tvshl.u64\tq10, q10, #4\n\tveor\tq4, q4, q11\n\tvshl.u64\tq11, q11, #4\n\tveor\tq1, q1, q10\n\tveor\tq0, q0, q11\n\tsub\tr5,r5,#1\n\tb\t.Lenc_sbox\n.align\t4\n.Lenc_loop:\n\tvldmia\tr4!, {q8,q9,q10,q11}\n\tveor\tq8, q8, q0\n\tveor\tq9, q9, q1\n\tvtbl.8\td0, {q8}, d24\n\tvtbl.8\td1, {q8}, d25\n\tvldmia\tr4!, {q8}\n\tveor\tq10, q10, q2\n\tvtbl.8\td2, {q9}, d24\n\tvtbl.8\td3, {q9}, d25\n\tvldmia\tr4!, {q9}\n\tveor\tq11, q11, q3\n\tvtbl.8\td4, {q10}, d24\n\tvtbl.8\td5, {q10}, d25\n\tvldmia\tr4!, {q10}\n\tvtbl.8\td6, {q11}, d24\n\tvtbl.8\td7, {q11}, d25\n\tvldmia\tr4!, {q11}\n\tveor\tq8, q8, q4\n\tveor\tq9, q9, q5\n\tvtbl.8\td8, {q8}, d24\n\tvtbl.8\td9, {q8}, d25\n\tveor\tq10, q10, q6\n\tvtbl.8\td10, {q9}, d24\n\tvtbl.8\td11, {q9}, d25\n\tveor\tq11, q11, q7\n\tvtbl.8\td12, {q10}, d24\n\tvtbl.8\td13, {q10}, d25\n\tvtbl.8\td14, {q11}, d24\n\tvtbl.8\td15, {q11}, d25\n.Lenc_sbox:\n\tveor\tq2, q2, q1\n\tveor\tq5, q5, q6\n\tveor\tq3, q3, q0\n\tveor\tq6, q6, q2\n\tveor\tq5, q5, q0\n\n\tveor\tq6, q6, q3\n\tveor\tq3, q3, q7\n\tveor\tq7, q7, q5\n\tveor\tq3, q3, q4\n\tveor\tq4, q4, q5\n\n\tveor\tq2, q2, q7\n\tveor\tq3, q3, q1\n\tveor\tq1, q1, q5\n\tveor\tq11, q7, q4\n\tveor\tq10, q1, q2\n\tveor\tq9, q5, q3\n\tveor\tq13, q2, q4\n\tvmov\tq8, q10\n\tveor\tq12, q6, q0\n\n\tvorr\tq10, q10, q9\n\tveor\tq15, q11, q8\n\tvand\tq14, q11, q12\n\tvorr\tq11, q11, q12\n\tveor\tq12, q12, q9\n\tvand\tq8, q8, q9\n\tveor\tq9, q3, q0\n\tvand\tq15, q15, q12\n\tvand\tq13, q13, q9\n\tveor\tq9, q7, q1\n\tveor\tq12, q5, q6\n\tveor\tq11, q11, q13\n\tveor\tq10, q10, q13\n\tvand\tq13, q9, q12\n\tvorr\tq9, q9, q12\n\tveor\tq11, q11, q15\n\tveor\tq8, q8, q13\n\tveor\tq10, q10, q14\n\tveor\tq9, q9, q15\n\tveor\tq8, q8, q14\n\tvand\tq12, q2, q3\n\tveor\tq9, q9, q14\n\tvand\tq13, q4, q0\n\tvand\tq14, q1, q5\n\tvorr\tq15, q7, q6\n\tveor\tq11, q11, q12\n\tveor\tq9, q9, q14\n\tveor\tq8, q8, q15\n\tveor\tq10, q10, q13\n\n\t@ Inv_GF16 \t0, \t1, \t2, \t3, s0, s1, s2, s3\n\n\t@ new smaller inversion\n\n\tvand\tq14, q11, q9\n\tvmov\tq12, q8\n\n\tveor\tq13, q10, q14\n\tveor\tq15, q8, q14\n\tveor\tq14, q8, q14\t@ q14=q15\n\n\tvbsl\tq13, q9, q8\n\tvbsl\tq15, q11, q10\n\tveor\tq11, q11, q10\n\n\tvbsl\tq12, q13, q14\n\tvbsl\tq8, q14, q13\n\n\tvand\tq14, q12, q15\n\tveor\tq9, q9, q8\n\n\tveor\tq14, q14, q11\n\tveor\tq12, q6, q0\n\tveor\tq8, q5, q3\n\tveor\tq10, q15, q14\n\tvand\tq10, q10, q6\n\tveor\tq6, q6, q5\n\tvand\tq11, q5, q15\n\tvand\tq6, q6, q14\n\tveor\tq5, q11, q10\n\tveor\tq6, q6, q11\n\tveor\tq15, q15, q13\n\tveor\tq14, q14, q9\n\tveor\tq11, q15, q14\n\tveor\tq10, q13, q9\n\tvand\tq11, q11, q12\n\tvand\tq10, q10, q0\n\tveor\tq12, q12, q8\n\tveor\tq0, q0, q3\n\tvand\tq8, q8, q15\n\tvand\tq3, q3, q13\n\tvand\tq12, q12, q14\n\tvand\tq0, q0, q9\n\tveor\tq8, q8, q12\n\tveor\tq0, q0, q3\n\tveor\tq12, q12, q11\n\tveor\tq3, q3, q10\n\tveor\tq6, q6, q12\n\tveor\tq0, q0, q12\n\tveor\tq5, q5, q8\n\tveor\tq3, q3, q8\n\n\tveor\tq12, q7, q4\n\tveor\tq8, q1, q2\n\tveor\tq11, q15, q14\n\tveor\tq10, q13, q9\n\tvand\tq11, q11, q12\n\tvand\tq10, q10, q4\n\tveor\tq12, q12, q8\n\tveor\tq4, q4, q2\n\tvand\tq8, q8, q15\n\tvand\tq2, q2, q13\n\tvand\tq12, q12, q14\n\tvand\tq4, q4, q9\n\tveor\tq8, q8, q12\n\tveor\tq4, q4, q2\n\tveor\tq12, q12, q11\n\tveor\tq2, q2, q10\n\tveor\tq15, q15, q13\n\tveor\tq14, q14, q9\n\tveor\tq10, q15, q14\n\tvand\tq10, q10, q7\n\tveor\tq7, q7, q1\n\tvand\tq11, q1, q15\n\tvand\tq7, q7, q14\n\tveor\tq1, q11, q10\n\tveor\tq7, q7, q11\n\tveor\tq7, q7, q12\n\tveor\tq4, q4, q12\n\tveor\tq1, q1, q8\n\tveor\tq2, q2, q8\n\tveor\tq7, q7, q0\n\tveor\tq1, q1, q6\n\tveor\tq6, q6, q0\n\tveor\tq4, q4, q7\n\tveor\tq0, q0, q1\n\n\tveor\tq1, q1, q5\n\tveor\tq5, q5, q2\n\tveor\tq2, q2, q3\n\tveor\tq3, q3, q5\n\tveor\tq4, q4, q5\n\n\tveor\tq6, q6, q3\n\tsubs\tr5,r5,#1\n\tbcc\t.Lenc_done\n\tvext.8\tq8, q0, q0, #12\t@ x0 <<< 32\n\tvext.8\tq9, q1, q1, #12\n\tveor\tq0, q0, q8\t\t@ x0 ^ (x0 <<< 32)\n\tvext.8\tq10, q4, q4, #12\n\tveor\tq1, q1, q9\n\tvext.8\tq11, q6, q6, #12\n\tveor\tq4, q4, q10\n\tvext.8\tq12, q3, q3, #12\n\tveor\tq6, q6, q11\n\tvext.8\tq13, q7, q7, #12\n\tveor\tq3, q3, q12\n\tvext.8\tq14, q2, q2, #12\n\tveor\tq7, q7, q13\n\tvext.8\tq15, q5, q5, #12\n\tveor\tq2, q2, q14\n\n\tveor\tq9, q9, q0\n\tveor\tq5, q5, q15\n\tvext.8\tq0, q0, q0, #8\t\t@ (x0 ^ (x0 <<< 32)) <<< 64)\n\tveor\tq10, q10, q1\n\tveor\tq8, q8, q5\n\tveor\tq9, q9, q5\n\tvext.8\tq1, q1, q1, #8\n\tveor\tq13, q13, q3\n\tveor\tq0, q0, q8\n\tveor\tq14, q14, q7\n\tveor\tq1, q1, q9\n\tvext.8\tq8, q3, q3, #8\n\tveor\tq12, q12, q6\n\tvext.8\tq9, q7, q7, #8\n\tveor\tq15, q15, q2\n\tvext.8\tq3, q6, q6, #8\n\tveor\tq11, q11, q4\n\tvext.8\tq7, q5, q5, #8\n\tveor\tq12, q12, q5\n\tvext.8\tq6, q2, q2, #8\n\tveor\tq11, q11, q5\n\tvext.8\tq2, q4, q4, #8\n\tveor\tq5, q9, q13\n\tveor\tq4, q8, q12\n\tveor\tq3, q3, q11\n\tveor\tq7, q7, q15\n\tveor\tq6, q6, q14\n\t @ vmov\tq4, q8\n\tveor\tq2, q2, q10\n\t @ vmov\tq5, q9\n\tvldmia\tr6, {q12}\t\t@ .LSR\n\tite\teq\t\t\t\t@ Thumb2 thing, samity check in ARM\n\taddeq\tr6,r6,#0x10\n\tbne\t.Lenc_loop\n\tvldmia\tr6, {q12}\t\t@ .LSRM0\n\tb\t.Lenc_loop\n.align\t4\n.Lenc_done:\n\tvmov.i8\tq8,#0x55\t\t\t@ compose .LBS0\n\tvmov.i8\tq9,#0x33\t\t\t@ compose .LBS1\n\tvshr.u64\tq10, q2, #1\n\tvshr.u64\tq11, q3, #1\n\tveor\tq10, q10, q5\n\tveor\tq11, q11, q7\n\tvand\tq10, q10, q8\n\tvand\tq11, q11, q8\n\tveor\tq5, q5, q10\n\tvshl.u64\tq10, q10, #1\n\tveor\tq7, q7, q11\n\tvshl.u64\tq11, q11, #1\n\tveor\tq2, q2, q10\n\tveor\tq3, q3, q11\n\tvshr.u64\tq10, q4, #1\n\tvshr.u64\tq11, q0, #1\n\tveor\tq10, q10, q6\n\tveor\tq11, q11, q1\n\tvand\tq10, q10, q8\n\tvand\tq11, q11, q8\n\tveor\tq6, q6, q10\n\tvshl.u64\tq10, q10, #1\n\tveor\tq1, q1, q11\n\tvshl.u64\tq11, q11, #1\n\tveor\tq4, q4, q10\n\tveor\tq0, q0, q11\n\tvmov.i8\tq8,#0x0f\t\t\t@ compose .LBS2\n\tvshr.u64\tq10, q7, #2\n\tvshr.u64\tq11, q3, #2\n\tveor\tq10, q10, q5\n\tveor\tq11, q11, q2\n\tvand\tq10, q10, q9\n\tvand\tq11, q11, q9\n\tveor\tq5, q5, q10\n\tvshl.u64\tq10, q10, #2\n\tveor\tq2, q2, q11\n\tvshl.u64\tq11, q11, #2\n\tveor\tq7, q7, q10\n\tveor\tq3, q3, q11\n\tvshr.u64\tq10, q1, #2\n\tvshr.u64\tq11, q0, #2\n\tveor\tq10, q10, q6\n\tveor\tq11, q11, q4\n\tvand\tq10, q10, q9\n\tvand\tq11, q11, q9\n\tveor\tq6, q6, q10\n\tvshl.u64\tq10, q10, #2\n\tveor\tq4, q4, q11\n\tvshl.u64\tq11, q11, #2\n\tveor\tq1, q1, q10\n\tveor\tq0, q0, q11\n\tvshr.u64\tq10, q6, #4\n\tvshr.u64\tq11, q4, #4\n\tveor\tq10, q10, q5\n\tveor\tq11, q11, q2\n\tvand\tq10, q10, q8\n\tvand\tq11, q11, q8\n\tveor\tq5, q5, q10\n\tvshl.u64\tq10, q10, #4\n\tveor\tq2, q2, q11\n\tvshl.u64\tq11, q11, #4\n\tveor\tq6, q6, q10\n\tveor\tq4, q4, q11\n\tvshr.u64\tq10, q1, #4\n\tvshr.u64\tq11, q0, #4\n\tveor\tq10, q10, q7\n\tveor\tq11, q11, q3\n\tvand\tq10, q10, q8\n\tvand\tq11, q11, q8\n\tveor\tq7, q7, q10\n\tvshl.u64\tq10, q10, #4\n\tveor\tq3, q3, q11\n\tvshl.u64\tq11, q11, #4\n\tveor\tq1, q1, q10\n\tveor\tq0, q0, q11\n\tvldmia\tr4, {q8}\t\t\t@ last round key\n\tveor\tq4, q4, q8\n\tveor\tq6, q6, q8\n\tveor\tq3, q3, q8\n\tveor\tq7, q7, q8\n\tveor\tq2, q2, q8\n\tveor\tq5, q5, q8\n\tveor\tq0, q0, q8\n\tveor\tq1, q1, q8\n\tbx\tlr\n.size\t_bsaes_encrypt8,.-_bsaes_encrypt8\n.type\t_bsaes_key_convert,%function\n.align\t4\n_bsaes_key_convert:\n\tadr\tr6,.\n\tvld1.8\t{q7}, [r4]!\t\t@ load round 0 key\n#if defined(__thumb2__) || defined(__APPLE__)\n\tadr\tr6,.LM0\n#else\n\tsub\tr6,r6,#_bsaes_key_convert-.LM0\n#endif\n\tvld1.8\t{q15}, [r4]!\t\t@ load round 1 key\n\n\tvmov.i8\tq8, #0x01\t\t\t@ bit masks\n\tvmov.i8\tq9, #0x02\n\tvmov.i8\tq10, #0x04\n\tvmov.i8\tq11, #0x08\n\tvmov.i8\tq12, #0x10\n\tvmov.i8\tq13, #0x20\n\tvldmia\tr6, {q14}\t\t@ .LM0\n\n#ifdef __ARMEL__\n\tvrev32.8\tq7, q7\n\tvrev32.8\tq15, q15\n#endif\n\tsub\tr5,r5,#1\n\tvstmia\tr12!, {q7}\t\t@ save round 0 key\n\tb\t.Lkey_loop\n\n.align\t4\n.Lkey_loop:\n\tvtbl.8\td14,{q15},d28\n\tvtbl.8\td15,{q15},d29\n\tvmov.i8\tq6, #0x40\n\tvmov.i8\tq15, #0x80\n\n\tvtst.8\tq0, q7, q8\n\tvtst.8\tq1, q7, q9\n\tvtst.8\tq2, q7, q10\n\tvtst.8\tq3, q7, q11\n\tvtst.8\tq4, q7, q12\n\tvtst.8\tq5, q7, q13\n\tvtst.8\tq6, q7, q6\n\tvtst.8\tq7, q7, q15\n\tvld1.8\t{q15}, [r4]!\t\t@ load next round key\n\tvmvn\tq0, q0\t\t@ \"pnot\"\n\tvmvn\tq1, q1\n\tvmvn\tq5, q5\n\tvmvn\tq6, q6\n#ifdef __ARMEL__\n\tvrev32.8\tq15, q15\n#endif\n\tsubs\tr5,r5,#1\n\tvstmia\tr12!,{q0,q1,q2,q3,q4,q5,q6,q7}\t\t@ write bit-sliced round key\n\tbne\t.Lkey_loop\n\n\tvmov.i8\tq7,#0x63\t\t\t@ compose .L63\n\t@ don't save last round key\n\tbx\tlr\n.size\t_bsaes_key_convert,.-_bsaes_key_convert\n.globl\tbsaes_cbc_encrypt\n.hidden\tbsaes_cbc_encrypt\n.type\tbsaes_cbc_encrypt,%function\n.align\t5\nbsaes_cbc_encrypt:\n\t@ In OpenSSL, this function had a fallback to aes_nohw_cbc_encrypt for\n\t@ short inputs. We patch this out, using bsaes for all input sizes.\n\n\t@ it is up to the caller to make sure we are called with enc == 0\n\n\tmov\tip, sp\n\tstmdb\tsp!, {r4,r5,r6,r7,r8,r9,r10, lr}\n\tVFP_ABI_PUSH\n\tldr\tr8, [ip]\t\t\t@ IV is 1st arg on the stack\n\tmov\tr2, r2, lsr#4\t\t@ len in 16 byte blocks\n\tsub\tsp, #0x10\t\t\t@ scratch space to carry over the IV\n\tmov\tr9, sp\t\t\t\t@ save sp\n\n\tldr\tr10, [r3, #240]\t\t@ get # of rounds\n#ifndef\tBSAES_ASM_EXTENDED_KEY\n\t@ allocate the key schedule on the stack\n\tsub\tr12, sp, r10, lsl#7\t\t@ 128 bytes per inner round key\n\tadd\tr12, #96\t\t\t@ sifze of bit-slices key schedule\n\n\t@ populate the key schedule\n\tmov\tr4, r3\t\t\t@ pass key\n\tmov\tr5, r10\t\t\t@ pass # of rounds\n\tmov\tsp, r12\t\t\t\t@ sp is sp\n\tbl\t_bsaes_key_convert\n\tvldmia\tsp, {q6}\n\tvstmia\tr12, {q15}\t\t@ save last round key\n\tveor\tq7, q7, q6\t@ fix up round 0 key\n\tvstmia\tsp, {q7}\n#else\n\tldr\tr12, [r3, #244]\n\teors\tr12, #1\n\tbeq\t0f\n\n\t@ populate the key schedule\n\tstr\tr12, [r3, #244]\n\tmov\tr4, r3\t\t\t@ pass key\n\tmov\tr5, r10\t\t\t@ pass # of rounds\n\tadd\tr12, r3, #248\t\t\t@ pass key schedule\n\tbl\t_bsaes_key_convert\n\tadd\tr4, r3, #248\n\tvldmia\tr4, {q6}\n\tvstmia\tr12, {q15}\t\t\t@ save last round key\n\tveor\tq7, q7, q6\t@ fix up round 0 key\n\tvstmia\tr4, {q7}\n\n.align\t2\n\n#endif\n\n\tvld1.8\t{q15}, [r8]\t\t@ load IV\n\tb\t.Lcbc_dec_loop\n\n.align\t4\n.Lcbc_dec_loop:\n\tsubs\tr2, r2, #0x8\n\tbmi\t.Lcbc_dec_loop_finish\n\n\tvld1.8\t{q0,q1}, [r0]!\t@ load input\n\tvld1.8\t{q2,q3}, [r0]!\n#ifndef\tBSAES_ASM_EXTENDED_KEY\n\tmov\tr4, sp\t\t\t@ pass the key\n#else\n\tadd\tr4, r3, #248\n#endif\n\tvld1.8\t{q4,q5}, [r0]!\n\tmov\tr5, r10\n\tvld1.8\t{q6,q7}, [r0]\n\tsub\tr0, r0, #0x60\n\tvstmia\tr9, {q15}\t\t\t@ put aside IV\n\n\tbl\t_bsaes_decrypt8\n\n\tvldmia\tr9, {q14}\t\t\t@ reload IV\n\tvld1.8\t{q8,q9}, [r0]!\t@ reload input\n\tveor\tq0, q0, q14\t@ ^= IV\n\tvld1.8\t{q10,q11}, [r0]!\n\tveor\tq1, q1, q8\n\tveor\tq6, q6, q9\n\tvld1.8\t{q12,q13}, [r0]!\n\tveor\tq4, q4, q10\n\tveor\tq2, q2, q11\n\tvld1.8\t{q14,q15}, [r0]!\n\tveor\tq7, q7, q12\n\tvst1.8\t{q0,q1}, [r1]!\t@ write output\n\tveor\tq3, q3, q13\n\tvst1.8\t{q6}, [r1]!\n\tveor\tq5, q5, q14\n\tvst1.8\t{q4}, [r1]!\n\tvst1.8\t{q2}, [r1]!\n\tvst1.8\t{q7}, [r1]!\n\tvst1.8\t{q3}, [r1]!\n\tvst1.8\t{q5}, [r1]!\n\n\tb\t.Lcbc_dec_loop\n\n.Lcbc_dec_loop_finish:\n\tadds\tr2, r2, #8\n\tbeq\t.Lcbc_dec_done\n\n\t@ Set up most parameters for the _bsaes_decrypt8 call.\n#ifndef\tBSAES_ASM_EXTENDED_KEY\n\tmov\tr4, sp\t\t\t@ pass the key\n#else\n\tadd\tr4, r3, #248\n#endif\n\tmov\tr5, r10\n\tvstmia\tr9, {q15}\t\t\t@ put aside IV\n\n\tvld1.8\t{q0}, [r0]!\t\t@ load input\n\tcmp\tr2, #2\n\tblo\t.Lcbc_dec_one\n\tvld1.8\t{q1}, [r0]!\n\tbeq\t.Lcbc_dec_two\n\tvld1.8\t{q2}, [r0]!\n\tcmp\tr2, #4\n\tblo\t.Lcbc_dec_three\n\tvld1.8\t{q3}, [r0]!\n\tbeq\t.Lcbc_dec_four\n\tvld1.8\t{q4}, [r0]!\n\tcmp\tr2, #6\n\tblo\t.Lcbc_dec_five\n\tvld1.8\t{q5}, [r0]!\n\tbeq\t.Lcbc_dec_six\n\tvld1.8\t{q6}, [r0]!\n\tsub\tr0, r0, #0x70\n\n\tbl\t_bsaes_decrypt8\n\n\tvldmia\tr9, {q14}\t\t\t@ reload IV\n\tvld1.8\t{q8,q9}, [r0]!\t@ reload input\n\tveor\tq0, q0, q14\t@ ^= IV\n\tvld1.8\t{q10,q11}, [r0]!\n\tveor\tq1, q1, q8\n\tveor\tq6, q6, q9\n\tvld1.8\t{q12,q13}, [r0]!\n\tveor\tq4, q4, q10\n\tveor\tq2, q2, q11\n\tvld1.8\t{q15}, [r0]!\n\tveor\tq7, q7, q12\n\tvst1.8\t{q0,q1}, [r1]!\t@ write output\n\tveor\tq3, q3, q13\n\tvst1.8\t{q6}, [r1]!\n\tvst1.8\t{q4}, [r1]!\n\tvst1.8\t{q2}, [r1]!\n\tvst1.8\t{q7}, [r1]!\n\tvst1.8\t{q3}, [r1]!\n\tb\t.Lcbc_dec_done\n.align\t4\n.Lcbc_dec_six:\n\tsub\tr0, r0, #0x60\n\tbl\t_bsaes_decrypt8\n\tvldmia\tr9,{q14}\t\t\t@ reload IV\n\tvld1.8\t{q8,q9}, [r0]!\t@ reload input\n\tveor\tq0, q0, q14\t@ ^= IV\n\tvld1.8\t{q10,q11}, [r0]!\n\tveor\tq1, q1, q8\n\tveor\tq6, q6, q9\n\tvld1.8\t{q12}, [r0]!\n\tveor\tq4, q4, q10\n\tveor\tq2, q2, q11\n\tvld1.8\t{q15}, [r0]!\n\tveor\tq7, q7, q12\n\tvst1.8\t{q0,q1}, [r1]!\t@ write output\n\tvst1.8\t{q6}, [r1]!\n\tvst1.8\t{q4}, [r1]!\n\tvst1.8\t{q2}, [r1]!\n\tvst1.8\t{q7}, [r1]!\n\tb\t.Lcbc_dec_done\n.align\t4\n.Lcbc_dec_five:\n\tsub\tr0, r0, #0x50\n\tbl\t_bsaes_decrypt8\n\tvldmia\tr9, {q14}\t\t\t@ reload IV\n\tvld1.8\t{q8,q9}, [r0]!\t@ reload input\n\tveor\tq0, q0, q14\t@ ^= IV\n\tvld1.8\t{q10,q11}, [r0]!\n\tveor\tq1, q1, q8\n\tveor\tq6, q6, q9\n\tvld1.8\t{q15}, [r0]!\n\tveor\tq4, q4, q10\n\tvst1.8\t{q0,q1}, [r1]!\t@ write output\n\tveor\tq2, q2, q11\n\tvst1.8\t{q6}, [r1]!\n\tvst1.8\t{q4}, [r1]!\n\tvst1.8\t{q2}, [r1]!\n\tb\t.Lcbc_dec_done\n.align\t4\n.Lcbc_dec_four:\n\tsub\tr0, r0, #0x40\n\tbl\t_bsaes_decrypt8\n\tvldmia\tr9, {q14}\t\t\t@ reload IV\n\tvld1.8\t{q8,q9}, [r0]!\t@ reload input\n\tveor\tq0, q0, q14\t@ ^= IV\n\tvld1.8\t{q10}, [r0]!\n\tveor\tq1, q1, q8\n\tveor\tq6, q6, q9\n\tvld1.8\t{q15}, [r0]!\n\tveor\tq4, q4, q10\n\tvst1.8\t{q0,q1}, [r1]!\t@ write output\n\tvst1.8\t{q6}, [r1]!\n\tvst1.8\t{q4}, [r1]!\n\tb\t.Lcbc_dec_done\n.align\t4\n.Lcbc_dec_three:\n\tsub\tr0, r0, #0x30\n\tbl\t_bsaes_decrypt8\n\tvldmia\tr9, {q14}\t\t\t@ reload IV\n\tvld1.8\t{q8,q9}, [r0]!\t@ reload input\n\tveor\tq0, q0, q14\t@ ^= IV\n\tvld1.8\t{q15}, [r0]!\n\tveor\tq1, q1, q8\n\tveor\tq6, q6, q9\n\tvst1.8\t{q0,q1}, [r1]!\t@ write output\n\tvst1.8\t{q6}, [r1]!\n\tb\t.Lcbc_dec_done\n.align\t4\n.Lcbc_dec_two:\n\tsub\tr0, r0, #0x20\n\tbl\t_bsaes_decrypt8\n\tvldmia\tr9, {q14}\t\t\t@ reload IV\n\tvld1.8\t{q8}, [r0]!\t\t@ reload input\n\tveor\tq0, q0, q14\t@ ^= IV\n\tvld1.8\t{q15}, [r0]!\t\t@ reload input\n\tveor\tq1, q1, q8\n\tvst1.8\t{q0,q1}, [r1]!\t@ write output\n\tb\t.Lcbc_dec_done\n.align\t4\n.Lcbc_dec_one:\n\tsub\tr0, r0, #0x10\n\tbl\t_bsaes_decrypt8\n\tvldmia\tr9, {q14}\t\t\t@ reload IV\n\tvld1.8\t{q15}, [r0]!\t\t@ reload input\n\tveor\tq0, q0, q14\t@ ^= IV\n\tvst1.8\t{q0}, [r1]!\t\t@ write output\n\n.Lcbc_dec_done:\n#ifndef\tBSAES_ASM_EXTENDED_KEY\n\tvmov.i32\tq0, #0\n\tvmov.i32\tq1, #0\n.Lcbc_dec_bzero:@ wipe key schedule [if any]\n\tvstmia\tsp!, {q0,q1}\n\tcmp\tsp, r9\n\tbne\t.Lcbc_dec_bzero\n#endif\n\n\tmov\tsp, r9\n\tadd\tsp, #0x10\t\t\t@ add sp,r9,#0x10 is no good for thumb\n\tvst1.8\t{q15}, [r8]\t\t@ return IV\n\tVFP_ABI_POP\n\tldmia\tsp!, {r4,r5,r6,r7,r8,r9,r10, pc}\n.size\tbsaes_cbc_encrypt,.-bsaes_cbc_encrypt\n.globl\tbsaes_ctr32_encrypt_blocks\n.hidden\tbsaes_ctr32_encrypt_blocks\n.type\tbsaes_ctr32_encrypt_blocks,%function\n.align\t5\nbsaes_ctr32_encrypt_blocks:\n\t@ In OpenSSL, short inputs fall back to aes_nohw_* here. We patch this\n\t@ out to retain a constant-time implementation.\n\tmov\tip, sp\n\tstmdb\tsp!, {r4,r5,r6,r7,r8,r9,r10, lr}\n\tVFP_ABI_PUSH\n\tldr\tr8, [ip]\t\t\t@ ctr is 1st arg on the stack\n\tsub\tsp, sp, #0x10\t\t\t@ scratch space to carry over the ctr\n\tmov\tr9, sp\t\t\t\t@ save sp\n\n\tldr\tr10, [r3, #240]\t\t@ get # of rounds\n#ifndef\tBSAES_ASM_EXTENDED_KEY\n\t@ allocate the key schedule on the stack\n\tsub\tr12, sp, r10, lsl#7\t\t@ 128 bytes per inner round key\n\tadd\tr12, #96\t\t\t@ size of bit-sliced key schedule\n\n\t@ populate the key schedule\n\tmov\tr4, r3\t\t\t@ pass key\n\tmov\tr5, r10\t\t\t@ pass # of rounds\n\tmov\tsp, r12\t\t\t\t@ sp is sp\n\tbl\t_bsaes_key_convert\n\tveor\tq7,q7,q15\t@ fix up last round key\n\tvstmia\tr12, {q7}\t\t\t@ save last round key\n\n\tvld1.8\t{q0}, [r8]\t\t@ load counter\n#ifdef\t__APPLE__\n\tmov\tr8, #:lower16:(.LREVM0SR-.LM0)\n\tadd\tr8, r6, r8\n#else\n\tadd\tr8, r6, #.LREVM0SR-.LM0\t@ borrow r8\n#endif\n\tvldmia\tsp, {q4}\t\t@ load round0 key\n#else\n\tldr\tr12, [r3, #244]\n\teors\tr12, #1\n\tbeq\t0f\n\n\t@ populate the key schedule\n\tstr\tr12, [r3, #244]\n\tmov\tr4, r3\t\t\t@ pass key\n\tmov\tr5, r10\t\t\t@ pass # of rounds\n\tadd\tr12, r3, #248\t\t\t@ pass key schedule\n\tbl\t_bsaes_key_convert\n\tveor\tq7,q7,q15\t@ fix up last round key\n\tvstmia\tr12, {q7}\t\t\t@ save last round key\n\n.align\t2\n\tadd\tr12, r3, #248\n\tvld1.8\t{q0}, [r8]\t\t@ load counter\n\tadrl\tr8, .LREVM0SR\t\t\t@ borrow r8\n\tvldmia\tr12, {q4}\t\t\t@ load round0 key\n\tsub\tsp, #0x10\t\t\t@ place for adjusted round0 key\n#endif\n\n\tvmov.i32\tq8,#1\t\t@ compose 1<<96\n\tveor\tq9,q9,q9\n\tvrev32.8\tq0,q0\n\tvext.8\tq8,q9,q8,#4\n\tvrev32.8\tq4,q4\n\tvadd.u32\tq9,q8,q8\t@ compose 2<<96\n\tvstmia\tsp, {q4}\t\t@ save adjusted round0 key\n\tb\t.Lctr_enc_loop\n\n.align\t4\n.Lctr_enc_loop:\n\tvadd.u32\tq10, q8, q9\t@ compose 3<<96\n\tvadd.u32\tq1, q0, q8\t@ +1\n\tvadd.u32\tq2, q0, q9\t@ +2\n\tvadd.u32\tq3, q0, q10\t@ +3\n\tvadd.u32\tq4, q1, q10\n\tvadd.u32\tq5, q2, q10\n\tvadd.u32\tq6, q3, q10\n\tvadd.u32\tq7, q4, q10\n\tvadd.u32\tq10, q5, q10\t@ next counter\n\n\t@ Borrow prologue from _bsaes_encrypt8 to use the opportunity\n\t@ to flip byte order in 32-bit counter\n\n\tvldmia\tsp, {q9}\t\t@ load round0 key\n#ifndef\tBSAES_ASM_EXTENDED_KEY\n\tadd\tr4, sp, #0x10\t\t@ pass next round key\n#else\n\tadd\tr4, r3, #264\n#endif\n\tvldmia\tr8, {q8}\t\t\t@ .LREVM0SR\n\tmov\tr5, r10\t\t\t@ pass rounds\n\tvstmia\tr9, {q10}\t\t\t@ save next counter\n#ifdef\t__APPLE__\n\tmov\tr6, #:lower16:(.LREVM0SR-.LSR)\n\tsub\tr6, r8, r6\n#else\n\tsub\tr6, r8, #.LREVM0SR-.LSR\t@ pass constants\n#endif\n\n\tbl\t_bsaes_encrypt8_alt\n\n\tsubs\tr2, r2, #8\n\tblo\t.Lctr_enc_loop_done\n\n\tvld1.8\t{q8,q9}, [r0]!\t@ load input\n\tvld1.8\t{q10,q11}, [r0]!\n\tveor\tq0, q8\n\tveor\tq1, q9\n\tvld1.8\t{q12,q13}, [r0]!\n\tveor\tq4, q10\n\tveor\tq6, q11\n\tvld1.8\t{q14,q15}, [r0]!\n\tveor\tq3, q12\n\tvst1.8\t{q0,q1}, [r1]!\t@ write output\n\tveor\tq7, q13\n\tveor\tq2, q14\n\tvst1.8\t{q4}, [r1]!\n\tveor\tq5, q15\n\tvst1.8\t{q6}, [r1]!\n\tvmov.i32\tq8, #1\t\t\t@ compose 1<<96\n\tvst1.8\t{q3}, [r1]!\n\tveor\tq9, q9, q9\n\tvst1.8\t{q7}, [r1]!\n\tvext.8\tq8, q9, q8, #4\n\tvst1.8\t{q2}, [r1]!\n\tvadd.u32\tq9,q8,q8\t\t@ compose 2<<96\n\tvst1.8\t{q5}, [r1]!\n\tvldmia\tr9, {q0}\t\t\t@ load counter\n\n\tbne\t.Lctr_enc_loop\n\tb\t.Lctr_enc_done\n\n.align\t4\n.Lctr_enc_loop_done:\n\tadd\tr2, r2, #8\n\tvld1.8\t{q8}, [r0]!\t@ load input\n\tveor\tq0, q8\n\tvst1.8\t{q0}, [r1]!\t@ write output\n\tcmp\tr2, #2\n\tblo\t.Lctr_enc_done\n\tvld1.8\t{q9}, [r0]!\n\tveor\tq1, q9\n\tvst1.8\t{q1}, [r1]!\n\tbeq\t.Lctr_enc_done\n\tvld1.8\t{q10}, [r0]!\n\tveor\tq4, q10\n\tvst1.8\t{q4}, [r1]!\n\tcmp\tr2, #4\n\tblo\t.Lctr_enc_done\n\tvld1.8\t{q11}, [r0]!\n\tveor\tq6, q11\n\tvst1.8\t{q6}, [r1]!\n\tbeq\t.Lctr_enc_done\n\tvld1.8\t{q12}, [r0]!\n\tveor\tq3, q12\n\tvst1.8\t{q3}, [r1]!\n\tcmp\tr2, #6\n\tblo\t.Lctr_enc_done\n\tvld1.8\t{q13}, [r0]!\n\tveor\tq7, q13\n\tvst1.8\t{q7}, [r1]!\n\tbeq\t.Lctr_enc_done\n\tvld1.8\t{q14}, [r0]\n\tveor\tq2, q14\n\tvst1.8\t{q2}, [r1]!\n\n.Lctr_enc_done:\n\tvmov.i32\tq0, #0\n\tvmov.i32\tq1, #0\n#ifndef\tBSAES_ASM_EXTENDED_KEY\n.Lctr_enc_bzero:@ wipe key schedule [if any]\n\tvstmia\tsp!, {q0,q1}\n\tcmp\tsp, r9\n\tbne\t.Lctr_enc_bzero\n#else\n\tvstmia\tsp, {q0,q1}\n#endif\n\n\tmov\tsp, r9\n\tadd\tsp, #0x10\t\t@ add sp,r9,#0x10 is no good for thumb\n\tVFP_ABI_POP\n\tldmia\tsp!, {r4,r5,r6,r7,r8,r9,r10, pc}\t@ return\n\n\t@ OpenSSL contains aes_nohw_* fallback code here. We patch this\n\t@ out to retain a constant-time implementation.\n.size\tbsaes_ctr32_encrypt_blocks,.-bsaes_ctr32_encrypt_blocks\n#endif\n#endif // !OPENSSL_NO_ASM && defined(OPENSSL_ARM) && defined(__ELF__)\n#if defined(__linux__) && defined(__ELF__)\n.section .note.GNU-stack,\"\",%progbits\n#endif\n\n" }, { "path": "Sources/CNIOBoringSSL/gen/bcm/co-586-apple.S", "content": "#define BORINGSSL_PREFIX CNIOBoringSSL\n// This file is generated from a similarly-named Perl script in the BoringSSL\n// source tree. Do not edit by hand.\n\n#include \n\n#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86) && defined(__APPLE__)\n.text\n.globl\t_bn_mul_comba8\n.private_extern\t_bn_mul_comba8\n.align\t4\n_bn_mul_comba8:\nL_bn_mul_comba8_begin:\n\tpushl\t%esi\n\tmovl\t12(%esp),%esi\n\tpushl\t%edi\n\tmovl\t20(%esp),%edi\n\tpushl\t%ebp\n\tpushl\t%ebx\n\txorl\t%ebx,%ebx\n\tmovl\t(%esi),%eax\n\txorl\t%ecx,%ecx\n\tmovl\t(%edi),%edx\n\t# ################## Calculate word 0 \n\txorl\t%ebp,%ebp\n\t# mul a[0]*b[0] \n\tmull\t%edx\n\taddl\t%eax,%ebx\n\tmovl\t20(%esp),%eax\n\tadcl\t%edx,%ecx\n\tmovl\t(%edi),%edx\n\tadcl\t$0,%ebp\n\tmovl\t%ebx,(%eax)\n\tmovl\t4(%esi),%eax\n\t# saved r[0] \n\t# ################## Calculate word 1 \n\txorl\t%ebx,%ebx\n\t# mul a[1]*b[0] \n\tmull\t%edx\n\taddl\t%eax,%ecx\n\tmovl\t(%esi),%eax\n\tadcl\t%edx,%ebp\n\tmovl\t4(%edi),%edx\n\tadcl\t$0,%ebx\n\t# mul a[0]*b[1] \n\tmull\t%edx\n\taddl\t%eax,%ecx\n\tmovl\t20(%esp),%eax\n\tadcl\t%edx,%ebp\n\tmovl\t(%edi),%edx\n\tadcl\t$0,%ebx\n\tmovl\t%ecx,4(%eax)\n\tmovl\t8(%esi),%eax\n\t# saved r[1] \n\t# ################## Calculate word 2 \n\txorl\t%ecx,%ecx\n\t# mul a[2]*b[0] \n\tmull\t%edx\n\taddl\t%eax,%ebp\n\tmovl\t4(%esi),%eax\n\tadcl\t%edx,%ebx\n\tmovl\t4(%edi),%edx\n\tadcl\t$0,%ecx\n\t# mul a[1]*b[1] \n\tmull\t%edx\n\taddl\t%eax,%ebp\n\tmovl\t(%esi),%eax\n\tadcl\t%edx,%ebx\n\tmovl\t8(%edi),%edx\n\tadcl\t$0,%ecx\n\t# mul a[0]*b[2] \n\tmull\t%edx\n\taddl\t%eax,%ebp\n\tmovl\t20(%esp),%eax\n\tadcl\t%edx,%ebx\n\tmovl\t(%edi),%edx\n\tadcl\t$0,%ecx\n\tmovl\t%ebp,8(%eax)\n\tmovl\t12(%esi),%eax\n\t# saved r[2] \n\t# ################## Calculate word 3 \n\txorl\t%ebp,%ebp\n\t# mul a[3]*b[0] \n\tmull\t%edx\n\taddl\t%eax,%ebx\n\tmovl\t8(%esi),%eax\n\tadcl\t%edx,%ecx\n\tmovl\t4(%edi),%edx\n\tadcl\t$0,%ebp\n\t# mul a[2]*b[1] \n\tmull\t%edx\n\taddl\t%eax,%ebx\n\tmovl\t4(%esi),%eax\n\tadcl\t%edx,%ecx\n\tmovl\t8(%edi),%edx\n\tadcl\t$0,%ebp\n\t# mul a[1]*b[2] \n\tmull\t%edx\n\taddl\t%eax,%ebx\n\tmovl\t(%esi),%eax\n\tadcl\t%edx,%ecx\n\tmovl\t12(%edi),%edx\n\tadcl\t$0,%ebp\n\t# mul a[0]*b[3] \n\tmull\t%edx\n\taddl\t%eax,%ebx\n\tmovl\t20(%esp),%eax\n\tadcl\t%edx,%ecx\n\tmovl\t(%edi),%edx\n\tadcl\t$0,%ebp\n\tmovl\t%ebx,12(%eax)\n\tmovl\t16(%esi),%eax\n\t# saved r[3] \n\t# ################## Calculate word 4 \n\txorl\t%ebx,%ebx\n\t# mul a[4]*b[0] \n\tmull\t%edx\n\taddl\t%eax,%ecx\n\tmovl\t12(%esi),%eax\n\tadcl\t%edx,%ebp\n\tmovl\t4(%edi),%edx\n\tadcl\t$0,%ebx\n\t# mul a[3]*b[1] \n\tmull\t%edx\n\taddl\t%eax,%ecx\n\tmovl\t8(%esi),%eax\n\tadcl\t%edx,%ebp\n\tmovl\t8(%edi),%edx\n\tadcl\t$0,%ebx\n\t# mul a[2]*b[2] \n\tmull\t%edx\n\taddl\t%eax,%ecx\n\tmovl\t4(%esi),%eax\n\tadcl\t%edx,%ebp\n\tmovl\t12(%edi),%edx\n\tadcl\t$0,%ebx\n\t# mul a[1]*b[3] \n\tmull\t%edx\n\taddl\t%eax,%ecx\n\tmovl\t(%esi),%eax\n\tadcl\t%edx,%ebp\n\tmovl\t16(%edi),%edx\n\tadcl\t$0,%ebx\n\t# mul a[0]*b[4] \n\tmull\t%edx\n\taddl\t%eax,%ecx\n\tmovl\t20(%esp),%eax\n\tadcl\t%edx,%ebp\n\tmovl\t(%edi),%edx\n\tadcl\t$0,%ebx\n\tmovl\t%ecx,16(%eax)\n\tmovl\t20(%esi),%eax\n\t# saved r[4] \n\t# ################## Calculate word 5 \n\txorl\t%ecx,%ecx\n\t# mul a[5]*b[0] \n\tmull\t%edx\n\taddl\t%eax,%ebp\n\tmovl\t16(%esi),%eax\n\tadcl\t%edx,%ebx\n\tmovl\t4(%edi),%edx\n\tadcl\t$0,%ecx\n\t# mul a[4]*b[1] \n\tmull\t%edx\n\taddl\t%eax,%ebp\n\tmovl\t12(%esi),%eax\n\tadcl\t%edx,%ebx\n\tmovl\t8(%edi),%edx\n\tadcl\t$0,%ecx\n\t# mul a[3]*b[2] \n\tmull\t%edx\n\taddl\t%eax,%ebp\n\tmovl\t8(%esi),%eax\n\tadcl\t%edx,%ebx\n\tmovl\t12(%edi),%edx\n\tadcl\t$0,%ecx\n\t# mul a[2]*b[3] \n\tmull\t%edx\n\taddl\t%eax,%ebp\n\tmovl\t4(%esi),%eax\n\tadcl\t%edx,%ebx\n\tmovl\t16(%edi),%edx\n\tadcl\t$0,%ecx\n\t# mul a[1]*b[4] \n\tmull\t%edx\n\taddl\t%eax,%ebp\n\tmovl\t(%esi),%eax\n\tadcl\t%edx,%ebx\n\tmovl\t20(%edi),%edx\n\tadcl\t$0,%ecx\n\t# mul a[0]*b[5] \n\tmull\t%edx\n\taddl\t%eax,%ebp\n\tmovl\t20(%esp),%eax\n\tadcl\t%edx,%ebx\n\tmovl\t(%edi),%edx\n\tadcl\t$0,%ecx\n\tmovl\t%ebp,20(%eax)\n\tmovl\t24(%esi),%eax\n\t# saved r[5] \n\t# ################## Calculate word 6 \n\txorl\t%ebp,%ebp\n\t# mul a[6]*b[0] \n\tmull\t%edx\n\taddl\t%eax,%ebx\n\tmovl\t20(%esi),%eax\n\tadcl\t%edx,%ecx\n\tmovl\t4(%edi),%edx\n\tadcl\t$0,%ebp\n\t# mul a[5]*b[1] \n\tmull\t%edx\n\taddl\t%eax,%ebx\n\tmovl\t16(%esi),%eax\n\tadcl\t%edx,%ecx\n\tmovl\t8(%edi),%edx\n\tadcl\t$0,%ebp\n\t# mul a[4]*b[2] \n\tmull\t%edx\n\taddl\t%eax,%ebx\n\tmovl\t12(%esi),%eax\n\tadcl\t%edx,%ecx\n\tmovl\t12(%edi),%edx\n\tadcl\t$0,%ebp\n\t# mul a[3]*b[3] \n\tmull\t%edx\n\taddl\t%eax,%ebx\n\tmovl\t8(%esi),%eax\n\tadcl\t%edx,%ecx\n\tmovl\t16(%edi),%edx\n\tadcl\t$0,%ebp\n\t# mul a[2]*b[4] \n\tmull\t%edx\n\taddl\t%eax,%ebx\n\tmovl\t4(%esi),%eax\n\tadcl\t%edx,%ecx\n\tmovl\t20(%edi),%edx\n\tadcl\t$0,%ebp\n\t# mul a[1]*b[5] \n\tmull\t%edx\n\taddl\t%eax,%ebx\n\tmovl\t(%esi),%eax\n\tadcl\t%edx,%ecx\n\tmovl\t24(%edi),%edx\n\tadcl\t$0,%ebp\n\t# mul a[0]*b[6] \n\tmull\t%edx\n\taddl\t%eax,%ebx\n\tmovl\t20(%esp),%eax\n\tadcl\t%edx,%ecx\n\tmovl\t(%edi),%edx\n\tadcl\t$0,%ebp\n\tmovl\t%ebx,24(%eax)\n\tmovl\t28(%esi),%eax\n\t# saved r[6] \n\t# ################## Calculate word 7 \n\txorl\t%ebx,%ebx\n\t# mul a[7]*b[0] \n\tmull\t%edx\n\taddl\t%eax,%ecx\n\tmovl\t24(%esi),%eax\n\tadcl\t%edx,%ebp\n\tmovl\t4(%edi),%edx\n\tadcl\t$0,%ebx\n\t# mul a[6]*b[1] \n\tmull\t%edx\n\taddl\t%eax,%ecx\n\tmovl\t20(%esi),%eax\n\tadcl\t%edx,%ebp\n\tmovl\t8(%edi),%edx\n\tadcl\t$0,%ebx\n\t# mul a[5]*b[2] \n\tmull\t%edx\n\taddl\t%eax,%ecx\n\tmovl\t16(%esi),%eax\n\tadcl\t%edx,%ebp\n\tmovl\t12(%edi),%edx\n\tadcl\t$0,%ebx\n\t# mul a[4]*b[3] \n\tmull\t%edx\n\taddl\t%eax,%ecx\n\tmovl\t12(%esi),%eax\n\tadcl\t%edx,%ebp\n\tmovl\t16(%edi),%edx\n\tadcl\t$0,%ebx\n\t# mul a[3]*b[4] \n\tmull\t%edx\n\taddl\t%eax,%ecx\n\tmovl\t8(%esi),%eax\n\tadcl\t%edx,%ebp\n\tmovl\t20(%edi),%edx\n\tadcl\t$0,%ebx\n\t# mul a[2]*b[5] \n\tmull\t%edx\n\taddl\t%eax,%ecx\n\tmovl\t4(%esi),%eax\n\tadcl\t%edx,%ebp\n\tmovl\t24(%edi),%edx\n\tadcl\t$0,%ebx\n\t# mul a[1]*b[6] \n\tmull\t%edx\n\taddl\t%eax,%ecx\n\tmovl\t(%esi),%eax\n\tadcl\t%edx,%ebp\n\tmovl\t28(%edi),%edx\n\tadcl\t$0,%ebx\n\t# mul a[0]*b[7] \n\tmull\t%edx\n\taddl\t%eax,%ecx\n\tmovl\t20(%esp),%eax\n\tadcl\t%edx,%ebp\n\tmovl\t4(%edi),%edx\n\tadcl\t$0,%ebx\n\tmovl\t%ecx,28(%eax)\n\tmovl\t28(%esi),%eax\n\t# saved r[7] \n\t# ################## Calculate word 8 \n\txorl\t%ecx,%ecx\n\t# mul a[7]*b[1] \n\tmull\t%edx\n\taddl\t%eax,%ebp\n\tmovl\t24(%esi),%eax\n\tadcl\t%edx,%ebx\n\tmovl\t8(%edi),%edx\n\tadcl\t$0,%ecx\n\t# mul a[6]*b[2] \n\tmull\t%edx\n\taddl\t%eax,%ebp\n\tmovl\t20(%esi),%eax\n\tadcl\t%edx,%ebx\n\tmovl\t12(%edi),%edx\n\tadcl\t$0,%ecx\n\t# mul a[5]*b[3] \n\tmull\t%edx\n\taddl\t%eax,%ebp\n\tmovl\t16(%esi),%eax\n\tadcl\t%edx,%ebx\n\tmovl\t16(%edi),%edx\n\tadcl\t$0,%ecx\n\t# mul a[4]*b[4] \n\tmull\t%edx\n\taddl\t%eax,%ebp\n\tmovl\t12(%esi),%eax\n\tadcl\t%edx,%ebx\n\tmovl\t20(%edi),%edx\n\tadcl\t$0,%ecx\n\t# mul a[3]*b[5] \n\tmull\t%edx\n\taddl\t%eax,%ebp\n\tmovl\t8(%esi),%eax\n\tadcl\t%edx,%ebx\n\tmovl\t24(%edi),%edx\n\tadcl\t$0,%ecx\n\t# mul a[2]*b[6] \n\tmull\t%edx\n\taddl\t%eax,%ebp\n\tmovl\t4(%esi),%eax\n\tadcl\t%edx,%ebx\n\tmovl\t28(%edi),%edx\n\tadcl\t$0,%ecx\n\t# mul a[1]*b[7] \n\tmull\t%edx\n\taddl\t%eax,%ebp\n\tmovl\t20(%esp),%eax\n\tadcl\t%edx,%ebx\n\tmovl\t8(%edi),%edx\n\tadcl\t$0,%ecx\n\tmovl\t%ebp,32(%eax)\n\tmovl\t28(%esi),%eax\n\t# saved r[8] \n\t# ################## Calculate word 9 \n\txorl\t%ebp,%ebp\n\t# mul a[7]*b[2] \n\tmull\t%edx\n\taddl\t%eax,%ebx\n\tmovl\t24(%esi),%eax\n\tadcl\t%edx,%ecx\n\tmovl\t12(%edi),%edx\n\tadcl\t$0,%ebp\n\t# mul a[6]*b[3] \n\tmull\t%edx\n\taddl\t%eax,%ebx\n\tmovl\t20(%esi),%eax\n\tadcl\t%edx,%ecx\n\tmovl\t16(%edi),%edx\n\tadcl\t$0,%ebp\n\t# mul a[5]*b[4] \n\tmull\t%edx\n\taddl\t%eax,%ebx\n\tmovl\t16(%esi),%eax\n\tadcl\t%edx,%ecx\n\tmovl\t20(%edi),%edx\n\tadcl\t$0,%ebp\n\t# mul a[4]*b[5] \n\tmull\t%edx\n\taddl\t%eax,%ebx\n\tmovl\t12(%esi),%eax\n\tadcl\t%edx,%ecx\n\tmovl\t24(%edi),%edx\n\tadcl\t$0,%ebp\n\t# mul a[3]*b[6] \n\tmull\t%edx\n\taddl\t%eax,%ebx\n\tmovl\t8(%esi),%eax\n\tadcl\t%edx,%ecx\n\tmovl\t28(%edi),%edx\n\tadcl\t$0,%ebp\n\t# mul a[2]*b[7] \n\tmull\t%edx\n\taddl\t%eax,%ebx\n\tmovl\t20(%esp),%eax\n\tadcl\t%edx,%ecx\n\tmovl\t12(%edi),%edx\n\tadcl\t$0,%ebp\n\tmovl\t%ebx,36(%eax)\n\tmovl\t28(%esi),%eax\n\t# saved r[9] \n\t# ################## Calculate word 10 \n\txorl\t%ebx,%ebx\n\t# mul a[7]*b[3] \n\tmull\t%edx\n\taddl\t%eax,%ecx\n\tmovl\t24(%esi),%eax\n\tadcl\t%edx,%ebp\n\tmovl\t16(%edi),%edx\n\tadcl\t$0,%ebx\n\t# mul a[6]*b[4] \n\tmull\t%edx\n\taddl\t%eax,%ecx\n\tmovl\t20(%esi),%eax\n\tadcl\t%edx,%ebp\n\tmovl\t20(%edi),%edx\n\tadcl\t$0,%ebx\n\t# mul a[5]*b[5] \n\tmull\t%edx\n\taddl\t%eax,%ecx\n\tmovl\t16(%esi),%eax\n\tadcl\t%edx,%ebp\n\tmovl\t24(%edi),%edx\n\tadcl\t$0,%ebx\n\t# mul a[4]*b[6] \n\tmull\t%edx\n\taddl\t%eax,%ecx\n\tmovl\t12(%esi),%eax\n\tadcl\t%edx,%ebp\n\tmovl\t28(%edi),%edx\n\tadcl\t$0,%ebx\n\t# mul a[3]*b[7] \n\tmull\t%edx\n\taddl\t%eax,%ecx\n\tmovl\t20(%esp),%eax\n\tadcl\t%edx,%ebp\n\tmovl\t16(%edi),%edx\n\tadcl\t$0,%ebx\n\tmovl\t%ecx,40(%eax)\n\tmovl\t28(%esi),%eax\n\t# saved r[10] \n\t# ################## Calculate word 11 \n\txorl\t%ecx,%ecx\n\t# mul a[7]*b[4] \n\tmull\t%edx\n\taddl\t%eax,%ebp\n\tmovl\t24(%esi),%eax\n\tadcl\t%edx,%ebx\n\tmovl\t20(%edi),%edx\n\tadcl\t$0,%ecx\n\t# mul a[6]*b[5] \n\tmull\t%edx\n\taddl\t%eax,%ebp\n\tmovl\t20(%esi),%eax\n\tadcl\t%edx,%ebx\n\tmovl\t24(%edi),%edx\n\tadcl\t$0,%ecx\n\t# mul a[5]*b[6] \n\tmull\t%edx\n\taddl\t%eax,%ebp\n\tmovl\t16(%esi),%eax\n\tadcl\t%edx,%ebx\n\tmovl\t28(%edi),%edx\n\tadcl\t$0,%ecx\n\t# mul a[4]*b[7] \n\tmull\t%edx\n\taddl\t%eax,%ebp\n\tmovl\t20(%esp),%eax\n\tadcl\t%edx,%ebx\n\tmovl\t20(%edi),%edx\n\tadcl\t$0,%ecx\n\tmovl\t%ebp,44(%eax)\n\tmovl\t28(%esi),%eax\n\t# saved r[11] \n\t# ################## Calculate word 12 \n\txorl\t%ebp,%ebp\n\t# mul a[7]*b[5] \n\tmull\t%edx\n\taddl\t%eax,%ebx\n\tmovl\t24(%esi),%eax\n\tadcl\t%edx,%ecx\n\tmovl\t24(%edi),%edx\n\tadcl\t$0,%ebp\n\t# mul a[6]*b[6] \n\tmull\t%edx\n\taddl\t%eax,%ebx\n\tmovl\t20(%esi),%eax\n\tadcl\t%edx,%ecx\n\tmovl\t28(%edi),%edx\n\tadcl\t$0,%ebp\n\t# mul a[5]*b[7] \n\tmull\t%edx\n\taddl\t%eax,%ebx\n\tmovl\t20(%esp),%eax\n\tadcl\t%edx,%ecx\n\tmovl\t24(%edi),%edx\n\tadcl\t$0,%ebp\n\tmovl\t%ebx,48(%eax)\n\tmovl\t28(%esi),%eax\n\t# saved r[12] \n\t# ################## Calculate word 13 \n\txorl\t%ebx,%ebx\n\t# mul a[7]*b[6] \n\tmull\t%edx\n\taddl\t%eax,%ecx\n\tmovl\t24(%esi),%eax\n\tadcl\t%edx,%ebp\n\tmovl\t28(%edi),%edx\n\tadcl\t$0,%ebx\n\t# mul a[6]*b[7] \n\tmull\t%edx\n\taddl\t%eax,%ecx\n\tmovl\t20(%esp),%eax\n\tadcl\t%edx,%ebp\n\tmovl\t28(%edi),%edx\n\tadcl\t$0,%ebx\n\tmovl\t%ecx,52(%eax)\n\tmovl\t28(%esi),%eax\n\t# saved r[13] \n\t# ################## Calculate word 14 \n\txorl\t%ecx,%ecx\n\t# mul a[7]*b[7] \n\tmull\t%edx\n\taddl\t%eax,%ebp\n\tmovl\t20(%esp),%eax\n\tadcl\t%edx,%ebx\n\tadcl\t$0,%ecx\n\tmovl\t%ebp,56(%eax)\n\t# saved r[14] \n\t# save r[15] \n\tmovl\t%ebx,60(%eax)\n\tpopl\t%ebx\n\tpopl\t%ebp\n\tpopl\t%edi\n\tpopl\t%esi\n\tret\n.globl\t_bn_mul_comba4\n.private_extern\t_bn_mul_comba4\n.align\t4\n_bn_mul_comba4:\nL_bn_mul_comba4_begin:\n\tpushl\t%esi\n\tmovl\t12(%esp),%esi\n\tpushl\t%edi\n\tmovl\t20(%esp),%edi\n\tpushl\t%ebp\n\tpushl\t%ebx\n\txorl\t%ebx,%ebx\n\tmovl\t(%esi),%eax\n\txorl\t%ecx,%ecx\n\tmovl\t(%edi),%edx\n\t# ################## Calculate word 0 \n\txorl\t%ebp,%ebp\n\t# mul a[0]*b[0] \n\tmull\t%edx\n\taddl\t%eax,%ebx\n\tmovl\t20(%esp),%eax\n\tadcl\t%edx,%ecx\n\tmovl\t(%edi),%edx\n\tadcl\t$0,%ebp\n\tmovl\t%ebx,(%eax)\n\tmovl\t4(%esi),%eax\n\t# saved r[0] \n\t# ################## Calculate word 1 \n\txorl\t%ebx,%ebx\n\t# mul a[1]*b[0] \n\tmull\t%edx\n\taddl\t%eax,%ecx\n\tmovl\t(%esi),%eax\n\tadcl\t%edx,%ebp\n\tmovl\t4(%edi),%edx\n\tadcl\t$0,%ebx\n\t# mul a[0]*b[1] \n\tmull\t%edx\n\taddl\t%eax,%ecx\n\tmovl\t20(%esp),%eax\n\tadcl\t%edx,%ebp\n\tmovl\t(%edi),%edx\n\tadcl\t$0,%ebx\n\tmovl\t%ecx,4(%eax)\n\tmovl\t8(%esi),%eax\n\t# saved r[1] \n\t# ################## Calculate word 2 \n\txorl\t%ecx,%ecx\n\t# mul a[2]*b[0] \n\tmull\t%edx\n\taddl\t%eax,%ebp\n\tmovl\t4(%esi),%eax\n\tadcl\t%edx,%ebx\n\tmovl\t4(%edi),%edx\n\tadcl\t$0,%ecx\n\t# mul a[1]*b[1] \n\tmull\t%edx\n\taddl\t%eax,%ebp\n\tmovl\t(%esi),%eax\n\tadcl\t%edx,%ebx\n\tmovl\t8(%edi),%edx\n\tadcl\t$0,%ecx\n\t# mul a[0]*b[2] \n\tmull\t%edx\n\taddl\t%eax,%ebp\n\tmovl\t20(%esp),%eax\n\tadcl\t%edx,%ebx\n\tmovl\t(%edi),%edx\n\tadcl\t$0,%ecx\n\tmovl\t%ebp,8(%eax)\n\tmovl\t12(%esi),%eax\n\t# saved r[2] \n\t# ################## Calculate word 3 \n\txorl\t%ebp,%ebp\n\t# mul a[3]*b[0] \n\tmull\t%edx\n\taddl\t%eax,%ebx\n\tmovl\t8(%esi),%eax\n\tadcl\t%edx,%ecx\n\tmovl\t4(%edi),%edx\n\tadcl\t$0,%ebp\n\t# mul a[2]*b[1] \n\tmull\t%edx\n\taddl\t%eax,%ebx\n\tmovl\t4(%esi),%eax\n\tadcl\t%edx,%ecx\n\tmovl\t8(%edi),%edx\n\tadcl\t$0,%ebp\n\t# mul a[1]*b[2] \n\tmull\t%edx\n\taddl\t%eax,%ebx\n\tmovl\t(%esi),%eax\n\tadcl\t%edx,%ecx\n\tmovl\t12(%edi),%edx\n\tadcl\t$0,%ebp\n\t# mul a[0]*b[3] \n\tmull\t%edx\n\taddl\t%eax,%ebx\n\tmovl\t20(%esp),%eax\n\tadcl\t%edx,%ecx\n\tmovl\t4(%edi),%edx\n\tadcl\t$0,%ebp\n\tmovl\t%ebx,12(%eax)\n\tmovl\t12(%esi),%eax\n\t# saved r[3] \n\t# ################## Calculate word 4 \n\txorl\t%ebx,%ebx\n\t# mul a[3]*b[1] \n\tmull\t%edx\n\taddl\t%eax,%ecx\n\tmovl\t8(%esi),%eax\n\tadcl\t%edx,%ebp\n\tmovl\t8(%edi),%edx\n\tadcl\t$0,%ebx\n\t# mul a[2]*b[2] \n\tmull\t%edx\n\taddl\t%eax,%ecx\n\tmovl\t4(%esi),%eax\n\tadcl\t%edx,%ebp\n\tmovl\t12(%edi),%edx\n\tadcl\t$0,%ebx\n\t# mul a[1]*b[3] \n\tmull\t%edx\n\taddl\t%eax,%ecx\n\tmovl\t20(%esp),%eax\n\tadcl\t%edx,%ebp\n\tmovl\t8(%edi),%edx\n\tadcl\t$0,%ebx\n\tmovl\t%ecx,16(%eax)\n\tmovl\t12(%esi),%eax\n\t# saved r[4] \n\t# ################## Calculate word 5 \n\txorl\t%ecx,%ecx\n\t# mul a[3]*b[2] \n\tmull\t%edx\n\taddl\t%eax,%ebp\n\tmovl\t8(%esi),%eax\n\tadcl\t%edx,%ebx\n\tmovl\t12(%edi),%edx\n\tadcl\t$0,%ecx\n\t# mul a[2]*b[3] \n\tmull\t%edx\n\taddl\t%eax,%ebp\n\tmovl\t20(%esp),%eax\n\tadcl\t%edx,%ebx\n\tmovl\t12(%edi),%edx\n\tadcl\t$0,%ecx\n\tmovl\t%ebp,20(%eax)\n\tmovl\t12(%esi),%eax\n\t# saved r[5] \n\t# ################## Calculate word 6 \n\txorl\t%ebp,%ebp\n\t# mul a[3]*b[3] \n\tmull\t%edx\n\taddl\t%eax,%ebx\n\tmovl\t20(%esp),%eax\n\tadcl\t%edx,%ecx\n\tadcl\t$0,%ebp\n\tmovl\t%ebx,24(%eax)\n\t# saved r[6] \n\t# save r[7] \n\tmovl\t%ecx,28(%eax)\n\tpopl\t%ebx\n\tpopl\t%ebp\n\tpopl\t%edi\n\tpopl\t%esi\n\tret\n.globl\t_bn_sqr_comba8\n.private_extern\t_bn_sqr_comba8\n.align\t4\n_bn_sqr_comba8:\nL_bn_sqr_comba8_begin:\n\tpushl\t%esi\n\tpushl\t%edi\n\tpushl\t%ebp\n\tpushl\t%ebx\n\tmovl\t20(%esp),%edi\n\tmovl\t24(%esp),%esi\n\txorl\t%ebx,%ebx\n\txorl\t%ecx,%ecx\n\tmovl\t(%esi),%eax\n\t# ############### Calculate word 0 \n\txorl\t%ebp,%ebp\n\t# sqr a[0]*a[0] \n\tmull\t%eax\n\taddl\t%eax,%ebx\n\tadcl\t%edx,%ecx\n\tmovl\t(%esi),%edx\n\tadcl\t$0,%ebp\n\tmovl\t%ebx,(%edi)\n\tmovl\t4(%esi),%eax\n\t# saved r[0] \n\t# ############### Calculate word 1 \n\txorl\t%ebx,%ebx\n\t# sqr a[1]*a[0] \n\tmull\t%edx\n\taddl\t%eax,%eax\n\tadcl\t%edx,%edx\n\tadcl\t$0,%ebx\n\taddl\t%eax,%ecx\n\tadcl\t%edx,%ebp\n\tmovl\t8(%esi),%eax\n\tadcl\t$0,%ebx\n\tmovl\t%ecx,4(%edi)\n\tmovl\t(%esi),%edx\n\t# saved r[1] \n\t# ############### Calculate word 2 \n\txorl\t%ecx,%ecx\n\t# sqr a[2]*a[0] \n\tmull\t%edx\n\taddl\t%eax,%eax\n\tadcl\t%edx,%edx\n\tadcl\t$0,%ecx\n\taddl\t%eax,%ebp\n\tadcl\t%edx,%ebx\n\tmovl\t4(%esi),%eax\n\tadcl\t$0,%ecx\n\t# sqr a[1]*a[1] \n\tmull\t%eax\n\taddl\t%eax,%ebp\n\tadcl\t%edx,%ebx\n\tmovl\t(%esi),%edx\n\tadcl\t$0,%ecx\n\tmovl\t%ebp,8(%edi)\n\tmovl\t12(%esi),%eax\n\t# saved r[2] \n\t# ############### Calculate word 3 \n\txorl\t%ebp,%ebp\n\t# sqr a[3]*a[0] \n\tmull\t%edx\n\taddl\t%eax,%eax\n\tadcl\t%edx,%edx\n\tadcl\t$0,%ebp\n\taddl\t%eax,%ebx\n\tadcl\t%edx,%ecx\n\tmovl\t8(%esi),%eax\n\tadcl\t$0,%ebp\n\tmovl\t4(%esi),%edx\n\t# sqr a[2]*a[1] \n\tmull\t%edx\n\taddl\t%eax,%eax\n\tadcl\t%edx,%edx\n\tadcl\t$0,%ebp\n\taddl\t%eax,%ebx\n\tadcl\t%edx,%ecx\n\tmovl\t16(%esi),%eax\n\tadcl\t$0,%ebp\n\tmovl\t%ebx,12(%edi)\n\tmovl\t(%esi),%edx\n\t# saved r[3] \n\t# ############### Calculate word 4 \n\txorl\t%ebx,%ebx\n\t# sqr a[4]*a[0] \n\tmull\t%edx\n\taddl\t%eax,%eax\n\tadcl\t%edx,%edx\n\tadcl\t$0,%ebx\n\taddl\t%eax,%ecx\n\tadcl\t%edx,%ebp\n\tmovl\t12(%esi),%eax\n\tadcl\t$0,%ebx\n\tmovl\t4(%esi),%edx\n\t# sqr a[3]*a[1] \n\tmull\t%edx\n\taddl\t%eax,%eax\n\tadcl\t%edx,%edx\n\tadcl\t$0,%ebx\n\taddl\t%eax,%ecx\n\tadcl\t%edx,%ebp\n\tmovl\t8(%esi),%eax\n\tadcl\t$0,%ebx\n\t# sqr a[2]*a[2] \n\tmull\t%eax\n\taddl\t%eax,%ecx\n\tadcl\t%edx,%ebp\n\tmovl\t(%esi),%edx\n\tadcl\t$0,%ebx\n\tmovl\t%ecx,16(%edi)\n\tmovl\t20(%esi),%eax\n\t# saved r[4] \n\t# ############### Calculate word 5 \n\txorl\t%ecx,%ecx\n\t# sqr a[5]*a[0] \n\tmull\t%edx\n\taddl\t%eax,%eax\n\tadcl\t%edx,%edx\n\tadcl\t$0,%ecx\n\taddl\t%eax,%ebp\n\tadcl\t%edx,%ebx\n\tmovl\t16(%esi),%eax\n\tadcl\t$0,%ecx\n\tmovl\t4(%esi),%edx\n\t# sqr a[4]*a[1] \n\tmull\t%edx\n\taddl\t%eax,%eax\n\tadcl\t%edx,%edx\n\tadcl\t$0,%ecx\n\taddl\t%eax,%ebp\n\tadcl\t%edx,%ebx\n\tmovl\t12(%esi),%eax\n\tadcl\t$0,%ecx\n\tmovl\t8(%esi),%edx\n\t# sqr a[3]*a[2] \n\tmull\t%edx\n\taddl\t%eax,%eax\n\tadcl\t%edx,%edx\n\tadcl\t$0,%ecx\n\taddl\t%eax,%ebp\n\tadcl\t%edx,%ebx\n\tmovl\t24(%esi),%eax\n\tadcl\t$0,%ecx\n\tmovl\t%ebp,20(%edi)\n\tmovl\t(%esi),%edx\n\t# saved r[5] \n\t# ############### Calculate word 6 \n\txorl\t%ebp,%ebp\n\t# sqr a[6]*a[0] \n\tmull\t%edx\n\taddl\t%eax,%eax\n\tadcl\t%edx,%edx\n\tadcl\t$0,%ebp\n\taddl\t%eax,%ebx\n\tadcl\t%edx,%ecx\n\tmovl\t20(%esi),%eax\n\tadcl\t$0,%ebp\n\tmovl\t4(%esi),%edx\n\t# sqr a[5]*a[1] \n\tmull\t%edx\n\taddl\t%eax,%eax\n\tadcl\t%edx,%edx\n\tadcl\t$0,%ebp\n\taddl\t%eax,%ebx\n\tadcl\t%edx,%ecx\n\tmovl\t16(%esi),%eax\n\tadcl\t$0,%ebp\n\tmovl\t8(%esi),%edx\n\t# sqr a[4]*a[2] \n\tmull\t%edx\n\taddl\t%eax,%eax\n\tadcl\t%edx,%edx\n\tadcl\t$0,%ebp\n\taddl\t%eax,%ebx\n\tadcl\t%edx,%ecx\n\tmovl\t12(%esi),%eax\n\tadcl\t$0,%ebp\n\t# sqr a[3]*a[3] \n\tmull\t%eax\n\taddl\t%eax,%ebx\n\tadcl\t%edx,%ecx\n\tmovl\t(%esi),%edx\n\tadcl\t$0,%ebp\n\tmovl\t%ebx,24(%edi)\n\tmovl\t28(%esi),%eax\n\t# saved r[6] \n\t# ############### Calculate word 7 \n\txorl\t%ebx,%ebx\n\t# sqr a[7]*a[0] \n\tmull\t%edx\n\taddl\t%eax,%eax\n\tadcl\t%edx,%edx\n\tadcl\t$0,%ebx\n\taddl\t%eax,%ecx\n\tadcl\t%edx,%ebp\n\tmovl\t24(%esi),%eax\n\tadcl\t$0,%ebx\n\tmovl\t4(%esi),%edx\n\t# sqr a[6]*a[1] \n\tmull\t%edx\n\taddl\t%eax,%eax\n\tadcl\t%edx,%edx\n\tadcl\t$0,%ebx\n\taddl\t%eax,%ecx\n\tadcl\t%edx,%ebp\n\tmovl\t20(%esi),%eax\n\tadcl\t$0,%ebx\n\tmovl\t8(%esi),%edx\n\t# sqr a[5]*a[2] \n\tmull\t%edx\n\taddl\t%eax,%eax\n\tadcl\t%edx,%edx\n\tadcl\t$0,%ebx\n\taddl\t%eax,%ecx\n\tadcl\t%edx,%ebp\n\tmovl\t16(%esi),%eax\n\tadcl\t$0,%ebx\n\tmovl\t12(%esi),%edx\n\t# sqr a[4]*a[3] \n\tmull\t%edx\n\taddl\t%eax,%eax\n\tadcl\t%edx,%edx\n\tadcl\t$0,%ebx\n\taddl\t%eax,%ecx\n\tadcl\t%edx,%ebp\n\tmovl\t28(%esi),%eax\n\tadcl\t$0,%ebx\n\tmovl\t%ecx,28(%edi)\n\tmovl\t4(%esi),%edx\n\t# saved r[7] \n\t# ############### Calculate word 8 \n\txorl\t%ecx,%ecx\n\t# sqr a[7]*a[1] \n\tmull\t%edx\n\taddl\t%eax,%eax\n\tadcl\t%edx,%edx\n\tadcl\t$0,%ecx\n\taddl\t%eax,%ebp\n\tadcl\t%edx,%ebx\n\tmovl\t24(%esi),%eax\n\tadcl\t$0,%ecx\n\tmovl\t8(%esi),%edx\n\t# sqr a[6]*a[2] \n\tmull\t%edx\n\taddl\t%eax,%eax\n\tadcl\t%edx,%edx\n\tadcl\t$0,%ecx\n\taddl\t%eax,%ebp\n\tadcl\t%edx,%ebx\n\tmovl\t20(%esi),%eax\n\tadcl\t$0,%ecx\n\tmovl\t12(%esi),%edx\n\t# sqr a[5]*a[3] \n\tmull\t%edx\n\taddl\t%eax,%eax\n\tadcl\t%edx,%edx\n\tadcl\t$0,%ecx\n\taddl\t%eax,%ebp\n\tadcl\t%edx,%ebx\n\tmovl\t16(%esi),%eax\n\tadcl\t$0,%ecx\n\t# sqr a[4]*a[4] \n\tmull\t%eax\n\taddl\t%eax,%ebp\n\tadcl\t%edx,%ebx\n\tmovl\t8(%esi),%edx\n\tadcl\t$0,%ecx\n\tmovl\t%ebp,32(%edi)\n\tmovl\t28(%esi),%eax\n\t# saved r[8] \n\t# ############### Calculate word 9 \n\txorl\t%ebp,%ebp\n\t# sqr a[7]*a[2] \n\tmull\t%edx\n\taddl\t%eax,%eax\n\tadcl\t%edx,%edx\n\tadcl\t$0,%ebp\n\taddl\t%eax,%ebx\n\tadcl\t%edx,%ecx\n\tmovl\t24(%esi),%eax\n\tadcl\t$0,%ebp\n\tmovl\t12(%esi),%edx\n\t# sqr a[6]*a[3] \n\tmull\t%edx\n\taddl\t%eax,%eax\n\tadcl\t%edx,%edx\n\tadcl\t$0,%ebp\n\taddl\t%eax,%ebx\n\tadcl\t%edx,%ecx\n\tmovl\t20(%esi),%eax\n\tadcl\t$0,%ebp\n\tmovl\t16(%esi),%edx\n\t# sqr a[5]*a[4] \n\tmull\t%edx\n\taddl\t%eax,%eax\n\tadcl\t%edx,%edx\n\tadcl\t$0,%ebp\n\taddl\t%eax,%ebx\n\tadcl\t%edx,%ecx\n\tmovl\t28(%esi),%eax\n\tadcl\t$0,%ebp\n\tmovl\t%ebx,36(%edi)\n\tmovl\t12(%esi),%edx\n\t# saved r[9] \n\t# ############### Calculate word 10 \n\txorl\t%ebx,%ebx\n\t# sqr a[7]*a[3] \n\tmull\t%edx\n\taddl\t%eax,%eax\n\tadcl\t%edx,%edx\n\tadcl\t$0,%ebx\n\taddl\t%eax,%ecx\n\tadcl\t%edx,%ebp\n\tmovl\t24(%esi),%eax\n\tadcl\t$0,%ebx\n\tmovl\t16(%esi),%edx\n\t# sqr a[6]*a[4] \n\tmull\t%edx\n\taddl\t%eax,%eax\n\tadcl\t%edx,%edx\n\tadcl\t$0,%ebx\n\taddl\t%eax,%ecx\n\tadcl\t%edx,%ebp\n\tmovl\t20(%esi),%eax\n\tadcl\t$0,%ebx\n\t# sqr a[5]*a[5] \n\tmull\t%eax\n\taddl\t%eax,%ecx\n\tadcl\t%edx,%ebp\n\tmovl\t16(%esi),%edx\n\tadcl\t$0,%ebx\n\tmovl\t%ecx,40(%edi)\n\tmovl\t28(%esi),%eax\n\t# saved r[10] \n\t# ############### Calculate word 11 \n\txorl\t%ecx,%ecx\n\t# sqr a[7]*a[4] \n\tmull\t%edx\n\taddl\t%eax,%eax\n\tadcl\t%edx,%edx\n\tadcl\t$0,%ecx\n\taddl\t%eax,%ebp\n\tadcl\t%edx,%ebx\n\tmovl\t24(%esi),%eax\n\tadcl\t$0,%ecx\n\tmovl\t20(%esi),%edx\n\t# sqr a[6]*a[5] \n\tmull\t%edx\n\taddl\t%eax,%eax\n\tadcl\t%edx,%edx\n\tadcl\t$0,%ecx\n\taddl\t%eax,%ebp\n\tadcl\t%edx,%ebx\n\tmovl\t28(%esi),%eax\n\tadcl\t$0,%ecx\n\tmovl\t%ebp,44(%edi)\n\tmovl\t20(%esi),%edx\n\t# saved r[11] \n\t# ############### Calculate word 12 \n\txorl\t%ebp,%ebp\n\t# sqr a[7]*a[5] \n\tmull\t%edx\n\taddl\t%eax,%eax\n\tadcl\t%edx,%edx\n\tadcl\t$0,%ebp\n\taddl\t%eax,%ebx\n\tadcl\t%edx,%ecx\n\tmovl\t24(%esi),%eax\n\tadcl\t$0,%ebp\n\t# sqr a[6]*a[6] \n\tmull\t%eax\n\taddl\t%eax,%ebx\n\tadcl\t%edx,%ecx\n\tmovl\t24(%esi),%edx\n\tadcl\t$0,%ebp\n\tmovl\t%ebx,48(%edi)\n\tmovl\t28(%esi),%eax\n\t# saved r[12] \n\t# ############### Calculate word 13 \n\txorl\t%ebx,%ebx\n\t# sqr a[7]*a[6] \n\tmull\t%edx\n\taddl\t%eax,%eax\n\tadcl\t%edx,%edx\n\tadcl\t$0,%ebx\n\taddl\t%eax,%ecx\n\tadcl\t%edx,%ebp\n\tmovl\t28(%esi),%eax\n\tadcl\t$0,%ebx\n\tmovl\t%ecx,52(%edi)\n\t# saved r[13] \n\t# ############### Calculate word 14 \n\txorl\t%ecx,%ecx\n\t# sqr a[7]*a[7] \n\tmull\t%eax\n\taddl\t%eax,%ebp\n\tadcl\t%edx,%ebx\n\tadcl\t$0,%ecx\n\tmovl\t%ebp,56(%edi)\n\t# saved r[14] \n\tmovl\t%ebx,60(%edi)\n\tpopl\t%ebx\n\tpopl\t%ebp\n\tpopl\t%edi\n\tpopl\t%esi\n\tret\n.globl\t_bn_sqr_comba4\n.private_extern\t_bn_sqr_comba4\n.align\t4\n_bn_sqr_comba4:\nL_bn_sqr_comba4_begin:\n\tpushl\t%esi\n\tpushl\t%edi\n\tpushl\t%ebp\n\tpushl\t%ebx\n\tmovl\t20(%esp),%edi\n\tmovl\t24(%esp),%esi\n\txorl\t%ebx,%ebx\n\txorl\t%ecx,%ecx\n\tmovl\t(%esi),%eax\n\t# ############### Calculate word 0 \n\txorl\t%ebp,%ebp\n\t# sqr a[0]*a[0] \n\tmull\t%eax\n\taddl\t%eax,%ebx\n\tadcl\t%edx,%ecx\n\tmovl\t(%esi),%edx\n\tadcl\t$0,%ebp\n\tmovl\t%ebx,(%edi)\n\tmovl\t4(%esi),%eax\n\t# saved r[0] \n\t# ############### Calculate word 1 \n\txorl\t%ebx,%ebx\n\t# sqr a[1]*a[0] \n\tmull\t%edx\n\taddl\t%eax,%eax\n\tadcl\t%edx,%edx\n\tadcl\t$0,%ebx\n\taddl\t%eax,%ecx\n\tadcl\t%edx,%ebp\n\tmovl\t8(%esi),%eax\n\tadcl\t$0,%ebx\n\tmovl\t%ecx,4(%edi)\n\tmovl\t(%esi),%edx\n\t# saved r[1] \n\t# ############### Calculate word 2 \n\txorl\t%ecx,%ecx\n\t# sqr a[2]*a[0] \n\tmull\t%edx\n\taddl\t%eax,%eax\n\tadcl\t%edx,%edx\n\tadcl\t$0,%ecx\n\taddl\t%eax,%ebp\n\tadcl\t%edx,%ebx\n\tmovl\t4(%esi),%eax\n\tadcl\t$0,%ecx\n\t# sqr a[1]*a[1] \n\tmull\t%eax\n\taddl\t%eax,%ebp\n\tadcl\t%edx,%ebx\n\tmovl\t(%esi),%edx\n\tadcl\t$0,%ecx\n\tmovl\t%ebp,8(%edi)\n\tmovl\t12(%esi),%eax\n\t# saved r[2] \n\t# ############### Calculate word 3 \n\txorl\t%ebp,%ebp\n\t# sqr a[3]*a[0] \n\tmull\t%edx\n\taddl\t%eax,%eax\n\tadcl\t%edx,%edx\n\tadcl\t$0,%ebp\n\taddl\t%eax,%ebx\n\tadcl\t%edx,%ecx\n\tmovl\t8(%esi),%eax\n\tadcl\t$0,%ebp\n\tmovl\t4(%esi),%edx\n\t# sqr a[2]*a[1] \n\tmull\t%edx\n\taddl\t%eax,%eax\n\tadcl\t%edx,%edx\n\tadcl\t$0,%ebp\n\taddl\t%eax,%ebx\n\tadcl\t%edx,%ecx\n\tmovl\t12(%esi),%eax\n\tadcl\t$0,%ebp\n\tmovl\t%ebx,12(%edi)\n\tmovl\t4(%esi),%edx\n\t# saved r[3] \n\t# ############### Calculate word 4 \n\txorl\t%ebx,%ebx\n\t# sqr a[3]*a[1] \n\tmull\t%edx\n\taddl\t%eax,%eax\n\tadcl\t%edx,%edx\n\tadcl\t$0,%ebx\n\taddl\t%eax,%ecx\n\tadcl\t%edx,%ebp\n\tmovl\t8(%esi),%eax\n\tadcl\t$0,%ebx\n\t# sqr a[2]*a[2] \n\tmull\t%eax\n\taddl\t%eax,%ecx\n\tadcl\t%edx,%ebp\n\tmovl\t8(%esi),%edx\n\tadcl\t$0,%ebx\n\tmovl\t%ecx,16(%edi)\n\tmovl\t12(%esi),%eax\n\t# saved r[4] \n\t# ############### Calculate word 5 \n\txorl\t%ecx,%ecx\n\t# sqr a[3]*a[2] \n\tmull\t%edx\n\taddl\t%eax,%eax\n\tadcl\t%edx,%edx\n\tadcl\t$0,%ecx\n\taddl\t%eax,%ebp\n\tadcl\t%edx,%ebx\n\tmovl\t12(%esi),%eax\n\tadcl\t$0,%ecx\n\tmovl\t%ebp,20(%edi)\n\t# saved r[5] \n\t# ############### Calculate word 6 \n\txorl\t%ebp,%ebp\n\t# sqr a[3]*a[3] \n\tmull\t%eax\n\taddl\t%eax,%ebx\n\tadcl\t%edx,%ecx\n\tadcl\t$0,%ebp\n\tmovl\t%ebx,24(%edi)\n\t# saved r[6] \n\tmovl\t%ecx,28(%edi)\n\tpopl\t%ebx\n\tpopl\t%ebp\n\tpopl\t%edi\n\tpopl\t%esi\n\tret\n#endif // !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86) && defined(__APPLE__)\n#if defined(__linux__) && defined(__ELF__)\n.section .note.GNU-stack,\"\",%progbits\n#endif\n\n" }, { "path": "Sources/CNIOBoringSSL/gen/bcm/co-586-linux.S", "content": "#define BORINGSSL_PREFIX CNIOBoringSSL\n// This file is generated from a similarly-named Perl script in the BoringSSL\n// source tree. Do not edit by hand.\n\n#include \n\n#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86) && defined(__ELF__)\n.text\n.globl\tbn_mul_comba8\n.hidden\tbn_mul_comba8\n.type\tbn_mul_comba8,@function\n.align\t16\nbn_mul_comba8:\n.L_bn_mul_comba8_begin:\n\tpushl\t%esi\n\tmovl\t12(%esp),%esi\n\tpushl\t%edi\n\tmovl\t20(%esp),%edi\n\tpushl\t%ebp\n\tpushl\t%ebx\n\txorl\t%ebx,%ebx\n\tmovl\t(%esi),%eax\n\txorl\t%ecx,%ecx\n\tmovl\t(%edi),%edx\n\n\txorl\t%ebp,%ebp\n\n\tmull\t%edx\n\taddl\t%eax,%ebx\n\tmovl\t20(%esp),%eax\n\tadcl\t%edx,%ecx\n\tmovl\t(%edi),%edx\n\tadcl\t$0,%ebp\n\tmovl\t%ebx,(%eax)\n\tmovl\t4(%esi),%eax\n\n\n\txorl\t%ebx,%ebx\n\n\tmull\t%edx\n\taddl\t%eax,%ecx\n\tmovl\t(%esi),%eax\n\tadcl\t%edx,%ebp\n\tmovl\t4(%edi),%edx\n\tadcl\t$0,%ebx\n\n\tmull\t%edx\n\taddl\t%eax,%ecx\n\tmovl\t20(%esp),%eax\n\tadcl\t%edx,%ebp\n\tmovl\t(%edi),%edx\n\tadcl\t$0,%ebx\n\tmovl\t%ecx,4(%eax)\n\tmovl\t8(%esi),%eax\n\n\n\txorl\t%ecx,%ecx\n\n\tmull\t%edx\n\taddl\t%eax,%ebp\n\tmovl\t4(%esi),%eax\n\tadcl\t%edx,%ebx\n\tmovl\t4(%edi),%edx\n\tadcl\t$0,%ecx\n\n\tmull\t%edx\n\taddl\t%eax,%ebp\n\tmovl\t(%esi),%eax\n\tadcl\t%edx,%ebx\n\tmovl\t8(%edi),%edx\n\tadcl\t$0,%ecx\n\n\tmull\t%edx\n\taddl\t%eax,%ebp\n\tmovl\t20(%esp),%eax\n\tadcl\t%edx,%ebx\n\tmovl\t(%edi),%edx\n\tadcl\t$0,%ecx\n\tmovl\t%ebp,8(%eax)\n\tmovl\t12(%esi),%eax\n\n\n\txorl\t%ebp,%ebp\n\n\tmull\t%edx\n\taddl\t%eax,%ebx\n\tmovl\t8(%esi),%eax\n\tadcl\t%edx,%ecx\n\tmovl\t4(%edi),%edx\n\tadcl\t$0,%ebp\n\n\tmull\t%edx\n\taddl\t%eax,%ebx\n\tmovl\t4(%esi),%eax\n\tadcl\t%edx,%ecx\n\tmovl\t8(%edi),%edx\n\tadcl\t$0,%ebp\n\n\tmull\t%edx\n\taddl\t%eax,%ebx\n\tmovl\t(%esi),%eax\n\tadcl\t%edx,%ecx\n\tmovl\t12(%edi),%edx\n\tadcl\t$0,%ebp\n\n\tmull\t%edx\n\taddl\t%eax,%ebx\n\tmovl\t20(%esp),%eax\n\tadcl\t%edx,%ecx\n\tmovl\t(%edi),%edx\n\tadcl\t$0,%ebp\n\tmovl\t%ebx,12(%eax)\n\tmovl\t16(%esi),%eax\n\n\n\txorl\t%ebx,%ebx\n\n\tmull\t%edx\n\taddl\t%eax,%ecx\n\tmovl\t12(%esi),%eax\n\tadcl\t%edx,%ebp\n\tmovl\t4(%edi),%edx\n\tadcl\t$0,%ebx\n\n\tmull\t%edx\n\taddl\t%eax,%ecx\n\tmovl\t8(%esi),%eax\n\tadcl\t%edx,%ebp\n\tmovl\t8(%edi),%edx\n\tadcl\t$0,%ebx\n\n\tmull\t%edx\n\taddl\t%eax,%ecx\n\tmovl\t4(%esi),%eax\n\tadcl\t%edx,%ebp\n\tmovl\t12(%edi),%edx\n\tadcl\t$0,%ebx\n\n\tmull\t%edx\n\taddl\t%eax,%ecx\n\tmovl\t(%esi),%eax\n\tadcl\t%edx,%ebp\n\tmovl\t16(%edi),%edx\n\tadcl\t$0,%ebx\n\n\tmull\t%edx\n\taddl\t%eax,%ecx\n\tmovl\t20(%esp),%eax\n\tadcl\t%edx,%ebp\n\tmovl\t(%edi),%edx\n\tadcl\t$0,%ebx\n\tmovl\t%ecx,16(%eax)\n\tmovl\t20(%esi),%eax\n\n\n\txorl\t%ecx,%ecx\n\n\tmull\t%edx\n\taddl\t%eax,%ebp\n\tmovl\t16(%esi),%eax\n\tadcl\t%edx,%ebx\n\tmovl\t4(%edi),%edx\n\tadcl\t$0,%ecx\n\n\tmull\t%edx\n\taddl\t%eax,%ebp\n\tmovl\t12(%esi),%eax\n\tadcl\t%edx,%ebx\n\tmovl\t8(%edi),%edx\n\tadcl\t$0,%ecx\n\n\tmull\t%edx\n\taddl\t%eax,%ebp\n\tmovl\t8(%esi),%eax\n\tadcl\t%edx,%ebx\n\tmovl\t12(%edi),%edx\n\tadcl\t$0,%ecx\n\n\tmull\t%edx\n\taddl\t%eax,%ebp\n\tmovl\t4(%esi),%eax\n\tadcl\t%edx,%ebx\n\tmovl\t16(%edi),%edx\n\tadcl\t$0,%ecx\n\n\tmull\t%edx\n\taddl\t%eax,%ebp\n\tmovl\t(%esi),%eax\n\tadcl\t%edx,%ebx\n\tmovl\t20(%edi),%edx\n\tadcl\t$0,%ecx\n\n\tmull\t%edx\n\taddl\t%eax,%ebp\n\tmovl\t20(%esp),%eax\n\tadcl\t%edx,%ebx\n\tmovl\t(%edi),%edx\n\tadcl\t$0,%ecx\n\tmovl\t%ebp,20(%eax)\n\tmovl\t24(%esi),%eax\n\n\n\txorl\t%ebp,%ebp\n\n\tmull\t%edx\n\taddl\t%eax,%ebx\n\tmovl\t20(%esi),%eax\n\tadcl\t%edx,%ecx\n\tmovl\t4(%edi),%edx\n\tadcl\t$0,%ebp\n\n\tmull\t%edx\n\taddl\t%eax,%ebx\n\tmovl\t16(%esi),%eax\n\tadcl\t%edx,%ecx\n\tmovl\t8(%edi),%edx\n\tadcl\t$0,%ebp\n\n\tmull\t%edx\n\taddl\t%eax,%ebx\n\tmovl\t12(%esi),%eax\n\tadcl\t%edx,%ecx\n\tmovl\t12(%edi),%edx\n\tadcl\t$0,%ebp\n\n\tmull\t%edx\n\taddl\t%eax,%ebx\n\tmovl\t8(%esi),%eax\n\tadcl\t%edx,%ecx\n\tmovl\t16(%edi),%edx\n\tadcl\t$0,%ebp\n\n\tmull\t%edx\n\taddl\t%eax,%ebx\n\tmovl\t4(%esi),%eax\n\tadcl\t%edx,%ecx\n\tmovl\t20(%edi),%edx\n\tadcl\t$0,%ebp\n\n\tmull\t%edx\n\taddl\t%eax,%ebx\n\tmovl\t(%esi),%eax\n\tadcl\t%edx,%ecx\n\tmovl\t24(%edi),%edx\n\tadcl\t$0,%ebp\n\n\tmull\t%edx\n\taddl\t%eax,%ebx\n\tmovl\t20(%esp),%eax\n\tadcl\t%edx,%ecx\n\tmovl\t(%edi),%edx\n\tadcl\t$0,%ebp\n\tmovl\t%ebx,24(%eax)\n\tmovl\t28(%esi),%eax\n\n\n\txorl\t%ebx,%ebx\n\n\tmull\t%edx\n\taddl\t%eax,%ecx\n\tmovl\t24(%esi),%eax\n\tadcl\t%edx,%ebp\n\tmovl\t4(%edi),%edx\n\tadcl\t$0,%ebx\n\n\tmull\t%edx\n\taddl\t%eax,%ecx\n\tmovl\t20(%esi),%eax\n\tadcl\t%edx,%ebp\n\tmovl\t8(%edi),%edx\n\tadcl\t$0,%ebx\n\n\tmull\t%edx\n\taddl\t%eax,%ecx\n\tmovl\t16(%esi),%eax\n\tadcl\t%edx,%ebp\n\tmovl\t12(%edi),%edx\n\tadcl\t$0,%ebx\n\n\tmull\t%edx\n\taddl\t%eax,%ecx\n\tmovl\t12(%esi),%eax\n\tadcl\t%edx,%ebp\n\tmovl\t16(%edi),%edx\n\tadcl\t$0,%ebx\n\n\tmull\t%edx\n\taddl\t%eax,%ecx\n\tmovl\t8(%esi),%eax\n\tadcl\t%edx,%ebp\n\tmovl\t20(%edi),%edx\n\tadcl\t$0,%ebx\n\n\tmull\t%edx\n\taddl\t%eax,%ecx\n\tmovl\t4(%esi),%eax\n\tadcl\t%edx,%ebp\n\tmovl\t24(%edi),%edx\n\tadcl\t$0,%ebx\n\n\tmull\t%edx\n\taddl\t%eax,%ecx\n\tmovl\t(%esi),%eax\n\tadcl\t%edx,%ebp\n\tmovl\t28(%edi),%edx\n\tadcl\t$0,%ebx\n\n\tmull\t%edx\n\taddl\t%eax,%ecx\n\tmovl\t20(%esp),%eax\n\tadcl\t%edx,%ebp\n\tmovl\t4(%edi),%edx\n\tadcl\t$0,%ebx\n\tmovl\t%ecx,28(%eax)\n\tmovl\t28(%esi),%eax\n\n\n\txorl\t%ecx,%ecx\n\n\tmull\t%edx\n\taddl\t%eax,%ebp\n\tmovl\t24(%esi),%eax\n\tadcl\t%edx,%ebx\n\tmovl\t8(%edi),%edx\n\tadcl\t$0,%ecx\n\n\tmull\t%edx\n\taddl\t%eax,%ebp\n\tmovl\t20(%esi),%eax\n\tadcl\t%edx,%ebx\n\tmovl\t12(%edi),%edx\n\tadcl\t$0,%ecx\n\n\tmull\t%edx\n\taddl\t%eax,%ebp\n\tmovl\t16(%esi),%eax\n\tadcl\t%edx,%ebx\n\tmovl\t16(%edi),%edx\n\tadcl\t$0,%ecx\n\n\tmull\t%edx\n\taddl\t%eax,%ebp\n\tmovl\t12(%esi),%eax\n\tadcl\t%edx,%ebx\n\tmovl\t20(%edi),%edx\n\tadcl\t$0,%ecx\n\n\tmull\t%edx\n\taddl\t%eax,%ebp\n\tmovl\t8(%esi),%eax\n\tadcl\t%edx,%ebx\n\tmovl\t24(%edi),%edx\n\tadcl\t$0,%ecx\n\n\tmull\t%edx\n\taddl\t%eax,%ebp\n\tmovl\t4(%esi),%eax\n\tadcl\t%edx,%ebx\n\tmovl\t28(%edi),%edx\n\tadcl\t$0,%ecx\n\n\tmull\t%edx\n\taddl\t%eax,%ebp\n\tmovl\t20(%esp),%eax\n\tadcl\t%edx,%ebx\n\tmovl\t8(%edi),%edx\n\tadcl\t$0,%ecx\n\tmovl\t%ebp,32(%eax)\n\tmovl\t28(%esi),%eax\n\n\n\txorl\t%ebp,%ebp\n\n\tmull\t%edx\n\taddl\t%eax,%ebx\n\tmovl\t24(%esi),%eax\n\tadcl\t%edx,%ecx\n\tmovl\t12(%edi),%edx\n\tadcl\t$0,%ebp\n\n\tmull\t%edx\n\taddl\t%eax,%ebx\n\tmovl\t20(%esi),%eax\n\tadcl\t%edx,%ecx\n\tmovl\t16(%edi),%edx\n\tadcl\t$0,%ebp\n\n\tmull\t%edx\n\taddl\t%eax,%ebx\n\tmovl\t16(%esi),%eax\n\tadcl\t%edx,%ecx\n\tmovl\t20(%edi),%edx\n\tadcl\t$0,%ebp\n\n\tmull\t%edx\n\taddl\t%eax,%ebx\n\tmovl\t12(%esi),%eax\n\tadcl\t%edx,%ecx\n\tmovl\t24(%edi),%edx\n\tadcl\t$0,%ebp\n\n\tmull\t%edx\n\taddl\t%eax,%ebx\n\tmovl\t8(%esi),%eax\n\tadcl\t%edx,%ecx\n\tmovl\t28(%edi),%edx\n\tadcl\t$0,%ebp\n\n\tmull\t%edx\n\taddl\t%eax,%ebx\n\tmovl\t20(%esp),%eax\n\tadcl\t%edx,%ecx\n\tmovl\t12(%edi),%edx\n\tadcl\t$0,%ebp\n\tmovl\t%ebx,36(%eax)\n\tmovl\t28(%esi),%eax\n\n\n\txorl\t%ebx,%ebx\n\n\tmull\t%edx\n\taddl\t%eax,%ecx\n\tmovl\t24(%esi),%eax\n\tadcl\t%edx,%ebp\n\tmovl\t16(%edi),%edx\n\tadcl\t$0,%ebx\n\n\tmull\t%edx\n\taddl\t%eax,%ecx\n\tmovl\t20(%esi),%eax\n\tadcl\t%edx,%ebp\n\tmovl\t20(%edi),%edx\n\tadcl\t$0,%ebx\n\n\tmull\t%edx\n\taddl\t%eax,%ecx\n\tmovl\t16(%esi),%eax\n\tadcl\t%edx,%ebp\n\tmovl\t24(%edi),%edx\n\tadcl\t$0,%ebx\n\n\tmull\t%edx\n\taddl\t%eax,%ecx\n\tmovl\t12(%esi),%eax\n\tadcl\t%edx,%ebp\n\tmovl\t28(%edi),%edx\n\tadcl\t$0,%ebx\n\n\tmull\t%edx\n\taddl\t%eax,%ecx\n\tmovl\t20(%esp),%eax\n\tadcl\t%edx,%ebp\n\tmovl\t16(%edi),%edx\n\tadcl\t$0,%ebx\n\tmovl\t%ecx,40(%eax)\n\tmovl\t28(%esi),%eax\n\n\n\txorl\t%ecx,%ecx\n\n\tmull\t%edx\n\taddl\t%eax,%ebp\n\tmovl\t24(%esi),%eax\n\tadcl\t%edx,%ebx\n\tmovl\t20(%edi),%edx\n\tadcl\t$0,%ecx\n\n\tmull\t%edx\n\taddl\t%eax,%ebp\n\tmovl\t20(%esi),%eax\n\tadcl\t%edx,%ebx\n\tmovl\t24(%edi),%edx\n\tadcl\t$0,%ecx\n\n\tmull\t%edx\n\taddl\t%eax,%ebp\n\tmovl\t16(%esi),%eax\n\tadcl\t%edx,%ebx\n\tmovl\t28(%edi),%edx\n\tadcl\t$0,%ecx\n\n\tmull\t%edx\n\taddl\t%eax,%ebp\n\tmovl\t20(%esp),%eax\n\tadcl\t%edx,%ebx\n\tmovl\t20(%edi),%edx\n\tadcl\t$0,%ecx\n\tmovl\t%ebp,44(%eax)\n\tmovl\t28(%esi),%eax\n\n\n\txorl\t%ebp,%ebp\n\n\tmull\t%edx\n\taddl\t%eax,%ebx\n\tmovl\t24(%esi),%eax\n\tadcl\t%edx,%ecx\n\tmovl\t24(%edi),%edx\n\tadcl\t$0,%ebp\n\n\tmull\t%edx\n\taddl\t%eax,%ebx\n\tmovl\t20(%esi),%eax\n\tadcl\t%edx,%ecx\n\tmovl\t28(%edi),%edx\n\tadcl\t$0,%ebp\n\n\tmull\t%edx\n\taddl\t%eax,%ebx\n\tmovl\t20(%esp),%eax\n\tadcl\t%edx,%ecx\n\tmovl\t24(%edi),%edx\n\tadcl\t$0,%ebp\n\tmovl\t%ebx,48(%eax)\n\tmovl\t28(%esi),%eax\n\n\n\txorl\t%ebx,%ebx\n\n\tmull\t%edx\n\taddl\t%eax,%ecx\n\tmovl\t24(%esi),%eax\n\tadcl\t%edx,%ebp\n\tmovl\t28(%edi),%edx\n\tadcl\t$0,%ebx\n\n\tmull\t%edx\n\taddl\t%eax,%ecx\n\tmovl\t20(%esp),%eax\n\tadcl\t%edx,%ebp\n\tmovl\t28(%edi),%edx\n\tadcl\t$0,%ebx\n\tmovl\t%ecx,52(%eax)\n\tmovl\t28(%esi),%eax\n\n\n\txorl\t%ecx,%ecx\n\n\tmull\t%edx\n\taddl\t%eax,%ebp\n\tmovl\t20(%esp),%eax\n\tadcl\t%edx,%ebx\n\tadcl\t$0,%ecx\n\tmovl\t%ebp,56(%eax)\n\n\n\tmovl\t%ebx,60(%eax)\n\tpopl\t%ebx\n\tpopl\t%ebp\n\tpopl\t%edi\n\tpopl\t%esi\n\tret\n.size\tbn_mul_comba8,.-.L_bn_mul_comba8_begin\n.globl\tbn_mul_comba4\n.hidden\tbn_mul_comba4\n.type\tbn_mul_comba4,@function\n.align\t16\nbn_mul_comba4:\n.L_bn_mul_comba4_begin:\n\tpushl\t%esi\n\tmovl\t12(%esp),%esi\n\tpushl\t%edi\n\tmovl\t20(%esp),%edi\n\tpushl\t%ebp\n\tpushl\t%ebx\n\txorl\t%ebx,%ebx\n\tmovl\t(%esi),%eax\n\txorl\t%ecx,%ecx\n\tmovl\t(%edi),%edx\n\n\txorl\t%ebp,%ebp\n\n\tmull\t%edx\n\taddl\t%eax,%ebx\n\tmovl\t20(%esp),%eax\n\tadcl\t%edx,%ecx\n\tmovl\t(%edi),%edx\n\tadcl\t$0,%ebp\n\tmovl\t%ebx,(%eax)\n\tmovl\t4(%esi),%eax\n\n\n\txorl\t%ebx,%ebx\n\n\tmull\t%edx\n\taddl\t%eax,%ecx\n\tmovl\t(%esi),%eax\n\tadcl\t%edx,%ebp\n\tmovl\t4(%edi),%edx\n\tadcl\t$0,%ebx\n\n\tmull\t%edx\n\taddl\t%eax,%ecx\n\tmovl\t20(%esp),%eax\n\tadcl\t%edx,%ebp\n\tmovl\t(%edi),%edx\n\tadcl\t$0,%ebx\n\tmovl\t%ecx,4(%eax)\n\tmovl\t8(%esi),%eax\n\n\n\txorl\t%ecx,%ecx\n\n\tmull\t%edx\n\taddl\t%eax,%ebp\n\tmovl\t4(%esi),%eax\n\tadcl\t%edx,%ebx\n\tmovl\t4(%edi),%edx\n\tadcl\t$0,%ecx\n\n\tmull\t%edx\n\taddl\t%eax,%ebp\n\tmovl\t(%esi),%eax\n\tadcl\t%edx,%ebx\n\tmovl\t8(%edi),%edx\n\tadcl\t$0,%ecx\n\n\tmull\t%edx\n\taddl\t%eax,%ebp\n\tmovl\t20(%esp),%eax\n\tadcl\t%edx,%ebx\n\tmovl\t(%edi),%edx\n\tadcl\t$0,%ecx\n\tmovl\t%ebp,8(%eax)\n\tmovl\t12(%esi),%eax\n\n\n\txorl\t%ebp,%ebp\n\n\tmull\t%edx\n\taddl\t%eax,%ebx\n\tmovl\t8(%esi),%eax\n\tadcl\t%edx,%ecx\n\tmovl\t4(%edi),%edx\n\tadcl\t$0,%ebp\n\n\tmull\t%edx\n\taddl\t%eax,%ebx\n\tmovl\t4(%esi),%eax\n\tadcl\t%edx,%ecx\n\tmovl\t8(%edi),%edx\n\tadcl\t$0,%ebp\n\n\tmull\t%edx\n\taddl\t%eax,%ebx\n\tmovl\t(%esi),%eax\n\tadcl\t%edx,%ecx\n\tmovl\t12(%edi),%edx\n\tadcl\t$0,%ebp\n\n\tmull\t%edx\n\taddl\t%eax,%ebx\n\tmovl\t20(%esp),%eax\n\tadcl\t%edx,%ecx\n\tmovl\t4(%edi),%edx\n\tadcl\t$0,%ebp\n\tmovl\t%ebx,12(%eax)\n\tmovl\t12(%esi),%eax\n\n\n\txorl\t%ebx,%ebx\n\n\tmull\t%edx\n\taddl\t%eax,%ecx\n\tmovl\t8(%esi),%eax\n\tadcl\t%edx,%ebp\n\tmovl\t8(%edi),%edx\n\tadcl\t$0,%ebx\n\n\tmull\t%edx\n\taddl\t%eax,%ecx\n\tmovl\t4(%esi),%eax\n\tadcl\t%edx,%ebp\n\tmovl\t12(%edi),%edx\n\tadcl\t$0,%ebx\n\n\tmull\t%edx\n\taddl\t%eax,%ecx\n\tmovl\t20(%esp),%eax\n\tadcl\t%edx,%ebp\n\tmovl\t8(%edi),%edx\n\tadcl\t$0,%ebx\n\tmovl\t%ecx,16(%eax)\n\tmovl\t12(%esi),%eax\n\n\n\txorl\t%ecx,%ecx\n\n\tmull\t%edx\n\taddl\t%eax,%ebp\n\tmovl\t8(%esi),%eax\n\tadcl\t%edx,%ebx\n\tmovl\t12(%edi),%edx\n\tadcl\t$0,%ecx\n\n\tmull\t%edx\n\taddl\t%eax,%ebp\n\tmovl\t20(%esp),%eax\n\tadcl\t%edx,%ebx\n\tmovl\t12(%edi),%edx\n\tadcl\t$0,%ecx\n\tmovl\t%ebp,20(%eax)\n\tmovl\t12(%esi),%eax\n\n\n\txorl\t%ebp,%ebp\n\n\tmull\t%edx\n\taddl\t%eax,%ebx\n\tmovl\t20(%esp),%eax\n\tadcl\t%edx,%ecx\n\tadcl\t$0,%ebp\n\tmovl\t%ebx,24(%eax)\n\n\n\tmovl\t%ecx,28(%eax)\n\tpopl\t%ebx\n\tpopl\t%ebp\n\tpopl\t%edi\n\tpopl\t%esi\n\tret\n.size\tbn_mul_comba4,.-.L_bn_mul_comba4_begin\n.globl\tbn_sqr_comba8\n.hidden\tbn_sqr_comba8\n.type\tbn_sqr_comba8,@function\n.align\t16\nbn_sqr_comba8:\n.L_bn_sqr_comba8_begin:\n\tpushl\t%esi\n\tpushl\t%edi\n\tpushl\t%ebp\n\tpushl\t%ebx\n\tmovl\t20(%esp),%edi\n\tmovl\t24(%esp),%esi\n\txorl\t%ebx,%ebx\n\txorl\t%ecx,%ecx\n\tmovl\t(%esi),%eax\n\n\txorl\t%ebp,%ebp\n\n\tmull\t%eax\n\taddl\t%eax,%ebx\n\tadcl\t%edx,%ecx\n\tmovl\t(%esi),%edx\n\tadcl\t$0,%ebp\n\tmovl\t%ebx,(%edi)\n\tmovl\t4(%esi),%eax\n\n\n\txorl\t%ebx,%ebx\n\n\tmull\t%edx\n\taddl\t%eax,%eax\n\tadcl\t%edx,%edx\n\tadcl\t$0,%ebx\n\taddl\t%eax,%ecx\n\tadcl\t%edx,%ebp\n\tmovl\t8(%esi),%eax\n\tadcl\t$0,%ebx\n\tmovl\t%ecx,4(%edi)\n\tmovl\t(%esi),%edx\n\n\n\txorl\t%ecx,%ecx\n\n\tmull\t%edx\n\taddl\t%eax,%eax\n\tadcl\t%edx,%edx\n\tadcl\t$0,%ecx\n\taddl\t%eax,%ebp\n\tadcl\t%edx,%ebx\n\tmovl\t4(%esi),%eax\n\tadcl\t$0,%ecx\n\n\tmull\t%eax\n\taddl\t%eax,%ebp\n\tadcl\t%edx,%ebx\n\tmovl\t(%esi),%edx\n\tadcl\t$0,%ecx\n\tmovl\t%ebp,8(%edi)\n\tmovl\t12(%esi),%eax\n\n\n\txorl\t%ebp,%ebp\n\n\tmull\t%edx\n\taddl\t%eax,%eax\n\tadcl\t%edx,%edx\n\tadcl\t$0,%ebp\n\taddl\t%eax,%ebx\n\tadcl\t%edx,%ecx\n\tmovl\t8(%esi),%eax\n\tadcl\t$0,%ebp\n\tmovl\t4(%esi),%edx\n\n\tmull\t%edx\n\taddl\t%eax,%eax\n\tadcl\t%edx,%edx\n\tadcl\t$0,%ebp\n\taddl\t%eax,%ebx\n\tadcl\t%edx,%ecx\n\tmovl\t16(%esi),%eax\n\tadcl\t$0,%ebp\n\tmovl\t%ebx,12(%edi)\n\tmovl\t(%esi),%edx\n\n\n\txorl\t%ebx,%ebx\n\n\tmull\t%edx\n\taddl\t%eax,%eax\n\tadcl\t%edx,%edx\n\tadcl\t$0,%ebx\n\taddl\t%eax,%ecx\n\tadcl\t%edx,%ebp\n\tmovl\t12(%esi),%eax\n\tadcl\t$0,%ebx\n\tmovl\t4(%esi),%edx\n\n\tmull\t%edx\n\taddl\t%eax,%eax\n\tadcl\t%edx,%edx\n\tadcl\t$0,%ebx\n\taddl\t%eax,%ecx\n\tadcl\t%edx,%ebp\n\tmovl\t8(%esi),%eax\n\tadcl\t$0,%ebx\n\n\tmull\t%eax\n\taddl\t%eax,%ecx\n\tadcl\t%edx,%ebp\n\tmovl\t(%esi),%edx\n\tadcl\t$0,%ebx\n\tmovl\t%ecx,16(%edi)\n\tmovl\t20(%esi),%eax\n\n\n\txorl\t%ecx,%ecx\n\n\tmull\t%edx\n\taddl\t%eax,%eax\n\tadcl\t%edx,%edx\n\tadcl\t$0,%ecx\n\taddl\t%eax,%ebp\n\tadcl\t%edx,%ebx\n\tmovl\t16(%esi),%eax\n\tadcl\t$0,%ecx\n\tmovl\t4(%esi),%edx\n\n\tmull\t%edx\n\taddl\t%eax,%eax\n\tadcl\t%edx,%edx\n\tadcl\t$0,%ecx\n\taddl\t%eax,%ebp\n\tadcl\t%edx,%ebx\n\tmovl\t12(%esi),%eax\n\tadcl\t$0,%ecx\n\tmovl\t8(%esi),%edx\n\n\tmull\t%edx\n\taddl\t%eax,%eax\n\tadcl\t%edx,%edx\n\tadcl\t$0,%ecx\n\taddl\t%eax,%ebp\n\tadcl\t%edx,%ebx\n\tmovl\t24(%esi),%eax\n\tadcl\t$0,%ecx\n\tmovl\t%ebp,20(%edi)\n\tmovl\t(%esi),%edx\n\n\n\txorl\t%ebp,%ebp\n\n\tmull\t%edx\n\taddl\t%eax,%eax\n\tadcl\t%edx,%edx\n\tadcl\t$0,%ebp\n\taddl\t%eax,%ebx\n\tadcl\t%edx,%ecx\n\tmovl\t20(%esi),%eax\n\tadcl\t$0,%ebp\n\tmovl\t4(%esi),%edx\n\n\tmull\t%edx\n\taddl\t%eax,%eax\n\tadcl\t%edx,%edx\n\tadcl\t$0,%ebp\n\taddl\t%eax,%ebx\n\tadcl\t%edx,%ecx\n\tmovl\t16(%esi),%eax\n\tadcl\t$0,%ebp\n\tmovl\t8(%esi),%edx\n\n\tmull\t%edx\n\taddl\t%eax,%eax\n\tadcl\t%edx,%edx\n\tadcl\t$0,%ebp\n\taddl\t%eax,%ebx\n\tadcl\t%edx,%ecx\n\tmovl\t12(%esi),%eax\n\tadcl\t$0,%ebp\n\n\tmull\t%eax\n\taddl\t%eax,%ebx\n\tadcl\t%edx,%ecx\n\tmovl\t(%esi),%edx\n\tadcl\t$0,%ebp\n\tmovl\t%ebx,24(%edi)\n\tmovl\t28(%esi),%eax\n\n\n\txorl\t%ebx,%ebx\n\n\tmull\t%edx\n\taddl\t%eax,%eax\n\tadcl\t%edx,%edx\n\tadcl\t$0,%ebx\n\taddl\t%eax,%ecx\n\tadcl\t%edx,%ebp\n\tmovl\t24(%esi),%eax\n\tadcl\t$0,%ebx\n\tmovl\t4(%esi),%edx\n\n\tmull\t%edx\n\taddl\t%eax,%eax\n\tadcl\t%edx,%edx\n\tadcl\t$0,%ebx\n\taddl\t%eax,%ecx\n\tadcl\t%edx,%ebp\n\tmovl\t20(%esi),%eax\n\tadcl\t$0,%ebx\n\tmovl\t8(%esi),%edx\n\n\tmull\t%edx\n\taddl\t%eax,%eax\n\tadcl\t%edx,%edx\n\tadcl\t$0,%ebx\n\taddl\t%eax,%ecx\n\tadcl\t%edx,%ebp\n\tmovl\t16(%esi),%eax\n\tadcl\t$0,%ebx\n\tmovl\t12(%esi),%edx\n\n\tmull\t%edx\n\taddl\t%eax,%eax\n\tadcl\t%edx,%edx\n\tadcl\t$0,%ebx\n\taddl\t%eax,%ecx\n\tadcl\t%edx,%ebp\n\tmovl\t28(%esi),%eax\n\tadcl\t$0,%ebx\n\tmovl\t%ecx,28(%edi)\n\tmovl\t4(%esi),%edx\n\n\n\txorl\t%ecx,%ecx\n\n\tmull\t%edx\n\taddl\t%eax,%eax\n\tadcl\t%edx,%edx\n\tadcl\t$0,%ecx\n\taddl\t%eax,%ebp\n\tadcl\t%edx,%ebx\n\tmovl\t24(%esi),%eax\n\tadcl\t$0,%ecx\n\tmovl\t8(%esi),%edx\n\n\tmull\t%edx\n\taddl\t%eax,%eax\n\tadcl\t%edx,%edx\n\tadcl\t$0,%ecx\n\taddl\t%eax,%ebp\n\tadcl\t%edx,%ebx\n\tmovl\t20(%esi),%eax\n\tadcl\t$0,%ecx\n\tmovl\t12(%esi),%edx\n\n\tmull\t%edx\n\taddl\t%eax,%eax\n\tadcl\t%edx,%edx\n\tadcl\t$0,%ecx\n\taddl\t%eax,%ebp\n\tadcl\t%edx,%ebx\n\tmovl\t16(%esi),%eax\n\tadcl\t$0,%ecx\n\n\tmull\t%eax\n\taddl\t%eax,%ebp\n\tadcl\t%edx,%ebx\n\tmovl\t8(%esi),%edx\n\tadcl\t$0,%ecx\n\tmovl\t%ebp,32(%edi)\n\tmovl\t28(%esi),%eax\n\n\n\txorl\t%ebp,%ebp\n\n\tmull\t%edx\n\taddl\t%eax,%eax\n\tadcl\t%edx,%edx\n\tadcl\t$0,%ebp\n\taddl\t%eax,%ebx\n\tadcl\t%edx,%ecx\n\tmovl\t24(%esi),%eax\n\tadcl\t$0,%ebp\n\tmovl\t12(%esi),%edx\n\n\tmull\t%edx\n\taddl\t%eax,%eax\n\tadcl\t%edx,%edx\n\tadcl\t$0,%ebp\n\taddl\t%eax,%ebx\n\tadcl\t%edx,%ecx\n\tmovl\t20(%esi),%eax\n\tadcl\t$0,%ebp\n\tmovl\t16(%esi),%edx\n\n\tmull\t%edx\n\taddl\t%eax,%eax\n\tadcl\t%edx,%edx\n\tadcl\t$0,%ebp\n\taddl\t%eax,%ebx\n\tadcl\t%edx,%ecx\n\tmovl\t28(%esi),%eax\n\tadcl\t$0,%ebp\n\tmovl\t%ebx,36(%edi)\n\tmovl\t12(%esi),%edx\n\n\n\txorl\t%ebx,%ebx\n\n\tmull\t%edx\n\taddl\t%eax,%eax\n\tadcl\t%edx,%edx\n\tadcl\t$0,%ebx\n\taddl\t%eax,%ecx\n\tadcl\t%edx,%ebp\n\tmovl\t24(%esi),%eax\n\tadcl\t$0,%ebx\n\tmovl\t16(%esi),%edx\n\n\tmull\t%edx\n\taddl\t%eax,%eax\n\tadcl\t%edx,%edx\n\tadcl\t$0,%ebx\n\taddl\t%eax,%ecx\n\tadcl\t%edx,%ebp\n\tmovl\t20(%esi),%eax\n\tadcl\t$0,%ebx\n\n\tmull\t%eax\n\taddl\t%eax,%ecx\n\tadcl\t%edx,%ebp\n\tmovl\t16(%esi),%edx\n\tadcl\t$0,%ebx\n\tmovl\t%ecx,40(%edi)\n\tmovl\t28(%esi),%eax\n\n\n\txorl\t%ecx,%ecx\n\n\tmull\t%edx\n\taddl\t%eax,%eax\n\tadcl\t%edx,%edx\n\tadcl\t$0,%ecx\n\taddl\t%eax,%ebp\n\tadcl\t%edx,%ebx\n\tmovl\t24(%esi),%eax\n\tadcl\t$0,%ecx\n\tmovl\t20(%esi),%edx\n\n\tmull\t%edx\n\taddl\t%eax,%eax\n\tadcl\t%edx,%edx\n\tadcl\t$0,%ecx\n\taddl\t%eax,%ebp\n\tadcl\t%edx,%ebx\n\tmovl\t28(%esi),%eax\n\tadcl\t$0,%ecx\n\tmovl\t%ebp,44(%edi)\n\tmovl\t20(%esi),%edx\n\n\n\txorl\t%ebp,%ebp\n\n\tmull\t%edx\n\taddl\t%eax,%eax\n\tadcl\t%edx,%edx\n\tadcl\t$0,%ebp\n\taddl\t%eax,%ebx\n\tadcl\t%edx,%ecx\n\tmovl\t24(%esi),%eax\n\tadcl\t$0,%ebp\n\n\tmull\t%eax\n\taddl\t%eax,%ebx\n\tadcl\t%edx,%ecx\n\tmovl\t24(%esi),%edx\n\tadcl\t$0,%ebp\n\tmovl\t%ebx,48(%edi)\n\tmovl\t28(%esi),%eax\n\n\n\txorl\t%ebx,%ebx\n\n\tmull\t%edx\n\taddl\t%eax,%eax\n\tadcl\t%edx,%edx\n\tadcl\t$0,%ebx\n\taddl\t%eax,%ecx\n\tadcl\t%edx,%ebp\n\tmovl\t28(%esi),%eax\n\tadcl\t$0,%ebx\n\tmovl\t%ecx,52(%edi)\n\n\n\txorl\t%ecx,%ecx\n\n\tmull\t%eax\n\taddl\t%eax,%ebp\n\tadcl\t%edx,%ebx\n\tadcl\t$0,%ecx\n\tmovl\t%ebp,56(%edi)\n\n\tmovl\t%ebx,60(%edi)\n\tpopl\t%ebx\n\tpopl\t%ebp\n\tpopl\t%edi\n\tpopl\t%esi\n\tret\n.size\tbn_sqr_comba8,.-.L_bn_sqr_comba8_begin\n.globl\tbn_sqr_comba4\n.hidden\tbn_sqr_comba4\n.type\tbn_sqr_comba4,@function\n.align\t16\nbn_sqr_comba4:\n.L_bn_sqr_comba4_begin:\n\tpushl\t%esi\n\tpushl\t%edi\n\tpushl\t%ebp\n\tpushl\t%ebx\n\tmovl\t20(%esp),%edi\n\tmovl\t24(%esp),%esi\n\txorl\t%ebx,%ebx\n\txorl\t%ecx,%ecx\n\tmovl\t(%esi),%eax\n\n\txorl\t%ebp,%ebp\n\n\tmull\t%eax\n\taddl\t%eax,%ebx\n\tadcl\t%edx,%ecx\n\tmovl\t(%esi),%edx\n\tadcl\t$0,%ebp\n\tmovl\t%ebx,(%edi)\n\tmovl\t4(%esi),%eax\n\n\n\txorl\t%ebx,%ebx\n\n\tmull\t%edx\n\taddl\t%eax,%eax\n\tadcl\t%edx,%edx\n\tadcl\t$0,%ebx\n\taddl\t%eax,%ecx\n\tadcl\t%edx,%ebp\n\tmovl\t8(%esi),%eax\n\tadcl\t$0,%ebx\n\tmovl\t%ecx,4(%edi)\n\tmovl\t(%esi),%edx\n\n\n\txorl\t%ecx,%ecx\n\n\tmull\t%edx\n\taddl\t%eax,%eax\n\tadcl\t%edx,%edx\n\tadcl\t$0,%ecx\n\taddl\t%eax,%ebp\n\tadcl\t%edx,%ebx\n\tmovl\t4(%esi),%eax\n\tadcl\t$0,%ecx\n\n\tmull\t%eax\n\taddl\t%eax,%ebp\n\tadcl\t%edx,%ebx\n\tmovl\t(%esi),%edx\n\tadcl\t$0,%ecx\n\tmovl\t%ebp,8(%edi)\n\tmovl\t12(%esi),%eax\n\n\n\txorl\t%ebp,%ebp\n\n\tmull\t%edx\n\taddl\t%eax,%eax\n\tadcl\t%edx,%edx\n\tadcl\t$0,%ebp\n\taddl\t%eax,%ebx\n\tadcl\t%edx,%ecx\n\tmovl\t8(%esi),%eax\n\tadcl\t$0,%ebp\n\tmovl\t4(%esi),%edx\n\n\tmull\t%edx\n\taddl\t%eax,%eax\n\tadcl\t%edx,%edx\n\tadcl\t$0,%ebp\n\taddl\t%eax,%ebx\n\tadcl\t%edx,%ecx\n\tmovl\t12(%esi),%eax\n\tadcl\t$0,%ebp\n\tmovl\t%ebx,12(%edi)\n\tmovl\t4(%esi),%edx\n\n\n\txorl\t%ebx,%ebx\n\n\tmull\t%edx\n\taddl\t%eax,%eax\n\tadcl\t%edx,%edx\n\tadcl\t$0,%ebx\n\taddl\t%eax,%ecx\n\tadcl\t%edx,%ebp\n\tmovl\t8(%esi),%eax\n\tadcl\t$0,%ebx\n\n\tmull\t%eax\n\taddl\t%eax,%ecx\n\tadcl\t%edx,%ebp\n\tmovl\t8(%esi),%edx\n\tadcl\t$0,%ebx\n\tmovl\t%ecx,16(%edi)\n\tmovl\t12(%esi),%eax\n\n\n\txorl\t%ecx,%ecx\n\n\tmull\t%edx\n\taddl\t%eax,%eax\n\tadcl\t%edx,%edx\n\tadcl\t$0,%ecx\n\taddl\t%eax,%ebp\n\tadcl\t%edx,%ebx\n\tmovl\t12(%esi),%eax\n\tadcl\t$0,%ecx\n\tmovl\t%ebp,20(%edi)\n\n\n\txorl\t%ebp,%ebp\n\n\tmull\t%eax\n\taddl\t%eax,%ebx\n\tadcl\t%edx,%ecx\n\tadcl\t$0,%ebp\n\tmovl\t%ebx,24(%edi)\n\n\tmovl\t%ecx,28(%edi)\n\tpopl\t%ebx\n\tpopl\t%ebp\n\tpopl\t%edi\n\tpopl\t%esi\n\tret\n.size\tbn_sqr_comba4,.-.L_bn_sqr_comba4_begin\n#endif // !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86) && defined(__ELF__)\n#if defined(__linux__) && defined(__ELF__)\n.section .note.GNU-stack,\"\",%progbits\n#endif\n\n" }, { "path": "Sources/CNIOBoringSSL/gen/bcm/ghash-armv4-linux.S", "content": "#define BORINGSSL_PREFIX CNIOBoringSSL\n// This file is generated from a similarly-named Perl script in the BoringSSL\n// source tree. Do not edit by hand.\n\n#include \n\n#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_ARM) && defined(__ELF__)\n#include \n\n@ Silence ARMv8 deprecated IT instruction warnings. This file is used by both\n@ ARMv7 and ARMv8 processors and does not use ARMv8 instructions. (ARMv8 PMULL\n@ instructions are in aesv8-armx.pl.)\n.arch\tarmv7-a\n\n.text\n#if defined(__thumb2__) || defined(__clang__)\n.syntax\tunified\n#define ldrplb ldrbpl\n#define ldrneb ldrbne\n#endif\n#if defined(__thumb2__)\n.thumb\n#else\n.code\t32\n#endif\n#if __ARM_MAX_ARCH__>=7\n.arch\tarmv7-a\n.fpu\tneon\n\n.globl\tgcm_init_neon\n.hidden\tgcm_init_neon\n.type\tgcm_init_neon,%function\n.align\t4\ngcm_init_neon:\n\tvld1.64\td7,[r1]!\t\t@ load H\n\tvmov.i8\tq8,#0xe1\n\tvld1.64\td6,[r1]\n\tvshl.i64\td17,#57\n\tvshr.u64\td16,#63\t\t@ t0=0xc2....01\n\tvdup.8\tq9,d7[7]\n\tvshr.u64\td26,d6,#63\n\tvshr.s8\tq9,#7\t\t\t@ broadcast carry bit\n\tvshl.i64\tq3,q3,#1\n\tvand\tq8,q8,q9\n\tvorr\td7,d26\t\t@ H<<<=1\n\tveor\tq3,q3,q8\t\t@ twisted H\n\tvstmia\tr0,{q3}\n\n\tbx\tlr\t\t\t\t\t@ bx lr\n.size\tgcm_init_neon,.-gcm_init_neon\n\n.globl\tgcm_gmult_neon\n.hidden\tgcm_gmult_neon\n.type\tgcm_gmult_neon,%function\n.align\t4\ngcm_gmult_neon:\n\tvld1.64\td7,[r0]!\t\t@ load Xi\n\tvld1.64\td6,[r0]!\n\tvmov.i64\td29,#0x0000ffffffffffff\n\tvldmia\tr1,{d26,d27}\t@ load twisted H\n\tvmov.i64\td30,#0x00000000ffffffff\n#ifdef __ARMEL__\n\tvrev64.8\tq3,q3\n#endif\n\tvmov.i64\td31,#0x000000000000ffff\n\tveor\td28,d26,d27\t\t@ Karatsuba pre-processing\n\tmov\tr3,#16\n\tb\t.Lgmult_neon\n.size\tgcm_gmult_neon,.-gcm_gmult_neon\n\n.globl\tgcm_ghash_neon\n.hidden\tgcm_ghash_neon\n.type\tgcm_ghash_neon,%function\n.align\t4\ngcm_ghash_neon:\n\tvld1.64\td1,[r0]!\t\t@ load Xi\n\tvld1.64\td0,[r0]!\n\tvmov.i64\td29,#0x0000ffffffffffff\n\tvldmia\tr1,{d26,d27}\t@ load twisted H\n\tvmov.i64\td30,#0x00000000ffffffff\n#ifdef __ARMEL__\n\tvrev64.8\tq0,q0\n#endif\n\tvmov.i64\td31,#0x000000000000ffff\n\tveor\td28,d26,d27\t\t@ Karatsuba pre-processing\n\n.Loop_neon:\n\tvld1.64\td7,[r2]!\t\t@ load inp\n\tvld1.64\td6,[r2]!\n#ifdef __ARMEL__\n\tvrev64.8\tq3,q3\n#endif\n\tveor\tq3,q0\t\t\t@ inp^=Xi\n.Lgmult_neon:\n\tvext.8\td16, d26, d26, #1\t@ A1\n\tvmull.p8\tq8, d16, d6\t\t@ F = A1*B\n\tvext.8\td0, d6, d6, #1\t@ B1\n\tvmull.p8\tq0, d26, d0\t\t@ E = A*B1\n\tvext.8\td18, d26, d26, #2\t@ A2\n\tvmull.p8\tq9, d18, d6\t\t@ H = A2*B\n\tvext.8\td22, d6, d6, #2\t@ B2\n\tvmull.p8\tq11, d26, d22\t\t@ G = A*B2\n\tvext.8\td20, d26, d26, #3\t@ A3\n\tveor\tq8, q8, q0\t\t@ L = E + F\n\tvmull.p8\tq10, d20, d6\t\t@ J = A3*B\n\tvext.8\td0, d6, d6, #3\t@ B3\n\tveor\tq9, q9, q11\t\t@ M = G + H\n\tvmull.p8\tq0, d26, d0\t\t@ I = A*B3\n\tveor\td16, d16, d17\t@ t0 = (L) (P0 + P1) << 8\n\tvand\td17, d17, d29\n\tvext.8\td22, d6, d6, #4\t@ B4\n\tveor\td18, d18, d19\t@ t1 = (M) (P2 + P3) << 16\n\tvand\td19, d19, d30\n\tvmull.p8\tq11, d26, d22\t\t@ K = A*B4\n\tveor\tq10, q10, q0\t\t@ N = I + J\n\tveor\td16, d16, d17\n\tveor\td18, d18, d19\n\tveor\td20, d20, d21\t@ t2 = (N) (P4 + P5) << 24\n\tvand\td21, d21, d31\n\tvext.8\tq8, q8, q8, #15\n\tveor\td22, d22, d23\t@ t3 = (K) (P6 + P7) << 32\n\tvmov.i64\td23, #0\n\tvext.8\tq9, q9, q9, #14\n\tveor\td20, d20, d21\n\tvmull.p8\tq0, d26, d6\t\t@ D = A*B\n\tvext.8\tq11, q11, q11, #12\n\tvext.8\tq10, q10, q10, #13\n\tveor\tq8, q8, q9\n\tveor\tq10, q10, q11\n\tveor\tq0, q0, q8\n\tveor\tq0, q0, q10\n\tveor\td6,d6,d7\t@ Karatsuba pre-processing\n\tvext.8\td16, d28, d28, #1\t@ A1\n\tvmull.p8\tq8, d16, d6\t\t@ F = A1*B\n\tvext.8\td2, d6, d6, #1\t@ B1\n\tvmull.p8\tq1, d28, d2\t\t@ E = A*B1\n\tvext.8\td18, d28, d28, #2\t@ A2\n\tvmull.p8\tq9, d18, d6\t\t@ H = A2*B\n\tvext.8\td22, d6, d6, #2\t@ B2\n\tvmull.p8\tq11, d28, d22\t\t@ G = A*B2\n\tvext.8\td20, d28, d28, #3\t@ A3\n\tveor\tq8, q8, q1\t\t@ L = E + F\n\tvmull.p8\tq10, d20, d6\t\t@ J = A3*B\n\tvext.8\td2, d6, d6, #3\t@ B3\n\tveor\tq9, q9, q11\t\t@ M = G + H\n\tvmull.p8\tq1, d28, d2\t\t@ I = A*B3\n\tveor\td16, d16, d17\t@ t0 = (L) (P0 + P1) << 8\n\tvand\td17, d17, d29\n\tvext.8\td22, d6, d6, #4\t@ B4\n\tveor\td18, d18, d19\t@ t1 = (M) (P2 + P3) << 16\n\tvand\td19, d19, d30\n\tvmull.p8\tq11, d28, d22\t\t@ K = A*B4\n\tveor\tq10, q10, q1\t\t@ N = I + J\n\tveor\td16, d16, d17\n\tveor\td18, d18, d19\n\tveor\td20, d20, d21\t@ t2 = (N) (P4 + P5) << 24\n\tvand\td21, d21, d31\n\tvext.8\tq8, q8, q8, #15\n\tveor\td22, d22, d23\t@ t3 = (K) (P6 + P7) << 32\n\tvmov.i64\td23, #0\n\tvext.8\tq9, q9, q9, #14\n\tveor\td20, d20, d21\n\tvmull.p8\tq1, d28, d6\t\t@ D = A*B\n\tvext.8\tq11, q11, q11, #12\n\tvext.8\tq10, q10, q10, #13\n\tveor\tq8, q8, q9\n\tveor\tq10, q10, q11\n\tveor\tq1, q1, q8\n\tveor\tq1, q1, q10\n\tvext.8\td16, d27, d27, #1\t@ A1\n\tvmull.p8\tq8, d16, d7\t\t@ F = A1*B\n\tvext.8\td4, d7, d7, #1\t@ B1\n\tvmull.p8\tq2, d27, d4\t\t@ E = A*B1\n\tvext.8\td18, d27, d27, #2\t@ A2\n\tvmull.p8\tq9, d18, d7\t\t@ H = A2*B\n\tvext.8\td22, d7, d7, #2\t@ B2\n\tvmull.p8\tq11, d27, d22\t\t@ G = A*B2\n\tvext.8\td20, d27, d27, #3\t@ A3\n\tveor\tq8, q8, q2\t\t@ L = E + F\n\tvmull.p8\tq10, d20, d7\t\t@ J = A3*B\n\tvext.8\td4, d7, d7, #3\t@ B3\n\tveor\tq9, q9, q11\t\t@ M = G + H\n\tvmull.p8\tq2, d27, d4\t\t@ I = A*B3\n\tveor\td16, d16, d17\t@ t0 = (L) (P0 + P1) << 8\n\tvand\td17, d17, d29\n\tvext.8\td22, d7, d7, #4\t@ B4\n\tveor\td18, d18, d19\t@ t1 = (M) (P2 + P3) << 16\n\tvand\td19, d19, d30\n\tvmull.p8\tq11, d27, d22\t\t@ K = A*B4\n\tveor\tq10, q10, q2\t\t@ N = I + J\n\tveor\td16, d16, d17\n\tveor\td18, d18, d19\n\tveor\td20, d20, d21\t@ t2 = (N) (P4 + P5) << 24\n\tvand\td21, d21, d31\n\tvext.8\tq8, q8, q8, #15\n\tveor\td22, d22, d23\t@ t3 = (K) (P6 + P7) << 32\n\tvmov.i64\td23, #0\n\tvext.8\tq9, q9, q9, #14\n\tveor\td20, d20, d21\n\tvmull.p8\tq2, d27, d7\t\t@ D = A*B\n\tvext.8\tq11, q11, q11, #12\n\tvext.8\tq10, q10, q10, #13\n\tveor\tq8, q8, q9\n\tveor\tq10, q10, q11\n\tveor\tq2, q2, q8\n\tveor\tq2, q2, q10\n\tveor\tq1,q1,q0\t\t@ Karatsuba post-processing\n\tveor\tq1,q1,q2\n\tveor\td1,d1,d2\n\tveor\td4,d4,d3\t@ Xh|Xl - 256-bit result\n\n\t@ equivalent of reduction_avx from ghash-x86_64.pl\n\tvshl.i64\tq9,q0,#57\t\t@ 1st phase\n\tvshl.i64\tq10,q0,#62\n\tveor\tq10,q10,q9\t\t@\n\tvshl.i64\tq9,q0,#63\n\tveor\tq10, q10, q9\t\t@\n\tveor\td1,d1,d20\t@\n\tveor\td4,d4,d21\n\n\tvshr.u64\tq10,q0,#1\t\t@ 2nd phase\n\tveor\tq2,q2,q0\n\tveor\tq0,q0,q10\t\t@\n\tvshr.u64\tq10,q10,#6\n\tvshr.u64\tq0,q0,#1\t\t@\n\tveor\tq0,q0,q2\t\t@\n\tveor\tq0,q0,q10\t\t@\n\n\tsubs\tr3,#16\n\tbne\t.Loop_neon\n\n#ifdef __ARMEL__\n\tvrev64.8\tq0,q0\n#endif\n\tsub\tr0,#16\n\tvst1.64\td1,[r0]!\t\t@ write out Xi\n\tvst1.64\td0,[r0]\n\n\tbx\tlr\t\t\t\t\t@ bx lr\n.size\tgcm_ghash_neon,.-gcm_ghash_neon\n#endif\n.byte\t71,72,65,83,72,32,102,111,114,32,65,82,77,118,52,47,78,69,79,78,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0\n.align\t2\n.align\t2\n#endif // !OPENSSL_NO_ASM && defined(OPENSSL_ARM) && defined(__ELF__)\n#if defined(__linux__) && defined(__ELF__)\n.section .note.GNU-stack,\"\",%progbits\n#endif\n\n" }, { "path": "Sources/CNIOBoringSSL/gen/bcm/ghash-neon-armv8-apple.S", "content": "#define BORINGSSL_PREFIX CNIOBoringSSL\n// This file is generated from a similarly-named Perl script in the BoringSSL\n// source tree. Do not edit by hand.\n\n#include \n\n#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_AARCH64) && defined(__APPLE__)\n#include \n\n.text\n\n.globl\t_gcm_init_neon\n.private_extern\t_gcm_init_neon\n\n.align\t4\n_gcm_init_neon:\n\tAARCH64_VALID_CALL_TARGET\n\t// This function is adapted from gcm_init_v8. xC2 is t3.\n\tld1\t{v17.2d}, [x1]\t\t\t// load H\n\tmovi\tv19.16b, #0xe1\n\tshl\tv19.2d, v19.2d, #57\t\t// 0xc2.0\n\text\tv3.16b, v17.16b, v17.16b, #8\n\tushr\tv18.2d, v19.2d, #63\n\tdup\tv17.4s, v17.s[1]\n\text\tv16.16b, v18.16b, v19.16b, #8\t// t0=0xc2....01\n\tushr\tv18.2d, v3.2d, #63\n\tsshr\tv17.4s, v17.4s, #31\t\t// broadcast carry bit\n\tand\tv18.16b, v18.16b, v16.16b\n\tshl\tv3.2d, v3.2d, #1\n\text\tv18.16b, v18.16b, v18.16b, #8\n\tand\tv16.16b, v16.16b, v17.16b\n\torr\tv3.16b, v3.16b, v18.16b\t// H<<<=1\n\teor\tv5.16b, v3.16b, v16.16b\t// twisted H\n\tst1\t{v5.2d}, [x0]\t\t\t// store Htable[0]\n\tret\n\n\n.globl\t_gcm_gmult_neon\n.private_extern\t_gcm_gmult_neon\n\n.align\t4\n_gcm_gmult_neon:\n\tAARCH64_VALID_CALL_TARGET\n\tld1\t{v3.16b}, [x0]\t\t// load Xi\n\tld1\t{v5.1d}, [x1], #8\t\t// load twisted H\n\tld1\t{v6.1d}, [x1]\n\tadrp\tx9, Lmasks@PAGE\t\t// load constants\n\tadd\tx9, x9, Lmasks@PAGEOFF\n\tld1\t{v24.2d, v25.2d}, [x9]\n\trev64\tv3.16b, v3.16b\t\t// byteswap Xi\n\text\tv3.16b, v3.16b, v3.16b, #8\n\teor\tv7.8b, v5.8b, v6.8b\t// Karatsuba pre-processing\n\n\tmov\tx3, #16\n\tb\tLgmult_neon\n\n\n.globl\t_gcm_ghash_neon\n.private_extern\t_gcm_ghash_neon\n\n.align\t4\n_gcm_ghash_neon:\n\tAARCH64_VALID_CALL_TARGET\n\tld1\t{v0.16b}, [x0]\t\t// load Xi\n\tld1\t{v5.1d}, [x1], #8\t\t// load twisted H\n\tld1\t{v6.1d}, [x1]\n\tadrp\tx9, Lmasks@PAGE\t\t// load constants\n\tadd\tx9, x9, Lmasks@PAGEOFF\n\tld1\t{v24.2d, v25.2d}, [x9]\n\trev64\tv0.16b, v0.16b\t\t// byteswap Xi\n\text\tv0.16b, v0.16b, v0.16b, #8\n\teor\tv7.8b, v5.8b, v6.8b\t// Karatsuba pre-processing\n\nLoop_neon:\n\tld1\t{v3.16b}, [x2], #16\t// load inp\n\trev64\tv3.16b, v3.16b\t\t// byteswap inp\n\text\tv3.16b, v3.16b, v3.16b, #8\n\teor\tv3.16b, v3.16b, v0.16b\t// inp ^= Xi\n\nLgmult_neon:\n\t// Split the input into v3 and v4. (The upper halves are unused,\n\t// so it is okay to leave them alone.)\n\tins\tv4.d[0], v3.d[1]\n\text\tv16.8b, v5.8b, v5.8b, #1\t// A1\n\tpmull\tv16.8h, v16.8b, v3.8b\t\t// F = A1*B\n\text\tv0.8b, v3.8b, v3.8b, #1\t\t// B1\n\tpmull\tv0.8h, v5.8b, v0.8b\t\t// E = A*B1\n\text\tv17.8b, v5.8b, v5.8b, #2\t// A2\n\tpmull\tv17.8h, v17.8b, v3.8b\t\t// H = A2*B\n\text\tv19.8b, v3.8b, v3.8b, #2\t// B2\n\tpmull\tv19.8h, v5.8b, v19.8b\t\t// G = A*B2\n\text\tv18.8b, v5.8b, v5.8b, #3\t// A3\n\teor\tv16.16b, v16.16b, v0.16b\t// L = E + F\n\tpmull\tv18.8h, v18.8b, v3.8b\t\t// J = A3*B\n\text\tv0.8b, v3.8b, v3.8b, #3\t\t// B3\n\teor\tv17.16b, v17.16b, v19.16b\t// M = G + H\n\tpmull\tv0.8h, v5.8b, v0.8b\t\t// I = A*B3\n\n\t// Here we diverge from the 32-bit version. It computes the following\n\t// (instructions reordered for clarity):\n\t//\n\t// veor\t$t0#lo, $t0#lo, $t0#hi\t@ t0 = P0 + P1 (L)\n\t// vand\t$t0#hi, $t0#hi, $k48\n\t// veor\t$t0#lo, $t0#lo, $t0#hi\n\t//\n\t// veor\t$t1#lo, $t1#lo, $t1#hi\t@ t1 = P2 + P3 (M)\n\t// vand\t$t1#hi, $t1#hi, $k32\n\t// veor\t$t1#lo, $t1#lo, $t1#hi\n\t//\n\t// veor\t$t2#lo, $t2#lo, $t2#hi\t@ t2 = P4 + P5 (N)\n\t// vand\t$t2#hi, $t2#hi, $k16\n\t// veor\t$t2#lo, $t2#lo, $t2#hi\n\t//\n\t// veor\t$t3#lo, $t3#lo, $t3#hi\t@ t3 = P6 + P7 (K)\n\t// vmov.i64\t$t3#hi, #0\n\t//\n\t// $kN is a mask with the bottom N bits set. AArch64 cannot compute on\n\t// upper halves of SIMD registers, so we must split each half into\n\t// separate registers. To compensate, we pair computations up and\n\t// parallelize.\n\n\text\tv19.8b, v3.8b, v3.8b, #4\t// B4\n\teor\tv18.16b, v18.16b, v0.16b\t// N = I + J\n\tpmull\tv19.8h, v5.8b, v19.8b\t\t// K = A*B4\n\n\t// This can probably be scheduled more efficiently. For now, we just\n\t// pair up independent instructions.\n\tzip1\tv20.2d, v16.2d, v17.2d\n\tzip1\tv22.2d, v18.2d, v19.2d\n\tzip2\tv21.2d, v16.2d, v17.2d\n\tzip2\tv23.2d, v18.2d, v19.2d\n\teor\tv20.16b, v20.16b, v21.16b\n\teor\tv22.16b, v22.16b, v23.16b\n\tand\tv21.16b, v21.16b, v24.16b\n\tand\tv23.16b, v23.16b, v25.16b\n\teor\tv20.16b, v20.16b, v21.16b\n\teor\tv22.16b, v22.16b, v23.16b\n\tzip1\tv16.2d, v20.2d, v21.2d\n\tzip1\tv18.2d, v22.2d, v23.2d\n\tzip2\tv17.2d, v20.2d, v21.2d\n\tzip2\tv19.2d, v22.2d, v23.2d\n\n\text\tv16.16b, v16.16b, v16.16b, #15\t// t0 = t0 << 8\n\text\tv17.16b, v17.16b, v17.16b, #14\t// t1 = t1 << 16\n\tpmull\tv0.8h, v5.8b, v3.8b\t\t// D = A*B\n\text\tv19.16b, v19.16b, v19.16b, #12\t// t3 = t3 << 32\n\text\tv18.16b, v18.16b, v18.16b, #13\t// t2 = t2 << 24\n\teor\tv16.16b, v16.16b, v17.16b\n\teor\tv18.16b, v18.16b, v19.16b\n\teor\tv0.16b, v0.16b, v16.16b\n\teor\tv0.16b, v0.16b, v18.16b\n\teor\tv3.8b, v3.8b, v4.8b\t// Karatsuba pre-processing\n\text\tv16.8b, v7.8b, v7.8b, #1\t// A1\n\tpmull\tv16.8h, v16.8b, v3.8b\t\t// F = A1*B\n\text\tv1.8b, v3.8b, v3.8b, #1\t\t// B1\n\tpmull\tv1.8h, v7.8b, v1.8b\t\t// E = A*B1\n\text\tv17.8b, v7.8b, v7.8b, #2\t// A2\n\tpmull\tv17.8h, v17.8b, v3.8b\t\t// H = A2*B\n\text\tv19.8b, v3.8b, v3.8b, #2\t// B2\n\tpmull\tv19.8h, v7.8b, v19.8b\t\t// G = A*B2\n\text\tv18.8b, v7.8b, v7.8b, #3\t// A3\n\teor\tv16.16b, v16.16b, v1.16b\t// L = E + F\n\tpmull\tv18.8h, v18.8b, v3.8b\t\t// J = A3*B\n\text\tv1.8b, v3.8b, v3.8b, #3\t\t// B3\n\teor\tv17.16b, v17.16b, v19.16b\t// M = G + H\n\tpmull\tv1.8h, v7.8b, v1.8b\t\t// I = A*B3\n\n\t// Here we diverge from the 32-bit version. It computes the following\n\t// (instructions reordered for clarity):\n\t//\n\t// veor\t$t0#lo, $t0#lo, $t0#hi\t@ t0 = P0 + P1 (L)\n\t// vand\t$t0#hi, $t0#hi, $k48\n\t// veor\t$t0#lo, $t0#lo, $t0#hi\n\t//\n\t// veor\t$t1#lo, $t1#lo, $t1#hi\t@ t1 = P2 + P3 (M)\n\t// vand\t$t1#hi, $t1#hi, $k32\n\t// veor\t$t1#lo, $t1#lo, $t1#hi\n\t//\n\t// veor\t$t2#lo, $t2#lo, $t2#hi\t@ t2 = P4 + P5 (N)\n\t// vand\t$t2#hi, $t2#hi, $k16\n\t// veor\t$t2#lo, $t2#lo, $t2#hi\n\t//\n\t// veor\t$t3#lo, $t3#lo, $t3#hi\t@ t3 = P6 + P7 (K)\n\t// vmov.i64\t$t3#hi, #0\n\t//\n\t// $kN is a mask with the bottom N bits set. AArch64 cannot compute on\n\t// upper halves of SIMD registers, so we must split each half into\n\t// separate registers. To compensate, we pair computations up and\n\t// parallelize.\n\n\text\tv19.8b, v3.8b, v3.8b, #4\t// B4\n\teor\tv18.16b, v18.16b, v1.16b\t// N = I + J\n\tpmull\tv19.8h, v7.8b, v19.8b\t\t// K = A*B4\n\n\t// This can probably be scheduled more efficiently. For now, we just\n\t// pair up independent instructions.\n\tzip1\tv20.2d, v16.2d, v17.2d\n\tzip1\tv22.2d, v18.2d, v19.2d\n\tzip2\tv21.2d, v16.2d, v17.2d\n\tzip2\tv23.2d, v18.2d, v19.2d\n\teor\tv20.16b, v20.16b, v21.16b\n\teor\tv22.16b, v22.16b, v23.16b\n\tand\tv21.16b, v21.16b, v24.16b\n\tand\tv23.16b, v23.16b, v25.16b\n\teor\tv20.16b, v20.16b, v21.16b\n\teor\tv22.16b, v22.16b, v23.16b\n\tzip1\tv16.2d, v20.2d, v21.2d\n\tzip1\tv18.2d, v22.2d, v23.2d\n\tzip2\tv17.2d, v20.2d, v21.2d\n\tzip2\tv19.2d, v22.2d, v23.2d\n\n\text\tv16.16b, v16.16b, v16.16b, #15\t// t0 = t0 << 8\n\text\tv17.16b, v17.16b, v17.16b, #14\t// t1 = t1 << 16\n\tpmull\tv1.8h, v7.8b, v3.8b\t\t// D = A*B\n\text\tv19.16b, v19.16b, v19.16b, #12\t// t3 = t3 << 32\n\text\tv18.16b, v18.16b, v18.16b, #13\t// t2 = t2 << 24\n\teor\tv16.16b, v16.16b, v17.16b\n\teor\tv18.16b, v18.16b, v19.16b\n\teor\tv1.16b, v1.16b, v16.16b\n\teor\tv1.16b, v1.16b, v18.16b\n\text\tv16.8b, v6.8b, v6.8b, #1\t// A1\n\tpmull\tv16.8h, v16.8b, v4.8b\t\t// F = A1*B\n\text\tv2.8b, v4.8b, v4.8b, #1\t\t// B1\n\tpmull\tv2.8h, v6.8b, v2.8b\t\t// E = A*B1\n\text\tv17.8b, v6.8b, v6.8b, #2\t// A2\n\tpmull\tv17.8h, v17.8b, v4.8b\t\t// H = A2*B\n\text\tv19.8b, v4.8b, v4.8b, #2\t// B2\n\tpmull\tv19.8h, v6.8b, v19.8b\t\t// G = A*B2\n\text\tv18.8b, v6.8b, v6.8b, #3\t// A3\n\teor\tv16.16b, v16.16b, v2.16b\t// L = E + F\n\tpmull\tv18.8h, v18.8b, v4.8b\t\t// J = A3*B\n\text\tv2.8b, v4.8b, v4.8b, #3\t\t// B3\n\teor\tv17.16b, v17.16b, v19.16b\t// M = G + H\n\tpmull\tv2.8h, v6.8b, v2.8b\t\t// I = A*B3\n\n\t// Here we diverge from the 32-bit version. It computes the following\n\t// (instructions reordered for clarity):\n\t//\n\t// veor\t$t0#lo, $t0#lo, $t0#hi\t@ t0 = P0 + P1 (L)\n\t// vand\t$t0#hi, $t0#hi, $k48\n\t// veor\t$t0#lo, $t0#lo, $t0#hi\n\t//\n\t// veor\t$t1#lo, $t1#lo, $t1#hi\t@ t1 = P2 + P3 (M)\n\t// vand\t$t1#hi, $t1#hi, $k32\n\t// veor\t$t1#lo, $t1#lo, $t1#hi\n\t//\n\t// veor\t$t2#lo, $t2#lo, $t2#hi\t@ t2 = P4 + P5 (N)\n\t// vand\t$t2#hi, $t2#hi, $k16\n\t// veor\t$t2#lo, $t2#lo, $t2#hi\n\t//\n\t// veor\t$t3#lo, $t3#lo, $t3#hi\t@ t3 = P6 + P7 (K)\n\t// vmov.i64\t$t3#hi, #0\n\t//\n\t// $kN is a mask with the bottom N bits set. AArch64 cannot compute on\n\t// upper halves of SIMD registers, so we must split each half into\n\t// separate registers. To compensate, we pair computations up and\n\t// parallelize.\n\n\text\tv19.8b, v4.8b, v4.8b, #4\t// B4\n\teor\tv18.16b, v18.16b, v2.16b\t// N = I + J\n\tpmull\tv19.8h, v6.8b, v19.8b\t\t// K = A*B4\n\n\t// This can probably be scheduled more efficiently. For now, we just\n\t// pair up independent instructions.\n\tzip1\tv20.2d, v16.2d, v17.2d\n\tzip1\tv22.2d, v18.2d, v19.2d\n\tzip2\tv21.2d, v16.2d, v17.2d\n\tzip2\tv23.2d, v18.2d, v19.2d\n\teor\tv20.16b, v20.16b, v21.16b\n\teor\tv22.16b, v22.16b, v23.16b\n\tand\tv21.16b, v21.16b, v24.16b\n\tand\tv23.16b, v23.16b, v25.16b\n\teor\tv20.16b, v20.16b, v21.16b\n\teor\tv22.16b, v22.16b, v23.16b\n\tzip1\tv16.2d, v20.2d, v21.2d\n\tzip1\tv18.2d, v22.2d, v23.2d\n\tzip2\tv17.2d, v20.2d, v21.2d\n\tzip2\tv19.2d, v22.2d, v23.2d\n\n\text\tv16.16b, v16.16b, v16.16b, #15\t// t0 = t0 << 8\n\text\tv17.16b, v17.16b, v17.16b, #14\t// t1 = t1 << 16\n\tpmull\tv2.8h, v6.8b, v4.8b\t\t// D = A*B\n\text\tv19.16b, v19.16b, v19.16b, #12\t// t3 = t3 << 32\n\text\tv18.16b, v18.16b, v18.16b, #13\t// t2 = t2 << 24\n\teor\tv16.16b, v16.16b, v17.16b\n\teor\tv18.16b, v18.16b, v19.16b\n\teor\tv2.16b, v2.16b, v16.16b\n\teor\tv2.16b, v2.16b, v18.16b\n\text\tv16.16b, v0.16b, v2.16b, #8\n\teor\tv1.16b, v1.16b, v0.16b\t// Karatsuba post-processing\n\teor\tv1.16b, v1.16b, v2.16b\n\teor\tv1.16b, v1.16b, v16.16b\t// Xm overlaps Xh.lo and Xl.hi\n\tins\tv0.d[1], v1.d[0]\t\t// Xh|Xl - 256-bit result\n\t// This is a no-op due to the ins instruction below.\n\t// ins\tv2.d[0], v1.d[1]\n\n\t// equivalent of reduction_avx from ghash-x86_64.pl\n\tshl\tv17.2d, v0.2d, #57\t\t// 1st phase\n\tshl\tv18.2d, v0.2d, #62\n\teor\tv18.16b, v18.16b, v17.16b\t//\n\tshl\tv17.2d, v0.2d, #63\n\teor\tv18.16b, v18.16b, v17.16b\t//\n\t// Note Xm contains {Xl.d[1], Xh.d[0]}.\n\teor\tv18.16b, v18.16b, v1.16b\n\tins\tv0.d[1], v18.d[0]\t\t// Xl.d[1] ^= t2.d[0]\n\tins\tv2.d[0], v18.d[1]\t\t// Xh.d[0] ^= t2.d[1]\n\n\tushr\tv18.2d, v0.2d, #1\t\t// 2nd phase\n\teor\tv2.16b, v2.16b,v0.16b\n\teor\tv0.16b, v0.16b,v18.16b\t//\n\tushr\tv18.2d, v18.2d, #6\n\tushr\tv0.2d, v0.2d, #1\t\t//\n\teor\tv0.16b, v0.16b, v2.16b\t//\n\teor\tv0.16b, v0.16b, v18.16b\t//\n\n\tsubs\tx3, x3, #16\n\tbne\tLoop_neon\n\n\trev64\tv0.16b, v0.16b\t\t// byteswap Xi and write\n\text\tv0.16b, v0.16b, v0.16b, #8\n\tst1\t{v0.16b}, [x0]\n\n\tret\n\n\n.section\t__TEXT,__const\n.align\t4\nLmasks:\n.quad\t0x0000ffffffffffff\t// k48\n.quad\t0x00000000ffffffff\t// k32\n.quad\t0x000000000000ffff\t// k16\n.quad\t0x0000000000000000\t// k0\n.byte\t71,72,65,83,72,32,102,111,114,32,65,82,77,118,56,44,32,100,101,114,105,118,101,100,32,102,114,111,109,32,65,82,77,118,52,32,118,101,114,115,105,111,110,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0\n.align\t2\n.align\t2\n#endif // !OPENSSL_NO_ASM && defined(OPENSSL_AARCH64) && defined(__APPLE__)\n#if defined(__linux__) && defined(__ELF__)\n.section .note.GNU-stack,\"\",%progbits\n#endif\n\n" }, { "path": "Sources/CNIOBoringSSL/gen/bcm/ghash-neon-armv8-linux.S", "content": "#define BORINGSSL_PREFIX CNIOBoringSSL\n// This file is generated from a similarly-named Perl script in the BoringSSL\n// source tree. Do not edit by hand.\n\n#include \n\n#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_AARCH64) && defined(__ELF__)\n#include \n\n.text\n\n.globl\tgcm_init_neon\n.hidden\tgcm_init_neon\n.type\tgcm_init_neon,%function\n.align\t4\ngcm_init_neon:\n\tAARCH64_VALID_CALL_TARGET\n\t// This function is adapted from gcm_init_v8. xC2 is t3.\n\tld1\t{v17.2d}, [x1]\t\t\t// load H\n\tmovi\tv19.16b, #0xe1\n\tshl\tv19.2d, v19.2d, #57\t\t// 0xc2.0\n\text\tv3.16b, v17.16b, v17.16b, #8\n\tushr\tv18.2d, v19.2d, #63\n\tdup\tv17.4s, v17.s[1]\n\text\tv16.16b, v18.16b, v19.16b, #8\t// t0=0xc2....01\n\tushr\tv18.2d, v3.2d, #63\n\tsshr\tv17.4s, v17.4s, #31\t\t// broadcast carry bit\n\tand\tv18.16b, v18.16b, v16.16b\n\tshl\tv3.2d, v3.2d, #1\n\text\tv18.16b, v18.16b, v18.16b, #8\n\tand\tv16.16b, v16.16b, v17.16b\n\torr\tv3.16b, v3.16b, v18.16b\t// H<<<=1\n\teor\tv5.16b, v3.16b, v16.16b\t// twisted H\n\tst1\t{v5.2d}, [x0]\t\t\t// store Htable[0]\n\tret\n.size\tgcm_init_neon,.-gcm_init_neon\n\n.globl\tgcm_gmult_neon\n.hidden\tgcm_gmult_neon\n.type\tgcm_gmult_neon,%function\n.align\t4\ngcm_gmult_neon:\n\tAARCH64_VALID_CALL_TARGET\n\tld1\t{v3.16b}, [x0]\t\t// load Xi\n\tld1\t{v5.1d}, [x1], #8\t\t// load twisted H\n\tld1\t{v6.1d}, [x1]\n\tadrp\tx9, .Lmasks\t\t// load constants\n\tadd\tx9, x9, :lo12:.Lmasks\n\tld1\t{v24.2d, v25.2d}, [x9]\n\trev64\tv3.16b, v3.16b\t\t// byteswap Xi\n\text\tv3.16b, v3.16b, v3.16b, #8\n\teor\tv7.8b, v5.8b, v6.8b\t// Karatsuba pre-processing\n\n\tmov\tx3, #16\n\tb\t.Lgmult_neon\n.size\tgcm_gmult_neon,.-gcm_gmult_neon\n\n.globl\tgcm_ghash_neon\n.hidden\tgcm_ghash_neon\n.type\tgcm_ghash_neon,%function\n.align\t4\ngcm_ghash_neon:\n\tAARCH64_VALID_CALL_TARGET\n\tld1\t{v0.16b}, [x0]\t\t// load Xi\n\tld1\t{v5.1d}, [x1], #8\t\t// load twisted H\n\tld1\t{v6.1d}, [x1]\n\tadrp\tx9, .Lmasks\t\t// load constants\n\tadd\tx9, x9, :lo12:.Lmasks\n\tld1\t{v24.2d, v25.2d}, [x9]\n\trev64\tv0.16b, v0.16b\t\t// byteswap Xi\n\text\tv0.16b, v0.16b, v0.16b, #8\n\teor\tv7.8b, v5.8b, v6.8b\t// Karatsuba pre-processing\n\n.Loop_neon:\n\tld1\t{v3.16b}, [x2], #16\t// load inp\n\trev64\tv3.16b, v3.16b\t\t// byteswap inp\n\text\tv3.16b, v3.16b, v3.16b, #8\n\teor\tv3.16b, v3.16b, v0.16b\t// inp ^= Xi\n\n.Lgmult_neon:\n\t// Split the input into v3 and v4. (The upper halves are unused,\n\t// so it is okay to leave them alone.)\n\tins\tv4.d[0], v3.d[1]\n\text\tv16.8b, v5.8b, v5.8b, #1\t// A1\n\tpmull\tv16.8h, v16.8b, v3.8b\t\t// F = A1*B\n\text\tv0.8b, v3.8b, v3.8b, #1\t\t// B1\n\tpmull\tv0.8h, v5.8b, v0.8b\t\t// E = A*B1\n\text\tv17.8b, v5.8b, v5.8b, #2\t// A2\n\tpmull\tv17.8h, v17.8b, v3.8b\t\t// H = A2*B\n\text\tv19.8b, v3.8b, v3.8b, #2\t// B2\n\tpmull\tv19.8h, v5.8b, v19.8b\t\t// G = A*B2\n\text\tv18.8b, v5.8b, v5.8b, #3\t// A3\n\teor\tv16.16b, v16.16b, v0.16b\t// L = E + F\n\tpmull\tv18.8h, v18.8b, v3.8b\t\t// J = A3*B\n\text\tv0.8b, v3.8b, v3.8b, #3\t\t// B3\n\teor\tv17.16b, v17.16b, v19.16b\t// M = G + H\n\tpmull\tv0.8h, v5.8b, v0.8b\t\t// I = A*B3\n\n\t// Here we diverge from the 32-bit version. It computes the following\n\t// (instructions reordered for clarity):\n\t//\n\t// veor\t$t0#lo, $t0#lo, $t0#hi\t@ t0 = P0 + P1 (L)\n\t// vand\t$t0#hi, $t0#hi, $k48\n\t// veor\t$t0#lo, $t0#lo, $t0#hi\n\t//\n\t// veor\t$t1#lo, $t1#lo, $t1#hi\t@ t1 = P2 + P3 (M)\n\t// vand\t$t1#hi, $t1#hi, $k32\n\t// veor\t$t1#lo, $t1#lo, $t1#hi\n\t//\n\t// veor\t$t2#lo, $t2#lo, $t2#hi\t@ t2 = P4 + P5 (N)\n\t// vand\t$t2#hi, $t2#hi, $k16\n\t// veor\t$t2#lo, $t2#lo, $t2#hi\n\t//\n\t// veor\t$t3#lo, $t3#lo, $t3#hi\t@ t3 = P6 + P7 (K)\n\t// vmov.i64\t$t3#hi, #0\n\t//\n\t// $kN is a mask with the bottom N bits set. AArch64 cannot compute on\n\t// upper halves of SIMD registers, so we must split each half into\n\t// separate registers. To compensate, we pair computations up and\n\t// parallelize.\n\n\text\tv19.8b, v3.8b, v3.8b, #4\t// B4\n\teor\tv18.16b, v18.16b, v0.16b\t// N = I + J\n\tpmull\tv19.8h, v5.8b, v19.8b\t\t// K = A*B4\n\n\t// This can probably be scheduled more efficiently. For now, we just\n\t// pair up independent instructions.\n\tzip1\tv20.2d, v16.2d, v17.2d\n\tzip1\tv22.2d, v18.2d, v19.2d\n\tzip2\tv21.2d, v16.2d, v17.2d\n\tzip2\tv23.2d, v18.2d, v19.2d\n\teor\tv20.16b, v20.16b, v21.16b\n\teor\tv22.16b, v22.16b, v23.16b\n\tand\tv21.16b, v21.16b, v24.16b\n\tand\tv23.16b, v23.16b, v25.16b\n\teor\tv20.16b, v20.16b, v21.16b\n\teor\tv22.16b, v22.16b, v23.16b\n\tzip1\tv16.2d, v20.2d, v21.2d\n\tzip1\tv18.2d, v22.2d, v23.2d\n\tzip2\tv17.2d, v20.2d, v21.2d\n\tzip2\tv19.2d, v22.2d, v23.2d\n\n\text\tv16.16b, v16.16b, v16.16b, #15\t// t0 = t0 << 8\n\text\tv17.16b, v17.16b, v17.16b, #14\t// t1 = t1 << 16\n\tpmull\tv0.8h, v5.8b, v3.8b\t\t// D = A*B\n\text\tv19.16b, v19.16b, v19.16b, #12\t// t3 = t3 << 32\n\text\tv18.16b, v18.16b, v18.16b, #13\t// t2 = t2 << 24\n\teor\tv16.16b, v16.16b, v17.16b\n\teor\tv18.16b, v18.16b, v19.16b\n\teor\tv0.16b, v0.16b, v16.16b\n\teor\tv0.16b, v0.16b, v18.16b\n\teor\tv3.8b, v3.8b, v4.8b\t// Karatsuba pre-processing\n\text\tv16.8b, v7.8b, v7.8b, #1\t// A1\n\tpmull\tv16.8h, v16.8b, v3.8b\t\t// F = A1*B\n\text\tv1.8b, v3.8b, v3.8b, #1\t\t// B1\n\tpmull\tv1.8h, v7.8b, v1.8b\t\t// E = A*B1\n\text\tv17.8b, v7.8b, v7.8b, #2\t// A2\n\tpmull\tv17.8h, v17.8b, v3.8b\t\t// H = A2*B\n\text\tv19.8b, v3.8b, v3.8b, #2\t// B2\n\tpmull\tv19.8h, v7.8b, v19.8b\t\t// G = A*B2\n\text\tv18.8b, v7.8b, v7.8b, #3\t// A3\n\teor\tv16.16b, v16.16b, v1.16b\t// L = E + F\n\tpmull\tv18.8h, v18.8b, v3.8b\t\t// J = A3*B\n\text\tv1.8b, v3.8b, v3.8b, #3\t\t// B3\n\teor\tv17.16b, v17.16b, v19.16b\t// M = G + H\n\tpmull\tv1.8h, v7.8b, v1.8b\t\t// I = A*B3\n\n\t// Here we diverge from the 32-bit version. It computes the following\n\t// (instructions reordered for clarity):\n\t//\n\t// veor\t$t0#lo, $t0#lo, $t0#hi\t@ t0 = P0 + P1 (L)\n\t// vand\t$t0#hi, $t0#hi, $k48\n\t// veor\t$t0#lo, $t0#lo, $t0#hi\n\t//\n\t// veor\t$t1#lo, $t1#lo, $t1#hi\t@ t1 = P2 + P3 (M)\n\t// vand\t$t1#hi, $t1#hi, $k32\n\t// veor\t$t1#lo, $t1#lo, $t1#hi\n\t//\n\t// veor\t$t2#lo, $t2#lo, $t2#hi\t@ t2 = P4 + P5 (N)\n\t// vand\t$t2#hi, $t2#hi, $k16\n\t// veor\t$t2#lo, $t2#lo, $t2#hi\n\t//\n\t// veor\t$t3#lo, $t3#lo, $t3#hi\t@ t3 = P6 + P7 (K)\n\t// vmov.i64\t$t3#hi, #0\n\t//\n\t// $kN is a mask with the bottom N bits set. AArch64 cannot compute on\n\t// upper halves of SIMD registers, so we must split each half into\n\t// separate registers. To compensate, we pair computations up and\n\t// parallelize.\n\n\text\tv19.8b, v3.8b, v3.8b, #4\t// B4\n\teor\tv18.16b, v18.16b, v1.16b\t// N = I + J\n\tpmull\tv19.8h, v7.8b, v19.8b\t\t// K = A*B4\n\n\t// This can probably be scheduled more efficiently. For now, we just\n\t// pair up independent instructions.\n\tzip1\tv20.2d, v16.2d, v17.2d\n\tzip1\tv22.2d, v18.2d, v19.2d\n\tzip2\tv21.2d, v16.2d, v17.2d\n\tzip2\tv23.2d, v18.2d, v19.2d\n\teor\tv20.16b, v20.16b, v21.16b\n\teor\tv22.16b, v22.16b, v23.16b\n\tand\tv21.16b, v21.16b, v24.16b\n\tand\tv23.16b, v23.16b, v25.16b\n\teor\tv20.16b, v20.16b, v21.16b\n\teor\tv22.16b, v22.16b, v23.16b\n\tzip1\tv16.2d, v20.2d, v21.2d\n\tzip1\tv18.2d, v22.2d, v23.2d\n\tzip2\tv17.2d, v20.2d, v21.2d\n\tzip2\tv19.2d, v22.2d, v23.2d\n\n\text\tv16.16b, v16.16b, v16.16b, #15\t// t0 = t0 << 8\n\text\tv17.16b, v17.16b, v17.16b, #14\t// t1 = t1 << 16\n\tpmull\tv1.8h, v7.8b, v3.8b\t\t// D = A*B\n\text\tv19.16b, v19.16b, v19.16b, #12\t// t3 = t3 << 32\n\text\tv18.16b, v18.16b, v18.16b, #13\t// t2 = t2 << 24\n\teor\tv16.16b, v16.16b, v17.16b\n\teor\tv18.16b, v18.16b, v19.16b\n\teor\tv1.16b, v1.16b, v16.16b\n\teor\tv1.16b, v1.16b, v18.16b\n\text\tv16.8b, v6.8b, v6.8b, #1\t// A1\n\tpmull\tv16.8h, v16.8b, v4.8b\t\t// F = A1*B\n\text\tv2.8b, v4.8b, v4.8b, #1\t\t// B1\n\tpmull\tv2.8h, v6.8b, v2.8b\t\t// E = A*B1\n\text\tv17.8b, v6.8b, v6.8b, #2\t// A2\n\tpmull\tv17.8h, v17.8b, v4.8b\t\t// H = A2*B\n\text\tv19.8b, v4.8b, v4.8b, #2\t// B2\n\tpmull\tv19.8h, v6.8b, v19.8b\t\t// G = A*B2\n\text\tv18.8b, v6.8b, v6.8b, #3\t// A3\n\teor\tv16.16b, v16.16b, v2.16b\t// L = E + F\n\tpmull\tv18.8h, v18.8b, v4.8b\t\t// J = A3*B\n\text\tv2.8b, v4.8b, v4.8b, #3\t\t// B3\n\teor\tv17.16b, v17.16b, v19.16b\t// M = G + H\n\tpmull\tv2.8h, v6.8b, v2.8b\t\t// I = A*B3\n\n\t// Here we diverge from the 32-bit version. It computes the following\n\t// (instructions reordered for clarity):\n\t//\n\t// veor\t$t0#lo, $t0#lo, $t0#hi\t@ t0 = P0 + P1 (L)\n\t// vand\t$t0#hi, $t0#hi, $k48\n\t// veor\t$t0#lo, $t0#lo, $t0#hi\n\t//\n\t// veor\t$t1#lo, $t1#lo, $t1#hi\t@ t1 = P2 + P3 (M)\n\t// vand\t$t1#hi, $t1#hi, $k32\n\t// veor\t$t1#lo, $t1#lo, $t1#hi\n\t//\n\t// veor\t$t2#lo, $t2#lo, $t2#hi\t@ t2 = P4 + P5 (N)\n\t// vand\t$t2#hi, $t2#hi, $k16\n\t// veor\t$t2#lo, $t2#lo, $t2#hi\n\t//\n\t// veor\t$t3#lo, $t3#lo, $t3#hi\t@ t3 = P6 + P7 (K)\n\t// vmov.i64\t$t3#hi, #0\n\t//\n\t// $kN is a mask with the bottom N bits set. AArch64 cannot compute on\n\t// upper halves of SIMD registers, so we must split each half into\n\t// separate registers. To compensate, we pair computations up and\n\t// parallelize.\n\n\text\tv19.8b, v4.8b, v4.8b, #4\t// B4\n\teor\tv18.16b, v18.16b, v2.16b\t// N = I + J\n\tpmull\tv19.8h, v6.8b, v19.8b\t\t// K = A*B4\n\n\t// This can probably be scheduled more efficiently. For now, we just\n\t// pair up independent instructions.\n\tzip1\tv20.2d, v16.2d, v17.2d\n\tzip1\tv22.2d, v18.2d, v19.2d\n\tzip2\tv21.2d, v16.2d, v17.2d\n\tzip2\tv23.2d, v18.2d, v19.2d\n\teor\tv20.16b, v20.16b, v21.16b\n\teor\tv22.16b, v22.16b, v23.16b\n\tand\tv21.16b, v21.16b, v24.16b\n\tand\tv23.16b, v23.16b, v25.16b\n\teor\tv20.16b, v20.16b, v21.16b\n\teor\tv22.16b, v22.16b, v23.16b\n\tzip1\tv16.2d, v20.2d, v21.2d\n\tzip1\tv18.2d, v22.2d, v23.2d\n\tzip2\tv17.2d, v20.2d, v21.2d\n\tzip2\tv19.2d, v22.2d, v23.2d\n\n\text\tv16.16b, v16.16b, v16.16b, #15\t// t0 = t0 << 8\n\text\tv17.16b, v17.16b, v17.16b, #14\t// t1 = t1 << 16\n\tpmull\tv2.8h, v6.8b, v4.8b\t\t// D = A*B\n\text\tv19.16b, v19.16b, v19.16b, #12\t// t3 = t3 << 32\n\text\tv18.16b, v18.16b, v18.16b, #13\t// t2 = t2 << 24\n\teor\tv16.16b, v16.16b, v17.16b\n\teor\tv18.16b, v18.16b, v19.16b\n\teor\tv2.16b, v2.16b, v16.16b\n\teor\tv2.16b, v2.16b, v18.16b\n\text\tv16.16b, v0.16b, v2.16b, #8\n\teor\tv1.16b, v1.16b, v0.16b\t// Karatsuba post-processing\n\teor\tv1.16b, v1.16b, v2.16b\n\teor\tv1.16b, v1.16b, v16.16b\t// Xm overlaps Xh.lo and Xl.hi\n\tins\tv0.d[1], v1.d[0]\t\t// Xh|Xl - 256-bit result\n\t// This is a no-op due to the ins instruction below.\n\t// ins\tv2.d[0], v1.d[1]\n\n\t// equivalent of reduction_avx from ghash-x86_64.pl\n\tshl\tv17.2d, v0.2d, #57\t\t// 1st phase\n\tshl\tv18.2d, v0.2d, #62\n\teor\tv18.16b, v18.16b, v17.16b\t//\n\tshl\tv17.2d, v0.2d, #63\n\teor\tv18.16b, v18.16b, v17.16b\t//\n\t// Note Xm contains {Xl.d[1], Xh.d[0]}.\n\teor\tv18.16b, v18.16b, v1.16b\n\tins\tv0.d[1], v18.d[0]\t\t// Xl.d[1] ^= t2.d[0]\n\tins\tv2.d[0], v18.d[1]\t\t// Xh.d[0] ^= t2.d[1]\n\n\tushr\tv18.2d, v0.2d, #1\t\t// 2nd phase\n\teor\tv2.16b, v2.16b,v0.16b\n\teor\tv0.16b, v0.16b,v18.16b\t//\n\tushr\tv18.2d, v18.2d, #6\n\tushr\tv0.2d, v0.2d, #1\t\t//\n\teor\tv0.16b, v0.16b, v2.16b\t//\n\teor\tv0.16b, v0.16b, v18.16b\t//\n\n\tsubs\tx3, x3, #16\n\tbne\t.Loop_neon\n\n\trev64\tv0.16b, v0.16b\t\t// byteswap Xi and write\n\text\tv0.16b, v0.16b, v0.16b, #8\n\tst1\t{v0.16b}, [x0]\n\n\tret\n.size\tgcm_ghash_neon,.-gcm_ghash_neon\n\n.section\t.rodata\n.align\t4\n.Lmasks:\n.quad\t0x0000ffffffffffff\t// k48\n.quad\t0x00000000ffffffff\t// k32\n.quad\t0x000000000000ffff\t// k16\n.quad\t0x0000000000000000\t// k0\n.byte\t71,72,65,83,72,32,102,111,114,32,65,82,77,118,56,44,32,100,101,114,105,118,101,100,32,102,114,111,109,32,65,82,77,118,52,32,118,101,114,115,105,111,110,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0\n.align\t2\n.align\t2\n#endif // !OPENSSL_NO_ASM && defined(OPENSSL_AARCH64) && defined(__ELF__)\n#if defined(__linux__) && defined(__ELF__)\n.section .note.GNU-stack,\"\",%progbits\n#endif\n\n" }, { "path": "Sources/CNIOBoringSSL/gen/bcm/ghash-neon-armv8-win.S", "content": "#define BORINGSSL_PREFIX CNIOBoringSSL\n// This file is generated from a similarly-named Perl script in the BoringSSL\n// source tree. Do not edit by hand.\n\n#include \n\n#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_AARCH64) && defined(_WIN32)\n#include \n\n.text\n\n.globl\tgcm_init_neon\n\n.def gcm_init_neon\n .type 32\n.endef\n.align\t4\ngcm_init_neon:\n\tAARCH64_VALID_CALL_TARGET\n\t// This function is adapted from gcm_init_v8. xC2 is t3.\n\tld1\t{v17.2d}, [x1]\t\t\t// load H\n\tmovi\tv19.16b, #0xe1\n\tshl\tv19.2d, v19.2d, #57\t\t// 0xc2.0\n\text\tv3.16b, v17.16b, v17.16b, #8\n\tushr\tv18.2d, v19.2d, #63\n\tdup\tv17.4s, v17.s[1]\n\text\tv16.16b, v18.16b, v19.16b, #8\t// t0=0xc2....01\n\tushr\tv18.2d, v3.2d, #63\n\tsshr\tv17.4s, v17.4s, #31\t\t// broadcast carry bit\n\tand\tv18.16b, v18.16b, v16.16b\n\tshl\tv3.2d, v3.2d, #1\n\text\tv18.16b, v18.16b, v18.16b, #8\n\tand\tv16.16b, v16.16b, v17.16b\n\torr\tv3.16b, v3.16b, v18.16b\t// H<<<=1\n\teor\tv5.16b, v3.16b, v16.16b\t// twisted H\n\tst1\t{v5.2d}, [x0]\t\t\t// store Htable[0]\n\tret\n\n\n.globl\tgcm_gmult_neon\n\n.def gcm_gmult_neon\n .type 32\n.endef\n.align\t4\ngcm_gmult_neon:\n\tAARCH64_VALID_CALL_TARGET\n\tld1\t{v3.16b}, [x0]\t\t// load Xi\n\tld1\t{v5.1d}, [x1], #8\t\t// load twisted H\n\tld1\t{v6.1d}, [x1]\n\tadrp\tx9, Lmasks\t\t// load constants\n\tadd\tx9, x9, :lo12:Lmasks\n\tld1\t{v24.2d, v25.2d}, [x9]\n\trev64\tv3.16b, v3.16b\t\t// byteswap Xi\n\text\tv3.16b, v3.16b, v3.16b, #8\n\teor\tv7.8b, v5.8b, v6.8b\t// Karatsuba pre-processing\n\n\tmov\tx3, #16\n\tb\tLgmult_neon\n\n\n.globl\tgcm_ghash_neon\n\n.def gcm_ghash_neon\n .type 32\n.endef\n.align\t4\ngcm_ghash_neon:\n\tAARCH64_VALID_CALL_TARGET\n\tld1\t{v0.16b}, [x0]\t\t// load Xi\n\tld1\t{v5.1d}, [x1], #8\t\t// load twisted H\n\tld1\t{v6.1d}, [x1]\n\tadrp\tx9, Lmasks\t\t// load constants\n\tadd\tx9, x9, :lo12:Lmasks\n\tld1\t{v24.2d, v25.2d}, [x9]\n\trev64\tv0.16b, v0.16b\t\t// byteswap Xi\n\text\tv0.16b, v0.16b, v0.16b, #8\n\teor\tv7.8b, v5.8b, v6.8b\t// Karatsuba pre-processing\n\nLoop_neon:\n\tld1\t{v3.16b}, [x2], #16\t// load inp\n\trev64\tv3.16b, v3.16b\t\t// byteswap inp\n\text\tv3.16b, v3.16b, v3.16b, #8\n\teor\tv3.16b, v3.16b, v0.16b\t// inp ^= Xi\n\nLgmult_neon:\n\t// Split the input into v3 and v4. (The upper halves are unused,\n\t// so it is okay to leave them alone.)\n\tins\tv4.d[0], v3.d[1]\n\text\tv16.8b, v5.8b, v5.8b, #1\t// A1\n\tpmull\tv16.8h, v16.8b, v3.8b\t\t// F = A1*B\n\text\tv0.8b, v3.8b, v3.8b, #1\t\t// B1\n\tpmull\tv0.8h, v5.8b, v0.8b\t\t// E = A*B1\n\text\tv17.8b, v5.8b, v5.8b, #2\t// A2\n\tpmull\tv17.8h, v17.8b, v3.8b\t\t// H = A2*B\n\text\tv19.8b, v3.8b, v3.8b, #2\t// B2\n\tpmull\tv19.8h, v5.8b, v19.8b\t\t// G = A*B2\n\text\tv18.8b, v5.8b, v5.8b, #3\t// A3\n\teor\tv16.16b, v16.16b, v0.16b\t// L = E + F\n\tpmull\tv18.8h, v18.8b, v3.8b\t\t// J = A3*B\n\text\tv0.8b, v3.8b, v3.8b, #3\t\t// B3\n\teor\tv17.16b, v17.16b, v19.16b\t// M = G + H\n\tpmull\tv0.8h, v5.8b, v0.8b\t\t// I = A*B3\n\n\t// Here we diverge from the 32-bit version. It computes the following\n\t// (instructions reordered for clarity):\n\t//\n\t// veor\t$t0#lo, $t0#lo, $t0#hi\t@ t0 = P0 + P1 (L)\n\t// vand\t$t0#hi, $t0#hi, $k48\n\t// veor\t$t0#lo, $t0#lo, $t0#hi\n\t//\n\t// veor\t$t1#lo, $t1#lo, $t1#hi\t@ t1 = P2 + P3 (M)\n\t// vand\t$t1#hi, $t1#hi, $k32\n\t// veor\t$t1#lo, $t1#lo, $t1#hi\n\t//\n\t// veor\t$t2#lo, $t2#lo, $t2#hi\t@ t2 = P4 + P5 (N)\n\t// vand\t$t2#hi, $t2#hi, $k16\n\t// veor\t$t2#lo, $t2#lo, $t2#hi\n\t//\n\t// veor\t$t3#lo, $t3#lo, $t3#hi\t@ t3 = P6 + P7 (K)\n\t// vmov.i64\t$t3#hi, #0\n\t//\n\t// $kN is a mask with the bottom N bits set. AArch64 cannot compute on\n\t// upper halves of SIMD registers, so we must split each half into\n\t// separate registers. To compensate, we pair computations up and\n\t// parallelize.\n\n\text\tv19.8b, v3.8b, v3.8b, #4\t// B4\n\teor\tv18.16b, v18.16b, v0.16b\t// N = I + J\n\tpmull\tv19.8h, v5.8b, v19.8b\t\t// K = A*B4\n\n\t// This can probably be scheduled more efficiently. For now, we just\n\t// pair up independent instructions.\n\tzip1\tv20.2d, v16.2d, v17.2d\n\tzip1\tv22.2d, v18.2d, v19.2d\n\tzip2\tv21.2d, v16.2d, v17.2d\n\tzip2\tv23.2d, v18.2d, v19.2d\n\teor\tv20.16b, v20.16b, v21.16b\n\teor\tv22.16b, v22.16b, v23.16b\n\tand\tv21.16b, v21.16b, v24.16b\n\tand\tv23.16b, v23.16b, v25.16b\n\teor\tv20.16b, v20.16b, v21.16b\n\teor\tv22.16b, v22.16b, v23.16b\n\tzip1\tv16.2d, v20.2d, v21.2d\n\tzip1\tv18.2d, v22.2d, v23.2d\n\tzip2\tv17.2d, v20.2d, v21.2d\n\tzip2\tv19.2d, v22.2d, v23.2d\n\n\text\tv16.16b, v16.16b, v16.16b, #15\t// t0 = t0 << 8\n\text\tv17.16b, v17.16b, v17.16b, #14\t// t1 = t1 << 16\n\tpmull\tv0.8h, v5.8b, v3.8b\t\t// D = A*B\n\text\tv19.16b, v19.16b, v19.16b, #12\t// t3 = t3 << 32\n\text\tv18.16b, v18.16b, v18.16b, #13\t// t2 = t2 << 24\n\teor\tv16.16b, v16.16b, v17.16b\n\teor\tv18.16b, v18.16b, v19.16b\n\teor\tv0.16b, v0.16b, v16.16b\n\teor\tv0.16b, v0.16b, v18.16b\n\teor\tv3.8b, v3.8b, v4.8b\t// Karatsuba pre-processing\n\text\tv16.8b, v7.8b, v7.8b, #1\t// A1\n\tpmull\tv16.8h, v16.8b, v3.8b\t\t// F = A1*B\n\text\tv1.8b, v3.8b, v3.8b, #1\t\t// B1\n\tpmull\tv1.8h, v7.8b, v1.8b\t\t// E = A*B1\n\text\tv17.8b, v7.8b, v7.8b, #2\t// A2\n\tpmull\tv17.8h, v17.8b, v3.8b\t\t// H = A2*B\n\text\tv19.8b, v3.8b, v3.8b, #2\t// B2\n\tpmull\tv19.8h, v7.8b, v19.8b\t\t// G = A*B2\n\text\tv18.8b, v7.8b, v7.8b, #3\t// A3\n\teor\tv16.16b, v16.16b, v1.16b\t// L = E + F\n\tpmull\tv18.8h, v18.8b, v3.8b\t\t// J = A3*B\n\text\tv1.8b, v3.8b, v3.8b, #3\t\t// B3\n\teor\tv17.16b, v17.16b, v19.16b\t// M = G + H\n\tpmull\tv1.8h, v7.8b, v1.8b\t\t// I = A*B3\n\n\t// Here we diverge from the 32-bit version. It computes the following\n\t// (instructions reordered for clarity):\n\t//\n\t// veor\t$t0#lo, $t0#lo, $t0#hi\t@ t0 = P0 + P1 (L)\n\t// vand\t$t0#hi, $t0#hi, $k48\n\t// veor\t$t0#lo, $t0#lo, $t0#hi\n\t//\n\t// veor\t$t1#lo, $t1#lo, $t1#hi\t@ t1 = P2 + P3 (M)\n\t// vand\t$t1#hi, $t1#hi, $k32\n\t// veor\t$t1#lo, $t1#lo, $t1#hi\n\t//\n\t// veor\t$t2#lo, $t2#lo, $t2#hi\t@ t2 = P4 + P5 (N)\n\t// vand\t$t2#hi, $t2#hi, $k16\n\t// veor\t$t2#lo, $t2#lo, $t2#hi\n\t//\n\t// veor\t$t3#lo, $t3#lo, $t3#hi\t@ t3 = P6 + P7 (K)\n\t// vmov.i64\t$t3#hi, #0\n\t//\n\t// $kN is a mask with the bottom N bits set. AArch64 cannot compute on\n\t// upper halves of SIMD registers, so we must split each half into\n\t// separate registers. To compensate, we pair computations up and\n\t// parallelize.\n\n\text\tv19.8b, v3.8b, v3.8b, #4\t// B4\n\teor\tv18.16b, v18.16b, v1.16b\t// N = I + J\n\tpmull\tv19.8h, v7.8b, v19.8b\t\t// K = A*B4\n\n\t// This can probably be scheduled more efficiently. For now, we just\n\t// pair up independent instructions.\n\tzip1\tv20.2d, v16.2d, v17.2d\n\tzip1\tv22.2d, v18.2d, v19.2d\n\tzip2\tv21.2d, v16.2d, v17.2d\n\tzip2\tv23.2d, v18.2d, v19.2d\n\teor\tv20.16b, v20.16b, v21.16b\n\teor\tv22.16b, v22.16b, v23.16b\n\tand\tv21.16b, v21.16b, v24.16b\n\tand\tv23.16b, v23.16b, v25.16b\n\teor\tv20.16b, v20.16b, v21.16b\n\teor\tv22.16b, v22.16b, v23.16b\n\tzip1\tv16.2d, v20.2d, v21.2d\n\tzip1\tv18.2d, v22.2d, v23.2d\n\tzip2\tv17.2d, v20.2d, v21.2d\n\tzip2\tv19.2d, v22.2d, v23.2d\n\n\text\tv16.16b, v16.16b, v16.16b, #15\t// t0 = t0 << 8\n\text\tv17.16b, v17.16b, v17.16b, #14\t// t1 = t1 << 16\n\tpmull\tv1.8h, v7.8b, v3.8b\t\t// D = A*B\n\text\tv19.16b, v19.16b, v19.16b, #12\t// t3 = t3 << 32\n\text\tv18.16b, v18.16b, v18.16b, #13\t// t2 = t2 << 24\n\teor\tv16.16b, v16.16b, v17.16b\n\teor\tv18.16b, v18.16b, v19.16b\n\teor\tv1.16b, v1.16b, v16.16b\n\teor\tv1.16b, v1.16b, v18.16b\n\text\tv16.8b, v6.8b, v6.8b, #1\t// A1\n\tpmull\tv16.8h, v16.8b, v4.8b\t\t// F = A1*B\n\text\tv2.8b, v4.8b, v4.8b, #1\t\t// B1\n\tpmull\tv2.8h, v6.8b, v2.8b\t\t// E = A*B1\n\text\tv17.8b, v6.8b, v6.8b, #2\t// A2\n\tpmull\tv17.8h, v17.8b, v4.8b\t\t// H = A2*B\n\text\tv19.8b, v4.8b, v4.8b, #2\t// B2\n\tpmull\tv19.8h, v6.8b, v19.8b\t\t// G = A*B2\n\text\tv18.8b, v6.8b, v6.8b, #3\t// A3\n\teor\tv16.16b, v16.16b, v2.16b\t// L = E + F\n\tpmull\tv18.8h, v18.8b, v4.8b\t\t// J = A3*B\n\text\tv2.8b, v4.8b, v4.8b, #3\t\t// B3\n\teor\tv17.16b, v17.16b, v19.16b\t// M = G + H\n\tpmull\tv2.8h, v6.8b, v2.8b\t\t// I = A*B3\n\n\t// Here we diverge from the 32-bit version. It computes the following\n\t// (instructions reordered for clarity):\n\t//\n\t// veor\t$t0#lo, $t0#lo, $t0#hi\t@ t0 = P0 + P1 (L)\n\t// vand\t$t0#hi, $t0#hi, $k48\n\t// veor\t$t0#lo, $t0#lo, $t0#hi\n\t//\n\t// veor\t$t1#lo, $t1#lo, $t1#hi\t@ t1 = P2 + P3 (M)\n\t// vand\t$t1#hi, $t1#hi, $k32\n\t// veor\t$t1#lo, $t1#lo, $t1#hi\n\t//\n\t// veor\t$t2#lo, $t2#lo, $t2#hi\t@ t2 = P4 + P5 (N)\n\t// vand\t$t2#hi, $t2#hi, $k16\n\t// veor\t$t2#lo, $t2#lo, $t2#hi\n\t//\n\t// veor\t$t3#lo, $t3#lo, $t3#hi\t@ t3 = P6 + P7 (K)\n\t// vmov.i64\t$t3#hi, #0\n\t//\n\t// $kN is a mask with the bottom N bits set. AArch64 cannot compute on\n\t// upper halves of SIMD registers, so we must split each half into\n\t// separate registers. To compensate, we pair computations up and\n\t// parallelize.\n\n\text\tv19.8b, v4.8b, v4.8b, #4\t// B4\n\teor\tv18.16b, v18.16b, v2.16b\t// N = I + J\n\tpmull\tv19.8h, v6.8b, v19.8b\t\t// K = A*B4\n\n\t// This can probably be scheduled more efficiently. For now, we just\n\t// pair up independent instructions.\n\tzip1\tv20.2d, v16.2d, v17.2d\n\tzip1\tv22.2d, v18.2d, v19.2d\n\tzip2\tv21.2d, v16.2d, v17.2d\n\tzip2\tv23.2d, v18.2d, v19.2d\n\teor\tv20.16b, v20.16b, v21.16b\n\teor\tv22.16b, v22.16b, v23.16b\n\tand\tv21.16b, v21.16b, v24.16b\n\tand\tv23.16b, v23.16b, v25.16b\n\teor\tv20.16b, v20.16b, v21.16b\n\teor\tv22.16b, v22.16b, v23.16b\n\tzip1\tv16.2d, v20.2d, v21.2d\n\tzip1\tv18.2d, v22.2d, v23.2d\n\tzip2\tv17.2d, v20.2d, v21.2d\n\tzip2\tv19.2d, v22.2d, v23.2d\n\n\text\tv16.16b, v16.16b, v16.16b, #15\t// t0 = t0 << 8\n\text\tv17.16b, v17.16b, v17.16b, #14\t// t1 = t1 << 16\n\tpmull\tv2.8h, v6.8b, v4.8b\t\t// D = A*B\n\text\tv19.16b, v19.16b, v19.16b, #12\t// t3 = t3 << 32\n\text\tv18.16b, v18.16b, v18.16b, #13\t// t2 = t2 << 24\n\teor\tv16.16b, v16.16b, v17.16b\n\teor\tv18.16b, v18.16b, v19.16b\n\teor\tv2.16b, v2.16b, v16.16b\n\teor\tv2.16b, v2.16b, v18.16b\n\text\tv16.16b, v0.16b, v2.16b, #8\n\teor\tv1.16b, v1.16b, v0.16b\t// Karatsuba post-processing\n\teor\tv1.16b, v1.16b, v2.16b\n\teor\tv1.16b, v1.16b, v16.16b\t// Xm overlaps Xh.lo and Xl.hi\n\tins\tv0.d[1], v1.d[0]\t\t// Xh|Xl - 256-bit result\n\t// This is a no-op due to the ins instruction below.\n\t// ins\tv2.d[0], v1.d[1]\n\n\t// equivalent of reduction_avx from ghash-x86_64.pl\n\tshl\tv17.2d, v0.2d, #57\t\t// 1st phase\n\tshl\tv18.2d, v0.2d, #62\n\teor\tv18.16b, v18.16b, v17.16b\t//\n\tshl\tv17.2d, v0.2d, #63\n\teor\tv18.16b, v18.16b, v17.16b\t//\n\t// Note Xm contains {Xl.d[1], Xh.d[0]}.\n\teor\tv18.16b, v18.16b, v1.16b\n\tins\tv0.d[1], v18.d[0]\t\t// Xl.d[1] ^= t2.d[0]\n\tins\tv2.d[0], v18.d[1]\t\t// Xh.d[0] ^= t2.d[1]\n\n\tushr\tv18.2d, v0.2d, #1\t\t// 2nd phase\n\teor\tv2.16b, v2.16b,v0.16b\n\teor\tv0.16b, v0.16b,v18.16b\t//\n\tushr\tv18.2d, v18.2d, #6\n\tushr\tv0.2d, v0.2d, #1\t\t//\n\teor\tv0.16b, v0.16b, v2.16b\t//\n\teor\tv0.16b, v0.16b, v18.16b\t//\n\n\tsubs\tx3, x3, #16\n\tbne\tLoop_neon\n\n\trev64\tv0.16b, v0.16b\t\t// byteswap Xi and write\n\text\tv0.16b, v0.16b, v0.16b, #8\n\tst1\t{v0.16b}, [x0]\n\n\tret\n\n\n.section\t.rodata\n.align\t4\nLmasks:\n.quad\t0x0000ffffffffffff\t// k48\n.quad\t0x00000000ffffffff\t// k32\n.quad\t0x000000000000ffff\t// k16\n.quad\t0x0000000000000000\t// k0\n.byte\t71,72,65,83,72,32,102,111,114,32,65,82,77,118,56,44,32,100,101,114,105,118,101,100,32,102,114,111,109,32,65,82,77,118,52,32,118,101,114,115,105,111,110,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0\n.align\t2\n.align\t2\n#endif // !OPENSSL_NO_ASM && defined(OPENSSL_AARCH64) && defined(_WIN32)\n#if defined(__linux__) && defined(__ELF__)\n.section .note.GNU-stack,\"\",%progbits\n#endif\n\n" }, { "path": "Sources/CNIOBoringSSL/gen/bcm/ghash-ssse3-x86-apple.S", "content": "#define BORINGSSL_PREFIX CNIOBoringSSL\n// This file is generated from a similarly-named Perl script in the BoringSSL\n// source tree. Do not edit by hand.\n\n#include \n\n#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86) && defined(__APPLE__)\n.text\n.globl\t_gcm_gmult_ssse3\n.private_extern\t_gcm_gmult_ssse3\n.align\t4\n_gcm_gmult_ssse3:\nL_gcm_gmult_ssse3_begin:\n\tpushl\t%ebp\n\tpushl\t%ebx\n\tpushl\t%esi\n\tpushl\t%edi\n\tmovl\t20(%esp),%edi\n\tmovl\t24(%esp),%esi\n\tmovdqu\t(%edi),%xmm0\n\tcall\tL000pic_point\nL000pic_point:\n\tpopl\t%eax\n\tmovdqa\tLreverse_bytes-L000pic_point(%eax),%xmm7\n\tmovdqa\tLlow4_mask-L000pic_point(%eax),%xmm2\n.byte\t102,15,56,0,199\n\tmovdqa\t%xmm2,%xmm1\n\tpandn\t%xmm0,%xmm1\n\tpsrld\t$4,%xmm1\n\tpand\t%xmm2,%xmm0\n\tpxor\t%xmm2,%xmm2\n\tpxor\t%xmm3,%xmm3\n\tmovl\t$5,%eax\nL001loop_row_1:\n\tmovdqu\t(%esi),%xmm4\n\tleal\t16(%esi),%esi\n\tmovdqa\t%xmm2,%xmm6\n.byte\t102,15,58,15,243,1\n\tmovdqa\t%xmm6,%xmm3\n\tpsrldq\t$1,%xmm2\n\tmovdqa\t%xmm4,%xmm5\n.byte\t102,15,56,0,224\n.byte\t102,15,56,0,233\n\tpxor\t%xmm5,%xmm2\n\tmovdqa\t%xmm4,%xmm5\n\tpsllq\t$60,%xmm5\n\tmovdqa\t%xmm5,%xmm6\n\tpslldq\t$8,%xmm6\n\tpxor\t%xmm6,%xmm3\n\tpsrldq\t$8,%xmm5\n\tpxor\t%xmm5,%xmm2\n\tpsrlq\t$4,%xmm4\n\tpxor\t%xmm4,%xmm2\n\tsubl\t$1,%eax\n\tjnz\tL001loop_row_1\n\tpxor\t%xmm3,%xmm2\n\tpsrlq\t$1,%xmm3\n\tpxor\t%xmm3,%xmm2\n\tpsrlq\t$1,%xmm3\n\tpxor\t%xmm3,%xmm2\n\tpsrlq\t$5,%xmm3\n\tpxor\t%xmm3,%xmm2\n\tpxor\t%xmm3,%xmm3\n\tmovl\t$5,%eax\nL002loop_row_2:\n\tmovdqu\t(%esi),%xmm4\n\tleal\t16(%esi),%esi\n\tmovdqa\t%xmm2,%xmm6\n.byte\t102,15,58,15,243,1\n\tmovdqa\t%xmm6,%xmm3\n\tpsrldq\t$1,%xmm2\n\tmovdqa\t%xmm4,%xmm5\n.byte\t102,15,56,0,224\n.byte\t102,15,56,0,233\n\tpxor\t%xmm5,%xmm2\n\tmovdqa\t%xmm4,%xmm5\n\tpsllq\t$60,%xmm5\n\tmovdqa\t%xmm5,%xmm6\n\tpslldq\t$8,%xmm6\n\tpxor\t%xmm6,%xmm3\n\tpsrldq\t$8,%xmm5\n\tpxor\t%xmm5,%xmm2\n\tpsrlq\t$4,%xmm4\n\tpxor\t%xmm4,%xmm2\n\tsubl\t$1,%eax\n\tjnz\tL002loop_row_2\n\tpxor\t%xmm3,%xmm2\n\tpsrlq\t$1,%xmm3\n\tpxor\t%xmm3,%xmm2\n\tpsrlq\t$1,%xmm3\n\tpxor\t%xmm3,%xmm2\n\tpsrlq\t$5,%xmm3\n\tpxor\t%xmm3,%xmm2\n\tpxor\t%xmm3,%xmm3\n\tmovl\t$6,%eax\nL003loop_row_3:\n\tmovdqu\t(%esi),%xmm4\n\tleal\t16(%esi),%esi\n\tmovdqa\t%xmm2,%xmm6\n.byte\t102,15,58,15,243,1\n\tmovdqa\t%xmm6,%xmm3\n\tpsrldq\t$1,%xmm2\n\tmovdqa\t%xmm4,%xmm5\n.byte\t102,15,56,0,224\n.byte\t102,15,56,0,233\n\tpxor\t%xmm5,%xmm2\n\tmovdqa\t%xmm4,%xmm5\n\tpsllq\t$60,%xmm5\n\tmovdqa\t%xmm5,%xmm6\n\tpslldq\t$8,%xmm6\n\tpxor\t%xmm6,%xmm3\n\tpsrldq\t$8,%xmm5\n\tpxor\t%xmm5,%xmm2\n\tpsrlq\t$4,%xmm4\n\tpxor\t%xmm4,%xmm2\n\tsubl\t$1,%eax\n\tjnz\tL003loop_row_3\n\tpxor\t%xmm3,%xmm2\n\tpsrlq\t$1,%xmm3\n\tpxor\t%xmm3,%xmm2\n\tpsrlq\t$1,%xmm3\n\tpxor\t%xmm3,%xmm2\n\tpsrlq\t$5,%xmm3\n\tpxor\t%xmm3,%xmm2\n\tpxor\t%xmm3,%xmm3\n.byte\t102,15,56,0,215\n\tmovdqu\t%xmm2,(%edi)\n\tpxor\t%xmm0,%xmm0\n\tpxor\t%xmm1,%xmm1\n\tpxor\t%xmm2,%xmm2\n\tpxor\t%xmm3,%xmm3\n\tpxor\t%xmm4,%xmm4\n\tpxor\t%xmm5,%xmm5\n\tpxor\t%xmm6,%xmm6\n\tpopl\t%edi\n\tpopl\t%esi\n\tpopl\t%ebx\n\tpopl\t%ebp\n\tret\n.globl\t_gcm_ghash_ssse3\n.private_extern\t_gcm_ghash_ssse3\n.align\t4\n_gcm_ghash_ssse3:\nL_gcm_ghash_ssse3_begin:\n\tpushl\t%ebp\n\tpushl\t%ebx\n\tpushl\t%esi\n\tpushl\t%edi\n\tmovl\t20(%esp),%edi\n\tmovl\t24(%esp),%esi\n\tmovl\t28(%esp),%edx\n\tmovl\t32(%esp),%ecx\n\tmovdqu\t(%edi),%xmm0\n\tcall\tL004pic_point\nL004pic_point:\n\tpopl\t%ebx\n\tmovdqa\tLreverse_bytes-L004pic_point(%ebx),%xmm7\n\tandl\t$-16,%ecx\n.byte\t102,15,56,0,199\n\tpxor\t%xmm3,%xmm3\nL005loop_ghash:\n\tmovdqa\tLlow4_mask-L004pic_point(%ebx),%xmm2\n\tmovdqu\t(%edx),%xmm1\n.byte\t102,15,56,0,207\n\tpxor\t%xmm1,%xmm0\n\tmovdqa\t%xmm2,%xmm1\n\tpandn\t%xmm0,%xmm1\n\tpsrld\t$4,%xmm1\n\tpand\t%xmm2,%xmm0\n\tpxor\t%xmm2,%xmm2\n\tmovl\t$5,%eax\nL006loop_row_4:\n\tmovdqu\t(%esi),%xmm4\n\tleal\t16(%esi),%esi\n\tmovdqa\t%xmm2,%xmm6\n.byte\t102,15,58,15,243,1\n\tmovdqa\t%xmm6,%xmm3\n\tpsrldq\t$1,%xmm2\n\tmovdqa\t%xmm4,%xmm5\n.byte\t102,15,56,0,224\n.byte\t102,15,56,0,233\n\tpxor\t%xmm5,%xmm2\n\tmovdqa\t%xmm4,%xmm5\n\tpsllq\t$60,%xmm5\n\tmovdqa\t%xmm5,%xmm6\n\tpslldq\t$8,%xmm6\n\tpxor\t%xmm6,%xmm3\n\tpsrldq\t$8,%xmm5\n\tpxor\t%xmm5,%xmm2\n\tpsrlq\t$4,%xmm4\n\tpxor\t%xmm4,%xmm2\n\tsubl\t$1,%eax\n\tjnz\tL006loop_row_4\n\tpxor\t%xmm3,%xmm2\n\tpsrlq\t$1,%xmm3\n\tpxor\t%xmm3,%xmm2\n\tpsrlq\t$1,%xmm3\n\tpxor\t%xmm3,%xmm2\n\tpsrlq\t$5,%xmm3\n\tpxor\t%xmm3,%xmm2\n\tpxor\t%xmm3,%xmm3\n\tmovl\t$5,%eax\nL007loop_row_5:\n\tmovdqu\t(%esi),%xmm4\n\tleal\t16(%esi),%esi\n\tmovdqa\t%xmm2,%xmm6\n.byte\t102,15,58,15,243,1\n\tmovdqa\t%xmm6,%xmm3\n\tpsrldq\t$1,%xmm2\n\tmovdqa\t%xmm4,%xmm5\n.byte\t102,15,56,0,224\n.byte\t102,15,56,0,233\n\tpxor\t%xmm5,%xmm2\n\tmovdqa\t%xmm4,%xmm5\n\tpsllq\t$60,%xmm5\n\tmovdqa\t%xmm5,%xmm6\n\tpslldq\t$8,%xmm6\n\tpxor\t%xmm6,%xmm3\n\tpsrldq\t$8,%xmm5\n\tpxor\t%xmm5,%xmm2\n\tpsrlq\t$4,%xmm4\n\tpxor\t%xmm4,%xmm2\n\tsubl\t$1,%eax\n\tjnz\tL007loop_row_5\n\tpxor\t%xmm3,%xmm2\n\tpsrlq\t$1,%xmm3\n\tpxor\t%xmm3,%xmm2\n\tpsrlq\t$1,%xmm3\n\tpxor\t%xmm3,%xmm2\n\tpsrlq\t$5,%xmm3\n\tpxor\t%xmm3,%xmm2\n\tpxor\t%xmm3,%xmm3\n\tmovl\t$6,%eax\nL008loop_row_6:\n\tmovdqu\t(%esi),%xmm4\n\tleal\t16(%esi),%esi\n\tmovdqa\t%xmm2,%xmm6\n.byte\t102,15,58,15,243,1\n\tmovdqa\t%xmm6,%xmm3\n\tpsrldq\t$1,%xmm2\n\tmovdqa\t%xmm4,%xmm5\n.byte\t102,15,56,0,224\n.byte\t102,15,56,0,233\n\tpxor\t%xmm5,%xmm2\n\tmovdqa\t%xmm4,%xmm5\n\tpsllq\t$60,%xmm5\n\tmovdqa\t%xmm5,%xmm6\n\tpslldq\t$8,%xmm6\n\tpxor\t%xmm6,%xmm3\n\tpsrldq\t$8,%xmm5\n\tpxor\t%xmm5,%xmm2\n\tpsrlq\t$4,%xmm4\n\tpxor\t%xmm4,%xmm2\n\tsubl\t$1,%eax\n\tjnz\tL008loop_row_6\n\tpxor\t%xmm3,%xmm2\n\tpsrlq\t$1,%xmm3\n\tpxor\t%xmm3,%xmm2\n\tpsrlq\t$1,%xmm3\n\tpxor\t%xmm3,%xmm2\n\tpsrlq\t$5,%xmm3\n\tpxor\t%xmm3,%xmm2\n\tpxor\t%xmm3,%xmm3\n\tmovdqa\t%xmm2,%xmm0\n\tleal\t-256(%esi),%esi\n\tleal\t16(%edx),%edx\n\tsubl\t$16,%ecx\n\tjnz\tL005loop_ghash\n.byte\t102,15,56,0,199\n\tmovdqu\t%xmm0,(%edi)\n\tpxor\t%xmm0,%xmm0\n\tpxor\t%xmm1,%xmm1\n\tpxor\t%xmm2,%xmm2\n\tpxor\t%xmm3,%xmm3\n\tpxor\t%xmm4,%xmm4\n\tpxor\t%xmm5,%xmm5\n\tpxor\t%xmm6,%xmm6\n\tpopl\t%edi\n\tpopl\t%esi\n\tpopl\t%ebx\n\tpopl\t%ebp\n\tret\n.align\t4,0x90\nLreverse_bytes:\n.byte\t15,14,13,12,11,10,9,8,7,6,5,4,3,2,1,0\n.align\t4,0x90\nLlow4_mask:\n.long\t252645135,252645135,252645135,252645135\n#endif // !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86) && defined(__APPLE__)\n#if defined(__linux__) && defined(__ELF__)\n.section .note.GNU-stack,\"\",%progbits\n#endif\n\n" }, { "path": "Sources/CNIOBoringSSL/gen/bcm/ghash-ssse3-x86-linux.S", "content": "#define BORINGSSL_PREFIX CNIOBoringSSL\n// This file is generated from a similarly-named Perl script in the BoringSSL\n// source tree. Do not edit by hand.\n\n#include \n\n#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86) && defined(__ELF__)\n.text\n.globl\tgcm_gmult_ssse3\n.hidden\tgcm_gmult_ssse3\n.type\tgcm_gmult_ssse3,@function\n.align\t16\ngcm_gmult_ssse3:\n.L_gcm_gmult_ssse3_begin:\n\tpushl\t%ebp\n\tpushl\t%ebx\n\tpushl\t%esi\n\tpushl\t%edi\n\tmovl\t20(%esp),%edi\n\tmovl\t24(%esp),%esi\n\tmovdqu\t(%edi),%xmm0\n\tcall\t.L000pic_point\n.L000pic_point:\n\tpopl\t%eax\n\tmovdqa\t.Lreverse_bytes-.L000pic_point(%eax),%xmm7\n\tmovdqa\t.Llow4_mask-.L000pic_point(%eax),%xmm2\n.byte\t102,15,56,0,199\n\tmovdqa\t%xmm2,%xmm1\n\tpandn\t%xmm0,%xmm1\n\tpsrld\t$4,%xmm1\n\tpand\t%xmm2,%xmm0\n\tpxor\t%xmm2,%xmm2\n\tpxor\t%xmm3,%xmm3\n\tmovl\t$5,%eax\n.L001loop_row_1:\n\tmovdqu\t(%esi),%xmm4\n\tleal\t16(%esi),%esi\n\tmovdqa\t%xmm2,%xmm6\n.byte\t102,15,58,15,243,1\n\tmovdqa\t%xmm6,%xmm3\n\tpsrldq\t$1,%xmm2\n\tmovdqa\t%xmm4,%xmm5\n.byte\t102,15,56,0,224\n.byte\t102,15,56,0,233\n\tpxor\t%xmm5,%xmm2\n\tmovdqa\t%xmm4,%xmm5\n\tpsllq\t$60,%xmm5\n\tmovdqa\t%xmm5,%xmm6\n\tpslldq\t$8,%xmm6\n\tpxor\t%xmm6,%xmm3\n\tpsrldq\t$8,%xmm5\n\tpxor\t%xmm5,%xmm2\n\tpsrlq\t$4,%xmm4\n\tpxor\t%xmm4,%xmm2\n\tsubl\t$1,%eax\n\tjnz\t.L001loop_row_1\n\tpxor\t%xmm3,%xmm2\n\tpsrlq\t$1,%xmm3\n\tpxor\t%xmm3,%xmm2\n\tpsrlq\t$1,%xmm3\n\tpxor\t%xmm3,%xmm2\n\tpsrlq\t$5,%xmm3\n\tpxor\t%xmm3,%xmm2\n\tpxor\t%xmm3,%xmm3\n\tmovl\t$5,%eax\n.L002loop_row_2:\n\tmovdqu\t(%esi),%xmm4\n\tleal\t16(%esi),%esi\n\tmovdqa\t%xmm2,%xmm6\n.byte\t102,15,58,15,243,1\n\tmovdqa\t%xmm6,%xmm3\n\tpsrldq\t$1,%xmm2\n\tmovdqa\t%xmm4,%xmm5\n.byte\t102,15,56,0,224\n.byte\t102,15,56,0,233\n\tpxor\t%xmm5,%xmm2\n\tmovdqa\t%xmm4,%xmm5\n\tpsllq\t$60,%xmm5\n\tmovdqa\t%xmm5,%xmm6\n\tpslldq\t$8,%xmm6\n\tpxor\t%xmm6,%xmm3\n\tpsrldq\t$8,%xmm5\n\tpxor\t%xmm5,%xmm2\n\tpsrlq\t$4,%xmm4\n\tpxor\t%xmm4,%xmm2\n\tsubl\t$1,%eax\n\tjnz\t.L002loop_row_2\n\tpxor\t%xmm3,%xmm2\n\tpsrlq\t$1,%xmm3\n\tpxor\t%xmm3,%xmm2\n\tpsrlq\t$1,%xmm3\n\tpxor\t%xmm3,%xmm2\n\tpsrlq\t$5,%xmm3\n\tpxor\t%xmm3,%xmm2\n\tpxor\t%xmm3,%xmm3\n\tmovl\t$6,%eax\n.L003loop_row_3:\n\tmovdqu\t(%esi),%xmm4\n\tleal\t16(%esi),%esi\n\tmovdqa\t%xmm2,%xmm6\n.byte\t102,15,58,15,243,1\n\tmovdqa\t%xmm6,%xmm3\n\tpsrldq\t$1,%xmm2\n\tmovdqa\t%xmm4,%xmm5\n.byte\t102,15,56,0,224\n.byte\t102,15,56,0,233\n\tpxor\t%xmm5,%xmm2\n\tmovdqa\t%xmm4,%xmm5\n\tpsllq\t$60,%xmm5\n\tmovdqa\t%xmm5,%xmm6\n\tpslldq\t$8,%xmm6\n\tpxor\t%xmm6,%xmm3\n\tpsrldq\t$8,%xmm5\n\tpxor\t%xmm5,%xmm2\n\tpsrlq\t$4,%xmm4\n\tpxor\t%xmm4,%xmm2\n\tsubl\t$1,%eax\n\tjnz\t.L003loop_row_3\n\tpxor\t%xmm3,%xmm2\n\tpsrlq\t$1,%xmm3\n\tpxor\t%xmm3,%xmm2\n\tpsrlq\t$1,%xmm3\n\tpxor\t%xmm3,%xmm2\n\tpsrlq\t$5,%xmm3\n\tpxor\t%xmm3,%xmm2\n\tpxor\t%xmm3,%xmm3\n.byte\t102,15,56,0,215\n\tmovdqu\t%xmm2,(%edi)\n\tpxor\t%xmm0,%xmm0\n\tpxor\t%xmm1,%xmm1\n\tpxor\t%xmm2,%xmm2\n\tpxor\t%xmm3,%xmm3\n\tpxor\t%xmm4,%xmm4\n\tpxor\t%xmm5,%xmm5\n\tpxor\t%xmm6,%xmm6\n\tpopl\t%edi\n\tpopl\t%esi\n\tpopl\t%ebx\n\tpopl\t%ebp\n\tret\n.size\tgcm_gmult_ssse3,.-.L_gcm_gmult_ssse3_begin\n.globl\tgcm_ghash_ssse3\n.hidden\tgcm_ghash_ssse3\n.type\tgcm_ghash_ssse3,@function\n.align\t16\ngcm_ghash_ssse3:\n.L_gcm_ghash_ssse3_begin:\n\tpushl\t%ebp\n\tpushl\t%ebx\n\tpushl\t%esi\n\tpushl\t%edi\n\tmovl\t20(%esp),%edi\n\tmovl\t24(%esp),%esi\n\tmovl\t28(%esp),%edx\n\tmovl\t32(%esp),%ecx\n\tmovdqu\t(%edi),%xmm0\n\tcall\t.L004pic_point\n.L004pic_point:\n\tpopl\t%ebx\n\tmovdqa\t.Lreverse_bytes-.L004pic_point(%ebx),%xmm7\n\tandl\t$-16,%ecx\n.byte\t102,15,56,0,199\n\tpxor\t%xmm3,%xmm3\n.L005loop_ghash:\n\tmovdqa\t.Llow4_mask-.L004pic_point(%ebx),%xmm2\n\tmovdqu\t(%edx),%xmm1\n.byte\t102,15,56,0,207\n\tpxor\t%xmm1,%xmm0\n\tmovdqa\t%xmm2,%xmm1\n\tpandn\t%xmm0,%xmm1\n\tpsrld\t$4,%xmm1\n\tpand\t%xmm2,%xmm0\n\tpxor\t%xmm2,%xmm2\n\tmovl\t$5,%eax\n.L006loop_row_4:\n\tmovdqu\t(%esi),%xmm4\n\tleal\t16(%esi),%esi\n\tmovdqa\t%xmm2,%xmm6\n.byte\t102,15,58,15,243,1\n\tmovdqa\t%xmm6,%xmm3\n\tpsrldq\t$1,%xmm2\n\tmovdqa\t%xmm4,%xmm5\n.byte\t102,15,56,0,224\n.byte\t102,15,56,0,233\n\tpxor\t%xmm5,%xmm2\n\tmovdqa\t%xmm4,%xmm5\n\tpsllq\t$60,%xmm5\n\tmovdqa\t%xmm5,%xmm6\n\tpslldq\t$8,%xmm6\n\tpxor\t%xmm6,%xmm3\n\tpsrldq\t$8,%xmm5\n\tpxor\t%xmm5,%xmm2\n\tpsrlq\t$4,%xmm4\n\tpxor\t%xmm4,%xmm2\n\tsubl\t$1,%eax\n\tjnz\t.L006loop_row_4\n\tpxor\t%xmm3,%xmm2\n\tpsrlq\t$1,%xmm3\n\tpxor\t%xmm3,%xmm2\n\tpsrlq\t$1,%xmm3\n\tpxor\t%xmm3,%xmm2\n\tpsrlq\t$5,%xmm3\n\tpxor\t%xmm3,%xmm2\n\tpxor\t%xmm3,%xmm3\n\tmovl\t$5,%eax\n.L007loop_row_5:\n\tmovdqu\t(%esi),%xmm4\n\tleal\t16(%esi),%esi\n\tmovdqa\t%xmm2,%xmm6\n.byte\t102,15,58,15,243,1\n\tmovdqa\t%xmm6,%xmm3\n\tpsrldq\t$1,%xmm2\n\tmovdqa\t%xmm4,%xmm5\n.byte\t102,15,56,0,224\n.byte\t102,15,56,0,233\n\tpxor\t%xmm5,%xmm2\n\tmovdqa\t%xmm4,%xmm5\n\tpsllq\t$60,%xmm5\n\tmovdqa\t%xmm5,%xmm6\n\tpslldq\t$8,%xmm6\n\tpxor\t%xmm6,%xmm3\n\tpsrldq\t$8,%xmm5\n\tpxor\t%xmm5,%xmm2\n\tpsrlq\t$4,%xmm4\n\tpxor\t%xmm4,%xmm2\n\tsubl\t$1,%eax\n\tjnz\t.L007loop_row_5\n\tpxor\t%xmm3,%xmm2\n\tpsrlq\t$1,%xmm3\n\tpxor\t%xmm3,%xmm2\n\tpsrlq\t$1,%xmm3\n\tpxor\t%xmm3,%xmm2\n\tpsrlq\t$5,%xmm3\n\tpxor\t%xmm3,%xmm2\n\tpxor\t%xmm3,%xmm3\n\tmovl\t$6,%eax\n.L008loop_row_6:\n\tmovdqu\t(%esi),%xmm4\n\tleal\t16(%esi),%esi\n\tmovdqa\t%xmm2,%xmm6\n.byte\t102,15,58,15,243,1\n\tmovdqa\t%xmm6,%xmm3\n\tpsrldq\t$1,%xmm2\n\tmovdqa\t%xmm4,%xmm5\n.byte\t102,15,56,0,224\n.byte\t102,15,56,0,233\n\tpxor\t%xmm5,%xmm2\n\tmovdqa\t%xmm4,%xmm5\n\tpsllq\t$60,%xmm5\n\tmovdqa\t%xmm5,%xmm6\n\tpslldq\t$8,%xmm6\n\tpxor\t%xmm6,%xmm3\n\tpsrldq\t$8,%xmm5\n\tpxor\t%xmm5,%xmm2\n\tpsrlq\t$4,%xmm4\n\tpxor\t%xmm4,%xmm2\n\tsubl\t$1,%eax\n\tjnz\t.L008loop_row_6\n\tpxor\t%xmm3,%xmm2\n\tpsrlq\t$1,%xmm3\n\tpxor\t%xmm3,%xmm2\n\tpsrlq\t$1,%xmm3\n\tpxor\t%xmm3,%xmm2\n\tpsrlq\t$5,%xmm3\n\tpxor\t%xmm3,%xmm2\n\tpxor\t%xmm3,%xmm3\n\tmovdqa\t%xmm2,%xmm0\n\tleal\t-256(%esi),%esi\n\tleal\t16(%edx),%edx\n\tsubl\t$16,%ecx\n\tjnz\t.L005loop_ghash\n.byte\t102,15,56,0,199\n\tmovdqu\t%xmm0,(%edi)\n\tpxor\t%xmm0,%xmm0\n\tpxor\t%xmm1,%xmm1\n\tpxor\t%xmm2,%xmm2\n\tpxor\t%xmm3,%xmm3\n\tpxor\t%xmm4,%xmm4\n\tpxor\t%xmm5,%xmm5\n\tpxor\t%xmm6,%xmm6\n\tpopl\t%edi\n\tpopl\t%esi\n\tpopl\t%ebx\n\tpopl\t%ebp\n\tret\n.size\tgcm_ghash_ssse3,.-.L_gcm_ghash_ssse3_begin\n.align\t16\n.Lreverse_bytes:\n.byte\t15,14,13,12,11,10,9,8,7,6,5,4,3,2,1,0\n.align\t16\n.Llow4_mask:\n.long\t252645135,252645135,252645135,252645135\n#endif // !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86) && defined(__ELF__)\n#if defined(__linux__) && defined(__ELF__)\n.section .note.GNU-stack,\"\",%progbits\n#endif\n\n" }, { "path": "Sources/CNIOBoringSSL/gen/bcm/ghash-ssse3-x86_64-apple.S", "content": "#define BORINGSSL_PREFIX CNIOBoringSSL\n// This file is generated from a similarly-named Perl script in the BoringSSL\n// source tree. Do not edit by hand.\n\n#include \n\n#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86_64) && defined(__APPLE__)\n.text\t\n\n\n\n\n\n\n.globl\t_gcm_gmult_ssse3\n.private_extern _gcm_gmult_ssse3\n.p2align\t4\n_gcm_gmult_ssse3:\n\n\n_CET_ENDBR\n\tmovdqu\t(%rdi),%xmm0\n\tmovdqa\tL$reverse_bytes(%rip),%xmm10\n\tmovdqa\tL$low4_mask(%rip),%xmm2\n\n\n.byte\t102,65,15,56,0,194\n\n\n\tmovdqa\t%xmm2,%xmm1\n\tpandn\t%xmm0,%xmm1\n\tpsrld\t$4,%xmm1\n\tpand\t%xmm2,%xmm0\n\n\n\n\n\tpxor\t%xmm2,%xmm2\n\tpxor\t%xmm3,%xmm3\n\tmovq\t$5,%rax\nL$oop_row_1:\n\tmovdqu\t(%rsi),%xmm4\n\tleaq\t16(%rsi),%rsi\n\n\n\tmovdqa\t%xmm2,%xmm6\n.byte\t102,15,58,15,243,1\n\tmovdqa\t%xmm6,%xmm3\n\tpsrldq\t$1,%xmm2\n\n\n\n\n\tmovdqa\t%xmm4,%xmm5\n.byte\t102,15,56,0,224\n.byte\t102,15,56,0,233\n\n\n\tpxor\t%xmm5,%xmm2\n\n\n\n\tmovdqa\t%xmm4,%xmm5\n\tpsllq\t$60,%xmm5\n\tmovdqa\t%xmm5,%xmm6\n\tpslldq\t$8,%xmm6\n\tpxor\t%xmm6,%xmm3\n\n\n\tpsrldq\t$8,%xmm5\n\tpxor\t%xmm5,%xmm2\n\tpsrlq\t$4,%xmm4\n\tpxor\t%xmm4,%xmm2\n\n\tsubq\t$1,%rax\n\tjnz\tL$oop_row_1\n\n\n\n\tpxor\t%xmm3,%xmm2\n\tpsrlq\t$1,%xmm3\n\tpxor\t%xmm3,%xmm2\n\tpsrlq\t$1,%xmm3\n\tpxor\t%xmm3,%xmm2\n\tpsrlq\t$5,%xmm3\n\tpxor\t%xmm3,%xmm2\n\tpxor\t%xmm3,%xmm3\n\tmovq\t$5,%rax\nL$oop_row_2:\n\tmovdqu\t(%rsi),%xmm4\n\tleaq\t16(%rsi),%rsi\n\n\n\tmovdqa\t%xmm2,%xmm6\n.byte\t102,15,58,15,243,1\n\tmovdqa\t%xmm6,%xmm3\n\tpsrldq\t$1,%xmm2\n\n\n\n\n\tmovdqa\t%xmm4,%xmm5\n.byte\t102,15,56,0,224\n.byte\t102,15,56,0,233\n\n\n\tpxor\t%xmm5,%xmm2\n\n\n\n\tmovdqa\t%xmm4,%xmm5\n\tpsllq\t$60,%xmm5\n\tmovdqa\t%xmm5,%xmm6\n\tpslldq\t$8,%xmm6\n\tpxor\t%xmm6,%xmm3\n\n\n\tpsrldq\t$8,%xmm5\n\tpxor\t%xmm5,%xmm2\n\tpsrlq\t$4,%xmm4\n\tpxor\t%xmm4,%xmm2\n\n\tsubq\t$1,%rax\n\tjnz\tL$oop_row_2\n\n\n\n\tpxor\t%xmm3,%xmm2\n\tpsrlq\t$1,%xmm3\n\tpxor\t%xmm3,%xmm2\n\tpsrlq\t$1,%xmm3\n\tpxor\t%xmm3,%xmm2\n\tpsrlq\t$5,%xmm3\n\tpxor\t%xmm3,%xmm2\n\tpxor\t%xmm3,%xmm3\n\tmovq\t$6,%rax\nL$oop_row_3:\n\tmovdqu\t(%rsi),%xmm4\n\tleaq\t16(%rsi),%rsi\n\n\n\tmovdqa\t%xmm2,%xmm6\n.byte\t102,15,58,15,243,1\n\tmovdqa\t%xmm6,%xmm3\n\tpsrldq\t$1,%xmm2\n\n\n\n\n\tmovdqa\t%xmm4,%xmm5\n.byte\t102,15,56,0,224\n.byte\t102,15,56,0,233\n\n\n\tpxor\t%xmm5,%xmm2\n\n\n\n\tmovdqa\t%xmm4,%xmm5\n\tpsllq\t$60,%xmm5\n\tmovdqa\t%xmm5,%xmm6\n\tpslldq\t$8,%xmm6\n\tpxor\t%xmm6,%xmm3\n\n\n\tpsrldq\t$8,%xmm5\n\tpxor\t%xmm5,%xmm2\n\tpsrlq\t$4,%xmm4\n\tpxor\t%xmm4,%xmm2\n\n\tsubq\t$1,%rax\n\tjnz\tL$oop_row_3\n\n\n\n\tpxor\t%xmm3,%xmm2\n\tpsrlq\t$1,%xmm3\n\tpxor\t%xmm3,%xmm2\n\tpsrlq\t$1,%xmm3\n\tpxor\t%xmm3,%xmm2\n\tpsrlq\t$5,%xmm3\n\tpxor\t%xmm3,%xmm2\n\tpxor\t%xmm3,%xmm3\n\n.byte\t102,65,15,56,0,210\n\tmovdqu\t%xmm2,(%rdi)\n\n\n\tpxor\t%xmm0,%xmm0\n\tpxor\t%xmm1,%xmm1\n\tpxor\t%xmm2,%xmm2\n\tpxor\t%xmm3,%xmm3\n\tpxor\t%xmm4,%xmm4\n\tpxor\t%xmm5,%xmm5\n\tpxor\t%xmm6,%xmm6\n\tret\n\n\n\n\n\n\n\n\n\n.globl\t_gcm_ghash_ssse3\n.private_extern _gcm_ghash_ssse3\n.p2align\t4\n_gcm_ghash_ssse3:\n\n\n_CET_ENDBR\n\tmovdqu\t(%rdi),%xmm0\n\tmovdqa\tL$reverse_bytes(%rip),%xmm10\n\tmovdqa\tL$low4_mask(%rip),%xmm11\n\n\n\tandq\t$-16,%rcx\n\n\n\n.byte\t102,65,15,56,0,194\n\n\n\tpxor\t%xmm3,%xmm3\nL$oop_ghash:\n\n\tmovdqu\t(%rdx),%xmm1\n.byte\t102,65,15,56,0,202\n\tpxor\t%xmm1,%xmm0\n\n\n\tmovdqa\t%xmm11,%xmm1\n\tpandn\t%xmm0,%xmm1\n\tpsrld\t$4,%xmm1\n\tpand\t%xmm11,%xmm0\n\n\n\n\n\tpxor\t%xmm2,%xmm2\n\n\tmovq\t$5,%rax\nL$oop_row_4:\n\tmovdqu\t(%rsi),%xmm4\n\tleaq\t16(%rsi),%rsi\n\n\n\tmovdqa\t%xmm2,%xmm6\n.byte\t102,15,58,15,243,1\n\tmovdqa\t%xmm6,%xmm3\n\tpsrldq\t$1,%xmm2\n\n\n\n\n\tmovdqa\t%xmm4,%xmm5\n.byte\t102,15,56,0,224\n.byte\t102,15,56,0,233\n\n\n\tpxor\t%xmm5,%xmm2\n\n\n\n\tmovdqa\t%xmm4,%xmm5\n\tpsllq\t$60,%xmm5\n\tmovdqa\t%xmm5,%xmm6\n\tpslldq\t$8,%xmm6\n\tpxor\t%xmm6,%xmm3\n\n\n\tpsrldq\t$8,%xmm5\n\tpxor\t%xmm5,%xmm2\n\tpsrlq\t$4,%xmm4\n\tpxor\t%xmm4,%xmm2\n\n\tsubq\t$1,%rax\n\tjnz\tL$oop_row_4\n\n\n\n\tpxor\t%xmm3,%xmm2\n\tpsrlq\t$1,%xmm3\n\tpxor\t%xmm3,%xmm2\n\tpsrlq\t$1,%xmm3\n\tpxor\t%xmm3,%xmm2\n\tpsrlq\t$5,%xmm3\n\tpxor\t%xmm3,%xmm2\n\tpxor\t%xmm3,%xmm3\n\tmovq\t$5,%rax\nL$oop_row_5:\n\tmovdqu\t(%rsi),%xmm4\n\tleaq\t16(%rsi),%rsi\n\n\n\tmovdqa\t%xmm2,%xmm6\n.byte\t102,15,58,15,243,1\n\tmovdqa\t%xmm6,%xmm3\n\tpsrldq\t$1,%xmm2\n\n\n\n\n\tmovdqa\t%xmm4,%xmm5\n.byte\t102,15,56,0,224\n.byte\t102,15,56,0,233\n\n\n\tpxor\t%xmm5,%xmm2\n\n\n\n\tmovdqa\t%xmm4,%xmm5\n\tpsllq\t$60,%xmm5\n\tmovdqa\t%xmm5,%xmm6\n\tpslldq\t$8,%xmm6\n\tpxor\t%xmm6,%xmm3\n\n\n\tpsrldq\t$8,%xmm5\n\tpxor\t%xmm5,%xmm2\n\tpsrlq\t$4,%xmm4\n\tpxor\t%xmm4,%xmm2\n\n\tsubq\t$1,%rax\n\tjnz\tL$oop_row_5\n\n\n\n\tpxor\t%xmm3,%xmm2\n\tpsrlq\t$1,%xmm3\n\tpxor\t%xmm3,%xmm2\n\tpsrlq\t$1,%xmm3\n\tpxor\t%xmm3,%xmm2\n\tpsrlq\t$5,%xmm3\n\tpxor\t%xmm3,%xmm2\n\tpxor\t%xmm3,%xmm3\n\tmovq\t$6,%rax\nL$oop_row_6:\n\tmovdqu\t(%rsi),%xmm4\n\tleaq\t16(%rsi),%rsi\n\n\n\tmovdqa\t%xmm2,%xmm6\n.byte\t102,15,58,15,243,1\n\tmovdqa\t%xmm6,%xmm3\n\tpsrldq\t$1,%xmm2\n\n\n\n\n\tmovdqa\t%xmm4,%xmm5\n.byte\t102,15,56,0,224\n.byte\t102,15,56,0,233\n\n\n\tpxor\t%xmm5,%xmm2\n\n\n\n\tmovdqa\t%xmm4,%xmm5\n\tpsllq\t$60,%xmm5\n\tmovdqa\t%xmm5,%xmm6\n\tpslldq\t$8,%xmm6\n\tpxor\t%xmm6,%xmm3\n\n\n\tpsrldq\t$8,%xmm5\n\tpxor\t%xmm5,%xmm2\n\tpsrlq\t$4,%xmm4\n\tpxor\t%xmm4,%xmm2\n\n\tsubq\t$1,%rax\n\tjnz\tL$oop_row_6\n\n\n\n\tpxor\t%xmm3,%xmm2\n\tpsrlq\t$1,%xmm3\n\tpxor\t%xmm3,%xmm2\n\tpsrlq\t$1,%xmm3\n\tpxor\t%xmm3,%xmm2\n\tpsrlq\t$5,%xmm3\n\tpxor\t%xmm3,%xmm2\n\tpxor\t%xmm3,%xmm3\n\tmovdqa\t%xmm2,%xmm0\n\n\n\tleaq\t-256(%rsi),%rsi\n\n\n\tleaq\t16(%rdx),%rdx\n\tsubq\t$16,%rcx\n\tjnz\tL$oop_ghash\n\n\n.byte\t102,65,15,56,0,194\n\tmovdqu\t%xmm0,(%rdi)\n\n\n\tpxor\t%xmm0,%xmm0\n\tpxor\t%xmm1,%xmm1\n\tpxor\t%xmm2,%xmm2\n\tpxor\t%xmm3,%xmm3\n\tpxor\t%xmm4,%xmm4\n\tpxor\t%xmm5,%xmm5\n\tpxor\t%xmm6,%xmm6\n\tret\n\n\n\n\n.section\t__DATA,__const\n.p2align\t4\n\n\nL$reverse_bytes:\n.byte\t15, 14, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 0\n\nL$low4_mask:\n.quad\t0x0f0f0f0f0f0f0f0f, 0x0f0f0f0f0f0f0f0f\n.text\t\n#endif\n#if defined(__linux__) && defined(__ELF__)\n.section .note.GNU-stack,\"\",%progbits\n#endif\n\n" }, { "path": "Sources/CNIOBoringSSL/gen/bcm/ghash-ssse3-x86_64-linux.S", "content": "#define BORINGSSL_PREFIX CNIOBoringSSL\n// This file is generated from a similarly-named Perl script in the BoringSSL\n// source tree. Do not edit by hand.\n\n#include \n\n#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86_64) && defined(__ELF__)\n.text\t\n\n\n\n\n\n.type\tgcm_gmult_ssse3, @function\n.globl\tgcm_gmult_ssse3\n.hidden gcm_gmult_ssse3\n.align\t16\ngcm_gmult_ssse3:\n.cfi_startproc\t\n\n_CET_ENDBR\n\tmovdqu\t(%rdi),%xmm0\n\tmovdqa\t.Lreverse_bytes(%rip),%xmm10\n\tmovdqa\t.Llow4_mask(%rip),%xmm2\n\n\n.byte\t102,65,15,56,0,194\n\n\n\tmovdqa\t%xmm2,%xmm1\n\tpandn\t%xmm0,%xmm1\n\tpsrld\t$4,%xmm1\n\tpand\t%xmm2,%xmm0\n\n\n\n\n\tpxor\t%xmm2,%xmm2\n\tpxor\t%xmm3,%xmm3\n\tmovq\t$5,%rax\n.Loop_row_1:\n\tmovdqu\t(%rsi),%xmm4\n\tleaq\t16(%rsi),%rsi\n\n\n\tmovdqa\t%xmm2,%xmm6\n.byte\t102,15,58,15,243,1\n\tmovdqa\t%xmm6,%xmm3\n\tpsrldq\t$1,%xmm2\n\n\n\n\n\tmovdqa\t%xmm4,%xmm5\n.byte\t102,15,56,0,224\n.byte\t102,15,56,0,233\n\n\n\tpxor\t%xmm5,%xmm2\n\n\n\n\tmovdqa\t%xmm4,%xmm5\n\tpsllq\t$60,%xmm5\n\tmovdqa\t%xmm5,%xmm6\n\tpslldq\t$8,%xmm6\n\tpxor\t%xmm6,%xmm3\n\n\n\tpsrldq\t$8,%xmm5\n\tpxor\t%xmm5,%xmm2\n\tpsrlq\t$4,%xmm4\n\tpxor\t%xmm4,%xmm2\n\n\tsubq\t$1,%rax\n\tjnz\t.Loop_row_1\n\n\n\n\tpxor\t%xmm3,%xmm2\n\tpsrlq\t$1,%xmm3\n\tpxor\t%xmm3,%xmm2\n\tpsrlq\t$1,%xmm3\n\tpxor\t%xmm3,%xmm2\n\tpsrlq\t$5,%xmm3\n\tpxor\t%xmm3,%xmm2\n\tpxor\t%xmm3,%xmm3\n\tmovq\t$5,%rax\n.Loop_row_2:\n\tmovdqu\t(%rsi),%xmm4\n\tleaq\t16(%rsi),%rsi\n\n\n\tmovdqa\t%xmm2,%xmm6\n.byte\t102,15,58,15,243,1\n\tmovdqa\t%xmm6,%xmm3\n\tpsrldq\t$1,%xmm2\n\n\n\n\n\tmovdqa\t%xmm4,%xmm5\n.byte\t102,15,56,0,224\n.byte\t102,15,56,0,233\n\n\n\tpxor\t%xmm5,%xmm2\n\n\n\n\tmovdqa\t%xmm4,%xmm5\n\tpsllq\t$60,%xmm5\n\tmovdqa\t%xmm5,%xmm6\n\tpslldq\t$8,%xmm6\n\tpxor\t%xmm6,%xmm3\n\n\n\tpsrldq\t$8,%xmm5\n\tpxor\t%xmm5,%xmm2\n\tpsrlq\t$4,%xmm4\n\tpxor\t%xmm4,%xmm2\n\n\tsubq\t$1,%rax\n\tjnz\t.Loop_row_2\n\n\n\n\tpxor\t%xmm3,%xmm2\n\tpsrlq\t$1,%xmm3\n\tpxor\t%xmm3,%xmm2\n\tpsrlq\t$1,%xmm3\n\tpxor\t%xmm3,%xmm2\n\tpsrlq\t$5,%xmm3\n\tpxor\t%xmm3,%xmm2\n\tpxor\t%xmm3,%xmm3\n\tmovq\t$6,%rax\n.Loop_row_3:\n\tmovdqu\t(%rsi),%xmm4\n\tleaq\t16(%rsi),%rsi\n\n\n\tmovdqa\t%xmm2,%xmm6\n.byte\t102,15,58,15,243,1\n\tmovdqa\t%xmm6,%xmm3\n\tpsrldq\t$1,%xmm2\n\n\n\n\n\tmovdqa\t%xmm4,%xmm5\n.byte\t102,15,56,0,224\n.byte\t102,15,56,0,233\n\n\n\tpxor\t%xmm5,%xmm2\n\n\n\n\tmovdqa\t%xmm4,%xmm5\n\tpsllq\t$60,%xmm5\n\tmovdqa\t%xmm5,%xmm6\n\tpslldq\t$8,%xmm6\n\tpxor\t%xmm6,%xmm3\n\n\n\tpsrldq\t$8,%xmm5\n\tpxor\t%xmm5,%xmm2\n\tpsrlq\t$4,%xmm4\n\tpxor\t%xmm4,%xmm2\n\n\tsubq\t$1,%rax\n\tjnz\t.Loop_row_3\n\n\n\n\tpxor\t%xmm3,%xmm2\n\tpsrlq\t$1,%xmm3\n\tpxor\t%xmm3,%xmm2\n\tpsrlq\t$1,%xmm3\n\tpxor\t%xmm3,%xmm2\n\tpsrlq\t$5,%xmm3\n\tpxor\t%xmm3,%xmm2\n\tpxor\t%xmm3,%xmm3\n\n.byte\t102,65,15,56,0,210\n\tmovdqu\t%xmm2,(%rdi)\n\n\n\tpxor\t%xmm0,%xmm0\n\tpxor\t%xmm1,%xmm1\n\tpxor\t%xmm2,%xmm2\n\tpxor\t%xmm3,%xmm3\n\tpxor\t%xmm4,%xmm4\n\tpxor\t%xmm5,%xmm5\n\tpxor\t%xmm6,%xmm6\n\tret\n.cfi_endproc\t\n\n.size\tgcm_gmult_ssse3,.-gcm_gmult_ssse3\n\n\n\n\n\n.type\tgcm_ghash_ssse3, @function\n.globl\tgcm_ghash_ssse3\n.hidden gcm_ghash_ssse3\n.align\t16\ngcm_ghash_ssse3:\n.cfi_startproc\t\n\n_CET_ENDBR\n\tmovdqu\t(%rdi),%xmm0\n\tmovdqa\t.Lreverse_bytes(%rip),%xmm10\n\tmovdqa\t.Llow4_mask(%rip),%xmm11\n\n\n\tandq\t$-16,%rcx\n\n\n\n.byte\t102,65,15,56,0,194\n\n\n\tpxor\t%xmm3,%xmm3\n.Loop_ghash:\n\n\tmovdqu\t(%rdx),%xmm1\n.byte\t102,65,15,56,0,202\n\tpxor\t%xmm1,%xmm0\n\n\n\tmovdqa\t%xmm11,%xmm1\n\tpandn\t%xmm0,%xmm1\n\tpsrld\t$4,%xmm1\n\tpand\t%xmm11,%xmm0\n\n\n\n\n\tpxor\t%xmm2,%xmm2\n\n\tmovq\t$5,%rax\n.Loop_row_4:\n\tmovdqu\t(%rsi),%xmm4\n\tleaq\t16(%rsi),%rsi\n\n\n\tmovdqa\t%xmm2,%xmm6\n.byte\t102,15,58,15,243,1\n\tmovdqa\t%xmm6,%xmm3\n\tpsrldq\t$1,%xmm2\n\n\n\n\n\tmovdqa\t%xmm4,%xmm5\n.byte\t102,15,56,0,224\n.byte\t102,15,56,0,233\n\n\n\tpxor\t%xmm5,%xmm2\n\n\n\n\tmovdqa\t%xmm4,%xmm5\n\tpsllq\t$60,%xmm5\n\tmovdqa\t%xmm5,%xmm6\n\tpslldq\t$8,%xmm6\n\tpxor\t%xmm6,%xmm3\n\n\n\tpsrldq\t$8,%xmm5\n\tpxor\t%xmm5,%xmm2\n\tpsrlq\t$4,%xmm4\n\tpxor\t%xmm4,%xmm2\n\n\tsubq\t$1,%rax\n\tjnz\t.Loop_row_4\n\n\n\n\tpxor\t%xmm3,%xmm2\n\tpsrlq\t$1,%xmm3\n\tpxor\t%xmm3,%xmm2\n\tpsrlq\t$1,%xmm3\n\tpxor\t%xmm3,%xmm2\n\tpsrlq\t$5,%xmm3\n\tpxor\t%xmm3,%xmm2\n\tpxor\t%xmm3,%xmm3\n\tmovq\t$5,%rax\n.Loop_row_5:\n\tmovdqu\t(%rsi),%xmm4\n\tleaq\t16(%rsi),%rsi\n\n\n\tmovdqa\t%xmm2,%xmm6\n.byte\t102,15,58,15,243,1\n\tmovdqa\t%xmm6,%xmm3\n\tpsrldq\t$1,%xmm2\n\n\n\n\n\tmovdqa\t%xmm4,%xmm5\n.byte\t102,15,56,0,224\n.byte\t102,15,56,0,233\n\n\n\tpxor\t%xmm5,%xmm2\n\n\n\n\tmovdqa\t%xmm4,%xmm5\n\tpsllq\t$60,%xmm5\n\tmovdqa\t%xmm5,%xmm6\n\tpslldq\t$8,%xmm6\n\tpxor\t%xmm6,%xmm3\n\n\n\tpsrldq\t$8,%xmm5\n\tpxor\t%xmm5,%xmm2\n\tpsrlq\t$4,%xmm4\n\tpxor\t%xmm4,%xmm2\n\n\tsubq\t$1,%rax\n\tjnz\t.Loop_row_5\n\n\n\n\tpxor\t%xmm3,%xmm2\n\tpsrlq\t$1,%xmm3\n\tpxor\t%xmm3,%xmm2\n\tpsrlq\t$1,%xmm3\n\tpxor\t%xmm3,%xmm2\n\tpsrlq\t$5,%xmm3\n\tpxor\t%xmm3,%xmm2\n\tpxor\t%xmm3,%xmm3\n\tmovq\t$6,%rax\n.Loop_row_6:\n\tmovdqu\t(%rsi),%xmm4\n\tleaq\t16(%rsi),%rsi\n\n\n\tmovdqa\t%xmm2,%xmm6\n.byte\t102,15,58,15,243,1\n\tmovdqa\t%xmm6,%xmm3\n\tpsrldq\t$1,%xmm2\n\n\n\n\n\tmovdqa\t%xmm4,%xmm5\n.byte\t102,15,56,0,224\n.byte\t102,15,56,0,233\n\n\n\tpxor\t%xmm5,%xmm2\n\n\n\n\tmovdqa\t%xmm4,%xmm5\n\tpsllq\t$60,%xmm5\n\tmovdqa\t%xmm5,%xmm6\n\tpslldq\t$8,%xmm6\n\tpxor\t%xmm6,%xmm3\n\n\n\tpsrldq\t$8,%xmm5\n\tpxor\t%xmm5,%xmm2\n\tpsrlq\t$4,%xmm4\n\tpxor\t%xmm4,%xmm2\n\n\tsubq\t$1,%rax\n\tjnz\t.Loop_row_6\n\n\n\n\tpxor\t%xmm3,%xmm2\n\tpsrlq\t$1,%xmm3\n\tpxor\t%xmm3,%xmm2\n\tpsrlq\t$1,%xmm3\n\tpxor\t%xmm3,%xmm2\n\tpsrlq\t$5,%xmm3\n\tpxor\t%xmm3,%xmm2\n\tpxor\t%xmm3,%xmm3\n\tmovdqa\t%xmm2,%xmm0\n\n\n\tleaq\t-256(%rsi),%rsi\n\n\n\tleaq\t16(%rdx),%rdx\n\tsubq\t$16,%rcx\n\tjnz\t.Loop_ghash\n\n\n.byte\t102,65,15,56,0,194\n\tmovdqu\t%xmm0,(%rdi)\n\n\n\tpxor\t%xmm0,%xmm0\n\tpxor\t%xmm1,%xmm1\n\tpxor\t%xmm2,%xmm2\n\tpxor\t%xmm3,%xmm3\n\tpxor\t%xmm4,%xmm4\n\tpxor\t%xmm5,%xmm5\n\tpxor\t%xmm6,%xmm6\n\tret\n.cfi_endproc\t\n\n.size\tgcm_ghash_ssse3,.-gcm_ghash_ssse3\n\n.section\t.rodata\n.align\t16\n\n\n.Lreverse_bytes:\n.byte\t15, 14, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 0\n\n.Llow4_mask:\n.quad\t0x0f0f0f0f0f0f0f0f, 0x0f0f0f0f0f0f0f0f\n.text\t\n#endif\n#if defined(__linux__) && defined(__ELF__)\n.section .note.GNU-stack,\"\",%progbits\n#endif\n\n" }, { "path": "Sources/CNIOBoringSSL/gen/bcm/ghash-x86-apple.S", "content": "#define BORINGSSL_PREFIX CNIOBoringSSL\n// This file is generated from a similarly-named Perl script in the BoringSSL\n// source tree. Do not edit by hand.\n\n#include \n\n#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86) && defined(__APPLE__)\n.text\n.globl\t_gcm_init_clmul\n.private_extern\t_gcm_init_clmul\n.align\t4\n_gcm_init_clmul:\nL_gcm_init_clmul_begin:\n\tmovl\t4(%esp),%edx\n\tmovl\t8(%esp),%eax\n\tcall\tL000pic\nL000pic:\n\tpopl\t%ecx\n\tleal\tLbswap-L000pic(%ecx),%ecx\n\tmovdqu\t(%eax),%xmm2\n\tpshufd\t$78,%xmm2,%xmm2\n\tpshufd\t$255,%xmm2,%xmm4\n\tmovdqa\t%xmm2,%xmm3\n\tpsllq\t$1,%xmm2\n\tpxor\t%xmm5,%xmm5\n\tpsrlq\t$63,%xmm3\n\tpcmpgtd\t%xmm4,%xmm5\n\tpslldq\t$8,%xmm3\n\tpor\t%xmm3,%xmm2\n\tpand\t16(%ecx),%xmm5\n\tpxor\t%xmm5,%xmm2\n\tmovdqa\t%xmm2,%xmm0\n\tmovdqa\t%xmm0,%xmm1\n\tpshufd\t$78,%xmm0,%xmm3\n\tpshufd\t$78,%xmm2,%xmm4\n\tpxor\t%xmm0,%xmm3\n\tpxor\t%xmm2,%xmm4\n.byte\t102,15,58,68,194,0\n.byte\t102,15,58,68,202,17\n.byte\t102,15,58,68,220,0\n\txorps\t%xmm0,%xmm3\n\txorps\t%xmm1,%xmm3\n\tmovdqa\t%xmm3,%xmm4\n\tpsrldq\t$8,%xmm3\n\tpslldq\t$8,%xmm4\n\tpxor\t%xmm3,%xmm1\n\tpxor\t%xmm4,%xmm0\n\tmovdqa\t%xmm0,%xmm4\n\tmovdqa\t%xmm0,%xmm3\n\tpsllq\t$5,%xmm0\n\tpxor\t%xmm0,%xmm3\n\tpsllq\t$1,%xmm0\n\tpxor\t%xmm3,%xmm0\n\tpsllq\t$57,%xmm0\n\tmovdqa\t%xmm0,%xmm3\n\tpslldq\t$8,%xmm0\n\tpsrldq\t$8,%xmm3\n\tpxor\t%xmm4,%xmm0\n\tpxor\t%xmm3,%xmm1\n\tmovdqa\t%xmm0,%xmm4\n\tpsrlq\t$1,%xmm0\n\tpxor\t%xmm4,%xmm1\n\tpxor\t%xmm0,%xmm4\n\tpsrlq\t$5,%xmm0\n\tpxor\t%xmm4,%xmm0\n\tpsrlq\t$1,%xmm0\n\tpxor\t%xmm1,%xmm0\n\tpshufd\t$78,%xmm2,%xmm3\n\tpshufd\t$78,%xmm0,%xmm4\n\tpxor\t%xmm2,%xmm3\n\tmovdqu\t%xmm2,(%edx)\n\tpxor\t%xmm0,%xmm4\n\tmovdqu\t%xmm0,16(%edx)\n.byte\t102,15,58,15,227,8\n\tmovdqu\t%xmm4,32(%edx)\n\tret\n.globl\t_gcm_gmult_clmul\n.private_extern\t_gcm_gmult_clmul\n.align\t4\n_gcm_gmult_clmul:\nL_gcm_gmult_clmul_begin:\n\tmovl\t4(%esp),%eax\n\tmovl\t8(%esp),%edx\n\tcall\tL001pic\nL001pic:\n\tpopl\t%ecx\n\tleal\tLbswap-L001pic(%ecx),%ecx\n\tmovdqu\t(%eax),%xmm0\n\tmovdqa\t(%ecx),%xmm5\n\tmovups\t(%edx),%xmm2\n.byte\t102,15,56,0,197\n\tmovups\t32(%edx),%xmm4\n\tmovdqa\t%xmm0,%xmm1\n\tpshufd\t$78,%xmm0,%xmm3\n\tpxor\t%xmm0,%xmm3\n.byte\t102,15,58,68,194,0\n.byte\t102,15,58,68,202,17\n.byte\t102,15,58,68,220,0\n\txorps\t%xmm0,%xmm3\n\txorps\t%xmm1,%xmm3\n\tmovdqa\t%xmm3,%xmm4\n\tpsrldq\t$8,%xmm3\n\tpslldq\t$8,%xmm4\n\tpxor\t%xmm3,%xmm1\n\tpxor\t%xmm4,%xmm0\n\tmovdqa\t%xmm0,%xmm4\n\tmovdqa\t%xmm0,%xmm3\n\tpsllq\t$5,%xmm0\n\tpxor\t%xmm0,%xmm3\n\tpsllq\t$1,%xmm0\n\tpxor\t%xmm3,%xmm0\n\tpsllq\t$57,%xmm0\n\tmovdqa\t%xmm0,%xmm3\n\tpslldq\t$8,%xmm0\n\tpsrldq\t$8,%xmm3\n\tpxor\t%xmm4,%xmm0\n\tpxor\t%xmm3,%xmm1\n\tmovdqa\t%xmm0,%xmm4\n\tpsrlq\t$1,%xmm0\n\tpxor\t%xmm4,%xmm1\n\tpxor\t%xmm0,%xmm4\n\tpsrlq\t$5,%xmm0\n\tpxor\t%xmm4,%xmm0\n\tpsrlq\t$1,%xmm0\n\tpxor\t%xmm1,%xmm0\n.byte\t102,15,56,0,197\n\tmovdqu\t%xmm0,(%eax)\n\tret\n.globl\t_gcm_ghash_clmul\n.private_extern\t_gcm_ghash_clmul\n.align\t4\n_gcm_ghash_clmul:\nL_gcm_ghash_clmul_begin:\n\tpushl\t%ebp\n\tpushl\t%ebx\n\tpushl\t%esi\n\tpushl\t%edi\n\tmovl\t20(%esp),%eax\n\tmovl\t24(%esp),%edx\n\tmovl\t28(%esp),%esi\n\tmovl\t32(%esp),%ebx\n\tcall\tL002pic\nL002pic:\n\tpopl\t%ecx\n\tleal\tLbswap-L002pic(%ecx),%ecx\n\tmovdqu\t(%eax),%xmm0\n\tmovdqa\t(%ecx),%xmm5\n\tmovdqu\t(%edx),%xmm2\n.byte\t102,15,56,0,197\n\tsubl\t$16,%ebx\n\tjz\tL003odd_tail\n\tmovdqu\t(%esi),%xmm3\n\tmovdqu\t16(%esi),%xmm6\n.byte\t102,15,56,0,221\n.byte\t102,15,56,0,245\n\tmovdqu\t32(%edx),%xmm5\n\tpxor\t%xmm3,%xmm0\n\tpshufd\t$78,%xmm6,%xmm3\n\tmovdqa\t%xmm6,%xmm7\n\tpxor\t%xmm6,%xmm3\n\tleal\t32(%esi),%esi\n.byte\t102,15,58,68,242,0\n.byte\t102,15,58,68,250,17\n.byte\t102,15,58,68,221,0\n\tmovups\t16(%edx),%xmm2\n\tnop\n\tsubl\t$32,%ebx\n\tjbe\tL004even_tail\n\tjmp\tL005mod_loop\n.align\t5,0x90\nL005mod_loop:\n\tpshufd\t$78,%xmm0,%xmm4\n\tmovdqa\t%xmm0,%xmm1\n\tpxor\t%xmm0,%xmm4\n\tnop\n.byte\t102,15,58,68,194,0\n.byte\t102,15,58,68,202,17\n.byte\t102,15,58,68,229,16\n\tmovups\t(%edx),%xmm2\n\txorps\t%xmm6,%xmm0\n\tmovdqa\t(%ecx),%xmm5\n\txorps\t%xmm7,%xmm1\n\tmovdqu\t(%esi),%xmm7\n\tpxor\t%xmm0,%xmm3\n\tmovdqu\t16(%esi),%xmm6\n\tpxor\t%xmm1,%xmm3\n.byte\t102,15,56,0,253\n\tpxor\t%xmm3,%xmm4\n\tmovdqa\t%xmm4,%xmm3\n\tpsrldq\t$8,%xmm4\n\tpslldq\t$8,%xmm3\n\tpxor\t%xmm4,%xmm1\n\tpxor\t%xmm3,%xmm0\n.byte\t102,15,56,0,245\n\tpxor\t%xmm7,%xmm1\n\tmovdqa\t%xmm6,%xmm7\n\tmovdqa\t%xmm0,%xmm4\n\tmovdqa\t%xmm0,%xmm3\n\tpsllq\t$5,%xmm0\n\tpxor\t%xmm0,%xmm3\n\tpsllq\t$1,%xmm0\n\tpxor\t%xmm3,%xmm0\n.byte\t102,15,58,68,242,0\n\tmovups\t32(%edx),%xmm5\n\tpsllq\t$57,%xmm0\n\tmovdqa\t%xmm0,%xmm3\n\tpslldq\t$8,%xmm0\n\tpsrldq\t$8,%xmm3\n\tpxor\t%xmm4,%xmm0\n\tpxor\t%xmm3,%xmm1\n\tpshufd\t$78,%xmm7,%xmm3\n\tmovdqa\t%xmm0,%xmm4\n\tpsrlq\t$1,%xmm0\n\tpxor\t%xmm7,%xmm3\n\tpxor\t%xmm4,%xmm1\n.byte\t102,15,58,68,250,17\n\tmovups\t16(%edx),%xmm2\n\tpxor\t%xmm0,%xmm4\n\tpsrlq\t$5,%xmm0\n\tpxor\t%xmm4,%xmm0\n\tpsrlq\t$1,%xmm0\n\tpxor\t%xmm1,%xmm0\n.byte\t102,15,58,68,221,0\n\tleal\t32(%esi),%esi\n\tsubl\t$32,%ebx\n\tja\tL005mod_loop\nL004even_tail:\n\tpshufd\t$78,%xmm0,%xmm4\n\tmovdqa\t%xmm0,%xmm1\n\tpxor\t%xmm0,%xmm4\n.byte\t102,15,58,68,194,0\n.byte\t102,15,58,68,202,17\n.byte\t102,15,58,68,229,16\n\tmovdqa\t(%ecx),%xmm5\n\txorps\t%xmm6,%xmm0\n\txorps\t%xmm7,%xmm1\n\tpxor\t%xmm0,%xmm3\n\tpxor\t%xmm1,%xmm3\n\tpxor\t%xmm3,%xmm4\n\tmovdqa\t%xmm4,%xmm3\n\tpsrldq\t$8,%xmm4\n\tpslldq\t$8,%xmm3\n\tpxor\t%xmm4,%xmm1\n\tpxor\t%xmm3,%xmm0\n\tmovdqa\t%xmm0,%xmm4\n\tmovdqa\t%xmm0,%xmm3\n\tpsllq\t$5,%xmm0\n\tpxor\t%xmm0,%xmm3\n\tpsllq\t$1,%xmm0\n\tpxor\t%xmm3,%xmm0\n\tpsllq\t$57,%xmm0\n\tmovdqa\t%xmm0,%xmm3\n\tpslldq\t$8,%xmm0\n\tpsrldq\t$8,%xmm3\n\tpxor\t%xmm4,%xmm0\n\tpxor\t%xmm3,%xmm1\n\tmovdqa\t%xmm0,%xmm4\n\tpsrlq\t$1,%xmm0\n\tpxor\t%xmm4,%xmm1\n\tpxor\t%xmm0,%xmm4\n\tpsrlq\t$5,%xmm0\n\tpxor\t%xmm4,%xmm0\n\tpsrlq\t$1,%xmm0\n\tpxor\t%xmm1,%xmm0\n\ttestl\t%ebx,%ebx\n\tjnz\tL006done\n\tmovups\t(%edx),%xmm2\nL003odd_tail:\n\tmovdqu\t(%esi),%xmm3\n.byte\t102,15,56,0,221\n\tpxor\t%xmm3,%xmm0\n\tmovdqa\t%xmm0,%xmm1\n\tpshufd\t$78,%xmm0,%xmm3\n\tpshufd\t$78,%xmm2,%xmm4\n\tpxor\t%xmm0,%xmm3\n\tpxor\t%xmm2,%xmm4\n.byte\t102,15,58,68,194,0\n.byte\t102,15,58,68,202,17\n.byte\t102,15,58,68,220,0\n\txorps\t%xmm0,%xmm3\n\txorps\t%xmm1,%xmm3\n\tmovdqa\t%xmm3,%xmm4\n\tpsrldq\t$8,%xmm3\n\tpslldq\t$8,%xmm4\n\tpxor\t%xmm3,%xmm1\n\tpxor\t%xmm4,%xmm0\n\tmovdqa\t%xmm0,%xmm4\n\tmovdqa\t%xmm0,%xmm3\n\tpsllq\t$5,%xmm0\n\tpxor\t%xmm0,%xmm3\n\tpsllq\t$1,%xmm0\n\tpxor\t%xmm3,%xmm0\n\tpsllq\t$57,%xmm0\n\tmovdqa\t%xmm0,%xmm3\n\tpslldq\t$8,%xmm0\n\tpsrldq\t$8,%xmm3\n\tpxor\t%xmm4,%xmm0\n\tpxor\t%xmm3,%xmm1\n\tmovdqa\t%xmm0,%xmm4\n\tpsrlq\t$1,%xmm0\n\tpxor\t%xmm4,%xmm1\n\tpxor\t%xmm0,%xmm4\n\tpsrlq\t$5,%xmm0\n\tpxor\t%xmm4,%xmm0\n\tpsrlq\t$1,%xmm0\n\tpxor\t%xmm1,%xmm0\nL006done:\n.byte\t102,15,56,0,197\n\tmovdqu\t%xmm0,(%eax)\n\tpopl\t%edi\n\tpopl\t%esi\n\tpopl\t%ebx\n\tpopl\t%ebp\n\tret\n.align\t6,0x90\nLbswap:\n.byte\t15,14,13,12,11,10,9,8,7,6,5,4,3,2,1,0\n.byte\t1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,194\n.byte\t71,72,65,83,72,32,102,111,114,32,120,56,54,44,32,67\n.byte\t82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112\n.byte\t112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62\n.byte\t0\n#endif // !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86) && defined(__APPLE__)\n#if defined(__linux__) && defined(__ELF__)\n.section .note.GNU-stack,\"\",%progbits\n#endif\n\n" }, { "path": "Sources/CNIOBoringSSL/gen/bcm/ghash-x86-linux.S", "content": "#define BORINGSSL_PREFIX CNIOBoringSSL\n// This file is generated from a similarly-named Perl script in the BoringSSL\n// source tree. Do not edit by hand.\n\n#include \n\n#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86) && defined(__ELF__)\n.text\n.globl\tgcm_init_clmul\n.hidden\tgcm_init_clmul\n.type\tgcm_init_clmul,@function\n.align\t16\ngcm_init_clmul:\n.L_gcm_init_clmul_begin:\n\tmovl\t4(%esp),%edx\n\tmovl\t8(%esp),%eax\n\tcall\t.L000pic\n.L000pic:\n\tpopl\t%ecx\n\tleal\t.Lbswap-.L000pic(%ecx),%ecx\n\tmovdqu\t(%eax),%xmm2\n\tpshufd\t$78,%xmm2,%xmm2\n\tpshufd\t$255,%xmm2,%xmm4\n\tmovdqa\t%xmm2,%xmm3\n\tpsllq\t$1,%xmm2\n\tpxor\t%xmm5,%xmm5\n\tpsrlq\t$63,%xmm3\n\tpcmpgtd\t%xmm4,%xmm5\n\tpslldq\t$8,%xmm3\n\tpor\t%xmm3,%xmm2\n\tpand\t16(%ecx),%xmm5\n\tpxor\t%xmm5,%xmm2\n\tmovdqa\t%xmm2,%xmm0\n\tmovdqa\t%xmm0,%xmm1\n\tpshufd\t$78,%xmm0,%xmm3\n\tpshufd\t$78,%xmm2,%xmm4\n\tpxor\t%xmm0,%xmm3\n\tpxor\t%xmm2,%xmm4\n.byte\t102,15,58,68,194,0\n.byte\t102,15,58,68,202,17\n.byte\t102,15,58,68,220,0\n\txorps\t%xmm0,%xmm3\n\txorps\t%xmm1,%xmm3\n\tmovdqa\t%xmm3,%xmm4\n\tpsrldq\t$8,%xmm3\n\tpslldq\t$8,%xmm4\n\tpxor\t%xmm3,%xmm1\n\tpxor\t%xmm4,%xmm0\n\tmovdqa\t%xmm0,%xmm4\n\tmovdqa\t%xmm0,%xmm3\n\tpsllq\t$5,%xmm0\n\tpxor\t%xmm0,%xmm3\n\tpsllq\t$1,%xmm0\n\tpxor\t%xmm3,%xmm0\n\tpsllq\t$57,%xmm0\n\tmovdqa\t%xmm0,%xmm3\n\tpslldq\t$8,%xmm0\n\tpsrldq\t$8,%xmm3\n\tpxor\t%xmm4,%xmm0\n\tpxor\t%xmm3,%xmm1\n\tmovdqa\t%xmm0,%xmm4\n\tpsrlq\t$1,%xmm0\n\tpxor\t%xmm4,%xmm1\n\tpxor\t%xmm0,%xmm4\n\tpsrlq\t$5,%xmm0\n\tpxor\t%xmm4,%xmm0\n\tpsrlq\t$1,%xmm0\n\tpxor\t%xmm1,%xmm0\n\tpshufd\t$78,%xmm2,%xmm3\n\tpshufd\t$78,%xmm0,%xmm4\n\tpxor\t%xmm2,%xmm3\n\tmovdqu\t%xmm2,(%edx)\n\tpxor\t%xmm0,%xmm4\n\tmovdqu\t%xmm0,16(%edx)\n.byte\t102,15,58,15,227,8\n\tmovdqu\t%xmm4,32(%edx)\n\tret\n.size\tgcm_init_clmul,.-.L_gcm_init_clmul_begin\n.globl\tgcm_gmult_clmul\n.hidden\tgcm_gmult_clmul\n.type\tgcm_gmult_clmul,@function\n.align\t16\ngcm_gmult_clmul:\n.L_gcm_gmult_clmul_begin:\n\tmovl\t4(%esp),%eax\n\tmovl\t8(%esp),%edx\n\tcall\t.L001pic\n.L001pic:\n\tpopl\t%ecx\n\tleal\t.Lbswap-.L001pic(%ecx),%ecx\n\tmovdqu\t(%eax),%xmm0\n\tmovdqa\t(%ecx),%xmm5\n\tmovups\t(%edx),%xmm2\n.byte\t102,15,56,0,197\n\tmovups\t32(%edx),%xmm4\n\tmovdqa\t%xmm0,%xmm1\n\tpshufd\t$78,%xmm0,%xmm3\n\tpxor\t%xmm0,%xmm3\n.byte\t102,15,58,68,194,0\n.byte\t102,15,58,68,202,17\n.byte\t102,15,58,68,220,0\n\txorps\t%xmm0,%xmm3\n\txorps\t%xmm1,%xmm3\n\tmovdqa\t%xmm3,%xmm4\n\tpsrldq\t$8,%xmm3\n\tpslldq\t$8,%xmm4\n\tpxor\t%xmm3,%xmm1\n\tpxor\t%xmm4,%xmm0\n\tmovdqa\t%xmm0,%xmm4\n\tmovdqa\t%xmm0,%xmm3\n\tpsllq\t$5,%xmm0\n\tpxor\t%xmm0,%xmm3\n\tpsllq\t$1,%xmm0\n\tpxor\t%xmm3,%xmm0\n\tpsllq\t$57,%xmm0\n\tmovdqa\t%xmm0,%xmm3\n\tpslldq\t$8,%xmm0\n\tpsrldq\t$8,%xmm3\n\tpxor\t%xmm4,%xmm0\n\tpxor\t%xmm3,%xmm1\n\tmovdqa\t%xmm0,%xmm4\n\tpsrlq\t$1,%xmm0\n\tpxor\t%xmm4,%xmm1\n\tpxor\t%xmm0,%xmm4\n\tpsrlq\t$5,%xmm0\n\tpxor\t%xmm4,%xmm0\n\tpsrlq\t$1,%xmm0\n\tpxor\t%xmm1,%xmm0\n.byte\t102,15,56,0,197\n\tmovdqu\t%xmm0,(%eax)\n\tret\n.size\tgcm_gmult_clmul,.-.L_gcm_gmult_clmul_begin\n.globl\tgcm_ghash_clmul\n.hidden\tgcm_ghash_clmul\n.type\tgcm_ghash_clmul,@function\n.align\t16\ngcm_ghash_clmul:\n.L_gcm_ghash_clmul_begin:\n\tpushl\t%ebp\n\tpushl\t%ebx\n\tpushl\t%esi\n\tpushl\t%edi\n\tmovl\t20(%esp),%eax\n\tmovl\t24(%esp),%edx\n\tmovl\t28(%esp),%esi\n\tmovl\t32(%esp),%ebx\n\tcall\t.L002pic\n.L002pic:\n\tpopl\t%ecx\n\tleal\t.Lbswap-.L002pic(%ecx),%ecx\n\tmovdqu\t(%eax),%xmm0\n\tmovdqa\t(%ecx),%xmm5\n\tmovdqu\t(%edx),%xmm2\n.byte\t102,15,56,0,197\n\tsubl\t$16,%ebx\n\tjz\t.L003odd_tail\n\tmovdqu\t(%esi),%xmm3\n\tmovdqu\t16(%esi),%xmm6\n.byte\t102,15,56,0,221\n.byte\t102,15,56,0,245\n\tmovdqu\t32(%edx),%xmm5\n\tpxor\t%xmm3,%xmm0\n\tpshufd\t$78,%xmm6,%xmm3\n\tmovdqa\t%xmm6,%xmm7\n\tpxor\t%xmm6,%xmm3\n\tleal\t32(%esi),%esi\n.byte\t102,15,58,68,242,0\n.byte\t102,15,58,68,250,17\n.byte\t102,15,58,68,221,0\n\tmovups\t16(%edx),%xmm2\n\tnop\n\tsubl\t$32,%ebx\n\tjbe\t.L004even_tail\n\tjmp\t.L005mod_loop\n.align\t32\n.L005mod_loop:\n\tpshufd\t$78,%xmm0,%xmm4\n\tmovdqa\t%xmm0,%xmm1\n\tpxor\t%xmm0,%xmm4\n\tnop\n.byte\t102,15,58,68,194,0\n.byte\t102,15,58,68,202,17\n.byte\t102,15,58,68,229,16\n\tmovups\t(%edx),%xmm2\n\txorps\t%xmm6,%xmm0\n\tmovdqa\t(%ecx),%xmm5\n\txorps\t%xmm7,%xmm1\n\tmovdqu\t(%esi),%xmm7\n\tpxor\t%xmm0,%xmm3\n\tmovdqu\t16(%esi),%xmm6\n\tpxor\t%xmm1,%xmm3\n.byte\t102,15,56,0,253\n\tpxor\t%xmm3,%xmm4\n\tmovdqa\t%xmm4,%xmm3\n\tpsrldq\t$8,%xmm4\n\tpslldq\t$8,%xmm3\n\tpxor\t%xmm4,%xmm1\n\tpxor\t%xmm3,%xmm0\n.byte\t102,15,56,0,245\n\tpxor\t%xmm7,%xmm1\n\tmovdqa\t%xmm6,%xmm7\n\tmovdqa\t%xmm0,%xmm4\n\tmovdqa\t%xmm0,%xmm3\n\tpsllq\t$5,%xmm0\n\tpxor\t%xmm0,%xmm3\n\tpsllq\t$1,%xmm0\n\tpxor\t%xmm3,%xmm0\n.byte\t102,15,58,68,242,0\n\tmovups\t32(%edx),%xmm5\n\tpsllq\t$57,%xmm0\n\tmovdqa\t%xmm0,%xmm3\n\tpslldq\t$8,%xmm0\n\tpsrldq\t$8,%xmm3\n\tpxor\t%xmm4,%xmm0\n\tpxor\t%xmm3,%xmm1\n\tpshufd\t$78,%xmm7,%xmm3\n\tmovdqa\t%xmm0,%xmm4\n\tpsrlq\t$1,%xmm0\n\tpxor\t%xmm7,%xmm3\n\tpxor\t%xmm4,%xmm1\n.byte\t102,15,58,68,250,17\n\tmovups\t16(%edx),%xmm2\n\tpxor\t%xmm0,%xmm4\n\tpsrlq\t$5,%xmm0\n\tpxor\t%xmm4,%xmm0\n\tpsrlq\t$1,%xmm0\n\tpxor\t%xmm1,%xmm0\n.byte\t102,15,58,68,221,0\n\tleal\t32(%esi),%esi\n\tsubl\t$32,%ebx\n\tja\t.L005mod_loop\n.L004even_tail:\n\tpshufd\t$78,%xmm0,%xmm4\n\tmovdqa\t%xmm0,%xmm1\n\tpxor\t%xmm0,%xmm4\n.byte\t102,15,58,68,194,0\n.byte\t102,15,58,68,202,17\n.byte\t102,15,58,68,229,16\n\tmovdqa\t(%ecx),%xmm5\n\txorps\t%xmm6,%xmm0\n\txorps\t%xmm7,%xmm1\n\tpxor\t%xmm0,%xmm3\n\tpxor\t%xmm1,%xmm3\n\tpxor\t%xmm3,%xmm4\n\tmovdqa\t%xmm4,%xmm3\n\tpsrldq\t$8,%xmm4\n\tpslldq\t$8,%xmm3\n\tpxor\t%xmm4,%xmm1\n\tpxor\t%xmm3,%xmm0\n\tmovdqa\t%xmm0,%xmm4\n\tmovdqa\t%xmm0,%xmm3\n\tpsllq\t$5,%xmm0\n\tpxor\t%xmm0,%xmm3\n\tpsllq\t$1,%xmm0\n\tpxor\t%xmm3,%xmm0\n\tpsllq\t$57,%xmm0\n\tmovdqa\t%xmm0,%xmm3\n\tpslldq\t$8,%xmm0\n\tpsrldq\t$8,%xmm3\n\tpxor\t%xmm4,%xmm0\n\tpxor\t%xmm3,%xmm1\n\tmovdqa\t%xmm0,%xmm4\n\tpsrlq\t$1,%xmm0\n\tpxor\t%xmm4,%xmm1\n\tpxor\t%xmm0,%xmm4\n\tpsrlq\t$5,%xmm0\n\tpxor\t%xmm4,%xmm0\n\tpsrlq\t$1,%xmm0\n\tpxor\t%xmm1,%xmm0\n\ttestl\t%ebx,%ebx\n\tjnz\t.L006done\n\tmovups\t(%edx),%xmm2\n.L003odd_tail:\n\tmovdqu\t(%esi),%xmm3\n.byte\t102,15,56,0,221\n\tpxor\t%xmm3,%xmm0\n\tmovdqa\t%xmm0,%xmm1\n\tpshufd\t$78,%xmm0,%xmm3\n\tpshufd\t$78,%xmm2,%xmm4\n\tpxor\t%xmm0,%xmm3\n\tpxor\t%xmm2,%xmm4\n.byte\t102,15,58,68,194,0\n.byte\t102,15,58,68,202,17\n.byte\t102,15,58,68,220,0\n\txorps\t%xmm0,%xmm3\n\txorps\t%xmm1,%xmm3\n\tmovdqa\t%xmm3,%xmm4\n\tpsrldq\t$8,%xmm3\n\tpslldq\t$8,%xmm4\n\tpxor\t%xmm3,%xmm1\n\tpxor\t%xmm4,%xmm0\n\tmovdqa\t%xmm0,%xmm4\n\tmovdqa\t%xmm0,%xmm3\n\tpsllq\t$5,%xmm0\n\tpxor\t%xmm0,%xmm3\n\tpsllq\t$1,%xmm0\n\tpxor\t%xmm3,%xmm0\n\tpsllq\t$57,%xmm0\n\tmovdqa\t%xmm0,%xmm3\n\tpslldq\t$8,%xmm0\n\tpsrldq\t$8,%xmm3\n\tpxor\t%xmm4,%xmm0\n\tpxor\t%xmm3,%xmm1\n\tmovdqa\t%xmm0,%xmm4\n\tpsrlq\t$1,%xmm0\n\tpxor\t%xmm4,%xmm1\n\tpxor\t%xmm0,%xmm4\n\tpsrlq\t$5,%xmm0\n\tpxor\t%xmm4,%xmm0\n\tpsrlq\t$1,%xmm0\n\tpxor\t%xmm1,%xmm0\n.L006done:\n.byte\t102,15,56,0,197\n\tmovdqu\t%xmm0,(%eax)\n\tpopl\t%edi\n\tpopl\t%esi\n\tpopl\t%ebx\n\tpopl\t%ebp\n\tret\n.size\tgcm_ghash_clmul,.-.L_gcm_ghash_clmul_begin\n.align\t64\n.Lbswap:\n.byte\t15,14,13,12,11,10,9,8,7,6,5,4,3,2,1,0\n.byte\t1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,194\n.byte\t71,72,65,83,72,32,102,111,114,32,120,56,54,44,32,67\n.byte\t82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112\n.byte\t112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62\n.byte\t0\n#endif // !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86) && defined(__ELF__)\n#if defined(__linux__) && defined(__ELF__)\n.section .note.GNU-stack,\"\",%progbits\n#endif\n\n" }, { "path": "Sources/CNIOBoringSSL/gen/bcm/ghash-x86_64-apple.S", "content": "#define BORINGSSL_PREFIX CNIOBoringSSL\n// This file is generated from a similarly-named Perl script in the BoringSSL\n// source tree. Do not edit by hand.\n\n#include \n\n#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86_64) && defined(__APPLE__)\n.text\t\n.globl\t_gcm_init_clmul\n.private_extern _gcm_init_clmul\n\n.p2align\t4\n_gcm_init_clmul:\n\n\n_CET_ENDBR\nL$_init_clmul:\n\tmovdqu\t(%rsi),%xmm2\n\tpshufd\t$78,%xmm2,%xmm2\n\n\n\tpshufd\t$255,%xmm2,%xmm4\n\tmovdqa\t%xmm2,%xmm3\n\tpsllq\t$1,%xmm2\n\tpxor\t%xmm5,%xmm5\n\tpsrlq\t$63,%xmm3\n\tpcmpgtd\t%xmm4,%xmm5\n\tpslldq\t$8,%xmm3\n\tpor\t%xmm3,%xmm2\n\n\n\tpand\tL$0x1c2_polynomial(%rip),%xmm5\n\tpxor\t%xmm5,%xmm2\n\n\n\tpshufd\t$78,%xmm2,%xmm6\n\tmovdqa\t%xmm2,%xmm0\n\tpxor\t%xmm2,%xmm6\n\tmovdqa\t%xmm0,%xmm1\n\tpshufd\t$78,%xmm0,%xmm3\n\tpxor\t%xmm0,%xmm3\n.byte\t102,15,58,68,194,0\n.byte\t102,15,58,68,202,17\n.byte\t102,15,58,68,222,0\n\tpxor\t%xmm0,%xmm3\n\tpxor\t%xmm1,%xmm3\n\n\tmovdqa\t%xmm3,%xmm4\n\tpsrldq\t$8,%xmm3\n\tpslldq\t$8,%xmm4\n\tpxor\t%xmm3,%xmm1\n\tpxor\t%xmm4,%xmm0\n\n\tmovdqa\t%xmm0,%xmm4\n\tmovdqa\t%xmm0,%xmm3\n\tpsllq\t$5,%xmm0\n\tpxor\t%xmm0,%xmm3\n\tpsllq\t$1,%xmm0\n\tpxor\t%xmm3,%xmm0\n\tpsllq\t$57,%xmm0\n\tmovdqa\t%xmm0,%xmm3\n\tpslldq\t$8,%xmm0\n\tpsrldq\t$8,%xmm3\n\tpxor\t%xmm4,%xmm0\n\tpxor\t%xmm3,%xmm1\n\n\n\tmovdqa\t%xmm0,%xmm4\n\tpsrlq\t$1,%xmm0\n\tpxor\t%xmm4,%xmm1\n\tpxor\t%xmm0,%xmm4\n\tpsrlq\t$5,%xmm0\n\tpxor\t%xmm4,%xmm0\n\tpsrlq\t$1,%xmm0\n\tpxor\t%xmm1,%xmm0\n\tpshufd\t$78,%xmm2,%xmm3\n\tpshufd\t$78,%xmm0,%xmm4\n\tpxor\t%xmm2,%xmm3\n\tmovdqu\t%xmm2,0(%rdi)\n\tpxor\t%xmm0,%xmm4\n\tmovdqu\t%xmm0,16(%rdi)\n.byte\t102,15,58,15,227,8\n\tmovdqu\t%xmm4,32(%rdi)\n\tmovdqa\t%xmm0,%xmm1\n\tpshufd\t$78,%xmm0,%xmm3\n\tpxor\t%xmm0,%xmm3\n.byte\t102,15,58,68,194,0\n.byte\t102,15,58,68,202,17\n.byte\t102,15,58,68,222,0\n\tpxor\t%xmm0,%xmm3\n\tpxor\t%xmm1,%xmm3\n\n\tmovdqa\t%xmm3,%xmm4\n\tpsrldq\t$8,%xmm3\n\tpslldq\t$8,%xmm4\n\tpxor\t%xmm3,%xmm1\n\tpxor\t%xmm4,%xmm0\n\n\tmovdqa\t%xmm0,%xmm4\n\tmovdqa\t%xmm0,%xmm3\n\tpsllq\t$5,%xmm0\n\tpxor\t%xmm0,%xmm3\n\tpsllq\t$1,%xmm0\n\tpxor\t%xmm3,%xmm0\n\tpsllq\t$57,%xmm0\n\tmovdqa\t%xmm0,%xmm3\n\tpslldq\t$8,%xmm0\n\tpsrldq\t$8,%xmm3\n\tpxor\t%xmm4,%xmm0\n\tpxor\t%xmm3,%xmm1\n\n\n\tmovdqa\t%xmm0,%xmm4\n\tpsrlq\t$1,%xmm0\n\tpxor\t%xmm4,%xmm1\n\tpxor\t%xmm0,%xmm4\n\tpsrlq\t$5,%xmm0\n\tpxor\t%xmm4,%xmm0\n\tpsrlq\t$1,%xmm0\n\tpxor\t%xmm1,%xmm0\n\tmovdqa\t%xmm0,%xmm5\n\tmovdqa\t%xmm0,%xmm1\n\tpshufd\t$78,%xmm0,%xmm3\n\tpxor\t%xmm0,%xmm3\n.byte\t102,15,58,68,194,0\n.byte\t102,15,58,68,202,17\n.byte\t102,15,58,68,222,0\n\tpxor\t%xmm0,%xmm3\n\tpxor\t%xmm1,%xmm3\n\n\tmovdqa\t%xmm3,%xmm4\n\tpsrldq\t$8,%xmm3\n\tpslldq\t$8,%xmm4\n\tpxor\t%xmm3,%xmm1\n\tpxor\t%xmm4,%xmm0\n\n\tmovdqa\t%xmm0,%xmm4\n\tmovdqa\t%xmm0,%xmm3\n\tpsllq\t$5,%xmm0\n\tpxor\t%xmm0,%xmm3\n\tpsllq\t$1,%xmm0\n\tpxor\t%xmm3,%xmm0\n\tpsllq\t$57,%xmm0\n\tmovdqa\t%xmm0,%xmm3\n\tpslldq\t$8,%xmm0\n\tpsrldq\t$8,%xmm3\n\tpxor\t%xmm4,%xmm0\n\tpxor\t%xmm3,%xmm1\n\n\n\tmovdqa\t%xmm0,%xmm4\n\tpsrlq\t$1,%xmm0\n\tpxor\t%xmm4,%xmm1\n\tpxor\t%xmm0,%xmm4\n\tpsrlq\t$5,%xmm0\n\tpxor\t%xmm4,%xmm0\n\tpsrlq\t$1,%xmm0\n\tpxor\t%xmm1,%xmm0\n\tpshufd\t$78,%xmm5,%xmm3\n\tpshufd\t$78,%xmm0,%xmm4\n\tpxor\t%xmm5,%xmm3\n\tmovdqu\t%xmm5,48(%rdi)\n\tpxor\t%xmm0,%xmm4\n\tmovdqu\t%xmm0,64(%rdi)\n.byte\t102,15,58,15,227,8\n\tmovdqu\t%xmm4,80(%rdi)\n\tret\n\n\n\n.globl\t_gcm_gmult_clmul\n.private_extern _gcm_gmult_clmul\n\n.p2align\t4\n_gcm_gmult_clmul:\n\n_CET_ENDBR\nL$_gmult_clmul:\n\tmovdqu\t(%rdi),%xmm0\n\tmovdqa\tL$bswap_mask(%rip),%xmm5\n\tmovdqu\t(%rsi),%xmm2\n\tmovdqu\t32(%rsi),%xmm4\n.byte\t102,15,56,0,197\n\tmovdqa\t%xmm0,%xmm1\n\tpshufd\t$78,%xmm0,%xmm3\n\tpxor\t%xmm0,%xmm3\n.byte\t102,15,58,68,194,0\n.byte\t102,15,58,68,202,17\n.byte\t102,15,58,68,220,0\n\tpxor\t%xmm0,%xmm3\n\tpxor\t%xmm1,%xmm3\n\n\tmovdqa\t%xmm3,%xmm4\n\tpsrldq\t$8,%xmm3\n\tpslldq\t$8,%xmm4\n\tpxor\t%xmm3,%xmm1\n\tpxor\t%xmm4,%xmm0\n\n\tmovdqa\t%xmm0,%xmm4\n\tmovdqa\t%xmm0,%xmm3\n\tpsllq\t$5,%xmm0\n\tpxor\t%xmm0,%xmm3\n\tpsllq\t$1,%xmm0\n\tpxor\t%xmm3,%xmm0\n\tpsllq\t$57,%xmm0\n\tmovdqa\t%xmm0,%xmm3\n\tpslldq\t$8,%xmm0\n\tpsrldq\t$8,%xmm3\n\tpxor\t%xmm4,%xmm0\n\tpxor\t%xmm3,%xmm1\n\n\n\tmovdqa\t%xmm0,%xmm4\n\tpsrlq\t$1,%xmm0\n\tpxor\t%xmm4,%xmm1\n\tpxor\t%xmm0,%xmm4\n\tpsrlq\t$5,%xmm0\n\tpxor\t%xmm4,%xmm0\n\tpsrlq\t$1,%xmm0\n\tpxor\t%xmm1,%xmm0\n.byte\t102,15,56,0,197\n\tmovdqu\t%xmm0,(%rdi)\n\tret\n\n\n.globl\t_gcm_ghash_clmul\n.private_extern _gcm_ghash_clmul\n\n.p2align\t5\n_gcm_ghash_clmul:\n\n\n_CET_ENDBR\nL$_ghash_clmul:\n\tmovdqa\tL$bswap_mask(%rip),%xmm10\n\n\tmovdqu\t(%rdi),%xmm0\n\tmovdqu\t(%rsi),%xmm2\n\tmovdqu\t32(%rsi),%xmm7\n.byte\t102,65,15,56,0,194\n\n\tsubq\t$0x10,%rcx\n\tjz\tL$odd_tail\n\n\tmovdqu\t16(%rsi),%xmm6\n\tcmpq\t$0x30,%rcx\n\tjb\tL$skip4x\n\n\tsubq\t$0x30,%rcx\n\tmovq\t$0xA040608020C0E000,%rax\n\tmovdqu\t48(%rsi),%xmm14\n\tmovdqu\t64(%rsi),%xmm15\n\n\n\n\n\tmovdqu\t48(%rdx),%xmm3\n\tmovdqu\t32(%rdx),%xmm11\n.byte\t102,65,15,56,0,218\n.byte\t102,69,15,56,0,218\n\tmovdqa\t%xmm3,%xmm5\n\tpshufd\t$78,%xmm3,%xmm4\n\tpxor\t%xmm3,%xmm4\n.byte\t102,15,58,68,218,0\n.byte\t102,15,58,68,234,17\n.byte\t102,15,58,68,231,0\n\n\tmovdqa\t%xmm11,%xmm13\n\tpshufd\t$78,%xmm11,%xmm12\n\tpxor\t%xmm11,%xmm12\n.byte\t102,68,15,58,68,222,0\n.byte\t102,68,15,58,68,238,17\n.byte\t102,68,15,58,68,231,16\n\txorps\t%xmm11,%xmm3\n\txorps\t%xmm13,%xmm5\n\tmovups\t80(%rsi),%xmm7\n\txorps\t%xmm12,%xmm4\n\n\tmovdqu\t16(%rdx),%xmm11\n\tmovdqu\t0(%rdx),%xmm8\n.byte\t102,69,15,56,0,218\n.byte\t102,69,15,56,0,194\n\tmovdqa\t%xmm11,%xmm13\n\tpshufd\t$78,%xmm11,%xmm12\n\tpxor\t%xmm8,%xmm0\n\tpxor\t%xmm11,%xmm12\n.byte\t102,69,15,58,68,222,0\n\tmovdqa\t%xmm0,%xmm1\n\tpshufd\t$78,%xmm0,%xmm8\n\tpxor\t%xmm0,%xmm8\n.byte\t102,69,15,58,68,238,17\n.byte\t102,68,15,58,68,231,0\n\txorps\t%xmm11,%xmm3\n\txorps\t%xmm13,%xmm5\n\n\tleaq\t64(%rdx),%rdx\n\tsubq\t$0x40,%rcx\n\tjc\tL$tail4x\n\n\tjmp\tL$mod4_loop\n.p2align\t5\nL$mod4_loop:\n.byte\t102,65,15,58,68,199,0\n\txorps\t%xmm12,%xmm4\n\tmovdqu\t48(%rdx),%xmm11\n.byte\t102,69,15,56,0,218\n.byte\t102,65,15,58,68,207,17\n\txorps\t%xmm3,%xmm0\n\tmovdqu\t32(%rdx),%xmm3\n\tmovdqa\t%xmm11,%xmm13\n.byte\t102,68,15,58,68,199,16\n\tpshufd\t$78,%xmm11,%xmm12\n\txorps\t%xmm5,%xmm1\n\tpxor\t%xmm11,%xmm12\n.byte\t102,65,15,56,0,218\n\tmovups\t32(%rsi),%xmm7\n\txorps\t%xmm4,%xmm8\n.byte\t102,68,15,58,68,218,0\n\tpshufd\t$78,%xmm3,%xmm4\n\n\tpxor\t%xmm0,%xmm8\n\tmovdqa\t%xmm3,%xmm5\n\tpxor\t%xmm1,%xmm8\n\tpxor\t%xmm3,%xmm4\n\tmovdqa\t%xmm8,%xmm9\n.byte\t102,68,15,58,68,234,17\n\tpslldq\t$8,%xmm8\n\tpsrldq\t$8,%xmm9\n\tpxor\t%xmm8,%xmm0\n\tmovdqa\tL$7_mask(%rip),%xmm8\n\tpxor\t%xmm9,%xmm1\n.byte\t102,76,15,110,200\n\n\tpand\t%xmm0,%xmm8\n.byte\t102,69,15,56,0,200\n\tpxor\t%xmm0,%xmm9\n.byte\t102,68,15,58,68,231,0\n\tpsllq\t$57,%xmm9\n\tmovdqa\t%xmm9,%xmm8\n\tpslldq\t$8,%xmm9\n.byte\t102,15,58,68,222,0\n\tpsrldq\t$8,%xmm8\n\tpxor\t%xmm9,%xmm0\n\tpxor\t%xmm8,%xmm1\n\tmovdqu\t0(%rdx),%xmm8\n\n\tmovdqa\t%xmm0,%xmm9\n\tpsrlq\t$1,%xmm0\n.byte\t102,15,58,68,238,17\n\txorps\t%xmm11,%xmm3\n\tmovdqu\t16(%rdx),%xmm11\n.byte\t102,69,15,56,0,218\n.byte\t102,15,58,68,231,16\n\txorps\t%xmm13,%xmm5\n\tmovups\t80(%rsi),%xmm7\n.byte\t102,69,15,56,0,194\n\tpxor\t%xmm9,%xmm1\n\tpxor\t%xmm0,%xmm9\n\tpsrlq\t$5,%xmm0\n\n\tmovdqa\t%xmm11,%xmm13\n\tpxor\t%xmm12,%xmm4\n\tpshufd\t$78,%xmm11,%xmm12\n\tpxor\t%xmm9,%xmm0\n\tpxor\t%xmm8,%xmm1\n\tpxor\t%xmm11,%xmm12\n.byte\t102,69,15,58,68,222,0\n\tpsrlq\t$1,%xmm0\n\tpxor\t%xmm1,%xmm0\n\tmovdqa\t%xmm0,%xmm1\n.byte\t102,69,15,58,68,238,17\n\txorps\t%xmm11,%xmm3\n\tpshufd\t$78,%xmm0,%xmm8\n\tpxor\t%xmm0,%xmm8\n\n.byte\t102,68,15,58,68,231,0\n\txorps\t%xmm13,%xmm5\n\n\tleaq\t64(%rdx),%rdx\n\tsubq\t$0x40,%rcx\n\tjnc\tL$mod4_loop\n\nL$tail4x:\n.byte\t102,65,15,58,68,199,0\n.byte\t102,65,15,58,68,207,17\n.byte\t102,68,15,58,68,199,16\n\txorps\t%xmm12,%xmm4\n\txorps\t%xmm3,%xmm0\n\txorps\t%xmm5,%xmm1\n\tpxor\t%xmm0,%xmm1\n\tpxor\t%xmm4,%xmm8\n\n\tpxor\t%xmm1,%xmm8\n\tpxor\t%xmm0,%xmm1\n\n\tmovdqa\t%xmm8,%xmm9\n\tpsrldq\t$8,%xmm8\n\tpslldq\t$8,%xmm9\n\tpxor\t%xmm8,%xmm1\n\tpxor\t%xmm9,%xmm0\n\n\tmovdqa\t%xmm0,%xmm4\n\tmovdqa\t%xmm0,%xmm3\n\tpsllq\t$5,%xmm0\n\tpxor\t%xmm0,%xmm3\n\tpsllq\t$1,%xmm0\n\tpxor\t%xmm3,%xmm0\n\tpsllq\t$57,%xmm0\n\tmovdqa\t%xmm0,%xmm3\n\tpslldq\t$8,%xmm0\n\tpsrldq\t$8,%xmm3\n\tpxor\t%xmm4,%xmm0\n\tpxor\t%xmm3,%xmm1\n\n\n\tmovdqa\t%xmm0,%xmm4\n\tpsrlq\t$1,%xmm0\n\tpxor\t%xmm4,%xmm1\n\tpxor\t%xmm0,%xmm4\n\tpsrlq\t$5,%xmm0\n\tpxor\t%xmm4,%xmm0\n\tpsrlq\t$1,%xmm0\n\tpxor\t%xmm1,%xmm0\n\taddq\t$0x40,%rcx\n\tjz\tL$done\n\tmovdqu\t32(%rsi),%xmm7\n\tsubq\t$0x10,%rcx\n\tjz\tL$odd_tail\nL$skip4x:\n\n\n\n\n\n\tmovdqu\t(%rdx),%xmm8\n\tmovdqu\t16(%rdx),%xmm3\n.byte\t102,69,15,56,0,194\n.byte\t102,65,15,56,0,218\n\tpxor\t%xmm8,%xmm0\n\n\tmovdqa\t%xmm3,%xmm5\n\tpshufd\t$78,%xmm3,%xmm4\n\tpxor\t%xmm3,%xmm4\n.byte\t102,15,58,68,218,0\n.byte\t102,15,58,68,234,17\n.byte\t102,15,58,68,231,0\n\n\tleaq\t32(%rdx),%rdx\n\tnop\n\tsubq\t$0x20,%rcx\n\tjbe\tL$even_tail\n\tnop\n\tjmp\tL$mod_loop\n\n.p2align\t5\nL$mod_loop:\n\tmovdqa\t%xmm0,%xmm1\n\tmovdqa\t%xmm4,%xmm8\n\tpshufd\t$78,%xmm0,%xmm4\n\tpxor\t%xmm0,%xmm4\n\n.byte\t102,15,58,68,198,0\n.byte\t102,15,58,68,206,17\n.byte\t102,15,58,68,231,16\n\n\tpxor\t%xmm3,%xmm0\n\tpxor\t%xmm5,%xmm1\n\tmovdqu\t(%rdx),%xmm9\n\tpxor\t%xmm0,%xmm8\n.byte\t102,69,15,56,0,202\n\tmovdqu\t16(%rdx),%xmm3\n\n\tpxor\t%xmm1,%xmm8\n\tpxor\t%xmm9,%xmm1\n\tpxor\t%xmm8,%xmm4\n.byte\t102,65,15,56,0,218\n\tmovdqa\t%xmm4,%xmm8\n\tpsrldq\t$8,%xmm8\n\tpslldq\t$8,%xmm4\n\tpxor\t%xmm8,%xmm1\n\tpxor\t%xmm4,%xmm0\n\n\tmovdqa\t%xmm3,%xmm5\n\n\tmovdqa\t%xmm0,%xmm9\n\tmovdqa\t%xmm0,%xmm8\n\tpsllq\t$5,%xmm0\n\tpxor\t%xmm0,%xmm8\n.byte\t102,15,58,68,218,0\n\tpsllq\t$1,%xmm0\n\tpxor\t%xmm8,%xmm0\n\tpsllq\t$57,%xmm0\n\tmovdqa\t%xmm0,%xmm8\n\tpslldq\t$8,%xmm0\n\tpsrldq\t$8,%xmm8\n\tpxor\t%xmm9,%xmm0\n\tpshufd\t$78,%xmm5,%xmm4\n\tpxor\t%xmm8,%xmm1\n\tpxor\t%xmm5,%xmm4\n\n\tmovdqa\t%xmm0,%xmm9\n\tpsrlq\t$1,%xmm0\n.byte\t102,15,58,68,234,17\n\tpxor\t%xmm9,%xmm1\n\tpxor\t%xmm0,%xmm9\n\tpsrlq\t$5,%xmm0\n\tpxor\t%xmm9,%xmm0\n\tleaq\t32(%rdx),%rdx\n\tpsrlq\t$1,%xmm0\n.byte\t102,15,58,68,231,0\n\tpxor\t%xmm1,%xmm0\n\n\tsubq\t$0x20,%rcx\n\tja\tL$mod_loop\n\nL$even_tail:\n\tmovdqa\t%xmm0,%xmm1\n\tmovdqa\t%xmm4,%xmm8\n\tpshufd\t$78,%xmm0,%xmm4\n\tpxor\t%xmm0,%xmm4\n\n.byte\t102,15,58,68,198,0\n.byte\t102,15,58,68,206,17\n.byte\t102,15,58,68,231,16\n\n\tpxor\t%xmm3,%xmm0\n\tpxor\t%xmm5,%xmm1\n\tpxor\t%xmm0,%xmm8\n\tpxor\t%xmm1,%xmm8\n\tpxor\t%xmm8,%xmm4\n\tmovdqa\t%xmm4,%xmm8\n\tpsrldq\t$8,%xmm8\n\tpslldq\t$8,%xmm4\n\tpxor\t%xmm8,%xmm1\n\tpxor\t%xmm4,%xmm0\n\n\tmovdqa\t%xmm0,%xmm4\n\tmovdqa\t%xmm0,%xmm3\n\tpsllq\t$5,%xmm0\n\tpxor\t%xmm0,%xmm3\n\tpsllq\t$1,%xmm0\n\tpxor\t%xmm3,%xmm0\n\tpsllq\t$57,%xmm0\n\tmovdqa\t%xmm0,%xmm3\n\tpslldq\t$8,%xmm0\n\tpsrldq\t$8,%xmm3\n\tpxor\t%xmm4,%xmm0\n\tpxor\t%xmm3,%xmm1\n\n\n\tmovdqa\t%xmm0,%xmm4\n\tpsrlq\t$1,%xmm0\n\tpxor\t%xmm4,%xmm1\n\tpxor\t%xmm0,%xmm4\n\tpsrlq\t$5,%xmm0\n\tpxor\t%xmm4,%xmm0\n\tpsrlq\t$1,%xmm0\n\tpxor\t%xmm1,%xmm0\n\ttestq\t%rcx,%rcx\n\tjnz\tL$done\n\nL$odd_tail:\n\tmovdqu\t(%rdx),%xmm8\n.byte\t102,69,15,56,0,194\n\tpxor\t%xmm8,%xmm0\n\tmovdqa\t%xmm0,%xmm1\n\tpshufd\t$78,%xmm0,%xmm3\n\tpxor\t%xmm0,%xmm3\n.byte\t102,15,58,68,194,0\n.byte\t102,15,58,68,202,17\n.byte\t102,15,58,68,223,0\n\tpxor\t%xmm0,%xmm3\n\tpxor\t%xmm1,%xmm3\n\n\tmovdqa\t%xmm3,%xmm4\n\tpsrldq\t$8,%xmm3\n\tpslldq\t$8,%xmm4\n\tpxor\t%xmm3,%xmm1\n\tpxor\t%xmm4,%xmm0\n\n\tmovdqa\t%xmm0,%xmm4\n\tmovdqa\t%xmm0,%xmm3\n\tpsllq\t$5,%xmm0\n\tpxor\t%xmm0,%xmm3\n\tpsllq\t$1,%xmm0\n\tpxor\t%xmm3,%xmm0\n\tpsllq\t$57,%xmm0\n\tmovdqa\t%xmm0,%xmm3\n\tpslldq\t$8,%xmm0\n\tpsrldq\t$8,%xmm3\n\tpxor\t%xmm4,%xmm0\n\tpxor\t%xmm3,%xmm1\n\n\n\tmovdqa\t%xmm0,%xmm4\n\tpsrlq\t$1,%xmm0\n\tpxor\t%xmm4,%xmm1\n\tpxor\t%xmm0,%xmm4\n\tpsrlq\t$5,%xmm0\n\tpxor\t%xmm4,%xmm0\n\tpsrlq\t$1,%xmm0\n\tpxor\t%xmm1,%xmm0\nL$done:\n.byte\t102,65,15,56,0,194\n\tmovdqu\t%xmm0,(%rdi)\n\tret\n\n\n\n.globl\t_gcm_init_avx\n.private_extern _gcm_init_avx\n\n.p2align\t5\n_gcm_init_avx:\n\n\n_CET_ENDBR\n\tvzeroupper\n\n\tvmovdqu\t(%rsi),%xmm2\n\tvpshufd\t$78,%xmm2,%xmm2\n\n\n\tvpshufd\t$255,%xmm2,%xmm4\n\tvpsrlq\t$63,%xmm2,%xmm3\n\tvpsllq\t$1,%xmm2,%xmm2\n\tvpxor\t%xmm5,%xmm5,%xmm5\n\tvpcmpgtd\t%xmm4,%xmm5,%xmm5\n\tvpslldq\t$8,%xmm3,%xmm3\n\tvpor\t%xmm3,%xmm2,%xmm2\n\n\n\tvpand\tL$0x1c2_polynomial(%rip),%xmm5,%xmm5\n\tvpxor\t%xmm5,%xmm2,%xmm2\n\n\tvpunpckhqdq\t%xmm2,%xmm2,%xmm6\n\tvmovdqa\t%xmm2,%xmm0\n\tvpxor\t%xmm2,%xmm6,%xmm6\n\tmovq\t$4,%r10\n\tjmp\tL$init_start_avx\n.p2align\t5\nL$init_loop_avx:\n\tvpalignr\t$8,%xmm3,%xmm4,%xmm5\n\tvmovdqu\t%xmm5,-16(%rdi)\n\tvpunpckhqdq\t%xmm0,%xmm0,%xmm3\n\tvpxor\t%xmm0,%xmm3,%xmm3\n\tvpclmulqdq\t$0x11,%xmm2,%xmm0,%xmm1\n\tvpclmulqdq\t$0x00,%xmm2,%xmm0,%xmm0\n\tvpclmulqdq\t$0x00,%xmm6,%xmm3,%xmm3\n\tvpxor\t%xmm0,%xmm1,%xmm4\n\tvpxor\t%xmm4,%xmm3,%xmm3\n\n\tvpslldq\t$8,%xmm3,%xmm4\n\tvpsrldq\t$8,%xmm3,%xmm3\n\tvpxor\t%xmm4,%xmm0,%xmm0\n\tvpxor\t%xmm3,%xmm1,%xmm1\n\tvpsllq\t$57,%xmm0,%xmm3\n\tvpsllq\t$62,%xmm0,%xmm4\n\tvpxor\t%xmm3,%xmm4,%xmm4\n\tvpsllq\t$63,%xmm0,%xmm3\n\tvpxor\t%xmm3,%xmm4,%xmm4\n\tvpslldq\t$8,%xmm4,%xmm3\n\tvpsrldq\t$8,%xmm4,%xmm4\n\tvpxor\t%xmm3,%xmm0,%xmm0\n\tvpxor\t%xmm4,%xmm1,%xmm1\n\n\tvpsrlq\t$1,%xmm0,%xmm4\n\tvpxor\t%xmm0,%xmm1,%xmm1\n\tvpxor\t%xmm4,%xmm0,%xmm0\n\tvpsrlq\t$5,%xmm4,%xmm4\n\tvpxor\t%xmm4,%xmm0,%xmm0\n\tvpsrlq\t$1,%xmm0,%xmm0\n\tvpxor\t%xmm1,%xmm0,%xmm0\nL$init_start_avx:\n\tvmovdqa\t%xmm0,%xmm5\n\tvpunpckhqdq\t%xmm0,%xmm0,%xmm3\n\tvpxor\t%xmm0,%xmm3,%xmm3\n\tvpclmulqdq\t$0x11,%xmm2,%xmm0,%xmm1\n\tvpclmulqdq\t$0x00,%xmm2,%xmm0,%xmm0\n\tvpclmulqdq\t$0x00,%xmm6,%xmm3,%xmm3\n\tvpxor\t%xmm0,%xmm1,%xmm4\n\tvpxor\t%xmm4,%xmm3,%xmm3\n\n\tvpslldq\t$8,%xmm3,%xmm4\n\tvpsrldq\t$8,%xmm3,%xmm3\n\tvpxor\t%xmm4,%xmm0,%xmm0\n\tvpxor\t%xmm3,%xmm1,%xmm1\n\tvpsllq\t$57,%xmm0,%xmm3\n\tvpsllq\t$62,%xmm0,%xmm4\n\tvpxor\t%xmm3,%xmm4,%xmm4\n\tvpsllq\t$63,%xmm0,%xmm3\n\tvpxor\t%xmm3,%xmm4,%xmm4\n\tvpslldq\t$8,%xmm4,%xmm3\n\tvpsrldq\t$8,%xmm4,%xmm4\n\tvpxor\t%xmm3,%xmm0,%xmm0\n\tvpxor\t%xmm4,%xmm1,%xmm1\n\n\tvpsrlq\t$1,%xmm0,%xmm4\n\tvpxor\t%xmm0,%xmm1,%xmm1\n\tvpxor\t%xmm4,%xmm0,%xmm0\n\tvpsrlq\t$5,%xmm4,%xmm4\n\tvpxor\t%xmm4,%xmm0,%xmm0\n\tvpsrlq\t$1,%xmm0,%xmm0\n\tvpxor\t%xmm1,%xmm0,%xmm0\n\tvpshufd\t$78,%xmm5,%xmm3\n\tvpshufd\t$78,%xmm0,%xmm4\n\tvpxor\t%xmm5,%xmm3,%xmm3\n\tvmovdqu\t%xmm5,0(%rdi)\n\tvpxor\t%xmm0,%xmm4,%xmm4\n\tvmovdqu\t%xmm0,16(%rdi)\n\tleaq\t48(%rdi),%rdi\n\tsubq\t$1,%r10\n\tjnz\tL$init_loop_avx\n\n\tvpalignr\t$8,%xmm4,%xmm3,%xmm5\n\tvmovdqu\t%xmm5,-16(%rdi)\n\n\tvzeroupper\n\tret\n\n\n\n.globl\t_gcm_gmult_avx\n.private_extern _gcm_gmult_avx\n\n.p2align\t5\n_gcm_gmult_avx:\n\n_CET_ENDBR\n\tjmp\tL$_gmult_clmul\n\n\n.globl\t_gcm_ghash_avx\n.private_extern _gcm_ghash_avx\n\n.p2align\t5\n_gcm_ghash_avx:\n\n\n_CET_ENDBR\n\tvzeroupper\n\n\tvmovdqu\t(%rdi),%xmm10\n\tleaq\tL$0x1c2_polynomial(%rip),%r10\n\tleaq\t64(%rsi),%rsi\n\tvmovdqu\tL$bswap_mask(%rip),%xmm13\n\tvpshufb\t%xmm13,%xmm10,%xmm10\n\tcmpq\t$0x80,%rcx\n\tjb\tL$short_avx\n\tsubq\t$0x80,%rcx\n\n\tvmovdqu\t112(%rdx),%xmm14\n\tvmovdqu\t0-64(%rsi),%xmm6\n\tvpshufb\t%xmm13,%xmm14,%xmm14\n\tvmovdqu\t32-64(%rsi),%xmm7\n\n\tvpunpckhqdq\t%xmm14,%xmm14,%xmm9\n\tvmovdqu\t96(%rdx),%xmm15\n\tvpclmulqdq\t$0x00,%xmm6,%xmm14,%xmm0\n\tvpxor\t%xmm14,%xmm9,%xmm9\n\tvpshufb\t%xmm13,%xmm15,%xmm15\n\tvpclmulqdq\t$0x11,%xmm6,%xmm14,%xmm1\n\tvmovdqu\t16-64(%rsi),%xmm6\n\tvpunpckhqdq\t%xmm15,%xmm15,%xmm8\n\tvmovdqu\t80(%rdx),%xmm14\n\tvpclmulqdq\t$0x00,%xmm7,%xmm9,%xmm2\n\tvpxor\t%xmm15,%xmm8,%xmm8\n\n\tvpshufb\t%xmm13,%xmm14,%xmm14\n\tvpclmulqdq\t$0x00,%xmm6,%xmm15,%xmm3\n\tvpunpckhqdq\t%xmm14,%xmm14,%xmm9\n\tvpclmulqdq\t$0x11,%xmm6,%xmm15,%xmm4\n\tvmovdqu\t48-64(%rsi),%xmm6\n\tvpxor\t%xmm14,%xmm9,%xmm9\n\tvmovdqu\t64(%rdx),%xmm15\n\tvpclmulqdq\t$0x10,%xmm7,%xmm8,%xmm5\n\tvmovdqu\t80-64(%rsi),%xmm7\n\n\tvpshufb\t%xmm13,%xmm15,%xmm15\n\tvpxor\t%xmm0,%xmm3,%xmm3\n\tvpclmulqdq\t$0x00,%xmm6,%xmm14,%xmm0\n\tvpxor\t%xmm1,%xmm4,%xmm4\n\tvpunpckhqdq\t%xmm15,%xmm15,%xmm8\n\tvpclmulqdq\t$0x11,%xmm6,%xmm14,%xmm1\n\tvmovdqu\t64-64(%rsi),%xmm6\n\tvpxor\t%xmm2,%xmm5,%xmm5\n\tvpclmulqdq\t$0x00,%xmm7,%xmm9,%xmm2\n\tvpxor\t%xmm15,%xmm8,%xmm8\n\n\tvmovdqu\t48(%rdx),%xmm14\n\tvpxor\t%xmm3,%xmm0,%xmm0\n\tvpclmulqdq\t$0x00,%xmm6,%xmm15,%xmm3\n\tvpxor\t%xmm4,%xmm1,%xmm1\n\tvpshufb\t%xmm13,%xmm14,%xmm14\n\tvpclmulqdq\t$0x11,%xmm6,%xmm15,%xmm4\n\tvmovdqu\t96-64(%rsi),%xmm6\n\tvpxor\t%xmm5,%xmm2,%xmm2\n\tvpunpckhqdq\t%xmm14,%xmm14,%xmm9\n\tvpclmulqdq\t$0x10,%xmm7,%xmm8,%xmm5\n\tvmovdqu\t128-64(%rsi),%xmm7\n\tvpxor\t%xmm14,%xmm9,%xmm9\n\n\tvmovdqu\t32(%rdx),%xmm15\n\tvpxor\t%xmm0,%xmm3,%xmm3\n\tvpclmulqdq\t$0x00,%xmm6,%xmm14,%xmm0\n\tvpxor\t%xmm1,%xmm4,%xmm4\n\tvpshufb\t%xmm13,%xmm15,%xmm15\n\tvpclmulqdq\t$0x11,%xmm6,%xmm14,%xmm1\n\tvmovdqu\t112-64(%rsi),%xmm6\n\tvpxor\t%xmm2,%xmm5,%xmm5\n\tvpunpckhqdq\t%xmm15,%xmm15,%xmm8\n\tvpclmulqdq\t$0x00,%xmm7,%xmm9,%xmm2\n\tvpxor\t%xmm15,%xmm8,%xmm8\n\n\tvmovdqu\t16(%rdx),%xmm14\n\tvpxor\t%xmm3,%xmm0,%xmm0\n\tvpclmulqdq\t$0x00,%xmm6,%xmm15,%xmm3\n\tvpxor\t%xmm4,%xmm1,%xmm1\n\tvpshufb\t%xmm13,%xmm14,%xmm14\n\tvpclmulqdq\t$0x11,%xmm6,%xmm15,%xmm4\n\tvmovdqu\t144-64(%rsi),%xmm6\n\tvpxor\t%xmm5,%xmm2,%xmm2\n\tvpunpckhqdq\t%xmm14,%xmm14,%xmm9\n\tvpclmulqdq\t$0x10,%xmm7,%xmm8,%xmm5\n\tvmovdqu\t176-64(%rsi),%xmm7\n\tvpxor\t%xmm14,%xmm9,%xmm9\n\n\tvmovdqu\t(%rdx),%xmm15\n\tvpxor\t%xmm0,%xmm3,%xmm3\n\tvpclmulqdq\t$0x00,%xmm6,%xmm14,%xmm0\n\tvpxor\t%xmm1,%xmm4,%xmm4\n\tvpshufb\t%xmm13,%xmm15,%xmm15\n\tvpclmulqdq\t$0x11,%xmm6,%xmm14,%xmm1\n\tvmovdqu\t160-64(%rsi),%xmm6\n\tvpxor\t%xmm2,%xmm5,%xmm5\n\tvpclmulqdq\t$0x10,%xmm7,%xmm9,%xmm2\n\n\tleaq\t128(%rdx),%rdx\n\tcmpq\t$0x80,%rcx\n\tjb\tL$tail_avx\n\n\tvpxor\t%xmm10,%xmm15,%xmm15\n\tsubq\t$0x80,%rcx\n\tjmp\tL$oop8x_avx\n\n.p2align\t5\nL$oop8x_avx:\n\tvpunpckhqdq\t%xmm15,%xmm15,%xmm8\n\tvmovdqu\t112(%rdx),%xmm14\n\tvpxor\t%xmm0,%xmm3,%xmm3\n\tvpxor\t%xmm15,%xmm8,%xmm8\n\tvpclmulqdq\t$0x00,%xmm6,%xmm15,%xmm10\n\tvpshufb\t%xmm13,%xmm14,%xmm14\n\tvpxor\t%xmm1,%xmm4,%xmm4\n\tvpclmulqdq\t$0x11,%xmm6,%xmm15,%xmm11\n\tvmovdqu\t0-64(%rsi),%xmm6\n\tvpunpckhqdq\t%xmm14,%xmm14,%xmm9\n\tvpxor\t%xmm2,%xmm5,%xmm5\n\tvpclmulqdq\t$0x00,%xmm7,%xmm8,%xmm12\n\tvmovdqu\t32-64(%rsi),%xmm7\n\tvpxor\t%xmm14,%xmm9,%xmm9\n\n\tvmovdqu\t96(%rdx),%xmm15\n\tvpclmulqdq\t$0x00,%xmm6,%xmm14,%xmm0\n\tvpxor\t%xmm3,%xmm10,%xmm10\n\tvpshufb\t%xmm13,%xmm15,%xmm15\n\tvpclmulqdq\t$0x11,%xmm6,%xmm14,%xmm1\n\tvxorps\t%xmm4,%xmm11,%xmm11\n\tvmovdqu\t16-64(%rsi),%xmm6\n\tvpunpckhqdq\t%xmm15,%xmm15,%xmm8\n\tvpclmulqdq\t$0x00,%xmm7,%xmm9,%xmm2\n\tvpxor\t%xmm5,%xmm12,%xmm12\n\tvxorps\t%xmm15,%xmm8,%xmm8\n\n\tvmovdqu\t80(%rdx),%xmm14\n\tvpxor\t%xmm10,%xmm12,%xmm12\n\tvpclmulqdq\t$0x00,%xmm6,%xmm15,%xmm3\n\tvpxor\t%xmm11,%xmm12,%xmm12\n\tvpslldq\t$8,%xmm12,%xmm9\n\tvpxor\t%xmm0,%xmm3,%xmm3\n\tvpclmulqdq\t$0x11,%xmm6,%xmm15,%xmm4\n\tvpsrldq\t$8,%xmm12,%xmm12\n\tvpxor\t%xmm9,%xmm10,%xmm10\n\tvmovdqu\t48-64(%rsi),%xmm6\n\tvpshufb\t%xmm13,%xmm14,%xmm14\n\tvxorps\t%xmm12,%xmm11,%xmm11\n\tvpxor\t%xmm1,%xmm4,%xmm4\n\tvpunpckhqdq\t%xmm14,%xmm14,%xmm9\n\tvpclmulqdq\t$0x10,%xmm7,%xmm8,%xmm5\n\tvmovdqu\t80-64(%rsi),%xmm7\n\tvpxor\t%xmm14,%xmm9,%xmm9\n\tvpxor\t%xmm2,%xmm5,%xmm5\n\n\tvmovdqu\t64(%rdx),%xmm15\n\tvpalignr\t$8,%xmm10,%xmm10,%xmm12\n\tvpclmulqdq\t$0x00,%xmm6,%xmm14,%xmm0\n\tvpshufb\t%xmm13,%xmm15,%xmm15\n\tvpxor\t%xmm3,%xmm0,%xmm0\n\tvpclmulqdq\t$0x11,%xmm6,%xmm14,%xmm1\n\tvmovdqu\t64-64(%rsi),%xmm6\n\tvpunpckhqdq\t%xmm15,%xmm15,%xmm8\n\tvpxor\t%xmm4,%xmm1,%xmm1\n\tvpclmulqdq\t$0x00,%xmm7,%xmm9,%xmm2\n\tvxorps\t%xmm15,%xmm8,%xmm8\n\tvpxor\t%xmm5,%xmm2,%xmm2\n\n\tvmovdqu\t48(%rdx),%xmm14\n\tvpclmulqdq\t$0x10,(%r10),%xmm10,%xmm10\n\tvpclmulqdq\t$0x00,%xmm6,%xmm15,%xmm3\n\tvpshufb\t%xmm13,%xmm14,%xmm14\n\tvpxor\t%xmm0,%xmm3,%xmm3\n\tvpclmulqdq\t$0x11,%xmm6,%xmm15,%xmm4\n\tvmovdqu\t96-64(%rsi),%xmm6\n\tvpunpckhqdq\t%xmm14,%xmm14,%xmm9\n\tvpxor\t%xmm1,%xmm4,%xmm4\n\tvpclmulqdq\t$0x10,%xmm7,%xmm8,%xmm5\n\tvmovdqu\t128-64(%rsi),%xmm7\n\tvpxor\t%xmm14,%xmm9,%xmm9\n\tvpxor\t%xmm2,%xmm5,%xmm5\n\n\tvmovdqu\t32(%rdx),%xmm15\n\tvpclmulqdq\t$0x00,%xmm6,%xmm14,%xmm0\n\tvpshufb\t%xmm13,%xmm15,%xmm15\n\tvpxor\t%xmm3,%xmm0,%xmm0\n\tvpclmulqdq\t$0x11,%xmm6,%xmm14,%xmm1\n\tvmovdqu\t112-64(%rsi),%xmm6\n\tvpunpckhqdq\t%xmm15,%xmm15,%xmm8\n\tvpxor\t%xmm4,%xmm1,%xmm1\n\tvpclmulqdq\t$0x00,%xmm7,%xmm9,%xmm2\n\tvpxor\t%xmm15,%xmm8,%xmm8\n\tvpxor\t%xmm5,%xmm2,%xmm2\n\tvxorps\t%xmm12,%xmm10,%xmm10\n\n\tvmovdqu\t16(%rdx),%xmm14\n\tvpalignr\t$8,%xmm10,%xmm10,%xmm12\n\tvpclmulqdq\t$0x00,%xmm6,%xmm15,%xmm3\n\tvpshufb\t%xmm13,%xmm14,%xmm14\n\tvpxor\t%xmm0,%xmm3,%xmm3\n\tvpclmulqdq\t$0x11,%xmm6,%xmm15,%xmm4\n\tvmovdqu\t144-64(%rsi),%xmm6\n\tvpclmulqdq\t$0x10,(%r10),%xmm10,%xmm10\n\tvxorps\t%xmm11,%xmm12,%xmm12\n\tvpunpckhqdq\t%xmm14,%xmm14,%xmm9\n\tvpxor\t%xmm1,%xmm4,%xmm4\n\tvpclmulqdq\t$0x10,%xmm7,%xmm8,%xmm5\n\tvmovdqu\t176-64(%rsi),%xmm7\n\tvpxor\t%xmm14,%xmm9,%xmm9\n\tvpxor\t%xmm2,%xmm5,%xmm5\n\n\tvmovdqu\t(%rdx),%xmm15\n\tvpclmulqdq\t$0x00,%xmm6,%xmm14,%xmm0\n\tvpshufb\t%xmm13,%xmm15,%xmm15\n\tvpclmulqdq\t$0x11,%xmm6,%xmm14,%xmm1\n\tvmovdqu\t160-64(%rsi),%xmm6\n\tvpxor\t%xmm12,%xmm15,%xmm15\n\tvpclmulqdq\t$0x10,%xmm7,%xmm9,%xmm2\n\tvpxor\t%xmm10,%xmm15,%xmm15\n\n\tleaq\t128(%rdx),%rdx\n\tsubq\t$0x80,%rcx\n\tjnc\tL$oop8x_avx\n\n\taddq\t$0x80,%rcx\n\tjmp\tL$tail_no_xor_avx\n\n.p2align\t5\nL$short_avx:\n\tvmovdqu\t-16(%rdx,%rcx,1),%xmm14\n\tleaq\t(%rdx,%rcx,1),%rdx\n\tvmovdqu\t0-64(%rsi),%xmm6\n\tvmovdqu\t32-64(%rsi),%xmm7\n\tvpshufb\t%xmm13,%xmm14,%xmm15\n\n\tvmovdqa\t%xmm0,%xmm3\n\tvmovdqa\t%xmm1,%xmm4\n\tvmovdqa\t%xmm2,%xmm5\n\tsubq\t$0x10,%rcx\n\tjz\tL$tail_avx\n\n\tvpunpckhqdq\t%xmm15,%xmm15,%xmm8\n\tvpxor\t%xmm0,%xmm3,%xmm3\n\tvpclmulqdq\t$0x00,%xmm6,%xmm15,%xmm0\n\tvpxor\t%xmm15,%xmm8,%xmm8\n\tvmovdqu\t-32(%rdx),%xmm14\n\tvpxor\t%xmm1,%xmm4,%xmm4\n\tvpclmulqdq\t$0x11,%xmm6,%xmm15,%xmm1\n\tvmovdqu\t16-64(%rsi),%xmm6\n\tvpshufb\t%xmm13,%xmm14,%xmm15\n\tvpxor\t%xmm2,%xmm5,%xmm5\n\tvpclmulqdq\t$0x00,%xmm7,%xmm8,%xmm2\n\tvpsrldq\t$8,%xmm7,%xmm7\n\tsubq\t$0x10,%rcx\n\tjz\tL$tail_avx\n\n\tvpunpckhqdq\t%xmm15,%xmm15,%xmm8\n\tvpxor\t%xmm0,%xmm3,%xmm3\n\tvpclmulqdq\t$0x00,%xmm6,%xmm15,%xmm0\n\tvpxor\t%xmm15,%xmm8,%xmm8\n\tvmovdqu\t-48(%rdx),%xmm14\n\tvpxor\t%xmm1,%xmm4,%xmm4\n\tvpclmulqdq\t$0x11,%xmm6,%xmm15,%xmm1\n\tvmovdqu\t48-64(%rsi),%xmm6\n\tvpshufb\t%xmm13,%xmm14,%xmm15\n\tvpxor\t%xmm2,%xmm5,%xmm5\n\tvpclmulqdq\t$0x00,%xmm7,%xmm8,%xmm2\n\tvmovdqu\t80-64(%rsi),%xmm7\n\tsubq\t$0x10,%rcx\n\tjz\tL$tail_avx\n\n\tvpunpckhqdq\t%xmm15,%xmm15,%xmm8\n\tvpxor\t%xmm0,%xmm3,%xmm3\n\tvpclmulqdq\t$0x00,%xmm6,%xmm15,%xmm0\n\tvpxor\t%xmm15,%xmm8,%xmm8\n\tvmovdqu\t-64(%rdx),%xmm14\n\tvpxor\t%xmm1,%xmm4,%xmm4\n\tvpclmulqdq\t$0x11,%xmm6,%xmm15,%xmm1\n\tvmovdqu\t64-64(%rsi),%xmm6\n\tvpshufb\t%xmm13,%xmm14,%xmm15\n\tvpxor\t%xmm2,%xmm5,%xmm5\n\tvpclmulqdq\t$0x00,%xmm7,%xmm8,%xmm2\n\tvpsrldq\t$8,%xmm7,%xmm7\n\tsubq\t$0x10,%rcx\n\tjz\tL$tail_avx\n\n\tvpunpckhqdq\t%xmm15,%xmm15,%xmm8\n\tvpxor\t%xmm0,%xmm3,%xmm3\n\tvpclmulqdq\t$0x00,%xmm6,%xmm15,%xmm0\n\tvpxor\t%xmm15,%xmm8,%xmm8\n\tvmovdqu\t-80(%rdx),%xmm14\n\tvpxor\t%xmm1,%xmm4,%xmm4\n\tvpclmulqdq\t$0x11,%xmm6,%xmm15,%xmm1\n\tvmovdqu\t96-64(%rsi),%xmm6\n\tvpshufb\t%xmm13,%xmm14,%xmm15\n\tvpxor\t%xmm2,%xmm5,%xmm5\n\tvpclmulqdq\t$0x00,%xmm7,%xmm8,%xmm2\n\tvmovdqu\t128-64(%rsi),%xmm7\n\tsubq\t$0x10,%rcx\n\tjz\tL$tail_avx\n\n\tvpunpckhqdq\t%xmm15,%xmm15,%xmm8\n\tvpxor\t%xmm0,%xmm3,%xmm3\n\tvpclmulqdq\t$0x00,%xmm6,%xmm15,%xmm0\n\tvpxor\t%xmm15,%xmm8,%xmm8\n\tvmovdqu\t-96(%rdx),%xmm14\n\tvpxor\t%xmm1,%xmm4,%xmm4\n\tvpclmulqdq\t$0x11,%xmm6,%xmm15,%xmm1\n\tvmovdqu\t112-64(%rsi),%xmm6\n\tvpshufb\t%xmm13,%xmm14,%xmm15\n\tvpxor\t%xmm2,%xmm5,%xmm5\n\tvpclmulqdq\t$0x00,%xmm7,%xmm8,%xmm2\n\tvpsrldq\t$8,%xmm7,%xmm7\n\tsubq\t$0x10,%rcx\n\tjz\tL$tail_avx\n\n\tvpunpckhqdq\t%xmm15,%xmm15,%xmm8\n\tvpxor\t%xmm0,%xmm3,%xmm3\n\tvpclmulqdq\t$0x00,%xmm6,%xmm15,%xmm0\n\tvpxor\t%xmm15,%xmm8,%xmm8\n\tvmovdqu\t-112(%rdx),%xmm14\n\tvpxor\t%xmm1,%xmm4,%xmm4\n\tvpclmulqdq\t$0x11,%xmm6,%xmm15,%xmm1\n\tvmovdqu\t144-64(%rsi),%xmm6\n\tvpshufb\t%xmm13,%xmm14,%xmm15\n\tvpxor\t%xmm2,%xmm5,%xmm5\n\tvpclmulqdq\t$0x00,%xmm7,%xmm8,%xmm2\n\tvmovq\t184-64(%rsi),%xmm7\n\tsubq\t$0x10,%rcx\n\tjmp\tL$tail_avx\n\n.p2align\t5\nL$tail_avx:\n\tvpxor\t%xmm10,%xmm15,%xmm15\nL$tail_no_xor_avx:\n\tvpunpckhqdq\t%xmm15,%xmm15,%xmm8\n\tvpxor\t%xmm0,%xmm3,%xmm3\n\tvpclmulqdq\t$0x00,%xmm6,%xmm15,%xmm0\n\tvpxor\t%xmm15,%xmm8,%xmm8\n\tvpxor\t%xmm1,%xmm4,%xmm4\n\tvpclmulqdq\t$0x11,%xmm6,%xmm15,%xmm1\n\tvpxor\t%xmm2,%xmm5,%xmm5\n\tvpclmulqdq\t$0x00,%xmm7,%xmm8,%xmm2\n\n\tvmovdqu\t(%r10),%xmm12\n\n\tvpxor\t%xmm0,%xmm3,%xmm10\n\tvpxor\t%xmm1,%xmm4,%xmm11\n\tvpxor\t%xmm2,%xmm5,%xmm5\n\n\tvpxor\t%xmm10,%xmm5,%xmm5\n\tvpxor\t%xmm11,%xmm5,%xmm5\n\tvpslldq\t$8,%xmm5,%xmm9\n\tvpsrldq\t$8,%xmm5,%xmm5\n\tvpxor\t%xmm9,%xmm10,%xmm10\n\tvpxor\t%xmm5,%xmm11,%xmm11\n\n\tvpclmulqdq\t$0x10,%xmm12,%xmm10,%xmm9\n\tvpalignr\t$8,%xmm10,%xmm10,%xmm10\n\tvpxor\t%xmm9,%xmm10,%xmm10\n\n\tvpclmulqdq\t$0x10,%xmm12,%xmm10,%xmm9\n\tvpalignr\t$8,%xmm10,%xmm10,%xmm10\n\tvpxor\t%xmm11,%xmm10,%xmm10\n\tvpxor\t%xmm9,%xmm10,%xmm10\n\n\tcmpq\t$0,%rcx\n\tjne\tL$short_avx\n\n\tvpshufb\t%xmm13,%xmm10,%xmm10\n\tvmovdqu\t%xmm10,(%rdi)\n\tvzeroupper\n\tret\n\n\n\n.section\t__DATA,__const\n.p2align\t6\nL$bswap_mask:\n.byte\t15,14,13,12,11,10,9,8,7,6,5,4,3,2,1,0\nL$0x1c2_polynomial:\n.byte\t1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0xc2\nL$7_mask:\n.long\t7,0,7,0\n.p2align\t6\n\n.byte\t71,72,65,83,72,32,102,111,114,32,120,56,54,95,54,52,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0\n.p2align\t6\n.text\t\n#endif\n#if defined(__linux__) && defined(__ELF__)\n.section .note.GNU-stack,\"\",%progbits\n#endif\n\n" }, { "path": "Sources/CNIOBoringSSL/gen/bcm/ghash-x86_64-linux.S", "content": "#define BORINGSSL_PREFIX CNIOBoringSSL\n// This file is generated from a similarly-named Perl script in the BoringSSL\n// source tree. Do not edit by hand.\n\n#include \n\n#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86_64) && defined(__ELF__)\n.text\t\n.globl\tgcm_init_clmul\n.hidden gcm_init_clmul\n.type\tgcm_init_clmul,@function\n.align\t16\ngcm_init_clmul:\n.cfi_startproc\t\n\n_CET_ENDBR\n.L_init_clmul:\n\tmovdqu\t(%rsi),%xmm2\n\tpshufd\t$78,%xmm2,%xmm2\n\n\n\tpshufd\t$255,%xmm2,%xmm4\n\tmovdqa\t%xmm2,%xmm3\n\tpsllq\t$1,%xmm2\n\tpxor\t%xmm5,%xmm5\n\tpsrlq\t$63,%xmm3\n\tpcmpgtd\t%xmm4,%xmm5\n\tpslldq\t$8,%xmm3\n\tpor\t%xmm3,%xmm2\n\n\n\tpand\t.L0x1c2_polynomial(%rip),%xmm5\n\tpxor\t%xmm5,%xmm2\n\n\n\tpshufd\t$78,%xmm2,%xmm6\n\tmovdqa\t%xmm2,%xmm0\n\tpxor\t%xmm2,%xmm6\n\tmovdqa\t%xmm0,%xmm1\n\tpshufd\t$78,%xmm0,%xmm3\n\tpxor\t%xmm0,%xmm3\n.byte\t102,15,58,68,194,0\n.byte\t102,15,58,68,202,17\n.byte\t102,15,58,68,222,0\n\tpxor\t%xmm0,%xmm3\n\tpxor\t%xmm1,%xmm3\n\n\tmovdqa\t%xmm3,%xmm4\n\tpsrldq\t$8,%xmm3\n\tpslldq\t$8,%xmm4\n\tpxor\t%xmm3,%xmm1\n\tpxor\t%xmm4,%xmm0\n\n\tmovdqa\t%xmm0,%xmm4\n\tmovdqa\t%xmm0,%xmm3\n\tpsllq\t$5,%xmm0\n\tpxor\t%xmm0,%xmm3\n\tpsllq\t$1,%xmm0\n\tpxor\t%xmm3,%xmm0\n\tpsllq\t$57,%xmm0\n\tmovdqa\t%xmm0,%xmm3\n\tpslldq\t$8,%xmm0\n\tpsrldq\t$8,%xmm3\n\tpxor\t%xmm4,%xmm0\n\tpxor\t%xmm3,%xmm1\n\n\n\tmovdqa\t%xmm0,%xmm4\n\tpsrlq\t$1,%xmm0\n\tpxor\t%xmm4,%xmm1\n\tpxor\t%xmm0,%xmm4\n\tpsrlq\t$5,%xmm0\n\tpxor\t%xmm4,%xmm0\n\tpsrlq\t$1,%xmm0\n\tpxor\t%xmm1,%xmm0\n\tpshufd\t$78,%xmm2,%xmm3\n\tpshufd\t$78,%xmm0,%xmm4\n\tpxor\t%xmm2,%xmm3\n\tmovdqu\t%xmm2,0(%rdi)\n\tpxor\t%xmm0,%xmm4\n\tmovdqu\t%xmm0,16(%rdi)\n.byte\t102,15,58,15,227,8\n\tmovdqu\t%xmm4,32(%rdi)\n\tmovdqa\t%xmm0,%xmm1\n\tpshufd\t$78,%xmm0,%xmm3\n\tpxor\t%xmm0,%xmm3\n.byte\t102,15,58,68,194,0\n.byte\t102,15,58,68,202,17\n.byte\t102,15,58,68,222,0\n\tpxor\t%xmm0,%xmm3\n\tpxor\t%xmm1,%xmm3\n\n\tmovdqa\t%xmm3,%xmm4\n\tpsrldq\t$8,%xmm3\n\tpslldq\t$8,%xmm4\n\tpxor\t%xmm3,%xmm1\n\tpxor\t%xmm4,%xmm0\n\n\tmovdqa\t%xmm0,%xmm4\n\tmovdqa\t%xmm0,%xmm3\n\tpsllq\t$5,%xmm0\n\tpxor\t%xmm0,%xmm3\n\tpsllq\t$1,%xmm0\n\tpxor\t%xmm3,%xmm0\n\tpsllq\t$57,%xmm0\n\tmovdqa\t%xmm0,%xmm3\n\tpslldq\t$8,%xmm0\n\tpsrldq\t$8,%xmm3\n\tpxor\t%xmm4,%xmm0\n\tpxor\t%xmm3,%xmm1\n\n\n\tmovdqa\t%xmm0,%xmm4\n\tpsrlq\t$1,%xmm0\n\tpxor\t%xmm4,%xmm1\n\tpxor\t%xmm0,%xmm4\n\tpsrlq\t$5,%xmm0\n\tpxor\t%xmm4,%xmm0\n\tpsrlq\t$1,%xmm0\n\tpxor\t%xmm1,%xmm0\n\tmovdqa\t%xmm0,%xmm5\n\tmovdqa\t%xmm0,%xmm1\n\tpshufd\t$78,%xmm0,%xmm3\n\tpxor\t%xmm0,%xmm3\n.byte\t102,15,58,68,194,0\n.byte\t102,15,58,68,202,17\n.byte\t102,15,58,68,222,0\n\tpxor\t%xmm0,%xmm3\n\tpxor\t%xmm1,%xmm3\n\n\tmovdqa\t%xmm3,%xmm4\n\tpsrldq\t$8,%xmm3\n\tpslldq\t$8,%xmm4\n\tpxor\t%xmm3,%xmm1\n\tpxor\t%xmm4,%xmm0\n\n\tmovdqa\t%xmm0,%xmm4\n\tmovdqa\t%xmm0,%xmm3\n\tpsllq\t$5,%xmm0\n\tpxor\t%xmm0,%xmm3\n\tpsllq\t$1,%xmm0\n\tpxor\t%xmm3,%xmm0\n\tpsllq\t$57,%xmm0\n\tmovdqa\t%xmm0,%xmm3\n\tpslldq\t$8,%xmm0\n\tpsrldq\t$8,%xmm3\n\tpxor\t%xmm4,%xmm0\n\tpxor\t%xmm3,%xmm1\n\n\n\tmovdqa\t%xmm0,%xmm4\n\tpsrlq\t$1,%xmm0\n\tpxor\t%xmm4,%xmm1\n\tpxor\t%xmm0,%xmm4\n\tpsrlq\t$5,%xmm0\n\tpxor\t%xmm4,%xmm0\n\tpsrlq\t$1,%xmm0\n\tpxor\t%xmm1,%xmm0\n\tpshufd\t$78,%xmm5,%xmm3\n\tpshufd\t$78,%xmm0,%xmm4\n\tpxor\t%xmm5,%xmm3\n\tmovdqu\t%xmm5,48(%rdi)\n\tpxor\t%xmm0,%xmm4\n\tmovdqu\t%xmm0,64(%rdi)\n.byte\t102,15,58,15,227,8\n\tmovdqu\t%xmm4,80(%rdi)\n\tret\n.cfi_endproc\t\n\n.size\tgcm_init_clmul,.-gcm_init_clmul\n.globl\tgcm_gmult_clmul\n.hidden gcm_gmult_clmul\n.type\tgcm_gmult_clmul,@function\n.align\t16\ngcm_gmult_clmul:\n.cfi_startproc\t\n_CET_ENDBR\n.L_gmult_clmul:\n\tmovdqu\t(%rdi),%xmm0\n\tmovdqa\t.Lbswap_mask(%rip),%xmm5\n\tmovdqu\t(%rsi),%xmm2\n\tmovdqu\t32(%rsi),%xmm4\n.byte\t102,15,56,0,197\n\tmovdqa\t%xmm0,%xmm1\n\tpshufd\t$78,%xmm0,%xmm3\n\tpxor\t%xmm0,%xmm3\n.byte\t102,15,58,68,194,0\n.byte\t102,15,58,68,202,17\n.byte\t102,15,58,68,220,0\n\tpxor\t%xmm0,%xmm3\n\tpxor\t%xmm1,%xmm3\n\n\tmovdqa\t%xmm3,%xmm4\n\tpsrldq\t$8,%xmm3\n\tpslldq\t$8,%xmm4\n\tpxor\t%xmm3,%xmm1\n\tpxor\t%xmm4,%xmm0\n\n\tmovdqa\t%xmm0,%xmm4\n\tmovdqa\t%xmm0,%xmm3\n\tpsllq\t$5,%xmm0\n\tpxor\t%xmm0,%xmm3\n\tpsllq\t$1,%xmm0\n\tpxor\t%xmm3,%xmm0\n\tpsllq\t$57,%xmm0\n\tmovdqa\t%xmm0,%xmm3\n\tpslldq\t$8,%xmm0\n\tpsrldq\t$8,%xmm3\n\tpxor\t%xmm4,%xmm0\n\tpxor\t%xmm3,%xmm1\n\n\n\tmovdqa\t%xmm0,%xmm4\n\tpsrlq\t$1,%xmm0\n\tpxor\t%xmm4,%xmm1\n\tpxor\t%xmm0,%xmm4\n\tpsrlq\t$5,%xmm0\n\tpxor\t%xmm4,%xmm0\n\tpsrlq\t$1,%xmm0\n\tpxor\t%xmm1,%xmm0\n.byte\t102,15,56,0,197\n\tmovdqu\t%xmm0,(%rdi)\n\tret\n.cfi_endproc\t\n.size\tgcm_gmult_clmul,.-gcm_gmult_clmul\n.globl\tgcm_ghash_clmul\n.hidden gcm_ghash_clmul\n.type\tgcm_ghash_clmul,@function\n.align\t32\ngcm_ghash_clmul:\n.cfi_startproc\t\n\n_CET_ENDBR\n.L_ghash_clmul:\n\tmovdqa\t.Lbswap_mask(%rip),%xmm10\n\n\tmovdqu\t(%rdi),%xmm0\n\tmovdqu\t(%rsi),%xmm2\n\tmovdqu\t32(%rsi),%xmm7\n.byte\t102,65,15,56,0,194\n\n\tsubq\t$0x10,%rcx\n\tjz\t.Lodd_tail\n\n\tmovdqu\t16(%rsi),%xmm6\n\tcmpq\t$0x30,%rcx\n\tjb\t.Lskip4x\n\n\tsubq\t$0x30,%rcx\n\tmovq\t$0xA040608020C0E000,%rax\n\tmovdqu\t48(%rsi),%xmm14\n\tmovdqu\t64(%rsi),%xmm15\n\n\n\n\n\tmovdqu\t48(%rdx),%xmm3\n\tmovdqu\t32(%rdx),%xmm11\n.byte\t102,65,15,56,0,218\n.byte\t102,69,15,56,0,218\n\tmovdqa\t%xmm3,%xmm5\n\tpshufd\t$78,%xmm3,%xmm4\n\tpxor\t%xmm3,%xmm4\n.byte\t102,15,58,68,218,0\n.byte\t102,15,58,68,234,17\n.byte\t102,15,58,68,231,0\n\n\tmovdqa\t%xmm11,%xmm13\n\tpshufd\t$78,%xmm11,%xmm12\n\tpxor\t%xmm11,%xmm12\n.byte\t102,68,15,58,68,222,0\n.byte\t102,68,15,58,68,238,17\n.byte\t102,68,15,58,68,231,16\n\txorps\t%xmm11,%xmm3\n\txorps\t%xmm13,%xmm5\n\tmovups\t80(%rsi),%xmm7\n\txorps\t%xmm12,%xmm4\n\n\tmovdqu\t16(%rdx),%xmm11\n\tmovdqu\t0(%rdx),%xmm8\n.byte\t102,69,15,56,0,218\n.byte\t102,69,15,56,0,194\n\tmovdqa\t%xmm11,%xmm13\n\tpshufd\t$78,%xmm11,%xmm12\n\tpxor\t%xmm8,%xmm0\n\tpxor\t%xmm11,%xmm12\n.byte\t102,69,15,58,68,222,0\n\tmovdqa\t%xmm0,%xmm1\n\tpshufd\t$78,%xmm0,%xmm8\n\tpxor\t%xmm0,%xmm8\n.byte\t102,69,15,58,68,238,17\n.byte\t102,68,15,58,68,231,0\n\txorps\t%xmm11,%xmm3\n\txorps\t%xmm13,%xmm5\n\n\tleaq\t64(%rdx),%rdx\n\tsubq\t$0x40,%rcx\n\tjc\t.Ltail4x\n\n\tjmp\t.Lmod4_loop\n.align\t32\n.Lmod4_loop:\n.byte\t102,65,15,58,68,199,0\n\txorps\t%xmm12,%xmm4\n\tmovdqu\t48(%rdx),%xmm11\n.byte\t102,69,15,56,0,218\n.byte\t102,65,15,58,68,207,17\n\txorps\t%xmm3,%xmm0\n\tmovdqu\t32(%rdx),%xmm3\n\tmovdqa\t%xmm11,%xmm13\n.byte\t102,68,15,58,68,199,16\n\tpshufd\t$78,%xmm11,%xmm12\n\txorps\t%xmm5,%xmm1\n\tpxor\t%xmm11,%xmm12\n.byte\t102,65,15,56,0,218\n\tmovups\t32(%rsi),%xmm7\n\txorps\t%xmm4,%xmm8\n.byte\t102,68,15,58,68,218,0\n\tpshufd\t$78,%xmm3,%xmm4\n\n\tpxor\t%xmm0,%xmm8\n\tmovdqa\t%xmm3,%xmm5\n\tpxor\t%xmm1,%xmm8\n\tpxor\t%xmm3,%xmm4\n\tmovdqa\t%xmm8,%xmm9\n.byte\t102,68,15,58,68,234,17\n\tpslldq\t$8,%xmm8\n\tpsrldq\t$8,%xmm9\n\tpxor\t%xmm8,%xmm0\n\tmovdqa\t.L7_mask(%rip),%xmm8\n\tpxor\t%xmm9,%xmm1\n.byte\t102,76,15,110,200\n\n\tpand\t%xmm0,%xmm8\n.byte\t102,69,15,56,0,200\n\tpxor\t%xmm0,%xmm9\n.byte\t102,68,15,58,68,231,0\n\tpsllq\t$57,%xmm9\n\tmovdqa\t%xmm9,%xmm8\n\tpslldq\t$8,%xmm9\n.byte\t102,15,58,68,222,0\n\tpsrldq\t$8,%xmm8\n\tpxor\t%xmm9,%xmm0\n\tpxor\t%xmm8,%xmm1\n\tmovdqu\t0(%rdx),%xmm8\n\n\tmovdqa\t%xmm0,%xmm9\n\tpsrlq\t$1,%xmm0\n.byte\t102,15,58,68,238,17\n\txorps\t%xmm11,%xmm3\n\tmovdqu\t16(%rdx),%xmm11\n.byte\t102,69,15,56,0,218\n.byte\t102,15,58,68,231,16\n\txorps\t%xmm13,%xmm5\n\tmovups\t80(%rsi),%xmm7\n.byte\t102,69,15,56,0,194\n\tpxor\t%xmm9,%xmm1\n\tpxor\t%xmm0,%xmm9\n\tpsrlq\t$5,%xmm0\n\n\tmovdqa\t%xmm11,%xmm13\n\tpxor\t%xmm12,%xmm4\n\tpshufd\t$78,%xmm11,%xmm12\n\tpxor\t%xmm9,%xmm0\n\tpxor\t%xmm8,%xmm1\n\tpxor\t%xmm11,%xmm12\n.byte\t102,69,15,58,68,222,0\n\tpsrlq\t$1,%xmm0\n\tpxor\t%xmm1,%xmm0\n\tmovdqa\t%xmm0,%xmm1\n.byte\t102,69,15,58,68,238,17\n\txorps\t%xmm11,%xmm3\n\tpshufd\t$78,%xmm0,%xmm8\n\tpxor\t%xmm0,%xmm8\n\n.byte\t102,68,15,58,68,231,0\n\txorps\t%xmm13,%xmm5\n\n\tleaq\t64(%rdx),%rdx\n\tsubq\t$0x40,%rcx\n\tjnc\t.Lmod4_loop\n\n.Ltail4x:\n.byte\t102,65,15,58,68,199,0\n.byte\t102,65,15,58,68,207,17\n.byte\t102,68,15,58,68,199,16\n\txorps\t%xmm12,%xmm4\n\txorps\t%xmm3,%xmm0\n\txorps\t%xmm5,%xmm1\n\tpxor\t%xmm0,%xmm1\n\tpxor\t%xmm4,%xmm8\n\n\tpxor\t%xmm1,%xmm8\n\tpxor\t%xmm0,%xmm1\n\n\tmovdqa\t%xmm8,%xmm9\n\tpsrldq\t$8,%xmm8\n\tpslldq\t$8,%xmm9\n\tpxor\t%xmm8,%xmm1\n\tpxor\t%xmm9,%xmm0\n\n\tmovdqa\t%xmm0,%xmm4\n\tmovdqa\t%xmm0,%xmm3\n\tpsllq\t$5,%xmm0\n\tpxor\t%xmm0,%xmm3\n\tpsllq\t$1,%xmm0\n\tpxor\t%xmm3,%xmm0\n\tpsllq\t$57,%xmm0\n\tmovdqa\t%xmm0,%xmm3\n\tpslldq\t$8,%xmm0\n\tpsrldq\t$8,%xmm3\n\tpxor\t%xmm4,%xmm0\n\tpxor\t%xmm3,%xmm1\n\n\n\tmovdqa\t%xmm0,%xmm4\n\tpsrlq\t$1,%xmm0\n\tpxor\t%xmm4,%xmm1\n\tpxor\t%xmm0,%xmm4\n\tpsrlq\t$5,%xmm0\n\tpxor\t%xmm4,%xmm0\n\tpsrlq\t$1,%xmm0\n\tpxor\t%xmm1,%xmm0\n\taddq\t$0x40,%rcx\n\tjz\t.Ldone\n\tmovdqu\t32(%rsi),%xmm7\n\tsubq\t$0x10,%rcx\n\tjz\t.Lodd_tail\n.Lskip4x:\n\n\n\n\n\n\tmovdqu\t(%rdx),%xmm8\n\tmovdqu\t16(%rdx),%xmm3\n.byte\t102,69,15,56,0,194\n.byte\t102,65,15,56,0,218\n\tpxor\t%xmm8,%xmm0\n\n\tmovdqa\t%xmm3,%xmm5\n\tpshufd\t$78,%xmm3,%xmm4\n\tpxor\t%xmm3,%xmm4\n.byte\t102,15,58,68,218,0\n.byte\t102,15,58,68,234,17\n.byte\t102,15,58,68,231,0\n\n\tleaq\t32(%rdx),%rdx\n\tnop\n\tsubq\t$0x20,%rcx\n\tjbe\t.Leven_tail\n\tnop\n\tjmp\t.Lmod_loop\n\n.align\t32\n.Lmod_loop:\n\tmovdqa\t%xmm0,%xmm1\n\tmovdqa\t%xmm4,%xmm8\n\tpshufd\t$78,%xmm0,%xmm4\n\tpxor\t%xmm0,%xmm4\n\n.byte\t102,15,58,68,198,0\n.byte\t102,15,58,68,206,17\n.byte\t102,15,58,68,231,16\n\n\tpxor\t%xmm3,%xmm0\n\tpxor\t%xmm5,%xmm1\n\tmovdqu\t(%rdx),%xmm9\n\tpxor\t%xmm0,%xmm8\n.byte\t102,69,15,56,0,202\n\tmovdqu\t16(%rdx),%xmm3\n\n\tpxor\t%xmm1,%xmm8\n\tpxor\t%xmm9,%xmm1\n\tpxor\t%xmm8,%xmm4\n.byte\t102,65,15,56,0,218\n\tmovdqa\t%xmm4,%xmm8\n\tpsrldq\t$8,%xmm8\n\tpslldq\t$8,%xmm4\n\tpxor\t%xmm8,%xmm1\n\tpxor\t%xmm4,%xmm0\n\n\tmovdqa\t%xmm3,%xmm5\n\n\tmovdqa\t%xmm0,%xmm9\n\tmovdqa\t%xmm0,%xmm8\n\tpsllq\t$5,%xmm0\n\tpxor\t%xmm0,%xmm8\n.byte\t102,15,58,68,218,0\n\tpsllq\t$1,%xmm0\n\tpxor\t%xmm8,%xmm0\n\tpsllq\t$57,%xmm0\n\tmovdqa\t%xmm0,%xmm8\n\tpslldq\t$8,%xmm0\n\tpsrldq\t$8,%xmm8\n\tpxor\t%xmm9,%xmm0\n\tpshufd\t$78,%xmm5,%xmm4\n\tpxor\t%xmm8,%xmm1\n\tpxor\t%xmm5,%xmm4\n\n\tmovdqa\t%xmm0,%xmm9\n\tpsrlq\t$1,%xmm0\n.byte\t102,15,58,68,234,17\n\tpxor\t%xmm9,%xmm1\n\tpxor\t%xmm0,%xmm9\n\tpsrlq\t$5,%xmm0\n\tpxor\t%xmm9,%xmm0\n\tleaq\t32(%rdx),%rdx\n\tpsrlq\t$1,%xmm0\n.byte\t102,15,58,68,231,0\n\tpxor\t%xmm1,%xmm0\n\n\tsubq\t$0x20,%rcx\n\tja\t.Lmod_loop\n\n.Leven_tail:\n\tmovdqa\t%xmm0,%xmm1\n\tmovdqa\t%xmm4,%xmm8\n\tpshufd\t$78,%xmm0,%xmm4\n\tpxor\t%xmm0,%xmm4\n\n.byte\t102,15,58,68,198,0\n.byte\t102,15,58,68,206,17\n.byte\t102,15,58,68,231,16\n\n\tpxor\t%xmm3,%xmm0\n\tpxor\t%xmm5,%xmm1\n\tpxor\t%xmm0,%xmm8\n\tpxor\t%xmm1,%xmm8\n\tpxor\t%xmm8,%xmm4\n\tmovdqa\t%xmm4,%xmm8\n\tpsrldq\t$8,%xmm8\n\tpslldq\t$8,%xmm4\n\tpxor\t%xmm8,%xmm1\n\tpxor\t%xmm4,%xmm0\n\n\tmovdqa\t%xmm0,%xmm4\n\tmovdqa\t%xmm0,%xmm3\n\tpsllq\t$5,%xmm0\n\tpxor\t%xmm0,%xmm3\n\tpsllq\t$1,%xmm0\n\tpxor\t%xmm3,%xmm0\n\tpsllq\t$57,%xmm0\n\tmovdqa\t%xmm0,%xmm3\n\tpslldq\t$8,%xmm0\n\tpsrldq\t$8,%xmm3\n\tpxor\t%xmm4,%xmm0\n\tpxor\t%xmm3,%xmm1\n\n\n\tmovdqa\t%xmm0,%xmm4\n\tpsrlq\t$1,%xmm0\n\tpxor\t%xmm4,%xmm1\n\tpxor\t%xmm0,%xmm4\n\tpsrlq\t$5,%xmm0\n\tpxor\t%xmm4,%xmm0\n\tpsrlq\t$1,%xmm0\n\tpxor\t%xmm1,%xmm0\n\ttestq\t%rcx,%rcx\n\tjnz\t.Ldone\n\n.Lodd_tail:\n\tmovdqu\t(%rdx),%xmm8\n.byte\t102,69,15,56,0,194\n\tpxor\t%xmm8,%xmm0\n\tmovdqa\t%xmm0,%xmm1\n\tpshufd\t$78,%xmm0,%xmm3\n\tpxor\t%xmm0,%xmm3\n.byte\t102,15,58,68,194,0\n.byte\t102,15,58,68,202,17\n.byte\t102,15,58,68,223,0\n\tpxor\t%xmm0,%xmm3\n\tpxor\t%xmm1,%xmm3\n\n\tmovdqa\t%xmm3,%xmm4\n\tpsrldq\t$8,%xmm3\n\tpslldq\t$8,%xmm4\n\tpxor\t%xmm3,%xmm1\n\tpxor\t%xmm4,%xmm0\n\n\tmovdqa\t%xmm0,%xmm4\n\tmovdqa\t%xmm0,%xmm3\n\tpsllq\t$5,%xmm0\n\tpxor\t%xmm0,%xmm3\n\tpsllq\t$1,%xmm0\n\tpxor\t%xmm3,%xmm0\n\tpsllq\t$57,%xmm0\n\tmovdqa\t%xmm0,%xmm3\n\tpslldq\t$8,%xmm0\n\tpsrldq\t$8,%xmm3\n\tpxor\t%xmm4,%xmm0\n\tpxor\t%xmm3,%xmm1\n\n\n\tmovdqa\t%xmm0,%xmm4\n\tpsrlq\t$1,%xmm0\n\tpxor\t%xmm4,%xmm1\n\tpxor\t%xmm0,%xmm4\n\tpsrlq\t$5,%xmm0\n\tpxor\t%xmm4,%xmm0\n\tpsrlq\t$1,%xmm0\n\tpxor\t%xmm1,%xmm0\n.Ldone:\n.byte\t102,65,15,56,0,194\n\tmovdqu\t%xmm0,(%rdi)\n\tret\n.cfi_endproc\t\n\n.size\tgcm_ghash_clmul,.-gcm_ghash_clmul\n.globl\tgcm_init_avx\n.hidden gcm_init_avx\n.type\tgcm_init_avx,@function\n.align\t32\ngcm_init_avx:\n.cfi_startproc\t\n\n_CET_ENDBR\n\tvzeroupper\n\n\tvmovdqu\t(%rsi),%xmm2\n\tvpshufd\t$78,%xmm2,%xmm2\n\n\n\tvpshufd\t$255,%xmm2,%xmm4\n\tvpsrlq\t$63,%xmm2,%xmm3\n\tvpsllq\t$1,%xmm2,%xmm2\n\tvpxor\t%xmm5,%xmm5,%xmm5\n\tvpcmpgtd\t%xmm4,%xmm5,%xmm5\n\tvpslldq\t$8,%xmm3,%xmm3\n\tvpor\t%xmm3,%xmm2,%xmm2\n\n\n\tvpand\t.L0x1c2_polynomial(%rip),%xmm5,%xmm5\n\tvpxor\t%xmm5,%xmm2,%xmm2\n\n\tvpunpckhqdq\t%xmm2,%xmm2,%xmm6\n\tvmovdqa\t%xmm2,%xmm0\n\tvpxor\t%xmm2,%xmm6,%xmm6\n\tmovq\t$4,%r10\n\tjmp\t.Linit_start_avx\n.align\t32\n.Linit_loop_avx:\n\tvpalignr\t$8,%xmm3,%xmm4,%xmm5\n\tvmovdqu\t%xmm5,-16(%rdi)\n\tvpunpckhqdq\t%xmm0,%xmm0,%xmm3\n\tvpxor\t%xmm0,%xmm3,%xmm3\n\tvpclmulqdq\t$0x11,%xmm2,%xmm0,%xmm1\n\tvpclmulqdq\t$0x00,%xmm2,%xmm0,%xmm0\n\tvpclmulqdq\t$0x00,%xmm6,%xmm3,%xmm3\n\tvpxor\t%xmm0,%xmm1,%xmm4\n\tvpxor\t%xmm4,%xmm3,%xmm3\n\n\tvpslldq\t$8,%xmm3,%xmm4\n\tvpsrldq\t$8,%xmm3,%xmm3\n\tvpxor\t%xmm4,%xmm0,%xmm0\n\tvpxor\t%xmm3,%xmm1,%xmm1\n\tvpsllq\t$57,%xmm0,%xmm3\n\tvpsllq\t$62,%xmm0,%xmm4\n\tvpxor\t%xmm3,%xmm4,%xmm4\n\tvpsllq\t$63,%xmm0,%xmm3\n\tvpxor\t%xmm3,%xmm4,%xmm4\n\tvpslldq\t$8,%xmm4,%xmm3\n\tvpsrldq\t$8,%xmm4,%xmm4\n\tvpxor\t%xmm3,%xmm0,%xmm0\n\tvpxor\t%xmm4,%xmm1,%xmm1\n\n\tvpsrlq\t$1,%xmm0,%xmm4\n\tvpxor\t%xmm0,%xmm1,%xmm1\n\tvpxor\t%xmm4,%xmm0,%xmm0\n\tvpsrlq\t$5,%xmm4,%xmm4\n\tvpxor\t%xmm4,%xmm0,%xmm0\n\tvpsrlq\t$1,%xmm0,%xmm0\n\tvpxor\t%xmm1,%xmm0,%xmm0\n.Linit_start_avx:\n\tvmovdqa\t%xmm0,%xmm5\n\tvpunpckhqdq\t%xmm0,%xmm0,%xmm3\n\tvpxor\t%xmm0,%xmm3,%xmm3\n\tvpclmulqdq\t$0x11,%xmm2,%xmm0,%xmm1\n\tvpclmulqdq\t$0x00,%xmm2,%xmm0,%xmm0\n\tvpclmulqdq\t$0x00,%xmm6,%xmm3,%xmm3\n\tvpxor\t%xmm0,%xmm1,%xmm4\n\tvpxor\t%xmm4,%xmm3,%xmm3\n\n\tvpslldq\t$8,%xmm3,%xmm4\n\tvpsrldq\t$8,%xmm3,%xmm3\n\tvpxor\t%xmm4,%xmm0,%xmm0\n\tvpxor\t%xmm3,%xmm1,%xmm1\n\tvpsllq\t$57,%xmm0,%xmm3\n\tvpsllq\t$62,%xmm0,%xmm4\n\tvpxor\t%xmm3,%xmm4,%xmm4\n\tvpsllq\t$63,%xmm0,%xmm3\n\tvpxor\t%xmm3,%xmm4,%xmm4\n\tvpslldq\t$8,%xmm4,%xmm3\n\tvpsrldq\t$8,%xmm4,%xmm4\n\tvpxor\t%xmm3,%xmm0,%xmm0\n\tvpxor\t%xmm4,%xmm1,%xmm1\n\n\tvpsrlq\t$1,%xmm0,%xmm4\n\tvpxor\t%xmm0,%xmm1,%xmm1\n\tvpxor\t%xmm4,%xmm0,%xmm0\n\tvpsrlq\t$5,%xmm4,%xmm4\n\tvpxor\t%xmm4,%xmm0,%xmm0\n\tvpsrlq\t$1,%xmm0,%xmm0\n\tvpxor\t%xmm1,%xmm0,%xmm0\n\tvpshufd\t$78,%xmm5,%xmm3\n\tvpshufd\t$78,%xmm0,%xmm4\n\tvpxor\t%xmm5,%xmm3,%xmm3\n\tvmovdqu\t%xmm5,0(%rdi)\n\tvpxor\t%xmm0,%xmm4,%xmm4\n\tvmovdqu\t%xmm0,16(%rdi)\n\tleaq\t48(%rdi),%rdi\n\tsubq\t$1,%r10\n\tjnz\t.Linit_loop_avx\n\n\tvpalignr\t$8,%xmm4,%xmm3,%xmm5\n\tvmovdqu\t%xmm5,-16(%rdi)\n\n\tvzeroupper\n\tret\n\n.cfi_endproc\t\n.size\tgcm_init_avx,.-gcm_init_avx\n.globl\tgcm_gmult_avx\n.hidden gcm_gmult_avx\n.type\tgcm_gmult_avx,@function\n.align\t32\ngcm_gmult_avx:\n.cfi_startproc\t\n_CET_ENDBR\n\tjmp\t.L_gmult_clmul\n.cfi_endproc\t\n.size\tgcm_gmult_avx,.-gcm_gmult_avx\n.globl\tgcm_ghash_avx\n.hidden gcm_ghash_avx\n.type\tgcm_ghash_avx,@function\n.align\t32\ngcm_ghash_avx:\n.cfi_startproc\t\n\n_CET_ENDBR\n\tvzeroupper\n\n\tvmovdqu\t(%rdi),%xmm10\n\tleaq\t.L0x1c2_polynomial(%rip),%r10\n\tleaq\t64(%rsi),%rsi\n\tvmovdqu\t.Lbswap_mask(%rip),%xmm13\n\tvpshufb\t%xmm13,%xmm10,%xmm10\n\tcmpq\t$0x80,%rcx\n\tjb\t.Lshort_avx\n\tsubq\t$0x80,%rcx\n\n\tvmovdqu\t112(%rdx),%xmm14\n\tvmovdqu\t0-64(%rsi),%xmm6\n\tvpshufb\t%xmm13,%xmm14,%xmm14\n\tvmovdqu\t32-64(%rsi),%xmm7\n\n\tvpunpckhqdq\t%xmm14,%xmm14,%xmm9\n\tvmovdqu\t96(%rdx),%xmm15\n\tvpclmulqdq\t$0x00,%xmm6,%xmm14,%xmm0\n\tvpxor\t%xmm14,%xmm9,%xmm9\n\tvpshufb\t%xmm13,%xmm15,%xmm15\n\tvpclmulqdq\t$0x11,%xmm6,%xmm14,%xmm1\n\tvmovdqu\t16-64(%rsi),%xmm6\n\tvpunpckhqdq\t%xmm15,%xmm15,%xmm8\n\tvmovdqu\t80(%rdx),%xmm14\n\tvpclmulqdq\t$0x00,%xmm7,%xmm9,%xmm2\n\tvpxor\t%xmm15,%xmm8,%xmm8\n\n\tvpshufb\t%xmm13,%xmm14,%xmm14\n\tvpclmulqdq\t$0x00,%xmm6,%xmm15,%xmm3\n\tvpunpckhqdq\t%xmm14,%xmm14,%xmm9\n\tvpclmulqdq\t$0x11,%xmm6,%xmm15,%xmm4\n\tvmovdqu\t48-64(%rsi),%xmm6\n\tvpxor\t%xmm14,%xmm9,%xmm9\n\tvmovdqu\t64(%rdx),%xmm15\n\tvpclmulqdq\t$0x10,%xmm7,%xmm8,%xmm5\n\tvmovdqu\t80-64(%rsi),%xmm7\n\n\tvpshufb\t%xmm13,%xmm15,%xmm15\n\tvpxor\t%xmm0,%xmm3,%xmm3\n\tvpclmulqdq\t$0x00,%xmm6,%xmm14,%xmm0\n\tvpxor\t%xmm1,%xmm4,%xmm4\n\tvpunpckhqdq\t%xmm15,%xmm15,%xmm8\n\tvpclmulqdq\t$0x11,%xmm6,%xmm14,%xmm1\n\tvmovdqu\t64-64(%rsi),%xmm6\n\tvpxor\t%xmm2,%xmm5,%xmm5\n\tvpclmulqdq\t$0x00,%xmm7,%xmm9,%xmm2\n\tvpxor\t%xmm15,%xmm8,%xmm8\n\n\tvmovdqu\t48(%rdx),%xmm14\n\tvpxor\t%xmm3,%xmm0,%xmm0\n\tvpclmulqdq\t$0x00,%xmm6,%xmm15,%xmm3\n\tvpxor\t%xmm4,%xmm1,%xmm1\n\tvpshufb\t%xmm13,%xmm14,%xmm14\n\tvpclmulqdq\t$0x11,%xmm6,%xmm15,%xmm4\n\tvmovdqu\t96-64(%rsi),%xmm6\n\tvpxor\t%xmm5,%xmm2,%xmm2\n\tvpunpckhqdq\t%xmm14,%xmm14,%xmm9\n\tvpclmulqdq\t$0x10,%xmm7,%xmm8,%xmm5\n\tvmovdqu\t128-64(%rsi),%xmm7\n\tvpxor\t%xmm14,%xmm9,%xmm9\n\n\tvmovdqu\t32(%rdx),%xmm15\n\tvpxor\t%xmm0,%xmm3,%xmm3\n\tvpclmulqdq\t$0x00,%xmm6,%xmm14,%xmm0\n\tvpxor\t%xmm1,%xmm4,%xmm4\n\tvpshufb\t%xmm13,%xmm15,%xmm15\n\tvpclmulqdq\t$0x11,%xmm6,%xmm14,%xmm1\n\tvmovdqu\t112-64(%rsi),%xmm6\n\tvpxor\t%xmm2,%xmm5,%xmm5\n\tvpunpckhqdq\t%xmm15,%xmm15,%xmm8\n\tvpclmulqdq\t$0x00,%xmm7,%xmm9,%xmm2\n\tvpxor\t%xmm15,%xmm8,%xmm8\n\n\tvmovdqu\t16(%rdx),%xmm14\n\tvpxor\t%xmm3,%xmm0,%xmm0\n\tvpclmulqdq\t$0x00,%xmm6,%xmm15,%xmm3\n\tvpxor\t%xmm4,%xmm1,%xmm1\n\tvpshufb\t%xmm13,%xmm14,%xmm14\n\tvpclmulqdq\t$0x11,%xmm6,%xmm15,%xmm4\n\tvmovdqu\t144-64(%rsi),%xmm6\n\tvpxor\t%xmm5,%xmm2,%xmm2\n\tvpunpckhqdq\t%xmm14,%xmm14,%xmm9\n\tvpclmulqdq\t$0x10,%xmm7,%xmm8,%xmm5\n\tvmovdqu\t176-64(%rsi),%xmm7\n\tvpxor\t%xmm14,%xmm9,%xmm9\n\n\tvmovdqu\t(%rdx),%xmm15\n\tvpxor\t%xmm0,%xmm3,%xmm3\n\tvpclmulqdq\t$0x00,%xmm6,%xmm14,%xmm0\n\tvpxor\t%xmm1,%xmm4,%xmm4\n\tvpshufb\t%xmm13,%xmm15,%xmm15\n\tvpclmulqdq\t$0x11,%xmm6,%xmm14,%xmm1\n\tvmovdqu\t160-64(%rsi),%xmm6\n\tvpxor\t%xmm2,%xmm5,%xmm5\n\tvpclmulqdq\t$0x10,%xmm7,%xmm9,%xmm2\n\n\tleaq\t128(%rdx),%rdx\n\tcmpq\t$0x80,%rcx\n\tjb\t.Ltail_avx\n\n\tvpxor\t%xmm10,%xmm15,%xmm15\n\tsubq\t$0x80,%rcx\n\tjmp\t.Loop8x_avx\n\n.align\t32\n.Loop8x_avx:\n\tvpunpckhqdq\t%xmm15,%xmm15,%xmm8\n\tvmovdqu\t112(%rdx),%xmm14\n\tvpxor\t%xmm0,%xmm3,%xmm3\n\tvpxor\t%xmm15,%xmm8,%xmm8\n\tvpclmulqdq\t$0x00,%xmm6,%xmm15,%xmm10\n\tvpshufb\t%xmm13,%xmm14,%xmm14\n\tvpxor\t%xmm1,%xmm4,%xmm4\n\tvpclmulqdq\t$0x11,%xmm6,%xmm15,%xmm11\n\tvmovdqu\t0-64(%rsi),%xmm6\n\tvpunpckhqdq\t%xmm14,%xmm14,%xmm9\n\tvpxor\t%xmm2,%xmm5,%xmm5\n\tvpclmulqdq\t$0x00,%xmm7,%xmm8,%xmm12\n\tvmovdqu\t32-64(%rsi),%xmm7\n\tvpxor\t%xmm14,%xmm9,%xmm9\n\n\tvmovdqu\t96(%rdx),%xmm15\n\tvpclmulqdq\t$0x00,%xmm6,%xmm14,%xmm0\n\tvpxor\t%xmm3,%xmm10,%xmm10\n\tvpshufb\t%xmm13,%xmm15,%xmm15\n\tvpclmulqdq\t$0x11,%xmm6,%xmm14,%xmm1\n\tvxorps\t%xmm4,%xmm11,%xmm11\n\tvmovdqu\t16-64(%rsi),%xmm6\n\tvpunpckhqdq\t%xmm15,%xmm15,%xmm8\n\tvpclmulqdq\t$0x00,%xmm7,%xmm9,%xmm2\n\tvpxor\t%xmm5,%xmm12,%xmm12\n\tvxorps\t%xmm15,%xmm8,%xmm8\n\n\tvmovdqu\t80(%rdx),%xmm14\n\tvpxor\t%xmm10,%xmm12,%xmm12\n\tvpclmulqdq\t$0x00,%xmm6,%xmm15,%xmm3\n\tvpxor\t%xmm11,%xmm12,%xmm12\n\tvpslldq\t$8,%xmm12,%xmm9\n\tvpxor\t%xmm0,%xmm3,%xmm3\n\tvpclmulqdq\t$0x11,%xmm6,%xmm15,%xmm4\n\tvpsrldq\t$8,%xmm12,%xmm12\n\tvpxor\t%xmm9,%xmm10,%xmm10\n\tvmovdqu\t48-64(%rsi),%xmm6\n\tvpshufb\t%xmm13,%xmm14,%xmm14\n\tvxorps\t%xmm12,%xmm11,%xmm11\n\tvpxor\t%xmm1,%xmm4,%xmm4\n\tvpunpckhqdq\t%xmm14,%xmm14,%xmm9\n\tvpclmulqdq\t$0x10,%xmm7,%xmm8,%xmm5\n\tvmovdqu\t80-64(%rsi),%xmm7\n\tvpxor\t%xmm14,%xmm9,%xmm9\n\tvpxor\t%xmm2,%xmm5,%xmm5\n\n\tvmovdqu\t64(%rdx),%xmm15\n\tvpalignr\t$8,%xmm10,%xmm10,%xmm12\n\tvpclmulqdq\t$0x00,%xmm6,%xmm14,%xmm0\n\tvpshufb\t%xmm13,%xmm15,%xmm15\n\tvpxor\t%xmm3,%xmm0,%xmm0\n\tvpclmulqdq\t$0x11,%xmm6,%xmm14,%xmm1\n\tvmovdqu\t64-64(%rsi),%xmm6\n\tvpunpckhqdq\t%xmm15,%xmm15,%xmm8\n\tvpxor\t%xmm4,%xmm1,%xmm1\n\tvpclmulqdq\t$0x00,%xmm7,%xmm9,%xmm2\n\tvxorps\t%xmm15,%xmm8,%xmm8\n\tvpxor\t%xmm5,%xmm2,%xmm2\n\n\tvmovdqu\t48(%rdx),%xmm14\n\tvpclmulqdq\t$0x10,(%r10),%xmm10,%xmm10\n\tvpclmulqdq\t$0x00,%xmm6,%xmm15,%xmm3\n\tvpshufb\t%xmm13,%xmm14,%xmm14\n\tvpxor\t%xmm0,%xmm3,%xmm3\n\tvpclmulqdq\t$0x11,%xmm6,%xmm15,%xmm4\n\tvmovdqu\t96-64(%rsi),%xmm6\n\tvpunpckhqdq\t%xmm14,%xmm14,%xmm9\n\tvpxor\t%xmm1,%xmm4,%xmm4\n\tvpclmulqdq\t$0x10,%xmm7,%xmm8,%xmm5\n\tvmovdqu\t128-64(%rsi),%xmm7\n\tvpxor\t%xmm14,%xmm9,%xmm9\n\tvpxor\t%xmm2,%xmm5,%xmm5\n\n\tvmovdqu\t32(%rdx),%xmm15\n\tvpclmulqdq\t$0x00,%xmm6,%xmm14,%xmm0\n\tvpshufb\t%xmm13,%xmm15,%xmm15\n\tvpxor\t%xmm3,%xmm0,%xmm0\n\tvpclmulqdq\t$0x11,%xmm6,%xmm14,%xmm1\n\tvmovdqu\t112-64(%rsi),%xmm6\n\tvpunpckhqdq\t%xmm15,%xmm15,%xmm8\n\tvpxor\t%xmm4,%xmm1,%xmm1\n\tvpclmulqdq\t$0x00,%xmm7,%xmm9,%xmm2\n\tvpxor\t%xmm15,%xmm8,%xmm8\n\tvpxor\t%xmm5,%xmm2,%xmm2\n\tvxorps\t%xmm12,%xmm10,%xmm10\n\n\tvmovdqu\t16(%rdx),%xmm14\n\tvpalignr\t$8,%xmm10,%xmm10,%xmm12\n\tvpclmulqdq\t$0x00,%xmm6,%xmm15,%xmm3\n\tvpshufb\t%xmm13,%xmm14,%xmm14\n\tvpxor\t%xmm0,%xmm3,%xmm3\n\tvpclmulqdq\t$0x11,%xmm6,%xmm15,%xmm4\n\tvmovdqu\t144-64(%rsi),%xmm6\n\tvpclmulqdq\t$0x10,(%r10),%xmm10,%xmm10\n\tvxorps\t%xmm11,%xmm12,%xmm12\n\tvpunpckhqdq\t%xmm14,%xmm14,%xmm9\n\tvpxor\t%xmm1,%xmm4,%xmm4\n\tvpclmulqdq\t$0x10,%xmm7,%xmm8,%xmm5\n\tvmovdqu\t176-64(%rsi),%xmm7\n\tvpxor\t%xmm14,%xmm9,%xmm9\n\tvpxor\t%xmm2,%xmm5,%xmm5\n\n\tvmovdqu\t(%rdx),%xmm15\n\tvpclmulqdq\t$0x00,%xmm6,%xmm14,%xmm0\n\tvpshufb\t%xmm13,%xmm15,%xmm15\n\tvpclmulqdq\t$0x11,%xmm6,%xmm14,%xmm1\n\tvmovdqu\t160-64(%rsi),%xmm6\n\tvpxor\t%xmm12,%xmm15,%xmm15\n\tvpclmulqdq\t$0x10,%xmm7,%xmm9,%xmm2\n\tvpxor\t%xmm10,%xmm15,%xmm15\n\n\tleaq\t128(%rdx),%rdx\n\tsubq\t$0x80,%rcx\n\tjnc\t.Loop8x_avx\n\n\taddq\t$0x80,%rcx\n\tjmp\t.Ltail_no_xor_avx\n\n.align\t32\n.Lshort_avx:\n\tvmovdqu\t-16(%rdx,%rcx,1),%xmm14\n\tleaq\t(%rdx,%rcx,1),%rdx\n\tvmovdqu\t0-64(%rsi),%xmm6\n\tvmovdqu\t32-64(%rsi),%xmm7\n\tvpshufb\t%xmm13,%xmm14,%xmm15\n\n\tvmovdqa\t%xmm0,%xmm3\n\tvmovdqa\t%xmm1,%xmm4\n\tvmovdqa\t%xmm2,%xmm5\n\tsubq\t$0x10,%rcx\n\tjz\t.Ltail_avx\n\n\tvpunpckhqdq\t%xmm15,%xmm15,%xmm8\n\tvpxor\t%xmm0,%xmm3,%xmm3\n\tvpclmulqdq\t$0x00,%xmm6,%xmm15,%xmm0\n\tvpxor\t%xmm15,%xmm8,%xmm8\n\tvmovdqu\t-32(%rdx),%xmm14\n\tvpxor\t%xmm1,%xmm4,%xmm4\n\tvpclmulqdq\t$0x11,%xmm6,%xmm15,%xmm1\n\tvmovdqu\t16-64(%rsi),%xmm6\n\tvpshufb\t%xmm13,%xmm14,%xmm15\n\tvpxor\t%xmm2,%xmm5,%xmm5\n\tvpclmulqdq\t$0x00,%xmm7,%xmm8,%xmm2\n\tvpsrldq\t$8,%xmm7,%xmm7\n\tsubq\t$0x10,%rcx\n\tjz\t.Ltail_avx\n\n\tvpunpckhqdq\t%xmm15,%xmm15,%xmm8\n\tvpxor\t%xmm0,%xmm3,%xmm3\n\tvpclmulqdq\t$0x00,%xmm6,%xmm15,%xmm0\n\tvpxor\t%xmm15,%xmm8,%xmm8\n\tvmovdqu\t-48(%rdx),%xmm14\n\tvpxor\t%xmm1,%xmm4,%xmm4\n\tvpclmulqdq\t$0x11,%xmm6,%xmm15,%xmm1\n\tvmovdqu\t48-64(%rsi),%xmm6\n\tvpshufb\t%xmm13,%xmm14,%xmm15\n\tvpxor\t%xmm2,%xmm5,%xmm5\n\tvpclmulqdq\t$0x00,%xmm7,%xmm8,%xmm2\n\tvmovdqu\t80-64(%rsi),%xmm7\n\tsubq\t$0x10,%rcx\n\tjz\t.Ltail_avx\n\n\tvpunpckhqdq\t%xmm15,%xmm15,%xmm8\n\tvpxor\t%xmm0,%xmm3,%xmm3\n\tvpclmulqdq\t$0x00,%xmm6,%xmm15,%xmm0\n\tvpxor\t%xmm15,%xmm8,%xmm8\n\tvmovdqu\t-64(%rdx),%xmm14\n\tvpxor\t%xmm1,%xmm4,%xmm4\n\tvpclmulqdq\t$0x11,%xmm6,%xmm15,%xmm1\n\tvmovdqu\t64-64(%rsi),%xmm6\n\tvpshufb\t%xmm13,%xmm14,%xmm15\n\tvpxor\t%xmm2,%xmm5,%xmm5\n\tvpclmulqdq\t$0x00,%xmm7,%xmm8,%xmm2\n\tvpsrldq\t$8,%xmm7,%xmm7\n\tsubq\t$0x10,%rcx\n\tjz\t.Ltail_avx\n\n\tvpunpckhqdq\t%xmm15,%xmm15,%xmm8\n\tvpxor\t%xmm0,%xmm3,%xmm3\n\tvpclmulqdq\t$0x00,%xmm6,%xmm15,%xmm0\n\tvpxor\t%xmm15,%xmm8,%xmm8\n\tvmovdqu\t-80(%rdx),%xmm14\n\tvpxor\t%xmm1,%xmm4,%xmm4\n\tvpclmulqdq\t$0x11,%xmm6,%xmm15,%xmm1\n\tvmovdqu\t96-64(%rsi),%xmm6\n\tvpshufb\t%xmm13,%xmm14,%xmm15\n\tvpxor\t%xmm2,%xmm5,%xmm5\n\tvpclmulqdq\t$0x00,%xmm7,%xmm8,%xmm2\n\tvmovdqu\t128-64(%rsi),%xmm7\n\tsubq\t$0x10,%rcx\n\tjz\t.Ltail_avx\n\n\tvpunpckhqdq\t%xmm15,%xmm15,%xmm8\n\tvpxor\t%xmm0,%xmm3,%xmm3\n\tvpclmulqdq\t$0x00,%xmm6,%xmm15,%xmm0\n\tvpxor\t%xmm15,%xmm8,%xmm8\n\tvmovdqu\t-96(%rdx),%xmm14\n\tvpxor\t%xmm1,%xmm4,%xmm4\n\tvpclmulqdq\t$0x11,%xmm6,%xmm15,%xmm1\n\tvmovdqu\t112-64(%rsi),%xmm6\n\tvpshufb\t%xmm13,%xmm14,%xmm15\n\tvpxor\t%xmm2,%xmm5,%xmm5\n\tvpclmulqdq\t$0x00,%xmm7,%xmm8,%xmm2\n\tvpsrldq\t$8,%xmm7,%xmm7\n\tsubq\t$0x10,%rcx\n\tjz\t.Ltail_avx\n\n\tvpunpckhqdq\t%xmm15,%xmm15,%xmm8\n\tvpxor\t%xmm0,%xmm3,%xmm3\n\tvpclmulqdq\t$0x00,%xmm6,%xmm15,%xmm0\n\tvpxor\t%xmm15,%xmm8,%xmm8\n\tvmovdqu\t-112(%rdx),%xmm14\n\tvpxor\t%xmm1,%xmm4,%xmm4\n\tvpclmulqdq\t$0x11,%xmm6,%xmm15,%xmm1\n\tvmovdqu\t144-64(%rsi),%xmm6\n\tvpshufb\t%xmm13,%xmm14,%xmm15\n\tvpxor\t%xmm2,%xmm5,%xmm5\n\tvpclmulqdq\t$0x00,%xmm7,%xmm8,%xmm2\n\tvmovq\t184-64(%rsi),%xmm7\n\tsubq\t$0x10,%rcx\n\tjmp\t.Ltail_avx\n\n.align\t32\n.Ltail_avx:\n\tvpxor\t%xmm10,%xmm15,%xmm15\n.Ltail_no_xor_avx:\n\tvpunpckhqdq\t%xmm15,%xmm15,%xmm8\n\tvpxor\t%xmm0,%xmm3,%xmm3\n\tvpclmulqdq\t$0x00,%xmm6,%xmm15,%xmm0\n\tvpxor\t%xmm15,%xmm8,%xmm8\n\tvpxor\t%xmm1,%xmm4,%xmm4\n\tvpclmulqdq\t$0x11,%xmm6,%xmm15,%xmm1\n\tvpxor\t%xmm2,%xmm5,%xmm5\n\tvpclmulqdq\t$0x00,%xmm7,%xmm8,%xmm2\n\n\tvmovdqu\t(%r10),%xmm12\n\n\tvpxor\t%xmm0,%xmm3,%xmm10\n\tvpxor\t%xmm1,%xmm4,%xmm11\n\tvpxor\t%xmm2,%xmm5,%xmm5\n\n\tvpxor\t%xmm10,%xmm5,%xmm5\n\tvpxor\t%xmm11,%xmm5,%xmm5\n\tvpslldq\t$8,%xmm5,%xmm9\n\tvpsrldq\t$8,%xmm5,%xmm5\n\tvpxor\t%xmm9,%xmm10,%xmm10\n\tvpxor\t%xmm5,%xmm11,%xmm11\n\n\tvpclmulqdq\t$0x10,%xmm12,%xmm10,%xmm9\n\tvpalignr\t$8,%xmm10,%xmm10,%xmm10\n\tvpxor\t%xmm9,%xmm10,%xmm10\n\n\tvpclmulqdq\t$0x10,%xmm12,%xmm10,%xmm9\n\tvpalignr\t$8,%xmm10,%xmm10,%xmm10\n\tvpxor\t%xmm11,%xmm10,%xmm10\n\tvpxor\t%xmm9,%xmm10,%xmm10\n\n\tcmpq\t$0,%rcx\n\tjne\t.Lshort_avx\n\n\tvpshufb\t%xmm13,%xmm10,%xmm10\n\tvmovdqu\t%xmm10,(%rdi)\n\tvzeroupper\n\tret\n.cfi_endproc\t\n\n.size\tgcm_ghash_avx,.-gcm_ghash_avx\n.section\t.rodata\n.align\t64\n.Lbswap_mask:\n.byte\t15,14,13,12,11,10,9,8,7,6,5,4,3,2,1,0\n.L0x1c2_polynomial:\n.byte\t1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0xc2\n.L7_mask:\n.long\t7,0,7,0\n.align\t64\n\n.byte\t71,72,65,83,72,32,102,111,114,32,120,56,54,95,54,52,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0\n.align\t64\n.text\t\n#endif\n#if defined(__linux__) && defined(__ELF__)\n.section .note.GNU-stack,\"\",%progbits\n#endif\n\n" }, { "path": "Sources/CNIOBoringSSL/gen/bcm/ghashv8-armv7-linux.S", "content": "#define BORINGSSL_PREFIX CNIOBoringSSL\n// This file is generated from a similarly-named Perl script in the BoringSSL\n// source tree. Do not edit by hand.\n\n#include \n\n#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_ARM) && defined(__ELF__)\n#include \n\n#if __ARM_MAX_ARCH__>=7\n.text\n.fpu\tneon\n.code\t32\n#undef\t__thumb2__\n.globl\tgcm_init_v8\n.hidden\tgcm_init_v8\n.type\tgcm_init_v8,%function\n.align\t4\ngcm_init_v8:\n\tAARCH64_VALID_CALL_TARGET\n\tvld1.64\t{q9},[r1]\t\t@ load input H\n\tvmov.i8\tq11,#0xe1\n\tvshl.i64\tq11,q11,#57\t\t@ 0xc2.0\n\tvext.8\tq3,q9,q9,#8\n\tvshr.u64\tq10,q11,#63\n\tvdup.32\tq9,d18[1]\n\tvext.8\tq8,q10,q11,#8\t\t@ t0=0xc2....01\n\tvshr.u64\tq10,q3,#63\n\tvshr.s32\tq9,q9,#31\t\t@ broadcast carry bit\n\tvand\tq10,q10,q8\n\tvshl.i64\tq3,q3,#1\n\tvext.8\tq10,q10,q10,#8\n\tvand\tq8,q8,q9\n\tvorr\tq3,q3,q10\t\t@ H<<<=1\n\tveor\tq12,q3,q8\t\t@ twisted H\n\tvst1.64\t{q12},[r0]!\t\t@ store Htable[0]\n\n\t@ calculate H^2\n\tvext.8\tq8,q12,q12,#8\t\t@ Karatsuba pre-processing\n.byte\t0xa8,0x0e,0xa8,0xf2\t@ pmull q0,q12,q12\n\tveor\tq8,q8,q12\n.byte\t0xa9,0x4e,0xa9,0xf2\t@ pmull2 q2,q12,q12\n.byte\t0xa0,0x2e,0xa0,0xf2\t@ pmull q1,q8,q8\n\n\tvext.8\tq9,q0,q2,#8\t\t@ Karatsuba post-processing\n\tveor\tq10,q0,q2\n\tveor\tq1,q1,q9\n\tveor\tq1,q1,q10\n.byte\t0x26,0x4e,0xe0,0xf2\t@ pmull q10,q0,q11\t\t@ 1st phase\n\n\tvmov\td4,d3\t\t@ Xh|Xm - 256-bit result\n\tvmov\td3,d0\t\t@ Xm is rotated Xl\n\tveor\tq0,q1,q10\n\n\tvext.8\tq10,q0,q0,#8\t\t@ 2nd phase\n.byte\t0x26,0x0e,0xa0,0xf2\t@ pmull q0,q0,q11\n\tveor\tq10,q10,q2\n\tveor\tq14,q0,q10\n\n\tvext.8\tq9,q14,q14,#8\t\t@ Karatsuba pre-processing\n\tveor\tq9,q9,q14\n\tvext.8\tq13,q8,q9,#8\t\t@ pack Karatsuba pre-processed\n\tvst1.64\t{q13,q14},[r0]!\t@ store Htable[1..2]\n\tbx\tlr\n.size\tgcm_init_v8,.-gcm_init_v8\n.globl\tgcm_gmult_v8\n.hidden\tgcm_gmult_v8\n.type\tgcm_gmult_v8,%function\n.align\t4\ngcm_gmult_v8:\n\tAARCH64_VALID_CALL_TARGET\n\tvld1.64\t{q9},[r0]\t\t@ load Xi\n\tvmov.i8\tq11,#0xe1\n\tvld1.64\t{q12,q13},[r1]\t@ load twisted H, ...\n\tvshl.u64\tq11,q11,#57\n#ifndef __ARMEB__\n\tvrev64.8\tq9,q9\n#endif\n\tvext.8\tq3,q9,q9,#8\n\n.byte\t0x86,0x0e,0xa8,0xf2\t@ pmull q0,q12,q3\t\t@ H.lo·Xi.lo\n\tveor\tq9,q9,q3\t\t@ Karatsuba pre-processing\n.byte\t0x87,0x4e,0xa9,0xf2\t@ pmull2 q2,q12,q3\t\t@ H.hi·Xi.hi\n.byte\t0xa2,0x2e,0xaa,0xf2\t@ pmull q1,q13,q9\t\t@ (H.lo+H.hi)·(Xi.lo+Xi.hi)\n\n\tvext.8\tq9,q0,q2,#8\t\t@ Karatsuba post-processing\n\tveor\tq10,q0,q2\n\tveor\tq1,q1,q9\n\tveor\tq1,q1,q10\n.byte\t0x26,0x4e,0xe0,0xf2\t@ pmull q10,q0,q11\t\t@ 1st phase of reduction\n\n\tvmov\td4,d3\t\t@ Xh|Xm - 256-bit result\n\tvmov\td3,d0\t\t@ Xm is rotated Xl\n\tveor\tq0,q1,q10\n\n\tvext.8\tq10,q0,q0,#8\t\t@ 2nd phase of reduction\n.byte\t0x26,0x0e,0xa0,0xf2\t@ pmull q0,q0,q11\n\tveor\tq10,q10,q2\n\tveor\tq0,q0,q10\n\n#ifndef __ARMEB__\n\tvrev64.8\tq0,q0\n#endif\n\tvext.8\tq0,q0,q0,#8\n\tvst1.64\t{q0},[r0]\t\t@ write out Xi\n\n\tbx\tlr\n.size\tgcm_gmult_v8,.-gcm_gmult_v8\n.globl\tgcm_ghash_v8\n.hidden\tgcm_ghash_v8\n.type\tgcm_ghash_v8,%function\n.align\t4\ngcm_ghash_v8:\n\tAARCH64_VALID_CALL_TARGET\n\tvstmdb\tsp!,{d8,d9,d10,d11,d12,d13,d14,d15}\t\t@ 32-bit ABI says so\n\tvld1.64\t{q0},[r0]\t\t@ load [rotated] Xi\n\t\t\t\t\t\t@ \"[rotated]\" means that\n\t\t\t\t\t\t@ loaded value would have\n\t\t\t\t\t\t@ to be rotated in order to\n\t\t\t\t\t\t@ make it appear as in\n\t\t\t\t\t\t@ algorithm specification\n\tsubs\tr3,r3,#32\t\t@ see if r3 is 32 or larger\n\tmov\tr12,#16\t\t@ r12 is used as post-\n\t\t\t\t\t\t@ increment for input pointer;\n\t\t\t\t\t\t@ as loop is modulo-scheduled\n\t\t\t\t\t\t@ r12 is zeroed just in time\n\t\t\t\t\t\t@ to preclude overstepping\n\t\t\t\t\t\t@ inp[len], which means that\n\t\t\t\t\t\t@ last block[s] are actually\n\t\t\t\t\t\t@ loaded twice, but last\n\t\t\t\t\t\t@ copy is not processed\n\tvld1.64\t{q12,q13},[r1]!\t@ load twisted H, ..., H^2\n\tvmov.i8\tq11,#0xe1\n\tvld1.64\t{q14},[r1]\n\tmoveq\tr12,#0\t\t\t@ is it time to zero r12?\n\tvext.8\tq0,q0,q0,#8\t\t@ rotate Xi\n\tvld1.64\t{q8},[r2]!\t@ load [rotated] I[0]\n\tvshl.u64\tq11,q11,#57\t\t@ compose 0xc2.0 constant\n#ifndef __ARMEB__\n\tvrev64.8\tq8,q8\n\tvrev64.8\tq0,q0\n#endif\n\tvext.8\tq3,q8,q8,#8\t\t@ rotate I[0]\n\tblo\t.Lodd_tail_v8\t\t@ r3 was less than 32\n\tvld1.64\t{q9},[r2],r12\t@ load [rotated] I[1]\n#ifndef __ARMEB__\n\tvrev64.8\tq9,q9\n#endif\n\tvext.8\tq7,q9,q9,#8\n\tveor\tq3,q3,q0\t\t@ I[i]^=Xi\n.byte\t0x8e,0x8e,0xa8,0xf2\t@ pmull q4,q12,q7\t\t@ H·Ii+1\n\tveor\tq9,q9,q7\t\t@ Karatsuba pre-processing\n.byte\t0x8f,0xce,0xa9,0xf2\t@ pmull2 q6,q12,q7\n\tb\t.Loop_mod2x_v8\n\n.align\t4\n.Loop_mod2x_v8:\n\tvext.8\tq10,q3,q3,#8\n\tsubs\tr3,r3,#32\t\t@ is there more data?\n.byte\t0x86,0x0e,0xac,0xf2\t@ pmull q0,q14,q3\t\t@ H^2.lo·Xi.lo\n\tmovlo\tr12,#0\t\t\t@ is it time to zero r12?\n\n.byte\t0xa2,0xae,0xaa,0xf2\t@ pmull q5,q13,q9\n\tveor\tq10,q10,q3\t\t@ Karatsuba pre-processing\n.byte\t0x87,0x4e,0xad,0xf2\t@ pmull2 q2,q14,q3\t\t@ H^2.hi·Xi.hi\n\tveor\tq0,q0,q4\t\t@ accumulate\n.byte\t0xa5,0x2e,0xab,0xf2\t@ pmull2 q1,q13,q10\t\t@ (H^2.lo+H^2.hi)·(Xi.lo+Xi.hi)\n\tvld1.64\t{q8},[r2],r12\t@ load [rotated] I[i+2]\n\n\tveor\tq2,q2,q6\n\tmoveq\tr12,#0\t\t\t@ is it time to zero r12?\n\tveor\tq1,q1,q5\n\n\tvext.8\tq9,q0,q2,#8\t\t@ Karatsuba post-processing\n\tveor\tq10,q0,q2\n\tveor\tq1,q1,q9\n\tvld1.64\t{q9},[r2],r12\t@ load [rotated] I[i+3]\n#ifndef __ARMEB__\n\tvrev64.8\tq8,q8\n#endif\n\tveor\tq1,q1,q10\n.byte\t0x26,0x4e,0xe0,0xf2\t@ pmull q10,q0,q11\t\t@ 1st phase of reduction\n\n#ifndef __ARMEB__\n\tvrev64.8\tq9,q9\n#endif\n\tvmov\td4,d3\t\t@ Xh|Xm - 256-bit result\n\tvmov\td3,d0\t\t@ Xm is rotated Xl\n\tvext.8\tq7,q9,q9,#8\n\tvext.8\tq3,q8,q8,#8\n\tveor\tq0,q1,q10\n.byte\t0x8e,0x8e,0xa8,0xf2\t@ pmull q4,q12,q7\t\t@ H·Ii+1\n\tveor\tq3,q3,q2\t\t@ accumulate q3 early\n\n\tvext.8\tq10,q0,q0,#8\t\t@ 2nd phase of reduction\n.byte\t0x26,0x0e,0xa0,0xf2\t@ pmull q0,q0,q11\n\tveor\tq3,q3,q10\n\tveor\tq9,q9,q7\t\t@ Karatsuba pre-processing\n\tveor\tq3,q3,q0\n.byte\t0x8f,0xce,0xa9,0xf2\t@ pmull2 q6,q12,q7\n\tbhs\t.Loop_mod2x_v8\t\t@ there was at least 32 more bytes\n\n\tveor\tq2,q2,q10\n\tvext.8\tq3,q8,q8,#8\t\t@ re-construct q3\n\tadds\tr3,r3,#32\t\t@ re-construct r3\n\tveor\tq0,q0,q2\t\t@ re-construct q0\n\tbeq\t.Ldone_v8\t\t@ is r3 zero?\n.Lodd_tail_v8:\n\tvext.8\tq10,q0,q0,#8\n\tveor\tq3,q3,q0\t\t@ inp^=Xi\n\tveor\tq9,q8,q10\t\t@ q9 is rotated inp^Xi\n\n.byte\t0x86,0x0e,0xa8,0xf2\t@ pmull q0,q12,q3\t\t@ H.lo·Xi.lo\n\tveor\tq9,q9,q3\t\t@ Karatsuba pre-processing\n.byte\t0x87,0x4e,0xa9,0xf2\t@ pmull2 q2,q12,q3\t\t@ H.hi·Xi.hi\n.byte\t0xa2,0x2e,0xaa,0xf2\t@ pmull q1,q13,q9\t\t@ (H.lo+H.hi)·(Xi.lo+Xi.hi)\n\n\tvext.8\tq9,q0,q2,#8\t\t@ Karatsuba post-processing\n\tveor\tq10,q0,q2\n\tveor\tq1,q1,q9\n\tveor\tq1,q1,q10\n.byte\t0x26,0x4e,0xe0,0xf2\t@ pmull q10,q0,q11\t\t@ 1st phase of reduction\n\n\tvmov\td4,d3\t\t@ Xh|Xm - 256-bit result\n\tvmov\td3,d0\t\t@ Xm is rotated Xl\n\tveor\tq0,q1,q10\n\n\tvext.8\tq10,q0,q0,#8\t\t@ 2nd phase of reduction\n.byte\t0x26,0x0e,0xa0,0xf2\t@ pmull q0,q0,q11\n\tveor\tq10,q10,q2\n\tveor\tq0,q0,q10\n\n.Ldone_v8:\n#ifndef __ARMEB__\n\tvrev64.8\tq0,q0\n#endif\n\tvext.8\tq0,q0,q0,#8\n\tvst1.64\t{q0},[r0]\t\t@ write out Xi\n\n\tvldmia\tsp!,{d8,d9,d10,d11,d12,d13,d14,d15}\t\t@ 32-bit ABI says so\n\tbx\tlr\n.size\tgcm_ghash_v8,.-gcm_ghash_v8\n.byte\t71,72,65,83,72,32,102,111,114,32,65,82,77,118,56,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0\n.align\t2\n.align\t2\n#endif\n#endif // !OPENSSL_NO_ASM && defined(OPENSSL_ARM) && defined(__ELF__)\n#if defined(__linux__) && defined(__ELF__)\n.section .note.GNU-stack,\"\",%progbits\n#endif\n\n" }, { "path": "Sources/CNIOBoringSSL/gen/bcm/ghashv8-armv8-apple.S", "content": "#define BORINGSSL_PREFIX CNIOBoringSSL\n// This file is generated from a similarly-named Perl script in the BoringSSL\n// source tree. Do not edit by hand.\n\n#include \n\n#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_AARCH64) && defined(__APPLE__)\n#include \n\n#if __ARM_MAX_ARCH__>=7\n.text\n\n.globl\t_gcm_init_v8\n.private_extern\t_gcm_init_v8\n\n.align\t4\n_gcm_init_v8:\n\tAARCH64_VALID_CALL_TARGET\n\tld1\t{v17.2d},[x1]\t\t//load input H\n\tmovi\tv19.16b,#0xe1\n\tshl\tv19.2d,v19.2d,#57\t\t//0xc2.0\n\text\tv3.16b,v17.16b,v17.16b,#8\n\tushr\tv18.2d,v19.2d,#63\n\tdup\tv17.4s,v17.s[1]\n\text\tv16.16b,v18.16b,v19.16b,#8\t\t//t0=0xc2....01\n\tushr\tv18.2d,v3.2d,#63\n\tsshr\tv17.4s,v17.4s,#31\t\t//broadcast carry bit\n\tand\tv18.16b,v18.16b,v16.16b\n\tshl\tv3.2d,v3.2d,#1\n\text\tv18.16b,v18.16b,v18.16b,#8\n\tand\tv16.16b,v16.16b,v17.16b\n\torr\tv3.16b,v3.16b,v18.16b\t\t//H<<<=1\n\teor\tv20.16b,v3.16b,v16.16b\t\t//twisted H\n\tst1\t{v20.2d},[x0],#16\t\t//store Htable[0]\n\n\t//calculate H^2\n\text\tv16.16b,v20.16b,v20.16b,#8\t\t//Karatsuba pre-processing\n\tpmull\tv0.1q,v20.1d,v20.1d\n\teor\tv16.16b,v16.16b,v20.16b\n\tpmull2\tv2.1q,v20.2d,v20.2d\n\tpmull\tv1.1q,v16.1d,v16.1d\n\n\text\tv17.16b,v0.16b,v2.16b,#8\t\t//Karatsuba post-processing\n\teor\tv18.16b,v0.16b,v2.16b\n\teor\tv1.16b,v1.16b,v17.16b\n\teor\tv1.16b,v1.16b,v18.16b\n\tpmull\tv18.1q,v0.1d,v19.1d\t\t//1st phase\n\n\tins\tv2.d[0],v1.d[1]\n\tins\tv1.d[1],v0.d[0]\n\teor\tv0.16b,v1.16b,v18.16b\n\n\text\tv18.16b,v0.16b,v0.16b,#8\t\t//2nd phase\n\tpmull\tv0.1q,v0.1d,v19.1d\n\teor\tv18.16b,v18.16b,v2.16b\n\teor\tv22.16b,v0.16b,v18.16b\n\n\text\tv17.16b,v22.16b,v22.16b,#8\t\t//Karatsuba pre-processing\n\teor\tv17.16b,v17.16b,v22.16b\n\text\tv21.16b,v16.16b,v17.16b,#8\t\t//pack Karatsuba pre-processed\n\tst1\t{v21.2d,v22.2d},[x0],#32\t//store Htable[1..2]\n\t//calculate H^3 and H^4\n\tpmull\tv0.1q,v20.1d, v22.1d\n\tpmull\tv5.1q,v22.1d,v22.1d\n\tpmull2\tv2.1q,v20.2d, v22.2d\n\tpmull2\tv7.1q,v22.2d,v22.2d\n\tpmull\tv1.1q,v16.1d,v17.1d\n\tpmull\tv6.1q,v17.1d,v17.1d\n\n\text\tv16.16b,v0.16b,v2.16b,#8\t\t//Karatsuba post-processing\n\text\tv17.16b,v5.16b,v7.16b,#8\n\teor\tv18.16b,v0.16b,v2.16b\n\teor\tv1.16b,v1.16b,v16.16b\n\teor\tv4.16b,v5.16b,v7.16b\n\teor\tv6.16b,v6.16b,v17.16b\n\teor\tv1.16b,v1.16b,v18.16b\n\tpmull\tv18.1q,v0.1d,v19.1d\t\t//1st phase\n\teor\tv6.16b,v6.16b,v4.16b\n\tpmull\tv4.1q,v5.1d,v19.1d\n\n\tins\tv2.d[0],v1.d[1]\n\tins\tv7.d[0],v6.d[1]\n\tins\tv1.d[1],v0.d[0]\n\tins\tv6.d[1],v5.d[0]\n\teor\tv0.16b,v1.16b,v18.16b\n\teor\tv5.16b,v6.16b,v4.16b\n\n\text\tv18.16b,v0.16b,v0.16b,#8\t\t//2nd phase\n\text\tv4.16b,v5.16b,v5.16b,#8\n\tpmull\tv0.1q,v0.1d,v19.1d\n\tpmull\tv5.1q,v5.1d,v19.1d\n\teor\tv18.16b,v18.16b,v2.16b\n\teor\tv4.16b,v4.16b,v7.16b\n\teor\tv20.16b, v0.16b,v18.16b\t\t//H^3\n\teor\tv22.16b,v5.16b,v4.16b\t\t//H^4\n\n\text\tv16.16b,v20.16b, v20.16b,#8\t\t//Karatsuba pre-processing\n\text\tv17.16b,v22.16b,v22.16b,#8\n\teor\tv16.16b,v16.16b,v20.16b\n\teor\tv17.16b,v17.16b,v22.16b\n\text\tv21.16b,v16.16b,v17.16b,#8\t\t//pack Karatsuba pre-processed\n\tst1\t{v20.2d,v21.2d,v22.2d},[x0]\t\t//store Htable[3..5]\n\tret\n\n.globl\t_gcm_gmult_v8\n.private_extern\t_gcm_gmult_v8\n\n.align\t4\n_gcm_gmult_v8:\n\tAARCH64_VALID_CALL_TARGET\n\tld1\t{v17.2d},[x0]\t\t//load Xi\n\tmovi\tv19.16b,#0xe1\n\tld1\t{v20.2d,v21.2d},[x1]\t//load twisted H, ...\n\tshl\tv19.2d,v19.2d,#57\n#ifndef __AARCH64EB__\n\trev64\tv17.16b,v17.16b\n#endif\n\text\tv3.16b,v17.16b,v17.16b,#8\n\n\tpmull\tv0.1q,v20.1d,v3.1d\t\t//H.lo·Xi.lo\n\teor\tv17.16b,v17.16b,v3.16b\t\t//Karatsuba pre-processing\n\tpmull2\tv2.1q,v20.2d,v3.2d\t\t//H.hi·Xi.hi\n\tpmull\tv1.1q,v21.1d,v17.1d\t\t//(H.lo+H.hi)·(Xi.lo+Xi.hi)\n\n\text\tv17.16b,v0.16b,v2.16b,#8\t\t//Karatsuba post-processing\n\teor\tv18.16b,v0.16b,v2.16b\n\teor\tv1.16b,v1.16b,v17.16b\n\teor\tv1.16b,v1.16b,v18.16b\n\tpmull\tv18.1q,v0.1d,v19.1d\t\t//1st phase of reduction\n\n\tins\tv2.d[0],v1.d[1]\n\tins\tv1.d[1],v0.d[0]\n\teor\tv0.16b,v1.16b,v18.16b\n\n\text\tv18.16b,v0.16b,v0.16b,#8\t\t//2nd phase of reduction\n\tpmull\tv0.1q,v0.1d,v19.1d\n\teor\tv18.16b,v18.16b,v2.16b\n\teor\tv0.16b,v0.16b,v18.16b\n\n#ifndef __AARCH64EB__\n\trev64\tv0.16b,v0.16b\n#endif\n\text\tv0.16b,v0.16b,v0.16b,#8\n\tst1\t{v0.2d},[x0]\t\t//write out Xi\n\n\tret\n\n.globl\t_gcm_ghash_v8\n.private_extern\t_gcm_ghash_v8\n\n.align\t4\n_gcm_ghash_v8:\n\tAARCH64_VALID_CALL_TARGET\n\tcmp\tx3,#64\n\tb.hs\tLgcm_ghash_v8_4x\n\tld1\t{v0.2d},[x0]\t\t//load [rotated] Xi\n\t\t\t\t\t\t//\"[rotated]\" means that\n\t\t\t\t\t\t//loaded value would have\n\t\t\t\t\t\t//to be rotated in order to\n\t\t\t\t\t\t//make it appear as in\n\t\t\t\t\t\t//algorithm specification\n\tsubs\tx3,x3,#32\t\t//see if x3 is 32 or larger\n\tmov\tx12,#16\t\t//x12 is used as post-\n\t\t\t\t\t\t//increment for input pointer;\n\t\t\t\t\t\t//as loop is modulo-scheduled\n\t\t\t\t\t\t//x12 is zeroed just in time\n\t\t\t\t\t\t//to preclude overstepping\n\t\t\t\t\t\t//inp[len], which means that\n\t\t\t\t\t\t//last block[s] are actually\n\t\t\t\t\t\t//loaded twice, but last\n\t\t\t\t\t\t//copy is not processed\n\tld1\t{v20.2d,v21.2d},[x1],#32\t//load twisted H, ..., H^2\n\tmovi\tv19.16b,#0xe1\n\tld1\t{v22.2d},[x1]\n\tcsel\tx12,xzr,x12,eq\t\t\t//is it time to zero x12?\n\text\tv0.16b,v0.16b,v0.16b,#8\t\t//rotate Xi\n\tld1\t{v16.2d},[x2],#16\t//load [rotated] I[0]\n\tshl\tv19.2d,v19.2d,#57\t\t//compose 0xc2.0 constant\n#ifndef __AARCH64EB__\n\trev64\tv16.16b,v16.16b\n\trev64\tv0.16b,v0.16b\n#endif\n\text\tv3.16b,v16.16b,v16.16b,#8\t\t//rotate I[0]\n\tb.lo\tLodd_tail_v8\t\t//x3 was less than 32\n\tld1\t{v17.2d},[x2],x12\t//load [rotated] I[1]\n#ifndef __AARCH64EB__\n\trev64\tv17.16b,v17.16b\n#endif\n\text\tv7.16b,v17.16b,v17.16b,#8\n\teor\tv3.16b,v3.16b,v0.16b\t\t//I[i]^=Xi\n\tpmull\tv4.1q,v20.1d,v7.1d\t\t//H·Ii+1\n\teor\tv17.16b,v17.16b,v7.16b\t\t//Karatsuba pre-processing\n\tpmull2\tv6.1q,v20.2d,v7.2d\n\tb\tLoop_mod2x_v8\n\n.align\t4\nLoop_mod2x_v8:\n\text\tv18.16b,v3.16b,v3.16b,#8\n\tsubs\tx3,x3,#32\t\t//is there more data?\n\tpmull\tv0.1q,v22.1d,v3.1d\t\t//H^2.lo·Xi.lo\n\tcsel\tx12,xzr,x12,lo\t\t\t//is it time to zero x12?\n\n\tpmull\tv5.1q,v21.1d,v17.1d\n\teor\tv18.16b,v18.16b,v3.16b\t\t//Karatsuba pre-processing\n\tpmull2\tv2.1q,v22.2d,v3.2d\t\t//H^2.hi·Xi.hi\n\teor\tv0.16b,v0.16b,v4.16b\t\t//accumulate\n\tpmull2\tv1.1q,v21.2d,v18.2d\t\t//(H^2.lo+H^2.hi)·(Xi.lo+Xi.hi)\n\tld1\t{v16.2d},[x2],x12\t//load [rotated] I[i+2]\n\n\teor\tv2.16b,v2.16b,v6.16b\n\tcsel\tx12,xzr,x12,eq\t\t\t//is it time to zero x12?\n\teor\tv1.16b,v1.16b,v5.16b\n\n\text\tv17.16b,v0.16b,v2.16b,#8\t\t//Karatsuba post-processing\n\teor\tv18.16b,v0.16b,v2.16b\n\teor\tv1.16b,v1.16b,v17.16b\n\tld1\t{v17.2d},[x2],x12\t//load [rotated] I[i+3]\n#ifndef __AARCH64EB__\n\trev64\tv16.16b,v16.16b\n#endif\n\teor\tv1.16b,v1.16b,v18.16b\n\tpmull\tv18.1q,v0.1d,v19.1d\t\t//1st phase of reduction\n\n#ifndef __AARCH64EB__\n\trev64\tv17.16b,v17.16b\n#endif\n\tins\tv2.d[0],v1.d[1]\n\tins\tv1.d[1],v0.d[0]\n\text\tv7.16b,v17.16b,v17.16b,#8\n\text\tv3.16b,v16.16b,v16.16b,#8\n\teor\tv0.16b,v1.16b,v18.16b\n\tpmull\tv4.1q,v20.1d,v7.1d\t\t//H·Ii+1\n\teor\tv3.16b,v3.16b,v2.16b\t\t//accumulate v3.16b early\n\n\text\tv18.16b,v0.16b,v0.16b,#8\t\t//2nd phase of reduction\n\tpmull\tv0.1q,v0.1d,v19.1d\n\teor\tv3.16b,v3.16b,v18.16b\n\teor\tv17.16b,v17.16b,v7.16b\t\t//Karatsuba pre-processing\n\teor\tv3.16b,v3.16b,v0.16b\n\tpmull2\tv6.1q,v20.2d,v7.2d\n\tb.hs\tLoop_mod2x_v8\t\t//there was at least 32 more bytes\n\n\teor\tv2.16b,v2.16b,v18.16b\n\text\tv3.16b,v16.16b,v16.16b,#8\t\t//re-construct v3.16b\n\tadds\tx3,x3,#32\t\t//re-construct x3\n\teor\tv0.16b,v0.16b,v2.16b\t\t//re-construct v0.16b\n\tb.eq\tLdone_v8\t\t//is x3 zero?\nLodd_tail_v8:\n\text\tv18.16b,v0.16b,v0.16b,#8\n\teor\tv3.16b,v3.16b,v0.16b\t\t//inp^=Xi\n\teor\tv17.16b,v16.16b,v18.16b\t\t//v17.16b is rotated inp^Xi\n\n\tpmull\tv0.1q,v20.1d,v3.1d\t\t//H.lo·Xi.lo\n\teor\tv17.16b,v17.16b,v3.16b\t\t//Karatsuba pre-processing\n\tpmull2\tv2.1q,v20.2d,v3.2d\t\t//H.hi·Xi.hi\n\tpmull\tv1.1q,v21.1d,v17.1d\t\t//(H.lo+H.hi)·(Xi.lo+Xi.hi)\n\n\text\tv17.16b,v0.16b,v2.16b,#8\t\t//Karatsuba post-processing\n\teor\tv18.16b,v0.16b,v2.16b\n\teor\tv1.16b,v1.16b,v17.16b\n\teor\tv1.16b,v1.16b,v18.16b\n\tpmull\tv18.1q,v0.1d,v19.1d\t\t//1st phase of reduction\n\n\tins\tv2.d[0],v1.d[1]\n\tins\tv1.d[1],v0.d[0]\n\teor\tv0.16b,v1.16b,v18.16b\n\n\text\tv18.16b,v0.16b,v0.16b,#8\t\t//2nd phase of reduction\n\tpmull\tv0.1q,v0.1d,v19.1d\n\teor\tv18.16b,v18.16b,v2.16b\n\teor\tv0.16b,v0.16b,v18.16b\n\nLdone_v8:\n#ifndef __AARCH64EB__\n\trev64\tv0.16b,v0.16b\n#endif\n\text\tv0.16b,v0.16b,v0.16b,#8\n\tst1\t{v0.2d},[x0]\t\t//write out Xi\n\n\tret\n\n\n.align\t4\ngcm_ghash_v8_4x:\nLgcm_ghash_v8_4x:\n\tld1\t{v0.2d},[x0]\t\t//load [rotated] Xi\n\tld1\t{v20.2d,v21.2d,v22.2d},[x1],#48\t//load twisted H, ..., H^2\n\tmovi\tv19.16b,#0xe1\n\tld1\t{v26.2d,v27.2d,v28.2d},[x1]\t//load twisted H^3, ..., H^4\n\tshl\tv19.2d,v19.2d,#57\t\t//compose 0xc2.0 constant\n\n\tld1\t{v4.2d,v5.2d,v6.2d,v7.2d},[x2],#64\n#ifndef __AARCH64EB__\n\trev64\tv0.16b,v0.16b\n\trev64\tv5.16b,v5.16b\n\trev64\tv6.16b,v6.16b\n\trev64\tv7.16b,v7.16b\n\trev64\tv4.16b,v4.16b\n#endif\n\text\tv25.16b,v7.16b,v7.16b,#8\n\text\tv24.16b,v6.16b,v6.16b,#8\n\text\tv23.16b,v5.16b,v5.16b,#8\n\n\tpmull\tv29.1q,v20.1d,v25.1d\t\t//H·Ii+3\n\teor\tv7.16b,v7.16b,v25.16b\n\tpmull2\tv31.1q,v20.2d,v25.2d\n\tpmull\tv30.1q,v21.1d,v7.1d\n\n\tpmull\tv16.1q,v22.1d,v24.1d\t\t//H^2·Ii+2\n\teor\tv6.16b,v6.16b,v24.16b\n\tpmull2\tv24.1q,v22.2d,v24.2d\n\tpmull2\tv6.1q,v21.2d,v6.2d\n\n\teor\tv29.16b,v29.16b,v16.16b\n\teor\tv31.16b,v31.16b,v24.16b\n\teor\tv30.16b,v30.16b,v6.16b\n\n\tpmull\tv7.1q,v26.1d,v23.1d\t\t//H^3·Ii+1\n\teor\tv5.16b,v5.16b,v23.16b\n\tpmull2\tv23.1q,v26.2d,v23.2d\n\tpmull\tv5.1q,v27.1d,v5.1d\n\n\teor\tv29.16b,v29.16b,v7.16b\n\teor\tv31.16b,v31.16b,v23.16b\n\teor\tv30.16b,v30.16b,v5.16b\n\n\tsubs\tx3,x3,#128\n\tb.lo\tLtail4x\n\n\tb\tLoop4x\n\n.align\t4\nLoop4x:\n\teor\tv16.16b,v4.16b,v0.16b\n\tld1\t{v4.2d,v5.2d,v6.2d,v7.2d},[x2],#64\n\text\tv3.16b,v16.16b,v16.16b,#8\n#ifndef __AARCH64EB__\n\trev64\tv5.16b,v5.16b\n\trev64\tv6.16b,v6.16b\n\trev64\tv7.16b,v7.16b\n\trev64\tv4.16b,v4.16b\n#endif\n\n\tpmull\tv0.1q,v28.1d,v3.1d\t\t//H^4·(Xi+Ii)\n\teor\tv16.16b,v16.16b,v3.16b\n\tpmull2\tv2.1q,v28.2d,v3.2d\n\text\tv25.16b,v7.16b,v7.16b,#8\n\tpmull2\tv1.1q,v27.2d,v16.2d\n\n\teor\tv0.16b,v0.16b,v29.16b\n\teor\tv2.16b,v2.16b,v31.16b\n\text\tv24.16b,v6.16b,v6.16b,#8\n\teor\tv1.16b,v1.16b,v30.16b\n\text\tv23.16b,v5.16b,v5.16b,#8\n\n\text\tv17.16b,v0.16b,v2.16b,#8\t\t//Karatsuba post-processing\n\teor\tv18.16b,v0.16b,v2.16b\n\tpmull\tv29.1q,v20.1d,v25.1d\t\t//H·Ii+3\n\teor\tv7.16b,v7.16b,v25.16b\n\teor\tv1.16b,v1.16b,v17.16b\n\tpmull2\tv31.1q,v20.2d,v25.2d\n\teor\tv1.16b,v1.16b,v18.16b\n\tpmull\tv30.1q,v21.1d,v7.1d\n\n\tpmull\tv18.1q,v0.1d,v19.1d\t\t//1st phase of reduction\n\tins\tv2.d[0],v1.d[1]\n\tins\tv1.d[1],v0.d[0]\n\tpmull\tv16.1q,v22.1d,v24.1d\t\t//H^2·Ii+2\n\teor\tv6.16b,v6.16b,v24.16b\n\tpmull2\tv24.1q,v22.2d,v24.2d\n\teor\tv0.16b,v1.16b,v18.16b\n\tpmull2\tv6.1q,v21.2d,v6.2d\n\n\teor\tv29.16b,v29.16b,v16.16b\n\teor\tv31.16b,v31.16b,v24.16b\n\teor\tv30.16b,v30.16b,v6.16b\n\n\text\tv18.16b,v0.16b,v0.16b,#8\t\t//2nd phase of reduction\n\tpmull\tv0.1q,v0.1d,v19.1d\n\tpmull\tv7.1q,v26.1d,v23.1d\t\t//H^3·Ii+1\n\teor\tv5.16b,v5.16b,v23.16b\n\teor\tv18.16b,v18.16b,v2.16b\n\tpmull2\tv23.1q,v26.2d,v23.2d\n\tpmull\tv5.1q,v27.1d,v5.1d\n\n\teor\tv0.16b,v0.16b,v18.16b\n\teor\tv29.16b,v29.16b,v7.16b\n\teor\tv31.16b,v31.16b,v23.16b\n\text\tv0.16b,v0.16b,v0.16b,#8\n\teor\tv30.16b,v30.16b,v5.16b\n\n\tsubs\tx3,x3,#64\n\tb.hs\tLoop4x\n\nLtail4x:\n\teor\tv16.16b,v4.16b,v0.16b\n\text\tv3.16b,v16.16b,v16.16b,#8\n\n\tpmull\tv0.1q,v28.1d,v3.1d\t\t//H^4·(Xi+Ii)\n\teor\tv16.16b,v16.16b,v3.16b\n\tpmull2\tv2.1q,v28.2d,v3.2d\n\tpmull2\tv1.1q,v27.2d,v16.2d\n\n\teor\tv0.16b,v0.16b,v29.16b\n\teor\tv2.16b,v2.16b,v31.16b\n\teor\tv1.16b,v1.16b,v30.16b\n\n\tadds\tx3,x3,#64\n\tb.eq\tLdone4x\n\n\tcmp\tx3,#32\n\tb.lo\tLone\n\tb.eq\tLtwo\nLthree:\n\text\tv17.16b,v0.16b,v2.16b,#8\t\t//Karatsuba post-processing\n\teor\tv18.16b,v0.16b,v2.16b\n\teor\tv1.16b,v1.16b,v17.16b\n\tld1\t{v4.2d,v5.2d,v6.2d},[x2]\n\teor\tv1.16b,v1.16b,v18.16b\n#ifndef\t__AARCH64EB__\n\trev64\tv5.16b,v5.16b\n\trev64\tv6.16b,v6.16b\n\trev64\tv4.16b,v4.16b\n#endif\n\n\tpmull\tv18.1q,v0.1d,v19.1d\t\t//1st phase of reduction\n\tins\tv2.d[0],v1.d[1]\n\tins\tv1.d[1],v0.d[0]\n\text\tv24.16b,v6.16b,v6.16b,#8\n\text\tv23.16b,v5.16b,v5.16b,#8\n\teor\tv0.16b,v1.16b,v18.16b\n\n\tpmull\tv29.1q,v20.1d,v24.1d\t\t//H·Ii+2\n\teor\tv6.16b,v6.16b,v24.16b\n\n\text\tv18.16b,v0.16b,v0.16b,#8\t\t//2nd phase of reduction\n\tpmull\tv0.1q,v0.1d,v19.1d\n\teor\tv18.16b,v18.16b,v2.16b\n\tpmull2\tv31.1q,v20.2d,v24.2d\n\tpmull\tv30.1q,v21.1d,v6.1d\n\teor\tv0.16b,v0.16b,v18.16b\n\tpmull\tv7.1q,v22.1d,v23.1d\t\t//H^2·Ii+1\n\teor\tv5.16b,v5.16b,v23.16b\n\text\tv0.16b,v0.16b,v0.16b,#8\n\n\tpmull2\tv23.1q,v22.2d,v23.2d\n\teor\tv16.16b,v4.16b,v0.16b\n\tpmull2\tv5.1q,v21.2d,v5.2d\n\text\tv3.16b,v16.16b,v16.16b,#8\n\n\teor\tv29.16b,v29.16b,v7.16b\n\teor\tv31.16b,v31.16b,v23.16b\n\teor\tv30.16b,v30.16b,v5.16b\n\n\tpmull\tv0.1q,v26.1d,v3.1d\t\t//H^3·(Xi+Ii)\n\teor\tv16.16b,v16.16b,v3.16b\n\tpmull2\tv2.1q,v26.2d,v3.2d\n\tpmull\tv1.1q,v27.1d,v16.1d\n\n\teor\tv0.16b,v0.16b,v29.16b\n\teor\tv2.16b,v2.16b,v31.16b\n\teor\tv1.16b,v1.16b,v30.16b\n\tb\tLdone4x\n\n.align\t4\nLtwo:\n\text\tv17.16b,v0.16b,v2.16b,#8\t\t//Karatsuba post-processing\n\teor\tv18.16b,v0.16b,v2.16b\n\teor\tv1.16b,v1.16b,v17.16b\n\tld1\t{v4.2d,v5.2d},[x2]\n\teor\tv1.16b,v1.16b,v18.16b\n#ifndef\t__AARCH64EB__\n\trev64\tv5.16b,v5.16b\n\trev64\tv4.16b,v4.16b\n#endif\n\n\tpmull\tv18.1q,v0.1d,v19.1d\t\t//1st phase of reduction\n\tins\tv2.d[0],v1.d[1]\n\tins\tv1.d[1],v0.d[0]\n\text\tv23.16b,v5.16b,v5.16b,#8\n\teor\tv0.16b,v1.16b,v18.16b\n\n\text\tv18.16b,v0.16b,v0.16b,#8\t\t//2nd phase of reduction\n\tpmull\tv0.1q,v0.1d,v19.1d\n\teor\tv18.16b,v18.16b,v2.16b\n\teor\tv0.16b,v0.16b,v18.16b\n\text\tv0.16b,v0.16b,v0.16b,#8\n\n\tpmull\tv29.1q,v20.1d,v23.1d\t\t//H·Ii+1\n\teor\tv5.16b,v5.16b,v23.16b\n\n\teor\tv16.16b,v4.16b,v0.16b\n\text\tv3.16b,v16.16b,v16.16b,#8\n\n\tpmull2\tv31.1q,v20.2d,v23.2d\n\tpmull\tv30.1q,v21.1d,v5.1d\n\n\tpmull\tv0.1q,v22.1d,v3.1d\t\t//H^2·(Xi+Ii)\n\teor\tv16.16b,v16.16b,v3.16b\n\tpmull2\tv2.1q,v22.2d,v3.2d\n\tpmull2\tv1.1q,v21.2d,v16.2d\n\n\teor\tv0.16b,v0.16b,v29.16b\n\teor\tv2.16b,v2.16b,v31.16b\n\teor\tv1.16b,v1.16b,v30.16b\n\tb\tLdone4x\n\n.align\t4\nLone:\n\text\tv17.16b,v0.16b,v2.16b,#8\t\t//Karatsuba post-processing\n\teor\tv18.16b,v0.16b,v2.16b\n\teor\tv1.16b,v1.16b,v17.16b\n\tld1\t{v4.2d},[x2]\n\teor\tv1.16b,v1.16b,v18.16b\n#ifndef\t__AARCH64EB__\n\trev64\tv4.16b,v4.16b\n#endif\n\n\tpmull\tv18.1q,v0.1d,v19.1d\t\t//1st phase of reduction\n\tins\tv2.d[0],v1.d[1]\n\tins\tv1.d[1],v0.d[0]\n\teor\tv0.16b,v1.16b,v18.16b\n\n\text\tv18.16b,v0.16b,v0.16b,#8\t\t//2nd phase of reduction\n\tpmull\tv0.1q,v0.1d,v19.1d\n\teor\tv18.16b,v18.16b,v2.16b\n\teor\tv0.16b,v0.16b,v18.16b\n\text\tv0.16b,v0.16b,v0.16b,#8\n\n\teor\tv16.16b,v4.16b,v0.16b\n\text\tv3.16b,v16.16b,v16.16b,#8\n\n\tpmull\tv0.1q,v20.1d,v3.1d\n\teor\tv16.16b,v16.16b,v3.16b\n\tpmull2\tv2.1q,v20.2d,v3.2d\n\tpmull\tv1.1q,v21.1d,v16.1d\n\nLdone4x:\n\text\tv17.16b,v0.16b,v2.16b,#8\t\t//Karatsuba post-processing\n\teor\tv18.16b,v0.16b,v2.16b\n\teor\tv1.16b,v1.16b,v17.16b\n\teor\tv1.16b,v1.16b,v18.16b\n\n\tpmull\tv18.1q,v0.1d,v19.1d\t\t//1st phase of reduction\n\tins\tv2.d[0],v1.d[1]\n\tins\tv1.d[1],v0.d[0]\n\teor\tv0.16b,v1.16b,v18.16b\n\n\text\tv18.16b,v0.16b,v0.16b,#8\t\t//2nd phase of reduction\n\tpmull\tv0.1q,v0.1d,v19.1d\n\teor\tv18.16b,v18.16b,v2.16b\n\teor\tv0.16b,v0.16b,v18.16b\n\text\tv0.16b,v0.16b,v0.16b,#8\n\n#ifndef __AARCH64EB__\n\trev64\tv0.16b,v0.16b\n#endif\n\tst1\t{v0.2d},[x0]\t\t//write out Xi\n\n\tret\n\n.byte\t71,72,65,83,72,32,102,111,114,32,65,82,77,118,56,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0\n.align\t2\n.align\t2\n#endif\n#endif // !OPENSSL_NO_ASM && defined(OPENSSL_AARCH64) && defined(__APPLE__)\n#if defined(__linux__) && defined(__ELF__)\n.section .note.GNU-stack,\"\",%progbits\n#endif\n\n" }, { "path": "Sources/CNIOBoringSSL/gen/bcm/ghashv8-armv8-linux.S", "content": "#define BORINGSSL_PREFIX CNIOBoringSSL\n// This file is generated from a similarly-named Perl script in the BoringSSL\n// source tree. Do not edit by hand.\n\n#include \n\n#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_AARCH64) && defined(__ELF__)\n#include \n\n#if __ARM_MAX_ARCH__>=7\n.text\n.arch\tarmv8-a+crypto\n.globl\tgcm_init_v8\n.hidden\tgcm_init_v8\n.type\tgcm_init_v8,%function\n.align\t4\ngcm_init_v8:\n\tAARCH64_VALID_CALL_TARGET\n\tld1\t{v17.2d},[x1]\t\t//load input H\n\tmovi\tv19.16b,#0xe1\n\tshl\tv19.2d,v19.2d,#57\t\t//0xc2.0\n\text\tv3.16b,v17.16b,v17.16b,#8\n\tushr\tv18.2d,v19.2d,#63\n\tdup\tv17.4s,v17.s[1]\n\text\tv16.16b,v18.16b,v19.16b,#8\t\t//t0=0xc2....01\n\tushr\tv18.2d,v3.2d,#63\n\tsshr\tv17.4s,v17.4s,#31\t\t//broadcast carry bit\n\tand\tv18.16b,v18.16b,v16.16b\n\tshl\tv3.2d,v3.2d,#1\n\text\tv18.16b,v18.16b,v18.16b,#8\n\tand\tv16.16b,v16.16b,v17.16b\n\torr\tv3.16b,v3.16b,v18.16b\t\t//H<<<=1\n\teor\tv20.16b,v3.16b,v16.16b\t\t//twisted H\n\tst1\t{v20.2d},[x0],#16\t\t//store Htable[0]\n\n\t//calculate H^2\n\text\tv16.16b,v20.16b,v20.16b,#8\t\t//Karatsuba pre-processing\n\tpmull\tv0.1q,v20.1d,v20.1d\n\teor\tv16.16b,v16.16b,v20.16b\n\tpmull2\tv2.1q,v20.2d,v20.2d\n\tpmull\tv1.1q,v16.1d,v16.1d\n\n\text\tv17.16b,v0.16b,v2.16b,#8\t\t//Karatsuba post-processing\n\teor\tv18.16b,v0.16b,v2.16b\n\teor\tv1.16b,v1.16b,v17.16b\n\teor\tv1.16b,v1.16b,v18.16b\n\tpmull\tv18.1q,v0.1d,v19.1d\t\t//1st phase\n\n\tins\tv2.d[0],v1.d[1]\n\tins\tv1.d[1],v0.d[0]\n\teor\tv0.16b,v1.16b,v18.16b\n\n\text\tv18.16b,v0.16b,v0.16b,#8\t\t//2nd phase\n\tpmull\tv0.1q,v0.1d,v19.1d\n\teor\tv18.16b,v18.16b,v2.16b\n\teor\tv22.16b,v0.16b,v18.16b\n\n\text\tv17.16b,v22.16b,v22.16b,#8\t\t//Karatsuba pre-processing\n\teor\tv17.16b,v17.16b,v22.16b\n\text\tv21.16b,v16.16b,v17.16b,#8\t\t//pack Karatsuba pre-processed\n\tst1\t{v21.2d,v22.2d},[x0],#32\t//store Htable[1..2]\n\t//calculate H^3 and H^4\n\tpmull\tv0.1q,v20.1d, v22.1d\n\tpmull\tv5.1q,v22.1d,v22.1d\n\tpmull2\tv2.1q,v20.2d, v22.2d\n\tpmull2\tv7.1q,v22.2d,v22.2d\n\tpmull\tv1.1q,v16.1d,v17.1d\n\tpmull\tv6.1q,v17.1d,v17.1d\n\n\text\tv16.16b,v0.16b,v2.16b,#8\t\t//Karatsuba post-processing\n\text\tv17.16b,v5.16b,v7.16b,#8\n\teor\tv18.16b,v0.16b,v2.16b\n\teor\tv1.16b,v1.16b,v16.16b\n\teor\tv4.16b,v5.16b,v7.16b\n\teor\tv6.16b,v6.16b,v17.16b\n\teor\tv1.16b,v1.16b,v18.16b\n\tpmull\tv18.1q,v0.1d,v19.1d\t\t//1st phase\n\teor\tv6.16b,v6.16b,v4.16b\n\tpmull\tv4.1q,v5.1d,v19.1d\n\n\tins\tv2.d[0],v1.d[1]\n\tins\tv7.d[0],v6.d[1]\n\tins\tv1.d[1],v0.d[0]\n\tins\tv6.d[1],v5.d[0]\n\teor\tv0.16b,v1.16b,v18.16b\n\teor\tv5.16b,v6.16b,v4.16b\n\n\text\tv18.16b,v0.16b,v0.16b,#8\t\t//2nd phase\n\text\tv4.16b,v5.16b,v5.16b,#8\n\tpmull\tv0.1q,v0.1d,v19.1d\n\tpmull\tv5.1q,v5.1d,v19.1d\n\teor\tv18.16b,v18.16b,v2.16b\n\teor\tv4.16b,v4.16b,v7.16b\n\teor\tv20.16b, v0.16b,v18.16b\t\t//H^3\n\teor\tv22.16b,v5.16b,v4.16b\t\t//H^4\n\n\text\tv16.16b,v20.16b, v20.16b,#8\t\t//Karatsuba pre-processing\n\text\tv17.16b,v22.16b,v22.16b,#8\n\teor\tv16.16b,v16.16b,v20.16b\n\teor\tv17.16b,v17.16b,v22.16b\n\text\tv21.16b,v16.16b,v17.16b,#8\t\t//pack Karatsuba pre-processed\n\tst1\t{v20.2d,v21.2d,v22.2d},[x0]\t\t//store Htable[3..5]\n\tret\n.size\tgcm_init_v8,.-gcm_init_v8\n.globl\tgcm_gmult_v8\n.hidden\tgcm_gmult_v8\n.type\tgcm_gmult_v8,%function\n.align\t4\ngcm_gmult_v8:\n\tAARCH64_VALID_CALL_TARGET\n\tld1\t{v17.2d},[x0]\t\t//load Xi\n\tmovi\tv19.16b,#0xe1\n\tld1\t{v20.2d,v21.2d},[x1]\t//load twisted H, ...\n\tshl\tv19.2d,v19.2d,#57\n#ifndef __AARCH64EB__\n\trev64\tv17.16b,v17.16b\n#endif\n\text\tv3.16b,v17.16b,v17.16b,#8\n\n\tpmull\tv0.1q,v20.1d,v3.1d\t\t//H.lo·Xi.lo\n\teor\tv17.16b,v17.16b,v3.16b\t\t//Karatsuba pre-processing\n\tpmull2\tv2.1q,v20.2d,v3.2d\t\t//H.hi·Xi.hi\n\tpmull\tv1.1q,v21.1d,v17.1d\t\t//(H.lo+H.hi)·(Xi.lo+Xi.hi)\n\n\text\tv17.16b,v0.16b,v2.16b,#8\t\t//Karatsuba post-processing\n\teor\tv18.16b,v0.16b,v2.16b\n\teor\tv1.16b,v1.16b,v17.16b\n\teor\tv1.16b,v1.16b,v18.16b\n\tpmull\tv18.1q,v0.1d,v19.1d\t\t//1st phase of reduction\n\n\tins\tv2.d[0],v1.d[1]\n\tins\tv1.d[1],v0.d[0]\n\teor\tv0.16b,v1.16b,v18.16b\n\n\text\tv18.16b,v0.16b,v0.16b,#8\t\t//2nd phase of reduction\n\tpmull\tv0.1q,v0.1d,v19.1d\n\teor\tv18.16b,v18.16b,v2.16b\n\teor\tv0.16b,v0.16b,v18.16b\n\n#ifndef __AARCH64EB__\n\trev64\tv0.16b,v0.16b\n#endif\n\text\tv0.16b,v0.16b,v0.16b,#8\n\tst1\t{v0.2d},[x0]\t\t//write out Xi\n\n\tret\n.size\tgcm_gmult_v8,.-gcm_gmult_v8\n.globl\tgcm_ghash_v8\n.hidden\tgcm_ghash_v8\n.type\tgcm_ghash_v8,%function\n.align\t4\ngcm_ghash_v8:\n\tAARCH64_VALID_CALL_TARGET\n\tcmp\tx3,#64\n\tb.hs\t.Lgcm_ghash_v8_4x\n\tld1\t{v0.2d},[x0]\t\t//load [rotated] Xi\n\t\t\t\t\t\t//\"[rotated]\" means that\n\t\t\t\t\t\t//loaded value would have\n\t\t\t\t\t\t//to be rotated in order to\n\t\t\t\t\t\t//make it appear as in\n\t\t\t\t\t\t//algorithm specification\n\tsubs\tx3,x3,#32\t\t//see if x3 is 32 or larger\n\tmov\tx12,#16\t\t//x12 is used as post-\n\t\t\t\t\t\t//increment for input pointer;\n\t\t\t\t\t\t//as loop is modulo-scheduled\n\t\t\t\t\t\t//x12 is zeroed just in time\n\t\t\t\t\t\t//to preclude overstepping\n\t\t\t\t\t\t//inp[len], which means that\n\t\t\t\t\t\t//last block[s] are actually\n\t\t\t\t\t\t//loaded twice, but last\n\t\t\t\t\t\t//copy is not processed\n\tld1\t{v20.2d,v21.2d},[x1],#32\t//load twisted H, ..., H^2\n\tmovi\tv19.16b,#0xe1\n\tld1\t{v22.2d},[x1]\n\tcsel\tx12,xzr,x12,eq\t\t\t//is it time to zero x12?\n\text\tv0.16b,v0.16b,v0.16b,#8\t\t//rotate Xi\n\tld1\t{v16.2d},[x2],#16\t//load [rotated] I[0]\n\tshl\tv19.2d,v19.2d,#57\t\t//compose 0xc2.0 constant\n#ifndef __AARCH64EB__\n\trev64\tv16.16b,v16.16b\n\trev64\tv0.16b,v0.16b\n#endif\n\text\tv3.16b,v16.16b,v16.16b,#8\t\t//rotate I[0]\n\tb.lo\t.Lodd_tail_v8\t\t//x3 was less than 32\n\tld1\t{v17.2d},[x2],x12\t//load [rotated] I[1]\n#ifndef __AARCH64EB__\n\trev64\tv17.16b,v17.16b\n#endif\n\text\tv7.16b,v17.16b,v17.16b,#8\n\teor\tv3.16b,v3.16b,v0.16b\t\t//I[i]^=Xi\n\tpmull\tv4.1q,v20.1d,v7.1d\t\t//H·Ii+1\n\teor\tv17.16b,v17.16b,v7.16b\t\t//Karatsuba pre-processing\n\tpmull2\tv6.1q,v20.2d,v7.2d\n\tb\t.Loop_mod2x_v8\n\n.align\t4\n.Loop_mod2x_v8:\n\text\tv18.16b,v3.16b,v3.16b,#8\n\tsubs\tx3,x3,#32\t\t//is there more data?\n\tpmull\tv0.1q,v22.1d,v3.1d\t\t//H^2.lo·Xi.lo\n\tcsel\tx12,xzr,x12,lo\t\t\t//is it time to zero x12?\n\n\tpmull\tv5.1q,v21.1d,v17.1d\n\teor\tv18.16b,v18.16b,v3.16b\t\t//Karatsuba pre-processing\n\tpmull2\tv2.1q,v22.2d,v3.2d\t\t//H^2.hi·Xi.hi\n\teor\tv0.16b,v0.16b,v4.16b\t\t//accumulate\n\tpmull2\tv1.1q,v21.2d,v18.2d\t\t//(H^2.lo+H^2.hi)·(Xi.lo+Xi.hi)\n\tld1\t{v16.2d},[x2],x12\t//load [rotated] I[i+2]\n\n\teor\tv2.16b,v2.16b,v6.16b\n\tcsel\tx12,xzr,x12,eq\t\t\t//is it time to zero x12?\n\teor\tv1.16b,v1.16b,v5.16b\n\n\text\tv17.16b,v0.16b,v2.16b,#8\t\t//Karatsuba post-processing\n\teor\tv18.16b,v0.16b,v2.16b\n\teor\tv1.16b,v1.16b,v17.16b\n\tld1\t{v17.2d},[x2],x12\t//load [rotated] I[i+3]\n#ifndef __AARCH64EB__\n\trev64\tv16.16b,v16.16b\n#endif\n\teor\tv1.16b,v1.16b,v18.16b\n\tpmull\tv18.1q,v0.1d,v19.1d\t\t//1st phase of reduction\n\n#ifndef __AARCH64EB__\n\trev64\tv17.16b,v17.16b\n#endif\n\tins\tv2.d[0],v1.d[1]\n\tins\tv1.d[1],v0.d[0]\n\text\tv7.16b,v17.16b,v17.16b,#8\n\text\tv3.16b,v16.16b,v16.16b,#8\n\teor\tv0.16b,v1.16b,v18.16b\n\tpmull\tv4.1q,v20.1d,v7.1d\t\t//H·Ii+1\n\teor\tv3.16b,v3.16b,v2.16b\t\t//accumulate v3.16b early\n\n\text\tv18.16b,v0.16b,v0.16b,#8\t\t//2nd phase of reduction\n\tpmull\tv0.1q,v0.1d,v19.1d\n\teor\tv3.16b,v3.16b,v18.16b\n\teor\tv17.16b,v17.16b,v7.16b\t\t//Karatsuba pre-processing\n\teor\tv3.16b,v3.16b,v0.16b\n\tpmull2\tv6.1q,v20.2d,v7.2d\n\tb.hs\t.Loop_mod2x_v8\t\t//there was at least 32 more bytes\n\n\teor\tv2.16b,v2.16b,v18.16b\n\text\tv3.16b,v16.16b,v16.16b,#8\t\t//re-construct v3.16b\n\tadds\tx3,x3,#32\t\t//re-construct x3\n\teor\tv0.16b,v0.16b,v2.16b\t\t//re-construct v0.16b\n\tb.eq\t.Ldone_v8\t\t//is x3 zero?\n.Lodd_tail_v8:\n\text\tv18.16b,v0.16b,v0.16b,#8\n\teor\tv3.16b,v3.16b,v0.16b\t\t//inp^=Xi\n\teor\tv17.16b,v16.16b,v18.16b\t\t//v17.16b is rotated inp^Xi\n\n\tpmull\tv0.1q,v20.1d,v3.1d\t\t//H.lo·Xi.lo\n\teor\tv17.16b,v17.16b,v3.16b\t\t//Karatsuba pre-processing\n\tpmull2\tv2.1q,v20.2d,v3.2d\t\t//H.hi·Xi.hi\n\tpmull\tv1.1q,v21.1d,v17.1d\t\t//(H.lo+H.hi)·(Xi.lo+Xi.hi)\n\n\text\tv17.16b,v0.16b,v2.16b,#8\t\t//Karatsuba post-processing\n\teor\tv18.16b,v0.16b,v2.16b\n\teor\tv1.16b,v1.16b,v17.16b\n\teor\tv1.16b,v1.16b,v18.16b\n\tpmull\tv18.1q,v0.1d,v19.1d\t\t//1st phase of reduction\n\n\tins\tv2.d[0],v1.d[1]\n\tins\tv1.d[1],v0.d[0]\n\teor\tv0.16b,v1.16b,v18.16b\n\n\text\tv18.16b,v0.16b,v0.16b,#8\t\t//2nd phase of reduction\n\tpmull\tv0.1q,v0.1d,v19.1d\n\teor\tv18.16b,v18.16b,v2.16b\n\teor\tv0.16b,v0.16b,v18.16b\n\n.Ldone_v8:\n#ifndef __AARCH64EB__\n\trev64\tv0.16b,v0.16b\n#endif\n\text\tv0.16b,v0.16b,v0.16b,#8\n\tst1\t{v0.2d},[x0]\t\t//write out Xi\n\n\tret\n.size\tgcm_ghash_v8,.-gcm_ghash_v8\n.type\tgcm_ghash_v8_4x,%function\n.align\t4\ngcm_ghash_v8_4x:\n.Lgcm_ghash_v8_4x:\n\tld1\t{v0.2d},[x0]\t\t//load [rotated] Xi\n\tld1\t{v20.2d,v21.2d,v22.2d},[x1],#48\t//load twisted H, ..., H^2\n\tmovi\tv19.16b,#0xe1\n\tld1\t{v26.2d,v27.2d,v28.2d},[x1]\t//load twisted H^3, ..., H^4\n\tshl\tv19.2d,v19.2d,#57\t\t//compose 0xc2.0 constant\n\n\tld1\t{v4.2d,v5.2d,v6.2d,v7.2d},[x2],#64\n#ifndef __AARCH64EB__\n\trev64\tv0.16b,v0.16b\n\trev64\tv5.16b,v5.16b\n\trev64\tv6.16b,v6.16b\n\trev64\tv7.16b,v7.16b\n\trev64\tv4.16b,v4.16b\n#endif\n\text\tv25.16b,v7.16b,v7.16b,#8\n\text\tv24.16b,v6.16b,v6.16b,#8\n\text\tv23.16b,v5.16b,v5.16b,#8\n\n\tpmull\tv29.1q,v20.1d,v25.1d\t\t//H·Ii+3\n\teor\tv7.16b,v7.16b,v25.16b\n\tpmull2\tv31.1q,v20.2d,v25.2d\n\tpmull\tv30.1q,v21.1d,v7.1d\n\n\tpmull\tv16.1q,v22.1d,v24.1d\t\t//H^2·Ii+2\n\teor\tv6.16b,v6.16b,v24.16b\n\tpmull2\tv24.1q,v22.2d,v24.2d\n\tpmull2\tv6.1q,v21.2d,v6.2d\n\n\teor\tv29.16b,v29.16b,v16.16b\n\teor\tv31.16b,v31.16b,v24.16b\n\teor\tv30.16b,v30.16b,v6.16b\n\n\tpmull\tv7.1q,v26.1d,v23.1d\t\t//H^3·Ii+1\n\teor\tv5.16b,v5.16b,v23.16b\n\tpmull2\tv23.1q,v26.2d,v23.2d\n\tpmull\tv5.1q,v27.1d,v5.1d\n\n\teor\tv29.16b,v29.16b,v7.16b\n\teor\tv31.16b,v31.16b,v23.16b\n\teor\tv30.16b,v30.16b,v5.16b\n\n\tsubs\tx3,x3,#128\n\tb.lo\t.Ltail4x\n\n\tb\t.Loop4x\n\n.align\t4\n.Loop4x:\n\teor\tv16.16b,v4.16b,v0.16b\n\tld1\t{v4.2d,v5.2d,v6.2d,v7.2d},[x2],#64\n\text\tv3.16b,v16.16b,v16.16b,#8\n#ifndef __AARCH64EB__\n\trev64\tv5.16b,v5.16b\n\trev64\tv6.16b,v6.16b\n\trev64\tv7.16b,v7.16b\n\trev64\tv4.16b,v4.16b\n#endif\n\n\tpmull\tv0.1q,v28.1d,v3.1d\t\t//H^4·(Xi+Ii)\n\teor\tv16.16b,v16.16b,v3.16b\n\tpmull2\tv2.1q,v28.2d,v3.2d\n\text\tv25.16b,v7.16b,v7.16b,#8\n\tpmull2\tv1.1q,v27.2d,v16.2d\n\n\teor\tv0.16b,v0.16b,v29.16b\n\teor\tv2.16b,v2.16b,v31.16b\n\text\tv24.16b,v6.16b,v6.16b,#8\n\teor\tv1.16b,v1.16b,v30.16b\n\text\tv23.16b,v5.16b,v5.16b,#8\n\n\text\tv17.16b,v0.16b,v2.16b,#8\t\t//Karatsuba post-processing\n\teor\tv18.16b,v0.16b,v2.16b\n\tpmull\tv29.1q,v20.1d,v25.1d\t\t//H·Ii+3\n\teor\tv7.16b,v7.16b,v25.16b\n\teor\tv1.16b,v1.16b,v17.16b\n\tpmull2\tv31.1q,v20.2d,v25.2d\n\teor\tv1.16b,v1.16b,v18.16b\n\tpmull\tv30.1q,v21.1d,v7.1d\n\n\tpmull\tv18.1q,v0.1d,v19.1d\t\t//1st phase of reduction\n\tins\tv2.d[0],v1.d[1]\n\tins\tv1.d[1],v0.d[0]\n\tpmull\tv16.1q,v22.1d,v24.1d\t\t//H^2·Ii+2\n\teor\tv6.16b,v6.16b,v24.16b\n\tpmull2\tv24.1q,v22.2d,v24.2d\n\teor\tv0.16b,v1.16b,v18.16b\n\tpmull2\tv6.1q,v21.2d,v6.2d\n\n\teor\tv29.16b,v29.16b,v16.16b\n\teor\tv31.16b,v31.16b,v24.16b\n\teor\tv30.16b,v30.16b,v6.16b\n\n\text\tv18.16b,v0.16b,v0.16b,#8\t\t//2nd phase of reduction\n\tpmull\tv0.1q,v0.1d,v19.1d\n\tpmull\tv7.1q,v26.1d,v23.1d\t\t//H^3·Ii+1\n\teor\tv5.16b,v5.16b,v23.16b\n\teor\tv18.16b,v18.16b,v2.16b\n\tpmull2\tv23.1q,v26.2d,v23.2d\n\tpmull\tv5.1q,v27.1d,v5.1d\n\n\teor\tv0.16b,v0.16b,v18.16b\n\teor\tv29.16b,v29.16b,v7.16b\n\teor\tv31.16b,v31.16b,v23.16b\n\text\tv0.16b,v0.16b,v0.16b,#8\n\teor\tv30.16b,v30.16b,v5.16b\n\n\tsubs\tx3,x3,#64\n\tb.hs\t.Loop4x\n\n.Ltail4x:\n\teor\tv16.16b,v4.16b,v0.16b\n\text\tv3.16b,v16.16b,v16.16b,#8\n\n\tpmull\tv0.1q,v28.1d,v3.1d\t\t//H^4·(Xi+Ii)\n\teor\tv16.16b,v16.16b,v3.16b\n\tpmull2\tv2.1q,v28.2d,v3.2d\n\tpmull2\tv1.1q,v27.2d,v16.2d\n\n\teor\tv0.16b,v0.16b,v29.16b\n\teor\tv2.16b,v2.16b,v31.16b\n\teor\tv1.16b,v1.16b,v30.16b\n\n\tadds\tx3,x3,#64\n\tb.eq\t.Ldone4x\n\n\tcmp\tx3,#32\n\tb.lo\t.Lone\n\tb.eq\t.Ltwo\n.Lthree:\n\text\tv17.16b,v0.16b,v2.16b,#8\t\t//Karatsuba post-processing\n\teor\tv18.16b,v0.16b,v2.16b\n\teor\tv1.16b,v1.16b,v17.16b\n\tld1\t{v4.2d,v5.2d,v6.2d},[x2]\n\teor\tv1.16b,v1.16b,v18.16b\n#ifndef\t__AARCH64EB__\n\trev64\tv5.16b,v5.16b\n\trev64\tv6.16b,v6.16b\n\trev64\tv4.16b,v4.16b\n#endif\n\n\tpmull\tv18.1q,v0.1d,v19.1d\t\t//1st phase of reduction\n\tins\tv2.d[0],v1.d[1]\n\tins\tv1.d[1],v0.d[0]\n\text\tv24.16b,v6.16b,v6.16b,#8\n\text\tv23.16b,v5.16b,v5.16b,#8\n\teor\tv0.16b,v1.16b,v18.16b\n\n\tpmull\tv29.1q,v20.1d,v24.1d\t\t//H·Ii+2\n\teor\tv6.16b,v6.16b,v24.16b\n\n\text\tv18.16b,v0.16b,v0.16b,#8\t\t//2nd phase of reduction\n\tpmull\tv0.1q,v0.1d,v19.1d\n\teor\tv18.16b,v18.16b,v2.16b\n\tpmull2\tv31.1q,v20.2d,v24.2d\n\tpmull\tv30.1q,v21.1d,v6.1d\n\teor\tv0.16b,v0.16b,v18.16b\n\tpmull\tv7.1q,v22.1d,v23.1d\t\t//H^2·Ii+1\n\teor\tv5.16b,v5.16b,v23.16b\n\text\tv0.16b,v0.16b,v0.16b,#8\n\n\tpmull2\tv23.1q,v22.2d,v23.2d\n\teor\tv16.16b,v4.16b,v0.16b\n\tpmull2\tv5.1q,v21.2d,v5.2d\n\text\tv3.16b,v16.16b,v16.16b,#8\n\n\teor\tv29.16b,v29.16b,v7.16b\n\teor\tv31.16b,v31.16b,v23.16b\n\teor\tv30.16b,v30.16b,v5.16b\n\n\tpmull\tv0.1q,v26.1d,v3.1d\t\t//H^3·(Xi+Ii)\n\teor\tv16.16b,v16.16b,v3.16b\n\tpmull2\tv2.1q,v26.2d,v3.2d\n\tpmull\tv1.1q,v27.1d,v16.1d\n\n\teor\tv0.16b,v0.16b,v29.16b\n\teor\tv2.16b,v2.16b,v31.16b\n\teor\tv1.16b,v1.16b,v30.16b\n\tb\t.Ldone4x\n\n.align\t4\n.Ltwo:\n\text\tv17.16b,v0.16b,v2.16b,#8\t\t//Karatsuba post-processing\n\teor\tv18.16b,v0.16b,v2.16b\n\teor\tv1.16b,v1.16b,v17.16b\n\tld1\t{v4.2d,v5.2d},[x2]\n\teor\tv1.16b,v1.16b,v18.16b\n#ifndef\t__AARCH64EB__\n\trev64\tv5.16b,v5.16b\n\trev64\tv4.16b,v4.16b\n#endif\n\n\tpmull\tv18.1q,v0.1d,v19.1d\t\t//1st phase of reduction\n\tins\tv2.d[0],v1.d[1]\n\tins\tv1.d[1],v0.d[0]\n\text\tv23.16b,v5.16b,v5.16b,#8\n\teor\tv0.16b,v1.16b,v18.16b\n\n\text\tv18.16b,v0.16b,v0.16b,#8\t\t//2nd phase of reduction\n\tpmull\tv0.1q,v0.1d,v19.1d\n\teor\tv18.16b,v18.16b,v2.16b\n\teor\tv0.16b,v0.16b,v18.16b\n\text\tv0.16b,v0.16b,v0.16b,#8\n\n\tpmull\tv29.1q,v20.1d,v23.1d\t\t//H·Ii+1\n\teor\tv5.16b,v5.16b,v23.16b\n\n\teor\tv16.16b,v4.16b,v0.16b\n\text\tv3.16b,v16.16b,v16.16b,#8\n\n\tpmull2\tv31.1q,v20.2d,v23.2d\n\tpmull\tv30.1q,v21.1d,v5.1d\n\n\tpmull\tv0.1q,v22.1d,v3.1d\t\t//H^2·(Xi+Ii)\n\teor\tv16.16b,v16.16b,v3.16b\n\tpmull2\tv2.1q,v22.2d,v3.2d\n\tpmull2\tv1.1q,v21.2d,v16.2d\n\n\teor\tv0.16b,v0.16b,v29.16b\n\teor\tv2.16b,v2.16b,v31.16b\n\teor\tv1.16b,v1.16b,v30.16b\n\tb\t.Ldone4x\n\n.align\t4\n.Lone:\n\text\tv17.16b,v0.16b,v2.16b,#8\t\t//Karatsuba post-processing\n\teor\tv18.16b,v0.16b,v2.16b\n\teor\tv1.16b,v1.16b,v17.16b\n\tld1\t{v4.2d},[x2]\n\teor\tv1.16b,v1.16b,v18.16b\n#ifndef\t__AARCH64EB__\n\trev64\tv4.16b,v4.16b\n#endif\n\n\tpmull\tv18.1q,v0.1d,v19.1d\t\t//1st phase of reduction\n\tins\tv2.d[0],v1.d[1]\n\tins\tv1.d[1],v0.d[0]\n\teor\tv0.16b,v1.16b,v18.16b\n\n\text\tv18.16b,v0.16b,v0.16b,#8\t\t//2nd phase of reduction\n\tpmull\tv0.1q,v0.1d,v19.1d\n\teor\tv18.16b,v18.16b,v2.16b\n\teor\tv0.16b,v0.16b,v18.16b\n\text\tv0.16b,v0.16b,v0.16b,#8\n\n\teor\tv16.16b,v4.16b,v0.16b\n\text\tv3.16b,v16.16b,v16.16b,#8\n\n\tpmull\tv0.1q,v20.1d,v3.1d\n\teor\tv16.16b,v16.16b,v3.16b\n\tpmull2\tv2.1q,v20.2d,v3.2d\n\tpmull\tv1.1q,v21.1d,v16.1d\n\n.Ldone4x:\n\text\tv17.16b,v0.16b,v2.16b,#8\t\t//Karatsuba post-processing\n\teor\tv18.16b,v0.16b,v2.16b\n\teor\tv1.16b,v1.16b,v17.16b\n\teor\tv1.16b,v1.16b,v18.16b\n\n\tpmull\tv18.1q,v0.1d,v19.1d\t\t//1st phase of reduction\n\tins\tv2.d[0],v1.d[1]\n\tins\tv1.d[1],v0.d[0]\n\teor\tv0.16b,v1.16b,v18.16b\n\n\text\tv18.16b,v0.16b,v0.16b,#8\t\t//2nd phase of reduction\n\tpmull\tv0.1q,v0.1d,v19.1d\n\teor\tv18.16b,v18.16b,v2.16b\n\teor\tv0.16b,v0.16b,v18.16b\n\text\tv0.16b,v0.16b,v0.16b,#8\n\n#ifndef __AARCH64EB__\n\trev64\tv0.16b,v0.16b\n#endif\n\tst1\t{v0.2d},[x0]\t\t//write out Xi\n\n\tret\n.size\tgcm_ghash_v8_4x,.-gcm_ghash_v8_4x\n.byte\t71,72,65,83,72,32,102,111,114,32,65,82,77,118,56,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0\n.align\t2\n.align\t2\n#endif\n#endif // !OPENSSL_NO_ASM && defined(OPENSSL_AARCH64) && defined(__ELF__)\n#if defined(__linux__) && defined(__ELF__)\n.section .note.GNU-stack,\"\",%progbits\n#endif\n\n" }, { "path": "Sources/CNIOBoringSSL/gen/bcm/ghashv8-armv8-win.S", "content": "#define BORINGSSL_PREFIX CNIOBoringSSL\n// This file is generated from a similarly-named Perl script in the BoringSSL\n// source tree. Do not edit by hand.\n\n#include \n\n#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_AARCH64) && defined(_WIN32)\n#include \n\n#if __ARM_MAX_ARCH__>=7\n.text\n.arch\tarmv8-a+crypto\n.globl\tgcm_init_v8\n\n.def gcm_init_v8\n .type 32\n.endef\n.align\t4\ngcm_init_v8:\n\tAARCH64_VALID_CALL_TARGET\n\tld1\t{v17.2d},[x1]\t\t//load input H\n\tmovi\tv19.16b,#0xe1\n\tshl\tv19.2d,v19.2d,#57\t\t//0xc2.0\n\text\tv3.16b,v17.16b,v17.16b,#8\n\tushr\tv18.2d,v19.2d,#63\n\tdup\tv17.4s,v17.s[1]\n\text\tv16.16b,v18.16b,v19.16b,#8\t\t//t0=0xc2....01\n\tushr\tv18.2d,v3.2d,#63\n\tsshr\tv17.4s,v17.4s,#31\t\t//broadcast carry bit\n\tand\tv18.16b,v18.16b,v16.16b\n\tshl\tv3.2d,v3.2d,#1\n\text\tv18.16b,v18.16b,v18.16b,#8\n\tand\tv16.16b,v16.16b,v17.16b\n\torr\tv3.16b,v3.16b,v18.16b\t\t//H<<<=1\n\teor\tv20.16b,v3.16b,v16.16b\t\t//twisted H\n\tst1\t{v20.2d},[x0],#16\t\t//store Htable[0]\n\n\t//calculate H^2\n\text\tv16.16b,v20.16b,v20.16b,#8\t\t//Karatsuba pre-processing\n\tpmull\tv0.1q,v20.1d,v20.1d\n\teor\tv16.16b,v16.16b,v20.16b\n\tpmull2\tv2.1q,v20.2d,v20.2d\n\tpmull\tv1.1q,v16.1d,v16.1d\n\n\text\tv17.16b,v0.16b,v2.16b,#8\t\t//Karatsuba post-processing\n\teor\tv18.16b,v0.16b,v2.16b\n\teor\tv1.16b,v1.16b,v17.16b\n\teor\tv1.16b,v1.16b,v18.16b\n\tpmull\tv18.1q,v0.1d,v19.1d\t\t//1st phase\n\n\tins\tv2.d[0],v1.d[1]\n\tins\tv1.d[1],v0.d[0]\n\teor\tv0.16b,v1.16b,v18.16b\n\n\text\tv18.16b,v0.16b,v0.16b,#8\t\t//2nd phase\n\tpmull\tv0.1q,v0.1d,v19.1d\n\teor\tv18.16b,v18.16b,v2.16b\n\teor\tv22.16b,v0.16b,v18.16b\n\n\text\tv17.16b,v22.16b,v22.16b,#8\t\t//Karatsuba pre-processing\n\teor\tv17.16b,v17.16b,v22.16b\n\text\tv21.16b,v16.16b,v17.16b,#8\t\t//pack Karatsuba pre-processed\n\tst1\t{v21.2d,v22.2d},[x0],#32\t//store Htable[1..2]\n\t//calculate H^3 and H^4\n\tpmull\tv0.1q,v20.1d, v22.1d\n\tpmull\tv5.1q,v22.1d,v22.1d\n\tpmull2\tv2.1q,v20.2d, v22.2d\n\tpmull2\tv7.1q,v22.2d,v22.2d\n\tpmull\tv1.1q,v16.1d,v17.1d\n\tpmull\tv6.1q,v17.1d,v17.1d\n\n\text\tv16.16b,v0.16b,v2.16b,#8\t\t//Karatsuba post-processing\n\text\tv17.16b,v5.16b,v7.16b,#8\n\teor\tv18.16b,v0.16b,v2.16b\n\teor\tv1.16b,v1.16b,v16.16b\n\teor\tv4.16b,v5.16b,v7.16b\n\teor\tv6.16b,v6.16b,v17.16b\n\teor\tv1.16b,v1.16b,v18.16b\n\tpmull\tv18.1q,v0.1d,v19.1d\t\t//1st phase\n\teor\tv6.16b,v6.16b,v4.16b\n\tpmull\tv4.1q,v5.1d,v19.1d\n\n\tins\tv2.d[0],v1.d[1]\n\tins\tv7.d[0],v6.d[1]\n\tins\tv1.d[1],v0.d[0]\n\tins\tv6.d[1],v5.d[0]\n\teor\tv0.16b,v1.16b,v18.16b\n\teor\tv5.16b,v6.16b,v4.16b\n\n\text\tv18.16b,v0.16b,v0.16b,#8\t\t//2nd phase\n\text\tv4.16b,v5.16b,v5.16b,#8\n\tpmull\tv0.1q,v0.1d,v19.1d\n\tpmull\tv5.1q,v5.1d,v19.1d\n\teor\tv18.16b,v18.16b,v2.16b\n\teor\tv4.16b,v4.16b,v7.16b\n\teor\tv20.16b, v0.16b,v18.16b\t\t//H^3\n\teor\tv22.16b,v5.16b,v4.16b\t\t//H^4\n\n\text\tv16.16b,v20.16b, v20.16b,#8\t\t//Karatsuba pre-processing\n\text\tv17.16b,v22.16b,v22.16b,#8\n\teor\tv16.16b,v16.16b,v20.16b\n\teor\tv17.16b,v17.16b,v22.16b\n\text\tv21.16b,v16.16b,v17.16b,#8\t\t//pack Karatsuba pre-processed\n\tst1\t{v20.2d,v21.2d,v22.2d},[x0]\t\t//store Htable[3..5]\n\tret\n\n.globl\tgcm_gmult_v8\n\n.def gcm_gmult_v8\n .type 32\n.endef\n.align\t4\ngcm_gmult_v8:\n\tAARCH64_VALID_CALL_TARGET\n\tld1\t{v17.2d},[x0]\t\t//load Xi\n\tmovi\tv19.16b,#0xe1\n\tld1\t{v20.2d,v21.2d},[x1]\t//load twisted H, ...\n\tshl\tv19.2d,v19.2d,#57\n#ifndef __AARCH64EB__\n\trev64\tv17.16b,v17.16b\n#endif\n\text\tv3.16b,v17.16b,v17.16b,#8\n\n\tpmull\tv0.1q,v20.1d,v3.1d\t\t//H.lo·Xi.lo\n\teor\tv17.16b,v17.16b,v3.16b\t\t//Karatsuba pre-processing\n\tpmull2\tv2.1q,v20.2d,v3.2d\t\t//H.hi·Xi.hi\n\tpmull\tv1.1q,v21.1d,v17.1d\t\t//(H.lo+H.hi)·(Xi.lo+Xi.hi)\n\n\text\tv17.16b,v0.16b,v2.16b,#8\t\t//Karatsuba post-processing\n\teor\tv18.16b,v0.16b,v2.16b\n\teor\tv1.16b,v1.16b,v17.16b\n\teor\tv1.16b,v1.16b,v18.16b\n\tpmull\tv18.1q,v0.1d,v19.1d\t\t//1st phase of reduction\n\n\tins\tv2.d[0],v1.d[1]\n\tins\tv1.d[1],v0.d[0]\n\teor\tv0.16b,v1.16b,v18.16b\n\n\text\tv18.16b,v0.16b,v0.16b,#8\t\t//2nd phase of reduction\n\tpmull\tv0.1q,v0.1d,v19.1d\n\teor\tv18.16b,v18.16b,v2.16b\n\teor\tv0.16b,v0.16b,v18.16b\n\n#ifndef __AARCH64EB__\n\trev64\tv0.16b,v0.16b\n#endif\n\text\tv0.16b,v0.16b,v0.16b,#8\n\tst1\t{v0.2d},[x0]\t\t//write out Xi\n\n\tret\n\n.globl\tgcm_ghash_v8\n\n.def gcm_ghash_v8\n .type 32\n.endef\n.align\t4\ngcm_ghash_v8:\n\tAARCH64_VALID_CALL_TARGET\n\tcmp\tx3,#64\n\tb.hs\tLgcm_ghash_v8_4x\n\tld1\t{v0.2d},[x0]\t\t//load [rotated] Xi\n\t\t\t\t\t\t//\"[rotated]\" means that\n\t\t\t\t\t\t//loaded value would have\n\t\t\t\t\t\t//to be rotated in order to\n\t\t\t\t\t\t//make it appear as in\n\t\t\t\t\t\t//algorithm specification\n\tsubs\tx3,x3,#32\t\t//see if x3 is 32 or larger\n\tmov\tx12,#16\t\t//x12 is used as post-\n\t\t\t\t\t\t//increment for input pointer;\n\t\t\t\t\t\t//as loop is modulo-scheduled\n\t\t\t\t\t\t//x12 is zeroed just in time\n\t\t\t\t\t\t//to preclude overstepping\n\t\t\t\t\t\t//inp[len], which means that\n\t\t\t\t\t\t//last block[s] are actually\n\t\t\t\t\t\t//loaded twice, but last\n\t\t\t\t\t\t//copy is not processed\n\tld1\t{v20.2d,v21.2d},[x1],#32\t//load twisted H, ..., H^2\n\tmovi\tv19.16b,#0xe1\n\tld1\t{v22.2d},[x1]\n\tcsel\tx12,xzr,x12,eq\t\t\t//is it time to zero x12?\n\text\tv0.16b,v0.16b,v0.16b,#8\t\t//rotate Xi\n\tld1\t{v16.2d},[x2],#16\t//load [rotated] I[0]\n\tshl\tv19.2d,v19.2d,#57\t\t//compose 0xc2.0 constant\n#ifndef __AARCH64EB__\n\trev64\tv16.16b,v16.16b\n\trev64\tv0.16b,v0.16b\n#endif\n\text\tv3.16b,v16.16b,v16.16b,#8\t\t//rotate I[0]\n\tb.lo\tLodd_tail_v8\t\t//x3 was less than 32\n\tld1\t{v17.2d},[x2],x12\t//load [rotated] I[1]\n#ifndef __AARCH64EB__\n\trev64\tv17.16b,v17.16b\n#endif\n\text\tv7.16b,v17.16b,v17.16b,#8\n\teor\tv3.16b,v3.16b,v0.16b\t\t//I[i]^=Xi\n\tpmull\tv4.1q,v20.1d,v7.1d\t\t//H·Ii+1\n\teor\tv17.16b,v17.16b,v7.16b\t\t//Karatsuba pre-processing\n\tpmull2\tv6.1q,v20.2d,v7.2d\n\tb\tLoop_mod2x_v8\n\n.align\t4\nLoop_mod2x_v8:\n\text\tv18.16b,v3.16b,v3.16b,#8\n\tsubs\tx3,x3,#32\t\t//is there more data?\n\tpmull\tv0.1q,v22.1d,v3.1d\t\t//H^2.lo·Xi.lo\n\tcsel\tx12,xzr,x12,lo\t\t\t//is it time to zero x12?\n\n\tpmull\tv5.1q,v21.1d,v17.1d\n\teor\tv18.16b,v18.16b,v3.16b\t\t//Karatsuba pre-processing\n\tpmull2\tv2.1q,v22.2d,v3.2d\t\t//H^2.hi·Xi.hi\n\teor\tv0.16b,v0.16b,v4.16b\t\t//accumulate\n\tpmull2\tv1.1q,v21.2d,v18.2d\t\t//(H^2.lo+H^2.hi)·(Xi.lo+Xi.hi)\n\tld1\t{v16.2d},[x2],x12\t//load [rotated] I[i+2]\n\n\teor\tv2.16b,v2.16b,v6.16b\n\tcsel\tx12,xzr,x12,eq\t\t\t//is it time to zero x12?\n\teor\tv1.16b,v1.16b,v5.16b\n\n\text\tv17.16b,v0.16b,v2.16b,#8\t\t//Karatsuba post-processing\n\teor\tv18.16b,v0.16b,v2.16b\n\teor\tv1.16b,v1.16b,v17.16b\n\tld1\t{v17.2d},[x2],x12\t//load [rotated] I[i+3]\n#ifndef __AARCH64EB__\n\trev64\tv16.16b,v16.16b\n#endif\n\teor\tv1.16b,v1.16b,v18.16b\n\tpmull\tv18.1q,v0.1d,v19.1d\t\t//1st phase of reduction\n\n#ifndef __AARCH64EB__\n\trev64\tv17.16b,v17.16b\n#endif\n\tins\tv2.d[0],v1.d[1]\n\tins\tv1.d[1],v0.d[0]\n\text\tv7.16b,v17.16b,v17.16b,#8\n\text\tv3.16b,v16.16b,v16.16b,#8\n\teor\tv0.16b,v1.16b,v18.16b\n\tpmull\tv4.1q,v20.1d,v7.1d\t\t//H·Ii+1\n\teor\tv3.16b,v3.16b,v2.16b\t\t//accumulate v3.16b early\n\n\text\tv18.16b,v0.16b,v0.16b,#8\t\t//2nd phase of reduction\n\tpmull\tv0.1q,v0.1d,v19.1d\n\teor\tv3.16b,v3.16b,v18.16b\n\teor\tv17.16b,v17.16b,v7.16b\t\t//Karatsuba pre-processing\n\teor\tv3.16b,v3.16b,v0.16b\n\tpmull2\tv6.1q,v20.2d,v7.2d\n\tb.hs\tLoop_mod2x_v8\t\t//there was at least 32 more bytes\n\n\teor\tv2.16b,v2.16b,v18.16b\n\text\tv3.16b,v16.16b,v16.16b,#8\t\t//re-construct v3.16b\n\tadds\tx3,x3,#32\t\t//re-construct x3\n\teor\tv0.16b,v0.16b,v2.16b\t\t//re-construct v0.16b\n\tb.eq\tLdone_v8\t\t//is x3 zero?\nLodd_tail_v8:\n\text\tv18.16b,v0.16b,v0.16b,#8\n\teor\tv3.16b,v3.16b,v0.16b\t\t//inp^=Xi\n\teor\tv17.16b,v16.16b,v18.16b\t\t//v17.16b is rotated inp^Xi\n\n\tpmull\tv0.1q,v20.1d,v3.1d\t\t//H.lo·Xi.lo\n\teor\tv17.16b,v17.16b,v3.16b\t\t//Karatsuba pre-processing\n\tpmull2\tv2.1q,v20.2d,v3.2d\t\t//H.hi·Xi.hi\n\tpmull\tv1.1q,v21.1d,v17.1d\t\t//(H.lo+H.hi)·(Xi.lo+Xi.hi)\n\n\text\tv17.16b,v0.16b,v2.16b,#8\t\t//Karatsuba post-processing\n\teor\tv18.16b,v0.16b,v2.16b\n\teor\tv1.16b,v1.16b,v17.16b\n\teor\tv1.16b,v1.16b,v18.16b\n\tpmull\tv18.1q,v0.1d,v19.1d\t\t//1st phase of reduction\n\n\tins\tv2.d[0],v1.d[1]\n\tins\tv1.d[1],v0.d[0]\n\teor\tv0.16b,v1.16b,v18.16b\n\n\text\tv18.16b,v0.16b,v0.16b,#8\t\t//2nd phase of reduction\n\tpmull\tv0.1q,v0.1d,v19.1d\n\teor\tv18.16b,v18.16b,v2.16b\n\teor\tv0.16b,v0.16b,v18.16b\n\nLdone_v8:\n#ifndef __AARCH64EB__\n\trev64\tv0.16b,v0.16b\n#endif\n\text\tv0.16b,v0.16b,v0.16b,#8\n\tst1\t{v0.2d},[x0]\t\t//write out Xi\n\n\tret\n\n.def gcm_ghash_v8_4x\n .type 32\n.endef\n.align\t4\ngcm_ghash_v8_4x:\nLgcm_ghash_v8_4x:\n\tld1\t{v0.2d},[x0]\t\t//load [rotated] Xi\n\tld1\t{v20.2d,v21.2d,v22.2d},[x1],#48\t//load twisted H, ..., H^2\n\tmovi\tv19.16b,#0xe1\n\tld1\t{v26.2d,v27.2d,v28.2d},[x1]\t//load twisted H^3, ..., H^4\n\tshl\tv19.2d,v19.2d,#57\t\t//compose 0xc2.0 constant\n\n\tld1\t{v4.2d,v5.2d,v6.2d,v7.2d},[x2],#64\n#ifndef __AARCH64EB__\n\trev64\tv0.16b,v0.16b\n\trev64\tv5.16b,v5.16b\n\trev64\tv6.16b,v6.16b\n\trev64\tv7.16b,v7.16b\n\trev64\tv4.16b,v4.16b\n#endif\n\text\tv25.16b,v7.16b,v7.16b,#8\n\text\tv24.16b,v6.16b,v6.16b,#8\n\text\tv23.16b,v5.16b,v5.16b,#8\n\n\tpmull\tv29.1q,v20.1d,v25.1d\t\t//H·Ii+3\n\teor\tv7.16b,v7.16b,v25.16b\n\tpmull2\tv31.1q,v20.2d,v25.2d\n\tpmull\tv30.1q,v21.1d,v7.1d\n\n\tpmull\tv16.1q,v22.1d,v24.1d\t\t//H^2·Ii+2\n\teor\tv6.16b,v6.16b,v24.16b\n\tpmull2\tv24.1q,v22.2d,v24.2d\n\tpmull2\tv6.1q,v21.2d,v6.2d\n\n\teor\tv29.16b,v29.16b,v16.16b\n\teor\tv31.16b,v31.16b,v24.16b\n\teor\tv30.16b,v30.16b,v6.16b\n\n\tpmull\tv7.1q,v26.1d,v23.1d\t\t//H^3·Ii+1\n\teor\tv5.16b,v5.16b,v23.16b\n\tpmull2\tv23.1q,v26.2d,v23.2d\n\tpmull\tv5.1q,v27.1d,v5.1d\n\n\teor\tv29.16b,v29.16b,v7.16b\n\teor\tv31.16b,v31.16b,v23.16b\n\teor\tv30.16b,v30.16b,v5.16b\n\n\tsubs\tx3,x3,#128\n\tb.lo\tLtail4x\n\n\tb\tLoop4x\n\n.align\t4\nLoop4x:\n\teor\tv16.16b,v4.16b,v0.16b\n\tld1\t{v4.2d,v5.2d,v6.2d,v7.2d},[x2],#64\n\text\tv3.16b,v16.16b,v16.16b,#8\n#ifndef __AARCH64EB__\n\trev64\tv5.16b,v5.16b\n\trev64\tv6.16b,v6.16b\n\trev64\tv7.16b,v7.16b\n\trev64\tv4.16b,v4.16b\n#endif\n\n\tpmull\tv0.1q,v28.1d,v3.1d\t\t//H^4·(Xi+Ii)\n\teor\tv16.16b,v16.16b,v3.16b\n\tpmull2\tv2.1q,v28.2d,v3.2d\n\text\tv25.16b,v7.16b,v7.16b,#8\n\tpmull2\tv1.1q,v27.2d,v16.2d\n\n\teor\tv0.16b,v0.16b,v29.16b\n\teor\tv2.16b,v2.16b,v31.16b\n\text\tv24.16b,v6.16b,v6.16b,#8\n\teor\tv1.16b,v1.16b,v30.16b\n\text\tv23.16b,v5.16b,v5.16b,#8\n\n\text\tv17.16b,v0.16b,v2.16b,#8\t\t//Karatsuba post-processing\n\teor\tv18.16b,v0.16b,v2.16b\n\tpmull\tv29.1q,v20.1d,v25.1d\t\t//H·Ii+3\n\teor\tv7.16b,v7.16b,v25.16b\n\teor\tv1.16b,v1.16b,v17.16b\n\tpmull2\tv31.1q,v20.2d,v25.2d\n\teor\tv1.16b,v1.16b,v18.16b\n\tpmull\tv30.1q,v21.1d,v7.1d\n\n\tpmull\tv18.1q,v0.1d,v19.1d\t\t//1st phase of reduction\n\tins\tv2.d[0],v1.d[1]\n\tins\tv1.d[1],v0.d[0]\n\tpmull\tv16.1q,v22.1d,v24.1d\t\t//H^2·Ii+2\n\teor\tv6.16b,v6.16b,v24.16b\n\tpmull2\tv24.1q,v22.2d,v24.2d\n\teor\tv0.16b,v1.16b,v18.16b\n\tpmull2\tv6.1q,v21.2d,v6.2d\n\n\teor\tv29.16b,v29.16b,v16.16b\n\teor\tv31.16b,v31.16b,v24.16b\n\teor\tv30.16b,v30.16b,v6.16b\n\n\text\tv18.16b,v0.16b,v0.16b,#8\t\t//2nd phase of reduction\n\tpmull\tv0.1q,v0.1d,v19.1d\n\tpmull\tv7.1q,v26.1d,v23.1d\t\t//H^3·Ii+1\n\teor\tv5.16b,v5.16b,v23.16b\n\teor\tv18.16b,v18.16b,v2.16b\n\tpmull2\tv23.1q,v26.2d,v23.2d\n\tpmull\tv5.1q,v27.1d,v5.1d\n\n\teor\tv0.16b,v0.16b,v18.16b\n\teor\tv29.16b,v29.16b,v7.16b\n\teor\tv31.16b,v31.16b,v23.16b\n\text\tv0.16b,v0.16b,v0.16b,#8\n\teor\tv30.16b,v30.16b,v5.16b\n\n\tsubs\tx3,x3,#64\n\tb.hs\tLoop4x\n\nLtail4x:\n\teor\tv16.16b,v4.16b,v0.16b\n\text\tv3.16b,v16.16b,v16.16b,#8\n\n\tpmull\tv0.1q,v28.1d,v3.1d\t\t//H^4·(Xi+Ii)\n\teor\tv16.16b,v16.16b,v3.16b\n\tpmull2\tv2.1q,v28.2d,v3.2d\n\tpmull2\tv1.1q,v27.2d,v16.2d\n\n\teor\tv0.16b,v0.16b,v29.16b\n\teor\tv2.16b,v2.16b,v31.16b\n\teor\tv1.16b,v1.16b,v30.16b\n\n\tadds\tx3,x3,#64\n\tb.eq\tLdone4x\n\n\tcmp\tx3,#32\n\tb.lo\tLone\n\tb.eq\tLtwo\nLthree:\n\text\tv17.16b,v0.16b,v2.16b,#8\t\t//Karatsuba post-processing\n\teor\tv18.16b,v0.16b,v2.16b\n\teor\tv1.16b,v1.16b,v17.16b\n\tld1\t{v4.2d,v5.2d,v6.2d},[x2]\n\teor\tv1.16b,v1.16b,v18.16b\n#ifndef\t__AARCH64EB__\n\trev64\tv5.16b,v5.16b\n\trev64\tv6.16b,v6.16b\n\trev64\tv4.16b,v4.16b\n#endif\n\n\tpmull\tv18.1q,v0.1d,v19.1d\t\t//1st phase of reduction\n\tins\tv2.d[0],v1.d[1]\n\tins\tv1.d[1],v0.d[0]\n\text\tv24.16b,v6.16b,v6.16b,#8\n\text\tv23.16b,v5.16b,v5.16b,#8\n\teor\tv0.16b,v1.16b,v18.16b\n\n\tpmull\tv29.1q,v20.1d,v24.1d\t\t//H·Ii+2\n\teor\tv6.16b,v6.16b,v24.16b\n\n\text\tv18.16b,v0.16b,v0.16b,#8\t\t//2nd phase of reduction\n\tpmull\tv0.1q,v0.1d,v19.1d\n\teor\tv18.16b,v18.16b,v2.16b\n\tpmull2\tv31.1q,v20.2d,v24.2d\n\tpmull\tv30.1q,v21.1d,v6.1d\n\teor\tv0.16b,v0.16b,v18.16b\n\tpmull\tv7.1q,v22.1d,v23.1d\t\t//H^2·Ii+1\n\teor\tv5.16b,v5.16b,v23.16b\n\text\tv0.16b,v0.16b,v0.16b,#8\n\n\tpmull2\tv23.1q,v22.2d,v23.2d\n\teor\tv16.16b,v4.16b,v0.16b\n\tpmull2\tv5.1q,v21.2d,v5.2d\n\text\tv3.16b,v16.16b,v16.16b,#8\n\n\teor\tv29.16b,v29.16b,v7.16b\n\teor\tv31.16b,v31.16b,v23.16b\n\teor\tv30.16b,v30.16b,v5.16b\n\n\tpmull\tv0.1q,v26.1d,v3.1d\t\t//H^3·(Xi+Ii)\n\teor\tv16.16b,v16.16b,v3.16b\n\tpmull2\tv2.1q,v26.2d,v3.2d\n\tpmull\tv1.1q,v27.1d,v16.1d\n\n\teor\tv0.16b,v0.16b,v29.16b\n\teor\tv2.16b,v2.16b,v31.16b\n\teor\tv1.16b,v1.16b,v30.16b\n\tb\tLdone4x\n\n.align\t4\nLtwo:\n\text\tv17.16b,v0.16b,v2.16b,#8\t\t//Karatsuba post-processing\n\teor\tv18.16b,v0.16b,v2.16b\n\teor\tv1.16b,v1.16b,v17.16b\n\tld1\t{v4.2d,v5.2d},[x2]\n\teor\tv1.16b,v1.16b,v18.16b\n#ifndef\t__AARCH64EB__\n\trev64\tv5.16b,v5.16b\n\trev64\tv4.16b,v4.16b\n#endif\n\n\tpmull\tv18.1q,v0.1d,v19.1d\t\t//1st phase of reduction\n\tins\tv2.d[0],v1.d[1]\n\tins\tv1.d[1],v0.d[0]\n\text\tv23.16b,v5.16b,v5.16b,#8\n\teor\tv0.16b,v1.16b,v18.16b\n\n\text\tv18.16b,v0.16b,v0.16b,#8\t\t//2nd phase of reduction\n\tpmull\tv0.1q,v0.1d,v19.1d\n\teor\tv18.16b,v18.16b,v2.16b\n\teor\tv0.16b,v0.16b,v18.16b\n\text\tv0.16b,v0.16b,v0.16b,#8\n\n\tpmull\tv29.1q,v20.1d,v23.1d\t\t//H·Ii+1\n\teor\tv5.16b,v5.16b,v23.16b\n\n\teor\tv16.16b,v4.16b,v0.16b\n\text\tv3.16b,v16.16b,v16.16b,#8\n\n\tpmull2\tv31.1q,v20.2d,v23.2d\n\tpmull\tv30.1q,v21.1d,v5.1d\n\n\tpmull\tv0.1q,v22.1d,v3.1d\t\t//H^2·(Xi+Ii)\n\teor\tv16.16b,v16.16b,v3.16b\n\tpmull2\tv2.1q,v22.2d,v3.2d\n\tpmull2\tv1.1q,v21.2d,v16.2d\n\n\teor\tv0.16b,v0.16b,v29.16b\n\teor\tv2.16b,v2.16b,v31.16b\n\teor\tv1.16b,v1.16b,v30.16b\n\tb\tLdone4x\n\n.align\t4\nLone:\n\text\tv17.16b,v0.16b,v2.16b,#8\t\t//Karatsuba post-processing\n\teor\tv18.16b,v0.16b,v2.16b\n\teor\tv1.16b,v1.16b,v17.16b\n\tld1\t{v4.2d},[x2]\n\teor\tv1.16b,v1.16b,v18.16b\n#ifndef\t__AARCH64EB__\n\trev64\tv4.16b,v4.16b\n#endif\n\n\tpmull\tv18.1q,v0.1d,v19.1d\t\t//1st phase of reduction\n\tins\tv2.d[0],v1.d[1]\n\tins\tv1.d[1],v0.d[0]\n\teor\tv0.16b,v1.16b,v18.16b\n\n\text\tv18.16b,v0.16b,v0.16b,#8\t\t//2nd phase of reduction\n\tpmull\tv0.1q,v0.1d,v19.1d\n\teor\tv18.16b,v18.16b,v2.16b\n\teor\tv0.16b,v0.16b,v18.16b\n\text\tv0.16b,v0.16b,v0.16b,#8\n\n\teor\tv16.16b,v4.16b,v0.16b\n\text\tv3.16b,v16.16b,v16.16b,#8\n\n\tpmull\tv0.1q,v20.1d,v3.1d\n\teor\tv16.16b,v16.16b,v3.16b\n\tpmull2\tv2.1q,v20.2d,v3.2d\n\tpmull\tv1.1q,v21.1d,v16.1d\n\nLdone4x:\n\text\tv17.16b,v0.16b,v2.16b,#8\t\t//Karatsuba post-processing\n\teor\tv18.16b,v0.16b,v2.16b\n\teor\tv1.16b,v1.16b,v17.16b\n\teor\tv1.16b,v1.16b,v18.16b\n\n\tpmull\tv18.1q,v0.1d,v19.1d\t\t//1st phase of reduction\n\tins\tv2.d[0],v1.d[1]\n\tins\tv1.d[1],v0.d[0]\n\teor\tv0.16b,v1.16b,v18.16b\n\n\text\tv18.16b,v0.16b,v0.16b,#8\t\t//2nd phase of reduction\n\tpmull\tv0.1q,v0.1d,v19.1d\n\teor\tv18.16b,v18.16b,v2.16b\n\teor\tv0.16b,v0.16b,v18.16b\n\text\tv0.16b,v0.16b,v0.16b,#8\n\n#ifndef __AARCH64EB__\n\trev64\tv0.16b,v0.16b\n#endif\n\tst1\t{v0.2d},[x0]\t\t//write out Xi\n\n\tret\n\n.byte\t71,72,65,83,72,32,102,111,114,32,65,82,77,118,56,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0\n.align\t2\n.align\t2\n#endif\n#endif // !OPENSSL_NO_ASM && defined(OPENSSL_AARCH64) && defined(_WIN32)\n#if defined(__linux__) && defined(__ELF__)\n.section .note.GNU-stack,\"\",%progbits\n#endif\n\n" }, { "path": "Sources/CNIOBoringSSL/gen/bcm/p256-armv8-asm-apple.S", "content": "#define BORINGSSL_PREFIX CNIOBoringSSL\n// This file is generated from a similarly-named Perl script in the BoringSSL\n// source tree. Do not edit by hand.\n\n#include \n\n#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_AARCH64) && defined(__APPLE__)\n#include \"CNIOBoringSSL_arm_arch.h\"\n\n.section\t__TEXT,__const\n.align\t5\nLpoly:\n.quad\t0xffffffffffffffff,0x00000000ffffffff,0x0000000000000000,0xffffffff00000001\nLRR:\t//\t2^512 mod P precomputed for NIST P256 polynomial\n.quad\t0x0000000000000003,0xfffffffbffffffff,0xfffffffffffffffe,0x00000004fffffffd\nLone_mont:\n.quad\t0x0000000000000001,0xffffffff00000000,0xffffffffffffffff,0x00000000fffffffe\nLone:\n.quad\t1,0,0,0\nLord:\n.quad\t0xf3b9cac2fc632551,0xbce6faada7179e84,0xffffffffffffffff,0xffffffff00000000\nLordK:\n.quad\t0xccd1c8aaee00bc4f\n.byte\t69,67,80,95,78,73,83,84,90,50,53,54,32,102,111,114,32,65,82,77,118,56,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0\n.align\t2\n.text\n\n// void\tecp_nistz256_mul_mont(BN_ULONG x0[4],const BN_ULONG x1[4],\n//\t\t\t\t\t const BN_ULONG x2[4]);\n.globl\t_ecp_nistz256_mul_mont\n.private_extern\t_ecp_nistz256_mul_mont\n\n.align\t4\n_ecp_nistz256_mul_mont:\n\tAARCH64_SIGN_LINK_REGISTER\n\tstp\tx29,x30,[sp,#-32]!\n\tadd\tx29,sp,#0\n\tstp\tx19,x20,[sp,#16]\n\n\tldr\tx3,[x2]\t\t// bp[0]\n\tldp\tx4,x5,[x1]\n\tldp\tx6,x7,[x1,#16]\n\tadrp\tx13,Lpoly@PAGE\n\tadd\tx13,x13,Lpoly@PAGEOFF\n\tldr\tx12,[x13,#8]\n\tldr\tx13,[x13,#24]\n\n\tbl\t__ecp_nistz256_mul_mont\n\n\tldp\tx19,x20,[sp,#16]\n\tldp\tx29,x30,[sp],#32\n\tAARCH64_VALIDATE_LINK_REGISTER\n\tret\n\n\n// void\tecp_nistz256_sqr_mont(BN_ULONG x0[4],const BN_ULONG x1[4]);\n.globl\t_ecp_nistz256_sqr_mont\n.private_extern\t_ecp_nistz256_sqr_mont\n\n.align\t4\n_ecp_nistz256_sqr_mont:\n\tAARCH64_SIGN_LINK_REGISTER\n\tstp\tx29,x30,[sp,#-32]!\n\tadd\tx29,sp,#0\n\tstp\tx19,x20,[sp,#16]\n\n\tldp\tx4,x5,[x1]\n\tldp\tx6,x7,[x1,#16]\n\tadrp\tx13,Lpoly@PAGE\n\tadd\tx13,x13,Lpoly@PAGEOFF\n\tldr\tx12,[x13,#8]\n\tldr\tx13,[x13,#24]\n\n\tbl\t__ecp_nistz256_sqr_mont\n\n\tldp\tx19,x20,[sp,#16]\n\tldp\tx29,x30,[sp],#32\n\tAARCH64_VALIDATE_LINK_REGISTER\n\tret\n\n\n// void\tecp_nistz256_div_by_2(BN_ULONG x0[4],const BN_ULONG x1[4]);\n.globl\t_ecp_nistz256_div_by_2\n.private_extern\t_ecp_nistz256_div_by_2\n\n.align\t4\n_ecp_nistz256_div_by_2:\n\tAARCH64_SIGN_LINK_REGISTER\n\tstp\tx29,x30,[sp,#-16]!\n\tadd\tx29,sp,#0\n\n\tldp\tx14,x15,[x1]\n\tldp\tx16,x17,[x1,#16]\n\tadrp\tx13,Lpoly@PAGE\n\tadd\tx13,x13,Lpoly@PAGEOFF\n\tldr\tx12,[x13,#8]\n\tldr\tx13,[x13,#24]\n\n\tbl\t__ecp_nistz256_div_by_2\n\n\tldp\tx29,x30,[sp],#16\n\tAARCH64_VALIDATE_LINK_REGISTER\n\tret\n\n\n// void\tecp_nistz256_mul_by_2(BN_ULONG x0[4],const BN_ULONG x1[4]);\n.globl\t_ecp_nistz256_mul_by_2\n.private_extern\t_ecp_nistz256_mul_by_2\n\n.align\t4\n_ecp_nistz256_mul_by_2:\n\tAARCH64_SIGN_LINK_REGISTER\n\tstp\tx29,x30,[sp,#-16]!\n\tadd\tx29,sp,#0\n\n\tldp\tx14,x15,[x1]\n\tldp\tx16,x17,[x1,#16]\n\tadrp\tx13,Lpoly@PAGE\n\tadd\tx13,x13,Lpoly@PAGEOFF\n\tldr\tx12,[x13,#8]\n\tldr\tx13,[x13,#24]\n\tmov\tx8,x14\n\tmov\tx9,x15\n\tmov\tx10,x16\n\tmov\tx11,x17\n\n\tbl\t__ecp_nistz256_add_to\t// ret = a+a\t// 2*a\n\n\tldp\tx29,x30,[sp],#16\n\tAARCH64_VALIDATE_LINK_REGISTER\n\tret\n\n\n// void\tecp_nistz256_mul_by_3(BN_ULONG x0[4],const BN_ULONG x1[4]);\n.globl\t_ecp_nistz256_mul_by_3\n.private_extern\t_ecp_nistz256_mul_by_3\n\n.align\t4\n_ecp_nistz256_mul_by_3:\n\tAARCH64_SIGN_LINK_REGISTER\n\tstp\tx29,x30,[sp,#-16]!\n\tadd\tx29,sp,#0\n\n\tldp\tx14,x15,[x1]\n\tldp\tx16,x17,[x1,#16]\n\tadrp\tx13,Lpoly@PAGE\n\tadd\tx13,x13,Lpoly@PAGEOFF\n\tldr\tx12,[x13,#8]\n\tldr\tx13,[x13,#24]\n\tmov\tx8,x14\n\tmov\tx9,x15\n\tmov\tx10,x16\n\tmov\tx11,x17\n\tmov\tx4,x14\n\tmov\tx5,x15\n\tmov\tx6,x16\n\tmov\tx7,x17\n\n\tbl\t__ecp_nistz256_add_to\t// ret = a+a\t// 2*a\n\n\tmov\tx8,x4\n\tmov\tx9,x5\n\tmov\tx10,x6\n\tmov\tx11,x7\n\n\tbl\t__ecp_nistz256_add_to\t// ret += a\t// 2*a+a=3*a\n\n\tldp\tx29,x30,[sp],#16\n\tAARCH64_VALIDATE_LINK_REGISTER\n\tret\n\n\n// void\tecp_nistz256_sub(BN_ULONG x0[4],const BN_ULONG x1[4],\n//\t\t\t\t const BN_ULONG x2[4]);\n.globl\t_ecp_nistz256_sub\n.private_extern\t_ecp_nistz256_sub\n\n.align\t4\n_ecp_nistz256_sub:\n\tAARCH64_SIGN_LINK_REGISTER\n\tstp\tx29,x30,[sp,#-16]!\n\tadd\tx29,sp,#0\n\n\tldp\tx14,x15,[x1]\n\tldp\tx16,x17,[x1,#16]\n\tadrp\tx13,Lpoly@PAGE\n\tadd\tx13,x13,Lpoly@PAGEOFF\n\tldr\tx12,[x13,#8]\n\tldr\tx13,[x13,#24]\n\n\tbl\t__ecp_nistz256_sub_from\n\n\tldp\tx29,x30,[sp],#16\n\tAARCH64_VALIDATE_LINK_REGISTER\n\tret\n\n\n// void\tecp_nistz256_neg(BN_ULONG x0[4],const BN_ULONG x1[4]);\n.globl\t_ecp_nistz256_neg\n.private_extern\t_ecp_nistz256_neg\n\n.align\t4\n_ecp_nistz256_neg:\n\tAARCH64_SIGN_LINK_REGISTER\n\tstp\tx29,x30,[sp,#-16]!\n\tadd\tx29,sp,#0\n\n\tmov\tx2,x1\n\tmov\tx14,xzr\t\t// a = 0\n\tmov\tx15,xzr\n\tmov\tx16,xzr\n\tmov\tx17,xzr\n\tadrp\tx13,Lpoly@PAGE\n\tadd\tx13,x13,Lpoly@PAGEOFF\n\tldr\tx12,[x13,#8]\n\tldr\tx13,[x13,#24]\n\n\tbl\t__ecp_nistz256_sub_from\n\n\tldp\tx29,x30,[sp],#16\n\tAARCH64_VALIDATE_LINK_REGISTER\n\tret\n\n\n// note that __ecp_nistz256_mul_mont expects a[0-3] input pre-loaded\n// to x4-x7 and b[0] - to x3\n\n.align\t4\n__ecp_nistz256_mul_mont:\n\tmul\tx14,x4,x3\t\t// a[0]*b[0]\n\tumulh\tx8,x4,x3\n\n\tmul\tx15,x5,x3\t\t// a[1]*b[0]\n\tumulh\tx9,x5,x3\n\n\tmul\tx16,x6,x3\t\t// a[2]*b[0]\n\tumulh\tx10,x6,x3\n\n\tmul\tx17,x7,x3\t\t// a[3]*b[0]\n\tumulh\tx11,x7,x3\n\tldr\tx3,[x2,#8]\t\t// b[1]\n\n\tadds\tx15,x15,x8\t\t// accumulate high parts of multiplication\n\tlsl\tx8,x14,#32\n\tadcs\tx16,x16,x9\n\tlsr\tx9,x14,#32\n\tadcs\tx17,x17,x10\n\tadc\tx19,xzr,x11\n\tmov\tx20,xzr\n\tsubs\tx10,x14,x8\t\t// \"*0xffff0001\"\n\tsbc\tx11,x14,x9\n\tadds\tx14,x15,x8\t\t// +=acc[0]<<96 and omit acc[0]\n\tmul\tx8,x4,x3\t\t// lo(a[0]*b[i])\n\tadcs\tx15,x16,x9\n\tmul\tx9,x5,x3\t\t// lo(a[1]*b[i])\n\tadcs\tx16,x17,x10\t\t// +=acc[0]*0xffff0001\n\tmul\tx10,x6,x3\t\t// lo(a[2]*b[i])\n\tadcs\tx17,x19,x11\n\tmul\tx11,x7,x3\t\t// lo(a[3]*b[i])\n\tadc\tx19,x20,xzr\n\n\tadds\tx14,x14,x8\t\t// accumulate low parts of multiplication\n\tumulh\tx8,x4,x3\t\t// hi(a[0]*b[i])\n\tadcs\tx15,x15,x9\n\tumulh\tx9,x5,x3\t\t// hi(a[1]*b[i])\n\tadcs\tx16,x16,x10\n\tumulh\tx10,x6,x3\t\t// hi(a[2]*b[i])\n\tadcs\tx17,x17,x11\n\tumulh\tx11,x7,x3\t\t// hi(a[3]*b[i])\n\tadc\tx19,x19,xzr\n\tldr\tx3,[x2,#8*(1+1)]\t// b[1+1]\n\tadds\tx15,x15,x8\t\t// accumulate high parts of multiplication\n\tlsl\tx8,x14,#32\n\tadcs\tx16,x16,x9\n\tlsr\tx9,x14,#32\n\tadcs\tx17,x17,x10\n\tadcs\tx19,x19,x11\n\tadc\tx20,xzr,xzr\n\tsubs\tx10,x14,x8\t\t// \"*0xffff0001\"\n\tsbc\tx11,x14,x9\n\tadds\tx14,x15,x8\t\t// +=acc[0]<<96 and omit acc[0]\n\tmul\tx8,x4,x3\t\t// lo(a[0]*b[i])\n\tadcs\tx15,x16,x9\n\tmul\tx9,x5,x3\t\t// lo(a[1]*b[i])\n\tadcs\tx16,x17,x10\t\t// +=acc[0]*0xffff0001\n\tmul\tx10,x6,x3\t\t// lo(a[2]*b[i])\n\tadcs\tx17,x19,x11\n\tmul\tx11,x7,x3\t\t// lo(a[3]*b[i])\n\tadc\tx19,x20,xzr\n\n\tadds\tx14,x14,x8\t\t// accumulate low parts of multiplication\n\tumulh\tx8,x4,x3\t\t// hi(a[0]*b[i])\n\tadcs\tx15,x15,x9\n\tumulh\tx9,x5,x3\t\t// hi(a[1]*b[i])\n\tadcs\tx16,x16,x10\n\tumulh\tx10,x6,x3\t\t// hi(a[2]*b[i])\n\tadcs\tx17,x17,x11\n\tumulh\tx11,x7,x3\t\t// hi(a[3]*b[i])\n\tadc\tx19,x19,xzr\n\tldr\tx3,[x2,#8*(2+1)]\t// b[2+1]\n\tadds\tx15,x15,x8\t\t// accumulate high parts of multiplication\n\tlsl\tx8,x14,#32\n\tadcs\tx16,x16,x9\n\tlsr\tx9,x14,#32\n\tadcs\tx17,x17,x10\n\tadcs\tx19,x19,x11\n\tadc\tx20,xzr,xzr\n\tsubs\tx10,x14,x8\t\t// \"*0xffff0001\"\n\tsbc\tx11,x14,x9\n\tadds\tx14,x15,x8\t\t// +=acc[0]<<96 and omit acc[0]\n\tmul\tx8,x4,x3\t\t// lo(a[0]*b[i])\n\tadcs\tx15,x16,x9\n\tmul\tx9,x5,x3\t\t// lo(a[1]*b[i])\n\tadcs\tx16,x17,x10\t\t// +=acc[0]*0xffff0001\n\tmul\tx10,x6,x3\t\t// lo(a[2]*b[i])\n\tadcs\tx17,x19,x11\n\tmul\tx11,x7,x3\t\t// lo(a[3]*b[i])\n\tadc\tx19,x20,xzr\n\n\tadds\tx14,x14,x8\t\t// accumulate low parts of multiplication\n\tumulh\tx8,x4,x3\t\t// hi(a[0]*b[i])\n\tadcs\tx15,x15,x9\n\tumulh\tx9,x5,x3\t\t// hi(a[1]*b[i])\n\tadcs\tx16,x16,x10\n\tumulh\tx10,x6,x3\t\t// hi(a[2]*b[i])\n\tadcs\tx17,x17,x11\n\tumulh\tx11,x7,x3\t\t// hi(a[3]*b[i])\n\tadc\tx19,x19,xzr\n\tadds\tx15,x15,x8\t\t// accumulate high parts of multiplication\n\tlsl\tx8,x14,#32\n\tadcs\tx16,x16,x9\n\tlsr\tx9,x14,#32\n\tadcs\tx17,x17,x10\n\tadcs\tx19,x19,x11\n\tadc\tx20,xzr,xzr\n\t// last reduction\n\tsubs\tx10,x14,x8\t\t// \"*0xffff0001\"\n\tsbc\tx11,x14,x9\n\tadds\tx14,x15,x8\t\t// +=acc[0]<<96 and omit acc[0]\n\tadcs\tx15,x16,x9\n\tadcs\tx16,x17,x10\t\t// +=acc[0]*0xffff0001\n\tadcs\tx17,x19,x11\n\tadc\tx19,x20,xzr\n\n\tadds\tx8,x14,#1\t\t// subs\tx8,x14,#-1 // tmp = ret-modulus\n\tsbcs\tx9,x15,x12\n\tsbcs\tx10,x16,xzr\n\tsbcs\tx11,x17,x13\n\tsbcs\txzr,x19,xzr\t\t// did it borrow?\n\n\tcsel\tx14,x14,x8,lo\t// ret = borrow ? ret : ret-modulus\n\tcsel\tx15,x15,x9,lo\n\tcsel\tx16,x16,x10,lo\n\tstp\tx14,x15,[x0]\n\tcsel\tx17,x17,x11,lo\n\tstp\tx16,x17,[x0,#16]\n\n\tret\n\n\n// note that __ecp_nistz256_sqr_mont expects a[0-3] input pre-loaded\n// to x4-x7\n\n.align\t4\n__ecp_nistz256_sqr_mont:\n\t// | | | | | |a1*a0| |\n\t// | | | | |a2*a0| | |\n\t// | |a3*a2|a3*a0| | | |\n\t// | | | |a2*a1| | | |\n\t// | | |a3*a1| | | | |\n\t// *| | | | | | | | 2|\n\t// +|a3*a3|a2*a2|a1*a1|a0*a0|\n\t// |--+--+--+--+--+--+--+--|\n\t// |A7|A6|A5|A4|A3|A2|A1|A0|, where Ax is , i.e. follow \n\t//\n\t// \"can't overflow\" below mark carrying into high part of\n\t// multiplication result, which can't overflow, because it\n\t// can never be all ones.\n\n\tmul\tx15,x5,x4\t\t// a[1]*a[0]\n\tumulh\tx9,x5,x4\n\tmul\tx16,x6,x4\t\t// a[2]*a[0]\n\tumulh\tx10,x6,x4\n\tmul\tx17,x7,x4\t\t// a[3]*a[0]\n\tumulh\tx19,x7,x4\n\n\tadds\tx16,x16,x9\t\t// accumulate high parts of multiplication\n\tmul\tx8,x6,x5\t\t// a[2]*a[1]\n\tumulh\tx9,x6,x5\n\tadcs\tx17,x17,x10\n\tmul\tx10,x7,x5\t\t// a[3]*a[1]\n\tumulh\tx11,x7,x5\n\tadc\tx19,x19,xzr\t\t// can't overflow\n\n\tmul\tx20,x7,x6\t\t// a[3]*a[2]\n\tumulh\tx1,x7,x6\n\n\tadds\tx9,x9,x10\t\t// accumulate high parts of multiplication\n\tmul\tx14,x4,x4\t\t// a[0]*a[0]\n\tadc\tx10,x11,xzr\t\t// can't overflow\n\n\tadds\tx17,x17,x8\t\t// accumulate low parts of multiplication\n\tumulh\tx4,x4,x4\n\tadcs\tx19,x19,x9\n\tmul\tx9,x5,x5\t\t// a[1]*a[1]\n\tadcs\tx20,x20,x10\n\tumulh\tx5,x5,x5\n\tadc\tx1,x1,xzr\t\t// can't overflow\n\n\tadds\tx15,x15,x15\t// acc[1-6]*=2\n\tmul\tx10,x6,x6\t\t// a[2]*a[2]\n\tadcs\tx16,x16,x16\n\tumulh\tx6,x6,x6\n\tadcs\tx17,x17,x17\n\tmul\tx11,x7,x7\t\t// a[3]*a[3]\n\tadcs\tx19,x19,x19\n\tumulh\tx7,x7,x7\n\tadcs\tx20,x20,x20\n\tadcs\tx1,x1,x1\n\tadc\tx2,xzr,xzr\n\n\tadds\tx15,x15,x4\t\t// +a[i]*a[i]\n\tadcs\tx16,x16,x9\n\tadcs\tx17,x17,x5\n\tadcs\tx19,x19,x10\n\tadcs\tx20,x20,x6\n\tlsl\tx8,x14,#32\n\tadcs\tx1,x1,x11\n\tlsr\tx9,x14,#32\n\tadc\tx2,x2,x7\n\tsubs\tx10,x14,x8\t\t// \"*0xffff0001\"\n\tsbc\tx11,x14,x9\n\tadds\tx14,x15,x8\t\t// +=acc[0]<<96 and omit acc[0]\n\tadcs\tx15,x16,x9\n\tlsl\tx8,x14,#32\n\tadcs\tx16,x17,x10\t\t// +=acc[0]*0xffff0001\n\tlsr\tx9,x14,#32\n\tadc\tx17,x11,xzr\t\t// can't overflow\n\tsubs\tx10,x14,x8\t\t// \"*0xffff0001\"\n\tsbc\tx11,x14,x9\n\tadds\tx14,x15,x8\t\t// +=acc[0]<<96 and omit acc[0]\n\tadcs\tx15,x16,x9\n\tlsl\tx8,x14,#32\n\tadcs\tx16,x17,x10\t\t// +=acc[0]*0xffff0001\n\tlsr\tx9,x14,#32\n\tadc\tx17,x11,xzr\t\t// can't overflow\n\tsubs\tx10,x14,x8\t\t// \"*0xffff0001\"\n\tsbc\tx11,x14,x9\n\tadds\tx14,x15,x8\t\t// +=acc[0]<<96 and omit acc[0]\n\tadcs\tx15,x16,x9\n\tlsl\tx8,x14,#32\n\tadcs\tx16,x17,x10\t\t// +=acc[0]*0xffff0001\n\tlsr\tx9,x14,#32\n\tadc\tx17,x11,xzr\t\t// can't overflow\n\tsubs\tx10,x14,x8\t\t// \"*0xffff0001\"\n\tsbc\tx11,x14,x9\n\tadds\tx14,x15,x8\t\t// +=acc[0]<<96 and omit acc[0]\n\tadcs\tx15,x16,x9\n\tadcs\tx16,x17,x10\t\t// +=acc[0]*0xffff0001\n\tadc\tx17,x11,xzr\t\t// can't overflow\n\n\tadds\tx14,x14,x19\t// accumulate upper half\n\tadcs\tx15,x15,x20\n\tadcs\tx16,x16,x1\n\tadcs\tx17,x17,x2\n\tadc\tx19,xzr,xzr\n\n\tadds\tx8,x14,#1\t\t// subs\tx8,x14,#-1 // tmp = ret-modulus\n\tsbcs\tx9,x15,x12\n\tsbcs\tx10,x16,xzr\n\tsbcs\tx11,x17,x13\n\tsbcs\txzr,x19,xzr\t\t// did it borrow?\n\n\tcsel\tx14,x14,x8,lo\t// ret = borrow ? ret : ret-modulus\n\tcsel\tx15,x15,x9,lo\n\tcsel\tx16,x16,x10,lo\n\tstp\tx14,x15,[x0]\n\tcsel\tx17,x17,x11,lo\n\tstp\tx16,x17,[x0,#16]\n\n\tret\n\n\n// Note that __ecp_nistz256_add_to expects both input vectors pre-loaded to\n// x4-x7 and x8-x11. This is done because it's used in multiple\n// contexts, e.g. in multiplication by 2 and 3...\n\n.align\t4\n__ecp_nistz256_add_to:\n\tadds\tx14,x14,x8\t\t// ret = a+b\n\tadcs\tx15,x15,x9\n\tadcs\tx16,x16,x10\n\tadcs\tx17,x17,x11\n\tadc\tx1,xzr,xzr\t\t// zap x1\n\n\tadds\tx8,x14,#1\t\t// subs\tx8,x4,#-1 // tmp = ret-modulus\n\tsbcs\tx9,x15,x12\n\tsbcs\tx10,x16,xzr\n\tsbcs\tx11,x17,x13\n\tsbcs\txzr,x1,xzr\t\t// did subtraction borrow?\n\n\tcsel\tx14,x14,x8,lo\t// ret = borrow ? ret : ret-modulus\n\tcsel\tx15,x15,x9,lo\n\tcsel\tx16,x16,x10,lo\n\tstp\tx14,x15,[x0]\n\tcsel\tx17,x17,x11,lo\n\tstp\tx16,x17,[x0,#16]\n\n\tret\n\n\n\n.align\t4\n__ecp_nistz256_sub_from:\n\tldp\tx8,x9,[x2]\n\tldp\tx10,x11,[x2,#16]\n\tsubs\tx14,x14,x8\t\t// ret = a-b\n\tsbcs\tx15,x15,x9\n\tsbcs\tx16,x16,x10\n\tsbcs\tx17,x17,x11\n\tsbc\tx1,xzr,xzr\t\t// zap x1\n\n\tsubs\tx8,x14,#1\t\t// adds\tx8,x4,#-1 // tmp = ret+modulus\n\tadcs\tx9,x15,x12\n\tadcs\tx10,x16,xzr\n\tadc\tx11,x17,x13\n\tcmp\tx1,xzr\t\t\t// did subtraction borrow?\n\n\tcsel\tx14,x14,x8,eq\t// ret = borrow ? ret+modulus : ret\n\tcsel\tx15,x15,x9,eq\n\tcsel\tx16,x16,x10,eq\n\tstp\tx14,x15,[x0]\n\tcsel\tx17,x17,x11,eq\n\tstp\tx16,x17,[x0,#16]\n\n\tret\n\n\n\n.align\t4\n__ecp_nistz256_sub_morf:\n\tldp\tx8,x9,[x2]\n\tldp\tx10,x11,[x2,#16]\n\tsubs\tx14,x8,x14\t\t// ret = b-a\n\tsbcs\tx15,x9,x15\n\tsbcs\tx16,x10,x16\n\tsbcs\tx17,x11,x17\n\tsbc\tx1,xzr,xzr\t\t// zap x1\n\n\tsubs\tx8,x14,#1\t\t// adds\tx8,x4,#-1 // tmp = ret+modulus\n\tadcs\tx9,x15,x12\n\tadcs\tx10,x16,xzr\n\tadc\tx11,x17,x13\n\tcmp\tx1,xzr\t\t\t// did subtraction borrow?\n\n\tcsel\tx14,x14,x8,eq\t// ret = borrow ? ret+modulus : ret\n\tcsel\tx15,x15,x9,eq\n\tcsel\tx16,x16,x10,eq\n\tstp\tx14,x15,[x0]\n\tcsel\tx17,x17,x11,eq\n\tstp\tx16,x17,[x0,#16]\n\n\tret\n\n\n\n.align\t4\n__ecp_nistz256_div_by_2:\n\tsubs\tx8,x14,#1\t\t// adds\tx8,x4,#-1 // tmp = a+modulus\n\tadcs\tx9,x15,x12\n\tadcs\tx10,x16,xzr\n\tadcs\tx11,x17,x13\n\tadc\tx1,xzr,xzr\t\t// zap x1\n\ttst\tx14,#1\t\t// is a even?\n\n\tcsel\tx14,x14,x8,eq\t// ret = even ? a : a+modulus\n\tcsel\tx15,x15,x9,eq\n\tcsel\tx16,x16,x10,eq\n\tcsel\tx17,x17,x11,eq\n\tcsel\tx1,xzr,x1,eq\n\n\tlsr\tx14,x14,#1\t\t// ret >>= 1\n\torr\tx14,x14,x15,lsl#63\n\tlsr\tx15,x15,#1\n\torr\tx15,x15,x16,lsl#63\n\tlsr\tx16,x16,#1\n\torr\tx16,x16,x17,lsl#63\n\tlsr\tx17,x17,#1\n\tstp\tx14,x15,[x0]\n\torr\tx17,x17,x1,lsl#63\n\tstp\tx16,x17,[x0,#16]\n\n\tret\n\n.globl\t_ecp_nistz256_point_double\n.private_extern\t_ecp_nistz256_point_double\n\n.align\t5\n_ecp_nistz256_point_double:\n\tAARCH64_SIGN_LINK_REGISTER\n\tstp\tx29,x30,[sp,#-96]!\n\tadd\tx29,sp,#0\n\tstp\tx19,x20,[sp,#16]\n\tstp\tx21,x22,[sp,#32]\n\tsub\tsp,sp,#32*4\n\nLdouble_shortcut:\n\tldp\tx14,x15,[x1,#32]\n\tmov\tx21,x0\n\tldp\tx16,x17,[x1,#48]\n\tmov\tx22,x1\n\tadrp\tx13,Lpoly@PAGE\n\tadd\tx13,x13,Lpoly@PAGEOFF\n\tldr\tx12,[x13,#8]\n\tmov\tx8,x14\n\tldr\tx13,[x13,#24]\n\tmov\tx9,x15\n\tldp\tx4,x5,[x22,#64]\t// forward load for p256_sqr_mont\n\tmov\tx10,x16\n\tmov\tx11,x17\n\tldp\tx6,x7,[x22,#64+16]\n\tadd\tx0,sp,#0\n\tbl\t__ecp_nistz256_add_to\t// p256_mul_by_2(S, in_y);\n\n\tadd\tx0,sp,#64\n\tbl\t__ecp_nistz256_sqr_mont\t// p256_sqr_mont(Zsqr, in_z);\n\n\tldp\tx8,x9,[x22]\n\tldp\tx10,x11,[x22,#16]\n\tmov\tx4,x14\t\t// put Zsqr aside for p256_sub\n\tmov\tx5,x15\n\tmov\tx6,x16\n\tmov\tx7,x17\n\tadd\tx0,sp,#32\n\tbl\t__ecp_nistz256_add_to\t// p256_add(M, Zsqr, in_x);\n\n\tadd\tx2,x22,#0\n\tmov\tx14,x4\t\t// restore Zsqr\n\tmov\tx15,x5\n\tldp\tx4,x5,[sp,#0]\t// forward load for p256_sqr_mont\n\tmov\tx16,x6\n\tmov\tx17,x7\n\tldp\tx6,x7,[sp,#0+16]\n\tadd\tx0,sp,#64\n\tbl\t__ecp_nistz256_sub_morf\t// p256_sub(Zsqr, in_x, Zsqr);\n\n\tadd\tx0,sp,#0\n\tbl\t__ecp_nistz256_sqr_mont\t// p256_sqr_mont(S, S);\n\n\tldr\tx3,[x22,#32]\n\tldp\tx4,x5,[x22,#64]\n\tldp\tx6,x7,[x22,#64+16]\n\tadd\tx2,x22,#32\n\tadd\tx0,sp,#96\n\tbl\t__ecp_nistz256_mul_mont\t// p256_mul_mont(tmp0, in_z, in_y);\n\n\tmov\tx8,x14\n\tmov\tx9,x15\n\tldp\tx4,x5,[sp,#0]\t// forward load for p256_sqr_mont\n\tmov\tx10,x16\n\tmov\tx11,x17\n\tldp\tx6,x7,[sp,#0+16]\n\tadd\tx0,x21,#64\n\tbl\t__ecp_nistz256_add_to\t// p256_mul_by_2(res_z, tmp0);\n\n\tadd\tx0,sp,#96\n\tbl\t__ecp_nistz256_sqr_mont\t// p256_sqr_mont(tmp0, S);\n\n\tldr\tx3,[sp,#64]\t\t// forward load for p256_mul_mont\n\tldp\tx4,x5,[sp,#32]\n\tldp\tx6,x7,[sp,#32+16]\n\tadd\tx0,x21,#32\n\tbl\t__ecp_nistz256_div_by_2\t// p256_div_by_2(res_y, tmp0);\n\n\tadd\tx2,sp,#64\n\tadd\tx0,sp,#32\n\tbl\t__ecp_nistz256_mul_mont\t// p256_mul_mont(M, M, Zsqr);\n\n\tmov\tx8,x14\t\t// duplicate M\n\tmov\tx9,x15\n\tmov\tx10,x16\n\tmov\tx11,x17\n\tmov\tx4,x14\t\t// put M aside\n\tmov\tx5,x15\n\tmov\tx6,x16\n\tmov\tx7,x17\n\tadd\tx0,sp,#32\n\tbl\t__ecp_nistz256_add_to\n\tmov\tx8,x4\t\t\t// restore M\n\tmov\tx9,x5\n\tldr\tx3,[x22]\t\t// forward load for p256_mul_mont\n\tmov\tx10,x6\n\tldp\tx4,x5,[sp,#0]\n\tmov\tx11,x7\n\tldp\tx6,x7,[sp,#0+16]\n\tbl\t__ecp_nistz256_add_to\t// p256_mul_by_3(M, M);\n\n\tadd\tx2,x22,#0\n\tadd\tx0,sp,#0\n\tbl\t__ecp_nistz256_mul_mont\t// p256_mul_mont(S, S, in_x);\n\n\tmov\tx8,x14\n\tmov\tx9,x15\n\tldp\tx4,x5,[sp,#32]\t// forward load for p256_sqr_mont\n\tmov\tx10,x16\n\tmov\tx11,x17\n\tldp\tx6,x7,[sp,#32+16]\n\tadd\tx0,sp,#96\n\tbl\t__ecp_nistz256_add_to\t// p256_mul_by_2(tmp0, S);\n\n\tadd\tx0,x21,#0\n\tbl\t__ecp_nistz256_sqr_mont\t// p256_sqr_mont(res_x, M);\n\n\tadd\tx2,sp,#96\n\tbl\t__ecp_nistz256_sub_from\t// p256_sub(res_x, res_x, tmp0);\n\n\tadd\tx2,sp,#0\n\tadd\tx0,sp,#0\n\tbl\t__ecp_nistz256_sub_morf\t// p256_sub(S, S, res_x);\n\n\tldr\tx3,[sp,#32]\n\tmov\tx4,x14\t\t// copy S\n\tmov\tx5,x15\n\tmov\tx6,x16\n\tmov\tx7,x17\n\tadd\tx2,sp,#32\n\tbl\t__ecp_nistz256_mul_mont\t// p256_mul_mont(S, S, M);\n\n\tadd\tx2,x21,#32\n\tadd\tx0,x21,#32\n\tbl\t__ecp_nistz256_sub_from\t// p256_sub(res_y, S, res_y);\n\n\tadd\tsp,x29,#0\t\t// destroy frame\n\tldp\tx19,x20,[x29,#16]\n\tldp\tx21,x22,[x29,#32]\n\tldp\tx29,x30,[sp],#96\n\tAARCH64_VALIDATE_LINK_REGISTER\n\tret\n\n.globl\t_ecp_nistz256_point_add\n.private_extern\t_ecp_nistz256_point_add\n\n.align\t5\n_ecp_nistz256_point_add:\n\tAARCH64_SIGN_LINK_REGISTER\n\tstp\tx29,x30,[sp,#-96]!\n\tadd\tx29,sp,#0\n\tstp\tx19,x20,[sp,#16]\n\tstp\tx21,x22,[sp,#32]\n\tstp\tx23,x24,[sp,#48]\n\tstp\tx25,x26,[sp,#64]\n\tstp\tx27,x28,[sp,#80]\n\tsub\tsp,sp,#32*12\n\n\tldp\tx4,x5,[x2,#64]\t// in2_z\n\tldp\tx6,x7,[x2,#64+16]\n\tmov\tx21,x0\n\tmov\tx22,x1\n\tmov\tx23,x2\n\tadrp\tx13,Lpoly@PAGE\n\tadd\tx13,x13,Lpoly@PAGEOFF\n\tldr\tx12,[x13,#8]\n\tldr\tx13,[x13,#24]\n\torr\tx8,x4,x5\n\torr\tx10,x6,x7\n\torr\tx25,x8,x10\n\tcmp\tx25,#0\n\tcsetm\tx25,ne\t\t// ~in2infty\n\tadd\tx0,sp,#192\n\tbl\t__ecp_nistz256_sqr_mont\t// p256_sqr_mont(Z2sqr, in2_z);\n\n\tldp\tx4,x5,[x22,#64]\t// in1_z\n\tldp\tx6,x7,[x22,#64+16]\n\torr\tx8,x4,x5\n\torr\tx10,x6,x7\n\torr\tx24,x8,x10\n\tcmp\tx24,#0\n\tcsetm\tx24,ne\t\t// ~in1infty\n\tadd\tx0,sp,#128\n\tbl\t__ecp_nistz256_sqr_mont\t// p256_sqr_mont(Z1sqr, in1_z);\n\n\tldr\tx3,[x23,#64]\n\tldp\tx4,x5,[sp,#192]\n\tldp\tx6,x7,[sp,#192+16]\n\tadd\tx2,x23,#64\n\tadd\tx0,sp,#320\n\tbl\t__ecp_nistz256_mul_mont\t// p256_mul_mont(S1, Z2sqr, in2_z);\n\n\tldr\tx3,[x22,#64]\n\tldp\tx4,x5,[sp,#128]\n\tldp\tx6,x7,[sp,#128+16]\n\tadd\tx2,x22,#64\n\tadd\tx0,sp,#352\n\tbl\t__ecp_nistz256_mul_mont\t// p256_mul_mont(S2, Z1sqr, in1_z);\n\n\tldr\tx3,[x22,#32]\n\tldp\tx4,x5,[sp,#320]\n\tldp\tx6,x7,[sp,#320+16]\n\tadd\tx2,x22,#32\n\tadd\tx0,sp,#320\n\tbl\t__ecp_nistz256_mul_mont\t// p256_mul_mont(S1, S1, in1_y);\n\n\tldr\tx3,[x23,#32]\n\tldp\tx4,x5,[sp,#352]\n\tldp\tx6,x7,[sp,#352+16]\n\tadd\tx2,x23,#32\n\tadd\tx0,sp,#352\n\tbl\t__ecp_nistz256_mul_mont\t// p256_mul_mont(S2, S2, in2_y);\n\n\tadd\tx2,sp,#320\n\tldr\tx3,[sp,#192]\t// forward load for p256_mul_mont\n\tldp\tx4,x5,[x22]\n\tldp\tx6,x7,[x22,#16]\n\tadd\tx0,sp,#160\n\tbl\t__ecp_nistz256_sub_from\t// p256_sub(R, S2, S1);\n\n\torr\tx14,x14,x15\t// see if result is zero\n\torr\tx16,x16,x17\n\torr\tx26,x14,x16\t// ~is_equal(S1,S2)\n\n\tadd\tx2,sp,#192\n\tadd\tx0,sp,#256\n\tbl\t__ecp_nistz256_mul_mont\t// p256_mul_mont(U1, in1_x, Z2sqr);\n\n\tldr\tx3,[sp,#128]\n\tldp\tx4,x5,[x23]\n\tldp\tx6,x7,[x23,#16]\n\tadd\tx2,sp,#128\n\tadd\tx0,sp,#288\n\tbl\t__ecp_nistz256_mul_mont\t// p256_mul_mont(U2, in2_x, Z1sqr);\n\n\tadd\tx2,sp,#256\n\tldp\tx4,x5,[sp,#160]\t// forward load for p256_sqr_mont\n\tldp\tx6,x7,[sp,#160+16]\n\tadd\tx0,sp,#96\n\tbl\t__ecp_nistz256_sub_from\t// p256_sub(H, U2, U1);\n\n\torr\tx14,x14,x15\t// see if result is zero\n\torr\tx16,x16,x17\n\torr\tx14,x14,x16\t// ~is_equal(U1,U2)\n\n\tmvn\tx27,x24\t// -1/0 -> 0/-1\n\tmvn\tx28,x25\t// -1/0 -> 0/-1\n\torr\tx14,x14,x27\n\torr\tx14,x14,x28\n\torr\tx14,x14,x26\n\tcbnz\tx14,Ladd_proceed\t// if(~is_equal(U1,U2) | in1infty | in2infty | ~is_equal(S1,S2))\n\nLadd_double:\n\tmov\tx1,x22\n\tmov\tx0,x21\n\tldp\tx23,x24,[x29,#48]\n\tldp\tx25,x26,[x29,#64]\n\tldp\tx27,x28,[x29,#80]\n\tadd\tsp,sp,#256\t// #256 is from #32*(12-4). difference in stack frames\n\tb\tLdouble_shortcut\n\n.align\t4\nLadd_proceed:\n\tadd\tx0,sp,#192\n\tbl\t__ecp_nistz256_sqr_mont\t// p256_sqr_mont(Rsqr, R);\n\n\tldr\tx3,[x22,#64]\n\tldp\tx4,x5,[sp,#96]\n\tldp\tx6,x7,[sp,#96+16]\n\tadd\tx2,x22,#64\n\tadd\tx0,sp,#64\n\tbl\t__ecp_nistz256_mul_mont\t// p256_mul_mont(res_z, H, in1_z);\n\n\tldp\tx4,x5,[sp,#96]\n\tldp\tx6,x7,[sp,#96+16]\n\tadd\tx0,sp,#128\n\tbl\t__ecp_nistz256_sqr_mont\t// p256_sqr_mont(Hsqr, H);\n\n\tldr\tx3,[x23,#64]\n\tldp\tx4,x5,[sp,#64]\n\tldp\tx6,x7,[sp,#64+16]\n\tadd\tx2,x23,#64\n\tadd\tx0,sp,#64\n\tbl\t__ecp_nistz256_mul_mont\t// p256_mul_mont(res_z, res_z, in2_z);\n\n\tldr\tx3,[sp,#96]\n\tldp\tx4,x5,[sp,#128]\n\tldp\tx6,x7,[sp,#128+16]\n\tadd\tx2,sp,#96\n\tadd\tx0,sp,#224\n\tbl\t__ecp_nistz256_mul_mont\t// p256_mul_mont(Hcub, Hsqr, H);\n\n\tldr\tx3,[sp,#128]\n\tldp\tx4,x5,[sp,#256]\n\tldp\tx6,x7,[sp,#256+16]\n\tadd\tx2,sp,#128\n\tadd\tx0,sp,#288\n\tbl\t__ecp_nistz256_mul_mont\t// p256_mul_mont(U2, U1, Hsqr);\n\n\tmov\tx8,x14\n\tmov\tx9,x15\n\tmov\tx10,x16\n\tmov\tx11,x17\n\tadd\tx0,sp,#128\n\tbl\t__ecp_nistz256_add_to\t// p256_mul_by_2(Hsqr, U2);\n\n\tadd\tx2,sp,#192\n\tadd\tx0,sp,#0\n\tbl\t__ecp_nistz256_sub_morf\t// p256_sub(res_x, Rsqr, Hsqr);\n\n\tadd\tx2,sp,#224\n\tbl\t__ecp_nistz256_sub_from\t// p256_sub(res_x, res_x, Hcub);\n\n\tadd\tx2,sp,#288\n\tldr\tx3,[sp,#224]\t\t// forward load for p256_mul_mont\n\tldp\tx4,x5,[sp,#320]\n\tldp\tx6,x7,[sp,#320+16]\n\tadd\tx0,sp,#32\n\tbl\t__ecp_nistz256_sub_morf\t// p256_sub(res_y, U2, res_x);\n\n\tadd\tx2,sp,#224\n\tadd\tx0,sp,#352\n\tbl\t__ecp_nistz256_mul_mont\t// p256_mul_mont(S2, S1, Hcub);\n\n\tldr\tx3,[sp,#160]\n\tldp\tx4,x5,[sp,#32]\n\tldp\tx6,x7,[sp,#32+16]\n\tadd\tx2,sp,#160\n\tadd\tx0,sp,#32\n\tbl\t__ecp_nistz256_mul_mont\t// p256_mul_mont(res_y, res_y, R);\n\n\tadd\tx2,sp,#352\n\tbl\t__ecp_nistz256_sub_from\t// p256_sub(res_y, res_y, S2);\n\n\tldp\tx4,x5,[sp,#0]\t\t// res\n\tldp\tx6,x7,[sp,#0+16]\n\tldp\tx8,x9,[x23]\t\t// in2\n\tldp\tx10,x11,[x23,#16]\n\tldp\tx14,x15,[x22,#0]\t// in1\n\tcmp\tx24,#0\t\t\t// ~, remember?\n\tldp\tx16,x17,[x22,#0+16]\n\tcsel\tx8,x4,x8,ne\n\tcsel\tx9,x5,x9,ne\n\tldp\tx4,x5,[sp,#0+0+32]\t// res\n\tcsel\tx10,x6,x10,ne\n\tcsel\tx11,x7,x11,ne\n\tcmp\tx25,#0\t\t\t// ~, remember?\n\tldp\tx6,x7,[sp,#0+0+48]\n\tcsel\tx14,x8,x14,ne\n\tcsel\tx15,x9,x15,ne\n\tldp\tx8,x9,[x23,#0+32]\t// in2\n\tcsel\tx16,x10,x16,ne\n\tcsel\tx17,x11,x17,ne\n\tldp\tx10,x11,[x23,#0+48]\n\tstp\tx14,x15,[x21,#0]\n\tstp\tx16,x17,[x21,#0+16]\n\tldp\tx14,x15,[x22,#32]\t// in1\n\tcmp\tx24,#0\t\t\t// ~, remember?\n\tldp\tx16,x17,[x22,#32+16]\n\tcsel\tx8,x4,x8,ne\n\tcsel\tx9,x5,x9,ne\n\tldp\tx4,x5,[sp,#0+32+32]\t// res\n\tcsel\tx10,x6,x10,ne\n\tcsel\tx11,x7,x11,ne\n\tcmp\tx25,#0\t\t\t// ~, remember?\n\tldp\tx6,x7,[sp,#0+32+48]\n\tcsel\tx14,x8,x14,ne\n\tcsel\tx15,x9,x15,ne\n\tldp\tx8,x9,[x23,#32+32]\t// in2\n\tcsel\tx16,x10,x16,ne\n\tcsel\tx17,x11,x17,ne\n\tldp\tx10,x11,[x23,#32+48]\n\tstp\tx14,x15,[x21,#32]\n\tstp\tx16,x17,[x21,#32+16]\n\tldp\tx14,x15,[x22,#64]\t// in1\n\tcmp\tx24,#0\t\t\t// ~, remember?\n\tldp\tx16,x17,[x22,#64+16]\n\tcsel\tx8,x4,x8,ne\n\tcsel\tx9,x5,x9,ne\n\tcsel\tx10,x6,x10,ne\n\tcsel\tx11,x7,x11,ne\n\tcmp\tx25,#0\t\t\t// ~, remember?\n\tcsel\tx14,x8,x14,ne\n\tcsel\tx15,x9,x15,ne\n\tcsel\tx16,x10,x16,ne\n\tcsel\tx17,x11,x17,ne\n\tstp\tx14,x15,[x21,#64]\n\tstp\tx16,x17,[x21,#64+16]\n\nLadd_done:\n\tadd\tsp,x29,#0\t\t// destroy frame\n\tldp\tx19,x20,[x29,#16]\n\tldp\tx21,x22,[x29,#32]\n\tldp\tx23,x24,[x29,#48]\n\tldp\tx25,x26,[x29,#64]\n\tldp\tx27,x28,[x29,#80]\n\tldp\tx29,x30,[sp],#96\n\tAARCH64_VALIDATE_LINK_REGISTER\n\tret\n\n.globl\t_ecp_nistz256_point_add_affine\n.private_extern\t_ecp_nistz256_point_add_affine\n\n.align\t5\n_ecp_nistz256_point_add_affine:\n\tAARCH64_SIGN_LINK_REGISTER\n\tstp\tx29,x30,[sp,#-80]!\n\tadd\tx29,sp,#0\n\tstp\tx19,x20,[sp,#16]\n\tstp\tx21,x22,[sp,#32]\n\tstp\tx23,x24,[sp,#48]\n\tstp\tx25,x26,[sp,#64]\n\tsub\tsp,sp,#32*10\n\n\tmov\tx21,x0\n\tmov\tx22,x1\n\tmov\tx23,x2\n\tadrp\tx13,Lpoly@PAGE\n\tadd\tx13,x13,Lpoly@PAGEOFF\n\tldr\tx12,[x13,#8]\n\tldr\tx13,[x13,#24]\n\n\tldp\tx4,x5,[x1,#64]\t// in1_z\n\tldp\tx6,x7,[x1,#64+16]\n\torr\tx8,x4,x5\n\torr\tx10,x6,x7\n\torr\tx24,x8,x10\n\tcmp\tx24,#0\n\tcsetm\tx24,ne\t\t// ~in1infty\n\n\tldp\tx14,x15,[x2]\t// in2_x\n\tldp\tx16,x17,[x2,#16]\n\tldp\tx8,x9,[x2,#32]\t// in2_y\n\tldp\tx10,x11,[x2,#48]\n\torr\tx14,x14,x15\n\torr\tx16,x16,x17\n\torr\tx8,x8,x9\n\torr\tx10,x10,x11\n\torr\tx14,x14,x16\n\torr\tx8,x8,x10\n\torr\tx25,x14,x8\n\tcmp\tx25,#0\n\tcsetm\tx25,ne\t\t// ~in2infty\n\n\tadd\tx0,sp,#128\n\tbl\t__ecp_nistz256_sqr_mont\t// p256_sqr_mont(Z1sqr, in1_z);\n\n\tmov\tx4,x14\n\tmov\tx5,x15\n\tmov\tx6,x16\n\tmov\tx7,x17\n\tldr\tx3,[x23]\n\tadd\tx2,x23,#0\n\tadd\tx0,sp,#96\n\tbl\t__ecp_nistz256_mul_mont\t// p256_mul_mont(U2, Z1sqr, in2_x);\n\n\tadd\tx2,x22,#0\n\tldr\tx3,[x22,#64]\t// forward load for p256_mul_mont\n\tldp\tx4,x5,[sp,#128]\n\tldp\tx6,x7,[sp,#128+16]\n\tadd\tx0,sp,#160\n\tbl\t__ecp_nistz256_sub_from\t// p256_sub(H, U2, in1_x);\n\n\tadd\tx2,x22,#64\n\tadd\tx0,sp,#128\n\tbl\t__ecp_nistz256_mul_mont\t// p256_mul_mont(S2, Z1sqr, in1_z);\n\n\tldr\tx3,[x22,#64]\n\tldp\tx4,x5,[sp,#160]\n\tldp\tx6,x7,[sp,#160+16]\n\tadd\tx2,x22,#64\n\tadd\tx0,sp,#64\n\tbl\t__ecp_nistz256_mul_mont\t// p256_mul_mont(res_z, H, in1_z);\n\n\tldr\tx3,[x23,#32]\n\tldp\tx4,x5,[sp,#128]\n\tldp\tx6,x7,[sp,#128+16]\n\tadd\tx2,x23,#32\n\tadd\tx0,sp,#128\n\tbl\t__ecp_nistz256_mul_mont\t// p256_mul_mont(S2, S2, in2_y);\n\n\tadd\tx2,x22,#32\n\tldp\tx4,x5,[sp,#160]\t// forward load for p256_sqr_mont\n\tldp\tx6,x7,[sp,#160+16]\n\tadd\tx0,sp,#192\n\tbl\t__ecp_nistz256_sub_from\t// p256_sub(R, S2, in1_y);\n\n\tadd\tx0,sp,#224\n\tbl\t__ecp_nistz256_sqr_mont\t// p256_sqr_mont(Hsqr, H);\n\n\tldp\tx4,x5,[sp,#192]\n\tldp\tx6,x7,[sp,#192+16]\n\tadd\tx0,sp,#288\n\tbl\t__ecp_nistz256_sqr_mont\t// p256_sqr_mont(Rsqr, R);\n\n\tldr\tx3,[sp,#160]\n\tldp\tx4,x5,[sp,#224]\n\tldp\tx6,x7,[sp,#224+16]\n\tadd\tx2,sp,#160\n\tadd\tx0,sp,#256\n\tbl\t__ecp_nistz256_mul_mont\t// p256_mul_mont(Hcub, Hsqr, H);\n\n\tldr\tx3,[x22]\n\tldp\tx4,x5,[sp,#224]\n\tldp\tx6,x7,[sp,#224+16]\n\tadd\tx2,x22,#0\n\tadd\tx0,sp,#96\n\tbl\t__ecp_nistz256_mul_mont\t// p256_mul_mont(U2, in1_x, Hsqr);\n\n\tmov\tx8,x14\n\tmov\tx9,x15\n\tmov\tx10,x16\n\tmov\tx11,x17\n\tadd\tx0,sp,#224\n\tbl\t__ecp_nistz256_add_to\t// p256_mul_by_2(Hsqr, U2);\n\n\tadd\tx2,sp,#288\n\tadd\tx0,sp,#0\n\tbl\t__ecp_nistz256_sub_morf\t// p256_sub(res_x, Rsqr, Hsqr);\n\n\tadd\tx2,sp,#256\n\tbl\t__ecp_nistz256_sub_from\t// p256_sub(res_x, res_x, Hcub);\n\n\tadd\tx2,sp,#96\n\tldr\tx3,[x22,#32]\t// forward load for p256_mul_mont\n\tldp\tx4,x5,[sp,#256]\n\tldp\tx6,x7,[sp,#256+16]\n\tadd\tx0,sp,#32\n\tbl\t__ecp_nistz256_sub_morf\t// p256_sub(res_y, U2, res_x);\n\n\tadd\tx2,x22,#32\n\tadd\tx0,sp,#128\n\tbl\t__ecp_nistz256_mul_mont\t// p256_mul_mont(S2, in1_y, Hcub);\n\n\tldr\tx3,[sp,#192]\n\tldp\tx4,x5,[sp,#32]\n\tldp\tx6,x7,[sp,#32+16]\n\tadd\tx2,sp,#192\n\tadd\tx0,sp,#32\n\tbl\t__ecp_nistz256_mul_mont\t// p256_mul_mont(res_y, res_y, R);\n\n\tadd\tx2,sp,#128\n\tbl\t__ecp_nistz256_sub_from\t// p256_sub(res_y, res_y, S2);\n\n\tldp\tx4,x5,[sp,#0]\t\t// res\n\tldp\tx6,x7,[sp,#0+16]\n\tldp\tx8,x9,[x23]\t\t// in2\n\tldp\tx10,x11,[x23,#16]\n\tldp\tx14,x15,[x22,#0]\t// in1\n\tcmp\tx24,#0\t\t\t// ~, remember?\n\tldp\tx16,x17,[x22,#0+16]\n\tcsel\tx8,x4,x8,ne\n\tcsel\tx9,x5,x9,ne\n\tldp\tx4,x5,[sp,#0+0+32]\t// res\n\tcsel\tx10,x6,x10,ne\n\tcsel\tx11,x7,x11,ne\n\tcmp\tx25,#0\t\t\t// ~, remember?\n\tldp\tx6,x7,[sp,#0+0+48]\n\tcsel\tx14,x8,x14,ne\n\tcsel\tx15,x9,x15,ne\n\tldp\tx8,x9,[x23,#0+32]\t// in2\n\tcsel\tx16,x10,x16,ne\n\tcsel\tx17,x11,x17,ne\n\tldp\tx10,x11,[x23,#0+48]\n\tstp\tx14,x15,[x21,#0]\n\tstp\tx16,x17,[x21,#0+16]\n\tadrp\tx23,Lone_mont@PAGE-64\n\tadd\tx23,x23,Lone_mont@PAGEOFF-64\n\tldp\tx14,x15,[x22,#32]\t// in1\n\tcmp\tx24,#0\t\t\t// ~, remember?\n\tldp\tx16,x17,[x22,#32+16]\n\tcsel\tx8,x4,x8,ne\n\tcsel\tx9,x5,x9,ne\n\tldp\tx4,x5,[sp,#0+32+32]\t// res\n\tcsel\tx10,x6,x10,ne\n\tcsel\tx11,x7,x11,ne\n\tcmp\tx25,#0\t\t\t// ~, remember?\n\tldp\tx6,x7,[sp,#0+32+48]\n\tcsel\tx14,x8,x14,ne\n\tcsel\tx15,x9,x15,ne\n\tldp\tx8,x9,[x23,#32+32]\t// in2\n\tcsel\tx16,x10,x16,ne\n\tcsel\tx17,x11,x17,ne\n\tldp\tx10,x11,[x23,#32+48]\n\tstp\tx14,x15,[x21,#32]\n\tstp\tx16,x17,[x21,#32+16]\n\tldp\tx14,x15,[x22,#64]\t// in1\n\tcmp\tx24,#0\t\t\t// ~, remember?\n\tldp\tx16,x17,[x22,#64+16]\n\tcsel\tx8,x4,x8,ne\n\tcsel\tx9,x5,x9,ne\n\tcsel\tx10,x6,x10,ne\n\tcsel\tx11,x7,x11,ne\n\tcmp\tx25,#0\t\t\t// ~, remember?\n\tcsel\tx14,x8,x14,ne\n\tcsel\tx15,x9,x15,ne\n\tcsel\tx16,x10,x16,ne\n\tcsel\tx17,x11,x17,ne\n\tstp\tx14,x15,[x21,#64]\n\tstp\tx16,x17,[x21,#64+16]\n\n\tadd\tsp,x29,#0\t\t// destroy frame\n\tldp\tx19,x20,[x29,#16]\n\tldp\tx21,x22,[x29,#32]\n\tldp\tx23,x24,[x29,#48]\n\tldp\tx25,x26,[x29,#64]\n\tldp\tx29,x30,[sp],#80\n\tAARCH64_VALIDATE_LINK_REGISTER\n\tret\n\n////////////////////////////////////////////////////////////////////////\n// void ecp_nistz256_ord_mul_mont(uint64_t res[4], uint64_t a[4],\n// uint64_t b[4]);\n.globl\t_ecp_nistz256_ord_mul_mont\n.private_extern\t_ecp_nistz256_ord_mul_mont\n\n.align\t4\n_ecp_nistz256_ord_mul_mont:\n\tAARCH64_VALID_CALL_TARGET\n\t// Armv8.3-A PAuth: even though x30 is pushed to stack it is not popped later.\n\tstp\tx29,x30,[sp,#-64]!\n\tadd\tx29,sp,#0\n\tstp\tx19,x20,[sp,#16]\n\tstp\tx21,x22,[sp,#32]\n\tstp\tx23,x24,[sp,#48]\n\n\tadrp\tx23,Lord@PAGE\n\tadd\tx23,x23,Lord@PAGEOFF\n\tldr\tx3,[x2]\t\t// bp[0]\n\tldp\tx4,x5,[x1]\n\tldp\tx6,x7,[x1,#16]\n\n\tldp\tx12,x13,[x23,#0]\n\tldp\tx21,x22,[x23,#16]\n\tldr\tx23,[x23,#32]\n\n\tmul\tx14,x4,x3\t\t// a[0]*b[0]\n\tumulh\tx8,x4,x3\n\n\tmul\tx15,x5,x3\t\t// a[1]*b[0]\n\tumulh\tx9,x5,x3\n\n\tmul\tx16,x6,x3\t\t// a[2]*b[0]\n\tumulh\tx10,x6,x3\n\n\tmul\tx17,x7,x3\t\t// a[3]*b[0]\n\tumulh\tx19,x7,x3\n\n\tmul\tx24,x14,x23\n\n\tadds\tx15,x15,x8\t\t// accumulate high parts of multiplication\n\tadcs\tx16,x16,x9\n\tadcs\tx17,x17,x10\n\tadc\tx19,x19,xzr\n\tmov\tx20,xzr\n\tldr\tx3,[x2,#8*1]\t\t// b[i]\n\n\tlsl\tx8,x24,#32\n\tsubs\tx16,x16,x24\n\tlsr\tx9,x24,#32\n\tsbcs\tx17,x17,x8\n\tsbcs\tx19,x19,x9\n\tsbc\tx20,x20,xzr\n\n\tsubs\txzr,x14,#1\n\tumulh\tx9,x12,x24\n\tmul\tx10,x13,x24\n\tumulh\tx11,x13,x24\n\n\tadcs\tx10,x10,x9\n\tmul\tx8,x4,x3\n\tadc\tx11,x11,xzr\n\tmul\tx9,x5,x3\n\n\tadds\tx14,x15,x10\n\tmul\tx10,x6,x3\n\tadcs\tx15,x16,x11\n\tmul\tx11,x7,x3\n\tadcs\tx16,x17,x24\n\tadcs\tx17,x19,x24\n\tadc\tx19,x20,xzr\n\n\tadds\tx14,x14,x8\t\t// accumulate low parts\n\tumulh\tx8,x4,x3\n\tadcs\tx15,x15,x9\n\tumulh\tx9,x5,x3\n\tadcs\tx16,x16,x10\n\tumulh\tx10,x6,x3\n\tadcs\tx17,x17,x11\n\tumulh\tx11,x7,x3\n\tadc\tx19,x19,xzr\n\tmul\tx24,x14,x23\n\tadds\tx15,x15,x8\t\t// accumulate high parts\n\tadcs\tx16,x16,x9\n\tadcs\tx17,x17,x10\n\tadcs\tx19,x19,x11\n\tadc\tx20,xzr,xzr\n\tldr\tx3,[x2,#8*2]\t\t// b[i]\n\n\tlsl\tx8,x24,#32\n\tsubs\tx16,x16,x24\n\tlsr\tx9,x24,#32\n\tsbcs\tx17,x17,x8\n\tsbcs\tx19,x19,x9\n\tsbc\tx20,x20,xzr\n\n\tsubs\txzr,x14,#1\n\tumulh\tx9,x12,x24\n\tmul\tx10,x13,x24\n\tumulh\tx11,x13,x24\n\n\tadcs\tx10,x10,x9\n\tmul\tx8,x4,x3\n\tadc\tx11,x11,xzr\n\tmul\tx9,x5,x3\n\n\tadds\tx14,x15,x10\n\tmul\tx10,x6,x3\n\tadcs\tx15,x16,x11\n\tmul\tx11,x7,x3\n\tadcs\tx16,x17,x24\n\tadcs\tx17,x19,x24\n\tadc\tx19,x20,xzr\n\n\tadds\tx14,x14,x8\t\t// accumulate low parts\n\tumulh\tx8,x4,x3\n\tadcs\tx15,x15,x9\n\tumulh\tx9,x5,x3\n\tadcs\tx16,x16,x10\n\tumulh\tx10,x6,x3\n\tadcs\tx17,x17,x11\n\tumulh\tx11,x7,x3\n\tadc\tx19,x19,xzr\n\tmul\tx24,x14,x23\n\tadds\tx15,x15,x8\t\t// accumulate high parts\n\tadcs\tx16,x16,x9\n\tadcs\tx17,x17,x10\n\tadcs\tx19,x19,x11\n\tadc\tx20,xzr,xzr\n\tldr\tx3,[x2,#8*3]\t\t// b[i]\n\n\tlsl\tx8,x24,#32\n\tsubs\tx16,x16,x24\n\tlsr\tx9,x24,#32\n\tsbcs\tx17,x17,x8\n\tsbcs\tx19,x19,x9\n\tsbc\tx20,x20,xzr\n\n\tsubs\txzr,x14,#1\n\tumulh\tx9,x12,x24\n\tmul\tx10,x13,x24\n\tumulh\tx11,x13,x24\n\n\tadcs\tx10,x10,x9\n\tmul\tx8,x4,x3\n\tadc\tx11,x11,xzr\n\tmul\tx9,x5,x3\n\n\tadds\tx14,x15,x10\n\tmul\tx10,x6,x3\n\tadcs\tx15,x16,x11\n\tmul\tx11,x7,x3\n\tadcs\tx16,x17,x24\n\tadcs\tx17,x19,x24\n\tadc\tx19,x20,xzr\n\n\tadds\tx14,x14,x8\t\t// accumulate low parts\n\tumulh\tx8,x4,x3\n\tadcs\tx15,x15,x9\n\tumulh\tx9,x5,x3\n\tadcs\tx16,x16,x10\n\tumulh\tx10,x6,x3\n\tadcs\tx17,x17,x11\n\tumulh\tx11,x7,x3\n\tadc\tx19,x19,xzr\n\tmul\tx24,x14,x23\n\tadds\tx15,x15,x8\t\t// accumulate high parts\n\tadcs\tx16,x16,x9\n\tadcs\tx17,x17,x10\n\tadcs\tx19,x19,x11\n\tadc\tx20,xzr,xzr\n\tlsl\tx8,x24,#32\t\t// last reduction\n\tsubs\tx16,x16,x24\n\tlsr\tx9,x24,#32\n\tsbcs\tx17,x17,x8\n\tsbcs\tx19,x19,x9\n\tsbc\tx20,x20,xzr\n\n\tsubs\txzr,x14,#1\n\tumulh\tx9,x12,x24\n\tmul\tx10,x13,x24\n\tumulh\tx11,x13,x24\n\n\tadcs\tx10,x10,x9\n\tadc\tx11,x11,xzr\n\n\tadds\tx14,x15,x10\n\tadcs\tx15,x16,x11\n\tadcs\tx16,x17,x24\n\tadcs\tx17,x19,x24\n\tadc\tx19,x20,xzr\n\n\tsubs\tx8,x14,x12\t\t// ret -= modulus\n\tsbcs\tx9,x15,x13\n\tsbcs\tx10,x16,x21\n\tsbcs\tx11,x17,x22\n\tsbcs\txzr,x19,xzr\n\n\tcsel\tx14,x14,x8,lo\t// ret = borrow ? ret : ret-modulus\n\tcsel\tx15,x15,x9,lo\n\tcsel\tx16,x16,x10,lo\n\tstp\tx14,x15,[x0]\n\tcsel\tx17,x17,x11,lo\n\tstp\tx16,x17,[x0,#16]\n\n\tldp\tx19,x20,[sp,#16]\n\tldp\tx21,x22,[sp,#32]\n\tldp\tx23,x24,[sp,#48]\n\tldr\tx29,[sp],#64\n\tret\n\n\n////////////////////////////////////////////////////////////////////////\n// void ecp_nistz256_ord_sqr_mont(uint64_t res[4], uint64_t a[4],\n// uint64_t rep);\n.globl\t_ecp_nistz256_ord_sqr_mont\n.private_extern\t_ecp_nistz256_ord_sqr_mont\n\n.align\t4\n_ecp_nistz256_ord_sqr_mont:\n\tAARCH64_VALID_CALL_TARGET\n\t// Armv8.3-A PAuth: even though x30 is pushed to stack it is not popped later.\n\tstp\tx29,x30,[sp,#-64]!\n\tadd\tx29,sp,#0\n\tstp\tx19,x20,[sp,#16]\n\tstp\tx21,x22,[sp,#32]\n\tstp\tx23,x24,[sp,#48]\n\n\tadrp\tx23,Lord@PAGE\n\tadd\tx23,x23,Lord@PAGEOFF\n\tldp\tx4,x5,[x1]\n\tldp\tx6,x7,[x1,#16]\n\n\tldp\tx12,x13,[x23,#0]\n\tldp\tx21,x22,[x23,#16]\n\tldr\tx23,[x23,#32]\n\tb\tLoop_ord_sqr\n\n.align\t4\nLoop_ord_sqr:\n\tsub\tx2,x2,#1\n\t////////////////////////////////////////////////////////////////\n\t// | | | | | |a1*a0| |\n\t// | | | | |a2*a0| | |\n\t// | |a3*a2|a3*a0| | | |\n\t// | | | |a2*a1| | | |\n\t// | | |a3*a1| | | | |\n\t// *| | | | | | | | 2|\n\t// +|a3*a3|a2*a2|a1*a1|a0*a0|\n\t// |--+--+--+--+--+--+--+--|\n\t// |A7|A6|A5|A4|A3|A2|A1|A0|, where Ax is , i.e. follow \n\t//\n\t// \"can't overflow\" below mark carrying into high part of\n\t// multiplication result, which can't overflow, because it\n\t// can never be all ones.\n\n\tmul\tx15,x5,x4\t\t// a[1]*a[0]\n\tumulh\tx9,x5,x4\n\tmul\tx16,x6,x4\t\t// a[2]*a[0]\n\tumulh\tx10,x6,x4\n\tmul\tx17,x7,x4\t\t// a[3]*a[0]\n\tumulh\tx19,x7,x4\n\n\tadds\tx16,x16,x9\t\t// accumulate high parts of multiplication\n\tmul\tx8,x6,x5\t\t// a[2]*a[1]\n\tumulh\tx9,x6,x5\n\tadcs\tx17,x17,x10\n\tmul\tx10,x7,x5\t\t// a[3]*a[1]\n\tumulh\tx11,x7,x5\n\tadc\tx19,x19,xzr\t\t// can't overflow\n\n\tmul\tx20,x7,x6\t\t// a[3]*a[2]\n\tumulh\tx1,x7,x6\n\n\tadds\tx9,x9,x10\t\t// accumulate high parts of multiplication\n\tmul\tx14,x4,x4\t\t// a[0]*a[0]\n\tadc\tx10,x11,xzr\t\t// can't overflow\n\n\tadds\tx17,x17,x8\t\t// accumulate low parts of multiplication\n\tumulh\tx4,x4,x4\n\tadcs\tx19,x19,x9\n\tmul\tx9,x5,x5\t\t// a[1]*a[1]\n\tadcs\tx20,x20,x10\n\tumulh\tx5,x5,x5\n\tadc\tx1,x1,xzr\t\t// can't overflow\n\n\tadds\tx15,x15,x15\t// acc[1-6]*=2\n\tmul\tx10,x6,x6\t\t// a[2]*a[2]\n\tadcs\tx16,x16,x16\n\tumulh\tx6,x6,x6\n\tadcs\tx17,x17,x17\n\tmul\tx11,x7,x7\t\t// a[3]*a[3]\n\tadcs\tx19,x19,x19\n\tumulh\tx7,x7,x7\n\tadcs\tx20,x20,x20\n\tadcs\tx1,x1,x1\n\tadc\tx3,xzr,xzr\n\n\tadds\tx15,x15,x4\t\t// +a[i]*a[i]\n\tmul\tx24,x14,x23\n\tadcs\tx16,x16,x9\n\tadcs\tx17,x17,x5\n\tadcs\tx19,x19,x10\n\tadcs\tx20,x20,x6\n\tadcs\tx1,x1,x11\n\tadc\tx3,x3,x7\n\tsubs\txzr,x14,#1\n\tumulh\tx9,x12,x24\n\tmul\tx10,x13,x24\n\tumulh\tx11,x13,x24\n\n\tadcs\tx10,x10,x9\n\tadc\tx11,x11,xzr\n\n\tadds\tx14,x15,x10\n\tadcs\tx15,x16,x11\n\tadcs\tx16,x17,x24\n\tadc\tx17,xzr,x24\t\t// can't overflow\n\tmul\tx11,x14,x23\n\tlsl\tx8,x24,#32\n\tsubs\tx15,x15,x24\n\tlsr\tx9,x24,#32\n\tsbcs\tx16,x16,x8\n\tsbc\tx17,x17,x9\t\t// can't borrow\n\tsubs\txzr,x14,#1\n\tumulh\tx9,x12,x11\n\tmul\tx10,x13,x11\n\tumulh\tx24,x13,x11\n\n\tadcs\tx10,x10,x9\n\tadc\tx24,x24,xzr\n\n\tadds\tx14,x15,x10\n\tadcs\tx15,x16,x24\n\tadcs\tx16,x17,x11\n\tadc\tx17,xzr,x11\t\t// can't overflow\n\tmul\tx24,x14,x23\n\tlsl\tx8,x11,#32\n\tsubs\tx15,x15,x11\n\tlsr\tx9,x11,#32\n\tsbcs\tx16,x16,x8\n\tsbc\tx17,x17,x9\t\t// can't borrow\n\tsubs\txzr,x14,#1\n\tumulh\tx9,x12,x24\n\tmul\tx10,x13,x24\n\tumulh\tx11,x13,x24\n\n\tadcs\tx10,x10,x9\n\tadc\tx11,x11,xzr\n\n\tadds\tx14,x15,x10\n\tadcs\tx15,x16,x11\n\tadcs\tx16,x17,x24\n\tadc\tx17,xzr,x24\t\t// can't overflow\n\tmul\tx11,x14,x23\n\tlsl\tx8,x24,#32\n\tsubs\tx15,x15,x24\n\tlsr\tx9,x24,#32\n\tsbcs\tx16,x16,x8\n\tsbc\tx17,x17,x9\t\t// can't borrow\n\tsubs\txzr,x14,#1\n\tumulh\tx9,x12,x11\n\tmul\tx10,x13,x11\n\tumulh\tx24,x13,x11\n\n\tadcs\tx10,x10,x9\n\tadc\tx24,x24,xzr\n\n\tadds\tx14,x15,x10\n\tadcs\tx15,x16,x24\n\tadcs\tx16,x17,x11\n\tadc\tx17,xzr,x11\t\t// can't overflow\n\tlsl\tx8,x11,#32\n\tsubs\tx15,x15,x11\n\tlsr\tx9,x11,#32\n\tsbcs\tx16,x16,x8\n\tsbc\tx17,x17,x9\t\t// can't borrow\n\tadds\tx14,x14,x19\t// accumulate upper half\n\tadcs\tx15,x15,x20\n\tadcs\tx16,x16,x1\n\tadcs\tx17,x17,x3\n\tadc\tx19,xzr,xzr\n\n\tsubs\tx8,x14,x12\t\t// ret -= modulus\n\tsbcs\tx9,x15,x13\n\tsbcs\tx10,x16,x21\n\tsbcs\tx11,x17,x22\n\tsbcs\txzr,x19,xzr\n\n\tcsel\tx4,x14,x8,lo\t// ret = borrow ? ret : ret-modulus\n\tcsel\tx5,x15,x9,lo\n\tcsel\tx6,x16,x10,lo\n\tcsel\tx7,x17,x11,lo\n\n\tcbnz\tx2,Loop_ord_sqr\n\n\tstp\tx4,x5,[x0]\n\tstp\tx6,x7,[x0,#16]\n\n\tldp\tx19,x20,[sp,#16]\n\tldp\tx21,x22,[sp,#32]\n\tldp\tx23,x24,[sp,#48]\n\tldr\tx29,[sp],#64\n\tret\n\n////////////////////////////////////////////////////////////////////////\n// void ecp_nistz256_select_w5(uint64_t *val, uint64_t *in_t, int index);\n.globl\t_ecp_nistz256_select_w5\n.private_extern\t_ecp_nistz256_select_w5\n\n.align\t4\n_ecp_nistz256_select_w5:\n\tAARCH64_VALID_CALL_TARGET\n\n // x10 := x0\n // w9 := 0; loop counter and incremented internal index\n\tmov\tx10, x0\n\tmov\tw9, #0\n\n // [v16-v21] := 0\n\tmovi\tv16.16b, #0\n\tmovi\tv17.16b, #0\n\tmovi\tv18.16b, #0\n\tmovi\tv19.16b, #0\n\tmovi\tv20.16b, #0\n\tmovi\tv21.16b, #0\n\nLselect_w5_loop:\n // Loop 16 times.\n\n // Increment index (loop counter); tested at the end of the loop\n\tadd\tw9, w9, #1\n\n // [v22-v27] := Load a (3*256-bit = 6*128-bit) table entry starting at x1\n // and advance x1 to point to the next entry\n\tld1\t{v22.2d, v23.2d, v24.2d, v25.2d}, [x1],#64\n\n // x11 := (w9 == w2)? All 1s : All 0s\n\tcmp\tw9, w2\n\tcsetm\tx11, eq\n\n // continue loading ...\n\tld1\t{v26.2d, v27.2d}, [x1],#32\n\n // duplicate mask_64 into Mask (all 0s or all 1s)\n\tdup\tv3.2d, x11\n\n // [v16-v19] := (Mask == all 1s)? [v22-v25] : [v16-v19]\n // i.e., values in output registers will remain the same if w9 != w2\n\tbit\tv16.16b, v22.16b, v3.16b\n\tbit\tv17.16b, v23.16b, v3.16b\n\n\tbit\tv18.16b, v24.16b, v3.16b\n\tbit\tv19.16b, v25.16b, v3.16b\n\n\tbit\tv20.16b, v26.16b, v3.16b\n\tbit\tv21.16b, v27.16b, v3.16b\n\n // If bit #4 is not 0 (i.e. idx_ctr < 16) loop back\n\ttbz\tw9, #4, Lselect_w5_loop\n\n // Write [v16-v21] to memory at the output pointer\n\tst1\t{v16.2d, v17.2d, v18.2d, v19.2d}, [x10],#64\n\tst1\t{v20.2d, v21.2d}, [x10]\n\n\tret\n\n\n\n////////////////////////////////////////////////////////////////////////\n// void ecp_nistz256_select_w7(uint64_t *val, uint64_t *in_t, int index);\n.globl\t_ecp_nistz256_select_w7\n.private_extern\t_ecp_nistz256_select_w7\n\n.align\t4\n_ecp_nistz256_select_w7:\n\tAARCH64_VALID_CALL_TARGET\n\n // w9 := 0; loop counter and incremented internal index\n\tmov\tw9, #0\n\n // [v16-v21] := 0\n\tmovi\tv16.16b, #0\n\tmovi\tv17.16b, #0\n\tmovi\tv18.16b, #0\n\tmovi\tv19.16b, #0\n\nLselect_w7_loop:\n // Loop 64 times.\n\n // Increment index (loop counter); tested at the end of the loop\n\tadd\tw9, w9, #1\n\n // [v22-v25] := Load a (2*256-bit = 4*128-bit) table entry starting at x1\n // and advance x1 to point to the next entry\n\tld1\t{v22.2d, v23.2d, v24.2d, v25.2d}, [x1],#64\n\n // x11 := (w9 == w2)? All 1s : All 0s\n\tcmp\tw9, w2\n\tcsetm\tx11, eq\n\n // duplicate mask_64 into Mask (all 0s or all 1s)\n\tdup\tv3.2d, x11\n\n // [v16-v19] := (Mask == all 1s)? [v22-v25] : [v16-v19]\n // i.e., values in output registers will remain the same if w9 != w2\n\tbit\tv16.16b, v22.16b, v3.16b\n\tbit\tv17.16b, v23.16b, v3.16b\n\n\tbit\tv18.16b, v24.16b, v3.16b\n\tbit\tv19.16b, v25.16b, v3.16b\n\n // If bit #6 is not 0 (i.e. idx_ctr < 64) loop back\n\ttbz\tw9, #6, Lselect_w7_loop\n\n // Write [v16-v19] to memory at the output pointer\n\tst1\t{v16.2d, v17.2d, v18.2d, v19.2d}, [x0]\n\n\tret\n\n#endif // !OPENSSL_NO_ASM && defined(OPENSSL_AARCH64) && defined(__APPLE__)\n#if defined(__linux__) && defined(__ELF__)\n.section .note.GNU-stack,\"\",%progbits\n#endif\n\n" }, { "path": "Sources/CNIOBoringSSL/gen/bcm/p256-armv8-asm-linux.S", "content": "#define BORINGSSL_PREFIX CNIOBoringSSL\n// This file is generated from a similarly-named Perl script in the BoringSSL\n// source tree. Do not edit by hand.\n\n#include \n\n#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_AARCH64) && defined(__ELF__)\n#include \"CNIOBoringSSL_arm_arch.h\"\n\n.section\t.rodata\n.align\t5\n.Lpoly:\n.quad\t0xffffffffffffffff,0x00000000ffffffff,0x0000000000000000,0xffffffff00000001\n.LRR:\t//\t2^512 mod P precomputed for NIST P256 polynomial\n.quad\t0x0000000000000003,0xfffffffbffffffff,0xfffffffffffffffe,0x00000004fffffffd\n.Lone_mont:\n.quad\t0x0000000000000001,0xffffffff00000000,0xffffffffffffffff,0x00000000fffffffe\n.Lone:\n.quad\t1,0,0,0\n.Lord:\n.quad\t0xf3b9cac2fc632551,0xbce6faada7179e84,0xffffffffffffffff,0xffffffff00000000\n.LordK:\n.quad\t0xccd1c8aaee00bc4f\n.byte\t69,67,80,95,78,73,83,84,90,50,53,54,32,102,111,114,32,65,82,77,118,56,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0\n.align\t2\n.text\n\n// void\tecp_nistz256_mul_mont(BN_ULONG x0[4],const BN_ULONG x1[4],\n//\t\t\t\t\t const BN_ULONG x2[4]);\n.globl\tecp_nistz256_mul_mont\n.hidden\tecp_nistz256_mul_mont\n.type\tecp_nistz256_mul_mont,%function\n.align\t4\necp_nistz256_mul_mont:\n\tAARCH64_SIGN_LINK_REGISTER\n\tstp\tx29,x30,[sp,#-32]!\n\tadd\tx29,sp,#0\n\tstp\tx19,x20,[sp,#16]\n\n\tldr\tx3,[x2]\t\t// bp[0]\n\tldp\tx4,x5,[x1]\n\tldp\tx6,x7,[x1,#16]\n\tadrp\tx13,.Lpoly\n\tadd\tx13,x13,:lo12:.Lpoly\n\tldr\tx12,[x13,#8]\n\tldr\tx13,[x13,#24]\n\n\tbl\t__ecp_nistz256_mul_mont\n\n\tldp\tx19,x20,[sp,#16]\n\tldp\tx29,x30,[sp],#32\n\tAARCH64_VALIDATE_LINK_REGISTER\n\tret\n.size\tecp_nistz256_mul_mont,.-ecp_nistz256_mul_mont\n\n// void\tecp_nistz256_sqr_mont(BN_ULONG x0[4],const BN_ULONG x1[4]);\n.globl\tecp_nistz256_sqr_mont\n.hidden\tecp_nistz256_sqr_mont\n.type\tecp_nistz256_sqr_mont,%function\n.align\t4\necp_nistz256_sqr_mont:\n\tAARCH64_SIGN_LINK_REGISTER\n\tstp\tx29,x30,[sp,#-32]!\n\tadd\tx29,sp,#0\n\tstp\tx19,x20,[sp,#16]\n\n\tldp\tx4,x5,[x1]\n\tldp\tx6,x7,[x1,#16]\n\tadrp\tx13,.Lpoly\n\tadd\tx13,x13,:lo12:.Lpoly\n\tldr\tx12,[x13,#8]\n\tldr\tx13,[x13,#24]\n\n\tbl\t__ecp_nistz256_sqr_mont\n\n\tldp\tx19,x20,[sp,#16]\n\tldp\tx29,x30,[sp],#32\n\tAARCH64_VALIDATE_LINK_REGISTER\n\tret\n.size\tecp_nistz256_sqr_mont,.-ecp_nistz256_sqr_mont\n\n// void\tecp_nistz256_div_by_2(BN_ULONG x0[4],const BN_ULONG x1[4]);\n.globl\tecp_nistz256_div_by_2\n.hidden\tecp_nistz256_div_by_2\n.type\tecp_nistz256_div_by_2,%function\n.align\t4\necp_nistz256_div_by_2:\n\tAARCH64_SIGN_LINK_REGISTER\n\tstp\tx29,x30,[sp,#-16]!\n\tadd\tx29,sp,#0\n\n\tldp\tx14,x15,[x1]\n\tldp\tx16,x17,[x1,#16]\n\tadrp\tx13,.Lpoly\n\tadd\tx13,x13,:lo12:.Lpoly\n\tldr\tx12,[x13,#8]\n\tldr\tx13,[x13,#24]\n\n\tbl\t__ecp_nistz256_div_by_2\n\n\tldp\tx29,x30,[sp],#16\n\tAARCH64_VALIDATE_LINK_REGISTER\n\tret\n.size\tecp_nistz256_div_by_2,.-ecp_nistz256_div_by_2\n\n// void\tecp_nistz256_mul_by_2(BN_ULONG x0[4],const BN_ULONG x1[4]);\n.globl\tecp_nistz256_mul_by_2\n.hidden\tecp_nistz256_mul_by_2\n.type\tecp_nistz256_mul_by_2,%function\n.align\t4\necp_nistz256_mul_by_2:\n\tAARCH64_SIGN_LINK_REGISTER\n\tstp\tx29,x30,[sp,#-16]!\n\tadd\tx29,sp,#0\n\n\tldp\tx14,x15,[x1]\n\tldp\tx16,x17,[x1,#16]\n\tadrp\tx13,.Lpoly\n\tadd\tx13,x13,:lo12:.Lpoly\n\tldr\tx12,[x13,#8]\n\tldr\tx13,[x13,#24]\n\tmov\tx8,x14\n\tmov\tx9,x15\n\tmov\tx10,x16\n\tmov\tx11,x17\n\n\tbl\t__ecp_nistz256_add_to\t// ret = a+a\t// 2*a\n\n\tldp\tx29,x30,[sp],#16\n\tAARCH64_VALIDATE_LINK_REGISTER\n\tret\n.size\tecp_nistz256_mul_by_2,.-ecp_nistz256_mul_by_2\n\n// void\tecp_nistz256_mul_by_3(BN_ULONG x0[4],const BN_ULONG x1[4]);\n.globl\tecp_nistz256_mul_by_3\n.hidden\tecp_nistz256_mul_by_3\n.type\tecp_nistz256_mul_by_3,%function\n.align\t4\necp_nistz256_mul_by_3:\n\tAARCH64_SIGN_LINK_REGISTER\n\tstp\tx29,x30,[sp,#-16]!\n\tadd\tx29,sp,#0\n\n\tldp\tx14,x15,[x1]\n\tldp\tx16,x17,[x1,#16]\n\tadrp\tx13,.Lpoly\n\tadd\tx13,x13,:lo12:.Lpoly\n\tldr\tx12,[x13,#8]\n\tldr\tx13,[x13,#24]\n\tmov\tx8,x14\n\tmov\tx9,x15\n\tmov\tx10,x16\n\tmov\tx11,x17\n\tmov\tx4,x14\n\tmov\tx5,x15\n\tmov\tx6,x16\n\tmov\tx7,x17\n\n\tbl\t__ecp_nistz256_add_to\t// ret = a+a\t// 2*a\n\n\tmov\tx8,x4\n\tmov\tx9,x5\n\tmov\tx10,x6\n\tmov\tx11,x7\n\n\tbl\t__ecp_nistz256_add_to\t// ret += a\t// 2*a+a=3*a\n\n\tldp\tx29,x30,[sp],#16\n\tAARCH64_VALIDATE_LINK_REGISTER\n\tret\n.size\tecp_nistz256_mul_by_3,.-ecp_nistz256_mul_by_3\n\n// void\tecp_nistz256_sub(BN_ULONG x0[4],const BN_ULONG x1[4],\n//\t\t\t\t const BN_ULONG x2[4]);\n.globl\tecp_nistz256_sub\n.hidden\tecp_nistz256_sub\n.type\tecp_nistz256_sub,%function\n.align\t4\necp_nistz256_sub:\n\tAARCH64_SIGN_LINK_REGISTER\n\tstp\tx29,x30,[sp,#-16]!\n\tadd\tx29,sp,#0\n\n\tldp\tx14,x15,[x1]\n\tldp\tx16,x17,[x1,#16]\n\tadrp\tx13,.Lpoly\n\tadd\tx13,x13,:lo12:.Lpoly\n\tldr\tx12,[x13,#8]\n\tldr\tx13,[x13,#24]\n\n\tbl\t__ecp_nistz256_sub_from\n\n\tldp\tx29,x30,[sp],#16\n\tAARCH64_VALIDATE_LINK_REGISTER\n\tret\n.size\tecp_nistz256_sub,.-ecp_nistz256_sub\n\n// void\tecp_nistz256_neg(BN_ULONG x0[4],const BN_ULONG x1[4]);\n.globl\tecp_nistz256_neg\n.hidden\tecp_nistz256_neg\n.type\tecp_nistz256_neg,%function\n.align\t4\necp_nistz256_neg:\n\tAARCH64_SIGN_LINK_REGISTER\n\tstp\tx29,x30,[sp,#-16]!\n\tadd\tx29,sp,#0\n\n\tmov\tx2,x1\n\tmov\tx14,xzr\t\t// a = 0\n\tmov\tx15,xzr\n\tmov\tx16,xzr\n\tmov\tx17,xzr\n\tadrp\tx13,.Lpoly\n\tadd\tx13,x13,:lo12:.Lpoly\n\tldr\tx12,[x13,#8]\n\tldr\tx13,[x13,#24]\n\n\tbl\t__ecp_nistz256_sub_from\n\n\tldp\tx29,x30,[sp],#16\n\tAARCH64_VALIDATE_LINK_REGISTER\n\tret\n.size\tecp_nistz256_neg,.-ecp_nistz256_neg\n\n// note that __ecp_nistz256_mul_mont expects a[0-3] input pre-loaded\n// to x4-x7 and b[0] - to x3\n.type\t__ecp_nistz256_mul_mont,%function\n.align\t4\n__ecp_nistz256_mul_mont:\n\tmul\tx14,x4,x3\t\t// a[0]*b[0]\n\tumulh\tx8,x4,x3\n\n\tmul\tx15,x5,x3\t\t// a[1]*b[0]\n\tumulh\tx9,x5,x3\n\n\tmul\tx16,x6,x3\t\t// a[2]*b[0]\n\tumulh\tx10,x6,x3\n\n\tmul\tx17,x7,x3\t\t// a[3]*b[0]\n\tumulh\tx11,x7,x3\n\tldr\tx3,[x2,#8]\t\t// b[1]\n\n\tadds\tx15,x15,x8\t\t// accumulate high parts of multiplication\n\tlsl\tx8,x14,#32\n\tadcs\tx16,x16,x9\n\tlsr\tx9,x14,#32\n\tadcs\tx17,x17,x10\n\tadc\tx19,xzr,x11\n\tmov\tx20,xzr\n\tsubs\tx10,x14,x8\t\t// \"*0xffff0001\"\n\tsbc\tx11,x14,x9\n\tadds\tx14,x15,x8\t\t// +=acc[0]<<96 and omit acc[0]\n\tmul\tx8,x4,x3\t\t// lo(a[0]*b[i])\n\tadcs\tx15,x16,x9\n\tmul\tx9,x5,x3\t\t// lo(a[1]*b[i])\n\tadcs\tx16,x17,x10\t\t// +=acc[0]*0xffff0001\n\tmul\tx10,x6,x3\t\t// lo(a[2]*b[i])\n\tadcs\tx17,x19,x11\n\tmul\tx11,x7,x3\t\t// lo(a[3]*b[i])\n\tadc\tx19,x20,xzr\n\n\tadds\tx14,x14,x8\t\t// accumulate low parts of multiplication\n\tumulh\tx8,x4,x3\t\t// hi(a[0]*b[i])\n\tadcs\tx15,x15,x9\n\tumulh\tx9,x5,x3\t\t// hi(a[1]*b[i])\n\tadcs\tx16,x16,x10\n\tumulh\tx10,x6,x3\t\t// hi(a[2]*b[i])\n\tadcs\tx17,x17,x11\n\tumulh\tx11,x7,x3\t\t// hi(a[3]*b[i])\n\tadc\tx19,x19,xzr\n\tldr\tx3,[x2,#8*(1+1)]\t// b[1+1]\n\tadds\tx15,x15,x8\t\t// accumulate high parts of multiplication\n\tlsl\tx8,x14,#32\n\tadcs\tx16,x16,x9\n\tlsr\tx9,x14,#32\n\tadcs\tx17,x17,x10\n\tadcs\tx19,x19,x11\n\tadc\tx20,xzr,xzr\n\tsubs\tx10,x14,x8\t\t// \"*0xffff0001\"\n\tsbc\tx11,x14,x9\n\tadds\tx14,x15,x8\t\t// +=acc[0]<<96 and omit acc[0]\n\tmul\tx8,x4,x3\t\t// lo(a[0]*b[i])\n\tadcs\tx15,x16,x9\n\tmul\tx9,x5,x3\t\t// lo(a[1]*b[i])\n\tadcs\tx16,x17,x10\t\t// +=acc[0]*0xffff0001\n\tmul\tx10,x6,x3\t\t// lo(a[2]*b[i])\n\tadcs\tx17,x19,x11\n\tmul\tx11,x7,x3\t\t// lo(a[3]*b[i])\n\tadc\tx19,x20,xzr\n\n\tadds\tx14,x14,x8\t\t// accumulate low parts of multiplication\n\tumulh\tx8,x4,x3\t\t// hi(a[0]*b[i])\n\tadcs\tx15,x15,x9\n\tumulh\tx9,x5,x3\t\t// hi(a[1]*b[i])\n\tadcs\tx16,x16,x10\n\tumulh\tx10,x6,x3\t\t// hi(a[2]*b[i])\n\tadcs\tx17,x17,x11\n\tumulh\tx11,x7,x3\t\t// hi(a[3]*b[i])\n\tadc\tx19,x19,xzr\n\tldr\tx3,[x2,#8*(2+1)]\t// b[2+1]\n\tadds\tx15,x15,x8\t\t// accumulate high parts of multiplication\n\tlsl\tx8,x14,#32\n\tadcs\tx16,x16,x9\n\tlsr\tx9,x14,#32\n\tadcs\tx17,x17,x10\n\tadcs\tx19,x19,x11\n\tadc\tx20,xzr,xzr\n\tsubs\tx10,x14,x8\t\t// \"*0xffff0001\"\n\tsbc\tx11,x14,x9\n\tadds\tx14,x15,x8\t\t// +=acc[0]<<96 and omit acc[0]\n\tmul\tx8,x4,x3\t\t// lo(a[0]*b[i])\n\tadcs\tx15,x16,x9\n\tmul\tx9,x5,x3\t\t// lo(a[1]*b[i])\n\tadcs\tx16,x17,x10\t\t// +=acc[0]*0xffff0001\n\tmul\tx10,x6,x3\t\t// lo(a[2]*b[i])\n\tadcs\tx17,x19,x11\n\tmul\tx11,x7,x3\t\t// lo(a[3]*b[i])\n\tadc\tx19,x20,xzr\n\n\tadds\tx14,x14,x8\t\t// accumulate low parts of multiplication\n\tumulh\tx8,x4,x3\t\t// hi(a[0]*b[i])\n\tadcs\tx15,x15,x9\n\tumulh\tx9,x5,x3\t\t// hi(a[1]*b[i])\n\tadcs\tx16,x16,x10\n\tumulh\tx10,x6,x3\t\t// hi(a[2]*b[i])\n\tadcs\tx17,x17,x11\n\tumulh\tx11,x7,x3\t\t// hi(a[3]*b[i])\n\tadc\tx19,x19,xzr\n\tadds\tx15,x15,x8\t\t// accumulate high parts of multiplication\n\tlsl\tx8,x14,#32\n\tadcs\tx16,x16,x9\n\tlsr\tx9,x14,#32\n\tadcs\tx17,x17,x10\n\tadcs\tx19,x19,x11\n\tadc\tx20,xzr,xzr\n\t// last reduction\n\tsubs\tx10,x14,x8\t\t// \"*0xffff0001\"\n\tsbc\tx11,x14,x9\n\tadds\tx14,x15,x8\t\t// +=acc[0]<<96 and omit acc[0]\n\tadcs\tx15,x16,x9\n\tadcs\tx16,x17,x10\t\t// +=acc[0]*0xffff0001\n\tadcs\tx17,x19,x11\n\tadc\tx19,x20,xzr\n\n\tadds\tx8,x14,#1\t\t// subs\tx8,x14,#-1 // tmp = ret-modulus\n\tsbcs\tx9,x15,x12\n\tsbcs\tx10,x16,xzr\n\tsbcs\tx11,x17,x13\n\tsbcs\txzr,x19,xzr\t\t// did it borrow?\n\n\tcsel\tx14,x14,x8,lo\t// ret = borrow ? ret : ret-modulus\n\tcsel\tx15,x15,x9,lo\n\tcsel\tx16,x16,x10,lo\n\tstp\tx14,x15,[x0]\n\tcsel\tx17,x17,x11,lo\n\tstp\tx16,x17,[x0,#16]\n\n\tret\n.size\t__ecp_nistz256_mul_mont,.-__ecp_nistz256_mul_mont\n\n// note that __ecp_nistz256_sqr_mont expects a[0-3] input pre-loaded\n// to x4-x7\n.type\t__ecp_nistz256_sqr_mont,%function\n.align\t4\n__ecp_nistz256_sqr_mont:\n\t// | | | | | |a1*a0| |\n\t// | | | | |a2*a0| | |\n\t// | |a3*a2|a3*a0| | | |\n\t// | | | |a2*a1| | | |\n\t// | | |a3*a1| | | | |\n\t// *| | | | | | | | 2|\n\t// +|a3*a3|a2*a2|a1*a1|a0*a0|\n\t// |--+--+--+--+--+--+--+--|\n\t// |A7|A6|A5|A4|A3|A2|A1|A0|, where Ax is , i.e. follow \n\t//\n\t// \"can't overflow\" below mark carrying into high part of\n\t// multiplication result, which can't overflow, because it\n\t// can never be all ones.\n\n\tmul\tx15,x5,x4\t\t// a[1]*a[0]\n\tumulh\tx9,x5,x4\n\tmul\tx16,x6,x4\t\t// a[2]*a[0]\n\tumulh\tx10,x6,x4\n\tmul\tx17,x7,x4\t\t// a[3]*a[0]\n\tumulh\tx19,x7,x4\n\n\tadds\tx16,x16,x9\t\t// accumulate high parts of multiplication\n\tmul\tx8,x6,x5\t\t// a[2]*a[1]\n\tumulh\tx9,x6,x5\n\tadcs\tx17,x17,x10\n\tmul\tx10,x7,x5\t\t// a[3]*a[1]\n\tumulh\tx11,x7,x5\n\tadc\tx19,x19,xzr\t\t// can't overflow\n\n\tmul\tx20,x7,x6\t\t// a[3]*a[2]\n\tumulh\tx1,x7,x6\n\n\tadds\tx9,x9,x10\t\t// accumulate high parts of multiplication\n\tmul\tx14,x4,x4\t\t// a[0]*a[0]\n\tadc\tx10,x11,xzr\t\t// can't overflow\n\n\tadds\tx17,x17,x8\t\t// accumulate low parts of multiplication\n\tumulh\tx4,x4,x4\n\tadcs\tx19,x19,x9\n\tmul\tx9,x5,x5\t\t// a[1]*a[1]\n\tadcs\tx20,x20,x10\n\tumulh\tx5,x5,x5\n\tadc\tx1,x1,xzr\t\t// can't overflow\n\n\tadds\tx15,x15,x15\t// acc[1-6]*=2\n\tmul\tx10,x6,x6\t\t// a[2]*a[2]\n\tadcs\tx16,x16,x16\n\tumulh\tx6,x6,x6\n\tadcs\tx17,x17,x17\n\tmul\tx11,x7,x7\t\t// a[3]*a[3]\n\tadcs\tx19,x19,x19\n\tumulh\tx7,x7,x7\n\tadcs\tx20,x20,x20\n\tadcs\tx1,x1,x1\n\tadc\tx2,xzr,xzr\n\n\tadds\tx15,x15,x4\t\t// +a[i]*a[i]\n\tadcs\tx16,x16,x9\n\tadcs\tx17,x17,x5\n\tadcs\tx19,x19,x10\n\tadcs\tx20,x20,x6\n\tlsl\tx8,x14,#32\n\tadcs\tx1,x1,x11\n\tlsr\tx9,x14,#32\n\tadc\tx2,x2,x7\n\tsubs\tx10,x14,x8\t\t// \"*0xffff0001\"\n\tsbc\tx11,x14,x9\n\tadds\tx14,x15,x8\t\t// +=acc[0]<<96 and omit acc[0]\n\tadcs\tx15,x16,x9\n\tlsl\tx8,x14,#32\n\tadcs\tx16,x17,x10\t\t// +=acc[0]*0xffff0001\n\tlsr\tx9,x14,#32\n\tadc\tx17,x11,xzr\t\t// can't overflow\n\tsubs\tx10,x14,x8\t\t// \"*0xffff0001\"\n\tsbc\tx11,x14,x9\n\tadds\tx14,x15,x8\t\t// +=acc[0]<<96 and omit acc[0]\n\tadcs\tx15,x16,x9\n\tlsl\tx8,x14,#32\n\tadcs\tx16,x17,x10\t\t// +=acc[0]*0xffff0001\n\tlsr\tx9,x14,#32\n\tadc\tx17,x11,xzr\t\t// can't overflow\n\tsubs\tx10,x14,x8\t\t// \"*0xffff0001\"\n\tsbc\tx11,x14,x9\n\tadds\tx14,x15,x8\t\t// +=acc[0]<<96 and omit acc[0]\n\tadcs\tx15,x16,x9\n\tlsl\tx8,x14,#32\n\tadcs\tx16,x17,x10\t\t// +=acc[0]*0xffff0001\n\tlsr\tx9,x14,#32\n\tadc\tx17,x11,xzr\t\t// can't overflow\n\tsubs\tx10,x14,x8\t\t// \"*0xffff0001\"\n\tsbc\tx11,x14,x9\n\tadds\tx14,x15,x8\t\t// +=acc[0]<<96 and omit acc[0]\n\tadcs\tx15,x16,x9\n\tadcs\tx16,x17,x10\t\t// +=acc[0]*0xffff0001\n\tadc\tx17,x11,xzr\t\t// can't overflow\n\n\tadds\tx14,x14,x19\t// accumulate upper half\n\tadcs\tx15,x15,x20\n\tadcs\tx16,x16,x1\n\tadcs\tx17,x17,x2\n\tadc\tx19,xzr,xzr\n\n\tadds\tx8,x14,#1\t\t// subs\tx8,x14,#-1 // tmp = ret-modulus\n\tsbcs\tx9,x15,x12\n\tsbcs\tx10,x16,xzr\n\tsbcs\tx11,x17,x13\n\tsbcs\txzr,x19,xzr\t\t// did it borrow?\n\n\tcsel\tx14,x14,x8,lo\t// ret = borrow ? ret : ret-modulus\n\tcsel\tx15,x15,x9,lo\n\tcsel\tx16,x16,x10,lo\n\tstp\tx14,x15,[x0]\n\tcsel\tx17,x17,x11,lo\n\tstp\tx16,x17,[x0,#16]\n\n\tret\n.size\t__ecp_nistz256_sqr_mont,.-__ecp_nistz256_sqr_mont\n\n// Note that __ecp_nistz256_add_to expects both input vectors pre-loaded to\n// x4-x7 and x8-x11. This is done because it's used in multiple\n// contexts, e.g. in multiplication by 2 and 3...\n.type\t__ecp_nistz256_add_to,%function\n.align\t4\n__ecp_nistz256_add_to:\n\tadds\tx14,x14,x8\t\t// ret = a+b\n\tadcs\tx15,x15,x9\n\tadcs\tx16,x16,x10\n\tadcs\tx17,x17,x11\n\tadc\tx1,xzr,xzr\t\t// zap x1\n\n\tadds\tx8,x14,#1\t\t// subs\tx8,x4,#-1 // tmp = ret-modulus\n\tsbcs\tx9,x15,x12\n\tsbcs\tx10,x16,xzr\n\tsbcs\tx11,x17,x13\n\tsbcs\txzr,x1,xzr\t\t// did subtraction borrow?\n\n\tcsel\tx14,x14,x8,lo\t// ret = borrow ? ret : ret-modulus\n\tcsel\tx15,x15,x9,lo\n\tcsel\tx16,x16,x10,lo\n\tstp\tx14,x15,[x0]\n\tcsel\tx17,x17,x11,lo\n\tstp\tx16,x17,[x0,#16]\n\n\tret\n.size\t__ecp_nistz256_add_to,.-__ecp_nistz256_add_to\n\n.type\t__ecp_nistz256_sub_from,%function\n.align\t4\n__ecp_nistz256_sub_from:\n\tldp\tx8,x9,[x2]\n\tldp\tx10,x11,[x2,#16]\n\tsubs\tx14,x14,x8\t\t// ret = a-b\n\tsbcs\tx15,x15,x9\n\tsbcs\tx16,x16,x10\n\tsbcs\tx17,x17,x11\n\tsbc\tx1,xzr,xzr\t\t// zap x1\n\n\tsubs\tx8,x14,#1\t\t// adds\tx8,x4,#-1 // tmp = ret+modulus\n\tadcs\tx9,x15,x12\n\tadcs\tx10,x16,xzr\n\tadc\tx11,x17,x13\n\tcmp\tx1,xzr\t\t\t// did subtraction borrow?\n\n\tcsel\tx14,x14,x8,eq\t// ret = borrow ? ret+modulus : ret\n\tcsel\tx15,x15,x9,eq\n\tcsel\tx16,x16,x10,eq\n\tstp\tx14,x15,[x0]\n\tcsel\tx17,x17,x11,eq\n\tstp\tx16,x17,[x0,#16]\n\n\tret\n.size\t__ecp_nistz256_sub_from,.-__ecp_nistz256_sub_from\n\n.type\t__ecp_nistz256_sub_morf,%function\n.align\t4\n__ecp_nistz256_sub_morf:\n\tldp\tx8,x9,[x2]\n\tldp\tx10,x11,[x2,#16]\n\tsubs\tx14,x8,x14\t\t// ret = b-a\n\tsbcs\tx15,x9,x15\n\tsbcs\tx16,x10,x16\n\tsbcs\tx17,x11,x17\n\tsbc\tx1,xzr,xzr\t\t// zap x1\n\n\tsubs\tx8,x14,#1\t\t// adds\tx8,x4,#-1 // tmp = ret+modulus\n\tadcs\tx9,x15,x12\n\tadcs\tx10,x16,xzr\n\tadc\tx11,x17,x13\n\tcmp\tx1,xzr\t\t\t// did subtraction borrow?\n\n\tcsel\tx14,x14,x8,eq\t// ret = borrow ? ret+modulus : ret\n\tcsel\tx15,x15,x9,eq\n\tcsel\tx16,x16,x10,eq\n\tstp\tx14,x15,[x0]\n\tcsel\tx17,x17,x11,eq\n\tstp\tx16,x17,[x0,#16]\n\n\tret\n.size\t__ecp_nistz256_sub_morf,.-__ecp_nistz256_sub_morf\n\n.type\t__ecp_nistz256_div_by_2,%function\n.align\t4\n__ecp_nistz256_div_by_2:\n\tsubs\tx8,x14,#1\t\t// adds\tx8,x4,#-1 // tmp = a+modulus\n\tadcs\tx9,x15,x12\n\tadcs\tx10,x16,xzr\n\tadcs\tx11,x17,x13\n\tadc\tx1,xzr,xzr\t\t// zap x1\n\ttst\tx14,#1\t\t// is a even?\n\n\tcsel\tx14,x14,x8,eq\t// ret = even ? a : a+modulus\n\tcsel\tx15,x15,x9,eq\n\tcsel\tx16,x16,x10,eq\n\tcsel\tx17,x17,x11,eq\n\tcsel\tx1,xzr,x1,eq\n\n\tlsr\tx14,x14,#1\t\t// ret >>= 1\n\torr\tx14,x14,x15,lsl#63\n\tlsr\tx15,x15,#1\n\torr\tx15,x15,x16,lsl#63\n\tlsr\tx16,x16,#1\n\torr\tx16,x16,x17,lsl#63\n\tlsr\tx17,x17,#1\n\tstp\tx14,x15,[x0]\n\torr\tx17,x17,x1,lsl#63\n\tstp\tx16,x17,[x0,#16]\n\n\tret\n.size\t__ecp_nistz256_div_by_2,.-__ecp_nistz256_div_by_2\n.globl\tecp_nistz256_point_double\n.hidden\tecp_nistz256_point_double\n.type\tecp_nistz256_point_double,%function\n.align\t5\necp_nistz256_point_double:\n\tAARCH64_SIGN_LINK_REGISTER\n\tstp\tx29,x30,[sp,#-96]!\n\tadd\tx29,sp,#0\n\tstp\tx19,x20,[sp,#16]\n\tstp\tx21,x22,[sp,#32]\n\tsub\tsp,sp,#32*4\n\n.Ldouble_shortcut:\n\tldp\tx14,x15,[x1,#32]\n\tmov\tx21,x0\n\tldp\tx16,x17,[x1,#48]\n\tmov\tx22,x1\n\tadrp\tx13,.Lpoly\n\tadd\tx13,x13,:lo12:.Lpoly\n\tldr\tx12,[x13,#8]\n\tmov\tx8,x14\n\tldr\tx13,[x13,#24]\n\tmov\tx9,x15\n\tldp\tx4,x5,[x22,#64]\t// forward load for p256_sqr_mont\n\tmov\tx10,x16\n\tmov\tx11,x17\n\tldp\tx6,x7,[x22,#64+16]\n\tadd\tx0,sp,#0\n\tbl\t__ecp_nistz256_add_to\t// p256_mul_by_2(S, in_y);\n\n\tadd\tx0,sp,#64\n\tbl\t__ecp_nistz256_sqr_mont\t// p256_sqr_mont(Zsqr, in_z);\n\n\tldp\tx8,x9,[x22]\n\tldp\tx10,x11,[x22,#16]\n\tmov\tx4,x14\t\t// put Zsqr aside for p256_sub\n\tmov\tx5,x15\n\tmov\tx6,x16\n\tmov\tx7,x17\n\tadd\tx0,sp,#32\n\tbl\t__ecp_nistz256_add_to\t// p256_add(M, Zsqr, in_x);\n\n\tadd\tx2,x22,#0\n\tmov\tx14,x4\t\t// restore Zsqr\n\tmov\tx15,x5\n\tldp\tx4,x5,[sp,#0]\t// forward load for p256_sqr_mont\n\tmov\tx16,x6\n\tmov\tx17,x7\n\tldp\tx6,x7,[sp,#0+16]\n\tadd\tx0,sp,#64\n\tbl\t__ecp_nistz256_sub_morf\t// p256_sub(Zsqr, in_x, Zsqr);\n\n\tadd\tx0,sp,#0\n\tbl\t__ecp_nistz256_sqr_mont\t// p256_sqr_mont(S, S);\n\n\tldr\tx3,[x22,#32]\n\tldp\tx4,x5,[x22,#64]\n\tldp\tx6,x7,[x22,#64+16]\n\tadd\tx2,x22,#32\n\tadd\tx0,sp,#96\n\tbl\t__ecp_nistz256_mul_mont\t// p256_mul_mont(tmp0, in_z, in_y);\n\n\tmov\tx8,x14\n\tmov\tx9,x15\n\tldp\tx4,x5,[sp,#0]\t// forward load for p256_sqr_mont\n\tmov\tx10,x16\n\tmov\tx11,x17\n\tldp\tx6,x7,[sp,#0+16]\n\tadd\tx0,x21,#64\n\tbl\t__ecp_nistz256_add_to\t// p256_mul_by_2(res_z, tmp0);\n\n\tadd\tx0,sp,#96\n\tbl\t__ecp_nistz256_sqr_mont\t// p256_sqr_mont(tmp0, S);\n\n\tldr\tx3,[sp,#64]\t\t// forward load for p256_mul_mont\n\tldp\tx4,x5,[sp,#32]\n\tldp\tx6,x7,[sp,#32+16]\n\tadd\tx0,x21,#32\n\tbl\t__ecp_nistz256_div_by_2\t// p256_div_by_2(res_y, tmp0);\n\n\tadd\tx2,sp,#64\n\tadd\tx0,sp,#32\n\tbl\t__ecp_nistz256_mul_mont\t// p256_mul_mont(M, M, Zsqr);\n\n\tmov\tx8,x14\t\t// duplicate M\n\tmov\tx9,x15\n\tmov\tx10,x16\n\tmov\tx11,x17\n\tmov\tx4,x14\t\t// put M aside\n\tmov\tx5,x15\n\tmov\tx6,x16\n\tmov\tx7,x17\n\tadd\tx0,sp,#32\n\tbl\t__ecp_nistz256_add_to\n\tmov\tx8,x4\t\t\t// restore M\n\tmov\tx9,x5\n\tldr\tx3,[x22]\t\t// forward load for p256_mul_mont\n\tmov\tx10,x6\n\tldp\tx4,x5,[sp,#0]\n\tmov\tx11,x7\n\tldp\tx6,x7,[sp,#0+16]\n\tbl\t__ecp_nistz256_add_to\t// p256_mul_by_3(M, M);\n\n\tadd\tx2,x22,#0\n\tadd\tx0,sp,#0\n\tbl\t__ecp_nistz256_mul_mont\t// p256_mul_mont(S, S, in_x);\n\n\tmov\tx8,x14\n\tmov\tx9,x15\n\tldp\tx4,x5,[sp,#32]\t// forward load for p256_sqr_mont\n\tmov\tx10,x16\n\tmov\tx11,x17\n\tldp\tx6,x7,[sp,#32+16]\n\tadd\tx0,sp,#96\n\tbl\t__ecp_nistz256_add_to\t// p256_mul_by_2(tmp0, S);\n\n\tadd\tx0,x21,#0\n\tbl\t__ecp_nistz256_sqr_mont\t// p256_sqr_mont(res_x, M);\n\n\tadd\tx2,sp,#96\n\tbl\t__ecp_nistz256_sub_from\t// p256_sub(res_x, res_x, tmp0);\n\n\tadd\tx2,sp,#0\n\tadd\tx0,sp,#0\n\tbl\t__ecp_nistz256_sub_morf\t// p256_sub(S, S, res_x);\n\n\tldr\tx3,[sp,#32]\n\tmov\tx4,x14\t\t// copy S\n\tmov\tx5,x15\n\tmov\tx6,x16\n\tmov\tx7,x17\n\tadd\tx2,sp,#32\n\tbl\t__ecp_nistz256_mul_mont\t// p256_mul_mont(S, S, M);\n\n\tadd\tx2,x21,#32\n\tadd\tx0,x21,#32\n\tbl\t__ecp_nistz256_sub_from\t// p256_sub(res_y, S, res_y);\n\n\tadd\tsp,x29,#0\t\t// destroy frame\n\tldp\tx19,x20,[x29,#16]\n\tldp\tx21,x22,[x29,#32]\n\tldp\tx29,x30,[sp],#96\n\tAARCH64_VALIDATE_LINK_REGISTER\n\tret\n.size\tecp_nistz256_point_double,.-ecp_nistz256_point_double\n.globl\tecp_nistz256_point_add\n.hidden\tecp_nistz256_point_add\n.type\tecp_nistz256_point_add,%function\n.align\t5\necp_nistz256_point_add:\n\tAARCH64_SIGN_LINK_REGISTER\n\tstp\tx29,x30,[sp,#-96]!\n\tadd\tx29,sp,#0\n\tstp\tx19,x20,[sp,#16]\n\tstp\tx21,x22,[sp,#32]\n\tstp\tx23,x24,[sp,#48]\n\tstp\tx25,x26,[sp,#64]\n\tstp\tx27,x28,[sp,#80]\n\tsub\tsp,sp,#32*12\n\n\tldp\tx4,x5,[x2,#64]\t// in2_z\n\tldp\tx6,x7,[x2,#64+16]\n\tmov\tx21,x0\n\tmov\tx22,x1\n\tmov\tx23,x2\n\tadrp\tx13,.Lpoly\n\tadd\tx13,x13,:lo12:.Lpoly\n\tldr\tx12,[x13,#8]\n\tldr\tx13,[x13,#24]\n\torr\tx8,x4,x5\n\torr\tx10,x6,x7\n\torr\tx25,x8,x10\n\tcmp\tx25,#0\n\tcsetm\tx25,ne\t\t// ~in2infty\n\tadd\tx0,sp,#192\n\tbl\t__ecp_nistz256_sqr_mont\t// p256_sqr_mont(Z2sqr, in2_z);\n\n\tldp\tx4,x5,[x22,#64]\t// in1_z\n\tldp\tx6,x7,[x22,#64+16]\n\torr\tx8,x4,x5\n\torr\tx10,x6,x7\n\torr\tx24,x8,x10\n\tcmp\tx24,#0\n\tcsetm\tx24,ne\t\t// ~in1infty\n\tadd\tx0,sp,#128\n\tbl\t__ecp_nistz256_sqr_mont\t// p256_sqr_mont(Z1sqr, in1_z);\n\n\tldr\tx3,[x23,#64]\n\tldp\tx4,x5,[sp,#192]\n\tldp\tx6,x7,[sp,#192+16]\n\tadd\tx2,x23,#64\n\tadd\tx0,sp,#320\n\tbl\t__ecp_nistz256_mul_mont\t// p256_mul_mont(S1, Z2sqr, in2_z);\n\n\tldr\tx3,[x22,#64]\n\tldp\tx4,x5,[sp,#128]\n\tldp\tx6,x7,[sp,#128+16]\n\tadd\tx2,x22,#64\n\tadd\tx0,sp,#352\n\tbl\t__ecp_nistz256_mul_mont\t// p256_mul_mont(S2, Z1sqr, in1_z);\n\n\tldr\tx3,[x22,#32]\n\tldp\tx4,x5,[sp,#320]\n\tldp\tx6,x7,[sp,#320+16]\n\tadd\tx2,x22,#32\n\tadd\tx0,sp,#320\n\tbl\t__ecp_nistz256_mul_mont\t// p256_mul_mont(S1, S1, in1_y);\n\n\tldr\tx3,[x23,#32]\n\tldp\tx4,x5,[sp,#352]\n\tldp\tx6,x7,[sp,#352+16]\n\tadd\tx2,x23,#32\n\tadd\tx0,sp,#352\n\tbl\t__ecp_nistz256_mul_mont\t// p256_mul_mont(S2, S2, in2_y);\n\n\tadd\tx2,sp,#320\n\tldr\tx3,[sp,#192]\t// forward load for p256_mul_mont\n\tldp\tx4,x5,[x22]\n\tldp\tx6,x7,[x22,#16]\n\tadd\tx0,sp,#160\n\tbl\t__ecp_nistz256_sub_from\t// p256_sub(R, S2, S1);\n\n\torr\tx14,x14,x15\t// see if result is zero\n\torr\tx16,x16,x17\n\torr\tx26,x14,x16\t// ~is_equal(S1,S2)\n\n\tadd\tx2,sp,#192\n\tadd\tx0,sp,#256\n\tbl\t__ecp_nistz256_mul_mont\t// p256_mul_mont(U1, in1_x, Z2sqr);\n\n\tldr\tx3,[sp,#128]\n\tldp\tx4,x5,[x23]\n\tldp\tx6,x7,[x23,#16]\n\tadd\tx2,sp,#128\n\tadd\tx0,sp,#288\n\tbl\t__ecp_nistz256_mul_mont\t// p256_mul_mont(U2, in2_x, Z1sqr);\n\n\tadd\tx2,sp,#256\n\tldp\tx4,x5,[sp,#160]\t// forward load for p256_sqr_mont\n\tldp\tx6,x7,[sp,#160+16]\n\tadd\tx0,sp,#96\n\tbl\t__ecp_nistz256_sub_from\t// p256_sub(H, U2, U1);\n\n\torr\tx14,x14,x15\t// see if result is zero\n\torr\tx16,x16,x17\n\torr\tx14,x14,x16\t// ~is_equal(U1,U2)\n\n\tmvn\tx27,x24\t// -1/0 -> 0/-1\n\tmvn\tx28,x25\t// -1/0 -> 0/-1\n\torr\tx14,x14,x27\n\torr\tx14,x14,x28\n\torr\tx14,x14,x26\n\tcbnz\tx14,.Ladd_proceed\t// if(~is_equal(U1,U2) | in1infty | in2infty | ~is_equal(S1,S2))\n\n.Ladd_double:\n\tmov\tx1,x22\n\tmov\tx0,x21\n\tldp\tx23,x24,[x29,#48]\n\tldp\tx25,x26,[x29,#64]\n\tldp\tx27,x28,[x29,#80]\n\tadd\tsp,sp,#256\t// #256 is from #32*(12-4). difference in stack frames\n\tb\t.Ldouble_shortcut\n\n.align\t4\n.Ladd_proceed:\n\tadd\tx0,sp,#192\n\tbl\t__ecp_nistz256_sqr_mont\t// p256_sqr_mont(Rsqr, R);\n\n\tldr\tx3,[x22,#64]\n\tldp\tx4,x5,[sp,#96]\n\tldp\tx6,x7,[sp,#96+16]\n\tadd\tx2,x22,#64\n\tadd\tx0,sp,#64\n\tbl\t__ecp_nistz256_mul_mont\t// p256_mul_mont(res_z, H, in1_z);\n\n\tldp\tx4,x5,[sp,#96]\n\tldp\tx6,x7,[sp,#96+16]\n\tadd\tx0,sp,#128\n\tbl\t__ecp_nistz256_sqr_mont\t// p256_sqr_mont(Hsqr, H);\n\n\tldr\tx3,[x23,#64]\n\tldp\tx4,x5,[sp,#64]\n\tldp\tx6,x7,[sp,#64+16]\n\tadd\tx2,x23,#64\n\tadd\tx0,sp,#64\n\tbl\t__ecp_nistz256_mul_mont\t// p256_mul_mont(res_z, res_z, in2_z);\n\n\tldr\tx3,[sp,#96]\n\tldp\tx4,x5,[sp,#128]\n\tldp\tx6,x7,[sp,#128+16]\n\tadd\tx2,sp,#96\n\tadd\tx0,sp,#224\n\tbl\t__ecp_nistz256_mul_mont\t// p256_mul_mont(Hcub, Hsqr, H);\n\n\tldr\tx3,[sp,#128]\n\tldp\tx4,x5,[sp,#256]\n\tldp\tx6,x7,[sp,#256+16]\n\tadd\tx2,sp,#128\n\tadd\tx0,sp,#288\n\tbl\t__ecp_nistz256_mul_mont\t// p256_mul_mont(U2, U1, Hsqr);\n\n\tmov\tx8,x14\n\tmov\tx9,x15\n\tmov\tx10,x16\n\tmov\tx11,x17\n\tadd\tx0,sp,#128\n\tbl\t__ecp_nistz256_add_to\t// p256_mul_by_2(Hsqr, U2);\n\n\tadd\tx2,sp,#192\n\tadd\tx0,sp,#0\n\tbl\t__ecp_nistz256_sub_morf\t// p256_sub(res_x, Rsqr, Hsqr);\n\n\tadd\tx2,sp,#224\n\tbl\t__ecp_nistz256_sub_from\t// p256_sub(res_x, res_x, Hcub);\n\n\tadd\tx2,sp,#288\n\tldr\tx3,[sp,#224]\t\t// forward load for p256_mul_mont\n\tldp\tx4,x5,[sp,#320]\n\tldp\tx6,x7,[sp,#320+16]\n\tadd\tx0,sp,#32\n\tbl\t__ecp_nistz256_sub_morf\t// p256_sub(res_y, U2, res_x);\n\n\tadd\tx2,sp,#224\n\tadd\tx0,sp,#352\n\tbl\t__ecp_nistz256_mul_mont\t// p256_mul_mont(S2, S1, Hcub);\n\n\tldr\tx3,[sp,#160]\n\tldp\tx4,x5,[sp,#32]\n\tldp\tx6,x7,[sp,#32+16]\n\tadd\tx2,sp,#160\n\tadd\tx0,sp,#32\n\tbl\t__ecp_nistz256_mul_mont\t// p256_mul_mont(res_y, res_y, R);\n\n\tadd\tx2,sp,#352\n\tbl\t__ecp_nistz256_sub_from\t// p256_sub(res_y, res_y, S2);\n\n\tldp\tx4,x5,[sp,#0]\t\t// res\n\tldp\tx6,x7,[sp,#0+16]\n\tldp\tx8,x9,[x23]\t\t// in2\n\tldp\tx10,x11,[x23,#16]\n\tldp\tx14,x15,[x22,#0]\t// in1\n\tcmp\tx24,#0\t\t\t// ~, remember?\n\tldp\tx16,x17,[x22,#0+16]\n\tcsel\tx8,x4,x8,ne\n\tcsel\tx9,x5,x9,ne\n\tldp\tx4,x5,[sp,#0+0+32]\t// res\n\tcsel\tx10,x6,x10,ne\n\tcsel\tx11,x7,x11,ne\n\tcmp\tx25,#0\t\t\t// ~, remember?\n\tldp\tx6,x7,[sp,#0+0+48]\n\tcsel\tx14,x8,x14,ne\n\tcsel\tx15,x9,x15,ne\n\tldp\tx8,x9,[x23,#0+32]\t// in2\n\tcsel\tx16,x10,x16,ne\n\tcsel\tx17,x11,x17,ne\n\tldp\tx10,x11,[x23,#0+48]\n\tstp\tx14,x15,[x21,#0]\n\tstp\tx16,x17,[x21,#0+16]\n\tldp\tx14,x15,[x22,#32]\t// in1\n\tcmp\tx24,#0\t\t\t// ~, remember?\n\tldp\tx16,x17,[x22,#32+16]\n\tcsel\tx8,x4,x8,ne\n\tcsel\tx9,x5,x9,ne\n\tldp\tx4,x5,[sp,#0+32+32]\t// res\n\tcsel\tx10,x6,x10,ne\n\tcsel\tx11,x7,x11,ne\n\tcmp\tx25,#0\t\t\t// ~, remember?\n\tldp\tx6,x7,[sp,#0+32+48]\n\tcsel\tx14,x8,x14,ne\n\tcsel\tx15,x9,x15,ne\n\tldp\tx8,x9,[x23,#32+32]\t// in2\n\tcsel\tx16,x10,x16,ne\n\tcsel\tx17,x11,x17,ne\n\tldp\tx10,x11,[x23,#32+48]\n\tstp\tx14,x15,[x21,#32]\n\tstp\tx16,x17,[x21,#32+16]\n\tldp\tx14,x15,[x22,#64]\t// in1\n\tcmp\tx24,#0\t\t\t// ~, remember?\n\tldp\tx16,x17,[x22,#64+16]\n\tcsel\tx8,x4,x8,ne\n\tcsel\tx9,x5,x9,ne\n\tcsel\tx10,x6,x10,ne\n\tcsel\tx11,x7,x11,ne\n\tcmp\tx25,#0\t\t\t// ~, remember?\n\tcsel\tx14,x8,x14,ne\n\tcsel\tx15,x9,x15,ne\n\tcsel\tx16,x10,x16,ne\n\tcsel\tx17,x11,x17,ne\n\tstp\tx14,x15,[x21,#64]\n\tstp\tx16,x17,[x21,#64+16]\n\n.Ladd_done:\n\tadd\tsp,x29,#0\t\t// destroy frame\n\tldp\tx19,x20,[x29,#16]\n\tldp\tx21,x22,[x29,#32]\n\tldp\tx23,x24,[x29,#48]\n\tldp\tx25,x26,[x29,#64]\n\tldp\tx27,x28,[x29,#80]\n\tldp\tx29,x30,[sp],#96\n\tAARCH64_VALIDATE_LINK_REGISTER\n\tret\n.size\tecp_nistz256_point_add,.-ecp_nistz256_point_add\n.globl\tecp_nistz256_point_add_affine\n.hidden\tecp_nistz256_point_add_affine\n.type\tecp_nistz256_point_add_affine,%function\n.align\t5\necp_nistz256_point_add_affine:\n\tAARCH64_SIGN_LINK_REGISTER\n\tstp\tx29,x30,[sp,#-80]!\n\tadd\tx29,sp,#0\n\tstp\tx19,x20,[sp,#16]\n\tstp\tx21,x22,[sp,#32]\n\tstp\tx23,x24,[sp,#48]\n\tstp\tx25,x26,[sp,#64]\n\tsub\tsp,sp,#32*10\n\n\tmov\tx21,x0\n\tmov\tx22,x1\n\tmov\tx23,x2\n\tadrp\tx13,.Lpoly\n\tadd\tx13,x13,:lo12:.Lpoly\n\tldr\tx12,[x13,#8]\n\tldr\tx13,[x13,#24]\n\n\tldp\tx4,x5,[x1,#64]\t// in1_z\n\tldp\tx6,x7,[x1,#64+16]\n\torr\tx8,x4,x5\n\torr\tx10,x6,x7\n\torr\tx24,x8,x10\n\tcmp\tx24,#0\n\tcsetm\tx24,ne\t\t// ~in1infty\n\n\tldp\tx14,x15,[x2]\t// in2_x\n\tldp\tx16,x17,[x2,#16]\n\tldp\tx8,x9,[x2,#32]\t// in2_y\n\tldp\tx10,x11,[x2,#48]\n\torr\tx14,x14,x15\n\torr\tx16,x16,x17\n\torr\tx8,x8,x9\n\torr\tx10,x10,x11\n\torr\tx14,x14,x16\n\torr\tx8,x8,x10\n\torr\tx25,x14,x8\n\tcmp\tx25,#0\n\tcsetm\tx25,ne\t\t// ~in2infty\n\n\tadd\tx0,sp,#128\n\tbl\t__ecp_nistz256_sqr_mont\t// p256_sqr_mont(Z1sqr, in1_z);\n\n\tmov\tx4,x14\n\tmov\tx5,x15\n\tmov\tx6,x16\n\tmov\tx7,x17\n\tldr\tx3,[x23]\n\tadd\tx2,x23,#0\n\tadd\tx0,sp,#96\n\tbl\t__ecp_nistz256_mul_mont\t// p256_mul_mont(U2, Z1sqr, in2_x);\n\n\tadd\tx2,x22,#0\n\tldr\tx3,[x22,#64]\t// forward load for p256_mul_mont\n\tldp\tx4,x5,[sp,#128]\n\tldp\tx6,x7,[sp,#128+16]\n\tadd\tx0,sp,#160\n\tbl\t__ecp_nistz256_sub_from\t// p256_sub(H, U2, in1_x);\n\n\tadd\tx2,x22,#64\n\tadd\tx0,sp,#128\n\tbl\t__ecp_nistz256_mul_mont\t// p256_mul_mont(S2, Z1sqr, in1_z);\n\n\tldr\tx3,[x22,#64]\n\tldp\tx4,x5,[sp,#160]\n\tldp\tx6,x7,[sp,#160+16]\n\tadd\tx2,x22,#64\n\tadd\tx0,sp,#64\n\tbl\t__ecp_nistz256_mul_mont\t// p256_mul_mont(res_z, H, in1_z);\n\n\tldr\tx3,[x23,#32]\n\tldp\tx4,x5,[sp,#128]\n\tldp\tx6,x7,[sp,#128+16]\n\tadd\tx2,x23,#32\n\tadd\tx0,sp,#128\n\tbl\t__ecp_nistz256_mul_mont\t// p256_mul_mont(S2, S2, in2_y);\n\n\tadd\tx2,x22,#32\n\tldp\tx4,x5,[sp,#160]\t// forward load for p256_sqr_mont\n\tldp\tx6,x7,[sp,#160+16]\n\tadd\tx0,sp,#192\n\tbl\t__ecp_nistz256_sub_from\t// p256_sub(R, S2, in1_y);\n\n\tadd\tx0,sp,#224\n\tbl\t__ecp_nistz256_sqr_mont\t// p256_sqr_mont(Hsqr, H);\n\n\tldp\tx4,x5,[sp,#192]\n\tldp\tx6,x7,[sp,#192+16]\n\tadd\tx0,sp,#288\n\tbl\t__ecp_nistz256_sqr_mont\t// p256_sqr_mont(Rsqr, R);\n\n\tldr\tx3,[sp,#160]\n\tldp\tx4,x5,[sp,#224]\n\tldp\tx6,x7,[sp,#224+16]\n\tadd\tx2,sp,#160\n\tadd\tx0,sp,#256\n\tbl\t__ecp_nistz256_mul_mont\t// p256_mul_mont(Hcub, Hsqr, H);\n\n\tldr\tx3,[x22]\n\tldp\tx4,x5,[sp,#224]\n\tldp\tx6,x7,[sp,#224+16]\n\tadd\tx2,x22,#0\n\tadd\tx0,sp,#96\n\tbl\t__ecp_nistz256_mul_mont\t// p256_mul_mont(U2, in1_x, Hsqr);\n\n\tmov\tx8,x14\n\tmov\tx9,x15\n\tmov\tx10,x16\n\tmov\tx11,x17\n\tadd\tx0,sp,#224\n\tbl\t__ecp_nistz256_add_to\t// p256_mul_by_2(Hsqr, U2);\n\n\tadd\tx2,sp,#288\n\tadd\tx0,sp,#0\n\tbl\t__ecp_nistz256_sub_morf\t// p256_sub(res_x, Rsqr, Hsqr);\n\n\tadd\tx2,sp,#256\n\tbl\t__ecp_nistz256_sub_from\t// p256_sub(res_x, res_x, Hcub);\n\n\tadd\tx2,sp,#96\n\tldr\tx3,[x22,#32]\t// forward load for p256_mul_mont\n\tldp\tx4,x5,[sp,#256]\n\tldp\tx6,x7,[sp,#256+16]\n\tadd\tx0,sp,#32\n\tbl\t__ecp_nistz256_sub_morf\t// p256_sub(res_y, U2, res_x);\n\n\tadd\tx2,x22,#32\n\tadd\tx0,sp,#128\n\tbl\t__ecp_nistz256_mul_mont\t// p256_mul_mont(S2, in1_y, Hcub);\n\n\tldr\tx3,[sp,#192]\n\tldp\tx4,x5,[sp,#32]\n\tldp\tx6,x7,[sp,#32+16]\n\tadd\tx2,sp,#192\n\tadd\tx0,sp,#32\n\tbl\t__ecp_nistz256_mul_mont\t// p256_mul_mont(res_y, res_y, R);\n\n\tadd\tx2,sp,#128\n\tbl\t__ecp_nistz256_sub_from\t// p256_sub(res_y, res_y, S2);\n\n\tldp\tx4,x5,[sp,#0]\t\t// res\n\tldp\tx6,x7,[sp,#0+16]\n\tldp\tx8,x9,[x23]\t\t// in2\n\tldp\tx10,x11,[x23,#16]\n\tldp\tx14,x15,[x22,#0]\t// in1\n\tcmp\tx24,#0\t\t\t// ~, remember?\n\tldp\tx16,x17,[x22,#0+16]\n\tcsel\tx8,x4,x8,ne\n\tcsel\tx9,x5,x9,ne\n\tldp\tx4,x5,[sp,#0+0+32]\t// res\n\tcsel\tx10,x6,x10,ne\n\tcsel\tx11,x7,x11,ne\n\tcmp\tx25,#0\t\t\t// ~, remember?\n\tldp\tx6,x7,[sp,#0+0+48]\n\tcsel\tx14,x8,x14,ne\n\tcsel\tx15,x9,x15,ne\n\tldp\tx8,x9,[x23,#0+32]\t// in2\n\tcsel\tx16,x10,x16,ne\n\tcsel\tx17,x11,x17,ne\n\tldp\tx10,x11,[x23,#0+48]\n\tstp\tx14,x15,[x21,#0]\n\tstp\tx16,x17,[x21,#0+16]\n\tadrp\tx23,.Lone_mont-64\n\tadd\tx23,x23,:lo12:.Lone_mont-64\n\tldp\tx14,x15,[x22,#32]\t// in1\n\tcmp\tx24,#0\t\t\t// ~, remember?\n\tldp\tx16,x17,[x22,#32+16]\n\tcsel\tx8,x4,x8,ne\n\tcsel\tx9,x5,x9,ne\n\tldp\tx4,x5,[sp,#0+32+32]\t// res\n\tcsel\tx10,x6,x10,ne\n\tcsel\tx11,x7,x11,ne\n\tcmp\tx25,#0\t\t\t// ~, remember?\n\tldp\tx6,x7,[sp,#0+32+48]\n\tcsel\tx14,x8,x14,ne\n\tcsel\tx15,x9,x15,ne\n\tldp\tx8,x9,[x23,#32+32]\t// in2\n\tcsel\tx16,x10,x16,ne\n\tcsel\tx17,x11,x17,ne\n\tldp\tx10,x11,[x23,#32+48]\n\tstp\tx14,x15,[x21,#32]\n\tstp\tx16,x17,[x21,#32+16]\n\tldp\tx14,x15,[x22,#64]\t// in1\n\tcmp\tx24,#0\t\t\t// ~, remember?\n\tldp\tx16,x17,[x22,#64+16]\n\tcsel\tx8,x4,x8,ne\n\tcsel\tx9,x5,x9,ne\n\tcsel\tx10,x6,x10,ne\n\tcsel\tx11,x7,x11,ne\n\tcmp\tx25,#0\t\t\t// ~, remember?\n\tcsel\tx14,x8,x14,ne\n\tcsel\tx15,x9,x15,ne\n\tcsel\tx16,x10,x16,ne\n\tcsel\tx17,x11,x17,ne\n\tstp\tx14,x15,[x21,#64]\n\tstp\tx16,x17,[x21,#64+16]\n\n\tadd\tsp,x29,#0\t\t// destroy frame\n\tldp\tx19,x20,[x29,#16]\n\tldp\tx21,x22,[x29,#32]\n\tldp\tx23,x24,[x29,#48]\n\tldp\tx25,x26,[x29,#64]\n\tldp\tx29,x30,[sp],#80\n\tAARCH64_VALIDATE_LINK_REGISTER\n\tret\n.size\tecp_nistz256_point_add_affine,.-ecp_nistz256_point_add_affine\n////////////////////////////////////////////////////////////////////////\n// void ecp_nistz256_ord_mul_mont(uint64_t res[4], uint64_t a[4],\n// uint64_t b[4]);\n.globl\tecp_nistz256_ord_mul_mont\n.hidden\tecp_nistz256_ord_mul_mont\n.type\tecp_nistz256_ord_mul_mont,%function\n.align\t4\necp_nistz256_ord_mul_mont:\n\tAARCH64_VALID_CALL_TARGET\n\t// Armv8.3-A PAuth: even though x30 is pushed to stack it is not popped later.\n\tstp\tx29,x30,[sp,#-64]!\n\tadd\tx29,sp,#0\n\tstp\tx19,x20,[sp,#16]\n\tstp\tx21,x22,[sp,#32]\n\tstp\tx23,x24,[sp,#48]\n\n\tadrp\tx23,.Lord\n\tadd\tx23,x23,:lo12:.Lord\n\tldr\tx3,[x2]\t\t// bp[0]\n\tldp\tx4,x5,[x1]\n\tldp\tx6,x7,[x1,#16]\n\n\tldp\tx12,x13,[x23,#0]\n\tldp\tx21,x22,[x23,#16]\n\tldr\tx23,[x23,#32]\n\n\tmul\tx14,x4,x3\t\t// a[0]*b[0]\n\tumulh\tx8,x4,x3\n\n\tmul\tx15,x5,x3\t\t// a[1]*b[0]\n\tumulh\tx9,x5,x3\n\n\tmul\tx16,x6,x3\t\t// a[2]*b[0]\n\tumulh\tx10,x6,x3\n\n\tmul\tx17,x7,x3\t\t// a[3]*b[0]\n\tumulh\tx19,x7,x3\n\n\tmul\tx24,x14,x23\n\n\tadds\tx15,x15,x8\t\t// accumulate high parts of multiplication\n\tadcs\tx16,x16,x9\n\tadcs\tx17,x17,x10\n\tadc\tx19,x19,xzr\n\tmov\tx20,xzr\n\tldr\tx3,[x2,#8*1]\t\t// b[i]\n\n\tlsl\tx8,x24,#32\n\tsubs\tx16,x16,x24\n\tlsr\tx9,x24,#32\n\tsbcs\tx17,x17,x8\n\tsbcs\tx19,x19,x9\n\tsbc\tx20,x20,xzr\n\n\tsubs\txzr,x14,#1\n\tumulh\tx9,x12,x24\n\tmul\tx10,x13,x24\n\tumulh\tx11,x13,x24\n\n\tadcs\tx10,x10,x9\n\tmul\tx8,x4,x3\n\tadc\tx11,x11,xzr\n\tmul\tx9,x5,x3\n\n\tadds\tx14,x15,x10\n\tmul\tx10,x6,x3\n\tadcs\tx15,x16,x11\n\tmul\tx11,x7,x3\n\tadcs\tx16,x17,x24\n\tadcs\tx17,x19,x24\n\tadc\tx19,x20,xzr\n\n\tadds\tx14,x14,x8\t\t// accumulate low parts\n\tumulh\tx8,x4,x3\n\tadcs\tx15,x15,x9\n\tumulh\tx9,x5,x3\n\tadcs\tx16,x16,x10\n\tumulh\tx10,x6,x3\n\tadcs\tx17,x17,x11\n\tumulh\tx11,x7,x3\n\tadc\tx19,x19,xzr\n\tmul\tx24,x14,x23\n\tadds\tx15,x15,x8\t\t// accumulate high parts\n\tadcs\tx16,x16,x9\n\tadcs\tx17,x17,x10\n\tadcs\tx19,x19,x11\n\tadc\tx20,xzr,xzr\n\tldr\tx3,[x2,#8*2]\t\t// b[i]\n\n\tlsl\tx8,x24,#32\n\tsubs\tx16,x16,x24\n\tlsr\tx9,x24,#32\n\tsbcs\tx17,x17,x8\n\tsbcs\tx19,x19,x9\n\tsbc\tx20,x20,xzr\n\n\tsubs\txzr,x14,#1\n\tumulh\tx9,x12,x24\n\tmul\tx10,x13,x24\n\tumulh\tx11,x13,x24\n\n\tadcs\tx10,x10,x9\n\tmul\tx8,x4,x3\n\tadc\tx11,x11,xzr\n\tmul\tx9,x5,x3\n\n\tadds\tx14,x15,x10\n\tmul\tx10,x6,x3\n\tadcs\tx15,x16,x11\n\tmul\tx11,x7,x3\n\tadcs\tx16,x17,x24\n\tadcs\tx17,x19,x24\n\tadc\tx19,x20,xzr\n\n\tadds\tx14,x14,x8\t\t// accumulate low parts\n\tumulh\tx8,x4,x3\n\tadcs\tx15,x15,x9\n\tumulh\tx9,x5,x3\n\tadcs\tx16,x16,x10\n\tumulh\tx10,x6,x3\n\tadcs\tx17,x17,x11\n\tumulh\tx11,x7,x3\n\tadc\tx19,x19,xzr\n\tmul\tx24,x14,x23\n\tadds\tx15,x15,x8\t\t// accumulate high parts\n\tadcs\tx16,x16,x9\n\tadcs\tx17,x17,x10\n\tadcs\tx19,x19,x11\n\tadc\tx20,xzr,xzr\n\tldr\tx3,[x2,#8*3]\t\t// b[i]\n\n\tlsl\tx8,x24,#32\n\tsubs\tx16,x16,x24\n\tlsr\tx9,x24,#32\n\tsbcs\tx17,x17,x8\n\tsbcs\tx19,x19,x9\n\tsbc\tx20,x20,xzr\n\n\tsubs\txzr,x14,#1\n\tumulh\tx9,x12,x24\n\tmul\tx10,x13,x24\n\tumulh\tx11,x13,x24\n\n\tadcs\tx10,x10,x9\n\tmul\tx8,x4,x3\n\tadc\tx11,x11,xzr\n\tmul\tx9,x5,x3\n\n\tadds\tx14,x15,x10\n\tmul\tx10,x6,x3\n\tadcs\tx15,x16,x11\n\tmul\tx11,x7,x3\n\tadcs\tx16,x17,x24\n\tadcs\tx17,x19,x24\n\tadc\tx19,x20,xzr\n\n\tadds\tx14,x14,x8\t\t// accumulate low parts\n\tumulh\tx8,x4,x3\n\tadcs\tx15,x15,x9\n\tumulh\tx9,x5,x3\n\tadcs\tx16,x16,x10\n\tumulh\tx10,x6,x3\n\tadcs\tx17,x17,x11\n\tumulh\tx11,x7,x3\n\tadc\tx19,x19,xzr\n\tmul\tx24,x14,x23\n\tadds\tx15,x15,x8\t\t// accumulate high parts\n\tadcs\tx16,x16,x9\n\tadcs\tx17,x17,x10\n\tadcs\tx19,x19,x11\n\tadc\tx20,xzr,xzr\n\tlsl\tx8,x24,#32\t\t// last reduction\n\tsubs\tx16,x16,x24\n\tlsr\tx9,x24,#32\n\tsbcs\tx17,x17,x8\n\tsbcs\tx19,x19,x9\n\tsbc\tx20,x20,xzr\n\n\tsubs\txzr,x14,#1\n\tumulh\tx9,x12,x24\n\tmul\tx10,x13,x24\n\tumulh\tx11,x13,x24\n\n\tadcs\tx10,x10,x9\n\tadc\tx11,x11,xzr\n\n\tadds\tx14,x15,x10\n\tadcs\tx15,x16,x11\n\tadcs\tx16,x17,x24\n\tadcs\tx17,x19,x24\n\tadc\tx19,x20,xzr\n\n\tsubs\tx8,x14,x12\t\t// ret -= modulus\n\tsbcs\tx9,x15,x13\n\tsbcs\tx10,x16,x21\n\tsbcs\tx11,x17,x22\n\tsbcs\txzr,x19,xzr\n\n\tcsel\tx14,x14,x8,lo\t// ret = borrow ? ret : ret-modulus\n\tcsel\tx15,x15,x9,lo\n\tcsel\tx16,x16,x10,lo\n\tstp\tx14,x15,[x0]\n\tcsel\tx17,x17,x11,lo\n\tstp\tx16,x17,[x0,#16]\n\n\tldp\tx19,x20,[sp,#16]\n\tldp\tx21,x22,[sp,#32]\n\tldp\tx23,x24,[sp,#48]\n\tldr\tx29,[sp],#64\n\tret\n.size\tecp_nistz256_ord_mul_mont,.-ecp_nistz256_ord_mul_mont\n\n////////////////////////////////////////////////////////////////////////\n// void ecp_nistz256_ord_sqr_mont(uint64_t res[4], uint64_t a[4],\n// uint64_t rep);\n.globl\tecp_nistz256_ord_sqr_mont\n.hidden\tecp_nistz256_ord_sqr_mont\n.type\tecp_nistz256_ord_sqr_mont,%function\n.align\t4\necp_nistz256_ord_sqr_mont:\n\tAARCH64_VALID_CALL_TARGET\n\t// Armv8.3-A PAuth: even though x30 is pushed to stack it is not popped later.\n\tstp\tx29,x30,[sp,#-64]!\n\tadd\tx29,sp,#0\n\tstp\tx19,x20,[sp,#16]\n\tstp\tx21,x22,[sp,#32]\n\tstp\tx23,x24,[sp,#48]\n\n\tadrp\tx23,.Lord\n\tadd\tx23,x23,:lo12:.Lord\n\tldp\tx4,x5,[x1]\n\tldp\tx6,x7,[x1,#16]\n\n\tldp\tx12,x13,[x23,#0]\n\tldp\tx21,x22,[x23,#16]\n\tldr\tx23,[x23,#32]\n\tb\t.Loop_ord_sqr\n\n.align\t4\n.Loop_ord_sqr:\n\tsub\tx2,x2,#1\n\t////////////////////////////////////////////////////////////////\n\t// | | | | | |a1*a0| |\n\t// | | | | |a2*a0| | |\n\t// | |a3*a2|a3*a0| | | |\n\t// | | | |a2*a1| | | |\n\t// | | |a3*a1| | | | |\n\t// *| | | | | | | | 2|\n\t// +|a3*a3|a2*a2|a1*a1|a0*a0|\n\t// |--+--+--+--+--+--+--+--|\n\t// |A7|A6|A5|A4|A3|A2|A1|A0|, where Ax is , i.e. follow \n\t//\n\t// \"can't overflow\" below mark carrying into high part of\n\t// multiplication result, which can't overflow, because it\n\t// can never be all ones.\n\n\tmul\tx15,x5,x4\t\t// a[1]*a[0]\n\tumulh\tx9,x5,x4\n\tmul\tx16,x6,x4\t\t// a[2]*a[0]\n\tumulh\tx10,x6,x4\n\tmul\tx17,x7,x4\t\t// a[3]*a[0]\n\tumulh\tx19,x7,x4\n\n\tadds\tx16,x16,x9\t\t// accumulate high parts of multiplication\n\tmul\tx8,x6,x5\t\t// a[2]*a[1]\n\tumulh\tx9,x6,x5\n\tadcs\tx17,x17,x10\n\tmul\tx10,x7,x5\t\t// a[3]*a[1]\n\tumulh\tx11,x7,x5\n\tadc\tx19,x19,xzr\t\t// can't overflow\n\n\tmul\tx20,x7,x6\t\t// a[3]*a[2]\n\tumulh\tx1,x7,x6\n\n\tadds\tx9,x9,x10\t\t// accumulate high parts of multiplication\n\tmul\tx14,x4,x4\t\t// a[0]*a[0]\n\tadc\tx10,x11,xzr\t\t// can't overflow\n\n\tadds\tx17,x17,x8\t\t// accumulate low parts of multiplication\n\tumulh\tx4,x4,x4\n\tadcs\tx19,x19,x9\n\tmul\tx9,x5,x5\t\t// a[1]*a[1]\n\tadcs\tx20,x20,x10\n\tumulh\tx5,x5,x5\n\tadc\tx1,x1,xzr\t\t// can't overflow\n\n\tadds\tx15,x15,x15\t// acc[1-6]*=2\n\tmul\tx10,x6,x6\t\t// a[2]*a[2]\n\tadcs\tx16,x16,x16\n\tumulh\tx6,x6,x6\n\tadcs\tx17,x17,x17\n\tmul\tx11,x7,x7\t\t// a[3]*a[3]\n\tadcs\tx19,x19,x19\n\tumulh\tx7,x7,x7\n\tadcs\tx20,x20,x20\n\tadcs\tx1,x1,x1\n\tadc\tx3,xzr,xzr\n\n\tadds\tx15,x15,x4\t\t// +a[i]*a[i]\n\tmul\tx24,x14,x23\n\tadcs\tx16,x16,x9\n\tadcs\tx17,x17,x5\n\tadcs\tx19,x19,x10\n\tadcs\tx20,x20,x6\n\tadcs\tx1,x1,x11\n\tadc\tx3,x3,x7\n\tsubs\txzr,x14,#1\n\tumulh\tx9,x12,x24\n\tmul\tx10,x13,x24\n\tumulh\tx11,x13,x24\n\n\tadcs\tx10,x10,x9\n\tadc\tx11,x11,xzr\n\n\tadds\tx14,x15,x10\n\tadcs\tx15,x16,x11\n\tadcs\tx16,x17,x24\n\tadc\tx17,xzr,x24\t\t// can't overflow\n\tmul\tx11,x14,x23\n\tlsl\tx8,x24,#32\n\tsubs\tx15,x15,x24\n\tlsr\tx9,x24,#32\n\tsbcs\tx16,x16,x8\n\tsbc\tx17,x17,x9\t\t// can't borrow\n\tsubs\txzr,x14,#1\n\tumulh\tx9,x12,x11\n\tmul\tx10,x13,x11\n\tumulh\tx24,x13,x11\n\n\tadcs\tx10,x10,x9\n\tadc\tx24,x24,xzr\n\n\tadds\tx14,x15,x10\n\tadcs\tx15,x16,x24\n\tadcs\tx16,x17,x11\n\tadc\tx17,xzr,x11\t\t// can't overflow\n\tmul\tx24,x14,x23\n\tlsl\tx8,x11,#32\n\tsubs\tx15,x15,x11\n\tlsr\tx9,x11,#32\n\tsbcs\tx16,x16,x8\n\tsbc\tx17,x17,x9\t\t// can't borrow\n\tsubs\txzr,x14,#1\n\tumulh\tx9,x12,x24\n\tmul\tx10,x13,x24\n\tumulh\tx11,x13,x24\n\n\tadcs\tx10,x10,x9\n\tadc\tx11,x11,xzr\n\n\tadds\tx14,x15,x10\n\tadcs\tx15,x16,x11\n\tadcs\tx16,x17,x24\n\tadc\tx17,xzr,x24\t\t// can't overflow\n\tmul\tx11,x14,x23\n\tlsl\tx8,x24,#32\n\tsubs\tx15,x15,x24\n\tlsr\tx9,x24,#32\n\tsbcs\tx16,x16,x8\n\tsbc\tx17,x17,x9\t\t// can't borrow\n\tsubs\txzr,x14,#1\n\tumulh\tx9,x12,x11\n\tmul\tx10,x13,x11\n\tumulh\tx24,x13,x11\n\n\tadcs\tx10,x10,x9\n\tadc\tx24,x24,xzr\n\n\tadds\tx14,x15,x10\n\tadcs\tx15,x16,x24\n\tadcs\tx16,x17,x11\n\tadc\tx17,xzr,x11\t\t// can't overflow\n\tlsl\tx8,x11,#32\n\tsubs\tx15,x15,x11\n\tlsr\tx9,x11,#32\n\tsbcs\tx16,x16,x8\n\tsbc\tx17,x17,x9\t\t// can't borrow\n\tadds\tx14,x14,x19\t// accumulate upper half\n\tadcs\tx15,x15,x20\n\tadcs\tx16,x16,x1\n\tadcs\tx17,x17,x3\n\tadc\tx19,xzr,xzr\n\n\tsubs\tx8,x14,x12\t\t// ret -= modulus\n\tsbcs\tx9,x15,x13\n\tsbcs\tx10,x16,x21\n\tsbcs\tx11,x17,x22\n\tsbcs\txzr,x19,xzr\n\n\tcsel\tx4,x14,x8,lo\t// ret = borrow ? ret : ret-modulus\n\tcsel\tx5,x15,x9,lo\n\tcsel\tx6,x16,x10,lo\n\tcsel\tx7,x17,x11,lo\n\n\tcbnz\tx2,.Loop_ord_sqr\n\n\tstp\tx4,x5,[x0]\n\tstp\tx6,x7,[x0,#16]\n\n\tldp\tx19,x20,[sp,#16]\n\tldp\tx21,x22,[sp,#32]\n\tldp\tx23,x24,[sp,#48]\n\tldr\tx29,[sp],#64\n\tret\n.size\tecp_nistz256_ord_sqr_mont,.-ecp_nistz256_ord_sqr_mont\n////////////////////////////////////////////////////////////////////////\n// void ecp_nistz256_select_w5(uint64_t *val, uint64_t *in_t, int index);\n.globl\tecp_nistz256_select_w5\n.hidden\tecp_nistz256_select_w5\n.type\tecp_nistz256_select_w5,%function\n.align\t4\necp_nistz256_select_w5:\n\tAARCH64_VALID_CALL_TARGET\n\n // x10 := x0\n // w9 := 0; loop counter and incremented internal index\n\tmov\tx10, x0\n\tmov\tw9, #0\n\n // [v16-v21] := 0\n\tmovi\tv16.16b, #0\n\tmovi\tv17.16b, #0\n\tmovi\tv18.16b, #0\n\tmovi\tv19.16b, #0\n\tmovi\tv20.16b, #0\n\tmovi\tv21.16b, #0\n\n.Lselect_w5_loop:\n // Loop 16 times.\n\n // Increment index (loop counter); tested at the end of the loop\n\tadd\tw9, w9, #1\n\n // [v22-v27] := Load a (3*256-bit = 6*128-bit) table entry starting at x1\n // and advance x1 to point to the next entry\n\tld1\t{v22.2d, v23.2d, v24.2d, v25.2d}, [x1],#64\n\n // x11 := (w9 == w2)? All 1s : All 0s\n\tcmp\tw9, w2\n\tcsetm\tx11, eq\n\n // continue loading ...\n\tld1\t{v26.2d, v27.2d}, [x1],#32\n\n // duplicate mask_64 into Mask (all 0s or all 1s)\n\tdup\tv3.2d, x11\n\n // [v16-v19] := (Mask == all 1s)? [v22-v25] : [v16-v19]\n // i.e., values in output registers will remain the same if w9 != w2\n\tbit\tv16.16b, v22.16b, v3.16b\n\tbit\tv17.16b, v23.16b, v3.16b\n\n\tbit\tv18.16b, v24.16b, v3.16b\n\tbit\tv19.16b, v25.16b, v3.16b\n\n\tbit\tv20.16b, v26.16b, v3.16b\n\tbit\tv21.16b, v27.16b, v3.16b\n\n // If bit #4 is not 0 (i.e. idx_ctr < 16) loop back\n\ttbz\tw9, #4, .Lselect_w5_loop\n\n // Write [v16-v21] to memory at the output pointer\n\tst1\t{v16.2d, v17.2d, v18.2d, v19.2d}, [x10],#64\n\tst1\t{v20.2d, v21.2d}, [x10]\n\n\tret\n.size\tecp_nistz256_select_w5,.-ecp_nistz256_select_w5\n\n\n////////////////////////////////////////////////////////////////////////\n// void ecp_nistz256_select_w7(uint64_t *val, uint64_t *in_t, int index);\n.globl\tecp_nistz256_select_w7\n.hidden\tecp_nistz256_select_w7\n.type\tecp_nistz256_select_w7,%function\n.align\t4\necp_nistz256_select_w7:\n\tAARCH64_VALID_CALL_TARGET\n\n // w9 := 0; loop counter and incremented internal index\n\tmov\tw9, #0\n\n // [v16-v21] := 0\n\tmovi\tv16.16b, #0\n\tmovi\tv17.16b, #0\n\tmovi\tv18.16b, #0\n\tmovi\tv19.16b, #0\n\n.Lselect_w7_loop:\n // Loop 64 times.\n\n // Increment index (loop counter); tested at the end of the loop\n\tadd\tw9, w9, #1\n\n // [v22-v25] := Load a (2*256-bit = 4*128-bit) table entry starting at x1\n // and advance x1 to point to the next entry\n\tld1\t{v22.2d, v23.2d, v24.2d, v25.2d}, [x1],#64\n\n // x11 := (w9 == w2)? All 1s : All 0s\n\tcmp\tw9, w2\n\tcsetm\tx11, eq\n\n // duplicate mask_64 into Mask (all 0s or all 1s)\n\tdup\tv3.2d, x11\n\n // [v16-v19] := (Mask == all 1s)? [v22-v25] : [v16-v19]\n // i.e., values in output registers will remain the same if w9 != w2\n\tbit\tv16.16b, v22.16b, v3.16b\n\tbit\tv17.16b, v23.16b, v3.16b\n\n\tbit\tv18.16b, v24.16b, v3.16b\n\tbit\tv19.16b, v25.16b, v3.16b\n\n // If bit #6 is not 0 (i.e. idx_ctr < 64) loop back\n\ttbz\tw9, #6, .Lselect_w7_loop\n\n // Write [v16-v19] to memory at the output pointer\n\tst1\t{v16.2d, v17.2d, v18.2d, v19.2d}, [x0]\n\n\tret\n.size\tecp_nistz256_select_w7,.-ecp_nistz256_select_w7\n#endif // !OPENSSL_NO_ASM && defined(OPENSSL_AARCH64) && defined(__ELF__)\n#if defined(__linux__) && defined(__ELF__)\n.section .note.GNU-stack,\"\",%progbits\n#endif\n\n" }, { "path": "Sources/CNIOBoringSSL/gen/bcm/p256-armv8-asm-win.S", "content": "#define BORINGSSL_PREFIX CNIOBoringSSL\n// This file is generated from a similarly-named Perl script in the BoringSSL\n// source tree. Do not edit by hand.\n\n#include \n\n#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_AARCH64) && defined(_WIN32)\n#include \"CNIOBoringSSL_arm_arch.h\"\n\n.section\t.rodata\n.align\t5\nLpoly:\n.quad\t0xffffffffffffffff,0x00000000ffffffff,0x0000000000000000,0xffffffff00000001\nLRR:\t//\t2^512 mod P precomputed for NIST P256 polynomial\n.quad\t0x0000000000000003,0xfffffffbffffffff,0xfffffffffffffffe,0x00000004fffffffd\nLone_mont:\n.quad\t0x0000000000000001,0xffffffff00000000,0xffffffffffffffff,0x00000000fffffffe\nLone:\n.quad\t1,0,0,0\nLord:\n.quad\t0xf3b9cac2fc632551,0xbce6faada7179e84,0xffffffffffffffff,0xffffffff00000000\nLordK:\n.quad\t0xccd1c8aaee00bc4f\n.byte\t69,67,80,95,78,73,83,84,90,50,53,54,32,102,111,114,32,65,82,77,118,56,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0\n.align\t2\n.text\n\n// void\tecp_nistz256_mul_mont(BN_ULONG x0[4],const BN_ULONG x1[4],\n//\t\t\t\t\t const BN_ULONG x2[4]);\n.globl\tecp_nistz256_mul_mont\n\n.def ecp_nistz256_mul_mont\n .type 32\n.endef\n.align\t4\necp_nistz256_mul_mont:\n\tAARCH64_SIGN_LINK_REGISTER\n\tstp\tx29,x30,[sp,#-32]!\n\tadd\tx29,sp,#0\n\tstp\tx19,x20,[sp,#16]\n\n\tldr\tx3,[x2]\t\t// bp[0]\n\tldp\tx4,x5,[x1]\n\tldp\tx6,x7,[x1,#16]\n\tadrp\tx13,Lpoly\n\tadd\tx13,x13,:lo12:Lpoly\n\tldr\tx12,[x13,#8]\n\tldr\tx13,[x13,#24]\n\n\tbl\t__ecp_nistz256_mul_mont\n\n\tldp\tx19,x20,[sp,#16]\n\tldp\tx29,x30,[sp],#32\n\tAARCH64_VALIDATE_LINK_REGISTER\n\tret\n\n\n// void\tecp_nistz256_sqr_mont(BN_ULONG x0[4],const BN_ULONG x1[4]);\n.globl\tecp_nistz256_sqr_mont\n\n.def ecp_nistz256_sqr_mont\n .type 32\n.endef\n.align\t4\necp_nistz256_sqr_mont:\n\tAARCH64_SIGN_LINK_REGISTER\n\tstp\tx29,x30,[sp,#-32]!\n\tadd\tx29,sp,#0\n\tstp\tx19,x20,[sp,#16]\n\n\tldp\tx4,x5,[x1]\n\tldp\tx6,x7,[x1,#16]\n\tadrp\tx13,Lpoly\n\tadd\tx13,x13,:lo12:Lpoly\n\tldr\tx12,[x13,#8]\n\tldr\tx13,[x13,#24]\n\n\tbl\t__ecp_nistz256_sqr_mont\n\n\tldp\tx19,x20,[sp,#16]\n\tldp\tx29,x30,[sp],#32\n\tAARCH64_VALIDATE_LINK_REGISTER\n\tret\n\n\n// void\tecp_nistz256_div_by_2(BN_ULONG x0[4],const BN_ULONG x1[4]);\n.globl\tecp_nistz256_div_by_2\n\n.def ecp_nistz256_div_by_2\n .type 32\n.endef\n.align\t4\necp_nistz256_div_by_2:\n\tAARCH64_SIGN_LINK_REGISTER\n\tstp\tx29,x30,[sp,#-16]!\n\tadd\tx29,sp,#0\n\n\tldp\tx14,x15,[x1]\n\tldp\tx16,x17,[x1,#16]\n\tadrp\tx13,Lpoly\n\tadd\tx13,x13,:lo12:Lpoly\n\tldr\tx12,[x13,#8]\n\tldr\tx13,[x13,#24]\n\n\tbl\t__ecp_nistz256_div_by_2\n\n\tldp\tx29,x30,[sp],#16\n\tAARCH64_VALIDATE_LINK_REGISTER\n\tret\n\n\n// void\tecp_nistz256_mul_by_2(BN_ULONG x0[4],const BN_ULONG x1[4]);\n.globl\tecp_nistz256_mul_by_2\n\n.def ecp_nistz256_mul_by_2\n .type 32\n.endef\n.align\t4\necp_nistz256_mul_by_2:\n\tAARCH64_SIGN_LINK_REGISTER\n\tstp\tx29,x30,[sp,#-16]!\n\tadd\tx29,sp,#0\n\n\tldp\tx14,x15,[x1]\n\tldp\tx16,x17,[x1,#16]\n\tadrp\tx13,Lpoly\n\tadd\tx13,x13,:lo12:Lpoly\n\tldr\tx12,[x13,#8]\n\tldr\tx13,[x13,#24]\n\tmov\tx8,x14\n\tmov\tx9,x15\n\tmov\tx10,x16\n\tmov\tx11,x17\n\n\tbl\t__ecp_nistz256_add_to\t// ret = a+a\t// 2*a\n\n\tldp\tx29,x30,[sp],#16\n\tAARCH64_VALIDATE_LINK_REGISTER\n\tret\n\n\n// void\tecp_nistz256_mul_by_3(BN_ULONG x0[4],const BN_ULONG x1[4]);\n.globl\tecp_nistz256_mul_by_3\n\n.def ecp_nistz256_mul_by_3\n .type 32\n.endef\n.align\t4\necp_nistz256_mul_by_3:\n\tAARCH64_SIGN_LINK_REGISTER\n\tstp\tx29,x30,[sp,#-16]!\n\tadd\tx29,sp,#0\n\n\tldp\tx14,x15,[x1]\n\tldp\tx16,x17,[x1,#16]\n\tadrp\tx13,Lpoly\n\tadd\tx13,x13,:lo12:Lpoly\n\tldr\tx12,[x13,#8]\n\tldr\tx13,[x13,#24]\n\tmov\tx8,x14\n\tmov\tx9,x15\n\tmov\tx10,x16\n\tmov\tx11,x17\n\tmov\tx4,x14\n\tmov\tx5,x15\n\tmov\tx6,x16\n\tmov\tx7,x17\n\n\tbl\t__ecp_nistz256_add_to\t// ret = a+a\t// 2*a\n\n\tmov\tx8,x4\n\tmov\tx9,x5\n\tmov\tx10,x6\n\tmov\tx11,x7\n\n\tbl\t__ecp_nistz256_add_to\t// ret += a\t// 2*a+a=3*a\n\n\tldp\tx29,x30,[sp],#16\n\tAARCH64_VALIDATE_LINK_REGISTER\n\tret\n\n\n// void\tecp_nistz256_sub(BN_ULONG x0[4],const BN_ULONG x1[4],\n//\t\t\t\t const BN_ULONG x2[4]);\n.globl\tecp_nistz256_sub\n\n.def ecp_nistz256_sub\n .type 32\n.endef\n.align\t4\necp_nistz256_sub:\n\tAARCH64_SIGN_LINK_REGISTER\n\tstp\tx29,x30,[sp,#-16]!\n\tadd\tx29,sp,#0\n\n\tldp\tx14,x15,[x1]\n\tldp\tx16,x17,[x1,#16]\n\tadrp\tx13,Lpoly\n\tadd\tx13,x13,:lo12:Lpoly\n\tldr\tx12,[x13,#8]\n\tldr\tx13,[x13,#24]\n\n\tbl\t__ecp_nistz256_sub_from\n\n\tldp\tx29,x30,[sp],#16\n\tAARCH64_VALIDATE_LINK_REGISTER\n\tret\n\n\n// void\tecp_nistz256_neg(BN_ULONG x0[4],const BN_ULONG x1[4]);\n.globl\tecp_nistz256_neg\n\n.def ecp_nistz256_neg\n .type 32\n.endef\n.align\t4\necp_nistz256_neg:\n\tAARCH64_SIGN_LINK_REGISTER\n\tstp\tx29,x30,[sp,#-16]!\n\tadd\tx29,sp,#0\n\n\tmov\tx2,x1\n\tmov\tx14,xzr\t\t// a = 0\n\tmov\tx15,xzr\n\tmov\tx16,xzr\n\tmov\tx17,xzr\n\tadrp\tx13,Lpoly\n\tadd\tx13,x13,:lo12:Lpoly\n\tldr\tx12,[x13,#8]\n\tldr\tx13,[x13,#24]\n\n\tbl\t__ecp_nistz256_sub_from\n\n\tldp\tx29,x30,[sp],#16\n\tAARCH64_VALIDATE_LINK_REGISTER\n\tret\n\n\n// note that __ecp_nistz256_mul_mont expects a[0-3] input pre-loaded\n// to x4-x7 and b[0] - to x3\n.def __ecp_nistz256_mul_mont\n .type 32\n.endef\n.align\t4\n__ecp_nistz256_mul_mont:\n\tmul\tx14,x4,x3\t\t// a[0]*b[0]\n\tumulh\tx8,x4,x3\n\n\tmul\tx15,x5,x3\t\t// a[1]*b[0]\n\tumulh\tx9,x5,x3\n\n\tmul\tx16,x6,x3\t\t// a[2]*b[0]\n\tumulh\tx10,x6,x3\n\n\tmul\tx17,x7,x3\t\t// a[3]*b[0]\n\tumulh\tx11,x7,x3\n\tldr\tx3,[x2,#8]\t\t// b[1]\n\n\tadds\tx15,x15,x8\t\t// accumulate high parts of multiplication\n\tlsl\tx8,x14,#32\n\tadcs\tx16,x16,x9\n\tlsr\tx9,x14,#32\n\tadcs\tx17,x17,x10\n\tadc\tx19,xzr,x11\n\tmov\tx20,xzr\n\tsubs\tx10,x14,x8\t\t// \"*0xffff0001\"\n\tsbc\tx11,x14,x9\n\tadds\tx14,x15,x8\t\t// +=acc[0]<<96 and omit acc[0]\n\tmul\tx8,x4,x3\t\t// lo(a[0]*b[i])\n\tadcs\tx15,x16,x9\n\tmul\tx9,x5,x3\t\t// lo(a[1]*b[i])\n\tadcs\tx16,x17,x10\t\t// +=acc[0]*0xffff0001\n\tmul\tx10,x6,x3\t\t// lo(a[2]*b[i])\n\tadcs\tx17,x19,x11\n\tmul\tx11,x7,x3\t\t// lo(a[3]*b[i])\n\tadc\tx19,x20,xzr\n\n\tadds\tx14,x14,x8\t\t// accumulate low parts of multiplication\n\tumulh\tx8,x4,x3\t\t// hi(a[0]*b[i])\n\tadcs\tx15,x15,x9\n\tumulh\tx9,x5,x3\t\t// hi(a[1]*b[i])\n\tadcs\tx16,x16,x10\n\tumulh\tx10,x6,x3\t\t// hi(a[2]*b[i])\n\tadcs\tx17,x17,x11\n\tumulh\tx11,x7,x3\t\t// hi(a[3]*b[i])\n\tadc\tx19,x19,xzr\n\tldr\tx3,[x2,#8*(1+1)]\t// b[1+1]\n\tadds\tx15,x15,x8\t\t// accumulate high parts of multiplication\n\tlsl\tx8,x14,#32\n\tadcs\tx16,x16,x9\n\tlsr\tx9,x14,#32\n\tadcs\tx17,x17,x10\n\tadcs\tx19,x19,x11\n\tadc\tx20,xzr,xzr\n\tsubs\tx10,x14,x8\t\t// \"*0xffff0001\"\n\tsbc\tx11,x14,x9\n\tadds\tx14,x15,x8\t\t// +=acc[0]<<96 and omit acc[0]\n\tmul\tx8,x4,x3\t\t// lo(a[0]*b[i])\n\tadcs\tx15,x16,x9\n\tmul\tx9,x5,x3\t\t// lo(a[1]*b[i])\n\tadcs\tx16,x17,x10\t\t// +=acc[0]*0xffff0001\n\tmul\tx10,x6,x3\t\t// lo(a[2]*b[i])\n\tadcs\tx17,x19,x11\n\tmul\tx11,x7,x3\t\t// lo(a[3]*b[i])\n\tadc\tx19,x20,xzr\n\n\tadds\tx14,x14,x8\t\t// accumulate low parts of multiplication\n\tumulh\tx8,x4,x3\t\t// hi(a[0]*b[i])\n\tadcs\tx15,x15,x9\n\tumulh\tx9,x5,x3\t\t// hi(a[1]*b[i])\n\tadcs\tx16,x16,x10\n\tumulh\tx10,x6,x3\t\t// hi(a[2]*b[i])\n\tadcs\tx17,x17,x11\n\tumulh\tx11,x7,x3\t\t// hi(a[3]*b[i])\n\tadc\tx19,x19,xzr\n\tldr\tx3,[x2,#8*(2+1)]\t// b[2+1]\n\tadds\tx15,x15,x8\t\t// accumulate high parts of multiplication\n\tlsl\tx8,x14,#32\n\tadcs\tx16,x16,x9\n\tlsr\tx9,x14,#32\n\tadcs\tx17,x17,x10\n\tadcs\tx19,x19,x11\n\tadc\tx20,xzr,xzr\n\tsubs\tx10,x14,x8\t\t// \"*0xffff0001\"\n\tsbc\tx11,x14,x9\n\tadds\tx14,x15,x8\t\t// +=acc[0]<<96 and omit acc[0]\n\tmul\tx8,x4,x3\t\t// lo(a[0]*b[i])\n\tadcs\tx15,x16,x9\n\tmul\tx9,x5,x3\t\t// lo(a[1]*b[i])\n\tadcs\tx16,x17,x10\t\t// +=acc[0]*0xffff0001\n\tmul\tx10,x6,x3\t\t// lo(a[2]*b[i])\n\tadcs\tx17,x19,x11\n\tmul\tx11,x7,x3\t\t// lo(a[3]*b[i])\n\tadc\tx19,x20,xzr\n\n\tadds\tx14,x14,x8\t\t// accumulate low parts of multiplication\n\tumulh\tx8,x4,x3\t\t// hi(a[0]*b[i])\n\tadcs\tx15,x15,x9\n\tumulh\tx9,x5,x3\t\t// hi(a[1]*b[i])\n\tadcs\tx16,x16,x10\n\tumulh\tx10,x6,x3\t\t// hi(a[2]*b[i])\n\tadcs\tx17,x17,x11\n\tumulh\tx11,x7,x3\t\t// hi(a[3]*b[i])\n\tadc\tx19,x19,xzr\n\tadds\tx15,x15,x8\t\t// accumulate high parts of multiplication\n\tlsl\tx8,x14,#32\n\tadcs\tx16,x16,x9\n\tlsr\tx9,x14,#32\n\tadcs\tx17,x17,x10\n\tadcs\tx19,x19,x11\n\tadc\tx20,xzr,xzr\n\t// last reduction\n\tsubs\tx10,x14,x8\t\t// \"*0xffff0001\"\n\tsbc\tx11,x14,x9\n\tadds\tx14,x15,x8\t\t// +=acc[0]<<96 and omit acc[0]\n\tadcs\tx15,x16,x9\n\tadcs\tx16,x17,x10\t\t// +=acc[0]*0xffff0001\n\tadcs\tx17,x19,x11\n\tadc\tx19,x20,xzr\n\n\tadds\tx8,x14,#1\t\t// subs\tx8,x14,#-1 // tmp = ret-modulus\n\tsbcs\tx9,x15,x12\n\tsbcs\tx10,x16,xzr\n\tsbcs\tx11,x17,x13\n\tsbcs\txzr,x19,xzr\t\t// did it borrow?\n\n\tcsel\tx14,x14,x8,lo\t// ret = borrow ? ret : ret-modulus\n\tcsel\tx15,x15,x9,lo\n\tcsel\tx16,x16,x10,lo\n\tstp\tx14,x15,[x0]\n\tcsel\tx17,x17,x11,lo\n\tstp\tx16,x17,[x0,#16]\n\n\tret\n\n\n// note that __ecp_nistz256_sqr_mont expects a[0-3] input pre-loaded\n// to x4-x7\n.def __ecp_nistz256_sqr_mont\n .type 32\n.endef\n.align\t4\n__ecp_nistz256_sqr_mont:\n\t// | | | | | |a1*a0| |\n\t// | | | | |a2*a0| | |\n\t// | |a3*a2|a3*a0| | | |\n\t// | | | |a2*a1| | | |\n\t// | | |a3*a1| | | | |\n\t// *| | | | | | | | 2|\n\t// +|a3*a3|a2*a2|a1*a1|a0*a0|\n\t// |--+--+--+--+--+--+--+--|\n\t// |A7|A6|A5|A4|A3|A2|A1|A0|, where Ax is , i.e. follow \n\t//\n\t// \"can't overflow\" below mark carrying into high part of\n\t// multiplication result, which can't overflow, because it\n\t// can never be all ones.\n\n\tmul\tx15,x5,x4\t\t// a[1]*a[0]\n\tumulh\tx9,x5,x4\n\tmul\tx16,x6,x4\t\t// a[2]*a[0]\n\tumulh\tx10,x6,x4\n\tmul\tx17,x7,x4\t\t// a[3]*a[0]\n\tumulh\tx19,x7,x4\n\n\tadds\tx16,x16,x9\t\t// accumulate high parts of multiplication\n\tmul\tx8,x6,x5\t\t// a[2]*a[1]\n\tumulh\tx9,x6,x5\n\tadcs\tx17,x17,x10\n\tmul\tx10,x7,x5\t\t// a[3]*a[1]\n\tumulh\tx11,x7,x5\n\tadc\tx19,x19,xzr\t\t// can't overflow\n\n\tmul\tx20,x7,x6\t\t// a[3]*a[2]\n\tumulh\tx1,x7,x6\n\n\tadds\tx9,x9,x10\t\t// accumulate high parts of multiplication\n\tmul\tx14,x4,x4\t\t// a[0]*a[0]\n\tadc\tx10,x11,xzr\t\t// can't overflow\n\n\tadds\tx17,x17,x8\t\t// accumulate low parts of multiplication\n\tumulh\tx4,x4,x4\n\tadcs\tx19,x19,x9\n\tmul\tx9,x5,x5\t\t// a[1]*a[1]\n\tadcs\tx20,x20,x10\n\tumulh\tx5,x5,x5\n\tadc\tx1,x1,xzr\t\t// can't overflow\n\n\tadds\tx15,x15,x15\t// acc[1-6]*=2\n\tmul\tx10,x6,x6\t\t// a[2]*a[2]\n\tadcs\tx16,x16,x16\n\tumulh\tx6,x6,x6\n\tadcs\tx17,x17,x17\n\tmul\tx11,x7,x7\t\t// a[3]*a[3]\n\tadcs\tx19,x19,x19\n\tumulh\tx7,x7,x7\n\tadcs\tx20,x20,x20\n\tadcs\tx1,x1,x1\n\tadc\tx2,xzr,xzr\n\n\tadds\tx15,x15,x4\t\t// +a[i]*a[i]\n\tadcs\tx16,x16,x9\n\tadcs\tx17,x17,x5\n\tadcs\tx19,x19,x10\n\tadcs\tx20,x20,x6\n\tlsl\tx8,x14,#32\n\tadcs\tx1,x1,x11\n\tlsr\tx9,x14,#32\n\tadc\tx2,x2,x7\n\tsubs\tx10,x14,x8\t\t// \"*0xffff0001\"\n\tsbc\tx11,x14,x9\n\tadds\tx14,x15,x8\t\t// +=acc[0]<<96 and omit acc[0]\n\tadcs\tx15,x16,x9\n\tlsl\tx8,x14,#32\n\tadcs\tx16,x17,x10\t\t// +=acc[0]*0xffff0001\n\tlsr\tx9,x14,#32\n\tadc\tx17,x11,xzr\t\t// can't overflow\n\tsubs\tx10,x14,x8\t\t// \"*0xffff0001\"\n\tsbc\tx11,x14,x9\n\tadds\tx14,x15,x8\t\t// +=acc[0]<<96 and omit acc[0]\n\tadcs\tx15,x16,x9\n\tlsl\tx8,x14,#32\n\tadcs\tx16,x17,x10\t\t// +=acc[0]*0xffff0001\n\tlsr\tx9,x14,#32\n\tadc\tx17,x11,xzr\t\t// can't overflow\n\tsubs\tx10,x14,x8\t\t// \"*0xffff0001\"\n\tsbc\tx11,x14,x9\n\tadds\tx14,x15,x8\t\t// +=acc[0]<<96 and omit acc[0]\n\tadcs\tx15,x16,x9\n\tlsl\tx8,x14,#32\n\tadcs\tx16,x17,x10\t\t// +=acc[0]*0xffff0001\n\tlsr\tx9,x14,#32\n\tadc\tx17,x11,xzr\t\t// can't overflow\n\tsubs\tx10,x14,x8\t\t// \"*0xffff0001\"\n\tsbc\tx11,x14,x9\n\tadds\tx14,x15,x8\t\t// +=acc[0]<<96 and omit acc[0]\n\tadcs\tx15,x16,x9\n\tadcs\tx16,x17,x10\t\t// +=acc[0]*0xffff0001\n\tadc\tx17,x11,xzr\t\t// can't overflow\n\n\tadds\tx14,x14,x19\t// accumulate upper half\n\tadcs\tx15,x15,x20\n\tadcs\tx16,x16,x1\n\tadcs\tx17,x17,x2\n\tadc\tx19,xzr,xzr\n\n\tadds\tx8,x14,#1\t\t// subs\tx8,x14,#-1 // tmp = ret-modulus\n\tsbcs\tx9,x15,x12\n\tsbcs\tx10,x16,xzr\n\tsbcs\tx11,x17,x13\n\tsbcs\txzr,x19,xzr\t\t// did it borrow?\n\n\tcsel\tx14,x14,x8,lo\t// ret = borrow ? ret : ret-modulus\n\tcsel\tx15,x15,x9,lo\n\tcsel\tx16,x16,x10,lo\n\tstp\tx14,x15,[x0]\n\tcsel\tx17,x17,x11,lo\n\tstp\tx16,x17,[x0,#16]\n\n\tret\n\n\n// Note that __ecp_nistz256_add_to expects both input vectors pre-loaded to\n// x4-x7 and x8-x11. This is done because it's used in multiple\n// contexts, e.g. in multiplication by 2 and 3...\n.def __ecp_nistz256_add_to\n .type 32\n.endef\n.align\t4\n__ecp_nistz256_add_to:\n\tadds\tx14,x14,x8\t\t// ret = a+b\n\tadcs\tx15,x15,x9\n\tadcs\tx16,x16,x10\n\tadcs\tx17,x17,x11\n\tadc\tx1,xzr,xzr\t\t// zap x1\n\n\tadds\tx8,x14,#1\t\t// subs\tx8,x4,#-1 // tmp = ret-modulus\n\tsbcs\tx9,x15,x12\n\tsbcs\tx10,x16,xzr\n\tsbcs\tx11,x17,x13\n\tsbcs\txzr,x1,xzr\t\t// did subtraction borrow?\n\n\tcsel\tx14,x14,x8,lo\t// ret = borrow ? ret : ret-modulus\n\tcsel\tx15,x15,x9,lo\n\tcsel\tx16,x16,x10,lo\n\tstp\tx14,x15,[x0]\n\tcsel\tx17,x17,x11,lo\n\tstp\tx16,x17,[x0,#16]\n\n\tret\n\n\n.def __ecp_nistz256_sub_from\n .type 32\n.endef\n.align\t4\n__ecp_nistz256_sub_from:\n\tldp\tx8,x9,[x2]\n\tldp\tx10,x11,[x2,#16]\n\tsubs\tx14,x14,x8\t\t// ret = a-b\n\tsbcs\tx15,x15,x9\n\tsbcs\tx16,x16,x10\n\tsbcs\tx17,x17,x11\n\tsbc\tx1,xzr,xzr\t\t// zap x1\n\n\tsubs\tx8,x14,#1\t\t// adds\tx8,x4,#-1 // tmp = ret+modulus\n\tadcs\tx9,x15,x12\n\tadcs\tx10,x16,xzr\n\tadc\tx11,x17,x13\n\tcmp\tx1,xzr\t\t\t// did subtraction borrow?\n\n\tcsel\tx14,x14,x8,eq\t// ret = borrow ? ret+modulus : ret\n\tcsel\tx15,x15,x9,eq\n\tcsel\tx16,x16,x10,eq\n\tstp\tx14,x15,[x0]\n\tcsel\tx17,x17,x11,eq\n\tstp\tx16,x17,[x0,#16]\n\n\tret\n\n\n.def __ecp_nistz256_sub_morf\n .type 32\n.endef\n.align\t4\n__ecp_nistz256_sub_morf:\n\tldp\tx8,x9,[x2]\n\tldp\tx10,x11,[x2,#16]\n\tsubs\tx14,x8,x14\t\t// ret = b-a\n\tsbcs\tx15,x9,x15\n\tsbcs\tx16,x10,x16\n\tsbcs\tx17,x11,x17\n\tsbc\tx1,xzr,xzr\t\t// zap x1\n\n\tsubs\tx8,x14,#1\t\t// adds\tx8,x4,#-1 // tmp = ret+modulus\n\tadcs\tx9,x15,x12\n\tadcs\tx10,x16,xzr\n\tadc\tx11,x17,x13\n\tcmp\tx1,xzr\t\t\t// did subtraction borrow?\n\n\tcsel\tx14,x14,x8,eq\t// ret = borrow ? ret+modulus : ret\n\tcsel\tx15,x15,x9,eq\n\tcsel\tx16,x16,x10,eq\n\tstp\tx14,x15,[x0]\n\tcsel\tx17,x17,x11,eq\n\tstp\tx16,x17,[x0,#16]\n\n\tret\n\n\n.def __ecp_nistz256_div_by_2\n .type 32\n.endef\n.align\t4\n__ecp_nistz256_div_by_2:\n\tsubs\tx8,x14,#1\t\t// adds\tx8,x4,#-1 // tmp = a+modulus\n\tadcs\tx9,x15,x12\n\tadcs\tx10,x16,xzr\n\tadcs\tx11,x17,x13\n\tadc\tx1,xzr,xzr\t\t// zap x1\n\ttst\tx14,#1\t\t// is a even?\n\n\tcsel\tx14,x14,x8,eq\t// ret = even ? a : a+modulus\n\tcsel\tx15,x15,x9,eq\n\tcsel\tx16,x16,x10,eq\n\tcsel\tx17,x17,x11,eq\n\tcsel\tx1,xzr,x1,eq\n\n\tlsr\tx14,x14,#1\t\t// ret >>= 1\n\torr\tx14,x14,x15,lsl#63\n\tlsr\tx15,x15,#1\n\torr\tx15,x15,x16,lsl#63\n\tlsr\tx16,x16,#1\n\torr\tx16,x16,x17,lsl#63\n\tlsr\tx17,x17,#1\n\tstp\tx14,x15,[x0]\n\torr\tx17,x17,x1,lsl#63\n\tstp\tx16,x17,[x0,#16]\n\n\tret\n\n.globl\tecp_nistz256_point_double\n\n.def ecp_nistz256_point_double\n .type 32\n.endef\n.align\t5\necp_nistz256_point_double:\n\tAARCH64_SIGN_LINK_REGISTER\n\tstp\tx29,x30,[sp,#-96]!\n\tadd\tx29,sp,#0\n\tstp\tx19,x20,[sp,#16]\n\tstp\tx21,x22,[sp,#32]\n\tsub\tsp,sp,#32*4\n\nLdouble_shortcut:\n\tldp\tx14,x15,[x1,#32]\n\tmov\tx21,x0\n\tldp\tx16,x17,[x1,#48]\n\tmov\tx22,x1\n\tadrp\tx13,Lpoly\n\tadd\tx13,x13,:lo12:Lpoly\n\tldr\tx12,[x13,#8]\n\tmov\tx8,x14\n\tldr\tx13,[x13,#24]\n\tmov\tx9,x15\n\tldp\tx4,x5,[x22,#64]\t// forward load for p256_sqr_mont\n\tmov\tx10,x16\n\tmov\tx11,x17\n\tldp\tx6,x7,[x22,#64+16]\n\tadd\tx0,sp,#0\n\tbl\t__ecp_nistz256_add_to\t// p256_mul_by_2(S, in_y);\n\n\tadd\tx0,sp,#64\n\tbl\t__ecp_nistz256_sqr_mont\t// p256_sqr_mont(Zsqr, in_z);\n\n\tldp\tx8,x9,[x22]\n\tldp\tx10,x11,[x22,#16]\n\tmov\tx4,x14\t\t// put Zsqr aside for p256_sub\n\tmov\tx5,x15\n\tmov\tx6,x16\n\tmov\tx7,x17\n\tadd\tx0,sp,#32\n\tbl\t__ecp_nistz256_add_to\t// p256_add(M, Zsqr, in_x);\n\n\tadd\tx2,x22,#0\n\tmov\tx14,x4\t\t// restore Zsqr\n\tmov\tx15,x5\n\tldp\tx4,x5,[sp,#0]\t// forward load for p256_sqr_mont\n\tmov\tx16,x6\n\tmov\tx17,x7\n\tldp\tx6,x7,[sp,#0+16]\n\tadd\tx0,sp,#64\n\tbl\t__ecp_nistz256_sub_morf\t// p256_sub(Zsqr, in_x, Zsqr);\n\n\tadd\tx0,sp,#0\n\tbl\t__ecp_nistz256_sqr_mont\t// p256_sqr_mont(S, S);\n\n\tldr\tx3,[x22,#32]\n\tldp\tx4,x5,[x22,#64]\n\tldp\tx6,x7,[x22,#64+16]\n\tadd\tx2,x22,#32\n\tadd\tx0,sp,#96\n\tbl\t__ecp_nistz256_mul_mont\t// p256_mul_mont(tmp0, in_z, in_y);\n\n\tmov\tx8,x14\n\tmov\tx9,x15\n\tldp\tx4,x5,[sp,#0]\t// forward load for p256_sqr_mont\n\tmov\tx10,x16\n\tmov\tx11,x17\n\tldp\tx6,x7,[sp,#0+16]\n\tadd\tx0,x21,#64\n\tbl\t__ecp_nistz256_add_to\t// p256_mul_by_2(res_z, tmp0);\n\n\tadd\tx0,sp,#96\n\tbl\t__ecp_nistz256_sqr_mont\t// p256_sqr_mont(tmp0, S);\n\n\tldr\tx3,[sp,#64]\t\t// forward load for p256_mul_mont\n\tldp\tx4,x5,[sp,#32]\n\tldp\tx6,x7,[sp,#32+16]\n\tadd\tx0,x21,#32\n\tbl\t__ecp_nistz256_div_by_2\t// p256_div_by_2(res_y, tmp0);\n\n\tadd\tx2,sp,#64\n\tadd\tx0,sp,#32\n\tbl\t__ecp_nistz256_mul_mont\t// p256_mul_mont(M, M, Zsqr);\n\n\tmov\tx8,x14\t\t// duplicate M\n\tmov\tx9,x15\n\tmov\tx10,x16\n\tmov\tx11,x17\n\tmov\tx4,x14\t\t// put M aside\n\tmov\tx5,x15\n\tmov\tx6,x16\n\tmov\tx7,x17\n\tadd\tx0,sp,#32\n\tbl\t__ecp_nistz256_add_to\n\tmov\tx8,x4\t\t\t// restore M\n\tmov\tx9,x5\n\tldr\tx3,[x22]\t\t// forward load for p256_mul_mont\n\tmov\tx10,x6\n\tldp\tx4,x5,[sp,#0]\n\tmov\tx11,x7\n\tldp\tx6,x7,[sp,#0+16]\n\tbl\t__ecp_nistz256_add_to\t// p256_mul_by_3(M, M);\n\n\tadd\tx2,x22,#0\n\tadd\tx0,sp,#0\n\tbl\t__ecp_nistz256_mul_mont\t// p256_mul_mont(S, S, in_x);\n\n\tmov\tx8,x14\n\tmov\tx9,x15\n\tldp\tx4,x5,[sp,#32]\t// forward load for p256_sqr_mont\n\tmov\tx10,x16\n\tmov\tx11,x17\n\tldp\tx6,x7,[sp,#32+16]\n\tadd\tx0,sp,#96\n\tbl\t__ecp_nistz256_add_to\t// p256_mul_by_2(tmp0, S);\n\n\tadd\tx0,x21,#0\n\tbl\t__ecp_nistz256_sqr_mont\t// p256_sqr_mont(res_x, M);\n\n\tadd\tx2,sp,#96\n\tbl\t__ecp_nistz256_sub_from\t// p256_sub(res_x, res_x, tmp0);\n\n\tadd\tx2,sp,#0\n\tadd\tx0,sp,#0\n\tbl\t__ecp_nistz256_sub_morf\t// p256_sub(S, S, res_x);\n\n\tldr\tx3,[sp,#32]\n\tmov\tx4,x14\t\t// copy S\n\tmov\tx5,x15\n\tmov\tx6,x16\n\tmov\tx7,x17\n\tadd\tx2,sp,#32\n\tbl\t__ecp_nistz256_mul_mont\t// p256_mul_mont(S, S, M);\n\n\tadd\tx2,x21,#32\n\tadd\tx0,x21,#32\n\tbl\t__ecp_nistz256_sub_from\t// p256_sub(res_y, S, res_y);\n\n\tadd\tsp,x29,#0\t\t// destroy frame\n\tldp\tx19,x20,[x29,#16]\n\tldp\tx21,x22,[x29,#32]\n\tldp\tx29,x30,[sp],#96\n\tAARCH64_VALIDATE_LINK_REGISTER\n\tret\n\n.globl\tecp_nistz256_point_add\n\n.def ecp_nistz256_point_add\n .type 32\n.endef\n.align\t5\necp_nistz256_point_add:\n\tAARCH64_SIGN_LINK_REGISTER\n\tstp\tx29,x30,[sp,#-96]!\n\tadd\tx29,sp,#0\n\tstp\tx19,x20,[sp,#16]\n\tstp\tx21,x22,[sp,#32]\n\tstp\tx23,x24,[sp,#48]\n\tstp\tx25,x26,[sp,#64]\n\tstp\tx27,x28,[sp,#80]\n\tsub\tsp,sp,#32*12\n\n\tldp\tx4,x5,[x2,#64]\t// in2_z\n\tldp\tx6,x7,[x2,#64+16]\n\tmov\tx21,x0\n\tmov\tx22,x1\n\tmov\tx23,x2\n\tadrp\tx13,Lpoly\n\tadd\tx13,x13,:lo12:Lpoly\n\tldr\tx12,[x13,#8]\n\tldr\tx13,[x13,#24]\n\torr\tx8,x4,x5\n\torr\tx10,x6,x7\n\torr\tx25,x8,x10\n\tcmp\tx25,#0\n\tcsetm\tx25,ne\t\t// ~in2infty\n\tadd\tx0,sp,#192\n\tbl\t__ecp_nistz256_sqr_mont\t// p256_sqr_mont(Z2sqr, in2_z);\n\n\tldp\tx4,x5,[x22,#64]\t// in1_z\n\tldp\tx6,x7,[x22,#64+16]\n\torr\tx8,x4,x5\n\torr\tx10,x6,x7\n\torr\tx24,x8,x10\n\tcmp\tx24,#0\n\tcsetm\tx24,ne\t\t// ~in1infty\n\tadd\tx0,sp,#128\n\tbl\t__ecp_nistz256_sqr_mont\t// p256_sqr_mont(Z1sqr, in1_z);\n\n\tldr\tx3,[x23,#64]\n\tldp\tx4,x5,[sp,#192]\n\tldp\tx6,x7,[sp,#192+16]\n\tadd\tx2,x23,#64\n\tadd\tx0,sp,#320\n\tbl\t__ecp_nistz256_mul_mont\t// p256_mul_mont(S1, Z2sqr, in2_z);\n\n\tldr\tx3,[x22,#64]\n\tldp\tx4,x5,[sp,#128]\n\tldp\tx6,x7,[sp,#128+16]\n\tadd\tx2,x22,#64\n\tadd\tx0,sp,#352\n\tbl\t__ecp_nistz256_mul_mont\t// p256_mul_mont(S2, Z1sqr, in1_z);\n\n\tldr\tx3,[x22,#32]\n\tldp\tx4,x5,[sp,#320]\n\tldp\tx6,x7,[sp,#320+16]\n\tadd\tx2,x22,#32\n\tadd\tx0,sp,#320\n\tbl\t__ecp_nistz256_mul_mont\t// p256_mul_mont(S1, S1, in1_y);\n\n\tldr\tx3,[x23,#32]\n\tldp\tx4,x5,[sp,#352]\n\tldp\tx6,x7,[sp,#352+16]\n\tadd\tx2,x23,#32\n\tadd\tx0,sp,#352\n\tbl\t__ecp_nistz256_mul_mont\t// p256_mul_mont(S2, S2, in2_y);\n\n\tadd\tx2,sp,#320\n\tldr\tx3,[sp,#192]\t// forward load for p256_mul_mont\n\tldp\tx4,x5,[x22]\n\tldp\tx6,x7,[x22,#16]\n\tadd\tx0,sp,#160\n\tbl\t__ecp_nistz256_sub_from\t// p256_sub(R, S2, S1);\n\n\torr\tx14,x14,x15\t// see if result is zero\n\torr\tx16,x16,x17\n\torr\tx26,x14,x16\t// ~is_equal(S1,S2)\n\n\tadd\tx2,sp,#192\n\tadd\tx0,sp,#256\n\tbl\t__ecp_nistz256_mul_mont\t// p256_mul_mont(U1, in1_x, Z2sqr);\n\n\tldr\tx3,[sp,#128]\n\tldp\tx4,x5,[x23]\n\tldp\tx6,x7,[x23,#16]\n\tadd\tx2,sp,#128\n\tadd\tx0,sp,#288\n\tbl\t__ecp_nistz256_mul_mont\t// p256_mul_mont(U2, in2_x, Z1sqr);\n\n\tadd\tx2,sp,#256\n\tldp\tx4,x5,[sp,#160]\t// forward load for p256_sqr_mont\n\tldp\tx6,x7,[sp,#160+16]\n\tadd\tx0,sp,#96\n\tbl\t__ecp_nistz256_sub_from\t// p256_sub(H, U2, U1);\n\n\torr\tx14,x14,x15\t// see if result is zero\n\torr\tx16,x16,x17\n\torr\tx14,x14,x16\t// ~is_equal(U1,U2)\n\n\tmvn\tx27,x24\t// -1/0 -> 0/-1\n\tmvn\tx28,x25\t// -1/0 -> 0/-1\n\torr\tx14,x14,x27\n\torr\tx14,x14,x28\n\torr\tx14,x14,x26\n\tcbnz\tx14,Ladd_proceed\t// if(~is_equal(U1,U2) | in1infty | in2infty | ~is_equal(S1,S2))\n\nLadd_double:\n\tmov\tx1,x22\n\tmov\tx0,x21\n\tldp\tx23,x24,[x29,#48]\n\tldp\tx25,x26,[x29,#64]\n\tldp\tx27,x28,[x29,#80]\n\tadd\tsp,sp,#256\t// #256 is from #32*(12-4). difference in stack frames\n\tb\tLdouble_shortcut\n\n.align\t4\nLadd_proceed:\n\tadd\tx0,sp,#192\n\tbl\t__ecp_nistz256_sqr_mont\t// p256_sqr_mont(Rsqr, R);\n\n\tldr\tx3,[x22,#64]\n\tldp\tx4,x5,[sp,#96]\n\tldp\tx6,x7,[sp,#96+16]\n\tadd\tx2,x22,#64\n\tadd\tx0,sp,#64\n\tbl\t__ecp_nistz256_mul_mont\t// p256_mul_mont(res_z, H, in1_z);\n\n\tldp\tx4,x5,[sp,#96]\n\tldp\tx6,x7,[sp,#96+16]\n\tadd\tx0,sp,#128\n\tbl\t__ecp_nistz256_sqr_mont\t// p256_sqr_mont(Hsqr, H);\n\n\tldr\tx3,[x23,#64]\n\tldp\tx4,x5,[sp,#64]\n\tldp\tx6,x7,[sp,#64+16]\n\tadd\tx2,x23,#64\n\tadd\tx0,sp,#64\n\tbl\t__ecp_nistz256_mul_mont\t// p256_mul_mont(res_z, res_z, in2_z);\n\n\tldr\tx3,[sp,#96]\n\tldp\tx4,x5,[sp,#128]\n\tldp\tx6,x7,[sp,#128+16]\n\tadd\tx2,sp,#96\n\tadd\tx0,sp,#224\n\tbl\t__ecp_nistz256_mul_mont\t// p256_mul_mont(Hcub, Hsqr, H);\n\n\tldr\tx3,[sp,#128]\n\tldp\tx4,x5,[sp,#256]\n\tldp\tx6,x7,[sp,#256+16]\n\tadd\tx2,sp,#128\n\tadd\tx0,sp,#288\n\tbl\t__ecp_nistz256_mul_mont\t// p256_mul_mont(U2, U1, Hsqr);\n\n\tmov\tx8,x14\n\tmov\tx9,x15\n\tmov\tx10,x16\n\tmov\tx11,x17\n\tadd\tx0,sp,#128\n\tbl\t__ecp_nistz256_add_to\t// p256_mul_by_2(Hsqr, U2);\n\n\tadd\tx2,sp,#192\n\tadd\tx0,sp,#0\n\tbl\t__ecp_nistz256_sub_morf\t// p256_sub(res_x, Rsqr, Hsqr);\n\n\tadd\tx2,sp,#224\n\tbl\t__ecp_nistz256_sub_from\t// p256_sub(res_x, res_x, Hcub);\n\n\tadd\tx2,sp,#288\n\tldr\tx3,[sp,#224]\t\t// forward load for p256_mul_mont\n\tldp\tx4,x5,[sp,#320]\n\tldp\tx6,x7,[sp,#320+16]\n\tadd\tx0,sp,#32\n\tbl\t__ecp_nistz256_sub_morf\t// p256_sub(res_y, U2, res_x);\n\n\tadd\tx2,sp,#224\n\tadd\tx0,sp,#352\n\tbl\t__ecp_nistz256_mul_mont\t// p256_mul_mont(S2, S1, Hcub);\n\n\tldr\tx3,[sp,#160]\n\tldp\tx4,x5,[sp,#32]\n\tldp\tx6,x7,[sp,#32+16]\n\tadd\tx2,sp,#160\n\tadd\tx0,sp,#32\n\tbl\t__ecp_nistz256_mul_mont\t// p256_mul_mont(res_y, res_y, R);\n\n\tadd\tx2,sp,#352\n\tbl\t__ecp_nistz256_sub_from\t// p256_sub(res_y, res_y, S2);\n\n\tldp\tx4,x5,[sp,#0]\t\t// res\n\tldp\tx6,x7,[sp,#0+16]\n\tldp\tx8,x9,[x23]\t\t// in2\n\tldp\tx10,x11,[x23,#16]\n\tldp\tx14,x15,[x22,#0]\t// in1\n\tcmp\tx24,#0\t\t\t// ~, remember?\n\tldp\tx16,x17,[x22,#0+16]\n\tcsel\tx8,x4,x8,ne\n\tcsel\tx9,x5,x9,ne\n\tldp\tx4,x5,[sp,#0+0+32]\t// res\n\tcsel\tx10,x6,x10,ne\n\tcsel\tx11,x7,x11,ne\n\tcmp\tx25,#0\t\t\t// ~, remember?\n\tldp\tx6,x7,[sp,#0+0+48]\n\tcsel\tx14,x8,x14,ne\n\tcsel\tx15,x9,x15,ne\n\tldp\tx8,x9,[x23,#0+32]\t// in2\n\tcsel\tx16,x10,x16,ne\n\tcsel\tx17,x11,x17,ne\n\tldp\tx10,x11,[x23,#0+48]\n\tstp\tx14,x15,[x21,#0]\n\tstp\tx16,x17,[x21,#0+16]\n\tldp\tx14,x15,[x22,#32]\t// in1\n\tcmp\tx24,#0\t\t\t// ~, remember?\n\tldp\tx16,x17,[x22,#32+16]\n\tcsel\tx8,x4,x8,ne\n\tcsel\tx9,x5,x9,ne\n\tldp\tx4,x5,[sp,#0+32+32]\t// res\n\tcsel\tx10,x6,x10,ne\n\tcsel\tx11,x7,x11,ne\n\tcmp\tx25,#0\t\t\t// ~, remember?\n\tldp\tx6,x7,[sp,#0+32+48]\n\tcsel\tx14,x8,x14,ne\n\tcsel\tx15,x9,x15,ne\n\tldp\tx8,x9,[x23,#32+32]\t// in2\n\tcsel\tx16,x10,x16,ne\n\tcsel\tx17,x11,x17,ne\n\tldp\tx10,x11,[x23,#32+48]\n\tstp\tx14,x15,[x21,#32]\n\tstp\tx16,x17,[x21,#32+16]\n\tldp\tx14,x15,[x22,#64]\t// in1\n\tcmp\tx24,#0\t\t\t// ~, remember?\n\tldp\tx16,x17,[x22,#64+16]\n\tcsel\tx8,x4,x8,ne\n\tcsel\tx9,x5,x9,ne\n\tcsel\tx10,x6,x10,ne\n\tcsel\tx11,x7,x11,ne\n\tcmp\tx25,#0\t\t\t// ~, remember?\n\tcsel\tx14,x8,x14,ne\n\tcsel\tx15,x9,x15,ne\n\tcsel\tx16,x10,x16,ne\n\tcsel\tx17,x11,x17,ne\n\tstp\tx14,x15,[x21,#64]\n\tstp\tx16,x17,[x21,#64+16]\n\nLadd_done:\n\tadd\tsp,x29,#0\t\t// destroy frame\n\tldp\tx19,x20,[x29,#16]\n\tldp\tx21,x22,[x29,#32]\n\tldp\tx23,x24,[x29,#48]\n\tldp\tx25,x26,[x29,#64]\n\tldp\tx27,x28,[x29,#80]\n\tldp\tx29,x30,[sp],#96\n\tAARCH64_VALIDATE_LINK_REGISTER\n\tret\n\n.globl\tecp_nistz256_point_add_affine\n\n.def ecp_nistz256_point_add_affine\n .type 32\n.endef\n.align\t5\necp_nistz256_point_add_affine:\n\tAARCH64_SIGN_LINK_REGISTER\n\tstp\tx29,x30,[sp,#-80]!\n\tadd\tx29,sp,#0\n\tstp\tx19,x20,[sp,#16]\n\tstp\tx21,x22,[sp,#32]\n\tstp\tx23,x24,[sp,#48]\n\tstp\tx25,x26,[sp,#64]\n\tsub\tsp,sp,#32*10\n\n\tmov\tx21,x0\n\tmov\tx22,x1\n\tmov\tx23,x2\n\tadrp\tx13,Lpoly\n\tadd\tx13,x13,:lo12:Lpoly\n\tldr\tx12,[x13,#8]\n\tldr\tx13,[x13,#24]\n\n\tldp\tx4,x5,[x1,#64]\t// in1_z\n\tldp\tx6,x7,[x1,#64+16]\n\torr\tx8,x4,x5\n\torr\tx10,x6,x7\n\torr\tx24,x8,x10\n\tcmp\tx24,#0\n\tcsetm\tx24,ne\t\t// ~in1infty\n\n\tldp\tx14,x15,[x2]\t// in2_x\n\tldp\tx16,x17,[x2,#16]\n\tldp\tx8,x9,[x2,#32]\t// in2_y\n\tldp\tx10,x11,[x2,#48]\n\torr\tx14,x14,x15\n\torr\tx16,x16,x17\n\torr\tx8,x8,x9\n\torr\tx10,x10,x11\n\torr\tx14,x14,x16\n\torr\tx8,x8,x10\n\torr\tx25,x14,x8\n\tcmp\tx25,#0\n\tcsetm\tx25,ne\t\t// ~in2infty\n\n\tadd\tx0,sp,#128\n\tbl\t__ecp_nistz256_sqr_mont\t// p256_sqr_mont(Z1sqr, in1_z);\n\n\tmov\tx4,x14\n\tmov\tx5,x15\n\tmov\tx6,x16\n\tmov\tx7,x17\n\tldr\tx3,[x23]\n\tadd\tx2,x23,#0\n\tadd\tx0,sp,#96\n\tbl\t__ecp_nistz256_mul_mont\t// p256_mul_mont(U2, Z1sqr, in2_x);\n\n\tadd\tx2,x22,#0\n\tldr\tx3,[x22,#64]\t// forward load for p256_mul_mont\n\tldp\tx4,x5,[sp,#128]\n\tldp\tx6,x7,[sp,#128+16]\n\tadd\tx0,sp,#160\n\tbl\t__ecp_nistz256_sub_from\t// p256_sub(H, U2, in1_x);\n\n\tadd\tx2,x22,#64\n\tadd\tx0,sp,#128\n\tbl\t__ecp_nistz256_mul_mont\t// p256_mul_mont(S2, Z1sqr, in1_z);\n\n\tldr\tx3,[x22,#64]\n\tldp\tx4,x5,[sp,#160]\n\tldp\tx6,x7,[sp,#160+16]\n\tadd\tx2,x22,#64\n\tadd\tx0,sp,#64\n\tbl\t__ecp_nistz256_mul_mont\t// p256_mul_mont(res_z, H, in1_z);\n\n\tldr\tx3,[x23,#32]\n\tldp\tx4,x5,[sp,#128]\n\tldp\tx6,x7,[sp,#128+16]\n\tadd\tx2,x23,#32\n\tadd\tx0,sp,#128\n\tbl\t__ecp_nistz256_mul_mont\t// p256_mul_mont(S2, S2, in2_y);\n\n\tadd\tx2,x22,#32\n\tldp\tx4,x5,[sp,#160]\t// forward load for p256_sqr_mont\n\tldp\tx6,x7,[sp,#160+16]\n\tadd\tx0,sp,#192\n\tbl\t__ecp_nistz256_sub_from\t// p256_sub(R, S2, in1_y);\n\n\tadd\tx0,sp,#224\n\tbl\t__ecp_nistz256_sqr_mont\t// p256_sqr_mont(Hsqr, H);\n\n\tldp\tx4,x5,[sp,#192]\n\tldp\tx6,x7,[sp,#192+16]\n\tadd\tx0,sp,#288\n\tbl\t__ecp_nistz256_sqr_mont\t// p256_sqr_mont(Rsqr, R);\n\n\tldr\tx3,[sp,#160]\n\tldp\tx4,x5,[sp,#224]\n\tldp\tx6,x7,[sp,#224+16]\n\tadd\tx2,sp,#160\n\tadd\tx0,sp,#256\n\tbl\t__ecp_nistz256_mul_mont\t// p256_mul_mont(Hcub, Hsqr, H);\n\n\tldr\tx3,[x22]\n\tldp\tx4,x5,[sp,#224]\n\tldp\tx6,x7,[sp,#224+16]\n\tadd\tx2,x22,#0\n\tadd\tx0,sp,#96\n\tbl\t__ecp_nistz256_mul_mont\t// p256_mul_mont(U2, in1_x, Hsqr);\n\n\tmov\tx8,x14\n\tmov\tx9,x15\n\tmov\tx10,x16\n\tmov\tx11,x17\n\tadd\tx0,sp,#224\n\tbl\t__ecp_nistz256_add_to\t// p256_mul_by_2(Hsqr, U2);\n\n\tadd\tx2,sp,#288\n\tadd\tx0,sp,#0\n\tbl\t__ecp_nistz256_sub_morf\t// p256_sub(res_x, Rsqr, Hsqr);\n\n\tadd\tx2,sp,#256\n\tbl\t__ecp_nistz256_sub_from\t// p256_sub(res_x, res_x, Hcub);\n\n\tadd\tx2,sp,#96\n\tldr\tx3,[x22,#32]\t// forward load for p256_mul_mont\n\tldp\tx4,x5,[sp,#256]\n\tldp\tx6,x7,[sp,#256+16]\n\tadd\tx0,sp,#32\n\tbl\t__ecp_nistz256_sub_morf\t// p256_sub(res_y, U2, res_x);\n\n\tadd\tx2,x22,#32\n\tadd\tx0,sp,#128\n\tbl\t__ecp_nistz256_mul_mont\t// p256_mul_mont(S2, in1_y, Hcub);\n\n\tldr\tx3,[sp,#192]\n\tldp\tx4,x5,[sp,#32]\n\tldp\tx6,x7,[sp,#32+16]\n\tadd\tx2,sp,#192\n\tadd\tx0,sp,#32\n\tbl\t__ecp_nistz256_mul_mont\t// p256_mul_mont(res_y, res_y, R);\n\n\tadd\tx2,sp,#128\n\tbl\t__ecp_nistz256_sub_from\t// p256_sub(res_y, res_y, S2);\n\n\tldp\tx4,x5,[sp,#0]\t\t// res\n\tldp\tx6,x7,[sp,#0+16]\n\tldp\tx8,x9,[x23]\t\t// in2\n\tldp\tx10,x11,[x23,#16]\n\tldp\tx14,x15,[x22,#0]\t// in1\n\tcmp\tx24,#0\t\t\t// ~, remember?\n\tldp\tx16,x17,[x22,#0+16]\n\tcsel\tx8,x4,x8,ne\n\tcsel\tx9,x5,x9,ne\n\tldp\tx4,x5,[sp,#0+0+32]\t// res\n\tcsel\tx10,x6,x10,ne\n\tcsel\tx11,x7,x11,ne\n\tcmp\tx25,#0\t\t\t// ~, remember?\n\tldp\tx6,x7,[sp,#0+0+48]\n\tcsel\tx14,x8,x14,ne\n\tcsel\tx15,x9,x15,ne\n\tldp\tx8,x9,[x23,#0+32]\t// in2\n\tcsel\tx16,x10,x16,ne\n\tcsel\tx17,x11,x17,ne\n\tldp\tx10,x11,[x23,#0+48]\n\tstp\tx14,x15,[x21,#0]\n\tstp\tx16,x17,[x21,#0+16]\n\tadrp\tx23,Lone_mont-64\n\tadd\tx23,x23,:lo12:Lone_mont-64\n\tldp\tx14,x15,[x22,#32]\t// in1\n\tcmp\tx24,#0\t\t\t// ~, remember?\n\tldp\tx16,x17,[x22,#32+16]\n\tcsel\tx8,x4,x8,ne\n\tcsel\tx9,x5,x9,ne\n\tldp\tx4,x5,[sp,#0+32+32]\t// res\n\tcsel\tx10,x6,x10,ne\n\tcsel\tx11,x7,x11,ne\n\tcmp\tx25,#0\t\t\t// ~, remember?\n\tldp\tx6,x7,[sp,#0+32+48]\n\tcsel\tx14,x8,x14,ne\n\tcsel\tx15,x9,x15,ne\n\tldp\tx8,x9,[x23,#32+32]\t// in2\n\tcsel\tx16,x10,x16,ne\n\tcsel\tx17,x11,x17,ne\n\tldp\tx10,x11,[x23,#32+48]\n\tstp\tx14,x15,[x21,#32]\n\tstp\tx16,x17,[x21,#32+16]\n\tldp\tx14,x15,[x22,#64]\t// in1\n\tcmp\tx24,#0\t\t\t// ~, remember?\n\tldp\tx16,x17,[x22,#64+16]\n\tcsel\tx8,x4,x8,ne\n\tcsel\tx9,x5,x9,ne\n\tcsel\tx10,x6,x10,ne\n\tcsel\tx11,x7,x11,ne\n\tcmp\tx25,#0\t\t\t// ~, remember?\n\tcsel\tx14,x8,x14,ne\n\tcsel\tx15,x9,x15,ne\n\tcsel\tx16,x10,x16,ne\n\tcsel\tx17,x11,x17,ne\n\tstp\tx14,x15,[x21,#64]\n\tstp\tx16,x17,[x21,#64+16]\n\n\tadd\tsp,x29,#0\t\t// destroy frame\n\tldp\tx19,x20,[x29,#16]\n\tldp\tx21,x22,[x29,#32]\n\tldp\tx23,x24,[x29,#48]\n\tldp\tx25,x26,[x29,#64]\n\tldp\tx29,x30,[sp],#80\n\tAARCH64_VALIDATE_LINK_REGISTER\n\tret\n\n////////////////////////////////////////////////////////////////////////\n// void ecp_nistz256_ord_mul_mont(uint64_t res[4], uint64_t a[4],\n// uint64_t b[4]);\n.globl\tecp_nistz256_ord_mul_mont\n\n.def ecp_nistz256_ord_mul_mont\n .type 32\n.endef\n.align\t4\necp_nistz256_ord_mul_mont:\n\tAARCH64_VALID_CALL_TARGET\n\t// Armv8.3-A PAuth: even though x30 is pushed to stack it is not popped later.\n\tstp\tx29,x30,[sp,#-64]!\n\tadd\tx29,sp,#0\n\tstp\tx19,x20,[sp,#16]\n\tstp\tx21,x22,[sp,#32]\n\tstp\tx23,x24,[sp,#48]\n\n\tadrp\tx23,Lord\n\tadd\tx23,x23,:lo12:Lord\n\tldr\tx3,[x2]\t\t// bp[0]\n\tldp\tx4,x5,[x1]\n\tldp\tx6,x7,[x1,#16]\n\n\tldp\tx12,x13,[x23,#0]\n\tldp\tx21,x22,[x23,#16]\n\tldr\tx23,[x23,#32]\n\n\tmul\tx14,x4,x3\t\t// a[0]*b[0]\n\tumulh\tx8,x4,x3\n\n\tmul\tx15,x5,x3\t\t// a[1]*b[0]\n\tumulh\tx9,x5,x3\n\n\tmul\tx16,x6,x3\t\t// a[2]*b[0]\n\tumulh\tx10,x6,x3\n\n\tmul\tx17,x7,x3\t\t// a[3]*b[0]\n\tumulh\tx19,x7,x3\n\n\tmul\tx24,x14,x23\n\n\tadds\tx15,x15,x8\t\t// accumulate high parts of multiplication\n\tadcs\tx16,x16,x9\n\tadcs\tx17,x17,x10\n\tadc\tx19,x19,xzr\n\tmov\tx20,xzr\n\tldr\tx3,[x2,#8*1]\t\t// b[i]\n\n\tlsl\tx8,x24,#32\n\tsubs\tx16,x16,x24\n\tlsr\tx9,x24,#32\n\tsbcs\tx17,x17,x8\n\tsbcs\tx19,x19,x9\n\tsbc\tx20,x20,xzr\n\n\tsubs\txzr,x14,#1\n\tumulh\tx9,x12,x24\n\tmul\tx10,x13,x24\n\tumulh\tx11,x13,x24\n\n\tadcs\tx10,x10,x9\n\tmul\tx8,x4,x3\n\tadc\tx11,x11,xzr\n\tmul\tx9,x5,x3\n\n\tadds\tx14,x15,x10\n\tmul\tx10,x6,x3\n\tadcs\tx15,x16,x11\n\tmul\tx11,x7,x3\n\tadcs\tx16,x17,x24\n\tadcs\tx17,x19,x24\n\tadc\tx19,x20,xzr\n\n\tadds\tx14,x14,x8\t\t// accumulate low parts\n\tumulh\tx8,x4,x3\n\tadcs\tx15,x15,x9\n\tumulh\tx9,x5,x3\n\tadcs\tx16,x16,x10\n\tumulh\tx10,x6,x3\n\tadcs\tx17,x17,x11\n\tumulh\tx11,x7,x3\n\tadc\tx19,x19,xzr\n\tmul\tx24,x14,x23\n\tadds\tx15,x15,x8\t\t// accumulate high parts\n\tadcs\tx16,x16,x9\n\tadcs\tx17,x17,x10\n\tadcs\tx19,x19,x11\n\tadc\tx20,xzr,xzr\n\tldr\tx3,[x2,#8*2]\t\t// b[i]\n\n\tlsl\tx8,x24,#32\n\tsubs\tx16,x16,x24\n\tlsr\tx9,x24,#32\n\tsbcs\tx17,x17,x8\n\tsbcs\tx19,x19,x9\n\tsbc\tx20,x20,xzr\n\n\tsubs\txzr,x14,#1\n\tumulh\tx9,x12,x24\n\tmul\tx10,x13,x24\n\tumulh\tx11,x13,x24\n\n\tadcs\tx10,x10,x9\n\tmul\tx8,x4,x3\n\tadc\tx11,x11,xzr\n\tmul\tx9,x5,x3\n\n\tadds\tx14,x15,x10\n\tmul\tx10,x6,x3\n\tadcs\tx15,x16,x11\n\tmul\tx11,x7,x3\n\tadcs\tx16,x17,x24\n\tadcs\tx17,x19,x24\n\tadc\tx19,x20,xzr\n\n\tadds\tx14,x14,x8\t\t// accumulate low parts\n\tumulh\tx8,x4,x3\n\tadcs\tx15,x15,x9\n\tumulh\tx9,x5,x3\n\tadcs\tx16,x16,x10\n\tumulh\tx10,x6,x3\n\tadcs\tx17,x17,x11\n\tumulh\tx11,x7,x3\n\tadc\tx19,x19,xzr\n\tmul\tx24,x14,x23\n\tadds\tx15,x15,x8\t\t// accumulate high parts\n\tadcs\tx16,x16,x9\n\tadcs\tx17,x17,x10\n\tadcs\tx19,x19,x11\n\tadc\tx20,xzr,xzr\n\tldr\tx3,[x2,#8*3]\t\t// b[i]\n\n\tlsl\tx8,x24,#32\n\tsubs\tx16,x16,x24\n\tlsr\tx9,x24,#32\n\tsbcs\tx17,x17,x8\n\tsbcs\tx19,x19,x9\n\tsbc\tx20,x20,xzr\n\n\tsubs\txzr,x14,#1\n\tumulh\tx9,x12,x24\n\tmul\tx10,x13,x24\n\tumulh\tx11,x13,x24\n\n\tadcs\tx10,x10,x9\n\tmul\tx8,x4,x3\n\tadc\tx11,x11,xzr\n\tmul\tx9,x5,x3\n\n\tadds\tx14,x15,x10\n\tmul\tx10,x6,x3\n\tadcs\tx15,x16,x11\n\tmul\tx11,x7,x3\n\tadcs\tx16,x17,x24\n\tadcs\tx17,x19,x24\n\tadc\tx19,x20,xzr\n\n\tadds\tx14,x14,x8\t\t// accumulate low parts\n\tumulh\tx8,x4,x3\n\tadcs\tx15,x15,x9\n\tumulh\tx9,x5,x3\n\tadcs\tx16,x16,x10\n\tumulh\tx10,x6,x3\n\tadcs\tx17,x17,x11\n\tumulh\tx11,x7,x3\n\tadc\tx19,x19,xzr\n\tmul\tx24,x14,x23\n\tadds\tx15,x15,x8\t\t// accumulate high parts\n\tadcs\tx16,x16,x9\n\tadcs\tx17,x17,x10\n\tadcs\tx19,x19,x11\n\tadc\tx20,xzr,xzr\n\tlsl\tx8,x24,#32\t\t// last reduction\n\tsubs\tx16,x16,x24\n\tlsr\tx9,x24,#32\n\tsbcs\tx17,x17,x8\n\tsbcs\tx19,x19,x9\n\tsbc\tx20,x20,xzr\n\n\tsubs\txzr,x14,#1\n\tumulh\tx9,x12,x24\n\tmul\tx10,x13,x24\n\tumulh\tx11,x13,x24\n\n\tadcs\tx10,x10,x9\n\tadc\tx11,x11,xzr\n\n\tadds\tx14,x15,x10\n\tadcs\tx15,x16,x11\n\tadcs\tx16,x17,x24\n\tadcs\tx17,x19,x24\n\tadc\tx19,x20,xzr\n\n\tsubs\tx8,x14,x12\t\t// ret -= modulus\n\tsbcs\tx9,x15,x13\n\tsbcs\tx10,x16,x21\n\tsbcs\tx11,x17,x22\n\tsbcs\txzr,x19,xzr\n\n\tcsel\tx14,x14,x8,lo\t// ret = borrow ? ret : ret-modulus\n\tcsel\tx15,x15,x9,lo\n\tcsel\tx16,x16,x10,lo\n\tstp\tx14,x15,[x0]\n\tcsel\tx17,x17,x11,lo\n\tstp\tx16,x17,[x0,#16]\n\n\tldp\tx19,x20,[sp,#16]\n\tldp\tx21,x22,[sp,#32]\n\tldp\tx23,x24,[sp,#48]\n\tldr\tx29,[sp],#64\n\tret\n\n\n////////////////////////////////////////////////////////////////////////\n// void ecp_nistz256_ord_sqr_mont(uint64_t res[4], uint64_t a[4],\n// uint64_t rep);\n.globl\tecp_nistz256_ord_sqr_mont\n\n.def ecp_nistz256_ord_sqr_mont\n .type 32\n.endef\n.align\t4\necp_nistz256_ord_sqr_mont:\n\tAARCH64_VALID_CALL_TARGET\n\t// Armv8.3-A PAuth: even though x30 is pushed to stack it is not popped later.\n\tstp\tx29,x30,[sp,#-64]!\n\tadd\tx29,sp,#0\n\tstp\tx19,x20,[sp,#16]\n\tstp\tx21,x22,[sp,#32]\n\tstp\tx23,x24,[sp,#48]\n\n\tadrp\tx23,Lord\n\tadd\tx23,x23,:lo12:Lord\n\tldp\tx4,x5,[x1]\n\tldp\tx6,x7,[x1,#16]\n\n\tldp\tx12,x13,[x23,#0]\n\tldp\tx21,x22,[x23,#16]\n\tldr\tx23,[x23,#32]\n\tb\tLoop_ord_sqr\n\n.align\t4\nLoop_ord_sqr:\n\tsub\tx2,x2,#1\n\t////////////////////////////////////////////////////////////////\n\t// | | | | | |a1*a0| |\n\t// | | | | |a2*a0| | |\n\t// | |a3*a2|a3*a0| | | |\n\t// | | | |a2*a1| | | |\n\t// | | |a3*a1| | | | |\n\t// *| | | | | | | | 2|\n\t// +|a3*a3|a2*a2|a1*a1|a0*a0|\n\t// |--+--+--+--+--+--+--+--|\n\t// |A7|A6|A5|A4|A3|A2|A1|A0|, where Ax is , i.e. follow \n\t//\n\t// \"can't overflow\" below mark carrying into high part of\n\t// multiplication result, which can't overflow, because it\n\t// can never be all ones.\n\n\tmul\tx15,x5,x4\t\t// a[1]*a[0]\n\tumulh\tx9,x5,x4\n\tmul\tx16,x6,x4\t\t// a[2]*a[0]\n\tumulh\tx10,x6,x4\n\tmul\tx17,x7,x4\t\t// a[3]*a[0]\n\tumulh\tx19,x7,x4\n\n\tadds\tx16,x16,x9\t\t// accumulate high parts of multiplication\n\tmul\tx8,x6,x5\t\t// a[2]*a[1]\n\tumulh\tx9,x6,x5\n\tadcs\tx17,x17,x10\n\tmul\tx10,x7,x5\t\t// a[3]*a[1]\n\tumulh\tx11,x7,x5\n\tadc\tx19,x19,xzr\t\t// can't overflow\n\n\tmul\tx20,x7,x6\t\t// a[3]*a[2]\n\tumulh\tx1,x7,x6\n\n\tadds\tx9,x9,x10\t\t// accumulate high parts of multiplication\n\tmul\tx14,x4,x4\t\t// a[0]*a[0]\n\tadc\tx10,x11,xzr\t\t// can't overflow\n\n\tadds\tx17,x17,x8\t\t// accumulate low parts of multiplication\n\tumulh\tx4,x4,x4\n\tadcs\tx19,x19,x9\n\tmul\tx9,x5,x5\t\t// a[1]*a[1]\n\tadcs\tx20,x20,x10\n\tumulh\tx5,x5,x5\n\tadc\tx1,x1,xzr\t\t// can't overflow\n\n\tadds\tx15,x15,x15\t// acc[1-6]*=2\n\tmul\tx10,x6,x6\t\t// a[2]*a[2]\n\tadcs\tx16,x16,x16\n\tumulh\tx6,x6,x6\n\tadcs\tx17,x17,x17\n\tmul\tx11,x7,x7\t\t// a[3]*a[3]\n\tadcs\tx19,x19,x19\n\tumulh\tx7,x7,x7\n\tadcs\tx20,x20,x20\n\tadcs\tx1,x1,x1\n\tadc\tx3,xzr,xzr\n\n\tadds\tx15,x15,x4\t\t// +a[i]*a[i]\n\tmul\tx24,x14,x23\n\tadcs\tx16,x16,x9\n\tadcs\tx17,x17,x5\n\tadcs\tx19,x19,x10\n\tadcs\tx20,x20,x6\n\tadcs\tx1,x1,x11\n\tadc\tx3,x3,x7\n\tsubs\txzr,x14,#1\n\tumulh\tx9,x12,x24\n\tmul\tx10,x13,x24\n\tumulh\tx11,x13,x24\n\n\tadcs\tx10,x10,x9\n\tadc\tx11,x11,xzr\n\n\tadds\tx14,x15,x10\n\tadcs\tx15,x16,x11\n\tadcs\tx16,x17,x24\n\tadc\tx17,xzr,x24\t\t// can't overflow\n\tmul\tx11,x14,x23\n\tlsl\tx8,x24,#32\n\tsubs\tx15,x15,x24\n\tlsr\tx9,x24,#32\n\tsbcs\tx16,x16,x8\n\tsbc\tx17,x17,x9\t\t// can't borrow\n\tsubs\txzr,x14,#1\n\tumulh\tx9,x12,x11\n\tmul\tx10,x13,x11\n\tumulh\tx24,x13,x11\n\n\tadcs\tx10,x10,x9\n\tadc\tx24,x24,xzr\n\n\tadds\tx14,x15,x10\n\tadcs\tx15,x16,x24\n\tadcs\tx16,x17,x11\n\tadc\tx17,xzr,x11\t\t// can't overflow\n\tmul\tx24,x14,x23\n\tlsl\tx8,x11,#32\n\tsubs\tx15,x15,x11\n\tlsr\tx9,x11,#32\n\tsbcs\tx16,x16,x8\n\tsbc\tx17,x17,x9\t\t// can't borrow\n\tsubs\txzr,x14,#1\n\tumulh\tx9,x12,x24\n\tmul\tx10,x13,x24\n\tumulh\tx11,x13,x24\n\n\tadcs\tx10,x10,x9\n\tadc\tx11,x11,xzr\n\n\tadds\tx14,x15,x10\n\tadcs\tx15,x16,x11\n\tadcs\tx16,x17,x24\n\tadc\tx17,xzr,x24\t\t// can't overflow\n\tmul\tx11,x14,x23\n\tlsl\tx8,x24,#32\n\tsubs\tx15,x15,x24\n\tlsr\tx9,x24,#32\n\tsbcs\tx16,x16,x8\n\tsbc\tx17,x17,x9\t\t// can't borrow\n\tsubs\txzr,x14,#1\n\tumulh\tx9,x12,x11\n\tmul\tx10,x13,x11\n\tumulh\tx24,x13,x11\n\n\tadcs\tx10,x10,x9\n\tadc\tx24,x24,xzr\n\n\tadds\tx14,x15,x10\n\tadcs\tx15,x16,x24\n\tadcs\tx16,x17,x11\n\tadc\tx17,xzr,x11\t\t// can't overflow\n\tlsl\tx8,x11,#32\n\tsubs\tx15,x15,x11\n\tlsr\tx9,x11,#32\n\tsbcs\tx16,x16,x8\n\tsbc\tx17,x17,x9\t\t// can't borrow\n\tadds\tx14,x14,x19\t// accumulate upper half\n\tadcs\tx15,x15,x20\n\tadcs\tx16,x16,x1\n\tadcs\tx17,x17,x3\n\tadc\tx19,xzr,xzr\n\n\tsubs\tx8,x14,x12\t\t// ret -= modulus\n\tsbcs\tx9,x15,x13\n\tsbcs\tx10,x16,x21\n\tsbcs\tx11,x17,x22\n\tsbcs\txzr,x19,xzr\n\n\tcsel\tx4,x14,x8,lo\t// ret = borrow ? ret : ret-modulus\n\tcsel\tx5,x15,x9,lo\n\tcsel\tx6,x16,x10,lo\n\tcsel\tx7,x17,x11,lo\n\n\tcbnz\tx2,Loop_ord_sqr\n\n\tstp\tx4,x5,[x0]\n\tstp\tx6,x7,[x0,#16]\n\n\tldp\tx19,x20,[sp,#16]\n\tldp\tx21,x22,[sp,#32]\n\tldp\tx23,x24,[sp,#48]\n\tldr\tx29,[sp],#64\n\tret\n\n////////////////////////////////////////////////////////////////////////\n// void ecp_nistz256_select_w5(uint64_t *val, uint64_t *in_t, int index);\n.globl\tecp_nistz256_select_w5\n\n.def ecp_nistz256_select_w5\n .type 32\n.endef\n.align\t4\necp_nistz256_select_w5:\n\tAARCH64_VALID_CALL_TARGET\n\n // x10 := x0\n // w9 := 0; loop counter and incremented internal index\n\tmov\tx10, x0\n\tmov\tw9, #0\n\n // [v16-v21] := 0\n\tmovi\tv16.16b, #0\n\tmovi\tv17.16b, #0\n\tmovi\tv18.16b, #0\n\tmovi\tv19.16b, #0\n\tmovi\tv20.16b, #0\n\tmovi\tv21.16b, #0\n\nLselect_w5_loop:\n // Loop 16 times.\n\n // Increment index (loop counter); tested at the end of the loop\n\tadd\tw9, w9, #1\n\n // [v22-v27] := Load a (3*256-bit = 6*128-bit) table entry starting at x1\n // and advance x1 to point to the next entry\n\tld1\t{v22.2d, v23.2d, v24.2d, v25.2d}, [x1],#64\n\n // x11 := (w9 == w2)? All 1s : All 0s\n\tcmp\tw9, w2\n\tcsetm\tx11, eq\n\n // continue loading ...\n\tld1\t{v26.2d, v27.2d}, [x1],#32\n\n // duplicate mask_64 into Mask (all 0s or all 1s)\n\tdup\tv3.2d, x11\n\n // [v16-v19] := (Mask == all 1s)? [v22-v25] : [v16-v19]\n // i.e., values in output registers will remain the same if w9 != w2\n\tbit\tv16.16b, v22.16b, v3.16b\n\tbit\tv17.16b, v23.16b, v3.16b\n\n\tbit\tv18.16b, v24.16b, v3.16b\n\tbit\tv19.16b, v25.16b, v3.16b\n\n\tbit\tv20.16b, v26.16b, v3.16b\n\tbit\tv21.16b, v27.16b, v3.16b\n\n // If bit #4 is not 0 (i.e. idx_ctr < 16) loop back\n\ttbz\tw9, #4, Lselect_w5_loop\n\n // Write [v16-v21] to memory at the output pointer\n\tst1\t{v16.2d, v17.2d, v18.2d, v19.2d}, [x10],#64\n\tst1\t{v20.2d, v21.2d}, [x10]\n\n\tret\n\n\n\n////////////////////////////////////////////////////////////////////////\n// void ecp_nistz256_select_w7(uint64_t *val, uint64_t *in_t, int index);\n.globl\tecp_nistz256_select_w7\n\n.def ecp_nistz256_select_w7\n .type 32\n.endef\n.align\t4\necp_nistz256_select_w7:\n\tAARCH64_VALID_CALL_TARGET\n\n // w9 := 0; loop counter and incremented internal index\n\tmov\tw9, #0\n\n // [v16-v21] := 0\n\tmovi\tv16.16b, #0\n\tmovi\tv17.16b, #0\n\tmovi\tv18.16b, #0\n\tmovi\tv19.16b, #0\n\nLselect_w7_loop:\n // Loop 64 times.\n\n // Increment index (loop counter); tested at the end of the loop\n\tadd\tw9, w9, #1\n\n // [v22-v25] := Load a (2*256-bit = 4*128-bit) table entry starting at x1\n // and advance x1 to point to the next entry\n\tld1\t{v22.2d, v23.2d, v24.2d, v25.2d}, [x1],#64\n\n // x11 := (w9 == w2)? All 1s : All 0s\n\tcmp\tw9, w2\n\tcsetm\tx11, eq\n\n // duplicate mask_64 into Mask (all 0s or all 1s)\n\tdup\tv3.2d, x11\n\n // [v16-v19] := (Mask == all 1s)? [v22-v25] : [v16-v19]\n // i.e., values in output registers will remain the same if w9 != w2\n\tbit\tv16.16b, v22.16b, v3.16b\n\tbit\tv17.16b, v23.16b, v3.16b\n\n\tbit\tv18.16b, v24.16b, v3.16b\n\tbit\tv19.16b, v25.16b, v3.16b\n\n // If bit #6 is not 0 (i.e. idx_ctr < 64) loop back\n\ttbz\tw9, #6, Lselect_w7_loop\n\n // Write [v16-v19] to memory at the output pointer\n\tst1\t{v16.2d, v17.2d, v18.2d, v19.2d}, [x0]\n\n\tret\n\n#endif // !OPENSSL_NO_ASM && defined(OPENSSL_AARCH64) && defined(_WIN32)\n#if defined(__linux__) && defined(__ELF__)\n.section .note.GNU-stack,\"\",%progbits\n#endif\n\n" }, { "path": "Sources/CNIOBoringSSL/gen/bcm/p256-x86_64-asm-apple.S", "content": "#define BORINGSSL_PREFIX CNIOBoringSSL\n// This file is generated from a similarly-named Perl script in the BoringSSL\n// source tree. Do not edit by hand.\n\n#include \n\n#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86_64) && defined(__APPLE__)\n.text\t\n\n\n.section\t__DATA,__const\n.p2align\t6\nL$poly:\n.quad\t0xffffffffffffffff, 0x00000000ffffffff, 0x0000000000000000, 0xffffffff00000001\n\nL$One:\n.long\t1,1,1,1,1,1,1,1\nL$Two:\n.long\t2,2,2,2,2,2,2,2\nL$Three:\n.long\t3,3,3,3,3,3,3,3\nL$ONE_mont:\n.quad\t0x0000000000000001, 0xffffffff00000000, 0xffffffffffffffff, 0x00000000fffffffe\n\n\nL$ord:\n.quad\t0xf3b9cac2fc632551, 0xbce6faada7179e84, 0xffffffffffffffff, 0xffffffff00000000\nL$ordK:\n.quad\t0xccd1c8aaee00bc4f\n.text\t\n\n\n\n.globl\t_ecp_nistz256_neg\n.private_extern _ecp_nistz256_neg\n\n.p2align\t5\n_ecp_nistz256_neg:\n\n_CET_ENDBR\n\tpushq\t%r12\n\n\tpushq\t%r13\n\nL$neg_body:\n\n\txorq\t%r8,%r8\n\txorq\t%r9,%r9\n\txorq\t%r10,%r10\n\txorq\t%r11,%r11\n\txorq\t%r13,%r13\n\n\tsubq\t0(%rsi),%r8\n\tsbbq\t8(%rsi),%r9\n\tsbbq\t16(%rsi),%r10\n\tmovq\t%r8,%rax\n\tsbbq\t24(%rsi),%r11\n\tleaq\tL$poly(%rip),%rsi\n\tmovq\t%r9,%rdx\n\tsbbq\t$0,%r13\n\n\taddq\t0(%rsi),%r8\n\tmovq\t%r10,%rcx\n\tadcq\t8(%rsi),%r9\n\tadcq\t16(%rsi),%r10\n\tmovq\t%r11,%r12\n\tadcq\t24(%rsi),%r11\n\ttestq\t%r13,%r13\n\n\tcmovzq\t%rax,%r8\n\tcmovzq\t%rdx,%r9\n\tmovq\t%r8,0(%rdi)\n\tcmovzq\t%rcx,%r10\n\tmovq\t%r9,8(%rdi)\n\tcmovzq\t%r12,%r11\n\tmovq\t%r10,16(%rdi)\n\tmovq\t%r11,24(%rdi)\n\n\tmovq\t0(%rsp),%r13\n\n\tmovq\t8(%rsp),%r12\n\n\tleaq\t16(%rsp),%rsp\n\nL$neg_epilogue:\n\tret\n\n\n\n\n\n\n\n\n.globl\t_ecp_nistz256_ord_mul_mont_nohw\n.private_extern _ecp_nistz256_ord_mul_mont_nohw\n\n.p2align\t5\n_ecp_nistz256_ord_mul_mont_nohw:\n\n_CET_ENDBR\n\tpushq\t%rbp\n\n\tpushq\t%rbx\n\n\tpushq\t%r12\n\n\tpushq\t%r13\n\n\tpushq\t%r14\n\n\tpushq\t%r15\n\nL$ord_mul_body:\n\n\tmovq\t0(%rdx),%rax\n\tmovq\t%rdx,%rbx\n\tleaq\tL$ord(%rip),%r14\n\tmovq\tL$ordK(%rip),%r15\n\n\n\tmovq\t%rax,%rcx\n\tmulq\t0(%rsi)\n\tmovq\t%rax,%r8\n\tmovq\t%rcx,%rax\n\tmovq\t%rdx,%r9\n\n\tmulq\t8(%rsi)\n\taddq\t%rax,%r9\n\tmovq\t%rcx,%rax\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r10\n\n\tmulq\t16(%rsi)\n\taddq\t%rax,%r10\n\tmovq\t%rcx,%rax\n\tadcq\t$0,%rdx\n\n\tmovq\t%r8,%r13\n\timulq\t%r15,%r8\n\n\tmovq\t%rdx,%r11\n\tmulq\t24(%rsi)\n\taddq\t%rax,%r11\n\tmovq\t%r8,%rax\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r12\n\n\n\tmulq\t0(%r14)\n\tmovq\t%r8,%rbp\n\taddq\t%rax,%r13\n\tmovq\t%r8,%rax\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%rcx\n\n\tsubq\t%r8,%r10\n\tsbbq\t$0,%r8\n\n\tmulq\t8(%r14)\n\taddq\t%rcx,%r9\n\tadcq\t$0,%rdx\n\taddq\t%rax,%r9\n\tmovq\t%rbp,%rax\n\tadcq\t%rdx,%r10\n\tmovq\t%rbp,%rdx\n\tadcq\t$0,%r8\n\n\tshlq\t$32,%rax\n\tshrq\t$32,%rdx\n\tsubq\t%rax,%r11\n\tmovq\t8(%rbx),%rax\n\tsbbq\t%rdx,%rbp\n\n\taddq\t%r8,%r11\n\tadcq\t%rbp,%r12\n\tadcq\t$0,%r13\n\n\n\tmovq\t%rax,%rcx\n\tmulq\t0(%rsi)\n\taddq\t%rax,%r9\n\tmovq\t%rcx,%rax\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%rbp\n\n\tmulq\t8(%rsi)\n\taddq\t%rbp,%r10\n\tadcq\t$0,%rdx\n\taddq\t%rax,%r10\n\tmovq\t%rcx,%rax\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%rbp\n\n\tmulq\t16(%rsi)\n\taddq\t%rbp,%r11\n\tadcq\t$0,%rdx\n\taddq\t%rax,%r11\n\tmovq\t%rcx,%rax\n\tadcq\t$0,%rdx\n\n\tmovq\t%r9,%rcx\n\timulq\t%r15,%r9\n\n\tmovq\t%rdx,%rbp\n\tmulq\t24(%rsi)\n\taddq\t%rbp,%r12\n\tadcq\t$0,%rdx\n\txorq\t%r8,%r8\n\taddq\t%rax,%r12\n\tmovq\t%r9,%rax\n\tadcq\t%rdx,%r13\n\tadcq\t$0,%r8\n\n\n\tmulq\t0(%r14)\n\tmovq\t%r9,%rbp\n\taddq\t%rax,%rcx\n\tmovq\t%r9,%rax\n\tadcq\t%rdx,%rcx\n\n\tsubq\t%r9,%r11\n\tsbbq\t$0,%r9\n\n\tmulq\t8(%r14)\n\taddq\t%rcx,%r10\n\tadcq\t$0,%rdx\n\taddq\t%rax,%r10\n\tmovq\t%rbp,%rax\n\tadcq\t%rdx,%r11\n\tmovq\t%rbp,%rdx\n\tadcq\t$0,%r9\n\n\tshlq\t$32,%rax\n\tshrq\t$32,%rdx\n\tsubq\t%rax,%r12\n\tmovq\t16(%rbx),%rax\n\tsbbq\t%rdx,%rbp\n\n\taddq\t%r9,%r12\n\tadcq\t%rbp,%r13\n\tadcq\t$0,%r8\n\n\n\tmovq\t%rax,%rcx\n\tmulq\t0(%rsi)\n\taddq\t%rax,%r10\n\tmovq\t%rcx,%rax\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%rbp\n\n\tmulq\t8(%rsi)\n\taddq\t%rbp,%r11\n\tadcq\t$0,%rdx\n\taddq\t%rax,%r11\n\tmovq\t%rcx,%rax\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%rbp\n\n\tmulq\t16(%rsi)\n\taddq\t%rbp,%r12\n\tadcq\t$0,%rdx\n\taddq\t%rax,%r12\n\tmovq\t%rcx,%rax\n\tadcq\t$0,%rdx\n\n\tmovq\t%r10,%rcx\n\timulq\t%r15,%r10\n\n\tmovq\t%rdx,%rbp\n\tmulq\t24(%rsi)\n\taddq\t%rbp,%r13\n\tadcq\t$0,%rdx\n\txorq\t%r9,%r9\n\taddq\t%rax,%r13\n\tmovq\t%r10,%rax\n\tadcq\t%rdx,%r8\n\tadcq\t$0,%r9\n\n\n\tmulq\t0(%r14)\n\tmovq\t%r10,%rbp\n\taddq\t%rax,%rcx\n\tmovq\t%r10,%rax\n\tadcq\t%rdx,%rcx\n\n\tsubq\t%r10,%r12\n\tsbbq\t$0,%r10\n\n\tmulq\t8(%r14)\n\taddq\t%rcx,%r11\n\tadcq\t$0,%rdx\n\taddq\t%rax,%r11\n\tmovq\t%rbp,%rax\n\tadcq\t%rdx,%r12\n\tmovq\t%rbp,%rdx\n\tadcq\t$0,%r10\n\n\tshlq\t$32,%rax\n\tshrq\t$32,%rdx\n\tsubq\t%rax,%r13\n\tmovq\t24(%rbx),%rax\n\tsbbq\t%rdx,%rbp\n\n\taddq\t%r10,%r13\n\tadcq\t%rbp,%r8\n\tadcq\t$0,%r9\n\n\n\tmovq\t%rax,%rcx\n\tmulq\t0(%rsi)\n\taddq\t%rax,%r11\n\tmovq\t%rcx,%rax\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%rbp\n\n\tmulq\t8(%rsi)\n\taddq\t%rbp,%r12\n\tadcq\t$0,%rdx\n\taddq\t%rax,%r12\n\tmovq\t%rcx,%rax\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%rbp\n\n\tmulq\t16(%rsi)\n\taddq\t%rbp,%r13\n\tadcq\t$0,%rdx\n\taddq\t%rax,%r13\n\tmovq\t%rcx,%rax\n\tadcq\t$0,%rdx\n\n\tmovq\t%r11,%rcx\n\timulq\t%r15,%r11\n\n\tmovq\t%rdx,%rbp\n\tmulq\t24(%rsi)\n\taddq\t%rbp,%r8\n\tadcq\t$0,%rdx\n\txorq\t%r10,%r10\n\taddq\t%rax,%r8\n\tmovq\t%r11,%rax\n\tadcq\t%rdx,%r9\n\tadcq\t$0,%r10\n\n\n\tmulq\t0(%r14)\n\tmovq\t%r11,%rbp\n\taddq\t%rax,%rcx\n\tmovq\t%r11,%rax\n\tadcq\t%rdx,%rcx\n\n\tsubq\t%r11,%r13\n\tsbbq\t$0,%r11\n\n\tmulq\t8(%r14)\n\taddq\t%rcx,%r12\n\tadcq\t$0,%rdx\n\taddq\t%rax,%r12\n\tmovq\t%rbp,%rax\n\tadcq\t%rdx,%r13\n\tmovq\t%rbp,%rdx\n\tadcq\t$0,%r11\n\n\tshlq\t$32,%rax\n\tshrq\t$32,%rdx\n\tsubq\t%rax,%r8\n\tsbbq\t%rdx,%rbp\n\n\taddq\t%r11,%r8\n\tadcq\t%rbp,%r9\n\tadcq\t$0,%r10\n\n\n\tmovq\t%r12,%rsi\n\tsubq\t0(%r14),%r12\n\tmovq\t%r13,%r11\n\tsbbq\t8(%r14),%r13\n\tmovq\t%r8,%rcx\n\tsbbq\t16(%r14),%r8\n\tmovq\t%r9,%rbp\n\tsbbq\t24(%r14),%r9\n\tsbbq\t$0,%r10\n\n\tcmovcq\t%rsi,%r12\n\tcmovcq\t%r11,%r13\n\tcmovcq\t%rcx,%r8\n\tcmovcq\t%rbp,%r9\n\n\tmovq\t%r12,0(%rdi)\n\tmovq\t%r13,8(%rdi)\n\tmovq\t%r8,16(%rdi)\n\tmovq\t%r9,24(%rdi)\n\n\tmovq\t0(%rsp),%r15\n\n\tmovq\t8(%rsp),%r14\n\n\tmovq\t16(%rsp),%r13\n\n\tmovq\t24(%rsp),%r12\n\n\tmovq\t32(%rsp),%rbx\n\n\tmovq\t40(%rsp),%rbp\n\n\tleaq\t48(%rsp),%rsp\n\nL$ord_mul_epilogue:\n\tret\n\n\n\n\n\n\n\n\n\n.globl\t_ecp_nistz256_ord_sqr_mont_nohw\n.private_extern _ecp_nistz256_ord_sqr_mont_nohw\n\n.p2align\t5\n_ecp_nistz256_ord_sqr_mont_nohw:\n\n_CET_ENDBR\n\tpushq\t%rbp\n\n\tpushq\t%rbx\n\n\tpushq\t%r12\n\n\tpushq\t%r13\n\n\tpushq\t%r14\n\n\tpushq\t%r15\n\nL$ord_sqr_body:\n\n\tmovq\t0(%rsi),%r8\n\tmovq\t8(%rsi),%rax\n\tmovq\t16(%rsi),%r14\n\tmovq\t24(%rsi),%r15\n\tleaq\tL$ord(%rip),%rsi\n\tmovq\t%rdx,%rbx\n\tjmp\tL$oop_ord_sqr\n\n.p2align\t5\nL$oop_ord_sqr:\n\n\tmovq\t%rax,%rbp\n\tmulq\t%r8\n\tmovq\t%rax,%r9\n.byte\t102,72,15,110,205\n\tmovq\t%r14,%rax\n\tmovq\t%rdx,%r10\n\n\tmulq\t%r8\n\taddq\t%rax,%r10\n\tmovq\t%r15,%rax\n.byte\t102,73,15,110,214\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r11\n\n\tmulq\t%r8\n\taddq\t%rax,%r11\n\tmovq\t%r15,%rax\n.byte\t102,73,15,110,223\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r12\n\n\n\tmulq\t%r14\n\tmovq\t%rax,%r13\n\tmovq\t%r14,%rax\n\tmovq\t%rdx,%r14\n\n\n\tmulq\t%rbp\n\taddq\t%rax,%r11\n\tmovq\t%r15,%rax\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r15\n\n\tmulq\t%rbp\n\taddq\t%rax,%r12\n\tadcq\t$0,%rdx\n\n\taddq\t%r15,%r12\n\tadcq\t%rdx,%r13\n\tadcq\t$0,%r14\n\n\n\txorq\t%r15,%r15\n\tmovq\t%r8,%rax\n\taddq\t%r9,%r9\n\tadcq\t%r10,%r10\n\tadcq\t%r11,%r11\n\tadcq\t%r12,%r12\n\tadcq\t%r13,%r13\n\tadcq\t%r14,%r14\n\tadcq\t$0,%r15\n\n\n\tmulq\t%rax\n\tmovq\t%rax,%r8\n.byte\t102,72,15,126,200\n\tmovq\t%rdx,%rbp\n\n\tmulq\t%rax\n\taddq\t%rbp,%r9\n\tadcq\t%rax,%r10\n.byte\t102,72,15,126,208\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%rbp\n\n\tmulq\t%rax\n\taddq\t%rbp,%r11\n\tadcq\t%rax,%r12\n.byte\t102,72,15,126,216\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%rbp\n\n\tmovq\t%r8,%rcx\n\timulq\t32(%rsi),%r8\n\n\tmulq\t%rax\n\taddq\t%rbp,%r13\n\tadcq\t%rax,%r14\n\tmovq\t0(%rsi),%rax\n\tadcq\t%rdx,%r15\n\n\n\tmulq\t%r8\n\tmovq\t%r8,%rbp\n\taddq\t%rax,%rcx\n\tmovq\t8(%rsi),%rax\n\tadcq\t%rdx,%rcx\n\n\tsubq\t%r8,%r10\n\tsbbq\t$0,%rbp\n\n\tmulq\t%r8\n\taddq\t%rcx,%r9\n\tadcq\t$0,%rdx\n\taddq\t%rax,%r9\n\tmovq\t%r8,%rax\n\tadcq\t%rdx,%r10\n\tmovq\t%r8,%rdx\n\tadcq\t$0,%rbp\n\n\tmovq\t%r9,%rcx\n\timulq\t32(%rsi),%r9\n\n\tshlq\t$32,%rax\n\tshrq\t$32,%rdx\n\tsubq\t%rax,%r11\n\tmovq\t0(%rsi),%rax\n\tsbbq\t%rdx,%r8\n\n\taddq\t%rbp,%r11\n\tadcq\t$0,%r8\n\n\n\tmulq\t%r9\n\tmovq\t%r9,%rbp\n\taddq\t%rax,%rcx\n\tmovq\t8(%rsi),%rax\n\tadcq\t%rdx,%rcx\n\n\tsubq\t%r9,%r11\n\tsbbq\t$0,%rbp\n\n\tmulq\t%r9\n\taddq\t%rcx,%r10\n\tadcq\t$0,%rdx\n\taddq\t%rax,%r10\n\tmovq\t%r9,%rax\n\tadcq\t%rdx,%r11\n\tmovq\t%r9,%rdx\n\tadcq\t$0,%rbp\n\n\tmovq\t%r10,%rcx\n\timulq\t32(%rsi),%r10\n\n\tshlq\t$32,%rax\n\tshrq\t$32,%rdx\n\tsubq\t%rax,%r8\n\tmovq\t0(%rsi),%rax\n\tsbbq\t%rdx,%r9\n\n\taddq\t%rbp,%r8\n\tadcq\t$0,%r9\n\n\n\tmulq\t%r10\n\tmovq\t%r10,%rbp\n\taddq\t%rax,%rcx\n\tmovq\t8(%rsi),%rax\n\tadcq\t%rdx,%rcx\n\n\tsubq\t%r10,%r8\n\tsbbq\t$0,%rbp\n\n\tmulq\t%r10\n\taddq\t%rcx,%r11\n\tadcq\t$0,%rdx\n\taddq\t%rax,%r11\n\tmovq\t%r10,%rax\n\tadcq\t%rdx,%r8\n\tmovq\t%r10,%rdx\n\tadcq\t$0,%rbp\n\n\tmovq\t%r11,%rcx\n\timulq\t32(%rsi),%r11\n\n\tshlq\t$32,%rax\n\tshrq\t$32,%rdx\n\tsubq\t%rax,%r9\n\tmovq\t0(%rsi),%rax\n\tsbbq\t%rdx,%r10\n\n\taddq\t%rbp,%r9\n\tadcq\t$0,%r10\n\n\n\tmulq\t%r11\n\tmovq\t%r11,%rbp\n\taddq\t%rax,%rcx\n\tmovq\t8(%rsi),%rax\n\tadcq\t%rdx,%rcx\n\n\tsubq\t%r11,%r9\n\tsbbq\t$0,%rbp\n\n\tmulq\t%r11\n\taddq\t%rcx,%r8\n\tadcq\t$0,%rdx\n\taddq\t%rax,%r8\n\tmovq\t%r11,%rax\n\tadcq\t%rdx,%r9\n\tmovq\t%r11,%rdx\n\tadcq\t$0,%rbp\n\n\tshlq\t$32,%rax\n\tshrq\t$32,%rdx\n\tsubq\t%rax,%r10\n\tsbbq\t%rdx,%r11\n\n\taddq\t%rbp,%r10\n\tadcq\t$0,%r11\n\n\n\txorq\t%rdx,%rdx\n\taddq\t%r12,%r8\n\tadcq\t%r13,%r9\n\tmovq\t%r8,%r12\n\tadcq\t%r14,%r10\n\tadcq\t%r15,%r11\n\tmovq\t%r9,%rax\n\tadcq\t$0,%rdx\n\n\n\tsubq\t0(%rsi),%r8\n\tmovq\t%r10,%r14\n\tsbbq\t8(%rsi),%r9\n\tsbbq\t16(%rsi),%r10\n\tmovq\t%r11,%r15\n\tsbbq\t24(%rsi),%r11\n\tsbbq\t$0,%rdx\n\n\tcmovcq\t%r12,%r8\n\tcmovncq\t%r9,%rax\n\tcmovncq\t%r10,%r14\n\tcmovncq\t%r11,%r15\n\n\tdecq\t%rbx\n\tjnz\tL$oop_ord_sqr\n\n\tmovq\t%r8,0(%rdi)\n\tmovq\t%rax,8(%rdi)\n\tpxor\t%xmm1,%xmm1\n\tmovq\t%r14,16(%rdi)\n\tpxor\t%xmm2,%xmm2\n\tmovq\t%r15,24(%rdi)\n\tpxor\t%xmm3,%xmm3\n\n\tmovq\t0(%rsp),%r15\n\n\tmovq\t8(%rsp),%r14\n\n\tmovq\t16(%rsp),%r13\n\n\tmovq\t24(%rsp),%r12\n\n\tmovq\t32(%rsp),%rbx\n\n\tmovq\t40(%rsp),%rbp\n\n\tleaq\t48(%rsp),%rsp\n\nL$ord_sqr_epilogue:\n\tret\n\n\n\n.globl\t_ecp_nistz256_ord_mul_mont_adx\n.private_extern _ecp_nistz256_ord_mul_mont_adx\n\n.p2align\t5\n_ecp_nistz256_ord_mul_mont_adx:\n\nL$ecp_nistz256_ord_mul_mont_adx:\n_CET_ENDBR\n\tpushq\t%rbp\n\n\tpushq\t%rbx\n\n\tpushq\t%r12\n\n\tpushq\t%r13\n\n\tpushq\t%r14\n\n\tpushq\t%r15\n\nL$ord_mulx_body:\n\n\tmovq\t%rdx,%rbx\n\tmovq\t0(%rdx),%rdx\n\tmovq\t0(%rsi),%r9\n\tmovq\t8(%rsi),%r10\n\tmovq\t16(%rsi),%r11\n\tmovq\t24(%rsi),%r12\n\tleaq\t-128(%rsi),%rsi\n\tleaq\tL$ord-128(%rip),%r14\n\tmovq\tL$ordK(%rip),%r15\n\n\n\tmulxq\t%r9,%r8,%r9\n\tmulxq\t%r10,%rcx,%r10\n\tmulxq\t%r11,%rbp,%r11\n\taddq\t%rcx,%r9\n\tmulxq\t%r12,%rcx,%r12\n\tmovq\t%r8,%rdx\n\tmulxq\t%r15,%rdx,%rax\n\tadcq\t%rbp,%r10\n\tadcq\t%rcx,%r11\n\tadcq\t$0,%r12\n\n\n\txorq\t%r13,%r13\n\tmulxq\t0+128(%r14),%rcx,%rbp\n\tadcxq\t%rcx,%r8\n\tadoxq\t%rbp,%r9\n\n\tmulxq\t8+128(%r14),%rcx,%rbp\n\tadcxq\t%rcx,%r9\n\tadoxq\t%rbp,%r10\n\n\tmulxq\t16+128(%r14),%rcx,%rbp\n\tadcxq\t%rcx,%r10\n\tadoxq\t%rbp,%r11\n\n\tmulxq\t24+128(%r14),%rcx,%rbp\n\tmovq\t8(%rbx),%rdx\n\tadcxq\t%rcx,%r11\n\tadoxq\t%rbp,%r12\n\tadcxq\t%r8,%r12\n\tadoxq\t%r8,%r13\n\tadcq\t$0,%r13\n\n\n\tmulxq\t0+128(%rsi),%rcx,%rbp\n\tadcxq\t%rcx,%r9\n\tadoxq\t%rbp,%r10\n\n\tmulxq\t8+128(%rsi),%rcx,%rbp\n\tadcxq\t%rcx,%r10\n\tadoxq\t%rbp,%r11\n\n\tmulxq\t16+128(%rsi),%rcx,%rbp\n\tadcxq\t%rcx,%r11\n\tadoxq\t%rbp,%r12\n\n\tmulxq\t24+128(%rsi),%rcx,%rbp\n\tmovq\t%r9,%rdx\n\tmulxq\t%r15,%rdx,%rax\n\tadcxq\t%rcx,%r12\n\tadoxq\t%rbp,%r13\n\n\tadcxq\t%r8,%r13\n\tadoxq\t%r8,%r8\n\tadcq\t$0,%r8\n\n\n\tmulxq\t0+128(%r14),%rcx,%rbp\n\tadcxq\t%rcx,%r9\n\tadoxq\t%rbp,%r10\n\n\tmulxq\t8+128(%r14),%rcx,%rbp\n\tadcxq\t%rcx,%r10\n\tadoxq\t%rbp,%r11\n\n\tmulxq\t16+128(%r14),%rcx,%rbp\n\tadcxq\t%rcx,%r11\n\tadoxq\t%rbp,%r12\n\n\tmulxq\t24+128(%r14),%rcx,%rbp\n\tmovq\t16(%rbx),%rdx\n\tadcxq\t%rcx,%r12\n\tadoxq\t%rbp,%r13\n\tadcxq\t%r9,%r13\n\tadoxq\t%r9,%r8\n\tadcq\t$0,%r8\n\n\n\tmulxq\t0+128(%rsi),%rcx,%rbp\n\tadcxq\t%rcx,%r10\n\tadoxq\t%rbp,%r11\n\n\tmulxq\t8+128(%rsi),%rcx,%rbp\n\tadcxq\t%rcx,%r11\n\tadoxq\t%rbp,%r12\n\n\tmulxq\t16+128(%rsi),%rcx,%rbp\n\tadcxq\t%rcx,%r12\n\tadoxq\t%rbp,%r13\n\n\tmulxq\t24+128(%rsi),%rcx,%rbp\n\tmovq\t%r10,%rdx\n\tmulxq\t%r15,%rdx,%rax\n\tadcxq\t%rcx,%r13\n\tadoxq\t%rbp,%r8\n\n\tadcxq\t%r9,%r8\n\tadoxq\t%r9,%r9\n\tadcq\t$0,%r9\n\n\n\tmulxq\t0+128(%r14),%rcx,%rbp\n\tadcxq\t%rcx,%r10\n\tadoxq\t%rbp,%r11\n\n\tmulxq\t8+128(%r14),%rcx,%rbp\n\tadcxq\t%rcx,%r11\n\tadoxq\t%rbp,%r12\n\n\tmulxq\t16+128(%r14),%rcx,%rbp\n\tadcxq\t%rcx,%r12\n\tadoxq\t%rbp,%r13\n\n\tmulxq\t24+128(%r14),%rcx,%rbp\n\tmovq\t24(%rbx),%rdx\n\tadcxq\t%rcx,%r13\n\tadoxq\t%rbp,%r8\n\tadcxq\t%r10,%r8\n\tadoxq\t%r10,%r9\n\tadcq\t$0,%r9\n\n\n\tmulxq\t0+128(%rsi),%rcx,%rbp\n\tadcxq\t%rcx,%r11\n\tadoxq\t%rbp,%r12\n\n\tmulxq\t8+128(%rsi),%rcx,%rbp\n\tadcxq\t%rcx,%r12\n\tadoxq\t%rbp,%r13\n\n\tmulxq\t16+128(%rsi),%rcx,%rbp\n\tadcxq\t%rcx,%r13\n\tadoxq\t%rbp,%r8\n\n\tmulxq\t24+128(%rsi),%rcx,%rbp\n\tmovq\t%r11,%rdx\n\tmulxq\t%r15,%rdx,%rax\n\tadcxq\t%rcx,%r8\n\tadoxq\t%rbp,%r9\n\n\tadcxq\t%r10,%r9\n\tadoxq\t%r10,%r10\n\tadcq\t$0,%r10\n\n\n\tmulxq\t0+128(%r14),%rcx,%rbp\n\tadcxq\t%rcx,%r11\n\tadoxq\t%rbp,%r12\n\n\tmulxq\t8+128(%r14),%rcx,%rbp\n\tadcxq\t%rcx,%r12\n\tadoxq\t%rbp,%r13\n\n\tmulxq\t16+128(%r14),%rcx,%rbp\n\tadcxq\t%rcx,%r13\n\tadoxq\t%rbp,%r8\n\n\tmulxq\t24+128(%r14),%rcx,%rbp\n\tleaq\t128(%r14),%r14\n\tmovq\t%r12,%rbx\n\tadcxq\t%rcx,%r8\n\tadoxq\t%rbp,%r9\n\tmovq\t%r13,%rdx\n\tadcxq\t%r11,%r9\n\tadoxq\t%r11,%r10\n\tadcq\t$0,%r10\n\n\n\n\tmovq\t%r8,%rcx\n\tsubq\t0(%r14),%r12\n\tsbbq\t8(%r14),%r13\n\tsbbq\t16(%r14),%r8\n\tmovq\t%r9,%rbp\n\tsbbq\t24(%r14),%r9\n\tsbbq\t$0,%r10\n\n\tcmovcq\t%rbx,%r12\n\tcmovcq\t%rdx,%r13\n\tcmovcq\t%rcx,%r8\n\tcmovcq\t%rbp,%r9\n\n\tmovq\t%r12,0(%rdi)\n\tmovq\t%r13,8(%rdi)\n\tmovq\t%r8,16(%rdi)\n\tmovq\t%r9,24(%rdi)\n\n\tmovq\t0(%rsp),%r15\n\n\tmovq\t8(%rsp),%r14\n\n\tmovq\t16(%rsp),%r13\n\n\tmovq\t24(%rsp),%r12\n\n\tmovq\t32(%rsp),%rbx\n\n\tmovq\t40(%rsp),%rbp\n\n\tleaq\t48(%rsp),%rsp\n\nL$ord_mulx_epilogue:\n\tret\n\n\n\n.globl\t_ecp_nistz256_ord_sqr_mont_adx\n.private_extern _ecp_nistz256_ord_sqr_mont_adx\n\n.p2align\t5\n_ecp_nistz256_ord_sqr_mont_adx:\n\n_CET_ENDBR\nL$ecp_nistz256_ord_sqr_mont_adx:\n\tpushq\t%rbp\n\n\tpushq\t%rbx\n\n\tpushq\t%r12\n\n\tpushq\t%r13\n\n\tpushq\t%r14\n\n\tpushq\t%r15\n\nL$ord_sqrx_body:\n\n\tmovq\t%rdx,%rbx\n\tmovq\t0(%rsi),%rdx\n\tmovq\t8(%rsi),%r14\n\tmovq\t16(%rsi),%r15\n\tmovq\t24(%rsi),%r8\n\tleaq\tL$ord(%rip),%rsi\n\tjmp\tL$oop_ord_sqrx\n\n.p2align\t5\nL$oop_ord_sqrx:\n\tmulxq\t%r14,%r9,%r10\n\tmulxq\t%r15,%rcx,%r11\n\tmovq\t%rdx,%rax\n.byte\t102,73,15,110,206\n\tmulxq\t%r8,%rbp,%r12\n\tmovq\t%r14,%rdx\n\taddq\t%rcx,%r10\n.byte\t102,73,15,110,215\n\tadcq\t%rbp,%r11\n\tadcq\t$0,%r12\n\txorq\t%r13,%r13\n\n\tmulxq\t%r15,%rcx,%rbp\n\tadcxq\t%rcx,%r11\n\tadoxq\t%rbp,%r12\n\n\tmulxq\t%r8,%rcx,%rbp\n\tmovq\t%r15,%rdx\n\tadcxq\t%rcx,%r12\n\tadoxq\t%rbp,%r13\n\tadcq\t$0,%r13\n\n\tmulxq\t%r8,%rcx,%r14\n\tmovq\t%rax,%rdx\n.byte\t102,73,15,110,216\n\txorq\t%r15,%r15\n\tadcxq\t%r9,%r9\n\tadoxq\t%rcx,%r13\n\tadcxq\t%r10,%r10\n\tadoxq\t%r15,%r14\n\n\n\tmulxq\t%rdx,%r8,%rbp\n.byte\t102,72,15,126,202\n\tadcxq\t%r11,%r11\n\tadoxq\t%rbp,%r9\n\tadcxq\t%r12,%r12\n\tmulxq\t%rdx,%rcx,%rax\n.byte\t102,72,15,126,210\n\tadcxq\t%r13,%r13\n\tadoxq\t%rcx,%r10\n\tadcxq\t%r14,%r14\n\tmulxq\t%rdx,%rcx,%rbp\n.byte\t0x67\n.byte\t102,72,15,126,218\n\tadoxq\t%rax,%r11\n\tadcxq\t%r15,%r15\n\tadoxq\t%rcx,%r12\n\tadoxq\t%rbp,%r13\n\tmulxq\t%rdx,%rcx,%rax\n\tadoxq\t%rcx,%r14\n\tadoxq\t%rax,%r15\n\n\n\tmovq\t%r8,%rdx\n\tmulxq\t32(%rsi),%rdx,%rcx\n\n\txorq\t%rax,%rax\n\tmulxq\t0(%rsi),%rcx,%rbp\n\tadcxq\t%rcx,%r8\n\tadoxq\t%rbp,%r9\n\tmulxq\t8(%rsi),%rcx,%rbp\n\tadcxq\t%rcx,%r9\n\tadoxq\t%rbp,%r10\n\tmulxq\t16(%rsi),%rcx,%rbp\n\tadcxq\t%rcx,%r10\n\tadoxq\t%rbp,%r11\n\tmulxq\t24(%rsi),%rcx,%rbp\n\tadcxq\t%rcx,%r11\n\tadoxq\t%rbp,%r8\n\tadcxq\t%rax,%r8\n\n\n\tmovq\t%r9,%rdx\n\tmulxq\t32(%rsi),%rdx,%rcx\n\n\tmulxq\t0(%rsi),%rcx,%rbp\n\tadoxq\t%rcx,%r9\n\tadcxq\t%rbp,%r10\n\tmulxq\t8(%rsi),%rcx,%rbp\n\tadoxq\t%rcx,%r10\n\tadcxq\t%rbp,%r11\n\tmulxq\t16(%rsi),%rcx,%rbp\n\tadoxq\t%rcx,%r11\n\tadcxq\t%rbp,%r8\n\tmulxq\t24(%rsi),%rcx,%rbp\n\tadoxq\t%rcx,%r8\n\tadcxq\t%rbp,%r9\n\tadoxq\t%rax,%r9\n\n\n\tmovq\t%r10,%rdx\n\tmulxq\t32(%rsi),%rdx,%rcx\n\n\tmulxq\t0(%rsi),%rcx,%rbp\n\tadcxq\t%rcx,%r10\n\tadoxq\t%rbp,%r11\n\tmulxq\t8(%rsi),%rcx,%rbp\n\tadcxq\t%rcx,%r11\n\tadoxq\t%rbp,%r8\n\tmulxq\t16(%rsi),%rcx,%rbp\n\tadcxq\t%rcx,%r8\n\tadoxq\t%rbp,%r9\n\tmulxq\t24(%rsi),%rcx,%rbp\n\tadcxq\t%rcx,%r9\n\tadoxq\t%rbp,%r10\n\tadcxq\t%rax,%r10\n\n\n\tmovq\t%r11,%rdx\n\tmulxq\t32(%rsi),%rdx,%rcx\n\n\tmulxq\t0(%rsi),%rcx,%rbp\n\tadoxq\t%rcx,%r11\n\tadcxq\t%rbp,%r8\n\tmulxq\t8(%rsi),%rcx,%rbp\n\tadoxq\t%rcx,%r8\n\tadcxq\t%rbp,%r9\n\tmulxq\t16(%rsi),%rcx,%rbp\n\tadoxq\t%rcx,%r9\n\tadcxq\t%rbp,%r10\n\tmulxq\t24(%rsi),%rcx,%rbp\n\tadoxq\t%rcx,%r10\n\tadcxq\t%rbp,%r11\n\tadoxq\t%rax,%r11\n\n\n\taddq\t%r8,%r12\n\tadcq\t%r13,%r9\n\tmovq\t%r12,%rdx\n\tadcq\t%r14,%r10\n\tadcq\t%r15,%r11\n\tmovq\t%r9,%r14\n\tadcq\t$0,%rax\n\n\n\tsubq\t0(%rsi),%r12\n\tmovq\t%r10,%r15\n\tsbbq\t8(%rsi),%r9\n\tsbbq\t16(%rsi),%r10\n\tmovq\t%r11,%r8\n\tsbbq\t24(%rsi),%r11\n\tsbbq\t$0,%rax\n\n\tcmovncq\t%r12,%rdx\n\tcmovncq\t%r9,%r14\n\tcmovncq\t%r10,%r15\n\tcmovncq\t%r11,%r8\n\n\tdecq\t%rbx\n\tjnz\tL$oop_ord_sqrx\n\n\tmovq\t%rdx,0(%rdi)\n\tmovq\t%r14,8(%rdi)\n\tpxor\t%xmm1,%xmm1\n\tmovq\t%r15,16(%rdi)\n\tpxor\t%xmm2,%xmm2\n\tmovq\t%r8,24(%rdi)\n\tpxor\t%xmm3,%xmm3\n\n\tmovq\t0(%rsp),%r15\n\n\tmovq\t8(%rsp),%r14\n\n\tmovq\t16(%rsp),%r13\n\n\tmovq\t24(%rsp),%r12\n\n\tmovq\t32(%rsp),%rbx\n\n\tmovq\t40(%rsp),%rbp\n\n\tleaq\t48(%rsp),%rsp\n\nL$ord_sqrx_epilogue:\n\tret\n\n\n\n\n\n\n\n\n.globl\t_ecp_nistz256_mul_mont_nohw\n.private_extern _ecp_nistz256_mul_mont_nohw\n\n.p2align\t5\n_ecp_nistz256_mul_mont_nohw:\n\n_CET_ENDBR\n\tpushq\t%rbp\n\n\tpushq\t%rbx\n\n\tpushq\t%r12\n\n\tpushq\t%r13\n\n\tpushq\t%r14\n\n\tpushq\t%r15\n\nL$mul_body:\n\tmovq\t%rdx,%rbx\n\tmovq\t0(%rdx),%rax\n\tmovq\t0(%rsi),%r9\n\tmovq\t8(%rsi),%r10\n\tmovq\t16(%rsi),%r11\n\tmovq\t24(%rsi),%r12\n\n\tcall\t__ecp_nistz256_mul_montq\n\n\tmovq\t0(%rsp),%r15\n\n\tmovq\t8(%rsp),%r14\n\n\tmovq\t16(%rsp),%r13\n\n\tmovq\t24(%rsp),%r12\n\n\tmovq\t32(%rsp),%rbx\n\n\tmovq\t40(%rsp),%rbp\n\n\tleaq\t48(%rsp),%rsp\n\nL$mul_epilogue:\n\tret\n\n\n\n\n.p2align\t5\n__ecp_nistz256_mul_montq:\n\n\n\n\tmovq\t%rax,%rbp\n\tmulq\t%r9\n\tmovq\tL$poly+8(%rip),%r14\n\tmovq\t%rax,%r8\n\tmovq\t%rbp,%rax\n\tmovq\t%rdx,%r9\n\n\tmulq\t%r10\n\tmovq\tL$poly+24(%rip),%r15\n\taddq\t%rax,%r9\n\tmovq\t%rbp,%rax\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r10\n\n\tmulq\t%r11\n\taddq\t%rax,%r10\n\tmovq\t%rbp,%rax\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r11\n\n\tmulq\t%r12\n\taddq\t%rax,%r11\n\tmovq\t%r8,%rax\n\tadcq\t$0,%rdx\n\txorq\t%r13,%r13\n\tmovq\t%rdx,%r12\n\n\n\n\n\n\n\n\n\n\n\tmovq\t%r8,%rbp\n\tshlq\t$32,%r8\n\tmulq\t%r15\n\tshrq\t$32,%rbp\n\taddq\t%r8,%r9\n\tadcq\t%rbp,%r10\n\tadcq\t%rax,%r11\n\tmovq\t8(%rbx),%rax\n\tadcq\t%rdx,%r12\n\tadcq\t$0,%r13\n\txorq\t%r8,%r8\n\n\n\n\tmovq\t%rax,%rbp\n\tmulq\t0(%rsi)\n\taddq\t%rax,%r9\n\tmovq\t%rbp,%rax\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%rcx\n\n\tmulq\t8(%rsi)\n\taddq\t%rcx,%r10\n\tadcq\t$0,%rdx\n\taddq\t%rax,%r10\n\tmovq\t%rbp,%rax\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%rcx\n\n\tmulq\t16(%rsi)\n\taddq\t%rcx,%r11\n\tadcq\t$0,%rdx\n\taddq\t%rax,%r11\n\tmovq\t%rbp,%rax\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%rcx\n\n\tmulq\t24(%rsi)\n\taddq\t%rcx,%r12\n\tadcq\t$0,%rdx\n\taddq\t%rax,%r12\n\tmovq\t%r9,%rax\n\tadcq\t%rdx,%r13\n\tadcq\t$0,%r8\n\n\n\n\tmovq\t%r9,%rbp\n\tshlq\t$32,%r9\n\tmulq\t%r15\n\tshrq\t$32,%rbp\n\taddq\t%r9,%r10\n\tadcq\t%rbp,%r11\n\tadcq\t%rax,%r12\n\tmovq\t16(%rbx),%rax\n\tadcq\t%rdx,%r13\n\tadcq\t$0,%r8\n\txorq\t%r9,%r9\n\n\n\n\tmovq\t%rax,%rbp\n\tmulq\t0(%rsi)\n\taddq\t%rax,%r10\n\tmovq\t%rbp,%rax\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%rcx\n\n\tmulq\t8(%rsi)\n\taddq\t%rcx,%r11\n\tadcq\t$0,%rdx\n\taddq\t%rax,%r11\n\tmovq\t%rbp,%rax\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%rcx\n\n\tmulq\t16(%rsi)\n\taddq\t%rcx,%r12\n\tadcq\t$0,%rdx\n\taddq\t%rax,%r12\n\tmovq\t%rbp,%rax\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%rcx\n\n\tmulq\t24(%rsi)\n\taddq\t%rcx,%r13\n\tadcq\t$0,%rdx\n\taddq\t%rax,%r13\n\tmovq\t%r10,%rax\n\tadcq\t%rdx,%r8\n\tadcq\t$0,%r9\n\n\n\n\tmovq\t%r10,%rbp\n\tshlq\t$32,%r10\n\tmulq\t%r15\n\tshrq\t$32,%rbp\n\taddq\t%r10,%r11\n\tadcq\t%rbp,%r12\n\tadcq\t%rax,%r13\n\tmovq\t24(%rbx),%rax\n\tadcq\t%rdx,%r8\n\tadcq\t$0,%r9\n\txorq\t%r10,%r10\n\n\n\n\tmovq\t%rax,%rbp\n\tmulq\t0(%rsi)\n\taddq\t%rax,%r11\n\tmovq\t%rbp,%rax\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%rcx\n\n\tmulq\t8(%rsi)\n\taddq\t%rcx,%r12\n\tadcq\t$0,%rdx\n\taddq\t%rax,%r12\n\tmovq\t%rbp,%rax\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%rcx\n\n\tmulq\t16(%rsi)\n\taddq\t%rcx,%r13\n\tadcq\t$0,%rdx\n\taddq\t%rax,%r13\n\tmovq\t%rbp,%rax\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%rcx\n\n\tmulq\t24(%rsi)\n\taddq\t%rcx,%r8\n\tadcq\t$0,%rdx\n\taddq\t%rax,%r8\n\tmovq\t%r11,%rax\n\tadcq\t%rdx,%r9\n\tadcq\t$0,%r10\n\n\n\n\tmovq\t%r11,%rbp\n\tshlq\t$32,%r11\n\tmulq\t%r15\n\tshrq\t$32,%rbp\n\taddq\t%r11,%r12\n\tadcq\t%rbp,%r13\n\tmovq\t%r12,%rcx\n\tadcq\t%rax,%r8\n\tadcq\t%rdx,%r9\n\tmovq\t%r13,%rbp\n\tadcq\t$0,%r10\n\n\n\n\tsubq\t$-1,%r12\n\tmovq\t%r8,%rbx\n\tsbbq\t%r14,%r13\n\tsbbq\t$0,%r8\n\tmovq\t%r9,%rdx\n\tsbbq\t%r15,%r9\n\tsbbq\t$0,%r10\n\n\tcmovcq\t%rcx,%r12\n\tcmovcq\t%rbp,%r13\n\tmovq\t%r12,0(%rdi)\n\tcmovcq\t%rbx,%r8\n\tmovq\t%r13,8(%rdi)\n\tcmovcq\t%rdx,%r9\n\tmovq\t%r8,16(%rdi)\n\tmovq\t%r9,24(%rdi)\n\n\tret\n\n\n\n\n\n\n\n\n\n\n.globl\t_ecp_nistz256_sqr_mont_nohw\n.private_extern _ecp_nistz256_sqr_mont_nohw\n\n.p2align\t5\n_ecp_nistz256_sqr_mont_nohw:\n\n_CET_ENDBR\n\tpushq\t%rbp\n\n\tpushq\t%rbx\n\n\tpushq\t%r12\n\n\tpushq\t%r13\n\n\tpushq\t%r14\n\n\tpushq\t%r15\n\nL$sqr_body:\n\tmovq\t0(%rsi),%rax\n\tmovq\t8(%rsi),%r14\n\tmovq\t16(%rsi),%r15\n\tmovq\t24(%rsi),%r8\n\n\tcall\t__ecp_nistz256_sqr_montq\n\n\tmovq\t0(%rsp),%r15\n\n\tmovq\t8(%rsp),%r14\n\n\tmovq\t16(%rsp),%r13\n\n\tmovq\t24(%rsp),%r12\n\n\tmovq\t32(%rsp),%rbx\n\n\tmovq\t40(%rsp),%rbp\n\n\tleaq\t48(%rsp),%rsp\n\nL$sqr_epilogue:\n\tret\n\n\n\n\n.p2align\t5\n__ecp_nistz256_sqr_montq:\n\n\tmovq\t%rax,%r13\n\tmulq\t%r14\n\tmovq\t%rax,%r9\n\tmovq\t%r15,%rax\n\tmovq\t%rdx,%r10\n\n\tmulq\t%r13\n\taddq\t%rax,%r10\n\tmovq\t%r8,%rax\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r11\n\n\tmulq\t%r13\n\taddq\t%rax,%r11\n\tmovq\t%r15,%rax\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r12\n\n\n\tmulq\t%r14\n\taddq\t%rax,%r11\n\tmovq\t%r8,%rax\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%rbp\n\n\tmulq\t%r14\n\taddq\t%rax,%r12\n\tmovq\t%r8,%rax\n\tadcq\t$0,%rdx\n\taddq\t%rbp,%r12\n\tmovq\t%rdx,%r13\n\tadcq\t$0,%r13\n\n\n\tmulq\t%r15\n\txorq\t%r15,%r15\n\taddq\t%rax,%r13\n\tmovq\t0(%rsi),%rax\n\tmovq\t%rdx,%r14\n\tadcq\t$0,%r14\n\n\taddq\t%r9,%r9\n\tadcq\t%r10,%r10\n\tadcq\t%r11,%r11\n\tadcq\t%r12,%r12\n\tadcq\t%r13,%r13\n\tadcq\t%r14,%r14\n\tadcq\t$0,%r15\n\n\tmulq\t%rax\n\tmovq\t%rax,%r8\n\tmovq\t8(%rsi),%rax\n\tmovq\t%rdx,%rcx\n\n\tmulq\t%rax\n\taddq\t%rcx,%r9\n\tadcq\t%rax,%r10\n\tmovq\t16(%rsi),%rax\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%rcx\n\n\tmulq\t%rax\n\taddq\t%rcx,%r11\n\tadcq\t%rax,%r12\n\tmovq\t24(%rsi),%rax\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%rcx\n\n\tmulq\t%rax\n\taddq\t%rcx,%r13\n\tadcq\t%rax,%r14\n\tmovq\t%r8,%rax\n\tadcq\t%rdx,%r15\n\n\tmovq\tL$poly+8(%rip),%rsi\n\tmovq\tL$poly+24(%rip),%rbp\n\n\n\n\n\tmovq\t%r8,%rcx\n\tshlq\t$32,%r8\n\tmulq\t%rbp\n\tshrq\t$32,%rcx\n\taddq\t%r8,%r9\n\tadcq\t%rcx,%r10\n\tadcq\t%rax,%r11\n\tmovq\t%r9,%rax\n\tadcq\t$0,%rdx\n\n\n\n\tmovq\t%r9,%rcx\n\tshlq\t$32,%r9\n\tmovq\t%rdx,%r8\n\tmulq\t%rbp\n\tshrq\t$32,%rcx\n\taddq\t%r9,%r10\n\tadcq\t%rcx,%r11\n\tadcq\t%rax,%r8\n\tmovq\t%r10,%rax\n\tadcq\t$0,%rdx\n\n\n\n\tmovq\t%r10,%rcx\n\tshlq\t$32,%r10\n\tmovq\t%rdx,%r9\n\tmulq\t%rbp\n\tshrq\t$32,%rcx\n\taddq\t%r10,%r11\n\tadcq\t%rcx,%r8\n\tadcq\t%rax,%r9\n\tmovq\t%r11,%rax\n\tadcq\t$0,%rdx\n\n\n\n\tmovq\t%r11,%rcx\n\tshlq\t$32,%r11\n\tmovq\t%rdx,%r10\n\tmulq\t%rbp\n\tshrq\t$32,%rcx\n\taddq\t%r11,%r8\n\tadcq\t%rcx,%r9\n\tadcq\t%rax,%r10\n\tadcq\t$0,%rdx\n\txorq\t%r11,%r11\n\n\n\n\taddq\t%r8,%r12\n\tadcq\t%r9,%r13\n\tmovq\t%r12,%r8\n\tadcq\t%r10,%r14\n\tadcq\t%rdx,%r15\n\tmovq\t%r13,%r9\n\tadcq\t$0,%r11\n\n\tsubq\t$-1,%r12\n\tmovq\t%r14,%r10\n\tsbbq\t%rsi,%r13\n\tsbbq\t$0,%r14\n\tmovq\t%r15,%rcx\n\tsbbq\t%rbp,%r15\n\tsbbq\t$0,%r11\n\n\tcmovcq\t%r8,%r12\n\tcmovcq\t%r9,%r13\n\tmovq\t%r12,0(%rdi)\n\tcmovcq\t%r10,%r14\n\tmovq\t%r13,8(%rdi)\n\tcmovcq\t%rcx,%r15\n\tmovq\t%r14,16(%rdi)\n\tmovq\t%r15,24(%rdi)\n\n\tret\n\n\n.globl\t_ecp_nistz256_mul_mont_adx\n.private_extern _ecp_nistz256_mul_mont_adx\n\n.p2align\t5\n_ecp_nistz256_mul_mont_adx:\n\n_CET_ENDBR\n\tpushq\t%rbp\n\n\tpushq\t%rbx\n\n\tpushq\t%r12\n\n\tpushq\t%r13\n\n\tpushq\t%r14\n\n\tpushq\t%r15\n\nL$mulx_body:\n\tmovq\t%rdx,%rbx\n\tmovq\t0(%rdx),%rdx\n\tmovq\t0(%rsi),%r9\n\tmovq\t8(%rsi),%r10\n\tmovq\t16(%rsi),%r11\n\tmovq\t24(%rsi),%r12\n\tleaq\t-128(%rsi),%rsi\n\n\tcall\t__ecp_nistz256_mul_montx\n\n\tmovq\t0(%rsp),%r15\n\n\tmovq\t8(%rsp),%r14\n\n\tmovq\t16(%rsp),%r13\n\n\tmovq\t24(%rsp),%r12\n\n\tmovq\t32(%rsp),%rbx\n\n\tmovq\t40(%rsp),%rbp\n\n\tleaq\t48(%rsp),%rsp\n\nL$mulx_epilogue:\n\tret\n\n\n\n\n.p2align\t5\n__ecp_nistz256_mul_montx:\n\n\n\n\tmulxq\t%r9,%r8,%r9\n\tmulxq\t%r10,%rcx,%r10\n\tmovq\t$32,%r14\n\txorq\t%r13,%r13\n\tmulxq\t%r11,%rbp,%r11\n\tmovq\tL$poly+24(%rip),%r15\n\tadcq\t%rcx,%r9\n\tmulxq\t%r12,%rcx,%r12\n\tmovq\t%r8,%rdx\n\tadcq\t%rbp,%r10\n\tshlxq\t%r14,%r8,%rbp\n\tadcq\t%rcx,%r11\n\tshrxq\t%r14,%r8,%rcx\n\tadcq\t$0,%r12\n\n\n\n\taddq\t%rbp,%r9\n\tadcq\t%rcx,%r10\n\n\tmulxq\t%r15,%rcx,%rbp\n\tmovq\t8(%rbx),%rdx\n\tadcq\t%rcx,%r11\n\tadcq\t%rbp,%r12\n\tadcq\t$0,%r13\n\txorq\t%r8,%r8\n\n\n\n\tmulxq\t0+128(%rsi),%rcx,%rbp\n\tadcxq\t%rcx,%r9\n\tadoxq\t%rbp,%r10\n\n\tmulxq\t8+128(%rsi),%rcx,%rbp\n\tadcxq\t%rcx,%r10\n\tadoxq\t%rbp,%r11\n\n\tmulxq\t16+128(%rsi),%rcx,%rbp\n\tadcxq\t%rcx,%r11\n\tadoxq\t%rbp,%r12\n\n\tmulxq\t24+128(%rsi),%rcx,%rbp\n\tmovq\t%r9,%rdx\n\tadcxq\t%rcx,%r12\n\tshlxq\t%r14,%r9,%rcx\n\tadoxq\t%rbp,%r13\n\tshrxq\t%r14,%r9,%rbp\n\n\tadcxq\t%r8,%r13\n\tadoxq\t%r8,%r8\n\tadcq\t$0,%r8\n\n\n\n\taddq\t%rcx,%r10\n\tadcq\t%rbp,%r11\n\n\tmulxq\t%r15,%rcx,%rbp\n\tmovq\t16(%rbx),%rdx\n\tadcq\t%rcx,%r12\n\tadcq\t%rbp,%r13\n\tadcq\t$0,%r8\n\txorq\t%r9,%r9\n\n\n\n\tmulxq\t0+128(%rsi),%rcx,%rbp\n\tadcxq\t%rcx,%r10\n\tadoxq\t%rbp,%r11\n\n\tmulxq\t8+128(%rsi),%rcx,%rbp\n\tadcxq\t%rcx,%r11\n\tadoxq\t%rbp,%r12\n\n\tmulxq\t16+128(%rsi),%rcx,%rbp\n\tadcxq\t%rcx,%r12\n\tadoxq\t%rbp,%r13\n\n\tmulxq\t24+128(%rsi),%rcx,%rbp\n\tmovq\t%r10,%rdx\n\tadcxq\t%rcx,%r13\n\tshlxq\t%r14,%r10,%rcx\n\tadoxq\t%rbp,%r8\n\tshrxq\t%r14,%r10,%rbp\n\n\tadcxq\t%r9,%r8\n\tadoxq\t%r9,%r9\n\tadcq\t$0,%r9\n\n\n\n\taddq\t%rcx,%r11\n\tadcq\t%rbp,%r12\n\n\tmulxq\t%r15,%rcx,%rbp\n\tmovq\t24(%rbx),%rdx\n\tadcq\t%rcx,%r13\n\tadcq\t%rbp,%r8\n\tadcq\t$0,%r9\n\txorq\t%r10,%r10\n\n\n\n\tmulxq\t0+128(%rsi),%rcx,%rbp\n\tadcxq\t%rcx,%r11\n\tadoxq\t%rbp,%r12\n\n\tmulxq\t8+128(%rsi),%rcx,%rbp\n\tadcxq\t%rcx,%r12\n\tadoxq\t%rbp,%r13\n\n\tmulxq\t16+128(%rsi),%rcx,%rbp\n\tadcxq\t%rcx,%r13\n\tadoxq\t%rbp,%r8\n\n\tmulxq\t24+128(%rsi),%rcx,%rbp\n\tmovq\t%r11,%rdx\n\tadcxq\t%rcx,%r8\n\tshlxq\t%r14,%r11,%rcx\n\tadoxq\t%rbp,%r9\n\tshrxq\t%r14,%r11,%rbp\n\n\tadcxq\t%r10,%r9\n\tadoxq\t%r10,%r10\n\tadcq\t$0,%r10\n\n\n\n\taddq\t%rcx,%r12\n\tadcq\t%rbp,%r13\n\n\tmulxq\t%r15,%rcx,%rbp\n\tmovq\t%r12,%rbx\n\tmovq\tL$poly+8(%rip),%r14\n\tadcq\t%rcx,%r8\n\tmovq\t%r13,%rdx\n\tadcq\t%rbp,%r9\n\tadcq\t$0,%r10\n\n\n\n\txorl\t%eax,%eax\n\tmovq\t%r8,%rcx\n\tsbbq\t$-1,%r12\n\tsbbq\t%r14,%r13\n\tsbbq\t$0,%r8\n\tmovq\t%r9,%rbp\n\tsbbq\t%r15,%r9\n\tsbbq\t$0,%r10\n\n\tcmovcq\t%rbx,%r12\n\tcmovcq\t%rdx,%r13\n\tmovq\t%r12,0(%rdi)\n\tcmovcq\t%rcx,%r8\n\tmovq\t%r13,8(%rdi)\n\tcmovcq\t%rbp,%r9\n\tmovq\t%r8,16(%rdi)\n\tmovq\t%r9,24(%rdi)\n\n\tret\n\n\n\n.globl\t_ecp_nistz256_sqr_mont_adx\n.private_extern _ecp_nistz256_sqr_mont_adx\n\n.p2align\t5\n_ecp_nistz256_sqr_mont_adx:\n\n_CET_ENDBR\n\tpushq\t%rbp\n\n\tpushq\t%rbx\n\n\tpushq\t%r12\n\n\tpushq\t%r13\n\n\tpushq\t%r14\n\n\tpushq\t%r15\n\nL$sqrx_body:\n\tmovq\t0(%rsi),%rdx\n\tmovq\t8(%rsi),%r14\n\tmovq\t16(%rsi),%r15\n\tmovq\t24(%rsi),%r8\n\tleaq\t-128(%rsi),%rsi\n\n\tcall\t__ecp_nistz256_sqr_montx\n\n\tmovq\t0(%rsp),%r15\n\n\tmovq\t8(%rsp),%r14\n\n\tmovq\t16(%rsp),%r13\n\n\tmovq\t24(%rsp),%r12\n\n\tmovq\t32(%rsp),%rbx\n\n\tmovq\t40(%rsp),%rbp\n\n\tleaq\t48(%rsp),%rsp\n\nL$sqrx_epilogue:\n\tret\n\n\n\n\n.p2align\t5\n__ecp_nistz256_sqr_montx:\n\n\tmulxq\t%r14,%r9,%r10\n\tmulxq\t%r15,%rcx,%r11\n\txorl\t%eax,%eax\n\tadcq\t%rcx,%r10\n\tmulxq\t%r8,%rbp,%r12\n\tmovq\t%r14,%rdx\n\tadcq\t%rbp,%r11\n\tadcq\t$0,%r12\n\txorq\t%r13,%r13\n\n\n\tmulxq\t%r15,%rcx,%rbp\n\tadcxq\t%rcx,%r11\n\tadoxq\t%rbp,%r12\n\n\tmulxq\t%r8,%rcx,%rbp\n\tmovq\t%r15,%rdx\n\tadcxq\t%rcx,%r12\n\tadoxq\t%rbp,%r13\n\tadcq\t$0,%r13\n\n\n\tmulxq\t%r8,%rcx,%r14\n\tmovq\t0+128(%rsi),%rdx\n\txorq\t%r15,%r15\n\tadcxq\t%r9,%r9\n\tadoxq\t%rcx,%r13\n\tadcxq\t%r10,%r10\n\tadoxq\t%r15,%r14\n\n\tmulxq\t%rdx,%r8,%rbp\n\tmovq\t8+128(%rsi),%rdx\n\tadcxq\t%r11,%r11\n\tadoxq\t%rbp,%r9\n\tadcxq\t%r12,%r12\n\tmulxq\t%rdx,%rcx,%rax\n\tmovq\t16+128(%rsi),%rdx\n\tadcxq\t%r13,%r13\n\tadoxq\t%rcx,%r10\n\tadcxq\t%r14,%r14\n.byte\t0x67\n\tmulxq\t%rdx,%rcx,%rbp\n\tmovq\t24+128(%rsi),%rdx\n\tadoxq\t%rax,%r11\n\tadcxq\t%r15,%r15\n\tadoxq\t%rcx,%r12\n\tmovq\t$32,%rsi\n\tadoxq\t%rbp,%r13\n.byte\t0x67,0x67\n\tmulxq\t%rdx,%rcx,%rax\n\tmovq\tL$poly+24(%rip),%rdx\n\tadoxq\t%rcx,%r14\n\tshlxq\t%rsi,%r8,%rcx\n\tadoxq\t%rax,%r15\n\tshrxq\t%rsi,%r8,%rax\n\tmovq\t%rdx,%rbp\n\n\n\taddq\t%rcx,%r9\n\tadcq\t%rax,%r10\n\n\tmulxq\t%r8,%rcx,%r8\n\tadcq\t%rcx,%r11\n\tshlxq\t%rsi,%r9,%rcx\n\tadcq\t$0,%r8\n\tshrxq\t%rsi,%r9,%rax\n\n\n\taddq\t%rcx,%r10\n\tadcq\t%rax,%r11\n\n\tmulxq\t%r9,%rcx,%r9\n\tadcq\t%rcx,%r8\n\tshlxq\t%rsi,%r10,%rcx\n\tadcq\t$0,%r9\n\tshrxq\t%rsi,%r10,%rax\n\n\n\taddq\t%rcx,%r11\n\tadcq\t%rax,%r8\n\n\tmulxq\t%r10,%rcx,%r10\n\tadcq\t%rcx,%r9\n\tshlxq\t%rsi,%r11,%rcx\n\tadcq\t$0,%r10\n\tshrxq\t%rsi,%r11,%rax\n\n\n\taddq\t%rcx,%r8\n\tadcq\t%rax,%r9\n\n\tmulxq\t%r11,%rcx,%r11\n\tadcq\t%rcx,%r10\n\tadcq\t$0,%r11\n\n\txorq\t%rdx,%rdx\n\taddq\t%r8,%r12\n\tmovq\tL$poly+8(%rip),%rsi\n\tadcq\t%r9,%r13\n\tmovq\t%r12,%r8\n\tadcq\t%r10,%r14\n\tadcq\t%r11,%r15\n\tmovq\t%r13,%r9\n\tadcq\t$0,%rdx\n\n\tsubq\t$-1,%r12\n\tmovq\t%r14,%r10\n\tsbbq\t%rsi,%r13\n\tsbbq\t$0,%r14\n\tmovq\t%r15,%r11\n\tsbbq\t%rbp,%r15\n\tsbbq\t$0,%rdx\n\n\tcmovcq\t%r8,%r12\n\tcmovcq\t%r9,%r13\n\tmovq\t%r12,0(%rdi)\n\tcmovcq\t%r10,%r14\n\tmovq\t%r13,8(%rdi)\n\tcmovcq\t%r11,%r15\n\tmovq\t%r14,16(%rdi)\n\tmovq\t%r15,24(%rdi)\n\n\tret\n\n\n\n\n.globl\t_ecp_nistz256_select_w5_nohw\n.private_extern _ecp_nistz256_select_w5_nohw\n\n.p2align\t5\n_ecp_nistz256_select_w5_nohw:\n\n_CET_ENDBR\n\tmovdqa\tL$One(%rip),%xmm0\n\tmovd\t%edx,%xmm1\n\n\tpxor\t%xmm2,%xmm2\n\tpxor\t%xmm3,%xmm3\n\tpxor\t%xmm4,%xmm4\n\tpxor\t%xmm5,%xmm5\n\tpxor\t%xmm6,%xmm6\n\tpxor\t%xmm7,%xmm7\n\n\tmovdqa\t%xmm0,%xmm8\n\tpshufd\t$0,%xmm1,%xmm1\n\n\tmovq\t$16,%rax\nL$select_loop_sse_w5:\n\n\tmovdqa\t%xmm8,%xmm15\n\tpaddd\t%xmm0,%xmm8\n\tpcmpeqd\t%xmm1,%xmm15\n\n\tmovdqa\t0(%rsi),%xmm9\n\tmovdqa\t16(%rsi),%xmm10\n\tmovdqa\t32(%rsi),%xmm11\n\tmovdqa\t48(%rsi),%xmm12\n\tmovdqa\t64(%rsi),%xmm13\n\tmovdqa\t80(%rsi),%xmm14\n\tleaq\t96(%rsi),%rsi\n\n\tpand\t%xmm15,%xmm9\n\tpand\t%xmm15,%xmm10\n\tpor\t%xmm9,%xmm2\n\tpand\t%xmm15,%xmm11\n\tpor\t%xmm10,%xmm3\n\tpand\t%xmm15,%xmm12\n\tpor\t%xmm11,%xmm4\n\tpand\t%xmm15,%xmm13\n\tpor\t%xmm12,%xmm5\n\tpand\t%xmm15,%xmm14\n\tpor\t%xmm13,%xmm6\n\tpor\t%xmm14,%xmm7\n\n\tdecq\t%rax\n\tjnz\tL$select_loop_sse_w5\n\n\tmovdqu\t%xmm2,0(%rdi)\n\tmovdqu\t%xmm3,16(%rdi)\n\tmovdqu\t%xmm4,32(%rdi)\n\tmovdqu\t%xmm5,48(%rdi)\n\tmovdqu\t%xmm6,64(%rdi)\n\tmovdqu\t%xmm7,80(%rdi)\n\tret\n\nL$SEH_end_ecp_nistz256_select_w5_nohw:\n\n\n\n\n.globl\t_ecp_nistz256_select_w7_nohw\n.private_extern _ecp_nistz256_select_w7_nohw\n\n.p2align\t5\n_ecp_nistz256_select_w7_nohw:\n\n_CET_ENDBR\n\tmovdqa\tL$One(%rip),%xmm8\n\tmovd\t%edx,%xmm1\n\n\tpxor\t%xmm2,%xmm2\n\tpxor\t%xmm3,%xmm3\n\tpxor\t%xmm4,%xmm4\n\tpxor\t%xmm5,%xmm5\n\n\tmovdqa\t%xmm8,%xmm0\n\tpshufd\t$0,%xmm1,%xmm1\n\tmovq\t$64,%rax\n\nL$select_loop_sse_w7:\n\tmovdqa\t%xmm8,%xmm15\n\tpaddd\t%xmm0,%xmm8\n\tmovdqa\t0(%rsi),%xmm9\n\tmovdqa\t16(%rsi),%xmm10\n\tpcmpeqd\t%xmm1,%xmm15\n\tmovdqa\t32(%rsi),%xmm11\n\tmovdqa\t48(%rsi),%xmm12\n\tleaq\t64(%rsi),%rsi\n\n\tpand\t%xmm15,%xmm9\n\tpand\t%xmm15,%xmm10\n\tpor\t%xmm9,%xmm2\n\tpand\t%xmm15,%xmm11\n\tpor\t%xmm10,%xmm3\n\tpand\t%xmm15,%xmm12\n\tpor\t%xmm11,%xmm4\n\tprefetcht0\t255(%rsi)\n\tpor\t%xmm12,%xmm5\n\n\tdecq\t%rax\n\tjnz\tL$select_loop_sse_w7\n\n\tmovdqu\t%xmm2,0(%rdi)\n\tmovdqu\t%xmm3,16(%rdi)\n\tmovdqu\t%xmm4,32(%rdi)\n\tmovdqu\t%xmm5,48(%rdi)\n\tret\n\nL$SEH_end_ecp_nistz256_select_w7_nohw:\n\n\n\n.globl\t_ecp_nistz256_select_w5_avx2\n.private_extern _ecp_nistz256_select_w5_avx2\n\n.p2align\t5\n_ecp_nistz256_select_w5_avx2:\n\n_CET_ENDBR\n\tvzeroupper\n\tvmovdqa\tL$Two(%rip),%ymm0\n\n\tvpxor\t%ymm2,%ymm2,%ymm2\n\tvpxor\t%ymm3,%ymm3,%ymm3\n\tvpxor\t%ymm4,%ymm4,%ymm4\n\n\tvmovdqa\tL$One(%rip),%ymm5\n\tvmovdqa\tL$Two(%rip),%ymm10\n\n\tvmovd\t%edx,%xmm1\n\tvpermd\t%ymm1,%ymm2,%ymm1\n\n\tmovq\t$8,%rax\nL$select_loop_avx2_w5:\n\n\tvmovdqa\t0(%rsi),%ymm6\n\tvmovdqa\t32(%rsi),%ymm7\n\tvmovdqa\t64(%rsi),%ymm8\n\n\tvmovdqa\t96(%rsi),%ymm11\n\tvmovdqa\t128(%rsi),%ymm12\n\tvmovdqa\t160(%rsi),%ymm13\n\n\tvpcmpeqd\t%ymm1,%ymm5,%ymm9\n\tvpcmpeqd\t%ymm1,%ymm10,%ymm14\n\n\tvpaddd\t%ymm0,%ymm5,%ymm5\n\tvpaddd\t%ymm0,%ymm10,%ymm10\n\tleaq\t192(%rsi),%rsi\n\n\tvpand\t%ymm9,%ymm6,%ymm6\n\tvpand\t%ymm9,%ymm7,%ymm7\n\tvpand\t%ymm9,%ymm8,%ymm8\n\tvpand\t%ymm14,%ymm11,%ymm11\n\tvpand\t%ymm14,%ymm12,%ymm12\n\tvpand\t%ymm14,%ymm13,%ymm13\n\n\tvpxor\t%ymm6,%ymm2,%ymm2\n\tvpxor\t%ymm7,%ymm3,%ymm3\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvpxor\t%ymm11,%ymm2,%ymm2\n\tvpxor\t%ymm12,%ymm3,%ymm3\n\tvpxor\t%ymm13,%ymm4,%ymm4\n\n\tdecq\t%rax\n\tjnz\tL$select_loop_avx2_w5\n\n\tvmovdqu\t%ymm2,0(%rdi)\n\tvmovdqu\t%ymm3,32(%rdi)\n\tvmovdqu\t%ymm4,64(%rdi)\n\tvzeroupper\n\tret\n\nL$SEH_end_ecp_nistz256_select_w5_avx2:\n\n\n\n\n.globl\t_ecp_nistz256_select_w7_avx2\n.private_extern _ecp_nistz256_select_w7_avx2\n\n.p2align\t5\n_ecp_nistz256_select_w7_avx2:\n\n_CET_ENDBR\n\tvzeroupper\n\tvmovdqa\tL$Three(%rip),%ymm0\n\n\tvpxor\t%ymm2,%ymm2,%ymm2\n\tvpxor\t%ymm3,%ymm3,%ymm3\n\n\tvmovdqa\tL$One(%rip),%ymm4\n\tvmovdqa\tL$Two(%rip),%ymm8\n\tvmovdqa\tL$Three(%rip),%ymm12\n\n\tvmovd\t%edx,%xmm1\n\tvpermd\t%ymm1,%ymm2,%ymm1\n\n\n\tmovq\t$21,%rax\nL$select_loop_avx2_w7:\n\n\tvmovdqa\t0(%rsi),%ymm5\n\tvmovdqa\t32(%rsi),%ymm6\n\n\tvmovdqa\t64(%rsi),%ymm9\n\tvmovdqa\t96(%rsi),%ymm10\n\n\tvmovdqa\t128(%rsi),%ymm13\n\tvmovdqa\t160(%rsi),%ymm14\n\n\tvpcmpeqd\t%ymm1,%ymm4,%ymm7\n\tvpcmpeqd\t%ymm1,%ymm8,%ymm11\n\tvpcmpeqd\t%ymm1,%ymm12,%ymm15\n\n\tvpaddd\t%ymm0,%ymm4,%ymm4\n\tvpaddd\t%ymm0,%ymm8,%ymm8\n\tvpaddd\t%ymm0,%ymm12,%ymm12\n\tleaq\t192(%rsi),%rsi\n\n\tvpand\t%ymm7,%ymm5,%ymm5\n\tvpand\t%ymm7,%ymm6,%ymm6\n\tvpand\t%ymm11,%ymm9,%ymm9\n\tvpand\t%ymm11,%ymm10,%ymm10\n\tvpand\t%ymm15,%ymm13,%ymm13\n\tvpand\t%ymm15,%ymm14,%ymm14\n\n\tvpxor\t%ymm5,%ymm2,%ymm2\n\tvpxor\t%ymm6,%ymm3,%ymm3\n\tvpxor\t%ymm9,%ymm2,%ymm2\n\tvpxor\t%ymm10,%ymm3,%ymm3\n\tvpxor\t%ymm13,%ymm2,%ymm2\n\tvpxor\t%ymm14,%ymm3,%ymm3\n\n\tdecq\t%rax\n\tjnz\tL$select_loop_avx2_w7\n\n\n\tvmovdqa\t0(%rsi),%ymm5\n\tvmovdqa\t32(%rsi),%ymm6\n\n\tvpcmpeqd\t%ymm1,%ymm4,%ymm7\n\n\tvpand\t%ymm7,%ymm5,%ymm5\n\tvpand\t%ymm7,%ymm6,%ymm6\n\n\tvpxor\t%ymm5,%ymm2,%ymm2\n\tvpxor\t%ymm6,%ymm3,%ymm3\n\n\tvmovdqu\t%ymm2,0(%rdi)\n\tvmovdqu\t%ymm3,32(%rdi)\n\tvzeroupper\n\tret\n\nL$SEH_end_ecp_nistz256_select_w7_avx2:\n\n\n.p2align\t5\n__ecp_nistz256_add_toq:\n\n\txorq\t%r11,%r11\n\taddq\t0(%rbx),%r12\n\tadcq\t8(%rbx),%r13\n\tmovq\t%r12,%rax\n\tadcq\t16(%rbx),%r8\n\tadcq\t24(%rbx),%r9\n\tmovq\t%r13,%rbp\n\tadcq\t$0,%r11\n\n\tsubq\t$-1,%r12\n\tmovq\t%r8,%rcx\n\tsbbq\t%r14,%r13\n\tsbbq\t$0,%r8\n\tmovq\t%r9,%r10\n\tsbbq\t%r15,%r9\n\tsbbq\t$0,%r11\n\n\tcmovcq\t%rax,%r12\n\tcmovcq\t%rbp,%r13\n\tmovq\t%r12,0(%rdi)\n\tcmovcq\t%rcx,%r8\n\tmovq\t%r13,8(%rdi)\n\tcmovcq\t%r10,%r9\n\tmovq\t%r8,16(%rdi)\n\tmovq\t%r9,24(%rdi)\n\n\tret\n\n\n\n\n.p2align\t5\n__ecp_nistz256_sub_fromq:\n\n\tsubq\t0(%rbx),%r12\n\tsbbq\t8(%rbx),%r13\n\tmovq\t%r12,%rax\n\tsbbq\t16(%rbx),%r8\n\tsbbq\t24(%rbx),%r9\n\tmovq\t%r13,%rbp\n\tsbbq\t%r11,%r11\n\n\taddq\t$-1,%r12\n\tmovq\t%r8,%rcx\n\tadcq\t%r14,%r13\n\tadcq\t$0,%r8\n\tmovq\t%r9,%r10\n\tadcq\t%r15,%r9\n\ttestq\t%r11,%r11\n\n\tcmovzq\t%rax,%r12\n\tcmovzq\t%rbp,%r13\n\tmovq\t%r12,0(%rdi)\n\tcmovzq\t%rcx,%r8\n\tmovq\t%r13,8(%rdi)\n\tcmovzq\t%r10,%r9\n\tmovq\t%r8,16(%rdi)\n\tmovq\t%r9,24(%rdi)\n\n\tret\n\n\n\n\n.p2align\t5\n__ecp_nistz256_subq:\n\n\tsubq\t%r12,%rax\n\tsbbq\t%r13,%rbp\n\tmovq\t%rax,%r12\n\tsbbq\t%r8,%rcx\n\tsbbq\t%r9,%r10\n\tmovq\t%rbp,%r13\n\tsbbq\t%r11,%r11\n\n\taddq\t$-1,%rax\n\tmovq\t%rcx,%r8\n\tadcq\t%r14,%rbp\n\tadcq\t$0,%rcx\n\tmovq\t%r10,%r9\n\tadcq\t%r15,%r10\n\ttestq\t%r11,%r11\n\n\tcmovnzq\t%rax,%r12\n\tcmovnzq\t%rbp,%r13\n\tcmovnzq\t%rcx,%r8\n\tcmovnzq\t%r10,%r9\n\n\tret\n\n\n\n\n.p2align\t5\n__ecp_nistz256_mul_by_2q:\n\n\txorq\t%r11,%r11\n\taddq\t%r12,%r12\n\tadcq\t%r13,%r13\n\tmovq\t%r12,%rax\n\tadcq\t%r8,%r8\n\tadcq\t%r9,%r9\n\tmovq\t%r13,%rbp\n\tadcq\t$0,%r11\n\n\tsubq\t$-1,%r12\n\tmovq\t%r8,%rcx\n\tsbbq\t%r14,%r13\n\tsbbq\t$0,%r8\n\tmovq\t%r9,%r10\n\tsbbq\t%r15,%r9\n\tsbbq\t$0,%r11\n\n\tcmovcq\t%rax,%r12\n\tcmovcq\t%rbp,%r13\n\tmovq\t%r12,0(%rdi)\n\tcmovcq\t%rcx,%r8\n\tmovq\t%r13,8(%rdi)\n\tcmovcq\t%r10,%r9\n\tmovq\t%r8,16(%rdi)\n\tmovq\t%r9,24(%rdi)\n\n\tret\n\n\n.globl\t_ecp_nistz256_point_double_nohw\n.private_extern _ecp_nistz256_point_double_nohw\n\n.p2align\t5\n_ecp_nistz256_point_double_nohw:\n\n_CET_ENDBR\n\tpushq\t%rbp\n\n\tpushq\t%rbx\n\n\tpushq\t%r12\n\n\tpushq\t%r13\n\n\tpushq\t%r14\n\n\tpushq\t%r15\n\n\tsubq\t$160+8,%rsp\n\nL$point_doubleq_body:\n\nL$point_double_shortcutq:\n\tmovdqu\t0(%rsi),%xmm0\n\tmovq\t%rsi,%rbx\n\tmovdqu\t16(%rsi),%xmm1\n\tmovq\t32+0(%rsi),%r12\n\tmovq\t32+8(%rsi),%r13\n\tmovq\t32+16(%rsi),%r8\n\tmovq\t32+24(%rsi),%r9\n\tmovq\tL$poly+8(%rip),%r14\n\tmovq\tL$poly+24(%rip),%r15\n\tmovdqa\t%xmm0,96(%rsp)\n\tmovdqa\t%xmm1,96+16(%rsp)\n\tleaq\t32(%rdi),%r10\n\tleaq\t64(%rdi),%r11\n.byte\t102,72,15,110,199\n.byte\t102,73,15,110,202\n.byte\t102,73,15,110,211\n\n\tleaq\t0(%rsp),%rdi\n\tcall\t__ecp_nistz256_mul_by_2q\n\n\tmovq\t64+0(%rsi),%rax\n\tmovq\t64+8(%rsi),%r14\n\tmovq\t64+16(%rsi),%r15\n\tmovq\t64+24(%rsi),%r8\n\tleaq\t64-0(%rsi),%rsi\n\tleaq\t64(%rsp),%rdi\n\tcall\t__ecp_nistz256_sqr_montq\n\n\tmovq\t0+0(%rsp),%rax\n\tmovq\t8+0(%rsp),%r14\n\tleaq\t0+0(%rsp),%rsi\n\tmovq\t16+0(%rsp),%r15\n\tmovq\t24+0(%rsp),%r8\n\tleaq\t0(%rsp),%rdi\n\tcall\t__ecp_nistz256_sqr_montq\n\n\tmovq\t32(%rbx),%rax\n\tmovq\t64+0(%rbx),%r9\n\tmovq\t64+8(%rbx),%r10\n\tmovq\t64+16(%rbx),%r11\n\tmovq\t64+24(%rbx),%r12\n\tleaq\t64-0(%rbx),%rsi\n\tleaq\t32(%rbx),%rbx\n.byte\t102,72,15,126,215\n\tcall\t__ecp_nistz256_mul_montq\n\tcall\t__ecp_nistz256_mul_by_2q\n\n\tmovq\t96+0(%rsp),%r12\n\tmovq\t96+8(%rsp),%r13\n\tleaq\t64(%rsp),%rbx\n\tmovq\t96+16(%rsp),%r8\n\tmovq\t96+24(%rsp),%r9\n\tleaq\t32(%rsp),%rdi\n\tcall\t__ecp_nistz256_add_toq\n\n\tmovq\t96+0(%rsp),%r12\n\tmovq\t96+8(%rsp),%r13\n\tleaq\t64(%rsp),%rbx\n\tmovq\t96+16(%rsp),%r8\n\tmovq\t96+24(%rsp),%r9\n\tleaq\t64(%rsp),%rdi\n\tcall\t__ecp_nistz256_sub_fromq\n\n\tmovq\t0+0(%rsp),%rax\n\tmovq\t8+0(%rsp),%r14\n\tleaq\t0+0(%rsp),%rsi\n\tmovq\t16+0(%rsp),%r15\n\tmovq\t24+0(%rsp),%r8\n.byte\t102,72,15,126,207\n\tcall\t__ecp_nistz256_sqr_montq\n\txorq\t%r9,%r9\n\tmovq\t%r12,%rax\n\taddq\t$-1,%r12\n\tmovq\t%r13,%r10\n\tadcq\t%rsi,%r13\n\tmovq\t%r14,%rcx\n\tadcq\t$0,%r14\n\tmovq\t%r15,%r8\n\tadcq\t%rbp,%r15\n\tadcq\t$0,%r9\n\txorq\t%rsi,%rsi\n\ttestq\t$1,%rax\n\n\tcmovzq\t%rax,%r12\n\tcmovzq\t%r10,%r13\n\tcmovzq\t%rcx,%r14\n\tcmovzq\t%r8,%r15\n\tcmovzq\t%rsi,%r9\n\n\tmovq\t%r13,%rax\n\tshrq\t$1,%r12\n\tshlq\t$63,%rax\n\tmovq\t%r14,%r10\n\tshrq\t$1,%r13\n\torq\t%rax,%r12\n\tshlq\t$63,%r10\n\tmovq\t%r15,%rcx\n\tshrq\t$1,%r14\n\torq\t%r10,%r13\n\tshlq\t$63,%rcx\n\tmovq\t%r12,0(%rdi)\n\tshrq\t$1,%r15\n\tmovq\t%r13,8(%rdi)\n\tshlq\t$63,%r9\n\torq\t%rcx,%r14\n\torq\t%r9,%r15\n\tmovq\t%r14,16(%rdi)\n\tmovq\t%r15,24(%rdi)\n\tmovq\t64(%rsp),%rax\n\tleaq\t64(%rsp),%rbx\n\tmovq\t0+32(%rsp),%r9\n\tmovq\t8+32(%rsp),%r10\n\tleaq\t0+32(%rsp),%rsi\n\tmovq\t16+32(%rsp),%r11\n\tmovq\t24+32(%rsp),%r12\n\tleaq\t32(%rsp),%rdi\n\tcall\t__ecp_nistz256_mul_montq\n\n\tleaq\t128(%rsp),%rdi\n\tcall\t__ecp_nistz256_mul_by_2q\n\n\tleaq\t32(%rsp),%rbx\n\tleaq\t32(%rsp),%rdi\n\tcall\t__ecp_nistz256_add_toq\n\n\tmovq\t96(%rsp),%rax\n\tleaq\t96(%rsp),%rbx\n\tmovq\t0+0(%rsp),%r9\n\tmovq\t8+0(%rsp),%r10\n\tleaq\t0+0(%rsp),%rsi\n\tmovq\t16+0(%rsp),%r11\n\tmovq\t24+0(%rsp),%r12\n\tleaq\t0(%rsp),%rdi\n\tcall\t__ecp_nistz256_mul_montq\n\n\tleaq\t128(%rsp),%rdi\n\tcall\t__ecp_nistz256_mul_by_2q\n\n\tmovq\t0+32(%rsp),%rax\n\tmovq\t8+32(%rsp),%r14\n\tleaq\t0+32(%rsp),%rsi\n\tmovq\t16+32(%rsp),%r15\n\tmovq\t24+32(%rsp),%r8\n.byte\t102,72,15,126,199\n\tcall\t__ecp_nistz256_sqr_montq\n\n\tleaq\t128(%rsp),%rbx\n\tmovq\t%r14,%r8\n\tmovq\t%r15,%r9\n\tmovq\t%rsi,%r14\n\tmovq\t%rbp,%r15\n\tcall\t__ecp_nistz256_sub_fromq\n\n\tmovq\t0+0(%rsp),%rax\n\tmovq\t0+8(%rsp),%rbp\n\tmovq\t0+16(%rsp),%rcx\n\tmovq\t0+24(%rsp),%r10\n\tleaq\t0(%rsp),%rdi\n\tcall\t__ecp_nistz256_subq\n\n\tmovq\t32(%rsp),%rax\n\tleaq\t32(%rsp),%rbx\n\tmovq\t%r12,%r14\n\txorl\t%ecx,%ecx\n\tmovq\t%r12,0+0(%rsp)\n\tmovq\t%r13,%r10\n\tmovq\t%r13,0+8(%rsp)\n\tcmovzq\t%r8,%r11\n\tmovq\t%r8,0+16(%rsp)\n\tleaq\t0-0(%rsp),%rsi\n\tcmovzq\t%r9,%r12\n\tmovq\t%r9,0+24(%rsp)\n\tmovq\t%r14,%r9\n\tleaq\t0(%rsp),%rdi\n\tcall\t__ecp_nistz256_mul_montq\n\n.byte\t102,72,15,126,203\n.byte\t102,72,15,126,207\n\tcall\t__ecp_nistz256_sub_fromq\n\n\tleaq\t160+56(%rsp),%rsi\n\n\tmovq\t-48(%rsi),%r15\n\n\tmovq\t-40(%rsi),%r14\n\n\tmovq\t-32(%rsi),%r13\n\n\tmovq\t-24(%rsi),%r12\n\n\tmovq\t-16(%rsi),%rbx\n\n\tmovq\t-8(%rsi),%rbp\n\n\tleaq\t(%rsi),%rsp\n\nL$point_doubleq_epilogue:\n\tret\n\n\n.globl\t_ecp_nistz256_point_add_nohw\n.private_extern _ecp_nistz256_point_add_nohw\n\n.p2align\t5\n_ecp_nistz256_point_add_nohw:\n\n_CET_ENDBR\n\tpushq\t%rbp\n\n\tpushq\t%rbx\n\n\tpushq\t%r12\n\n\tpushq\t%r13\n\n\tpushq\t%r14\n\n\tpushq\t%r15\n\n\tsubq\t$576+8,%rsp\n\nL$point_addq_body:\n\n\tmovdqu\t0(%rsi),%xmm0\n\tmovdqu\t16(%rsi),%xmm1\n\tmovdqu\t32(%rsi),%xmm2\n\tmovdqu\t48(%rsi),%xmm3\n\tmovdqu\t64(%rsi),%xmm4\n\tmovdqu\t80(%rsi),%xmm5\n\tmovq\t%rsi,%rbx\n\tmovq\t%rdx,%rsi\n\tmovdqa\t%xmm0,384(%rsp)\n\tmovdqa\t%xmm1,384+16(%rsp)\n\tmovdqa\t%xmm2,416(%rsp)\n\tmovdqa\t%xmm3,416+16(%rsp)\n\tmovdqa\t%xmm4,448(%rsp)\n\tmovdqa\t%xmm5,448+16(%rsp)\n\tpor\t%xmm4,%xmm5\n\n\tmovdqu\t0(%rsi),%xmm0\n\tpshufd\t$0xb1,%xmm5,%xmm3\n\tmovdqu\t16(%rsi),%xmm1\n\tmovdqu\t32(%rsi),%xmm2\n\tpor\t%xmm3,%xmm5\n\tmovdqu\t48(%rsi),%xmm3\n\tmovq\t64+0(%rsi),%rax\n\tmovq\t64+8(%rsi),%r14\n\tmovq\t64+16(%rsi),%r15\n\tmovq\t64+24(%rsi),%r8\n\tmovdqa\t%xmm0,480(%rsp)\n\tpshufd\t$0x1e,%xmm5,%xmm4\n\tmovdqa\t%xmm1,480+16(%rsp)\n\tmovdqu\t64(%rsi),%xmm0\n\tmovdqu\t80(%rsi),%xmm1\n\tmovdqa\t%xmm2,512(%rsp)\n\tmovdqa\t%xmm3,512+16(%rsp)\n\tpor\t%xmm4,%xmm5\n\tpxor\t%xmm4,%xmm4\n\tpor\t%xmm0,%xmm1\n.byte\t102,72,15,110,199\n\n\tleaq\t64-0(%rsi),%rsi\n\tmovq\t%rax,544+0(%rsp)\n\tmovq\t%r14,544+8(%rsp)\n\tmovq\t%r15,544+16(%rsp)\n\tmovq\t%r8,544+24(%rsp)\n\tleaq\t96(%rsp),%rdi\n\tcall\t__ecp_nistz256_sqr_montq\n\n\tpcmpeqd\t%xmm4,%xmm5\n\tpshufd\t$0xb1,%xmm1,%xmm4\n\tpor\t%xmm1,%xmm4\n\tpshufd\t$0,%xmm5,%xmm5\n\tpshufd\t$0x1e,%xmm4,%xmm3\n\tpor\t%xmm3,%xmm4\n\tpxor\t%xmm3,%xmm3\n\tpcmpeqd\t%xmm3,%xmm4\n\tpshufd\t$0,%xmm4,%xmm4\n\tmovq\t64+0(%rbx),%rax\n\tmovq\t64+8(%rbx),%r14\n\tmovq\t64+16(%rbx),%r15\n\tmovq\t64+24(%rbx),%r8\n.byte\t102,72,15,110,203\n\n\tleaq\t64-0(%rbx),%rsi\n\tleaq\t32(%rsp),%rdi\n\tcall\t__ecp_nistz256_sqr_montq\n\n\tmovq\t544(%rsp),%rax\n\tleaq\t544(%rsp),%rbx\n\tmovq\t0+96(%rsp),%r9\n\tmovq\t8+96(%rsp),%r10\n\tleaq\t0+96(%rsp),%rsi\n\tmovq\t16+96(%rsp),%r11\n\tmovq\t24+96(%rsp),%r12\n\tleaq\t224(%rsp),%rdi\n\tcall\t__ecp_nistz256_mul_montq\n\n\tmovq\t448(%rsp),%rax\n\tleaq\t448(%rsp),%rbx\n\tmovq\t0+32(%rsp),%r9\n\tmovq\t8+32(%rsp),%r10\n\tleaq\t0+32(%rsp),%rsi\n\tmovq\t16+32(%rsp),%r11\n\tmovq\t24+32(%rsp),%r12\n\tleaq\t256(%rsp),%rdi\n\tcall\t__ecp_nistz256_mul_montq\n\n\tmovq\t416(%rsp),%rax\n\tleaq\t416(%rsp),%rbx\n\tmovq\t0+224(%rsp),%r9\n\tmovq\t8+224(%rsp),%r10\n\tleaq\t0+224(%rsp),%rsi\n\tmovq\t16+224(%rsp),%r11\n\tmovq\t24+224(%rsp),%r12\n\tleaq\t224(%rsp),%rdi\n\tcall\t__ecp_nistz256_mul_montq\n\n\tmovq\t512(%rsp),%rax\n\tleaq\t512(%rsp),%rbx\n\tmovq\t0+256(%rsp),%r9\n\tmovq\t8+256(%rsp),%r10\n\tleaq\t0+256(%rsp),%rsi\n\tmovq\t16+256(%rsp),%r11\n\tmovq\t24+256(%rsp),%r12\n\tleaq\t256(%rsp),%rdi\n\tcall\t__ecp_nistz256_mul_montq\n\n\tleaq\t224(%rsp),%rbx\n\tleaq\t64(%rsp),%rdi\n\tcall\t__ecp_nistz256_sub_fromq\n\n\torq\t%r13,%r12\n\tmovdqa\t%xmm4,%xmm2\n\torq\t%r8,%r12\n\torq\t%r9,%r12\n\tpor\t%xmm5,%xmm2\n.byte\t102,73,15,110,220\n\n\tmovq\t384(%rsp),%rax\n\tleaq\t384(%rsp),%rbx\n\tmovq\t0+96(%rsp),%r9\n\tmovq\t8+96(%rsp),%r10\n\tleaq\t0+96(%rsp),%rsi\n\tmovq\t16+96(%rsp),%r11\n\tmovq\t24+96(%rsp),%r12\n\tleaq\t160(%rsp),%rdi\n\tcall\t__ecp_nistz256_mul_montq\n\n\tmovq\t480(%rsp),%rax\n\tleaq\t480(%rsp),%rbx\n\tmovq\t0+32(%rsp),%r9\n\tmovq\t8+32(%rsp),%r10\n\tleaq\t0+32(%rsp),%rsi\n\tmovq\t16+32(%rsp),%r11\n\tmovq\t24+32(%rsp),%r12\n\tleaq\t192(%rsp),%rdi\n\tcall\t__ecp_nistz256_mul_montq\n\n\tleaq\t160(%rsp),%rbx\n\tleaq\t0(%rsp),%rdi\n\tcall\t__ecp_nistz256_sub_fromq\n\n\torq\t%r13,%r12\n\torq\t%r8,%r12\n\torq\t%r9,%r12\n\n.byte\t102,73,15,126,208\n.byte\t102,73,15,126,217\n\torq\t%r8,%r12\n.byte\t0x3e\n\tjnz\tL$add_proceedq\n\n\n\n\ttestq\t%r9,%r9\n\tjz\tL$add_doubleq\n\n\n\n\n\n\n.byte\t102,72,15,126,199\n\tpxor\t%xmm0,%xmm0\n\tmovdqu\t%xmm0,0(%rdi)\n\tmovdqu\t%xmm0,16(%rdi)\n\tmovdqu\t%xmm0,32(%rdi)\n\tmovdqu\t%xmm0,48(%rdi)\n\tmovdqu\t%xmm0,64(%rdi)\n\tmovdqu\t%xmm0,80(%rdi)\n\tjmp\tL$add_doneq\n\n.p2align\t5\nL$add_doubleq:\n.byte\t102,72,15,126,206\n.byte\t102,72,15,126,199\n\taddq\t$416,%rsp\n\n\tjmp\tL$point_double_shortcutq\n\n\n.p2align\t5\nL$add_proceedq:\n\tmovq\t0+64(%rsp),%rax\n\tmovq\t8+64(%rsp),%r14\n\tleaq\t0+64(%rsp),%rsi\n\tmovq\t16+64(%rsp),%r15\n\tmovq\t24+64(%rsp),%r8\n\tleaq\t96(%rsp),%rdi\n\tcall\t__ecp_nistz256_sqr_montq\n\n\tmovq\t448(%rsp),%rax\n\tleaq\t448(%rsp),%rbx\n\tmovq\t0+0(%rsp),%r9\n\tmovq\t8+0(%rsp),%r10\n\tleaq\t0+0(%rsp),%rsi\n\tmovq\t16+0(%rsp),%r11\n\tmovq\t24+0(%rsp),%r12\n\tleaq\t352(%rsp),%rdi\n\tcall\t__ecp_nistz256_mul_montq\n\n\tmovq\t0+0(%rsp),%rax\n\tmovq\t8+0(%rsp),%r14\n\tleaq\t0+0(%rsp),%rsi\n\tmovq\t16+0(%rsp),%r15\n\tmovq\t24+0(%rsp),%r8\n\tleaq\t32(%rsp),%rdi\n\tcall\t__ecp_nistz256_sqr_montq\n\n\tmovq\t544(%rsp),%rax\n\tleaq\t544(%rsp),%rbx\n\tmovq\t0+352(%rsp),%r9\n\tmovq\t8+352(%rsp),%r10\n\tleaq\t0+352(%rsp),%rsi\n\tmovq\t16+352(%rsp),%r11\n\tmovq\t24+352(%rsp),%r12\n\tleaq\t352(%rsp),%rdi\n\tcall\t__ecp_nistz256_mul_montq\n\n\tmovq\t0(%rsp),%rax\n\tleaq\t0(%rsp),%rbx\n\tmovq\t0+32(%rsp),%r9\n\tmovq\t8+32(%rsp),%r10\n\tleaq\t0+32(%rsp),%rsi\n\tmovq\t16+32(%rsp),%r11\n\tmovq\t24+32(%rsp),%r12\n\tleaq\t128(%rsp),%rdi\n\tcall\t__ecp_nistz256_mul_montq\n\n\tmovq\t160(%rsp),%rax\n\tleaq\t160(%rsp),%rbx\n\tmovq\t0+32(%rsp),%r9\n\tmovq\t8+32(%rsp),%r10\n\tleaq\t0+32(%rsp),%rsi\n\tmovq\t16+32(%rsp),%r11\n\tmovq\t24+32(%rsp),%r12\n\tleaq\t192(%rsp),%rdi\n\tcall\t__ecp_nistz256_mul_montq\n\n\n\n\n\txorq\t%r11,%r11\n\taddq\t%r12,%r12\n\tleaq\t96(%rsp),%rsi\n\tadcq\t%r13,%r13\n\tmovq\t%r12,%rax\n\tadcq\t%r8,%r8\n\tadcq\t%r9,%r9\n\tmovq\t%r13,%rbp\n\tadcq\t$0,%r11\n\n\tsubq\t$-1,%r12\n\tmovq\t%r8,%rcx\n\tsbbq\t%r14,%r13\n\tsbbq\t$0,%r8\n\tmovq\t%r9,%r10\n\tsbbq\t%r15,%r9\n\tsbbq\t$0,%r11\n\n\tcmovcq\t%rax,%r12\n\tmovq\t0(%rsi),%rax\n\tcmovcq\t%rbp,%r13\n\tmovq\t8(%rsi),%rbp\n\tcmovcq\t%rcx,%r8\n\tmovq\t16(%rsi),%rcx\n\tcmovcq\t%r10,%r9\n\tmovq\t24(%rsi),%r10\n\n\tcall\t__ecp_nistz256_subq\n\n\tleaq\t128(%rsp),%rbx\n\tleaq\t288(%rsp),%rdi\n\tcall\t__ecp_nistz256_sub_fromq\n\n\tmovq\t192+0(%rsp),%rax\n\tmovq\t192+8(%rsp),%rbp\n\tmovq\t192+16(%rsp),%rcx\n\tmovq\t192+24(%rsp),%r10\n\tleaq\t320(%rsp),%rdi\n\n\tcall\t__ecp_nistz256_subq\n\n\tmovq\t%r12,0(%rdi)\n\tmovq\t%r13,8(%rdi)\n\tmovq\t%r8,16(%rdi)\n\tmovq\t%r9,24(%rdi)\n\tmovq\t128(%rsp),%rax\n\tleaq\t128(%rsp),%rbx\n\tmovq\t0+224(%rsp),%r9\n\tmovq\t8+224(%rsp),%r10\n\tleaq\t0+224(%rsp),%rsi\n\tmovq\t16+224(%rsp),%r11\n\tmovq\t24+224(%rsp),%r12\n\tleaq\t256(%rsp),%rdi\n\tcall\t__ecp_nistz256_mul_montq\n\n\tmovq\t320(%rsp),%rax\n\tleaq\t320(%rsp),%rbx\n\tmovq\t0+64(%rsp),%r9\n\tmovq\t8+64(%rsp),%r10\n\tleaq\t0+64(%rsp),%rsi\n\tmovq\t16+64(%rsp),%r11\n\tmovq\t24+64(%rsp),%r12\n\tleaq\t320(%rsp),%rdi\n\tcall\t__ecp_nistz256_mul_montq\n\n\tleaq\t256(%rsp),%rbx\n\tleaq\t320(%rsp),%rdi\n\tcall\t__ecp_nistz256_sub_fromq\n\n.byte\t102,72,15,126,199\n\n\tmovdqa\t%xmm5,%xmm0\n\tmovdqa\t%xmm5,%xmm1\n\tpandn\t352(%rsp),%xmm0\n\tmovdqa\t%xmm5,%xmm2\n\tpandn\t352+16(%rsp),%xmm1\n\tmovdqa\t%xmm5,%xmm3\n\tpand\t544(%rsp),%xmm2\n\tpand\t544+16(%rsp),%xmm3\n\tpor\t%xmm0,%xmm2\n\tpor\t%xmm1,%xmm3\n\n\tmovdqa\t%xmm4,%xmm0\n\tmovdqa\t%xmm4,%xmm1\n\tpandn\t%xmm2,%xmm0\n\tmovdqa\t%xmm4,%xmm2\n\tpandn\t%xmm3,%xmm1\n\tmovdqa\t%xmm4,%xmm3\n\tpand\t448(%rsp),%xmm2\n\tpand\t448+16(%rsp),%xmm3\n\tpor\t%xmm0,%xmm2\n\tpor\t%xmm1,%xmm3\n\tmovdqu\t%xmm2,64(%rdi)\n\tmovdqu\t%xmm3,80(%rdi)\n\n\tmovdqa\t%xmm5,%xmm0\n\tmovdqa\t%xmm5,%xmm1\n\tpandn\t288(%rsp),%xmm0\n\tmovdqa\t%xmm5,%xmm2\n\tpandn\t288+16(%rsp),%xmm1\n\tmovdqa\t%xmm5,%xmm3\n\tpand\t480(%rsp),%xmm2\n\tpand\t480+16(%rsp),%xmm3\n\tpor\t%xmm0,%xmm2\n\tpor\t%xmm1,%xmm3\n\n\tmovdqa\t%xmm4,%xmm0\n\tmovdqa\t%xmm4,%xmm1\n\tpandn\t%xmm2,%xmm0\n\tmovdqa\t%xmm4,%xmm2\n\tpandn\t%xmm3,%xmm1\n\tmovdqa\t%xmm4,%xmm3\n\tpand\t384(%rsp),%xmm2\n\tpand\t384+16(%rsp),%xmm3\n\tpor\t%xmm0,%xmm2\n\tpor\t%xmm1,%xmm3\n\tmovdqu\t%xmm2,0(%rdi)\n\tmovdqu\t%xmm3,16(%rdi)\n\n\tmovdqa\t%xmm5,%xmm0\n\tmovdqa\t%xmm5,%xmm1\n\tpandn\t320(%rsp),%xmm0\n\tmovdqa\t%xmm5,%xmm2\n\tpandn\t320+16(%rsp),%xmm1\n\tmovdqa\t%xmm5,%xmm3\n\tpand\t512(%rsp),%xmm2\n\tpand\t512+16(%rsp),%xmm3\n\tpor\t%xmm0,%xmm2\n\tpor\t%xmm1,%xmm3\n\n\tmovdqa\t%xmm4,%xmm0\n\tmovdqa\t%xmm4,%xmm1\n\tpandn\t%xmm2,%xmm0\n\tmovdqa\t%xmm4,%xmm2\n\tpandn\t%xmm3,%xmm1\n\tmovdqa\t%xmm4,%xmm3\n\tpand\t416(%rsp),%xmm2\n\tpand\t416+16(%rsp),%xmm3\n\tpor\t%xmm0,%xmm2\n\tpor\t%xmm1,%xmm3\n\tmovdqu\t%xmm2,32(%rdi)\n\tmovdqu\t%xmm3,48(%rdi)\n\nL$add_doneq:\n\tleaq\t576+56(%rsp),%rsi\n\n\tmovq\t-48(%rsi),%r15\n\n\tmovq\t-40(%rsi),%r14\n\n\tmovq\t-32(%rsi),%r13\n\n\tmovq\t-24(%rsi),%r12\n\n\tmovq\t-16(%rsi),%rbx\n\n\tmovq\t-8(%rsi),%rbp\n\n\tleaq\t(%rsi),%rsp\n\nL$point_addq_epilogue:\n\tret\n\n\n.globl\t_ecp_nistz256_point_add_affine_nohw\n.private_extern _ecp_nistz256_point_add_affine_nohw\n\n.p2align\t5\n_ecp_nistz256_point_add_affine_nohw:\n\n_CET_ENDBR\n\tpushq\t%rbp\n\n\tpushq\t%rbx\n\n\tpushq\t%r12\n\n\tpushq\t%r13\n\n\tpushq\t%r14\n\n\tpushq\t%r15\n\n\tsubq\t$480+8,%rsp\n\nL$add_affineq_body:\n\n\tmovdqu\t0(%rsi),%xmm0\n\tmovq\t%rdx,%rbx\n\tmovdqu\t16(%rsi),%xmm1\n\tmovdqu\t32(%rsi),%xmm2\n\tmovdqu\t48(%rsi),%xmm3\n\tmovdqu\t64(%rsi),%xmm4\n\tmovdqu\t80(%rsi),%xmm5\n\tmovq\t64+0(%rsi),%rax\n\tmovq\t64+8(%rsi),%r14\n\tmovq\t64+16(%rsi),%r15\n\tmovq\t64+24(%rsi),%r8\n\tmovdqa\t%xmm0,320(%rsp)\n\tmovdqa\t%xmm1,320+16(%rsp)\n\tmovdqa\t%xmm2,352(%rsp)\n\tmovdqa\t%xmm3,352+16(%rsp)\n\tmovdqa\t%xmm4,384(%rsp)\n\tmovdqa\t%xmm5,384+16(%rsp)\n\tpor\t%xmm4,%xmm5\n\n\tmovdqu\t0(%rbx),%xmm0\n\tpshufd\t$0xb1,%xmm5,%xmm3\n\tmovdqu\t16(%rbx),%xmm1\n\tmovdqu\t32(%rbx),%xmm2\n\tpor\t%xmm3,%xmm5\n\tmovdqu\t48(%rbx),%xmm3\n\tmovdqa\t%xmm0,416(%rsp)\n\tpshufd\t$0x1e,%xmm5,%xmm4\n\tmovdqa\t%xmm1,416+16(%rsp)\n\tpor\t%xmm0,%xmm1\n.byte\t102,72,15,110,199\n\tmovdqa\t%xmm2,448(%rsp)\n\tmovdqa\t%xmm3,448+16(%rsp)\n\tpor\t%xmm2,%xmm3\n\tpor\t%xmm4,%xmm5\n\tpxor\t%xmm4,%xmm4\n\tpor\t%xmm1,%xmm3\n\n\tleaq\t64-0(%rsi),%rsi\n\tleaq\t32(%rsp),%rdi\n\tcall\t__ecp_nistz256_sqr_montq\n\n\tpcmpeqd\t%xmm4,%xmm5\n\tpshufd\t$0xb1,%xmm3,%xmm4\n\tmovq\t0(%rbx),%rax\n\n\tmovq\t%r12,%r9\n\tpor\t%xmm3,%xmm4\n\tpshufd\t$0,%xmm5,%xmm5\n\tpshufd\t$0x1e,%xmm4,%xmm3\n\tmovq\t%r13,%r10\n\tpor\t%xmm3,%xmm4\n\tpxor\t%xmm3,%xmm3\n\tmovq\t%r14,%r11\n\tpcmpeqd\t%xmm3,%xmm4\n\tpshufd\t$0,%xmm4,%xmm4\n\n\tleaq\t32-0(%rsp),%rsi\n\tmovq\t%r15,%r12\n\tleaq\t0(%rsp),%rdi\n\tcall\t__ecp_nistz256_mul_montq\n\n\tleaq\t320(%rsp),%rbx\n\tleaq\t64(%rsp),%rdi\n\tcall\t__ecp_nistz256_sub_fromq\n\n\tmovq\t384(%rsp),%rax\n\tleaq\t384(%rsp),%rbx\n\tmovq\t0+32(%rsp),%r9\n\tmovq\t8+32(%rsp),%r10\n\tleaq\t0+32(%rsp),%rsi\n\tmovq\t16+32(%rsp),%r11\n\tmovq\t24+32(%rsp),%r12\n\tleaq\t32(%rsp),%rdi\n\tcall\t__ecp_nistz256_mul_montq\n\n\tmovq\t384(%rsp),%rax\n\tleaq\t384(%rsp),%rbx\n\tmovq\t0+64(%rsp),%r9\n\tmovq\t8+64(%rsp),%r10\n\tleaq\t0+64(%rsp),%rsi\n\tmovq\t16+64(%rsp),%r11\n\tmovq\t24+64(%rsp),%r12\n\tleaq\t288(%rsp),%rdi\n\tcall\t__ecp_nistz256_mul_montq\n\n\tmovq\t448(%rsp),%rax\n\tleaq\t448(%rsp),%rbx\n\tmovq\t0+32(%rsp),%r9\n\tmovq\t8+32(%rsp),%r10\n\tleaq\t0+32(%rsp),%rsi\n\tmovq\t16+32(%rsp),%r11\n\tmovq\t24+32(%rsp),%r12\n\tleaq\t32(%rsp),%rdi\n\tcall\t__ecp_nistz256_mul_montq\n\n\tleaq\t352(%rsp),%rbx\n\tleaq\t96(%rsp),%rdi\n\tcall\t__ecp_nistz256_sub_fromq\n\n\tmovq\t0+64(%rsp),%rax\n\tmovq\t8+64(%rsp),%r14\n\tleaq\t0+64(%rsp),%rsi\n\tmovq\t16+64(%rsp),%r15\n\tmovq\t24+64(%rsp),%r8\n\tleaq\t128(%rsp),%rdi\n\tcall\t__ecp_nistz256_sqr_montq\n\n\tmovq\t0+96(%rsp),%rax\n\tmovq\t8+96(%rsp),%r14\n\tleaq\t0+96(%rsp),%rsi\n\tmovq\t16+96(%rsp),%r15\n\tmovq\t24+96(%rsp),%r8\n\tleaq\t192(%rsp),%rdi\n\tcall\t__ecp_nistz256_sqr_montq\n\n\tmovq\t128(%rsp),%rax\n\tleaq\t128(%rsp),%rbx\n\tmovq\t0+64(%rsp),%r9\n\tmovq\t8+64(%rsp),%r10\n\tleaq\t0+64(%rsp),%rsi\n\tmovq\t16+64(%rsp),%r11\n\tmovq\t24+64(%rsp),%r12\n\tleaq\t160(%rsp),%rdi\n\tcall\t__ecp_nistz256_mul_montq\n\n\tmovq\t320(%rsp),%rax\n\tleaq\t320(%rsp),%rbx\n\tmovq\t0+128(%rsp),%r9\n\tmovq\t8+128(%rsp),%r10\n\tleaq\t0+128(%rsp),%rsi\n\tmovq\t16+128(%rsp),%r11\n\tmovq\t24+128(%rsp),%r12\n\tleaq\t0(%rsp),%rdi\n\tcall\t__ecp_nistz256_mul_montq\n\n\n\n\n\txorq\t%r11,%r11\n\taddq\t%r12,%r12\n\tleaq\t192(%rsp),%rsi\n\tadcq\t%r13,%r13\n\tmovq\t%r12,%rax\n\tadcq\t%r8,%r8\n\tadcq\t%r9,%r9\n\tmovq\t%r13,%rbp\n\tadcq\t$0,%r11\n\n\tsubq\t$-1,%r12\n\tmovq\t%r8,%rcx\n\tsbbq\t%r14,%r13\n\tsbbq\t$0,%r8\n\tmovq\t%r9,%r10\n\tsbbq\t%r15,%r9\n\tsbbq\t$0,%r11\n\n\tcmovcq\t%rax,%r12\n\tmovq\t0(%rsi),%rax\n\tcmovcq\t%rbp,%r13\n\tmovq\t8(%rsi),%rbp\n\tcmovcq\t%rcx,%r8\n\tmovq\t16(%rsi),%rcx\n\tcmovcq\t%r10,%r9\n\tmovq\t24(%rsi),%r10\n\n\tcall\t__ecp_nistz256_subq\n\n\tleaq\t160(%rsp),%rbx\n\tleaq\t224(%rsp),%rdi\n\tcall\t__ecp_nistz256_sub_fromq\n\n\tmovq\t0+0(%rsp),%rax\n\tmovq\t0+8(%rsp),%rbp\n\tmovq\t0+16(%rsp),%rcx\n\tmovq\t0+24(%rsp),%r10\n\tleaq\t64(%rsp),%rdi\n\n\tcall\t__ecp_nistz256_subq\n\n\tmovq\t%r12,0(%rdi)\n\tmovq\t%r13,8(%rdi)\n\tmovq\t%r8,16(%rdi)\n\tmovq\t%r9,24(%rdi)\n\tmovq\t352(%rsp),%rax\n\tleaq\t352(%rsp),%rbx\n\tmovq\t0+160(%rsp),%r9\n\tmovq\t8+160(%rsp),%r10\n\tleaq\t0+160(%rsp),%rsi\n\tmovq\t16+160(%rsp),%r11\n\tmovq\t24+160(%rsp),%r12\n\tleaq\t32(%rsp),%rdi\n\tcall\t__ecp_nistz256_mul_montq\n\n\tmovq\t96(%rsp),%rax\n\tleaq\t96(%rsp),%rbx\n\tmovq\t0+64(%rsp),%r9\n\tmovq\t8+64(%rsp),%r10\n\tleaq\t0+64(%rsp),%rsi\n\tmovq\t16+64(%rsp),%r11\n\tmovq\t24+64(%rsp),%r12\n\tleaq\t64(%rsp),%rdi\n\tcall\t__ecp_nistz256_mul_montq\n\n\tleaq\t32(%rsp),%rbx\n\tleaq\t256(%rsp),%rdi\n\tcall\t__ecp_nistz256_sub_fromq\n\n.byte\t102,72,15,126,199\n\n\tmovdqa\t%xmm5,%xmm0\n\tmovdqa\t%xmm5,%xmm1\n\tpandn\t288(%rsp),%xmm0\n\tmovdqa\t%xmm5,%xmm2\n\tpandn\t288+16(%rsp),%xmm1\n\tmovdqa\t%xmm5,%xmm3\n\tpand\tL$ONE_mont(%rip),%xmm2\n\tpand\tL$ONE_mont+16(%rip),%xmm3\n\tpor\t%xmm0,%xmm2\n\tpor\t%xmm1,%xmm3\n\n\tmovdqa\t%xmm4,%xmm0\n\tmovdqa\t%xmm4,%xmm1\n\tpandn\t%xmm2,%xmm0\n\tmovdqa\t%xmm4,%xmm2\n\tpandn\t%xmm3,%xmm1\n\tmovdqa\t%xmm4,%xmm3\n\tpand\t384(%rsp),%xmm2\n\tpand\t384+16(%rsp),%xmm3\n\tpor\t%xmm0,%xmm2\n\tpor\t%xmm1,%xmm3\n\tmovdqu\t%xmm2,64(%rdi)\n\tmovdqu\t%xmm3,80(%rdi)\n\n\tmovdqa\t%xmm5,%xmm0\n\tmovdqa\t%xmm5,%xmm1\n\tpandn\t224(%rsp),%xmm0\n\tmovdqa\t%xmm5,%xmm2\n\tpandn\t224+16(%rsp),%xmm1\n\tmovdqa\t%xmm5,%xmm3\n\tpand\t416(%rsp),%xmm2\n\tpand\t416+16(%rsp),%xmm3\n\tpor\t%xmm0,%xmm2\n\tpor\t%xmm1,%xmm3\n\n\tmovdqa\t%xmm4,%xmm0\n\tmovdqa\t%xmm4,%xmm1\n\tpandn\t%xmm2,%xmm0\n\tmovdqa\t%xmm4,%xmm2\n\tpandn\t%xmm3,%xmm1\n\tmovdqa\t%xmm4,%xmm3\n\tpand\t320(%rsp),%xmm2\n\tpand\t320+16(%rsp),%xmm3\n\tpor\t%xmm0,%xmm2\n\tpor\t%xmm1,%xmm3\n\tmovdqu\t%xmm2,0(%rdi)\n\tmovdqu\t%xmm3,16(%rdi)\n\n\tmovdqa\t%xmm5,%xmm0\n\tmovdqa\t%xmm5,%xmm1\n\tpandn\t256(%rsp),%xmm0\n\tmovdqa\t%xmm5,%xmm2\n\tpandn\t256+16(%rsp),%xmm1\n\tmovdqa\t%xmm5,%xmm3\n\tpand\t448(%rsp),%xmm2\n\tpand\t448+16(%rsp),%xmm3\n\tpor\t%xmm0,%xmm2\n\tpor\t%xmm1,%xmm3\n\n\tmovdqa\t%xmm4,%xmm0\n\tmovdqa\t%xmm4,%xmm1\n\tpandn\t%xmm2,%xmm0\n\tmovdqa\t%xmm4,%xmm2\n\tpandn\t%xmm3,%xmm1\n\tmovdqa\t%xmm4,%xmm3\n\tpand\t352(%rsp),%xmm2\n\tpand\t352+16(%rsp),%xmm3\n\tpor\t%xmm0,%xmm2\n\tpor\t%xmm1,%xmm3\n\tmovdqu\t%xmm2,32(%rdi)\n\tmovdqu\t%xmm3,48(%rdi)\n\n\tleaq\t480+56(%rsp),%rsi\n\n\tmovq\t-48(%rsi),%r15\n\n\tmovq\t-40(%rsi),%r14\n\n\tmovq\t-32(%rsi),%r13\n\n\tmovq\t-24(%rsi),%r12\n\n\tmovq\t-16(%rsi),%rbx\n\n\tmovq\t-8(%rsi),%rbp\n\n\tleaq\t(%rsi),%rsp\n\nL$add_affineq_epilogue:\n\tret\n\n\n\n.p2align\t5\n__ecp_nistz256_add_tox:\n\n\txorq\t%r11,%r11\n\tadcq\t0(%rbx),%r12\n\tadcq\t8(%rbx),%r13\n\tmovq\t%r12,%rax\n\tadcq\t16(%rbx),%r8\n\tadcq\t24(%rbx),%r9\n\tmovq\t%r13,%rbp\n\tadcq\t$0,%r11\n\n\txorq\t%r10,%r10\n\tsbbq\t$-1,%r12\n\tmovq\t%r8,%rcx\n\tsbbq\t%r14,%r13\n\tsbbq\t$0,%r8\n\tmovq\t%r9,%r10\n\tsbbq\t%r15,%r9\n\tsbbq\t$0,%r11\n\n\tcmovcq\t%rax,%r12\n\tcmovcq\t%rbp,%r13\n\tmovq\t%r12,0(%rdi)\n\tcmovcq\t%rcx,%r8\n\tmovq\t%r13,8(%rdi)\n\tcmovcq\t%r10,%r9\n\tmovq\t%r8,16(%rdi)\n\tmovq\t%r9,24(%rdi)\n\n\tret\n\n\n\n\n.p2align\t5\n__ecp_nistz256_sub_fromx:\n\n\txorq\t%r11,%r11\n\tsbbq\t0(%rbx),%r12\n\tsbbq\t8(%rbx),%r13\n\tmovq\t%r12,%rax\n\tsbbq\t16(%rbx),%r8\n\tsbbq\t24(%rbx),%r9\n\tmovq\t%r13,%rbp\n\tsbbq\t$0,%r11\n\n\txorq\t%r10,%r10\n\tadcq\t$-1,%r12\n\tmovq\t%r8,%rcx\n\tadcq\t%r14,%r13\n\tadcq\t$0,%r8\n\tmovq\t%r9,%r10\n\tadcq\t%r15,%r9\n\n\tbtq\t$0,%r11\n\tcmovncq\t%rax,%r12\n\tcmovncq\t%rbp,%r13\n\tmovq\t%r12,0(%rdi)\n\tcmovncq\t%rcx,%r8\n\tmovq\t%r13,8(%rdi)\n\tcmovncq\t%r10,%r9\n\tmovq\t%r8,16(%rdi)\n\tmovq\t%r9,24(%rdi)\n\n\tret\n\n\n\n\n.p2align\t5\n__ecp_nistz256_subx:\n\n\txorq\t%r11,%r11\n\tsbbq\t%r12,%rax\n\tsbbq\t%r13,%rbp\n\tmovq\t%rax,%r12\n\tsbbq\t%r8,%rcx\n\tsbbq\t%r9,%r10\n\tmovq\t%rbp,%r13\n\tsbbq\t$0,%r11\n\n\txorq\t%r9,%r9\n\tadcq\t$-1,%rax\n\tmovq\t%rcx,%r8\n\tadcq\t%r14,%rbp\n\tadcq\t$0,%rcx\n\tmovq\t%r10,%r9\n\tadcq\t%r15,%r10\n\n\tbtq\t$0,%r11\n\tcmovcq\t%rax,%r12\n\tcmovcq\t%rbp,%r13\n\tcmovcq\t%rcx,%r8\n\tcmovcq\t%r10,%r9\n\n\tret\n\n\n\n\n.p2align\t5\n__ecp_nistz256_mul_by_2x:\n\n\txorq\t%r11,%r11\n\tadcq\t%r12,%r12\n\tadcq\t%r13,%r13\n\tmovq\t%r12,%rax\n\tadcq\t%r8,%r8\n\tadcq\t%r9,%r9\n\tmovq\t%r13,%rbp\n\tadcq\t$0,%r11\n\n\txorq\t%r10,%r10\n\tsbbq\t$-1,%r12\n\tmovq\t%r8,%rcx\n\tsbbq\t%r14,%r13\n\tsbbq\t$0,%r8\n\tmovq\t%r9,%r10\n\tsbbq\t%r15,%r9\n\tsbbq\t$0,%r11\n\n\tcmovcq\t%rax,%r12\n\tcmovcq\t%rbp,%r13\n\tmovq\t%r12,0(%rdi)\n\tcmovcq\t%rcx,%r8\n\tmovq\t%r13,8(%rdi)\n\tcmovcq\t%r10,%r9\n\tmovq\t%r8,16(%rdi)\n\tmovq\t%r9,24(%rdi)\n\n\tret\n\n\n.globl\t_ecp_nistz256_point_double_adx\n.private_extern _ecp_nistz256_point_double_adx\n\n.p2align\t5\n_ecp_nistz256_point_double_adx:\n\n_CET_ENDBR\n\tpushq\t%rbp\n\n\tpushq\t%rbx\n\n\tpushq\t%r12\n\n\tpushq\t%r13\n\n\tpushq\t%r14\n\n\tpushq\t%r15\n\n\tsubq\t$160+8,%rsp\n\nL$point_doublex_body:\n\nL$point_double_shortcutx:\n\tmovdqu\t0(%rsi),%xmm0\n\tmovq\t%rsi,%rbx\n\tmovdqu\t16(%rsi),%xmm1\n\tmovq\t32+0(%rsi),%r12\n\tmovq\t32+8(%rsi),%r13\n\tmovq\t32+16(%rsi),%r8\n\tmovq\t32+24(%rsi),%r9\n\tmovq\tL$poly+8(%rip),%r14\n\tmovq\tL$poly+24(%rip),%r15\n\tmovdqa\t%xmm0,96(%rsp)\n\tmovdqa\t%xmm1,96+16(%rsp)\n\tleaq\t32(%rdi),%r10\n\tleaq\t64(%rdi),%r11\n.byte\t102,72,15,110,199\n.byte\t102,73,15,110,202\n.byte\t102,73,15,110,211\n\n\tleaq\t0(%rsp),%rdi\n\tcall\t__ecp_nistz256_mul_by_2x\n\n\tmovq\t64+0(%rsi),%rdx\n\tmovq\t64+8(%rsi),%r14\n\tmovq\t64+16(%rsi),%r15\n\tmovq\t64+24(%rsi),%r8\n\tleaq\t64-128(%rsi),%rsi\n\tleaq\t64(%rsp),%rdi\n\tcall\t__ecp_nistz256_sqr_montx\n\n\tmovq\t0+0(%rsp),%rdx\n\tmovq\t8+0(%rsp),%r14\n\tleaq\t-128+0(%rsp),%rsi\n\tmovq\t16+0(%rsp),%r15\n\tmovq\t24+0(%rsp),%r8\n\tleaq\t0(%rsp),%rdi\n\tcall\t__ecp_nistz256_sqr_montx\n\n\tmovq\t32(%rbx),%rdx\n\tmovq\t64+0(%rbx),%r9\n\tmovq\t64+8(%rbx),%r10\n\tmovq\t64+16(%rbx),%r11\n\tmovq\t64+24(%rbx),%r12\n\tleaq\t64-128(%rbx),%rsi\n\tleaq\t32(%rbx),%rbx\n.byte\t102,72,15,126,215\n\tcall\t__ecp_nistz256_mul_montx\n\tcall\t__ecp_nistz256_mul_by_2x\n\n\tmovq\t96+0(%rsp),%r12\n\tmovq\t96+8(%rsp),%r13\n\tleaq\t64(%rsp),%rbx\n\tmovq\t96+16(%rsp),%r8\n\tmovq\t96+24(%rsp),%r9\n\tleaq\t32(%rsp),%rdi\n\tcall\t__ecp_nistz256_add_tox\n\n\tmovq\t96+0(%rsp),%r12\n\tmovq\t96+8(%rsp),%r13\n\tleaq\t64(%rsp),%rbx\n\tmovq\t96+16(%rsp),%r8\n\tmovq\t96+24(%rsp),%r9\n\tleaq\t64(%rsp),%rdi\n\tcall\t__ecp_nistz256_sub_fromx\n\n\tmovq\t0+0(%rsp),%rdx\n\tmovq\t8+0(%rsp),%r14\n\tleaq\t-128+0(%rsp),%rsi\n\tmovq\t16+0(%rsp),%r15\n\tmovq\t24+0(%rsp),%r8\n.byte\t102,72,15,126,207\n\tcall\t__ecp_nistz256_sqr_montx\n\txorq\t%r9,%r9\n\tmovq\t%r12,%rax\n\taddq\t$-1,%r12\n\tmovq\t%r13,%r10\n\tadcq\t%rsi,%r13\n\tmovq\t%r14,%rcx\n\tadcq\t$0,%r14\n\tmovq\t%r15,%r8\n\tadcq\t%rbp,%r15\n\tadcq\t$0,%r9\n\txorq\t%rsi,%rsi\n\ttestq\t$1,%rax\n\n\tcmovzq\t%rax,%r12\n\tcmovzq\t%r10,%r13\n\tcmovzq\t%rcx,%r14\n\tcmovzq\t%r8,%r15\n\tcmovzq\t%rsi,%r9\n\n\tmovq\t%r13,%rax\n\tshrq\t$1,%r12\n\tshlq\t$63,%rax\n\tmovq\t%r14,%r10\n\tshrq\t$1,%r13\n\torq\t%rax,%r12\n\tshlq\t$63,%r10\n\tmovq\t%r15,%rcx\n\tshrq\t$1,%r14\n\torq\t%r10,%r13\n\tshlq\t$63,%rcx\n\tmovq\t%r12,0(%rdi)\n\tshrq\t$1,%r15\n\tmovq\t%r13,8(%rdi)\n\tshlq\t$63,%r9\n\torq\t%rcx,%r14\n\torq\t%r9,%r15\n\tmovq\t%r14,16(%rdi)\n\tmovq\t%r15,24(%rdi)\n\tmovq\t64(%rsp),%rdx\n\tleaq\t64(%rsp),%rbx\n\tmovq\t0+32(%rsp),%r9\n\tmovq\t8+32(%rsp),%r10\n\tleaq\t-128+32(%rsp),%rsi\n\tmovq\t16+32(%rsp),%r11\n\tmovq\t24+32(%rsp),%r12\n\tleaq\t32(%rsp),%rdi\n\tcall\t__ecp_nistz256_mul_montx\n\n\tleaq\t128(%rsp),%rdi\n\tcall\t__ecp_nistz256_mul_by_2x\n\n\tleaq\t32(%rsp),%rbx\n\tleaq\t32(%rsp),%rdi\n\tcall\t__ecp_nistz256_add_tox\n\n\tmovq\t96(%rsp),%rdx\n\tleaq\t96(%rsp),%rbx\n\tmovq\t0+0(%rsp),%r9\n\tmovq\t8+0(%rsp),%r10\n\tleaq\t-128+0(%rsp),%rsi\n\tmovq\t16+0(%rsp),%r11\n\tmovq\t24+0(%rsp),%r12\n\tleaq\t0(%rsp),%rdi\n\tcall\t__ecp_nistz256_mul_montx\n\n\tleaq\t128(%rsp),%rdi\n\tcall\t__ecp_nistz256_mul_by_2x\n\n\tmovq\t0+32(%rsp),%rdx\n\tmovq\t8+32(%rsp),%r14\n\tleaq\t-128+32(%rsp),%rsi\n\tmovq\t16+32(%rsp),%r15\n\tmovq\t24+32(%rsp),%r8\n.byte\t102,72,15,126,199\n\tcall\t__ecp_nistz256_sqr_montx\n\n\tleaq\t128(%rsp),%rbx\n\tmovq\t%r14,%r8\n\tmovq\t%r15,%r9\n\tmovq\t%rsi,%r14\n\tmovq\t%rbp,%r15\n\tcall\t__ecp_nistz256_sub_fromx\n\n\tmovq\t0+0(%rsp),%rax\n\tmovq\t0+8(%rsp),%rbp\n\tmovq\t0+16(%rsp),%rcx\n\tmovq\t0+24(%rsp),%r10\n\tleaq\t0(%rsp),%rdi\n\tcall\t__ecp_nistz256_subx\n\n\tmovq\t32(%rsp),%rdx\n\tleaq\t32(%rsp),%rbx\n\tmovq\t%r12,%r14\n\txorl\t%ecx,%ecx\n\tmovq\t%r12,0+0(%rsp)\n\tmovq\t%r13,%r10\n\tmovq\t%r13,0+8(%rsp)\n\tcmovzq\t%r8,%r11\n\tmovq\t%r8,0+16(%rsp)\n\tleaq\t0-128(%rsp),%rsi\n\tcmovzq\t%r9,%r12\n\tmovq\t%r9,0+24(%rsp)\n\tmovq\t%r14,%r9\n\tleaq\t0(%rsp),%rdi\n\tcall\t__ecp_nistz256_mul_montx\n\n.byte\t102,72,15,126,203\n.byte\t102,72,15,126,207\n\tcall\t__ecp_nistz256_sub_fromx\n\n\tleaq\t160+56(%rsp),%rsi\n\n\tmovq\t-48(%rsi),%r15\n\n\tmovq\t-40(%rsi),%r14\n\n\tmovq\t-32(%rsi),%r13\n\n\tmovq\t-24(%rsi),%r12\n\n\tmovq\t-16(%rsi),%rbx\n\n\tmovq\t-8(%rsi),%rbp\n\n\tleaq\t(%rsi),%rsp\n\nL$point_doublex_epilogue:\n\tret\n\n\n.globl\t_ecp_nistz256_point_add_adx\n.private_extern _ecp_nistz256_point_add_adx\n\n.p2align\t5\n_ecp_nistz256_point_add_adx:\n\n_CET_ENDBR\n\tpushq\t%rbp\n\n\tpushq\t%rbx\n\n\tpushq\t%r12\n\n\tpushq\t%r13\n\n\tpushq\t%r14\n\n\tpushq\t%r15\n\n\tsubq\t$576+8,%rsp\n\nL$point_addx_body:\n\n\tmovdqu\t0(%rsi),%xmm0\n\tmovdqu\t16(%rsi),%xmm1\n\tmovdqu\t32(%rsi),%xmm2\n\tmovdqu\t48(%rsi),%xmm3\n\tmovdqu\t64(%rsi),%xmm4\n\tmovdqu\t80(%rsi),%xmm5\n\tmovq\t%rsi,%rbx\n\tmovq\t%rdx,%rsi\n\tmovdqa\t%xmm0,384(%rsp)\n\tmovdqa\t%xmm1,384+16(%rsp)\n\tmovdqa\t%xmm2,416(%rsp)\n\tmovdqa\t%xmm3,416+16(%rsp)\n\tmovdqa\t%xmm4,448(%rsp)\n\tmovdqa\t%xmm5,448+16(%rsp)\n\tpor\t%xmm4,%xmm5\n\n\tmovdqu\t0(%rsi),%xmm0\n\tpshufd\t$0xb1,%xmm5,%xmm3\n\tmovdqu\t16(%rsi),%xmm1\n\tmovdqu\t32(%rsi),%xmm2\n\tpor\t%xmm3,%xmm5\n\tmovdqu\t48(%rsi),%xmm3\n\tmovq\t64+0(%rsi),%rdx\n\tmovq\t64+8(%rsi),%r14\n\tmovq\t64+16(%rsi),%r15\n\tmovq\t64+24(%rsi),%r8\n\tmovdqa\t%xmm0,480(%rsp)\n\tpshufd\t$0x1e,%xmm5,%xmm4\n\tmovdqa\t%xmm1,480+16(%rsp)\n\tmovdqu\t64(%rsi),%xmm0\n\tmovdqu\t80(%rsi),%xmm1\n\tmovdqa\t%xmm2,512(%rsp)\n\tmovdqa\t%xmm3,512+16(%rsp)\n\tpor\t%xmm4,%xmm5\n\tpxor\t%xmm4,%xmm4\n\tpor\t%xmm0,%xmm1\n.byte\t102,72,15,110,199\n\n\tleaq\t64-128(%rsi),%rsi\n\tmovq\t%rdx,544+0(%rsp)\n\tmovq\t%r14,544+8(%rsp)\n\tmovq\t%r15,544+16(%rsp)\n\tmovq\t%r8,544+24(%rsp)\n\tleaq\t96(%rsp),%rdi\n\tcall\t__ecp_nistz256_sqr_montx\n\n\tpcmpeqd\t%xmm4,%xmm5\n\tpshufd\t$0xb1,%xmm1,%xmm4\n\tpor\t%xmm1,%xmm4\n\tpshufd\t$0,%xmm5,%xmm5\n\tpshufd\t$0x1e,%xmm4,%xmm3\n\tpor\t%xmm3,%xmm4\n\tpxor\t%xmm3,%xmm3\n\tpcmpeqd\t%xmm3,%xmm4\n\tpshufd\t$0,%xmm4,%xmm4\n\tmovq\t64+0(%rbx),%rdx\n\tmovq\t64+8(%rbx),%r14\n\tmovq\t64+16(%rbx),%r15\n\tmovq\t64+24(%rbx),%r8\n.byte\t102,72,15,110,203\n\n\tleaq\t64-128(%rbx),%rsi\n\tleaq\t32(%rsp),%rdi\n\tcall\t__ecp_nistz256_sqr_montx\n\n\tmovq\t544(%rsp),%rdx\n\tleaq\t544(%rsp),%rbx\n\tmovq\t0+96(%rsp),%r9\n\tmovq\t8+96(%rsp),%r10\n\tleaq\t-128+96(%rsp),%rsi\n\tmovq\t16+96(%rsp),%r11\n\tmovq\t24+96(%rsp),%r12\n\tleaq\t224(%rsp),%rdi\n\tcall\t__ecp_nistz256_mul_montx\n\n\tmovq\t448(%rsp),%rdx\n\tleaq\t448(%rsp),%rbx\n\tmovq\t0+32(%rsp),%r9\n\tmovq\t8+32(%rsp),%r10\n\tleaq\t-128+32(%rsp),%rsi\n\tmovq\t16+32(%rsp),%r11\n\tmovq\t24+32(%rsp),%r12\n\tleaq\t256(%rsp),%rdi\n\tcall\t__ecp_nistz256_mul_montx\n\n\tmovq\t416(%rsp),%rdx\n\tleaq\t416(%rsp),%rbx\n\tmovq\t0+224(%rsp),%r9\n\tmovq\t8+224(%rsp),%r10\n\tleaq\t-128+224(%rsp),%rsi\n\tmovq\t16+224(%rsp),%r11\n\tmovq\t24+224(%rsp),%r12\n\tleaq\t224(%rsp),%rdi\n\tcall\t__ecp_nistz256_mul_montx\n\n\tmovq\t512(%rsp),%rdx\n\tleaq\t512(%rsp),%rbx\n\tmovq\t0+256(%rsp),%r9\n\tmovq\t8+256(%rsp),%r10\n\tleaq\t-128+256(%rsp),%rsi\n\tmovq\t16+256(%rsp),%r11\n\tmovq\t24+256(%rsp),%r12\n\tleaq\t256(%rsp),%rdi\n\tcall\t__ecp_nistz256_mul_montx\n\n\tleaq\t224(%rsp),%rbx\n\tleaq\t64(%rsp),%rdi\n\tcall\t__ecp_nistz256_sub_fromx\n\n\torq\t%r13,%r12\n\tmovdqa\t%xmm4,%xmm2\n\torq\t%r8,%r12\n\torq\t%r9,%r12\n\tpor\t%xmm5,%xmm2\n.byte\t102,73,15,110,220\n\n\tmovq\t384(%rsp),%rdx\n\tleaq\t384(%rsp),%rbx\n\tmovq\t0+96(%rsp),%r9\n\tmovq\t8+96(%rsp),%r10\n\tleaq\t-128+96(%rsp),%rsi\n\tmovq\t16+96(%rsp),%r11\n\tmovq\t24+96(%rsp),%r12\n\tleaq\t160(%rsp),%rdi\n\tcall\t__ecp_nistz256_mul_montx\n\n\tmovq\t480(%rsp),%rdx\n\tleaq\t480(%rsp),%rbx\n\tmovq\t0+32(%rsp),%r9\n\tmovq\t8+32(%rsp),%r10\n\tleaq\t-128+32(%rsp),%rsi\n\tmovq\t16+32(%rsp),%r11\n\tmovq\t24+32(%rsp),%r12\n\tleaq\t192(%rsp),%rdi\n\tcall\t__ecp_nistz256_mul_montx\n\n\tleaq\t160(%rsp),%rbx\n\tleaq\t0(%rsp),%rdi\n\tcall\t__ecp_nistz256_sub_fromx\n\n\torq\t%r13,%r12\n\torq\t%r8,%r12\n\torq\t%r9,%r12\n\n.byte\t102,73,15,126,208\n.byte\t102,73,15,126,217\n\torq\t%r8,%r12\n.byte\t0x3e\n\tjnz\tL$add_proceedx\n\n\n\n\ttestq\t%r9,%r9\n\tjz\tL$add_doublex\n\n\n\n\n\n\n.byte\t102,72,15,126,199\n\tpxor\t%xmm0,%xmm0\n\tmovdqu\t%xmm0,0(%rdi)\n\tmovdqu\t%xmm0,16(%rdi)\n\tmovdqu\t%xmm0,32(%rdi)\n\tmovdqu\t%xmm0,48(%rdi)\n\tmovdqu\t%xmm0,64(%rdi)\n\tmovdqu\t%xmm0,80(%rdi)\n\tjmp\tL$add_donex\n\n.p2align\t5\nL$add_doublex:\n.byte\t102,72,15,126,206\n.byte\t102,72,15,126,199\n\taddq\t$416,%rsp\n\n\tjmp\tL$point_double_shortcutx\n\n\n.p2align\t5\nL$add_proceedx:\n\tmovq\t0+64(%rsp),%rdx\n\tmovq\t8+64(%rsp),%r14\n\tleaq\t-128+64(%rsp),%rsi\n\tmovq\t16+64(%rsp),%r15\n\tmovq\t24+64(%rsp),%r8\n\tleaq\t96(%rsp),%rdi\n\tcall\t__ecp_nistz256_sqr_montx\n\n\tmovq\t448(%rsp),%rdx\n\tleaq\t448(%rsp),%rbx\n\tmovq\t0+0(%rsp),%r9\n\tmovq\t8+0(%rsp),%r10\n\tleaq\t-128+0(%rsp),%rsi\n\tmovq\t16+0(%rsp),%r11\n\tmovq\t24+0(%rsp),%r12\n\tleaq\t352(%rsp),%rdi\n\tcall\t__ecp_nistz256_mul_montx\n\n\tmovq\t0+0(%rsp),%rdx\n\tmovq\t8+0(%rsp),%r14\n\tleaq\t-128+0(%rsp),%rsi\n\tmovq\t16+0(%rsp),%r15\n\tmovq\t24+0(%rsp),%r8\n\tleaq\t32(%rsp),%rdi\n\tcall\t__ecp_nistz256_sqr_montx\n\n\tmovq\t544(%rsp),%rdx\n\tleaq\t544(%rsp),%rbx\n\tmovq\t0+352(%rsp),%r9\n\tmovq\t8+352(%rsp),%r10\n\tleaq\t-128+352(%rsp),%rsi\n\tmovq\t16+352(%rsp),%r11\n\tmovq\t24+352(%rsp),%r12\n\tleaq\t352(%rsp),%rdi\n\tcall\t__ecp_nistz256_mul_montx\n\n\tmovq\t0(%rsp),%rdx\n\tleaq\t0(%rsp),%rbx\n\tmovq\t0+32(%rsp),%r9\n\tmovq\t8+32(%rsp),%r10\n\tleaq\t-128+32(%rsp),%rsi\n\tmovq\t16+32(%rsp),%r11\n\tmovq\t24+32(%rsp),%r12\n\tleaq\t128(%rsp),%rdi\n\tcall\t__ecp_nistz256_mul_montx\n\n\tmovq\t160(%rsp),%rdx\n\tleaq\t160(%rsp),%rbx\n\tmovq\t0+32(%rsp),%r9\n\tmovq\t8+32(%rsp),%r10\n\tleaq\t-128+32(%rsp),%rsi\n\tmovq\t16+32(%rsp),%r11\n\tmovq\t24+32(%rsp),%r12\n\tleaq\t192(%rsp),%rdi\n\tcall\t__ecp_nistz256_mul_montx\n\n\n\n\n\txorq\t%r11,%r11\n\taddq\t%r12,%r12\n\tleaq\t96(%rsp),%rsi\n\tadcq\t%r13,%r13\n\tmovq\t%r12,%rax\n\tadcq\t%r8,%r8\n\tadcq\t%r9,%r9\n\tmovq\t%r13,%rbp\n\tadcq\t$0,%r11\n\n\tsubq\t$-1,%r12\n\tmovq\t%r8,%rcx\n\tsbbq\t%r14,%r13\n\tsbbq\t$0,%r8\n\tmovq\t%r9,%r10\n\tsbbq\t%r15,%r9\n\tsbbq\t$0,%r11\n\n\tcmovcq\t%rax,%r12\n\tmovq\t0(%rsi),%rax\n\tcmovcq\t%rbp,%r13\n\tmovq\t8(%rsi),%rbp\n\tcmovcq\t%rcx,%r8\n\tmovq\t16(%rsi),%rcx\n\tcmovcq\t%r10,%r9\n\tmovq\t24(%rsi),%r10\n\n\tcall\t__ecp_nistz256_subx\n\n\tleaq\t128(%rsp),%rbx\n\tleaq\t288(%rsp),%rdi\n\tcall\t__ecp_nistz256_sub_fromx\n\n\tmovq\t192+0(%rsp),%rax\n\tmovq\t192+8(%rsp),%rbp\n\tmovq\t192+16(%rsp),%rcx\n\tmovq\t192+24(%rsp),%r10\n\tleaq\t320(%rsp),%rdi\n\n\tcall\t__ecp_nistz256_subx\n\n\tmovq\t%r12,0(%rdi)\n\tmovq\t%r13,8(%rdi)\n\tmovq\t%r8,16(%rdi)\n\tmovq\t%r9,24(%rdi)\n\tmovq\t128(%rsp),%rdx\n\tleaq\t128(%rsp),%rbx\n\tmovq\t0+224(%rsp),%r9\n\tmovq\t8+224(%rsp),%r10\n\tleaq\t-128+224(%rsp),%rsi\n\tmovq\t16+224(%rsp),%r11\n\tmovq\t24+224(%rsp),%r12\n\tleaq\t256(%rsp),%rdi\n\tcall\t__ecp_nistz256_mul_montx\n\n\tmovq\t320(%rsp),%rdx\n\tleaq\t320(%rsp),%rbx\n\tmovq\t0+64(%rsp),%r9\n\tmovq\t8+64(%rsp),%r10\n\tleaq\t-128+64(%rsp),%rsi\n\tmovq\t16+64(%rsp),%r11\n\tmovq\t24+64(%rsp),%r12\n\tleaq\t320(%rsp),%rdi\n\tcall\t__ecp_nistz256_mul_montx\n\n\tleaq\t256(%rsp),%rbx\n\tleaq\t320(%rsp),%rdi\n\tcall\t__ecp_nistz256_sub_fromx\n\n.byte\t102,72,15,126,199\n\n\tmovdqa\t%xmm5,%xmm0\n\tmovdqa\t%xmm5,%xmm1\n\tpandn\t352(%rsp),%xmm0\n\tmovdqa\t%xmm5,%xmm2\n\tpandn\t352+16(%rsp),%xmm1\n\tmovdqa\t%xmm5,%xmm3\n\tpand\t544(%rsp),%xmm2\n\tpand\t544+16(%rsp),%xmm3\n\tpor\t%xmm0,%xmm2\n\tpor\t%xmm1,%xmm3\n\n\tmovdqa\t%xmm4,%xmm0\n\tmovdqa\t%xmm4,%xmm1\n\tpandn\t%xmm2,%xmm0\n\tmovdqa\t%xmm4,%xmm2\n\tpandn\t%xmm3,%xmm1\n\tmovdqa\t%xmm4,%xmm3\n\tpand\t448(%rsp),%xmm2\n\tpand\t448+16(%rsp),%xmm3\n\tpor\t%xmm0,%xmm2\n\tpor\t%xmm1,%xmm3\n\tmovdqu\t%xmm2,64(%rdi)\n\tmovdqu\t%xmm3,80(%rdi)\n\n\tmovdqa\t%xmm5,%xmm0\n\tmovdqa\t%xmm5,%xmm1\n\tpandn\t288(%rsp),%xmm0\n\tmovdqa\t%xmm5,%xmm2\n\tpandn\t288+16(%rsp),%xmm1\n\tmovdqa\t%xmm5,%xmm3\n\tpand\t480(%rsp),%xmm2\n\tpand\t480+16(%rsp),%xmm3\n\tpor\t%xmm0,%xmm2\n\tpor\t%xmm1,%xmm3\n\n\tmovdqa\t%xmm4,%xmm0\n\tmovdqa\t%xmm4,%xmm1\n\tpandn\t%xmm2,%xmm0\n\tmovdqa\t%xmm4,%xmm2\n\tpandn\t%xmm3,%xmm1\n\tmovdqa\t%xmm4,%xmm3\n\tpand\t384(%rsp),%xmm2\n\tpand\t384+16(%rsp),%xmm3\n\tpor\t%xmm0,%xmm2\n\tpor\t%xmm1,%xmm3\n\tmovdqu\t%xmm2,0(%rdi)\n\tmovdqu\t%xmm3,16(%rdi)\n\n\tmovdqa\t%xmm5,%xmm0\n\tmovdqa\t%xmm5,%xmm1\n\tpandn\t320(%rsp),%xmm0\n\tmovdqa\t%xmm5,%xmm2\n\tpandn\t320+16(%rsp),%xmm1\n\tmovdqa\t%xmm5,%xmm3\n\tpand\t512(%rsp),%xmm2\n\tpand\t512+16(%rsp),%xmm3\n\tpor\t%xmm0,%xmm2\n\tpor\t%xmm1,%xmm3\n\n\tmovdqa\t%xmm4,%xmm0\n\tmovdqa\t%xmm4,%xmm1\n\tpandn\t%xmm2,%xmm0\n\tmovdqa\t%xmm4,%xmm2\n\tpandn\t%xmm3,%xmm1\n\tmovdqa\t%xmm4,%xmm3\n\tpand\t416(%rsp),%xmm2\n\tpand\t416+16(%rsp),%xmm3\n\tpor\t%xmm0,%xmm2\n\tpor\t%xmm1,%xmm3\n\tmovdqu\t%xmm2,32(%rdi)\n\tmovdqu\t%xmm3,48(%rdi)\n\nL$add_donex:\n\tleaq\t576+56(%rsp),%rsi\n\n\tmovq\t-48(%rsi),%r15\n\n\tmovq\t-40(%rsi),%r14\n\n\tmovq\t-32(%rsi),%r13\n\n\tmovq\t-24(%rsi),%r12\n\n\tmovq\t-16(%rsi),%rbx\n\n\tmovq\t-8(%rsi),%rbp\n\n\tleaq\t(%rsi),%rsp\n\nL$point_addx_epilogue:\n\tret\n\n\n.globl\t_ecp_nistz256_point_add_affine_adx\n.private_extern _ecp_nistz256_point_add_affine_adx\n\n.p2align\t5\n_ecp_nistz256_point_add_affine_adx:\n\n_CET_ENDBR\n\tpushq\t%rbp\n\n\tpushq\t%rbx\n\n\tpushq\t%r12\n\n\tpushq\t%r13\n\n\tpushq\t%r14\n\n\tpushq\t%r15\n\n\tsubq\t$480+8,%rsp\n\nL$add_affinex_body:\n\n\tmovdqu\t0(%rsi),%xmm0\n\tmovq\t%rdx,%rbx\n\tmovdqu\t16(%rsi),%xmm1\n\tmovdqu\t32(%rsi),%xmm2\n\tmovdqu\t48(%rsi),%xmm3\n\tmovdqu\t64(%rsi),%xmm4\n\tmovdqu\t80(%rsi),%xmm5\n\tmovq\t64+0(%rsi),%rdx\n\tmovq\t64+8(%rsi),%r14\n\tmovq\t64+16(%rsi),%r15\n\tmovq\t64+24(%rsi),%r8\n\tmovdqa\t%xmm0,320(%rsp)\n\tmovdqa\t%xmm1,320+16(%rsp)\n\tmovdqa\t%xmm2,352(%rsp)\n\tmovdqa\t%xmm3,352+16(%rsp)\n\tmovdqa\t%xmm4,384(%rsp)\n\tmovdqa\t%xmm5,384+16(%rsp)\n\tpor\t%xmm4,%xmm5\n\n\tmovdqu\t0(%rbx),%xmm0\n\tpshufd\t$0xb1,%xmm5,%xmm3\n\tmovdqu\t16(%rbx),%xmm1\n\tmovdqu\t32(%rbx),%xmm2\n\tpor\t%xmm3,%xmm5\n\tmovdqu\t48(%rbx),%xmm3\n\tmovdqa\t%xmm0,416(%rsp)\n\tpshufd\t$0x1e,%xmm5,%xmm4\n\tmovdqa\t%xmm1,416+16(%rsp)\n\tpor\t%xmm0,%xmm1\n.byte\t102,72,15,110,199\n\tmovdqa\t%xmm2,448(%rsp)\n\tmovdqa\t%xmm3,448+16(%rsp)\n\tpor\t%xmm2,%xmm3\n\tpor\t%xmm4,%xmm5\n\tpxor\t%xmm4,%xmm4\n\tpor\t%xmm1,%xmm3\n\n\tleaq\t64-128(%rsi),%rsi\n\tleaq\t32(%rsp),%rdi\n\tcall\t__ecp_nistz256_sqr_montx\n\n\tpcmpeqd\t%xmm4,%xmm5\n\tpshufd\t$0xb1,%xmm3,%xmm4\n\tmovq\t0(%rbx),%rdx\n\n\tmovq\t%r12,%r9\n\tpor\t%xmm3,%xmm4\n\tpshufd\t$0,%xmm5,%xmm5\n\tpshufd\t$0x1e,%xmm4,%xmm3\n\tmovq\t%r13,%r10\n\tpor\t%xmm3,%xmm4\n\tpxor\t%xmm3,%xmm3\n\tmovq\t%r14,%r11\n\tpcmpeqd\t%xmm3,%xmm4\n\tpshufd\t$0,%xmm4,%xmm4\n\n\tleaq\t32-128(%rsp),%rsi\n\tmovq\t%r15,%r12\n\tleaq\t0(%rsp),%rdi\n\tcall\t__ecp_nistz256_mul_montx\n\n\tleaq\t320(%rsp),%rbx\n\tleaq\t64(%rsp),%rdi\n\tcall\t__ecp_nistz256_sub_fromx\n\n\tmovq\t384(%rsp),%rdx\n\tleaq\t384(%rsp),%rbx\n\tmovq\t0+32(%rsp),%r9\n\tmovq\t8+32(%rsp),%r10\n\tleaq\t-128+32(%rsp),%rsi\n\tmovq\t16+32(%rsp),%r11\n\tmovq\t24+32(%rsp),%r12\n\tleaq\t32(%rsp),%rdi\n\tcall\t__ecp_nistz256_mul_montx\n\n\tmovq\t384(%rsp),%rdx\n\tleaq\t384(%rsp),%rbx\n\tmovq\t0+64(%rsp),%r9\n\tmovq\t8+64(%rsp),%r10\n\tleaq\t-128+64(%rsp),%rsi\n\tmovq\t16+64(%rsp),%r11\n\tmovq\t24+64(%rsp),%r12\n\tleaq\t288(%rsp),%rdi\n\tcall\t__ecp_nistz256_mul_montx\n\n\tmovq\t448(%rsp),%rdx\n\tleaq\t448(%rsp),%rbx\n\tmovq\t0+32(%rsp),%r9\n\tmovq\t8+32(%rsp),%r10\n\tleaq\t-128+32(%rsp),%rsi\n\tmovq\t16+32(%rsp),%r11\n\tmovq\t24+32(%rsp),%r12\n\tleaq\t32(%rsp),%rdi\n\tcall\t__ecp_nistz256_mul_montx\n\n\tleaq\t352(%rsp),%rbx\n\tleaq\t96(%rsp),%rdi\n\tcall\t__ecp_nistz256_sub_fromx\n\n\tmovq\t0+64(%rsp),%rdx\n\tmovq\t8+64(%rsp),%r14\n\tleaq\t-128+64(%rsp),%rsi\n\tmovq\t16+64(%rsp),%r15\n\tmovq\t24+64(%rsp),%r8\n\tleaq\t128(%rsp),%rdi\n\tcall\t__ecp_nistz256_sqr_montx\n\n\tmovq\t0+96(%rsp),%rdx\n\tmovq\t8+96(%rsp),%r14\n\tleaq\t-128+96(%rsp),%rsi\n\tmovq\t16+96(%rsp),%r15\n\tmovq\t24+96(%rsp),%r8\n\tleaq\t192(%rsp),%rdi\n\tcall\t__ecp_nistz256_sqr_montx\n\n\tmovq\t128(%rsp),%rdx\n\tleaq\t128(%rsp),%rbx\n\tmovq\t0+64(%rsp),%r9\n\tmovq\t8+64(%rsp),%r10\n\tleaq\t-128+64(%rsp),%rsi\n\tmovq\t16+64(%rsp),%r11\n\tmovq\t24+64(%rsp),%r12\n\tleaq\t160(%rsp),%rdi\n\tcall\t__ecp_nistz256_mul_montx\n\n\tmovq\t320(%rsp),%rdx\n\tleaq\t320(%rsp),%rbx\n\tmovq\t0+128(%rsp),%r9\n\tmovq\t8+128(%rsp),%r10\n\tleaq\t-128+128(%rsp),%rsi\n\tmovq\t16+128(%rsp),%r11\n\tmovq\t24+128(%rsp),%r12\n\tleaq\t0(%rsp),%rdi\n\tcall\t__ecp_nistz256_mul_montx\n\n\n\n\n\txorq\t%r11,%r11\n\taddq\t%r12,%r12\n\tleaq\t192(%rsp),%rsi\n\tadcq\t%r13,%r13\n\tmovq\t%r12,%rax\n\tadcq\t%r8,%r8\n\tadcq\t%r9,%r9\n\tmovq\t%r13,%rbp\n\tadcq\t$0,%r11\n\n\tsubq\t$-1,%r12\n\tmovq\t%r8,%rcx\n\tsbbq\t%r14,%r13\n\tsbbq\t$0,%r8\n\tmovq\t%r9,%r10\n\tsbbq\t%r15,%r9\n\tsbbq\t$0,%r11\n\n\tcmovcq\t%rax,%r12\n\tmovq\t0(%rsi),%rax\n\tcmovcq\t%rbp,%r13\n\tmovq\t8(%rsi),%rbp\n\tcmovcq\t%rcx,%r8\n\tmovq\t16(%rsi),%rcx\n\tcmovcq\t%r10,%r9\n\tmovq\t24(%rsi),%r10\n\n\tcall\t__ecp_nistz256_subx\n\n\tleaq\t160(%rsp),%rbx\n\tleaq\t224(%rsp),%rdi\n\tcall\t__ecp_nistz256_sub_fromx\n\n\tmovq\t0+0(%rsp),%rax\n\tmovq\t0+8(%rsp),%rbp\n\tmovq\t0+16(%rsp),%rcx\n\tmovq\t0+24(%rsp),%r10\n\tleaq\t64(%rsp),%rdi\n\n\tcall\t__ecp_nistz256_subx\n\n\tmovq\t%r12,0(%rdi)\n\tmovq\t%r13,8(%rdi)\n\tmovq\t%r8,16(%rdi)\n\tmovq\t%r9,24(%rdi)\n\tmovq\t352(%rsp),%rdx\n\tleaq\t352(%rsp),%rbx\n\tmovq\t0+160(%rsp),%r9\n\tmovq\t8+160(%rsp),%r10\n\tleaq\t-128+160(%rsp),%rsi\n\tmovq\t16+160(%rsp),%r11\n\tmovq\t24+160(%rsp),%r12\n\tleaq\t32(%rsp),%rdi\n\tcall\t__ecp_nistz256_mul_montx\n\n\tmovq\t96(%rsp),%rdx\n\tleaq\t96(%rsp),%rbx\n\tmovq\t0+64(%rsp),%r9\n\tmovq\t8+64(%rsp),%r10\n\tleaq\t-128+64(%rsp),%rsi\n\tmovq\t16+64(%rsp),%r11\n\tmovq\t24+64(%rsp),%r12\n\tleaq\t64(%rsp),%rdi\n\tcall\t__ecp_nistz256_mul_montx\n\n\tleaq\t32(%rsp),%rbx\n\tleaq\t256(%rsp),%rdi\n\tcall\t__ecp_nistz256_sub_fromx\n\n.byte\t102,72,15,126,199\n\n\tmovdqa\t%xmm5,%xmm0\n\tmovdqa\t%xmm5,%xmm1\n\tpandn\t288(%rsp),%xmm0\n\tmovdqa\t%xmm5,%xmm2\n\tpandn\t288+16(%rsp),%xmm1\n\tmovdqa\t%xmm5,%xmm3\n\tpand\tL$ONE_mont(%rip),%xmm2\n\tpand\tL$ONE_mont+16(%rip),%xmm3\n\tpor\t%xmm0,%xmm2\n\tpor\t%xmm1,%xmm3\n\n\tmovdqa\t%xmm4,%xmm0\n\tmovdqa\t%xmm4,%xmm1\n\tpandn\t%xmm2,%xmm0\n\tmovdqa\t%xmm4,%xmm2\n\tpandn\t%xmm3,%xmm1\n\tmovdqa\t%xmm4,%xmm3\n\tpand\t384(%rsp),%xmm2\n\tpand\t384+16(%rsp),%xmm3\n\tpor\t%xmm0,%xmm2\n\tpor\t%xmm1,%xmm3\n\tmovdqu\t%xmm2,64(%rdi)\n\tmovdqu\t%xmm3,80(%rdi)\n\n\tmovdqa\t%xmm5,%xmm0\n\tmovdqa\t%xmm5,%xmm1\n\tpandn\t224(%rsp),%xmm0\n\tmovdqa\t%xmm5,%xmm2\n\tpandn\t224+16(%rsp),%xmm1\n\tmovdqa\t%xmm5,%xmm3\n\tpand\t416(%rsp),%xmm2\n\tpand\t416+16(%rsp),%xmm3\n\tpor\t%xmm0,%xmm2\n\tpor\t%xmm1,%xmm3\n\n\tmovdqa\t%xmm4,%xmm0\n\tmovdqa\t%xmm4,%xmm1\n\tpandn\t%xmm2,%xmm0\n\tmovdqa\t%xmm4,%xmm2\n\tpandn\t%xmm3,%xmm1\n\tmovdqa\t%xmm4,%xmm3\n\tpand\t320(%rsp),%xmm2\n\tpand\t320+16(%rsp),%xmm3\n\tpor\t%xmm0,%xmm2\n\tpor\t%xmm1,%xmm3\n\tmovdqu\t%xmm2,0(%rdi)\n\tmovdqu\t%xmm3,16(%rdi)\n\n\tmovdqa\t%xmm5,%xmm0\n\tmovdqa\t%xmm5,%xmm1\n\tpandn\t256(%rsp),%xmm0\n\tmovdqa\t%xmm5,%xmm2\n\tpandn\t256+16(%rsp),%xmm1\n\tmovdqa\t%xmm5,%xmm3\n\tpand\t448(%rsp),%xmm2\n\tpand\t448+16(%rsp),%xmm3\n\tpor\t%xmm0,%xmm2\n\tpor\t%xmm1,%xmm3\n\n\tmovdqa\t%xmm4,%xmm0\n\tmovdqa\t%xmm4,%xmm1\n\tpandn\t%xmm2,%xmm0\n\tmovdqa\t%xmm4,%xmm2\n\tpandn\t%xmm3,%xmm1\n\tmovdqa\t%xmm4,%xmm3\n\tpand\t352(%rsp),%xmm2\n\tpand\t352+16(%rsp),%xmm3\n\tpor\t%xmm0,%xmm2\n\tpor\t%xmm1,%xmm3\n\tmovdqu\t%xmm2,32(%rdi)\n\tmovdqu\t%xmm3,48(%rdi)\n\n\tleaq\t480+56(%rsp),%rsi\n\n\tmovq\t-48(%rsi),%r15\n\n\tmovq\t-40(%rsi),%r14\n\n\tmovq\t-32(%rsi),%r13\n\n\tmovq\t-24(%rsi),%r12\n\n\tmovq\t-16(%rsi),%rbx\n\n\tmovq\t-8(%rsi),%rbp\n\n\tleaq\t(%rsi),%rsp\n\nL$add_affinex_epilogue:\n\tret\n\n\n#endif\n#if defined(__linux__) && defined(__ELF__)\n.section .note.GNU-stack,\"\",%progbits\n#endif\n\n" }, { "path": "Sources/CNIOBoringSSL/gen/bcm/p256-x86_64-asm-linux.S", "content": "#define BORINGSSL_PREFIX CNIOBoringSSL\n// This file is generated from a similarly-named Perl script in the BoringSSL\n// source tree. Do not edit by hand.\n\n#include \n\n#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86_64) && defined(__ELF__)\n.text\t\n\n\n.section\t.rodata\n.align\t64\n.Lpoly:\n.quad\t0xffffffffffffffff, 0x00000000ffffffff, 0x0000000000000000, 0xffffffff00000001\n\n.LOne:\n.long\t1,1,1,1,1,1,1,1\n.LTwo:\n.long\t2,2,2,2,2,2,2,2\n.LThree:\n.long\t3,3,3,3,3,3,3,3\n.LONE_mont:\n.quad\t0x0000000000000001, 0xffffffff00000000, 0xffffffffffffffff, 0x00000000fffffffe\n\n\n.Lord:\n.quad\t0xf3b9cac2fc632551, 0xbce6faada7179e84, 0xffffffffffffffff, 0xffffffff00000000\n.LordK:\n.quad\t0xccd1c8aaee00bc4f\n.text\t\n\n\n\n.globl\tecp_nistz256_neg\n.hidden ecp_nistz256_neg\n.type\tecp_nistz256_neg,@function\n.align\t32\necp_nistz256_neg:\n.cfi_startproc\t\n_CET_ENDBR\n\tpushq\t%r12\n.cfi_adjust_cfa_offset\t8\n.cfi_offset\t%r12,-16\n\tpushq\t%r13\n.cfi_adjust_cfa_offset\t8\n.cfi_offset\t%r13,-24\n.Lneg_body:\n\n\txorq\t%r8,%r8\n\txorq\t%r9,%r9\n\txorq\t%r10,%r10\n\txorq\t%r11,%r11\n\txorq\t%r13,%r13\n\n\tsubq\t0(%rsi),%r8\n\tsbbq\t8(%rsi),%r9\n\tsbbq\t16(%rsi),%r10\n\tmovq\t%r8,%rax\n\tsbbq\t24(%rsi),%r11\n\tleaq\t.Lpoly(%rip),%rsi\n\tmovq\t%r9,%rdx\n\tsbbq\t$0,%r13\n\n\taddq\t0(%rsi),%r8\n\tmovq\t%r10,%rcx\n\tadcq\t8(%rsi),%r9\n\tadcq\t16(%rsi),%r10\n\tmovq\t%r11,%r12\n\tadcq\t24(%rsi),%r11\n\ttestq\t%r13,%r13\n\n\tcmovzq\t%rax,%r8\n\tcmovzq\t%rdx,%r9\n\tmovq\t%r8,0(%rdi)\n\tcmovzq\t%rcx,%r10\n\tmovq\t%r9,8(%rdi)\n\tcmovzq\t%r12,%r11\n\tmovq\t%r10,16(%rdi)\n\tmovq\t%r11,24(%rdi)\n\n\tmovq\t0(%rsp),%r13\n.cfi_restore\t%r13\n\tmovq\t8(%rsp),%r12\n.cfi_restore\t%r12\n\tleaq\t16(%rsp),%rsp\n.cfi_adjust_cfa_offset\t-16\n.Lneg_epilogue:\n\tret\n.cfi_endproc\t\n.size\tecp_nistz256_neg,.-ecp_nistz256_neg\n\n\n\n\n\n\n.globl\tecp_nistz256_ord_mul_mont_nohw\n.hidden ecp_nistz256_ord_mul_mont_nohw\n.type\tecp_nistz256_ord_mul_mont_nohw,@function\n.align\t32\necp_nistz256_ord_mul_mont_nohw:\n.cfi_startproc\t\n_CET_ENDBR\n\tpushq\t%rbp\n.cfi_adjust_cfa_offset\t8\n.cfi_offset\t%rbp,-16\n\tpushq\t%rbx\n.cfi_adjust_cfa_offset\t8\n.cfi_offset\t%rbx,-24\n\tpushq\t%r12\n.cfi_adjust_cfa_offset\t8\n.cfi_offset\t%r12,-32\n\tpushq\t%r13\n.cfi_adjust_cfa_offset\t8\n.cfi_offset\t%r13,-40\n\tpushq\t%r14\n.cfi_adjust_cfa_offset\t8\n.cfi_offset\t%r14,-48\n\tpushq\t%r15\n.cfi_adjust_cfa_offset\t8\n.cfi_offset\t%r15,-56\n.Lord_mul_body:\n\n\tmovq\t0(%rdx),%rax\n\tmovq\t%rdx,%rbx\n\tleaq\t.Lord(%rip),%r14\n\tmovq\t.LordK(%rip),%r15\n\n\n\tmovq\t%rax,%rcx\n\tmulq\t0(%rsi)\n\tmovq\t%rax,%r8\n\tmovq\t%rcx,%rax\n\tmovq\t%rdx,%r9\n\n\tmulq\t8(%rsi)\n\taddq\t%rax,%r9\n\tmovq\t%rcx,%rax\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r10\n\n\tmulq\t16(%rsi)\n\taddq\t%rax,%r10\n\tmovq\t%rcx,%rax\n\tadcq\t$0,%rdx\n\n\tmovq\t%r8,%r13\n\timulq\t%r15,%r8\n\n\tmovq\t%rdx,%r11\n\tmulq\t24(%rsi)\n\taddq\t%rax,%r11\n\tmovq\t%r8,%rax\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r12\n\n\n\tmulq\t0(%r14)\n\tmovq\t%r8,%rbp\n\taddq\t%rax,%r13\n\tmovq\t%r8,%rax\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%rcx\n\n\tsubq\t%r8,%r10\n\tsbbq\t$0,%r8\n\n\tmulq\t8(%r14)\n\taddq\t%rcx,%r9\n\tadcq\t$0,%rdx\n\taddq\t%rax,%r9\n\tmovq\t%rbp,%rax\n\tadcq\t%rdx,%r10\n\tmovq\t%rbp,%rdx\n\tadcq\t$0,%r8\n\n\tshlq\t$32,%rax\n\tshrq\t$32,%rdx\n\tsubq\t%rax,%r11\n\tmovq\t8(%rbx),%rax\n\tsbbq\t%rdx,%rbp\n\n\taddq\t%r8,%r11\n\tadcq\t%rbp,%r12\n\tadcq\t$0,%r13\n\n\n\tmovq\t%rax,%rcx\n\tmulq\t0(%rsi)\n\taddq\t%rax,%r9\n\tmovq\t%rcx,%rax\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%rbp\n\n\tmulq\t8(%rsi)\n\taddq\t%rbp,%r10\n\tadcq\t$0,%rdx\n\taddq\t%rax,%r10\n\tmovq\t%rcx,%rax\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%rbp\n\n\tmulq\t16(%rsi)\n\taddq\t%rbp,%r11\n\tadcq\t$0,%rdx\n\taddq\t%rax,%r11\n\tmovq\t%rcx,%rax\n\tadcq\t$0,%rdx\n\n\tmovq\t%r9,%rcx\n\timulq\t%r15,%r9\n\n\tmovq\t%rdx,%rbp\n\tmulq\t24(%rsi)\n\taddq\t%rbp,%r12\n\tadcq\t$0,%rdx\n\txorq\t%r8,%r8\n\taddq\t%rax,%r12\n\tmovq\t%r9,%rax\n\tadcq\t%rdx,%r13\n\tadcq\t$0,%r8\n\n\n\tmulq\t0(%r14)\n\tmovq\t%r9,%rbp\n\taddq\t%rax,%rcx\n\tmovq\t%r9,%rax\n\tadcq\t%rdx,%rcx\n\n\tsubq\t%r9,%r11\n\tsbbq\t$0,%r9\n\n\tmulq\t8(%r14)\n\taddq\t%rcx,%r10\n\tadcq\t$0,%rdx\n\taddq\t%rax,%r10\n\tmovq\t%rbp,%rax\n\tadcq\t%rdx,%r11\n\tmovq\t%rbp,%rdx\n\tadcq\t$0,%r9\n\n\tshlq\t$32,%rax\n\tshrq\t$32,%rdx\n\tsubq\t%rax,%r12\n\tmovq\t16(%rbx),%rax\n\tsbbq\t%rdx,%rbp\n\n\taddq\t%r9,%r12\n\tadcq\t%rbp,%r13\n\tadcq\t$0,%r8\n\n\n\tmovq\t%rax,%rcx\n\tmulq\t0(%rsi)\n\taddq\t%rax,%r10\n\tmovq\t%rcx,%rax\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%rbp\n\n\tmulq\t8(%rsi)\n\taddq\t%rbp,%r11\n\tadcq\t$0,%rdx\n\taddq\t%rax,%r11\n\tmovq\t%rcx,%rax\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%rbp\n\n\tmulq\t16(%rsi)\n\taddq\t%rbp,%r12\n\tadcq\t$0,%rdx\n\taddq\t%rax,%r12\n\tmovq\t%rcx,%rax\n\tadcq\t$0,%rdx\n\n\tmovq\t%r10,%rcx\n\timulq\t%r15,%r10\n\n\tmovq\t%rdx,%rbp\n\tmulq\t24(%rsi)\n\taddq\t%rbp,%r13\n\tadcq\t$0,%rdx\n\txorq\t%r9,%r9\n\taddq\t%rax,%r13\n\tmovq\t%r10,%rax\n\tadcq\t%rdx,%r8\n\tadcq\t$0,%r9\n\n\n\tmulq\t0(%r14)\n\tmovq\t%r10,%rbp\n\taddq\t%rax,%rcx\n\tmovq\t%r10,%rax\n\tadcq\t%rdx,%rcx\n\n\tsubq\t%r10,%r12\n\tsbbq\t$0,%r10\n\n\tmulq\t8(%r14)\n\taddq\t%rcx,%r11\n\tadcq\t$0,%rdx\n\taddq\t%rax,%r11\n\tmovq\t%rbp,%rax\n\tadcq\t%rdx,%r12\n\tmovq\t%rbp,%rdx\n\tadcq\t$0,%r10\n\n\tshlq\t$32,%rax\n\tshrq\t$32,%rdx\n\tsubq\t%rax,%r13\n\tmovq\t24(%rbx),%rax\n\tsbbq\t%rdx,%rbp\n\n\taddq\t%r10,%r13\n\tadcq\t%rbp,%r8\n\tadcq\t$0,%r9\n\n\n\tmovq\t%rax,%rcx\n\tmulq\t0(%rsi)\n\taddq\t%rax,%r11\n\tmovq\t%rcx,%rax\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%rbp\n\n\tmulq\t8(%rsi)\n\taddq\t%rbp,%r12\n\tadcq\t$0,%rdx\n\taddq\t%rax,%r12\n\tmovq\t%rcx,%rax\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%rbp\n\n\tmulq\t16(%rsi)\n\taddq\t%rbp,%r13\n\tadcq\t$0,%rdx\n\taddq\t%rax,%r13\n\tmovq\t%rcx,%rax\n\tadcq\t$0,%rdx\n\n\tmovq\t%r11,%rcx\n\timulq\t%r15,%r11\n\n\tmovq\t%rdx,%rbp\n\tmulq\t24(%rsi)\n\taddq\t%rbp,%r8\n\tadcq\t$0,%rdx\n\txorq\t%r10,%r10\n\taddq\t%rax,%r8\n\tmovq\t%r11,%rax\n\tadcq\t%rdx,%r9\n\tadcq\t$0,%r10\n\n\n\tmulq\t0(%r14)\n\tmovq\t%r11,%rbp\n\taddq\t%rax,%rcx\n\tmovq\t%r11,%rax\n\tadcq\t%rdx,%rcx\n\n\tsubq\t%r11,%r13\n\tsbbq\t$0,%r11\n\n\tmulq\t8(%r14)\n\taddq\t%rcx,%r12\n\tadcq\t$0,%rdx\n\taddq\t%rax,%r12\n\tmovq\t%rbp,%rax\n\tadcq\t%rdx,%r13\n\tmovq\t%rbp,%rdx\n\tadcq\t$0,%r11\n\n\tshlq\t$32,%rax\n\tshrq\t$32,%rdx\n\tsubq\t%rax,%r8\n\tsbbq\t%rdx,%rbp\n\n\taddq\t%r11,%r8\n\tadcq\t%rbp,%r9\n\tadcq\t$0,%r10\n\n\n\tmovq\t%r12,%rsi\n\tsubq\t0(%r14),%r12\n\tmovq\t%r13,%r11\n\tsbbq\t8(%r14),%r13\n\tmovq\t%r8,%rcx\n\tsbbq\t16(%r14),%r8\n\tmovq\t%r9,%rbp\n\tsbbq\t24(%r14),%r9\n\tsbbq\t$0,%r10\n\n\tcmovcq\t%rsi,%r12\n\tcmovcq\t%r11,%r13\n\tcmovcq\t%rcx,%r8\n\tcmovcq\t%rbp,%r9\n\n\tmovq\t%r12,0(%rdi)\n\tmovq\t%r13,8(%rdi)\n\tmovq\t%r8,16(%rdi)\n\tmovq\t%r9,24(%rdi)\n\n\tmovq\t0(%rsp),%r15\n.cfi_restore\t%r15\n\tmovq\t8(%rsp),%r14\n.cfi_restore\t%r14\n\tmovq\t16(%rsp),%r13\n.cfi_restore\t%r13\n\tmovq\t24(%rsp),%r12\n.cfi_restore\t%r12\n\tmovq\t32(%rsp),%rbx\n.cfi_restore\t%rbx\n\tmovq\t40(%rsp),%rbp\n.cfi_restore\t%rbp\n\tleaq\t48(%rsp),%rsp\n.cfi_adjust_cfa_offset\t-48\n.Lord_mul_epilogue:\n\tret\n.cfi_endproc\t\n.size\tecp_nistz256_ord_mul_mont_nohw,.-ecp_nistz256_ord_mul_mont_nohw\n\n\n\n\n\n\n\n.globl\tecp_nistz256_ord_sqr_mont_nohw\n.hidden ecp_nistz256_ord_sqr_mont_nohw\n.type\tecp_nistz256_ord_sqr_mont_nohw,@function\n.align\t32\necp_nistz256_ord_sqr_mont_nohw:\n.cfi_startproc\t\n_CET_ENDBR\n\tpushq\t%rbp\n.cfi_adjust_cfa_offset\t8\n.cfi_offset\t%rbp,-16\n\tpushq\t%rbx\n.cfi_adjust_cfa_offset\t8\n.cfi_offset\t%rbx,-24\n\tpushq\t%r12\n.cfi_adjust_cfa_offset\t8\n.cfi_offset\t%r12,-32\n\tpushq\t%r13\n.cfi_adjust_cfa_offset\t8\n.cfi_offset\t%r13,-40\n\tpushq\t%r14\n.cfi_adjust_cfa_offset\t8\n.cfi_offset\t%r14,-48\n\tpushq\t%r15\n.cfi_adjust_cfa_offset\t8\n.cfi_offset\t%r15,-56\n.Lord_sqr_body:\n\n\tmovq\t0(%rsi),%r8\n\tmovq\t8(%rsi),%rax\n\tmovq\t16(%rsi),%r14\n\tmovq\t24(%rsi),%r15\n\tleaq\t.Lord(%rip),%rsi\n\tmovq\t%rdx,%rbx\n\tjmp\t.Loop_ord_sqr\n\n.align\t32\n.Loop_ord_sqr:\n\n\tmovq\t%rax,%rbp\n\tmulq\t%r8\n\tmovq\t%rax,%r9\n.byte\t102,72,15,110,205\n\tmovq\t%r14,%rax\n\tmovq\t%rdx,%r10\n\n\tmulq\t%r8\n\taddq\t%rax,%r10\n\tmovq\t%r15,%rax\n.byte\t102,73,15,110,214\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r11\n\n\tmulq\t%r8\n\taddq\t%rax,%r11\n\tmovq\t%r15,%rax\n.byte\t102,73,15,110,223\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r12\n\n\n\tmulq\t%r14\n\tmovq\t%rax,%r13\n\tmovq\t%r14,%rax\n\tmovq\t%rdx,%r14\n\n\n\tmulq\t%rbp\n\taddq\t%rax,%r11\n\tmovq\t%r15,%rax\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r15\n\n\tmulq\t%rbp\n\taddq\t%rax,%r12\n\tadcq\t$0,%rdx\n\n\taddq\t%r15,%r12\n\tadcq\t%rdx,%r13\n\tadcq\t$0,%r14\n\n\n\txorq\t%r15,%r15\n\tmovq\t%r8,%rax\n\taddq\t%r9,%r9\n\tadcq\t%r10,%r10\n\tadcq\t%r11,%r11\n\tadcq\t%r12,%r12\n\tadcq\t%r13,%r13\n\tadcq\t%r14,%r14\n\tadcq\t$0,%r15\n\n\n\tmulq\t%rax\n\tmovq\t%rax,%r8\n.byte\t102,72,15,126,200\n\tmovq\t%rdx,%rbp\n\n\tmulq\t%rax\n\taddq\t%rbp,%r9\n\tadcq\t%rax,%r10\n.byte\t102,72,15,126,208\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%rbp\n\n\tmulq\t%rax\n\taddq\t%rbp,%r11\n\tadcq\t%rax,%r12\n.byte\t102,72,15,126,216\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%rbp\n\n\tmovq\t%r8,%rcx\n\timulq\t32(%rsi),%r8\n\n\tmulq\t%rax\n\taddq\t%rbp,%r13\n\tadcq\t%rax,%r14\n\tmovq\t0(%rsi),%rax\n\tadcq\t%rdx,%r15\n\n\n\tmulq\t%r8\n\tmovq\t%r8,%rbp\n\taddq\t%rax,%rcx\n\tmovq\t8(%rsi),%rax\n\tadcq\t%rdx,%rcx\n\n\tsubq\t%r8,%r10\n\tsbbq\t$0,%rbp\n\n\tmulq\t%r8\n\taddq\t%rcx,%r9\n\tadcq\t$0,%rdx\n\taddq\t%rax,%r9\n\tmovq\t%r8,%rax\n\tadcq\t%rdx,%r10\n\tmovq\t%r8,%rdx\n\tadcq\t$0,%rbp\n\n\tmovq\t%r9,%rcx\n\timulq\t32(%rsi),%r9\n\n\tshlq\t$32,%rax\n\tshrq\t$32,%rdx\n\tsubq\t%rax,%r11\n\tmovq\t0(%rsi),%rax\n\tsbbq\t%rdx,%r8\n\n\taddq\t%rbp,%r11\n\tadcq\t$0,%r8\n\n\n\tmulq\t%r9\n\tmovq\t%r9,%rbp\n\taddq\t%rax,%rcx\n\tmovq\t8(%rsi),%rax\n\tadcq\t%rdx,%rcx\n\n\tsubq\t%r9,%r11\n\tsbbq\t$0,%rbp\n\n\tmulq\t%r9\n\taddq\t%rcx,%r10\n\tadcq\t$0,%rdx\n\taddq\t%rax,%r10\n\tmovq\t%r9,%rax\n\tadcq\t%rdx,%r11\n\tmovq\t%r9,%rdx\n\tadcq\t$0,%rbp\n\n\tmovq\t%r10,%rcx\n\timulq\t32(%rsi),%r10\n\n\tshlq\t$32,%rax\n\tshrq\t$32,%rdx\n\tsubq\t%rax,%r8\n\tmovq\t0(%rsi),%rax\n\tsbbq\t%rdx,%r9\n\n\taddq\t%rbp,%r8\n\tadcq\t$0,%r9\n\n\n\tmulq\t%r10\n\tmovq\t%r10,%rbp\n\taddq\t%rax,%rcx\n\tmovq\t8(%rsi),%rax\n\tadcq\t%rdx,%rcx\n\n\tsubq\t%r10,%r8\n\tsbbq\t$0,%rbp\n\n\tmulq\t%r10\n\taddq\t%rcx,%r11\n\tadcq\t$0,%rdx\n\taddq\t%rax,%r11\n\tmovq\t%r10,%rax\n\tadcq\t%rdx,%r8\n\tmovq\t%r10,%rdx\n\tadcq\t$0,%rbp\n\n\tmovq\t%r11,%rcx\n\timulq\t32(%rsi),%r11\n\n\tshlq\t$32,%rax\n\tshrq\t$32,%rdx\n\tsubq\t%rax,%r9\n\tmovq\t0(%rsi),%rax\n\tsbbq\t%rdx,%r10\n\n\taddq\t%rbp,%r9\n\tadcq\t$0,%r10\n\n\n\tmulq\t%r11\n\tmovq\t%r11,%rbp\n\taddq\t%rax,%rcx\n\tmovq\t8(%rsi),%rax\n\tadcq\t%rdx,%rcx\n\n\tsubq\t%r11,%r9\n\tsbbq\t$0,%rbp\n\n\tmulq\t%r11\n\taddq\t%rcx,%r8\n\tadcq\t$0,%rdx\n\taddq\t%rax,%r8\n\tmovq\t%r11,%rax\n\tadcq\t%rdx,%r9\n\tmovq\t%r11,%rdx\n\tadcq\t$0,%rbp\n\n\tshlq\t$32,%rax\n\tshrq\t$32,%rdx\n\tsubq\t%rax,%r10\n\tsbbq\t%rdx,%r11\n\n\taddq\t%rbp,%r10\n\tadcq\t$0,%r11\n\n\n\txorq\t%rdx,%rdx\n\taddq\t%r12,%r8\n\tadcq\t%r13,%r9\n\tmovq\t%r8,%r12\n\tadcq\t%r14,%r10\n\tadcq\t%r15,%r11\n\tmovq\t%r9,%rax\n\tadcq\t$0,%rdx\n\n\n\tsubq\t0(%rsi),%r8\n\tmovq\t%r10,%r14\n\tsbbq\t8(%rsi),%r9\n\tsbbq\t16(%rsi),%r10\n\tmovq\t%r11,%r15\n\tsbbq\t24(%rsi),%r11\n\tsbbq\t$0,%rdx\n\n\tcmovcq\t%r12,%r8\n\tcmovncq\t%r9,%rax\n\tcmovncq\t%r10,%r14\n\tcmovncq\t%r11,%r15\n\n\tdecq\t%rbx\n\tjnz\t.Loop_ord_sqr\n\n\tmovq\t%r8,0(%rdi)\n\tmovq\t%rax,8(%rdi)\n\tpxor\t%xmm1,%xmm1\n\tmovq\t%r14,16(%rdi)\n\tpxor\t%xmm2,%xmm2\n\tmovq\t%r15,24(%rdi)\n\tpxor\t%xmm3,%xmm3\n\n\tmovq\t0(%rsp),%r15\n.cfi_restore\t%r15\n\tmovq\t8(%rsp),%r14\n.cfi_restore\t%r14\n\tmovq\t16(%rsp),%r13\n.cfi_restore\t%r13\n\tmovq\t24(%rsp),%r12\n.cfi_restore\t%r12\n\tmovq\t32(%rsp),%rbx\n.cfi_restore\t%rbx\n\tmovq\t40(%rsp),%rbp\n.cfi_restore\t%rbp\n\tleaq\t48(%rsp),%rsp\n.cfi_adjust_cfa_offset\t-48\n.Lord_sqr_epilogue:\n\tret\n.cfi_endproc\t\n.size\tecp_nistz256_ord_sqr_mont_nohw,.-ecp_nistz256_ord_sqr_mont_nohw\n\n.globl\tecp_nistz256_ord_mul_mont_adx\n.hidden ecp_nistz256_ord_mul_mont_adx\n.type\tecp_nistz256_ord_mul_mont_adx,@function\n.align\t32\necp_nistz256_ord_mul_mont_adx:\n.cfi_startproc\t\n.Lecp_nistz256_ord_mul_mont_adx:\n_CET_ENDBR\n\tpushq\t%rbp\n.cfi_adjust_cfa_offset\t8\n.cfi_offset\t%rbp,-16\n\tpushq\t%rbx\n.cfi_adjust_cfa_offset\t8\n.cfi_offset\t%rbx,-24\n\tpushq\t%r12\n.cfi_adjust_cfa_offset\t8\n.cfi_offset\t%r12,-32\n\tpushq\t%r13\n.cfi_adjust_cfa_offset\t8\n.cfi_offset\t%r13,-40\n\tpushq\t%r14\n.cfi_adjust_cfa_offset\t8\n.cfi_offset\t%r14,-48\n\tpushq\t%r15\n.cfi_adjust_cfa_offset\t8\n.cfi_offset\t%r15,-56\n.Lord_mulx_body:\n\n\tmovq\t%rdx,%rbx\n\tmovq\t0(%rdx),%rdx\n\tmovq\t0(%rsi),%r9\n\tmovq\t8(%rsi),%r10\n\tmovq\t16(%rsi),%r11\n\tmovq\t24(%rsi),%r12\n\tleaq\t-128(%rsi),%rsi\n\tleaq\t.Lord-128(%rip),%r14\n\tmovq\t.LordK(%rip),%r15\n\n\n\tmulxq\t%r9,%r8,%r9\n\tmulxq\t%r10,%rcx,%r10\n\tmulxq\t%r11,%rbp,%r11\n\taddq\t%rcx,%r9\n\tmulxq\t%r12,%rcx,%r12\n\tmovq\t%r8,%rdx\n\tmulxq\t%r15,%rdx,%rax\n\tadcq\t%rbp,%r10\n\tadcq\t%rcx,%r11\n\tadcq\t$0,%r12\n\n\n\txorq\t%r13,%r13\n\tmulxq\t0+128(%r14),%rcx,%rbp\n\tadcxq\t%rcx,%r8\n\tadoxq\t%rbp,%r9\n\n\tmulxq\t8+128(%r14),%rcx,%rbp\n\tadcxq\t%rcx,%r9\n\tadoxq\t%rbp,%r10\n\n\tmulxq\t16+128(%r14),%rcx,%rbp\n\tadcxq\t%rcx,%r10\n\tadoxq\t%rbp,%r11\n\n\tmulxq\t24+128(%r14),%rcx,%rbp\n\tmovq\t8(%rbx),%rdx\n\tadcxq\t%rcx,%r11\n\tadoxq\t%rbp,%r12\n\tadcxq\t%r8,%r12\n\tadoxq\t%r8,%r13\n\tadcq\t$0,%r13\n\n\n\tmulxq\t0+128(%rsi),%rcx,%rbp\n\tadcxq\t%rcx,%r9\n\tadoxq\t%rbp,%r10\n\n\tmulxq\t8+128(%rsi),%rcx,%rbp\n\tadcxq\t%rcx,%r10\n\tadoxq\t%rbp,%r11\n\n\tmulxq\t16+128(%rsi),%rcx,%rbp\n\tadcxq\t%rcx,%r11\n\tadoxq\t%rbp,%r12\n\n\tmulxq\t24+128(%rsi),%rcx,%rbp\n\tmovq\t%r9,%rdx\n\tmulxq\t%r15,%rdx,%rax\n\tadcxq\t%rcx,%r12\n\tadoxq\t%rbp,%r13\n\n\tadcxq\t%r8,%r13\n\tadoxq\t%r8,%r8\n\tadcq\t$0,%r8\n\n\n\tmulxq\t0+128(%r14),%rcx,%rbp\n\tadcxq\t%rcx,%r9\n\tadoxq\t%rbp,%r10\n\n\tmulxq\t8+128(%r14),%rcx,%rbp\n\tadcxq\t%rcx,%r10\n\tadoxq\t%rbp,%r11\n\n\tmulxq\t16+128(%r14),%rcx,%rbp\n\tadcxq\t%rcx,%r11\n\tadoxq\t%rbp,%r12\n\n\tmulxq\t24+128(%r14),%rcx,%rbp\n\tmovq\t16(%rbx),%rdx\n\tadcxq\t%rcx,%r12\n\tadoxq\t%rbp,%r13\n\tadcxq\t%r9,%r13\n\tadoxq\t%r9,%r8\n\tadcq\t$0,%r8\n\n\n\tmulxq\t0+128(%rsi),%rcx,%rbp\n\tadcxq\t%rcx,%r10\n\tadoxq\t%rbp,%r11\n\n\tmulxq\t8+128(%rsi),%rcx,%rbp\n\tadcxq\t%rcx,%r11\n\tadoxq\t%rbp,%r12\n\n\tmulxq\t16+128(%rsi),%rcx,%rbp\n\tadcxq\t%rcx,%r12\n\tadoxq\t%rbp,%r13\n\n\tmulxq\t24+128(%rsi),%rcx,%rbp\n\tmovq\t%r10,%rdx\n\tmulxq\t%r15,%rdx,%rax\n\tadcxq\t%rcx,%r13\n\tadoxq\t%rbp,%r8\n\n\tadcxq\t%r9,%r8\n\tadoxq\t%r9,%r9\n\tadcq\t$0,%r9\n\n\n\tmulxq\t0+128(%r14),%rcx,%rbp\n\tadcxq\t%rcx,%r10\n\tadoxq\t%rbp,%r11\n\n\tmulxq\t8+128(%r14),%rcx,%rbp\n\tadcxq\t%rcx,%r11\n\tadoxq\t%rbp,%r12\n\n\tmulxq\t16+128(%r14),%rcx,%rbp\n\tadcxq\t%rcx,%r12\n\tadoxq\t%rbp,%r13\n\n\tmulxq\t24+128(%r14),%rcx,%rbp\n\tmovq\t24(%rbx),%rdx\n\tadcxq\t%rcx,%r13\n\tadoxq\t%rbp,%r8\n\tadcxq\t%r10,%r8\n\tadoxq\t%r10,%r9\n\tadcq\t$0,%r9\n\n\n\tmulxq\t0+128(%rsi),%rcx,%rbp\n\tadcxq\t%rcx,%r11\n\tadoxq\t%rbp,%r12\n\n\tmulxq\t8+128(%rsi),%rcx,%rbp\n\tadcxq\t%rcx,%r12\n\tadoxq\t%rbp,%r13\n\n\tmulxq\t16+128(%rsi),%rcx,%rbp\n\tadcxq\t%rcx,%r13\n\tadoxq\t%rbp,%r8\n\n\tmulxq\t24+128(%rsi),%rcx,%rbp\n\tmovq\t%r11,%rdx\n\tmulxq\t%r15,%rdx,%rax\n\tadcxq\t%rcx,%r8\n\tadoxq\t%rbp,%r9\n\n\tadcxq\t%r10,%r9\n\tadoxq\t%r10,%r10\n\tadcq\t$0,%r10\n\n\n\tmulxq\t0+128(%r14),%rcx,%rbp\n\tadcxq\t%rcx,%r11\n\tadoxq\t%rbp,%r12\n\n\tmulxq\t8+128(%r14),%rcx,%rbp\n\tadcxq\t%rcx,%r12\n\tadoxq\t%rbp,%r13\n\n\tmulxq\t16+128(%r14),%rcx,%rbp\n\tadcxq\t%rcx,%r13\n\tadoxq\t%rbp,%r8\n\n\tmulxq\t24+128(%r14),%rcx,%rbp\n\tleaq\t128(%r14),%r14\n\tmovq\t%r12,%rbx\n\tadcxq\t%rcx,%r8\n\tadoxq\t%rbp,%r9\n\tmovq\t%r13,%rdx\n\tadcxq\t%r11,%r9\n\tadoxq\t%r11,%r10\n\tadcq\t$0,%r10\n\n\n\n\tmovq\t%r8,%rcx\n\tsubq\t0(%r14),%r12\n\tsbbq\t8(%r14),%r13\n\tsbbq\t16(%r14),%r8\n\tmovq\t%r9,%rbp\n\tsbbq\t24(%r14),%r9\n\tsbbq\t$0,%r10\n\n\tcmovcq\t%rbx,%r12\n\tcmovcq\t%rdx,%r13\n\tcmovcq\t%rcx,%r8\n\tcmovcq\t%rbp,%r9\n\n\tmovq\t%r12,0(%rdi)\n\tmovq\t%r13,8(%rdi)\n\tmovq\t%r8,16(%rdi)\n\tmovq\t%r9,24(%rdi)\n\n\tmovq\t0(%rsp),%r15\n.cfi_restore\t%r15\n\tmovq\t8(%rsp),%r14\n.cfi_restore\t%r14\n\tmovq\t16(%rsp),%r13\n.cfi_restore\t%r13\n\tmovq\t24(%rsp),%r12\n.cfi_restore\t%r12\n\tmovq\t32(%rsp),%rbx\n.cfi_restore\t%rbx\n\tmovq\t40(%rsp),%rbp\n.cfi_restore\t%rbp\n\tleaq\t48(%rsp),%rsp\n.cfi_adjust_cfa_offset\t-48\n.Lord_mulx_epilogue:\n\tret\n.cfi_endproc\t\n.size\tecp_nistz256_ord_mul_mont_adx,.-ecp_nistz256_ord_mul_mont_adx\n\n.globl\tecp_nistz256_ord_sqr_mont_adx\n.hidden ecp_nistz256_ord_sqr_mont_adx\n.type\tecp_nistz256_ord_sqr_mont_adx,@function\n.align\t32\necp_nistz256_ord_sqr_mont_adx:\n.cfi_startproc\t\n_CET_ENDBR\n.Lecp_nistz256_ord_sqr_mont_adx:\n\tpushq\t%rbp\n.cfi_adjust_cfa_offset\t8\n.cfi_offset\t%rbp,-16\n\tpushq\t%rbx\n.cfi_adjust_cfa_offset\t8\n.cfi_offset\t%rbx,-24\n\tpushq\t%r12\n.cfi_adjust_cfa_offset\t8\n.cfi_offset\t%r12,-32\n\tpushq\t%r13\n.cfi_adjust_cfa_offset\t8\n.cfi_offset\t%r13,-40\n\tpushq\t%r14\n.cfi_adjust_cfa_offset\t8\n.cfi_offset\t%r14,-48\n\tpushq\t%r15\n.cfi_adjust_cfa_offset\t8\n.cfi_offset\t%r15,-56\n.Lord_sqrx_body:\n\n\tmovq\t%rdx,%rbx\n\tmovq\t0(%rsi),%rdx\n\tmovq\t8(%rsi),%r14\n\tmovq\t16(%rsi),%r15\n\tmovq\t24(%rsi),%r8\n\tleaq\t.Lord(%rip),%rsi\n\tjmp\t.Loop_ord_sqrx\n\n.align\t32\n.Loop_ord_sqrx:\n\tmulxq\t%r14,%r9,%r10\n\tmulxq\t%r15,%rcx,%r11\n\tmovq\t%rdx,%rax\n.byte\t102,73,15,110,206\n\tmulxq\t%r8,%rbp,%r12\n\tmovq\t%r14,%rdx\n\taddq\t%rcx,%r10\n.byte\t102,73,15,110,215\n\tadcq\t%rbp,%r11\n\tadcq\t$0,%r12\n\txorq\t%r13,%r13\n\n\tmulxq\t%r15,%rcx,%rbp\n\tadcxq\t%rcx,%r11\n\tadoxq\t%rbp,%r12\n\n\tmulxq\t%r8,%rcx,%rbp\n\tmovq\t%r15,%rdx\n\tadcxq\t%rcx,%r12\n\tadoxq\t%rbp,%r13\n\tadcq\t$0,%r13\n\n\tmulxq\t%r8,%rcx,%r14\n\tmovq\t%rax,%rdx\n.byte\t102,73,15,110,216\n\txorq\t%r15,%r15\n\tadcxq\t%r9,%r9\n\tadoxq\t%rcx,%r13\n\tadcxq\t%r10,%r10\n\tadoxq\t%r15,%r14\n\n\n\tmulxq\t%rdx,%r8,%rbp\n.byte\t102,72,15,126,202\n\tadcxq\t%r11,%r11\n\tadoxq\t%rbp,%r9\n\tadcxq\t%r12,%r12\n\tmulxq\t%rdx,%rcx,%rax\n.byte\t102,72,15,126,210\n\tadcxq\t%r13,%r13\n\tadoxq\t%rcx,%r10\n\tadcxq\t%r14,%r14\n\tmulxq\t%rdx,%rcx,%rbp\n.byte\t0x67\n.byte\t102,72,15,126,218\n\tadoxq\t%rax,%r11\n\tadcxq\t%r15,%r15\n\tadoxq\t%rcx,%r12\n\tadoxq\t%rbp,%r13\n\tmulxq\t%rdx,%rcx,%rax\n\tadoxq\t%rcx,%r14\n\tadoxq\t%rax,%r15\n\n\n\tmovq\t%r8,%rdx\n\tmulxq\t32(%rsi),%rdx,%rcx\n\n\txorq\t%rax,%rax\n\tmulxq\t0(%rsi),%rcx,%rbp\n\tadcxq\t%rcx,%r8\n\tadoxq\t%rbp,%r9\n\tmulxq\t8(%rsi),%rcx,%rbp\n\tadcxq\t%rcx,%r9\n\tadoxq\t%rbp,%r10\n\tmulxq\t16(%rsi),%rcx,%rbp\n\tadcxq\t%rcx,%r10\n\tadoxq\t%rbp,%r11\n\tmulxq\t24(%rsi),%rcx,%rbp\n\tadcxq\t%rcx,%r11\n\tadoxq\t%rbp,%r8\n\tadcxq\t%rax,%r8\n\n\n\tmovq\t%r9,%rdx\n\tmulxq\t32(%rsi),%rdx,%rcx\n\n\tmulxq\t0(%rsi),%rcx,%rbp\n\tadoxq\t%rcx,%r9\n\tadcxq\t%rbp,%r10\n\tmulxq\t8(%rsi),%rcx,%rbp\n\tadoxq\t%rcx,%r10\n\tadcxq\t%rbp,%r11\n\tmulxq\t16(%rsi),%rcx,%rbp\n\tadoxq\t%rcx,%r11\n\tadcxq\t%rbp,%r8\n\tmulxq\t24(%rsi),%rcx,%rbp\n\tadoxq\t%rcx,%r8\n\tadcxq\t%rbp,%r9\n\tadoxq\t%rax,%r9\n\n\n\tmovq\t%r10,%rdx\n\tmulxq\t32(%rsi),%rdx,%rcx\n\n\tmulxq\t0(%rsi),%rcx,%rbp\n\tadcxq\t%rcx,%r10\n\tadoxq\t%rbp,%r11\n\tmulxq\t8(%rsi),%rcx,%rbp\n\tadcxq\t%rcx,%r11\n\tadoxq\t%rbp,%r8\n\tmulxq\t16(%rsi),%rcx,%rbp\n\tadcxq\t%rcx,%r8\n\tadoxq\t%rbp,%r9\n\tmulxq\t24(%rsi),%rcx,%rbp\n\tadcxq\t%rcx,%r9\n\tadoxq\t%rbp,%r10\n\tadcxq\t%rax,%r10\n\n\n\tmovq\t%r11,%rdx\n\tmulxq\t32(%rsi),%rdx,%rcx\n\n\tmulxq\t0(%rsi),%rcx,%rbp\n\tadoxq\t%rcx,%r11\n\tadcxq\t%rbp,%r8\n\tmulxq\t8(%rsi),%rcx,%rbp\n\tadoxq\t%rcx,%r8\n\tadcxq\t%rbp,%r9\n\tmulxq\t16(%rsi),%rcx,%rbp\n\tadoxq\t%rcx,%r9\n\tadcxq\t%rbp,%r10\n\tmulxq\t24(%rsi),%rcx,%rbp\n\tadoxq\t%rcx,%r10\n\tadcxq\t%rbp,%r11\n\tadoxq\t%rax,%r11\n\n\n\taddq\t%r8,%r12\n\tadcq\t%r13,%r9\n\tmovq\t%r12,%rdx\n\tadcq\t%r14,%r10\n\tadcq\t%r15,%r11\n\tmovq\t%r9,%r14\n\tadcq\t$0,%rax\n\n\n\tsubq\t0(%rsi),%r12\n\tmovq\t%r10,%r15\n\tsbbq\t8(%rsi),%r9\n\tsbbq\t16(%rsi),%r10\n\tmovq\t%r11,%r8\n\tsbbq\t24(%rsi),%r11\n\tsbbq\t$0,%rax\n\n\tcmovncq\t%r12,%rdx\n\tcmovncq\t%r9,%r14\n\tcmovncq\t%r10,%r15\n\tcmovncq\t%r11,%r8\n\n\tdecq\t%rbx\n\tjnz\t.Loop_ord_sqrx\n\n\tmovq\t%rdx,0(%rdi)\n\tmovq\t%r14,8(%rdi)\n\tpxor\t%xmm1,%xmm1\n\tmovq\t%r15,16(%rdi)\n\tpxor\t%xmm2,%xmm2\n\tmovq\t%r8,24(%rdi)\n\tpxor\t%xmm3,%xmm3\n\n\tmovq\t0(%rsp),%r15\n.cfi_restore\t%r15\n\tmovq\t8(%rsp),%r14\n.cfi_restore\t%r14\n\tmovq\t16(%rsp),%r13\n.cfi_restore\t%r13\n\tmovq\t24(%rsp),%r12\n.cfi_restore\t%r12\n\tmovq\t32(%rsp),%rbx\n.cfi_restore\t%rbx\n\tmovq\t40(%rsp),%rbp\n.cfi_restore\t%rbp\n\tleaq\t48(%rsp),%rsp\n.cfi_adjust_cfa_offset\t-48\n.Lord_sqrx_epilogue:\n\tret\n.cfi_endproc\t\n.size\tecp_nistz256_ord_sqr_mont_adx,.-ecp_nistz256_ord_sqr_mont_adx\n\n\n\n\n\n\n.globl\tecp_nistz256_mul_mont_nohw\n.hidden ecp_nistz256_mul_mont_nohw\n.type\tecp_nistz256_mul_mont_nohw,@function\n.align\t32\necp_nistz256_mul_mont_nohw:\n.cfi_startproc\t\n_CET_ENDBR\n\tpushq\t%rbp\n.cfi_adjust_cfa_offset\t8\n.cfi_offset\t%rbp,-16\n\tpushq\t%rbx\n.cfi_adjust_cfa_offset\t8\n.cfi_offset\t%rbx,-24\n\tpushq\t%r12\n.cfi_adjust_cfa_offset\t8\n.cfi_offset\t%r12,-32\n\tpushq\t%r13\n.cfi_adjust_cfa_offset\t8\n.cfi_offset\t%r13,-40\n\tpushq\t%r14\n.cfi_adjust_cfa_offset\t8\n.cfi_offset\t%r14,-48\n\tpushq\t%r15\n.cfi_adjust_cfa_offset\t8\n.cfi_offset\t%r15,-56\n.Lmul_body:\n\tmovq\t%rdx,%rbx\n\tmovq\t0(%rdx),%rax\n\tmovq\t0(%rsi),%r9\n\tmovq\t8(%rsi),%r10\n\tmovq\t16(%rsi),%r11\n\tmovq\t24(%rsi),%r12\n\n\tcall\t__ecp_nistz256_mul_montq\n\n\tmovq\t0(%rsp),%r15\n.cfi_restore\t%r15\n\tmovq\t8(%rsp),%r14\n.cfi_restore\t%r14\n\tmovq\t16(%rsp),%r13\n.cfi_restore\t%r13\n\tmovq\t24(%rsp),%r12\n.cfi_restore\t%r12\n\tmovq\t32(%rsp),%rbx\n.cfi_restore\t%rbx\n\tmovq\t40(%rsp),%rbp\n.cfi_restore\t%rbp\n\tleaq\t48(%rsp),%rsp\n.cfi_adjust_cfa_offset\t-48\n.Lmul_epilogue:\n\tret\n.cfi_endproc\t\n.size\tecp_nistz256_mul_mont_nohw,.-ecp_nistz256_mul_mont_nohw\n\n.type\t__ecp_nistz256_mul_montq,@function\n.align\t32\n__ecp_nistz256_mul_montq:\n.cfi_startproc\t\n\n\n\tmovq\t%rax,%rbp\n\tmulq\t%r9\n\tmovq\t.Lpoly+8(%rip),%r14\n\tmovq\t%rax,%r8\n\tmovq\t%rbp,%rax\n\tmovq\t%rdx,%r9\n\n\tmulq\t%r10\n\tmovq\t.Lpoly+24(%rip),%r15\n\taddq\t%rax,%r9\n\tmovq\t%rbp,%rax\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r10\n\n\tmulq\t%r11\n\taddq\t%rax,%r10\n\tmovq\t%rbp,%rax\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r11\n\n\tmulq\t%r12\n\taddq\t%rax,%r11\n\tmovq\t%r8,%rax\n\tadcq\t$0,%rdx\n\txorq\t%r13,%r13\n\tmovq\t%rdx,%r12\n\n\n\n\n\n\n\n\n\n\n\tmovq\t%r8,%rbp\n\tshlq\t$32,%r8\n\tmulq\t%r15\n\tshrq\t$32,%rbp\n\taddq\t%r8,%r9\n\tadcq\t%rbp,%r10\n\tadcq\t%rax,%r11\n\tmovq\t8(%rbx),%rax\n\tadcq\t%rdx,%r12\n\tadcq\t$0,%r13\n\txorq\t%r8,%r8\n\n\n\n\tmovq\t%rax,%rbp\n\tmulq\t0(%rsi)\n\taddq\t%rax,%r9\n\tmovq\t%rbp,%rax\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%rcx\n\n\tmulq\t8(%rsi)\n\taddq\t%rcx,%r10\n\tadcq\t$0,%rdx\n\taddq\t%rax,%r10\n\tmovq\t%rbp,%rax\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%rcx\n\n\tmulq\t16(%rsi)\n\taddq\t%rcx,%r11\n\tadcq\t$0,%rdx\n\taddq\t%rax,%r11\n\tmovq\t%rbp,%rax\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%rcx\n\n\tmulq\t24(%rsi)\n\taddq\t%rcx,%r12\n\tadcq\t$0,%rdx\n\taddq\t%rax,%r12\n\tmovq\t%r9,%rax\n\tadcq\t%rdx,%r13\n\tadcq\t$0,%r8\n\n\n\n\tmovq\t%r9,%rbp\n\tshlq\t$32,%r9\n\tmulq\t%r15\n\tshrq\t$32,%rbp\n\taddq\t%r9,%r10\n\tadcq\t%rbp,%r11\n\tadcq\t%rax,%r12\n\tmovq\t16(%rbx),%rax\n\tadcq\t%rdx,%r13\n\tadcq\t$0,%r8\n\txorq\t%r9,%r9\n\n\n\n\tmovq\t%rax,%rbp\n\tmulq\t0(%rsi)\n\taddq\t%rax,%r10\n\tmovq\t%rbp,%rax\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%rcx\n\n\tmulq\t8(%rsi)\n\taddq\t%rcx,%r11\n\tadcq\t$0,%rdx\n\taddq\t%rax,%r11\n\tmovq\t%rbp,%rax\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%rcx\n\n\tmulq\t16(%rsi)\n\taddq\t%rcx,%r12\n\tadcq\t$0,%rdx\n\taddq\t%rax,%r12\n\tmovq\t%rbp,%rax\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%rcx\n\n\tmulq\t24(%rsi)\n\taddq\t%rcx,%r13\n\tadcq\t$0,%rdx\n\taddq\t%rax,%r13\n\tmovq\t%r10,%rax\n\tadcq\t%rdx,%r8\n\tadcq\t$0,%r9\n\n\n\n\tmovq\t%r10,%rbp\n\tshlq\t$32,%r10\n\tmulq\t%r15\n\tshrq\t$32,%rbp\n\taddq\t%r10,%r11\n\tadcq\t%rbp,%r12\n\tadcq\t%rax,%r13\n\tmovq\t24(%rbx),%rax\n\tadcq\t%rdx,%r8\n\tadcq\t$0,%r9\n\txorq\t%r10,%r10\n\n\n\n\tmovq\t%rax,%rbp\n\tmulq\t0(%rsi)\n\taddq\t%rax,%r11\n\tmovq\t%rbp,%rax\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%rcx\n\n\tmulq\t8(%rsi)\n\taddq\t%rcx,%r12\n\tadcq\t$0,%rdx\n\taddq\t%rax,%r12\n\tmovq\t%rbp,%rax\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%rcx\n\n\tmulq\t16(%rsi)\n\taddq\t%rcx,%r13\n\tadcq\t$0,%rdx\n\taddq\t%rax,%r13\n\tmovq\t%rbp,%rax\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%rcx\n\n\tmulq\t24(%rsi)\n\taddq\t%rcx,%r8\n\tadcq\t$0,%rdx\n\taddq\t%rax,%r8\n\tmovq\t%r11,%rax\n\tadcq\t%rdx,%r9\n\tadcq\t$0,%r10\n\n\n\n\tmovq\t%r11,%rbp\n\tshlq\t$32,%r11\n\tmulq\t%r15\n\tshrq\t$32,%rbp\n\taddq\t%r11,%r12\n\tadcq\t%rbp,%r13\n\tmovq\t%r12,%rcx\n\tadcq\t%rax,%r8\n\tadcq\t%rdx,%r9\n\tmovq\t%r13,%rbp\n\tadcq\t$0,%r10\n\n\n\n\tsubq\t$-1,%r12\n\tmovq\t%r8,%rbx\n\tsbbq\t%r14,%r13\n\tsbbq\t$0,%r8\n\tmovq\t%r9,%rdx\n\tsbbq\t%r15,%r9\n\tsbbq\t$0,%r10\n\n\tcmovcq\t%rcx,%r12\n\tcmovcq\t%rbp,%r13\n\tmovq\t%r12,0(%rdi)\n\tcmovcq\t%rbx,%r8\n\tmovq\t%r13,8(%rdi)\n\tcmovcq\t%rdx,%r9\n\tmovq\t%r8,16(%rdi)\n\tmovq\t%r9,24(%rdi)\n\n\tret\n.cfi_endproc\t\n.size\t__ecp_nistz256_mul_montq,.-__ecp_nistz256_mul_montq\n\n\n\n\n\n\n\n\n.globl\tecp_nistz256_sqr_mont_nohw\n.hidden ecp_nistz256_sqr_mont_nohw\n.type\tecp_nistz256_sqr_mont_nohw,@function\n.align\t32\necp_nistz256_sqr_mont_nohw:\n.cfi_startproc\t\n_CET_ENDBR\n\tpushq\t%rbp\n.cfi_adjust_cfa_offset\t8\n.cfi_offset\t%rbp,-16\n\tpushq\t%rbx\n.cfi_adjust_cfa_offset\t8\n.cfi_offset\t%rbx,-24\n\tpushq\t%r12\n.cfi_adjust_cfa_offset\t8\n.cfi_offset\t%r12,-32\n\tpushq\t%r13\n.cfi_adjust_cfa_offset\t8\n.cfi_offset\t%r13,-40\n\tpushq\t%r14\n.cfi_adjust_cfa_offset\t8\n.cfi_offset\t%r14,-48\n\tpushq\t%r15\n.cfi_adjust_cfa_offset\t8\n.cfi_offset\t%r15,-56\n.Lsqr_body:\n\tmovq\t0(%rsi),%rax\n\tmovq\t8(%rsi),%r14\n\tmovq\t16(%rsi),%r15\n\tmovq\t24(%rsi),%r8\n\n\tcall\t__ecp_nistz256_sqr_montq\n\n\tmovq\t0(%rsp),%r15\n.cfi_restore\t%r15\n\tmovq\t8(%rsp),%r14\n.cfi_restore\t%r14\n\tmovq\t16(%rsp),%r13\n.cfi_restore\t%r13\n\tmovq\t24(%rsp),%r12\n.cfi_restore\t%r12\n\tmovq\t32(%rsp),%rbx\n.cfi_restore\t%rbx\n\tmovq\t40(%rsp),%rbp\n.cfi_restore\t%rbp\n\tleaq\t48(%rsp),%rsp\n.cfi_adjust_cfa_offset\t-48\n.Lsqr_epilogue:\n\tret\n.cfi_endproc\t\n.size\tecp_nistz256_sqr_mont_nohw,.-ecp_nistz256_sqr_mont_nohw\n\n.type\t__ecp_nistz256_sqr_montq,@function\n.align\t32\n__ecp_nistz256_sqr_montq:\n.cfi_startproc\t\n\tmovq\t%rax,%r13\n\tmulq\t%r14\n\tmovq\t%rax,%r9\n\tmovq\t%r15,%rax\n\tmovq\t%rdx,%r10\n\n\tmulq\t%r13\n\taddq\t%rax,%r10\n\tmovq\t%r8,%rax\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r11\n\n\tmulq\t%r13\n\taddq\t%rax,%r11\n\tmovq\t%r15,%rax\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r12\n\n\n\tmulq\t%r14\n\taddq\t%rax,%r11\n\tmovq\t%r8,%rax\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%rbp\n\n\tmulq\t%r14\n\taddq\t%rax,%r12\n\tmovq\t%r8,%rax\n\tadcq\t$0,%rdx\n\taddq\t%rbp,%r12\n\tmovq\t%rdx,%r13\n\tadcq\t$0,%r13\n\n\n\tmulq\t%r15\n\txorq\t%r15,%r15\n\taddq\t%rax,%r13\n\tmovq\t0(%rsi),%rax\n\tmovq\t%rdx,%r14\n\tadcq\t$0,%r14\n\n\taddq\t%r9,%r9\n\tadcq\t%r10,%r10\n\tadcq\t%r11,%r11\n\tadcq\t%r12,%r12\n\tadcq\t%r13,%r13\n\tadcq\t%r14,%r14\n\tadcq\t$0,%r15\n\n\tmulq\t%rax\n\tmovq\t%rax,%r8\n\tmovq\t8(%rsi),%rax\n\tmovq\t%rdx,%rcx\n\n\tmulq\t%rax\n\taddq\t%rcx,%r9\n\tadcq\t%rax,%r10\n\tmovq\t16(%rsi),%rax\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%rcx\n\n\tmulq\t%rax\n\taddq\t%rcx,%r11\n\tadcq\t%rax,%r12\n\tmovq\t24(%rsi),%rax\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%rcx\n\n\tmulq\t%rax\n\taddq\t%rcx,%r13\n\tadcq\t%rax,%r14\n\tmovq\t%r8,%rax\n\tadcq\t%rdx,%r15\n\n\tmovq\t.Lpoly+8(%rip),%rsi\n\tmovq\t.Lpoly+24(%rip),%rbp\n\n\n\n\n\tmovq\t%r8,%rcx\n\tshlq\t$32,%r8\n\tmulq\t%rbp\n\tshrq\t$32,%rcx\n\taddq\t%r8,%r9\n\tadcq\t%rcx,%r10\n\tadcq\t%rax,%r11\n\tmovq\t%r9,%rax\n\tadcq\t$0,%rdx\n\n\n\n\tmovq\t%r9,%rcx\n\tshlq\t$32,%r9\n\tmovq\t%rdx,%r8\n\tmulq\t%rbp\n\tshrq\t$32,%rcx\n\taddq\t%r9,%r10\n\tadcq\t%rcx,%r11\n\tadcq\t%rax,%r8\n\tmovq\t%r10,%rax\n\tadcq\t$0,%rdx\n\n\n\n\tmovq\t%r10,%rcx\n\tshlq\t$32,%r10\n\tmovq\t%rdx,%r9\n\tmulq\t%rbp\n\tshrq\t$32,%rcx\n\taddq\t%r10,%r11\n\tadcq\t%rcx,%r8\n\tadcq\t%rax,%r9\n\tmovq\t%r11,%rax\n\tadcq\t$0,%rdx\n\n\n\n\tmovq\t%r11,%rcx\n\tshlq\t$32,%r11\n\tmovq\t%rdx,%r10\n\tmulq\t%rbp\n\tshrq\t$32,%rcx\n\taddq\t%r11,%r8\n\tadcq\t%rcx,%r9\n\tadcq\t%rax,%r10\n\tadcq\t$0,%rdx\n\txorq\t%r11,%r11\n\n\n\n\taddq\t%r8,%r12\n\tadcq\t%r9,%r13\n\tmovq\t%r12,%r8\n\tadcq\t%r10,%r14\n\tadcq\t%rdx,%r15\n\tmovq\t%r13,%r9\n\tadcq\t$0,%r11\n\n\tsubq\t$-1,%r12\n\tmovq\t%r14,%r10\n\tsbbq\t%rsi,%r13\n\tsbbq\t$0,%r14\n\tmovq\t%r15,%rcx\n\tsbbq\t%rbp,%r15\n\tsbbq\t$0,%r11\n\n\tcmovcq\t%r8,%r12\n\tcmovcq\t%r9,%r13\n\tmovq\t%r12,0(%rdi)\n\tcmovcq\t%r10,%r14\n\tmovq\t%r13,8(%rdi)\n\tcmovcq\t%rcx,%r15\n\tmovq\t%r14,16(%rdi)\n\tmovq\t%r15,24(%rdi)\n\n\tret\n.cfi_endproc\t\n.size\t__ecp_nistz256_sqr_montq,.-__ecp_nistz256_sqr_montq\n.globl\tecp_nistz256_mul_mont_adx\n.hidden ecp_nistz256_mul_mont_adx\n.type\tecp_nistz256_mul_mont_adx,@function\n.align\t32\necp_nistz256_mul_mont_adx:\n.cfi_startproc\t\n_CET_ENDBR\n\tpushq\t%rbp\n.cfi_adjust_cfa_offset\t8\n.cfi_offset\t%rbp,-16\n\tpushq\t%rbx\n.cfi_adjust_cfa_offset\t8\n.cfi_offset\t%rbx,-24\n\tpushq\t%r12\n.cfi_adjust_cfa_offset\t8\n.cfi_offset\t%r12,-32\n\tpushq\t%r13\n.cfi_adjust_cfa_offset\t8\n.cfi_offset\t%r13,-40\n\tpushq\t%r14\n.cfi_adjust_cfa_offset\t8\n.cfi_offset\t%r14,-48\n\tpushq\t%r15\n.cfi_adjust_cfa_offset\t8\n.cfi_offset\t%r15,-56\n.Lmulx_body:\n\tmovq\t%rdx,%rbx\n\tmovq\t0(%rdx),%rdx\n\tmovq\t0(%rsi),%r9\n\tmovq\t8(%rsi),%r10\n\tmovq\t16(%rsi),%r11\n\tmovq\t24(%rsi),%r12\n\tleaq\t-128(%rsi),%rsi\n\n\tcall\t__ecp_nistz256_mul_montx\n\n\tmovq\t0(%rsp),%r15\n.cfi_restore\t%r15\n\tmovq\t8(%rsp),%r14\n.cfi_restore\t%r14\n\tmovq\t16(%rsp),%r13\n.cfi_restore\t%r13\n\tmovq\t24(%rsp),%r12\n.cfi_restore\t%r12\n\tmovq\t32(%rsp),%rbx\n.cfi_restore\t%rbx\n\tmovq\t40(%rsp),%rbp\n.cfi_restore\t%rbp\n\tleaq\t48(%rsp),%rsp\n.cfi_adjust_cfa_offset\t-48\n.Lmulx_epilogue:\n\tret\n.cfi_endproc\t\n.size\tecp_nistz256_mul_mont_adx,.-ecp_nistz256_mul_mont_adx\n\n.type\t__ecp_nistz256_mul_montx,@function\n.align\t32\n__ecp_nistz256_mul_montx:\n.cfi_startproc\t\n\n\n\tmulxq\t%r9,%r8,%r9\n\tmulxq\t%r10,%rcx,%r10\n\tmovq\t$32,%r14\n\txorq\t%r13,%r13\n\tmulxq\t%r11,%rbp,%r11\n\tmovq\t.Lpoly+24(%rip),%r15\n\tadcq\t%rcx,%r9\n\tmulxq\t%r12,%rcx,%r12\n\tmovq\t%r8,%rdx\n\tadcq\t%rbp,%r10\n\tshlxq\t%r14,%r8,%rbp\n\tadcq\t%rcx,%r11\n\tshrxq\t%r14,%r8,%rcx\n\tadcq\t$0,%r12\n\n\n\n\taddq\t%rbp,%r9\n\tadcq\t%rcx,%r10\n\n\tmulxq\t%r15,%rcx,%rbp\n\tmovq\t8(%rbx),%rdx\n\tadcq\t%rcx,%r11\n\tadcq\t%rbp,%r12\n\tadcq\t$0,%r13\n\txorq\t%r8,%r8\n\n\n\n\tmulxq\t0+128(%rsi),%rcx,%rbp\n\tadcxq\t%rcx,%r9\n\tadoxq\t%rbp,%r10\n\n\tmulxq\t8+128(%rsi),%rcx,%rbp\n\tadcxq\t%rcx,%r10\n\tadoxq\t%rbp,%r11\n\n\tmulxq\t16+128(%rsi),%rcx,%rbp\n\tadcxq\t%rcx,%r11\n\tadoxq\t%rbp,%r12\n\n\tmulxq\t24+128(%rsi),%rcx,%rbp\n\tmovq\t%r9,%rdx\n\tadcxq\t%rcx,%r12\n\tshlxq\t%r14,%r9,%rcx\n\tadoxq\t%rbp,%r13\n\tshrxq\t%r14,%r9,%rbp\n\n\tadcxq\t%r8,%r13\n\tadoxq\t%r8,%r8\n\tadcq\t$0,%r8\n\n\n\n\taddq\t%rcx,%r10\n\tadcq\t%rbp,%r11\n\n\tmulxq\t%r15,%rcx,%rbp\n\tmovq\t16(%rbx),%rdx\n\tadcq\t%rcx,%r12\n\tadcq\t%rbp,%r13\n\tadcq\t$0,%r8\n\txorq\t%r9,%r9\n\n\n\n\tmulxq\t0+128(%rsi),%rcx,%rbp\n\tadcxq\t%rcx,%r10\n\tadoxq\t%rbp,%r11\n\n\tmulxq\t8+128(%rsi),%rcx,%rbp\n\tadcxq\t%rcx,%r11\n\tadoxq\t%rbp,%r12\n\n\tmulxq\t16+128(%rsi),%rcx,%rbp\n\tadcxq\t%rcx,%r12\n\tadoxq\t%rbp,%r13\n\n\tmulxq\t24+128(%rsi),%rcx,%rbp\n\tmovq\t%r10,%rdx\n\tadcxq\t%rcx,%r13\n\tshlxq\t%r14,%r10,%rcx\n\tadoxq\t%rbp,%r8\n\tshrxq\t%r14,%r10,%rbp\n\n\tadcxq\t%r9,%r8\n\tadoxq\t%r9,%r9\n\tadcq\t$0,%r9\n\n\n\n\taddq\t%rcx,%r11\n\tadcq\t%rbp,%r12\n\n\tmulxq\t%r15,%rcx,%rbp\n\tmovq\t24(%rbx),%rdx\n\tadcq\t%rcx,%r13\n\tadcq\t%rbp,%r8\n\tadcq\t$0,%r9\n\txorq\t%r10,%r10\n\n\n\n\tmulxq\t0+128(%rsi),%rcx,%rbp\n\tadcxq\t%rcx,%r11\n\tadoxq\t%rbp,%r12\n\n\tmulxq\t8+128(%rsi),%rcx,%rbp\n\tadcxq\t%rcx,%r12\n\tadoxq\t%rbp,%r13\n\n\tmulxq\t16+128(%rsi),%rcx,%rbp\n\tadcxq\t%rcx,%r13\n\tadoxq\t%rbp,%r8\n\n\tmulxq\t24+128(%rsi),%rcx,%rbp\n\tmovq\t%r11,%rdx\n\tadcxq\t%rcx,%r8\n\tshlxq\t%r14,%r11,%rcx\n\tadoxq\t%rbp,%r9\n\tshrxq\t%r14,%r11,%rbp\n\n\tadcxq\t%r10,%r9\n\tadoxq\t%r10,%r10\n\tadcq\t$0,%r10\n\n\n\n\taddq\t%rcx,%r12\n\tadcq\t%rbp,%r13\n\n\tmulxq\t%r15,%rcx,%rbp\n\tmovq\t%r12,%rbx\n\tmovq\t.Lpoly+8(%rip),%r14\n\tadcq\t%rcx,%r8\n\tmovq\t%r13,%rdx\n\tadcq\t%rbp,%r9\n\tadcq\t$0,%r10\n\n\n\n\txorl\t%eax,%eax\n\tmovq\t%r8,%rcx\n\tsbbq\t$-1,%r12\n\tsbbq\t%r14,%r13\n\tsbbq\t$0,%r8\n\tmovq\t%r9,%rbp\n\tsbbq\t%r15,%r9\n\tsbbq\t$0,%r10\n\n\tcmovcq\t%rbx,%r12\n\tcmovcq\t%rdx,%r13\n\tmovq\t%r12,0(%rdi)\n\tcmovcq\t%rcx,%r8\n\tmovq\t%r13,8(%rdi)\n\tcmovcq\t%rbp,%r9\n\tmovq\t%r8,16(%rdi)\n\tmovq\t%r9,24(%rdi)\n\n\tret\n.cfi_endproc\t\n.size\t__ecp_nistz256_mul_montx,.-__ecp_nistz256_mul_montx\n\n.globl\tecp_nistz256_sqr_mont_adx\n.hidden ecp_nistz256_sqr_mont_adx\n.type\tecp_nistz256_sqr_mont_adx,@function\n.align\t32\necp_nistz256_sqr_mont_adx:\n.cfi_startproc\t\n_CET_ENDBR\n\tpushq\t%rbp\n.cfi_adjust_cfa_offset\t8\n.cfi_offset\t%rbp,-16\n\tpushq\t%rbx\n.cfi_adjust_cfa_offset\t8\n.cfi_offset\t%rbx,-24\n\tpushq\t%r12\n.cfi_adjust_cfa_offset\t8\n.cfi_offset\t%r12,-32\n\tpushq\t%r13\n.cfi_adjust_cfa_offset\t8\n.cfi_offset\t%r13,-40\n\tpushq\t%r14\n.cfi_adjust_cfa_offset\t8\n.cfi_offset\t%r14,-48\n\tpushq\t%r15\n.cfi_adjust_cfa_offset\t8\n.cfi_offset\t%r15,-56\n.Lsqrx_body:\n\tmovq\t0(%rsi),%rdx\n\tmovq\t8(%rsi),%r14\n\tmovq\t16(%rsi),%r15\n\tmovq\t24(%rsi),%r8\n\tleaq\t-128(%rsi),%rsi\n\n\tcall\t__ecp_nistz256_sqr_montx\n\n\tmovq\t0(%rsp),%r15\n.cfi_restore\t%r15\n\tmovq\t8(%rsp),%r14\n.cfi_restore\t%r14\n\tmovq\t16(%rsp),%r13\n.cfi_restore\t%r13\n\tmovq\t24(%rsp),%r12\n.cfi_restore\t%r12\n\tmovq\t32(%rsp),%rbx\n.cfi_restore\t%rbx\n\tmovq\t40(%rsp),%rbp\n.cfi_restore\t%rbp\n\tleaq\t48(%rsp),%rsp\n.cfi_adjust_cfa_offset\t-48\n.Lsqrx_epilogue:\n\tret\n.cfi_endproc\t\n.size\tecp_nistz256_sqr_mont_adx,.-ecp_nistz256_sqr_mont_adx\n\n.type\t__ecp_nistz256_sqr_montx,@function\n.align\t32\n__ecp_nistz256_sqr_montx:\n.cfi_startproc\t\n\tmulxq\t%r14,%r9,%r10\n\tmulxq\t%r15,%rcx,%r11\n\txorl\t%eax,%eax\n\tadcq\t%rcx,%r10\n\tmulxq\t%r8,%rbp,%r12\n\tmovq\t%r14,%rdx\n\tadcq\t%rbp,%r11\n\tadcq\t$0,%r12\n\txorq\t%r13,%r13\n\n\n\tmulxq\t%r15,%rcx,%rbp\n\tadcxq\t%rcx,%r11\n\tadoxq\t%rbp,%r12\n\n\tmulxq\t%r8,%rcx,%rbp\n\tmovq\t%r15,%rdx\n\tadcxq\t%rcx,%r12\n\tadoxq\t%rbp,%r13\n\tadcq\t$0,%r13\n\n\n\tmulxq\t%r8,%rcx,%r14\n\tmovq\t0+128(%rsi),%rdx\n\txorq\t%r15,%r15\n\tadcxq\t%r9,%r9\n\tadoxq\t%rcx,%r13\n\tadcxq\t%r10,%r10\n\tadoxq\t%r15,%r14\n\n\tmulxq\t%rdx,%r8,%rbp\n\tmovq\t8+128(%rsi),%rdx\n\tadcxq\t%r11,%r11\n\tadoxq\t%rbp,%r9\n\tadcxq\t%r12,%r12\n\tmulxq\t%rdx,%rcx,%rax\n\tmovq\t16+128(%rsi),%rdx\n\tadcxq\t%r13,%r13\n\tadoxq\t%rcx,%r10\n\tadcxq\t%r14,%r14\n.byte\t0x67\n\tmulxq\t%rdx,%rcx,%rbp\n\tmovq\t24+128(%rsi),%rdx\n\tadoxq\t%rax,%r11\n\tadcxq\t%r15,%r15\n\tadoxq\t%rcx,%r12\n\tmovq\t$32,%rsi\n\tadoxq\t%rbp,%r13\n.byte\t0x67,0x67\n\tmulxq\t%rdx,%rcx,%rax\n\tmovq\t.Lpoly+24(%rip),%rdx\n\tadoxq\t%rcx,%r14\n\tshlxq\t%rsi,%r8,%rcx\n\tadoxq\t%rax,%r15\n\tshrxq\t%rsi,%r8,%rax\n\tmovq\t%rdx,%rbp\n\n\n\taddq\t%rcx,%r9\n\tadcq\t%rax,%r10\n\n\tmulxq\t%r8,%rcx,%r8\n\tadcq\t%rcx,%r11\n\tshlxq\t%rsi,%r9,%rcx\n\tadcq\t$0,%r8\n\tshrxq\t%rsi,%r9,%rax\n\n\n\taddq\t%rcx,%r10\n\tadcq\t%rax,%r11\n\n\tmulxq\t%r9,%rcx,%r9\n\tadcq\t%rcx,%r8\n\tshlxq\t%rsi,%r10,%rcx\n\tadcq\t$0,%r9\n\tshrxq\t%rsi,%r10,%rax\n\n\n\taddq\t%rcx,%r11\n\tadcq\t%rax,%r8\n\n\tmulxq\t%r10,%rcx,%r10\n\tadcq\t%rcx,%r9\n\tshlxq\t%rsi,%r11,%rcx\n\tadcq\t$0,%r10\n\tshrxq\t%rsi,%r11,%rax\n\n\n\taddq\t%rcx,%r8\n\tadcq\t%rax,%r9\n\n\tmulxq\t%r11,%rcx,%r11\n\tadcq\t%rcx,%r10\n\tadcq\t$0,%r11\n\n\txorq\t%rdx,%rdx\n\taddq\t%r8,%r12\n\tmovq\t.Lpoly+8(%rip),%rsi\n\tadcq\t%r9,%r13\n\tmovq\t%r12,%r8\n\tadcq\t%r10,%r14\n\tadcq\t%r11,%r15\n\tmovq\t%r13,%r9\n\tadcq\t$0,%rdx\n\n\tsubq\t$-1,%r12\n\tmovq\t%r14,%r10\n\tsbbq\t%rsi,%r13\n\tsbbq\t$0,%r14\n\tmovq\t%r15,%r11\n\tsbbq\t%rbp,%r15\n\tsbbq\t$0,%rdx\n\n\tcmovcq\t%r8,%r12\n\tcmovcq\t%r9,%r13\n\tmovq\t%r12,0(%rdi)\n\tcmovcq\t%r10,%r14\n\tmovq\t%r13,8(%rdi)\n\tcmovcq\t%r11,%r15\n\tmovq\t%r14,16(%rdi)\n\tmovq\t%r15,24(%rdi)\n\n\tret\n.cfi_endproc\t\n.size\t__ecp_nistz256_sqr_montx,.-__ecp_nistz256_sqr_montx\n\n\n.globl\tecp_nistz256_select_w5_nohw\n.hidden ecp_nistz256_select_w5_nohw\n.type\tecp_nistz256_select_w5_nohw,@function\n.align\t32\necp_nistz256_select_w5_nohw:\n.cfi_startproc\t\n_CET_ENDBR\n\tmovdqa\t.LOne(%rip),%xmm0\n\tmovd\t%edx,%xmm1\n\n\tpxor\t%xmm2,%xmm2\n\tpxor\t%xmm3,%xmm3\n\tpxor\t%xmm4,%xmm4\n\tpxor\t%xmm5,%xmm5\n\tpxor\t%xmm6,%xmm6\n\tpxor\t%xmm7,%xmm7\n\n\tmovdqa\t%xmm0,%xmm8\n\tpshufd\t$0,%xmm1,%xmm1\n\n\tmovq\t$16,%rax\n.Lselect_loop_sse_w5:\n\n\tmovdqa\t%xmm8,%xmm15\n\tpaddd\t%xmm0,%xmm8\n\tpcmpeqd\t%xmm1,%xmm15\n\n\tmovdqa\t0(%rsi),%xmm9\n\tmovdqa\t16(%rsi),%xmm10\n\tmovdqa\t32(%rsi),%xmm11\n\tmovdqa\t48(%rsi),%xmm12\n\tmovdqa\t64(%rsi),%xmm13\n\tmovdqa\t80(%rsi),%xmm14\n\tleaq\t96(%rsi),%rsi\n\n\tpand\t%xmm15,%xmm9\n\tpand\t%xmm15,%xmm10\n\tpor\t%xmm9,%xmm2\n\tpand\t%xmm15,%xmm11\n\tpor\t%xmm10,%xmm3\n\tpand\t%xmm15,%xmm12\n\tpor\t%xmm11,%xmm4\n\tpand\t%xmm15,%xmm13\n\tpor\t%xmm12,%xmm5\n\tpand\t%xmm15,%xmm14\n\tpor\t%xmm13,%xmm6\n\tpor\t%xmm14,%xmm7\n\n\tdecq\t%rax\n\tjnz\t.Lselect_loop_sse_w5\n\n\tmovdqu\t%xmm2,0(%rdi)\n\tmovdqu\t%xmm3,16(%rdi)\n\tmovdqu\t%xmm4,32(%rdi)\n\tmovdqu\t%xmm5,48(%rdi)\n\tmovdqu\t%xmm6,64(%rdi)\n\tmovdqu\t%xmm7,80(%rdi)\n\tret\n.cfi_endproc\t\n.LSEH_end_ecp_nistz256_select_w5_nohw:\n.size\tecp_nistz256_select_w5_nohw,.-ecp_nistz256_select_w5_nohw\n\n\n\n.globl\tecp_nistz256_select_w7_nohw\n.hidden ecp_nistz256_select_w7_nohw\n.type\tecp_nistz256_select_w7_nohw,@function\n.align\t32\necp_nistz256_select_w7_nohw:\n.cfi_startproc\t\n_CET_ENDBR\n\tmovdqa\t.LOne(%rip),%xmm8\n\tmovd\t%edx,%xmm1\n\n\tpxor\t%xmm2,%xmm2\n\tpxor\t%xmm3,%xmm3\n\tpxor\t%xmm4,%xmm4\n\tpxor\t%xmm5,%xmm5\n\n\tmovdqa\t%xmm8,%xmm0\n\tpshufd\t$0,%xmm1,%xmm1\n\tmovq\t$64,%rax\n\n.Lselect_loop_sse_w7:\n\tmovdqa\t%xmm8,%xmm15\n\tpaddd\t%xmm0,%xmm8\n\tmovdqa\t0(%rsi),%xmm9\n\tmovdqa\t16(%rsi),%xmm10\n\tpcmpeqd\t%xmm1,%xmm15\n\tmovdqa\t32(%rsi),%xmm11\n\tmovdqa\t48(%rsi),%xmm12\n\tleaq\t64(%rsi),%rsi\n\n\tpand\t%xmm15,%xmm9\n\tpand\t%xmm15,%xmm10\n\tpor\t%xmm9,%xmm2\n\tpand\t%xmm15,%xmm11\n\tpor\t%xmm10,%xmm3\n\tpand\t%xmm15,%xmm12\n\tpor\t%xmm11,%xmm4\n\tprefetcht0\t255(%rsi)\n\tpor\t%xmm12,%xmm5\n\n\tdecq\t%rax\n\tjnz\t.Lselect_loop_sse_w7\n\n\tmovdqu\t%xmm2,0(%rdi)\n\tmovdqu\t%xmm3,16(%rdi)\n\tmovdqu\t%xmm4,32(%rdi)\n\tmovdqu\t%xmm5,48(%rdi)\n\tret\n.cfi_endproc\t\n.LSEH_end_ecp_nistz256_select_w7_nohw:\n.size\tecp_nistz256_select_w7_nohw,.-ecp_nistz256_select_w7_nohw\n\n\n.globl\tecp_nistz256_select_w5_avx2\n.hidden ecp_nistz256_select_w5_avx2\n.type\tecp_nistz256_select_w5_avx2,@function\n.align\t32\necp_nistz256_select_w5_avx2:\n.cfi_startproc\t\n_CET_ENDBR\n\tvzeroupper\n\tvmovdqa\t.LTwo(%rip),%ymm0\n\n\tvpxor\t%ymm2,%ymm2,%ymm2\n\tvpxor\t%ymm3,%ymm3,%ymm3\n\tvpxor\t%ymm4,%ymm4,%ymm4\n\n\tvmovdqa\t.LOne(%rip),%ymm5\n\tvmovdqa\t.LTwo(%rip),%ymm10\n\n\tvmovd\t%edx,%xmm1\n\tvpermd\t%ymm1,%ymm2,%ymm1\n\n\tmovq\t$8,%rax\n.Lselect_loop_avx2_w5:\n\n\tvmovdqa\t0(%rsi),%ymm6\n\tvmovdqa\t32(%rsi),%ymm7\n\tvmovdqa\t64(%rsi),%ymm8\n\n\tvmovdqa\t96(%rsi),%ymm11\n\tvmovdqa\t128(%rsi),%ymm12\n\tvmovdqa\t160(%rsi),%ymm13\n\n\tvpcmpeqd\t%ymm1,%ymm5,%ymm9\n\tvpcmpeqd\t%ymm1,%ymm10,%ymm14\n\n\tvpaddd\t%ymm0,%ymm5,%ymm5\n\tvpaddd\t%ymm0,%ymm10,%ymm10\n\tleaq\t192(%rsi),%rsi\n\n\tvpand\t%ymm9,%ymm6,%ymm6\n\tvpand\t%ymm9,%ymm7,%ymm7\n\tvpand\t%ymm9,%ymm8,%ymm8\n\tvpand\t%ymm14,%ymm11,%ymm11\n\tvpand\t%ymm14,%ymm12,%ymm12\n\tvpand\t%ymm14,%ymm13,%ymm13\n\n\tvpxor\t%ymm6,%ymm2,%ymm2\n\tvpxor\t%ymm7,%ymm3,%ymm3\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvpxor\t%ymm11,%ymm2,%ymm2\n\tvpxor\t%ymm12,%ymm3,%ymm3\n\tvpxor\t%ymm13,%ymm4,%ymm4\n\n\tdecq\t%rax\n\tjnz\t.Lselect_loop_avx2_w5\n\n\tvmovdqu\t%ymm2,0(%rdi)\n\tvmovdqu\t%ymm3,32(%rdi)\n\tvmovdqu\t%ymm4,64(%rdi)\n\tvzeroupper\n\tret\n.cfi_endproc\t\n.LSEH_end_ecp_nistz256_select_w5_avx2:\n.size\tecp_nistz256_select_w5_avx2,.-ecp_nistz256_select_w5_avx2\n\n\n\n.globl\tecp_nistz256_select_w7_avx2\n.hidden ecp_nistz256_select_w7_avx2\n.type\tecp_nistz256_select_w7_avx2,@function\n.align\t32\necp_nistz256_select_w7_avx2:\n.cfi_startproc\t\n_CET_ENDBR\n\tvzeroupper\n\tvmovdqa\t.LThree(%rip),%ymm0\n\n\tvpxor\t%ymm2,%ymm2,%ymm2\n\tvpxor\t%ymm3,%ymm3,%ymm3\n\n\tvmovdqa\t.LOne(%rip),%ymm4\n\tvmovdqa\t.LTwo(%rip),%ymm8\n\tvmovdqa\t.LThree(%rip),%ymm12\n\n\tvmovd\t%edx,%xmm1\n\tvpermd\t%ymm1,%ymm2,%ymm1\n\n\n\tmovq\t$21,%rax\n.Lselect_loop_avx2_w7:\n\n\tvmovdqa\t0(%rsi),%ymm5\n\tvmovdqa\t32(%rsi),%ymm6\n\n\tvmovdqa\t64(%rsi),%ymm9\n\tvmovdqa\t96(%rsi),%ymm10\n\n\tvmovdqa\t128(%rsi),%ymm13\n\tvmovdqa\t160(%rsi),%ymm14\n\n\tvpcmpeqd\t%ymm1,%ymm4,%ymm7\n\tvpcmpeqd\t%ymm1,%ymm8,%ymm11\n\tvpcmpeqd\t%ymm1,%ymm12,%ymm15\n\n\tvpaddd\t%ymm0,%ymm4,%ymm4\n\tvpaddd\t%ymm0,%ymm8,%ymm8\n\tvpaddd\t%ymm0,%ymm12,%ymm12\n\tleaq\t192(%rsi),%rsi\n\n\tvpand\t%ymm7,%ymm5,%ymm5\n\tvpand\t%ymm7,%ymm6,%ymm6\n\tvpand\t%ymm11,%ymm9,%ymm9\n\tvpand\t%ymm11,%ymm10,%ymm10\n\tvpand\t%ymm15,%ymm13,%ymm13\n\tvpand\t%ymm15,%ymm14,%ymm14\n\n\tvpxor\t%ymm5,%ymm2,%ymm2\n\tvpxor\t%ymm6,%ymm3,%ymm3\n\tvpxor\t%ymm9,%ymm2,%ymm2\n\tvpxor\t%ymm10,%ymm3,%ymm3\n\tvpxor\t%ymm13,%ymm2,%ymm2\n\tvpxor\t%ymm14,%ymm3,%ymm3\n\n\tdecq\t%rax\n\tjnz\t.Lselect_loop_avx2_w7\n\n\n\tvmovdqa\t0(%rsi),%ymm5\n\tvmovdqa\t32(%rsi),%ymm6\n\n\tvpcmpeqd\t%ymm1,%ymm4,%ymm7\n\n\tvpand\t%ymm7,%ymm5,%ymm5\n\tvpand\t%ymm7,%ymm6,%ymm6\n\n\tvpxor\t%ymm5,%ymm2,%ymm2\n\tvpxor\t%ymm6,%ymm3,%ymm3\n\n\tvmovdqu\t%ymm2,0(%rdi)\n\tvmovdqu\t%ymm3,32(%rdi)\n\tvzeroupper\n\tret\n.cfi_endproc\t\n.LSEH_end_ecp_nistz256_select_w7_avx2:\n.size\tecp_nistz256_select_w7_avx2,.-ecp_nistz256_select_w7_avx2\n.type\t__ecp_nistz256_add_toq,@function\n.align\t32\n__ecp_nistz256_add_toq:\n.cfi_startproc\t\n\txorq\t%r11,%r11\n\taddq\t0(%rbx),%r12\n\tadcq\t8(%rbx),%r13\n\tmovq\t%r12,%rax\n\tadcq\t16(%rbx),%r8\n\tadcq\t24(%rbx),%r9\n\tmovq\t%r13,%rbp\n\tadcq\t$0,%r11\n\n\tsubq\t$-1,%r12\n\tmovq\t%r8,%rcx\n\tsbbq\t%r14,%r13\n\tsbbq\t$0,%r8\n\tmovq\t%r9,%r10\n\tsbbq\t%r15,%r9\n\tsbbq\t$0,%r11\n\n\tcmovcq\t%rax,%r12\n\tcmovcq\t%rbp,%r13\n\tmovq\t%r12,0(%rdi)\n\tcmovcq\t%rcx,%r8\n\tmovq\t%r13,8(%rdi)\n\tcmovcq\t%r10,%r9\n\tmovq\t%r8,16(%rdi)\n\tmovq\t%r9,24(%rdi)\n\n\tret\n.cfi_endproc\t\n.size\t__ecp_nistz256_add_toq,.-__ecp_nistz256_add_toq\n\n.type\t__ecp_nistz256_sub_fromq,@function\n.align\t32\n__ecp_nistz256_sub_fromq:\n.cfi_startproc\t\n\tsubq\t0(%rbx),%r12\n\tsbbq\t8(%rbx),%r13\n\tmovq\t%r12,%rax\n\tsbbq\t16(%rbx),%r8\n\tsbbq\t24(%rbx),%r9\n\tmovq\t%r13,%rbp\n\tsbbq\t%r11,%r11\n\n\taddq\t$-1,%r12\n\tmovq\t%r8,%rcx\n\tadcq\t%r14,%r13\n\tadcq\t$0,%r8\n\tmovq\t%r9,%r10\n\tadcq\t%r15,%r9\n\ttestq\t%r11,%r11\n\n\tcmovzq\t%rax,%r12\n\tcmovzq\t%rbp,%r13\n\tmovq\t%r12,0(%rdi)\n\tcmovzq\t%rcx,%r8\n\tmovq\t%r13,8(%rdi)\n\tcmovzq\t%r10,%r9\n\tmovq\t%r8,16(%rdi)\n\tmovq\t%r9,24(%rdi)\n\n\tret\n.cfi_endproc\t\n.size\t__ecp_nistz256_sub_fromq,.-__ecp_nistz256_sub_fromq\n\n.type\t__ecp_nistz256_subq,@function\n.align\t32\n__ecp_nistz256_subq:\n.cfi_startproc\t\n\tsubq\t%r12,%rax\n\tsbbq\t%r13,%rbp\n\tmovq\t%rax,%r12\n\tsbbq\t%r8,%rcx\n\tsbbq\t%r9,%r10\n\tmovq\t%rbp,%r13\n\tsbbq\t%r11,%r11\n\n\taddq\t$-1,%rax\n\tmovq\t%rcx,%r8\n\tadcq\t%r14,%rbp\n\tadcq\t$0,%rcx\n\tmovq\t%r10,%r9\n\tadcq\t%r15,%r10\n\ttestq\t%r11,%r11\n\n\tcmovnzq\t%rax,%r12\n\tcmovnzq\t%rbp,%r13\n\tcmovnzq\t%rcx,%r8\n\tcmovnzq\t%r10,%r9\n\n\tret\n.cfi_endproc\t\n.size\t__ecp_nistz256_subq,.-__ecp_nistz256_subq\n\n.type\t__ecp_nistz256_mul_by_2q,@function\n.align\t32\n__ecp_nistz256_mul_by_2q:\n.cfi_startproc\t\n\txorq\t%r11,%r11\n\taddq\t%r12,%r12\n\tadcq\t%r13,%r13\n\tmovq\t%r12,%rax\n\tadcq\t%r8,%r8\n\tadcq\t%r9,%r9\n\tmovq\t%r13,%rbp\n\tadcq\t$0,%r11\n\n\tsubq\t$-1,%r12\n\tmovq\t%r8,%rcx\n\tsbbq\t%r14,%r13\n\tsbbq\t$0,%r8\n\tmovq\t%r9,%r10\n\tsbbq\t%r15,%r9\n\tsbbq\t$0,%r11\n\n\tcmovcq\t%rax,%r12\n\tcmovcq\t%rbp,%r13\n\tmovq\t%r12,0(%rdi)\n\tcmovcq\t%rcx,%r8\n\tmovq\t%r13,8(%rdi)\n\tcmovcq\t%r10,%r9\n\tmovq\t%r8,16(%rdi)\n\tmovq\t%r9,24(%rdi)\n\n\tret\n.cfi_endproc\t\n.size\t__ecp_nistz256_mul_by_2q,.-__ecp_nistz256_mul_by_2q\n.globl\tecp_nistz256_point_double_nohw\n.hidden ecp_nistz256_point_double_nohw\n.type\tecp_nistz256_point_double_nohw,@function\n.align\t32\necp_nistz256_point_double_nohw:\n.cfi_startproc\t\n_CET_ENDBR\n\tpushq\t%rbp\n.cfi_adjust_cfa_offset\t8\n.cfi_offset\t%rbp,-16\n\tpushq\t%rbx\n.cfi_adjust_cfa_offset\t8\n.cfi_offset\t%rbx,-24\n\tpushq\t%r12\n.cfi_adjust_cfa_offset\t8\n.cfi_offset\t%r12,-32\n\tpushq\t%r13\n.cfi_adjust_cfa_offset\t8\n.cfi_offset\t%r13,-40\n\tpushq\t%r14\n.cfi_adjust_cfa_offset\t8\n.cfi_offset\t%r14,-48\n\tpushq\t%r15\n.cfi_adjust_cfa_offset\t8\n.cfi_offset\t%r15,-56\n\tsubq\t$160+8,%rsp\n.cfi_adjust_cfa_offset\t32*5+8\n.Lpoint_doubleq_body:\n\n.Lpoint_double_shortcutq:\n\tmovdqu\t0(%rsi),%xmm0\n\tmovq\t%rsi,%rbx\n\tmovdqu\t16(%rsi),%xmm1\n\tmovq\t32+0(%rsi),%r12\n\tmovq\t32+8(%rsi),%r13\n\tmovq\t32+16(%rsi),%r8\n\tmovq\t32+24(%rsi),%r9\n\tmovq\t.Lpoly+8(%rip),%r14\n\tmovq\t.Lpoly+24(%rip),%r15\n\tmovdqa\t%xmm0,96(%rsp)\n\tmovdqa\t%xmm1,96+16(%rsp)\n\tleaq\t32(%rdi),%r10\n\tleaq\t64(%rdi),%r11\n.byte\t102,72,15,110,199\n.byte\t102,73,15,110,202\n.byte\t102,73,15,110,211\n\n\tleaq\t0(%rsp),%rdi\n\tcall\t__ecp_nistz256_mul_by_2q\n\n\tmovq\t64+0(%rsi),%rax\n\tmovq\t64+8(%rsi),%r14\n\tmovq\t64+16(%rsi),%r15\n\tmovq\t64+24(%rsi),%r8\n\tleaq\t64-0(%rsi),%rsi\n\tleaq\t64(%rsp),%rdi\n\tcall\t__ecp_nistz256_sqr_montq\n\n\tmovq\t0+0(%rsp),%rax\n\tmovq\t8+0(%rsp),%r14\n\tleaq\t0+0(%rsp),%rsi\n\tmovq\t16+0(%rsp),%r15\n\tmovq\t24+0(%rsp),%r8\n\tleaq\t0(%rsp),%rdi\n\tcall\t__ecp_nistz256_sqr_montq\n\n\tmovq\t32(%rbx),%rax\n\tmovq\t64+0(%rbx),%r9\n\tmovq\t64+8(%rbx),%r10\n\tmovq\t64+16(%rbx),%r11\n\tmovq\t64+24(%rbx),%r12\n\tleaq\t64-0(%rbx),%rsi\n\tleaq\t32(%rbx),%rbx\n.byte\t102,72,15,126,215\n\tcall\t__ecp_nistz256_mul_montq\n\tcall\t__ecp_nistz256_mul_by_2q\n\n\tmovq\t96+0(%rsp),%r12\n\tmovq\t96+8(%rsp),%r13\n\tleaq\t64(%rsp),%rbx\n\tmovq\t96+16(%rsp),%r8\n\tmovq\t96+24(%rsp),%r9\n\tleaq\t32(%rsp),%rdi\n\tcall\t__ecp_nistz256_add_toq\n\n\tmovq\t96+0(%rsp),%r12\n\tmovq\t96+8(%rsp),%r13\n\tleaq\t64(%rsp),%rbx\n\tmovq\t96+16(%rsp),%r8\n\tmovq\t96+24(%rsp),%r9\n\tleaq\t64(%rsp),%rdi\n\tcall\t__ecp_nistz256_sub_fromq\n\n\tmovq\t0+0(%rsp),%rax\n\tmovq\t8+0(%rsp),%r14\n\tleaq\t0+0(%rsp),%rsi\n\tmovq\t16+0(%rsp),%r15\n\tmovq\t24+0(%rsp),%r8\n.byte\t102,72,15,126,207\n\tcall\t__ecp_nistz256_sqr_montq\n\txorq\t%r9,%r9\n\tmovq\t%r12,%rax\n\taddq\t$-1,%r12\n\tmovq\t%r13,%r10\n\tadcq\t%rsi,%r13\n\tmovq\t%r14,%rcx\n\tadcq\t$0,%r14\n\tmovq\t%r15,%r8\n\tadcq\t%rbp,%r15\n\tadcq\t$0,%r9\n\txorq\t%rsi,%rsi\n\ttestq\t$1,%rax\n\n\tcmovzq\t%rax,%r12\n\tcmovzq\t%r10,%r13\n\tcmovzq\t%rcx,%r14\n\tcmovzq\t%r8,%r15\n\tcmovzq\t%rsi,%r9\n\n\tmovq\t%r13,%rax\n\tshrq\t$1,%r12\n\tshlq\t$63,%rax\n\tmovq\t%r14,%r10\n\tshrq\t$1,%r13\n\torq\t%rax,%r12\n\tshlq\t$63,%r10\n\tmovq\t%r15,%rcx\n\tshrq\t$1,%r14\n\torq\t%r10,%r13\n\tshlq\t$63,%rcx\n\tmovq\t%r12,0(%rdi)\n\tshrq\t$1,%r15\n\tmovq\t%r13,8(%rdi)\n\tshlq\t$63,%r9\n\torq\t%rcx,%r14\n\torq\t%r9,%r15\n\tmovq\t%r14,16(%rdi)\n\tmovq\t%r15,24(%rdi)\n\tmovq\t64(%rsp),%rax\n\tleaq\t64(%rsp),%rbx\n\tmovq\t0+32(%rsp),%r9\n\tmovq\t8+32(%rsp),%r10\n\tleaq\t0+32(%rsp),%rsi\n\tmovq\t16+32(%rsp),%r11\n\tmovq\t24+32(%rsp),%r12\n\tleaq\t32(%rsp),%rdi\n\tcall\t__ecp_nistz256_mul_montq\n\n\tleaq\t128(%rsp),%rdi\n\tcall\t__ecp_nistz256_mul_by_2q\n\n\tleaq\t32(%rsp),%rbx\n\tleaq\t32(%rsp),%rdi\n\tcall\t__ecp_nistz256_add_toq\n\n\tmovq\t96(%rsp),%rax\n\tleaq\t96(%rsp),%rbx\n\tmovq\t0+0(%rsp),%r9\n\tmovq\t8+0(%rsp),%r10\n\tleaq\t0+0(%rsp),%rsi\n\tmovq\t16+0(%rsp),%r11\n\tmovq\t24+0(%rsp),%r12\n\tleaq\t0(%rsp),%rdi\n\tcall\t__ecp_nistz256_mul_montq\n\n\tleaq\t128(%rsp),%rdi\n\tcall\t__ecp_nistz256_mul_by_2q\n\n\tmovq\t0+32(%rsp),%rax\n\tmovq\t8+32(%rsp),%r14\n\tleaq\t0+32(%rsp),%rsi\n\tmovq\t16+32(%rsp),%r15\n\tmovq\t24+32(%rsp),%r8\n.byte\t102,72,15,126,199\n\tcall\t__ecp_nistz256_sqr_montq\n\n\tleaq\t128(%rsp),%rbx\n\tmovq\t%r14,%r8\n\tmovq\t%r15,%r9\n\tmovq\t%rsi,%r14\n\tmovq\t%rbp,%r15\n\tcall\t__ecp_nistz256_sub_fromq\n\n\tmovq\t0+0(%rsp),%rax\n\tmovq\t0+8(%rsp),%rbp\n\tmovq\t0+16(%rsp),%rcx\n\tmovq\t0+24(%rsp),%r10\n\tleaq\t0(%rsp),%rdi\n\tcall\t__ecp_nistz256_subq\n\n\tmovq\t32(%rsp),%rax\n\tleaq\t32(%rsp),%rbx\n\tmovq\t%r12,%r14\n\txorl\t%ecx,%ecx\n\tmovq\t%r12,0+0(%rsp)\n\tmovq\t%r13,%r10\n\tmovq\t%r13,0+8(%rsp)\n\tcmovzq\t%r8,%r11\n\tmovq\t%r8,0+16(%rsp)\n\tleaq\t0-0(%rsp),%rsi\n\tcmovzq\t%r9,%r12\n\tmovq\t%r9,0+24(%rsp)\n\tmovq\t%r14,%r9\n\tleaq\t0(%rsp),%rdi\n\tcall\t__ecp_nistz256_mul_montq\n\n.byte\t102,72,15,126,203\n.byte\t102,72,15,126,207\n\tcall\t__ecp_nistz256_sub_fromq\n\n\tleaq\t160+56(%rsp),%rsi\n.cfi_def_cfa\t%rsi,8\n\tmovq\t-48(%rsi),%r15\n.cfi_restore\t%r15\n\tmovq\t-40(%rsi),%r14\n.cfi_restore\t%r14\n\tmovq\t-32(%rsi),%r13\n.cfi_restore\t%r13\n\tmovq\t-24(%rsi),%r12\n.cfi_restore\t%r12\n\tmovq\t-16(%rsi),%rbx\n.cfi_restore\t%rbx\n\tmovq\t-8(%rsi),%rbp\n.cfi_restore\t%rbp\n\tleaq\t(%rsi),%rsp\n.cfi_def_cfa_register\t%rsp\n.Lpoint_doubleq_epilogue:\n\tret\n.cfi_endproc\t\n.size\tecp_nistz256_point_double_nohw,.-ecp_nistz256_point_double_nohw\n.globl\tecp_nistz256_point_add_nohw\n.hidden ecp_nistz256_point_add_nohw\n.type\tecp_nistz256_point_add_nohw,@function\n.align\t32\necp_nistz256_point_add_nohw:\n.cfi_startproc\t\n_CET_ENDBR\n\tpushq\t%rbp\n.cfi_adjust_cfa_offset\t8\n.cfi_offset\t%rbp,-16\n\tpushq\t%rbx\n.cfi_adjust_cfa_offset\t8\n.cfi_offset\t%rbx,-24\n\tpushq\t%r12\n.cfi_adjust_cfa_offset\t8\n.cfi_offset\t%r12,-32\n\tpushq\t%r13\n.cfi_adjust_cfa_offset\t8\n.cfi_offset\t%r13,-40\n\tpushq\t%r14\n.cfi_adjust_cfa_offset\t8\n.cfi_offset\t%r14,-48\n\tpushq\t%r15\n.cfi_adjust_cfa_offset\t8\n.cfi_offset\t%r15,-56\n\tsubq\t$576+8,%rsp\n.cfi_adjust_cfa_offset\t32*18+8\n.Lpoint_addq_body:\n\n\tmovdqu\t0(%rsi),%xmm0\n\tmovdqu\t16(%rsi),%xmm1\n\tmovdqu\t32(%rsi),%xmm2\n\tmovdqu\t48(%rsi),%xmm3\n\tmovdqu\t64(%rsi),%xmm4\n\tmovdqu\t80(%rsi),%xmm5\n\tmovq\t%rsi,%rbx\n\tmovq\t%rdx,%rsi\n\tmovdqa\t%xmm0,384(%rsp)\n\tmovdqa\t%xmm1,384+16(%rsp)\n\tmovdqa\t%xmm2,416(%rsp)\n\tmovdqa\t%xmm3,416+16(%rsp)\n\tmovdqa\t%xmm4,448(%rsp)\n\tmovdqa\t%xmm5,448+16(%rsp)\n\tpor\t%xmm4,%xmm5\n\n\tmovdqu\t0(%rsi),%xmm0\n\tpshufd\t$0xb1,%xmm5,%xmm3\n\tmovdqu\t16(%rsi),%xmm1\n\tmovdqu\t32(%rsi),%xmm2\n\tpor\t%xmm3,%xmm5\n\tmovdqu\t48(%rsi),%xmm3\n\tmovq\t64+0(%rsi),%rax\n\tmovq\t64+8(%rsi),%r14\n\tmovq\t64+16(%rsi),%r15\n\tmovq\t64+24(%rsi),%r8\n\tmovdqa\t%xmm0,480(%rsp)\n\tpshufd\t$0x1e,%xmm5,%xmm4\n\tmovdqa\t%xmm1,480+16(%rsp)\n\tmovdqu\t64(%rsi),%xmm0\n\tmovdqu\t80(%rsi),%xmm1\n\tmovdqa\t%xmm2,512(%rsp)\n\tmovdqa\t%xmm3,512+16(%rsp)\n\tpor\t%xmm4,%xmm5\n\tpxor\t%xmm4,%xmm4\n\tpor\t%xmm0,%xmm1\n.byte\t102,72,15,110,199\n\n\tleaq\t64-0(%rsi),%rsi\n\tmovq\t%rax,544+0(%rsp)\n\tmovq\t%r14,544+8(%rsp)\n\tmovq\t%r15,544+16(%rsp)\n\tmovq\t%r8,544+24(%rsp)\n\tleaq\t96(%rsp),%rdi\n\tcall\t__ecp_nistz256_sqr_montq\n\n\tpcmpeqd\t%xmm4,%xmm5\n\tpshufd\t$0xb1,%xmm1,%xmm4\n\tpor\t%xmm1,%xmm4\n\tpshufd\t$0,%xmm5,%xmm5\n\tpshufd\t$0x1e,%xmm4,%xmm3\n\tpor\t%xmm3,%xmm4\n\tpxor\t%xmm3,%xmm3\n\tpcmpeqd\t%xmm3,%xmm4\n\tpshufd\t$0,%xmm4,%xmm4\n\tmovq\t64+0(%rbx),%rax\n\tmovq\t64+8(%rbx),%r14\n\tmovq\t64+16(%rbx),%r15\n\tmovq\t64+24(%rbx),%r8\n.byte\t102,72,15,110,203\n\n\tleaq\t64-0(%rbx),%rsi\n\tleaq\t32(%rsp),%rdi\n\tcall\t__ecp_nistz256_sqr_montq\n\n\tmovq\t544(%rsp),%rax\n\tleaq\t544(%rsp),%rbx\n\tmovq\t0+96(%rsp),%r9\n\tmovq\t8+96(%rsp),%r10\n\tleaq\t0+96(%rsp),%rsi\n\tmovq\t16+96(%rsp),%r11\n\tmovq\t24+96(%rsp),%r12\n\tleaq\t224(%rsp),%rdi\n\tcall\t__ecp_nistz256_mul_montq\n\n\tmovq\t448(%rsp),%rax\n\tleaq\t448(%rsp),%rbx\n\tmovq\t0+32(%rsp),%r9\n\tmovq\t8+32(%rsp),%r10\n\tleaq\t0+32(%rsp),%rsi\n\tmovq\t16+32(%rsp),%r11\n\tmovq\t24+32(%rsp),%r12\n\tleaq\t256(%rsp),%rdi\n\tcall\t__ecp_nistz256_mul_montq\n\n\tmovq\t416(%rsp),%rax\n\tleaq\t416(%rsp),%rbx\n\tmovq\t0+224(%rsp),%r9\n\tmovq\t8+224(%rsp),%r10\n\tleaq\t0+224(%rsp),%rsi\n\tmovq\t16+224(%rsp),%r11\n\tmovq\t24+224(%rsp),%r12\n\tleaq\t224(%rsp),%rdi\n\tcall\t__ecp_nistz256_mul_montq\n\n\tmovq\t512(%rsp),%rax\n\tleaq\t512(%rsp),%rbx\n\tmovq\t0+256(%rsp),%r9\n\tmovq\t8+256(%rsp),%r10\n\tleaq\t0+256(%rsp),%rsi\n\tmovq\t16+256(%rsp),%r11\n\tmovq\t24+256(%rsp),%r12\n\tleaq\t256(%rsp),%rdi\n\tcall\t__ecp_nistz256_mul_montq\n\n\tleaq\t224(%rsp),%rbx\n\tleaq\t64(%rsp),%rdi\n\tcall\t__ecp_nistz256_sub_fromq\n\n\torq\t%r13,%r12\n\tmovdqa\t%xmm4,%xmm2\n\torq\t%r8,%r12\n\torq\t%r9,%r12\n\tpor\t%xmm5,%xmm2\n.byte\t102,73,15,110,220\n\n\tmovq\t384(%rsp),%rax\n\tleaq\t384(%rsp),%rbx\n\tmovq\t0+96(%rsp),%r9\n\tmovq\t8+96(%rsp),%r10\n\tleaq\t0+96(%rsp),%rsi\n\tmovq\t16+96(%rsp),%r11\n\tmovq\t24+96(%rsp),%r12\n\tleaq\t160(%rsp),%rdi\n\tcall\t__ecp_nistz256_mul_montq\n\n\tmovq\t480(%rsp),%rax\n\tleaq\t480(%rsp),%rbx\n\tmovq\t0+32(%rsp),%r9\n\tmovq\t8+32(%rsp),%r10\n\tleaq\t0+32(%rsp),%rsi\n\tmovq\t16+32(%rsp),%r11\n\tmovq\t24+32(%rsp),%r12\n\tleaq\t192(%rsp),%rdi\n\tcall\t__ecp_nistz256_mul_montq\n\n\tleaq\t160(%rsp),%rbx\n\tleaq\t0(%rsp),%rdi\n\tcall\t__ecp_nistz256_sub_fromq\n\n\torq\t%r13,%r12\n\torq\t%r8,%r12\n\torq\t%r9,%r12\n\n.byte\t102,73,15,126,208\n.byte\t102,73,15,126,217\n\torq\t%r8,%r12\n.byte\t0x3e\n\tjnz\t.Ladd_proceedq\n\n\n\n\ttestq\t%r9,%r9\n\tjz\t.Ladd_doubleq\n\n\n\n\n\n\n.byte\t102,72,15,126,199\n\tpxor\t%xmm0,%xmm0\n\tmovdqu\t%xmm0,0(%rdi)\n\tmovdqu\t%xmm0,16(%rdi)\n\tmovdqu\t%xmm0,32(%rdi)\n\tmovdqu\t%xmm0,48(%rdi)\n\tmovdqu\t%xmm0,64(%rdi)\n\tmovdqu\t%xmm0,80(%rdi)\n\tjmp\t.Ladd_doneq\n\n.align\t32\n.Ladd_doubleq:\n.byte\t102,72,15,126,206\n.byte\t102,72,15,126,199\n\taddq\t$416,%rsp\n.cfi_adjust_cfa_offset\t-416\n\tjmp\t.Lpoint_double_shortcutq\n.cfi_adjust_cfa_offset\t416\n\n.align\t32\n.Ladd_proceedq:\n\tmovq\t0+64(%rsp),%rax\n\tmovq\t8+64(%rsp),%r14\n\tleaq\t0+64(%rsp),%rsi\n\tmovq\t16+64(%rsp),%r15\n\tmovq\t24+64(%rsp),%r8\n\tleaq\t96(%rsp),%rdi\n\tcall\t__ecp_nistz256_sqr_montq\n\n\tmovq\t448(%rsp),%rax\n\tleaq\t448(%rsp),%rbx\n\tmovq\t0+0(%rsp),%r9\n\tmovq\t8+0(%rsp),%r10\n\tleaq\t0+0(%rsp),%rsi\n\tmovq\t16+0(%rsp),%r11\n\tmovq\t24+0(%rsp),%r12\n\tleaq\t352(%rsp),%rdi\n\tcall\t__ecp_nistz256_mul_montq\n\n\tmovq\t0+0(%rsp),%rax\n\tmovq\t8+0(%rsp),%r14\n\tleaq\t0+0(%rsp),%rsi\n\tmovq\t16+0(%rsp),%r15\n\tmovq\t24+0(%rsp),%r8\n\tleaq\t32(%rsp),%rdi\n\tcall\t__ecp_nistz256_sqr_montq\n\n\tmovq\t544(%rsp),%rax\n\tleaq\t544(%rsp),%rbx\n\tmovq\t0+352(%rsp),%r9\n\tmovq\t8+352(%rsp),%r10\n\tleaq\t0+352(%rsp),%rsi\n\tmovq\t16+352(%rsp),%r11\n\tmovq\t24+352(%rsp),%r12\n\tleaq\t352(%rsp),%rdi\n\tcall\t__ecp_nistz256_mul_montq\n\n\tmovq\t0(%rsp),%rax\n\tleaq\t0(%rsp),%rbx\n\tmovq\t0+32(%rsp),%r9\n\tmovq\t8+32(%rsp),%r10\n\tleaq\t0+32(%rsp),%rsi\n\tmovq\t16+32(%rsp),%r11\n\tmovq\t24+32(%rsp),%r12\n\tleaq\t128(%rsp),%rdi\n\tcall\t__ecp_nistz256_mul_montq\n\n\tmovq\t160(%rsp),%rax\n\tleaq\t160(%rsp),%rbx\n\tmovq\t0+32(%rsp),%r9\n\tmovq\t8+32(%rsp),%r10\n\tleaq\t0+32(%rsp),%rsi\n\tmovq\t16+32(%rsp),%r11\n\tmovq\t24+32(%rsp),%r12\n\tleaq\t192(%rsp),%rdi\n\tcall\t__ecp_nistz256_mul_montq\n\n\n\n\n\txorq\t%r11,%r11\n\taddq\t%r12,%r12\n\tleaq\t96(%rsp),%rsi\n\tadcq\t%r13,%r13\n\tmovq\t%r12,%rax\n\tadcq\t%r8,%r8\n\tadcq\t%r9,%r9\n\tmovq\t%r13,%rbp\n\tadcq\t$0,%r11\n\n\tsubq\t$-1,%r12\n\tmovq\t%r8,%rcx\n\tsbbq\t%r14,%r13\n\tsbbq\t$0,%r8\n\tmovq\t%r9,%r10\n\tsbbq\t%r15,%r9\n\tsbbq\t$0,%r11\n\n\tcmovcq\t%rax,%r12\n\tmovq\t0(%rsi),%rax\n\tcmovcq\t%rbp,%r13\n\tmovq\t8(%rsi),%rbp\n\tcmovcq\t%rcx,%r8\n\tmovq\t16(%rsi),%rcx\n\tcmovcq\t%r10,%r9\n\tmovq\t24(%rsi),%r10\n\n\tcall\t__ecp_nistz256_subq\n\n\tleaq\t128(%rsp),%rbx\n\tleaq\t288(%rsp),%rdi\n\tcall\t__ecp_nistz256_sub_fromq\n\n\tmovq\t192+0(%rsp),%rax\n\tmovq\t192+8(%rsp),%rbp\n\tmovq\t192+16(%rsp),%rcx\n\tmovq\t192+24(%rsp),%r10\n\tleaq\t320(%rsp),%rdi\n\n\tcall\t__ecp_nistz256_subq\n\n\tmovq\t%r12,0(%rdi)\n\tmovq\t%r13,8(%rdi)\n\tmovq\t%r8,16(%rdi)\n\tmovq\t%r9,24(%rdi)\n\tmovq\t128(%rsp),%rax\n\tleaq\t128(%rsp),%rbx\n\tmovq\t0+224(%rsp),%r9\n\tmovq\t8+224(%rsp),%r10\n\tleaq\t0+224(%rsp),%rsi\n\tmovq\t16+224(%rsp),%r11\n\tmovq\t24+224(%rsp),%r12\n\tleaq\t256(%rsp),%rdi\n\tcall\t__ecp_nistz256_mul_montq\n\n\tmovq\t320(%rsp),%rax\n\tleaq\t320(%rsp),%rbx\n\tmovq\t0+64(%rsp),%r9\n\tmovq\t8+64(%rsp),%r10\n\tleaq\t0+64(%rsp),%rsi\n\tmovq\t16+64(%rsp),%r11\n\tmovq\t24+64(%rsp),%r12\n\tleaq\t320(%rsp),%rdi\n\tcall\t__ecp_nistz256_mul_montq\n\n\tleaq\t256(%rsp),%rbx\n\tleaq\t320(%rsp),%rdi\n\tcall\t__ecp_nistz256_sub_fromq\n\n.byte\t102,72,15,126,199\n\n\tmovdqa\t%xmm5,%xmm0\n\tmovdqa\t%xmm5,%xmm1\n\tpandn\t352(%rsp),%xmm0\n\tmovdqa\t%xmm5,%xmm2\n\tpandn\t352+16(%rsp),%xmm1\n\tmovdqa\t%xmm5,%xmm3\n\tpand\t544(%rsp),%xmm2\n\tpand\t544+16(%rsp),%xmm3\n\tpor\t%xmm0,%xmm2\n\tpor\t%xmm1,%xmm3\n\n\tmovdqa\t%xmm4,%xmm0\n\tmovdqa\t%xmm4,%xmm1\n\tpandn\t%xmm2,%xmm0\n\tmovdqa\t%xmm4,%xmm2\n\tpandn\t%xmm3,%xmm1\n\tmovdqa\t%xmm4,%xmm3\n\tpand\t448(%rsp),%xmm2\n\tpand\t448+16(%rsp),%xmm3\n\tpor\t%xmm0,%xmm2\n\tpor\t%xmm1,%xmm3\n\tmovdqu\t%xmm2,64(%rdi)\n\tmovdqu\t%xmm3,80(%rdi)\n\n\tmovdqa\t%xmm5,%xmm0\n\tmovdqa\t%xmm5,%xmm1\n\tpandn\t288(%rsp),%xmm0\n\tmovdqa\t%xmm5,%xmm2\n\tpandn\t288+16(%rsp),%xmm1\n\tmovdqa\t%xmm5,%xmm3\n\tpand\t480(%rsp),%xmm2\n\tpand\t480+16(%rsp),%xmm3\n\tpor\t%xmm0,%xmm2\n\tpor\t%xmm1,%xmm3\n\n\tmovdqa\t%xmm4,%xmm0\n\tmovdqa\t%xmm4,%xmm1\n\tpandn\t%xmm2,%xmm0\n\tmovdqa\t%xmm4,%xmm2\n\tpandn\t%xmm3,%xmm1\n\tmovdqa\t%xmm4,%xmm3\n\tpand\t384(%rsp),%xmm2\n\tpand\t384+16(%rsp),%xmm3\n\tpor\t%xmm0,%xmm2\n\tpor\t%xmm1,%xmm3\n\tmovdqu\t%xmm2,0(%rdi)\n\tmovdqu\t%xmm3,16(%rdi)\n\n\tmovdqa\t%xmm5,%xmm0\n\tmovdqa\t%xmm5,%xmm1\n\tpandn\t320(%rsp),%xmm0\n\tmovdqa\t%xmm5,%xmm2\n\tpandn\t320+16(%rsp),%xmm1\n\tmovdqa\t%xmm5,%xmm3\n\tpand\t512(%rsp),%xmm2\n\tpand\t512+16(%rsp),%xmm3\n\tpor\t%xmm0,%xmm2\n\tpor\t%xmm1,%xmm3\n\n\tmovdqa\t%xmm4,%xmm0\n\tmovdqa\t%xmm4,%xmm1\n\tpandn\t%xmm2,%xmm0\n\tmovdqa\t%xmm4,%xmm2\n\tpandn\t%xmm3,%xmm1\n\tmovdqa\t%xmm4,%xmm3\n\tpand\t416(%rsp),%xmm2\n\tpand\t416+16(%rsp),%xmm3\n\tpor\t%xmm0,%xmm2\n\tpor\t%xmm1,%xmm3\n\tmovdqu\t%xmm2,32(%rdi)\n\tmovdqu\t%xmm3,48(%rdi)\n\n.Ladd_doneq:\n\tleaq\t576+56(%rsp),%rsi\n.cfi_def_cfa\t%rsi,8\n\tmovq\t-48(%rsi),%r15\n.cfi_restore\t%r15\n\tmovq\t-40(%rsi),%r14\n.cfi_restore\t%r14\n\tmovq\t-32(%rsi),%r13\n.cfi_restore\t%r13\n\tmovq\t-24(%rsi),%r12\n.cfi_restore\t%r12\n\tmovq\t-16(%rsi),%rbx\n.cfi_restore\t%rbx\n\tmovq\t-8(%rsi),%rbp\n.cfi_restore\t%rbp\n\tleaq\t(%rsi),%rsp\n.cfi_def_cfa_register\t%rsp\n.Lpoint_addq_epilogue:\n\tret\n.cfi_endproc\t\n.size\tecp_nistz256_point_add_nohw,.-ecp_nistz256_point_add_nohw\n.globl\tecp_nistz256_point_add_affine_nohw\n.hidden ecp_nistz256_point_add_affine_nohw\n.type\tecp_nistz256_point_add_affine_nohw,@function\n.align\t32\necp_nistz256_point_add_affine_nohw:\n.cfi_startproc\t\n_CET_ENDBR\n\tpushq\t%rbp\n.cfi_adjust_cfa_offset\t8\n.cfi_offset\t%rbp,-16\n\tpushq\t%rbx\n.cfi_adjust_cfa_offset\t8\n.cfi_offset\t%rbx,-24\n\tpushq\t%r12\n.cfi_adjust_cfa_offset\t8\n.cfi_offset\t%r12,-32\n\tpushq\t%r13\n.cfi_adjust_cfa_offset\t8\n.cfi_offset\t%r13,-40\n\tpushq\t%r14\n.cfi_adjust_cfa_offset\t8\n.cfi_offset\t%r14,-48\n\tpushq\t%r15\n.cfi_adjust_cfa_offset\t8\n.cfi_offset\t%r15,-56\n\tsubq\t$480+8,%rsp\n.cfi_adjust_cfa_offset\t32*15+8\n.Ladd_affineq_body:\n\n\tmovdqu\t0(%rsi),%xmm0\n\tmovq\t%rdx,%rbx\n\tmovdqu\t16(%rsi),%xmm1\n\tmovdqu\t32(%rsi),%xmm2\n\tmovdqu\t48(%rsi),%xmm3\n\tmovdqu\t64(%rsi),%xmm4\n\tmovdqu\t80(%rsi),%xmm5\n\tmovq\t64+0(%rsi),%rax\n\tmovq\t64+8(%rsi),%r14\n\tmovq\t64+16(%rsi),%r15\n\tmovq\t64+24(%rsi),%r8\n\tmovdqa\t%xmm0,320(%rsp)\n\tmovdqa\t%xmm1,320+16(%rsp)\n\tmovdqa\t%xmm2,352(%rsp)\n\tmovdqa\t%xmm3,352+16(%rsp)\n\tmovdqa\t%xmm4,384(%rsp)\n\tmovdqa\t%xmm5,384+16(%rsp)\n\tpor\t%xmm4,%xmm5\n\n\tmovdqu\t0(%rbx),%xmm0\n\tpshufd\t$0xb1,%xmm5,%xmm3\n\tmovdqu\t16(%rbx),%xmm1\n\tmovdqu\t32(%rbx),%xmm2\n\tpor\t%xmm3,%xmm5\n\tmovdqu\t48(%rbx),%xmm3\n\tmovdqa\t%xmm0,416(%rsp)\n\tpshufd\t$0x1e,%xmm5,%xmm4\n\tmovdqa\t%xmm1,416+16(%rsp)\n\tpor\t%xmm0,%xmm1\n.byte\t102,72,15,110,199\n\tmovdqa\t%xmm2,448(%rsp)\n\tmovdqa\t%xmm3,448+16(%rsp)\n\tpor\t%xmm2,%xmm3\n\tpor\t%xmm4,%xmm5\n\tpxor\t%xmm4,%xmm4\n\tpor\t%xmm1,%xmm3\n\n\tleaq\t64-0(%rsi),%rsi\n\tleaq\t32(%rsp),%rdi\n\tcall\t__ecp_nistz256_sqr_montq\n\n\tpcmpeqd\t%xmm4,%xmm5\n\tpshufd\t$0xb1,%xmm3,%xmm4\n\tmovq\t0(%rbx),%rax\n\n\tmovq\t%r12,%r9\n\tpor\t%xmm3,%xmm4\n\tpshufd\t$0,%xmm5,%xmm5\n\tpshufd\t$0x1e,%xmm4,%xmm3\n\tmovq\t%r13,%r10\n\tpor\t%xmm3,%xmm4\n\tpxor\t%xmm3,%xmm3\n\tmovq\t%r14,%r11\n\tpcmpeqd\t%xmm3,%xmm4\n\tpshufd\t$0,%xmm4,%xmm4\n\n\tleaq\t32-0(%rsp),%rsi\n\tmovq\t%r15,%r12\n\tleaq\t0(%rsp),%rdi\n\tcall\t__ecp_nistz256_mul_montq\n\n\tleaq\t320(%rsp),%rbx\n\tleaq\t64(%rsp),%rdi\n\tcall\t__ecp_nistz256_sub_fromq\n\n\tmovq\t384(%rsp),%rax\n\tleaq\t384(%rsp),%rbx\n\tmovq\t0+32(%rsp),%r9\n\tmovq\t8+32(%rsp),%r10\n\tleaq\t0+32(%rsp),%rsi\n\tmovq\t16+32(%rsp),%r11\n\tmovq\t24+32(%rsp),%r12\n\tleaq\t32(%rsp),%rdi\n\tcall\t__ecp_nistz256_mul_montq\n\n\tmovq\t384(%rsp),%rax\n\tleaq\t384(%rsp),%rbx\n\tmovq\t0+64(%rsp),%r9\n\tmovq\t8+64(%rsp),%r10\n\tleaq\t0+64(%rsp),%rsi\n\tmovq\t16+64(%rsp),%r11\n\tmovq\t24+64(%rsp),%r12\n\tleaq\t288(%rsp),%rdi\n\tcall\t__ecp_nistz256_mul_montq\n\n\tmovq\t448(%rsp),%rax\n\tleaq\t448(%rsp),%rbx\n\tmovq\t0+32(%rsp),%r9\n\tmovq\t8+32(%rsp),%r10\n\tleaq\t0+32(%rsp),%rsi\n\tmovq\t16+32(%rsp),%r11\n\tmovq\t24+32(%rsp),%r12\n\tleaq\t32(%rsp),%rdi\n\tcall\t__ecp_nistz256_mul_montq\n\n\tleaq\t352(%rsp),%rbx\n\tleaq\t96(%rsp),%rdi\n\tcall\t__ecp_nistz256_sub_fromq\n\n\tmovq\t0+64(%rsp),%rax\n\tmovq\t8+64(%rsp),%r14\n\tleaq\t0+64(%rsp),%rsi\n\tmovq\t16+64(%rsp),%r15\n\tmovq\t24+64(%rsp),%r8\n\tleaq\t128(%rsp),%rdi\n\tcall\t__ecp_nistz256_sqr_montq\n\n\tmovq\t0+96(%rsp),%rax\n\tmovq\t8+96(%rsp),%r14\n\tleaq\t0+96(%rsp),%rsi\n\tmovq\t16+96(%rsp),%r15\n\tmovq\t24+96(%rsp),%r8\n\tleaq\t192(%rsp),%rdi\n\tcall\t__ecp_nistz256_sqr_montq\n\n\tmovq\t128(%rsp),%rax\n\tleaq\t128(%rsp),%rbx\n\tmovq\t0+64(%rsp),%r9\n\tmovq\t8+64(%rsp),%r10\n\tleaq\t0+64(%rsp),%rsi\n\tmovq\t16+64(%rsp),%r11\n\tmovq\t24+64(%rsp),%r12\n\tleaq\t160(%rsp),%rdi\n\tcall\t__ecp_nistz256_mul_montq\n\n\tmovq\t320(%rsp),%rax\n\tleaq\t320(%rsp),%rbx\n\tmovq\t0+128(%rsp),%r9\n\tmovq\t8+128(%rsp),%r10\n\tleaq\t0+128(%rsp),%rsi\n\tmovq\t16+128(%rsp),%r11\n\tmovq\t24+128(%rsp),%r12\n\tleaq\t0(%rsp),%rdi\n\tcall\t__ecp_nistz256_mul_montq\n\n\n\n\n\txorq\t%r11,%r11\n\taddq\t%r12,%r12\n\tleaq\t192(%rsp),%rsi\n\tadcq\t%r13,%r13\n\tmovq\t%r12,%rax\n\tadcq\t%r8,%r8\n\tadcq\t%r9,%r9\n\tmovq\t%r13,%rbp\n\tadcq\t$0,%r11\n\n\tsubq\t$-1,%r12\n\tmovq\t%r8,%rcx\n\tsbbq\t%r14,%r13\n\tsbbq\t$0,%r8\n\tmovq\t%r9,%r10\n\tsbbq\t%r15,%r9\n\tsbbq\t$0,%r11\n\n\tcmovcq\t%rax,%r12\n\tmovq\t0(%rsi),%rax\n\tcmovcq\t%rbp,%r13\n\tmovq\t8(%rsi),%rbp\n\tcmovcq\t%rcx,%r8\n\tmovq\t16(%rsi),%rcx\n\tcmovcq\t%r10,%r9\n\tmovq\t24(%rsi),%r10\n\n\tcall\t__ecp_nistz256_subq\n\n\tleaq\t160(%rsp),%rbx\n\tleaq\t224(%rsp),%rdi\n\tcall\t__ecp_nistz256_sub_fromq\n\n\tmovq\t0+0(%rsp),%rax\n\tmovq\t0+8(%rsp),%rbp\n\tmovq\t0+16(%rsp),%rcx\n\tmovq\t0+24(%rsp),%r10\n\tleaq\t64(%rsp),%rdi\n\n\tcall\t__ecp_nistz256_subq\n\n\tmovq\t%r12,0(%rdi)\n\tmovq\t%r13,8(%rdi)\n\tmovq\t%r8,16(%rdi)\n\tmovq\t%r9,24(%rdi)\n\tmovq\t352(%rsp),%rax\n\tleaq\t352(%rsp),%rbx\n\tmovq\t0+160(%rsp),%r9\n\tmovq\t8+160(%rsp),%r10\n\tleaq\t0+160(%rsp),%rsi\n\tmovq\t16+160(%rsp),%r11\n\tmovq\t24+160(%rsp),%r12\n\tleaq\t32(%rsp),%rdi\n\tcall\t__ecp_nistz256_mul_montq\n\n\tmovq\t96(%rsp),%rax\n\tleaq\t96(%rsp),%rbx\n\tmovq\t0+64(%rsp),%r9\n\tmovq\t8+64(%rsp),%r10\n\tleaq\t0+64(%rsp),%rsi\n\tmovq\t16+64(%rsp),%r11\n\tmovq\t24+64(%rsp),%r12\n\tleaq\t64(%rsp),%rdi\n\tcall\t__ecp_nistz256_mul_montq\n\n\tleaq\t32(%rsp),%rbx\n\tleaq\t256(%rsp),%rdi\n\tcall\t__ecp_nistz256_sub_fromq\n\n.byte\t102,72,15,126,199\n\n\tmovdqa\t%xmm5,%xmm0\n\tmovdqa\t%xmm5,%xmm1\n\tpandn\t288(%rsp),%xmm0\n\tmovdqa\t%xmm5,%xmm2\n\tpandn\t288+16(%rsp),%xmm1\n\tmovdqa\t%xmm5,%xmm3\n\tpand\t.LONE_mont(%rip),%xmm2\n\tpand\t.LONE_mont+16(%rip),%xmm3\n\tpor\t%xmm0,%xmm2\n\tpor\t%xmm1,%xmm3\n\n\tmovdqa\t%xmm4,%xmm0\n\tmovdqa\t%xmm4,%xmm1\n\tpandn\t%xmm2,%xmm0\n\tmovdqa\t%xmm4,%xmm2\n\tpandn\t%xmm3,%xmm1\n\tmovdqa\t%xmm4,%xmm3\n\tpand\t384(%rsp),%xmm2\n\tpand\t384+16(%rsp),%xmm3\n\tpor\t%xmm0,%xmm2\n\tpor\t%xmm1,%xmm3\n\tmovdqu\t%xmm2,64(%rdi)\n\tmovdqu\t%xmm3,80(%rdi)\n\n\tmovdqa\t%xmm5,%xmm0\n\tmovdqa\t%xmm5,%xmm1\n\tpandn\t224(%rsp),%xmm0\n\tmovdqa\t%xmm5,%xmm2\n\tpandn\t224+16(%rsp),%xmm1\n\tmovdqa\t%xmm5,%xmm3\n\tpand\t416(%rsp),%xmm2\n\tpand\t416+16(%rsp),%xmm3\n\tpor\t%xmm0,%xmm2\n\tpor\t%xmm1,%xmm3\n\n\tmovdqa\t%xmm4,%xmm0\n\tmovdqa\t%xmm4,%xmm1\n\tpandn\t%xmm2,%xmm0\n\tmovdqa\t%xmm4,%xmm2\n\tpandn\t%xmm3,%xmm1\n\tmovdqa\t%xmm4,%xmm3\n\tpand\t320(%rsp),%xmm2\n\tpand\t320+16(%rsp),%xmm3\n\tpor\t%xmm0,%xmm2\n\tpor\t%xmm1,%xmm3\n\tmovdqu\t%xmm2,0(%rdi)\n\tmovdqu\t%xmm3,16(%rdi)\n\n\tmovdqa\t%xmm5,%xmm0\n\tmovdqa\t%xmm5,%xmm1\n\tpandn\t256(%rsp),%xmm0\n\tmovdqa\t%xmm5,%xmm2\n\tpandn\t256+16(%rsp),%xmm1\n\tmovdqa\t%xmm5,%xmm3\n\tpand\t448(%rsp),%xmm2\n\tpand\t448+16(%rsp),%xmm3\n\tpor\t%xmm0,%xmm2\n\tpor\t%xmm1,%xmm3\n\n\tmovdqa\t%xmm4,%xmm0\n\tmovdqa\t%xmm4,%xmm1\n\tpandn\t%xmm2,%xmm0\n\tmovdqa\t%xmm4,%xmm2\n\tpandn\t%xmm3,%xmm1\n\tmovdqa\t%xmm4,%xmm3\n\tpand\t352(%rsp),%xmm2\n\tpand\t352+16(%rsp),%xmm3\n\tpor\t%xmm0,%xmm2\n\tpor\t%xmm1,%xmm3\n\tmovdqu\t%xmm2,32(%rdi)\n\tmovdqu\t%xmm3,48(%rdi)\n\n\tleaq\t480+56(%rsp),%rsi\n.cfi_def_cfa\t%rsi,8\n\tmovq\t-48(%rsi),%r15\n.cfi_restore\t%r15\n\tmovq\t-40(%rsi),%r14\n.cfi_restore\t%r14\n\tmovq\t-32(%rsi),%r13\n.cfi_restore\t%r13\n\tmovq\t-24(%rsi),%r12\n.cfi_restore\t%r12\n\tmovq\t-16(%rsi),%rbx\n.cfi_restore\t%rbx\n\tmovq\t-8(%rsi),%rbp\n.cfi_restore\t%rbp\n\tleaq\t(%rsi),%rsp\n.cfi_def_cfa_register\t%rsp\n.Ladd_affineq_epilogue:\n\tret\n.cfi_endproc\t\n.size\tecp_nistz256_point_add_affine_nohw,.-ecp_nistz256_point_add_affine_nohw\n.type\t__ecp_nistz256_add_tox,@function\n.align\t32\n__ecp_nistz256_add_tox:\n.cfi_startproc\t\n\txorq\t%r11,%r11\n\tadcq\t0(%rbx),%r12\n\tadcq\t8(%rbx),%r13\n\tmovq\t%r12,%rax\n\tadcq\t16(%rbx),%r8\n\tadcq\t24(%rbx),%r9\n\tmovq\t%r13,%rbp\n\tadcq\t$0,%r11\n\n\txorq\t%r10,%r10\n\tsbbq\t$-1,%r12\n\tmovq\t%r8,%rcx\n\tsbbq\t%r14,%r13\n\tsbbq\t$0,%r8\n\tmovq\t%r9,%r10\n\tsbbq\t%r15,%r9\n\tsbbq\t$0,%r11\n\n\tcmovcq\t%rax,%r12\n\tcmovcq\t%rbp,%r13\n\tmovq\t%r12,0(%rdi)\n\tcmovcq\t%rcx,%r8\n\tmovq\t%r13,8(%rdi)\n\tcmovcq\t%r10,%r9\n\tmovq\t%r8,16(%rdi)\n\tmovq\t%r9,24(%rdi)\n\n\tret\n.cfi_endproc\t\n.size\t__ecp_nistz256_add_tox,.-__ecp_nistz256_add_tox\n\n.type\t__ecp_nistz256_sub_fromx,@function\n.align\t32\n__ecp_nistz256_sub_fromx:\n.cfi_startproc\t\n\txorq\t%r11,%r11\n\tsbbq\t0(%rbx),%r12\n\tsbbq\t8(%rbx),%r13\n\tmovq\t%r12,%rax\n\tsbbq\t16(%rbx),%r8\n\tsbbq\t24(%rbx),%r9\n\tmovq\t%r13,%rbp\n\tsbbq\t$0,%r11\n\n\txorq\t%r10,%r10\n\tadcq\t$-1,%r12\n\tmovq\t%r8,%rcx\n\tadcq\t%r14,%r13\n\tadcq\t$0,%r8\n\tmovq\t%r9,%r10\n\tadcq\t%r15,%r9\n\n\tbtq\t$0,%r11\n\tcmovncq\t%rax,%r12\n\tcmovncq\t%rbp,%r13\n\tmovq\t%r12,0(%rdi)\n\tcmovncq\t%rcx,%r8\n\tmovq\t%r13,8(%rdi)\n\tcmovncq\t%r10,%r9\n\tmovq\t%r8,16(%rdi)\n\tmovq\t%r9,24(%rdi)\n\n\tret\n.cfi_endproc\t\n.size\t__ecp_nistz256_sub_fromx,.-__ecp_nistz256_sub_fromx\n\n.type\t__ecp_nistz256_subx,@function\n.align\t32\n__ecp_nistz256_subx:\n.cfi_startproc\t\n\txorq\t%r11,%r11\n\tsbbq\t%r12,%rax\n\tsbbq\t%r13,%rbp\n\tmovq\t%rax,%r12\n\tsbbq\t%r8,%rcx\n\tsbbq\t%r9,%r10\n\tmovq\t%rbp,%r13\n\tsbbq\t$0,%r11\n\n\txorq\t%r9,%r9\n\tadcq\t$-1,%rax\n\tmovq\t%rcx,%r8\n\tadcq\t%r14,%rbp\n\tadcq\t$0,%rcx\n\tmovq\t%r10,%r9\n\tadcq\t%r15,%r10\n\n\tbtq\t$0,%r11\n\tcmovcq\t%rax,%r12\n\tcmovcq\t%rbp,%r13\n\tcmovcq\t%rcx,%r8\n\tcmovcq\t%r10,%r9\n\n\tret\n.cfi_endproc\t\n.size\t__ecp_nistz256_subx,.-__ecp_nistz256_subx\n\n.type\t__ecp_nistz256_mul_by_2x,@function\n.align\t32\n__ecp_nistz256_mul_by_2x:\n.cfi_startproc\t\n\txorq\t%r11,%r11\n\tadcq\t%r12,%r12\n\tadcq\t%r13,%r13\n\tmovq\t%r12,%rax\n\tadcq\t%r8,%r8\n\tadcq\t%r9,%r9\n\tmovq\t%r13,%rbp\n\tadcq\t$0,%r11\n\n\txorq\t%r10,%r10\n\tsbbq\t$-1,%r12\n\tmovq\t%r8,%rcx\n\tsbbq\t%r14,%r13\n\tsbbq\t$0,%r8\n\tmovq\t%r9,%r10\n\tsbbq\t%r15,%r9\n\tsbbq\t$0,%r11\n\n\tcmovcq\t%rax,%r12\n\tcmovcq\t%rbp,%r13\n\tmovq\t%r12,0(%rdi)\n\tcmovcq\t%rcx,%r8\n\tmovq\t%r13,8(%rdi)\n\tcmovcq\t%r10,%r9\n\tmovq\t%r8,16(%rdi)\n\tmovq\t%r9,24(%rdi)\n\n\tret\n.cfi_endproc\t\n.size\t__ecp_nistz256_mul_by_2x,.-__ecp_nistz256_mul_by_2x\n.globl\tecp_nistz256_point_double_adx\n.hidden ecp_nistz256_point_double_adx\n.type\tecp_nistz256_point_double_adx,@function\n.align\t32\necp_nistz256_point_double_adx:\n.cfi_startproc\t\n_CET_ENDBR\n\tpushq\t%rbp\n.cfi_adjust_cfa_offset\t8\n.cfi_offset\t%rbp,-16\n\tpushq\t%rbx\n.cfi_adjust_cfa_offset\t8\n.cfi_offset\t%rbx,-24\n\tpushq\t%r12\n.cfi_adjust_cfa_offset\t8\n.cfi_offset\t%r12,-32\n\tpushq\t%r13\n.cfi_adjust_cfa_offset\t8\n.cfi_offset\t%r13,-40\n\tpushq\t%r14\n.cfi_adjust_cfa_offset\t8\n.cfi_offset\t%r14,-48\n\tpushq\t%r15\n.cfi_adjust_cfa_offset\t8\n.cfi_offset\t%r15,-56\n\tsubq\t$160+8,%rsp\n.cfi_adjust_cfa_offset\t32*5+8\n.Lpoint_doublex_body:\n\n.Lpoint_double_shortcutx:\n\tmovdqu\t0(%rsi),%xmm0\n\tmovq\t%rsi,%rbx\n\tmovdqu\t16(%rsi),%xmm1\n\tmovq\t32+0(%rsi),%r12\n\tmovq\t32+8(%rsi),%r13\n\tmovq\t32+16(%rsi),%r8\n\tmovq\t32+24(%rsi),%r9\n\tmovq\t.Lpoly+8(%rip),%r14\n\tmovq\t.Lpoly+24(%rip),%r15\n\tmovdqa\t%xmm0,96(%rsp)\n\tmovdqa\t%xmm1,96+16(%rsp)\n\tleaq\t32(%rdi),%r10\n\tleaq\t64(%rdi),%r11\n.byte\t102,72,15,110,199\n.byte\t102,73,15,110,202\n.byte\t102,73,15,110,211\n\n\tleaq\t0(%rsp),%rdi\n\tcall\t__ecp_nistz256_mul_by_2x\n\n\tmovq\t64+0(%rsi),%rdx\n\tmovq\t64+8(%rsi),%r14\n\tmovq\t64+16(%rsi),%r15\n\tmovq\t64+24(%rsi),%r8\n\tleaq\t64-128(%rsi),%rsi\n\tleaq\t64(%rsp),%rdi\n\tcall\t__ecp_nistz256_sqr_montx\n\n\tmovq\t0+0(%rsp),%rdx\n\tmovq\t8+0(%rsp),%r14\n\tleaq\t-128+0(%rsp),%rsi\n\tmovq\t16+0(%rsp),%r15\n\tmovq\t24+0(%rsp),%r8\n\tleaq\t0(%rsp),%rdi\n\tcall\t__ecp_nistz256_sqr_montx\n\n\tmovq\t32(%rbx),%rdx\n\tmovq\t64+0(%rbx),%r9\n\tmovq\t64+8(%rbx),%r10\n\tmovq\t64+16(%rbx),%r11\n\tmovq\t64+24(%rbx),%r12\n\tleaq\t64-128(%rbx),%rsi\n\tleaq\t32(%rbx),%rbx\n.byte\t102,72,15,126,215\n\tcall\t__ecp_nistz256_mul_montx\n\tcall\t__ecp_nistz256_mul_by_2x\n\n\tmovq\t96+0(%rsp),%r12\n\tmovq\t96+8(%rsp),%r13\n\tleaq\t64(%rsp),%rbx\n\tmovq\t96+16(%rsp),%r8\n\tmovq\t96+24(%rsp),%r9\n\tleaq\t32(%rsp),%rdi\n\tcall\t__ecp_nistz256_add_tox\n\n\tmovq\t96+0(%rsp),%r12\n\tmovq\t96+8(%rsp),%r13\n\tleaq\t64(%rsp),%rbx\n\tmovq\t96+16(%rsp),%r8\n\tmovq\t96+24(%rsp),%r9\n\tleaq\t64(%rsp),%rdi\n\tcall\t__ecp_nistz256_sub_fromx\n\n\tmovq\t0+0(%rsp),%rdx\n\tmovq\t8+0(%rsp),%r14\n\tleaq\t-128+0(%rsp),%rsi\n\tmovq\t16+0(%rsp),%r15\n\tmovq\t24+0(%rsp),%r8\n.byte\t102,72,15,126,207\n\tcall\t__ecp_nistz256_sqr_montx\n\txorq\t%r9,%r9\n\tmovq\t%r12,%rax\n\taddq\t$-1,%r12\n\tmovq\t%r13,%r10\n\tadcq\t%rsi,%r13\n\tmovq\t%r14,%rcx\n\tadcq\t$0,%r14\n\tmovq\t%r15,%r8\n\tadcq\t%rbp,%r15\n\tadcq\t$0,%r9\n\txorq\t%rsi,%rsi\n\ttestq\t$1,%rax\n\n\tcmovzq\t%rax,%r12\n\tcmovzq\t%r10,%r13\n\tcmovzq\t%rcx,%r14\n\tcmovzq\t%r8,%r15\n\tcmovzq\t%rsi,%r9\n\n\tmovq\t%r13,%rax\n\tshrq\t$1,%r12\n\tshlq\t$63,%rax\n\tmovq\t%r14,%r10\n\tshrq\t$1,%r13\n\torq\t%rax,%r12\n\tshlq\t$63,%r10\n\tmovq\t%r15,%rcx\n\tshrq\t$1,%r14\n\torq\t%r10,%r13\n\tshlq\t$63,%rcx\n\tmovq\t%r12,0(%rdi)\n\tshrq\t$1,%r15\n\tmovq\t%r13,8(%rdi)\n\tshlq\t$63,%r9\n\torq\t%rcx,%r14\n\torq\t%r9,%r15\n\tmovq\t%r14,16(%rdi)\n\tmovq\t%r15,24(%rdi)\n\tmovq\t64(%rsp),%rdx\n\tleaq\t64(%rsp),%rbx\n\tmovq\t0+32(%rsp),%r9\n\tmovq\t8+32(%rsp),%r10\n\tleaq\t-128+32(%rsp),%rsi\n\tmovq\t16+32(%rsp),%r11\n\tmovq\t24+32(%rsp),%r12\n\tleaq\t32(%rsp),%rdi\n\tcall\t__ecp_nistz256_mul_montx\n\n\tleaq\t128(%rsp),%rdi\n\tcall\t__ecp_nistz256_mul_by_2x\n\n\tleaq\t32(%rsp),%rbx\n\tleaq\t32(%rsp),%rdi\n\tcall\t__ecp_nistz256_add_tox\n\n\tmovq\t96(%rsp),%rdx\n\tleaq\t96(%rsp),%rbx\n\tmovq\t0+0(%rsp),%r9\n\tmovq\t8+0(%rsp),%r10\n\tleaq\t-128+0(%rsp),%rsi\n\tmovq\t16+0(%rsp),%r11\n\tmovq\t24+0(%rsp),%r12\n\tleaq\t0(%rsp),%rdi\n\tcall\t__ecp_nistz256_mul_montx\n\n\tleaq\t128(%rsp),%rdi\n\tcall\t__ecp_nistz256_mul_by_2x\n\n\tmovq\t0+32(%rsp),%rdx\n\tmovq\t8+32(%rsp),%r14\n\tleaq\t-128+32(%rsp),%rsi\n\tmovq\t16+32(%rsp),%r15\n\tmovq\t24+32(%rsp),%r8\n.byte\t102,72,15,126,199\n\tcall\t__ecp_nistz256_sqr_montx\n\n\tleaq\t128(%rsp),%rbx\n\tmovq\t%r14,%r8\n\tmovq\t%r15,%r9\n\tmovq\t%rsi,%r14\n\tmovq\t%rbp,%r15\n\tcall\t__ecp_nistz256_sub_fromx\n\n\tmovq\t0+0(%rsp),%rax\n\tmovq\t0+8(%rsp),%rbp\n\tmovq\t0+16(%rsp),%rcx\n\tmovq\t0+24(%rsp),%r10\n\tleaq\t0(%rsp),%rdi\n\tcall\t__ecp_nistz256_subx\n\n\tmovq\t32(%rsp),%rdx\n\tleaq\t32(%rsp),%rbx\n\tmovq\t%r12,%r14\n\txorl\t%ecx,%ecx\n\tmovq\t%r12,0+0(%rsp)\n\tmovq\t%r13,%r10\n\tmovq\t%r13,0+8(%rsp)\n\tcmovzq\t%r8,%r11\n\tmovq\t%r8,0+16(%rsp)\n\tleaq\t0-128(%rsp),%rsi\n\tcmovzq\t%r9,%r12\n\tmovq\t%r9,0+24(%rsp)\n\tmovq\t%r14,%r9\n\tleaq\t0(%rsp),%rdi\n\tcall\t__ecp_nistz256_mul_montx\n\n.byte\t102,72,15,126,203\n.byte\t102,72,15,126,207\n\tcall\t__ecp_nistz256_sub_fromx\n\n\tleaq\t160+56(%rsp),%rsi\n.cfi_def_cfa\t%rsi,8\n\tmovq\t-48(%rsi),%r15\n.cfi_restore\t%r15\n\tmovq\t-40(%rsi),%r14\n.cfi_restore\t%r14\n\tmovq\t-32(%rsi),%r13\n.cfi_restore\t%r13\n\tmovq\t-24(%rsi),%r12\n.cfi_restore\t%r12\n\tmovq\t-16(%rsi),%rbx\n.cfi_restore\t%rbx\n\tmovq\t-8(%rsi),%rbp\n.cfi_restore\t%rbp\n\tleaq\t(%rsi),%rsp\n.cfi_def_cfa_register\t%rsp\n.Lpoint_doublex_epilogue:\n\tret\n.cfi_endproc\t\n.size\tecp_nistz256_point_double_adx,.-ecp_nistz256_point_double_adx\n.globl\tecp_nistz256_point_add_adx\n.hidden ecp_nistz256_point_add_adx\n.type\tecp_nistz256_point_add_adx,@function\n.align\t32\necp_nistz256_point_add_adx:\n.cfi_startproc\t\n_CET_ENDBR\n\tpushq\t%rbp\n.cfi_adjust_cfa_offset\t8\n.cfi_offset\t%rbp,-16\n\tpushq\t%rbx\n.cfi_adjust_cfa_offset\t8\n.cfi_offset\t%rbx,-24\n\tpushq\t%r12\n.cfi_adjust_cfa_offset\t8\n.cfi_offset\t%r12,-32\n\tpushq\t%r13\n.cfi_adjust_cfa_offset\t8\n.cfi_offset\t%r13,-40\n\tpushq\t%r14\n.cfi_adjust_cfa_offset\t8\n.cfi_offset\t%r14,-48\n\tpushq\t%r15\n.cfi_adjust_cfa_offset\t8\n.cfi_offset\t%r15,-56\n\tsubq\t$576+8,%rsp\n.cfi_adjust_cfa_offset\t32*18+8\n.Lpoint_addx_body:\n\n\tmovdqu\t0(%rsi),%xmm0\n\tmovdqu\t16(%rsi),%xmm1\n\tmovdqu\t32(%rsi),%xmm2\n\tmovdqu\t48(%rsi),%xmm3\n\tmovdqu\t64(%rsi),%xmm4\n\tmovdqu\t80(%rsi),%xmm5\n\tmovq\t%rsi,%rbx\n\tmovq\t%rdx,%rsi\n\tmovdqa\t%xmm0,384(%rsp)\n\tmovdqa\t%xmm1,384+16(%rsp)\n\tmovdqa\t%xmm2,416(%rsp)\n\tmovdqa\t%xmm3,416+16(%rsp)\n\tmovdqa\t%xmm4,448(%rsp)\n\tmovdqa\t%xmm5,448+16(%rsp)\n\tpor\t%xmm4,%xmm5\n\n\tmovdqu\t0(%rsi),%xmm0\n\tpshufd\t$0xb1,%xmm5,%xmm3\n\tmovdqu\t16(%rsi),%xmm1\n\tmovdqu\t32(%rsi),%xmm2\n\tpor\t%xmm3,%xmm5\n\tmovdqu\t48(%rsi),%xmm3\n\tmovq\t64+0(%rsi),%rdx\n\tmovq\t64+8(%rsi),%r14\n\tmovq\t64+16(%rsi),%r15\n\tmovq\t64+24(%rsi),%r8\n\tmovdqa\t%xmm0,480(%rsp)\n\tpshufd\t$0x1e,%xmm5,%xmm4\n\tmovdqa\t%xmm1,480+16(%rsp)\n\tmovdqu\t64(%rsi),%xmm0\n\tmovdqu\t80(%rsi),%xmm1\n\tmovdqa\t%xmm2,512(%rsp)\n\tmovdqa\t%xmm3,512+16(%rsp)\n\tpor\t%xmm4,%xmm5\n\tpxor\t%xmm4,%xmm4\n\tpor\t%xmm0,%xmm1\n.byte\t102,72,15,110,199\n\n\tleaq\t64-128(%rsi),%rsi\n\tmovq\t%rdx,544+0(%rsp)\n\tmovq\t%r14,544+8(%rsp)\n\tmovq\t%r15,544+16(%rsp)\n\tmovq\t%r8,544+24(%rsp)\n\tleaq\t96(%rsp),%rdi\n\tcall\t__ecp_nistz256_sqr_montx\n\n\tpcmpeqd\t%xmm4,%xmm5\n\tpshufd\t$0xb1,%xmm1,%xmm4\n\tpor\t%xmm1,%xmm4\n\tpshufd\t$0,%xmm5,%xmm5\n\tpshufd\t$0x1e,%xmm4,%xmm3\n\tpor\t%xmm3,%xmm4\n\tpxor\t%xmm3,%xmm3\n\tpcmpeqd\t%xmm3,%xmm4\n\tpshufd\t$0,%xmm4,%xmm4\n\tmovq\t64+0(%rbx),%rdx\n\tmovq\t64+8(%rbx),%r14\n\tmovq\t64+16(%rbx),%r15\n\tmovq\t64+24(%rbx),%r8\n.byte\t102,72,15,110,203\n\n\tleaq\t64-128(%rbx),%rsi\n\tleaq\t32(%rsp),%rdi\n\tcall\t__ecp_nistz256_sqr_montx\n\n\tmovq\t544(%rsp),%rdx\n\tleaq\t544(%rsp),%rbx\n\tmovq\t0+96(%rsp),%r9\n\tmovq\t8+96(%rsp),%r10\n\tleaq\t-128+96(%rsp),%rsi\n\tmovq\t16+96(%rsp),%r11\n\tmovq\t24+96(%rsp),%r12\n\tleaq\t224(%rsp),%rdi\n\tcall\t__ecp_nistz256_mul_montx\n\n\tmovq\t448(%rsp),%rdx\n\tleaq\t448(%rsp),%rbx\n\tmovq\t0+32(%rsp),%r9\n\tmovq\t8+32(%rsp),%r10\n\tleaq\t-128+32(%rsp),%rsi\n\tmovq\t16+32(%rsp),%r11\n\tmovq\t24+32(%rsp),%r12\n\tleaq\t256(%rsp),%rdi\n\tcall\t__ecp_nistz256_mul_montx\n\n\tmovq\t416(%rsp),%rdx\n\tleaq\t416(%rsp),%rbx\n\tmovq\t0+224(%rsp),%r9\n\tmovq\t8+224(%rsp),%r10\n\tleaq\t-128+224(%rsp),%rsi\n\tmovq\t16+224(%rsp),%r11\n\tmovq\t24+224(%rsp),%r12\n\tleaq\t224(%rsp),%rdi\n\tcall\t__ecp_nistz256_mul_montx\n\n\tmovq\t512(%rsp),%rdx\n\tleaq\t512(%rsp),%rbx\n\tmovq\t0+256(%rsp),%r9\n\tmovq\t8+256(%rsp),%r10\n\tleaq\t-128+256(%rsp),%rsi\n\tmovq\t16+256(%rsp),%r11\n\tmovq\t24+256(%rsp),%r12\n\tleaq\t256(%rsp),%rdi\n\tcall\t__ecp_nistz256_mul_montx\n\n\tleaq\t224(%rsp),%rbx\n\tleaq\t64(%rsp),%rdi\n\tcall\t__ecp_nistz256_sub_fromx\n\n\torq\t%r13,%r12\n\tmovdqa\t%xmm4,%xmm2\n\torq\t%r8,%r12\n\torq\t%r9,%r12\n\tpor\t%xmm5,%xmm2\n.byte\t102,73,15,110,220\n\n\tmovq\t384(%rsp),%rdx\n\tleaq\t384(%rsp),%rbx\n\tmovq\t0+96(%rsp),%r9\n\tmovq\t8+96(%rsp),%r10\n\tleaq\t-128+96(%rsp),%rsi\n\tmovq\t16+96(%rsp),%r11\n\tmovq\t24+96(%rsp),%r12\n\tleaq\t160(%rsp),%rdi\n\tcall\t__ecp_nistz256_mul_montx\n\n\tmovq\t480(%rsp),%rdx\n\tleaq\t480(%rsp),%rbx\n\tmovq\t0+32(%rsp),%r9\n\tmovq\t8+32(%rsp),%r10\n\tleaq\t-128+32(%rsp),%rsi\n\tmovq\t16+32(%rsp),%r11\n\tmovq\t24+32(%rsp),%r12\n\tleaq\t192(%rsp),%rdi\n\tcall\t__ecp_nistz256_mul_montx\n\n\tleaq\t160(%rsp),%rbx\n\tleaq\t0(%rsp),%rdi\n\tcall\t__ecp_nistz256_sub_fromx\n\n\torq\t%r13,%r12\n\torq\t%r8,%r12\n\torq\t%r9,%r12\n\n.byte\t102,73,15,126,208\n.byte\t102,73,15,126,217\n\torq\t%r8,%r12\n.byte\t0x3e\n\tjnz\t.Ladd_proceedx\n\n\n\n\ttestq\t%r9,%r9\n\tjz\t.Ladd_doublex\n\n\n\n\n\n\n.byte\t102,72,15,126,199\n\tpxor\t%xmm0,%xmm0\n\tmovdqu\t%xmm0,0(%rdi)\n\tmovdqu\t%xmm0,16(%rdi)\n\tmovdqu\t%xmm0,32(%rdi)\n\tmovdqu\t%xmm0,48(%rdi)\n\tmovdqu\t%xmm0,64(%rdi)\n\tmovdqu\t%xmm0,80(%rdi)\n\tjmp\t.Ladd_donex\n\n.align\t32\n.Ladd_doublex:\n.byte\t102,72,15,126,206\n.byte\t102,72,15,126,199\n\taddq\t$416,%rsp\n.cfi_adjust_cfa_offset\t-416\n\tjmp\t.Lpoint_double_shortcutx\n.cfi_adjust_cfa_offset\t416\n\n.align\t32\n.Ladd_proceedx:\n\tmovq\t0+64(%rsp),%rdx\n\tmovq\t8+64(%rsp),%r14\n\tleaq\t-128+64(%rsp),%rsi\n\tmovq\t16+64(%rsp),%r15\n\tmovq\t24+64(%rsp),%r8\n\tleaq\t96(%rsp),%rdi\n\tcall\t__ecp_nistz256_sqr_montx\n\n\tmovq\t448(%rsp),%rdx\n\tleaq\t448(%rsp),%rbx\n\tmovq\t0+0(%rsp),%r9\n\tmovq\t8+0(%rsp),%r10\n\tleaq\t-128+0(%rsp),%rsi\n\tmovq\t16+0(%rsp),%r11\n\tmovq\t24+0(%rsp),%r12\n\tleaq\t352(%rsp),%rdi\n\tcall\t__ecp_nistz256_mul_montx\n\n\tmovq\t0+0(%rsp),%rdx\n\tmovq\t8+0(%rsp),%r14\n\tleaq\t-128+0(%rsp),%rsi\n\tmovq\t16+0(%rsp),%r15\n\tmovq\t24+0(%rsp),%r8\n\tleaq\t32(%rsp),%rdi\n\tcall\t__ecp_nistz256_sqr_montx\n\n\tmovq\t544(%rsp),%rdx\n\tleaq\t544(%rsp),%rbx\n\tmovq\t0+352(%rsp),%r9\n\tmovq\t8+352(%rsp),%r10\n\tleaq\t-128+352(%rsp),%rsi\n\tmovq\t16+352(%rsp),%r11\n\tmovq\t24+352(%rsp),%r12\n\tleaq\t352(%rsp),%rdi\n\tcall\t__ecp_nistz256_mul_montx\n\n\tmovq\t0(%rsp),%rdx\n\tleaq\t0(%rsp),%rbx\n\tmovq\t0+32(%rsp),%r9\n\tmovq\t8+32(%rsp),%r10\n\tleaq\t-128+32(%rsp),%rsi\n\tmovq\t16+32(%rsp),%r11\n\tmovq\t24+32(%rsp),%r12\n\tleaq\t128(%rsp),%rdi\n\tcall\t__ecp_nistz256_mul_montx\n\n\tmovq\t160(%rsp),%rdx\n\tleaq\t160(%rsp),%rbx\n\tmovq\t0+32(%rsp),%r9\n\tmovq\t8+32(%rsp),%r10\n\tleaq\t-128+32(%rsp),%rsi\n\tmovq\t16+32(%rsp),%r11\n\tmovq\t24+32(%rsp),%r12\n\tleaq\t192(%rsp),%rdi\n\tcall\t__ecp_nistz256_mul_montx\n\n\n\n\n\txorq\t%r11,%r11\n\taddq\t%r12,%r12\n\tleaq\t96(%rsp),%rsi\n\tadcq\t%r13,%r13\n\tmovq\t%r12,%rax\n\tadcq\t%r8,%r8\n\tadcq\t%r9,%r9\n\tmovq\t%r13,%rbp\n\tadcq\t$0,%r11\n\n\tsubq\t$-1,%r12\n\tmovq\t%r8,%rcx\n\tsbbq\t%r14,%r13\n\tsbbq\t$0,%r8\n\tmovq\t%r9,%r10\n\tsbbq\t%r15,%r9\n\tsbbq\t$0,%r11\n\n\tcmovcq\t%rax,%r12\n\tmovq\t0(%rsi),%rax\n\tcmovcq\t%rbp,%r13\n\tmovq\t8(%rsi),%rbp\n\tcmovcq\t%rcx,%r8\n\tmovq\t16(%rsi),%rcx\n\tcmovcq\t%r10,%r9\n\tmovq\t24(%rsi),%r10\n\n\tcall\t__ecp_nistz256_subx\n\n\tleaq\t128(%rsp),%rbx\n\tleaq\t288(%rsp),%rdi\n\tcall\t__ecp_nistz256_sub_fromx\n\n\tmovq\t192+0(%rsp),%rax\n\tmovq\t192+8(%rsp),%rbp\n\tmovq\t192+16(%rsp),%rcx\n\tmovq\t192+24(%rsp),%r10\n\tleaq\t320(%rsp),%rdi\n\n\tcall\t__ecp_nistz256_subx\n\n\tmovq\t%r12,0(%rdi)\n\tmovq\t%r13,8(%rdi)\n\tmovq\t%r8,16(%rdi)\n\tmovq\t%r9,24(%rdi)\n\tmovq\t128(%rsp),%rdx\n\tleaq\t128(%rsp),%rbx\n\tmovq\t0+224(%rsp),%r9\n\tmovq\t8+224(%rsp),%r10\n\tleaq\t-128+224(%rsp),%rsi\n\tmovq\t16+224(%rsp),%r11\n\tmovq\t24+224(%rsp),%r12\n\tleaq\t256(%rsp),%rdi\n\tcall\t__ecp_nistz256_mul_montx\n\n\tmovq\t320(%rsp),%rdx\n\tleaq\t320(%rsp),%rbx\n\tmovq\t0+64(%rsp),%r9\n\tmovq\t8+64(%rsp),%r10\n\tleaq\t-128+64(%rsp),%rsi\n\tmovq\t16+64(%rsp),%r11\n\tmovq\t24+64(%rsp),%r12\n\tleaq\t320(%rsp),%rdi\n\tcall\t__ecp_nistz256_mul_montx\n\n\tleaq\t256(%rsp),%rbx\n\tleaq\t320(%rsp),%rdi\n\tcall\t__ecp_nistz256_sub_fromx\n\n.byte\t102,72,15,126,199\n\n\tmovdqa\t%xmm5,%xmm0\n\tmovdqa\t%xmm5,%xmm1\n\tpandn\t352(%rsp),%xmm0\n\tmovdqa\t%xmm5,%xmm2\n\tpandn\t352+16(%rsp),%xmm1\n\tmovdqa\t%xmm5,%xmm3\n\tpand\t544(%rsp),%xmm2\n\tpand\t544+16(%rsp),%xmm3\n\tpor\t%xmm0,%xmm2\n\tpor\t%xmm1,%xmm3\n\n\tmovdqa\t%xmm4,%xmm0\n\tmovdqa\t%xmm4,%xmm1\n\tpandn\t%xmm2,%xmm0\n\tmovdqa\t%xmm4,%xmm2\n\tpandn\t%xmm3,%xmm1\n\tmovdqa\t%xmm4,%xmm3\n\tpand\t448(%rsp),%xmm2\n\tpand\t448+16(%rsp),%xmm3\n\tpor\t%xmm0,%xmm2\n\tpor\t%xmm1,%xmm3\n\tmovdqu\t%xmm2,64(%rdi)\n\tmovdqu\t%xmm3,80(%rdi)\n\n\tmovdqa\t%xmm5,%xmm0\n\tmovdqa\t%xmm5,%xmm1\n\tpandn\t288(%rsp),%xmm0\n\tmovdqa\t%xmm5,%xmm2\n\tpandn\t288+16(%rsp),%xmm1\n\tmovdqa\t%xmm5,%xmm3\n\tpand\t480(%rsp),%xmm2\n\tpand\t480+16(%rsp),%xmm3\n\tpor\t%xmm0,%xmm2\n\tpor\t%xmm1,%xmm3\n\n\tmovdqa\t%xmm4,%xmm0\n\tmovdqa\t%xmm4,%xmm1\n\tpandn\t%xmm2,%xmm0\n\tmovdqa\t%xmm4,%xmm2\n\tpandn\t%xmm3,%xmm1\n\tmovdqa\t%xmm4,%xmm3\n\tpand\t384(%rsp),%xmm2\n\tpand\t384+16(%rsp),%xmm3\n\tpor\t%xmm0,%xmm2\n\tpor\t%xmm1,%xmm3\n\tmovdqu\t%xmm2,0(%rdi)\n\tmovdqu\t%xmm3,16(%rdi)\n\n\tmovdqa\t%xmm5,%xmm0\n\tmovdqa\t%xmm5,%xmm1\n\tpandn\t320(%rsp),%xmm0\n\tmovdqa\t%xmm5,%xmm2\n\tpandn\t320+16(%rsp),%xmm1\n\tmovdqa\t%xmm5,%xmm3\n\tpand\t512(%rsp),%xmm2\n\tpand\t512+16(%rsp),%xmm3\n\tpor\t%xmm0,%xmm2\n\tpor\t%xmm1,%xmm3\n\n\tmovdqa\t%xmm4,%xmm0\n\tmovdqa\t%xmm4,%xmm1\n\tpandn\t%xmm2,%xmm0\n\tmovdqa\t%xmm4,%xmm2\n\tpandn\t%xmm3,%xmm1\n\tmovdqa\t%xmm4,%xmm3\n\tpand\t416(%rsp),%xmm2\n\tpand\t416+16(%rsp),%xmm3\n\tpor\t%xmm0,%xmm2\n\tpor\t%xmm1,%xmm3\n\tmovdqu\t%xmm2,32(%rdi)\n\tmovdqu\t%xmm3,48(%rdi)\n\n.Ladd_donex:\n\tleaq\t576+56(%rsp),%rsi\n.cfi_def_cfa\t%rsi,8\n\tmovq\t-48(%rsi),%r15\n.cfi_restore\t%r15\n\tmovq\t-40(%rsi),%r14\n.cfi_restore\t%r14\n\tmovq\t-32(%rsi),%r13\n.cfi_restore\t%r13\n\tmovq\t-24(%rsi),%r12\n.cfi_restore\t%r12\n\tmovq\t-16(%rsi),%rbx\n.cfi_restore\t%rbx\n\tmovq\t-8(%rsi),%rbp\n.cfi_restore\t%rbp\n\tleaq\t(%rsi),%rsp\n.cfi_def_cfa_register\t%rsp\n.Lpoint_addx_epilogue:\n\tret\n.cfi_endproc\t\n.size\tecp_nistz256_point_add_adx,.-ecp_nistz256_point_add_adx\n.globl\tecp_nistz256_point_add_affine_adx\n.hidden ecp_nistz256_point_add_affine_adx\n.type\tecp_nistz256_point_add_affine_adx,@function\n.align\t32\necp_nistz256_point_add_affine_adx:\n.cfi_startproc\t\n_CET_ENDBR\n\tpushq\t%rbp\n.cfi_adjust_cfa_offset\t8\n.cfi_offset\t%rbp,-16\n\tpushq\t%rbx\n.cfi_adjust_cfa_offset\t8\n.cfi_offset\t%rbx,-24\n\tpushq\t%r12\n.cfi_adjust_cfa_offset\t8\n.cfi_offset\t%r12,-32\n\tpushq\t%r13\n.cfi_adjust_cfa_offset\t8\n.cfi_offset\t%r13,-40\n\tpushq\t%r14\n.cfi_adjust_cfa_offset\t8\n.cfi_offset\t%r14,-48\n\tpushq\t%r15\n.cfi_adjust_cfa_offset\t8\n.cfi_offset\t%r15,-56\n\tsubq\t$480+8,%rsp\n.cfi_adjust_cfa_offset\t32*15+8\n.Ladd_affinex_body:\n\n\tmovdqu\t0(%rsi),%xmm0\n\tmovq\t%rdx,%rbx\n\tmovdqu\t16(%rsi),%xmm1\n\tmovdqu\t32(%rsi),%xmm2\n\tmovdqu\t48(%rsi),%xmm3\n\tmovdqu\t64(%rsi),%xmm4\n\tmovdqu\t80(%rsi),%xmm5\n\tmovq\t64+0(%rsi),%rdx\n\tmovq\t64+8(%rsi),%r14\n\tmovq\t64+16(%rsi),%r15\n\tmovq\t64+24(%rsi),%r8\n\tmovdqa\t%xmm0,320(%rsp)\n\tmovdqa\t%xmm1,320+16(%rsp)\n\tmovdqa\t%xmm2,352(%rsp)\n\tmovdqa\t%xmm3,352+16(%rsp)\n\tmovdqa\t%xmm4,384(%rsp)\n\tmovdqa\t%xmm5,384+16(%rsp)\n\tpor\t%xmm4,%xmm5\n\n\tmovdqu\t0(%rbx),%xmm0\n\tpshufd\t$0xb1,%xmm5,%xmm3\n\tmovdqu\t16(%rbx),%xmm1\n\tmovdqu\t32(%rbx),%xmm2\n\tpor\t%xmm3,%xmm5\n\tmovdqu\t48(%rbx),%xmm3\n\tmovdqa\t%xmm0,416(%rsp)\n\tpshufd\t$0x1e,%xmm5,%xmm4\n\tmovdqa\t%xmm1,416+16(%rsp)\n\tpor\t%xmm0,%xmm1\n.byte\t102,72,15,110,199\n\tmovdqa\t%xmm2,448(%rsp)\n\tmovdqa\t%xmm3,448+16(%rsp)\n\tpor\t%xmm2,%xmm3\n\tpor\t%xmm4,%xmm5\n\tpxor\t%xmm4,%xmm4\n\tpor\t%xmm1,%xmm3\n\n\tleaq\t64-128(%rsi),%rsi\n\tleaq\t32(%rsp),%rdi\n\tcall\t__ecp_nistz256_sqr_montx\n\n\tpcmpeqd\t%xmm4,%xmm5\n\tpshufd\t$0xb1,%xmm3,%xmm4\n\tmovq\t0(%rbx),%rdx\n\n\tmovq\t%r12,%r9\n\tpor\t%xmm3,%xmm4\n\tpshufd\t$0,%xmm5,%xmm5\n\tpshufd\t$0x1e,%xmm4,%xmm3\n\tmovq\t%r13,%r10\n\tpor\t%xmm3,%xmm4\n\tpxor\t%xmm3,%xmm3\n\tmovq\t%r14,%r11\n\tpcmpeqd\t%xmm3,%xmm4\n\tpshufd\t$0,%xmm4,%xmm4\n\n\tleaq\t32-128(%rsp),%rsi\n\tmovq\t%r15,%r12\n\tleaq\t0(%rsp),%rdi\n\tcall\t__ecp_nistz256_mul_montx\n\n\tleaq\t320(%rsp),%rbx\n\tleaq\t64(%rsp),%rdi\n\tcall\t__ecp_nistz256_sub_fromx\n\n\tmovq\t384(%rsp),%rdx\n\tleaq\t384(%rsp),%rbx\n\tmovq\t0+32(%rsp),%r9\n\tmovq\t8+32(%rsp),%r10\n\tleaq\t-128+32(%rsp),%rsi\n\tmovq\t16+32(%rsp),%r11\n\tmovq\t24+32(%rsp),%r12\n\tleaq\t32(%rsp),%rdi\n\tcall\t__ecp_nistz256_mul_montx\n\n\tmovq\t384(%rsp),%rdx\n\tleaq\t384(%rsp),%rbx\n\tmovq\t0+64(%rsp),%r9\n\tmovq\t8+64(%rsp),%r10\n\tleaq\t-128+64(%rsp),%rsi\n\tmovq\t16+64(%rsp),%r11\n\tmovq\t24+64(%rsp),%r12\n\tleaq\t288(%rsp),%rdi\n\tcall\t__ecp_nistz256_mul_montx\n\n\tmovq\t448(%rsp),%rdx\n\tleaq\t448(%rsp),%rbx\n\tmovq\t0+32(%rsp),%r9\n\tmovq\t8+32(%rsp),%r10\n\tleaq\t-128+32(%rsp),%rsi\n\tmovq\t16+32(%rsp),%r11\n\tmovq\t24+32(%rsp),%r12\n\tleaq\t32(%rsp),%rdi\n\tcall\t__ecp_nistz256_mul_montx\n\n\tleaq\t352(%rsp),%rbx\n\tleaq\t96(%rsp),%rdi\n\tcall\t__ecp_nistz256_sub_fromx\n\n\tmovq\t0+64(%rsp),%rdx\n\tmovq\t8+64(%rsp),%r14\n\tleaq\t-128+64(%rsp),%rsi\n\tmovq\t16+64(%rsp),%r15\n\tmovq\t24+64(%rsp),%r8\n\tleaq\t128(%rsp),%rdi\n\tcall\t__ecp_nistz256_sqr_montx\n\n\tmovq\t0+96(%rsp),%rdx\n\tmovq\t8+96(%rsp),%r14\n\tleaq\t-128+96(%rsp),%rsi\n\tmovq\t16+96(%rsp),%r15\n\tmovq\t24+96(%rsp),%r8\n\tleaq\t192(%rsp),%rdi\n\tcall\t__ecp_nistz256_sqr_montx\n\n\tmovq\t128(%rsp),%rdx\n\tleaq\t128(%rsp),%rbx\n\tmovq\t0+64(%rsp),%r9\n\tmovq\t8+64(%rsp),%r10\n\tleaq\t-128+64(%rsp),%rsi\n\tmovq\t16+64(%rsp),%r11\n\tmovq\t24+64(%rsp),%r12\n\tleaq\t160(%rsp),%rdi\n\tcall\t__ecp_nistz256_mul_montx\n\n\tmovq\t320(%rsp),%rdx\n\tleaq\t320(%rsp),%rbx\n\tmovq\t0+128(%rsp),%r9\n\tmovq\t8+128(%rsp),%r10\n\tleaq\t-128+128(%rsp),%rsi\n\tmovq\t16+128(%rsp),%r11\n\tmovq\t24+128(%rsp),%r12\n\tleaq\t0(%rsp),%rdi\n\tcall\t__ecp_nistz256_mul_montx\n\n\n\n\n\txorq\t%r11,%r11\n\taddq\t%r12,%r12\n\tleaq\t192(%rsp),%rsi\n\tadcq\t%r13,%r13\n\tmovq\t%r12,%rax\n\tadcq\t%r8,%r8\n\tadcq\t%r9,%r9\n\tmovq\t%r13,%rbp\n\tadcq\t$0,%r11\n\n\tsubq\t$-1,%r12\n\tmovq\t%r8,%rcx\n\tsbbq\t%r14,%r13\n\tsbbq\t$0,%r8\n\tmovq\t%r9,%r10\n\tsbbq\t%r15,%r9\n\tsbbq\t$0,%r11\n\n\tcmovcq\t%rax,%r12\n\tmovq\t0(%rsi),%rax\n\tcmovcq\t%rbp,%r13\n\tmovq\t8(%rsi),%rbp\n\tcmovcq\t%rcx,%r8\n\tmovq\t16(%rsi),%rcx\n\tcmovcq\t%r10,%r9\n\tmovq\t24(%rsi),%r10\n\n\tcall\t__ecp_nistz256_subx\n\n\tleaq\t160(%rsp),%rbx\n\tleaq\t224(%rsp),%rdi\n\tcall\t__ecp_nistz256_sub_fromx\n\n\tmovq\t0+0(%rsp),%rax\n\tmovq\t0+8(%rsp),%rbp\n\tmovq\t0+16(%rsp),%rcx\n\tmovq\t0+24(%rsp),%r10\n\tleaq\t64(%rsp),%rdi\n\n\tcall\t__ecp_nistz256_subx\n\n\tmovq\t%r12,0(%rdi)\n\tmovq\t%r13,8(%rdi)\n\tmovq\t%r8,16(%rdi)\n\tmovq\t%r9,24(%rdi)\n\tmovq\t352(%rsp),%rdx\n\tleaq\t352(%rsp),%rbx\n\tmovq\t0+160(%rsp),%r9\n\tmovq\t8+160(%rsp),%r10\n\tleaq\t-128+160(%rsp),%rsi\n\tmovq\t16+160(%rsp),%r11\n\tmovq\t24+160(%rsp),%r12\n\tleaq\t32(%rsp),%rdi\n\tcall\t__ecp_nistz256_mul_montx\n\n\tmovq\t96(%rsp),%rdx\n\tleaq\t96(%rsp),%rbx\n\tmovq\t0+64(%rsp),%r9\n\tmovq\t8+64(%rsp),%r10\n\tleaq\t-128+64(%rsp),%rsi\n\tmovq\t16+64(%rsp),%r11\n\tmovq\t24+64(%rsp),%r12\n\tleaq\t64(%rsp),%rdi\n\tcall\t__ecp_nistz256_mul_montx\n\n\tleaq\t32(%rsp),%rbx\n\tleaq\t256(%rsp),%rdi\n\tcall\t__ecp_nistz256_sub_fromx\n\n.byte\t102,72,15,126,199\n\n\tmovdqa\t%xmm5,%xmm0\n\tmovdqa\t%xmm5,%xmm1\n\tpandn\t288(%rsp),%xmm0\n\tmovdqa\t%xmm5,%xmm2\n\tpandn\t288+16(%rsp),%xmm1\n\tmovdqa\t%xmm5,%xmm3\n\tpand\t.LONE_mont(%rip),%xmm2\n\tpand\t.LONE_mont+16(%rip),%xmm3\n\tpor\t%xmm0,%xmm2\n\tpor\t%xmm1,%xmm3\n\n\tmovdqa\t%xmm4,%xmm0\n\tmovdqa\t%xmm4,%xmm1\n\tpandn\t%xmm2,%xmm0\n\tmovdqa\t%xmm4,%xmm2\n\tpandn\t%xmm3,%xmm1\n\tmovdqa\t%xmm4,%xmm3\n\tpand\t384(%rsp),%xmm2\n\tpand\t384+16(%rsp),%xmm3\n\tpor\t%xmm0,%xmm2\n\tpor\t%xmm1,%xmm3\n\tmovdqu\t%xmm2,64(%rdi)\n\tmovdqu\t%xmm3,80(%rdi)\n\n\tmovdqa\t%xmm5,%xmm0\n\tmovdqa\t%xmm5,%xmm1\n\tpandn\t224(%rsp),%xmm0\n\tmovdqa\t%xmm5,%xmm2\n\tpandn\t224+16(%rsp),%xmm1\n\tmovdqa\t%xmm5,%xmm3\n\tpand\t416(%rsp),%xmm2\n\tpand\t416+16(%rsp),%xmm3\n\tpor\t%xmm0,%xmm2\n\tpor\t%xmm1,%xmm3\n\n\tmovdqa\t%xmm4,%xmm0\n\tmovdqa\t%xmm4,%xmm1\n\tpandn\t%xmm2,%xmm0\n\tmovdqa\t%xmm4,%xmm2\n\tpandn\t%xmm3,%xmm1\n\tmovdqa\t%xmm4,%xmm3\n\tpand\t320(%rsp),%xmm2\n\tpand\t320+16(%rsp),%xmm3\n\tpor\t%xmm0,%xmm2\n\tpor\t%xmm1,%xmm3\n\tmovdqu\t%xmm2,0(%rdi)\n\tmovdqu\t%xmm3,16(%rdi)\n\n\tmovdqa\t%xmm5,%xmm0\n\tmovdqa\t%xmm5,%xmm1\n\tpandn\t256(%rsp),%xmm0\n\tmovdqa\t%xmm5,%xmm2\n\tpandn\t256+16(%rsp),%xmm1\n\tmovdqa\t%xmm5,%xmm3\n\tpand\t448(%rsp),%xmm2\n\tpand\t448+16(%rsp),%xmm3\n\tpor\t%xmm0,%xmm2\n\tpor\t%xmm1,%xmm3\n\n\tmovdqa\t%xmm4,%xmm0\n\tmovdqa\t%xmm4,%xmm1\n\tpandn\t%xmm2,%xmm0\n\tmovdqa\t%xmm4,%xmm2\n\tpandn\t%xmm3,%xmm1\n\tmovdqa\t%xmm4,%xmm3\n\tpand\t352(%rsp),%xmm2\n\tpand\t352+16(%rsp),%xmm3\n\tpor\t%xmm0,%xmm2\n\tpor\t%xmm1,%xmm3\n\tmovdqu\t%xmm2,32(%rdi)\n\tmovdqu\t%xmm3,48(%rdi)\n\n\tleaq\t480+56(%rsp),%rsi\n.cfi_def_cfa\t%rsi,8\n\tmovq\t-48(%rsi),%r15\n.cfi_restore\t%r15\n\tmovq\t-40(%rsi),%r14\n.cfi_restore\t%r14\n\tmovq\t-32(%rsi),%r13\n.cfi_restore\t%r13\n\tmovq\t-24(%rsi),%r12\n.cfi_restore\t%r12\n\tmovq\t-16(%rsi),%rbx\n.cfi_restore\t%rbx\n\tmovq\t-8(%rsi),%rbp\n.cfi_restore\t%rbp\n\tleaq\t(%rsi),%rsp\n.cfi_def_cfa_register\t%rsp\n.Ladd_affinex_epilogue:\n\tret\n.cfi_endproc\t\n.size\tecp_nistz256_point_add_affine_adx,.-ecp_nistz256_point_add_affine_adx\n#endif\n#if defined(__linux__) && defined(__ELF__)\n.section .note.GNU-stack,\"\",%progbits\n#endif\n\n" }, { "path": "Sources/CNIOBoringSSL/gen/bcm/p256_beeu-armv8-asm-apple.S", "content": "#define BORINGSSL_PREFIX CNIOBoringSSL\n// This file is generated from a similarly-named Perl script in the BoringSSL\n// source tree. Do not edit by hand.\n\n#include \n\n#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_AARCH64) && defined(__APPLE__)\n#include \"CNIOBoringSSL_arm_arch.h\"\n\n.text\n.globl\t_beeu_mod_inverse_vartime\n.private_extern\t_beeu_mod_inverse_vartime\n\n.align\t4\n_beeu_mod_inverse_vartime:\n // Reserve enough space for 14 8-byte registers on the stack\n // in the first stp call for x29, x30.\n // Then store the remaining callee-saved registers.\n //\n // | x29 | x30 | x19 | x20 | ... | x27 | x28 | x0 | x2 |\n // ^ ^\n // sp <------------------- 112 bytes ----------------> old sp\n // x29 (FP)\n //\n\tAARCH64_SIGN_LINK_REGISTER\n\tstp\tx29,x30,[sp,#-112]!\n\tadd\tx29,sp,#0\n\tstp\tx19,x20,[sp,#16]\n\tstp\tx21,x22,[sp,#32]\n\tstp\tx23,x24,[sp,#48]\n\tstp\tx25,x26,[sp,#64]\n\tstp\tx27,x28,[sp,#80]\n\tstp\tx0,x2,[sp,#96]\n\n // B = b3..b0 := a\n\tldp\tx25,x26,[x1]\n\tldp\tx27,x28,[x1,#16]\n\n // n3..n0 := n\n // Note: the value of input params are changed in the following.\n\tldp\tx0,x1,[x2]\n\tldp\tx2,x30,[x2,#16]\n\n // A = a3..a0 := n\n\tmov\tx21, x0\n\tmov\tx22, x1\n\tmov\tx23, x2\n\tmov\tx24, x30\n\n // X = x4..x0 := 1\n\tmov\tx3, #1\n\teor\tx4, x4, x4\n\teor\tx5, x5, x5\n\teor\tx6, x6, x6\n\teor\tx7, x7, x7\n\n // Y = y4..y0 := 0\n\teor\tx8, x8, x8\n\teor\tx9, x9, x9\n\teor\tx10, x10, x10\n\teor\tx11, x11, x11\n\teor\tx12, x12, x12\n\nLbeeu_loop:\n // if B == 0, jump to .Lbeeu_loop_end\n\torr\tx14, x25, x26\n\torr\tx14, x14, x27\n\n // reverse the bit order of x25. This is needed for clz after this macro\n\trbit\tx15, x25\n\n\torr\tx14, x14, x28\n\tcbz\tx14,Lbeeu_loop_end\n\n\n // 0 < B < |n|,\n // 0 < A <= |n|,\n // (1) X*a == B (mod |n|),\n // (2) (-1)*Y*a == A (mod |n|)\n\n // Now divide B by the maximum possible power of two in the\n // integers, and divide X by the same value mod |n|.\n // When we're done, (1) still holds.\n\n // shift := number of trailing 0s in x25\n // ( = number of leading 0s in x15; see the \"rbit\" instruction in TEST_B_ZERO)\n\tclz\tx13, x15\n\n // If there is no shift, goto shift_A_Y\n\tcbz\tx13, Lbeeu_shift_A_Y\n\n // Shift B right by \"x13\" bits\n\tneg\tx14, x13\n\tlsr\tx25, x25, x13\n\tlsl\tx15, x26, x14\n\n\tlsr\tx26, x26, x13\n\tlsl\tx19, x27, x14\n\n\torr\tx25, x25, x15\n\n\tlsr\tx27, x27, x13\n\tlsl\tx20, x28, x14\n\n\torr\tx26, x26, x19\n\n\tlsr\tx28, x28, x13\n\n\torr\tx27, x27, x20\n\n\n // Shift X right by \"x13\" bits, adding n whenever X becomes odd.\n // x13--;\n // x14 := 0; needed in the addition to the most significant word in SHIFT1\n\teor\tx14, x14, x14\nLbeeu_shift_loop_X:\n\ttbz\tx3, #0, Lshift1_0\n\tadds\tx3, x3, x0\n\tadcs\tx4, x4, x1\n\tadcs\tx5, x5, x2\n\tadcs\tx6, x6, x30\n\tadc\tx7, x7, x14\nLshift1_0:\n // var0 := [var1|var0]<64..1>;\n // i.e. concatenate var1 and var0,\n // extract bits <64..1> from the resulting 128-bit value\n // and put them in var0\n\textr\tx3, x4, x3, #1\n\textr\tx4, x5, x4, #1\n\textr\tx5, x6, x5, #1\n\textr\tx6, x7, x6, #1\n\tlsr\tx7, x7, #1\n\n\tsubs\tx13, x13, #1\n\tbne\tLbeeu_shift_loop_X\n\n // Note: the steps above perform the same sequence as in p256_beeu-x86_64-asm.pl\n // with the following differences:\n // - \"x13\" is set directly to the number of trailing 0s in B\n // (using rbit and clz instructions)\n // - The loop is only used to call SHIFT1(X)\n // and x13 is decreased while executing the X loop.\n // - SHIFT256(B, x13) is performed before right-shifting X; they are independent\n\nLbeeu_shift_A_Y:\n // Same for A and Y.\n // Afterwards, (2) still holds.\n // Reverse the bit order of x21\n // x13 := number of trailing 0s in x21 (= number of leading 0s in x15)\n\trbit\tx15, x21\n\tclz\tx13, x15\n\n // If there is no shift, goto |B-A|, X+Y update\n\tcbz\tx13, Lbeeu_update_B_X_or_A_Y\n\n // Shift A right by \"x13\" bits\n\tneg\tx14, x13\n\tlsr\tx21, x21, x13\n\tlsl\tx15, x22, x14\n\n\tlsr\tx22, x22, x13\n\tlsl\tx19, x23, x14\n\n\torr\tx21, x21, x15\n\n\tlsr\tx23, x23, x13\n\tlsl\tx20, x24, x14\n\n\torr\tx22, x22, x19\n\n\tlsr\tx24, x24, x13\n\n\torr\tx23, x23, x20\n\n\n // Shift Y right by \"x13\" bits, adding n whenever Y becomes odd.\n // x13--;\n // x14 := 0; needed in the addition to the most significant word in SHIFT1\n\teor\tx14, x14, x14\nLbeeu_shift_loop_Y:\n\ttbz\tx8, #0, Lshift1_1\n\tadds\tx8, x8, x0\n\tadcs\tx9, x9, x1\n\tadcs\tx10, x10, x2\n\tadcs\tx11, x11, x30\n\tadc\tx12, x12, x14\nLshift1_1:\n // var0 := [var1|var0]<64..1>;\n // i.e. concatenate var1 and var0,\n // extract bits <64..1> from the resulting 128-bit value\n // and put them in var0\n\textr\tx8, x9, x8, #1\n\textr\tx9, x10, x9, #1\n\textr\tx10, x11, x10, #1\n\textr\tx11, x12, x11, #1\n\tlsr\tx12, x12, #1\n\n\tsubs\tx13, x13, #1\n\tbne\tLbeeu_shift_loop_Y\n\nLbeeu_update_B_X_or_A_Y:\n // Try T := B - A; if cs, continue with B > A (cs: carry set = no borrow)\n // Note: this is a case of unsigned arithmetic, where T fits in 4 64-bit words\n // without taking a sign bit if generated. The lack of a carry would\n // indicate a negative result. See, for example,\n // https://community.arm.com/developer/ip-products/processors/b/processors-ip-blog/posts/condition-codes-1-condition-flags-and-codes\n\tsubs\tx14, x25, x21\n\tsbcs\tx15, x26, x22\n\tsbcs\tx19, x27, x23\n\tsbcs\tx20, x28, x24\n\tbcs\tLbeeu_B_greater_than_A\n\n // Else A > B =>\n // A := A - B; Y := Y + X; goto beginning of the loop\n\tsubs\tx21, x21, x25\n\tsbcs\tx22, x22, x26\n\tsbcs\tx23, x23, x27\n\tsbcs\tx24, x24, x28\n\n\tadds\tx8, x8, x3\n\tadcs\tx9, x9, x4\n\tadcs\tx10, x10, x5\n\tadcs\tx11, x11, x6\n\tadc\tx12, x12, x7\n\tb\tLbeeu_loop\n\nLbeeu_B_greater_than_A:\n // Continue with B > A =>\n // B := B - A; X := X + Y; goto beginning of the loop\n\tmov\tx25, x14\n\tmov\tx26, x15\n\tmov\tx27, x19\n\tmov\tx28, x20\n\n\tadds\tx3, x3, x8\n\tadcs\tx4, x4, x9\n\tadcs\tx5, x5, x10\n\tadcs\tx6, x6, x11\n\tadc\tx7, x7, x12\n\tb\tLbeeu_loop\n\nLbeeu_loop_end:\n // The Euclid's algorithm loop ends when A == gcd(a,n);\n // this would be 1, when a and n are co-prime (i.e. do not have a common factor).\n // Since (-1)*Y*a == A (mod |n|), Y>0\n // then out = -Y mod n\n\n // Verify that A = 1 ==> (-1)*Y*a = A = 1 (mod |n|)\n // Is A-1 == 0?\n // If not, fail.\n\tsub\tx14, x21, #1\n\torr\tx14, x14, x22\n\torr\tx14, x14, x23\n\torr\tx14, x14, x24\n\tcbnz\tx14, Lbeeu_err\n\n // If Y>n ==> Y:=Y-n\nLbeeu_reduction_loop:\n // x_i := y_i - n_i (X is no longer needed, use it as temp)\n // (x14 = 0 from above)\n\tsubs\tx3, x8, x0\n\tsbcs\tx4, x9, x1\n\tsbcs\tx5, x10, x2\n\tsbcs\tx6, x11, x30\n\tsbcs\tx7, x12, x14\n\n // If result is non-negative (i.e., cs = carry set = no borrow),\n // y_i := x_i; goto reduce again\n // else\n // y_i := y_i; continue\n\tcsel\tx8, x3, x8, cs\n\tcsel\tx9, x4, x9, cs\n\tcsel\tx10, x5, x10, cs\n\tcsel\tx11, x6, x11, cs\n\tcsel\tx12, x7, x12, cs\n\tbcs\tLbeeu_reduction_loop\n\n // Now Y < n (Y cannot be equal to n, since the inverse cannot be 0)\n // out = -Y = n-Y\n\tsubs\tx8, x0, x8\n\tsbcs\tx9, x1, x9\n\tsbcs\tx10, x2, x10\n\tsbcs\tx11, x30, x11\n\n // Save Y in output (out (x0) was saved on the stack)\n\tldr\tx3, [sp,#96]\n\tstp\tx8, x9, [x3]\n\tstp\tx10, x11, [x3,#16]\n // return 1 (success)\n\tmov\tx0, #1\n\tb\tLbeeu_finish\n\nLbeeu_err:\n // return 0 (error)\n\teor\tx0, x0, x0\n\nLbeeu_finish:\n // Restore callee-saved registers, except x0, x2\n\tadd\tsp,x29,#0\n\tldp\tx19,x20,[sp,#16]\n\tldp\tx21,x22,[sp,#32]\n\tldp\tx23,x24,[sp,#48]\n\tldp\tx25,x26,[sp,#64]\n\tldp\tx27,x28,[sp,#80]\n\tldp\tx29,x30,[sp],#112\n\n\tAARCH64_VALIDATE_LINK_REGISTER\n\tret\n\n#endif // !OPENSSL_NO_ASM && defined(OPENSSL_AARCH64) && defined(__APPLE__)\n#if defined(__linux__) && defined(__ELF__)\n.section .note.GNU-stack,\"\",%progbits\n#endif\n\n" }, { "path": "Sources/CNIOBoringSSL/gen/bcm/p256_beeu-armv8-asm-linux.S", "content": "#define BORINGSSL_PREFIX CNIOBoringSSL\n// This file is generated from a similarly-named Perl script in the BoringSSL\n// source tree. Do not edit by hand.\n\n#include \n\n#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_AARCH64) && defined(__ELF__)\n#include \"CNIOBoringSSL_arm_arch.h\"\n\n.text\n.globl\tbeeu_mod_inverse_vartime\n.hidden\tbeeu_mod_inverse_vartime\n.type\tbeeu_mod_inverse_vartime, %function\n.align\t4\nbeeu_mod_inverse_vartime:\n // Reserve enough space for 14 8-byte registers on the stack\n // in the first stp call for x29, x30.\n // Then store the remaining callee-saved registers.\n //\n // | x29 | x30 | x19 | x20 | ... | x27 | x28 | x0 | x2 |\n // ^ ^\n // sp <------------------- 112 bytes ----------------> old sp\n // x29 (FP)\n //\n\tAARCH64_SIGN_LINK_REGISTER\n\tstp\tx29,x30,[sp,#-112]!\n\tadd\tx29,sp,#0\n\tstp\tx19,x20,[sp,#16]\n\tstp\tx21,x22,[sp,#32]\n\tstp\tx23,x24,[sp,#48]\n\tstp\tx25,x26,[sp,#64]\n\tstp\tx27,x28,[sp,#80]\n\tstp\tx0,x2,[sp,#96]\n\n // B = b3..b0 := a\n\tldp\tx25,x26,[x1]\n\tldp\tx27,x28,[x1,#16]\n\n // n3..n0 := n\n // Note: the value of input params are changed in the following.\n\tldp\tx0,x1,[x2]\n\tldp\tx2,x30,[x2,#16]\n\n // A = a3..a0 := n\n\tmov\tx21, x0\n\tmov\tx22, x1\n\tmov\tx23, x2\n\tmov\tx24, x30\n\n // X = x4..x0 := 1\n\tmov\tx3, #1\n\teor\tx4, x4, x4\n\teor\tx5, x5, x5\n\teor\tx6, x6, x6\n\teor\tx7, x7, x7\n\n // Y = y4..y0 := 0\n\teor\tx8, x8, x8\n\teor\tx9, x9, x9\n\teor\tx10, x10, x10\n\teor\tx11, x11, x11\n\teor\tx12, x12, x12\n\n.Lbeeu_loop:\n // if B == 0, jump to .Lbeeu_loop_end\n\torr\tx14, x25, x26\n\torr\tx14, x14, x27\n\n // reverse the bit order of x25. This is needed for clz after this macro\n\trbit\tx15, x25\n\n\torr\tx14, x14, x28\n\tcbz\tx14,.Lbeeu_loop_end\n\n\n // 0 < B < |n|,\n // 0 < A <= |n|,\n // (1) X*a == B (mod |n|),\n // (2) (-1)*Y*a == A (mod |n|)\n\n // Now divide B by the maximum possible power of two in the\n // integers, and divide X by the same value mod |n|.\n // When we're done, (1) still holds.\n\n // shift := number of trailing 0s in x25\n // ( = number of leading 0s in x15; see the \"rbit\" instruction in TEST_B_ZERO)\n\tclz\tx13, x15\n\n // If there is no shift, goto shift_A_Y\n\tcbz\tx13, .Lbeeu_shift_A_Y\n\n // Shift B right by \"x13\" bits\n\tneg\tx14, x13\n\tlsr\tx25, x25, x13\n\tlsl\tx15, x26, x14\n\n\tlsr\tx26, x26, x13\n\tlsl\tx19, x27, x14\n\n\torr\tx25, x25, x15\n\n\tlsr\tx27, x27, x13\n\tlsl\tx20, x28, x14\n\n\torr\tx26, x26, x19\n\n\tlsr\tx28, x28, x13\n\n\torr\tx27, x27, x20\n\n\n // Shift X right by \"x13\" bits, adding n whenever X becomes odd.\n // x13--;\n // x14 := 0; needed in the addition to the most significant word in SHIFT1\n\teor\tx14, x14, x14\n.Lbeeu_shift_loop_X:\n\ttbz\tx3, #0, .Lshift1_0\n\tadds\tx3, x3, x0\n\tadcs\tx4, x4, x1\n\tadcs\tx5, x5, x2\n\tadcs\tx6, x6, x30\n\tadc\tx7, x7, x14\n.Lshift1_0:\n // var0 := [var1|var0]<64..1>;\n // i.e. concatenate var1 and var0,\n // extract bits <64..1> from the resulting 128-bit value\n // and put them in var0\n\textr\tx3, x4, x3, #1\n\textr\tx4, x5, x4, #1\n\textr\tx5, x6, x5, #1\n\textr\tx6, x7, x6, #1\n\tlsr\tx7, x7, #1\n\n\tsubs\tx13, x13, #1\n\tbne\t.Lbeeu_shift_loop_X\n\n // Note: the steps above perform the same sequence as in p256_beeu-x86_64-asm.pl\n // with the following differences:\n // - \"x13\" is set directly to the number of trailing 0s in B\n // (using rbit and clz instructions)\n // - The loop is only used to call SHIFT1(X)\n // and x13 is decreased while executing the X loop.\n // - SHIFT256(B, x13) is performed before right-shifting X; they are independent\n\n.Lbeeu_shift_A_Y:\n // Same for A and Y.\n // Afterwards, (2) still holds.\n // Reverse the bit order of x21\n // x13 := number of trailing 0s in x21 (= number of leading 0s in x15)\n\trbit\tx15, x21\n\tclz\tx13, x15\n\n // If there is no shift, goto |B-A|, X+Y update\n\tcbz\tx13, .Lbeeu_update_B_X_or_A_Y\n\n // Shift A right by \"x13\" bits\n\tneg\tx14, x13\n\tlsr\tx21, x21, x13\n\tlsl\tx15, x22, x14\n\n\tlsr\tx22, x22, x13\n\tlsl\tx19, x23, x14\n\n\torr\tx21, x21, x15\n\n\tlsr\tx23, x23, x13\n\tlsl\tx20, x24, x14\n\n\torr\tx22, x22, x19\n\n\tlsr\tx24, x24, x13\n\n\torr\tx23, x23, x20\n\n\n // Shift Y right by \"x13\" bits, adding n whenever Y becomes odd.\n // x13--;\n // x14 := 0; needed in the addition to the most significant word in SHIFT1\n\teor\tx14, x14, x14\n.Lbeeu_shift_loop_Y:\n\ttbz\tx8, #0, .Lshift1_1\n\tadds\tx8, x8, x0\n\tadcs\tx9, x9, x1\n\tadcs\tx10, x10, x2\n\tadcs\tx11, x11, x30\n\tadc\tx12, x12, x14\n.Lshift1_1:\n // var0 := [var1|var0]<64..1>;\n // i.e. concatenate var1 and var0,\n // extract bits <64..1> from the resulting 128-bit value\n // and put them in var0\n\textr\tx8, x9, x8, #1\n\textr\tx9, x10, x9, #1\n\textr\tx10, x11, x10, #1\n\textr\tx11, x12, x11, #1\n\tlsr\tx12, x12, #1\n\n\tsubs\tx13, x13, #1\n\tbne\t.Lbeeu_shift_loop_Y\n\n.Lbeeu_update_B_X_or_A_Y:\n // Try T := B - A; if cs, continue with B > A (cs: carry set = no borrow)\n // Note: this is a case of unsigned arithmetic, where T fits in 4 64-bit words\n // without taking a sign bit if generated. The lack of a carry would\n // indicate a negative result. See, for example,\n // https://community.arm.com/developer/ip-products/processors/b/processors-ip-blog/posts/condition-codes-1-condition-flags-and-codes\n\tsubs\tx14, x25, x21\n\tsbcs\tx15, x26, x22\n\tsbcs\tx19, x27, x23\n\tsbcs\tx20, x28, x24\n\tbcs\t.Lbeeu_B_greater_than_A\n\n // Else A > B =>\n // A := A - B; Y := Y + X; goto beginning of the loop\n\tsubs\tx21, x21, x25\n\tsbcs\tx22, x22, x26\n\tsbcs\tx23, x23, x27\n\tsbcs\tx24, x24, x28\n\n\tadds\tx8, x8, x3\n\tadcs\tx9, x9, x4\n\tadcs\tx10, x10, x5\n\tadcs\tx11, x11, x6\n\tadc\tx12, x12, x7\n\tb\t.Lbeeu_loop\n\n.Lbeeu_B_greater_than_A:\n // Continue with B > A =>\n // B := B - A; X := X + Y; goto beginning of the loop\n\tmov\tx25, x14\n\tmov\tx26, x15\n\tmov\tx27, x19\n\tmov\tx28, x20\n\n\tadds\tx3, x3, x8\n\tadcs\tx4, x4, x9\n\tadcs\tx5, x5, x10\n\tadcs\tx6, x6, x11\n\tadc\tx7, x7, x12\n\tb\t.Lbeeu_loop\n\n.Lbeeu_loop_end:\n // The Euclid's algorithm loop ends when A == gcd(a,n);\n // this would be 1, when a and n are co-prime (i.e. do not have a common factor).\n // Since (-1)*Y*a == A (mod |n|), Y>0\n // then out = -Y mod n\n\n // Verify that A = 1 ==> (-1)*Y*a = A = 1 (mod |n|)\n // Is A-1 == 0?\n // If not, fail.\n\tsub\tx14, x21, #1\n\torr\tx14, x14, x22\n\torr\tx14, x14, x23\n\torr\tx14, x14, x24\n\tcbnz\tx14, .Lbeeu_err\n\n // If Y>n ==> Y:=Y-n\n.Lbeeu_reduction_loop:\n // x_i := y_i - n_i (X is no longer needed, use it as temp)\n // (x14 = 0 from above)\n\tsubs\tx3, x8, x0\n\tsbcs\tx4, x9, x1\n\tsbcs\tx5, x10, x2\n\tsbcs\tx6, x11, x30\n\tsbcs\tx7, x12, x14\n\n // If result is non-negative (i.e., cs = carry set = no borrow),\n // y_i := x_i; goto reduce again\n // else\n // y_i := y_i; continue\n\tcsel\tx8, x3, x8, cs\n\tcsel\tx9, x4, x9, cs\n\tcsel\tx10, x5, x10, cs\n\tcsel\tx11, x6, x11, cs\n\tcsel\tx12, x7, x12, cs\n\tbcs\t.Lbeeu_reduction_loop\n\n // Now Y < n (Y cannot be equal to n, since the inverse cannot be 0)\n // out = -Y = n-Y\n\tsubs\tx8, x0, x8\n\tsbcs\tx9, x1, x9\n\tsbcs\tx10, x2, x10\n\tsbcs\tx11, x30, x11\n\n // Save Y in output (out (x0) was saved on the stack)\n\tldr\tx3, [sp,#96]\n\tstp\tx8, x9, [x3]\n\tstp\tx10, x11, [x3,#16]\n // return 1 (success)\n\tmov\tx0, #1\n\tb\t.Lbeeu_finish\n\n.Lbeeu_err:\n // return 0 (error)\n\teor\tx0, x0, x0\n\n.Lbeeu_finish:\n // Restore callee-saved registers, except x0, x2\n\tadd\tsp,x29,#0\n\tldp\tx19,x20,[sp,#16]\n\tldp\tx21,x22,[sp,#32]\n\tldp\tx23,x24,[sp,#48]\n\tldp\tx25,x26,[sp,#64]\n\tldp\tx27,x28,[sp,#80]\n\tldp\tx29,x30,[sp],#112\n\n\tAARCH64_VALIDATE_LINK_REGISTER\n\tret\n.size\tbeeu_mod_inverse_vartime,.-beeu_mod_inverse_vartime\n#endif // !OPENSSL_NO_ASM && defined(OPENSSL_AARCH64) && defined(__ELF__)\n#if defined(__linux__) && defined(__ELF__)\n.section .note.GNU-stack,\"\",%progbits\n#endif\n\n" }, { "path": "Sources/CNIOBoringSSL/gen/bcm/p256_beeu-armv8-asm-win.S", "content": "#define BORINGSSL_PREFIX CNIOBoringSSL\n// This file is generated from a similarly-named Perl script in the BoringSSL\n// source tree. Do not edit by hand.\n\n#include \n\n#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_AARCH64) && defined(_WIN32)\n#include \"CNIOBoringSSL_arm_arch.h\"\n\n.text\n.globl\tbeeu_mod_inverse_vartime\n\n\n.align\t4\nbeeu_mod_inverse_vartime:\n // Reserve enough space for 14 8-byte registers on the stack\n // in the first stp call for x29, x30.\n // Then store the remaining callee-saved registers.\n //\n // | x29 | x30 | x19 | x20 | ... | x27 | x28 | x0 | x2 |\n // ^ ^\n // sp <------------------- 112 bytes ----------------> old sp\n // x29 (FP)\n //\n\tAARCH64_SIGN_LINK_REGISTER\n\tstp\tx29,x30,[sp,#-112]!\n\tadd\tx29,sp,#0\n\tstp\tx19,x20,[sp,#16]\n\tstp\tx21,x22,[sp,#32]\n\tstp\tx23,x24,[sp,#48]\n\tstp\tx25,x26,[sp,#64]\n\tstp\tx27,x28,[sp,#80]\n\tstp\tx0,x2,[sp,#96]\n\n // B = b3..b0 := a\n\tldp\tx25,x26,[x1]\n\tldp\tx27,x28,[x1,#16]\n\n // n3..n0 := n\n // Note: the value of input params are changed in the following.\n\tldp\tx0,x1,[x2]\n\tldp\tx2,x30,[x2,#16]\n\n // A = a3..a0 := n\n\tmov\tx21, x0\n\tmov\tx22, x1\n\tmov\tx23, x2\n\tmov\tx24, x30\n\n // X = x4..x0 := 1\n\tmov\tx3, #1\n\teor\tx4, x4, x4\n\teor\tx5, x5, x5\n\teor\tx6, x6, x6\n\teor\tx7, x7, x7\n\n // Y = y4..y0 := 0\n\teor\tx8, x8, x8\n\teor\tx9, x9, x9\n\teor\tx10, x10, x10\n\teor\tx11, x11, x11\n\teor\tx12, x12, x12\n\nLbeeu_loop:\n // if B == 0, jump to .Lbeeu_loop_end\n\torr\tx14, x25, x26\n\torr\tx14, x14, x27\n\n // reverse the bit order of x25. This is needed for clz after this macro\n\trbit\tx15, x25\n\n\torr\tx14, x14, x28\n\tcbz\tx14,Lbeeu_loop_end\n\n\n // 0 < B < |n|,\n // 0 < A <= |n|,\n // (1) X*a == B (mod |n|),\n // (2) (-1)*Y*a == A (mod |n|)\n\n // Now divide B by the maximum possible power of two in the\n // integers, and divide X by the same value mod |n|.\n // When we're done, (1) still holds.\n\n // shift := number of trailing 0s in x25\n // ( = number of leading 0s in x15; see the \"rbit\" instruction in TEST_B_ZERO)\n\tclz\tx13, x15\n\n // If there is no shift, goto shift_A_Y\n\tcbz\tx13, Lbeeu_shift_A_Y\n\n // Shift B right by \"x13\" bits\n\tneg\tx14, x13\n\tlsr\tx25, x25, x13\n\tlsl\tx15, x26, x14\n\n\tlsr\tx26, x26, x13\n\tlsl\tx19, x27, x14\n\n\torr\tx25, x25, x15\n\n\tlsr\tx27, x27, x13\n\tlsl\tx20, x28, x14\n\n\torr\tx26, x26, x19\n\n\tlsr\tx28, x28, x13\n\n\torr\tx27, x27, x20\n\n\n // Shift X right by \"x13\" bits, adding n whenever X becomes odd.\n // x13--;\n // x14 := 0; needed in the addition to the most significant word in SHIFT1\n\teor\tx14, x14, x14\nLbeeu_shift_loop_X:\n\ttbz\tx3, #0, Lshift1_0\n\tadds\tx3, x3, x0\n\tadcs\tx4, x4, x1\n\tadcs\tx5, x5, x2\n\tadcs\tx6, x6, x30\n\tadc\tx7, x7, x14\nLshift1_0:\n // var0 := [var1|var0]<64..1>;\n // i.e. concatenate var1 and var0,\n // extract bits <64..1> from the resulting 128-bit value\n // and put them in var0\n\textr\tx3, x4, x3, #1\n\textr\tx4, x5, x4, #1\n\textr\tx5, x6, x5, #1\n\textr\tx6, x7, x6, #1\n\tlsr\tx7, x7, #1\n\n\tsubs\tx13, x13, #1\n\tbne\tLbeeu_shift_loop_X\n\n // Note: the steps above perform the same sequence as in p256_beeu-x86_64-asm.pl\n // with the following differences:\n // - \"x13\" is set directly to the number of trailing 0s in B\n // (using rbit and clz instructions)\n // - The loop is only used to call SHIFT1(X)\n // and x13 is decreased while executing the X loop.\n // - SHIFT256(B, x13) is performed before right-shifting X; they are independent\n\nLbeeu_shift_A_Y:\n // Same for A and Y.\n // Afterwards, (2) still holds.\n // Reverse the bit order of x21\n // x13 := number of trailing 0s in x21 (= number of leading 0s in x15)\n\trbit\tx15, x21\n\tclz\tx13, x15\n\n // If there is no shift, goto |B-A|, X+Y update\n\tcbz\tx13, Lbeeu_update_B_X_or_A_Y\n\n // Shift A right by \"x13\" bits\n\tneg\tx14, x13\n\tlsr\tx21, x21, x13\n\tlsl\tx15, x22, x14\n\n\tlsr\tx22, x22, x13\n\tlsl\tx19, x23, x14\n\n\torr\tx21, x21, x15\n\n\tlsr\tx23, x23, x13\n\tlsl\tx20, x24, x14\n\n\torr\tx22, x22, x19\n\n\tlsr\tx24, x24, x13\n\n\torr\tx23, x23, x20\n\n\n // Shift Y right by \"x13\" bits, adding n whenever Y becomes odd.\n // x13--;\n // x14 := 0; needed in the addition to the most significant word in SHIFT1\n\teor\tx14, x14, x14\nLbeeu_shift_loop_Y:\n\ttbz\tx8, #0, Lshift1_1\n\tadds\tx8, x8, x0\n\tadcs\tx9, x9, x1\n\tadcs\tx10, x10, x2\n\tadcs\tx11, x11, x30\n\tadc\tx12, x12, x14\nLshift1_1:\n // var0 := [var1|var0]<64..1>;\n // i.e. concatenate var1 and var0,\n // extract bits <64..1> from the resulting 128-bit value\n // and put them in var0\n\textr\tx8, x9, x8, #1\n\textr\tx9, x10, x9, #1\n\textr\tx10, x11, x10, #1\n\textr\tx11, x12, x11, #1\n\tlsr\tx12, x12, #1\n\n\tsubs\tx13, x13, #1\n\tbne\tLbeeu_shift_loop_Y\n\nLbeeu_update_B_X_or_A_Y:\n // Try T := B - A; if cs, continue with B > A (cs: carry set = no borrow)\n // Note: this is a case of unsigned arithmetic, where T fits in 4 64-bit words\n // without taking a sign bit if generated. The lack of a carry would\n // indicate a negative result. See, for example,\n // https://community.arm.com/developer/ip-products/processors/b/processors-ip-blog/posts/condition-codes-1-condition-flags-and-codes\n\tsubs\tx14, x25, x21\n\tsbcs\tx15, x26, x22\n\tsbcs\tx19, x27, x23\n\tsbcs\tx20, x28, x24\n\tbcs\tLbeeu_B_greater_than_A\n\n // Else A > B =>\n // A := A - B; Y := Y + X; goto beginning of the loop\n\tsubs\tx21, x21, x25\n\tsbcs\tx22, x22, x26\n\tsbcs\tx23, x23, x27\n\tsbcs\tx24, x24, x28\n\n\tadds\tx8, x8, x3\n\tadcs\tx9, x9, x4\n\tadcs\tx10, x10, x5\n\tadcs\tx11, x11, x6\n\tadc\tx12, x12, x7\n\tb\tLbeeu_loop\n\nLbeeu_B_greater_than_A:\n // Continue with B > A =>\n // B := B - A; X := X + Y; goto beginning of the loop\n\tmov\tx25, x14\n\tmov\tx26, x15\n\tmov\tx27, x19\n\tmov\tx28, x20\n\n\tadds\tx3, x3, x8\n\tadcs\tx4, x4, x9\n\tadcs\tx5, x5, x10\n\tadcs\tx6, x6, x11\n\tadc\tx7, x7, x12\n\tb\tLbeeu_loop\n\nLbeeu_loop_end:\n // The Euclid's algorithm loop ends when A == gcd(a,n);\n // this would be 1, when a and n are co-prime (i.e. do not have a common factor).\n // Since (-1)*Y*a == A (mod |n|), Y>0\n // then out = -Y mod n\n\n // Verify that A = 1 ==> (-1)*Y*a = A = 1 (mod |n|)\n // Is A-1 == 0?\n // If not, fail.\n\tsub\tx14, x21, #1\n\torr\tx14, x14, x22\n\torr\tx14, x14, x23\n\torr\tx14, x14, x24\n\tcbnz\tx14, Lbeeu_err\n\n // If Y>n ==> Y:=Y-n\nLbeeu_reduction_loop:\n // x_i := y_i - n_i (X is no longer needed, use it as temp)\n // (x14 = 0 from above)\n\tsubs\tx3, x8, x0\n\tsbcs\tx4, x9, x1\n\tsbcs\tx5, x10, x2\n\tsbcs\tx6, x11, x30\n\tsbcs\tx7, x12, x14\n\n // If result is non-negative (i.e., cs = carry set = no borrow),\n // y_i := x_i; goto reduce again\n // else\n // y_i := y_i; continue\n\tcsel\tx8, x3, x8, cs\n\tcsel\tx9, x4, x9, cs\n\tcsel\tx10, x5, x10, cs\n\tcsel\tx11, x6, x11, cs\n\tcsel\tx12, x7, x12, cs\n\tbcs\tLbeeu_reduction_loop\n\n // Now Y < n (Y cannot be equal to n, since the inverse cannot be 0)\n // out = -Y = n-Y\n\tsubs\tx8, x0, x8\n\tsbcs\tx9, x1, x9\n\tsbcs\tx10, x2, x10\n\tsbcs\tx11, x30, x11\n\n // Save Y in output (out (x0) was saved on the stack)\n\tldr\tx3, [sp,#96]\n\tstp\tx8, x9, [x3]\n\tstp\tx10, x11, [x3,#16]\n // return 1 (success)\n\tmov\tx0, #1\n\tb\tLbeeu_finish\n\nLbeeu_err:\n // return 0 (error)\n\teor\tx0, x0, x0\n\nLbeeu_finish:\n // Restore callee-saved registers, except x0, x2\n\tadd\tsp,x29,#0\n\tldp\tx19,x20,[sp,#16]\n\tldp\tx21,x22,[sp,#32]\n\tldp\tx23,x24,[sp,#48]\n\tldp\tx25,x26,[sp,#64]\n\tldp\tx27,x28,[sp,#80]\n\tldp\tx29,x30,[sp],#112\n\n\tAARCH64_VALIDATE_LINK_REGISTER\n\tret\n\n#endif // !OPENSSL_NO_ASM && defined(OPENSSL_AARCH64) && defined(_WIN32)\n#if defined(__linux__) && defined(__ELF__)\n.section .note.GNU-stack,\"\",%progbits\n#endif\n\n" }, { "path": "Sources/CNIOBoringSSL/gen/bcm/p256_beeu-x86_64-asm-apple.S", "content": "#define BORINGSSL_PREFIX CNIOBoringSSL\n// This file is generated from a similarly-named Perl script in the BoringSSL\n// source tree. Do not edit by hand.\n\n#include \n\n#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86_64) && defined(__APPLE__)\n.text\t\n\n\n.private_extern\t_beeu_mod_inverse_vartime\n.globl\t_beeu_mod_inverse_vartime\n.private_extern _beeu_mod_inverse_vartime\n.p2align\t5\n_beeu_mod_inverse_vartime:\n\n_CET_ENDBR\n\tpushq\t%rbp\n\n\tpushq\t%r12\n\n\tpushq\t%r13\n\n\tpushq\t%r14\n\n\tpushq\t%r15\n\n\tpushq\t%rbx\n\n\tpushq\t%rsi\n\n\n\tsubq\t$80,%rsp\n\n\tmovq\t%rdi,0(%rsp)\n\n\n\tmovq\t$1,%r8\n\txorq\t%r9,%r9\n\txorq\t%r10,%r10\n\txorq\t%r11,%r11\n\txorq\t%rdi,%rdi\n\n\txorq\t%r12,%r12\n\txorq\t%r13,%r13\n\txorq\t%r14,%r14\n\txorq\t%r15,%r15\n\txorq\t%rbp,%rbp\n\n\n\tvmovdqu\t0(%rsi),%xmm0\n\tvmovdqu\t16(%rsi),%xmm1\n\tvmovdqu\t%xmm0,48(%rsp)\n\tvmovdqu\t%xmm1,64(%rsp)\n\n\tvmovdqu\t0(%rdx),%xmm0\n\tvmovdqu\t16(%rdx),%xmm1\n\tvmovdqu\t%xmm0,16(%rsp)\n\tvmovdqu\t%xmm1,32(%rsp)\n\nL$beeu_loop:\n\txorq\t%rbx,%rbx\n\torq\t48(%rsp),%rbx\n\torq\t56(%rsp),%rbx\n\torq\t64(%rsp),%rbx\n\torq\t72(%rsp),%rbx\n\tjz\tL$beeu_loop_end\n\n\n\n\n\n\n\n\n\n\n\tmovq\t$1,%rcx\n\n\nL$beeu_shift_loop_XB:\n\tmovq\t%rcx,%rbx\n\tandq\t48(%rsp),%rbx\n\tjnz\tL$beeu_shift_loop_end_XB\n\n\n\tmovq\t$1,%rbx\n\tandq\t%r8,%rbx\n\tjz\tL$shift1_0\n\taddq\t0(%rdx),%r8\n\tadcq\t8(%rdx),%r9\n\tadcq\t16(%rdx),%r10\n\tadcq\t24(%rdx),%r11\n\tadcq\t$0,%rdi\n\nL$shift1_0:\n\tshrdq\t$1,%r9,%r8\n\tshrdq\t$1,%r10,%r9\n\tshrdq\t$1,%r11,%r10\n\tshrdq\t$1,%rdi,%r11\n\tshrq\t$1,%rdi\n\n\tshlq\t$1,%rcx\n\n\n\n\n\n\tcmpq\t$0x8000000,%rcx\n\tjne\tL$beeu_shift_loop_XB\n\nL$beeu_shift_loop_end_XB:\n\tbsfq\t%rcx,%rcx\n\ttestq\t%rcx,%rcx\n\tjz\tL$beeu_no_shift_XB\n\n\n\n\tmovq\t8+48(%rsp),%rax\n\tmovq\t16+48(%rsp),%rbx\n\tmovq\t24+48(%rsp),%rsi\n\n\tshrdq\t%cl,%rax,0+48(%rsp)\n\tshrdq\t%cl,%rbx,8+48(%rsp)\n\tshrdq\t%cl,%rsi,16+48(%rsp)\n\n\tshrq\t%cl,%rsi\n\tmovq\t%rsi,24+48(%rsp)\n\n\nL$beeu_no_shift_XB:\n\n\tmovq\t$1,%rcx\n\n\nL$beeu_shift_loop_YA:\n\tmovq\t%rcx,%rbx\n\tandq\t16(%rsp),%rbx\n\tjnz\tL$beeu_shift_loop_end_YA\n\n\n\tmovq\t$1,%rbx\n\tandq\t%r12,%rbx\n\tjz\tL$shift1_1\n\taddq\t0(%rdx),%r12\n\tadcq\t8(%rdx),%r13\n\tadcq\t16(%rdx),%r14\n\tadcq\t24(%rdx),%r15\n\tadcq\t$0,%rbp\n\nL$shift1_1:\n\tshrdq\t$1,%r13,%r12\n\tshrdq\t$1,%r14,%r13\n\tshrdq\t$1,%r15,%r14\n\tshrdq\t$1,%rbp,%r15\n\tshrq\t$1,%rbp\n\n\tshlq\t$1,%rcx\n\n\n\n\n\n\tcmpq\t$0x8000000,%rcx\n\tjne\tL$beeu_shift_loop_YA\n\nL$beeu_shift_loop_end_YA:\n\tbsfq\t%rcx,%rcx\n\ttestq\t%rcx,%rcx\n\tjz\tL$beeu_no_shift_YA\n\n\n\n\tmovq\t8+16(%rsp),%rax\n\tmovq\t16+16(%rsp),%rbx\n\tmovq\t24+16(%rsp),%rsi\n\n\tshrdq\t%cl,%rax,0+16(%rsp)\n\tshrdq\t%cl,%rbx,8+16(%rsp)\n\tshrdq\t%cl,%rsi,16+16(%rsp)\n\n\tshrq\t%cl,%rsi\n\tmovq\t%rsi,24+16(%rsp)\n\n\nL$beeu_no_shift_YA:\n\n\tmovq\t48(%rsp),%rax\n\tmovq\t56(%rsp),%rbx\n\tmovq\t64(%rsp),%rsi\n\tmovq\t72(%rsp),%rcx\n\tsubq\t16(%rsp),%rax\n\tsbbq\t24(%rsp),%rbx\n\tsbbq\t32(%rsp),%rsi\n\tsbbq\t40(%rsp),%rcx\n\tjnc\tL$beeu_B_bigger_than_A\n\n\n\tmovq\t16(%rsp),%rax\n\tmovq\t24(%rsp),%rbx\n\tmovq\t32(%rsp),%rsi\n\tmovq\t40(%rsp),%rcx\n\tsubq\t48(%rsp),%rax\n\tsbbq\t56(%rsp),%rbx\n\tsbbq\t64(%rsp),%rsi\n\tsbbq\t72(%rsp),%rcx\n\tmovq\t%rax,16(%rsp)\n\tmovq\t%rbx,24(%rsp)\n\tmovq\t%rsi,32(%rsp)\n\tmovq\t%rcx,40(%rsp)\n\n\n\taddq\t%r8,%r12\n\tadcq\t%r9,%r13\n\tadcq\t%r10,%r14\n\tadcq\t%r11,%r15\n\tadcq\t%rdi,%rbp\n\tjmp\tL$beeu_loop\n\nL$beeu_B_bigger_than_A:\n\n\tmovq\t%rax,48(%rsp)\n\tmovq\t%rbx,56(%rsp)\n\tmovq\t%rsi,64(%rsp)\n\tmovq\t%rcx,72(%rsp)\n\n\n\taddq\t%r12,%r8\n\tadcq\t%r13,%r9\n\tadcq\t%r14,%r10\n\tadcq\t%r15,%r11\n\tadcq\t%rbp,%rdi\n\n\tjmp\tL$beeu_loop\n\nL$beeu_loop_end:\n\n\n\n\n\tmovq\t16(%rsp),%rbx\n\tsubq\t$1,%rbx\n\torq\t24(%rsp),%rbx\n\torq\t32(%rsp),%rbx\n\torq\t40(%rsp),%rbx\n\n\tjnz\tL$beeu_err\n\n\n\n\n\tmovq\t0(%rdx),%r8\n\tmovq\t8(%rdx),%r9\n\tmovq\t16(%rdx),%r10\n\tmovq\t24(%rdx),%r11\n\txorq\t%rdi,%rdi\n\nL$beeu_reduction_loop:\n\tmovq\t%r12,16(%rsp)\n\tmovq\t%r13,24(%rsp)\n\tmovq\t%r14,32(%rsp)\n\tmovq\t%r15,40(%rsp)\n\tmovq\t%rbp,48(%rsp)\n\n\n\tsubq\t%r8,%r12\n\tsbbq\t%r9,%r13\n\tsbbq\t%r10,%r14\n\tsbbq\t%r11,%r15\n\tsbbq\t$0,%rbp\n\n\n\tcmovcq\t16(%rsp),%r12\n\tcmovcq\t24(%rsp),%r13\n\tcmovcq\t32(%rsp),%r14\n\tcmovcq\t40(%rsp),%r15\n\tjnc\tL$beeu_reduction_loop\n\n\n\tsubq\t%r12,%r8\n\tsbbq\t%r13,%r9\n\tsbbq\t%r14,%r10\n\tsbbq\t%r15,%r11\n\nL$beeu_save:\n\n\tmovq\t0(%rsp),%rdi\n\n\tmovq\t%r8,0(%rdi)\n\tmovq\t%r9,8(%rdi)\n\tmovq\t%r10,16(%rdi)\n\tmovq\t%r11,24(%rdi)\n\n\n\tmovq\t$1,%rax\n\tjmp\tL$beeu_finish\n\nL$beeu_err:\n\n\txorq\t%rax,%rax\n\nL$beeu_finish:\n\taddq\t$80,%rsp\n\n\tpopq\t%rsi\n\n\tpopq\t%rbx\n\n\tpopq\t%r15\n\n\tpopq\t%r14\n\n\tpopq\t%r13\n\n\tpopq\t%r12\n\n\tpopq\t%rbp\n\n\tret\n\n\n\n#endif\n#if defined(__linux__) && defined(__ELF__)\n.section .note.GNU-stack,\"\",%progbits\n#endif\n\n" }, { "path": "Sources/CNIOBoringSSL/gen/bcm/p256_beeu-x86_64-asm-linux.S", "content": "#define BORINGSSL_PREFIX CNIOBoringSSL\n// This file is generated from a similarly-named Perl script in the BoringSSL\n// source tree. Do not edit by hand.\n\n#include \n\n#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86_64) && defined(__ELF__)\n.text\t\n\n.type\tbeeu_mod_inverse_vartime,@function\n.hidden\tbeeu_mod_inverse_vartime\n.globl\tbeeu_mod_inverse_vartime\n.hidden beeu_mod_inverse_vartime\n.align\t32\nbeeu_mod_inverse_vartime:\n.cfi_startproc\t\n_CET_ENDBR\n\tpushq\t%rbp\n.cfi_adjust_cfa_offset\t8\n.cfi_offset\trbp,-16\n\tpushq\t%r12\n.cfi_adjust_cfa_offset\t8\n.cfi_offset\tr12,-24\n\tpushq\t%r13\n.cfi_adjust_cfa_offset\t8\n.cfi_offset\tr13,-32\n\tpushq\t%r14\n.cfi_adjust_cfa_offset\t8\n.cfi_offset\tr14,-40\n\tpushq\t%r15\n.cfi_adjust_cfa_offset\t8\n.cfi_offset\tr15,-48\n\tpushq\t%rbx\n.cfi_adjust_cfa_offset\t8\n.cfi_offset\trbx,-56\n\tpushq\t%rsi\n.cfi_adjust_cfa_offset\t8\n.cfi_offset\trsi,-64\n\n\tsubq\t$80,%rsp\n.cfi_adjust_cfa_offset\t80\n\tmovq\t%rdi,0(%rsp)\n\n\n\tmovq\t$1,%r8\n\txorq\t%r9,%r9\n\txorq\t%r10,%r10\n\txorq\t%r11,%r11\n\txorq\t%rdi,%rdi\n\n\txorq\t%r12,%r12\n\txorq\t%r13,%r13\n\txorq\t%r14,%r14\n\txorq\t%r15,%r15\n\txorq\t%rbp,%rbp\n\n\n\tvmovdqu\t0(%rsi),%xmm0\n\tvmovdqu\t16(%rsi),%xmm1\n\tvmovdqu\t%xmm0,48(%rsp)\n\tvmovdqu\t%xmm1,64(%rsp)\n\n\tvmovdqu\t0(%rdx),%xmm0\n\tvmovdqu\t16(%rdx),%xmm1\n\tvmovdqu\t%xmm0,16(%rsp)\n\tvmovdqu\t%xmm1,32(%rsp)\n\n.Lbeeu_loop:\n\txorq\t%rbx,%rbx\n\torq\t48(%rsp),%rbx\n\torq\t56(%rsp),%rbx\n\torq\t64(%rsp),%rbx\n\torq\t72(%rsp),%rbx\n\tjz\t.Lbeeu_loop_end\n\n\n\n\n\n\n\n\n\n\n\tmovq\t$1,%rcx\n\n\n.Lbeeu_shift_loop_XB:\n\tmovq\t%rcx,%rbx\n\tandq\t48(%rsp),%rbx\n\tjnz\t.Lbeeu_shift_loop_end_XB\n\n\n\tmovq\t$1,%rbx\n\tandq\t%r8,%rbx\n\tjz\t.Lshift1_0\n\taddq\t0(%rdx),%r8\n\tadcq\t8(%rdx),%r9\n\tadcq\t16(%rdx),%r10\n\tadcq\t24(%rdx),%r11\n\tadcq\t$0,%rdi\n\n.Lshift1_0:\n\tshrdq\t$1,%r9,%r8\n\tshrdq\t$1,%r10,%r9\n\tshrdq\t$1,%r11,%r10\n\tshrdq\t$1,%rdi,%r11\n\tshrq\t$1,%rdi\n\n\tshlq\t$1,%rcx\n\n\n\n\n\n\tcmpq\t$0x8000000,%rcx\n\tjne\t.Lbeeu_shift_loop_XB\n\n.Lbeeu_shift_loop_end_XB:\n\tbsfq\t%rcx,%rcx\n\ttestq\t%rcx,%rcx\n\tjz\t.Lbeeu_no_shift_XB\n\n\n\n\tmovq\t8+48(%rsp),%rax\n\tmovq\t16+48(%rsp),%rbx\n\tmovq\t24+48(%rsp),%rsi\n\n\tshrdq\t%cl,%rax,0+48(%rsp)\n\tshrdq\t%cl,%rbx,8+48(%rsp)\n\tshrdq\t%cl,%rsi,16+48(%rsp)\n\n\tshrq\t%cl,%rsi\n\tmovq\t%rsi,24+48(%rsp)\n\n\n.Lbeeu_no_shift_XB:\n\n\tmovq\t$1,%rcx\n\n\n.Lbeeu_shift_loop_YA:\n\tmovq\t%rcx,%rbx\n\tandq\t16(%rsp),%rbx\n\tjnz\t.Lbeeu_shift_loop_end_YA\n\n\n\tmovq\t$1,%rbx\n\tandq\t%r12,%rbx\n\tjz\t.Lshift1_1\n\taddq\t0(%rdx),%r12\n\tadcq\t8(%rdx),%r13\n\tadcq\t16(%rdx),%r14\n\tadcq\t24(%rdx),%r15\n\tadcq\t$0,%rbp\n\n.Lshift1_1:\n\tshrdq\t$1,%r13,%r12\n\tshrdq\t$1,%r14,%r13\n\tshrdq\t$1,%r15,%r14\n\tshrdq\t$1,%rbp,%r15\n\tshrq\t$1,%rbp\n\n\tshlq\t$1,%rcx\n\n\n\n\n\n\tcmpq\t$0x8000000,%rcx\n\tjne\t.Lbeeu_shift_loop_YA\n\n.Lbeeu_shift_loop_end_YA:\n\tbsfq\t%rcx,%rcx\n\ttestq\t%rcx,%rcx\n\tjz\t.Lbeeu_no_shift_YA\n\n\n\n\tmovq\t8+16(%rsp),%rax\n\tmovq\t16+16(%rsp),%rbx\n\tmovq\t24+16(%rsp),%rsi\n\n\tshrdq\t%cl,%rax,0+16(%rsp)\n\tshrdq\t%cl,%rbx,8+16(%rsp)\n\tshrdq\t%cl,%rsi,16+16(%rsp)\n\n\tshrq\t%cl,%rsi\n\tmovq\t%rsi,24+16(%rsp)\n\n\n.Lbeeu_no_shift_YA:\n\n\tmovq\t48(%rsp),%rax\n\tmovq\t56(%rsp),%rbx\n\tmovq\t64(%rsp),%rsi\n\tmovq\t72(%rsp),%rcx\n\tsubq\t16(%rsp),%rax\n\tsbbq\t24(%rsp),%rbx\n\tsbbq\t32(%rsp),%rsi\n\tsbbq\t40(%rsp),%rcx\n\tjnc\t.Lbeeu_B_bigger_than_A\n\n\n\tmovq\t16(%rsp),%rax\n\tmovq\t24(%rsp),%rbx\n\tmovq\t32(%rsp),%rsi\n\tmovq\t40(%rsp),%rcx\n\tsubq\t48(%rsp),%rax\n\tsbbq\t56(%rsp),%rbx\n\tsbbq\t64(%rsp),%rsi\n\tsbbq\t72(%rsp),%rcx\n\tmovq\t%rax,16(%rsp)\n\tmovq\t%rbx,24(%rsp)\n\tmovq\t%rsi,32(%rsp)\n\tmovq\t%rcx,40(%rsp)\n\n\n\taddq\t%r8,%r12\n\tadcq\t%r9,%r13\n\tadcq\t%r10,%r14\n\tadcq\t%r11,%r15\n\tadcq\t%rdi,%rbp\n\tjmp\t.Lbeeu_loop\n\n.Lbeeu_B_bigger_than_A:\n\n\tmovq\t%rax,48(%rsp)\n\tmovq\t%rbx,56(%rsp)\n\tmovq\t%rsi,64(%rsp)\n\tmovq\t%rcx,72(%rsp)\n\n\n\taddq\t%r12,%r8\n\tadcq\t%r13,%r9\n\tadcq\t%r14,%r10\n\tadcq\t%r15,%r11\n\tadcq\t%rbp,%rdi\n\n\tjmp\t.Lbeeu_loop\n\n.Lbeeu_loop_end:\n\n\n\n\n\tmovq\t16(%rsp),%rbx\n\tsubq\t$1,%rbx\n\torq\t24(%rsp),%rbx\n\torq\t32(%rsp),%rbx\n\torq\t40(%rsp),%rbx\n\n\tjnz\t.Lbeeu_err\n\n\n\n\n\tmovq\t0(%rdx),%r8\n\tmovq\t8(%rdx),%r9\n\tmovq\t16(%rdx),%r10\n\tmovq\t24(%rdx),%r11\n\txorq\t%rdi,%rdi\n\n.Lbeeu_reduction_loop:\n\tmovq\t%r12,16(%rsp)\n\tmovq\t%r13,24(%rsp)\n\tmovq\t%r14,32(%rsp)\n\tmovq\t%r15,40(%rsp)\n\tmovq\t%rbp,48(%rsp)\n\n\n\tsubq\t%r8,%r12\n\tsbbq\t%r9,%r13\n\tsbbq\t%r10,%r14\n\tsbbq\t%r11,%r15\n\tsbbq\t$0,%rbp\n\n\n\tcmovcq\t16(%rsp),%r12\n\tcmovcq\t24(%rsp),%r13\n\tcmovcq\t32(%rsp),%r14\n\tcmovcq\t40(%rsp),%r15\n\tjnc\t.Lbeeu_reduction_loop\n\n\n\tsubq\t%r12,%r8\n\tsbbq\t%r13,%r9\n\tsbbq\t%r14,%r10\n\tsbbq\t%r15,%r11\n\n.Lbeeu_save:\n\n\tmovq\t0(%rsp),%rdi\n\n\tmovq\t%r8,0(%rdi)\n\tmovq\t%r9,8(%rdi)\n\tmovq\t%r10,16(%rdi)\n\tmovq\t%r11,24(%rdi)\n\n\n\tmovq\t$1,%rax\n\tjmp\t.Lbeeu_finish\n\n.Lbeeu_err:\n\n\txorq\t%rax,%rax\n\n.Lbeeu_finish:\n\taddq\t$80,%rsp\n.cfi_adjust_cfa_offset\t-80\n\tpopq\t%rsi\n.cfi_adjust_cfa_offset\t-8\n.cfi_restore\trsi\n\tpopq\t%rbx\n.cfi_adjust_cfa_offset\t-8\n.cfi_restore\trbx\n\tpopq\t%r15\n.cfi_adjust_cfa_offset\t-8\n.cfi_restore\tr15\n\tpopq\t%r14\n.cfi_adjust_cfa_offset\t-8\n.cfi_restore\tr14\n\tpopq\t%r13\n.cfi_adjust_cfa_offset\t-8\n.cfi_restore\tr13\n\tpopq\t%r12\n.cfi_adjust_cfa_offset\t-8\n.cfi_restore\tr12\n\tpopq\t%rbp\n.cfi_adjust_cfa_offset\t-8\n.cfi_restore\trbp\n\tret\n.cfi_endproc\t\n\n.size\tbeeu_mod_inverse_vartime, .-beeu_mod_inverse_vartime\n#endif\n#if defined(__linux__) && defined(__ELF__)\n.section .note.GNU-stack,\"\",%progbits\n#endif\n\n" }, { "path": "Sources/CNIOBoringSSL/gen/bcm/rdrand-x86_64-apple.S", "content": "#define BORINGSSL_PREFIX CNIOBoringSSL\n// This file is generated from a similarly-named Perl script in the BoringSSL\n// source tree. Do not edit by hand.\n\n#include \n\n#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86_64) && defined(__APPLE__)\n.text\t\n\n\n\n\n.globl\t_CRYPTO_rdrand\n.private_extern _CRYPTO_rdrand\n\n.p2align\t4\n_CRYPTO_rdrand:\n\n_CET_ENDBR\n\txorq\t%rax,%rax\n.byte\t72,15,199,242\n\n\tadcq\t%rax,%rax\n\tmovq\t%rdx,0(%rdi)\n\tret\n\n\n\n\n\n\n\n.globl\t_CRYPTO_rdrand_multiple8_buf\n.private_extern _CRYPTO_rdrand_multiple8_buf\n\n.p2align\t4\n_CRYPTO_rdrand_multiple8_buf:\n\n_CET_ENDBR\n\ttestq\t%rsi,%rsi\n\tjz\tL$out\n\tmovq\t$8,%rdx\nL$loop:\n.byte\t72,15,199,241\n\tjnc\tL$err\n\tmovq\t%rcx,0(%rdi)\n\taddq\t%rdx,%rdi\n\tsubq\t%rdx,%rsi\n\tjnz\tL$loop\nL$out:\n\tmovq\t$1,%rax\n\tret\nL$err:\n\txorq\t%rax,%rax\n\tret\n\n\n#endif\n#if defined(__linux__) && defined(__ELF__)\n.section .note.GNU-stack,\"\",%progbits\n#endif\n\n" }, { "path": "Sources/CNIOBoringSSL/gen/bcm/rdrand-x86_64-linux.S", "content": "#define BORINGSSL_PREFIX CNIOBoringSSL\n// This file is generated from a similarly-named Perl script in the BoringSSL\n// source tree. Do not edit by hand.\n\n#include \n\n#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86_64) && defined(__ELF__)\n.text\t\n\n\n\n\n.globl\tCRYPTO_rdrand\n.hidden CRYPTO_rdrand\n.type\tCRYPTO_rdrand,@function\n.align\t16\nCRYPTO_rdrand:\n.cfi_startproc\t\n_CET_ENDBR\n\txorq\t%rax,%rax\n.byte\t72,15,199,242\n\n\tadcq\t%rax,%rax\n\tmovq\t%rdx,0(%rdi)\n\tret\n.cfi_endproc\t\n.size\tCRYPTO_rdrand,.-CRYPTO_rdrand\n\n\n\n\n\n.globl\tCRYPTO_rdrand_multiple8_buf\n.hidden CRYPTO_rdrand_multiple8_buf\n.type\tCRYPTO_rdrand_multiple8_buf,@function\n.align\t16\nCRYPTO_rdrand_multiple8_buf:\n.cfi_startproc\t\n_CET_ENDBR\n\ttestq\t%rsi,%rsi\n\tjz\t.Lout\n\tmovq\t$8,%rdx\n.Lloop:\n.byte\t72,15,199,241\n\tjnc\t.Lerr\n\tmovq\t%rcx,0(%rdi)\n\taddq\t%rdx,%rdi\n\tsubq\t%rdx,%rsi\n\tjnz\t.Lloop\n.Lout:\n\tmovq\t$1,%rax\n\tret\n.Lerr:\n\txorq\t%rax,%rax\n\tret\n.cfi_endproc\t\n.size\tCRYPTO_rdrand_multiple8_buf,.-CRYPTO_rdrand_multiple8_buf\n#endif\n#if defined(__linux__) && defined(__ELF__)\n.section .note.GNU-stack,\"\",%progbits\n#endif\n\n" }, { "path": "Sources/CNIOBoringSSL/gen/bcm/rsaz-avx2-apple.S", "content": "#define BORINGSSL_PREFIX CNIOBoringSSL\n// This file is generated from a similarly-named Perl script in the BoringSSL\n// source tree. Do not edit by hand.\n\n#include \n\n#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86_64) && defined(__APPLE__)\n.text\t\n\n.globl\t_rsaz_1024_sqr_avx2\n.private_extern _rsaz_1024_sqr_avx2\n\n.p2align\t6\n_rsaz_1024_sqr_avx2:\n\n_CET_ENDBR\n\tleaq\t(%rsp),%rax\n\n\tpushq\t%rbx\n\n\tpushq\t%rbp\n\n\tpushq\t%r12\n\n\tpushq\t%r13\n\n\tpushq\t%r14\n\n\tpushq\t%r15\n\n\tvzeroupper\n\tmovq\t%rax,%rbp\n\n\tmovq\t%rdx,%r13\n\tsubq\t$832,%rsp\n\tmovq\t%r13,%r15\n\tsubq\t$-128,%rdi\n\tsubq\t$-128,%rsi\n\tsubq\t$-128,%r13\n\n\tandq\t$4095,%r15\n\taddq\t$320,%r15\n\tshrq\t$12,%r15\n\tvpxor\t%ymm9,%ymm9,%ymm9\n\tjz\tL$sqr_1024_no_n_copy\n\n\n\n\n\n\tsubq\t$320,%rsp\n\tvmovdqu\t0-128(%r13),%ymm0\n\tandq\t$-2048,%rsp\n\tvmovdqu\t32-128(%r13),%ymm1\n\tvmovdqu\t64-128(%r13),%ymm2\n\tvmovdqu\t96-128(%r13),%ymm3\n\tvmovdqu\t128-128(%r13),%ymm4\n\tvmovdqu\t160-128(%r13),%ymm5\n\tvmovdqu\t192-128(%r13),%ymm6\n\tvmovdqu\t224-128(%r13),%ymm7\n\tvmovdqu\t256-128(%r13),%ymm8\n\tleaq\t832+128(%rsp),%r13\n\tvmovdqu\t%ymm0,0-128(%r13)\n\tvmovdqu\t%ymm1,32-128(%r13)\n\tvmovdqu\t%ymm2,64-128(%r13)\n\tvmovdqu\t%ymm3,96-128(%r13)\n\tvmovdqu\t%ymm4,128-128(%r13)\n\tvmovdqu\t%ymm5,160-128(%r13)\n\tvmovdqu\t%ymm6,192-128(%r13)\n\tvmovdqu\t%ymm7,224-128(%r13)\n\tvmovdqu\t%ymm8,256-128(%r13)\n\tvmovdqu\t%ymm9,288-128(%r13)\n\nL$sqr_1024_no_n_copy:\n\tandq\t$-1024,%rsp\n\n\tvmovdqu\t32-128(%rsi),%ymm1\n\tvmovdqu\t64-128(%rsi),%ymm2\n\tvmovdqu\t96-128(%rsi),%ymm3\n\tvmovdqu\t128-128(%rsi),%ymm4\n\tvmovdqu\t160-128(%rsi),%ymm5\n\tvmovdqu\t192-128(%rsi),%ymm6\n\tvmovdqu\t224-128(%rsi),%ymm7\n\tvmovdqu\t256-128(%rsi),%ymm8\n\n\tleaq\t192(%rsp),%rbx\n\tvmovdqu\tL$and_mask(%rip),%ymm15\n\tjmp\tL$OOP_GRANDE_SQR_1024\n\n.p2align\t5\nL$OOP_GRANDE_SQR_1024:\n\tleaq\t576+128(%rsp),%r9\n\tleaq\t448(%rsp),%r12\n\n\n\n\n\tvpaddq\t%ymm1,%ymm1,%ymm1\n\tvpbroadcastq\t0-128(%rsi),%ymm10\n\tvpaddq\t%ymm2,%ymm2,%ymm2\n\tvmovdqa\t%ymm1,0-128(%r9)\n\tvpaddq\t%ymm3,%ymm3,%ymm3\n\tvmovdqa\t%ymm2,32-128(%r9)\n\tvpaddq\t%ymm4,%ymm4,%ymm4\n\tvmovdqa\t%ymm3,64-128(%r9)\n\tvpaddq\t%ymm5,%ymm5,%ymm5\n\tvmovdqa\t%ymm4,96-128(%r9)\n\tvpaddq\t%ymm6,%ymm6,%ymm6\n\tvmovdqa\t%ymm5,128-128(%r9)\n\tvpaddq\t%ymm7,%ymm7,%ymm7\n\tvmovdqa\t%ymm6,160-128(%r9)\n\tvpaddq\t%ymm8,%ymm8,%ymm8\n\tvmovdqa\t%ymm7,192-128(%r9)\n\tvpxor\t%ymm9,%ymm9,%ymm9\n\tvmovdqa\t%ymm8,224-128(%r9)\n\n\tvpmuludq\t0-128(%rsi),%ymm10,%ymm0\n\tvpbroadcastq\t32-128(%rsi),%ymm11\n\tvmovdqu\t%ymm9,288-192(%rbx)\n\tvpmuludq\t%ymm10,%ymm1,%ymm1\n\tvmovdqu\t%ymm9,320-448(%r12)\n\tvpmuludq\t%ymm10,%ymm2,%ymm2\n\tvmovdqu\t%ymm9,352-448(%r12)\n\tvpmuludq\t%ymm10,%ymm3,%ymm3\n\tvmovdqu\t%ymm9,384-448(%r12)\n\tvpmuludq\t%ymm10,%ymm4,%ymm4\n\tvmovdqu\t%ymm9,416-448(%r12)\n\tvpmuludq\t%ymm10,%ymm5,%ymm5\n\tvmovdqu\t%ymm9,448-448(%r12)\n\tvpmuludq\t%ymm10,%ymm6,%ymm6\n\tvmovdqu\t%ymm9,480-448(%r12)\n\tvpmuludq\t%ymm10,%ymm7,%ymm7\n\tvmovdqu\t%ymm9,512-448(%r12)\n\tvpmuludq\t%ymm10,%ymm8,%ymm8\n\tvpbroadcastq\t64-128(%rsi),%ymm10\n\tvmovdqu\t%ymm9,544-448(%r12)\n\n\tmovq\t%rsi,%r15\n\tmovl\t$4,%r14d\n\tjmp\tL$sqr_entry_1024\n.p2align\t5\nL$OOP_SQR_1024:\n\tvpbroadcastq\t32-128(%r15),%ymm11\n\tvpmuludq\t0-128(%rsi),%ymm10,%ymm0\n\tvpaddq\t0-192(%rbx),%ymm0,%ymm0\n\tvpmuludq\t0-128(%r9),%ymm10,%ymm1\n\tvpaddq\t32-192(%rbx),%ymm1,%ymm1\n\tvpmuludq\t32-128(%r9),%ymm10,%ymm2\n\tvpaddq\t64-192(%rbx),%ymm2,%ymm2\n\tvpmuludq\t64-128(%r9),%ymm10,%ymm3\n\tvpaddq\t96-192(%rbx),%ymm3,%ymm3\n\tvpmuludq\t96-128(%r9),%ymm10,%ymm4\n\tvpaddq\t128-192(%rbx),%ymm4,%ymm4\n\tvpmuludq\t128-128(%r9),%ymm10,%ymm5\n\tvpaddq\t160-192(%rbx),%ymm5,%ymm5\n\tvpmuludq\t160-128(%r9),%ymm10,%ymm6\n\tvpaddq\t192-192(%rbx),%ymm6,%ymm6\n\tvpmuludq\t192-128(%r9),%ymm10,%ymm7\n\tvpaddq\t224-192(%rbx),%ymm7,%ymm7\n\tvpmuludq\t224-128(%r9),%ymm10,%ymm8\n\tvpbroadcastq\t64-128(%r15),%ymm10\n\tvpaddq\t256-192(%rbx),%ymm8,%ymm8\nL$sqr_entry_1024:\n\tvmovdqu\t%ymm0,0-192(%rbx)\n\tvmovdqu\t%ymm1,32-192(%rbx)\n\n\tvpmuludq\t32-128(%rsi),%ymm11,%ymm12\n\tvpaddq\t%ymm12,%ymm2,%ymm2\n\tvpmuludq\t32-128(%r9),%ymm11,%ymm14\n\tvpaddq\t%ymm14,%ymm3,%ymm3\n\tvpmuludq\t64-128(%r9),%ymm11,%ymm13\n\tvpaddq\t%ymm13,%ymm4,%ymm4\n\tvpmuludq\t96-128(%r9),%ymm11,%ymm12\n\tvpaddq\t%ymm12,%ymm5,%ymm5\n\tvpmuludq\t128-128(%r9),%ymm11,%ymm14\n\tvpaddq\t%ymm14,%ymm6,%ymm6\n\tvpmuludq\t160-128(%r9),%ymm11,%ymm13\n\tvpaddq\t%ymm13,%ymm7,%ymm7\n\tvpmuludq\t192-128(%r9),%ymm11,%ymm12\n\tvpaddq\t%ymm12,%ymm8,%ymm8\n\tvpmuludq\t224-128(%r9),%ymm11,%ymm0\n\tvpbroadcastq\t96-128(%r15),%ymm11\n\tvpaddq\t288-192(%rbx),%ymm0,%ymm0\n\n\tvmovdqu\t%ymm2,64-192(%rbx)\n\tvmovdqu\t%ymm3,96-192(%rbx)\n\n\tvpmuludq\t64-128(%rsi),%ymm10,%ymm13\n\tvpaddq\t%ymm13,%ymm4,%ymm4\n\tvpmuludq\t64-128(%r9),%ymm10,%ymm12\n\tvpaddq\t%ymm12,%ymm5,%ymm5\n\tvpmuludq\t96-128(%r9),%ymm10,%ymm14\n\tvpaddq\t%ymm14,%ymm6,%ymm6\n\tvpmuludq\t128-128(%r9),%ymm10,%ymm13\n\tvpaddq\t%ymm13,%ymm7,%ymm7\n\tvpmuludq\t160-128(%r9),%ymm10,%ymm12\n\tvpaddq\t%ymm12,%ymm8,%ymm8\n\tvpmuludq\t192-128(%r9),%ymm10,%ymm14\n\tvpaddq\t%ymm14,%ymm0,%ymm0\n\tvpmuludq\t224-128(%r9),%ymm10,%ymm1\n\tvpbroadcastq\t128-128(%r15),%ymm10\n\tvpaddq\t320-448(%r12),%ymm1,%ymm1\n\n\tvmovdqu\t%ymm4,128-192(%rbx)\n\tvmovdqu\t%ymm5,160-192(%rbx)\n\n\tvpmuludq\t96-128(%rsi),%ymm11,%ymm12\n\tvpaddq\t%ymm12,%ymm6,%ymm6\n\tvpmuludq\t96-128(%r9),%ymm11,%ymm14\n\tvpaddq\t%ymm14,%ymm7,%ymm7\n\tvpmuludq\t128-128(%r9),%ymm11,%ymm13\n\tvpaddq\t%ymm13,%ymm8,%ymm8\n\tvpmuludq\t160-128(%r9),%ymm11,%ymm12\n\tvpaddq\t%ymm12,%ymm0,%ymm0\n\tvpmuludq\t192-128(%r9),%ymm11,%ymm14\n\tvpaddq\t%ymm14,%ymm1,%ymm1\n\tvpmuludq\t224-128(%r9),%ymm11,%ymm2\n\tvpbroadcastq\t160-128(%r15),%ymm11\n\tvpaddq\t352-448(%r12),%ymm2,%ymm2\n\n\tvmovdqu\t%ymm6,192-192(%rbx)\n\tvmovdqu\t%ymm7,224-192(%rbx)\n\n\tvpmuludq\t128-128(%rsi),%ymm10,%ymm12\n\tvpaddq\t%ymm12,%ymm8,%ymm8\n\tvpmuludq\t128-128(%r9),%ymm10,%ymm14\n\tvpaddq\t%ymm14,%ymm0,%ymm0\n\tvpmuludq\t160-128(%r9),%ymm10,%ymm13\n\tvpaddq\t%ymm13,%ymm1,%ymm1\n\tvpmuludq\t192-128(%r9),%ymm10,%ymm12\n\tvpaddq\t%ymm12,%ymm2,%ymm2\n\tvpmuludq\t224-128(%r9),%ymm10,%ymm3\n\tvpbroadcastq\t192-128(%r15),%ymm10\n\tvpaddq\t384-448(%r12),%ymm3,%ymm3\n\n\tvmovdqu\t%ymm8,256-192(%rbx)\n\tvmovdqu\t%ymm0,288-192(%rbx)\n\tleaq\t8(%rbx),%rbx\n\n\tvpmuludq\t160-128(%rsi),%ymm11,%ymm13\n\tvpaddq\t%ymm13,%ymm1,%ymm1\n\tvpmuludq\t160-128(%r9),%ymm11,%ymm12\n\tvpaddq\t%ymm12,%ymm2,%ymm2\n\tvpmuludq\t192-128(%r9),%ymm11,%ymm14\n\tvpaddq\t%ymm14,%ymm3,%ymm3\n\tvpmuludq\t224-128(%r9),%ymm11,%ymm4\n\tvpbroadcastq\t224-128(%r15),%ymm11\n\tvpaddq\t416-448(%r12),%ymm4,%ymm4\n\n\tvmovdqu\t%ymm1,320-448(%r12)\n\tvmovdqu\t%ymm2,352-448(%r12)\n\n\tvpmuludq\t192-128(%rsi),%ymm10,%ymm12\n\tvpaddq\t%ymm12,%ymm3,%ymm3\n\tvpmuludq\t192-128(%r9),%ymm10,%ymm14\n\tvpbroadcastq\t256-128(%r15),%ymm0\n\tvpaddq\t%ymm14,%ymm4,%ymm4\n\tvpmuludq\t224-128(%r9),%ymm10,%ymm5\n\tvpbroadcastq\t0+8-128(%r15),%ymm10\n\tvpaddq\t448-448(%r12),%ymm5,%ymm5\n\n\tvmovdqu\t%ymm3,384-448(%r12)\n\tvmovdqu\t%ymm4,416-448(%r12)\n\tleaq\t8(%r15),%r15\n\n\tvpmuludq\t224-128(%rsi),%ymm11,%ymm12\n\tvpaddq\t%ymm12,%ymm5,%ymm5\n\tvpmuludq\t224-128(%r9),%ymm11,%ymm6\n\tvpaddq\t480-448(%r12),%ymm6,%ymm6\n\n\tvpmuludq\t256-128(%rsi),%ymm0,%ymm7\n\tvmovdqu\t%ymm5,448-448(%r12)\n\tvpaddq\t512-448(%r12),%ymm7,%ymm7\n\tvmovdqu\t%ymm6,480-448(%r12)\n\tvmovdqu\t%ymm7,512-448(%r12)\n\tleaq\t8(%r12),%r12\n\n\tdecl\t%r14d\n\tjnz\tL$OOP_SQR_1024\n\n\tvmovdqu\t256(%rsp),%ymm8\n\tvmovdqu\t288(%rsp),%ymm1\n\tvmovdqu\t320(%rsp),%ymm2\n\tleaq\t192(%rsp),%rbx\n\n\tvpsrlq\t$29,%ymm8,%ymm14\n\tvpand\t%ymm15,%ymm8,%ymm8\n\tvpsrlq\t$29,%ymm1,%ymm11\n\tvpand\t%ymm15,%ymm1,%ymm1\n\n\tvpermq\t$0x93,%ymm14,%ymm14\n\tvpxor\t%ymm9,%ymm9,%ymm9\n\tvpermq\t$0x93,%ymm11,%ymm11\n\n\tvpblendd\t$3,%ymm9,%ymm14,%ymm10\n\tvpblendd\t$3,%ymm14,%ymm11,%ymm14\n\tvpaddq\t%ymm10,%ymm8,%ymm8\n\tvpblendd\t$3,%ymm11,%ymm9,%ymm11\n\tvpaddq\t%ymm14,%ymm1,%ymm1\n\tvpaddq\t%ymm11,%ymm2,%ymm2\n\tvmovdqu\t%ymm1,288-192(%rbx)\n\tvmovdqu\t%ymm2,320-192(%rbx)\n\n\tmovq\t(%rsp),%rax\n\tmovq\t8(%rsp),%r10\n\tmovq\t16(%rsp),%r11\n\tmovq\t24(%rsp),%r12\n\tvmovdqu\t32(%rsp),%ymm1\n\tvmovdqu\t64-192(%rbx),%ymm2\n\tvmovdqu\t96-192(%rbx),%ymm3\n\tvmovdqu\t128-192(%rbx),%ymm4\n\tvmovdqu\t160-192(%rbx),%ymm5\n\tvmovdqu\t192-192(%rbx),%ymm6\n\tvmovdqu\t224-192(%rbx),%ymm7\n\n\tmovq\t%rax,%r9\n\timull\t%ecx,%eax\n\tandl\t$0x1fffffff,%eax\n\tvmovd\t%eax,%xmm12\n\n\tmovq\t%rax,%rdx\n\timulq\t-128(%r13),%rax\n\tvpbroadcastq\t%xmm12,%ymm12\n\taddq\t%rax,%r9\n\tmovq\t%rdx,%rax\n\timulq\t8-128(%r13),%rax\n\tshrq\t$29,%r9\n\taddq\t%rax,%r10\n\tmovq\t%rdx,%rax\n\timulq\t16-128(%r13),%rax\n\taddq\t%r9,%r10\n\taddq\t%rax,%r11\n\timulq\t24-128(%r13),%rdx\n\taddq\t%rdx,%r12\n\n\tmovq\t%r10,%rax\n\timull\t%ecx,%eax\n\tandl\t$0x1fffffff,%eax\n\n\tmovl\t$9,%r14d\n\tjmp\tL$OOP_REDUCE_1024\n\n.p2align\t5\nL$OOP_REDUCE_1024:\n\tvmovd\t%eax,%xmm13\n\tvpbroadcastq\t%xmm13,%ymm13\n\n\tvpmuludq\t32-128(%r13),%ymm12,%ymm10\n\tmovq\t%rax,%rdx\n\timulq\t-128(%r13),%rax\n\tvpaddq\t%ymm10,%ymm1,%ymm1\n\taddq\t%rax,%r10\n\tvpmuludq\t64-128(%r13),%ymm12,%ymm14\n\tmovq\t%rdx,%rax\n\timulq\t8-128(%r13),%rax\n\tvpaddq\t%ymm14,%ymm2,%ymm2\n\tvpmuludq\t96-128(%r13),%ymm12,%ymm11\n.byte\t0x67\n\taddq\t%rax,%r11\n.byte\t0x67\n\tmovq\t%rdx,%rax\n\timulq\t16-128(%r13),%rax\n\tshrq\t$29,%r10\n\tvpaddq\t%ymm11,%ymm3,%ymm3\n\tvpmuludq\t128-128(%r13),%ymm12,%ymm10\n\taddq\t%rax,%r12\n\taddq\t%r10,%r11\n\tvpaddq\t%ymm10,%ymm4,%ymm4\n\tvpmuludq\t160-128(%r13),%ymm12,%ymm14\n\tmovq\t%r11,%rax\n\timull\t%ecx,%eax\n\tvpaddq\t%ymm14,%ymm5,%ymm5\n\tvpmuludq\t192-128(%r13),%ymm12,%ymm11\n\tandl\t$0x1fffffff,%eax\n\tvpaddq\t%ymm11,%ymm6,%ymm6\n\tvpmuludq\t224-128(%r13),%ymm12,%ymm10\n\tvpaddq\t%ymm10,%ymm7,%ymm7\n\tvpmuludq\t256-128(%r13),%ymm12,%ymm14\n\tvmovd\t%eax,%xmm12\n\n\tvpaddq\t%ymm14,%ymm8,%ymm8\n\n\tvpbroadcastq\t%xmm12,%ymm12\n\n\tvpmuludq\t32-8-128(%r13),%ymm13,%ymm11\n\tvmovdqu\t96-8-128(%r13),%ymm14\n\tmovq\t%rax,%rdx\n\timulq\t-128(%r13),%rax\n\tvpaddq\t%ymm11,%ymm1,%ymm1\n\tvpmuludq\t64-8-128(%r13),%ymm13,%ymm10\n\tvmovdqu\t128-8-128(%r13),%ymm11\n\taddq\t%rax,%r11\n\tmovq\t%rdx,%rax\n\timulq\t8-128(%r13),%rax\n\tvpaddq\t%ymm10,%ymm2,%ymm2\n\taddq\t%r12,%rax\n\tshrq\t$29,%r11\n\tvpmuludq\t%ymm13,%ymm14,%ymm14\n\tvmovdqu\t160-8-128(%r13),%ymm10\n\taddq\t%r11,%rax\n\tvpaddq\t%ymm14,%ymm3,%ymm3\n\tvpmuludq\t%ymm13,%ymm11,%ymm11\n\tvmovdqu\t192-8-128(%r13),%ymm14\n.byte\t0x67\n\tmovq\t%rax,%r12\n\timull\t%ecx,%eax\n\tvpaddq\t%ymm11,%ymm4,%ymm4\n\tvpmuludq\t%ymm13,%ymm10,%ymm10\n.byte\t0xc4,0x41,0x7e,0x6f,0x9d,0x58,0x00,0x00,0x00\n\tandl\t$0x1fffffff,%eax\n\tvpaddq\t%ymm10,%ymm5,%ymm5\n\tvpmuludq\t%ymm13,%ymm14,%ymm14\n\tvmovdqu\t256-8-128(%r13),%ymm10\n\tvpaddq\t%ymm14,%ymm6,%ymm6\n\tvpmuludq\t%ymm13,%ymm11,%ymm11\n\tvmovdqu\t288-8-128(%r13),%ymm9\n\tvmovd\t%eax,%xmm0\n\timulq\t-128(%r13),%rax\n\tvpaddq\t%ymm11,%ymm7,%ymm7\n\tvpmuludq\t%ymm13,%ymm10,%ymm10\n\tvmovdqu\t32-16-128(%r13),%ymm14\n\tvpbroadcastq\t%xmm0,%ymm0\n\tvpaddq\t%ymm10,%ymm8,%ymm8\n\tvpmuludq\t%ymm13,%ymm9,%ymm9\n\tvmovdqu\t64-16-128(%r13),%ymm11\n\taddq\t%rax,%r12\n\n\tvmovdqu\t32-24-128(%r13),%ymm13\n\tvpmuludq\t%ymm12,%ymm14,%ymm14\n\tvmovdqu\t96-16-128(%r13),%ymm10\n\tvpaddq\t%ymm14,%ymm1,%ymm1\n\tvpmuludq\t%ymm0,%ymm13,%ymm13\n\tvpmuludq\t%ymm12,%ymm11,%ymm11\n.byte\t0xc4,0x41,0x7e,0x6f,0xb5,0xf0,0xff,0xff,0xff\n\tvpaddq\t%ymm1,%ymm13,%ymm13\n\tvpaddq\t%ymm11,%ymm2,%ymm2\n\tvpmuludq\t%ymm12,%ymm10,%ymm10\n\tvmovdqu\t160-16-128(%r13),%ymm11\n.byte\t0x67\n\tvmovq\t%xmm13,%rax\n\tvmovdqu\t%ymm13,(%rsp)\n\tvpaddq\t%ymm10,%ymm3,%ymm3\n\tvpmuludq\t%ymm12,%ymm14,%ymm14\n\tvmovdqu\t192-16-128(%r13),%ymm10\n\tvpaddq\t%ymm14,%ymm4,%ymm4\n\tvpmuludq\t%ymm12,%ymm11,%ymm11\n\tvmovdqu\t224-16-128(%r13),%ymm14\n\tvpaddq\t%ymm11,%ymm5,%ymm5\n\tvpmuludq\t%ymm12,%ymm10,%ymm10\n\tvmovdqu\t256-16-128(%r13),%ymm11\n\tvpaddq\t%ymm10,%ymm6,%ymm6\n\tvpmuludq\t%ymm12,%ymm14,%ymm14\n\tshrq\t$29,%r12\n\tvmovdqu\t288-16-128(%r13),%ymm10\n\taddq\t%r12,%rax\n\tvpaddq\t%ymm14,%ymm7,%ymm7\n\tvpmuludq\t%ymm12,%ymm11,%ymm11\n\n\tmovq\t%rax,%r9\n\timull\t%ecx,%eax\n\tvpaddq\t%ymm11,%ymm8,%ymm8\n\tvpmuludq\t%ymm12,%ymm10,%ymm10\n\tandl\t$0x1fffffff,%eax\n\tvmovd\t%eax,%xmm12\n\tvmovdqu\t96-24-128(%r13),%ymm11\n.byte\t0x67\n\tvpaddq\t%ymm10,%ymm9,%ymm9\n\tvpbroadcastq\t%xmm12,%ymm12\n\n\tvpmuludq\t64-24-128(%r13),%ymm0,%ymm14\n\tvmovdqu\t128-24-128(%r13),%ymm10\n\tmovq\t%rax,%rdx\n\timulq\t-128(%r13),%rax\n\tmovq\t8(%rsp),%r10\n\tvpaddq\t%ymm14,%ymm2,%ymm1\n\tvpmuludq\t%ymm0,%ymm11,%ymm11\n\tvmovdqu\t160-24-128(%r13),%ymm14\n\taddq\t%rax,%r9\n\tmovq\t%rdx,%rax\n\timulq\t8-128(%r13),%rax\n.byte\t0x67\n\tshrq\t$29,%r9\n\tmovq\t16(%rsp),%r11\n\tvpaddq\t%ymm11,%ymm3,%ymm2\n\tvpmuludq\t%ymm0,%ymm10,%ymm10\n\tvmovdqu\t192-24-128(%r13),%ymm11\n\taddq\t%rax,%r10\n\tmovq\t%rdx,%rax\n\timulq\t16-128(%r13),%rax\n\tvpaddq\t%ymm10,%ymm4,%ymm3\n\tvpmuludq\t%ymm0,%ymm14,%ymm14\n\tvmovdqu\t224-24-128(%r13),%ymm10\n\timulq\t24-128(%r13),%rdx\n\taddq\t%rax,%r11\n\tleaq\t(%r9,%r10,1),%rax\n\tvpaddq\t%ymm14,%ymm5,%ymm4\n\tvpmuludq\t%ymm0,%ymm11,%ymm11\n\tvmovdqu\t256-24-128(%r13),%ymm14\n\tmovq\t%rax,%r10\n\timull\t%ecx,%eax\n\tvpmuludq\t%ymm0,%ymm10,%ymm10\n\tvpaddq\t%ymm11,%ymm6,%ymm5\n\tvmovdqu\t288-24-128(%r13),%ymm11\n\tandl\t$0x1fffffff,%eax\n\tvpaddq\t%ymm10,%ymm7,%ymm6\n\tvpmuludq\t%ymm0,%ymm14,%ymm14\n\taddq\t24(%rsp),%rdx\n\tvpaddq\t%ymm14,%ymm8,%ymm7\n\tvpmuludq\t%ymm0,%ymm11,%ymm11\n\tvpaddq\t%ymm11,%ymm9,%ymm8\n\tvmovq\t%r12,%xmm9\n\tmovq\t%rdx,%r12\n\n\tdecl\t%r14d\n\tjnz\tL$OOP_REDUCE_1024\n\tleaq\t448(%rsp),%r12\n\tvpaddq\t%ymm9,%ymm13,%ymm0\n\tvpxor\t%ymm9,%ymm9,%ymm9\n\n\tvpaddq\t288-192(%rbx),%ymm0,%ymm0\n\tvpaddq\t320-448(%r12),%ymm1,%ymm1\n\tvpaddq\t352-448(%r12),%ymm2,%ymm2\n\tvpaddq\t384-448(%r12),%ymm3,%ymm3\n\tvpaddq\t416-448(%r12),%ymm4,%ymm4\n\tvpaddq\t448-448(%r12),%ymm5,%ymm5\n\tvpaddq\t480-448(%r12),%ymm6,%ymm6\n\tvpaddq\t512-448(%r12),%ymm7,%ymm7\n\tvpaddq\t544-448(%r12),%ymm8,%ymm8\n\n\tvpsrlq\t$29,%ymm0,%ymm14\n\tvpand\t%ymm15,%ymm0,%ymm0\n\tvpsrlq\t$29,%ymm1,%ymm11\n\tvpand\t%ymm15,%ymm1,%ymm1\n\tvpsrlq\t$29,%ymm2,%ymm12\n\tvpermq\t$0x93,%ymm14,%ymm14\n\tvpand\t%ymm15,%ymm2,%ymm2\n\tvpsrlq\t$29,%ymm3,%ymm13\n\tvpermq\t$0x93,%ymm11,%ymm11\n\tvpand\t%ymm15,%ymm3,%ymm3\n\tvpermq\t$0x93,%ymm12,%ymm12\n\n\tvpblendd\t$3,%ymm9,%ymm14,%ymm10\n\tvpermq\t$0x93,%ymm13,%ymm13\n\tvpblendd\t$3,%ymm14,%ymm11,%ymm14\n\tvpaddq\t%ymm10,%ymm0,%ymm0\n\tvpblendd\t$3,%ymm11,%ymm12,%ymm11\n\tvpaddq\t%ymm14,%ymm1,%ymm1\n\tvpblendd\t$3,%ymm12,%ymm13,%ymm12\n\tvpaddq\t%ymm11,%ymm2,%ymm2\n\tvpblendd\t$3,%ymm13,%ymm9,%ymm13\n\tvpaddq\t%ymm12,%ymm3,%ymm3\n\tvpaddq\t%ymm13,%ymm4,%ymm4\n\n\tvpsrlq\t$29,%ymm0,%ymm14\n\tvpand\t%ymm15,%ymm0,%ymm0\n\tvpsrlq\t$29,%ymm1,%ymm11\n\tvpand\t%ymm15,%ymm1,%ymm1\n\tvpsrlq\t$29,%ymm2,%ymm12\n\tvpermq\t$0x93,%ymm14,%ymm14\n\tvpand\t%ymm15,%ymm2,%ymm2\n\tvpsrlq\t$29,%ymm3,%ymm13\n\tvpermq\t$0x93,%ymm11,%ymm11\n\tvpand\t%ymm15,%ymm3,%ymm3\n\tvpermq\t$0x93,%ymm12,%ymm12\n\n\tvpblendd\t$3,%ymm9,%ymm14,%ymm10\n\tvpermq\t$0x93,%ymm13,%ymm13\n\tvpblendd\t$3,%ymm14,%ymm11,%ymm14\n\tvpaddq\t%ymm10,%ymm0,%ymm0\n\tvpblendd\t$3,%ymm11,%ymm12,%ymm11\n\tvpaddq\t%ymm14,%ymm1,%ymm1\n\tvmovdqu\t%ymm0,0-128(%rdi)\n\tvpblendd\t$3,%ymm12,%ymm13,%ymm12\n\tvpaddq\t%ymm11,%ymm2,%ymm2\n\tvmovdqu\t%ymm1,32-128(%rdi)\n\tvpblendd\t$3,%ymm13,%ymm9,%ymm13\n\tvpaddq\t%ymm12,%ymm3,%ymm3\n\tvmovdqu\t%ymm2,64-128(%rdi)\n\tvpaddq\t%ymm13,%ymm4,%ymm4\n\tvmovdqu\t%ymm3,96-128(%rdi)\n\tvpsrlq\t$29,%ymm4,%ymm14\n\tvpand\t%ymm15,%ymm4,%ymm4\n\tvpsrlq\t$29,%ymm5,%ymm11\n\tvpand\t%ymm15,%ymm5,%ymm5\n\tvpsrlq\t$29,%ymm6,%ymm12\n\tvpermq\t$0x93,%ymm14,%ymm14\n\tvpand\t%ymm15,%ymm6,%ymm6\n\tvpsrlq\t$29,%ymm7,%ymm13\n\tvpermq\t$0x93,%ymm11,%ymm11\n\tvpand\t%ymm15,%ymm7,%ymm7\n\tvpsrlq\t$29,%ymm8,%ymm0\n\tvpermq\t$0x93,%ymm12,%ymm12\n\tvpand\t%ymm15,%ymm8,%ymm8\n\tvpermq\t$0x93,%ymm13,%ymm13\n\n\tvpblendd\t$3,%ymm9,%ymm14,%ymm10\n\tvpermq\t$0x93,%ymm0,%ymm0\n\tvpblendd\t$3,%ymm14,%ymm11,%ymm14\n\tvpaddq\t%ymm10,%ymm4,%ymm4\n\tvpblendd\t$3,%ymm11,%ymm12,%ymm11\n\tvpaddq\t%ymm14,%ymm5,%ymm5\n\tvpblendd\t$3,%ymm12,%ymm13,%ymm12\n\tvpaddq\t%ymm11,%ymm6,%ymm6\n\tvpblendd\t$3,%ymm13,%ymm0,%ymm13\n\tvpaddq\t%ymm12,%ymm7,%ymm7\n\tvpaddq\t%ymm13,%ymm8,%ymm8\n\n\tvpsrlq\t$29,%ymm4,%ymm14\n\tvpand\t%ymm15,%ymm4,%ymm4\n\tvpsrlq\t$29,%ymm5,%ymm11\n\tvpand\t%ymm15,%ymm5,%ymm5\n\tvpsrlq\t$29,%ymm6,%ymm12\n\tvpermq\t$0x93,%ymm14,%ymm14\n\tvpand\t%ymm15,%ymm6,%ymm6\n\tvpsrlq\t$29,%ymm7,%ymm13\n\tvpermq\t$0x93,%ymm11,%ymm11\n\tvpand\t%ymm15,%ymm7,%ymm7\n\tvpsrlq\t$29,%ymm8,%ymm0\n\tvpermq\t$0x93,%ymm12,%ymm12\n\tvpand\t%ymm15,%ymm8,%ymm8\n\tvpermq\t$0x93,%ymm13,%ymm13\n\n\tvpblendd\t$3,%ymm9,%ymm14,%ymm10\n\tvpermq\t$0x93,%ymm0,%ymm0\n\tvpblendd\t$3,%ymm14,%ymm11,%ymm14\n\tvpaddq\t%ymm10,%ymm4,%ymm4\n\tvpblendd\t$3,%ymm11,%ymm12,%ymm11\n\tvpaddq\t%ymm14,%ymm5,%ymm5\n\tvmovdqu\t%ymm4,128-128(%rdi)\n\tvpblendd\t$3,%ymm12,%ymm13,%ymm12\n\tvpaddq\t%ymm11,%ymm6,%ymm6\n\tvmovdqu\t%ymm5,160-128(%rdi)\n\tvpblendd\t$3,%ymm13,%ymm0,%ymm13\n\tvpaddq\t%ymm12,%ymm7,%ymm7\n\tvmovdqu\t%ymm6,192-128(%rdi)\n\tvpaddq\t%ymm13,%ymm8,%ymm8\n\tvmovdqu\t%ymm7,224-128(%rdi)\n\tvmovdqu\t%ymm8,256-128(%rdi)\n\n\tmovq\t%rdi,%rsi\n\tdecl\t%r8d\n\tjne\tL$OOP_GRANDE_SQR_1024\n\n\tvzeroall\n\tmovq\t%rbp,%rax\n\n\tmovq\t-48(%rax),%r15\n\n\tmovq\t-40(%rax),%r14\n\n\tmovq\t-32(%rax),%r13\n\n\tmovq\t-24(%rax),%r12\n\n\tmovq\t-16(%rax),%rbp\n\n\tmovq\t-8(%rax),%rbx\n\n\tleaq\t(%rax),%rsp\n\nL$sqr_1024_epilogue:\n\tret\n\n\n.globl\t_rsaz_1024_mul_avx2\n.private_extern _rsaz_1024_mul_avx2\n\n.p2align\t6\n_rsaz_1024_mul_avx2:\n\n_CET_ENDBR\n\tleaq\t(%rsp),%rax\n\n\tpushq\t%rbx\n\n\tpushq\t%rbp\n\n\tpushq\t%r12\n\n\tpushq\t%r13\n\n\tpushq\t%r14\n\n\tpushq\t%r15\n\n\tmovq\t%rax,%rbp\n\n\tvzeroall\n\tmovq\t%rdx,%r13\n\tsubq\t$64,%rsp\n\n\n\n\n\n\n.byte\t0x67,0x67\n\tmovq\t%rsi,%r15\n\tandq\t$4095,%r15\n\taddq\t$320,%r15\n\tshrq\t$12,%r15\n\tmovq\t%rsi,%r15\n\tcmovnzq\t%r13,%rsi\n\tcmovnzq\t%r15,%r13\n\n\tmovq\t%rcx,%r15\n\tsubq\t$-128,%rsi\n\tsubq\t$-128,%rcx\n\tsubq\t$-128,%rdi\n\n\tandq\t$4095,%r15\n\taddq\t$320,%r15\n.byte\t0x67,0x67\n\tshrq\t$12,%r15\n\tjz\tL$mul_1024_no_n_copy\n\n\n\n\n\n\tsubq\t$320,%rsp\n\tvmovdqu\t0-128(%rcx),%ymm0\n\tandq\t$-512,%rsp\n\tvmovdqu\t32-128(%rcx),%ymm1\n\tvmovdqu\t64-128(%rcx),%ymm2\n\tvmovdqu\t96-128(%rcx),%ymm3\n\tvmovdqu\t128-128(%rcx),%ymm4\n\tvmovdqu\t160-128(%rcx),%ymm5\n\tvmovdqu\t192-128(%rcx),%ymm6\n\tvmovdqu\t224-128(%rcx),%ymm7\n\tvmovdqu\t256-128(%rcx),%ymm8\n\tleaq\t64+128(%rsp),%rcx\n\tvmovdqu\t%ymm0,0-128(%rcx)\n\tvpxor\t%ymm0,%ymm0,%ymm0\n\tvmovdqu\t%ymm1,32-128(%rcx)\n\tvpxor\t%ymm1,%ymm1,%ymm1\n\tvmovdqu\t%ymm2,64-128(%rcx)\n\tvpxor\t%ymm2,%ymm2,%ymm2\n\tvmovdqu\t%ymm3,96-128(%rcx)\n\tvpxor\t%ymm3,%ymm3,%ymm3\n\tvmovdqu\t%ymm4,128-128(%rcx)\n\tvpxor\t%ymm4,%ymm4,%ymm4\n\tvmovdqu\t%ymm5,160-128(%rcx)\n\tvpxor\t%ymm5,%ymm5,%ymm5\n\tvmovdqu\t%ymm6,192-128(%rcx)\n\tvpxor\t%ymm6,%ymm6,%ymm6\n\tvmovdqu\t%ymm7,224-128(%rcx)\n\tvpxor\t%ymm7,%ymm7,%ymm7\n\tvmovdqu\t%ymm8,256-128(%rcx)\n\tvmovdqa\t%ymm0,%ymm8\n\tvmovdqu\t%ymm9,288-128(%rcx)\nL$mul_1024_no_n_copy:\n\tandq\t$-64,%rsp\n\n\tmovq\t(%r13),%rbx\n\tvpbroadcastq\t(%r13),%ymm10\n\tvmovdqu\t%ymm0,(%rsp)\n\txorq\t%r9,%r9\n.byte\t0x67\n\txorq\t%r10,%r10\n\txorq\t%r11,%r11\n\txorq\t%r12,%r12\n\n\tvmovdqu\tL$and_mask(%rip),%ymm15\n\tmovl\t$9,%r14d\n\tvmovdqu\t%ymm9,288-128(%rdi)\n\tjmp\tL$oop_mul_1024\n\n.p2align\t5\nL$oop_mul_1024:\n\tvpsrlq\t$29,%ymm3,%ymm9\n\tmovq\t%rbx,%rax\n\timulq\t-128(%rsi),%rax\n\taddq\t%r9,%rax\n\tmovq\t%rbx,%r10\n\timulq\t8-128(%rsi),%r10\n\taddq\t8(%rsp),%r10\n\n\tmovq\t%rax,%r9\n\timull\t%r8d,%eax\n\tandl\t$0x1fffffff,%eax\n\n\tmovq\t%rbx,%r11\n\timulq\t16-128(%rsi),%r11\n\taddq\t16(%rsp),%r11\n\n\tmovq\t%rbx,%r12\n\timulq\t24-128(%rsi),%r12\n\taddq\t24(%rsp),%r12\n\tvpmuludq\t32-128(%rsi),%ymm10,%ymm0\n\tvmovd\t%eax,%xmm11\n\tvpaddq\t%ymm0,%ymm1,%ymm1\n\tvpmuludq\t64-128(%rsi),%ymm10,%ymm12\n\tvpbroadcastq\t%xmm11,%ymm11\n\tvpaddq\t%ymm12,%ymm2,%ymm2\n\tvpmuludq\t96-128(%rsi),%ymm10,%ymm13\n\tvpand\t%ymm15,%ymm3,%ymm3\n\tvpaddq\t%ymm13,%ymm3,%ymm3\n\tvpmuludq\t128-128(%rsi),%ymm10,%ymm0\n\tvpaddq\t%ymm0,%ymm4,%ymm4\n\tvpmuludq\t160-128(%rsi),%ymm10,%ymm12\n\tvpaddq\t%ymm12,%ymm5,%ymm5\n\tvpmuludq\t192-128(%rsi),%ymm10,%ymm13\n\tvpaddq\t%ymm13,%ymm6,%ymm6\n\tvpmuludq\t224-128(%rsi),%ymm10,%ymm0\n\tvpermq\t$0x93,%ymm9,%ymm9\n\tvpaddq\t%ymm0,%ymm7,%ymm7\n\tvpmuludq\t256-128(%rsi),%ymm10,%ymm12\n\tvpbroadcastq\t8(%r13),%ymm10\n\tvpaddq\t%ymm12,%ymm8,%ymm8\n\n\tmovq\t%rax,%rdx\n\timulq\t-128(%rcx),%rax\n\taddq\t%rax,%r9\n\tmovq\t%rdx,%rax\n\timulq\t8-128(%rcx),%rax\n\taddq\t%rax,%r10\n\tmovq\t%rdx,%rax\n\timulq\t16-128(%rcx),%rax\n\taddq\t%rax,%r11\n\tshrq\t$29,%r9\n\timulq\t24-128(%rcx),%rdx\n\taddq\t%rdx,%r12\n\taddq\t%r9,%r10\n\n\tvpmuludq\t32-128(%rcx),%ymm11,%ymm13\n\tvmovq\t%xmm10,%rbx\n\tvpaddq\t%ymm13,%ymm1,%ymm1\n\tvpmuludq\t64-128(%rcx),%ymm11,%ymm0\n\tvpaddq\t%ymm0,%ymm2,%ymm2\n\tvpmuludq\t96-128(%rcx),%ymm11,%ymm12\n\tvpaddq\t%ymm12,%ymm3,%ymm3\n\tvpmuludq\t128-128(%rcx),%ymm11,%ymm13\n\tvpaddq\t%ymm13,%ymm4,%ymm4\n\tvpmuludq\t160-128(%rcx),%ymm11,%ymm0\n\tvpaddq\t%ymm0,%ymm5,%ymm5\n\tvpmuludq\t192-128(%rcx),%ymm11,%ymm12\n\tvpaddq\t%ymm12,%ymm6,%ymm6\n\tvpmuludq\t224-128(%rcx),%ymm11,%ymm13\n\tvpblendd\t$3,%ymm14,%ymm9,%ymm12\n\tvpaddq\t%ymm13,%ymm7,%ymm7\n\tvpmuludq\t256-128(%rcx),%ymm11,%ymm0\n\tvpaddq\t%ymm12,%ymm3,%ymm3\n\tvpaddq\t%ymm0,%ymm8,%ymm8\n\n\tmovq\t%rbx,%rax\n\timulq\t-128(%rsi),%rax\n\taddq\t%rax,%r10\n\tvmovdqu\t-8+32-128(%rsi),%ymm12\n\tmovq\t%rbx,%rax\n\timulq\t8-128(%rsi),%rax\n\taddq\t%rax,%r11\n\tvmovdqu\t-8+64-128(%rsi),%ymm13\n\n\tmovq\t%r10,%rax\n\tvpblendd\t$0xfc,%ymm14,%ymm9,%ymm9\n\timull\t%r8d,%eax\n\tvpaddq\t%ymm9,%ymm4,%ymm4\n\tandl\t$0x1fffffff,%eax\n\n\timulq\t16-128(%rsi),%rbx\n\taddq\t%rbx,%r12\n\tvpmuludq\t%ymm10,%ymm12,%ymm12\n\tvmovd\t%eax,%xmm11\n\tvmovdqu\t-8+96-128(%rsi),%ymm0\n\tvpaddq\t%ymm12,%ymm1,%ymm1\n\tvpmuludq\t%ymm10,%ymm13,%ymm13\n\tvpbroadcastq\t%xmm11,%ymm11\n\tvmovdqu\t-8+128-128(%rsi),%ymm12\n\tvpaddq\t%ymm13,%ymm2,%ymm2\n\tvpmuludq\t%ymm10,%ymm0,%ymm0\n\tvmovdqu\t-8+160-128(%rsi),%ymm13\n\tvpaddq\t%ymm0,%ymm3,%ymm3\n\tvpmuludq\t%ymm10,%ymm12,%ymm12\n\tvmovdqu\t-8+192-128(%rsi),%ymm0\n\tvpaddq\t%ymm12,%ymm4,%ymm4\n\tvpmuludq\t%ymm10,%ymm13,%ymm13\n\tvmovdqu\t-8+224-128(%rsi),%ymm12\n\tvpaddq\t%ymm13,%ymm5,%ymm5\n\tvpmuludq\t%ymm10,%ymm0,%ymm0\n\tvmovdqu\t-8+256-128(%rsi),%ymm13\n\tvpaddq\t%ymm0,%ymm6,%ymm6\n\tvpmuludq\t%ymm10,%ymm12,%ymm12\n\tvmovdqu\t-8+288-128(%rsi),%ymm9\n\tvpaddq\t%ymm12,%ymm7,%ymm7\n\tvpmuludq\t%ymm10,%ymm13,%ymm13\n\tvpaddq\t%ymm13,%ymm8,%ymm8\n\tvpmuludq\t%ymm10,%ymm9,%ymm9\n\tvpbroadcastq\t16(%r13),%ymm10\n\n\tmovq\t%rax,%rdx\n\timulq\t-128(%rcx),%rax\n\taddq\t%rax,%r10\n\tvmovdqu\t-8+32-128(%rcx),%ymm0\n\tmovq\t%rdx,%rax\n\timulq\t8-128(%rcx),%rax\n\taddq\t%rax,%r11\n\tvmovdqu\t-8+64-128(%rcx),%ymm12\n\tshrq\t$29,%r10\n\timulq\t16-128(%rcx),%rdx\n\taddq\t%rdx,%r12\n\taddq\t%r10,%r11\n\n\tvpmuludq\t%ymm11,%ymm0,%ymm0\n\tvmovq\t%xmm10,%rbx\n\tvmovdqu\t-8+96-128(%rcx),%ymm13\n\tvpaddq\t%ymm0,%ymm1,%ymm1\n\tvpmuludq\t%ymm11,%ymm12,%ymm12\n\tvmovdqu\t-8+128-128(%rcx),%ymm0\n\tvpaddq\t%ymm12,%ymm2,%ymm2\n\tvpmuludq\t%ymm11,%ymm13,%ymm13\n\tvmovdqu\t-8+160-128(%rcx),%ymm12\n\tvpaddq\t%ymm13,%ymm3,%ymm3\n\tvpmuludq\t%ymm11,%ymm0,%ymm0\n\tvmovdqu\t-8+192-128(%rcx),%ymm13\n\tvpaddq\t%ymm0,%ymm4,%ymm4\n\tvpmuludq\t%ymm11,%ymm12,%ymm12\n\tvmovdqu\t-8+224-128(%rcx),%ymm0\n\tvpaddq\t%ymm12,%ymm5,%ymm5\n\tvpmuludq\t%ymm11,%ymm13,%ymm13\n\tvmovdqu\t-8+256-128(%rcx),%ymm12\n\tvpaddq\t%ymm13,%ymm6,%ymm6\n\tvpmuludq\t%ymm11,%ymm0,%ymm0\n\tvmovdqu\t-8+288-128(%rcx),%ymm13\n\tvpaddq\t%ymm0,%ymm7,%ymm7\n\tvpmuludq\t%ymm11,%ymm12,%ymm12\n\tvpaddq\t%ymm12,%ymm8,%ymm8\n\tvpmuludq\t%ymm11,%ymm13,%ymm13\n\tvpaddq\t%ymm13,%ymm9,%ymm9\n\n\tvmovdqu\t-16+32-128(%rsi),%ymm0\n\tmovq\t%rbx,%rax\n\timulq\t-128(%rsi),%rax\n\taddq\t%r11,%rax\n\n\tvmovdqu\t-16+64-128(%rsi),%ymm12\n\tmovq\t%rax,%r11\n\timull\t%r8d,%eax\n\tandl\t$0x1fffffff,%eax\n\n\timulq\t8-128(%rsi),%rbx\n\taddq\t%rbx,%r12\n\tvpmuludq\t%ymm10,%ymm0,%ymm0\n\tvmovd\t%eax,%xmm11\n\tvmovdqu\t-16+96-128(%rsi),%ymm13\n\tvpaddq\t%ymm0,%ymm1,%ymm1\n\tvpmuludq\t%ymm10,%ymm12,%ymm12\n\tvpbroadcastq\t%xmm11,%ymm11\n\tvmovdqu\t-16+128-128(%rsi),%ymm0\n\tvpaddq\t%ymm12,%ymm2,%ymm2\n\tvpmuludq\t%ymm10,%ymm13,%ymm13\n\tvmovdqu\t-16+160-128(%rsi),%ymm12\n\tvpaddq\t%ymm13,%ymm3,%ymm3\n\tvpmuludq\t%ymm10,%ymm0,%ymm0\n\tvmovdqu\t-16+192-128(%rsi),%ymm13\n\tvpaddq\t%ymm0,%ymm4,%ymm4\n\tvpmuludq\t%ymm10,%ymm12,%ymm12\n\tvmovdqu\t-16+224-128(%rsi),%ymm0\n\tvpaddq\t%ymm12,%ymm5,%ymm5\n\tvpmuludq\t%ymm10,%ymm13,%ymm13\n\tvmovdqu\t-16+256-128(%rsi),%ymm12\n\tvpaddq\t%ymm13,%ymm6,%ymm6\n\tvpmuludq\t%ymm10,%ymm0,%ymm0\n\tvmovdqu\t-16+288-128(%rsi),%ymm13\n\tvpaddq\t%ymm0,%ymm7,%ymm7\n\tvpmuludq\t%ymm10,%ymm12,%ymm12\n\tvpaddq\t%ymm12,%ymm8,%ymm8\n\tvpmuludq\t%ymm10,%ymm13,%ymm13\n\tvpbroadcastq\t24(%r13),%ymm10\n\tvpaddq\t%ymm13,%ymm9,%ymm9\n\n\tvmovdqu\t-16+32-128(%rcx),%ymm0\n\tmovq\t%rax,%rdx\n\timulq\t-128(%rcx),%rax\n\taddq\t%rax,%r11\n\tvmovdqu\t-16+64-128(%rcx),%ymm12\n\timulq\t8-128(%rcx),%rdx\n\taddq\t%rdx,%r12\n\tshrq\t$29,%r11\n\n\tvpmuludq\t%ymm11,%ymm0,%ymm0\n\tvmovq\t%xmm10,%rbx\n\tvmovdqu\t-16+96-128(%rcx),%ymm13\n\tvpaddq\t%ymm0,%ymm1,%ymm1\n\tvpmuludq\t%ymm11,%ymm12,%ymm12\n\tvmovdqu\t-16+128-128(%rcx),%ymm0\n\tvpaddq\t%ymm12,%ymm2,%ymm2\n\tvpmuludq\t%ymm11,%ymm13,%ymm13\n\tvmovdqu\t-16+160-128(%rcx),%ymm12\n\tvpaddq\t%ymm13,%ymm3,%ymm3\n\tvpmuludq\t%ymm11,%ymm0,%ymm0\n\tvmovdqu\t-16+192-128(%rcx),%ymm13\n\tvpaddq\t%ymm0,%ymm4,%ymm4\n\tvpmuludq\t%ymm11,%ymm12,%ymm12\n\tvmovdqu\t-16+224-128(%rcx),%ymm0\n\tvpaddq\t%ymm12,%ymm5,%ymm5\n\tvpmuludq\t%ymm11,%ymm13,%ymm13\n\tvmovdqu\t-16+256-128(%rcx),%ymm12\n\tvpaddq\t%ymm13,%ymm6,%ymm6\n\tvpmuludq\t%ymm11,%ymm0,%ymm0\n\tvmovdqu\t-16+288-128(%rcx),%ymm13\n\tvpaddq\t%ymm0,%ymm7,%ymm7\n\tvpmuludq\t%ymm11,%ymm12,%ymm12\n\tvmovdqu\t-24+32-128(%rsi),%ymm0\n\tvpaddq\t%ymm12,%ymm8,%ymm8\n\tvpmuludq\t%ymm11,%ymm13,%ymm13\n\tvmovdqu\t-24+64-128(%rsi),%ymm12\n\tvpaddq\t%ymm13,%ymm9,%ymm9\n\n\taddq\t%r11,%r12\n\timulq\t-128(%rsi),%rbx\n\taddq\t%rbx,%r12\n\n\tmovq\t%r12,%rax\n\timull\t%r8d,%eax\n\tandl\t$0x1fffffff,%eax\n\n\tvpmuludq\t%ymm10,%ymm0,%ymm0\n\tvmovd\t%eax,%xmm11\n\tvmovdqu\t-24+96-128(%rsi),%ymm13\n\tvpaddq\t%ymm0,%ymm1,%ymm1\n\tvpmuludq\t%ymm10,%ymm12,%ymm12\n\tvpbroadcastq\t%xmm11,%ymm11\n\tvmovdqu\t-24+128-128(%rsi),%ymm0\n\tvpaddq\t%ymm12,%ymm2,%ymm2\n\tvpmuludq\t%ymm10,%ymm13,%ymm13\n\tvmovdqu\t-24+160-128(%rsi),%ymm12\n\tvpaddq\t%ymm13,%ymm3,%ymm3\n\tvpmuludq\t%ymm10,%ymm0,%ymm0\n\tvmovdqu\t-24+192-128(%rsi),%ymm13\n\tvpaddq\t%ymm0,%ymm4,%ymm4\n\tvpmuludq\t%ymm10,%ymm12,%ymm12\n\tvmovdqu\t-24+224-128(%rsi),%ymm0\n\tvpaddq\t%ymm12,%ymm5,%ymm5\n\tvpmuludq\t%ymm10,%ymm13,%ymm13\n\tvmovdqu\t-24+256-128(%rsi),%ymm12\n\tvpaddq\t%ymm13,%ymm6,%ymm6\n\tvpmuludq\t%ymm10,%ymm0,%ymm0\n\tvmovdqu\t-24+288-128(%rsi),%ymm13\n\tvpaddq\t%ymm0,%ymm7,%ymm7\n\tvpmuludq\t%ymm10,%ymm12,%ymm12\n\tvpaddq\t%ymm12,%ymm8,%ymm8\n\tvpmuludq\t%ymm10,%ymm13,%ymm13\n\tvpbroadcastq\t32(%r13),%ymm10\n\tvpaddq\t%ymm13,%ymm9,%ymm9\n\taddq\t$32,%r13\n\n\tvmovdqu\t-24+32-128(%rcx),%ymm0\n\timulq\t-128(%rcx),%rax\n\taddq\t%rax,%r12\n\tshrq\t$29,%r12\n\n\tvmovdqu\t-24+64-128(%rcx),%ymm12\n\tvpmuludq\t%ymm11,%ymm0,%ymm0\n\tvmovq\t%xmm10,%rbx\n\tvmovdqu\t-24+96-128(%rcx),%ymm13\n\tvpaddq\t%ymm0,%ymm1,%ymm0\n\tvpmuludq\t%ymm11,%ymm12,%ymm12\n\tvmovdqu\t%ymm0,(%rsp)\n\tvpaddq\t%ymm12,%ymm2,%ymm1\n\tvmovdqu\t-24+128-128(%rcx),%ymm0\n\tvpmuludq\t%ymm11,%ymm13,%ymm13\n\tvmovdqu\t-24+160-128(%rcx),%ymm12\n\tvpaddq\t%ymm13,%ymm3,%ymm2\n\tvpmuludq\t%ymm11,%ymm0,%ymm0\n\tvmovdqu\t-24+192-128(%rcx),%ymm13\n\tvpaddq\t%ymm0,%ymm4,%ymm3\n\tvpmuludq\t%ymm11,%ymm12,%ymm12\n\tvmovdqu\t-24+224-128(%rcx),%ymm0\n\tvpaddq\t%ymm12,%ymm5,%ymm4\n\tvpmuludq\t%ymm11,%ymm13,%ymm13\n\tvmovdqu\t-24+256-128(%rcx),%ymm12\n\tvpaddq\t%ymm13,%ymm6,%ymm5\n\tvpmuludq\t%ymm11,%ymm0,%ymm0\n\tvmovdqu\t-24+288-128(%rcx),%ymm13\n\tmovq\t%r12,%r9\n\tvpaddq\t%ymm0,%ymm7,%ymm6\n\tvpmuludq\t%ymm11,%ymm12,%ymm12\n\taddq\t(%rsp),%r9\n\tvpaddq\t%ymm12,%ymm8,%ymm7\n\tvpmuludq\t%ymm11,%ymm13,%ymm13\n\tvmovq\t%r12,%xmm12\n\tvpaddq\t%ymm13,%ymm9,%ymm8\n\n\tdecl\t%r14d\n\tjnz\tL$oop_mul_1024\n\tvpaddq\t(%rsp),%ymm12,%ymm0\n\n\tvpsrlq\t$29,%ymm0,%ymm12\n\tvpand\t%ymm15,%ymm0,%ymm0\n\tvpsrlq\t$29,%ymm1,%ymm13\n\tvpand\t%ymm15,%ymm1,%ymm1\n\tvpsrlq\t$29,%ymm2,%ymm10\n\tvpermq\t$0x93,%ymm12,%ymm12\n\tvpand\t%ymm15,%ymm2,%ymm2\n\tvpsrlq\t$29,%ymm3,%ymm11\n\tvpermq\t$0x93,%ymm13,%ymm13\n\tvpand\t%ymm15,%ymm3,%ymm3\n\n\tvpblendd\t$3,%ymm14,%ymm12,%ymm9\n\tvpermq\t$0x93,%ymm10,%ymm10\n\tvpblendd\t$3,%ymm12,%ymm13,%ymm12\n\tvpermq\t$0x93,%ymm11,%ymm11\n\tvpaddq\t%ymm9,%ymm0,%ymm0\n\tvpblendd\t$3,%ymm13,%ymm10,%ymm13\n\tvpaddq\t%ymm12,%ymm1,%ymm1\n\tvpblendd\t$3,%ymm10,%ymm11,%ymm10\n\tvpaddq\t%ymm13,%ymm2,%ymm2\n\tvpblendd\t$3,%ymm11,%ymm14,%ymm11\n\tvpaddq\t%ymm10,%ymm3,%ymm3\n\tvpaddq\t%ymm11,%ymm4,%ymm4\n\n\tvpsrlq\t$29,%ymm0,%ymm12\n\tvpand\t%ymm15,%ymm0,%ymm0\n\tvpsrlq\t$29,%ymm1,%ymm13\n\tvpand\t%ymm15,%ymm1,%ymm1\n\tvpsrlq\t$29,%ymm2,%ymm10\n\tvpermq\t$0x93,%ymm12,%ymm12\n\tvpand\t%ymm15,%ymm2,%ymm2\n\tvpsrlq\t$29,%ymm3,%ymm11\n\tvpermq\t$0x93,%ymm13,%ymm13\n\tvpand\t%ymm15,%ymm3,%ymm3\n\tvpermq\t$0x93,%ymm10,%ymm10\n\n\tvpblendd\t$3,%ymm14,%ymm12,%ymm9\n\tvpermq\t$0x93,%ymm11,%ymm11\n\tvpblendd\t$3,%ymm12,%ymm13,%ymm12\n\tvpaddq\t%ymm9,%ymm0,%ymm0\n\tvpblendd\t$3,%ymm13,%ymm10,%ymm13\n\tvpaddq\t%ymm12,%ymm1,%ymm1\n\tvpblendd\t$3,%ymm10,%ymm11,%ymm10\n\tvpaddq\t%ymm13,%ymm2,%ymm2\n\tvpblendd\t$3,%ymm11,%ymm14,%ymm11\n\tvpaddq\t%ymm10,%ymm3,%ymm3\n\tvpaddq\t%ymm11,%ymm4,%ymm4\n\n\tvmovdqu\t%ymm0,0-128(%rdi)\n\tvmovdqu\t%ymm1,32-128(%rdi)\n\tvmovdqu\t%ymm2,64-128(%rdi)\n\tvmovdqu\t%ymm3,96-128(%rdi)\n\tvpsrlq\t$29,%ymm4,%ymm12\n\tvpand\t%ymm15,%ymm4,%ymm4\n\tvpsrlq\t$29,%ymm5,%ymm13\n\tvpand\t%ymm15,%ymm5,%ymm5\n\tvpsrlq\t$29,%ymm6,%ymm10\n\tvpermq\t$0x93,%ymm12,%ymm12\n\tvpand\t%ymm15,%ymm6,%ymm6\n\tvpsrlq\t$29,%ymm7,%ymm11\n\tvpermq\t$0x93,%ymm13,%ymm13\n\tvpand\t%ymm15,%ymm7,%ymm7\n\tvpsrlq\t$29,%ymm8,%ymm0\n\tvpermq\t$0x93,%ymm10,%ymm10\n\tvpand\t%ymm15,%ymm8,%ymm8\n\tvpermq\t$0x93,%ymm11,%ymm11\n\n\tvpblendd\t$3,%ymm14,%ymm12,%ymm9\n\tvpermq\t$0x93,%ymm0,%ymm0\n\tvpblendd\t$3,%ymm12,%ymm13,%ymm12\n\tvpaddq\t%ymm9,%ymm4,%ymm4\n\tvpblendd\t$3,%ymm13,%ymm10,%ymm13\n\tvpaddq\t%ymm12,%ymm5,%ymm5\n\tvpblendd\t$3,%ymm10,%ymm11,%ymm10\n\tvpaddq\t%ymm13,%ymm6,%ymm6\n\tvpblendd\t$3,%ymm11,%ymm0,%ymm11\n\tvpaddq\t%ymm10,%ymm7,%ymm7\n\tvpaddq\t%ymm11,%ymm8,%ymm8\n\n\tvpsrlq\t$29,%ymm4,%ymm12\n\tvpand\t%ymm15,%ymm4,%ymm4\n\tvpsrlq\t$29,%ymm5,%ymm13\n\tvpand\t%ymm15,%ymm5,%ymm5\n\tvpsrlq\t$29,%ymm6,%ymm10\n\tvpermq\t$0x93,%ymm12,%ymm12\n\tvpand\t%ymm15,%ymm6,%ymm6\n\tvpsrlq\t$29,%ymm7,%ymm11\n\tvpermq\t$0x93,%ymm13,%ymm13\n\tvpand\t%ymm15,%ymm7,%ymm7\n\tvpsrlq\t$29,%ymm8,%ymm0\n\tvpermq\t$0x93,%ymm10,%ymm10\n\tvpand\t%ymm15,%ymm8,%ymm8\n\tvpermq\t$0x93,%ymm11,%ymm11\n\n\tvpblendd\t$3,%ymm14,%ymm12,%ymm9\n\tvpermq\t$0x93,%ymm0,%ymm0\n\tvpblendd\t$3,%ymm12,%ymm13,%ymm12\n\tvpaddq\t%ymm9,%ymm4,%ymm4\n\tvpblendd\t$3,%ymm13,%ymm10,%ymm13\n\tvpaddq\t%ymm12,%ymm5,%ymm5\n\tvpblendd\t$3,%ymm10,%ymm11,%ymm10\n\tvpaddq\t%ymm13,%ymm6,%ymm6\n\tvpblendd\t$3,%ymm11,%ymm0,%ymm11\n\tvpaddq\t%ymm10,%ymm7,%ymm7\n\tvpaddq\t%ymm11,%ymm8,%ymm8\n\n\tvmovdqu\t%ymm4,128-128(%rdi)\n\tvmovdqu\t%ymm5,160-128(%rdi)\n\tvmovdqu\t%ymm6,192-128(%rdi)\n\tvmovdqu\t%ymm7,224-128(%rdi)\n\tvmovdqu\t%ymm8,256-128(%rdi)\n\tvzeroupper\n\n\tmovq\t%rbp,%rax\n\n\tmovq\t-48(%rax),%r15\n\n\tmovq\t-40(%rax),%r14\n\n\tmovq\t-32(%rax),%r13\n\n\tmovq\t-24(%rax),%r12\n\n\tmovq\t-16(%rax),%rbp\n\n\tmovq\t-8(%rax),%rbx\n\n\tleaq\t(%rax),%rsp\n\nL$mul_1024_epilogue:\n\tret\n\n\n.globl\t_rsaz_1024_red2norm_avx2\n.private_extern _rsaz_1024_red2norm_avx2\n\n.p2align\t5\n_rsaz_1024_red2norm_avx2:\n\n_CET_ENDBR\n\tsubq\t$-128,%rsi\n\txorq\t%rax,%rax\n\tmovq\t-128(%rsi),%r8\n\tmovq\t-120(%rsi),%r9\n\tmovq\t-112(%rsi),%r10\n\tshlq\t$0,%r8\n\tshlq\t$29,%r9\n\tmovq\t%r10,%r11\n\tshlq\t$58,%r10\n\tshrq\t$6,%r11\n\taddq\t%r8,%rax\n\taddq\t%r9,%rax\n\taddq\t%r10,%rax\n\tadcq\t$0,%r11\n\tmovq\t%rax,0(%rdi)\n\tmovq\t%r11,%rax\n\tmovq\t-104(%rsi),%r8\n\tmovq\t-96(%rsi),%r9\n\tshlq\t$23,%r8\n\tmovq\t%r9,%r10\n\tshlq\t$52,%r9\n\tshrq\t$12,%r10\n\taddq\t%r8,%rax\n\taddq\t%r9,%rax\n\tadcq\t$0,%r10\n\tmovq\t%rax,8(%rdi)\n\tmovq\t%r10,%rax\n\tmovq\t-88(%rsi),%r11\n\tmovq\t-80(%rsi),%r8\n\tshlq\t$17,%r11\n\tmovq\t%r8,%r9\n\tshlq\t$46,%r8\n\tshrq\t$18,%r9\n\taddq\t%r11,%rax\n\taddq\t%r8,%rax\n\tadcq\t$0,%r9\n\tmovq\t%rax,16(%rdi)\n\tmovq\t%r9,%rax\n\tmovq\t-72(%rsi),%r10\n\tmovq\t-64(%rsi),%r11\n\tshlq\t$11,%r10\n\tmovq\t%r11,%r8\n\tshlq\t$40,%r11\n\tshrq\t$24,%r8\n\taddq\t%r10,%rax\n\taddq\t%r11,%rax\n\tadcq\t$0,%r8\n\tmovq\t%rax,24(%rdi)\n\tmovq\t%r8,%rax\n\tmovq\t-56(%rsi),%r9\n\tmovq\t-48(%rsi),%r10\n\tmovq\t-40(%rsi),%r11\n\tshlq\t$5,%r9\n\tshlq\t$34,%r10\n\tmovq\t%r11,%r8\n\tshlq\t$63,%r11\n\tshrq\t$1,%r8\n\taddq\t%r9,%rax\n\taddq\t%r10,%rax\n\taddq\t%r11,%rax\n\tadcq\t$0,%r8\n\tmovq\t%rax,32(%rdi)\n\tmovq\t%r8,%rax\n\tmovq\t-32(%rsi),%r9\n\tmovq\t-24(%rsi),%r10\n\tshlq\t$28,%r9\n\tmovq\t%r10,%r11\n\tshlq\t$57,%r10\n\tshrq\t$7,%r11\n\taddq\t%r9,%rax\n\taddq\t%r10,%rax\n\tadcq\t$0,%r11\n\tmovq\t%rax,40(%rdi)\n\tmovq\t%r11,%rax\n\tmovq\t-16(%rsi),%r8\n\tmovq\t-8(%rsi),%r9\n\tshlq\t$22,%r8\n\tmovq\t%r9,%r10\n\tshlq\t$51,%r9\n\tshrq\t$13,%r10\n\taddq\t%r8,%rax\n\taddq\t%r9,%rax\n\tadcq\t$0,%r10\n\tmovq\t%rax,48(%rdi)\n\tmovq\t%r10,%rax\n\tmovq\t0(%rsi),%r11\n\tmovq\t8(%rsi),%r8\n\tshlq\t$16,%r11\n\tmovq\t%r8,%r9\n\tshlq\t$45,%r8\n\tshrq\t$19,%r9\n\taddq\t%r11,%rax\n\taddq\t%r8,%rax\n\tadcq\t$0,%r9\n\tmovq\t%rax,56(%rdi)\n\tmovq\t%r9,%rax\n\tmovq\t16(%rsi),%r10\n\tmovq\t24(%rsi),%r11\n\tshlq\t$10,%r10\n\tmovq\t%r11,%r8\n\tshlq\t$39,%r11\n\tshrq\t$25,%r8\n\taddq\t%r10,%rax\n\taddq\t%r11,%rax\n\tadcq\t$0,%r8\n\tmovq\t%rax,64(%rdi)\n\tmovq\t%r8,%rax\n\tmovq\t32(%rsi),%r9\n\tmovq\t40(%rsi),%r10\n\tmovq\t48(%rsi),%r11\n\tshlq\t$4,%r9\n\tshlq\t$33,%r10\n\tmovq\t%r11,%r8\n\tshlq\t$62,%r11\n\tshrq\t$2,%r8\n\taddq\t%r9,%rax\n\taddq\t%r10,%rax\n\taddq\t%r11,%rax\n\tadcq\t$0,%r8\n\tmovq\t%rax,72(%rdi)\n\tmovq\t%r8,%rax\n\tmovq\t56(%rsi),%r9\n\tmovq\t64(%rsi),%r10\n\tshlq\t$27,%r9\n\tmovq\t%r10,%r11\n\tshlq\t$56,%r10\n\tshrq\t$8,%r11\n\taddq\t%r9,%rax\n\taddq\t%r10,%rax\n\tadcq\t$0,%r11\n\tmovq\t%rax,80(%rdi)\n\tmovq\t%r11,%rax\n\tmovq\t72(%rsi),%r8\n\tmovq\t80(%rsi),%r9\n\tshlq\t$21,%r8\n\tmovq\t%r9,%r10\n\tshlq\t$50,%r9\n\tshrq\t$14,%r10\n\taddq\t%r8,%rax\n\taddq\t%r9,%rax\n\tadcq\t$0,%r10\n\tmovq\t%rax,88(%rdi)\n\tmovq\t%r10,%rax\n\tmovq\t88(%rsi),%r11\n\tmovq\t96(%rsi),%r8\n\tshlq\t$15,%r11\n\tmovq\t%r8,%r9\n\tshlq\t$44,%r8\n\tshrq\t$20,%r9\n\taddq\t%r11,%rax\n\taddq\t%r8,%rax\n\tadcq\t$0,%r9\n\tmovq\t%rax,96(%rdi)\n\tmovq\t%r9,%rax\n\tmovq\t104(%rsi),%r10\n\tmovq\t112(%rsi),%r11\n\tshlq\t$9,%r10\n\tmovq\t%r11,%r8\n\tshlq\t$38,%r11\n\tshrq\t$26,%r8\n\taddq\t%r10,%rax\n\taddq\t%r11,%rax\n\tadcq\t$0,%r8\n\tmovq\t%rax,104(%rdi)\n\tmovq\t%r8,%rax\n\tmovq\t120(%rsi),%r9\n\tmovq\t128(%rsi),%r10\n\tmovq\t136(%rsi),%r11\n\tshlq\t$3,%r9\n\tshlq\t$32,%r10\n\tmovq\t%r11,%r8\n\tshlq\t$61,%r11\n\tshrq\t$3,%r8\n\taddq\t%r9,%rax\n\taddq\t%r10,%rax\n\taddq\t%r11,%rax\n\tadcq\t$0,%r8\n\tmovq\t%rax,112(%rdi)\n\tmovq\t%r8,%rax\n\tmovq\t144(%rsi),%r9\n\tmovq\t152(%rsi),%r10\n\tshlq\t$26,%r9\n\tmovq\t%r10,%r11\n\tshlq\t$55,%r10\n\tshrq\t$9,%r11\n\taddq\t%r9,%rax\n\taddq\t%r10,%rax\n\tadcq\t$0,%r11\n\tmovq\t%rax,120(%rdi)\n\tmovq\t%r11,%rax\n\tret\n\n\n\n.globl\t_rsaz_1024_norm2red_avx2\n.private_extern _rsaz_1024_norm2red_avx2\n\n.p2align\t5\n_rsaz_1024_norm2red_avx2:\n\n_CET_ENDBR\n\tsubq\t$-128,%rdi\n\tmovq\t(%rsi),%r8\n\tmovl\t$0x1fffffff,%eax\n\tmovq\t8(%rsi),%r9\n\tmovq\t%r8,%r11\n\tshrq\t$0,%r11\n\tandq\t%rax,%r11\n\tmovq\t%r11,-128(%rdi)\n\tmovq\t%r8,%r10\n\tshrq\t$29,%r10\n\tandq\t%rax,%r10\n\tmovq\t%r10,-120(%rdi)\n\tshrdq\t$58,%r9,%r8\n\tandq\t%rax,%r8\n\tmovq\t%r8,-112(%rdi)\n\tmovq\t16(%rsi),%r10\n\tmovq\t%r9,%r8\n\tshrq\t$23,%r8\n\tandq\t%rax,%r8\n\tmovq\t%r8,-104(%rdi)\n\tshrdq\t$52,%r10,%r9\n\tandq\t%rax,%r9\n\tmovq\t%r9,-96(%rdi)\n\tmovq\t24(%rsi),%r11\n\tmovq\t%r10,%r9\n\tshrq\t$17,%r9\n\tandq\t%rax,%r9\n\tmovq\t%r9,-88(%rdi)\n\tshrdq\t$46,%r11,%r10\n\tandq\t%rax,%r10\n\tmovq\t%r10,-80(%rdi)\n\tmovq\t32(%rsi),%r8\n\tmovq\t%r11,%r10\n\tshrq\t$11,%r10\n\tandq\t%rax,%r10\n\tmovq\t%r10,-72(%rdi)\n\tshrdq\t$40,%r8,%r11\n\tandq\t%rax,%r11\n\tmovq\t%r11,-64(%rdi)\n\tmovq\t40(%rsi),%r9\n\tmovq\t%r8,%r11\n\tshrq\t$5,%r11\n\tandq\t%rax,%r11\n\tmovq\t%r11,-56(%rdi)\n\tmovq\t%r8,%r10\n\tshrq\t$34,%r10\n\tandq\t%rax,%r10\n\tmovq\t%r10,-48(%rdi)\n\tshrdq\t$63,%r9,%r8\n\tandq\t%rax,%r8\n\tmovq\t%r8,-40(%rdi)\n\tmovq\t48(%rsi),%r10\n\tmovq\t%r9,%r8\n\tshrq\t$28,%r8\n\tandq\t%rax,%r8\n\tmovq\t%r8,-32(%rdi)\n\tshrdq\t$57,%r10,%r9\n\tandq\t%rax,%r9\n\tmovq\t%r9,-24(%rdi)\n\tmovq\t56(%rsi),%r11\n\tmovq\t%r10,%r9\n\tshrq\t$22,%r9\n\tandq\t%rax,%r9\n\tmovq\t%r9,-16(%rdi)\n\tshrdq\t$51,%r11,%r10\n\tandq\t%rax,%r10\n\tmovq\t%r10,-8(%rdi)\n\tmovq\t64(%rsi),%r8\n\tmovq\t%r11,%r10\n\tshrq\t$16,%r10\n\tandq\t%rax,%r10\n\tmovq\t%r10,0(%rdi)\n\tshrdq\t$45,%r8,%r11\n\tandq\t%rax,%r11\n\tmovq\t%r11,8(%rdi)\n\tmovq\t72(%rsi),%r9\n\tmovq\t%r8,%r11\n\tshrq\t$10,%r11\n\tandq\t%rax,%r11\n\tmovq\t%r11,16(%rdi)\n\tshrdq\t$39,%r9,%r8\n\tandq\t%rax,%r8\n\tmovq\t%r8,24(%rdi)\n\tmovq\t80(%rsi),%r10\n\tmovq\t%r9,%r8\n\tshrq\t$4,%r8\n\tandq\t%rax,%r8\n\tmovq\t%r8,32(%rdi)\n\tmovq\t%r9,%r11\n\tshrq\t$33,%r11\n\tandq\t%rax,%r11\n\tmovq\t%r11,40(%rdi)\n\tshrdq\t$62,%r10,%r9\n\tandq\t%rax,%r9\n\tmovq\t%r9,48(%rdi)\n\tmovq\t88(%rsi),%r11\n\tmovq\t%r10,%r9\n\tshrq\t$27,%r9\n\tandq\t%rax,%r9\n\tmovq\t%r9,56(%rdi)\n\tshrdq\t$56,%r11,%r10\n\tandq\t%rax,%r10\n\tmovq\t%r10,64(%rdi)\n\tmovq\t96(%rsi),%r8\n\tmovq\t%r11,%r10\n\tshrq\t$21,%r10\n\tandq\t%rax,%r10\n\tmovq\t%r10,72(%rdi)\n\tshrdq\t$50,%r8,%r11\n\tandq\t%rax,%r11\n\tmovq\t%r11,80(%rdi)\n\tmovq\t104(%rsi),%r9\n\tmovq\t%r8,%r11\n\tshrq\t$15,%r11\n\tandq\t%rax,%r11\n\tmovq\t%r11,88(%rdi)\n\tshrdq\t$44,%r9,%r8\n\tandq\t%rax,%r8\n\tmovq\t%r8,96(%rdi)\n\tmovq\t112(%rsi),%r10\n\tmovq\t%r9,%r8\n\tshrq\t$9,%r8\n\tandq\t%rax,%r8\n\tmovq\t%r8,104(%rdi)\n\tshrdq\t$38,%r10,%r9\n\tandq\t%rax,%r9\n\tmovq\t%r9,112(%rdi)\n\tmovq\t120(%rsi),%r11\n\tmovq\t%r10,%r9\n\tshrq\t$3,%r9\n\tandq\t%rax,%r9\n\tmovq\t%r9,120(%rdi)\n\tmovq\t%r10,%r8\n\tshrq\t$32,%r8\n\tandq\t%rax,%r8\n\tmovq\t%r8,128(%rdi)\n\tshrdq\t$61,%r11,%r10\n\tandq\t%rax,%r10\n\tmovq\t%r10,136(%rdi)\n\txorq\t%r8,%r8\n\tmovq\t%r11,%r10\n\tshrq\t$26,%r10\n\tandq\t%rax,%r10\n\tmovq\t%r10,144(%rdi)\n\tshrdq\t$55,%r8,%r11\n\tandq\t%rax,%r11\n\tmovq\t%r11,152(%rdi)\n\tmovq\t%r8,160(%rdi)\n\tmovq\t%r8,168(%rdi)\n\tmovq\t%r8,176(%rdi)\n\tmovq\t%r8,184(%rdi)\n\tret\n\n\n.globl\t_rsaz_1024_scatter5_avx2\n.private_extern _rsaz_1024_scatter5_avx2\n\n.p2align\t5\n_rsaz_1024_scatter5_avx2:\n\n_CET_ENDBR\n\tvzeroupper\n\tvmovdqu\tL$scatter_permd(%rip),%ymm5\n\tshll\t$4,%edx\n\tleaq\t(%rdi,%rdx,1),%rdi\n\tmovl\t$9,%eax\n\tjmp\tL$oop_scatter_1024\n\n.p2align\t5\nL$oop_scatter_1024:\n\tvmovdqu\t(%rsi),%ymm0\n\tleaq\t32(%rsi),%rsi\n\tvpermd\t%ymm0,%ymm5,%ymm0\n\tvmovdqu\t%xmm0,(%rdi)\n\tleaq\t512(%rdi),%rdi\n\tdecl\t%eax\n\tjnz\tL$oop_scatter_1024\n\n\tvzeroupper\n\tret\n\n\n\n.globl\t_rsaz_1024_gather5_avx2\n.private_extern _rsaz_1024_gather5_avx2\n\n.p2align\t5\n_rsaz_1024_gather5_avx2:\n\n_CET_ENDBR\n\tvzeroupper\n\tmovq\t%rsp,%r11\n\n\tleaq\t-256(%rsp),%rsp\n\tandq\t$-32,%rsp\n\tleaq\tL$inc(%rip),%r10\n\tleaq\t-128(%rsp),%rax\n\n\tvmovd\t%edx,%xmm4\n\tvmovdqa\t(%r10),%ymm0\n\tvmovdqa\t32(%r10),%ymm1\n\tvmovdqa\t64(%r10),%ymm5\n\tvpbroadcastd\t%xmm4,%ymm4\n\n\tvpaddd\t%ymm5,%ymm0,%ymm2\n\tvpcmpeqd\t%ymm4,%ymm0,%ymm0\n\tvpaddd\t%ymm5,%ymm1,%ymm3\n\tvpcmpeqd\t%ymm4,%ymm1,%ymm1\n\tvmovdqa\t%ymm0,0+128(%rax)\n\tvpaddd\t%ymm5,%ymm2,%ymm0\n\tvpcmpeqd\t%ymm4,%ymm2,%ymm2\n\tvmovdqa\t%ymm1,32+128(%rax)\n\tvpaddd\t%ymm5,%ymm3,%ymm1\n\tvpcmpeqd\t%ymm4,%ymm3,%ymm3\n\tvmovdqa\t%ymm2,64+128(%rax)\n\tvpaddd\t%ymm5,%ymm0,%ymm2\n\tvpcmpeqd\t%ymm4,%ymm0,%ymm0\n\tvmovdqa\t%ymm3,96+128(%rax)\n\tvpaddd\t%ymm5,%ymm1,%ymm3\n\tvpcmpeqd\t%ymm4,%ymm1,%ymm1\n\tvmovdqa\t%ymm0,128+128(%rax)\n\tvpaddd\t%ymm5,%ymm2,%ymm8\n\tvpcmpeqd\t%ymm4,%ymm2,%ymm2\n\tvmovdqa\t%ymm1,160+128(%rax)\n\tvpaddd\t%ymm5,%ymm3,%ymm9\n\tvpcmpeqd\t%ymm4,%ymm3,%ymm3\n\tvmovdqa\t%ymm2,192+128(%rax)\n\tvpaddd\t%ymm5,%ymm8,%ymm10\n\tvpcmpeqd\t%ymm4,%ymm8,%ymm8\n\tvmovdqa\t%ymm3,224+128(%rax)\n\tvpaddd\t%ymm5,%ymm9,%ymm11\n\tvpcmpeqd\t%ymm4,%ymm9,%ymm9\n\tvpaddd\t%ymm5,%ymm10,%ymm12\n\tvpcmpeqd\t%ymm4,%ymm10,%ymm10\n\tvpaddd\t%ymm5,%ymm11,%ymm13\n\tvpcmpeqd\t%ymm4,%ymm11,%ymm11\n\tvpaddd\t%ymm5,%ymm12,%ymm14\n\tvpcmpeqd\t%ymm4,%ymm12,%ymm12\n\tvpaddd\t%ymm5,%ymm13,%ymm15\n\tvpcmpeqd\t%ymm4,%ymm13,%ymm13\n\tvpcmpeqd\t%ymm4,%ymm14,%ymm14\n\tvpcmpeqd\t%ymm4,%ymm15,%ymm15\n\n\tvmovdqa\t-32(%r10),%ymm7\n\tleaq\t128(%rsi),%rsi\n\tmovl\t$9,%edx\n\nL$oop_gather_1024:\n\tvmovdqa\t0-128(%rsi),%ymm0\n\tvmovdqa\t32-128(%rsi),%ymm1\n\tvmovdqa\t64-128(%rsi),%ymm2\n\tvmovdqa\t96-128(%rsi),%ymm3\n\tvpand\t0+128(%rax),%ymm0,%ymm0\n\tvpand\t32+128(%rax),%ymm1,%ymm1\n\tvpand\t64+128(%rax),%ymm2,%ymm2\n\tvpor\t%ymm0,%ymm1,%ymm4\n\tvpand\t96+128(%rax),%ymm3,%ymm3\n\tvmovdqa\t128-128(%rsi),%ymm0\n\tvmovdqa\t160-128(%rsi),%ymm1\n\tvpor\t%ymm2,%ymm3,%ymm5\n\tvmovdqa\t192-128(%rsi),%ymm2\n\tvmovdqa\t224-128(%rsi),%ymm3\n\tvpand\t128+128(%rax),%ymm0,%ymm0\n\tvpand\t160+128(%rax),%ymm1,%ymm1\n\tvpand\t192+128(%rax),%ymm2,%ymm2\n\tvpor\t%ymm0,%ymm4,%ymm4\n\tvpand\t224+128(%rax),%ymm3,%ymm3\n\tvpand\t256-128(%rsi),%ymm8,%ymm0\n\tvpor\t%ymm1,%ymm5,%ymm5\n\tvpand\t288-128(%rsi),%ymm9,%ymm1\n\tvpor\t%ymm2,%ymm4,%ymm4\n\tvpand\t320-128(%rsi),%ymm10,%ymm2\n\tvpor\t%ymm3,%ymm5,%ymm5\n\tvpand\t352-128(%rsi),%ymm11,%ymm3\n\tvpor\t%ymm0,%ymm4,%ymm4\n\tvpand\t384-128(%rsi),%ymm12,%ymm0\n\tvpor\t%ymm1,%ymm5,%ymm5\n\tvpand\t416-128(%rsi),%ymm13,%ymm1\n\tvpor\t%ymm2,%ymm4,%ymm4\n\tvpand\t448-128(%rsi),%ymm14,%ymm2\n\tvpor\t%ymm3,%ymm5,%ymm5\n\tvpand\t480-128(%rsi),%ymm15,%ymm3\n\tleaq\t512(%rsi),%rsi\n\tvpor\t%ymm0,%ymm4,%ymm4\n\tvpor\t%ymm1,%ymm5,%ymm5\n\tvpor\t%ymm2,%ymm4,%ymm4\n\tvpor\t%ymm3,%ymm5,%ymm5\n\n\tvpor\t%ymm5,%ymm4,%ymm4\n\tvextracti128\t$1,%ymm4,%xmm5\n\tvpor\t%xmm4,%xmm5,%xmm5\n\tvpermd\t%ymm5,%ymm7,%ymm5\n\tvmovdqu\t%ymm5,(%rdi)\n\tleaq\t32(%rdi),%rdi\n\tdecl\t%edx\n\tjnz\tL$oop_gather_1024\n\n\tvpxor\t%ymm0,%ymm0,%ymm0\n\tvmovdqu\t%ymm0,(%rdi)\n\tvzeroupper\n\tleaq\t(%r11),%rsp\n\n\tret\n\nL$SEH_end_rsaz_1024_gather5:\n\n.section\t__DATA,__const\n.p2align\t6\nL$and_mask:\n.quad\t0x1fffffff,0x1fffffff,0x1fffffff,0x1fffffff\nL$scatter_permd:\n.long\t0,2,4,6,7,7,7,7\nL$gather_permd:\n.long\t0,7,1,7,2,7,3,7\nL$inc:\n.long\t0,0,0,0, 1,1,1,1\n.long\t2,2,2,2, 3,3,3,3\n.long\t4,4,4,4, 4,4,4,4\n.p2align\t6\n.text\t\n#endif\n#if defined(__linux__) && defined(__ELF__)\n.section .note.GNU-stack,\"\",%progbits\n#endif\n\n" }, { "path": "Sources/CNIOBoringSSL/gen/bcm/rsaz-avx2-linux.S", "content": "#define BORINGSSL_PREFIX CNIOBoringSSL\n// This file is generated from a similarly-named Perl script in the BoringSSL\n// source tree. Do not edit by hand.\n\n#include \n\n#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86_64) && defined(__ELF__)\n.text\t\n\n.globl\trsaz_1024_sqr_avx2\n.hidden rsaz_1024_sqr_avx2\n.type\trsaz_1024_sqr_avx2,@function\n.align\t64\nrsaz_1024_sqr_avx2:\n.cfi_startproc\t\n_CET_ENDBR\n\tleaq\t(%rsp),%rax\n.cfi_def_cfa_register\t%rax\n\tpushq\t%rbx\n.cfi_offset\t%rbx,-16\n\tpushq\t%rbp\n.cfi_offset\t%rbp,-24\n\tpushq\t%r12\n.cfi_offset\t%r12,-32\n\tpushq\t%r13\n.cfi_offset\t%r13,-40\n\tpushq\t%r14\n.cfi_offset\t%r14,-48\n\tpushq\t%r15\n.cfi_offset\t%r15,-56\n\tvzeroupper\n\tmovq\t%rax,%rbp\n.cfi_def_cfa_register\t%rbp\n\tmovq\t%rdx,%r13\n\tsubq\t$832,%rsp\n\tmovq\t%r13,%r15\n\tsubq\t$-128,%rdi\n\tsubq\t$-128,%rsi\n\tsubq\t$-128,%r13\n\n\tandq\t$4095,%r15\n\taddq\t$320,%r15\n\tshrq\t$12,%r15\n\tvpxor\t%ymm9,%ymm9,%ymm9\n\tjz\t.Lsqr_1024_no_n_copy\n\n\n\n\n\n\tsubq\t$320,%rsp\n\tvmovdqu\t0-128(%r13),%ymm0\n\tandq\t$-2048,%rsp\n\tvmovdqu\t32-128(%r13),%ymm1\n\tvmovdqu\t64-128(%r13),%ymm2\n\tvmovdqu\t96-128(%r13),%ymm3\n\tvmovdqu\t128-128(%r13),%ymm4\n\tvmovdqu\t160-128(%r13),%ymm5\n\tvmovdqu\t192-128(%r13),%ymm6\n\tvmovdqu\t224-128(%r13),%ymm7\n\tvmovdqu\t256-128(%r13),%ymm8\n\tleaq\t832+128(%rsp),%r13\n\tvmovdqu\t%ymm0,0-128(%r13)\n\tvmovdqu\t%ymm1,32-128(%r13)\n\tvmovdqu\t%ymm2,64-128(%r13)\n\tvmovdqu\t%ymm3,96-128(%r13)\n\tvmovdqu\t%ymm4,128-128(%r13)\n\tvmovdqu\t%ymm5,160-128(%r13)\n\tvmovdqu\t%ymm6,192-128(%r13)\n\tvmovdqu\t%ymm7,224-128(%r13)\n\tvmovdqu\t%ymm8,256-128(%r13)\n\tvmovdqu\t%ymm9,288-128(%r13)\n\n.Lsqr_1024_no_n_copy:\n\tandq\t$-1024,%rsp\n\n\tvmovdqu\t32-128(%rsi),%ymm1\n\tvmovdqu\t64-128(%rsi),%ymm2\n\tvmovdqu\t96-128(%rsi),%ymm3\n\tvmovdqu\t128-128(%rsi),%ymm4\n\tvmovdqu\t160-128(%rsi),%ymm5\n\tvmovdqu\t192-128(%rsi),%ymm6\n\tvmovdqu\t224-128(%rsi),%ymm7\n\tvmovdqu\t256-128(%rsi),%ymm8\n\n\tleaq\t192(%rsp),%rbx\n\tvmovdqu\t.Land_mask(%rip),%ymm15\n\tjmp\t.LOOP_GRANDE_SQR_1024\n\n.align\t32\n.LOOP_GRANDE_SQR_1024:\n\tleaq\t576+128(%rsp),%r9\n\tleaq\t448(%rsp),%r12\n\n\n\n\n\tvpaddq\t%ymm1,%ymm1,%ymm1\n\tvpbroadcastq\t0-128(%rsi),%ymm10\n\tvpaddq\t%ymm2,%ymm2,%ymm2\n\tvmovdqa\t%ymm1,0-128(%r9)\n\tvpaddq\t%ymm3,%ymm3,%ymm3\n\tvmovdqa\t%ymm2,32-128(%r9)\n\tvpaddq\t%ymm4,%ymm4,%ymm4\n\tvmovdqa\t%ymm3,64-128(%r9)\n\tvpaddq\t%ymm5,%ymm5,%ymm5\n\tvmovdqa\t%ymm4,96-128(%r9)\n\tvpaddq\t%ymm6,%ymm6,%ymm6\n\tvmovdqa\t%ymm5,128-128(%r9)\n\tvpaddq\t%ymm7,%ymm7,%ymm7\n\tvmovdqa\t%ymm6,160-128(%r9)\n\tvpaddq\t%ymm8,%ymm8,%ymm8\n\tvmovdqa\t%ymm7,192-128(%r9)\n\tvpxor\t%ymm9,%ymm9,%ymm9\n\tvmovdqa\t%ymm8,224-128(%r9)\n\n\tvpmuludq\t0-128(%rsi),%ymm10,%ymm0\n\tvpbroadcastq\t32-128(%rsi),%ymm11\n\tvmovdqu\t%ymm9,288-192(%rbx)\n\tvpmuludq\t%ymm10,%ymm1,%ymm1\n\tvmovdqu\t%ymm9,320-448(%r12)\n\tvpmuludq\t%ymm10,%ymm2,%ymm2\n\tvmovdqu\t%ymm9,352-448(%r12)\n\tvpmuludq\t%ymm10,%ymm3,%ymm3\n\tvmovdqu\t%ymm9,384-448(%r12)\n\tvpmuludq\t%ymm10,%ymm4,%ymm4\n\tvmovdqu\t%ymm9,416-448(%r12)\n\tvpmuludq\t%ymm10,%ymm5,%ymm5\n\tvmovdqu\t%ymm9,448-448(%r12)\n\tvpmuludq\t%ymm10,%ymm6,%ymm6\n\tvmovdqu\t%ymm9,480-448(%r12)\n\tvpmuludq\t%ymm10,%ymm7,%ymm7\n\tvmovdqu\t%ymm9,512-448(%r12)\n\tvpmuludq\t%ymm10,%ymm8,%ymm8\n\tvpbroadcastq\t64-128(%rsi),%ymm10\n\tvmovdqu\t%ymm9,544-448(%r12)\n\n\tmovq\t%rsi,%r15\n\tmovl\t$4,%r14d\n\tjmp\t.Lsqr_entry_1024\n.align\t32\n.LOOP_SQR_1024:\n\tvpbroadcastq\t32-128(%r15),%ymm11\n\tvpmuludq\t0-128(%rsi),%ymm10,%ymm0\n\tvpaddq\t0-192(%rbx),%ymm0,%ymm0\n\tvpmuludq\t0-128(%r9),%ymm10,%ymm1\n\tvpaddq\t32-192(%rbx),%ymm1,%ymm1\n\tvpmuludq\t32-128(%r9),%ymm10,%ymm2\n\tvpaddq\t64-192(%rbx),%ymm2,%ymm2\n\tvpmuludq\t64-128(%r9),%ymm10,%ymm3\n\tvpaddq\t96-192(%rbx),%ymm3,%ymm3\n\tvpmuludq\t96-128(%r9),%ymm10,%ymm4\n\tvpaddq\t128-192(%rbx),%ymm4,%ymm4\n\tvpmuludq\t128-128(%r9),%ymm10,%ymm5\n\tvpaddq\t160-192(%rbx),%ymm5,%ymm5\n\tvpmuludq\t160-128(%r9),%ymm10,%ymm6\n\tvpaddq\t192-192(%rbx),%ymm6,%ymm6\n\tvpmuludq\t192-128(%r9),%ymm10,%ymm7\n\tvpaddq\t224-192(%rbx),%ymm7,%ymm7\n\tvpmuludq\t224-128(%r9),%ymm10,%ymm8\n\tvpbroadcastq\t64-128(%r15),%ymm10\n\tvpaddq\t256-192(%rbx),%ymm8,%ymm8\n.Lsqr_entry_1024:\n\tvmovdqu\t%ymm0,0-192(%rbx)\n\tvmovdqu\t%ymm1,32-192(%rbx)\n\n\tvpmuludq\t32-128(%rsi),%ymm11,%ymm12\n\tvpaddq\t%ymm12,%ymm2,%ymm2\n\tvpmuludq\t32-128(%r9),%ymm11,%ymm14\n\tvpaddq\t%ymm14,%ymm3,%ymm3\n\tvpmuludq\t64-128(%r9),%ymm11,%ymm13\n\tvpaddq\t%ymm13,%ymm4,%ymm4\n\tvpmuludq\t96-128(%r9),%ymm11,%ymm12\n\tvpaddq\t%ymm12,%ymm5,%ymm5\n\tvpmuludq\t128-128(%r9),%ymm11,%ymm14\n\tvpaddq\t%ymm14,%ymm6,%ymm6\n\tvpmuludq\t160-128(%r9),%ymm11,%ymm13\n\tvpaddq\t%ymm13,%ymm7,%ymm7\n\tvpmuludq\t192-128(%r9),%ymm11,%ymm12\n\tvpaddq\t%ymm12,%ymm8,%ymm8\n\tvpmuludq\t224-128(%r9),%ymm11,%ymm0\n\tvpbroadcastq\t96-128(%r15),%ymm11\n\tvpaddq\t288-192(%rbx),%ymm0,%ymm0\n\n\tvmovdqu\t%ymm2,64-192(%rbx)\n\tvmovdqu\t%ymm3,96-192(%rbx)\n\n\tvpmuludq\t64-128(%rsi),%ymm10,%ymm13\n\tvpaddq\t%ymm13,%ymm4,%ymm4\n\tvpmuludq\t64-128(%r9),%ymm10,%ymm12\n\tvpaddq\t%ymm12,%ymm5,%ymm5\n\tvpmuludq\t96-128(%r9),%ymm10,%ymm14\n\tvpaddq\t%ymm14,%ymm6,%ymm6\n\tvpmuludq\t128-128(%r9),%ymm10,%ymm13\n\tvpaddq\t%ymm13,%ymm7,%ymm7\n\tvpmuludq\t160-128(%r9),%ymm10,%ymm12\n\tvpaddq\t%ymm12,%ymm8,%ymm8\n\tvpmuludq\t192-128(%r9),%ymm10,%ymm14\n\tvpaddq\t%ymm14,%ymm0,%ymm0\n\tvpmuludq\t224-128(%r9),%ymm10,%ymm1\n\tvpbroadcastq\t128-128(%r15),%ymm10\n\tvpaddq\t320-448(%r12),%ymm1,%ymm1\n\n\tvmovdqu\t%ymm4,128-192(%rbx)\n\tvmovdqu\t%ymm5,160-192(%rbx)\n\n\tvpmuludq\t96-128(%rsi),%ymm11,%ymm12\n\tvpaddq\t%ymm12,%ymm6,%ymm6\n\tvpmuludq\t96-128(%r9),%ymm11,%ymm14\n\tvpaddq\t%ymm14,%ymm7,%ymm7\n\tvpmuludq\t128-128(%r9),%ymm11,%ymm13\n\tvpaddq\t%ymm13,%ymm8,%ymm8\n\tvpmuludq\t160-128(%r9),%ymm11,%ymm12\n\tvpaddq\t%ymm12,%ymm0,%ymm0\n\tvpmuludq\t192-128(%r9),%ymm11,%ymm14\n\tvpaddq\t%ymm14,%ymm1,%ymm1\n\tvpmuludq\t224-128(%r9),%ymm11,%ymm2\n\tvpbroadcastq\t160-128(%r15),%ymm11\n\tvpaddq\t352-448(%r12),%ymm2,%ymm2\n\n\tvmovdqu\t%ymm6,192-192(%rbx)\n\tvmovdqu\t%ymm7,224-192(%rbx)\n\n\tvpmuludq\t128-128(%rsi),%ymm10,%ymm12\n\tvpaddq\t%ymm12,%ymm8,%ymm8\n\tvpmuludq\t128-128(%r9),%ymm10,%ymm14\n\tvpaddq\t%ymm14,%ymm0,%ymm0\n\tvpmuludq\t160-128(%r9),%ymm10,%ymm13\n\tvpaddq\t%ymm13,%ymm1,%ymm1\n\tvpmuludq\t192-128(%r9),%ymm10,%ymm12\n\tvpaddq\t%ymm12,%ymm2,%ymm2\n\tvpmuludq\t224-128(%r9),%ymm10,%ymm3\n\tvpbroadcastq\t192-128(%r15),%ymm10\n\tvpaddq\t384-448(%r12),%ymm3,%ymm3\n\n\tvmovdqu\t%ymm8,256-192(%rbx)\n\tvmovdqu\t%ymm0,288-192(%rbx)\n\tleaq\t8(%rbx),%rbx\n\n\tvpmuludq\t160-128(%rsi),%ymm11,%ymm13\n\tvpaddq\t%ymm13,%ymm1,%ymm1\n\tvpmuludq\t160-128(%r9),%ymm11,%ymm12\n\tvpaddq\t%ymm12,%ymm2,%ymm2\n\tvpmuludq\t192-128(%r9),%ymm11,%ymm14\n\tvpaddq\t%ymm14,%ymm3,%ymm3\n\tvpmuludq\t224-128(%r9),%ymm11,%ymm4\n\tvpbroadcastq\t224-128(%r15),%ymm11\n\tvpaddq\t416-448(%r12),%ymm4,%ymm4\n\n\tvmovdqu\t%ymm1,320-448(%r12)\n\tvmovdqu\t%ymm2,352-448(%r12)\n\n\tvpmuludq\t192-128(%rsi),%ymm10,%ymm12\n\tvpaddq\t%ymm12,%ymm3,%ymm3\n\tvpmuludq\t192-128(%r9),%ymm10,%ymm14\n\tvpbroadcastq\t256-128(%r15),%ymm0\n\tvpaddq\t%ymm14,%ymm4,%ymm4\n\tvpmuludq\t224-128(%r9),%ymm10,%ymm5\n\tvpbroadcastq\t0+8-128(%r15),%ymm10\n\tvpaddq\t448-448(%r12),%ymm5,%ymm5\n\n\tvmovdqu\t%ymm3,384-448(%r12)\n\tvmovdqu\t%ymm4,416-448(%r12)\n\tleaq\t8(%r15),%r15\n\n\tvpmuludq\t224-128(%rsi),%ymm11,%ymm12\n\tvpaddq\t%ymm12,%ymm5,%ymm5\n\tvpmuludq\t224-128(%r9),%ymm11,%ymm6\n\tvpaddq\t480-448(%r12),%ymm6,%ymm6\n\n\tvpmuludq\t256-128(%rsi),%ymm0,%ymm7\n\tvmovdqu\t%ymm5,448-448(%r12)\n\tvpaddq\t512-448(%r12),%ymm7,%ymm7\n\tvmovdqu\t%ymm6,480-448(%r12)\n\tvmovdqu\t%ymm7,512-448(%r12)\n\tleaq\t8(%r12),%r12\n\n\tdecl\t%r14d\n\tjnz\t.LOOP_SQR_1024\n\n\tvmovdqu\t256(%rsp),%ymm8\n\tvmovdqu\t288(%rsp),%ymm1\n\tvmovdqu\t320(%rsp),%ymm2\n\tleaq\t192(%rsp),%rbx\n\n\tvpsrlq\t$29,%ymm8,%ymm14\n\tvpand\t%ymm15,%ymm8,%ymm8\n\tvpsrlq\t$29,%ymm1,%ymm11\n\tvpand\t%ymm15,%ymm1,%ymm1\n\n\tvpermq\t$0x93,%ymm14,%ymm14\n\tvpxor\t%ymm9,%ymm9,%ymm9\n\tvpermq\t$0x93,%ymm11,%ymm11\n\n\tvpblendd\t$3,%ymm9,%ymm14,%ymm10\n\tvpblendd\t$3,%ymm14,%ymm11,%ymm14\n\tvpaddq\t%ymm10,%ymm8,%ymm8\n\tvpblendd\t$3,%ymm11,%ymm9,%ymm11\n\tvpaddq\t%ymm14,%ymm1,%ymm1\n\tvpaddq\t%ymm11,%ymm2,%ymm2\n\tvmovdqu\t%ymm1,288-192(%rbx)\n\tvmovdqu\t%ymm2,320-192(%rbx)\n\n\tmovq\t(%rsp),%rax\n\tmovq\t8(%rsp),%r10\n\tmovq\t16(%rsp),%r11\n\tmovq\t24(%rsp),%r12\n\tvmovdqu\t32(%rsp),%ymm1\n\tvmovdqu\t64-192(%rbx),%ymm2\n\tvmovdqu\t96-192(%rbx),%ymm3\n\tvmovdqu\t128-192(%rbx),%ymm4\n\tvmovdqu\t160-192(%rbx),%ymm5\n\tvmovdqu\t192-192(%rbx),%ymm6\n\tvmovdqu\t224-192(%rbx),%ymm7\n\n\tmovq\t%rax,%r9\n\timull\t%ecx,%eax\n\tandl\t$0x1fffffff,%eax\n\tvmovd\t%eax,%xmm12\n\n\tmovq\t%rax,%rdx\n\timulq\t-128(%r13),%rax\n\tvpbroadcastq\t%xmm12,%ymm12\n\taddq\t%rax,%r9\n\tmovq\t%rdx,%rax\n\timulq\t8-128(%r13),%rax\n\tshrq\t$29,%r9\n\taddq\t%rax,%r10\n\tmovq\t%rdx,%rax\n\timulq\t16-128(%r13),%rax\n\taddq\t%r9,%r10\n\taddq\t%rax,%r11\n\timulq\t24-128(%r13),%rdx\n\taddq\t%rdx,%r12\n\n\tmovq\t%r10,%rax\n\timull\t%ecx,%eax\n\tandl\t$0x1fffffff,%eax\n\n\tmovl\t$9,%r14d\n\tjmp\t.LOOP_REDUCE_1024\n\n.align\t32\n.LOOP_REDUCE_1024:\n\tvmovd\t%eax,%xmm13\n\tvpbroadcastq\t%xmm13,%ymm13\n\n\tvpmuludq\t32-128(%r13),%ymm12,%ymm10\n\tmovq\t%rax,%rdx\n\timulq\t-128(%r13),%rax\n\tvpaddq\t%ymm10,%ymm1,%ymm1\n\taddq\t%rax,%r10\n\tvpmuludq\t64-128(%r13),%ymm12,%ymm14\n\tmovq\t%rdx,%rax\n\timulq\t8-128(%r13),%rax\n\tvpaddq\t%ymm14,%ymm2,%ymm2\n\tvpmuludq\t96-128(%r13),%ymm12,%ymm11\n.byte\t0x67\n\taddq\t%rax,%r11\n.byte\t0x67\n\tmovq\t%rdx,%rax\n\timulq\t16-128(%r13),%rax\n\tshrq\t$29,%r10\n\tvpaddq\t%ymm11,%ymm3,%ymm3\n\tvpmuludq\t128-128(%r13),%ymm12,%ymm10\n\taddq\t%rax,%r12\n\taddq\t%r10,%r11\n\tvpaddq\t%ymm10,%ymm4,%ymm4\n\tvpmuludq\t160-128(%r13),%ymm12,%ymm14\n\tmovq\t%r11,%rax\n\timull\t%ecx,%eax\n\tvpaddq\t%ymm14,%ymm5,%ymm5\n\tvpmuludq\t192-128(%r13),%ymm12,%ymm11\n\tandl\t$0x1fffffff,%eax\n\tvpaddq\t%ymm11,%ymm6,%ymm6\n\tvpmuludq\t224-128(%r13),%ymm12,%ymm10\n\tvpaddq\t%ymm10,%ymm7,%ymm7\n\tvpmuludq\t256-128(%r13),%ymm12,%ymm14\n\tvmovd\t%eax,%xmm12\n\n\tvpaddq\t%ymm14,%ymm8,%ymm8\n\n\tvpbroadcastq\t%xmm12,%ymm12\n\n\tvpmuludq\t32-8-128(%r13),%ymm13,%ymm11\n\tvmovdqu\t96-8-128(%r13),%ymm14\n\tmovq\t%rax,%rdx\n\timulq\t-128(%r13),%rax\n\tvpaddq\t%ymm11,%ymm1,%ymm1\n\tvpmuludq\t64-8-128(%r13),%ymm13,%ymm10\n\tvmovdqu\t128-8-128(%r13),%ymm11\n\taddq\t%rax,%r11\n\tmovq\t%rdx,%rax\n\timulq\t8-128(%r13),%rax\n\tvpaddq\t%ymm10,%ymm2,%ymm2\n\taddq\t%r12,%rax\n\tshrq\t$29,%r11\n\tvpmuludq\t%ymm13,%ymm14,%ymm14\n\tvmovdqu\t160-8-128(%r13),%ymm10\n\taddq\t%r11,%rax\n\tvpaddq\t%ymm14,%ymm3,%ymm3\n\tvpmuludq\t%ymm13,%ymm11,%ymm11\n\tvmovdqu\t192-8-128(%r13),%ymm14\n.byte\t0x67\n\tmovq\t%rax,%r12\n\timull\t%ecx,%eax\n\tvpaddq\t%ymm11,%ymm4,%ymm4\n\tvpmuludq\t%ymm13,%ymm10,%ymm10\n.byte\t0xc4,0x41,0x7e,0x6f,0x9d,0x58,0x00,0x00,0x00\n\tandl\t$0x1fffffff,%eax\n\tvpaddq\t%ymm10,%ymm5,%ymm5\n\tvpmuludq\t%ymm13,%ymm14,%ymm14\n\tvmovdqu\t256-8-128(%r13),%ymm10\n\tvpaddq\t%ymm14,%ymm6,%ymm6\n\tvpmuludq\t%ymm13,%ymm11,%ymm11\n\tvmovdqu\t288-8-128(%r13),%ymm9\n\tvmovd\t%eax,%xmm0\n\timulq\t-128(%r13),%rax\n\tvpaddq\t%ymm11,%ymm7,%ymm7\n\tvpmuludq\t%ymm13,%ymm10,%ymm10\n\tvmovdqu\t32-16-128(%r13),%ymm14\n\tvpbroadcastq\t%xmm0,%ymm0\n\tvpaddq\t%ymm10,%ymm8,%ymm8\n\tvpmuludq\t%ymm13,%ymm9,%ymm9\n\tvmovdqu\t64-16-128(%r13),%ymm11\n\taddq\t%rax,%r12\n\n\tvmovdqu\t32-24-128(%r13),%ymm13\n\tvpmuludq\t%ymm12,%ymm14,%ymm14\n\tvmovdqu\t96-16-128(%r13),%ymm10\n\tvpaddq\t%ymm14,%ymm1,%ymm1\n\tvpmuludq\t%ymm0,%ymm13,%ymm13\n\tvpmuludq\t%ymm12,%ymm11,%ymm11\n.byte\t0xc4,0x41,0x7e,0x6f,0xb5,0xf0,0xff,0xff,0xff\n\tvpaddq\t%ymm1,%ymm13,%ymm13\n\tvpaddq\t%ymm11,%ymm2,%ymm2\n\tvpmuludq\t%ymm12,%ymm10,%ymm10\n\tvmovdqu\t160-16-128(%r13),%ymm11\n.byte\t0x67\n\tvmovq\t%xmm13,%rax\n\tvmovdqu\t%ymm13,(%rsp)\n\tvpaddq\t%ymm10,%ymm3,%ymm3\n\tvpmuludq\t%ymm12,%ymm14,%ymm14\n\tvmovdqu\t192-16-128(%r13),%ymm10\n\tvpaddq\t%ymm14,%ymm4,%ymm4\n\tvpmuludq\t%ymm12,%ymm11,%ymm11\n\tvmovdqu\t224-16-128(%r13),%ymm14\n\tvpaddq\t%ymm11,%ymm5,%ymm5\n\tvpmuludq\t%ymm12,%ymm10,%ymm10\n\tvmovdqu\t256-16-128(%r13),%ymm11\n\tvpaddq\t%ymm10,%ymm6,%ymm6\n\tvpmuludq\t%ymm12,%ymm14,%ymm14\n\tshrq\t$29,%r12\n\tvmovdqu\t288-16-128(%r13),%ymm10\n\taddq\t%r12,%rax\n\tvpaddq\t%ymm14,%ymm7,%ymm7\n\tvpmuludq\t%ymm12,%ymm11,%ymm11\n\n\tmovq\t%rax,%r9\n\timull\t%ecx,%eax\n\tvpaddq\t%ymm11,%ymm8,%ymm8\n\tvpmuludq\t%ymm12,%ymm10,%ymm10\n\tandl\t$0x1fffffff,%eax\n\tvmovd\t%eax,%xmm12\n\tvmovdqu\t96-24-128(%r13),%ymm11\n.byte\t0x67\n\tvpaddq\t%ymm10,%ymm9,%ymm9\n\tvpbroadcastq\t%xmm12,%ymm12\n\n\tvpmuludq\t64-24-128(%r13),%ymm0,%ymm14\n\tvmovdqu\t128-24-128(%r13),%ymm10\n\tmovq\t%rax,%rdx\n\timulq\t-128(%r13),%rax\n\tmovq\t8(%rsp),%r10\n\tvpaddq\t%ymm14,%ymm2,%ymm1\n\tvpmuludq\t%ymm0,%ymm11,%ymm11\n\tvmovdqu\t160-24-128(%r13),%ymm14\n\taddq\t%rax,%r9\n\tmovq\t%rdx,%rax\n\timulq\t8-128(%r13),%rax\n.byte\t0x67\n\tshrq\t$29,%r9\n\tmovq\t16(%rsp),%r11\n\tvpaddq\t%ymm11,%ymm3,%ymm2\n\tvpmuludq\t%ymm0,%ymm10,%ymm10\n\tvmovdqu\t192-24-128(%r13),%ymm11\n\taddq\t%rax,%r10\n\tmovq\t%rdx,%rax\n\timulq\t16-128(%r13),%rax\n\tvpaddq\t%ymm10,%ymm4,%ymm3\n\tvpmuludq\t%ymm0,%ymm14,%ymm14\n\tvmovdqu\t224-24-128(%r13),%ymm10\n\timulq\t24-128(%r13),%rdx\n\taddq\t%rax,%r11\n\tleaq\t(%r9,%r10,1),%rax\n\tvpaddq\t%ymm14,%ymm5,%ymm4\n\tvpmuludq\t%ymm0,%ymm11,%ymm11\n\tvmovdqu\t256-24-128(%r13),%ymm14\n\tmovq\t%rax,%r10\n\timull\t%ecx,%eax\n\tvpmuludq\t%ymm0,%ymm10,%ymm10\n\tvpaddq\t%ymm11,%ymm6,%ymm5\n\tvmovdqu\t288-24-128(%r13),%ymm11\n\tandl\t$0x1fffffff,%eax\n\tvpaddq\t%ymm10,%ymm7,%ymm6\n\tvpmuludq\t%ymm0,%ymm14,%ymm14\n\taddq\t24(%rsp),%rdx\n\tvpaddq\t%ymm14,%ymm8,%ymm7\n\tvpmuludq\t%ymm0,%ymm11,%ymm11\n\tvpaddq\t%ymm11,%ymm9,%ymm8\n\tvmovq\t%r12,%xmm9\n\tmovq\t%rdx,%r12\n\n\tdecl\t%r14d\n\tjnz\t.LOOP_REDUCE_1024\n\tleaq\t448(%rsp),%r12\n\tvpaddq\t%ymm9,%ymm13,%ymm0\n\tvpxor\t%ymm9,%ymm9,%ymm9\n\n\tvpaddq\t288-192(%rbx),%ymm0,%ymm0\n\tvpaddq\t320-448(%r12),%ymm1,%ymm1\n\tvpaddq\t352-448(%r12),%ymm2,%ymm2\n\tvpaddq\t384-448(%r12),%ymm3,%ymm3\n\tvpaddq\t416-448(%r12),%ymm4,%ymm4\n\tvpaddq\t448-448(%r12),%ymm5,%ymm5\n\tvpaddq\t480-448(%r12),%ymm6,%ymm6\n\tvpaddq\t512-448(%r12),%ymm7,%ymm7\n\tvpaddq\t544-448(%r12),%ymm8,%ymm8\n\n\tvpsrlq\t$29,%ymm0,%ymm14\n\tvpand\t%ymm15,%ymm0,%ymm0\n\tvpsrlq\t$29,%ymm1,%ymm11\n\tvpand\t%ymm15,%ymm1,%ymm1\n\tvpsrlq\t$29,%ymm2,%ymm12\n\tvpermq\t$0x93,%ymm14,%ymm14\n\tvpand\t%ymm15,%ymm2,%ymm2\n\tvpsrlq\t$29,%ymm3,%ymm13\n\tvpermq\t$0x93,%ymm11,%ymm11\n\tvpand\t%ymm15,%ymm3,%ymm3\n\tvpermq\t$0x93,%ymm12,%ymm12\n\n\tvpblendd\t$3,%ymm9,%ymm14,%ymm10\n\tvpermq\t$0x93,%ymm13,%ymm13\n\tvpblendd\t$3,%ymm14,%ymm11,%ymm14\n\tvpaddq\t%ymm10,%ymm0,%ymm0\n\tvpblendd\t$3,%ymm11,%ymm12,%ymm11\n\tvpaddq\t%ymm14,%ymm1,%ymm1\n\tvpblendd\t$3,%ymm12,%ymm13,%ymm12\n\tvpaddq\t%ymm11,%ymm2,%ymm2\n\tvpblendd\t$3,%ymm13,%ymm9,%ymm13\n\tvpaddq\t%ymm12,%ymm3,%ymm3\n\tvpaddq\t%ymm13,%ymm4,%ymm4\n\n\tvpsrlq\t$29,%ymm0,%ymm14\n\tvpand\t%ymm15,%ymm0,%ymm0\n\tvpsrlq\t$29,%ymm1,%ymm11\n\tvpand\t%ymm15,%ymm1,%ymm1\n\tvpsrlq\t$29,%ymm2,%ymm12\n\tvpermq\t$0x93,%ymm14,%ymm14\n\tvpand\t%ymm15,%ymm2,%ymm2\n\tvpsrlq\t$29,%ymm3,%ymm13\n\tvpermq\t$0x93,%ymm11,%ymm11\n\tvpand\t%ymm15,%ymm3,%ymm3\n\tvpermq\t$0x93,%ymm12,%ymm12\n\n\tvpblendd\t$3,%ymm9,%ymm14,%ymm10\n\tvpermq\t$0x93,%ymm13,%ymm13\n\tvpblendd\t$3,%ymm14,%ymm11,%ymm14\n\tvpaddq\t%ymm10,%ymm0,%ymm0\n\tvpblendd\t$3,%ymm11,%ymm12,%ymm11\n\tvpaddq\t%ymm14,%ymm1,%ymm1\n\tvmovdqu\t%ymm0,0-128(%rdi)\n\tvpblendd\t$3,%ymm12,%ymm13,%ymm12\n\tvpaddq\t%ymm11,%ymm2,%ymm2\n\tvmovdqu\t%ymm1,32-128(%rdi)\n\tvpblendd\t$3,%ymm13,%ymm9,%ymm13\n\tvpaddq\t%ymm12,%ymm3,%ymm3\n\tvmovdqu\t%ymm2,64-128(%rdi)\n\tvpaddq\t%ymm13,%ymm4,%ymm4\n\tvmovdqu\t%ymm3,96-128(%rdi)\n\tvpsrlq\t$29,%ymm4,%ymm14\n\tvpand\t%ymm15,%ymm4,%ymm4\n\tvpsrlq\t$29,%ymm5,%ymm11\n\tvpand\t%ymm15,%ymm5,%ymm5\n\tvpsrlq\t$29,%ymm6,%ymm12\n\tvpermq\t$0x93,%ymm14,%ymm14\n\tvpand\t%ymm15,%ymm6,%ymm6\n\tvpsrlq\t$29,%ymm7,%ymm13\n\tvpermq\t$0x93,%ymm11,%ymm11\n\tvpand\t%ymm15,%ymm7,%ymm7\n\tvpsrlq\t$29,%ymm8,%ymm0\n\tvpermq\t$0x93,%ymm12,%ymm12\n\tvpand\t%ymm15,%ymm8,%ymm8\n\tvpermq\t$0x93,%ymm13,%ymm13\n\n\tvpblendd\t$3,%ymm9,%ymm14,%ymm10\n\tvpermq\t$0x93,%ymm0,%ymm0\n\tvpblendd\t$3,%ymm14,%ymm11,%ymm14\n\tvpaddq\t%ymm10,%ymm4,%ymm4\n\tvpblendd\t$3,%ymm11,%ymm12,%ymm11\n\tvpaddq\t%ymm14,%ymm5,%ymm5\n\tvpblendd\t$3,%ymm12,%ymm13,%ymm12\n\tvpaddq\t%ymm11,%ymm6,%ymm6\n\tvpblendd\t$3,%ymm13,%ymm0,%ymm13\n\tvpaddq\t%ymm12,%ymm7,%ymm7\n\tvpaddq\t%ymm13,%ymm8,%ymm8\n\n\tvpsrlq\t$29,%ymm4,%ymm14\n\tvpand\t%ymm15,%ymm4,%ymm4\n\tvpsrlq\t$29,%ymm5,%ymm11\n\tvpand\t%ymm15,%ymm5,%ymm5\n\tvpsrlq\t$29,%ymm6,%ymm12\n\tvpermq\t$0x93,%ymm14,%ymm14\n\tvpand\t%ymm15,%ymm6,%ymm6\n\tvpsrlq\t$29,%ymm7,%ymm13\n\tvpermq\t$0x93,%ymm11,%ymm11\n\tvpand\t%ymm15,%ymm7,%ymm7\n\tvpsrlq\t$29,%ymm8,%ymm0\n\tvpermq\t$0x93,%ymm12,%ymm12\n\tvpand\t%ymm15,%ymm8,%ymm8\n\tvpermq\t$0x93,%ymm13,%ymm13\n\n\tvpblendd\t$3,%ymm9,%ymm14,%ymm10\n\tvpermq\t$0x93,%ymm0,%ymm0\n\tvpblendd\t$3,%ymm14,%ymm11,%ymm14\n\tvpaddq\t%ymm10,%ymm4,%ymm4\n\tvpblendd\t$3,%ymm11,%ymm12,%ymm11\n\tvpaddq\t%ymm14,%ymm5,%ymm5\n\tvmovdqu\t%ymm4,128-128(%rdi)\n\tvpblendd\t$3,%ymm12,%ymm13,%ymm12\n\tvpaddq\t%ymm11,%ymm6,%ymm6\n\tvmovdqu\t%ymm5,160-128(%rdi)\n\tvpblendd\t$3,%ymm13,%ymm0,%ymm13\n\tvpaddq\t%ymm12,%ymm7,%ymm7\n\tvmovdqu\t%ymm6,192-128(%rdi)\n\tvpaddq\t%ymm13,%ymm8,%ymm8\n\tvmovdqu\t%ymm7,224-128(%rdi)\n\tvmovdqu\t%ymm8,256-128(%rdi)\n\n\tmovq\t%rdi,%rsi\n\tdecl\t%r8d\n\tjne\t.LOOP_GRANDE_SQR_1024\n\n\tvzeroall\n\tmovq\t%rbp,%rax\n.cfi_def_cfa_register\t%rax\n\tmovq\t-48(%rax),%r15\n.cfi_restore\t%r15\n\tmovq\t-40(%rax),%r14\n.cfi_restore\t%r14\n\tmovq\t-32(%rax),%r13\n.cfi_restore\t%r13\n\tmovq\t-24(%rax),%r12\n.cfi_restore\t%r12\n\tmovq\t-16(%rax),%rbp\n.cfi_restore\t%rbp\n\tmovq\t-8(%rax),%rbx\n.cfi_restore\t%rbx\n\tleaq\t(%rax),%rsp\n.cfi_def_cfa_register\t%rsp\n.Lsqr_1024_epilogue:\n\tret\n.cfi_endproc\t\n.size\trsaz_1024_sqr_avx2,.-rsaz_1024_sqr_avx2\n.globl\trsaz_1024_mul_avx2\n.hidden rsaz_1024_mul_avx2\n.type\trsaz_1024_mul_avx2,@function\n.align\t64\nrsaz_1024_mul_avx2:\n.cfi_startproc\t\n_CET_ENDBR\n\tleaq\t(%rsp),%rax\n.cfi_def_cfa_register\t%rax\n\tpushq\t%rbx\n.cfi_offset\t%rbx,-16\n\tpushq\t%rbp\n.cfi_offset\t%rbp,-24\n\tpushq\t%r12\n.cfi_offset\t%r12,-32\n\tpushq\t%r13\n.cfi_offset\t%r13,-40\n\tpushq\t%r14\n.cfi_offset\t%r14,-48\n\tpushq\t%r15\n.cfi_offset\t%r15,-56\n\tmovq\t%rax,%rbp\n.cfi_def_cfa_register\t%rbp\n\tvzeroall\n\tmovq\t%rdx,%r13\n\tsubq\t$64,%rsp\n\n\n\n\n\n\n.byte\t0x67,0x67\n\tmovq\t%rsi,%r15\n\tandq\t$4095,%r15\n\taddq\t$320,%r15\n\tshrq\t$12,%r15\n\tmovq\t%rsi,%r15\n\tcmovnzq\t%r13,%rsi\n\tcmovnzq\t%r15,%r13\n\n\tmovq\t%rcx,%r15\n\tsubq\t$-128,%rsi\n\tsubq\t$-128,%rcx\n\tsubq\t$-128,%rdi\n\n\tandq\t$4095,%r15\n\taddq\t$320,%r15\n.byte\t0x67,0x67\n\tshrq\t$12,%r15\n\tjz\t.Lmul_1024_no_n_copy\n\n\n\n\n\n\tsubq\t$320,%rsp\n\tvmovdqu\t0-128(%rcx),%ymm0\n\tandq\t$-512,%rsp\n\tvmovdqu\t32-128(%rcx),%ymm1\n\tvmovdqu\t64-128(%rcx),%ymm2\n\tvmovdqu\t96-128(%rcx),%ymm3\n\tvmovdqu\t128-128(%rcx),%ymm4\n\tvmovdqu\t160-128(%rcx),%ymm5\n\tvmovdqu\t192-128(%rcx),%ymm6\n\tvmovdqu\t224-128(%rcx),%ymm7\n\tvmovdqu\t256-128(%rcx),%ymm8\n\tleaq\t64+128(%rsp),%rcx\n\tvmovdqu\t%ymm0,0-128(%rcx)\n\tvpxor\t%ymm0,%ymm0,%ymm0\n\tvmovdqu\t%ymm1,32-128(%rcx)\n\tvpxor\t%ymm1,%ymm1,%ymm1\n\tvmovdqu\t%ymm2,64-128(%rcx)\n\tvpxor\t%ymm2,%ymm2,%ymm2\n\tvmovdqu\t%ymm3,96-128(%rcx)\n\tvpxor\t%ymm3,%ymm3,%ymm3\n\tvmovdqu\t%ymm4,128-128(%rcx)\n\tvpxor\t%ymm4,%ymm4,%ymm4\n\tvmovdqu\t%ymm5,160-128(%rcx)\n\tvpxor\t%ymm5,%ymm5,%ymm5\n\tvmovdqu\t%ymm6,192-128(%rcx)\n\tvpxor\t%ymm6,%ymm6,%ymm6\n\tvmovdqu\t%ymm7,224-128(%rcx)\n\tvpxor\t%ymm7,%ymm7,%ymm7\n\tvmovdqu\t%ymm8,256-128(%rcx)\n\tvmovdqa\t%ymm0,%ymm8\n\tvmovdqu\t%ymm9,288-128(%rcx)\n.Lmul_1024_no_n_copy:\n\tandq\t$-64,%rsp\n\n\tmovq\t(%r13),%rbx\n\tvpbroadcastq\t(%r13),%ymm10\n\tvmovdqu\t%ymm0,(%rsp)\n\txorq\t%r9,%r9\n.byte\t0x67\n\txorq\t%r10,%r10\n\txorq\t%r11,%r11\n\txorq\t%r12,%r12\n\n\tvmovdqu\t.Land_mask(%rip),%ymm15\n\tmovl\t$9,%r14d\n\tvmovdqu\t%ymm9,288-128(%rdi)\n\tjmp\t.Loop_mul_1024\n\n.align\t32\n.Loop_mul_1024:\n\tvpsrlq\t$29,%ymm3,%ymm9\n\tmovq\t%rbx,%rax\n\timulq\t-128(%rsi),%rax\n\taddq\t%r9,%rax\n\tmovq\t%rbx,%r10\n\timulq\t8-128(%rsi),%r10\n\taddq\t8(%rsp),%r10\n\n\tmovq\t%rax,%r9\n\timull\t%r8d,%eax\n\tandl\t$0x1fffffff,%eax\n\n\tmovq\t%rbx,%r11\n\timulq\t16-128(%rsi),%r11\n\taddq\t16(%rsp),%r11\n\n\tmovq\t%rbx,%r12\n\timulq\t24-128(%rsi),%r12\n\taddq\t24(%rsp),%r12\n\tvpmuludq\t32-128(%rsi),%ymm10,%ymm0\n\tvmovd\t%eax,%xmm11\n\tvpaddq\t%ymm0,%ymm1,%ymm1\n\tvpmuludq\t64-128(%rsi),%ymm10,%ymm12\n\tvpbroadcastq\t%xmm11,%ymm11\n\tvpaddq\t%ymm12,%ymm2,%ymm2\n\tvpmuludq\t96-128(%rsi),%ymm10,%ymm13\n\tvpand\t%ymm15,%ymm3,%ymm3\n\tvpaddq\t%ymm13,%ymm3,%ymm3\n\tvpmuludq\t128-128(%rsi),%ymm10,%ymm0\n\tvpaddq\t%ymm0,%ymm4,%ymm4\n\tvpmuludq\t160-128(%rsi),%ymm10,%ymm12\n\tvpaddq\t%ymm12,%ymm5,%ymm5\n\tvpmuludq\t192-128(%rsi),%ymm10,%ymm13\n\tvpaddq\t%ymm13,%ymm6,%ymm6\n\tvpmuludq\t224-128(%rsi),%ymm10,%ymm0\n\tvpermq\t$0x93,%ymm9,%ymm9\n\tvpaddq\t%ymm0,%ymm7,%ymm7\n\tvpmuludq\t256-128(%rsi),%ymm10,%ymm12\n\tvpbroadcastq\t8(%r13),%ymm10\n\tvpaddq\t%ymm12,%ymm8,%ymm8\n\n\tmovq\t%rax,%rdx\n\timulq\t-128(%rcx),%rax\n\taddq\t%rax,%r9\n\tmovq\t%rdx,%rax\n\timulq\t8-128(%rcx),%rax\n\taddq\t%rax,%r10\n\tmovq\t%rdx,%rax\n\timulq\t16-128(%rcx),%rax\n\taddq\t%rax,%r11\n\tshrq\t$29,%r9\n\timulq\t24-128(%rcx),%rdx\n\taddq\t%rdx,%r12\n\taddq\t%r9,%r10\n\n\tvpmuludq\t32-128(%rcx),%ymm11,%ymm13\n\tvmovq\t%xmm10,%rbx\n\tvpaddq\t%ymm13,%ymm1,%ymm1\n\tvpmuludq\t64-128(%rcx),%ymm11,%ymm0\n\tvpaddq\t%ymm0,%ymm2,%ymm2\n\tvpmuludq\t96-128(%rcx),%ymm11,%ymm12\n\tvpaddq\t%ymm12,%ymm3,%ymm3\n\tvpmuludq\t128-128(%rcx),%ymm11,%ymm13\n\tvpaddq\t%ymm13,%ymm4,%ymm4\n\tvpmuludq\t160-128(%rcx),%ymm11,%ymm0\n\tvpaddq\t%ymm0,%ymm5,%ymm5\n\tvpmuludq\t192-128(%rcx),%ymm11,%ymm12\n\tvpaddq\t%ymm12,%ymm6,%ymm6\n\tvpmuludq\t224-128(%rcx),%ymm11,%ymm13\n\tvpblendd\t$3,%ymm14,%ymm9,%ymm12\n\tvpaddq\t%ymm13,%ymm7,%ymm7\n\tvpmuludq\t256-128(%rcx),%ymm11,%ymm0\n\tvpaddq\t%ymm12,%ymm3,%ymm3\n\tvpaddq\t%ymm0,%ymm8,%ymm8\n\n\tmovq\t%rbx,%rax\n\timulq\t-128(%rsi),%rax\n\taddq\t%rax,%r10\n\tvmovdqu\t-8+32-128(%rsi),%ymm12\n\tmovq\t%rbx,%rax\n\timulq\t8-128(%rsi),%rax\n\taddq\t%rax,%r11\n\tvmovdqu\t-8+64-128(%rsi),%ymm13\n\n\tmovq\t%r10,%rax\n\tvpblendd\t$0xfc,%ymm14,%ymm9,%ymm9\n\timull\t%r8d,%eax\n\tvpaddq\t%ymm9,%ymm4,%ymm4\n\tandl\t$0x1fffffff,%eax\n\n\timulq\t16-128(%rsi),%rbx\n\taddq\t%rbx,%r12\n\tvpmuludq\t%ymm10,%ymm12,%ymm12\n\tvmovd\t%eax,%xmm11\n\tvmovdqu\t-8+96-128(%rsi),%ymm0\n\tvpaddq\t%ymm12,%ymm1,%ymm1\n\tvpmuludq\t%ymm10,%ymm13,%ymm13\n\tvpbroadcastq\t%xmm11,%ymm11\n\tvmovdqu\t-8+128-128(%rsi),%ymm12\n\tvpaddq\t%ymm13,%ymm2,%ymm2\n\tvpmuludq\t%ymm10,%ymm0,%ymm0\n\tvmovdqu\t-8+160-128(%rsi),%ymm13\n\tvpaddq\t%ymm0,%ymm3,%ymm3\n\tvpmuludq\t%ymm10,%ymm12,%ymm12\n\tvmovdqu\t-8+192-128(%rsi),%ymm0\n\tvpaddq\t%ymm12,%ymm4,%ymm4\n\tvpmuludq\t%ymm10,%ymm13,%ymm13\n\tvmovdqu\t-8+224-128(%rsi),%ymm12\n\tvpaddq\t%ymm13,%ymm5,%ymm5\n\tvpmuludq\t%ymm10,%ymm0,%ymm0\n\tvmovdqu\t-8+256-128(%rsi),%ymm13\n\tvpaddq\t%ymm0,%ymm6,%ymm6\n\tvpmuludq\t%ymm10,%ymm12,%ymm12\n\tvmovdqu\t-8+288-128(%rsi),%ymm9\n\tvpaddq\t%ymm12,%ymm7,%ymm7\n\tvpmuludq\t%ymm10,%ymm13,%ymm13\n\tvpaddq\t%ymm13,%ymm8,%ymm8\n\tvpmuludq\t%ymm10,%ymm9,%ymm9\n\tvpbroadcastq\t16(%r13),%ymm10\n\n\tmovq\t%rax,%rdx\n\timulq\t-128(%rcx),%rax\n\taddq\t%rax,%r10\n\tvmovdqu\t-8+32-128(%rcx),%ymm0\n\tmovq\t%rdx,%rax\n\timulq\t8-128(%rcx),%rax\n\taddq\t%rax,%r11\n\tvmovdqu\t-8+64-128(%rcx),%ymm12\n\tshrq\t$29,%r10\n\timulq\t16-128(%rcx),%rdx\n\taddq\t%rdx,%r12\n\taddq\t%r10,%r11\n\n\tvpmuludq\t%ymm11,%ymm0,%ymm0\n\tvmovq\t%xmm10,%rbx\n\tvmovdqu\t-8+96-128(%rcx),%ymm13\n\tvpaddq\t%ymm0,%ymm1,%ymm1\n\tvpmuludq\t%ymm11,%ymm12,%ymm12\n\tvmovdqu\t-8+128-128(%rcx),%ymm0\n\tvpaddq\t%ymm12,%ymm2,%ymm2\n\tvpmuludq\t%ymm11,%ymm13,%ymm13\n\tvmovdqu\t-8+160-128(%rcx),%ymm12\n\tvpaddq\t%ymm13,%ymm3,%ymm3\n\tvpmuludq\t%ymm11,%ymm0,%ymm0\n\tvmovdqu\t-8+192-128(%rcx),%ymm13\n\tvpaddq\t%ymm0,%ymm4,%ymm4\n\tvpmuludq\t%ymm11,%ymm12,%ymm12\n\tvmovdqu\t-8+224-128(%rcx),%ymm0\n\tvpaddq\t%ymm12,%ymm5,%ymm5\n\tvpmuludq\t%ymm11,%ymm13,%ymm13\n\tvmovdqu\t-8+256-128(%rcx),%ymm12\n\tvpaddq\t%ymm13,%ymm6,%ymm6\n\tvpmuludq\t%ymm11,%ymm0,%ymm0\n\tvmovdqu\t-8+288-128(%rcx),%ymm13\n\tvpaddq\t%ymm0,%ymm7,%ymm7\n\tvpmuludq\t%ymm11,%ymm12,%ymm12\n\tvpaddq\t%ymm12,%ymm8,%ymm8\n\tvpmuludq\t%ymm11,%ymm13,%ymm13\n\tvpaddq\t%ymm13,%ymm9,%ymm9\n\n\tvmovdqu\t-16+32-128(%rsi),%ymm0\n\tmovq\t%rbx,%rax\n\timulq\t-128(%rsi),%rax\n\taddq\t%r11,%rax\n\n\tvmovdqu\t-16+64-128(%rsi),%ymm12\n\tmovq\t%rax,%r11\n\timull\t%r8d,%eax\n\tandl\t$0x1fffffff,%eax\n\n\timulq\t8-128(%rsi),%rbx\n\taddq\t%rbx,%r12\n\tvpmuludq\t%ymm10,%ymm0,%ymm0\n\tvmovd\t%eax,%xmm11\n\tvmovdqu\t-16+96-128(%rsi),%ymm13\n\tvpaddq\t%ymm0,%ymm1,%ymm1\n\tvpmuludq\t%ymm10,%ymm12,%ymm12\n\tvpbroadcastq\t%xmm11,%ymm11\n\tvmovdqu\t-16+128-128(%rsi),%ymm0\n\tvpaddq\t%ymm12,%ymm2,%ymm2\n\tvpmuludq\t%ymm10,%ymm13,%ymm13\n\tvmovdqu\t-16+160-128(%rsi),%ymm12\n\tvpaddq\t%ymm13,%ymm3,%ymm3\n\tvpmuludq\t%ymm10,%ymm0,%ymm0\n\tvmovdqu\t-16+192-128(%rsi),%ymm13\n\tvpaddq\t%ymm0,%ymm4,%ymm4\n\tvpmuludq\t%ymm10,%ymm12,%ymm12\n\tvmovdqu\t-16+224-128(%rsi),%ymm0\n\tvpaddq\t%ymm12,%ymm5,%ymm5\n\tvpmuludq\t%ymm10,%ymm13,%ymm13\n\tvmovdqu\t-16+256-128(%rsi),%ymm12\n\tvpaddq\t%ymm13,%ymm6,%ymm6\n\tvpmuludq\t%ymm10,%ymm0,%ymm0\n\tvmovdqu\t-16+288-128(%rsi),%ymm13\n\tvpaddq\t%ymm0,%ymm7,%ymm7\n\tvpmuludq\t%ymm10,%ymm12,%ymm12\n\tvpaddq\t%ymm12,%ymm8,%ymm8\n\tvpmuludq\t%ymm10,%ymm13,%ymm13\n\tvpbroadcastq\t24(%r13),%ymm10\n\tvpaddq\t%ymm13,%ymm9,%ymm9\n\n\tvmovdqu\t-16+32-128(%rcx),%ymm0\n\tmovq\t%rax,%rdx\n\timulq\t-128(%rcx),%rax\n\taddq\t%rax,%r11\n\tvmovdqu\t-16+64-128(%rcx),%ymm12\n\timulq\t8-128(%rcx),%rdx\n\taddq\t%rdx,%r12\n\tshrq\t$29,%r11\n\n\tvpmuludq\t%ymm11,%ymm0,%ymm0\n\tvmovq\t%xmm10,%rbx\n\tvmovdqu\t-16+96-128(%rcx),%ymm13\n\tvpaddq\t%ymm0,%ymm1,%ymm1\n\tvpmuludq\t%ymm11,%ymm12,%ymm12\n\tvmovdqu\t-16+128-128(%rcx),%ymm0\n\tvpaddq\t%ymm12,%ymm2,%ymm2\n\tvpmuludq\t%ymm11,%ymm13,%ymm13\n\tvmovdqu\t-16+160-128(%rcx),%ymm12\n\tvpaddq\t%ymm13,%ymm3,%ymm3\n\tvpmuludq\t%ymm11,%ymm0,%ymm0\n\tvmovdqu\t-16+192-128(%rcx),%ymm13\n\tvpaddq\t%ymm0,%ymm4,%ymm4\n\tvpmuludq\t%ymm11,%ymm12,%ymm12\n\tvmovdqu\t-16+224-128(%rcx),%ymm0\n\tvpaddq\t%ymm12,%ymm5,%ymm5\n\tvpmuludq\t%ymm11,%ymm13,%ymm13\n\tvmovdqu\t-16+256-128(%rcx),%ymm12\n\tvpaddq\t%ymm13,%ymm6,%ymm6\n\tvpmuludq\t%ymm11,%ymm0,%ymm0\n\tvmovdqu\t-16+288-128(%rcx),%ymm13\n\tvpaddq\t%ymm0,%ymm7,%ymm7\n\tvpmuludq\t%ymm11,%ymm12,%ymm12\n\tvmovdqu\t-24+32-128(%rsi),%ymm0\n\tvpaddq\t%ymm12,%ymm8,%ymm8\n\tvpmuludq\t%ymm11,%ymm13,%ymm13\n\tvmovdqu\t-24+64-128(%rsi),%ymm12\n\tvpaddq\t%ymm13,%ymm9,%ymm9\n\n\taddq\t%r11,%r12\n\timulq\t-128(%rsi),%rbx\n\taddq\t%rbx,%r12\n\n\tmovq\t%r12,%rax\n\timull\t%r8d,%eax\n\tandl\t$0x1fffffff,%eax\n\n\tvpmuludq\t%ymm10,%ymm0,%ymm0\n\tvmovd\t%eax,%xmm11\n\tvmovdqu\t-24+96-128(%rsi),%ymm13\n\tvpaddq\t%ymm0,%ymm1,%ymm1\n\tvpmuludq\t%ymm10,%ymm12,%ymm12\n\tvpbroadcastq\t%xmm11,%ymm11\n\tvmovdqu\t-24+128-128(%rsi),%ymm0\n\tvpaddq\t%ymm12,%ymm2,%ymm2\n\tvpmuludq\t%ymm10,%ymm13,%ymm13\n\tvmovdqu\t-24+160-128(%rsi),%ymm12\n\tvpaddq\t%ymm13,%ymm3,%ymm3\n\tvpmuludq\t%ymm10,%ymm0,%ymm0\n\tvmovdqu\t-24+192-128(%rsi),%ymm13\n\tvpaddq\t%ymm0,%ymm4,%ymm4\n\tvpmuludq\t%ymm10,%ymm12,%ymm12\n\tvmovdqu\t-24+224-128(%rsi),%ymm0\n\tvpaddq\t%ymm12,%ymm5,%ymm5\n\tvpmuludq\t%ymm10,%ymm13,%ymm13\n\tvmovdqu\t-24+256-128(%rsi),%ymm12\n\tvpaddq\t%ymm13,%ymm6,%ymm6\n\tvpmuludq\t%ymm10,%ymm0,%ymm0\n\tvmovdqu\t-24+288-128(%rsi),%ymm13\n\tvpaddq\t%ymm0,%ymm7,%ymm7\n\tvpmuludq\t%ymm10,%ymm12,%ymm12\n\tvpaddq\t%ymm12,%ymm8,%ymm8\n\tvpmuludq\t%ymm10,%ymm13,%ymm13\n\tvpbroadcastq\t32(%r13),%ymm10\n\tvpaddq\t%ymm13,%ymm9,%ymm9\n\taddq\t$32,%r13\n\n\tvmovdqu\t-24+32-128(%rcx),%ymm0\n\timulq\t-128(%rcx),%rax\n\taddq\t%rax,%r12\n\tshrq\t$29,%r12\n\n\tvmovdqu\t-24+64-128(%rcx),%ymm12\n\tvpmuludq\t%ymm11,%ymm0,%ymm0\n\tvmovq\t%xmm10,%rbx\n\tvmovdqu\t-24+96-128(%rcx),%ymm13\n\tvpaddq\t%ymm0,%ymm1,%ymm0\n\tvpmuludq\t%ymm11,%ymm12,%ymm12\n\tvmovdqu\t%ymm0,(%rsp)\n\tvpaddq\t%ymm12,%ymm2,%ymm1\n\tvmovdqu\t-24+128-128(%rcx),%ymm0\n\tvpmuludq\t%ymm11,%ymm13,%ymm13\n\tvmovdqu\t-24+160-128(%rcx),%ymm12\n\tvpaddq\t%ymm13,%ymm3,%ymm2\n\tvpmuludq\t%ymm11,%ymm0,%ymm0\n\tvmovdqu\t-24+192-128(%rcx),%ymm13\n\tvpaddq\t%ymm0,%ymm4,%ymm3\n\tvpmuludq\t%ymm11,%ymm12,%ymm12\n\tvmovdqu\t-24+224-128(%rcx),%ymm0\n\tvpaddq\t%ymm12,%ymm5,%ymm4\n\tvpmuludq\t%ymm11,%ymm13,%ymm13\n\tvmovdqu\t-24+256-128(%rcx),%ymm12\n\tvpaddq\t%ymm13,%ymm6,%ymm5\n\tvpmuludq\t%ymm11,%ymm0,%ymm0\n\tvmovdqu\t-24+288-128(%rcx),%ymm13\n\tmovq\t%r12,%r9\n\tvpaddq\t%ymm0,%ymm7,%ymm6\n\tvpmuludq\t%ymm11,%ymm12,%ymm12\n\taddq\t(%rsp),%r9\n\tvpaddq\t%ymm12,%ymm8,%ymm7\n\tvpmuludq\t%ymm11,%ymm13,%ymm13\n\tvmovq\t%r12,%xmm12\n\tvpaddq\t%ymm13,%ymm9,%ymm8\n\n\tdecl\t%r14d\n\tjnz\t.Loop_mul_1024\n\tvpaddq\t(%rsp),%ymm12,%ymm0\n\n\tvpsrlq\t$29,%ymm0,%ymm12\n\tvpand\t%ymm15,%ymm0,%ymm0\n\tvpsrlq\t$29,%ymm1,%ymm13\n\tvpand\t%ymm15,%ymm1,%ymm1\n\tvpsrlq\t$29,%ymm2,%ymm10\n\tvpermq\t$0x93,%ymm12,%ymm12\n\tvpand\t%ymm15,%ymm2,%ymm2\n\tvpsrlq\t$29,%ymm3,%ymm11\n\tvpermq\t$0x93,%ymm13,%ymm13\n\tvpand\t%ymm15,%ymm3,%ymm3\n\n\tvpblendd\t$3,%ymm14,%ymm12,%ymm9\n\tvpermq\t$0x93,%ymm10,%ymm10\n\tvpblendd\t$3,%ymm12,%ymm13,%ymm12\n\tvpermq\t$0x93,%ymm11,%ymm11\n\tvpaddq\t%ymm9,%ymm0,%ymm0\n\tvpblendd\t$3,%ymm13,%ymm10,%ymm13\n\tvpaddq\t%ymm12,%ymm1,%ymm1\n\tvpblendd\t$3,%ymm10,%ymm11,%ymm10\n\tvpaddq\t%ymm13,%ymm2,%ymm2\n\tvpblendd\t$3,%ymm11,%ymm14,%ymm11\n\tvpaddq\t%ymm10,%ymm3,%ymm3\n\tvpaddq\t%ymm11,%ymm4,%ymm4\n\n\tvpsrlq\t$29,%ymm0,%ymm12\n\tvpand\t%ymm15,%ymm0,%ymm0\n\tvpsrlq\t$29,%ymm1,%ymm13\n\tvpand\t%ymm15,%ymm1,%ymm1\n\tvpsrlq\t$29,%ymm2,%ymm10\n\tvpermq\t$0x93,%ymm12,%ymm12\n\tvpand\t%ymm15,%ymm2,%ymm2\n\tvpsrlq\t$29,%ymm3,%ymm11\n\tvpermq\t$0x93,%ymm13,%ymm13\n\tvpand\t%ymm15,%ymm3,%ymm3\n\tvpermq\t$0x93,%ymm10,%ymm10\n\n\tvpblendd\t$3,%ymm14,%ymm12,%ymm9\n\tvpermq\t$0x93,%ymm11,%ymm11\n\tvpblendd\t$3,%ymm12,%ymm13,%ymm12\n\tvpaddq\t%ymm9,%ymm0,%ymm0\n\tvpblendd\t$3,%ymm13,%ymm10,%ymm13\n\tvpaddq\t%ymm12,%ymm1,%ymm1\n\tvpblendd\t$3,%ymm10,%ymm11,%ymm10\n\tvpaddq\t%ymm13,%ymm2,%ymm2\n\tvpblendd\t$3,%ymm11,%ymm14,%ymm11\n\tvpaddq\t%ymm10,%ymm3,%ymm3\n\tvpaddq\t%ymm11,%ymm4,%ymm4\n\n\tvmovdqu\t%ymm0,0-128(%rdi)\n\tvmovdqu\t%ymm1,32-128(%rdi)\n\tvmovdqu\t%ymm2,64-128(%rdi)\n\tvmovdqu\t%ymm3,96-128(%rdi)\n\tvpsrlq\t$29,%ymm4,%ymm12\n\tvpand\t%ymm15,%ymm4,%ymm4\n\tvpsrlq\t$29,%ymm5,%ymm13\n\tvpand\t%ymm15,%ymm5,%ymm5\n\tvpsrlq\t$29,%ymm6,%ymm10\n\tvpermq\t$0x93,%ymm12,%ymm12\n\tvpand\t%ymm15,%ymm6,%ymm6\n\tvpsrlq\t$29,%ymm7,%ymm11\n\tvpermq\t$0x93,%ymm13,%ymm13\n\tvpand\t%ymm15,%ymm7,%ymm7\n\tvpsrlq\t$29,%ymm8,%ymm0\n\tvpermq\t$0x93,%ymm10,%ymm10\n\tvpand\t%ymm15,%ymm8,%ymm8\n\tvpermq\t$0x93,%ymm11,%ymm11\n\n\tvpblendd\t$3,%ymm14,%ymm12,%ymm9\n\tvpermq\t$0x93,%ymm0,%ymm0\n\tvpblendd\t$3,%ymm12,%ymm13,%ymm12\n\tvpaddq\t%ymm9,%ymm4,%ymm4\n\tvpblendd\t$3,%ymm13,%ymm10,%ymm13\n\tvpaddq\t%ymm12,%ymm5,%ymm5\n\tvpblendd\t$3,%ymm10,%ymm11,%ymm10\n\tvpaddq\t%ymm13,%ymm6,%ymm6\n\tvpblendd\t$3,%ymm11,%ymm0,%ymm11\n\tvpaddq\t%ymm10,%ymm7,%ymm7\n\tvpaddq\t%ymm11,%ymm8,%ymm8\n\n\tvpsrlq\t$29,%ymm4,%ymm12\n\tvpand\t%ymm15,%ymm4,%ymm4\n\tvpsrlq\t$29,%ymm5,%ymm13\n\tvpand\t%ymm15,%ymm5,%ymm5\n\tvpsrlq\t$29,%ymm6,%ymm10\n\tvpermq\t$0x93,%ymm12,%ymm12\n\tvpand\t%ymm15,%ymm6,%ymm6\n\tvpsrlq\t$29,%ymm7,%ymm11\n\tvpermq\t$0x93,%ymm13,%ymm13\n\tvpand\t%ymm15,%ymm7,%ymm7\n\tvpsrlq\t$29,%ymm8,%ymm0\n\tvpermq\t$0x93,%ymm10,%ymm10\n\tvpand\t%ymm15,%ymm8,%ymm8\n\tvpermq\t$0x93,%ymm11,%ymm11\n\n\tvpblendd\t$3,%ymm14,%ymm12,%ymm9\n\tvpermq\t$0x93,%ymm0,%ymm0\n\tvpblendd\t$3,%ymm12,%ymm13,%ymm12\n\tvpaddq\t%ymm9,%ymm4,%ymm4\n\tvpblendd\t$3,%ymm13,%ymm10,%ymm13\n\tvpaddq\t%ymm12,%ymm5,%ymm5\n\tvpblendd\t$3,%ymm10,%ymm11,%ymm10\n\tvpaddq\t%ymm13,%ymm6,%ymm6\n\tvpblendd\t$3,%ymm11,%ymm0,%ymm11\n\tvpaddq\t%ymm10,%ymm7,%ymm7\n\tvpaddq\t%ymm11,%ymm8,%ymm8\n\n\tvmovdqu\t%ymm4,128-128(%rdi)\n\tvmovdqu\t%ymm5,160-128(%rdi)\n\tvmovdqu\t%ymm6,192-128(%rdi)\n\tvmovdqu\t%ymm7,224-128(%rdi)\n\tvmovdqu\t%ymm8,256-128(%rdi)\n\tvzeroupper\n\n\tmovq\t%rbp,%rax\n.cfi_def_cfa_register\t%rax\n\tmovq\t-48(%rax),%r15\n.cfi_restore\t%r15\n\tmovq\t-40(%rax),%r14\n.cfi_restore\t%r14\n\tmovq\t-32(%rax),%r13\n.cfi_restore\t%r13\n\tmovq\t-24(%rax),%r12\n.cfi_restore\t%r12\n\tmovq\t-16(%rax),%rbp\n.cfi_restore\t%rbp\n\tmovq\t-8(%rax),%rbx\n.cfi_restore\t%rbx\n\tleaq\t(%rax),%rsp\n.cfi_def_cfa_register\t%rsp\n.Lmul_1024_epilogue:\n\tret\n.cfi_endproc\t\n.size\trsaz_1024_mul_avx2,.-rsaz_1024_mul_avx2\n.globl\trsaz_1024_red2norm_avx2\n.hidden rsaz_1024_red2norm_avx2\n.type\trsaz_1024_red2norm_avx2,@function\n.align\t32\nrsaz_1024_red2norm_avx2:\n.cfi_startproc\t\n_CET_ENDBR\n\tsubq\t$-128,%rsi\n\txorq\t%rax,%rax\n\tmovq\t-128(%rsi),%r8\n\tmovq\t-120(%rsi),%r9\n\tmovq\t-112(%rsi),%r10\n\tshlq\t$0,%r8\n\tshlq\t$29,%r9\n\tmovq\t%r10,%r11\n\tshlq\t$58,%r10\n\tshrq\t$6,%r11\n\taddq\t%r8,%rax\n\taddq\t%r9,%rax\n\taddq\t%r10,%rax\n\tadcq\t$0,%r11\n\tmovq\t%rax,0(%rdi)\n\tmovq\t%r11,%rax\n\tmovq\t-104(%rsi),%r8\n\tmovq\t-96(%rsi),%r9\n\tshlq\t$23,%r8\n\tmovq\t%r9,%r10\n\tshlq\t$52,%r9\n\tshrq\t$12,%r10\n\taddq\t%r8,%rax\n\taddq\t%r9,%rax\n\tadcq\t$0,%r10\n\tmovq\t%rax,8(%rdi)\n\tmovq\t%r10,%rax\n\tmovq\t-88(%rsi),%r11\n\tmovq\t-80(%rsi),%r8\n\tshlq\t$17,%r11\n\tmovq\t%r8,%r9\n\tshlq\t$46,%r8\n\tshrq\t$18,%r9\n\taddq\t%r11,%rax\n\taddq\t%r8,%rax\n\tadcq\t$0,%r9\n\tmovq\t%rax,16(%rdi)\n\tmovq\t%r9,%rax\n\tmovq\t-72(%rsi),%r10\n\tmovq\t-64(%rsi),%r11\n\tshlq\t$11,%r10\n\tmovq\t%r11,%r8\n\tshlq\t$40,%r11\n\tshrq\t$24,%r8\n\taddq\t%r10,%rax\n\taddq\t%r11,%rax\n\tadcq\t$0,%r8\n\tmovq\t%rax,24(%rdi)\n\tmovq\t%r8,%rax\n\tmovq\t-56(%rsi),%r9\n\tmovq\t-48(%rsi),%r10\n\tmovq\t-40(%rsi),%r11\n\tshlq\t$5,%r9\n\tshlq\t$34,%r10\n\tmovq\t%r11,%r8\n\tshlq\t$63,%r11\n\tshrq\t$1,%r8\n\taddq\t%r9,%rax\n\taddq\t%r10,%rax\n\taddq\t%r11,%rax\n\tadcq\t$0,%r8\n\tmovq\t%rax,32(%rdi)\n\tmovq\t%r8,%rax\n\tmovq\t-32(%rsi),%r9\n\tmovq\t-24(%rsi),%r10\n\tshlq\t$28,%r9\n\tmovq\t%r10,%r11\n\tshlq\t$57,%r10\n\tshrq\t$7,%r11\n\taddq\t%r9,%rax\n\taddq\t%r10,%rax\n\tadcq\t$0,%r11\n\tmovq\t%rax,40(%rdi)\n\tmovq\t%r11,%rax\n\tmovq\t-16(%rsi),%r8\n\tmovq\t-8(%rsi),%r9\n\tshlq\t$22,%r8\n\tmovq\t%r9,%r10\n\tshlq\t$51,%r9\n\tshrq\t$13,%r10\n\taddq\t%r8,%rax\n\taddq\t%r9,%rax\n\tadcq\t$0,%r10\n\tmovq\t%rax,48(%rdi)\n\tmovq\t%r10,%rax\n\tmovq\t0(%rsi),%r11\n\tmovq\t8(%rsi),%r8\n\tshlq\t$16,%r11\n\tmovq\t%r8,%r9\n\tshlq\t$45,%r8\n\tshrq\t$19,%r9\n\taddq\t%r11,%rax\n\taddq\t%r8,%rax\n\tadcq\t$0,%r9\n\tmovq\t%rax,56(%rdi)\n\tmovq\t%r9,%rax\n\tmovq\t16(%rsi),%r10\n\tmovq\t24(%rsi),%r11\n\tshlq\t$10,%r10\n\tmovq\t%r11,%r8\n\tshlq\t$39,%r11\n\tshrq\t$25,%r8\n\taddq\t%r10,%rax\n\taddq\t%r11,%rax\n\tadcq\t$0,%r8\n\tmovq\t%rax,64(%rdi)\n\tmovq\t%r8,%rax\n\tmovq\t32(%rsi),%r9\n\tmovq\t40(%rsi),%r10\n\tmovq\t48(%rsi),%r11\n\tshlq\t$4,%r9\n\tshlq\t$33,%r10\n\tmovq\t%r11,%r8\n\tshlq\t$62,%r11\n\tshrq\t$2,%r8\n\taddq\t%r9,%rax\n\taddq\t%r10,%rax\n\taddq\t%r11,%rax\n\tadcq\t$0,%r8\n\tmovq\t%rax,72(%rdi)\n\tmovq\t%r8,%rax\n\tmovq\t56(%rsi),%r9\n\tmovq\t64(%rsi),%r10\n\tshlq\t$27,%r9\n\tmovq\t%r10,%r11\n\tshlq\t$56,%r10\n\tshrq\t$8,%r11\n\taddq\t%r9,%rax\n\taddq\t%r10,%rax\n\tadcq\t$0,%r11\n\tmovq\t%rax,80(%rdi)\n\tmovq\t%r11,%rax\n\tmovq\t72(%rsi),%r8\n\tmovq\t80(%rsi),%r9\n\tshlq\t$21,%r8\n\tmovq\t%r9,%r10\n\tshlq\t$50,%r9\n\tshrq\t$14,%r10\n\taddq\t%r8,%rax\n\taddq\t%r9,%rax\n\tadcq\t$0,%r10\n\tmovq\t%rax,88(%rdi)\n\tmovq\t%r10,%rax\n\tmovq\t88(%rsi),%r11\n\tmovq\t96(%rsi),%r8\n\tshlq\t$15,%r11\n\tmovq\t%r8,%r9\n\tshlq\t$44,%r8\n\tshrq\t$20,%r9\n\taddq\t%r11,%rax\n\taddq\t%r8,%rax\n\tadcq\t$0,%r9\n\tmovq\t%rax,96(%rdi)\n\tmovq\t%r9,%rax\n\tmovq\t104(%rsi),%r10\n\tmovq\t112(%rsi),%r11\n\tshlq\t$9,%r10\n\tmovq\t%r11,%r8\n\tshlq\t$38,%r11\n\tshrq\t$26,%r8\n\taddq\t%r10,%rax\n\taddq\t%r11,%rax\n\tadcq\t$0,%r8\n\tmovq\t%rax,104(%rdi)\n\tmovq\t%r8,%rax\n\tmovq\t120(%rsi),%r9\n\tmovq\t128(%rsi),%r10\n\tmovq\t136(%rsi),%r11\n\tshlq\t$3,%r9\n\tshlq\t$32,%r10\n\tmovq\t%r11,%r8\n\tshlq\t$61,%r11\n\tshrq\t$3,%r8\n\taddq\t%r9,%rax\n\taddq\t%r10,%rax\n\taddq\t%r11,%rax\n\tadcq\t$0,%r8\n\tmovq\t%rax,112(%rdi)\n\tmovq\t%r8,%rax\n\tmovq\t144(%rsi),%r9\n\tmovq\t152(%rsi),%r10\n\tshlq\t$26,%r9\n\tmovq\t%r10,%r11\n\tshlq\t$55,%r10\n\tshrq\t$9,%r11\n\taddq\t%r9,%rax\n\taddq\t%r10,%rax\n\tadcq\t$0,%r11\n\tmovq\t%rax,120(%rdi)\n\tmovq\t%r11,%rax\n\tret\n.cfi_endproc\t\n.size\trsaz_1024_red2norm_avx2,.-rsaz_1024_red2norm_avx2\n\n.globl\trsaz_1024_norm2red_avx2\n.hidden rsaz_1024_norm2red_avx2\n.type\trsaz_1024_norm2red_avx2,@function\n.align\t32\nrsaz_1024_norm2red_avx2:\n.cfi_startproc\t\n_CET_ENDBR\n\tsubq\t$-128,%rdi\n\tmovq\t(%rsi),%r8\n\tmovl\t$0x1fffffff,%eax\n\tmovq\t8(%rsi),%r9\n\tmovq\t%r8,%r11\n\tshrq\t$0,%r11\n\tandq\t%rax,%r11\n\tmovq\t%r11,-128(%rdi)\n\tmovq\t%r8,%r10\n\tshrq\t$29,%r10\n\tandq\t%rax,%r10\n\tmovq\t%r10,-120(%rdi)\n\tshrdq\t$58,%r9,%r8\n\tandq\t%rax,%r8\n\tmovq\t%r8,-112(%rdi)\n\tmovq\t16(%rsi),%r10\n\tmovq\t%r9,%r8\n\tshrq\t$23,%r8\n\tandq\t%rax,%r8\n\tmovq\t%r8,-104(%rdi)\n\tshrdq\t$52,%r10,%r9\n\tandq\t%rax,%r9\n\tmovq\t%r9,-96(%rdi)\n\tmovq\t24(%rsi),%r11\n\tmovq\t%r10,%r9\n\tshrq\t$17,%r9\n\tandq\t%rax,%r9\n\tmovq\t%r9,-88(%rdi)\n\tshrdq\t$46,%r11,%r10\n\tandq\t%rax,%r10\n\tmovq\t%r10,-80(%rdi)\n\tmovq\t32(%rsi),%r8\n\tmovq\t%r11,%r10\n\tshrq\t$11,%r10\n\tandq\t%rax,%r10\n\tmovq\t%r10,-72(%rdi)\n\tshrdq\t$40,%r8,%r11\n\tandq\t%rax,%r11\n\tmovq\t%r11,-64(%rdi)\n\tmovq\t40(%rsi),%r9\n\tmovq\t%r8,%r11\n\tshrq\t$5,%r11\n\tandq\t%rax,%r11\n\tmovq\t%r11,-56(%rdi)\n\tmovq\t%r8,%r10\n\tshrq\t$34,%r10\n\tandq\t%rax,%r10\n\tmovq\t%r10,-48(%rdi)\n\tshrdq\t$63,%r9,%r8\n\tandq\t%rax,%r8\n\tmovq\t%r8,-40(%rdi)\n\tmovq\t48(%rsi),%r10\n\tmovq\t%r9,%r8\n\tshrq\t$28,%r8\n\tandq\t%rax,%r8\n\tmovq\t%r8,-32(%rdi)\n\tshrdq\t$57,%r10,%r9\n\tandq\t%rax,%r9\n\tmovq\t%r9,-24(%rdi)\n\tmovq\t56(%rsi),%r11\n\tmovq\t%r10,%r9\n\tshrq\t$22,%r9\n\tandq\t%rax,%r9\n\tmovq\t%r9,-16(%rdi)\n\tshrdq\t$51,%r11,%r10\n\tandq\t%rax,%r10\n\tmovq\t%r10,-8(%rdi)\n\tmovq\t64(%rsi),%r8\n\tmovq\t%r11,%r10\n\tshrq\t$16,%r10\n\tandq\t%rax,%r10\n\tmovq\t%r10,0(%rdi)\n\tshrdq\t$45,%r8,%r11\n\tandq\t%rax,%r11\n\tmovq\t%r11,8(%rdi)\n\tmovq\t72(%rsi),%r9\n\tmovq\t%r8,%r11\n\tshrq\t$10,%r11\n\tandq\t%rax,%r11\n\tmovq\t%r11,16(%rdi)\n\tshrdq\t$39,%r9,%r8\n\tandq\t%rax,%r8\n\tmovq\t%r8,24(%rdi)\n\tmovq\t80(%rsi),%r10\n\tmovq\t%r9,%r8\n\tshrq\t$4,%r8\n\tandq\t%rax,%r8\n\tmovq\t%r8,32(%rdi)\n\tmovq\t%r9,%r11\n\tshrq\t$33,%r11\n\tandq\t%rax,%r11\n\tmovq\t%r11,40(%rdi)\n\tshrdq\t$62,%r10,%r9\n\tandq\t%rax,%r9\n\tmovq\t%r9,48(%rdi)\n\tmovq\t88(%rsi),%r11\n\tmovq\t%r10,%r9\n\tshrq\t$27,%r9\n\tandq\t%rax,%r9\n\tmovq\t%r9,56(%rdi)\n\tshrdq\t$56,%r11,%r10\n\tandq\t%rax,%r10\n\tmovq\t%r10,64(%rdi)\n\tmovq\t96(%rsi),%r8\n\tmovq\t%r11,%r10\n\tshrq\t$21,%r10\n\tandq\t%rax,%r10\n\tmovq\t%r10,72(%rdi)\n\tshrdq\t$50,%r8,%r11\n\tandq\t%rax,%r11\n\tmovq\t%r11,80(%rdi)\n\tmovq\t104(%rsi),%r9\n\tmovq\t%r8,%r11\n\tshrq\t$15,%r11\n\tandq\t%rax,%r11\n\tmovq\t%r11,88(%rdi)\n\tshrdq\t$44,%r9,%r8\n\tandq\t%rax,%r8\n\tmovq\t%r8,96(%rdi)\n\tmovq\t112(%rsi),%r10\n\tmovq\t%r9,%r8\n\tshrq\t$9,%r8\n\tandq\t%rax,%r8\n\tmovq\t%r8,104(%rdi)\n\tshrdq\t$38,%r10,%r9\n\tandq\t%rax,%r9\n\tmovq\t%r9,112(%rdi)\n\tmovq\t120(%rsi),%r11\n\tmovq\t%r10,%r9\n\tshrq\t$3,%r9\n\tandq\t%rax,%r9\n\tmovq\t%r9,120(%rdi)\n\tmovq\t%r10,%r8\n\tshrq\t$32,%r8\n\tandq\t%rax,%r8\n\tmovq\t%r8,128(%rdi)\n\tshrdq\t$61,%r11,%r10\n\tandq\t%rax,%r10\n\tmovq\t%r10,136(%rdi)\n\txorq\t%r8,%r8\n\tmovq\t%r11,%r10\n\tshrq\t$26,%r10\n\tandq\t%rax,%r10\n\tmovq\t%r10,144(%rdi)\n\tshrdq\t$55,%r8,%r11\n\tandq\t%rax,%r11\n\tmovq\t%r11,152(%rdi)\n\tmovq\t%r8,160(%rdi)\n\tmovq\t%r8,168(%rdi)\n\tmovq\t%r8,176(%rdi)\n\tmovq\t%r8,184(%rdi)\n\tret\n.cfi_endproc\t\n.size\trsaz_1024_norm2red_avx2,.-rsaz_1024_norm2red_avx2\n.globl\trsaz_1024_scatter5_avx2\n.hidden rsaz_1024_scatter5_avx2\n.type\trsaz_1024_scatter5_avx2,@function\n.align\t32\nrsaz_1024_scatter5_avx2:\n.cfi_startproc\t\n_CET_ENDBR\n\tvzeroupper\n\tvmovdqu\t.Lscatter_permd(%rip),%ymm5\n\tshll\t$4,%edx\n\tleaq\t(%rdi,%rdx,1),%rdi\n\tmovl\t$9,%eax\n\tjmp\t.Loop_scatter_1024\n\n.align\t32\n.Loop_scatter_1024:\n\tvmovdqu\t(%rsi),%ymm0\n\tleaq\t32(%rsi),%rsi\n\tvpermd\t%ymm0,%ymm5,%ymm0\n\tvmovdqu\t%xmm0,(%rdi)\n\tleaq\t512(%rdi),%rdi\n\tdecl\t%eax\n\tjnz\t.Loop_scatter_1024\n\n\tvzeroupper\n\tret\n.cfi_endproc\t\n.size\trsaz_1024_scatter5_avx2,.-rsaz_1024_scatter5_avx2\n\n.globl\trsaz_1024_gather5_avx2\n.hidden rsaz_1024_gather5_avx2\n.type\trsaz_1024_gather5_avx2,@function\n.align\t32\nrsaz_1024_gather5_avx2:\n.cfi_startproc\t\n_CET_ENDBR\n\tvzeroupper\n\tmovq\t%rsp,%r11\n.cfi_def_cfa_register\t%r11\n\tleaq\t-256(%rsp),%rsp\n\tandq\t$-32,%rsp\n\tleaq\t.Linc(%rip),%r10\n\tleaq\t-128(%rsp),%rax\n\n\tvmovd\t%edx,%xmm4\n\tvmovdqa\t(%r10),%ymm0\n\tvmovdqa\t32(%r10),%ymm1\n\tvmovdqa\t64(%r10),%ymm5\n\tvpbroadcastd\t%xmm4,%ymm4\n\n\tvpaddd\t%ymm5,%ymm0,%ymm2\n\tvpcmpeqd\t%ymm4,%ymm0,%ymm0\n\tvpaddd\t%ymm5,%ymm1,%ymm3\n\tvpcmpeqd\t%ymm4,%ymm1,%ymm1\n\tvmovdqa\t%ymm0,0+128(%rax)\n\tvpaddd\t%ymm5,%ymm2,%ymm0\n\tvpcmpeqd\t%ymm4,%ymm2,%ymm2\n\tvmovdqa\t%ymm1,32+128(%rax)\n\tvpaddd\t%ymm5,%ymm3,%ymm1\n\tvpcmpeqd\t%ymm4,%ymm3,%ymm3\n\tvmovdqa\t%ymm2,64+128(%rax)\n\tvpaddd\t%ymm5,%ymm0,%ymm2\n\tvpcmpeqd\t%ymm4,%ymm0,%ymm0\n\tvmovdqa\t%ymm3,96+128(%rax)\n\tvpaddd\t%ymm5,%ymm1,%ymm3\n\tvpcmpeqd\t%ymm4,%ymm1,%ymm1\n\tvmovdqa\t%ymm0,128+128(%rax)\n\tvpaddd\t%ymm5,%ymm2,%ymm8\n\tvpcmpeqd\t%ymm4,%ymm2,%ymm2\n\tvmovdqa\t%ymm1,160+128(%rax)\n\tvpaddd\t%ymm5,%ymm3,%ymm9\n\tvpcmpeqd\t%ymm4,%ymm3,%ymm3\n\tvmovdqa\t%ymm2,192+128(%rax)\n\tvpaddd\t%ymm5,%ymm8,%ymm10\n\tvpcmpeqd\t%ymm4,%ymm8,%ymm8\n\tvmovdqa\t%ymm3,224+128(%rax)\n\tvpaddd\t%ymm5,%ymm9,%ymm11\n\tvpcmpeqd\t%ymm4,%ymm9,%ymm9\n\tvpaddd\t%ymm5,%ymm10,%ymm12\n\tvpcmpeqd\t%ymm4,%ymm10,%ymm10\n\tvpaddd\t%ymm5,%ymm11,%ymm13\n\tvpcmpeqd\t%ymm4,%ymm11,%ymm11\n\tvpaddd\t%ymm5,%ymm12,%ymm14\n\tvpcmpeqd\t%ymm4,%ymm12,%ymm12\n\tvpaddd\t%ymm5,%ymm13,%ymm15\n\tvpcmpeqd\t%ymm4,%ymm13,%ymm13\n\tvpcmpeqd\t%ymm4,%ymm14,%ymm14\n\tvpcmpeqd\t%ymm4,%ymm15,%ymm15\n\n\tvmovdqa\t-32(%r10),%ymm7\n\tleaq\t128(%rsi),%rsi\n\tmovl\t$9,%edx\n\n.Loop_gather_1024:\n\tvmovdqa\t0-128(%rsi),%ymm0\n\tvmovdqa\t32-128(%rsi),%ymm1\n\tvmovdqa\t64-128(%rsi),%ymm2\n\tvmovdqa\t96-128(%rsi),%ymm3\n\tvpand\t0+128(%rax),%ymm0,%ymm0\n\tvpand\t32+128(%rax),%ymm1,%ymm1\n\tvpand\t64+128(%rax),%ymm2,%ymm2\n\tvpor\t%ymm0,%ymm1,%ymm4\n\tvpand\t96+128(%rax),%ymm3,%ymm3\n\tvmovdqa\t128-128(%rsi),%ymm0\n\tvmovdqa\t160-128(%rsi),%ymm1\n\tvpor\t%ymm2,%ymm3,%ymm5\n\tvmovdqa\t192-128(%rsi),%ymm2\n\tvmovdqa\t224-128(%rsi),%ymm3\n\tvpand\t128+128(%rax),%ymm0,%ymm0\n\tvpand\t160+128(%rax),%ymm1,%ymm1\n\tvpand\t192+128(%rax),%ymm2,%ymm2\n\tvpor\t%ymm0,%ymm4,%ymm4\n\tvpand\t224+128(%rax),%ymm3,%ymm3\n\tvpand\t256-128(%rsi),%ymm8,%ymm0\n\tvpor\t%ymm1,%ymm5,%ymm5\n\tvpand\t288-128(%rsi),%ymm9,%ymm1\n\tvpor\t%ymm2,%ymm4,%ymm4\n\tvpand\t320-128(%rsi),%ymm10,%ymm2\n\tvpor\t%ymm3,%ymm5,%ymm5\n\tvpand\t352-128(%rsi),%ymm11,%ymm3\n\tvpor\t%ymm0,%ymm4,%ymm4\n\tvpand\t384-128(%rsi),%ymm12,%ymm0\n\tvpor\t%ymm1,%ymm5,%ymm5\n\tvpand\t416-128(%rsi),%ymm13,%ymm1\n\tvpor\t%ymm2,%ymm4,%ymm4\n\tvpand\t448-128(%rsi),%ymm14,%ymm2\n\tvpor\t%ymm3,%ymm5,%ymm5\n\tvpand\t480-128(%rsi),%ymm15,%ymm3\n\tleaq\t512(%rsi),%rsi\n\tvpor\t%ymm0,%ymm4,%ymm4\n\tvpor\t%ymm1,%ymm5,%ymm5\n\tvpor\t%ymm2,%ymm4,%ymm4\n\tvpor\t%ymm3,%ymm5,%ymm5\n\n\tvpor\t%ymm5,%ymm4,%ymm4\n\tvextracti128\t$1,%ymm4,%xmm5\n\tvpor\t%xmm4,%xmm5,%xmm5\n\tvpermd\t%ymm5,%ymm7,%ymm5\n\tvmovdqu\t%ymm5,(%rdi)\n\tleaq\t32(%rdi),%rdi\n\tdecl\t%edx\n\tjnz\t.Loop_gather_1024\n\n\tvpxor\t%ymm0,%ymm0,%ymm0\n\tvmovdqu\t%ymm0,(%rdi)\n\tvzeroupper\n\tleaq\t(%r11),%rsp\n.cfi_def_cfa_register\t%rsp\n\tret\n.cfi_endproc\t\n.LSEH_end_rsaz_1024_gather5:\n.size\trsaz_1024_gather5_avx2,.-rsaz_1024_gather5_avx2\n.section\t.rodata\n.align\t64\n.Land_mask:\n.quad\t0x1fffffff,0x1fffffff,0x1fffffff,0x1fffffff\n.Lscatter_permd:\n.long\t0,2,4,6,7,7,7,7\n.Lgather_permd:\n.long\t0,7,1,7,2,7,3,7\n.Linc:\n.long\t0,0,0,0, 1,1,1,1\n.long\t2,2,2,2, 3,3,3,3\n.long\t4,4,4,4, 4,4,4,4\n.align\t64\n.text\t\n#endif\n#if defined(__linux__) && defined(__ELF__)\n.section .note.GNU-stack,\"\",%progbits\n#endif\n\n" }, { "path": "Sources/CNIOBoringSSL/gen/bcm/sha1-586-apple.S", "content": "#define BORINGSSL_PREFIX CNIOBoringSSL\n// This file is generated from a similarly-named Perl script in the BoringSSL\n// source tree. Do not edit by hand.\n\n#include \n\n#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86) && defined(__APPLE__)\n.text\n.globl\t_sha1_block_data_order_nohw\n.private_extern\t_sha1_block_data_order_nohw\n.align\t4\n_sha1_block_data_order_nohw:\nL_sha1_block_data_order_nohw_begin:\n\tpushl\t%ebp\n\tpushl\t%ebx\n\tpushl\t%esi\n\tpushl\t%edi\n\tmovl\t20(%esp),%ebp\n\tmovl\t24(%esp),%esi\n\tmovl\t28(%esp),%eax\n\tsubl\t$76,%esp\n\tshll\t$6,%eax\n\taddl\t%esi,%eax\n\tmovl\t%eax,104(%esp)\n\tmovl\t16(%ebp),%edi\n\tjmp\tL000loop\n.align\t4,0x90\nL000loop:\n\tmovl\t(%esi),%eax\n\tmovl\t4(%esi),%ebx\n\tmovl\t8(%esi),%ecx\n\tmovl\t12(%esi),%edx\n\tbswap\t%eax\n\tbswap\t%ebx\n\tbswap\t%ecx\n\tbswap\t%edx\n\tmovl\t%eax,(%esp)\n\tmovl\t%ebx,4(%esp)\n\tmovl\t%ecx,8(%esp)\n\tmovl\t%edx,12(%esp)\n\tmovl\t16(%esi),%eax\n\tmovl\t20(%esi),%ebx\n\tmovl\t24(%esi),%ecx\n\tmovl\t28(%esi),%edx\n\tbswap\t%eax\n\tbswap\t%ebx\n\tbswap\t%ecx\n\tbswap\t%edx\n\tmovl\t%eax,16(%esp)\n\tmovl\t%ebx,20(%esp)\n\tmovl\t%ecx,24(%esp)\n\tmovl\t%edx,28(%esp)\n\tmovl\t32(%esi),%eax\n\tmovl\t36(%esi),%ebx\n\tmovl\t40(%esi),%ecx\n\tmovl\t44(%esi),%edx\n\tbswap\t%eax\n\tbswap\t%ebx\n\tbswap\t%ecx\n\tbswap\t%edx\n\tmovl\t%eax,32(%esp)\n\tmovl\t%ebx,36(%esp)\n\tmovl\t%ecx,40(%esp)\n\tmovl\t%edx,44(%esp)\n\tmovl\t48(%esi),%eax\n\tmovl\t52(%esi),%ebx\n\tmovl\t56(%esi),%ecx\n\tmovl\t60(%esi),%edx\n\tbswap\t%eax\n\tbswap\t%ebx\n\tbswap\t%ecx\n\tbswap\t%edx\n\tmovl\t%eax,48(%esp)\n\tmovl\t%ebx,52(%esp)\n\tmovl\t%ecx,56(%esp)\n\tmovl\t%edx,60(%esp)\n\tmovl\t%esi,100(%esp)\n\tmovl\t(%ebp),%eax\n\tmovl\t4(%ebp),%ebx\n\tmovl\t8(%ebp),%ecx\n\tmovl\t12(%ebp),%edx\n\t# 00_15 0 \n\tmovl\t%ecx,%esi\n\tmovl\t%eax,%ebp\n\troll\t$5,%ebp\n\txorl\t%edx,%esi\n\taddl\t%edi,%ebp\n\tmovl\t(%esp),%edi\n\tandl\t%ebx,%esi\n\trorl\t$2,%ebx\n\txorl\t%edx,%esi\n\tleal\t1518500249(%ebp,%edi,1),%ebp\n\taddl\t%esi,%ebp\n\t# 00_15 1 \n\tmovl\t%ebx,%edi\n\tmovl\t%ebp,%esi\n\troll\t$5,%ebp\n\txorl\t%ecx,%edi\n\taddl\t%edx,%ebp\n\tmovl\t4(%esp),%edx\n\tandl\t%eax,%edi\n\trorl\t$2,%eax\n\txorl\t%ecx,%edi\n\tleal\t1518500249(%ebp,%edx,1),%ebp\n\taddl\t%edi,%ebp\n\t# 00_15 2 \n\tmovl\t%eax,%edx\n\tmovl\t%ebp,%edi\n\troll\t$5,%ebp\n\txorl\t%ebx,%edx\n\taddl\t%ecx,%ebp\n\tmovl\t8(%esp),%ecx\n\tandl\t%esi,%edx\n\trorl\t$2,%esi\n\txorl\t%ebx,%edx\n\tleal\t1518500249(%ebp,%ecx,1),%ebp\n\taddl\t%edx,%ebp\n\t# 00_15 3 \n\tmovl\t%esi,%ecx\n\tmovl\t%ebp,%edx\n\troll\t$5,%ebp\n\txorl\t%eax,%ecx\n\taddl\t%ebx,%ebp\n\tmovl\t12(%esp),%ebx\n\tandl\t%edi,%ecx\n\trorl\t$2,%edi\n\txorl\t%eax,%ecx\n\tleal\t1518500249(%ebp,%ebx,1),%ebp\n\taddl\t%ecx,%ebp\n\t# 00_15 4 \n\tmovl\t%edi,%ebx\n\tmovl\t%ebp,%ecx\n\troll\t$5,%ebp\n\txorl\t%esi,%ebx\n\taddl\t%eax,%ebp\n\tmovl\t16(%esp),%eax\n\tandl\t%edx,%ebx\n\trorl\t$2,%edx\n\txorl\t%esi,%ebx\n\tleal\t1518500249(%ebp,%eax,1),%ebp\n\taddl\t%ebx,%ebp\n\t# 00_15 5 \n\tmovl\t%edx,%eax\n\tmovl\t%ebp,%ebx\n\troll\t$5,%ebp\n\txorl\t%edi,%eax\n\taddl\t%esi,%ebp\n\tmovl\t20(%esp),%esi\n\tandl\t%ecx,%eax\n\trorl\t$2,%ecx\n\txorl\t%edi,%eax\n\tleal\t1518500249(%ebp,%esi,1),%ebp\n\taddl\t%eax,%ebp\n\t# 00_15 6 \n\tmovl\t%ecx,%esi\n\tmovl\t%ebp,%eax\n\troll\t$5,%ebp\n\txorl\t%edx,%esi\n\taddl\t%edi,%ebp\n\tmovl\t24(%esp),%edi\n\tandl\t%ebx,%esi\n\trorl\t$2,%ebx\n\txorl\t%edx,%esi\n\tleal\t1518500249(%ebp,%edi,1),%ebp\n\taddl\t%esi,%ebp\n\t# 00_15 7 \n\tmovl\t%ebx,%edi\n\tmovl\t%ebp,%esi\n\troll\t$5,%ebp\n\txorl\t%ecx,%edi\n\taddl\t%edx,%ebp\n\tmovl\t28(%esp),%edx\n\tandl\t%eax,%edi\n\trorl\t$2,%eax\n\txorl\t%ecx,%edi\n\tleal\t1518500249(%ebp,%edx,1),%ebp\n\taddl\t%edi,%ebp\n\t# 00_15 8 \n\tmovl\t%eax,%edx\n\tmovl\t%ebp,%edi\n\troll\t$5,%ebp\n\txorl\t%ebx,%edx\n\taddl\t%ecx,%ebp\n\tmovl\t32(%esp),%ecx\n\tandl\t%esi,%edx\n\trorl\t$2,%esi\n\txorl\t%ebx,%edx\n\tleal\t1518500249(%ebp,%ecx,1),%ebp\n\taddl\t%edx,%ebp\n\t# 00_15 9 \n\tmovl\t%esi,%ecx\n\tmovl\t%ebp,%edx\n\troll\t$5,%ebp\n\txorl\t%eax,%ecx\n\taddl\t%ebx,%ebp\n\tmovl\t36(%esp),%ebx\n\tandl\t%edi,%ecx\n\trorl\t$2,%edi\n\txorl\t%eax,%ecx\n\tleal\t1518500249(%ebp,%ebx,1),%ebp\n\taddl\t%ecx,%ebp\n\t# 00_15 10 \n\tmovl\t%edi,%ebx\n\tmovl\t%ebp,%ecx\n\troll\t$5,%ebp\n\txorl\t%esi,%ebx\n\taddl\t%eax,%ebp\n\tmovl\t40(%esp),%eax\n\tandl\t%edx,%ebx\n\trorl\t$2,%edx\n\txorl\t%esi,%ebx\n\tleal\t1518500249(%ebp,%eax,1),%ebp\n\taddl\t%ebx,%ebp\n\t# 00_15 11 \n\tmovl\t%edx,%eax\n\tmovl\t%ebp,%ebx\n\troll\t$5,%ebp\n\txorl\t%edi,%eax\n\taddl\t%esi,%ebp\n\tmovl\t44(%esp),%esi\n\tandl\t%ecx,%eax\n\trorl\t$2,%ecx\n\txorl\t%edi,%eax\n\tleal\t1518500249(%ebp,%esi,1),%ebp\n\taddl\t%eax,%ebp\n\t# 00_15 12 \n\tmovl\t%ecx,%esi\n\tmovl\t%ebp,%eax\n\troll\t$5,%ebp\n\txorl\t%edx,%esi\n\taddl\t%edi,%ebp\n\tmovl\t48(%esp),%edi\n\tandl\t%ebx,%esi\n\trorl\t$2,%ebx\n\txorl\t%edx,%esi\n\tleal\t1518500249(%ebp,%edi,1),%ebp\n\taddl\t%esi,%ebp\n\t# 00_15 13 \n\tmovl\t%ebx,%edi\n\tmovl\t%ebp,%esi\n\troll\t$5,%ebp\n\txorl\t%ecx,%edi\n\taddl\t%edx,%ebp\n\tmovl\t52(%esp),%edx\n\tandl\t%eax,%edi\n\trorl\t$2,%eax\n\txorl\t%ecx,%edi\n\tleal\t1518500249(%ebp,%edx,1),%ebp\n\taddl\t%edi,%ebp\n\t# 00_15 14 \n\tmovl\t%eax,%edx\n\tmovl\t%ebp,%edi\n\troll\t$5,%ebp\n\txorl\t%ebx,%edx\n\taddl\t%ecx,%ebp\n\tmovl\t56(%esp),%ecx\n\tandl\t%esi,%edx\n\trorl\t$2,%esi\n\txorl\t%ebx,%edx\n\tleal\t1518500249(%ebp,%ecx,1),%ebp\n\taddl\t%edx,%ebp\n\t# 00_15 15 \n\tmovl\t%esi,%ecx\n\tmovl\t%ebp,%edx\n\troll\t$5,%ebp\n\txorl\t%eax,%ecx\n\taddl\t%ebx,%ebp\n\tmovl\t60(%esp),%ebx\n\tandl\t%edi,%ecx\n\trorl\t$2,%edi\n\txorl\t%eax,%ecx\n\tleal\t1518500249(%ebp,%ebx,1),%ebp\n\tmovl\t(%esp),%ebx\n\taddl\t%ebp,%ecx\n\t# 16_19 16 \n\tmovl\t%edi,%ebp\n\txorl\t8(%esp),%ebx\n\txorl\t%esi,%ebp\n\txorl\t32(%esp),%ebx\n\tandl\t%edx,%ebp\n\txorl\t52(%esp),%ebx\n\troll\t$1,%ebx\n\txorl\t%esi,%ebp\n\taddl\t%ebp,%eax\n\tmovl\t%ecx,%ebp\n\trorl\t$2,%edx\n\tmovl\t%ebx,(%esp)\n\troll\t$5,%ebp\n\tleal\t1518500249(%ebx,%eax,1),%ebx\n\tmovl\t4(%esp),%eax\n\taddl\t%ebp,%ebx\n\t# 16_19 17 \n\tmovl\t%edx,%ebp\n\txorl\t12(%esp),%eax\n\txorl\t%edi,%ebp\n\txorl\t36(%esp),%eax\n\tandl\t%ecx,%ebp\n\txorl\t56(%esp),%eax\n\troll\t$1,%eax\n\txorl\t%edi,%ebp\n\taddl\t%ebp,%esi\n\tmovl\t%ebx,%ebp\n\trorl\t$2,%ecx\n\tmovl\t%eax,4(%esp)\n\troll\t$5,%ebp\n\tleal\t1518500249(%eax,%esi,1),%eax\n\tmovl\t8(%esp),%esi\n\taddl\t%ebp,%eax\n\t# 16_19 18 \n\tmovl\t%ecx,%ebp\n\txorl\t16(%esp),%esi\n\txorl\t%edx,%ebp\n\txorl\t40(%esp),%esi\n\tandl\t%ebx,%ebp\n\txorl\t60(%esp),%esi\n\troll\t$1,%esi\n\txorl\t%edx,%ebp\n\taddl\t%ebp,%edi\n\tmovl\t%eax,%ebp\n\trorl\t$2,%ebx\n\tmovl\t%esi,8(%esp)\n\troll\t$5,%ebp\n\tleal\t1518500249(%esi,%edi,1),%esi\n\tmovl\t12(%esp),%edi\n\taddl\t%ebp,%esi\n\t# 16_19 19 \n\tmovl\t%ebx,%ebp\n\txorl\t20(%esp),%edi\n\txorl\t%ecx,%ebp\n\txorl\t44(%esp),%edi\n\tandl\t%eax,%ebp\n\txorl\t(%esp),%edi\n\troll\t$1,%edi\n\txorl\t%ecx,%ebp\n\taddl\t%ebp,%edx\n\tmovl\t%esi,%ebp\n\trorl\t$2,%eax\n\tmovl\t%edi,12(%esp)\n\troll\t$5,%ebp\n\tleal\t1518500249(%edi,%edx,1),%edi\n\tmovl\t16(%esp),%edx\n\taddl\t%ebp,%edi\n\t# 20_39 20 \n\tmovl\t%esi,%ebp\n\txorl\t24(%esp),%edx\n\txorl\t%eax,%ebp\n\txorl\t48(%esp),%edx\n\txorl\t%ebx,%ebp\n\txorl\t4(%esp),%edx\n\troll\t$1,%edx\n\taddl\t%ebp,%ecx\n\trorl\t$2,%esi\n\tmovl\t%edi,%ebp\n\troll\t$5,%ebp\n\tmovl\t%edx,16(%esp)\n\tleal\t1859775393(%edx,%ecx,1),%edx\n\tmovl\t20(%esp),%ecx\n\taddl\t%ebp,%edx\n\t# 20_39 21 \n\tmovl\t%edi,%ebp\n\txorl\t28(%esp),%ecx\n\txorl\t%esi,%ebp\n\txorl\t52(%esp),%ecx\n\txorl\t%eax,%ebp\n\txorl\t8(%esp),%ecx\n\troll\t$1,%ecx\n\taddl\t%ebp,%ebx\n\trorl\t$2,%edi\n\tmovl\t%edx,%ebp\n\troll\t$5,%ebp\n\tmovl\t%ecx,20(%esp)\n\tleal\t1859775393(%ecx,%ebx,1),%ecx\n\tmovl\t24(%esp),%ebx\n\taddl\t%ebp,%ecx\n\t# 20_39 22 \n\tmovl\t%edx,%ebp\n\txorl\t32(%esp),%ebx\n\txorl\t%edi,%ebp\n\txorl\t56(%esp),%ebx\n\txorl\t%esi,%ebp\n\txorl\t12(%esp),%ebx\n\troll\t$1,%ebx\n\taddl\t%ebp,%eax\n\trorl\t$2,%edx\n\tmovl\t%ecx,%ebp\n\troll\t$5,%ebp\n\tmovl\t%ebx,24(%esp)\n\tleal\t1859775393(%ebx,%eax,1),%ebx\n\tmovl\t28(%esp),%eax\n\taddl\t%ebp,%ebx\n\t# 20_39 23 \n\tmovl\t%ecx,%ebp\n\txorl\t36(%esp),%eax\n\txorl\t%edx,%ebp\n\txorl\t60(%esp),%eax\n\txorl\t%edi,%ebp\n\txorl\t16(%esp),%eax\n\troll\t$1,%eax\n\taddl\t%ebp,%esi\n\trorl\t$2,%ecx\n\tmovl\t%ebx,%ebp\n\troll\t$5,%ebp\n\tmovl\t%eax,28(%esp)\n\tleal\t1859775393(%eax,%esi,1),%eax\n\tmovl\t32(%esp),%esi\n\taddl\t%ebp,%eax\n\t# 20_39 24 \n\tmovl\t%ebx,%ebp\n\txorl\t40(%esp),%esi\n\txorl\t%ecx,%ebp\n\txorl\t(%esp),%esi\n\txorl\t%edx,%ebp\n\txorl\t20(%esp),%esi\n\troll\t$1,%esi\n\taddl\t%ebp,%edi\n\trorl\t$2,%ebx\n\tmovl\t%eax,%ebp\n\troll\t$5,%ebp\n\tmovl\t%esi,32(%esp)\n\tleal\t1859775393(%esi,%edi,1),%esi\n\tmovl\t36(%esp),%edi\n\taddl\t%ebp,%esi\n\t# 20_39 25 \n\tmovl\t%eax,%ebp\n\txorl\t44(%esp),%edi\n\txorl\t%ebx,%ebp\n\txorl\t4(%esp),%edi\n\txorl\t%ecx,%ebp\n\txorl\t24(%esp),%edi\n\troll\t$1,%edi\n\taddl\t%ebp,%edx\n\trorl\t$2,%eax\n\tmovl\t%esi,%ebp\n\troll\t$5,%ebp\n\tmovl\t%edi,36(%esp)\n\tleal\t1859775393(%edi,%edx,1),%edi\n\tmovl\t40(%esp),%edx\n\taddl\t%ebp,%edi\n\t# 20_39 26 \n\tmovl\t%esi,%ebp\n\txorl\t48(%esp),%edx\n\txorl\t%eax,%ebp\n\txorl\t8(%esp),%edx\n\txorl\t%ebx,%ebp\n\txorl\t28(%esp),%edx\n\troll\t$1,%edx\n\taddl\t%ebp,%ecx\n\trorl\t$2,%esi\n\tmovl\t%edi,%ebp\n\troll\t$5,%ebp\n\tmovl\t%edx,40(%esp)\n\tleal\t1859775393(%edx,%ecx,1),%edx\n\tmovl\t44(%esp),%ecx\n\taddl\t%ebp,%edx\n\t# 20_39 27 \n\tmovl\t%edi,%ebp\n\txorl\t52(%esp),%ecx\n\txorl\t%esi,%ebp\n\txorl\t12(%esp),%ecx\n\txorl\t%eax,%ebp\n\txorl\t32(%esp),%ecx\n\troll\t$1,%ecx\n\taddl\t%ebp,%ebx\n\trorl\t$2,%edi\n\tmovl\t%edx,%ebp\n\troll\t$5,%ebp\n\tmovl\t%ecx,44(%esp)\n\tleal\t1859775393(%ecx,%ebx,1),%ecx\n\tmovl\t48(%esp),%ebx\n\taddl\t%ebp,%ecx\n\t# 20_39 28 \n\tmovl\t%edx,%ebp\n\txorl\t56(%esp),%ebx\n\txorl\t%edi,%ebp\n\txorl\t16(%esp),%ebx\n\txorl\t%esi,%ebp\n\txorl\t36(%esp),%ebx\n\troll\t$1,%ebx\n\taddl\t%ebp,%eax\n\trorl\t$2,%edx\n\tmovl\t%ecx,%ebp\n\troll\t$5,%ebp\n\tmovl\t%ebx,48(%esp)\n\tleal\t1859775393(%ebx,%eax,1),%ebx\n\tmovl\t52(%esp),%eax\n\taddl\t%ebp,%ebx\n\t# 20_39 29 \n\tmovl\t%ecx,%ebp\n\txorl\t60(%esp),%eax\n\txorl\t%edx,%ebp\n\txorl\t20(%esp),%eax\n\txorl\t%edi,%ebp\n\txorl\t40(%esp),%eax\n\troll\t$1,%eax\n\taddl\t%ebp,%esi\n\trorl\t$2,%ecx\n\tmovl\t%ebx,%ebp\n\troll\t$5,%ebp\n\tmovl\t%eax,52(%esp)\n\tleal\t1859775393(%eax,%esi,1),%eax\n\tmovl\t56(%esp),%esi\n\taddl\t%ebp,%eax\n\t# 20_39 30 \n\tmovl\t%ebx,%ebp\n\txorl\t(%esp),%esi\n\txorl\t%ecx,%ebp\n\txorl\t24(%esp),%esi\n\txorl\t%edx,%ebp\n\txorl\t44(%esp),%esi\n\troll\t$1,%esi\n\taddl\t%ebp,%edi\n\trorl\t$2,%ebx\n\tmovl\t%eax,%ebp\n\troll\t$5,%ebp\n\tmovl\t%esi,56(%esp)\n\tleal\t1859775393(%esi,%edi,1),%esi\n\tmovl\t60(%esp),%edi\n\taddl\t%ebp,%esi\n\t# 20_39 31 \n\tmovl\t%eax,%ebp\n\txorl\t4(%esp),%edi\n\txorl\t%ebx,%ebp\n\txorl\t28(%esp),%edi\n\txorl\t%ecx,%ebp\n\txorl\t48(%esp),%edi\n\troll\t$1,%edi\n\taddl\t%ebp,%edx\n\trorl\t$2,%eax\n\tmovl\t%esi,%ebp\n\troll\t$5,%ebp\n\tmovl\t%edi,60(%esp)\n\tleal\t1859775393(%edi,%edx,1),%edi\n\tmovl\t(%esp),%edx\n\taddl\t%ebp,%edi\n\t# 20_39 32 \n\tmovl\t%esi,%ebp\n\txorl\t8(%esp),%edx\n\txorl\t%eax,%ebp\n\txorl\t32(%esp),%edx\n\txorl\t%ebx,%ebp\n\txorl\t52(%esp),%edx\n\troll\t$1,%edx\n\taddl\t%ebp,%ecx\n\trorl\t$2,%esi\n\tmovl\t%edi,%ebp\n\troll\t$5,%ebp\n\tmovl\t%edx,(%esp)\n\tleal\t1859775393(%edx,%ecx,1),%edx\n\tmovl\t4(%esp),%ecx\n\taddl\t%ebp,%edx\n\t# 20_39 33 \n\tmovl\t%edi,%ebp\n\txorl\t12(%esp),%ecx\n\txorl\t%esi,%ebp\n\txorl\t36(%esp),%ecx\n\txorl\t%eax,%ebp\n\txorl\t56(%esp),%ecx\n\troll\t$1,%ecx\n\taddl\t%ebp,%ebx\n\trorl\t$2,%edi\n\tmovl\t%edx,%ebp\n\troll\t$5,%ebp\n\tmovl\t%ecx,4(%esp)\n\tleal\t1859775393(%ecx,%ebx,1),%ecx\n\tmovl\t8(%esp),%ebx\n\taddl\t%ebp,%ecx\n\t# 20_39 34 \n\tmovl\t%edx,%ebp\n\txorl\t16(%esp),%ebx\n\txorl\t%edi,%ebp\n\txorl\t40(%esp),%ebx\n\txorl\t%esi,%ebp\n\txorl\t60(%esp),%ebx\n\troll\t$1,%ebx\n\taddl\t%ebp,%eax\n\trorl\t$2,%edx\n\tmovl\t%ecx,%ebp\n\troll\t$5,%ebp\n\tmovl\t%ebx,8(%esp)\n\tleal\t1859775393(%ebx,%eax,1),%ebx\n\tmovl\t12(%esp),%eax\n\taddl\t%ebp,%ebx\n\t# 20_39 35 \n\tmovl\t%ecx,%ebp\n\txorl\t20(%esp),%eax\n\txorl\t%edx,%ebp\n\txorl\t44(%esp),%eax\n\txorl\t%edi,%ebp\n\txorl\t(%esp),%eax\n\troll\t$1,%eax\n\taddl\t%ebp,%esi\n\trorl\t$2,%ecx\n\tmovl\t%ebx,%ebp\n\troll\t$5,%ebp\n\tmovl\t%eax,12(%esp)\n\tleal\t1859775393(%eax,%esi,1),%eax\n\tmovl\t16(%esp),%esi\n\taddl\t%ebp,%eax\n\t# 20_39 36 \n\tmovl\t%ebx,%ebp\n\txorl\t24(%esp),%esi\n\txorl\t%ecx,%ebp\n\txorl\t48(%esp),%esi\n\txorl\t%edx,%ebp\n\txorl\t4(%esp),%esi\n\troll\t$1,%esi\n\taddl\t%ebp,%edi\n\trorl\t$2,%ebx\n\tmovl\t%eax,%ebp\n\troll\t$5,%ebp\n\tmovl\t%esi,16(%esp)\n\tleal\t1859775393(%esi,%edi,1),%esi\n\tmovl\t20(%esp),%edi\n\taddl\t%ebp,%esi\n\t# 20_39 37 \n\tmovl\t%eax,%ebp\n\txorl\t28(%esp),%edi\n\txorl\t%ebx,%ebp\n\txorl\t52(%esp),%edi\n\txorl\t%ecx,%ebp\n\txorl\t8(%esp),%edi\n\troll\t$1,%edi\n\taddl\t%ebp,%edx\n\trorl\t$2,%eax\n\tmovl\t%esi,%ebp\n\troll\t$5,%ebp\n\tmovl\t%edi,20(%esp)\n\tleal\t1859775393(%edi,%edx,1),%edi\n\tmovl\t24(%esp),%edx\n\taddl\t%ebp,%edi\n\t# 20_39 38 \n\tmovl\t%esi,%ebp\n\txorl\t32(%esp),%edx\n\txorl\t%eax,%ebp\n\txorl\t56(%esp),%edx\n\txorl\t%ebx,%ebp\n\txorl\t12(%esp),%edx\n\troll\t$1,%edx\n\taddl\t%ebp,%ecx\n\trorl\t$2,%esi\n\tmovl\t%edi,%ebp\n\troll\t$5,%ebp\n\tmovl\t%edx,24(%esp)\n\tleal\t1859775393(%edx,%ecx,1),%edx\n\tmovl\t28(%esp),%ecx\n\taddl\t%ebp,%edx\n\t# 20_39 39 \n\tmovl\t%edi,%ebp\n\txorl\t36(%esp),%ecx\n\txorl\t%esi,%ebp\n\txorl\t60(%esp),%ecx\n\txorl\t%eax,%ebp\n\txorl\t16(%esp),%ecx\n\troll\t$1,%ecx\n\taddl\t%ebp,%ebx\n\trorl\t$2,%edi\n\tmovl\t%edx,%ebp\n\troll\t$5,%ebp\n\tmovl\t%ecx,28(%esp)\n\tleal\t1859775393(%ecx,%ebx,1),%ecx\n\tmovl\t32(%esp),%ebx\n\taddl\t%ebp,%ecx\n\t# 40_59 40 \n\tmovl\t%edi,%ebp\n\txorl\t40(%esp),%ebx\n\txorl\t%esi,%ebp\n\txorl\t(%esp),%ebx\n\tandl\t%edx,%ebp\n\txorl\t20(%esp),%ebx\n\troll\t$1,%ebx\n\taddl\t%eax,%ebp\n\trorl\t$2,%edx\n\tmovl\t%ecx,%eax\n\troll\t$5,%eax\n\tmovl\t%ebx,32(%esp)\n\tleal\t2400959708(%ebx,%ebp,1),%ebx\n\tmovl\t%edi,%ebp\n\taddl\t%eax,%ebx\n\tandl\t%esi,%ebp\n\tmovl\t36(%esp),%eax\n\taddl\t%ebp,%ebx\n\t# 40_59 41 \n\tmovl\t%edx,%ebp\n\txorl\t44(%esp),%eax\n\txorl\t%edi,%ebp\n\txorl\t4(%esp),%eax\n\tandl\t%ecx,%ebp\n\txorl\t24(%esp),%eax\n\troll\t$1,%eax\n\taddl\t%esi,%ebp\n\trorl\t$2,%ecx\n\tmovl\t%ebx,%esi\n\troll\t$5,%esi\n\tmovl\t%eax,36(%esp)\n\tleal\t2400959708(%eax,%ebp,1),%eax\n\tmovl\t%edx,%ebp\n\taddl\t%esi,%eax\n\tandl\t%edi,%ebp\n\tmovl\t40(%esp),%esi\n\taddl\t%ebp,%eax\n\t# 40_59 42 \n\tmovl\t%ecx,%ebp\n\txorl\t48(%esp),%esi\n\txorl\t%edx,%ebp\n\txorl\t8(%esp),%esi\n\tandl\t%ebx,%ebp\n\txorl\t28(%esp),%esi\n\troll\t$1,%esi\n\taddl\t%edi,%ebp\n\trorl\t$2,%ebx\n\tmovl\t%eax,%edi\n\troll\t$5,%edi\n\tmovl\t%esi,40(%esp)\n\tleal\t2400959708(%esi,%ebp,1),%esi\n\tmovl\t%ecx,%ebp\n\taddl\t%edi,%esi\n\tandl\t%edx,%ebp\n\tmovl\t44(%esp),%edi\n\taddl\t%ebp,%esi\n\t# 40_59 43 \n\tmovl\t%ebx,%ebp\n\txorl\t52(%esp),%edi\n\txorl\t%ecx,%ebp\n\txorl\t12(%esp),%edi\n\tandl\t%eax,%ebp\n\txorl\t32(%esp),%edi\n\troll\t$1,%edi\n\taddl\t%edx,%ebp\n\trorl\t$2,%eax\n\tmovl\t%esi,%edx\n\troll\t$5,%edx\n\tmovl\t%edi,44(%esp)\n\tleal\t2400959708(%edi,%ebp,1),%edi\n\tmovl\t%ebx,%ebp\n\taddl\t%edx,%edi\n\tandl\t%ecx,%ebp\n\tmovl\t48(%esp),%edx\n\taddl\t%ebp,%edi\n\t# 40_59 44 \n\tmovl\t%eax,%ebp\n\txorl\t56(%esp),%edx\n\txorl\t%ebx,%ebp\n\txorl\t16(%esp),%edx\n\tandl\t%esi,%ebp\n\txorl\t36(%esp),%edx\n\troll\t$1,%edx\n\taddl\t%ecx,%ebp\n\trorl\t$2,%esi\n\tmovl\t%edi,%ecx\n\troll\t$5,%ecx\n\tmovl\t%edx,48(%esp)\n\tleal\t2400959708(%edx,%ebp,1),%edx\n\tmovl\t%eax,%ebp\n\taddl\t%ecx,%edx\n\tandl\t%ebx,%ebp\n\tmovl\t52(%esp),%ecx\n\taddl\t%ebp,%edx\n\t# 40_59 45 \n\tmovl\t%esi,%ebp\n\txorl\t60(%esp),%ecx\n\txorl\t%eax,%ebp\n\txorl\t20(%esp),%ecx\n\tandl\t%edi,%ebp\n\txorl\t40(%esp),%ecx\n\troll\t$1,%ecx\n\taddl\t%ebx,%ebp\n\trorl\t$2,%edi\n\tmovl\t%edx,%ebx\n\troll\t$5,%ebx\n\tmovl\t%ecx,52(%esp)\n\tleal\t2400959708(%ecx,%ebp,1),%ecx\n\tmovl\t%esi,%ebp\n\taddl\t%ebx,%ecx\n\tandl\t%eax,%ebp\n\tmovl\t56(%esp),%ebx\n\taddl\t%ebp,%ecx\n\t# 40_59 46 \n\tmovl\t%edi,%ebp\n\txorl\t(%esp),%ebx\n\txorl\t%esi,%ebp\n\txorl\t24(%esp),%ebx\n\tandl\t%edx,%ebp\n\txorl\t44(%esp),%ebx\n\troll\t$1,%ebx\n\taddl\t%eax,%ebp\n\trorl\t$2,%edx\n\tmovl\t%ecx,%eax\n\troll\t$5,%eax\n\tmovl\t%ebx,56(%esp)\n\tleal\t2400959708(%ebx,%ebp,1),%ebx\n\tmovl\t%edi,%ebp\n\taddl\t%eax,%ebx\n\tandl\t%esi,%ebp\n\tmovl\t60(%esp),%eax\n\taddl\t%ebp,%ebx\n\t# 40_59 47 \n\tmovl\t%edx,%ebp\n\txorl\t4(%esp),%eax\n\txorl\t%edi,%ebp\n\txorl\t28(%esp),%eax\n\tandl\t%ecx,%ebp\n\txorl\t48(%esp),%eax\n\troll\t$1,%eax\n\taddl\t%esi,%ebp\n\trorl\t$2,%ecx\n\tmovl\t%ebx,%esi\n\troll\t$5,%esi\n\tmovl\t%eax,60(%esp)\n\tleal\t2400959708(%eax,%ebp,1),%eax\n\tmovl\t%edx,%ebp\n\taddl\t%esi,%eax\n\tandl\t%edi,%ebp\n\tmovl\t(%esp),%esi\n\taddl\t%ebp,%eax\n\t# 40_59 48 \n\tmovl\t%ecx,%ebp\n\txorl\t8(%esp),%esi\n\txorl\t%edx,%ebp\n\txorl\t32(%esp),%esi\n\tandl\t%ebx,%ebp\n\txorl\t52(%esp),%esi\n\troll\t$1,%esi\n\taddl\t%edi,%ebp\n\trorl\t$2,%ebx\n\tmovl\t%eax,%edi\n\troll\t$5,%edi\n\tmovl\t%esi,(%esp)\n\tleal\t2400959708(%esi,%ebp,1),%esi\n\tmovl\t%ecx,%ebp\n\taddl\t%edi,%esi\n\tandl\t%edx,%ebp\n\tmovl\t4(%esp),%edi\n\taddl\t%ebp,%esi\n\t# 40_59 49 \n\tmovl\t%ebx,%ebp\n\txorl\t12(%esp),%edi\n\txorl\t%ecx,%ebp\n\txorl\t36(%esp),%edi\n\tandl\t%eax,%ebp\n\txorl\t56(%esp),%edi\n\troll\t$1,%edi\n\taddl\t%edx,%ebp\n\trorl\t$2,%eax\n\tmovl\t%esi,%edx\n\troll\t$5,%edx\n\tmovl\t%edi,4(%esp)\n\tleal\t2400959708(%edi,%ebp,1),%edi\n\tmovl\t%ebx,%ebp\n\taddl\t%edx,%edi\n\tandl\t%ecx,%ebp\n\tmovl\t8(%esp),%edx\n\taddl\t%ebp,%edi\n\t# 40_59 50 \n\tmovl\t%eax,%ebp\n\txorl\t16(%esp),%edx\n\txorl\t%ebx,%ebp\n\txorl\t40(%esp),%edx\n\tandl\t%esi,%ebp\n\txorl\t60(%esp),%edx\n\troll\t$1,%edx\n\taddl\t%ecx,%ebp\n\trorl\t$2,%esi\n\tmovl\t%edi,%ecx\n\troll\t$5,%ecx\n\tmovl\t%edx,8(%esp)\n\tleal\t2400959708(%edx,%ebp,1),%edx\n\tmovl\t%eax,%ebp\n\taddl\t%ecx,%edx\n\tandl\t%ebx,%ebp\n\tmovl\t12(%esp),%ecx\n\taddl\t%ebp,%edx\n\t# 40_59 51 \n\tmovl\t%esi,%ebp\n\txorl\t20(%esp),%ecx\n\txorl\t%eax,%ebp\n\txorl\t44(%esp),%ecx\n\tandl\t%edi,%ebp\n\txorl\t(%esp),%ecx\n\troll\t$1,%ecx\n\taddl\t%ebx,%ebp\n\trorl\t$2,%edi\n\tmovl\t%edx,%ebx\n\troll\t$5,%ebx\n\tmovl\t%ecx,12(%esp)\n\tleal\t2400959708(%ecx,%ebp,1),%ecx\n\tmovl\t%esi,%ebp\n\taddl\t%ebx,%ecx\n\tandl\t%eax,%ebp\n\tmovl\t16(%esp),%ebx\n\taddl\t%ebp,%ecx\n\t# 40_59 52 \n\tmovl\t%edi,%ebp\n\txorl\t24(%esp),%ebx\n\txorl\t%esi,%ebp\n\txorl\t48(%esp),%ebx\n\tandl\t%edx,%ebp\n\txorl\t4(%esp),%ebx\n\troll\t$1,%ebx\n\taddl\t%eax,%ebp\n\trorl\t$2,%edx\n\tmovl\t%ecx,%eax\n\troll\t$5,%eax\n\tmovl\t%ebx,16(%esp)\n\tleal\t2400959708(%ebx,%ebp,1),%ebx\n\tmovl\t%edi,%ebp\n\taddl\t%eax,%ebx\n\tandl\t%esi,%ebp\n\tmovl\t20(%esp),%eax\n\taddl\t%ebp,%ebx\n\t# 40_59 53 \n\tmovl\t%edx,%ebp\n\txorl\t28(%esp),%eax\n\txorl\t%edi,%ebp\n\txorl\t52(%esp),%eax\n\tandl\t%ecx,%ebp\n\txorl\t8(%esp),%eax\n\troll\t$1,%eax\n\taddl\t%esi,%ebp\n\trorl\t$2,%ecx\n\tmovl\t%ebx,%esi\n\troll\t$5,%esi\n\tmovl\t%eax,20(%esp)\n\tleal\t2400959708(%eax,%ebp,1),%eax\n\tmovl\t%edx,%ebp\n\taddl\t%esi,%eax\n\tandl\t%edi,%ebp\n\tmovl\t24(%esp),%esi\n\taddl\t%ebp,%eax\n\t# 40_59 54 \n\tmovl\t%ecx,%ebp\n\txorl\t32(%esp),%esi\n\txorl\t%edx,%ebp\n\txorl\t56(%esp),%esi\n\tandl\t%ebx,%ebp\n\txorl\t12(%esp),%esi\n\troll\t$1,%esi\n\taddl\t%edi,%ebp\n\trorl\t$2,%ebx\n\tmovl\t%eax,%edi\n\troll\t$5,%edi\n\tmovl\t%esi,24(%esp)\n\tleal\t2400959708(%esi,%ebp,1),%esi\n\tmovl\t%ecx,%ebp\n\taddl\t%edi,%esi\n\tandl\t%edx,%ebp\n\tmovl\t28(%esp),%edi\n\taddl\t%ebp,%esi\n\t# 40_59 55 \n\tmovl\t%ebx,%ebp\n\txorl\t36(%esp),%edi\n\txorl\t%ecx,%ebp\n\txorl\t60(%esp),%edi\n\tandl\t%eax,%ebp\n\txorl\t16(%esp),%edi\n\troll\t$1,%edi\n\taddl\t%edx,%ebp\n\trorl\t$2,%eax\n\tmovl\t%esi,%edx\n\troll\t$5,%edx\n\tmovl\t%edi,28(%esp)\n\tleal\t2400959708(%edi,%ebp,1),%edi\n\tmovl\t%ebx,%ebp\n\taddl\t%edx,%edi\n\tandl\t%ecx,%ebp\n\tmovl\t32(%esp),%edx\n\taddl\t%ebp,%edi\n\t# 40_59 56 \n\tmovl\t%eax,%ebp\n\txorl\t40(%esp),%edx\n\txorl\t%ebx,%ebp\n\txorl\t(%esp),%edx\n\tandl\t%esi,%ebp\n\txorl\t20(%esp),%edx\n\troll\t$1,%edx\n\taddl\t%ecx,%ebp\n\trorl\t$2,%esi\n\tmovl\t%edi,%ecx\n\troll\t$5,%ecx\n\tmovl\t%edx,32(%esp)\n\tleal\t2400959708(%edx,%ebp,1),%edx\n\tmovl\t%eax,%ebp\n\taddl\t%ecx,%edx\n\tandl\t%ebx,%ebp\n\tmovl\t36(%esp),%ecx\n\taddl\t%ebp,%edx\n\t# 40_59 57 \n\tmovl\t%esi,%ebp\n\txorl\t44(%esp),%ecx\n\txorl\t%eax,%ebp\n\txorl\t4(%esp),%ecx\n\tandl\t%edi,%ebp\n\txorl\t24(%esp),%ecx\n\troll\t$1,%ecx\n\taddl\t%ebx,%ebp\n\trorl\t$2,%edi\n\tmovl\t%edx,%ebx\n\troll\t$5,%ebx\n\tmovl\t%ecx,36(%esp)\n\tleal\t2400959708(%ecx,%ebp,1),%ecx\n\tmovl\t%esi,%ebp\n\taddl\t%ebx,%ecx\n\tandl\t%eax,%ebp\n\tmovl\t40(%esp),%ebx\n\taddl\t%ebp,%ecx\n\t# 40_59 58 \n\tmovl\t%edi,%ebp\n\txorl\t48(%esp),%ebx\n\txorl\t%esi,%ebp\n\txorl\t8(%esp),%ebx\n\tandl\t%edx,%ebp\n\txorl\t28(%esp),%ebx\n\troll\t$1,%ebx\n\taddl\t%eax,%ebp\n\trorl\t$2,%edx\n\tmovl\t%ecx,%eax\n\troll\t$5,%eax\n\tmovl\t%ebx,40(%esp)\n\tleal\t2400959708(%ebx,%ebp,1),%ebx\n\tmovl\t%edi,%ebp\n\taddl\t%eax,%ebx\n\tandl\t%esi,%ebp\n\tmovl\t44(%esp),%eax\n\taddl\t%ebp,%ebx\n\t# 40_59 59 \n\tmovl\t%edx,%ebp\n\txorl\t52(%esp),%eax\n\txorl\t%edi,%ebp\n\txorl\t12(%esp),%eax\n\tandl\t%ecx,%ebp\n\txorl\t32(%esp),%eax\n\troll\t$1,%eax\n\taddl\t%esi,%ebp\n\trorl\t$2,%ecx\n\tmovl\t%ebx,%esi\n\troll\t$5,%esi\n\tmovl\t%eax,44(%esp)\n\tleal\t2400959708(%eax,%ebp,1),%eax\n\tmovl\t%edx,%ebp\n\taddl\t%esi,%eax\n\tandl\t%edi,%ebp\n\tmovl\t48(%esp),%esi\n\taddl\t%ebp,%eax\n\t# 20_39 60 \n\tmovl\t%ebx,%ebp\n\txorl\t56(%esp),%esi\n\txorl\t%ecx,%ebp\n\txorl\t16(%esp),%esi\n\txorl\t%edx,%ebp\n\txorl\t36(%esp),%esi\n\troll\t$1,%esi\n\taddl\t%ebp,%edi\n\trorl\t$2,%ebx\n\tmovl\t%eax,%ebp\n\troll\t$5,%ebp\n\tmovl\t%esi,48(%esp)\n\tleal\t3395469782(%esi,%edi,1),%esi\n\tmovl\t52(%esp),%edi\n\taddl\t%ebp,%esi\n\t# 20_39 61 \n\tmovl\t%eax,%ebp\n\txorl\t60(%esp),%edi\n\txorl\t%ebx,%ebp\n\txorl\t20(%esp),%edi\n\txorl\t%ecx,%ebp\n\txorl\t40(%esp),%edi\n\troll\t$1,%edi\n\taddl\t%ebp,%edx\n\trorl\t$2,%eax\n\tmovl\t%esi,%ebp\n\troll\t$5,%ebp\n\tmovl\t%edi,52(%esp)\n\tleal\t3395469782(%edi,%edx,1),%edi\n\tmovl\t56(%esp),%edx\n\taddl\t%ebp,%edi\n\t# 20_39 62 \n\tmovl\t%esi,%ebp\n\txorl\t(%esp),%edx\n\txorl\t%eax,%ebp\n\txorl\t24(%esp),%edx\n\txorl\t%ebx,%ebp\n\txorl\t44(%esp),%edx\n\troll\t$1,%edx\n\taddl\t%ebp,%ecx\n\trorl\t$2,%esi\n\tmovl\t%edi,%ebp\n\troll\t$5,%ebp\n\tmovl\t%edx,56(%esp)\n\tleal\t3395469782(%edx,%ecx,1),%edx\n\tmovl\t60(%esp),%ecx\n\taddl\t%ebp,%edx\n\t# 20_39 63 \n\tmovl\t%edi,%ebp\n\txorl\t4(%esp),%ecx\n\txorl\t%esi,%ebp\n\txorl\t28(%esp),%ecx\n\txorl\t%eax,%ebp\n\txorl\t48(%esp),%ecx\n\troll\t$1,%ecx\n\taddl\t%ebp,%ebx\n\trorl\t$2,%edi\n\tmovl\t%edx,%ebp\n\troll\t$5,%ebp\n\tmovl\t%ecx,60(%esp)\n\tleal\t3395469782(%ecx,%ebx,1),%ecx\n\tmovl\t(%esp),%ebx\n\taddl\t%ebp,%ecx\n\t# 20_39 64 \n\tmovl\t%edx,%ebp\n\txorl\t8(%esp),%ebx\n\txorl\t%edi,%ebp\n\txorl\t32(%esp),%ebx\n\txorl\t%esi,%ebp\n\txorl\t52(%esp),%ebx\n\troll\t$1,%ebx\n\taddl\t%ebp,%eax\n\trorl\t$2,%edx\n\tmovl\t%ecx,%ebp\n\troll\t$5,%ebp\n\tmovl\t%ebx,(%esp)\n\tleal\t3395469782(%ebx,%eax,1),%ebx\n\tmovl\t4(%esp),%eax\n\taddl\t%ebp,%ebx\n\t# 20_39 65 \n\tmovl\t%ecx,%ebp\n\txorl\t12(%esp),%eax\n\txorl\t%edx,%ebp\n\txorl\t36(%esp),%eax\n\txorl\t%edi,%ebp\n\txorl\t56(%esp),%eax\n\troll\t$1,%eax\n\taddl\t%ebp,%esi\n\trorl\t$2,%ecx\n\tmovl\t%ebx,%ebp\n\troll\t$5,%ebp\n\tmovl\t%eax,4(%esp)\n\tleal\t3395469782(%eax,%esi,1),%eax\n\tmovl\t8(%esp),%esi\n\taddl\t%ebp,%eax\n\t# 20_39 66 \n\tmovl\t%ebx,%ebp\n\txorl\t16(%esp),%esi\n\txorl\t%ecx,%ebp\n\txorl\t40(%esp),%esi\n\txorl\t%edx,%ebp\n\txorl\t60(%esp),%esi\n\troll\t$1,%esi\n\taddl\t%ebp,%edi\n\trorl\t$2,%ebx\n\tmovl\t%eax,%ebp\n\troll\t$5,%ebp\n\tmovl\t%esi,8(%esp)\n\tleal\t3395469782(%esi,%edi,1),%esi\n\tmovl\t12(%esp),%edi\n\taddl\t%ebp,%esi\n\t# 20_39 67 \n\tmovl\t%eax,%ebp\n\txorl\t20(%esp),%edi\n\txorl\t%ebx,%ebp\n\txorl\t44(%esp),%edi\n\txorl\t%ecx,%ebp\n\txorl\t(%esp),%edi\n\troll\t$1,%edi\n\taddl\t%ebp,%edx\n\trorl\t$2,%eax\n\tmovl\t%esi,%ebp\n\troll\t$5,%ebp\n\tmovl\t%edi,12(%esp)\n\tleal\t3395469782(%edi,%edx,1),%edi\n\tmovl\t16(%esp),%edx\n\taddl\t%ebp,%edi\n\t# 20_39 68 \n\tmovl\t%esi,%ebp\n\txorl\t24(%esp),%edx\n\txorl\t%eax,%ebp\n\txorl\t48(%esp),%edx\n\txorl\t%ebx,%ebp\n\txorl\t4(%esp),%edx\n\troll\t$1,%edx\n\taddl\t%ebp,%ecx\n\trorl\t$2,%esi\n\tmovl\t%edi,%ebp\n\troll\t$5,%ebp\n\tmovl\t%edx,16(%esp)\n\tleal\t3395469782(%edx,%ecx,1),%edx\n\tmovl\t20(%esp),%ecx\n\taddl\t%ebp,%edx\n\t# 20_39 69 \n\tmovl\t%edi,%ebp\n\txorl\t28(%esp),%ecx\n\txorl\t%esi,%ebp\n\txorl\t52(%esp),%ecx\n\txorl\t%eax,%ebp\n\txorl\t8(%esp),%ecx\n\troll\t$1,%ecx\n\taddl\t%ebp,%ebx\n\trorl\t$2,%edi\n\tmovl\t%edx,%ebp\n\troll\t$5,%ebp\n\tmovl\t%ecx,20(%esp)\n\tleal\t3395469782(%ecx,%ebx,1),%ecx\n\tmovl\t24(%esp),%ebx\n\taddl\t%ebp,%ecx\n\t# 20_39 70 \n\tmovl\t%edx,%ebp\n\txorl\t32(%esp),%ebx\n\txorl\t%edi,%ebp\n\txorl\t56(%esp),%ebx\n\txorl\t%esi,%ebp\n\txorl\t12(%esp),%ebx\n\troll\t$1,%ebx\n\taddl\t%ebp,%eax\n\trorl\t$2,%edx\n\tmovl\t%ecx,%ebp\n\troll\t$5,%ebp\n\tmovl\t%ebx,24(%esp)\n\tleal\t3395469782(%ebx,%eax,1),%ebx\n\tmovl\t28(%esp),%eax\n\taddl\t%ebp,%ebx\n\t# 20_39 71 \n\tmovl\t%ecx,%ebp\n\txorl\t36(%esp),%eax\n\txorl\t%edx,%ebp\n\txorl\t60(%esp),%eax\n\txorl\t%edi,%ebp\n\txorl\t16(%esp),%eax\n\troll\t$1,%eax\n\taddl\t%ebp,%esi\n\trorl\t$2,%ecx\n\tmovl\t%ebx,%ebp\n\troll\t$5,%ebp\n\tmovl\t%eax,28(%esp)\n\tleal\t3395469782(%eax,%esi,1),%eax\n\tmovl\t32(%esp),%esi\n\taddl\t%ebp,%eax\n\t# 20_39 72 \n\tmovl\t%ebx,%ebp\n\txorl\t40(%esp),%esi\n\txorl\t%ecx,%ebp\n\txorl\t(%esp),%esi\n\txorl\t%edx,%ebp\n\txorl\t20(%esp),%esi\n\troll\t$1,%esi\n\taddl\t%ebp,%edi\n\trorl\t$2,%ebx\n\tmovl\t%eax,%ebp\n\troll\t$5,%ebp\n\tmovl\t%esi,32(%esp)\n\tleal\t3395469782(%esi,%edi,1),%esi\n\tmovl\t36(%esp),%edi\n\taddl\t%ebp,%esi\n\t# 20_39 73 \n\tmovl\t%eax,%ebp\n\txorl\t44(%esp),%edi\n\txorl\t%ebx,%ebp\n\txorl\t4(%esp),%edi\n\txorl\t%ecx,%ebp\n\txorl\t24(%esp),%edi\n\troll\t$1,%edi\n\taddl\t%ebp,%edx\n\trorl\t$2,%eax\n\tmovl\t%esi,%ebp\n\troll\t$5,%ebp\n\tmovl\t%edi,36(%esp)\n\tleal\t3395469782(%edi,%edx,1),%edi\n\tmovl\t40(%esp),%edx\n\taddl\t%ebp,%edi\n\t# 20_39 74 \n\tmovl\t%esi,%ebp\n\txorl\t48(%esp),%edx\n\txorl\t%eax,%ebp\n\txorl\t8(%esp),%edx\n\txorl\t%ebx,%ebp\n\txorl\t28(%esp),%edx\n\troll\t$1,%edx\n\taddl\t%ebp,%ecx\n\trorl\t$2,%esi\n\tmovl\t%edi,%ebp\n\troll\t$5,%ebp\n\tmovl\t%edx,40(%esp)\n\tleal\t3395469782(%edx,%ecx,1),%edx\n\tmovl\t44(%esp),%ecx\n\taddl\t%ebp,%edx\n\t# 20_39 75 \n\tmovl\t%edi,%ebp\n\txorl\t52(%esp),%ecx\n\txorl\t%esi,%ebp\n\txorl\t12(%esp),%ecx\n\txorl\t%eax,%ebp\n\txorl\t32(%esp),%ecx\n\troll\t$1,%ecx\n\taddl\t%ebp,%ebx\n\trorl\t$2,%edi\n\tmovl\t%edx,%ebp\n\troll\t$5,%ebp\n\tmovl\t%ecx,44(%esp)\n\tleal\t3395469782(%ecx,%ebx,1),%ecx\n\tmovl\t48(%esp),%ebx\n\taddl\t%ebp,%ecx\n\t# 20_39 76 \n\tmovl\t%edx,%ebp\n\txorl\t56(%esp),%ebx\n\txorl\t%edi,%ebp\n\txorl\t16(%esp),%ebx\n\txorl\t%esi,%ebp\n\txorl\t36(%esp),%ebx\n\troll\t$1,%ebx\n\taddl\t%ebp,%eax\n\trorl\t$2,%edx\n\tmovl\t%ecx,%ebp\n\troll\t$5,%ebp\n\tmovl\t%ebx,48(%esp)\n\tleal\t3395469782(%ebx,%eax,1),%ebx\n\tmovl\t52(%esp),%eax\n\taddl\t%ebp,%ebx\n\t# 20_39 77 \n\tmovl\t%ecx,%ebp\n\txorl\t60(%esp),%eax\n\txorl\t%edx,%ebp\n\txorl\t20(%esp),%eax\n\txorl\t%edi,%ebp\n\txorl\t40(%esp),%eax\n\troll\t$1,%eax\n\taddl\t%ebp,%esi\n\trorl\t$2,%ecx\n\tmovl\t%ebx,%ebp\n\troll\t$5,%ebp\n\tleal\t3395469782(%eax,%esi,1),%eax\n\tmovl\t56(%esp),%esi\n\taddl\t%ebp,%eax\n\t# 20_39 78 \n\tmovl\t%ebx,%ebp\n\txorl\t(%esp),%esi\n\txorl\t%ecx,%ebp\n\txorl\t24(%esp),%esi\n\txorl\t%edx,%ebp\n\txorl\t44(%esp),%esi\n\troll\t$1,%esi\n\taddl\t%ebp,%edi\n\trorl\t$2,%ebx\n\tmovl\t%eax,%ebp\n\troll\t$5,%ebp\n\tleal\t3395469782(%esi,%edi,1),%esi\n\tmovl\t60(%esp),%edi\n\taddl\t%ebp,%esi\n\t# 20_39 79 \n\tmovl\t%eax,%ebp\n\txorl\t4(%esp),%edi\n\txorl\t%ebx,%ebp\n\txorl\t28(%esp),%edi\n\txorl\t%ecx,%ebp\n\txorl\t48(%esp),%edi\n\troll\t$1,%edi\n\taddl\t%ebp,%edx\n\trorl\t$2,%eax\n\tmovl\t%esi,%ebp\n\troll\t$5,%ebp\n\tleal\t3395469782(%edi,%edx,1),%edi\n\taddl\t%ebp,%edi\n\tmovl\t96(%esp),%ebp\n\tmovl\t100(%esp),%edx\n\taddl\t(%ebp),%edi\n\taddl\t4(%ebp),%esi\n\taddl\t8(%ebp),%eax\n\taddl\t12(%ebp),%ebx\n\taddl\t16(%ebp),%ecx\n\tmovl\t%edi,(%ebp)\n\taddl\t$64,%edx\n\tmovl\t%esi,4(%ebp)\n\tcmpl\t104(%esp),%edx\n\tmovl\t%eax,8(%ebp)\n\tmovl\t%ecx,%edi\n\tmovl\t%ebx,12(%ebp)\n\tmovl\t%edx,%esi\n\tmovl\t%ecx,16(%ebp)\n\tjb\tL000loop\n\taddl\t$76,%esp\n\tpopl\t%edi\n\tpopl\t%esi\n\tpopl\t%ebx\n\tpopl\t%ebp\n\tret\n.globl\t_sha1_block_data_order_ssse3\n.private_extern\t_sha1_block_data_order_ssse3\n.align\t4\n_sha1_block_data_order_ssse3:\nL_sha1_block_data_order_ssse3_begin:\n\tpushl\t%ebp\n\tpushl\t%ebx\n\tpushl\t%esi\n\tpushl\t%edi\n\tcall\tL001pic_point\nL001pic_point:\n\tpopl\t%ebp\n\tleal\tLK_XX_XX-L001pic_point(%ebp),%ebp\n\tmovdqa\t(%ebp),%xmm7\n\tmovdqa\t16(%ebp),%xmm0\n\tmovdqa\t32(%ebp),%xmm1\n\tmovdqa\t48(%ebp),%xmm2\n\tmovdqa\t64(%ebp),%xmm6\n\tmovl\t20(%esp),%edi\n\tmovl\t24(%esp),%ebp\n\tmovl\t28(%esp),%edx\n\tmovl\t%esp,%esi\n\tsubl\t$208,%esp\n\tandl\t$-64,%esp\n\tmovdqa\t%xmm0,112(%esp)\n\tmovdqa\t%xmm1,128(%esp)\n\tmovdqa\t%xmm2,144(%esp)\n\tshll\t$6,%edx\n\tmovdqa\t%xmm7,160(%esp)\n\taddl\t%ebp,%edx\n\tmovdqa\t%xmm6,176(%esp)\n\taddl\t$64,%ebp\n\tmovl\t%edi,192(%esp)\n\tmovl\t%ebp,196(%esp)\n\tmovl\t%edx,200(%esp)\n\tmovl\t%esi,204(%esp)\n\tmovl\t(%edi),%eax\n\tmovl\t4(%edi),%ebx\n\tmovl\t8(%edi),%ecx\n\tmovl\t12(%edi),%edx\n\tmovl\t16(%edi),%edi\n\tmovl\t%ebx,%esi\n\tmovdqu\t-64(%ebp),%xmm0\n\tmovdqu\t-48(%ebp),%xmm1\n\tmovdqu\t-32(%ebp),%xmm2\n\tmovdqu\t-16(%ebp),%xmm3\n.byte\t102,15,56,0,198\n.byte\t102,15,56,0,206\n.byte\t102,15,56,0,214\n\tmovdqa\t%xmm7,96(%esp)\n.byte\t102,15,56,0,222\n\tpaddd\t%xmm7,%xmm0\n\tpaddd\t%xmm7,%xmm1\n\tpaddd\t%xmm7,%xmm2\n\tmovdqa\t%xmm0,(%esp)\n\tpsubd\t%xmm7,%xmm0\n\tmovdqa\t%xmm1,16(%esp)\n\tpsubd\t%xmm7,%xmm1\n\tmovdqa\t%xmm2,32(%esp)\n\tmovl\t%ecx,%ebp\n\tpsubd\t%xmm7,%xmm2\n\txorl\t%edx,%ebp\n\tpshufd\t$238,%xmm0,%xmm4\n\tandl\t%ebp,%esi\n\tjmp\tL002loop\n.align\t4,0x90\nL002loop:\n\trorl\t$2,%ebx\n\txorl\t%edx,%esi\n\tmovl\t%eax,%ebp\n\tpunpcklqdq\t%xmm1,%xmm4\n\tmovdqa\t%xmm3,%xmm6\n\taddl\t(%esp),%edi\n\txorl\t%ecx,%ebx\n\tpaddd\t%xmm3,%xmm7\n\tmovdqa\t%xmm0,64(%esp)\n\troll\t$5,%eax\n\taddl\t%esi,%edi\n\tpsrldq\t$4,%xmm6\n\tandl\t%ebx,%ebp\n\txorl\t%ecx,%ebx\n\tpxor\t%xmm0,%xmm4\n\taddl\t%eax,%edi\n\trorl\t$7,%eax\n\tpxor\t%xmm2,%xmm6\n\txorl\t%ecx,%ebp\n\tmovl\t%edi,%esi\n\taddl\t4(%esp),%edx\n\tpxor\t%xmm6,%xmm4\n\txorl\t%ebx,%eax\n\troll\t$5,%edi\n\tmovdqa\t%xmm7,48(%esp)\n\taddl\t%ebp,%edx\n\tandl\t%eax,%esi\n\tmovdqa\t%xmm4,%xmm0\n\txorl\t%ebx,%eax\n\taddl\t%edi,%edx\n\trorl\t$7,%edi\n\tmovdqa\t%xmm4,%xmm6\n\txorl\t%ebx,%esi\n\tpslldq\t$12,%xmm0\n\tpaddd\t%xmm4,%xmm4\n\tmovl\t%edx,%ebp\n\taddl\t8(%esp),%ecx\n\tpsrld\t$31,%xmm6\n\txorl\t%eax,%edi\n\troll\t$5,%edx\n\tmovdqa\t%xmm0,%xmm7\n\taddl\t%esi,%ecx\n\tandl\t%edi,%ebp\n\txorl\t%eax,%edi\n\tpsrld\t$30,%xmm0\n\taddl\t%edx,%ecx\n\trorl\t$7,%edx\n\tpor\t%xmm6,%xmm4\n\txorl\t%eax,%ebp\n\tmovl\t%ecx,%esi\n\taddl\t12(%esp),%ebx\n\tpslld\t$2,%xmm7\n\txorl\t%edi,%edx\n\troll\t$5,%ecx\n\tpxor\t%xmm0,%xmm4\n\tmovdqa\t96(%esp),%xmm0\n\taddl\t%ebp,%ebx\n\tandl\t%edx,%esi\n\tpxor\t%xmm7,%xmm4\n\tpshufd\t$238,%xmm1,%xmm5\n\txorl\t%edi,%edx\n\taddl\t%ecx,%ebx\n\trorl\t$7,%ecx\n\txorl\t%edi,%esi\n\tmovl\t%ebx,%ebp\n\tpunpcklqdq\t%xmm2,%xmm5\n\tmovdqa\t%xmm4,%xmm7\n\taddl\t16(%esp),%eax\n\txorl\t%edx,%ecx\n\tpaddd\t%xmm4,%xmm0\n\tmovdqa\t%xmm1,80(%esp)\n\troll\t$5,%ebx\n\taddl\t%esi,%eax\n\tpsrldq\t$4,%xmm7\n\tandl\t%ecx,%ebp\n\txorl\t%edx,%ecx\n\tpxor\t%xmm1,%xmm5\n\taddl\t%ebx,%eax\n\trorl\t$7,%ebx\n\tpxor\t%xmm3,%xmm7\n\txorl\t%edx,%ebp\n\tmovl\t%eax,%esi\n\taddl\t20(%esp),%edi\n\tpxor\t%xmm7,%xmm5\n\txorl\t%ecx,%ebx\n\troll\t$5,%eax\n\tmovdqa\t%xmm0,(%esp)\n\taddl\t%ebp,%edi\n\tandl\t%ebx,%esi\n\tmovdqa\t%xmm5,%xmm1\n\txorl\t%ecx,%ebx\n\taddl\t%eax,%edi\n\trorl\t$7,%eax\n\tmovdqa\t%xmm5,%xmm7\n\txorl\t%ecx,%esi\n\tpslldq\t$12,%xmm1\n\tpaddd\t%xmm5,%xmm5\n\tmovl\t%edi,%ebp\n\taddl\t24(%esp),%edx\n\tpsrld\t$31,%xmm7\n\txorl\t%ebx,%eax\n\troll\t$5,%edi\n\tmovdqa\t%xmm1,%xmm0\n\taddl\t%esi,%edx\n\tandl\t%eax,%ebp\n\txorl\t%ebx,%eax\n\tpsrld\t$30,%xmm1\n\taddl\t%edi,%edx\n\trorl\t$7,%edi\n\tpor\t%xmm7,%xmm5\n\txorl\t%ebx,%ebp\n\tmovl\t%edx,%esi\n\taddl\t28(%esp),%ecx\n\tpslld\t$2,%xmm0\n\txorl\t%eax,%edi\n\troll\t$5,%edx\n\tpxor\t%xmm1,%xmm5\n\tmovdqa\t112(%esp),%xmm1\n\taddl\t%ebp,%ecx\n\tandl\t%edi,%esi\n\tpxor\t%xmm0,%xmm5\n\tpshufd\t$238,%xmm2,%xmm6\n\txorl\t%eax,%edi\n\taddl\t%edx,%ecx\n\trorl\t$7,%edx\n\txorl\t%eax,%esi\n\tmovl\t%ecx,%ebp\n\tpunpcklqdq\t%xmm3,%xmm6\n\tmovdqa\t%xmm5,%xmm0\n\taddl\t32(%esp),%ebx\n\txorl\t%edi,%edx\n\tpaddd\t%xmm5,%xmm1\n\tmovdqa\t%xmm2,96(%esp)\n\troll\t$5,%ecx\n\taddl\t%esi,%ebx\n\tpsrldq\t$4,%xmm0\n\tandl\t%edx,%ebp\n\txorl\t%edi,%edx\n\tpxor\t%xmm2,%xmm6\n\taddl\t%ecx,%ebx\n\trorl\t$7,%ecx\n\tpxor\t%xmm4,%xmm0\n\txorl\t%edi,%ebp\n\tmovl\t%ebx,%esi\n\taddl\t36(%esp),%eax\n\tpxor\t%xmm0,%xmm6\n\txorl\t%edx,%ecx\n\troll\t$5,%ebx\n\tmovdqa\t%xmm1,16(%esp)\n\taddl\t%ebp,%eax\n\tandl\t%ecx,%esi\n\tmovdqa\t%xmm6,%xmm2\n\txorl\t%edx,%ecx\n\taddl\t%ebx,%eax\n\trorl\t$7,%ebx\n\tmovdqa\t%xmm6,%xmm0\n\txorl\t%edx,%esi\n\tpslldq\t$12,%xmm2\n\tpaddd\t%xmm6,%xmm6\n\tmovl\t%eax,%ebp\n\taddl\t40(%esp),%edi\n\tpsrld\t$31,%xmm0\n\txorl\t%ecx,%ebx\n\troll\t$5,%eax\n\tmovdqa\t%xmm2,%xmm1\n\taddl\t%esi,%edi\n\tandl\t%ebx,%ebp\n\txorl\t%ecx,%ebx\n\tpsrld\t$30,%xmm2\n\taddl\t%eax,%edi\n\trorl\t$7,%eax\n\tpor\t%xmm0,%xmm6\n\txorl\t%ecx,%ebp\n\tmovdqa\t64(%esp),%xmm0\n\tmovl\t%edi,%esi\n\taddl\t44(%esp),%edx\n\tpslld\t$2,%xmm1\n\txorl\t%ebx,%eax\n\troll\t$5,%edi\n\tpxor\t%xmm2,%xmm6\n\tmovdqa\t112(%esp),%xmm2\n\taddl\t%ebp,%edx\n\tandl\t%eax,%esi\n\tpxor\t%xmm1,%xmm6\n\tpshufd\t$238,%xmm3,%xmm7\n\txorl\t%ebx,%eax\n\taddl\t%edi,%edx\n\trorl\t$7,%edi\n\txorl\t%ebx,%esi\n\tmovl\t%edx,%ebp\n\tpunpcklqdq\t%xmm4,%xmm7\n\tmovdqa\t%xmm6,%xmm1\n\taddl\t48(%esp),%ecx\n\txorl\t%eax,%edi\n\tpaddd\t%xmm6,%xmm2\n\tmovdqa\t%xmm3,64(%esp)\n\troll\t$5,%edx\n\taddl\t%esi,%ecx\n\tpsrldq\t$4,%xmm1\n\tandl\t%edi,%ebp\n\txorl\t%eax,%edi\n\tpxor\t%xmm3,%xmm7\n\taddl\t%edx,%ecx\n\trorl\t$7,%edx\n\tpxor\t%xmm5,%xmm1\n\txorl\t%eax,%ebp\n\tmovl\t%ecx,%esi\n\taddl\t52(%esp),%ebx\n\tpxor\t%xmm1,%xmm7\n\txorl\t%edi,%edx\n\troll\t$5,%ecx\n\tmovdqa\t%xmm2,32(%esp)\n\taddl\t%ebp,%ebx\n\tandl\t%edx,%esi\n\tmovdqa\t%xmm7,%xmm3\n\txorl\t%edi,%edx\n\taddl\t%ecx,%ebx\n\trorl\t$7,%ecx\n\tmovdqa\t%xmm7,%xmm1\n\txorl\t%edi,%esi\n\tpslldq\t$12,%xmm3\n\tpaddd\t%xmm7,%xmm7\n\tmovl\t%ebx,%ebp\n\taddl\t56(%esp),%eax\n\tpsrld\t$31,%xmm1\n\txorl\t%edx,%ecx\n\troll\t$5,%ebx\n\tmovdqa\t%xmm3,%xmm2\n\taddl\t%esi,%eax\n\tandl\t%ecx,%ebp\n\txorl\t%edx,%ecx\n\tpsrld\t$30,%xmm3\n\taddl\t%ebx,%eax\n\trorl\t$7,%ebx\n\tpor\t%xmm1,%xmm7\n\txorl\t%edx,%ebp\n\tmovdqa\t80(%esp),%xmm1\n\tmovl\t%eax,%esi\n\taddl\t60(%esp),%edi\n\tpslld\t$2,%xmm2\n\txorl\t%ecx,%ebx\n\troll\t$5,%eax\n\tpxor\t%xmm3,%xmm7\n\tmovdqa\t112(%esp),%xmm3\n\taddl\t%ebp,%edi\n\tandl\t%ebx,%esi\n\tpxor\t%xmm2,%xmm7\n\tpshufd\t$238,%xmm6,%xmm2\n\txorl\t%ecx,%ebx\n\taddl\t%eax,%edi\n\trorl\t$7,%eax\n\tpxor\t%xmm4,%xmm0\n\tpunpcklqdq\t%xmm7,%xmm2\n\txorl\t%ecx,%esi\n\tmovl\t%edi,%ebp\n\taddl\t(%esp),%edx\n\tpxor\t%xmm1,%xmm0\n\tmovdqa\t%xmm4,80(%esp)\n\txorl\t%ebx,%eax\n\troll\t$5,%edi\n\tmovdqa\t%xmm3,%xmm4\n\taddl\t%esi,%edx\n\tpaddd\t%xmm7,%xmm3\n\tandl\t%eax,%ebp\n\tpxor\t%xmm2,%xmm0\n\txorl\t%ebx,%eax\n\taddl\t%edi,%edx\n\trorl\t$7,%edi\n\txorl\t%ebx,%ebp\n\tmovdqa\t%xmm0,%xmm2\n\tmovdqa\t%xmm3,48(%esp)\n\tmovl\t%edx,%esi\n\taddl\t4(%esp),%ecx\n\txorl\t%eax,%edi\n\troll\t$5,%edx\n\tpslld\t$2,%xmm0\n\taddl\t%ebp,%ecx\n\tandl\t%edi,%esi\n\tpsrld\t$30,%xmm2\n\txorl\t%eax,%edi\n\taddl\t%edx,%ecx\n\trorl\t$7,%edx\n\txorl\t%eax,%esi\n\tmovl\t%ecx,%ebp\n\taddl\t8(%esp),%ebx\n\txorl\t%edi,%edx\n\troll\t$5,%ecx\n\tpor\t%xmm2,%xmm0\n\taddl\t%esi,%ebx\n\tandl\t%edx,%ebp\n\tmovdqa\t96(%esp),%xmm2\n\txorl\t%edi,%edx\n\taddl\t%ecx,%ebx\n\taddl\t12(%esp),%eax\n\txorl\t%edi,%ebp\n\tmovl\t%ebx,%esi\n\tpshufd\t$238,%xmm7,%xmm3\n\troll\t$5,%ebx\n\taddl\t%ebp,%eax\n\txorl\t%edx,%esi\n\trorl\t$7,%ecx\n\taddl\t%ebx,%eax\n\taddl\t16(%esp),%edi\n\tpxor\t%xmm5,%xmm1\n\tpunpcklqdq\t%xmm0,%xmm3\n\txorl\t%ecx,%esi\n\tmovl\t%eax,%ebp\n\troll\t$5,%eax\n\tpxor\t%xmm2,%xmm1\n\tmovdqa\t%xmm5,96(%esp)\n\taddl\t%esi,%edi\n\txorl\t%ecx,%ebp\n\tmovdqa\t%xmm4,%xmm5\n\trorl\t$7,%ebx\n\tpaddd\t%xmm0,%xmm4\n\taddl\t%eax,%edi\n\tpxor\t%xmm3,%xmm1\n\taddl\t20(%esp),%edx\n\txorl\t%ebx,%ebp\n\tmovl\t%edi,%esi\n\troll\t$5,%edi\n\tmovdqa\t%xmm1,%xmm3\n\tmovdqa\t%xmm4,(%esp)\n\taddl\t%ebp,%edx\n\txorl\t%ebx,%esi\n\trorl\t$7,%eax\n\taddl\t%edi,%edx\n\tpslld\t$2,%xmm1\n\taddl\t24(%esp),%ecx\n\txorl\t%eax,%esi\n\tpsrld\t$30,%xmm3\n\tmovl\t%edx,%ebp\n\troll\t$5,%edx\n\taddl\t%esi,%ecx\n\txorl\t%eax,%ebp\n\trorl\t$7,%edi\n\taddl\t%edx,%ecx\n\tpor\t%xmm3,%xmm1\n\taddl\t28(%esp),%ebx\n\txorl\t%edi,%ebp\n\tmovdqa\t64(%esp),%xmm3\n\tmovl\t%ecx,%esi\n\troll\t$5,%ecx\n\taddl\t%ebp,%ebx\n\txorl\t%edi,%esi\n\trorl\t$7,%edx\n\tpshufd\t$238,%xmm0,%xmm4\n\taddl\t%ecx,%ebx\n\taddl\t32(%esp),%eax\n\tpxor\t%xmm6,%xmm2\n\tpunpcklqdq\t%xmm1,%xmm4\n\txorl\t%edx,%esi\n\tmovl\t%ebx,%ebp\n\troll\t$5,%ebx\n\tpxor\t%xmm3,%xmm2\n\tmovdqa\t%xmm6,64(%esp)\n\taddl\t%esi,%eax\n\txorl\t%edx,%ebp\n\tmovdqa\t128(%esp),%xmm6\n\trorl\t$7,%ecx\n\tpaddd\t%xmm1,%xmm5\n\taddl\t%ebx,%eax\n\tpxor\t%xmm4,%xmm2\n\taddl\t36(%esp),%edi\n\txorl\t%ecx,%ebp\n\tmovl\t%eax,%esi\n\troll\t$5,%eax\n\tmovdqa\t%xmm2,%xmm4\n\tmovdqa\t%xmm5,16(%esp)\n\taddl\t%ebp,%edi\n\txorl\t%ecx,%esi\n\trorl\t$7,%ebx\n\taddl\t%eax,%edi\n\tpslld\t$2,%xmm2\n\taddl\t40(%esp),%edx\n\txorl\t%ebx,%esi\n\tpsrld\t$30,%xmm4\n\tmovl\t%edi,%ebp\n\troll\t$5,%edi\n\taddl\t%esi,%edx\n\txorl\t%ebx,%ebp\n\trorl\t$7,%eax\n\taddl\t%edi,%edx\n\tpor\t%xmm4,%xmm2\n\taddl\t44(%esp),%ecx\n\txorl\t%eax,%ebp\n\tmovdqa\t80(%esp),%xmm4\n\tmovl\t%edx,%esi\n\troll\t$5,%edx\n\taddl\t%ebp,%ecx\n\txorl\t%eax,%esi\n\trorl\t$7,%edi\n\tpshufd\t$238,%xmm1,%xmm5\n\taddl\t%edx,%ecx\n\taddl\t48(%esp),%ebx\n\tpxor\t%xmm7,%xmm3\n\tpunpcklqdq\t%xmm2,%xmm5\n\txorl\t%edi,%esi\n\tmovl\t%ecx,%ebp\n\troll\t$5,%ecx\n\tpxor\t%xmm4,%xmm3\n\tmovdqa\t%xmm7,80(%esp)\n\taddl\t%esi,%ebx\n\txorl\t%edi,%ebp\n\tmovdqa\t%xmm6,%xmm7\n\trorl\t$7,%edx\n\tpaddd\t%xmm2,%xmm6\n\taddl\t%ecx,%ebx\n\tpxor\t%xmm5,%xmm3\n\taddl\t52(%esp),%eax\n\txorl\t%edx,%ebp\n\tmovl\t%ebx,%esi\n\troll\t$5,%ebx\n\tmovdqa\t%xmm3,%xmm5\n\tmovdqa\t%xmm6,32(%esp)\n\taddl\t%ebp,%eax\n\txorl\t%edx,%esi\n\trorl\t$7,%ecx\n\taddl\t%ebx,%eax\n\tpslld\t$2,%xmm3\n\taddl\t56(%esp),%edi\n\txorl\t%ecx,%esi\n\tpsrld\t$30,%xmm5\n\tmovl\t%eax,%ebp\n\troll\t$5,%eax\n\taddl\t%esi,%edi\n\txorl\t%ecx,%ebp\n\trorl\t$7,%ebx\n\taddl\t%eax,%edi\n\tpor\t%xmm5,%xmm3\n\taddl\t60(%esp),%edx\n\txorl\t%ebx,%ebp\n\tmovdqa\t96(%esp),%xmm5\n\tmovl\t%edi,%esi\n\troll\t$5,%edi\n\taddl\t%ebp,%edx\n\txorl\t%ebx,%esi\n\trorl\t$7,%eax\n\tpshufd\t$238,%xmm2,%xmm6\n\taddl\t%edi,%edx\n\taddl\t(%esp),%ecx\n\tpxor\t%xmm0,%xmm4\n\tpunpcklqdq\t%xmm3,%xmm6\n\txorl\t%eax,%esi\n\tmovl\t%edx,%ebp\n\troll\t$5,%edx\n\tpxor\t%xmm5,%xmm4\n\tmovdqa\t%xmm0,96(%esp)\n\taddl\t%esi,%ecx\n\txorl\t%eax,%ebp\n\tmovdqa\t%xmm7,%xmm0\n\trorl\t$7,%edi\n\tpaddd\t%xmm3,%xmm7\n\taddl\t%edx,%ecx\n\tpxor\t%xmm6,%xmm4\n\taddl\t4(%esp),%ebx\n\txorl\t%edi,%ebp\n\tmovl\t%ecx,%esi\n\troll\t$5,%ecx\n\tmovdqa\t%xmm4,%xmm6\n\tmovdqa\t%xmm7,48(%esp)\n\taddl\t%ebp,%ebx\n\txorl\t%edi,%esi\n\trorl\t$7,%edx\n\taddl\t%ecx,%ebx\n\tpslld\t$2,%xmm4\n\taddl\t8(%esp),%eax\n\txorl\t%edx,%esi\n\tpsrld\t$30,%xmm6\n\tmovl\t%ebx,%ebp\n\troll\t$5,%ebx\n\taddl\t%esi,%eax\n\txorl\t%edx,%ebp\n\trorl\t$7,%ecx\n\taddl\t%ebx,%eax\n\tpor\t%xmm6,%xmm4\n\taddl\t12(%esp),%edi\n\txorl\t%ecx,%ebp\n\tmovdqa\t64(%esp),%xmm6\n\tmovl\t%eax,%esi\n\troll\t$5,%eax\n\taddl\t%ebp,%edi\n\txorl\t%ecx,%esi\n\trorl\t$7,%ebx\n\tpshufd\t$238,%xmm3,%xmm7\n\taddl\t%eax,%edi\n\taddl\t16(%esp),%edx\n\tpxor\t%xmm1,%xmm5\n\tpunpcklqdq\t%xmm4,%xmm7\n\txorl\t%ebx,%esi\n\tmovl\t%edi,%ebp\n\troll\t$5,%edi\n\tpxor\t%xmm6,%xmm5\n\tmovdqa\t%xmm1,64(%esp)\n\taddl\t%esi,%edx\n\txorl\t%ebx,%ebp\n\tmovdqa\t%xmm0,%xmm1\n\trorl\t$7,%eax\n\tpaddd\t%xmm4,%xmm0\n\taddl\t%edi,%edx\n\tpxor\t%xmm7,%xmm5\n\taddl\t20(%esp),%ecx\n\txorl\t%eax,%ebp\n\tmovl\t%edx,%esi\n\troll\t$5,%edx\n\tmovdqa\t%xmm5,%xmm7\n\tmovdqa\t%xmm0,(%esp)\n\taddl\t%ebp,%ecx\n\txorl\t%eax,%esi\n\trorl\t$7,%edi\n\taddl\t%edx,%ecx\n\tpslld\t$2,%xmm5\n\taddl\t24(%esp),%ebx\n\txorl\t%edi,%esi\n\tpsrld\t$30,%xmm7\n\tmovl\t%ecx,%ebp\n\troll\t$5,%ecx\n\taddl\t%esi,%ebx\n\txorl\t%edi,%ebp\n\trorl\t$7,%edx\n\taddl\t%ecx,%ebx\n\tpor\t%xmm7,%xmm5\n\taddl\t28(%esp),%eax\n\tmovdqa\t80(%esp),%xmm7\n\trorl\t$7,%ecx\n\tmovl\t%ebx,%esi\n\txorl\t%edx,%ebp\n\troll\t$5,%ebx\n\tpshufd\t$238,%xmm4,%xmm0\n\taddl\t%ebp,%eax\n\txorl\t%ecx,%esi\n\txorl\t%edx,%ecx\n\taddl\t%ebx,%eax\n\taddl\t32(%esp),%edi\n\tpxor\t%xmm2,%xmm6\n\tpunpcklqdq\t%xmm5,%xmm0\n\tandl\t%ecx,%esi\n\txorl\t%edx,%ecx\n\trorl\t$7,%ebx\n\tpxor\t%xmm7,%xmm6\n\tmovdqa\t%xmm2,80(%esp)\n\tmovl\t%eax,%ebp\n\txorl\t%ecx,%esi\n\troll\t$5,%eax\n\tmovdqa\t%xmm1,%xmm2\n\taddl\t%esi,%edi\n\tpaddd\t%xmm5,%xmm1\n\txorl\t%ebx,%ebp\n\tpxor\t%xmm0,%xmm6\n\txorl\t%ecx,%ebx\n\taddl\t%eax,%edi\n\taddl\t36(%esp),%edx\n\tandl\t%ebx,%ebp\n\tmovdqa\t%xmm6,%xmm0\n\tmovdqa\t%xmm1,16(%esp)\n\txorl\t%ecx,%ebx\n\trorl\t$7,%eax\n\tmovl\t%edi,%esi\n\txorl\t%ebx,%ebp\n\troll\t$5,%edi\n\tpslld\t$2,%xmm6\n\taddl\t%ebp,%edx\n\txorl\t%eax,%esi\n\tpsrld\t$30,%xmm0\n\txorl\t%ebx,%eax\n\taddl\t%edi,%edx\n\taddl\t40(%esp),%ecx\n\tandl\t%eax,%esi\n\txorl\t%ebx,%eax\n\trorl\t$7,%edi\n\tpor\t%xmm0,%xmm6\n\tmovl\t%edx,%ebp\n\txorl\t%eax,%esi\n\tmovdqa\t96(%esp),%xmm0\n\troll\t$5,%edx\n\taddl\t%esi,%ecx\n\txorl\t%edi,%ebp\n\txorl\t%eax,%edi\n\taddl\t%edx,%ecx\n\tpshufd\t$238,%xmm5,%xmm1\n\taddl\t44(%esp),%ebx\n\tandl\t%edi,%ebp\n\txorl\t%eax,%edi\n\trorl\t$7,%edx\n\tmovl\t%ecx,%esi\n\txorl\t%edi,%ebp\n\troll\t$5,%ecx\n\taddl\t%ebp,%ebx\n\txorl\t%edx,%esi\n\txorl\t%edi,%edx\n\taddl\t%ecx,%ebx\n\taddl\t48(%esp),%eax\n\tpxor\t%xmm3,%xmm7\n\tpunpcklqdq\t%xmm6,%xmm1\n\tandl\t%edx,%esi\n\txorl\t%edi,%edx\n\trorl\t$7,%ecx\n\tpxor\t%xmm0,%xmm7\n\tmovdqa\t%xmm3,96(%esp)\n\tmovl\t%ebx,%ebp\n\txorl\t%edx,%esi\n\troll\t$5,%ebx\n\tmovdqa\t144(%esp),%xmm3\n\taddl\t%esi,%eax\n\tpaddd\t%xmm6,%xmm2\n\txorl\t%ecx,%ebp\n\tpxor\t%xmm1,%xmm7\n\txorl\t%edx,%ecx\n\taddl\t%ebx,%eax\n\taddl\t52(%esp),%edi\n\tandl\t%ecx,%ebp\n\tmovdqa\t%xmm7,%xmm1\n\tmovdqa\t%xmm2,32(%esp)\n\txorl\t%edx,%ecx\n\trorl\t$7,%ebx\n\tmovl\t%eax,%esi\n\txorl\t%ecx,%ebp\n\troll\t$5,%eax\n\tpslld\t$2,%xmm7\n\taddl\t%ebp,%edi\n\txorl\t%ebx,%esi\n\tpsrld\t$30,%xmm1\n\txorl\t%ecx,%ebx\n\taddl\t%eax,%edi\n\taddl\t56(%esp),%edx\n\tandl\t%ebx,%esi\n\txorl\t%ecx,%ebx\n\trorl\t$7,%eax\n\tpor\t%xmm1,%xmm7\n\tmovl\t%edi,%ebp\n\txorl\t%ebx,%esi\n\tmovdqa\t64(%esp),%xmm1\n\troll\t$5,%edi\n\taddl\t%esi,%edx\n\txorl\t%eax,%ebp\n\txorl\t%ebx,%eax\n\taddl\t%edi,%edx\n\tpshufd\t$238,%xmm6,%xmm2\n\taddl\t60(%esp),%ecx\n\tandl\t%eax,%ebp\n\txorl\t%ebx,%eax\n\trorl\t$7,%edi\n\tmovl\t%edx,%esi\n\txorl\t%eax,%ebp\n\troll\t$5,%edx\n\taddl\t%ebp,%ecx\n\txorl\t%edi,%esi\n\txorl\t%eax,%edi\n\taddl\t%edx,%ecx\n\taddl\t(%esp),%ebx\n\tpxor\t%xmm4,%xmm0\n\tpunpcklqdq\t%xmm7,%xmm2\n\tandl\t%edi,%esi\n\txorl\t%eax,%edi\n\trorl\t$7,%edx\n\tpxor\t%xmm1,%xmm0\n\tmovdqa\t%xmm4,64(%esp)\n\tmovl\t%ecx,%ebp\n\txorl\t%edi,%esi\n\troll\t$5,%ecx\n\tmovdqa\t%xmm3,%xmm4\n\taddl\t%esi,%ebx\n\tpaddd\t%xmm7,%xmm3\n\txorl\t%edx,%ebp\n\tpxor\t%xmm2,%xmm0\n\txorl\t%edi,%edx\n\taddl\t%ecx,%ebx\n\taddl\t4(%esp),%eax\n\tandl\t%edx,%ebp\n\tmovdqa\t%xmm0,%xmm2\n\tmovdqa\t%xmm3,48(%esp)\n\txorl\t%edi,%edx\n\trorl\t$7,%ecx\n\tmovl\t%ebx,%esi\n\txorl\t%edx,%ebp\n\troll\t$5,%ebx\n\tpslld\t$2,%xmm0\n\taddl\t%ebp,%eax\n\txorl\t%ecx,%esi\n\tpsrld\t$30,%xmm2\n\txorl\t%edx,%ecx\n\taddl\t%ebx,%eax\n\taddl\t8(%esp),%edi\n\tandl\t%ecx,%esi\n\txorl\t%edx,%ecx\n\trorl\t$7,%ebx\n\tpor\t%xmm2,%xmm0\n\tmovl\t%eax,%ebp\n\txorl\t%ecx,%esi\n\tmovdqa\t80(%esp),%xmm2\n\troll\t$5,%eax\n\taddl\t%esi,%edi\n\txorl\t%ebx,%ebp\n\txorl\t%ecx,%ebx\n\taddl\t%eax,%edi\n\tpshufd\t$238,%xmm7,%xmm3\n\taddl\t12(%esp),%edx\n\tandl\t%ebx,%ebp\n\txorl\t%ecx,%ebx\n\trorl\t$7,%eax\n\tmovl\t%edi,%esi\n\txorl\t%ebx,%ebp\n\troll\t$5,%edi\n\taddl\t%ebp,%edx\n\txorl\t%eax,%esi\n\txorl\t%ebx,%eax\n\taddl\t%edi,%edx\n\taddl\t16(%esp),%ecx\n\tpxor\t%xmm5,%xmm1\n\tpunpcklqdq\t%xmm0,%xmm3\n\tandl\t%eax,%esi\n\txorl\t%ebx,%eax\n\trorl\t$7,%edi\n\tpxor\t%xmm2,%xmm1\n\tmovdqa\t%xmm5,80(%esp)\n\tmovl\t%edx,%ebp\n\txorl\t%eax,%esi\n\troll\t$5,%edx\n\tmovdqa\t%xmm4,%xmm5\n\taddl\t%esi,%ecx\n\tpaddd\t%xmm0,%xmm4\n\txorl\t%edi,%ebp\n\tpxor\t%xmm3,%xmm1\n\txorl\t%eax,%edi\n\taddl\t%edx,%ecx\n\taddl\t20(%esp),%ebx\n\tandl\t%edi,%ebp\n\tmovdqa\t%xmm1,%xmm3\n\tmovdqa\t%xmm4,(%esp)\n\txorl\t%eax,%edi\n\trorl\t$7,%edx\n\tmovl\t%ecx,%esi\n\txorl\t%edi,%ebp\n\troll\t$5,%ecx\n\tpslld\t$2,%xmm1\n\taddl\t%ebp,%ebx\n\txorl\t%edx,%esi\n\tpsrld\t$30,%xmm3\n\txorl\t%edi,%edx\n\taddl\t%ecx,%ebx\n\taddl\t24(%esp),%eax\n\tandl\t%edx,%esi\n\txorl\t%edi,%edx\n\trorl\t$7,%ecx\n\tpor\t%xmm3,%xmm1\n\tmovl\t%ebx,%ebp\n\txorl\t%edx,%esi\n\tmovdqa\t96(%esp),%xmm3\n\troll\t$5,%ebx\n\taddl\t%esi,%eax\n\txorl\t%ecx,%ebp\n\txorl\t%edx,%ecx\n\taddl\t%ebx,%eax\n\tpshufd\t$238,%xmm0,%xmm4\n\taddl\t28(%esp),%edi\n\tandl\t%ecx,%ebp\n\txorl\t%edx,%ecx\n\trorl\t$7,%ebx\n\tmovl\t%eax,%esi\n\txorl\t%ecx,%ebp\n\troll\t$5,%eax\n\taddl\t%ebp,%edi\n\txorl\t%ebx,%esi\n\txorl\t%ecx,%ebx\n\taddl\t%eax,%edi\n\taddl\t32(%esp),%edx\n\tpxor\t%xmm6,%xmm2\n\tpunpcklqdq\t%xmm1,%xmm4\n\tandl\t%ebx,%esi\n\txorl\t%ecx,%ebx\n\trorl\t$7,%eax\n\tpxor\t%xmm3,%xmm2\n\tmovdqa\t%xmm6,96(%esp)\n\tmovl\t%edi,%ebp\n\txorl\t%ebx,%esi\n\troll\t$5,%edi\n\tmovdqa\t%xmm5,%xmm6\n\taddl\t%esi,%edx\n\tpaddd\t%xmm1,%xmm5\n\txorl\t%eax,%ebp\n\tpxor\t%xmm4,%xmm2\n\txorl\t%ebx,%eax\n\taddl\t%edi,%edx\n\taddl\t36(%esp),%ecx\n\tandl\t%eax,%ebp\n\tmovdqa\t%xmm2,%xmm4\n\tmovdqa\t%xmm5,16(%esp)\n\txorl\t%ebx,%eax\n\trorl\t$7,%edi\n\tmovl\t%edx,%esi\n\txorl\t%eax,%ebp\n\troll\t$5,%edx\n\tpslld\t$2,%xmm2\n\taddl\t%ebp,%ecx\n\txorl\t%edi,%esi\n\tpsrld\t$30,%xmm4\n\txorl\t%eax,%edi\n\taddl\t%edx,%ecx\n\taddl\t40(%esp),%ebx\n\tandl\t%edi,%esi\n\txorl\t%eax,%edi\n\trorl\t$7,%edx\n\tpor\t%xmm4,%xmm2\n\tmovl\t%ecx,%ebp\n\txorl\t%edi,%esi\n\tmovdqa\t64(%esp),%xmm4\n\troll\t$5,%ecx\n\taddl\t%esi,%ebx\n\txorl\t%edx,%ebp\n\txorl\t%edi,%edx\n\taddl\t%ecx,%ebx\n\tpshufd\t$238,%xmm1,%xmm5\n\taddl\t44(%esp),%eax\n\tandl\t%edx,%ebp\n\txorl\t%edi,%edx\n\trorl\t$7,%ecx\n\tmovl\t%ebx,%esi\n\txorl\t%edx,%ebp\n\troll\t$5,%ebx\n\taddl\t%ebp,%eax\n\txorl\t%edx,%esi\n\taddl\t%ebx,%eax\n\taddl\t48(%esp),%edi\n\tpxor\t%xmm7,%xmm3\n\tpunpcklqdq\t%xmm2,%xmm5\n\txorl\t%ecx,%esi\n\tmovl\t%eax,%ebp\n\troll\t$5,%eax\n\tpxor\t%xmm4,%xmm3\n\tmovdqa\t%xmm7,64(%esp)\n\taddl\t%esi,%edi\n\txorl\t%ecx,%ebp\n\tmovdqa\t%xmm6,%xmm7\n\trorl\t$7,%ebx\n\tpaddd\t%xmm2,%xmm6\n\taddl\t%eax,%edi\n\tpxor\t%xmm5,%xmm3\n\taddl\t52(%esp),%edx\n\txorl\t%ebx,%ebp\n\tmovl\t%edi,%esi\n\troll\t$5,%edi\n\tmovdqa\t%xmm3,%xmm5\n\tmovdqa\t%xmm6,32(%esp)\n\taddl\t%ebp,%edx\n\txorl\t%ebx,%esi\n\trorl\t$7,%eax\n\taddl\t%edi,%edx\n\tpslld\t$2,%xmm3\n\taddl\t56(%esp),%ecx\n\txorl\t%eax,%esi\n\tpsrld\t$30,%xmm5\n\tmovl\t%edx,%ebp\n\troll\t$5,%edx\n\taddl\t%esi,%ecx\n\txorl\t%eax,%ebp\n\trorl\t$7,%edi\n\taddl\t%edx,%ecx\n\tpor\t%xmm5,%xmm3\n\taddl\t60(%esp),%ebx\n\txorl\t%edi,%ebp\n\tmovl\t%ecx,%esi\n\troll\t$5,%ecx\n\taddl\t%ebp,%ebx\n\txorl\t%edi,%esi\n\trorl\t$7,%edx\n\taddl\t%ecx,%ebx\n\taddl\t(%esp),%eax\n\txorl\t%edx,%esi\n\tmovl\t%ebx,%ebp\n\troll\t$5,%ebx\n\taddl\t%esi,%eax\n\txorl\t%edx,%ebp\n\trorl\t$7,%ecx\n\tpaddd\t%xmm3,%xmm7\n\taddl\t%ebx,%eax\n\taddl\t4(%esp),%edi\n\txorl\t%ecx,%ebp\n\tmovl\t%eax,%esi\n\tmovdqa\t%xmm7,48(%esp)\n\troll\t$5,%eax\n\taddl\t%ebp,%edi\n\txorl\t%ecx,%esi\n\trorl\t$7,%ebx\n\taddl\t%eax,%edi\n\taddl\t8(%esp),%edx\n\txorl\t%ebx,%esi\n\tmovl\t%edi,%ebp\n\troll\t$5,%edi\n\taddl\t%esi,%edx\n\txorl\t%ebx,%ebp\n\trorl\t$7,%eax\n\taddl\t%edi,%edx\n\taddl\t12(%esp),%ecx\n\txorl\t%eax,%ebp\n\tmovl\t%edx,%esi\n\troll\t$5,%edx\n\taddl\t%ebp,%ecx\n\txorl\t%eax,%esi\n\trorl\t$7,%edi\n\taddl\t%edx,%ecx\n\tmovl\t196(%esp),%ebp\n\tcmpl\t200(%esp),%ebp\n\tje\tL003done\n\tmovdqa\t160(%esp),%xmm7\n\tmovdqa\t176(%esp),%xmm6\n\tmovdqu\t(%ebp),%xmm0\n\tmovdqu\t16(%ebp),%xmm1\n\tmovdqu\t32(%ebp),%xmm2\n\tmovdqu\t48(%ebp),%xmm3\n\taddl\t$64,%ebp\n.byte\t102,15,56,0,198\n\tmovl\t%ebp,196(%esp)\n\tmovdqa\t%xmm7,96(%esp)\n\taddl\t16(%esp),%ebx\n\txorl\t%edi,%esi\n\tmovl\t%ecx,%ebp\n\troll\t$5,%ecx\n\taddl\t%esi,%ebx\n\txorl\t%edi,%ebp\n\trorl\t$7,%edx\n.byte\t102,15,56,0,206\n\taddl\t%ecx,%ebx\n\taddl\t20(%esp),%eax\n\txorl\t%edx,%ebp\n\tmovl\t%ebx,%esi\n\tpaddd\t%xmm7,%xmm0\n\troll\t$5,%ebx\n\taddl\t%ebp,%eax\n\txorl\t%edx,%esi\n\trorl\t$7,%ecx\n\tmovdqa\t%xmm0,(%esp)\n\taddl\t%ebx,%eax\n\taddl\t24(%esp),%edi\n\txorl\t%ecx,%esi\n\tmovl\t%eax,%ebp\n\tpsubd\t%xmm7,%xmm0\n\troll\t$5,%eax\n\taddl\t%esi,%edi\n\txorl\t%ecx,%ebp\n\trorl\t$7,%ebx\n\taddl\t%eax,%edi\n\taddl\t28(%esp),%edx\n\txorl\t%ebx,%ebp\n\tmovl\t%edi,%esi\n\troll\t$5,%edi\n\taddl\t%ebp,%edx\n\txorl\t%ebx,%esi\n\trorl\t$7,%eax\n\taddl\t%edi,%edx\n\taddl\t32(%esp),%ecx\n\txorl\t%eax,%esi\n\tmovl\t%edx,%ebp\n\troll\t$5,%edx\n\taddl\t%esi,%ecx\n\txorl\t%eax,%ebp\n\trorl\t$7,%edi\n.byte\t102,15,56,0,214\n\taddl\t%edx,%ecx\n\taddl\t36(%esp),%ebx\n\txorl\t%edi,%ebp\n\tmovl\t%ecx,%esi\n\tpaddd\t%xmm7,%xmm1\n\troll\t$5,%ecx\n\taddl\t%ebp,%ebx\n\txorl\t%edi,%esi\n\trorl\t$7,%edx\n\tmovdqa\t%xmm1,16(%esp)\n\taddl\t%ecx,%ebx\n\taddl\t40(%esp),%eax\n\txorl\t%edx,%esi\n\tmovl\t%ebx,%ebp\n\tpsubd\t%xmm7,%xmm1\n\troll\t$5,%ebx\n\taddl\t%esi,%eax\n\txorl\t%edx,%ebp\n\trorl\t$7,%ecx\n\taddl\t%ebx,%eax\n\taddl\t44(%esp),%edi\n\txorl\t%ecx,%ebp\n\tmovl\t%eax,%esi\n\troll\t$5,%eax\n\taddl\t%ebp,%edi\n\txorl\t%ecx,%esi\n\trorl\t$7,%ebx\n\taddl\t%eax,%edi\n\taddl\t48(%esp),%edx\n\txorl\t%ebx,%esi\n\tmovl\t%edi,%ebp\n\troll\t$5,%edi\n\taddl\t%esi,%edx\n\txorl\t%ebx,%ebp\n\trorl\t$7,%eax\n.byte\t102,15,56,0,222\n\taddl\t%edi,%edx\n\taddl\t52(%esp),%ecx\n\txorl\t%eax,%ebp\n\tmovl\t%edx,%esi\n\tpaddd\t%xmm7,%xmm2\n\troll\t$5,%edx\n\taddl\t%ebp,%ecx\n\txorl\t%eax,%esi\n\trorl\t$7,%edi\n\tmovdqa\t%xmm2,32(%esp)\n\taddl\t%edx,%ecx\n\taddl\t56(%esp),%ebx\n\txorl\t%edi,%esi\n\tmovl\t%ecx,%ebp\n\tpsubd\t%xmm7,%xmm2\n\troll\t$5,%ecx\n\taddl\t%esi,%ebx\n\txorl\t%edi,%ebp\n\trorl\t$7,%edx\n\taddl\t%ecx,%ebx\n\taddl\t60(%esp),%eax\n\txorl\t%edx,%ebp\n\tmovl\t%ebx,%esi\n\troll\t$5,%ebx\n\taddl\t%ebp,%eax\n\trorl\t$7,%ecx\n\taddl\t%ebx,%eax\n\tmovl\t192(%esp),%ebp\n\taddl\t(%ebp),%eax\n\taddl\t4(%ebp),%esi\n\taddl\t8(%ebp),%ecx\n\tmovl\t%eax,(%ebp)\n\taddl\t12(%ebp),%edx\n\tmovl\t%esi,4(%ebp)\n\taddl\t16(%ebp),%edi\n\tmovl\t%ecx,8(%ebp)\n\tmovl\t%ecx,%ebx\n\tmovl\t%edx,12(%ebp)\n\txorl\t%edx,%ebx\n\tmovl\t%edi,16(%ebp)\n\tmovl\t%esi,%ebp\n\tpshufd\t$238,%xmm0,%xmm4\n\tandl\t%ebx,%esi\n\tmovl\t%ebp,%ebx\n\tjmp\tL002loop\n.align\t4,0x90\nL003done:\n\taddl\t16(%esp),%ebx\n\txorl\t%edi,%esi\n\tmovl\t%ecx,%ebp\n\troll\t$5,%ecx\n\taddl\t%esi,%ebx\n\txorl\t%edi,%ebp\n\trorl\t$7,%edx\n\taddl\t%ecx,%ebx\n\taddl\t20(%esp),%eax\n\txorl\t%edx,%ebp\n\tmovl\t%ebx,%esi\n\troll\t$5,%ebx\n\taddl\t%ebp,%eax\n\txorl\t%edx,%esi\n\trorl\t$7,%ecx\n\taddl\t%ebx,%eax\n\taddl\t24(%esp),%edi\n\txorl\t%ecx,%esi\n\tmovl\t%eax,%ebp\n\troll\t$5,%eax\n\taddl\t%esi,%edi\n\txorl\t%ecx,%ebp\n\trorl\t$7,%ebx\n\taddl\t%eax,%edi\n\taddl\t28(%esp),%edx\n\txorl\t%ebx,%ebp\n\tmovl\t%edi,%esi\n\troll\t$5,%edi\n\taddl\t%ebp,%edx\n\txorl\t%ebx,%esi\n\trorl\t$7,%eax\n\taddl\t%edi,%edx\n\taddl\t32(%esp),%ecx\n\txorl\t%eax,%esi\n\tmovl\t%edx,%ebp\n\troll\t$5,%edx\n\taddl\t%esi,%ecx\n\txorl\t%eax,%ebp\n\trorl\t$7,%edi\n\taddl\t%edx,%ecx\n\taddl\t36(%esp),%ebx\n\txorl\t%edi,%ebp\n\tmovl\t%ecx,%esi\n\troll\t$5,%ecx\n\taddl\t%ebp,%ebx\n\txorl\t%edi,%esi\n\trorl\t$7,%edx\n\taddl\t%ecx,%ebx\n\taddl\t40(%esp),%eax\n\txorl\t%edx,%esi\n\tmovl\t%ebx,%ebp\n\troll\t$5,%ebx\n\taddl\t%esi,%eax\n\txorl\t%edx,%ebp\n\trorl\t$7,%ecx\n\taddl\t%ebx,%eax\n\taddl\t44(%esp),%edi\n\txorl\t%ecx,%ebp\n\tmovl\t%eax,%esi\n\troll\t$5,%eax\n\taddl\t%ebp,%edi\n\txorl\t%ecx,%esi\n\trorl\t$7,%ebx\n\taddl\t%eax,%edi\n\taddl\t48(%esp),%edx\n\txorl\t%ebx,%esi\n\tmovl\t%edi,%ebp\n\troll\t$5,%edi\n\taddl\t%esi,%edx\n\txorl\t%ebx,%ebp\n\trorl\t$7,%eax\n\taddl\t%edi,%edx\n\taddl\t52(%esp),%ecx\n\txorl\t%eax,%ebp\n\tmovl\t%edx,%esi\n\troll\t$5,%edx\n\taddl\t%ebp,%ecx\n\txorl\t%eax,%esi\n\trorl\t$7,%edi\n\taddl\t%edx,%ecx\n\taddl\t56(%esp),%ebx\n\txorl\t%edi,%esi\n\tmovl\t%ecx,%ebp\n\troll\t$5,%ecx\n\taddl\t%esi,%ebx\n\txorl\t%edi,%ebp\n\trorl\t$7,%edx\n\taddl\t%ecx,%ebx\n\taddl\t60(%esp),%eax\n\txorl\t%edx,%ebp\n\tmovl\t%ebx,%esi\n\troll\t$5,%ebx\n\taddl\t%ebp,%eax\n\trorl\t$7,%ecx\n\taddl\t%ebx,%eax\n\tmovl\t192(%esp),%ebp\n\taddl\t(%ebp),%eax\n\tmovl\t204(%esp),%esp\n\taddl\t4(%ebp),%esi\n\taddl\t8(%ebp),%ecx\n\tmovl\t%eax,(%ebp)\n\taddl\t12(%ebp),%edx\n\tmovl\t%esi,4(%ebp)\n\taddl\t16(%ebp),%edi\n\tmovl\t%ecx,8(%ebp)\n\tmovl\t%edx,12(%ebp)\n\tmovl\t%edi,16(%ebp)\n\tpopl\t%edi\n\tpopl\t%esi\n\tpopl\t%ebx\n\tpopl\t%ebp\n\tret\n.globl\t_sha1_block_data_order_avx\n.private_extern\t_sha1_block_data_order_avx\n.align\t4\n_sha1_block_data_order_avx:\nL_sha1_block_data_order_avx_begin:\n\tpushl\t%ebp\n\tpushl\t%ebx\n\tpushl\t%esi\n\tpushl\t%edi\n\tcall\tL004pic_point\nL004pic_point:\n\tpopl\t%ebp\n\tleal\tLK_XX_XX-L004pic_point(%ebp),%ebp\n\tvzeroall\n\tvmovdqa\t(%ebp),%xmm7\n\tvmovdqa\t16(%ebp),%xmm0\n\tvmovdqa\t32(%ebp),%xmm1\n\tvmovdqa\t48(%ebp),%xmm2\n\tvmovdqa\t64(%ebp),%xmm6\n\tmovl\t20(%esp),%edi\n\tmovl\t24(%esp),%ebp\n\tmovl\t28(%esp),%edx\n\tmovl\t%esp,%esi\n\tsubl\t$208,%esp\n\tandl\t$-64,%esp\n\tvmovdqa\t%xmm0,112(%esp)\n\tvmovdqa\t%xmm1,128(%esp)\n\tvmovdqa\t%xmm2,144(%esp)\n\tshll\t$6,%edx\n\tvmovdqa\t%xmm7,160(%esp)\n\taddl\t%ebp,%edx\n\tvmovdqa\t%xmm6,176(%esp)\n\taddl\t$64,%ebp\n\tmovl\t%edi,192(%esp)\n\tmovl\t%ebp,196(%esp)\n\tmovl\t%edx,200(%esp)\n\tmovl\t%esi,204(%esp)\n\tmovl\t(%edi),%eax\n\tmovl\t4(%edi),%ebx\n\tmovl\t8(%edi),%ecx\n\tmovl\t12(%edi),%edx\n\tmovl\t16(%edi),%edi\n\tmovl\t%ebx,%esi\n\tvmovdqu\t-64(%ebp),%xmm0\n\tvmovdqu\t-48(%ebp),%xmm1\n\tvmovdqu\t-32(%ebp),%xmm2\n\tvmovdqu\t-16(%ebp),%xmm3\n\tvpshufb\t%xmm6,%xmm0,%xmm0\n\tvpshufb\t%xmm6,%xmm1,%xmm1\n\tvpshufb\t%xmm6,%xmm2,%xmm2\n\tvmovdqa\t%xmm7,96(%esp)\n\tvpshufb\t%xmm6,%xmm3,%xmm3\n\tvpaddd\t%xmm7,%xmm0,%xmm4\n\tvpaddd\t%xmm7,%xmm1,%xmm5\n\tvpaddd\t%xmm7,%xmm2,%xmm6\n\tvmovdqa\t%xmm4,(%esp)\n\tmovl\t%ecx,%ebp\n\tvmovdqa\t%xmm5,16(%esp)\n\txorl\t%edx,%ebp\n\tvmovdqa\t%xmm6,32(%esp)\n\tandl\t%ebp,%esi\n\tjmp\tL005loop\n.align\t4,0x90\nL005loop:\n\tshrdl\t$2,%ebx,%ebx\n\txorl\t%edx,%esi\n\tvpalignr\t$8,%xmm0,%xmm1,%xmm4\n\tmovl\t%eax,%ebp\n\taddl\t(%esp),%edi\n\tvpaddd\t%xmm3,%xmm7,%xmm7\n\tvmovdqa\t%xmm0,64(%esp)\n\txorl\t%ecx,%ebx\n\tshldl\t$5,%eax,%eax\n\tvpsrldq\t$4,%xmm3,%xmm6\n\taddl\t%esi,%edi\n\tandl\t%ebx,%ebp\n\tvpxor\t%xmm0,%xmm4,%xmm4\n\txorl\t%ecx,%ebx\n\taddl\t%eax,%edi\n\tvpxor\t%xmm2,%xmm6,%xmm6\n\tshrdl\t$7,%eax,%eax\n\txorl\t%ecx,%ebp\n\tvmovdqa\t%xmm7,48(%esp)\n\tmovl\t%edi,%esi\n\taddl\t4(%esp),%edx\n\tvpxor\t%xmm6,%xmm4,%xmm4\n\txorl\t%ebx,%eax\n\tshldl\t$5,%edi,%edi\n\taddl\t%ebp,%edx\n\tandl\t%eax,%esi\n\tvpsrld\t$31,%xmm4,%xmm6\n\txorl\t%ebx,%eax\n\taddl\t%edi,%edx\n\tshrdl\t$7,%edi,%edi\n\txorl\t%ebx,%esi\n\tvpslldq\t$12,%xmm4,%xmm0\n\tvpaddd\t%xmm4,%xmm4,%xmm4\n\tmovl\t%edx,%ebp\n\taddl\t8(%esp),%ecx\n\txorl\t%eax,%edi\n\tshldl\t$5,%edx,%edx\n\tvpsrld\t$30,%xmm0,%xmm7\n\tvpor\t%xmm6,%xmm4,%xmm4\n\taddl\t%esi,%ecx\n\tandl\t%edi,%ebp\n\txorl\t%eax,%edi\n\taddl\t%edx,%ecx\n\tvpslld\t$2,%xmm0,%xmm0\n\tshrdl\t$7,%edx,%edx\n\txorl\t%eax,%ebp\n\tvpxor\t%xmm7,%xmm4,%xmm4\n\tmovl\t%ecx,%esi\n\taddl\t12(%esp),%ebx\n\txorl\t%edi,%edx\n\tshldl\t$5,%ecx,%ecx\n\tvpxor\t%xmm0,%xmm4,%xmm4\n\taddl\t%ebp,%ebx\n\tandl\t%edx,%esi\n\tvmovdqa\t96(%esp),%xmm0\n\txorl\t%edi,%edx\n\taddl\t%ecx,%ebx\n\tshrdl\t$7,%ecx,%ecx\n\txorl\t%edi,%esi\n\tvpalignr\t$8,%xmm1,%xmm2,%xmm5\n\tmovl\t%ebx,%ebp\n\taddl\t16(%esp),%eax\n\tvpaddd\t%xmm4,%xmm0,%xmm0\n\tvmovdqa\t%xmm1,80(%esp)\n\txorl\t%edx,%ecx\n\tshldl\t$5,%ebx,%ebx\n\tvpsrldq\t$4,%xmm4,%xmm7\n\taddl\t%esi,%eax\n\tandl\t%ecx,%ebp\n\tvpxor\t%xmm1,%xmm5,%xmm5\n\txorl\t%edx,%ecx\n\taddl\t%ebx,%eax\n\tvpxor\t%xmm3,%xmm7,%xmm7\n\tshrdl\t$7,%ebx,%ebx\n\txorl\t%edx,%ebp\n\tvmovdqa\t%xmm0,(%esp)\n\tmovl\t%eax,%esi\n\taddl\t20(%esp),%edi\n\tvpxor\t%xmm7,%xmm5,%xmm5\n\txorl\t%ecx,%ebx\n\tshldl\t$5,%eax,%eax\n\taddl\t%ebp,%edi\n\tandl\t%ebx,%esi\n\tvpsrld\t$31,%xmm5,%xmm7\n\txorl\t%ecx,%ebx\n\taddl\t%eax,%edi\n\tshrdl\t$7,%eax,%eax\n\txorl\t%ecx,%esi\n\tvpslldq\t$12,%xmm5,%xmm1\n\tvpaddd\t%xmm5,%xmm5,%xmm5\n\tmovl\t%edi,%ebp\n\taddl\t24(%esp),%edx\n\txorl\t%ebx,%eax\n\tshldl\t$5,%edi,%edi\n\tvpsrld\t$30,%xmm1,%xmm0\n\tvpor\t%xmm7,%xmm5,%xmm5\n\taddl\t%esi,%edx\n\tandl\t%eax,%ebp\n\txorl\t%ebx,%eax\n\taddl\t%edi,%edx\n\tvpslld\t$2,%xmm1,%xmm1\n\tshrdl\t$7,%edi,%edi\n\txorl\t%ebx,%ebp\n\tvpxor\t%xmm0,%xmm5,%xmm5\n\tmovl\t%edx,%esi\n\taddl\t28(%esp),%ecx\n\txorl\t%eax,%edi\n\tshldl\t$5,%edx,%edx\n\tvpxor\t%xmm1,%xmm5,%xmm5\n\taddl\t%ebp,%ecx\n\tandl\t%edi,%esi\n\tvmovdqa\t112(%esp),%xmm1\n\txorl\t%eax,%edi\n\taddl\t%edx,%ecx\n\tshrdl\t$7,%edx,%edx\n\txorl\t%eax,%esi\n\tvpalignr\t$8,%xmm2,%xmm3,%xmm6\n\tmovl\t%ecx,%ebp\n\taddl\t32(%esp),%ebx\n\tvpaddd\t%xmm5,%xmm1,%xmm1\n\tvmovdqa\t%xmm2,96(%esp)\n\txorl\t%edi,%edx\n\tshldl\t$5,%ecx,%ecx\n\tvpsrldq\t$4,%xmm5,%xmm0\n\taddl\t%esi,%ebx\n\tandl\t%edx,%ebp\n\tvpxor\t%xmm2,%xmm6,%xmm6\n\txorl\t%edi,%edx\n\taddl\t%ecx,%ebx\n\tvpxor\t%xmm4,%xmm0,%xmm0\n\tshrdl\t$7,%ecx,%ecx\n\txorl\t%edi,%ebp\n\tvmovdqa\t%xmm1,16(%esp)\n\tmovl\t%ebx,%esi\n\taddl\t36(%esp),%eax\n\tvpxor\t%xmm0,%xmm6,%xmm6\n\txorl\t%edx,%ecx\n\tshldl\t$5,%ebx,%ebx\n\taddl\t%ebp,%eax\n\tandl\t%ecx,%esi\n\tvpsrld\t$31,%xmm6,%xmm0\n\txorl\t%edx,%ecx\n\taddl\t%ebx,%eax\n\tshrdl\t$7,%ebx,%ebx\n\txorl\t%edx,%esi\n\tvpslldq\t$12,%xmm6,%xmm2\n\tvpaddd\t%xmm6,%xmm6,%xmm6\n\tmovl\t%eax,%ebp\n\taddl\t40(%esp),%edi\n\txorl\t%ecx,%ebx\n\tshldl\t$5,%eax,%eax\n\tvpsrld\t$30,%xmm2,%xmm1\n\tvpor\t%xmm0,%xmm6,%xmm6\n\taddl\t%esi,%edi\n\tandl\t%ebx,%ebp\n\txorl\t%ecx,%ebx\n\taddl\t%eax,%edi\n\tvpslld\t$2,%xmm2,%xmm2\n\tvmovdqa\t64(%esp),%xmm0\n\tshrdl\t$7,%eax,%eax\n\txorl\t%ecx,%ebp\n\tvpxor\t%xmm1,%xmm6,%xmm6\n\tmovl\t%edi,%esi\n\taddl\t44(%esp),%edx\n\txorl\t%ebx,%eax\n\tshldl\t$5,%edi,%edi\n\tvpxor\t%xmm2,%xmm6,%xmm6\n\taddl\t%ebp,%edx\n\tandl\t%eax,%esi\n\tvmovdqa\t112(%esp),%xmm2\n\txorl\t%ebx,%eax\n\taddl\t%edi,%edx\n\tshrdl\t$7,%edi,%edi\n\txorl\t%ebx,%esi\n\tvpalignr\t$8,%xmm3,%xmm4,%xmm7\n\tmovl\t%edx,%ebp\n\taddl\t48(%esp),%ecx\n\tvpaddd\t%xmm6,%xmm2,%xmm2\n\tvmovdqa\t%xmm3,64(%esp)\n\txorl\t%eax,%edi\n\tshldl\t$5,%edx,%edx\n\tvpsrldq\t$4,%xmm6,%xmm1\n\taddl\t%esi,%ecx\n\tandl\t%edi,%ebp\n\tvpxor\t%xmm3,%xmm7,%xmm7\n\txorl\t%eax,%edi\n\taddl\t%edx,%ecx\n\tvpxor\t%xmm5,%xmm1,%xmm1\n\tshrdl\t$7,%edx,%edx\n\txorl\t%eax,%ebp\n\tvmovdqa\t%xmm2,32(%esp)\n\tmovl\t%ecx,%esi\n\taddl\t52(%esp),%ebx\n\tvpxor\t%xmm1,%xmm7,%xmm7\n\txorl\t%edi,%edx\n\tshldl\t$5,%ecx,%ecx\n\taddl\t%ebp,%ebx\n\tandl\t%edx,%esi\n\tvpsrld\t$31,%xmm7,%xmm1\n\txorl\t%edi,%edx\n\taddl\t%ecx,%ebx\n\tshrdl\t$7,%ecx,%ecx\n\txorl\t%edi,%esi\n\tvpslldq\t$12,%xmm7,%xmm3\n\tvpaddd\t%xmm7,%xmm7,%xmm7\n\tmovl\t%ebx,%ebp\n\taddl\t56(%esp),%eax\n\txorl\t%edx,%ecx\n\tshldl\t$5,%ebx,%ebx\n\tvpsrld\t$30,%xmm3,%xmm2\n\tvpor\t%xmm1,%xmm7,%xmm7\n\taddl\t%esi,%eax\n\tandl\t%ecx,%ebp\n\txorl\t%edx,%ecx\n\taddl\t%ebx,%eax\n\tvpslld\t$2,%xmm3,%xmm3\n\tvmovdqa\t80(%esp),%xmm1\n\tshrdl\t$7,%ebx,%ebx\n\txorl\t%edx,%ebp\n\tvpxor\t%xmm2,%xmm7,%xmm7\n\tmovl\t%eax,%esi\n\taddl\t60(%esp),%edi\n\txorl\t%ecx,%ebx\n\tshldl\t$5,%eax,%eax\n\tvpxor\t%xmm3,%xmm7,%xmm7\n\taddl\t%ebp,%edi\n\tandl\t%ebx,%esi\n\tvmovdqa\t112(%esp),%xmm3\n\txorl\t%ecx,%ebx\n\taddl\t%eax,%edi\n\tvpalignr\t$8,%xmm6,%xmm7,%xmm2\n\tvpxor\t%xmm4,%xmm0,%xmm0\n\tshrdl\t$7,%eax,%eax\n\txorl\t%ecx,%esi\n\tmovl\t%edi,%ebp\n\taddl\t(%esp),%edx\n\tvpxor\t%xmm1,%xmm0,%xmm0\n\tvmovdqa\t%xmm4,80(%esp)\n\txorl\t%ebx,%eax\n\tshldl\t$5,%edi,%edi\n\tvmovdqa\t%xmm3,%xmm4\n\tvpaddd\t%xmm7,%xmm3,%xmm3\n\taddl\t%esi,%edx\n\tandl\t%eax,%ebp\n\tvpxor\t%xmm2,%xmm0,%xmm0\n\txorl\t%ebx,%eax\n\taddl\t%edi,%edx\n\tshrdl\t$7,%edi,%edi\n\txorl\t%ebx,%ebp\n\tvpsrld\t$30,%xmm0,%xmm2\n\tvmovdqa\t%xmm3,48(%esp)\n\tmovl\t%edx,%esi\n\taddl\t4(%esp),%ecx\n\txorl\t%eax,%edi\n\tshldl\t$5,%edx,%edx\n\tvpslld\t$2,%xmm0,%xmm0\n\taddl\t%ebp,%ecx\n\tandl\t%edi,%esi\n\txorl\t%eax,%edi\n\taddl\t%edx,%ecx\n\tshrdl\t$7,%edx,%edx\n\txorl\t%eax,%esi\n\tmovl\t%ecx,%ebp\n\taddl\t8(%esp),%ebx\n\tvpor\t%xmm2,%xmm0,%xmm0\n\txorl\t%edi,%edx\n\tshldl\t$5,%ecx,%ecx\n\tvmovdqa\t96(%esp),%xmm2\n\taddl\t%esi,%ebx\n\tandl\t%edx,%ebp\n\txorl\t%edi,%edx\n\taddl\t%ecx,%ebx\n\taddl\t12(%esp),%eax\n\txorl\t%edi,%ebp\n\tmovl\t%ebx,%esi\n\tshldl\t$5,%ebx,%ebx\n\taddl\t%ebp,%eax\n\txorl\t%edx,%esi\n\tshrdl\t$7,%ecx,%ecx\n\taddl\t%ebx,%eax\n\tvpalignr\t$8,%xmm7,%xmm0,%xmm3\n\tvpxor\t%xmm5,%xmm1,%xmm1\n\taddl\t16(%esp),%edi\n\txorl\t%ecx,%esi\n\tmovl\t%eax,%ebp\n\tshldl\t$5,%eax,%eax\n\tvpxor\t%xmm2,%xmm1,%xmm1\n\tvmovdqa\t%xmm5,96(%esp)\n\taddl\t%esi,%edi\n\txorl\t%ecx,%ebp\n\tvmovdqa\t%xmm4,%xmm5\n\tvpaddd\t%xmm0,%xmm4,%xmm4\n\tshrdl\t$7,%ebx,%ebx\n\taddl\t%eax,%edi\n\tvpxor\t%xmm3,%xmm1,%xmm1\n\taddl\t20(%esp),%edx\n\txorl\t%ebx,%ebp\n\tmovl\t%edi,%esi\n\tshldl\t$5,%edi,%edi\n\tvpsrld\t$30,%xmm1,%xmm3\n\tvmovdqa\t%xmm4,(%esp)\n\taddl\t%ebp,%edx\n\txorl\t%ebx,%esi\n\tshrdl\t$7,%eax,%eax\n\taddl\t%edi,%edx\n\tvpslld\t$2,%xmm1,%xmm1\n\taddl\t24(%esp),%ecx\n\txorl\t%eax,%esi\n\tmovl\t%edx,%ebp\n\tshldl\t$5,%edx,%edx\n\taddl\t%esi,%ecx\n\txorl\t%eax,%ebp\n\tshrdl\t$7,%edi,%edi\n\taddl\t%edx,%ecx\n\tvpor\t%xmm3,%xmm1,%xmm1\n\taddl\t28(%esp),%ebx\n\txorl\t%edi,%ebp\n\tvmovdqa\t64(%esp),%xmm3\n\tmovl\t%ecx,%esi\n\tshldl\t$5,%ecx,%ecx\n\taddl\t%ebp,%ebx\n\txorl\t%edi,%esi\n\tshrdl\t$7,%edx,%edx\n\taddl\t%ecx,%ebx\n\tvpalignr\t$8,%xmm0,%xmm1,%xmm4\n\tvpxor\t%xmm6,%xmm2,%xmm2\n\taddl\t32(%esp),%eax\n\txorl\t%edx,%esi\n\tmovl\t%ebx,%ebp\n\tshldl\t$5,%ebx,%ebx\n\tvpxor\t%xmm3,%xmm2,%xmm2\n\tvmovdqa\t%xmm6,64(%esp)\n\taddl\t%esi,%eax\n\txorl\t%edx,%ebp\n\tvmovdqa\t128(%esp),%xmm6\n\tvpaddd\t%xmm1,%xmm5,%xmm5\n\tshrdl\t$7,%ecx,%ecx\n\taddl\t%ebx,%eax\n\tvpxor\t%xmm4,%xmm2,%xmm2\n\taddl\t36(%esp),%edi\n\txorl\t%ecx,%ebp\n\tmovl\t%eax,%esi\n\tshldl\t$5,%eax,%eax\n\tvpsrld\t$30,%xmm2,%xmm4\n\tvmovdqa\t%xmm5,16(%esp)\n\taddl\t%ebp,%edi\n\txorl\t%ecx,%esi\n\tshrdl\t$7,%ebx,%ebx\n\taddl\t%eax,%edi\n\tvpslld\t$2,%xmm2,%xmm2\n\taddl\t40(%esp),%edx\n\txorl\t%ebx,%esi\n\tmovl\t%edi,%ebp\n\tshldl\t$5,%edi,%edi\n\taddl\t%esi,%edx\n\txorl\t%ebx,%ebp\n\tshrdl\t$7,%eax,%eax\n\taddl\t%edi,%edx\n\tvpor\t%xmm4,%xmm2,%xmm2\n\taddl\t44(%esp),%ecx\n\txorl\t%eax,%ebp\n\tvmovdqa\t80(%esp),%xmm4\n\tmovl\t%edx,%esi\n\tshldl\t$5,%edx,%edx\n\taddl\t%ebp,%ecx\n\txorl\t%eax,%esi\n\tshrdl\t$7,%edi,%edi\n\taddl\t%edx,%ecx\n\tvpalignr\t$8,%xmm1,%xmm2,%xmm5\n\tvpxor\t%xmm7,%xmm3,%xmm3\n\taddl\t48(%esp),%ebx\n\txorl\t%edi,%esi\n\tmovl\t%ecx,%ebp\n\tshldl\t$5,%ecx,%ecx\n\tvpxor\t%xmm4,%xmm3,%xmm3\n\tvmovdqa\t%xmm7,80(%esp)\n\taddl\t%esi,%ebx\n\txorl\t%edi,%ebp\n\tvmovdqa\t%xmm6,%xmm7\n\tvpaddd\t%xmm2,%xmm6,%xmm6\n\tshrdl\t$7,%edx,%edx\n\taddl\t%ecx,%ebx\n\tvpxor\t%xmm5,%xmm3,%xmm3\n\taddl\t52(%esp),%eax\n\txorl\t%edx,%ebp\n\tmovl\t%ebx,%esi\n\tshldl\t$5,%ebx,%ebx\n\tvpsrld\t$30,%xmm3,%xmm5\n\tvmovdqa\t%xmm6,32(%esp)\n\taddl\t%ebp,%eax\n\txorl\t%edx,%esi\n\tshrdl\t$7,%ecx,%ecx\n\taddl\t%ebx,%eax\n\tvpslld\t$2,%xmm3,%xmm3\n\taddl\t56(%esp),%edi\n\txorl\t%ecx,%esi\n\tmovl\t%eax,%ebp\n\tshldl\t$5,%eax,%eax\n\taddl\t%esi,%edi\n\txorl\t%ecx,%ebp\n\tshrdl\t$7,%ebx,%ebx\n\taddl\t%eax,%edi\n\tvpor\t%xmm5,%xmm3,%xmm3\n\taddl\t60(%esp),%edx\n\txorl\t%ebx,%ebp\n\tvmovdqa\t96(%esp),%xmm5\n\tmovl\t%edi,%esi\n\tshldl\t$5,%edi,%edi\n\taddl\t%ebp,%edx\n\txorl\t%ebx,%esi\n\tshrdl\t$7,%eax,%eax\n\taddl\t%edi,%edx\n\tvpalignr\t$8,%xmm2,%xmm3,%xmm6\n\tvpxor\t%xmm0,%xmm4,%xmm4\n\taddl\t(%esp),%ecx\n\txorl\t%eax,%esi\n\tmovl\t%edx,%ebp\n\tshldl\t$5,%edx,%edx\n\tvpxor\t%xmm5,%xmm4,%xmm4\n\tvmovdqa\t%xmm0,96(%esp)\n\taddl\t%esi,%ecx\n\txorl\t%eax,%ebp\n\tvmovdqa\t%xmm7,%xmm0\n\tvpaddd\t%xmm3,%xmm7,%xmm7\n\tshrdl\t$7,%edi,%edi\n\taddl\t%edx,%ecx\n\tvpxor\t%xmm6,%xmm4,%xmm4\n\taddl\t4(%esp),%ebx\n\txorl\t%edi,%ebp\n\tmovl\t%ecx,%esi\n\tshldl\t$5,%ecx,%ecx\n\tvpsrld\t$30,%xmm4,%xmm6\n\tvmovdqa\t%xmm7,48(%esp)\n\taddl\t%ebp,%ebx\n\txorl\t%edi,%esi\n\tshrdl\t$7,%edx,%edx\n\taddl\t%ecx,%ebx\n\tvpslld\t$2,%xmm4,%xmm4\n\taddl\t8(%esp),%eax\n\txorl\t%edx,%esi\n\tmovl\t%ebx,%ebp\n\tshldl\t$5,%ebx,%ebx\n\taddl\t%esi,%eax\n\txorl\t%edx,%ebp\n\tshrdl\t$7,%ecx,%ecx\n\taddl\t%ebx,%eax\n\tvpor\t%xmm6,%xmm4,%xmm4\n\taddl\t12(%esp),%edi\n\txorl\t%ecx,%ebp\n\tvmovdqa\t64(%esp),%xmm6\n\tmovl\t%eax,%esi\n\tshldl\t$5,%eax,%eax\n\taddl\t%ebp,%edi\n\txorl\t%ecx,%esi\n\tshrdl\t$7,%ebx,%ebx\n\taddl\t%eax,%edi\n\tvpalignr\t$8,%xmm3,%xmm4,%xmm7\n\tvpxor\t%xmm1,%xmm5,%xmm5\n\taddl\t16(%esp),%edx\n\txorl\t%ebx,%esi\n\tmovl\t%edi,%ebp\n\tshldl\t$5,%edi,%edi\n\tvpxor\t%xmm6,%xmm5,%xmm5\n\tvmovdqa\t%xmm1,64(%esp)\n\taddl\t%esi,%edx\n\txorl\t%ebx,%ebp\n\tvmovdqa\t%xmm0,%xmm1\n\tvpaddd\t%xmm4,%xmm0,%xmm0\n\tshrdl\t$7,%eax,%eax\n\taddl\t%edi,%edx\n\tvpxor\t%xmm7,%xmm5,%xmm5\n\taddl\t20(%esp),%ecx\n\txorl\t%eax,%ebp\n\tmovl\t%edx,%esi\n\tshldl\t$5,%edx,%edx\n\tvpsrld\t$30,%xmm5,%xmm7\n\tvmovdqa\t%xmm0,(%esp)\n\taddl\t%ebp,%ecx\n\txorl\t%eax,%esi\n\tshrdl\t$7,%edi,%edi\n\taddl\t%edx,%ecx\n\tvpslld\t$2,%xmm5,%xmm5\n\taddl\t24(%esp),%ebx\n\txorl\t%edi,%esi\n\tmovl\t%ecx,%ebp\n\tshldl\t$5,%ecx,%ecx\n\taddl\t%esi,%ebx\n\txorl\t%edi,%ebp\n\tshrdl\t$7,%edx,%edx\n\taddl\t%ecx,%ebx\n\tvpor\t%xmm7,%xmm5,%xmm5\n\taddl\t28(%esp),%eax\n\tvmovdqa\t80(%esp),%xmm7\n\tshrdl\t$7,%ecx,%ecx\n\tmovl\t%ebx,%esi\n\txorl\t%edx,%ebp\n\tshldl\t$5,%ebx,%ebx\n\taddl\t%ebp,%eax\n\txorl\t%ecx,%esi\n\txorl\t%edx,%ecx\n\taddl\t%ebx,%eax\n\tvpalignr\t$8,%xmm4,%xmm5,%xmm0\n\tvpxor\t%xmm2,%xmm6,%xmm6\n\taddl\t32(%esp),%edi\n\tandl\t%ecx,%esi\n\txorl\t%edx,%ecx\n\tshrdl\t$7,%ebx,%ebx\n\tvpxor\t%xmm7,%xmm6,%xmm6\n\tvmovdqa\t%xmm2,80(%esp)\n\tmovl\t%eax,%ebp\n\txorl\t%ecx,%esi\n\tvmovdqa\t%xmm1,%xmm2\n\tvpaddd\t%xmm5,%xmm1,%xmm1\n\tshldl\t$5,%eax,%eax\n\taddl\t%esi,%edi\n\tvpxor\t%xmm0,%xmm6,%xmm6\n\txorl\t%ebx,%ebp\n\txorl\t%ecx,%ebx\n\taddl\t%eax,%edi\n\taddl\t36(%esp),%edx\n\tvpsrld\t$30,%xmm6,%xmm0\n\tvmovdqa\t%xmm1,16(%esp)\n\tandl\t%ebx,%ebp\n\txorl\t%ecx,%ebx\n\tshrdl\t$7,%eax,%eax\n\tmovl\t%edi,%esi\n\tvpslld\t$2,%xmm6,%xmm6\n\txorl\t%ebx,%ebp\n\tshldl\t$5,%edi,%edi\n\taddl\t%ebp,%edx\n\txorl\t%eax,%esi\n\txorl\t%ebx,%eax\n\taddl\t%edi,%edx\n\taddl\t40(%esp),%ecx\n\tandl\t%eax,%esi\n\tvpor\t%xmm0,%xmm6,%xmm6\n\txorl\t%ebx,%eax\n\tshrdl\t$7,%edi,%edi\n\tvmovdqa\t96(%esp),%xmm0\n\tmovl\t%edx,%ebp\n\txorl\t%eax,%esi\n\tshldl\t$5,%edx,%edx\n\taddl\t%esi,%ecx\n\txorl\t%edi,%ebp\n\txorl\t%eax,%edi\n\taddl\t%edx,%ecx\n\taddl\t44(%esp),%ebx\n\tandl\t%edi,%ebp\n\txorl\t%eax,%edi\n\tshrdl\t$7,%edx,%edx\n\tmovl\t%ecx,%esi\n\txorl\t%edi,%ebp\n\tshldl\t$5,%ecx,%ecx\n\taddl\t%ebp,%ebx\n\txorl\t%edx,%esi\n\txorl\t%edi,%edx\n\taddl\t%ecx,%ebx\n\tvpalignr\t$8,%xmm5,%xmm6,%xmm1\n\tvpxor\t%xmm3,%xmm7,%xmm7\n\taddl\t48(%esp),%eax\n\tandl\t%edx,%esi\n\txorl\t%edi,%edx\n\tshrdl\t$7,%ecx,%ecx\n\tvpxor\t%xmm0,%xmm7,%xmm7\n\tvmovdqa\t%xmm3,96(%esp)\n\tmovl\t%ebx,%ebp\n\txorl\t%edx,%esi\n\tvmovdqa\t144(%esp),%xmm3\n\tvpaddd\t%xmm6,%xmm2,%xmm2\n\tshldl\t$5,%ebx,%ebx\n\taddl\t%esi,%eax\n\tvpxor\t%xmm1,%xmm7,%xmm7\n\txorl\t%ecx,%ebp\n\txorl\t%edx,%ecx\n\taddl\t%ebx,%eax\n\taddl\t52(%esp),%edi\n\tvpsrld\t$30,%xmm7,%xmm1\n\tvmovdqa\t%xmm2,32(%esp)\n\tandl\t%ecx,%ebp\n\txorl\t%edx,%ecx\n\tshrdl\t$7,%ebx,%ebx\n\tmovl\t%eax,%esi\n\tvpslld\t$2,%xmm7,%xmm7\n\txorl\t%ecx,%ebp\n\tshldl\t$5,%eax,%eax\n\taddl\t%ebp,%edi\n\txorl\t%ebx,%esi\n\txorl\t%ecx,%ebx\n\taddl\t%eax,%edi\n\taddl\t56(%esp),%edx\n\tandl\t%ebx,%esi\n\tvpor\t%xmm1,%xmm7,%xmm7\n\txorl\t%ecx,%ebx\n\tshrdl\t$7,%eax,%eax\n\tvmovdqa\t64(%esp),%xmm1\n\tmovl\t%edi,%ebp\n\txorl\t%ebx,%esi\n\tshldl\t$5,%edi,%edi\n\taddl\t%esi,%edx\n\txorl\t%eax,%ebp\n\txorl\t%ebx,%eax\n\taddl\t%edi,%edx\n\taddl\t60(%esp),%ecx\n\tandl\t%eax,%ebp\n\txorl\t%ebx,%eax\n\tshrdl\t$7,%edi,%edi\n\tmovl\t%edx,%esi\n\txorl\t%eax,%ebp\n\tshldl\t$5,%edx,%edx\n\taddl\t%ebp,%ecx\n\txorl\t%edi,%esi\n\txorl\t%eax,%edi\n\taddl\t%edx,%ecx\n\tvpalignr\t$8,%xmm6,%xmm7,%xmm2\n\tvpxor\t%xmm4,%xmm0,%xmm0\n\taddl\t(%esp),%ebx\n\tandl\t%edi,%esi\n\txorl\t%eax,%edi\n\tshrdl\t$7,%edx,%edx\n\tvpxor\t%xmm1,%xmm0,%xmm0\n\tvmovdqa\t%xmm4,64(%esp)\n\tmovl\t%ecx,%ebp\n\txorl\t%edi,%esi\n\tvmovdqa\t%xmm3,%xmm4\n\tvpaddd\t%xmm7,%xmm3,%xmm3\n\tshldl\t$5,%ecx,%ecx\n\taddl\t%esi,%ebx\n\tvpxor\t%xmm2,%xmm0,%xmm0\n\txorl\t%edx,%ebp\n\txorl\t%edi,%edx\n\taddl\t%ecx,%ebx\n\taddl\t4(%esp),%eax\n\tvpsrld\t$30,%xmm0,%xmm2\n\tvmovdqa\t%xmm3,48(%esp)\n\tandl\t%edx,%ebp\n\txorl\t%edi,%edx\n\tshrdl\t$7,%ecx,%ecx\n\tmovl\t%ebx,%esi\n\tvpslld\t$2,%xmm0,%xmm0\n\txorl\t%edx,%ebp\n\tshldl\t$5,%ebx,%ebx\n\taddl\t%ebp,%eax\n\txorl\t%ecx,%esi\n\txorl\t%edx,%ecx\n\taddl\t%ebx,%eax\n\taddl\t8(%esp),%edi\n\tandl\t%ecx,%esi\n\tvpor\t%xmm2,%xmm0,%xmm0\n\txorl\t%edx,%ecx\n\tshrdl\t$7,%ebx,%ebx\n\tvmovdqa\t80(%esp),%xmm2\n\tmovl\t%eax,%ebp\n\txorl\t%ecx,%esi\n\tshldl\t$5,%eax,%eax\n\taddl\t%esi,%edi\n\txorl\t%ebx,%ebp\n\txorl\t%ecx,%ebx\n\taddl\t%eax,%edi\n\taddl\t12(%esp),%edx\n\tandl\t%ebx,%ebp\n\txorl\t%ecx,%ebx\n\tshrdl\t$7,%eax,%eax\n\tmovl\t%edi,%esi\n\txorl\t%ebx,%ebp\n\tshldl\t$5,%edi,%edi\n\taddl\t%ebp,%edx\n\txorl\t%eax,%esi\n\txorl\t%ebx,%eax\n\taddl\t%edi,%edx\n\tvpalignr\t$8,%xmm7,%xmm0,%xmm3\n\tvpxor\t%xmm5,%xmm1,%xmm1\n\taddl\t16(%esp),%ecx\n\tandl\t%eax,%esi\n\txorl\t%ebx,%eax\n\tshrdl\t$7,%edi,%edi\n\tvpxor\t%xmm2,%xmm1,%xmm1\n\tvmovdqa\t%xmm5,80(%esp)\n\tmovl\t%edx,%ebp\n\txorl\t%eax,%esi\n\tvmovdqa\t%xmm4,%xmm5\n\tvpaddd\t%xmm0,%xmm4,%xmm4\n\tshldl\t$5,%edx,%edx\n\taddl\t%esi,%ecx\n\tvpxor\t%xmm3,%xmm1,%xmm1\n\txorl\t%edi,%ebp\n\txorl\t%eax,%edi\n\taddl\t%edx,%ecx\n\taddl\t20(%esp),%ebx\n\tvpsrld\t$30,%xmm1,%xmm3\n\tvmovdqa\t%xmm4,(%esp)\n\tandl\t%edi,%ebp\n\txorl\t%eax,%edi\n\tshrdl\t$7,%edx,%edx\n\tmovl\t%ecx,%esi\n\tvpslld\t$2,%xmm1,%xmm1\n\txorl\t%edi,%ebp\n\tshldl\t$5,%ecx,%ecx\n\taddl\t%ebp,%ebx\n\txorl\t%edx,%esi\n\txorl\t%edi,%edx\n\taddl\t%ecx,%ebx\n\taddl\t24(%esp),%eax\n\tandl\t%edx,%esi\n\tvpor\t%xmm3,%xmm1,%xmm1\n\txorl\t%edi,%edx\n\tshrdl\t$7,%ecx,%ecx\n\tvmovdqa\t96(%esp),%xmm3\n\tmovl\t%ebx,%ebp\n\txorl\t%edx,%esi\n\tshldl\t$5,%ebx,%ebx\n\taddl\t%esi,%eax\n\txorl\t%ecx,%ebp\n\txorl\t%edx,%ecx\n\taddl\t%ebx,%eax\n\taddl\t28(%esp),%edi\n\tandl\t%ecx,%ebp\n\txorl\t%edx,%ecx\n\tshrdl\t$7,%ebx,%ebx\n\tmovl\t%eax,%esi\n\txorl\t%ecx,%ebp\n\tshldl\t$5,%eax,%eax\n\taddl\t%ebp,%edi\n\txorl\t%ebx,%esi\n\txorl\t%ecx,%ebx\n\taddl\t%eax,%edi\n\tvpalignr\t$8,%xmm0,%xmm1,%xmm4\n\tvpxor\t%xmm6,%xmm2,%xmm2\n\taddl\t32(%esp),%edx\n\tandl\t%ebx,%esi\n\txorl\t%ecx,%ebx\n\tshrdl\t$7,%eax,%eax\n\tvpxor\t%xmm3,%xmm2,%xmm2\n\tvmovdqa\t%xmm6,96(%esp)\n\tmovl\t%edi,%ebp\n\txorl\t%ebx,%esi\n\tvmovdqa\t%xmm5,%xmm6\n\tvpaddd\t%xmm1,%xmm5,%xmm5\n\tshldl\t$5,%edi,%edi\n\taddl\t%esi,%edx\n\tvpxor\t%xmm4,%xmm2,%xmm2\n\txorl\t%eax,%ebp\n\txorl\t%ebx,%eax\n\taddl\t%edi,%edx\n\taddl\t36(%esp),%ecx\n\tvpsrld\t$30,%xmm2,%xmm4\n\tvmovdqa\t%xmm5,16(%esp)\n\tandl\t%eax,%ebp\n\txorl\t%ebx,%eax\n\tshrdl\t$7,%edi,%edi\n\tmovl\t%edx,%esi\n\tvpslld\t$2,%xmm2,%xmm2\n\txorl\t%eax,%ebp\n\tshldl\t$5,%edx,%edx\n\taddl\t%ebp,%ecx\n\txorl\t%edi,%esi\n\txorl\t%eax,%edi\n\taddl\t%edx,%ecx\n\taddl\t40(%esp),%ebx\n\tandl\t%edi,%esi\n\tvpor\t%xmm4,%xmm2,%xmm2\n\txorl\t%eax,%edi\n\tshrdl\t$7,%edx,%edx\n\tvmovdqa\t64(%esp),%xmm4\n\tmovl\t%ecx,%ebp\n\txorl\t%edi,%esi\n\tshldl\t$5,%ecx,%ecx\n\taddl\t%esi,%ebx\n\txorl\t%edx,%ebp\n\txorl\t%edi,%edx\n\taddl\t%ecx,%ebx\n\taddl\t44(%esp),%eax\n\tandl\t%edx,%ebp\n\txorl\t%edi,%edx\n\tshrdl\t$7,%ecx,%ecx\n\tmovl\t%ebx,%esi\n\txorl\t%edx,%ebp\n\tshldl\t$5,%ebx,%ebx\n\taddl\t%ebp,%eax\n\txorl\t%edx,%esi\n\taddl\t%ebx,%eax\n\tvpalignr\t$8,%xmm1,%xmm2,%xmm5\n\tvpxor\t%xmm7,%xmm3,%xmm3\n\taddl\t48(%esp),%edi\n\txorl\t%ecx,%esi\n\tmovl\t%eax,%ebp\n\tshldl\t$5,%eax,%eax\n\tvpxor\t%xmm4,%xmm3,%xmm3\n\tvmovdqa\t%xmm7,64(%esp)\n\taddl\t%esi,%edi\n\txorl\t%ecx,%ebp\n\tvmovdqa\t%xmm6,%xmm7\n\tvpaddd\t%xmm2,%xmm6,%xmm6\n\tshrdl\t$7,%ebx,%ebx\n\taddl\t%eax,%edi\n\tvpxor\t%xmm5,%xmm3,%xmm3\n\taddl\t52(%esp),%edx\n\txorl\t%ebx,%ebp\n\tmovl\t%edi,%esi\n\tshldl\t$5,%edi,%edi\n\tvpsrld\t$30,%xmm3,%xmm5\n\tvmovdqa\t%xmm6,32(%esp)\n\taddl\t%ebp,%edx\n\txorl\t%ebx,%esi\n\tshrdl\t$7,%eax,%eax\n\taddl\t%edi,%edx\n\tvpslld\t$2,%xmm3,%xmm3\n\taddl\t56(%esp),%ecx\n\txorl\t%eax,%esi\n\tmovl\t%edx,%ebp\n\tshldl\t$5,%edx,%edx\n\taddl\t%esi,%ecx\n\txorl\t%eax,%ebp\n\tshrdl\t$7,%edi,%edi\n\taddl\t%edx,%ecx\n\tvpor\t%xmm5,%xmm3,%xmm3\n\taddl\t60(%esp),%ebx\n\txorl\t%edi,%ebp\n\tmovl\t%ecx,%esi\n\tshldl\t$5,%ecx,%ecx\n\taddl\t%ebp,%ebx\n\txorl\t%edi,%esi\n\tshrdl\t$7,%edx,%edx\n\taddl\t%ecx,%ebx\n\taddl\t(%esp),%eax\n\tvpaddd\t%xmm3,%xmm7,%xmm7\n\txorl\t%edx,%esi\n\tmovl\t%ebx,%ebp\n\tshldl\t$5,%ebx,%ebx\n\taddl\t%esi,%eax\n\tvmovdqa\t%xmm7,48(%esp)\n\txorl\t%edx,%ebp\n\tshrdl\t$7,%ecx,%ecx\n\taddl\t%ebx,%eax\n\taddl\t4(%esp),%edi\n\txorl\t%ecx,%ebp\n\tmovl\t%eax,%esi\n\tshldl\t$5,%eax,%eax\n\taddl\t%ebp,%edi\n\txorl\t%ecx,%esi\n\tshrdl\t$7,%ebx,%ebx\n\taddl\t%eax,%edi\n\taddl\t8(%esp),%edx\n\txorl\t%ebx,%esi\n\tmovl\t%edi,%ebp\n\tshldl\t$5,%edi,%edi\n\taddl\t%esi,%edx\n\txorl\t%ebx,%ebp\n\tshrdl\t$7,%eax,%eax\n\taddl\t%edi,%edx\n\taddl\t12(%esp),%ecx\n\txorl\t%eax,%ebp\n\tmovl\t%edx,%esi\n\tshldl\t$5,%edx,%edx\n\taddl\t%ebp,%ecx\n\txorl\t%eax,%esi\n\tshrdl\t$7,%edi,%edi\n\taddl\t%edx,%ecx\n\tmovl\t196(%esp),%ebp\n\tcmpl\t200(%esp),%ebp\n\tje\tL006done\n\tvmovdqa\t160(%esp),%xmm7\n\tvmovdqa\t176(%esp),%xmm6\n\tvmovdqu\t(%ebp),%xmm0\n\tvmovdqu\t16(%ebp),%xmm1\n\tvmovdqu\t32(%ebp),%xmm2\n\tvmovdqu\t48(%ebp),%xmm3\n\taddl\t$64,%ebp\n\tvpshufb\t%xmm6,%xmm0,%xmm0\n\tmovl\t%ebp,196(%esp)\n\tvmovdqa\t%xmm7,96(%esp)\n\taddl\t16(%esp),%ebx\n\txorl\t%edi,%esi\n\tvpshufb\t%xmm6,%xmm1,%xmm1\n\tmovl\t%ecx,%ebp\n\tshldl\t$5,%ecx,%ecx\n\tvpaddd\t%xmm7,%xmm0,%xmm4\n\taddl\t%esi,%ebx\n\txorl\t%edi,%ebp\n\tshrdl\t$7,%edx,%edx\n\taddl\t%ecx,%ebx\n\tvmovdqa\t%xmm4,(%esp)\n\taddl\t20(%esp),%eax\n\txorl\t%edx,%ebp\n\tmovl\t%ebx,%esi\n\tshldl\t$5,%ebx,%ebx\n\taddl\t%ebp,%eax\n\txorl\t%edx,%esi\n\tshrdl\t$7,%ecx,%ecx\n\taddl\t%ebx,%eax\n\taddl\t24(%esp),%edi\n\txorl\t%ecx,%esi\n\tmovl\t%eax,%ebp\n\tshldl\t$5,%eax,%eax\n\taddl\t%esi,%edi\n\txorl\t%ecx,%ebp\n\tshrdl\t$7,%ebx,%ebx\n\taddl\t%eax,%edi\n\taddl\t28(%esp),%edx\n\txorl\t%ebx,%ebp\n\tmovl\t%edi,%esi\n\tshldl\t$5,%edi,%edi\n\taddl\t%ebp,%edx\n\txorl\t%ebx,%esi\n\tshrdl\t$7,%eax,%eax\n\taddl\t%edi,%edx\n\taddl\t32(%esp),%ecx\n\txorl\t%eax,%esi\n\tvpshufb\t%xmm6,%xmm2,%xmm2\n\tmovl\t%edx,%ebp\n\tshldl\t$5,%edx,%edx\n\tvpaddd\t%xmm7,%xmm1,%xmm5\n\taddl\t%esi,%ecx\n\txorl\t%eax,%ebp\n\tshrdl\t$7,%edi,%edi\n\taddl\t%edx,%ecx\n\tvmovdqa\t%xmm5,16(%esp)\n\taddl\t36(%esp),%ebx\n\txorl\t%edi,%ebp\n\tmovl\t%ecx,%esi\n\tshldl\t$5,%ecx,%ecx\n\taddl\t%ebp,%ebx\n\txorl\t%edi,%esi\n\tshrdl\t$7,%edx,%edx\n\taddl\t%ecx,%ebx\n\taddl\t40(%esp),%eax\n\txorl\t%edx,%esi\n\tmovl\t%ebx,%ebp\n\tshldl\t$5,%ebx,%ebx\n\taddl\t%esi,%eax\n\txorl\t%edx,%ebp\n\tshrdl\t$7,%ecx,%ecx\n\taddl\t%ebx,%eax\n\taddl\t44(%esp),%edi\n\txorl\t%ecx,%ebp\n\tmovl\t%eax,%esi\n\tshldl\t$5,%eax,%eax\n\taddl\t%ebp,%edi\n\txorl\t%ecx,%esi\n\tshrdl\t$7,%ebx,%ebx\n\taddl\t%eax,%edi\n\taddl\t48(%esp),%edx\n\txorl\t%ebx,%esi\n\tvpshufb\t%xmm6,%xmm3,%xmm3\n\tmovl\t%edi,%ebp\n\tshldl\t$5,%edi,%edi\n\tvpaddd\t%xmm7,%xmm2,%xmm6\n\taddl\t%esi,%edx\n\txorl\t%ebx,%ebp\n\tshrdl\t$7,%eax,%eax\n\taddl\t%edi,%edx\n\tvmovdqa\t%xmm6,32(%esp)\n\taddl\t52(%esp),%ecx\n\txorl\t%eax,%ebp\n\tmovl\t%edx,%esi\n\tshldl\t$5,%edx,%edx\n\taddl\t%ebp,%ecx\n\txorl\t%eax,%esi\n\tshrdl\t$7,%edi,%edi\n\taddl\t%edx,%ecx\n\taddl\t56(%esp),%ebx\n\txorl\t%edi,%esi\n\tmovl\t%ecx,%ebp\n\tshldl\t$5,%ecx,%ecx\n\taddl\t%esi,%ebx\n\txorl\t%edi,%ebp\n\tshrdl\t$7,%edx,%edx\n\taddl\t%ecx,%ebx\n\taddl\t60(%esp),%eax\n\txorl\t%edx,%ebp\n\tmovl\t%ebx,%esi\n\tshldl\t$5,%ebx,%ebx\n\taddl\t%ebp,%eax\n\tshrdl\t$7,%ecx,%ecx\n\taddl\t%ebx,%eax\n\tmovl\t192(%esp),%ebp\n\taddl\t(%ebp),%eax\n\taddl\t4(%ebp),%esi\n\taddl\t8(%ebp),%ecx\n\tmovl\t%eax,(%ebp)\n\taddl\t12(%ebp),%edx\n\tmovl\t%esi,4(%ebp)\n\taddl\t16(%ebp),%edi\n\tmovl\t%ecx,%ebx\n\tmovl\t%ecx,8(%ebp)\n\txorl\t%edx,%ebx\n\tmovl\t%edx,12(%ebp)\n\tmovl\t%edi,16(%ebp)\n\tmovl\t%esi,%ebp\n\tandl\t%ebx,%esi\n\tmovl\t%ebp,%ebx\n\tjmp\tL005loop\n.align\t4,0x90\nL006done:\n\taddl\t16(%esp),%ebx\n\txorl\t%edi,%esi\n\tmovl\t%ecx,%ebp\n\tshldl\t$5,%ecx,%ecx\n\taddl\t%esi,%ebx\n\txorl\t%edi,%ebp\n\tshrdl\t$7,%edx,%edx\n\taddl\t%ecx,%ebx\n\taddl\t20(%esp),%eax\n\txorl\t%edx,%ebp\n\tmovl\t%ebx,%esi\n\tshldl\t$5,%ebx,%ebx\n\taddl\t%ebp,%eax\n\txorl\t%edx,%esi\n\tshrdl\t$7,%ecx,%ecx\n\taddl\t%ebx,%eax\n\taddl\t24(%esp),%edi\n\txorl\t%ecx,%esi\n\tmovl\t%eax,%ebp\n\tshldl\t$5,%eax,%eax\n\taddl\t%esi,%edi\n\txorl\t%ecx,%ebp\n\tshrdl\t$7,%ebx,%ebx\n\taddl\t%eax,%edi\n\taddl\t28(%esp),%edx\n\txorl\t%ebx,%ebp\n\tmovl\t%edi,%esi\n\tshldl\t$5,%edi,%edi\n\taddl\t%ebp,%edx\n\txorl\t%ebx,%esi\n\tshrdl\t$7,%eax,%eax\n\taddl\t%edi,%edx\n\taddl\t32(%esp),%ecx\n\txorl\t%eax,%esi\n\tmovl\t%edx,%ebp\n\tshldl\t$5,%edx,%edx\n\taddl\t%esi,%ecx\n\txorl\t%eax,%ebp\n\tshrdl\t$7,%edi,%edi\n\taddl\t%edx,%ecx\n\taddl\t36(%esp),%ebx\n\txorl\t%edi,%ebp\n\tmovl\t%ecx,%esi\n\tshldl\t$5,%ecx,%ecx\n\taddl\t%ebp,%ebx\n\txorl\t%edi,%esi\n\tshrdl\t$7,%edx,%edx\n\taddl\t%ecx,%ebx\n\taddl\t40(%esp),%eax\n\txorl\t%edx,%esi\n\tmovl\t%ebx,%ebp\n\tshldl\t$5,%ebx,%ebx\n\taddl\t%esi,%eax\n\txorl\t%edx,%ebp\n\tshrdl\t$7,%ecx,%ecx\n\taddl\t%ebx,%eax\n\taddl\t44(%esp),%edi\n\txorl\t%ecx,%ebp\n\tmovl\t%eax,%esi\n\tshldl\t$5,%eax,%eax\n\taddl\t%ebp,%edi\n\txorl\t%ecx,%esi\n\tshrdl\t$7,%ebx,%ebx\n\taddl\t%eax,%edi\n\taddl\t48(%esp),%edx\n\txorl\t%ebx,%esi\n\tmovl\t%edi,%ebp\n\tshldl\t$5,%edi,%edi\n\taddl\t%esi,%edx\n\txorl\t%ebx,%ebp\n\tshrdl\t$7,%eax,%eax\n\taddl\t%edi,%edx\n\taddl\t52(%esp),%ecx\n\txorl\t%eax,%ebp\n\tmovl\t%edx,%esi\n\tshldl\t$5,%edx,%edx\n\taddl\t%ebp,%ecx\n\txorl\t%eax,%esi\n\tshrdl\t$7,%edi,%edi\n\taddl\t%edx,%ecx\n\taddl\t56(%esp),%ebx\n\txorl\t%edi,%esi\n\tmovl\t%ecx,%ebp\n\tshldl\t$5,%ecx,%ecx\n\taddl\t%esi,%ebx\n\txorl\t%edi,%ebp\n\tshrdl\t$7,%edx,%edx\n\taddl\t%ecx,%ebx\n\taddl\t60(%esp),%eax\n\txorl\t%edx,%ebp\n\tmovl\t%ebx,%esi\n\tshldl\t$5,%ebx,%ebx\n\taddl\t%ebp,%eax\n\tshrdl\t$7,%ecx,%ecx\n\taddl\t%ebx,%eax\n\tvzeroall\n\tmovl\t192(%esp),%ebp\n\taddl\t(%ebp),%eax\n\tmovl\t204(%esp),%esp\n\taddl\t4(%ebp),%esi\n\taddl\t8(%ebp),%ecx\n\tmovl\t%eax,(%ebp)\n\taddl\t12(%ebp),%edx\n\tmovl\t%esi,4(%ebp)\n\taddl\t16(%ebp),%edi\n\tmovl\t%ecx,8(%ebp)\n\tmovl\t%edx,12(%ebp)\n\tmovl\t%edi,16(%ebp)\n\tpopl\t%edi\n\tpopl\t%esi\n\tpopl\t%ebx\n\tpopl\t%ebp\n\tret\n.align\t6,0x90\nLK_XX_XX:\n.long\t1518500249,1518500249,1518500249,1518500249\n.long\t1859775393,1859775393,1859775393,1859775393\n.long\t2400959708,2400959708,2400959708,2400959708\n.long\t3395469782,3395469782,3395469782,3395469782\n.long\t66051,67438087,134810123,202182159\n.byte\t15,14,13,12,11,10,9,8,7,6,5,4,3,2,1,0\n.byte\t83,72,65,49,32,98,108,111,99,107,32,116,114,97,110,115\n.byte\t102,111,114,109,32,102,111,114,32,120,56,54,44,32,67,82\n.byte\t89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112\n.byte\t114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0\n#endif // !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86) && defined(__APPLE__)\n#if defined(__linux__) && defined(__ELF__)\n.section .note.GNU-stack,\"\",%progbits\n#endif\n\n" }, { "path": "Sources/CNIOBoringSSL/gen/bcm/sha1-586-linux.S", "content": "#define BORINGSSL_PREFIX CNIOBoringSSL\n// This file is generated from a similarly-named Perl script in the BoringSSL\n// source tree. Do not edit by hand.\n\n#include \n\n#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86) && defined(__ELF__)\n.text\n.globl\tsha1_block_data_order_nohw\n.hidden\tsha1_block_data_order_nohw\n.type\tsha1_block_data_order_nohw,@function\n.align\t16\nsha1_block_data_order_nohw:\n.L_sha1_block_data_order_nohw_begin:\n\tpushl\t%ebp\n\tpushl\t%ebx\n\tpushl\t%esi\n\tpushl\t%edi\n\tmovl\t20(%esp),%ebp\n\tmovl\t24(%esp),%esi\n\tmovl\t28(%esp),%eax\n\tsubl\t$76,%esp\n\tshll\t$6,%eax\n\taddl\t%esi,%eax\n\tmovl\t%eax,104(%esp)\n\tmovl\t16(%ebp),%edi\n\tjmp\t.L000loop\n.align\t16\n.L000loop:\n\tmovl\t(%esi),%eax\n\tmovl\t4(%esi),%ebx\n\tmovl\t8(%esi),%ecx\n\tmovl\t12(%esi),%edx\n\tbswap\t%eax\n\tbswap\t%ebx\n\tbswap\t%ecx\n\tbswap\t%edx\n\tmovl\t%eax,(%esp)\n\tmovl\t%ebx,4(%esp)\n\tmovl\t%ecx,8(%esp)\n\tmovl\t%edx,12(%esp)\n\tmovl\t16(%esi),%eax\n\tmovl\t20(%esi),%ebx\n\tmovl\t24(%esi),%ecx\n\tmovl\t28(%esi),%edx\n\tbswap\t%eax\n\tbswap\t%ebx\n\tbswap\t%ecx\n\tbswap\t%edx\n\tmovl\t%eax,16(%esp)\n\tmovl\t%ebx,20(%esp)\n\tmovl\t%ecx,24(%esp)\n\tmovl\t%edx,28(%esp)\n\tmovl\t32(%esi),%eax\n\tmovl\t36(%esi),%ebx\n\tmovl\t40(%esi),%ecx\n\tmovl\t44(%esi),%edx\n\tbswap\t%eax\n\tbswap\t%ebx\n\tbswap\t%ecx\n\tbswap\t%edx\n\tmovl\t%eax,32(%esp)\n\tmovl\t%ebx,36(%esp)\n\tmovl\t%ecx,40(%esp)\n\tmovl\t%edx,44(%esp)\n\tmovl\t48(%esi),%eax\n\tmovl\t52(%esi),%ebx\n\tmovl\t56(%esi),%ecx\n\tmovl\t60(%esi),%edx\n\tbswap\t%eax\n\tbswap\t%ebx\n\tbswap\t%ecx\n\tbswap\t%edx\n\tmovl\t%eax,48(%esp)\n\tmovl\t%ebx,52(%esp)\n\tmovl\t%ecx,56(%esp)\n\tmovl\t%edx,60(%esp)\n\tmovl\t%esi,100(%esp)\n\tmovl\t(%ebp),%eax\n\tmovl\t4(%ebp),%ebx\n\tmovl\t8(%ebp),%ecx\n\tmovl\t12(%ebp),%edx\n\n\tmovl\t%ecx,%esi\n\tmovl\t%eax,%ebp\n\troll\t$5,%ebp\n\txorl\t%edx,%esi\n\taddl\t%edi,%ebp\n\tmovl\t(%esp),%edi\n\tandl\t%ebx,%esi\n\trorl\t$2,%ebx\n\txorl\t%edx,%esi\n\tleal\t1518500249(%ebp,%edi,1),%ebp\n\taddl\t%esi,%ebp\n\n\tmovl\t%ebx,%edi\n\tmovl\t%ebp,%esi\n\troll\t$5,%ebp\n\txorl\t%ecx,%edi\n\taddl\t%edx,%ebp\n\tmovl\t4(%esp),%edx\n\tandl\t%eax,%edi\n\trorl\t$2,%eax\n\txorl\t%ecx,%edi\n\tleal\t1518500249(%ebp,%edx,1),%ebp\n\taddl\t%edi,%ebp\n\n\tmovl\t%eax,%edx\n\tmovl\t%ebp,%edi\n\troll\t$5,%ebp\n\txorl\t%ebx,%edx\n\taddl\t%ecx,%ebp\n\tmovl\t8(%esp),%ecx\n\tandl\t%esi,%edx\n\trorl\t$2,%esi\n\txorl\t%ebx,%edx\n\tleal\t1518500249(%ebp,%ecx,1),%ebp\n\taddl\t%edx,%ebp\n\n\tmovl\t%esi,%ecx\n\tmovl\t%ebp,%edx\n\troll\t$5,%ebp\n\txorl\t%eax,%ecx\n\taddl\t%ebx,%ebp\n\tmovl\t12(%esp),%ebx\n\tandl\t%edi,%ecx\n\trorl\t$2,%edi\n\txorl\t%eax,%ecx\n\tleal\t1518500249(%ebp,%ebx,1),%ebp\n\taddl\t%ecx,%ebp\n\n\tmovl\t%edi,%ebx\n\tmovl\t%ebp,%ecx\n\troll\t$5,%ebp\n\txorl\t%esi,%ebx\n\taddl\t%eax,%ebp\n\tmovl\t16(%esp),%eax\n\tandl\t%edx,%ebx\n\trorl\t$2,%edx\n\txorl\t%esi,%ebx\n\tleal\t1518500249(%ebp,%eax,1),%ebp\n\taddl\t%ebx,%ebp\n\n\tmovl\t%edx,%eax\n\tmovl\t%ebp,%ebx\n\troll\t$5,%ebp\n\txorl\t%edi,%eax\n\taddl\t%esi,%ebp\n\tmovl\t20(%esp),%esi\n\tandl\t%ecx,%eax\n\trorl\t$2,%ecx\n\txorl\t%edi,%eax\n\tleal\t1518500249(%ebp,%esi,1),%ebp\n\taddl\t%eax,%ebp\n\n\tmovl\t%ecx,%esi\n\tmovl\t%ebp,%eax\n\troll\t$5,%ebp\n\txorl\t%edx,%esi\n\taddl\t%edi,%ebp\n\tmovl\t24(%esp),%edi\n\tandl\t%ebx,%esi\n\trorl\t$2,%ebx\n\txorl\t%edx,%esi\n\tleal\t1518500249(%ebp,%edi,1),%ebp\n\taddl\t%esi,%ebp\n\n\tmovl\t%ebx,%edi\n\tmovl\t%ebp,%esi\n\troll\t$5,%ebp\n\txorl\t%ecx,%edi\n\taddl\t%edx,%ebp\n\tmovl\t28(%esp),%edx\n\tandl\t%eax,%edi\n\trorl\t$2,%eax\n\txorl\t%ecx,%edi\n\tleal\t1518500249(%ebp,%edx,1),%ebp\n\taddl\t%edi,%ebp\n\n\tmovl\t%eax,%edx\n\tmovl\t%ebp,%edi\n\troll\t$5,%ebp\n\txorl\t%ebx,%edx\n\taddl\t%ecx,%ebp\n\tmovl\t32(%esp),%ecx\n\tandl\t%esi,%edx\n\trorl\t$2,%esi\n\txorl\t%ebx,%edx\n\tleal\t1518500249(%ebp,%ecx,1),%ebp\n\taddl\t%edx,%ebp\n\n\tmovl\t%esi,%ecx\n\tmovl\t%ebp,%edx\n\troll\t$5,%ebp\n\txorl\t%eax,%ecx\n\taddl\t%ebx,%ebp\n\tmovl\t36(%esp),%ebx\n\tandl\t%edi,%ecx\n\trorl\t$2,%edi\n\txorl\t%eax,%ecx\n\tleal\t1518500249(%ebp,%ebx,1),%ebp\n\taddl\t%ecx,%ebp\n\n\tmovl\t%edi,%ebx\n\tmovl\t%ebp,%ecx\n\troll\t$5,%ebp\n\txorl\t%esi,%ebx\n\taddl\t%eax,%ebp\n\tmovl\t40(%esp),%eax\n\tandl\t%edx,%ebx\n\trorl\t$2,%edx\n\txorl\t%esi,%ebx\n\tleal\t1518500249(%ebp,%eax,1),%ebp\n\taddl\t%ebx,%ebp\n\n\tmovl\t%edx,%eax\n\tmovl\t%ebp,%ebx\n\troll\t$5,%ebp\n\txorl\t%edi,%eax\n\taddl\t%esi,%ebp\n\tmovl\t44(%esp),%esi\n\tandl\t%ecx,%eax\n\trorl\t$2,%ecx\n\txorl\t%edi,%eax\n\tleal\t1518500249(%ebp,%esi,1),%ebp\n\taddl\t%eax,%ebp\n\n\tmovl\t%ecx,%esi\n\tmovl\t%ebp,%eax\n\troll\t$5,%ebp\n\txorl\t%edx,%esi\n\taddl\t%edi,%ebp\n\tmovl\t48(%esp),%edi\n\tandl\t%ebx,%esi\n\trorl\t$2,%ebx\n\txorl\t%edx,%esi\n\tleal\t1518500249(%ebp,%edi,1),%ebp\n\taddl\t%esi,%ebp\n\n\tmovl\t%ebx,%edi\n\tmovl\t%ebp,%esi\n\troll\t$5,%ebp\n\txorl\t%ecx,%edi\n\taddl\t%edx,%ebp\n\tmovl\t52(%esp),%edx\n\tandl\t%eax,%edi\n\trorl\t$2,%eax\n\txorl\t%ecx,%edi\n\tleal\t1518500249(%ebp,%edx,1),%ebp\n\taddl\t%edi,%ebp\n\n\tmovl\t%eax,%edx\n\tmovl\t%ebp,%edi\n\troll\t$5,%ebp\n\txorl\t%ebx,%edx\n\taddl\t%ecx,%ebp\n\tmovl\t56(%esp),%ecx\n\tandl\t%esi,%edx\n\trorl\t$2,%esi\n\txorl\t%ebx,%edx\n\tleal\t1518500249(%ebp,%ecx,1),%ebp\n\taddl\t%edx,%ebp\n\n\tmovl\t%esi,%ecx\n\tmovl\t%ebp,%edx\n\troll\t$5,%ebp\n\txorl\t%eax,%ecx\n\taddl\t%ebx,%ebp\n\tmovl\t60(%esp),%ebx\n\tandl\t%edi,%ecx\n\trorl\t$2,%edi\n\txorl\t%eax,%ecx\n\tleal\t1518500249(%ebp,%ebx,1),%ebp\n\tmovl\t(%esp),%ebx\n\taddl\t%ebp,%ecx\n\n\tmovl\t%edi,%ebp\n\txorl\t8(%esp),%ebx\n\txorl\t%esi,%ebp\n\txorl\t32(%esp),%ebx\n\tandl\t%edx,%ebp\n\txorl\t52(%esp),%ebx\n\troll\t$1,%ebx\n\txorl\t%esi,%ebp\n\taddl\t%ebp,%eax\n\tmovl\t%ecx,%ebp\n\trorl\t$2,%edx\n\tmovl\t%ebx,(%esp)\n\troll\t$5,%ebp\n\tleal\t1518500249(%ebx,%eax,1),%ebx\n\tmovl\t4(%esp),%eax\n\taddl\t%ebp,%ebx\n\n\tmovl\t%edx,%ebp\n\txorl\t12(%esp),%eax\n\txorl\t%edi,%ebp\n\txorl\t36(%esp),%eax\n\tandl\t%ecx,%ebp\n\txorl\t56(%esp),%eax\n\troll\t$1,%eax\n\txorl\t%edi,%ebp\n\taddl\t%ebp,%esi\n\tmovl\t%ebx,%ebp\n\trorl\t$2,%ecx\n\tmovl\t%eax,4(%esp)\n\troll\t$5,%ebp\n\tleal\t1518500249(%eax,%esi,1),%eax\n\tmovl\t8(%esp),%esi\n\taddl\t%ebp,%eax\n\n\tmovl\t%ecx,%ebp\n\txorl\t16(%esp),%esi\n\txorl\t%edx,%ebp\n\txorl\t40(%esp),%esi\n\tandl\t%ebx,%ebp\n\txorl\t60(%esp),%esi\n\troll\t$1,%esi\n\txorl\t%edx,%ebp\n\taddl\t%ebp,%edi\n\tmovl\t%eax,%ebp\n\trorl\t$2,%ebx\n\tmovl\t%esi,8(%esp)\n\troll\t$5,%ebp\n\tleal\t1518500249(%esi,%edi,1),%esi\n\tmovl\t12(%esp),%edi\n\taddl\t%ebp,%esi\n\n\tmovl\t%ebx,%ebp\n\txorl\t20(%esp),%edi\n\txorl\t%ecx,%ebp\n\txorl\t44(%esp),%edi\n\tandl\t%eax,%ebp\n\txorl\t(%esp),%edi\n\troll\t$1,%edi\n\txorl\t%ecx,%ebp\n\taddl\t%ebp,%edx\n\tmovl\t%esi,%ebp\n\trorl\t$2,%eax\n\tmovl\t%edi,12(%esp)\n\troll\t$5,%ebp\n\tleal\t1518500249(%edi,%edx,1),%edi\n\tmovl\t16(%esp),%edx\n\taddl\t%ebp,%edi\n\n\tmovl\t%esi,%ebp\n\txorl\t24(%esp),%edx\n\txorl\t%eax,%ebp\n\txorl\t48(%esp),%edx\n\txorl\t%ebx,%ebp\n\txorl\t4(%esp),%edx\n\troll\t$1,%edx\n\taddl\t%ebp,%ecx\n\trorl\t$2,%esi\n\tmovl\t%edi,%ebp\n\troll\t$5,%ebp\n\tmovl\t%edx,16(%esp)\n\tleal\t1859775393(%edx,%ecx,1),%edx\n\tmovl\t20(%esp),%ecx\n\taddl\t%ebp,%edx\n\n\tmovl\t%edi,%ebp\n\txorl\t28(%esp),%ecx\n\txorl\t%esi,%ebp\n\txorl\t52(%esp),%ecx\n\txorl\t%eax,%ebp\n\txorl\t8(%esp),%ecx\n\troll\t$1,%ecx\n\taddl\t%ebp,%ebx\n\trorl\t$2,%edi\n\tmovl\t%edx,%ebp\n\troll\t$5,%ebp\n\tmovl\t%ecx,20(%esp)\n\tleal\t1859775393(%ecx,%ebx,1),%ecx\n\tmovl\t24(%esp),%ebx\n\taddl\t%ebp,%ecx\n\n\tmovl\t%edx,%ebp\n\txorl\t32(%esp),%ebx\n\txorl\t%edi,%ebp\n\txorl\t56(%esp),%ebx\n\txorl\t%esi,%ebp\n\txorl\t12(%esp),%ebx\n\troll\t$1,%ebx\n\taddl\t%ebp,%eax\n\trorl\t$2,%edx\n\tmovl\t%ecx,%ebp\n\troll\t$5,%ebp\n\tmovl\t%ebx,24(%esp)\n\tleal\t1859775393(%ebx,%eax,1),%ebx\n\tmovl\t28(%esp),%eax\n\taddl\t%ebp,%ebx\n\n\tmovl\t%ecx,%ebp\n\txorl\t36(%esp),%eax\n\txorl\t%edx,%ebp\n\txorl\t60(%esp),%eax\n\txorl\t%edi,%ebp\n\txorl\t16(%esp),%eax\n\troll\t$1,%eax\n\taddl\t%ebp,%esi\n\trorl\t$2,%ecx\n\tmovl\t%ebx,%ebp\n\troll\t$5,%ebp\n\tmovl\t%eax,28(%esp)\n\tleal\t1859775393(%eax,%esi,1),%eax\n\tmovl\t32(%esp),%esi\n\taddl\t%ebp,%eax\n\n\tmovl\t%ebx,%ebp\n\txorl\t40(%esp),%esi\n\txorl\t%ecx,%ebp\n\txorl\t(%esp),%esi\n\txorl\t%edx,%ebp\n\txorl\t20(%esp),%esi\n\troll\t$1,%esi\n\taddl\t%ebp,%edi\n\trorl\t$2,%ebx\n\tmovl\t%eax,%ebp\n\troll\t$5,%ebp\n\tmovl\t%esi,32(%esp)\n\tleal\t1859775393(%esi,%edi,1),%esi\n\tmovl\t36(%esp),%edi\n\taddl\t%ebp,%esi\n\n\tmovl\t%eax,%ebp\n\txorl\t44(%esp),%edi\n\txorl\t%ebx,%ebp\n\txorl\t4(%esp),%edi\n\txorl\t%ecx,%ebp\n\txorl\t24(%esp),%edi\n\troll\t$1,%edi\n\taddl\t%ebp,%edx\n\trorl\t$2,%eax\n\tmovl\t%esi,%ebp\n\troll\t$5,%ebp\n\tmovl\t%edi,36(%esp)\n\tleal\t1859775393(%edi,%edx,1),%edi\n\tmovl\t40(%esp),%edx\n\taddl\t%ebp,%edi\n\n\tmovl\t%esi,%ebp\n\txorl\t48(%esp),%edx\n\txorl\t%eax,%ebp\n\txorl\t8(%esp),%edx\n\txorl\t%ebx,%ebp\n\txorl\t28(%esp),%edx\n\troll\t$1,%edx\n\taddl\t%ebp,%ecx\n\trorl\t$2,%esi\n\tmovl\t%edi,%ebp\n\troll\t$5,%ebp\n\tmovl\t%edx,40(%esp)\n\tleal\t1859775393(%edx,%ecx,1),%edx\n\tmovl\t44(%esp),%ecx\n\taddl\t%ebp,%edx\n\n\tmovl\t%edi,%ebp\n\txorl\t52(%esp),%ecx\n\txorl\t%esi,%ebp\n\txorl\t12(%esp),%ecx\n\txorl\t%eax,%ebp\n\txorl\t32(%esp),%ecx\n\troll\t$1,%ecx\n\taddl\t%ebp,%ebx\n\trorl\t$2,%edi\n\tmovl\t%edx,%ebp\n\troll\t$5,%ebp\n\tmovl\t%ecx,44(%esp)\n\tleal\t1859775393(%ecx,%ebx,1),%ecx\n\tmovl\t48(%esp),%ebx\n\taddl\t%ebp,%ecx\n\n\tmovl\t%edx,%ebp\n\txorl\t56(%esp),%ebx\n\txorl\t%edi,%ebp\n\txorl\t16(%esp),%ebx\n\txorl\t%esi,%ebp\n\txorl\t36(%esp),%ebx\n\troll\t$1,%ebx\n\taddl\t%ebp,%eax\n\trorl\t$2,%edx\n\tmovl\t%ecx,%ebp\n\troll\t$5,%ebp\n\tmovl\t%ebx,48(%esp)\n\tleal\t1859775393(%ebx,%eax,1),%ebx\n\tmovl\t52(%esp),%eax\n\taddl\t%ebp,%ebx\n\n\tmovl\t%ecx,%ebp\n\txorl\t60(%esp),%eax\n\txorl\t%edx,%ebp\n\txorl\t20(%esp),%eax\n\txorl\t%edi,%ebp\n\txorl\t40(%esp),%eax\n\troll\t$1,%eax\n\taddl\t%ebp,%esi\n\trorl\t$2,%ecx\n\tmovl\t%ebx,%ebp\n\troll\t$5,%ebp\n\tmovl\t%eax,52(%esp)\n\tleal\t1859775393(%eax,%esi,1),%eax\n\tmovl\t56(%esp),%esi\n\taddl\t%ebp,%eax\n\n\tmovl\t%ebx,%ebp\n\txorl\t(%esp),%esi\n\txorl\t%ecx,%ebp\n\txorl\t24(%esp),%esi\n\txorl\t%edx,%ebp\n\txorl\t44(%esp),%esi\n\troll\t$1,%esi\n\taddl\t%ebp,%edi\n\trorl\t$2,%ebx\n\tmovl\t%eax,%ebp\n\troll\t$5,%ebp\n\tmovl\t%esi,56(%esp)\n\tleal\t1859775393(%esi,%edi,1),%esi\n\tmovl\t60(%esp),%edi\n\taddl\t%ebp,%esi\n\n\tmovl\t%eax,%ebp\n\txorl\t4(%esp),%edi\n\txorl\t%ebx,%ebp\n\txorl\t28(%esp),%edi\n\txorl\t%ecx,%ebp\n\txorl\t48(%esp),%edi\n\troll\t$1,%edi\n\taddl\t%ebp,%edx\n\trorl\t$2,%eax\n\tmovl\t%esi,%ebp\n\troll\t$5,%ebp\n\tmovl\t%edi,60(%esp)\n\tleal\t1859775393(%edi,%edx,1),%edi\n\tmovl\t(%esp),%edx\n\taddl\t%ebp,%edi\n\n\tmovl\t%esi,%ebp\n\txorl\t8(%esp),%edx\n\txorl\t%eax,%ebp\n\txorl\t32(%esp),%edx\n\txorl\t%ebx,%ebp\n\txorl\t52(%esp),%edx\n\troll\t$1,%edx\n\taddl\t%ebp,%ecx\n\trorl\t$2,%esi\n\tmovl\t%edi,%ebp\n\troll\t$5,%ebp\n\tmovl\t%edx,(%esp)\n\tleal\t1859775393(%edx,%ecx,1),%edx\n\tmovl\t4(%esp),%ecx\n\taddl\t%ebp,%edx\n\n\tmovl\t%edi,%ebp\n\txorl\t12(%esp),%ecx\n\txorl\t%esi,%ebp\n\txorl\t36(%esp),%ecx\n\txorl\t%eax,%ebp\n\txorl\t56(%esp),%ecx\n\troll\t$1,%ecx\n\taddl\t%ebp,%ebx\n\trorl\t$2,%edi\n\tmovl\t%edx,%ebp\n\troll\t$5,%ebp\n\tmovl\t%ecx,4(%esp)\n\tleal\t1859775393(%ecx,%ebx,1),%ecx\n\tmovl\t8(%esp),%ebx\n\taddl\t%ebp,%ecx\n\n\tmovl\t%edx,%ebp\n\txorl\t16(%esp),%ebx\n\txorl\t%edi,%ebp\n\txorl\t40(%esp),%ebx\n\txorl\t%esi,%ebp\n\txorl\t60(%esp),%ebx\n\troll\t$1,%ebx\n\taddl\t%ebp,%eax\n\trorl\t$2,%edx\n\tmovl\t%ecx,%ebp\n\troll\t$5,%ebp\n\tmovl\t%ebx,8(%esp)\n\tleal\t1859775393(%ebx,%eax,1),%ebx\n\tmovl\t12(%esp),%eax\n\taddl\t%ebp,%ebx\n\n\tmovl\t%ecx,%ebp\n\txorl\t20(%esp),%eax\n\txorl\t%edx,%ebp\n\txorl\t44(%esp),%eax\n\txorl\t%edi,%ebp\n\txorl\t(%esp),%eax\n\troll\t$1,%eax\n\taddl\t%ebp,%esi\n\trorl\t$2,%ecx\n\tmovl\t%ebx,%ebp\n\troll\t$5,%ebp\n\tmovl\t%eax,12(%esp)\n\tleal\t1859775393(%eax,%esi,1),%eax\n\tmovl\t16(%esp),%esi\n\taddl\t%ebp,%eax\n\n\tmovl\t%ebx,%ebp\n\txorl\t24(%esp),%esi\n\txorl\t%ecx,%ebp\n\txorl\t48(%esp),%esi\n\txorl\t%edx,%ebp\n\txorl\t4(%esp),%esi\n\troll\t$1,%esi\n\taddl\t%ebp,%edi\n\trorl\t$2,%ebx\n\tmovl\t%eax,%ebp\n\troll\t$5,%ebp\n\tmovl\t%esi,16(%esp)\n\tleal\t1859775393(%esi,%edi,1),%esi\n\tmovl\t20(%esp),%edi\n\taddl\t%ebp,%esi\n\n\tmovl\t%eax,%ebp\n\txorl\t28(%esp),%edi\n\txorl\t%ebx,%ebp\n\txorl\t52(%esp),%edi\n\txorl\t%ecx,%ebp\n\txorl\t8(%esp),%edi\n\troll\t$1,%edi\n\taddl\t%ebp,%edx\n\trorl\t$2,%eax\n\tmovl\t%esi,%ebp\n\troll\t$5,%ebp\n\tmovl\t%edi,20(%esp)\n\tleal\t1859775393(%edi,%edx,1),%edi\n\tmovl\t24(%esp),%edx\n\taddl\t%ebp,%edi\n\n\tmovl\t%esi,%ebp\n\txorl\t32(%esp),%edx\n\txorl\t%eax,%ebp\n\txorl\t56(%esp),%edx\n\txorl\t%ebx,%ebp\n\txorl\t12(%esp),%edx\n\troll\t$1,%edx\n\taddl\t%ebp,%ecx\n\trorl\t$2,%esi\n\tmovl\t%edi,%ebp\n\troll\t$5,%ebp\n\tmovl\t%edx,24(%esp)\n\tleal\t1859775393(%edx,%ecx,1),%edx\n\tmovl\t28(%esp),%ecx\n\taddl\t%ebp,%edx\n\n\tmovl\t%edi,%ebp\n\txorl\t36(%esp),%ecx\n\txorl\t%esi,%ebp\n\txorl\t60(%esp),%ecx\n\txorl\t%eax,%ebp\n\txorl\t16(%esp),%ecx\n\troll\t$1,%ecx\n\taddl\t%ebp,%ebx\n\trorl\t$2,%edi\n\tmovl\t%edx,%ebp\n\troll\t$5,%ebp\n\tmovl\t%ecx,28(%esp)\n\tleal\t1859775393(%ecx,%ebx,1),%ecx\n\tmovl\t32(%esp),%ebx\n\taddl\t%ebp,%ecx\n\n\tmovl\t%edi,%ebp\n\txorl\t40(%esp),%ebx\n\txorl\t%esi,%ebp\n\txorl\t(%esp),%ebx\n\tandl\t%edx,%ebp\n\txorl\t20(%esp),%ebx\n\troll\t$1,%ebx\n\taddl\t%eax,%ebp\n\trorl\t$2,%edx\n\tmovl\t%ecx,%eax\n\troll\t$5,%eax\n\tmovl\t%ebx,32(%esp)\n\tleal\t2400959708(%ebx,%ebp,1),%ebx\n\tmovl\t%edi,%ebp\n\taddl\t%eax,%ebx\n\tandl\t%esi,%ebp\n\tmovl\t36(%esp),%eax\n\taddl\t%ebp,%ebx\n\n\tmovl\t%edx,%ebp\n\txorl\t44(%esp),%eax\n\txorl\t%edi,%ebp\n\txorl\t4(%esp),%eax\n\tandl\t%ecx,%ebp\n\txorl\t24(%esp),%eax\n\troll\t$1,%eax\n\taddl\t%esi,%ebp\n\trorl\t$2,%ecx\n\tmovl\t%ebx,%esi\n\troll\t$5,%esi\n\tmovl\t%eax,36(%esp)\n\tleal\t2400959708(%eax,%ebp,1),%eax\n\tmovl\t%edx,%ebp\n\taddl\t%esi,%eax\n\tandl\t%edi,%ebp\n\tmovl\t40(%esp),%esi\n\taddl\t%ebp,%eax\n\n\tmovl\t%ecx,%ebp\n\txorl\t48(%esp),%esi\n\txorl\t%edx,%ebp\n\txorl\t8(%esp),%esi\n\tandl\t%ebx,%ebp\n\txorl\t28(%esp),%esi\n\troll\t$1,%esi\n\taddl\t%edi,%ebp\n\trorl\t$2,%ebx\n\tmovl\t%eax,%edi\n\troll\t$5,%edi\n\tmovl\t%esi,40(%esp)\n\tleal\t2400959708(%esi,%ebp,1),%esi\n\tmovl\t%ecx,%ebp\n\taddl\t%edi,%esi\n\tandl\t%edx,%ebp\n\tmovl\t44(%esp),%edi\n\taddl\t%ebp,%esi\n\n\tmovl\t%ebx,%ebp\n\txorl\t52(%esp),%edi\n\txorl\t%ecx,%ebp\n\txorl\t12(%esp),%edi\n\tandl\t%eax,%ebp\n\txorl\t32(%esp),%edi\n\troll\t$1,%edi\n\taddl\t%edx,%ebp\n\trorl\t$2,%eax\n\tmovl\t%esi,%edx\n\troll\t$5,%edx\n\tmovl\t%edi,44(%esp)\n\tleal\t2400959708(%edi,%ebp,1),%edi\n\tmovl\t%ebx,%ebp\n\taddl\t%edx,%edi\n\tandl\t%ecx,%ebp\n\tmovl\t48(%esp),%edx\n\taddl\t%ebp,%edi\n\n\tmovl\t%eax,%ebp\n\txorl\t56(%esp),%edx\n\txorl\t%ebx,%ebp\n\txorl\t16(%esp),%edx\n\tandl\t%esi,%ebp\n\txorl\t36(%esp),%edx\n\troll\t$1,%edx\n\taddl\t%ecx,%ebp\n\trorl\t$2,%esi\n\tmovl\t%edi,%ecx\n\troll\t$5,%ecx\n\tmovl\t%edx,48(%esp)\n\tleal\t2400959708(%edx,%ebp,1),%edx\n\tmovl\t%eax,%ebp\n\taddl\t%ecx,%edx\n\tandl\t%ebx,%ebp\n\tmovl\t52(%esp),%ecx\n\taddl\t%ebp,%edx\n\n\tmovl\t%esi,%ebp\n\txorl\t60(%esp),%ecx\n\txorl\t%eax,%ebp\n\txorl\t20(%esp),%ecx\n\tandl\t%edi,%ebp\n\txorl\t40(%esp),%ecx\n\troll\t$1,%ecx\n\taddl\t%ebx,%ebp\n\trorl\t$2,%edi\n\tmovl\t%edx,%ebx\n\troll\t$5,%ebx\n\tmovl\t%ecx,52(%esp)\n\tleal\t2400959708(%ecx,%ebp,1),%ecx\n\tmovl\t%esi,%ebp\n\taddl\t%ebx,%ecx\n\tandl\t%eax,%ebp\n\tmovl\t56(%esp),%ebx\n\taddl\t%ebp,%ecx\n\n\tmovl\t%edi,%ebp\n\txorl\t(%esp),%ebx\n\txorl\t%esi,%ebp\n\txorl\t24(%esp),%ebx\n\tandl\t%edx,%ebp\n\txorl\t44(%esp),%ebx\n\troll\t$1,%ebx\n\taddl\t%eax,%ebp\n\trorl\t$2,%edx\n\tmovl\t%ecx,%eax\n\troll\t$5,%eax\n\tmovl\t%ebx,56(%esp)\n\tleal\t2400959708(%ebx,%ebp,1),%ebx\n\tmovl\t%edi,%ebp\n\taddl\t%eax,%ebx\n\tandl\t%esi,%ebp\n\tmovl\t60(%esp),%eax\n\taddl\t%ebp,%ebx\n\n\tmovl\t%edx,%ebp\n\txorl\t4(%esp),%eax\n\txorl\t%edi,%ebp\n\txorl\t28(%esp),%eax\n\tandl\t%ecx,%ebp\n\txorl\t48(%esp),%eax\n\troll\t$1,%eax\n\taddl\t%esi,%ebp\n\trorl\t$2,%ecx\n\tmovl\t%ebx,%esi\n\troll\t$5,%esi\n\tmovl\t%eax,60(%esp)\n\tleal\t2400959708(%eax,%ebp,1),%eax\n\tmovl\t%edx,%ebp\n\taddl\t%esi,%eax\n\tandl\t%edi,%ebp\n\tmovl\t(%esp),%esi\n\taddl\t%ebp,%eax\n\n\tmovl\t%ecx,%ebp\n\txorl\t8(%esp),%esi\n\txorl\t%edx,%ebp\n\txorl\t32(%esp),%esi\n\tandl\t%ebx,%ebp\n\txorl\t52(%esp),%esi\n\troll\t$1,%esi\n\taddl\t%edi,%ebp\n\trorl\t$2,%ebx\n\tmovl\t%eax,%edi\n\troll\t$5,%edi\n\tmovl\t%esi,(%esp)\n\tleal\t2400959708(%esi,%ebp,1),%esi\n\tmovl\t%ecx,%ebp\n\taddl\t%edi,%esi\n\tandl\t%edx,%ebp\n\tmovl\t4(%esp),%edi\n\taddl\t%ebp,%esi\n\n\tmovl\t%ebx,%ebp\n\txorl\t12(%esp),%edi\n\txorl\t%ecx,%ebp\n\txorl\t36(%esp),%edi\n\tandl\t%eax,%ebp\n\txorl\t56(%esp),%edi\n\troll\t$1,%edi\n\taddl\t%edx,%ebp\n\trorl\t$2,%eax\n\tmovl\t%esi,%edx\n\troll\t$5,%edx\n\tmovl\t%edi,4(%esp)\n\tleal\t2400959708(%edi,%ebp,1),%edi\n\tmovl\t%ebx,%ebp\n\taddl\t%edx,%edi\n\tandl\t%ecx,%ebp\n\tmovl\t8(%esp),%edx\n\taddl\t%ebp,%edi\n\n\tmovl\t%eax,%ebp\n\txorl\t16(%esp),%edx\n\txorl\t%ebx,%ebp\n\txorl\t40(%esp),%edx\n\tandl\t%esi,%ebp\n\txorl\t60(%esp),%edx\n\troll\t$1,%edx\n\taddl\t%ecx,%ebp\n\trorl\t$2,%esi\n\tmovl\t%edi,%ecx\n\troll\t$5,%ecx\n\tmovl\t%edx,8(%esp)\n\tleal\t2400959708(%edx,%ebp,1),%edx\n\tmovl\t%eax,%ebp\n\taddl\t%ecx,%edx\n\tandl\t%ebx,%ebp\n\tmovl\t12(%esp),%ecx\n\taddl\t%ebp,%edx\n\n\tmovl\t%esi,%ebp\n\txorl\t20(%esp),%ecx\n\txorl\t%eax,%ebp\n\txorl\t44(%esp),%ecx\n\tandl\t%edi,%ebp\n\txorl\t(%esp),%ecx\n\troll\t$1,%ecx\n\taddl\t%ebx,%ebp\n\trorl\t$2,%edi\n\tmovl\t%edx,%ebx\n\troll\t$5,%ebx\n\tmovl\t%ecx,12(%esp)\n\tleal\t2400959708(%ecx,%ebp,1),%ecx\n\tmovl\t%esi,%ebp\n\taddl\t%ebx,%ecx\n\tandl\t%eax,%ebp\n\tmovl\t16(%esp),%ebx\n\taddl\t%ebp,%ecx\n\n\tmovl\t%edi,%ebp\n\txorl\t24(%esp),%ebx\n\txorl\t%esi,%ebp\n\txorl\t48(%esp),%ebx\n\tandl\t%edx,%ebp\n\txorl\t4(%esp),%ebx\n\troll\t$1,%ebx\n\taddl\t%eax,%ebp\n\trorl\t$2,%edx\n\tmovl\t%ecx,%eax\n\troll\t$5,%eax\n\tmovl\t%ebx,16(%esp)\n\tleal\t2400959708(%ebx,%ebp,1),%ebx\n\tmovl\t%edi,%ebp\n\taddl\t%eax,%ebx\n\tandl\t%esi,%ebp\n\tmovl\t20(%esp),%eax\n\taddl\t%ebp,%ebx\n\n\tmovl\t%edx,%ebp\n\txorl\t28(%esp),%eax\n\txorl\t%edi,%ebp\n\txorl\t52(%esp),%eax\n\tandl\t%ecx,%ebp\n\txorl\t8(%esp),%eax\n\troll\t$1,%eax\n\taddl\t%esi,%ebp\n\trorl\t$2,%ecx\n\tmovl\t%ebx,%esi\n\troll\t$5,%esi\n\tmovl\t%eax,20(%esp)\n\tleal\t2400959708(%eax,%ebp,1),%eax\n\tmovl\t%edx,%ebp\n\taddl\t%esi,%eax\n\tandl\t%edi,%ebp\n\tmovl\t24(%esp),%esi\n\taddl\t%ebp,%eax\n\n\tmovl\t%ecx,%ebp\n\txorl\t32(%esp),%esi\n\txorl\t%edx,%ebp\n\txorl\t56(%esp),%esi\n\tandl\t%ebx,%ebp\n\txorl\t12(%esp),%esi\n\troll\t$1,%esi\n\taddl\t%edi,%ebp\n\trorl\t$2,%ebx\n\tmovl\t%eax,%edi\n\troll\t$5,%edi\n\tmovl\t%esi,24(%esp)\n\tleal\t2400959708(%esi,%ebp,1),%esi\n\tmovl\t%ecx,%ebp\n\taddl\t%edi,%esi\n\tandl\t%edx,%ebp\n\tmovl\t28(%esp),%edi\n\taddl\t%ebp,%esi\n\n\tmovl\t%ebx,%ebp\n\txorl\t36(%esp),%edi\n\txorl\t%ecx,%ebp\n\txorl\t60(%esp),%edi\n\tandl\t%eax,%ebp\n\txorl\t16(%esp),%edi\n\troll\t$1,%edi\n\taddl\t%edx,%ebp\n\trorl\t$2,%eax\n\tmovl\t%esi,%edx\n\troll\t$5,%edx\n\tmovl\t%edi,28(%esp)\n\tleal\t2400959708(%edi,%ebp,1),%edi\n\tmovl\t%ebx,%ebp\n\taddl\t%edx,%edi\n\tandl\t%ecx,%ebp\n\tmovl\t32(%esp),%edx\n\taddl\t%ebp,%edi\n\n\tmovl\t%eax,%ebp\n\txorl\t40(%esp),%edx\n\txorl\t%ebx,%ebp\n\txorl\t(%esp),%edx\n\tandl\t%esi,%ebp\n\txorl\t20(%esp),%edx\n\troll\t$1,%edx\n\taddl\t%ecx,%ebp\n\trorl\t$2,%esi\n\tmovl\t%edi,%ecx\n\troll\t$5,%ecx\n\tmovl\t%edx,32(%esp)\n\tleal\t2400959708(%edx,%ebp,1),%edx\n\tmovl\t%eax,%ebp\n\taddl\t%ecx,%edx\n\tandl\t%ebx,%ebp\n\tmovl\t36(%esp),%ecx\n\taddl\t%ebp,%edx\n\n\tmovl\t%esi,%ebp\n\txorl\t44(%esp),%ecx\n\txorl\t%eax,%ebp\n\txorl\t4(%esp),%ecx\n\tandl\t%edi,%ebp\n\txorl\t24(%esp),%ecx\n\troll\t$1,%ecx\n\taddl\t%ebx,%ebp\n\trorl\t$2,%edi\n\tmovl\t%edx,%ebx\n\troll\t$5,%ebx\n\tmovl\t%ecx,36(%esp)\n\tleal\t2400959708(%ecx,%ebp,1),%ecx\n\tmovl\t%esi,%ebp\n\taddl\t%ebx,%ecx\n\tandl\t%eax,%ebp\n\tmovl\t40(%esp),%ebx\n\taddl\t%ebp,%ecx\n\n\tmovl\t%edi,%ebp\n\txorl\t48(%esp),%ebx\n\txorl\t%esi,%ebp\n\txorl\t8(%esp),%ebx\n\tandl\t%edx,%ebp\n\txorl\t28(%esp),%ebx\n\troll\t$1,%ebx\n\taddl\t%eax,%ebp\n\trorl\t$2,%edx\n\tmovl\t%ecx,%eax\n\troll\t$5,%eax\n\tmovl\t%ebx,40(%esp)\n\tleal\t2400959708(%ebx,%ebp,1),%ebx\n\tmovl\t%edi,%ebp\n\taddl\t%eax,%ebx\n\tandl\t%esi,%ebp\n\tmovl\t44(%esp),%eax\n\taddl\t%ebp,%ebx\n\n\tmovl\t%edx,%ebp\n\txorl\t52(%esp),%eax\n\txorl\t%edi,%ebp\n\txorl\t12(%esp),%eax\n\tandl\t%ecx,%ebp\n\txorl\t32(%esp),%eax\n\troll\t$1,%eax\n\taddl\t%esi,%ebp\n\trorl\t$2,%ecx\n\tmovl\t%ebx,%esi\n\troll\t$5,%esi\n\tmovl\t%eax,44(%esp)\n\tleal\t2400959708(%eax,%ebp,1),%eax\n\tmovl\t%edx,%ebp\n\taddl\t%esi,%eax\n\tandl\t%edi,%ebp\n\tmovl\t48(%esp),%esi\n\taddl\t%ebp,%eax\n\n\tmovl\t%ebx,%ebp\n\txorl\t56(%esp),%esi\n\txorl\t%ecx,%ebp\n\txorl\t16(%esp),%esi\n\txorl\t%edx,%ebp\n\txorl\t36(%esp),%esi\n\troll\t$1,%esi\n\taddl\t%ebp,%edi\n\trorl\t$2,%ebx\n\tmovl\t%eax,%ebp\n\troll\t$5,%ebp\n\tmovl\t%esi,48(%esp)\n\tleal\t3395469782(%esi,%edi,1),%esi\n\tmovl\t52(%esp),%edi\n\taddl\t%ebp,%esi\n\n\tmovl\t%eax,%ebp\n\txorl\t60(%esp),%edi\n\txorl\t%ebx,%ebp\n\txorl\t20(%esp),%edi\n\txorl\t%ecx,%ebp\n\txorl\t40(%esp),%edi\n\troll\t$1,%edi\n\taddl\t%ebp,%edx\n\trorl\t$2,%eax\n\tmovl\t%esi,%ebp\n\troll\t$5,%ebp\n\tmovl\t%edi,52(%esp)\n\tleal\t3395469782(%edi,%edx,1),%edi\n\tmovl\t56(%esp),%edx\n\taddl\t%ebp,%edi\n\n\tmovl\t%esi,%ebp\n\txorl\t(%esp),%edx\n\txorl\t%eax,%ebp\n\txorl\t24(%esp),%edx\n\txorl\t%ebx,%ebp\n\txorl\t44(%esp),%edx\n\troll\t$1,%edx\n\taddl\t%ebp,%ecx\n\trorl\t$2,%esi\n\tmovl\t%edi,%ebp\n\troll\t$5,%ebp\n\tmovl\t%edx,56(%esp)\n\tleal\t3395469782(%edx,%ecx,1),%edx\n\tmovl\t60(%esp),%ecx\n\taddl\t%ebp,%edx\n\n\tmovl\t%edi,%ebp\n\txorl\t4(%esp),%ecx\n\txorl\t%esi,%ebp\n\txorl\t28(%esp),%ecx\n\txorl\t%eax,%ebp\n\txorl\t48(%esp),%ecx\n\troll\t$1,%ecx\n\taddl\t%ebp,%ebx\n\trorl\t$2,%edi\n\tmovl\t%edx,%ebp\n\troll\t$5,%ebp\n\tmovl\t%ecx,60(%esp)\n\tleal\t3395469782(%ecx,%ebx,1),%ecx\n\tmovl\t(%esp),%ebx\n\taddl\t%ebp,%ecx\n\n\tmovl\t%edx,%ebp\n\txorl\t8(%esp),%ebx\n\txorl\t%edi,%ebp\n\txorl\t32(%esp),%ebx\n\txorl\t%esi,%ebp\n\txorl\t52(%esp),%ebx\n\troll\t$1,%ebx\n\taddl\t%ebp,%eax\n\trorl\t$2,%edx\n\tmovl\t%ecx,%ebp\n\troll\t$5,%ebp\n\tmovl\t%ebx,(%esp)\n\tleal\t3395469782(%ebx,%eax,1),%ebx\n\tmovl\t4(%esp),%eax\n\taddl\t%ebp,%ebx\n\n\tmovl\t%ecx,%ebp\n\txorl\t12(%esp),%eax\n\txorl\t%edx,%ebp\n\txorl\t36(%esp),%eax\n\txorl\t%edi,%ebp\n\txorl\t56(%esp),%eax\n\troll\t$1,%eax\n\taddl\t%ebp,%esi\n\trorl\t$2,%ecx\n\tmovl\t%ebx,%ebp\n\troll\t$5,%ebp\n\tmovl\t%eax,4(%esp)\n\tleal\t3395469782(%eax,%esi,1),%eax\n\tmovl\t8(%esp),%esi\n\taddl\t%ebp,%eax\n\n\tmovl\t%ebx,%ebp\n\txorl\t16(%esp),%esi\n\txorl\t%ecx,%ebp\n\txorl\t40(%esp),%esi\n\txorl\t%edx,%ebp\n\txorl\t60(%esp),%esi\n\troll\t$1,%esi\n\taddl\t%ebp,%edi\n\trorl\t$2,%ebx\n\tmovl\t%eax,%ebp\n\troll\t$5,%ebp\n\tmovl\t%esi,8(%esp)\n\tleal\t3395469782(%esi,%edi,1),%esi\n\tmovl\t12(%esp),%edi\n\taddl\t%ebp,%esi\n\n\tmovl\t%eax,%ebp\n\txorl\t20(%esp),%edi\n\txorl\t%ebx,%ebp\n\txorl\t44(%esp),%edi\n\txorl\t%ecx,%ebp\n\txorl\t(%esp),%edi\n\troll\t$1,%edi\n\taddl\t%ebp,%edx\n\trorl\t$2,%eax\n\tmovl\t%esi,%ebp\n\troll\t$5,%ebp\n\tmovl\t%edi,12(%esp)\n\tleal\t3395469782(%edi,%edx,1),%edi\n\tmovl\t16(%esp),%edx\n\taddl\t%ebp,%edi\n\n\tmovl\t%esi,%ebp\n\txorl\t24(%esp),%edx\n\txorl\t%eax,%ebp\n\txorl\t48(%esp),%edx\n\txorl\t%ebx,%ebp\n\txorl\t4(%esp),%edx\n\troll\t$1,%edx\n\taddl\t%ebp,%ecx\n\trorl\t$2,%esi\n\tmovl\t%edi,%ebp\n\troll\t$5,%ebp\n\tmovl\t%edx,16(%esp)\n\tleal\t3395469782(%edx,%ecx,1),%edx\n\tmovl\t20(%esp),%ecx\n\taddl\t%ebp,%edx\n\n\tmovl\t%edi,%ebp\n\txorl\t28(%esp),%ecx\n\txorl\t%esi,%ebp\n\txorl\t52(%esp),%ecx\n\txorl\t%eax,%ebp\n\txorl\t8(%esp),%ecx\n\troll\t$1,%ecx\n\taddl\t%ebp,%ebx\n\trorl\t$2,%edi\n\tmovl\t%edx,%ebp\n\troll\t$5,%ebp\n\tmovl\t%ecx,20(%esp)\n\tleal\t3395469782(%ecx,%ebx,1),%ecx\n\tmovl\t24(%esp),%ebx\n\taddl\t%ebp,%ecx\n\n\tmovl\t%edx,%ebp\n\txorl\t32(%esp),%ebx\n\txorl\t%edi,%ebp\n\txorl\t56(%esp),%ebx\n\txorl\t%esi,%ebp\n\txorl\t12(%esp),%ebx\n\troll\t$1,%ebx\n\taddl\t%ebp,%eax\n\trorl\t$2,%edx\n\tmovl\t%ecx,%ebp\n\troll\t$5,%ebp\n\tmovl\t%ebx,24(%esp)\n\tleal\t3395469782(%ebx,%eax,1),%ebx\n\tmovl\t28(%esp),%eax\n\taddl\t%ebp,%ebx\n\n\tmovl\t%ecx,%ebp\n\txorl\t36(%esp),%eax\n\txorl\t%edx,%ebp\n\txorl\t60(%esp),%eax\n\txorl\t%edi,%ebp\n\txorl\t16(%esp),%eax\n\troll\t$1,%eax\n\taddl\t%ebp,%esi\n\trorl\t$2,%ecx\n\tmovl\t%ebx,%ebp\n\troll\t$5,%ebp\n\tmovl\t%eax,28(%esp)\n\tleal\t3395469782(%eax,%esi,1),%eax\n\tmovl\t32(%esp),%esi\n\taddl\t%ebp,%eax\n\n\tmovl\t%ebx,%ebp\n\txorl\t40(%esp),%esi\n\txorl\t%ecx,%ebp\n\txorl\t(%esp),%esi\n\txorl\t%edx,%ebp\n\txorl\t20(%esp),%esi\n\troll\t$1,%esi\n\taddl\t%ebp,%edi\n\trorl\t$2,%ebx\n\tmovl\t%eax,%ebp\n\troll\t$5,%ebp\n\tmovl\t%esi,32(%esp)\n\tleal\t3395469782(%esi,%edi,1),%esi\n\tmovl\t36(%esp),%edi\n\taddl\t%ebp,%esi\n\n\tmovl\t%eax,%ebp\n\txorl\t44(%esp),%edi\n\txorl\t%ebx,%ebp\n\txorl\t4(%esp),%edi\n\txorl\t%ecx,%ebp\n\txorl\t24(%esp),%edi\n\troll\t$1,%edi\n\taddl\t%ebp,%edx\n\trorl\t$2,%eax\n\tmovl\t%esi,%ebp\n\troll\t$5,%ebp\n\tmovl\t%edi,36(%esp)\n\tleal\t3395469782(%edi,%edx,1),%edi\n\tmovl\t40(%esp),%edx\n\taddl\t%ebp,%edi\n\n\tmovl\t%esi,%ebp\n\txorl\t48(%esp),%edx\n\txorl\t%eax,%ebp\n\txorl\t8(%esp),%edx\n\txorl\t%ebx,%ebp\n\txorl\t28(%esp),%edx\n\troll\t$1,%edx\n\taddl\t%ebp,%ecx\n\trorl\t$2,%esi\n\tmovl\t%edi,%ebp\n\troll\t$5,%ebp\n\tmovl\t%edx,40(%esp)\n\tleal\t3395469782(%edx,%ecx,1),%edx\n\tmovl\t44(%esp),%ecx\n\taddl\t%ebp,%edx\n\n\tmovl\t%edi,%ebp\n\txorl\t52(%esp),%ecx\n\txorl\t%esi,%ebp\n\txorl\t12(%esp),%ecx\n\txorl\t%eax,%ebp\n\txorl\t32(%esp),%ecx\n\troll\t$1,%ecx\n\taddl\t%ebp,%ebx\n\trorl\t$2,%edi\n\tmovl\t%edx,%ebp\n\troll\t$5,%ebp\n\tmovl\t%ecx,44(%esp)\n\tleal\t3395469782(%ecx,%ebx,1),%ecx\n\tmovl\t48(%esp),%ebx\n\taddl\t%ebp,%ecx\n\n\tmovl\t%edx,%ebp\n\txorl\t56(%esp),%ebx\n\txorl\t%edi,%ebp\n\txorl\t16(%esp),%ebx\n\txorl\t%esi,%ebp\n\txorl\t36(%esp),%ebx\n\troll\t$1,%ebx\n\taddl\t%ebp,%eax\n\trorl\t$2,%edx\n\tmovl\t%ecx,%ebp\n\troll\t$5,%ebp\n\tmovl\t%ebx,48(%esp)\n\tleal\t3395469782(%ebx,%eax,1),%ebx\n\tmovl\t52(%esp),%eax\n\taddl\t%ebp,%ebx\n\n\tmovl\t%ecx,%ebp\n\txorl\t60(%esp),%eax\n\txorl\t%edx,%ebp\n\txorl\t20(%esp),%eax\n\txorl\t%edi,%ebp\n\txorl\t40(%esp),%eax\n\troll\t$1,%eax\n\taddl\t%ebp,%esi\n\trorl\t$2,%ecx\n\tmovl\t%ebx,%ebp\n\troll\t$5,%ebp\n\tleal\t3395469782(%eax,%esi,1),%eax\n\tmovl\t56(%esp),%esi\n\taddl\t%ebp,%eax\n\n\tmovl\t%ebx,%ebp\n\txorl\t(%esp),%esi\n\txorl\t%ecx,%ebp\n\txorl\t24(%esp),%esi\n\txorl\t%edx,%ebp\n\txorl\t44(%esp),%esi\n\troll\t$1,%esi\n\taddl\t%ebp,%edi\n\trorl\t$2,%ebx\n\tmovl\t%eax,%ebp\n\troll\t$5,%ebp\n\tleal\t3395469782(%esi,%edi,1),%esi\n\tmovl\t60(%esp),%edi\n\taddl\t%ebp,%esi\n\n\tmovl\t%eax,%ebp\n\txorl\t4(%esp),%edi\n\txorl\t%ebx,%ebp\n\txorl\t28(%esp),%edi\n\txorl\t%ecx,%ebp\n\txorl\t48(%esp),%edi\n\troll\t$1,%edi\n\taddl\t%ebp,%edx\n\trorl\t$2,%eax\n\tmovl\t%esi,%ebp\n\troll\t$5,%ebp\n\tleal\t3395469782(%edi,%edx,1),%edi\n\taddl\t%ebp,%edi\n\tmovl\t96(%esp),%ebp\n\tmovl\t100(%esp),%edx\n\taddl\t(%ebp),%edi\n\taddl\t4(%ebp),%esi\n\taddl\t8(%ebp),%eax\n\taddl\t12(%ebp),%ebx\n\taddl\t16(%ebp),%ecx\n\tmovl\t%edi,(%ebp)\n\taddl\t$64,%edx\n\tmovl\t%esi,4(%ebp)\n\tcmpl\t104(%esp),%edx\n\tmovl\t%eax,8(%ebp)\n\tmovl\t%ecx,%edi\n\tmovl\t%ebx,12(%ebp)\n\tmovl\t%edx,%esi\n\tmovl\t%ecx,16(%ebp)\n\tjb\t.L000loop\n\taddl\t$76,%esp\n\tpopl\t%edi\n\tpopl\t%esi\n\tpopl\t%ebx\n\tpopl\t%ebp\n\tret\n.size\tsha1_block_data_order_nohw,.-.L_sha1_block_data_order_nohw_begin\n.globl\tsha1_block_data_order_ssse3\n.hidden\tsha1_block_data_order_ssse3\n.type\tsha1_block_data_order_ssse3,@function\n.align\t16\nsha1_block_data_order_ssse3:\n.L_sha1_block_data_order_ssse3_begin:\n\tpushl\t%ebp\n\tpushl\t%ebx\n\tpushl\t%esi\n\tpushl\t%edi\n\tcall\t.L001pic_point\n.L001pic_point:\n\tpopl\t%ebp\n\tleal\t.LK_XX_XX-.L001pic_point(%ebp),%ebp\n\tmovdqa\t(%ebp),%xmm7\n\tmovdqa\t16(%ebp),%xmm0\n\tmovdqa\t32(%ebp),%xmm1\n\tmovdqa\t48(%ebp),%xmm2\n\tmovdqa\t64(%ebp),%xmm6\n\tmovl\t20(%esp),%edi\n\tmovl\t24(%esp),%ebp\n\tmovl\t28(%esp),%edx\n\tmovl\t%esp,%esi\n\tsubl\t$208,%esp\n\tandl\t$-64,%esp\n\tmovdqa\t%xmm0,112(%esp)\n\tmovdqa\t%xmm1,128(%esp)\n\tmovdqa\t%xmm2,144(%esp)\n\tshll\t$6,%edx\n\tmovdqa\t%xmm7,160(%esp)\n\taddl\t%ebp,%edx\n\tmovdqa\t%xmm6,176(%esp)\n\taddl\t$64,%ebp\n\tmovl\t%edi,192(%esp)\n\tmovl\t%ebp,196(%esp)\n\tmovl\t%edx,200(%esp)\n\tmovl\t%esi,204(%esp)\n\tmovl\t(%edi),%eax\n\tmovl\t4(%edi),%ebx\n\tmovl\t8(%edi),%ecx\n\tmovl\t12(%edi),%edx\n\tmovl\t16(%edi),%edi\n\tmovl\t%ebx,%esi\n\tmovdqu\t-64(%ebp),%xmm0\n\tmovdqu\t-48(%ebp),%xmm1\n\tmovdqu\t-32(%ebp),%xmm2\n\tmovdqu\t-16(%ebp),%xmm3\n.byte\t102,15,56,0,198\n.byte\t102,15,56,0,206\n.byte\t102,15,56,0,214\n\tmovdqa\t%xmm7,96(%esp)\n.byte\t102,15,56,0,222\n\tpaddd\t%xmm7,%xmm0\n\tpaddd\t%xmm7,%xmm1\n\tpaddd\t%xmm7,%xmm2\n\tmovdqa\t%xmm0,(%esp)\n\tpsubd\t%xmm7,%xmm0\n\tmovdqa\t%xmm1,16(%esp)\n\tpsubd\t%xmm7,%xmm1\n\tmovdqa\t%xmm2,32(%esp)\n\tmovl\t%ecx,%ebp\n\tpsubd\t%xmm7,%xmm2\n\txorl\t%edx,%ebp\n\tpshufd\t$238,%xmm0,%xmm4\n\tandl\t%ebp,%esi\n\tjmp\t.L002loop\n.align\t16\n.L002loop:\n\trorl\t$2,%ebx\n\txorl\t%edx,%esi\n\tmovl\t%eax,%ebp\n\tpunpcklqdq\t%xmm1,%xmm4\n\tmovdqa\t%xmm3,%xmm6\n\taddl\t(%esp),%edi\n\txorl\t%ecx,%ebx\n\tpaddd\t%xmm3,%xmm7\n\tmovdqa\t%xmm0,64(%esp)\n\troll\t$5,%eax\n\taddl\t%esi,%edi\n\tpsrldq\t$4,%xmm6\n\tandl\t%ebx,%ebp\n\txorl\t%ecx,%ebx\n\tpxor\t%xmm0,%xmm4\n\taddl\t%eax,%edi\n\trorl\t$7,%eax\n\tpxor\t%xmm2,%xmm6\n\txorl\t%ecx,%ebp\n\tmovl\t%edi,%esi\n\taddl\t4(%esp),%edx\n\tpxor\t%xmm6,%xmm4\n\txorl\t%ebx,%eax\n\troll\t$5,%edi\n\tmovdqa\t%xmm7,48(%esp)\n\taddl\t%ebp,%edx\n\tandl\t%eax,%esi\n\tmovdqa\t%xmm4,%xmm0\n\txorl\t%ebx,%eax\n\taddl\t%edi,%edx\n\trorl\t$7,%edi\n\tmovdqa\t%xmm4,%xmm6\n\txorl\t%ebx,%esi\n\tpslldq\t$12,%xmm0\n\tpaddd\t%xmm4,%xmm4\n\tmovl\t%edx,%ebp\n\taddl\t8(%esp),%ecx\n\tpsrld\t$31,%xmm6\n\txorl\t%eax,%edi\n\troll\t$5,%edx\n\tmovdqa\t%xmm0,%xmm7\n\taddl\t%esi,%ecx\n\tandl\t%edi,%ebp\n\txorl\t%eax,%edi\n\tpsrld\t$30,%xmm0\n\taddl\t%edx,%ecx\n\trorl\t$7,%edx\n\tpor\t%xmm6,%xmm4\n\txorl\t%eax,%ebp\n\tmovl\t%ecx,%esi\n\taddl\t12(%esp),%ebx\n\tpslld\t$2,%xmm7\n\txorl\t%edi,%edx\n\troll\t$5,%ecx\n\tpxor\t%xmm0,%xmm4\n\tmovdqa\t96(%esp),%xmm0\n\taddl\t%ebp,%ebx\n\tandl\t%edx,%esi\n\tpxor\t%xmm7,%xmm4\n\tpshufd\t$238,%xmm1,%xmm5\n\txorl\t%edi,%edx\n\taddl\t%ecx,%ebx\n\trorl\t$7,%ecx\n\txorl\t%edi,%esi\n\tmovl\t%ebx,%ebp\n\tpunpcklqdq\t%xmm2,%xmm5\n\tmovdqa\t%xmm4,%xmm7\n\taddl\t16(%esp),%eax\n\txorl\t%edx,%ecx\n\tpaddd\t%xmm4,%xmm0\n\tmovdqa\t%xmm1,80(%esp)\n\troll\t$5,%ebx\n\taddl\t%esi,%eax\n\tpsrldq\t$4,%xmm7\n\tandl\t%ecx,%ebp\n\txorl\t%edx,%ecx\n\tpxor\t%xmm1,%xmm5\n\taddl\t%ebx,%eax\n\trorl\t$7,%ebx\n\tpxor\t%xmm3,%xmm7\n\txorl\t%edx,%ebp\n\tmovl\t%eax,%esi\n\taddl\t20(%esp),%edi\n\tpxor\t%xmm7,%xmm5\n\txorl\t%ecx,%ebx\n\troll\t$5,%eax\n\tmovdqa\t%xmm0,(%esp)\n\taddl\t%ebp,%edi\n\tandl\t%ebx,%esi\n\tmovdqa\t%xmm5,%xmm1\n\txorl\t%ecx,%ebx\n\taddl\t%eax,%edi\n\trorl\t$7,%eax\n\tmovdqa\t%xmm5,%xmm7\n\txorl\t%ecx,%esi\n\tpslldq\t$12,%xmm1\n\tpaddd\t%xmm5,%xmm5\n\tmovl\t%edi,%ebp\n\taddl\t24(%esp),%edx\n\tpsrld\t$31,%xmm7\n\txorl\t%ebx,%eax\n\troll\t$5,%edi\n\tmovdqa\t%xmm1,%xmm0\n\taddl\t%esi,%edx\n\tandl\t%eax,%ebp\n\txorl\t%ebx,%eax\n\tpsrld\t$30,%xmm1\n\taddl\t%edi,%edx\n\trorl\t$7,%edi\n\tpor\t%xmm7,%xmm5\n\txorl\t%ebx,%ebp\n\tmovl\t%edx,%esi\n\taddl\t28(%esp),%ecx\n\tpslld\t$2,%xmm0\n\txorl\t%eax,%edi\n\troll\t$5,%edx\n\tpxor\t%xmm1,%xmm5\n\tmovdqa\t112(%esp),%xmm1\n\taddl\t%ebp,%ecx\n\tandl\t%edi,%esi\n\tpxor\t%xmm0,%xmm5\n\tpshufd\t$238,%xmm2,%xmm6\n\txorl\t%eax,%edi\n\taddl\t%edx,%ecx\n\trorl\t$7,%edx\n\txorl\t%eax,%esi\n\tmovl\t%ecx,%ebp\n\tpunpcklqdq\t%xmm3,%xmm6\n\tmovdqa\t%xmm5,%xmm0\n\taddl\t32(%esp),%ebx\n\txorl\t%edi,%edx\n\tpaddd\t%xmm5,%xmm1\n\tmovdqa\t%xmm2,96(%esp)\n\troll\t$5,%ecx\n\taddl\t%esi,%ebx\n\tpsrldq\t$4,%xmm0\n\tandl\t%edx,%ebp\n\txorl\t%edi,%edx\n\tpxor\t%xmm2,%xmm6\n\taddl\t%ecx,%ebx\n\trorl\t$7,%ecx\n\tpxor\t%xmm4,%xmm0\n\txorl\t%edi,%ebp\n\tmovl\t%ebx,%esi\n\taddl\t36(%esp),%eax\n\tpxor\t%xmm0,%xmm6\n\txorl\t%edx,%ecx\n\troll\t$5,%ebx\n\tmovdqa\t%xmm1,16(%esp)\n\taddl\t%ebp,%eax\n\tandl\t%ecx,%esi\n\tmovdqa\t%xmm6,%xmm2\n\txorl\t%edx,%ecx\n\taddl\t%ebx,%eax\n\trorl\t$7,%ebx\n\tmovdqa\t%xmm6,%xmm0\n\txorl\t%edx,%esi\n\tpslldq\t$12,%xmm2\n\tpaddd\t%xmm6,%xmm6\n\tmovl\t%eax,%ebp\n\taddl\t40(%esp),%edi\n\tpsrld\t$31,%xmm0\n\txorl\t%ecx,%ebx\n\troll\t$5,%eax\n\tmovdqa\t%xmm2,%xmm1\n\taddl\t%esi,%edi\n\tandl\t%ebx,%ebp\n\txorl\t%ecx,%ebx\n\tpsrld\t$30,%xmm2\n\taddl\t%eax,%edi\n\trorl\t$7,%eax\n\tpor\t%xmm0,%xmm6\n\txorl\t%ecx,%ebp\n\tmovdqa\t64(%esp),%xmm0\n\tmovl\t%edi,%esi\n\taddl\t44(%esp),%edx\n\tpslld\t$2,%xmm1\n\txorl\t%ebx,%eax\n\troll\t$5,%edi\n\tpxor\t%xmm2,%xmm6\n\tmovdqa\t112(%esp),%xmm2\n\taddl\t%ebp,%edx\n\tandl\t%eax,%esi\n\tpxor\t%xmm1,%xmm6\n\tpshufd\t$238,%xmm3,%xmm7\n\txorl\t%ebx,%eax\n\taddl\t%edi,%edx\n\trorl\t$7,%edi\n\txorl\t%ebx,%esi\n\tmovl\t%edx,%ebp\n\tpunpcklqdq\t%xmm4,%xmm7\n\tmovdqa\t%xmm6,%xmm1\n\taddl\t48(%esp),%ecx\n\txorl\t%eax,%edi\n\tpaddd\t%xmm6,%xmm2\n\tmovdqa\t%xmm3,64(%esp)\n\troll\t$5,%edx\n\taddl\t%esi,%ecx\n\tpsrldq\t$4,%xmm1\n\tandl\t%edi,%ebp\n\txorl\t%eax,%edi\n\tpxor\t%xmm3,%xmm7\n\taddl\t%edx,%ecx\n\trorl\t$7,%edx\n\tpxor\t%xmm5,%xmm1\n\txorl\t%eax,%ebp\n\tmovl\t%ecx,%esi\n\taddl\t52(%esp),%ebx\n\tpxor\t%xmm1,%xmm7\n\txorl\t%edi,%edx\n\troll\t$5,%ecx\n\tmovdqa\t%xmm2,32(%esp)\n\taddl\t%ebp,%ebx\n\tandl\t%edx,%esi\n\tmovdqa\t%xmm7,%xmm3\n\txorl\t%edi,%edx\n\taddl\t%ecx,%ebx\n\trorl\t$7,%ecx\n\tmovdqa\t%xmm7,%xmm1\n\txorl\t%edi,%esi\n\tpslldq\t$12,%xmm3\n\tpaddd\t%xmm7,%xmm7\n\tmovl\t%ebx,%ebp\n\taddl\t56(%esp),%eax\n\tpsrld\t$31,%xmm1\n\txorl\t%edx,%ecx\n\troll\t$5,%ebx\n\tmovdqa\t%xmm3,%xmm2\n\taddl\t%esi,%eax\n\tandl\t%ecx,%ebp\n\txorl\t%edx,%ecx\n\tpsrld\t$30,%xmm3\n\taddl\t%ebx,%eax\n\trorl\t$7,%ebx\n\tpor\t%xmm1,%xmm7\n\txorl\t%edx,%ebp\n\tmovdqa\t80(%esp),%xmm1\n\tmovl\t%eax,%esi\n\taddl\t60(%esp),%edi\n\tpslld\t$2,%xmm2\n\txorl\t%ecx,%ebx\n\troll\t$5,%eax\n\tpxor\t%xmm3,%xmm7\n\tmovdqa\t112(%esp),%xmm3\n\taddl\t%ebp,%edi\n\tandl\t%ebx,%esi\n\tpxor\t%xmm2,%xmm7\n\tpshufd\t$238,%xmm6,%xmm2\n\txorl\t%ecx,%ebx\n\taddl\t%eax,%edi\n\trorl\t$7,%eax\n\tpxor\t%xmm4,%xmm0\n\tpunpcklqdq\t%xmm7,%xmm2\n\txorl\t%ecx,%esi\n\tmovl\t%edi,%ebp\n\taddl\t(%esp),%edx\n\tpxor\t%xmm1,%xmm0\n\tmovdqa\t%xmm4,80(%esp)\n\txorl\t%ebx,%eax\n\troll\t$5,%edi\n\tmovdqa\t%xmm3,%xmm4\n\taddl\t%esi,%edx\n\tpaddd\t%xmm7,%xmm3\n\tandl\t%eax,%ebp\n\tpxor\t%xmm2,%xmm0\n\txorl\t%ebx,%eax\n\taddl\t%edi,%edx\n\trorl\t$7,%edi\n\txorl\t%ebx,%ebp\n\tmovdqa\t%xmm0,%xmm2\n\tmovdqa\t%xmm3,48(%esp)\n\tmovl\t%edx,%esi\n\taddl\t4(%esp),%ecx\n\txorl\t%eax,%edi\n\troll\t$5,%edx\n\tpslld\t$2,%xmm0\n\taddl\t%ebp,%ecx\n\tandl\t%edi,%esi\n\tpsrld\t$30,%xmm2\n\txorl\t%eax,%edi\n\taddl\t%edx,%ecx\n\trorl\t$7,%edx\n\txorl\t%eax,%esi\n\tmovl\t%ecx,%ebp\n\taddl\t8(%esp),%ebx\n\txorl\t%edi,%edx\n\troll\t$5,%ecx\n\tpor\t%xmm2,%xmm0\n\taddl\t%esi,%ebx\n\tandl\t%edx,%ebp\n\tmovdqa\t96(%esp),%xmm2\n\txorl\t%edi,%edx\n\taddl\t%ecx,%ebx\n\taddl\t12(%esp),%eax\n\txorl\t%edi,%ebp\n\tmovl\t%ebx,%esi\n\tpshufd\t$238,%xmm7,%xmm3\n\troll\t$5,%ebx\n\taddl\t%ebp,%eax\n\txorl\t%edx,%esi\n\trorl\t$7,%ecx\n\taddl\t%ebx,%eax\n\taddl\t16(%esp),%edi\n\tpxor\t%xmm5,%xmm1\n\tpunpcklqdq\t%xmm0,%xmm3\n\txorl\t%ecx,%esi\n\tmovl\t%eax,%ebp\n\troll\t$5,%eax\n\tpxor\t%xmm2,%xmm1\n\tmovdqa\t%xmm5,96(%esp)\n\taddl\t%esi,%edi\n\txorl\t%ecx,%ebp\n\tmovdqa\t%xmm4,%xmm5\n\trorl\t$7,%ebx\n\tpaddd\t%xmm0,%xmm4\n\taddl\t%eax,%edi\n\tpxor\t%xmm3,%xmm1\n\taddl\t20(%esp),%edx\n\txorl\t%ebx,%ebp\n\tmovl\t%edi,%esi\n\troll\t$5,%edi\n\tmovdqa\t%xmm1,%xmm3\n\tmovdqa\t%xmm4,(%esp)\n\taddl\t%ebp,%edx\n\txorl\t%ebx,%esi\n\trorl\t$7,%eax\n\taddl\t%edi,%edx\n\tpslld\t$2,%xmm1\n\taddl\t24(%esp),%ecx\n\txorl\t%eax,%esi\n\tpsrld\t$30,%xmm3\n\tmovl\t%edx,%ebp\n\troll\t$5,%edx\n\taddl\t%esi,%ecx\n\txorl\t%eax,%ebp\n\trorl\t$7,%edi\n\taddl\t%edx,%ecx\n\tpor\t%xmm3,%xmm1\n\taddl\t28(%esp),%ebx\n\txorl\t%edi,%ebp\n\tmovdqa\t64(%esp),%xmm3\n\tmovl\t%ecx,%esi\n\troll\t$5,%ecx\n\taddl\t%ebp,%ebx\n\txorl\t%edi,%esi\n\trorl\t$7,%edx\n\tpshufd\t$238,%xmm0,%xmm4\n\taddl\t%ecx,%ebx\n\taddl\t32(%esp),%eax\n\tpxor\t%xmm6,%xmm2\n\tpunpcklqdq\t%xmm1,%xmm4\n\txorl\t%edx,%esi\n\tmovl\t%ebx,%ebp\n\troll\t$5,%ebx\n\tpxor\t%xmm3,%xmm2\n\tmovdqa\t%xmm6,64(%esp)\n\taddl\t%esi,%eax\n\txorl\t%edx,%ebp\n\tmovdqa\t128(%esp),%xmm6\n\trorl\t$7,%ecx\n\tpaddd\t%xmm1,%xmm5\n\taddl\t%ebx,%eax\n\tpxor\t%xmm4,%xmm2\n\taddl\t36(%esp),%edi\n\txorl\t%ecx,%ebp\n\tmovl\t%eax,%esi\n\troll\t$5,%eax\n\tmovdqa\t%xmm2,%xmm4\n\tmovdqa\t%xmm5,16(%esp)\n\taddl\t%ebp,%edi\n\txorl\t%ecx,%esi\n\trorl\t$7,%ebx\n\taddl\t%eax,%edi\n\tpslld\t$2,%xmm2\n\taddl\t40(%esp),%edx\n\txorl\t%ebx,%esi\n\tpsrld\t$30,%xmm4\n\tmovl\t%edi,%ebp\n\troll\t$5,%edi\n\taddl\t%esi,%edx\n\txorl\t%ebx,%ebp\n\trorl\t$7,%eax\n\taddl\t%edi,%edx\n\tpor\t%xmm4,%xmm2\n\taddl\t44(%esp),%ecx\n\txorl\t%eax,%ebp\n\tmovdqa\t80(%esp),%xmm4\n\tmovl\t%edx,%esi\n\troll\t$5,%edx\n\taddl\t%ebp,%ecx\n\txorl\t%eax,%esi\n\trorl\t$7,%edi\n\tpshufd\t$238,%xmm1,%xmm5\n\taddl\t%edx,%ecx\n\taddl\t48(%esp),%ebx\n\tpxor\t%xmm7,%xmm3\n\tpunpcklqdq\t%xmm2,%xmm5\n\txorl\t%edi,%esi\n\tmovl\t%ecx,%ebp\n\troll\t$5,%ecx\n\tpxor\t%xmm4,%xmm3\n\tmovdqa\t%xmm7,80(%esp)\n\taddl\t%esi,%ebx\n\txorl\t%edi,%ebp\n\tmovdqa\t%xmm6,%xmm7\n\trorl\t$7,%edx\n\tpaddd\t%xmm2,%xmm6\n\taddl\t%ecx,%ebx\n\tpxor\t%xmm5,%xmm3\n\taddl\t52(%esp),%eax\n\txorl\t%edx,%ebp\n\tmovl\t%ebx,%esi\n\troll\t$5,%ebx\n\tmovdqa\t%xmm3,%xmm5\n\tmovdqa\t%xmm6,32(%esp)\n\taddl\t%ebp,%eax\n\txorl\t%edx,%esi\n\trorl\t$7,%ecx\n\taddl\t%ebx,%eax\n\tpslld\t$2,%xmm3\n\taddl\t56(%esp),%edi\n\txorl\t%ecx,%esi\n\tpsrld\t$30,%xmm5\n\tmovl\t%eax,%ebp\n\troll\t$5,%eax\n\taddl\t%esi,%edi\n\txorl\t%ecx,%ebp\n\trorl\t$7,%ebx\n\taddl\t%eax,%edi\n\tpor\t%xmm5,%xmm3\n\taddl\t60(%esp),%edx\n\txorl\t%ebx,%ebp\n\tmovdqa\t96(%esp),%xmm5\n\tmovl\t%edi,%esi\n\troll\t$5,%edi\n\taddl\t%ebp,%edx\n\txorl\t%ebx,%esi\n\trorl\t$7,%eax\n\tpshufd\t$238,%xmm2,%xmm6\n\taddl\t%edi,%edx\n\taddl\t(%esp),%ecx\n\tpxor\t%xmm0,%xmm4\n\tpunpcklqdq\t%xmm3,%xmm6\n\txorl\t%eax,%esi\n\tmovl\t%edx,%ebp\n\troll\t$5,%edx\n\tpxor\t%xmm5,%xmm4\n\tmovdqa\t%xmm0,96(%esp)\n\taddl\t%esi,%ecx\n\txorl\t%eax,%ebp\n\tmovdqa\t%xmm7,%xmm0\n\trorl\t$7,%edi\n\tpaddd\t%xmm3,%xmm7\n\taddl\t%edx,%ecx\n\tpxor\t%xmm6,%xmm4\n\taddl\t4(%esp),%ebx\n\txorl\t%edi,%ebp\n\tmovl\t%ecx,%esi\n\troll\t$5,%ecx\n\tmovdqa\t%xmm4,%xmm6\n\tmovdqa\t%xmm7,48(%esp)\n\taddl\t%ebp,%ebx\n\txorl\t%edi,%esi\n\trorl\t$7,%edx\n\taddl\t%ecx,%ebx\n\tpslld\t$2,%xmm4\n\taddl\t8(%esp),%eax\n\txorl\t%edx,%esi\n\tpsrld\t$30,%xmm6\n\tmovl\t%ebx,%ebp\n\troll\t$5,%ebx\n\taddl\t%esi,%eax\n\txorl\t%edx,%ebp\n\trorl\t$7,%ecx\n\taddl\t%ebx,%eax\n\tpor\t%xmm6,%xmm4\n\taddl\t12(%esp),%edi\n\txorl\t%ecx,%ebp\n\tmovdqa\t64(%esp),%xmm6\n\tmovl\t%eax,%esi\n\troll\t$5,%eax\n\taddl\t%ebp,%edi\n\txorl\t%ecx,%esi\n\trorl\t$7,%ebx\n\tpshufd\t$238,%xmm3,%xmm7\n\taddl\t%eax,%edi\n\taddl\t16(%esp),%edx\n\tpxor\t%xmm1,%xmm5\n\tpunpcklqdq\t%xmm4,%xmm7\n\txorl\t%ebx,%esi\n\tmovl\t%edi,%ebp\n\troll\t$5,%edi\n\tpxor\t%xmm6,%xmm5\n\tmovdqa\t%xmm1,64(%esp)\n\taddl\t%esi,%edx\n\txorl\t%ebx,%ebp\n\tmovdqa\t%xmm0,%xmm1\n\trorl\t$7,%eax\n\tpaddd\t%xmm4,%xmm0\n\taddl\t%edi,%edx\n\tpxor\t%xmm7,%xmm5\n\taddl\t20(%esp),%ecx\n\txorl\t%eax,%ebp\n\tmovl\t%edx,%esi\n\troll\t$5,%edx\n\tmovdqa\t%xmm5,%xmm7\n\tmovdqa\t%xmm0,(%esp)\n\taddl\t%ebp,%ecx\n\txorl\t%eax,%esi\n\trorl\t$7,%edi\n\taddl\t%edx,%ecx\n\tpslld\t$2,%xmm5\n\taddl\t24(%esp),%ebx\n\txorl\t%edi,%esi\n\tpsrld\t$30,%xmm7\n\tmovl\t%ecx,%ebp\n\troll\t$5,%ecx\n\taddl\t%esi,%ebx\n\txorl\t%edi,%ebp\n\trorl\t$7,%edx\n\taddl\t%ecx,%ebx\n\tpor\t%xmm7,%xmm5\n\taddl\t28(%esp),%eax\n\tmovdqa\t80(%esp),%xmm7\n\trorl\t$7,%ecx\n\tmovl\t%ebx,%esi\n\txorl\t%edx,%ebp\n\troll\t$5,%ebx\n\tpshufd\t$238,%xmm4,%xmm0\n\taddl\t%ebp,%eax\n\txorl\t%ecx,%esi\n\txorl\t%edx,%ecx\n\taddl\t%ebx,%eax\n\taddl\t32(%esp),%edi\n\tpxor\t%xmm2,%xmm6\n\tpunpcklqdq\t%xmm5,%xmm0\n\tandl\t%ecx,%esi\n\txorl\t%edx,%ecx\n\trorl\t$7,%ebx\n\tpxor\t%xmm7,%xmm6\n\tmovdqa\t%xmm2,80(%esp)\n\tmovl\t%eax,%ebp\n\txorl\t%ecx,%esi\n\troll\t$5,%eax\n\tmovdqa\t%xmm1,%xmm2\n\taddl\t%esi,%edi\n\tpaddd\t%xmm5,%xmm1\n\txorl\t%ebx,%ebp\n\tpxor\t%xmm0,%xmm6\n\txorl\t%ecx,%ebx\n\taddl\t%eax,%edi\n\taddl\t36(%esp),%edx\n\tandl\t%ebx,%ebp\n\tmovdqa\t%xmm6,%xmm0\n\tmovdqa\t%xmm1,16(%esp)\n\txorl\t%ecx,%ebx\n\trorl\t$7,%eax\n\tmovl\t%edi,%esi\n\txorl\t%ebx,%ebp\n\troll\t$5,%edi\n\tpslld\t$2,%xmm6\n\taddl\t%ebp,%edx\n\txorl\t%eax,%esi\n\tpsrld\t$30,%xmm0\n\txorl\t%ebx,%eax\n\taddl\t%edi,%edx\n\taddl\t40(%esp),%ecx\n\tandl\t%eax,%esi\n\txorl\t%ebx,%eax\n\trorl\t$7,%edi\n\tpor\t%xmm0,%xmm6\n\tmovl\t%edx,%ebp\n\txorl\t%eax,%esi\n\tmovdqa\t96(%esp),%xmm0\n\troll\t$5,%edx\n\taddl\t%esi,%ecx\n\txorl\t%edi,%ebp\n\txorl\t%eax,%edi\n\taddl\t%edx,%ecx\n\tpshufd\t$238,%xmm5,%xmm1\n\taddl\t44(%esp),%ebx\n\tandl\t%edi,%ebp\n\txorl\t%eax,%edi\n\trorl\t$7,%edx\n\tmovl\t%ecx,%esi\n\txorl\t%edi,%ebp\n\troll\t$5,%ecx\n\taddl\t%ebp,%ebx\n\txorl\t%edx,%esi\n\txorl\t%edi,%edx\n\taddl\t%ecx,%ebx\n\taddl\t48(%esp),%eax\n\tpxor\t%xmm3,%xmm7\n\tpunpcklqdq\t%xmm6,%xmm1\n\tandl\t%edx,%esi\n\txorl\t%edi,%edx\n\trorl\t$7,%ecx\n\tpxor\t%xmm0,%xmm7\n\tmovdqa\t%xmm3,96(%esp)\n\tmovl\t%ebx,%ebp\n\txorl\t%edx,%esi\n\troll\t$5,%ebx\n\tmovdqa\t144(%esp),%xmm3\n\taddl\t%esi,%eax\n\tpaddd\t%xmm6,%xmm2\n\txorl\t%ecx,%ebp\n\tpxor\t%xmm1,%xmm7\n\txorl\t%edx,%ecx\n\taddl\t%ebx,%eax\n\taddl\t52(%esp),%edi\n\tandl\t%ecx,%ebp\n\tmovdqa\t%xmm7,%xmm1\n\tmovdqa\t%xmm2,32(%esp)\n\txorl\t%edx,%ecx\n\trorl\t$7,%ebx\n\tmovl\t%eax,%esi\n\txorl\t%ecx,%ebp\n\troll\t$5,%eax\n\tpslld\t$2,%xmm7\n\taddl\t%ebp,%edi\n\txorl\t%ebx,%esi\n\tpsrld\t$30,%xmm1\n\txorl\t%ecx,%ebx\n\taddl\t%eax,%edi\n\taddl\t56(%esp),%edx\n\tandl\t%ebx,%esi\n\txorl\t%ecx,%ebx\n\trorl\t$7,%eax\n\tpor\t%xmm1,%xmm7\n\tmovl\t%edi,%ebp\n\txorl\t%ebx,%esi\n\tmovdqa\t64(%esp),%xmm1\n\troll\t$5,%edi\n\taddl\t%esi,%edx\n\txorl\t%eax,%ebp\n\txorl\t%ebx,%eax\n\taddl\t%edi,%edx\n\tpshufd\t$238,%xmm6,%xmm2\n\taddl\t60(%esp),%ecx\n\tandl\t%eax,%ebp\n\txorl\t%ebx,%eax\n\trorl\t$7,%edi\n\tmovl\t%edx,%esi\n\txorl\t%eax,%ebp\n\troll\t$5,%edx\n\taddl\t%ebp,%ecx\n\txorl\t%edi,%esi\n\txorl\t%eax,%edi\n\taddl\t%edx,%ecx\n\taddl\t(%esp),%ebx\n\tpxor\t%xmm4,%xmm0\n\tpunpcklqdq\t%xmm7,%xmm2\n\tandl\t%edi,%esi\n\txorl\t%eax,%edi\n\trorl\t$7,%edx\n\tpxor\t%xmm1,%xmm0\n\tmovdqa\t%xmm4,64(%esp)\n\tmovl\t%ecx,%ebp\n\txorl\t%edi,%esi\n\troll\t$5,%ecx\n\tmovdqa\t%xmm3,%xmm4\n\taddl\t%esi,%ebx\n\tpaddd\t%xmm7,%xmm3\n\txorl\t%edx,%ebp\n\tpxor\t%xmm2,%xmm0\n\txorl\t%edi,%edx\n\taddl\t%ecx,%ebx\n\taddl\t4(%esp),%eax\n\tandl\t%edx,%ebp\n\tmovdqa\t%xmm0,%xmm2\n\tmovdqa\t%xmm3,48(%esp)\n\txorl\t%edi,%edx\n\trorl\t$7,%ecx\n\tmovl\t%ebx,%esi\n\txorl\t%edx,%ebp\n\troll\t$5,%ebx\n\tpslld\t$2,%xmm0\n\taddl\t%ebp,%eax\n\txorl\t%ecx,%esi\n\tpsrld\t$30,%xmm2\n\txorl\t%edx,%ecx\n\taddl\t%ebx,%eax\n\taddl\t8(%esp),%edi\n\tandl\t%ecx,%esi\n\txorl\t%edx,%ecx\n\trorl\t$7,%ebx\n\tpor\t%xmm2,%xmm0\n\tmovl\t%eax,%ebp\n\txorl\t%ecx,%esi\n\tmovdqa\t80(%esp),%xmm2\n\troll\t$5,%eax\n\taddl\t%esi,%edi\n\txorl\t%ebx,%ebp\n\txorl\t%ecx,%ebx\n\taddl\t%eax,%edi\n\tpshufd\t$238,%xmm7,%xmm3\n\taddl\t12(%esp),%edx\n\tandl\t%ebx,%ebp\n\txorl\t%ecx,%ebx\n\trorl\t$7,%eax\n\tmovl\t%edi,%esi\n\txorl\t%ebx,%ebp\n\troll\t$5,%edi\n\taddl\t%ebp,%edx\n\txorl\t%eax,%esi\n\txorl\t%ebx,%eax\n\taddl\t%edi,%edx\n\taddl\t16(%esp),%ecx\n\tpxor\t%xmm5,%xmm1\n\tpunpcklqdq\t%xmm0,%xmm3\n\tandl\t%eax,%esi\n\txorl\t%ebx,%eax\n\trorl\t$7,%edi\n\tpxor\t%xmm2,%xmm1\n\tmovdqa\t%xmm5,80(%esp)\n\tmovl\t%edx,%ebp\n\txorl\t%eax,%esi\n\troll\t$5,%edx\n\tmovdqa\t%xmm4,%xmm5\n\taddl\t%esi,%ecx\n\tpaddd\t%xmm0,%xmm4\n\txorl\t%edi,%ebp\n\tpxor\t%xmm3,%xmm1\n\txorl\t%eax,%edi\n\taddl\t%edx,%ecx\n\taddl\t20(%esp),%ebx\n\tandl\t%edi,%ebp\n\tmovdqa\t%xmm1,%xmm3\n\tmovdqa\t%xmm4,(%esp)\n\txorl\t%eax,%edi\n\trorl\t$7,%edx\n\tmovl\t%ecx,%esi\n\txorl\t%edi,%ebp\n\troll\t$5,%ecx\n\tpslld\t$2,%xmm1\n\taddl\t%ebp,%ebx\n\txorl\t%edx,%esi\n\tpsrld\t$30,%xmm3\n\txorl\t%edi,%edx\n\taddl\t%ecx,%ebx\n\taddl\t24(%esp),%eax\n\tandl\t%edx,%esi\n\txorl\t%edi,%edx\n\trorl\t$7,%ecx\n\tpor\t%xmm3,%xmm1\n\tmovl\t%ebx,%ebp\n\txorl\t%edx,%esi\n\tmovdqa\t96(%esp),%xmm3\n\troll\t$5,%ebx\n\taddl\t%esi,%eax\n\txorl\t%ecx,%ebp\n\txorl\t%edx,%ecx\n\taddl\t%ebx,%eax\n\tpshufd\t$238,%xmm0,%xmm4\n\taddl\t28(%esp),%edi\n\tandl\t%ecx,%ebp\n\txorl\t%edx,%ecx\n\trorl\t$7,%ebx\n\tmovl\t%eax,%esi\n\txorl\t%ecx,%ebp\n\troll\t$5,%eax\n\taddl\t%ebp,%edi\n\txorl\t%ebx,%esi\n\txorl\t%ecx,%ebx\n\taddl\t%eax,%edi\n\taddl\t32(%esp),%edx\n\tpxor\t%xmm6,%xmm2\n\tpunpcklqdq\t%xmm1,%xmm4\n\tandl\t%ebx,%esi\n\txorl\t%ecx,%ebx\n\trorl\t$7,%eax\n\tpxor\t%xmm3,%xmm2\n\tmovdqa\t%xmm6,96(%esp)\n\tmovl\t%edi,%ebp\n\txorl\t%ebx,%esi\n\troll\t$5,%edi\n\tmovdqa\t%xmm5,%xmm6\n\taddl\t%esi,%edx\n\tpaddd\t%xmm1,%xmm5\n\txorl\t%eax,%ebp\n\tpxor\t%xmm4,%xmm2\n\txorl\t%ebx,%eax\n\taddl\t%edi,%edx\n\taddl\t36(%esp),%ecx\n\tandl\t%eax,%ebp\n\tmovdqa\t%xmm2,%xmm4\n\tmovdqa\t%xmm5,16(%esp)\n\txorl\t%ebx,%eax\n\trorl\t$7,%edi\n\tmovl\t%edx,%esi\n\txorl\t%eax,%ebp\n\troll\t$5,%edx\n\tpslld\t$2,%xmm2\n\taddl\t%ebp,%ecx\n\txorl\t%edi,%esi\n\tpsrld\t$30,%xmm4\n\txorl\t%eax,%edi\n\taddl\t%edx,%ecx\n\taddl\t40(%esp),%ebx\n\tandl\t%edi,%esi\n\txorl\t%eax,%edi\n\trorl\t$7,%edx\n\tpor\t%xmm4,%xmm2\n\tmovl\t%ecx,%ebp\n\txorl\t%edi,%esi\n\tmovdqa\t64(%esp),%xmm4\n\troll\t$5,%ecx\n\taddl\t%esi,%ebx\n\txorl\t%edx,%ebp\n\txorl\t%edi,%edx\n\taddl\t%ecx,%ebx\n\tpshufd\t$238,%xmm1,%xmm5\n\taddl\t44(%esp),%eax\n\tandl\t%edx,%ebp\n\txorl\t%edi,%edx\n\trorl\t$7,%ecx\n\tmovl\t%ebx,%esi\n\txorl\t%edx,%ebp\n\troll\t$5,%ebx\n\taddl\t%ebp,%eax\n\txorl\t%edx,%esi\n\taddl\t%ebx,%eax\n\taddl\t48(%esp),%edi\n\tpxor\t%xmm7,%xmm3\n\tpunpcklqdq\t%xmm2,%xmm5\n\txorl\t%ecx,%esi\n\tmovl\t%eax,%ebp\n\troll\t$5,%eax\n\tpxor\t%xmm4,%xmm3\n\tmovdqa\t%xmm7,64(%esp)\n\taddl\t%esi,%edi\n\txorl\t%ecx,%ebp\n\tmovdqa\t%xmm6,%xmm7\n\trorl\t$7,%ebx\n\tpaddd\t%xmm2,%xmm6\n\taddl\t%eax,%edi\n\tpxor\t%xmm5,%xmm3\n\taddl\t52(%esp),%edx\n\txorl\t%ebx,%ebp\n\tmovl\t%edi,%esi\n\troll\t$5,%edi\n\tmovdqa\t%xmm3,%xmm5\n\tmovdqa\t%xmm6,32(%esp)\n\taddl\t%ebp,%edx\n\txorl\t%ebx,%esi\n\trorl\t$7,%eax\n\taddl\t%edi,%edx\n\tpslld\t$2,%xmm3\n\taddl\t56(%esp),%ecx\n\txorl\t%eax,%esi\n\tpsrld\t$30,%xmm5\n\tmovl\t%edx,%ebp\n\troll\t$5,%edx\n\taddl\t%esi,%ecx\n\txorl\t%eax,%ebp\n\trorl\t$7,%edi\n\taddl\t%edx,%ecx\n\tpor\t%xmm5,%xmm3\n\taddl\t60(%esp),%ebx\n\txorl\t%edi,%ebp\n\tmovl\t%ecx,%esi\n\troll\t$5,%ecx\n\taddl\t%ebp,%ebx\n\txorl\t%edi,%esi\n\trorl\t$7,%edx\n\taddl\t%ecx,%ebx\n\taddl\t(%esp),%eax\n\txorl\t%edx,%esi\n\tmovl\t%ebx,%ebp\n\troll\t$5,%ebx\n\taddl\t%esi,%eax\n\txorl\t%edx,%ebp\n\trorl\t$7,%ecx\n\tpaddd\t%xmm3,%xmm7\n\taddl\t%ebx,%eax\n\taddl\t4(%esp),%edi\n\txorl\t%ecx,%ebp\n\tmovl\t%eax,%esi\n\tmovdqa\t%xmm7,48(%esp)\n\troll\t$5,%eax\n\taddl\t%ebp,%edi\n\txorl\t%ecx,%esi\n\trorl\t$7,%ebx\n\taddl\t%eax,%edi\n\taddl\t8(%esp),%edx\n\txorl\t%ebx,%esi\n\tmovl\t%edi,%ebp\n\troll\t$5,%edi\n\taddl\t%esi,%edx\n\txorl\t%ebx,%ebp\n\trorl\t$7,%eax\n\taddl\t%edi,%edx\n\taddl\t12(%esp),%ecx\n\txorl\t%eax,%ebp\n\tmovl\t%edx,%esi\n\troll\t$5,%edx\n\taddl\t%ebp,%ecx\n\txorl\t%eax,%esi\n\trorl\t$7,%edi\n\taddl\t%edx,%ecx\n\tmovl\t196(%esp),%ebp\n\tcmpl\t200(%esp),%ebp\n\tje\t.L003done\n\tmovdqa\t160(%esp),%xmm7\n\tmovdqa\t176(%esp),%xmm6\n\tmovdqu\t(%ebp),%xmm0\n\tmovdqu\t16(%ebp),%xmm1\n\tmovdqu\t32(%ebp),%xmm2\n\tmovdqu\t48(%ebp),%xmm3\n\taddl\t$64,%ebp\n.byte\t102,15,56,0,198\n\tmovl\t%ebp,196(%esp)\n\tmovdqa\t%xmm7,96(%esp)\n\taddl\t16(%esp),%ebx\n\txorl\t%edi,%esi\n\tmovl\t%ecx,%ebp\n\troll\t$5,%ecx\n\taddl\t%esi,%ebx\n\txorl\t%edi,%ebp\n\trorl\t$7,%edx\n.byte\t102,15,56,0,206\n\taddl\t%ecx,%ebx\n\taddl\t20(%esp),%eax\n\txorl\t%edx,%ebp\n\tmovl\t%ebx,%esi\n\tpaddd\t%xmm7,%xmm0\n\troll\t$5,%ebx\n\taddl\t%ebp,%eax\n\txorl\t%edx,%esi\n\trorl\t$7,%ecx\n\tmovdqa\t%xmm0,(%esp)\n\taddl\t%ebx,%eax\n\taddl\t24(%esp),%edi\n\txorl\t%ecx,%esi\n\tmovl\t%eax,%ebp\n\tpsubd\t%xmm7,%xmm0\n\troll\t$5,%eax\n\taddl\t%esi,%edi\n\txorl\t%ecx,%ebp\n\trorl\t$7,%ebx\n\taddl\t%eax,%edi\n\taddl\t28(%esp),%edx\n\txorl\t%ebx,%ebp\n\tmovl\t%edi,%esi\n\troll\t$5,%edi\n\taddl\t%ebp,%edx\n\txorl\t%ebx,%esi\n\trorl\t$7,%eax\n\taddl\t%edi,%edx\n\taddl\t32(%esp),%ecx\n\txorl\t%eax,%esi\n\tmovl\t%edx,%ebp\n\troll\t$5,%edx\n\taddl\t%esi,%ecx\n\txorl\t%eax,%ebp\n\trorl\t$7,%edi\n.byte\t102,15,56,0,214\n\taddl\t%edx,%ecx\n\taddl\t36(%esp),%ebx\n\txorl\t%edi,%ebp\n\tmovl\t%ecx,%esi\n\tpaddd\t%xmm7,%xmm1\n\troll\t$5,%ecx\n\taddl\t%ebp,%ebx\n\txorl\t%edi,%esi\n\trorl\t$7,%edx\n\tmovdqa\t%xmm1,16(%esp)\n\taddl\t%ecx,%ebx\n\taddl\t40(%esp),%eax\n\txorl\t%edx,%esi\n\tmovl\t%ebx,%ebp\n\tpsubd\t%xmm7,%xmm1\n\troll\t$5,%ebx\n\taddl\t%esi,%eax\n\txorl\t%edx,%ebp\n\trorl\t$7,%ecx\n\taddl\t%ebx,%eax\n\taddl\t44(%esp),%edi\n\txorl\t%ecx,%ebp\n\tmovl\t%eax,%esi\n\troll\t$5,%eax\n\taddl\t%ebp,%edi\n\txorl\t%ecx,%esi\n\trorl\t$7,%ebx\n\taddl\t%eax,%edi\n\taddl\t48(%esp),%edx\n\txorl\t%ebx,%esi\n\tmovl\t%edi,%ebp\n\troll\t$5,%edi\n\taddl\t%esi,%edx\n\txorl\t%ebx,%ebp\n\trorl\t$7,%eax\n.byte\t102,15,56,0,222\n\taddl\t%edi,%edx\n\taddl\t52(%esp),%ecx\n\txorl\t%eax,%ebp\n\tmovl\t%edx,%esi\n\tpaddd\t%xmm7,%xmm2\n\troll\t$5,%edx\n\taddl\t%ebp,%ecx\n\txorl\t%eax,%esi\n\trorl\t$7,%edi\n\tmovdqa\t%xmm2,32(%esp)\n\taddl\t%edx,%ecx\n\taddl\t56(%esp),%ebx\n\txorl\t%edi,%esi\n\tmovl\t%ecx,%ebp\n\tpsubd\t%xmm7,%xmm2\n\troll\t$5,%ecx\n\taddl\t%esi,%ebx\n\txorl\t%edi,%ebp\n\trorl\t$7,%edx\n\taddl\t%ecx,%ebx\n\taddl\t60(%esp),%eax\n\txorl\t%edx,%ebp\n\tmovl\t%ebx,%esi\n\troll\t$5,%ebx\n\taddl\t%ebp,%eax\n\trorl\t$7,%ecx\n\taddl\t%ebx,%eax\n\tmovl\t192(%esp),%ebp\n\taddl\t(%ebp),%eax\n\taddl\t4(%ebp),%esi\n\taddl\t8(%ebp),%ecx\n\tmovl\t%eax,(%ebp)\n\taddl\t12(%ebp),%edx\n\tmovl\t%esi,4(%ebp)\n\taddl\t16(%ebp),%edi\n\tmovl\t%ecx,8(%ebp)\n\tmovl\t%ecx,%ebx\n\tmovl\t%edx,12(%ebp)\n\txorl\t%edx,%ebx\n\tmovl\t%edi,16(%ebp)\n\tmovl\t%esi,%ebp\n\tpshufd\t$238,%xmm0,%xmm4\n\tandl\t%ebx,%esi\n\tmovl\t%ebp,%ebx\n\tjmp\t.L002loop\n.align\t16\n.L003done:\n\taddl\t16(%esp),%ebx\n\txorl\t%edi,%esi\n\tmovl\t%ecx,%ebp\n\troll\t$5,%ecx\n\taddl\t%esi,%ebx\n\txorl\t%edi,%ebp\n\trorl\t$7,%edx\n\taddl\t%ecx,%ebx\n\taddl\t20(%esp),%eax\n\txorl\t%edx,%ebp\n\tmovl\t%ebx,%esi\n\troll\t$5,%ebx\n\taddl\t%ebp,%eax\n\txorl\t%edx,%esi\n\trorl\t$7,%ecx\n\taddl\t%ebx,%eax\n\taddl\t24(%esp),%edi\n\txorl\t%ecx,%esi\n\tmovl\t%eax,%ebp\n\troll\t$5,%eax\n\taddl\t%esi,%edi\n\txorl\t%ecx,%ebp\n\trorl\t$7,%ebx\n\taddl\t%eax,%edi\n\taddl\t28(%esp),%edx\n\txorl\t%ebx,%ebp\n\tmovl\t%edi,%esi\n\troll\t$5,%edi\n\taddl\t%ebp,%edx\n\txorl\t%ebx,%esi\n\trorl\t$7,%eax\n\taddl\t%edi,%edx\n\taddl\t32(%esp),%ecx\n\txorl\t%eax,%esi\n\tmovl\t%edx,%ebp\n\troll\t$5,%edx\n\taddl\t%esi,%ecx\n\txorl\t%eax,%ebp\n\trorl\t$7,%edi\n\taddl\t%edx,%ecx\n\taddl\t36(%esp),%ebx\n\txorl\t%edi,%ebp\n\tmovl\t%ecx,%esi\n\troll\t$5,%ecx\n\taddl\t%ebp,%ebx\n\txorl\t%edi,%esi\n\trorl\t$7,%edx\n\taddl\t%ecx,%ebx\n\taddl\t40(%esp),%eax\n\txorl\t%edx,%esi\n\tmovl\t%ebx,%ebp\n\troll\t$5,%ebx\n\taddl\t%esi,%eax\n\txorl\t%edx,%ebp\n\trorl\t$7,%ecx\n\taddl\t%ebx,%eax\n\taddl\t44(%esp),%edi\n\txorl\t%ecx,%ebp\n\tmovl\t%eax,%esi\n\troll\t$5,%eax\n\taddl\t%ebp,%edi\n\txorl\t%ecx,%esi\n\trorl\t$7,%ebx\n\taddl\t%eax,%edi\n\taddl\t48(%esp),%edx\n\txorl\t%ebx,%esi\n\tmovl\t%edi,%ebp\n\troll\t$5,%edi\n\taddl\t%esi,%edx\n\txorl\t%ebx,%ebp\n\trorl\t$7,%eax\n\taddl\t%edi,%edx\n\taddl\t52(%esp),%ecx\n\txorl\t%eax,%ebp\n\tmovl\t%edx,%esi\n\troll\t$5,%edx\n\taddl\t%ebp,%ecx\n\txorl\t%eax,%esi\n\trorl\t$7,%edi\n\taddl\t%edx,%ecx\n\taddl\t56(%esp),%ebx\n\txorl\t%edi,%esi\n\tmovl\t%ecx,%ebp\n\troll\t$5,%ecx\n\taddl\t%esi,%ebx\n\txorl\t%edi,%ebp\n\trorl\t$7,%edx\n\taddl\t%ecx,%ebx\n\taddl\t60(%esp),%eax\n\txorl\t%edx,%ebp\n\tmovl\t%ebx,%esi\n\troll\t$5,%ebx\n\taddl\t%ebp,%eax\n\trorl\t$7,%ecx\n\taddl\t%ebx,%eax\n\tmovl\t192(%esp),%ebp\n\taddl\t(%ebp),%eax\n\tmovl\t204(%esp),%esp\n\taddl\t4(%ebp),%esi\n\taddl\t8(%ebp),%ecx\n\tmovl\t%eax,(%ebp)\n\taddl\t12(%ebp),%edx\n\tmovl\t%esi,4(%ebp)\n\taddl\t16(%ebp),%edi\n\tmovl\t%ecx,8(%ebp)\n\tmovl\t%edx,12(%ebp)\n\tmovl\t%edi,16(%ebp)\n\tpopl\t%edi\n\tpopl\t%esi\n\tpopl\t%ebx\n\tpopl\t%ebp\n\tret\n.size\tsha1_block_data_order_ssse3,.-.L_sha1_block_data_order_ssse3_begin\n.globl\tsha1_block_data_order_avx\n.hidden\tsha1_block_data_order_avx\n.type\tsha1_block_data_order_avx,@function\n.align\t16\nsha1_block_data_order_avx:\n.L_sha1_block_data_order_avx_begin:\n\tpushl\t%ebp\n\tpushl\t%ebx\n\tpushl\t%esi\n\tpushl\t%edi\n\tcall\t.L004pic_point\n.L004pic_point:\n\tpopl\t%ebp\n\tleal\t.LK_XX_XX-.L004pic_point(%ebp),%ebp\n\tvzeroall\n\tvmovdqa\t(%ebp),%xmm7\n\tvmovdqa\t16(%ebp),%xmm0\n\tvmovdqa\t32(%ebp),%xmm1\n\tvmovdqa\t48(%ebp),%xmm2\n\tvmovdqa\t64(%ebp),%xmm6\n\tmovl\t20(%esp),%edi\n\tmovl\t24(%esp),%ebp\n\tmovl\t28(%esp),%edx\n\tmovl\t%esp,%esi\n\tsubl\t$208,%esp\n\tandl\t$-64,%esp\n\tvmovdqa\t%xmm0,112(%esp)\n\tvmovdqa\t%xmm1,128(%esp)\n\tvmovdqa\t%xmm2,144(%esp)\n\tshll\t$6,%edx\n\tvmovdqa\t%xmm7,160(%esp)\n\taddl\t%ebp,%edx\n\tvmovdqa\t%xmm6,176(%esp)\n\taddl\t$64,%ebp\n\tmovl\t%edi,192(%esp)\n\tmovl\t%ebp,196(%esp)\n\tmovl\t%edx,200(%esp)\n\tmovl\t%esi,204(%esp)\n\tmovl\t(%edi),%eax\n\tmovl\t4(%edi),%ebx\n\tmovl\t8(%edi),%ecx\n\tmovl\t12(%edi),%edx\n\tmovl\t16(%edi),%edi\n\tmovl\t%ebx,%esi\n\tvmovdqu\t-64(%ebp),%xmm0\n\tvmovdqu\t-48(%ebp),%xmm1\n\tvmovdqu\t-32(%ebp),%xmm2\n\tvmovdqu\t-16(%ebp),%xmm3\n\tvpshufb\t%xmm6,%xmm0,%xmm0\n\tvpshufb\t%xmm6,%xmm1,%xmm1\n\tvpshufb\t%xmm6,%xmm2,%xmm2\n\tvmovdqa\t%xmm7,96(%esp)\n\tvpshufb\t%xmm6,%xmm3,%xmm3\n\tvpaddd\t%xmm7,%xmm0,%xmm4\n\tvpaddd\t%xmm7,%xmm1,%xmm5\n\tvpaddd\t%xmm7,%xmm2,%xmm6\n\tvmovdqa\t%xmm4,(%esp)\n\tmovl\t%ecx,%ebp\n\tvmovdqa\t%xmm5,16(%esp)\n\txorl\t%edx,%ebp\n\tvmovdqa\t%xmm6,32(%esp)\n\tandl\t%ebp,%esi\n\tjmp\t.L005loop\n.align\t16\n.L005loop:\n\tshrdl\t$2,%ebx,%ebx\n\txorl\t%edx,%esi\n\tvpalignr\t$8,%xmm0,%xmm1,%xmm4\n\tmovl\t%eax,%ebp\n\taddl\t(%esp),%edi\n\tvpaddd\t%xmm3,%xmm7,%xmm7\n\tvmovdqa\t%xmm0,64(%esp)\n\txorl\t%ecx,%ebx\n\tshldl\t$5,%eax,%eax\n\tvpsrldq\t$4,%xmm3,%xmm6\n\taddl\t%esi,%edi\n\tandl\t%ebx,%ebp\n\tvpxor\t%xmm0,%xmm4,%xmm4\n\txorl\t%ecx,%ebx\n\taddl\t%eax,%edi\n\tvpxor\t%xmm2,%xmm6,%xmm6\n\tshrdl\t$7,%eax,%eax\n\txorl\t%ecx,%ebp\n\tvmovdqa\t%xmm7,48(%esp)\n\tmovl\t%edi,%esi\n\taddl\t4(%esp),%edx\n\tvpxor\t%xmm6,%xmm4,%xmm4\n\txorl\t%ebx,%eax\n\tshldl\t$5,%edi,%edi\n\taddl\t%ebp,%edx\n\tandl\t%eax,%esi\n\tvpsrld\t$31,%xmm4,%xmm6\n\txorl\t%ebx,%eax\n\taddl\t%edi,%edx\n\tshrdl\t$7,%edi,%edi\n\txorl\t%ebx,%esi\n\tvpslldq\t$12,%xmm4,%xmm0\n\tvpaddd\t%xmm4,%xmm4,%xmm4\n\tmovl\t%edx,%ebp\n\taddl\t8(%esp),%ecx\n\txorl\t%eax,%edi\n\tshldl\t$5,%edx,%edx\n\tvpsrld\t$30,%xmm0,%xmm7\n\tvpor\t%xmm6,%xmm4,%xmm4\n\taddl\t%esi,%ecx\n\tandl\t%edi,%ebp\n\txorl\t%eax,%edi\n\taddl\t%edx,%ecx\n\tvpslld\t$2,%xmm0,%xmm0\n\tshrdl\t$7,%edx,%edx\n\txorl\t%eax,%ebp\n\tvpxor\t%xmm7,%xmm4,%xmm4\n\tmovl\t%ecx,%esi\n\taddl\t12(%esp),%ebx\n\txorl\t%edi,%edx\n\tshldl\t$5,%ecx,%ecx\n\tvpxor\t%xmm0,%xmm4,%xmm4\n\taddl\t%ebp,%ebx\n\tandl\t%edx,%esi\n\tvmovdqa\t96(%esp),%xmm0\n\txorl\t%edi,%edx\n\taddl\t%ecx,%ebx\n\tshrdl\t$7,%ecx,%ecx\n\txorl\t%edi,%esi\n\tvpalignr\t$8,%xmm1,%xmm2,%xmm5\n\tmovl\t%ebx,%ebp\n\taddl\t16(%esp),%eax\n\tvpaddd\t%xmm4,%xmm0,%xmm0\n\tvmovdqa\t%xmm1,80(%esp)\n\txorl\t%edx,%ecx\n\tshldl\t$5,%ebx,%ebx\n\tvpsrldq\t$4,%xmm4,%xmm7\n\taddl\t%esi,%eax\n\tandl\t%ecx,%ebp\n\tvpxor\t%xmm1,%xmm5,%xmm5\n\txorl\t%edx,%ecx\n\taddl\t%ebx,%eax\n\tvpxor\t%xmm3,%xmm7,%xmm7\n\tshrdl\t$7,%ebx,%ebx\n\txorl\t%edx,%ebp\n\tvmovdqa\t%xmm0,(%esp)\n\tmovl\t%eax,%esi\n\taddl\t20(%esp),%edi\n\tvpxor\t%xmm7,%xmm5,%xmm5\n\txorl\t%ecx,%ebx\n\tshldl\t$5,%eax,%eax\n\taddl\t%ebp,%edi\n\tandl\t%ebx,%esi\n\tvpsrld\t$31,%xmm5,%xmm7\n\txorl\t%ecx,%ebx\n\taddl\t%eax,%edi\n\tshrdl\t$7,%eax,%eax\n\txorl\t%ecx,%esi\n\tvpslldq\t$12,%xmm5,%xmm1\n\tvpaddd\t%xmm5,%xmm5,%xmm5\n\tmovl\t%edi,%ebp\n\taddl\t24(%esp),%edx\n\txorl\t%ebx,%eax\n\tshldl\t$5,%edi,%edi\n\tvpsrld\t$30,%xmm1,%xmm0\n\tvpor\t%xmm7,%xmm5,%xmm5\n\taddl\t%esi,%edx\n\tandl\t%eax,%ebp\n\txorl\t%ebx,%eax\n\taddl\t%edi,%edx\n\tvpslld\t$2,%xmm1,%xmm1\n\tshrdl\t$7,%edi,%edi\n\txorl\t%ebx,%ebp\n\tvpxor\t%xmm0,%xmm5,%xmm5\n\tmovl\t%edx,%esi\n\taddl\t28(%esp),%ecx\n\txorl\t%eax,%edi\n\tshldl\t$5,%edx,%edx\n\tvpxor\t%xmm1,%xmm5,%xmm5\n\taddl\t%ebp,%ecx\n\tandl\t%edi,%esi\n\tvmovdqa\t112(%esp),%xmm1\n\txorl\t%eax,%edi\n\taddl\t%edx,%ecx\n\tshrdl\t$7,%edx,%edx\n\txorl\t%eax,%esi\n\tvpalignr\t$8,%xmm2,%xmm3,%xmm6\n\tmovl\t%ecx,%ebp\n\taddl\t32(%esp),%ebx\n\tvpaddd\t%xmm5,%xmm1,%xmm1\n\tvmovdqa\t%xmm2,96(%esp)\n\txorl\t%edi,%edx\n\tshldl\t$5,%ecx,%ecx\n\tvpsrldq\t$4,%xmm5,%xmm0\n\taddl\t%esi,%ebx\n\tandl\t%edx,%ebp\n\tvpxor\t%xmm2,%xmm6,%xmm6\n\txorl\t%edi,%edx\n\taddl\t%ecx,%ebx\n\tvpxor\t%xmm4,%xmm0,%xmm0\n\tshrdl\t$7,%ecx,%ecx\n\txorl\t%edi,%ebp\n\tvmovdqa\t%xmm1,16(%esp)\n\tmovl\t%ebx,%esi\n\taddl\t36(%esp),%eax\n\tvpxor\t%xmm0,%xmm6,%xmm6\n\txorl\t%edx,%ecx\n\tshldl\t$5,%ebx,%ebx\n\taddl\t%ebp,%eax\n\tandl\t%ecx,%esi\n\tvpsrld\t$31,%xmm6,%xmm0\n\txorl\t%edx,%ecx\n\taddl\t%ebx,%eax\n\tshrdl\t$7,%ebx,%ebx\n\txorl\t%edx,%esi\n\tvpslldq\t$12,%xmm6,%xmm2\n\tvpaddd\t%xmm6,%xmm6,%xmm6\n\tmovl\t%eax,%ebp\n\taddl\t40(%esp),%edi\n\txorl\t%ecx,%ebx\n\tshldl\t$5,%eax,%eax\n\tvpsrld\t$30,%xmm2,%xmm1\n\tvpor\t%xmm0,%xmm6,%xmm6\n\taddl\t%esi,%edi\n\tandl\t%ebx,%ebp\n\txorl\t%ecx,%ebx\n\taddl\t%eax,%edi\n\tvpslld\t$2,%xmm2,%xmm2\n\tvmovdqa\t64(%esp),%xmm0\n\tshrdl\t$7,%eax,%eax\n\txorl\t%ecx,%ebp\n\tvpxor\t%xmm1,%xmm6,%xmm6\n\tmovl\t%edi,%esi\n\taddl\t44(%esp),%edx\n\txorl\t%ebx,%eax\n\tshldl\t$5,%edi,%edi\n\tvpxor\t%xmm2,%xmm6,%xmm6\n\taddl\t%ebp,%edx\n\tandl\t%eax,%esi\n\tvmovdqa\t112(%esp),%xmm2\n\txorl\t%ebx,%eax\n\taddl\t%edi,%edx\n\tshrdl\t$7,%edi,%edi\n\txorl\t%ebx,%esi\n\tvpalignr\t$8,%xmm3,%xmm4,%xmm7\n\tmovl\t%edx,%ebp\n\taddl\t48(%esp),%ecx\n\tvpaddd\t%xmm6,%xmm2,%xmm2\n\tvmovdqa\t%xmm3,64(%esp)\n\txorl\t%eax,%edi\n\tshldl\t$5,%edx,%edx\n\tvpsrldq\t$4,%xmm6,%xmm1\n\taddl\t%esi,%ecx\n\tandl\t%edi,%ebp\n\tvpxor\t%xmm3,%xmm7,%xmm7\n\txorl\t%eax,%edi\n\taddl\t%edx,%ecx\n\tvpxor\t%xmm5,%xmm1,%xmm1\n\tshrdl\t$7,%edx,%edx\n\txorl\t%eax,%ebp\n\tvmovdqa\t%xmm2,32(%esp)\n\tmovl\t%ecx,%esi\n\taddl\t52(%esp),%ebx\n\tvpxor\t%xmm1,%xmm7,%xmm7\n\txorl\t%edi,%edx\n\tshldl\t$5,%ecx,%ecx\n\taddl\t%ebp,%ebx\n\tandl\t%edx,%esi\n\tvpsrld\t$31,%xmm7,%xmm1\n\txorl\t%edi,%edx\n\taddl\t%ecx,%ebx\n\tshrdl\t$7,%ecx,%ecx\n\txorl\t%edi,%esi\n\tvpslldq\t$12,%xmm7,%xmm3\n\tvpaddd\t%xmm7,%xmm7,%xmm7\n\tmovl\t%ebx,%ebp\n\taddl\t56(%esp),%eax\n\txorl\t%edx,%ecx\n\tshldl\t$5,%ebx,%ebx\n\tvpsrld\t$30,%xmm3,%xmm2\n\tvpor\t%xmm1,%xmm7,%xmm7\n\taddl\t%esi,%eax\n\tandl\t%ecx,%ebp\n\txorl\t%edx,%ecx\n\taddl\t%ebx,%eax\n\tvpslld\t$2,%xmm3,%xmm3\n\tvmovdqa\t80(%esp),%xmm1\n\tshrdl\t$7,%ebx,%ebx\n\txorl\t%edx,%ebp\n\tvpxor\t%xmm2,%xmm7,%xmm7\n\tmovl\t%eax,%esi\n\taddl\t60(%esp),%edi\n\txorl\t%ecx,%ebx\n\tshldl\t$5,%eax,%eax\n\tvpxor\t%xmm3,%xmm7,%xmm7\n\taddl\t%ebp,%edi\n\tandl\t%ebx,%esi\n\tvmovdqa\t112(%esp),%xmm3\n\txorl\t%ecx,%ebx\n\taddl\t%eax,%edi\n\tvpalignr\t$8,%xmm6,%xmm7,%xmm2\n\tvpxor\t%xmm4,%xmm0,%xmm0\n\tshrdl\t$7,%eax,%eax\n\txorl\t%ecx,%esi\n\tmovl\t%edi,%ebp\n\taddl\t(%esp),%edx\n\tvpxor\t%xmm1,%xmm0,%xmm0\n\tvmovdqa\t%xmm4,80(%esp)\n\txorl\t%ebx,%eax\n\tshldl\t$5,%edi,%edi\n\tvmovdqa\t%xmm3,%xmm4\n\tvpaddd\t%xmm7,%xmm3,%xmm3\n\taddl\t%esi,%edx\n\tandl\t%eax,%ebp\n\tvpxor\t%xmm2,%xmm0,%xmm0\n\txorl\t%ebx,%eax\n\taddl\t%edi,%edx\n\tshrdl\t$7,%edi,%edi\n\txorl\t%ebx,%ebp\n\tvpsrld\t$30,%xmm0,%xmm2\n\tvmovdqa\t%xmm3,48(%esp)\n\tmovl\t%edx,%esi\n\taddl\t4(%esp),%ecx\n\txorl\t%eax,%edi\n\tshldl\t$5,%edx,%edx\n\tvpslld\t$2,%xmm0,%xmm0\n\taddl\t%ebp,%ecx\n\tandl\t%edi,%esi\n\txorl\t%eax,%edi\n\taddl\t%edx,%ecx\n\tshrdl\t$7,%edx,%edx\n\txorl\t%eax,%esi\n\tmovl\t%ecx,%ebp\n\taddl\t8(%esp),%ebx\n\tvpor\t%xmm2,%xmm0,%xmm0\n\txorl\t%edi,%edx\n\tshldl\t$5,%ecx,%ecx\n\tvmovdqa\t96(%esp),%xmm2\n\taddl\t%esi,%ebx\n\tandl\t%edx,%ebp\n\txorl\t%edi,%edx\n\taddl\t%ecx,%ebx\n\taddl\t12(%esp),%eax\n\txorl\t%edi,%ebp\n\tmovl\t%ebx,%esi\n\tshldl\t$5,%ebx,%ebx\n\taddl\t%ebp,%eax\n\txorl\t%edx,%esi\n\tshrdl\t$7,%ecx,%ecx\n\taddl\t%ebx,%eax\n\tvpalignr\t$8,%xmm7,%xmm0,%xmm3\n\tvpxor\t%xmm5,%xmm1,%xmm1\n\taddl\t16(%esp),%edi\n\txorl\t%ecx,%esi\n\tmovl\t%eax,%ebp\n\tshldl\t$5,%eax,%eax\n\tvpxor\t%xmm2,%xmm1,%xmm1\n\tvmovdqa\t%xmm5,96(%esp)\n\taddl\t%esi,%edi\n\txorl\t%ecx,%ebp\n\tvmovdqa\t%xmm4,%xmm5\n\tvpaddd\t%xmm0,%xmm4,%xmm4\n\tshrdl\t$7,%ebx,%ebx\n\taddl\t%eax,%edi\n\tvpxor\t%xmm3,%xmm1,%xmm1\n\taddl\t20(%esp),%edx\n\txorl\t%ebx,%ebp\n\tmovl\t%edi,%esi\n\tshldl\t$5,%edi,%edi\n\tvpsrld\t$30,%xmm1,%xmm3\n\tvmovdqa\t%xmm4,(%esp)\n\taddl\t%ebp,%edx\n\txorl\t%ebx,%esi\n\tshrdl\t$7,%eax,%eax\n\taddl\t%edi,%edx\n\tvpslld\t$2,%xmm1,%xmm1\n\taddl\t24(%esp),%ecx\n\txorl\t%eax,%esi\n\tmovl\t%edx,%ebp\n\tshldl\t$5,%edx,%edx\n\taddl\t%esi,%ecx\n\txorl\t%eax,%ebp\n\tshrdl\t$7,%edi,%edi\n\taddl\t%edx,%ecx\n\tvpor\t%xmm3,%xmm1,%xmm1\n\taddl\t28(%esp),%ebx\n\txorl\t%edi,%ebp\n\tvmovdqa\t64(%esp),%xmm3\n\tmovl\t%ecx,%esi\n\tshldl\t$5,%ecx,%ecx\n\taddl\t%ebp,%ebx\n\txorl\t%edi,%esi\n\tshrdl\t$7,%edx,%edx\n\taddl\t%ecx,%ebx\n\tvpalignr\t$8,%xmm0,%xmm1,%xmm4\n\tvpxor\t%xmm6,%xmm2,%xmm2\n\taddl\t32(%esp),%eax\n\txorl\t%edx,%esi\n\tmovl\t%ebx,%ebp\n\tshldl\t$5,%ebx,%ebx\n\tvpxor\t%xmm3,%xmm2,%xmm2\n\tvmovdqa\t%xmm6,64(%esp)\n\taddl\t%esi,%eax\n\txorl\t%edx,%ebp\n\tvmovdqa\t128(%esp),%xmm6\n\tvpaddd\t%xmm1,%xmm5,%xmm5\n\tshrdl\t$7,%ecx,%ecx\n\taddl\t%ebx,%eax\n\tvpxor\t%xmm4,%xmm2,%xmm2\n\taddl\t36(%esp),%edi\n\txorl\t%ecx,%ebp\n\tmovl\t%eax,%esi\n\tshldl\t$5,%eax,%eax\n\tvpsrld\t$30,%xmm2,%xmm4\n\tvmovdqa\t%xmm5,16(%esp)\n\taddl\t%ebp,%edi\n\txorl\t%ecx,%esi\n\tshrdl\t$7,%ebx,%ebx\n\taddl\t%eax,%edi\n\tvpslld\t$2,%xmm2,%xmm2\n\taddl\t40(%esp),%edx\n\txorl\t%ebx,%esi\n\tmovl\t%edi,%ebp\n\tshldl\t$5,%edi,%edi\n\taddl\t%esi,%edx\n\txorl\t%ebx,%ebp\n\tshrdl\t$7,%eax,%eax\n\taddl\t%edi,%edx\n\tvpor\t%xmm4,%xmm2,%xmm2\n\taddl\t44(%esp),%ecx\n\txorl\t%eax,%ebp\n\tvmovdqa\t80(%esp),%xmm4\n\tmovl\t%edx,%esi\n\tshldl\t$5,%edx,%edx\n\taddl\t%ebp,%ecx\n\txorl\t%eax,%esi\n\tshrdl\t$7,%edi,%edi\n\taddl\t%edx,%ecx\n\tvpalignr\t$8,%xmm1,%xmm2,%xmm5\n\tvpxor\t%xmm7,%xmm3,%xmm3\n\taddl\t48(%esp),%ebx\n\txorl\t%edi,%esi\n\tmovl\t%ecx,%ebp\n\tshldl\t$5,%ecx,%ecx\n\tvpxor\t%xmm4,%xmm3,%xmm3\n\tvmovdqa\t%xmm7,80(%esp)\n\taddl\t%esi,%ebx\n\txorl\t%edi,%ebp\n\tvmovdqa\t%xmm6,%xmm7\n\tvpaddd\t%xmm2,%xmm6,%xmm6\n\tshrdl\t$7,%edx,%edx\n\taddl\t%ecx,%ebx\n\tvpxor\t%xmm5,%xmm3,%xmm3\n\taddl\t52(%esp),%eax\n\txorl\t%edx,%ebp\n\tmovl\t%ebx,%esi\n\tshldl\t$5,%ebx,%ebx\n\tvpsrld\t$30,%xmm3,%xmm5\n\tvmovdqa\t%xmm6,32(%esp)\n\taddl\t%ebp,%eax\n\txorl\t%edx,%esi\n\tshrdl\t$7,%ecx,%ecx\n\taddl\t%ebx,%eax\n\tvpslld\t$2,%xmm3,%xmm3\n\taddl\t56(%esp),%edi\n\txorl\t%ecx,%esi\n\tmovl\t%eax,%ebp\n\tshldl\t$5,%eax,%eax\n\taddl\t%esi,%edi\n\txorl\t%ecx,%ebp\n\tshrdl\t$7,%ebx,%ebx\n\taddl\t%eax,%edi\n\tvpor\t%xmm5,%xmm3,%xmm3\n\taddl\t60(%esp),%edx\n\txorl\t%ebx,%ebp\n\tvmovdqa\t96(%esp),%xmm5\n\tmovl\t%edi,%esi\n\tshldl\t$5,%edi,%edi\n\taddl\t%ebp,%edx\n\txorl\t%ebx,%esi\n\tshrdl\t$7,%eax,%eax\n\taddl\t%edi,%edx\n\tvpalignr\t$8,%xmm2,%xmm3,%xmm6\n\tvpxor\t%xmm0,%xmm4,%xmm4\n\taddl\t(%esp),%ecx\n\txorl\t%eax,%esi\n\tmovl\t%edx,%ebp\n\tshldl\t$5,%edx,%edx\n\tvpxor\t%xmm5,%xmm4,%xmm4\n\tvmovdqa\t%xmm0,96(%esp)\n\taddl\t%esi,%ecx\n\txorl\t%eax,%ebp\n\tvmovdqa\t%xmm7,%xmm0\n\tvpaddd\t%xmm3,%xmm7,%xmm7\n\tshrdl\t$7,%edi,%edi\n\taddl\t%edx,%ecx\n\tvpxor\t%xmm6,%xmm4,%xmm4\n\taddl\t4(%esp),%ebx\n\txorl\t%edi,%ebp\n\tmovl\t%ecx,%esi\n\tshldl\t$5,%ecx,%ecx\n\tvpsrld\t$30,%xmm4,%xmm6\n\tvmovdqa\t%xmm7,48(%esp)\n\taddl\t%ebp,%ebx\n\txorl\t%edi,%esi\n\tshrdl\t$7,%edx,%edx\n\taddl\t%ecx,%ebx\n\tvpslld\t$2,%xmm4,%xmm4\n\taddl\t8(%esp),%eax\n\txorl\t%edx,%esi\n\tmovl\t%ebx,%ebp\n\tshldl\t$5,%ebx,%ebx\n\taddl\t%esi,%eax\n\txorl\t%edx,%ebp\n\tshrdl\t$7,%ecx,%ecx\n\taddl\t%ebx,%eax\n\tvpor\t%xmm6,%xmm4,%xmm4\n\taddl\t12(%esp),%edi\n\txorl\t%ecx,%ebp\n\tvmovdqa\t64(%esp),%xmm6\n\tmovl\t%eax,%esi\n\tshldl\t$5,%eax,%eax\n\taddl\t%ebp,%edi\n\txorl\t%ecx,%esi\n\tshrdl\t$7,%ebx,%ebx\n\taddl\t%eax,%edi\n\tvpalignr\t$8,%xmm3,%xmm4,%xmm7\n\tvpxor\t%xmm1,%xmm5,%xmm5\n\taddl\t16(%esp),%edx\n\txorl\t%ebx,%esi\n\tmovl\t%edi,%ebp\n\tshldl\t$5,%edi,%edi\n\tvpxor\t%xmm6,%xmm5,%xmm5\n\tvmovdqa\t%xmm1,64(%esp)\n\taddl\t%esi,%edx\n\txorl\t%ebx,%ebp\n\tvmovdqa\t%xmm0,%xmm1\n\tvpaddd\t%xmm4,%xmm0,%xmm0\n\tshrdl\t$7,%eax,%eax\n\taddl\t%edi,%edx\n\tvpxor\t%xmm7,%xmm5,%xmm5\n\taddl\t20(%esp),%ecx\n\txorl\t%eax,%ebp\n\tmovl\t%edx,%esi\n\tshldl\t$5,%edx,%edx\n\tvpsrld\t$30,%xmm5,%xmm7\n\tvmovdqa\t%xmm0,(%esp)\n\taddl\t%ebp,%ecx\n\txorl\t%eax,%esi\n\tshrdl\t$7,%edi,%edi\n\taddl\t%edx,%ecx\n\tvpslld\t$2,%xmm5,%xmm5\n\taddl\t24(%esp),%ebx\n\txorl\t%edi,%esi\n\tmovl\t%ecx,%ebp\n\tshldl\t$5,%ecx,%ecx\n\taddl\t%esi,%ebx\n\txorl\t%edi,%ebp\n\tshrdl\t$7,%edx,%edx\n\taddl\t%ecx,%ebx\n\tvpor\t%xmm7,%xmm5,%xmm5\n\taddl\t28(%esp),%eax\n\tvmovdqa\t80(%esp),%xmm7\n\tshrdl\t$7,%ecx,%ecx\n\tmovl\t%ebx,%esi\n\txorl\t%edx,%ebp\n\tshldl\t$5,%ebx,%ebx\n\taddl\t%ebp,%eax\n\txorl\t%ecx,%esi\n\txorl\t%edx,%ecx\n\taddl\t%ebx,%eax\n\tvpalignr\t$8,%xmm4,%xmm5,%xmm0\n\tvpxor\t%xmm2,%xmm6,%xmm6\n\taddl\t32(%esp),%edi\n\tandl\t%ecx,%esi\n\txorl\t%edx,%ecx\n\tshrdl\t$7,%ebx,%ebx\n\tvpxor\t%xmm7,%xmm6,%xmm6\n\tvmovdqa\t%xmm2,80(%esp)\n\tmovl\t%eax,%ebp\n\txorl\t%ecx,%esi\n\tvmovdqa\t%xmm1,%xmm2\n\tvpaddd\t%xmm5,%xmm1,%xmm1\n\tshldl\t$5,%eax,%eax\n\taddl\t%esi,%edi\n\tvpxor\t%xmm0,%xmm6,%xmm6\n\txorl\t%ebx,%ebp\n\txorl\t%ecx,%ebx\n\taddl\t%eax,%edi\n\taddl\t36(%esp),%edx\n\tvpsrld\t$30,%xmm6,%xmm0\n\tvmovdqa\t%xmm1,16(%esp)\n\tandl\t%ebx,%ebp\n\txorl\t%ecx,%ebx\n\tshrdl\t$7,%eax,%eax\n\tmovl\t%edi,%esi\n\tvpslld\t$2,%xmm6,%xmm6\n\txorl\t%ebx,%ebp\n\tshldl\t$5,%edi,%edi\n\taddl\t%ebp,%edx\n\txorl\t%eax,%esi\n\txorl\t%ebx,%eax\n\taddl\t%edi,%edx\n\taddl\t40(%esp),%ecx\n\tandl\t%eax,%esi\n\tvpor\t%xmm0,%xmm6,%xmm6\n\txorl\t%ebx,%eax\n\tshrdl\t$7,%edi,%edi\n\tvmovdqa\t96(%esp),%xmm0\n\tmovl\t%edx,%ebp\n\txorl\t%eax,%esi\n\tshldl\t$5,%edx,%edx\n\taddl\t%esi,%ecx\n\txorl\t%edi,%ebp\n\txorl\t%eax,%edi\n\taddl\t%edx,%ecx\n\taddl\t44(%esp),%ebx\n\tandl\t%edi,%ebp\n\txorl\t%eax,%edi\n\tshrdl\t$7,%edx,%edx\n\tmovl\t%ecx,%esi\n\txorl\t%edi,%ebp\n\tshldl\t$5,%ecx,%ecx\n\taddl\t%ebp,%ebx\n\txorl\t%edx,%esi\n\txorl\t%edi,%edx\n\taddl\t%ecx,%ebx\n\tvpalignr\t$8,%xmm5,%xmm6,%xmm1\n\tvpxor\t%xmm3,%xmm7,%xmm7\n\taddl\t48(%esp),%eax\n\tandl\t%edx,%esi\n\txorl\t%edi,%edx\n\tshrdl\t$7,%ecx,%ecx\n\tvpxor\t%xmm0,%xmm7,%xmm7\n\tvmovdqa\t%xmm3,96(%esp)\n\tmovl\t%ebx,%ebp\n\txorl\t%edx,%esi\n\tvmovdqa\t144(%esp),%xmm3\n\tvpaddd\t%xmm6,%xmm2,%xmm2\n\tshldl\t$5,%ebx,%ebx\n\taddl\t%esi,%eax\n\tvpxor\t%xmm1,%xmm7,%xmm7\n\txorl\t%ecx,%ebp\n\txorl\t%edx,%ecx\n\taddl\t%ebx,%eax\n\taddl\t52(%esp),%edi\n\tvpsrld\t$30,%xmm7,%xmm1\n\tvmovdqa\t%xmm2,32(%esp)\n\tandl\t%ecx,%ebp\n\txorl\t%edx,%ecx\n\tshrdl\t$7,%ebx,%ebx\n\tmovl\t%eax,%esi\n\tvpslld\t$2,%xmm7,%xmm7\n\txorl\t%ecx,%ebp\n\tshldl\t$5,%eax,%eax\n\taddl\t%ebp,%edi\n\txorl\t%ebx,%esi\n\txorl\t%ecx,%ebx\n\taddl\t%eax,%edi\n\taddl\t56(%esp),%edx\n\tandl\t%ebx,%esi\n\tvpor\t%xmm1,%xmm7,%xmm7\n\txorl\t%ecx,%ebx\n\tshrdl\t$7,%eax,%eax\n\tvmovdqa\t64(%esp),%xmm1\n\tmovl\t%edi,%ebp\n\txorl\t%ebx,%esi\n\tshldl\t$5,%edi,%edi\n\taddl\t%esi,%edx\n\txorl\t%eax,%ebp\n\txorl\t%ebx,%eax\n\taddl\t%edi,%edx\n\taddl\t60(%esp),%ecx\n\tandl\t%eax,%ebp\n\txorl\t%ebx,%eax\n\tshrdl\t$7,%edi,%edi\n\tmovl\t%edx,%esi\n\txorl\t%eax,%ebp\n\tshldl\t$5,%edx,%edx\n\taddl\t%ebp,%ecx\n\txorl\t%edi,%esi\n\txorl\t%eax,%edi\n\taddl\t%edx,%ecx\n\tvpalignr\t$8,%xmm6,%xmm7,%xmm2\n\tvpxor\t%xmm4,%xmm0,%xmm0\n\taddl\t(%esp),%ebx\n\tandl\t%edi,%esi\n\txorl\t%eax,%edi\n\tshrdl\t$7,%edx,%edx\n\tvpxor\t%xmm1,%xmm0,%xmm0\n\tvmovdqa\t%xmm4,64(%esp)\n\tmovl\t%ecx,%ebp\n\txorl\t%edi,%esi\n\tvmovdqa\t%xmm3,%xmm4\n\tvpaddd\t%xmm7,%xmm3,%xmm3\n\tshldl\t$5,%ecx,%ecx\n\taddl\t%esi,%ebx\n\tvpxor\t%xmm2,%xmm0,%xmm0\n\txorl\t%edx,%ebp\n\txorl\t%edi,%edx\n\taddl\t%ecx,%ebx\n\taddl\t4(%esp),%eax\n\tvpsrld\t$30,%xmm0,%xmm2\n\tvmovdqa\t%xmm3,48(%esp)\n\tandl\t%edx,%ebp\n\txorl\t%edi,%edx\n\tshrdl\t$7,%ecx,%ecx\n\tmovl\t%ebx,%esi\n\tvpslld\t$2,%xmm0,%xmm0\n\txorl\t%edx,%ebp\n\tshldl\t$5,%ebx,%ebx\n\taddl\t%ebp,%eax\n\txorl\t%ecx,%esi\n\txorl\t%edx,%ecx\n\taddl\t%ebx,%eax\n\taddl\t8(%esp),%edi\n\tandl\t%ecx,%esi\n\tvpor\t%xmm2,%xmm0,%xmm0\n\txorl\t%edx,%ecx\n\tshrdl\t$7,%ebx,%ebx\n\tvmovdqa\t80(%esp),%xmm2\n\tmovl\t%eax,%ebp\n\txorl\t%ecx,%esi\n\tshldl\t$5,%eax,%eax\n\taddl\t%esi,%edi\n\txorl\t%ebx,%ebp\n\txorl\t%ecx,%ebx\n\taddl\t%eax,%edi\n\taddl\t12(%esp),%edx\n\tandl\t%ebx,%ebp\n\txorl\t%ecx,%ebx\n\tshrdl\t$7,%eax,%eax\n\tmovl\t%edi,%esi\n\txorl\t%ebx,%ebp\n\tshldl\t$5,%edi,%edi\n\taddl\t%ebp,%edx\n\txorl\t%eax,%esi\n\txorl\t%ebx,%eax\n\taddl\t%edi,%edx\n\tvpalignr\t$8,%xmm7,%xmm0,%xmm3\n\tvpxor\t%xmm5,%xmm1,%xmm1\n\taddl\t16(%esp),%ecx\n\tandl\t%eax,%esi\n\txorl\t%ebx,%eax\n\tshrdl\t$7,%edi,%edi\n\tvpxor\t%xmm2,%xmm1,%xmm1\n\tvmovdqa\t%xmm5,80(%esp)\n\tmovl\t%edx,%ebp\n\txorl\t%eax,%esi\n\tvmovdqa\t%xmm4,%xmm5\n\tvpaddd\t%xmm0,%xmm4,%xmm4\n\tshldl\t$5,%edx,%edx\n\taddl\t%esi,%ecx\n\tvpxor\t%xmm3,%xmm1,%xmm1\n\txorl\t%edi,%ebp\n\txorl\t%eax,%edi\n\taddl\t%edx,%ecx\n\taddl\t20(%esp),%ebx\n\tvpsrld\t$30,%xmm1,%xmm3\n\tvmovdqa\t%xmm4,(%esp)\n\tandl\t%edi,%ebp\n\txorl\t%eax,%edi\n\tshrdl\t$7,%edx,%edx\n\tmovl\t%ecx,%esi\n\tvpslld\t$2,%xmm1,%xmm1\n\txorl\t%edi,%ebp\n\tshldl\t$5,%ecx,%ecx\n\taddl\t%ebp,%ebx\n\txorl\t%edx,%esi\n\txorl\t%edi,%edx\n\taddl\t%ecx,%ebx\n\taddl\t24(%esp),%eax\n\tandl\t%edx,%esi\n\tvpor\t%xmm3,%xmm1,%xmm1\n\txorl\t%edi,%edx\n\tshrdl\t$7,%ecx,%ecx\n\tvmovdqa\t96(%esp),%xmm3\n\tmovl\t%ebx,%ebp\n\txorl\t%edx,%esi\n\tshldl\t$5,%ebx,%ebx\n\taddl\t%esi,%eax\n\txorl\t%ecx,%ebp\n\txorl\t%edx,%ecx\n\taddl\t%ebx,%eax\n\taddl\t28(%esp),%edi\n\tandl\t%ecx,%ebp\n\txorl\t%edx,%ecx\n\tshrdl\t$7,%ebx,%ebx\n\tmovl\t%eax,%esi\n\txorl\t%ecx,%ebp\n\tshldl\t$5,%eax,%eax\n\taddl\t%ebp,%edi\n\txorl\t%ebx,%esi\n\txorl\t%ecx,%ebx\n\taddl\t%eax,%edi\n\tvpalignr\t$8,%xmm0,%xmm1,%xmm4\n\tvpxor\t%xmm6,%xmm2,%xmm2\n\taddl\t32(%esp),%edx\n\tandl\t%ebx,%esi\n\txorl\t%ecx,%ebx\n\tshrdl\t$7,%eax,%eax\n\tvpxor\t%xmm3,%xmm2,%xmm2\n\tvmovdqa\t%xmm6,96(%esp)\n\tmovl\t%edi,%ebp\n\txorl\t%ebx,%esi\n\tvmovdqa\t%xmm5,%xmm6\n\tvpaddd\t%xmm1,%xmm5,%xmm5\n\tshldl\t$5,%edi,%edi\n\taddl\t%esi,%edx\n\tvpxor\t%xmm4,%xmm2,%xmm2\n\txorl\t%eax,%ebp\n\txorl\t%ebx,%eax\n\taddl\t%edi,%edx\n\taddl\t36(%esp),%ecx\n\tvpsrld\t$30,%xmm2,%xmm4\n\tvmovdqa\t%xmm5,16(%esp)\n\tandl\t%eax,%ebp\n\txorl\t%ebx,%eax\n\tshrdl\t$7,%edi,%edi\n\tmovl\t%edx,%esi\n\tvpslld\t$2,%xmm2,%xmm2\n\txorl\t%eax,%ebp\n\tshldl\t$5,%edx,%edx\n\taddl\t%ebp,%ecx\n\txorl\t%edi,%esi\n\txorl\t%eax,%edi\n\taddl\t%edx,%ecx\n\taddl\t40(%esp),%ebx\n\tandl\t%edi,%esi\n\tvpor\t%xmm4,%xmm2,%xmm2\n\txorl\t%eax,%edi\n\tshrdl\t$7,%edx,%edx\n\tvmovdqa\t64(%esp),%xmm4\n\tmovl\t%ecx,%ebp\n\txorl\t%edi,%esi\n\tshldl\t$5,%ecx,%ecx\n\taddl\t%esi,%ebx\n\txorl\t%edx,%ebp\n\txorl\t%edi,%edx\n\taddl\t%ecx,%ebx\n\taddl\t44(%esp),%eax\n\tandl\t%edx,%ebp\n\txorl\t%edi,%edx\n\tshrdl\t$7,%ecx,%ecx\n\tmovl\t%ebx,%esi\n\txorl\t%edx,%ebp\n\tshldl\t$5,%ebx,%ebx\n\taddl\t%ebp,%eax\n\txorl\t%edx,%esi\n\taddl\t%ebx,%eax\n\tvpalignr\t$8,%xmm1,%xmm2,%xmm5\n\tvpxor\t%xmm7,%xmm3,%xmm3\n\taddl\t48(%esp),%edi\n\txorl\t%ecx,%esi\n\tmovl\t%eax,%ebp\n\tshldl\t$5,%eax,%eax\n\tvpxor\t%xmm4,%xmm3,%xmm3\n\tvmovdqa\t%xmm7,64(%esp)\n\taddl\t%esi,%edi\n\txorl\t%ecx,%ebp\n\tvmovdqa\t%xmm6,%xmm7\n\tvpaddd\t%xmm2,%xmm6,%xmm6\n\tshrdl\t$7,%ebx,%ebx\n\taddl\t%eax,%edi\n\tvpxor\t%xmm5,%xmm3,%xmm3\n\taddl\t52(%esp),%edx\n\txorl\t%ebx,%ebp\n\tmovl\t%edi,%esi\n\tshldl\t$5,%edi,%edi\n\tvpsrld\t$30,%xmm3,%xmm5\n\tvmovdqa\t%xmm6,32(%esp)\n\taddl\t%ebp,%edx\n\txorl\t%ebx,%esi\n\tshrdl\t$7,%eax,%eax\n\taddl\t%edi,%edx\n\tvpslld\t$2,%xmm3,%xmm3\n\taddl\t56(%esp),%ecx\n\txorl\t%eax,%esi\n\tmovl\t%edx,%ebp\n\tshldl\t$5,%edx,%edx\n\taddl\t%esi,%ecx\n\txorl\t%eax,%ebp\n\tshrdl\t$7,%edi,%edi\n\taddl\t%edx,%ecx\n\tvpor\t%xmm5,%xmm3,%xmm3\n\taddl\t60(%esp),%ebx\n\txorl\t%edi,%ebp\n\tmovl\t%ecx,%esi\n\tshldl\t$5,%ecx,%ecx\n\taddl\t%ebp,%ebx\n\txorl\t%edi,%esi\n\tshrdl\t$7,%edx,%edx\n\taddl\t%ecx,%ebx\n\taddl\t(%esp),%eax\n\tvpaddd\t%xmm3,%xmm7,%xmm7\n\txorl\t%edx,%esi\n\tmovl\t%ebx,%ebp\n\tshldl\t$5,%ebx,%ebx\n\taddl\t%esi,%eax\n\tvmovdqa\t%xmm7,48(%esp)\n\txorl\t%edx,%ebp\n\tshrdl\t$7,%ecx,%ecx\n\taddl\t%ebx,%eax\n\taddl\t4(%esp),%edi\n\txorl\t%ecx,%ebp\n\tmovl\t%eax,%esi\n\tshldl\t$5,%eax,%eax\n\taddl\t%ebp,%edi\n\txorl\t%ecx,%esi\n\tshrdl\t$7,%ebx,%ebx\n\taddl\t%eax,%edi\n\taddl\t8(%esp),%edx\n\txorl\t%ebx,%esi\n\tmovl\t%edi,%ebp\n\tshldl\t$5,%edi,%edi\n\taddl\t%esi,%edx\n\txorl\t%ebx,%ebp\n\tshrdl\t$7,%eax,%eax\n\taddl\t%edi,%edx\n\taddl\t12(%esp),%ecx\n\txorl\t%eax,%ebp\n\tmovl\t%edx,%esi\n\tshldl\t$5,%edx,%edx\n\taddl\t%ebp,%ecx\n\txorl\t%eax,%esi\n\tshrdl\t$7,%edi,%edi\n\taddl\t%edx,%ecx\n\tmovl\t196(%esp),%ebp\n\tcmpl\t200(%esp),%ebp\n\tje\t.L006done\n\tvmovdqa\t160(%esp),%xmm7\n\tvmovdqa\t176(%esp),%xmm6\n\tvmovdqu\t(%ebp),%xmm0\n\tvmovdqu\t16(%ebp),%xmm1\n\tvmovdqu\t32(%ebp),%xmm2\n\tvmovdqu\t48(%ebp),%xmm3\n\taddl\t$64,%ebp\n\tvpshufb\t%xmm6,%xmm0,%xmm0\n\tmovl\t%ebp,196(%esp)\n\tvmovdqa\t%xmm7,96(%esp)\n\taddl\t16(%esp),%ebx\n\txorl\t%edi,%esi\n\tvpshufb\t%xmm6,%xmm1,%xmm1\n\tmovl\t%ecx,%ebp\n\tshldl\t$5,%ecx,%ecx\n\tvpaddd\t%xmm7,%xmm0,%xmm4\n\taddl\t%esi,%ebx\n\txorl\t%edi,%ebp\n\tshrdl\t$7,%edx,%edx\n\taddl\t%ecx,%ebx\n\tvmovdqa\t%xmm4,(%esp)\n\taddl\t20(%esp),%eax\n\txorl\t%edx,%ebp\n\tmovl\t%ebx,%esi\n\tshldl\t$5,%ebx,%ebx\n\taddl\t%ebp,%eax\n\txorl\t%edx,%esi\n\tshrdl\t$7,%ecx,%ecx\n\taddl\t%ebx,%eax\n\taddl\t24(%esp),%edi\n\txorl\t%ecx,%esi\n\tmovl\t%eax,%ebp\n\tshldl\t$5,%eax,%eax\n\taddl\t%esi,%edi\n\txorl\t%ecx,%ebp\n\tshrdl\t$7,%ebx,%ebx\n\taddl\t%eax,%edi\n\taddl\t28(%esp),%edx\n\txorl\t%ebx,%ebp\n\tmovl\t%edi,%esi\n\tshldl\t$5,%edi,%edi\n\taddl\t%ebp,%edx\n\txorl\t%ebx,%esi\n\tshrdl\t$7,%eax,%eax\n\taddl\t%edi,%edx\n\taddl\t32(%esp),%ecx\n\txorl\t%eax,%esi\n\tvpshufb\t%xmm6,%xmm2,%xmm2\n\tmovl\t%edx,%ebp\n\tshldl\t$5,%edx,%edx\n\tvpaddd\t%xmm7,%xmm1,%xmm5\n\taddl\t%esi,%ecx\n\txorl\t%eax,%ebp\n\tshrdl\t$7,%edi,%edi\n\taddl\t%edx,%ecx\n\tvmovdqa\t%xmm5,16(%esp)\n\taddl\t36(%esp),%ebx\n\txorl\t%edi,%ebp\n\tmovl\t%ecx,%esi\n\tshldl\t$5,%ecx,%ecx\n\taddl\t%ebp,%ebx\n\txorl\t%edi,%esi\n\tshrdl\t$7,%edx,%edx\n\taddl\t%ecx,%ebx\n\taddl\t40(%esp),%eax\n\txorl\t%edx,%esi\n\tmovl\t%ebx,%ebp\n\tshldl\t$5,%ebx,%ebx\n\taddl\t%esi,%eax\n\txorl\t%edx,%ebp\n\tshrdl\t$7,%ecx,%ecx\n\taddl\t%ebx,%eax\n\taddl\t44(%esp),%edi\n\txorl\t%ecx,%ebp\n\tmovl\t%eax,%esi\n\tshldl\t$5,%eax,%eax\n\taddl\t%ebp,%edi\n\txorl\t%ecx,%esi\n\tshrdl\t$7,%ebx,%ebx\n\taddl\t%eax,%edi\n\taddl\t48(%esp),%edx\n\txorl\t%ebx,%esi\n\tvpshufb\t%xmm6,%xmm3,%xmm3\n\tmovl\t%edi,%ebp\n\tshldl\t$5,%edi,%edi\n\tvpaddd\t%xmm7,%xmm2,%xmm6\n\taddl\t%esi,%edx\n\txorl\t%ebx,%ebp\n\tshrdl\t$7,%eax,%eax\n\taddl\t%edi,%edx\n\tvmovdqa\t%xmm6,32(%esp)\n\taddl\t52(%esp),%ecx\n\txorl\t%eax,%ebp\n\tmovl\t%edx,%esi\n\tshldl\t$5,%edx,%edx\n\taddl\t%ebp,%ecx\n\txorl\t%eax,%esi\n\tshrdl\t$7,%edi,%edi\n\taddl\t%edx,%ecx\n\taddl\t56(%esp),%ebx\n\txorl\t%edi,%esi\n\tmovl\t%ecx,%ebp\n\tshldl\t$5,%ecx,%ecx\n\taddl\t%esi,%ebx\n\txorl\t%edi,%ebp\n\tshrdl\t$7,%edx,%edx\n\taddl\t%ecx,%ebx\n\taddl\t60(%esp),%eax\n\txorl\t%edx,%ebp\n\tmovl\t%ebx,%esi\n\tshldl\t$5,%ebx,%ebx\n\taddl\t%ebp,%eax\n\tshrdl\t$7,%ecx,%ecx\n\taddl\t%ebx,%eax\n\tmovl\t192(%esp),%ebp\n\taddl\t(%ebp),%eax\n\taddl\t4(%ebp),%esi\n\taddl\t8(%ebp),%ecx\n\tmovl\t%eax,(%ebp)\n\taddl\t12(%ebp),%edx\n\tmovl\t%esi,4(%ebp)\n\taddl\t16(%ebp),%edi\n\tmovl\t%ecx,%ebx\n\tmovl\t%ecx,8(%ebp)\n\txorl\t%edx,%ebx\n\tmovl\t%edx,12(%ebp)\n\tmovl\t%edi,16(%ebp)\n\tmovl\t%esi,%ebp\n\tandl\t%ebx,%esi\n\tmovl\t%ebp,%ebx\n\tjmp\t.L005loop\n.align\t16\n.L006done:\n\taddl\t16(%esp),%ebx\n\txorl\t%edi,%esi\n\tmovl\t%ecx,%ebp\n\tshldl\t$5,%ecx,%ecx\n\taddl\t%esi,%ebx\n\txorl\t%edi,%ebp\n\tshrdl\t$7,%edx,%edx\n\taddl\t%ecx,%ebx\n\taddl\t20(%esp),%eax\n\txorl\t%edx,%ebp\n\tmovl\t%ebx,%esi\n\tshldl\t$5,%ebx,%ebx\n\taddl\t%ebp,%eax\n\txorl\t%edx,%esi\n\tshrdl\t$7,%ecx,%ecx\n\taddl\t%ebx,%eax\n\taddl\t24(%esp),%edi\n\txorl\t%ecx,%esi\n\tmovl\t%eax,%ebp\n\tshldl\t$5,%eax,%eax\n\taddl\t%esi,%edi\n\txorl\t%ecx,%ebp\n\tshrdl\t$7,%ebx,%ebx\n\taddl\t%eax,%edi\n\taddl\t28(%esp),%edx\n\txorl\t%ebx,%ebp\n\tmovl\t%edi,%esi\n\tshldl\t$5,%edi,%edi\n\taddl\t%ebp,%edx\n\txorl\t%ebx,%esi\n\tshrdl\t$7,%eax,%eax\n\taddl\t%edi,%edx\n\taddl\t32(%esp),%ecx\n\txorl\t%eax,%esi\n\tmovl\t%edx,%ebp\n\tshldl\t$5,%edx,%edx\n\taddl\t%esi,%ecx\n\txorl\t%eax,%ebp\n\tshrdl\t$7,%edi,%edi\n\taddl\t%edx,%ecx\n\taddl\t36(%esp),%ebx\n\txorl\t%edi,%ebp\n\tmovl\t%ecx,%esi\n\tshldl\t$5,%ecx,%ecx\n\taddl\t%ebp,%ebx\n\txorl\t%edi,%esi\n\tshrdl\t$7,%edx,%edx\n\taddl\t%ecx,%ebx\n\taddl\t40(%esp),%eax\n\txorl\t%edx,%esi\n\tmovl\t%ebx,%ebp\n\tshldl\t$5,%ebx,%ebx\n\taddl\t%esi,%eax\n\txorl\t%edx,%ebp\n\tshrdl\t$7,%ecx,%ecx\n\taddl\t%ebx,%eax\n\taddl\t44(%esp),%edi\n\txorl\t%ecx,%ebp\n\tmovl\t%eax,%esi\n\tshldl\t$5,%eax,%eax\n\taddl\t%ebp,%edi\n\txorl\t%ecx,%esi\n\tshrdl\t$7,%ebx,%ebx\n\taddl\t%eax,%edi\n\taddl\t48(%esp),%edx\n\txorl\t%ebx,%esi\n\tmovl\t%edi,%ebp\n\tshldl\t$5,%edi,%edi\n\taddl\t%esi,%edx\n\txorl\t%ebx,%ebp\n\tshrdl\t$7,%eax,%eax\n\taddl\t%edi,%edx\n\taddl\t52(%esp),%ecx\n\txorl\t%eax,%ebp\n\tmovl\t%edx,%esi\n\tshldl\t$5,%edx,%edx\n\taddl\t%ebp,%ecx\n\txorl\t%eax,%esi\n\tshrdl\t$7,%edi,%edi\n\taddl\t%edx,%ecx\n\taddl\t56(%esp),%ebx\n\txorl\t%edi,%esi\n\tmovl\t%ecx,%ebp\n\tshldl\t$5,%ecx,%ecx\n\taddl\t%esi,%ebx\n\txorl\t%edi,%ebp\n\tshrdl\t$7,%edx,%edx\n\taddl\t%ecx,%ebx\n\taddl\t60(%esp),%eax\n\txorl\t%edx,%ebp\n\tmovl\t%ebx,%esi\n\tshldl\t$5,%ebx,%ebx\n\taddl\t%ebp,%eax\n\tshrdl\t$7,%ecx,%ecx\n\taddl\t%ebx,%eax\n\tvzeroall\n\tmovl\t192(%esp),%ebp\n\taddl\t(%ebp),%eax\n\tmovl\t204(%esp),%esp\n\taddl\t4(%ebp),%esi\n\taddl\t8(%ebp),%ecx\n\tmovl\t%eax,(%ebp)\n\taddl\t12(%ebp),%edx\n\tmovl\t%esi,4(%ebp)\n\taddl\t16(%ebp),%edi\n\tmovl\t%ecx,8(%ebp)\n\tmovl\t%edx,12(%ebp)\n\tmovl\t%edi,16(%ebp)\n\tpopl\t%edi\n\tpopl\t%esi\n\tpopl\t%ebx\n\tpopl\t%ebp\n\tret\n.size\tsha1_block_data_order_avx,.-.L_sha1_block_data_order_avx_begin\n.align\t64\n.LK_XX_XX:\n.long\t1518500249,1518500249,1518500249,1518500249\n.long\t1859775393,1859775393,1859775393,1859775393\n.long\t2400959708,2400959708,2400959708,2400959708\n.long\t3395469782,3395469782,3395469782,3395469782\n.long\t66051,67438087,134810123,202182159\n.byte\t15,14,13,12,11,10,9,8,7,6,5,4,3,2,1,0\n.byte\t83,72,65,49,32,98,108,111,99,107,32,116,114,97,110,115\n.byte\t102,111,114,109,32,102,111,114,32,120,56,54,44,32,67,82\n.byte\t89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112\n.byte\t114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0\n#endif // !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86) && defined(__ELF__)\n#if defined(__linux__) && defined(__ELF__)\n.section .note.GNU-stack,\"\",%progbits\n#endif\n\n" }, { "path": "Sources/CNIOBoringSSL/gen/bcm/sha1-armv4-large-linux.S", "content": "#define BORINGSSL_PREFIX CNIOBoringSSL\n// This file is generated from a similarly-named Perl script in the BoringSSL\n// source tree. Do not edit by hand.\n\n#include \n\n#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_ARM) && defined(__ELF__)\n#include \n\n.text\n#if defined(__thumb2__)\n.syntax\tunified\n.thumb\n#else\n.code\t32\n#endif\n\n.globl\tsha1_block_data_order_nohw\n.hidden\tsha1_block_data_order_nohw\n.type\tsha1_block_data_order_nohw,%function\n\n.align\t5\nsha1_block_data_order_nohw:\n\tstmdb\tsp!,{r4,r5,r6,r7,r8,r9,r10,r11,r12,lr}\n\tadd\tr2,r1,r2,lsl#6\t@ r2 to point at the end of r1\n\tldmia\tr0,{r3,r4,r5,r6,r7}\n.Lloop:\n\tldr\tr8,.LK_00_19\n\tmov\tr14,sp\n\tsub\tsp,sp,#15*4\n\tmov\tr5,r5,ror#30\n\tmov\tr6,r6,ror#30\n\tmov\tr7,r7,ror#30\t\t@ [6]\n.L_00_15:\n#if __ARM_ARCH<7\n\tldrb\tr10,[r1,#2]\n\tldrb\tr9,[r1,#3]\n\tldrb\tr11,[r1,#1]\n\tadd\tr7,r8,r7,ror#2\t\t\t@ E+=K_00_19\n\tldrb\tr12,[r1],#4\n\torr\tr9,r9,r10,lsl#8\n\teor\tr10,r5,r6\t\t\t@ F_xx_xx\n\torr\tr9,r9,r11,lsl#16\n\tadd\tr7,r7,r3,ror#27\t\t\t@ E+=ROR(A,27)\n\torr\tr9,r9,r12,lsl#24\n#else\n\tldr\tr9,[r1],#4\t\t\t@ handles unaligned\n\tadd\tr7,r8,r7,ror#2\t\t\t@ E+=K_00_19\n\teor\tr10,r5,r6\t\t\t@ F_xx_xx\n\tadd\tr7,r7,r3,ror#27\t\t\t@ E+=ROR(A,27)\n#ifdef __ARMEL__\n\trev\tr9,r9\t\t\t\t@ byte swap\n#endif\n#endif\n\tand\tr10,r4,r10,ror#2\n\tadd\tr7,r7,r9\t\t\t@ E+=X[i]\n\teor\tr10,r10,r6,ror#2\t\t@ F_00_19(B,C,D)\n\tstr\tr9,[r14,#-4]!\n\tadd\tr7,r7,r10\t\t\t@ E+=F_00_19(B,C,D)\n#if __ARM_ARCH<7\n\tldrb\tr10,[r1,#2]\n\tldrb\tr9,[r1,#3]\n\tldrb\tr11,[r1,#1]\n\tadd\tr6,r8,r6,ror#2\t\t\t@ E+=K_00_19\n\tldrb\tr12,[r1],#4\n\torr\tr9,r9,r10,lsl#8\n\teor\tr10,r4,r5\t\t\t@ F_xx_xx\n\torr\tr9,r9,r11,lsl#16\n\tadd\tr6,r6,r7,ror#27\t\t\t@ E+=ROR(A,27)\n\torr\tr9,r9,r12,lsl#24\n#else\n\tldr\tr9,[r1],#4\t\t\t@ handles unaligned\n\tadd\tr6,r8,r6,ror#2\t\t\t@ E+=K_00_19\n\teor\tr10,r4,r5\t\t\t@ F_xx_xx\n\tadd\tr6,r6,r7,ror#27\t\t\t@ E+=ROR(A,27)\n#ifdef __ARMEL__\n\trev\tr9,r9\t\t\t\t@ byte swap\n#endif\n#endif\n\tand\tr10,r3,r10,ror#2\n\tadd\tr6,r6,r9\t\t\t@ E+=X[i]\n\teor\tr10,r10,r5,ror#2\t\t@ F_00_19(B,C,D)\n\tstr\tr9,[r14,#-4]!\n\tadd\tr6,r6,r10\t\t\t@ E+=F_00_19(B,C,D)\n#if __ARM_ARCH<7\n\tldrb\tr10,[r1,#2]\n\tldrb\tr9,[r1,#3]\n\tldrb\tr11,[r1,#1]\n\tadd\tr5,r8,r5,ror#2\t\t\t@ E+=K_00_19\n\tldrb\tr12,[r1],#4\n\torr\tr9,r9,r10,lsl#8\n\teor\tr10,r3,r4\t\t\t@ F_xx_xx\n\torr\tr9,r9,r11,lsl#16\n\tadd\tr5,r5,r6,ror#27\t\t\t@ E+=ROR(A,27)\n\torr\tr9,r9,r12,lsl#24\n#else\n\tldr\tr9,[r1],#4\t\t\t@ handles unaligned\n\tadd\tr5,r8,r5,ror#2\t\t\t@ E+=K_00_19\n\teor\tr10,r3,r4\t\t\t@ F_xx_xx\n\tadd\tr5,r5,r6,ror#27\t\t\t@ E+=ROR(A,27)\n#ifdef __ARMEL__\n\trev\tr9,r9\t\t\t\t@ byte swap\n#endif\n#endif\n\tand\tr10,r7,r10,ror#2\n\tadd\tr5,r5,r9\t\t\t@ E+=X[i]\n\teor\tr10,r10,r4,ror#2\t\t@ F_00_19(B,C,D)\n\tstr\tr9,[r14,#-4]!\n\tadd\tr5,r5,r10\t\t\t@ E+=F_00_19(B,C,D)\n#if __ARM_ARCH<7\n\tldrb\tr10,[r1,#2]\n\tldrb\tr9,[r1,#3]\n\tldrb\tr11,[r1,#1]\n\tadd\tr4,r8,r4,ror#2\t\t\t@ E+=K_00_19\n\tldrb\tr12,[r1],#4\n\torr\tr9,r9,r10,lsl#8\n\teor\tr10,r7,r3\t\t\t@ F_xx_xx\n\torr\tr9,r9,r11,lsl#16\n\tadd\tr4,r4,r5,ror#27\t\t\t@ E+=ROR(A,27)\n\torr\tr9,r9,r12,lsl#24\n#else\n\tldr\tr9,[r1],#4\t\t\t@ handles unaligned\n\tadd\tr4,r8,r4,ror#2\t\t\t@ E+=K_00_19\n\teor\tr10,r7,r3\t\t\t@ F_xx_xx\n\tadd\tr4,r4,r5,ror#27\t\t\t@ E+=ROR(A,27)\n#ifdef __ARMEL__\n\trev\tr9,r9\t\t\t\t@ byte swap\n#endif\n#endif\n\tand\tr10,r6,r10,ror#2\n\tadd\tr4,r4,r9\t\t\t@ E+=X[i]\n\teor\tr10,r10,r3,ror#2\t\t@ F_00_19(B,C,D)\n\tstr\tr9,[r14,#-4]!\n\tadd\tr4,r4,r10\t\t\t@ E+=F_00_19(B,C,D)\n#if __ARM_ARCH<7\n\tldrb\tr10,[r1,#2]\n\tldrb\tr9,[r1,#3]\n\tldrb\tr11,[r1,#1]\n\tadd\tr3,r8,r3,ror#2\t\t\t@ E+=K_00_19\n\tldrb\tr12,[r1],#4\n\torr\tr9,r9,r10,lsl#8\n\teor\tr10,r6,r7\t\t\t@ F_xx_xx\n\torr\tr9,r9,r11,lsl#16\n\tadd\tr3,r3,r4,ror#27\t\t\t@ E+=ROR(A,27)\n\torr\tr9,r9,r12,lsl#24\n#else\n\tldr\tr9,[r1],#4\t\t\t@ handles unaligned\n\tadd\tr3,r8,r3,ror#2\t\t\t@ E+=K_00_19\n\teor\tr10,r6,r7\t\t\t@ F_xx_xx\n\tadd\tr3,r3,r4,ror#27\t\t\t@ E+=ROR(A,27)\n#ifdef __ARMEL__\n\trev\tr9,r9\t\t\t\t@ byte swap\n#endif\n#endif\n\tand\tr10,r5,r10,ror#2\n\tadd\tr3,r3,r9\t\t\t@ E+=X[i]\n\teor\tr10,r10,r7,ror#2\t\t@ F_00_19(B,C,D)\n\tstr\tr9,[r14,#-4]!\n\tadd\tr3,r3,r10\t\t\t@ E+=F_00_19(B,C,D)\n#if defined(__thumb2__)\n\tmov\tr12,sp\n\tteq\tr14,r12\n#else\n\tteq\tr14,sp\n#endif\n\tbne\t.L_00_15\t\t@ [((11+4)*5+2)*3]\n\tsub\tsp,sp,#25*4\n#if __ARM_ARCH<7\n\tldrb\tr10,[r1,#2]\n\tldrb\tr9,[r1,#3]\n\tldrb\tr11,[r1,#1]\n\tadd\tr7,r8,r7,ror#2\t\t\t@ E+=K_00_19\n\tldrb\tr12,[r1],#4\n\torr\tr9,r9,r10,lsl#8\n\teor\tr10,r5,r6\t\t\t@ F_xx_xx\n\torr\tr9,r9,r11,lsl#16\n\tadd\tr7,r7,r3,ror#27\t\t\t@ E+=ROR(A,27)\n\torr\tr9,r9,r12,lsl#24\n#else\n\tldr\tr9,[r1],#4\t\t\t@ handles unaligned\n\tadd\tr7,r8,r7,ror#2\t\t\t@ E+=K_00_19\n\teor\tr10,r5,r6\t\t\t@ F_xx_xx\n\tadd\tr7,r7,r3,ror#27\t\t\t@ E+=ROR(A,27)\n#ifdef __ARMEL__\n\trev\tr9,r9\t\t\t\t@ byte swap\n#endif\n#endif\n\tand\tr10,r4,r10,ror#2\n\tadd\tr7,r7,r9\t\t\t@ E+=X[i]\n\teor\tr10,r10,r6,ror#2\t\t@ F_00_19(B,C,D)\n\tstr\tr9,[r14,#-4]!\n\tadd\tr7,r7,r10\t\t\t@ E+=F_00_19(B,C,D)\n\tldr\tr9,[r14,#15*4]\n\tldr\tr10,[r14,#13*4]\n\tldr\tr11,[r14,#7*4]\n\tadd\tr6,r8,r6,ror#2\t\t\t@ E+=K_xx_xx\n\tldr\tr12,[r14,#2*4]\n\teor\tr9,r9,r10\n\teor\tr11,r11,r12\t\t\t@ 1 cycle stall\n\teor\tr10,r4,r5\t\t\t@ F_xx_xx\n\tmov\tr9,r9,ror#31\n\tadd\tr6,r6,r7,ror#27\t\t\t@ E+=ROR(A,27)\n\teor\tr9,r9,r11,ror#31\n\tstr\tr9,[r14,#-4]!\n\tand\tr10,r3,r10,ror#2\t\t\t\t\t@ F_xx_xx\n\t\t\t\t\t\t@ F_xx_xx\n\tadd\tr6,r6,r9\t\t\t@ E+=X[i]\n\teor\tr10,r10,r5,ror#2\t\t@ F_00_19(B,C,D)\n\tadd\tr6,r6,r10\t\t\t@ E+=F_00_19(B,C,D)\n\tldr\tr9,[r14,#15*4]\n\tldr\tr10,[r14,#13*4]\n\tldr\tr11,[r14,#7*4]\n\tadd\tr5,r8,r5,ror#2\t\t\t@ E+=K_xx_xx\n\tldr\tr12,[r14,#2*4]\n\teor\tr9,r9,r10\n\teor\tr11,r11,r12\t\t\t@ 1 cycle stall\n\teor\tr10,r3,r4\t\t\t@ F_xx_xx\n\tmov\tr9,r9,ror#31\n\tadd\tr5,r5,r6,ror#27\t\t\t@ E+=ROR(A,27)\n\teor\tr9,r9,r11,ror#31\n\tstr\tr9,[r14,#-4]!\n\tand\tr10,r7,r10,ror#2\t\t\t\t\t@ F_xx_xx\n\t\t\t\t\t\t@ F_xx_xx\n\tadd\tr5,r5,r9\t\t\t@ E+=X[i]\n\teor\tr10,r10,r4,ror#2\t\t@ F_00_19(B,C,D)\n\tadd\tr5,r5,r10\t\t\t@ E+=F_00_19(B,C,D)\n\tldr\tr9,[r14,#15*4]\n\tldr\tr10,[r14,#13*4]\n\tldr\tr11,[r14,#7*4]\n\tadd\tr4,r8,r4,ror#2\t\t\t@ E+=K_xx_xx\n\tldr\tr12,[r14,#2*4]\n\teor\tr9,r9,r10\n\teor\tr11,r11,r12\t\t\t@ 1 cycle stall\n\teor\tr10,r7,r3\t\t\t@ F_xx_xx\n\tmov\tr9,r9,ror#31\n\tadd\tr4,r4,r5,ror#27\t\t\t@ E+=ROR(A,27)\n\teor\tr9,r9,r11,ror#31\n\tstr\tr9,[r14,#-4]!\n\tand\tr10,r6,r10,ror#2\t\t\t\t\t@ F_xx_xx\n\t\t\t\t\t\t@ F_xx_xx\n\tadd\tr4,r4,r9\t\t\t@ E+=X[i]\n\teor\tr10,r10,r3,ror#2\t\t@ F_00_19(B,C,D)\n\tadd\tr4,r4,r10\t\t\t@ E+=F_00_19(B,C,D)\n\tldr\tr9,[r14,#15*4]\n\tldr\tr10,[r14,#13*4]\n\tldr\tr11,[r14,#7*4]\n\tadd\tr3,r8,r3,ror#2\t\t\t@ E+=K_xx_xx\n\tldr\tr12,[r14,#2*4]\n\teor\tr9,r9,r10\n\teor\tr11,r11,r12\t\t\t@ 1 cycle stall\n\teor\tr10,r6,r7\t\t\t@ F_xx_xx\n\tmov\tr9,r9,ror#31\n\tadd\tr3,r3,r4,ror#27\t\t\t@ E+=ROR(A,27)\n\teor\tr9,r9,r11,ror#31\n\tstr\tr9,[r14,#-4]!\n\tand\tr10,r5,r10,ror#2\t\t\t\t\t@ F_xx_xx\n\t\t\t\t\t\t@ F_xx_xx\n\tadd\tr3,r3,r9\t\t\t@ E+=X[i]\n\teor\tr10,r10,r7,ror#2\t\t@ F_00_19(B,C,D)\n\tadd\tr3,r3,r10\t\t\t@ E+=F_00_19(B,C,D)\n\n\tldr\tr8,.LK_20_39\t\t@ [+15+16*4]\n\tcmn\tsp,#0\t\t\t@ [+3], clear carry to denote 20_39\n.L_20_39_or_60_79:\n\tldr\tr9,[r14,#15*4]\n\tldr\tr10,[r14,#13*4]\n\tldr\tr11,[r14,#7*4]\n\tadd\tr7,r8,r7,ror#2\t\t\t@ E+=K_xx_xx\n\tldr\tr12,[r14,#2*4]\n\teor\tr9,r9,r10\n\teor\tr11,r11,r12\t\t\t@ 1 cycle stall\n\teor\tr10,r5,r6\t\t\t@ F_xx_xx\n\tmov\tr9,r9,ror#31\n\tadd\tr7,r7,r3,ror#27\t\t\t@ E+=ROR(A,27)\n\teor\tr9,r9,r11,ror#31\n\tstr\tr9,[r14,#-4]!\n\teor\tr10,r4,r10,ror#2\t\t\t\t\t@ F_xx_xx\n\t\t\t\t\t\t@ F_xx_xx\n\tadd\tr7,r7,r9\t\t\t@ E+=X[i]\n\tadd\tr7,r7,r10\t\t\t@ E+=F_20_39(B,C,D)\n\tldr\tr9,[r14,#15*4]\n\tldr\tr10,[r14,#13*4]\n\tldr\tr11,[r14,#7*4]\n\tadd\tr6,r8,r6,ror#2\t\t\t@ E+=K_xx_xx\n\tldr\tr12,[r14,#2*4]\n\teor\tr9,r9,r10\n\teor\tr11,r11,r12\t\t\t@ 1 cycle stall\n\teor\tr10,r4,r5\t\t\t@ F_xx_xx\n\tmov\tr9,r9,ror#31\n\tadd\tr6,r6,r7,ror#27\t\t\t@ E+=ROR(A,27)\n\teor\tr9,r9,r11,ror#31\n\tstr\tr9,[r14,#-4]!\n\teor\tr10,r3,r10,ror#2\t\t\t\t\t@ F_xx_xx\n\t\t\t\t\t\t@ F_xx_xx\n\tadd\tr6,r6,r9\t\t\t@ E+=X[i]\n\tadd\tr6,r6,r10\t\t\t@ E+=F_20_39(B,C,D)\n\tldr\tr9,[r14,#15*4]\n\tldr\tr10,[r14,#13*4]\n\tldr\tr11,[r14,#7*4]\n\tadd\tr5,r8,r5,ror#2\t\t\t@ E+=K_xx_xx\n\tldr\tr12,[r14,#2*4]\n\teor\tr9,r9,r10\n\teor\tr11,r11,r12\t\t\t@ 1 cycle stall\n\teor\tr10,r3,r4\t\t\t@ F_xx_xx\n\tmov\tr9,r9,ror#31\n\tadd\tr5,r5,r6,ror#27\t\t\t@ E+=ROR(A,27)\n\teor\tr9,r9,r11,ror#31\n\tstr\tr9,[r14,#-4]!\n\teor\tr10,r7,r10,ror#2\t\t\t\t\t@ F_xx_xx\n\t\t\t\t\t\t@ F_xx_xx\n\tadd\tr5,r5,r9\t\t\t@ E+=X[i]\n\tadd\tr5,r5,r10\t\t\t@ E+=F_20_39(B,C,D)\n\tldr\tr9,[r14,#15*4]\n\tldr\tr10,[r14,#13*4]\n\tldr\tr11,[r14,#7*4]\n\tadd\tr4,r8,r4,ror#2\t\t\t@ E+=K_xx_xx\n\tldr\tr12,[r14,#2*4]\n\teor\tr9,r9,r10\n\teor\tr11,r11,r12\t\t\t@ 1 cycle stall\n\teor\tr10,r7,r3\t\t\t@ F_xx_xx\n\tmov\tr9,r9,ror#31\n\tadd\tr4,r4,r5,ror#27\t\t\t@ E+=ROR(A,27)\n\teor\tr9,r9,r11,ror#31\n\tstr\tr9,[r14,#-4]!\n\teor\tr10,r6,r10,ror#2\t\t\t\t\t@ F_xx_xx\n\t\t\t\t\t\t@ F_xx_xx\n\tadd\tr4,r4,r9\t\t\t@ E+=X[i]\n\tadd\tr4,r4,r10\t\t\t@ E+=F_20_39(B,C,D)\n\tldr\tr9,[r14,#15*4]\n\tldr\tr10,[r14,#13*4]\n\tldr\tr11,[r14,#7*4]\n\tadd\tr3,r8,r3,ror#2\t\t\t@ E+=K_xx_xx\n\tldr\tr12,[r14,#2*4]\n\teor\tr9,r9,r10\n\teor\tr11,r11,r12\t\t\t@ 1 cycle stall\n\teor\tr10,r6,r7\t\t\t@ F_xx_xx\n\tmov\tr9,r9,ror#31\n\tadd\tr3,r3,r4,ror#27\t\t\t@ E+=ROR(A,27)\n\teor\tr9,r9,r11,ror#31\n\tstr\tr9,[r14,#-4]!\n\teor\tr10,r5,r10,ror#2\t\t\t\t\t@ F_xx_xx\n\t\t\t\t\t\t@ F_xx_xx\n\tadd\tr3,r3,r9\t\t\t@ E+=X[i]\n\tadd\tr3,r3,r10\t\t\t@ E+=F_20_39(B,C,D)\n#if defined(__thumb2__)\n\tmov\tr12,sp\n\tteq\tr14,r12\n#else\n\tteq\tr14,sp\t\t\t@ preserve carry\n#endif\n\tbne\t.L_20_39_or_60_79\t@ [+((12+3)*5+2)*4]\n\tbcs\t.L_done\t\t\t@ [+((12+3)*5+2)*4], spare 300 bytes\n\n\tldr\tr8,.LK_40_59\n\tsub\tsp,sp,#20*4\t\t@ [+2]\n.L_40_59:\n\tldr\tr9,[r14,#15*4]\n\tldr\tr10,[r14,#13*4]\n\tldr\tr11,[r14,#7*4]\n\tadd\tr7,r8,r7,ror#2\t\t\t@ E+=K_xx_xx\n\tldr\tr12,[r14,#2*4]\n\teor\tr9,r9,r10\n\teor\tr11,r11,r12\t\t\t@ 1 cycle stall\n\teor\tr10,r5,r6\t\t\t@ F_xx_xx\n\tmov\tr9,r9,ror#31\n\tadd\tr7,r7,r3,ror#27\t\t\t@ E+=ROR(A,27)\n\teor\tr9,r9,r11,ror#31\n\tstr\tr9,[r14,#-4]!\n\tand\tr10,r4,r10,ror#2\t\t\t\t\t@ F_xx_xx\n\tand\tr11,r5,r6\t\t\t\t\t@ F_xx_xx\n\tadd\tr7,r7,r9\t\t\t@ E+=X[i]\n\tadd\tr7,r7,r10\t\t\t@ E+=F_40_59(B,C,D)\n\tadd\tr7,r7,r11,ror#2\n\tldr\tr9,[r14,#15*4]\n\tldr\tr10,[r14,#13*4]\n\tldr\tr11,[r14,#7*4]\n\tadd\tr6,r8,r6,ror#2\t\t\t@ E+=K_xx_xx\n\tldr\tr12,[r14,#2*4]\n\teor\tr9,r9,r10\n\teor\tr11,r11,r12\t\t\t@ 1 cycle stall\n\teor\tr10,r4,r5\t\t\t@ F_xx_xx\n\tmov\tr9,r9,ror#31\n\tadd\tr6,r6,r7,ror#27\t\t\t@ E+=ROR(A,27)\n\teor\tr9,r9,r11,ror#31\n\tstr\tr9,[r14,#-4]!\n\tand\tr10,r3,r10,ror#2\t\t\t\t\t@ F_xx_xx\n\tand\tr11,r4,r5\t\t\t\t\t@ F_xx_xx\n\tadd\tr6,r6,r9\t\t\t@ E+=X[i]\n\tadd\tr6,r6,r10\t\t\t@ E+=F_40_59(B,C,D)\n\tadd\tr6,r6,r11,ror#2\n\tldr\tr9,[r14,#15*4]\n\tldr\tr10,[r14,#13*4]\n\tldr\tr11,[r14,#7*4]\n\tadd\tr5,r8,r5,ror#2\t\t\t@ E+=K_xx_xx\n\tldr\tr12,[r14,#2*4]\n\teor\tr9,r9,r10\n\teor\tr11,r11,r12\t\t\t@ 1 cycle stall\n\teor\tr10,r3,r4\t\t\t@ F_xx_xx\n\tmov\tr9,r9,ror#31\n\tadd\tr5,r5,r6,ror#27\t\t\t@ E+=ROR(A,27)\n\teor\tr9,r9,r11,ror#31\n\tstr\tr9,[r14,#-4]!\n\tand\tr10,r7,r10,ror#2\t\t\t\t\t@ F_xx_xx\n\tand\tr11,r3,r4\t\t\t\t\t@ F_xx_xx\n\tadd\tr5,r5,r9\t\t\t@ E+=X[i]\n\tadd\tr5,r5,r10\t\t\t@ E+=F_40_59(B,C,D)\n\tadd\tr5,r5,r11,ror#2\n\tldr\tr9,[r14,#15*4]\n\tldr\tr10,[r14,#13*4]\n\tldr\tr11,[r14,#7*4]\n\tadd\tr4,r8,r4,ror#2\t\t\t@ E+=K_xx_xx\n\tldr\tr12,[r14,#2*4]\n\teor\tr9,r9,r10\n\teor\tr11,r11,r12\t\t\t@ 1 cycle stall\n\teor\tr10,r7,r3\t\t\t@ F_xx_xx\n\tmov\tr9,r9,ror#31\n\tadd\tr4,r4,r5,ror#27\t\t\t@ E+=ROR(A,27)\n\teor\tr9,r9,r11,ror#31\n\tstr\tr9,[r14,#-4]!\n\tand\tr10,r6,r10,ror#2\t\t\t\t\t@ F_xx_xx\n\tand\tr11,r7,r3\t\t\t\t\t@ F_xx_xx\n\tadd\tr4,r4,r9\t\t\t@ E+=X[i]\n\tadd\tr4,r4,r10\t\t\t@ E+=F_40_59(B,C,D)\n\tadd\tr4,r4,r11,ror#2\n\tldr\tr9,[r14,#15*4]\n\tldr\tr10,[r14,#13*4]\n\tldr\tr11,[r14,#7*4]\n\tadd\tr3,r8,r3,ror#2\t\t\t@ E+=K_xx_xx\n\tldr\tr12,[r14,#2*4]\n\teor\tr9,r9,r10\n\teor\tr11,r11,r12\t\t\t@ 1 cycle stall\n\teor\tr10,r6,r7\t\t\t@ F_xx_xx\n\tmov\tr9,r9,ror#31\n\tadd\tr3,r3,r4,ror#27\t\t\t@ E+=ROR(A,27)\n\teor\tr9,r9,r11,ror#31\n\tstr\tr9,[r14,#-4]!\n\tand\tr10,r5,r10,ror#2\t\t\t\t\t@ F_xx_xx\n\tand\tr11,r6,r7\t\t\t\t\t@ F_xx_xx\n\tadd\tr3,r3,r9\t\t\t@ E+=X[i]\n\tadd\tr3,r3,r10\t\t\t@ E+=F_40_59(B,C,D)\n\tadd\tr3,r3,r11,ror#2\n#if defined(__thumb2__)\n\tmov\tr12,sp\n\tteq\tr14,r12\n#else\n\tteq\tr14,sp\n#endif\n\tbne\t.L_40_59\t\t@ [+((12+5)*5+2)*4]\n\n\tldr\tr8,.LK_60_79\n\tsub\tsp,sp,#20*4\n\tcmp\tsp,#0\t\t\t@ set carry to denote 60_79\n\tb\t.L_20_39_or_60_79\t@ [+4], spare 300 bytes\n.L_done:\n\tadd\tsp,sp,#80*4\t\t@ \"deallocate\" stack frame\n\tldmia\tr0,{r8,r9,r10,r11,r12}\n\tadd\tr3,r8,r3\n\tadd\tr4,r9,r4\n\tadd\tr5,r10,r5,ror#2\n\tadd\tr6,r11,r6,ror#2\n\tadd\tr7,r12,r7,ror#2\n\tstmia\tr0,{r3,r4,r5,r6,r7}\n\tteq\tr1,r2\n\tbne\t.Lloop\t\t\t@ [+18], total 1307\n\n#if __ARM_ARCH>=5\n\tldmia\tsp!,{r4,r5,r6,r7,r8,r9,r10,r11,r12,pc}\n#else\n\tldmia\tsp!,{r4,r5,r6,r7,r8,r9,r10,r11,r12,lr}\n\ttst\tlr,#1\n\tmoveq\tpc,lr\t\t\t@ be binary compatible with V4, yet\n.word\t0xe12fff1e\t\t\t@ interoperable with Thumb ISA:-)\n#endif\n.size\tsha1_block_data_order_nohw,.-sha1_block_data_order_nohw\n\n.align\t5\n.LK_00_19:.word\t0x5a827999\n.LK_20_39:.word\t0x6ed9eba1\n.LK_40_59:.word\t0x8f1bbcdc\n.LK_60_79:.word\t0xca62c1d6\n.byte\t83,72,65,49,32,98,108,111,99,107,32,116,114,97,110,115,102,111,114,109,32,102,111,114,32,65,82,77,118,52,47,78,69,79,78,47,65,82,77,118,56,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0\n.align\t2\n.align\t5\n#if __ARM_MAX_ARCH__>=7\n.arch\tarmv7-a\n.fpu\tneon\n\n.globl\tsha1_block_data_order_neon\n.hidden\tsha1_block_data_order_neon\n.type\tsha1_block_data_order_neon,%function\n.align\t4\nsha1_block_data_order_neon:\n\tstmdb\tsp!,{r4,r5,r6,r7,r8,r9,r10,r11,r12,lr}\n\tadd\tr2,r1,r2,lsl#6\t@ r2 to point at the end of r1\n\t@ dmb\t\t\t\t@ errata #451034 on early Cortex A8\n\t@ vstmdb\tsp!,{d8-d15}\t@ ABI specification says so\n\tmov\tr14,sp\n\tsub\tr12,sp,#64\n\tadr\tr8,.LK_00_19\n\tbic\tr12,r12,#15\t\t@ align for 128-bit stores\n\n\tldmia\tr0,{r3,r4,r5,r6,r7}\t@ load context\n\tmov\tsp,r12\t\t@ alloca\n\n\tvld1.8\t{q0,q1},[r1]!\t@ handles unaligned\n\tveor\tq15,q15,q15\n\tvld1.8\t{q2,q3},[r1]!\n\tvld1.32\t{d28[],d29[]},[r8,:32]!\t@ load K_00_19\n\tvrev32.8\tq0,q0\t\t@ yes, even on\n\tvrev32.8\tq1,q1\t\t@ big-endian...\n\tvrev32.8\tq2,q2\n\tvadd.i32\tq8,q0,q14\n\tvrev32.8\tq3,q3\n\tvadd.i32\tq9,q1,q14\n\tvst1.32\t{q8},[r12,:128]!\n\tvadd.i32\tq10,q2,q14\n\tvst1.32\t{q9},[r12,:128]!\n\tvst1.32\t{q10},[r12,:128]!\n\tldr\tr9,[sp]\t\t\t@ big RAW stall\n\n.Loop_neon:\n\tvext.8\tq8,q0,q1,#8\n\tbic\tr10,r6,r4\n\tadd\tr7,r7,r9\n\tand\tr11,r5,r4\n\tvadd.i32\tq13,q3,q14\n\tldr\tr9,[sp,#4]\n\tadd\tr7,r7,r3,ror#27\n\tvext.8\tq12,q3,q15,#4\n\teor\tr11,r11,r10\n\tmov\tr4,r4,ror#2\n\tadd\tr7,r7,r11\n\tveor\tq8,q8,q0\n\tbic\tr10,r5,r3\n\tadd\tr6,r6,r9\n\tveor\tq12,q12,q2\n\tand\tr11,r4,r3\n\tldr\tr9,[sp,#8]\n\tveor\tq12,q12,q8\n\tadd\tr6,r6,r7,ror#27\n\teor\tr11,r11,r10\n\tvst1.32\t{q13},[r12,:128]!\n\tsub\tr12,r12,#64\n\tmov\tr3,r3,ror#2\n\tadd\tr6,r6,r11\n\tvext.8\tq13,q15,q12,#4\n\tbic\tr10,r4,r7\n\tadd\tr5,r5,r9\n\tvadd.i32\tq8,q12,q12\n\tand\tr11,r3,r7\n\tldr\tr9,[sp,#12]\n\tvsri.32\tq8,q12,#31\n\tadd\tr5,r5,r6,ror#27\n\teor\tr11,r11,r10\n\tmov\tr7,r7,ror#2\n\tvshr.u32\tq12,q13,#30\n\tadd\tr5,r5,r11\n\tbic\tr10,r3,r6\n\tvshl.u32\tq13,q13,#2\n\tadd\tr4,r4,r9\n\tand\tr11,r7,r6\n\tveor\tq8,q8,q12\n\tldr\tr9,[sp,#16]\n\tadd\tr4,r4,r5,ror#27\n\tveor\tq8,q8,q13\n\teor\tr11,r11,r10\n\tmov\tr6,r6,ror#2\n\tadd\tr4,r4,r11\n\tvext.8\tq9,q1,q2,#8\n\tbic\tr10,r7,r5\n\tadd\tr3,r3,r9\n\tand\tr11,r6,r5\n\tvadd.i32\tq13,q8,q14\n\tldr\tr9,[sp,#20]\n\tvld1.32\t{d28[],d29[]},[r8,:32]!\n\tadd\tr3,r3,r4,ror#27\n\tvext.8\tq12,q8,q15,#4\n\teor\tr11,r11,r10\n\tmov\tr5,r5,ror#2\n\tadd\tr3,r3,r11\n\tveor\tq9,q9,q1\n\tbic\tr10,r6,r4\n\tadd\tr7,r7,r9\n\tveor\tq12,q12,q3\n\tand\tr11,r5,r4\n\tldr\tr9,[sp,#24]\n\tveor\tq12,q12,q9\n\tadd\tr7,r7,r3,ror#27\n\teor\tr11,r11,r10\n\tvst1.32\t{q13},[r12,:128]!\n\tmov\tr4,r4,ror#2\n\tadd\tr7,r7,r11\n\tvext.8\tq13,q15,q12,#4\n\tbic\tr10,r5,r3\n\tadd\tr6,r6,r9\n\tvadd.i32\tq9,q12,q12\n\tand\tr11,r4,r3\n\tldr\tr9,[sp,#28]\n\tvsri.32\tq9,q12,#31\n\tadd\tr6,r6,r7,ror#27\n\teor\tr11,r11,r10\n\tmov\tr3,r3,ror#2\n\tvshr.u32\tq12,q13,#30\n\tadd\tr6,r6,r11\n\tbic\tr10,r4,r7\n\tvshl.u32\tq13,q13,#2\n\tadd\tr5,r5,r9\n\tand\tr11,r3,r7\n\tveor\tq9,q9,q12\n\tldr\tr9,[sp,#32]\n\tadd\tr5,r5,r6,ror#27\n\tveor\tq9,q9,q13\n\teor\tr11,r11,r10\n\tmov\tr7,r7,ror#2\n\tadd\tr5,r5,r11\n\tvext.8\tq10,q2,q3,#8\n\tbic\tr10,r3,r6\n\tadd\tr4,r4,r9\n\tand\tr11,r7,r6\n\tvadd.i32\tq13,q9,q14\n\tldr\tr9,[sp,#36]\n\tadd\tr4,r4,r5,ror#27\n\tvext.8\tq12,q9,q15,#4\n\teor\tr11,r11,r10\n\tmov\tr6,r6,ror#2\n\tadd\tr4,r4,r11\n\tveor\tq10,q10,q2\n\tbic\tr10,r7,r5\n\tadd\tr3,r3,r9\n\tveor\tq12,q12,q8\n\tand\tr11,r6,r5\n\tldr\tr9,[sp,#40]\n\tveor\tq12,q12,q10\n\tadd\tr3,r3,r4,ror#27\n\teor\tr11,r11,r10\n\tvst1.32\t{q13},[r12,:128]!\n\tmov\tr5,r5,ror#2\n\tadd\tr3,r3,r11\n\tvext.8\tq13,q15,q12,#4\n\tbic\tr10,r6,r4\n\tadd\tr7,r7,r9\n\tvadd.i32\tq10,q12,q12\n\tand\tr11,r5,r4\n\tldr\tr9,[sp,#44]\n\tvsri.32\tq10,q12,#31\n\tadd\tr7,r7,r3,ror#27\n\teor\tr11,r11,r10\n\tmov\tr4,r4,ror#2\n\tvshr.u32\tq12,q13,#30\n\tadd\tr7,r7,r11\n\tbic\tr10,r5,r3\n\tvshl.u32\tq13,q13,#2\n\tadd\tr6,r6,r9\n\tand\tr11,r4,r3\n\tveor\tq10,q10,q12\n\tldr\tr9,[sp,#48]\n\tadd\tr6,r6,r7,ror#27\n\tveor\tq10,q10,q13\n\teor\tr11,r11,r10\n\tmov\tr3,r3,ror#2\n\tadd\tr6,r6,r11\n\tvext.8\tq11,q3,q8,#8\n\tbic\tr10,r4,r7\n\tadd\tr5,r5,r9\n\tand\tr11,r3,r7\n\tvadd.i32\tq13,q10,q14\n\tldr\tr9,[sp,#52]\n\tadd\tr5,r5,r6,ror#27\n\tvext.8\tq12,q10,q15,#4\n\teor\tr11,r11,r10\n\tmov\tr7,r7,ror#2\n\tadd\tr5,r5,r11\n\tveor\tq11,q11,q3\n\tbic\tr10,r3,r6\n\tadd\tr4,r4,r9\n\tveor\tq12,q12,q9\n\tand\tr11,r7,r6\n\tldr\tr9,[sp,#56]\n\tveor\tq12,q12,q11\n\tadd\tr4,r4,r5,ror#27\n\teor\tr11,r11,r10\n\tvst1.32\t{q13},[r12,:128]!\n\tmov\tr6,r6,ror#2\n\tadd\tr4,r4,r11\n\tvext.8\tq13,q15,q12,#4\n\tbic\tr10,r7,r5\n\tadd\tr3,r3,r9\n\tvadd.i32\tq11,q12,q12\n\tand\tr11,r6,r5\n\tldr\tr9,[sp,#60]\n\tvsri.32\tq11,q12,#31\n\tadd\tr3,r3,r4,ror#27\n\teor\tr11,r11,r10\n\tmov\tr5,r5,ror#2\n\tvshr.u32\tq12,q13,#30\n\tadd\tr3,r3,r11\n\tbic\tr10,r6,r4\n\tvshl.u32\tq13,q13,#2\n\tadd\tr7,r7,r9\n\tand\tr11,r5,r4\n\tveor\tq11,q11,q12\n\tldr\tr9,[sp,#0]\n\tadd\tr7,r7,r3,ror#27\n\tveor\tq11,q11,q13\n\teor\tr11,r11,r10\n\tmov\tr4,r4,ror#2\n\tadd\tr7,r7,r11\n\tvext.8\tq12,q10,q11,#8\n\tbic\tr10,r5,r3\n\tadd\tr6,r6,r9\n\tand\tr11,r4,r3\n\tveor\tq0,q0,q8\n\tldr\tr9,[sp,#4]\n\tadd\tr6,r6,r7,ror#27\n\tveor\tq0,q0,q1\n\teor\tr11,r11,r10\n\tmov\tr3,r3,ror#2\n\tvadd.i32\tq13,q11,q14\n\tadd\tr6,r6,r11\n\tbic\tr10,r4,r7\n\tveor\tq12,q12,q0\n\tadd\tr5,r5,r9\n\tand\tr11,r3,r7\n\tvshr.u32\tq0,q12,#30\n\tldr\tr9,[sp,#8]\n\tadd\tr5,r5,r6,ror#27\n\tvst1.32\t{q13},[r12,:128]!\n\tsub\tr12,r12,#64\n\teor\tr11,r11,r10\n\tmov\tr7,r7,ror#2\n\tvsli.32\tq0,q12,#2\n\tadd\tr5,r5,r11\n\tbic\tr10,r3,r6\n\tadd\tr4,r4,r9\n\tand\tr11,r7,r6\n\tldr\tr9,[sp,#12]\n\tadd\tr4,r4,r5,ror#27\n\teor\tr11,r11,r10\n\tmov\tr6,r6,ror#2\n\tadd\tr4,r4,r11\n\tbic\tr10,r7,r5\n\tadd\tr3,r3,r9\n\tand\tr11,r6,r5\n\tldr\tr9,[sp,#16]\n\tadd\tr3,r3,r4,ror#27\n\teor\tr11,r11,r10\n\tmov\tr5,r5,ror#2\n\tadd\tr3,r3,r11\n\tvext.8\tq12,q11,q0,#8\n\teor\tr10,r4,r6\n\tadd\tr7,r7,r9\n\tldr\tr9,[sp,#20]\n\tveor\tq1,q1,q9\n\teor\tr11,r10,r5\n\tadd\tr7,r7,r3,ror#27\n\tveor\tq1,q1,q2\n\tmov\tr4,r4,ror#2\n\tadd\tr7,r7,r11\n\tvadd.i32\tq13,q0,q14\n\teor\tr10,r3,r5\n\tadd\tr6,r6,r9\n\tveor\tq12,q12,q1\n\tldr\tr9,[sp,#24]\n\teor\tr11,r10,r4\n\tvshr.u32\tq1,q12,#30\n\tadd\tr6,r6,r7,ror#27\n\tmov\tr3,r3,ror#2\n\tvst1.32\t{q13},[r12,:128]!\n\tadd\tr6,r6,r11\n\teor\tr10,r7,r4\n\tvsli.32\tq1,q12,#2\n\tadd\tr5,r5,r9\n\tldr\tr9,[sp,#28]\n\teor\tr11,r10,r3\n\tadd\tr5,r5,r6,ror#27\n\tmov\tr7,r7,ror#2\n\tadd\tr5,r5,r11\n\teor\tr10,r6,r3\n\tadd\tr4,r4,r9\n\tldr\tr9,[sp,#32]\n\teor\tr11,r10,r7\n\tadd\tr4,r4,r5,ror#27\n\tmov\tr6,r6,ror#2\n\tadd\tr4,r4,r11\n\tvext.8\tq12,q0,q1,#8\n\teor\tr10,r5,r7\n\tadd\tr3,r3,r9\n\tldr\tr9,[sp,#36]\n\tveor\tq2,q2,q10\n\teor\tr11,r10,r6\n\tadd\tr3,r3,r4,ror#27\n\tveor\tq2,q2,q3\n\tmov\tr5,r5,ror#2\n\tadd\tr3,r3,r11\n\tvadd.i32\tq13,q1,q14\n\teor\tr10,r4,r6\n\tvld1.32\t{d28[],d29[]},[r8,:32]!\n\tadd\tr7,r7,r9\n\tveor\tq12,q12,q2\n\tldr\tr9,[sp,#40]\n\teor\tr11,r10,r5\n\tvshr.u32\tq2,q12,#30\n\tadd\tr7,r7,r3,ror#27\n\tmov\tr4,r4,ror#2\n\tvst1.32\t{q13},[r12,:128]!\n\tadd\tr7,r7,r11\n\teor\tr10,r3,r5\n\tvsli.32\tq2,q12,#2\n\tadd\tr6,r6,r9\n\tldr\tr9,[sp,#44]\n\teor\tr11,r10,r4\n\tadd\tr6,r6,r7,ror#27\n\tmov\tr3,r3,ror#2\n\tadd\tr6,r6,r11\n\teor\tr10,r7,r4\n\tadd\tr5,r5,r9\n\tldr\tr9,[sp,#48]\n\teor\tr11,r10,r3\n\tadd\tr5,r5,r6,ror#27\n\tmov\tr7,r7,ror#2\n\tadd\tr5,r5,r11\n\tvext.8\tq12,q1,q2,#8\n\teor\tr10,r6,r3\n\tadd\tr4,r4,r9\n\tldr\tr9,[sp,#52]\n\tveor\tq3,q3,q11\n\teor\tr11,r10,r7\n\tadd\tr4,r4,r5,ror#27\n\tveor\tq3,q3,q8\n\tmov\tr6,r6,ror#2\n\tadd\tr4,r4,r11\n\tvadd.i32\tq13,q2,q14\n\teor\tr10,r5,r7\n\tadd\tr3,r3,r9\n\tveor\tq12,q12,q3\n\tldr\tr9,[sp,#56]\n\teor\tr11,r10,r6\n\tvshr.u32\tq3,q12,#30\n\tadd\tr3,r3,r4,ror#27\n\tmov\tr5,r5,ror#2\n\tvst1.32\t{q13},[r12,:128]!\n\tadd\tr3,r3,r11\n\teor\tr10,r4,r6\n\tvsli.32\tq3,q12,#2\n\tadd\tr7,r7,r9\n\tldr\tr9,[sp,#60]\n\teor\tr11,r10,r5\n\tadd\tr7,r7,r3,ror#27\n\tmov\tr4,r4,ror#2\n\tadd\tr7,r7,r11\n\teor\tr10,r3,r5\n\tadd\tr6,r6,r9\n\tldr\tr9,[sp,#0]\n\teor\tr11,r10,r4\n\tadd\tr6,r6,r7,ror#27\n\tmov\tr3,r3,ror#2\n\tadd\tr6,r6,r11\n\tvext.8\tq12,q2,q3,#8\n\teor\tr10,r7,r4\n\tadd\tr5,r5,r9\n\tldr\tr9,[sp,#4]\n\tveor\tq8,q8,q0\n\teor\tr11,r10,r3\n\tadd\tr5,r5,r6,ror#27\n\tveor\tq8,q8,q9\n\tmov\tr7,r7,ror#2\n\tadd\tr5,r5,r11\n\tvadd.i32\tq13,q3,q14\n\teor\tr10,r6,r3\n\tadd\tr4,r4,r9\n\tveor\tq12,q12,q8\n\tldr\tr9,[sp,#8]\n\teor\tr11,r10,r7\n\tvshr.u32\tq8,q12,#30\n\tadd\tr4,r4,r5,ror#27\n\tmov\tr6,r6,ror#2\n\tvst1.32\t{q13},[r12,:128]!\n\tsub\tr12,r12,#64\n\tadd\tr4,r4,r11\n\teor\tr10,r5,r7\n\tvsli.32\tq8,q12,#2\n\tadd\tr3,r3,r9\n\tldr\tr9,[sp,#12]\n\teor\tr11,r10,r6\n\tadd\tr3,r3,r4,ror#27\n\tmov\tr5,r5,ror#2\n\tadd\tr3,r3,r11\n\teor\tr10,r4,r6\n\tadd\tr7,r7,r9\n\tldr\tr9,[sp,#16]\n\teor\tr11,r10,r5\n\tadd\tr7,r7,r3,ror#27\n\tmov\tr4,r4,ror#2\n\tadd\tr7,r7,r11\n\tvext.8\tq12,q3,q8,#8\n\teor\tr10,r3,r5\n\tadd\tr6,r6,r9\n\tldr\tr9,[sp,#20]\n\tveor\tq9,q9,q1\n\teor\tr11,r10,r4\n\tadd\tr6,r6,r7,ror#27\n\tveor\tq9,q9,q10\n\tmov\tr3,r3,ror#2\n\tadd\tr6,r6,r11\n\tvadd.i32\tq13,q8,q14\n\teor\tr10,r7,r4\n\tadd\tr5,r5,r9\n\tveor\tq12,q12,q9\n\tldr\tr9,[sp,#24]\n\teor\tr11,r10,r3\n\tvshr.u32\tq9,q12,#30\n\tadd\tr5,r5,r6,ror#27\n\tmov\tr7,r7,ror#2\n\tvst1.32\t{q13},[r12,:128]!\n\tadd\tr5,r5,r11\n\teor\tr10,r6,r3\n\tvsli.32\tq9,q12,#2\n\tadd\tr4,r4,r9\n\tldr\tr9,[sp,#28]\n\teor\tr11,r10,r7\n\tadd\tr4,r4,r5,ror#27\n\tmov\tr6,r6,ror#2\n\tadd\tr4,r4,r11\n\teor\tr10,r5,r7\n\tadd\tr3,r3,r9\n\tldr\tr9,[sp,#32]\n\teor\tr11,r10,r6\n\tadd\tr3,r3,r4,ror#27\n\tmov\tr5,r5,ror#2\n\tadd\tr3,r3,r11\n\tvext.8\tq12,q8,q9,#8\n\tadd\tr7,r7,r9\n\tand\tr10,r5,r6\n\tldr\tr9,[sp,#36]\n\tveor\tq10,q10,q2\n\tadd\tr7,r7,r3,ror#27\n\teor\tr11,r5,r6\n\tveor\tq10,q10,q11\n\tadd\tr7,r7,r10\n\tand\tr11,r11,r4\n\tvadd.i32\tq13,q9,q14\n\tmov\tr4,r4,ror#2\n\tadd\tr7,r7,r11\n\tveor\tq12,q12,q10\n\tadd\tr6,r6,r9\n\tand\tr10,r4,r5\n\tvshr.u32\tq10,q12,#30\n\tldr\tr9,[sp,#40]\n\tadd\tr6,r6,r7,ror#27\n\tvst1.32\t{q13},[r12,:128]!\n\teor\tr11,r4,r5\n\tadd\tr6,r6,r10\n\tvsli.32\tq10,q12,#2\n\tand\tr11,r11,r3\n\tmov\tr3,r3,ror#2\n\tadd\tr6,r6,r11\n\tadd\tr5,r5,r9\n\tand\tr10,r3,r4\n\tldr\tr9,[sp,#44]\n\tadd\tr5,r5,r6,ror#27\n\teor\tr11,r3,r4\n\tadd\tr5,r5,r10\n\tand\tr11,r11,r7\n\tmov\tr7,r7,ror#2\n\tadd\tr5,r5,r11\n\tadd\tr4,r4,r9\n\tand\tr10,r7,r3\n\tldr\tr9,[sp,#48]\n\tadd\tr4,r4,r5,ror#27\n\teor\tr11,r7,r3\n\tadd\tr4,r4,r10\n\tand\tr11,r11,r6\n\tmov\tr6,r6,ror#2\n\tadd\tr4,r4,r11\n\tvext.8\tq12,q9,q10,#8\n\tadd\tr3,r3,r9\n\tand\tr10,r6,r7\n\tldr\tr9,[sp,#52]\n\tveor\tq11,q11,q3\n\tadd\tr3,r3,r4,ror#27\n\teor\tr11,r6,r7\n\tveor\tq11,q11,q0\n\tadd\tr3,r3,r10\n\tand\tr11,r11,r5\n\tvadd.i32\tq13,q10,q14\n\tmov\tr5,r5,ror#2\n\tvld1.32\t{d28[],d29[]},[r8,:32]!\n\tadd\tr3,r3,r11\n\tveor\tq12,q12,q11\n\tadd\tr7,r7,r9\n\tand\tr10,r5,r6\n\tvshr.u32\tq11,q12,#30\n\tldr\tr9,[sp,#56]\n\tadd\tr7,r7,r3,ror#27\n\tvst1.32\t{q13},[r12,:128]!\n\teor\tr11,r5,r6\n\tadd\tr7,r7,r10\n\tvsli.32\tq11,q12,#2\n\tand\tr11,r11,r4\n\tmov\tr4,r4,ror#2\n\tadd\tr7,r7,r11\n\tadd\tr6,r6,r9\n\tand\tr10,r4,r5\n\tldr\tr9,[sp,#60]\n\tadd\tr6,r6,r7,ror#27\n\teor\tr11,r4,r5\n\tadd\tr6,r6,r10\n\tand\tr11,r11,r3\n\tmov\tr3,r3,ror#2\n\tadd\tr6,r6,r11\n\tadd\tr5,r5,r9\n\tand\tr10,r3,r4\n\tldr\tr9,[sp,#0]\n\tadd\tr5,r5,r6,ror#27\n\teor\tr11,r3,r4\n\tadd\tr5,r5,r10\n\tand\tr11,r11,r7\n\tmov\tr7,r7,ror#2\n\tadd\tr5,r5,r11\n\tvext.8\tq12,q10,q11,#8\n\tadd\tr4,r4,r9\n\tand\tr10,r7,r3\n\tldr\tr9,[sp,#4]\n\tveor\tq0,q0,q8\n\tadd\tr4,r4,r5,ror#27\n\teor\tr11,r7,r3\n\tveor\tq0,q0,q1\n\tadd\tr4,r4,r10\n\tand\tr11,r11,r6\n\tvadd.i32\tq13,q11,q14\n\tmov\tr6,r6,ror#2\n\tadd\tr4,r4,r11\n\tveor\tq12,q12,q0\n\tadd\tr3,r3,r9\n\tand\tr10,r6,r7\n\tvshr.u32\tq0,q12,#30\n\tldr\tr9,[sp,#8]\n\tadd\tr3,r3,r4,ror#27\n\tvst1.32\t{q13},[r12,:128]!\n\tsub\tr12,r12,#64\n\teor\tr11,r6,r7\n\tadd\tr3,r3,r10\n\tvsli.32\tq0,q12,#2\n\tand\tr11,r11,r5\n\tmov\tr5,r5,ror#2\n\tadd\tr3,r3,r11\n\tadd\tr7,r7,r9\n\tand\tr10,r5,r6\n\tldr\tr9,[sp,#12]\n\tadd\tr7,r7,r3,ror#27\n\teor\tr11,r5,r6\n\tadd\tr7,r7,r10\n\tand\tr11,r11,r4\n\tmov\tr4,r4,ror#2\n\tadd\tr7,r7,r11\n\tadd\tr6,r6,r9\n\tand\tr10,r4,r5\n\tldr\tr9,[sp,#16]\n\tadd\tr6,r6,r7,ror#27\n\teor\tr11,r4,r5\n\tadd\tr6,r6,r10\n\tand\tr11,r11,r3\n\tmov\tr3,r3,ror#2\n\tadd\tr6,r6,r11\n\tvext.8\tq12,q11,q0,#8\n\tadd\tr5,r5,r9\n\tand\tr10,r3,r4\n\tldr\tr9,[sp,#20]\n\tveor\tq1,q1,q9\n\tadd\tr5,r5,r6,ror#27\n\teor\tr11,r3,r4\n\tveor\tq1,q1,q2\n\tadd\tr5,r5,r10\n\tand\tr11,r11,r7\n\tvadd.i32\tq13,q0,q14\n\tmov\tr7,r7,ror#2\n\tadd\tr5,r5,r11\n\tveor\tq12,q12,q1\n\tadd\tr4,r4,r9\n\tand\tr10,r7,r3\n\tvshr.u32\tq1,q12,#30\n\tldr\tr9,[sp,#24]\n\tadd\tr4,r4,r5,ror#27\n\tvst1.32\t{q13},[r12,:128]!\n\teor\tr11,r7,r3\n\tadd\tr4,r4,r10\n\tvsli.32\tq1,q12,#2\n\tand\tr11,r11,r6\n\tmov\tr6,r6,ror#2\n\tadd\tr4,r4,r11\n\tadd\tr3,r3,r9\n\tand\tr10,r6,r7\n\tldr\tr9,[sp,#28]\n\tadd\tr3,r3,r4,ror#27\n\teor\tr11,r6,r7\n\tadd\tr3,r3,r10\n\tand\tr11,r11,r5\n\tmov\tr5,r5,ror#2\n\tadd\tr3,r3,r11\n\tadd\tr7,r7,r9\n\tand\tr10,r5,r6\n\tldr\tr9,[sp,#32]\n\tadd\tr7,r7,r3,ror#27\n\teor\tr11,r5,r6\n\tadd\tr7,r7,r10\n\tand\tr11,r11,r4\n\tmov\tr4,r4,ror#2\n\tadd\tr7,r7,r11\n\tvext.8\tq12,q0,q1,#8\n\tadd\tr6,r6,r9\n\tand\tr10,r4,r5\n\tldr\tr9,[sp,#36]\n\tveor\tq2,q2,q10\n\tadd\tr6,r6,r7,ror#27\n\teor\tr11,r4,r5\n\tveor\tq2,q2,q3\n\tadd\tr6,r6,r10\n\tand\tr11,r11,r3\n\tvadd.i32\tq13,q1,q14\n\tmov\tr3,r3,ror#2\n\tadd\tr6,r6,r11\n\tveor\tq12,q12,q2\n\tadd\tr5,r5,r9\n\tand\tr10,r3,r4\n\tvshr.u32\tq2,q12,#30\n\tldr\tr9,[sp,#40]\n\tadd\tr5,r5,r6,ror#27\n\tvst1.32\t{q13},[r12,:128]!\n\teor\tr11,r3,r4\n\tadd\tr5,r5,r10\n\tvsli.32\tq2,q12,#2\n\tand\tr11,r11,r7\n\tmov\tr7,r7,ror#2\n\tadd\tr5,r5,r11\n\tadd\tr4,r4,r9\n\tand\tr10,r7,r3\n\tldr\tr9,[sp,#44]\n\tadd\tr4,r4,r5,ror#27\n\teor\tr11,r7,r3\n\tadd\tr4,r4,r10\n\tand\tr11,r11,r6\n\tmov\tr6,r6,ror#2\n\tadd\tr4,r4,r11\n\tadd\tr3,r3,r9\n\tand\tr10,r6,r7\n\tldr\tr9,[sp,#48]\n\tadd\tr3,r3,r4,ror#27\n\teor\tr11,r6,r7\n\tadd\tr3,r3,r10\n\tand\tr11,r11,r5\n\tmov\tr5,r5,ror#2\n\tadd\tr3,r3,r11\n\tvext.8\tq12,q1,q2,#8\n\teor\tr10,r4,r6\n\tadd\tr7,r7,r9\n\tldr\tr9,[sp,#52]\n\tveor\tq3,q3,q11\n\teor\tr11,r10,r5\n\tadd\tr7,r7,r3,ror#27\n\tveor\tq3,q3,q8\n\tmov\tr4,r4,ror#2\n\tadd\tr7,r7,r11\n\tvadd.i32\tq13,q2,q14\n\teor\tr10,r3,r5\n\tadd\tr6,r6,r9\n\tveor\tq12,q12,q3\n\tldr\tr9,[sp,#56]\n\teor\tr11,r10,r4\n\tvshr.u32\tq3,q12,#30\n\tadd\tr6,r6,r7,ror#27\n\tmov\tr3,r3,ror#2\n\tvst1.32\t{q13},[r12,:128]!\n\tadd\tr6,r6,r11\n\teor\tr10,r7,r4\n\tvsli.32\tq3,q12,#2\n\tadd\tr5,r5,r9\n\tldr\tr9,[sp,#60]\n\teor\tr11,r10,r3\n\tadd\tr5,r5,r6,ror#27\n\tmov\tr7,r7,ror#2\n\tadd\tr5,r5,r11\n\teor\tr10,r6,r3\n\tadd\tr4,r4,r9\n\tldr\tr9,[sp,#0]\n\teor\tr11,r10,r7\n\tadd\tr4,r4,r5,ror#27\n\tmov\tr6,r6,ror#2\n\tadd\tr4,r4,r11\n\tvadd.i32\tq13,q3,q14\n\teor\tr10,r5,r7\n\tadd\tr3,r3,r9\n\tvst1.32\t{q13},[r12,:128]!\n\tsub\tr12,r12,#64\n\tteq\tr1,r2\n\tsub\tr8,r8,#16\n\tit\teq\n\tsubeq\tr1,r1,#64\n\tvld1.8\t{q0,q1},[r1]!\n\tldr\tr9,[sp,#4]\n\teor\tr11,r10,r6\n\tvld1.8\t{q2,q3},[r1]!\n\tadd\tr3,r3,r4,ror#27\n\tmov\tr5,r5,ror#2\n\tvld1.32\t{d28[],d29[]},[r8,:32]!\n\tadd\tr3,r3,r11\n\teor\tr10,r4,r6\n\tvrev32.8\tq0,q0\n\tadd\tr7,r7,r9\n\tldr\tr9,[sp,#8]\n\teor\tr11,r10,r5\n\tadd\tr7,r7,r3,ror#27\n\tmov\tr4,r4,ror#2\n\tadd\tr7,r7,r11\n\teor\tr10,r3,r5\n\tadd\tr6,r6,r9\n\tldr\tr9,[sp,#12]\n\teor\tr11,r10,r4\n\tadd\tr6,r6,r7,ror#27\n\tmov\tr3,r3,ror#2\n\tadd\tr6,r6,r11\n\teor\tr10,r7,r4\n\tadd\tr5,r5,r9\n\tldr\tr9,[sp,#16]\n\teor\tr11,r10,r3\n\tadd\tr5,r5,r6,ror#27\n\tmov\tr7,r7,ror#2\n\tadd\tr5,r5,r11\n\tvrev32.8\tq1,q1\n\teor\tr10,r6,r3\n\tadd\tr4,r4,r9\n\tvadd.i32\tq8,q0,q14\n\tldr\tr9,[sp,#20]\n\teor\tr11,r10,r7\n\tvst1.32\t{q8},[r12,:128]!\n\tadd\tr4,r4,r5,ror#27\n\tmov\tr6,r6,ror#2\n\tadd\tr4,r4,r11\n\teor\tr10,r5,r7\n\tadd\tr3,r3,r9\n\tldr\tr9,[sp,#24]\n\teor\tr11,r10,r6\n\tadd\tr3,r3,r4,ror#27\n\tmov\tr5,r5,ror#2\n\tadd\tr3,r3,r11\n\teor\tr10,r4,r6\n\tadd\tr7,r7,r9\n\tldr\tr9,[sp,#28]\n\teor\tr11,r10,r5\n\tadd\tr7,r7,r3,ror#27\n\tmov\tr4,r4,ror#2\n\tadd\tr7,r7,r11\n\teor\tr10,r3,r5\n\tadd\tr6,r6,r9\n\tldr\tr9,[sp,#32]\n\teor\tr11,r10,r4\n\tadd\tr6,r6,r7,ror#27\n\tmov\tr3,r3,ror#2\n\tadd\tr6,r6,r11\n\tvrev32.8\tq2,q2\n\teor\tr10,r7,r4\n\tadd\tr5,r5,r9\n\tvadd.i32\tq9,q1,q14\n\tldr\tr9,[sp,#36]\n\teor\tr11,r10,r3\n\tvst1.32\t{q9},[r12,:128]!\n\tadd\tr5,r5,r6,ror#27\n\tmov\tr7,r7,ror#2\n\tadd\tr5,r5,r11\n\teor\tr10,r6,r3\n\tadd\tr4,r4,r9\n\tldr\tr9,[sp,#40]\n\teor\tr11,r10,r7\n\tadd\tr4,r4,r5,ror#27\n\tmov\tr6,r6,ror#2\n\tadd\tr4,r4,r11\n\teor\tr10,r5,r7\n\tadd\tr3,r3,r9\n\tldr\tr9,[sp,#44]\n\teor\tr11,r10,r6\n\tadd\tr3,r3,r4,ror#27\n\tmov\tr5,r5,ror#2\n\tadd\tr3,r3,r11\n\teor\tr10,r4,r6\n\tadd\tr7,r7,r9\n\tldr\tr9,[sp,#48]\n\teor\tr11,r10,r5\n\tadd\tr7,r7,r3,ror#27\n\tmov\tr4,r4,ror#2\n\tadd\tr7,r7,r11\n\tvrev32.8\tq3,q3\n\teor\tr10,r3,r5\n\tadd\tr6,r6,r9\n\tvadd.i32\tq10,q2,q14\n\tldr\tr9,[sp,#52]\n\teor\tr11,r10,r4\n\tvst1.32\t{q10},[r12,:128]!\n\tadd\tr6,r6,r7,ror#27\n\tmov\tr3,r3,ror#2\n\tadd\tr6,r6,r11\n\teor\tr10,r7,r4\n\tadd\tr5,r5,r9\n\tldr\tr9,[sp,#56]\n\teor\tr11,r10,r3\n\tadd\tr5,r5,r6,ror#27\n\tmov\tr7,r7,ror#2\n\tadd\tr5,r5,r11\n\teor\tr10,r6,r3\n\tadd\tr4,r4,r9\n\tldr\tr9,[sp,#60]\n\teor\tr11,r10,r7\n\tadd\tr4,r4,r5,ror#27\n\tmov\tr6,r6,ror#2\n\tadd\tr4,r4,r11\n\teor\tr10,r5,r7\n\tadd\tr3,r3,r9\n\teor\tr11,r10,r6\n\tadd\tr3,r3,r4,ror#27\n\tmov\tr5,r5,ror#2\n\tadd\tr3,r3,r11\n\tldmia\tr0,{r9,r10,r11,r12}\t@ accumulate context\n\tadd\tr3,r3,r9\n\tldr\tr9,[r0,#16]\n\tadd\tr4,r4,r10\n\tadd\tr5,r5,r11\n\tadd\tr6,r6,r12\n\tit\teq\n\tmoveq\tsp,r14\n\tadd\tr7,r7,r9\n\tit\tne\n\tldrne\tr9,[sp]\n\tstmia\tr0,{r3,r4,r5,r6,r7}\n\titt\tne\n\taddne\tr12,sp,#3*16\n\tbne\t.Loop_neon\n\n\t@ vldmia\tsp!,{d8-d15}\n\tldmia\tsp!,{r4,r5,r6,r7,r8,r9,r10,r11,r12,pc}\n.size\tsha1_block_data_order_neon,.-sha1_block_data_order_neon\n#endif\n#if __ARM_MAX_ARCH__>=7\n\n# if defined(__thumb2__)\n# define INST(a,b,c,d)\t.byte\tc,d|0xf,a,b\n# else\n# define INST(a,b,c,d)\t.byte\ta,b,c,d|0x10\n# endif\n\n.globl\tsha1_block_data_order_hw\n.hidden\tsha1_block_data_order_hw\n.type\tsha1_block_data_order_hw,%function\n.align\t5\nsha1_block_data_order_hw:\n\tvstmdb\tsp!,{d8,d9,d10,d11,d12,d13,d14,d15}\t\t@ ABI specification says so\n\n\tveor\tq1,q1,q1\n\tadr\tr3,.LK_00_19\n\tvld1.32\t{q0},[r0]!\n\tvld1.32\t{d2[0]},[r0]\n\tsub\tr0,r0,#16\n\tvld1.32\t{d16[],d17[]},[r3,:32]!\n\tvld1.32\t{d18[],d19[]},[r3,:32]!\n\tvld1.32\t{d20[],d21[]},[r3,:32]!\n\tvld1.32\t{d22[],d23[]},[r3,:32]\n\n.Loop_v8:\n\tvld1.8\t{q4,q5},[r1]!\n\tvld1.8\t{q6,q7},[r1]!\n\tvrev32.8\tq4,q4\n\tvrev32.8\tq5,q5\n\n\tvadd.i32\tq12,q8,q4\n\tvrev32.8\tq6,q6\n\tvmov\tq14,q0\t@ offload\n\tsubs\tr2,r2,#1\n\n\tvadd.i32\tq13,q8,q5\n\tvrev32.8\tq7,q7\n\tINST(0xc0,0x62,0xb9,0xf3)\t@ sha1h q3,q0\t\t@ 0\n\tINST(0x68,0x0c,0x02,0xe2)\t@ sha1c q0,q1,q12\n\tvadd.i32\tq12,q8,q6\n\tINST(0x4c,0x8c,0x3a,0xe2)\t@ sha1su0 q4,q5,q6\n\tINST(0xc0,0x42,0xb9,0xf3)\t@ sha1h q2,q0\t\t@ 1\n\tINST(0x6a,0x0c,0x06,0xe2)\t@ sha1c q0,q3,q13\n\tvadd.i32\tq13,q8,q7\n\tINST(0x8e,0x83,0xba,0xf3)\t@ sha1su1 q4,q7\n\tINST(0x4e,0xac,0x3c,0xe2)\t@ sha1su0 q5,q6,q7\n\tINST(0xc0,0x62,0xb9,0xf3)\t@ sha1h q3,q0\t\t@ 2\n\tINST(0x68,0x0c,0x04,0xe2)\t@ sha1c q0,q2,q12\n\tvadd.i32\tq12,q8,q4\n\tINST(0x88,0xa3,0xba,0xf3)\t@ sha1su1 q5,q4\n\tINST(0x48,0xcc,0x3e,0xe2)\t@ sha1su0 q6,q7,q4\n\tINST(0xc0,0x42,0xb9,0xf3)\t@ sha1h q2,q0\t\t@ 3\n\tINST(0x6a,0x0c,0x06,0xe2)\t@ sha1c q0,q3,q13\n\tvadd.i32\tq13,q9,q5\n\tINST(0x8a,0xc3,0xba,0xf3)\t@ sha1su1 q6,q5\n\tINST(0x4a,0xec,0x38,0xe2)\t@ sha1su0 q7,q4,q5\n\tINST(0xc0,0x62,0xb9,0xf3)\t@ sha1h q3,q0\t\t@ 4\n\tINST(0x68,0x0c,0x04,0xe2)\t@ sha1c q0,q2,q12\n\tvadd.i32\tq12,q9,q6\n\tINST(0x8c,0xe3,0xba,0xf3)\t@ sha1su1 q7,q6\n\tINST(0x4c,0x8c,0x3a,0xe2)\t@ sha1su0 q4,q5,q6\n\tINST(0xc0,0x42,0xb9,0xf3)\t@ sha1h q2,q0\t\t@ 5\n\tINST(0x6a,0x0c,0x16,0xe2)\t@ sha1p q0,q3,q13\n\tvadd.i32\tq13,q9,q7\n\tINST(0x8e,0x83,0xba,0xf3)\t@ sha1su1 q4,q7\n\tINST(0x4e,0xac,0x3c,0xe2)\t@ sha1su0 q5,q6,q7\n\tINST(0xc0,0x62,0xb9,0xf3)\t@ sha1h q3,q0\t\t@ 6\n\tINST(0x68,0x0c,0x14,0xe2)\t@ sha1p q0,q2,q12\n\tvadd.i32\tq12,q9,q4\n\tINST(0x88,0xa3,0xba,0xf3)\t@ sha1su1 q5,q4\n\tINST(0x48,0xcc,0x3e,0xe2)\t@ sha1su0 q6,q7,q4\n\tINST(0xc0,0x42,0xb9,0xf3)\t@ sha1h q2,q0\t\t@ 7\n\tINST(0x6a,0x0c,0x16,0xe2)\t@ sha1p q0,q3,q13\n\tvadd.i32\tq13,q9,q5\n\tINST(0x8a,0xc3,0xba,0xf3)\t@ sha1su1 q6,q5\n\tINST(0x4a,0xec,0x38,0xe2)\t@ sha1su0 q7,q4,q5\n\tINST(0xc0,0x62,0xb9,0xf3)\t@ sha1h q3,q0\t\t@ 8\n\tINST(0x68,0x0c,0x14,0xe2)\t@ sha1p q0,q2,q12\n\tvadd.i32\tq12,q10,q6\n\tINST(0x8c,0xe3,0xba,0xf3)\t@ sha1su1 q7,q6\n\tINST(0x4c,0x8c,0x3a,0xe2)\t@ sha1su0 q4,q5,q6\n\tINST(0xc0,0x42,0xb9,0xf3)\t@ sha1h q2,q0\t\t@ 9\n\tINST(0x6a,0x0c,0x16,0xe2)\t@ sha1p q0,q3,q13\n\tvadd.i32\tq13,q10,q7\n\tINST(0x8e,0x83,0xba,0xf3)\t@ sha1su1 q4,q7\n\tINST(0x4e,0xac,0x3c,0xe2)\t@ sha1su0 q5,q6,q7\n\tINST(0xc0,0x62,0xb9,0xf3)\t@ sha1h q3,q0\t\t@ 10\n\tINST(0x68,0x0c,0x24,0xe2)\t@ sha1m q0,q2,q12\n\tvadd.i32\tq12,q10,q4\n\tINST(0x88,0xa3,0xba,0xf3)\t@ sha1su1 q5,q4\n\tINST(0x48,0xcc,0x3e,0xe2)\t@ sha1su0 q6,q7,q4\n\tINST(0xc0,0x42,0xb9,0xf3)\t@ sha1h q2,q0\t\t@ 11\n\tINST(0x6a,0x0c,0x26,0xe2)\t@ sha1m q0,q3,q13\n\tvadd.i32\tq13,q10,q5\n\tINST(0x8a,0xc3,0xba,0xf3)\t@ sha1su1 q6,q5\n\tINST(0x4a,0xec,0x38,0xe2)\t@ sha1su0 q7,q4,q5\n\tINST(0xc0,0x62,0xb9,0xf3)\t@ sha1h q3,q0\t\t@ 12\n\tINST(0x68,0x0c,0x24,0xe2)\t@ sha1m q0,q2,q12\n\tvadd.i32\tq12,q10,q6\n\tINST(0x8c,0xe3,0xba,0xf3)\t@ sha1su1 q7,q6\n\tINST(0x4c,0x8c,0x3a,0xe2)\t@ sha1su0 q4,q5,q6\n\tINST(0xc0,0x42,0xb9,0xf3)\t@ sha1h q2,q0\t\t@ 13\n\tINST(0x6a,0x0c,0x26,0xe2)\t@ sha1m q0,q3,q13\n\tvadd.i32\tq13,q11,q7\n\tINST(0x8e,0x83,0xba,0xf3)\t@ sha1su1 q4,q7\n\tINST(0x4e,0xac,0x3c,0xe2)\t@ sha1su0 q5,q6,q7\n\tINST(0xc0,0x62,0xb9,0xf3)\t@ sha1h q3,q0\t\t@ 14\n\tINST(0x68,0x0c,0x24,0xe2)\t@ sha1m q0,q2,q12\n\tvadd.i32\tq12,q11,q4\n\tINST(0x88,0xa3,0xba,0xf3)\t@ sha1su1 q5,q4\n\tINST(0x48,0xcc,0x3e,0xe2)\t@ sha1su0 q6,q7,q4\n\tINST(0xc0,0x42,0xb9,0xf3)\t@ sha1h q2,q0\t\t@ 15\n\tINST(0x6a,0x0c,0x16,0xe2)\t@ sha1p q0,q3,q13\n\tvadd.i32\tq13,q11,q5\n\tINST(0x8a,0xc3,0xba,0xf3)\t@ sha1su1 q6,q5\n\tINST(0x4a,0xec,0x38,0xe2)\t@ sha1su0 q7,q4,q5\n\tINST(0xc0,0x62,0xb9,0xf3)\t@ sha1h q3,q0\t\t@ 16\n\tINST(0x68,0x0c,0x14,0xe2)\t@ sha1p q0,q2,q12\n\tvadd.i32\tq12,q11,q6\n\tINST(0x8c,0xe3,0xba,0xf3)\t@ sha1su1 q7,q6\n\tINST(0xc0,0x42,0xb9,0xf3)\t@ sha1h q2,q0\t\t@ 17\n\tINST(0x6a,0x0c,0x16,0xe2)\t@ sha1p q0,q3,q13\n\tvadd.i32\tq13,q11,q7\n\n\tINST(0xc0,0x62,0xb9,0xf3)\t@ sha1h q3,q0\t\t@ 18\n\tINST(0x68,0x0c,0x14,0xe2)\t@ sha1p q0,q2,q12\n\n\tINST(0xc0,0x42,0xb9,0xf3)\t@ sha1h q2,q0\t\t@ 19\n\tINST(0x6a,0x0c,0x16,0xe2)\t@ sha1p q0,q3,q13\n\n\tvadd.i32\tq1,q1,q2\n\tvadd.i32\tq0,q0,q14\n\tbne\t.Loop_v8\n\n\tvst1.32\t{q0},[r0]!\n\tvst1.32\t{d2[0]},[r0]\n\n\tvldmia\tsp!,{d8,d9,d10,d11,d12,d13,d14,d15}\n\tbx\tlr\t\t\t\t\t@ bx lr\n.size\tsha1_block_data_order_hw,.-sha1_block_data_order_hw\n#endif\n#endif // !OPENSSL_NO_ASM && defined(OPENSSL_ARM) && defined(__ELF__)\n#if defined(__linux__) && defined(__ELF__)\n.section .note.GNU-stack,\"\",%progbits\n#endif\n\n" }, { "path": "Sources/CNIOBoringSSL/gen/bcm/sha1-armv8-apple.S", "content": "#define BORINGSSL_PREFIX CNIOBoringSSL\n// This file is generated from a similarly-named Perl script in the BoringSSL\n// source tree. Do not edit by hand.\n\n#include \n\n#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_AARCH64) && defined(__APPLE__)\n#include \n\n.text\n\n.globl\t_sha1_block_data_order_nohw\n.private_extern\t_sha1_block_data_order_nohw\n\n.align\t6\n_sha1_block_data_order_nohw:\n\t// Armv8.3-A PAuth: even though x30 is pushed to stack it is not popped later.\n\tAARCH64_VALID_CALL_TARGET\n\n\tstp\tx29,x30,[sp,#-96]!\n\tadd\tx29,sp,#0\n\tstp\tx19,x20,[sp,#16]\n\tstp\tx21,x22,[sp,#32]\n\tstp\tx23,x24,[sp,#48]\n\tstp\tx25,x26,[sp,#64]\n\tstp\tx27,x28,[sp,#80]\n\n\tldp\tw20,w21,[x0]\n\tldp\tw22,w23,[x0,#8]\n\tldr\tw24,[x0,#16]\n\nLoop:\n\tldr\tx3,[x1],#64\n\tmovz\tw28,#0x7999\n\tsub\tx2,x2,#1\n\tmovk\tw28,#0x5a82,lsl#16\n#ifdef\t__AARCH64EB__\n\tror\tx3,x3,#32\n#else\n\trev32\tx3,x3\n#endif\n\tadd\tw24,w24,w28\t\t// warm it up\n\tadd\tw24,w24,w3\n\tlsr\tx4,x3,#32\n\tldr\tx5,[x1,#-56]\n\tbic\tw25,w23,w21\n\tand\tw26,w22,w21\n\tror\tw27,w20,#27\n\tadd\tw23,w23,w28\t\t// future e+=K\n\torr\tw25,w25,w26\n\tadd\tw24,w24,w27\t\t// e+=rot(a,5)\n\tror\tw21,w21,#2\n\tadd\tw23,w23,w4\t// future e+=X[i]\n\tadd\tw24,w24,w25\t\t// e+=F(b,c,d)\n#ifdef\t__AARCH64EB__\n\tror\tx5,x5,#32\n#else\n\trev32\tx5,x5\n#endif\n\tbic\tw25,w22,w20\n\tand\tw26,w21,w20\n\tror\tw27,w24,#27\n\tadd\tw22,w22,w28\t\t// future e+=K\n\torr\tw25,w25,w26\n\tadd\tw23,w23,w27\t\t// e+=rot(a,5)\n\tror\tw20,w20,#2\n\tadd\tw22,w22,w5\t// future e+=X[i]\n\tadd\tw23,w23,w25\t\t// e+=F(b,c,d)\n\tlsr\tx6,x5,#32\n\tldr\tx7,[x1,#-48]\n\tbic\tw25,w21,w24\n\tand\tw26,w20,w24\n\tror\tw27,w23,#27\n\tadd\tw21,w21,w28\t\t// future e+=K\n\torr\tw25,w25,w26\n\tadd\tw22,w22,w27\t\t// e+=rot(a,5)\n\tror\tw24,w24,#2\n\tadd\tw21,w21,w6\t// future e+=X[i]\n\tadd\tw22,w22,w25\t\t// e+=F(b,c,d)\n#ifdef\t__AARCH64EB__\n\tror\tx7,x7,#32\n#else\n\trev32\tx7,x7\n#endif\n\tbic\tw25,w20,w23\n\tand\tw26,w24,w23\n\tror\tw27,w22,#27\n\tadd\tw20,w20,w28\t\t// future e+=K\n\torr\tw25,w25,w26\n\tadd\tw21,w21,w27\t\t// e+=rot(a,5)\n\tror\tw23,w23,#2\n\tadd\tw20,w20,w7\t// future e+=X[i]\n\tadd\tw21,w21,w25\t\t// e+=F(b,c,d)\n\tlsr\tx8,x7,#32\n\tldr\tx9,[x1,#-40]\n\tbic\tw25,w24,w22\n\tand\tw26,w23,w22\n\tror\tw27,w21,#27\n\tadd\tw24,w24,w28\t\t// future e+=K\n\torr\tw25,w25,w26\n\tadd\tw20,w20,w27\t\t// e+=rot(a,5)\n\tror\tw22,w22,#2\n\tadd\tw24,w24,w8\t// future e+=X[i]\n\tadd\tw20,w20,w25\t\t// e+=F(b,c,d)\n#ifdef\t__AARCH64EB__\n\tror\tx9,x9,#32\n#else\n\trev32\tx9,x9\n#endif\n\tbic\tw25,w23,w21\n\tand\tw26,w22,w21\n\tror\tw27,w20,#27\n\tadd\tw23,w23,w28\t\t// future e+=K\n\torr\tw25,w25,w26\n\tadd\tw24,w24,w27\t\t// e+=rot(a,5)\n\tror\tw21,w21,#2\n\tadd\tw23,w23,w9\t// future e+=X[i]\n\tadd\tw24,w24,w25\t\t// e+=F(b,c,d)\n\tlsr\tx10,x9,#32\n\tldr\tx11,[x1,#-32]\n\tbic\tw25,w22,w20\n\tand\tw26,w21,w20\n\tror\tw27,w24,#27\n\tadd\tw22,w22,w28\t\t// future e+=K\n\torr\tw25,w25,w26\n\tadd\tw23,w23,w27\t\t// e+=rot(a,5)\n\tror\tw20,w20,#2\n\tadd\tw22,w22,w10\t// future e+=X[i]\n\tadd\tw23,w23,w25\t\t// e+=F(b,c,d)\n#ifdef\t__AARCH64EB__\n\tror\tx11,x11,#32\n#else\n\trev32\tx11,x11\n#endif\n\tbic\tw25,w21,w24\n\tand\tw26,w20,w24\n\tror\tw27,w23,#27\n\tadd\tw21,w21,w28\t\t// future e+=K\n\torr\tw25,w25,w26\n\tadd\tw22,w22,w27\t\t// e+=rot(a,5)\n\tror\tw24,w24,#2\n\tadd\tw21,w21,w11\t// future e+=X[i]\n\tadd\tw22,w22,w25\t\t// e+=F(b,c,d)\n\tlsr\tx12,x11,#32\n\tldr\tx13,[x1,#-24]\n\tbic\tw25,w20,w23\n\tand\tw26,w24,w23\n\tror\tw27,w22,#27\n\tadd\tw20,w20,w28\t\t// future e+=K\n\torr\tw25,w25,w26\n\tadd\tw21,w21,w27\t\t// e+=rot(a,5)\n\tror\tw23,w23,#2\n\tadd\tw20,w20,w12\t// future e+=X[i]\n\tadd\tw21,w21,w25\t\t// e+=F(b,c,d)\n#ifdef\t__AARCH64EB__\n\tror\tx13,x13,#32\n#else\n\trev32\tx13,x13\n#endif\n\tbic\tw25,w24,w22\n\tand\tw26,w23,w22\n\tror\tw27,w21,#27\n\tadd\tw24,w24,w28\t\t// future e+=K\n\torr\tw25,w25,w26\n\tadd\tw20,w20,w27\t\t// e+=rot(a,5)\n\tror\tw22,w22,#2\n\tadd\tw24,w24,w13\t// future e+=X[i]\n\tadd\tw20,w20,w25\t\t// e+=F(b,c,d)\n\tlsr\tx14,x13,#32\n\tldr\tx15,[x1,#-16]\n\tbic\tw25,w23,w21\n\tand\tw26,w22,w21\n\tror\tw27,w20,#27\n\tadd\tw23,w23,w28\t\t// future e+=K\n\torr\tw25,w25,w26\n\tadd\tw24,w24,w27\t\t// e+=rot(a,5)\n\tror\tw21,w21,#2\n\tadd\tw23,w23,w14\t// future e+=X[i]\n\tadd\tw24,w24,w25\t\t// e+=F(b,c,d)\n#ifdef\t__AARCH64EB__\n\tror\tx15,x15,#32\n#else\n\trev32\tx15,x15\n#endif\n\tbic\tw25,w22,w20\n\tand\tw26,w21,w20\n\tror\tw27,w24,#27\n\tadd\tw22,w22,w28\t\t// future e+=K\n\torr\tw25,w25,w26\n\tadd\tw23,w23,w27\t\t// e+=rot(a,5)\n\tror\tw20,w20,#2\n\tadd\tw22,w22,w15\t// future e+=X[i]\n\tadd\tw23,w23,w25\t\t// e+=F(b,c,d)\n\tlsr\tx16,x15,#32\n\tldr\tx17,[x1,#-8]\n\tbic\tw25,w21,w24\n\tand\tw26,w20,w24\n\tror\tw27,w23,#27\n\tadd\tw21,w21,w28\t\t// future e+=K\n\torr\tw25,w25,w26\n\tadd\tw22,w22,w27\t\t// e+=rot(a,5)\n\tror\tw24,w24,#2\n\tadd\tw21,w21,w16\t// future e+=X[i]\n\tadd\tw22,w22,w25\t\t// e+=F(b,c,d)\n#ifdef\t__AARCH64EB__\n\tror\tx17,x17,#32\n#else\n\trev32\tx17,x17\n#endif\n\tbic\tw25,w20,w23\n\tand\tw26,w24,w23\n\tror\tw27,w22,#27\n\tadd\tw20,w20,w28\t\t// future e+=K\n\torr\tw25,w25,w26\n\tadd\tw21,w21,w27\t\t// e+=rot(a,5)\n\tror\tw23,w23,#2\n\tadd\tw20,w20,w17\t// future e+=X[i]\n\tadd\tw21,w21,w25\t\t// e+=F(b,c,d)\n\tlsr\tx19,x17,#32\n\teor\tw3,w3,w5\n\tbic\tw25,w24,w22\n\tand\tw26,w23,w22\n\tror\tw27,w21,#27\n\teor\tw3,w3,w11\n\tadd\tw24,w24,w28\t\t// future e+=K\n\torr\tw25,w25,w26\n\tadd\tw20,w20,w27\t\t// e+=rot(a,5)\n\teor\tw3,w3,w16\n\tror\tw22,w22,#2\n\tadd\tw24,w24,w19\t// future e+=X[i]\n\tadd\tw20,w20,w25\t\t// e+=F(b,c,d)\n\tror\tw3,w3,#31\n\teor\tw4,w4,w6\n\tbic\tw25,w23,w21\n\tand\tw26,w22,w21\n\tror\tw27,w20,#27\n\teor\tw4,w4,w12\n\tadd\tw23,w23,w28\t\t// future e+=K\n\torr\tw25,w25,w26\n\tadd\tw24,w24,w27\t\t// e+=rot(a,5)\n\teor\tw4,w4,w17\n\tror\tw21,w21,#2\n\tadd\tw23,w23,w3\t// future e+=X[i]\n\tadd\tw24,w24,w25\t\t// e+=F(b,c,d)\n\tror\tw4,w4,#31\n\teor\tw5,w5,w7\n\tbic\tw25,w22,w20\n\tand\tw26,w21,w20\n\tror\tw27,w24,#27\n\teor\tw5,w5,w13\n\tadd\tw22,w22,w28\t\t// future e+=K\n\torr\tw25,w25,w26\n\tadd\tw23,w23,w27\t\t// e+=rot(a,5)\n\teor\tw5,w5,w19\n\tror\tw20,w20,#2\n\tadd\tw22,w22,w4\t// future e+=X[i]\n\tadd\tw23,w23,w25\t\t// e+=F(b,c,d)\n\tror\tw5,w5,#31\n\teor\tw6,w6,w8\n\tbic\tw25,w21,w24\n\tand\tw26,w20,w24\n\tror\tw27,w23,#27\n\teor\tw6,w6,w14\n\tadd\tw21,w21,w28\t\t// future e+=K\n\torr\tw25,w25,w26\n\tadd\tw22,w22,w27\t\t// e+=rot(a,5)\n\teor\tw6,w6,w3\n\tror\tw24,w24,#2\n\tadd\tw21,w21,w5\t// future e+=X[i]\n\tadd\tw22,w22,w25\t\t// e+=F(b,c,d)\n\tror\tw6,w6,#31\n\teor\tw7,w7,w9\n\tbic\tw25,w20,w23\n\tand\tw26,w24,w23\n\tror\tw27,w22,#27\n\teor\tw7,w7,w15\n\tadd\tw20,w20,w28\t\t// future e+=K\n\torr\tw25,w25,w26\n\tadd\tw21,w21,w27\t\t// e+=rot(a,5)\n\teor\tw7,w7,w4\n\tror\tw23,w23,#2\n\tadd\tw20,w20,w6\t// future e+=X[i]\n\tadd\tw21,w21,w25\t\t// e+=F(b,c,d)\n\tror\tw7,w7,#31\n\tmovz\tw28,#0xeba1\n\tmovk\tw28,#0x6ed9,lsl#16\n\teor\tw8,w8,w10\n\tbic\tw25,w24,w22\n\tand\tw26,w23,w22\n\tror\tw27,w21,#27\n\teor\tw8,w8,w16\n\tadd\tw24,w24,w28\t\t// future e+=K\n\torr\tw25,w25,w26\n\tadd\tw20,w20,w27\t\t// e+=rot(a,5)\n\teor\tw8,w8,w5\n\tror\tw22,w22,#2\n\tadd\tw24,w24,w7\t// future e+=X[i]\n\tadd\tw20,w20,w25\t\t// e+=F(b,c,d)\n\tror\tw8,w8,#31\n\teor\tw9,w9,w11\n\teor\tw25,w23,w21\n\tror\tw27,w20,#27\n\tadd\tw23,w23,w28\t\t// future e+=K\n\teor\tw9,w9,w17\n\teor\tw25,w25,w22\n\tadd\tw24,w24,w27\t\t// e+=rot(a,5)\n\tror\tw21,w21,#2\n\teor\tw9,w9,w6\n\tadd\tw23,w23,w8\t// future e+=X[i]\n\tadd\tw24,w24,w25\t\t// e+=F(b,c,d)\n\tror\tw9,w9,#31\n\teor\tw10,w10,w12\n\teor\tw25,w22,w20\n\tror\tw27,w24,#27\n\tadd\tw22,w22,w28\t\t// future e+=K\n\teor\tw10,w10,w19\n\teor\tw25,w25,w21\n\tadd\tw23,w23,w27\t\t// e+=rot(a,5)\n\tror\tw20,w20,#2\n\teor\tw10,w10,w7\n\tadd\tw22,w22,w9\t// future e+=X[i]\n\tadd\tw23,w23,w25\t\t// e+=F(b,c,d)\n\tror\tw10,w10,#31\n\teor\tw11,w11,w13\n\teor\tw25,w21,w24\n\tror\tw27,w23,#27\n\tadd\tw21,w21,w28\t\t// future e+=K\n\teor\tw11,w11,w3\n\teor\tw25,w25,w20\n\tadd\tw22,w22,w27\t\t// e+=rot(a,5)\n\tror\tw24,w24,#2\n\teor\tw11,w11,w8\n\tadd\tw21,w21,w10\t// future e+=X[i]\n\tadd\tw22,w22,w25\t\t// e+=F(b,c,d)\n\tror\tw11,w11,#31\n\teor\tw12,w12,w14\n\teor\tw25,w20,w23\n\tror\tw27,w22,#27\n\tadd\tw20,w20,w28\t\t// future e+=K\n\teor\tw12,w12,w4\n\teor\tw25,w25,w24\n\tadd\tw21,w21,w27\t\t// e+=rot(a,5)\n\tror\tw23,w23,#2\n\teor\tw12,w12,w9\n\tadd\tw20,w20,w11\t// future e+=X[i]\n\tadd\tw21,w21,w25\t\t// e+=F(b,c,d)\n\tror\tw12,w12,#31\n\teor\tw13,w13,w15\n\teor\tw25,w24,w22\n\tror\tw27,w21,#27\n\tadd\tw24,w24,w28\t\t// future e+=K\n\teor\tw13,w13,w5\n\teor\tw25,w25,w23\n\tadd\tw20,w20,w27\t\t// e+=rot(a,5)\n\tror\tw22,w22,#2\n\teor\tw13,w13,w10\n\tadd\tw24,w24,w12\t// future e+=X[i]\n\tadd\tw20,w20,w25\t\t// e+=F(b,c,d)\n\tror\tw13,w13,#31\n\teor\tw14,w14,w16\n\teor\tw25,w23,w21\n\tror\tw27,w20,#27\n\tadd\tw23,w23,w28\t\t// future e+=K\n\teor\tw14,w14,w6\n\teor\tw25,w25,w22\n\tadd\tw24,w24,w27\t\t// e+=rot(a,5)\n\tror\tw21,w21,#2\n\teor\tw14,w14,w11\n\tadd\tw23,w23,w13\t// future e+=X[i]\n\tadd\tw24,w24,w25\t\t// e+=F(b,c,d)\n\tror\tw14,w14,#31\n\teor\tw15,w15,w17\n\teor\tw25,w22,w20\n\tror\tw27,w24,#27\n\tadd\tw22,w22,w28\t\t// future e+=K\n\teor\tw15,w15,w7\n\teor\tw25,w25,w21\n\tadd\tw23,w23,w27\t\t// e+=rot(a,5)\n\tror\tw20,w20,#2\n\teor\tw15,w15,w12\n\tadd\tw22,w22,w14\t// future e+=X[i]\n\tadd\tw23,w23,w25\t\t// e+=F(b,c,d)\n\tror\tw15,w15,#31\n\teor\tw16,w16,w19\n\teor\tw25,w21,w24\n\tror\tw27,w23,#27\n\tadd\tw21,w21,w28\t\t// future e+=K\n\teor\tw16,w16,w8\n\teor\tw25,w25,w20\n\tadd\tw22,w22,w27\t\t// e+=rot(a,5)\n\tror\tw24,w24,#2\n\teor\tw16,w16,w13\n\tadd\tw21,w21,w15\t// future e+=X[i]\n\tadd\tw22,w22,w25\t\t// e+=F(b,c,d)\n\tror\tw16,w16,#31\n\teor\tw17,w17,w3\n\teor\tw25,w20,w23\n\tror\tw27,w22,#27\n\tadd\tw20,w20,w28\t\t// future e+=K\n\teor\tw17,w17,w9\n\teor\tw25,w25,w24\n\tadd\tw21,w21,w27\t\t// e+=rot(a,5)\n\tror\tw23,w23,#2\n\teor\tw17,w17,w14\n\tadd\tw20,w20,w16\t// future e+=X[i]\n\tadd\tw21,w21,w25\t\t// e+=F(b,c,d)\n\tror\tw17,w17,#31\n\teor\tw19,w19,w4\n\teor\tw25,w24,w22\n\tror\tw27,w21,#27\n\tadd\tw24,w24,w28\t\t// future e+=K\n\teor\tw19,w19,w10\n\teor\tw25,w25,w23\n\tadd\tw20,w20,w27\t\t// e+=rot(a,5)\n\tror\tw22,w22,#2\n\teor\tw19,w19,w15\n\tadd\tw24,w24,w17\t// future e+=X[i]\n\tadd\tw20,w20,w25\t\t// e+=F(b,c,d)\n\tror\tw19,w19,#31\n\teor\tw3,w3,w5\n\teor\tw25,w23,w21\n\tror\tw27,w20,#27\n\tadd\tw23,w23,w28\t\t// future e+=K\n\teor\tw3,w3,w11\n\teor\tw25,w25,w22\n\tadd\tw24,w24,w27\t\t// e+=rot(a,5)\n\tror\tw21,w21,#2\n\teor\tw3,w3,w16\n\tadd\tw23,w23,w19\t// future e+=X[i]\n\tadd\tw24,w24,w25\t\t// e+=F(b,c,d)\n\tror\tw3,w3,#31\n\teor\tw4,w4,w6\n\teor\tw25,w22,w20\n\tror\tw27,w24,#27\n\tadd\tw22,w22,w28\t\t// future e+=K\n\teor\tw4,w4,w12\n\teor\tw25,w25,w21\n\tadd\tw23,w23,w27\t\t// e+=rot(a,5)\n\tror\tw20,w20,#2\n\teor\tw4,w4,w17\n\tadd\tw22,w22,w3\t// future e+=X[i]\n\tadd\tw23,w23,w25\t\t// e+=F(b,c,d)\n\tror\tw4,w4,#31\n\teor\tw5,w5,w7\n\teor\tw25,w21,w24\n\tror\tw27,w23,#27\n\tadd\tw21,w21,w28\t\t// future e+=K\n\teor\tw5,w5,w13\n\teor\tw25,w25,w20\n\tadd\tw22,w22,w27\t\t// e+=rot(a,5)\n\tror\tw24,w24,#2\n\teor\tw5,w5,w19\n\tadd\tw21,w21,w4\t// future e+=X[i]\n\tadd\tw22,w22,w25\t\t// e+=F(b,c,d)\n\tror\tw5,w5,#31\n\teor\tw6,w6,w8\n\teor\tw25,w20,w23\n\tror\tw27,w22,#27\n\tadd\tw20,w20,w28\t\t// future e+=K\n\teor\tw6,w6,w14\n\teor\tw25,w25,w24\n\tadd\tw21,w21,w27\t\t// e+=rot(a,5)\n\tror\tw23,w23,#2\n\teor\tw6,w6,w3\n\tadd\tw20,w20,w5\t// future e+=X[i]\n\tadd\tw21,w21,w25\t\t// e+=F(b,c,d)\n\tror\tw6,w6,#31\n\teor\tw7,w7,w9\n\teor\tw25,w24,w22\n\tror\tw27,w21,#27\n\tadd\tw24,w24,w28\t\t// future e+=K\n\teor\tw7,w7,w15\n\teor\tw25,w25,w23\n\tadd\tw20,w20,w27\t\t// e+=rot(a,5)\n\tror\tw22,w22,#2\n\teor\tw7,w7,w4\n\tadd\tw24,w24,w6\t// future e+=X[i]\n\tadd\tw20,w20,w25\t\t// e+=F(b,c,d)\n\tror\tw7,w7,#31\n\teor\tw8,w8,w10\n\teor\tw25,w23,w21\n\tror\tw27,w20,#27\n\tadd\tw23,w23,w28\t\t// future e+=K\n\teor\tw8,w8,w16\n\teor\tw25,w25,w22\n\tadd\tw24,w24,w27\t\t// e+=rot(a,5)\n\tror\tw21,w21,#2\n\teor\tw8,w8,w5\n\tadd\tw23,w23,w7\t// future e+=X[i]\n\tadd\tw24,w24,w25\t\t// e+=F(b,c,d)\n\tror\tw8,w8,#31\n\teor\tw9,w9,w11\n\teor\tw25,w22,w20\n\tror\tw27,w24,#27\n\tadd\tw22,w22,w28\t\t// future e+=K\n\teor\tw9,w9,w17\n\teor\tw25,w25,w21\n\tadd\tw23,w23,w27\t\t// e+=rot(a,5)\n\tror\tw20,w20,#2\n\teor\tw9,w9,w6\n\tadd\tw22,w22,w8\t// future e+=X[i]\n\tadd\tw23,w23,w25\t\t// e+=F(b,c,d)\n\tror\tw9,w9,#31\n\teor\tw10,w10,w12\n\teor\tw25,w21,w24\n\tror\tw27,w23,#27\n\tadd\tw21,w21,w28\t\t// future e+=K\n\teor\tw10,w10,w19\n\teor\tw25,w25,w20\n\tadd\tw22,w22,w27\t\t// e+=rot(a,5)\n\tror\tw24,w24,#2\n\teor\tw10,w10,w7\n\tadd\tw21,w21,w9\t// future e+=X[i]\n\tadd\tw22,w22,w25\t\t// e+=F(b,c,d)\n\tror\tw10,w10,#31\n\teor\tw11,w11,w13\n\teor\tw25,w20,w23\n\tror\tw27,w22,#27\n\tadd\tw20,w20,w28\t\t// future e+=K\n\teor\tw11,w11,w3\n\teor\tw25,w25,w24\n\tadd\tw21,w21,w27\t\t// e+=rot(a,5)\n\tror\tw23,w23,#2\n\teor\tw11,w11,w8\n\tadd\tw20,w20,w10\t// future e+=X[i]\n\tadd\tw21,w21,w25\t\t// e+=F(b,c,d)\n\tror\tw11,w11,#31\n\tmovz\tw28,#0xbcdc\n\tmovk\tw28,#0x8f1b,lsl#16\n\teor\tw12,w12,w14\n\teor\tw25,w24,w22\n\tror\tw27,w21,#27\n\tadd\tw24,w24,w28\t\t// future e+=K\n\teor\tw12,w12,w4\n\teor\tw25,w25,w23\n\tadd\tw20,w20,w27\t\t// e+=rot(a,5)\n\tror\tw22,w22,#2\n\teor\tw12,w12,w9\n\tadd\tw24,w24,w11\t// future e+=X[i]\n\tadd\tw20,w20,w25\t\t// e+=F(b,c,d)\n\tror\tw12,w12,#31\n\torr\tw25,w21,w22\n\tand\tw26,w21,w22\n\teor\tw13,w13,w15\n\tror\tw27,w20,#27\n\tand\tw25,w25,w23\n\tadd\tw23,w23,w28\t\t// future e+=K\n\teor\tw13,w13,w5\n\tadd\tw24,w24,w27\t\t// e+=rot(a,5)\n\torr\tw25,w25,w26\n\tror\tw21,w21,#2\n\teor\tw13,w13,w10\n\tadd\tw23,w23,w12\t// future e+=X[i]\n\tadd\tw24,w24,w25\t\t// e+=F(b,c,d)\n\tror\tw13,w13,#31\n\torr\tw25,w20,w21\n\tand\tw26,w20,w21\n\teor\tw14,w14,w16\n\tror\tw27,w24,#27\n\tand\tw25,w25,w22\n\tadd\tw22,w22,w28\t\t// future e+=K\n\teor\tw14,w14,w6\n\tadd\tw23,w23,w27\t\t// e+=rot(a,5)\n\torr\tw25,w25,w26\n\tror\tw20,w20,#2\n\teor\tw14,w14,w11\n\tadd\tw22,w22,w13\t// future e+=X[i]\n\tadd\tw23,w23,w25\t\t// e+=F(b,c,d)\n\tror\tw14,w14,#31\n\torr\tw25,w24,w20\n\tand\tw26,w24,w20\n\teor\tw15,w15,w17\n\tror\tw27,w23,#27\n\tand\tw25,w25,w21\n\tadd\tw21,w21,w28\t\t// future e+=K\n\teor\tw15,w15,w7\n\tadd\tw22,w22,w27\t\t// e+=rot(a,5)\n\torr\tw25,w25,w26\n\tror\tw24,w24,#2\n\teor\tw15,w15,w12\n\tadd\tw21,w21,w14\t// future e+=X[i]\n\tadd\tw22,w22,w25\t\t// e+=F(b,c,d)\n\tror\tw15,w15,#31\n\torr\tw25,w23,w24\n\tand\tw26,w23,w24\n\teor\tw16,w16,w19\n\tror\tw27,w22,#27\n\tand\tw25,w25,w20\n\tadd\tw20,w20,w28\t\t// future e+=K\n\teor\tw16,w16,w8\n\tadd\tw21,w21,w27\t\t// e+=rot(a,5)\n\torr\tw25,w25,w26\n\tror\tw23,w23,#2\n\teor\tw16,w16,w13\n\tadd\tw20,w20,w15\t// future e+=X[i]\n\tadd\tw21,w21,w25\t\t// e+=F(b,c,d)\n\tror\tw16,w16,#31\n\torr\tw25,w22,w23\n\tand\tw26,w22,w23\n\teor\tw17,w17,w3\n\tror\tw27,w21,#27\n\tand\tw25,w25,w24\n\tadd\tw24,w24,w28\t\t// future e+=K\n\teor\tw17,w17,w9\n\tadd\tw20,w20,w27\t\t// e+=rot(a,5)\n\torr\tw25,w25,w26\n\tror\tw22,w22,#2\n\teor\tw17,w17,w14\n\tadd\tw24,w24,w16\t// future e+=X[i]\n\tadd\tw20,w20,w25\t\t// e+=F(b,c,d)\n\tror\tw17,w17,#31\n\torr\tw25,w21,w22\n\tand\tw26,w21,w22\n\teor\tw19,w19,w4\n\tror\tw27,w20,#27\n\tand\tw25,w25,w23\n\tadd\tw23,w23,w28\t\t// future e+=K\n\teor\tw19,w19,w10\n\tadd\tw24,w24,w27\t\t// e+=rot(a,5)\n\torr\tw25,w25,w26\n\tror\tw21,w21,#2\n\teor\tw19,w19,w15\n\tadd\tw23,w23,w17\t// future e+=X[i]\n\tadd\tw24,w24,w25\t\t// e+=F(b,c,d)\n\tror\tw19,w19,#31\n\torr\tw25,w20,w21\n\tand\tw26,w20,w21\n\teor\tw3,w3,w5\n\tror\tw27,w24,#27\n\tand\tw25,w25,w22\n\tadd\tw22,w22,w28\t\t// future e+=K\n\teor\tw3,w3,w11\n\tadd\tw23,w23,w27\t\t// e+=rot(a,5)\n\torr\tw25,w25,w26\n\tror\tw20,w20,#2\n\teor\tw3,w3,w16\n\tadd\tw22,w22,w19\t// future e+=X[i]\n\tadd\tw23,w23,w25\t\t// e+=F(b,c,d)\n\tror\tw3,w3,#31\n\torr\tw25,w24,w20\n\tand\tw26,w24,w20\n\teor\tw4,w4,w6\n\tror\tw27,w23,#27\n\tand\tw25,w25,w21\n\tadd\tw21,w21,w28\t\t// future e+=K\n\teor\tw4,w4,w12\n\tadd\tw22,w22,w27\t\t// e+=rot(a,5)\n\torr\tw25,w25,w26\n\tror\tw24,w24,#2\n\teor\tw4,w4,w17\n\tadd\tw21,w21,w3\t// future e+=X[i]\n\tadd\tw22,w22,w25\t\t// e+=F(b,c,d)\n\tror\tw4,w4,#31\n\torr\tw25,w23,w24\n\tand\tw26,w23,w24\n\teor\tw5,w5,w7\n\tror\tw27,w22,#27\n\tand\tw25,w25,w20\n\tadd\tw20,w20,w28\t\t// future e+=K\n\teor\tw5,w5,w13\n\tadd\tw21,w21,w27\t\t// e+=rot(a,5)\n\torr\tw25,w25,w26\n\tror\tw23,w23,#2\n\teor\tw5,w5,w19\n\tadd\tw20,w20,w4\t// future e+=X[i]\n\tadd\tw21,w21,w25\t\t// e+=F(b,c,d)\n\tror\tw5,w5,#31\n\torr\tw25,w22,w23\n\tand\tw26,w22,w23\n\teor\tw6,w6,w8\n\tror\tw27,w21,#27\n\tand\tw25,w25,w24\n\tadd\tw24,w24,w28\t\t// future e+=K\n\teor\tw6,w6,w14\n\tadd\tw20,w20,w27\t\t// e+=rot(a,5)\n\torr\tw25,w25,w26\n\tror\tw22,w22,#2\n\teor\tw6,w6,w3\n\tadd\tw24,w24,w5\t// future e+=X[i]\n\tadd\tw20,w20,w25\t\t// e+=F(b,c,d)\n\tror\tw6,w6,#31\n\torr\tw25,w21,w22\n\tand\tw26,w21,w22\n\teor\tw7,w7,w9\n\tror\tw27,w20,#27\n\tand\tw25,w25,w23\n\tadd\tw23,w23,w28\t\t// future e+=K\n\teor\tw7,w7,w15\n\tadd\tw24,w24,w27\t\t// e+=rot(a,5)\n\torr\tw25,w25,w26\n\tror\tw21,w21,#2\n\teor\tw7,w7,w4\n\tadd\tw23,w23,w6\t// future e+=X[i]\n\tadd\tw24,w24,w25\t\t// e+=F(b,c,d)\n\tror\tw7,w7,#31\n\torr\tw25,w20,w21\n\tand\tw26,w20,w21\n\teor\tw8,w8,w10\n\tror\tw27,w24,#27\n\tand\tw25,w25,w22\n\tadd\tw22,w22,w28\t\t// future e+=K\n\teor\tw8,w8,w16\n\tadd\tw23,w23,w27\t\t// e+=rot(a,5)\n\torr\tw25,w25,w26\n\tror\tw20,w20,#2\n\teor\tw8,w8,w5\n\tadd\tw22,w22,w7\t// future e+=X[i]\n\tadd\tw23,w23,w25\t\t// e+=F(b,c,d)\n\tror\tw8,w8,#31\n\torr\tw25,w24,w20\n\tand\tw26,w24,w20\n\teor\tw9,w9,w11\n\tror\tw27,w23,#27\n\tand\tw25,w25,w21\n\tadd\tw21,w21,w28\t\t// future e+=K\n\teor\tw9,w9,w17\n\tadd\tw22,w22,w27\t\t// e+=rot(a,5)\n\torr\tw25,w25,w26\n\tror\tw24,w24,#2\n\teor\tw9,w9,w6\n\tadd\tw21,w21,w8\t// future e+=X[i]\n\tadd\tw22,w22,w25\t\t// e+=F(b,c,d)\n\tror\tw9,w9,#31\n\torr\tw25,w23,w24\n\tand\tw26,w23,w24\n\teor\tw10,w10,w12\n\tror\tw27,w22,#27\n\tand\tw25,w25,w20\n\tadd\tw20,w20,w28\t\t// future e+=K\n\teor\tw10,w10,w19\n\tadd\tw21,w21,w27\t\t// e+=rot(a,5)\n\torr\tw25,w25,w26\n\tror\tw23,w23,#2\n\teor\tw10,w10,w7\n\tadd\tw20,w20,w9\t// future e+=X[i]\n\tadd\tw21,w21,w25\t\t// e+=F(b,c,d)\n\tror\tw10,w10,#31\n\torr\tw25,w22,w23\n\tand\tw26,w22,w23\n\teor\tw11,w11,w13\n\tror\tw27,w21,#27\n\tand\tw25,w25,w24\n\tadd\tw24,w24,w28\t\t// future e+=K\n\teor\tw11,w11,w3\n\tadd\tw20,w20,w27\t\t// e+=rot(a,5)\n\torr\tw25,w25,w26\n\tror\tw22,w22,#2\n\teor\tw11,w11,w8\n\tadd\tw24,w24,w10\t// future e+=X[i]\n\tadd\tw20,w20,w25\t\t// e+=F(b,c,d)\n\tror\tw11,w11,#31\n\torr\tw25,w21,w22\n\tand\tw26,w21,w22\n\teor\tw12,w12,w14\n\tror\tw27,w20,#27\n\tand\tw25,w25,w23\n\tadd\tw23,w23,w28\t\t// future e+=K\n\teor\tw12,w12,w4\n\tadd\tw24,w24,w27\t\t// e+=rot(a,5)\n\torr\tw25,w25,w26\n\tror\tw21,w21,#2\n\teor\tw12,w12,w9\n\tadd\tw23,w23,w11\t// future e+=X[i]\n\tadd\tw24,w24,w25\t\t// e+=F(b,c,d)\n\tror\tw12,w12,#31\n\torr\tw25,w20,w21\n\tand\tw26,w20,w21\n\teor\tw13,w13,w15\n\tror\tw27,w24,#27\n\tand\tw25,w25,w22\n\tadd\tw22,w22,w28\t\t// future e+=K\n\teor\tw13,w13,w5\n\tadd\tw23,w23,w27\t\t// e+=rot(a,5)\n\torr\tw25,w25,w26\n\tror\tw20,w20,#2\n\teor\tw13,w13,w10\n\tadd\tw22,w22,w12\t// future e+=X[i]\n\tadd\tw23,w23,w25\t\t// e+=F(b,c,d)\n\tror\tw13,w13,#31\n\torr\tw25,w24,w20\n\tand\tw26,w24,w20\n\teor\tw14,w14,w16\n\tror\tw27,w23,#27\n\tand\tw25,w25,w21\n\tadd\tw21,w21,w28\t\t// future e+=K\n\teor\tw14,w14,w6\n\tadd\tw22,w22,w27\t\t// e+=rot(a,5)\n\torr\tw25,w25,w26\n\tror\tw24,w24,#2\n\teor\tw14,w14,w11\n\tadd\tw21,w21,w13\t// future e+=X[i]\n\tadd\tw22,w22,w25\t\t// e+=F(b,c,d)\n\tror\tw14,w14,#31\n\torr\tw25,w23,w24\n\tand\tw26,w23,w24\n\teor\tw15,w15,w17\n\tror\tw27,w22,#27\n\tand\tw25,w25,w20\n\tadd\tw20,w20,w28\t\t// future e+=K\n\teor\tw15,w15,w7\n\tadd\tw21,w21,w27\t\t// e+=rot(a,5)\n\torr\tw25,w25,w26\n\tror\tw23,w23,#2\n\teor\tw15,w15,w12\n\tadd\tw20,w20,w14\t// future e+=X[i]\n\tadd\tw21,w21,w25\t\t// e+=F(b,c,d)\n\tror\tw15,w15,#31\n\tmovz\tw28,#0xc1d6\n\tmovk\tw28,#0xca62,lsl#16\n\torr\tw25,w22,w23\n\tand\tw26,w22,w23\n\teor\tw16,w16,w19\n\tror\tw27,w21,#27\n\tand\tw25,w25,w24\n\tadd\tw24,w24,w28\t\t// future e+=K\n\teor\tw16,w16,w8\n\tadd\tw20,w20,w27\t\t// e+=rot(a,5)\n\torr\tw25,w25,w26\n\tror\tw22,w22,#2\n\teor\tw16,w16,w13\n\tadd\tw24,w24,w15\t// future e+=X[i]\n\tadd\tw20,w20,w25\t\t// e+=F(b,c,d)\n\tror\tw16,w16,#31\n\teor\tw17,w17,w3\n\teor\tw25,w23,w21\n\tror\tw27,w20,#27\n\tadd\tw23,w23,w28\t\t// future e+=K\n\teor\tw17,w17,w9\n\teor\tw25,w25,w22\n\tadd\tw24,w24,w27\t\t// e+=rot(a,5)\n\tror\tw21,w21,#2\n\teor\tw17,w17,w14\n\tadd\tw23,w23,w16\t// future e+=X[i]\n\tadd\tw24,w24,w25\t\t// e+=F(b,c,d)\n\tror\tw17,w17,#31\n\teor\tw19,w19,w4\n\teor\tw25,w22,w20\n\tror\tw27,w24,#27\n\tadd\tw22,w22,w28\t\t// future e+=K\n\teor\tw19,w19,w10\n\teor\tw25,w25,w21\n\tadd\tw23,w23,w27\t\t// e+=rot(a,5)\n\tror\tw20,w20,#2\n\teor\tw19,w19,w15\n\tadd\tw22,w22,w17\t// future e+=X[i]\n\tadd\tw23,w23,w25\t\t// e+=F(b,c,d)\n\tror\tw19,w19,#31\n\teor\tw3,w3,w5\n\teor\tw25,w21,w24\n\tror\tw27,w23,#27\n\tadd\tw21,w21,w28\t\t// future e+=K\n\teor\tw3,w3,w11\n\teor\tw25,w25,w20\n\tadd\tw22,w22,w27\t\t// e+=rot(a,5)\n\tror\tw24,w24,#2\n\teor\tw3,w3,w16\n\tadd\tw21,w21,w19\t// future e+=X[i]\n\tadd\tw22,w22,w25\t\t// e+=F(b,c,d)\n\tror\tw3,w3,#31\n\teor\tw4,w4,w6\n\teor\tw25,w20,w23\n\tror\tw27,w22,#27\n\tadd\tw20,w20,w28\t\t// future e+=K\n\teor\tw4,w4,w12\n\teor\tw25,w25,w24\n\tadd\tw21,w21,w27\t\t// e+=rot(a,5)\n\tror\tw23,w23,#2\n\teor\tw4,w4,w17\n\tadd\tw20,w20,w3\t// future e+=X[i]\n\tadd\tw21,w21,w25\t\t// e+=F(b,c,d)\n\tror\tw4,w4,#31\n\teor\tw5,w5,w7\n\teor\tw25,w24,w22\n\tror\tw27,w21,#27\n\tadd\tw24,w24,w28\t\t// future e+=K\n\teor\tw5,w5,w13\n\teor\tw25,w25,w23\n\tadd\tw20,w20,w27\t\t// e+=rot(a,5)\n\tror\tw22,w22,#2\n\teor\tw5,w5,w19\n\tadd\tw24,w24,w4\t// future e+=X[i]\n\tadd\tw20,w20,w25\t\t// e+=F(b,c,d)\n\tror\tw5,w5,#31\n\teor\tw6,w6,w8\n\teor\tw25,w23,w21\n\tror\tw27,w20,#27\n\tadd\tw23,w23,w28\t\t// future e+=K\n\teor\tw6,w6,w14\n\teor\tw25,w25,w22\n\tadd\tw24,w24,w27\t\t// e+=rot(a,5)\n\tror\tw21,w21,#2\n\teor\tw6,w6,w3\n\tadd\tw23,w23,w5\t// future e+=X[i]\n\tadd\tw24,w24,w25\t\t// e+=F(b,c,d)\n\tror\tw6,w6,#31\n\teor\tw7,w7,w9\n\teor\tw25,w22,w20\n\tror\tw27,w24,#27\n\tadd\tw22,w22,w28\t\t// future e+=K\n\teor\tw7,w7,w15\n\teor\tw25,w25,w21\n\tadd\tw23,w23,w27\t\t// e+=rot(a,5)\n\tror\tw20,w20,#2\n\teor\tw7,w7,w4\n\tadd\tw22,w22,w6\t// future e+=X[i]\n\tadd\tw23,w23,w25\t\t// e+=F(b,c,d)\n\tror\tw7,w7,#31\n\teor\tw8,w8,w10\n\teor\tw25,w21,w24\n\tror\tw27,w23,#27\n\tadd\tw21,w21,w28\t\t// future e+=K\n\teor\tw8,w8,w16\n\teor\tw25,w25,w20\n\tadd\tw22,w22,w27\t\t// e+=rot(a,5)\n\tror\tw24,w24,#2\n\teor\tw8,w8,w5\n\tadd\tw21,w21,w7\t// future e+=X[i]\n\tadd\tw22,w22,w25\t\t// e+=F(b,c,d)\n\tror\tw8,w8,#31\n\teor\tw9,w9,w11\n\teor\tw25,w20,w23\n\tror\tw27,w22,#27\n\tadd\tw20,w20,w28\t\t// future e+=K\n\teor\tw9,w9,w17\n\teor\tw25,w25,w24\n\tadd\tw21,w21,w27\t\t// e+=rot(a,5)\n\tror\tw23,w23,#2\n\teor\tw9,w9,w6\n\tadd\tw20,w20,w8\t// future e+=X[i]\n\tadd\tw21,w21,w25\t\t// e+=F(b,c,d)\n\tror\tw9,w9,#31\n\teor\tw10,w10,w12\n\teor\tw25,w24,w22\n\tror\tw27,w21,#27\n\tadd\tw24,w24,w28\t\t// future e+=K\n\teor\tw10,w10,w19\n\teor\tw25,w25,w23\n\tadd\tw20,w20,w27\t\t// e+=rot(a,5)\n\tror\tw22,w22,#2\n\teor\tw10,w10,w7\n\tadd\tw24,w24,w9\t// future e+=X[i]\n\tadd\tw20,w20,w25\t\t// e+=F(b,c,d)\n\tror\tw10,w10,#31\n\teor\tw11,w11,w13\n\teor\tw25,w23,w21\n\tror\tw27,w20,#27\n\tadd\tw23,w23,w28\t\t// future e+=K\n\teor\tw11,w11,w3\n\teor\tw25,w25,w22\n\tadd\tw24,w24,w27\t\t// e+=rot(a,5)\n\tror\tw21,w21,#2\n\teor\tw11,w11,w8\n\tadd\tw23,w23,w10\t// future e+=X[i]\n\tadd\tw24,w24,w25\t\t// e+=F(b,c,d)\n\tror\tw11,w11,#31\n\teor\tw12,w12,w14\n\teor\tw25,w22,w20\n\tror\tw27,w24,#27\n\tadd\tw22,w22,w28\t\t// future e+=K\n\teor\tw12,w12,w4\n\teor\tw25,w25,w21\n\tadd\tw23,w23,w27\t\t// e+=rot(a,5)\n\tror\tw20,w20,#2\n\teor\tw12,w12,w9\n\tadd\tw22,w22,w11\t// future e+=X[i]\n\tadd\tw23,w23,w25\t\t// e+=F(b,c,d)\n\tror\tw12,w12,#31\n\teor\tw13,w13,w15\n\teor\tw25,w21,w24\n\tror\tw27,w23,#27\n\tadd\tw21,w21,w28\t\t// future e+=K\n\teor\tw13,w13,w5\n\teor\tw25,w25,w20\n\tadd\tw22,w22,w27\t\t// e+=rot(a,5)\n\tror\tw24,w24,#2\n\teor\tw13,w13,w10\n\tadd\tw21,w21,w12\t// future e+=X[i]\n\tadd\tw22,w22,w25\t\t// e+=F(b,c,d)\n\tror\tw13,w13,#31\n\teor\tw14,w14,w16\n\teor\tw25,w20,w23\n\tror\tw27,w22,#27\n\tadd\tw20,w20,w28\t\t// future e+=K\n\teor\tw14,w14,w6\n\teor\tw25,w25,w24\n\tadd\tw21,w21,w27\t\t// e+=rot(a,5)\n\tror\tw23,w23,#2\n\teor\tw14,w14,w11\n\tadd\tw20,w20,w13\t// future e+=X[i]\n\tadd\tw21,w21,w25\t\t// e+=F(b,c,d)\n\tror\tw14,w14,#31\n\teor\tw15,w15,w17\n\teor\tw25,w24,w22\n\tror\tw27,w21,#27\n\tadd\tw24,w24,w28\t\t// future e+=K\n\teor\tw15,w15,w7\n\teor\tw25,w25,w23\n\tadd\tw20,w20,w27\t\t// e+=rot(a,5)\n\tror\tw22,w22,#2\n\teor\tw15,w15,w12\n\tadd\tw24,w24,w14\t// future e+=X[i]\n\tadd\tw20,w20,w25\t\t// e+=F(b,c,d)\n\tror\tw15,w15,#31\n\teor\tw16,w16,w19\n\teor\tw25,w23,w21\n\tror\tw27,w20,#27\n\tadd\tw23,w23,w28\t\t// future e+=K\n\teor\tw16,w16,w8\n\teor\tw25,w25,w22\n\tadd\tw24,w24,w27\t\t// e+=rot(a,5)\n\tror\tw21,w21,#2\n\teor\tw16,w16,w13\n\tadd\tw23,w23,w15\t// future e+=X[i]\n\tadd\tw24,w24,w25\t\t// e+=F(b,c,d)\n\tror\tw16,w16,#31\n\teor\tw17,w17,w3\n\teor\tw25,w22,w20\n\tror\tw27,w24,#27\n\tadd\tw22,w22,w28\t\t// future e+=K\n\teor\tw17,w17,w9\n\teor\tw25,w25,w21\n\tadd\tw23,w23,w27\t\t// e+=rot(a,5)\n\tror\tw20,w20,#2\n\teor\tw17,w17,w14\n\tadd\tw22,w22,w16\t// future e+=X[i]\n\tadd\tw23,w23,w25\t\t// e+=F(b,c,d)\n\tror\tw17,w17,#31\n\teor\tw19,w19,w4\n\teor\tw25,w21,w24\n\tror\tw27,w23,#27\n\tadd\tw21,w21,w28\t\t// future e+=K\n\teor\tw19,w19,w10\n\teor\tw25,w25,w20\n\tadd\tw22,w22,w27\t\t// e+=rot(a,5)\n\tror\tw24,w24,#2\n\teor\tw19,w19,w15\n\tadd\tw21,w21,w17\t// future e+=X[i]\n\tadd\tw22,w22,w25\t\t// e+=F(b,c,d)\n\tror\tw19,w19,#31\n\tldp\tw4,w5,[x0]\n\teor\tw25,w20,w23\n\tror\tw27,w22,#27\n\tadd\tw20,w20,w28\t\t// future e+=K\n\teor\tw25,w25,w24\n\tadd\tw21,w21,w27\t\t// e+=rot(a,5)\n\tror\tw23,w23,#2\n\tadd\tw20,w20,w19\t// future e+=X[i]\n\tadd\tw21,w21,w25\t\t// e+=F(b,c,d)\n\tldp\tw6,w7,[x0,#8]\n\teor\tw25,w24,w22\n\tror\tw27,w21,#27\n\teor\tw25,w25,w23\n\tadd\tw20,w20,w27\t\t// e+=rot(a,5)\n\tror\tw22,w22,#2\n\tldr\tw8,[x0,#16]\n\tadd\tw20,w20,w25\t\t// e+=F(b,c,d)\n\tadd\tw21,w21,w5\n\tadd\tw22,w22,w6\n\tadd\tw20,w20,w4\n\tadd\tw23,w23,w7\n\tadd\tw24,w24,w8\n\tstp\tw20,w21,[x0]\n\tstp\tw22,w23,[x0,#8]\n\tstr\tw24,[x0,#16]\n\tcbnz\tx2,Loop\n\n\tldp\tx19,x20,[sp,#16]\n\tldp\tx21,x22,[sp,#32]\n\tldp\tx23,x24,[sp,#48]\n\tldp\tx25,x26,[sp,#64]\n\tldp\tx27,x28,[sp,#80]\n\tldr\tx29,[sp],#96\n\tret\n\n.globl\t_sha1_block_data_order_hw\n.private_extern\t_sha1_block_data_order_hw\n\n.align\t6\n_sha1_block_data_order_hw:\n\t// Armv8.3-A PAuth: even though x30 is pushed to stack it is not popped later.\n\tAARCH64_VALID_CALL_TARGET\n\tstp\tx29,x30,[sp,#-16]!\n\tadd\tx29,sp,#0\n\n\tadrp\tx4,Lconst@PAGE\n\tadd\tx4,x4,Lconst@PAGEOFF\n\teor\tv1.16b,v1.16b,v1.16b\n\tld1\t{v0.4s},[x0],#16\n\tld1\t{v1.s}[0],[x0]\n\tsub\tx0,x0,#16\n\tld1\t{v16.4s,v17.4s,v18.4s,v19.4s},[x4]\n\nLoop_hw:\n\tld1\t{v4.16b,v5.16b,v6.16b,v7.16b},[x1],#64\n\tsub\tx2,x2,#1\n\trev32\tv4.16b,v4.16b\n\trev32\tv5.16b,v5.16b\n\n\tadd\tv20.4s,v16.4s,v4.4s\n\trev32\tv6.16b,v6.16b\n\torr\tv22.16b,v0.16b,v0.16b\t// offload\n\n\tadd\tv21.4s,v16.4s,v5.4s\n\trev32\tv7.16b,v7.16b\n.long\t0x5e280803\t//sha1h v3.16b,v0.16b\n.long\t0x5e140020\t//sha1c v0.16b,v1.16b,v20.4s\t\t// 0\n\tadd\tv20.4s,v16.4s,v6.4s\n.long\t0x5e0630a4\t//sha1su0 v4.16b,v5.16b,v6.16b\n.long\t0x5e280802\t//sha1h v2.16b,v0.16b\t\t// 1\n.long\t0x5e150060\t//sha1c v0.16b,v3.16b,v21.4s\n\tadd\tv21.4s,v16.4s,v7.4s\n.long\t0x5e2818e4\t//sha1su1 v4.16b,v7.16b\n.long\t0x5e0730c5\t//sha1su0 v5.16b,v6.16b,v7.16b\n.long\t0x5e280803\t//sha1h v3.16b,v0.16b\t\t// 2\n.long\t0x5e140040\t//sha1c v0.16b,v2.16b,v20.4s\n\tadd\tv20.4s,v16.4s,v4.4s\n.long\t0x5e281885\t//sha1su1 v5.16b,v4.16b\n.long\t0x5e0430e6\t//sha1su0 v6.16b,v7.16b,v4.16b\n.long\t0x5e280802\t//sha1h v2.16b,v0.16b\t\t// 3\n.long\t0x5e150060\t//sha1c v0.16b,v3.16b,v21.4s\n\tadd\tv21.4s,v17.4s,v5.4s\n.long\t0x5e2818a6\t//sha1su1 v6.16b,v5.16b\n.long\t0x5e053087\t//sha1su0 v7.16b,v4.16b,v5.16b\n.long\t0x5e280803\t//sha1h v3.16b,v0.16b\t\t// 4\n.long\t0x5e140040\t//sha1c v0.16b,v2.16b,v20.4s\n\tadd\tv20.4s,v17.4s,v6.4s\n.long\t0x5e2818c7\t//sha1su1 v7.16b,v6.16b\n.long\t0x5e0630a4\t//sha1su0 v4.16b,v5.16b,v6.16b\n.long\t0x5e280802\t//sha1h v2.16b,v0.16b\t\t// 5\n.long\t0x5e151060\t//sha1p v0.16b,v3.16b,v21.4s\n\tadd\tv21.4s,v17.4s,v7.4s\n.long\t0x5e2818e4\t//sha1su1 v4.16b,v7.16b\n.long\t0x5e0730c5\t//sha1su0 v5.16b,v6.16b,v7.16b\n.long\t0x5e280803\t//sha1h v3.16b,v0.16b\t\t// 6\n.long\t0x5e141040\t//sha1p v0.16b,v2.16b,v20.4s\n\tadd\tv20.4s,v17.4s,v4.4s\n.long\t0x5e281885\t//sha1su1 v5.16b,v4.16b\n.long\t0x5e0430e6\t//sha1su0 v6.16b,v7.16b,v4.16b\n.long\t0x5e280802\t//sha1h v2.16b,v0.16b\t\t// 7\n.long\t0x5e151060\t//sha1p v0.16b,v3.16b,v21.4s\n\tadd\tv21.4s,v17.4s,v5.4s\n.long\t0x5e2818a6\t//sha1su1 v6.16b,v5.16b\n.long\t0x5e053087\t//sha1su0 v7.16b,v4.16b,v5.16b\n.long\t0x5e280803\t//sha1h v3.16b,v0.16b\t\t// 8\n.long\t0x5e141040\t//sha1p v0.16b,v2.16b,v20.4s\n\tadd\tv20.4s,v18.4s,v6.4s\n.long\t0x5e2818c7\t//sha1su1 v7.16b,v6.16b\n.long\t0x5e0630a4\t//sha1su0 v4.16b,v5.16b,v6.16b\n.long\t0x5e280802\t//sha1h v2.16b,v0.16b\t\t// 9\n.long\t0x5e151060\t//sha1p v0.16b,v3.16b,v21.4s\n\tadd\tv21.4s,v18.4s,v7.4s\n.long\t0x5e2818e4\t//sha1su1 v4.16b,v7.16b\n.long\t0x5e0730c5\t//sha1su0 v5.16b,v6.16b,v7.16b\n.long\t0x5e280803\t//sha1h v3.16b,v0.16b\t\t// 10\n.long\t0x5e142040\t//sha1m v0.16b,v2.16b,v20.4s\n\tadd\tv20.4s,v18.4s,v4.4s\n.long\t0x5e281885\t//sha1su1 v5.16b,v4.16b\n.long\t0x5e0430e6\t//sha1su0 v6.16b,v7.16b,v4.16b\n.long\t0x5e280802\t//sha1h v2.16b,v0.16b\t\t// 11\n.long\t0x5e152060\t//sha1m v0.16b,v3.16b,v21.4s\n\tadd\tv21.4s,v18.4s,v5.4s\n.long\t0x5e2818a6\t//sha1su1 v6.16b,v5.16b\n.long\t0x5e053087\t//sha1su0 v7.16b,v4.16b,v5.16b\n.long\t0x5e280803\t//sha1h v3.16b,v0.16b\t\t// 12\n.long\t0x5e142040\t//sha1m v0.16b,v2.16b,v20.4s\n\tadd\tv20.4s,v18.4s,v6.4s\n.long\t0x5e2818c7\t//sha1su1 v7.16b,v6.16b\n.long\t0x5e0630a4\t//sha1su0 v4.16b,v5.16b,v6.16b\n.long\t0x5e280802\t//sha1h v2.16b,v0.16b\t\t// 13\n.long\t0x5e152060\t//sha1m v0.16b,v3.16b,v21.4s\n\tadd\tv21.4s,v19.4s,v7.4s\n.long\t0x5e2818e4\t//sha1su1 v4.16b,v7.16b\n.long\t0x5e0730c5\t//sha1su0 v5.16b,v6.16b,v7.16b\n.long\t0x5e280803\t//sha1h v3.16b,v0.16b\t\t// 14\n.long\t0x5e142040\t//sha1m v0.16b,v2.16b,v20.4s\n\tadd\tv20.4s,v19.4s,v4.4s\n.long\t0x5e281885\t//sha1su1 v5.16b,v4.16b\n.long\t0x5e0430e6\t//sha1su0 v6.16b,v7.16b,v4.16b\n.long\t0x5e280802\t//sha1h v2.16b,v0.16b\t\t// 15\n.long\t0x5e151060\t//sha1p v0.16b,v3.16b,v21.4s\n\tadd\tv21.4s,v19.4s,v5.4s\n.long\t0x5e2818a6\t//sha1su1 v6.16b,v5.16b\n.long\t0x5e053087\t//sha1su0 v7.16b,v4.16b,v5.16b\n.long\t0x5e280803\t//sha1h v3.16b,v0.16b\t\t// 16\n.long\t0x5e141040\t//sha1p v0.16b,v2.16b,v20.4s\n\tadd\tv20.4s,v19.4s,v6.4s\n.long\t0x5e2818c7\t//sha1su1 v7.16b,v6.16b\n.long\t0x5e280802\t//sha1h v2.16b,v0.16b\t\t// 17\n.long\t0x5e151060\t//sha1p v0.16b,v3.16b,v21.4s\n\tadd\tv21.4s,v19.4s,v7.4s\n\n.long\t0x5e280803\t//sha1h v3.16b,v0.16b\t\t// 18\n.long\t0x5e141040\t//sha1p v0.16b,v2.16b,v20.4s\n\n.long\t0x5e280802\t//sha1h v2.16b,v0.16b\t\t// 19\n.long\t0x5e151060\t//sha1p v0.16b,v3.16b,v21.4s\n\n\tadd\tv1.4s,v1.4s,v2.4s\n\tadd\tv0.4s,v0.4s,v22.4s\n\n\tcbnz\tx2,Loop_hw\n\n\tst1\t{v0.4s},[x0],#16\n\tst1\t{v1.s}[0],[x0]\n\n\tldr\tx29,[sp],#16\n\tret\n\n.section\t__TEXT,__const\n.align\t6\nLconst:\n.long\t0x5a827999,0x5a827999,0x5a827999,0x5a827999\t//K_00_19\n.long\t0x6ed9eba1,0x6ed9eba1,0x6ed9eba1,0x6ed9eba1\t//K_20_39\n.long\t0x8f1bbcdc,0x8f1bbcdc,0x8f1bbcdc,0x8f1bbcdc\t//K_40_59\n.long\t0xca62c1d6,0xca62c1d6,0xca62c1d6,0xca62c1d6\t//K_60_79\n.byte\t83,72,65,49,32,98,108,111,99,107,32,116,114,97,110,115,102,111,114,109,32,102,111,114,32,65,82,77,118,56,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0\n.align\t2\n.align\t2\n#endif // !OPENSSL_NO_ASM && defined(OPENSSL_AARCH64) && defined(__APPLE__)\n#if defined(__linux__) && defined(__ELF__)\n.section .note.GNU-stack,\"\",%progbits\n#endif\n\n" }, { "path": "Sources/CNIOBoringSSL/gen/bcm/sha1-armv8-linux.S", "content": "#define BORINGSSL_PREFIX CNIOBoringSSL\n// This file is generated from a similarly-named Perl script in the BoringSSL\n// source tree. Do not edit by hand.\n\n#include \n\n#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_AARCH64) && defined(__ELF__)\n#include \n\n.text\n\n.globl\tsha1_block_data_order_nohw\n.hidden\tsha1_block_data_order_nohw\n.type\tsha1_block_data_order_nohw,%function\n.align\t6\nsha1_block_data_order_nohw:\n\t// Armv8.3-A PAuth: even though x30 is pushed to stack it is not popped later.\n\tAARCH64_VALID_CALL_TARGET\n\n\tstp\tx29,x30,[sp,#-96]!\n\tadd\tx29,sp,#0\n\tstp\tx19,x20,[sp,#16]\n\tstp\tx21,x22,[sp,#32]\n\tstp\tx23,x24,[sp,#48]\n\tstp\tx25,x26,[sp,#64]\n\tstp\tx27,x28,[sp,#80]\n\n\tldp\tw20,w21,[x0]\n\tldp\tw22,w23,[x0,#8]\n\tldr\tw24,[x0,#16]\n\n.Loop:\n\tldr\tx3,[x1],#64\n\tmovz\tw28,#0x7999\n\tsub\tx2,x2,#1\n\tmovk\tw28,#0x5a82,lsl#16\n#ifdef\t__AARCH64EB__\n\tror\tx3,x3,#32\n#else\n\trev32\tx3,x3\n#endif\n\tadd\tw24,w24,w28\t\t// warm it up\n\tadd\tw24,w24,w3\n\tlsr\tx4,x3,#32\n\tldr\tx5,[x1,#-56]\n\tbic\tw25,w23,w21\n\tand\tw26,w22,w21\n\tror\tw27,w20,#27\n\tadd\tw23,w23,w28\t\t// future e+=K\n\torr\tw25,w25,w26\n\tadd\tw24,w24,w27\t\t// e+=rot(a,5)\n\tror\tw21,w21,#2\n\tadd\tw23,w23,w4\t// future e+=X[i]\n\tadd\tw24,w24,w25\t\t// e+=F(b,c,d)\n#ifdef\t__AARCH64EB__\n\tror\tx5,x5,#32\n#else\n\trev32\tx5,x5\n#endif\n\tbic\tw25,w22,w20\n\tand\tw26,w21,w20\n\tror\tw27,w24,#27\n\tadd\tw22,w22,w28\t\t// future e+=K\n\torr\tw25,w25,w26\n\tadd\tw23,w23,w27\t\t// e+=rot(a,5)\n\tror\tw20,w20,#2\n\tadd\tw22,w22,w5\t// future e+=X[i]\n\tadd\tw23,w23,w25\t\t// e+=F(b,c,d)\n\tlsr\tx6,x5,#32\n\tldr\tx7,[x1,#-48]\n\tbic\tw25,w21,w24\n\tand\tw26,w20,w24\n\tror\tw27,w23,#27\n\tadd\tw21,w21,w28\t\t// future e+=K\n\torr\tw25,w25,w26\n\tadd\tw22,w22,w27\t\t// e+=rot(a,5)\n\tror\tw24,w24,#2\n\tadd\tw21,w21,w6\t// future e+=X[i]\n\tadd\tw22,w22,w25\t\t// e+=F(b,c,d)\n#ifdef\t__AARCH64EB__\n\tror\tx7,x7,#32\n#else\n\trev32\tx7,x7\n#endif\n\tbic\tw25,w20,w23\n\tand\tw26,w24,w23\n\tror\tw27,w22,#27\n\tadd\tw20,w20,w28\t\t// future e+=K\n\torr\tw25,w25,w26\n\tadd\tw21,w21,w27\t\t// e+=rot(a,5)\n\tror\tw23,w23,#2\n\tadd\tw20,w20,w7\t// future e+=X[i]\n\tadd\tw21,w21,w25\t\t// e+=F(b,c,d)\n\tlsr\tx8,x7,#32\n\tldr\tx9,[x1,#-40]\n\tbic\tw25,w24,w22\n\tand\tw26,w23,w22\n\tror\tw27,w21,#27\n\tadd\tw24,w24,w28\t\t// future e+=K\n\torr\tw25,w25,w26\n\tadd\tw20,w20,w27\t\t// e+=rot(a,5)\n\tror\tw22,w22,#2\n\tadd\tw24,w24,w8\t// future e+=X[i]\n\tadd\tw20,w20,w25\t\t// e+=F(b,c,d)\n#ifdef\t__AARCH64EB__\n\tror\tx9,x9,#32\n#else\n\trev32\tx9,x9\n#endif\n\tbic\tw25,w23,w21\n\tand\tw26,w22,w21\n\tror\tw27,w20,#27\n\tadd\tw23,w23,w28\t\t// future e+=K\n\torr\tw25,w25,w26\n\tadd\tw24,w24,w27\t\t// e+=rot(a,5)\n\tror\tw21,w21,#2\n\tadd\tw23,w23,w9\t// future e+=X[i]\n\tadd\tw24,w24,w25\t\t// e+=F(b,c,d)\n\tlsr\tx10,x9,#32\n\tldr\tx11,[x1,#-32]\n\tbic\tw25,w22,w20\n\tand\tw26,w21,w20\n\tror\tw27,w24,#27\n\tadd\tw22,w22,w28\t\t// future e+=K\n\torr\tw25,w25,w26\n\tadd\tw23,w23,w27\t\t// e+=rot(a,5)\n\tror\tw20,w20,#2\n\tadd\tw22,w22,w10\t// future e+=X[i]\n\tadd\tw23,w23,w25\t\t// e+=F(b,c,d)\n#ifdef\t__AARCH64EB__\n\tror\tx11,x11,#32\n#else\n\trev32\tx11,x11\n#endif\n\tbic\tw25,w21,w24\n\tand\tw26,w20,w24\n\tror\tw27,w23,#27\n\tadd\tw21,w21,w28\t\t// future e+=K\n\torr\tw25,w25,w26\n\tadd\tw22,w22,w27\t\t// e+=rot(a,5)\n\tror\tw24,w24,#2\n\tadd\tw21,w21,w11\t// future e+=X[i]\n\tadd\tw22,w22,w25\t\t// e+=F(b,c,d)\n\tlsr\tx12,x11,#32\n\tldr\tx13,[x1,#-24]\n\tbic\tw25,w20,w23\n\tand\tw26,w24,w23\n\tror\tw27,w22,#27\n\tadd\tw20,w20,w28\t\t// future e+=K\n\torr\tw25,w25,w26\n\tadd\tw21,w21,w27\t\t// e+=rot(a,5)\n\tror\tw23,w23,#2\n\tadd\tw20,w20,w12\t// future e+=X[i]\n\tadd\tw21,w21,w25\t\t// e+=F(b,c,d)\n#ifdef\t__AARCH64EB__\n\tror\tx13,x13,#32\n#else\n\trev32\tx13,x13\n#endif\n\tbic\tw25,w24,w22\n\tand\tw26,w23,w22\n\tror\tw27,w21,#27\n\tadd\tw24,w24,w28\t\t// future e+=K\n\torr\tw25,w25,w26\n\tadd\tw20,w20,w27\t\t// e+=rot(a,5)\n\tror\tw22,w22,#2\n\tadd\tw24,w24,w13\t// future e+=X[i]\n\tadd\tw20,w20,w25\t\t// e+=F(b,c,d)\n\tlsr\tx14,x13,#32\n\tldr\tx15,[x1,#-16]\n\tbic\tw25,w23,w21\n\tand\tw26,w22,w21\n\tror\tw27,w20,#27\n\tadd\tw23,w23,w28\t\t// future e+=K\n\torr\tw25,w25,w26\n\tadd\tw24,w24,w27\t\t// e+=rot(a,5)\n\tror\tw21,w21,#2\n\tadd\tw23,w23,w14\t// future e+=X[i]\n\tadd\tw24,w24,w25\t\t// e+=F(b,c,d)\n#ifdef\t__AARCH64EB__\n\tror\tx15,x15,#32\n#else\n\trev32\tx15,x15\n#endif\n\tbic\tw25,w22,w20\n\tand\tw26,w21,w20\n\tror\tw27,w24,#27\n\tadd\tw22,w22,w28\t\t// future e+=K\n\torr\tw25,w25,w26\n\tadd\tw23,w23,w27\t\t// e+=rot(a,5)\n\tror\tw20,w20,#2\n\tadd\tw22,w22,w15\t// future e+=X[i]\n\tadd\tw23,w23,w25\t\t// e+=F(b,c,d)\n\tlsr\tx16,x15,#32\n\tldr\tx17,[x1,#-8]\n\tbic\tw25,w21,w24\n\tand\tw26,w20,w24\n\tror\tw27,w23,#27\n\tadd\tw21,w21,w28\t\t// future e+=K\n\torr\tw25,w25,w26\n\tadd\tw22,w22,w27\t\t// e+=rot(a,5)\n\tror\tw24,w24,#2\n\tadd\tw21,w21,w16\t// future e+=X[i]\n\tadd\tw22,w22,w25\t\t// e+=F(b,c,d)\n#ifdef\t__AARCH64EB__\n\tror\tx17,x17,#32\n#else\n\trev32\tx17,x17\n#endif\n\tbic\tw25,w20,w23\n\tand\tw26,w24,w23\n\tror\tw27,w22,#27\n\tadd\tw20,w20,w28\t\t// future e+=K\n\torr\tw25,w25,w26\n\tadd\tw21,w21,w27\t\t// e+=rot(a,5)\n\tror\tw23,w23,#2\n\tadd\tw20,w20,w17\t// future e+=X[i]\n\tadd\tw21,w21,w25\t\t// e+=F(b,c,d)\n\tlsr\tx19,x17,#32\n\teor\tw3,w3,w5\n\tbic\tw25,w24,w22\n\tand\tw26,w23,w22\n\tror\tw27,w21,#27\n\teor\tw3,w3,w11\n\tadd\tw24,w24,w28\t\t// future e+=K\n\torr\tw25,w25,w26\n\tadd\tw20,w20,w27\t\t// e+=rot(a,5)\n\teor\tw3,w3,w16\n\tror\tw22,w22,#2\n\tadd\tw24,w24,w19\t// future e+=X[i]\n\tadd\tw20,w20,w25\t\t// e+=F(b,c,d)\n\tror\tw3,w3,#31\n\teor\tw4,w4,w6\n\tbic\tw25,w23,w21\n\tand\tw26,w22,w21\n\tror\tw27,w20,#27\n\teor\tw4,w4,w12\n\tadd\tw23,w23,w28\t\t// future e+=K\n\torr\tw25,w25,w26\n\tadd\tw24,w24,w27\t\t// e+=rot(a,5)\n\teor\tw4,w4,w17\n\tror\tw21,w21,#2\n\tadd\tw23,w23,w3\t// future e+=X[i]\n\tadd\tw24,w24,w25\t\t// e+=F(b,c,d)\n\tror\tw4,w4,#31\n\teor\tw5,w5,w7\n\tbic\tw25,w22,w20\n\tand\tw26,w21,w20\n\tror\tw27,w24,#27\n\teor\tw5,w5,w13\n\tadd\tw22,w22,w28\t\t// future e+=K\n\torr\tw25,w25,w26\n\tadd\tw23,w23,w27\t\t// e+=rot(a,5)\n\teor\tw5,w5,w19\n\tror\tw20,w20,#2\n\tadd\tw22,w22,w4\t// future e+=X[i]\n\tadd\tw23,w23,w25\t\t// e+=F(b,c,d)\n\tror\tw5,w5,#31\n\teor\tw6,w6,w8\n\tbic\tw25,w21,w24\n\tand\tw26,w20,w24\n\tror\tw27,w23,#27\n\teor\tw6,w6,w14\n\tadd\tw21,w21,w28\t\t// future e+=K\n\torr\tw25,w25,w26\n\tadd\tw22,w22,w27\t\t// e+=rot(a,5)\n\teor\tw6,w6,w3\n\tror\tw24,w24,#2\n\tadd\tw21,w21,w5\t// future e+=X[i]\n\tadd\tw22,w22,w25\t\t// e+=F(b,c,d)\n\tror\tw6,w6,#31\n\teor\tw7,w7,w9\n\tbic\tw25,w20,w23\n\tand\tw26,w24,w23\n\tror\tw27,w22,#27\n\teor\tw7,w7,w15\n\tadd\tw20,w20,w28\t\t// future e+=K\n\torr\tw25,w25,w26\n\tadd\tw21,w21,w27\t\t// e+=rot(a,5)\n\teor\tw7,w7,w4\n\tror\tw23,w23,#2\n\tadd\tw20,w20,w6\t// future e+=X[i]\n\tadd\tw21,w21,w25\t\t// e+=F(b,c,d)\n\tror\tw7,w7,#31\n\tmovz\tw28,#0xeba1\n\tmovk\tw28,#0x6ed9,lsl#16\n\teor\tw8,w8,w10\n\tbic\tw25,w24,w22\n\tand\tw26,w23,w22\n\tror\tw27,w21,#27\n\teor\tw8,w8,w16\n\tadd\tw24,w24,w28\t\t// future e+=K\n\torr\tw25,w25,w26\n\tadd\tw20,w20,w27\t\t// e+=rot(a,5)\n\teor\tw8,w8,w5\n\tror\tw22,w22,#2\n\tadd\tw24,w24,w7\t// future e+=X[i]\n\tadd\tw20,w20,w25\t\t// e+=F(b,c,d)\n\tror\tw8,w8,#31\n\teor\tw9,w9,w11\n\teor\tw25,w23,w21\n\tror\tw27,w20,#27\n\tadd\tw23,w23,w28\t\t// future e+=K\n\teor\tw9,w9,w17\n\teor\tw25,w25,w22\n\tadd\tw24,w24,w27\t\t// e+=rot(a,5)\n\tror\tw21,w21,#2\n\teor\tw9,w9,w6\n\tadd\tw23,w23,w8\t// future e+=X[i]\n\tadd\tw24,w24,w25\t\t// e+=F(b,c,d)\n\tror\tw9,w9,#31\n\teor\tw10,w10,w12\n\teor\tw25,w22,w20\n\tror\tw27,w24,#27\n\tadd\tw22,w22,w28\t\t// future e+=K\n\teor\tw10,w10,w19\n\teor\tw25,w25,w21\n\tadd\tw23,w23,w27\t\t// e+=rot(a,5)\n\tror\tw20,w20,#2\n\teor\tw10,w10,w7\n\tadd\tw22,w22,w9\t// future e+=X[i]\n\tadd\tw23,w23,w25\t\t// e+=F(b,c,d)\n\tror\tw10,w10,#31\n\teor\tw11,w11,w13\n\teor\tw25,w21,w24\n\tror\tw27,w23,#27\n\tadd\tw21,w21,w28\t\t// future e+=K\n\teor\tw11,w11,w3\n\teor\tw25,w25,w20\n\tadd\tw22,w22,w27\t\t// e+=rot(a,5)\n\tror\tw24,w24,#2\n\teor\tw11,w11,w8\n\tadd\tw21,w21,w10\t// future e+=X[i]\n\tadd\tw22,w22,w25\t\t// e+=F(b,c,d)\n\tror\tw11,w11,#31\n\teor\tw12,w12,w14\n\teor\tw25,w20,w23\n\tror\tw27,w22,#27\n\tadd\tw20,w20,w28\t\t// future e+=K\n\teor\tw12,w12,w4\n\teor\tw25,w25,w24\n\tadd\tw21,w21,w27\t\t// e+=rot(a,5)\n\tror\tw23,w23,#2\n\teor\tw12,w12,w9\n\tadd\tw20,w20,w11\t// future e+=X[i]\n\tadd\tw21,w21,w25\t\t// e+=F(b,c,d)\n\tror\tw12,w12,#31\n\teor\tw13,w13,w15\n\teor\tw25,w24,w22\n\tror\tw27,w21,#27\n\tadd\tw24,w24,w28\t\t// future e+=K\n\teor\tw13,w13,w5\n\teor\tw25,w25,w23\n\tadd\tw20,w20,w27\t\t// e+=rot(a,5)\n\tror\tw22,w22,#2\n\teor\tw13,w13,w10\n\tadd\tw24,w24,w12\t// future e+=X[i]\n\tadd\tw20,w20,w25\t\t// e+=F(b,c,d)\n\tror\tw13,w13,#31\n\teor\tw14,w14,w16\n\teor\tw25,w23,w21\n\tror\tw27,w20,#27\n\tadd\tw23,w23,w28\t\t// future e+=K\n\teor\tw14,w14,w6\n\teor\tw25,w25,w22\n\tadd\tw24,w24,w27\t\t// e+=rot(a,5)\n\tror\tw21,w21,#2\n\teor\tw14,w14,w11\n\tadd\tw23,w23,w13\t// future e+=X[i]\n\tadd\tw24,w24,w25\t\t// e+=F(b,c,d)\n\tror\tw14,w14,#31\n\teor\tw15,w15,w17\n\teor\tw25,w22,w20\n\tror\tw27,w24,#27\n\tadd\tw22,w22,w28\t\t// future e+=K\n\teor\tw15,w15,w7\n\teor\tw25,w25,w21\n\tadd\tw23,w23,w27\t\t// e+=rot(a,5)\n\tror\tw20,w20,#2\n\teor\tw15,w15,w12\n\tadd\tw22,w22,w14\t// future e+=X[i]\n\tadd\tw23,w23,w25\t\t// e+=F(b,c,d)\n\tror\tw15,w15,#31\n\teor\tw16,w16,w19\n\teor\tw25,w21,w24\n\tror\tw27,w23,#27\n\tadd\tw21,w21,w28\t\t// future e+=K\n\teor\tw16,w16,w8\n\teor\tw25,w25,w20\n\tadd\tw22,w22,w27\t\t// e+=rot(a,5)\n\tror\tw24,w24,#2\n\teor\tw16,w16,w13\n\tadd\tw21,w21,w15\t// future e+=X[i]\n\tadd\tw22,w22,w25\t\t// e+=F(b,c,d)\n\tror\tw16,w16,#31\n\teor\tw17,w17,w3\n\teor\tw25,w20,w23\n\tror\tw27,w22,#27\n\tadd\tw20,w20,w28\t\t// future e+=K\n\teor\tw17,w17,w9\n\teor\tw25,w25,w24\n\tadd\tw21,w21,w27\t\t// e+=rot(a,5)\n\tror\tw23,w23,#2\n\teor\tw17,w17,w14\n\tadd\tw20,w20,w16\t// future e+=X[i]\n\tadd\tw21,w21,w25\t\t// e+=F(b,c,d)\n\tror\tw17,w17,#31\n\teor\tw19,w19,w4\n\teor\tw25,w24,w22\n\tror\tw27,w21,#27\n\tadd\tw24,w24,w28\t\t// future e+=K\n\teor\tw19,w19,w10\n\teor\tw25,w25,w23\n\tadd\tw20,w20,w27\t\t// e+=rot(a,5)\n\tror\tw22,w22,#2\n\teor\tw19,w19,w15\n\tadd\tw24,w24,w17\t// future e+=X[i]\n\tadd\tw20,w20,w25\t\t// e+=F(b,c,d)\n\tror\tw19,w19,#31\n\teor\tw3,w3,w5\n\teor\tw25,w23,w21\n\tror\tw27,w20,#27\n\tadd\tw23,w23,w28\t\t// future e+=K\n\teor\tw3,w3,w11\n\teor\tw25,w25,w22\n\tadd\tw24,w24,w27\t\t// e+=rot(a,5)\n\tror\tw21,w21,#2\n\teor\tw3,w3,w16\n\tadd\tw23,w23,w19\t// future e+=X[i]\n\tadd\tw24,w24,w25\t\t// e+=F(b,c,d)\n\tror\tw3,w3,#31\n\teor\tw4,w4,w6\n\teor\tw25,w22,w20\n\tror\tw27,w24,#27\n\tadd\tw22,w22,w28\t\t// future e+=K\n\teor\tw4,w4,w12\n\teor\tw25,w25,w21\n\tadd\tw23,w23,w27\t\t// e+=rot(a,5)\n\tror\tw20,w20,#2\n\teor\tw4,w4,w17\n\tadd\tw22,w22,w3\t// future e+=X[i]\n\tadd\tw23,w23,w25\t\t// e+=F(b,c,d)\n\tror\tw4,w4,#31\n\teor\tw5,w5,w7\n\teor\tw25,w21,w24\n\tror\tw27,w23,#27\n\tadd\tw21,w21,w28\t\t// future e+=K\n\teor\tw5,w5,w13\n\teor\tw25,w25,w20\n\tadd\tw22,w22,w27\t\t// e+=rot(a,5)\n\tror\tw24,w24,#2\n\teor\tw5,w5,w19\n\tadd\tw21,w21,w4\t// future e+=X[i]\n\tadd\tw22,w22,w25\t\t// e+=F(b,c,d)\n\tror\tw5,w5,#31\n\teor\tw6,w6,w8\n\teor\tw25,w20,w23\n\tror\tw27,w22,#27\n\tadd\tw20,w20,w28\t\t// future e+=K\n\teor\tw6,w6,w14\n\teor\tw25,w25,w24\n\tadd\tw21,w21,w27\t\t// e+=rot(a,5)\n\tror\tw23,w23,#2\n\teor\tw6,w6,w3\n\tadd\tw20,w20,w5\t// future e+=X[i]\n\tadd\tw21,w21,w25\t\t// e+=F(b,c,d)\n\tror\tw6,w6,#31\n\teor\tw7,w7,w9\n\teor\tw25,w24,w22\n\tror\tw27,w21,#27\n\tadd\tw24,w24,w28\t\t// future e+=K\n\teor\tw7,w7,w15\n\teor\tw25,w25,w23\n\tadd\tw20,w20,w27\t\t// e+=rot(a,5)\n\tror\tw22,w22,#2\n\teor\tw7,w7,w4\n\tadd\tw24,w24,w6\t// future e+=X[i]\n\tadd\tw20,w20,w25\t\t// e+=F(b,c,d)\n\tror\tw7,w7,#31\n\teor\tw8,w8,w10\n\teor\tw25,w23,w21\n\tror\tw27,w20,#27\n\tadd\tw23,w23,w28\t\t// future e+=K\n\teor\tw8,w8,w16\n\teor\tw25,w25,w22\n\tadd\tw24,w24,w27\t\t// e+=rot(a,5)\n\tror\tw21,w21,#2\n\teor\tw8,w8,w5\n\tadd\tw23,w23,w7\t// future e+=X[i]\n\tadd\tw24,w24,w25\t\t// e+=F(b,c,d)\n\tror\tw8,w8,#31\n\teor\tw9,w9,w11\n\teor\tw25,w22,w20\n\tror\tw27,w24,#27\n\tadd\tw22,w22,w28\t\t// future e+=K\n\teor\tw9,w9,w17\n\teor\tw25,w25,w21\n\tadd\tw23,w23,w27\t\t// e+=rot(a,5)\n\tror\tw20,w20,#2\n\teor\tw9,w9,w6\n\tadd\tw22,w22,w8\t// future e+=X[i]\n\tadd\tw23,w23,w25\t\t// e+=F(b,c,d)\n\tror\tw9,w9,#31\n\teor\tw10,w10,w12\n\teor\tw25,w21,w24\n\tror\tw27,w23,#27\n\tadd\tw21,w21,w28\t\t// future e+=K\n\teor\tw10,w10,w19\n\teor\tw25,w25,w20\n\tadd\tw22,w22,w27\t\t// e+=rot(a,5)\n\tror\tw24,w24,#2\n\teor\tw10,w10,w7\n\tadd\tw21,w21,w9\t// future e+=X[i]\n\tadd\tw22,w22,w25\t\t// e+=F(b,c,d)\n\tror\tw10,w10,#31\n\teor\tw11,w11,w13\n\teor\tw25,w20,w23\n\tror\tw27,w22,#27\n\tadd\tw20,w20,w28\t\t// future e+=K\n\teor\tw11,w11,w3\n\teor\tw25,w25,w24\n\tadd\tw21,w21,w27\t\t// e+=rot(a,5)\n\tror\tw23,w23,#2\n\teor\tw11,w11,w8\n\tadd\tw20,w20,w10\t// future e+=X[i]\n\tadd\tw21,w21,w25\t\t// e+=F(b,c,d)\n\tror\tw11,w11,#31\n\tmovz\tw28,#0xbcdc\n\tmovk\tw28,#0x8f1b,lsl#16\n\teor\tw12,w12,w14\n\teor\tw25,w24,w22\n\tror\tw27,w21,#27\n\tadd\tw24,w24,w28\t\t// future e+=K\n\teor\tw12,w12,w4\n\teor\tw25,w25,w23\n\tadd\tw20,w20,w27\t\t// e+=rot(a,5)\n\tror\tw22,w22,#2\n\teor\tw12,w12,w9\n\tadd\tw24,w24,w11\t// future e+=X[i]\n\tadd\tw20,w20,w25\t\t// e+=F(b,c,d)\n\tror\tw12,w12,#31\n\torr\tw25,w21,w22\n\tand\tw26,w21,w22\n\teor\tw13,w13,w15\n\tror\tw27,w20,#27\n\tand\tw25,w25,w23\n\tadd\tw23,w23,w28\t\t// future e+=K\n\teor\tw13,w13,w5\n\tadd\tw24,w24,w27\t\t// e+=rot(a,5)\n\torr\tw25,w25,w26\n\tror\tw21,w21,#2\n\teor\tw13,w13,w10\n\tadd\tw23,w23,w12\t// future e+=X[i]\n\tadd\tw24,w24,w25\t\t// e+=F(b,c,d)\n\tror\tw13,w13,#31\n\torr\tw25,w20,w21\n\tand\tw26,w20,w21\n\teor\tw14,w14,w16\n\tror\tw27,w24,#27\n\tand\tw25,w25,w22\n\tadd\tw22,w22,w28\t\t// future e+=K\n\teor\tw14,w14,w6\n\tadd\tw23,w23,w27\t\t// e+=rot(a,5)\n\torr\tw25,w25,w26\n\tror\tw20,w20,#2\n\teor\tw14,w14,w11\n\tadd\tw22,w22,w13\t// future e+=X[i]\n\tadd\tw23,w23,w25\t\t// e+=F(b,c,d)\n\tror\tw14,w14,#31\n\torr\tw25,w24,w20\n\tand\tw26,w24,w20\n\teor\tw15,w15,w17\n\tror\tw27,w23,#27\n\tand\tw25,w25,w21\n\tadd\tw21,w21,w28\t\t// future e+=K\n\teor\tw15,w15,w7\n\tadd\tw22,w22,w27\t\t// e+=rot(a,5)\n\torr\tw25,w25,w26\n\tror\tw24,w24,#2\n\teor\tw15,w15,w12\n\tadd\tw21,w21,w14\t// future e+=X[i]\n\tadd\tw22,w22,w25\t\t// e+=F(b,c,d)\n\tror\tw15,w15,#31\n\torr\tw25,w23,w24\n\tand\tw26,w23,w24\n\teor\tw16,w16,w19\n\tror\tw27,w22,#27\n\tand\tw25,w25,w20\n\tadd\tw20,w20,w28\t\t// future e+=K\n\teor\tw16,w16,w8\n\tadd\tw21,w21,w27\t\t// e+=rot(a,5)\n\torr\tw25,w25,w26\n\tror\tw23,w23,#2\n\teor\tw16,w16,w13\n\tadd\tw20,w20,w15\t// future e+=X[i]\n\tadd\tw21,w21,w25\t\t// e+=F(b,c,d)\n\tror\tw16,w16,#31\n\torr\tw25,w22,w23\n\tand\tw26,w22,w23\n\teor\tw17,w17,w3\n\tror\tw27,w21,#27\n\tand\tw25,w25,w24\n\tadd\tw24,w24,w28\t\t// future e+=K\n\teor\tw17,w17,w9\n\tadd\tw20,w20,w27\t\t// e+=rot(a,5)\n\torr\tw25,w25,w26\n\tror\tw22,w22,#2\n\teor\tw17,w17,w14\n\tadd\tw24,w24,w16\t// future e+=X[i]\n\tadd\tw20,w20,w25\t\t// e+=F(b,c,d)\n\tror\tw17,w17,#31\n\torr\tw25,w21,w22\n\tand\tw26,w21,w22\n\teor\tw19,w19,w4\n\tror\tw27,w20,#27\n\tand\tw25,w25,w23\n\tadd\tw23,w23,w28\t\t// future e+=K\n\teor\tw19,w19,w10\n\tadd\tw24,w24,w27\t\t// e+=rot(a,5)\n\torr\tw25,w25,w26\n\tror\tw21,w21,#2\n\teor\tw19,w19,w15\n\tadd\tw23,w23,w17\t// future e+=X[i]\n\tadd\tw24,w24,w25\t\t// e+=F(b,c,d)\n\tror\tw19,w19,#31\n\torr\tw25,w20,w21\n\tand\tw26,w20,w21\n\teor\tw3,w3,w5\n\tror\tw27,w24,#27\n\tand\tw25,w25,w22\n\tadd\tw22,w22,w28\t\t// future e+=K\n\teor\tw3,w3,w11\n\tadd\tw23,w23,w27\t\t// e+=rot(a,5)\n\torr\tw25,w25,w26\n\tror\tw20,w20,#2\n\teor\tw3,w3,w16\n\tadd\tw22,w22,w19\t// future e+=X[i]\n\tadd\tw23,w23,w25\t\t// e+=F(b,c,d)\n\tror\tw3,w3,#31\n\torr\tw25,w24,w20\n\tand\tw26,w24,w20\n\teor\tw4,w4,w6\n\tror\tw27,w23,#27\n\tand\tw25,w25,w21\n\tadd\tw21,w21,w28\t\t// future e+=K\n\teor\tw4,w4,w12\n\tadd\tw22,w22,w27\t\t// e+=rot(a,5)\n\torr\tw25,w25,w26\n\tror\tw24,w24,#2\n\teor\tw4,w4,w17\n\tadd\tw21,w21,w3\t// future e+=X[i]\n\tadd\tw22,w22,w25\t\t// e+=F(b,c,d)\n\tror\tw4,w4,#31\n\torr\tw25,w23,w24\n\tand\tw26,w23,w24\n\teor\tw5,w5,w7\n\tror\tw27,w22,#27\n\tand\tw25,w25,w20\n\tadd\tw20,w20,w28\t\t// future e+=K\n\teor\tw5,w5,w13\n\tadd\tw21,w21,w27\t\t// e+=rot(a,5)\n\torr\tw25,w25,w26\n\tror\tw23,w23,#2\n\teor\tw5,w5,w19\n\tadd\tw20,w20,w4\t// future e+=X[i]\n\tadd\tw21,w21,w25\t\t// e+=F(b,c,d)\n\tror\tw5,w5,#31\n\torr\tw25,w22,w23\n\tand\tw26,w22,w23\n\teor\tw6,w6,w8\n\tror\tw27,w21,#27\n\tand\tw25,w25,w24\n\tadd\tw24,w24,w28\t\t// future e+=K\n\teor\tw6,w6,w14\n\tadd\tw20,w20,w27\t\t// e+=rot(a,5)\n\torr\tw25,w25,w26\n\tror\tw22,w22,#2\n\teor\tw6,w6,w3\n\tadd\tw24,w24,w5\t// future e+=X[i]\n\tadd\tw20,w20,w25\t\t// e+=F(b,c,d)\n\tror\tw6,w6,#31\n\torr\tw25,w21,w22\n\tand\tw26,w21,w22\n\teor\tw7,w7,w9\n\tror\tw27,w20,#27\n\tand\tw25,w25,w23\n\tadd\tw23,w23,w28\t\t// future e+=K\n\teor\tw7,w7,w15\n\tadd\tw24,w24,w27\t\t// e+=rot(a,5)\n\torr\tw25,w25,w26\n\tror\tw21,w21,#2\n\teor\tw7,w7,w4\n\tadd\tw23,w23,w6\t// future e+=X[i]\n\tadd\tw24,w24,w25\t\t// e+=F(b,c,d)\n\tror\tw7,w7,#31\n\torr\tw25,w20,w21\n\tand\tw26,w20,w21\n\teor\tw8,w8,w10\n\tror\tw27,w24,#27\n\tand\tw25,w25,w22\n\tadd\tw22,w22,w28\t\t// future e+=K\n\teor\tw8,w8,w16\n\tadd\tw23,w23,w27\t\t// e+=rot(a,5)\n\torr\tw25,w25,w26\n\tror\tw20,w20,#2\n\teor\tw8,w8,w5\n\tadd\tw22,w22,w7\t// future e+=X[i]\n\tadd\tw23,w23,w25\t\t// e+=F(b,c,d)\n\tror\tw8,w8,#31\n\torr\tw25,w24,w20\n\tand\tw26,w24,w20\n\teor\tw9,w9,w11\n\tror\tw27,w23,#27\n\tand\tw25,w25,w21\n\tadd\tw21,w21,w28\t\t// future e+=K\n\teor\tw9,w9,w17\n\tadd\tw22,w22,w27\t\t// e+=rot(a,5)\n\torr\tw25,w25,w26\n\tror\tw24,w24,#2\n\teor\tw9,w9,w6\n\tadd\tw21,w21,w8\t// future e+=X[i]\n\tadd\tw22,w22,w25\t\t// e+=F(b,c,d)\n\tror\tw9,w9,#31\n\torr\tw25,w23,w24\n\tand\tw26,w23,w24\n\teor\tw10,w10,w12\n\tror\tw27,w22,#27\n\tand\tw25,w25,w20\n\tadd\tw20,w20,w28\t\t// future e+=K\n\teor\tw10,w10,w19\n\tadd\tw21,w21,w27\t\t// e+=rot(a,5)\n\torr\tw25,w25,w26\n\tror\tw23,w23,#2\n\teor\tw10,w10,w7\n\tadd\tw20,w20,w9\t// future e+=X[i]\n\tadd\tw21,w21,w25\t\t// e+=F(b,c,d)\n\tror\tw10,w10,#31\n\torr\tw25,w22,w23\n\tand\tw26,w22,w23\n\teor\tw11,w11,w13\n\tror\tw27,w21,#27\n\tand\tw25,w25,w24\n\tadd\tw24,w24,w28\t\t// future e+=K\n\teor\tw11,w11,w3\n\tadd\tw20,w20,w27\t\t// e+=rot(a,5)\n\torr\tw25,w25,w26\n\tror\tw22,w22,#2\n\teor\tw11,w11,w8\n\tadd\tw24,w24,w10\t// future e+=X[i]\n\tadd\tw20,w20,w25\t\t// e+=F(b,c,d)\n\tror\tw11,w11,#31\n\torr\tw25,w21,w22\n\tand\tw26,w21,w22\n\teor\tw12,w12,w14\n\tror\tw27,w20,#27\n\tand\tw25,w25,w23\n\tadd\tw23,w23,w28\t\t// future e+=K\n\teor\tw12,w12,w4\n\tadd\tw24,w24,w27\t\t// e+=rot(a,5)\n\torr\tw25,w25,w26\n\tror\tw21,w21,#2\n\teor\tw12,w12,w9\n\tadd\tw23,w23,w11\t// future e+=X[i]\n\tadd\tw24,w24,w25\t\t// e+=F(b,c,d)\n\tror\tw12,w12,#31\n\torr\tw25,w20,w21\n\tand\tw26,w20,w21\n\teor\tw13,w13,w15\n\tror\tw27,w24,#27\n\tand\tw25,w25,w22\n\tadd\tw22,w22,w28\t\t// future e+=K\n\teor\tw13,w13,w5\n\tadd\tw23,w23,w27\t\t// e+=rot(a,5)\n\torr\tw25,w25,w26\n\tror\tw20,w20,#2\n\teor\tw13,w13,w10\n\tadd\tw22,w22,w12\t// future e+=X[i]\n\tadd\tw23,w23,w25\t\t// e+=F(b,c,d)\n\tror\tw13,w13,#31\n\torr\tw25,w24,w20\n\tand\tw26,w24,w20\n\teor\tw14,w14,w16\n\tror\tw27,w23,#27\n\tand\tw25,w25,w21\n\tadd\tw21,w21,w28\t\t// future e+=K\n\teor\tw14,w14,w6\n\tadd\tw22,w22,w27\t\t// e+=rot(a,5)\n\torr\tw25,w25,w26\n\tror\tw24,w24,#2\n\teor\tw14,w14,w11\n\tadd\tw21,w21,w13\t// future e+=X[i]\n\tadd\tw22,w22,w25\t\t// e+=F(b,c,d)\n\tror\tw14,w14,#31\n\torr\tw25,w23,w24\n\tand\tw26,w23,w24\n\teor\tw15,w15,w17\n\tror\tw27,w22,#27\n\tand\tw25,w25,w20\n\tadd\tw20,w20,w28\t\t// future e+=K\n\teor\tw15,w15,w7\n\tadd\tw21,w21,w27\t\t// e+=rot(a,5)\n\torr\tw25,w25,w26\n\tror\tw23,w23,#2\n\teor\tw15,w15,w12\n\tadd\tw20,w20,w14\t// future e+=X[i]\n\tadd\tw21,w21,w25\t\t// e+=F(b,c,d)\n\tror\tw15,w15,#31\n\tmovz\tw28,#0xc1d6\n\tmovk\tw28,#0xca62,lsl#16\n\torr\tw25,w22,w23\n\tand\tw26,w22,w23\n\teor\tw16,w16,w19\n\tror\tw27,w21,#27\n\tand\tw25,w25,w24\n\tadd\tw24,w24,w28\t\t// future e+=K\n\teor\tw16,w16,w8\n\tadd\tw20,w20,w27\t\t// e+=rot(a,5)\n\torr\tw25,w25,w26\n\tror\tw22,w22,#2\n\teor\tw16,w16,w13\n\tadd\tw24,w24,w15\t// future e+=X[i]\n\tadd\tw20,w20,w25\t\t// e+=F(b,c,d)\n\tror\tw16,w16,#31\n\teor\tw17,w17,w3\n\teor\tw25,w23,w21\n\tror\tw27,w20,#27\n\tadd\tw23,w23,w28\t\t// future e+=K\n\teor\tw17,w17,w9\n\teor\tw25,w25,w22\n\tadd\tw24,w24,w27\t\t// e+=rot(a,5)\n\tror\tw21,w21,#2\n\teor\tw17,w17,w14\n\tadd\tw23,w23,w16\t// future e+=X[i]\n\tadd\tw24,w24,w25\t\t// e+=F(b,c,d)\n\tror\tw17,w17,#31\n\teor\tw19,w19,w4\n\teor\tw25,w22,w20\n\tror\tw27,w24,#27\n\tadd\tw22,w22,w28\t\t// future e+=K\n\teor\tw19,w19,w10\n\teor\tw25,w25,w21\n\tadd\tw23,w23,w27\t\t// e+=rot(a,5)\n\tror\tw20,w20,#2\n\teor\tw19,w19,w15\n\tadd\tw22,w22,w17\t// future e+=X[i]\n\tadd\tw23,w23,w25\t\t// e+=F(b,c,d)\n\tror\tw19,w19,#31\n\teor\tw3,w3,w5\n\teor\tw25,w21,w24\n\tror\tw27,w23,#27\n\tadd\tw21,w21,w28\t\t// future e+=K\n\teor\tw3,w3,w11\n\teor\tw25,w25,w20\n\tadd\tw22,w22,w27\t\t// e+=rot(a,5)\n\tror\tw24,w24,#2\n\teor\tw3,w3,w16\n\tadd\tw21,w21,w19\t// future e+=X[i]\n\tadd\tw22,w22,w25\t\t// e+=F(b,c,d)\n\tror\tw3,w3,#31\n\teor\tw4,w4,w6\n\teor\tw25,w20,w23\n\tror\tw27,w22,#27\n\tadd\tw20,w20,w28\t\t// future e+=K\n\teor\tw4,w4,w12\n\teor\tw25,w25,w24\n\tadd\tw21,w21,w27\t\t// e+=rot(a,5)\n\tror\tw23,w23,#2\n\teor\tw4,w4,w17\n\tadd\tw20,w20,w3\t// future e+=X[i]\n\tadd\tw21,w21,w25\t\t// e+=F(b,c,d)\n\tror\tw4,w4,#31\n\teor\tw5,w5,w7\n\teor\tw25,w24,w22\n\tror\tw27,w21,#27\n\tadd\tw24,w24,w28\t\t// future e+=K\n\teor\tw5,w5,w13\n\teor\tw25,w25,w23\n\tadd\tw20,w20,w27\t\t// e+=rot(a,5)\n\tror\tw22,w22,#2\n\teor\tw5,w5,w19\n\tadd\tw24,w24,w4\t// future e+=X[i]\n\tadd\tw20,w20,w25\t\t// e+=F(b,c,d)\n\tror\tw5,w5,#31\n\teor\tw6,w6,w8\n\teor\tw25,w23,w21\n\tror\tw27,w20,#27\n\tadd\tw23,w23,w28\t\t// future e+=K\n\teor\tw6,w6,w14\n\teor\tw25,w25,w22\n\tadd\tw24,w24,w27\t\t// e+=rot(a,5)\n\tror\tw21,w21,#2\n\teor\tw6,w6,w3\n\tadd\tw23,w23,w5\t// future e+=X[i]\n\tadd\tw24,w24,w25\t\t// e+=F(b,c,d)\n\tror\tw6,w6,#31\n\teor\tw7,w7,w9\n\teor\tw25,w22,w20\n\tror\tw27,w24,#27\n\tadd\tw22,w22,w28\t\t// future e+=K\n\teor\tw7,w7,w15\n\teor\tw25,w25,w21\n\tadd\tw23,w23,w27\t\t// e+=rot(a,5)\n\tror\tw20,w20,#2\n\teor\tw7,w7,w4\n\tadd\tw22,w22,w6\t// future e+=X[i]\n\tadd\tw23,w23,w25\t\t// e+=F(b,c,d)\n\tror\tw7,w7,#31\n\teor\tw8,w8,w10\n\teor\tw25,w21,w24\n\tror\tw27,w23,#27\n\tadd\tw21,w21,w28\t\t// future e+=K\n\teor\tw8,w8,w16\n\teor\tw25,w25,w20\n\tadd\tw22,w22,w27\t\t// e+=rot(a,5)\n\tror\tw24,w24,#2\n\teor\tw8,w8,w5\n\tadd\tw21,w21,w7\t// future e+=X[i]\n\tadd\tw22,w22,w25\t\t// e+=F(b,c,d)\n\tror\tw8,w8,#31\n\teor\tw9,w9,w11\n\teor\tw25,w20,w23\n\tror\tw27,w22,#27\n\tadd\tw20,w20,w28\t\t// future e+=K\n\teor\tw9,w9,w17\n\teor\tw25,w25,w24\n\tadd\tw21,w21,w27\t\t// e+=rot(a,5)\n\tror\tw23,w23,#2\n\teor\tw9,w9,w6\n\tadd\tw20,w20,w8\t// future e+=X[i]\n\tadd\tw21,w21,w25\t\t// e+=F(b,c,d)\n\tror\tw9,w9,#31\n\teor\tw10,w10,w12\n\teor\tw25,w24,w22\n\tror\tw27,w21,#27\n\tadd\tw24,w24,w28\t\t// future e+=K\n\teor\tw10,w10,w19\n\teor\tw25,w25,w23\n\tadd\tw20,w20,w27\t\t// e+=rot(a,5)\n\tror\tw22,w22,#2\n\teor\tw10,w10,w7\n\tadd\tw24,w24,w9\t// future e+=X[i]\n\tadd\tw20,w20,w25\t\t// e+=F(b,c,d)\n\tror\tw10,w10,#31\n\teor\tw11,w11,w13\n\teor\tw25,w23,w21\n\tror\tw27,w20,#27\n\tadd\tw23,w23,w28\t\t// future e+=K\n\teor\tw11,w11,w3\n\teor\tw25,w25,w22\n\tadd\tw24,w24,w27\t\t// e+=rot(a,5)\n\tror\tw21,w21,#2\n\teor\tw11,w11,w8\n\tadd\tw23,w23,w10\t// future e+=X[i]\n\tadd\tw24,w24,w25\t\t// e+=F(b,c,d)\n\tror\tw11,w11,#31\n\teor\tw12,w12,w14\n\teor\tw25,w22,w20\n\tror\tw27,w24,#27\n\tadd\tw22,w22,w28\t\t// future e+=K\n\teor\tw12,w12,w4\n\teor\tw25,w25,w21\n\tadd\tw23,w23,w27\t\t// e+=rot(a,5)\n\tror\tw20,w20,#2\n\teor\tw12,w12,w9\n\tadd\tw22,w22,w11\t// future e+=X[i]\n\tadd\tw23,w23,w25\t\t// e+=F(b,c,d)\n\tror\tw12,w12,#31\n\teor\tw13,w13,w15\n\teor\tw25,w21,w24\n\tror\tw27,w23,#27\n\tadd\tw21,w21,w28\t\t// future e+=K\n\teor\tw13,w13,w5\n\teor\tw25,w25,w20\n\tadd\tw22,w22,w27\t\t// e+=rot(a,5)\n\tror\tw24,w24,#2\n\teor\tw13,w13,w10\n\tadd\tw21,w21,w12\t// future e+=X[i]\n\tadd\tw22,w22,w25\t\t// e+=F(b,c,d)\n\tror\tw13,w13,#31\n\teor\tw14,w14,w16\n\teor\tw25,w20,w23\n\tror\tw27,w22,#27\n\tadd\tw20,w20,w28\t\t// future e+=K\n\teor\tw14,w14,w6\n\teor\tw25,w25,w24\n\tadd\tw21,w21,w27\t\t// e+=rot(a,5)\n\tror\tw23,w23,#2\n\teor\tw14,w14,w11\n\tadd\tw20,w20,w13\t// future e+=X[i]\n\tadd\tw21,w21,w25\t\t// e+=F(b,c,d)\n\tror\tw14,w14,#31\n\teor\tw15,w15,w17\n\teor\tw25,w24,w22\n\tror\tw27,w21,#27\n\tadd\tw24,w24,w28\t\t// future e+=K\n\teor\tw15,w15,w7\n\teor\tw25,w25,w23\n\tadd\tw20,w20,w27\t\t// e+=rot(a,5)\n\tror\tw22,w22,#2\n\teor\tw15,w15,w12\n\tadd\tw24,w24,w14\t// future e+=X[i]\n\tadd\tw20,w20,w25\t\t// e+=F(b,c,d)\n\tror\tw15,w15,#31\n\teor\tw16,w16,w19\n\teor\tw25,w23,w21\n\tror\tw27,w20,#27\n\tadd\tw23,w23,w28\t\t// future e+=K\n\teor\tw16,w16,w8\n\teor\tw25,w25,w22\n\tadd\tw24,w24,w27\t\t// e+=rot(a,5)\n\tror\tw21,w21,#2\n\teor\tw16,w16,w13\n\tadd\tw23,w23,w15\t// future e+=X[i]\n\tadd\tw24,w24,w25\t\t// e+=F(b,c,d)\n\tror\tw16,w16,#31\n\teor\tw17,w17,w3\n\teor\tw25,w22,w20\n\tror\tw27,w24,#27\n\tadd\tw22,w22,w28\t\t// future e+=K\n\teor\tw17,w17,w9\n\teor\tw25,w25,w21\n\tadd\tw23,w23,w27\t\t// e+=rot(a,5)\n\tror\tw20,w20,#2\n\teor\tw17,w17,w14\n\tadd\tw22,w22,w16\t// future e+=X[i]\n\tadd\tw23,w23,w25\t\t// e+=F(b,c,d)\n\tror\tw17,w17,#31\n\teor\tw19,w19,w4\n\teor\tw25,w21,w24\n\tror\tw27,w23,#27\n\tadd\tw21,w21,w28\t\t// future e+=K\n\teor\tw19,w19,w10\n\teor\tw25,w25,w20\n\tadd\tw22,w22,w27\t\t// e+=rot(a,5)\n\tror\tw24,w24,#2\n\teor\tw19,w19,w15\n\tadd\tw21,w21,w17\t// future e+=X[i]\n\tadd\tw22,w22,w25\t\t// e+=F(b,c,d)\n\tror\tw19,w19,#31\n\tldp\tw4,w5,[x0]\n\teor\tw25,w20,w23\n\tror\tw27,w22,#27\n\tadd\tw20,w20,w28\t\t// future e+=K\n\teor\tw25,w25,w24\n\tadd\tw21,w21,w27\t\t// e+=rot(a,5)\n\tror\tw23,w23,#2\n\tadd\tw20,w20,w19\t// future e+=X[i]\n\tadd\tw21,w21,w25\t\t// e+=F(b,c,d)\n\tldp\tw6,w7,[x0,#8]\n\teor\tw25,w24,w22\n\tror\tw27,w21,#27\n\teor\tw25,w25,w23\n\tadd\tw20,w20,w27\t\t// e+=rot(a,5)\n\tror\tw22,w22,#2\n\tldr\tw8,[x0,#16]\n\tadd\tw20,w20,w25\t\t// e+=F(b,c,d)\n\tadd\tw21,w21,w5\n\tadd\tw22,w22,w6\n\tadd\tw20,w20,w4\n\tadd\tw23,w23,w7\n\tadd\tw24,w24,w8\n\tstp\tw20,w21,[x0]\n\tstp\tw22,w23,[x0,#8]\n\tstr\tw24,[x0,#16]\n\tcbnz\tx2,.Loop\n\n\tldp\tx19,x20,[sp,#16]\n\tldp\tx21,x22,[sp,#32]\n\tldp\tx23,x24,[sp,#48]\n\tldp\tx25,x26,[sp,#64]\n\tldp\tx27,x28,[sp,#80]\n\tldr\tx29,[sp],#96\n\tret\n.size\tsha1_block_data_order_nohw,.-sha1_block_data_order_nohw\n.globl\tsha1_block_data_order_hw\n.hidden\tsha1_block_data_order_hw\n.type\tsha1_block_data_order_hw,%function\n.align\t6\nsha1_block_data_order_hw:\n\t// Armv8.3-A PAuth: even though x30 is pushed to stack it is not popped later.\n\tAARCH64_VALID_CALL_TARGET\n\tstp\tx29,x30,[sp,#-16]!\n\tadd\tx29,sp,#0\n\n\tadrp\tx4,.Lconst\n\tadd\tx4,x4,:lo12:.Lconst\n\teor\tv1.16b,v1.16b,v1.16b\n\tld1\t{v0.4s},[x0],#16\n\tld1\t{v1.s}[0],[x0]\n\tsub\tx0,x0,#16\n\tld1\t{v16.4s,v17.4s,v18.4s,v19.4s},[x4]\n\n.Loop_hw:\n\tld1\t{v4.16b,v5.16b,v6.16b,v7.16b},[x1],#64\n\tsub\tx2,x2,#1\n\trev32\tv4.16b,v4.16b\n\trev32\tv5.16b,v5.16b\n\n\tadd\tv20.4s,v16.4s,v4.4s\n\trev32\tv6.16b,v6.16b\n\torr\tv22.16b,v0.16b,v0.16b\t// offload\n\n\tadd\tv21.4s,v16.4s,v5.4s\n\trev32\tv7.16b,v7.16b\n.inst\t0x5e280803\t//sha1h v3.16b,v0.16b\n.inst\t0x5e140020\t//sha1c v0.16b,v1.16b,v20.4s\t\t// 0\n\tadd\tv20.4s,v16.4s,v6.4s\n.inst\t0x5e0630a4\t//sha1su0 v4.16b,v5.16b,v6.16b\n.inst\t0x5e280802\t//sha1h v2.16b,v0.16b\t\t// 1\n.inst\t0x5e150060\t//sha1c v0.16b,v3.16b,v21.4s\n\tadd\tv21.4s,v16.4s,v7.4s\n.inst\t0x5e2818e4\t//sha1su1 v4.16b,v7.16b\n.inst\t0x5e0730c5\t//sha1su0 v5.16b,v6.16b,v7.16b\n.inst\t0x5e280803\t//sha1h v3.16b,v0.16b\t\t// 2\n.inst\t0x5e140040\t//sha1c v0.16b,v2.16b,v20.4s\n\tadd\tv20.4s,v16.4s,v4.4s\n.inst\t0x5e281885\t//sha1su1 v5.16b,v4.16b\n.inst\t0x5e0430e6\t//sha1su0 v6.16b,v7.16b,v4.16b\n.inst\t0x5e280802\t//sha1h v2.16b,v0.16b\t\t// 3\n.inst\t0x5e150060\t//sha1c v0.16b,v3.16b,v21.4s\n\tadd\tv21.4s,v17.4s,v5.4s\n.inst\t0x5e2818a6\t//sha1su1 v6.16b,v5.16b\n.inst\t0x5e053087\t//sha1su0 v7.16b,v4.16b,v5.16b\n.inst\t0x5e280803\t//sha1h v3.16b,v0.16b\t\t// 4\n.inst\t0x5e140040\t//sha1c v0.16b,v2.16b,v20.4s\n\tadd\tv20.4s,v17.4s,v6.4s\n.inst\t0x5e2818c7\t//sha1su1 v7.16b,v6.16b\n.inst\t0x5e0630a4\t//sha1su0 v4.16b,v5.16b,v6.16b\n.inst\t0x5e280802\t//sha1h v2.16b,v0.16b\t\t// 5\n.inst\t0x5e151060\t//sha1p v0.16b,v3.16b,v21.4s\n\tadd\tv21.4s,v17.4s,v7.4s\n.inst\t0x5e2818e4\t//sha1su1 v4.16b,v7.16b\n.inst\t0x5e0730c5\t//sha1su0 v5.16b,v6.16b,v7.16b\n.inst\t0x5e280803\t//sha1h v3.16b,v0.16b\t\t// 6\n.inst\t0x5e141040\t//sha1p v0.16b,v2.16b,v20.4s\n\tadd\tv20.4s,v17.4s,v4.4s\n.inst\t0x5e281885\t//sha1su1 v5.16b,v4.16b\n.inst\t0x5e0430e6\t//sha1su0 v6.16b,v7.16b,v4.16b\n.inst\t0x5e280802\t//sha1h v2.16b,v0.16b\t\t// 7\n.inst\t0x5e151060\t//sha1p v0.16b,v3.16b,v21.4s\n\tadd\tv21.4s,v17.4s,v5.4s\n.inst\t0x5e2818a6\t//sha1su1 v6.16b,v5.16b\n.inst\t0x5e053087\t//sha1su0 v7.16b,v4.16b,v5.16b\n.inst\t0x5e280803\t//sha1h v3.16b,v0.16b\t\t// 8\n.inst\t0x5e141040\t//sha1p v0.16b,v2.16b,v20.4s\n\tadd\tv20.4s,v18.4s,v6.4s\n.inst\t0x5e2818c7\t//sha1su1 v7.16b,v6.16b\n.inst\t0x5e0630a4\t//sha1su0 v4.16b,v5.16b,v6.16b\n.inst\t0x5e280802\t//sha1h v2.16b,v0.16b\t\t// 9\n.inst\t0x5e151060\t//sha1p v0.16b,v3.16b,v21.4s\n\tadd\tv21.4s,v18.4s,v7.4s\n.inst\t0x5e2818e4\t//sha1su1 v4.16b,v7.16b\n.inst\t0x5e0730c5\t//sha1su0 v5.16b,v6.16b,v7.16b\n.inst\t0x5e280803\t//sha1h v3.16b,v0.16b\t\t// 10\n.inst\t0x5e142040\t//sha1m v0.16b,v2.16b,v20.4s\n\tadd\tv20.4s,v18.4s,v4.4s\n.inst\t0x5e281885\t//sha1su1 v5.16b,v4.16b\n.inst\t0x5e0430e6\t//sha1su0 v6.16b,v7.16b,v4.16b\n.inst\t0x5e280802\t//sha1h v2.16b,v0.16b\t\t// 11\n.inst\t0x5e152060\t//sha1m v0.16b,v3.16b,v21.4s\n\tadd\tv21.4s,v18.4s,v5.4s\n.inst\t0x5e2818a6\t//sha1su1 v6.16b,v5.16b\n.inst\t0x5e053087\t//sha1su0 v7.16b,v4.16b,v5.16b\n.inst\t0x5e280803\t//sha1h v3.16b,v0.16b\t\t// 12\n.inst\t0x5e142040\t//sha1m v0.16b,v2.16b,v20.4s\n\tadd\tv20.4s,v18.4s,v6.4s\n.inst\t0x5e2818c7\t//sha1su1 v7.16b,v6.16b\n.inst\t0x5e0630a4\t//sha1su0 v4.16b,v5.16b,v6.16b\n.inst\t0x5e280802\t//sha1h v2.16b,v0.16b\t\t// 13\n.inst\t0x5e152060\t//sha1m v0.16b,v3.16b,v21.4s\n\tadd\tv21.4s,v19.4s,v7.4s\n.inst\t0x5e2818e4\t//sha1su1 v4.16b,v7.16b\n.inst\t0x5e0730c5\t//sha1su0 v5.16b,v6.16b,v7.16b\n.inst\t0x5e280803\t//sha1h v3.16b,v0.16b\t\t// 14\n.inst\t0x5e142040\t//sha1m v0.16b,v2.16b,v20.4s\n\tadd\tv20.4s,v19.4s,v4.4s\n.inst\t0x5e281885\t//sha1su1 v5.16b,v4.16b\n.inst\t0x5e0430e6\t//sha1su0 v6.16b,v7.16b,v4.16b\n.inst\t0x5e280802\t//sha1h v2.16b,v0.16b\t\t// 15\n.inst\t0x5e151060\t//sha1p v0.16b,v3.16b,v21.4s\n\tadd\tv21.4s,v19.4s,v5.4s\n.inst\t0x5e2818a6\t//sha1su1 v6.16b,v5.16b\n.inst\t0x5e053087\t//sha1su0 v7.16b,v4.16b,v5.16b\n.inst\t0x5e280803\t//sha1h v3.16b,v0.16b\t\t// 16\n.inst\t0x5e141040\t//sha1p v0.16b,v2.16b,v20.4s\n\tadd\tv20.4s,v19.4s,v6.4s\n.inst\t0x5e2818c7\t//sha1su1 v7.16b,v6.16b\n.inst\t0x5e280802\t//sha1h v2.16b,v0.16b\t\t// 17\n.inst\t0x5e151060\t//sha1p v0.16b,v3.16b,v21.4s\n\tadd\tv21.4s,v19.4s,v7.4s\n\n.inst\t0x5e280803\t//sha1h v3.16b,v0.16b\t\t// 18\n.inst\t0x5e141040\t//sha1p v0.16b,v2.16b,v20.4s\n\n.inst\t0x5e280802\t//sha1h v2.16b,v0.16b\t\t// 19\n.inst\t0x5e151060\t//sha1p v0.16b,v3.16b,v21.4s\n\n\tadd\tv1.4s,v1.4s,v2.4s\n\tadd\tv0.4s,v0.4s,v22.4s\n\n\tcbnz\tx2,.Loop_hw\n\n\tst1\t{v0.4s},[x0],#16\n\tst1\t{v1.s}[0],[x0]\n\n\tldr\tx29,[sp],#16\n\tret\n.size\tsha1_block_data_order_hw,.-sha1_block_data_order_hw\n.section\t.rodata\n.align\t6\n.Lconst:\n.long\t0x5a827999,0x5a827999,0x5a827999,0x5a827999\t//K_00_19\n.long\t0x6ed9eba1,0x6ed9eba1,0x6ed9eba1,0x6ed9eba1\t//K_20_39\n.long\t0x8f1bbcdc,0x8f1bbcdc,0x8f1bbcdc,0x8f1bbcdc\t//K_40_59\n.long\t0xca62c1d6,0xca62c1d6,0xca62c1d6,0xca62c1d6\t//K_60_79\n.byte\t83,72,65,49,32,98,108,111,99,107,32,116,114,97,110,115,102,111,114,109,32,102,111,114,32,65,82,77,118,56,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0\n.align\t2\n.align\t2\n#endif // !OPENSSL_NO_ASM && defined(OPENSSL_AARCH64) && defined(__ELF__)\n#if defined(__linux__) && defined(__ELF__)\n.section .note.GNU-stack,\"\",%progbits\n#endif\n\n" }, { "path": "Sources/CNIOBoringSSL/gen/bcm/sha1-armv8-win.S", "content": "#define BORINGSSL_PREFIX CNIOBoringSSL\n// This file is generated from a similarly-named Perl script in the BoringSSL\n// source tree. Do not edit by hand.\n\n#include \n\n#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_AARCH64) && defined(_WIN32)\n#include \n\n.text\n\n.globl\tsha1_block_data_order_nohw\n\n.def sha1_block_data_order_nohw\n .type 32\n.endef\n.align\t6\nsha1_block_data_order_nohw:\n\t// Armv8.3-A PAuth: even though x30 is pushed to stack it is not popped later.\n\tAARCH64_VALID_CALL_TARGET\n\n\tstp\tx29,x30,[sp,#-96]!\n\tadd\tx29,sp,#0\n\tstp\tx19,x20,[sp,#16]\n\tstp\tx21,x22,[sp,#32]\n\tstp\tx23,x24,[sp,#48]\n\tstp\tx25,x26,[sp,#64]\n\tstp\tx27,x28,[sp,#80]\n\n\tldp\tw20,w21,[x0]\n\tldp\tw22,w23,[x0,#8]\n\tldr\tw24,[x0,#16]\n\nLoop:\n\tldr\tx3,[x1],#64\n\tmovz\tw28,#0x7999\n\tsub\tx2,x2,#1\n\tmovk\tw28,#0x5a82,lsl#16\n#ifdef\t__AARCH64EB__\n\tror\tx3,x3,#32\n#else\n\trev32\tx3,x3\n#endif\n\tadd\tw24,w24,w28\t\t// warm it up\n\tadd\tw24,w24,w3\n\tlsr\tx4,x3,#32\n\tldr\tx5,[x1,#-56]\n\tbic\tw25,w23,w21\n\tand\tw26,w22,w21\n\tror\tw27,w20,#27\n\tadd\tw23,w23,w28\t\t// future e+=K\n\torr\tw25,w25,w26\n\tadd\tw24,w24,w27\t\t// e+=rot(a,5)\n\tror\tw21,w21,#2\n\tadd\tw23,w23,w4\t// future e+=X[i]\n\tadd\tw24,w24,w25\t\t// e+=F(b,c,d)\n#ifdef\t__AARCH64EB__\n\tror\tx5,x5,#32\n#else\n\trev32\tx5,x5\n#endif\n\tbic\tw25,w22,w20\n\tand\tw26,w21,w20\n\tror\tw27,w24,#27\n\tadd\tw22,w22,w28\t\t// future e+=K\n\torr\tw25,w25,w26\n\tadd\tw23,w23,w27\t\t// e+=rot(a,5)\n\tror\tw20,w20,#2\n\tadd\tw22,w22,w5\t// future e+=X[i]\n\tadd\tw23,w23,w25\t\t// e+=F(b,c,d)\n\tlsr\tx6,x5,#32\n\tldr\tx7,[x1,#-48]\n\tbic\tw25,w21,w24\n\tand\tw26,w20,w24\n\tror\tw27,w23,#27\n\tadd\tw21,w21,w28\t\t// future e+=K\n\torr\tw25,w25,w26\n\tadd\tw22,w22,w27\t\t// e+=rot(a,5)\n\tror\tw24,w24,#2\n\tadd\tw21,w21,w6\t// future e+=X[i]\n\tadd\tw22,w22,w25\t\t// e+=F(b,c,d)\n#ifdef\t__AARCH64EB__\n\tror\tx7,x7,#32\n#else\n\trev32\tx7,x7\n#endif\n\tbic\tw25,w20,w23\n\tand\tw26,w24,w23\n\tror\tw27,w22,#27\n\tadd\tw20,w20,w28\t\t// future e+=K\n\torr\tw25,w25,w26\n\tadd\tw21,w21,w27\t\t// e+=rot(a,5)\n\tror\tw23,w23,#2\n\tadd\tw20,w20,w7\t// future e+=X[i]\n\tadd\tw21,w21,w25\t\t// e+=F(b,c,d)\n\tlsr\tx8,x7,#32\n\tldr\tx9,[x1,#-40]\n\tbic\tw25,w24,w22\n\tand\tw26,w23,w22\n\tror\tw27,w21,#27\n\tadd\tw24,w24,w28\t\t// future e+=K\n\torr\tw25,w25,w26\n\tadd\tw20,w20,w27\t\t// e+=rot(a,5)\n\tror\tw22,w22,#2\n\tadd\tw24,w24,w8\t// future e+=X[i]\n\tadd\tw20,w20,w25\t\t// e+=F(b,c,d)\n#ifdef\t__AARCH64EB__\n\tror\tx9,x9,#32\n#else\n\trev32\tx9,x9\n#endif\n\tbic\tw25,w23,w21\n\tand\tw26,w22,w21\n\tror\tw27,w20,#27\n\tadd\tw23,w23,w28\t\t// future e+=K\n\torr\tw25,w25,w26\n\tadd\tw24,w24,w27\t\t// e+=rot(a,5)\n\tror\tw21,w21,#2\n\tadd\tw23,w23,w9\t// future e+=X[i]\n\tadd\tw24,w24,w25\t\t// e+=F(b,c,d)\n\tlsr\tx10,x9,#32\n\tldr\tx11,[x1,#-32]\n\tbic\tw25,w22,w20\n\tand\tw26,w21,w20\n\tror\tw27,w24,#27\n\tadd\tw22,w22,w28\t\t// future e+=K\n\torr\tw25,w25,w26\n\tadd\tw23,w23,w27\t\t// e+=rot(a,5)\n\tror\tw20,w20,#2\n\tadd\tw22,w22,w10\t// future e+=X[i]\n\tadd\tw23,w23,w25\t\t// e+=F(b,c,d)\n#ifdef\t__AARCH64EB__\n\tror\tx11,x11,#32\n#else\n\trev32\tx11,x11\n#endif\n\tbic\tw25,w21,w24\n\tand\tw26,w20,w24\n\tror\tw27,w23,#27\n\tadd\tw21,w21,w28\t\t// future e+=K\n\torr\tw25,w25,w26\n\tadd\tw22,w22,w27\t\t// e+=rot(a,5)\n\tror\tw24,w24,#2\n\tadd\tw21,w21,w11\t// future e+=X[i]\n\tadd\tw22,w22,w25\t\t// e+=F(b,c,d)\n\tlsr\tx12,x11,#32\n\tldr\tx13,[x1,#-24]\n\tbic\tw25,w20,w23\n\tand\tw26,w24,w23\n\tror\tw27,w22,#27\n\tadd\tw20,w20,w28\t\t// future e+=K\n\torr\tw25,w25,w26\n\tadd\tw21,w21,w27\t\t// e+=rot(a,5)\n\tror\tw23,w23,#2\n\tadd\tw20,w20,w12\t// future e+=X[i]\n\tadd\tw21,w21,w25\t\t// e+=F(b,c,d)\n#ifdef\t__AARCH64EB__\n\tror\tx13,x13,#32\n#else\n\trev32\tx13,x13\n#endif\n\tbic\tw25,w24,w22\n\tand\tw26,w23,w22\n\tror\tw27,w21,#27\n\tadd\tw24,w24,w28\t\t// future e+=K\n\torr\tw25,w25,w26\n\tadd\tw20,w20,w27\t\t// e+=rot(a,5)\n\tror\tw22,w22,#2\n\tadd\tw24,w24,w13\t// future e+=X[i]\n\tadd\tw20,w20,w25\t\t// e+=F(b,c,d)\n\tlsr\tx14,x13,#32\n\tldr\tx15,[x1,#-16]\n\tbic\tw25,w23,w21\n\tand\tw26,w22,w21\n\tror\tw27,w20,#27\n\tadd\tw23,w23,w28\t\t// future e+=K\n\torr\tw25,w25,w26\n\tadd\tw24,w24,w27\t\t// e+=rot(a,5)\n\tror\tw21,w21,#2\n\tadd\tw23,w23,w14\t// future e+=X[i]\n\tadd\tw24,w24,w25\t\t// e+=F(b,c,d)\n#ifdef\t__AARCH64EB__\n\tror\tx15,x15,#32\n#else\n\trev32\tx15,x15\n#endif\n\tbic\tw25,w22,w20\n\tand\tw26,w21,w20\n\tror\tw27,w24,#27\n\tadd\tw22,w22,w28\t\t// future e+=K\n\torr\tw25,w25,w26\n\tadd\tw23,w23,w27\t\t// e+=rot(a,5)\n\tror\tw20,w20,#2\n\tadd\tw22,w22,w15\t// future e+=X[i]\n\tadd\tw23,w23,w25\t\t// e+=F(b,c,d)\n\tlsr\tx16,x15,#32\n\tldr\tx17,[x1,#-8]\n\tbic\tw25,w21,w24\n\tand\tw26,w20,w24\n\tror\tw27,w23,#27\n\tadd\tw21,w21,w28\t\t// future e+=K\n\torr\tw25,w25,w26\n\tadd\tw22,w22,w27\t\t// e+=rot(a,5)\n\tror\tw24,w24,#2\n\tadd\tw21,w21,w16\t// future e+=X[i]\n\tadd\tw22,w22,w25\t\t// e+=F(b,c,d)\n#ifdef\t__AARCH64EB__\n\tror\tx17,x17,#32\n#else\n\trev32\tx17,x17\n#endif\n\tbic\tw25,w20,w23\n\tand\tw26,w24,w23\n\tror\tw27,w22,#27\n\tadd\tw20,w20,w28\t\t// future e+=K\n\torr\tw25,w25,w26\n\tadd\tw21,w21,w27\t\t// e+=rot(a,5)\n\tror\tw23,w23,#2\n\tadd\tw20,w20,w17\t// future e+=X[i]\n\tadd\tw21,w21,w25\t\t// e+=F(b,c,d)\n\tlsr\tx19,x17,#32\n\teor\tw3,w3,w5\n\tbic\tw25,w24,w22\n\tand\tw26,w23,w22\n\tror\tw27,w21,#27\n\teor\tw3,w3,w11\n\tadd\tw24,w24,w28\t\t// future e+=K\n\torr\tw25,w25,w26\n\tadd\tw20,w20,w27\t\t// e+=rot(a,5)\n\teor\tw3,w3,w16\n\tror\tw22,w22,#2\n\tadd\tw24,w24,w19\t// future e+=X[i]\n\tadd\tw20,w20,w25\t\t// e+=F(b,c,d)\n\tror\tw3,w3,#31\n\teor\tw4,w4,w6\n\tbic\tw25,w23,w21\n\tand\tw26,w22,w21\n\tror\tw27,w20,#27\n\teor\tw4,w4,w12\n\tadd\tw23,w23,w28\t\t// future e+=K\n\torr\tw25,w25,w26\n\tadd\tw24,w24,w27\t\t// e+=rot(a,5)\n\teor\tw4,w4,w17\n\tror\tw21,w21,#2\n\tadd\tw23,w23,w3\t// future e+=X[i]\n\tadd\tw24,w24,w25\t\t// e+=F(b,c,d)\n\tror\tw4,w4,#31\n\teor\tw5,w5,w7\n\tbic\tw25,w22,w20\n\tand\tw26,w21,w20\n\tror\tw27,w24,#27\n\teor\tw5,w5,w13\n\tadd\tw22,w22,w28\t\t// future e+=K\n\torr\tw25,w25,w26\n\tadd\tw23,w23,w27\t\t// e+=rot(a,5)\n\teor\tw5,w5,w19\n\tror\tw20,w20,#2\n\tadd\tw22,w22,w4\t// future e+=X[i]\n\tadd\tw23,w23,w25\t\t// e+=F(b,c,d)\n\tror\tw5,w5,#31\n\teor\tw6,w6,w8\n\tbic\tw25,w21,w24\n\tand\tw26,w20,w24\n\tror\tw27,w23,#27\n\teor\tw6,w6,w14\n\tadd\tw21,w21,w28\t\t// future e+=K\n\torr\tw25,w25,w26\n\tadd\tw22,w22,w27\t\t// e+=rot(a,5)\n\teor\tw6,w6,w3\n\tror\tw24,w24,#2\n\tadd\tw21,w21,w5\t// future e+=X[i]\n\tadd\tw22,w22,w25\t\t// e+=F(b,c,d)\n\tror\tw6,w6,#31\n\teor\tw7,w7,w9\n\tbic\tw25,w20,w23\n\tand\tw26,w24,w23\n\tror\tw27,w22,#27\n\teor\tw7,w7,w15\n\tadd\tw20,w20,w28\t\t// future e+=K\n\torr\tw25,w25,w26\n\tadd\tw21,w21,w27\t\t// e+=rot(a,5)\n\teor\tw7,w7,w4\n\tror\tw23,w23,#2\n\tadd\tw20,w20,w6\t// future e+=X[i]\n\tadd\tw21,w21,w25\t\t// e+=F(b,c,d)\n\tror\tw7,w7,#31\n\tmovz\tw28,#0xeba1\n\tmovk\tw28,#0x6ed9,lsl#16\n\teor\tw8,w8,w10\n\tbic\tw25,w24,w22\n\tand\tw26,w23,w22\n\tror\tw27,w21,#27\n\teor\tw8,w8,w16\n\tadd\tw24,w24,w28\t\t// future e+=K\n\torr\tw25,w25,w26\n\tadd\tw20,w20,w27\t\t// e+=rot(a,5)\n\teor\tw8,w8,w5\n\tror\tw22,w22,#2\n\tadd\tw24,w24,w7\t// future e+=X[i]\n\tadd\tw20,w20,w25\t\t// e+=F(b,c,d)\n\tror\tw8,w8,#31\n\teor\tw9,w9,w11\n\teor\tw25,w23,w21\n\tror\tw27,w20,#27\n\tadd\tw23,w23,w28\t\t// future e+=K\n\teor\tw9,w9,w17\n\teor\tw25,w25,w22\n\tadd\tw24,w24,w27\t\t// e+=rot(a,5)\n\tror\tw21,w21,#2\n\teor\tw9,w9,w6\n\tadd\tw23,w23,w8\t// future e+=X[i]\n\tadd\tw24,w24,w25\t\t// e+=F(b,c,d)\n\tror\tw9,w9,#31\n\teor\tw10,w10,w12\n\teor\tw25,w22,w20\n\tror\tw27,w24,#27\n\tadd\tw22,w22,w28\t\t// future e+=K\n\teor\tw10,w10,w19\n\teor\tw25,w25,w21\n\tadd\tw23,w23,w27\t\t// e+=rot(a,5)\n\tror\tw20,w20,#2\n\teor\tw10,w10,w7\n\tadd\tw22,w22,w9\t// future e+=X[i]\n\tadd\tw23,w23,w25\t\t// e+=F(b,c,d)\n\tror\tw10,w10,#31\n\teor\tw11,w11,w13\n\teor\tw25,w21,w24\n\tror\tw27,w23,#27\n\tadd\tw21,w21,w28\t\t// future e+=K\n\teor\tw11,w11,w3\n\teor\tw25,w25,w20\n\tadd\tw22,w22,w27\t\t// e+=rot(a,5)\n\tror\tw24,w24,#2\n\teor\tw11,w11,w8\n\tadd\tw21,w21,w10\t// future e+=X[i]\n\tadd\tw22,w22,w25\t\t// e+=F(b,c,d)\n\tror\tw11,w11,#31\n\teor\tw12,w12,w14\n\teor\tw25,w20,w23\n\tror\tw27,w22,#27\n\tadd\tw20,w20,w28\t\t// future e+=K\n\teor\tw12,w12,w4\n\teor\tw25,w25,w24\n\tadd\tw21,w21,w27\t\t// e+=rot(a,5)\n\tror\tw23,w23,#2\n\teor\tw12,w12,w9\n\tadd\tw20,w20,w11\t// future e+=X[i]\n\tadd\tw21,w21,w25\t\t// e+=F(b,c,d)\n\tror\tw12,w12,#31\n\teor\tw13,w13,w15\n\teor\tw25,w24,w22\n\tror\tw27,w21,#27\n\tadd\tw24,w24,w28\t\t// future e+=K\n\teor\tw13,w13,w5\n\teor\tw25,w25,w23\n\tadd\tw20,w20,w27\t\t// e+=rot(a,5)\n\tror\tw22,w22,#2\n\teor\tw13,w13,w10\n\tadd\tw24,w24,w12\t// future e+=X[i]\n\tadd\tw20,w20,w25\t\t// e+=F(b,c,d)\n\tror\tw13,w13,#31\n\teor\tw14,w14,w16\n\teor\tw25,w23,w21\n\tror\tw27,w20,#27\n\tadd\tw23,w23,w28\t\t// future e+=K\n\teor\tw14,w14,w6\n\teor\tw25,w25,w22\n\tadd\tw24,w24,w27\t\t// e+=rot(a,5)\n\tror\tw21,w21,#2\n\teor\tw14,w14,w11\n\tadd\tw23,w23,w13\t// future e+=X[i]\n\tadd\tw24,w24,w25\t\t// e+=F(b,c,d)\n\tror\tw14,w14,#31\n\teor\tw15,w15,w17\n\teor\tw25,w22,w20\n\tror\tw27,w24,#27\n\tadd\tw22,w22,w28\t\t// future e+=K\n\teor\tw15,w15,w7\n\teor\tw25,w25,w21\n\tadd\tw23,w23,w27\t\t// e+=rot(a,5)\n\tror\tw20,w20,#2\n\teor\tw15,w15,w12\n\tadd\tw22,w22,w14\t// future e+=X[i]\n\tadd\tw23,w23,w25\t\t// e+=F(b,c,d)\n\tror\tw15,w15,#31\n\teor\tw16,w16,w19\n\teor\tw25,w21,w24\n\tror\tw27,w23,#27\n\tadd\tw21,w21,w28\t\t// future e+=K\n\teor\tw16,w16,w8\n\teor\tw25,w25,w20\n\tadd\tw22,w22,w27\t\t// e+=rot(a,5)\n\tror\tw24,w24,#2\n\teor\tw16,w16,w13\n\tadd\tw21,w21,w15\t// future e+=X[i]\n\tadd\tw22,w22,w25\t\t// e+=F(b,c,d)\n\tror\tw16,w16,#31\n\teor\tw17,w17,w3\n\teor\tw25,w20,w23\n\tror\tw27,w22,#27\n\tadd\tw20,w20,w28\t\t// future e+=K\n\teor\tw17,w17,w9\n\teor\tw25,w25,w24\n\tadd\tw21,w21,w27\t\t// e+=rot(a,5)\n\tror\tw23,w23,#2\n\teor\tw17,w17,w14\n\tadd\tw20,w20,w16\t// future e+=X[i]\n\tadd\tw21,w21,w25\t\t// e+=F(b,c,d)\n\tror\tw17,w17,#31\n\teor\tw19,w19,w4\n\teor\tw25,w24,w22\n\tror\tw27,w21,#27\n\tadd\tw24,w24,w28\t\t// future e+=K\n\teor\tw19,w19,w10\n\teor\tw25,w25,w23\n\tadd\tw20,w20,w27\t\t// e+=rot(a,5)\n\tror\tw22,w22,#2\n\teor\tw19,w19,w15\n\tadd\tw24,w24,w17\t// future e+=X[i]\n\tadd\tw20,w20,w25\t\t// e+=F(b,c,d)\n\tror\tw19,w19,#31\n\teor\tw3,w3,w5\n\teor\tw25,w23,w21\n\tror\tw27,w20,#27\n\tadd\tw23,w23,w28\t\t// future e+=K\n\teor\tw3,w3,w11\n\teor\tw25,w25,w22\n\tadd\tw24,w24,w27\t\t// e+=rot(a,5)\n\tror\tw21,w21,#2\n\teor\tw3,w3,w16\n\tadd\tw23,w23,w19\t// future e+=X[i]\n\tadd\tw24,w24,w25\t\t// e+=F(b,c,d)\n\tror\tw3,w3,#31\n\teor\tw4,w4,w6\n\teor\tw25,w22,w20\n\tror\tw27,w24,#27\n\tadd\tw22,w22,w28\t\t// future e+=K\n\teor\tw4,w4,w12\n\teor\tw25,w25,w21\n\tadd\tw23,w23,w27\t\t// e+=rot(a,5)\n\tror\tw20,w20,#2\n\teor\tw4,w4,w17\n\tadd\tw22,w22,w3\t// future e+=X[i]\n\tadd\tw23,w23,w25\t\t// e+=F(b,c,d)\n\tror\tw4,w4,#31\n\teor\tw5,w5,w7\n\teor\tw25,w21,w24\n\tror\tw27,w23,#27\n\tadd\tw21,w21,w28\t\t// future e+=K\n\teor\tw5,w5,w13\n\teor\tw25,w25,w20\n\tadd\tw22,w22,w27\t\t// e+=rot(a,5)\n\tror\tw24,w24,#2\n\teor\tw5,w5,w19\n\tadd\tw21,w21,w4\t// future e+=X[i]\n\tadd\tw22,w22,w25\t\t// e+=F(b,c,d)\n\tror\tw5,w5,#31\n\teor\tw6,w6,w8\n\teor\tw25,w20,w23\n\tror\tw27,w22,#27\n\tadd\tw20,w20,w28\t\t// future e+=K\n\teor\tw6,w6,w14\n\teor\tw25,w25,w24\n\tadd\tw21,w21,w27\t\t// e+=rot(a,5)\n\tror\tw23,w23,#2\n\teor\tw6,w6,w3\n\tadd\tw20,w20,w5\t// future e+=X[i]\n\tadd\tw21,w21,w25\t\t// e+=F(b,c,d)\n\tror\tw6,w6,#31\n\teor\tw7,w7,w9\n\teor\tw25,w24,w22\n\tror\tw27,w21,#27\n\tadd\tw24,w24,w28\t\t// future e+=K\n\teor\tw7,w7,w15\n\teor\tw25,w25,w23\n\tadd\tw20,w20,w27\t\t// e+=rot(a,5)\n\tror\tw22,w22,#2\n\teor\tw7,w7,w4\n\tadd\tw24,w24,w6\t// future e+=X[i]\n\tadd\tw20,w20,w25\t\t// e+=F(b,c,d)\n\tror\tw7,w7,#31\n\teor\tw8,w8,w10\n\teor\tw25,w23,w21\n\tror\tw27,w20,#27\n\tadd\tw23,w23,w28\t\t// future e+=K\n\teor\tw8,w8,w16\n\teor\tw25,w25,w22\n\tadd\tw24,w24,w27\t\t// e+=rot(a,5)\n\tror\tw21,w21,#2\n\teor\tw8,w8,w5\n\tadd\tw23,w23,w7\t// future e+=X[i]\n\tadd\tw24,w24,w25\t\t// e+=F(b,c,d)\n\tror\tw8,w8,#31\n\teor\tw9,w9,w11\n\teor\tw25,w22,w20\n\tror\tw27,w24,#27\n\tadd\tw22,w22,w28\t\t// future e+=K\n\teor\tw9,w9,w17\n\teor\tw25,w25,w21\n\tadd\tw23,w23,w27\t\t// e+=rot(a,5)\n\tror\tw20,w20,#2\n\teor\tw9,w9,w6\n\tadd\tw22,w22,w8\t// future e+=X[i]\n\tadd\tw23,w23,w25\t\t// e+=F(b,c,d)\n\tror\tw9,w9,#31\n\teor\tw10,w10,w12\n\teor\tw25,w21,w24\n\tror\tw27,w23,#27\n\tadd\tw21,w21,w28\t\t// future e+=K\n\teor\tw10,w10,w19\n\teor\tw25,w25,w20\n\tadd\tw22,w22,w27\t\t// e+=rot(a,5)\n\tror\tw24,w24,#2\n\teor\tw10,w10,w7\n\tadd\tw21,w21,w9\t// future e+=X[i]\n\tadd\tw22,w22,w25\t\t// e+=F(b,c,d)\n\tror\tw10,w10,#31\n\teor\tw11,w11,w13\n\teor\tw25,w20,w23\n\tror\tw27,w22,#27\n\tadd\tw20,w20,w28\t\t// future e+=K\n\teor\tw11,w11,w3\n\teor\tw25,w25,w24\n\tadd\tw21,w21,w27\t\t// e+=rot(a,5)\n\tror\tw23,w23,#2\n\teor\tw11,w11,w8\n\tadd\tw20,w20,w10\t// future e+=X[i]\n\tadd\tw21,w21,w25\t\t// e+=F(b,c,d)\n\tror\tw11,w11,#31\n\tmovz\tw28,#0xbcdc\n\tmovk\tw28,#0x8f1b,lsl#16\n\teor\tw12,w12,w14\n\teor\tw25,w24,w22\n\tror\tw27,w21,#27\n\tadd\tw24,w24,w28\t\t// future e+=K\n\teor\tw12,w12,w4\n\teor\tw25,w25,w23\n\tadd\tw20,w20,w27\t\t// e+=rot(a,5)\n\tror\tw22,w22,#2\n\teor\tw12,w12,w9\n\tadd\tw24,w24,w11\t// future e+=X[i]\n\tadd\tw20,w20,w25\t\t// e+=F(b,c,d)\n\tror\tw12,w12,#31\n\torr\tw25,w21,w22\n\tand\tw26,w21,w22\n\teor\tw13,w13,w15\n\tror\tw27,w20,#27\n\tand\tw25,w25,w23\n\tadd\tw23,w23,w28\t\t// future e+=K\n\teor\tw13,w13,w5\n\tadd\tw24,w24,w27\t\t// e+=rot(a,5)\n\torr\tw25,w25,w26\n\tror\tw21,w21,#2\n\teor\tw13,w13,w10\n\tadd\tw23,w23,w12\t// future e+=X[i]\n\tadd\tw24,w24,w25\t\t// e+=F(b,c,d)\n\tror\tw13,w13,#31\n\torr\tw25,w20,w21\n\tand\tw26,w20,w21\n\teor\tw14,w14,w16\n\tror\tw27,w24,#27\n\tand\tw25,w25,w22\n\tadd\tw22,w22,w28\t\t// future e+=K\n\teor\tw14,w14,w6\n\tadd\tw23,w23,w27\t\t// e+=rot(a,5)\n\torr\tw25,w25,w26\n\tror\tw20,w20,#2\n\teor\tw14,w14,w11\n\tadd\tw22,w22,w13\t// future e+=X[i]\n\tadd\tw23,w23,w25\t\t// e+=F(b,c,d)\n\tror\tw14,w14,#31\n\torr\tw25,w24,w20\n\tand\tw26,w24,w20\n\teor\tw15,w15,w17\n\tror\tw27,w23,#27\n\tand\tw25,w25,w21\n\tadd\tw21,w21,w28\t\t// future e+=K\n\teor\tw15,w15,w7\n\tadd\tw22,w22,w27\t\t// e+=rot(a,5)\n\torr\tw25,w25,w26\n\tror\tw24,w24,#2\n\teor\tw15,w15,w12\n\tadd\tw21,w21,w14\t// future e+=X[i]\n\tadd\tw22,w22,w25\t\t// e+=F(b,c,d)\n\tror\tw15,w15,#31\n\torr\tw25,w23,w24\n\tand\tw26,w23,w24\n\teor\tw16,w16,w19\n\tror\tw27,w22,#27\n\tand\tw25,w25,w20\n\tadd\tw20,w20,w28\t\t// future e+=K\n\teor\tw16,w16,w8\n\tadd\tw21,w21,w27\t\t// e+=rot(a,5)\n\torr\tw25,w25,w26\n\tror\tw23,w23,#2\n\teor\tw16,w16,w13\n\tadd\tw20,w20,w15\t// future e+=X[i]\n\tadd\tw21,w21,w25\t\t// e+=F(b,c,d)\n\tror\tw16,w16,#31\n\torr\tw25,w22,w23\n\tand\tw26,w22,w23\n\teor\tw17,w17,w3\n\tror\tw27,w21,#27\n\tand\tw25,w25,w24\n\tadd\tw24,w24,w28\t\t// future e+=K\n\teor\tw17,w17,w9\n\tadd\tw20,w20,w27\t\t// e+=rot(a,5)\n\torr\tw25,w25,w26\n\tror\tw22,w22,#2\n\teor\tw17,w17,w14\n\tadd\tw24,w24,w16\t// future e+=X[i]\n\tadd\tw20,w20,w25\t\t// e+=F(b,c,d)\n\tror\tw17,w17,#31\n\torr\tw25,w21,w22\n\tand\tw26,w21,w22\n\teor\tw19,w19,w4\n\tror\tw27,w20,#27\n\tand\tw25,w25,w23\n\tadd\tw23,w23,w28\t\t// future e+=K\n\teor\tw19,w19,w10\n\tadd\tw24,w24,w27\t\t// e+=rot(a,5)\n\torr\tw25,w25,w26\n\tror\tw21,w21,#2\n\teor\tw19,w19,w15\n\tadd\tw23,w23,w17\t// future e+=X[i]\n\tadd\tw24,w24,w25\t\t// e+=F(b,c,d)\n\tror\tw19,w19,#31\n\torr\tw25,w20,w21\n\tand\tw26,w20,w21\n\teor\tw3,w3,w5\n\tror\tw27,w24,#27\n\tand\tw25,w25,w22\n\tadd\tw22,w22,w28\t\t// future e+=K\n\teor\tw3,w3,w11\n\tadd\tw23,w23,w27\t\t// e+=rot(a,5)\n\torr\tw25,w25,w26\n\tror\tw20,w20,#2\n\teor\tw3,w3,w16\n\tadd\tw22,w22,w19\t// future e+=X[i]\n\tadd\tw23,w23,w25\t\t// e+=F(b,c,d)\n\tror\tw3,w3,#31\n\torr\tw25,w24,w20\n\tand\tw26,w24,w20\n\teor\tw4,w4,w6\n\tror\tw27,w23,#27\n\tand\tw25,w25,w21\n\tadd\tw21,w21,w28\t\t// future e+=K\n\teor\tw4,w4,w12\n\tadd\tw22,w22,w27\t\t// e+=rot(a,5)\n\torr\tw25,w25,w26\n\tror\tw24,w24,#2\n\teor\tw4,w4,w17\n\tadd\tw21,w21,w3\t// future e+=X[i]\n\tadd\tw22,w22,w25\t\t// e+=F(b,c,d)\n\tror\tw4,w4,#31\n\torr\tw25,w23,w24\n\tand\tw26,w23,w24\n\teor\tw5,w5,w7\n\tror\tw27,w22,#27\n\tand\tw25,w25,w20\n\tadd\tw20,w20,w28\t\t// future e+=K\n\teor\tw5,w5,w13\n\tadd\tw21,w21,w27\t\t// e+=rot(a,5)\n\torr\tw25,w25,w26\n\tror\tw23,w23,#2\n\teor\tw5,w5,w19\n\tadd\tw20,w20,w4\t// future e+=X[i]\n\tadd\tw21,w21,w25\t\t// e+=F(b,c,d)\n\tror\tw5,w5,#31\n\torr\tw25,w22,w23\n\tand\tw26,w22,w23\n\teor\tw6,w6,w8\n\tror\tw27,w21,#27\n\tand\tw25,w25,w24\n\tadd\tw24,w24,w28\t\t// future e+=K\n\teor\tw6,w6,w14\n\tadd\tw20,w20,w27\t\t// e+=rot(a,5)\n\torr\tw25,w25,w26\n\tror\tw22,w22,#2\n\teor\tw6,w6,w3\n\tadd\tw24,w24,w5\t// future e+=X[i]\n\tadd\tw20,w20,w25\t\t// e+=F(b,c,d)\n\tror\tw6,w6,#31\n\torr\tw25,w21,w22\n\tand\tw26,w21,w22\n\teor\tw7,w7,w9\n\tror\tw27,w20,#27\n\tand\tw25,w25,w23\n\tadd\tw23,w23,w28\t\t// future e+=K\n\teor\tw7,w7,w15\n\tadd\tw24,w24,w27\t\t// e+=rot(a,5)\n\torr\tw25,w25,w26\n\tror\tw21,w21,#2\n\teor\tw7,w7,w4\n\tadd\tw23,w23,w6\t// future e+=X[i]\n\tadd\tw24,w24,w25\t\t// e+=F(b,c,d)\n\tror\tw7,w7,#31\n\torr\tw25,w20,w21\n\tand\tw26,w20,w21\n\teor\tw8,w8,w10\n\tror\tw27,w24,#27\n\tand\tw25,w25,w22\n\tadd\tw22,w22,w28\t\t// future e+=K\n\teor\tw8,w8,w16\n\tadd\tw23,w23,w27\t\t// e+=rot(a,5)\n\torr\tw25,w25,w26\n\tror\tw20,w20,#2\n\teor\tw8,w8,w5\n\tadd\tw22,w22,w7\t// future e+=X[i]\n\tadd\tw23,w23,w25\t\t// e+=F(b,c,d)\n\tror\tw8,w8,#31\n\torr\tw25,w24,w20\n\tand\tw26,w24,w20\n\teor\tw9,w9,w11\n\tror\tw27,w23,#27\n\tand\tw25,w25,w21\n\tadd\tw21,w21,w28\t\t// future e+=K\n\teor\tw9,w9,w17\n\tadd\tw22,w22,w27\t\t// e+=rot(a,5)\n\torr\tw25,w25,w26\n\tror\tw24,w24,#2\n\teor\tw9,w9,w6\n\tadd\tw21,w21,w8\t// future e+=X[i]\n\tadd\tw22,w22,w25\t\t// e+=F(b,c,d)\n\tror\tw9,w9,#31\n\torr\tw25,w23,w24\n\tand\tw26,w23,w24\n\teor\tw10,w10,w12\n\tror\tw27,w22,#27\n\tand\tw25,w25,w20\n\tadd\tw20,w20,w28\t\t// future e+=K\n\teor\tw10,w10,w19\n\tadd\tw21,w21,w27\t\t// e+=rot(a,5)\n\torr\tw25,w25,w26\n\tror\tw23,w23,#2\n\teor\tw10,w10,w7\n\tadd\tw20,w20,w9\t// future e+=X[i]\n\tadd\tw21,w21,w25\t\t// e+=F(b,c,d)\n\tror\tw10,w10,#31\n\torr\tw25,w22,w23\n\tand\tw26,w22,w23\n\teor\tw11,w11,w13\n\tror\tw27,w21,#27\n\tand\tw25,w25,w24\n\tadd\tw24,w24,w28\t\t// future e+=K\n\teor\tw11,w11,w3\n\tadd\tw20,w20,w27\t\t// e+=rot(a,5)\n\torr\tw25,w25,w26\n\tror\tw22,w22,#2\n\teor\tw11,w11,w8\n\tadd\tw24,w24,w10\t// future e+=X[i]\n\tadd\tw20,w20,w25\t\t// e+=F(b,c,d)\n\tror\tw11,w11,#31\n\torr\tw25,w21,w22\n\tand\tw26,w21,w22\n\teor\tw12,w12,w14\n\tror\tw27,w20,#27\n\tand\tw25,w25,w23\n\tadd\tw23,w23,w28\t\t// future e+=K\n\teor\tw12,w12,w4\n\tadd\tw24,w24,w27\t\t// e+=rot(a,5)\n\torr\tw25,w25,w26\n\tror\tw21,w21,#2\n\teor\tw12,w12,w9\n\tadd\tw23,w23,w11\t// future e+=X[i]\n\tadd\tw24,w24,w25\t\t// e+=F(b,c,d)\n\tror\tw12,w12,#31\n\torr\tw25,w20,w21\n\tand\tw26,w20,w21\n\teor\tw13,w13,w15\n\tror\tw27,w24,#27\n\tand\tw25,w25,w22\n\tadd\tw22,w22,w28\t\t// future e+=K\n\teor\tw13,w13,w5\n\tadd\tw23,w23,w27\t\t// e+=rot(a,5)\n\torr\tw25,w25,w26\n\tror\tw20,w20,#2\n\teor\tw13,w13,w10\n\tadd\tw22,w22,w12\t// future e+=X[i]\n\tadd\tw23,w23,w25\t\t// e+=F(b,c,d)\n\tror\tw13,w13,#31\n\torr\tw25,w24,w20\n\tand\tw26,w24,w20\n\teor\tw14,w14,w16\n\tror\tw27,w23,#27\n\tand\tw25,w25,w21\n\tadd\tw21,w21,w28\t\t// future e+=K\n\teor\tw14,w14,w6\n\tadd\tw22,w22,w27\t\t// e+=rot(a,5)\n\torr\tw25,w25,w26\n\tror\tw24,w24,#2\n\teor\tw14,w14,w11\n\tadd\tw21,w21,w13\t// future e+=X[i]\n\tadd\tw22,w22,w25\t\t// e+=F(b,c,d)\n\tror\tw14,w14,#31\n\torr\tw25,w23,w24\n\tand\tw26,w23,w24\n\teor\tw15,w15,w17\n\tror\tw27,w22,#27\n\tand\tw25,w25,w20\n\tadd\tw20,w20,w28\t\t// future e+=K\n\teor\tw15,w15,w7\n\tadd\tw21,w21,w27\t\t// e+=rot(a,5)\n\torr\tw25,w25,w26\n\tror\tw23,w23,#2\n\teor\tw15,w15,w12\n\tadd\tw20,w20,w14\t// future e+=X[i]\n\tadd\tw21,w21,w25\t\t// e+=F(b,c,d)\n\tror\tw15,w15,#31\n\tmovz\tw28,#0xc1d6\n\tmovk\tw28,#0xca62,lsl#16\n\torr\tw25,w22,w23\n\tand\tw26,w22,w23\n\teor\tw16,w16,w19\n\tror\tw27,w21,#27\n\tand\tw25,w25,w24\n\tadd\tw24,w24,w28\t\t// future e+=K\n\teor\tw16,w16,w8\n\tadd\tw20,w20,w27\t\t// e+=rot(a,5)\n\torr\tw25,w25,w26\n\tror\tw22,w22,#2\n\teor\tw16,w16,w13\n\tadd\tw24,w24,w15\t// future e+=X[i]\n\tadd\tw20,w20,w25\t\t// e+=F(b,c,d)\n\tror\tw16,w16,#31\n\teor\tw17,w17,w3\n\teor\tw25,w23,w21\n\tror\tw27,w20,#27\n\tadd\tw23,w23,w28\t\t// future e+=K\n\teor\tw17,w17,w9\n\teor\tw25,w25,w22\n\tadd\tw24,w24,w27\t\t// e+=rot(a,5)\n\tror\tw21,w21,#2\n\teor\tw17,w17,w14\n\tadd\tw23,w23,w16\t// future e+=X[i]\n\tadd\tw24,w24,w25\t\t// e+=F(b,c,d)\n\tror\tw17,w17,#31\n\teor\tw19,w19,w4\n\teor\tw25,w22,w20\n\tror\tw27,w24,#27\n\tadd\tw22,w22,w28\t\t// future e+=K\n\teor\tw19,w19,w10\n\teor\tw25,w25,w21\n\tadd\tw23,w23,w27\t\t// e+=rot(a,5)\n\tror\tw20,w20,#2\n\teor\tw19,w19,w15\n\tadd\tw22,w22,w17\t// future e+=X[i]\n\tadd\tw23,w23,w25\t\t// e+=F(b,c,d)\n\tror\tw19,w19,#31\n\teor\tw3,w3,w5\n\teor\tw25,w21,w24\n\tror\tw27,w23,#27\n\tadd\tw21,w21,w28\t\t// future e+=K\n\teor\tw3,w3,w11\n\teor\tw25,w25,w20\n\tadd\tw22,w22,w27\t\t// e+=rot(a,5)\n\tror\tw24,w24,#2\n\teor\tw3,w3,w16\n\tadd\tw21,w21,w19\t// future e+=X[i]\n\tadd\tw22,w22,w25\t\t// e+=F(b,c,d)\n\tror\tw3,w3,#31\n\teor\tw4,w4,w6\n\teor\tw25,w20,w23\n\tror\tw27,w22,#27\n\tadd\tw20,w20,w28\t\t// future e+=K\n\teor\tw4,w4,w12\n\teor\tw25,w25,w24\n\tadd\tw21,w21,w27\t\t// e+=rot(a,5)\n\tror\tw23,w23,#2\n\teor\tw4,w4,w17\n\tadd\tw20,w20,w3\t// future e+=X[i]\n\tadd\tw21,w21,w25\t\t// e+=F(b,c,d)\n\tror\tw4,w4,#31\n\teor\tw5,w5,w7\n\teor\tw25,w24,w22\n\tror\tw27,w21,#27\n\tadd\tw24,w24,w28\t\t// future e+=K\n\teor\tw5,w5,w13\n\teor\tw25,w25,w23\n\tadd\tw20,w20,w27\t\t// e+=rot(a,5)\n\tror\tw22,w22,#2\n\teor\tw5,w5,w19\n\tadd\tw24,w24,w4\t// future e+=X[i]\n\tadd\tw20,w20,w25\t\t// e+=F(b,c,d)\n\tror\tw5,w5,#31\n\teor\tw6,w6,w8\n\teor\tw25,w23,w21\n\tror\tw27,w20,#27\n\tadd\tw23,w23,w28\t\t// future e+=K\n\teor\tw6,w6,w14\n\teor\tw25,w25,w22\n\tadd\tw24,w24,w27\t\t// e+=rot(a,5)\n\tror\tw21,w21,#2\n\teor\tw6,w6,w3\n\tadd\tw23,w23,w5\t// future e+=X[i]\n\tadd\tw24,w24,w25\t\t// e+=F(b,c,d)\n\tror\tw6,w6,#31\n\teor\tw7,w7,w9\n\teor\tw25,w22,w20\n\tror\tw27,w24,#27\n\tadd\tw22,w22,w28\t\t// future e+=K\n\teor\tw7,w7,w15\n\teor\tw25,w25,w21\n\tadd\tw23,w23,w27\t\t// e+=rot(a,5)\n\tror\tw20,w20,#2\n\teor\tw7,w7,w4\n\tadd\tw22,w22,w6\t// future e+=X[i]\n\tadd\tw23,w23,w25\t\t// e+=F(b,c,d)\n\tror\tw7,w7,#31\n\teor\tw8,w8,w10\n\teor\tw25,w21,w24\n\tror\tw27,w23,#27\n\tadd\tw21,w21,w28\t\t// future e+=K\n\teor\tw8,w8,w16\n\teor\tw25,w25,w20\n\tadd\tw22,w22,w27\t\t// e+=rot(a,5)\n\tror\tw24,w24,#2\n\teor\tw8,w8,w5\n\tadd\tw21,w21,w7\t// future e+=X[i]\n\tadd\tw22,w22,w25\t\t// e+=F(b,c,d)\n\tror\tw8,w8,#31\n\teor\tw9,w9,w11\n\teor\tw25,w20,w23\n\tror\tw27,w22,#27\n\tadd\tw20,w20,w28\t\t// future e+=K\n\teor\tw9,w9,w17\n\teor\tw25,w25,w24\n\tadd\tw21,w21,w27\t\t// e+=rot(a,5)\n\tror\tw23,w23,#2\n\teor\tw9,w9,w6\n\tadd\tw20,w20,w8\t// future e+=X[i]\n\tadd\tw21,w21,w25\t\t// e+=F(b,c,d)\n\tror\tw9,w9,#31\n\teor\tw10,w10,w12\n\teor\tw25,w24,w22\n\tror\tw27,w21,#27\n\tadd\tw24,w24,w28\t\t// future e+=K\n\teor\tw10,w10,w19\n\teor\tw25,w25,w23\n\tadd\tw20,w20,w27\t\t// e+=rot(a,5)\n\tror\tw22,w22,#2\n\teor\tw10,w10,w7\n\tadd\tw24,w24,w9\t// future e+=X[i]\n\tadd\tw20,w20,w25\t\t// e+=F(b,c,d)\n\tror\tw10,w10,#31\n\teor\tw11,w11,w13\n\teor\tw25,w23,w21\n\tror\tw27,w20,#27\n\tadd\tw23,w23,w28\t\t// future e+=K\n\teor\tw11,w11,w3\n\teor\tw25,w25,w22\n\tadd\tw24,w24,w27\t\t// e+=rot(a,5)\n\tror\tw21,w21,#2\n\teor\tw11,w11,w8\n\tadd\tw23,w23,w10\t// future e+=X[i]\n\tadd\tw24,w24,w25\t\t// e+=F(b,c,d)\n\tror\tw11,w11,#31\n\teor\tw12,w12,w14\n\teor\tw25,w22,w20\n\tror\tw27,w24,#27\n\tadd\tw22,w22,w28\t\t// future e+=K\n\teor\tw12,w12,w4\n\teor\tw25,w25,w21\n\tadd\tw23,w23,w27\t\t// e+=rot(a,5)\n\tror\tw20,w20,#2\n\teor\tw12,w12,w9\n\tadd\tw22,w22,w11\t// future e+=X[i]\n\tadd\tw23,w23,w25\t\t// e+=F(b,c,d)\n\tror\tw12,w12,#31\n\teor\tw13,w13,w15\n\teor\tw25,w21,w24\n\tror\tw27,w23,#27\n\tadd\tw21,w21,w28\t\t// future e+=K\n\teor\tw13,w13,w5\n\teor\tw25,w25,w20\n\tadd\tw22,w22,w27\t\t// e+=rot(a,5)\n\tror\tw24,w24,#2\n\teor\tw13,w13,w10\n\tadd\tw21,w21,w12\t// future e+=X[i]\n\tadd\tw22,w22,w25\t\t// e+=F(b,c,d)\n\tror\tw13,w13,#31\n\teor\tw14,w14,w16\n\teor\tw25,w20,w23\n\tror\tw27,w22,#27\n\tadd\tw20,w20,w28\t\t// future e+=K\n\teor\tw14,w14,w6\n\teor\tw25,w25,w24\n\tadd\tw21,w21,w27\t\t// e+=rot(a,5)\n\tror\tw23,w23,#2\n\teor\tw14,w14,w11\n\tadd\tw20,w20,w13\t// future e+=X[i]\n\tadd\tw21,w21,w25\t\t// e+=F(b,c,d)\n\tror\tw14,w14,#31\n\teor\tw15,w15,w17\n\teor\tw25,w24,w22\n\tror\tw27,w21,#27\n\tadd\tw24,w24,w28\t\t// future e+=K\n\teor\tw15,w15,w7\n\teor\tw25,w25,w23\n\tadd\tw20,w20,w27\t\t// e+=rot(a,5)\n\tror\tw22,w22,#2\n\teor\tw15,w15,w12\n\tadd\tw24,w24,w14\t// future e+=X[i]\n\tadd\tw20,w20,w25\t\t// e+=F(b,c,d)\n\tror\tw15,w15,#31\n\teor\tw16,w16,w19\n\teor\tw25,w23,w21\n\tror\tw27,w20,#27\n\tadd\tw23,w23,w28\t\t// future e+=K\n\teor\tw16,w16,w8\n\teor\tw25,w25,w22\n\tadd\tw24,w24,w27\t\t// e+=rot(a,5)\n\tror\tw21,w21,#2\n\teor\tw16,w16,w13\n\tadd\tw23,w23,w15\t// future e+=X[i]\n\tadd\tw24,w24,w25\t\t// e+=F(b,c,d)\n\tror\tw16,w16,#31\n\teor\tw17,w17,w3\n\teor\tw25,w22,w20\n\tror\tw27,w24,#27\n\tadd\tw22,w22,w28\t\t// future e+=K\n\teor\tw17,w17,w9\n\teor\tw25,w25,w21\n\tadd\tw23,w23,w27\t\t// e+=rot(a,5)\n\tror\tw20,w20,#2\n\teor\tw17,w17,w14\n\tadd\tw22,w22,w16\t// future e+=X[i]\n\tadd\tw23,w23,w25\t\t// e+=F(b,c,d)\n\tror\tw17,w17,#31\n\teor\tw19,w19,w4\n\teor\tw25,w21,w24\n\tror\tw27,w23,#27\n\tadd\tw21,w21,w28\t\t// future e+=K\n\teor\tw19,w19,w10\n\teor\tw25,w25,w20\n\tadd\tw22,w22,w27\t\t// e+=rot(a,5)\n\tror\tw24,w24,#2\n\teor\tw19,w19,w15\n\tadd\tw21,w21,w17\t// future e+=X[i]\n\tadd\tw22,w22,w25\t\t// e+=F(b,c,d)\n\tror\tw19,w19,#31\n\tldp\tw4,w5,[x0]\n\teor\tw25,w20,w23\n\tror\tw27,w22,#27\n\tadd\tw20,w20,w28\t\t// future e+=K\n\teor\tw25,w25,w24\n\tadd\tw21,w21,w27\t\t// e+=rot(a,5)\n\tror\tw23,w23,#2\n\tadd\tw20,w20,w19\t// future e+=X[i]\n\tadd\tw21,w21,w25\t\t// e+=F(b,c,d)\n\tldp\tw6,w7,[x0,#8]\n\teor\tw25,w24,w22\n\tror\tw27,w21,#27\n\teor\tw25,w25,w23\n\tadd\tw20,w20,w27\t\t// e+=rot(a,5)\n\tror\tw22,w22,#2\n\tldr\tw8,[x0,#16]\n\tadd\tw20,w20,w25\t\t// e+=F(b,c,d)\n\tadd\tw21,w21,w5\n\tadd\tw22,w22,w6\n\tadd\tw20,w20,w4\n\tadd\tw23,w23,w7\n\tadd\tw24,w24,w8\n\tstp\tw20,w21,[x0]\n\tstp\tw22,w23,[x0,#8]\n\tstr\tw24,[x0,#16]\n\tcbnz\tx2,Loop\n\n\tldp\tx19,x20,[sp,#16]\n\tldp\tx21,x22,[sp,#32]\n\tldp\tx23,x24,[sp,#48]\n\tldp\tx25,x26,[sp,#64]\n\tldp\tx27,x28,[sp,#80]\n\tldr\tx29,[sp],#96\n\tret\n\n.globl\tsha1_block_data_order_hw\n\n.def sha1_block_data_order_hw\n .type 32\n.endef\n.align\t6\nsha1_block_data_order_hw:\n\t// Armv8.3-A PAuth: even though x30 is pushed to stack it is not popped later.\n\tAARCH64_VALID_CALL_TARGET\n\tstp\tx29,x30,[sp,#-16]!\n\tadd\tx29,sp,#0\n\n\tadrp\tx4,Lconst\n\tadd\tx4,x4,:lo12:Lconst\n\teor\tv1.16b,v1.16b,v1.16b\n\tld1\t{v0.4s},[x0],#16\n\tld1\t{v1.s}[0],[x0]\n\tsub\tx0,x0,#16\n\tld1\t{v16.4s,v17.4s,v18.4s,v19.4s},[x4]\n\nLoop_hw:\n\tld1\t{v4.16b,v5.16b,v6.16b,v7.16b},[x1],#64\n\tsub\tx2,x2,#1\n\trev32\tv4.16b,v4.16b\n\trev32\tv5.16b,v5.16b\n\n\tadd\tv20.4s,v16.4s,v4.4s\n\trev32\tv6.16b,v6.16b\n\torr\tv22.16b,v0.16b,v0.16b\t// offload\n\n\tadd\tv21.4s,v16.4s,v5.4s\n\trev32\tv7.16b,v7.16b\n.long\t0x5e280803\t//sha1h v3.16b,v0.16b\n.long\t0x5e140020\t//sha1c v0.16b,v1.16b,v20.4s\t\t// 0\n\tadd\tv20.4s,v16.4s,v6.4s\n.long\t0x5e0630a4\t//sha1su0 v4.16b,v5.16b,v6.16b\n.long\t0x5e280802\t//sha1h v2.16b,v0.16b\t\t// 1\n.long\t0x5e150060\t//sha1c v0.16b,v3.16b,v21.4s\n\tadd\tv21.4s,v16.4s,v7.4s\n.long\t0x5e2818e4\t//sha1su1 v4.16b,v7.16b\n.long\t0x5e0730c5\t//sha1su0 v5.16b,v6.16b,v7.16b\n.long\t0x5e280803\t//sha1h v3.16b,v0.16b\t\t// 2\n.long\t0x5e140040\t//sha1c v0.16b,v2.16b,v20.4s\n\tadd\tv20.4s,v16.4s,v4.4s\n.long\t0x5e281885\t//sha1su1 v5.16b,v4.16b\n.long\t0x5e0430e6\t//sha1su0 v6.16b,v7.16b,v4.16b\n.long\t0x5e280802\t//sha1h v2.16b,v0.16b\t\t// 3\n.long\t0x5e150060\t//sha1c v0.16b,v3.16b,v21.4s\n\tadd\tv21.4s,v17.4s,v5.4s\n.long\t0x5e2818a6\t//sha1su1 v6.16b,v5.16b\n.long\t0x5e053087\t//sha1su0 v7.16b,v4.16b,v5.16b\n.long\t0x5e280803\t//sha1h v3.16b,v0.16b\t\t// 4\n.long\t0x5e140040\t//sha1c v0.16b,v2.16b,v20.4s\n\tadd\tv20.4s,v17.4s,v6.4s\n.long\t0x5e2818c7\t//sha1su1 v7.16b,v6.16b\n.long\t0x5e0630a4\t//sha1su0 v4.16b,v5.16b,v6.16b\n.long\t0x5e280802\t//sha1h v2.16b,v0.16b\t\t// 5\n.long\t0x5e151060\t//sha1p v0.16b,v3.16b,v21.4s\n\tadd\tv21.4s,v17.4s,v7.4s\n.long\t0x5e2818e4\t//sha1su1 v4.16b,v7.16b\n.long\t0x5e0730c5\t//sha1su0 v5.16b,v6.16b,v7.16b\n.long\t0x5e280803\t//sha1h v3.16b,v0.16b\t\t// 6\n.long\t0x5e141040\t//sha1p v0.16b,v2.16b,v20.4s\n\tadd\tv20.4s,v17.4s,v4.4s\n.long\t0x5e281885\t//sha1su1 v5.16b,v4.16b\n.long\t0x5e0430e6\t//sha1su0 v6.16b,v7.16b,v4.16b\n.long\t0x5e280802\t//sha1h v2.16b,v0.16b\t\t// 7\n.long\t0x5e151060\t//sha1p v0.16b,v3.16b,v21.4s\n\tadd\tv21.4s,v17.4s,v5.4s\n.long\t0x5e2818a6\t//sha1su1 v6.16b,v5.16b\n.long\t0x5e053087\t//sha1su0 v7.16b,v4.16b,v5.16b\n.long\t0x5e280803\t//sha1h v3.16b,v0.16b\t\t// 8\n.long\t0x5e141040\t//sha1p v0.16b,v2.16b,v20.4s\n\tadd\tv20.4s,v18.4s,v6.4s\n.long\t0x5e2818c7\t//sha1su1 v7.16b,v6.16b\n.long\t0x5e0630a4\t//sha1su0 v4.16b,v5.16b,v6.16b\n.long\t0x5e280802\t//sha1h v2.16b,v0.16b\t\t// 9\n.long\t0x5e151060\t//sha1p v0.16b,v3.16b,v21.4s\n\tadd\tv21.4s,v18.4s,v7.4s\n.long\t0x5e2818e4\t//sha1su1 v4.16b,v7.16b\n.long\t0x5e0730c5\t//sha1su0 v5.16b,v6.16b,v7.16b\n.long\t0x5e280803\t//sha1h v3.16b,v0.16b\t\t// 10\n.long\t0x5e142040\t//sha1m v0.16b,v2.16b,v20.4s\n\tadd\tv20.4s,v18.4s,v4.4s\n.long\t0x5e281885\t//sha1su1 v5.16b,v4.16b\n.long\t0x5e0430e6\t//sha1su0 v6.16b,v7.16b,v4.16b\n.long\t0x5e280802\t//sha1h v2.16b,v0.16b\t\t// 11\n.long\t0x5e152060\t//sha1m v0.16b,v3.16b,v21.4s\n\tadd\tv21.4s,v18.4s,v5.4s\n.long\t0x5e2818a6\t//sha1su1 v6.16b,v5.16b\n.long\t0x5e053087\t//sha1su0 v7.16b,v4.16b,v5.16b\n.long\t0x5e280803\t//sha1h v3.16b,v0.16b\t\t// 12\n.long\t0x5e142040\t//sha1m v0.16b,v2.16b,v20.4s\n\tadd\tv20.4s,v18.4s,v6.4s\n.long\t0x5e2818c7\t//sha1su1 v7.16b,v6.16b\n.long\t0x5e0630a4\t//sha1su0 v4.16b,v5.16b,v6.16b\n.long\t0x5e280802\t//sha1h v2.16b,v0.16b\t\t// 13\n.long\t0x5e152060\t//sha1m v0.16b,v3.16b,v21.4s\n\tadd\tv21.4s,v19.4s,v7.4s\n.long\t0x5e2818e4\t//sha1su1 v4.16b,v7.16b\n.long\t0x5e0730c5\t//sha1su0 v5.16b,v6.16b,v7.16b\n.long\t0x5e280803\t//sha1h v3.16b,v0.16b\t\t// 14\n.long\t0x5e142040\t//sha1m v0.16b,v2.16b,v20.4s\n\tadd\tv20.4s,v19.4s,v4.4s\n.long\t0x5e281885\t//sha1su1 v5.16b,v4.16b\n.long\t0x5e0430e6\t//sha1su0 v6.16b,v7.16b,v4.16b\n.long\t0x5e280802\t//sha1h v2.16b,v0.16b\t\t// 15\n.long\t0x5e151060\t//sha1p v0.16b,v3.16b,v21.4s\n\tadd\tv21.4s,v19.4s,v5.4s\n.long\t0x5e2818a6\t//sha1su1 v6.16b,v5.16b\n.long\t0x5e053087\t//sha1su0 v7.16b,v4.16b,v5.16b\n.long\t0x5e280803\t//sha1h v3.16b,v0.16b\t\t// 16\n.long\t0x5e141040\t//sha1p v0.16b,v2.16b,v20.4s\n\tadd\tv20.4s,v19.4s,v6.4s\n.long\t0x5e2818c7\t//sha1su1 v7.16b,v6.16b\n.long\t0x5e280802\t//sha1h v2.16b,v0.16b\t\t// 17\n.long\t0x5e151060\t//sha1p v0.16b,v3.16b,v21.4s\n\tadd\tv21.4s,v19.4s,v7.4s\n\n.long\t0x5e280803\t//sha1h v3.16b,v0.16b\t\t// 18\n.long\t0x5e141040\t//sha1p v0.16b,v2.16b,v20.4s\n\n.long\t0x5e280802\t//sha1h v2.16b,v0.16b\t\t// 19\n.long\t0x5e151060\t//sha1p v0.16b,v3.16b,v21.4s\n\n\tadd\tv1.4s,v1.4s,v2.4s\n\tadd\tv0.4s,v0.4s,v22.4s\n\n\tcbnz\tx2,Loop_hw\n\n\tst1\t{v0.4s},[x0],#16\n\tst1\t{v1.s}[0],[x0]\n\n\tldr\tx29,[sp],#16\n\tret\n\n.section\t.rodata\n.align\t6\nLconst:\n.long\t0x5a827999,0x5a827999,0x5a827999,0x5a827999\t//K_00_19\n.long\t0x6ed9eba1,0x6ed9eba1,0x6ed9eba1,0x6ed9eba1\t//K_20_39\n.long\t0x8f1bbcdc,0x8f1bbcdc,0x8f1bbcdc,0x8f1bbcdc\t//K_40_59\n.long\t0xca62c1d6,0xca62c1d6,0xca62c1d6,0xca62c1d6\t//K_60_79\n.byte\t83,72,65,49,32,98,108,111,99,107,32,116,114,97,110,115,102,111,114,109,32,102,111,114,32,65,82,77,118,56,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0\n.align\t2\n.align\t2\n#endif // !OPENSSL_NO_ASM && defined(OPENSSL_AARCH64) && defined(_WIN32)\n#if defined(__linux__) && defined(__ELF__)\n.section .note.GNU-stack,\"\",%progbits\n#endif\n\n" }, { "path": "Sources/CNIOBoringSSL/gen/bcm/sha1-x86_64-apple.S", "content": "#define BORINGSSL_PREFIX CNIOBoringSSL\n// This file is generated from a similarly-named Perl script in the BoringSSL\n// source tree. Do not edit by hand.\n\n#include \n\n#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86_64) && defined(__APPLE__)\n.text\t\n\n.globl\t_sha1_block_data_order_nohw\n.private_extern _sha1_block_data_order_nohw\n\n.p2align\t4\n_sha1_block_data_order_nohw:\n\n_CET_ENDBR\n\tmovq\t%rsp,%rax\n\n\tpushq\t%rbx\n\n\tpushq\t%rbp\n\n\tpushq\t%r12\n\n\tpushq\t%r13\n\n\tpushq\t%r14\n\n\tmovq\t%rdi,%r8\n\tsubq\t$72,%rsp\n\tmovq\t%rsi,%r9\n\tandq\t$-64,%rsp\n\tmovq\t%rdx,%r10\n\tmovq\t%rax,64(%rsp)\n\nL$prologue:\n\n\tmovl\t0(%r8),%esi\n\tmovl\t4(%r8),%edi\n\tmovl\t8(%r8),%r11d\n\tmovl\t12(%r8),%r12d\n\tmovl\t16(%r8),%r13d\n\tjmp\tL$loop\n\n.p2align\t4\nL$loop:\n\tmovl\t0(%r9),%edx\n\tbswapl\t%edx\n\tmovl\t4(%r9),%ebp\n\tmovl\t%r12d,%eax\n\tmovl\t%edx,0(%rsp)\n\tmovl\t%esi,%ecx\n\tbswapl\t%ebp\n\txorl\t%r11d,%eax\n\troll\t$5,%ecx\n\tandl\t%edi,%eax\n\tleal\t1518500249(%rdx,%r13,1),%r13d\n\taddl\t%ecx,%r13d\n\txorl\t%r12d,%eax\n\troll\t$30,%edi\n\taddl\t%eax,%r13d\n\tmovl\t8(%r9),%r14d\n\tmovl\t%r11d,%eax\n\tmovl\t%ebp,4(%rsp)\n\tmovl\t%r13d,%ecx\n\tbswapl\t%r14d\n\txorl\t%edi,%eax\n\troll\t$5,%ecx\n\tandl\t%esi,%eax\n\tleal\t1518500249(%rbp,%r12,1),%r12d\n\taddl\t%ecx,%r12d\n\txorl\t%r11d,%eax\n\troll\t$30,%esi\n\taddl\t%eax,%r12d\n\tmovl\t12(%r9),%edx\n\tmovl\t%edi,%eax\n\tmovl\t%r14d,8(%rsp)\n\tmovl\t%r12d,%ecx\n\tbswapl\t%edx\n\txorl\t%esi,%eax\n\troll\t$5,%ecx\n\tandl\t%r13d,%eax\n\tleal\t1518500249(%r14,%r11,1),%r11d\n\taddl\t%ecx,%r11d\n\txorl\t%edi,%eax\n\troll\t$30,%r13d\n\taddl\t%eax,%r11d\n\tmovl\t16(%r9),%ebp\n\tmovl\t%esi,%eax\n\tmovl\t%edx,12(%rsp)\n\tmovl\t%r11d,%ecx\n\tbswapl\t%ebp\n\txorl\t%r13d,%eax\n\troll\t$5,%ecx\n\tandl\t%r12d,%eax\n\tleal\t1518500249(%rdx,%rdi,1),%edi\n\taddl\t%ecx,%edi\n\txorl\t%esi,%eax\n\troll\t$30,%r12d\n\taddl\t%eax,%edi\n\tmovl\t20(%r9),%r14d\n\tmovl\t%r13d,%eax\n\tmovl\t%ebp,16(%rsp)\n\tmovl\t%edi,%ecx\n\tbswapl\t%r14d\n\txorl\t%r12d,%eax\n\troll\t$5,%ecx\n\tandl\t%r11d,%eax\n\tleal\t1518500249(%rbp,%rsi,1),%esi\n\taddl\t%ecx,%esi\n\txorl\t%r13d,%eax\n\troll\t$30,%r11d\n\taddl\t%eax,%esi\n\tmovl\t24(%r9),%edx\n\tmovl\t%r12d,%eax\n\tmovl\t%r14d,20(%rsp)\n\tmovl\t%esi,%ecx\n\tbswapl\t%edx\n\txorl\t%r11d,%eax\n\troll\t$5,%ecx\n\tandl\t%edi,%eax\n\tleal\t1518500249(%r14,%r13,1),%r13d\n\taddl\t%ecx,%r13d\n\txorl\t%r12d,%eax\n\troll\t$30,%edi\n\taddl\t%eax,%r13d\n\tmovl\t28(%r9),%ebp\n\tmovl\t%r11d,%eax\n\tmovl\t%edx,24(%rsp)\n\tmovl\t%r13d,%ecx\n\tbswapl\t%ebp\n\txorl\t%edi,%eax\n\troll\t$5,%ecx\n\tandl\t%esi,%eax\n\tleal\t1518500249(%rdx,%r12,1),%r12d\n\taddl\t%ecx,%r12d\n\txorl\t%r11d,%eax\n\troll\t$30,%esi\n\taddl\t%eax,%r12d\n\tmovl\t32(%r9),%r14d\n\tmovl\t%edi,%eax\n\tmovl\t%ebp,28(%rsp)\n\tmovl\t%r12d,%ecx\n\tbswapl\t%r14d\n\txorl\t%esi,%eax\n\troll\t$5,%ecx\n\tandl\t%r13d,%eax\n\tleal\t1518500249(%rbp,%r11,1),%r11d\n\taddl\t%ecx,%r11d\n\txorl\t%edi,%eax\n\troll\t$30,%r13d\n\taddl\t%eax,%r11d\n\tmovl\t36(%r9),%edx\n\tmovl\t%esi,%eax\n\tmovl\t%r14d,32(%rsp)\n\tmovl\t%r11d,%ecx\n\tbswapl\t%edx\n\txorl\t%r13d,%eax\n\troll\t$5,%ecx\n\tandl\t%r12d,%eax\n\tleal\t1518500249(%r14,%rdi,1),%edi\n\taddl\t%ecx,%edi\n\txorl\t%esi,%eax\n\troll\t$30,%r12d\n\taddl\t%eax,%edi\n\tmovl\t40(%r9),%ebp\n\tmovl\t%r13d,%eax\n\tmovl\t%edx,36(%rsp)\n\tmovl\t%edi,%ecx\n\tbswapl\t%ebp\n\txorl\t%r12d,%eax\n\troll\t$5,%ecx\n\tandl\t%r11d,%eax\n\tleal\t1518500249(%rdx,%rsi,1),%esi\n\taddl\t%ecx,%esi\n\txorl\t%r13d,%eax\n\troll\t$30,%r11d\n\taddl\t%eax,%esi\n\tmovl\t44(%r9),%r14d\n\tmovl\t%r12d,%eax\n\tmovl\t%ebp,40(%rsp)\n\tmovl\t%esi,%ecx\n\tbswapl\t%r14d\n\txorl\t%r11d,%eax\n\troll\t$5,%ecx\n\tandl\t%edi,%eax\n\tleal\t1518500249(%rbp,%r13,1),%r13d\n\taddl\t%ecx,%r13d\n\txorl\t%r12d,%eax\n\troll\t$30,%edi\n\taddl\t%eax,%r13d\n\tmovl\t48(%r9),%edx\n\tmovl\t%r11d,%eax\n\tmovl\t%r14d,44(%rsp)\n\tmovl\t%r13d,%ecx\n\tbswapl\t%edx\n\txorl\t%edi,%eax\n\troll\t$5,%ecx\n\tandl\t%esi,%eax\n\tleal\t1518500249(%r14,%r12,1),%r12d\n\taddl\t%ecx,%r12d\n\txorl\t%r11d,%eax\n\troll\t$30,%esi\n\taddl\t%eax,%r12d\n\tmovl\t52(%r9),%ebp\n\tmovl\t%edi,%eax\n\tmovl\t%edx,48(%rsp)\n\tmovl\t%r12d,%ecx\n\tbswapl\t%ebp\n\txorl\t%esi,%eax\n\troll\t$5,%ecx\n\tandl\t%r13d,%eax\n\tleal\t1518500249(%rdx,%r11,1),%r11d\n\taddl\t%ecx,%r11d\n\txorl\t%edi,%eax\n\troll\t$30,%r13d\n\taddl\t%eax,%r11d\n\tmovl\t56(%r9),%r14d\n\tmovl\t%esi,%eax\n\tmovl\t%ebp,52(%rsp)\n\tmovl\t%r11d,%ecx\n\tbswapl\t%r14d\n\txorl\t%r13d,%eax\n\troll\t$5,%ecx\n\tandl\t%r12d,%eax\n\tleal\t1518500249(%rbp,%rdi,1),%edi\n\taddl\t%ecx,%edi\n\txorl\t%esi,%eax\n\troll\t$30,%r12d\n\taddl\t%eax,%edi\n\tmovl\t60(%r9),%edx\n\tmovl\t%r13d,%eax\n\tmovl\t%r14d,56(%rsp)\n\tmovl\t%edi,%ecx\n\tbswapl\t%edx\n\txorl\t%r12d,%eax\n\troll\t$5,%ecx\n\tandl\t%r11d,%eax\n\tleal\t1518500249(%r14,%rsi,1),%esi\n\taddl\t%ecx,%esi\n\txorl\t%r13d,%eax\n\troll\t$30,%r11d\n\taddl\t%eax,%esi\n\txorl\t0(%rsp),%ebp\n\tmovl\t%r12d,%eax\n\tmovl\t%edx,60(%rsp)\n\tmovl\t%esi,%ecx\n\txorl\t8(%rsp),%ebp\n\txorl\t%r11d,%eax\n\troll\t$5,%ecx\n\txorl\t32(%rsp),%ebp\n\tandl\t%edi,%eax\n\tleal\t1518500249(%rdx,%r13,1),%r13d\n\troll\t$30,%edi\n\txorl\t%r12d,%eax\n\taddl\t%ecx,%r13d\n\troll\t$1,%ebp\n\taddl\t%eax,%r13d\n\txorl\t4(%rsp),%r14d\n\tmovl\t%r11d,%eax\n\tmovl\t%ebp,0(%rsp)\n\tmovl\t%r13d,%ecx\n\txorl\t12(%rsp),%r14d\n\txorl\t%edi,%eax\n\troll\t$5,%ecx\n\txorl\t36(%rsp),%r14d\n\tandl\t%esi,%eax\n\tleal\t1518500249(%rbp,%r12,1),%r12d\n\troll\t$30,%esi\n\txorl\t%r11d,%eax\n\taddl\t%ecx,%r12d\n\troll\t$1,%r14d\n\taddl\t%eax,%r12d\n\txorl\t8(%rsp),%edx\n\tmovl\t%edi,%eax\n\tmovl\t%r14d,4(%rsp)\n\tmovl\t%r12d,%ecx\n\txorl\t16(%rsp),%edx\n\txorl\t%esi,%eax\n\troll\t$5,%ecx\n\txorl\t40(%rsp),%edx\n\tandl\t%r13d,%eax\n\tleal\t1518500249(%r14,%r11,1),%r11d\n\troll\t$30,%r13d\n\txorl\t%edi,%eax\n\taddl\t%ecx,%r11d\n\troll\t$1,%edx\n\taddl\t%eax,%r11d\n\txorl\t12(%rsp),%ebp\n\tmovl\t%esi,%eax\n\tmovl\t%edx,8(%rsp)\n\tmovl\t%r11d,%ecx\n\txorl\t20(%rsp),%ebp\n\txorl\t%r13d,%eax\n\troll\t$5,%ecx\n\txorl\t44(%rsp),%ebp\n\tandl\t%r12d,%eax\n\tleal\t1518500249(%rdx,%rdi,1),%edi\n\troll\t$30,%r12d\n\txorl\t%esi,%eax\n\taddl\t%ecx,%edi\n\troll\t$1,%ebp\n\taddl\t%eax,%edi\n\txorl\t16(%rsp),%r14d\n\tmovl\t%r13d,%eax\n\tmovl\t%ebp,12(%rsp)\n\tmovl\t%edi,%ecx\n\txorl\t24(%rsp),%r14d\n\txorl\t%r12d,%eax\n\troll\t$5,%ecx\n\txorl\t48(%rsp),%r14d\n\tandl\t%r11d,%eax\n\tleal\t1518500249(%rbp,%rsi,1),%esi\n\troll\t$30,%r11d\n\txorl\t%r13d,%eax\n\taddl\t%ecx,%esi\n\troll\t$1,%r14d\n\taddl\t%eax,%esi\n\txorl\t20(%rsp),%edx\n\tmovl\t%edi,%eax\n\tmovl\t%r14d,16(%rsp)\n\tmovl\t%esi,%ecx\n\txorl\t28(%rsp),%edx\n\txorl\t%r12d,%eax\n\troll\t$5,%ecx\n\txorl\t52(%rsp),%edx\n\tleal\t1859775393(%r14,%r13,1),%r13d\n\txorl\t%r11d,%eax\n\taddl\t%ecx,%r13d\n\troll\t$30,%edi\n\taddl\t%eax,%r13d\n\troll\t$1,%edx\n\txorl\t24(%rsp),%ebp\n\tmovl\t%esi,%eax\n\tmovl\t%edx,20(%rsp)\n\tmovl\t%r13d,%ecx\n\txorl\t32(%rsp),%ebp\n\txorl\t%r11d,%eax\n\troll\t$5,%ecx\n\txorl\t56(%rsp),%ebp\n\tleal\t1859775393(%rdx,%r12,1),%r12d\n\txorl\t%edi,%eax\n\taddl\t%ecx,%r12d\n\troll\t$30,%esi\n\taddl\t%eax,%r12d\n\troll\t$1,%ebp\n\txorl\t28(%rsp),%r14d\n\tmovl\t%r13d,%eax\n\tmovl\t%ebp,24(%rsp)\n\tmovl\t%r12d,%ecx\n\txorl\t36(%rsp),%r14d\n\txorl\t%edi,%eax\n\troll\t$5,%ecx\n\txorl\t60(%rsp),%r14d\n\tleal\t1859775393(%rbp,%r11,1),%r11d\n\txorl\t%esi,%eax\n\taddl\t%ecx,%r11d\n\troll\t$30,%r13d\n\taddl\t%eax,%r11d\n\troll\t$1,%r14d\n\txorl\t32(%rsp),%edx\n\tmovl\t%r12d,%eax\n\tmovl\t%r14d,28(%rsp)\n\tmovl\t%r11d,%ecx\n\txorl\t40(%rsp),%edx\n\txorl\t%esi,%eax\n\troll\t$5,%ecx\n\txorl\t0(%rsp),%edx\n\tleal\t1859775393(%r14,%rdi,1),%edi\n\txorl\t%r13d,%eax\n\taddl\t%ecx,%edi\n\troll\t$30,%r12d\n\taddl\t%eax,%edi\n\troll\t$1,%edx\n\txorl\t36(%rsp),%ebp\n\tmovl\t%r11d,%eax\n\tmovl\t%edx,32(%rsp)\n\tmovl\t%edi,%ecx\n\txorl\t44(%rsp),%ebp\n\txorl\t%r13d,%eax\n\troll\t$5,%ecx\n\txorl\t4(%rsp),%ebp\n\tleal\t1859775393(%rdx,%rsi,1),%esi\n\txorl\t%r12d,%eax\n\taddl\t%ecx,%esi\n\troll\t$30,%r11d\n\taddl\t%eax,%esi\n\troll\t$1,%ebp\n\txorl\t40(%rsp),%r14d\n\tmovl\t%edi,%eax\n\tmovl\t%ebp,36(%rsp)\n\tmovl\t%esi,%ecx\n\txorl\t48(%rsp),%r14d\n\txorl\t%r12d,%eax\n\troll\t$5,%ecx\n\txorl\t8(%rsp),%r14d\n\tleal\t1859775393(%rbp,%r13,1),%r13d\n\txorl\t%r11d,%eax\n\taddl\t%ecx,%r13d\n\troll\t$30,%edi\n\taddl\t%eax,%r13d\n\troll\t$1,%r14d\n\txorl\t44(%rsp),%edx\n\tmovl\t%esi,%eax\n\tmovl\t%r14d,40(%rsp)\n\tmovl\t%r13d,%ecx\n\txorl\t52(%rsp),%edx\n\txorl\t%r11d,%eax\n\troll\t$5,%ecx\n\txorl\t12(%rsp),%edx\n\tleal\t1859775393(%r14,%r12,1),%r12d\n\txorl\t%edi,%eax\n\taddl\t%ecx,%r12d\n\troll\t$30,%esi\n\taddl\t%eax,%r12d\n\troll\t$1,%edx\n\txorl\t48(%rsp),%ebp\n\tmovl\t%r13d,%eax\n\tmovl\t%edx,44(%rsp)\n\tmovl\t%r12d,%ecx\n\txorl\t56(%rsp),%ebp\n\txorl\t%edi,%eax\n\troll\t$5,%ecx\n\txorl\t16(%rsp),%ebp\n\tleal\t1859775393(%rdx,%r11,1),%r11d\n\txorl\t%esi,%eax\n\taddl\t%ecx,%r11d\n\troll\t$30,%r13d\n\taddl\t%eax,%r11d\n\troll\t$1,%ebp\n\txorl\t52(%rsp),%r14d\n\tmovl\t%r12d,%eax\n\tmovl\t%ebp,48(%rsp)\n\tmovl\t%r11d,%ecx\n\txorl\t60(%rsp),%r14d\n\txorl\t%esi,%eax\n\troll\t$5,%ecx\n\txorl\t20(%rsp),%r14d\n\tleal\t1859775393(%rbp,%rdi,1),%edi\n\txorl\t%r13d,%eax\n\taddl\t%ecx,%edi\n\troll\t$30,%r12d\n\taddl\t%eax,%edi\n\troll\t$1,%r14d\n\txorl\t56(%rsp),%edx\n\tmovl\t%r11d,%eax\n\tmovl\t%r14d,52(%rsp)\n\tmovl\t%edi,%ecx\n\txorl\t0(%rsp),%edx\n\txorl\t%r13d,%eax\n\troll\t$5,%ecx\n\txorl\t24(%rsp),%edx\n\tleal\t1859775393(%r14,%rsi,1),%esi\n\txorl\t%r12d,%eax\n\taddl\t%ecx,%esi\n\troll\t$30,%r11d\n\taddl\t%eax,%esi\n\troll\t$1,%edx\n\txorl\t60(%rsp),%ebp\n\tmovl\t%edi,%eax\n\tmovl\t%edx,56(%rsp)\n\tmovl\t%esi,%ecx\n\txorl\t4(%rsp),%ebp\n\txorl\t%r12d,%eax\n\troll\t$5,%ecx\n\txorl\t28(%rsp),%ebp\n\tleal\t1859775393(%rdx,%r13,1),%r13d\n\txorl\t%r11d,%eax\n\taddl\t%ecx,%r13d\n\troll\t$30,%edi\n\taddl\t%eax,%r13d\n\troll\t$1,%ebp\n\txorl\t0(%rsp),%r14d\n\tmovl\t%esi,%eax\n\tmovl\t%ebp,60(%rsp)\n\tmovl\t%r13d,%ecx\n\txorl\t8(%rsp),%r14d\n\txorl\t%r11d,%eax\n\troll\t$5,%ecx\n\txorl\t32(%rsp),%r14d\n\tleal\t1859775393(%rbp,%r12,1),%r12d\n\txorl\t%edi,%eax\n\taddl\t%ecx,%r12d\n\troll\t$30,%esi\n\taddl\t%eax,%r12d\n\troll\t$1,%r14d\n\txorl\t4(%rsp),%edx\n\tmovl\t%r13d,%eax\n\tmovl\t%r14d,0(%rsp)\n\tmovl\t%r12d,%ecx\n\txorl\t12(%rsp),%edx\n\txorl\t%edi,%eax\n\troll\t$5,%ecx\n\txorl\t36(%rsp),%edx\n\tleal\t1859775393(%r14,%r11,1),%r11d\n\txorl\t%esi,%eax\n\taddl\t%ecx,%r11d\n\troll\t$30,%r13d\n\taddl\t%eax,%r11d\n\troll\t$1,%edx\n\txorl\t8(%rsp),%ebp\n\tmovl\t%r12d,%eax\n\tmovl\t%edx,4(%rsp)\n\tmovl\t%r11d,%ecx\n\txorl\t16(%rsp),%ebp\n\txorl\t%esi,%eax\n\troll\t$5,%ecx\n\txorl\t40(%rsp),%ebp\n\tleal\t1859775393(%rdx,%rdi,1),%edi\n\txorl\t%r13d,%eax\n\taddl\t%ecx,%edi\n\troll\t$30,%r12d\n\taddl\t%eax,%edi\n\troll\t$1,%ebp\n\txorl\t12(%rsp),%r14d\n\tmovl\t%r11d,%eax\n\tmovl\t%ebp,8(%rsp)\n\tmovl\t%edi,%ecx\n\txorl\t20(%rsp),%r14d\n\txorl\t%r13d,%eax\n\troll\t$5,%ecx\n\txorl\t44(%rsp),%r14d\n\tleal\t1859775393(%rbp,%rsi,1),%esi\n\txorl\t%r12d,%eax\n\taddl\t%ecx,%esi\n\troll\t$30,%r11d\n\taddl\t%eax,%esi\n\troll\t$1,%r14d\n\txorl\t16(%rsp),%edx\n\tmovl\t%edi,%eax\n\tmovl\t%r14d,12(%rsp)\n\tmovl\t%esi,%ecx\n\txorl\t24(%rsp),%edx\n\txorl\t%r12d,%eax\n\troll\t$5,%ecx\n\txorl\t48(%rsp),%edx\n\tleal\t1859775393(%r14,%r13,1),%r13d\n\txorl\t%r11d,%eax\n\taddl\t%ecx,%r13d\n\troll\t$30,%edi\n\taddl\t%eax,%r13d\n\troll\t$1,%edx\n\txorl\t20(%rsp),%ebp\n\tmovl\t%esi,%eax\n\tmovl\t%edx,16(%rsp)\n\tmovl\t%r13d,%ecx\n\txorl\t28(%rsp),%ebp\n\txorl\t%r11d,%eax\n\troll\t$5,%ecx\n\txorl\t52(%rsp),%ebp\n\tleal\t1859775393(%rdx,%r12,1),%r12d\n\txorl\t%edi,%eax\n\taddl\t%ecx,%r12d\n\troll\t$30,%esi\n\taddl\t%eax,%r12d\n\troll\t$1,%ebp\n\txorl\t24(%rsp),%r14d\n\tmovl\t%r13d,%eax\n\tmovl\t%ebp,20(%rsp)\n\tmovl\t%r12d,%ecx\n\txorl\t32(%rsp),%r14d\n\txorl\t%edi,%eax\n\troll\t$5,%ecx\n\txorl\t56(%rsp),%r14d\n\tleal\t1859775393(%rbp,%r11,1),%r11d\n\txorl\t%esi,%eax\n\taddl\t%ecx,%r11d\n\troll\t$30,%r13d\n\taddl\t%eax,%r11d\n\troll\t$1,%r14d\n\txorl\t28(%rsp),%edx\n\tmovl\t%r12d,%eax\n\tmovl\t%r14d,24(%rsp)\n\tmovl\t%r11d,%ecx\n\txorl\t36(%rsp),%edx\n\txorl\t%esi,%eax\n\troll\t$5,%ecx\n\txorl\t60(%rsp),%edx\n\tleal\t1859775393(%r14,%rdi,1),%edi\n\txorl\t%r13d,%eax\n\taddl\t%ecx,%edi\n\troll\t$30,%r12d\n\taddl\t%eax,%edi\n\troll\t$1,%edx\n\txorl\t32(%rsp),%ebp\n\tmovl\t%r11d,%eax\n\tmovl\t%edx,28(%rsp)\n\tmovl\t%edi,%ecx\n\txorl\t40(%rsp),%ebp\n\txorl\t%r13d,%eax\n\troll\t$5,%ecx\n\txorl\t0(%rsp),%ebp\n\tleal\t1859775393(%rdx,%rsi,1),%esi\n\txorl\t%r12d,%eax\n\taddl\t%ecx,%esi\n\troll\t$30,%r11d\n\taddl\t%eax,%esi\n\troll\t$1,%ebp\n\txorl\t36(%rsp),%r14d\n\tmovl\t%r12d,%eax\n\tmovl\t%ebp,32(%rsp)\n\tmovl\t%r12d,%ebx\n\txorl\t44(%rsp),%r14d\n\tandl\t%r11d,%eax\n\tmovl\t%esi,%ecx\n\txorl\t4(%rsp),%r14d\n\tleal\t-1894007588(%rbp,%r13,1),%r13d\n\txorl\t%r11d,%ebx\n\troll\t$5,%ecx\n\taddl\t%eax,%r13d\n\troll\t$1,%r14d\n\tandl\t%edi,%ebx\n\taddl\t%ecx,%r13d\n\troll\t$30,%edi\n\taddl\t%ebx,%r13d\n\txorl\t40(%rsp),%edx\n\tmovl\t%r11d,%eax\n\tmovl\t%r14d,36(%rsp)\n\tmovl\t%r11d,%ebx\n\txorl\t48(%rsp),%edx\n\tandl\t%edi,%eax\n\tmovl\t%r13d,%ecx\n\txorl\t8(%rsp),%edx\n\tleal\t-1894007588(%r14,%r12,1),%r12d\n\txorl\t%edi,%ebx\n\troll\t$5,%ecx\n\taddl\t%eax,%r12d\n\troll\t$1,%edx\n\tandl\t%esi,%ebx\n\taddl\t%ecx,%r12d\n\troll\t$30,%esi\n\taddl\t%ebx,%r12d\n\txorl\t44(%rsp),%ebp\n\tmovl\t%edi,%eax\n\tmovl\t%edx,40(%rsp)\n\tmovl\t%edi,%ebx\n\txorl\t52(%rsp),%ebp\n\tandl\t%esi,%eax\n\tmovl\t%r12d,%ecx\n\txorl\t12(%rsp),%ebp\n\tleal\t-1894007588(%rdx,%r11,1),%r11d\n\txorl\t%esi,%ebx\n\troll\t$5,%ecx\n\taddl\t%eax,%r11d\n\troll\t$1,%ebp\n\tandl\t%r13d,%ebx\n\taddl\t%ecx,%r11d\n\troll\t$30,%r13d\n\taddl\t%ebx,%r11d\n\txorl\t48(%rsp),%r14d\n\tmovl\t%esi,%eax\n\tmovl\t%ebp,44(%rsp)\n\tmovl\t%esi,%ebx\n\txorl\t56(%rsp),%r14d\n\tandl\t%r13d,%eax\n\tmovl\t%r11d,%ecx\n\txorl\t16(%rsp),%r14d\n\tleal\t-1894007588(%rbp,%rdi,1),%edi\n\txorl\t%r13d,%ebx\n\troll\t$5,%ecx\n\taddl\t%eax,%edi\n\troll\t$1,%r14d\n\tandl\t%r12d,%ebx\n\taddl\t%ecx,%edi\n\troll\t$30,%r12d\n\taddl\t%ebx,%edi\n\txorl\t52(%rsp),%edx\n\tmovl\t%r13d,%eax\n\tmovl\t%r14d,48(%rsp)\n\tmovl\t%r13d,%ebx\n\txorl\t60(%rsp),%edx\n\tandl\t%r12d,%eax\n\tmovl\t%edi,%ecx\n\txorl\t20(%rsp),%edx\n\tleal\t-1894007588(%r14,%rsi,1),%esi\n\txorl\t%r12d,%ebx\n\troll\t$5,%ecx\n\taddl\t%eax,%esi\n\troll\t$1,%edx\n\tandl\t%r11d,%ebx\n\taddl\t%ecx,%esi\n\troll\t$30,%r11d\n\taddl\t%ebx,%esi\n\txorl\t56(%rsp),%ebp\n\tmovl\t%r12d,%eax\n\tmovl\t%edx,52(%rsp)\n\tmovl\t%r12d,%ebx\n\txorl\t0(%rsp),%ebp\n\tandl\t%r11d,%eax\n\tmovl\t%esi,%ecx\n\txorl\t24(%rsp),%ebp\n\tleal\t-1894007588(%rdx,%r13,1),%r13d\n\txorl\t%r11d,%ebx\n\troll\t$5,%ecx\n\taddl\t%eax,%r13d\n\troll\t$1,%ebp\n\tandl\t%edi,%ebx\n\taddl\t%ecx,%r13d\n\troll\t$30,%edi\n\taddl\t%ebx,%r13d\n\txorl\t60(%rsp),%r14d\n\tmovl\t%r11d,%eax\n\tmovl\t%ebp,56(%rsp)\n\tmovl\t%r11d,%ebx\n\txorl\t4(%rsp),%r14d\n\tandl\t%edi,%eax\n\tmovl\t%r13d,%ecx\n\txorl\t28(%rsp),%r14d\n\tleal\t-1894007588(%rbp,%r12,1),%r12d\n\txorl\t%edi,%ebx\n\troll\t$5,%ecx\n\taddl\t%eax,%r12d\n\troll\t$1,%r14d\n\tandl\t%esi,%ebx\n\taddl\t%ecx,%r12d\n\troll\t$30,%esi\n\taddl\t%ebx,%r12d\n\txorl\t0(%rsp),%edx\n\tmovl\t%edi,%eax\n\tmovl\t%r14d,60(%rsp)\n\tmovl\t%edi,%ebx\n\txorl\t8(%rsp),%edx\n\tandl\t%esi,%eax\n\tmovl\t%r12d,%ecx\n\txorl\t32(%rsp),%edx\n\tleal\t-1894007588(%r14,%r11,1),%r11d\n\txorl\t%esi,%ebx\n\troll\t$5,%ecx\n\taddl\t%eax,%r11d\n\troll\t$1,%edx\n\tandl\t%r13d,%ebx\n\taddl\t%ecx,%r11d\n\troll\t$30,%r13d\n\taddl\t%ebx,%r11d\n\txorl\t4(%rsp),%ebp\n\tmovl\t%esi,%eax\n\tmovl\t%edx,0(%rsp)\n\tmovl\t%esi,%ebx\n\txorl\t12(%rsp),%ebp\n\tandl\t%r13d,%eax\n\tmovl\t%r11d,%ecx\n\txorl\t36(%rsp),%ebp\n\tleal\t-1894007588(%rdx,%rdi,1),%edi\n\txorl\t%r13d,%ebx\n\troll\t$5,%ecx\n\taddl\t%eax,%edi\n\troll\t$1,%ebp\n\tandl\t%r12d,%ebx\n\taddl\t%ecx,%edi\n\troll\t$30,%r12d\n\taddl\t%ebx,%edi\n\txorl\t8(%rsp),%r14d\n\tmovl\t%r13d,%eax\n\tmovl\t%ebp,4(%rsp)\n\tmovl\t%r13d,%ebx\n\txorl\t16(%rsp),%r14d\n\tandl\t%r12d,%eax\n\tmovl\t%edi,%ecx\n\txorl\t40(%rsp),%r14d\n\tleal\t-1894007588(%rbp,%rsi,1),%esi\n\txorl\t%r12d,%ebx\n\troll\t$5,%ecx\n\taddl\t%eax,%esi\n\troll\t$1,%r14d\n\tandl\t%r11d,%ebx\n\taddl\t%ecx,%esi\n\troll\t$30,%r11d\n\taddl\t%ebx,%esi\n\txorl\t12(%rsp),%edx\n\tmovl\t%r12d,%eax\n\tmovl\t%r14d,8(%rsp)\n\tmovl\t%r12d,%ebx\n\txorl\t20(%rsp),%edx\n\tandl\t%r11d,%eax\n\tmovl\t%esi,%ecx\n\txorl\t44(%rsp),%edx\n\tleal\t-1894007588(%r14,%r13,1),%r13d\n\txorl\t%r11d,%ebx\n\troll\t$5,%ecx\n\taddl\t%eax,%r13d\n\troll\t$1,%edx\n\tandl\t%edi,%ebx\n\taddl\t%ecx,%r13d\n\troll\t$30,%edi\n\taddl\t%ebx,%r13d\n\txorl\t16(%rsp),%ebp\n\tmovl\t%r11d,%eax\n\tmovl\t%edx,12(%rsp)\n\tmovl\t%r11d,%ebx\n\txorl\t24(%rsp),%ebp\n\tandl\t%edi,%eax\n\tmovl\t%r13d,%ecx\n\txorl\t48(%rsp),%ebp\n\tleal\t-1894007588(%rdx,%r12,1),%r12d\n\txorl\t%edi,%ebx\n\troll\t$5,%ecx\n\taddl\t%eax,%r12d\n\troll\t$1,%ebp\n\tandl\t%esi,%ebx\n\taddl\t%ecx,%r12d\n\troll\t$30,%esi\n\taddl\t%ebx,%r12d\n\txorl\t20(%rsp),%r14d\n\tmovl\t%edi,%eax\n\tmovl\t%ebp,16(%rsp)\n\tmovl\t%edi,%ebx\n\txorl\t28(%rsp),%r14d\n\tandl\t%esi,%eax\n\tmovl\t%r12d,%ecx\n\txorl\t52(%rsp),%r14d\n\tleal\t-1894007588(%rbp,%r11,1),%r11d\n\txorl\t%esi,%ebx\n\troll\t$5,%ecx\n\taddl\t%eax,%r11d\n\troll\t$1,%r14d\n\tandl\t%r13d,%ebx\n\taddl\t%ecx,%r11d\n\troll\t$30,%r13d\n\taddl\t%ebx,%r11d\n\txorl\t24(%rsp),%edx\n\tmovl\t%esi,%eax\n\tmovl\t%r14d,20(%rsp)\n\tmovl\t%esi,%ebx\n\txorl\t32(%rsp),%edx\n\tandl\t%r13d,%eax\n\tmovl\t%r11d,%ecx\n\txorl\t56(%rsp),%edx\n\tleal\t-1894007588(%r14,%rdi,1),%edi\n\txorl\t%r13d,%ebx\n\troll\t$5,%ecx\n\taddl\t%eax,%edi\n\troll\t$1,%edx\n\tandl\t%r12d,%ebx\n\taddl\t%ecx,%edi\n\troll\t$30,%r12d\n\taddl\t%ebx,%edi\n\txorl\t28(%rsp),%ebp\n\tmovl\t%r13d,%eax\n\tmovl\t%edx,24(%rsp)\n\tmovl\t%r13d,%ebx\n\txorl\t36(%rsp),%ebp\n\tandl\t%r12d,%eax\n\tmovl\t%edi,%ecx\n\txorl\t60(%rsp),%ebp\n\tleal\t-1894007588(%rdx,%rsi,1),%esi\n\txorl\t%r12d,%ebx\n\troll\t$5,%ecx\n\taddl\t%eax,%esi\n\troll\t$1,%ebp\n\tandl\t%r11d,%ebx\n\taddl\t%ecx,%esi\n\troll\t$30,%r11d\n\taddl\t%ebx,%esi\n\txorl\t32(%rsp),%r14d\n\tmovl\t%r12d,%eax\n\tmovl\t%ebp,28(%rsp)\n\tmovl\t%r12d,%ebx\n\txorl\t40(%rsp),%r14d\n\tandl\t%r11d,%eax\n\tmovl\t%esi,%ecx\n\txorl\t0(%rsp),%r14d\n\tleal\t-1894007588(%rbp,%r13,1),%r13d\n\txorl\t%r11d,%ebx\n\troll\t$5,%ecx\n\taddl\t%eax,%r13d\n\troll\t$1,%r14d\n\tandl\t%edi,%ebx\n\taddl\t%ecx,%r13d\n\troll\t$30,%edi\n\taddl\t%ebx,%r13d\n\txorl\t36(%rsp),%edx\n\tmovl\t%r11d,%eax\n\tmovl\t%r14d,32(%rsp)\n\tmovl\t%r11d,%ebx\n\txorl\t44(%rsp),%edx\n\tandl\t%edi,%eax\n\tmovl\t%r13d,%ecx\n\txorl\t4(%rsp),%edx\n\tleal\t-1894007588(%r14,%r12,1),%r12d\n\txorl\t%edi,%ebx\n\troll\t$5,%ecx\n\taddl\t%eax,%r12d\n\troll\t$1,%edx\n\tandl\t%esi,%ebx\n\taddl\t%ecx,%r12d\n\troll\t$30,%esi\n\taddl\t%ebx,%r12d\n\txorl\t40(%rsp),%ebp\n\tmovl\t%edi,%eax\n\tmovl\t%edx,36(%rsp)\n\tmovl\t%edi,%ebx\n\txorl\t48(%rsp),%ebp\n\tandl\t%esi,%eax\n\tmovl\t%r12d,%ecx\n\txorl\t8(%rsp),%ebp\n\tleal\t-1894007588(%rdx,%r11,1),%r11d\n\txorl\t%esi,%ebx\n\troll\t$5,%ecx\n\taddl\t%eax,%r11d\n\troll\t$1,%ebp\n\tandl\t%r13d,%ebx\n\taddl\t%ecx,%r11d\n\troll\t$30,%r13d\n\taddl\t%ebx,%r11d\n\txorl\t44(%rsp),%r14d\n\tmovl\t%esi,%eax\n\tmovl\t%ebp,40(%rsp)\n\tmovl\t%esi,%ebx\n\txorl\t52(%rsp),%r14d\n\tandl\t%r13d,%eax\n\tmovl\t%r11d,%ecx\n\txorl\t12(%rsp),%r14d\n\tleal\t-1894007588(%rbp,%rdi,1),%edi\n\txorl\t%r13d,%ebx\n\troll\t$5,%ecx\n\taddl\t%eax,%edi\n\troll\t$1,%r14d\n\tandl\t%r12d,%ebx\n\taddl\t%ecx,%edi\n\troll\t$30,%r12d\n\taddl\t%ebx,%edi\n\txorl\t48(%rsp),%edx\n\tmovl\t%r13d,%eax\n\tmovl\t%r14d,44(%rsp)\n\tmovl\t%r13d,%ebx\n\txorl\t56(%rsp),%edx\n\tandl\t%r12d,%eax\n\tmovl\t%edi,%ecx\n\txorl\t16(%rsp),%edx\n\tleal\t-1894007588(%r14,%rsi,1),%esi\n\txorl\t%r12d,%ebx\n\troll\t$5,%ecx\n\taddl\t%eax,%esi\n\troll\t$1,%edx\n\tandl\t%r11d,%ebx\n\taddl\t%ecx,%esi\n\troll\t$30,%r11d\n\taddl\t%ebx,%esi\n\txorl\t52(%rsp),%ebp\n\tmovl\t%edi,%eax\n\tmovl\t%edx,48(%rsp)\n\tmovl\t%esi,%ecx\n\txorl\t60(%rsp),%ebp\n\txorl\t%r12d,%eax\n\troll\t$5,%ecx\n\txorl\t20(%rsp),%ebp\n\tleal\t-899497514(%rdx,%r13,1),%r13d\n\txorl\t%r11d,%eax\n\taddl\t%ecx,%r13d\n\troll\t$30,%edi\n\taddl\t%eax,%r13d\n\troll\t$1,%ebp\n\txorl\t56(%rsp),%r14d\n\tmovl\t%esi,%eax\n\tmovl\t%ebp,52(%rsp)\n\tmovl\t%r13d,%ecx\n\txorl\t0(%rsp),%r14d\n\txorl\t%r11d,%eax\n\troll\t$5,%ecx\n\txorl\t24(%rsp),%r14d\n\tleal\t-899497514(%rbp,%r12,1),%r12d\n\txorl\t%edi,%eax\n\taddl\t%ecx,%r12d\n\troll\t$30,%esi\n\taddl\t%eax,%r12d\n\troll\t$1,%r14d\n\txorl\t60(%rsp),%edx\n\tmovl\t%r13d,%eax\n\tmovl\t%r14d,56(%rsp)\n\tmovl\t%r12d,%ecx\n\txorl\t4(%rsp),%edx\n\txorl\t%edi,%eax\n\troll\t$5,%ecx\n\txorl\t28(%rsp),%edx\n\tleal\t-899497514(%r14,%r11,1),%r11d\n\txorl\t%esi,%eax\n\taddl\t%ecx,%r11d\n\troll\t$30,%r13d\n\taddl\t%eax,%r11d\n\troll\t$1,%edx\n\txorl\t0(%rsp),%ebp\n\tmovl\t%r12d,%eax\n\tmovl\t%edx,60(%rsp)\n\tmovl\t%r11d,%ecx\n\txorl\t8(%rsp),%ebp\n\txorl\t%esi,%eax\n\troll\t$5,%ecx\n\txorl\t32(%rsp),%ebp\n\tleal\t-899497514(%rdx,%rdi,1),%edi\n\txorl\t%r13d,%eax\n\taddl\t%ecx,%edi\n\troll\t$30,%r12d\n\taddl\t%eax,%edi\n\troll\t$1,%ebp\n\txorl\t4(%rsp),%r14d\n\tmovl\t%r11d,%eax\n\tmovl\t%ebp,0(%rsp)\n\tmovl\t%edi,%ecx\n\txorl\t12(%rsp),%r14d\n\txorl\t%r13d,%eax\n\troll\t$5,%ecx\n\txorl\t36(%rsp),%r14d\n\tleal\t-899497514(%rbp,%rsi,1),%esi\n\txorl\t%r12d,%eax\n\taddl\t%ecx,%esi\n\troll\t$30,%r11d\n\taddl\t%eax,%esi\n\troll\t$1,%r14d\n\txorl\t8(%rsp),%edx\n\tmovl\t%edi,%eax\n\tmovl\t%r14d,4(%rsp)\n\tmovl\t%esi,%ecx\n\txorl\t16(%rsp),%edx\n\txorl\t%r12d,%eax\n\troll\t$5,%ecx\n\txorl\t40(%rsp),%edx\n\tleal\t-899497514(%r14,%r13,1),%r13d\n\txorl\t%r11d,%eax\n\taddl\t%ecx,%r13d\n\troll\t$30,%edi\n\taddl\t%eax,%r13d\n\troll\t$1,%edx\n\txorl\t12(%rsp),%ebp\n\tmovl\t%esi,%eax\n\tmovl\t%edx,8(%rsp)\n\tmovl\t%r13d,%ecx\n\txorl\t20(%rsp),%ebp\n\txorl\t%r11d,%eax\n\troll\t$5,%ecx\n\txorl\t44(%rsp),%ebp\n\tleal\t-899497514(%rdx,%r12,1),%r12d\n\txorl\t%edi,%eax\n\taddl\t%ecx,%r12d\n\troll\t$30,%esi\n\taddl\t%eax,%r12d\n\troll\t$1,%ebp\n\txorl\t16(%rsp),%r14d\n\tmovl\t%r13d,%eax\n\tmovl\t%ebp,12(%rsp)\n\tmovl\t%r12d,%ecx\n\txorl\t24(%rsp),%r14d\n\txorl\t%edi,%eax\n\troll\t$5,%ecx\n\txorl\t48(%rsp),%r14d\n\tleal\t-899497514(%rbp,%r11,1),%r11d\n\txorl\t%esi,%eax\n\taddl\t%ecx,%r11d\n\troll\t$30,%r13d\n\taddl\t%eax,%r11d\n\troll\t$1,%r14d\n\txorl\t20(%rsp),%edx\n\tmovl\t%r12d,%eax\n\tmovl\t%r14d,16(%rsp)\n\tmovl\t%r11d,%ecx\n\txorl\t28(%rsp),%edx\n\txorl\t%esi,%eax\n\troll\t$5,%ecx\n\txorl\t52(%rsp),%edx\n\tleal\t-899497514(%r14,%rdi,1),%edi\n\txorl\t%r13d,%eax\n\taddl\t%ecx,%edi\n\troll\t$30,%r12d\n\taddl\t%eax,%edi\n\troll\t$1,%edx\n\txorl\t24(%rsp),%ebp\n\tmovl\t%r11d,%eax\n\tmovl\t%edx,20(%rsp)\n\tmovl\t%edi,%ecx\n\txorl\t32(%rsp),%ebp\n\txorl\t%r13d,%eax\n\troll\t$5,%ecx\n\txorl\t56(%rsp),%ebp\n\tleal\t-899497514(%rdx,%rsi,1),%esi\n\txorl\t%r12d,%eax\n\taddl\t%ecx,%esi\n\troll\t$30,%r11d\n\taddl\t%eax,%esi\n\troll\t$1,%ebp\n\txorl\t28(%rsp),%r14d\n\tmovl\t%edi,%eax\n\tmovl\t%ebp,24(%rsp)\n\tmovl\t%esi,%ecx\n\txorl\t36(%rsp),%r14d\n\txorl\t%r12d,%eax\n\troll\t$5,%ecx\n\txorl\t60(%rsp),%r14d\n\tleal\t-899497514(%rbp,%r13,1),%r13d\n\txorl\t%r11d,%eax\n\taddl\t%ecx,%r13d\n\troll\t$30,%edi\n\taddl\t%eax,%r13d\n\troll\t$1,%r14d\n\txorl\t32(%rsp),%edx\n\tmovl\t%esi,%eax\n\tmovl\t%r14d,28(%rsp)\n\tmovl\t%r13d,%ecx\n\txorl\t40(%rsp),%edx\n\txorl\t%r11d,%eax\n\troll\t$5,%ecx\n\txorl\t0(%rsp),%edx\n\tleal\t-899497514(%r14,%r12,1),%r12d\n\txorl\t%edi,%eax\n\taddl\t%ecx,%r12d\n\troll\t$30,%esi\n\taddl\t%eax,%r12d\n\troll\t$1,%edx\n\txorl\t36(%rsp),%ebp\n\tmovl\t%r13d,%eax\n\n\tmovl\t%r12d,%ecx\n\txorl\t44(%rsp),%ebp\n\txorl\t%edi,%eax\n\troll\t$5,%ecx\n\txorl\t4(%rsp),%ebp\n\tleal\t-899497514(%rdx,%r11,1),%r11d\n\txorl\t%esi,%eax\n\taddl\t%ecx,%r11d\n\troll\t$30,%r13d\n\taddl\t%eax,%r11d\n\troll\t$1,%ebp\n\txorl\t40(%rsp),%r14d\n\tmovl\t%r12d,%eax\n\n\tmovl\t%r11d,%ecx\n\txorl\t48(%rsp),%r14d\n\txorl\t%esi,%eax\n\troll\t$5,%ecx\n\txorl\t8(%rsp),%r14d\n\tleal\t-899497514(%rbp,%rdi,1),%edi\n\txorl\t%r13d,%eax\n\taddl\t%ecx,%edi\n\troll\t$30,%r12d\n\taddl\t%eax,%edi\n\troll\t$1,%r14d\n\txorl\t44(%rsp),%edx\n\tmovl\t%r11d,%eax\n\n\tmovl\t%edi,%ecx\n\txorl\t52(%rsp),%edx\n\txorl\t%r13d,%eax\n\troll\t$5,%ecx\n\txorl\t12(%rsp),%edx\n\tleal\t-899497514(%r14,%rsi,1),%esi\n\txorl\t%r12d,%eax\n\taddl\t%ecx,%esi\n\troll\t$30,%r11d\n\taddl\t%eax,%esi\n\troll\t$1,%edx\n\txorl\t48(%rsp),%ebp\n\tmovl\t%edi,%eax\n\n\tmovl\t%esi,%ecx\n\txorl\t56(%rsp),%ebp\n\txorl\t%r12d,%eax\n\troll\t$5,%ecx\n\txorl\t16(%rsp),%ebp\n\tleal\t-899497514(%rdx,%r13,1),%r13d\n\txorl\t%r11d,%eax\n\taddl\t%ecx,%r13d\n\troll\t$30,%edi\n\taddl\t%eax,%r13d\n\troll\t$1,%ebp\n\txorl\t52(%rsp),%r14d\n\tmovl\t%esi,%eax\n\n\tmovl\t%r13d,%ecx\n\txorl\t60(%rsp),%r14d\n\txorl\t%r11d,%eax\n\troll\t$5,%ecx\n\txorl\t20(%rsp),%r14d\n\tleal\t-899497514(%rbp,%r12,1),%r12d\n\txorl\t%edi,%eax\n\taddl\t%ecx,%r12d\n\troll\t$30,%esi\n\taddl\t%eax,%r12d\n\troll\t$1,%r14d\n\txorl\t56(%rsp),%edx\n\tmovl\t%r13d,%eax\n\n\tmovl\t%r12d,%ecx\n\txorl\t0(%rsp),%edx\n\txorl\t%edi,%eax\n\troll\t$5,%ecx\n\txorl\t24(%rsp),%edx\n\tleal\t-899497514(%r14,%r11,1),%r11d\n\txorl\t%esi,%eax\n\taddl\t%ecx,%r11d\n\troll\t$30,%r13d\n\taddl\t%eax,%r11d\n\troll\t$1,%edx\n\txorl\t60(%rsp),%ebp\n\tmovl\t%r12d,%eax\n\n\tmovl\t%r11d,%ecx\n\txorl\t4(%rsp),%ebp\n\txorl\t%esi,%eax\n\troll\t$5,%ecx\n\txorl\t28(%rsp),%ebp\n\tleal\t-899497514(%rdx,%rdi,1),%edi\n\txorl\t%r13d,%eax\n\taddl\t%ecx,%edi\n\troll\t$30,%r12d\n\taddl\t%eax,%edi\n\troll\t$1,%ebp\n\tmovl\t%r11d,%eax\n\tmovl\t%edi,%ecx\n\txorl\t%r13d,%eax\n\tleal\t-899497514(%rbp,%rsi,1),%esi\n\troll\t$5,%ecx\n\txorl\t%r12d,%eax\n\taddl\t%ecx,%esi\n\troll\t$30,%r11d\n\taddl\t%eax,%esi\n\taddl\t0(%r8),%esi\n\taddl\t4(%r8),%edi\n\taddl\t8(%r8),%r11d\n\taddl\t12(%r8),%r12d\n\taddl\t16(%r8),%r13d\n\tmovl\t%esi,0(%r8)\n\tmovl\t%edi,4(%r8)\n\tmovl\t%r11d,8(%r8)\n\tmovl\t%r12d,12(%r8)\n\tmovl\t%r13d,16(%r8)\n\n\tsubq\t$1,%r10\n\tleaq\t64(%r9),%r9\n\tjnz\tL$loop\n\n\tmovq\t64(%rsp),%rsi\n\n\tmovq\t-40(%rsi),%r14\n\n\tmovq\t-32(%rsi),%r13\n\n\tmovq\t-24(%rsi),%r12\n\n\tmovq\t-16(%rsi),%rbp\n\n\tmovq\t-8(%rsi),%rbx\n\n\tleaq\t(%rsi),%rsp\n\nL$epilogue:\n\tret\n\n\n.globl\t_sha1_block_data_order_hw\n.private_extern _sha1_block_data_order_hw\n\n.p2align\t5\n_sha1_block_data_order_hw:\n\n_CET_ENDBR\n\tmovdqu\t(%rdi),%xmm0\n\tmovd\t16(%rdi),%xmm1\n\tmovdqa\tK_XX_XX+160(%rip),%xmm3\n\n\tmovdqu\t(%rsi),%xmm4\n\tpshufd\t$27,%xmm0,%xmm0\n\tmovdqu\t16(%rsi),%xmm5\n\tpshufd\t$27,%xmm1,%xmm1\n\tmovdqu\t32(%rsi),%xmm6\n.byte\t102,15,56,0,227\n\tmovdqu\t48(%rsi),%xmm7\n.byte\t102,15,56,0,235\n.byte\t102,15,56,0,243\n\tmovdqa\t%xmm1,%xmm9\n.byte\t102,15,56,0,251\n\tjmp\tL$oop_shaext\n\n.p2align\t4\nL$oop_shaext:\n\tdecq\t%rdx\n\tleaq\t64(%rsi),%r8\n\tpaddd\t%xmm4,%xmm1\n\tcmovneq\t%r8,%rsi\n\tprefetcht0\t512(%rsi)\n\tmovdqa\t%xmm0,%xmm8\n.byte\t15,56,201,229\n\tmovdqa\t%xmm0,%xmm2\n.byte\t15,58,204,193,0\n.byte\t15,56,200,213\n\tpxor\t%xmm6,%xmm4\n.byte\t15,56,201,238\n.byte\t15,56,202,231\n\n\tmovdqa\t%xmm0,%xmm1\n.byte\t15,58,204,194,0\n.byte\t15,56,200,206\n\tpxor\t%xmm7,%xmm5\n.byte\t15,56,202,236\n.byte\t15,56,201,247\n\tmovdqa\t%xmm0,%xmm2\n.byte\t15,58,204,193,0\n.byte\t15,56,200,215\n\tpxor\t%xmm4,%xmm6\n.byte\t15,56,201,252\n.byte\t15,56,202,245\n\n\tmovdqa\t%xmm0,%xmm1\n.byte\t15,58,204,194,0\n.byte\t15,56,200,204\n\tpxor\t%xmm5,%xmm7\n.byte\t15,56,202,254\n.byte\t15,56,201,229\n\tmovdqa\t%xmm0,%xmm2\n.byte\t15,58,204,193,0\n.byte\t15,56,200,213\n\tpxor\t%xmm6,%xmm4\n.byte\t15,56,201,238\n.byte\t15,56,202,231\n\n\tmovdqa\t%xmm0,%xmm1\n.byte\t15,58,204,194,1\n.byte\t15,56,200,206\n\tpxor\t%xmm7,%xmm5\n.byte\t15,56,202,236\n.byte\t15,56,201,247\n\tmovdqa\t%xmm0,%xmm2\n.byte\t15,58,204,193,1\n.byte\t15,56,200,215\n\tpxor\t%xmm4,%xmm6\n.byte\t15,56,201,252\n.byte\t15,56,202,245\n\n\tmovdqa\t%xmm0,%xmm1\n.byte\t15,58,204,194,1\n.byte\t15,56,200,204\n\tpxor\t%xmm5,%xmm7\n.byte\t15,56,202,254\n.byte\t15,56,201,229\n\tmovdqa\t%xmm0,%xmm2\n.byte\t15,58,204,193,1\n.byte\t15,56,200,213\n\tpxor\t%xmm6,%xmm4\n.byte\t15,56,201,238\n.byte\t15,56,202,231\n\n\tmovdqa\t%xmm0,%xmm1\n.byte\t15,58,204,194,1\n.byte\t15,56,200,206\n\tpxor\t%xmm7,%xmm5\n.byte\t15,56,202,236\n.byte\t15,56,201,247\n\tmovdqa\t%xmm0,%xmm2\n.byte\t15,58,204,193,2\n.byte\t15,56,200,215\n\tpxor\t%xmm4,%xmm6\n.byte\t15,56,201,252\n.byte\t15,56,202,245\n\n\tmovdqa\t%xmm0,%xmm1\n.byte\t15,58,204,194,2\n.byte\t15,56,200,204\n\tpxor\t%xmm5,%xmm7\n.byte\t15,56,202,254\n.byte\t15,56,201,229\n\tmovdqa\t%xmm0,%xmm2\n.byte\t15,58,204,193,2\n.byte\t15,56,200,213\n\tpxor\t%xmm6,%xmm4\n.byte\t15,56,201,238\n.byte\t15,56,202,231\n\n\tmovdqa\t%xmm0,%xmm1\n.byte\t15,58,204,194,2\n.byte\t15,56,200,206\n\tpxor\t%xmm7,%xmm5\n.byte\t15,56,202,236\n.byte\t15,56,201,247\n\tmovdqa\t%xmm0,%xmm2\n.byte\t15,58,204,193,2\n.byte\t15,56,200,215\n\tpxor\t%xmm4,%xmm6\n.byte\t15,56,201,252\n.byte\t15,56,202,245\n\n\tmovdqa\t%xmm0,%xmm1\n.byte\t15,58,204,194,3\n.byte\t15,56,200,204\n\tpxor\t%xmm5,%xmm7\n.byte\t15,56,202,254\n\tmovdqu\t(%rsi),%xmm4\n\tmovdqa\t%xmm0,%xmm2\n.byte\t15,58,204,193,3\n.byte\t15,56,200,213\n\tmovdqu\t16(%rsi),%xmm5\n.byte\t102,15,56,0,227\n\n\tmovdqa\t%xmm0,%xmm1\n.byte\t15,58,204,194,3\n.byte\t15,56,200,206\n\tmovdqu\t32(%rsi),%xmm6\n.byte\t102,15,56,0,235\n\n\tmovdqa\t%xmm0,%xmm2\n.byte\t15,58,204,193,3\n.byte\t15,56,200,215\n\tmovdqu\t48(%rsi),%xmm7\n.byte\t102,15,56,0,243\n\n\tmovdqa\t%xmm0,%xmm1\n.byte\t15,58,204,194,3\n.byte\t65,15,56,200,201\n.byte\t102,15,56,0,251\n\n\tpaddd\t%xmm8,%xmm0\n\tmovdqa\t%xmm1,%xmm9\n\n\tjnz\tL$oop_shaext\n\n\tpshufd\t$27,%xmm0,%xmm0\n\tpshufd\t$27,%xmm1,%xmm1\n\tmovdqu\t%xmm0,(%rdi)\n\tmovd\t%xmm1,16(%rdi)\n\tret\n\n\n.globl\t_sha1_block_data_order_ssse3\n.private_extern _sha1_block_data_order_ssse3\n\n.p2align\t4\n_sha1_block_data_order_ssse3:\n\n_CET_ENDBR\n\tmovq\t%rsp,%r11\n\n\tpushq\t%rbx\n\n\tpushq\t%rbp\n\n\tpushq\t%r12\n\n\tpushq\t%r13\n\n\tpushq\t%r14\n\n\tleaq\t-64(%rsp),%rsp\n\tandq\t$-64,%rsp\n\tmovq\t%rdi,%r8\n\tmovq\t%rsi,%r9\n\tmovq\t%rdx,%r10\n\n\tshlq\t$6,%r10\n\taddq\t%r9,%r10\n\tleaq\tK_XX_XX+64(%rip),%r14\n\n\tmovl\t0(%r8),%eax\n\tmovl\t4(%r8),%ebx\n\tmovl\t8(%r8),%ecx\n\tmovl\t12(%r8),%edx\n\tmovl\t%ebx,%esi\n\tmovl\t16(%r8),%ebp\n\tmovl\t%ecx,%edi\n\txorl\t%edx,%edi\n\tandl\t%edi,%esi\n\n\tmovdqa\t64(%r14),%xmm6\n\tmovdqa\t-64(%r14),%xmm9\n\tmovdqu\t0(%r9),%xmm0\n\tmovdqu\t16(%r9),%xmm1\n\tmovdqu\t32(%r9),%xmm2\n\tmovdqu\t48(%r9),%xmm3\n.byte\t102,15,56,0,198\n.byte\t102,15,56,0,206\n.byte\t102,15,56,0,214\n\taddq\t$64,%r9\n\tpaddd\t%xmm9,%xmm0\n.byte\t102,15,56,0,222\n\tpaddd\t%xmm9,%xmm1\n\tpaddd\t%xmm9,%xmm2\n\tmovdqa\t%xmm0,0(%rsp)\n\tpsubd\t%xmm9,%xmm0\n\tmovdqa\t%xmm1,16(%rsp)\n\tpsubd\t%xmm9,%xmm1\n\tmovdqa\t%xmm2,32(%rsp)\n\tpsubd\t%xmm9,%xmm2\n\tjmp\tL$oop_ssse3\n.p2align\t4\nL$oop_ssse3:\n\trorl\t$2,%ebx\n\tpshufd\t$238,%xmm0,%xmm4\n\txorl\t%edx,%esi\n\tmovdqa\t%xmm3,%xmm8\n\tpaddd\t%xmm3,%xmm9\n\tmovl\t%eax,%edi\n\taddl\t0(%rsp),%ebp\n\tpunpcklqdq\t%xmm1,%xmm4\n\txorl\t%ecx,%ebx\n\troll\t$5,%eax\n\taddl\t%esi,%ebp\n\tpsrldq\t$4,%xmm8\n\tandl\t%ebx,%edi\n\txorl\t%ecx,%ebx\n\tpxor\t%xmm0,%xmm4\n\taddl\t%eax,%ebp\n\trorl\t$7,%eax\n\tpxor\t%xmm2,%xmm8\n\txorl\t%ecx,%edi\n\tmovl\t%ebp,%esi\n\taddl\t4(%rsp),%edx\n\tpxor\t%xmm8,%xmm4\n\txorl\t%ebx,%eax\n\troll\t$5,%ebp\n\tmovdqa\t%xmm9,48(%rsp)\n\taddl\t%edi,%edx\n\tandl\t%eax,%esi\n\tmovdqa\t%xmm4,%xmm10\n\txorl\t%ebx,%eax\n\taddl\t%ebp,%edx\n\trorl\t$7,%ebp\n\tmovdqa\t%xmm4,%xmm8\n\txorl\t%ebx,%esi\n\tpslldq\t$12,%xmm10\n\tpaddd\t%xmm4,%xmm4\n\tmovl\t%edx,%edi\n\taddl\t8(%rsp),%ecx\n\tpsrld\t$31,%xmm8\n\txorl\t%eax,%ebp\n\troll\t$5,%edx\n\taddl\t%esi,%ecx\n\tmovdqa\t%xmm10,%xmm9\n\tandl\t%ebp,%edi\n\txorl\t%eax,%ebp\n\tpsrld\t$30,%xmm10\n\taddl\t%edx,%ecx\n\trorl\t$7,%edx\n\tpor\t%xmm8,%xmm4\n\txorl\t%eax,%edi\n\tmovl\t%ecx,%esi\n\taddl\t12(%rsp),%ebx\n\tpslld\t$2,%xmm9\n\tpxor\t%xmm10,%xmm4\n\txorl\t%ebp,%edx\n\tmovdqa\t-64(%r14),%xmm10\n\troll\t$5,%ecx\n\taddl\t%edi,%ebx\n\tandl\t%edx,%esi\n\tpxor\t%xmm9,%xmm4\n\txorl\t%ebp,%edx\n\taddl\t%ecx,%ebx\n\trorl\t$7,%ecx\n\tpshufd\t$238,%xmm1,%xmm5\n\txorl\t%ebp,%esi\n\tmovdqa\t%xmm4,%xmm9\n\tpaddd\t%xmm4,%xmm10\n\tmovl\t%ebx,%edi\n\taddl\t16(%rsp),%eax\n\tpunpcklqdq\t%xmm2,%xmm5\n\txorl\t%edx,%ecx\n\troll\t$5,%ebx\n\taddl\t%esi,%eax\n\tpsrldq\t$4,%xmm9\n\tandl\t%ecx,%edi\n\txorl\t%edx,%ecx\n\tpxor\t%xmm1,%xmm5\n\taddl\t%ebx,%eax\n\trorl\t$7,%ebx\n\tpxor\t%xmm3,%xmm9\n\txorl\t%edx,%edi\n\tmovl\t%eax,%esi\n\taddl\t20(%rsp),%ebp\n\tpxor\t%xmm9,%xmm5\n\txorl\t%ecx,%ebx\n\troll\t$5,%eax\n\tmovdqa\t%xmm10,0(%rsp)\n\taddl\t%edi,%ebp\n\tandl\t%ebx,%esi\n\tmovdqa\t%xmm5,%xmm8\n\txorl\t%ecx,%ebx\n\taddl\t%eax,%ebp\n\trorl\t$7,%eax\n\tmovdqa\t%xmm5,%xmm9\n\txorl\t%ecx,%esi\n\tpslldq\t$12,%xmm8\n\tpaddd\t%xmm5,%xmm5\n\tmovl\t%ebp,%edi\n\taddl\t24(%rsp),%edx\n\tpsrld\t$31,%xmm9\n\txorl\t%ebx,%eax\n\troll\t$5,%ebp\n\taddl\t%esi,%edx\n\tmovdqa\t%xmm8,%xmm10\n\tandl\t%eax,%edi\n\txorl\t%ebx,%eax\n\tpsrld\t$30,%xmm8\n\taddl\t%ebp,%edx\n\trorl\t$7,%ebp\n\tpor\t%xmm9,%xmm5\n\txorl\t%ebx,%edi\n\tmovl\t%edx,%esi\n\taddl\t28(%rsp),%ecx\n\tpslld\t$2,%xmm10\n\tpxor\t%xmm8,%xmm5\n\txorl\t%eax,%ebp\n\tmovdqa\t-32(%r14),%xmm8\n\troll\t$5,%edx\n\taddl\t%edi,%ecx\n\tandl\t%ebp,%esi\n\tpxor\t%xmm10,%xmm5\n\txorl\t%eax,%ebp\n\taddl\t%edx,%ecx\n\trorl\t$7,%edx\n\tpshufd\t$238,%xmm2,%xmm6\n\txorl\t%eax,%esi\n\tmovdqa\t%xmm5,%xmm10\n\tpaddd\t%xmm5,%xmm8\n\tmovl\t%ecx,%edi\n\taddl\t32(%rsp),%ebx\n\tpunpcklqdq\t%xmm3,%xmm6\n\txorl\t%ebp,%edx\n\troll\t$5,%ecx\n\taddl\t%esi,%ebx\n\tpsrldq\t$4,%xmm10\n\tandl\t%edx,%edi\n\txorl\t%ebp,%edx\n\tpxor\t%xmm2,%xmm6\n\taddl\t%ecx,%ebx\n\trorl\t$7,%ecx\n\tpxor\t%xmm4,%xmm10\n\txorl\t%ebp,%edi\n\tmovl\t%ebx,%esi\n\taddl\t36(%rsp),%eax\n\tpxor\t%xmm10,%xmm6\n\txorl\t%edx,%ecx\n\troll\t$5,%ebx\n\tmovdqa\t%xmm8,16(%rsp)\n\taddl\t%edi,%eax\n\tandl\t%ecx,%esi\n\tmovdqa\t%xmm6,%xmm9\n\txorl\t%edx,%ecx\n\taddl\t%ebx,%eax\n\trorl\t$7,%ebx\n\tmovdqa\t%xmm6,%xmm10\n\txorl\t%edx,%esi\n\tpslldq\t$12,%xmm9\n\tpaddd\t%xmm6,%xmm6\n\tmovl\t%eax,%edi\n\taddl\t40(%rsp),%ebp\n\tpsrld\t$31,%xmm10\n\txorl\t%ecx,%ebx\n\troll\t$5,%eax\n\taddl\t%esi,%ebp\n\tmovdqa\t%xmm9,%xmm8\n\tandl\t%ebx,%edi\n\txorl\t%ecx,%ebx\n\tpsrld\t$30,%xmm9\n\taddl\t%eax,%ebp\n\trorl\t$7,%eax\n\tpor\t%xmm10,%xmm6\n\txorl\t%ecx,%edi\n\tmovl\t%ebp,%esi\n\taddl\t44(%rsp),%edx\n\tpslld\t$2,%xmm8\n\tpxor\t%xmm9,%xmm6\n\txorl\t%ebx,%eax\n\tmovdqa\t-32(%r14),%xmm9\n\troll\t$5,%ebp\n\taddl\t%edi,%edx\n\tandl\t%eax,%esi\n\tpxor\t%xmm8,%xmm6\n\txorl\t%ebx,%eax\n\taddl\t%ebp,%edx\n\trorl\t$7,%ebp\n\tpshufd\t$238,%xmm3,%xmm7\n\txorl\t%ebx,%esi\n\tmovdqa\t%xmm6,%xmm8\n\tpaddd\t%xmm6,%xmm9\n\tmovl\t%edx,%edi\n\taddl\t48(%rsp),%ecx\n\tpunpcklqdq\t%xmm4,%xmm7\n\txorl\t%eax,%ebp\n\troll\t$5,%edx\n\taddl\t%esi,%ecx\n\tpsrldq\t$4,%xmm8\n\tandl\t%ebp,%edi\n\txorl\t%eax,%ebp\n\tpxor\t%xmm3,%xmm7\n\taddl\t%edx,%ecx\n\trorl\t$7,%edx\n\tpxor\t%xmm5,%xmm8\n\txorl\t%eax,%edi\n\tmovl\t%ecx,%esi\n\taddl\t52(%rsp),%ebx\n\tpxor\t%xmm8,%xmm7\n\txorl\t%ebp,%edx\n\troll\t$5,%ecx\n\tmovdqa\t%xmm9,32(%rsp)\n\taddl\t%edi,%ebx\n\tandl\t%edx,%esi\n\tmovdqa\t%xmm7,%xmm10\n\txorl\t%ebp,%edx\n\taddl\t%ecx,%ebx\n\trorl\t$7,%ecx\n\tmovdqa\t%xmm7,%xmm8\n\txorl\t%ebp,%esi\n\tpslldq\t$12,%xmm10\n\tpaddd\t%xmm7,%xmm7\n\tmovl\t%ebx,%edi\n\taddl\t56(%rsp),%eax\n\tpsrld\t$31,%xmm8\n\txorl\t%edx,%ecx\n\troll\t$5,%ebx\n\taddl\t%esi,%eax\n\tmovdqa\t%xmm10,%xmm9\n\tandl\t%ecx,%edi\n\txorl\t%edx,%ecx\n\tpsrld\t$30,%xmm10\n\taddl\t%ebx,%eax\n\trorl\t$7,%ebx\n\tpor\t%xmm8,%xmm7\n\txorl\t%edx,%edi\n\tmovl\t%eax,%esi\n\taddl\t60(%rsp),%ebp\n\tpslld\t$2,%xmm9\n\tpxor\t%xmm10,%xmm7\n\txorl\t%ecx,%ebx\n\tmovdqa\t-32(%r14),%xmm10\n\troll\t$5,%eax\n\taddl\t%edi,%ebp\n\tandl\t%ebx,%esi\n\tpxor\t%xmm9,%xmm7\n\tpshufd\t$238,%xmm6,%xmm9\n\txorl\t%ecx,%ebx\n\taddl\t%eax,%ebp\n\trorl\t$7,%eax\n\tpxor\t%xmm4,%xmm0\n\txorl\t%ecx,%esi\n\tmovl\t%ebp,%edi\n\taddl\t0(%rsp),%edx\n\tpunpcklqdq\t%xmm7,%xmm9\n\txorl\t%ebx,%eax\n\troll\t$5,%ebp\n\tpxor\t%xmm1,%xmm0\n\taddl\t%esi,%edx\n\tandl\t%eax,%edi\n\tmovdqa\t%xmm10,%xmm8\n\txorl\t%ebx,%eax\n\tpaddd\t%xmm7,%xmm10\n\taddl\t%ebp,%edx\n\tpxor\t%xmm9,%xmm0\n\trorl\t$7,%ebp\n\txorl\t%ebx,%edi\n\tmovl\t%edx,%esi\n\taddl\t4(%rsp),%ecx\n\tmovdqa\t%xmm0,%xmm9\n\txorl\t%eax,%ebp\n\troll\t$5,%edx\n\tmovdqa\t%xmm10,48(%rsp)\n\taddl\t%edi,%ecx\n\tandl\t%ebp,%esi\n\txorl\t%eax,%ebp\n\tpslld\t$2,%xmm0\n\taddl\t%edx,%ecx\n\trorl\t$7,%edx\n\tpsrld\t$30,%xmm9\n\txorl\t%eax,%esi\n\tmovl\t%ecx,%edi\n\taddl\t8(%rsp),%ebx\n\tpor\t%xmm9,%xmm0\n\txorl\t%ebp,%edx\n\troll\t$5,%ecx\n\tpshufd\t$238,%xmm7,%xmm10\n\taddl\t%esi,%ebx\n\tandl\t%edx,%edi\n\txorl\t%ebp,%edx\n\taddl\t%ecx,%ebx\n\taddl\t12(%rsp),%eax\n\txorl\t%ebp,%edi\n\tmovl\t%ebx,%esi\n\troll\t$5,%ebx\n\taddl\t%edi,%eax\n\txorl\t%edx,%esi\n\trorl\t$7,%ecx\n\taddl\t%ebx,%eax\n\tpxor\t%xmm5,%xmm1\n\taddl\t16(%rsp),%ebp\n\txorl\t%ecx,%esi\n\tpunpcklqdq\t%xmm0,%xmm10\n\tmovl\t%eax,%edi\n\troll\t$5,%eax\n\tpxor\t%xmm2,%xmm1\n\taddl\t%esi,%ebp\n\txorl\t%ecx,%edi\n\tmovdqa\t%xmm8,%xmm9\n\trorl\t$7,%ebx\n\tpaddd\t%xmm0,%xmm8\n\taddl\t%eax,%ebp\n\tpxor\t%xmm10,%xmm1\n\taddl\t20(%rsp),%edx\n\txorl\t%ebx,%edi\n\tmovl\t%ebp,%esi\n\troll\t$5,%ebp\n\tmovdqa\t%xmm1,%xmm10\n\taddl\t%edi,%edx\n\txorl\t%ebx,%esi\n\tmovdqa\t%xmm8,0(%rsp)\n\trorl\t$7,%eax\n\taddl\t%ebp,%edx\n\taddl\t24(%rsp),%ecx\n\tpslld\t$2,%xmm1\n\txorl\t%eax,%esi\n\tmovl\t%edx,%edi\n\tpsrld\t$30,%xmm10\n\troll\t$5,%edx\n\taddl\t%esi,%ecx\n\txorl\t%eax,%edi\n\trorl\t$7,%ebp\n\tpor\t%xmm10,%xmm1\n\taddl\t%edx,%ecx\n\taddl\t28(%rsp),%ebx\n\tpshufd\t$238,%xmm0,%xmm8\n\txorl\t%ebp,%edi\n\tmovl\t%ecx,%esi\n\troll\t$5,%ecx\n\taddl\t%edi,%ebx\n\txorl\t%ebp,%esi\n\trorl\t$7,%edx\n\taddl\t%ecx,%ebx\n\tpxor\t%xmm6,%xmm2\n\taddl\t32(%rsp),%eax\n\txorl\t%edx,%esi\n\tpunpcklqdq\t%xmm1,%xmm8\n\tmovl\t%ebx,%edi\n\troll\t$5,%ebx\n\tpxor\t%xmm3,%xmm2\n\taddl\t%esi,%eax\n\txorl\t%edx,%edi\n\tmovdqa\t0(%r14),%xmm10\n\trorl\t$7,%ecx\n\tpaddd\t%xmm1,%xmm9\n\taddl\t%ebx,%eax\n\tpxor\t%xmm8,%xmm2\n\taddl\t36(%rsp),%ebp\n\txorl\t%ecx,%edi\n\tmovl\t%eax,%esi\n\troll\t$5,%eax\n\tmovdqa\t%xmm2,%xmm8\n\taddl\t%edi,%ebp\n\txorl\t%ecx,%esi\n\tmovdqa\t%xmm9,16(%rsp)\n\trorl\t$7,%ebx\n\taddl\t%eax,%ebp\n\taddl\t40(%rsp),%edx\n\tpslld\t$2,%xmm2\n\txorl\t%ebx,%esi\n\tmovl\t%ebp,%edi\n\tpsrld\t$30,%xmm8\n\troll\t$5,%ebp\n\taddl\t%esi,%edx\n\txorl\t%ebx,%edi\n\trorl\t$7,%eax\n\tpor\t%xmm8,%xmm2\n\taddl\t%ebp,%edx\n\taddl\t44(%rsp),%ecx\n\tpshufd\t$238,%xmm1,%xmm9\n\txorl\t%eax,%edi\n\tmovl\t%edx,%esi\n\troll\t$5,%edx\n\taddl\t%edi,%ecx\n\txorl\t%eax,%esi\n\trorl\t$7,%ebp\n\taddl\t%edx,%ecx\n\tpxor\t%xmm7,%xmm3\n\taddl\t48(%rsp),%ebx\n\txorl\t%ebp,%esi\n\tpunpcklqdq\t%xmm2,%xmm9\n\tmovl\t%ecx,%edi\n\troll\t$5,%ecx\n\tpxor\t%xmm4,%xmm3\n\taddl\t%esi,%ebx\n\txorl\t%ebp,%edi\n\tmovdqa\t%xmm10,%xmm8\n\trorl\t$7,%edx\n\tpaddd\t%xmm2,%xmm10\n\taddl\t%ecx,%ebx\n\tpxor\t%xmm9,%xmm3\n\taddl\t52(%rsp),%eax\n\txorl\t%edx,%edi\n\tmovl\t%ebx,%esi\n\troll\t$5,%ebx\n\tmovdqa\t%xmm3,%xmm9\n\taddl\t%edi,%eax\n\txorl\t%edx,%esi\n\tmovdqa\t%xmm10,32(%rsp)\n\trorl\t$7,%ecx\n\taddl\t%ebx,%eax\n\taddl\t56(%rsp),%ebp\n\tpslld\t$2,%xmm3\n\txorl\t%ecx,%esi\n\tmovl\t%eax,%edi\n\tpsrld\t$30,%xmm9\n\troll\t$5,%eax\n\taddl\t%esi,%ebp\n\txorl\t%ecx,%edi\n\trorl\t$7,%ebx\n\tpor\t%xmm9,%xmm3\n\taddl\t%eax,%ebp\n\taddl\t60(%rsp),%edx\n\tpshufd\t$238,%xmm2,%xmm10\n\txorl\t%ebx,%edi\n\tmovl\t%ebp,%esi\n\troll\t$5,%ebp\n\taddl\t%edi,%edx\n\txorl\t%ebx,%esi\n\trorl\t$7,%eax\n\taddl\t%ebp,%edx\n\tpxor\t%xmm0,%xmm4\n\taddl\t0(%rsp),%ecx\n\txorl\t%eax,%esi\n\tpunpcklqdq\t%xmm3,%xmm10\n\tmovl\t%edx,%edi\n\troll\t$5,%edx\n\tpxor\t%xmm5,%xmm4\n\taddl\t%esi,%ecx\n\txorl\t%eax,%edi\n\tmovdqa\t%xmm8,%xmm9\n\trorl\t$7,%ebp\n\tpaddd\t%xmm3,%xmm8\n\taddl\t%edx,%ecx\n\tpxor\t%xmm10,%xmm4\n\taddl\t4(%rsp),%ebx\n\txorl\t%ebp,%edi\n\tmovl\t%ecx,%esi\n\troll\t$5,%ecx\n\tmovdqa\t%xmm4,%xmm10\n\taddl\t%edi,%ebx\n\txorl\t%ebp,%esi\n\tmovdqa\t%xmm8,48(%rsp)\n\trorl\t$7,%edx\n\taddl\t%ecx,%ebx\n\taddl\t8(%rsp),%eax\n\tpslld\t$2,%xmm4\n\txorl\t%edx,%esi\n\tmovl\t%ebx,%edi\n\tpsrld\t$30,%xmm10\n\troll\t$5,%ebx\n\taddl\t%esi,%eax\n\txorl\t%edx,%edi\n\trorl\t$7,%ecx\n\tpor\t%xmm10,%xmm4\n\taddl\t%ebx,%eax\n\taddl\t12(%rsp),%ebp\n\tpshufd\t$238,%xmm3,%xmm8\n\txorl\t%ecx,%edi\n\tmovl\t%eax,%esi\n\troll\t$5,%eax\n\taddl\t%edi,%ebp\n\txorl\t%ecx,%esi\n\trorl\t$7,%ebx\n\taddl\t%eax,%ebp\n\tpxor\t%xmm1,%xmm5\n\taddl\t16(%rsp),%edx\n\txorl\t%ebx,%esi\n\tpunpcklqdq\t%xmm4,%xmm8\n\tmovl\t%ebp,%edi\n\troll\t$5,%ebp\n\tpxor\t%xmm6,%xmm5\n\taddl\t%esi,%edx\n\txorl\t%ebx,%edi\n\tmovdqa\t%xmm9,%xmm10\n\trorl\t$7,%eax\n\tpaddd\t%xmm4,%xmm9\n\taddl\t%ebp,%edx\n\tpxor\t%xmm8,%xmm5\n\taddl\t20(%rsp),%ecx\n\txorl\t%eax,%edi\n\tmovl\t%edx,%esi\n\troll\t$5,%edx\n\tmovdqa\t%xmm5,%xmm8\n\taddl\t%edi,%ecx\n\txorl\t%eax,%esi\n\tmovdqa\t%xmm9,0(%rsp)\n\trorl\t$7,%ebp\n\taddl\t%edx,%ecx\n\taddl\t24(%rsp),%ebx\n\tpslld\t$2,%xmm5\n\txorl\t%ebp,%esi\n\tmovl\t%ecx,%edi\n\tpsrld\t$30,%xmm8\n\troll\t$5,%ecx\n\taddl\t%esi,%ebx\n\txorl\t%ebp,%edi\n\trorl\t$7,%edx\n\tpor\t%xmm8,%xmm5\n\taddl\t%ecx,%ebx\n\taddl\t28(%rsp),%eax\n\tpshufd\t$238,%xmm4,%xmm9\n\trorl\t$7,%ecx\n\tmovl\t%ebx,%esi\n\txorl\t%edx,%edi\n\troll\t$5,%ebx\n\taddl\t%edi,%eax\n\txorl\t%ecx,%esi\n\txorl\t%edx,%ecx\n\taddl\t%ebx,%eax\n\tpxor\t%xmm2,%xmm6\n\taddl\t32(%rsp),%ebp\n\tandl\t%ecx,%esi\n\txorl\t%edx,%ecx\n\trorl\t$7,%ebx\n\tpunpcklqdq\t%xmm5,%xmm9\n\tmovl\t%eax,%edi\n\txorl\t%ecx,%esi\n\tpxor\t%xmm7,%xmm6\n\troll\t$5,%eax\n\taddl\t%esi,%ebp\n\tmovdqa\t%xmm10,%xmm8\n\txorl\t%ebx,%edi\n\tpaddd\t%xmm5,%xmm10\n\txorl\t%ecx,%ebx\n\tpxor\t%xmm9,%xmm6\n\taddl\t%eax,%ebp\n\taddl\t36(%rsp),%edx\n\tandl\t%ebx,%edi\n\txorl\t%ecx,%ebx\n\trorl\t$7,%eax\n\tmovdqa\t%xmm6,%xmm9\n\tmovl\t%ebp,%esi\n\txorl\t%ebx,%edi\n\tmovdqa\t%xmm10,16(%rsp)\n\troll\t$5,%ebp\n\taddl\t%edi,%edx\n\txorl\t%eax,%esi\n\tpslld\t$2,%xmm6\n\txorl\t%ebx,%eax\n\taddl\t%ebp,%edx\n\tpsrld\t$30,%xmm9\n\taddl\t40(%rsp),%ecx\n\tandl\t%eax,%esi\n\txorl\t%ebx,%eax\n\tpor\t%xmm9,%xmm6\n\trorl\t$7,%ebp\n\tmovl\t%edx,%edi\n\txorl\t%eax,%esi\n\troll\t$5,%edx\n\tpshufd\t$238,%xmm5,%xmm10\n\taddl\t%esi,%ecx\n\txorl\t%ebp,%edi\n\txorl\t%eax,%ebp\n\taddl\t%edx,%ecx\n\taddl\t44(%rsp),%ebx\n\tandl\t%ebp,%edi\n\txorl\t%eax,%ebp\n\trorl\t$7,%edx\n\tmovl\t%ecx,%esi\n\txorl\t%ebp,%edi\n\troll\t$5,%ecx\n\taddl\t%edi,%ebx\n\txorl\t%edx,%esi\n\txorl\t%ebp,%edx\n\taddl\t%ecx,%ebx\n\tpxor\t%xmm3,%xmm7\n\taddl\t48(%rsp),%eax\n\tandl\t%edx,%esi\n\txorl\t%ebp,%edx\n\trorl\t$7,%ecx\n\tpunpcklqdq\t%xmm6,%xmm10\n\tmovl\t%ebx,%edi\n\txorl\t%edx,%esi\n\tpxor\t%xmm0,%xmm7\n\troll\t$5,%ebx\n\taddl\t%esi,%eax\n\tmovdqa\t32(%r14),%xmm9\n\txorl\t%ecx,%edi\n\tpaddd\t%xmm6,%xmm8\n\txorl\t%edx,%ecx\n\tpxor\t%xmm10,%xmm7\n\taddl\t%ebx,%eax\n\taddl\t52(%rsp),%ebp\n\tandl\t%ecx,%edi\n\txorl\t%edx,%ecx\n\trorl\t$7,%ebx\n\tmovdqa\t%xmm7,%xmm10\n\tmovl\t%eax,%esi\n\txorl\t%ecx,%edi\n\tmovdqa\t%xmm8,32(%rsp)\n\troll\t$5,%eax\n\taddl\t%edi,%ebp\n\txorl\t%ebx,%esi\n\tpslld\t$2,%xmm7\n\txorl\t%ecx,%ebx\n\taddl\t%eax,%ebp\n\tpsrld\t$30,%xmm10\n\taddl\t56(%rsp),%edx\n\tandl\t%ebx,%esi\n\txorl\t%ecx,%ebx\n\tpor\t%xmm10,%xmm7\n\trorl\t$7,%eax\n\tmovl\t%ebp,%edi\n\txorl\t%ebx,%esi\n\troll\t$5,%ebp\n\tpshufd\t$238,%xmm6,%xmm8\n\taddl\t%esi,%edx\n\txorl\t%eax,%edi\n\txorl\t%ebx,%eax\n\taddl\t%ebp,%edx\n\taddl\t60(%rsp),%ecx\n\tandl\t%eax,%edi\n\txorl\t%ebx,%eax\n\trorl\t$7,%ebp\n\tmovl\t%edx,%esi\n\txorl\t%eax,%edi\n\troll\t$5,%edx\n\taddl\t%edi,%ecx\n\txorl\t%ebp,%esi\n\txorl\t%eax,%ebp\n\taddl\t%edx,%ecx\n\tpxor\t%xmm4,%xmm0\n\taddl\t0(%rsp),%ebx\n\tandl\t%ebp,%esi\n\txorl\t%eax,%ebp\n\trorl\t$7,%edx\n\tpunpcklqdq\t%xmm7,%xmm8\n\tmovl\t%ecx,%edi\n\txorl\t%ebp,%esi\n\tpxor\t%xmm1,%xmm0\n\troll\t$5,%ecx\n\taddl\t%esi,%ebx\n\tmovdqa\t%xmm9,%xmm10\n\txorl\t%edx,%edi\n\tpaddd\t%xmm7,%xmm9\n\txorl\t%ebp,%edx\n\tpxor\t%xmm8,%xmm0\n\taddl\t%ecx,%ebx\n\taddl\t4(%rsp),%eax\n\tandl\t%edx,%edi\n\txorl\t%ebp,%edx\n\trorl\t$7,%ecx\n\tmovdqa\t%xmm0,%xmm8\n\tmovl\t%ebx,%esi\n\txorl\t%edx,%edi\n\tmovdqa\t%xmm9,48(%rsp)\n\troll\t$5,%ebx\n\taddl\t%edi,%eax\n\txorl\t%ecx,%esi\n\tpslld\t$2,%xmm0\n\txorl\t%edx,%ecx\n\taddl\t%ebx,%eax\n\tpsrld\t$30,%xmm8\n\taddl\t8(%rsp),%ebp\n\tandl\t%ecx,%esi\n\txorl\t%edx,%ecx\n\tpor\t%xmm8,%xmm0\n\trorl\t$7,%ebx\n\tmovl\t%eax,%edi\n\txorl\t%ecx,%esi\n\troll\t$5,%eax\n\tpshufd\t$238,%xmm7,%xmm9\n\taddl\t%esi,%ebp\n\txorl\t%ebx,%edi\n\txorl\t%ecx,%ebx\n\taddl\t%eax,%ebp\n\taddl\t12(%rsp),%edx\n\tandl\t%ebx,%edi\n\txorl\t%ecx,%ebx\n\trorl\t$7,%eax\n\tmovl\t%ebp,%esi\n\txorl\t%ebx,%edi\n\troll\t$5,%ebp\n\taddl\t%edi,%edx\n\txorl\t%eax,%esi\n\txorl\t%ebx,%eax\n\taddl\t%ebp,%edx\n\tpxor\t%xmm5,%xmm1\n\taddl\t16(%rsp),%ecx\n\tandl\t%eax,%esi\n\txorl\t%ebx,%eax\n\trorl\t$7,%ebp\n\tpunpcklqdq\t%xmm0,%xmm9\n\tmovl\t%edx,%edi\n\txorl\t%eax,%esi\n\tpxor\t%xmm2,%xmm1\n\troll\t$5,%edx\n\taddl\t%esi,%ecx\n\tmovdqa\t%xmm10,%xmm8\n\txorl\t%ebp,%edi\n\tpaddd\t%xmm0,%xmm10\n\txorl\t%eax,%ebp\n\tpxor\t%xmm9,%xmm1\n\taddl\t%edx,%ecx\n\taddl\t20(%rsp),%ebx\n\tandl\t%ebp,%edi\n\txorl\t%eax,%ebp\n\trorl\t$7,%edx\n\tmovdqa\t%xmm1,%xmm9\n\tmovl\t%ecx,%esi\n\txorl\t%ebp,%edi\n\tmovdqa\t%xmm10,0(%rsp)\n\troll\t$5,%ecx\n\taddl\t%edi,%ebx\n\txorl\t%edx,%esi\n\tpslld\t$2,%xmm1\n\txorl\t%ebp,%edx\n\taddl\t%ecx,%ebx\n\tpsrld\t$30,%xmm9\n\taddl\t24(%rsp),%eax\n\tandl\t%edx,%esi\n\txorl\t%ebp,%edx\n\tpor\t%xmm9,%xmm1\n\trorl\t$7,%ecx\n\tmovl\t%ebx,%edi\n\txorl\t%edx,%esi\n\troll\t$5,%ebx\n\tpshufd\t$238,%xmm0,%xmm10\n\taddl\t%esi,%eax\n\txorl\t%ecx,%edi\n\txorl\t%edx,%ecx\n\taddl\t%ebx,%eax\n\taddl\t28(%rsp),%ebp\n\tandl\t%ecx,%edi\n\txorl\t%edx,%ecx\n\trorl\t$7,%ebx\n\tmovl\t%eax,%esi\n\txorl\t%ecx,%edi\n\troll\t$5,%eax\n\taddl\t%edi,%ebp\n\txorl\t%ebx,%esi\n\txorl\t%ecx,%ebx\n\taddl\t%eax,%ebp\n\tpxor\t%xmm6,%xmm2\n\taddl\t32(%rsp),%edx\n\tandl\t%ebx,%esi\n\txorl\t%ecx,%ebx\n\trorl\t$7,%eax\n\tpunpcklqdq\t%xmm1,%xmm10\n\tmovl\t%ebp,%edi\n\txorl\t%ebx,%esi\n\tpxor\t%xmm3,%xmm2\n\troll\t$5,%ebp\n\taddl\t%esi,%edx\n\tmovdqa\t%xmm8,%xmm9\n\txorl\t%eax,%edi\n\tpaddd\t%xmm1,%xmm8\n\txorl\t%ebx,%eax\n\tpxor\t%xmm10,%xmm2\n\taddl\t%ebp,%edx\n\taddl\t36(%rsp),%ecx\n\tandl\t%eax,%edi\n\txorl\t%ebx,%eax\n\trorl\t$7,%ebp\n\tmovdqa\t%xmm2,%xmm10\n\tmovl\t%edx,%esi\n\txorl\t%eax,%edi\n\tmovdqa\t%xmm8,16(%rsp)\n\troll\t$5,%edx\n\taddl\t%edi,%ecx\n\txorl\t%ebp,%esi\n\tpslld\t$2,%xmm2\n\txorl\t%eax,%ebp\n\taddl\t%edx,%ecx\n\tpsrld\t$30,%xmm10\n\taddl\t40(%rsp),%ebx\n\tandl\t%ebp,%esi\n\txorl\t%eax,%ebp\n\tpor\t%xmm10,%xmm2\n\trorl\t$7,%edx\n\tmovl\t%ecx,%edi\n\txorl\t%ebp,%esi\n\troll\t$5,%ecx\n\tpshufd\t$238,%xmm1,%xmm8\n\taddl\t%esi,%ebx\n\txorl\t%edx,%edi\n\txorl\t%ebp,%edx\n\taddl\t%ecx,%ebx\n\taddl\t44(%rsp),%eax\n\tandl\t%edx,%edi\n\txorl\t%ebp,%edx\n\trorl\t$7,%ecx\n\tmovl\t%ebx,%esi\n\txorl\t%edx,%edi\n\troll\t$5,%ebx\n\taddl\t%edi,%eax\n\txorl\t%edx,%esi\n\taddl\t%ebx,%eax\n\tpxor\t%xmm7,%xmm3\n\taddl\t48(%rsp),%ebp\n\txorl\t%ecx,%esi\n\tpunpcklqdq\t%xmm2,%xmm8\n\tmovl\t%eax,%edi\n\troll\t$5,%eax\n\tpxor\t%xmm4,%xmm3\n\taddl\t%esi,%ebp\n\txorl\t%ecx,%edi\n\tmovdqa\t%xmm9,%xmm10\n\trorl\t$7,%ebx\n\tpaddd\t%xmm2,%xmm9\n\taddl\t%eax,%ebp\n\tpxor\t%xmm8,%xmm3\n\taddl\t52(%rsp),%edx\n\txorl\t%ebx,%edi\n\tmovl\t%ebp,%esi\n\troll\t$5,%ebp\n\tmovdqa\t%xmm3,%xmm8\n\taddl\t%edi,%edx\n\txorl\t%ebx,%esi\n\tmovdqa\t%xmm9,32(%rsp)\n\trorl\t$7,%eax\n\taddl\t%ebp,%edx\n\taddl\t56(%rsp),%ecx\n\tpslld\t$2,%xmm3\n\txorl\t%eax,%esi\n\tmovl\t%edx,%edi\n\tpsrld\t$30,%xmm8\n\troll\t$5,%edx\n\taddl\t%esi,%ecx\n\txorl\t%eax,%edi\n\trorl\t$7,%ebp\n\tpor\t%xmm8,%xmm3\n\taddl\t%edx,%ecx\n\taddl\t60(%rsp),%ebx\n\txorl\t%ebp,%edi\n\tmovl\t%ecx,%esi\n\troll\t$5,%ecx\n\taddl\t%edi,%ebx\n\txorl\t%ebp,%esi\n\trorl\t$7,%edx\n\taddl\t%ecx,%ebx\n\taddl\t0(%rsp),%eax\n\txorl\t%edx,%esi\n\tmovl\t%ebx,%edi\n\troll\t$5,%ebx\n\tpaddd\t%xmm3,%xmm10\n\taddl\t%esi,%eax\n\txorl\t%edx,%edi\n\tmovdqa\t%xmm10,48(%rsp)\n\trorl\t$7,%ecx\n\taddl\t%ebx,%eax\n\taddl\t4(%rsp),%ebp\n\txorl\t%ecx,%edi\n\tmovl\t%eax,%esi\n\troll\t$5,%eax\n\taddl\t%edi,%ebp\n\txorl\t%ecx,%esi\n\trorl\t$7,%ebx\n\taddl\t%eax,%ebp\n\taddl\t8(%rsp),%edx\n\txorl\t%ebx,%esi\n\tmovl\t%ebp,%edi\n\troll\t$5,%ebp\n\taddl\t%esi,%edx\n\txorl\t%ebx,%edi\n\trorl\t$7,%eax\n\taddl\t%ebp,%edx\n\taddl\t12(%rsp),%ecx\n\txorl\t%eax,%edi\n\tmovl\t%edx,%esi\n\troll\t$5,%edx\n\taddl\t%edi,%ecx\n\txorl\t%eax,%esi\n\trorl\t$7,%ebp\n\taddl\t%edx,%ecx\n\tcmpq\t%r10,%r9\n\tje\tL$done_ssse3\n\tmovdqa\t64(%r14),%xmm6\n\tmovdqa\t-64(%r14),%xmm9\n\tmovdqu\t0(%r9),%xmm0\n\tmovdqu\t16(%r9),%xmm1\n\tmovdqu\t32(%r9),%xmm2\n\tmovdqu\t48(%r9),%xmm3\n.byte\t102,15,56,0,198\n\taddq\t$64,%r9\n\taddl\t16(%rsp),%ebx\n\txorl\t%ebp,%esi\n\tmovl\t%ecx,%edi\n.byte\t102,15,56,0,206\n\troll\t$5,%ecx\n\taddl\t%esi,%ebx\n\txorl\t%ebp,%edi\n\trorl\t$7,%edx\n\tpaddd\t%xmm9,%xmm0\n\taddl\t%ecx,%ebx\n\taddl\t20(%rsp),%eax\n\txorl\t%edx,%edi\n\tmovl\t%ebx,%esi\n\tmovdqa\t%xmm0,0(%rsp)\n\troll\t$5,%ebx\n\taddl\t%edi,%eax\n\txorl\t%edx,%esi\n\trorl\t$7,%ecx\n\tpsubd\t%xmm9,%xmm0\n\taddl\t%ebx,%eax\n\taddl\t24(%rsp),%ebp\n\txorl\t%ecx,%esi\n\tmovl\t%eax,%edi\n\troll\t$5,%eax\n\taddl\t%esi,%ebp\n\txorl\t%ecx,%edi\n\trorl\t$7,%ebx\n\taddl\t%eax,%ebp\n\taddl\t28(%rsp),%edx\n\txorl\t%ebx,%edi\n\tmovl\t%ebp,%esi\n\troll\t$5,%ebp\n\taddl\t%edi,%edx\n\txorl\t%ebx,%esi\n\trorl\t$7,%eax\n\taddl\t%ebp,%edx\n\taddl\t32(%rsp),%ecx\n\txorl\t%eax,%esi\n\tmovl\t%edx,%edi\n.byte\t102,15,56,0,214\n\troll\t$5,%edx\n\taddl\t%esi,%ecx\n\txorl\t%eax,%edi\n\trorl\t$7,%ebp\n\tpaddd\t%xmm9,%xmm1\n\taddl\t%edx,%ecx\n\taddl\t36(%rsp),%ebx\n\txorl\t%ebp,%edi\n\tmovl\t%ecx,%esi\n\tmovdqa\t%xmm1,16(%rsp)\n\troll\t$5,%ecx\n\taddl\t%edi,%ebx\n\txorl\t%ebp,%esi\n\trorl\t$7,%edx\n\tpsubd\t%xmm9,%xmm1\n\taddl\t%ecx,%ebx\n\taddl\t40(%rsp),%eax\n\txorl\t%edx,%esi\n\tmovl\t%ebx,%edi\n\troll\t$5,%ebx\n\taddl\t%esi,%eax\n\txorl\t%edx,%edi\n\trorl\t$7,%ecx\n\taddl\t%ebx,%eax\n\taddl\t44(%rsp),%ebp\n\txorl\t%ecx,%edi\n\tmovl\t%eax,%esi\n\troll\t$5,%eax\n\taddl\t%edi,%ebp\n\txorl\t%ecx,%esi\n\trorl\t$7,%ebx\n\taddl\t%eax,%ebp\n\taddl\t48(%rsp),%edx\n\txorl\t%ebx,%esi\n\tmovl\t%ebp,%edi\n.byte\t102,15,56,0,222\n\troll\t$5,%ebp\n\taddl\t%esi,%edx\n\txorl\t%ebx,%edi\n\trorl\t$7,%eax\n\tpaddd\t%xmm9,%xmm2\n\taddl\t%ebp,%edx\n\taddl\t52(%rsp),%ecx\n\txorl\t%eax,%edi\n\tmovl\t%edx,%esi\n\tmovdqa\t%xmm2,32(%rsp)\n\troll\t$5,%edx\n\taddl\t%edi,%ecx\n\txorl\t%eax,%esi\n\trorl\t$7,%ebp\n\tpsubd\t%xmm9,%xmm2\n\taddl\t%edx,%ecx\n\taddl\t56(%rsp),%ebx\n\txorl\t%ebp,%esi\n\tmovl\t%ecx,%edi\n\troll\t$5,%ecx\n\taddl\t%esi,%ebx\n\txorl\t%ebp,%edi\n\trorl\t$7,%edx\n\taddl\t%ecx,%ebx\n\taddl\t60(%rsp),%eax\n\txorl\t%edx,%edi\n\tmovl\t%ebx,%esi\n\troll\t$5,%ebx\n\taddl\t%edi,%eax\n\trorl\t$7,%ecx\n\taddl\t%ebx,%eax\n\taddl\t0(%r8),%eax\n\taddl\t4(%r8),%esi\n\taddl\t8(%r8),%ecx\n\taddl\t12(%r8),%edx\n\tmovl\t%eax,0(%r8)\n\taddl\t16(%r8),%ebp\n\tmovl\t%esi,4(%r8)\n\tmovl\t%esi,%ebx\n\tmovl\t%ecx,8(%r8)\n\tmovl\t%ecx,%edi\n\tmovl\t%edx,12(%r8)\n\txorl\t%edx,%edi\n\tmovl\t%ebp,16(%r8)\n\tandl\t%edi,%esi\n\tjmp\tL$oop_ssse3\n\n.p2align\t4\nL$done_ssse3:\n\taddl\t16(%rsp),%ebx\n\txorl\t%ebp,%esi\n\tmovl\t%ecx,%edi\n\troll\t$5,%ecx\n\taddl\t%esi,%ebx\n\txorl\t%ebp,%edi\n\trorl\t$7,%edx\n\taddl\t%ecx,%ebx\n\taddl\t20(%rsp),%eax\n\txorl\t%edx,%edi\n\tmovl\t%ebx,%esi\n\troll\t$5,%ebx\n\taddl\t%edi,%eax\n\txorl\t%edx,%esi\n\trorl\t$7,%ecx\n\taddl\t%ebx,%eax\n\taddl\t24(%rsp),%ebp\n\txorl\t%ecx,%esi\n\tmovl\t%eax,%edi\n\troll\t$5,%eax\n\taddl\t%esi,%ebp\n\txorl\t%ecx,%edi\n\trorl\t$7,%ebx\n\taddl\t%eax,%ebp\n\taddl\t28(%rsp),%edx\n\txorl\t%ebx,%edi\n\tmovl\t%ebp,%esi\n\troll\t$5,%ebp\n\taddl\t%edi,%edx\n\txorl\t%ebx,%esi\n\trorl\t$7,%eax\n\taddl\t%ebp,%edx\n\taddl\t32(%rsp),%ecx\n\txorl\t%eax,%esi\n\tmovl\t%edx,%edi\n\troll\t$5,%edx\n\taddl\t%esi,%ecx\n\txorl\t%eax,%edi\n\trorl\t$7,%ebp\n\taddl\t%edx,%ecx\n\taddl\t36(%rsp),%ebx\n\txorl\t%ebp,%edi\n\tmovl\t%ecx,%esi\n\troll\t$5,%ecx\n\taddl\t%edi,%ebx\n\txorl\t%ebp,%esi\n\trorl\t$7,%edx\n\taddl\t%ecx,%ebx\n\taddl\t40(%rsp),%eax\n\txorl\t%edx,%esi\n\tmovl\t%ebx,%edi\n\troll\t$5,%ebx\n\taddl\t%esi,%eax\n\txorl\t%edx,%edi\n\trorl\t$7,%ecx\n\taddl\t%ebx,%eax\n\taddl\t44(%rsp),%ebp\n\txorl\t%ecx,%edi\n\tmovl\t%eax,%esi\n\troll\t$5,%eax\n\taddl\t%edi,%ebp\n\txorl\t%ecx,%esi\n\trorl\t$7,%ebx\n\taddl\t%eax,%ebp\n\taddl\t48(%rsp),%edx\n\txorl\t%ebx,%esi\n\tmovl\t%ebp,%edi\n\troll\t$5,%ebp\n\taddl\t%esi,%edx\n\txorl\t%ebx,%edi\n\trorl\t$7,%eax\n\taddl\t%ebp,%edx\n\taddl\t52(%rsp),%ecx\n\txorl\t%eax,%edi\n\tmovl\t%edx,%esi\n\troll\t$5,%edx\n\taddl\t%edi,%ecx\n\txorl\t%eax,%esi\n\trorl\t$7,%ebp\n\taddl\t%edx,%ecx\n\taddl\t56(%rsp),%ebx\n\txorl\t%ebp,%esi\n\tmovl\t%ecx,%edi\n\troll\t$5,%ecx\n\taddl\t%esi,%ebx\n\txorl\t%ebp,%edi\n\trorl\t$7,%edx\n\taddl\t%ecx,%ebx\n\taddl\t60(%rsp),%eax\n\txorl\t%edx,%edi\n\tmovl\t%ebx,%esi\n\troll\t$5,%ebx\n\taddl\t%edi,%eax\n\trorl\t$7,%ecx\n\taddl\t%ebx,%eax\n\taddl\t0(%r8),%eax\n\taddl\t4(%r8),%esi\n\taddl\t8(%r8),%ecx\n\tmovl\t%eax,0(%r8)\n\taddl\t12(%r8),%edx\n\tmovl\t%esi,4(%r8)\n\taddl\t16(%r8),%ebp\n\tmovl\t%ecx,8(%r8)\n\tmovl\t%edx,12(%r8)\n\tmovl\t%ebp,16(%r8)\n\tmovq\t-40(%r11),%r14\n\n\tmovq\t-32(%r11),%r13\n\n\tmovq\t-24(%r11),%r12\n\n\tmovq\t-16(%r11),%rbp\n\n\tmovq\t-8(%r11),%rbx\n\n\tleaq\t(%r11),%rsp\n\nL$epilogue_ssse3:\n\tret\n\n\n.globl\t_sha1_block_data_order_avx\n.private_extern _sha1_block_data_order_avx\n\n.p2align\t4\n_sha1_block_data_order_avx:\n\n_CET_ENDBR\n\tmovq\t%rsp,%r11\n\n\tpushq\t%rbx\n\n\tpushq\t%rbp\n\n\tpushq\t%r12\n\n\tpushq\t%r13\n\n\tpushq\t%r14\n\n\tleaq\t-64(%rsp),%rsp\n\tvzeroupper\n\tandq\t$-64,%rsp\n\tmovq\t%rdi,%r8\n\tmovq\t%rsi,%r9\n\tmovq\t%rdx,%r10\n\n\tshlq\t$6,%r10\n\taddq\t%r9,%r10\n\tleaq\tK_XX_XX+64(%rip),%r14\n\n\tmovl\t0(%r8),%eax\n\tmovl\t4(%r8),%ebx\n\tmovl\t8(%r8),%ecx\n\tmovl\t12(%r8),%edx\n\tmovl\t%ebx,%esi\n\tmovl\t16(%r8),%ebp\n\tmovl\t%ecx,%edi\n\txorl\t%edx,%edi\n\tandl\t%edi,%esi\n\n\tvmovdqa\t64(%r14),%xmm6\n\tvmovdqa\t-64(%r14),%xmm11\n\tvmovdqu\t0(%r9),%xmm0\n\tvmovdqu\t16(%r9),%xmm1\n\tvmovdqu\t32(%r9),%xmm2\n\tvmovdqu\t48(%r9),%xmm3\n\tvpshufb\t%xmm6,%xmm0,%xmm0\n\taddq\t$64,%r9\n\tvpshufb\t%xmm6,%xmm1,%xmm1\n\tvpshufb\t%xmm6,%xmm2,%xmm2\n\tvpshufb\t%xmm6,%xmm3,%xmm3\n\tvpaddd\t%xmm11,%xmm0,%xmm4\n\tvpaddd\t%xmm11,%xmm1,%xmm5\n\tvpaddd\t%xmm11,%xmm2,%xmm6\n\tvmovdqa\t%xmm4,0(%rsp)\n\tvmovdqa\t%xmm5,16(%rsp)\n\tvmovdqa\t%xmm6,32(%rsp)\n\tjmp\tL$oop_avx\n.p2align\t4\nL$oop_avx:\n\tshrdl\t$2,%ebx,%ebx\n\txorl\t%edx,%esi\n\tvpalignr\t$8,%xmm0,%xmm1,%xmm4\n\tmovl\t%eax,%edi\n\taddl\t0(%rsp),%ebp\n\tvpaddd\t%xmm3,%xmm11,%xmm9\n\txorl\t%ecx,%ebx\n\tshldl\t$5,%eax,%eax\n\tvpsrldq\t$4,%xmm3,%xmm8\n\taddl\t%esi,%ebp\n\tandl\t%ebx,%edi\n\tvpxor\t%xmm0,%xmm4,%xmm4\n\txorl\t%ecx,%ebx\n\taddl\t%eax,%ebp\n\tvpxor\t%xmm2,%xmm8,%xmm8\n\tshrdl\t$7,%eax,%eax\n\txorl\t%ecx,%edi\n\tmovl\t%ebp,%esi\n\taddl\t4(%rsp),%edx\n\tvpxor\t%xmm8,%xmm4,%xmm4\n\txorl\t%ebx,%eax\n\tshldl\t$5,%ebp,%ebp\n\tvmovdqa\t%xmm9,48(%rsp)\n\taddl\t%edi,%edx\n\tandl\t%eax,%esi\n\tvpsrld\t$31,%xmm4,%xmm8\n\txorl\t%ebx,%eax\n\taddl\t%ebp,%edx\n\tshrdl\t$7,%ebp,%ebp\n\txorl\t%ebx,%esi\n\tvpslldq\t$12,%xmm4,%xmm10\n\tvpaddd\t%xmm4,%xmm4,%xmm4\n\tmovl\t%edx,%edi\n\taddl\t8(%rsp),%ecx\n\txorl\t%eax,%ebp\n\tshldl\t$5,%edx,%edx\n\tvpsrld\t$30,%xmm10,%xmm9\n\tvpor\t%xmm8,%xmm4,%xmm4\n\taddl\t%esi,%ecx\n\tandl\t%ebp,%edi\n\txorl\t%eax,%ebp\n\taddl\t%edx,%ecx\n\tvpslld\t$2,%xmm10,%xmm10\n\tvpxor\t%xmm9,%xmm4,%xmm4\n\tshrdl\t$7,%edx,%edx\n\txorl\t%eax,%edi\n\tmovl\t%ecx,%esi\n\taddl\t12(%rsp),%ebx\n\tvpxor\t%xmm10,%xmm4,%xmm4\n\txorl\t%ebp,%edx\n\tshldl\t$5,%ecx,%ecx\n\taddl\t%edi,%ebx\n\tandl\t%edx,%esi\n\txorl\t%ebp,%edx\n\taddl\t%ecx,%ebx\n\tshrdl\t$7,%ecx,%ecx\n\txorl\t%ebp,%esi\n\tvpalignr\t$8,%xmm1,%xmm2,%xmm5\n\tmovl\t%ebx,%edi\n\taddl\t16(%rsp),%eax\n\tvpaddd\t%xmm4,%xmm11,%xmm9\n\txorl\t%edx,%ecx\n\tshldl\t$5,%ebx,%ebx\n\tvpsrldq\t$4,%xmm4,%xmm8\n\taddl\t%esi,%eax\n\tandl\t%ecx,%edi\n\tvpxor\t%xmm1,%xmm5,%xmm5\n\txorl\t%edx,%ecx\n\taddl\t%ebx,%eax\n\tvpxor\t%xmm3,%xmm8,%xmm8\n\tshrdl\t$7,%ebx,%ebx\n\txorl\t%edx,%edi\n\tmovl\t%eax,%esi\n\taddl\t20(%rsp),%ebp\n\tvpxor\t%xmm8,%xmm5,%xmm5\n\txorl\t%ecx,%ebx\n\tshldl\t$5,%eax,%eax\n\tvmovdqa\t%xmm9,0(%rsp)\n\taddl\t%edi,%ebp\n\tandl\t%ebx,%esi\n\tvpsrld\t$31,%xmm5,%xmm8\n\txorl\t%ecx,%ebx\n\taddl\t%eax,%ebp\n\tshrdl\t$7,%eax,%eax\n\txorl\t%ecx,%esi\n\tvpslldq\t$12,%xmm5,%xmm10\n\tvpaddd\t%xmm5,%xmm5,%xmm5\n\tmovl\t%ebp,%edi\n\taddl\t24(%rsp),%edx\n\txorl\t%ebx,%eax\n\tshldl\t$5,%ebp,%ebp\n\tvpsrld\t$30,%xmm10,%xmm9\n\tvpor\t%xmm8,%xmm5,%xmm5\n\taddl\t%esi,%edx\n\tandl\t%eax,%edi\n\txorl\t%ebx,%eax\n\taddl\t%ebp,%edx\n\tvpslld\t$2,%xmm10,%xmm10\n\tvpxor\t%xmm9,%xmm5,%xmm5\n\tshrdl\t$7,%ebp,%ebp\n\txorl\t%ebx,%edi\n\tmovl\t%edx,%esi\n\taddl\t28(%rsp),%ecx\n\tvpxor\t%xmm10,%xmm5,%xmm5\n\txorl\t%eax,%ebp\n\tshldl\t$5,%edx,%edx\n\tvmovdqa\t-32(%r14),%xmm11\n\taddl\t%edi,%ecx\n\tandl\t%ebp,%esi\n\txorl\t%eax,%ebp\n\taddl\t%edx,%ecx\n\tshrdl\t$7,%edx,%edx\n\txorl\t%eax,%esi\n\tvpalignr\t$8,%xmm2,%xmm3,%xmm6\n\tmovl\t%ecx,%edi\n\taddl\t32(%rsp),%ebx\n\tvpaddd\t%xmm5,%xmm11,%xmm9\n\txorl\t%ebp,%edx\n\tshldl\t$5,%ecx,%ecx\n\tvpsrldq\t$4,%xmm5,%xmm8\n\taddl\t%esi,%ebx\n\tandl\t%edx,%edi\n\tvpxor\t%xmm2,%xmm6,%xmm6\n\txorl\t%ebp,%edx\n\taddl\t%ecx,%ebx\n\tvpxor\t%xmm4,%xmm8,%xmm8\n\tshrdl\t$7,%ecx,%ecx\n\txorl\t%ebp,%edi\n\tmovl\t%ebx,%esi\n\taddl\t36(%rsp),%eax\n\tvpxor\t%xmm8,%xmm6,%xmm6\n\txorl\t%edx,%ecx\n\tshldl\t$5,%ebx,%ebx\n\tvmovdqa\t%xmm9,16(%rsp)\n\taddl\t%edi,%eax\n\tandl\t%ecx,%esi\n\tvpsrld\t$31,%xmm6,%xmm8\n\txorl\t%edx,%ecx\n\taddl\t%ebx,%eax\n\tshrdl\t$7,%ebx,%ebx\n\txorl\t%edx,%esi\n\tvpslldq\t$12,%xmm6,%xmm10\n\tvpaddd\t%xmm6,%xmm6,%xmm6\n\tmovl\t%eax,%edi\n\taddl\t40(%rsp),%ebp\n\txorl\t%ecx,%ebx\n\tshldl\t$5,%eax,%eax\n\tvpsrld\t$30,%xmm10,%xmm9\n\tvpor\t%xmm8,%xmm6,%xmm6\n\taddl\t%esi,%ebp\n\tandl\t%ebx,%edi\n\txorl\t%ecx,%ebx\n\taddl\t%eax,%ebp\n\tvpslld\t$2,%xmm10,%xmm10\n\tvpxor\t%xmm9,%xmm6,%xmm6\n\tshrdl\t$7,%eax,%eax\n\txorl\t%ecx,%edi\n\tmovl\t%ebp,%esi\n\taddl\t44(%rsp),%edx\n\tvpxor\t%xmm10,%xmm6,%xmm6\n\txorl\t%ebx,%eax\n\tshldl\t$5,%ebp,%ebp\n\taddl\t%edi,%edx\n\tandl\t%eax,%esi\n\txorl\t%ebx,%eax\n\taddl\t%ebp,%edx\n\tshrdl\t$7,%ebp,%ebp\n\txorl\t%ebx,%esi\n\tvpalignr\t$8,%xmm3,%xmm4,%xmm7\n\tmovl\t%edx,%edi\n\taddl\t48(%rsp),%ecx\n\tvpaddd\t%xmm6,%xmm11,%xmm9\n\txorl\t%eax,%ebp\n\tshldl\t$5,%edx,%edx\n\tvpsrldq\t$4,%xmm6,%xmm8\n\taddl\t%esi,%ecx\n\tandl\t%ebp,%edi\n\tvpxor\t%xmm3,%xmm7,%xmm7\n\txorl\t%eax,%ebp\n\taddl\t%edx,%ecx\n\tvpxor\t%xmm5,%xmm8,%xmm8\n\tshrdl\t$7,%edx,%edx\n\txorl\t%eax,%edi\n\tmovl\t%ecx,%esi\n\taddl\t52(%rsp),%ebx\n\tvpxor\t%xmm8,%xmm7,%xmm7\n\txorl\t%ebp,%edx\n\tshldl\t$5,%ecx,%ecx\n\tvmovdqa\t%xmm9,32(%rsp)\n\taddl\t%edi,%ebx\n\tandl\t%edx,%esi\n\tvpsrld\t$31,%xmm7,%xmm8\n\txorl\t%ebp,%edx\n\taddl\t%ecx,%ebx\n\tshrdl\t$7,%ecx,%ecx\n\txorl\t%ebp,%esi\n\tvpslldq\t$12,%xmm7,%xmm10\n\tvpaddd\t%xmm7,%xmm7,%xmm7\n\tmovl\t%ebx,%edi\n\taddl\t56(%rsp),%eax\n\txorl\t%edx,%ecx\n\tshldl\t$5,%ebx,%ebx\n\tvpsrld\t$30,%xmm10,%xmm9\n\tvpor\t%xmm8,%xmm7,%xmm7\n\taddl\t%esi,%eax\n\tandl\t%ecx,%edi\n\txorl\t%edx,%ecx\n\taddl\t%ebx,%eax\n\tvpslld\t$2,%xmm10,%xmm10\n\tvpxor\t%xmm9,%xmm7,%xmm7\n\tshrdl\t$7,%ebx,%ebx\n\txorl\t%edx,%edi\n\tmovl\t%eax,%esi\n\taddl\t60(%rsp),%ebp\n\tvpxor\t%xmm10,%xmm7,%xmm7\n\txorl\t%ecx,%ebx\n\tshldl\t$5,%eax,%eax\n\taddl\t%edi,%ebp\n\tandl\t%ebx,%esi\n\txorl\t%ecx,%ebx\n\taddl\t%eax,%ebp\n\tvpalignr\t$8,%xmm6,%xmm7,%xmm8\n\tvpxor\t%xmm4,%xmm0,%xmm0\n\tshrdl\t$7,%eax,%eax\n\txorl\t%ecx,%esi\n\tmovl\t%ebp,%edi\n\taddl\t0(%rsp),%edx\n\tvpxor\t%xmm1,%xmm0,%xmm0\n\txorl\t%ebx,%eax\n\tshldl\t$5,%ebp,%ebp\n\tvpaddd\t%xmm7,%xmm11,%xmm9\n\taddl\t%esi,%edx\n\tandl\t%eax,%edi\n\tvpxor\t%xmm8,%xmm0,%xmm0\n\txorl\t%ebx,%eax\n\taddl\t%ebp,%edx\n\tshrdl\t$7,%ebp,%ebp\n\txorl\t%ebx,%edi\n\tvpsrld\t$30,%xmm0,%xmm8\n\tvmovdqa\t%xmm9,48(%rsp)\n\tmovl\t%edx,%esi\n\taddl\t4(%rsp),%ecx\n\txorl\t%eax,%ebp\n\tshldl\t$5,%edx,%edx\n\tvpslld\t$2,%xmm0,%xmm0\n\taddl\t%edi,%ecx\n\tandl\t%ebp,%esi\n\txorl\t%eax,%ebp\n\taddl\t%edx,%ecx\n\tshrdl\t$7,%edx,%edx\n\txorl\t%eax,%esi\n\tmovl\t%ecx,%edi\n\taddl\t8(%rsp),%ebx\n\tvpor\t%xmm8,%xmm0,%xmm0\n\txorl\t%ebp,%edx\n\tshldl\t$5,%ecx,%ecx\n\taddl\t%esi,%ebx\n\tandl\t%edx,%edi\n\txorl\t%ebp,%edx\n\taddl\t%ecx,%ebx\n\taddl\t12(%rsp),%eax\n\txorl\t%ebp,%edi\n\tmovl\t%ebx,%esi\n\tshldl\t$5,%ebx,%ebx\n\taddl\t%edi,%eax\n\txorl\t%edx,%esi\n\tshrdl\t$7,%ecx,%ecx\n\taddl\t%ebx,%eax\n\tvpalignr\t$8,%xmm7,%xmm0,%xmm8\n\tvpxor\t%xmm5,%xmm1,%xmm1\n\taddl\t16(%rsp),%ebp\n\txorl\t%ecx,%esi\n\tmovl\t%eax,%edi\n\tshldl\t$5,%eax,%eax\n\tvpxor\t%xmm2,%xmm1,%xmm1\n\taddl\t%esi,%ebp\n\txorl\t%ecx,%edi\n\tvpaddd\t%xmm0,%xmm11,%xmm9\n\tshrdl\t$7,%ebx,%ebx\n\taddl\t%eax,%ebp\n\tvpxor\t%xmm8,%xmm1,%xmm1\n\taddl\t20(%rsp),%edx\n\txorl\t%ebx,%edi\n\tmovl\t%ebp,%esi\n\tshldl\t$5,%ebp,%ebp\n\tvpsrld\t$30,%xmm1,%xmm8\n\tvmovdqa\t%xmm9,0(%rsp)\n\taddl\t%edi,%edx\n\txorl\t%ebx,%esi\n\tshrdl\t$7,%eax,%eax\n\taddl\t%ebp,%edx\n\tvpslld\t$2,%xmm1,%xmm1\n\taddl\t24(%rsp),%ecx\n\txorl\t%eax,%esi\n\tmovl\t%edx,%edi\n\tshldl\t$5,%edx,%edx\n\taddl\t%esi,%ecx\n\txorl\t%eax,%edi\n\tshrdl\t$7,%ebp,%ebp\n\taddl\t%edx,%ecx\n\tvpor\t%xmm8,%xmm1,%xmm1\n\taddl\t28(%rsp),%ebx\n\txorl\t%ebp,%edi\n\tmovl\t%ecx,%esi\n\tshldl\t$5,%ecx,%ecx\n\taddl\t%edi,%ebx\n\txorl\t%ebp,%esi\n\tshrdl\t$7,%edx,%edx\n\taddl\t%ecx,%ebx\n\tvpalignr\t$8,%xmm0,%xmm1,%xmm8\n\tvpxor\t%xmm6,%xmm2,%xmm2\n\taddl\t32(%rsp),%eax\n\txorl\t%edx,%esi\n\tmovl\t%ebx,%edi\n\tshldl\t$5,%ebx,%ebx\n\tvpxor\t%xmm3,%xmm2,%xmm2\n\taddl\t%esi,%eax\n\txorl\t%edx,%edi\n\tvpaddd\t%xmm1,%xmm11,%xmm9\n\tvmovdqa\t0(%r14),%xmm11\n\tshrdl\t$7,%ecx,%ecx\n\taddl\t%ebx,%eax\n\tvpxor\t%xmm8,%xmm2,%xmm2\n\taddl\t36(%rsp),%ebp\n\txorl\t%ecx,%edi\n\tmovl\t%eax,%esi\n\tshldl\t$5,%eax,%eax\n\tvpsrld\t$30,%xmm2,%xmm8\n\tvmovdqa\t%xmm9,16(%rsp)\n\taddl\t%edi,%ebp\n\txorl\t%ecx,%esi\n\tshrdl\t$7,%ebx,%ebx\n\taddl\t%eax,%ebp\n\tvpslld\t$2,%xmm2,%xmm2\n\taddl\t40(%rsp),%edx\n\txorl\t%ebx,%esi\n\tmovl\t%ebp,%edi\n\tshldl\t$5,%ebp,%ebp\n\taddl\t%esi,%edx\n\txorl\t%ebx,%edi\n\tshrdl\t$7,%eax,%eax\n\taddl\t%ebp,%edx\n\tvpor\t%xmm8,%xmm2,%xmm2\n\taddl\t44(%rsp),%ecx\n\txorl\t%eax,%edi\n\tmovl\t%edx,%esi\n\tshldl\t$5,%edx,%edx\n\taddl\t%edi,%ecx\n\txorl\t%eax,%esi\n\tshrdl\t$7,%ebp,%ebp\n\taddl\t%edx,%ecx\n\tvpalignr\t$8,%xmm1,%xmm2,%xmm8\n\tvpxor\t%xmm7,%xmm3,%xmm3\n\taddl\t48(%rsp),%ebx\n\txorl\t%ebp,%esi\n\tmovl\t%ecx,%edi\n\tshldl\t$5,%ecx,%ecx\n\tvpxor\t%xmm4,%xmm3,%xmm3\n\taddl\t%esi,%ebx\n\txorl\t%ebp,%edi\n\tvpaddd\t%xmm2,%xmm11,%xmm9\n\tshrdl\t$7,%edx,%edx\n\taddl\t%ecx,%ebx\n\tvpxor\t%xmm8,%xmm3,%xmm3\n\taddl\t52(%rsp),%eax\n\txorl\t%edx,%edi\n\tmovl\t%ebx,%esi\n\tshldl\t$5,%ebx,%ebx\n\tvpsrld\t$30,%xmm3,%xmm8\n\tvmovdqa\t%xmm9,32(%rsp)\n\taddl\t%edi,%eax\n\txorl\t%edx,%esi\n\tshrdl\t$7,%ecx,%ecx\n\taddl\t%ebx,%eax\n\tvpslld\t$2,%xmm3,%xmm3\n\taddl\t56(%rsp),%ebp\n\txorl\t%ecx,%esi\n\tmovl\t%eax,%edi\n\tshldl\t$5,%eax,%eax\n\taddl\t%esi,%ebp\n\txorl\t%ecx,%edi\n\tshrdl\t$7,%ebx,%ebx\n\taddl\t%eax,%ebp\n\tvpor\t%xmm8,%xmm3,%xmm3\n\taddl\t60(%rsp),%edx\n\txorl\t%ebx,%edi\n\tmovl\t%ebp,%esi\n\tshldl\t$5,%ebp,%ebp\n\taddl\t%edi,%edx\n\txorl\t%ebx,%esi\n\tshrdl\t$7,%eax,%eax\n\taddl\t%ebp,%edx\n\tvpalignr\t$8,%xmm2,%xmm3,%xmm8\n\tvpxor\t%xmm0,%xmm4,%xmm4\n\taddl\t0(%rsp),%ecx\n\txorl\t%eax,%esi\n\tmovl\t%edx,%edi\n\tshldl\t$5,%edx,%edx\n\tvpxor\t%xmm5,%xmm4,%xmm4\n\taddl\t%esi,%ecx\n\txorl\t%eax,%edi\n\tvpaddd\t%xmm3,%xmm11,%xmm9\n\tshrdl\t$7,%ebp,%ebp\n\taddl\t%edx,%ecx\n\tvpxor\t%xmm8,%xmm4,%xmm4\n\taddl\t4(%rsp),%ebx\n\txorl\t%ebp,%edi\n\tmovl\t%ecx,%esi\n\tshldl\t$5,%ecx,%ecx\n\tvpsrld\t$30,%xmm4,%xmm8\n\tvmovdqa\t%xmm9,48(%rsp)\n\taddl\t%edi,%ebx\n\txorl\t%ebp,%esi\n\tshrdl\t$7,%edx,%edx\n\taddl\t%ecx,%ebx\n\tvpslld\t$2,%xmm4,%xmm4\n\taddl\t8(%rsp),%eax\n\txorl\t%edx,%esi\n\tmovl\t%ebx,%edi\n\tshldl\t$5,%ebx,%ebx\n\taddl\t%esi,%eax\n\txorl\t%edx,%edi\n\tshrdl\t$7,%ecx,%ecx\n\taddl\t%ebx,%eax\n\tvpor\t%xmm8,%xmm4,%xmm4\n\taddl\t12(%rsp),%ebp\n\txorl\t%ecx,%edi\n\tmovl\t%eax,%esi\n\tshldl\t$5,%eax,%eax\n\taddl\t%edi,%ebp\n\txorl\t%ecx,%esi\n\tshrdl\t$7,%ebx,%ebx\n\taddl\t%eax,%ebp\n\tvpalignr\t$8,%xmm3,%xmm4,%xmm8\n\tvpxor\t%xmm1,%xmm5,%xmm5\n\taddl\t16(%rsp),%edx\n\txorl\t%ebx,%esi\n\tmovl\t%ebp,%edi\n\tshldl\t$5,%ebp,%ebp\n\tvpxor\t%xmm6,%xmm5,%xmm5\n\taddl\t%esi,%edx\n\txorl\t%ebx,%edi\n\tvpaddd\t%xmm4,%xmm11,%xmm9\n\tshrdl\t$7,%eax,%eax\n\taddl\t%ebp,%edx\n\tvpxor\t%xmm8,%xmm5,%xmm5\n\taddl\t20(%rsp),%ecx\n\txorl\t%eax,%edi\n\tmovl\t%edx,%esi\n\tshldl\t$5,%edx,%edx\n\tvpsrld\t$30,%xmm5,%xmm8\n\tvmovdqa\t%xmm9,0(%rsp)\n\taddl\t%edi,%ecx\n\txorl\t%eax,%esi\n\tshrdl\t$7,%ebp,%ebp\n\taddl\t%edx,%ecx\n\tvpslld\t$2,%xmm5,%xmm5\n\taddl\t24(%rsp),%ebx\n\txorl\t%ebp,%esi\n\tmovl\t%ecx,%edi\n\tshldl\t$5,%ecx,%ecx\n\taddl\t%esi,%ebx\n\txorl\t%ebp,%edi\n\tshrdl\t$7,%edx,%edx\n\taddl\t%ecx,%ebx\n\tvpor\t%xmm8,%xmm5,%xmm5\n\taddl\t28(%rsp),%eax\n\tshrdl\t$7,%ecx,%ecx\n\tmovl\t%ebx,%esi\n\txorl\t%edx,%edi\n\tshldl\t$5,%ebx,%ebx\n\taddl\t%edi,%eax\n\txorl\t%ecx,%esi\n\txorl\t%edx,%ecx\n\taddl\t%ebx,%eax\n\tvpalignr\t$8,%xmm4,%xmm5,%xmm8\n\tvpxor\t%xmm2,%xmm6,%xmm6\n\taddl\t32(%rsp),%ebp\n\tandl\t%ecx,%esi\n\txorl\t%edx,%ecx\n\tshrdl\t$7,%ebx,%ebx\n\tvpxor\t%xmm7,%xmm6,%xmm6\n\tmovl\t%eax,%edi\n\txorl\t%ecx,%esi\n\tvpaddd\t%xmm5,%xmm11,%xmm9\n\tshldl\t$5,%eax,%eax\n\taddl\t%esi,%ebp\n\tvpxor\t%xmm8,%xmm6,%xmm6\n\txorl\t%ebx,%edi\n\txorl\t%ecx,%ebx\n\taddl\t%eax,%ebp\n\taddl\t36(%rsp),%edx\n\tvpsrld\t$30,%xmm6,%xmm8\n\tvmovdqa\t%xmm9,16(%rsp)\n\tandl\t%ebx,%edi\n\txorl\t%ecx,%ebx\n\tshrdl\t$7,%eax,%eax\n\tmovl\t%ebp,%esi\n\tvpslld\t$2,%xmm6,%xmm6\n\txorl\t%ebx,%edi\n\tshldl\t$5,%ebp,%ebp\n\taddl\t%edi,%edx\n\txorl\t%eax,%esi\n\txorl\t%ebx,%eax\n\taddl\t%ebp,%edx\n\taddl\t40(%rsp),%ecx\n\tandl\t%eax,%esi\n\tvpor\t%xmm8,%xmm6,%xmm6\n\txorl\t%ebx,%eax\n\tshrdl\t$7,%ebp,%ebp\n\tmovl\t%edx,%edi\n\txorl\t%eax,%esi\n\tshldl\t$5,%edx,%edx\n\taddl\t%esi,%ecx\n\txorl\t%ebp,%edi\n\txorl\t%eax,%ebp\n\taddl\t%edx,%ecx\n\taddl\t44(%rsp),%ebx\n\tandl\t%ebp,%edi\n\txorl\t%eax,%ebp\n\tshrdl\t$7,%edx,%edx\n\tmovl\t%ecx,%esi\n\txorl\t%ebp,%edi\n\tshldl\t$5,%ecx,%ecx\n\taddl\t%edi,%ebx\n\txorl\t%edx,%esi\n\txorl\t%ebp,%edx\n\taddl\t%ecx,%ebx\n\tvpalignr\t$8,%xmm5,%xmm6,%xmm8\n\tvpxor\t%xmm3,%xmm7,%xmm7\n\taddl\t48(%rsp),%eax\n\tandl\t%edx,%esi\n\txorl\t%ebp,%edx\n\tshrdl\t$7,%ecx,%ecx\n\tvpxor\t%xmm0,%xmm7,%xmm7\n\tmovl\t%ebx,%edi\n\txorl\t%edx,%esi\n\tvpaddd\t%xmm6,%xmm11,%xmm9\n\tvmovdqa\t32(%r14),%xmm11\n\tshldl\t$5,%ebx,%ebx\n\taddl\t%esi,%eax\n\tvpxor\t%xmm8,%xmm7,%xmm7\n\txorl\t%ecx,%edi\n\txorl\t%edx,%ecx\n\taddl\t%ebx,%eax\n\taddl\t52(%rsp),%ebp\n\tvpsrld\t$30,%xmm7,%xmm8\n\tvmovdqa\t%xmm9,32(%rsp)\n\tandl\t%ecx,%edi\n\txorl\t%edx,%ecx\n\tshrdl\t$7,%ebx,%ebx\n\tmovl\t%eax,%esi\n\tvpslld\t$2,%xmm7,%xmm7\n\txorl\t%ecx,%edi\n\tshldl\t$5,%eax,%eax\n\taddl\t%edi,%ebp\n\txorl\t%ebx,%esi\n\txorl\t%ecx,%ebx\n\taddl\t%eax,%ebp\n\taddl\t56(%rsp),%edx\n\tandl\t%ebx,%esi\n\tvpor\t%xmm8,%xmm7,%xmm7\n\txorl\t%ecx,%ebx\n\tshrdl\t$7,%eax,%eax\n\tmovl\t%ebp,%edi\n\txorl\t%ebx,%esi\n\tshldl\t$5,%ebp,%ebp\n\taddl\t%esi,%edx\n\txorl\t%eax,%edi\n\txorl\t%ebx,%eax\n\taddl\t%ebp,%edx\n\taddl\t60(%rsp),%ecx\n\tandl\t%eax,%edi\n\txorl\t%ebx,%eax\n\tshrdl\t$7,%ebp,%ebp\n\tmovl\t%edx,%esi\n\txorl\t%eax,%edi\n\tshldl\t$5,%edx,%edx\n\taddl\t%edi,%ecx\n\txorl\t%ebp,%esi\n\txorl\t%eax,%ebp\n\taddl\t%edx,%ecx\n\tvpalignr\t$8,%xmm6,%xmm7,%xmm8\n\tvpxor\t%xmm4,%xmm0,%xmm0\n\taddl\t0(%rsp),%ebx\n\tandl\t%ebp,%esi\n\txorl\t%eax,%ebp\n\tshrdl\t$7,%edx,%edx\n\tvpxor\t%xmm1,%xmm0,%xmm0\n\tmovl\t%ecx,%edi\n\txorl\t%ebp,%esi\n\tvpaddd\t%xmm7,%xmm11,%xmm9\n\tshldl\t$5,%ecx,%ecx\n\taddl\t%esi,%ebx\n\tvpxor\t%xmm8,%xmm0,%xmm0\n\txorl\t%edx,%edi\n\txorl\t%ebp,%edx\n\taddl\t%ecx,%ebx\n\taddl\t4(%rsp),%eax\n\tvpsrld\t$30,%xmm0,%xmm8\n\tvmovdqa\t%xmm9,48(%rsp)\n\tandl\t%edx,%edi\n\txorl\t%ebp,%edx\n\tshrdl\t$7,%ecx,%ecx\n\tmovl\t%ebx,%esi\n\tvpslld\t$2,%xmm0,%xmm0\n\txorl\t%edx,%edi\n\tshldl\t$5,%ebx,%ebx\n\taddl\t%edi,%eax\n\txorl\t%ecx,%esi\n\txorl\t%edx,%ecx\n\taddl\t%ebx,%eax\n\taddl\t8(%rsp),%ebp\n\tandl\t%ecx,%esi\n\tvpor\t%xmm8,%xmm0,%xmm0\n\txorl\t%edx,%ecx\n\tshrdl\t$7,%ebx,%ebx\n\tmovl\t%eax,%edi\n\txorl\t%ecx,%esi\n\tshldl\t$5,%eax,%eax\n\taddl\t%esi,%ebp\n\txorl\t%ebx,%edi\n\txorl\t%ecx,%ebx\n\taddl\t%eax,%ebp\n\taddl\t12(%rsp),%edx\n\tandl\t%ebx,%edi\n\txorl\t%ecx,%ebx\n\tshrdl\t$7,%eax,%eax\n\tmovl\t%ebp,%esi\n\txorl\t%ebx,%edi\n\tshldl\t$5,%ebp,%ebp\n\taddl\t%edi,%edx\n\txorl\t%eax,%esi\n\txorl\t%ebx,%eax\n\taddl\t%ebp,%edx\n\tvpalignr\t$8,%xmm7,%xmm0,%xmm8\n\tvpxor\t%xmm5,%xmm1,%xmm1\n\taddl\t16(%rsp),%ecx\n\tandl\t%eax,%esi\n\txorl\t%ebx,%eax\n\tshrdl\t$7,%ebp,%ebp\n\tvpxor\t%xmm2,%xmm1,%xmm1\n\tmovl\t%edx,%edi\n\txorl\t%eax,%esi\n\tvpaddd\t%xmm0,%xmm11,%xmm9\n\tshldl\t$5,%edx,%edx\n\taddl\t%esi,%ecx\n\tvpxor\t%xmm8,%xmm1,%xmm1\n\txorl\t%ebp,%edi\n\txorl\t%eax,%ebp\n\taddl\t%edx,%ecx\n\taddl\t20(%rsp),%ebx\n\tvpsrld\t$30,%xmm1,%xmm8\n\tvmovdqa\t%xmm9,0(%rsp)\n\tandl\t%ebp,%edi\n\txorl\t%eax,%ebp\n\tshrdl\t$7,%edx,%edx\n\tmovl\t%ecx,%esi\n\tvpslld\t$2,%xmm1,%xmm1\n\txorl\t%ebp,%edi\n\tshldl\t$5,%ecx,%ecx\n\taddl\t%edi,%ebx\n\txorl\t%edx,%esi\n\txorl\t%ebp,%edx\n\taddl\t%ecx,%ebx\n\taddl\t24(%rsp),%eax\n\tandl\t%edx,%esi\n\tvpor\t%xmm8,%xmm1,%xmm1\n\txorl\t%ebp,%edx\n\tshrdl\t$7,%ecx,%ecx\n\tmovl\t%ebx,%edi\n\txorl\t%edx,%esi\n\tshldl\t$5,%ebx,%ebx\n\taddl\t%esi,%eax\n\txorl\t%ecx,%edi\n\txorl\t%edx,%ecx\n\taddl\t%ebx,%eax\n\taddl\t28(%rsp),%ebp\n\tandl\t%ecx,%edi\n\txorl\t%edx,%ecx\n\tshrdl\t$7,%ebx,%ebx\n\tmovl\t%eax,%esi\n\txorl\t%ecx,%edi\n\tshldl\t$5,%eax,%eax\n\taddl\t%edi,%ebp\n\txorl\t%ebx,%esi\n\txorl\t%ecx,%ebx\n\taddl\t%eax,%ebp\n\tvpalignr\t$8,%xmm0,%xmm1,%xmm8\n\tvpxor\t%xmm6,%xmm2,%xmm2\n\taddl\t32(%rsp),%edx\n\tandl\t%ebx,%esi\n\txorl\t%ecx,%ebx\n\tshrdl\t$7,%eax,%eax\n\tvpxor\t%xmm3,%xmm2,%xmm2\n\tmovl\t%ebp,%edi\n\txorl\t%ebx,%esi\n\tvpaddd\t%xmm1,%xmm11,%xmm9\n\tshldl\t$5,%ebp,%ebp\n\taddl\t%esi,%edx\n\tvpxor\t%xmm8,%xmm2,%xmm2\n\txorl\t%eax,%edi\n\txorl\t%ebx,%eax\n\taddl\t%ebp,%edx\n\taddl\t36(%rsp),%ecx\n\tvpsrld\t$30,%xmm2,%xmm8\n\tvmovdqa\t%xmm9,16(%rsp)\n\tandl\t%eax,%edi\n\txorl\t%ebx,%eax\n\tshrdl\t$7,%ebp,%ebp\n\tmovl\t%edx,%esi\n\tvpslld\t$2,%xmm2,%xmm2\n\txorl\t%eax,%edi\n\tshldl\t$5,%edx,%edx\n\taddl\t%edi,%ecx\n\txorl\t%ebp,%esi\n\txorl\t%eax,%ebp\n\taddl\t%edx,%ecx\n\taddl\t40(%rsp),%ebx\n\tandl\t%ebp,%esi\n\tvpor\t%xmm8,%xmm2,%xmm2\n\txorl\t%eax,%ebp\n\tshrdl\t$7,%edx,%edx\n\tmovl\t%ecx,%edi\n\txorl\t%ebp,%esi\n\tshldl\t$5,%ecx,%ecx\n\taddl\t%esi,%ebx\n\txorl\t%edx,%edi\n\txorl\t%ebp,%edx\n\taddl\t%ecx,%ebx\n\taddl\t44(%rsp),%eax\n\tandl\t%edx,%edi\n\txorl\t%ebp,%edx\n\tshrdl\t$7,%ecx,%ecx\n\tmovl\t%ebx,%esi\n\txorl\t%edx,%edi\n\tshldl\t$5,%ebx,%ebx\n\taddl\t%edi,%eax\n\txorl\t%edx,%esi\n\taddl\t%ebx,%eax\n\tvpalignr\t$8,%xmm1,%xmm2,%xmm8\n\tvpxor\t%xmm7,%xmm3,%xmm3\n\taddl\t48(%rsp),%ebp\n\txorl\t%ecx,%esi\n\tmovl\t%eax,%edi\n\tshldl\t$5,%eax,%eax\n\tvpxor\t%xmm4,%xmm3,%xmm3\n\taddl\t%esi,%ebp\n\txorl\t%ecx,%edi\n\tvpaddd\t%xmm2,%xmm11,%xmm9\n\tshrdl\t$7,%ebx,%ebx\n\taddl\t%eax,%ebp\n\tvpxor\t%xmm8,%xmm3,%xmm3\n\taddl\t52(%rsp),%edx\n\txorl\t%ebx,%edi\n\tmovl\t%ebp,%esi\n\tshldl\t$5,%ebp,%ebp\n\tvpsrld\t$30,%xmm3,%xmm8\n\tvmovdqa\t%xmm9,32(%rsp)\n\taddl\t%edi,%edx\n\txorl\t%ebx,%esi\n\tshrdl\t$7,%eax,%eax\n\taddl\t%ebp,%edx\n\tvpslld\t$2,%xmm3,%xmm3\n\taddl\t56(%rsp),%ecx\n\txorl\t%eax,%esi\n\tmovl\t%edx,%edi\n\tshldl\t$5,%edx,%edx\n\taddl\t%esi,%ecx\n\txorl\t%eax,%edi\n\tshrdl\t$7,%ebp,%ebp\n\taddl\t%edx,%ecx\n\tvpor\t%xmm8,%xmm3,%xmm3\n\taddl\t60(%rsp),%ebx\n\txorl\t%ebp,%edi\n\tmovl\t%ecx,%esi\n\tshldl\t$5,%ecx,%ecx\n\taddl\t%edi,%ebx\n\txorl\t%ebp,%esi\n\tshrdl\t$7,%edx,%edx\n\taddl\t%ecx,%ebx\n\taddl\t0(%rsp),%eax\n\tvpaddd\t%xmm3,%xmm11,%xmm9\n\txorl\t%edx,%esi\n\tmovl\t%ebx,%edi\n\tshldl\t$5,%ebx,%ebx\n\taddl\t%esi,%eax\n\tvmovdqa\t%xmm9,48(%rsp)\n\txorl\t%edx,%edi\n\tshrdl\t$7,%ecx,%ecx\n\taddl\t%ebx,%eax\n\taddl\t4(%rsp),%ebp\n\txorl\t%ecx,%edi\n\tmovl\t%eax,%esi\n\tshldl\t$5,%eax,%eax\n\taddl\t%edi,%ebp\n\txorl\t%ecx,%esi\n\tshrdl\t$7,%ebx,%ebx\n\taddl\t%eax,%ebp\n\taddl\t8(%rsp),%edx\n\txorl\t%ebx,%esi\n\tmovl\t%ebp,%edi\n\tshldl\t$5,%ebp,%ebp\n\taddl\t%esi,%edx\n\txorl\t%ebx,%edi\n\tshrdl\t$7,%eax,%eax\n\taddl\t%ebp,%edx\n\taddl\t12(%rsp),%ecx\n\txorl\t%eax,%edi\n\tmovl\t%edx,%esi\n\tshldl\t$5,%edx,%edx\n\taddl\t%edi,%ecx\n\txorl\t%eax,%esi\n\tshrdl\t$7,%ebp,%ebp\n\taddl\t%edx,%ecx\n\tcmpq\t%r10,%r9\n\tje\tL$done_avx\n\tvmovdqa\t64(%r14),%xmm6\n\tvmovdqa\t-64(%r14),%xmm11\n\tvmovdqu\t0(%r9),%xmm0\n\tvmovdqu\t16(%r9),%xmm1\n\tvmovdqu\t32(%r9),%xmm2\n\tvmovdqu\t48(%r9),%xmm3\n\tvpshufb\t%xmm6,%xmm0,%xmm0\n\taddq\t$64,%r9\n\taddl\t16(%rsp),%ebx\n\txorl\t%ebp,%esi\n\tvpshufb\t%xmm6,%xmm1,%xmm1\n\tmovl\t%ecx,%edi\n\tshldl\t$5,%ecx,%ecx\n\tvpaddd\t%xmm11,%xmm0,%xmm4\n\taddl\t%esi,%ebx\n\txorl\t%ebp,%edi\n\tshrdl\t$7,%edx,%edx\n\taddl\t%ecx,%ebx\n\tvmovdqa\t%xmm4,0(%rsp)\n\taddl\t20(%rsp),%eax\n\txorl\t%edx,%edi\n\tmovl\t%ebx,%esi\n\tshldl\t$5,%ebx,%ebx\n\taddl\t%edi,%eax\n\txorl\t%edx,%esi\n\tshrdl\t$7,%ecx,%ecx\n\taddl\t%ebx,%eax\n\taddl\t24(%rsp),%ebp\n\txorl\t%ecx,%esi\n\tmovl\t%eax,%edi\n\tshldl\t$5,%eax,%eax\n\taddl\t%esi,%ebp\n\txorl\t%ecx,%edi\n\tshrdl\t$7,%ebx,%ebx\n\taddl\t%eax,%ebp\n\taddl\t28(%rsp),%edx\n\txorl\t%ebx,%edi\n\tmovl\t%ebp,%esi\n\tshldl\t$5,%ebp,%ebp\n\taddl\t%edi,%edx\n\txorl\t%ebx,%esi\n\tshrdl\t$7,%eax,%eax\n\taddl\t%ebp,%edx\n\taddl\t32(%rsp),%ecx\n\txorl\t%eax,%esi\n\tvpshufb\t%xmm6,%xmm2,%xmm2\n\tmovl\t%edx,%edi\n\tshldl\t$5,%edx,%edx\n\tvpaddd\t%xmm11,%xmm1,%xmm5\n\taddl\t%esi,%ecx\n\txorl\t%eax,%edi\n\tshrdl\t$7,%ebp,%ebp\n\taddl\t%edx,%ecx\n\tvmovdqa\t%xmm5,16(%rsp)\n\taddl\t36(%rsp),%ebx\n\txorl\t%ebp,%edi\n\tmovl\t%ecx,%esi\n\tshldl\t$5,%ecx,%ecx\n\taddl\t%edi,%ebx\n\txorl\t%ebp,%esi\n\tshrdl\t$7,%edx,%edx\n\taddl\t%ecx,%ebx\n\taddl\t40(%rsp),%eax\n\txorl\t%edx,%esi\n\tmovl\t%ebx,%edi\n\tshldl\t$5,%ebx,%ebx\n\taddl\t%esi,%eax\n\txorl\t%edx,%edi\n\tshrdl\t$7,%ecx,%ecx\n\taddl\t%ebx,%eax\n\taddl\t44(%rsp),%ebp\n\txorl\t%ecx,%edi\n\tmovl\t%eax,%esi\n\tshldl\t$5,%eax,%eax\n\taddl\t%edi,%ebp\n\txorl\t%ecx,%esi\n\tshrdl\t$7,%ebx,%ebx\n\taddl\t%eax,%ebp\n\taddl\t48(%rsp),%edx\n\txorl\t%ebx,%esi\n\tvpshufb\t%xmm6,%xmm3,%xmm3\n\tmovl\t%ebp,%edi\n\tshldl\t$5,%ebp,%ebp\n\tvpaddd\t%xmm11,%xmm2,%xmm6\n\taddl\t%esi,%edx\n\txorl\t%ebx,%edi\n\tshrdl\t$7,%eax,%eax\n\taddl\t%ebp,%edx\n\tvmovdqa\t%xmm6,32(%rsp)\n\taddl\t52(%rsp),%ecx\n\txorl\t%eax,%edi\n\tmovl\t%edx,%esi\n\tshldl\t$5,%edx,%edx\n\taddl\t%edi,%ecx\n\txorl\t%eax,%esi\n\tshrdl\t$7,%ebp,%ebp\n\taddl\t%edx,%ecx\n\taddl\t56(%rsp),%ebx\n\txorl\t%ebp,%esi\n\tmovl\t%ecx,%edi\n\tshldl\t$5,%ecx,%ecx\n\taddl\t%esi,%ebx\n\txorl\t%ebp,%edi\n\tshrdl\t$7,%edx,%edx\n\taddl\t%ecx,%ebx\n\taddl\t60(%rsp),%eax\n\txorl\t%edx,%edi\n\tmovl\t%ebx,%esi\n\tshldl\t$5,%ebx,%ebx\n\taddl\t%edi,%eax\n\tshrdl\t$7,%ecx,%ecx\n\taddl\t%ebx,%eax\n\taddl\t0(%r8),%eax\n\taddl\t4(%r8),%esi\n\taddl\t8(%r8),%ecx\n\taddl\t12(%r8),%edx\n\tmovl\t%eax,0(%r8)\n\taddl\t16(%r8),%ebp\n\tmovl\t%esi,4(%r8)\n\tmovl\t%esi,%ebx\n\tmovl\t%ecx,8(%r8)\n\tmovl\t%ecx,%edi\n\tmovl\t%edx,12(%r8)\n\txorl\t%edx,%edi\n\tmovl\t%ebp,16(%r8)\n\tandl\t%edi,%esi\n\tjmp\tL$oop_avx\n\n.p2align\t4\nL$done_avx:\n\taddl\t16(%rsp),%ebx\n\txorl\t%ebp,%esi\n\tmovl\t%ecx,%edi\n\tshldl\t$5,%ecx,%ecx\n\taddl\t%esi,%ebx\n\txorl\t%ebp,%edi\n\tshrdl\t$7,%edx,%edx\n\taddl\t%ecx,%ebx\n\taddl\t20(%rsp),%eax\n\txorl\t%edx,%edi\n\tmovl\t%ebx,%esi\n\tshldl\t$5,%ebx,%ebx\n\taddl\t%edi,%eax\n\txorl\t%edx,%esi\n\tshrdl\t$7,%ecx,%ecx\n\taddl\t%ebx,%eax\n\taddl\t24(%rsp),%ebp\n\txorl\t%ecx,%esi\n\tmovl\t%eax,%edi\n\tshldl\t$5,%eax,%eax\n\taddl\t%esi,%ebp\n\txorl\t%ecx,%edi\n\tshrdl\t$7,%ebx,%ebx\n\taddl\t%eax,%ebp\n\taddl\t28(%rsp),%edx\n\txorl\t%ebx,%edi\n\tmovl\t%ebp,%esi\n\tshldl\t$5,%ebp,%ebp\n\taddl\t%edi,%edx\n\txorl\t%ebx,%esi\n\tshrdl\t$7,%eax,%eax\n\taddl\t%ebp,%edx\n\taddl\t32(%rsp),%ecx\n\txorl\t%eax,%esi\n\tmovl\t%edx,%edi\n\tshldl\t$5,%edx,%edx\n\taddl\t%esi,%ecx\n\txorl\t%eax,%edi\n\tshrdl\t$7,%ebp,%ebp\n\taddl\t%edx,%ecx\n\taddl\t36(%rsp),%ebx\n\txorl\t%ebp,%edi\n\tmovl\t%ecx,%esi\n\tshldl\t$5,%ecx,%ecx\n\taddl\t%edi,%ebx\n\txorl\t%ebp,%esi\n\tshrdl\t$7,%edx,%edx\n\taddl\t%ecx,%ebx\n\taddl\t40(%rsp),%eax\n\txorl\t%edx,%esi\n\tmovl\t%ebx,%edi\n\tshldl\t$5,%ebx,%ebx\n\taddl\t%esi,%eax\n\txorl\t%edx,%edi\n\tshrdl\t$7,%ecx,%ecx\n\taddl\t%ebx,%eax\n\taddl\t44(%rsp),%ebp\n\txorl\t%ecx,%edi\n\tmovl\t%eax,%esi\n\tshldl\t$5,%eax,%eax\n\taddl\t%edi,%ebp\n\txorl\t%ecx,%esi\n\tshrdl\t$7,%ebx,%ebx\n\taddl\t%eax,%ebp\n\taddl\t48(%rsp),%edx\n\txorl\t%ebx,%esi\n\tmovl\t%ebp,%edi\n\tshldl\t$5,%ebp,%ebp\n\taddl\t%esi,%edx\n\txorl\t%ebx,%edi\n\tshrdl\t$7,%eax,%eax\n\taddl\t%ebp,%edx\n\taddl\t52(%rsp),%ecx\n\txorl\t%eax,%edi\n\tmovl\t%edx,%esi\n\tshldl\t$5,%edx,%edx\n\taddl\t%edi,%ecx\n\txorl\t%eax,%esi\n\tshrdl\t$7,%ebp,%ebp\n\taddl\t%edx,%ecx\n\taddl\t56(%rsp),%ebx\n\txorl\t%ebp,%esi\n\tmovl\t%ecx,%edi\n\tshldl\t$5,%ecx,%ecx\n\taddl\t%esi,%ebx\n\txorl\t%ebp,%edi\n\tshrdl\t$7,%edx,%edx\n\taddl\t%ecx,%ebx\n\taddl\t60(%rsp),%eax\n\txorl\t%edx,%edi\n\tmovl\t%ebx,%esi\n\tshldl\t$5,%ebx,%ebx\n\taddl\t%edi,%eax\n\tshrdl\t$7,%ecx,%ecx\n\taddl\t%ebx,%eax\n\tvzeroupper\n\n\taddl\t0(%r8),%eax\n\taddl\t4(%r8),%esi\n\taddl\t8(%r8),%ecx\n\tmovl\t%eax,0(%r8)\n\taddl\t12(%r8),%edx\n\tmovl\t%esi,4(%r8)\n\taddl\t16(%r8),%ebp\n\tmovl\t%ecx,8(%r8)\n\tmovl\t%edx,12(%r8)\n\tmovl\t%ebp,16(%r8)\n\tmovq\t-40(%r11),%r14\n\n\tmovq\t-32(%r11),%r13\n\n\tmovq\t-24(%r11),%r12\n\n\tmovq\t-16(%r11),%rbp\n\n\tmovq\t-8(%r11),%rbx\n\n\tleaq\t(%r11),%rsp\n\nL$epilogue_avx:\n\tret\n\n\n.globl\t_sha1_block_data_order_avx2\n.private_extern _sha1_block_data_order_avx2\n\n.p2align\t4\n_sha1_block_data_order_avx2:\n\n_CET_ENDBR\n\tmovq\t%rsp,%r11\n\n\tpushq\t%rbx\n\n\tpushq\t%rbp\n\n\tpushq\t%r12\n\n\tpushq\t%r13\n\n\tpushq\t%r14\n\n\tvzeroupper\n\tmovq\t%rdi,%r8\n\tmovq\t%rsi,%r9\n\tmovq\t%rdx,%r10\n\n\tleaq\t-640(%rsp),%rsp\n\tshlq\t$6,%r10\n\tleaq\t64(%r9),%r13\n\tandq\t$-128,%rsp\n\taddq\t%r9,%r10\n\tleaq\tK_XX_XX+64(%rip),%r14\n\n\tmovl\t0(%r8),%eax\n\tcmpq\t%r10,%r13\n\tcmovaeq\t%r9,%r13\n\tmovl\t4(%r8),%ebp\n\tmovl\t8(%r8),%ecx\n\tmovl\t12(%r8),%edx\n\tmovl\t16(%r8),%esi\n\tvmovdqu\t64(%r14),%ymm6\n\n\tvmovdqu\t(%r9),%xmm0\n\tvmovdqu\t16(%r9),%xmm1\n\tvmovdqu\t32(%r9),%xmm2\n\tvmovdqu\t48(%r9),%xmm3\n\tleaq\t64(%r9),%r9\n\tvinserti128\t$1,(%r13),%ymm0,%ymm0\n\tvinserti128\t$1,16(%r13),%ymm1,%ymm1\n\tvpshufb\t%ymm6,%ymm0,%ymm0\n\tvinserti128\t$1,32(%r13),%ymm2,%ymm2\n\tvpshufb\t%ymm6,%ymm1,%ymm1\n\tvinserti128\t$1,48(%r13),%ymm3,%ymm3\n\tvpshufb\t%ymm6,%ymm2,%ymm2\n\tvmovdqu\t-64(%r14),%ymm11\n\tvpshufb\t%ymm6,%ymm3,%ymm3\n\n\tvpaddd\t%ymm11,%ymm0,%ymm4\n\tvpaddd\t%ymm11,%ymm1,%ymm5\n\tvmovdqu\t%ymm4,0(%rsp)\n\tvpaddd\t%ymm11,%ymm2,%ymm6\n\tvmovdqu\t%ymm5,32(%rsp)\n\tvpaddd\t%ymm11,%ymm3,%ymm7\n\tvmovdqu\t%ymm6,64(%rsp)\n\tvmovdqu\t%ymm7,96(%rsp)\n\tvpalignr\t$8,%ymm0,%ymm1,%ymm4\n\tvpsrldq\t$4,%ymm3,%ymm8\n\tvpxor\t%ymm0,%ymm4,%ymm4\n\tvpxor\t%ymm2,%ymm8,%ymm8\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvpsrld\t$31,%ymm4,%ymm8\n\tvpslldq\t$12,%ymm4,%ymm10\n\tvpaddd\t%ymm4,%ymm4,%ymm4\n\tvpsrld\t$30,%ymm10,%ymm9\n\tvpor\t%ymm8,%ymm4,%ymm4\n\tvpslld\t$2,%ymm10,%ymm10\n\tvpxor\t%ymm9,%ymm4,%ymm4\n\tvpxor\t%ymm10,%ymm4,%ymm4\n\tvpaddd\t%ymm11,%ymm4,%ymm9\n\tvmovdqu\t%ymm9,128(%rsp)\n\tvpalignr\t$8,%ymm1,%ymm2,%ymm5\n\tvpsrldq\t$4,%ymm4,%ymm8\n\tvpxor\t%ymm1,%ymm5,%ymm5\n\tvpxor\t%ymm3,%ymm8,%ymm8\n\tvpxor\t%ymm8,%ymm5,%ymm5\n\tvpsrld\t$31,%ymm5,%ymm8\n\tvmovdqu\t-32(%r14),%ymm11\n\tvpslldq\t$12,%ymm5,%ymm10\n\tvpaddd\t%ymm5,%ymm5,%ymm5\n\tvpsrld\t$30,%ymm10,%ymm9\n\tvpor\t%ymm8,%ymm5,%ymm5\n\tvpslld\t$2,%ymm10,%ymm10\n\tvpxor\t%ymm9,%ymm5,%ymm5\n\tvpxor\t%ymm10,%ymm5,%ymm5\n\tvpaddd\t%ymm11,%ymm5,%ymm9\n\tvmovdqu\t%ymm9,160(%rsp)\n\tvpalignr\t$8,%ymm2,%ymm3,%ymm6\n\tvpsrldq\t$4,%ymm5,%ymm8\n\tvpxor\t%ymm2,%ymm6,%ymm6\n\tvpxor\t%ymm4,%ymm8,%ymm8\n\tvpxor\t%ymm8,%ymm6,%ymm6\n\tvpsrld\t$31,%ymm6,%ymm8\n\tvpslldq\t$12,%ymm6,%ymm10\n\tvpaddd\t%ymm6,%ymm6,%ymm6\n\tvpsrld\t$30,%ymm10,%ymm9\n\tvpor\t%ymm8,%ymm6,%ymm6\n\tvpslld\t$2,%ymm10,%ymm10\n\tvpxor\t%ymm9,%ymm6,%ymm6\n\tvpxor\t%ymm10,%ymm6,%ymm6\n\tvpaddd\t%ymm11,%ymm6,%ymm9\n\tvmovdqu\t%ymm9,192(%rsp)\n\tvpalignr\t$8,%ymm3,%ymm4,%ymm7\n\tvpsrldq\t$4,%ymm6,%ymm8\n\tvpxor\t%ymm3,%ymm7,%ymm7\n\tvpxor\t%ymm5,%ymm8,%ymm8\n\tvpxor\t%ymm8,%ymm7,%ymm7\n\tvpsrld\t$31,%ymm7,%ymm8\n\tvpslldq\t$12,%ymm7,%ymm10\n\tvpaddd\t%ymm7,%ymm7,%ymm7\n\tvpsrld\t$30,%ymm10,%ymm9\n\tvpor\t%ymm8,%ymm7,%ymm7\n\tvpslld\t$2,%ymm10,%ymm10\n\tvpxor\t%ymm9,%ymm7,%ymm7\n\tvpxor\t%ymm10,%ymm7,%ymm7\n\tvpaddd\t%ymm11,%ymm7,%ymm9\n\tvmovdqu\t%ymm9,224(%rsp)\n\tleaq\t128(%rsp),%r13\n\tjmp\tL$oop_avx2\n.p2align\t5\nL$oop_avx2:\n\trorxl\t$2,%ebp,%ebx\n\tandnl\t%edx,%ebp,%edi\n\tandl\t%ecx,%ebp\n\txorl\t%edi,%ebp\n\tjmp\tL$align32_1\n.p2align\t5\nL$align32_1:\n\tvpalignr\t$8,%ymm6,%ymm7,%ymm8\n\tvpxor\t%ymm4,%ymm0,%ymm0\n\taddl\t-128(%r13),%esi\n\tandnl\t%ecx,%eax,%edi\n\tvpxor\t%ymm1,%ymm0,%ymm0\n\taddl\t%ebp,%esi\n\trorxl\t$27,%eax,%r12d\n\trorxl\t$2,%eax,%ebp\n\tvpxor\t%ymm8,%ymm0,%ymm0\n\tandl\t%ebx,%eax\n\taddl\t%r12d,%esi\n\txorl\t%edi,%eax\n\tvpsrld\t$30,%ymm0,%ymm8\n\tvpslld\t$2,%ymm0,%ymm0\n\taddl\t-124(%r13),%edx\n\tandnl\t%ebx,%esi,%edi\n\taddl\t%eax,%edx\n\trorxl\t$27,%esi,%r12d\n\trorxl\t$2,%esi,%eax\n\tandl\t%ebp,%esi\n\tvpor\t%ymm8,%ymm0,%ymm0\n\taddl\t%r12d,%edx\n\txorl\t%edi,%esi\n\taddl\t-120(%r13),%ecx\n\tandnl\t%ebp,%edx,%edi\n\tvpaddd\t%ymm11,%ymm0,%ymm9\n\taddl\t%esi,%ecx\n\trorxl\t$27,%edx,%r12d\n\trorxl\t$2,%edx,%esi\n\tandl\t%eax,%edx\n\tvmovdqu\t%ymm9,256(%rsp)\n\taddl\t%r12d,%ecx\n\txorl\t%edi,%edx\n\taddl\t-116(%r13),%ebx\n\tandnl\t%eax,%ecx,%edi\n\taddl\t%edx,%ebx\n\trorxl\t$27,%ecx,%r12d\n\trorxl\t$2,%ecx,%edx\n\tandl\t%esi,%ecx\n\taddl\t%r12d,%ebx\n\txorl\t%edi,%ecx\n\taddl\t-96(%r13),%ebp\n\tandnl\t%esi,%ebx,%edi\n\taddl\t%ecx,%ebp\n\trorxl\t$27,%ebx,%r12d\n\trorxl\t$2,%ebx,%ecx\n\tandl\t%edx,%ebx\n\taddl\t%r12d,%ebp\n\txorl\t%edi,%ebx\n\tvpalignr\t$8,%ymm7,%ymm0,%ymm8\n\tvpxor\t%ymm5,%ymm1,%ymm1\n\taddl\t-92(%r13),%eax\n\tandnl\t%edx,%ebp,%edi\n\tvpxor\t%ymm2,%ymm1,%ymm1\n\taddl\t%ebx,%eax\n\trorxl\t$27,%ebp,%r12d\n\trorxl\t$2,%ebp,%ebx\n\tvpxor\t%ymm8,%ymm1,%ymm1\n\tandl\t%ecx,%ebp\n\taddl\t%r12d,%eax\n\txorl\t%edi,%ebp\n\tvpsrld\t$30,%ymm1,%ymm8\n\tvpslld\t$2,%ymm1,%ymm1\n\taddl\t-88(%r13),%esi\n\tandnl\t%ecx,%eax,%edi\n\taddl\t%ebp,%esi\n\trorxl\t$27,%eax,%r12d\n\trorxl\t$2,%eax,%ebp\n\tandl\t%ebx,%eax\n\tvpor\t%ymm8,%ymm1,%ymm1\n\taddl\t%r12d,%esi\n\txorl\t%edi,%eax\n\taddl\t-84(%r13),%edx\n\tandnl\t%ebx,%esi,%edi\n\tvpaddd\t%ymm11,%ymm1,%ymm9\n\taddl\t%eax,%edx\n\trorxl\t$27,%esi,%r12d\n\trorxl\t$2,%esi,%eax\n\tandl\t%ebp,%esi\n\tvmovdqu\t%ymm9,288(%rsp)\n\taddl\t%r12d,%edx\n\txorl\t%edi,%esi\n\taddl\t-64(%r13),%ecx\n\tandnl\t%ebp,%edx,%edi\n\taddl\t%esi,%ecx\n\trorxl\t$27,%edx,%r12d\n\trorxl\t$2,%edx,%esi\n\tandl\t%eax,%edx\n\taddl\t%r12d,%ecx\n\txorl\t%edi,%edx\n\taddl\t-60(%r13),%ebx\n\tandnl\t%eax,%ecx,%edi\n\taddl\t%edx,%ebx\n\trorxl\t$27,%ecx,%r12d\n\trorxl\t$2,%ecx,%edx\n\tandl\t%esi,%ecx\n\taddl\t%r12d,%ebx\n\txorl\t%edi,%ecx\n\tvpalignr\t$8,%ymm0,%ymm1,%ymm8\n\tvpxor\t%ymm6,%ymm2,%ymm2\n\taddl\t-56(%r13),%ebp\n\tandnl\t%esi,%ebx,%edi\n\tvpxor\t%ymm3,%ymm2,%ymm2\n\tvmovdqu\t0(%r14),%ymm11\n\taddl\t%ecx,%ebp\n\trorxl\t$27,%ebx,%r12d\n\trorxl\t$2,%ebx,%ecx\n\tvpxor\t%ymm8,%ymm2,%ymm2\n\tandl\t%edx,%ebx\n\taddl\t%r12d,%ebp\n\txorl\t%edi,%ebx\n\tvpsrld\t$30,%ymm2,%ymm8\n\tvpslld\t$2,%ymm2,%ymm2\n\taddl\t-52(%r13),%eax\n\tandnl\t%edx,%ebp,%edi\n\taddl\t%ebx,%eax\n\trorxl\t$27,%ebp,%r12d\n\trorxl\t$2,%ebp,%ebx\n\tandl\t%ecx,%ebp\n\tvpor\t%ymm8,%ymm2,%ymm2\n\taddl\t%r12d,%eax\n\txorl\t%edi,%ebp\n\taddl\t-32(%r13),%esi\n\tandnl\t%ecx,%eax,%edi\n\tvpaddd\t%ymm11,%ymm2,%ymm9\n\taddl\t%ebp,%esi\n\trorxl\t$27,%eax,%r12d\n\trorxl\t$2,%eax,%ebp\n\tandl\t%ebx,%eax\n\tvmovdqu\t%ymm9,320(%rsp)\n\taddl\t%r12d,%esi\n\txorl\t%edi,%eax\n\taddl\t-28(%r13),%edx\n\tandnl\t%ebx,%esi,%edi\n\taddl\t%eax,%edx\n\trorxl\t$27,%esi,%r12d\n\trorxl\t$2,%esi,%eax\n\tandl\t%ebp,%esi\n\taddl\t%r12d,%edx\n\txorl\t%edi,%esi\n\taddl\t-24(%r13),%ecx\n\tandnl\t%ebp,%edx,%edi\n\taddl\t%esi,%ecx\n\trorxl\t$27,%edx,%r12d\n\trorxl\t$2,%edx,%esi\n\tandl\t%eax,%edx\n\taddl\t%r12d,%ecx\n\txorl\t%edi,%edx\n\tvpalignr\t$8,%ymm1,%ymm2,%ymm8\n\tvpxor\t%ymm7,%ymm3,%ymm3\n\taddl\t-20(%r13),%ebx\n\tandnl\t%eax,%ecx,%edi\n\tvpxor\t%ymm4,%ymm3,%ymm3\n\taddl\t%edx,%ebx\n\trorxl\t$27,%ecx,%r12d\n\trorxl\t$2,%ecx,%edx\n\tvpxor\t%ymm8,%ymm3,%ymm3\n\tandl\t%esi,%ecx\n\taddl\t%r12d,%ebx\n\txorl\t%edi,%ecx\n\tvpsrld\t$30,%ymm3,%ymm8\n\tvpslld\t$2,%ymm3,%ymm3\n\taddl\t0(%r13),%ebp\n\tandnl\t%esi,%ebx,%edi\n\taddl\t%ecx,%ebp\n\trorxl\t$27,%ebx,%r12d\n\trorxl\t$2,%ebx,%ecx\n\tandl\t%edx,%ebx\n\tvpor\t%ymm8,%ymm3,%ymm3\n\taddl\t%r12d,%ebp\n\txorl\t%edi,%ebx\n\taddl\t4(%r13),%eax\n\tandnl\t%edx,%ebp,%edi\n\tvpaddd\t%ymm11,%ymm3,%ymm9\n\taddl\t%ebx,%eax\n\trorxl\t$27,%ebp,%r12d\n\trorxl\t$2,%ebp,%ebx\n\tandl\t%ecx,%ebp\n\tvmovdqu\t%ymm9,352(%rsp)\n\taddl\t%r12d,%eax\n\txorl\t%edi,%ebp\n\taddl\t8(%r13),%esi\n\tandnl\t%ecx,%eax,%edi\n\taddl\t%ebp,%esi\n\trorxl\t$27,%eax,%r12d\n\trorxl\t$2,%eax,%ebp\n\tandl\t%ebx,%eax\n\taddl\t%r12d,%esi\n\txorl\t%edi,%eax\n\taddl\t12(%r13),%edx\n\tleal\t(%rdx,%rax,1),%edx\n\trorxl\t$27,%esi,%r12d\n\trorxl\t$2,%esi,%eax\n\txorl\t%ebp,%esi\n\taddl\t%r12d,%edx\n\txorl\t%ebx,%esi\n\tvpalignr\t$8,%ymm2,%ymm3,%ymm8\n\tvpxor\t%ymm0,%ymm4,%ymm4\n\taddl\t32(%r13),%ecx\n\tleal\t(%rcx,%rsi,1),%ecx\n\tvpxor\t%ymm5,%ymm4,%ymm4\n\trorxl\t$27,%edx,%r12d\n\trorxl\t$2,%edx,%esi\n\txorl\t%eax,%edx\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\taddl\t%r12d,%ecx\n\txorl\t%ebp,%edx\n\taddl\t36(%r13),%ebx\n\tvpsrld\t$30,%ymm4,%ymm8\n\tvpslld\t$2,%ymm4,%ymm4\n\tleal\t(%rbx,%rdx,1),%ebx\n\trorxl\t$27,%ecx,%r12d\n\trorxl\t$2,%ecx,%edx\n\txorl\t%esi,%ecx\n\taddl\t%r12d,%ebx\n\txorl\t%eax,%ecx\n\tvpor\t%ymm8,%ymm4,%ymm4\n\taddl\t40(%r13),%ebp\n\tleal\t(%rcx,%rbp,1),%ebp\n\trorxl\t$27,%ebx,%r12d\n\trorxl\t$2,%ebx,%ecx\n\tvpaddd\t%ymm11,%ymm4,%ymm9\n\txorl\t%edx,%ebx\n\taddl\t%r12d,%ebp\n\txorl\t%esi,%ebx\n\taddl\t44(%r13),%eax\n\tvmovdqu\t%ymm9,384(%rsp)\n\tleal\t(%rax,%rbx,1),%eax\n\trorxl\t$27,%ebp,%r12d\n\trorxl\t$2,%ebp,%ebx\n\txorl\t%ecx,%ebp\n\taddl\t%r12d,%eax\n\txorl\t%edx,%ebp\n\taddl\t64(%r13),%esi\n\tleal\t(%rsi,%rbp,1),%esi\n\trorxl\t$27,%eax,%r12d\n\trorxl\t$2,%eax,%ebp\n\txorl\t%ebx,%eax\n\taddl\t%r12d,%esi\n\txorl\t%ecx,%eax\n\tvpalignr\t$8,%ymm3,%ymm4,%ymm8\n\tvpxor\t%ymm1,%ymm5,%ymm5\n\taddl\t68(%r13),%edx\n\tleal\t(%rdx,%rax,1),%edx\n\tvpxor\t%ymm6,%ymm5,%ymm5\n\trorxl\t$27,%esi,%r12d\n\trorxl\t$2,%esi,%eax\n\txorl\t%ebp,%esi\n\tvpxor\t%ymm8,%ymm5,%ymm5\n\taddl\t%r12d,%edx\n\txorl\t%ebx,%esi\n\taddl\t72(%r13),%ecx\n\tvpsrld\t$30,%ymm5,%ymm8\n\tvpslld\t$2,%ymm5,%ymm5\n\tleal\t(%rcx,%rsi,1),%ecx\n\trorxl\t$27,%edx,%r12d\n\trorxl\t$2,%edx,%esi\n\txorl\t%eax,%edx\n\taddl\t%r12d,%ecx\n\txorl\t%ebp,%edx\n\tvpor\t%ymm8,%ymm5,%ymm5\n\taddl\t76(%r13),%ebx\n\tleal\t(%rbx,%rdx,1),%ebx\n\trorxl\t$27,%ecx,%r12d\n\trorxl\t$2,%ecx,%edx\n\tvpaddd\t%ymm11,%ymm5,%ymm9\n\txorl\t%esi,%ecx\n\taddl\t%r12d,%ebx\n\txorl\t%eax,%ecx\n\taddl\t96(%r13),%ebp\n\tvmovdqu\t%ymm9,416(%rsp)\n\tleal\t(%rcx,%rbp,1),%ebp\n\trorxl\t$27,%ebx,%r12d\n\trorxl\t$2,%ebx,%ecx\n\txorl\t%edx,%ebx\n\taddl\t%r12d,%ebp\n\txorl\t%esi,%ebx\n\taddl\t100(%r13),%eax\n\tleal\t(%rax,%rbx,1),%eax\n\trorxl\t$27,%ebp,%r12d\n\trorxl\t$2,%ebp,%ebx\n\txorl\t%ecx,%ebp\n\taddl\t%r12d,%eax\n\txorl\t%edx,%ebp\n\tvpalignr\t$8,%ymm4,%ymm5,%ymm8\n\tvpxor\t%ymm2,%ymm6,%ymm6\n\taddl\t104(%r13),%esi\n\tleal\t(%rsi,%rbp,1),%esi\n\tvpxor\t%ymm7,%ymm6,%ymm6\n\trorxl\t$27,%eax,%r12d\n\trorxl\t$2,%eax,%ebp\n\txorl\t%ebx,%eax\n\tvpxor\t%ymm8,%ymm6,%ymm6\n\taddl\t%r12d,%esi\n\txorl\t%ecx,%eax\n\taddl\t108(%r13),%edx\n\tleaq\t256(%r13),%r13\n\tvpsrld\t$30,%ymm6,%ymm8\n\tvpslld\t$2,%ymm6,%ymm6\n\tleal\t(%rdx,%rax,1),%edx\n\trorxl\t$27,%esi,%r12d\n\trorxl\t$2,%esi,%eax\n\txorl\t%ebp,%esi\n\taddl\t%r12d,%edx\n\txorl\t%ebx,%esi\n\tvpor\t%ymm8,%ymm6,%ymm6\n\taddl\t-128(%r13),%ecx\n\tleal\t(%rcx,%rsi,1),%ecx\n\trorxl\t$27,%edx,%r12d\n\trorxl\t$2,%edx,%esi\n\tvpaddd\t%ymm11,%ymm6,%ymm9\n\txorl\t%eax,%edx\n\taddl\t%r12d,%ecx\n\txorl\t%ebp,%edx\n\taddl\t-124(%r13),%ebx\n\tvmovdqu\t%ymm9,448(%rsp)\n\tleal\t(%rbx,%rdx,1),%ebx\n\trorxl\t$27,%ecx,%r12d\n\trorxl\t$2,%ecx,%edx\n\txorl\t%esi,%ecx\n\taddl\t%r12d,%ebx\n\txorl\t%eax,%ecx\n\taddl\t-120(%r13),%ebp\n\tleal\t(%rcx,%rbp,1),%ebp\n\trorxl\t$27,%ebx,%r12d\n\trorxl\t$2,%ebx,%ecx\n\txorl\t%edx,%ebx\n\taddl\t%r12d,%ebp\n\txorl\t%esi,%ebx\n\tvpalignr\t$8,%ymm5,%ymm6,%ymm8\n\tvpxor\t%ymm3,%ymm7,%ymm7\n\taddl\t-116(%r13),%eax\n\tleal\t(%rax,%rbx,1),%eax\n\tvpxor\t%ymm0,%ymm7,%ymm7\n\tvmovdqu\t32(%r14),%ymm11\n\trorxl\t$27,%ebp,%r12d\n\trorxl\t$2,%ebp,%ebx\n\txorl\t%ecx,%ebp\n\tvpxor\t%ymm8,%ymm7,%ymm7\n\taddl\t%r12d,%eax\n\txorl\t%edx,%ebp\n\taddl\t-96(%r13),%esi\n\tvpsrld\t$30,%ymm7,%ymm8\n\tvpslld\t$2,%ymm7,%ymm7\n\tleal\t(%rsi,%rbp,1),%esi\n\trorxl\t$27,%eax,%r12d\n\trorxl\t$2,%eax,%ebp\n\txorl\t%ebx,%eax\n\taddl\t%r12d,%esi\n\txorl\t%ecx,%eax\n\tvpor\t%ymm8,%ymm7,%ymm7\n\taddl\t-92(%r13),%edx\n\tleal\t(%rdx,%rax,1),%edx\n\trorxl\t$27,%esi,%r12d\n\trorxl\t$2,%esi,%eax\n\tvpaddd\t%ymm11,%ymm7,%ymm9\n\txorl\t%ebp,%esi\n\taddl\t%r12d,%edx\n\txorl\t%ebx,%esi\n\taddl\t-88(%r13),%ecx\n\tvmovdqu\t%ymm9,480(%rsp)\n\tleal\t(%rcx,%rsi,1),%ecx\n\trorxl\t$27,%edx,%r12d\n\trorxl\t$2,%edx,%esi\n\txorl\t%eax,%edx\n\taddl\t%r12d,%ecx\n\txorl\t%ebp,%edx\n\taddl\t-84(%r13),%ebx\n\tmovl\t%esi,%edi\n\txorl\t%eax,%edi\n\tleal\t(%rbx,%rdx,1),%ebx\n\trorxl\t$27,%ecx,%r12d\n\trorxl\t$2,%ecx,%edx\n\txorl\t%esi,%ecx\n\taddl\t%r12d,%ebx\n\tandl\t%edi,%ecx\n\tjmp\tL$align32_2\n.p2align\t5\nL$align32_2:\n\tvpalignr\t$8,%ymm6,%ymm7,%ymm8\n\tvpxor\t%ymm4,%ymm0,%ymm0\n\taddl\t-64(%r13),%ebp\n\txorl\t%esi,%ecx\n\tvpxor\t%ymm1,%ymm0,%ymm0\n\tmovl\t%edx,%edi\n\txorl\t%esi,%edi\n\tleal\t(%rcx,%rbp,1),%ebp\n\tvpxor\t%ymm8,%ymm0,%ymm0\n\trorxl\t$27,%ebx,%r12d\n\trorxl\t$2,%ebx,%ecx\n\txorl\t%edx,%ebx\n\tvpsrld\t$30,%ymm0,%ymm8\n\tvpslld\t$2,%ymm0,%ymm0\n\taddl\t%r12d,%ebp\n\tandl\t%edi,%ebx\n\taddl\t-60(%r13),%eax\n\txorl\t%edx,%ebx\n\tmovl\t%ecx,%edi\n\txorl\t%edx,%edi\n\tvpor\t%ymm8,%ymm0,%ymm0\n\tleal\t(%rax,%rbx,1),%eax\n\trorxl\t$27,%ebp,%r12d\n\trorxl\t$2,%ebp,%ebx\n\txorl\t%ecx,%ebp\n\tvpaddd\t%ymm11,%ymm0,%ymm9\n\taddl\t%r12d,%eax\n\tandl\t%edi,%ebp\n\taddl\t-56(%r13),%esi\n\txorl\t%ecx,%ebp\n\tvmovdqu\t%ymm9,512(%rsp)\n\tmovl\t%ebx,%edi\n\txorl\t%ecx,%edi\n\tleal\t(%rsi,%rbp,1),%esi\n\trorxl\t$27,%eax,%r12d\n\trorxl\t$2,%eax,%ebp\n\txorl\t%ebx,%eax\n\taddl\t%r12d,%esi\n\tandl\t%edi,%eax\n\taddl\t-52(%r13),%edx\n\txorl\t%ebx,%eax\n\tmovl\t%ebp,%edi\n\txorl\t%ebx,%edi\n\tleal\t(%rdx,%rax,1),%edx\n\trorxl\t$27,%esi,%r12d\n\trorxl\t$2,%esi,%eax\n\txorl\t%ebp,%esi\n\taddl\t%r12d,%edx\n\tandl\t%edi,%esi\n\taddl\t-32(%r13),%ecx\n\txorl\t%ebp,%esi\n\tmovl\t%eax,%edi\n\txorl\t%ebp,%edi\n\tleal\t(%rcx,%rsi,1),%ecx\n\trorxl\t$27,%edx,%r12d\n\trorxl\t$2,%edx,%esi\n\txorl\t%eax,%edx\n\taddl\t%r12d,%ecx\n\tandl\t%edi,%edx\n\tvpalignr\t$8,%ymm7,%ymm0,%ymm8\n\tvpxor\t%ymm5,%ymm1,%ymm1\n\taddl\t-28(%r13),%ebx\n\txorl\t%eax,%edx\n\tvpxor\t%ymm2,%ymm1,%ymm1\n\tmovl\t%esi,%edi\n\txorl\t%eax,%edi\n\tleal\t(%rbx,%rdx,1),%ebx\n\tvpxor\t%ymm8,%ymm1,%ymm1\n\trorxl\t$27,%ecx,%r12d\n\trorxl\t$2,%ecx,%edx\n\txorl\t%esi,%ecx\n\tvpsrld\t$30,%ymm1,%ymm8\n\tvpslld\t$2,%ymm1,%ymm1\n\taddl\t%r12d,%ebx\n\tandl\t%edi,%ecx\n\taddl\t-24(%r13),%ebp\n\txorl\t%esi,%ecx\n\tmovl\t%edx,%edi\n\txorl\t%esi,%edi\n\tvpor\t%ymm8,%ymm1,%ymm1\n\tleal\t(%rcx,%rbp,1),%ebp\n\trorxl\t$27,%ebx,%r12d\n\trorxl\t$2,%ebx,%ecx\n\txorl\t%edx,%ebx\n\tvpaddd\t%ymm11,%ymm1,%ymm9\n\taddl\t%r12d,%ebp\n\tandl\t%edi,%ebx\n\taddl\t-20(%r13),%eax\n\txorl\t%edx,%ebx\n\tvmovdqu\t%ymm9,544(%rsp)\n\tmovl\t%ecx,%edi\n\txorl\t%edx,%edi\n\tleal\t(%rax,%rbx,1),%eax\n\trorxl\t$27,%ebp,%r12d\n\trorxl\t$2,%ebp,%ebx\n\txorl\t%ecx,%ebp\n\taddl\t%r12d,%eax\n\tandl\t%edi,%ebp\n\taddl\t0(%r13),%esi\n\txorl\t%ecx,%ebp\n\tmovl\t%ebx,%edi\n\txorl\t%ecx,%edi\n\tleal\t(%rsi,%rbp,1),%esi\n\trorxl\t$27,%eax,%r12d\n\trorxl\t$2,%eax,%ebp\n\txorl\t%ebx,%eax\n\taddl\t%r12d,%esi\n\tandl\t%edi,%eax\n\taddl\t4(%r13),%edx\n\txorl\t%ebx,%eax\n\tmovl\t%ebp,%edi\n\txorl\t%ebx,%edi\n\tleal\t(%rdx,%rax,1),%edx\n\trorxl\t$27,%esi,%r12d\n\trorxl\t$2,%esi,%eax\n\txorl\t%ebp,%esi\n\taddl\t%r12d,%edx\n\tandl\t%edi,%esi\n\tvpalignr\t$8,%ymm0,%ymm1,%ymm8\n\tvpxor\t%ymm6,%ymm2,%ymm2\n\taddl\t8(%r13),%ecx\n\txorl\t%ebp,%esi\n\tvpxor\t%ymm3,%ymm2,%ymm2\n\tmovl\t%eax,%edi\n\txorl\t%ebp,%edi\n\tleal\t(%rcx,%rsi,1),%ecx\n\tvpxor\t%ymm8,%ymm2,%ymm2\n\trorxl\t$27,%edx,%r12d\n\trorxl\t$2,%edx,%esi\n\txorl\t%eax,%edx\n\tvpsrld\t$30,%ymm2,%ymm8\n\tvpslld\t$2,%ymm2,%ymm2\n\taddl\t%r12d,%ecx\n\tandl\t%edi,%edx\n\taddl\t12(%r13),%ebx\n\txorl\t%eax,%edx\n\tmovl\t%esi,%edi\n\txorl\t%eax,%edi\n\tvpor\t%ymm8,%ymm2,%ymm2\n\tleal\t(%rbx,%rdx,1),%ebx\n\trorxl\t$27,%ecx,%r12d\n\trorxl\t$2,%ecx,%edx\n\txorl\t%esi,%ecx\n\tvpaddd\t%ymm11,%ymm2,%ymm9\n\taddl\t%r12d,%ebx\n\tandl\t%edi,%ecx\n\taddl\t32(%r13),%ebp\n\txorl\t%esi,%ecx\n\tvmovdqu\t%ymm9,576(%rsp)\n\tmovl\t%edx,%edi\n\txorl\t%esi,%edi\n\tleal\t(%rcx,%rbp,1),%ebp\n\trorxl\t$27,%ebx,%r12d\n\trorxl\t$2,%ebx,%ecx\n\txorl\t%edx,%ebx\n\taddl\t%r12d,%ebp\n\tandl\t%edi,%ebx\n\taddl\t36(%r13),%eax\n\txorl\t%edx,%ebx\n\tmovl\t%ecx,%edi\n\txorl\t%edx,%edi\n\tleal\t(%rax,%rbx,1),%eax\n\trorxl\t$27,%ebp,%r12d\n\trorxl\t$2,%ebp,%ebx\n\txorl\t%ecx,%ebp\n\taddl\t%r12d,%eax\n\tandl\t%edi,%ebp\n\taddl\t40(%r13),%esi\n\txorl\t%ecx,%ebp\n\tmovl\t%ebx,%edi\n\txorl\t%ecx,%edi\n\tleal\t(%rsi,%rbp,1),%esi\n\trorxl\t$27,%eax,%r12d\n\trorxl\t$2,%eax,%ebp\n\txorl\t%ebx,%eax\n\taddl\t%r12d,%esi\n\tandl\t%edi,%eax\n\tvpalignr\t$8,%ymm1,%ymm2,%ymm8\n\tvpxor\t%ymm7,%ymm3,%ymm3\n\taddl\t44(%r13),%edx\n\txorl\t%ebx,%eax\n\tvpxor\t%ymm4,%ymm3,%ymm3\n\tmovl\t%ebp,%edi\n\txorl\t%ebx,%edi\n\tleal\t(%rdx,%rax,1),%edx\n\tvpxor\t%ymm8,%ymm3,%ymm3\n\trorxl\t$27,%esi,%r12d\n\trorxl\t$2,%esi,%eax\n\txorl\t%ebp,%esi\n\tvpsrld\t$30,%ymm3,%ymm8\n\tvpslld\t$2,%ymm3,%ymm3\n\taddl\t%r12d,%edx\n\tandl\t%edi,%esi\n\taddl\t64(%r13),%ecx\n\txorl\t%ebp,%esi\n\tmovl\t%eax,%edi\n\txorl\t%ebp,%edi\n\tvpor\t%ymm8,%ymm3,%ymm3\n\tleal\t(%rcx,%rsi,1),%ecx\n\trorxl\t$27,%edx,%r12d\n\trorxl\t$2,%edx,%esi\n\txorl\t%eax,%edx\n\tvpaddd\t%ymm11,%ymm3,%ymm9\n\taddl\t%r12d,%ecx\n\tandl\t%edi,%edx\n\taddl\t68(%r13),%ebx\n\txorl\t%eax,%edx\n\tvmovdqu\t%ymm9,608(%rsp)\n\tmovl\t%esi,%edi\n\txorl\t%eax,%edi\n\tleal\t(%rbx,%rdx,1),%ebx\n\trorxl\t$27,%ecx,%r12d\n\trorxl\t$2,%ecx,%edx\n\txorl\t%esi,%ecx\n\taddl\t%r12d,%ebx\n\tandl\t%edi,%ecx\n\taddl\t72(%r13),%ebp\n\txorl\t%esi,%ecx\n\tmovl\t%edx,%edi\n\txorl\t%esi,%edi\n\tleal\t(%rcx,%rbp,1),%ebp\n\trorxl\t$27,%ebx,%r12d\n\trorxl\t$2,%ebx,%ecx\n\txorl\t%edx,%ebx\n\taddl\t%r12d,%ebp\n\tandl\t%edi,%ebx\n\taddl\t76(%r13),%eax\n\txorl\t%edx,%ebx\n\tleal\t(%rax,%rbx,1),%eax\n\trorxl\t$27,%ebp,%r12d\n\trorxl\t$2,%ebp,%ebx\n\txorl\t%ecx,%ebp\n\taddl\t%r12d,%eax\n\txorl\t%edx,%ebp\n\taddl\t96(%r13),%esi\n\tleal\t(%rsi,%rbp,1),%esi\n\trorxl\t$27,%eax,%r12d\n\trorxl\t$2,%eax,%ebp\n\txorl\t%ebx,%eax\n\taddl\t%r12d,%esi\n\txorl\t%ecx,%eax\n\taddl\t100(%r13),%edx\n\tleal\t(%rdx,%rax,1),%edx\n\trorxl\t$27,%esi,%r12d\n\trorxl\t$2,%esi,%eax\n\txorl\t%ebp,%esi\n\taddl\t%r12d,%edx\n\txorl\t%ebx,%esi\n\taddl\t104(%r13),%ecx\n\tleal\t(%rcx,%rsi,1),%ecx\n\trorxl\t$27,%edx,%r12d\n\trorxl\t$2,%edx,%esi\n\txorl\t%eax,%edx\n\taddl\t%r12d,%ecx\n\txorl\t%ebp,%edx\n\taddl\t108(%r13),%ebx\n\tleaq\t256(%r13),%r13\n\tleal\t(%rbx,%rdx,1),%ebx\n\trorxl\t$27,%ecx,%r12d\n\trorxl\t$2,%ecx,%edx\n\txorl\t%esi,%ecx\n\taddl\t%r12d,%ebx\n\txorl\t%eax,%ecx\n\taddl\t-128(%r13),%ebp\n\tleal\t(%rcx,%rbp,1),%ebp\n\trorxl\t$27,%ebx,%r12d\n\trorxl\t$2,%ebx,%ecx\n\txorl\t%edx,%ebx\n\taddl\t%r12d,%ebp\n\txorl\t%esi,%ebx\n\taddl\t-124(%r13),%eax\n\tleal\t(%rax,%rbx,1),%eax\n\trorxl\t$27,%ebp,%r12d\n\trorxl\t$2,%ebp,%ebx\n\txorl\t%ecx,%ebp\n\taddl\t%r12d,%eax\n\txorl\t%edx,%ebp\n\taddl\t-120(%r13),%esi\n\tleal\t(%rsi,%rbp,1),%esi\n\trorxl\t$27,%eax,%r12d\n\trorxl\t$2,%eax,%ebp\n\txorl\t%ebx,%eax\n\taddl\t%r12d,%esi\n\txorl\t%ecx,%eax\n\taddl\t-116(%r13),%edx\n\tleal\t(%rdx,%rax,1),%edx\n\trorxl\t$27,%esi,%r12d\n\trorxl\t$2,%esi,%eax\n\txorl\t%ebp,%esi\n\taddl\t%r12d,%edx\n\txorl\t%ebx,%esi\n\taddl\t-96(%r13),%ecx\n\tleal\t(%rcx,%rsi,1),%ecx\n\trorxl\t$27,%edx,%r12d\n\trorxl\t$2,%edx,%esi\n\txorl\t%eax,%edx\n\taddl\t%r12d,%ecx\n\txorl\t%ebp,%edx\n\taddl\t-92(%r13),%ebx\n\tleal\t(%rbx,%rdx,1),%ebx\n\trorxl\t$27,%ecx,%r12d\n\trorxl\t$2,%ecx,%edx\n\txorl\t%esi,%ecx\n\taddl\t%r12d,%ebx\n\txorl\t%eax,%ecx\n\taddl\t-88(%r13),%ebp\n\tleal\t(%rcx,%rbp,1),%ebp\n\trorxl\t$27,%ebx,%r12d\n\trorxl\t$2,%ebx,%ecx\n\txorl\t%edx,%ebx\n\taddl\t%r12d,%ebp\n\txorl\t%esi,%ebx\n\taddl\t-84(%r13),%eax\n\tleal\t(%rax,%rbx,1),%eax\n\trorxl\t$27,%ebp,%r12d\n\trorxl\t$2,%ebp,%ebx\n\txorl\t%ecx,%ebp\n\taddl\t%r12d,%eax\n\txorl\t%edx,%ebp\n\taddl\t-64(%r13),%esi\n\tleal\t(%rsi,%rbp,1),%esi\n\trorxl\t$27,%eax,%r12d\n\trorxl\t$2,%eax,%ebp\n\txorl\t%ebx,%eax\n\taddl\t%r12d,%esi\n\txorl\t%ecx,%eax\n\taddl\t-60(%r13),%edx\n\tleal\t(%rdx,%rax,1),%edx\n\trorxl\t$27,%esi,%r12d\n\trorxl\t$2,%esi,%eax\n\txorl\t%ebp,%esi\n\taddl\t%r12d,%edx\n\txorl\t%ebx,%esi\n\taddl\t-56(%r13),%ecx\n\tleal\t(%rcx,%rsi,1),%ecx\n\trorxl\t$27,%edx,%r12d\n\trorxl\t$2,%edx,%esi\n\txorl\t%eax,%edx\n\taddl\t%r12d,%ecx\n\txorl\t%ebp,%edx\n\taddl\t-52(%r13),%ebx\n\tleal\t(%rbx,%rdx,1),%ebx\n\trorxl\t$27,%ecx,%r12d\n\trorxl\t$2,%ecx,%edx\n\txorl\t%esi,%ecx\n\taddl\t%r12d,%ebx\n\txorl\t%eax,%ecx\n\taddl\t-32(%r13),%ebp\n\tleal\t(%rcx,%rbp,1),%ebp\n\trorxl\t$27,%ebx,%r12d\n\trorxl\t$2,%ebx,%ecx\n\txorl\t%edx,%ebx\n\taddl\t%r12d,%ebp\n\txorl\t%esi,%ebx\n\taddl\t-28(%r13),%eax\n\tleal\t(%rax,%rbx,1),%eax\n\trorxl\t$27,%ebp,%r12d\n\trorxl\t$2,%ebp,%ebx\n\txorl\t%ecx,%ebp\n\taddl\t%r12d,%eax\n\txorl\t%edx,%ebp\n\taddl\t-24(%r13),%esi\n\tleal\t(%rsi,%rbp,1),%esi\n\trorxl\t$27,%eax,%r12d\n\trorxl\t$2,%eax,%ebp\n\txorl\t%ebx,%eax\n\taddl\t%r12d,%esi\n\txorl\t%ecx,%eax\n\taddl\t-20(%r13),%edx\n\tleal\t(%rdx,%rax,1),%edx\n\trorxl\t$27,%esi,%r12d\n\taddl\t%r12d,%edx\n\tleaq\t128(%r9),%r13\n\tleaq\t128(%r9),%rdi\n\tcmpq\t%r10,%r13\n\tcmovaeq\t%r9,%r13\n\n\n\taddl\t0(%r8),%edx\n\taddl\t4(%r8),%esi\n\taddl\t8(%r8),%ebp\n\tmovl\t%edx,0(%r8)\n\taddl\t12(%r8),%ebx\n\tmovl\t%esi,4(%r8)\n\tmovl\t%edx,%eax\n\taddl\t16(%r8),%ecx\n\tmovl\t%ebp,%r12d\n\tmovl\t%ebp,8(%r8)\n\tmovl\t%ebx,%edx\n\n\tmovl\t%ebx,12(%r8)\n\tmovl\t%esi,%ebp\n\tmovl\t%ecx,16(%r8)\n\n\tmovl\t%ecx,%esi\n\tmovl\t%r12d,%ecx\n\n\n\tcmpq\t%r10,%r9\n\tje\tL$done_avx2\n\tvmovdqu\t64(%r14),%ymm6\n\tcmpq\t%r10,%rdi\n\tja\tL$ast_avx2\n\n\tvmovdqu\t-64(%rdi),%xmm0\n\tvmovdqu\t-48(%rdi),%xmm1\n\tvmovdqu\t-32(%rdi),%xmm2\n\tvmovdqu\t-16(%rdi),%xmm3\n\tvinserti128\t$1,0(%r13),%ymm0,%ymm0\n\tvinserti128\t$1,16(%r13),%ymm1,%ymm1\n\tvinserti128\t$1,32(%r13),%ymm2,%ymm2\n\tvinserti128\t$1,48(%r13),%ymm3,%ymm3\n\tjmp\tL$ast_avx2\n\n.p2align\t5\nL$ast_avx2:\n\tleaq\t128+16(%rsp),%r13\n\trorxl\t$2,%ebp,%ebx\n\tandnl\t%edx,%ebp,%edi\n\tandl\t%ecx,%ebp\n\txorl\t%edi,%ebp\n\tsubq\t$-128,%r9\n\taddl\t-128(%r13),%esi\n\tandnl\t%ecx,%eax,%edi\n\taddl\t%ebp,%esi\n\trorxl\t$27,%eax,%r12d\n\trorxl\t$2,%eax,%ebp\n\tandl\t%ebx,%eax\n\taddl\t%r12d,%esi\n\txorl\t%edi,%eax\n\taddl\t-124(%r13),%edx\n\tandnl\t%ebx,%esi,%edi\n\taddl\t%eax,%edx\n\trorxl\t$27,%esi,%r12d\n\trorxl\t$2,%esi,%eax\n\tandl\t%ebp,%esi\n\taddl\t%r12d,%edx\n\txorl\t%edi,%esi\n\taddl\t-120(%r13),%ecx\n\tandnl\t%ebp,%edx,%edi\n\taddl\t%esi,%ecx\n\trorxl\t$27,%edx,%r12d\n\trorxl\t$2,%edx,%esi\n\tandl\t%eax,%edx\n\taddl\t%r12d,%ecx\n\txorl\t%edi,%edx\n\taddl\t-116(%r13),%ebx\n\tandnl\t%eax,%ecx,%edi\n\taddl\t%edx,%ebx\n\trorxl\t$27,%ecx,%r12d\n\trorxl\t$2,%ecx,%edx\n\tandl\t%esi,%ecx\n\taddl\t%r12d,%ebx\n\txorl\t%edi,%ecx\n\taddl\t-96(%r13),%ebp\n\tandnl\t%esi,%ebx,%edi\n\taddl\t%ecx,%ebp\n\trorxl\t$27,%ebx,%r12d\n\trorxl\t$2,%ebx,%ecx\n\tandl\t%edx,%ebx\n\taddl\t%r12d,%ebp\n\txorl\t%edi,%ebx\n\taddl\t-92(%r13),%eax\n\tandnl\t%edx,%ebp,%edi\n\taddl\t%ebx,%eax\n\trorxl\t$27,%ebp,%r12d\n\trorxl\t$2,%ebp,%ebx\n\tandl\t%ecx,%ebp\n\taddl\t%r12d,%eax\n\txorl\t%edi,%ebp\n\taddl\t-88(%r13),%esi\n\tandnl\t%ecx,%eax,%edi\n\taddl\t%ebp,%esi\n\trorxl\t$27,%eax,%r12d\n\trorxl\t$2,%eax,%ebp\n\tandl\t%ebx,%eax\n\taddl\t%r12d,%esi\n\txorl\t%edi,%eax\n\taddl\t-84(%r13),%edx\n\tandnl\t%ebx,%esi,%edi\n\taddl\t%eax,%edx\n\trorxl\t$27,%esi,%r12d\n\trorxl\t$2,%esi,%eax\n\tandl\t%ebp,%esi\n\taddl\t%r12d,%edx\n\txorl\t%edi,%esi\n\taddl\t-64(%r13),%ecx\n\tandnl\t%ebp,%edx,%edi\n\taddl\t%esi,%ecx\n\trorxl\t$27,%edx,%r12d\n\trorxl\t$2,%edx,%esi\n\tandl\t%eax,%edx\n\taddl\t%r12d,%ecx\n\txorl\t%edi,%edx\n\taddl\t-60(%r13),%ebx\n\tandnl\t%eax,%ecx,%edi\n\taddl\t%edx,%ebx\n\trorxl\t$27,%ecx,%r12d\n\trorxl\t$2,%ecx,%edx\n\tandl\t%esi,%ecx\n\taddl\t%r12d,%ebx\n\txorl\t%edi,%ecx\n\taddl\t-56(%r13),%ebp\n\tandnl\t%esi,%ebx,%edi\n\taddl\t%ecx,%ebp\n\trorxl\t$27,%ebx,%r12d\n\trorxl\t$2,%ebx,%ecx\n\tandl\t%edx,%ebx\n\taddl\t%r12d,%ebp\n\txorl\t%edi,%ebx\n\taddl\t-52(%r13),%eax\n\tandnl\t%edx,%ebp,%edi\n\taddl\t%ebx,%eax\n\trorxl\t$27,%ebp,%r12d\n\trorxl\t$2,%ebp,%ebx\n\tandl\t%ecx,%ebp\n\taddl\t%r12d,%eax\n\txorl\t%edi,%ebp\n\taddl\t-32(%r13),%esi\n\tandnl\t%ecx,%eax,%edi\n\taddl\t%ebp,%esi\n\trorxl\t$27,%eax,%r12d\n\trorxl\t$2,%eax,%ebp\n\tandl\t%ebx,%eax\n\taddl\t%r12d,%esi\n\txorl\t%edi,%eax\n\taddl\t-28(%r13),%edx\n\tandnl\t%ebx,%esi,%edi\n\taddl\t%eax,%edx\n\trorxl\t$27,%esi,%r12d\n\trorxl\t$2,%esi,%eax\n\tandl\t%ebp,%esi\n\taddl\t%r12d,%edx\n\txorl\t%edi,%esi\n\taddl\t-24(%r13),%ecx\n\tandnl\t%ebp,%edx,%edi\n\taddl\t%esi,%ecx\n\trorxl\t$27,%edx,%r12d\n\trorxl\t$2,%edx,%esi\n\tandl\t%eax,%edx\n\taddl\t%r12d,%ecx\n\txorl\t%edi,%edx\n\taddl\t-20(%r13),%ebx\n\tandnl\t%eax,%ecx,%edi\n\taddl\t%edx,%ebx\n\trorxl\t$27,%ecx,%r12d\n\trorxl\t$2,%ecx,%edx\n\tandl\t%esi,%ecx\n\taddl\t%r12d,%ebx\n\txorl\t%edi,%ecx\n\taddl\t0(%r13),%ebp\n\tandnl\t%esi,%ebx,%edi\n\taddl\t%ecx,%ebp\n\trorxl\t$27,%ebx,%r12d\n\trorxl\t$2,%ebx,%ecx\n\tandl\t%edx,%ebx\n\taddl\t%r12d,%ebp\n\txorl\t%edi,%ebx\n\taddl\t4(%r13),%eax\n\tandnl\t%edx,%ebp,%edi\n\taddl\t%ebx,%eax\n\trorxl\t$27,%ebp,%r12d\n\trorxl\t$2,%ebp,%ebx\n\tandl\t%ecx,%ebp\n\taddl\t%r12d,%eax\n\txorl\t%edi,%ebp\n\taddl\t8(%r13),%esi\n\tandnl\t%ecx,%eax,%edi\n\taddl\t%ebp,%esi\n\trorxl\t$27,%eax,%r12d\n\trorxl\t$2,%eax,%ebp\n\tandl\t%ebx,%eax\n\taddl\t%r12d,%esi\n\txorl\t%edi,%eax\n\taddl\t12(%r13),%edx\n\tleal\t(%rdx,%rax,1),%edx\n\trorxl\t$27,%esi,%r12d\n\trorxl\t$2,%esi,%eax\n\txorl\t%ebp,%esi\n\taddl\t%r12d,%edx\n\txorl\t%ebx,%esi\n\taddl\t32(%r13),%ecx\n\tleal\t(%rcx,%rsi,1),%ecx\n\trorxl\t$27,%edx,%r12d\n\trorxl\t$2,%edx,%esi\n\txorl\t%eax,%edx\n\taddl\t%r12d,%ecx\n\txorl\t%ebp,%edx\n\taddl\t36(%r13),%ebx\n\tleal\t(%rbx,%rdx,1),%ebx\n\trorxl\t$27,%ecx,%r12d\n\trorxl\t$2,%ecx,%edx\n\txorl\t%esi,%ecx\n\taddl\t%r12d,%ebx\n\txorl\t%eax,%ecx\n\taddl\t40(%r13),%ebp\n\tleal\t(%rcx,%rbp,1),%ebp\n\trorxl\t$27,%ebx,%r12d\n\trorxl\t$2,%ebx,%ecx\n\txorl\t%edx,%ebx\n\taddl\t%r12d,%ebp\n\txorl\t%esi,%ebx\n\taddl\t44(%r13),%eax\n\tleal\t(%rax,%rbx,1),%eax\n\trorxl\t$27,%ebp,%r12d\n\trorxl\t$2,%ebp,%ebx\n\txorl\t%ecx,%ebp\n\taddl\t%r12d,%eax\n\txorl\t%edx,%ebp\n\taddl\t64(%r13),%esi\n\tleal\t(%rsi,%rbp,1),%esi\n\trorxl\t$27,%eax,%r12d\n\trorxl\t$2,%eax,%ebp\n\txorl\t%ebx,%eax\n\taddl\t%r12d,%esi\n\txorl\t%ecx,%eax\n\tvmovdqu\t-64(%r14),%ymm11\n\tvpshufb\t%ymm6,%ymm0,%ymm0\n\taddl\t68(%r13),%edx\n\tleal\t(%rdx,%rax,1),%edx\n\trorxl\t$27,%esi,%r12d\n\trorxl\t$2,%esi,%eax\n\txorl\t%ebp,%esi\n\taddl\t%r12d,%edx\n\txorl\t%ebx,%esi\n\taddl\t72(%r13),%ecx\n\tleal\t(%rcx,%rsi,1),%ecx\n\trorxl\t$27,%edx,%r12d\n\trorxl\t$2,%edx,%esi\n\txorl\t%eax,%edx\n\taddl\t%r12d,%ecx\n\txorl\t%ebp,%edx\n\taddl\t76(%r13),%ebx\n\tleal\t(%rbx,%rdx,1),%ebx\n\trorxl\t$27,%ecx,%r12d\n\trorxl\t$2,%ecx,%edx\n\txorl\t%esi,%ecx\n\taddl\t%r12d,%ebx\n\txorl\t%eax,%ecx\n\taddl\t96(%r13),%ebp\n\tleal\t(%rcx,%rbp,1),%ebp\n\trorxl\t$27,%ebx,%r12d\n\trorxl\t$2,%ebx,%ecx\n\txorl\t%edx,%ebx\n\taddl\t%r12d,%ebp\n\txorl\t%esi,%ebx\n\taddl\t100(%r13),%eax\n\tleal\t(%rax,%rbx,1),%eax\n\trorxl\t$27,%ebp,%r12d\n\trorxl\t$2,%ebp,%ebx\n\txorl\t%ecx,%ebp\n\taddl\t%r12d,%eax\n\txorl\t%edx,%ebp\n\tvpshufb\t%ymm6,%ymm1,%ymm1\n\tvpaddd\t%ymm11,%ymm0,%ymm8\n\taddl\t104(%r13),%esi\n\tleal\t(%rsi,%rbp,1),%esi\n\trorxl\t$27,%eax,%r12d\n\trorxl\t$2,%eax,%ebp\n\txorl\t%ebx,%eax\n\taddl\t%r12d,%esi\n\txorl\t%ecx,%eax\n\taddl\t108(%r13),%edx\n\tleaq\t256(%r13),%r13\n\tleal\t(%rdx,%rax,1),%edx\n\trorxl\t$27,%esi,%r12d\n\trorxl\t$2,%esi,%eax\n\txorl\t%ebp,%esi\n\taddl\t%r12d,%edx\n\txorl\t%ebx,%esi\n\taddl\t-128(%r13),%ecx\n\tleal\t(%rcx,%rsi,1),%ecx\n\trorxl\t$27,%edx,%r12d\n\trorxl\t$2,%edx,%esi\n\txorl\t%eax,%edx\n\taddl\t%r12d,%ecx\n\txorl\t%ebp,%edx\n\taddl\t-124(%r13),%ebx\n\tleal\t(%rbx,%rdx,1),%ebx\n\trorxl\t$27,%ecx,%r12d\n\trorxl\t$2,%ecx,%edx\n\txorl\t%esi,%ecx\n\taddl\t%r12d,%ebx\n\txorl\t%eax,%ecx\n\taddl\t-120(%r13),%ebp\n\tleal\t(%rcx,%rbp,1),%ebp\n\trorxl\t$27,%ebx,%r12d\n\trorxl\t$2,%ebx,%ecx\n\txorl\t%edx,%ebx\n\taddl\t%r12d,%ebp\n\txorl\t%esi,%ebx\n\tvmovdqu\t%ymm8,0(%rsp)\n\tvpshufb\t%ymm6,%ymm2,%ymm2\n\tvpaddd\t%ymm11,%ymm1,%ymm9\n\taddl\t-116(%r13),%eax\n\tleal\t(%rax,%rbx,1),%eax\n\trorxl\t$27,%ebp,%r12d\n\trorxl\t$2,%ebp,%ebx\n\txorl\t%ecx,%ebp\n\taddl\t%r12d,%eax\n\txorl\t%edx,%ebp\n\taddl\t-96(%r13),%esi\n\tleal\t(%rsi,%rbp,1),%esi\n\trorxl\t$27,%eax,%r12d\n\trorxl\t$2,%eax,%ebp\n\txorl\t%ebx,%eax\n\taddl\t%r12d,%esi\n\txorl\t%ecx,%eax\n\taddl\t-92(%r13),%edx\n\tleal\t(%rdx,%rax,1),%edx\n\trorxl\t$27,%esi,%r12d\n\trorxl\t$2,%esi,%eax\n\txorl\t%ebp,%esi\n\taddl\t%r12d,%edx\n\txorl\t%ebx,%esi\n\taddl\t-88(%r13),%ecx\n\tleal\t(%rcx,%rsi,1),%ecx\n\trorxl\t$27,%edx,%r12d\n\trorxl\t$2,%edx,%esi\n\txorl\t%eax,%edx\n\taddl\t%r12d,%ecx\n\txorl\t%ebp,%edx\n\taddl\t-84(%r13),%ebx\n\tmovl\t%esi,%edi\n\txorl\t%eax,%edi\n\tleal\t(%rbx,%rdx,1),%ebx\n\trorxl\t$27,%ecx,%r12d\n\trorxl\t$2,%ecx,%edx\n\txorl\t%esi,%ecx\n\taddl\t%r12d,%ebx\n\tandl\t%edi,%ecx\n\tvmovdqu\t%ymm9,32(%rsp)\n\tvpshufb\t%ymm6,%ymm3,%ymm3\n\tvpaddd\t%ymm11,%ymm2,%ymm6\n\taddl\t-64(%r13),%ebp\n\txorl\t%esi,%ecx\n\tmovl\t%edx,%edi\n\txorl\t%esi,%edi\n\tleal\t(%rcx,%rbp,1),%ebp\n\trorxl\t$27,%ebx,%r12d\n\trorxl\t$2,%ebx,%ecx\n\txorl\t%edx,%ebx\n\taddl\t%r12d,%ebp\n\tandl\t%edi,%ebx\n\taddl\t-60(%r13),%eax\n\txorl\t%edx,%ebx\n\tmovl\t%ecx,%edi\n\txorl\t%edx,%edi\n\tleal\t(%rax,%rbx,1),%eax\n\trorxl\t$27,%ebp,%r12d\n\trorxl\t$2,%ebp,%ebx\n\txorl\t%ecx,%ebp\n\taddl\t%r12d,%eax\n\tandl\t%edi,%ebp\n\taddl\t-56(%r13),%esi\n\txorl\t%ecx,%ebp\n\tmovl\t%ebx,%edi\n\txorl\t%ecx,%edi\n\tleal\t(%rsi,%rbp,1),%esi\n\trorxl\t$27,%eax,%r12d\n\trorxl\t$2,%eax,%ebp\n\txorl\t%ebx,%eax\n\taddl\t%r12d,%esi\n\tandl\t%edi,%eax\n\taddl\t-52(%r13),%edx\n\txorl\t%ebx,%eax\n\tmovl\t%ebp,%edi\n\txorl\t%ebx,%edi\n\tleal\t(%rdx,%rax,1),%edx\n\trorxl\t$27,%esi,%r12d\n\trorxl\t$2,%esi,%eax\n\txorl\t%ebp,%esi\n\taddl\t%r12d,%edx\n\tandl\t%edi,%esi\n\taddl\t-32(%r13),%ecx\n\txorl\t%ebp,%esi\n\tmovl\t%eax,%edi\n\txorl\t%ebp,%edi\n\tleal\t(%rcx,%rsi,1),%ecx\n\trorxl\t$27,%edx,%r12d\n\trorxl\t$2,%edx,%esi\n\txorl\t%eax,%edx\n\taddl\t%r12d,%ecx\n\tandl\t%edi,%edx\n\tjmp\tL$align32_3\n.p2align\t5\nL$align32_3:\n\tvmovdqu\t%ymm6,64(%rsp)\n\tvpaddd\t%ymm11,%ymm3,%ymm7\n\taddl\t-28(%r13),%ebx\n\txorl\t%eax,%edx\n\tmovl\t%esi,%edi\n\txorl\t%eax,%edi\n\tleal\t(%rbx,%rdx,1),%ebx\n\trorxl\t$27,%ecx,%r12d\n\trorxl\t$2,%ecx,%edx\n\txorl\t%esi,%ecx\n\taddl\t%r12d,%ebx\n\tandl\t%edi,%ecx\n\taddl\t-24(%r13),%ebp\n\txorl\t%esi,%ecx\n\tmovl\t%edx,%edi\n\txorl\t%esi,%edi\n\tleal\t(%rcx,%rbp,1),%ebp\n\trorxl\t$27,%ebx,%r12d\n\trorxl\t$2,%ebx,%ecx\n\txorl\t%edx,%ebx\n\taddl\t%r12d,%ebp\n\tandl\t%edi,%ebx\n\taddl\t-20(%r13),%eax\n\txorl\t%edx,%ebx\n\tmovl\t%ecx,%edi\n\txorl\t%edx,%edi\n\tleal\t(%rax,%rbx,1),%eax\n\trorxl\t$27,%ebp,%r12d\n\trorxl\t$2,%ebp,%ebx\n\txorl\t%ecx,%ebp\n\taddl\t%r12d,%eax\n\tandl\t%edi,%ebp\n\taddl\t0(%r13),%esi\n\txorl\t%ecx,%ebp\n\tmovl\t%ebx,%edi\n\txorl\t%ecx,%edi\n\tleal\t(%rsi,%rbp,1),%esi\n\trorxl\t$27,%eax,%r12d\n\trorxl\t$2,%eax,%ebp\n\txorl\t%ebx,%eax\n\taddl\t%r12d,%esi\n\tandl\t%edi,%eax\n\taddl\t4(%r13),%edx\n\txorl\t%ebx,%eax\n\tmovl\t%ebp,%edi\n\txorl\t%ebx,%edi\n\tleal\t(%rdx,%rax,1),%edx\n\trorxl\t$27,%esi,%r12d\n\trorxl\t$2,%esi,%eax\n\txorl\t%ebp,%esi\n\taddl\t%r12d,%edx\n\tandl\t%edi,%esi\n\tvmovdqu\t%ymm7,96(%rsp)\n\taddl\t8(%r13),%ecx\n\txorl\t%ebp,%esi\n\tmovl\t%eax,%edi\n\txorl\t%ebp,%edi\n\tleal\t(%rcx,%rsi,1),%ecx\n\trorxl\t$27,%edx,%r12d\n\trorxl\t$2,%edx,%esi\n\txorl\t%eax,%edx\n\taddl\t%r12d,%ecx\n\tandl\t%edi,%edx\n\taddl\t12(%r13),%ebx\n\txorl\t%eax,%edx\n\tmovl\t%esi,%edi\n\txorl\t%eax,%edi\n\tleal\t(%rbx,%rdx,1),%ebx\n\trorxl\t$27,%ecx,%r12d\n\trorxl\t$2,%ecx,%edx\n\txorl\t%esi,%ecx\n\taddl\t%r12d,%ebx\n\tandl\t%edi,%ecx\n\taddl\t32(%r13),%ebp\n\txorl\t%esi,%ecx\n\tmovl\t%edx,%edi\n\txorl\t%esi,%edi\n\tleal\t(%rcx,%rbp,1),%ebp\n\trorxl\t$27,%ebx,%r12d\n\trorxl\t$2,%ebx,%ecx\n\txorl\t%edx,%ebx\n\taddl\t%r12d,%ebp\n\tandl\t%edi,%ebx\n\taddl\t36(%r13),%eax\n\txorl\t%edx,%ebx\n\tmovl\t%ecx,%edi\n\txorl\t%edx,%edi\n\tleal\t(%rax,%rbx,1),%eax\n\trorxl\t$27,%ebp,%r12d\n\trorxl\t$2,%ebp,%ebx\n\txorl\t%ecx,%ebp\n\taddl\t%r12d,%eax\n\tandl\t%edi,%ebp\n\taddl\t40(%r13),%esi\n\txorl\t%ecx,%ebp\n\tmovl\t%ebx,%edi\n\txorl\t%ecx,%edi\n\tleal\t(%rsi,%rbp,1),%esi\n\trorxl\t$27,%eax,%r12d\n\trorxl\t$2,%eax,%ebp\n\txorl\t%ebx,%eax\n\taddl\t%r12d,%esi\n\tandl\t%edi,%eax\n\tvpalignr\t$8,%ymm0,%ymm1,%ymm4\n\taddl\t44(%r13),%edx\n\txorl\t%ebx,%eax\n\tmovl\t%ebp,%edi\n\txorl\t%ebx,%edi\n\tvpsrldq\t$4,%ymm3,%ymm8\n\tleal\t(%rdx,%rax,1),%edx\n\trorxl\t$27,%esi,%r12d\n\trorxl\t$2,%esi,%eax\n\tvpxor\t%ymm0,%ymm4,%ymm4\n\tvpxor\t%ymm2,%ymm8,%ymm8\n\txorl\t%ebp,%esi\n\taddl\t%r12d,%edx\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tandl\t%edi,%esi\n\taddl\t64(%r13),%ecx\n\txorl\t%ebp,%esi\n\tmovl\t%eax,%edi\n\tvpsrld\t$31,%ymm4,%ymm8\n\txorl\t%ebp,%edi\n\tleal\t(%rcx,%rsi,1),%ecx\n\trorxl\t$27,%edx,%r12d\n\tvpslldq\t$12,%ymm4,%ymm10\n\tvpaddd\t%ymm4,%ymm4,%ymm4\n\trorxl\t$2,%edx,%esi\n\txorl\t%eax,%edx\n\tvpsrld\t$30,%ymm10,%ymm9\n\tvpor\t%ymm8,%ymm4,%ymm4\n\taddl\t%r12d,%ecx\n\tandl\t%edi,%edx\n\tvpslld\t$2,%ymm10,%ymm10\n\tvpxor\t%ymm9,%ymm4,%ymm4\n\taddl\t68(%r13),%ebx\n\txorl\t%eax,%edx\n\tvpxor\t%ymm10,%ymm4,%ymm4\n\tmovl\t%esi,%edi\n\txorl\t%eax,%edi\n\tleal\t(%rbx,%rdx,1),%ebx\n\tvpaddd\t%ymm11,%ymm4,%ymm9\n\trorxl\t$27,%ecx,%r12d\n\trorxl\t$2,%ecx,%edx\n\txorl\t%esi,%ecx\n\tvmovdqu\t%ymm9,128(%rsp)\n\taddl\t%r12d,%ebx\n\tandl\t%edi,%ecx\n\taddl\t72(%r13),%ebp\n\txorl\t%esi,%ecx\n\tmovl\t%edx,%edi\n\txorl\t%esi,%edi\n\tleal\t(%rcx,%rbp,1),%ebp\n\trorxl\t$27,%ebx,%r12d\n\trorxl\t$2,%ebx,%ecx\n\txorl\t%edx,%ebx\n\taddl\t%r12d,%ebp\n\tandl\t%edi,%ebx\n\taddl\t76(%r13),%eax\n\txorl\t%edx,%ebx\n\tleal\t(%rax,%rbx,1),%eax\n\trorxl\t$27,%ebp,%r12d\n\trorxl\t$2,%ebp,%ebx\n\txorl\t%ecx,%ebp\n\taddl\t%r12d,%eax\n\txorl\t%edx,%ebp\n\tvpalignr\t$8,%ymm1,%ymm2,%ymm5\n\taddl\t96(%r13),%esi\n\tleal\t(%rsi,%rbp,1),%esi\n\trorxl\t$27,%eax,%r12d\n\trorxl\t$2,%eax,%ebp\n\tvpsrldq\t$4,%ymm4,%ymm8\n\txorl\t%ebx,%eax\n\taddl\t%r12d,%esi\n\txorl\t%ecx,%eax\n\tvpxor\t%ymm1,%ymm5,%ymm5\n\tvpxor\t%ymm3,%ymm8,%ymm8\n\taddl\t100(%r13),%edx\n\tleal\t(%rdx,%rax,1),%edx\n\tvpxor\t%ymm8,%ymm5,%ymm5\n\trorxl\t$27,%esi,%r12d\n\trorxl\t$2,%esi,%eax\n\txorl\t%ebp,%esi\n\taddl\t%r12d,%edx\n\tvpsrld\t$31,%ymm5,%ymm8\n\tvmovdqu\t-32(%r14),%ymm11\n\txorl\t%ebx,%esi\n\taddl\t104(%r13),%ecx\n\tleal\t(%rcx,%rsi,1),%ecx\n\tvpslldq\t$12,%ymm5,%ymm10\n\tvpaddd\t%ymm5,%ymm5,%ymm5\n\trorxl\t$27,%edx,%r12d\n\trorxl\t$2,%edx,%esi\n\tvpsrld\t$30,%ymm10,%ymm9\n\tvpor\t%ymm8,%ymm5,%ymm5\n\txorl\t%eax,%edx\n\taddl\t%r12d,%ecx\n\tvpslld\t$2,%ymm10,%ymm10\n\tvpxor\t%ymm9,%ymm5,%ymm5\n\txorl\t%ebp,%edx\n\taddl\t108(%r13),%ebx\n\tleaq\t256(%r13),%r13\n\tvpxor\t%ymm10,%ymm5,%ymm5\n\tleal\t(%rbx,%rdx,1),%ebx\n\trorxl\t$27,%ecx,%r12d\n\trorxl\t$2,%ecx,%edx\n\tvpaddd\t%ymm11,%ymm5,%ymm9\n\txorl\t%esi,%ecx\n\taddl\t%r12d,%ebx\n\txorl\t%eax,%ecx\n\tvmovdqu\t%ymm9,160(%rsp)\n\taddl\t-128(%r13),%ebp\n\tleal\t(%rcx,%rbp,1),%ebp\n\trorxl\t$27,%ebx,%r12d\n\trorxl\t$2,%ebx,%ecx\n\txorl\t%edx,%ebx\n\taddl\t%r12d,%ebp\n\txorl\t%esi,%ebx\n\tvpalignr\t$8,%ymm2,%ymm3,%ymm6\n\taddl\t-124(%r13),%eax\n\tleal\t(%rax,%rbx,1),%eax\n\trorxl\t$27,%ebp,%r12d\n\trorxl\t$2,%ebp,%ebx\n\tvpsrldq\t$4,%ymm5,%ymm8\n\txorl\t%ecx,%ebp\n\taddl\t%r12d,%eax\n\txorl\t%edx,%ebp\n\tvpxor\t%ymm2,%ymm6,%ymm6\n\tvpxor\t%ymm4,%ymm8,%ymm8\n\taddl\t-120(%r13),%esi\n\tleal\t(%rsi,%rbp,1),%esi\n\tvpxor\t%ymm8,%ymm6,%ymm6\n\trorxl\t$27,%eax,%r12d\n\trorxl\t$2,%eax,%ebp\n\txorl\t%ebx,%eax\n\taddl\t%r12d,%esi\n\tvpsrld\t$31,%ymm6,%ymm8\n\txorl\t%ecx,%eax\n\taddl\t-116(%r13),%edx\n\tleal\t(%rdx,%rax,1),%edx\n\tvpslldq\t$12,%ymm6,%ymm10\n\tvpaddd\t%ymm6,%ymm6,%ymm6\n\trorxl\t$27,%esi,%r12d\n\trorxl\t$2,%esi,%eax\n\tvpsrld\t$30,%ymm10,%ymm9\n\tvpor\t%ymm8,%ymm6,%ymm6\n\txorl\t%ebp,%esi\n\taddl\t%r12d,%edx\n\tvpslld\t$2,%ymm10,%ymm10\n\tvpxor\t%ymm9,%ymm6,%ymm6\n\txorl\t%ebx,%esi\n\taddl\t-96(%r13),%ecx\n\tvpxor\t%ymm10,%ymm6,%ymm6\n\tleal\t(%rcx,%rsi,1),%ecx\n\trorxl\t$27,%edx,%r12d\n\trorxl\t$2,%edx,%esi\n\tvpaddd\t%ymm11,%ymm6,%ymm9\n\txorl\t%eax,%edx\n\taddl\t%r12d,%ecx\n\txorl\t%ebp,%edx\n\tvmovdqu\t%ymm9,192(%rsp)\n\taddl\t-92(%r13),%ebx\n\tleal\t(%rbx,%rdx,1),%ebx\n\trorxl\t$27,%ecx,%r12d\n\trorxl\t$2,%ecx,%edx\n\txorl\t%esi,%ecx\n\taddl\t%r12d,%ebx\n\txorl\t%eax,%ecx\n\tvpalignr\t$8,%ymm3,%ymm4,%ymm7\n\taddl\t-88(%r13),%ebp\n\tleal\t(%rcx,%rbp,1),%ebp\n\trorxl\t$27,%ebx,%r12d\n\trorxl\t$2,%ebx,%ecx\n\tvpsrldq\t$4,%ymm6,%ymm8\n\txorl\t%edx,%ebx\n\taddl\t%r12d,%ebp\n\txorl\t%esi,%ebx\n\tvpxor\t%ymm3,%ymm7,%ymm7\n\tvpxor\t%ymm5,%ymm8,%ymm8\n\taddl\t-84(%r13),%eax\n\tleal\t(%rax,%rbx,1),%eax\n\tvpxor\t%ymm8,%ymm7,%ymm7\n\trorxl\t$27,%ebp,%r12d\n\trorxl\t$2,%ebp,%ebx\n\txorl\t%ecx,%ebp\n\taddl\t%r12d,%eax\n\tvpsrld\t$31,%ymm7,%ymm8\n\txorl\t%edx,%ebp\n\taddl\t-64(%r13),%esi\n\tleal\t(%rsi,%rbp,1),%esi\n\tvpslldq\t$12,%ymm7,%ymm10\n\tvpaddd\t%ymm7,%ymm7,%ymm7\n\trorxl\t$27,%eax,%r12d\n\trorxl\t$2,%eax,%ebp\n\tvpsrld\t$30,%ymm10,%ymm9\n\tvpor\t%ymm8,%ymm7,%ymm7\n\txorl\t%ebx,%eax\n\taddl\t%r12d,%esi\n\tvpslld\t$2,%ymm10,%ymm10\n\tvpxor\t%ymm9,%ymm7,%ymm7\n\txorl\t%ecx,%eax\n\taddl\t-60(%r13),%edx\n\tvpxor\t%ymm10,%ymm7,%ymm7\n\tleal\t(%rdx,%rax,1),%edx\n\trorxl\t$27,%esi,%r12d\n\trorxl\t$2,%esi,%eax\n\tvpaddd\t%ymm11,%ymm7,%ymm9\n\txorl\t%ebp,%esi\n\taddl\t%r12d,%edx\n\txorl\t%ebx,%esi\n\tvmovdqu\t%ymm9,224(%rsp)\n\taddl\t-56(%r13),%ecx\n\tleal\t(%rcx,%rsi,1),%ecx\n\trorxl\t$27,%edx,%r12d\n\trorxl\t$2,%edx,%esi\n\txorl\t%eax,%edx\n\taddl\t%r12d,%ecx\n\txorl\t%ebp,%edx\n\taddl\t-52(%r13),%ebx\n\tleal\t(%rbx,%rdx,1),%ebx\n\trorxl\t$27,%ecx,%r12d\n\trorxl\t$2,%ecx,%edx\n\txorl\t%esi,%ecx\n\taddl\t%r12d,%ebx\n\txorl\t%eax,%ecx\n\taddl\t-32(%r13),%ebp\n\tleal\t(%rcx,%rbp,1),%ebp\n\trorxl\t$27,%ebx,%r12d\n\trorxl\t$2,%ebx,%ecx\n\txorl\t%edx,%ebx\n\taddl\t%r12d,%ebp\n\txorl\t%esi,%ebx\n\taddl\t-28(%r13),%eax\n\tleal\t(%rax,%rbx,1),%eax\n\trorxl\t$27,%ebp,%r12d\n\trorxl\t$2,%ebp,%ebx\n\txorl\t%ecx,%ebp\n\taddl\t%r12d,%eax\n\txorl\t%edx,%ebp\n\taddl\t-24(%r13),%esi\n\tleal\t(%rsi,%rbp,1),%esi\n\trorxl\t$27,%eax,%r12d\n\trorxl\t$2,%eax,%ebp\n\txorl\t%ebx,%eax\n\taddl\t%r12d,%esi\n\txorl\t%ecx,%eax\n\taddl\t-20(%r13),%edx\n\tleal\t(%rdx,%rax,1),%edx\n\trorxl\t$27,%esi,%r12d\n\taddl\t%r12d,%edx\n\tleaq\t128(%rsp),%r13\n\n\n\taddl\t0(%r8),%edx\n\taddl\t4(%r8),%esi\n\taddl\t8(%r8),%ebp\n\tmovl\t%edx,0(%r8)\n\taddl\t12(%r8),%ebx\n\tmovl\t%esi,4(%r8)\n\tmovl\t%edx,%eax\n\taddl\t16(%r8),%ecx\n\tmovl\t%ebp,%r12d\n\tmovl\t%ebp,8(%r8)\n\tmovl\t%ebx,%edx\n\n\tmovl\t%ebx,12(%r8)\n\tmovl\t%esi,%ebp\n\tmovl\t%ecx,16(%r8)\n\n\tmovl\t%ecx,%esi\n\tmovl\t%r12d,%ecx\n\n\n\tcmpq\t%r10,%r9\n\tjbe\tL$oop_avx2\n\nL$done_avx2:\n\tvzeroupper\n\tmovq\t-40(%r11),%r14\n\n\tmovq\t-32(%r11),%r13\n\n\tmovq\t-24(%r11),%r12\n\n\tmovq\t-16(%r11),%rbp\n\n\tmovq\t-8(%r11),%rbx\n\n\tleaq\t(%r11),%rsp\n\nL$epilogue_avx2:\n\tret\n\n\n.section\t__DATA,__const\n.p2align\t6\nK_XX_XX:\n.long\t0x5a827999,0x5a827999,0x5a827999,0x5a827999\n.long\t0x5a827999,0x5a827999,0x5a827999,0x5a827999\n.long\t0x6ed9eba1,0x6ed9eba1,0x6ed9eba1,0x6ed9eba1\n.long\t0x6ed9eba1,0x6ed9eba1,0x6ed9eba1,0x6ed9eba1\n.long\t0x8f1bbcdc,0x8f1bbcdc,0x8f1bbcdc,0x8f1bbcdc\n.long\t0x8f1bbcdc,0x8f1bbcdc,0x8f1bbcdc,0x8f1bbcdc\n.long\t0xca62c1d6,0xca62c1d6,0xca62c1d6,0xca62c1d6\n.long\t0xca62c1d6,0xca62c1d6,0xca62c1d6,0xca62c1d6\n.long\t0x00010203,0x04050607,0x08090a0b,0x0c0d0e0f\n.long\t0x00010203,0x04050607,0x08090a0b,0x0c0d0e0f\n.byte\t0xf,0xe,0xd,0xc,0xb,0xa,0x9,0x8,0x7,0x6,0x5,0x4,0x3,0x2,0x1,0x0\n.byte\t83,72,65,49,32,98,108,111,99,107,32,116,114,97,110,115,102,111,114,109,32,102,111,114,32,120,56,54,95,54,52,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0\n.p2align\t6\n.text\t\n#endif\n#if defined(__linux__) && defined(__ELF__)\n.section .note.GNU-stack,\"\",%progbits\n#endif\n\n" }, { "path": "Sources/CNIOBoringSSL/gen/bcm/sha1-x86_64-linux.S", "content": "#define BORINGSSL_PREFIX CNIOBoringSSL\n// This file is generated from a similarly-named Perl script in the BoringSSL\n// source tree. Do not edit by hand.\n\n#include \n\n#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86_64) && defined(__ELF__)\n.text\t\n\n.globl\tsha1_block_data_order_nohw\n.hidden sha1_block_data_order_nohw\n.type\tsha1_block_data_order_nohw,@function\n.align\t16\nsha1_block_data_order_nohw:\n.cfi_startproc\t\n_CET_ENDBR\n\tmovq\t%rsp,%rax\n.cfi_def_cfa_register\t%rax\n\tpushq\t%rbx\n.cfi_offset\t%rbx,-16\n\tpushq\t%rbp\n.cfi_offset\t%rbp,-24\n\tpushq\t%r12\n.cfi_offset\t%r12,-32\n\tpushq\t%r13\n.cfi_offset\t%r13,-40\n\tpushq\t%r14\n.cfi_offset\t%r14,-48\n\tmovq\t%rdi,%r8\n\tsubq\t$72,%rsp\n\tmovq\t%rsi,%r9\n\tandq\t$-64,%rsp\n\tmovq\t%rdx,%r10\n\tmovq\t%rax,64(%rsp)\n.cfi_escape\t0x0f,0x06,0x77,0xc0,0x00,0x06,0x23,0x08\n.Lprologue:\n\n\tmovl\t0(%r8),%esi\n\tmovl\t4(%r8),%edi\n\tmovl\t8(%r8),%r11d\n\tmovl\t12(%r8),%r12d\n\tmovl\t16(%r8),%r13d\n\tjmp\t.Lloop\n\n.align\t16\n.Lloop:\n\tmovl\t0(%r9),%edx\n\tbswapl\t%edx\n\tmovl\t4(%r9),%ebp\n\tmovl\t%r12d,%eax\n\tmovl\t%edx,0(%rsp)\n\tmovl\t%esi,%ecx\n\tbswapl\t%ebp\n\txorl\t%r11d,%eax\n\troll\t$5,%ecx\n\tandl\t%edi,%eax\n\tleal\t1518500249(%rdx,%r13,1),%r13d\n\taddl\t%ecx,%r13d\n\txorl\t%r12d,%eax\n\troll\t$30,%edi\n\taddl\t%eax,%r13d\n\tmovl\t8(%r9),%r14d\n\tmovl\t%r11d,%eax\n\tmovl\t%ebp,4(%rsp)\n\tmovl\t%r13d,%ecx\n\tbswapl\t%r14d\n\txorl\t%edi,%eax\n\troll\t$5,%ecx\n\tandl\t%esi,%eax\n\tleal\t1518500249(%rbp,%r12,1),%r12d\n\taddl\t%ecx,%r12d\n\txorl\t%r11d,%eax\n\troll\t$30,%esi\n\taddl\t%eax,%r12d\n\tmovl\t12(%r9),%edx\n\tmovl\t%edi,%eax\n\tmovl\t%r14d,8(%rsp)\n\tmovl\t%r12d,%ecx\n\tbswapl\t%edx\n\txorl\t%esi,%eax\n\troll\t$5,%ecx\n\tandl\t%r13d,%eax\n\tleal\t1518500249(%r14,%r11,1),%r11d\n\taddl\t%ecx,%r11d\n\txorl\t%edi,%eax\n\troll\t$30,%r13d\n\taddl\t%eax,%r11d\n\tmovl\t16(%r9),%ebp\n\tmovl\t%esi,%eax\n\tmovl\t%edx,12(%rsp)\n\tmovl\t%r11d,%ecx\n\tbswapl\t%ebp\n\txorl\t%r13d,%eax\n\troll\t$5,%ecx\n\tandl\t%r12d,%eax\n\tleal\t1518500249(%rdx,%rdi,1),%edi\n\taddl\t%ecx,%edi\n\txorl\t%esi,%eax\n\troll\t$30,%r12d\n\taddl\t%eax,%edi\n\tmovl\t20(%r9),%r14d\n\tmovl\t%r13d,%eax\n\tmovl\t%ebp,16(%rsp)\n\tmovl\t%edi,%ecx\n\tbswapl\t%r14d\n\txorl\t%r12d,%eax\n\troll\t$5,%ecx\n\tandl\t%r11d,%eax\n\tleal\t1518500249(%rbp,%rsi,1),%esi\n\taddl\t%ecx,%esi\n\txorl\t%r13d,%eax\n\troll\t$30,%r11d\n\taddl\t%eax,%esi\n\tmovl\t24(%r9),%edx\n\tmovl\t%r12d,%eax\n\tmovl\t%r14d,20(%rsp)\n\tmovl\t%esi,%ecx\n\tbswapl\t%edx\n\txorl\t%r11d,%eax\n\troll\t$5,%ecx\n\tandl\t%edi,%eax\n\tleal\t1518500249(%r14,%r13,1),%r13d\n\taddl\t%ecx,%r13d\n\txorl\t%r12d,%eax\n\troll\t$30,%edi\n\taddl\t%eax,%r13d\n\tmovl\t28(%r9),%ebp\n\tmovl\t%r11d,%eax\n\tmovl\t%edx,24(%rsp)\n\tmovl\t%r13d,%ecx\n\tbswapl\t%ebp\n\txorl\t%edi,%eax\n\troll\t$5,%ecx\n\tandl\t%esi,%eax\n\tleal\t1518500249(%rdx,%r12,1),%r12d\n\taddl\t%ecx,%r12d\n\txorl\t%r11d,%eax\n\troll\t$30,%esi\n\taddl\t%eax,%r12d\n\tmovl\t32(%r9),%r14d\n\tmovl\t%edi,%eax\n\tmovl\t%ebp,28(%rsp)\n\tmovl\t%r12d,%ecx\n\tbswapl\t%r14d\n\txorl\t%esi,%eax\n\troll\t$5,%ecx\n\tandl\t%r13d,%eax\n\tleal\t1518500249(%rbp,%r11,1),%r11d\n\taddl\t%ecx,%r11d\n\txorl\t%edi,%eax\n\troll\t$30,%r13d\n\taddl\t%eax,%r11d\n\tmovl\t36(%r9),%edx\n\tmovl\t%esi,%eax\n\tmovl\t%r14d,32(%rsp)\n\tmovl\t%r11d,%ecx\n\tbswapl\t%edx\n\txorl\t%r13d,%eax\n\troll\t$5,%ecx\n\tandl\t%r12d,%eax\n\tleal\t1518500249(%r14,%rdi,1),%edi\n\taddl\t%ecx,%edi\n\txorl\t%esi,%eax\n\troll\t$30,%r12d\n\taddl\t%eax,%edi\n\tmovl\t40(%r9),%ebp\n\tmovl\t%r13d,%eax\n\tmovl\t%edx,36(%rsp)\n\tmovl\t%edi,%ecx\n\tbswapl\t%ebp\n\txorl\t%r12d,%eax\n\troll\t$5,%ecx\n\tandl\t%r11d,%eax\n\tleal\t1518500249(%rdx,%rsi,1),%esi\n\taddl\t%ecx,%esi\n\txorl\t%r13d,%eax\n\troll\t$30,%r11d\n\taddl\t%eax,%esi\n\tmovl\t44(%r9),%r14d\n\tmovl\t%r12d,%eax\n\tmovl\t%ebp,40(%rsp)\n\tmovl\t%esi,%ecx\n\tbswapl\t%r14d\n\txorl\t%r11d,%eax\n\troll\t$5,%ecx\n\tandl\t%edi,%eax\n\tleal\t1518500249(%rbp,%r13,1),%r13d\n\taddl\t%ecx,%r13d\n\txorl\t%r12d,%eax\n\troll\t$30,%edi\n\taddl\t%eax,%r13d\n\tmovl\t48(%r9),%edx\n\tmovl\t%r11d,%eax\n\tmovl\t%r14d,44(%rsp)\n\tmovl\t%r13d,%ecx\n\tbswapl\t%edx\n\txorl\t%edi,%eax\n\troll\t$5,%ecx\n\tandl\t%esi,%eax\n\tleal\t1518500249(%r14,%r12,1),%r12d\n\taddl\t%ecx,%r12d\n\txorl\t%r11d,%eax\n\troll\t$30,%esi\n\taddl\t%eax,%r12d\n\tmovl\t52(%r9),%ebp\n\tmovl\t%edi,%eax\n\tmovl\t%edx,48(%rsp)\n\tmovl\t%r12d,%ecx\n\tbswapl\t%ebp\n\txorl\t%esi,%eax\n\troll\t$5,%ecx\n\tandl\t%r13d,%eax\n\tleal\t1518500249(%rdx,%r11,1),%r11d\n\taddl\t%ecx,%r11d\n\txorl\t%edi,%eax\n\troll\t$30,%r13d\n\taddl\t%eax,%r11d\n\tmovl\t56(%r9),%r14d\n\tmovl\t%esi,%eax\n\tmovl\t%ebp,52(%rsp)\n\tmovl\t%r11d,%ecx\n\tbswapl\t%r14d\n\txorl\t%r13d,%eax\n\troll\t$5,%ecx\n\tandl\t%r12d,%eax\n\tleal\t1518500249(%rbp,%rdi,1),%edi\n\taddl\t%ecx,%edi\n\txorl\t%esi,%eax\n\troll\t$30,%r12d\n\taddl\t%eax,%edi\n\tmovl\t60(%r9),%edx\n\tmovl\t%r13d,%eax\n\tmovl\t%r14d,56(%rsp)\n\tmovl\t%edi,%ecx\n\tbswapl\t%edx\n\txorl\t%r12d,%eax\n\troll\t$5,%ecx\n\tandl\t%r11d,%eax\n\tleal\t1518500249(%r14,%rsi,1),%esi\n\taddl\t%ecx,%esi\n\txorl\t%r13d,%eax\n\troll\t$30,%r11d\n\taddl\t%eax,%esi\n\txorl\t0(%rsp),%ebp\n\tmovl\t%r12d,%eax\n\tmovl\t%edx,60(%rsp)\n\tmovl\t%esi,%ecx\n\txorl\t8(%rsp),%ebp\n\txorl\t%r11d,%eax\n\troll\t$5,%ecx\n\txorl\t32(%rsp),%ebp\n\tandl\t%edi,%eax\n\tleal\t1518500249(%rdx,%r13,1),%r13d\n\troll\t$30,%edi\n\txorl\t%r12d,%eax\n\taddl\t%ecx,%r13d\n\troll\t$1,%ebp\n\taddl\t%eax,%r13d\n\txorl\t4(%rsp),%r14d\n\tmovl\t%r11d,%eax\n\tmovl\t%ebp,0(%rsp)\n\tmovl\t%r13d,%ecx\n\txorl\t12(%rsp),%r14d\n\txorl\t%edi,%eax\n\troll\t$5,%ecx\n\txorl\t36(%rsp),%r14d\n\tandl\t%esi,%eax\n\tleal\t1518500249(%rbp,%r12,1),%r12d\n\troll\t$30,%esi\n\txorl\t%r11d,%eax\n\taddl\t%ecx,%r12d\n\troll\t$1,%r14d\n\taddl\t%eax,%r12d\n\txorl\t8(%rsp),%edx\n\tmovl\t%edi,%eax\n\tmovl\t%r14d,4(%rsp)\n\tmovl\t%r12d,%ecx\n\txorl\t16(%rsp),%edx\n\txorl\t%esi,%eax\n\troll\t$5,%ecx\n\txorl\t40(%rsp),%edx\n\tandl\t%r13d,%eax\n\tleal\t1518500249(%r14,%r11,1),%r11d\n\troll\t$30,%r13d\n\txorl\t%edi,%eax\n\taddl\t%ecx,%r11d\n\troll\t$1,%edx\n\taddl\t%eax,%r11d\n\txorl\t12(%rsp),%ebp\n\tmovl\t%esi,%eax\n\tmovl\t%edx,8(%rsp)\n\tmovl\t%r11d,%ecx\n\txorl\t20(%rsp),%ebp\n\txorl\t%r13d,%eax\n\troll\t$5,%ecx\n\txorl\t44(%rsp),%ebp\n\tandl\t%r12d,%eax\n\tleal\t1518500249(%rdx,%rdi,1),%edi\n\troll\t$30,%r12d\n\txorl\t%esi,%eax\n\taddl\t%ecx,%edi\n\troll\t$1,%ebp\n\taddl\t%eax,%edi\n\txorl\t16(%rsp),%r14d\n\tmovl\t%r13d,%eax\n\tmovl\t%ebp,12(%rsp)\n\tmovl\t%edi,%ecx\n\txorl\t24(%rsp),%r14d\n\txorl\t%r12d,%eax\n\troll\t$5,%ecx\n\txorl\t48(%rsp),%r14d\n\tandl\t%r11d,%eax\n\tleal\t1518500249(%rbp,%rsi,1),%esi\n\troll\t$30,%r11d\n\txorl\t%r13d,%eax\n\taddl\t%ecx,%esi\n\troll\t$1,%r14d\n\taddl\t%eax,%esi\n\txorl\t20(%rsp),%edx\n\tmovl\t%edi,%eax\n\tmovl\t%r14d,16(%rsp)\n\tmovl\t%esi,%ecx\n\txorl\t28(%rsp),%edx\n\txorl\t%r12d,%eax\n\troll\t$5,%ecx\n\txorl\t52(%rsp),%edx\n\tleal\t1859775393(%r14,%r13,1),%r13d\n\txorl\t%r11d,%eax\n\taddl\t%ecx,%r13d\n\troll\t$30,%edi\n\taddl\t%eax,%r13d\n\troll\t$1,%edx\n\txorl\t24(%rsp),%ebp\n\tmovl\t%esi,%eax\n\tmovl\t%edx,20(%rsp)\n\tmovl\t%r13d,%ecx\n\txorl\t32(%rsp),%ebp\n\txorl\t%r11d,%eax\n\troll\t$5,%ecx\n\txorl\t56(%rsp),%ebp\n\tleal\t1859775393(%rdx,%r12,1),%r12d\n\txorl\t%edi,%eax\n\taddl\t%ecx,%r12d\n\troll\t$30,%esi\n\taddl\t%eax,%r12d\n\troll\t$1,%ebp\n\txorl\t28(%rsp),%r14d\n\tmovl\t%r13d,%eax\n\tmovl\t%ebp,24(%rsp)\n\tmovl\t%r12d,%ecx\n\txorl\t36(%rsp),%r14d\n\txorl\t%edi,%eax\n\troll\t$5,%ecx\n\txorl\t60(%rsp),%r14d\n\tleal\t1859775393(%rbp,%r11,1),%r11d\n\txorl\t%esi,%eax\n\taddl\t%ecx,%r11d\n\troll\t$30,%r13d\n\taddl\t%eax,%r11d\n\troll\t$1,%r14d\n\txorl\t32(%rsp),%edx\n\tmovl\t%r12d,%eax\n\tmovl\t%r14d,28(%rsp)\n\tmovl\t%r11d,%ecx\n\txorl\t40(%rsp),%edx\n\txorl\t%esi,%eax\n\troll\t$5,%ecx\n\txorl\t0(%rsp),%edx\n\tleal\t1859775393(%r14,%rdi,1),%edi\n\txorl\t%r13d,%eax\n\taddl\t%ecx,%edi\n\troll\t$30,%r12d\n\taddl\t%eax,%edi\n\troll\t$1,%edx\n\txorl\t36(%rsp),%ebp\n\tmovl\t%r11d,%eax\n\tmovl\t%edx,32(%rsp)\n\tmovl\t%edi,%ecx\n\txorl\t44(%rsp),%ebp\n\txorl\t%r13d,%eax\n\troll\t$5,%ecx\n\txorl\t4(%rsp),%ebp\n\tleal\t1859775393(%rdx,%rsi,1),%esi\n\txorl\t%r12d,%eax\n\taddl\t%ecx,%esi\n\troll\t$30,%r11d\n\taddl\t%eax,%esi\n\troll\t$1,%ebp\n\txorl\t40(%rsp),%r14d\n\tmovl\t%edi,%eax\n\tmovl\t%ebp,36(%rsp)\n\tmovl\t%esi,%ecx\n\txorl\t48(%rsp),%r14d\n\txorl\t%r12d,%eax\n\troll\t$5,%ecx\n\txorl\t8(%rsp),%r14d\n\tleal\t1859775393(%rbp,%r13,1),%r13d\n\txorl\t%r11d,%eax\n\taddl\t%ecx,%r13d\n\troll\t$30,%edi\n\taddl\t%eax,%r13d\n\troll\t$1,%r14d\n\txorl\t44(%rsp),%edx\n\tmovl\t%esi,%eax\n\tmovl\t%r14d,40(%rsp)\n\tmovl\t%r13d,%ecx\n\txorl\t52(%rsp),%edx\n\txorl\t%r11d,%eax\n\troll\t$5,%ecx\n\txorl\t12(%rsp),%edx\n\tleal\t1859775393(%r14,%r12,1),%r12d\n\txorl\t%edi,%eax\n\taddl\t%ecx,%r12d\n\troll\t$30,%esi\n\taddl\t%eax,%r12d\n\troll\t$1,%edx\n\txorl\t48(%rsp),%ebp\n\tmovl\t%r13d,%eax\n\tmovl\t%edx,44(%rsp)\n\tmovl\t%r12d,%ecx\n\txorl\t56(%rsp),%ebp\n\txorl\t%edi,%eax\n\troll\t$5,%ecx\n\txorl\t16(%rsp),%ebp\n\tleal\t1859775393(%rdx,%r11,1),%r11d\n\txorl\t%esi,%eax\n\taddl\t%ecx,%r11d\n\troll\t$30,%r13d\n\taddl\t%eax,%r11d\n\troll\t$1,%ebp\n\txorl\t52(%rsp),%r14d\n\tmovl\t%r12d,%eax\n\tmovl\t%ebp,48(%rsp)\n\tmovl\t%r11d,%ecx\n\txorl\t60(%rsp),%r14d\n\txorl\t%esi,%eax\n\troll\t$5,%ecx\n\txorl\t20(%rsp),%r14d\n\tleal\t1859775393(%rbp,%rdi,1),%edi\n\txorl\t%r13d,%eax\n\taddl\t%ecx,%edi\n\troll\t$30,%r12d\n\taddl\t%eax,%edi\n\troll\t$1,%r14d\n\txorl\t56(%rsp),%edx\n\tmovl\t%r11d,%eax\n\tmovl\t%r14d,52(%rsp)\n\tmovl\t%edi,%ecx\n\txorl\t0(%rsp),%edx\n\txorl\t%r13d,%eax\n\troll\t$5,%ecx\n\txorl\t24(%rsp),%edx\n\tleal\t1859775393(%r14,%rsi,1),%esi\n\txorl\t%r12d,%eax\n\taddl\t%ecx,%esi\n\troll\t$30,%r11d\n\taddl\t%eax,%esi\n\troll\t$1,%edx\n\txorl\t60(%rsp),%ebp\n\tmovl\t%edi,%eax\n\tmovl\t%edx,56(%rsp)\n\tmovl\t%esi,%ecx\n\txorl\t4(%rsp),%ebp\n\txorl\t%r12d,%eax\n\troll\t$5,%ecx\n\txorl\t28(%rsp),%ebp\n\tleal\t1859775393(%rdx,%r13,1),%r13d\n\txorl\t%r11d,%eax\n\taddl\t%ecx,%r13d\n\troll\t$30,%edi\n\taddl\t%eax,%r13d\n\troll\t$1,%ebp\n\txorl\t0(%rsp),%r14d\n\tmovl\t%esi,%eax\n\tmovl\t%ebp,60(%rsp)\n\tmovl\t%r13d,%ecx\n\txorl\t8(%rsp),%r14d\n\txorl\t%r11d,%eax\n\troll\t$5,%ecx\n\txorl\t32(%rsp),%r14d\n\tleal\t1859775393(%rbp,%r12,1),%r12d\n\txorl\t%edi,%eax\n\taddl\t%ecx,%r12d\n\troll\t$30,%esi\n\taddl\t%eax,%r12d\n\troll\t$1,%r14d\n\txorl\t4(%rsp),%edx\n\tmovl\t%r13d,%eax\n\tmovl\t%r14d,0(%rsp)\n\tmovl\t%r12d,%ecx\n\txorl\t12(%rsp),%edx\n\txorl\t%edi,%eax\n\troll\t$5,%ecx\n\txorl\t36(%rsp),%edx\n\tleal\t1859775393(%r14,%r11,1),%r11d\n\txorl\t%esi,%eax\n\taddl\t%ecx,%r11d\n\troll\t$30,%r13d\n\taddl\t%eax,%r11d\n\troll\t$1,%edx\n\txorl\t8(%rsp),%ebp\n\tmovl\t%r12d,%eax\n\tmovl\t%edx,4(%rsp)\n\tmovl\t%r11d,%ecx\n\txorl\t16(%rsp),%ebp\n\txorl\t%esi,%eax\n\troll\t$5,%ecx\n\txorl\t40(%rsp),%ebp\n\tleal\t1859775393(%rdx,%rdi,1),%edi\n\txorl\t%r13d,%eax\n\taddl\t%ecx,%edi\n\troll\t$30,%r12d\n\taddl\t%eax,%edi\n\troll\t$1,%ebp\n\txorl\t12(%rsp),%r14d\n\tmovl\t%r11d,%eax\n\tmovl\t%ebp,8(%rsp)\n\tmovl\t%edi,%ecx\n\txorl\t20(%rsp),%r14d\n\txorl\t%r13d,%eax\n\troll\t$5,%ecx\n\txorl\t44(%rsp),%r14d\n\tleal\t1859775393(%rbp,%rsi,1),%esi\n\txorl\t%r12d,%eax\n\taddl\t%ecx,%esi\n\troll\t$30,%r11d\n\taddl\t%eax,%esi\n\troll\t$1,%r14d\n\txorl\t16(%rsp),%edx\n\tmovl\t%edi,%eax\n\tmovl\t%r14d,12(%rsp)\n\tmovl\t%esi,%ecx\n\txorl\t24(%rsp),%edx\n\txorl\t%r12d,%eax\n\troll\t$5,%ecx\n\txorl\t48(%rsp),%edx\n\tleal\t1859775393(%r14,%r13,1),%r13d\n\txorl\t%r11d,%eax\n\taddl\t%ecx,%r13d\n\troll\t$30,%edi\n\taddl\t%eax,%r13d\n\troll\t$1,%edx\n\txorl\t20(%rsp),%ebp\n\tmovl\t%esi,%eax\n\tmovl\t%edx,16(%rsp)\n\tmovl\t%r13d,%ecx\n\txorl\t28(%rsp),%ebp\n\txorl\t%r11d,%eax\n\troll\t$5,%ecx\n\txorl\t52(%rsp),%ebp\n\tleal\t1859775393(%rdx,%r12,1),%r12d\n\txorl\t%edi,%eax\n\taddl\t%ecx,%r12d\n\troll\t$30,%esi\n\taddl\t%eax,%r12d\n\troll\t$1,%ebp\n\txorl\t24(%rsp),%r14d\n\tmovl\t%r13d,%eax\n\tmovl\t%ebp,20(%rsp)\n\tmovl\t%r12d,%ecx\n\txorl\t32(%rsp),%r14d\n\txorl\t%edi,%eax\n\troll\t$5,%ecx\n\txorl\t56(%rsp),%r14d\n\tleal\t1859775393(%rbp,%r11,1),%r11d\n\txorl\t%esi,%eax\n\taddl\t%ecx,%r11d\n\troll\t$30,%r13d\n\taddl\t%eax,%r11d\n\troll\t$1,%r14d\n\txorl\t28(%rsp),%edx\n\tmovl\t%r12d,%eax\n\tmovl\t%r14d,24(%rsp)\n\tmovl\t%r11d,%ecx\n\txorl\t36(%rsp),%edx\n\txorl\t%esi,%eax\n\troll\t$5,%ecx\n\txorl\t60(%rsp),%edx\n\tleal\t1859775393(%r14,%rdi,1),%edi\n\txorl\t%r13d,%eax\n\taddl\t%ecx,%edi\n\troll\t$30,%r12d\n\taddl\t%eax,%edi\n\troll\t$1,%edx\n\txorl\t32(%rsp),%ebp\n\tmovl\t%r11d,%eax\n\tmovl\t%edx,28(%rsp)\n\tmovl\t%edi,%ecx\n\txorl\t40(%rsp),%ebp\n\txorl\t%r13d,%eax\n\troll\t$5,%ecx\n\txorl\t0(%rsp),%ebp\n\tleal\t1859775393(%rdx,%rsi,1),%esi\n\txorl\t%r12d,%eax\n\taddl\t%ecx,%esi\n\troll\t$30,%r11d\n\taddl\t%eax,%esi\n\troll\t$1,%ebp\n\txorl\t36(%rsp),%r14d\n\tmovl\t%r12d,%eax\n\tmovl\t%ebp,32(%rsp)\n\tmovl\t%r12d,%ebx\n\txorl\t44(%rsp),%r14d\n\tandl\t%r11d,%eax\n\tmovl\t%esi,%ecx\n\txorl\t4(%rsp),%r14d\n\tleal\t-1894007588(%rbp,%r13,1),%r13d\n\txorl\t%r11d,%ebx\n\troll\t$5,%ecx\n\taddl\t%eax,%r13d\n\troll\t$1,%r14d\n\tandl\t%edi,%ebx\n\taddl\t%ecx,%r13d\n\troll\t$30,%edi\n\taddl\t%ebx,%r13d\n\txorl\t40(%rsp),%edx\n\tmovl\t%r11d,%eax\n\tmovl\t%r14d,36(%rsp)\n\tmovl\t%r11d,%ebx\n\txorl\t48(%rsp),%edx\n\tandl\t%edi,%eax\n\tmovl\t%r13d,%ecx\n\txorl\t8(%rsp),%edx\n\tleal\t-1894007588(%r14,%r12,1),%r12d\n\txorl\t%edi,%ebx\n\troll\t$5,%ecx\n\taddl\t%eax,%r12d\n\troll\t$1,%edx\n\tandl\t%esi,%ebx\n\taddl\t%ecx,%r12d\n\troll\t$30,%esi\n\taddl\t%ebx,%r12d\n\txorl\t44(%rsp),%ebp\n\tmovl\t%edi,%eax\n\tmovl\t%edx,40(%rsp)\n\tmovl\t%edi,%ebx\n\txorl\t52(%rsp),%ebp\n\tandl\t%esi,%eax\n\tmovl\t%r12d,%ecx\n\txorl\t12(%rsp),%ebp\n\tleal\t-1894007588(%rdx,%r11,1),%r11d\n\txorl\t%esi,%ebx\n\troll\t$5,%ecx\n\taddl\t%eax,%r11d\n\troll\t$1,%ebp\n\tandl\t%r13d,%ebx\n\taddl\t%ecx,%r11d\n\troll\t$30,%r13d\n\taddl\t%ebx,%r11d\n\txorl\t48(%rsp),%r14d\n\tmovl\t%esi,%eax\n\tmovl\t%ebp,44(%rsp)\n\tmovl\t%esi,%ebx\n\txorl\t56(%rsp),%r14d\n\tandl\t%r13d,%eax\n\tmovl\t%r11d,%ecx\n\txorl\t16(%rsp),%r14d\n\tleal\t-1894007588(%rbp,%rdi,1),%edi\n\txorl\t%r13d,%ebx\n\troll\t$5,%ecx\n\taddl\t%eax,%edi\n\troll\t$1,%r14d\n\tandl\t%r12d,%ebx\n\taddl\t%ecx,%edi\n\troll\t$30,%r12d\n\taddl\t%ebx,%edi\n\txorl\t52(%rsp),%edx\n\tmovl\t%r13d,%eax\n\tmovl\t%r14d,48(%rsp)\n\tmovl\t%r13d,%ebx\n\txorl\t60(%rsp),%edx\n\tandl\t%r12d,%eax\n\tmovl\t%edi,%ecx\n\txorl\t20(%rsp),%edx\n\tleal\t-1894007588(%r14,%rsi,1),%esi\n\txorl\t%r12d,%ebx\n\troll\t$5,%ecx\n\taddl\t%eax,%esi\n\troll\t$1,%edx\n\tandl\t%r11d,%ebx\n\taddl\t%ecx,%esi\n\troll\t$30,%r11d\n\taddl\t%ebx,%esi\n\txorl\t56(%rsp),%ebp\n\tmovl\t%r12d,%eax\n\tmovl\t%edx,52(%rsp)\n\tmovl\t%r12d,%ebx\n\txorl\t0(%rsp),%ebp\n\tandl\t%r11d,%eax\n\tmovl\t%esi,%ecx\n\txorl\t24(%rsp),%ebp\n\tleal\t-1894007588(%rdx,%r13,1),%r13d\n\txorl\t%r11d,%ebx\n\troll\t$5,%ecx\n\taddl\t%eax,%r13d\n\troll\t$1,%ebp\n\tandl\t%edi,%ebx\n\taddl\t%ecx,%r13d\n\troll\t$30,%edi\n\taddl\t%ebx,%r13d\n\txorl\t60(%rsp),%r14d\n\tmovl\t%r11d,%eax\n\tmovl\t%ebp,56(%rsp)\n\tmovl\t%r11d,%ebx\n\txorl\t4(%rsp),%r14d\n\tandl\t%edi,%eax\n\tmovl\t%r13d,%ecx\n\txorl\t28(%rsp),%r14d\n\tleal\t-1894007588(%rbp,%r12,1),%r12d\n\txorl\t%edi,%ebx\n\troll\t$5,%ecx\n\taddl\t%eax,%r12d\n\troll\t$1,%r14d\n\tandl\t%esi,%ebx\n\taddl\t%ecx,%r12d\n\troll\t$30,%esi\n\taddl\t%ebx,%r12d\n\txorl\t0(%rsp),%edx\n\tmovl\t%edi,%eax\n\tmovl\t%r14d,60(%rsp)\n\tmovl\t%edi,%ebx\n\txorl\t8(%rsp),%edx\n\tandl\t%esi,%eax\n\tmovl\t%r12d,%ecx\n\txorl\t32(%rsp),%edx\n\tleal\t-1894007588(%r14,%r11,1),%r11d\n\txorl\t%esi,%ebx\n\troll\t$5,%ecx\n\taddl\t%eax,%r11d\n\troll\t$1,%edx\n\tandl\t%r13d,%ebx\n\taddl\t%ecx,%r11d\n\troll\t$30,%r13d\n\taddl\t%ebx,%r11d\n\txorl\t4(%rsp),%ebp\n\tmovl\t%esi,%eax\n\tmovl\t%edx,0(%rsp)\n\tmovl\t%esi,%ebx\n\txorl\t12(%rsp),%ebp\n\tandl\t%r13d,%eax\n\tmovl\t%r11d,%ecx\n\txorl\t36(%rsp),%ebp\n\tleal\t-1894007588(%rdx,%rdi,1),%edi\n\txorl\t%r13d,%ebx\n\troll\t$5,%ecx\n\taddl\t%eax,%edi\n\troll\t$1,%ebp\n\tandl\t%r12d,%ebx\n\taddl\t%ecx,%edi\n\troll\t$30,%r12d\n\taddl\t%ebx,%edi\n\txorl\t8(%rsp),%r14d\n\tmovl\t%r13d,%eax\n\tmovl\t%ebp,4(%rsp)\n\tmovl\t%r13d,%ebx\n\txorl\t16(%rsp),%r14d\n\tandl\t%r12d,%eax\n\tmovl\t%edi,%ecx\n\txorl\t40(%rsp),%r14d\n\tleal\t-1894007588(%rbp,%rsi,1),%esi\n\txorl\t%r12d,%ebx\n\troll\t$5,%ecx\n\taddl\t%eax,%esi\n\troll\t$1,%r14d\n\tandl\t%r11d,%ebx\n\taddl\t%ecx,%esi\n\troll\t$30,%r11d\n\taddl\t%ebx,%esi\n\txorl\t12(%rsp),%edx\n\tmovl\t%r12d,%eax\n\tmovl\t%r14d,8(%rsp)\n\tmovl\t%r12d,%ebx\n\txorl\t20(%rsp),%edx\n\tandl\t%r11d,%eax\n\tmovl\t%esi,%ecx\n\txorl\t44(%rsp),%edx\n\tleal\t-1894007588(%r14,%r13,1),%r13d\n\txorl\t%r11d,%ebx\n\troll\t$5,%ecx\n\taddl\t%eax,%r13d\n\troll\t$1,%edx\n\tandl\t%edi,%ebx\n\taddl\t%ecx,%r13d\n\troll\t$30,%edi\n\taddl\t%ebx,%r13d\n\txorl\t16(%rsp),%ebp\n\tmovl\t%r11d,%eax\n\tmovl\t%edx,12(%rsp)\n\tmovl\t%r11d,%ebx\n\txorl\t24(%rsp),%ebp\n\tandl\t%edi,%eax\n\tmovl\t%r13d,%ecx\n\txorl\t48(%rsp),%ebp\n\tleal\t-1894007588(%rdx,%r12,1),%r12d\n\txorl\t%edi,%ebx\n\troll\t$5,%ecx\n\taddl\t%eax,%r12d\n\troll\t$1,%ebp\n\tandl\t%esi,%ebx\n\taddl\t%ecx,%r12d\n\troll\t$30,%esi\n\taddl\t%ebx,%r12d\n\txorl\t20(%rsp),%r14d\n\tmovl\t%edi,%eax\n\tmovl\t%ebp,16(%rsp)\n\tmovl\t%edi,%ebx\n\txorl\t28(%rsp),%r14d\n\tandl\t%esi,%eax\n\tmovl\t%r12d,%ecx\n\txorl\t52(%rsp),%r14d\n\tleal\t-1894007588(%rbp,%r11,1),%r11d\n\txorl\t%esi,%ebx\n\troll\t$5,%ecx\n\taddl\t%eax,%r11d\n\troll\t$1,%r14d\n\tandl\t%r13d,%ebx\n\taddl\t%ecx,%r11d\n\troll\t$30,%r13d\n\taddl\t%ebx,%r11d\n\txorl\t24(%rsp),%edx\n\tmovl\t%esi,%eax\n\tmovl\t%r14d,20(%rsp)\n\tmovl\t%esi,%ebx\n\txorl\t32(%rsp),%edx\n\tandl\t%r13d,%eax\n\tmovl\t%r11d,%ecx\n\txorl\t56(%rsp),%edx\n\tleal\t-1894007588(%r14,%rdi,1),%edi\n\txorl\t%r13d,%ebx\n\troll\t$5,%ecx\n\taddl\t%eax,%edi\n\troll\t$1,%edx\n\tandl\t%r12d,%ebx\n\taddl\t%ecx,%edi\n\troll\t$30,%r12d\n\taddl\t%ebx,%edi\n\txorl\t28(%rsp),%ebp\n\tmovl\t%r13d,%eax\n\tmovl\t%edx,24(%rsp)\n\tmovl\t%r13d,%ebx\n\txorl\t36(%rsp),%ebp\n\tandl\t%r12d,%eax\n\tmovl\t%edi,%ecx\n\txorl\t60(%rsp),%ebp\n\tleal\t-1894007588(%rdx,%rsi,1),%esi\n\txorl\t%r12d,%ebx\n\troll\t$5,%ecx\n\taddl\t%eax,%esi\n\troll\t$1,%ebp\n\tandl\t%r11d,%ebx\n\taddl\t%ecx,%esi\n\troll\t$30,%r11d\n\taddl\t%ebx,%esi\n\txorl\t32(%rsp),%r14d\n\tmovl\t%r12d,%eax\n\tmovl\t%ebp,28(%rsp)\n\tmovl\t%r12d,%ebx\n\txorl\t40(%rsp),%r14d\n\tandl\t%r11d,%eax\n\tmovl\t%esi,%ecx\n\txorl\t0(%rsp),%r14d\n\tleal\t-1894007588(%rbp,%r13,1),%r13d\n\txorl\t%r11d,%ebx\n\troll\t$5,%ecx\n\taddl\t%eax,%r13d\n\troll\t$1,%r14d\n\tandl\t%edi,%ebx\n\taddl\t%ecx,%r13d\n\troll\t$30,%edi\n\taddl\t%ebx,%r13d\n\txorl\t36(%rsp),%edx\n\tmovl\t%r11d,%eax\n\tmovl\t%r14d,32(%rsp)\n\tmovl\t%r11d,%ebx\n\txorl\t44(%rsp),%edx\n\tandl\t%edi,%eax\n\tmovl\t%r13d,%ecx\n\txorl\t4(%rsp),%edx\n\tleal\t-1894007588(%r14,%r12,1),%r12d\n\txorl\t%edi,%ebx\n\troll\t$5,%ecx\n\taddl\t%eax,%r12d\n\troll\t$1,%edx\n\tandl\t%esi,%ebx\n\taddl\t%ecx,%r12d\n\troll\t$30,%esi\n\taddl\t%ebx,%r12d\n\txorl\t40(%rsp),%ebp\n\tmovl\t%edi,%eax\n\tmovl\t%edx,36(%rsp)\n\tmovl\t%edi,%ebx\n\txorl\t48(%rsp),%ebp\n\tandl\t%esi,%eax\n\tmovl\t%r12d,%ecx\n\txorl\t8(%rsp),%ebp\n\tleal\t-1894007588(%rdx,%r11,1),%r11d\n\txorl\t%esi,%ebx\n\troll\t$5,%ecx\n\taddl\t%eax,%r11d\n\troll\t$1,%ebp\n\tandl\t%r13d,%ebx\n\taddl\t%ecx,%r11d\n\troll\t$30,%r13d\n\taddl\t%ebx,%r11d\n\txorl\t44(%rsp),%r14d\n\tmovl\t%esi,%eax\n\tmovl\t%ebp,40(%rsp)\n\tmovl\t%esi,%ebx\n\txorl\t52(%rsp),%r14d\n\tandl\t%r13d,%eax\n\tmovl\t%r11d,%ecx\n\txorl\t12(%rsp),%r14d\n\tleal\t-1894007588(%rbp,%rdi,1),%edi\n\txorl\t%r13d,%ebx\n\troll\t$5,%ecx\n\taddl\t%eax,%edi\n\troll\t$1,%r14d\n\tandl\t%r12d,%ebx\n\taddl\t%ecx,%edi\n\troll\t$30,%r12d\n\taddl\t%ebx,%edi\n\txorl\t48(%rsp),%edx\n\tmovl\t%r13d,%eax\n\tmovl\t%r14d,44(%rsp)\n\tmovl\t%r13d,%ebx\n\txorl\t56(%rsp),%edx\n\tandl\t%r12d,%eax\n\tmovl\t%edi,%ecx\n\txorl\t16(%rsp),%edx\n\tleal\t-1894007588(%r14,%rsi,1),%esi\n\txorl\t%r12d,%ebx\n\troll\t$5,%ecx\n\taddl\t%eax,%esi\n\troll\t$1,%edx\n\tandl\t%r11d,%ebx\n\taddl\t%ecx,%esi\n\troll\t$30,%r11d\n\taddl\t%ebx,%esi\n\txorl\t52(%rsp),%ebp\n\tmovl\t%edi,%eax\n\tmovl\t%edx,48(%rsp)\n\tmovl\t%esi,%ecx\n\txorl\t60(%rsp),%ebp\n\txorl\t%r12d,%eax\n\troll\t$5,%ecx\n\txorl\t20(%rsp),%ebp\n\tleal\t-899497514(%rdx,%r13,1),%r13d\n\txorl\t%r11d,%eax\n\taddl\t%ecx,%r13d\n\troll\t$30,%edi\n\taddl\t%eax,%r13d\n\troll\t$1,%ebp\n\txorl\t56(%rsp),%r14d\n\tmovl\t%esi,%eax\n\tmovl\t%ebp,52(%rsp)\n\tmovl\t%r13d,%ecx\n\txorl\t0(%rsp),%r14d\n\txorl\t%r11d,%eax\n\troll\t$5,%ecx\n\txorl\t24(%rsp),%r14d\n\tleal\t-899497514(%rbp,%r12,1),%r12d\n\txorl\t%edi,%eax\n\taddl\t%ecx,%r12d\n\troll\t$30,%esi\n\taddl\t%eax,%r12d\n\troll\t$1,%r14d\n\txorl\t60(%rsp),%edx\n\tmovl\t%r13d,%eax\n\tmovl\t%r14d,56(%rsp)\n\tmovl\t%r12d,%ecx\n\txorl\t4(%rsp),%edx\n\txorl\t%edi,%eax\n\troll\t$5,%ecx\n\txorl\t28(%rsp),%edx\n\tleal\t-899497514(%r14,%r11,1),%r11d\n\txorl\t%esi,%eax\n\taddl\t%ecx,%r11d\n\troll\t$30,%r13d\n\taddl\t%eax,%r11d\n\troll\t$1,%edx\n\txorl\t0(%rsp),%ebp\n\tmovl\t%r12d,%eax\n\tmovl\t%edx,60(%rsp)\n\tmovl\t%r11d,%ecx\n\txorl\t8(%rsp),%ebp\n\txorl\t%esi,%eax\n\troll\t$5,%ecx\n\txorl\t32(%rsp),%ebp\n\tleal\t-899497514(%rdx,%rdi,1),%edi\n\txorl\t%r13d,%eax\n\taddl\t%ecx,%edi\n\troll\t$30,%r12d\n\taddl\t%eax,%edi\n\troll\t$1,%ebp\n\txorl\t4(%rsp),%r14d\n\tmovl\t%r11d,%eax\n\tmovl\t%ebp,0(%rsp)\n\tmovl\t%edi,%ecx\n\txorl\t12(%rsp),%r14d\n\txorl\t%r13d,%eax\n\troll\t$5,%ecx\n\txorl\t36(%rsp),%r14d\n\tleal\t-899497514(%rbp,%rsi,1),%esi\n\txorl\t%r12d,%eax\n\taddl\t%ecx,%esi\n\troll\t$30,%r11d\n\taddl\t%eax,%esi\n\troll\t$1,%r14d\n\txorl\t8(%rsp),%edx\n\tmovl\t%edi,%eax\n\tmovl\t%r14d,4(%rsp)\n\tmovl\t%esi,%ecx\n\txorl\t16(%rsp),%edx\n\txorl\t%r12d,%eax\n\troll\t$5,%ecx\n\txorl\t40(%rsp),%edx\n\tleal\t-899497514(%r14,%r13,1),%r13d\n\txorl\t%r11d,%eax\n\taddl\t%ecx,%r13d\n\troll\t$30,%edi\n\taddl\t%eax,%r13d\n\troll\t$1,%edx\n\txorl\t12(%rsp),%ebp\n\tmovl\t%esi,%eax\n\tmovl\t%edx,8(%rsp)\n\tmovl\t%r13d,%ecx\n\txorl\t20(%rsp),%ebp\n\txorl\t%r11d,%eax\n\troll\t$5,%ecx\n\txorl\t44(%rsp),%ebp\n\tleal\t-899497514(%rdx,%r12,1),%r12d\n\txorl\t%edi,%eax\n\taddl\t%ecx,%r12d\n\troll\t$30,%esi\n\taddl\t%eax,%r12d\n\troll\t$1,%ebp\n\txorl\t16(%rsp),%r14d\n\tmovl\t%r13d,%eax\n\tmovl\t%ebp,12(%rsp)\n\tmovl\t%r12d,%ecx\n\txorl\t24(%rsp),%r14d\n\txorl\t%edi,%eax\n\troll\t$5,%ecx\n\txorl\t48(%rsp),%r14d\n\tleal\t-899497514(%rbp,%r11,1),%r11d\n\txorl\t%esi,%eax\n\taddl\t%ecx,%r11d\n\troll\t$30,%r13d\n\taddl\t%eax,%r11d\n\troll\t$1,%r14d\n\txorl\t20(%rsp),%edx\n\tmovl\t%r12d,%eax\n\tmovl\t%r14d,16(%rsp)\n\tmovl\t%r11d,%ecx\n\txorl\t28(%rsp),%edx\n\txorl\t%esi,%eax\n\troll\t$5,%ecx\n\txorl\t52(%rsp),%edx\n\tleal\t-899497514(%r14,%rdi,1),%edi\n\txorl\t%r13d,%eax\n\taddl\t%ecx,%edi\n\troll\t$30,%r12d\n\taddl\t%eax,%edi\n\troll\t$1,%edx\n\txorl\t24(%rsp),%ebp\n\tmovl\t%r11d,%eax\n\tmovl\t%edx,20(%rsp)\n\tmovl\t%edi,%ecx\n\txorl\t32(%rsp),%ebp\n\txorl\t%r13d,%eax\n\troll\t$5,%ecx\n\txorl\t56(%rsp),%ebp\n\tleal\t-899497514(%rdx,%rsi,1),%esi\n\txorl\t%r12d,%eax\n\taddl\t%ecx,%esi\n\troll\t$30,%r11d\n\taddl\t%eax,%esi\n\troll\t$1,%ebp\n\txorl\t28(%rsp),%r14d\n\tmovl\t%edi,%eax\n\tmovl\t%ebp,24(%rsp)\n\tmovl\t%esi,%ecx\n\txorl\t36(%rsp),%r14d\n\txorl\t%r12d,%eax\n\troll\t$5,%ecx\n\txorl\t60(%rsp),%r14d\n\tleal\t-899497514(%rbp,%r13,1),%r13d\n\txorl\t%r11d,%eax\n\taddl\t%ecx,%r13d\n\troll\t$30,%edi\n\taddl\t%eax,%r13d\n\troll\t$1,%r14d\n\txorl\t32(%rsp),%edx\n\tmovl\t%esi,%eax\n\tmovl\t%r14d,28(%rsp)\n\tmovl\t%r13d,%ecx\n\txorl\t40(%rsp),%edx\n\txorl\t%r11d,%eax\n\troll\t$5,%ecx\n\txorl\t0(%rsp),%edx\n\tleal\t-899497514(%r14,%r12,1),%r12d\n\txorl\t%edi,%eax\n\taddl\t%ecx,%r12d\n\troll\t$30,%esi\n\taddl\t%eax,%r12d\n\troll\t$1,%edx\n\txorl\t36(%rsp),%ebp\n\tmovl\t%r13d,%eax\n\n\tmovl\t%r12d,%ecx\n\txorl\t44(%rsp),%ebp\n\txorl\t%edi,%eax\n\troll\t$5,%ecx\n\txorl\t4(%rsp),%ebp\n\tleal\t-899497514(%rdx,%r11,1),%r11d\n\txorl\t%esi,%eax\n\taddl\t%ecx,%r11d\n\troll\t$30,%r13d\n\taddl\t%eax,%r11d\n\troll\t$1,%ebp\n\txorl\t40(%rsp),%r14d\n\tmovl\t%r12d,%eax\n\n\tmovl\t%r11d,%ecx\n\txorl\t48(%rsp),%r14d\n\txorl\t%esi,%eax\n\troll\t$5,%ecx\n\txorl\t8(%rsp),%r14d\n\tleal\t-899497514(%rbp,%rdi,1),%edi\n\txorl\t%r13d,%eax\n\taddl\t%ecx,%edi\n\troll\t$30,%r12d\n\taddl\t%eax,%edi\n\troll\t$1,%r14d\n\txorl\t44(%rsp),%edx\n\tmovl\t%r11d,%eax\n\n\tmovl\t%edi,%ecx\n\txorl\t52(%rsp),%edx\n\txorl\t%r13d,%eax\n\troll\t$5,%ecx\n\txorl\t12(%rsp),%edx\n\tleal\t-899497514(%r14,%rsi,1),%esi\n\txorl\t%r12d,%eax\n\taddl\t%ecx,%esi\n\troll\t$30,%r11d\n\taddl\t%eax,%esi\n\troll\t$1,%edx\n\txorl\t48(%rsp),%ebp\n\tmovl\t%edi,%eax\n\n\tmovl\t%esi,%ecx\n\txorl\t56(%rsp),%ebp\n\txorl\t%r12d,%eax\n\troll\t$5,%ecx\n\txorl\t16(%rsp),%ebp\n\tleal\t-899497514(%rdx,%r13,1),%r13d\n\txorl\t%r11d,%eax\n\taddl\t%ecx,%r13d\n\troll\t$30,%edi\n\taddl\t%eax,%r13d\n\troll\t$1,%ebp\n\txorl\t52(%rsp),%r14d\n\tmovl\t%esi,%eax\n\n\tmovl\t%r13d,%ecx\n\txorl\t60(%rsp),%r14d\n\txorl\t%r11d,%eax\n\troll\t$5,%ecx\n\txorl\t20(%rsp),%r14d\n\tleal\t-899497514(%rbp,%r12,1),%r12d\n\txorl\t%edi,%eax\n\taddl\t%ecx,%r12d\n\troll\t$30,%esi\n\taddl\t%eax,%r12d\n\troll\t$1,%r14d\n\txorl\t56(%rsp),%edx\n\tmovl\t%r13d,%eax\n\n\tmovl\t%r12d,%ecx\n\txorl\t0(%rsp),%edx\n\txorl\t%edi,%eax\n\troll\t$5,%ecx\n\txorl\t24(%rsp),%edx\n\tleal\t-899497514(%r14,%r11,1),%r11d\n\txorl\t%esi,%eax\n\taddl\t%ecx,%r11d\n\troll\t$30,%r13d\n\taddl\t%eax,%r11d\n\troll\t$1,%edx\n\txorl\t60(%rsp),%ebp\n\tmovl\t%r12d,%eax\n\n\tmovl\t%r11d,%ecx\n\txorl\t4(%rsp),%ebp\n\txorl\t%esi,%eax\n\troll\t$5,%ecx\n\txorl\t28(%rsp),%ebp\n\tleal\t-899497514(%rdx,%rdi,1),%edi\n\txorl\t%r13d,%eax\n\taddl\t%ecx,%edi\n\troll\t$30,%r12d\n\taddl\t%eax,%edi\n\troll\t$1,%ebp\n\tmovl\t%r11d,%eax\n\tmovl\t%edi,%ecx\n\txorl\t%r13d,%eax\n\tleal\t-899497514(%rbp,%rsi,1),%esi\n\troll\t$5,%ecx\n\txorl\t%r12d,%eax\n\taddl\t%ecx,%esi\n\troll\t$30,%r11d\n\taddl\t%eax,%esi\n\taddl\t0(%r8),%esi\n\taddl\t4(%r8),%edi\n\taddl\t8(%r8),%r11d\n\taddl\t12(%r8),%r12d\n\taddl\t16(%r8),%r13d\n\tmovl\t%esi,0(%r8)\n\tmovl\t%edi,4(%r8)\n\tmovl\t%r11d,8(%r8)\n\tmovl\t%r12d,12(%r8)\n\tmovl\t%r13d,16(%r8)\n\n\tsubq\t$1,%r10\n\tleaq\t64(%r9),%r9\n\tjnz\t.Lloop\n\n\tmovq\t64(%rsp),%rsi\n.cfi_def_cfa\t%rsi,8\n\tmovq\t-40(%rsi),%r14\n.cfi_restore\t%r14\n\tmovq\t-32(%rsi),%r13\n.cfi_restore\t%r13\n\tmovq\t-24(%rsi),%r12\n.cfi_restore\t%r12\n\tmovq\t-16(%rsi),%rbp\n.cfi_restore\t%rbp\n\tmovq\t-8(%rsi),%rbx\n.cfi_restore\t%rbx\n\tleaq\t(%rsi),%rsp\n.cfi_def_cfa_register\t%rsp\n.Lepilogue:\n\tret\n.cfi_endproc\t\n.size\tsha1_block_data_order_nohw,.-sha1_block_data_order_nohw\n.globl\tsha1_block_data_order_hw\n.hidden sha1_block_data_order_hw\n.type\tsha1_block_data_order_hw,@function\n.align\t32\nsha1_block_data_order_hw:\n.cfi_startproc\t\n_CET_ENDBR\n\tmovdqu\t(%rdi),%xmm0\n\tmovd\t16(%rdi),%xmm1\n\tmovdqa\tK_XX_XX+160(%rip),%xmm3\n\n\tmovdqu\t(%rsi),%xmm4\n\tpshufd\t$27,%xmm0,%xmm0\n\tmovdqu\t16(%rsi),%xmm5\n\tpshufd\t$27,%xmm1,%xmm1\n\tmovdqu\t32(%rsi),%xmm6\n.byte\t102,15,56,0,227\n\tmovdqu\t48(%rsi),%xmm7\n.byte\t102,15,56,0,235\n.byte\t102,15,56,0,243\n\tmovdqa\t%xmm1,%xmm9\n.byte\t102,15,56,0,251\n\tjmp\t.Loop_shaext\n\n.align\t16\n.Loop_shaext:\n\tdecq\t%rdx\n\tleaq\t64(%rsi),%r8\n\tpaddd\t%xmm4,%xmm1\n\tcmovneq\t%r8,%rsi\n\tprefetcht0\t512(%rsi)\n\tmovdqa\t%xmm0,%xmm8\n.byte\t15,56,201,229\n\tmovdqa\t%xmm0,%xmm2\n.byte\t15,58,204,193,0\n.byte\t15,56,200,213\n\tpxor\t%xmm6,%xmm4\n.byte\t15,56,201,238\n.byte\t15,56,202,231\n\n\tmovdqa\t%xmm0,%xmm1\n.byte\t15,58,204,194,0\n.byte\t15,56,200,206\n\tpxor\t%xmm7,%xmm5\n.byte\t15,56,202,236\n.byte\t15,56,201,247\n\tmovdqa\t%xmm0,%xmm2\n.byte\t15,58,204,193,0\n.byte\t15,56,200,215\n\tpxor\t%xmm4,%xmm6\n.byte\t15,56,201,252\n.byte\t15,56,202,245\n\n\tmovdqa\t%xmm0,%xmm1\n.byte\t15,58,204,194,0\n.byte\t15,56,200,204\n\tpxor\t%xmm5,%xmm7\n.byte\t15,56,202,254\n.byte\t15,56,201,229\n\tmovdqa\t%xmm0,%xmm2\n.byte\t15,58,204,193,0\n.byte\t15,56,200,213\n\tpxor\t%xmm6,%xmm4\n.byte\t15,56,201,238\n.byte\t15,56,202,231\n\n\tmovdqa\t%xmm0,%xmm1\n.byte\t15,58,204,194,1\n.byte\t15,56,200,206\n\tpxor\t%xmm7,%xmm5\n.byte\t15,56,202,236\n.byte\t15,56,201,247\n\tmovdqa\t%xmm0,%xmm2\n.byte\t15,58,204,193,1\n.byte\t15,56,200,215\n\tpxor\t%xmm4,%xmm6\n.byte\t15,56,201,252\n.byte\t15,56,202,245\n\n\tmovdqa\t%xmm0,%xmm1\n.byte\t15,58,204,194,1\n.byte\t15,56,200,204\n\tpxor\t%xmm5,%xmm7\n.byte\t15,56,202,254\n.byte\t15,56,201,229\n\tmovdqa\t%xmm0,%xmm2\n.byte\t15,58,204,193,1\n.byte\t15,56,200,213\n\tpxor\t%xmm6,%xmm4\n.byte\t15,56,201,238\n.byte\t15,56,202,231\n\n\tmovdqa\t%xmm0,%xmm1\n.byte\t15,58,204,194,1\n.byte\t15,56,200,206\n\tpxor\t%xmm7,%xmm5\n.byte\t15,56,202,236\n.byte\t15,56,201,247\n\tmovdqa\t%xmm0,%xmm2\n.byte\t15,58,204,193,2\n.byte\t15,56,200,215\n\tpxor\t%xmm4,%xmm6\n.byte\t15,56,201,252\n.byte\t15,56,202,245\n\n\tmovdqa\t%xmm0,%xmm1\n.byte\t15,58,204,194,2\n.byte\t15,56,200,204\n\tpxor\t%xmm5,%xmm7\n.byte\t15,56,202,254\n.byte\t15,56,201,229\n\tmovdqa\t%xmm0,%xmm2\n.byte\t15,58,204,193,2\n.byte\t15,56,200,213\n\tpxor\t%xmm6,%xmm4\n.byte\t15,56,201,238\n.byte\t15,56,202,231\n\n\tmovdqa\t%xmm0,%xmm1\n.byte\t15,58,204,194,2\n.byte\t15,56,200,206\n\tpxor\t%xmm7,%xmm5\n.byte\t15,56,202,236\n.byte\t15,56,201,247\n\tmovdqa\t%xmm0,%xmm2\n.byte\t15,58,204,193,2\n.byte\t15,56,200,215\n\tpxor\t%xmm4,%xmm6\n.byte\t15,56,201,252\n.byte\t15,56,202,245\n\n\tmovdqa\t%xmm0,%xmm1\n.byte\t15,58,204,194,3\n.byte\t15,56,200,204\n\tpxor\t%xmm5,%xmm7\n.byte\t15,56,202,254\n\tmovdqu\t(%rsi),%xmm4\n\tmovdqa\t%xmm0,%xmm2\n.byte\t15,58,204,193,3\n.byte\t15,56,200,213\n\tmovdqu\t16(%rsi),%xmm5\n.byte\t102,15,56,0,227\n\n\tmovdqa\t%xmm0,%xmm1\n.byte\t15,58,204,194,3\n.byte\t15,56,200,206\n\tmovdqu\t32(%rsi),%xmm6\n.byte\t102,15,56,0,235\n\n\tmovdqa\t%xmm0,%xmm2\n.byte\t15,58,204,193,3\n.byte\t15,56,200,215\n\tmovdqu\t48(%rsi),%xmm7\n.byte\t102,15,56,0,243\n\n\tmovdqa\t%xmm0,%xmm1\n.byte\t15,58,204,194,3\n.byte\t65,15,56,200,201\n.byte\t102,15,56,0,251\n\n\tpaddd\t%xmm8,%xmm0\n\tmovdqa\t%xmm1,%xmm9\n\n\tjnz\t.Loop_shaext\n\n\tpshufd\t$27,%xmm0,%xmm0\n\tpshufd\t$27,%xmm1,%xmm1\n\tmovdqu\t%xmm0,(%rdi)\n\tmovd\t%xmm1,16(%rdi)\n\tret\n.cfi_endproc\t\n.size\tsha1_block_data_order_hw,.-sha1_block_data_order_hw\n.globl\tsha1_block_data_order_ssse3\n.hidden sha1_block_data_order_ssse3\n.type\tsha1_block_data_order_ssse3,@function\n.align\t16\nsha1_block_data_order_ssse3:\n.cfi_startproc\t\n_CET_ENDBR\n\tmovq\t%rsp,%r11\n.cfi_def_cfa_register\t%r11\n\tpushq\t%rbx\n.cfi_offset\t%rbx,-16\n\tpushq\t%rbp\n.cfi_offset\t%rbp,-24\n\tpushq\t%r12\n.cfi_offset\t%r12,-32\n\tpushq\t%r13\n.cfi_offset\t%r13,-40\n\tpushq\t%r14\n.cfi_offset\t%r14,-48\n\tleaq\t-64(%rsp),%rsp\n\tandq\t$-64,%rsp\n\tmovq\t%rdi,%r8\n\tmovq\t%rsi,%r9\n\tmovq\t%rdx,%r10\n\n\tshlq\t$6,%r10\n\taddq\t%r9,%r10\n\tleaq\tK_XX_XX+64(%rip),%r14\n\n\tmovl\t0(%r8),%eax\n\tmovl\t4(%r8),%ebx\n\tmovl\t8(%r8),%ecx\n\tmovl\t12(%r8),%edx\n\tmovl\t%ebx,%esi\n\tmovl\t16(%r8),%ebp\n\tmovl\t%ecx,%edi\n\txorl\t%edx,%edi\n\tandl\t%edi,%esi\n\n\tmovdqa\t64(%r14),%xmm6\n\tmovdqa\t-64(%r14),%xmm9\n\tmovdqu\t0(%r9),%xmm0\n\tmovdqu\t16(%r9),%xmm1\n\tmovdqu\t32(%r9),%xmm2\n\tmovdqu\t48(%r9),%xmm3\n.byte\t102,15,56,0,198\n.byte\t102,15,56,0,206\n.byte\t102,15,56,0,214\n\taddq\t$64,%r9\n\tpaddd\t%xmm9,%xmm0\n.byte\t102,15,56,0,222\n\tpaddd\t%xmm9,%xmm1\n\tpaddd\t%xmm9,%xmm2\n\tmovdqa\t%xmm0,0(%rsp)\n\tpsubd\t%xmm9,%xmm0\n\tmovdqa\t%xmm1,16(%rsp)\n\tpsubd\t%xmm9,%xmm1\n\tmovdqa\t%xmm2,32(%rsp)\n\tpsubd\t%xmm9,%xmm2\n\tjmp\t.Loop_ssse3\n.align\t16\n.Loop_ssse3:\n\trorl\t$2,%ebx\n\tpshufd\t$238,%xmm0,%xmm4\n\txorl\t%edx,%esi\n\tmovdqa\t%xmm3,%xmm8\n\tpaddd\t%xmm3,%xmm9\n\tmovl\t%eax,%edi\n\taddl\t0(%rsp),%ebp\n\tpunpcklqdq\t%xmm1,%xmm4\n\txorl\t%ecx,%ebx\n\troll\t$5,%eax\n\taddl\t%esi,%ebp\n\tpsrldq\t$4,%xmm8\n\tandl\t%ebx,%edi\n\txorl\t%ecx,%ebx\n\tpxor\t%xmm0,%xmm4\n\taddl\t%eax,%ebp\n\trorl\t$7,%eax\n\tpxor\t%xmm2,%xmm8\n\txorl\t%ecx,%edi\n\tmovl\t%ebp,%esi\n\taddl\t4(%rsp),%edx\n\tpxor\t%xmm8,%xmm4\n\txorl\t%ebx,%eax\n\troll\t$5,%ebp\n\tmovdqa\t%xmm9,48(%rsp)\n\taddl\t%edi,%edx\n\tandl\t%eax,%esi\n\tmovdqa\t%xmm4,%xmm10\n\txorl\t%ebx,%eax\n\taddl\t%ebp,%edx\n\trorl\t$7,%ebp\n\tmovdqa\t%xmm4,%xmm8\n\txorl\t%ebx,%esi\n\tpslldq\t$12,%xmm10\n\tpaddd\t%xmm4,%xmm4\n\tmovl\t%edx,%edi\n\taddl\t8(%rsp),%ecx\n\tpsrld\t$31,%xmm8\n\txorl\t%eax,%ebp\n\troll\t$5,%edx\n\taddl\t%esi,%ecx\n\tmovdqa\t%xmm10,%xmm9\n\tandl\t%ebp,%edi\n\txorl\t%eax,%ebp\n\tpsrld\t$30,%xmm10\n\taddl\t%edx,%ecx\n\trorl\t$7,%edx\n\tpor\t%xmm8,%xmm4\n\txorl\t%eax,%edi\n\tmovl\t%ecx,%esi\n\taddl\t12(%rsp),%ebx\n\tpslld\t$2,%xmm9\n\tpxor\t%xmm10,%xmm4\n\txorl\t%ebp,%edx\n\tmovdqa\t-64(%r14),%xmm10\n\troll\t$5,%ecx\n\taddl\t%edi,%ebx\n\tandl\t%edx,%esi\n\tpxor\t%xmm9,%xmm4\n\txorl\t%ebp,%edx\n\taddl\t%ecx,%ebx\n\trorl\t$7,%ecx\n\tpshufd\t$238,%xmm1,%xmm5\n\txorl\t%ebp,%esi\n\tmovdqa\t%xmm4,%xmm9\n\tpaddd\t%xmm4,%xmm10\n\tmovl\t%ebx,%edi\n\taddl\t16(%rsp),%eax\n\tpunpcklqdq\t%xmm2,%xmm5\n\txorl\t%edx,%ecx\n\troll\t$5,%ebx\n\taddl\t%esi,%eax\n\tpsrldq\t$4,%xmm9\n\tandl\t%ecx,%edi\n\txorl\t%edx,%ecx\n\tpxor\t%xmm1,%xmm5\n\taddl\t%ebx,%eax\n\trorl\t$7,%ebx\n\tpxor\t%xmm3,%xmm9\n\txorl\t%edx,%edi\n\tmovl\t%eax,%esi\n\taddl\t20(%rsp),%ebp\n\tpxor\t%xmm9,%xmm5\n\txorl\t%ecx,%ebx\n\troll\t$5,%eax\n\tmovdqa\t%xmm10,0(%rsp)\n\taddl\t%edi,%ebp\n\tandl\t%ebx,%esi\n\tmovdqa\t%xmm5,%xmm8\n\txorl\t%ecx,%ebx\n\taddl\t%eax,%ebp\n\trorl\t$7,%eax\n\tmovdqa\t%xmm5,%xmm9\n\txorl\t%ecx,%esi\n\tpslldq\t$12,%xmm8\n\tpaddd\t%xmm5,%xmm5\n\tmovl\t%ebp,%edi\n\taddl\t24(%rsp),%edx\n\tpsrld\t$31,%xmm9\n\txorl\t%ebx,%eax\n\troll\t$5,%ebp\n\taddl\t%esi,%edx\n\tmovdqa\t%xmm8,%xmm10\n\tandl\t%eax,%edi\n\txorl\t%ebx,%eax\n\tpsrld\t$30,%xmm8\n\taddl\t%ebp,%edx\n\trorl\t$7,%ebp\n\tpor\t%xmm9,%xmm5\n\txorl\t%ebx,%edi\n\tmovl\t%edx,%esi\n\taddl\t28(%rsp),%ecx\n\tpslld\t$2,%xmm10\n\tpxor\t%xmm8,%xmm5\n\txorl\t%eax,%ebp\n\tmovdqa\t-32(%r14),%xmm8\n\troll\t$5,%edx\n\taddl\t%edi,%ecx\n\tandl\t%ebp,%esi\n\tpxor\t%xmm10,%xmm5\n\txorl\t%eax,%ebp\n\taddl\t%edx,%ecx\n\trorl\t$7,%edx\n\tpshufd\t$238,%xmm2,%xmm6\n\txorl\t%eax,%esi\n\tmovdqa\t%xmm5,%xmm10\n\tpaddd\t%xmm5,%xmm8\n\tmovl\t%ecx,%edi\n\taddl\t32(%rsp),%ebx\n\tpunpcklqdq\t%xmm3,%xmm6\n\txorl\t%ebp,%edx\n\troll\t$5,%ecx\n\taddl\t%esi,%ebx\n\tpsrldq\t$4,%xmm10\n\tandl\t%edx,%edi\n\txorl\t%ebp,%edx\n\tpxor\t%xmm2,%xmm6\n\taddl\t%ecx,%ebx\n\trorl\t$7,%ecx\n\tpxor\t%xmm4,%xmm10\n\txorl\t%ebp,%edi\n\tmovl\t%ebx,%esi\n\taddl\t36(%rsp),%eax\n\tpxor\t%xmm10,%xmm6\n\txorl\t%edx,%ecx\n\troll\t$5,%ebx\n\tmovdqa\t%xmm8,16(%rsp)\n\taddl\t%edi,%eax\n\tandl\t%ecx,%esi\n\tmovdqa\t%xmm6,%xmm9\n\txorl\t%edx,%ecx\n\taddl\t%ebx,%eax\n\trorl\t$7,%ebx\n\tmovdqa\t%xmm6,%xmm10\n\txorl\t%edx,%esi\n\tpslldq\t$12,%xmm9\n\tpaddd\t%xmm6,%xmm6\n\tmovl\t%eax,%edi\n\taddl\t40(%rsp),%ebp\n\tpsrld\t$31,%xmm10\n\txorl\t%ecx,%ebx\n\troll\t$5,%eax\n\taddl\t%esi,%ebp\n\tmovdqa\t%xmm9,%xmm8\n\tandl\t%ebx,%edi\n\txorl\t%ecx,%ebx\n\tpsrld\t$30,%xmm9\n\taddl\t%eax,%ebp\n\trorl\t$7,%eax\n\tpor\t%xmm10,%xmm6\n\txorl\t%ecx,%edi\n\tmovl\t%ebp,%esi\n\taddl\t44(%rsp),%edx\n\tpslld\t$2,%xmm8\n\tpxor\t%xmm9,%xmm6\n\txorl\t%ebx,%eax\n\tmovdqa\t-32(%r14),%xmm9\n\troll\t$5,%ebp\n\taddl\t%edi,%edx\n\tandl\t%eax,%esi\n\tpxor\t%xmm8,%xmm6\n\txorl\t%ebx,%eax\n\taddl\t%ebp,%edx\n\trorl\t$7,%ebp\n\tpshufd\t$238,%xmm3,%xmm7\n\txorl\t%ebx,%esi\n\tmovdqa\t%xmm6,%xmm8\n\tpaddd\t%xmm6,%xmm9\n\tmovl\t%edx,%edi\n\taddl\t48(%rsp),%ecx\n\tpunpcklqdq\t%xmm4,%xmm7\n\txorl\t%eax,%ebp\n\troll\t$5,%edx\n\taddl\t%esi,%ecx\n\tpsrldq\t$4,%xmm8\n\tandl\t%ebp,%edi\n\txorl\t%eax,%ebp\n\tpxor\t%xmm3,%xmm7\n\taddl\t%edx,%ecx\n\trorl\t$7,%edx\n\tpxor\t%xmm5,%xmm8\n\txorl\t%eax,%edi\n\tmovl\t%ecx,%esi\n\taddl\t52(%rsp),%ebx\n\tpxor\t%xmm8,%xmm7\n\txorl\t%ebp,%edx\n\troll\t$5,%ecx\n\tmovdqa\t%xmm9,32(%rsp)\n\taddl\t%edi,%ebx\n\tandl\t%edx,%esi\n\tmovdqa\t%xmm7,%xmm10\n\txorl\t%ebp,%edx\n\taddl\t%ecx,%ebx\n\trorl\t$7,%ecx\n\tmovdqa\t%xmm7,%xmm8\n\txorl\t%ebp,%esi\n\tpslldq\t$12,%xmm10\n\tpaddd\t%xmm7,%xmm7\n\tmovl\t%ebx,%edi\n\taddl\t56(%rsp),%eax\n\tpsrld\t$31,%xmm8\n\txorl\t%edx,%ecx\n\troll\t$5,%ebx\n\taddl\t%esi,%eax\n\tmovdqa\t%xmm10,%xmm9\n\tandl\t%ecx,%edi\n\txorl\t%edx,%ecx\n\tpsrld\t$30,%xmm10\n\taddl\t%ebx,%eax\n\trorl\t$7,%ebx\n\tpor\t%xmm8,%xmm7\n\txorl\t%edx,%edi\n\tmovl\t%eax,%esi\n\taddl\t60(%rsp),%ebp\n\tpslld\t$2,%xmm9\n\tpxor\t%xmm10,%xmm7\n\txorl\t%ecx,%ebx\n\tmovdqa\t-32(%r14),%xmm10\n\troll\t$5,%eax\n\taddl\t%edi,%ebp\n\tandl\t%ebx,%esi\n\tpxor\t%xmm9,%xmm7\n\tpshufd\t$238,%xmm6,%xmm9\n\txorl\t%ecx,%ebx\n\taddl\t%eax,%ebp\n\trorl\t$7,%eax\n\tpxor\t%xmm4,%xmm0\n\txorl\t%ecx,%esi\n\tmovl\t%ebp,%edi\n\taddl\t0(%rsp),%edx\n\tpunpcklqdq\t%xmm7,%xmm9\n\txorl\t%ebx,%eax\n\troll\t$5,%ebp\n\tpxor\t%xmm1,%xmm0\n\taddl\t%esi,%edx\n\tandl\t%eax,%edi\n\tmovdqa\t%xmm10,%xmm8\n\txorl\t%ebx,%eax\n\tpaddd\t%xmm7,%xmm10\n\taddl\t%ebp,%edx\n\tpxor\t%xmm9,%xmm0\n\trorl\t$7,%ebp\n\txorl\t%ebx,%edi\n\tmovl\t%edx,%esi\n\taddl\t4(%rsp),%ecx\n\tmovdqa\t%xmm0,%xmm9\n\txorl\t%eax,%ebp\n\troll\t$5,%edx\n\tmovdqa\t%xmm10,48(%rsp)\n\taddl\t%edi,%ecx\n\tandl\t%ebp,%esi\n\txorl\t%eax,%ebp\n\tpslld\t$2,%xmm0\n\taddl\t%edx,%ecx\n\trorl\t$7,%edx\n\tpsrld\t$30,%xmm9\n\txorl\t%eax,%esi\n\tmovl\t%ecx,%edi\n\taddl\t8(%rsp),%ebx\n\tpor\t%xmm9,%xmm0\n\txorl\t%ebp,%edx\n\troll\t$5,%ecx\n\tpshufd\t$238,%xmm7,%xmm10\n\taddl\t%esi,%ebx\n\tandl\t%edx,%edi\n\txorl\t%ebp,%edx\n\taddl\t%ecx,%ebx\n\taddl\t12(%rsp),%eax\n\txorl\t%ebp,%edi\n\tmovl\t%ebx,%esi\n\troll\t$5,%ebx\n\taddl\t%edi,%eax\n\txorl\t%edx,%esi\n\trorl\t$7,%ecx\n\taddl\t%ebx,%eax\n\tpxor\t%xmm5,%xmm1\n\taddl\t16(%rsp),%ebp\n\txorl\t%ecx,%esi\n\tpunpcklqdq\t%xmm0,%xmm10\n\tmovl\t%eax,%edi\n\troll\t$5,%eax\n\tpxor\t%xmm2,%xmm1\n\taddl\t%esi,%ebp\n\txorl\t%ecx,%edi\n\tmovdqa\t%xmm8,%xmm9\n\trorl\t$7,%ebx\n\tpaddd\t%xmm0,%xmm8\n\taddl\t%eax,%ebp\n\tpxor\t%xmm10,%xmm1\n\taddl\t20(%rsp),%edx\n\txorl\t%ebx,%edi\n\tmovl\t%ebp,%esi\n\troll\t$5,%ebp\n\tmovdqa\t%xmm1,%xmm10\n\taddl\t%edi,%edx\n\txorl\t%ebx,%esi\n\tmovdqa\t%xmm8,0(%rsp)\n\trorl\t$7,%eax\n\taddl\t%ebp,%edx\n\taddl\t24(%rsp),%ecx\n\tpslld\t$2,%xmm1\n\txorl\t%eax,%esi\n\tmovl\t%edx,%edi\n\tpsrld\t$30,%xmm10\n\troll\t$5,%edx\n\taddl\t%esi,%ecx\n\txorl\t%eax,%edi\n\trorl\t$7,%ebp\n\tpor\t%xmm10,%xmm1\n\taddl\t%edx,%ecx\n\taddl\t28(%rsp),%ebx\n\tpshufd\t$238,%xmm0,%xmm8\n\txorl\t%ebp,%edi\n\tmovl\t%ecx,%esi\n\troll\t$5,%ecx\n\taddl\t%edi,%ebx\n\txorl\t%ebp,%esi\n\trorl\t$7,%edx\n\taddl\t%ecx,%ebx\n\tpxor\t%xmm6,%xmm2\n\taddl\t32(%rsp),%eax\n\txorl\t%edx,%esi\n\tpunpcklqdq\t%xmm1,%xmm8\n\tmovl\t%ebx,%edi\n\troll\t$5,%ebx\n\tpxor\t%xmm3,%xmm2\n\taddl\t%esi,%eax\n\txorl\t%edx,%edi\n\tmovdqa\t0(%r14),%xmm10\n\trorl\t$7,%ecx\n\tpaddd\t%xmm1,%xmm9\n\taddl\t%ebx,%eax\n\tpxor\t%xmm8,%xmm2\n\taddl\t36(%rsp),%ebp\n\txorl\t%ecx,%edi\n\tmovl\t%eax,%esi\n\troll\t$5,%eax\n\tmovdqa\t%xmm2,%xmm8\n\taddl\t%edi,%ebp\n\txorl\t%ecx,%esi\n\tmovdqa\t%xmm9,16(%rsp)\n\trorl\t$7,%ebx\n\taddl\t%eax,%ebp\n\taddl\t40(%rsp),%edx\n\tpslld\t$2,%xmm2\n\txorl\t%ebx,%esi\n\tmovl\t%ebp,%edi\n\tpsrld\t$30,%xmm8\n\troll\t$5,%ebp\n\taddl\t%esi,%edx\n\txorl\t%ebx,%edi\n\trorl\t$7,%eax\n\tpor\t%xmm8,%xmm2\n\taddl\t%ebp,%edx\n\taddl\t44(%rsp),%ecx\n\tpshufd\t$238,%xmm1,%xmm9\n\txorl\t%eax,%edi\n\tmovl\t%edx,%esi\n\troll\t$5,%edx\n\taddl\t%edi,%ecx\n\txorl\t%eax,%esi\n\trorl\t$7,%ebp\n\taddl\t%edx,%ecx\n\tpxor\t%xmm7,%xmm3\n\taddl\t48(%rsp),%ebx\n\txorl\t%ebp,%esi\n\tpunpcklqdq\t%xmm2,%xmm9\n\tmovl\t%ecx,%edi\n\troll\t$5,%ecx\n\tpxor\t%xmm4,%xmm3\n\taddl\t%esi,%ebx\n\txorl\t%ebp,%edi\n\tmovdqa\t%xmm10,%xmm8\n\trorl\t$7,%edx\n\tpaddd\t%xmm2,%xmm10\n\taddl\t%ecx,%ebx\n\tpxor\t%xmm9,%xmm3\n\taddl\t52(%rsp),%eax\n\txorl\t%edx,%edi\n\tmovl\t%ebx,%esi\n\troll\t$5,%ebx\n\tmovdqa\t%xmm3,%xmm9\n\taddl\t%edi,%eax\n\txorl\t%edx,%esi\n\tmovdqa\t%xmm10,32(%rsp)\n\trorl\t$7,%ecx\n\taddl\t%ebx,%eax\n\taddl\t56(%rsp),%ebp\n\tpslld\t$2,%xmm3\n\txorl\t%ecx,%esi\n\tmovl\t%eax,%edi\n\tpsrld\t$30,%xmm9\n\troll\t$5,%eax\n\taddl\t%esi,%ebp\n\txorl\t%ecx,%edi\n\trorl\t$7,%ebx\n\tpor\t%xmm9,%xmm3\n\taddl\t%eax,%ebp\n\taddl\t60(%rsp),%edx\n\tpshufd\t$238,%xmm2,%xmm10\n\txorl\t%ebx,%edi\n\tmovl\t%ebp,%esi\n\troll\t$5,%ebp\n\taddl\t%edi,%edx\n\txorl\t%ebx,%esi\n\trorl\t$7,%eax\n\taddl\t%ebp,%edx\n\tpxor\t%xmm0,%xmm4\n\taddl\t0(%rsp),%ecx\n\txorl\t%eax,%esi\n\tpunpcklqdq\t%xmm3,%xmm10\n\tmovl\t%edx,%edi\n\troll\t$5,%edx\n\tpxor\t%xmm5,%xmm4\n\taddl\t%esi,%ecx\n\txorl\t%eax,%edi\n\tmovdqa\t%xmm8,%xmm9\n\trorl\t$7,%ebp\n\tpaddd\t%xmm3,%xmm8\n\taddl\t%edx,%ecx\n\tpxor\t%xmm10,%xmm4\n\taddl\t4(%rsp),%ebx\n\txorl\t%ebp,%edi\n\tmovl\t%ecx,%esi\n\troll\t$5,%ecx\n\tmovdqa\t%xmm4,%xmm10\n\taddl\t%edi,%ebx\n\txorl\t%ebp,%esi\n\tmovdqa\t%xmm8,48(%rsp)\n\trorl\t$7,%edx\n\taddl\t%ecx,%ebx\n\taddl\t8(%rsp),%eax\n\tpslld\t$2,%xmm4\n\txorl\t%edx,%esi\n\tmovl\t%ebx,%edi\n\tpsrld\t$30,%xmm10\n\troll\t$5,%ebx\n\taddl\t%esi,%eax\n\txorl\t%edx,%edi\n\trorl\t$7,%ecx\n\tpor\t%xmm10,%xmm4\n\taddl\t%ebx,%eax\n\taddl\t12(%rsp),%ebp\n\tpshufd\t$238,%xmm3,%xmm8\n\txorl\t%ecx,%edi\n\tmovl\t%eax,%esi\n\troll\t$5,%eax\n\taddl\t%edi,%ebp\n\txorl\t%ecx,%esi\n\trorl\t$7,%ebx\n\taddl\t%eax,%ebp\n\tpxor\t%xmm1,%xmm5\n\taddl\t16(%rsp),%edx\n\txorl\t%ebx,%esi\n\tpunpcklqdq\t%xmm4,%xmm8\n\tmovl\t%ebp,%edi\n\troll\t$5,%ebp\n\tpxor\t%xmm6,%xmm5\n\taddl\t%esi,%edx\n\txorl\t%ebx,%edi\n\tmovdqa\t%xmm9,%xmm10\n\trorl\t$7,%eax\n\tpaddd\t%xmm4,%xmm9\n\taddl\t%ebp,%edx\n\tpxor\t%xmm8,%xmm5\n\taddl\t20(%rsp),%ecx\n\txorl\t%eax,%edi\n\tmovl\t%edx,%esi\n\troll\t$5,%edx\n\tmovdqa\t%xmm5,%xmm8\n\taddl\t%edi,%ecx\n\txorl\t%eax,%esi\n\tmovdqa\t%xmm9,0(%rsp)\n\trorl\t$7,%ebp\n\taddl\t%edx,%ecx\n\taddl\t24(%rsp),%ebx\n\tpslld\t$2,%xmm5\n\txorl\t%ebp,%esi\n\tmovl\t%ecx,%edi\n\tpsrld\t$30,%xmm8\n\troll\t$5,%ecx\n\taddl\t%esi,%ebx\n\txorl\t%ebp,%edi\n\trorl\t$7,%edx\n\tpor\t%xmm8,%xmm5\n\taddl\t%ecx,%ebx\n\taddl\t28(%rsp),%eax\n\tpshufd\t$238,%xmm4,%xmm9\n\trorl\t$7,%ecx\n\tmovl\t%ebx,%esi\n\txorl\t%edx,%edi\n\troll\t$5,%ebx\n\taddl\t%edi,%eax\n\txorl\t%ecx,%esi\n\txorl\t%edx,%ecx\n\taddl\t%ebx,%eax\n\tpxor\t%xmm2,%xmm6\n\taddl\t32(%rsp),%ebp\n\tandl\t%ecx,%esi\n\txorl\t%edx,%ecx\n\trorl\t$7,%ebx\n\tpunpcklqdq\t%xmm5,%xmm9\n\tmovl\t%eax,%edi\n\txorl\t%ecx,%esi\n\tpxor\t%xmm7,%xmm6\n\troll\t$5,%eax\n\taddl\t%esi,%ebp\n\tmovdqa\t%xmm10,%xmm8\n\txorl\t%ebx,%edi\n\tpaddd\t%xmm5,%xmm10\n\txorl\t%ecx,%ebx\n\tpxor\t%xmm9,%xmm6\n\taddl\t%eax,%ebp\n\taddl\t36(%rsp),%edx\n\tandl\t%ebx,%edi\n\txorl\t%ecx,%ebx\n\trorl\t$7,%eax\n\tmovdqa\t%xmm6,%xmm9\n\tmovl\t%ebp,%esi\n\txorl\t%ebx,%edi\n\tmovdqa\t%xmm10,16(%rsp)\n\troll\t$5,%ebp\n\taddl\t%edi,%edx\n\txorl\t%eax,%esi\n\tpslld\t$2,%xmm6\n\txorl\t%ebx,%eax\n\taddl\t%ebp,%edx\n\tpsrld\t$30,%xmm9\n\taddl\t40(%rsp),%ecx\n\tandl\t%eax,%esi\n\txorl\t%ebx,%eax\n\tpor\t%xmm9,%xmm6\n\trorl\t$7,%ebp\n\tmovl\t%edx,%edi\n\txorl\t%eax,%esi\n\troll\t$5,%edx\n\tpshufd\t$238,%xmm5,%xmm10\n\taddl\t%esi,%ecx\n\txorl\t%ebp,%edi\n\txorl\t%eax,%ebp\n\taddl\t%edx,%ecx\n\taddl\t44(%rsp),%ebx\n\tandl\t%ebp,%edi\n\txorl\t%eax,%ebp\n\trorl\t$7,%edx\n\tmovl\t%ecx,%esi\n\txorl\t%ebp,%edi\n\troll\t$5,%ecx\n\taddl\t%edi,%ebx\n\txorl\t%edx,%esi\n\txorl\t%ebp,%edx\n\taddl\t%ecx,%ebx\n\tpxor\t%xmm3,%xmm7\n\taddl\t48(%rsp),%eax\n\tandl\t%edx,%esi\n\txorl\t%ebp,%edx\n\trorl\t$7,%ecx\n\tpunpcklqdq\t%xmm6,%xmm10\n\tmovl\t%ebx,%edi\n\txorl\t%edx,%esi\n\tpxor\t%xmm0,%xmm7\n\troll\t$5,%ebx\n\taddl\t%esi,%eax\n\tmovdqa\t32(%r14),%xmm9\n\txorl\t%ecx,%edi\n\tpaddd\t%xmm6,%xmm8\n\txorl\t%edx,%ecx\n\tpxor\t%xmm10,%xmm7\n\taddl\t%ebx,%eax\n\taddl\t52(%rsp),%ebp\n\tandl\t%ecx,%edi\n\txorl\t%edx,%ecx\n\trorl\t$7,%ebx\n\tmovdqa\t%xmm7,%xmm10\n\tmovl\t%eax,%esi\n\txorl\t%ecx,%edi\n\tmovdqa\t%xmm8,32(%rsp)\n\troll\t$5,%eax\n\taddl\t%edi,%ebp\n\txorl\t%ebx,%esi\n\tpslld\t$2,%xmm7\n\txorl\t%ecx,%ebx\n\taddl\t%eax,%ebp\n\tpsrld\t$30,%xmm10\n\taddl\t56(%rsp),%edx\n\tandl\t%ebx,%esi\n\txorl\t%ecx,%ebx\n\tpor\t%xmm10,%xmm7\n\trorl\t$7,%eax\n\tmovl\t%ebp,%edi\n\txorl\t%ebx,%esi\n\troll\t$5,%ebp\n\tpshufd\t$238,%xmm6,%xmm8\n\taddl\t%esi,%edx\n\txorl\t%eax,%edi\n\txorl\t%ebx,%eax\n\taddl\t%ebp,%edx\n\taddl\t60(%rsp),%ecx\n\tandl\t%eax,%edi\n\txorl\t%ebx,%eax\n\trorl\t$7,%ebp\n\tmovl\t%edx,%esi\n\txorl\t%eax,%edi\n\troll\t$5,%edx\n\taddl\t%edi,%ecx\n\txorl\t%ebp,%esi\n\txorl\t%eax,%ebp\n\taddl\t%edx,%ecx\n\tpxor\t%xmm4,%xmm0\n\taddl\t0(%rsp),%ebx\n\tandl\t%ebp,%esi\n\txorl\t%eax,%ebp\n\trorl\t$7,%edx\n\tpunpcklqdq\t%xmm7,%xmm8\n\tmovl\t%ecx,%edi\n\txorl\t%ebp,%esi\n\tpxor\t%xmm1,%xmm0\n\troll\t$5,%ecx\n\taddl\t%esi,%ebx\n\tmovdqa\t%xmm9,%xmm10\n\txorl\t%edx,%edi\n\tpaddd\t%xmm7,%xmm9\n\txorl\t%ebp,%edx\n\tpxor\t%xmm8,%xmm0\n\taddl\t%ecx,%ebx\n\taddl\t4(%rsp),%eax\n\tandl\t%edx,%edi\n\txorl\t%ebp,%edx\n\trorl\t$7,%ecx\n\tmovdqa\t%xmm0,%xmm8\n\tmovl\t%ebx,%esi\n\txorl\t%edx,%edi\n\tmovdqa\t%xmm9,48(%rsp)\n\troll\t$5,%ebx\n\taddl\t%edi,%eax\n\txorl\t%ecx,%esi\n\tpslld\t$2,%xmm0\n\txorl\t%edx,%ecx\n\taddl\t%ebx,%eax\n\tpsrld\t$30,%xmm8\n\taddl\t8(%rsp),%ebp\n\tandl\t%ecx,%esi\n\txorl\t%edx,%ecx\n\tpor\t%xmm8,%xmm0\n\trorl\t$7,%ebx\n\tmovl\t%eax,%edi\n\txorl\t%ecx,%esi\n\troll\t$5,%eax\n\tpshufd\t$238,%xmm7,%xmm9\n\taddl\t%esi,%ebp\n\txorl\t%ebx,%edi\n\txorl\t%ecx,%ebx\n\taddl\t%eax,%ebp\n\taddl\t12(%rsp),%edx\n\tandl\t%ebx,%edi\n\txorl\t%ecx,%ebx\n\trorl\t$7,%eax\n\tmovl\t%ebp,%esi\n\txorl\t%ebx,%edi\n\troll\t$5,%ebp\n\taddl\t%edi,%edx\n\txorl\t%eax,%esi\n\txorl\t%ebx,%eax\n\taddl\t%ebp,%edx\n\tpxor\t%xmm5,%xmm1\n\taddl\t16(%rsp),%ecx\n\tandl\t%eax,%esi\n\txorl\t%ebx,%eax\n\trorl\t$7,%ebp\n\tpunpcklqdq\t%xmm0,%xmm9\n\tmovl\t%edx,%edi\n\txorl\t%eax,%esi\n\tpxor\t%xmm2,%xmm1\n\troll\t$5,%edx\n\taddl\t%esi,%ecx\n\tmovdqa\t%xmm10,%xmm8\n\txorl\t%ebp,%edi\n\tpaddd\t%xmm0,%xmm10\n\txorl\t%eax,%ebp\n\tpxor\t%xmm9,%xmm1\n\taddl\t%edx,%ecx\n\taddl\t20(%rsp),%ebx\n\tandl\t%ebp,%edi\n\txorl\t%eax,%ebp\n\trorl\t$7,%edx\n\tmovdqa\t%xmm1,%xmm9\n\tmovl\t%ecx,%esi\n\txorl\t%ebp,%edi\n\tmovdqa\t%xmm10,0(%rsp)\n\troll\t$5,%ecx\n\taddl\t%edi,%ebx\n\txorl\t%edx,%esi\n\tpslld\t$2,%xmm1\n\txorl\t%ebp,%edx\n\taddl\t%ecx,%ebx\n\tpsrld\t$30,%xmm9\n\taddl\t24(%rsp),%eax\n\tandl\t%edx,%esi\n\txorl\t%ebp,%edx\n\tpor\t%xmm9,%xmm1\n\trorl\t$7,%ecx\n\tmovl\t%ebx,%edi\n\txorl\t%edx,%esi\n\troll\t$5,%ebx\n\tpshufd\t$238,%xmm0,%xmm10\n\taddl\t%esi,%eax\n\txorl\t%ecx,%edi\n\txorl\t%edx,%ecx\n\taddl\t%ebx,%eax\n\taddl\t28(%rsp),%ebp\n\tandl\t%ecx,%edi\n\txorl\t%edx,%ecx\n\trorl\t$7,%ebx\n\tmovl\t%eax,%esi\n\txorl\t%ecx,%edi\n\troll\t$5,%eax\n\taddl\t%edi,%ebp\n\txorl\t%ebx,%esi\n\txorl\t%ecx,%ebx\n\taddl\t%eax,%ebp\n\tpxor\t%xmm6,%xmm2\n\taddl\t32(%rsp),%edx\n\tandl\t%ebx,%esi\n\txorl\t%ecx,%ebx\n\trorl\t$7,%eax\n\tpunpcklqdq\t%xmm1,%xmm10\n\tmovl\t%ebp,%edi\n\txorl\t%ebx,%esi\n\tpxor\t%xmm3,%xmm2\n\troll\t$5,%ebp\n\taddl\t%esi,%edx\n\tmovdqa\t%xmm8,%xmm9\n\txorl\t%eax,%edi\n\tpaddd\t%xmm1,%xmm8\n\txorl\t%ebx,%eax\n\tpxor\t%xmm10,%xmm2\n\taddl\t%ebp,%edx\n\taddl\t36(%rsp),%ecx\n\tandl\t%eax,%edi\n\txorl\t%ebx,%eax\n\trorl\t$7,%ebp\n\tmovdqa\t%xmm2,%xmm10\n\tmovl\t%edx,%esi\n\txorl\t%eax,%edi\n\tmovdqa\t%xmm8,16(%rsp)\n\troll\t$5,%edx\n\taddl\t%edi,%ecx\n\txorl\t%ebp,%esi\n\tpslld\t$2,%xmm2\n\txorl\t%eax,%ebp\n\taddl\t%edx,%ecx\n\tpsrld\t$30,%xmm10\n\taddl\t40(%rsp),%ebx\n\tandl\t%ebp,%esi\n\txorl\t%eax,%ebp\n\tpor\t%xmm10,%xmm2\n\trorl\t$7,%edx\n\tmovl\t%ecx,%edi\n\txorl\t%ebp,%esi\n\troll\t$5,%ecx\n\tpshufd\t$238,%xmm1,%xmm8\n\taddl\t%esi,%ebx\n\txorl\t%edx,%edi\n\txorl\t%ebp,%edx\n\taddl\t%ecx,%ebx\n\taddl\t44(%rsp),%eax\n\tandl\t%edx,%edi\n\txorl\t%ebp,%edx\n\trorl\t$7,%ecx\n\tmovl\t%ebx,%esi\n\txorl\t%edx,%edi\n\troll\t$5,%ebx\n\taddl\t%edi,%eax\n\txorl\t%edx,%esi\n\taddl\t%ebx,%eax\n\tpxor\t%xmm7,%xmm3\n\taddl\t48(%rsp),%ebp\n\txorl\t%ecx,%esi\n\tpunpcklqdq\t%xmm2,%xmm8\n\tmovl\t%eax,%edi\n\troll\t$5,%eax\n\tpxor\t%xmm4,%xmm3\n\taddl\t%esi,%ebp\n\txorl\t%ecx,%edi\n\tmovdqa\t%xmm9,%xmm10\n\trorl\t$7,%ebx\n\tpaddd\t%xmm2,%xmm9\n\taddl\t%eax,%ebp\n\tpxor\t%xmm8,%xmm3\n\taddl\t52(%rsp),%edx\n\txorl\t%ebx,%edi\n\tmovl\t%ebp,%esi\n\troll\t$5,%ebp\n\tmovdqa\t%xmm3,%xmm8\n\taddl\t%edi,%edx\n\txorl\t%ebx,%esi\n\tmovdqa\t%xmm9,32(%rsp)\n\trorl\t$7,%eax\n\taddl\t%ebp,%edx\n\taddl\t56(%rsp),%ecx\n\tpslld\t$2,%xmm3\n\txorl\t%eax,%esi\n\tmovl\t%edx,%edi\n\tpsrld\t$30,%xmm8\n\troll\t$5,%edx\n\taddl\t%esi,%ecx\n\txorl\t%eax,%edi\n\trorl\t$7,%ebp\n\tpor\t%xmm8,%xmm3\n\taddl\t%edx,%ecx\n\taddl\t60(%rsp),%ebx\n\txorl\t%ebp,%edi\n\tmovl\t%ecx,%esi\n\troll\t$5,%ecx\n\taddl\t%edi,%ebx\n\txorl\t%ebp,%esi\n\trorl\t$7,%edx\n\taddl\t%ecx,%ebx\n\taddl\t0(%rsp),%eax\n\txorl\t%edx,%esi\n\tmovl\t%ebx,%edi\n\troll\t$5,%ebx\n\tpaddd\t%xmm3,%xmm10\n\taddl\t%esi,%eax\n\txorl\t%edx,%edi\n\tmovdqa\t%xmm10,48(%rsp)\n\trorl\t$7,%ecx\n\taddl\t%ebx,%eax\n\taddl\t4(%rsp),%ebp\n\txorl\t%ecx,%edi\n\tmovl\t%eax,%esi\n\troll\t$5,%eax\n\taddl\t%edi,%ebp\n\txorl\t%ecx,%esi\n\trorl\t$7,%ebx\n\taddl\t%eax,%ebp\n\taddl\t8(%rsp),%edx\n\txorl\t%ebx,%esi\n\tmovl\t%ebp,%edi\n\troll\t$5,%ebp\n\taddl\t%esi,%edx\n\txorl\t%ebx,%edi\n\trorl\t$7,%eax\n\taddl\t%ebp,%edx\n\taddl\t12(%rsp),%ecx\n\txorl\t%eax,%edi\n\tmovl\t%edx,%esi\n\troll\t$5,%edx\n\taddl\t%edi,%ecx\n\txorl\t%eax,%esi\n\trorl\t$7,%ebp\n\taddl\t%edx,%ecx\n\tcmpq\t%r10,%r9\n\tje\t.Ldone_ssse3\n\tmovdqa\t64(%r14),%xmm6\n\tmovdqa\t-64(%r14),%xmm9\n\tmovdqu\t0(%r9),%xmm0\n\tmovdqu\t16(%r9),%xmm1\n\tmovdqu\t32(%r9),%xmm2\n\tmovdqu\t48(%r9),%xmm3\n.byte\t102,15,56,0,198\n\taddq\t$64,%r9\n\taddl\t16(%rsp),%ebx\n\txorl\t%ebp,%esi\n\tmovl\t%ecx,%edi\n.byte\t102,15,56,0,206\n\troll\t$5,%ecx\n\taddl\t%esi,%ebx\n\txorl\t%ebp,%edi\n\trorl\t$7,%edx\n\tpaddd\t%xmm9,%xmm0\n\taddl\t%ecx,%ebx\n\taddl\t20(%rsp),%eax\n\txorl\t%edx,%edi\n\tmovl\t%ebx,%esi\n\tmovdqa\t%xmm0,0(%rsp)\n\troll\t$5,%ebx\n\taddl\t%edi,%eax\n\txorl\t%edx,%esi\n\trorl\t$7,%ecx\n\tpsubd\t%xmm9,%xmm0\n\taddl\t%ebx,%eax\n\taddl\t24(%rsp),%ebp\n\txorl\t%ecx,%esi\n\tmovl\t%eax,%edi\n\troll\t$5,%eax\n\taddl\t%esi,%ebp\n\txorl\t%ecx,%edi\n\trorl\t$7,%ebx\n\taddl\t%eax,%ebp\n\taddl\t28(%rsp),%edx\n\txorl\t%ebx,%edi\n\tmovl\t%ebp,%esi\n\troll\t$5,%ebp\n\taddl\t%edi,%edx\n\txorl\t%ebx,%esi\n\trorl\t$7,%eax\n\taddl\t%ebp,%edx\n\taddl\t32(%rsp),%ecx\n\txorl\t%eax,%esi\n\tmovl\t%edx,%edi\n.byte\t102,15,56,0,214\n\troll\t$5,%edx\n\taddl\t%esi,%ecx\n\txorl\t%eax,%edi\n\trorl\t$7,%ebp\n\tpaddd\t%xmm9,%xmm1\n\taddl\t%edx,%ecx\n\taddl\t36(%rsp),%ebx\n\txorl\t%ebp,%edi\n\tmovl\t%ecx,%esi\n\tmovdqa\t%xmm1,16(%rsp)\n\troll\t$5,%ecx\n\taddl\t%edi,%ebx\n\txorl\t%ebp,%esi\n\trorl\t$7,%edx\n\tpsubd\t%xmm9,%xmm1\n\taddl\t%ecx,%ebx\n\taddl\t40(%rsp),%eax\n\txorl\t%edx,%esi\n\tmovl\t%ebx,%edi\n\troll\t$5,%ebx\n\taddl\t%esi,%eax\n\txorl\t%edx,%edi\n\trorl\t$7,%ecx\n\taddl\t%ebx,%eax\n\taddl\t44(%rsp),%ebp\n\txorl\t%ecx,%edi\n\tmovl\t%eax,%esi\n\troll\t$5,%eax\n\taddl\t%edi,%ebp\n\txorl\t%ecx,%esi\n\trorl\t$7,%ebx\n\taddl\t%eax,%ebp\n\taddl\t48(%rsp),%edx\n\txorl\t%ebx,%esi\n\tmovl\t%ebp,%edi\n.byte\t102,15,56,0,222\n\troll\t$5,%ebp\n\taddl\t%esi,%edx\n\txorl\t%ebx,%edi\n\trorl\t$7,%eax\n\tpaddd\t%xmm9,%xmm2\n\taddl\t%ebp,%edx\n\taddl\t52(%rsp),%ecx\n\txorl\t%eax,%edi\n\tmovl\t%edx,%esi\n\tmovdqa\t%xmm2,32(%rsp)\n\troll\t$5,%edx\n\taddl\t%edi,%ecx\n\txorl\t%eax,%esi\n\trorl\t$7,%ebp\n\tpsubd\t%xmm9,%xmm2\n\taddl\t%edx,%ecx\n\taddl\t56(%rsp),%ebx\n\txorl\t%ebp,%esi\n\tmovl\t%ecx,%edi\n\troll\t$5,%ecx\n\taddl\t%esi,%ebx\n\txorl\t%ebp,%edi\n\trorl\t$7,%edx\n\taddl\t%ecx,%ebx\n\taddl\t60(%rsp),%eax\n\txorl\t%edx,%edi\n\tmovl\t%ebx,%esi\n\troll\t$5,%ebx\n\taddl\t%edi,%eax\n\trorl\t$7,%ecx\n\taddl\t%ebx,%eax\n\taddl\t0(%r8),%eax\n\taddl\t4(%r8),%esi\n\taddl\t8(%r8),%ecx\n\taddl\t12(%r8),%edx\n\tmovl\t%eax,0(%r8)\n\taddl\t16(%r8),%ebp\n\tmovl\t%esi,4(%r8)\n\tmovl\t%esi,%ebx\n\tmovl\t%ecx,8(%r8)\n\tmovl\t%ecx,%edi\n\tmovl\t%edx,12(%r8)\n\txorl\t%edx,%edi\n\tmovl\t%ebp,16(%r8)\n\tandl\t%edi,%esi\n\tjmp\t.Loop_ssse3\n\n.align\t16\n.Ldone_ssse3:\n\taddl\t16(%rsp),%ebx\n\txorl\t%ebp,%esi\n\tmovl\t%ecx,%edi\n\troll\t$5,%ecx\n\taddl\t%esi,%ebx\n\txorl\t%ebp,%edi\n\trorl\t$7,%edx\n\taddl\t%ecx,%ebx\n\taddl\t20(%rsp),%eax\n\txorl\t%edx,%edi\n\tmovl\t%ebx,%esi\n\troll\t$5,%ebx\n\taddl\t%edi,%eax\n\txorl\t%edx,%esi\n\trorl\t$7,%ecx\n\taddl\t%ebx,%eax\n\taddl\t24(%rsp),%ebp\n\txorl\t%ecx,%esi\n\tmovl\t%eax,%edi\n\troll\t$5,%eax\n\taddl\t%esi,%ebp\n\txorl\t%ecx,%edi\n\trorl\t$7,%ebx\n\taddl\t%eax,%ebp\n\taddl\t28(%rsp),%edx\n\txorl\t%ebx,%edi\n\tmovl\t%ebp,%esi\n\troll\t$5,%ebp\n\taddl\t%edi,%edx\n\txorl\t%ebx,%esi\n\trorl\t$7,%eax\n\taddl\t%ebp,%edx\n\taddl\t32(%rsp),%ecx\n\txorl\t%eax,%esi\n\tmovl\t%edx,%edi\n\troll\t$5,%edx\n\taddl\t%esi,%ecx\n\txorl\t%eax,%edi\n\trorl\t$7,%ebp\n\taddl\t%edx,%ecx\n\taddl\t36(%rsp),%ebx\n\txorl\t%ebp,%edi\n\tmovl\t%ecx,%esi\n\troll\t$5,%ecx\n\taddl\t%edi,%ebx\n\txorl\t%ebp,%esi\n\trorl\t$7,%edx\n\taddl\t%ecx,%ebx\n\taddl\t40(%rsp),%eax\n\txorl\t%edx,%esi\n\tmovl\t%ebx,%edi\n\troll\t$5,%ebx\n\taddl\t%esi,%eax\n\txorl\t%edx,%edi\n\trorl\t$7,%ecx\n\taddl\t%ebx,%eax\n\taddl\t44(%rsp),%ebp\n\txorl\t%ecx,%edi\n\tmovl\t%eax,%esi\n\troll\t$5,%eax\n\taddl\t%edi,%ebp\n\txorl\t%ecx,%esi\n\trorl\t$7,%ebx\n\taddl\t%eax,%ebp\n\taddl\t48(%rsp),%edx\n\txorl\t%ebx,%esi\n\tmovl\t%ebp,%edi\n\troll\t$5,%ebp\n\taddl\t%esi,%edx\n\txorl\t%ebx,%edi\n\trorl\t$7,%eax\n\taddl\t%ebp,%edx\n\taddl\t52(%rsp),%ecx\n\txorl\t%eax,%edi\n\tmovl\t%edx,%esi\n\troll\t$5,%edx\n\taddl\t%edi,%ecx\n\txorl\t%eax,%esi\n\trorl\t$7,%ebp\n\taddl\t%edx,%ecx\n\taddl\t56(%rsp),%ebx\n\txorl\t%ebp,%esi\n\tmovl\t%ecx,%edi\n\troll\t$5,%ecx\n\taddl\t%esi,%ebx\n\txorl\t%ebp,%edi\n\trorl\t$7,%edx\n\taddl\t%ecx,%ebx\n\taddl\t60(%rsp),%eax\n\txorl\t%edx,%edi\n\tmovl\t%ebx,%esi\n\troll\t$5,%ebx\n\taddl\t%edi,%eax\n\trorl\t$7,%ecx\n\taddl\t%ebx,%eax\n\taddl\t0(%r8),%eax\n\taddl\t4(%r8),%esi\n\taddl\t8(%r8),%ecx\n\tmovl\t%eax,0(%r8)\n\taddl\t12(%r8),%edx\n\tmovl\t%esi,4(%r8)\n\taddl\t16(%r8),%ebp\n\tmovl\t%ecx,8(%r8)\n\tmovl\t%edx,12(%r8)\n\tmovl\t%ebp,16(%r8)\n\tmovq\t-40(%r11),%r14\n.cfi_restore\t%r14\n\tmovq\t-32(%r11),%r13\n.cfi_restore\t%r13\n\tmovq\t-24(%r11),%r12\n.cfi_restore\t%r12\n\tmovq\t-16(%r11),%rbp\n.cfi_restore\t%rbp\n\tmovq\t-8(%r11),%rbx\n.cfi_restore\t%rbx\n\tleaq\t(%r11),%rsp\n.cfi_def_cfa_register\t%rsp\n.Lepilogue_ssse3:\n\tret\n.cfi_endproc\t\n.size\tsha1_block_data_order_ssse3,.-sha1_block_data_order_ssse3\n.globl\tsha1_block_data_order_avx\n.hidden sha1_block_data_order_avx\n.type\tsha1_block_data_order_avx,@function\n.align\t16\nsha1_block_data_order_avx:\n.cfi_startproc\t\n_CET_ENDBR\n\tmovq\t%rsp,%r11\n.cfi_def_cfa_register\t%r11\n\tpushq\t%rbx\n.cfi_offset\t%rbx,-16\n\tpushq\t%rbp\n.cfi_offset\t%rbp,-24\n\tpushq\t%r12\n.cfi_offset\t%r12,-32\n\tpushq\t%r13\n.cfi_offset\t%r13,-40\n\tpushq\t%r14\n.cfi_offset\t%r14,-48\n\tleaq\t-64(%rsp),%rsp\n\tvzeroupper\n\tandq\t$-64,%rsp\n\tmovq\t%rdi,%r8\n\tmovq\t%rsi,%r9\n\tmovq\t%rdx,%r10\n\n\tshlq\t$6,%r10\n\taddq\t%r9,%r10\n\tleaq\tK_XX_XX+64(%rip),%r14\n\n\tmovl\t0(%r8),%eax\n\tmovl\t4(%r8),%ebx\n\tmovl\t8(%r8),%ecx\n\tmovl\t12(%r8),%edx\n\tmovl\t%ebx,%esi\n\tmovl\t16(%r8),%ebp\n\tmovl\t%ecx,%edi\n\txorl\t%edx,%edi\n\tandl\t%edi,%esi\n\n\tvmovdqa\t64(%r14),%xmm6\n\tvmovdqa\t-64(%r14),%xmm11\n\tvmovdqu\t0(%r9),%xmm0\n\tvmovdqu\t16(%r9),%xmm1\n\tvmovdqu\t32(%r9),%xmm2\n\tvmovdqu\t48(%r9),%xmm3\n\tvpshufb\t%xmm6,%xmm0,%xmm0\n\taddq\t$64,%r9\n\tvpshufb\t%xmm6,%xmm1,%xmm1\n\tvpshufb\t%xmm6,%xmm2,%xmm2\n\tvpshufb\t%xmm6,%xmm3,%xmm3\n\tvpaddd\t%xmm11,%xmm0,%xmm4\n\tvpaddd\t%xmm11,%xmm1,%xmm5\n\tvpaddd\t%xmm11,%xmm2,%xmm6\n\tvmovdqa\t%xmm4,0(%rsp)\n\tvmovdqa\t%xmm5,16(%rsp)\n\tvmovdqa\t%xmm6,32(%rsp)\n\tjmp\t.Loop_avx\n.align\t16\n.Loop_avx:\n\tshrdl\t$2,%ebx,%ebx\n\txorl\t%edx,%esi\n\tvpalignr\t$8,%xmm0,%xmm1,%xmm4\n\tmovl\t%eax,%edi\n\taddl\t0(%rsp),%ebp\n\tvpaddd\t%xmm3,%xmm11,%xmm9\n\txorl\t%ecx,%ebx\n\tshldl\t$5,%eax,%eax\n\tvpsrldq\t$4,%xmm3,%xmm8\n\taddl\t%esi,%ebp\n\tandl\t%ebx,%edi\n\tvpxor\t%xmm0,%xmm4,%xmm4\n\txorl\t%ecx,%ebx\n\taddl\t%eax,%ebp\n\tvpxor\t%xmm2,%xmm8,%xmm8\n\tshrdl\t$7,%eax,%eax\n\txorl\t%ecx,%edi\n\tmovl\t%ebp,%esi\n\taddl\t4(%rsp),%edx\n\tvpxor\t%xmm8,%xmm4,%xmm4\n\txorl\t%ebx,%eax\n\tshldl\t$5,%ebp,%ebp\n\tvmovdqa\t%xmm9,48(%rsp)\n\taddl\t%edi,%edx\n\tandl\t%eax,%esi\n\tvpsrld\t$31,%xmm4,%xmm8\n\txorl\t%ebx,%eax\n\taddl\t%ebp,%edx\n\tshrdl\t$7,%ebp,%ebp\n\txorl\t%ebx,%esi\n\tvpslldq\t$12,%xmm4,%xmm10\n\tvpaddd\t%xmm4,%xmm4,%xmm4\n\tmovl\t%edx,%edi\n\taddl\t8(%rsp),%ecx\n\txorl\t%eax,%ebp\n\tshldl\t$5,%edx,%edx\n\tvpsrld\t$30,%xmm10,%xmm9\n\tvpor\t%xmm8,%xmm4,%xmm4\n\taddl\t%esi,%ecx\n\tandl\t%ebp,%edi\n\txorl\t%eax,%ebp\n\taddl\t%edx,%ecx\n\tvpslld\t$2,%xmm10,%xmm10\n\tvpxor\t%xmm9,%xmm4,%xmm4\n\tshrdl\t$7,%edx,%edx\n\txorl\t%eax,%edi\n\tmovl\t%ecx,%esi\n\taddl\t12(%rsp),%ebx\n\tvpxor\t%xmm10,%xmm4,%xmm4\n\txorl\t%ebp,%edx\n\tshldl\t$5,%ecx,%ecx\n\taddl\t%edi,%ebx\n\tandl\t%edx,%esi\n\txorl\t%ebp,%edx\n\taddl\t%ecx,%ebx\n\tshrdl\t$7,%ecx,%ecx\n\txorl\t%ebp,%esi\n\tvpalignr\t$8,%xmm1,%xmm2,%xmm5\n\tmovl\t%ebx,%edi\n\taddl\t16(%rsp),%eax\n\tvpaddd\t%xmm4,%xmm11,%xmm9\n\txorl\t%edx,%ecx\n\tshldl\t$5,%ebx,%ebx\n\tvpsrldq\t$4,%xmm4,%xmm8\n\taddl\t%esi,%eax\n\tandl\t%ecx,%edi\n\tvpxor\t%xmm1,%xmm5,%xmm5\n\txorl\t%edx,%ecx\n\taddl\t%ebx,%eax\n\tvpxor\t%xmm3,%xmm8,%xmm8\n\tshrdl\t$7,%ebx,%ebx\n\txorl\t%edx,%edi\n\tmovl\t%eax,%esi\n\taddl\t20(%rsp),%ebp\n\tvpxor\t%xmm8,%xmm5,%xmm5\n\txorl\t%ecx,%ebx\n\tshldl\t$5,%eax,%eax\n\tvmovdqa\t%xmm9,0(%rsp)\n\taddl\t%edi,%ebp\n\tandl\t%ebx,%esi\n\tvpsrld\t$31,%xmm5,%xmm8\n\txorl\t%ecx,%ebx\n\taddl\t%eax,%ebp\n\tshrdl\t$7,%eax,%eax\n\txorl\t%ecx,%esi\n\tvpslldq\t$12,%xmm5,%xmm10\n\tvpaddd\t%xmm5,%xmm5,%xmm5\n\tmovl\t%ebp,%edi\n\taddl\t24(%rsp),%edx\n\txorl\t%ebx,%eax\n\tshldl\t$5,%ebp,%ebp\n\tvpsrld\t$30,%xmm10,%xmm9\n\tvpor\t%xmm8,%xmm5,%xmm5\n\taddl\t%esi,%edx\n\tandl\t%eax,%edi\n\txorl\t%ebx,%eax\n\taddl\t%ebp,%edx\n\tvpslld\t$2,%xmm10,%xmm10\n\tvpxor\t%xmm9,%xmm5,%xmm5\n\tshrdl\t$7,%ebp,%ebp\n\txorl\t%ebx,%edi\n\tmovl\t%edx,%esi\n\taddl\t28(%rsp),%ecx\n\tvpxor\t%xmm10,%xmm5,%xmm5\n\txorl\t%eax,%ebp\n\tshldl\t$5,%edx,%edx\n\tvmovdqa\t-32(%r14),%xmm11\n\taddl\t%edi,%ecx\n\tandl\t%ebp,%esi\n\txorl\t%eax,%ebp\n\taddl\t%edx,%ecx\n\tshrdl\t$7,%edx,%edx\n\txorl\t%eax,%esi\n\tvpalignr\t$8,%xmm2,%xmm3,%xmm6\n\tmovl\t%ecx,%edi\n\taddl\t32(%rsp),%ebx\n\tvpaddd\t%xmm5,%xmm11,%xmm9\n\txorl\t%ebp,%edx\n\tshldl\t$5,%ecx,%ecx\n\tvpsrldq\t$4,%xmm5,%xmm8\n\taddl\t%esi,%ebx\n\tandl\t%edx,%edi\n\tvpxor\t%xmm2,%xmm6,%xmm6\n\txorl\t%ebp,%edx\n\taddl\t%ecx,%ebx\n\tvpxor\t%xmm4,%xmm8,%xmm8\n\tshrdl\t$7,%ecx,%ecx\n\txorl\t%ebp,%edi\n\tmovl\t%ebx,%esi\n\taddl\t36(%rsp),%eax\n\tvpxor\t%xmm8,%xmm6,%xmm6\n\txorl\t%edx,%ecx\n\tshldl\t$5,%ebx,%ebx\n\tvmovdqa\t%xmm9,16(%rsp)\n\taddl\t%edi,%eax\n\tandl\t%ecx,%esi\n\tvpsrld\t$31,%xmm6,%xmm8\n\txorl\t%edx,%ecx\n\taddl\t%ebx,%eax\n\tshrdl\t$7,%ebx,%ebx\n\txorl\t%edx,%esi\n\tvpslldq\t$12,%xmm6,%xmm10\n\tvpaddd\t%xmm6,%xmm6,%xmm6\n\tmovl\t%eax,%edi\n\taddl\t40(%rsp),%ebp\n\txorl\t%ecx,%ebx\n\tshldl\t$5,%eax,%eax\n\tvpsrld\t$30,%xmm10,%xmm9\n\tvpor\t%xmm8,%xmm6,%xmm6\n\taddl\t%esi,%ebp\n\tandl\t%ebx,%edi\n\txorl\t%ecx,%ebx\n\taddl\t%eax,%ebp\n\tvpslld\t$2,%xmm10,%xmm10\n\tvpxor\t%xmm9,%xmm6,%xmm6\n\tshrdl\t$7,%eax,%eax\n\txorl\t%ecx,%edi\n\tmovl\t%ebp,%esi\n\taddl\t44(%rsp),%edx\n\tvpxor\t%xmm10,%xmm6,%xmm6\n\txorl\t%ebx,%eax\n\tshldl\t$5,%ebp,%ebp\n\taddl\t%edi,%edx\n\tandl\t%eax,%esi\n\txorl\t%ebx,%eax\n\taddl\t%ebp,%edx\n\tshrdl\t$7,%ebp,%ebp\n\txorl\t%ebx,%esi\n\tvpalignr\t$8,%xmm3,%xmm4,%xmm7\n\tmovl\t%edx,%edi\n\taddl\t48(%rsp),%ecx\n\tvpaddd\t%xmm6,%xmm11,%xmm9\n\txorl\t%eax,%ebp\n\tshldl\t$5,%edx,%edx\n\tvpsrldq\t$4,%xmm6,%xmm8\n\taddl\t%esi,%ecx\n\tandl\t%ebp,%edi\n\tvpxor\t%xmm3,%xmm7,%xmm7\n\txorl\t%eax,%ebp\n\taddl\t%edx,%ecx\n\tvpxor\t%xmm5,%xmm8,%xmm8\n\tshrdl\t$7,%edx,%edx\n\txorl\t%eax,%edi\n\tmovl\t%ecx,%esi\n\taddl\t52(%rsp),%ebx\n\tvpxor\t%xmm8,%xmm7,%xmm7\n\txorl\t%ebp,%edx\n\tshldl\t$5,%ecx,%ecx\n\tvmovdqa\t%xmm9,32(%rsp)\n\taddl\t%edi,%ebx\n\tandl\t%edx,%esi\n\tvpsrld\t$31,%xmm7,%xmm8\n\txorl\t%ebp,%edx\n\taddl\t%ecx,%ebx\n\tshrdl\t$7,%ecx,%ecx\n\txorl\t%ebp,%esi\n\tvpslldq\t$12,%xmm7,%xmm10\n\tvpaddd\t%xmm7,%xmm7,%xmm7\n\tmovl\t%ebx,%edi\n\taddl\t56(%rsp),%eax\n\txorl\t%edx,%ecx\n\tshldl\t$5,%ebx,%ebx\n\tvpsrld\t$30,%xmm10,%xmm9\n\tvpor\t%xmm8,%xmm7,%xmm7\n\taddl\t%esi,%eax\n\tandl\t%ecx,%edi\n\txorl\t%edx,%ecx\n\taddl\t%ebx,%eax\n\tvpslld\t$2,%xmm10,%xmm10\n\tvpxor\t%xmm9,%xmm7,%xmm7\n\tshrdl\t$7,%ebx,%ebx\n\txorl\t%edx,%edi\n\tmovl\t%eax,%esi\n\taddl\t60(%rsp),%ebp\n\tvpxor\t%xmm10,%xmm7,%xmm7\n\txorl\t%ecx,%ebx\n\tshldl\t$5,%eax,%eax\n\taddl\t%edi,%ebp\n\tandl\t%ebx,%esi\n\txorl\t%ecx,%ebx\n\taddl\t%eax,%ebp\n\tvpalignr\t$8,%xmm6,%xmm7,%xmm8\n\tvpxor\t%xmm4,%xmm0,%xmm0\n\tshrdl\t$7,%eax,%eax\n\txorl\t%ecx,%esi\n\tmovl\t%ebp,%edi\n\taddl\t0(%rsp),%edx\n\tvpxor\t%xmm1,%xmm0,%xmm0\n\txorl\t%ebx,%eax\n\tshldl\t$5,%ebp,%ebp\n\tvpaddd\t%xmm7,%xmm11,%xmm9\n\taddl\t%esi,%edx\n\tandl\t%eax,%edi\n\tvpxor\t%xmm8,%xmm0,%xmm0\n\txorl\t%ebx,%eax\n\taddl\t%ebp,%edx\n\tshrdl\t$7,%ebp,%ebp\n\txorl\t%ebx,%edi\n\tvpsrld\t$30,%xmm0,%xmm8\n\tvmovdqa\t%xmm9,48(%rsp)\n\tmovl\t%edx,%esi\n\taddl\t4(%rsp),%ecx\n\txorl\t%eax,%ebp\n\tshldl\t$5,%edx,%edx\n\tvpslld\t$2,%xmm0,%xmm0\n\taddl\t%edi,%ecx\n\tandl\t%ebp,%esi\n\txorl\t%eax,%ebp\n\taddl\t%edx,%ecx\n\tshrdl\t$7,%edx,%edx\n\txorl\t%eax,%esi\n\tmovl\t%ecx,%edi\n\taddl\t8(%rsp),%ebx\n\tvpor\t%xmm8,%xmm0,%xmm0\n\txorl\t%ebp,%edx\n\tshldl\t$5,%ecx,%ecx\n\taddl\t%esi,%ebx\n\tandl\t%edx,%edi\n\txorl\t%ebp,%edx\n\taddl\t%ecx,%ebx\n\taddl\t12(%rsp),%eax\n\txorl\t%ebp,%edi\n\tmovl\t%ebx,%esi\n\tshldl\t$5,%ebx,%ebx\n\taddl\t%edi,%eax\n\txorl\t%edx,%esi\n\tshrdl\t$7,%ecx,%ecx\n\taddl\t%ebx,%eax\n\tvpalignr\t$8,%xmm7,%xmm0,%xmm8\n\tvpxor\t%xmm5,%xmm1,%xmm1\n\taddl\t16(%rsp),%ebp\n\txorl\t%ecx,%esi\n\tmovl\t%eax,%edi\n\tshldl\t$5,%eax,%eax\n\tvpxor\t%xmm2,%xmm1,%xmm1\n\taddl\t%esi,%ebp\n\txorl\t%ecx,%edi\n\tvpaddd\t%xmm0,%xmm11,%xmm9\n\tshrdl\t$7,%ebx,%ebx\n\taddl\t%eax,%ebp\n\tvpxor\t%xmm8,%xmm1,%xmm1\n\taddl\t20(%rsp),%edx\n\txorl\t%ebx,%edi\n\tmovl\t%ebp,%esi\n\tshldl\t$5,%ebp,%ebp\n\tvpsrld\t$30,%xmm1,%xmm8\n\tvmovdqa\t%xmm9,0(%rsp)\n\taddl\t%edi,%edx\n\txorl\t%ebx,%esi\n\tshrdl\t$7,%eax,%eax\n\taddl\t%ebp,%edx\n\tvpslld\t$2,%xmm1,%xmm1\n\taddl\t24(%rsp),%ecx\n\txorl\t%eax,%esi\n\tmovl\t%edx,%edi\n\tshldl\t$5,%edx,%edx\n\taddl\t%esi,%ecx\n\txorl\t%eax,%edi\n\tshrdl\t$7,%ebp,%ebp\n\taddl\t%edx,%ecx\n\tvpor\t%xmm8,%xmm1,%xmm1\n\taddl\t28(%rsp),%ebx\n\txorl\t%ebp,%edi\n\tmovl\t%ecx,%esi\n\tshldl\t$5,%ecx,%ecx\n\taddl\t%edi,%ebx\n\txorl\t%ebp,%esi\n\tshrdl\t$7,%edx,%edx\n\taddl\t%ecx,%ebx\n\tvpalignr\t$8,%xmm0,%xmm1,%xmm8\n\tvpxor\t%xmm6,%xmm2,%xmm2\n\taddl\t32(%rsp),%eax\n\txorl\t%edx,%esi\n\tmovl\t%ebx,%edi\n\tshldl\t$5,%ebx,%ebx\n\tvpxor\t%xmm3,%xmm2,%xmm2\n\taddl\t%esi,%eax\n\txorl\t%edx,%edi\n\tvpaddd\t%xmm1,%xmm11,%xmm9\n\tvmovdqa\t0(%r14),%xmm11\n\tshrdl\t$7,%ecx,%ecx\n\taddl\t%ebx,%eax\n\tvpxor\t%xmm8,%xmm2,%xmm2\n\taddl\t36(%rsp),%ebp\n\txorl\t%ecx,%edi\n\tmovl\t%eax,%esi\n\tshldl\t$5,%eax,%eax\n\tvpsrld\t$30,%xmm2,%xmm8\n\tvmovdqa\t%xmm9,16(%rsp)\n\taddl\t%edi,%ebp\n\txorl\t%ecx,%esi\n\tshrdl\t$7,%ebx,%ebx\n\taddl\t%eax,%ebp\n\tvpslld\t$2,%xmm2,%xmm2\n\taddl\t40(%rsp),%edx\n\txorl\t%ebx,%esi\n\tmovl\t%ebp,%edi\n\tshldl\t$5,%ebp,%ebp\n\taddl\t%esi,%edx\n\txorl\t%ebx,%edi\n\tshrdl\t$7,%eax,%eax\n\taddl\t%ebp,%edx\n\tvpor\t%xmm8,%xmm2,%xmm2\n\taddl\t44(%rsp),%ecx\n\txorl\t%eax,%edi\n\tmovl\t%edx,%esi\n\tshldl\t$5,%edx,%edx\n\taddl\t%edi,%ecx\n\txorl\t%eax,%esi\n\tshrdl\t$7,%ebp,%ebp\n\taddl\t%edx,%ecx\n\tvpalignr\t$8,%xmm1,%xmm2,%xmm8\n\tvpxor\t%xmm7,%xmm3,%xmm3\n\taddl\t48(%rsp),%ebx\n\txorl\t%ebp,%esi\n\tmovl\t%ecx,%edi\n\tshldl\t$5,%ecx,%ecx\n\tvpxor\t%xmm4,%xmm3,%xmm3\n\taddl\t%esi,%ebx\n\txorl\t%ebp,%edi\n\tvpaddd\t%xmm2,%xmm11,%xmm9\n\tshrdl\t$7,%edx,%edx\n\taddl\t%ecx,%ebx\n\tvpxor\t%xmm8,%xmm3,%xmm3\n\taddl\t52(%rsp),%eax\n\txorl\t%edx,%edi\n\tmovl\t%ebx,%esi\n\tshldl\t$5,%ebx,%ebx\n\tvpsrld\t$30,%xmm3,%xmm8\n\tvmovdqa\t%xmm9,32(%rsp)\n\taddl\t%edi,%eax\n\txorl\t%edx,%esi\n\tshrdl\t$7,%ecx,%ecx\n\taddl\t%ebx,%eax\n\tvpslld\t$2,%xmm3,%xmm3\n\taddl\t56(%rsp),%ebp\n\txorl\t%ecx,%esi\n\tmovl\t%eax,%edi\n\tshldl\t$5,%eax,%eax\n\taddl\t%esi,%ebp\n\txorl\t%ecx,%edi\n\tshrdl\t$7,%ebx,%ebx\n\taddl\t%eax,%ebp\n\tvpor\t%xmm8,%xmm3,%xmm3\n\taddl\t60(%rsp),%edx\n\txorl\t%ebx,%edi\n\tmovl\t%ebp,%esi\n\tshldl\t$5,%ebp,%ebp\n\taddl\t%edi,%edx\n\txorl\t%ebx,%esi\n\tshrdl\t$7,%eax,%eax\n\taddl\t%ebp,%edx\n\tvpalignr\t$8,%xmm2,%xmm3,%xmm8\n\tvpxor\t%xmm0,%xmm4,%xmm4\n\taddl\t0(%rsp),%ecx\n\txorl\t%eax,%esi\n\tmovl\t%edx,%edi\n\tshldl\t$5,%edx,%edx\n\tvpxor\t%xmm5,%xmm4,%xmm4\n\taddl\t%esi,%ecx\n\txorl\t%eax,%edi\n\tvpaddd\t%xmm3,%xmm11,%xmm9\n\tshrdl\t$7,%ebp,%ebp\n\taddl\t%edx,%ecx\n\tvpxor\t%xmm8,%xmm4,%xmm4\n\taddl\t4(%rsp),%ebx\n\txorl\t%ebp,%edi\n\tmovl\t%ecx,%esi\n\tshldl\t$5,%ecx,%ecx\n\tvpsrld\t$30,%xmm4,%xmm8\n\tvmovdqa\t%xmm9,48(%rsp)\n\taddl\t%edi,%ebx\n\txorl\t%ebp,%esi\n\tshrdl\t$7,%edx,%edx\n\taddl\t%ecx,%ebx\n\tvpslld\t$2,%xmm4,%xmm4\n\taddl\t8(%rsp),%eax\n\txorl\t%edx,%esi\n\tmovl\t%ebx,%edi\n\tshldl\t$5,%ebx,%ebx\n\taddl\t%esi,%eax\n\txorl\t%edx,%edi\n\tshrdl\t$7,%ecx,%ecx\n\taddl\t%ebx,%eax\n\tvpor\t%xmm8,%xmm4,%xmm4\n\taddl\t12(%rsp),%ebp\n\txorl\t%ecx,%edi\n\tmovl\t%eax,%esi\n\tshldl\t$5,%eax,%eax\n\taddl\t%edi,%ebp\n\txorl\t%ecx,%esi\n\tshrdl\t$7,%ebx,%ebx\n\taddl\t%eax,%ebp\n\tvpalignr\t$8,%xmm3,%xmm4,%xmm8\n\tvpxor\t%xmm1,%xmm5,%xmm5\n\taddl\t16(%rsp),%edx\n\txorl\t%ebx,%esi\n\tmovl\t%ebp,%edi\n\tshldl\t$5,%ebp,%ebp\n\tvpxor\t%xmm6,%xmm5,%xmm5\n\taddl\t%esi,%edx\n\txorl\t%ebx,%edi\n\tvpaddd\t%xmm4,%xmm11,%xmm9\n\tshrdl\t$7,%eax,%eax\n\taddl\t%ebp,%edx\n\tvpxor\t%xmm8,%xmm5,%xmm5\n\taddl\t20(%rsp),%ecx\n\txorl\t%eax,%edi\n\tmovl\t%edx,%esi\n\tshldl\t$5,%edx,%edx\n\tvpsrld\t$30,%xmm5,%xmm8\n\tvmovdqa\t%xmm9,0(%rsp)\n\taddl\t%edi,%ecx\n\txorl\t%eax,%esi\n\tshrdl\t$7,%ebp,%ebp\n\taddl\t%edx,%ecx\n\tvpslld\t$2,%xmm5,%xmm5\n\taddl\t24(%rsp),%ebx\n\txorl\t%ebp,%esi\n\tmovl\t%ecx,%edi\n\tshldl\t$5,%ecx,%ecx\n\taddl\t%esi,%ebx\n\txorl\t%ebp,%edi\n\tshrdl\t$7,%edx,%edx\n\taddl\t%ecx,%ebx\n\tvpor\t%xmm8,%xmm5,%xmm5\n\taddl\t28(%rsp),%eax\n\tshrdl\t$7,%ecx,%ecx\n\tmovl\t%ebx,%esi\n\txorl\t%edx,%edi\n\tshldl\t$5,%ebx,%ebx\n\taddl\t%edi,%eax\n\txorl\t%ecx,%esi\n\txorl\t%edx,%ecx\n\taddl\t%ebx,%eax\n\tvpalignr\t$8,%xmm4,%xmm5,%xmm8\n\tvpxor\t%xmm2,%xmm6,%xmm6\n\taddl\t32(%rsp),%ebp\n\tandl\t%ecx,%esi\n\txorl\t%edx,%ecx\n\tshrdl\t$7,%ebx,%ebx\n\tvpxor\t%xmm7,%xmm6,%xmm6\n\tmovl\t%eax,%edi\n\txorl\t%ecx,%esi\n\tvpaddd\t%xmm5,%xmm11,%xmm9\n\tshldl\t$5,%eax,%eax\n\taddl\t%esi,%ebp\n\tvpxor\t%xmm8,%xmm6,%xmm6\n\txorl\t%ebx,%edi\n\txorl\t%ecx,%ebx\n\taddl\t%eax,%ebp\n\taddl\t36(%rsp),%edx\n\tvpsrld\t$30,%xmm6,%xmm8\n\tvmovdqa\t%xmm9,16(%rsp)\n\tandl\t%ebx,%edi\n\txorl\t%ecx,%ebx\n\tshrdl\t$7,%eax,%eax\n\tmovl\t%ebp,%esi\n\tvpslld\t$2,%xmm6,%xmm6\n\txorl\t%ebx,%edi\n\tshldl\t$5,%ebp,%ebp\n\taddl\t%edi,%edx\n\txorl\t%eax,%esi\n\txorl\t%ebx,%eax\n\taddl\t%ebp,%edx\n\taddl\t40(%rsp),%ecx\n\tandl\t%eax,%esi\n\tvpor\t%xmm8,%xmm6,%xmm6\n\txorl\t%ebx,%eax\n\tshrdl\t$7,%ebp,%ebp\n\tmovl\t%edx,%edi\n\txorl\t%eax,%esi\n\tshldl\t$5,%edx,%edx\n\taddl\t%esi,%ecx\n\txorl\t%ebp,%edi\n\txorl\t%eax,%ebp\n\taddl\t%edx,%ecx\n\taddl\t44(%rsp),%ebx\n\tandl\t%ebp,%edi\n\txorl\t%eax,%ebp\n\tshrdl\t$7,%edx,%edx\n\tmovl\t%ecx,%esi\n\txorl\t%ebp,%edi\n\tshldl\t$5,%ecx,%ecx\n\taddl\t%edi,%ebx\n\txorl\t%edx,%esi\n\txorl\t%ebp,%edx\n\taddl\t%ecx,%ebx\n\tvpalignr\t$8,%xmm5,%xmm6,%xmm8\n\tvpxor\t%xmm3,%xmm7,%xmm7\n\taddl\t48(%rsp),%eax\n\tandl\t%edx,%esi\n\txorl\t%ebp,%edx\n\tshrdl\t$7,%ecx,%ecx\n\tvpxor\t%xmm0,%xmm7,%xmm7\n\tmovl\t%ebx,%edi\n\txorl\t%edx,%esi\n\tvpaddd\t%xmm6,%xmm11,%xmm9\n\tvmovdqa\t32(%r14),%xmm11\n\tshldl\t$5,%ebx,%ebx\n\taddl\t%esi,%eax\n\tvpxor\t%xmm8,%xmm7,%xmm7\n\txorl\t%ecx,%edi\n\txorl\t%edx,%ecx\n\taddl\t%ebx,%eax\n\taddl\t52(%rsp),%ebp\n\tvpsrld\t$30,%xmm7,%xmm8\n\tvmovdqa\t%xmm9,32(%rsp)\n\tandl\t%ecx,%edi\n\txorl\t%edx,%ecx\n\tshrdl\t$7,%ebx,%ebx\n\tmovl\t%eax,%esi\n\tvpslld\t$2,%xmm7,%xmm7\n\txorl\t%ecx,%edi\n\tshldl\t$5,%eax,%eax\n\taddl\t%edi,%ebp\n\txorl\t%ebx,%esi\n\txorl\t%ecx,%ebx\n\taddl\t%eax,%ebp\n\taddl\t56(%rsp),%edx\n\tandl\t%ebx,%esi\n\tvpor\t%xmm8,%xmm7,%xmm7\n\txorl\t%ecx,%ebx\n\tshrdl\t$7,%eax,%eax\n\tmovl\t%ebp,%edi\n\txorl\t%ebx,%esi\n\tshldl\t$5,%ebp,%ebp\n\taddl\t%esi,%edx\n\txorl\t%eax,%edi\n\txorl\t%ebx,%eax\n\taddl\t%ebp,%edx\n\taddl\t60(%rsp),%ecx\n\tandl\t%eax,%edi\n\txorl\t%ebx,%eax\n\tshrdl\t$7,%ebp,%ebp\n\tmovl\t%edx,%esi\n\txorl\t%eax,%edi\n\tshldl\t$5,%edx,%edx\n\taddl\t%edi,%ecx\n\txorl\t%ebp,%esi\n\txorl\t%eax,%ebp\n\taddl\t%edx,%ecx\n\tvpalignr\t$8,%xmm6,%xmm7,%xmm8\n\tvpxor\t%xmm4,%xmm0,%xmm0\n\taddl\t0(%rsp),%ebx\n\tandl\t%ebp,%esi\n\txorl\t%eax,%ebp\n\tshrdl\t$7,%edx,%edx\n\tvpxor\t%xmm1,%xmm0,%xmm0\n\tmovl\t%ecx,%edi\n\txorl\t%ebp,%esi\n\tvpaddd\t%xmm7,%xmm11,%xmm9\n\tshldl\t$5,%ecx,%ecx\n\taddl\t%esi,%ebx\n\tvpxor\t%xmm8,%xmm0,%xmm0\n\txorl\t%edx,%edi\n\txorl\t%ebp,%edx\n\taddl\t%ecx,%ebx\n\taddl\t4(%rsp),%eax\n\tvpsrld\t$30,%xmm0,%xmm8\n\tvmovdqa\t%xmm9,48(%rsp)\n\tandl\t%edx,%edi\n\txorl\t%ebp,%edx\n\tshrdl\t$7,%ecx,%ecx\n\tmovl\t%ebx,%esi\n\tvpslld\t$2,%xmm0,%xmm0\n\txorl\t%edx,%edi\n\tshldl\t$5,%ebx,%ebx\n\taddl\t%edi,%eax\n\txorl\t%ecx,%esi\n\txorl\t%edx,%ecx\n\taddl\t%ebx,%eax\n\taddl\t8(%rsp),%ebp\n\tandl\t%ecx,%esi\n\tvpor\t%xmm8,%xmm0,%xmm0\n\txorl\t%edx,%ecx\n\tshrdl\t$7,%ebx,%ebx\n\tmovl\t%eax,%edi\n\txorl\t%ecx,%esi\n\tshldl\t$5,%eax,%eax\n\taddl\t%esi,%ebp\n\txorl\t%ebx,%edi\n\txorl\t%ecx,%ebx\n\taddl\t%eax,%ebp\n\taddl\t12(%rsp),%edx\n\tandl\t%ebx,%edi\n\txorl\t%ecx,%ebx\n\tshrdl\t$7,%eax,%eax\n\tmovl\t%ebp,%esi\n\txorl\t%ebx,%edi\n\tshldl\t$5,%ebp,%ebp\n\taddl\t%edi,%edx\n\txorl\t%eax,%esi\n\txorl\t%ebx,%eax\n\taddl\t%ebp,%edx\n\tvpalignr\t$8,%xmm7,%xmm0,%xmm8\n\tvpxor\t%xmm5,%xmm1,%xmm1\n\taddl\t16(%rsp),%ecx\n\tandl\t%eax,%esi\n\txorl\t%ebx,%eax\n\tshrdl\t$7,%ebp,%ebp\n\tvpxor\t%xmm2,%xmm1,%xmm1\n\tmovl\t%edx,%edi\n\txorl\t%eax,%esi\n\tvpaddd\t%xmm0,%xmm11,%xmm9\n\tshldl\t$5,%edx,%edx\n\taddl\t%esi,%ecx\n\tvpxor\t%xmm8,%xmm1,%xmm1\n\txorl\t%ebp,%edi\n\txorl\t%eax,%ebp\n\taddl\t%edx,%ecx\n\taddl\t20(%rsp),%ebx\n\tvpsrld\t$30,%xmm1,%xmm8\n\tvmovdqa\t%xmm9,0(%rsp)\n\tandl\t%ebp,%edi\n\txorl\t%eax,%ebp\n\tshrdl\t$7,%edx,%edx\n\tmovl\t%ecx,%esi\n\tvpslld\t$2,%xmm1,%xmm1\n\txorl\t%ebp,%edi\n\tshldl\t$5,%ecx,%ecx\n\taddl\t%edi,%ebx\n\txorl\t%edx,%esi\n\txorl\t%ebp,%edx\n\taddl\t%ecx,%ebx\n\taddl\t24(%rsp),%eax\n\tandl\t%edx,%esi\n\tvpor\t%xmm8,%xmm1,%xmm1\n\txorl\t%ebp,%edx\n\tshrdl\t$7,%ecx,%ecx\n\tmovl\t%ebx,%edi\n\txorl\t%edx,%esi\n\tshldl\t$5,%ebx,%ebx\n\taddl\t%esi,%eax\n\txorl\t%ecx,%edi\n\txorl\t%edx,%ecx\n\taddl\t%ebx,%eax\n\taddl\t28(%rsp),%ebp\n\tandl\t%ecx,%edi\n\txorl\t%edx,%ecx\n\tshrdl\t$7,%ebx,%ebx\n\tmovl\t%eax,%esi\n\txorl\t%ecx,%edi\n\tshldl\t$5,%eax,%eax\n\taddl\t%edi,%ebp\n\txorl\t%ebx,%esi\n\txorl\t%ecx,%ebx\n\taddl\t%eax,%ebp\n\tvpalignr\t$8,%xmm0,%xmm1,%xmm8\n\tvpxor\t%xmm6,%xmm2,%xmm2\n\taddl\t32(%rsp),%edx\n\tandl\t%ebx,%esi\n\txorl\t%ecx,%ebx\n\tshrdl\t$7,%eax,%eax\n\tvpxor\t%xmm3,%xmm2,%xmm2\n\tmovl\t%ebp,%edi\n\txorl\t%ebx,%esi\n\tvpaddd\t%xmm1,%xmm11,%xmm9\n\tshldl\t$5,%ebp,%ebp\n\taddl\t%esi,%edx\n\tvpxor\t%xmm8,%xmm2,%xmm2\n\txorl\t%eax,%edi\n\txorl\t%ebx,%eax\n\taddl\t%ebp,%edx\n\taddl\t36(%rsp),%ecx\n\tvpsrld\t$30,%xmm2,%xmm8\n\tvmovdqa\t%xmm9,16(%rsp)\n\tandl\t%eax,%edi\n\txorl\t%ebx,%eax\n\tshrdl\t$7,%ebp,%ebp\n\tmovl\t%edx,%esi\n\tvpslld\t$2,%xmm2,%xmm2\n\txorl\t%eax,%edi\n\tshldl\t$5,%edx,%edx\n\taddl\t%edi,%ecx\n\txorl\t%ebp,%esi\n\txorl\t%eax,%ebp\n\taddl\t%edx,%ecx\n\taddl\t40(%rsp),%ebx\n\tandl\t%ebp,%esi\n\tvpor\t%xmm8,%xmm2,%xmm2\n\txorl\t%eax,%ebp\n\tshrdl\t$7,%edx,%edx\n\tmovl\t%ecx,%edi\n\txorl\t%ebp,%esi\n\tshldl\t$5,%ecx,%ecx\n\taddl\t%esi,%ebx\n\txorl\t%edx,%edi\n\txorl\t%ebp,%edx\n\taddl\t%ecx,%ebx\n\taddl\t44(%rsp),%eax\n\tandl\t%edx,%edi\n\txorl\t%ebp,%edx\n\tshrdl\t$7,%ecx,%ecx\n\tmovl\t%ebx,%esi\n\txorl\t%edx,%edi\n\tshldl\t$5,%ebx,%ebx\n\taddl\t%edi,%eax\n\txorl\t%edx,%esi\n\taddl\t%ebx,%eax\n\tvpalignr\t$8,%xmm1,%xmm2,%xmm8\n\tvpxor\t%xmm7,%xmm3,%xmm3\n\taddl\t48(%rsp),%ebp\n\txorl\t%ecx,%esi\n\tmovl\t%eax,%edi\n\tshldl\t$5,%eax,%eax\n\tvpxor\t%xmm4,%xmm3,%xmm3\n\taddl\t%esi,%ebp\n\txorl\t%ecx,%edi\n\tvpaddd\t%xmm2,%xmm11,%xmm9\n\tshrdl\t$7,%ebx,%ebx\n\taddl\t%eax,%ebp\n\tvpxor\t%xmm8,%xmm3,%xmm3\n\taddl\t52(%rsp),%edx\n\txorl\t%ebx,%edi\n\tmovl\t%ebp,%esi\n\tshldl\t$5,%ebp,%ebp\n\tvpsrld\t$30,%xmm3,%xmm8\n\tvmovdqa\t%xmm9,32(%rsp)\n\taddl\t%edi,%edx\n\txorl\t%ebx,%esi\n\tshrdl\t$7,%eax,%eax\n\taddl\t%ebp,%edx\n\tvpslld\t$2,%xmm3,%xmm3\n\taddl\t56(%rsp),%ecx\n\txorl\t%eax,%esi\n\tmovl\t%edx,%edi\n\tshldl\t$5,%edx,%edx\n\taddl\t%esi,%ecx\n\txorl\t%eax,%edi\n\tshrdl\t$7,%ebp,%ebp\n\taddl\t%edx,%ecx\n\tvpor\t%xmm8,%xmm3,%xmm3\n\taddl\t60(%rsp),%ebx\n\txorl\t%ebp,%edi\n\tmovl\t%ecx,%esi\n\tshldl\t$5,%ecx,%ecx\n\taddl\t%edi,%ebx\n\txorl\t%ebp,%esi\n\tshrdl\t$7,%edx,%edx\n\taddl\t%ecx,%ebx\n\taddl\t0(%rsp),%eax\n\tvpaddd\t%xmm3,%xmm11,%xmm9\n\txorl\t%edx,%esi\n\tmovl\t%ebx,%edi\n\tshldl\t$5,%ebx,%ebx\n\taddl\t%esi,%eax\n\tvmovdqa\t%xmm9,48(%rsp)\n\txorl\t%edx,%edi\n\tshrdl\t$7,%ecx,%ecx\n\taddl\t%ebx,%eax\n\taddl\t4(%rsp),%ebp\n\txorl\t%ecx,%edi\n\tmovl\t%eax,%esi\n\tshldl\t$5,%eax,%eax\n\taddl\t%edi,%ebp\n\txorl\t%ecx,%esi\n\tshrdl\t$7,%ebx,%ebx\n\taddl\t%eax,%ebp\n\taddl\t8(%rsp),%edx\n\txorl\t%ebx,%esi\n\tmovl\t%ebp,%edi\n\tshldl\t$5,%ebp,%ebp\n\taddl\t%esi,%edx\n\txorl\t%ebx,%edi\n\tshrdl\t$7,%eax,%eax\n\taddl\t%ebp,%edx\n\taddl\t12(%rsp),%ecx\n\txorl\t%eax,%edi\n\tmovl\t%edx,%esi\n\tshldl\t$5,%edx,%edx\n\taddl\t%edi,%ecx\n\txorl\t%eax,%esi\n\tshrdl\t$7,%ebp,%ebp\n\taddl\t%edx,%ecx\n\tcmpq\t%r10,%r9\n\tje\t.Ldone_avx\n\tvmovdqa\t64(%r14),%xmm6\n\tvmovdqa\t-64(%r14),%xmm11\n\tvmovdqu\t0(%r9),%xmm0\n\tvmovdqu\t16(%r9),%xmm1\n\tvmovdqu\t32(%r9),%xmm2\n\tvmovdqu\t48(%r9),%xmm3\n\tvpshufb\t%xmm6,%xmm0,%xmm0\n\taddq\t$64,%r9\n\taddl\t16(%rsp),%ebx\n\txorl\t%ebp,%esi\n\tvpshufb\t%xmm6,%xmm1,%xmm1\n\tmovl\t%ecx,%edi\n\tshldl\t$5,%ecx,%ecx\n\tvpaddd\t%xmm11,%xmm0,%xmm4\n\taddl\t%esi,%ebx\n\txorl\t%ebp,%edi\n\tshrdl\t$7,%edx,%edx\n\taddl\t%ecx,%ebx\n\tvmovdqa\t%xmm4,0(%rsp)\n\taddl\t20(%rsp),%eax\n\txorl\t%edx,%edi\n\tmovl\t%ebx,%esi\n\tshldl\t$5,%ebx,%ebx\n\taddl\t%edi,%eax\n\txorl\t%edx,%esi\n\tshrdl\t$7,%ecx,%ecx\n\taddl\t%ebx,%eax\n\taddl\t24(%rsp),%ebp\n\txorl\t%ecx,%esi\n\tmovl\t%eax,%edi\n\tshldl\t$5,%eax,%eax\n\taddl\t%esi,%ebp\n\txorl\t%ecx,%edi\n\tshrdl\t$7,%ebx,%ebx\n\taddl\t%eax,%ebp\n\taddl\t28(%rsp),%edx\n\txorl\t%ebx,%edi\n\tmovl\t%ebp,%esi\n\tshldl\t$5,%ebp,%ebp\n\taddl\t%edi,%edx\n\txorl\t%ebx,%esi\n\tshrdl\t$7,%eax,%eax\n\taddl\t%ebp,%edx\n\taddl\t32(%rsp),%ecx\n\txorl\t%eax,%esi\n\tvpshufb\t%xmm6,%xmm2,%xmm2\n\tmovl\t%edx,%edi\n\tshldl\t$5,%edx,%edx\n\tvpaddd\t%xmm11,%xmm1,%xmm5\n\taddl\t%esi,%ecx\n\txorl\t%eax,%edi\n\tshrdl\t$7,%ebp,%ebp\n\taddl\t%edx,%ecx\n\tvmovdqa\t%xmm5,16(%rsp)\n\taddl\t36(%rsp),%ebx\n\txorl\t%ebp,%edi\n\tmovl\t%ecx,%esi\n\tshldl\t$5,%ecx,%ecx\n\taddl\t%edi,%ebx\n\txorl\t%ebp,%esi\n\tshrdl\t$7,%edx,%edx\n\taddl\t%ecx,%ebx\n\taddl\t40(%rsp),%eax\n\txorl\t%edx,%esi\n\tmovl\t%ebx,%edi\n\tshldl\t$5,%ebx,%ebx\n\taddl\t%esi,%eax\n\txorl\t%edx,%edi\n\tshrdl\t$7,%ecx,%ecx\n\taddl\t%ebx,%eax\n\taddl\t44(%rsp),%ebp\n\txorl\t%ecx,%edi\n\tmovl\t%eax,%esi\n\tshldl\t$5,%eax,%eax\n\taddl\t%edi,%ebp\n\txorl\t%ecx,%esi\n\tshrdl\t$7,%ebx,%ebx\n\taddl\t%eax,%ebp\n\taddl\t48(%rsp),%edx\n\txorl\t%ebx,%esi\n\tvpshufb\t%xmm6,%xmm3,%xmm3\n\tmovl\t%ebp,%edi\n\tshldl\t$5,%ebp,%ebp\n\tvpaddd\t%xmm11,%xmm2,%xmm6\n\taddl\t%esi,%edx\n\txorl\t%ebx,%edi\n\tshrdl\t$7,%eax,%eax\n\taddl\t%ebp,%edx\n\tvmovdqa\t%xmm6,32(%rsp)\n\taddl\t52(%rsp),%ecx\n\txorl\t%eax,%edi\n\tmovl\t%edx,%esi\n\tshldl\t$5,%edx,%edx\n\taddl\t%edi,%ecx\n\txorl\t%eax,%esi\n\tshrdl\t$7,%ebp,%ebp\n\taddl\t%edx,%ecx\n\taddl\t56(%rsp),%ebx\n\txorl\t%ebp,%esi\n\tmovl\t%ecx,%edi\n\tshldl\t$5,%ecx,%ecx\n\taddl\t%esi,%ebx\n\txorl\t%ebp,%edi\n\tshrdl\t$7,%edx,%edx\n\taddl\t%ecx,%ebx\n\taddl\t60(%rsp),%eax\n\txorl\t%edx,%edi\n\tmovl\t%ebx,%esi\n\tshldl\t$5,%ebx,%ebx\n\taddl\t%edi,%eax\n\tshrdl\t$7,%ecx,%ecx\n\taddl\t%ebx,%eax\n\taddl\t0(%r8),%eax\n\taddl\t4(%r8),%esi\n\taddl\t8(%r8),%ecx\n\taddl\t12(%r8),%edx\n\tmovl\t%eax,0(%r8)\n\taddl\t16(%r8),%ebp\n\tmovl\t%esi,4(%r8)\n\tmovl\t%esi,%ebx\n\tmovl\t%ecx,8(%r8)\n\tmovl\t%ecx,%edi\n\tmovl\t%edx,12(%r8)\n\txorl\t%edx,%edi\n\tmovl\t%ebp,16(%r8)\n\tandl\t%edi,%esi\n\tjmp\t.Loop_avx\n\n.align\t16\n.Ldone_avx:\n\taddl\t16(%rsp),%ebx\n\txorl\t%ebp,%esi\n\tmovl\t%ecx,%edi\n\tshldl\t$5,%ecx,%ecx\n\taddl\t%esi,%ebx\n\txorl\t%ebp,%edi\n\tshrdl\t$7,%edx,%edx\n\taddl\t%ecx,%ebx\n\taddl\t20(%rsp),%eax\n\txorl\t%edx,%edi\n\tmovl\t%ebx,%esi\n\tshldl\t$5,%ebx,%ebx\n\taddl\t%edi,%eax\n\txorl\t%edx,%esi\n\tshrdl\t$7,%ecx,%ecx\n\taddl\t%ebx,%eax\n\taddl\t24(%rsp),%ebp\n\txorl\t%ecx,%esi\n\tmovl\t%eax,%edi\n\tshldl\t$5,%eax,%eax\n\taddl\t%esi,%ebp\n\txorl\t%ecx,%edi\n\tshrdl\t$7,%ebx,%ebx\n\taddl\t%eax,%ebp\n\taddl\t28(%rsp),%edx\n\txorl\t%ebx,%edi\n\tmovl\t%ebp,%esi\n\tshldl\t$5,%ebp,%ebp\n\taddl\t%edi,%edx\n\txorl\t%ebx,%esi\n\tshrdl\t$7,%eax,%eax\n\taddl\t%ebp,%edx\n\taddl\t32(%rsp),%ecx\n\txorl\t%eax,%esi\n\tmovl\t%edx,%edi\n\tshldl\t$5,%edx,%edx\n\taddl\t%esi,%ecx\n\txorl\t%eax,%edi\n\tshrdl\t$7,%ebp,%ebp\n\taddl\t%edx,%ecx\n\taddl\t36(%rsp),%ebx\n\txorl\t%ebp,%edi\n\tmovl\t%ecx,%esi\n\tshldl\t$5,%ecx,%ecx\n\taddl\t%edi,%ebx\n\txorl\t%ebp,%esi\n\tshrdl\t$7,%edx,%edx\n\taddl\t%ecx,%ebx\n\taddl\t40(%rsp),%eax\n\txorl\t%edx,%esi\n\tmovl\t%ebx,%edi\n\tshldl\t$5,%ebx,%ebx\n\taddl\t%esi,%eax\n\txorl\t%edx,%edi\n\tshrdl\t$7,%ecx,%ecx\n\taddl\t%ebx,%eax\n\taddl\t44(%rsp),%ebp\n\txorl\t%ecx,%edi\n\tmovl\t%eax,%esi\n\tshldl\t$5,%eax,%eax\n\taddl\t%edi,%ebp\n\txorl\t%ecx,%esi\n\tshrdl\t$7,%ebx,%ebx\n\taddl\t%eax,%ebp\n\taddl\t48(%rsp),%edx\n\txorl\t%ebx,%esi\n\tmovl\t%ebp,%edi\n\tshldl\t$5,%ebp,%ebp\n\taddl\t%esi,%edx\n\txorl\t%ebx,%edi\n\tshrdl\t$7,%eax,%eax\n\taddl\t%ebp,%edx\n\taddl\t52(%rsp),%ecx\n\txorl\t%eax,%edi\n\tmovl\t%edx,%esi\n\tshldl\t$5,%edx,%edx\n\taddl\t%edi,%ecx\n\txorl\t%eax,%esi\n\tshrdl\t$7,%ebp,%ebp\n\taddl\t%edx,%ecx\n\taddl\t56(%rsp),%ebx\n\txorl\t%ebp,%esi\n\tmovl\t%ecx,%edi\n\tshldl\t$5,%ecx,%ecx\n\taddl\t%esi,%ebx\n\txorl\t%ebp,%edi\n\tshrdl\t$7,%edx,%edx\n\taddl\t%ecx,%ebx\n\taddl\t60(%rsp),%eax\n\txorl\t%edx,%edi\n\tmovl\t%ebx,%esi\n\tshldl\t$5,%ebx,%ebx\n\taddl\t%edi,%eax\n\tshrdl\t$7,%ecx,%ecx\n\taddl\t%ebx,%eax\n\tvzeroupper\n\n\taddl\t0(%r8),%eax\n\taddl\t4(%r8),%esi\n\taddl\t8(%r8),%ecx\n\tmovl\t%eax,0(%r8)\n\taddl\t12(%r8),%edx\n\tmovl\t%esi,4(%r8)\n\taddl\t16(%r8),%ebp\n\tmovl\t%ecx,8(%r8)\n\tmovl\t%edx,12(%r8)\n\tmovl\t%ebp,16(%r8)\n\tmovq\t-40(%r11),%r14\n.cfi_restore\t%r14\n\tmovq\t-32(%r11),%r13\n.cfi_restore\t%r13\n\tmovq\t-24(%r11),%r12\n.cfi_restore\t%r12\n\tmovq\t-16(%r11),%rbp\n.cfi_restore\t%rbp\n\tmovq\t-8(%r11),%rbx\n.cfi_restore\t%rbx\n\tleaq\t(%r11),%rsp\n.cfi_def_cfa_register\t%rsp\n.Lepilogue_avx:\n\tret\n.cfi_endproc\t\n.size\tsha1_block_data_order_avx,.-sha1_block_data_order_avx\n.globl\tsha1_block_data_order_avx2\n.hidden sha1_block_data_order_avx2\n.type\tsha1_block_data_order_avx2,@function\n.align\t16\nsha1_block_data_order_avx2:\n.cfi_startproc\t\n_CET_ENDBR\n\tmovq\t%rsp,%r11\n.cfi_def_cfa_register\t%r11\n\tpushq\t%rbx\n.cfi_offset\t%rbx,-16\n\tpushq\t%rbp\n.cfi_offset\t%rbp,-24\n\tpushq\t%r12\n.cfi_offset\t%r12,-32\n\tpushq\t%r13\n.cfi_offset\t%r13,-40\n\tpushq\t%r14\n.cfi_offset\t%r14,-48\n\tvzeroupper\n\tmovq\t%rdi,%r8\n\tmovq\t%rsi,%r9\n\tmovq\t%rdx,%r10\n\n\tleaq\t-640(%rsp),%rsp\n\tshlq\t$6,%r10\n\tleaq\t64(%r9),%r13\n\tandq\t$-128,%rsp\n\taddq\t%r9,%r10\n\tleaq\tK_XX_XX+64(%rip),%r14\n\n\tmovl\t0(%r8),%eax\n\tcmpq\t%r10,%r13\n\tcmovaeq\t%r9,%r13\n\tmovl\t4(%r8),%ebp\n\tmovl\t8(%r8),%ecx\n\tmovl\t12(%r8),%edx\n\tmovl\t16(%r8),%esi\n\tvmovdqu\t64(%r14),%ymm6\n\n\tvmovdqu\t(%r9),%xmm0\n\tvmovdqu\t16(%r9),%xmm1\n\tvmovdqu\t32(%r9),%xmm2\n\tvmovdqu\t48(%r9),%xmm3\n\tleaq\t64(%r9),%r9\n\tvinserti128\t$1,(%r13),%ymm0,%ymm0\n\tvinserti128\t$1,16(%r13),%ymm1,%ymm1\n\tvpshufb\t%ymm6,%ymm0,%ymm0\n\tvinserti128\t$1,32(%r13),%ymm2,%ymm2\n\tvpshufb\t%ymm6,%ymm1,%ymm1\n\tvinserti128\t$1,48(%r13),%ymm3,%ymm3\n\tvpshufb\t%ymm6,%ymm2,%ymm2\n\tvmovdqu\t-64(%r14),%ymm11\n\tvpshufb\t%ymm6,%ymm3,%ymm3\n\n\tvpaddd\t%ymm11,%ymm0,%ymm4\n\tvpaddd\t%ymm11,%ymm1,%ymm5\n\tvmovdqu\t%ymm4,0(%rsp)\n\tvpaddd\t%ymm11,%ymm2,%ymm6\n\tvmovdqu\t%ymm5,32(%rsp)\n\tvpaddd\t%ymm11,%ymm3,%ymm7\n\tvmovdqu\t%ymm6,64(%rsp)\n\tvmovdqu\t%ymm7,96(%rsp)\n\tvpalignr\t$8,%ymm0,%ymm1,%ymm4\n\tvpsrldq\t$4,%ymm3,%ymm8\n\tvpxor\t%ymm0,%ymm4,%ymm4\n\tvpxor\t%ymm2,%ymm8,%ymm8\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvpsrld\t$31,%ymm4,%ymm8\n\tvpslldq\t$12,%ymm4,%ymm10\n\tvpaddd\t%ymm4,%ymm4,%ymm4\n\tvpsrld\t$30,%ymm10,%ymm9\n\tvpor\t%ymm8,%ymm4,%ymm4\n\tvpslld\t$2,%ymm10,%ymm10\n\tvpxor\t%ymm9,%ymm4,%ymm4\n\tvpxor\t%ymm10,%ymm4,%ymm4\n\tvpaddd\t%ymm11,%ymm4,%ymm9\n\tvmovdqu\t%ymm9,128(%rsp)\n\tvpalignr\t$8,%ymm1,%ymm2,%ymm5\n\tvpsrldq\t$4,%ymm4,%ymm8\n\tvpxor\t%ymm1,%ymm5,%ymm5\n\tvpxor\t%ymm3,%ymm8,%ymm8\n\tvpxor\t%ymm8,%ymm5,%ymm5\n\tvpsrld\t$31,%ymm5,%ymm8\n\tvmovdqu\t-32(%r14),%ymm11\n\tvpslldq\t$12,%ymm5,%ymm10\n\tvpaddd\t%ymm5,%ymm5,%ymm5\n\tvpsrld\t$30,%ymm10,%ymm9\n\tvpor\t%ymm8,%ymm5,%ymm5\n\tvpslld\t$2,%ymm10,%ymm10\n\tvpxor\t%ymm9,%ymm5,%ymm5\n\tvpxor\t%ymm10,%ymm5,%ymm5\n\tvpaddd\t%ymm11,%ymm5,%ymm9\n\tvmovdqu\t%ymm9,160(%rsp)\n\tvpalignr\t$8,%ymm2,%ymm3,%ymm6\n\tvpsrldq\t$4,%ymm5,%ymm8\n\tvpxor\t%ymm2,%ymm6,%ymm6\n\tvpxor\t%ymm4,%ymm8,%ymm8\n\tvpxor\t%ymm8,%ymm6,%ymm6\n\tvpsrld\t$31,%ymm6,%ymm8\n\tvpslldq\t$12,%ymm6,%ymm10\n\tvpaddd\t%ymm6,%ymm6,%ymm6\n\tvpsrld\t$30,%ymm10,%ymm9\n\tvpor\t%ymm8,%ymm6,%ymm6\n\tvpslld\t$2,%ymm10,%ymm10\n\tvpxor\t%ymm9,%ymm6,%ymm6\n\tvpxor\t%ymm10,%ymm6,%ymm6\n\tvpaddd\t%ymm11,%ymm6,%ymm9\n\tvmovdqu\t%ymm9,192(%rsp)\n\tvpalignr\t$8,%ymm3,%ymm4,%ymm7\n\tvpsrldq\t$4,%ymm6,%ymm8\n\tvpxor\t%ymm3,%ymm7,%ymm7\n\tvpxor\t%ymm5,%ymm8,%ymm8\n\tvpxor\t%ymm8,%ymm7,%ymm7\n\tvpsrld\t$31,%ymm7,%ymm8\n\tvpslldq\t$12,%ymm7,%ymm10\n\tvpaddd\t%ymm7,%ymm7,%ymm7\n\tvpsrld\t$30,%ymm10,%ymm9\n\tvpor\t%ymm8,%ymm7,%ymm7\n\tvpslld\t$2,%ymm10,%ymm10\n\tvpxor\t%ymm9,%ymm7,%ymm7\n\tvpxor\t%ymm10,%ymm7,%ymm7\n\tvpaddd\t%ymm11,%ymm7,%ymm9\n\tvmovdqu\t%ymm9,224(%rsp)\n\tleaq\t128(%rsp),%r13\n\tjmp\t.Loop_avx2\n.align\t32\n.Loop_avx2:\n\trorxl\t$2,%ebp,%ebx\n\tandnl\t%edx,%ebp,%edi\n\tandl\t%ecx,%ebp\n\txorl\t%edi,%ebp\n\tjmp\t.Lalign32_1\n.align\t32\n.Lalign32_1:\n\tvpalignr\t$8,%ymm6,%ymm7,%ymm8\n\tvpxor\t%ymm4,%ymm0,%ymm0\n\taddl\t-128(%r13),%esi\n\tandnl\t%ecx,%eax,%edi\n\tvpxor\t%ymm1,%ymm0,%ymm0\n\taddl\t%ebp,%esi\n\trorxl\t$27,%eax,%r12d\n\trorxl\t$2,%eax,%ebp\n\tvpxor\t%ymm8,%ymm0,%ymm0\n\tandl\t%ebx,%eax\n\taddl\t%r12d,%esi\n\txorl\t%edi,%eax\n\tvpsrld\t$30,%ymm0,%ymm8\n\tvpslld\t$2,%ymm0,%ymm0\n\taddl\t-124(%r13),%edx\n\tandnl\t%ebx,%esi,%edi\n\taddl\t%eax,%edx\n\trorxl\t$27,%esi,%r12d\n\trorxl\t$2,%esi,%eax\n\tandl\t%ebp,%esi\n\tvpor\t%ymm8,%ymm0,%ymm0\n\taddl\t%r12d,%edx\n\txorl\t%edi,%esi\n\taddl\t-120(%r13),%ecx\n\tandnl\t%ebp,%edx,%edi\n\tvpaddd\t%ymm11,%ymm0,%ymm9\n\taddl\t%esi,%ecx\n\trorxl\t$27,%edx,%r12d\n\trorxl\t$2,%edx,%esi\n\tandl\t%eax,%edx\n\tvmovdqu\t%ymm9,256(%rsp)\n\taddl\t%r12d,%ecx\n\txorl\t%edi,%edx\n\taddl\t-116(%r13),%ebx\n\tandnl\t%eax,%ecx,%edi\n\taddl\t%edx,%ebx\n\trorxl\t$27,%ecx,%r12d\n\trorxl\t$2,%ecx,%edx\n\tandl\t%esi,%ecx\n\taddl\t%r12d,%ebx\n\txorl\t%edi,%ecx\n\taddl\t-96(%r13),%ebp\n\tandnl\t%esi,%ebx,%edi\n\taddl\t%ecx,%ebp\n\trorxl\t$27,%ebx,%r12d\n\trorxl\t$2,%ebx,%ecx\n\tandl\t%edx,%ebx\n\taddl\t%r12d,%ebp\n\txorl\t%edi,%ebx\n\tvpalignr\t$8,%ymm7,%ymm0,%ymm8\n\tvpxor\t%ymm5,%ymm1,%ymm1\n\taddl\t-92(%r13),%eax\n\tandnl\t%edx,%ebp,%edi\n\tvpxor\t%ymm2,%ymm1,%ymm1\n\taddl\t%ebx,%eax\n\trorxl\t$27,%ebp,%r12d\n\trorxl\t$2,%ebp,%ebx\n\tvpxor\t%ymm8,%ymm1,%ymm1\n\tandl\t%ecx,%ebp\n\taddl\t%r12d,%eax\n\txorl\t%edi,%ebp\n\tvpsrld\t$30,%ymm1,%ymm8\n\tvpslld\t$2,%ymm1,%ymm1\n\taddl\t-88(%r13),%esi\n\tandnl\t%ecx,%eax,%edi\n\taddl\t%ebp,%esi\n\trorxl\t$27,%eax,%r12d\n\trorxl\t$2,%eax,%ebp\n\tandl\t%ebx,%eax\n\tvpor\t%ymm8,%ymm1,%ymm1\n\taddl\t%r12d,%esi\n\txorl\t%edi,%eax\n\taddl\t-84(%r13),%edx\n\tandnl\t%ebx,%esi,%edi\n\tvpaddd\t%ymm11,%ymm1,%ymm9\n\taddl\t%eax,%edx\n\trorxl\t$27,%esi,%r12d\n\trorxl\t$2,%esi,%eax\n\tandl\t%ebp,%esi\n\tvmovdqu\t%ymm9,288(%rsp)\n\taddl\t%r12d,%edx\n\txorl\t%edi,%esi\n\taddl\t-64(%r13),%ecx\n\tandnl\t%ebp,%edx,%edi\n\taddl\t%esi,%ecx\n\trorxl\t$27,%edx,%r12d\n\trorxl\t$2,%edx,%esi\n\tandl\t%eax,%edx\n\taddl\t%r12d,%ecx\n\txorl\t%edi,%edx\n\taddl\t-60(%r13),%ebx\n\tandnl\t%eax,%ecx,%edi\n\taddl\t%edx,%ebx\n\trorxl\t$27,%ecx,%r12d\n\trorxl\t$2,%ecx,%edx\n\tandl\t%esi,%ecx\n\taddl\t%r12d,%ebx\n\txorl\t%edi,%ecx\n\tvpalignr\t$8,%ymm0,%ymm1,%ymm8\n\tvpxor\t%ymm6,%ymm2,%ymm2\n\taddl\t-56(%r13),%ebp\n\tandnl\t%esi,%ebx,%edi\n\tvpxor\t%ymm3,%ymm2,%ymm2\n\tvmovdqu\t0(%r14),%ymm11\n\taddl\t%ecx,%ebp\n\trorxl\t$27,%ebx,%r12d\n\trorxl\t$2,%ebx,%ecx\n\tvpxor\t%ymm8,%ymm2,%ymm2\n\tandl\t%edx,%ebx\n\taddl\t%r12d,%ebp\n\txorl\t%edi,%ebx\n\tvpsrld\t$30,%ymm2,%ymm8\n\tvpslld\t$2,%ymm2,%ymm2\n\taddl\t-52(%r13),%eax\n\tandnl\t%edx,%ebp,%edi\n\taddl\t%ebx,%eax\n\trorxl\t$27,%ebp,%r12d\n\trorxl\t$2,%ebp,%ebx\n\tandl\t%ecx,%ebp\n\tvpor\t%ymm8,%ymm2,%ymm2\n\taddl\t%r12d,%eax\n\txorl\t%edi,%ebp\n\taddl\t-32(%r13),%esi\n\tandnl\t%ecx,%eax,%edi\n\tvpaddd\t%ymm11,%ymm2,%ymm9\n\taddl\t%ebp,%esi\n\trorxl\t$27,%eax,%r12d\n\trorxl\t$2,%eax,%ebp\n\tandl\t%ebx,%eax\n\tvmovdqu\t%ymm9,320(%rsp)\n\taddl\t%r12d,%esi\n\txorl\t%edi,%eax\n\taddl\t-28(%r13),%edx\n\tandnl\t%ebx,%esi,%edi\n\taddl\t%eax,%edx\n\trorxl\t$27,%esi,%r12d\n\trorxl\t$2,%esi,%eax\n\tandl\t%ebp,%esi\n\taddl\t%r12d,%edx\n\txorl\t%edi,%esi\n\taddl\t-24(%r13),%ecx\n\tandnl\t%ebp,%edx,%edi\n\taddl\t%esi,%ecx\n\trorxl\t$27,%edx,%r12d\n\trorxl\t$2,%edx,%esi\n\tandl\t%eax,%edx\n\taddl\t%r12d,%ecx\n\txorl\t%edi,%edx\n\tvpalignr\t$8,%ymm1,%ymm2,%ymm8\n\tvpxor\t%ymm7,%ymm3,%ymm3\n\taddl\t-20(%r13),%ebx\n\tandnl\t%eax,%ecx,%edi\n\tvpxor\t%ymm4,%ymm3,%ymm3\n\taddl\t%edx,%ebx\n\trorxl\t$27,%ecx,%r12d\n\trorxl\t$2,%ecx,%edx\n\tvpxor\t%ymm8,%ymm3,%ymm3\n\tandl\t%esi,%ecx\n\taddl\t%r12d,%ebx\n\txorl\t%edi,%ecx\n\tvpsrld\t$30,%ymm3,%ymm8\n\tvpslld\t$2,%ymm3,%ymm3\n\taddl\t0(%r13),%ebp\n\tandnl\t%esi,%ebx,%edi\n\taddl\t%ecx,%ebp\n\trorxl\t$27,%ebx,%r12d\n\trorxl\t$2,%ebx,%ecx\n\tandl\t%edx,%ebx\n\tvpor\t%ymm8,%ymm3,%ymm3\n\taddl\t%r12d,%ebp\n\txorl\t%edi,%ebx\n\taddl\t4(%r13),%eax\n\tandnl\t%edx,%ebp,%edi\n\tvpaddd\t%ymm11,%ymm3,%ymm9\n\taddl\t%ebx,%eax\n\trorxl\t$27,%ebp,%r12d\n\trorxl\t$2,%ebp,%ebx\n\tandl\t%ecx,%ebp\n\tvmovdqu\t%ymm9,352(%rsp)\n\taddl\t%r12d,%eax\n\txorl\t%edi,%ebp\n\taddl\t8(%r13),%esi\n\tandnl\t%ecx,%eax,%edi\n\taddl\t%ebp,%esi\n\trorxl\t$27,%eax,%r12d\n\trorxl\t$2,%eax,%ebp\n\tandl\t%ebx,%eax\n\taddl\t%r12d,%esi\n\txorl\t%edi,%eax\n\taddl\t12(%r13),%edx\n\tleal\t(%rdx,%rax,1),%edx\n\trorxl\t$27,%esi,%r12d\n\trorxl\t$2,%esi,%eax\n\txorl\t%ebp,%esi\n\taddl\t%r12d,%edx\n\txorl\t%ebx,%esi\n\tvpalignr\t$8,%ymm2,%ymm3,%ymm8\n\tvpxor\t%ymm0,%ymm4,%ymm4\n\taddl\t32(%r13),%ecx\n\tleal\t(%rcx,%rsi,1),%ecx\n\tvpxor\t%ymm5,%ymm4,%ymm4\n\trorxl\t$27,%edx,%r12d\n\trorxl\t$2,%edx,%esi\n\txorl\t%eax,%edx\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\taddl\t%r12d,%ecx\n\txorl\t%ebp,%edx\n\taddl\t36(%r13),%ebx\n\tvpsrld\t$30,%ymm4,%ymm8\n\tvpslld\t$2,%ymm4,%ymm4\n\tleal\t(%rbx,%rdx,1),%ebx\n\trorxl\t$27,%ecx,%r12d\n\trorxl\t$2,%ecx,%edx\n\txorl\t%esi,%ecx\n\taddl\t%r12d,%ebx\n\txorl\t%eax,%ecx\n\tvpor\t%ymm8,%ymm4,%ymm4\n\taddl\t40(%r13),%ebp\n\tleal\t(%rcx,%rbp,1),%ebp\n\trorxl\t$27,%ebx,%r12d\n\trorxl\t$2,%ebx,%ecx\n\tvpaddd\t%ymm11,%ymm4,%ymm9\n\txorl\t%edx,%ebx\n\taddl\t%r12d,%ebp\n\txorl\t%esi,%ebx\n\taddl\t44(%r13),%eax\n\tvmovdqu\t%ymm9,384(%rsp)\n\tleal\t(%rax,%rbx,1),%eax\n\trorxl\t$27,%ebp,%r12d\n\trorxl\t$2,%ebp,%ebx\n\txorl\t%ecx,%ebp\n\taddl\t%r12d,%eax\n\txorl\t%edx,%ebp\n\taddl\t64(%r13),%esi\n\tleal\t(%rsi,%rbp,1),%esi\n\trorxl\t$27,%eax,%r12d\n\trorxl\t$2,%eax,%ebp\n\txorl\t%ebx,%eax\n\taddl\t%r12d,%esi\n\txorl\t%ecx,%eax\n\tvpalignr\t$8,%ymm3,%ymm4,%ymm8\n\tvpxor\t%ymm1,%ymm5,%ymm5\n\taddl\t68(%r13),%edx\n\tleal\t(%rdx,%rax,1),%edx\n\tvpxor\t%ymm6,%ymm5,%ymm5\n\trorxl\t$27,%esi,%r12d\n\trorxl\t$2,%esi,%eax\n\txorl\t%ebp,%esi\n\tvpxor\t%ymm8,%ymm5,%ymm5\n\taddl\t%r12d,%edx\n\txorl\t%ebx,%esi\n\taddl\t72(%r13),%ecx\n\tvpsrld\t$30,%ymm5,%ymm8\n\tvpslld\t$2,%ymm5,%ymm5\n\tleal\t(%rcx,%rsi,1),%ecx\n\trorxl\t$27,%edx,%r12d\n\trorxl\t$2,%edx,%esi\n\txorl\t%eax,%edx\n\taddl\t%r12d,%ecx\n\txorl\t%ebp,%edx\n\tvpor\t%ymm8,%ymm5,%ymm5\n\taddl\t76(%r13),%ebx\n\tleal\t(%rbx,%rdx,1),%ebx\n\trorxl\t$27,%ecx,%r12d\n\trorxl\t$2,%ecx,%edx\n\tvpaddd\t%ymm11,%ymm5,%ymm9\n\txorl\t%esi,%ecx\n\taddl\t%r12d,%ebx\n\txorl\t%eax,%ecx\n\taddl\t96(%r13),%ebp\n\tvmovdqu\t%ymm9,416(%rsp)\n\tleal\t(%rcx,%rbp,1),%ebp\n\trorxl\t$27,%ebx,%r12d\n\trorxl\t$2,%ebx,%ecx\n\txorl\t%edx,%ebx\n\taddl\t%r12d,%ebp\n\txorl\t%esi,%ebx\n\taddl\t100(%r13),%eax\n\tleal\t(%rax,%rbx,1),%eax\n\trorxl\t$27,%ebp,%r12d\n\trorxl\t$2,%ebp,%ebx\n\txorl\t%ecx,%ebp\n\taddl\t%r12d,%eax\n\txorl\t%edx,%ebp\n\tvpalignr\t$8,%ymm4,%ymm5,%ymm8\n\tvpxor\t%ymm2,%ymm6,%ymm6\n\taddl\t104(%r13),%esi\n\tleal\t(%rsi,%rbp,1),%esi\n\tvpxor\t%ymm7,%ymm6,%ymm6\n\trorxl\t$27,%eax,%r12d\n\trorxl\t$2,%eax,%ebp\n\txorl\t%ebx,%eax\n\tvpxor\t%ymm8,%ymm6,%ymm6\n\taddl\t%r12d,%esi\n\txorl\t%ecx,%eax\n\taddl\t108(%r13),%edx\n\tleaq\t256(%r13),%r13\n\tvpsrld\t$30,%ymm6,%ymm8\n\tvpslld\t$2,%ymm6,%ymm6\n\tleal\t(%rdx,%rax,1),%edx\n\trorxl\t$27,%esi,%r12d\n\trorxl\t$2,%esi,%eax\n\txorl\t%ebp,%esi\n\taddl\t%r12d,%edx\n\txorl\t%ebx,%esi\n\tvpor\t%ymm8,%ymm6,%ymm6\n\taddl\t-128(%r13),%ecx\n\tleal\t(%rcx,%rsi,1),%ecx\n\trorxl\t$27,%edx,%r12d\n\trorxl\t$2,%edx,%esi\n\tvpaddd\t%ymm11,%ymm6,%ymm9\n\txorl\t%eax,%edx\n\taddl\t%r12d,%ecx\n\txorl\t%ebp,%edx\n\taddl\t-124(%r13),%ebx\n\tvmovdqu\t%ymm9,448(%rsp)\n\tleal\t(%rbx,%rdx,1),%ebx\n\trorxl\t$27,%ecx,%r12d\n\trorxl\t$2,%ecx,%edx\n\txorl\t%esi,%ecx\n\taddl\t%r12d,%ebx\n\txorl\t%eax,%ecx\n\taddl\t-120(%r13),%ebp\n\tleal\t(%rcx,%rbp,1),%ebp\n\trorxl\t$27,%ebx,%r12d\n\trorxl\t$2,%ebx,%ecx\n\txorl\t%edx,%ebx\n\taddl\t%r12d,%ebp\n\txorl\t%esi,%ebx\n\tvpalignr\t$8,%ymm5,%ymm6,%ymm8\n\tvpxor\t%ymm3,%ymm7,%ymm7\n\taddl\t-116(%r13),%eax\n\tleal\t(%rax,%rbx,1),%eax\n\tvpxor\t%ymm0,%ymm7,%ymm7\n\tvmovdqu\t32(%r14),%ymm11\n\trorxl\t$27,%ebp,%r12d\n\trorxl\t$2,%ebp,%ebx\n\txorl\t%ecx,%ebp\n\tvpxor\t%ymm8,%ymm7,%ymm7\n\taddl\t%r12d,%eax\n\txorl\t%edx,%ebp\n\taddl\t-96(%r13),%esi\n\tvpsrld\t$30,%ymm7,%ymm8\n\tvpslld\t$2,%ymm7,%ymm7\n\tleal\t(%rsi,%rbp,1),%esi\n\trorxl\t$27,%eax,%r12d\n\trorxl\t$2,%eax,%ebp\n\txorl\t%ebx,%eax\n\taddl\t%r12d,%esi\n\txorl\t%ecx,%eax\n\tvpor\t%ymm8,%ymm7,%ymm7\n\taddl\t-92(%r13),%edx\n\tleal\t(%rdx,%rax,1),%edx\n\trorxl\t$27,%esi,%r12d\n\trorxl\t$2,%esi,%eax\n\tvpaddd\t%ymm11,%ymm7,%ymm9\n\txorl\t%ebp,%esi\n\taddl\t%r12d,%edx\n\txorl\t%ebx,%esi\n\taddl\t-88(%r13),%ecx\n\tvmovdqu\t%ymm9,480(%rsp)\n\tleal\t(%rcx,%rsi,1),%ecx\n\trorxl\t$27,%edx,%r12d\n\trorxl\t$2,%edx,%esi\n\txorl\t%eax,%edx\n\taddl\t%r12d,%ecx\n\txorl\t%ebp,%edx\n\taddl\t-84(%r13),%ebx\n\tmovl\t%esi,%edi\n\txorl\t%eax,%edi\n\tleal\t(%rbx,%rdx,1),%ebx\n\trorxl\t$27,%ecx,%r12d\n\trorxl\t$2,%ecx,%edx\n\txorl\t%esi,%ecx\n\taddl\t%r12d,%ebx\n\tandl\t%edi,%ecx\n\tjmp\t.Lalign32_2\n.align\t32\n.Lalign32_2:\n\tvpalignr\t$8,%ymm6,%ymm7,%ymm8\n\tvpxor\t%ymm4,%ymm0,%ymm0\n\taddl\t-64(%r13),%ebp\n\txorl\t%esi,%ecx\n\tvpxor\t%ymm1,%ymm0,%ymm0\n\tmovl\t%edx,%edi\n\txorl\t%esi,%edi\n\tleal\t(%rcx,%rbp,1),%ebp\n\tvpxor\t%ymm8,%ymm0,%ymm0\n\trorxl\t$27,%ebx,%r12d\n\trorxl\t$2,%ebx,%ecx\n\txorl\t%edx,%ebx\n\tvpsrld\t$30,%ymm0,%ymm8\n\tvpslld\t$2,%ymm0,%ymm0\n\taddl\t%r12d,%ebp\n\tandl\t%edi,%ebx\n\taddl\t-60(%r13),%eax\n\txorl\t%edx,%ebx\n\tmovl\t%ecx,%edi\n\txorl\t%edx,%edi\n\tvpor\t%ymm8,%ymm0,%ymm0\n\tleal\t(%rax,%rbx,1),%eax\n\trorxl\t$27,%ebp,%r12d\n\trorxl\t$2,%ebp,%ebx\n\txorl\t%ecx,%ebp\n\tvpaddd\t%ymm11,%ymm0,%ymm9\n\taddl\t%r12d,%eax\n\tandl\t%edi,%ebp\n\taddl\t-56(%r13),%esi\n\txorl\t%ecx,%ebp\n\tvmovdqu\t%ymm9,512(%rsp)\n\tmovl\t%ebx,%edi\n\txorl\t%ecx,%edi\n\tleal\t(%rsi,%rbp,1),%esi\n\trorxl\t$27,%eax,%r12d\n\trorxl\t$2,%eax,%ebp\n\txorl\t%ebx,%eax\n\taddl\t%r12d,%esi\n\tandl\t%edi,%eax\n\taddl\t-52(%r13),%edx\n\txorl\t%ebx,%eax\n\tmovl\t%ebp,%edi\n\txorl\t%ebx,%edi\n\tleal\t(%rdx,%rax,1),%edx\n\trorxl\t$27,%esi,%r12d\n\trorxl\t$2,%esi,%eax\n\txorl\t%ebp,%esi\n\taddl\t%r12d,%edx\n\tandl\t%edi,%esi\n\taddl\t-32(%r13),%ecx\n\txorl\t%ebp,%esi\n\tmovl\t%eax,%edi\n\txorl\t%ebp,%edi\n\tleal\t(%rcx,%rsi,1),%ecx\n\trorxl\t$27,%edx,%r12d\n\trorxl\t$2,%edx,%esi\n\txorl\t%eax,%edx\n\taddl\t%r12d,%ecx\n\tandl\t%edi,%edx\n\tvpalignr\t$8,%ymm7,%ymm0,%ymm8\n\tvpxor\t%ymm5,%ymm1,%ymm1\n\taddl\t-28(%r13),%ebx\n\txorl\t%eax,%edx\n\tvpxor\t%ymm2,%ymm1,%ymm1\n\tmovl\t%esi,%edi\n\txorl\t%eax,%edi\n\tleal\t(%rbx,%rdx,1),%ebx\n\tvpxor\t%ymm8,%ymm1,%ymm1\n\trorxl\t$27,%ecx,%r12d\n\trorxl\t$2,%ecx,%edx\n\txorl\t%esi,%ecx\n\tvpsrld\t$30,%ymm1,%ymm8\n\tvpslld\t$2,%ymm1,%ymm1\n\taddl\t%r12d,%ebx\n\tandl\t%edi,%ecx\n\taddl\t-24(%r13),%ebp\n\txorl\t%esi,%ecx\n\tmovl\t%edx,%edi\n\txorl\t%esi,%edi\n\tvpor\t%ymm8,%ymm1,%ymm1\n\tleal\t(%rcx,%rbp,1),%ebp\n\trorxl\t$27,%ebx,%r12d\n\trorxl\t$2,%ebx,%ecx\n\txorl\t%edx,%ebx\n\tvpaddd\t%ymm11,%ymm1,%ymm9\n\taddl\t%r12d,%ebp\n\tandl\t%edi,%ebx\n\taddl\t-20(%r13),%eax\n\txorl\t%edx,%ebx\n\tvmovdqu\t%ymm9,544(%rsp)\n\tmovl\t%ecx,%edi\n\txorl\t%edx,%edi\n\tleal\t(%rax,%rbx,1),%eax\n\trorxl\t$27,%ebp,%r12d\n\trorxl\t$2,%ebp,%ebx\n\txorl\t%ecx,%ebp\n\taddl\t%r12d,%eax\n\tandl\t%edi,%ebp\n\taddl\t0(%r13),%esi\n\txorl\t%ecx,%ebp\n\tmovl\t%ebx,%edi\n\txorl\t%ecx,%edi\n\tleal\t(%rsi,%rbp,1),%esi\n\trorxl\t$27,%eax,%r12d\n\trorxl\t$2,%eax,%ebp\n\txorl\t%ebx,%eax\n\taddl\t%r12d,%esi\n\tandl\t%edi,%eax\n\taddl\t4(%r13),%edx\n\txorl\t%ebx,%eax\n\tmovl\t%ebp,%edi\n\txorl\t%ebx,%edi\n\tleal\t(%rdx,%rax,1),%edx\n\trorxl\t$27,%esi,%r12d\n\trorxl\t$2,%esi,%eax\n\txorl\t%ebp,%esi\n\taddl\t%r12d,%edx\n\tandl\t%edi,%esi\n\tvpalignr\t$8,%ymm0,%ymm1,%ymm8\n\tvpxor\t%ymm6,%ymm2,%ymm2\n\taddl\t8(%r13),%ecx\n\txorl\t%ebp,%esi\n\tvpxor\t%ymm3,%ymm2,%ymm2\n\tmovl\t%eax,%edi\n\txorl\t%ebp,%edi\n\tleal\t(%rcx,%rsi,1),%ecx\n\tvpxor\t%ymm8,%ymm2,%ymm2\n\trorxl\t$27,%edx,%r12d\n\trorxl\t$2,%edx,%esi\n\txorl\t%eax,%edx\n\tvpsrld\t$30,%ymm2,%ymm8\n\tvpslld\t$2,%ymm2,%ymm2\n\taddl\t%r12d,%ecx\n\tandl\t%edi,%edx\n\taddl\t12(%r13),%ebx\n\txorl\t%eax,%edx\n\tmovl\t%esi,%edi\n\txorl\t%eax,%edi\n\tvpor\t%ymm8,%ymm2,%ymm2\n\tleal\t(%rbx,%rdx,1),%ebx\n\trorxl\t$27,%ecx,%r12d\n\trorxl\t$2,%ecx,%edx\n\txorl\t%esi,%ecx\n\tvpaddd\t%ymm11,%ymm2,%ymm9\n\taddl\t%r12d,%ebx\n\tandl\t%edi,%ecx\n\taddl\t32(%r13),%ebp\n\txorl\t%esi,%ecx\n\tvmovdqu\t%ymm9,576(%rsp)\n\tmovl\t%edx,%edi\n\txorl\t%esi,%edi\n\tleal\t(%rcx,%rbp,1),%ebp\n\trorxl\t$27,%ebx,%r12d\n\trorxl\t$2,%ebx,%ecx\n\txorl\t%edx,%ebx\n\taddl\t%r12d,%ebp\n\tandl\t%edi,%ebx\n\taddl\t36(%r13),%eax\n\txorl\t%edx,%ebx\n\tmovl\t%ecx,%edi\n\txorl\t%edx,%edi\n\tleal\t(%rax,%rbx,1),%eax\n\trorxl\t$27,%ebp,%r12d\n\trorxl\t$2,%ebp,%ebx\n\txorl\t%ecx,%ebp\n\taddl\t%r12d,%eax\n\tandl\t%edi,%ebp\n\taddl\t40(%r13),%esi\n\txorl\t%ecx,%ebp\n\tmovl\t%ebx,%edi\n\txorl\t%ecx,%edi\n\tleal\t(%rsi,%rbp,1),%esi\n\trorxl\t$27,%eax,%r12d\n\trorxl\t$2,%eax,%ebp\n\txorl\t%ebx,%eax\n\taddl\t%r12d,%esi\n\tandl\t%edi,%eax\n\tvpalignr\t$8,%ymm1,%ymm2,%ymm8\n\tvpxor\t%ymm7,%ymm3,%ymm3\n\taddl\t44(%r13),%edx\n\txorl\t%ebx,%eax\n\tvpxor\t%ymm4,%ymm3,%ymm3\n\tmovl\t%ebp,%edi\n\txorl\t%ebx,%edi\n\tleal\t(%rdx,%rax,1),%edx\n\tvpxor\t%ymm8,%ymm3,%ymm3\n\trorxl\t$27,%esi,%r12d\n\trorxl\t$2,%esi,%eax\n\txorl\t%ebp,%esi\n\tvpsrld\t$30,%ymm3,%ymm8\n\tvpslld\t$2,%ymm3,%ymm3\n\taddl\t%r12d,%edx\n\tandl\t%edi,%esi\n\taddl\t64(%r13),%ecx\n\txorl\t%ebp,%esi\n\tmovl\t%eax,%edi\n\txorl\t%ebp,%edi\n\tvpor\t%ymm8,%ymm3,%ymm3\n\tleal\t(%rcx,%rsi,1),%ecx\n\trorxl\t$27,%edx,%r12d\n\trorxl\t$2,%edx,%esi\n\txorl\t%eax,%edx\n\tvpaddd\t%ymm11,%ymm3,%ymm9\n\taddl\t%r12d,%ecx\n\tandl\t%edi,%edx\n\taddl\t68(%r13),%ebx\n\txorl\t%eax,%edx\n\tvmovdqu\t%ymm9,608(%rsp)\n\tmovl\t%esi,%edi\n\txorl\t%eax,%edi\n\tleal\t(%rbx,%rdx,1),%ebx\n\trorxl\t$27,%ecx,%r12d\n\trorxl\t$2,%ecx,%edx\n\txorl\t%esi,%ecx\n\taddl\t%r12d,%ebx\n\tandl\t%edi,%ecx\n\taddl\t72(%r13),%ebp\n\txorl\t%esi,%ecx\n\tmovl\t%edx,%edi\n\txorl\t%esi,%edi\n\tleal\t(%rcx,%rbp,1),%ebp\n\trorxl\t$27,%ebx,%r12d\n\trorxl\t$2,%ebx,%ecx\n\txorl\t%edx,%ebx\n\taddl\t%r12d,%ebp\n\tandl\t%edi,%ebx\n\taddl\t76(%r13),%eax\n\txorl\t%edx,%ebx\n\tleal\t(%rax,%rbx,1),%eax\n\trorxl\t$27,%ebp,%r12d\n\trorxl\t$2,%ebp,%ebx\n\txorl\t%ecx,%ebp\n\taddl\t%r12d,%eax\n\txorl\t%edx,%ebp\n\taddl\t96(%r13),%esi\n\tleal\t(%rsi,%rbp,1),%esi\n\trorxl\t$27,%eax,%r12d\n\trorxl\t$2,%eax,%ebp\n\txorl\t%ebx,%eax\n\taddl\t%r12d,%esi\n\txorl\t%ecx,%eax\n\taddl\t100(%r13),%edx\n\tleal\t(%rdx,%rax,1),%edx\n\trorxl\t$27,%esi,%r12d\n\trorxl\t$2,%esi,%eax\n\txorl\t%ebp,%esi\n\taddl\t%r12d,%edx\n\txorl\t%ebx,%esi\n\taddl\t104(%r13),%ecx\n\tleal\t(%rcx,%rsi,1),%ecx\n\trorxl\t$27,%edx,%r12d\n\trorxl\t$2,%edx,%esi\n\txorl\t%eax,%edx\n\taddl\t%r12d,%ecx\n\txorl\t%ebp,%edx\n\taddl\t108(%r13),%ebx\n\tleaq\t256(%r13),%r13\n\tleal\t(%rbx,%rdx,1),%ebx\n\trorxl\t$27,%ecx,%r12d\n\trorxl\t$2,%ecx,%edx\n\txorl\t%esi,%ecx\n\taddl\t%r12d,%ebx\n\txorl\t%eax,%ecx\n\taddl\t-128(%r13),%ebp\n\tleal\t(%rcx,%rbp,1),%ebp\n\trorxl\t$27,%ebx,%r12d\n\trorxl\t$2,%ebx,%ecx\n\txorl\t%edx,%ebx\n\taddl\t%r12d,%ebp\n\txorl\t%esi,%ebx\n\taddl\t-124(%r13),%eax\n\tleal\t(%rax,%rbx,1),%eax\n\trorxl\t$27,%ebp,%r12d\n\trorxl\t$2,%ebp,%ebx\n\txorl\t%ecx,%ebp\n\taddl\t%r12d,%eax\n\txorl\t%edx,%ebp\n\taddl\t-120(%r13),%esi\n\tleal\t(%rsi,%rbp,1),%esi\n\trorxl\t$27,%eax,%r12d\n\trorxl\t$2,%eax,%ebp\n\txorl\t%ebx,%eax\n\taddl\t%r12d,%esi\n\txorl\t%ecx,%eax\n\taddl\t-116(%r13),%edx\n\tleal\t(%rdx,%rax,1),%edx\n\trorxl\t$27,%esi,%r12d\n\trorxl\t$2,%esi,%eax\n\txorl\t%ebp,%esi\n\taddl\t%r12d,%edx\n\txorl\t%ebx,%esi\n\taddl\t-96(%r13),%ecx\n\tleal\t(%rcx,%rsi,1),%ecx\n\trorxl\t$27,%edx,%r12d\n\trorxl\t$2,%edx,%esi\n\txorl\t%eax,%edx\n\taddl\t%r12d,%ecx\n\txorl\t%ebp,%edx\n\taddl\t-92(%r13),%ebx\n\tleal\t(%rbx,%rdx,1),%ebx\n\trorxl\t$27,%ecx,%r12d\n\trorxl\t$2,%ecx,%edx\n\txorl\t%esi,%ecx\n\taddl\t%r12d,%ebx\n\txorl\t%eax,%ecx\n\taddl\t-88(%r13),%ebp\n\tleal\t(%rcx,%rbp,1),%ebp\n\trorxl\t$27,%ebx,%r12d\n\trorxl\t$2,%ebx,%ecx\n\txorl\t%edx,%ebx\n\taddl\t%r12d,%ebp\n\txorl\t%esi,%ebx\n\taddl\t-84(%r13),%eax\n\tleal\t(%rax,%rbx,1),%eax\n\trorxl\t$27,%ebp,%r12d\n\trorxl\t$2,%ebp,%ebx\n\txorl\t%ecx,%ebp\n\taddl\t%r12d,%eax\n\txorl\t%edx,%ebp\n\taddl\t-64(%r13),%esi\n\tleal\t(%rsi,%rbp,1),%esi\n\trorxl\t$27,%eax,%r12d\n\trorxl\t$2,%eax,%ebp\n\txorl\t%ebx,%eax\n\taddl\t%r12d,%esi\n\txorl\t%ecx,%eax\n\taddl\t-60(%r13),%edx\n\tleal\t(%rdx,%rax,1),%edx\n\trorxl\t$27,%esi,%r12d\n\trorxl\t$2,%esi,%eax\n\txorl\t%ebp,%esi\n\taddl\t%r12d,%edx\n\txorl\t%ebx,%esi\n\taddl\t-56(%r13),%ecx\n\tleal\t(%rcx,%rsi,1),%ecx\n\trorxl\t$27,%edx,%r12d\n\trorxl\t$2,%edx,%esi\n\txorl\t%eax,%edx\n\taddl\t%r12d,%ecx\n\txorl\t%ebp,%edx\n\taddl\t-52(%r13),%ebx\n\tleal\t(%rbx,%rdx,1),%ebx\n\trorxl\t$27,%ecx,%r12d\n\trorxl\t$2,%ecx,%edx\n\txorl\t%esi,%ecx\n\taddl\t%r12d,%ebx\n\txorl\t%eax,%ecx\n\taddl\t-32(%r13),%ebp\n\tleal\t(%rcx,%rbp,1),%ebp\n\trorxl\t$27,%ebx,%r12d\n\trorxl\t$2,%ebx,%ecx\n\txorl\t%edx,%ebx\n\taddl\t%r12d,%ebp\n\txorl\t%esi,%ebx\n\taddl\t-28(%r13),%eax\n\tleal\t(%rax,%rbx,1),%eax\n\trorxl\t$27,%ebp,%r12d\n\trorxl\t$2,%ebp,%ebx\n\txorl\t%ecx,%ebp\n\taddl\t%r12d,%eax\n\txorl\t%edx,%ebp\n\taddl\t-24(%r13),%esi\n\tleal\t(%rsi,%rbp,1),%esi\n\trorxl\t$27,%eax,%r12d\n\trorxl\t$2,%eax,%ebp\n\txorl\t%ebx,%eax\n\taddl\t%r12d,%esi\n\txorl\t%ecx,%eax\n\taddl\t-20(%r13),%edx\n\tleal\t(%rdx,%rax,1),%edx\n\trorxl\t$27,%esi,%r12d\n\taddl\t%r12d,%edx\n\tleaq\t128(%r9),%r13\n\tleaq\t128(%r9),%rdi\n\tcmpq\t%r10,%r13\n\tcmovaeq\t%r9,%r13\n\n\n\taddl\t0(%r8),%edx\n\taddl\t4(%r8),%esi\n\taddl\t8(%r8),%ebp\n\tmovl\t%edx,0(%r8)\n\taddl\t12(%r8),%ebx\n\tmovl\t%esi,4(%r8)\n\tmovl\t%edx,%eax\n\taddl\t16(%r8),%ecx\n\tmovl\t%ebp,%r12d\n\tmovl\t%ebp,8(%r8)\n\tmovl\t%ebx,%edx\n\n\tmovl\t%ebx,12(%r8)\n\tmovl\t%esi,%ebp\n\tmovl\t%ecx,16(%r8)\n\n\tmovl\t%ecx,%esi\n\tmovl\t%r12d,%ecx\n\n\n\tcmpq\t%r10,%r9\n\tje\t.Ldone_avx2\n\tvmovdqu\t64(%r14),%ymm6\n\tcmpq\t%r10,%rdi\n\tja\t.Last_avx2\n\n\tvmovdqu\t-64(%rdi),%xmm0\n\tvmovdqu\t-48(%rdi),%xmm1\n\tvmovdqu\t-32(%rdi),%xmm2\n\tvmovdqu\t-16(%rdi),%xmm3\n\tvinserti128\t$1,0(%r13),%ymm0,%ymm0\n\tvinserti128\t$1,16(%r13),%ymm1,%ymm1\n\tvinserti128\t$1,32(%r13),%ymm2,%ymm2\n\tvinserti128\t$1,48(%r13),%ymm3,%ymm3\n\tjmp\t.Last_avx2\n\n.align\t32\n.Last_avx2:\n\tleaq\t128+16(%rsp),%r13\n\trorxl\t$2,%ebp,%ebx\n\tandnl\t%edx,%ebp,%edi\n\tandl\t%ecx,%ebp\n\txorl\t%edi,%ebp\n\tsubq\t$-128,%r9\n\taddl\t-128(%r13),%esi\n\tandnl\t%ecx,%eax,%edi\n\taddl\t%ebp,%esi\n\trorxl\t$27,%eax,%r12d\n\trorxl\t$2,%eax,%ebp\n\tandl\t%ebx,%eax\n\taddl\t%r12d,%esi\n\txorl\t%edi,%eax\n\taddl\t-124(%r13),%edx\n\tandnl\t%ebx,%esi,%edi\n\taddl\t%eax,%edx\n\trorxl\t$27,%esi,%r12d\n\trorxl\t$2,%esi,%eax\n\tandl\t%ebp,%esi\n\taddl\t%r12d,%edx\n\txorl\t%edi,%esi\n\taddl\t-120(%r13),%ecx\n\tandnl\t%ebp,%edx,%edi\n\taddl\t%esi,%ecx\n\trorxl\t$27,%edx,%r12d\n\trorxl\t$2,%edx,%esi\n\tandl\t%eax,%edx\n\taddl\t%r12d,%ecx\n\txorl\t%edi,%edx\n\taddl\t-116(%r13),%ebx\n\tandnl\t%eax,%ecx,%edi\n\taddl\t%edx,%ebx\n\trorxl\t$27,%ecx,%r12d\n\trorxl\t$2,%ecx,%edx\n\tandl\t%esi,%ecx\n\taddl\t%r12d,%ebx\n\txorl\t%edi,%ecx\n\taddl\t-96(%r13),%ebp\n\tandnl\t%esi,%ebx,%edi\n\taddl\t%ecx,%ebp\n\trorxl\t$27,%ebx,%r12d\n\trorxl\t$2,%ebx,%ecx\n\tandl\t%edx,%ebx\n\taddl\t%r12d,%ebp\n\txorl\t%edi,%ebx\n\taddl\t-92(%r13),%eax\n\tandnl\t%edx,%ebp,%edi\n\taddl\t%ebx,%eax\n\trorxl\t$27,%ebp,%r12d\n\trorxl\t$2,%ebp,%ebx\n\tandl\t%ecx,%ebp\n\taddl\t%r12d,%eax\n\txorl\t%edi,%ebp\n\taddl\t-88(%r13),%esi\n\tandnl\t%ecx,%eax,%edi\n\taddl\t%ebp,%esi\n\trorxl\t$27,%eax,%r12d\n\trorxl\t$2,%eax,%ebp\n\tandl\t%ebx,%eax\n\taddl\t%r12d,%esi\n\txorl\t%edi,%eax\n\taddl\t-84(%r13),%edx\n\tandnl\t%ebx,%esi,%edi\n\taddl\t%eax,%edx\n\trorxl\t$27,%esi,%r12d\n\trorxl\t$2,%esi,%eax\n\tandl\t%ebp,%esi\n\taddl\t%r12d,%edx\n\txorl\t%edi,%esi\n\taddl\t-64(%r13),%ecx\n\tandnl\t%ebp,%edx,%edi\n\taddl\t%esi,%ecx\n\trorxl\t$27,%edx,%r12d\n\trorxl\t$2,%edx,%esi\n\tandl\t%eax,%edx\n\taddl\t%r12d,%ecx\n\txorl\t%edi,%edx\n\taddl\t-60(%r13),%ebx\n\tandnl\t%eax,%ecx,%edi\n\taddl\t%edx,%ebx\n\trorxl\t$27,%ecx,%r12d\n\trorxl\t$2,%ecx,%edx\n\tandl\t%esi,%ecx\n\taddl\t%r12d,%ebx\n\txorl\t%edi,%ecx\n\taddl\t-56(%r13),%ebp\n\tandnl\t%esi,%ebx,%edi\n\taddl\t%ecx,%ebp\n\trorxl\t$27,%ebx,%r12d\n\trorxl\t$2,%ebx,%ecx\n\tandl\t%edx,%ebx\n\taddl\t%r12d,%ebp\n\txorl\t%edi,%ebx\n\taddl\t-52(%r13),%eax\n\tandnl\t%edx,%ebp,%edi\n\taddl\t%ebx,%eax\n\trorxl\t$27,%ebp,%r12d\n\trorxl\t$2,%ebp,%ebx\n\tandl\t%ecx,%ebp\n\taddl\t%r12d,%eax\n\txorl\t%edi,%ebp\n\taddl\t-32(%r13),%esi\n\tandnl\t%ecx,%eax,%edi\n\taddl\t%ebp,%esi\n\trorxl\t$27,%eax,%r12d\n\trorxl\t$2,%eax,%ebp\n\tandl\t%ebx,%eax\n\taddl\t%r12d,%esi\n\txorl\t%edi,%eax\n\taddl\t-28(%r13),%edx\n\tandnl\t%ebx,%esi,%edi\n\taddl\t%eax,%edx\n\trorxl\t$27,%esi,%r12d\n\trorxl\t$2,%esi,%eax\n\tandl\t%ebp,%esi\n\taddl\t%r12d,%edx\n\txorl\t%edi,%esi\n\taddl\t-24(%r13),%ecx\n\tandnl\t%ebp,%edx,%edi\n\taddl\t%esi,%ecx\n\trorxl\t$27,%edx,%r12d\n\trorxl\t$2,%edx,%esi\n\tandl\t%eax,%edx\n\taddl\t%r12d,%ecx\n\txorl\t%edi,%edx\n\taddl\t-20(%r13),%ebx\n\tandnl\t%eax,%ecx,%edi\n\taddl\t%edx,%ebx\n\trorxl\t$27,%ecx,%r12d\n\trorxl\t$2,%ecx,%edx\n\tandl\t%esi,%ecx\n\taddl\t%r12d,%ebx\n\txorl\t%edi,%ecx\n\taddl\t0(%r13),%ebp\n\tandnl\t%esi,%ebx,%edi\n\taddl\t%ecx,%ebp\n\trorxl\t$27,%ebx,%r12d\n\trorxl\t$2,%ebx,%ecx\n\tandl\t%edx,%ebx\n\taddl\t%r12d,%ebp\n\txorl\t%edi,%ebx\n\taddl\t4(%r13),%eax\n\tandnl\t%edx,%ebp,%edi\n\taddl\t%ebx,%eax\n\trorxl\t$27,%ebp,%r12d\n\trorxl\t$2,%ebp,%ebx\n\tandl\t%ecx,%ebp\n\taddl\t%r12d,%eax\n\txorl\t%edi,%ebp\n\taddl\t8(%r13),%esi\n\tandnl\t%ecx,%eax,%edi\n\taddl\t%ebp,%esi\n\trorxl\t$27,%eax,%r12d\n\trorxl\t$2,%eax,%ebp\n\tandl\t%ebx,%eax\n\taddl\t%r12d,%esi\n\txorl\t%edi,%eax\n\taddl\t12(%r13),%edx\n\tleal\t(%rdx,%rax,1),%edx\n\trorxl\t$27,%esi,%r12d\n\trorxl\t$2,%esi,%eax\n\txorl\t%ebp,%esi\n\taddl\t%r12d,%edx\n\txorl\t%ebx,%esi\n\taddl\t32(%r13),%ecx\n\tleal\t(%rcx,%rsi,1),%ecx\n\trorxl\t$27,%edx,%r12d\n\trorxl\t$2,%edx,%esi\n\txorl\t%eax,%edx\n\taddl\t%r12d,%ecx\n\txorl\t%ebp,%edx\n\taddl\t36(%r13),%ebx\n\tleal\t(%rbx,%rdx,1),%ebx\n\trorxl\t$27,%ecx,%r12d\n\trorxl\t$2,%ecx,%edx\n\txorl\t%esi,%ecx\n\taddl\t%r12d,%ebx\n\txorl\t%eax,%ecx\n\taddl\t40(%r13),%ebp\n\tleal\t(%rcx,%rbp,1),%ebp\n\trorxl\t$27,%ebx,%r12d\n\trorxl\t$2,%ebx,%ecx\n\txorl\t%edx,%ebx\n\taddl\t%r12d,%ebp\n\txorl\t%esi,%ebx\n\taddl\t44(%r13),%eax\n\tleal\t(%rax,%rbx,1),%eax\n\trorxl\t$27,%ebp,%r12d\n\trorxl\t$2,%ebp,%ebx\n\txorl\t%ecx,%ebp\n\taddl\t%r12d,%eax\n\txorl\t%edx,%ebp\n\taddl\t64(%r13),%esi\n\tleal\t(%rsi,%rbp,1),%esi\n\trorxl\t$27,%eax,%r12d\n\trorxl\t$2,%eax,%ebp\n\txorl\t%ebx,%eax\n\taddl\t%r12d,%esi\n\txorl\t%ecx,%eax\n\tvmovdqu\t-64(%r14),%ymm11\n\tvpshufb\t%ymm6,%ymm0,%ymm0\n\taddl\t68(%r13),%edx\n\tleal\t(%rdx,%rax,1),%edx\n\trorxl\t$27,%esi,%r12d\n\trorxl\t$2,%esi,%eax\n\txorl\t%ebp,%esi\n\taddl\t%r12d,%edx\n\txorl\t%ebx,%esi\n\taddl\t72(%r13),%ecx\n\tleal\t(%rcx,%rsi,1),%ecx\n\trorxl\t$27,%edx,%r12d\n\trorxl\t$2,%edx,%esi\n\txorl\t%eax,%edx\n\taddl\t%r12d,%ecx\n\txorl\t%ebp,%edx\n\taddl\t76(%r13),%ebx\n\tleal\t(%rbx,%rdx,1),%ebx\n\trorxl\t$27,%ecx,%r12d\n\trorxl\t$2,%ecx,%edx\n\txorl\t%esi,%ecx\n\taddl\t%r12d,%ebx\n\txorl\t%eax,%ecx\n\taddl\t96(%r13),%ebp\n\tleal\t(%rcx,%rbp,1),%ebp\n\trorxl\t$27,%ebx,%r12d\n\trorxl\t$2,%ebx,%ecx\n\txorl\t%edx,%ebx\n\taddl\t%r12d,%ebp\n\txorl\t%esi,%ebx\n\taddl\t100(%r13),%eax\n\tleal\t(%rax,%rbx,1),%eax\n\trorxl\t$27,%ebp,%r12d\n\trorxl\t$2,%ebp,%ebx\n\txorl\t%ecx,%ebp\n\taddl\t%r12d,%eax\n\txorl\t%edx,%ebp\n\tvpshufb\t%ymm6,%ymm1,%ymm1\n\tvpaddd\t%ymm11,%ymm0,%ymm8\n\taddl\t104(%r13),%esi\n\tleal\t(%rsi,%rbp,1),%esi\n\trorxl\t$27,%eax,%r12d\n\trorxl\t$2,%eax,%ebp\n\txorl\t%ebx,%eax\n\taddl\t%r12d,%esi\n\txorl\t%ecx,%eax\n\taddl\t108(%r13),%edx\n\tleaq\t256(%r13),%r13\n\tleal\t(%rdx,%rax,1),%edx\n\trorxl\t$27,%esi,%r12d\n\trorxl\t$2,%esi,%eax\n\txorl\t%ebp,%esi\n\taddl\t%r12d,%edx\n\txorl\t%ebx,%esi\n\taddl\t-128(%r13),%ecx\n\tleal\t(%rcx,%rsi,1),%ecx\n\trorxl\t$27,%edx,%r12d\n\trorxl\t$2,%edx,%esi\n\txorl\t%eax,%edx\n\taddl\t%r12d,%ecx\n\txorl\t%ebp,%edx\n\taddl\t-124(%r13),%ebx\n\tleal\t(%rbx,%rdx,1),%ebx\n\trorxl\t$27,%ecx,%r12d\n\trorxl\t$2,%ecx,%edx\n\txorl\t%esi,%ecx\n\taddl\t%r12d,%ebx\n\txorl\t%eax,%ecx\n\taddl\t-120(%r13),%ebp\n\tleal\t(%rcx,%rbp,1),%ebp\n\trorxl\t$27,%ebx,%r12d\n\trorxl\t$2,%ebx,%ecx\n\txorl\t%edx,%ebx\n\taddl\t%r12d,%ebp\n\txorl\t%esi,%ebx\n\tvmovdqu\t%ymm8,0(%rsp)\n\tvpshufb\t%ymm6,%ymm2,%ymm2\n\tvpaddd\t%ymm11,%ymm1,%ymm9\n\taddl\t-116(%r13),%eax\n\tleal\t(%rax,%rbx,1),%eax\n\trorxl\t$27,%ebp,%r12d\n\trorxl\t$2,%ebp,%ebx\n\txorl\t%ecx,%ebp\n\taddl\t%r12d,%eax\n\txorl\t%edx,%ebp\n\taddl\t-96(%r13),%esi\n\tleal\t(%rsi,%rbp,1),%esi\n\trorxl\t$27,%eax,%r12d\n\trorxl\t$2,%eax,%ebp\n\txorl\t%ebx,%eax\n\taddl\t%r12d,%esi\n\txorl\t%ecx,%eax\n\taddl\t-92(%r13),%edx\n\tleal\t(%rdx,%rax,1),%edx\n\trorxl\t$27,%esi,%r12d\n\trorxl\t$2,%esi,%eax\n\txorl\t%ebp,%esi\n\taddl\t%r12d,%edx\n\txorl\t%ebx,%esi\n\taddl\t-88(%r13),%ecx\n\tleal\t(%rcx,%rsi,1),%ecx\n\trorxl\t$27,%edx,%r12d\n\trorxl\t$2,%edx,%esi\n\txorl\t%eax,%edx\n\taddl\t%r12d,%ecx\n\txorl\t%ebp,%edx\n\taddl\t-84(%r13),%ebx\n\tmovl\t%esi,%edi\n\txorl\t%eax,%edi\n\tleal\t(%rbx,%rdx,1),%ebx\n\trorxl\t$27,%ecx,%r12d\n\trorxl\t$2,%ecx,%edx\n\txorl\t%esi,%ecx\n\taddl\t%r12d,%ebx\n\tandl\t%edi,%ecx\n\tvmovdqu\t%ymm9,32(%rsp)\n\tvpshufb\t%ymm6,%ymm3,%ymm3\n\tvpaddd\t%ymm11,%ymm2,%ymm6\n\taddl\t-64(%r13),%ebp\n\txorl\t%esi,%ecx\n\tmovl\t%edx,%edi\n\txorl\t%esi,%edi\n\tleal\t(%rcx,%rbp,1),%ebp\n\trorxl\t$27,%ebx,%r12d\n\trorxl\t$2,%ebx,%ecx\n\txorl\t%edx,%ebx\n\taddl\t%r12d,%ebp\n\tandl\t%edi,%ebx\n\taddl\t-60(%r13),%eax\n\txorl\t%edx,%ebx\n\tmovl\t%ecx,%edi\n\txorl\t%edx,%edi\n\tleal\t(%rax,%rbx,1),%eax\n\trorxl\t$27,%ebp,%r12d\n\trorxl\t$2,%ebp,%ebx\n\txorl\t%ecx,%ebp\n\taddl\t%r12d,%eax\n\tandl\t%edi,%ebp\n\taddl\t-56(%r13),%esi\n\txorl\t%ecx,%ebp\n\tmovl\t%ebx,%edi\n\txorl\t%ecx,%edi\n\tleal\t(%rsi,%rbp,1),%esi\n\trorxl\t$27,%eax,%r12d\n\trorxl\t$2,%eax,%ebp\n\txorl\t%ebx,%eax\n\taddl\t%r12d,%esi\n\tandl\t%edi,%eax\n\taddl\t-52(%r13),%edx\n\txorl\t%ebx,%eax\n\tmovl\t%ebp,%edi\n\txorl\t%ebx,%edi\n\tleal\t(%rdx,%rax,1),%edx\n\trorxl\t$27,%esi,%r12d\n\trorxl\t$2,%esi,%eax\n\txorl\t%ebp,%esi\n\taddl\t%r12d,%edx\n\tandl\t%edi,%esi\n\taddl\t-32(%r13),%ecx\n\txorl\t%ebp,%esi\n\tmovl\t%eax,%edi\n\txorl\t%ebp,%edi\n\tleal\t(%rcx,%rsi,1),%ecx\n\trorxl\t$27,%edx,%r12d\n\trorxl\t$2,%edx,%esi\n\txorl\t%eax,%edx\n\taddl\t%r12d,%ecx\n\tandl\t%edi,%edx\n\tjmp\t.Lalign32_3\n.align\t32\n.Lalign32_3:\n\tvmovdqu\t%ymm6,64(%rsp)\n\tvpaddd\t%ymm11,%ymm3,%ymm7\n\taddl\t-28(%r13),%ebx\n\txorl\t%eax,%edx\n\tmovl\t%esi,%edi\n\txorl\t%eax,%edi\n\tleal\t(%rbx,%rdx,1),%ebx\n\trorxl\t$27,%ecx,%r12d\n\trorxl\t$2,%ecx,%edx\n\txorl\t%esi,%ecx\n\taddl\t%r12d,%ebx\n\tandl\t%edi,%ecx\n\taddl\t-24(%r13),%ebp\n\txorl\t%esi,%ecx\n\tmovl\t%edx,%edi\n\txorl\t%esi,%edi\n\tleal\t(%rcx,%rbp,1),%ebp\n\trorxl\t$27,%ebx,%r12d\n\trorxl\t$2,%ebx,%ecx\n\txorl\t%edx,%ebx\n\taddl\t%r12d,%ebp\n\tandl\t%edi,%ebx\n\taddl\t-20(%r13),%eax\n\txorl\t%edx,%ebx\n\tmovl\t%ecx,%edi\n\txorl\t%edx,%edi\n\tleal\t(%rax,%rbx,1),%eax\n\trorxl\t$27,%ebp,%r12d\n\trorxl\t$2,%ebp,%ebx\n\txorl\t%ecx,%ebp\n\taddl\t%r12d,%eax\n\tandl\t%edi,%ebp\n\taddl\t0(%r13),%esi\n\txorl\t%ecx,%ebp\n\tmovl\t%ebx,%edi\n\txorl\t%ecx,%edi\n\tleal\t(%rsi,%rbp,1),%esi\n\trorxl\t$27,%eax,%r12d\n\trorxl\t$2,%eax,%ebp\n\txorl\t%ebx,%eax\n\taddl\t%r12d,%esi\n\tandl\t%edi,%eax\n\taddl\t4(%r13),%edx\n\txorl\t%ebx,%eax\n\tmovl\t%ebp,%edi\n\txorl\t%ebx,%edi\n\tleal\t(%rdx,%rax,1),%edx\n\trorxl\t$27,%esi,%r12d\n\trorxl\t$2,%esi,%eax\n\txorl\t%ebp,%esi\n\taddl\t%r12d,%edx\n\tandl\t%edi,%esi\n\tvmovdqu\t%ymm7,96(%rsp)\n\taddl\t8(%r13),%ecx\n\txorl\t%ebp,%esi\n\tmovl\t%eax,%edi\n\txorl\t%ebp,%edi\n\tleal\t(%rcx,%rsi,1),%ecx\n\trorxl\t$27,%edx,%r12d\n\trorxl\t$2,%edx,%esi\n\txorl\t%eax,%edx\n\taddl\t%r12d,%ecx\n\tandl\t%edi,%edx\n\taddl\t12(%r13),%ebx\n\txorl\t%eax,%edx\n\tmovl\t%esi,%edi\n\txorl\t%eax,%edi\n\tleal\t(%rbx,%rdx,1),%ebx\n\trorxl\t$27,%ecx,%r12d\n\trorxl\t$2,%ecx,%edx\n\txorl\t%esi,%ecx\n\taddl\t%r12d,%ebx\n\tandl\t%edi,%ecx\n\taddl\t32(%r13),%ebp\n\txorl\t%esi,%ecx\n\tmovl\t%edx,%edi\n\txorl\t%esi,%edi\n\tleal\t(%rcx,%rbp,1),%ebp\n\trorxl\t$27,%ebx,%r12d\n\trorxl\t$2,%ebx,%ecx\n\txorl\t%edx,%ebx\n\taddl\t%r12d,%ebp\n\tandl\t%edi,%ebx\n\taddl\t36(%r13),%eax\n\txorl\t%edx,%ebx\n\tmovl\t%ecx,%edi\n\txorl\t%edx,%edi\n\tleal\t(%rax,%rbx,1),%eax\n\trorxl\t$27,%ebp,%r12d\n\trorxl\t$2,%ebp,%ebx\n\txorl\t%ecx,%ebp\n\taddl\t%r12d,%eax\n\tandl\t%edi,%ebp\n\taddl\t40(%r13),%esi\n\txorl\t%ecx,%ebp\n\tmovl\t%ebx,%edi\n\txorl\t%ecx,%edi\n\tleal\t(%rsi,%rbp,1),%esi\n\trorxl\t$27,%eax,%r12d\n\trorxl\t$2,%eax,%ebp\n\txorl\t%ebx,%eax\n\taddl\t%r12d,%esi\n\tandl\t%edi,%eax\n\tvpalignr\t$8,%ymm0,%ymm1,%ymm4\n\taddl\t44(%r13),%edx\n\txorl\t%ebx,%eax\n\tmovl\t%ebp,%edi\n\txorl\t%ebx,%edi\n\tvpsrldq\t$4,%ymm3,%ymm8\n\tleal\t(%rdx,%rax,1),%edx\n\trorxl\t$27,%esi,%r12d\n\trorxl\t$2,%esi,%eax\n\tvpxor\t%ymm0,%ymm4,%ymm4\n\tvpxor\t%ymm2,%ymm8,%ymm8\n\txorl\t%ebp,%esi\n\taddl\t%r12d,%edx\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tandl\t%edi,%esi\n\taddl\t64(%r13),%ecx\n\txorl\t%ebp,%esi\n\tmovl\t%eax,%edi\n\tvpsrld\t$31,%ymm4,%ymm8\n\txorl\t%ebp,%edi\n\tleal\t(%rcx,%rsi,1),%ecx\n\trorxl\t$27,%edx,%r12d\n\tvpslldq\t$12,%ymm4,%ymm10\n\tvpaddd\t%ymm4,%ymm4,%ymm4\n\trorxl\t$2,%edx,%esi\n\txorl\t%eax,%edx\n\tvpsrld\t$30,%ymm10,%ymm9\n\tvpor\t%ymm8,%ymm4,%ymm4\n\taddl\t%r12d,%ecx\n\tandl\t%edi,%edx\n\tvpslld\t$2,%ymm10,%ymm10\n\tvpxor\t%ymm9,%ymm4,%ymm4\n\taddl\t68(%r13),%ebx\n\txorl\t%eax,%edx\n\tvpxor\t%ymm10,%ymm4,%ymm4\n\tmovl\t%esi,%edi\n\txorl\t%eax,%edi\n\tleal\t(%rbx,%rdx,1),%ebx\n\tvpaddd\t%ymm11,%ymm4,%ymm9\n\trorxl\t$27,%ecx,%r12d\n\trorxl\t$2,%ecx,%edx\n\txorl\t%esi,%ecx\n\tvmovdqu\t%ymm9,128(%rsp)\n\taddl\t%r12d,%ebx\n\tandl\t%edi,%ecx\n\taddl\t72(%r13),%ebp\n\txorl\t%esi,%ecx\n\tmovl\t%edx,%edi\n\txorl\t%esi,%edi\n\tleal\t(%rcx,%rbp,1),%ebp\n\trorxl\t$27,%ebx,%r12d\n\trorxl\t$2,%ebx,%ecx\n\txorl\t%edx,%ebx\n\taddl\t%r12d,%ebp\n\tandl\t%edi,%ebx\n\taddl\t76(%r13),%eax\n\txorl\t%edx,%ebx\n\tleal\t(%rax,%rbx,1),%eax\n\trorxl\t$27,%ebp,%r12d\n\trorxl\t$2,%ebp,%ebx\n\txorl\t%ecx,%ebp\n\taddl\t%r12d,%eax\n\txorl\t%edx,%ebp\n\tvpalignr\t$8,%ymm1,%ymm2,%ymm5\n\taddl\t96(%r13),%esi\n\tleal\t(%rsi,%rbp,1),%esi\n\trorxl\t$27,%eax,%r12d\n\trorxl\t$2,%eax,%ebp\n\tvpsrldq\t$4,%ymm4,%ymm8\n\txorl\t%ebx,%eax\n\taddl\t%r12d,%esi\n\txorl\t%ecx,%eax\n\tvpxor\t%ymm1,%ymm5,%ymm5\n\tvpxor\t%ymm3,%ymm8,%ymm8\n\taddl\t100(%r13),%edx\n\tleal\t(%rdx,%rax,1),%edx\n\tvpxor\t%ymm8,%ymm5,%ymm5\n\trorxl\t$27,%esi,%r12d\n\trorxl\t$2,%esi,%eax\n\txorl\t%ebp,%esi\n\taddl\t%r12d,%edx\n\tvpsrld\t$31,%ymm5,%ymm8\n\tvmovdqu\t-32(%r14),%ymm11\n\txorl\t%ebx,%esi\n\taddl\t104(%r13),%ecx\n\tleal\t(%rcx,%rsi,1),%ecx\n\tvpslldq\t$12,%ymm5,%ymm10\n\tvpaddd\t%ymm5,%ymm5,%ymm5\n\trorxl\t$27,%edx,%r12d\n\trorxl\t$2,%edx,%esi\n\tvpsrld\t$30,%ymm10,%ymm9\n\tvpor\t%ymm8,%ymm5,%ymm5\n\txorl\t%eax,%edx\n\taddl\t%r12d,%ecx\n\tvpslld\t$2,%ymm10,%ymm10\n\tvpxor\t%ymm9,%ymm5,%ymm5\n\txorl\t%ebp,%edx\n\taddl\t108(%r13),%ebx\n\tleaq\t256(%r13),%r13\n\tvpxor\t%ymm10,%ymm5,%ymm5\n\tleal\t(%rbx,%rdx,1),%ebx\n\trorxl\t$27,%ecx,%r12d\n\trorxl\t$2,%ecx,%edx\n\tvpaddd\t%ymm11,%ymm5,%ymm9\n\txorl\t%esi,%ecx\n\taddl\t%r12d,%ebx\n\txorl\t%eax,%ecx\n\tvmovdqu\t%ymm9,160(%rsp)\n\taddl\t-128(%r13),%ebp\n\tleal\t(%rcx,%rbp,1),%ebp\n\trorxl\t$27,%ebx,%r12d\n\trorxl\t$2,%ebx,%ecx\n\txorl\t%edx,%ebx\n\taddl\t%r12d,%ebp\n\txorl\t%esi,%ebx\n\tvpalignr\t$8,%ymm2,%ymm3,%ymm6\n\taddl\t-124(%r13),%eax\n\tleal\t(%rax,%rbx,1),%eax\n\trorxl\t$27,%ebp,%r12d\n\trorxl\t$2,%ebp,%ebx\n\tvpsrldq\t$4,%ymm5,%ymm8\n\txorl\t%ecx,%ebp\n\taddl\t%r12d,%eax\n\txorl\t%edx,%ebp\n\tvpxor\t%ymm2,%ymm6,%ymm6\n\tvpxor\t%ymm4,%ymm8,%ymm8\n\taddl\t-120(%r13),%esi\n\tleal\t(%rsi,%rbp,1),%esi\n\tvpxor\t%ymm8,%ymm6,%ymm6\n\trorxl\t$27,%eax,%r12d\n\trorxl\t$2,%eax,%ebp\n\txorl\t%ebx,%eax\n\taddl\t%r12d,%esi\n\tvpsrld\t$31,%ymm6,%ymm8\n\txorl\t%ecx,%eax\n\taddl\t-116(%r13),%edx\n\tleal\t(%rdx,%rax,1),%edx\n\tvpslldq\t$12,%ymm6,%ymm10\n\tvpaddd\t%ymm6,%ymm6,%ymm6\n\trorxl\t$27,%esi,%r12d\n\trorxl\t$2,%esi,%eax\n\tvpsrld\t$30,%ymm10,%ymm9\n\tvpor\t%ymm8,%ymm6,%ymm6\n\txorl\t%ebp,%esi\n\taddl\t%r12d,%edx\n\tvpslld\t$2,%ymm10,%ymm10\n\tvpxor\t%ymm9,%ymm6,%ymm6\n\txorl\t%ebx,%esi\n\taddl\t-96(%r13),%ecx\n\tvpxor\t%ymm10,%ymm6,%ymm6\n\tleal\t(%rcx,%rsi,1),%ecx\n\trorxl\t$27,%edx,%r12d\n\trorxl\t$2,%edx,%esi\n\tvpaddd\t%ymm11,%ymm6,%ymm9\n\txorl\t%eax,%edx\n\taddl\t%r12d,%ecx\n\txorl\t%ebp,%edx\n\tvmovdqu\t%ymm9,192(%rsp)\n\taddl\t-92(%r13),%ebx\n\tleal\t(%rbx,%rdx,1),%ebx\n\trorxl\t$27,%ecx,%r12d\n\trorxl\t$2,%ecx,%edx\n\txorl\t%esi,%ecx\n\taddl\t%r12d,%ebx\n\txorl\t%eax,%ecx\n\tvpalignr\t$8,%ymm3,%ymm4,%ymm7\n\taddl\t-88(%r13),%ebp\n\tleal\t(%rcx,%rbp,1),%ebp\n\trorxl\t$27,%ebx,%r12d\n\trorxl\t$2,%ebx,%ecx\n\tvpsrldq\t$4,%ymm6,%ymm8\n\txorl\t%edx,%ebx\n\taddl\t%r12d,%ebp\n\txorl\t%esi,%ebx\n\tvpxor\t%ymm3,%ymm7,%ymm7\n\tvpxor\t%ymm5,%ymm8,%ymm8\n\taddl\t-84(%r13),%eax\n\tleal\t(%rax,%rbx,1),%eax\n\tvpxor\t%ymm8,%ymm7,%ymm7\n\trorxl\t$27,%ebp,%r12d\n\trorxl\t$2,%ebp,%ebx\n\txorl\t%ecx,%ebp\n\taddl\t%r12d,%eax\n\tvpsrld\t$31,%ymm7,%ymm8\n\txorl\t%edx,%ebp\n\taddl\t-64(%r13),%esi\n\tleal\t(%rsi,%rbp,1),%esi\n\tvpslldq\t$12,%ymm7,%ymm10\n\tvpaddd\t%ymm7,%ymm7,%ymm7\n\trorxl\t$27,%eax,%r12d\n\trorxl\t$2,%eax,%ebp\n\tvpsrld\t$30,%ymm10,%ymm9\n\tvpor\t%ymm8,%ymm7,%ymm7\n\txorl\t%ebx,%eax\n\taddl\t%r12d,%esi\n\tvpslld\t$2,%ymm10,%ymm10\n\tvpxor\t%ymm9,%ymm7,%ymm7\n\txorl\t%ecx,%eax\n\taddl\t-60(%r13),%edx\n\tvpxor\t%ymm10,%ymm7,%ymm7\n\tleal\t(%rdx,%rax,1),%edx\n\trorxl\t$27,%esi,%r12d\n\trorxl\t$2,%esi,%eax\n\tvpaddd\t%ymm11,%ymm7,%ymm9\n\txorl\t%ebp,%esi\n\taddl\t%r12d,%edx\n\txorl\t%ebx,%esi\n\tvmovdqu\t%ymm9,224(%rsp)\n\taddl\t-56(%r13),%ecx\n\tleal\t(%rcx,%rsi,1),%ecx\n\trorxl\t$27,%edx,%r12d\n\trorxl\t$2,%edx,%esi\n\txorl\t%eax,%edx\n\taddl\t%r12d,%ecx\n\txorl\t%ebp,%edx\n\taddl\t-52(%r13),%ebx\n\tleal\t(%rbx,%rdx,1),%ebx\n\trorxl\t$27,%ecx,%r12d\n\trorxl\t$2,%ecx,%edx\n\txorl\t%esi,%ecx\n\taddl\t%r12d,%ebx\n\txorl\t%eax,%ecx\n\taddl\t-32(%r13),%ebp\n\tleal\t(%rcx,%rbp,1),%ebp\n\trorxl\t$27,%ebx,%r12d\n\trorxl\t$2,%ebx,%ecx\n\txorl\t%edx,%ebx\n\taddl\t%r12d,%ebp\n\txorl\t%esi,%ebx\n\taddl\t-28(%r13),%eax\n\tleal\t(%rax,%rbx,1),%eax\n\trorxl\t$27,%ebp,%r12d\n\trorxl\t$2,%ebp,%ebx\n\txorl\t%ecx,%ebp\n\taddl\t%r12d,%eax\n\txorl\t%edx,%ebp\n\taddl\t-24(%r13),%esi\n\tleal\t(%rsi,%rbp,1),%esi\n\trorxl\t$27,%eax,%r12d\n\trorxl\t$2,%eax,%ebp\n\txorl\t%ebx,%eax\n\taddl\t%r12d,%esi\n\txorl\t%ecx,%eax\n\taddl\t-20(%r13),%edx\n\tleal\t(%rdx,%rax,1),%edx\n\trorxl\t$27,%esi,%r12d\n\taddl\t%r12d,%edx\n\tleaq\t128(%rsp),%r13\n\n\n\taddl\t0(%r8),%edx\n\taddl\t4(%r8),%esi\n\taddl\t8(%r8),%ebp\n\tmovl\t%edx,0(%r8)\n\taddl\t12(%r8),%ebx\n\tmovl\t%esi,4(%r8)\n\tmovl\t%edx,%eax\n\taddl\t16(%r8),%ecx\n\tmovl\t%ebp,%r12d\n\tmovl\t%ebp,8(%r8)\n\tmovl\t%ebx,%edx\n\n\tmovl\t%ebx,12(%r8)\n\tmovl\t%esi,%ebp\n\tmovl\t%ecx,16(%r8)\n\n\tmovl\t%ecx,%esi\n\tmovl\t%r12d,%ecx\n\n\n\tcmpq\t%r10,%r9\n\tjbe\t.Loop_avx2\n\n.Ldone_avx2:\n\tvzeroupper\n\tmovq\t-40(%r11),%r14\n.cfi_restore\t%r14\n\tmovq\t-32(%r11),%r13\n.cfi_restore\t%r13\n\tmovq\t-24(%r11),%r12\n.cfi_restore\t%r12\n\tmovq\t-16(%r11),%rbp\n.cfi_restore\t%rbp\n\tmovq\t-8(%r11),%rbx\n.cfi_restore\t%rbx\n\tleaq\t(%r11),%rsp\n.cfi_def_cfa_register\t%rsp\n.Lepilogue_avx2:\n\tret\n.cfi_endproc\t\n.size\tsha1_block_data_order_avx2,.-sha1_block_data_order_avx2\n.section\t.rodata\n.align\t64\nK_XX_XX:\n.long\t0x5a827999,0x5a827999,0x5a827999,0x5a827999\n.long\t0x5a827999,0x5a827999,0x5a827999,0x5a827999\n.long\t0x6ed9eba1,0x6ed9eba1,0x6ed9eba1,0x6ed9eba1\n.long\t0x6ed9eba1,0x6ed9eba1,0x6ed9eba1,0x6ed9eba1\n.long\t0x8f1bbcdc,0x8f1bbcdc,0x8f1bbcdc,0x8f1bbcdc\n.long\t0x8f1bbcdc,0x8f1bbcdc,0x8f1bbcdc,0x8f1bbcdc\n.long\t0xca62c1d6,0xca62c1d6,0xca62c1d6,0xca62c1d6\n.long\t0xca62c1d6,0xca62c1d6,0xca62c1d6,0xca62c1d6\n.long\t0x00010203,0x04050607,0x08090a0b,0x0c0d0e0f\n.long\t0x00010203,0x04050607,0x08090a0b,0x0c0d0e0f\n.byte\t0xf,0xe,0xd,0xc,0xb,0xa,0x9,0x8,0x7,0x6,0x5,0x4,0x3,0x2,0x1,0x0\n.byte\t83,72,65,49,32,98,108,111,99,107,32,116,114,97,110,115,102,111,114,109,32,102,111,114,32,120,56,54,95,54,52,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0\n.align\t64\n.text\t\n#endif\n#if defined(__linux__) && defined(__ELF__)\n.section .note.GNU-stack,\"\",%progbits\n#endif\n\n" }, { "path": "Sources/CNIOBoringSSL/gen/bcm/sha256-586-apple.S", "content": "#define BORINGSSL_PREFIX CNIOBoringSSL\n// This file is generated from a similarly-named Perl script in the BoringSSL\n// source tree. Do not edit by hand.\n\n#include \n\n#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86) && defined(__APPLE__)\n.text\n.globl\t_sha256_block_data_order_nohw\n.private_extern\t_sha256_block_data_order_nohw\n.align\t4\n_sha256_block_data_order_nohw:\nL_sha256_block_data_order_nohw_begin:\n\tpushl\t%ebp\n\tpushl\t%ebx\n\tpushl\t%esi\n\tpushl\t%edi\n\tmovl\t20(%esp),%esi\n\tmovl\t24(%esp),%edi\n\tmovl\t28(%esp),%eax\n\tmovl\t%esp,%ebx\n\tcall\tL000pic_point\nL000pic_point:\n\tpopl\t%ebp\n\tleal\tLK256-L000pic_point(%ebp),%ebp\n\tsubl\t$16,%esp\n\tandl\t$-64,%esp\n\tshll\t$6,%eax\n\taddl\t%edi,%eax\n\tmovl\t%esi,(%esp)\n\tmovl\t%edi,4(%esp)\n\tmovl\t%eax,8(%esp)\n\tmovl\t%ebx,12(%esp)\nL001no_xmm:\n\tsubl\t%edi,%eax\n\tcmpl\t$256,%eax\n\tjae\tL002unrolled\n\tjmp\tL003loop\n.align\t4,0x90\nL003loop:\n\tmovl\t(%edi),%eax\n\tmovl\t4(%edi),%ebx\n\tmovl\t8(%edi),%ecx\n\tbswap\t%eax\n\tmovl\t12(%edi),%edx\n\tbswap\t%ebx\n\tpushl\t%eax\n\tbswap\t%ecx\n\tpushl\t%ebx\n\tbswap\t%edx\n\tpushl\t%ecx\n\tpushl\t%edx\n\tmovl\t16(%edi),%eax\n\tmovl\t20(%edi),%ebx\n\tmovl\t24(%edi),%ecx\n\tbswap\t%eax\n\tmovl\t28(%edi),%edx\n\tbswap\t%ebx\n\tpushl\t%eax\n\tbswap\t%ecx\n\tpushl\t%ebx\n\tbswap\t%edx\n\tpushl\t%ecx\n\tpushl\t%edx\n\tmovl\t32(%edi),%eax\n\tmovl\t36(%edi),%ebx\n\tmovl\t40(%edi),%ecx\n\tbswap\t%eax\n\tmovl\t44(%edi),%edx\n\tbswap\t%ebx\n\tpushl\t%eax\n\tbswap\t%ecx\n\tpushl\t%ebx\n\tbswap\t%edx\n\tpushl\t%ecx\n\tpushl\t%edx\n\tmovl\t48(%edi),%eax\n\tmovl\t52(%edi),%ebx\n\tmovl\t56(%edi),%ecx\n\tbswap\t%eax\n\tmovl\t60(%edi),%edx\n\tbswap\t%ebx\n\tpushl\t%eax\n\tbswap\t%ecx\n\tpushl\t%ebx\n\tbswap\t%edx\n\tpushl\t%ecx\n\tpushl\t%edx\n\taddl\t$64,%edi\n\tleal\t-36(%esp),%esp\n\tmovl\t%edi,104(%esp)\n\tmovl\t(%esi),%eax\n\tmovl\t4(%esi),%ebx\n\tmovl\t8(%esi),%ecx\n\tmovl\t12(%esi),%edi\n\tmovl\t%ebx,8(%esp)\n\txorl\t%ecx,%ebx\n\tmovl\t%ecx,12(%esp)\n\tmovl\t%edi,16(%esp)\n\tmovl\t%ebx,(%esp)\n\tmovl\t16(%esi),%edx\n\tmovl\t20(%esi),%ebx\n\tmovl\t24(%esi),%ecx\n\tmovl\t28(%esi),%edi\n\tmovl\t%ebx,24(%esp)\n\tmovl\t%ecx,28(%esp)\n\tmovl\t%edi,32(%esp)\n.align\t4,0x90\nL00400_15:\n\tmovl\t%edx,%ecx\n\tmovl\t24(%esp),%esi\n\trorl\t$14,%ecx\n\tmovl\t28(%esp),%edi\n\txorl\t%edx,%ecx\n\txorl\t%edi,%esi\n\tmovl\t96(%esp),%ebx\n\trorl\t$5,%ecx\n\tandl\t%edx,%esi\n\tmovl\t%edx,20(%esp)\n\txorl\t%ecx,%edx\n\taddl\t32(%esp),%ebx\n\txorl\t%edi,%esi\n\trorl\t$6,%edx\n\tmovl\t%eax,%ecx\n\taddl\t%esi,%ebx\n\trorl\t$9,%ecx\n\taddl\t%edx,%ebx\n\tmovl\t8(%esp),%edi\n\txorl\t%eax,%ecx\n\tmovl\t%eax,4(%esp)\n\tleal\t-4(%esp),%esp\n\trorl\t$11,%ecx\n\tmovl\t(%ebp),%esi\n\txorl\t%eax,%ecx\n\tmovl\t20(%esp),%edx\n\txorl\t%edi,%eax\n\trorl\t$2,%ecx\n\taddl\t%esi,%ebx\n\tmovl\t%eax,(%esp)\n\taddl\t%ebx,%edx\n\tandl\t4(%esp),%eax\n\taddl\t%ecx,%ebx\n\txorl\t%edi,%eax\n\taddl\t$4,%ebp\n\taddl\t%ebx,%eax\n\tcmpl\t$3248222580,%esi\n\tjne\tL00400_15\n\tmovl\t156(%esp),%ecx\n\tjmp\tL00516_63\n.align\t4,0x90\nL00516_63:\n\tmovl\t%ecx,%ebx\n\tmovl\t104(%esp),%esi\n\trorl\t$11,%ecx\n\tmovl\t%esi,%edi\n\trorl\t$2,%esi\n\txorl\t%ebx,%ecx\n\tshrl\t$3,%ebx\n\trorl\t$7,%ecx\n\txorl\t%edi,%esi\n\txorl\t%ecx,%ebx\n\trorl\t$17,%esi\n\taddl\t160(%esp),%ebx\n\tshrl\t$10,%edi\n\taddl\t124(%esp),%ebx\n\tmovl\t%edx,%ecx\n\txorl\t%esi,%edi\n\tmovl\t24(%esp),%esi\n\trorl\t$14,%ecx\n\taddl\t%edi,%ebx\n\tmovl\t28(%esp),%edi\n\txorl\t%edx,%ecx\n\txorl\t%edi,%esi\n\tmovl\t%ebx,96(%esp)\n\trorl\t$5,%ecx\n\tandl\t%edx,%esi\n\tmovl\t%edx,20(%esp)\n\txorl\t%ecx,%edx\n\taddl\t32(%esp),%ebx\n\txorl\t%edi,%esi\n\trorl\t$6,%edx\n\tmovl\t%eax,%ecx\n\taddl\t%esi,%ebx\n\trorl\t$9,%ecx\n\taddl\t%edx,%ebx\n\tmovl\t8(%esp),%edi\n\txorl\t%eax,%ecx\n\tmovl\t%eax,4(%esp)\n\tleal\t-4(%esp),%esp\n\trorl\t$11,%ecx\n\tmovl\t(%ebp),%esi\n\txorl\t%eax,%ecx\n\tmovl\t20(%esp),%edx\n\txorl\t%edi,%eax\n\trorl\t$2,%ecx\n\taddl\t%esi,%ebx\n\tmovl\t%eax,(%esp)\n\taddl\t%ebx,%edx\n\tandl\t4(%esp),%eax\n\taddl\t%ecx,%ebx\n\txorl\t%edi,%eax\n\tmovl\t156(%esp),%ecx\n\taddl\t$4,%ebp\n\taddl\t%ebx,%eax\n\tcmpl\t$3329325298,%esi\n\tjne\tL00516_63\n\tmovl\t356(%esp),%esi\n\tmovl\t8(%esp),%ebx\n\tmovl\t16(%esp),%ecx\n\taddl\t(%esi),%eax\n\taddl\t4(%esi),%ebx\n\taddl\t8(%esi),%edi\n\taddl\t12(%esi),%ecx\n\tmovl\t%eax,(%esi)\n\tmovl\t%ebx,4(%esi)\n\tmovl\t%edi,8(%esi)\n\tmovl\t%ecx,12(%esi)\n\tmovl\t24(%esp),%eax\n\tmovl\t28(%esp),%ebx\n\tmovl\t32(%esp),%ecx\n\tmovl\t360(%esp),%edi\n\taddl\t16(%esi),%edx\n\taddl\t20(%esi),%eax\n\taddl\t24(%esi),%ebx\n\taddl\t28(%esi),%ecx\n\tmovl\t%edx,16(%esi)\n\tmovl\t%eax,20(%esi)\n\tmovl\t%ebx,24(%esi)\n\tmovl\t%ecx,28(%esi)\n\tleal\t356(%esp),%esp\n\tsubl\t$256,%ebp\n\tcmpl\t8(%esp),%edi\n\tjb\tL003loop\n\tmovl\t12(%esp),%esp\n\tpopl\t%edi\n\tpopl\t%esi\n\tpopl\t%ebx\n\tpopl\t%ebp\n\tret\n.align\t6,0x90\nLK256:\n.long\t1116352408,1899447441,3049323471,3921009573,961987163,1508970993,2453635748,2870763221,3624381080,310598401,607225278,1426881987,1925078388,2162078206,2614888103,3248222580,3835390401,4022224774,264347078,604807628,770255983,1249150122,1555081692,1996064986,2554220882,2821834349,2952996808,3210313671,3336571891,3584528711,113926993,338241895,666307205,773529912,1294757372,1396182291,1695183700,1986661051,2177026350,2456956037,2730485921,2820302411,3259730800,3345764771,3516065817,3600352804,4094571909,275423344,430227734,506948616,659060556,883997877,958139571,1322822218,1537002063,1747873779,1955562222,2024104815,2227730452,2361852424,2428436474,2756734187,3204031479,3329325298\n.long\t66051,67438087,134810123,202182159\n.byte\t83,72,65,50,53,54,32,98,108,111,99,107,32,116,114,97\n.byte\t110,115,102,111,114,109,32,102,111,114,32,120,56,54,44,32\n.byte\t67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97\n.byte\t112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103\n.byte\t62,0\n.align\t4,0x90\nL002unrolled:\n\tleal\t-96(%esp),%esp\n\tmovl\t(%esi),%eax\n\tmovl\t4(%esi),%ebp\n\tmovl\t8(%esi),%ecx\n\tmovl\t12(%esi),%ebx\n\tmovl\t%ebp,4(%esp)\n\txorl\t%ecx,%ebp\n\tmovl\t%ecx,8(%esp)\n\tmovl\t%ebx,12(%esp)\n\tmovl\t16(%esi),%edx\n\tmovl\t20(%esi),%ebx\n\tmovl\t24(%esi),%ecx\n\tmovl\t28(%esi),%esi\n\tmovl\t%ebx,20(%esp)\n\tmovl\t%ecx,24(%esp)\n\tmovl\t%esi,28(%esp)\n\tjmp\tL006grand_loop\n.align\t4,0x90\nL006grand_loop:\n\tmovl\t(%edi),%ebx\n\tmovl\t4(%edi),%ecx\n\tbswap\t%ebx\n\tmovl\t8(%edi),%esi\n\tbswap\t%ecx\n\tmovl\t%ebx,32(%esp)\n\tbswap\t%esi\n\tmovl\t%ecx,36(%esp)\n\tmovl\t%esi,40(%esp)\n\tmovl\t12(%edi),%ebx\n\tmovl\t16(%edi),%ecx\n\tbswap\t%ebx\n\tmovl\t20(%edi),%esi\n\tbswap\t%ecx\n\tmovl\t%ebx,44(%esp)\n\tbswap\t%esi\n\tmovl\t%ecx,48(%esp)\n\tmovl\t%esi,52(%esp)\n\tmovl\t24(%edi),%ebx\n\tmovl\t28(%edi),%ecx\n\tbswap\t%ebx\n\tmovl\t32(%edi),%esi\n\tbswap\t%ecx\n\tmovl\t%ebx,56(%esp)\n\tbswap\t%esi\n\tmovl\t%ecx,60(%esp)\n\tmovl\t%esi,64(%esp)\n\tmovl\t36(%edi),%ebx\n\tmovl\t40(%edi),%ecx\n\tbswap\t%ebx\n\tmovl\t44(%edi),%esi\n\tbswap\t%ecx\n\tmovl\t%ebx,68(%esp)\n\tbswap\t%esi\n\tmovl\t%ecx,72(%esp)\n\tmovl\t%esi,76(%esp)\n\tmovl\t48(%edi),%ebx\n\tmovl\t52(%edi),%ecx\n\tbswap\t%ebx\n\tmovl\t56(%edi),%esi\n\tbswap\t%ecx\n\tmovl\t%ebx,80(%esp)\n\tbswap\t%esi\n\tmovl\t%ecx,84(%esp)\n\tmovl\t%esi,88(%esp)\n\tmovl\t60(%edi),%ebx\n\taddl\t$64,%edi\n\tbswap\t%ebx\n\tmovl\t%edi,100(%esp)\n\tmovl\t%ebx,92(%esp)\n\tmovl\t%edx,%ecx\n\tmovl\t20(%esp),%esi\n\trorl\t$14,%edx\n\tmovl\t24(%esp),%edi\n\txorl\t%ecx,%edx\n\tmovl\t32(%esp),%ebx\n\txorl\t%edi,%esi\n\trorl\t$5,%edx\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,16(%esp)\n\txorl\t%ecx,%edx\n\taddl\t28(%esp),%ebx\n\txorl\t%esi,%edi\n\trorl\t$6,%edx\n\tmovl\t%eax,%ecx\n\taddl\t%edi,%ebx\n\trorl\t$9,%ecx\n\tmovl\t%eax,%esi\n\tmovl\t4(%esp),%edi\n\txorl\t%eax,%ecx\n\tmovl\t%eax,(%esp)\n\txorl\t%edi,%eax\n\trorl\t$11,%ecx\n\tandl\t%eax,%ebp\n\tleal\t1116352408(%ebx,%edx,1),%edx\n\txorl\t%esi,%ecx\n\txorl\t%edi,%ebp\n\trorl\t$2,%ecx\n\taddl\t%edx,%ebp\n\taddl\t12(%esp),%edx\n\taddl\t%ecx,%ebp\n\tmovl\t%edx,%esi\n\tmovl\t16(%esp),%ecx\n\trorl\t$14,%edx\n\tmovl\t20(%esp),%edi\n\txorl\t%esi,%edx\n\tmovl\t36(%esp),%ebx\n\txorl\t%edi,%ecx\n\trorl\t$5,%edx\n\tandl\t%esi,%ecx\n\tmovl\t%esi,12(%esp)\n\txorl\t%esi,%edx\n\taddl\t24(%esp),%ebx\n\txorl\t%ecx,%edi\n\trorl\t$6,%edx\n\tmovl\t%ebp,%esi\n\taddl\t%edi,%ebx\n\trorl\t$9,%esi\n\tmovl\t%ebp,%ecx\n\tmovl\t(%esp),%edi\n\txorl\t%ebp,%esi\n\tmovl\t%ebp,28(%esp)\n\txorl\t%edi,%ebp\n\trorl\t$11,%esi\n\tandl\t%ebp,%eax\n\tleal\t1899447441(%ebx,%edx,1),%edx\n\txorl\t%ecx,%esi\n\txorl\t%edi,%eax\n\trorl\t$2,%esi\n\taddl\t%edx,%eax\n\taddl\t8(%esp),%edx\n\taddl\t%esi,%eax\n\tmovl\t%edx,%ecx\n\tmovl\t12(%esp),%esi\n\trorl\t$14,%edx\n\tmovl\t16(%esp),%edi\n\txorl\t%ecx,%edx\n\tmovl\t40(%esp),%ebx\n\txorl\t%edi,%esi\n\trorl\t$5,%edx\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,8(%esp)\n\txorl\t%ecx,%edx\n\taddl\t20(%esp),%ebx\n\txorl\t%esi,%edi\n\trorl\t$6,%edx\n\tmovl\t%eax,%ecx\n\taddl\t%edi,%ebx\n\trorl\t$9,%ecx\n\tmovl\t%eax,%esi\n\tmovl\t28(%esp),%edi\n\txorl\t%eax,%ecx\n\tmovl\t%eax,24(%esp)\n\txorl\t%edi,%eax\n\trorl\t$11,%ecx\n\tandl\t%eax,%ebp\n\tleal\t3049323471(%ebx,%edx,1),%edx\n\txorl\t%esi,%ecx\n\txorl\t%edi,%ebp\n\trorl\t$2,%ecx\n\taddl\t%edx,%ebp\n\taddl\t4(%esp),%edx\n\taddl\t%ecx,%ebp\n\tmovl\t%edx,%esi\n\tmovl\t8(%esp),%ecx\n\trorl\t$14,%edx\n\tmovl\t12(%esp),%edi\n\txorl\t%esi,%edx\n\tmovl\t44(%esp),%ebx\n\txorl\t%edi,%ecx\n\trorl\t$5,%edx\n\tandl\t%esi,%ecx\n\tmovl\t%esi,4(%esp)\n\txorl\t%esi,%edx\n\taddl\t16(%esp),%ebx\n\txorl\t%ecx,%edi\n\trorl\t$6,%edx\n\tmovl\t%ebp,%esi\n\taddl\t%edi,%ebx\n\trorl\t$9,%esi\n\tmovl\t%ebp,%ecx\n\tmovl\t24(%esp),%edi\n\txorl\t%ebp,%esi\n\tmovl\t%ebp,20(%esp)\n\txorl\t%edi,%ebp\n\trorl\t$11,%esi\n\tandl\t%ebp,%eax\n\tleal\t3921009573(%ebx,%edx,1),%edx\n\txorl\t%ecx,%esi\n\txorl\t%edi,%eax\n\trorl\t$2,%esi\n\taddl\t%edx,%eax\n\taddl\t(%esp),%edx\n\taddl\t%esi,%eax\n\tmovl\t%edx,%ecx\n\tmovl\t4(%esp),%esi\n\trorl\t$14,%edx\n\tmovl\t8(%esp),%edi\n\txorl\t%ecx,%edx\n\tmovl\t48(%esp),%ebx\n\txorl\t%edi,%esi\n\trorl\t$5,%edx\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,(%esp)\n\txorl\t%ecx,%edx\n\taddl\t12(%esp),%ebx\n\txorl\t%esi,%edi\n\trorl\t$6,%edx\n\tmovl\t%eax,%ecx\n\taddl\t%edi,%ebx\n\trorl\t$9,%ecx\n\tmovl\t%eax,%esi\n\tmovl\t20(%esp),%edi\n\txorl\t%eax,%ecx\n\tmovl\t%eax,16(%esp)\n\txorl\t%edi,%eax\n\trorl\t$11,%ecx\n\tandl\t%eax,%ebp\n\tleal\t961987163(%ebx,%edx,1),%edx\n\txorl\t%esi,%ecx\n\txorl\t%edi,%ebp\n\trorl\t$2,%ecx\n\taddl\t%edx,%ebp\n\taddl\t28(%esp),%edx\n\taddl\t%ecx,%ebp\n\tmovl\t%edx,%esi\n\tmovl\t(%esp),%ecx\n\trorl\t$14,%edx\n\tmovl\t4(%esp),%edi\n\txorl\t%esi,%edx\n\tmovl\t52(%esp),%ebx\n\txorl\t%edi,%ecx\n\trorl\t$5,%edx\n\tandl\t%esi,%ecx\n\tmovl\t%esi,28(%esp)\n\txorl\t%esi,%edx\n\taddl\t8(%esp),%ebx\n\txorl\t%ecx,%edi\n\trorl\t$6,%edx\n\tmovl\t%ebp,%esi\n\taddl\t%edi,%ebx\n\trorl\t$9,%esi\n\tmovl\t%ebp,%ecx\n\tmovl\t16(%esp),%edi\n\txorl\t%ebp,%esi\n\tmovl\t%ebp,12(%esp)\n\txorl\t%edi,%ebp\n\trorl\t$11,%esi\n\tandl\t%ebp,%eax\n\tleal\t1508970993(%ebx,%edx,1),%edx\n\txorl\t%ecx,%esi\n\txorl\t%edi,%eax\n\trorl\t$2,%esi\n\taddl\t%edx,%eax\n\taddl\t24(%esp),%edx\n\taddl\t%esi,%eax\n\tmovl\t%edx,%ecx\n\tmovl\t28(%esp),%esi\n\trorl\t$14,%edx\n\tmovl\t(%esp),%edi\n\txorl\t%ecx,%edx\n\tmovl\t56(%esp),%ebx\n\txorl\t%edi,%esi\n\trorl\t$5,%edx\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,24(%esp)\n\txorl\t%ecx,%edx\n\taddl\t4(%esp),%ebx\n\txorl\t%esi,%edi\n\trorl\t$6,%edx\n\tmovl\t%eax,%ecx\n\taddl\t%edi,%ebx\n\trorl\t$9,%ecx\n\tmovl\t%eax,%esi\n\tmovl\t12(%esp),%edi\n\txorl\t%eax,%ecx\n\tmovl\t%eax,8(%esp)\n\txorl\t%edi,%eax\n\trorl\t$11,%ecx\n\tandl\t%eax,%ebp\n\tleal\t2453635748(%ebx,%edx,1),%edx\n\txorl\t%esi,%ecx\n\txorl\t%edi,%ebp\n\trorl\t$2,%ecx\n\taddl\t%edx,%ebp\n\taddl\t20(%esp),%edx\n\taddl\t%ecx,%ebp\n\tmovl\t%edx,%esi\n\tmovl\t24(%esp),%ecx\n\trorl\t$14,%edx\n\tmovl\t28(%esp),%edi\n\txorl\t%esi,%edx\n\tmovl\t60(%esp),%ebx\n\txorl\t%edi,%ecx\n\trorl\t$5,%edx\n\tandl\t%esi,%ecx\n\tmovl\t%esi,20(%esp)\n\txorl\t%esi,%edx\n\taddl\t(%esp),%ebx\n\txorl\t%ecx,%edi\n\trorl\t$6,%edx\n\tmovl\t%ebp,%esi\n\taddl\t%edi,%ebx\n\trorl\t$9,%esi\n\tmovl\t%ebp,%ecx\n\tmovl\t8(%esp),%edi\n\txorl\t%ebp,%esi\n\tmovl\t%ebp,4(%esp)\n\txorl\t%edi,%ebp\n\trorl\t$11,%esi\n\tandl\t%ebp,%eax\n\tleal\t2870763221(%ebx,%edx,1),%edx\n\txorl\t%ecx,%esi\n\txorl\t%edi,%eax\n\trorl\t$2,%esi\n\taddl\t%edx,%eax\n\taddl\t16(%esp),%edx\n\taddl\t%esi,%eax\n\tmovl\t%edx,%ecx\n\tmovl\t20(%esp),%esi\n\trorl\t$14,%edx\n\tmovl\t24(%esp),%edi\n\txorl\t%ecx,%edx\n\tmovl\t64(%esp),%ebx\n\txorl\t%edi,%esi\n\trorl\t$5,%edx\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,16(%esp)\n\txorl\t%ecx,%edx\n\taddl\t28(%esp),%ebx\n\txorl\t%esi,%edi\n\trorl\t$6,%edx\n\tmovl\t%eax,%ecx\n\taddl\t%edi,%ebx\n\trorl\t$9,%ecx\n\tmovl\t%eax,%esi\n\tmovl\t4(%esp),%edi\n\txorl\t%eax,%ecx\n\tmovl\t%eax,(%esp)\n\txorl\t%edi,%eax\n\trorl\t$11,%ecx\n\tandl\t%eax,%ebp\n\tleal\t3624381080(%ebx,%edx,1),%edx\n\txorl\t%esi,%ecx\n\txorl\t%edi,%ebp\n\trorl\t$2,%ecx\n\taddl\t%edx,%ebp\n\taddl\t12(%esp),%edx\n\taddl\t%ecx,%ebp\n\tmovl\t%edx,%esi\n\tmovl\t16(%esp),%ecx\n\trorl\t$14,%edx\n\tmovl\t20(%esp),%edi\n\txorl\t%esi,%edx\n\tmovl\t68(%esp),%ebx\n\txorl\t%edi,%ecx\n\trorl\t$5,%edx\n\tandl\t%esi,%ecx\n\tmovl\t%esi,12(%esp)\n\txorl\t%esi,%edx\n\taddl\t24(%esp),%ebx\n\txorl\t%ecx,%edi\n\trorl\t$6,%edx\n\tmovl\t%ebp,%esi\n\taddl\t%edi,%ebx\n\trorl\t$9,%esi\n\tmovl\t%ebp,%ecx\n\tmovl\t(%esp),%edi\n\txorl\t%ebp,%esi\n\tmovl\t%ebp,28(%esp)\n\txorl\t%edi,%ebp\n\trorl\t$11,%esi\n\tandl\t%ebp,%eax\n\tleal\t310598401(%ebx,%edx,1),%edx\n\txorl\t%ecx,%esi\n\txorl\t%edi,%eax\n\trorl\t$2,%esi\n\taddl\t%edx,%eax\n\taddl\t8(%esp),%edx\n\taddl\t%esi,%eax\n\tmovl\t%edx,%ecx\n\tmovl\t12(%esp),%esi\n\trorl\t$14,%edx\n\tmovl\t16(%esp),%edi\n\txorl\t%ecx,%edx\n\tmovl\t72(%esp),%ebx\n\txorl\t%edi,%esi\n\trorl\t$5,%edx\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,8(%esp)\n\txorl\t%ecx,%edx\n\taddl\t20(%esp),%ebx\n\txorl\t%esi,%edi\n\trorl\t$6,%edx\n\tmovl\t%eax,%ecx\n\taddl\t%edi,%ebx\n\trorl\t$9,%ecx\n\tmovl\t%eax,%esi\n\tmovl\t28(%esp),%edi\n\txorl\t%eax,%ecx\n\tmovl\t%eax,24(%esp)\n\txorl\t%edi,%eax\n\trorl\t$11,%ecx\n\tandl\t%eax,%ebp\n\tleal\t607225278(%ebx,%edx,1),%edx\n\txorl\t%esi,%ecx\n\txorl\t%edi,%ebp\n\trorl\t$2,%ecx\n\taddl\t%edx,%ebp\n\taddl\t4(%esp),%edx\n\taddl\t%ecx,%ebp\n\tmovl\t%edx,%esi\n\tmovl\t8(%esp),%ecx\n\trorl\t$14,%edx\n\tmovl\t12(%esp),%edi\n\txorl\t%esi,%edx\n\tmovl\t76(%esp),%ebx\n\txorl\t%edi,%ecx\n\trorl\t$5,%edx\n\tandl\t%esi,%ecx\n\tmovl\t%esi,4(%esp)\n\txorl\t%esi,%edx\n\taddl\t16(%esp),%ebx\n\txorl\t%ecx,%edi\n\trorl\t$6,%edx\n\tmovl\t%ebp,%esi\n\taddl\t%edi,%ebx\n\trorl\t$9,%esi\n\tmovl\t%ebp,%ecx\n\tmovl\t24(%esp),%edi\n\txorl\t%ebp,%esi\n\tmovl\t%ebp,20(%esp)\n\txorl\t%edi,%ebp\n\trorl\t$11,%esi\n\tandl\t%ebp,%eax\n\tleal\t1426881987(%ebx,%edx,1),%edx\n\txorl\t%ecx,%esi\n\txorl\t%edi,%eax\n\trorl\t$2,%esi\n\taddl\t%edx,%eax\n\taddl\t(%esp),%edx\n\taddl\t%esi,%eax\n\tmovl\t%edx,%ecx\n\tmovl\t4(%esp),%esi\n\trorl\t$14,%edx\n\tmovl\t8(%esp),%edi\n\txorl\t%ecx,%edx\n\tmovl\t80(%esp),%ebx\n\txorl\t%edi,%esi\n\trorl\t$5,%edx\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,(%esp)\n\txorl\t%ecx,%edx\n\taddl\t12(%esp),%ebx\n\txorl\t%esi,%edi\n\trorl\t$6,%edx\n\tmovl\t%eax,%ecx\n\taddl\t%edi,%ebx\n\trorl\t$9,%ecx\n\tmovl\t%eax,%esi\n\tmovl\t20(%esp),%edi\n\txorl\t%eax,%ecx\n\tmovl\t%eax,16(%esp)\n\txorl\t%edi,%eax\n\trorl\t$11,%ecx\n\tandl\t%eax,%ebp\n\tleal\t1925078388(%ebx,%edx,1),%edx\n\txorl\t%esi,%ecx\n\txorl\t%edi,%ebp\n\trorl\t$2,%ecx\n\taddl\t%edx,%ebp\n\taddl\t28(%esp),%edx\n\taddl\t%ecx,%ebp\n\tmovl\t%edx,%esi\n\tmovl\t(%esp),%ecx\n\trorl\t$14,%edx\n\tmovl\t4(%esp),%edi\n\txorl\t%esi,%edx\n\tmovl\t84(%esp),%ebx\n\txorl\t%edi,%ecx\n\trorl\t$5,%edx\n\tandl\t%esi,%ecx\n\tmovl\t%esi,28(%esp)\n\txorl\t%esi,%edx\n\taddl\t8(%esp),%ebx\n\txorl\t%ecx,%edi\n\trorl\t$6,%edx\n\tmovl\t%ebp,%esi\n\taddl\t%edi,%ebx\n\trorl\t$9,%esi\n\tmovl\t%ebp,%ecx\n\tmovl\t16(%esp),%edi\n\txorl\t%ebp,%esi\n\tmovl\t%ebp,12(%esp)\n\txorl\t%edi,%ebp\n\trorl\t$11,%esi\n\tandl\t%ebp,%eax\n\tleal\t2162078206(%ebx,%edx,1),%edx\n\txorl\t%ecx,%esi\n\txorl\t%edi,%eax\n\trorl\t$2,%esi\n\taddl\t%edx,%eax\n\taddl\t24(%esp),%edx\n\taddl\t%esi,%eax\n\tmovl\t%edx,%ecx\n\tmovl\t28(%esp),%esi\n\trorl\t$14,%edx\n\tmovl\t(%esp),%edi\n\txorl\t%ecx,%edx\n\tmovl\t88(%esp),%ebx\n\txorl\t%edi,%esi\n\trorl\t$5,%edx\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,24(%esp)\n\txorl\t%ecx,%edx\n\taddl\t4(%esp),%ebx\n\txorl\t%esi,%edi\n\trorl\t$6,%edx\n\tmovl\t%eax,%ecx\n\taddl\t%edi,%ebx\n\trorl\t$9,%ecx\n\tmovl\t%eax,%esi\n\tmovl\t12(%esp),%edi\n\txorl\t%eax,%ecx\n\tmovl\t%eax,8(%esp)\n\txorl\t%edi,%eax\n\trorl\t$11,%ecx\n\tandl\t%eax,%ebp\n\tleal\t2614888103(%ebx,%edx,1),%edx\n\txorl\t%esi,%ecx\n\txorl\t%edi,%ebp\n\trorl\t$2,%ecx\n\taddl\t%edx,%ebp\n\taddl\t20(%esp),%edx\n\taddl\t%ecx,%ebp\n\tmovl\t%edx,%esi\n\tmovl\t24(%esp),%ecx\n\trorl\t$14,%edx\n\tmovl\t28(%esp),%edi\n\txorl\t%esi,%edx\n\tmovl\t92(%esp),%ebx\n\txorl\t%edi,%ecx\n\trorl\t$5,%edx\n\tandl\t%esi,%ecx\n\tmovl\t%esi,20(%esp)\n\txorl\t%esi,%edx\n\taddl\t(%esp),%ebx\n\txorl\t%ecx,%edi\n\trorl\t$6,%edx\n\tmovl\t%ebp,%esi\n\taddl\t%edi,%ebx\n\trorl\t$9,%esi\n\tmovl\t%ebp,%ecx\n\tmovl\t8(%esp),%edi\n\txorl\t%ebp,%esi\n\tmovl\t%ebp,4(%esp)\n\txorl\t%edi,%ebp\n\trorl\t$11,%esi\n\tandl\t%ebp,%eax\n\tleal\t3248222580(%ebx,%edx,1),%edx\n\txorl\t%ecx,%esi\n\txorl\t%edi,%eax\n\tmovl\t36(%esp),%ecx\n\trorl\t$2,%esi\n\taddl\t%edx,%eax\n\taddl\t16(%esp),%edx\n\taddl\t%esi,%eax\n\tmovl\t88(%esp),%esi\n\tmovl\t%ecx,%ebx\n\trorl\t$11,%ecx\n\tmovl\t%esi,%edi\n\trorl\t$2,%esi\n\txorl\t%ebx,%ecx\n\tshrl\t$3,%ebx\n\trorl\t$7,%ecx\n\txorl\t%edi,%esi\n\txorl\t%ecx,%ebx\n\trorl\t$17,%esi\n\taddl\t32(%esp),%ebx\n\tshrl\t$10,%edi\n\taddl\t68(%esp),%ebx\n\tmovl\t%edx,%ecx\n\txorl\t%esi,%edi\n\tmovl\t20(%esp),%esi\n\trorl\t$14,%edx\n\taddl\t%edi,%ebx\n\tmovl\t24(%esp),%edi\n\txorl\t%ecx,%edx\n\tmovl\t%ebx,32(%esp)\n\txorl\t%edi,%esi\n\trorl\t$5,%edx\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,16(%esp)\n\txorl\t%ecx,%edx\n\taddl\t28(%esp),%ebx\n\txorl\t%esi,%edi\n\trorl\t$6,%edx\n\tmovl\t%eax,%ecx\n\taddl\t%edi,%ebx\n\trorl\t$9,%ecx\n\tmovl\t%eax,%esi\n\tmovl\t4(%esp),%edi\n\txorl\t%eax,%ecx\n\tmovl\t%eax,(%esp)\n\txorl\t%edi,%eax\n\trorl\t$11,%ecx\n\tandl\t%eax,%ebp\n\tleal\t3835390401(%ebx,%edx,1),%edx\n\txorl\t%esi,%ecx\n\txorl\t%edi,%ebp\n\tmovl\t40(%esp),%esi\n\trorl\t$2,%ecx\n\taddl\t%edx,%ebp\n\taddl\t12(%esp),%edx\n\taddl\t%ecx,%ebp\n\tmovl\t92(%esp),%ecx\n\tmovl\t%esi,%ebx\n\trorl\t$11,%esi\n\tmovl\t%ecx,%edi\n\trorl\t$2,%ecx\n\txorl\t%ebx,%esi\n\tshrl\t$3,%ebx\n\trorl\t$7,%esi\n\txorl\t%edi,%ecx\n\txorl\t%esi,%ebx\n\trorl\t$17,%ecx\n\taddl\t36(%esp),%ebx\n\tshrl\t$10,%edi\n\taddl\t72(%esp),%ebx\n\tmovl\t%edx,%esi\n\txorl\t%ecx,%edi\n\tmovl\t16(%esp),%ecx\n\trorl\t$14,%edx\n\taddl\t%edi,%ebx\n\tmovl\t20(%esp),%edi\n\txorl\t%esi,%edx\n\tmovl\t%ebx,36(%esp)\n\txorl\t%edi,%ecx\n\trorl\t$5,%edx\n\tandl\t%esi,%ecx\n\tmovl\t%esi,12(%esp)\n\txorl\t%esi,%edx\n\taddl\t24(%esp),%ebx\n\txorl\t%ecx,%edi\n\trorl\t$6,%edx\n\tmovl\t%ebp,%esi\n\taddl\t%edi,%ebx\n\trorl\t$9,%esi\n\tmovl\t%ebp,%ecx\n\tmovl\t(%esp),%edi\n\txorl\t%ebp,%esi\n\tmovl\t%ebp,28(%esp)\n\txorl\t%edi,%ebp\n\trorl\t$11,%esi\n\tandl\t%ebp,%eax\n\tleal\t4022224774(%ebx,%edx,1),%edx\n\txorl\t%ecx,%esi\n\txorl\t%edi,%eax\n\tmovl\t44(%esp),%ecx\n\trorl\t$2,%esi\n\taddl\t%edx,%eax\n\taddl\t8(%esp),%edx\n\taddl\t%esi,%eax\n\tmovl\t32(%esp),%esi\n\tmovl\t%ecx,%ebx\n\trorl\t$11,%ecx\n\tmovl\t%esi,%edi\n\trorl\t$2,%esi\n\txorl\t%ebx,%ecx\n\tshrl\t$3,%ebx\n\trorl\t$7,%ecx\n\txorl\t%edi,%esi\n\txorl\t%ecx,%ebx\n\trorl\t$17,%esi\n\taddl\t40(%esp),%ebx\n\tshrl\t$10,%edi\n\taddl\t76(%esp),%ebx\n\tmovl\t%edx,%ecx\n\txorl\t%esi,%edi\n\tmovl\t12(%esp),%esi\n\trorl\t$14,%edx\n\taddl\t%edi,%ebx\n\tmovl\t16(%esp),%edi\n\txorl\t%ecx,%edx\n\tmovl\t%ebx,40(%esp)\n\txorl\t%edi,%esi\n\trorl\t$5,%edx\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,8(%esp)\n\txorl\t%ecx,%edx\n\taddl\t20(%esp),%ebx\n\txorl\t%esi,%edi\n\trorl\t$6,%edx\n\tmovl\t%eax,%ecx\n\taddl\t%edi,%ebx\n\trorl\t$9,%ecx\n\tmovl\t%eax,%esi\n\tmovl\t28(%esp),%edi\n\txorl\t%eax,%ecx\n\tmovl\t%eax,24(%esp)\n\txorl\t%edi,%eax\n\trorl\t$11,%ecx\n\tandl\t%eax,%ebp\n\tleal\t264347078(%ebx,%edx,1),%edx\n\txorl\t%esi,%ecx\n\txorl\t%edi,%ebp\n\tmovl\t48(%esp),%esi\n\trorl\t$2,%ecx\n\taddl\t%edx,%ebp\n\taddl\t4(%esp),%edx\n\taddl\t%ecx,%ebp\n\tmovl\t36(%esp),%ecx\n\tmovl\t%esi,%ebx\n\trorl\t$11,%esi\n\tmovl\t%ecx,%edi\n\trorl\t$2,%ecx\n\txorl\t%ebx,%esi\n\tshrl\t$3,%ebx\n\trorl\t$7,%esi\n\txorl\t%edi,%ecx\n\txorl\t%esi,%ebx\n\trorl\t$17,%ecx\n\taddl\t44(%esp),%ebx\n\tshrl\t$10,%edi\n\taddl\t80(%esp),%ebx\n\tmovl\t%edx,%esi\n\txorl\t%ecx,%edi\n\tmovl\t8(%esp),%ecx\n\trorl\t$14,%edx\n\taddl\t%edi,%ebx\n\tmovl\t12(%esp),%edi\n\txorl\t%esi,%edx\n\tmovl\t%ebx,44(%esp)\n\txorl\t%edi,%ecx\n\trorl\t$5,%edx\n\tandl\t%esi,%ecx\n\tmovl\t%esi,4(%esp)\n\txorl\t%esi,%edx\n\taddl\t16(%esp),%ebx\n\txorl\t%ecx,%edi\n\trorl\t$6,%edx\n\tmovl\t%ebp,%esi\n\taddl\t%edi,%ebx\n\trorl\t$9,%esi\n\tmovl\t%ebp,%ecx\n\tmovl\t24(%esp),%edi\n\txorl\t%ebp,%esi\n\tmovl\t%ebp,20(%esp)\n\txorl\t%edi,%ebp\n\trorl\t$11,%esi\n\tandl\t%ebp,%eax\n\tleal\t604807628(%ebx,%edx,1),%edx\n\txorl\t%ecx,%esi\n\txorl\t%edi,%eax\n\tmovl\t52(%esp),%ecx\n\trorl\t$2,%esi\n\taddl\t%edx,%eax\n\taddl\t(%esp),%edx\n\taddl\t%esi,%eax\n\tmovl\t40(%esp),%esi\n\tmovl\t%ecx,%ebx\n\trorl\t$11,%ecx\n\tmovl\t%esi,%edi\n\trorl\t$2,%esi\n\txorl\t%ebx,%ecx\n\tshrl\t$3,%ebx\n\trorl\t$7,%ecx\n\txorl\t%edi,%esi\n\txorl\t%ecx,%ebx\n\trorl\t$17,%esi\n\taddl\t48(%esp),%ebx\n\tshrl\t$10,%edi\n\taddl\t84(%esp),%ebx\n\tmovl\t%edx,%ecx\n\txorl\t%esi,%edi\n\tmovl\t4(%esp),%esi\n\trorl\t$14,%edx\n\taddl\t%edi,%ebx\n\tmovl\t8(%esp),%edi\n\txorl\t%ecx,%edx\n\tmovl\t%ebx,48(%esp)\n\txorl\t%edi,%esi\n\trorl\t$5,%edx\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,(%esp)\n\txorl\t%ecx,%edx\n\taddl\t12(%esp),%ebx\n\txorl\t%esi,%edi\n\trorl\t$6,%edx\n\tmovl\t%eax,%ecx\n\taddl\t%edi,%ebx\n\trorl\t$9,%ecx\n\tmovl\t%eax,%esi\n\tmovl\t20(%esp),%edi\n\txorl\t%eax,%ecx\n\tmovl\t%eax,16(%esp)\n\txorl\t%edi,%eax\n\trorl\t$11,%ecx\n\tandl\t%eax,%ebp\n\tleal\t770255983(%ebx,%edx,1),%edx\n\txorl\t%esi,%ecx\n\txorl\t%edi,%ebp\n\tmovl\t56(%esp),%esi\n\trorl\t$2,%ecx\n\taddl\t%edx,%ebp\n\taddl\t28(%esp),%edx\n\taddl\t%ecx,%ebp\n\tmovl\t44(%esp),%ecx\n\tmovl\t%esi,%ebx\n\trorl\t$11,%esi\n\tmovl\t%ecx,%edi\n\trorl\t$2,%ecx\n\txorl\t%ebx,%esi\n\tshrl\t$3,%ebx\n\trorl\t$7,%esi\n\txorl\t%edi,%ecx\n\txorl\t%esi,%ebx\n\trorl\t$17,%ecx\n\taddl\t52(%esp),%ebx\n\tshrl\t$10,%edi\n\taddl\t88(%esp),%ebx\n\tmovl\t%edx,%esi\n\txorl\t%ecx,%edi\n\tmovl\t(%esp),%ecx\n\trorl\t$14,%edx\n\taddl\t%edi,%ebx\n\tmovl\t4(%esp),%edi\n\txorl\t%esi,%edx\n\tmovl\t%ebx,52(%esp)\n\txorl\t%edi,%ecx\n\trorl\t$5,%edx\n\tandl\t%esi,%ecx\n\tmovl\t%esi,28(%esp)\n\txorl\t%esi,%edx\n\taddl\t8(%esp),%ebx\n\txorl\t%ecx,%edi\n\trorl\t$6,%edx\n\tmovl\t%ebp,%esi\n\taddl\t%edi,%ebx\n\trorl\t$9,%esi\n\tmovl\t%ebp,%ecx\n\tmovl\t16(%esp),%edi\n\txorl\t%ebp,%esi\n\tmovl\t%ebp,12(%esp)\n\txorl\t%edi,%ebp\n\trorl\t$11,%esi\n\tandl\t%ebp,%eax\n\tleal\t1249150122(%ebx,%edx,1),%edx\n\txorl\t%ecx,%esi\n\txorl\t%edi,%eax\n\tmovl\t60(%esp),%ecx\n\trorl\t$2,%esi\n\taddl\t%edx,%eax\n\taddl\t24(%esp),%edx\n\taddl\t%esi,%eax\n\tmovl\t48(%esp),%esi\n\tmovl\t%ecx,%ebx\n\trorl\t$11,%ecx\n\tmovl\t%esi,%edi\n\trorl\t$2,%esi\n\txorl\t%ebx,%ecx\n\tshrl\t$3,%ebx\n\trorl\t$7,%ecx\n\txorl\t%edi,%esi\n\txorl\t%ecx,%ebx\n\trorl\t$17,%esi\n\taddl\t56(%esp),%ebx\n\tshrl\t$10,%edi\n\taddl\t92(%esp),%ebx\n\tmovl\t%edx,%ecx\n\txorl\t%esi,%edi\n\tmovl\t28(%esp),%esi\n\trorl\t$14,%edx\n\taddl\t%edi,%ebx\n\tmovl\t(%esp),%edi\n\txorl\t%ecx,%edx\n\tmovl\t%ebx,56(%esp)\n\txorl\t%edi,%esi\n\trorl\t$5,%edx\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,24(%esp)\n\txorl\t%ecx,%edx\n\taddl\t4(%esp),%ebx\n\txorl\t%esi,%edi\n\trorl\t$6,%edx\n\tmovl\t%eax,%ecx\n\taddl\t%edi,%ebx\n\trorl\t$9,%ecx\n\tmovl\t%eax,%esi\n\tmovl\t12(%esp),%edi\n\txorl\t%eax,%ecx\n\tmovl\t%eax,8(%esp)\n\txorl\t%edi,%eax\n\trorl\t$11,%ecx\n\tandl\t%eax,%ebp\n\tleal\t1555081692(%ebx,%edx,1),%edx\n\txorl\t%esi,%ecx\n\txorl\t%edi,%ebp\n\tmovl\t64(%esp),%esi\n\trorl\t$2,%ecx\n\taddl\t%edx,%ebp\n\taddl\t20(%esp),%edx\n\taddl\t%ecx,%ebp\n\tmovl\t52(%esp),%ecx\n\tmovl\t%esi,%ebx\n\trorl\t$11,%esi\n\tmovl\t%ecx,%edi\n\trorl\t$2,%ecx\n\txorl\t%ebx,%esi\n\tshrl\t$3,%ebx\n\trorl\t$7,%esi\n\txorl\t%edi,%ecx\n\txorl\t%esi,%ebx\n\trorl\t$17,%ecx\n\taddl\t60(%esp),%ebx\n\tshrl\t$10,%edi\n\taddl\t32(%esp),%ebx\n\tmovl\t%edx,%esi\n\txorl\t%ecx,%edi\n\tmovl\t24(%esp),%ecx\n\trorl\t$14,%edx\n\taddl\t%edi,%ebx\n\tmovl\t28(%esp),%edi\n\txorl\t%esi,%edx\n\tmovl\t%ebx,60(%esp)\n\txorl\t%edi,%ecx\n\trorl\t$5,%edx\n\tandl\t%esi,%ecx\n\tmovl\t%esi,20(%esp)\n\txorl\t%esi,%edx\n\taddl\t(%esp),%ebx\n\txorl\t%ecx,%edi\n\trorl\t$6,%edx\n\tmovl\t%ebp,%esi\n\taddl\t%edi,%ebx\n\trorl\t$9,%esi\n\tmovl\t%ebp,%ecx\n\tmovl\t8(%esp),%edi\n\txorl\t%ebp,%esi\n\tmovl\t%ebp,4(%esp)\n\txorl\t%edi,%ebp\n\trorl\t$11,%esi\n\tandl\t%ebp,%eax\n\tleal\t1996064986(%ebx,%edx,1),%edx\n\txorl\t%ecx,%esi\n\txorl\t%edi,%eax\n\tmovl\t68(%esp),%ecx\n\trorl\t$2,%esi\n\taddl\t%edx,%eax\n\taddl\t16(%esp),%edx\n\taddl\t%esi,%eax\n\tmovl\t56(%esp),%esi\n\tmovl\t%ecx,%ebx\n\trorl\t$11,%ecx\n\tmovl\t%esi,%edi\n\trorl\t$2,%esi\n\txorl\t%ebx,%ecx\n\tshrl\t$3,%ebx\n\trorl\t$7,%ecx\n\txorl\t%edi,%esi\n\txorl\t%ecx,%ebx\n\trorl\t$17,%esi\n\taddl\t64(%esp),%ebx\n\tshrl\t$10,%edi\n\taddl\t36(%esp),%ebx\n\tmovl\t%edx,%ecx\n\txorl\t%esi,%edi\n\tmovl\t20(%esp),%esi\n\trorl\t$14,%edx\n\taddl\t%edi,%ebx\n\tmovl\t24(%esp),%edi\n\txorl\t%ecx,%edx\n\tmovl\t%ebx,64(%esp)\n\txorl\t%edi,%esi\n\trorl\t$5,%edx\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,16(%esp)\n\txorl\t%ecx,%edx\n\taddl\t28(%esp),%ebx\n\txorl\t%esi,%edi\n\trorl\t$6,%edx\n\tmovl\t%eax,%ecx\n\taddl\t%edi,%ebx\n\trorl\t$9,%ecx\n\tmovl\t%eax,%esi\n\tmovl\t4(%esp),%edi\n\txorl\t%eax,%ecx\n\tmovl\t%eax,(%esp)\n\txorl\t%edi,%eax\n\trorl\t$11,%ecx\n\tandl\t%eax,%ebp\n\tleal\t2554220882(%ebx,%edx,1),%edx\n\txorl\t%esi,%ecx\n\txorl\t%edi,%ebp\n\tmovl\t72(%esp),%esi\n\trorl\t$2,%ecx\n\taddl\t%edx,%ebp\n\taddl\t12(%esp),%edx\n\taddl\t%ecx,%ebp\n\tmovl\t60(%esp),%ecx\n\tmovl\t%esi,%ebx\n\trorl\t$11,%esi\n\tmovl\t%ecx,%edi\n\trorl\t$2,%ecx\n\txorl\t%ebx,%esi\n\tshrl\t$3,%ebx\n\trorl\t$7,%esi\n\txorl\t%edi,%ecx\n\txorl\t%esi,%ebx\n\trorl\t$17,%ecx\n\taddl\t68(%esp),%ebx\n\tshrl\t$10,%edi\n\taddl\t40(%esp),%ebx\n\tmovl\t%edx,%esi\n\txorl\t%ecx,%edi\n\tmovl\t16(%esp),%ecx\n\trorl\t$14,%edx\n\taddl\t%edi,%ebx\n\tmovl\t20(%esp),%edi\n\txorl\t%esi,%edx\n\tmovl\t%ebx,68(%esp)\n\txorl\t%edi,%ecx\n\trorl\t$5,%edx\n\tandl\t%esi,%ecx\n\tmovl\t%esi,12(%esp)\n\txorl\t%esi,%edx\n\taddl\t24(%esp),%ebx\n\txorl\t%ecx,%edi\n\trorl\t$6,%edx\n\tmovl\t%ebp,%esi\n\taddl\t%edi,%ebx\n\trorl\t$9,%esi\n\tmovl\t%ebp,%ecx\n\tmovl\t(%esp),%edi\n\txorl\t%ebp,%esi\n\tmovl\t%ebp,28(%esp)\n\txorl\t%edi,%ebp\n\trorl\t$11,%esi\n\tandl\t%ebp,%eax\n\tleal\t2821834349(%ebx,%edx,1),%edx\n\txorl\t%ecx,%esi\n\txorl\t%edi,%eax\n\tmovl\t76(%esp),%ecx\n\trorl\t$2,%esi\n\taddl\t%edx,%eax\n\taddl\t8(%esp),%edx\n\taddl\t%esi,%eax\n\tmovl\t64(%esp),%esi\n\tmovl\t%ecx,%ebx\n\trorl\t$11,%ecx\n\tmovl\t%esi,%edi\n\trorl\t$2,%esi\n\txorl\t%ebx,%ecx\n\tshrl\t$3,%ebx\n\trorl\t$7,%ecx\n\txorl\t%edi,%esi\n\txorl\t%ecx,%ebx\n\trorl\t$17,%esi\n\taddl\t72(%esp),%ebx\n\tshrl\t$10,%edi\n\taddl\t44(%esp),%ebx\n\tmovl\t%edx,%ecx\n\txorl\t%esi,%edi\n\tmovl\t12(%esp),%esi\n\trorl\t$14,%edx\n\taddl\t%edi,%ebx\n\tmovl\t16(%esp),%edi\n\txorl\t%ecx,%edx\n\tmovl\t%ebx,72(%esp)\n\txorl\t%edi,%esi\n\trorl\t$5,%edx\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,8(%esp)\n\txorl\t%ecx,%edx\n\taddl\t20(%esp),%ebx\n\txorl\t%esi,%edi\n\trorl\t$6,%edx\n\tmovl\t%eax,%ecx\n\taddl\t%edi,%ebx\n\trorl\t$9,%ecx\n\tmovl\t%eax,%esi\n\tmovl\t28(%esp),%edi\n\txorl\t%eax,%ecx\n\tmovl\t%eax,24(%esp)\n\txorl\t%edi,%eax\n\trorl\t$11,%ecx\n\tandl\t%eax,%ebp\n\tleal\t2952996808(%ebx,%edx,1),%edx\n\txorl\t%esi,%ecx\n\txorl\t%edi,%ebp\n\tmovl\t80(%esp),%esi\n\trorl\t$2,%ecx\n\taddl\t%edx,%ebp\n\taddl\t4(%esp),%edx\n\taddl\t%ecx,%ebp\n\tmovl\t68(%esp),%ecx\n\tmovl\t%esi,%ebx\n\trorl\t$11,%esi\n\tmovl\t%ecx,%edi\n\trorl\t$2,%ecx\n\txorl\t%ebx,%esi\n\tshrl\t$3,%ebx\n\trorl\t$7,%esi\n\txorl\t%edi,%ecx\n\txorl\t%esi,%ebx\n\trorl\t$17,%ecx\n\taddl\t76(%esp),%ebx\n\tshrl\t$10,%edi\n\taddl\t48(%esp),%ebx\n\tmovl\t%edx,%esi\n\txorl\t%ecx,%edi\n\tmovl\t8(%esp),%ecx\n\trorl\t$14,%edx\n\taddl\t%edi,%ebx\n\tmovl\t12(%esp),%edi\n\txorl\t%esi,%edx\n\tmovl\t%ebx,76(%esp)\n\txorl\t%edi,%ecx\n\trorl\t$5,%edx\n\tandl\t%esi,%ecx\n\tmovl\t%esi,4(%esp)\n\txorl\t%esi,%edx\n\taddl\t16(%esp),%ebx\n\txorl\t%ecx,%edi\n\trorl\t$6,%edx\n\tmovl\t%ebp,%esi\n\taddl\t%edi,%ebx\n\trorl\t$9,%esi\n\tmovl\t%ebp,%ecx\n\tmovl\t24(%esp),%edi\n\txorl\t%ebp,%esi\n\tmovl\t%ebp,20(%esp)\n\txorl\t%edi,%ebp\n\trorl\t$11,%esi\n\tandl\t%ebp,%eax\n\tleal\t3210313671(%ebx,%edx,1),%edx\n\txorl\t%ecx,%esi\n\txorl\t%edi,%eax\n\tmovl\t84(%esp),%ecx\n\trorl\t$2,%esi\n\taddl\t%edx,%eax\n\taddl\t(%esp),%edx\n\taddl\t%esi,%eax\n\tmovl\t72(%esp),%esi\n\tmovl\t%ecx,%ebx\n\trorl\t$11,%ecx\n\tmovl\t%esi,%edi\n\trorl\t$2,%esi\n\txorl\t%ebx,%ecx\n\tshrl\t$3,%ebx\n\trorl\t$7,%ecx\n\txorl\t%edi,%esi\n\txorl\t%ecx,%ebx\n\trorl\t$17,%esi\n\taddl\t80(%esp),%ebx\n\tshrl\t$10,%edi\n\taddl\t52(%esp),%ebx\n\tmovl\t%edx,%ecx\n\txorl\t%esi,%edi\n\tmovl\t4(%esp),%esi\n\trorl\t$14,%edx\n\taddl\t%edi,%ebx\n\tmovl\t8(%esp),%edi\n\txorl\t%ecx,%edx\n\tmovl\t%ebx,80(%esp)\n\txorl\t%edi,%esi\n\trorl\t$5,%edx\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,(%esp)\n\txorl\t%ecx,%edx\n\taddl\t12(%esp),%ebx\n\txorl\t%esi,%edi\n\trorl\t$6,%edx\n\tmovl\t%eax,%ecx\n\taddl\t%edi,%ebx\n\trorl\t$9,%ecx\n\tmovl\t%eax,%esi\n\tmovl\t20(%esp),%edi\n\txorl\t%eax,%ecx\n\tmovl\t%eax,16(%esp)\n\txorl\t%edi,%eax\n\trorl\t$11,%ecx\n\tandl\t%eax,%ebp\n\tleal\t3336571891(%ebx,%edx,1),%edx\n\txorl\t%esi,%ecx\n\txorl\t%edi,%ebp\n\tmovl\t88(%esp),%esi\n\trorl\t$2,%ecx\n\taddl\t%edx,%ebp\n\taddl\t28(%esp),%edx\n\taddl\t%ecx,%ebp\n\tmovl\t76(%esp),%ecx\n\tmovl\t%esi,%ebx\n\trorl\t$11,%esi\n\tmovl\t%ecx,%edi\n\trorl\t$2,%ecx\n\txorl\t%ebx,%esi\n\tshrl\t$3,%ebx\n\trorl\t$7,%esi\n\txorl\t%edi,%ecx\n\txorl\t%esi,%ebx\n\trorl\t$17,%ecx\n\taddl\t84(%esp),%ebx\n\tshrl\t$10,%edi\n\taddl\t56(%esp),%ebx\n\tmovl\t%edx,%esi\n\txorl\t%ecx,%edi\n\tmovl\t(%esp),%ecx\n\trorl\t$14,%edx\n\taddl\t%edi,%ebx\n\tmovl\t4(%esp),%edi\n\txorl\t%esi,%edx\n\tmovl\t%ebx,84(%esp)\n\txorl\t%edi,%ecx\n\trorl\t$5,%edx\n\tandl\t%esi,%ecx\n\tmovl\t%esi,28(%esp)\n\txorl\t%esi,%edx\n\taddl\t8(%esp),%ebx\n\txorl\t%ecx,%edi\n\trorl\t$6,%edx\n\tmovl\t%ebp,%esi\n\taddl\t%edi,%ebx\n\trorl\t$9,%esi\n\tmovl\t%ebp,%ecx\n\tmovl\t16(%esp),%edi\n\txorl\t%ebp,%esi\n\tmovl\t%ebp,12(%esp)\n\txorl\t%edi,%ebp\n\trorl\t$11,%esi\n\tandl\t%ebp,%eax\n\tleal\t3584528711(%ebx,%edx,1),%edx\n\txorl\t%ecx,%esi\n\txorl\t%edi,%eax\n\tmovl\t92(%esp),%ecx\n\trorl\t$2,%esi\n\taddl\t%edx,%eax\n\taddl\t24(%esp),%edx\n\taddl\t%esi,%eax\n\tmovl\t80(%esp),%esi\n\tmovl\t%ecx,%ebx\n\trorl\t$11,%ecx\n\tmovl\t%esi,%edi\n\trorl\t$2,%esi\n\txorl\t%ebx,%ecx\n\tshrl\t$3,%ebx\n\trorl\t$7,%ecx\n\txorl\t%edi,%esi\n\txorl\t%ecx,%ebx\n\trorl\t$17,%esi\n\taddl\t88(%esp),%ebx\n\tshrl\t$10,%edi\n\taddl\t60(%esp),%ebx\n\tmovl\t%edx,%ecx\n\txorl\t%esi,%edi\n\tmovl\t28(%esp),%esi\n\trorl\t$14,%edx\n\taddl\t%edi,%ebx\n\tmovl\t(%esp),%edi\n\txorl\t%ecx,%edx\n\tmovl\t%ebx,88(%esp)\n\txorl\t%edi,%esi\n\trorl\t$5,%edx\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,24(%esp)\n\txorl\t%ecx,%edx\n\taddl\t4(%esp),%ebx\n\txorl\t%esi,%edi\n\trorl\t$6,%edx\n\tmovl\t%eax,%ecx\n\taddl\t%edi,%ebx\n\trorl\t$9,%ecx\n\tmovl\t%eax,%esi\n\tmovl\t12(%esp),%edi\n\txorl\t%eax,%ecx\n\tmovl\t%eax,8(%esp)\n\txorl\t%edi,%eax\n\trorl\t$11,%ecx\n\tandl\t%eax,%ebp\n\tleal\t113926993(%ebx,%edx,1),%edx\n\txorl\t%esi,%ecx\n\txorl\t%edi,%ebp\n\tmovl\t32(%esp),%esi\n\trorl\t$2,%ecx\n\taddl\t%edx,%ebp\n\taddl\t20(%esp),%edx\n\taddl\t%ecx,%ebp\n\tmovl\t84(%esp),%ecx\n\tmovl\t%esi,%ebx\n\trorl\t$11,%esi\n\tmovl\t%ecx,%edi\n\trorl\t$2,%ecx\n\txorl\t%ebx,%esi\n\tshrl\t$3,%ebx\n\trorl\t$7,%esi\n\txorl\t%edi,%ecx\n\txorl\t%esi,%ebx\n\trorl\t$17,%ecx\n\taddl\t92(%esp),%ebx\n\tshrl\t$10,%edi\n\taddl\t64(%esp),%ebx\n\tmovl\t%edx,%esi\n\txorl\t%ecx,%edi\n\tmovl\t24(%esp),%ecx\n\trorl\t$14,%edx\n\taddl\t%edi,%ebx\n\tmovl\t28(%esp),%edi\n\txorl\t%esi,%edx\n\tmovl\t%ebx,92(%esp)\n\txorl\t%edi,%ecx\n\trorl\t$5,%edx\n\tandl\t%esi,%ecx\n\tmovl\t%esi,20(%esp)\n\txorl\t%esi,%edx\n\taddl\t(%esp),%ebx\n\txorl\t%ecx,%edi\n\trorl\t$6,%edx\n\tmovl\t%ebp,%esi\n\taddl\t%edi,%ebx\n\trorl\t$9,%esi\n\tmovl\t%ebp,%ecx\n\tmovl\t8(%esp),%edi\n\txorl\t%ebp,%esi\n\tmovl\t%ebp,4(%esp)\n\txorl\t%edi,%ebp\n\trorl\t$11,%esi\n\tandl\t%ebp,%eax\n\tleal\t338241895(%ebx,%edx,1),%edx\n\txorl\t%ecx,%esi\n\txorl\t%edi,%eax\n\tmovl\t36(%esp),%ecx\n\trorl\t$2,%esi\n\taddl\t%edx,%eax\n\taddl\t16(%esp),%edx\n\taddl\t%esi,%eax\n\tmovl\t88(%esp),%esi\n\tmovl\t%ecx,%ebx\n\trorl\t$11,%ecx\n\tmovl\t%esi,%edi\n\trorl\t$2,%esi\n\txorl\t%ebx,%ecx\n\tshrl\t$3,%ebx\n\trorl\t$7,%ecx\n\txorl\t%edi,%esi\n\txorl\t%ecx,%ebx\n\trorl\t$17,%esi\n\taddl\t32(%esp),%ebx\n\tshrl\t$10,%edi\n\taddl\t68(%esp),%ebx\n\tmovl\t%edx,%ecx\n\txorl\t%esi,%edi\n\tmovl\t20(%esp),%esi\n\trorl\t$14,%edx\n\taddl\t%edi,%ebx\n\tmovl\t24(%esp),%edi\n\txorl\t%ecx,%edx\n\tmovl\t%ebx,32(%esp)\n\txorl\t%edi,%esi\n\trorl\t$5,%edx\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,16(%esp)\n\txorl\t%ecx,%edx\n\taddl\t28(%esp),%ebx\n\txorl\t%esi,%edi\n\trorl\t$6,%edx\n\tmovl\t%eax,%ecx\n\taddl\t%edi,%ebx\n\trorl\t$9,%ecx\n\tmovl\t%eax,%esi\n\tmovl\t4(%esp),%edi\n\txorl\t%eax,%ecx\n\tmovl\t%eax,(%esp)\n\txorl\t%edi,%eax\n\trorl\t$11,%ecx\n\tandl\t%eax,%ebp\n\tleal\t666307205(%ebx,%edx,1),%edx\n\txorl\t%esi,%ecx\n\txorl\t%edi,%ebp\n\tmovl\t40(%esp),%esi\n\trorl\t$2,%ecx\n\taddl\t%edx,%ebp\n\taddl\t12(%esp),%edx\n\taddl\t%ecx,%ebp\n\tmovl\t92(%esp),%ecx\n\tmovl\t%esi,%ebx\n\trorl\t$11,%esi\n\tmovl\t%ecx,%edi\n\trorl\t$2,%ecx\n\txorl\t%ebx,%esi\n\tshrl\t$3,%ebx\n\trorl\t$7,%esi\n\txorl\t%edi,%ecx\n\txorl\t%esi,%ebx\n\trorl\t$17,%ecx\n\taddl\t36(%esp),%ebx\n\tshrl\t$10,%edi\n\taddl\t72(%esp),%ebx\n\tmovl\t%edx,%esi\n\txorl\t%ecx,%edi\n\tmovl\t16(%esp),%ecx\n\trorl\t$14,%edx\n\taddl\t%edi,%ebx\n\tmovl\t20(%esp),%edi\n\txorl\t%esi,%edx\n\tmovl\t%ebx,36(%esp)\n\txorl\t%edi,%ecx\n\trorl\t$5,%edx\n\tandl\t%esi,%ecx\n\tmovl\t%esi,12(%esp)\n\txorl\t%esi,%edx\n\taddl\t24(%esp),%ebx\n\txorl\t%ecx,%edi\n\trorl\t$6,%edx\n\tmovl\t%ebp,%esi\n\taddl\t%edi,%ebx\n\trorl\t$9,%esi\n\tmovl\t%ebp,%ecx\n\tmovl\t(%esp),%edi\n\txorl\t%ebp,%esi\n\tmovl\t%ebp,28(%esp)\n\txorl\t%edi,%ebp\n\trorl\t$11,%esi\n\tandl\t%ebp,%eax\n\tleal\t773529912(%ebx,%edx,1),%edx\n\txorl\t%ecx,%esi\n\txorl\t%edi,%eax\n\tmovl\t44(%esp),%ecx\n\trorl\t$2,%esi\n\taddl\t%edx,%eax\n\taddl\t8(%esp),%edx\n\taddl\t%esi,%eax\n\tmovl\t32(%esp),%esi\n\tmovl\t%ecx,%ebx\n\trorl\t$11,%ecx\n\tmovl\t%esi,%edi\n\trorl\t$2,%esi\n\txorl\t%ebx,%ecx\n\tshrl\t$3,%ebx\n\trorl\t$7,%ecx\n\txorl\t%edi,%esi\n\txorl\t%ecx,%ebx\n\trorl\t$17,%esi\n\taddl\t40(%esp),%ebx\n\tshrl\t$10,%edi\n\taddl\t76(%esp),%ebx\n\tmovl\t%edx,%ecx\n\txorl\t%esi,%edi\n\tmovl\t12(%esp),%esi\n\trorl\t$14,%edx\n\taddl\t%edi,%ebx\n\tmovl\t16(%esp),%edi\n\txorl\t%ecx,%edx\n\tmovl\t%ebx,40(%esp)\n\txorl\t%edi,%esi\n\trorl\t$5,%edx\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,8(%esp)\n\txorl\t%ecx,%edx\n\taddl\t20(%esp),%ebx\n\txorl\t%esi,%edi\n\trorl\t$6,%edx\n\tmovl\t%eax,%ecx\n\taddl\t%edi,%ebx\n\trorl\t$9,%ecx\n\tmovl\t%eax,%esi\n\tmovl\t28(%esp),%edi\n\txorl\t%eax,%ecx\n\tmovl\t%eax,24(%esp)\n\txorl\t%edi,%eax\n\trorl\t$11,%ecx\n\tandl\t%eax,%ebp\n\tleal\t1294757372(%ebx,%edx,1),%edx\n\txorl\t%esi,%ecx\n\txorl\t%edi,%ebp\n\tmovl\t48(%esp),%esi\n\trorl\t$2,%ecx\n\taddl\t%edx,%ebp\n\taddl\t4(%esp),%edx\n\taddl\t%ecx,%ebp\n\tmovl\t36(%esp),%ecx\n\tmovl\t%esi,%ebx\n\trorl\t$11,%esi\n\tmovl\t%ecx,%edi\n\trorl\t$2,%ecx\n\txorl\t%ebx,%esi\n\tshrl\t$3,%ebx\n\trorl\t$7,%esi\n\txorl\t%edi,%ecx\n\txorl\t%esi,%ebx\n\trorl\t$17,%ecx\n\taddl\t44(%esp),%ebx\n\tshrl\t$10,%edi\n\taddl\t80(%esp),%ebx\n\tmovl\t%edx,%esi\n\txorl\t%ecx,%edi\n\tmovl\t8(%esp),%ecx\n\trorl\t$14,%edx\n\taddl\t%edi,%ebx\n\tmovl\t12(%esp),%edi\n\txorl\t%esi,%edx\n\tmovl\t%ebx,44(%esp)\n\txorl\t%edi,%ecx\n\trorl\t$5,%edx\n\tandl\t%esi,%ecx\n\tmovl\t%esi,4(%esp)\n\txorl\t%esi,%edx\n\taddl\t16(%esp),%ebx\n\txorl\t%ecx,%edi\n\trorl\t$6,%edx\n\tmovl\t%ebp,%esi\n\taddl\t%edi,%ebx\n\trorl\t$9,%esi\n\tmovl\t%ebp,%ecx\n\tmovl\t24(%esp),%edi\n\txorl\t%ebp,%esi\n\tmovl\t%ebp,20(%esp)\n\txorl\t%edi,%ebp\n\trorl\t$11,%esi\n\tandl\t%ebp,%eax\n\tleal\t1396182291(%ebx,%edx,1),%edx\n\txorl\t%ecx,%esi\n\txorl\t%edi,%eax\n\tmovl\t52(%esp),%ecx\n\trorl\t$2,%esi\n\taddl\t%edx,%eax\n\taddl\t(%esp),%edx\n\taddl\t%esi,%eax\n\tmovl\t40(%esp),%esi\n\tmovl\t%ecx,%ebx\n\trorl\t$11,%ecx\n\tmovl\t%esi,%edi\n\trorl\t$2,%esi\n\txorl\t%ebx,%ecx\n\tshrl\t$3,%ebx\n\trorl\t$7,%ecx\n\txorl\t%edi,%esi\n\txorl\t%ecx,%ebx\n\trorl\t$17,%esi\n\taddl\t48(%esp),%ebx\n\tshrl\t$10,%edi\n\taddl\t84(%esp),%ebx\n\tmovl\t%edx,%ecx\n\txorl\t%esi,%edi\n\tmovl\t4(%esp),%esi\n\trorl\t$14,%edx\n\taddl\t%edi,%ebx\n\tmovl\t8(%esp),%edi\n\txorl\t%ecx,%edx\n\tmovl\t%ebx,48(%esp)\n\txorl\t%edi,%esi\n\trorl\t$5,%edx\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,(%esp)\n\txorl\t%ecx,%edx\n\taddl\t12(%esp),%ebx\n\txorl\t%esi,%edi\n\trorl\t$6,%edx\n\tmovl\t%eax,%ecx\n\taddl\t%edi,%ebx\n\trorl\t$9,%ecx\n\tmovl\t%eax,%esi\n\tmovl\t20(%esp),%edi\n\txorl\t%eax,%ecx\n\tmovl\t%eax,16(%esp)\n\txorl\t%edi,%eax\n\trorl\t$11,%ecx\n\tandl\t%eax,%ebp\n\tleal\t1695183700(%ebx,%edx,1),%edx\n\txorl\t%esi,%ecx\n\txorl\t%edi,%ebp\n\tmovl\t56(%esp),%esi\n\trorl\t$2,%ecx\n\taddl\t%edx,%ebp\n\taddl\t28(%esp),%edx\n\taddl\t%ecx,%ebp\n\tmovl\t44(%esp),%ecx\n\tmovl\t%esi,%ebx\n\trorl\t$11,%esi\n\tmovl\t%ecx,%edi\n\trorl\t$2,%ecx\n\txorl\t%ebx,%esi\n\tshrl\t$3,%ebx\n\trorl\t$7,%esi\n\txorl\t%edi,%ecx\n\txorl\t%esi,%ebx\n\trorl\t$17,%ecx\n\taddl\t52(%esp),%ebx\n\tshrl\t$10,%edi\n\taddl\t88(%esp),%ebx\n\tmovl\t%edx,%esi\n\txorl\t%ecx,%edi\n\tmovl\t(%esp),%ecx\n\trorl\t$14,%edx\n\taddl\t%edi,%ebx\n\tmovl\t4(%esp),%edi\n\txorl\t%esi,%edx\n\tmovl\t%ebx,52(%esp)\n\txorl\t%edi,%ecx\n\trorl\t$5,%edx\n\tandl\t%esi,%ecx\n\tmovl\t%esi,28(%esp)\n\txorl\t%esi,%edx\n\taddl\t8(%esp),%ebx\n\txorl\t%ecx,%edi\n\trorl\t$6,%edx\n\tmovl\t%ebp,%esi\n\taddl\t%edi,%ebx\n\trorl\t$9,%esi\n\tmovl\t%ebp,%ecx\n\tmovl\t16(%esp),%edi\n\txorl\t%ebp,%esi\n\tmovl\t%ebp,12(%esp)\n\txorl\t%edi,%ebp\n\trorl\t$11,%esi\n\tandl\t%ebp,%eax\n\tleal\t1986661051(%ebx,%edx,1),%edx\n\txorl\t%ecx,%esi\n\txorl\t%edi,%eax\n\tmovl\t60(%esp),%ecx\n\trorl\t$2,%esi\n\taddl\t%edx,%eax\n\taddl\t24(%esp),%edx\n\taddl\t%esi,%eax\n\tmovl\t48(%esp),%esi\n\tmovl\t%ecx,%ebx\n\trorl\t$11,%ecx\n\tmovl\t%esi,%edi\n\trorl\t$2,%esi\n\txorl\t%ebx,%ecx\n\tshrl\t$3,%ebx\n\trorl\t$7,%ecx\n\txorl\t%edi,%esi\n\txorl\t%ecx,%ebx\n\trorl\t$17,%esi\n\taddl\t56(%esp),%ebx\n\tshrl\t$10,%edi\n\taddl\t92(%esp),%ebx\n\tmovl\t%edx,%ecx\n\txorl\t%esi,%edi\n\tmovl\t28(%esp),%esi\n\trorl\t$14,%edx\n\taddl\t%edi,%ebx\n\tmovl\t(%esp),%edi\n\txorl\t%ecx,%edx\n\tmovl\t%ebx,56(%esp)\n\txorl\t%edi,%esi\n\trorl\t$5,%edx\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,24(%esp)\n\txorl\t%ecx,%edx\n\taddl\t4(%esp),%ebx\n\txorl\t%esi,%edi\n\trorl\t$6,%edx\n\tmovl\t%eax,%ecx\n\taddl\t%edi,%ebx\n\trorl\t$9,%ecx\n\tmovl\t%eax,%esi\n\tmovl\t12(%esp),%edi\n\txorl\t%eax,%ecx\n\tmovl\t%eax,8(%esp)\n\txorl\t%edi,%eax\n\trorl\t$11,%ecx\n\tandl\t%eax,%ebp\n\tleal\t2177026350(%ebx,%edx,1),%edx\n\txorl\t%esi,%ecx\n\txorl\t%edi,%ebp\n\tmovl\t64(%esp),%esi\n\trorl\t$2,%ecx\n\taddl\t%edx,%ebp\n\taddl\t20(%esp),%edx\n\taddl\t%ecx,%ebp\n\tmovl\t52(%esp),%ecx\n\tmovl\t%esi,%ebx\n\trorl\t$11,%esi\n\tmovl\t%ecx,%edi\n\trorl\t$2,%ecx\n\txorl\t%ebx,%esi\n\tshrl\t$3,%ebx\n\trorl\t$7,%esi\n\txorl\t%edi,%ecx\n\txorl\t%esi,%ebx\n\trorl\t$17,%ecx\n\taddl\t60(%esp),%ebx\n\tshrl\t$10,%edi\n\taddl\t32(%esp),%ebx\n\tmovl\t%edx,%esi\n\txorl\t%ecx,%edi\n\tmovl\t24(%esp),%ecx\n\trorl\t$14,%edx\n\taddl\t%edi,%ebx\n\tmovl\t28(%esp),%edi\n\txorl\t%esi,%edx\n\tmovl\t%ebx,60(%esp)\n\txorl\t%edi,%ecx\n\trorl\t$5,%edx\n\tandl\t%esi,%ecx\n\tmovl\t%esi,20(%esp)\n\txorl\t%esi,%edx\n\taddl\t(%esp),%ebx\n\txorl\t%ecx,%edi\n\trorl\t$6,%edx\n\tmovl\t%ebp,%esi\n\taddl\t%edi,%ebx\n\trorl\t$9,%esi\n\tmovl\t%ebp,%ecx\n\tmovl\t8(%esp),%edi\n\txorl\t%ebp,%esi\n\tmovl\t%ebp,4(%esp)\n\txorl\t%edi,%ebp\n\trorl\t$11,%esi\n\tandl\t%ebp,%eax\n\tleal\t2456956037(%ebx,%edx,1),%edx\n\txorl\t%ecx,%esi\n\txorl\t%edi,%eax\n\tmovl\t68(%esp),%ecx\n\trorl\t$2,%esi\n\taddl\t%edx,%eax\n\taddl\t16(%esp),%edx\n\taddl\t%esi,%eax\n\tmovl\t56(%esp),%esi\n\tmovl\t%ecx,%ebx\n\trorl\t$11,%ecx\n\tmovl\t%esi,%edi\n\trorl\t$2,%esi\n\txorl\t%ebx,%ecx\n\tshrl\t$3,%ebx\n\trorl\t$7,%ecx\n\txorl\t%edi,%esi\n\txorl\t%ecx,%ebx\n\trorl\t$17,%esi\n\taddl\t64(%esp),%ebx\n\tshrl\t$10,%edi\n\taddl\t36(%esp),%ebx\n\tmovl\t%edx,%ecx\n\txorl\t%esi,%edi\n\tmovl\t20(%esp),%esi\n\trorl\t$14,%edx\n\taddl\t%edi,%ebx\n\tmovl\t24(%esp),%edi\n\txorl\t%ecx,%edx\n\tmovl\t%ebx,64(%esp)\n\txorl\t%edi,%esi\n\trorl\t$5,%edx\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,16(%esp)\n\txorl\t%ecx,%edx\n\taddl\t28(%esp),%ebx\n\txorl\t%esi,%edi\n\trorl\t$6,%edx\n\tmovl\t%eax,%ecx\n\taddl\t%edi,%ebx\n\trorl\t$9,%ecx\n\tmovl\t%eax,%esi\n\tmovl\t4(%esp),%edi\n\txorl\t%eax,%ecx\n\tmovl\t%eax,(%esp)\n\txorl\t%edi,%eax\n\trorl\t$11,%ecx\n\tandl\t%eax,%ebp\n\tleal\t2730485921(%ebx,%edx,1),%edx\n\txorl\t%esi,%ecx\n\txorl\t%edi,%ebp\n\tmovl\t72(%esp),%esi\n\trorl\t$2,%ecx\n\taddl\t%edx,%ebp\n\taddl\t12(%esp),%edx\n\taddl\t%ecx,%ebp\n\tmovl\t60(%esp),%ecx\n\tmovl\t%esi,%ebx\n\trorl\t$11,%esi\n\tmovl\t%ecx,%edi\n\trorl\t$2,%ecx\n\txorl\t%ebx,%esi\n\tshrl\t$3,%ebx\n\trorl\t$7,%esi\n\txorl\t%edi,%ecx\n\txorl\t%esi,%ebx\n\trorl\t$17,%ecx\n\taddl\t68(%esp),%ebx\n\tshrl\t$10,%edi\n\taddl\t40(%esp),%ebx\n\tmovl\t%edx,%esi\n\txorl\t%ecx,%edi\n\tmovl\t16(%esp),%ecx\n\trorl\t$14,%edx\n\taddl\t%edi,%ebx\n\tmovl\t20(%esp),%edi\n\txorl\t%esi,%edx\n\tmovl\t%ebx,68(%esp)\n\txorl\t%edi,%ecx\n\trorl\t$5,%edx\n\tandl\t%esi,%ecx\n\tmovl\t%esi,12(%esp)\n\txorl\t%esi,%edx\n\taddl\t24(%esp),%ebx\n\txorl\t%ecx,%edi\n\trorl\t$6,%edx\n\tmovl\t%ebp,%esi\n\taddl\t%edi,%ebx\n\trorl\t$9,%esi\n\tmovl\t%ebp,%ecx\n\tmovl\t(%esp),%edi\n\txorl\t%ebp,%esi\n\tmovl\t%ebp,28(%esp)\n\txorl\t%edi,%ebp\n\trorl\t$11,%esi\n\tandl\t%ebp,%eax\n\tleal\t2820302411(%ebx,%edx,1),%edx\n\txorl\t%ecx,%esi\n\txorl\t%edi,%eax\n\tmovl\t76(%esp),%ecx\n\trorl\t$2,%esi\n\taddl\t%edx,%eax\n\taddl\t8(%esp),%edx\n\taddl\t%esi,%eax\n\tmovl\t64(%esp),%esi\n\tmovl\t%ecx,%ebx\n\trorl\t$11,%ecx\n\tmovl\t%esi,%edi\n\trorl\t$2,%esi\n\txorl\t%ebx,%ecx\n\tshrl\t$3,%ebx\n\trorl\t$7,%ecx\n\txorl\t%edi,%esi\n\txorl\t%ecx,%ebx\n\trorl\t$17,%esi\n\taddl\t72(%esp),%ebx\n\tshrl\t$10,%edi\n\taddl\t44(%esp),%ebx\n\tmovl\t%edx,%ecx\n\txorl\t%esi,%edi\n\tmovl\t12(%esp),%esi\n\trorl\t$14,%edx\n\taddl\t%edi,%ebx\n\tmovl\t16(%esp),%edi\n\txorl\t%ecx,%edx\n\tmovl\t%ebx,72(%esp)\n\txorl\t%edi,%esi\n\trorl\t$5,%edx\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,8(%esp)\n\txorl\t%ecx,%edx\n\taddl\t20(%esp),%ebx\n\txorl\t%esi,%edi\n\trorl\t$6,%edx\n\tmovl\t%eax,%ecx\n\taddl\t%edi,%ebx\n\trorl\t$9,%ecx\n\tmovl\t%eax,%esi\n\tmovl\t28(%esp),%edi\n\txorl\t%eax,%ecx\n\tmovl\t%eax,24(%esp)\n\txorl\t%edi,%eax\n\trorl\t$11,%ecx\n\tandl\t%eax,%ebp\n\tleal\t3259730800(%ebx,%edx,1),%edx\n\txorl\t%esi,%ecx\n\txorl\t%edi,%ebp\n\tmovl\t80(%esp),%esi\n\trorl\t$2,%ecx\n\taddl\t%edx,%ebp\n\taddl\t4(%esp),%edx\n\taddl\t%ecx,%ebp\n\tmovl\t68(%esp),%ecx\n\tmovl\t%esi,%ebx\n\trorl\t$11,%esi\n\tmovl\t%ecx,%edi\n\trorl\t$2,%ecx\n\txorl\t%ebx,%esi\n\tshrl\t$3,%ebx\n\trorl\t$7,%esi\n\txorl\t%edi,%ecx\n\txorl\t%esi,%ebx\n\trorl\t$17,%ecx\n\taddl\t76(%esp),%ebx\n\tshrl\t$10,%edi\n\taddl\t48(%esp),%ebx\n\tmovl\t%edx,%esi\n\txorl\t%ecx,%edi\n\tmovl\t8(%esp),%ecx\n\trorl\t$14,%edx\n\taddl\t%edi,%ebx\n\tmovl\t12(%esp),%edi\n\txorl\t%esi,%edx\n\tmovl\t%ebx,76(%esp)\n\txorl\t%edi,%ecx\n\trorl\t$5,%edx\n\tandl\t%esi,%ecx\n\tmovl\t%esi,4(%esp)\n\txorl\t%esi,%edx\n\taddl\t16(%esp),%ebx\n\txorl\t%ecx,%edi\n\trorl\t$6,%edx\n\tmovl\t%ebp,%esi\n\taddl\t%edi,%ebx\n\trorl\t$9,%esi\n\tmovl\t%ebp,%ecx\n\tmovl\t24(%esp),%edi\n\txorl\t%ebp,%esi\n\tmovl\t%ebp,20(%esp)\n\txorl\t%edi,%ebp\n\trorl\t$11,%esi\n\tandl\t%ebp,%eax\n\tleal\t3345764771(%ebx,%edx,1),%edx\n\txorl\t%ecx,%esi\n\txorl\t%edi,%eax\n\tmovl\t84(%esp),%ecx\n\trorl\t$2,%esi\n\taddl\t%edx,%eax\n\taddl\t(%esp),%edx\n\taddl\t%esi,%eax\n\tmovl\t72(%esp),%esi\n\tmovl\t%ecx,%ebx\n\trorl\t$11,%ecx\n\tmovl\t%esi,%edi\n\trorl\t$2,%esi\n\txorl\t%ebx,%ecx\n\tshrl\t$3,%ebx\n\trorl\t$7,%ecx\n\txorl\t%edi,%esi\n\txorl\t%ecx,%ebx\n\trorl\t$17,%esi\n\taddl\t80(%esp),%ebx\n\tshrl\t$10,%edi\n\taddl\t52(%esp),%ebx\n\tmovl\t%edx,%ecx\n\txorl\t%esi,%edi\n\tmovl\t4(%esp),%esi\n\trorl\t$14,%edx\n\taddl\t%edi,%ebx\n\tmovl\t8(%esp),%edi\n\txorl\t%ecx,%edx\n\tmovl\t%ebx,80(%esp)\n\txorl\t%edi,%esi\n\trorl\t$5,%edx\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,(%esp)\n\txorl\t%ecx,%edx\n\taddl\t12(%esp),%ebx\n\txorl\t%esi,%edi\n\trorl\t$6,%edx\n\tmovl\t%eax,%ecx\n\taddl\t%edi,%ebx\n\trorl\t$9,%ecx\n\tmovl\t%eax,%esi\n\tmovl\t20(%esp),%edi\n\txorl\t%eax,%ecx\n\tmovl\t%eax,16(%esp)\n\txorl\t%edi,%eax\n\trorl\t$11,%ecx\n\tandl\t%eax,%ebp\n\tleal\t3516065817(%ebx,%edx,1),%edx\n\txorl\t%esi,%ecx\n\txorl\t%edi,%ebp\n\tmovl\t88(%esp),%esi\n\trorl\t$2,%ecx\n\taddl\t%edx,%ebp\n\taddl\t28(%esp),%edx\n\taddl\t%ecx,%ebp\n\tmovl\t76(%esp),%ecx\n\tmovl\t%esi,%ebx\n\trorl\t$11,%esi\n\tmovl\t%ecx,%edi\n\trorl\t$2,%ecx\n\txorl\t%ebx,%esi\n\tshrl\t$3,%ebx\n\trorl\t$7,%esi\n\txorl\t%edi,%ecx\n\txorl\t%esi,%ebx\n\trorl\t$17,%ecx\n\taddl\t84(%esp),%ebx\n\tshrl\t$10,%edi\n\taddl\t56(%esp),%ebx\n\tmovl\t%edx,%esi\n\txorl\t%ecx,%edi\n\tmovl\t(%esp),%ecx\n\trorl\t$14,%edx\n\taddl\t%edi,%ebx\n\tmovl\t4(%esp),%edi\n\txorl\t%esi,%edx\n\tmovl\t%ebx,84(%esp)\n\txorl\t%edi,%ecx\n\trorl\t$5,%edx\n\tandl\t%esi,%ecx\n\tmovl\t%esi,28(%esp)\n\txorl\t%esi,%edx\n\taddl\t8(%esp),%ebx\n\txorl\t%ecx,%edi\n\trorl\t$6,%edx\n\tmovl\t%ebp,%esi\n\taddl\t%edi,%ebx\n\trorl\t$9,%esi\n\tmovl\t%ebp,%ecx\n\tmovl\t16(%esp),%edi\n\txorl\t%ebp,%esi\n\tmovl\t%ebp,12(%esp)\n\txorl\t%edi,%ebp\n\trorl\t$11,%esi\n\tandl\t%ebp,%eax\n\tleal\t3600352804(%ebx,%edx,1),%edx\n\txorl\t%ecx,%esi\n\txorl\t%edi,%eax\n\tmovl\t92(%esp),%ecx\n\trorl\t$2,%esi\n\taddl\t%edx,%eax\n\taddl\t24(%esp),%edx\n\taddl\t%esi,%eax\n\tmovl\t80(%esp),%esi\n\tmovl\t%ecx,%ebx\n\trorl\t$11,%ecx\n\tmovl\t%esi,%edi\n\trorl\t$2,%esi\n\txorl\t%ebx,%ecx\n\tshrl\t$3,%ebx\n\trorl\t$7,%ecx\n\txorl\t%edi,%esi\n\txorl\t%ecx,%ebx\n\trorl\t$17,%esi\n\taddl\t88(%esp),%ebx\n\tshrl\t$10,%edi\n\taddl\t60(%esp),%ebx\n\tmovl\t%edx,%ecx\n\txorl\t%esi,%edi\n\tmovl\t28(%esp),%esi\n\trorl\t$14,%edx\n\taddl\t%edi,%ebx\n\tmovl\t(%esp),%edi\n\txorl\t%ecx,%edx\n\tmovl\t%ebx,88(%esp)\n\txorl\t%edi,%esi\n\trorl\t$5,%edx\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,24(%esp)\n\txorl\t%ecx,%edx\n\taddl\t4(%esp),%ebx\n\txorl\t%esi,%edi\n\trorl\t$6,%edx\n\tmovl\t%eax,%ecx\n\taddl\t%edi,%ebx\n\trorl\t$9,%ecx\n\tmovl\t%eax,%esi\n\tmovl\t12(%esp),%edi\n\txorl\t%eax,%ecx\n\tmovl\t%eax,8(%esp)\n\txorl\t%edi,%eax\n\trorl\t$11,%ecx\n\tandl\t%eax,%ebp\n\tleal\t4094571909(%ebx,%edx,1),%edx\n\txorl\t%esi,%ecx\n\txorl\t%edi,%ebp\n\tmovl\t32(%esp),%esi\n\trorl\t$2,%ecx\n\taddl\t%edx,%ebp\n\taddl\t20(%esp),%edx\n\taddl\t%ecx,%ebp\n\tmovl\t84(%esp),%ecx\n\tmovl\t%esi,%ebx\n\trorl\t$11,%esi\n\tmovl\t%ecx,%edi\n\trorl\t$2,%ecx\n\txorl\t%ebx,%esi\n\tshrl\t$3,%ebx\n\trorl\t$7,%esi\n\txorl\t%edi,%ecx\n\txorl\t%esi,%ebx\n\trorl\t$17,%ecx\n\taddl\t92(%esp),%ebx\n\tshrl\t$10,%edi\n\taddl\t64(%esp),%ebx\n\tmovl\t%edx,%esi\n\txorl\t%ecx,%edi\n\tmovl\t24(%esp),%ecx\n\trorl\t$14,%edx\n\taddl\t%edi,%ebx\n\tmovl\t28(%esp),%edi\n\txorl\t%esi,%edx\n\tmovl\t%ebx,92(%esp)\n\txorl\t%edi,%ecx\n\trorl\t$5,%edx\n\tandl\t%esi,%ecx\n\tmovl\t%esi,20(%esp)\n\txorl\t%esi,%edx\n\taddl\t(%esp),%ebx\n\txorl\t%ecx,%edi\n\trorl\t$6,%edx\n\tmovl\t%ebp,%esi\n\taddl\t%edi,%ebx\n\trorl\t$9,%esi\n\tmovl\t%ebp,%ecx\n\tmovl\t8(%esp),%edi\n\txorl\t%ebp,%esi\n\tmovl\t%ebp,4(%esp)\n\txorl\t%edi,%ebp\n\trorl\t$11,%esi\n\tandl\t%ebp,%eax\n\tleal\t275423344(%ebx,%edx,1),%edx\n\txorl\t%ecx,%esi\n\txorl\t%edi,%eax\n\tmovl\t36(%esp),%ecx\n\trorl\t$2,%esi\n\taddl\t%edx,%eax\n\taddl\t16(%esp),%edx\n\taddl\t%esi,%eax\n\tmovl\t88(%esp),%esi\n\tmovl\t%ecx,%ebx\n\trorl\t$11,%ecx\n\tmovl\t%esi,%edi\n\trorl\t$2,%esi\n\txorl\t%ebx,%ecx\n\tshrl\t$3,%ebx\n\trorl\t$7,%ecx\n\txorl\t%edi,%esi\n\txorl\t%ecx,%ebx\n\trorl\t$17,%esi\n\taddl\t32(%esp),%ebx\n\tshrl\t$10,%edi\n\taddl\t68(%esp),%ebx\n\tmovl\t%edx,%ecx\n\txorl\t%esi,%edi\n\tmovl\t20(%esp),%esi\n\trorl\t$14,%edx\n\taddl\t%edi,%ebx\n\tmovl\t24(%esp),%edi\n\txorl\t%ecx,%edx\n\tmovl\t%ebx,32(%esp)\n\txorl\t%edi,%esi\n\trorl\t$5,%edx\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,16(%esp)\n\txorl\t%ecx,%edx\n\taddl\t28(%esp),%ebx\n\txorl\t%esi,%edi\n\trorl\t$6,%edx\n\tmovl\t%eax,%ecx\n\taddl\t%edi,%ebx\n\trorl\t$9,%ecx\n\tmovl\t%eax,%esi\n\tmovl\t4(%esp),%edi\n\txorl\t%eax,%ecx\n\tmovl\t%eax,(%esp)\n\txorl\t%edi,%eax\n\trorl\t$11,%ecx\n\tandl\t%eax,%ebp\n\tleal\t430227734(%ebx,%edx,1),%edx\n\txorl\t%esi,%ecx\n\txorl\t%edi,%ebp\n\tmovl\t40(%esp),%esi\n\trorl\t$2,%ecx\n\taddl\t%edx,%ebp\n\taddl\t12(%esp),%edx\n\taddl\t%ecx,%ebp\n\tmovl\t92(%esp),%ecx\n\tmovl\t%esi,%ebx\n\trorl\t$11,%esi\n\tmovl\t%ecx,%edi\n\trorl\t$2,%ecx\n\txorl\t%ebx,%esi\n\tshrl\t$3,%ebx\n\trorl\t$7,%esi\n\txorl\t%edi,%ecx\n\txorl\t%esi,%ebx\n\trorl\t$17,%ecx\n\taddl\t36(%esp),%ebx\n\tshrl\t$10,%edi\n\taddl\t72(%esp),%ebx\n\tmovl\t%edx,%esi\n\txorl\t%ecx,%edi\n\tmovl\t16(%esp),%ecx\n\trorl\t$14,%edx\n\taddl\t%edi,%ebx\n\tmovl\t20(%esp),%edi\n\txorl\t%esi,%edx\n\tmovl\t%ebx,36(%esp)\n\txorl\t%edi,%ecx\n\trorl\t$5,%edx\n\tandl\t%esi,%ecx\n\tmovl\t%esi,12(%esp)\n\txorl\t%esi,%edx\n\taddl\t24(%esp),%ebx\n\txorl\t%ecx,%edi\n\trorl\t$6,%edx\n\tmovl\t%ebp,%esi\n\taddl\t%edi,%ebx\n\trorl\t$9,%esi\n\tmovl\t%ebp,%ecx\n\tmovl\t(%esp),%edi\n\txorl\t%ebp,%esi\n\tmovl\t%ebp,28(%esp)\n\txorl\t%edi,%ebp\n\trorl\t$11,%esi\n\tandl\t%ebp,%eax\n\tleal\t506948616(%ebx,%edx,1),%edx\n\txorl\t%ecx,%esi\n\txorl\t%edi,%eax\n\tmovl\t44(%esp),%ecx\n\trorl\t$2,%esi\n\taddl\t%edx,%eax\n\taddl\t8(%esp),%edx\n\taddl\t%esi,%eax\n\tmovl\t32(%esp),%esi\n\tmovl\t%ecx,%ebx\n\trorl\t$11,%ecx\n\tmovl\t%esi,%edi\n\trorl\t$2,%esi\n\txorl\t%ebx,%ecx\n\tshrl\t$3,%ebx\n\trorl\t$7,%ecx\n\txorl\t%edi,%esi\n\txorl\t%ecx,%ebx\n\trorl\t$17,%esi\n\taddl\t40(%esp),%ebx\n\tshrl\t$10,%edi\n\taddl\t76(%esp),%ebx\n\tmovl\t%edx,%ecx\n\txorl\t%esi,%edi\n\tmovl\t12(%esp),%esi\n\trorl\t$14,%edx\n\taddl\t%edi,%ebx\n\tmovl\t16(%esp),%edi\n\txorl\t%ecx,%edx\n\tmovl\t%ebx,40(%esp)\n\txorl\t%edi,%esi\n\trorl\t$5,%edx\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,8(%esp)\n\txorl\t%ecx,%edx\n\taddl\t20(%esp),%ebx\n\txorl\t%esi,%edi\n\trorl\t$6,%edx\n\tmovl\t%eax,%ecx\n\taddl\t%edi,%ebx\n\trorl\t$9,%ecx\n\tmovl\t%eax,%esi\n\tmovl\t28(%esp),%edi\n\txorl\t%eax,%ecx\n\tmovl\t%eax,24(%esp)\n\txorl\t%edi,%eax\n\trorl\t$11,%ecx\n\tandl\t%eax,%ebp\n\tleal\t659060556(%ebx,%edx,1),%edx\n\txorl\t%esi,%ecx\n\txorl\t%edi,%ebp\n\tmovl\t48(%esp),%esi\n\trorl\t$2,%ecx\n\taddl\t%edx,%ebp\n\taddl\t4(%esp),%edx\n\taddl\t%ecx,%ebp\n\tmovl\t36(%esp),%ecx\n\tmovl\t%esi,%ebx\n\trorl\t$11,%esi\n\tmovl\t%ecx,%edi\n\trorl\t$2,%ecx\n\txorl\t%ebx,%esi\n\tshrl\t$3,%ebx\n\trorl\t$7,%esi\n\txorl\t%edi,%ecx\n\txorl\t%esi,%ebx\n\trorl\t$17,%ecx\n\taddl\t44(%esp),%ebx\n\tshrl\t$10,%edi\n\taddl\t80(%esp),%ebx\n\tmovl\t%edx,%esi\n\txorl\t%ecx,%edi\n\tmovl\t8(%esp),%ecx\n\trorl\t$14,%edx\n\taddl\t%edi,%ebx\n\tmovl\t12(%esp),%edi\n\txorl\t%esi,%edx\n\tmovl\t%ebx,44(%esp)\n\txorl\t%edi,%ecx\n\trorl\t$5,%edx\n\tandl\t%esi,%ecx\n\tmovl\t%esi,4(%esp)\n\txorl\t%esi,%edx\n\taddl\t16(%esp),%ebx\n\txorl\t%ecx,%edi\n\trorl\t$6,%edx\n\tmovl\t%ebp,%esi\n\taddl\t%edi,%ebx\n\trorl\t$9,%esi\n\tmovl\t%ebp,%ecx\n\tmovl\t24(%esp),%edi\n\txorl\t%ebp,%esi\n\tmovl\t%ebp,20(%esp)\n\txorl\t%edi,%ebp\n\trorl\t$11,%esi\n\tandl\t%ebp,%eax\n\tleal\t883997877(%ebx,%edx,1),%edx\n\txorl\t%ecx,%esi\n\txorl\t%edi,%eax\n\tmovl\t52(%esp),%ecx\n\trorl\t$2,%esi\n\taddl\t%edx,%eax\n\taddl\t(%esp),%edx\n\taddl\t%esi,%eax\n\tmovl\t40(%esp),%esi\n\tmovl\t%ecx,%ebx\n\trorl\t$11,%ecx\n\tmovl\t%esi,%edi\n\trorl\t$2,%esi\n\txorl\t%ebx,%ecx\n\tshrl\t$3,%ebx\n\trorl\t$7,%ecx\n\txorl\t%edi,%esi\n\txorl\t%ecx,%ebx\n\trorl\t$17,%esi\n\taddl\t48(%esp),%ebx\n\tshrl\t$10,%edi\n\taddl\t84(%esp),%ebx\n\tmovl\t%edx,%ecx\n\txorl\t%esi,%edi\n\tmovl\t4(%esp),%esi\n\trorl\t$14,%edx\n\taddl\t%edi,%ebx\n\tmovl\t8(%esp),%edi\n\txorl\t%ecx,%edx\n\tmovl\t%ebx,48(%esp)\n\txorl\t%edi,%esi\n\trorl\t$5,%edx\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,(%esp)\n\txorl\t%ecx,%edx\n\taddl\t12(%esp),%ebx\n\txorl\t%esi,%edi\n\trorl\t$6,%edx\n\tmovl\t%eax,%ecx\n\taddl\t%edi,%ebx\n\trorl\t$9,%ecx\n\tmovl\t%eax,%esi\n\tmovl\t20(%esp),%edi\n\txorl\t%eax,%ecx\n\tmovl\t%eax,16(%esp)\n\txorl\t%edi,%eax\n\trorl\t$11,%ecx\n\tandl\t%eax,%ebp\n\tleal\t958139571(%ebx,%edx,1),%edx\n\txorl\t%esi,%ecx\n\txorl\t%edi,%ebp\n\tmovl\t56(%esp),%esi\n\trorl\t$2,%ecx\n\taddl\t%edx,%ebp\n\taddl\t28(%esp),%edx\n\taddl\t%ecx,%ebp\n\tmovl\t44(%esp),%ecx\n\tmovl\t%esi,%ebx\n\trorl\t$11,%esi\n\tmovl\t%ecx,%edi\n\trorl\t$2,%ecx\n\txorl\t%ebx,%esi\n\tshrl\t$3,%ebx\n\trorl\t$7,%esi\n\txorl\t%edi,%ecx\n\txorl\t%esi,%ebx\n\trorl\t$17,%ecx\n\taddl\t52(%esp),%ebx\n\tshrl\t$10,%edi\n\taddl\t88(%esp),%ebx\n\tmovl\t%edx,%esi\n\txorl\t%ecx,%edi\n\tmovl\t(%esp),%ecx\n\trorl\t$14,%edx\n\taddl\t%edi,%ebx\n\tmovl\t4(%esp),%edi\n\txorl\t%esi,%edx\n\tmovl\t%ebx,52(%esp)\n\txorl\t%edi,%ecx\n\trorl\t$5,%edx\n\tandl\t%esi,%ecx\n\tmovl\t%esi,28(%esp)\n\txorl\t%esi,%edx\n\taddl\t8(%esp),%ebx\n\txorl\t%ecx,%edi\n\trorl\t$6,%edx\n\tmovl\t%ebp,%esi\n\taddl\t%edi,%ebx\n\trorl\t$9,%esi\n\tmovl\t%ebp,%ecx\n\tmovl\t16(%esp),%edi\n\txorl\t%ebp,%esi\n\tmovl\t%ebp,12(%esp)\n\txorl\t%edi,%ebp\n\trorl\t$11,%esi\n\tandl\t%ebp,%eax\n\tleal\t1322822218(%ebx,%edx,1),%edx\n\txorl\t%ecx,%esi\n\txorl\t%edi,%eax\n\tmovl\t60(%esp),%ecx\n\trorl\t$2,%esi\n\taddl\t%edx,%eax\n\taddl\t24(%esp),%edx\n\taddl\t%esi,%eax\n\tmovl\t48(%esp),%esi\n\tmovl\t%ecx,%ebx\n\trorl\t$11,%ecx\n\tmovl\t%esi,%edi\n\trorl\t$2,%esi\n\txorl\t%ebx,%ecx\n\tshrl\t$3,%ebx\n\trorl\t$7,%ecx\n\txorl\t%edi,%esi\n\txorl\t%ecx,%ebx\n\trorl\t$17,%esi\n\taddl\t56(%esp),%ebx\n\tshrl\t$10,%edi\n\taddl\t92(%esp),%ebx\n\tmovl\t%edx,%ecx\n\txorl\t%esi,%edi\n\tmovl\t28(%esp),%esi\n\trorl\t$14,%edx\n\taddl\t%edi,%ebx\n\tmovl\t(%esp),%edi\n\txorl\t%ecx,%edx\n\tmovl\t%ebx,56(%esp)\n\txorl\t%edi,%esi\n\trorl\t$5,%edx\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,24(%esp)\n\txorl\t%ecx,%edx\n\taddl\t4(%esp),%ebx\n\txorl\t%esi,%edi\n\trorl\t$6,%edx\n\tmovl\t%eax,%ecx\n\taddl\t%edi,%ebx\n\trorl\t$9,%ecx\n\tmovl\t%eax,%esi\n\tmovl\t12(%esp),%edi\n\txorl\t%eax,%ecx\n\tmovl\t%eax,8(%esp)\n\txorl\t%edi,%eax\n\trorl\t$11,%ecx\n\tandl\t%eax,%ebp\n\tleal\t1537002063(%ebx,%edx,1),%edx\n\txorl\t%esi,%ecx\n\txorl\t%edi,%ebp\n\tmovl\t64(%esp),%esi\n\trorl\t$2,%ecx\n\taddl\t%edx,%ebp\n\taddl\t20(%esp),%edx\n\taddl\t%ecx,%ebp\n\tmovl\t52(%esp),%ecx\n\tmovl\t%esi,%ebx\n\trorl\t$11,%esi\n\tmovl\t%ecx,%edi\n\trorl\t$2,%ecx\n\txorl\t%ebx,%esi\n\tshrl\t$3,%ebx\n\trorl\t$7,%esi\n\txorl\t%edi,%ecx\n\txorl\t%esi,%ebx\n\trorl\t$17,%ecx\n\taddl\t60(%esp),%ebx\n\tshrl\t$10,%edi\n\taddl\t32(%esp),%ebx\n\tmovl\t%edx,%esi\n\txorl\t%ecx,%edi\n\tmovl\t24(%esp),%ecx\n\trorl\t$14,%edx\n\taddl\t%edi,%ebx\n\tmovl\t28(%esp),%edi\n\txorl\t%esi,%edx\n\tmovl\t%ebx,60(%esp)\n\txorl\t%edi,%ecx\n\trorl\t$5,%edx\n\tandl\t%esi,%ecx\n\tmovl\t%esi,20(%esp)\n\txorl\t%esi,%edx\n\taddl\t(%esp),%ebx\n\txorl\t%ecx,%edi\n\trorl\t$6,%edx\n\tmovl\t%ebp,%esi\n\taddl\t%edi,%ebx\n\trorl\t$9,%esi\n\tmovl\t%ebp,%ecx\n\tmovl\t8(%esp),%edi\n\txorl\t%ebp,%esi\n\tmovl\t%ebp,4(%esp)\n\txorl\t%edi,%ebp\n\trorl\t$11,%esi\n\tandl\t%ebp,%eax\n\tleal\t1747873779(%ebx,%edx,1),%edx\n\txorl\t%ecx,%esi\n\txorl\t%edi,%eax\n\tmovl\t68(%esp),%ecx\n\trorl\t$2,%esi\n\taddl\t%edx,%eax\n\taddl\t16(%esp),%edx\n\taddl\t%esi,%eax\n\tmovl\t56(%esp),%esi\n\tmovl\t%ecx,%ebx\n\trorl\t$11,%ecx\n\tmovl\t%esi,%edi\n\trorl\t$2,%esi\n\txorl\t%ebx,%ecx\n\tshrl\t$3,%ebx\n\trorl\t$7,%ecx\n\txorl\t%edi,%esi\n\txorl\t%ecx,%ebx\n\trorl\t$17,%esi\n\taddl\t64(%esp),%ebx\n\tshrl\t$10,%edi\n\taddl\t36(%esp),%ebx\n\tmovl\t%edx,%ecx\n\txorl\t%esi,%edi\n\tmovl\t20(%esp),%esi\n\trorl\t$14,%edx\n\taddl\t%edi,%ebx\n\tmovl\t24(%esp),%edi\n\txorl\t%ecx,%edx\n\tmovl\t%ebx,64(%esp)\n\txorl\t%edi,%esi\n\trorl\t$5,%edx\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,16(%esp)\n\txorl\t%ecx,%edx\n\taddl\t28(%esp),%ebx\n\txorl\t%esi,%edi\n\trorl\t$6,%edx\n\tmovl\t%eax,%ecx\n\taddl\t%edi,%ebx\n\trorl\t$9,%ecx\n\tmovl\t%eax,%esi\n\tmovl\t4(%esp),%edi\n\txorl\t%eax,%ecx\n\tmovl\t%eax,(%esp)\n\txorl\t%edi,%eax\n\trorl\t$11,%ecx\n\tandl\t%eax,%ebp\n\tleal\t1955562222(%ebx,%edx,1),%edx\n\txorl\t%esi,%ecx\n\txorl\t%edi,%ebp\n\tmovl\t72(%esp),%esi\n\trorl\t$2,%ecx\n\taddl\t%edx,%ebp\n\taddl\t12(%esp),%edx\n\taddl\t%ecx,%ebp\n\tmovl\t60(%esp),%ecx\n\tmovl\t%esi,%ebx\n\trorl\t$11,%esi\n\tmovl\t%ecx,%edi\n\trorl\t$2,%ecx\n\txorl\t%ebx,%esi\n\tshrl\t$3,%ebx\n\trorl\t$7,%esi\n\txorl\t%edi,%ecx\n\txorl\t%esi,%ebx\n\trorl\t$17,%ecx\n\taddl\t68(%esp),%ebx\n\tshrl\t$10,%edi\n\taddl\t40(%esp),%ebx\n\tmovl\t%edx,%esi\n\txorl\t%ecx,%edi\n\tmovl\t16(%esp),%ecx\n\trorl\t$14,%edx\n\taddl\t%edi,%ebx\n\tmovl\t20(%esp),%edi\n\txorl\t%esi,%edx\n\tmovl\t%ebx,68(%esp)\n\txorl\t%edi,%ecx\n\trorl\t$5,%edx\n\tandl\t%esi,%ecx\n\tmovl\t%esi,12(%esp)\n\txorl\t%esi,%edx\n\taddl\t24(%esp),%ebx\n\txorl\t%ecx,%edi\n\trorl\t$6,%edx\n\tmovl\t%ebp,%esi\n\taddl\t%edi,%ebx\n\trorl\t$9,%esi\n\tmovl\t%ebp,%ecx\n\tmovl\t(%esp),%edi\n\txorl\t%ebp,%esi\n\tmovl\t%ebp,28(%esp)\n\txorl\t%edi,%ebp\n\trorl\t$11,%esi\n\tandl\t%ebp,%eax\n\tleal\t2024104815(%ebx,%edx,1),%edx\n\txorl\t%ecx,%esi\n\txorl\t%edi,%eax\n\tmovl\t76(%esp),%ecx\n\trorl\t$2,%esi\n\taddl\t%edx,%eax\n\taddl\t8(%esp),%edx\n\taddl\t%esi,%eax\n\tmovl\t64(%esp),%esi\n\tmovl\t%ecx,%ebx\n\trorl\t$11,%ecx\n\tmovl\t%esi,%edi\n\trorl\t$2,%esi\n\txorl\t%ebx,%ecx\n\tshrl\t$3,%ebx\n\trorl\t$7,%ecx\n\txorl\t%edi,%esi\n\txorl\t%ecx,%ebx\n\trorl\t$17,%esi\n\taddl\t72(%esp),%ebx\n\tshrl\t$10,%edi\n\taddl\t44(%esp),%ebx\n\tmovl\t%edx,%ecx\n\txorl\t%esi,%edi\n\tmovl\t12(%esp),%esi\n\trorl\t$14,%edx\n\taddl\t%edi,%ebx\n\tmovl\t16(%esp),%edi\n\txorl\t%ecx,%edx\n\tmovl\t%ebx,72(%esp)\n\txorl\t%edi,%esi\n\trorl\t$5,%edx\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,8(%esp)\n\txorl\t%ecx,%edx\n\taddl\t20(%esp),%ebx\n\txorl\t%esi,%edi\n\trorl\t$6,%edx\n\tmovl\t%eax,%ecx\n\taddl\t%edi,%ebx\n\trorl\t$9,%ecx\n\tmovl\t%eax,%esi\n\tmovl\t28(%esp),%edi\n\txorl\t%eax,%ecx\n\tmovl\t%eax,24(%esp)\n\txorl\t%edi,%eax\n\trorl\t$11,%ecx\n\tandl\t%eax,%ebp\n\tleal\t2227730452(%ebx,%edx,1),%edx\n\txorl\t%esi,%ecx\n\txorl\t%edi,%ebp\n\tmovl\t80(%esp),%esi\n\trorl\t$2,%ecx\n\taddl\t%edx,%ebp\n\taddl\t4(%esp),%edx\n\taddl\t%ecx,%ebp\n\tmovl\t68(%esp),%ecx\n\tmovl\t%esi,%ebx\n\trorl\t$11,%esi\n\tmovl\t%ecx,%edi\n\trorl\t$2,%ecx\n\txorl\t%ebx,%esi\n\tshrl\t$3,%ebx\n\trorl\t$7,%esi\n\txorl\t%edi,%ecx\n\txorl\t%esi,%ebx\n\trorl\t$17,%ecx\n\taddl\t76(%esp),%ebx\n\tshrl\t$10,%edi\n\taddl\t48(%esp),%ebx\n\tmovl\t%edx,%esi\n\txorl\t%ecx,%edi\n\tmovl\t8(%esp),%ecx\n\trorl\t$14,%edx\n\taddl\t%edi,%ebx\n\tmovl\t12(%esp),%edi\n\txorl\t%esi,%edx\n\tmovl\t%ebx,76(%esp)\n\txorl\t%edi,%ecx\n\trorl\t$5,%edx\n\tandl\t%esi,%ecx\n\tmovl\t%esi,4(%esp)\n\txorl\t%esi,%edx\n\taddl\t16(%esp),%ebx\n\txorl\t%ecx,%edi\n\trorl\t$6,%edx\n\tmovl\t%ebp,%esi\n\taddl\t%edi,%ebx\n\trorl\t$9,%esi\n\tmovl\t%ebp,%ecx\n\tmovl\t24(%esp),%edi\n\txorl\t%ebp,%esi\n\tmovl\t%ebp,20(%esp)\n\txorl\t%edi,%ebp\n\trorl\t$11,%esi\n\tandl\t%ebp,%eax\n\tleal\t2361852424(%ebx,%edx,1),%edx\n\txorl\t%ecx,%esi\n\txorl\t%edi,%eax\n\tmovl\t84(%esp),%ecx\n\trorl\t$2,%esi\n\taddl\t%edx,%eax\n\taddl\t(%esp),%edx\n\taddl\t%esi,%eax\n\tmovl\t72(%esp),%esi\n\tmovl\t%ecx,%ebx\n\trorl\t$11,%ecx\n\tmovl\t%esi,%edi\n\trorl\t$2,%esi\n\txorl\t%ebx,%ecx\n\tshrl\t$3,%ebx\n\trorl\t$7,%ecx\n\txorl\t%edi,%esi\n\txorl\t%ecx,%ebx\n\trorl\t$17,%esi\n\taddl\t80(%esp),%ebx\n\tshrl\t$10,%edi\n\taddl\t52(%esp),%ebx\n\tmovl\t%edx,%ecx\n\txorl\t%esi,%edi\n\tmovl\t4(%esp),%esi\n\trorl\t$14,%edx\n\taddl\t%edi,%ebx\n\tmovl\t8(%esp),%edi\n\txorl\t%ecx,%edx\n\tmovl\t%ebx,80(%esp)\n\txorl\t%edi,%esi\n\trorl\t$5,%edx\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,(%esp)\n\txorl\t%ecx,%edx\n\taddl\t12(%esp),%ebx\n\txorl\t%esi,%edi\n\trorl\t$6,%edx\n\tmovl\t%eax,%ecx\n\taddl\t%edi,%ebx\n\trorl\t$9,%ecx\n\tmovl\t%eax,%esi\n\tmovl\t20(%esp),%edi\n\txorl\t%eax,%ecx\n\tmovl\t%eax,16(%esp)\n\txorl\t%edi,%eax\n\trorl\t$11,%ecx\n\tandl\t%eax,%ebp\n\tleal\t2428436474(%ebx,%edx,1),%edx\n\txorl\t%esi,%ecx\n\txorl\t%edi,%ebp\n\tmovl\t88(%esp),%esi\n\trorl\t$2,%ecx\n\taddl\t%edx,%ebp\n\taddl\t28(%esp),%edx\n\taddl\t%ecx,%ebp\n\tmovl\t76(%esp),%ecx\n\tmovl\t%esi,%ebx\n\trorl\t$11,%esi\n\tmovl\t%ecx,%edi\n\trorl\t$2,%ecx\n\txorl\t%ebx,%esi\n\tshrl\t$3,%ebx\n\trorl\t$7,%esi\n\txorl\t%edi,%ecx\n\txorl\t%esi,%ebx\n\trorl\t$17,%ecx\n\taddl\t84(%esp),%ebx\n\tshrl\t$10,%edi\n\taddl\t56(%esp),%ebx\n\tmovl\t%edx,%esi\n\txorl\t%ecx,%edi\n\tmovl\t(%esp),%ecx\n\trorl\t$14,%edx\n\taddl\t%edi,%ebx\n\tmovl\t4(%esp),%edi\n\txorl\t%esi,%edx\n\tmovl\t%ebx,84(%esp)\n\txorl\t%edi,%ecx\n\trorl\t$5,%edx\n\tandl\t%esi,%ecx\n\tmovl\t%esi,28(%esp)\n\txorl\t%esi,%edx\n\taddl\t8(%esp),%ebx\n\txorl\t%ecx,%edi\n\trorl\t$6,%edx\n\tmovl\t%ebp,%esi\n\taddl\t%edi,%ebx\n\trorl\t$9,%esi\n\tmovl\t%ebp,%ecx\n\tmovl\t16(%esp),%edi\n\txorl\t%ebp,%esi\n\tmovl\t%ebp,12(%esp)\n\txorl\t%edi,%ebp\n\trorl\t$11,%esi\n\tandl\t%ebp,%eax\n\tleal\t2756734187(%ebx,%edx,1),%edx\n\txorl\t%ecx,%esi\n\txorl\t%edi,%eax\n\tmovl\t92(%esp),%ecx\n\trorl\t$2,%esi\n\taddl\t%edx,%eax\n\taddl\t24(%esp),%edx\n\taddl\t%esi,%eax\n\tmovl\t80(%esp),%esi\n\tmovl\t%ecx,%ebx\n\trorl\t$11,%ecx\n\tmovl\t%esi,%edi\n\trorl\t$2,%esi\n\txorl\t%ebx,%ecx\n\tshrl\t$3,%ebx\n\trorl\t$7,%ecx\n\txorl\t%edi,%esi\n\txorl\t%ecx,%ebx\n\trorl\t$17,%esi\n\taddl\t88(%esp),%ebx\n\tshrl\t$10,%edi\n\taddl\t60(%esp),%ebx\n\tmovl\t%edx,%ecx\n\txorl\t%esi,%edi\n\tmovl\t28(%esp),%esi\n\trorl\t$14,%edx\n\taddl\t%edi,%ebx\n\tmovl\t(%esp),%edi\n\txorl\t%ecx,%edx\n\txorl\t%edi,%esi\n\trorl\t$5,%edx\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,24(%esp)\n\txorl\t%ecx,%edx\n\taddl\t4(%esp),%ebx\n\txorl\t%esi,%edi\n\trorl\t$6,%edx\n\tmovl\t%eax,%ecx\n\taddl\t%edi,%ebx\n\trorl\t$9,%ecx\n\tmovl\t%eax,%esi\n\tmovl\t12(%esp),%edi\n\txorl\t%eax,%ecx\n\tmovl\t%eax,8(%esp)\n\txorl\t%edi,%eax\n\trorl\t$11,%ecx\n\tandl\t%eax,%ebp\n\tleal\t3204031479(%ebx,%edx,1),%edx\n\txorl\t%esi,%ecx\n\txorl\t%edi,%ebp\n\tmovl\t32(%esp),%esi\n\trorl\t$2,%ecx\n\taddl\t%edx,%ebp\n\taddl\t20(%esp),%edx\n\taddl\t%ecx,%ebp\n\tmovl\t84(%esp),%ecx\n\tmovl\t%esi,%ebx\n\trorl\t$11,%esi\n\tmovl\t%ecx,%edi\n\trorl\t$2,%ecx\n\txorl\t%ebx,%esi\n\tshrl\t$3,%ebx\n\trorl\t$7,%esi\n\txorl\t%edi,%ecx\n\txorl\t%esi,%ebx\n\trorl\t$17,%ecx\n\taddl\t92(%esp),%ebx\n\tshrl\t$10,%edi\n\taddl\t64(%esp),%ebx\n\tmovl\t%edx,%esi\n\txorl\t%ecx,%edi\n\tmovl\t24(%esp),%ecx\n\trorl\t$14,%edx\n\taddl\t%edi,%ebx\n\tmovl\t28(%esp),%edi\n\txorl\t%esi,%edx\n\txorl\t%edi,%ecx\n\trorl\t$5,%edx\n\tandl\t%esi,%ecx\n\tmovl\t%esi,20(%esp)\n\txorl\t%esi,%edx\n\taddl\t(%esp),%ebx\n\txorl\t%ecx,%edi\n\trorl\t$6,%edx\n\tmovl\t%ebp,%esi\n\taddl\t%edi,%ebx\n\trorl\t$9,%esi\n\tmovl\t%ebp,%ecx\n\tmovl\t8(%esp),%edi\n\txorl\t%ebp,%esi\n\tmovl\t%ebp,4(%esp)\n\txorl\t%edi,%ebp\n\trorl\t$11,%esi\n\tandl\t%ebp,%eax\n\tleal\t3329325298(%ebx,%edx,1),%edx\n\txorl\t%ecx,%esi\n\txorl\t%edi,%eax\n\trorl\t$2,%esi\n\taddl\t%edx,%eax\n\taddl\t16(%esp),%edx\n\taddl\t%esi,%eax\n\tmovl\t96(%esp),%esi\n\txorl\t%edi,%ebp\n\tmovl\t12(%esp),%ecx\n\taddl\t(%esi),%eax\n\taddl\t4(%esi),%ebp\n\taddl\t8(%esi),%edi\n\taddl\t12(%esi),%ecx\n\tmovl\t%eax,(%esi)\n\tmovl\t%ebp,4(%esi)\n\tmovl\t%edi,8(%esi)\n\tmovl\t%ecx,12(%esi)\n\tmovl\t%ebp,4(%esp)\n\txorl\t%edi,%ebp\n\tmovl\t%edi,8(%esp)\n\tmovl\t%ecx,12(%esp)\n\tmovl\t20(%esp),%edi\n\tmovl\t24(%esp),%ebx\n\tmovl\t28(%esp),%ecx\n\taddl\t16(%esi),%edx\n\taddl\t20(%esi),%edi\n\taddl\t24(%esi),%ebx\n\taddl\t28(%esi),%ecx\n\tmovl\t%edx,16(%esi)\n\tmovl\t%edi,20(%esi)\n\tmovl\t%ebx,24(%esi)\n\tmovl\t%ecx,28(%esi)\n\tmovl\t%edi,20(%esp)\n\tmovl\t100(%esp),%edi\n\tmovl\t%ebx,24(%esp)\n\tmovl\t%ecx,28(%esp)\n\tcmpl\t104(%esp),%edi\n\tjb\tL006grand_loop\n\tmovl\t108(%esp),%esp\n\tpopl\t%edi\n\tpopl\t%esi\n\tpopl\t%ebx\n\tpopl\t%ebp\n\tret\n.globl\t_sha256_block_data_order_ssse3\n.private_extern\t_sha256_block_data_order_ssse3\n.align\t4\n_sha256_block_data_order_ssse3:\nL_sha256_block_data_order_ssse3_begin:\n\tpushl\t%ebp\n\tpushl\t%ebx\n\tpushl\t%esi\n\tpushl\t%edi\n\tmovl\t20(%esp),%esi\n\tmovl\t24(%esp),%edi\n\tmovl\t28(%esp),%eax\n\tmovl\t%esp,%ebx\n\tcall\tL007pic_point\nL007pic_point:\n\tpopl\t%ebp\n\tleal\tLK256-L007pic_point(%ebp),%ebp\n\tsubl\t$16,%esp\n\tandl\t$-64,%esp\n\tshll\t$6,%eax\n\taddl\t%edi,%eax\n\tmovl\t%esi,(%esp)\n\tmovl\t%edi,4(%esp)\n\tmovl\t%eax,8(%esp)\n\tmovl\t%ebx,12(%esp)\n\tleal\t-96(%esp),%esp\n\tmovl\t(%esi),%eax\n\tmovl\t4(%esi),%ebx\n\tmovl\t8(%esi),%ecx\n\tmovl\t12(%esi),%edi\n\tmovl\t%ebx,4(%esp)\n\txorl\t%ecx,%ebx\n\tmovl\t%ecx,8(%esp)\n\tmovl\t%edi,12(%esp)\n\tmovl\t16(%esi),%edx\n\tmovl\t20(%esi),%edi\n\tmovl\t24(%esi),%ecx\n\tmovl\t28(%esi),%esi\n\tmovl\t%edi,20(%esp)\n\tmovl\t100(%esp),%edi\n\tmovl\t%ecx,24(%esp)\n\tmovl\t%esi,28(%esp)\n\tmovdqa\t256(%ebp),%xmm7\n\tjmp\tL008grand_ssse3\n.align\t4,0x90\nL008grand_ssse3:\n\tmovdqu\t(%edi),%xmm0\n\tmovdqu\t16(%edi),%xmm1\n\tmovdqu\t32(%edi),%xmm2\n\tmovdqu\t48(%edi),%xmm3\n\taddl\t$64,%edi\n.byte\t102,15,56,0,199\n\tmovl\t%edi,100(%esp)\n.byte\t102,15,56,0,207\n\tmovdqa\t(%ebp),%xmm4\n.byte\t102,15,56,0,215\n\tmovdqa\t16(%ebp),%xmm5\n\tpaddd\t%xmm0,%xmm4\n.byte\t102,15,56,0,223\n\tmovdqa\t32(%ebp),%xmm6\n\tpaddd\t%xmm1,%xmm5\n\tmovdqa\t48(%ebp),%xmm7\n\tmovdqa\t%xmm4,32(%esp)\n\tpaddd\t%xmm2,%xmm6\n\tmovdqa\t%xmm5,48(%esp)\n\tpaddd\t%xmm3,%xmm7\n\tmovdqa\t%xmm6,64(%esp)\n\tmovdqa\t%xmm7,80(%esp)\n\tjmp\tL009ssse3_00_47\n.align\t4,0x90\nL009ssse3_00_47:\n\taddl\t$64,%ebp\n\tmovl\t%edx,%ecx\n\tmovdqa\t%xmm1,%xmm4\n\trorl\t$14,%edx\n\tmovl\t20(%esp),%esi\n\tmovdqa\t%xmm3,%xmm7\n\txorl\t%ecx,%edx\n\tmovl\t24(%esp),%edi\n.byte\t102,15,58,15,224,4\n\txorl\t%edi,%esi\n\trorl\t$5,%edx\n\tandl\t%ecx,%esi\n.byte\t102,15,58,15,250,4\n\tmovl\t%ecx,16(%esp)\n\txorl\t%ecx,%edx\n\txorl\t%esi,%edi\n\tmovdqa\t%xmm4,%xmm5\n\trorl\t$6,%edx\n\tmovl\t%eax,%ecx\n\tmovdqa\t%xmm4,%xmm6\n\taddl\t%edi,%edx\n\tmovl\t4(%esp),%edi\n\tpsrld\t$3,%xmm4\n\tmovl\t%eax,%esi\n\trorl\t$9,%ecx\n\tpaddd\t%xmm7,%xmm0\n\tmovl\t%eax,(%esp)\n\txorl\t%eax,%ecx\n\tpsrld\t$7,%xmm6\n\txorl\t%edi,%eax\n\taddl\t28(%esp),%edx\n\trorl\t$11,%ecx\n\tandl\t%eax,%ebx\n\tpshufd\t$250,%xmm3,%xmm7\n\txorl\t%esi,%ecx\n\taddl\t32(%esp),%edx\n\tpslld\t$14,%xmm5\n\txorl\t%edi,%ebx\n\trorl\t$2,%ecx\n\tpxor\t%xmm6,%xmm4\n\taddl\t%edx,%ebx\n\taddl\t12(%esp),%edx\n\tpsrld\t$11,%xmm6\n\taddl\t%ecx,%ebx\n\tmovl\t%edx,%ecx\n\trorl\t$14,%edx\n\tpxor\t%xmm5,%xmm4\n\tmovl\t16(%esp),%esi\n\txorl\t%ecx,%edx\n\tpslld\t$11,%xmm5\n\tmovl\t20(%esp),%edi\n\txorl\t%edi,%esi\n\trorl\t$5,%edx\n\tpxor\t%xmm6,%xmm4\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,12(%esp)\n\tmovdqa\t%xmm7,%xmm6\n\txorl\t%ecx,%edx\n\txorl\t%esi,%edi\n\trorl\t$6,%edx\n\tpxor\t%xmm5,%xmm4\n\tmovl\t%ebx,%ecx\n\taddl\t%edi,%edx\n\tpsrld\t$10,%xmm7\n\tmovl\t(%esp),%edi\n\tmovl\t%ebx,%esi\n\trorl\t$9,%ecx\n\tpaddd\t%xmm4,%xmm0\n\tmovl\t%ebx,28(%esp)\n\txorl\t%ebx,%ecx\n\tpsrlq\t$17,%xmm6\n\txorl\t%edi,%ebx\n\taddl\t24(%esp),%edx\n\trorl\t$11,%ecx\n\tpxor\t%xmm6,%xmm7\n\tandl\t%ebx,%eax\n\txorl\t%esi,%ecx\n\tpsrlq\t$2,%xmm6\n\taddl\t36(%esp),%edx\n\txorl\t%edi,%eax\n\trorl\t$2,%ecx\n\tpxor\t%xmm6,%xmm7\n\taddl\t%edx,%eax\n\taddl\t8(%esp),%edx\n\tpshufd\t$128,%xmm7,%xmm7\n\taddl\t%ecx,%eax\n\tmovl\t%edx,%ecx\n\trorl\t$14,%edx\n\tmovl\t12(%esp),%esi\n\txorl\t%ecx,%edx\n\tmovl\t16(%esp),%edi\n\txorl\t%edi,%esi\n\trorl\t$5,%edx\n\tandl\t%ecx,%esi\n\tpsrldq\t$8,%xmm7\n\tmovl\t%ecx,8(%esp)\n\txorl\t%ecx,%edx\n\txorl\t%esi,%edi\n\tpaddd\t%xmm7,%xmm0\n\trorl\t$6,%edx\n\tmovl\t%eax,%ecx\n\taddl\t%edi,%edx\n\tmovl\t28(%esp),%edi\n\tmovl\t%eax,%esi\n\trorl\t$9,%ecx\n\tmovl\t%eax,24(%esp)\n\tpshufd\t$80,%xmm0,%xmm7\n\txorl\t%eax,%ecx\n\txorl\t%edi,%eax\n\taddl\t20(%esp),%edx\n\tmovdqa\t%xmm7,%xmm6\n\trorl\t$11,%ecx\n\tpsrld\t$10,%xmm7\n\tandl\t%eax,%ebx\n\tpsrlq\t$17,%xmm6\n\txorl\t%esi,%ecx\n\taddl\t40(%esp),%edx\n\txorl\t%edi,%ebx\n\trorl\t$2,%ecx\n\tpxor\t%xmm6,%xmm7\n\taddl\t%edx,%ebx\n\taddl\t4(%esp),%edx\n\tpsrlq\t$2,%xmm6\n\taddl\t%ecx,%ebx\n\tmovl\t%edx,%ecx\n\trorl\t$14,%edx\n\tpxor\t%xmm6,%xmm7\n\tmovl\t8(%esp),%esi\n\txorl\t%ecx,%edx\n\tmovl\t12(%esp),%edi\n\tpshufd\t$8,%xmm7,%xmm7\n\txorl\t%edi,%esi\n\trorl\t$5,%edx\n\tmovdqa\t(%ebp),%xmm6\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,4(%esp)\n\tpslldq\t$8,%xmm7\n\txorl\t%ecx,%edx\n\txorl\t%esi,%edi\n\trorl\t$6,%edx\n\tmovl\t%ebx,%ecx\n\taddl\t%edi,%edx\n\tmovl\t24(%esp),%edi\n\tmovl\t%ebx,%esi\n\trorl\t$9,%ecx\n\tpaddd\t%xmm7,%xmm0\n\tmovl\t%ebx,20(%esp)\n\txorl\t%ebx,%ecx\n\txorl\t%edi,%ebx\n\taddl\t16(%esp),%edx\n\tpaddd\t%xmm0,%xmm6\n\trorl\t$11,%ecx\n\tandl\t%ebx,%eax\n\txorl\t%esi,%ecx\n\taddl\t44(%esp),%edx\n\txorl\t%edi,%eax\n\trorl\t$2,%ecx\n\taddl\t%edx,%eax\n\taddl\t(%esp),%edx\n\taddl\t%ecx,%eax\n\tmovdqa\t%xmm6,32(%esp)\n\tmovl\t%edx,%ecx\n\tmovdqa\t%xmm2,%xmm4\n\trorl\t$14,%edx\n\tmovl\t4(%esp),%esi\n\tmovdqa\t%xmm0,%xmm7\n\txorl\t%ecx,%edx\n\tmovl\t8(%esp),%edi\n.byte\t102,15,58,15,225,4\n\txorl\t%edi,%esi\n\trorl\t$5,%edx\n\tandl\t%ecx,%esi\n.byte\t102,15,58,15,251,4\n\tmovl\t%ecx,(%esp)\n\txorl\t%ecx,%edx\n\txorl\t%esi,%edi\n\tmovdqa\t%xmm4,%xmm5\n\trorl\t$6,%edx\n\tmovl\t%eax,%ecx\n\tmovdqa\t%xmm4,%xmm6\n\taddl\t%edi,%edx\n\tmovl\t20(%esp),%edi\n\tpsrld\t$3,%xmm4\n\tmovl\t%eax,%esi\n\trorl\t$9,%ecx\n\tpaddd\t%xmm7,%xmm1\n\tmovl\t%eax,16(%esp)\n\txorl\t%eax,%ecx\n\tpsrld\t$7,%xmm6\n\txorl\t%edi,%eax\n\taddl\t12(%esp),%edx\n\trorl\t$11,%ecx\n\tandl\t%eax,%ebx\n\tpshufd\t$250,%xmm0,%xmm7\n\txorl\t%esi,%ecx\n\taddl\t48(%esp),%edx\n\tpslld\t$14,%xmm5\n\txorl\t%edi,%ebx\n\trorl\t$2,%ecx\n\tpxor\t%xmm6,%xmm4\n\taddl\t%edx,%ebx\n\taddl\t28(%esp),%edx\n\tpsrld\t$11,%xmm6\n\taddl\t%ecx,%ebx\n\tmovl\t%edx,%ecx\n\trorl\t$14,%edx\n\tpxor\t%xmm5,%xmm4\n\tmovl\t(%esp),%esi\n\txorl\t%ecx,%edx\n\tpslld\t$11,%xmm5\n\tmovl\t4(%esp),%edi\n\txorl\t%edi,%esi\n\trorl\t$5,%edx\n\tpxor\t%xmm6,%xmm4\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,28(%esp)\n\tmovdqa\t%xmm7,%xmm6\n\txorl\t%ecx,%edx\n\txorl\t%esi,%edi\n\trorl\t$6,%edx\n\tpxor\t%xmm5,%xmm4\n\tmovl\t%ebx,%ecx\n\taddl\t%edi,%edx\n\tpsrld\t$10,%xmm7\n\tmovl\t16(%esp),%edi\n\tmovl\t%ebx,%esi\n\trorl\t$9,%ecx\n\tpaddd\t%xmm4,%xmm1\n\tmovl\t%ebx,12(%esp)\n\txorl\t%ebx,%ecx\n\tpsrlq\t$17,%xmm6\n\txorl\t%edi,%ebx\n\taddl\t8(%esp),%edx\n\trorl\t$11,%ecx\n\tpxor\t%xmm6,%xmm7\n\tandl\t%ebx,%eax\n\txorl\t%esi,%ecx\n\tpsrlq\t$2,%xmm6\n\taddl\t52(%esp),%edx\n\txorl\t%edi,%eax\n\trorl\t$2,%ecx\n\tpxor\t%xmm6,%xmm7\n\taddl\t%edx,%eax\n\taddl\t24(%esp),%edx\n\tpshufd\t$128,%xmm7,%xmm7\n\taddl\t%ecx,%eax\n\tmovl\t%edx,%ecx\n\trorl\t$14,%edx\n\tmovl\t28(%esp),%esi\n\txorl\t%ecx,%edx\n\tmovl\t(%esp),%edi\n\txorl\t%edi,%esi\n\trorl\t$5,%edx\n\tandl\t%ecx,%esi\n\tpsrldq\t$8,%xmm7\n\tmovl\t%ecx,24(%esp)\n\txorl\t%ecx,%edx\n\txorl\t%esi,%edi\n\tpaddd\t%xmm7,%xmm1\n\trorl\t$6,%edx\n\tmovl\t%eax,%ecx\n\taddl\t%edi,%edx\n\tmovl\t12(%esp),%edi\n\tmovl\t%eax,%esi\n\trorl\t$9,%ecx\n\tmovl\t%eax,8(%esp)\n\tpshufd\t$80,%xmm1,%xmm7\n\txorl\t%eax,%ecx\n\txorl\t%edi,%eax\n\taddl\t4(%esp),%edx\n\tmovdqa\t%xmm7,%xmm6\n\trorl\t$11,%ecx\n\tpsrld\t$10,%xmm7\n\tandl\t%eax,%ebx\n\tpsrlq\t$17,%xmm6\n\txorl\t%esi,%ecx\n\taddl\t56(%esp),%edx\n\txorl\t%edi,%ebx\n\trorl\t$2,%ecx\n\tpxor\t%xmm6,%xmm7\n\taddl\t%edx,%ebx\n\taddl\t20(%esp),%edx\n\tpsrlq\t$2,%xmm6\n\taddl\t%ecx,%ebx\n\tmovl\t%edx,%ecx\n\trorl\t$14,%edx\n\tpxor\t%xmm6,%xmm7\n\tmovl\t24(%esp),%esi\n\txorl\t%ecx,%edx\n\tmovl\t28(%esp),%edi\n\tpshufd\t$8,%xmm7,%xmm7\n\txorl\t%edi,%esi\n\trorl\t$5,%edx\n\tmovdqa\t16(%ebp),%xmm6\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,20(%esp)\n\tpslldq\t$8,%xmm7\n\txorl\t%ecx,%edx\n\txorl\t%esi,%edi\n\trorl\t$6,%edx\n\tmovl\t%ebx,%ecx\n\taddl\t%edi,%edx\n\tmovl\t8(%esp),%edi\n\tmovl\t%ebx,%esi\n\trorl\t$9,%ecx\n\tpaddd\t%xmm7,%xmm1\n\tmovl\t%ebx,4(%esp)\n\txorl\t%ebx,%ecx\n\txorl\t%edi,%ebx\n\taddl\t(%esp),%edx\n\tpaddd\t%xmm1,%xmm6\n\trorl\t$11,%ecx\n\tandl\t%ebx,%eax\n\txorl\t%esi,%ecx\n\taddl\t60(%esp),%edx\n\txorl\t%edi,%eax\n\trorl\t$2,%ecx\n\taddl\t%edx,%eax\n\taddl\t16(%esp),%edx\n\taddl\t%ecx,%eax\n\tmovdqa\t%xmm6,48(%esp)\n\tmovl\t%edx,%ecx\n\tmovdqa\t%xmm3,%xmm4\n\trorl\t$14,%edx\n\tmovl\t20(%esp),%esi\n\tmovdqa\t%xmm1,%xmm7\n\txorl\t%ecx,%edx\n\tmovl\t24(%esp),%edi\n.byte\t102,15,58,15,226,4\n\txorl\t%edi,%esi\n\trorl\t$5,%edx\n\tandl\t%ecx,%esi\n.byte\t102,15,58,15,248,4\n\tmovl\t%ecx,16(%esp)\n\txorl\t%ecx,%edx\n\txorl\t%esi,%edi\n\tmovdqa\t%xmm4,%xmm5\n\trorl\t$6,%edx\n\tmovl\t%eax,%ecx\n\tmovdqa\t%xmm4,%xmm6\n\taddl\t%edi,%edx\n\tmovl\t4(%esp),%edi\n\tpsrld\t$3,%xmm4\n\tmovl\t%eax,%esi\n\trorl\t$9,%ecx\n\tpaddd\t%xmm7,%xmm2\n\tmovl\t%eax,(%esp)\n\txorl\t%eax,%ecx\n\tpsrld\t$7,%xmm6\n\txorl\t%edi,%eax\n\taddl\t28(%esp),%edx\n\trorl\t$11,%ecx\n\tandl\t%eax,%ebx\n\tpshufd\t$250,%xmm1,%xmm7\n\txorl\t%esi,%ecx\n\taddl\t64(%esp),%edx\n\tpslld\t$14,%xmm5\n\txorl\t%edi,%ebx\n\trorl\t$2,%ecx\n\tpxor\t%xmm6,%xmm4\n\taddl\t%edx,%ebx\n\taddl\t12(%esp),%edx\n\tpsrld\t$11,%xmm6\n\taddl\t%ecx,%ebx\n\tmovl\t%edx,%ecx\n\trorl\t$14,%edx\n\tpxor\t%xmm5,%xmm4\n\tmovl\t16(%esp),%esi\n\txorl\t%ecx,%edx\n\tpslld\t$11,%xmm5\n\tmovl\t20(%esp),%edi\n\txorl\t%edi,%esi\n\trorl\t$5,%edx\n\tpxor\t%xmm6,%xmm4\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,12(%esp)\n\tmovdqa\t%xmm7,%xmm6\n\txorl\t%ecx,%edx\n\txorl\t%esi,%edi\n\trorl\t$6,%edx\n\tpxor\t%xmm5,%xmm4\n\tmovl\t%ebx,%ecx\n\taddl\t%edi,%edx\n\tpsrld\t$10,%xmm7\n\tmovl\t(%esp),%edi\n\tmovl\t%ebx,%esi\n\trorl\t$9,%ecx\n\tpaddd\t%xmm4,%xmm2\n\tmovl\t%ebx,28(%esp)\n\txorl\t%ebx,%ecx\n\tpsrlq\t$17,%xmm6\n\txorl\t%edi,%ebx\n\taddl\t24(%esp),%edx\n\trorl\t$11,%ecx\n\tpxor\t%xmm6,%xmm7\n\tandl\t%ebx,%eax\n\txorl\t%esi,%ecx\n\tpsrlq\t$2,%xmm6\n\taddl\t68(%esp),%edx\n\txorl\t%edi,%eax\n\trorl\t$2,%ecx\n\tpxor\t%xmm6,%xmm7\n\taddl\t%edx,%eax\n\taddl\t8(%esp),%edx\n\tpshufd\t$128,%xmm7,%xmm7\n\taddl\t%ecx,%eax\n\tmovl\t%edx,%ecx\n\trorl\t$14,%edx\n\tmovl\t12(%esp),%esi\n\txorl\t%ecx,%edx\n\tmovl\t16(%esp),%edi\n\txorl\t%edi,%esi\n\trorl\t$5,%edx\n\tandl\t%ecx,%esi\n\tpsrldq\t$8,%xmm7\n\tmovl\t%ecx,8(%esp)\n\txorl\t%ecx,%edx\n\txorl\t%esi,%edi\n\tpaddd\t%xmm7,%xmm2\n\trorl\t$6,%edx\n\tmovl\t%eax,%ecx\n\taddl\t%edi,%edx\n\tmovl\t28(%esp),%edi\n\tmovl\t%eax,%esi\n\trorl\t$9,%ecx\n\tmovl\t%eax,24(%esp)\n\tpshufd\t$80,%xmm2,%xmm7\n\txorl\t%eax,%ecx\n\txorl\t%edi,%eax\n\taddl\t20(%esp),%edx\n\tmovdqa\t%xmm7,%xmm6\n\trorl\t$11,%ecx\n\tpsrld\t$10,%xmm7\n\tandl\t%eax,%ebx\n\tpsrlq\t$17,%xmm6\n\txorl\t%esi,%ecx\n\taddl\t72(%esp),%edx\n\txorl\t%edi,%ebx\n\trorl\t$2,%ecx\n\tpxor\t%xmm6,%xmm7\n\taddl\t%edx,%ebx\n\taddl\t4(%esp),%edx\n\tpsrlq\t$2,%xmm6\n\taddl\t%ecx,%ebx\n\tmovl\t%edx,%ecx\n\trorl\t$14,%edx\n\tpxor\t%xmm6,%xmm7\n\tmovl\t8(%esp),%esi\n\txorl\t%ecx,%edx\n\tmovl\t12(%esp),%edi\n\tpshufd\t$8,%xmm7,%xmm7\n\txorl\t%edi,%esi\n\trorl\t$5,%edx\n\tmovdqa\t32(%ebp),%xmm6\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,4(%esp)\n\tpslldq\t$8,%xmm7\n\txorl\t%ecx,%edx\n\txorl\t%esi,%edi\n\trorl\t$6,%edx\n\tmovl\t%ebx,%ecx\n\taddl\t%edi,%edx\n\tmovl\t24(%esp),%edi\n\tmovl\t%ebx,%esi\n\trorl\t$9,%ecx\n\tpaddd\t%xmm7,%xmm2\n\tmovl\t%ebx,20(%esp)\n\txorl\t%ebx,%ecx\n\txorl\t%edi,%ebx\n\taddl\t16(%esp),%edx\n\tpaddd\t%xmm2,%xmm6\n\trorl\t$11,%ecx\n\tandl\t%ebx,%eax\n\txorl\t%esi,%ecx\n\taddl\t76(%esp),%edx\n\txorl\t%edi,%eax\n\trorl\t$2,%ecx\n\taddl\t%edx,%eax\n\taddl\t(%esp),%edx\n\taddl\t%ecx,%eax\n\tmovdqa\t%xmm6,64(%esp)\n\tmovl\t%edx,%ecx\n\tmovdqa\t%xmm0,%xmm4\n\trorl\t$14,%edx\n\tmovl\t4(%esp),%esi\n\tmovdqa\t%xmm2,%xmm7\n\txorl\t%ecx,%edx\n\tmovl\t8(%esp),%edi\n.byte\t102,15,58,15,227,4\n\txorl\t%edi,%esi\n\trorl\t$5,%edx\n\tandl\t%ecx,%esi\n.byte\t102,15,58,15,249,4\n\tmovl\t%ecx,(%esp)\n\txorl\t%ecx,%edx\n\txorl\t%esi,%edi\n\tmovdqa\t%xmm4,%xmm5\n\trorl\t$6,%edx\n\tmovl\t%eax,%ecx\n\tmovdqa\t%xmm4,%xmm6\n\taddl\t%edi,%edx\n\tmovl\t20(%esp),%edi\n\tpsrld\t$3,%xmm4\n\tmovl\t%eax,%esi\n\trorl\t$9,%ecx\n\tpaddd\t%xmm7,%xmm3\n\tmovl\t%eax,16(%esp)\n\txorl\t%eax,%ecx\n\tpsrld\t$7,%xmm6\n\txorl\t%edi,%eax\n\taddl\t12(%esp),%edx\n\trorl\t$11,%ecx\n\tandl\t%eax,%ebx\n\tpshufd\t$250,%xmm2,%xmm7\n\txorl\t%esi,%ecx\n\taddl\t80(%esp),%edx\n\tpslld\t$14,%xmm5\n\txorl\t%edi,%ebx\n\trorl\t$2,%ecx\n\tpxor\t%xmm6,%xmm4\n\taddl\t%edx,%ebx\n\taddl\t28(%esp),%edx\n\tpsrld\t$11,%xmm6\n\taddl\t%ecx,%ebx\n\tmovl\t%edx,%ecx\n\trorl\t$14,%edx\n\tpxor\t%xmm5,%xmm4\n\tmovl\t(%esp),%esi\n\txorl\t%ecx,%edx\n\tpslld\t$11,%xmm5\n\tmovl\t4(%esp),%edi\n\txorl\t%edi,%esi\n\trorl\t$5,%edx\n\tpxor\t%xmm6,%xmm4\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,28(%esp)\n\tmovdqa\t%xmm7,%xmm6\n\txorl\t%ecx,%edx\n\txorl\t%esi,%edi\n\trorl\t$6,%edx\n\tpxor\t%xmm5,%xmm4\n\tmovl\t%ebx,%ecx\n\taddl\t%edi,%edx\n\tpsrld\t$10,%xmm7\n\tmovl\t16(%esp),%edi\n\tmovl\t%ebx,%esi\n\trorl\t$9,%ecx\n\tpaddd\t%xmm4,%xmm3\n\tmovl\t%ebx,12(%esp)\n\txorl\t%ebx,%ecx\n\tpsrlq\t$17,%xmm6\n\txorl\t%edi,%ebx\n\taddl\t8(%esp),%edx\n\trorl\t$11,%ecx\n\tpxor\t%xmm6,%xmm7\n\tandl\t%ebx,%eax\n\txorl\t%esi,%ecx\n\tpsrlq\t$2,%xmm6\n\taddl\t84(%esp),%edx\n\txorl\t%edi,%eax\n\trorl\t$2,%ecx\n\tpxor\t%xmm6,%xmm7\n\taddl\t%edx,%eax\n\taddl\t24(%esp),%edx\n\tpshufd\t$128,%xmm7,%xmm7\n\taddl\t%ecx,%eax\n\tmovl\t%edx,%ecx\n\trorl\t$14,%edx\n\tmovl\t28(%esp),%esi\n\txorl\t%ecx,%edx\n\tmovl\t(%esp),%edi\n\txorl\t%edi,%esi\n\trorl\t$5,%edx\n\tandl\t%ecx,%esi\n\tpsrldq\t$8,%xmm7\n\tmovl\t%ecx,24(%esp)\n\txorl\t%ecx,%edx\n\txorl\t%esi,%edi\n\tpaddd\t%xmm7,%xmm3\n\trorl\t$6,%edx\n\tmovl\t%eax,%ecx\n\taddl\t%edi,%edx\n\tmovl\t12(%esp),%edi\n\tmovl\t%eax,%esi\n\trorl\t$9,%ecx\n\tmovl\t%eax,8(%esp)\n\tpshufd\t$80,%xmm3,%xmm7\n\txorl\t%eax,%ecx\n\txorl\t%edi,%eax\n\taddl\t4(%esp),%edx\n\tmovdqa\t%xmm7,%xmm6\n\trorl\t$11,%ecx\n\tpsrld\t$10,%xmm7\n\tandl\t%eax,%ebx\n\tpsrlq\t$17,%xmm6\n\txorl\t%esi,%ecx\n\taddl\t88(%esp),%edx\n\txorl\t%edi,%ebx\n\trorl\t$2,%ecx\n\tpxor\t%xmm6,%xmm7\n\taddl\t%edx,%ebx\n\taddl\t20(%esp),%edx\n\tpsrlq\t$2,%xmm6\n\taddl\t%ecx,%ebx\n\tmovl\t%edx,%ecx\n\trorl\t$14,%edx\n\tpxor\t%xmm6,%xmm7\n\tmovl\t24(%esp),%esi\n\txorl\t%ecx,%edx\n\tmovl\t28(%esp),%edi\n\tpshufd\t$8,%xmm7,%xmm7\n\txorl\t%edi,%esi\n\trorl\t$5,%edx\n\tmovdqa\t48(%ebp),%xmm6\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,20(%esp)\n\tpslldq\t$8,%xmm7\n\txorl\t%ecx,%edx\n\txorl\t%esi,%edi\n\trorl\t$6,%edx\n\tmovl\t%ebx,%ecx\n\taddl\t%edi,%edx\n\tmovl\t8(%esp),%edi\n\tmovl\t%ebx,%esi\n\trorl\t$9,%ecx\n\tpaddd\t%xmm7,%xmm3\n\tmovl\t%ebx,4(%esp)\n\txorl\t%ebx,%ecx\n\txorl\t%edi,%ebx\n\taddl\t(%esp),%edx\n\tpaddd\t%xmm3,%xmm6\n\trorl\t$11,%ecx\n\tandl\t%ebx,%eax\n\txorl\t%esi,%ecx\n\taddl\t92(%esp),%edx\n\txorl\t%edi,%eax\n\trorl\t$2,%ecx\n\taddl\t%edx,%eax\n\taddl\t16(%esp),%edx\n\taddl\t%ecx,%eax\n\tmovdqa\t%xmm6,80(%esp)\n\tcmpl\t$66051,64(%ebp)\n\tjne\tL009ssse3_00_47\n\tmovl\t%edx,%ecx\n\trorl\t$14,%edx\n\tmovl\t20(%esp),%esi\n\txorl\t%ecx,%edx\n\tmovl\t24(%esp),%edi\n\txorl\t%edi,%esi\n\trorl\t$5,%edx\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,16(%esp)\n\txorl\t%ecx,%edx\n\txorl\t%esi,%edi\n\trorl\t$6,%edx\n\tmovl\t%eax,%ecx\n\taddl\t%edi,%edx\n\tmovl\t4(%esp),%edi\n\tmovl\t%eax,%esi\n\trorl\t$9,%ecx\n\tmovl\t%eax,(%esp)\n\txorl\t%eax,%ecx\n\txorl\t%edi,%eax\n\taddl\t28(%esp),%edx\n\trorl\t$11,%ecx\n\tandl\t%eax,%ebx\n\txorl\t%esi,%ecx\n\taddl\t32(%esp),%edx\n\txorl\t%edi,%ebx\n\trorl\t$2,%ecx\n\taddl\t%edx,%ebx\n\taddl\t12(%esp),%edx\n\taddl\t%ecx,%ebx\n\tmovl\t%edx,%ecx\n\trorl\t$14,%edx\n\tmovl\t16(%esp),%esi\n\txorl\t%ecx,%edx\n\tmovl\t20(%esp),%edi\n\txorl\t%edi,%esi\n\trorl\t$5,%edx\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,12(%esp)\n\txorl\t%ecx,%edx\n\txorl\t%esi,%edi\n\trorl\t$6,%edx\n\tmovl\t%ebx,%ecx\n\taddl\t%edi,%edx\n\tmovl\t(%esp),%edi\n\tmovl\t%ebx,%esi\n\trorl\t$9,%ecx\n\tmovl\t%ebx,28(%esp)\n\txorl\t%ebx,%ecx\n\txorl\t%edi,%ebx\n\taddl\t24(%esp),%edx\n\trorl\t$11,%ecx\n\tandl\t%ebx,%eax\n\txorl\t%esi,%ecx\n\taddl\t36(%esp),%edx\n\txorl\t%edi,%eax\n\trorl\t$2,%ecx\n\taddl\t%edx,%eax\n\taddl\t8(%esp),%edx\n\taddl\t%ecx,%eax\n\tmovl\t%edx,%ecx\n\trorl\t$14,%edx\n\tmovl\t12(%esp),%esi\n\txorl\t%ecx,%edx\n\tmovl\t16(%esp),%edi\n\txorl\t%edi,%esi\n\trorl\t$5,%edx\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,8(%esp)\n\txorl\t%ecx,%edx\n\txorl\t%esi,%edi\n\trorl\t$6,%edx\n\tmovl\t%eax,%ecx\n\taddl\t%edi,%edx\n\tmovl\t28(%esp),%edi\n\tmovl\t%eax,%esi\n\trorl\t$9,%ecx\n\tmovl\t%eax,24(%esp)\n\txorl\t%eax,%ecx\n\txorl\t%edi,%eax\n\taddl\t20(%esp),%edx\n\trorl\t$11,%ecx\n\tandl\t%eax,%ebx\n\txorl\t%esi,%ecx\n\taddl\t40(%esp),%edx\n\txorl\t%edi,%ebx\n\trorl\t$2,%ecx\n\taddl\t%edx,%ebx\n\taddl\t4(%esp),%edx\n\taddl\t%ecx,%ebx\n\tmovl\t%edx,%ecx\n\trorl\t$14,%edx\n\tmovl\t8(%esp),%esi\n\txorl\t%ecx,%edx\n\tmovl\t12(%esp),%edi\n\txorl\t%edi,%esi\n\trorl\t$5,%edx\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,4(%esp)\n\txorl\t%ecx,%edx\n\txorl\t%esi,%edi\n\trorl\t$6,%edx\n\tmovl\t%ebx,%ecx\n\taddl\t%edi,%edx\n\tmovl\t24(%esp),%edi\n\tmovl\t%ebx,%esi\n\trorl\t$9,%ecx\n\tmovl\t%ebx,20(%esp)\n\txorl\t%ebx,%ecx\n\txorl\t%edi,%ebx\n\taddl\t16(%esp),%edx\n\trorl\t$11,%ecx\n\tandl\t%ebx,%eax\n\txorl\t%esi,%ecx\n\taddl\t44(%esp),%edx\n\txorl\t%edi,%eax\n\trorl\t$2,%ecx\n\taddl\t%edx,%eax\n\taddl\t(%esp),%edx\n\taddl\t%ecx,%eax\n\tmovl\t%edx,%ecx\n\trorl\t$14,%edx\n\tmovl\t4(%esp),%esi\n\txorl\t%ecx,%edx\n\tmovl\t8(%esp),%edi\n\txorl\t%edi,%esi\n\trorl\t$5,%edx\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,(%esp)\n\txorl\t%ecx,%edx\n\txorl\t%esi,%edi\n\trorl\t$6,%edx\n\tmovl\t%eax,%ecx\n\taddl\t%edi,%edx\n\tmovl\t20(%esp),%edi\n\tmovl\t%eax,%esi\n\trorl\t$9,%ecx\n\tmovl\t%eax,16(%esp)\n\txorl\t%eax,%ecx\n\txorl\t%edi,%eax\n\taddl\t12(%esp),%edx\n\trorl\t$11,%ecx\n\tandl\t%eax,%ebx\n\txorl\t%esi,%ecx\n\taddl\t48(%esp),%edx\n\txorl\t%edi,%ebx\n\trorl\t$2,%ecx\n\taddl\t%edx,%ebx\n\taddl\t28(%esp),%edx\n\taddl\t%ecx,%ebx\n\tmovl\t%edx,%ecx\n\trorl\t$14,%edx\n\tmovl\t(%esp),%esi\n\txorl\t%ecx,%edx\n\tmovl\t4(%esp),%edi\n\txorl\t%edi,%esi\n\trorl\t$5,%edx\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,28(%esp)\n\txorl\t%ecx,%edx\n\txorl\t%esi,%edi\n\trorl\t$6,%edx\n\tmovl\t%ebx,%ecx\n\taddl\t%edi,%edx\n\tmovl\t16(%esp),%edi\n\tmovl\t%ebx,%esi\n\trorl\t$9,%ecx\n\tmovl\t%ebx,12(%esp)\n\txorl\t%ebx,%ecx\n\txorl\t%edi,%ebx\n\taddl\t8(%esp),%edx\n\trorl\t$11,%ecx\n\tandl\t%ebx,%eax\n\txorl\t%esi,%ecx\n\taddl\t52(%esp),%edx\n\txorl\t%edi,%eax\n\trorl\t$2,%ecx\n\taddl\t%edx,%eax\n\taddl\t24(%esp),%edx\n\taddl\t%ecx,%eax\n\tmovl\t%edx,%ecx\n\trorl\t$14,%edx\n\tmovl\t28(%esp),%esi\n\txorl\t%ecx,%edx\n\tmovl\t(%esp),%edi\n\txorl\t%edi,%esi\n\trorl\t$5,%edx\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,24(%esp)\n\txorl\t%ecx,%edx\n\txorl\t%esi,%edi\n\trorl\t$6,%edx\n\tmovl\t%eax,%ecx\n\taddl\t%edi,%edx\n\tmovl\t12(%esp),%edi\n\tmovl\t%eax,%esi\n\trorl\t$9,%ecx\n\tmovl\t%eax,8(%esp)\n\txorl\t%eax,%ecx\n\txorl\t%edi,%eax\n\taddl\t4(%esp),%edx\n\trorl\t$11,%ecx\n\tandl\t%eax,%ebx\n\txorl\t%esi,%ecx\n\taddl\t56(%esp),%edx\n\txorl\t%edi,%ebx\n\trorl\t$2,%ecx\n\taddl\t%edx,%ebx\n\taddl\t20(%esp),%edx\n\taddl\t%ecx,%ebx\n\tmovl\t%edx,%ecx\n\trorl\t$14,%edx\n\tmovl\t24(%esp),%esi\n\txorl\t%ecx,%edx\n\tmovl\t28(%esp),%edi\n\txorl\t%edi,%esi\n\trorl\t$5,%edx\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,20(%esp)\n\txorl\t%ecx,%edx\n\txorl\t%esi,%edi\n\trorl\t$6,%edx\n\tmovl\t%ebx,%ecx\n\taddl\t%edi,%edx\n\tmovl\t8(%esp),%edi\n\tmovl\t%ebx,%esi\n\trorl\t$9,%ecx\n\tmovl\t%ebx,4(%esp)\n\txorl\t%ebx,%ecx\n\txorl\t%edi,%ebx\n\taddl\t(%esp),%edx\n\trorl\t$11,%ecx\n\tandl\t%ebx,%eax\n\txorl\t%esi,%ecx\n\taddl\t60(%esp),%edx\n\txorl\t%edi,%eax\n\trorl\t$2,%ecx\n\taddl\t%edx,%eax\n\taddl\t16(%esp),%edx\n\taddl\t%ecx,%eax\n\tmovl\t%edx,%ecx\n\trorl\t$14,%edx\n\tmovl\t20(%esp),%esi\n\txorl\t%ecx,%edx\n\tmovl\t24(%esp),%edi\n\txorl\t%edi,%esi\n\trorl\t$5,%edx\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,16(%esp)\n\txorl\t%ecx,%edx\n\txorl\t%esi,%edi\n\trorl\t$6,%edx\n\tmovl\t%eax,%ecx\n\taddl\t%edi,%edx\n\tmovl\t4(%esp),%edi\n\tmovl\t%eax,%esi\n\trorl\t$9,%ecx\n\tmovl\t%eax,(%esp)\n\txorl\t%eax,%ecx\n\txorl\t%edi,%eax\n\taddl\t28(%esp),%edx\n\trorl\t$11,%ecx\n\tandl\t%eax,%ebx\n\txorl\t%esi,%ecx\n\taddl\t64(%esp),%edx\n\txorl\t%edi,%ebx\n\trorl\t$2,%ecx\n\taddl\t%edx,%ebx\n\taddl\t12(%esp),%edx\n\taddl\t%ecx,%ebx\n\tmovl\t%edx,%ecx\n\trorl\t$14,%edx\n\tmovl\t16(%esp),%esi\n\txorl\t%ecx,%edx\n\tmovl\t20(%esp),%edi\n\txorl\t%edi,%esi\n\trorl\t$5,%edx\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,12(%esp)\n\txorl\t%ecx,%edx\n\txorl\t%esi,%edi\n\trorl\t$6,%edx\n\tmovl\t%ebx,%ecx\n\taddl\t%edi,%edx\n\tmovl\t(%esp),%edi\n\tmovl\t%ebx,%esi\n\trorl\t$9,%ecx\n\tmovl\t%ebx,28(%esp)\n\txorl\t%ebx,%ecx\n\txorl\t%edi,%ebx\n\taddl\t24(%esp),%edx\n\trorl\t$11,%ecx\n\tandl\t%ebx,%eax\n\txorl\t%esi,%ecx\n\taddl\t68(%esp),%edx\n\txorl\t%edi,%eax\n\trorl\t$2,%ecx\n\taddl\t%edx,%eax\n\taddl\t8(%esp),%edx\n\taddl\t%ecx,%eax\n\tmovl\t%edx,%ecx\n\trorl\t$14,%edx\n\tmovl\t12(%esp),%esi\n\txorl\t%ecx,%edx\n\tmovl\t16(%esp),%edi\n\txorl\t%edi,%esi\n\trorl\t$5,%edx\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,8(%esp)\n\txorl\t%ecx,%edx\n\txorl\t%esi,%edi\n\trorl\t$6,%edx\n\tmovl\t%eax,%ecx\n\taddl\t%edi,%edx\n\tmovl\t28(%esp),%edi\n\tmovl\t%eax,%esi\n\trorl\t$9,%ecx\n\tmovl\t%eax,24(%esp)\n\txorl\t%eax,%ecx\n\txorl\t%edi,%eax\n\taddl\t20(%esp),%edx\n\trorl\t$11,%ecx\n\tandl\t%eax,%ebx\n\txorl\t%esi,%ecx\n\taddl\t72(%esp),%edx\n\txorl\t%edi,%ebx\n\trorl\t$2,%ecx\n\taddl\t%edx,%ebx\n\taddl\t4(%esp),%edx\n\taddl\t%ecx,%ebx\n\tmovl\t%edx,%ecx\n\trorl\t$14,%edx\n\tmovl\t8(%esp),%esi\n\txorl\t%ecx,%edx\n\tmovl\t12(%esp),%edi\n\txorl\t%edi,%esi\n\trorl\t$5,%edx\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,4(%esp)\n\txorl\t%ecx,%edx\n\txorl\t%esi,%edi\n\trorl\t$6,%edx\n\tmovl\t%ebx,%ecx\n\taddl\t%edi,%edx\n\tmovl\t24(%esp),%edi\n\tmovl\t%ebx,%esi\n\trorl\t$9,%ecx\n\tmovl\t%ebx,20(%esp)\n\txorl\t%ebx,%ecx\n\txorl\t%edi,%ebx\n\taddl\t16(%esp),%edx\n\trorl\t$11,%ecx\n\tandl\t%ebx,%eax\n\txorl\t%esi,%ecx\n\taddl\t76(%esp),%edx\n\txorl\t%edi,%eax\n\trorl\t$2,%ecx\n\taddl\t%edx,%eax\n\taddl\t(%esp),%edx\n\taddl\t%ecx,%eax\n\tmovl\t%edx,%ecx\n\trorl\t$14,%edx\n\tmovl\t4(%esp),%esi\n\txorl\t%ecx,%edx\n\tmovl\t8(%esp),%edi\n\txorl\t%edi,%esi\n\trorl\t$5,%edx\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,(%esp)\n\txorl\t%ecx,%edx\n\txorl\t%esi,%edi\n\trorl\t$6,%edx\n\tmovl\t%eax,%ecx\n\taddl\t%edi,%edx\n\tmovl\t20(%esp),%edi\n\tmovl\t%eax,%esi\n\trorl\t$9,%ecx\n\tmovl\t%eax,16(%esp)\n\txorl\t%eax,%ecx\n\txorl\t%edi,%eax\n\taddl\t12(%esp),%edx\n\trorl\t$11,%ecx\n\tandl\t%eax,%ebx\n\txorl\t%esi,%ecx\n\taddl\t80(%esp),%edx\n\txorl\t%edi,%ebx\n\trorl\t$2,%ecx\n\taddl\t%edx,%ebx\n\taddl\t28(%esp),%edx\n\taddl\t%ecx,%ebx\n\tmovl\t%edx,%ecx\n\trorl\t$14,%edx\n\tmovl\t(%esp),%esi\n\txorl\t%ecx,%edx\n\tmovl\t4(%esp),%edi\n\txorl\t%edi,%esi\n\trorl\t$5,%edx\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,28(%esp)\n\txorl\t%ecx,%edx\n\txorl\t%esi,%edi\n\trorl\t$6,%edx\n\tmovl\t%ebx,%ecx\n\taddl\t%edi,%edx\n\tmovl\t16(%esp),%edi\n\tmovl\t%ebx,%esi\n\trorl\t$9,%ecx\n\tmovl\t%ebx,12(%esp)\n\txorl\t%ebx,%ecx\n\txorl\t%edi,%ebx\n\taddl\t8(%esp),%edx\n\trorl\t$11,%ecx\n\tandl\t%ebx,%eax\n\txorl\t%esi,%ecx\n\taddl\t84(%esp),%edx\n\txorl\t%edi,%eax\n\trorl\t$2,%ecx\n\taddl\t%edx,%eax\n\taddl\t24(%esp),%edx\n\taddl\t%ecx,%eax\n\tmovl\t%edx,%ecx\n\trorl\t$14,%edx\n\tmovl\t28(%esp),%esi\n\txorl\t%ecx,%edx\n\tmovl\t(%esp),%edi\n\txorl\t%edi,%esi\n\trorl\t$5,%edx\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,24(%esp)\n\txorl\t%ecx,%edx\n\txorl\t%esi,%edi\n\trorl\t$6,%edx\n\tmovl\t%eax,%ecx\n\taddl\t%edi,%edx\n\tmovl\t12(%esp),%edi\n\tmovl\t%eax,%esi\n\trorl\t$9,%ecx\n\tmovl\t%eax,8(%esp)\n\txorl\t%eax,%ecx\n\txorl\t%edi,%eax\n\taddl\t4(%esp),%edx\n\trorl\t$11,%ecx\n\tandl\t%eax,%ebx\n\txorl\t%esi,%ecx\n\taddl\t88(%esp),%edx\n\txorl\t%edi,%ebx\n\trorl\t$2,%ecx\n\taddl\t%edx,%ebx\n\taddl\t20(%esp),%edx\n\taddl\t%ecx,%ebx\n\tmovl\t%edx,%ecx\n\trorl\t$14,%edx\n\tmovl\t24(%esp),%esi\n\txorl\t%ecx,%edx\n\tmovl\t28(%esp),%edi\n\txorl\t%edi,%esi\n\trorl\t$5,%edx\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,20(%esp)\n\txorl\t%ecx,%edx\n\txorl\t%esi,%edi\n\trorl\t$6,%edx\n\tmovl\t%ebx,%ecx\n\taddl\t%edi,%edx\n\tmovl\t8(%esp),%edi\n\tmovl\t%ebx,%esi\n\trorl\t$9,%ecx\n\tmovl\t%ebx,4(%esp)\n\txorl\t%ebx,%ecx\n\txorl\t%edi,%ebx\n\taddl\t(%esp),%edx\n\trorl\t$11,%ecx\n\tandl\t%ebx,%eax\n\txorl\t%esi,%ecx\n\taddl\t92(%esp),%edx\n\txorl\t%edi,%eax\n\trorl\t$2,%ecx\n\taddl\t%edx,%eax\n\taddl\t16(%esp),%edx\n\taddl\t%ecx,%eax\n\tmovl\t96(%esp),%esi\n\txorl\t%edi,%ebx\n\tmovl\t12(%esp),%ecx\n\taddl\t(%esi),%eax\n\taddl\t4(%esi),%ebx\n\taddl\t8(%esi),%edi\n\taddl\t12(%esi),%ecx\n\tmovl\t%eax,(%esi)\n\tmovl\t%ebx,4(%esi)\n\tmovl\t%edi,8(%esi)\n\tmovl\t%ecx,12(%esi)\n\tmovl\t%ebx,4(%esp)\n\txorl\t%edi,%ebx\n\tmovl\t%edi,8(%esp)\n\tmovl\t%ecx,12(%esp)\n\tmovl\t20(%esp),%edi\n\tmovl\t24(%esp),%ecx\n\taddl\t16(%esi),%edx\n\taddl\t20(%esi),%edi\n\taddl\t24(%esi),%ecx\n\tmovl\t%edx,16(%esi)\n\tmovl\t%edi,20(%esi)\n\tmovl\t%edi,20(%esp)\n\tmovl\t28(%esp),%edi\n\tmovl\t%ecx,24(%esi)\n\taddl\t28(%esi),%edi\n\tmovl\t%ecx,24(%esp)\n\tmovl\t%edi,28(%esi)\n\tmovl\t%edi,28(%esp)\n\tmovl\t100(%esp),%edi\n\tmovdqa\t64(%ebp),%xmm7\n\tsubl\t$192,%ebp\n\tcmpl\t104(%esp),%edi\n\tjb\tL008grand_ssse3\n\tmovl\t108(%esp),%esp\n\tpopl\t%edi\n\tpopl\t%esi\n\tpopl\t%ebx\n\tpopl\t%ebp\n\tret\n.globl\t_sha256_block_data_order_avx\n.private_extern\t_sha256_block_data_order_avx\n.align\t4\n_sha256_block_data_order_avx:\nL_sha256_block_data_order_avx_begin:\n\tpushl\t%ebp\n\tpushl\t%ebx\n\tpushl\t%esi\n\tpushl\t%edi\n\tmovl\t20(%esp),%esi\n\tmovl\t24(%esp),%edi\n\tmovl\t28(%esp),%eax\n\tmovl\t%esp,%ebx\n\tcall\tL010pic_point\nL010pic_point:\n\tpopl\t%ebp\n\tleal\tLK256-L010pic_point(%ebp),%ebp\n\tsubl\t$16,%esp\n\tandl\t$-64,%esp\n\tshll\t$6,%eax\n\taddl\t%edi,%eax\n\tmovl\t%esi,(%esp)\n\tmovl\t%edi,4(%esp)\n\tmovl\t%eax,8(%esp)\n\tmovl\t%ebx,12(%esp)\n\tleal\t-96(%esp),%esp\n\tvzeroall\n\tmovl\t(%esi),%eax\n\tmovl\t4(%esi),%ebx\n\tmovl\t8(%esi),%ecx\n\tmovl\t12(%esi),%edi\n\tmovl\t%ebx,4(%esp)\n\txorl\t%ecx,%ebx\n\tmovl\t%ecx,8(%esp)\n\tmovl\t%edi,12(%esp)\n\tmovl\t16(%esi),%edx\n\tmovl\t20(%esi),%edi\n\tmovl\t24(%esi),%ecx\n\tmovl\t28(%esi),%esi\n\tmovl\t%edi,20(%esp)\n\tmovl\t100(%esp),%edi\n\tmovl\t%ecx,24(%esp)\n\tmovl\t%esi,28(%esp)\n\tvmovdqa\t256(%ebp),%xmm7\n\tjmp\tL011grand_avx\n.align\t5,0x90\nL011grand_avx:\n\tvmovdqu\t(%edi),%xmm0\n\tvmovdqu\t16(%edi),%xmm1\n\tvmovdqu\t32(%edi),%xmm2\n\tvmovdqu\t48(%edi),%xmm3\n\taddl\t$64,%edi\n\tvpshufb\t%xmm7,%xmm0,%xmm0\n\tmovl\t%edi,100(%esp)\n\tvpshufb\t%xmm7,%xmm1,%xmm1\n\tvpshufb\t%xmm7,%xmm2,%xmm2\n\tvpaddd\t(%ebp),%xmm0,%xmm4\n\tvpshufb\t%xmm7,%xmm3,%xmm3\n\tvpaddd\t16(%ebp),%xmm1,%xmm5\n\tvpaddd\t32(%ebp),%xmm2,%xmm6\n\tvpaddd\t48(%ebp),%xmm3,%xmm7\n\tvmovdqa\t%xmm4,32(%esp)\n\tvmovdqa\t%xmm5,48(%esp)\n\tvmovdqa\t%xmm6,64(%esp)\n\tvmovdqa\t%xmm7,80(%esp)\n\tjmp\tL012avx_00_47\n.align\t4,0x90\nL012avx_00_47:\n\taddl\t$64,%ebp\n\tvpalignr\t$4,%xmm0,%xmm1,%xmm4\n\tmovl\t%edx,%ecx\n\tshrdl\t$14,%edx,%edx\n\tmovl\t20(%esp),%esi\n\tvpalignr\t$4,%xmm2,%xmm3,%xmm7\n\txorl\t%ecx,%edx\n\tmovl\t24(%esp),%edi\n\txorl\t%edi,%esi\n\tvpsrld\t$7,%xmm4,%xmm6\n\tshrdl\t$5,%edx,%edx\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,16(%esp)\n\tvpaddd\t%xmm7,%xmm0,%xmm0\n\txorl\t%ecx,%edx\n\txorl\t%esi,%edi\n\tshrdl\t$6,%edx,%edx\n\tvpsrld\t$3,%xmm4,%xmm7\n\tmovl\t%eax,%ecx\n\taddl\t%edi,%edx\n\tmovl\t4(%esp),%edi\n\tvpslld\t$14,%xmm4,%xmm5\n\tmovl\t%eax,%esi\n\tshrdl\t$9,%ecx,%ecx\n\tmovl\t%eax,(%esp)\n\tvpxor\t%xmm6,%xmm7,%xmm4\n\txorl\t%eax,%ecx\n\txorl\t%edi,%eax\n\taddl\t28(%esp),%edx\n\tvpshufd\t$250,%xmm3,%xmm7\n\tshrdl\t$11,%ecx,%ecx\n\tandl\t%eax,%ebx\n\txorl\t%esi,%ecx\n\tvpsrld\t$11,%xmm6,%xmm6\n\taddl\t32(%esp),%edx\n\txorl\t%edi,%ebx\n\tshrdl\t$2,%ecx,%ecx\n\tvpxor\t%xmm5,%xmm4,%xmm4\n\taddl\t%edx,%ebx\n\taddl\t12(%esp),%edx\n\taddl\t%ecx,%ebx\n\tvpslld\t$11,%xmm5,%xmm5\n\tmovl\t%edx,%ecx\n\tshrdl\t$14,%edx,%edx\n\tmovl\t16(%esp),%esi\n\tvpxor\t%xmm6,%xmm4,%xmm4\n\txorl\t%ecx,%edx\n\tmovl\t20(%esp),%edi\n\txorl\t%edi,%esi\n\tvpsrld\t$10,%xmm7,%xmm6\n\tshrdl\t$5,%edx,%edx\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,12(%esp)\n\tvpxor\t%xmm5,%xmm4,%xmm4\n\txorl\t%ecx,%edx\n\txorl\t%esi,%edi\n\tshrdl\t$6,%edx,%edx\n\tvpsrlq\t$17,%xmm7,%xmm5\n\tmovl\t%ebx,%ecx\n\taddl\t%edi,%edx\n\tmovl\t(%esp),%edi\n\tvpaddd\t%xmm4,%xmm0,%xmm0\n\tmovl\t%ebx,%esi\n\tshrdl\t$9,%ecx,%ecx\n\tmovl\t%ebx,28(%esp)\n\tvpxor\t%xmm5,%xmm6,%xmm6\n\txorl\t%ebx,%ecx\n\txorl\t%edi,%ebx\n\taddl\t24(%esp),%edx\n\tvpsrlq\t$19,%xmm7,%xmm7\n\tshrdl\t$11,%ecx,%ecx\n\tandl\t%ebx,%eax\n\txorl\t%esi,%ecx\n\tvpxor\t%xmm7,%xmm6,%xmm6\n\taddl\t36(%esp),%edx\n\txorl\t%edi,%eax\n\tshrdl\t$2,%ecx,%ecx\n\tvpshufd\t$132,%xmm6,%xmm7\n\taddl\t%edx,%eax\n\taddl\t8(%esp),%edx\n\taddl\t%ecx,%eax\n\tvpsrldq\t$8,%xmm7,%xmm7\n\tmovl\t%edx,%ecx\n\tshrdl\t$14,%edx,%edx\n\tmovl\t12(%esp),%esi\n\tvpaddd\t%xmm7,%xmm0,%xmm0\n\txorl\t%ecx,%edx\n\tmovl\t16(%esp),%edi\n\txorl\t%edi,%esi\n\tvpshufd\t$80,%xmm0,%xmm7\n\tshrdl\t$5,%edx,%edx\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,8(%esp)\n\tvpsrld\t$10,%xmm7,%xmm6\n\txorl\t%ecx,%edx\n\txorl\t%esi,%edi\n\tshrdl\t$6,%edx,%edx\n\tvpsrlq\t$17,%xmm7,%xmm5\n\tmovl\t%eax,%ecx\n\taddl\t%edi,%edx\n\tmovl\t28(%esp),%edi\n\tvpxor\t%xmm5,%xmm6,%xmm6\n\tmovl\t%eax,%esi\n\tshrdl\t$9,%ecx,%ecx\n\tmovl\t%eax,24(%esp)\n\tvpsrlq\t$19,%xmm7,%xmm7\n\txorl\t%eax,%ecx\n\txorl\t%edi,%eax\n\taddl\t20(%esp),%edx\n\tvpxor\t%xmm7,%xmm6,%xmm6\n\tshrdl\t$11,%ecx,%ecx\n\tandl\t%eax,%ebx\n\txorl\t%esi,%ecx\n\tvpshufd\t$232,%xmm6,%xmm7\n\taddl\t40(%esp),%edx\n\txorl\t%edi,%ebx\n\tshrdl\t$2,%ecx,%ecx\n\tvpslldq\t$8,%xmm7,%xmm7\n\taddl\t%edx,%ebx\n\taddl\t4(%esp),%edx\n\taddl\t%ecx,%ebx\n\tvpaddd\t%xmm7,%xmm0,%xmm0\n\tmovl\t%edx,%ecx\n\tshrdl\t$14,%edx,%edx\n\tmovl\t8(%esp),%esi\n\tvpaddd\t(%ebp),%xmm0,%xmm6\n\txorl\t%ecx,%edx\n\tmovl\t12(%esp),%edi\n\txorl\t%edi,%esi\n\tshrdl\t$5,%edx,%edx\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,4(%esp)\n\txorl\t%ecx,%edx\n\txorl\t%esi,%edi\n\tshrdl\t$6,%edx,%edx\n\tmovl\t%ebx,%ecx\n\taddl\t%edi,%edx\n\tmovl\t24(%esp),%edi\n\tmovl\t%ebx,%esi\n\tshrdl\t$9,%ecx,%ecx\n\tmovl\t%ebx,20(%esp)\n\txorl\t%ebx,%ecx\n\txorl\t%edi,%ebx\n\taddl\t16(%esp),%edx\n\tshrdl\t$11,%ecx,%ecx\n\tandl\t%ebx,%eax\n\txorl\t%esi,%ecx\n\taddl\t44(%esp),%edx\n\txorl\t%edi,%eax\n\tshrdl\t$2,%ecx,%ecx\n\taddl\t%edx,%eax\n\taddl\t(%esp),%edx\n\taddl\t%ecx,%eax\n\tvmovdqa\t%xmm6,32(%esp)\n\tvpalignr\t$4,%xmm1,%xmm2,%xmm4\n\tmovl\t%edx,%ecx\n\tshrdl\t$14,%edx,%edx\n\tmovl\t4(%esp),%esi\n\tvpalignr\t$4,%xmm3,%xmm0,%xmm7\n\txorl\t%ecx,%edx\n\tmovl\t8(%esp),%edi\n\txorl\t%edi,%esi\n\tvpsrld\t$7,%xmm4,%xmm6\n\tshrdl\t$5,%edx,%edx\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,(%esp)\n\tvpaddd\t%xmm7,%xmm1,%xmm1\n\txorl\t%ecx,%edx\n\txorl\t%esi,%edi\n\tshrdl\t$6,%edx,%edx\n\tvpsrld\t$3,%xmm4,%xmm7\n\tmovl\t%eax,%ecx\n\taddl\t%edi,%edx\n\tmovl\t20(%esp),%edi\n\tvpslld\t$14,%xmm4,%xmm5\n\tmovl\t%eax,%esi\n\tshrdl\t$9,%ecx,%ecx\n\tmovl\t%eax,16(%esp)\n\tvpxor\t%xmm6,%xmm7,%xmm4\n\txorl\t%eax,%ecx\n\txorl\t%edi,%eax\n\taddl\t12(%esp),%edx\n\tvpshufd\t$250,%xmm0,%xmm7\n\tshrdl\t$11,%ecx,%ecx\n\tandl\t%eax,%ebx\n\txorl\t%esi,%ecx\n\tvpsrld\t$11,%xmm6,%xmm6\n\taddl\t48(%esp),%edx\n\txorl\t%edi,%ebx\n\tshrdl\t$2,%ecx,%ecx\n\tvpxor\t%xmm5,%xmm4,%xmm4\n\taddl\t%edx,%ebx\n\taddl\t28(%esp),%edx\n\taddl\t%ecx,%ebx\n\tvpslld\t$11,%xmm5,%xmm5\n\tmovl\t%edx,%ecx\n\tshrdl\t$14,%edx,%edx\n\tmovl\t(%esp),%esi\n\tvpxor\t%xmm6,%xmm4,%xmm4\n\txorl\t%ecx,%edx\n\tmovl\t4(%esp),%edi\n\txorl\t%edi,%esi\n\tvpsrld\t$10,%xmm7,%xmm6\n\tshrdl\t$5,%edx,%edx\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,28(%esp)\n\tvpxor\t%xmm5,%xmm4,%xmm4\n\txorl\t%ecx,%edx\n\txorl\t%esi,%edi\n\tshrdl\t$6,%edx,%edx\n\tvpsrlq\t$17,%xmm7,%xmm5\n\tmovl\t%ebx,%ecx\n\taddl\t%edi,%edx\n\tmovl\t16(%esp),%edi\n\tvpaddd\t%xmm4,%xmm1,%xmm1\n\tmovl\t%ebx,%esi\n\tshrdl\t$9,%ecx,%ecx\n\tmovl\t%ebx,12(%esp)\n\tvpxor\t%xmm5,%xmm6,%xmm6\n\txorl\t%ebx,%ecx\n\txorl\t%edi,%ebx\n\taddl\t8(%esp),%edx\n\tvpsrlq\t$19,%xmm7,%xmm7\n\tshrdl\t$11,%ecx,%ecx\n\tandl\t%ebx,%eax\n\txorl\t%esi,%ecx\n\tvpxor\t%xmm7,%xmm6,%xmm6\n\taddl\t52(%esp),%edx\n\txorl\t%edi,%eax\n\tshrdl\t$2,%ecx,%ecx\n\tvpshufd\t$132,%xmm6,%xmm7\n\taddl\t%edx,%eax\n\taddl\t24(%esp),%edx\n\taddl\t%ecx,%eax\n\tvpsrldq\t$8,%xmm7,%xmm7\n\tmovl\t%edx,%ecx\n\tshrdl\t$14,%edx,%edx\n\tmovl\t28(%esp),%esi\n\tvpaddd\t%xmm7,%xmm1,%xmm1\n\txorl\t%ecx,%edx\n\tmovl\t(%esp),%edi\n\txorl\t%edi,%esi\n\tvpshufd\t$80,%xmm1,%xmm7\n\tshrdl\t$5,%edx,%edx\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,24(%esp)\n\tvpsrld\t$10,%xmm7,%xmm6\n\txorl\t%ecx,%edx\n\txorl\t%esi,%edi\n\tshrdl\t$6,%edx,%edx\n\tvpsrlq\t$17,%xmm7,%xmm5\n\tmovl\t%eax,%ecx\n\taddl\t%edi,%edx\n\tmovl\t12(%esp),%edi\n\tvpxor\t%xmm5,%xmm6,%xmm6\n\tmovl\t%eax,%esi\n\tshrdl\t$9,%ecx,%ecx\n\tmovl\t%eax,8(%esp)\n\tvpsrlq\t$19,%xmm7,%xmm7\n\txorl\t%eax,%ecx\n\txorl\t%edi,%eax\n\taddl\t4(%esp),%edx\n\tvpxor\t%xmm7,%xmm6,%xmm6\n\tshrdl\t$11,%ecx,%ecx\n\tandl\t%eax,%ebx\n\txorl\t%esi,%ecx\n\tvpshufd\t$232,%xmm6,%xmm7\n\taddl\t56(%esp),%edx\n\txorl\t%edi,%ebx\n\tshrdl\t$2,%ecx,%ecx\n\tvpslldq\t$8,%xmm7,%xmm7\n\taddl\t%edx,%ebx\n\taddl\t20(%esp),%edx\n\taddl\t%ecx,%ebx\n\tvpaddd\t%xmm7,%xmm1,%xmm1\n\tmovl\t%edx,%ecx\n\tshrdl\t$14,%edx,%edx\n\tmovl\t24(%esp),%esi\n\tvpaddd\t16(%ebp),%xmm1,%xmm6\n\txorl\t%ecx,%edx\n\tmovl\t28(%esp),%edi\n\txorl\t%edi,%esi\n\tshrdl\t$5,%edx,%edx\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,20(%esp)\n\txorl\t%ecx,%edx\n\txorl\t%esi,%edi\n\tshrdl\t$6,%edx,%edx\n\tmovl\t%ebx,%ecx\n\taddl\t%edi,%edx\n\tmovl\t8(%esp),%edi\n\tmovl\t%ebx,%esi\n\tshrdl\t$9,%ecx,%ecx\n\tmovl\t%ebx,4(%esp)\n\txorl\t%ebx,%ecx\n\txorl\t%edi,%ebx\n\taddl\t(%esp),%edx\n\tshrdl\t$11,%ecx,%ecx\n\tandl\t%ebx,%eax\n\txorl\t%esi,%ecx\n\taddl\t60(%esp),%edx\n\txorl\t%edi,%eax\n\tshrdl\t$2,%ecx,%ecx\n\taddl\t%edx,%eax\n\taddl\t16(%esp),%edx\n\taddl\t%ecx,%eax\n\tvmovdqa\t%xmm6,48(%esp)\n\tvpalignr\t$4,%xmm2,%xmm3,%xmm4\n\tmovl\t%edx,%ecx\n\tshrdl\t$14,%edx,%edx\n\tmovl\t20(%esp),%esi\n\tvpalignr\t$4,%xmm0,%xmm1,%xmm7\n\txorl\t%ecx,%edx\n\tmovl\t24(%esp),%edi\n\txorl\t%edi,%esi\n\tvpsrld\t$7,%xmm4,%xmm6\n\tshrdl\t$5,%edx,%edx\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,16(%esp)\n\tvpaddd\t%xmm7,%xmm2,%xmm2\n\txorl\t%ecx,%edx\n\txorl\t%esi,%edi\n\tshrdl\t$6,%edx,%edx\n\tvpsrld\t$3,%xmm4,%xmm7\n\tmovl\t%eax,%ecx\n\taddl\t%edi,%edx\n\tmovl\t4(%esp),%edi\n\tvpslld\t$14,%xmm4,%xmm5\n\tmovl\t%eax,%esi\n\tshrdl\t$9,%ecx,%ecx\n\tmovl\t%eax,(%esp)\n\tvpxor\t%xmm6,%xmm7,%xmm4\n\txorl\t%eax,%ecx\n\txorl\t%edi,%eax\n\taddl\t28(%esp),%edx\n\tvpshufd\t$250,%xmm1,%xmm7\n\tshrdl\t$11,%ecx,%ecx\n\tandl\t%eax,%ebx\n\txorl\t%esi,%ecx\n\tvpsrld\t$11,%xmm6,%xmm6\n\taddl\t64(%esp),%edx\n\txorl\t%edi,%ebx\n\tshrdl\t$2,%ecx,%ecx\n\tvpxor\t%xmm5,%xmm4,%xmm4\n\taddl\t%edx,%ebx\n\taddl\t12(%esp),%edx\n\taddl\t%ecx,%ebx\n\tvpslld\t$11,%xmm5,%xmm5\n\tmovl\t%edx,%ecx\n\tshrdl\t$14,%edx,%edx\n\tmovl\t16(%esp),%esi\n\tvpxor\t%xmm6,%xmm4,%xmm4\n\txorl\t%ecx,%edx\n\tmovl\t20(%esp),%edi\n\txorl\t%edi,%esi\n\tvpsrld\t$10,%xmm7,%xmm6\n\tshrdl\t$5,%edx,%edx\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,12(%esp)\n\tvpxor\t%xmm5,%xmm4,%xmm4\n\txorl\t%ecx,%edx\n\txorl\t%esi,%edi\n\tshrdl\t$6,%edx,%edx\n\tvpsrlq\t$17,%xmm7,%xmm5\n\tmovl\t%ebx,%ecx\n\taddl\t%edi,%edx\n\tmovl\t(%esp),%edi\n\tvpaddd\t%xmm4,%xmm2,%xmm2\n\tmovl\t%ebx,%esi\n\tshrdl\t$9,%ecx,%ecx\n\tmovl\t%ebx,28(%esp)\n\tvpxor\t%xmm5,%xmm6,%xmm6\n\txorl\t%ebx,%ecx\n\txorl\t%edi,%ebx\n\taddl\t24(%esp),%edx\n\tvpsrlq\t$19,%xmm7,%xmm7\n\tshrdl\t$11,%ecx,%ecx\n\tandl\t%ebx,%eax\n\txorl\t%esi,%ecx\n\tvpxor\t%xmm7,%xmm6,%xmm6\n\taddl\t68(%esp),%edx\n\txorl\t%edi,%eax\n\tshrdl\t$2,%ecx,%ecx\n\tvpshufd\t$132,%xmm6,%xmm7\n\taddl\t%edx,%eax\n\taddl\t8(%esp),%edx\n\taddl\t%ecx,%eax\n\tvpsrldq\t$8,%xmm7,%xmm7\n\tmovl\t%edx,%ecx\n\tshrdl\t$14,%edx,%edx\n\tmovl\t12(%esp),%esi\n\tvpaddd\t%xmm7,%xmm2,%xmm2\n\txorl\t%ecx,%edx\n\tmovl\t16(%esp),%edi\n\txorl\t%edi,%esi\n\tvpshufd\t$80,%xmm2,%xmm7\n\tshrdl\t$5,%edx,%edx\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,8(%esp)\n\tvpsrld\t$10,%xmm7,%xmm6\n\txorl\t%ecx,%edx\n\txorl\t%esi,%edi\n\tshrdl\t$6,%edx,%edx\n\tvpsrlq\t$17,%xmm7,%xmm5\n\tmovl\t%eax,%ecx\n\taddl\t%edi,%edx\n\tmovl\t28(%esp),%edi\n\tvpxor\t%xmm5,%xmm6,%xmm6\n\tmovl\t%eax,%esi\n\tshrdl\t$9,%ecx,%ecx\n\tmovl\t%eax,24(%esp)\n\tvpsrlq\t$19,%xmm7,%xmm7\n\txorl\t%eax,%ecx\n\txorl\t%edi,%eax\n\taddl\t20(%esp),%edx\n\tvpxor\t%xmm7,%xmm6,%xmm6\n\tshrdl\t$11,%ecx,%ecx\n\tandl\t%eax,%ebx\n\txorl\t%esi,%ecx\n\tvpshufd\t$232,%xmm6,%xmm7\n\taddl\t72(%esp),%edx\n\txorl\t%edi,%ebx\n\tshrdl\t$2,%ecx,%ecx\n\tvpslldq\t$8,%xmm7,%xmm7\n\taddl\t%edx,%ebx\n\taddl\t4(%esp),%edx\n\taddl\t%ecx,%ebx\n\tvpaddd\t%xmm7,%xmm2,%xmm2\n\tmovl\t%edx,%ecx\n\tshrdl\t$14,%edx,%edx\n\tmovl\t8(%esp),%esi\n\tvpaddd\t32(%ebp),%xmm2,%xmm6\n\txorl\t%ecx,%edx\n\tmovl\t12(%esp),%edi\n\txorl\t%edi,%esi\n\tshrdl\t$5,%edx,%edx\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,4(%esp)\n\txorl\t%ecx,%edx\n\txorl\t%esi,%edi\n\tshrdl\t$6,%edx,%edx\n\tmovl\t%ebx,%ecx\n\taddl\t%edi,%edx\n\tmovl\t24(%esp),%edi\n\tmovl\t%ebx,%esi\n\tshrdl\t$9,%ecx,%ecx\n\tmovl\t%ebx,20(%esp)\n\txorl\t%ebx,%ecx\n\txorl\t%edi,%ebx\n\taddl\t16(%esp),%edx\n\tshrdl\t$11,%ecx,%ecx\n\tandl\t%ebx,%eax\n\txorl\t%esi,%ecx\n\taddl\t76(%esp),%edx\n\txorl\t%edi,%eax\n\tshrdl\t$2,%ecx,%ecx\n\taddl\t%edx,%eax\n\taddl\t(%esp),%edx\n\taddl\t%ecx,%eax\n\tvmovdqa\t%xmm6,64(%esp)\n\tvpalignr\t$4,%xmm3,%xmm0,%xmm4\n\tmovl\t%edx,%ecx\n\tshrdl\t$14,%edx,%edx\n\tmovl\t4(%esp),%esi\n\tvpalignr\t$4,%xmm1,%xmm2,%xmm7\n\txorl\t%ecx,%edx\n\tmovl\t8(%esp),%edi\n\txorl\t%edi,%esi\n\tvpsrld\t$7,%xmm4,%xmm6\n\tshrdl\t$5,%edx,%edx\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,(%esp)\n\tvpaddd\t%xmm7,%xmm3,%xmm3\n\txorl\t%ecx,%edx\n\txorl\t%esi,%edi\n\tshrdl\t$6,%edx,%edx\n\tvpsrld\t$3,%xmm4,%xmm7\n\tmovl\t%eax,%ecx\n\taddl\t%edi,%edx\n\tmovl\t20(%esp),%edi\n\tvpslld\t$14,%xmm4,%xmm5\n\tmovl\t%eax,%esi\n\tshrdl\t$9,%ecx,%ecx\n\tmovl\t%eax,16(%esp)\n\tvpxor\t%xmm6,%xmm7,%xmm4\n\txorl\t%eax,%ecx\n\txorl\t%edi,%eax\n\taddl\t12(%esp),%edx\n\tvpshufd\t$250,%xmm2,%xmm7\n\tshrdl\t$11,%ecx,%ecx\n\tandl\t%eax,%ebx\n\txorl\t%esi,%ecx\n\tvpsrld\t$11,%xmm6,%xmm6\n\taddl\t80(%esp),%edx\n\txorl\t%edi,%ebx\n\tshrdl\t$2,%ecx,%ecx\n\tvpxor\t%xmm5,%xmm4,%xmm4\n\taddl\t%edx,%ebx\n\taddl\t28(%esp),%edx\n\taddl\t%ecx,%ebx\n\tvpslld\t$11,%xmm5,%xmm5\n\tmovl\t%edx,%ecx\n\tshrdl\t$14,%edx,%edx\n\tmovl\t(%esp),%esi\n\tvpxor\t%xmm6,%xmm4,%xmm4\n\txorl\t%ecx,%edx\n\tmovl\t4(%esp),%edi\n\txorl\t%edi,%esi\n\tvpsrld\t$10,%xmm7,%xmm6\n\tshrdl\t$5,%edx,%edx\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,28(%esp)\n\tvpxor\t%xmm5,%xmm4,%xmm4\n\txorl\t%ecx,%edx\n\txorl\t%esi,%edi\n\tshrdl\t$6,%edx,%edx\n\tvpsrlq\t$17,%xmm7,%xmm5\n\tmovl\t%ebx,%ecx\n\taddl\t%edi,%edx\n\tmovl\t16(%esp),%edi\n\tvpaddd\t%xmm4,%xmm3,%xmm3\n\tmovl\t%ebx,%esi\n\tshrdl\t$9,%ecx,%ecx\n\tmovl\t%ebx,12(%esp)\n\tvpxor\t%xmm5,%xmm6,%xmm6\n\txorl\t%ebx,%ecx\n\txorl\t%edi,%ebx\n\taddl\t8(%esp),%edx\n\tvpsrlq\t$19,%xmm7,%xmm7\n\tshrdl\t$11,%ecx,%ecx\n\tandl\t%ebx,%eax\n\txorl\t%esi,%ecx\n\tvpxor\t%xmm7,%xmm6,%xmm6\n\taddl\t84(%esp),%edx\n\txorl\t%edi,%eax\n\tshrdl\t$2,%ecx,%ecx\n\tvpshufd\t$132,%xmm6,%xmm7\n\taddl\t%edx,%eax\n\taddl\t24(%esp),%edx\n\taddl\t%ecx,%eax\n\tvpsrldq\t$8,%xmm7,%xmm7\n\tmovl\t%edx,%ecx\n\tshrdl\t$14,%edx,%edx\n\tmovl\t28(%esp),%esi\n\tvpaddd\t%xmm7,%xmm3,%xmm3\n\txorl\t%ecx,%edx\n\tmovl\t(%esp),%edi\n\txorl\t%edi,%esi\n\tvpshufd\t$80,%xmm3,%xmm7\n\tshrdl\t$5,%edx,%edx\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,24(%esp)\n\tvpsrld\t$10,%xmm7,%xmm6\n\txorl\t%ecx,%edx\n\txorl\t%esi,%edi\n\tshrdl\t$6,%edx,%edx\n\tvpsrlq\t$17,%xmm7,%xmm5\n\tmovl\t%eax,%ecx\n\taddl\t%edi,%edx\n\tmovl\t12(%esp),%edi\n\tvpxor\t%xmm5,%xmm6,%xmm6\n\tmovl\t%eax,%esi\n\tshrdl\t$9,%ecx,%ecx\n\tmovl\t%eax,8(%esp)\n\tvpsrlq\t$19,%xmm7,%xmm7\n\txorl\t%eax,%ecx\n\txorl\t%edi,%eax\n\taddl\t4(%esp),%edx\n\tvpxor\t%xmm7,%xmm6,%xmm6\n\tshrdl\t$11,%ecx,%ecx\n\tandl\t%eax,%ebx\n\txorl\t%esi,%ecx\n\tvpshufd\t$232,%xmm6,%xmm7\n\taddl\t88(%esp),%edx\n\txorl\t%edi,%ebx\n\tshrdl\t$2,%ecx,%ecx\n\tvpslldq\t$8,%xmm7,%xmm7\n\taddl\t%edx,%ebx\n\taddl\t20(%esp),%edx\n\taddl\t%ecx,%ebx\n\tvpaddd\t%xmm7,%xmm3,%xmm3\n\tmovl\t%edx,%ecx\n\tshrdl\t$14,%edx,%edx\n\tmovl\t24(%esp),%esi\n\tvpaddd\t48(%ebp),%xmm3,%xmm6\n\txorl\t%ecx,%edx\n\tmovl\t28(%esp),%edi\n\txorl\t%edi,%esi\n\tshrdl\t$5,%edx,%edx\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,20(%esp)\n\txorl\t%ecx,%edx\n\txorl\t%esi,%edi\n\tshrdl\t$6,%edx,%edx\n\tmovl\t%ebx,%ecx\n\taddl\t%edi,%edx\n\tmovl\t8(%esp),%edi\n\tmovl\t%ebx,%esi\n\tshrdl\t$9,%ecx,%ecx\n\tmovl\t%ebx,4(%esp)\n\txorl\t%ebx,%ecx\n\txorl\t%edi,%ebx\n\taddl\t(%esp),%edx\n\tshrdl\t$11,%ecx,%ecx\n\tandl\t%ebx,%eax\n\txorl\t%esi,%ecx\n\taddl\t92(%esp),%edx\n\txorl\t%edi,%eax\n\tshrdl\t$2,%ecx,%ecx\n\taddl\t%edx,%eax\n\taddl\t16(%esp),%edx\n\taddl\t%ecx,%eax\n\tvmovdqa\t%xmm6,80(%esp)\n\tcmpl\t$66051,64(%ebp)\n\tjne\tL012avx_00_47\n\tmovl\t%edx,%ecx\n\tshrdl\t$14,%edx,%edx\n\tmovl\t20(%esp),%esi\n\txorl\t%ecx,%edx\n\tmovl\t24(%esp),%edi\n\txorl\t%edi,%esi\n\tshrdl\t$5,%edx,%edx\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,16(%esp)\n\txorl\t%ecx,%edx\n\txorl\t%esi,%edi\n\tshrdl\t$6,%edx,%edx\n\tmovl\t%eax,%ecx\n\taddl\t%edi,%edx\n\tmovl\t4(%esp),%edi\n\tmovl\t%eax,%esi\n\tshrdl\t$9,%ecx,%ecx\n\tmovl\t%eax,(%esp)\n\txorl\t%eax,%ecx\n\txorl\t%edi,%eax\n\taddl\t28(%esp),%edx\n\tshrdl\t$11,%ecx,%ecx\n\tandl\t%eax,%ebx\n\txorl\t%esi,%ecx\n\taddl\t32(%esp),%edx\n\txorl\t%edi,%ebx\n\tshrdl\t$2,%ecx,%ecx\n\taddl\t%edx,%ebx\n\taddl\t12(%esp),%edx\n\taddl\t%ecx,%ebx\n\tmovl\t%edx,%ecx\n\tshrdl\t$14,%edx,%edx\n\tmovl\t16(%esp),%esi\n\txorl\t%ecx,%edx\n\tmovl\t20(%esp),%edi\n\txorl\t%edi,%esi\n\tshrdl\t$5,%edx,%edx\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,12(%esp)\n\txorl\t%ecx,%edx\n\txorl\t%esi,%edi\n\tshrdl\t$6,%edx,%edx\n\tmovl\t%ebx,%ecx\n\taddl\t%edi,%edx\n\tmovl\t(%esp),%edi\n\tmovl\t%ebx,%esi\n\tshrdl\t$9,%ecx,%ecx\n\tmovl\t%ebx,28(%esp)\n\txorl\t%ebx,%ecx\n\txorl\t%edi,%ebx\n\taddl\t24(%esp),%edx\n\tshrdl\t$11,%ecx,%ecx\n\tandl\t%ebx,%eax\n\txorl\t%esi,%ecx\n\taddl\t36(%esp),%edx\n\txorl\t%edi,%eax\n\tshrdl\t$2,%ecx,%ecx\n\taddl\t%edx,%eax\n\taddl\t8(%esp),%edx\n\taddl\t%ecx,%eax\n\tmovl\t%edx,%ecx\n\tshrdl\t$14,%edx,%edx\n\tmovl\t12(%esp),%esi\n\txorl\t%ecx,%edx\n\tmovl\t16(%esp),%edi\n\txorl\t%edi,%esi\n\tshrdl\t$5,%edx,%edx\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,8(%esp)\n\txorl\t%ecx,%edx\n\txorl\t%esi,%edi\n\tshrdl\t$6,%edx,%edx\n\tmovl\t%eax,%ecx\n\taddl\t%edi,%edx\n\tmovl\t28(%esp),%edi\n\tmovl\t%eax,%esi\n\tshrdl\t$9,%ecx,%ecx\n\tmovl\t%eax,24(%esp)\n\txorl\t%eax,%ecx\n\txorl\t%edi,%eax\n\taddl\t20(%esp),%edx\n\tshrdl\t$11,%ecx,%ecx\n\tandl\t%eax,%ebx\n\txorl\t%esi,%ecx\n\taddl\t40(%esp),%edx\n\txorl\t%edi,%ebx\n\tshrdl\t$2,%ecx,%ecx\n\taddl\t%edx,%ebx\n\taddl\t4(%esp),%edx\n\taddl\t%ecx,%ebx\n\tmovl\t%edx,%ecx\n\tshrdl\t$14,%edx,%edx\n\tmovl\t8(%esp),%esi\n\txorl\t%ecx,%edx\n\tmovl\t12(%esp),%edi\n\txorl\t%edi,%esi\n\tshrdl\t$5,%edx,%edx\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,4(%esp)\n\txorl\t%ecx,%edx\n\txorl\t%esi,%edi\n\tshrdl\t$6,%edx,%edx\n\tmovl\t%ebx,%ecx\n\taddl\t%edi,%edx\n\tmovl\t24(%esp),%edi\n\tmovl\t%ebx,%esi\n\tshrdl\t$9,%ecx,%ecx\n\tmovl\t%ebx,20(%esp)\n\txorl\t%ebx,%ecx\n\txorl\t%edi,%ebx\n\taddl\t16(%esp),%edx\n\tshrdl\t$11,%ecx,%ecx\n\tandl\t%ebx,%eax\n\txorl\t%esi,%ecx\n\taddl\t44(%esp),%edx\n\txorl\t%edi,%eax\n\tshrdl\t$2,%ecx,%ecx\n\taddl\t%edx,%eax\n\taddl\t(%esp),%edx\n\taddl\t%ecx,%eax\n\tmovl\t%edx,%ecx\n\tshrdl\t$14,%edx,%edx\n\tmovl\t4(%esp),%esi\n\txorl\t%ecx,%edx\n\tmovl\t8(%esp),%edi\n\txorl\t%edi,%esi\n\tshrdl\t$5,%edx,%edx\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,(%esp)\n\txorl\t%ecx,%edx\n\txorl\t%esi,%edi\n\tshrdl\t$6,%edx,%edx\n\tmovl\t%eax,%ecx\n\taddl\t%edi,%edx\n\tmovl\t20(%esp),%edi\n\tmovl\t%eax,%esi\n\tshrdl\t$9,%ecx,%ecx\n\tmovl\t%eax,16(%esp)\n\txorl\t%eax,%ecx\n\txorl\t%edi,%eax\n\taddl\t12(%esp),%edx\n\tshrdl\t$11,%ecx,%ecx\n\tandl\t%eax,%ebx\n\txorl\t%esi,%ecx\n\taddl\t48(%esp),%edx\n\txorl\t%edi,%ebx\n\tshrdl\t$2,%ecx,%ecx\n\taddl\t%edx,%ebx\n\taddl\t28(%esp),%edx\n\taddl\t%ecx,%ebx\n\tmovl\t%edx,%ecx\n\tshrdl\t$14,%edx,%edx\n\tmovl\t(%esp),%esi\n\txorl\t%ecx,%edx\n\tmovl\t4(%esp),%edi\n\txorl\t%edi,%esi\n\tshrdl\t$5,%edx,%edx\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,28(%esp)\n\txorl\t%ecx,%edx\n\txorl\t%esi,%edi\n\tshrdl\t$6,%edx,%edx\n\tmovl\t%ebx,%ecx\n\taddl\t%edi,%edx\n\tmovl\t16(%esp),%edi\n\tmovl\t%ebx,%esi\n\tshrdl\t$9,%ecx,%ecx\n\tmovl\t%ebx,12(%esp)\n\txorl\t%ebx,%ecx\n\txorl\t%edi,%ebx\n\taddl\t8(%esp),%edx\n\tshrdl\t$11,%ecx,%ecx\n\tandl\t%ebx,%eax\n\txorl\t%esi,%ecx\n\taddl\t52(%esp),%edx\n\txorl\t%edi,%eax\n\tshrdl\t$2,%ecx,%ecx\n\taddl\t%edx,%eax\n\taddl\t24(%esp),%edx\n\taddl\t%ecx,%eax\n\tmovl\t%edx,%ecx\n\tshrdl\t$14,%edx,%edx\n\tmovl\t28(%esp),%esi\n\txorl\t%ecx,%edx\n\tmovl\t(%esp),%edi\n\txorl\t%edi,%esi\n\tshrdl\t$5,%edx,%edx\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,24(%esp)\n\txorl\t%ecx,%edx\n\txorl\t%esi,%edi\n\tshrdl\t$6,%edx,%edx\n\tmovl\t%eax,%ecx\n\taddl\t%edi,%edx\n\tmovl\t12(%esp),%edi\n\tmovl\t%eax,%esi\n\tshrdl\t$9,%ecx,%ecx\n\tmovl\t%eax,8(%esp)\n\txorl\t%eax,%ecx\n\txorl\t%edi,%eax\n\taddl\t4(%esp),%edx\n\tshrdl\t$11,%ecx,%ecx\n\tandl\t%eax,%ebx\n\txorl\t%esi,%ecx\n\taddl\t56(%esp),%edx\n\txorl\t%edi,%ebx\n\tshrdl\t$2,%ecx,%ecx\n\taddl\t%edx,%ebx\n\taddl\t20(%esp),%edx\n\taddl\t%ecx,%ebx\n\tmovl\t%edx,%ecx\n\tshrdl\t$14,%edx,%edx\n\tmovl\t24(%esp),%esi\n\txorl\t%ecx,%edx\n\tmovl\t28(%esp),%edi\n\txorl\t%edi,%esi\n\tshrdl\t$5,%edx,%edx\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,20(%esp)\n\txorl\t%ecx,%edx\n\txorl\t%esi,%edi\n\tshrdl\t$6,%edx,%edx\n\tmovl\t%ebx,%ecx\n\taddl\t%edi,%edx\n\tmovl\t8(%esp),%edi\n\tmovl\t%ebx,%esi\n\tshrdl\t$9,%ecx,%ecx\n\tmovl\t%ebx,4(%esp)\n\txorl\t%ebx,%ecx\n\txorl\t%edi,%ebx\n\taddl\t(%esp),%edx\n\tshrdl\t$11,%ecx,%ecx\n\tandl\t%ebx,%eax\n\txorl\t%esi,%ecx\n\taddl\t60(%esp),%edx\n\txorl\t%edi,%eax\n\tshrdl\t$2,%ecx,%ecx\n\taddl\t%edx,%eax\n\taddl\t16(%esp),%edx\n\taddl\t%ecx,%eax\n\tmovl\t%edx,%ecx\n\tshrdl\t$14,%edx,%edx\n\tmovl\t20(%esp),%esi\n\txorl\t%ecx,%edx\n\tmovl\t24(%esp),%edi\n\txorl\t%edi,%esi\n\tshrdl\t$5,%edx,%edx\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,16(%esp)\n\txorl\t%ecx,%edx\n\txorl\t%esi,%edi\n\tshrdl\t$6,%edx,%edx\n\tmovl\t%eax,%ecx\n\taddl\t%edi,%edx\n\tmovl\t4(%esp),%edi\n\tmovl\t%eax,%esi\n\tshrdl\t$9,%ecx,%ecx\n\tmovl\t%eax,(%esp)\n\txorl\t%eax,%ecx\n\txorl\t%edi,%eax\n\taddl\t28(%esp),%edx\n\tshrdl\t$11,%ecx,%ecx\n\tandl\t%eax,%ebx\n\txorl\t%esi,%ecx\n\taddl\t64(%esp),%edx\n\txorl\t%edi,%ebx\n\tshrdl\t$2,%ecx,%ecx\n\taddl\t%edx,%ebx\n\taddl\t12(%esp),%edx\n\taddl\t%ecx,%ebx\n\tmovl\t%edx,%ecx\n\tshrdl\t$14,%edx,%edx\n\tmovl\t16(%esp),%esi\n\txorl\t%ecx,%edx\n\tmovl\t20(%esp),%edi\n\txorl\t%edi,%esi\n\tshrdl\t$5,%edx,%edx\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,12(%esp)\n\txorl\t%ecx,%edx\n\txorl\t%esi,%edi\n\tshrdl\t$6,%edx,%edx\n\tmovl\t%ebx,%ecx\n\taddl\t%edi,%edx\n\tmovl\t(%esp),%edi\n\tmovl\t%ebx,%esi\n\tshrdl\t$9,%ecx,%ecx\n\tmovl\t%ebx,28(%esp)\n\txorl\t%ebx,%ecx\n\txorl\t%edi,%ebx\n\taddl\t24(%esp),%edx\n\tshrdl\t$11,%ecx,%ecx\n\tandl\t%ebx,%eax\n\txorl\t%esi,%ecx\n\taddl\t68(%esp),%edx\n\txorl\t%edi,%eax\n\tshrdl\t$2,%ecx,%ecx\n\taddl\t%edx,%eax\n\taddl\t8(%esp),%edx\n\taddl\t%ecx,%eax\n\tmovl\t%edx,%ecx\n\tshrdl\t$14,%edx,%edx\n\tmovl\t12(%esp),%esi\n\txorl\t%ecx,%edx\n\tmovl\t16(%esp),%edi\n\txorl\t%edi,%esi\n\tshrdl\t$5,%edx,%edx\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,8(%esp)\n\txorl\t%ecx,%edx\n\txorl\t%esi,%edi\n\tshrdl\t$6,%edx,%edx\n\tmovl\t%eax,%ecx\n\taddl\t%edi,%edx\n\tmovl\t28(%esp),%edi\n\tmovl\t%eax,%esi\n\tshrdl\t$9,%ecx,%ecx\n\tmovl\t%eax,24(%esp)\n\txorl\t%eax,%ecx\n\txorl\t%edi,%eax\n\taddl\t20(%esp),%edx\n\tshrdl\t$11,%ecx,%ecx\n\tandl\t%eax,%ebx\n\txorl\t%esi,%ecx\n\taddl\t72(%esp),%edx\n\txorl\t%edi,%ebx\n\tshrdl\t$2,%ecx,%ecx\n\taddl\t%edx,%ebx\n\taddl\t4(%esp),%edx\n\taddl\t%ecx,%ebx\n\tmovl\t%edx,%ecx\n\tshrdl\t$14,%edx,%edx\n\tmovl\t8(%esp),%esi\n\txorl\t%ecx,%edx\n\tmovl\t12(%esp),%edi\n\txorl\t%edi,%esi\n\tshrdl\t$5,%edx,%edx\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,4(%esp)\n\txorl\t%ecx,%edx\n\txorl\t%esi,%edi\n\tshrdl\t$6,%edx,%edx\n\tmovl\t%ebx,%ecx\n\taddl\t%edi,%edx\n\tmovl\t24(%esp),%edi\n\tmovl\t%ebx,%esi\n\tshrdl\t$9,%ecx,%ecx\n\tmovl\t%ebx,20(%esp)\n\txorl\t%ebx,%ecx\n\txorl\t%edi,%ebx\n\taddl\t16(%esp),%edx\n\tshrdl\t$11,%ecx,%ecx\n\tandl\t%ebx,%eax\n\txorl\t%esi,%ecx\n\taddl\t76(%esp),%edx\n\txorl\t%edi,%eax\n\tshrdl\t$2,%ecx,%ecx\n\taddl\t%edx,%eax\n\taddl\t(%esp),%edx\n\taddl\t%ecx,%eax\n\tmovl\t%edx,%ecx\n\tshrdl\t$14,%edx,%edx\n\tmovl\t4(%esp),%esi\n\txorl\t%ecx,%edx\n\tmovl\t8(%esp),%edi\n\txorl\t%edi,%esi\n\tshrdl\t$5,%edx,%edx\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,(%esp)\n\txorl\t%ecx,%edx\n\txorl\t%esi,%edi\n\tshrdl\t$6,%edx,%edx\n\tmovl\t%eax,%ecx\n\taddl\t%edi,%edx\n\tmovl\t20(%esp),%edi\n\tmovl\t%eax,%esi\n\tshrdl\t$9,%ecx,%ecx\n\tmovl\t%eax,16(%esp)\n\txorl\t%eax,%ecx\n\txorl\t%edi,%eax\n\taddl\t12(%esp),%edx\n\tshrdl\t$11,%ecx,%ecx\n\tandl\t%eax,%ebx\n\txorl\t%esi,%ecx\n\taddl\t80(%esp),%edx\n\txorl\t%edi,%ebx\n\tshrdl\t$2,%ecx,%ecx\n\taddl\t%edx,%ebx\n\taddl\t28(%esp),%edx\n\taddl\t%ecx,%ebx\n\tmovl\t%edx,%ecx\n\tshrdl\t$14,%edx,%edx\n\tmovl\t(%esp),%esi\n\txorl\t%ecx,%edx\n\tmovl\t4(%esp),%edi\n\txorl\t%edi,%esi\n\tshrdl\t$5,%edx,%edx\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,28(%esp)\n\txorl\t%ecx,%edx\n\txorl\t%esi,%edi\n\tshrdl\t$6,%edx,%edx\n\tmovl\t%ebx,%ecx\n\taddl\t%edi,%edx\n\tmovl\t16(%esp),%edi\n\tmovl\t%ebx,%esi\n\tshrdl\t$9,%ecx,%ecx\n\tmovl\t%ebx,12(%esp)\n\txorl\t%ebx,%ecx\n\txorl\t%edi,%ebx\n\taddl\t8(%esp),%edx\n\tshrdl\t$11,%ecx,%ecx\n\tandl\t%ebx,%eax\n\txorl\t%esi,%ecx\n\taddl\t84(%esp),%edx\n\txorl\t%edi,%eax\n\tshrdl\t$2,%ecx,%ecx\n\taddl\t%edx,%eax\n\taddl\t24(%esp),%edx\n\taddl\t%ecx,%eax\n\tmovl\t%edx,%ecx\n\tshrdl\t$14,%edx,%edx\n\tmovl\t28(%esp),%esi\n\txorl\t%ecx,%edx\n\tmovl\t(%esp),%edi\n\txorl\t%edi,%esi\n\tshrdl\t$5,%edx,%edx\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,24(%esp)\n\txorl\t%ecx,%edx\n\txorl\t%esi,%edi\n\tshrdl\t$6,%edx,%edx\n\tmovl\t%eax,%ecx\n\taddl\t%edi,%edx\n\tmovl\t12(%esp),%edi\n\tmovl\t%eax,%esi\n\tshrdl\t$9,%ecx,%ecx\n\tmovl\t%eax,8(%esp)\n\txorl\t%eax,%ecx\n\txorl\t%edi,%eax\n\taddl\t4(%esp),%edx\n\tshrdl\t$11,%ecx,%ecx\n\tandl\t%eax,%ebx\n\txorl\t%esi,%ecx\n\taddl\t88(%esp),%edx\n\txorl\t%edi,%ebx\n\tshrdl\t$2,%ecx,%ecx\n\taddl\t%edx,%ebx\n\taddl\t20(%esp),%edx\n\taddl\t%ecx,%ebx\n\tmovl\t%edx,%ecx\n\tshrdl\t$14,%edx,%edx\n\tmovl\t24(%esp),%esi\n\txorl\t%ecx,%edx\n\tmovl\t28(%esp),%edi\n\txorl\t%edi,%esi\n\tshrdl\t$5,%edx,%edx\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,20(%esp)\n\txorl\t%ecx,%edx\n\txorl\t%esi,%edi\n\tshrdl\t$6,%edx,%edx\n\tmovl\t%ebx,%ecx\n\taddl\t%edi,%edx\n\tmovl\t8(%esp),%edi\n\tmovl\t%ebx,%esi\n\tshrdl\t$9,%ecx,%ecx\n\tmovl\t%ebx,4(%esp)\n\txorl\t%ebx,%ecx\n\txorl\t%edi,%ebx\n\taddl\t(%esp),%edx\n\tshrdl\t$11,%ecx,%ecx\n\tandl\t%ebx,%eax\n\txorl\t%esi,%ecx\n\taddl\t92(%esp),%edx\n\txorl\t%edi,%eax\n\tshrdl\t$2,%ecx,%ecx\n\taddl\t%edx,%eax\n\taddl\t16(%esp),%edx\n\taddl\t%ecx,%eax\n\tmovl\t96(%esp),%esi\n\txorl\t%edi,%ebx\n\tmovl\t12(%esp),%ecx\n\taddl\t(%esi),%eax\n\taddl\t4(%esi),%ebx\n\taddl\t8(%esi),%edi\n\taddl\t12(%esi),%ecx\n\tmovl\t%eax,(%esi)\n\tmovl\t%ebx,4(%esi)\n\tmovl\t%edi,8(%esi)\n\tmovl\t%ecx,12(%esi)\n\tmovl\t%ebx,4(%esp)\n\txorl\t%edi,%ebx\n\tmovl\t%edi,8(%esp)\n\tmovl\t%ecx,12(%esp)\n\tmovl\t20(%esp),%edi\n\tmovl\t24(%esp),%ecx\n\taddl\t16(%esi),%edx\n\taddl\t20(%esi),%edi\n\taddl\t24(%esi),%ecx\n\tmovl\t%edx,16(%esi)\n\tmovl\t%edi,20(%esi)\n\tmovl\t%edi,20(%esp)\n\tmovl\t28(%esp),%edi\n\tmovl\t%ecx,24(%esi)\n\taddl\t28(%esi),%edi\n\tmovl\t%ecx,24(%esp)\n\tmovl\t%edi,28(%esi)\n\tmovl\t%edi,28(%esp)\n\tmovl\t100(%esp),%edi\n\tvmovdqa\t64(%ebp),%xmm7\n\tsubl\t$192,%ebp\n\tcmpl\t104(%esp),%edi\n\tjb\tL011grand_avx\n\tmovl\t108(%esp),%esp\n\tvzeroall\n\tpopl\t%edi\n\tpopl\t%esi\n\tpopl\t%ebx\n\tpopl\t%ebp\n\tret\n#endif // !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86) && defined(__APPLE__)\n#if defined(__linux__) && defined(__ELF__)\n.section .note.GNU-stack,\"\",%progbits\n#endif\n\n" }, { "path": "Sources/CNIOBoringSSL/gen/bcm/sha256-586-linux.S", "content": "#define BORINGSSL_PREFIX CNIOBoringSSL\n// This file is generated from a similarly-named Perl script in the BoringSSL\n// source tree. Do not edit by hand.\n\n#include \n\n#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86) && defined(__ELF__)\n.text\n.globl\tsha256_block_data_order_nohw\n.hidden\tsha256_block_data_order_nohw\n.type\tsha256_block_data_order_nohw,@function\n.align\t16\nsha256_block_data_order_nohw:\n.L_sha256_block_data_order_nohw_begin:\n\tpushl\t%ebp\n\tpushl\t%ebx\n\tpushl\t%esi\n\tpushl\t%edi\n\tmovl\t20(%esp),%esi\n\tmovl\t24(%esp),%edi\n\tmovl\t28(%esp),%eax\n\tmovl\t%esp,%ebx\n\tcall\t.L000pic_point\n.L000pic_point:\n\tpopl\t%ebp\n\tleal\t.LK256-.L000pic_point(%ebp),%ebp\n\tsubl\t$16,%esp\n\tandl\t$-64,%esp\n\tshll\t$6,%eax\n\taddl\t%edi,%eax\n\tmovl\t%esi,(%esp)\n\tmovl\t%edi,4(%esp)\n\tmovl\t%eax,8(%esp)\n\tmovl\t%ebx,12(%esp)\n.L001no_xmm:\n\tsubl\t%edi,%eax\n\tcmpl\t$256,%eax\n\tjae\t.L002unrolled\n\tjmp\t.L003loop\n.align\t16\n.L003loop:\n\tmovl\t(%edi),%eax\n\tmovl\t4(%edi),%ebx\n\tmovl\t8(%edi),%ecx\n\tbswap\t%eax\n\tmovl\t12(%edi),%edx\n\tbswap\t%ebx\n\tpushl\t%eax\n\tbswap\t%ecx\n\tpushl\t%ebx\n\tbswap\t%edx\n\tpushl\t%ecx\n\tpushl\t%edx\n\tmovl\t16(%edi),%eax\n\tmovl\t20(%edi),%ebx\n\tmovl\t24(%edi),%ecx\n\tbswap\t%eax\n\tmovl\t28(%edi),%edx\n\tbswap\t%ebx\n\tpushl\t%eax\n\tbswap\t%ecx\n\tpushl\t%ebx\n\tbswap\t%edx\n\tpushl\t%ecx\n\tpushl\t%edx\n\tmovl\t32(%edi),%eax\n\tmovl\t36(%edi),%ebx\n\tmovl\t40(%edi),%ecx\n\tbswap\t%eax\n\tmovl\t44(%edi),%edx\n\tbswap\t%ebx\n\tpushl\t%eax\n\tbswap\t%ecx\n\tpushl\t%ebx\n\tbswap\t%edx\n\tpushl\t%ecx\n\tpushl\t%edx\n\tmovl\t48(%edi),%eax\n\tmovl\t52(%edi),%ebx\n\tmovl\t56(%edi),%ecx\n\tbswap\t%eax\n\tmovl\t60(%edi),%edx\n\tbswap\t%ebx\n\tpushl\t%eax\n\tbswap\t%ecx\n\tpushl\t%ebx\n\tbswap\t%edx\n\tpushl\t%ecx\n\tpushl\t%edx\n\taddl\t$64,%edi\n\tleal\t-36(%esp),%esp\n\tmovl\t%edi,104(%esp)\n\tmovl\t(%esi),%eax\n\tmovl\t4(%esi),%ebx\n\tmovl\t8(%esi),%ecx\n\tmovl\t12(%esi),%edi\n\tmovl\t%ebx,8(%esp)\n\txorl\t%ecx,%ebx\n\tmovl\t%ecx,12(%esp)\n\tmovl\t%edi,16(%esp)\n\tmovl\t%ebx,(%esp)\n\tmovl\t16(%esi),%edx\n\tmovl\t20(%esi),%ebx\n\tmovl\t24(%esi),%ecx\n\tmovl\t28(%esi),%edi\n\tmovl\t%ebx,24(%esp)\n\tmovl\t%ecx,28(%esp)\n\tmovl\t%edi,32(%esp)\n.align\t16\n.L00400_15:\n\tmovl\t%edx,%ecx\n\tmovl\t24(%esp),%esi\n\trorl\t$14,%ecx\n\tmovl\t28(%esp),%edi\n\txorl\t%edx,%ecx\n\txorl\t%edi,%esi\n\tmovl\t96(%esp),%ebx\n\trorl\t$5,%ecx\n\tandl\t%edx,%esi\n\tmovl\t%edx,20(%esp)\n\txorl\t%ecx,%edx\n\taddl\t32(%esp),%ebx\n\txorl\t%edi,%esi\n\trorl\t$6,%edx\n\tmovl\t%eax,%ecx\n\taddl\t%esi,%ebx\n\trorl\t$9,%ecx\n\taddl\t%edx,%ebx\n\tmovl\t8(%esp),%edi\n\txorl\t%eax,%ecx\n\tmovl\t%eax,4(%esp)\n\tleal\t-4(%esp),%esp\n\trorl\t$11,%ecx\n\tmovl\t(%ebp),%esi\n\txorl\t%eax,%ecx\n\tmovl\t20(%esp),%edx\n\txorl\t%edi,%eax\n\trorl\t$2,%ecx\n\taddl\t%esi,%ebx\n\tmovl\t%eax,(%esp)\n\taddl\t%ebx,%edx\n\tandl\t4(%esp),%eax\n\taddl\t%ecx,%ebx\n\txorl\t%edi,%eax\n\taddl\t$4,%ebp\n\taddl\t%ebx,%eax\n\tcmpl\t$3248222580,%esi\n\tjne\t.L00400_15\n\tmovl\t156(%esp),%ecx\n\tjmp\t.L00516_63\n.align\t16\n.L00516_63:\n\tmovl\t%ecx,%ebx\n\tmovl\t104(%esp),%esi\n\trorl\t$11,%ecx\n\tmovl\t%esi,%edi\n\trorl\t$2,%esi\n\txorl\t%ebx,%ecx\n\tshrl\t$3,%ebx\n\trorl\t$7,%ecx\n\txorl\t%edi,%esi\n\txorl\t%ecx,%ebx\n\trorl\t$17,%esi\n\taddl\t160(%esp),%ebx\n\tshrl\t$10,%edi\n\taddl\t124(%esp),%ebx\n\tmovl\t%edx,%ecx\n\txorl\t%esi,%edi\n\tmovl\t24(%esp),%esi\n\trorl\t$14,%ecx\n\taddl\t%edi,%ebx\n\tmovl\t28(%esp),%edi\n\txorl\t%edx,%ecx\n\txorl\t%edi,%esi\n\tmovl\t%ebx,96(%esp)\n\trorl\t$5,%ecx\n\tandl\t%edx,%esi\n\tmovl\t%edx,20(%esp)\n\txorl\t%ecx,%edx\n\taddl\t32(%esp),%ebx\n\txorl\t%edi,%esi\n\trorl\t$6,%edx\n\tmovl\t%eax,%ecx\n\taddl\t%esi,%ebx\n\trorl\t$9,%ecx\n\taddl\t%edx,%ebx\n\tmovl\t8(%esp),%edi\n\txorl\t%eax,%ecx\n\tmovl\t%eax,4(%esp)\n\tleal\t-4(%esp),%esp\n\trorl\t$11,%ecx\n\tmovl\t(%ebp),%esi\n\txorl\t%eax,%ecx\n\tmovl\t20(%esp),%edx\n\txorl\t%edi,%eax\n\trorl\t$2,%ecx\n\taddl\t%esi,%ebx\n\tmovl\t%eax,(%esp)\n\taddl\t%ebx,%edx\n\tandl\t4(%esp),%eax\n\taddl\t%ecx,%ebx\n\txorl\t%edi,%eax\n\tmovl\t156(%esp),%ecx\n\taddl\t$4,%ebp\n\taddl\t%ebx,%eax\n\tcmpl\t$3329325298,%esi\n\tjne\t.L00516_63\n\tmovl\t356(%esp),%esi\n\tmovl\t8(%esp),%ebx\n\tmovl\t16(%esp),%ecx\n\taddl\t(%esi),%eax\n\taddl\t4(%esi),%ebx\n\taddl\t8(%esi),%edi\n\taddl\t12(%esi),%ecx\n\tmovl\t%eax,(%esi)\n\tmovl\t%ebx,4(%esi)\n\tmovl\t%edi,8(%esi)\n\tmovl\t%ecx,12(%esi)\n\tmovl\t24(%esp),%eax\n\tmovl\t28(%esp),%ebx\n\tmovl\t32(%esp),%ecx\n\tmovl\t360(%esp),%edi\n\taddl\t16(%esi),%edx\n\taddl\t20(%esi),%eax\n\taddl\t24(%esi),%ebx\n\taddl\t28(%esi),%ecx\n\tmovl\t%edx,16(%esi)\n\tmovl\t%eax,20(%esi)\n\tmovl\t%ebx,24(%esi)\n\tmovl\t%ecx,28(%esi)\n\tleal\t356(%esp),%esp\n\tsubl\t$256,%ebp\n\tcmpl\t8(%esp),%edi\n\tjb\t.L003loop\n\tmovl\t12(%esp),%esp\n\tpopl\t%edi\n\tpopl\t%esi\n\tpopl\t%ebx\n\tpopl\t%ebp\n\tret\n.align\t64\n.LK256:\n.long\t1116352408,1899447441,3049323471,3921009573,961987163,1508970993,2453635748,2870763221,3624381080,310598401,607225278,1426881987,1925078388,2162078206,2614888103,3248222580,3835390401,4022224774,264347078,604807628,770255983,1249150122,1555081692,1996064986,2554220882,2821834349,2952996808,3210313671,3336571891,3584528711,113926993,338241895,666307205,773529912,1294757372,1396182291,1695183700,1986661051,2177026350,2456956037,2730485921,2820302411,3259730800,3345764771,3516065817,3600352804,4094571909,275423344,430227734,506948616,659060556,883997877,958139571,1322822218,1537002063,1747873779,1955562222,2024104815,2227730452,2361852424,2428436474,2756734187,3204031479,3329325298\n.long\t66051,67438087,134810123,202182159\n.byte\t83,72,65,50,53,54,32,98,108,111,99,107,32,116,114,97\n.byte\t110,115,102,111,114,109,32,102,111,114,32,120,56,54,44,32\n.byte\t67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97\n.byte\t112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103\n.byte\t62,0\n.align\t16\n.L002unrolled:\n\tleal\t-96(%esp),%esp\n\tmovl\t(%esi),%eax\n\tmovl\t4(%esi),%ebp\n\tmovl\t8(%esi),%ecx\n\tmovl\t12(%esi),%ebx\n\tmovl\t%ebp,4(%esp)\n\txorl\t%ecx,%ebp\n\tmovl\t%ecx,8(%esp)\n\tmovl\t%ebx,12(%esp)\n\tmovl\t16(%esi),%edx\n\tmovl\t20(%esi),%ebx\n\tmovl\t24(%esi),%ecx\n\tmovl\t28(%esi),%esi\n\tmovl\t%ebx,20(%esp)\n\tmovl\t%ecx,24(%esp)\n\tmovl\t%esi,28(%esp)\n\tjmp\t.L006grand_loop\n.align\t16\n.L006grand_loop:\n\tmovl\t(%edi),%ebx\n\tmovl\t4(%edi),%ecx\n\tbswap\t%ebx\n\tmovl\t8(%edi),%esi\n\tbswap\t%ecx\n\tmovl\t%ebx,32(%esp)\n\tbswap\t%esi\n\tmovl\t%ecx,36(%esp)\n\tmovl\t%esi,40(%esp)\n\tmovl\t12(%edi),%ebx\n\tmovl\t16(%edi),%ecx\n\tbswap\t%ebx\n\tmovl\t20(%edi),%esi\n\tbswap\t%ecx\n\tmovl\t%ebx,44(%esp)\n\tbswap\t%esi\n\tmovl\t%ecx,48(%esp)\n\tmovl\t%esi,52(%esp)\n\tmovl\t24(%edi),%ebx\n\tmovl\t28(%edi),%ecx\n\tbswap\t%ebx\n\tmovl\t32(%edi),%esi\n\tbswap\t%ecx\n\tmovl\t%ebx,56(%esp)\n\tbswap\t%esi\n\tmovl\t%ecx,60(%esp)\n\tmovl\t%esi,64(%esp)\n\tmovl\t36(%edi),%ebx\n\tmovl\t40(%edi),%ecx\n\tbswap\t%ebx\n\tmovl\t44(%edi),%esi\n\tbswap\t%ecx\n\tmovl\t%ebx,68(%esp)\n\tbswap\t%esi\n\tmovl\t%ecx,72(%esp)\n\tmovl\t%esi,76(%esp)\n\tmovl\t48(%edi),%ebx\n\tmovl\t52(%edi),%ecx\n\tbswap\t%ebx\n\tmovl\t56(%edi),%esi\n\tbswap\t%ecx\n\tmovl\t%ebx,80(%esp)\n\tbswap\t%esi\n\tmovl\t%ecx,84(%esp)\n\tmovl\t%esi,88(%esp)\n\tmovl\t60(%edi),%ebx\n\taddl\t$64,%edi\n\tbswap\t%ebx\n\tmovl\t%edi,100(%esp)\n\tmovl\t%ebx,92(%esp)\n\tmovl\t%edx,%ecx\n\tmovl\t20(%esp),%esi\n\trorl\t$14,%edx\n\tmovl\t24(%esp),%edi\n\txorl\t%ecx,%edx\n\tmovl\t32(%esp),%ebx\n\txorl\t%edi,%esi\n\trorl\t$5,%edx\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,16(%esp)\n\txorl\t%ecx,%edx\n\taddl\t28(%esp),%ebx\n\txorl\t%esi,%edi\n\trorl\t$6,%edx\n\tmovl\t%eax,%ecx\n\taddl\t%edi,%ebx\n\trorl\t$9,%ecx\n\tmovl\t%eax,%esi\n\tmovl\t4(%esp),%edi\n\txorl\t%eax,%ecx\n\tmovl\t%eax,(%esp)\n\txorl\t%edi,%eax\n\trorl\t$11,%ecx\n\tandl\t%eax,%ebp\n\tleal\t1116352408(%ebx,%edx,1),%edx\n\txorl\t%esi,%ecx\n\txorl\t%edi,%ebp\n\trorl\t$2,%ecx\n\taddl\t%edx,%ebp\n\taddl\t12(%esp),%edx\n\taddl\t%ecx,%ebp\n\tmovl\t%edx,%esi\n\tmovl\t16(%esp),%ecx\n\trorl\t$14,%edx\n\tmovl\t20(%esp),%edi\n\txorl\t%esi,%edx\n\tmovl\t36(%esp),%ebx\n\txorl\t%edi,%ecx\n\trorl\t$5,%edx\n\tandl\t%esi,%ecx\n\tmovl\t%esi,12(%esp)\n\txorl\t%esi,%edx\n\taddl\t24(%esp),%ebx\n\txorl\t%ecx,%edi\n\trorl\t$6,%edx\n\tmovl\t%ebp,%esi\n\taddl\t%edi,%ebx\n\trorl\t$9,%esi\n\tmovl\t%ebp,%ecx\n\tmovl\t(%esp),%edi\n\txorl\t%ebp,%esi\n\tmovl\t%ebp,28(%esp)\n\txorl\t%edi,%ebp\n\trorl\t$11,%esi\n\tandl\t%ebp,%eax\n\tleal\t1899447441(%ebx,%edx,1),%edx\n\txorl\t%ecx,%esi\n\txorl\t%edi,%eax\n\trorl\t$2,%esi\n\taddl\t%edx,%eax\n\taddl\t8(%esp),%edx\n\taddl\t%esi,%eax\n\tmovl\t%edx,%ecx\n\tmovl\t12(%esp),%esi\n\trorl\t$14,%edx\n\tmovl\t16(%esp),%edi\n\txorl\t%ecx,%edx\n\tmovl\t40(%esp),%ebx\n\txorl\t%edi,%esi\n\trorl\t$5,%edx\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,8(%esp)\n\txorl\t%ecx,%edx\n\taddl\t20(%esp),%ebx\n\txorl\t%esi,%edi\n\trorl\t$6,%edx\n\tmovl\t%eax,%ecx\n\taddl\t%edi,%ebx\n\trorl\t$9,%ecx\n\tmovl\t%eax,%esi\n\tmovl\t28(%esp),%edi\n\txorl\t%eax,%ecx\n\tmovl\t%eax,24(%esp)\n\txorl\t%edi,%eax\n\trorl\t$11,%ecx\n\tandl\t%eax,%ebp\n\tleal\t3049323471(%ebx,%edx,1),%edx\n\txorl\t%esi,%ecx\n\txorl\t%edi,%ebp\n\trorl\t$2,%ecx\n\taddl\t%edx,%ebp\n\taddl\t4(%esp),%edx\n\taddl\t%ecx,%ebp\n\tmovl\t%edx,%esi\n\tmovl\t8(%esp),%ecx\n\trorl\t$14,%edx\n\tmovl\t12(%esp),%edi\n\txorl\t%esi,%edx\n\tmovl\t44(%esp),%ebx\n\txorl\t%edi,%ecx\n\trorl\t$5,%edx\n\tandl\t%esi,%ecx\n\tmovl\t%esi,4(%esp)\n\txorl\t%esi,%edx\n\taddl\t16(%esp),%ebx\n\txorl\t%ecx,%edi\n\trorl\t$6,%edx\n\tmovl\t%ebp,%esi\n\taddl\t%edi,%ebx\n\trorl\t$9,%esi\n\tmovl\t%ebp,%ecx\n\tmovl\t24(%esp),%edi\n\txorl\t%ebp,%esi\n\tmovl\t%ebp,20(%esp)\n\txorl\t%edi,%ebp\n\trorl\t$11,%esi\n\tandl\t%ebp,%eax\n\tleal\t3921009573(%ebx,%edx,1),%edx\n\txorl\t%ecx,%esi\n\txorl\t%edi,%eax\n\trorl\t$2,%esi\n\taddl\t%edx,%eax\n\taddl\t(%esp),%edx\n\taddl\t%esi,%eax\n\tmovl\t%edx,%ecx\n\tmovl\t4(%esp),%esi\n\trorl\t$14,%edx\n\tmovl\t8(%esp),%edi\n\txorl\t%ecx,%edx\n\tmovl\t48(%esp),%ebx\n\txorl\t%edi,%esi\n\trorl\t$5,%edx\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,(%esp)\n\txorl\t%ecx,%edx\n\taddl\t12(%esp),%ebx\n\txorl\t%esi,%edi\n\trorl\t$6,%edx\n\tmovl\t%eax,%ecx\n\taddl\t%edi,%ebx\n\trorl\t$9,%ecx\n\tmovl\t%eax,%esi\n\tmovl\t20(%esp),%edi\n\txorl\t%eax,%ecx\n\tmovl\t%eax,16(%esp)\n\txorl\t%edi,%eax\n\trorl\t$11,%ecx\n\tandl\t%eax,%ebp\n\tleal\t961987163(%ebx,%edx,1),%edx\n\txorl\t%esi,%ecx\n\txorl\t%edi,%ebp\n\trorl\t$2,%ecx\n\taddl\t%edx,%ebp\n\taddl\t28(%esp),%edx\n\taddl\t%ecx,%ebp\n\tmovl\t%edx,%esi\n\tmovl\t(%esp),%ecx\n\trorl\t$14,%edx\n\tmovl\t4(%esp),%edi\n\txorl\t%esi,%edx\n\tmovl\t52(%esp),%ebx\n\txorl\t%edi,%ecx\n\trorl\t$5,%edx\n\tandl\t%esi,%ecx\n\tmovl\t%esi,28(%esp)\n\txorl\t%esi,%edx\n\taddl\t8(%esp),%ebx\n\txorl\t%ecx,%edi\n\trorl\t$6,%edx\n\tmovl\t%ebp,%esi\n\taddl\t%edi,%ebx\n\trorl\t$9,%esi\n\tmovl\t%ebp,%ecx\n\tmovl\t16(%esp),%edi\n\txorl\t%ebp,%esi\n\tmovl\t%ebp,12(%esp)\n\txorl\t%edi,%ebp\n\trorl\t$11,%esi\n\tandl\t%ebp,%eax\n\tleal\t1508970993(%ebx,%edx,1),%edx\n\txorl\t%ecx,%esi\n\txorl\t%edi,%eax\n\trorl\t$2,%esi\n\taddl\t%edx,%eax\n\taddl\t24(%esp),%edx\n\taddl\t%esi,%eax\n\tmovl\t%edx,%ecx\n\tmovl\t28(%esp),%esi\n\trorl\t$14,%edx\n\tmovl\t(%esp),%edi\n\txorl\t%ecx,%edx\n\tmovl\t56(%esp),%ebx\n\txorl\t%edi,%esi\n\trorl\t$5,%edx\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,24(%esp)\n\txorl\t%ecx,%edx\n\taddl\t4(%esp),%ebx\n\txorl\t%esi,%edi\n\trorl\t$6,%edx\n\tmovl\t%eax,%ecx\n\taddl\t%edi,%ebx\n\trorl\t$9,%ecx\n\tmovl\t%eax,%esi\n\tmovl\t12(%esp),%edi\n\txorl\t%eax,%ecx\n\tmovl\t%eax,8(%esp)\n\txorl\t%edi,%eax\n\trorl\t$11,%ecx\n\tandl\t%eax,%ebp\n\tleal\t2453635748(%ebx,%edx,1),%edx\n\txorl\t%esi,%ecx\n\txorl\t%edi,%ebp\n\trorl\t$2,%ecx\n\taddl\t%edx,%ebp\n\taddl\t20(%esp),%edx\n\taddl\t%ecx,%ebp\n\tmovl\t%edx,%esi\n\tmovl\t24(%esp),%ecx\n\trorl\t$14,%edx\n\tmovl\t28(%esp),%edi\n\txorl\t%esi,%edx\n\tmovl\t60(%esp),%ebx\n\txorl\t%edi,%ecx\n\trorl\t$5,%edx\n\tandl\t%esi,%ecx\n\tmovl\t%esi,20(%esp)\n\txorl\t%esi,%edx\n\taddl\t(%esp),%ebx\n\txorl\t%ecx,%edi\n\trorl\t$6,%edx\n\tmovl\t%ebp,%esi\n\taddl\t%edi,%ebx\n\trorl\t$9,%esi\n\tmovl\t%ebp,%ecx\n\tmovl\t8(%esp),%edi\n\txorl\t%ebp,%esi\n\tmovl\t%ebp,4(%esp)\n\txorl\t%edi,%ebp\n\trorl\t$11,%esi\n\tandl\t%ebp,%eax\n\tleal\t2870763221(%ebx,%edx,1),%edx\n\txorl\t%ecx,%esi\n\txorl\t%edi,%eax\n\trorl\t$2,%esi\n\taddl\t%edx,%eax\n\taddl\t16(%esp),%edx\n\taddl\t%esi,%eax\n\tmovl\t%edx,%ecx\n\tmovl\t20(%esp),%esi\n\trorl\t$14,%edx\n\tmovl\t24(%esp),%edi\n\txorl\t%ecx,%edx\n\tmovl\t64(%esp),%ebx\n\txorl\t%edi,%esi\n\trorl\t$5,%edx\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,16(%esp)\n\txorl\t%ecx,%edx\n\taddl\t28(%esp),%ebx\n\txorl\t%esi,%edi\n\trorl\t$6,%edx\n\tmovl\t%eax,%ecx\n\taddl\t%edi,%ebx\n\trorl\t$9,%ecx\n\tmovl\t%eax,%esi\n\tmovl\t4(%esp),%edi\n\txorl\t%eax,%ecx\n\tmovl\t%eax,(%esp)\n\txorl\t%edi,%eax\n\trorl\t$11,%ecx\n\tandl\t%eax,%ebp\n\tleal\t3624381080(%ebx,%edx,1),%edx\n\txorl\t%esi,%ecx\n\txorl\t%edi,%ebp\n\trorl\t$2,%ecx\n\taddl\t%edx,%ebp\n\taddl\t12(%esp),%edx\n\taddl\t%ecx,%ebp\n\tmovl\t%edx,%esi\n\tmovl\t16(%esp),%ecx\n\trorl\t$14,%edx\n\tmovl\t20(%esp),%edi\n\txorl\t%esi,%edx\n\tmovl\t68(%esp),%ebx\n\txorl\t%edi,%ecx\n\trorl\t$5,%edx\n\tandl\t%esi,%ecx\n\tmovl\t%esi,12(%esp)\n\txorl\t%esi,%edx\n\taddl\t24(%esp),%ebx\n\txorl\t%ecx,%edi\n\trorl\t$6,%edx\n\tmovl\t%ebp,%esi\n\taddl\t%edi,%ebx\n\trorl\t$9,%esi\n\tmovl\t%ebp,%ecx\n\tmovl\t(%esp),%edi\n\txorl\t%ebp,%esi\n\tmovl\t%ebp,28(%esp)\n\txorl\t%edi,%ebp\n\trorl\t$11,%esi\n\tandl\t%ebp,%eax\n\tleal\t310598401(%ebx,%edx,1),%edx\n\txorl\t%ecx,%esi\n\txorl\t%edi,%eax\n\trorl\t$2,%esi\n\taddl\t%edx,%eax\n\taddl\t8(%esp),%edx\n\taddl\t%esi,%eax\n\tmovl\t%edx,%ecx\n\tmovl\t12(%esp),%esi\n\trorl\t$14,%edx\n\tmovl\t16(%esp),%edi\n\txorl\t%ecx,%edx\n\tmovl\t72(%esp),%ebx\n\txorl\t%edi,%esi\n\trorl\t$5,%edx\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,8(%esp)\n\txorl\t%ecx,%edx\n\taddl\t20(%esp),%ebx\n\txorl\t%esi,%edi\n\trorl\t$6,%edx\n\tmovl\t%eax,%ecx\n\taddl\t%edi,%ebx\n\trorl\t$9,%ecx\n\tmovl\t%eax,%esi\n\tmovl\t28(%esp),%edi\n\txorl\t%eax,%ecx\n\tmovl\t%eax,24(%esp)\n\txorl\t%edi,%eax\n\trorl\t$11,%ecx\n\tandl\t%eax,%ebp\n\tleal\t607225278(%ebx,%edx,1),%edx\n\txorl\t%esi,%ecx\n\txorl\t%edi,%ebp\n\trorl\t$2,%ecx\n\taddl\t%edx,%ebp\n\taddl\t4(%esp),%edx\n\taddl\t%ecx,%ebp\n\tmovl\t%edx,%esi\n\tmovl\t8(%esp),%ecx\n\trorl\t$14,%edx\n\tmovl\t12(%esp),%edi\n\txorl\t%esi,%edx\n\tmovl\t76(%esp),%ebx\n\txorl\t%edi,%ecx\n\trorl\t$5,%edx\n\tandl\t%esi,%ecx\n\tmovl\t%esi,4(%esp)\n\txorl\t%esi,%edx\n\taddl\t16(%esp),%ebx\n\txorl\t%ecx,%edi\n\trorl\t$6,%edx\n\tmovl\t%ebp,%esi\n\taddl\t%edi,%ebx\n\trorl\t$9,%esi\n\tmovl\t%ebp,%ecx\n\tmovl\t24(%esp),%edi\n\txorl\t%ebp,%esi\n\tmovl\t%ebp,20(%esp)\n\txorl\t%edi,%ebp\n\trorl\t$11,%esi\n\tandl\t%ebp,%eax\n\tleal\t1426881987(%ebx,%edx,1),%edx\n\txorl\t%ecx,%esi\n\txorl\t%edi,%eax\n\trorl\t$2,%esi\n\taddl\t%edx,%eax\n\taddl\t(%esp),%edx\n\taddl\t%esi,%eax\n\tmovl\t%edx,%ecx\n\tmovl\t4(%esp),%esi\n\trorl\t$14,%edx\n\tmovl\t8(%esp),%edi\n\txorl\t%ecx,%edx\n\tmovl\t80(%esp),%ebx\n\txorl\t%edi,%esi\n\trorl\t$5,%edx\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,(%esp)\n\txorl\t%ecx,%edx\n\taddl\t12(%esp),%ebx\n\txorl\t%esi,%edi\n\trorl\t$6,%edx\n\tmovl\t%eax,%ecx\n\taddl\t%edi,%ebx\n\trorl\t$9,%ecx\n\tmovl\t%eax,%esi\n\tmovl\t20(%esp),%edi\n\txorl\t%eax,%ecx\n\tmovl\t%eax,16(%esp)\n\txorl\t%edi,%eax\n\trorl\t$11,%ecx\n\tandl\t%eax,%ebp\n\tleal\t1925078388(%ebx,%edx,1),%edx\n\txorl\t%esi,%ecx\n\txorl\t%edi,%ebp\n\trorl\t$2,%ecx\n\taddl\t%edx,%ebp\n\taddl\t28(%esp),%edx\n\taddl\t%ecx,%ebp\n\tmovl\t%edx,%esi\n\tmovl\t(%esp),%ecx\n\trorl\t$14,%edx\n\tmovl\t4(%esp),%edi\n\txorl\t%esi,%edx\n\tmovl\t84(%esp),%ebx\n\txorl\t%edi,%ecx\n\trorl\t$5,%edx\n\tandl\t%esi,%ecx\n\tmovl\t%esi,28(%esp)\n\txorl\t%esi,%edx\n\taddl\t8(%esp),%ebx\n\txorl\t%ecx,%edi\n\trorl\t$6,%edx\n\tmovl\t%ebp,%esi\n\taddl\t%edi,%ebx\n\trorl\t$9,%esi\n\tmovl\t%ebp,%ecx\n\tmovl\t16(%esp),%edi\n\txorl\t%ebp,%esi\n\tmovl\t%ebp,12(%esp)\n\txorl\t%edi,%ebp\n\trorl\t$11,%esi\n\tandl\t%ebp,%eax\n\tleal\t2162078206(%ebx,%edx,1),%edx\n\txorl\t%ecx,%esi\n\txorl\t%edi,%eax\n\trorl\t$2,%esi\n\taddl\t%edx,%eax\n\taddl\t24(%esp),%edx\n\taddl\t%esi,%eax\n\tmovl\t%edx,%ecx\n\tmovl\t28(%esp),%esi\n\trorl\t$14,%edx\n\tmovl\t(%esp),%edi\n\txorl\t%ecx,%edx\n\tmovl\t88(%esp),%ebx\n\txorl\t%edi,%esi\n\trorl\t$5,%edx\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,24(%esp)\n\txorl\t%ecx,%edx\n\taddl\t4(%esp),%ebx\n\txorl\t%esi,%edi\n\trorl\t$6,%edx\n\tmovl\t%eax,%ecx\n\taddl\t%edi,%ebx\n\trorl\t$9,%ecx\n\tmovl\t%eax,%esi\n\tmovl\t12(%esp),%edi\n\txorl\t%eax,%ecx\n\tmovl\t%eax,8(%esp)\n\txorl\t%edi,%eax\n\trorl\t$11,%ecx\n\tandl\t%eax,%ebp\n\tleal\t2614888103(%ebx,%edx,1),%edx\n\txorl\t%esi,%ecx\n\txorl\t%edi,%ebp\n\trorl\t$2,%ecx\n\taddl\t%edx,%ebp\n\taddl\t20(%esp),%edx\n\taddl\t%ecx,%ebp\n\tmovl\t%edx,%esi\n\tmovl\t24(%esp),%ecx\n\trorl\t$14,%edx\n\tmovl\t28(%esp),%edi\n\txorl\t%esi,%edx\n\tmovl\t92(%esp),%ebx\n\txorl\t%edi,%ecx\n\trorl\t$5,%edx\n\tandl\t%esi,%ecx\n\tmovl\t%esi,20(%esp)\n\txorl\t%esi,%edx\n\taddl\t(%esp),%ebx\n\txorl\t%ecx,%edi\n\trorl\t$6,%edx\n\tmovl\t%ebp,%esi\n\taddl\t%edi,%ebx\n\trorl\t$9,%esi\n\tmovl\t%ebp,%ecx\n\tmovl\t8(%esp),%edi\n\txorl\t%ebp,%esi\n\tmovl\t%ebp,4(%esp)\n\txorl\t%edi,%ebp\n\trorl\t$11,%esi\n\tandl\t%ebp,%eax\n\tleal\t3248222580(%ebx,%edx,1),%edx\n\txorl\t%ecx,%esi\n\txorl\t%edi,%eax\n\tmovl\t36(%esp),%ecx\n\trorl\t$2,%esi\n\taddl\t%edx,%eax\n\taddl\t16(%esp),%edx\n\taddl\t%esi,%eax\n\tmovl\t88(%esp),%esi\n\tmovl\t%ecx,%ebx\n\trorl\t$11,%ecx\n\tmovl\t%esi,%edi\n\trorl\t$2,%esi\n\txorl\t%ebx,%ecx\n\tshrl\t$3,%ebx\n\trorl\t$7,%ecx\n\txorl\t%edi,%esi\n\txorl\t%ecx,%ebx\n\trorl\t$17,%esi\n\taddl\t32(%esp),%ebx\n\tshrl\t$10,%edi\n\taddl\t68(%esp),%ebx\n\tmovl\t%edx,%ecx\n\txorl\t%esi,%edi\n\tmovl\t20(%esp),%esi\n\trorl\t$14,%edx\n\taddl\t%edi,%ebx\n\tmovl\t24(%esp),%edi\n\txorl\t%ecx,%edx\n\tmovl\t%ebx,32(%esp)\n\txorl\t%edi,%esi\n\trorl\t$5,%edx\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,16(%esp)\n\txorl\t%ecx,%edx\n\taddl\t28(%esp),%ebx\n\txorl\t%esi,%edi\n\trorl\t$6,%edx\n\tmovl\t%eax,%ecx\n\taddl\t%edi,%ebx\n\trorl\t$9,%ecx\n\tmovl\t%eax,%esi\n\tmovl\t4(%esp),%edi\n\txorl\t%eax,%ecx\n\tmovl\t%eax,(%esp)\n\txorl\t%edi,%eax\n\trorl\t$11,%ecx\n\tandl\t%eax,%ebp\n\tleal\t3835390401(%ebx,%edx,1),%edx\n\txorl\t%esi,%ecx\n\txorl\t%edi,%ebp\n\tmovl\t40(%esp),%esi\n\trorl\t$2,%ecx\n\taddl\t%edx,%ebp\n\taddl\t12(%esp),%edx\n\taddl\t%ecx,%ebp\n\tmovl\t92(%esp),%ecx\n\tmovl\t%esi,%ebx\n\trorl\t$11,%esi\n\tmovl\t%ecx,%edi\n\trorl\t$2,%ecx\n\txorl\t%ebx,%esi\n\tshrl\t$3,%ebx\n\trorl\t$7,%esi\n\txorl\t%edi,%ecx\n\txorl\t%esi,%ebx\n\trorl\t$17,%ecx\n\taddl\t36(%esp),%ebx\n\tshrl\t$10,%edi\n\taddl\t72(%esp),%ebx\n\tmovl\t%edx,%esi\n\txorl\t%ecx,%edi\n\tmovl\t16(%esp),%ecx\n\trorl\t$14,%edx\n\taddl\t%edi,%ebx\n\tmovl\t20(%esp),%edi\n\txorl\t%esi,%edx\n\tmovl\t%ebx,36(%esp)\n\txorl\t%edi,%ecx\n\trorl\t$5,%edx\n\tandl\t%esi,%ecx\n\tmovl\t%esi,12(%esp)\n\txorl\t%esi,%edx\n\taddl\t24(%esp),%ebx\n\txorl\t%ecx,%edi\n\trorl\t$6,%edx\n\tmovl\t%ebp,%esi\n\taddl\t%edi,%ebx\n\trorl\t$9,%esi\n\tmovl\t%ebp,%ecx\n\tmovl\t(%esp),%edi\n\txorl\t%ebp,%esi\n\tmovl\t%ebp,28(%esp)\n\txorl\t%edi,%ebp\n\trorl\t$11,%esi\n\tandl\t%ebp,%eax\n\tleal\t4022224774(%ebx,%edx,1),%edx\n\txorl\t%ecx,%esi\n\txorl\t%edi,%eax\n\tmovl\t44(%esp),%ecx\n\trorl\t$2,%esi\n\taddl\t%edx,%eax\n\taddl\t8(%esp),%edx\n\taddl\t%esi,%eax\n\tmovl\t32(%esp),%esi\n\tmovl\t%ecx,%ebx\n\trorl\t$11,%ecx\n\tmovl\t%esi,%edi\n\trorl\t$2,%esi\n\txorl\t%ebx,%ecx\n\tshrl\t$3,%ebx\n\trorl\t$7,%ecx\n\txorl\t%edi,%esi\n\txorl\t%ecx,%ebx\n\trorl\t$17,%esi\n\taddl\t40(%esp),%ebx\n\tshrl\t$10,%edi\n\taddl\t76(%esp),%ebx\n\tmovl\t%edx,%ecx\n\txorl\t%esi,%edi\n\tmovl\t12(%esp),%esi\n\trorl\t$14,%edx\n\taddl\t%edi,%ebx\n\tmovl\t16(%esp),%edi\n\txorl\t%ecx,%edx\n\tmovl\t%ebx,40(%esp)\n\txorl\t%edi,%esi\n\trorl\t$5,%edx\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,8(%esp)\n\txorl\t%ecx,%edx\n\taddl\t20(%esp),%ebx\n\txorl\t%esi,%edi\n\trorl\t$6,%edx\n\tmovl\t%eax,%ecx\n\taddl\t%edi,%ebx\n\trorl\t$9,%ecx\n\tmovl\t%eax,%esi\n\tmovl\t28(%esp),%edi\n\txorl\t%eax,%ecx\n\tmovl\t%eax,24(%esp)\n\txorl\t%edi,%eax\n\trorl\t$11,%ecx\n\tandl\t%eax,%ebp\n\tleal\t264347078(%ebx,%edx,1),%edx\n\txorl\t%esi,%ecx\n\txorl\t%edi,%ebp\n\tmovl\t48(%esp),%esi\n\trorl\t$2,%ecx\n\taddl\t%edx,%ebp\n\taddl\t4(%esp),%edx\n\taddl\t%ecx,%ebp\n\tmovl\t36(%esp),%ecx\n\tmovl\t%esi,%ebx\n\trorl\t$11,%esi\n\tmovl\t%ecx,%edi\n\trorl\t$2,%ecx\n\txorl\t%ebx,%esi\n\tshrl\t$3,%ebx\n\trorl\t$7,%esi\n\txorl\t%edi,%ecx\n\txorl\t%esi,%ebx\n\trorl\t$17,%ecx\n\taddl\t44(%esp),%ebx\n\tshrl\t$10,%edi\n\taddl\t80(%esp),%ebx\n\tmovl\t%edx,%esi\n\txorl\t%ecx,%edi\n\tmovl\t8(%esp),%ecx\n\trorl\t$14,%edx\n\taddl\t%edi,%ebx\n\tmovl\t12(%esp),%edi\n\txorl\t%esi,%edx\n\tmovl\t%ebx,44(%esp)\n\txorl\t%edi,%ecx\n\trorl\t$5,%edx\n\tandl\t%esi,%ecx\n\tmovl\t%esi,4(%esp)\n\txorl\t%esi,%edx\n\taddl\t16(%esp),%ebx\n\txorl\t%ecx,%edi\n\trorl\t$6,%edx\n\tmovl\t%ebp,%esi\n\taddl\t%edi,%ebx\n\trorl\t$9,%esi\n\tmovl\t%ebp,%ecx\n\tmovl\t24(%esp),%edi\n\txorl\t%ebp,%esi\n\tmovl\t%ebp,20(%esp)\n\txorl\t%edi,%ebp\n\trorl\t$11,%esi\n\tandl\t%ebp,%eax\n\tleal\t604807628(%ebx,%edx,1),%edx\n\txorl\t%ecx,%esi\n\txorl\t%edi,%eax\n\tmovl\t52(%esp),%ecx\n\trorl\t$2,%esi\n\taddl\t%edx,%eax\n\taddl\t(%esp),%edx\n\taddl\t%esi,%eax\n\tmovl\t40(%esp),%esi\n\tmovl\t%ecx,%ebx\n\trorl\t$11,%ecx\n\tmovl\t%esi,%edi\n\trorl\t$2,%esi\n\txorl\t%ebx,%ecx\n\tshrl\t$3,%ebx\n\trorl\t$7,%ecx\n\txorl\t%edi,%esi\n\txorl\t%ecx,%ebx\n\trorl\t$17,%esi\n\taddl\t48(%esp),%ebx\n\tshrl\t$10,%edi\n\taddl\t84(%esp),%ebx\n\tmovl\t%edx,%ecx\n\txorl\t%esi,%edi\n\tmovl\t4(%esp),%esi\n\trorl\t$14,%edx\n\taddl\t%edi,%ebx\n\tmovl\t8(%esp),%edi\n\txorl\t%ecx,%edx\n\tmovl\t%ebx,48(%esp)\n\txorl\t%edi,%esi\n\trorl\t$5,%edx\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,(%esp)\n\txorl\t%ecx,%edx\n\taddl\t12(%esp),%ebx\n\txorl\t%esi,%edi\n\trorl\t$6,%edx\n\tmovl\t%eax,%ecx\n\taddl\t%edi,%ebx\n\trorl\t$9,%ecx\n\tmovl\t%eax,%esi\n\tmovl\t20(%esp),%edi\n\txorl\t%eax,%ecx\n\tmovl\t%eax,16(%esp)\n\txorl\t%edi,%eax\n\trorl\t$11,%ecx\n\tandl\t%eax,%ebp\n\tleal\t770255983(%ebx,%edx,1),%edx\n\txorl\t%esi,%ecx\n\txorl\t%edi,%ebp\n\tmovl\t56(%esp),%esi\n\trorl\t$2,%ecx\n\taddl\t%edx,%ebp\n\taddl\t28(%esp),%edx\n\taddl\t%ecx,%ebp\n\tmovl\t44(%esp),%ecx\n\tmovl\t%esi,%ebx\n\trorl\t$11,%esi\n\tmovl\t%ecx,%edi\n\trorl\t$2,%ecx\n\txorl\t%ebx,%esi\n\tshrl\t$3,%ebx\n\trorl\t$7,%esi\n\txorl\t%edi,%ecx\n\txorl\t%esi,%ebx\n\trorl\t$17,%ecx\n\taddl\t52(%esp),%ebx\n\tshrl\t$10,%edi\n\taddl\t88(%esp),%ebx\n\tmovl\t%edx,%esi\n\txorl\t%ecx,%edi\n\tmovl\t(%esp),%ecx\n\trorl\t$14,%edx\n\taddl\t%edi,%ebx\n\tmovl\t4(%esp),%edi\n\txorl\t%esi,%edx\n\tmovl\t%ebx,52(%esp)\n\txorl\t%edi,%ecx\n\trorl\t$5,%edx\n\tandl\t%esi,%ecx\n\tmovl\t%esi,28(%esp)\n\txorl\t%esi,%edx\n\taddl\t8(%esp),%ebx\n\txorl\t%ecx,%edi\n\trorl\t$6,%edx\n\tmovl\t%ebp,%esi\n\taddl\t%edi,%ebx\n\trorl\t$9,%esi\n\tmovl\t%ebp,%ecx\n\tmovl\t16(%esp),%edi\n\txorl\t%ebp,%esi\n\tmovl\t%ebp,12(%esp)\n\txorl\t%edi,%ebp\n\trorl\t$11,%esi\n\tandl\t%ebp,%eax\n\tleal\t1249150122(%ebx,%edx,1),%edx\n\txorl\t%ecx,%esi\n\txorl\t%edi,%eax\n\tmovl\t60(%esp),%ecx\n\trorl\t$2,%esi\n\taddl\t%edx,%eax\n\taddl\t24(%esp),%edx\n\taddl\t%esi,%eax\n\tmovl\t48(%esp),%esi\n\tmovl\t%ecx,%ebx\n\trorl\t$11,%ecx\n\tmovl\t%esi,%edi\n\trorl\t$2,%esi\n\txorl\t%ebx,%ecx\n\tshrl\t$3,%ebx\n\trorl\t$7,%ecx\n\txorl\t%edi,%esi\n\txorl\t%ecx,%ebx\n\trorl\t$17,%esi\n\taddl\t56(%esp),%ebx\n\tshrl\t$10,%edi\n\taddl\t92(%esp),%ebx\n\tmovl\t%edx,%ecx\n\txorl\t%esi,%edi\n\tmovl\t28(%esp),%esi\n\trorl\t$14,%edx\n\taddl\t%edi,%ebx\n\tmovl\t(%esp),%edi\n\txorl\t%ecx,%edx\n\tmovl\t%ebx,56(%esp)\n\txorl\t%edi,%esi\n\trorl\t$5,%edx\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,24(%esp)\n\txorl\t%ecx,%edx\n\taddl\t4(%esp),%ebx\n\txorl\t%esi,%edi\n\trorl\t$6,%edx\n\tmovl\t%eax,%ecx\n\taddl\t%edi,%ebx\n\trorl\t$9,%ecx\n\tmovl\t%eax,%esi\n\tmovl\t12(%esp),%edi\n\txorl\t%eax,%ecx\n\tmovl\t%eax,8(%esp)\n\txorl\t%edi,%eax\n\trorl\t$11,%ecx\n\tandl\t%eax,%ebp\n\tleal\t1555081692(%ebx,%edx,1),%edx\n\txorl\t%esi,%ecx\n\txorl\t%edi,%ebp\n\tmovl\t64(%esp),%esi\n\trorl\t$2,%ecx\n\taddl\t%edx,%ebp\n\taddl\t20(%esp),%edx\n\taddl\t%ecx,%ebp\n\tmovl\t52(%esp),%ecx\n\tmovl\t%esi,%ebx\n\trorl\t$11,%esi\n\tmovl\t%ecx,%edi\n\trorl\t$2,%ecx\n\txorl\t%ebx,%esi\n\tshrl\t$3,%ebx\n\trorl\t$7,%esi\n\txorl\t%edi,%ecx\n\txorl\t%esi,%ebx\n\trorl\t$17,%ecx\n\taddl\t60(%esp),%ebx\n\tshrl\t$10,%edi\n\taddl\t32(%esp),%ebx\n\tmovl\t%edx,%esi\n\txorl\t%ecx,%edi\n\tmovl\t24(%esp),%ecx\n\trorl\t$14,%edx\n\taddl\t%edi,%ebx\n\tmovl\t28(%esp),%edi\n\txorl\t%esi,%edx\n\tmovl\t%ebx,60(%esp)\n\txorl\t%edi,%ecx\n\trorl\t$5,%edx\n\tandl\t%esi,%ecx\n\tmovl\t%esi,20(%esp)\n\txorl\t%esi,%edx\n\taddl\t(%esp),%ebx\n\txorl\t%ecx,%edi\n\trorl\t$6,%edx\n\tmovl\t%ebp,%esi\n\taddl\t%edi,%ebx\n\trorl\t$9,%esi\n\tmovl\t%ebp,%ecx\n\tmovl\t8(%esp),%edi\n\txorl\t%ebp,%esi\n\tmovl\t%ebp,4(%esp)\n\txorl\t%edi,%ebp\n\trorl\t$11,%esi\n\tandl\t%ebp,%eax\n\tleal\t1996064986(%ebx,%edx,1),%edx\n\txorl\t%ecx,%esi\n\txorl\t%edi,%eax\n\tmovl\t68(%esp),%ecx\n\trorl\t$2,%esi\n\taddl\t%edx,%eax\n\taddl\t16(%esp),%edx\n\taddl\t%esi,%eax\n\tmovl\t56(%esp),%esi\n\tmovl\t%ecx,%ebx\n\trorl\t$11,%ecx\n\tmovl\t%esi,%edi\n\trorl\t$2,%esi\n\txorl\t%ebx,%ecx\n\tshrl\t$3,%ebx\n\trorl\t$7,%ecx\n\txorl\t%edi,%esi\n\txorl\t%ecx,%ebx\n\trorl\t$17,%esi\n\taddl\t64(%esp),%ebx\n\tshrl\t$10,%edi\n\taddl\t36(%esp),%ebx\n\tmovl\t%edx,%ecx\n\txorl\t%esi,%edi\n\tmovl\t20(%esp),%esi\n\trorl\t$14,%edx\n\taddl\t%edi,%ebx\n\tmovl\t24(%esp),%edi\n\txorl\t%ecx,%edx\n\tmovl\t%ebx,64(%esp)\n\txorl\t%edi,%esi\n\trorl\t$5,%edx\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,16(%esp)\n\txorl\t%ecx,%edx\n\taddl\t28(%esp),%ebx\n\txorl\t%esi,%edi\n\trorl\t$6,%edx\n\tmovl\t%eax,%ecx\n\taddl\t%edi,%ebx\n\trorl\t$9,%ecx\n\tmovl\t%eax,%esi\n\tmovl\t4(%esp),%edi\n\txorl\t%eax,%ecx\n\tmovl\t%eax,(%esp)\n\txorl\t%edi,%eax\n\trorl\t$11,%ecx\n\tandl\t%eax,%ebp\n\tleal\t2554220882(%ebx,%edx,1),%edx\n\txorl\t%esi,%ecx\n\txorl\t%edi,%ebp\n\tmovl\t72(%esp),%esi\n\trorl\t$2,%ecx\n\taddl\t%edx,%ebp\n\taddl\t12(%esp),%edx\n\taddl\t%ecx,%ebp\n\tmovl\t60(%esp),%ecx\n\tmovl\t%esi,%ebx\n\trorl\t$11,%esi\n\tmovl\t%ecx,%edi\n\trorl\t$2,%ecx\n\txorl\t%ebx,%esi\n\tshrl\t$3,%ebx\n\trorl\t$7,%esi\n\txorl\t%edi,%ecx\n\txorl\t%esi,%ebx\n\trorl\t$17,%ecx\n\taddl\t68(%esp),%ebx\n\tshrl\t$10,%edi\n\taddl\t40(%esp),%ebx\n\tmovl\t%edx,%esi\n\txorl\t%ecx,%edi\n\tmovl\t16(%esp),%ecx\n\trorl\t$14,%edx\n\taddl\t%edi,%ebx\n\tmovl\t20(%esp),%edi\n\txorl\t%esi,%edx\n\tmovl\t%ebx,68(%esp)\n\txorl\t%edi,%ecx\n\trorl\t$5,%edx\n\tandl\t%esi,%ecx\n\tmovl\t%esi,12(%esp)\n\txorl\t%esi,%edx\n\taddl\t24(%esp),%ebx\n\txorl\t%ecx,%edi\n\trorl\t$6,%edx\n\tmovl\t%ebp,%esi\n\taddl\t%edi,%ebx\n\trorl\t$9,%esi\n\tmovl\t%ebp,%ecx\n\tmovl\t(%esp),%edi\n\txorl\t%ebp,%esi\n\tmovl\t%ebp,28(%esp)\n\txorl\t%edi,%ebp\n\trorl\t$11,%esi\n\tandl\t%ebp,%eax\n\tleal\t2821834349(%ebx,%edx,1),%edx\n\txorl\t%ecx,%esi\n\txorl\t%edi,%eax\n\tmovl\t76(%esp),%ecx\n\trorl\t$2,%esi\n\taddl\t%edx,%eax\n\taddl\t8(%esp),%edx\n\taddl\t%esi,%eax\n\tmovl\t64(%esp),%esi\n\tmovl\t%ecx,%ebx\n\trorl\t$11,%ecx\n\tmovl\t%esi,%edi\n\trorl\t$2,%esi\n\txorl\t%ebx,%ecx\n\tshrl\t$3,%ebx\n\trorl\t$7,%ecx\n\txorl\t%edi,%esi\n\txorl\t%ecx,%ebx\n\trorl\t$17,%esi\n\taddl\t72(%esp),%ebx\n\tshrl\t$10,%edi\n\taddl\t44(%esp),%ebx\n\tmovl\t%edx,%ecx\n\txorl\t%esi,%edi\n\tmovl\t12(%esp),%esi\n\trorl\t$14,%edx\n\taddl\t%edi,%ebx\n\tmovl\t16(%esp),%edi\n\txorl\t%ecx,%edx\n\tmovl\t%ebx,72(%esp)\n\txorl\t%edi,%esi\n\trorl\t$5,%edx\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,8(%esp)\n\txorl\t%ecx,%edx\n\taddl\t20(%esp),%ebx\n\txorl\t%esi,%edi\n\trorl\t$6,%edx\n\tmovl\t%eax,%ecx\n\taddl\t%edi,%ebx\n\trorl\t$9,%ecx\n\tmovl\t%eax,%esi\n\tmovl\t28(%esp),%edi\n\txorl\t%eax,%ecx\n\tmovl\t%eax,24(%esp)\n\txorl\t%edi,%eax\n\trorl\t$11,%ecx\n\tandl\t%eax,%ebp\n\tleal\t2952996808(%ebx,%edx,1),%edx\n\txorl\t%esi,%ecx\n\txorl\t%edi,%ebp\n\tmovl\t80(%esp),%esi\n\trorl\t$2,%ecx\n\taddl\t%edx,%ebp\n\taddl\t4(%esp),%edx\n\taddl\t%ecx,%ebp\n\tmovl\t68(%esp),%ecx\n\tmovl\t%esi,%ebx\n\trorl\t$11,%esi\n\tmovl\t%ecx,%edi\n\trorl\t$2,%ecx\n\txorl\t%ebx,%esi\n\tshrl\t$3,%ebx\n\trorl\t$7,%esi\n\txorl\t%edi,%ecx\n\txorl\t%esi,%ebx\n\trorl\t$17,%ecx\n\taddl\t76(%esp),%ebx\n\tshrl\t$10,%edi\n\taddl\t48(%esp),%ebx\n\tmovl\t%edx,%esi\n\txorl\t%ecx,%edi\n\tmovl\t8(%esp),%ecx\n\trorl\t$14,%edx\n\taddl\t%edi,%ebx\n\tmovl\t12(%esp),%edi\n\txorl\t%esi,%edx\n\tmovl\t%ebx,76(%esp)\n\txorl\t%edi,%ecx\n\trorl\t$5,%edx\n\tandl\t%esi,%ecx\n\tmovl\t%esi,4(%esp)\n\txorl\t%esi,%edx\n\taddl\t16(%esp),%ebx\n\txorl\t%ecx,%edi\n\trorl\t$6,%edx\n\tmovl\t%ebp,%esi\n\taddl\t%edi,%ebx\n\trorl\t$9,%esi\n\tmovl\t%ebp,%ecx\n\tmovl\t24(%esp),%edi\n\txorl\t%ebp,%esi\n\tmovl\t%ebp,20(%esp)\n\txorl\t%edi,%ebp\n\trorl\t$11,%esi\n\tandl\t%ebp,%eax\n\tleal\t3210313671(%ebx,%edx,1),%edx\n\txorl\t%ecx,%esi\n\txorl\t%edi,%eax\n\tmovl\t84(%esp),%ecx\n\trorl\t$2,%esi\n\taddl\t%edx,%eax\n\taddl\t(%esp),%edx\n\taddl\t%esi,%eax\n\tmovl\t72(%esp),%esi\n\tmovl\t%ecx,%ebx\n\trorl\t$11,%ecx\n\tmovl\t%esi,%edi\n\trorl\t$2,%esi\n\txorl\t%ebx,%ecx\n\tshrl\t$3,%ebx\n\trorl\t$7,%ecx\n\txorl\t%edi,%esi\n\txorl\t%ecx,%ebx\n\trorl\t$17,%esi\n\taddl\t80(%esp),%ebx\n\tshrl\t$10,%edi\n\taddl\t52(%esp),%ebx\n\tmovl\t%edx,%ecx\n\txorl\t%esi,%edi\n\tmovl\t4(%esp),%esi\n\trorl\t$14,%edx\n\taddl\t%edi,%ebx\n\tmovl\t8(%esp),%edi\n\txorl\t%ecx,%edx\n\tmovl\t%ebx,80(%esp)\n\txorl\t%edi,%esi\n\trorl\t$5,%edx\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,(%esp)\n\txorl\t%ecx,%edx\n\taddl\t12(%esp),%ebx\n\txorl\t%esi,%edi\n\trorl\t$6,%edx\n\tmovl\t%eax,%ecx\n\taddl\t%edi,%ebx\n\trorl\t$9,%ecx\n\tmovl\t%eax,%esi\n\tmovl\t20(%esp),%edi\n\txorl\t%eax,%ecx\n\tmovl\t%eax,16(%esp)\n\txorl\t%edi,%eax\n\trorl\t$11,%ecx\n\tandl\t%eax,%ebp\n\tleal\t3336571891(%ebx,%edx,1),%edx\n\txorl\t%esi,%ecx\n\txorl\t%edi,%ebp\n\tmovl\t88(%esp),%esi\n\trorl\t$2,%ecx\n\taddl\t%edx,%ebp\n\taddl\t28(%esp),%edx\n\taddl\t%ecx,%ebp\n\tmovl\t76(%esp),%ecx\n\tmovl\t%esi,%ebx\n\trorl\t$11,%esi\n\tmovl\t%ecx,%edi\n\trorl\t$2,%ecx\n\txorl\t%ebx,%esi\n\tshrl\t$3,%ebx\n\trorl\t$7,%esi\n\txorl\t%edi,%ecx\n\txorl\t%esi,%ebx\n\trorl\t$17,%ecx\n\taddl\t84(%esp),%ebx\n\tshrl\t$10,%edi\n\taddl\t56(%esp),%ebx\n\tmovl\t%edx,%esi\n\txorl\t%ecx,%edi\n\tmovl\t(%esp),%ecx\n\trorl\t$14,%edx\n\taddl\t%edi,%ebx\n\tmovl\t4(%esp),%edi\n\txorl\t%esi,%edx\n\tmovl\t%ebx,84(%esp)\n\txorl\t%edi,%ecx\n\trorl\t$5,%edx\n\tandl\t%esi,%ecx\n\tmovl\t%esi,28(%esp)\n\txorl\t%esi,%edx\n\taddl\t8(%esp),%ebx\n\txorl\t%ecx,%edi\n\trorl\t$6,%edx\n\tmovl\t%ebp,%esi\n\taddl\t%edi,%ebx\n\trorl\t$9,%esi\n\tmovl\t%ebp,%ecx\n\tmovl\t16(%esp),%edi\n\txorl\t%ebp,%esi\n\tmovl\t%ebp,12(%esp)\n\txorl\t%edi,%ebp\n\trorl\t$11,%esi\n\tandl\t%ebp,%eax\n\tleal\t3584528711(%ebx,%edx,1),%edx\n\txorl\t%ecx,%esi\n\txorl\t%edi,%eax\n\tmovl\t92(%esp),%ecx\n\trorl\t$2,%esi\n\taddl\t%edx,%eax\n\taddl\t24(%esp),%edx\n\taddl\t%esi,%eax\n\tmovl\t80(%esp),%esi\n\tmovl\t%ecx,%ebx\n\trorl\t$11,%ecx\n\tmovl\t%esi,%edi\n\trorl\t$2,%esi\n\txorl\t%ebx,%ecx\n\tshrl\t$3,%ebx\n\trorl\t$7,%ecx\n\txorl\t%edi,%esi\n\txorl\t%ecx,%ebx\n\trorl\t$17,%esi\n\taddl\t88(%esp),%ebx\n\tshrl\t$10,%edi\n\taddl\t60(%esp),%ebx\n\tmovl\t%edx,%ecx\n\txorl\t%esi,%edi\n\tmovl\t28(%esp),%esi\n\trorl\t$14,%edx\n\taddl\t%edi,%ebx\n\tmovl\t(%esp),%edi\n\txorl\t%ecx,%edx\n\tmovl\t%ebx,88(%esp)\n\txorl\t%edi,%esi\n\trorl\t$5,%edx\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,24(%esp)\n\txorl\t%ecx,%edx\n\taddl\t4(%esp),%ebx\n\txorl\t%esi,%edi\n\trorl\t$6,%edx\n\tmovl\t%eax,%ecx\n\taddl\t%edi,%ebx\n\trorl\t$9,%ecx\n\tmovl\t%eax,%esi\n\tmovl\t12(%esp),%edi\n\txorl\t%eax,%ecx\n\tmovl\t%eax,8(%esp)\n\txorl\t%edi,%eax\n\trorl\t$11,%ecx\n\tandl\t%eax,%ebp\n\tleal\t113926993(%ebx,%edx,1),%edx\n\txorl\t%esi,%ecx\n\txorl\t%edi,%ebp\n\tmovl\t32(%esp),%esi\n\trorl\t$2,%ecx\n\taddl\t%edx,%ebp\n\taddl\t20(%esp),%edx\n\taddl\t%ecx,%ebp\n\tmovl\t84(%esp),%ecx\n\tmovl\t%esi,%ebx\n\trorl\t$11,%esi\n\tmovl\t%ecx,%edi\n\trorl\t$2,%ecx\n\txorl\t%ebx,%esi\n\tshrl\t$3,%ebx\n\trorl\t$7,%esi\n\txorl\t%edi,%ecx\n\txorl\t%esi,%ebx\n\trorl\t$17,%ecx\n\taddl\t92(%esp),%ebx\n\tshrl\t$10,%edi\n\taddl\t64(%esp),%ebx\n\tmovl\t%edx,%esi\n\txorl\t%ecx,%edi\n\tmovl\t24(%esp),%ecx\n\trorl\t$14,%edx\n\taddl\t%edi,%ebx\n\tmovl\t28(%esp),%edi\n\txorl\t%esi,%edx\n\tmovl\t%ebx,92(%esp)\n\txorl\t%edi,%ecx\n\trorl\t$5,%edx\n\tandl\t%esi,%ecx\n\tmovl\t%esi,20(%esp)\n\txorl\t%esi,%edx\n\taddl\t(%esp),%ebx\n\txorl\t%ecx,%edi\n\trorl\t$6,%edx\n\tmovl\t%ebp,%esi\n\taddl\t%edi,%ebx\n\trorl\t$9,%esi\n\tmovl\t%ebp,%ecx\n\tmovl\t8(%esp),%edi\n\txorl\t%ebp,%esi\n\tmovl\t%ebp,4(%esp)\n\txorl\t%edi,%ebp\n\trorl\t$11,%esi\n\tandl\t%ebp,%eax\n\tleal\t338241895(%ebx,%edx,1),%edx\n\txorl\t%ecx,%esi\n\txorl\t%edi,%eax\n\tmovl\t36(%esp),%ecx\n\trorl\t$2,%esi\n\taddl\t%edx,%eax\n\taddl\t16(%esp),%edx\n\taddl\t%esi,%eax\n\tmovl\t88(%esp),%esi\n\tmovl\t%ecx,%ebx\n\trorl\t$11,%ecx\n\tmovl\t%esi,%edi\n\trorl\t$2,%esi\n\txorl\t%ebx,%ecx\n\tshrl\t$3,%ebx\n\trorl\t$7,%ecx\n\txorl\t%edi,%esi\n\txorl\t%ecx,%ebx\n\trorl\t$17,%esi\n\taddl\t32(%esp),%ebx\n\tshrl\t$10,%edi\n\taddl\t68(%esp),%ebx\n\tmovl\t%edx,%ecx\n\txorl\t%esi,%edi\n\tmovl\t20(%esp),%esi\n\trorl\t$14,%edx\n\taddl\t%edi,%ebx\n\tmovl\t24(%esp),%edi\n\txorl\t%ecx,%edx\n\tmovl\t%ebx,32(%esp)\n\txorl\t%edi,%esi\n\trorl\t$5,%edx\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,16(%esp)\n\txorl\t%ecx,%edx\n\taddl\t28(%esp),%ebx\n\txorl\t%esi,%edi\n\trorl\t$6,%edx\n\tmovl\t%eax,%ecx\n\taddl\t%edi,%ebx\n\trorl\t$9,%ecx\n\tmovl\t%eax,%esi\n\tmovl\t4(%esp),%edi\n\txorl\t%eax,%ecx\n\tmovl\t%eax,(%esp)\n\txorl\t%edi,%eax\n\trorl\t$11,%ecx\n\tandl\t%eax,%ebp\n\tleal\t666307205(%ebx,%edx,1),%edx\n\txorl\t%esi,%ecx\n\txorl\t%edi,%ebp\n\tmovl\t40(%esp),%esi\n\trorl\t$2,%ecx\n\taddl\t%edx,%ebp\n\taddl\t12(%esp),%edx\n\taddl\t%ecx,%ebp\n\tmovl\t92(%esp),%ecx\n\tmovl\t%esi,%ebx\n\trorl\t$11,%esi\n\tmovl\t%ecx,%edi\n\trorl\t$2,%ecx\n\txorl\t%ebx,%esi\n\tshrl\t$3,%ebx\n\trorl\t$7,%esi\n\txorl\t%edi,%ecx\n\txorl\t%esi,%ebx\n\trorl\t$17,%ecx\n\taddl\t36(%esp),%ebx\n\tshrl\t$10,%edi\n\taddl\t72(%esp),%ebx\n\tmovl\t%edx,%esi\n\txorl\t%ecx,%edi\n\tmovl\t16(%esp),%ecx\n\trorl\t$14,%edx\n\taddl\t%edi,%ebx\n\tmovl\t20(%esp),%edi\n\txorl\t%esi,%edx\n\tmovl\t%ebx,36(%esp)\n\txorl\t%edi,%ecx\n\trorl\t$5,%edx\n\tandl\t%esi,%ecx\n\tmovl\t%esi,12(%esp)\n\txorl\t%esi,%edx\n\taddl\t24(%esp),%ebx\n\txorl\t%ecx,%edi\n\trorl\t$6,%edx\n\tmovl\t%ebp,%esi\n\taddl\t%edi,%ebx\n\trorl\t$9,%esi\n\tmovl\t%ebp,%ecx\n\tmovl\t(%esp),%edi\n\txorl\t%ebp,%esi\n\tmovl\t%ebp,28(%esp)\n\txorl\t%edi,%ebp\n\trorl\t$11,%esi\n\tandl\t%ebp,%eax\n\tleal\t773529912(%ebx,%edx,1),%edx\n\txorl\t%ecx,%esi\n\txorl\t%edi,%eax\n\tmovl\t44(%esp),%ecx\n\trorl\t$2,%esi\n\taddl\t%edx,%eax\n\taddl\t8(%esp),%edx\n\taddl\t%esi,%eax\n\tmovl\t32(%esp),%esi\n\tmovl\t%ecx,%ebx\n\trorl\t$11,%ecx\n\tmovl\t%esi,%edi\n\trorl\t$2,%esi\n\txorl\t%ebx,%ecx\n\tshrl\t$3,%ebx\n\trorl\t$7,%ecx\n\txorl\t%edi,%esi\n\txorl\t%ecx,%ebx\n\trorl\t$17,%esi\n\taddl\t40(%esp),%ebx\n\tshrl\t$10,%edi\n\taddl\t76(%esp),%ebx\n\tmovl\t%edx,%ecx\n\txorl\t%esi,%edi\n\tmovl\t12(%esp),%esi\n\trorl\t$14,%edx\n\taddl\t%edi,%ebx\n\tmovl\t16(%esp),%edi\n\txorl\t%ecx,%edx\n\tmovl\t%ebx,40(%esp)\n\txorl\t%edi,%esi\n\trorl\t$5,%edx\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,8(%esp)\n\txorl\t%ecx,%edx\n\taddl\t20(%esp),%ebx\n\txorl\t%esi,%edi\n\trorl\t$6,%edx\n\tmovl\t%eax,%ecx\n\taddl\t%edi,%ebx\n\trorl\t$9,%ecx\n\tmovl\t%eax,%esi\n\tmovl\t28(%esp),%edi\n\txorl\t%eax,%ecx\n\tmovl\t%eax,24(%esp)\n\txorl\t%edi,%eax\n\trorl\t$11,%ecx\n\tandl\t%eax,%ebp\n\tleal\t1294757372(%ebx,%edx,1),%edx\n\txorl\t%esi,%ecx\n\txorl\t%edi,%ebp\n\tmovl\t48(%esp),%esi\n\trorl\t$2,%ecx\n\taddl\t%edx,%ebp\n\taddl\t4(%esp),%edx\n\taddl\t%ecx,%ebp\n\tmovl\t36(%esp),%ecx\n\tmovl\t%esi,%ebx\n\trorl\t$11,%esi\n\tmovl\t%ecx,%edi\n\trorl\t$2,%ecx\n\txorl\t%ebx,%esi\n\tshrl\t$3,%ebx\n\trorl\t$7,%esi\n\txorl\t%edi,%ecx\n\txorl\t%esi,%ebx\n\trorl\t$17,%ecx\n\taddl\t44(%esp),%ebx\n\tshrl\t$10,%edi\n\taddl\t80(%esp),%ebx\n\tmovl\t%edx,%esi\n\txorl\t%ecx,%edi\n\tmovl\t8(%esp),%ecx\n\trorl\t$14,%edx\n\taddl\t%edi,%ebx\n\tmovl\t12(%esp),%edi\n\txorl\t%esi,%edx\n\tmovl\t%ebx,44(%esp)\n\txorl\t%edi,%ecx\n\trorl\t$5,%edx\n\tandl\t%esi,%ecx\n\tmovl\t%esi,4(%esp)\n\txorl\t%esi,%edx\n\taddl\t16(%esp),%ebx\n\txorl\t%ecx,%edi\n\trorl\t$6,%edx\n\tmovl\t%ebp,%esi\n\taddl\t%edi,%ebx\n\trorl\t$9,%esi\n\tmovl\t%ebp,%ecx\n\tmovl\t24(%esp),%edi\n\txorl\t%ebp,%esi\n\tmovl\t%ebp,20(%esp)\n\txorl\t%edi,%ebp\n\trorl\t$11,%esi\n\tandl\t%ebp,%eax\n\tleal\t1396182291(%ebx,%edx,1),%edx\n\txorl\t%ecx,%esi\n\txorl\t%edi,%eax\n\tmovl\t52(%esp),%ecx\n\trorl\t$2,%esi\n\taddl\t%edx,%eax\n\taddl\t(%esp),%edx\n\taddl\t%esi,%eax\n\tmovl\t40(%esp),%esi\n\tmovl\t%ecx,%ebx\n\trorl\t$11,%ecx\n\tmovl\t%esi,%edi\n\trorl\t$2,%esi\n\txorl\t%ebx,%ecx\n\tshrl\t$3,%ebx\n\trorl\t$7,%ecx\n\txorl\t%edi,%esi\n\txorl\t%ecx,%ebx\n\trorl\t$17,%esi\n\taddl\t48(%esp),%ebx\n\tshrl\t$10,%edi\n\taddl\t84(%esp),%ebx\n\tmovl\t%edx,%ecx\n\txorl\t%esi,%edi\n\tmovl\t4(%esp),%esi\n\trorl\t$14,%edx\n\taddl\t%edi,%ebx\n\tmovl\t8(%esp),%edi\n\txorl\t%ecx,%edx\n\tmovl\t%ebx,48(%esp)\n\txorl\t%edi,%esi\n\trorl\t$5,%edx\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,(%esp)\n\txorl\t%ecx,%edx\n\taddl\t12(%esp),%ebx\n\txorl\t%esi,%edi\n\trorl\t$6,%edx\n\tmovl\t%eax,%ecx\n\taddl\t%edi,%ebx\n\trorl\t$9,%ecx\n\tmovl\t%eax,%esi\n\tmovl\t20(%esp),%edi\n\txorl\t%eax,%ecx\n\tmovl\t%eax,16(%esp)\n\txorl\t%edi,%eax\n\trorl\t$11,%ecx\n\tandl\t%eax,%ebp\n\tleal\t1695183700(%ebx,%edx,1),%edx\n\txorl\t%esi,%ecx\n\txorl\t%edi,%ebp\n\tmovl\t56(%esp),%esi\n\trorl\t$2,%ecx\n\taddl\t%edx,%ebp\n\taddl\t28(%esp),%edx\n\taddl\t%ecx,%ebp\n\tmovl\t44(%esp),%ecx\n\tmovl\t%esi,%ebx\n\trorl\t$11,%esi\n\tmovl\t%ecx,%edi\n\trorl\t$2,%ecx\n\txorl\t%ebx,%esi\n\tshrl\t$3,%ebx\n\trorl\t$7,%esi\n\txorl\t%edi,%ecx\n\txorl\t%esi,%ebx\n\trorl\t$17,%ecx\n\taddl\t52(%esp),%ebx\n\tshrl\t$10,%edi\n\taddl\t88(%esp),%ebx\n\tmovl\t%edx,%esi\n\txorl\t%ecx,%edi\n\tmovl\t(%esp),%ecx\n\trorl\t$14,%edx\n\taddl\t%edi,%ebx\n\tmovl\t4(%esp),%edi\n\txorl\t%esi,%edx\n\tmovl\t%ebx,52(%esp)\n\txorl\t%edi,%ecx\n\trorl\t$5,%edx\n\tandl\t%esi,%ecx\n\tmovl\t%esi,28(%esp)\n\txorl\t%esi,%edx\n\taddl\t8(%esp),%ebx\n\txorl\t%ecx,%edi\n\trorl\t$6,%edx\n\tmovl\t%ebp,%esi\n\taddl\t%edi,%ebx\n\trorl\t$9,%esi\n\tmovl\t%ebp,%ecx\n\tmovl\t16(%esp),%edi\n\txorl\t%ebp,%esi\n\tmovl\t%ebp,12(%esp)\n\txorl\t%edi,%ebp\n\trorl\t$11,%esi\n\tandl\t%ebp,%eax\n\tleal\t1986661051(%ebx,%edx,1),%edx\n\txorl\t%ecx,%esi\n\txorl\t%edi,%eax\n\tmovl\t60(%esp),%ecx\n\trorl\t$2,%esi\n\taddl\t%edx,%eax\n\taddl\t24(%esp),%edx\n\taddl\t%esi,%eax\n\tmovl\t48(%esp),%esi\n\tmovl\t%ecx,%ebx\n\trorl\t$11,%ecx\n\tmovl\t%esi,%edi\n\trorl\t$2,%esi\n\txorl\t%ebx,%ecx\n\tshrl\t$3,%ebx\n\trorl\t$7,%ecx\n\txorl\t%edi,%esi\n\txorl\t%ecx,%ebx\n\trorl\t$17,%esi\n\taddl\t56(%esp),%ebx\n\tshrl\t$10,%edi\n\taddl\t92(%esp),%ebx\n\tmovl\t%edx,%ecx\n\txorl\t%esi,%edi\n\tmovl\t28(%esp),%esi\n\trorl\t$14,%edx\n\taddl\t%edi,%ebx\n\tmovl\t(%esp),%edi\n\txorl\t%ecx,%edx\n\tmovl\t%ebx,56(%esp)\n\txorl\t%edi,%esi\n\trorl\t$5,%edx\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,24(%esp)\n\txorl\t%ecx,%edx\n\taddl\t4(%esp),%ebx\n\txorl\t%esi,%edi\n\trorl\t$6,%edx\n\tmovl\t%eax,%ecx\n\taddl\t%edi,%ebx\n\trorl\t$9,%ecx\n\tmovl\t%eax,%esi\n\tmovl\t12(%esp),%edi\n\txorl\t%eax,%ecx\n\tmovl\t%eax,8(%esp)\n\txorl\t%edi,%eax\n\trorl\t$11,%ecx\n\tandl\t%eax,%ebp\n\tleal\t2177026350(%ebx,%edx,1),%edx\n\txorl\t%esi,%ecx\n\txorl\t%edi,%ebp\n\tmovl\t64(%esp),%esi\n\trorl\t$2,%ecx\n\taddl\t%edx,%ebp\n\taddl\t20(%esp),%edx\n\taddl\t%ecx,%ebp\n\tmovl\t52(%esp),%ecx\n\tmovl\t%esi,%ebx\n\trorl\t$11,%esi\n\tmovl\t%ecx,%edi\n\trorl\t$2,%ecx\n\txorl\t%ebx,%esi\n\tshrl\t$3,%ebx\n\trorl\t$7,%esi\n\txorl\t%edi,%ecx\n\txorl\t%esi,%ebx\n\trorl\t$17,%ecx\n\taddl\t60(%esp),%ebx\n\tshrl\t$10,%edi\n\taddl\t32(%esp),%ebx\n\tmovl\t%edx,%esi\n\txorl\t%ecx,%edi\n\tmovl\t24(%esp),%ecx\n\trorl\t$14,%edx\n\taddl\t%edi,%ebx\n\tmovl\t28(%esp),%edi\n\txorl\t%esi,%edx\n\tmovl\t%ebx,60(%esp)\n\txorl\t%edi,%ecx\n\trorl\t$5,%edx\n\tandl\t%esi,%ecx\n\tmovl\t%esi,20(%esp)\n\txorl\t%esi,%edx\n\taddl\t(%esp),%ebx\n\txorl\t%ecx,%edi\n\trorl\t$6,%edx\n\tmovl\t%ebp,%esi\n\taddl\t%edi,%ebx\n\trorl\t$9,%esi\n\tmovl\t%ebp,%ecx\n\tmovl\t8(%esp),%edi\n\txorl\t%ebp,%esi\n\tmovl\t%ebp,4(%esp)\n\txorl\t%edi,%ebp\n\trorl\t$11,%esi\n\tandl\t%ebp,%eax\n\tleal\t2456956037(%ebx,%edx,1),%edx\n\txorl\t%ecx,%esi\n\txorl\t%edi,%eax\n\tmovl\t68(%esp),%ecx\n\trorl\t$2,%esi\n\taddl\t%edx,%eax\n\taddl\t16(%esp),%edx\n\taddl\t%esi,%eax\n\tmovl\t56(%esp),%esi\n\tmovl\t%ecx,%ebx\n\trorl\t$11,%ecx\n\tmovl\t%esi,%edi\n\trorl\t$2,%esi\n\txorl\t%ebx,%ecx\n\tshrl\t$3,%ebx\n\trorl\t$7,%ecx\n\txorl\t%edi,%esi\n\txorl\t%ecx,%ebx\n\trorl\t$17,%esi\n\taddl\t64(%esp),%ebx\n\tshrl\t$10,%edi\n\taddl\t36(%esp),%ebx\n\tmovl\t%edx,%ecx\n\txorl\t%esi,%edi\n\tmovl\t20(%esp),%esi\n\trorl\t$14,%edx\n\taddl\t%edi,%ebx\n\tmovl\t24(%esp),%edi\n\txorl\t%ecx,%edx\n\tmovl\t%ebx,64(%esp)\n\txorl\t%edi,%esi\n\trorl\t$5,%edx\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,16(%esp)\n\txorl\t%ecx,%edx\n\taddl\t28(%esp),%ebx\n\txorl\t%esi,%edi\n\trorl\t$6,%edx\n\tmovl\t%eax,%ecx\n\taddl\t%edi,%ebx\n\trorl\t$9,%ecx\n\tmovl\t%eax,%esi\n\tmovl\t4(%esp),%edi\n\txorl\t%eax,%ecx\n\tmovl\t%eax,(%esp)\n\txorl\t%edi,%eax\n\trorl\t$11,%ecx\n\tandl\t%eax,%ebp\n\tleal\t2730485921(%ebx,%edx,1),%edx\n\txorl\t%esi,%ecx\n\txorl\t%edi,%ebp\n\tmovl\t72(%esp),%esi\n\trorl\t$2,%ecx\n\taddl\t%edx,%ebp\n\taddl\t12(%esp),%edx\n\taddl\t%ecx,%ebp\n\tmovl\t60(%esp),%ecx\n\tmovl\t%esi,%ebx\n\trorl\t$11,%esi\n\tmovl\t%ecx,%edi\n\trorl\t$2,%ecx\n\txorl\t%ebx,%esi\n\tshrl\t$3,%ebx\n\trorl\t$7,%esi\n\txorl\t%edi,%ecx\n\txorl\t%esi,%ebx\n\trorl\t$17,%ecx\n\taddl\t68(%esp),%ebx\n\tshrl\t$10,%edi\n\taddl\t40(%esp),%ebx\n\tmovl\t%edx,%esi\n\txorl\t%ecx,%edi\n\tmovl\t16(%esp),%ecx\n\trorl\t$14,%edx\n\taddl\t%edi,%ebx\n\tmovl\t20(%esp),%edi\n\txorl\t%esi,%edx\n\tmovl\t%ebx,68(%esp)\n\txorl\t%edi,%ecx\n\trorl\t$5,%edx\n\tandl\t%esi,%ecx\n\tmovl\t%esi,12(%esp)\n\txorl\t%esi,%edx\n\taddl\t24(%esp),%ebx\n\txorl\t%ecx,%edi\n\trorl\t$6,%edx\n\tmovl\t%ebp,%esi\n\taddl\t%edi,%ebx\n\trorl\t$9,%esi\n\tmovl\t%ebp,%ecx\n\tmovl\t(%esp),%edi\n\txorl\t%ebp,%esi\n\tmovl\t%ebp,28(%esp)\n\txorl\t%edi,%ebp\n\trorl\t$11,%esi\n\tandl\t%ebp,%eax\n\tleal\t2820302411(%ebx,%edx,1),%edx\n\txorl\t%ecx,%esi\n\txorl\t%edi,%eax\n\tmovl\t76(%esp),%ecx\n\trorl\t$2,%esi\n\taddl\t%edx,%eax\n\taddl\t8(%esp),%edx\n\taddl\t%esi,%eax\n\tmovl\t64(%esp),%esi\n\tmovl\t%ecx,%ebx\n\trorl\t$11,%ecx\n\tmovl\t%esi,%edi\n\trorl\t$2,%esi\n\txorl\t%ebx,%ecx\n\tshrl\t$3,%ebx\n\trorl\t$7,%ecx\n\txorl\t%edi,%esi\n\txorl\t%ecx,%ebx\n\trorl\t$17,%esi\n\taddl\t72(%esp),%ebx\n\tshrl\t$10,%edi\n\taddl\t44(%esp),%ebx\n\tmovl\t%edx,%ecx\n\txorl\t%esi,%edi\n\tmovl\t12(%esp),%esi\n\trorl\t$14,%edx\n\taddl\t%edi,%ebx\n\tmovl\t16(%esp),%edi\n\txorl\t%ecx,%edx\n\tmovl\t%ebx,72(%esp)\n\txorl\t%edi,%esi\n\trorl\t$5,%edx\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,8(%esp)\n\txorl\t%ecx,%edx\n\taddl\t20(%esp),%ebx\n\txorl\t%esi,%edi\n\trorl\t$6,%edx\n\tmovl\t%eax,%ecx\n\taddl\t%edi,%ebx\n\trorl\t$9,%ecx\n\tmovl\t%eax,%esi\n\tmovl\t28(%esp),%edi\n\txorl\t%eax,%ecx\n\tmovl\t%eax,24(%esp)\n\txorl\t%edi,%eax\n\trorl\t$11,%ecx\n\tandl\t%eax,%ebp\n\tleal\t3259730800(%ebx,%edx,1),%edx\n\txorl\t%esi,%ecx\n\txorl\t%edi,%ebp\n\tmovl\t80(%esp),%esi\n\trorl\t$2,%ecx\n\taddl\t%edx,%ebp\n\taddl\t4(%esp),%edx\n\taddl\t%ecx,%ebp\n\tmovl\t68(%esp),%ecx\n\tmovl\t%esi,%ebx\n\trorl\t$11,%esi\n\tmovl\t%ecx,%edi\n\trorl\t$2,%ecx\n\txorl\t%ebx,%esi\n\tshrl\t$3,%ebx\n\trorl\t$7,%esi\n\txorl\t%edi,%ecx\n\txorl\t%esi,%ebx\n\trorl\t$17,%ecx\n\taddl\t76(%esp),%ebx\n\tshrl\t$10,%edi\n\taddl\t48(%esp),%ebx\n\tmovl\t%edx,%esi\n\txorl\t%ecx,%edi\n\tmovl\t8(%esp),%ecx\n\trorl\t$14,%edx\n\taddl\t%edi,%ebx\n\tmovl\t12(%esp),%edi\n\txorl\t%esi,%edx\n\tmovl\t%ebx,76(%esp)\n\txorl\t%edi,%ecx\n\trorl\t$5,%edx\n\tandl\t%esi,%ecx\n\tmovl\t%esi,4(%esp)\n\txorl\t%esi,%edx\n\taddl\t16(%esp),%ebx\n\txorl\t%ecx,%edi\n\trorl\t$6,%edx\n\tmovl\t%ebp,%esi\n\taddl\t%edi,%ebx\n\trorl\t$9,%esi\n\tmovl\t%ebp,%ecx\n\tmovl\t24(%esp),%edi\n\txorl\t%ebp,%esi\n\tmovl\t%ebp,20(%esp)\n\txorl\t%edi,%ebp\n\trorl\t$11,%esi\n\tandl\t%ebp,%eax\n\tleal\t3345764771(%ebx,%edx,1),%edx\n\txorl\t%ecx,%esi\n\txorl\t%edi,%eax\n\tmovl\t84(%esp),%ecx\n\trorl\t$2,%esi\n\taddl\t%edx,%eax\n\taddl\t(%esp),%edx\n\taddl\t%esi,%eax\n\tmovl\t72(%esp),%esi\n\tmovl\t%ecx,%ebx\n\trorl\t$11,%ecx\n\tmovl\t%esi,%edi\n\trorl\t$2,%esi\n\txorl\t%ebx,%ecx\n\tshrl\t$3,%ebx\n\trorl\t$7,%ecx\n\txorl\t%edi,%esi\n\txorl\t%ecx,%ebx\n\trorl\t$17,%esi\n\taddl\t80(%esp),%ebx\n\tshrl\t$10,%edi\n\taddl\t52(%esp),%ebx\n\tmovl\t%edx,%ecx\n\txorl\t%esi,%edi\n\tmovl\t4(%esp),%esi\n\trorl\t$14,%edx\n\taddl\t%edi,%ebx\n\tmovl\t8(%esp),%edi\n\txorl\t%ecx,%edx\n\tmovl\t%ebx,80(%esp)\n\txorl\t%edi,%esi\n\trorl\t$5,%edx\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,(%esp)\n\txorl\t%ecx,%edx\n\taddl\t12(%esp),%ebx\n\txorl\t%esi,%edi\n\trorl\t$6,%edx\n\tmovl\t%eax,%ecx\n\taddl\t%edi,%ebx\n\trorl\t$9,%ecx\n\tmovl\t%eax,%esi\n\tmovl\t20(%esp),%edi\n\txorl\t%eax,%ecx\n\tmovl\t%eax,16(%esp)\n\txorl\t%edi,%eax\n\trorl\t$11,%ecx\n\tandl\t%eax,%ebp\n\tleal\t3516065817(%ebx,%edx,1),%edx\n\txorl\t%esi,%ecx\n\txorl\t%edi,%ebp\n\tmovl\t88(%esp),%esi\n\trorl\t$2,%ecx\n\taddl\t%edx,%ebp\n\taddl\t28(%esp),%edx\n\taddl\t%ecx,%ebp\n\tmovl\t76(%esp),%ecx\n\tmovl\t%esi,%ebx\n\trorl\t$11,%esi\n\tmovl\t%ecx,%edi\n\trorl\t$2,%ecx\n\txorl\t%ebx,%esi\n\tshrl\t$3,%ebx\n\trorl\t$7,%esi\n\txorl\t%edi,%ecx\n\txorl\t%esi,%ebx\n\trorl\t$17,%ecx\n\taddl\t84(%esp),%ebx\n\tshrl\t$10,%edi\n\taddl\t56(%esp),%ebx\n\tmovl\t%edx,%esi\n\txorl\t%ecx,%edi\n\tmovl\t(%esp),%ecx\n\trorl\t$14,%edx\n\taddl\t%edi,%ebx\n\tmovl\t4(%esp),%edi\n\txorl\t%esi,%edx\n\tmovl\t%ebx,84(%esp)\n\txorl\t%edi,%ecx\n\trorl\t$5,%edx\n\tandl\t%esi,%ecx\n\tmovl\t%esi,28(%esp)\n\txorl\t%esi,%edx\n\taddl\t8(%esp),%ebx\n\txorl\t%ecx,%edi\n\trorl\t$6,%edx\n\tmovl\t%ebp,%esi\n\taddl\t%edi,%ebx\n\trorl\t$9,%esi\n\tmovl\t%ebp,%ecx\n\tmovl\t16(%esp),%edi\n\txorl\t%ebp,%esi\n\tmovl\t%ebp,12(%esp)\n\txorl\t%edi,%ebp\n\trorl\t$11,%esi\n\tandl\t%ebp,%eax\n\tleal\t3600352804(%ebx,%edx,1),%edx\n\txorl\t%ecx,%esi\n\txorl\t%edi,%eax\n\tmovl\t92(%esp),%ecx\n\trorl\t$2,%esi\n\taddl\t%edx,%eax\n\taddl\t24(%esp),%edx\n\taddl\t%esi,%eax\n\tmovl\t80(%esp),%esi\n\tmovl\t%ecx,%ebx\n\trorl\t$11,%ecx\n\tmovl\t%esi,%edi\n\trorl\t$2,%esi\n\txorl\t%ebx,%ecx\n\tshrl\t$3,%ebx\n\trorl\t$7,%ecx\n\txorl\t%edi,%esi\n\txorl\t%ecx,%ebx\n\trorl\t$17,%esi\n\taddl\t88(%esp),%ebx\n\tshrl\t$10,%edi\n\taddl\t60(%esp),%ebx\n\tmovl\t%edx,%ecx\n\txorl\t%esi,%edi\n\tmovl\t28(%esp),%esi\n\trorl\t$14,%edx\n\taddl\t%edi,%ebx\n\tmovl\t(%esp),%edi\n\txorl\t%ecx,%edx\n\tmovl\t%ebx,88(%esp)\n\txorl\t%edi,%esi\n\trorl\t$5,%edx\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,24(%esp)\n\txorl\t%ecx,%edx\n\taddl\t4(%esp),%ebx\n\txorl\t%esi,%edi\n\trorl\t$6,%edx\n\tmovl\t%eax,%ecx\n\taddl\t%edi,%ebx\n\trorl\t$9,%ecx\n\tmovl\t%eax,%esi\n\tmovl\t12(%esp),%edi\n\txorl\t%eax,%ecx\n\tmovl\t%eax,8(%esp)\n\txorl\t%edi,%eax\n\trorl\t$11,%ecx\n\tandl\t%eax,%ebp\n\tleal\t4094571909(%ebx,%edx,1),%edx\n\txorl\t%esi,%ecx\n\txorl\t%edi,%ebp\n\tmovl\t32(%esp),%esi\n\trorl\t$2,%ecx\n\taddl\t%edx,%ebp\n\taddl\t20(%esp),%edx\n\taddl\t%ecx,%ebp\n\tmovl\t84(%esp),%ecx\n\tmovl\t%esi,%ebx\n\trorl\t$11,%esi\n\tmovl\t%ecx,%edi\n\trorl\t$2,%ecx\n\txorl\t%ebx,%esi\n\tshrl\t$3,%ebx\n\trorl\t$7,%esi\n\txorl\t%edi,%ecx\n\txorl\t%esi,%ebx\n\trorl\t$17,%ecx\n\taddl\t92(%esp),%ebx\n\tshrl\t$10,%edi\n\taddl\t64(%esp),%ebx\n\tmovl\t%edx,%esi\n\txorl\t%ecx,%edi\n\tmovl\t24(%esp),%ecx\n\trorl\t$14,%edx\n\taddl\t%edi,%ebx\n\tmovl\t28(%esp),%edi\n\txorl\t%esi,%edx\n\tmovl\t%ebx,92(%esp)\n\txorl\t%edi,%ecx\n\trorl\t$5,%edx\n\tandl\t%esi,%ecx\n\tmovl\t%esi,20(%esp)\n\txorl\t%esi,%edx\n\taddl\t(%esp),%ebx\n\txorl\t%ecx,%edi\n\trorl\t$6,%edx\n\tmovl\t%ebp,%esi\n\taddl\t%edi,%ebx\n\trorl\t$9,%esi\n\tmovl\t%ebp,%ecx\n\tmovl\t8(%esp),%edi\n\txorl\t%ebp,%esi\n\tmovl\t%ebp,4(%esp)\n\txorl\t%edi,%ebp\n\trorl\t$11,%esi\n\tandl\t%ebp,%eax\n\tleal\t275423344(%ebx,%edx,1),%edx\n\txorl\t%ecx,%esi\n\txorl\t%edi,%eax\n\tmovl\t36(%esp),%ecx\n\trorl\t$2,%esi\n\taddl\t%edx,%eax\n\taddl\t16(%esp),%edx\n\taddl\t%esi,%eax\n\tmovl\t88(%esp),%esi\n\tmovl\t%ecx,%ebx\n\trorl\t$11,%ecx\n\tmovl\t%esi,%edi\n\trorl\t$2,%esi\n\txorl\t%ebx,%ecx\n\tshrl\t$3,%ebx\n\trorl\t$7,%ecx\n\txorl\t%edi,%esi\n\txorl\t%ecx,%ebx\n\trorl\t$17,%esi\n\taddl\t32(%esp),%ebx\n\tshrl\t$10,%edi\n\taddl\t68(%esp),%ebx\n\tmovl\t%edx,%ecx\n\txorl\t%esi,%edi\n\tmovl\t20(%esp),%esi\n\trorl\t$14,%edx\n\taddl\t%edi,%ebx\n\tmovl\t24(%esp),%edi\n\txorl\t%ecx,%edx\n\tmovl\t%ebx,32(%esp)\n\txorl\t%edi,%esi\n\trorl\t$5,%edx\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,16(%esp)\n\txorl\t%ecx,%edx\n\taddl\t28(%esp),%ebx\n\txorl\t%esi,%edi\n\trorl\t$6,%edx\n\tmovl\t%eax,%ecx\n\taddl\t%edi,%ebx\n\trorl\t$9,%ecx\n\tmovl\t%eax,%esi\n\tmovl\t4(%esp),%edi\n\txorl\t%eax,%ecx\n\tmovl\t%eax,(%esp)\n\txorl\t%edi,%eax\n\trorl\t$11,%ecx\n\tandl\t%eax,%ebp\n\tleal\t430227734(%ebx,%edx,1),%edx\n\txorl\t%esi,%ecx\n\txorl\t%edi,%ebp\n\tmovl\t40(%esp),%esi\n\trorl\t$2,%ecx\n\taddl\t%edx,%ebp\n\taddl\t12(%esp),%edx\n\taddl\t%ecx,%ebp\n\tmovl\t92(%esp),%ecx\n\tmovl\t%esi,%ebx\n\trorl\t$11,%esi\n\tmovl\t%ecx,%edi\n\trorl\t$2,%ecx\n\txorl\t%ebx,%esi\n\tshrl\t$3,%ebx\n\trorl\t$7,%esi\n\txorl\t%edi,%ecx\n\txorl\t%esi,%ebx\n\trorl\t$17,%ecx\n\taddl\t36(%esp),%ebx\n\tshrl\t$10,%edi\n\taddl\t72(%esp),%ebx\n\tmovl\t%edx,%esi\n\txorl\t%ecx,%edi\n\tmovl\t16(%esp),%ecx\n\trorl\t$14,%edx\n\taddl\t%edi,%ebx\n\tmovl\t20(%esp),%edi\n\txorl\t%esi,%edx\n\tmovl\t%ebx,36(%esp)\n\txorl\t%edi,%ecx\n\trorl\t$5,%edx\n\tandl\t%esi,%ecx\n\tmovl\t%esi,12(%esp)\n\txorl\t%esi,%edx\n\taddl\t24(%esp),%ebx\n\txorl\t%ecx,%edi\n\trorl\t$6,%edx\n\tmovl\t%ebp,%esi\n\taddl\t%edi,%ebx\n\trorl\t$9,%esi\n\tmovl\t%ebp,%ecx\n\tmovl\t(%esp),%edi\n\txorl\t%ebp,%esi\n\tmovl\t%ebp,28(%esp)\n\txorl\t%edi,%ebp\n\trorl\t$11,%esi\n\tandl\t%ebp,%eax\n\tleal\t506948616(%ebx,%edx,1),%edx\n\txorl\t%ecx,%esi\n\txorl\t%edi,%eax\n\tmovl\t44(%esp),%ecx\n\trorl\t$2,%esi\n\taddl\t%edx,%eax\n\taddl\t8(%esp),%edx\n\taddl\t%esi,%eax\n\tmovl\t32(%esp),%esi\n\tmovl\t%ecx,%ebx\n\trorl\t$11,%ecx\n\tmovl\t%esi,%edi\n\trorl\t$2,%esi\n\txorl\t%ebx,%ecx\n\tshrl\t$3,%ebx\n\trorl\t$7,%ecx\n\txorl\t%edi,%esi\n\txorl\t%ecx,%ebx\n\trorl\t$17,%esi\n\taddl\t40(%esp),%ebx\n\tshrl\t$10,%edi\n\taddl\t76(%esp),%ebx\n\tmovl\t%edx,%ecx\n\txorl\t%esi,%edi\n\tmovl\t12(%esp),%esi\n\trorl\t$14,%edx\n\taddl\t%edi,%ebx\n\tmovl\t16(%esp),%edi\n\txorl\t%ecx,%edx\n\tmovl\t%ebx,40(%esp)\n\txorl\t%edi,%esi\n\trorl\t$5,%edx\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,8(%esp)\n\txorl\t%ecx,%edx\n\taddl\t20(%esp),%ebx\n\txorl\t%esi,%edi\n\trorl\t$6,%edx\n\tmovl\t%eax,%ecx\n\taddl\t%edi,%ebx\n\trorl\t$9,%ecx\n\tmovl\t%eax,%esi\n\tmovl\t28(%esp),%edi\n\txorl\t%eax,%ecx\n\tmovl\t%eax,24(%esp)\n\txorl\t%edi,%eax\n\trorl\t$11,%ecx\n\tandl\t%eax,%ebp\n\tleal\t659060556(%ebx,%edx,1),%edx\n\txorl\t%esi,%ecx\n\txorl\t%edi,%ebp\n\tmovl\t48(%esp),%esi\n\trorl\t$2,%ecx\n\taddl\t%edx,%ebp\n\taddl\t4(%esp),%edx\n\taddl\t%ecx,%ebp\n\tmovl\t36(%esp),%ecx\n\tmovl\t%esi,%ebx\n\trorl\t$11,%esi\n\tmovl\t%ecx,%edi\n\trorl\t$2,%ecx\n\txorl\t%ebx,%esi\n\tshrl\t$3,%ebx\n\trorl\t$7,%esi\n\txorl\t%edi,%ecx\n\txorl\t%esi,%ebx\n\trorl\t$17,%ecx\n\taddl\t44(%esp),%ebx\n\tshrl\t$10,%edi\n\taddl\t80(%esp),%ebx\n\tmovl\t%edx,%esi\n\txorl\t%ecx,%edi\n\tmovl\t8(%esp),%ecx\n\trorl\t$14,%edx\n\taddl\t%edi,%ebx\n\tmovl\t12(%esp),%edi\n\txorl\t%esi,%edx\n\tmovl\t%ebx,44(%esp)\n\txorl\t%edi,%ecx\n\trorl\t$5,%edx\n\tandl\t%esi,%ecx\n\tmovl\t%esi,4(%esp)\n\txorl\t%esi,%edx\n\taddl\t16(%esp),%ebx\n\txorl\t%ecx,%edi\n\trorl\t$6,%edx\n\tmovl\t%ebp,%esi\n\taddl\t%edi,%ebx\n\trorl\t$9,%esi\n\tmovl\t%ebp,%ecx\n\tmovl\t24(%esp),%edi\n\txorl\t%ebp,%esi\n\tmovl\t%ebp,20(%esp)\n\txorl\t%edi,%ebp\n\trorl\t$11,%esi\n\tandl\t%ebp,%eax\n\tleal\t883997877(%ebx,%edx,1),%edx\n\txorl\t%ecx,%esi\n\txorl\t%edi,%eax\n\tmovl\t52(%esp),%ecx\n\trorl\t$2,%esi\n\taddl\t%edx,%eax\n\taddl\t(%esp),%edx\n\taddl\t%esi,%eax\n\tmovl\t40(%esp),%esi\n\tmovl\t%ecx,%ebx\n\trorl\t$11,%ecx\n\tmovl\t%esi,%edi\n\trorl\t$2,%esi\n\txorl\t%ebx,%ecx\n\tshrl\t$3,%ebx\n\trorl\t$7,%ecx\n\txorl\t%edi,%esi\n\txorl\t%ecx,%ebx\n\trorl\t$17,%esi\n\taddl\t48(%esp),%ebx\n\tshrl\t$10,%edi\n\taddl\t84(%esp),%ebx\n\tmovl\t%edx,%ecx\n\txorl\t%esi,%edi\n\tmovl\t4(%esp),%esi\n\trorl\t$14,%edx\n\taddl\t%edi,%ebx\n\tmovl\t8(%esp),%edi\n\txorl\t%ecx,%edx\n\tmovl\t%ebx,48(%esp)\n\txorl\t%edi,%esi\n\trorl\t$5,%edx\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,(%esp)\n\txorl\t%ecx,%edx\n\taddl\t12(%esp),%ebx\n\txorl\t%esi,%edi\n\trorl\t$6,%edx\n\tmovl\t%eax,%ecx\n\taddl\t%edi,%ebx\n\trorl\t$9,%ecx\n\tmovl\t%eax,%esi\n\tmovl\t20(%esp),%edi\n\txorl\t%eax,%ecx\n\tmovl\t%eax,16(%esp)\n\txorl\t%edi,%eax\n\trorl\t$11,%ecx\n\tandl\t%eax,%ebp\n\tleal\t958139571(%ebx,%edx,1),%edx\n\txorl\t%esi,%ecx\n\txorl\t%edi,%ebp\n\tmovl\t56(%esp),%esi\n\trorl\t$2,%ecx\n\taddl\t%edx,%ebp\n\taddl\t28(%esp),%edx\n\taddl\t%ecx,%ebp\n\tmovl\t44(%esp),%ecx\n\tmovl\t%esi,%ebx\n\trorl\t$11,%esi\n\tmovl\t%ecx,%edi\n\trorl\t$2,%ecx\n\txorl\t%ebx,%esi\n\tshrl\t$3,%ebx\n\trorl\t$7,%esi\n\txorl\t%edi,%ecx\n\txorl\t%esi,%ebx\n\trorl\t$17,%ecx\n\taddl\t52(%esp),%ebx\n\tshrl\t$10,%edi\n\taddl\t88(%esp),%ebx\n\tmovl\t%edx,%esi\n\txorl\t%ecx,%edi\n\tmovl\t(%esp),%ecx\n\trorl\t$14,%edx\n\taddl\t%edi,%ebx\n\tmovl\t4(%esp),%edi\n\txorl\t%esi,%edx\n\tmovl\t%ebx,52(%esp)\n\txorl\t%edi,%ecx\n\trorl\t$5,%edx\n\tandl\t%esi,%ecx\n\tmovl\t%esi,28(%esp)\n\txorl\t%esi,%edx\n\taddl\t8(%esp),%ebx\n\txorl\t%ecx,%edi\n\trorl\t$6,%edx\n\tmovl\t%ebp,%esi\n\taddl\t%edi,%ebx\n\trorl\t$9,%esi\n\tmovl\t%ebp,%ecx\n\tmovl\t16(%esp),%edi\n\txorl\t%ebp,%esi\n\tmovl\t%ebp,12(%esp)\n\txorl\t%edi,%ebp\n\trorl\t$11,%esi\n\tandl\t%ebp,%eax\n\tleal\t1322822218(%ebx,%edx,1),%edx\n\txorl\t%ecx,%esi\n\txorl\t%edi,%eax\n\tmovl\t60(%esp),%ecx\n\trorl\t$2,%esi\n\taddl\t%edx,%eax\n\taddl\t24(%esp),%edx\n\taddl\t%esi,%eax\n\tmovl\t48(%esp),%esi\n\tmovl\t%ecx,%ebx\n\trorl\t$11,%ecx\n\tmovl\t%esi,%edi\n\trorl\t$2,%esi\n\txorl\t%ebx,%ecx\n\tshrl\t$3,%ebx\n\trorl\t$7,%ecx\n\txorl\t%edi,%esi\n\txorl\t%ecx,%ebx\n\trorl\t$17,%esi\n\taddl\t56(%esp),%ebx\n\tshrl\t$10,%edi\n\taddl\t92(%esp),%ebx\n\tmovl\t%edx,%ecx\n\txorl\t%esi,%edi\n\tmovl\t28(%esp),%esi\n\trorl\t$14,%edx\n\taddl\t%edi,%ebx\n\tmovl\t(%esp),%edi\n\txorl\t%ecx,%edx\n\tmovl\t%ebx,56(%esp)\n\txorl\t%edi,%esi\n\trorl\t$5,%edx\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,24(%esp)\n\txorl\t%ecx,%edx\n\taddl\t4(%esp),%ebx\n\txorl\t%esi,%edi\n\trorl\t$6,%edx\n\tmovl\t%eax,%ecx\n\taddl\t%edi,%ebx\n\trorl\t$9,%ecx\n\tmovl\t%eax,%esi\n\tmovl\t12(%esp),%edi\n\txorl\t%eax,%ecx\n\tmovl\t%eax,8(%esp)\n\txorl\t%edi,%eax\n\trorl\t$11,%ecx\n\tandl\t%eax,%ebp\n\tleal\t1537002063(%ebx,%edx,1),%edx\n\txorl\t%esi,%ecx\n\txorl\t%edi,%ebp\n\tmovl\t64(%esp),%esi\n\trorl\t$2,%ecx\n\taddl\t%edx,%ebp\n\taddl\t20(%esp),%edx\n\taddl\t%ecx,%ebp\n\tmovl\t52(%esp),%ecx\n\tmovl\t%esi,%ebx\n\trorl\t$11,%esi\n\tmovl\t%ecx,%edi\n\trorl\t$2,%ecx\n\txorl\t%ebx,%esi\n\tshrl\t$3,%ebx\n\trorl\t$7,%esi\n\txorl\t%edi,%ecx\n\txorl\t%esi,%ebx\n\trorl\t$17,%ecx\n\taddl\t60(%esp),%ebx\n\tshrl\t$10,%edi\n\taddl\t32(%esp),%ebx\n\tmovl\t%edx,%esi\n\txorl\t%ecx,%edi\n\tmovl\t24(%esp),%ecx\n\trorl\t$14,%edx\n\taddl\t%edi,%ebx\n\tmovl\t28(%esp),%edi\n\txorl\t%esi,%edx\n\tmovl\t%ebx,60(%esp)\n\txorl\t%edi,%ecx\n\trorl\t$5,%edx\n\tandl\t%esi,%ecx\n\tmovl\t%esi,20(%esp)\n\txorl\t%esi,%edx\n\taddl\t(%esp),%ebx\n\txorl\t%ecx,%edi\n\trorl\t$6,%edx\n\tmovl\t%ebp,%esi\n\taddl\t%edi,%ebx\n\trorl\t$9,%esi\n\tmovl\t%ebp,%ecx\n\tmovl\t8(%esp),%edi\n\txorl\t%ebp,%esi\n\tmovl\t%ebp,4(%esp)\n\txorl\t%edi,%ebp\n\trorl\t$11,%esi\n\tandl\t%ebp,%eax\n\tleal\t1747873779(%ebx,%edx,1),%edx\n\txorl\t%ecx,%esi\n\txorl\t%edi,%eax\n\tmovl\t68(%esp),%ecx\n\trorl\t$2,%esi\n\taddl\t%edx,%eax\n\taddl\t16(%esp),%edx\n\taddl\t%esi,%eax\n\tmovl\t56(%esp),%esi\n\tmovl\t%ecx,%ebx\n\trorl\t$11,%ecx\n\tmovl\t%esi,%edi\n\trorl\t$2,%esi\n\txorl\t%ebx,%ecx\n\tshrl\t$3,%ebx\n\trorl\t$7,%ecx\n\txorl\t%edi,%esi\n\txorl\t%ecx,%ebx\n\trorl\t$17,%esi\n\taddl\t64(%esp),%ebx\n\tshrl\t$10,%edi\n\taddl\t36(%esp),%ebx\n\tmovl\t%edx,%ecx\n\txorl\t%esi,%edi\n\tmovl\t20(%esp),%esi\n\trorl\t$14,%edx\n\taddl\t%edi,%ebx\n\tmovl\t24(%esp),%edi\n\txorl\t%ecx,%edx\n\tmovl\t%ebx,64(%esp)\n\txorl\t%edi,%esi\n\trorl\t$5,%edx\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,16(%esp)\n\txorl\t%ecx,%edx\n\taddl\t28(%esp),%ebx\n\txorl\t%esi,%edi\n\trorl\t$6,%edx\n\tmovl\t%eax,%ecx\n\taddl\t%edi,%ebx\n\trorl\t$9,%ecx\n\tmovl\t%eax,%esi\n\tmovl\t4(%esp),%edi\n\txorl\t%eax,%ecx\n\tmovl\t%eax,(%esp)\n\txorl\t%edi,%eax\n\trorl\t$11,%ecx\n\tandl\t%eax,%ebp\n\tleal\t1955562222(%ebx,%edx,1),%edx\n\txorl\t%esi,%ecx\n\txorl\t%edi,%ebp\n\tmovl\t72(%esp),%esi\n\trorl\t$2,%ecx\n\taddl\t%edx,%ebp\n\taddl\t12(%esp),%edx\n\taddl\t%ecx,%ebp\n\tmovl\t60(%esp),%ecx\n\tmovl\t%esi,%ebx\n\trorl\t$11,%esi\n\tmovl\t%ecx,%edi\n\trorl\t$2,%ecx\n\txorl\t%ebx,%esi\n\tshrl\t$3,%ebx\n\trorl\t$7,%esi\n\txorl\t%edi,%ecx\n\txorl\t%esi,%ebx\n\trorl\t$17,%ecx\n\taddl\t68(%esp),%ebx\n\tshrl\t$10,%edi\n\taddl\t40(%esp),%ebx\n\tmovl\t%edx,%esi\n\txorl\t%ecx,%edi\n\tmovl\t16(%esp),%ecx\n\trorl\t$14,%edx\n\taddl\t%edi,%ebx\n\tmovl\t20(%esp),%edi\n\txorl\t%esi,%edx\n\tmovl\t%ebx,68(%esp)\n\txorl\t%edi,%ecx\n\trorl\t$5,%edx\n\tandl\t%esi,%ecx\n\tmovl\t%esi,12(%esp)\n\txorl\t%esi,%edx\n\taddl\t24(%esp),%ebx\n\txorl\t%ecx,%edi\n\trorl\t$6,%edx\n\tmovl\t%ebp,%esi\n\taddl\t%edi,%ebx\n\trorl\t$9,%esi\n\tmovl\t%ebp,%ecx\n\tmovl\t(%esp),%edi\n\txorl\t%ebp,%esi\n\tmovl\t%ebp,28(%esp)\n\txorl\t%edi,%ebp\n\trorl\t$11,%esi\n\tandl\t%ebp,%eax\n\tleal\t2024104815(%ebx,%edx,1),%edx\n\txorl\t%ecx,%esi\n\txorl\t%edi,%eax\n\tmovl\t76(%esp),%ecx\n\trorl\t$2,%esi\n\taddl\t%edx,%eax\n\taddl\t8(%esp),%edx\n\taddl\t%esi,%eax\n\tmovl\t64(%esp),%esi\n\tmovl\t%ecx,%ebx\n\trorl\t$11,%ecx\n\tmovl\t%esi,%edi\n\trorl\t$2,%esi\n\txorl\t%ebx,%ecx\n\tshrl\t$3,%ebx\n\trorl\t$7,%ecx\n\txorl\t%edi,%esi\n\txorl\t%ecx,%ebx\n\trorl\t$17,%esi\n\taddl\t72(%esp),%ebx\n\tshrl\t$10,%edi\n\taddl\t44(%esp),%ebx\n\tmovl\t%edx,%ecx\n\txorl\t%esi,%edi\n\tmovl\t12(%esp),%esi\n\trorl\t$14,%edx\n\taddl\t%edi,%ebx\n\tmovl\t16(%esp),%edi\n\txorl\t%ecx,%edx\n\tmovl\t%ebx,72(%esp)\n\txorl\t%edi,%esi\n\trorl\t$5,%edx\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,8(%esp)\n\txorl\t%ecx,%edx\n\taddl\t20(%esp),%ebx\n\txorl\t%esi,%edi\n\trorl\t$6,%edx\n\tmovl\t%eax,%ecx\n\taddl\t%edi,%ebx\n\trorl\t$9,%ecx\n\tmovl\t%eax,%esi\n\tmovl\t28(%esp),%edi\n\txorl\t%eax,%ecx\n\tmovl\t%eax,24(%esp)\n\txorl\t%edi,%eax\n\trorl\t$11,%ecx\n\tandl\t%eax,%ebp\n\tleal\t2227730452(%ebx,%edx,1),%edx\n\txorl\t%esi,%ecx\n\txorl\t%edi,%ebp\n\tmovl\t80(%esp),%esi\n\trorl\t$2,%ecx\n\taddl\t%edx,%ebp\n\taddl\t4(%esp),%edx\n\taddl\t%ecx,%ebp\n\tmovl\t68(%esp),%ecx\n\tmovl\t%esi,%ebx\n\trorl\t$11,%esi\n\tmovl\t%ecx,%edi\n\trorl\t$2,%ecx\n\txorl\t%ebx,%esi\n\tshrl\t$3,%ebx\n\trorl\t$7,%esi\n\txorl\t%edi,%ecx\n\txorl\t%esi,%ebx\n\trorl\t$17,%ecx\n\taddl\t76(%esp),%ebx\n\tshrl\t$10,%edi\n\taddl\t48(%esp),%ebx\n\tmovl\t%edx,%esi\n\txorl\t%ecx,%edi\n\tmovl\t8(%esp),%ecx\n\trorl\t$14,%edx\n\taddl\t%edi,%ebx\n\tmovl\t12(%esp),%edi\n\txorl\t%esi,%edx\n\tmovl\t%ebx,76(%esp)\n\txorl\t%edi,%ecx\n\trorl\t$5,%edx\n\tandl\t%esi,%ecx\n\tmovl\t%esi,4(%esp)\n\txorl\t%esi,%edx\n\taddl\t16(%esp),%ebx\n\txorl\t%ecx,%edi\n\trorl\t$6,%edx\n\tmovl\t%ebp,%esi\n\taddl\t%edi,%ebx\n\trorl\t$9,%esi\n\tmovl\t%ebp,%ecx\n\tmovl\t24(%esp),%edi\n\txorl\t%ebp,%esi\n\tmovl\t%ebp,20(%esp)\n\txorl\t%edi,%ebp\n\trorl\t$11,%esi\n\tandl\t%ebp,%eax\n\tleal\t2361852424(%ebx,%edx,1),%edx\n\txorl\t%ecx,%esi\n\txorl\t%edi,%eax\n\tmovl\t84(%esp),%ecx\n\trorl\t$2,%esi\n\taddl\t%edx,%eax\n\taddl\t(%esp),%edx\n\taddl\t%esi,%eax\n\tmovl\t72(%esp),%esi\n\tmovl\t%ecx,%ebx\n\trorl\t$11,%ecx\n\tmovl\t%esi,%edi\n\trorl\t$2,%esi\n\txorl\t%ebx,%ecx\n\tshrl\t$3,%ebx\n\trorl\t$7,%ecx\n\txorl\t%edi,%esi\n\txorl\t%ecx,%ebx\n\trorl\t$17,%esi\n\taddl\t80(%esp),%ebx\n\tshrl\t$10,%edi\n\taddl\t52(%esp),%ebx\n\tmovl\t%edx,%ecx\n\txorl\t%esi,%edi\n\tmovl\t4(%esp),%esi\n\trorl\t$14,%edx\n\taddl\t%edi,%ebx\n\tmovl\t8(%esp),%edi\n\txorl\t%ecx,%edx\n\tmovl\t%ebx,80(%esp)\n\txorl\t%edi,%esi\n\trorl\t$5,%edx\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,(%esp)\n\txorl\t%ecx,%edx\n\taddl\t12(%esp),%ebx\n\txorl\t%esi,%edi\n\trorl\t$6,%edx\n\tmovl\t%eax,%ecx\n\taddl\t%edi,%ebx\n\trorl\t$9,%ecx\n\tmovl\t%eax,%esi\n\tmovl\t20(%esp),%edi\n\txorl\t%eax,%ecx\n\tmovl\t%eax,16(%esp)\n\txorl\t%edi,%eax\n\trorl\t$11,%ecx\n\tandl\t%eax,%ebp\n\tleal\t2428436474(%ebx,%edx,1),%edx\n\txorl\t%esi,%ecx\n\txorl\t%edi,%ebp\n\tmovl\t88(%esp),%esi\n\trorl\t$2,%ecx\n\taddl\t%edx,%ebp\n\taddl\t28(%esp),%edx\n\taddl\t%ecx,%ebp\n\tmovl\t76(%esp),%ecx\n\tmovl\t%esi,%ebx\n\trorl\t$11,%esi\n\tmovl\t%ecx,%edi\n\trorl\t$2,%ecx\n\txorl\t%ebx,%esi\n\tshrl\t$3,%ebx\n\trorl\t$7,%esi\n\txorl\t%edi,%ecx\n\txorl\t%esi,%ebx\n\trorl\t$17,%ecx\n\taddl\t84(%esp),%ebx\n\tshrl\t$10,%edi\n\taddl\t56(%esp),%ebx\n\tmovl\t%edx,%esi\n\txorl\t%ecx,%edi\n\tmovl\t(%esp),%ecx\n\trorl\t$14,%edx\n\taddl\t%edi,%ebx\n\tmovl\t4(%esp),%edi\n\txorl\t%esi,%edx\n\tmovl\t%ebx,84(%esp)\n\txorl\t%edi,%ecx\n\trorl\t$5,%edx\n\tandl\t%esi,%ecx\n\tmovl\t%esi,28(%esp)\n\txorl\t%esi,%edx\n\taddl\t8(%esp),%ebx\n\txorl\t%ecx,%edi\n\trorl\t$6,%edx\n\tmovl\t%ebp,%esi\n\taddl\t%edi,%ebx\n\trorl\t$9,%esi\n\tmovl\t%ebp,%ecx\n\tmovl\t16(%esp),%edi\n\txorl\t%ebp,%esi\n\tmovl\t%ebp,12(%esp)\n\txorl\t%edi,%ebp\n\trorl\t$11,%esi\n\tandl\t%ebp,%eax\n\tleal\t2756734187(%ebx,%edx,1),%edx\n\txorl\t%ecx,%esi\n\txorl\t%edi,%eax\n\tmovl\t92(%esp),%ecx\n\trorl\t$2,%esi\n\taddl\t%edx,%eax\n\taddl\t24(%esp),%edx\n\taddl\t%esi,%eax\n\tmovl\t80(%esp),%esi\n\tmovl\t%ecx,%ebx\n\trorl\t$11,%ecx\n\tmovl\t%esi,%edi\n\trorl\t$2,%esi\n\txorl\t%ebx,%ecx\n\tshrl\t$3,%ebx\n\trorl\t$7,%ecx\n\txorl\t%edi,%esi\n\txorl\t%ecx,%ebx\n\trorl\t$17,%esi\n\taddl\t88(%esp),%ebx\n\tshrl\t$10,%edi\n\taddl\t60(%esp),%ebx\n\tmovl\t%edx,%ecx\n\txorl\t%esi,%edi\n\tmovl\t28(%esp),%esi\n\trorl\t$14,%edx\n\taddl\t%edi,%ebx\n\tmovl\t(%esp),%edi\n\txorl\t%ecx,%edx\n\txorl\t%edi,%esi\n\trorl\t$5,%edx\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,24(%esp)\n\txorl\t%ecx,%edx\n\taddl\t4(%esp),%ebx\n\txorl\t%esi,%edi\n\trorl\t$6,%edx\n\tmovl\t%eax,%ecx\n\taddl\t%edi,%ebx\n\trorl\t$9,%ecx\n\tmovl\t%eax,%esi\n\tmovl\t12(%esp),%edi\n\txorl\t%eax,%ecx\n\tmovl\t%eax,8(%esp)\n\txorl\t%edi,%eax\n\trorl\t$11,%ecx\n\tandl\t%eax,%ebp\n\tleal\t3204031479(%ebx,%edx,1),%edx\n\txorl\t%esi,%ecx\n\txorl\t%edi,%ebp\n\tmovl\t32(%esp),%esi\n\trorl\t$2,%ecx\n\taddl\t%edx,%ebp\n\taddl\t20(%esp),%edx\n\taddl\t%ecx,%ebp\n\tmovl\t84(%esp),%ecx\n\tmovl\t%esi,%ebx\n\trorl\t$11,%esi\n\tmovl\t%ecx,%edi\n\trorl\t$2,%ecx\n\txorl\t%ebx,%esi\n\tshrl\t$3,%ebx\n\trorl\t$7,%esi\n\txorl\t%edi,%ecx\n\txorl\t%esi,%ebx\n\trorl\t$17,%ecx\n\taddl\t92(%esp),%ebx\n\tshrl\t$10,%edi\n\taddl\t64(%esp),%ebx\n\tmovl\t%edx,%esi\n\txorl\t%ecx,%edi\n\tmovl\t24(%esp),%ecx\n\trorl\t$14,%edx\n\taddl\t%edi,%ebx\n\tmovl\t28(%esp),%edi\n\txorl\t%esi,%edx\n\txorl\t%edi,%ecx\n\trorl\t$5,%edx\n\tandl\t%esi,%ecx\n\tmovl\t%esi,20(%esp)\n\txorl\t%esi,%edx\n\taddl\t(%esp),%ebx\n\txorl\t%ecx,%edi\n\trorl\t$6,%edx\n\tmovl\t%ebp,%esi\n\taddl\t%edi,%ebx\n\trorl\t$9,%esi\n\tmovl\t%ebp,%ecx\n\tmovl\t8(%esp),%edi\n\txorl\t%ebp,%esi\n\tmovl\t%ebp,4(%esp)\n\txorl\t%edi,%ebp\n\trorl\t$11,%esi\n\tandl\t%ebp,%eax\n\tleal\t3329325298(%ebx,%edx,1),%edx\n\txorl\t%ecx,%esi\n\txorl\t%edi,%eax\n\trorl\t$2,%esi\n\taddl\t%edx,%eax\n\taddl\t16(%esp),%edx\n\taddl\t%esi,%eax\n\tmovl\t96(%esp),%esi\n\txorl\t%edi,%ebp\n\tmovl\t12(%esp),%ecx\n\taddl\t(%esi),%eax\n\taddl\t4(%esi),%ebp\n\taddl\t8(%esi),%edi\n\taddl\t12(%esi),%ecx\n\tmovl\t%eax,(%esi)\n\tmovl\t%ebp,4(%esi)\n\tmovl\t%edi,8(%esi)\n\tmovl\t%ecx,12(%esi)\n\tmovl\t%ebp,4(%esp)\n\txorl\t%edi,%ebp\n\tmovl\t%edi,8(%esp)\n\tmovl\t%ecx,12(%esp)\n\tmovl\t20(%esp),%edi\n\tmovl\t24(%esp),%ebx\n\tmovl\t28(%esp),%ecx\n\taddl\t16(%esi),%edx\n\taddl\t20(%esi),%edi\n\taddl\t24(%esi),%ebx\n\taddl\t28(%esi),%ecx\n\tmovl\t%edx,16(%esi)\n\tmovl\t%edi,20(%esi)\n\tmovl\t%ebx,24(%esi)\n\tmovl\t%ecx,28(%esi)\n\tmovl\t%edi,20(%esp)\n\tmovl\t100(%esp),%edi\n\tmovl\t%ebx,24(%esp)\n\tmovl\t%ecx,28(%esp)\n\tcmpl\t104(%esp),%edi\n\tjb\t.L006grand_loop\n\tmovl\t108(%esp),%esp\n\tpopl\t%edi\n\tpopl\t%esi\n\tpopl\t%ebx\n\tpopl\t%ebp\n\tret\n.size\tsha256_block_data_order_nohw,.-.L_sha256_block_data_order_nohw_begin\n.globl\tsha256_block_data_order_ssse3\n.hidden\tsha256_block_data_order_ssse3\n.type\tsha256_block_data_order_ssse3,@function\n.align\t16\nsha256_block_data_order_ssse3:\n.L_sha256_block_data_order_ssse3_begin:\n\tpushl\t%ebp\n\tpushl\t%ebx\n\tpushl\t%esi\n\tpushl\t%edi\n\tmovl\t20(%esp),%esi\n\tmovl\t24(%esp),%edi\n\tmovl\t28(%esp),%eax\n\tmovl\t%esp,%ebx\n\tcall\t.L007pic_point\n.L007pic_point:\n\tpopl\t%ebp\n\tleal\t.LK256-.L007pic_point(%ebp),%ebp\n\tsubl\t$16,%esp\n\tandl\t$-64,%esp\n\tshll\t$6,%eax\n\taddl\t%edi,%eax\n\tmovl\t%esi,(%esp)\n\tmovl\t%edi,4(%esp)\n\tmovl\t%eax,8(%esp)\n\tmovl\t%ebx,12(%esp)\n\tleal\t-96(%esp),%esp\n\tmovl\t(%esi),%eax\n\tmovl\t4(%esi),%ebx\n\tmovl\t8(%esi),%ecx\n\tmovl\t12(%esi),%edi\n\tmovl\t%ebx,4(%esp)\n\txorl\t%ecx,%ebx\n\tmovl\t%ecx,8(%esp)\n\tmovl\t%edi,12(%esp)\n\tmovl\t16(%esi),%edx\n\tmovl\t20(%esi),%edi\n\tmovl\t24(%esi),%ecx\n\tmovl\t28(%esi),%esi\n\tmovl\t%edi,20(%esp)\n\tmovl\t100(%esp),%edi\n\tmovl\t%ecx,24(%esp)\n\tmovl\t%esi,28(%esp)\n\tmovdqa\t256(%ebp),%xmm7\n\tjmp\t.L008grand_ssse3\n.align\t16\n.L008grand_ssse3:\n\tmovdqu\t(%edi),%xmm0\n\tmovdqu\t16(%edi),%xmm1\n\tmovdqu\t32(%edi),%xmm2\n\tmovdqu\t48(%edi),%xmm3\n\taddl\t$64,%edi\n.byte\t102,15,56,0,199\n\tmovl\t%edi,100(%esp)\n.byte\t102,15,56,0,207\n\tmovdqa\t(%ebp),%xmm4\n.byte\t102,15,56,0,215\n\tmovdqa\t16(%ebp),%xmm5\n\tpaddd\t%xmm0,%xmm4\n.byte\t102,15,56,0,223\n\tmovdqa\t32(%ebp),%xmm6\n\tpaddd\t%xmm1,%xmm5\n\tmovdqa\t48(%ebp),%xmm7\n\tmovdqa\t%xmm4,32(%esp)\n\tpaddd\t%xmm2,%xmm6\n\tmovdqa\t%xmm5,48(%esp)\n\tpaddd\t%xmm3,%xmm7\n\tmovdqa\t%xmm6,64(%esp)\n\tmovdqa\t%xmm7,80(%esp)\n\tjmp\t.L009ssse3_00_47\n.align\t16\n.L009ssse3_00_47:\n\taddl\t$64,%ebp\n\tmovl\t%edx,%ecx\n\tmovdqa\t%xmm1,%xmm4\n\trorl\t$14,%edx\n\tmovl\t20(%esp),%esi\n\tmovdqa\t%xmm3,%xmm7\n\txorl\t%ecx,%edx\n\tmovl\t24(%esp),%edi\n.byte\t102,15,58,15,224,4\n\txorl\t%edi,%esi\n\trorl\t$5,%edx\n\tandl\t%ecx,%esi\n.byte\t102,15,58,15,250,4\n\tmovl\t%ecx,16(%esp)\n\txorl\t%ecx,%edx\n\txorl\t%esi,%edi\n\tmovdqa\t%xmm4,%xmm5\n\trorl\t$6,%edx\n\tmovl\t%eax,%ecx\n\tmovdqa\t%xmm4,%xmm6\n\taddl\t%edi,%edx\n\tmovl\t4(%esp),%edi\n\tpsrld\t$3,%xmm4\n\tmovl\t%eax,%esi\n\trorl\t$9,%ecx\n\tpaddd\t%xmm7,%xmm0\n\tmovl\t%eax,(%esp)\n\txorl\t%eax,%ecx\n\tpsrld\t$7,%xmm6\n\txorl\t%edi,%eax\n\taddl\t28(%esp),%edx\n\trorl\t$11,%ecx\n\tandl\t%eax,%ebx\n\tpshufd\t$250,%xmm3,%xmm7\n\txorl\t%esi,%ecx\n\taddl\t32(%esp),%edx\n\tpslld\t$14,%xmm5\n\txorl\t%edi,%ebx\n\trorl\t$2,%ecx\n\tpxor\t%xmm6,%xmm4\n\taddl\t%edx,%ebx\n\taddl\t12(%esp),%edx\n\tpsrld\t$11,%xmm6\n\taddl\t%ecx,%ebx\n\tmovl\t%edx,%ecx\n\trorl\t$14,%edx\n\tpxor\t%xmm5,%xmm4\n\tmovl\t16(%esp),%esi\n\txorl\t%ecx,%edx\n\tpslld\t$11,%xmm5\n\tmovl\t20(%esp),%edi\n\txorl\t%edi,%esi\n\trorl\t$5,%edx\n\tpxor\t%xmm6,%xmm4\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,12(%esp)\n\tmovdqa\t%xmm7,%xmm6\n\txorl\t%ecx,%edx\n\txorl\t%esi,%edi\n\trorl\t$6,%edx\n\tpxor\t%xmm5,%xmm4\n\tmovl\t%ebx,%ecx\n\taddl\t%edi,%edx\n\tpsrld\t$10,%xmm7\n\tmovl\t(%esp),%edi\n\tmovl\t%ebx,%esi\n\trorl\t$9,%ecx\n\tpaddd\t%xmm4,%xmm0\n\tmovl\t%ebx,28(%esp)\n\txorl\t%ebx,%ecx\n\tpsrlq\t$17,%xmm6\n\txorl\t%edi,%ebx\n\taddl\t24(%esp),%edx\n\trorl\t$11,%ecx\n\tpxor\t%xmm6,%xmm7\n\tandl\t%ebx,%eax\n\txorl\t%esi,%ecx\n\tpsrlq\t$2,%xmm6\n\taddl\t36(%esp),%edx\n\txorl\t%edi,%eax\n\trorl\t$2,%ecx\n\tpxor\t%xmm6,%xmm7\n\taddl\t%edx,%eax\n\taddl\t8(%esp),%edx\n\tpshufd\t$128,%xmm7,%xmm7\n\taddl\t%ecx,%eax\n\tmovl\t%edx,%ecx\n\trorl\t$14,%edx\n\tmovl\t12(%esp),%esi\n\txorl\t%ecx,%edx\n\tmovl\t16(%esp),%edi\n\txorl\t%edi,%esi\n\trorl\t$5,%edx\n\tandl\t%ecx,%esi\n\tpsrldq\t$8,%xmm7\n\tmovl\t%ecx,8(%esp)\n\txorl\t%ecx,%edx\n\txorl\t%esi,%edi\n\tpaddd\t%xmm7,%xmm0\n\trorl\t$6,%edx\n\tmovl\t%eax,%ecx\n\taddl\t%edi,%edx\n\tmovl\t28(%esp),%edi\n\tmovl\t%eax,%esi\n\trorl\t$9,%ecx\n\tmovl\t%eax,24(%esp)\n\tpshufd\t$80,%xmm0,%xmm7\n\txorl\t%eax,%ecx\n\txorl\t%edi,%eax\n\taddl\t20(%esp),%edx\n\tmovdqa\t%xmm7,%xmm6\n\trorl\t$11,%ecx\n\tpsrld\t$10,%xmm7\n\tandl\t%eax,%ebx\n\tpsrlq\t$17,%xmm6\n\txorl\t%esi,%ecx\n\taddl\t40(%esp),%edx\n\txorl\t%edi,%ebx\n\trorl\t$2,%ecx\n\tpxor\t%xmm6,%xmm7\n\taddl\t%edx,%ebx\n\taddl\t4(%esp),%edx\n\tpsrlq\t$2,%xmm6\n\taddl\t%ecx,%ebx\n\tmovl\t%edx,%ecx\n\trorl\t$14,%edx\n\tpxor\t%xmm6,%xmm7\n\tmovl\t8(%esp),%esi\n\txorl\t%ecx,%edx\n\tmovl\t12(%esp),%edi\n\tpshufd\t$8,%xmm7,%xmm7\n\txorl\t%edi,%esi\n\trorl\t$5,%edx\n\tmovdqa\t(%ebp),%xmm6\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,4(%esp)\n\tpslldq\t$8,%xmm7\n\txorl\t%ecx,%edx\n\txorl\t%esi,%edi\n\trorl\t$6,%edx\n\tmovl\t%ebx,%ecx\n\taddl\t%edi,%edx\n\tmovl\t24(%esp),%edi\n\tmovl\t%ebx,%esi\n\trorl\t$9,%ecx\n\tpaddd\t%xmm7,%xmm0\n\tmovl\t%ebx,20(%esp)\n\txorl\t%ebx,%ecx\n\txorl\t%edi,%ebx\n\taddl\t16(%esp),%edx\n\tpaddd\t%xmm0,%xmm6\n\trorl\t$11,%ecx\n\tandl\t%ebx,%eax\n\txorl\t%esi,%ecx\n\taddl\t44(%esp),%edx\n\txorl\t%edi,%eax\n\trorl\t$2,%ecx\n\taddl\t%edx,%eax\n\taddl\t(%esp),%edx\n\taddl\t%ecx,%eax\n\tmovdqa\t%xmm6,32(%esp)\n\tmovl\t%edx,%ecx\n\tmovdqa\t%xmm2,%xmm4\n\trorl\t$14,%edx\n\tmovl\t4(%esp),%esi\n\tmovdqa\t%xmm0,%xmm7\n\txorl\t%ecx,%edx\n\tmovl\t8(%esp),%edi\n.byte\t102,15,58,15,225,4\n\txorl\t%edi,%esi\n\trorl\t$5,%edx\n\tandl\t%ecx,%esi\n.byte\t102,15,58,15,251,4\n\tmovl\t%ecx,(%esp)\n\txorl\t%ecx,%edx\n\txorl\t%esi,%edi\n\tmovdqa\t%xmm4,%xmm5\n\trorl\t$6,%edx\n\tmovl\t%eax,%ecx\n\tmovdqa\t%xmm4,%xmm6\n\taddl\t%edi,%edx\n\tmovl\t20(%esp),%edi\n\tpsrld\t$3,%xmm4\n\tmovl\t%eax,%esi\n\trorl\t$9,%ecx\n\tpaddd\t%xmm7,%xmm1\n\tmovl\t%eax,16(%esp)\n\txorl\t%eax,%ecx\n\tpsrld\t$7,%xmm6\n\txorl\t%edi,%eax\n\taddl\t12(%esp),%edx\n\trorl\t$11,%ecx\n\tandl\t%eax,%ebx\n\tpshufd\t$250,%xmm0,%xmm7\n\txorl\t%esi,%ecx\n\taddl\t48(%esp),%edx\n\tpslld\t$14,%xmm5\n\txorl\t%edi,%ebx\n\trorl\t$2,%ecx\n\tpxor\t%xmm6,%xmm4\n\taddl\t%edx,%ebx\n\taddl\t28(%esp),%edx\n\tpsrld\t$11,%xmm6\n\taddl\t%ecx,%ebx\n\tmovl\t%edx,%ecx\n\trorl\t$14,%edx\n\tpxor\t%xmm5,%xmm4\n\tmovl\t(%esp),%esi\n\txorl\t%ecx,%edx\n\tpslld\t$11,%xmm5\n\tmovl\t4(%esp),%edi\n\txorl\t%edi,%esi\n\trorl\t$5,%edx\n\tpxor\t%xmm6,%xmm4\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,28(%esp)\n\tmovdqa\t%xmm7,%xmm6\n\txorl\t%ecx,%edx\n\txorl\t%esi,%edi\n\trorl\t$6,%edx\n\tpxor\t%xmm5,%xmm4\n\tmovl\t%ebx,%ecx\n\taddl\t%edi,%edx\n\tpsrld\t$10,%xmm7\n\tmovl\t16(%esp),%edi\n\tmovl\t%ebx,%esi\n\trorl\t$9,%ecx\n\tpaddd\t%xmm4,%xmm1\n\tmovl\t%ebx,12(%esp)\n\txorl\t%ebx,%ecx\n\tpsrlq\t$17,%xmm6\n\txorl\t%edi,%ebx\n\taddl\t8(%esp),%edx\n\trorl\t$11,%ecx\n\tpxor\t%xmm6,%xmm7\n\tandl\t%ebx,%eax\n\txorl\t%esi,%ecx\n\tpsrlq\t$2,%xmm6\n\taddl\t52(%esp),%edx\n\txorl\t%edi,%eax\n\trorl\t$2,%ecx\n\tpxor\t%xmm6,%xmm7\n\taddl\t%edx,%eax\n\taddl\t24(%esp),%edx\n\tpshufd\t$128,%xmm7,%xmm7\n\taddl\t%ecx,%eax\n\tmovl\t%edx,%ecx\n\trorl\t$14,%edx\n\tmovl\t28(%esp),%esi\n\txorl\t%ecx,%edx\n\tmovl\t(%esp),%edi\n\txorl\t%edi,%esi\n\trorl\t$5,%edx\n\tandl\t%ecx,%esi\n\tpsrldq\t$8,%xmm7\n\tmovl\t%ecx,24(%esp)\n\txorl\t%ecx,%edx\n\txorl\t%esi,%edi\n\tpaddd\t%xmm7,%xmm1\n\trorl\t$6,%edx\n\tmovl\t%eax,%ecx\n\taddl\t%edi,%edx\n\tmovl\t12(%esp),%edi\n\tmovl\t%eax,%esi\n\trorl\t$9,%ecx\n\tmovl\t%eax,8(%esp)\n\tpshufd\t$80,%xmm1,%xmm7\n\txorl\t%eax,%ecx\n\txorl\t%edi,%eax\n\taddl\t4(%esp),%edx\n\tmovdqa\t%xmm7,%xmm6\n\trorl\t$11,%ecx\n\tpsrld\t$10,%xmm7\n\tandl\t%eax,%ebx\n\tpsrlq\t$17,%xmm6\n\txorl\t%esi,%ecx\n\taddl\t56(%esp),%edx\n\txorl\t%edi,%ebx\n\trorl\t$2,%ecx\n\tpxor\t%xmm6,%xmm7\n\taddl\t%edx,%ebx\n\taddl\t20(%esp),%edx\n\tpsrlq\t$2,%xmm6\n\taddl\t%ecx,%ebx\n\tmovl\t%edx,%ecx\n\trorl\t$14,%edx\n\tpxor\t%xmm6,%xmm7\n\tmovl\t24(%esp),%esi\n\txorl\t%ecx,%edx\n\tmovl\t28(%esp),%edi\n\tpshufd\t$8,%xmm7,%xmm7\n\txorl\t%edi,%esi\n\trorl\t$5,%edx\n\tmovdqa\t16(%ebp),%xmm6\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,20(%esp)\n\tpslldq\t$8,%xmm7\n\txorl\t%ecx,%edx\n\txorl\t%esi,%edi\n\trorl\t$6,%edx\n\tmovl\t%ebx,%ecx\n\taddl\t%edi,%edx\n\tmovl\t8(%esp),%edi\n\tmovl\t%ebx,%esi\n\trorl\t$9,%ecx\n\tpaddd\t%xmm7,%xmm1\n\tmovl\t%ebx,4(%esp)\n\txorl\t%ebx,%ecx\n\txorl\t%edi,%ebx\n\taddl\t(%esp),%edx\n\tpaddd\t%xmm1,%xmm6\n\trorl\t$11,%ecx\n\tandl\t%ebx,%eax\n\txorl\t%esi,%ecx\n\taddl\t60(%esp),%edx\n\txorl\t%edi,%eax\n\trorl\t$2,%ecx\n\taddl\t%edx,%eax\n\taddl\t16(%esp),%edx\n\taddl\t%ecx,%eax\n\tmovdqa\t%xmm6,48(%esp)\n\tmovl\t%edx,%ecx\n\tmovdqa\t%xmm3,%xmm4\n\trorl\t$14,%edx\n\tmovl\t20(%esp),%esi\n\tmovdqa\t%xmm1,%xmm7\n\txorl\t%ecx,%edx\n\tmovl\t24(%esp),%edi\n.byte\t102,15,58,15,226,4\n\txorl\t%edi,%esi\n\trorl\t$5,%edx\n\tandl\t%ecx,%esi\n.byte\t102,15,58,15,248,4\n\tmovl\t%ecx,16(%esp)\n\txorl\t%ecx,%edx\n\txorl\t%esi,%edi\n\tmovdqa\t%xmm4,%xmm5\n\trorl\t$6,%edx\n\tmovl\t%eax,%ecx\n\tmovdqa\t%xmm4,%xmm6\n\taddl\t%edi,%edx\n\tmovl\t4(%esp),%edi\n\tpsrld\t$3,%xmm4\n\tmovl\t%eax,%esi\n\trorl\t$9,%ecx\n\tpaddd\t%xmm7,%xmm2\n\tmovl\t%eax,(%esp)\n\txorl\t%eax,%ecx\n\tpsrld\t$7,%xmm6\n\txorl\t%edi,%eax\n\taddl\t28(%esp),%edx\n\trorl\t$11,%ecx\n\tandl\t%eax,%ebx\n\tpshufd\t$250,%xmm1,%xmm7\n\txorl\t%esi,%ecx\n\taddl\t64(%esp),%edx\n\tpslld\t$14,%xmm5\n\txorl\t%edi,%ebx\n\trorl\t$2,%ecx\n\tpxor\t%xmm6,%xmm4\n\taddl\t%edx,%ebx\n\taddl\t12(%esp),%edx\n\tpsrld\t$11,%xmm6\n\taddl\t%ecx,%ebx\n\tmovl\t%edx,%ecx\n\trorl\t$14,%edx\n\tpxor\t%xmm5,%xmm4\n\tmovl\t16(%esp),%esi\n\txorl\t%ecx,%edx\n\tpslld\t$11,%xmm5\n\tmovl\t20(%esp),%edi\n\txorl\t%edi,%esi\n\trorl\t$5,%edx\n\tpxor\t%xmm6,%xmm4\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,12(%esp)\n\tmovdqa\t%xmm7,%xmm6\n\txorl\t%ecx,%edx\n\txorl\t%esi,%edi\n\trorl\t$6,%edx\n\tpxor\t%xmm5,%xmm4\n\tmovl\t%ebx,%ecx\n\taddl\t%edi,%edx\n\tpsrld\t$10,%xmm7\n\tmovl\t(%esp),%edi\n\tmovl\t%ebx,%esi\n\trorl\t$9,%ecx\n\tpaddd\t%xmm4,%xmm2\n\tmovl\t%ebx,28(%esp)\n\txorl\t%ebx,%ecx\n\tpsrlq\t$17,%xmm6\n\txorl\t%edi,%ebx\n\taddl\t24(%esp),%edx\n\trorl\t$11,%ecx\n\tpxor\t%xmm6,%xmm7\n\tandl\t%ebx,%eax\n\txorl\t%esi,%ecx\n\tpsrlq\t$2,%xmm6\n\taddl\t68(%esp),%edx\n\txorl\t%edi,%eax\n\trorl\t$2,%ecx\n\tpxor\t%xmm6,%xmm7\n\taddl\t%edx,%eax\n\taddl\t8(%esp),%edx\n\tpshufd\t$128,%xmm7,%xmm7\n\taddl\t%ecx,%eax\n\tmovl\t%edx,%ecx\n\trorl\t$14,%edx\n\tmovl\t12(%esp),%esi\n\txorl\t%ecx,%edx\n\tmovl\t16(%esp),%edi\n\txorl\t%edi,%esi\n\trorl\t$5,%edx\n\tandl\t%ecx,%esi\n\tpsrldq\t$8,%xmm7\n\tmovl\t%ecx,8(%esp)\n\txorl\t%ecx,%edx\n\txorl\t%esi,%edi\n\tpaddd\t%xmm7,%xmm2\n\trorl\t$6,%edx\n\tmovl\t%eax,%ecx\n\taddl\t%edi,%edx\n\tmovl\t28(%esp),%edi\n\tmovl\t%eax,%esi\n\trorl\t$9,%ecx\n\tmovl\t%eax,24(%esp)\n\tpshufd\t$80,%xmm2,%xmm7\n\txorl\t%eax,%ecx\n\txorl\t%edi,%eax\n\taddl\t20(%esp),%edx\n\tmovdqa\t%xmm7,%xmm6\n\trorl\t$11,%ecx\n\tpsrld\t$10,%xmm7\n\tandl\t%eax,%ebx\n\tpsrlq\t$17,%xmm6\n\txorl\t%esi,%ecx\n\taddl\t72(%esp),%edx\n\txorl\t%edi,%ebx\n\trorl\t$2,%ecx\n\tpxor\t%xmm6,%xmm7\n\taddl\t%edx,%ebx\n\taddl\t4(%esp),%edx\n\tpsrlq\t$2,%xmm6\n\taddl\t%ecx,%ebx\n\tmovl\t%edx,%ecx\n\trorl\t$14,%edx\n\tpxor\t%xmm6,%xmm7\n\tmovl\t8(%esp),%esi\n\txorl\t%ecx,%edx\n\tmovl\t12(%esp),%edi\n\tpshufd\t$8,%xmm7,%xmm7\n\txorl\t%edi,%esi\n\trorl\t$5,%edx\n\tmovdqa\t32(%ebp),%xmm6\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,4(%esp)\n\tpslldq\t$8,%xmm7\n\txorl\t%ecx,%edx\n\txorl\t%esi,%edi\n\trorl\t$6,%edx\n\tmovl\t%ebx,%ecx\n\taddl\t%edi,%edx\n\tmovl\t24(%esp),%edi\n\tmovl\t%ebx,%esi\n\trorl\t$9,%ecx\n\tpaddd\t%xmm7,%xmm2\n\tmovl\t%ebx,20(%esp)\n\txorl\t%ebx,%ecx\n\txorl\t%edi,%ebx\n\taddl\t16(%esp),%edx\n\tpaddd\t%xmm2,%xmm6\n\trorl\t$11,%ecx\n\tandl\t%ebx,%eax\n\txorl\t%esi,%ecx\n\taddl\t76(%esp),%edx\n\txorl\t%edi,%eax\n\trorl\t$2,%ecx\n\taddl\t%edx,%eax\n\taddl\t(%esp),%edx\n\taddl\t%ecx,%eax\n\tmovdqa\t%xmm6,64(%esp)\n\tmovl\t%edx,%ecx\n\tmovdqa\t%xmm0,%xmm4\n\trorl\t$14,%edx\n\tmovl\t4(%esp),%esi\n\tmovdqa\t%xmm2,%xmm7\n\txorl\t%ecx,%edx\n\tmovl\t8(%esp),%edi\n.byte\t102,15,58,15,227,4\n\txorl\t%edi,%esi\n\trorl\t$5,%edx\n\tandl\t%ecx,%esi\n.byte\t102,15,58,15,249,4\n\tmovl\t%ecx,(%esp)\n\txorl\t%ecx,%edx\n\txorl\t%esi,%edi\n\tmovdqa\t%xmm4,%xmm5\n\trorl\t$6,%edx\n\tmovl\t%eax,%ecx\n\tmovdqa\t%xmm4,%xmm6\n\taddl\t%edi,%edx\n\tmovl\t20(%esp),%edi\n\tpsrld\t$3,%xmm4\n\tmovl\t%eax,%esi\n\trorl\t$9,%ecx\n\tpaddd\t%xmm7,%xmm3\n\tmovl\t%eax,16(%esp)\n\txorl\t%eax,%ecx\n\tpsrld\t$7,%xmm6\n\txorl\t%edi,%eax\n\taddl\t12(%esp),%edx\n\trorl\t$11,%ecx\n\tandl\t%eax,%ebx\n\tpshufd\t$250,%xmm2,%xmm7\n\txorl\t%esi,%ecx\n\taddl\t80(%esp),%edx\n\tpslld\t$14,%xmm5\n\txorl\t%edi,%ebx\n\trorl\t$2,%ecx\n\tpxor\t%xmm6,%xmm4\n\taddl\t%edx,%ebx\n\taddl\t28(%esp),%edx\n\tpsrld\t$11,%xmm6\n\taddl\t%ecx,%ebx\n\tmovl\t%edx,%ecx\n\trorl\t$14,%edx\n\tpxor\t%xmm5,%xmm4\n\tmovl\t(%esp),%esi\n\txorl\t%ecx,%edx\n\tpslld\t$11,%xmm5\n\tmovl\t4(%esp),%edi\n\txorl\t%edi,%esi\n\trorl\t$5,%edx\n\tpxor\t%xmm6,%xmm4\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,28(%esp)\n\tmovdqa\t%xmm7,%xmm6\n\txorl\t%ecx,%edx\n\txorl\t%esi,%edi\n\trorl\t$6,%edx\n\tpxor\t%xmm5,%xmm4\n\tmovl\t%ebx,%ecx\n\taddl\t%edi,%edx\n\tpsrld\t$10,%xmm7\n\tmovl\t16(%esp),%edi\n\tmovl\t%ebx,%esi\n\trorl\t$9,%ecx\n\tpaddd\t%xmm4,%xmm3\n\tmovl\t%ebx,12(%esp)\n\txorl\t%ebx,%ecx\n\tpsrlq\t$17,%xmm6\n\txorl\t%edi,%ebx\n\taddl\t8(%esp),%edx\n\trorl\t$11,%ecx\n\tpxor\t%xmm6,%xmm7\n\tandl\t%ebx,%eax\n\txorl\t%esi,%ecx\n\tpsrlq\t$2,%xmm6\n\taddl\t84(%esp),%edx\n\txorl\t%edi,%eax\n\trorl\t$2,%ecx\n\tpxor\t%xmm6,%xmm7\n\taddl\t%edx,%eax\n\taddl\t24(%esp),%edx\n\tpshufd\t$128,%xmm7,%xmm7\n\taddl\t%ecx,%eax\n\tmovl\t%edx,%ecx\n\trorl\t$14,%edx\n\tmovl\t28(%esp),%esi\n\txorl\t%ecx,%edx\n\tmovl\t(%esp),%edi\n\txorl\t%edi,%esi\n\trorl\t$5,%edx\n\tandl\t%ecx,%esi\n\tpsrldq\t$8,%xmm7\n\tmovl\t%ecx,24(%esp)\n\txorl\t%ecx,%edx\n\txorl\t%esi,%edi\n\tpaddd\t%xmm7,%xmm3\n\trorl\t$6,%edx\n\tmovl\t%eax,%ecx\n\taddl\t%edi,%edx\n\tmovl\t12(%esp),%edi\n\tmovl\t%eax,%esi\n\trorl\t$9,%ecx\n\tmovl\t%eax,8(%esp)\n\tpshufd\t$80,%xmm3,%xmm7\n\txorl\t%eax,%ecx\n\txorl\t%edi,%eax\n\taddl\t4(%esp),%edx\n\tmovdqa\t%xmm7,%xmm6\n\trorl\t$11,%ecx\n\tpsrld\t$10,%xmm7\n\tandl\t%eax,%ebx\n\tpsrlq\t$17,%xmm6\n\txorl\t%esi,%ecx\n\taddl\t88(%esp),%edx\n\txorl\t%edi,%ebx\n\trorl\t$2,%ecx\n\tpxor\t%xmm6,%xmm7\n\taddl\t%edx,%ebx\n\taddl\t20(%esp),%edx\n\tpsrlq\t$2,%xmm6\n\taddl\t%ecx,%ebx\n\tmovl\t%edx,%ecx\n\trorl\t$14,%edx\n\tpxor\t%xmm6,%xmm7\n\tmovl\t24(%esp),%esi\n\txorl\t%ecx,%edx\n\tmovl\t28(%esp),%edi\n\tpshufd\t$8,%xmm7,%xmm7\n\txorl\t%edi,%esi\n\trorl\t$5,%edx\n\tmovdqa\t48(%ebp),%xmm6\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,20(%esp)\n\tpslldq\t$8,%xmm7\n\txorl\t%ecx,%edx\n\txorl\t%esi,%edi\n\trorl\t$6,%edx\n\tmovl\t%ebx,%ecx\n\taddl\t%edi,%edx\n\tmovl\t8(%esp),%edi\n\tmovl\t%ebx,%esi\n\trorl\t$9,%ecx\n\tpaddd\t%xmm7,%xmm3\n\tmovl\t%ebx,4(%esp)\n\txorl\t%ebx,%ecx\n\txorl\t%edi,%ebx\n\taddl\t(%esp),%edx\n\tpaddd\t%xmm3,%xmm6\n\trorl\t$11,%ecx\n\tandl\t%ebx,%eax\n\txorl\t%esi,%ecx\n\taddl\t92(%esp),%edx\n\txorl\t%edi,%eax\n\trorl\t$2,%ecx\n\taddl\t%edx,%eax\n\taddl\t16(%esp),%edx\n\taddl\t%ecx,%eax\n\tmovdqa\t%xmm6,80(%esp)\n\tcmpl\t$66051,64(%ebp)\n\tjne\t.L009ssse3_00_47\n\tmovl\t%edx,%ecx\n\trorl\t$14,%edx\n\tmovl\t20(%esp),%esi\n\txorl\t%ecx,%edx\n\tmovl\t24(%esp),%edi\n\txorl\t%edi,%esi\n\trorl\t$5,%edx\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,16(%esp)\n\txorl\t%ecx,%edx\n\txorl\t%esi,%edi\n\trorl\t$6,%edx\n\tmovl\t%eax,%ecx\n\taddl\t%edi,%edx\n\tmovl\t4(%esp),%edi\n\tmovl\t%eax,%esi\n\trorl\t$9,%ecx\n\tmovl\t%eax,(%esp)\n\txorl\t%eax,%ecx\n\txorl\t%edi,%eax\n\taddl\t28(%esp),%edx\n\trorl\t$11,%ecx\n\tandl\t%eax,%ebx\n\txorl\t%esi,%ecx\n\taddl\t32(%esp),%edx\n\txorl\t%edi,%ebx\n\trorl\t$2,%ecx\n\taddl\t%edx,%ebx\n\taddl\t12(%esp),%edx\n\taddl\t%ecx,%ebx\n\tmovl\t%edx,%ecx\n\trorl\t$14,%edx\n\tmovl\t16(%esp),%esi\n\txorl\t%ecx,%edx\n\tmovl\t20(%esp),%edi\n\txorl\t%edi,%esi\n\trorl\t$5,%edx\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,12(%esp)\n\txorl\t%ecx,%edx\n\txorl\t%esi,%edi\n\trorl\t$6,%edx\n\tmovl\t%ebx,%ecx\n\taddl\t%edi,%edx\n\tmovl\t(%esp),%edi\n\tmovl\t%ebx,%esi\n\trorl\t$9,%ecx\n\tmovl\t%ebx,28(%esp)\n\txorl\t%ebx,%ecx\n\txorl\t%edi,%ebx\n\taddl\t24(%esp),%edx\n\trorl\t$11,%ecx\n\tandl\t%ebx,%eax\n\txorl\t%esi,%ecx\n\taddl\t36(%esp),%edx\n\txorl\t%edi,%eax\n\trorl\t$2,%ecx\n\taddl\t%edx,%eax\n\taddl\t8(%esp),%edx\n\taddl\t%ecx,%eax\n\tmovl\t%edx,%ecx\n\trorl\t$14,%edx\n\tmovl\t12(%esp),%esi\n\txorl\t%ecx,%edx\n\tmovl\t16(%esp),%edi\n\txorl\t%edi,%esi\n\trorl\t$5,%edx\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,8(%esp)\n\txorl\t%ecx,%edx\n\txorl\t%esi,%edi\n\trorl\t$6,%edx\n\tmovl\t%eax,%ecx\n\taddl\t%edi,%edx\n\tmovl\t28(%esp),%edi\n\tmovl\t%eax,%esi\n\trorl\t$9,%ecx\n\tmovl\t%eax,24(%esp)\n\txorl\t%eax,%ecx\n\txorl\t%edi,%eax\n\taddl\t20(%esp),%edx\n\trorl\t$11,%ecx\n\tandl\t%eax,%ebx\n\txorl\t%esi,%ecx\n\taddl\t40(%esp),%edx\n\txorl\t%edi,%ebx\n\trorl\t$2,%ecx\n\taddl\t%edx,%ebx\n\taddl\t4(%esp),%edx\n\taddl\t%ecx,%ebx\n\tmovl\t%edx,%ecx\n\trorl\t$14,%edx\n\tmovl\t8(%esp),%esi\n\txorl\t%ecx,%edx\n\tmovl\t12(%esp),%edi\n\txorl\t%edi,%esi\n\trorl\t$5,%edx\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,4(%esp)\n\txorl\t%ecx,%edx\n\txorl\t%esi,%edi\n\trorl\t$6,%edx\n\tmovl\t%ebx,%ecx\n\taddl\t%edi,%edx\n\tmovl\t24(%esp),%edi\n\tmovl\t%ebx,%esi\n\trorl\t$9,%ecx\n\tmovl\t%ebx,20(%esp)\n\txorl\t%ebx,%ecx\n\txorl\t%edi,%ebx\n\taddl\t16(%esp),%edx\n\trorl\t$11,%ecx\n\tandl\t%ebx,%eax\n\txorl\t%esi,%ecx\n\taddl\t44(%esp),%edx\n\txorl\t%edi,%eax\n\trorl\t$2,%ecx\n\taddl\t%edx,%eax\n\taddl\t(%esp),%edx\n\taddl\t%ecx,%eax\n\tmovl\t%edx,%ecx\n\trorl\t$14,%edx\n\tmovl\t4(%esp),%esi\n\txorl\t%ecx,%edx\n\tmovl\t8(%esp),%edi\n\txorl\t%edi,%esi\n\trorl\t$5,%edx\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,(%esp)\n\txorl\t%ecx,%edx\n\txorl\t%esi,%edi\n\trorl\t$6,%edx\n\tmovl\t%eax,%ecx\n\taddl\t%edi,%edx\n\tmovl\t20(%esp),%edi\n\tmovl\t%eax,%esi\n\trorl\t$9,%ecx\n\tmovl\t%eax,16(%esp)\n\txorl\t%eax,%ecx\n\txorl\t%edi,%eax\n\taddl\t12(%esp),%edx\n\trorl\t$11,%ecx\n\tandl\t%eax,%ebx\n\txorl\t%esi,%ecx\n\taddl\t48(%esp),%edx\n\txorl\t%edi,%ebx\n\trorl\t$2,%ecx\n\taddl\t%edx,%ebx\n\taddl\t28(%esp),%edx\n\taddl\t%ecx,%ebx\n\tmovl\t%edx,%ecx\n\trorl\t$14,%edx\n\tmovl\t(%esp),%esi\n\txorl\t%ecx,%edx\n\tmovl\t4(%esp),%edi\n\txorl\t%edi,%esi\n\trorl\t$5,%edx\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,28(%esp)\n\txorl\t%ecx,%edx\n\txorl\t%esi,%edi\n\trorl\t$6,%edx\n\tmovl\t%ebx,%ecx\n\taddl\t%edi,%edx\n\tmovl\t16(%esp),%edi\n\tmovl\t%ebx,%esi\n\trorl\t$9,%ecx\n\tmovl\t%ebx,12(%esp)\n\txorl\t%ebx,%ecx\n\txorl\t%edi,%ebx\n\taddl\t8(%esp),%edx\n\trorl\t$11,%ecx\n\tandl\t%ebx,%eax\n\txorl\t%esi,%ecx\n\taddl\t52(%esp),%edx\n\txorl\t%edi,%eax\n\trorl\t$2,%ecx\n\taddl\t%edx,%eax\n\taddl\t24(%esp),%edx\n\taddl\t%ecx,%eax\n\tmovl\t%edx,%ecx\n\trorl\t$14,%edx\n\tmovl\t28(%esp),%esi\n\txorl\t%ecx,%edx\n\tmovl\t(%esp),%edi\n\txorl\t%edi,%esi\n\trorl\t$5,%edx\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,24(%esp)\n\txorl\t%ecx,%edx\n\txorl\t%esi,%edi\n\trorl\t$6,%edx\n\tmovl\t%eax,%ecx\n\taddl\t%edi,%edx\n\tmovl\t12(%esp),%edi\n\tmovl\t%eax,%esi\n\trorl\t$9,%ecx\n\tmovl\t%eax,8(%esp)\n\txorl\t%eax,%ecx\n\txorl\t%edi,%eax\n\taddl\t4(%esp),%edx\n\trorl\t$11,%ecx\n\tandl\t%eax,%ebx\n\txorl\t%esi,%ecx\n\taddl\t56(%esp),%edx\n\txorl\t%edi,%ebx\n\trorl\t$2,%ecx\n\taddl\t%edx,%ebx\n\taddl\t20(%esp),%edx\n\taddl\t%ecx,%ebx\n\tmovl\t%edx,%ecx\n\trorl\t$14,%edx\n\tmovl\t24(%esp),%esi\n\txorl\t%ecx,%edx\n\tmovl\t28(%esp),%edi\n\txorl\t%edi,%esi\n\trorl\t$5,%edx\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,20(%esp)\n\txorl\t%ecx,%edx\n\txorl\t%esi,%edi\n\trorl\t$6,%edx\n\tmovl\t%ebx,%ecx\n\taddl\t%edi,%edx\n\tmovl\t8(%esp),%edi\n\tmovl\t%ebx,%esi\n\trorl\t$9,%ecx\n\tmovl\t%ebx,4(%esp)\n\txorl\t%ebx,%ecx\n\txorl\t%edi,%ebx\n\taddl\t(%esp),%edx\n\trorl\t$11,%ecx\n\tandl\t%ebx,%eax\n\txorl\t%esi,%ecx\n\taddl\t60(%esp),%edx\n\txorl\t%edi,%eax\n\trorl\t$2,%ecx\n\taddl\t%edx,%eax\n\taddl\t16(%esp),%edx\n\taddl\t%ecx,%eax\n\tmovl\t%edx,%ecx\n\trorl\t$14,%edx\n\tmovl\t20(%esp),%esi\n\txorl\t%ecx,%edx\n\tmovl\t24(%esp),%edi\n\txorl\t%edi,%esi\n\trorl\t$5,%edx\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,16(%esp)\n\txorl\t%ecx,%edx\n\txorl\t%esi,%edi\n\trorl\t$6,%edx\n\tmovl\t%eax,%ecx\n\taddl\t%edi,%edx\n\tmovl\t4(%esp),%edi\n\tmovl\t%eax,%esi\n\trorl\t$9,%ecx\n\tmovl\t%eax,(%esp)\n\txorl\t%eax,%ecx\n\txorl\t%edi,%eax\n\taddl\t28(%esp),%edx\n\trorl\t$11,%ecx\n\tandl\t%eax,%ebx\n\txorl\t%esi,%ecx\n\taddl\t64(%esp),%edx\n\txorl\t%edi,%ebx\n\trorl\t$2,%ecx\n\taddl\t%edx,%ebx\n\taddl\t12(%esp),%edx\n\taddl\t%ecx,%ebx\n\tmovl\t%edx,%ecx\n\trorl\t$14,%edx\n\tmovl\t16(%esp),%esi\n\txorl\t%ecx,%edx\n\tmovl\t20(%esp),%edi\n\txorl\t%edi,%esi\n\trorl\t$5,%edx\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,12(%esp)\n\txorl\t%ecx,%edx\n\txorl\t%esi,%edi\n\trorl\t$6,%edx\n\tmovl\t%ebx,%ecx\n\taddl\t%edi,%edx\n\tmovl\t(%esp),%edi\n\tmovl\t%ebx,%esi\n\trorl\t$9,%ecx\n\tmovl\t%ebx,28(%esp)\n\txorl\t%ebx,%ecx\n\txorl\t%edi,%ebx\n\taddl\t24(%esp),%edx\n\trorl\t$11,%ecx\n\tandl\t%ebx,%eax\n\txorl\t%esi,%ecx\n\taddl\t68(%esp),%edx\n\txorl\t%edi,%eax\n\trorl\t$2,%ecx\n\taddl\t%edx,%eax\n\taddl\t8(%esp),%edx\n\taddl\t%ecx,%eax\n\tmovl\t%edx,%ecx\n\trorl\t$14,%edx\n\tmovl\t12(%esp),%esi\n\txorl\t%ecx,%edx\n\tmovl\t16(%esp),%edi\n\txorl\t%edi,%esi\n\trorl\t$5,%edx\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,8(%esp)\n\txorl\t%ecx,%edx\n\txorl\t%esi,%edi\n\trorl\t$6,%edx\n\tmovl\t%eax,%ecx\n\taddl\t%edi,%edx\n\tmovl\t28(%esp),%edi\n\tmovl\t%eax,%esi\n\trorl\t$9,%ecx\n\tmovl\t%eax,24(%esp)\n\txorl\t%eax,%ecx\n\txorl\t%edi,%eax\n\taddl\t20(%esp),%edx\n\trorl\t$11,%ecx\n\tandl\t%eax,%ebx\n\txorl\t%esi,%ecx\n\taddl\t72(%esp),%edx\n\txorl\t%edi,%ebx\n\trorl\t$2,%ecx\n\taddl\t%edx,%ebx\n\taddl\t4(%esp),%edx\n\taddl\t%ecx,%ebx\n\tmovl\t%edx,%ecx\n\trorl\t$14,%edx\n\tmovl\t8(%esp),%esi\n\txorl\t%ecx,%edx\n\tmovl\t12(%esp),%edi\n\txorl\t%edi,%esi\n\trorl\t$5,%edx\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,4(%esp)\n\txorl\t%ecx,%edx\n\txorl\t%esi,%edi\n\trorl\t$6,%edx\n\tmovl\t%ebx,%ecx\n\taddl\t%edi,%edx\n\tmovl\t24(%esp),%edi\n\tmovl\t%ebx,%esi\n\trorl\t$9,%ecx\n\tmovl\t%ebx,20(%esp)\n\txorl\t%ebx,%ecx\n\txorl\t%edi,%ebx\n\taddl\t16(%esp),%edx\n\trorl\t$11,%ecx\n\tandl\t%ebx,%eax\n\txorl\t%esi,%ecx\n\taddl\t76(%esp),%edx\n\txorl\t%edi,%eax\n\trorl\t$2,%ecx\n\taddl\t%edx,%eax\n\taddl\t(%esp),%edx\n\taddl\t%ecx,%eax\n\tmovl\t%edx,%ecx\n\trorl\t$14,%edx\n\tmovl\t4(%esp),%esi\n\txorl\t%ecx,%edx\n\tmovl\t8(%esp),%edi\n\txorl\t%edi,%esi\n\trorl\t$5,%edx\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,(%esp)\n\txorl\t%ecx,%edx\n\txorl\t%esi,%edi\n\trorl\t$6,%edx\n\tmovl\t%eax,%ecx\n\taddl\t%edi,%edx\n\tmovl\t20(%esp),%edi\n\tmovl\t%eax,%esi\n\trorl\t$9,%ecx\n\tmovl\t%eax,16(%esp)\n\txorl\t%eax,%ecx\n\txorl\t%edi,%eax\n\taddl\t12(%esp),%edx\n\trorl\t$11,%ecx\n\tandl\t%eax,%ebx\n\txorl\t%esi,%ecx\n\taddl\t80(%esp),%edx\n\txorl\t%edi,%ebx\n\trorl\t$2,%ecx\n\taddl\t%edx,%ebx\n\taddl\t28(%esp),%edx\n\taddl\t%ecx,%ebx\n\tmovl\t%edx,%ecx\n\trorl\t$14,%edx\n\tmovl\t(%esp),%esi\n\txorl\t%ecx,%edx\n\tmovl\t4(%esp),%edi\n\txorl\t%edi,%esi\n\trorl\t$5,%edx\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,28(%esp)\n\txorl\t%ecx,%edx\n\txorl\t%esi,%edi\n\trorl\t$6,%edx\n\tmovl\t%ebx,%ecx\n\taddl\t%edi,%edx\n\tmovl\t16(%esp),%edi\n\tmovl\t%ebx,%esi\n\trorl\t$9,%ecx\n\tmovl\t%ebx,12(%esp)\n\txorl\t%ebx,%ecx\n\txorl\t%edi,%ebx\n\taddl\t8(%esp),%edx\n\trorl\t$11,%ecx\n\tandl\t%ebx,%eax\n\txorl\t%esi,%ecx\n\taddl\t84(%esp),%edx\n\txorl\t%edi,%eax\n\trorl\t$2,%ecx\n\taddl\t%edx,%eax\n\taddl\t24(%esp),%edx\n\taddl\t%ecx,%eax\n\tmovl\t%edx,%ecx\n\trorl\t$14,%edx\n\tmovl\t28(%esp),%esi\n\txorl\t%ecx,%edx\n\tmovl\t(%esp),%edi\n\txorl\t%edi,%esi\n\trorl\t$5,%edx\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,24(%esp)\n\txorl\t%ecx,%edx\n\txorl\t%esi,%edi\n\trorl\t$6,%edx\n\tmovl\t%eax,%ecx\n\taddl\t%edi,%edx\n\tmovl\t12(%esp),%edi\n\tmovl\t%eax,%esi\n\trorl\t$9,%ecx\n\tmovl\t%eax,8(%esp)\n\txorl\t%eax,%ecx\n\txorl\t%edi,%eax\n\taddl\t4(%esp),%edx\n\trorl\t$11,%ecx\n\tandl\t%eax,%ebx\n\txorl\t%esi,%ecx\n\taddl\t88(%esp),%edx\n\txorl\t%edi,%ebx\n\trorl\t$2,%ecx\n\taddl\t%edx,%ebx\n\taddl\t20(%esp),%edx\n\taddl\t%ecx,%ebx\n\tmovl\t%edx,%ecx\n\trorl\t$14,%edx\n\tmovl\t24(%esp),%esi\n\txorl\t%ecx,%edx\n\tmovl\t28(%esp),%edi\n\txorl\t%edi,%esi\n\trorl\t$5,%edx\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,20(%esp)\n\txorl\t%ecx,%edx\n\txorl\t%esi,%edi\n\trorl\t$6,%edx\n\tmovl\t%ebx,%ecx\n\taddl\t%edi,%edx\n\tmovl\t8(%esp),%edi\n\tmovl\t%ebx,%esi\n\trorl\t$9,%ecx\n\tmovl\t%ebx,4(%esp)\n\txorl\t%ebx,%ecx\n\txorl\t%edi,%ebx\n\taddl\t(%esp),%edx\n\trorl\t$11,%ecx\n\tandl\t%ebx,%eax\n\txorl\t%esi,%ecx\n\taddl\t92(%esp),%edx\n\txorl\t%edi,%eax\n\trorl\t$2,%ecx\n\taddl\t%edx,%eax\n\taddl\t16(%esp),%edx\n\taddl\t%ecx,%eax\n\tmovl\t96(%esp),%esi\n\txorl\t%edi,%ebx\n\tmovl\t12(%esp),%ecx\n\taddl\t(%esi),%eax\n\taddl\t4(%esi),%ebx\n\taddl\t8(%esi),%edi\n\taddl\t12(%esi),%ecx\n\tmovl\t%eax,(%esi)\n\tmovl\t%ebx,4(%esi)\n\tmovl\t%edi,8(%esi)\n\tmovl\t%ecx,12(%esi)\n\tmovl\t%ebx,4(%esp)\n\txorl\t%edi,%ebx\n\tmovl\t%edi,8(%esp)\n\tmovl\t%ecx,12(%esp)\n\tmovl\t20(%esp),%edi\n\tmovl\t24(%esp),%ecx\n\taddl\t16(%esi),%edx\n\taddl\t20(%esi),%edi\n\taddl\t24(%esi),%ecx\n\tmovl\t%edx,16(%esi)\n\tmovl\t%edi,20(%esi)\n\tmovl\t%edi,20(%esp)\n\tmovl\t28(%esp),%edi\n\tmovl\t%ecx,24(%esi)\n\taddl\t28(%esi),%edi\n\tmovl\t%ecx,24(%esp)\n\tmovl\t%edi,28(%esi)\n\tmovl\t%edi,28(%esp)\n\tmovl\t100(%esp),%edi\n\tmovdqa\t64(%ebp),%xmm7\n\tsubl\t$192,%ebp\n\tcmpl\t104(%esp),%edi\n\tjb\t.L008grand_ssse3\n\tmovl\t108(%esp),%esp\n\tpopl\t%edi\n\tpopl\t%esi\n\tpopl\t%ebx\n\tpopl\t%ebp\n\tret\n.size\tsha256_block_data_order_ssse3,.-.L_sha256_block_data_order_ssse3_begin\n.globl\tsha256_block_data_order_avx\n.hidden\tsha256_block_data_order_avx\n.type\tsha256_block_data_order_avx,@function\n.align\t16\nsha256_block_data_order_avx:\n.L_sha256_block_data_order_avx_begin:\n\tpushl\t%ebp\n\tpushl\t%ebx\n\tpushl\t%esi\n\tpushl\t%edi\n\tmovl\t20(%esp),%esi\n\tmovl\t24(%esp),%edi\n\tmovl\t28(%esp),%eax\n\tmovl\t%esp,%ebx\n\tcall\t.L010pic_point\n.L010pic_point:\n\tpopl\t%ebp\n\tleal\t.LK256-.L010pic_point(%ebp),%ebp\n\tsubl\t$16,%esp\n\tandl\t$-64,%esp\n\tshll\t$6,%eax\n\taddl\t%edi,%eax\n\tmovl\t%esi,(%esp)\n\tmovl\t%edi,4(%esp)\n\tmovl\t%eax,8(%esp)\n\tmovl\t%ebx,12(%esp)\n\tleal\t-96(%esp),%esp\n\tvzeroall\n\tmovl\t(%esi),%eax\n\tmovl\t4(%esi),%ebx\n\tmovl\t8(%esi),%ecx\n\tmovl\t12(%esi),%edi\n\tmovl\t%ebx,4(%esp)\n\txorl\t%ecx,%ebx\n\tmovl\t%ecx,8(%esp)\n\tmovl\t%edi,12(%esp)\n\tmovl\t16(%esi),%edx\n\tmovl\t20(%esi),%edi\n\tmovl\t24(%esi),%ecx\n\tmovl\t28(%esi),%esi\n\tmovl\t%edi,20(%esp)\n\tmovl\t100(%esp),%edi\n\tmovl\t%ecx,24(%esp)\n\tmovl\t%esi,28(%esp)\n\tvmovdqa\t256(%ebp),%xmm7\n\tjmp\t.L011grand_avx\n.align\t32\n.L011grand_avx:\n\tvmovdqu\t(%edi),%xmm0\n\tvmovdqu\t16(%edi),%xmm1\n\tvmovdqu\t32(%edi),%xmm2\n\tvmovdqu\t48(%edi),%xmm3\n\taddl\t$64,%edi\n\tvpshufb\t%xmm7,%xmm0,%xmm0\n\tmovl\t%edi,100(%esp)\n\tvpshufb\t%xmm7,%xmm1,%xmm1\n\tvpshufb\t%xmm7,%xmm2,%xmm2\n\tvpaddd\t(%ebp),%xmm0,%xmm4\n\tvpshufb\t%xmm7,%xmm3,%xmm3\n\tvpaddd\t16(%ebp),%xmm1,%xmm5\n\tvpaddd\t32(%ebp),%xmm2,%xmm6\n\tvpaddd\t48(%ebp),%xmm3,%xmm7\n\tvmovdqa\t%xmm4,32(%esp)\n\tvmovdqa\t%xmm5,48(%esp)\n\tvmovdqa\t%xmm6,64(%esp)\n\tvmovdqa\t%xmm7,80(%esp)\n\tjmp\t.L012avx_00_47\n.align\t16\n.L012avx_00_47:\n\taddl\t$64,%ebp\n\tvpalignr\t$4,%xmm0,%xmm1,%xmm4\n\tmovl\t%edx,%ecx\n\tshrdl\t$14,%edx,%edx\n\tmovl\t20(%esp),%esi\n\tvpalignr\t$4,%xmm2,%xmm3,%xmm7\n\txorl\t%ecx,%edx\n\tmovl\t24(%esp),%edi\n\txorl\t%edi,%esi\n\tvpsrld\t$7,%xmm4,%xmm6\n\tshrdl\t$5,%edx,%edx\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,16(%esp)\n\tvpaddd\t%xmm7,%xmm0,%xmm0\n\txorl\t%ecx,%edx\n\txorl\t%esi,%edi\n\tshrdl\t$6,%edx,%edx\n\tvpsrld\t$3,%xmm4,%xmm7\n\tmovl\t%eax,%ecx\n\taddl\t%edi,%edx\n\tmovl\t4(%esp),%edi\n\tvpslld\t$14,%xmm4,%xmm5\n\tmovl\t%eax,%esi\n\tshrdl\t$9,%ecx,%ecx\n\tmovl\t%eax,(%esp)\n\tvpxor\t%xmm6,%xmm7,%xmm4\n\txorl\t%eax,%ecx\n\txorl\t%edi,%eax\n\taddl\t28(%esp),%edx\n\tvpshufd\t$250,%xmm3,%xmm7\n\tshrdl\t$11,%ecx,%ecx\n\tandl\t%eax,%ebx\n\txorl\t%esi,%ecx\n\tvpsrld\t$11,%xmm6,%xmm6\n\taddl\t32(%esp),%edx\n\txorl\t%edi,%ebx\n\tshrdl\t$2,%ecx,%ecx\n\tvpxor\t%xmm5,%xmm4,%xmm4\n\taddl\t%edx,%ebx\n\taddl\t12(%esp),%edx\n\taddl\t%ecx,%ebx\n\tvpslld\t$11,%xmm5,%xmm5\n\tmovl\t%edx,%ecx\n\tshrdl\t$14,%edx,%edx\n\tmovl\t16(%esp),%esi\n\tvpxor\t%xmm6,%xmm4,%xmm4\n\txorl\t%ecx,%edx\n\tmovl\t20(%esp),%edi\n\txorl\t%edi,%esi\n\tvpsrld\t$10,%xmm7,%xmm6\n\tshrdl\t$5,%edx,%edx\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,12(%esp)\n\tvpxor\t%xmm5,%xmm4,%xmm4\n\txorl\t%ecx,%edx\n\txorl\t%esi,%edi\n\tshrdl\t$6,%edx,%edx\n\tvpsrlq\t$17,%xmm7,%xmm5\n\tmovl\t%ebx,%ecx\n\taddl\t%edi,%edx\n\tmovl\t(%esp),%edi\n\tvpaddd\t%xmm4,%xmm0,%xmm0\n\tmovl\t%ebx,%esi\n\tshrdl\t$9,%ecx,%ecx\n\tmovl\t%ebx,28(%esp)\n\tvpxor\t%xmm5,%xmm6,%xmm6\n\txorl\t%ebx,%ecx\n\txorl\t%edi,%ebx\n\taddl\t24(%esp),%edx\n\tvpsrlq\t$19,%xmm7,%xmm7\n\tshrdl\t$11,%ecx,%ecx\n\tandl\t%ebx,%eax\n\txorl\t%esi,%ecx\n\tvpxor\t%xmm7,%xmm6,%xmm6\n\taddl\t36(%esp),%edx\n\txorl\t%edi,%eax\n\tshrdl\t$2,%ecx,%ecx\n\tvpshufd\t$132,%xmm6,%xmm7\n\taddl\t%edx,%eax\n\taddl\t8(%esp),%edx\n\taddl\t%ecx,%eax\n\tvpsrldq\t$8,%xmm7,%xmm7\n\tmovl\t%edx,%ecx\n\tshrdl\t$14,%edx,%edx\n\tmovl\t12(%esp),%esi\n\tvpaddd\t%xmm7,%xmm0,%xmm0\n\txorl\t%ecx,%edx\n\tmovl\t16(%esp),%edi\n\txorl\t%edi,%esi\n\tvpshufd\t$80,%xmm0,%xmm7\n\tshrdl\t$5,%edx,%edx\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,8(%esp)\n\tvpsrld\t$10,%xmm7,%xmm6\n\txorl\t%ecx,%edx\n\txorl\t%esi,%edi\n\tshrdl\t$6,%edx,%edx\n\tvpsrlq\t$17,%xmm7,%xmm5\n\tmovl\t%eax,%ecx\n\taddl\t%edi,%edx\n\tmovl\t28(%esp),%edi\n\tvpxor\t%xmm5,%xmm6,%xmm6\n\tmovl\t%eax,%esi\n\tshrdl\t$9,%ecx,%ecx\n\tmovl\t%eax,24(%esp)\n\tvpsrlq\t$19,%xmm7,%xmm7\n\txorl\t%eax,%ecx\n\txorl\t%edi,%eax\n\taddl\t20(%esp),%edx\n\tvpxor\t%xmm7,%xmm6,%xmm6\n\tshrdl\t$11,%ecx,%ecx\n\tandl\t%eax,%ebx\n\txorl\t%esi,%ecx\n\tvpshufd\t$232,%xmm6,%xmm7\n\taddl\t40(%esp),%edx\n\txorl\t%edi,%ebx\n\tshrdl\t$2,%ecx,%ecx\n\tvpslldq\t$8,%xmm7,%xmm7\n\taddl\t%edx,%ebx\n\taddl\t4(%esp),%edx\n\taddl\t%ecx,%ebx\n\tvpaddd\t%xmm7,%xmm0,%xmm0\n\tmovl\t%edx,%ecx\n\tshrdl\t$14,%edx,%edx\n\tmovl\t8(%esp),%esi\n\tvpaddd\t(%ebp),%xmm0,%xmm6\n\txorl\t%ecx,%edx\n\tmovl\t12(%esp),%edi\n\txorl\t%edi,%esi\n\tshrdl\t$5,%edx,%edx\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,4(%esp)\n\txorl\t%ecx,%edx\n\txorl\t%esi,%edi\n\tshrdl\t$6,%edx,%edx\n\tmovl\t%ebx,%ecx\n\taddl\t%edi,%edx\n\tmovl\t24(%esp),%edi\n\tmovl\t%ebx,%esi\n\tshrdl\t$9,%ecx,%ecx\n\tmovl\t%ebx,20(%esp)\n\txorl\t%ebx,%ecx\n\txorl\t%edi,%ebx\n\taddl\t16(%esp),%edx\n\tshrdl\t$11,%ecx,%ecx\n\tandl\t%ebx,%eax\n\txorl\t%esi,%ecx\n\taddl\t44(%esp),%edx\n\txorl\t%edi,%eax\n\tshrdl\t$2,%ecx,%ecx\n\taddl\t%edx,%eax\n\taddl\t(%esp),%edx\n\taddl\t%ecx,%eax\n\tvmovdqa\t%xmm6,32(%esp)\n\tvpalignr\t$4,%xmm1,%xmm2,%xmm4\n\tmovl\t%edx,%ecx\n\tshrdl\t$14,%edx,%edx\n\tmovl\t4(%esp),%esi\n\tvpalignr\t$4,%xmm3,%xmm0,%xmm7\n\txorl\t%ecx,%edx\n\tmovl\t8(%esp),%edi\n\txorl\t%edi,%esi\n\tvpsrld\t$7,%xmm4,%xmm6\n\tshrdl\t$5,%edx,%edx\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,(%esp)\n\tvpaddd\t%xmm7,%xmm1,%xmm1\n\txorl\t%ecx,%edx\n\txorl\t%esi,%edi\n\tshrdl\t$6,%edx,%edx\n\tvpsrld\t$3,%xmm4,%xmm7\n\tmovl\t%eax,%ecx\n\taddl\t%edi,%edx\n\tmovl\t20(%esp),%edi\n\tvpslld\t$14,%xmm4,%xmm5\n\tmovl\t%eax,%esi\n\tshrdl\t$9,%ecx,%ecx\n\tmovl\t%eax,16(%esp)\n\tvpxor\t%xmm6,%xmm7,%xmm4\n\txorl\t%eax,%ecx\n\txorl\t%edi,%eax\n\taddl\t12(%esp),%edx\n\tvpshufd\t$250,%xmm0,%xmm7\n\tshrdl\t$11,%ecx,%ecx\n\tandl\t%eax,%ebx\n\txorl\t%esi,%ecx\n\tvpsrld\t$11,%xmm6,%xmm6\n\taddl\t48(%esp),%edx\n\txorl\t%edi,%ebx\n\tshrdl\t$2,%ecx,%ecx\n\tvpxor\t%xmm5,%xmm4,%xmm4\n\taddl\t%edx,%ebx\n\taddl\t28(%esp),%edx\n\taddl\t%ecx,%ebx\n\tvpslld\t$11,%xmm5,%xmm5\n\tmovl\t%edx,%ecx\n\tshrdl\t$14,%edx,%edx\n\tmovl\t(%esp),%esi\n\tvpxor\t%xmm6,%xmm4,%xmm4\n\txorl\t%ecx,%edx\n\tmovl\t4(%esp),%edi\n\txorl\t%edi,%esi\n\tvpsrld\t$10,%xmm7,%xmm6\n\tshrdl\t$5,%edx,%edx\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,28(%esp)\n\tvpxor\t%xmm5,%xmm4,%xmm4\n\txorl\t%ecx,%edx\n\txorl\t%esi,%edi\n\tshrdl\t$6,%edx,%edx\n\tvpsrlq\t$17,%xmm7,%xmm5\n\tmovl\t%ebx,%ecx\n\taddl\t%edi,%edx\n\tmovl\t16(%esp),%edi\n\tvpaddd\t%xmm4,%xmm1,%xmm1\n\tmovl\t%ebx,%esi\n\tshrdl\t$9,%ecx,%ecx\n\tmovl\t%ebx,12(%esp)\n\tvpxor\t%xmm5,%xmm6,%xmm6\n\txorl\t%ebx,%ecx\n\txorl\t%edi,%ebx\n\taddl\t8(%esp),%edx\n\tvpsrlq\t$19,%xmm7,%xmm7\n\tshrdl\t$11,%ecx,%ecx\n\tandl\t%ebx,%eax\n\txorl\t%esi,%ecx\n\tvpxor\t%xmm7,%xmm6,%xmm6\n\taddl\t52(%esp),%edx\n\txorl\t%edi,%eax\n\tshrdl\t$2,%ecx,%ecx\n\tvpshufd\t$132,%xmm6,%xmm7\n\taddl\t%edx,%eax\n\taddl\t24(%esp),%edx\n\taddl\t%ecx,%eax\n\tvpsrldq\t$8,%xmm7,%xmm7\n\tmovl\t%edx,%ecx\n\tshrdl\t$14,%edx,%edx\n\tmovl\t28(%esp),%esi\n\tvpaddd\t%xmm7,%xmm1,%xmm1\n\txorl\t%ecx,%edx\n\tmovl\t(%esp),%edi\n\txorl\t%edi,%esi\n\tvpshufd\t$80,%xmm1,%xmm7\n\tshrdl\t$5,%edx,%edx\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,24(%esp)\n\tvpsrld\t$10,%xmm7,%xmm6\n\txorl\t%ecx,%edx\n\txorl\t%esi,%edi\n\tshrdl\t$6,%edx,%edx\n\tvpsrlq\t$17,%xmm7,%xmm5\n\tmovl\t%eax,%ecx\n\taddl\t%edi,%edx\n\tmovl\t12(%esp),%edi\n\tvpxor\t%xmm5,%xmm6,%xmm6\n\tmovl\t%eax,%esi\n\tshrdl\t$9,%ecx,%ecx\n\tmovl\t%eax,8(%esp)\n\tvpsrlq\t$19,%xmm7,%xmm7\n\txorl\t%eax,%ecx\n\txorl\t%edi,%eax\n\taddl\t4(%esp),%edx\n\tvpxor\t%xmm7,%xmm6,%xmm6\n\tshrdl\t$11,%ecx,%ecx\n\tandl\t%eax,%ebx\n\txorl\t%esi,%ecx\n\tvpshufd\t$232,%xmm6,%xmm7\n\taddl\t56(%esp),%edx\n\txorl\t%edi,%ebx\n\tshrdl\t$2,%ecx,%ecx\n\tvpslldq\t$8,%xmm7,%xmm7\n\taddl\t%edx,%ebx\n\taddl\t20(%esp),%edx\n\taddl\t%ecx,%ebx\n\tvpaddd\t%xmm7,%xmm1,%xmm1\n\tmovl\t%edx,%ecx\n\tshrdl\t$14,%edx,%edx\n\tmovl\t24(%esp),%esi\n\tvpaddd\t16(%ebp),%xmm1,%xmm6\n\txorl\t%ecx,%edx\n\tmovl\t28(%esp),%edi\n\txorl\t%edi,%esi\n\tshrdl\t$5,%edx,%edx\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,20(%esp)\n\txorl\t%ecx,%edx\n\txorl\t%esi,%edi\n\tshrdl\t$6,%edx,%edx\n\tmovl\t%ebx,%ecx\n\taddl\t%edi,%edx\n\tmovl\t8(%esp),%edi\n\tmovl\t%ebx,%esi\n\tshrdl\t$9,%ecx,%ecx\n\tmovl\t%ebx,4(%esp)\n\txorl\t%ebx,%ecx\n\txorl\t%edi,%ebx\n\taddl\t(%esp),%edx\n\tshrdl\t$11,%ecx,%ecx\n\tandl\t%ebx,%eax\n\txorl\t%esi,%ecx\n\taddl\t60(%esp),%edx\n\txorl\t%edi,%eax\n\tshrdl\t$2,%ecx,%ecx\n\taddl\t%edx,%eax\n\taddl\t16(%esp),%edx\n\taddl\t%ecx,%eax\n\tvmovdqa\t%xmm6,48(%esp)\n\tvpalignr\t$4,%xmm2,%xmm3,%xmm4\n\tmovl\t%edx,%ecx\n\tshrdl\t$14,%edx,%edx\n\tmovl\t20(%esp),%esi\n\tvpalignr\t$4,%xmm0,%xmm1,%xmm7\n\txorl\t%ecx,%edx\n\tmovl\t24(%esp),%edi\n\txorl\t%edi,%esi\n\tvpsrld\t$7,%xmm4,%xmm6\n\tshrdl\t$5,%edx,%edx\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,16(%esp)\n\tvpaddd\t%xmm7,%xmm2,%xmm2\n\txorl\t%ecx,%edx\n\txorl\t%esi,%edi\n\tshrdl\t$6,%edx,%edx\n\tvpsrld\t$3,%xmm4,%xmm7\n\tmovl\t%eax,%ecx\n\taddl\t%edi,%edx\n\tmovl\t4(%esp),%edi\n\tvpslld\t$14,%xmm4,%xmm5\n\tmovl\t%eax,%esi\n\tshrdl\t$9,%ecx,%ecx\n\tmovl\t%eax,(%esp)\n\tvpxor\t%xmm6,%xmm7,%xmm4\n\txorl\t%eax,%ecx\n\txorl\t%edi,%eax\n\taddl\t28(%esp),%edx\n\tvpshufd\t$250,%xmm1,%xmm7\n\tshrdl\t$11,%ecx,%ecx\n\tandl\t%eax,%ebx\n\txorl\t%esi,%ecx\n\tvpsrld\t$11,%xmm6,%xmm6\n\taddl\t64(%esp),%edx\n\txorl\t%edi,%ebx\n\tshrdl\t$2,%ecx,%ecx\n\tvpxor\t%xmm5,%xmm4,%xmm4\n\taddl\t%edx,%ebx\n\taddl\t12(%esp),%edx\n\taddl\t%ecx,%ebx\n\tvpslld\t$11,%xmm5,%xmm5\n\tmovl\t%edx,%ecx\n\tshrdl\t$14,%edx,%edx\n\tmovl\t16(%esp),%esi\n\tvpxor\t%xmm6,%xmm4,%xmm4\n\txorl\t%ecx,%edx\n\tmovl\t20(%esp),%edi\n\txorl\t%edi,%esi\n\tvpsrld\t$10,%xmm7,%xmm6\n\tshrdl\t$5,%edx,%edx\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,12(%esp)\n\tvpxor\t%xmm5,%xmm4,%xmm4\n\txorl\t%ecx,%edx\n\txorl\t%esi,%edi\n\tshrdl\t$6,%edx,%edx\n\tvpsrlq\t$17,%xmm7,%xmm5\n\tmovl\t%ebx,%ecx\n\taddl\t%edi,%edx\n\tmovl\t(%esp),%edi\n\tvpaddd\t%xmm4,%xmm2,%xmm2\n\tmovl\t%ebx,%esi\n\tshrdl\t$9,%ecx,%ecx\n\tmovl\t%ebx,28(%esp)\n\tvpxor\t%xmm5,%xmm6,%xmm6\n\txorl\t%ebx,%ecx\n\txorl\t%edi,%ebx\n\taddl\t24(%esp),%edx\n\tvpsrlq\t$19,%xmm7,%xmm7\n\tshrdl\t$11,%ecx,%ecx\n\tandl\t%ebx,%eax\n\txorl\t%esi,%ecx\n\tvpxor\t%xmm7,%xmm6,%xmm6\n\taddl\t68(%esp),%edx\n\txorl\t%edi,%eax\n\tshrdl\t$2,%ecx,%ecx\n\tvpshufd\t$132,%xmm6,%xmm7\n\taddl\t%edx,%eax\n\taddl\t8(%esp),%edx\n\taddl\t%ecx,%eax\n\tvpsrldq\t$8,%xmm7,%xmm7\n\tmovl\t%edx,%ecx\n\tshrdl\t$14,%edx,%edx\n\tmovl\t12(%esp),%esi\n\tvpaddd\t%xmm7,%xmm2,%xmm2\n\txorl\t%ecx,%edx\n\tmovl\t16(%esp),%edi\n\txorl\t%edi,%esi\n\tvpshufd\t$80,%xmm2,%xmm7\n\tshrdl\t$5,%edx,%edx\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,8(%esp)\n\tvpsrld\t$10,%xmm7,%xmm6\n\txorl\t%ecx,%edx\n\txorl\t%esi,%edi\n\tshrdl\t$6,%edx,%edx\n\tvpsrlq\t$17,%xmm7,%xmm5\n\tmovl\t%eax,%ecx\n\taddl\t%edi,%edx\n\tmovl\t28(%esp),%edi\n\tvpxor\t%xmm5,%xmm6,%xmm6\n\tmovl\t%eax,%esi\n\tshrdl\t$9,%ecx,%ecx\n\tmovl\t%eax,24(%esp)\n\tvpsrlq\t$19,%xmm7,%xmm7\n\txorl\t%eax,%ecx\n\txorl\t%edi,%eax\n\taddl\t20(%esp),%edx\n\tvpxor\t%xmm7,%xmm6,%xmm6\n\tshrdl\t$11,%ecx,%ecx\n\tandl\t%eax,%ebx\n\txorl\t%esi,%ecx\n\tvpshufd\t$232,%xmm6,%xmm7\n\taddl\t72(%esp),%edx\n\txorl\t%edi,%ebx\n\tshrdl\t$2,%ecx,%ecx\n\tvpslldq\t$8,%xmm7,%xmm7\n\taddl\t%edx,%ebx\n\taddl\t4(%esp),%edx\n\taddl\t%ecx,%ebx\n\tvpaddd\t%xmm7,%xmm2,%xmm2\n\tmovl\t%edx,%ecx\n\tshrdl\t$14,%edx,%edx\n\tmovl\t8(%esp),%esi\n\tvpaddd\t32(%ebp),%xmm2,%xmm6\n\txorl\t%ecx,%edx\n\tmovl\t12(%esp),%edi\n\txorl\t%edi,%esi\n\tshrdl\t$5,%edx,%edx\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,4(%esp)\n\txorl\t%ecx,%edx\n\txorl\t%esi,%edi\n\tshrdl\t$6,%edx,%edx\n\tmovl\t%ebx,%ecx\n\taddl\t%edi,%edx\n\tmovl\t24(%esp),%edi\n\tmovl\t%ebx,%esi\n\tshrdl\t$9,%ecx,%ecx\n\tmovl\t%ebx,20(%esp)\n\txorl\t%ebx,%ecx\n\txorl\t%edi,%ebx\n\taddl\t16(%esp),%edx\n\tshrdl\t$11,%ecx,%ecx\n\tandl\t%ebx,%eax\n\txorl\t%esi,%ecx\n\taddl\t76(%esp),%edx\n\txorl\t%edi,%eax\n\tshrdl\t$2,%ecx,%ecx\n\taddl\t%edx,%eax\n\taddl\t(%esp),%edx\n\taddl\t%ecx,%eax\n\tvmovdqa\t%xmm6,64(%esp)\n\tvpalignr\t$4,%xmm3,%xmm0,%xmm4\n\tmovl\t%edx,%ecx\n\tshrdl\t$14,%edx,%edx\n\tmovl\t4(%esp),%esi\n\tvpalignr\t$4,%xmm1,%xmm2,%xmm7\n\txorl\t%ecx,%edx\n\tmovl\t8(%esp),%edi\n\txorl\t%edi,%esi\n\tvpsrld\t$7,%xmm4,%xmm6\n\tshrdl\t$5,%edx,%edx\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,(%esp)\n\tvpaddd\t%xmm7,%xmm3,%xmm3\n\txorl\t%ecx,%edx\n\txorl\t%esi,%edi\n\tshrdl\t$6,%edx,%edx\n\tvpsrld\t$3,%xmm4,%xmm7\n\tmovl\t%eax,%ecx\n\taddl\t%edi,%edx\n\tmovl\t20(%esp),%edi\n\tvpslld\t$14,%xmm4,%xmm5\n\tmovl\t%eax,%esi\n\tshrdl\t$9,%ecx,%ecx\n\tmovl\t%eax,16(%esp)\n\tvpxor\t%xmm6,%xmm7,%xmm4\n\txorl\t%eax,%ecx\n\txorl\t%edi,%eax\n\taddl\t12(%esp),%edx\n\tvpshufd\t$250,%xmm2,%xmm7\n\tshrdl\t$11,%ecx,%ecx\n\tandl\t%eax,%ebx\n\txorl\t%esi,%ecx\n\tvpsrld\t$11,%xmm6,%xmm6\n\taddl\t80(%esp),%edx\n\txorl\t%edi,%ebx\n\tshrdl\t$2,%ecx,%ecx\n\tvpxor\t%xmm5,%xmm4,%xmm4\n\taddl\t%edx,%ebx\n\taddl\t28(%esp),%edx\n\taddl\t%ecx,%ebx\n\tvpslld\t$11,%xmm5,%xmm5\n\tmovl\t%edx,%ecx\n\tshrdl\t$14,%edx,%edx\n\tmovl\t(%esp),%esi\n\tvpxor\t%xmm6,%xmm4,%xmm4\n\txorl\t%ecx,%edx\n\tmovl\t4(%esp),%edi\n\txorl\t%edi,%esi\n\tvpsrld\t$10,%xmm7,%xmm6\n\tshrdl\t$5,%edx,%edx\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,28(%esp)\n\tvpxor\t%xmm5,%xmm4,%xmm4\n\txorl\t%ecx,%edx\n\txorl\t%esi,%edi\n\tshrdl\t$6,%edx,%edx\n\tvpsrlq\t$17,%xmm7,%xmm5\n\tmovl\t%ebx,%ecx\n\taddl\t%edi,%edx\n\tmovl\t16(%esp),%edi\n\tvpaddd\t%xmm4,%xmm3,%xmm3\n\tmovl\t%ebx,%esi\n\tshrdl\t$9,%ecx,%ecx\n\tmovl\t%ebx,12(%esp)\n\tvpxor\t%xmm5,%xmm6,%xmm6\n\txorl\t%ebx,%ecx\n\txorl\t%edi,%ebx\n\taddl\t8(%esp),%edx\n\tvpsrlq\t$19,%xmm7,%xmm7\n\tshrdl\t$11,%ecx,%ecx\n\tandl\t%ebx,%eax\n\txorl\t%esi,%ecx\n\tvpxor\t%xmm7,%xmm6,%xmm6\n\taddl\t84(%esp),%edx\n\txorl\t%edi,%eax\n\tshrdl\t$2,%ecx,%ecx\n\tvpshufd\t$132,%xmm6,%xmm7\n\taddl\t%edx,%eax\n\taddl\t24(%esp),%edx\n\taddl\t%ecx,%eax\n\tvpsrldq\t$8,%xmm7,%xmm7\n\tmovl\t%edx,%ecx\n\tshrdl\t$14,%edx,%edx\n\tmovl\t28(%esp),%esi\n\tvpaddd\t%xmm7,%xmm3,%xmm3\n\txorl\t%ecx,%edx\n\tmovl\t(%esp),%edi\n\txorl\t%edi,%esi\n\tvpshufd\t$80,%xmm3,%xmm7\n\tshrdl\t$5,%edx,%edx\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,24(%esp)\n\tvpsrld\t$10,%xmm7,%xmm6\n\txorl\t%ecx,%edx\n\txorl\t%esi,%edi\n\tshrdl\t$6,%edx,%edx\n\tvpsrlq\t$17,%xmm7,%xmm5\n\tmovl\t%eax,%ecx\n\taddl\t%edi,%edx\n\tmovl\t12(%esp),%edi\n\tvpxor\t%xmm5,%xmm6,%xmm6\n\tmovl\t%eax,%esi\n\tshrdl\t$9,%ecx,%ecx\n\tmovl\t%eax,8(%esp)\n\tvpsrlq\t$19,%xmm7,%xmm7\n\txorl\t%eax,%ecx\n\txorl\t%edi,%eax\n\taddl\t4(%esp),%edx\n\tvpxor\t%xmm7,%xmm6,%xmm6\n\tshrdl\t$11,%ecx,%ecx\n\tandl\t%eax,%ebx\n\txorl\t%esi,%ecx\n\tvpshufd\t$232,%xmm6,%xmm7\n\taddl\t88(%esp),%edx\n\txorl\t%edi,%ebx\n\tshrdl\t$2,%ecx,%ecx\n\tvpslldq\t$8,%xmm7,%xmm7\n\taddl\t%edx,%ebx\n\taddl\t20(%esp),%edx\n\taddl\t%ecx,%ebx\n\tvpaddd\t%xmm7,%xmm3,%xmm3\n\tmovl\t%edx,%ecx\n\tshrdl\t$14,%edx,%edx\n\tmovl\t24(%esp),%esi\n\tvpaddd\t48(%ebp),%xmm3,%xmm6\n\txorl\t%ecx,%edx\n\tmovl\t28(%esp),%edi\n\txorl\t%edi,%esi\n\tshrdl\t$5,%edx,%edx\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,20(%esp)\n\txorl\t%ecx,%edx\n\txorl\t%esi,%edi\n\tshrdl\t$6,%edx,%edx\n\tmovl\t%ebx,%ecx\n\taddl\t%edi,%edx\n\tmovl\t8(%esp),%edi\n\tmovl\t%ebx,%esi\n\tshrdl\t$9,%ecx,%ecx\n\tmovl\t%ebx,4(%esp)\n\txorl\t%ebx,%ecx\n\txorl\t%edi,%ebx\n\taddl\t(%esp),%edx\n\tshrdl\t$11,%ecx,%ecx\n\tandl\t%ebx,%eax\n\txorl\t%esi,%ecx\n\taddl\t92(%esp),%edx\n\txorl\t%edi,%eax\n\tshrdl\t$2,%ecx,%ecx\n\taddl\t%edx,%eax\n\taddl\t16(%esp),%edx\n\taddl\t%ecx,%eax\n\tvmovdqa\t%xmm6,80(%esp)\n\tcmpl\t$66051,64(%ebp)\n\tjne\t.L012avx_00_47\n\tmovl\t%edx,%ecx\n\tshrdl\t$14,%edx,%edx\n\tmovl\t20(%esp),%esi\n\txorl\t%ecx,%edx\n\tmovl\t24(%esp),%edi\n\txorl\t%edi,%esi\n\tshrdl\t$5,%edx,%edx\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,16(%esp)\n\txorl\t%ecx,%edx\n\txorl\t%esi,%edi\n\tshrdl\t$6,%edx,%edx\n\tmovl\t%eax,%ecx\n\taddl\t%edi,%edx\n\tmovl\t4(%esp),%edi\n\tmovl\t%eax,%esi\n\tshrdl\t$9,%ecx,%ecx\n\tmovl\t%eax,(%esp)\n\txorl\t%eax,%ecx\n\txorl\t%edi,%eax\n\taddl\t28(%esp),%edx\n\tshrdl\t$11,%ecx,%ecx\n\tandl\t%eax,%ebx\n\txorl\t%esi,%ecx\n\taddl\t32(%esp),%edx\n\txorl\t%edi,%ebx\n\tshrdl\t$2,%ecx,%ecx\n\taddl\t%edx,%ebx\n\taddl\t12(%esp),%edx\n\taddl\t%ecx,%ebx\n\tmovl\t%edx,%ecx\n\tshrdl\t$14,%edx,%edx\n\tmovl\t16(%esp),%esi\n\txorl\t%ecx,%edx\n\tmovl\t20(%esp),%edi\n\txorl\t%edi,%esi\n\tshrdl\t$5,%edx,%edx\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,12(%esp)\n\txorl\t%ecx,%edx\n\txorl\t%esi,%edi\n\tshrdl\t$6,%edx,%edx\n\tmovl\t%ebx,%ecx\n\taddl\t%edi,%edx\n\tmovl\t(%esp),%edi\n\tmovl\t%ebx,%esi\n\tshrdl\t$9,%ecx,%ecx\n\tmovl\t%ebx,28(%esp)\n\txorl\t%ebx,%ecx\n\txorl\t%edi,%ebx\n\taddl\t24(%esp),%edx\n\tshrdl\t$11,%ecx,%ecx\n\tandl\t%ebx,%eax\n\txorl\t%esi,%ecx\n\taddl\t36(%esp),%edx\n\txorl\t%edi,%eax\n\tshrdl\t$2,%ecx,%ecx\n\taddl\t%edx,%eax\n\taddl\t8(%esp),%edx\n\taddl\t%ecx,%eax\n\tmovl\t%edx,%ecx\n\tshrdl\t$14,%edx,%edx\n\tmovl\t12(%esp),%esi\n\txorl\t%ecx,%edx\n\tmovl\t16(%esp),%edi\n\txorl\t%edi,%esi\n\tshrdl\t$5,%edx,%edx\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,8(%esp)\n\txorl\t%ecx,%edx\n\txorl\t%esi,%edi\n\tshrdl\t$6,%edx,%edx\n\tmovl\t%eax,%ecx\n\taddl\t%edi,%edx\n\tmovl\t28(%esp),%edi\n\tmovl\t%eax,%esi\n\tshrdl\t$9,%ecx,%ecx\n\tmovl\t%eax,24(%esp)\n\txorl\t%eax,%ecx\n\txorl\t%edi,%eax\n\taddl\t20(%esp),%edx\n\tshrdl\t$11,%ecx,%ecx\n\tandl\t%eax,%ebx\n\txorl\t%esi,%ecx\n\taddl\t40(%esp),%edx\n\txorl\t%edi,%ebx\n\tshrdl\t$2,%ecx,%ecx\n\taddl\t%edx,%ebx\n\taddl\t4(%esp),%edx\n\taddl\t%ecx,%ebx\n\tmovl\t%edx,%ecx\n\tshrdl\t$14,%edx,%edx\n\tmovl\t8(%esp),%esi\n\txorl\t%ecx,%edx\n\tmovl\t12(%esp),%edi\n\txorl\t%edi,%esi\n\tshrdl\t$5,%edx,%edx\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,4(%esp)\n\txorl\t%ecx,%edx\n\txorl\t%esi,%edi\n\tshrdl\t$6,%edx,%edx\n\tmovl\t%ebx,%ecx\n\taddl\t%edi,%edx\n\tmovl\t24(%esp),%edi\n\tmovl\t%ebx,%esi\n\tshrdl\t$9,%ecx,%ecx\n\tmovl\t%ebx,20(%esp)\n\txorl\t%ebx,%ecx\n\txorl\t%edi,%ebx\n\taddl\t16(%esp),%edx\n\tshrdl\t$11,%ecx,%ecx\n\tandl\t%ebx,%eax\n\txorl\t%esi,%ecx\n\taddl\t44(%esp),%edx\n\txorl\t%edi,%eax\n\tshrdl\t$2,%ecx,%ecx\n\taddl\t%edx,%eax\n\taddl\t(%esp),%edx\n\taddl\t%ecx,%eax\n\tmovl\t%edx,%ecx\n\tshrdl\t$14,%edx,%edx\n\tmovl\t4(%esp),%esi\n\txorl\t%ecx,%edx\n\tmovl\t8(%esp),%edi\n\txorl\t%edi,%esi\n\tshrdl\t$5,%edx,%edx\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,(%esp)\n\txorl\t%ecx,%edx\n\txorl\t%esi,%edi\n\tshrdl\t$6,%edx,%edx\n\tmovl\t%eax,%ecx\n\taddl\t%edi,%edx\n\tmovl\t20(%esp),%edi\n\tmovl\t%eax,%esi\n\tshrdl\t$9,%ecx,%ecx\n\tmovl\t%eax,16(%esp)\n\txorl\t%eax,%ecx\n\txorl\t%edi,%eax\n\taddl\t12(%esp),%edx\n\tshrdl\t$11,%ecx,%ecx\n\tandl\t%eax,%ebx\n\txorl\t%esi,%ecx\n\taddl\t48(%esp),%edx\n\txorl\t%edi,%ebx\n\tshrdl\t$2,%ecx,%ecx\n\taddl\t%edx,%ebx\n\taddl\t28(%esp),%edx\n\taddl\t%ecx,%ebx\n\tmovl\t%edx,%ecx\n\tshrdl\t$14,%edx,%edx\n\tmovl\t(%esp),%esi\n\txorl\t%ecx,%edx\n\tmovl\t4(%esp),%edi\n\txorl\t%edi,%esi\n\tshrdl\t$5,%edx,%edx\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,28(%esp)\n\txorl\t%ecx,%edx\n\txorl\t%esi,%edi\n\tshrdl\t$6,%edx,%edx\n\tmovl\t%ebx,%ecx\n\taddl\t%edi,%edx\n\tmovl\t16(%esp),%edi\n\tmovl\t%ebx,%esi\n\tshrdl\t$9,%ecx,%ecx\n\tmovl\t%ebx,12(%esp)\n\txorl\t%ebx,%ecx\n\txorl\t%edi,%ebx\n\taddl\t8(%esp),%edx\n\tshrdl\t$11,%ecx,%ecx\n\tandl\t%ebx,%eax\n\txorl\t%esi,%ecx\n\taddl\t52(%esp),%edx\n\txorl\t%edi,%eax\n\tshrdl\t$2,%ecx,%ecx\n\taddl\t%edx,%eax\n\taddl\t24(%esp),%edx\n\taddl\t%ecx,%eax\n\tmovl\t%edx,%ecx\n\tshrdl\t$14,%edx,%edx\n\tmovl\t28(%esp),%esi\n\txorl\t%ecx,%edx\n\tmovl\t(%esp),%edi\n\txorl\t%edi,%esi\n\tshrdl\t$5,%edx,%edx\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,24(%esp)\n\txorl\t%ecx,%edx\n\txorl\t%esi,%edi\n\tshrdl\t$6,%edx,%edx\n\tmovl\t%eax,%ecx\n\taddl\t%edi,%edx\n\tmovl\t12(%esp),%edi\n\tmovl\t%eax,%esi\n\tshrdl\t$9,%ecx,%ecx\n\tmovl\t%eax,8(%esp)\n\txorl\t%eax,%ecx\n\txorl\t%edi,%eax\n\taddl\t4(%esp),%edx\n\tshrdl\t$11,%ecx,%ecx\n\tandl\t%eax,%ebx\n\txorl\t%esi,%ecx\n\taddl\t56(%esp),%edx\n\txorl\t%edi,%ebx\n\tshrdl\t$2,%ecx,%ecx\n\taddl\t%edx,%ebx\n\taddl\t20(%esp),%edx\n\taddl\t%ecx,%ebx\n\tmovl\t%edx,%ecx\n\tshrdl\t$14,%edx,%edx\n\tmovl\t24(%esp),%esi\n\txorl\t%ecx,%edx\n\tmovl\t28(%esp),%edi\n\txorl\t%edi,%esi\n\tshrdl\t$5,%edx,%edx\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,20(%esp)\n\txorl\t%ecx,%edx\n\txorl\t%esi,%edi\n\tshrdl\t$6,%edx,%edx\n\tmovl\t%ebx,%ecx\n\taddl\t%edi,%edx\n\tmovl\t8(%esp),%edi\n\tmovl\t%ebx,%esi\n\tshrdl\t$9,%ecx,%ecx\n\tmovl\t%ebx,4(%esp)\n\txorl\t%ebx,%ecx\n\txorl\t%edi,%ebx\n\taddl\t(%esp),%edx\n\tshrdl\t$11,%ecx,%ecx\n\tandl\t%ebx,%eax\n\txorl\t%esi,%ecx\n\taddl\t60(%esp),%edx\n\txorl\t%edi,%eax\n\tshrdl\t$2,%ecx,%ecx\n\taddl\t%edx,%eax\n\taddl\t16(%esp),%edx\n\taddl\t%ecx,%eax\n\tmovl\t%edx,%ecx\n\tshrdl\t$14,%edx,%edx\n\tmovl\t20(%esp),%esi\n\txorl\t%ecx,%edx\n\tmovl\t24(%esp),%edi\n\txorl\t%edi,%esi\n\tshrdl\t$5,%edx,%edx\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,16(%esp)\n\txorl\t%ecx,%edx\n\txorl\t%esi,%edi\n\tshrdl\t$6,%edx,%edx\n\tmovl\t%eax,%ecx\n\taddl\t%edi,%edx\n\tmovl\t4(%esp),%edi\n\tmovl\t%eax,%esi\n\tshrdl\t$9,%ecx,%ecx\n\tmovl\t%eax,(%esp)\n\txorl\t%eax,%ecx\n\txorl\t%edi,%eax\n\taddl\t28(%esp),%edx\n\tshrdl\t$11,%ecx,%ecx\n\tandl\t%eax,%ebx\n\txorl\t%esi,%ecx\n\taddl\t64(%esp),%edx\n\txorl\t%edi,%ebx\n\tshrdl\t$2,%ecx,%ecx\n\taddl\t%edx,%ebx\n\taddl\t12(%esp),%edx\n\taddl\t%ecx,%ebx\n\tmovl\t%edx,%ecx\n\tshrdl\t$14,%edx,%edx\n\tmovl\t16(%esp),%esi\n\txorl\t%ecx,%edx\n\tmovl\t20(%esp),%edi\n\txorl\t%edi,%esi\n\tshrdl\t$5,%edx,%edx\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,12(%esp)\n\txorl\t%ecx,%edx\n\txorl\t%esi,%edi\n\tshrdl\t$6,%edx,%edx\n\tmovl\t%ebx,%ecx\n\taddl\t%edi,%edx\n\tmovl\t(%esp),%edi\n\tmovl\t%ebx,%esi\n\tshrdl\t$9,%ecx,%ecx\n\tmovl\t%ebx,28(%esp)\n\txorl\t%ebx,%ecx\n\txorl\t%edi,%ebx\n\taddl\t24(%esp),%edx\n\tshrdl\t$11,%ecx,%ecx\n\tandl\t%ebx,%eax\n\txorl\t%esi,%ecx\n\taddl\t68(%esp),%edx\n\txorl\t%edi,%eax\n\tshrdl\t$2,%ecx,%ecx\n\taddl\t%edx,%eax\n\taddl\t8(%esp),%edx\n\taddl\t%ecx,%eax\n\tmovl\t%edx,%ecx\n\tshrdl\t$14,%edx,%edx\n\tmovl\t12(%esp),%esi\n\txorl\t%ecx,%edx\n\tmovl\t16(%esp),%edi\n\txorl\t%edi,%esi\n\tshrdl\t$5,%edx,%edx\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,8(%esp)\n\txorl\t%ecx,%edx\n\txorl\t%esi,%edi\n\tshrdl\t$6,%edx,%edx\n\tmovl\t%eax,%ecx\n\taddl\t%edi,%edx\n\tmovl\t28(%esp),%edi\n\tmovl\t%eax,%esi\n\tshrdl\t$9,%ecx,%ecx\n\tmovl\t%eax,24(%esp)\n\txorl\t%eax,%ecx\n\txorl\t%edi,%eax\n\taddl\t20(%esp),%edx\n\tshrdl\t$11,%ecx,%ecx\n\tandl\t%eax,%ebx\n\txorl\t%esi,%ecx\n\taddl\t72(%esp),%edx\n\txorl\t%edi,%ebx\n\tshrdl\t$2,%ecx,%ecx\n\taddl\t%edx,%ebx\n\taddl\t4(%esp),%edx\n\taddl\t%ecx,%ebx\n\tmovl\t%edx,%ecx\n\tshrdl\t$14,%edx,%edx\n\tmovl\t8(%esp),%esi\n\txorl\t%ecx,%edx\n\tmovl\t12(%esp),%edi\n\txorl\t%edi,%esi\n\tshrdl\t$5,%edx,%edx\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,4(%esp)\n\txorl\t%ecx,%edx\n\txorl\t%esi,%edi\n\tshrdl\t$6,%edx,%edx\n\tmovl\t%ebx,%ecx\n\taddl\t%edi,%edx\n\tmovl\t24(%esp),%edi\n\tmovl\t%ebx,%esi\n\tshrdl\t$9,%ecx,%ecx\n\tmovl\t%ebx,20(%esp)\n\txorl\t%ebx,%ecx\n\txorl\t%edi,%ebx\n\taddl\t16(%esp),%edx\n\tshrdl\t$11,%ecx,%ecx\n\tandl\t%ebx,%eax\n\txorl\t%esi,%ecx\n\taddl\t76(%esp),%edx\n\txorl\t%edi,%eax\n\tshrdl\t$2,%ecx,%ecx\n\taddl\t%edx,%eax\n\taddl\t(%esp),%edx\n\taddl\t%ecx,%eax\n\tmovl\t%edx,%ecx\n\tshrdl\t$14,%edx,%edx\n\tmovl\t4(%esp),%esi\n\txorl\t%ecx,%edx\n\tmovl\t8(%esp),%edi\n\txorl\t%edi,%esi\n\tshrdl\t$5,%edx,%edx\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,(%esp)\n\txorl\t%ecx,%edx\n\txorl\t%esi,%edi\n\tshrdl\t$6,%edx,%edx\n\tmovl\t%eax,%ecx\n\taddl\t%edi,%edx\n\tmovl\t20(%esp),%edi\n\tmovl\t%eax,%esi\n\tshrdl\t$9,%ecx,%ecx\n\tmovl\t%eax,16(%esp)\n\txorl\t%eax,%ecx\n\txorl\t%edi,%eax\n\taddl\t12(%esp),%edx\n\tshrdl\t$11,%ecx,%ecx\n\tandl\t%eax,%ebx\n\txorl\t%esi,%ecx\n\taddl\t80(%esp),%edx\n\txorl\t%edi,%ebx\n\tshrdl\t$2,%ecx,%ecx\n\taddl\t%edx,%ebx\n\taddl\t28(%esp),%edx\n\taddl\t%ecx,%ebx\n\tmovl\t%edx,%ecx\n\tshrdl\t$14,%edx,%edx\n\tmovl\t(%esp),%esi\n\txorl\t%ecx,%edx\n\tmovl\t4(%esp),%edi\n\txorl\t%edi,%esi\n\tshrdl\t$5,%edx,%edx\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,28(%esp)\n\txorl\t%ecx,%edx\n\txorl\t%esi,%edi\n\tshrdl\t$6,%edx,%edx\n\tmovl\t%ebx,%ecx\n\taddl\t%edi,%edx\n\tmovl\t16(%esp),%edi\n\tmovl\t%ebx,%esi\n\tshrdl\t$9,%ecx,%ecx\n\tmovl\t%ebx,12(%esp)\n\txorl\t%ebx,%ecx\n\txorl\t%edi,%ebx\n\taddl\t8(%esp),%edx\n\tshrdl\t$11,%ecx,%ecx\n\tandl\t%ebx,%eax\n\txorl\t%esi,%ecx\n\taddl\t84(%esp),%edx\n\txorl\t%edi,%eax\n\tshrdl\t$2,%ecx,%ecx\n\taddl\t%edx,%eax\n\taddl\t24(%esp),%edx\n\taddl\t%ecx,%eax\n\tmovl\t%edx,%ecx\n\tshrdl\t$14,%edx,%edx\n\tmovl\t28(%esp),%esi\n\txorl\t%ecx,%edx\n\tmovl\t(%esp),%edi\n\txorl\t%edi,%esi\n\tshrdl\t$5,%edx,%edx\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,24(%esp)\n\txorl\t%ecx,%edx\n\txorl\t%esi,%edi\n\tshrdl\t$6,%edx,%edx\n\tmovl\t%eax,%ecx\n\taddl\t%edi,%edx\n\tmovl\t12(%esp),%edi\n\tmovl\t%eax,%esi\n\tshrdl\t$9,%ecx,%ecx\n\tmovl\t%eax,8(%esp)\n\txorl\t%eax,%ecx\n\txorl\t%edi,%eax\n\taddl\t4(%esp),%edx\n\tshrdl\t$11,%ecx,%ecx\n\tandl\t%eax,%ebx\n\txorl\t%esi,%ecx\n\taddl\t88(%esp),%edx\n\txorl\t%edi,%ebx\n\tshrdl\t$2,%ecx,%ecx\n\taddl\t%edx,%ebx\n\taddl\t20(%esp),%edx\n\taddl\t%ecx,%ebx\n\tmovl\t%edx,%ecx\n\tshrdl\t$14,%edx,%edx\n\tmovl\t24(%esp),%esi\n\txorl\t%ecx,%edx\n\tmovl\t28(%esp),%edi\n\txorl\t%edi,%esi\n\tshrdl\t$5,%edx,%edx\n\tandl\t%ecx,%esi\n\tmovl\t%ecx,20(%esp)\n\txorl\t%ecx,%edx\n\txorl\t%esi,%edi\n\tshrdl\t$6,%edx,%edx\n\tmovl\t%ebx,%ecx\n\taddl\t%edi,%edx\n\tmovl\t8(%esp),%edi\n\tmovl\t%ebx,%esi\n\tshrdl\t$9,%ecx,%ecx\n\tmovl\t%ebx,4(%esp)\n\txorl\t%ebx,%ecx\n\txorl\t%edi,%ebx\n\taddl\t(%esp),%edx\n\tshrdl\t$11,%ecx,%ecx\n\tandl\t%ebx,%eax\n\txorl\t%esi,%ecx\n\taddl\t92(%esp),%edx\n\txorl\t%edi,%eax\n\tshrdl\t$2,%ecx,%ecx\n\taddl\t%edx,%eax\n\taddl\t16(%esp),%edx\n\taddl\t%ecx,%eax\n\tmovl\t96(%esp),%esi\n\txorl\t%edi,%ebx\n\tmovl\t12(%esp),%ecx\n\taddl\t(%esi),%eax\n\taddl\t4(%esi),%ebx\n\taddl\t8(%esi),%edi\n\taddl\t12(%esi),%ecx\n\tmovl\t%eax,(%esi)\n\tmovl\t%ebx,4(%esi)\n\tmovl\t%edi,8(%esi)\n\tmovl\t%ecx,12(%esi)\n\tmovl\t%ebx,4(%esp)\n\txorl\t%edi,%ebx\n\tmovl\t%edi,8(%esp)\n\tmovl\t%ecx,12(%esp)\n\tmovl\t20(%esp),%edi\n\tmovl\t24(%esp),%ecx\n\taddl\t16(%esi),%edx\n\taddl\t20(%esi),%edi\n\taddl\t24(%esi),%ecx\n\tmovl\t%edx,16(%esi)\n\tmovl\t%edi,20(%esi)\n\tmovl\t%edi,20(%esp)\n\tmovl\t28(%esp),%edi\n\tmovl\t%ecx,24(%esi)\n\taddl\t28(%esi),%edi\n\tmovl\t%ecx,24(%esp)\n\tmovl\t%edi,28(%esi)\n\tmovl\t%edi,28(%esp)\n\tmovl\t100(%esp),%edi\n\tvmovdqa\t64(%ebp),%xmm7\n\tsubl\t$192,%ebp\n\tcmpl\t104(%esp),%edi\n\tjb\t.L011grand_avx\n\tmovl\t108(%esp),%esp\n\tvzeroall\n\tpopl\t%edi\n\tpopl\t%esi\n\tpopl\t%ebx\n\tpopl\t%ebp\n\tret\n.size\tsha256_block_data_order_avx,.-.L_sha256_block_data_order_avx_begin\n#endif // !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86) && defined(__ELF__)\n#if defined(__linux__) && defined(__ELF__)\n.section .note.GNU-stack,\"\",%progbits\n#endif\n\n" }, { "path": "Sources/CNIOBoringSSL/gen/bcm/sha256-armv4-linux.S", "content": "#define BORINGSSL_PREFIX CNIOBoringSSL\n// This file is generated from a similarly-named Perl script in the BoringSSL\n// source tree. Do not edit by hand.\n\n#include \n\n#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_ARM) && defined(__ELF__)\n@ Copyright 2007-2016 The OpenSSL Project Authors. All Rights Reserved.\n@\n@ Licensed under the OpenSSL license (the \"License\"). You may not use\n@ this file except in compliance with the License. You can obtain a copy\n@ in the file LICENSE in the source distribution or at\n@ https://www.openssl.org/source/license.html\n\n\n@ ====================================================================\n@ Written by Andy Polyakov for the OpenSSL\n@ project. The module is, however, dual licensed under OpenSSL and\n@ CRYPTOGAMS licenses depending on where you obtain it. For further\n@ details see http://www.openssl.org/~appro/cryptogams/.\n@\n@ Permission to use under GPL terms is granted.\n@ ====================================================================\n\n@ SHA256 block procedure for ARMv4. May 2007.\n\n@ Performance is ~2x better than gcc 3.4 generated code and in \"abso-\n@ lute\" terms is ~2250 cycles per 64-byte block or ~35 cycles per\n@ byte [on single-issue Xscale PXA250 core].\n\n@ July 2010.\n@\n@ Rescheduling for dual-issue pipeline resulted in 22% improvement on\n@ Cortex A8 core and ~20 cycles per processed byte.\n\n@ February 2011.\n@\n@ Profiler-assisted and platform-specific optimization resulted in 16%\n@ improvement on Cortex A8 core and ~15.4 cycles per processed byte.\n\n@ September 2013.\n@\n@ Add NEON implementation. On Cortex A8 it was measured to process one\n@ byte in 12.5 cycles or 23% faster than integer-only code. Snapdragon\n@ S4 does it in 12.5 cycles too, but it's 50% faster than integer-only\n@ code (meaning that latter performs sub-optimally, nothing was done\n@ about it).\n\n@ May 2014.\n@\n@ Add ARMv8 code path performing at 2.0 cpb on Apple A7.\n\n#ifndef __KERNEL__\n# include \n#else\n# define __ARM_ARCH __LINUX_ARM_ARCH__\n# define __ARM_MAX_ARCH__ 7\n#endif\n\n@ Silence ARMv8 deprecated IT instruction warnings. This file is used by both\n@ ARMv7 and ARMv8 processors. It does have ARMv8-only code, but those\n@ instructions are manually-encoded. (See unsha256.)\n.arch\tarmv7-a\n\n.text\n#if defined(__thumb2__)\n.syntax\tunified\n.thumb\n#else\n.code\t32\n#endif\n\n.type\tK256,%object\n.align\t5\nK256:\n.word\t0x428a2f98,0x71374491,0xb5c0fbcf,0xe9b5dba5\n.word\t0x3956c25b,0x59f111f1,0x923f82a4,0xab1c5ed5\n.word\t0xd807aa98,0x12835b01,0x243185be,0x550c7dc3\n.word\t0x72be5d74,0x80deb1fe,0x9bdc06a7,0xc19bf174\n.word\t0xe49b69c1,0xefbe4786,0x0fc19dc6,0x240ca1cc\n.word\t0x2de92c6f,0x4a7484aa,0x5cb0a9dc,0x76f988da\n.word\t0x983e5152,0xa831c66d,0xb00327c8,0xbf597fc7\n.word\t0xc6e00bf3,0xd5a79147,0x06ca6351,0x14292967\n.word\t0x27b70a85,0x2e1b2138,0x4d2c6dfc,0x53380d13\n.word\t0x650a7354,0x766a0abb,0x81c2c92e,0x92722c85\n.word\t0xa2bfe8a1,0xa81a664b,0xc24b8b70,0xc76c51a3\n.word\t0xd192e819,0xd6990624,0xf40e3585,0x106aa070\n.word\t0x19a4c116,0x1e376c08,0x2748774c,0x34b0bcb5\n.word\t0x391c0cb3,0x4ed8aa4a,0x5b9cca4f,0x682e6ff3\n.word\t0x748f82ee,0x78a5636f,0x84c87814,0x8cc70208\n.word\t0x90befffa,0xa4506ceb,0xbef9a3f7,0xc67178f2\n.size\tK256,.-K256\n.word\t0\t\t\t\t@ terminator\n.align\t5\n\n.globl\tsha256_block_data_order_nohw\n.hidden\tsha256_block_data_order_nohw\n.type\tsha256_block_data_order_nohw,%function\nsha256_block_data_order_nohw:\n\tadd\tr2,r1,r2,lsl#6\t@ len to point at the end of inp\n\tstmdb\tsp!,{r0,r1,r2,r4-r11,lr}\n\tldmia\tr0,{r4,r5,r6,r7,r8,r9,r10,r11}\n\tadr\tr14,K256\n\tsub\tsp,sp,#16*4\t\t@ alloca(X[16])\n.Loop:\n# if __ARM_ARCH>=7\n\tldr\tr2,[r1],#4\n# else\n\tldrb\tr2,[r1,#3]\n# endif\n\teor\tr3,r5,r6\t\t@ magic\n\teor\tr12,r12,r12\n#if __ARM_ARCH>=7\n\t@ ldr\tr2,[r1],#4\t\t\t@ 0\n# if 0==15\n\tstr\tr1,[sp,#17*4]\t\t\t@ make room for r1\n# endif\n\teor\tr0,r8,r8,ror#5\n\tadd\tr4,r4,r12\t\t\t@ h+=Maj(a,b,c) from the past\n\teor\tr0,r0,r8,ror#19\t@ Sigma1(e)\n# ifndef __ARMEB__\n\trev\tr2,r2\n# endif\n#else\n\t@ ldrb\tr2,[r1,#3]\t\t\t@ 0\n\tadd\tr4,r4,r12\t\t\t@ h+=Maj(a,b,c) from the past\n\tldrb\tr12,[r1,#2]\n\tldrb\tr0,[r1,#1]\n\torr\tr2,r2,r12,lsl#8\n\tldrb\tr12,[r1],#4\n\torr\tr2,r2,r0,lsl#16\n# if 0==15\n\tstr\tr1,[sp,#17*4]\t\t\t@ make room for r1\n# endif\n\teor\tr0,r8,r8,ror#5\n\torr\tr2,r2,r12,lsl#24\n\teor\tr0,r0,r8,ror#19\t@ Sigma1(e)\n#endif\n\tldr\tr12,[r14],#4\t\t\t@ *K256++\n\tadd\tr11,r11,r2\t\t\t@ h+=X[i]\n\tstr\tr2,[sp,#0*4]\n\teor\tr2,r9,r10\n\tadd\tr11,r11,r0,ror#6\t@ h+=Sigma1(e)\n\tand\tr2,r2,r8\n\tadd\tr11,r11,r12\t\t\t@ h+=K256[i]\n\teor\tr2,r2,r10\t\t\t@ Ch(e,f,g)\n\teor\tr0,r4,r4,ror#11\n\tadd\tr11,r11,r2\t\t\t@ h+=Ch(e,f,g)\n#if 0==31\n\tand\tr12,r12,#0xff\n\tcmp\tr12,#0xf2\t\t\t@ done?\n#endif\n#if 0<15\n# if __ARM_ARCH>=7\n\tldr\tr2,[r1],#4\t\t\t@ prefetch\n# else\n\tldrb\tr2,[r1,#3]\n# endif\n\teor\tr12,r4,r5\t\t\t@ a^b, b^c in next round\n#else\n\tldr\tr2,[sp,#2*4]\t\t@ from future BODY_16_xx\n\teor\tr12,r4,r5\t\t\t@ a^b, b^c in next round\n\tldr\tr1,[sp,#15*4]\t@ from future BODY_16_xx\n#endif\n\teor\tr0,r0,r4,ror#20\t@ Sigma0(a)\n\tand\tr3,r3,r12\t\t\t@ (b^c)&=(a^b)\n\tadd\tr7,r7,r11\t\t\t@ d+=h\n\teor\tr3,r3,r5\t\t\t@ Maj(a,b,c)\n\tadd\tr11,r11,r0,ror#2\t@ h+=Sigma0(a)\n\t@ add\tr11,r11,r3\t\t\t@ h+=Maj(a,b,c)\n#if __ARM_ARCH>=7\n\t@ ldr\tr2,[r1],#4\t\t\t@ 1\n# if 1==15\n\tstr\tr1,[sp,#17*4]\t\t\t@ make room for r1\n# endif\n\teor\tr0,r7,r7,ror#5\n\tadd\tr11,r11,r3\t\t\t@ h+=Maj(a,b,c) from the past\n\teor\tr0,r0,r7,ror#19\t@ Sigma1(e)\n# ifndef __ARMEB__\n\trev\tr2,r2\n# endif\n#else\n\t@ ldrb\tr2,[r1,#3]\t\t\t@ 1\n\tadd\tr11,r11,r3\t\t\t@ h+=Maj(a,b,c) from the past\n\tldrb\tr3,[r1,#2]\n\tldrb\tr0,[r1,#1]\n\torr\tr2,r2,r3,lsl#8\n\tldrb\tr3,[r1],#4\n\torr\tr2,r2,r0,lsl#16\n# if 1==15\n\tstr\tr1,[sp,#17*4]\t\t\t@ make room for r1\n# endif\n\teor\tr0,r7,r7,ror#5\n\torr\tr2,r2,r3,lsl#24\n\teor\tr0,r0,r7,ror#19\t@ Sigma1(e)\n#endif\n\tldr\tr3,[r14],#4\t\t\t@ *K256++\n\tadd\tr10,r10,r2\t\t\t@ h+=X[i]\n\tstr\tr2,[sp,#1*4]\n\teor\tr2,r8,r9\n\tadd\tr10,r10,r0,ror#6\t@ h+=Sigma1(e)\n\tand\tr2,r2,r7\n\tadd\tr10,r10,r3\t\t\t@ h+=K256[i]\n\teor\tr2,r2,r9\t\t\t@ Ch(e,f,g)\n\teor\tr0,r11,r11,ror#11\n\tadd\tr10,r10,r2\t\t\t@ h+=Ch(e,f,g)\n#if 1==31\n\tand\tr3,r3,#0xff\n\tcmp\tr3,#0xf2\t\t\t@ done?\n#endif\n#if 1<15\n# if __ARM_ARCH>=7\n\tldr\tr2,[r1],#4\t\t\t@ prefetch\n# else\n\tldrb\tr2,[r1,#3]\n# endif\n\teor\tr3,r11,r4\t\t\t@ a^b, b^c in next round\n#else\n\tldr\tr2,[sp,#3*4]\t\t@ from future BODY_16_xx\n\teor\tr3,r11,r4\t\t\t@ a^b, b^c in next round\n\tldr\tr1,[sp,#0*4]\t@ from future BODY_16_xx\n#endif\n\teor\tr0,r0,r11,ror#20\t@ Sigma0(a)\n\tand\tr12,r12,r3\t\t\t@ (b^c)&=(a^b)\n\tadd\tr6,r6,r10\t\t\t@ d+=h\n\teor\tr12,r12,r4\t\t\t@ Maj(a,b,c)\n\tadd\tr10,r10,r0,ror#2\t@ h+=Sigma0(a)\n\t@ add\tr10,r10,r12\t\t\t@ h+=Maj(a,b,c)\n#if __ARM_ARCH>=7\n\t@ ldr\tr2,[r1],#4\t\t\t@ 2\n# if 2==15\n\tstr\tr1,[sp,#17*4]\t\t\t@ make room for r1\n# endif\n\teor\tr0,r6,r6,ror#5\n\tadd\tr10,r10,r12\t\t\t@ h+=Maj(a,b,c) from the past\n\teor\tr0,r0,r6,ror#19\t@ Sigma1(e)\n# ifndef __ARMEB__\n\trev\tr2,r2\n# endif\n#else\n\t@ ldrb\tr2,[r1,#3]\t\t\t@ 2\n\tadd\tr10,r10,r12\t\t\t@ h+=Maj(a,b,c) from the past\n\tldrb\tr12,[r1,#2]\n\tldrb\tr0,[r1,#1]\n\torr\tr2,r2,r12,lsl#8\n\tldrb\tr12,[r1],#4\n\torr\tr2,r2,r0,lsl#16\n# if 2==15\n\tstr\tr1,[sp,#17*4]\t\t\t@ make room for r1\n# endif\n\teor\tr0,r6,r6,ror#5\n\torr\tr2,r2,r12,lsl#24\n\teor\tr0,r0,r6,ror#19\t@ Sigma1(e)\n#endif\n\tldr\tr12,[r14],#4\t\t\t@ *K256++\n\tadd\tr9,r9,r2\t\t\t@ h+=X[i]\n\tstr\tr2,[sp,#2*4]\n\teor\tr2,r7,r8\n\tadd\tr9,r9,r0,ror#6\t@ h+=Sigma1(e)\n\tand\tr2,r2,r6\n\tadd\tr9,r9,r12\t\t\t@ h+=K256[i]\n\teor\tr2,r2,r8\t\t\t@ Ch(e,f,g)\n\teor\tr0,r10,r10,ror#11\n\tadd\tr9,r9,r2\t\t\t@ h+=Ch(e,f,g)\n#if 2==31\n\tand\tr12,r12,#0xff\n\tcmp\tr12,#0xf2\t\t\t@ done?\n#endif\n#if 2<15\n# if __ARM_ARCH>=7\n\tldr\tr2,[r1],#4\t\t\t@ prefetch\n# else\n\tldrb\tr2,[r1,#3]\n# endif\n\teor\tr12,r10,r11\t\t\t@ a^b, b^c in next round\n#else\n\tldr\tr2,[sp,#4*4]\t\t@ from future BODY_16_xx\n\teor\tr12,r10,r11\t\t\t@ a^b, b^c in next round\n\tldr\tr1,[sp,#1*4]\t@ from future BODY_16_xx\n#endif\n\teor\tr0,r0,r10,ror#20\t@ Sigma0(a)\n\tand\tr3,r3,r12\t\t\t@ (b^c)&=(a^b)\n\tadd\tr5,r5,r9\t\t\t@ d+=h\n\teor\tr3,r3,r11\t\t\t@ Maj(a,b,c)\n\tadd\tr9,r9,r0,ror#2\t@ h+=Sigma0(a)\n\t@ add\tr9,r9,r3\t\t\t@ h+=Maj(a,b,c)\n#if __ARM_ARCH>=7\n\t@ ldr\tr2,[r1],#4\t\t\t@ 3\n# if 3==15\n\tstr\tr1,[sp,#17*4]\t\t\t@ make room for r1\n# endif\n\teor\tr0,r5,r5,ror#5\n\tadd\tr9,r9,r3\t\t\t@ h+=Maj(a,b,c) from the past\n\teor\tr0,r0,r5,ror#19\t@ Sigma1(e)\n# ifndef __ARMEB__\n\trev\tr2,r2\n# endif\n#else\n\t@ ldrb\tr2,[r1,#3]\t\t\t@ 3\n\tadd\tr9,r9,r3\t\t\t@ h+=Maj(a,b,c) from the past\n\tldrb\tr3,[r1,#2]\n\tldrb\tr0,[r1,#1]\n\torr\tr2,r2,r3,lsl#8\n\tldrb\tr3,[r1],#4\n\torr\tr2,r2,r0,lsl#16\n# if 3==15\n\tstr\tr1,[sp,#17*4]\t\t\t@ make room for r1\n# endif\n\teor\tr0,r5,r5,ror#5\n\torr\tr2,r2,r3,lsl#24\n\teor\tr0,r0,r5,ror#19\t@ Sigma1(e)\n#endif\n\tldr\tr3,[r14],#4\t\t\t@ *K256++\n\tadd\tr8,r8,r2\t\t\t@ h+=X[i]\n\tstr\tr2,[sp,#3*4]\n\teor\tr2,r6,r7\n\tadd\tr8,r8,r0,ror#6\t@ h+=Sigma1(e)\n\tand\tr2,r2,r5\n\tadd\tr8,r8,r3\t\t\t@ h+=K256[i]\n\teor\tr2,r2,r7\t\t\t@ Ch(e,f,g)\n\teor\tr0,r9,r9,ror#11\n\tadd\tr8,r8,r2\t\t\t@ h+=Ch(e,f,g)\n#if 3==31\n\tand\tr3,r3,#0xff\n\tcmp\tr3,#0xf2\t\t\t@ done?\n#endif\n#if 3<15\n# if __ARM_ARCH>=7\n\tldr\tr2,[r1],#4\t\t\t@ prefetch\n# else\n\tldrb\tr2,[r1,#3]\n# endif\n\teor\tr3,r9,r10\t\t\t@ a^b, b^c in next round\n#else\n\tldr\tr2,[sp,#5*4]\t\t@ from future BODY_16_xx\n\teor\tr3,r9,r10\t\t\t@ a^b, b^c in next round\n\tldr\tr1,[sp,#2*4]\t@ from future BODY_16_xx\n#endif\n\teor\tr0,r0,r9,ror#20\t@ Sigma0(a)\n\tand\tr12,r12,r3\t\t\t@ (b^c)&=(a^b)\n\tadd\tr4,r4,r8\t\t\t@ d+=h\n\teor\tr12,r12,r10\t\t\t@ Maj(a,b,c)\n\tadd\tr8,r8,r0,ror#2\t@ h+=Sigma0(a)\n\t@ add\tr8,r8,r12\t\t\t@ h+=Maj(a,b,c)\n#if __ARM_ARCH>=7\n\t@ ldr\tr2,[r1],#4\t\t\t@ 4\n# if 4==15\n\tstr\tr1,[sp,#17*4]\t\t\t@ make room for r1\n# endif\n\teor\tr0,r4,r4,ror#5\n\tadd\tr8,r8,r12\t\t\t@ h+=Maj(a,b,c) from the past\n\teor\tr0,r0,r4,ror#19\t@ Sigma1(e)\n# ifndef __ARMEB__\n\trev\tr2,r2\n# endif\n#else\n\t@ ldrb\tr2,[r1,#3]\t\t\t@ 4\n\tadd\tr8,r8,r12\t\t\t@ h+=Maj(a,b,c) from the past\n\tldrb\tr12,[r1,#2]\n\tldrb\tr0,[r1,#1]\n\torr\tr2,r2,r12,lsl#8\n\tldrb\tr12,[r1],#4\n\torr\tr2,r2,r0,lsl#16\n# if 4==15\n\tstr\tr1,[sp,#17*4]\t\t\t@ make room for r1\n# endif\n\teor\tr0,r4,r4,ror#5\n\torr\tr2,r2,r12,lsl#24\n\teor\tr0,r0,r4,ror#19\t@ Sigma1(e)\n#endif\n\tldr\tr12,[r14],#4\t\t\t@ *K256++\n\tadd\tr7,r7,r2\t\t\t@ h+=X[i]\n\tstr\tr2,[sp,#4*4]\n\teor\tr2,r5,r6\n\tadd\tr7,r7,r0,ror#6\t@ h+=Sigma1(e)\n\tand\tr2,r2,r4\n\tadd\tr7,r7,r12\t\t\t@ h+=K256[i]\n\teor\tr2,r2,r6\t\t\t@ Ch(e,f,g)\n\teor\tr0,r8,r8,ror#11\n\tadd\tr7,r7,r2\t\t\t@ h+=Ch(e,f,g)\n#if 4==31\n\tand\tr12,r12,#0xff\n\tcmp\tr12,#0xf2\t\t\t@ done?\n#endif\n#if 4<15\n# if __ARM_ARCH>=7\n\tldr\tr2,[r1],#4\t\t\t@ prefetch\n# else\n\tldrb\tr2,[r1,#3]\n# endif\n\teor\tr12,r8,r9\t\t\t@ a^b, b^c in next round\n#else\n\tldr\tr2,[sp,#6*4]\t\t@ from future BODY_16_xx\n\teor\tr12,r8,r9\t\t\t@ a^b, b^c in next round\n\tldr\tr1,[sp,#3*4]\t@ from future BODY_16_xx\n#endif\n\teor\tr0,r0,r8,ror#20\t@ Sigma0(a)\n\tand\tr3,r3,r12\t\t\t@ (b^c)&=(a^b)\n\tadd\tr11,r11,r7\t\t\t@ d+=h\n\teor\tr3,r3,r9\t\t\t@ Maj(a,b,c)\n\tadd\tr7,r7,r0,ror#2\t@ h+=Sigma0(a)\n\t@ add\tr7,r7,r3\t\t\t@ h+=Maj(a,b,c)\n#if __ARM_ARCH>=7\n\t@ ldr\tr2,[r1],#4\t\t\t@ 5\n# if 5==15\n\tstr\tr1,[sp,#17*4]\t\t\t@ make room for r1\n# endif\n\teor\tr0,r11,r11,ror#5\n\tadd\tr7,r7,r3\t\t\t@ h+=Maj(a,b,c) from the past\n\teor\tr0,r0,r11,ror#19\t@ Sigma1(e)\n# ifndef __ARMEB__\n\trev\tr2,r2\n# endif\n#else\n\t@ ldrb\tr2,[r1,#3]\t\t\t@ 5\n\tadd\tr7,r7,r3\t\t\t@ h+=Maj(a,b,c) from the past\n\tldrb\tr3,[r1,#2]\n\tldrb\tr0,[r1,#1]\n\torr\tr2,r2,r3,lsl#8\n\tldrb\tr3,[r1],#4\n\torr\tr2,r2,r0,lsl#16\n# if 5==15\n\tstr\tr1,[sp,#17*4]\t\t\t@ make room for r1\n# endif\n\teor\tr0,r11,r11,ror#5\n\torr\tr2,r2,r3,lsl#24\n\teor\tr0,r0,r11,ror#19\t@ Sigma1(e)\n#endif\n\tldr\tr3,[r14],#4\t\t\t@ *K256++\n\tadd\tr6,r6,r2\t\t\t@ h+=X[i]\n\tstr\tr2,[sp,#5*4]\n\teor\tr2,r4,r5\n\tadd\tr6,r6,r0,ror#6\t@ h+=Sigma1(e)\n\tand\tr2,r2,r11\n\tadd\tr6,r6,r3\t\t\t@ h+=K256[i]\n\teor\tr2,r2,r5\t\t\t@ Ch(e,f,g)\n\teor\tr0,r7,r7,ror#11\n\tadd\tr6,r6,r2\t\t\t@ h+=Ch(e,f,g)\n#if 5==31\n\tand\tr3,r3,#0xff\n\tcmp\tr3,#0xf2\t\t\t@ done?\n#endif\n#if 5<15\n# if __ARM_ARCH>=7\n\tldr\tr2,[r1],#4\t\t\t@ prefetch\n# else\n\tldrb\tr2,[r1,#3]\n# endif\n\teor\tr3,r7,r8\t\t\t@ a^b, b^c in next round\n#else\n\tldr\tr2,[sp,#7*4]\t\t@ from future BODY_16_xx\n\teor\tr3,r7,r8\t\t\t@ a^b, b^c in next round\n\tldr\tr1,[sp,#4*4]\t@ from future BODY_16_xx\n#endif\n\teor\tr0,r0,r7,ror#20\t@ Sigma0(a)\n\tand\tr12,r12,r3\t\t\t@ (b^c)&=(a^b)\n\tadd\tr10,r10,r6\t\t\t@ d+=h\n\teor\tr12,r12,r8\t\t\t@ Maj(a,b,c)\n\tadd\tr6,r6,r0,ror#2\t@ h+=Sigma0(a)\n\t@ add\tr6,r6,r12\t\t\t@ h+=Maj(a,b,c)\n#if __ARM_ARCH>=7\n\t@ ldr\tr2,[r1],#4\t\t\t@ 6\n# if 6==15\n\tstr\tr1,[sp,#17*4]\t\t\t@ make room for r1\n# endif\n\teor\tr0,r10,r10,ror#5\n\tadd\tr6,r6,r12\t\t\t@ h+=Maj(a,b,c) from the past\n\teor\tr0,r0,r10,ror#19\t@ Sigma1(e)\n# ifndef __ARMEB__\n\trev\tr2,r2\n# endif\n#else\n\t@ ldrb\tr2,[r1,#3]\t\t\t@ 6\n\tadd\tr6,r6,r12\t\t\t@ h+=Maj(a,b,c) from the past\n\tldrb\tr12,[r1,#2]\n\tldrb\tr0,[r1,#1]\n\torr\tr2,r2,r12,lsl#8\n\tldrb\tr12,[r1],#4\n\torr\tr2,r2,r0,lsl#16\n# if 6==15\n\tstr\tr1,[sp,#17*4]\t\t\t@ make room for r1\n# endif\n\teor\tr0,r10,r10,ror#5\n\torr\tr2,r2,r12,lsl#24\n\teor\tr0,r0,r10,ror#19\t@ Sigma1(e)\n#endif\n\tldr\tr12,[r14],#4\t\t\t@ *K256++\n\tadd\tr5,r5,r2\t\t\t@ h+=X[i]\n\tstr\tr2,[sp,#6*4]\n\teor\tr2,r11,r4\n\tadd\tr5,r5,r0,ror#6\t@ h+=Sigma1(e)\n\tand\tr2,r2,r10\n\tadd\tr5,r5,r12\t\t\t@ h+=K256[i]\n\teor\tr2,r2,r4\t\t\t@ Ch(e,f,g)\n\teor\tr0,r6,r6,ror#11\n\tadd\tr5,r5,r2\t\t\t@ h+=Ch(e,f,g)\n#if 6==31\n\tand\tr12,r12,#0xff\n\tcmp\tr12,#0xf2\t\t\t@ done?\n#endif\n#if 6<15\n# if __ARM_ARCH>=7\n\tldr\tr2,[r1],#4\t\t\t@ prefetch\n# else\n\tldrb\tr2,[r1,#3]\n# endif\n\teor\tr12,r6,r7\t\t\t@ a^b, b^c in next round\n#else\n\tldr\tr2,[sp,#8*4]\t\t@ from future BODY_16_xx\n\teor\tr12,r6,r7\t\t\t@ a^b, b^c in next round\n\tldr\tr1,[sp,#5*4]\t@ from future BODY_16_xx\n#endif\n\teor\tr0,r0,r6,ror#20\t@ Sigma0(a)\n\tand\tr3,r3,r12\t\t\t@ (b^c)&=(a^b)\n\tadd\tr9,r9,r5\t\t\t@ d+=h\n\teor\tr3,r3,r7\t\t\t@ Maj(a,b,c)\n\tadd\tr5,r5,r0,ror#2\t@ h+=Sigma0(a)\n\t@ add\tr5,r5,r3\t\t\t@ h+=Maj(a,b,c)\n#if __ARM_ARCH>=7\n\t@ ldr\tr2,[r1],#4\t\t\t@ 7\n# if 7==15\n\tstr\tr1,[sp,#17*4]\t\t\t@ make room for r1\n# endif\n\teor\tr0,r9,r9,ror#5\n\tadd\tr5,r5,r3\t\t\t@ h+=Maj(a,b,c) from the past\n\teor\tr0,r0,r9,ror#19\t@ Sigma1(e)\n# ifndef __ARMEB__\n\trev\tr2,r2\n# endif\n#else\n\t@ ldrb\tr2,[r1,#3]\t\t\t@ 7\n\tadd\tr5,r5,r3\t\t\t@ h+=Maj(a,b,c) from the past\n\tldrb\tr3,[r1,#2]\n\tldrb\tr0,[r1,#1]\n\torr\tr2,r2,r3,lsl#8\n\tldrb\tr3,[r1],#4\n\torr\tr2,r2,r0,lsl#16\n# if 7==15\n\tstr\tr1,[sp,#17*4]\t\t\t@ make room for r1\n# endif\n\teor\tr0,r9,r9,ror#5\n\torr\tr2,r2,r3,lsl#24\n\teor\tr0,r0,r9,ror#19\t@ Sigma1(e)\n#endif\n\tldr\tr3,[r14],#4\t\t\t@ *K256++\n\tadd\tr4,r4,r2\t\t\t@ h+=X[i]\n\tstr\tr2,[sp,#7*4]\n\teor\tr2,r10,r11\n\tadd\tr4,r4,r0,ror#6\t@ h+=Sigma1(e)\n\tand\tr2,r2,r9\n\tadd\tr4,r4,r3\t\t\t@ h+=K256[i]\n\teor\tr2,r2,r11\t\t\t@ Ch(e,f,g)\n\teor\tr0,r5,r5,ror#11\n\tadd\tr4,r4,r2\t\t\t@ h+=Ch(e,f,g)\n#if 7==31\n\tand\tr3,r3,#0xff\n\tcmp\tr3,#0xf2\t\t\t@ done?\n#endif\n#if 7<15\n# if __ARM_ARCH>=7\n\tldr\tr2,[r1],#4\t\t\t@ prefetch\n# else\n\tldrb\tr2,[r1,#3]\n# endif\n\teor\tr3,r5,r6\t\t\t@ a^b, b^c in next round\n#else\n\tldr\tr2,[sp,#9*4]\t\t@ from future BODY_16_xx\n\teor\tr3,r5,r6\t\t\t@ a^b, b^c in next round\n\tldr\tr1,[sp,#6*4]\t@ from future BODY_16_xx\n#endif\n\teor\tr0,r0,r5,ror#20\t@ Sigma0(a)\n\tand\tr12,r12,r3\t\t\t@ (b^c)&=(a^b)\n\tadd\tr8,r8,r4\t\t\t@ d+=h\n\teor\tr12,r12,r6\t\t\t@ Maj(a,b,c)\n\tadd\tr4,r4,r0,ror#2\t@ h+=Sigma0(a)\n\t@ add\tr4,r4,r12\t\t\t@ h+=Maj(a,b,c)\n#if __ARM_ARCH>=7\n\t@ ldr\tr2,[r1],#4\t\t\t@ 8\n# if 8==15\n\tstr\tr1,[sp,#17*4]\t\t\t@ make room for r1\n# endif\n\teor\tr0,r8,r8,ror#5\n\tadd\tr4,r4,r12\t\t\t@ h+=Maj(a,b,c) from the past\n\teor\tr0,r0,r8,ror#19\t@ Sigma1(e)\n# ifndef __ARMEB__\n\trev\tr2,r2\n# endif\n#else\n\t@ ldrb\tr2,[r1,#3]\t\t\t@ 8\n\tadd\tr4,r4,r12\t\t\t@ h+=Maj(a,b,c) from the past\n\tldrb\tr12,[r1,#2]\n\tldrb\tr0,[r1,#1]\n\torr\tr2,r2,r12,lsl#8\n\tldrb\tr12,[r1],#4\n\torr\tr2,r2,r0,lsl#16\n# if 8==15\n\tstr\tr1,[sp,#17*4]\t\t\t@ make room for r1\n# endif\n\teor\tr0,r8,r8,ror#5\n\torr\tr2,r2,r12,lsl#24\n\teor\tr0,r0,r8,ror#19\t@ Sigma1(e)\n#endif\n\tldr\tr12,[r14],#4\t\t\t@ *K256++\n\tadd\tr11,r11,r2\t\t\t@ h+=X[i]\n\tstr\tr2,[sp,#8*4]\n\teor\tr2,r9,r10\n\tadd\tr11,r11,r0,ror#6\t@ h+=Sigma1(e)\n\tand\tr2,r2,r8\n\tadd\tr11,r11,r12\t\t\t@ h+=K256[i]\n\teor\tr2,r2,r10\t\t\t@ Ch(e,f,g)\n\teor\tr0,r4,r4,ror#11\n\tadd\tr11,r11,r2\t\t\t@ h+=Ch(e,f,g)\n#if 8==31\n\tand\tr12,r12,#0xff\n\tcmp\tr12,#0xf2\t\t\t@ done?\n#endif\n#if 8<15\n# if __ARM_ARCH>=7\n\tldr\tr2,[r1],#4\t\t\t@ prefetch\n# else\n\tldrb\tr2,[r1,#3]\n# endif\n\teor\tr12,r4,r5\t\t\t@ a^b, b^c in next round\n#else\n\tldr\tr2,[sp,#10*4]\t\t@ from future BODY_16_xx\n\teor\tr12,r4,r5\t\t\t@ a^b, b^c in next round\n\tldr\tr1,[sp,#7*4]\t@ from future BODY_16_xx\n#endif\n\teor\tr0,r0,r4,ror#20\t@ Sigma0(a)\n\tand\tr3,r3,r12\t\t\t@ (b^c)&=(a^b)\n\tadd\tr7,r7,r11\t\t\t@ d+=h\n\teor\tr3,r3,r5\t\t\t@ Maj(a,b,c)\n\tadd\tr11,r11,r0,ror#2\t@ h+=Sigma0(a)\n\t@ add\tr11,r11,r3\t\t\t@ h+=Maj(a,b,c)\n#if __ARM_ARCH>=7\n\t@ ldr\tr2,[r1],#4\t\t\t@ 9\n# if 9==15\n\tstr\tr1,[sp,#17*4]\t\t\t@ make room for r1\n# endif\n\teor\tr0,r7,r7,ror#5\n\tadd\tr11,r11,r3\t\t\t@ h+=Maj(a,b,c) from the past\n\teor\tr0,r0,r7,ror#19\t@ Sigma1(e)\n# ifndef __ARMEB__\n\trev\tr2,r2\n# endif\n#else\n\t@ ldrb\tr2,[r1,#3]\t\t\t@ 9\n\tadd\tr11,r11,r3\t\t\t@ h+=Maj(a,b,c) from the past\n\tldrb\tr3,[r1,#2]\n\tldrb\tr0,[r1,#1]\n\torr\tr2,r2,r3,lsl#8\n\tldrb\tr3,[r1],#4\n\torr\tr2,r2,r0,lsl#16\n# if 9==15\n\tstr\tr1,[sp,#17*4]\t\t\t@ make room for r1\n# endif\n\teor\tr0,r7,r7,ror#5\n\torr\tr2,r2,r3,lsl#24\n\teor\tr0,r0,r7,ror#19\t@ Sigma1(e)\n#endif\n\tldr\tr3,[r14],#4\t\t\t@ *K256++\n\tadd\tr10,r10,r2\t\t\t@ h+=X[i]\n\tstr\tr2,[sp,#9*4]\n\teor\tr2,r8,r9\n\tadd\tr10,r10,r0,ror#6\t@ h+=Sigma1(e)\n\tand\tr2,r2,r7\n\tadd\tr10,r10,r3\t\t\t@ h+=K256[i]\n\teor\tr2,r2,r9\t\t\t@ Ch(e,f,g)\n\teor\tr0,r11,r11,ror#11\n\tadd\tr10,r10,r2\t\t\t@ h+=Ch(e,f,g)\n#if 9==31\n\tand\tr3,r3,#0xff\n\tcmp\tr3,#0xf2\t\t\t@ done?\n#endif\n#if 9<15\n# if __ARM_ARCH>=7\n\tldr\tr2,[r1],#4\t\t\t@ prefetch\n# else\n\tldrb\tr2,[r1,#3]\n# endif\n\teor\tr3,r11,r4\t\t\t@ a^b, b^c in next round\n#else\n\tldr\tr2,[sp,#11*4]\t\t@ from future BODY_16_xx\n\teor\tr3,r11,r4\t\t\t@ a^b, b^c in next round\n\tldr\tr1,[sp,#8*4]\t@ from future BODY_16_xx\n#endif\n\teor\tr0,r0,r11,ror#20\t@ Sigma0(a)\n\tand\tr12,r12,r3\t\t\t@ (b^c)&=(a^b)\n\tadd\tr6,r6,r10\t\t\t@ d+=h\n\teor\tr12,r12,r4\t\t\t@ Maj(a,b,c)\n\tadd\tr10,r10,r0,ror#2\t@ h+=Sigma0(a)\n\t@ add\tr10,r10,r12\t\t\t@ h+=Maj(a,b,c)\n#if __ARM_ARCH>=7\n\t@ ldr\tr2,[r1],#4\t\t\t@ 10\n# if 10==15\n\tstr\tr1,[sp,#17*4]\t\t\t@ make room for r1\n# endif\n\teor\tr0,r6,r6,ror#5\n\tadd\tr10,r10,r12\t\t\t@ h+=Maj(a,b,c) from the past\n\teor\tr0,r0,r6,ror#19\t@ Sigma1(e)\n# ifndef __ARMEB__\n\trev\tr2,r2\n# endif\n#else\n\t@ ldrb\tr2,[r1,#3]\t\t\t@ 10\n\tadd\tr10,r10,r12\t\t\t@ h+=Maj(a,b,c) from the past\n\tldrb\tr12,[r1,#2]\n\tldrb\tr0,[r1,#1]\n\torr\tr2,r2,r12,lsl#8\n\tldrb\tr12,[r1],#4\n\torr\tr2,r2,r0,lsl#16\n# if 10==15\n\tstr\tr1,[sp,#17*4]\t\t\t@ make room for r1\n# endif\n\teor\tr0,r6,r6,ror#5\n\torr\tr2,r2,r12,lsl#24\n\teor\tr0,r0,r6,ror#19\t@ Sigma1(e)\n#endif\n\tldr\tr12,[r14],#4\t\t\t@ *K256++\n\tadd\tr9,r9,r2\t\t\t@ h+=X[i]\n\tstr\tr2,[sp,#10*4]\n\teor\tr2,r7,r8\n\tadd\tr9,r9,r0,ror#6\t@ h+=Sigma1(e)\n\tand\tr2,r2,r6\n\tadd\tr9,r9,r12\t\t\t@ h+=K256[i]\n\teor\tr2,r2,r8\t\t\t@ Ch(e,f,g)\n\teor\tr0,r10,r10,ror#11\n\tadd\tr9,r9,r2\t\t\t@ h+=Ch(e,f,g)\n#if 10==31\n\tand\tr12,r12,#0xff\n\tcmp\tr12,#0xf2\t\t\t@ done?\n#endif\n#if 10<15\n# if __ARM_ARCH>=7\n\tldr\tr2,[r1],#4\t\t\t@ prefetch\n# else\n\tldrb\tr2,[r1,#3]\n# endif\n\teor\tr12,r10,r11\t\t\t@ a^b, b^c in next round\n#else\n\tldr\tr2,[sp,#12*4]\t\t@ from future BODY_16_xx\n\teor\tr12,r10,r11\t\t\t@ a^b, b^c in next round\n\tldr\tr1,[sp,#9*4]\t@ from future BODY_16_xx\n#endif\n\teor\tr0,r0,r10,ror#20\t@ Sigma0(a)\n\tand\tr3,r3,r12\t\t\t@ (b^c)&=(a^b)\n\tadd\tr5,r5,r9\t\t\t@ d+=h\n\teor\tr3,r3,r11\t\t\t@ Maj(a,b,c)\n\tadd\tr9,r9,r0,ror#2\t@ h+=Sigma0(a)\n\t@ add\tr9,r9,r3\t\t\t@ h+=Maj(a,b,c)\n#if __ARM_ARCH>=7\n\t@ ldr\tr2,[r1],#4\t\t\t@ 11\n# if 11==15\n\tstr\tr1,[sp,#17*4]\t\t\t@ make room for r1\n# endif\n\teor\tr0,r5,r5,ror#5\n\tadd\tr9,r9,r3\t\t\t@ h+=Maj(a,b,c) from the past\n\teor\tr0,r0,r5,ror#19\t@ Sigma1(e)\n# ifndef __ARMEB__\n\trev\tr2,r2\n# endif\n#else\n\t@ ldrb\tr2,[r1,#3]\t\t\t@ 11\n\tadd\tr9,r9,r3\t\t\t@ h+=Maj(a,b,c) from the past\n\tldrb\tr3,[r1,#2]\n\tldrb\tr0,[r1,#1]\n\torr\tr2,r2,r3,lsl#8\n\tldrb\tr3,[r1],#4\n\torr\tr2,r2,r0,lsl#16\n# if 11==15\n\tstr\tr1,[sp,#17*4]\t\t\t@ make room for r1\n# endif\n\teor\tr0,r5,r5,ror#5\n\torr\tr2,r2,r3,lsl#24\n\teor\tr0,r0,r5,ror#19\t@ Sigma1(e)\n#endif\n\tldr\tr3,[r14],#4\t\t\t@ *K256++\n\tadd\tr8,r8,r2\t\t\t@ h+=X[i]\n\tstr\tr2,[sp,#11*4]\n\teor\tr2,r6,r7\n\tadd\tr8,r8,r0,ror#6\t@ h+=Sigma1(e)\n\tand\tr2,r2,r5\n\tadd\tr8,r8,r3\t\t\t@ h+=K256[i]\n\teor\tr2,r2,r7\t\t\t@ Ch(e,f,g)\n\teor\tr0,r9,r9,ror#11\n\tadd\tr8,r8,r2\t\t\t@ h+=Ch(e,f,g)\n#if 11==31\n\tand\tr3,r3,#0xff\n\tcmp\tr3,#0xf2\t\t\t@ done?\n#endif\n#if 11<15\n# if __ARM_ARCH>=7\n\tldr\tr2,[r1],#4\t\t\t@ prefetch\n# else\n\tldrb\tr2,[r1,#3]\n# endif\n\teor\tr3,r9,r10\t\t\t@ a^b, b^c in next round\n#else\n\tldr\tr2,[sp,#13*4]\t\t@ from future BODY_16_xx\n\teor\tr3,r9,r10\t\t\t@ a^b, b^c in next round\n\tldr\tr1,[sp,#10*4]\t@ from future BODY_16_xx\n#endif\n\teor\tr0,r0,r9,ror#20\t@ Sigma0(a)\n\tand\tr12,r12,r3\t\t\t@ (b^c)&=(a^b)\n\tadd\tr4,r4,r8\t\t\t@ d+=h\n\teor\tr12,r12,r10\t\t\t@ Maj(a,b,c)\n\tadd\tr8,r8,r0,ror#2\t@ h+=Sigma0(a)\n\t@ add\tr8,r8,r12\t\t\t@ h+=Maj(a,b,c)\n#if __ARM_ARCH>=7\n\t@ ldr\tr2,[r1],#4\t\t\t@ 12\n# if 12==15\n\tstr\tr1,[sp,#17*4]\t\t\t@ make room for r1\n# endif\n\teor\tr0,r4,r4,ror#5\n\tadd\tr8,r8,r12\t\t\t@ h+=Maj(a,b,c) from the past\n\teor\tr0,r0,r4,ror#19\t@ Sigma1(e)\n# ifndef __ARMEB__\n\trev\tr2,r2\n# endif\n#else\n\t@ ldrb\tr2,[r1,#3]\t\t\t@ 12\n\tadd\tr8,r8,r12\t\t\t@ h+=Maj(a,b,c) from the past\n\tldrb\tr12,[r1,#2]\n\tldrb\tr0,[r1,#1]\n\torr\tr2,r2,r12,lsl#8\n\tldrb\tr12,[r1],#4\n\torr\tr2,r2,r0,lsl#16\n# if 12==15\n\tstr\tr1,[sp,#17*4]\t\t\t@ make room for r1\n# endif\n\teor\tr0,r4,r4,ror#5\n\torr\tr2,r2,r12,lsl#24\n\teor\tr0,r0,r4,ror#19\t@ Sigma1(e)\n#endif\n\tldr\tr12,[r14],#4\t\t\t@ *K256++\n\tadd\tr7,r7,r2\t\t\t@ h+=X[i]\n\tstr\tr2,[sp,#12*4]\n\teor\tr2,r5,r6\n\tadd\tr7,r7,r0,ror#6\t@ h+=Sigma1(e)\n\tand\tr2,r2,r4\n\tadd\tr7,r7,r12\t\t\t@ h+=K256[i]\n\teor\tr2,r2,r6\t\t\t@ Ch(e,f,g)\n\teor\tr0,r8,r8,ror#11\n\tadd\tr7,r7,r2\t\t\t@ h+=Ch(e,f,g)\n#if 12==31\n\tand\tr12,r12,#0xff\n\tcmp\tr12,#0xf2\t\t\t@ done?\n#endif\n#if 12<15\n# if __ARM_ARCH>=7\n\tldr\tr2,[r1],#4\t\t\t@ prefetch\n# else\n\tldrb\tr2,[r1,#3]\n# endif\n\teor\tr12,r8,r9\t\t\t@ a^b, b^c in next round\n#else\n\tldr\tr2,[sp,#14*4]\t\t@ from future BODY_16_xx\n\teor\tr12,r8,r9\t\t\t@ a^b, b^c in next round\n\tldr\tr1,[sp,#11*4]\t@ from future BODY_16_xx\n#endif\n\teor\tr0,r0,r8,ror#20\t@ Sigma0(a)\n\tand\tr3,r3,r12\t\t\t@ (b^c)&=(a^b)\n\tadd\tr11,r11,r7\t\t\t@ d+=h\n\teor\tr3,r3,r9\t\t\t@ Maj(a,b,c)\n\tadd\tr7,r7,r0,ror#2\t@ h+=Sigma0(a)\n\t@ add\tr7,r7,r3\t\t\t@ h+=Maj(a,b,c)\n#if __ARM_ARCH>=7\n\t@ ldr\tr2,[r1],#4\t\t\t@ 13\n# if 13==15\n\tstr\tr1,[sp,#17*4]\t\t\t@ make room for r1\n# endif\n\teor\tr0,r11,r11,ror#5\n\tadd\tr7,r7,r3\t\t\t@ h+=Maj(a,b,c) from the past\n\teor\tr0,r0,r11,ror#19\t@ Sigma1(e)\n# ifndef __ARMEB__\n\trev\tr2,r2\n# endif\n#else\n\t@ ldrb\tr2,[r1,#3]\t\t\t@ 13\n\tadd\tr7,r7,r3\t\t\t@ h+=Maj(a,b,c) from the past\n\tldrb\tr3,[r1,#2]\n\tldrb\tr0,[r1,#1]\n\torr\tr2,r2,r3,lsl#8\n\tldrb\tr3,[r1],#4\n\torr\tr2,r2,r0,lsl#16\n# if 13==15\n\tstr\tr1,[sp,#17*4]\t\t\t@ make room for r1\n# endif\n\teor\tr0,r11,r11,ror#5\n\torr\tr2,r2,r3,lsl#24\n\teor\tr0,r0,r11,ror#19\t@ Sigma1(e)\n#endif\n\tldr\tr3,[r14],#4\t\t\t@ *K256++\n\tadd\tr6,r6,r2\t\t\t@ h+=X[i]\n\tstr\tr2,[sp,#13*4]\n\teor\tr2,r4,r5\n\tadd\tr6,r6,r0,ror#6\t@ h+=Sigma1(e)\n\tand\tr2,r2,r11\n\tadd\tr6,r6,r3\t\t\t@ h+=K256[i]\n\teor\tr2,r2,r5\t\t\t@ Ch(e,f,g)\n\teor\tr0,r7,r7,ror#11\n\tadd\tr6,r6,r2\t\t\t@ h+=Ch(e,f,g)\n#if 13==31\n\tand\tr3,r3,#0xff\n\tcmp\tr3,#0xf2\t\t\t@ done?\n#endif\n#if 13<15\n# if __ARM_ARCH>=7\n\tldr\tr2,[r1],#4\t\t\t@ prefetch\n# else\n\tldrb\tr2,[r1,#3]\n# endif\n\teor\tr3,r7,r8\t\t\t@ a^b, b^c in next round\n#else\n\tldr\tr2,[sp,#15*4]\t\t@ from future BODY_16_xx\n\teor\tr3,r7,r8\t\t\t@ a^b, b^c in next round\n\tldr\tr1,[sp,#12*4]\t@ from future BODY_16_xx\n#endif\n\teor\tr0,r0,r7,ror#20\t@ Sigma0(a)\n\tand\tr12,r12,r3\t\t\t@ (b^c)&=(a^b)\n\tadd\tr10,r10,r6\t\t\t@ d+=h\n\teor\tr12,r12,r8\t\t\t@ Maj(a,b,c)\n\tadd\tr6,r6,r0,ror#2\t@ h+=Sigma0(a)\n\t@ add\tr6,r6,r12\t\t\t@ h+=Maj(a,b,c)\n#if __ARM_ARCH>=7\n\t@ ldr\tr2,[r1],#4\t\t\t@ 14\n# if 14==15\n\tstr\tr1,[sp,#17*4]\t\t\t@ make room for r1\n# endif\n\teor\tr0,r10,r10,ror#5\n\tadd\tr6,r6,r12\t\t\t@ h+=Maj(a,b,c) from the past\n\teor\tr0,r0,r10,ror#19\t@ Sigma1(e)\n# ifndef __ARMEB__\n\trev\tr2,r2\n# endif\n#else\n\t@ ldrb\tr2,[r1,#3]\t\t\t@ 14\n\tadd\tr6,r6,r12\t\t\t@ h+=Maj(a,b,c) from the past\n\tldrb\tr12,[r1,#2]\n\tldrb\tr0,[r1,#1]\n\torr\tr2,r2,r12,lsl#8\n\tldrb\tr12,[r1],#4\n\torr\tr2,r2,r0,lsl#16\n# if 14==15\n\tstr\tr1,[sp,#17*4]\t\t\t@ make room for r1\n# endif\n\teor\tr0,r10,r10,ror#5\n\torr\tr2,r2,r12,lsl#24\n\teor\tr0,r0,r10,ror#19\t@ Sigma1(e)\n#endif\n\tldr\tr12,[r14],#4\t\t\t@ *K256++\n\tadd\tr5,r5,r2\t\t\t@ h+=X[i]\n\tstr\tr2,[sp,#14*4]\n\teor\tr2,r11,r4\n\tadd\tr5,r5,r0,ror#6\t@ h+=Sigma1(e)\n\tand\tr2,r2,r10\n\tadd\tr5,r5,r12\t\t\t@ h+=K256[i]\n\teor\tr2,r2,r4\t\t\t@ Ch(e,f,g)\n\teor\tr0,r6,r6,ror#11\n\tadd\tr5,r5,r2\t\t\t@ h+=Ch(e,f,g)\n#if 14==31\n\tand\tr12,r12,#0xff\n\tcmp\tr12,#0xf2\t\t\t@ done?\n#endif\n#if 14<15\n# if __ARM_ARCH>=7\n\tldr\tr2,[r1],#4\t\t\t@ prefetch\n# else\n\tldrb\tr2,[r1,#3]\n# endif\n\teor\tr12,r6,r7\t\t\t@ a^b, b^c in next round\n#else\n\tldr\tr2,[sp,#0*4]\t\t@ from future BODY_16_xx\n\teor\tr12,r6,r7\t\t\t@ a^b, b^c in next round\n\tldr\tr1,[sp,#13*4]\t@ from future BODY_16_xx\n#endif\n\teor\tr0,r0,r6,ror#20\t@ Sigma0(a)\n\tand\tr3,r3,r12\t\t\t@ (b^c)&=(a^b)\n\tadd\tr9,r9,r5\t\t\t@ d+=h\n\teor\tr3,r3,r7\t\t\t@ Maj(a,b,c)\n\tadd\tr5,r5,r0,ror#2\t@ h+=Sigma0(a)\n\t@ add\tr5,r5,r3\t\t\t@ h+=Maj(a,b,c)\n#if __ARM_ARCH>=7\n\t@ ldr\tr2,[r1],#4\t\t\t@ 15\n# if 15==15\n\tstr\tr1,[sp,#17*4]\t\t\t@ make room for r1\n# endif\n\teor\tr0,r9,r9,ror#5\n\tadd\tr5,r5,r3\t\t\t@ h+=Maj(a,b,c) from the past\n\teor\tr0,r0,r9,ror#19\t@ Sigma1(e)\n# ifndef __ARMEB__\n\trev\tr2,r2\n# endif\n#else\n\t@ ldrb\tr2,[r1,#3]\t\t\t@ 15\n\tadd\tr5,r5,r3\t\t\t@ h+=Maj(a,b,c) from the past\n\tldrb\tr3,[r1,#2]\n\tldrb\tr0,[r1,#1]\n\torr\tr2,r2,r3,lsl#8\n\tldrb\tr3,[r1],#4\n\torr\tr2,r2,r0,lsl#16\n# if 15==15\n\tstr\tr1,[sp,#17*4]\t\t\t@ make room for r1\n# endif\n\teor\tr0,r9,r9,ror#5\n\torr\tr2,r2,r3,lsl#24\n\teor\tr0,r0,r9,ror#19\t@ Sigma1(e)\n#endif\n\tldr\tr3,[r14],#4\t\t\t@ *K256++\n\tadd\tr4,r4,r2\t\t\t@ h+=X[i]\n\tstr\tr2,[sp,#15*4]\n\teor\tr2,r10,r11\n\tadd\tr4,r4,r0,ror#6\t@ h+=Sigma1(e)\n\tand\tr2,r2,r9\n\tadd\tr4,r4,r3\t\t\t@ h+=K256[i]\n\teor\tr2,r2,r11\t\t\t@ Ch(e,f,g)\n\teor\tr0,r5,r5,ror#11\n\tadd\tr4,r4,r2\t\t\t@ h+=Ch(e,f,g)\n#if 15==31\n\tand\tr3,r3,#0xff\n\tcmp\tr3,#0xf2\t\t\t@ done?\n#endif\n#if 15<15\n# if __ARM_ARCH>=7\n\tldr\tr2,[r1],#4\t\t\t@ prefetch\n# else\n\tldrb\tr2,[r1,#3]\n# endif\n\teor\tr3,r5,r6\t\t\t@ a^b, b^c in next round\n#else\n\tldr\tr2,[sp,#1*4]\t\t@ from future BODY_16_xx\n\teor\tr3,r5,r6\t\t\t@ a^b, b^c in next round\n\tldr\tr1,[sp,#14*4]\t@ from future BODY_16_xx\n#endif\n\teor\tr0,r0,r5,ror#20\t@ Sigma0(a)\n\tand\tr12,r12,r3\t\t\t@ (b^c)&=(a^b)\n\tadd\tr8,r8,r4\t\t\t@ d+=h\n\teor\tr12,r12,r6\t\t\t@ Maj(a,b,c)\n\tadd\tr4,r4,r0,ror#2\t@ h+=Sigma0(a)\n\t@ add\tr4,r4,r12\t\t\t@ h+=Maj(a,b,c)\n.Lrounds_16_xx:\n\t@ ldr\tr2,[sp,#1*4]\t\t@ 16\n\t@ ldr\tr1,[sp,#14*4]\n\tmov\tr0,r2,ror#7\n\tadd\tr4,r4,r12\t\t\t@ h+=Maj(a,b,c) from the past\n\tmov\tr12,r1,ror#17\n\teor\tr0,r0,r2,ror#18\n\teor\tr12,r12,r1,ror#19\n\teor\tr0,r0,r2,lsr#3\t@ sigma0(X[i+1])\n\tldr\tr2,[sp,#0*4]\n\teor\tr12,r12,r1,lsr#10\t@ sigma1(X[i+14])\n\tldr\tr1,[sp,#9*4]\n\n\tadd\tr12,r12,r0\n\teor\tr0,r8,r8,ror#5\t@ from BODY_00_15\n\tadd\tr2,r2,r12\n\teor\tr0,r0,r8,ror#19\t@ Sigma1(e)\n\tadd\tr2,r2,r1\t\t\t@ X[i]\n\tldr\tr12,[r14],#4\t\t\t@ *K256++\n\tadd\tr11,r11,r2\t\t\t@ h+=X[i]\n\tstr\tr2,[sp,#0*4]\n\teor\tr2,r9,r10\n\tadd\tr11,r11,r0,ror#6\t@ h+=Sigma1(e)\n\tand\tr2,r2,r8\n\tadd\tr11,r11,r12\t\t\t@ h+=K256[i]\n\teor\tr2,r2,r10\t\t\t@ Ch(e,f,g)\n\teor\tr0,r4,r4,ror#11\n\tadd\tr11,r11,r2\t\t\t@ h+=Ch(e,f,g)\n#if 16==31\n\tand\tr12,r12,#0xff\n\tcmp\tr12,#0xf2\t\t\t@ done?\n#endif\n#if 16<15\n# if __ARM_ARCH>=7\n\tldr\tr2,[r1],#4\t\t\t@ prefetch\n# else\n\tldrb\tr2,[r1,#3]\n# endif\n\teor\tr12,r4,r5\t\t\t@ a^b, b^c in next round\n#else\n\tldr\tr2,[sp,#2*4]\t\t@ from future BODY_16_xx\n\teor\tr12,r4,r5\t\t\t@ a^b, b^c in next round\n\tldr\tr1,[sp,#15*4]\t@ from future BODY_16_xx\n#endif\n\teor\tr0,r0,r4,ror#20\t@ Sigma0(a)\n\tand\tr3,r3,r12\t\t\t@ (b^c)&=(a^b)\n\tadd\tr7,r7,r11\t\t\t@ d+=h\n\teor\tr3,r3,r5\t\t\t@ Maj(a,b,c)\n\tadd\tr11,r11,r0,ror#2\t@ h+=Sigma0(a)\n\t@ add\tr11,r11,r3\t\t\t@ h+=Maj(a,b,c)\n\t@ ldr\tr2,[sp,#2*4]\t\t@ 17\n\t@ ldr\tr1,[sp,#15*4]\n\tmov\tr0,r2,ror#7\n\tadd\tr11,r11,r3\t\t\t@ h+=Maj(a,b,c) from the past\n\tmov\tr3,r1,ror#17\n\teor\tr0,r0,r2,ror#18\n\teor\tr3,r3,r1,ror#19\n\teor\tr0,r0,r2,lsr#3\t@ sigma0(X[i+1])\n\tldr\tr2,[sp,#1*4]\n\teor\tr3,r3,r1,lsr#10\t@ sigma1(X[i+14])\n\tldr\tr1,[sp,#10*4]\n\n\tadd\tr3,r3,r0\n\teor\tr0,r7,r7,ror#5\t@ from BODY_00_15\n\tadd\tr2,r2,r3\n\teor\tr0,r0,r7,ror#19\t@ Sigma1(e)\n\tadd\tr2,r2,r1\t\t\t@ X[i]\n\tldr\tr3,[r14],#4\t\t\t@ *K256++\n\tadd\tr10,r10,r2\t\t\t@ h+=X[i]\n\tstr\tr2,[sp,#1*4]\n\teor\tr2,r8,r9\n\tadd\tr10,r10,r0,ror#6\t@ h+=Sigma1(e)\n\tand\tr2,r2,r7\n\tadd\tr10,r10,r3\t\t\t@ h+=K256[i]\n\teor\tr2,r2,r9\t\t\t@ Ch(e,f,g)\n\teor\tr0,r11,r11,ror#11\n\tadd\tr10,r10,r2\t\t\t@ h+=Ch(e,f,g)\n#if 17==31\n\tand\tr3,r3,#0xff\n\tcmp\tr3,#0xf2\t\t\t@ done?\n#endif\n#if 17<15\n# if __ARM_ARCH>=7\n\tldr\tr2,[r1],#4\t\t\t@ prefetch\n# else\n\tldrb\tr2,[r1,#3]\n# endif\n\teor\tr3,r11,r4\t\t\t@ a^b, b^c in next round\n#else\n\tldr\tr2,[sp,#3*4]\t\t@ from future BODY_16_xx\n\teor\tr3,r11,r4\t\t\t@ a^b, b^c in next round\n\tldr\tr1,[sp,#0*4]\t@ from future BODY_16_xx\n#endif\n\teor\tr0,r0,r11,ror#20\t@ Sigma0(a)\n\tand\tr12,r12,r3\t\t\t@ (b^c)&=(a^b)\n\tadd\tr6,r6,r10\t\t\t@ d+=h\n\teor\tr12,r12,r4\t\t\t@ Maj(a,b,c)\n\tadd\tr10,r10,r0,ror#2\t@ h+=Sigma0(a)\n\t@ add\tr10,r10,r12\t\t\t@ h+=Maj(a,b,c)\n\t@ ldr\tr2,[sp,#3*4]\t\t@ 18\n\t@ ldr\tr1,[sp,#0*4]\n\tmov\tr0,r2,ror#7\n\tadd\tr10,r10,r12\t\t\t@ h+=Maj(a,b,c) from the past\n\tmov\tr12,r1,ror#17\n\teor\tr0,r0,r2,ror#18\n\teor\tr12,r12,r1,ror#19\n\teor\tr0,r0,r2,lsr#3\t@ sigma0(X[i+1])\n\tldr\tr2,[sp,#2*4]\n\teor\tr12,r12,r1,lsr#10\t@ sigma1(X[i+14])\n\tldr\tr1,[sp,#11*4]\n\n\tadd\tr12,r12,r0\n\teor\tr0,r6,r6,ror#5\t@ from BODY_00_15\n\tadd\tr2,r2,r12\n\teor\tr0,r0,r6,ror#19\t@ Sigma1(e)\n\tadd\tr2,r2,r1\t\t\t@ X[i]\n\tldr\tr12,[r14],#4\t\t\t@ *K256++\n\tadd\tr9,r9,r2\t\t\t@ h+=X[i]\n\tstr\tr2,[sp,#2*4]\n\teor\tr2,r7,r8\n\tadd\tr9,r9,r0,ror#6\t@ h+=Sigma1(e)\n\tand\tr2,r2,r6\n\tadd\tr9,r9,r12\t\t\t@ h+=K256[i]\n\teor\tr2,r2,r8\t\t\t@ Ch(e,f,g)\n\teor\tr0,r10,r10,ror#11\n\tadd\tr9,r9,r2\t\t\t@ h+=Ch(e,f,g)\n#if 18==31\n\tand\tr12,r12,#0xff\n\tcmp\tr12,#0xf2\t\t\t@ done?\n#endif\n#if 18<15\n# if __ARM_ARCH>=7\n\tldr\tr2,[r1],#4\t\t\t@ prefetch\n# else\n\tldrb\tr2,[r1,#3]\n# endif\n\teor\tr12,r10,r11\t\t\t@ a^b, b^c in next round\n#else\n\tldr\tr2,[sp,#4*4]\t\t@ from future BODY_16_xx\n\teor\tr12,r10,r11\t\t\t@ a^b, b^c in next round\n\tldr\tr1,[sp,#1*4]\t@ from future BODY_16_xx\n#endif\n\teor\tr0,r0,r10,ror#20\t@ Sigma0(a)\n\tand\tr3,r3,r12\t\t\t@ (b^c)&=(a^b)\n\tadd\tr5,r5,r9\t\t\t@ d+=h\n\teor\tr3,r3,r11\t\t\t@ Maj(a,b,c)\n\tadd\tr9,r9,r0,ror#2\t@ h+=Sigma0(a)\n\t@ add\tr9,r9,r3\t\t\t@ h+=Maj(a,b,c)\n\t@ ldr\tr2,[sp,#4*4]\t\t@ 19\n\t@ ldr\tr1,[sp,#1*4]\n\tmov\tr0,r2,ror#7\n\tadd\tr9,r9,r3\t\t\t@ h+=Maj(a,b,c) from the past\n\tmov\tr3,r1,ror#17\n\teor\tr0,r0,r2,ror#18\n\teor\tr3,r3,r1,ror#19\n\teor\tr0,r0,r2,lsr#3\t@ sigma0(X[i+1])\n\tldr\tr2,[sp,#3*4]\n\teor\tr3,r3,r1,lsr#10\t@ sigma1(X[i+14])\n\tldr\tr1,[sp,#12*4]\n\n\tadd\tr3,r3,r0\n\teor\tr0,r5,r5,ror#5\t@ from BODY_00_15\n\tadd\tr2,r2,r3\n\teor\tr0,r0,r5,ror#19\t@ Sigma1(e)\n\tadd\tr2,r2,r1\t\t\t@ X[i]\n\tldr\tr3,[r14],#4\t\t\t@ *K256++\n\tadd\tr8,r8,r2\t\t\t@ h+=X[i]\n\tstr\tr2,[sp,#3*4]\n\teor\tr2,r6,r7\n\tadd\tr8,r8,r0,ror#6\t@ h+=Sigma1(e)\n\tand\tr2,r2,r5\n\tadd\tr8,r8,r3\t\t\t@ h+=K256[i]\n\teor\tr2,r2,r7\t\t\t@ Ch(e,f,g)\n\teor\tr0,r9,r9,ror#11\n\tadd\tr8,r8,r2\t\t\t@ h+=Ch(e,f,g)\n#if 19==31\n\tand\tr3,r3,#0xff\n\tcmp\tr3,#0xf2\t\t\t@ done?\n#endif\n#if 19<15\n# if __ARM_ARCH>=7\n\tldr\tr2,[r1],#4\t\t\t@ prefetch\n# else\n\tldrb\tr2,[r1,#3]\n# endif\n\teor\tr3,r9,r10\t\t\t@ a^b, b^c in next round\n#else\n\tldr\tr2,[sp,#5*4]\t\t@ from future BODY_16_xx\n\teor\tr3,r9,r10\t\t\t@ a^b, b^c in next round\n\tldr\tr1,[sp,#2*4]\t@ from future BODY_16_xx\n#endif\n\teor\tr0,r0,r9,ror#20\t@ Sigma0(a)\n\tand\tr12,r12,r3\t\t\t@ (b^c)&=(a^b)\n\tadd\tr4,r4,r8\t\t\t@ d+=h\n\teor\tr12,r12,r10\t\t\t@ Maj(a,b,c)\n\tadd\tr8,r8,r0,ror#2\t@ h+=Sigma0(a)\n\t@ add\tr8,r8,r12\t\t\t@ h+=Maj(a,b,c)\n\t@ ldr\tr2,[sp,#5*4]\t\t@ 20\n\t@ ldr\tr1,[sp,#2*4]\n\tmov\tr0,r2,ror#7\n\tadd\tr8,r8,r12\t\t\t@ h+=Maj(a,b,c) from the past\n\tmov\tr12,r1,ror#17\n\teor\tr0,r0,r2,ror#18\n\teor\tr12,r12,r1,ror#19\n\teor\tr0,r0,r2,lsr#3\t@ sigma0(X[i+1])\n\tldr\tr2,[sp,#4*4]\n\teor\tr12,r12,r1,lsr#10\t@ sigma1(X[i+14])\n\tldr\tr1,[sp,#13*4]\n\n\tadd\tr12,r12,r0\n\teor\tr0,r4,r4,ror#5\t@ from BODY_00_15\n\tadd\tr2,r2,r12\n\teor\tr0,r0,r4,ror#19\t@ Sigma1(e)\n\tadd\tr2,r2,r1\t\t\t@ X[i]\n\tldr\tr12,[r14],#4\t\t\t@ *K256++\n\tadd\tr7,r7,r2\t\t\t@ h+=X[i]\n\tstr\tr2,[sp,#4*4]\n\teor\tr2,r5,r6\n\tadd\tr7,r7,r0,ror#6\t@ h+=Sigma1(e)\n\tand\tr2,r2,r4\n\tadd\tr7,r7,r12\t\t\t@ h+=K256[i]\n\teor\tr2,r2,r6\t\t\t@ Ch(e,f,g)\n\teor\tr0,r8,r8,ror#11\n\tadd\tr7,r7,r2\t\t\t@ h+=Ch(e,f,g)\n#if 20==31\n\tand\tr12,r12,#0xff\n\tcmp\tr12,#0xf2\t\t\t@ done?\n#endif\n#if 20<15\n# if __ARM_ARCH>=7\n\tldr\tr2,[r1],#4\t\t\t@ prefetch\n# else\n\tldrb\tr2,[r1,#3]\n# endif\n\teor\tr12,r8,r9\t\t\t@ a^b, b^c in next round\n#else\n\tldr\tr2,[sp,#6*4]\t\t@ from future BODY_16_xx\n\teor\tr12,r8,r9\t\t\t@ a^b, b^c in next round\n\tldr\tr1,[sp,#3*4]\t@ from future BODY_16_xx\n#endif\n\teor\tr0,r0,r8,ror#20\t@ Sigma0(a)\n\tand\tr3,r3,r12\t\t\t@ (b^c)&=(a^b)\n\tadd\tr11,r11,r7\t\t\t@ d+=h\n\teor\tr3,r3,r9\t\t\t@ Maj(a,b,c)\n\tadd\tr7,r7,r0,ror#2\t@ h+=Sigma0(a)\n\t@ add\tr7,r7,r3\t\t\t@ h+=Maj(a,b,c)\n\t@ ldr\tr2,[sp,#6*4]\t\t@ 21\n\t@ ldr\tr1,[sp,#3*4]\n\tmov\tr0,r2,ror#7\n\tadd\tr7,r7,r3\t\t\t@ h+=Maj(a,b,c) from the past\n\tmov\tr3,r1,ror#17\n\teor\tr0,r0,r2,ror#18\n\teor\tr3,r3,r1,ror#19\n\teor\tr0,r0,r2,lsr#3\t@ sigma0(X[i+1])\n\tldr\tr2,[sp,#5*4]\n\teor\tr3,r3,r1,lsr#10\t@ sigma1(X[i+14])\n\tldr\tr1,[sp,#14*4]\n\n\tadd\tr3,r3,r0\n\teor\tr0,r11,r11,ror#5\t@ from BODY_00_15\n\tadd\tr2,r2,r3\n\teor\tr0,r0,r11,ror#19\t@ Sigma1(e)\n\tadd\tr2,r2,r1\t\t\t@ X[i]\n\tldr\tr3,[r14],#4\t\t\t@ *K256++\n\tadd\tr6,r6,r2\t\t\t@ h+=X[i]\n\tstr\tr2,[sp,#5*4]\n\teor\tr2,r4,r5\n\tadd\tr6,r6,r0,ror#6\t@ h+=Sigma1(e)\n\tand\tr2,r2,r11\n\tadd\tr6,r6,r3\t\t\t@ h+=K256[i]\n\teor\tr2,r2,r5\t\t\t@ Ch(e,f,g)\n\teor\tr0,r7,r7,ror#11\n\tadd\tr6,r6,r2\t\t\t@ h+=Ch(e,f,g)\n#if 21==31\n\tand\tr3,r3,#0xff\n\tcmp\tr3,#0xf2\t\t\t@ done?\n#endif\n#if 21<15\n# if __ARM_ARCH>=7\n\tldr\tr2,[r1],#4\t\t\t@ prefetch\n# else\n\tldrb\tr2,[r1,#3]\n# endif\n\teor\tr3,r7,r8\t\t\t@ a^b, b^c in next round\n#else\n\tldr\tr2,[sp,#7*4]\t\t@ from future BODY_16_xx\n\teor\tr3,r7,r8\t\t\t@ a^b, b^c in next round\n\tldr\tr1,[sp,#4*4]\t@ from future BODY_16_xx\n#endif\n\teor\tr0,r0,r7,ror#20\t@ Sigma0(a)\n\tand\tr12,r12,r3\t\t\t@ (b^c)&=(a^b)\n\tadd\tr10,r10,r6\t\t\t@ d+=h\n\teor\tr12,r12,r8\t\t\t@ Maj(a,b,c)\n\tadd\tr6,r6,r0,ror#2\t@ h+=Sigma0(a)\n\t@ add\tr6,r6,r12\t\t\t@ h+=Maj(a,b,c)\n\t@ ldr\tr2,[sp,#7*4]\t\t@ 22\n\t@ ldr\tr1,[sp,#4*4]\n\tmov\tr0,r2,ror#7\n\tadd\tr6,r6,r12\t\t\t@ h+=Maj(a,b,c) from the past\n\tmov\tr12,r1,ror#17\n\teor\tr0,r0,r2,ror#18\n\teor\tr12,r12,r1,ror#19\n\teor\tr0,r0,r2,lsr#3\t@ sigma0(X[i+1])\n\tldr\tr2,[sp,#6*4]\n\teor\tr12,r12,r1,lsr#10\t@ sigma1(X[i+14])\n\tldr\tr1,[sp,#15*4]\n\n\tadd\tr12,r12,r0\n\teor\tr0,r10,r10,ror#5\t@ from BODY_00_15\n\tadd\tr2,r2,r12\n\teor\tr0,r0,r10,ror#19\t@ Sigma1(e)\n\tadd\tr2,r2,r1\t\t\t@ X[i]\n\tldr\tr12,[r14],#4\t\t\t@ *K256++\n\tadd\tr5,r5,r2\t\t\t@ h+=X[i]\n\tstr\tr2,[sp,#6*4]\n\teor\tr2,r11,r4\n\tadd\tr5,r5,r0,ror#6\t@ h+=Sigma1(e)\n\tand\tr2,r2,r10\n\tadd\tr5,r5,r12\t\t\t@ h+=K256[i]\n\teor\tr2,r2,r4\t\t\t@ Ch(e,f,g)\n\teor\tr0,r6,r6,ror#11\n\tadd\tr5,r5,r2\t\t\t@ h+=Ch(e,f,g)\n#if 22==31\n\tand\tr12,r12,#0xff\n\tcmp\tr12,#0xf2\t\t\t@ done?\n#endif\n#if 22<15\n# if __ARM_ARCH>=7\n\tldr\tr2,[r1],#4\t\t\t@ prefetch\n# else\n\tldrb\tr2,[r1,#3]\n# endif\n\teor\tr12,r6,r7\t\t\t@ a^b, b^c in next round\n#else\n\tldr\tr2,[sp,#8*4]\t\t@ from future BODY_16_xx\n\teor\tr12,r6,r7\t\t\t@ a^b, b^c in next round\n\tldr\tr1,[sp,#5*4]\t@ from future BODY_16_xx\n#endif\n\teor\tr0,r0,r6,ror#20\t@ Sigma0(a)\n\tand\tr3,r3,r12\t\t\t@ (b^c)&=(a^b)\n\tadd\tr9,r9,r5\t\t\t@ d+=h\n\teor\tr3,r3,r7\t\t\t@ Maj(a,b,c)\n\tadd\tr5,r5,r0,ror#2\t@ h+=Sigma0(a)\n\t@ add\tr5,r5,r3\t\t\t@ h+=Maj(a,b,c)\n\t@ ldr\tr2,[sp,#8*4]\t\t@ 23\n\t@ ldr\tr1,[sp,#5*4]\n\tmov\tr0,r2,ror#7\n\tadd\tr5,r5,r3\t\t\t@ h+=Maj(a,b,c) from the past\n\tmov\tr3,r1,ror#17\n\teor\tr0,r0,r2,ror#18\n\teor\tr3,r3,r1,ror#19\n\teor\tr0,r0,r2,lsr#3\t@ sigma0(X[i+1])\n\tldr\tr2,[sp,#7*4]\n\teor\tr3,r3,r1,lsr#10\t@ sigma1(X[i+14])\n\tldr\tr1,[sp,#0*4]\n\n\tadd\tr3,r3,r0\n\teor\tr0,r9,r9,ror#5\t@ from BODY_00_15\n\tadd\tr2,r2,r3\n\teor\tr0,r0,r9,ror#19\t@ Sigma1(e)\n\tadd\tr2,r2,r1\t\t\t@ X[i]\n\tldr\tr3,[r14],#4\t\t\t@ *K256++\n\tadd\tr4,r4,r2\t\t\t@ h+=X[i]\n\tstr\tr2,[sp,#7*4]\n\teor\tr2,r10,r11\n\tadd\tr4,r4,r0,ror#6\t@ h+=Sigma1(e)\n\tand\tr2,r2,r9\n\tadd\tr4,r4,r3\t\t\t@ h+=K256[i]\n\teor\tr2,r2,r11\t\t\t@ Ch(e,f,g)\n\teor\tr0,r5,r5,ror#11\n\tadd\tr4,r4,r2\t\t\t@ h+=Ch(e,f,g)\n#if 23==31\n\tand\tr3,r3,#0xff\n\tcmp\tr3,#0xf2\t\t\t@ done?\n#endif\n#if 23<15\n# if __ARM_ARCH>=7\n\tldr\tr2,[r1],#4\t\t\t@ prefetch\n# else\n\tldrb\tr2,[r1,#3]\n# endif\n\teor\tr3,r5,r6\t\t\t@ a^b, b^c in next round\n#else\n\tldr\tr2,[sp,#9*4]\t\t@ from future BODY_16_xx\n\teor\tr3,r5,r6\t\t\t@ a^b, b^c in next round\n\tldr\tr1,[sp,#6*4]\t@ from future BODY_16_xx\n#endif\n\teor\tr0,r0,r5,ror#20\t@ Sigma0(a)\n\tand\tr12,r12,r3\t\t\t@ (b^c)&=(a^b)\n\tadd\tr8,r8,r4\t\t\t@ d+=h\n\teor\tr12,r12,r6\t\t\t@ Maj(a,b,c)\n\tadd\tr4,r4,r0,ror#2\t@ h+=Sigma0(a)\n\t@ add\tr4,r4,r12\t\t\t@ h+=Maj(a,b,c)\n\t@ ldr\tr2,[sp,#9*4]\t\t@ 24\n\t@ ldr\tr1,[sp,#6*4]\n\tmov\tr0,r2,ror#7\n\tadd\tr4,r4,r12\t\t\t@ h+=Maj(a,b,c) from the past\n\tmov\tr12,r1,ror#17\n\teor\tr0,r0,r2,ror#18\n\teor\tr12,r12,r1,ror#19\n\teor\tr0,r0,r2,lsr#3\t@ sigma0(X[i+1])\n\tldr\tr2,[sp,#8*4]\n\teor\tr12,r12,r1,lsr#10\t@ sigma1(X[i+14])\n\tldr\tr1,[sp,#1*4]\n\n\tadd\tr12,r12,r0\n\teor\tr0,r8,r8,ror#5\t@ from BODY_00_15\n\tadd\tr2,r2,r12\n\teor\tr0,r0,r8,ror#19\t@ Sigma1(e)\n\tadd\tr2,r2,r1\t\t\t@ X[i]\n\tldr\tr12,[r14],#4\t\t\t@ *K256++\n\tadd\tr11,r11,r2\t\t\t@ h+=X[i]\n\tstr\tr2,[sp,#8*4]\n\teor\tr2,r9,r10\n\tadd\tr11,r11,r0,ror#6\t@ h+=Sigma1(e)\n\tand\tr2,r2,r8\n\tadd\tr11,r11,r12\t\t\t@ h+=K256[i]\n\teor\tr2,r2,r10\t\t\t@ Ch(e,f,g)\n\teor\tr0,r4,r4,ror#11\n\tadd\tr11,r11,r2\t\t\t@ h+=Ch(e,f,g)\n#if 24==31\n\tand\tr12,r12,#0xff\n\tcmp\tr12,#0xf2\t\t\t@ done?\n#endif\n#if 24<15\n# if __ARM_ARCH>=7\n\tldr\tr2,[r1],#4\t\t\t@ prefetch\n# else\n\tldrb\tr2,[r1,#3]\n# endif\n\teor\tr12,r4,r5\t\t\t@ a^b, b^c in next round\n#else\n\tldr\tr2,[sp,#10*4]\t\t@ from future BODY_16_xx\n\teor\tr12,r4,r5\t\t\t@ a^b, b^c in next round\n\tldr\tr1,[sp,#7*4]\t@ from future BODY_16_xx\n#endif\n\teor\tr0,r0,r4,ror#20\t@ Sigma0(a)\n\tand\tr3,r3,r12\t\t\t@ (b^c)&=(a^b)\n\tadd\tr7,r7,r11\t\t\t@ d+=h\n\teor\tr3,r3,r5\t\t\t@ Maj(a,b,c)\n\tadd\tr11,r11,r0,ror#2\t@ h+=Sigma0(a)\n\t@ add\tr11,r11,r3\t\t\t@ h+=Maj(a,b,c)\n\t@ ldr\tr2,[sp,#10*4]\t\t@ 25\n\t@ ldr\tr1,[sp,#7*4]\n\tmov\tr0,r2,ror#7\n\tadd\tr11,r11,r3\t\t\t@ h+=Maj(a,b,c) from the past\n\tmov\tr3,r1,ror#17\n\teor\tr0,r0,r2,ror#18\n\teor\tr3,r3,r1,ror#19\n\teor\tr0,r0,r2,lsr#3\t@ sigma0(X[i+1])\n\tldr\tr2,[sp,#9*4]\n\teor\tr3,r3,r1,lsr#10\t@ sigma1(X[i+14])\n\tldr\tr1,[sp,#2*4]\n\n\tadd\tr3,r3,r0\n\teor\tr0,r7,r7,ror#5\t@ from BODY_00_15\n\tadd\tr2,r2,r3\n\teor\tr0,r0,r7,ror#19\t@ Sigma1(e)\n\tadd\tr2,r2,r1\t\t\t@ X[i]\n\tldr\tr3,[r14],#4\t\t\t@ *K256++\n\tadd\tr10,r10,r2\t\t\t@ h+=X[i]\n\tstr\tr2,[sp,#9*4]\n\teor\tr2,r8,r9\n\tadd\tr10,r10,r0,ror#6\t@ h+=Sigma1(e)\n\tand\tr2,r2,r7\n\tadd\tr10,r10,r3\t\t\t@ h+=K256[i]\n\teor\tr2,r2,r9\t\t\t@ Ch(e,f,g)\n\teor\tr0,r11,r11,ror#11\n\tadd\tr10,r10,r2\t\t\t@ h+=Ch(e,f,g)\n#if 25==31\n\tand\tr3,r3,#0xff\n\tcmp\tr3,#0xf2\t\t\t@ done?\n#endif\n#if 25<15\n# if __ARM_ARCH>=7\n\tldr\tr2,[r1],#4\t\t\t@ prefetch\n# else\n\tldrb\tr2,[r1,#3]\n# endif\n\teor\tr3,r11,r4\t\t\t@ a^b, b^c in next round\n#else\n\tldr\tr2,[sp,#11*4]\t\t@ from future BODY_16_xx\n\teor\tr3,r11,r4\t\t\t@ a^b, b^c in next round\n\tldr\tr1,[sp,#8*4]\t@ from future BODY_16_xx\n#endif\n\teor\tr0,r0,r11,ror#20\t@ Sigma0(a)\n\tand\tr12,r12,r3\t\t\t@ (b^c)&=(a^b)\n\tadd\tr6,r6,r10\t\t\t@ d+=h\n\teor\tr12,r12,r4\t\t\t@ Maj(a,b,c)\n\tadd\tr10,r10,r0,ror#2\t@ h+=Sigma0(a)\n\t@ add\tr10,r10,r12\t\t\t@ h+=Maj(a,b,c)\n\t@ ldr\tr2,[sp,#11*4]\t\t@ 26\n\t@ ldr\tr1,[sp,#8*4]\n\tmov\tr0,r2,ror#7\n\tadd\tr10,r10,r12\t\t\t@ h+=Maj(a,b,c) from the past\n\tmov\tr12,r1,ror#17\n\teor\tr0,r0,r2,ror#18\n\teor\tr12,r12,r1,ror#19\n\teor\tr0,r0,r2,lsr#3\t@ sigma0(X[i+1])\n\tldr\tr2,[sp,#10*4]\n\teor\tr12,r12,r1,lsr#10\t@ sigma1(X[i+14])\n\tldr\tr1,[sp,#3*4]\n\n\tadd\tr12,r12,r0\n\teor\tr0,r6,r6,ror#5\t@ from BODY_00_15\n\tadd\tr2,r2,r12\n\teor\tr0,r0,r6,ror#19\t@ Sigma1(e)\n\tadd\tr2,r2,r1\t\t\t@ X[i]\n\tldr\tr12,[r14],#4\t\t\t@ *K256++\n\tadd\tr9,r9,r2\t\t\t@ h+=X[i]\n\tstr\tr2,[sp,#10*4]\n\teor\tr2,r7,r8\n\tadd\tr9,r9,r0,ror#6\t@ h+=Sigma1(e)\n\tand\tr2,r2,r6\n\tadd\tr9,r9,r12\t\t\t@ h+=K256[i]\n\teor\tr2,r2,r8\t\t\t@ Ch(e,f,g)\n\teor\tr0,r10,r10,ror#11\n\tadd\tr9,r9,r2\t\t\t@ h+=Ch(e,f,g)\n#if 26==31\n\tand\tr12,r12,#0xff\n\tcmp\tr12,#0xf2\t\t\t@ done?\n#endif\n#if 26<15\n# if __ARM_ARCH>=7\n\tldr\tr2,[r1],#4\t\t\t@ prefetch\n# else\n\tldrb\tr2,[r1,#3]\n# endif\n\teor\tr12,r10,r11\t\t\t@ a^b, b^c in next round\n#else\n\tldr\tr2,[sp,#12*4]\t\t@ from future BODY_16_xx\n\teor\tr12,r10,r11\t\t\t@ a^b, b^c in next round\n\tldr\tr1,[sp,#9*4]\t@ from future BODY_16_xx\n#endif\n\teor\tr0,r0,r10,ror#20\t@ Sigma0(a)\n\tand\tr3,r3,r12\t\t\t@ (b^c)&=(a^b)\n\tadd\tr5,r5,r9\t\t\t@ d+=h\n\teor\tr3,r3,r11\t\t\t@ Maj(a,b,c)\n\tadd\tr9,r9,r0,ror#2\t@ h+=Sigma0(a)\n\t@ add\tr9,r9,r3\t\t\t@ h+=Maj(a,b,c)\n\t@ ldr\tr2,[sp,#12*4]\t\t@ 27\n\t@ ldr\tr1,[sp,#9*4]\n\tmov\tr0,r2,ror#7\n\tadd\tr9,r9,r3\t\t\t@ h+=Maj(a,b,c) from the past\n\tmov\tr3,r1,ror#17\n\teor\tr0,r0,r2,ror#18\n\teor\tr3,r3,r1,ror#19\n\teor\tr0,r0,r2,lsr#3\t@ sigma0(X[i+1])\n\tldr\tr2,[sp,#11*4]\n\teor\tr3,r3,r1,lsr#10\t@ sigma1(X[i+14])\n\tldr\tr1,[sp,#4*4]\n\n\tadd\tr3,r3,r0\n\teor\tr0,r5,r5,ror#5\t@ from BODY_00_15\n\tadd\tr2,r2,r3\n\teor\tr0,r0,r5,ror#19\t@ Sigma1(e)\n\tadd\tr2,r2,r1\t\t\t@ X[i]\n\tldr\tr3,[r14],#4\t\t\t@ *K256++\n\tadd\tr8,r8,r2\t\t\t@ h+=X[i]\n\tstr\tr2,[sp,#11*4]\n\teor\tr2,r6,r7\n\tadd\tr8,r8,r0,ror#6\t@ h+=Sigma1(e)\n\tand\tr2,r2,r5\n\tadd\tr8,r8,r3\t\t\t@ h+=K256[i]\n\teor\tr2,r2,r7\t\t\t@ Ch(e,f,g)\n\teor\tr0,r9,r9,ror#11\n\tadd\tr8,r8,r2\t\t\t@ h+=Ch(e,f,g)\n#if 27==31\n\tand\tr3,r3,#0xff\n\tcmp\tr3,#0xf2\t\t\t@ done?\n#endif\n#if 27<15\n# if __ARM_ARCH>=7\n\tldr\tr2,[r1],#4\t\t\t@ prefetch\n# else\n\tldrb\tr2,[r1,#3]\n# endif\n\teor\tr3,r9,r10\t\t\t@ a^b, b^c in next round\n#else\n\tldr\tr2,[sp,#13*4]\t\t@ from future BODY_16_xx\n\teor\tr3,r9,r10\t\t\t@ a^b, b^c in next round\n\tldr\tr1,[sp,#10*4]\t@ from future BODY_16_xx\n#endif\n\teor\tr0,r0,r9,ror#20\t@ Sigma0(a)\n\tand\tr12,r12,r3\t\t\t@ (b^c)&=(a^b)\n\tadd\tr4,r4,r8\t\t\t@ d+=h\n\teor\tr12,r12,r10\t\t\t@ Maj(a,b,c)\n\tadd\tr8,r8,r0,ror#2\t@ h+=Sigma0(a)\n\t@ add\tr8,r8,r12\t\t\t@ h+=Maj(a,b,c)\n\t@ ldr\tr2,[sp,#13*4]\t\t@ 28\n\t@ ldr\tr1,[sp,#10*4]\n\tmov\tr0,r2,ror#7\n\tadd\tr8,r8,r12\t\t\t@ h+=Maj(a,b,c) from the past\n\tmov\tr12,r1,ror#17\n\teor\tr0,r0,r2,ror#18\n\teor\tr12,r12,r1,ror#19\n\teor\tr0,r0,r2,lsr#3\t@ sigma0(X[i+1])\n\tldr\tr2,[sp,#12*4]\n\teor\tr12,r12,r1,lsr#10\t@ sigma1(X[i+14])\n\tldr\tr1,[sp,#5*4]\n\n\tadd\tr12,r12,r0\n\teor\tr0,r4,r4,ror#5\t@ from BODY_00_15\n\tadd\tr2,r2,r12\n\teor\tr0,r0,r4,ror#19\t@ Sigma1(e)\n\tadd\tr2,r2,r1\t\t\t@ X[i]\n\tldr\tr12,[r14],#4\t\t\t@ *K256++\n\tadd\tr7,r7,r2\t\t\t@ h+=X[i]\n\tstr\tr2,[sp,#12*4]\n\teor\tr2,r5,r6\n\tadd\tr7,r7,r0,ror#6\t@ h+=Sigma1(e)\n\tand\tr2,r2,r4\n\tadd\tr7,r7,r12\t\t\t@ h+=K256[i]\n\teor\tr2,r2,r6\t\t\t@ Ch(e,f,g)\n\teor\tr0,r8,r8,ror#11\n\tadd\tr7,r7,r2\t\t\t@ h+=Ch(e,f,g)\n#if 28==31\n\tand\tr12,r12,#0xff\n\tcmp\tr12,#0xf2\t\t\t@ done?\n#endif\n#if 28<15\n# if __ARM_ARCH>=7\n\tldr\tr2,[r1],#4\t\t\t@ prefetch\n# else\n\tldrb\tr2,[r1,#3]\n# endif\n\teor\tr12,r8,r9\t\t\t@ a^b, b^c in next round\n#else\n\tldr\tr2,[sp,#14*4]\t\t@ from future BODY_16_xx\n\teor\tr12,r8,r9\t\t\t@ a^b, b^c in next round\n\tldr\tr1,[sp,#11*4]\t@ from future BODY_16_xx\n#endif\n\teor\tr0,r0,r8,ror#20\t@ Sigma0(a)\n\tand\tr3,r3,r12\t\t\t@ (b^c)&=(a^b)\n\tadd\tr11,r11,r7\t\t\t@ d+=h\n\teor\tr3,r3,r9\t\t\t@ Maj(a,b,c)\n\tadd\tr7,r7,r0,ror#2\t@ h+=Sigma0(a)\n\t@ add\tr7,r7,r3\t\t\t@ h+=Maj(a,b,c)\n\t@ ldr\tr2,[sp,#14*4]\t\t@ 29\n\t@ ldr\tr1,[sp,#11*4]\n\tmov\tr0,r2,ror#7\n\tadd\tr7,r7,r3\t\t\t@ h+=Maj(a,b,c) from the past\n\tmov\tr3,r1,ror#17\n\teor\tr0,r0,r2,ror#18\n\teor\tr3,r3,r1,ror#19\n\teor\tr0,r0,r2,lsr#3\t@ sigma0(X[i+1])\n\tldr\tr2,[sp,#13*4]\n\teor\tr3,r3,r1,lsr#10\t@ sigma1(X[i+14])\n\tldr\tr1,[sp,#6*4]\n\n\tadd\tr3,r3,r0\n\teor\tr0,r11,r11,ror#5\t@ from BODY_00_15\n\tadd\tr2,r2,r3\n\teor\tr0,r0,r11,ror#19\t@ Sigma1(e)\n\tadd\tr2,r2,r1\t\t\t@ X[i]\n\tldr\tr3,[r14],#4\t\t\t@ *K256++\n\tadd\tr6,r6,r2\t\t\t@ h+=X[i]\n\tstr\tr2,[sp,#13*4]\n\teor\tr2,r4,r5\n\tadd\tr6,r6,r0,ror#6\t@ h+=Sigma1(e)\n\tand\tr2,r2,r11\n\tadd\tr6,r6,r3\t\t\t@ h+=K256[i]\n\teor\tr2,r2,r5\t\t\t@ Ch(e,f,g)\n\teor\tr0,r7,r7,ror#11\n\tadd\tr6,r6,r2\t\t\t@ h+=Ch(e,f,g)\n#if 29==31\n\tand\tr3,r3,#0xff\n\tcmp\tr3,#0xf2\t\t\t@ done?\n#endif\n#if 29<15\n# if __ARM_ARCH>=7\n\tldr\tr2,[r1],#4\t\t\t@ prefetch\n# else\n\tldrb\tr2,[r1,#3]\n# endif\n\teor\tr3,r7,r8\t\t\t@ a^b, b^c in next round\n#else\n\tldr\tr2,[sp,#15*4]\t\t@ from future BODY_16_xx\n\teor\tr3,r7,r8\t\t\t@ a^b, b^c in next round\n\tldr\tr1,[sp,#12*4]\t@ from future BODY_16_xx\n#endif\n\teor\tr0,r0,r7,ror#20\t@ Sigma0(a)\n\tand\tr12,r12,r3\t\t\t@ (b^c)&=(a^b)\n\tadd\tr10,r10,r6\t\t\t@ d+=h\n\teor\tr12,r12,r8\t\t\t@ Maj(a,b,c)\n\tadd\tr6,r6,r0,ror#2\t@ h+=Sigma0(a)\n\t@ add\tr6,r6,r12\t\t\t@ h+=Maj(a,b,c)\n\t@ ldr\tr2,[sp,#15*4]\t\t@ 30\n\t@ ldr\tr1,[sp,#12*4]\n\tmov\tr0,r2,ror#7\n\tadd\tr6,r6,r12\t\t\t@ h+=Maj(a,b,c) from the past\n\tmov\tr12,r1,ror#17\n\teor\tr0,r0,r2,ror#18\n\teor\tr12,r12,r1,ror#19\n\teor\tr0,r0,r2,lsr#3\t@ sigma0(X[i+1])\n\tldr\tr2,[sp,#14*4]\n\teor\tr12,r12,r1,lsr#10\t@ sigma1(X[i+14])\n\tldr\tr1,[sp,#7*4]\n\n\tadd\tr12,r12,r0\n\teor\tr0,r10,r10,ror#5\t@ from BODY_00_15\n\tadd\tr2,r2,r12\n\teor\tr0,r0,r10,ror#19\t@ Sigma1(e)\n\tadd\tr2,r2,r1\t\t\t@ X[i]\n\tldr\tr12,[r14],#4\t\t\t@ *K256++\n\tadd\tr5,r5,r2\t\t\t@ h+=X[i]\n\tstr\tr2,[sp,#14*4]\n\teor\tr2,r11,r4\n\tadd\tr5,r5,r0,ror#6\t@ h+=Sigma1(e)\n\tand\tr2,r2,r10\n\tadd\tr5,r5,r12\t\t\t@ h+=K256[i]\n\teor\tr2,r2,r4\t\t\t@ Ch(e,f,g)\n\teor\tr0,r6,r6,ror#11\n\tadd\tr5,r5,r2\t\t\t@ h+=Ch(e,f,g)\n#if 30==31\n\tand\tr12,r12,#0xff\n\tcmp\tr12,#0xf2\t\t\t@ done?\n#endif\n#if 30<15\n# if __ARM_ARCH>=7\n\tldr\tr2,[r1],#4\t\t\t@ prefetch\n# else\n\tldrb\tr2,[r1,#3]\n# endif\n\teor\tr12,r6,r7\t\t\t@ a^b, b^c in next round\n#else\n\tldr\tr2,[sp,#0*4]\t\t@ from future BODY_16_xx\n\teor\tr12,r6,r7\t\t\t@ a^b, b^c in next round\n\tldr\tr1,[sp,#13*4]\t@ from future BODY_16_xx\n#endif\n\teor\tr0,r0,r6,ror#20\t@ Sigma0(a)\n\tand\tr3,r3,r12\t\t\t@ (b^c)&=(a^b)\n\tadd\tr9,r9,r5\t\t\t@ d+=h\n\teor\tr3,r3,r7\t\t\t@ Maj(a,b,c)\n\tadd\tr5,r5,r0,ror#2\t@ h+=Sigma0(a)\n\t@ add\tr5,r5,r3\t\t\t@ h+=Maj(a,b,c)\n\t@ ldr\tr2,[sp,#0*4]\t\t@ 31\n\t@ ldr\tr1,[sp,#13*4]\n\tmov\tr0,r2,ror#7\n\tadd\tr5,r5,r3\t\t\t@ h+=Maj(a,b,c) from the past\n\tmov\tr3,r1,ror#17\n\teor\tr0,r0,r2,ror#18\n\teor\tr3,r3,r1,ror#19\n\teor\tr0,r0,r2,lsr#3\t@ sigma0(X[i+1])\n\tldr\tr2,[sp,#15*4]\n\teor\tr3,r3,r1,lsr#10\t@ sigma1(X[i+14])\n\tldr\tr1,[sp,#8*4]\n\n\tadd\tr3,r3,r0\n\teor\tr0,r9,r9,ror#5\t@ from BODY_00_15\n\tadd\tr2,r2,r3\n\teor\tr0,r0,r9,ror#19\t@ Sigma1(e)\n\tadd\tr2,r2,r1\t\t\t@ X[i]\n\tldr\tr3,[r14],#4\t\t\t@ *K256++\n\tadd\tr4,r4,r2\t\t\t@ h+=X[i]\n\tstr\tr2,[sp,#15*4]\n\teor\tr2,r10,r11\n\tadd\tr4,r4,r0,ror#6\t@ h+=Sigma1(e)\n\tand\tr2,r2,r9\n\tadd\tr4,r4,r3\t\t\t@ h+=K256[i]\n\teor\tr2,r2,r11\t\t\t@ Ch(e,f,g)\n\teor\tr0,r5,r5,ror#11\n\tadd\tr4,r4,r2\t\t\t@ h+=Ch(e,f,g)\n#if 31==31\n\tand\tr3,r3,#0xff\n\tcmp\tr3,#0xf2\t\t\t@ done?\n#endif\n#if 31<15\n# if __ARM_ARCH>=7\n\tldr\tr2,[r1],#4\t\t\t@ prefetch\n# else\n\tldrb\tr2,[r1,#3]\n# endif\n\teor\tr3,r5,r6\t\t\t@ a^b, b^c in next round\n#else\n\tldr\tr2,[sp,#1*4]\t\t@ from future BODY_16_xx\n\teor\tr3,r5,r6\t\t\t@ a^b, b^c in next round\n\tldr\tr1,[sp,#14*4]\t@ from future BODY_16_xx\n#endif\n\teor\tr0,r0,r5,ror#20\t@ Sigma0(a)\n\tand\tr12,r12,r3\t\t\t@ (b^c)&=(a^b)\n\tadd\tr8,r8,r4\t\t\t@ d+=h\n\teor\tr12,r12,r6\t\t\t@ Maj(a,b,c)\n\tadd\tr4,r4,r0,ror#2\t@ h+=Sigma0(a)\n\t@ add\tr4,r4,r12\t\t\t@ h+=Maj(a,b,c)\n#if __ARM_ARCH>=7\n\tite\teq\t\t\t@ Thumb2 thing, sanity check in ARM\n#endif\n\tldreq\tr3,[sp,#16*4]\t\t@ pull ctx\n\tbne\t.Lrounds_16_xx\n\n\tadd\tr4,r4,r12\t\t@ h+=Maj(a,b,c) from the past\n\tldr\tr0,[r3,#0]\n\tldr\tr2,[r3,#4]\n\tldr\tr12,[r3,#8]\n\tadd\tr4,r4,r0\n\tldr\tr0,[r3,#12]\n\tadd\tr5,r5,r2\n\tldr\tr2,[r3,#16]\n\tadd\tr6,r6,r12\n\tldr\tr12,[r3,#20]\n\tadd\tr7,r7,r0\n\tldr\tr0,[r3,#24]\n\tadd\tr8,r8,r2\n\tldr\tr2,[r3,#28]\n\tadd\tr9,r9,r12\n\tldr\tr1,[sp,#17*4]\t\t@ pull inp\n\tldr\tr12,[sp,#18*4]\t\t@ pull inp+len\n\tadd\tr10,r10,r0\n\tadd\tr11,r11,r2\n\tstmia\tr3,{r4,r5,r6,r7,r8,r9,r10,r11}\n\tcmp\tr1,r12\n\tsub\tr14,r14,#256\t@ rewind Ktbl\n\tbne\t.Loop\n\n\tadd\tsp,sp,#19*4\t@ destroy frame\n#if __ARM_ARCH>=5\n\tldmia\tsp!,{r4,r5,r6,r7,r8,r9,r10,r11,pc}\n#else\n\tldmia\tsp!,{r4,r5,r6,r7,r8,r9,r10,r11,lr}\n\ttst\tlr,#1\n\tmoveq\tpc,lr\t\t\t@ be binary compatible with V4, yet\n.word\t0xe12fff1e\t\t\t@ interoperable with Thumb ISA:-)\n#endif\n.size\tsha256_block_data_order_nohw,.-sha256_block_data_order_nohw\n#if __ARM_MAX_ARCH__>=7\n.arch\tarmv7-a\n.fpu\tneon\n\n.LK256_shortcut_neon:\n@ PC is 8 bytes ahead in Arm mode and 4 bytes ahead in Thumb mode.\n#if defined(__thumb2__)\n.word\tK256-(.LK256_add_neon+4)\n#else\n.word\tK256-(.LK256_add_neon+8)\n#endif\n\n.globl\tsha256_block_data_order_neon\n.hidden\tsha256_block_data_order_neon\n.type\tsha256_block_data_order_neon,%function\n.align\t5\n.skip\t16\nsha256_block_data_order_neon:\n\tstmdb\tsp!,{r4,r5,r6,r7,r8,r9,r10,r11,r12,lr}\n\n\tsub\tr11,sp,#16*4+16\n\n\t@ K256 is just at the boundary of being easily referenced by an ADR from\n\t@ this function. In Arm mode, when building with __ARM_ARCH=6, it does\n\t@ not fit. By moving code around, we could make it fit, but this is too\n\t@ fragile. For simplicity, just load the offset from\n\t@ .LK256_shortcut_neon.\n\t@\n\t@ TODO(davidben): adrl would avoid a load, but clang-assembler does not\n\t@ support it. We might be able to emulate it with a macro, but Android's\n\t@ did not work when I tried it.\n\t@ https://android.googlesource.com/platform/ndk/+/refs/heads/main/docs/ClangMigration.md#arm\n\tldr\tr14,.LK256_shortcut_neon\n.LK256_add_neon:\n\tadd\tr14,pc,r14\n\n\tbic\tr11,r11,#15\t\t@ align for 128-bit stores\n\tmov\tr12,sp\n\tmov\tsp,r11\t\t\t@ alloca\n\tadd\tr2,r1,r2,lsl#6\t@ len to point at the end of inp\n\n\tvld1.8\t{q0},[r1]!\n\tvld1.8\t{q1},[r1]!\n\tvld1.8\t{q2},[r1]!\n\tvld1.8\t{q3},[r1]!\n\tvld1.32\t{q8},[r14,:128]!\n\tvld1.32\t{q9},[r14,:128]!\n\tvld1.32\t{q10},[r14,:128]!\n\tvld1.32\t{q11},[r14,:128]!\n\tvrev32.8\tq0,q0\t\t@ yes, even on\n\tstr\tr0,[sp,#64]\n\tvrev32.8\tq1,q1\t\t@ big-endian\n\tstr\tr1,[sp,#68]\n\tmov\tr1,sp\n\tvrev32.8\tq2,q2\n\tstr\tr2,[sp,#72]\n\tvrev32.8\tq3,q3\n\tstr\tr12,[sp,#76]\t\t@ save original sp\n\tvadd.i32\tq8,q8,q0\n\tvadd.i32\tq9,q9,q1\n\tvst1.32\t{q8},[r1,:128]!\n\tvadd.i32\tq10,q10,q2\n\tvst1.32\t{q9},[r1,:128]!\n\tvadd.i32\tq11,q11,q3\n\tvst1.32\t{q10},[r1,:128]!\n\tvst1.32\t{q11},[r1,:128]!\n\n\tldmia\tr0,{r4,r5,r6,r7,r8,r9,r10,r11}\n\tsub\tr1,r1,#64\n\tldr\tr2,[sp,#0]\n\teor\tr12,r12,r12\n\teor\tr3,r5,r6\n\tb\t.L_00_48\n\n.align\t4\n.L_00_48:\n\tvext.8\tq8,q0,q1,#4\n\tadd\tr11,r11,r2\n\teor\tr2,r9,r10\n\teor\tr0,r8,r8,ror#5\n\tvext.8\tq9,q2,q3,#4\n\tadd\tr4,r4,r12\n\tand\tr2,r2,r8\n\teor\tr12,r0,r8,ror#19\n\tvshr.u32\tq10,q8,#7\n\teor\tr0,r4,r4,ror#11\n\teor\tr2,r2,r10\n\tvadd.i32\tq0,q0,q9\n\tadd\tr11,r11,r12,ror#6\n\teor\tr12,r4,r5\n\tvshr.u32\tq9,q8,#3\n\teor\tr0,r0,r4,ror#20\n\tadd\tr11,r11,r2\n\tvsli.32\tq10,q8,#25\n\tldr\tr2,[sp,#4]\n\tand\tr3,r3,r12\n\tvshr.u32\tq11,q8,#18\n\tadd\tr7,r7,r11\n\tadd\tr11,r11,r0,ror#2\n\teor\tr3,r3,r5\n\tveor\tq9,q9,q10\n\tadd\tr10,r10,r2\n\tvsli.32\tq11,q8,#14\n\teor\tr2,r8,r9\n\teor\tr0,r7,r7,ror#5\n\tvshr.u32\td24,d7,#17\n\tadd\tr11,r11,r3\n\tand\tr2,r2,r7\n\tveor\tq9,q9,q11\n\teor\tr3,r0,r7,ror#19\n\teor\tr0,r11,r11,ror#11\n\tvsli.32\td24,d7,#15\n\teor\tr2,r2,r9\n\tadd\tr10,r10,r3,ror#6\n\tvshr.u32\td25,d7,#10\n\teor\tr3,r11,r4\n\teor\tr0,r0,r11,ror#20\n\tvadd.i32\tq0,q0,q9\n\tadd\tr10,r10,r2\n\tldr\tr2,[sp,#8]\n\tveor\td25,d25,d24\n\tand\tr12,r12,r3\n\tadd\tr6,r6,r10\n\tvshr.u32\td24,d7,#19\n\tadd\tr10,r10,r0,ror#2\n\teor\tr12,r12,r4\n\tvsli.32\td24,d7,#13\n\tadd\tr9,r9,r2\n\teor\tr2,r7,r8\n\tveor\td25,d25,d24\n\teor\tr0,r6,r6,ror#5\n\tadd\tr10,r10,r12\n\tvadd.i32\td0,d0,d25\n\tand\tr2,r2,r6\n\teor\tr12,r0,r6,ror#19\n\tvshr.u32\td24,d0,#17\n\teor\tr0,r10,r10,ror#11\n\teor\tr2,r2,r8\n\tvsli.32\td24,d0,#15\n\tadd\tr9,r9,r12,ror#6\n\teor\tr12,r10,r11\n\tvshr.u32\td25,d0,#10\n\teor\tr0,r0,r10,ror#20\n\tadd\tr9,r9,r2\n\tveor\td25,d25,d24\n\tldr\tr2,[sp,#12]\n\tand\tr3,r3,r12\n\tvshr.u32\td24,d0,#19\n\tadd\tr5,r5,r9\n\tadd\tr9,r9,r0,ror#2\n\teor\tr3,r3,r11\n\tvld1.32\t{q8},[r14,:128]!\n\tadd\tr8,r8,r2\n\tvsli.32\td24,d0,#13\n\teor\tr2,r6,r7\n\teor\tr0,r5,r5,ror#5\n\tveor\td25,d25,d24\n\tadd\tr9,r9,r3\n\tand\tr2,r2,r5\n\tvadd.i32\td1,d1,d25\n\teor\tr3,r0,r5,ror#19\n\teor\tr0,r9,r9,ror#11\n\tvadd.i32\tq8,q8,q0\n\teor\tr2,r2,r7\n\tadd\tr8,r8,r3,ror#6\n\teor\tr3,r9,r10\n\teor\tr0,r0,r9,ror#20\n\tadd\tr8,r8,r2\n\tldr\tr2,[sp,#16]\n\tand\tr12,r12,r3\n\tadd\tr4,r4,r8\n\tvst1.32\t{q8},[r1,:128]!\n\tadd\tr8,r8,r0,ror#2\n\teor\tr12,r12,r10\n\tvext.8\tq8,q1,q2,#4\n\tadd\tr7,r7,r2\n\teor\tr2,r5,r6\n\teor\tr0,r4,r4,ror#5\n\tvext.8\tq9,q3,q0,#4\n\tadd\tr8,r8,r12\n\tand\tr2,r2,r4\n\teor\tr12,r0,r4,ror#19\n\tvshr.u32\tq10,q8,#7\n\teor\tr0,r8,r8,ror#11\n\teor\tr2,r2,r6\n\tvadd.i32\tq1,q1,q9\n\tadd\tr7,r7,r12,ror#6\n\teor\tr12,r8,r9\n\tvshr.u32\tq9,q8,#3\n\teor\tr0,r0,r8,ror#20\n\tadd\tr7,r7,r2\n\tvsli.32\tq10,q8,#25\n\tldr\tr2,[sp,#20]\n\tand\tr3,r3,r12\n\tvshr.u32\tq11,q8,#18\n\tadd\tr11,r11,r7\n\tadd\tr7,r7,r0,ror#2\n\teor\tr3,r3,r9\n\tveor\tq9,q9,q10\n\tadd\tr6,r6,r2\n\tvsli.32\tq11,q8,#14\n\teor\tr2,r4,r5\n\teor\tr0,r11,r11,ror#5\n\tvshr.u32\td24,d1,#17\n\tadd\tr7,r7,r3\n\tand\tr2,r2,r11\n\tveor\tq9,q9,q11\n\teor\tr3,r0,r11,ror#19\n\teor\tr0,r7,r7,ror#11\n\tvsli.32\td24,d1,#15\n\teor\tr2,r2,r5\n\tadd\tr6,r6,r3,ror#6\n\tvshr.u32\td25,d1,#10\n\teor\tr3,r7,r8\n\teor\tr0,r0,r7,ror#20\n\tvadd.i32\tq1,q1,q9\n\tadd\tr6,r6,r2\n\tldr\tr2,[sp,#24]\n\tveor\td25,d25,d24\n\tand\tr12,r12,r3\n\tadd\tr10,r10,r6\n\tvshr.u32\td24,d1,#19\n\tadd\tr6,r6,r0,ror#2\n\teor\tr12,r12,r8\n\tvsli.32\td24,d1,#13\n\tadd\tr5,r5,r2\n\teor\tr2,r11,r4\n\tveor\td25,d25,d24\n\teor\tr0,r10,r10,ror#5\n\tadd\tr6,r6,r12\n\tvadd.i32\td2,d2,d25\n\tand\tr2,r2,r10\n\teor\tr12,r0,r10,ror#19\n\tvshr.u32\td24,d2,#17\n\teor\tr0,r6,r6,ror#11\n\teor\tr2,r2,r4\n\tvsli.32\td24,d2,#15\n\tadd\tr5,r5,r12,ror#6\n\teor\tr12,r6,r7\n\tvshr.u32\td25,d2,#10\n\teor\tr0,r0,r6,ror#20\n\tadd\tr5,r5,r2\n\tveor\td25,d25,d24\n\tldr\tr2,[sp,#28]\n\tand\tr3,r3,r12\n\tvshr.u32\td24,d2,#19\n\tadd\tr9,r9,r5\n\tadd\tr5,r5,r0,ror#2\n\teor\tr3,r3,r7\n\tvld1.32\t{q8},[r14,:128]!\n\tadd\tr4,r4,r2\n\tvsli.32\td24,d2,#13\n\teor\tr2,r10,r11\n\teor\tr0,r9,r9,ror#5\n\tveor\td25,d25,d24\n\tadd\tr5,r5,r3\n\tand\tr2,r2,r9\n\tvadd.i32\td3,d3,d25\n\teor\tr3,r0,r9,ror#19\n\teor\tr0,r5,r5,ror#11\n\tvadd.i32\tq8,q8,q1\n\teor\tr2,r2,r11\n\tadd\tr4,r4,r3,ror#6\n\teor\tr3,r5,r6\n\teor\tr0,r0,r5,ror#20\n\tadd\tr4,r4,r2\n\tldr\tr2,[sp,#32]\n\tand\tr12,r12,r3\n\tadd\tr8,r8,r4\n\tvst1.32\t{q8},[r1,:128]!\n\tadd\tr4,r4,r0,ror#2\n\teor\tr12,r12,r6\n\tvext.8\tq8,q2,q3,#4\n\tadd\tr11,r11,r2\n\teor\tr2,r9,r10\n\teor\tr0,r8,r8,ror#5\n\tvext.8\tq9,q0,q1,#4\n\tadd\tr4,r4,r12\n\tand\tr2,r2,r8\n\teor\tr12,r0,r8,ror#19\n\tvshr.u32\tq10,q8,#7\n\teor\tr0,r4,r4,ror#11\n\teor\tr2,r2,r10\n\tvadd.i32\tq2,q2,q9\n\tadd\tr11,r11,r12,ror#6\n\teor\tr12,r4,r5\n\tvshr.u32\tq9,q8,#3\n\teor\tr0,r0,r4,ror#20\n\tadd\tr11,r11,r2\n\tvsli.32\tq10,q8,#25\n\tldr\tr2,[sp,#36]\n\tand\tr3,r3,r12\n\tvshr.u32\tq11,q8,#18\n\tadd\tr7,r7,r11\n\tadd\tr11,r11,r0,ror#2\n\teor\tr3,r3,r5\n\tveor\tq9,q9,q10\n\tadd\tr10,r10,r2\n\tvsli.32\tq11,q8,#14\n\teor\tr2,r8,r9\n\teor\tr0,r7,r7,ror#5\n\tvshr.u32\td24,d3,#17\n\tadd\tr11,r11,r3\n\tand\tr2,r2,r7\n\tveor\tq9,q9,q11\n\teor\tr3,r0,r7,ror#19\n\teor\tr0,r11,r11,ror#11\n\tvsli.32\td24,d3,#15\n\teor\tr2,r2,r9\n\tadd\tr10,r10,r3,ror#6\n\tvshr.u32\td25,d3,#10\n\teor\tr3,r11,r4\n\teor\tr0,r0,r11,ror#20\n\tvadd.i32\tq2,q2,q9\n\tadd\tr10,r10,r2\n\tldr\tr2,[sp,#40]\n\tveor\td25,d25,d24\n\tand\tr12,r12,r3\n\tadd\tr6,r6,r10\n\tvshr.u32\td24,d3,#19\n\tadd\tr10,r10,r0,ror#2\n\teor\tr12,r12,r4\n\tvsli.32\td24,d3,#13\n\tadd\tr9,r9,r2\n\teor\tr2,r7,r8\n\tveor\td25,d25,d24\n\teor\tr0,r6,r6,ror#5\n\tadd\tr10,r10,r12\n\tvadd.i32\td4,d4,d25\n\tand\tr2,r2,r6\n\teor\tr12,r0,r6,ror#19\n\tvshr.u32\td24,d4,#17\n\teor\tr0,r10,r10,ror#11\n\teor\tr2,r2,r8\n\tvsli.32\td24,d4,#15\n\tadd\tr9,r9,r12,ror#6\n\teor\tr12,r10,r11\n\tvshr.u32\td25,d4,#10\n\teor\tr0,r0,r10,ror#20\n\tadd\tr9,r9,r2\n\tveor\td25,d25,d24\n\tldr\tr2,[sp,#44]\n\tand\tr3,r3,r12\n\tvshr.u32\td24,d4,#19\n\tadd\tr5,r5,r9\n\tadd\tr9,r9,r0,ror#2\n\teor\tr3,r3,r11\n\tvld1.32\t{q8},[r14,:128]!\n\tadd\tr8,r8,r2\n\tvsli.32\td24,d4,#13\n\teor\tr2,r6,r7\n\teor\tr0,r5,r5,ror#5\n\tveor\td25,d25,d24\n\tadd\tr9,r9,r3\n\tand\tr2,r2,r5\n\tvadd.i32\td5,d5,d25\n\teor\tr3,r0,r5,ror#19\n\teor\tr0,r9,r9,ror#11\n\tvadd.i32\tq8,q8,q2\n\teor\tr2,r2,r7\n\tadd\tr8,r8,r3,ror#6\n\teor\tr3,r9,r10\n\teor\tr0,r0,r9,ror#20\n\tadd\tr8,r8,r2\n\tldr\tr2,[sp,#48]\n\tand\tr12,r12,r3\n\tadd\tr4,r4,r8\n\tvst1.32\t{q8},[r1,:128]!\n\tadd\tr8,r8,r0,ror#2\n\teor\tr12,r12,r10\n\tvext.8\tq8,q3,q0,#4\n\tadd\tr7,r7,r2\n\teor\tr2,r5,r6\n\teor\tr0,r4,r4,ror#5\n\tvext.8\tq9,q1,q2,#4\n\tadd\tr8,r8,r12\n\tand\tr2,r2,r4\n\teor\tr12,r0,r4,ror#19\n\tvshr.u32\tq10,q8,#7\n\teor\tr0,r8,r8,ror#11\n\teor\tr2,r2,r6\n\tvadd.i32\tq3,q3,q9\n\tadd\tr7,r7,r12,ror#6\n\teor\tr12,r8,r9\n\tvshr.u32\tq9,q8,#3\n\teor\tr0,r0,r8,ror#20\n\tadd\tr7,r7,r2\n\tvsli.32\tq10,q8,#25\n\tldr\tr2,[sp,#52]\n\tand\tr3,r3,r12\n\tvshr.u32\tq11,q8,#18\n\tadd\tr11,r11,r7\n\tadd\tr7,r7,r0,ror#2\n\teor\tr3,r3,r9\n\tveor\tq9,q9,q10\n\tadd\tr6,r6,r2\n\tvsli.32\tq11,q8,#14\n\teor\tr2,r4,r5\n\teor\tr0,r11,r11,ror#5\n\tvshr.u32\td24,d5,#17\n\tadd\tr7,r7,r3\n\tand\tr2,r2,r11\n\tveor\tq9,q9,q11\n\teor\tr3,r0,r11,ror#19\n\teor\tr0,r7,r7,ror#11\n\tvsli.32\td24,d5,#15\n\teor\tr2,r2,r5\n\tadd\tr6,r6,r3,ror#6\n\tvshr.u32\td25,d5,#10\n\teor\tr3,r7,r8\n\teor\tr0,r0,r7,ror#20\n\tvadd.i32\tq3,q3,q9\n\tadd\tr6,r6,r2\n\tldr\tr2,[sp,#56]\n\tveor\td25,d25,d24\n\tand\tr12,r12,r3\n\tadd\tr10,r10,r6\n\tvshr.u32\td24,d5,#19\n\tadd\tr6,r6,r0,ror#2\n\teor\tr12,r12,r8\n\tvsli.32\td24,d5,#13\n\tadd\tr5,r5,r2\n\teor\tr2,r11,r4\n\tveor\td25,d25,d24\n\teor\tr0,r10,r10,ror#5\n\tadd\tr6,r6,r12\n\tvadd.i32\td6,d6,d25\n\tand\tr2,r2,r10\n\teor\tr12,r0,r10,ror#19\n\tvshr.u32\td24,d6,#17\n\teor\tr0,r6,r6,ror#11\n\teor\tr2,r2,r4\n\tvsli.32\td24,d6,#15\n\tadd\tr5,r5,r12,ror#6\n\teor\tr12,r6,r7\n\tvshr.u32\td25,d6,#10\n\teor\tr0,r0,r6,ror#20\n\tadd\tr5,r5,r2\n\tveor\td25,d25,d24\n\tldr\tr2,[sp,#60]\n\tand\tr3,r3,r12\n\tvshr.u32\td24,d6,#19\n\tadd\tr9,r9,r5\n\tadd\tr5,r5,r0,ror#2\n\teor\tr3,r3,r7\n\tvld1.32\t{q8},[r14,:128]!\n\tadd\tr4,r4,r2\n\tvsli.32\td24,d6,#13\n\teor\tr2,r10,r11\n\teor\tr0,r9,r9,ror#5\n\tveor\td25,d25,d24\n\tadd\tr5,r5,r3\n\tand\tr2,r2,r9\n\tvadd.i32\td7,d7,d25\n\teor\tr3,r0,r9,ror#19\n\teor\tr0,r5,r5,ror#11\n\tvadd.i32\tq8,q8,q3\n\teor\tr2,r2,r11\n\tadd\tr4,r4,r3,ror#6\n\teor\tr3,r5,r6\n\teor\tr0,r0,r5,ror#20\n\tadd\tr4,r4,r2\n\tldr\tr2,[r14]\n\tand\tr12,r12,r3\n\tadd\tr8,r8,r4\n\tvst1.32\t{q8},[r1,:128]!\n\tadd\tr4,r4,r0,ror#2\n\teor\tr12,r12,r6\n\tteq\tr2,#0\t\t\t\t@ check for K256 terminator\n\tldr\tr2,[sp,#0]\n\tsub\tr1,r1,#64\n\tbne\t.L_00_48\n\n\tldr\tr1,[sp,#68]\n\tldr\tr0,[sp,#72]\n\tsub\tr14,r14,#256\t@ rewind r14\n\tteq\tr1,r0\n\tit\teq\n\tsubeq\tr1,r1,#64\t\t@ avoid SEGV\n\tvld1.8\t{q0},[r1]!\t\t@ load next input block\n\tvld1.8\t{q1},[r1]!\n\tvld1.8\t{q2},[r1]!\n\tvld1.8\t{q3},[r1]!\n\tit\tne\n\tstrne\tr1,[sp,#68]\n\tmov\tr1,sp\n\tadd\tr11,r11,r2\n\teor\tr2,r9,r10\n\teor\tr0,r8,r8,ror#5\n\tadd\tr4,r4,r12\n\tvld1.32\t{q8},[r14,:128]!\n\tand\tr2,r2,r8\n\teor\tr12,r0,r8,ror#19\n\teor\tr0,r4,r4,ror#11\n\teor\tr2,r2,r10\n\tvrev32.8\tq0,q0\n\tadd\tr11,r11,r12,ror#6\n\teor\tr12,r4,r5\n\teor\tr0,r0,r4,ror#20\n\tadd\tr11,r11,r2\n\tvadd.i32\tq8,q8,q0\n\tldr\tr2,[sp,#4]\n\tand\tr3,r3,r12\n\tadd\tr7,r7,r11\n\tadd\tr11,r11,r0,ror#2\n\teor\tr3,r3,r5\n\tadd\tr10,r10,r2\n\teor\tr2,r8,r9\n\teor\tr0,r7,r7,ror#5\n\tadd\tr11,r11,r3\n\tand\tr2,r2,r7\n\teor\tr3,r0,r7,ror#19\n\teor\tr0,r11,r11,ror#11\n\teor\tr2,r2,r9\n\tadd\tr10,r10,r3,ror#6\n\teor\tr3,r11,r4\n\teor\tr0,r0,r11,ror#20\n\tadd\tr10,r10,r2\n\tldr\tr2,[sp,#8]\n\tand\tr12,r12,r3\n\tadd\tr6,r6,r10\n\tadd\tr10,r10,r0,ror#2\n\teor\tr12,r12,r4\n\tadd\tr9,r9,r2\n\teor\tr2,r7,r8\n\teor\tr0,r6,r6,ror#5\n\tadd\tr10,r10,r12\n\tand\tr2,r2,r6\n\teor\tr12,r0,r6,ror#19\n\teor\tr0,r10,r10,ror#11\n\teor\tr2,r2,r8\n\tadd\tr9,r9,r12,ror#6\n\teor\tr12,r10,r11\n\teor\tr0,r0,r10,ror#20\n\tadd\tr9,r9,r2\n\tldr\tr2,[sp,#12]\n\tand\tr3,r3,r12\n\tadd\tr5,r5,r9\n\tadd\tr9,r9,r0,ror#2\n\teor\tr3,r3,r11\n\tadd\tr8,r8,r2\n\teor\tr2,r6,r7\n\teor\tr0,r5,r5,ror#5\n\tadd\tr9,r9,r3\n\tand\tr2,r2,r5\n\teor\tr3,r0,r5,ror#19\n\teor\tr0,r9,r9,ror#11\n\teor\tr2,r2,r7\n\tadd\tr8,r8,r3,ror#6\n\teor\tr3,r9,r10\n\teor\tr0,r0,r9,ror#20\n\tadd\tr8,r8,r2\n\tldr\tr2,[sp,#16]\n\tand\tr12,r12,r3\n\tadd\tr4,r4,r8\n\tadd\tr8,r8,r0,ror#2\n\teor\tr12,r12,r10\n\tvst1.32\t{q8},[r1,:128]!\n\tadd\tr7,r7,r2\n\teor\tr2,r5,r6\n\teor\tr0,r4,r4,ror#5\n\tadd\tr8,r8,r12\n\tvld1.32\t{q8},[r14,:128]!\n\tand\tr2,r2,r4\n\teor\tr12,r0,r4,ror#19\n\teor\tr0,r8,r8,ror#11\n\teor\tr2,r2,r6\n\tvrev32.8\tq1,q1\n\tadd\tr7,r7,r12,ror#6\n\teor\tr12,r8,r9\n\teor\tr0,r0,r8,ror#20\n\tadd\tr7,r7,r2\n\tvadd.i32\tq8,q8,q1\n\tldr\tr2,[sp,#20]\n\tand\tr3,r3,r12\n\tadd\tr11,r11,r7\n\tadd\tr7,r7,r0,ror#2\n\teor\tr3,r3,r9\n\tadd\tr6,r6,r2\n\teor\tr2,r4,r5\n\teor\tr0,r11,r11,ror#5\n\tadd\tr7,r7,r3\n\tand\tr2,r2,r11\n\teor\tr3,r0,r11,ror#19\n\teor\tr0,r7,r7,ror#11\n\teor\tr2,r2,r5\n\tadd\tr6,r6,r3,ror#6\n\teor\tr3,r7,r8\n\teor\tr0,r0,r7,ror#20\n\tadd\tr6,r6,r2\n\tldr\tr2,[sp,#24]\n\tand\tr12,r12,r3\n\tadd\tr10,r10,r6\n\tadd\tr6,r6,r0,ror#2\n\teor\tr12,r12,r8\n\tadd\tr5,r5,r2\n\teor\tr2,r11,r4\n\teor\tr0,r10,r10,ror#5\n\tadd\tr6,r6,r12\n\tand\tr2,r2,r10\n\teor\tr12,r0,r10,ror#19\n\teor\tr0,r6,r6,ror#11\n\teor\tr2,r2,r4\n\tadd\tr5,r5,r12,ror#6\n\teor\tr12,r6,r7\n\teor\tr0,r0,r6,ror#20\n\tadd\tr5,r5,r2\n\tldr\tr2,[sp,#28]\n\tand\tr3,r3,r12\n\tadd\tr9,r9,r5\n\tadd\tr5,r5,r0,ror#2\n\teor\tr3,r3,r7\n\tadd\tr4,r4,r2\n\teor\tr2,r10,r11\n\teor\tr0,r9,r9,ror#5\n\tadd\tr5,r5,r3\n\tand\tr2,r2,r9\n\teor\tr3,r0,r9,ror#19\n\teor\tr0,r5,r5,ror#11\n\teor\tr2,r2,r11\n\tadd\tr4,r4,r3,ror#6\n\teor\tr3,r5,r6\n\teor\tr0,r0,r5,ror#20\n\tadd\tr4,r4,r2\n\tldr\tr2,[sp,#32]\n\tand\tr12,r12,r3\n\tadd\tr8,r8,r4\n\tadd\tr4,r4,r0,ror#2\n\teor\tr12,r12,r6\n\tvst1.32\t{q8},[r1,:128]!\n\tadd\tr11,r11,r2\n\teor\tr2,r9,r10\n\teor\tr0,r8,r8,ror#5\n\tadd\tr4,r4,r12\n\tvld1.32\t{q8},[r14,:128]!\n\tand\tr2,r2,r8\n\teor\tr12,r0,r8,ror#19\n\teor\tr0,r4,r4,ror#11\n\teor\tr2,r2,r10\n\tvrev32.8\tq2,q2\n\tadd\tr11,r11,r12,ror#6\n\teor\tr12,r4,r5\n\teor\tr0,r0,r4,ror#20\n\tadd\tr11,r11,r2\n\tvadd.i32\tq8,q8,q2\n\tldr\tr2,[sp,#36]\n\tand\tr3,r3,r12\n\tadd\tr7,r7,r11\n\tadd\tr11,r11,r0,ror#2\n\teor\tr3,r3,r5\n\tadd\tr10,r10,r2\n\teor\tr2,r8,r9\n\teor\tr0,r7,r7,ror#5\n\tadd\tr11,r11,r3\n\tand\tr2,r2,r7\n\teor\tr3,r0,r7,ror#19\n\teor\tr0,r11,r11,ror#11\n\teor\tr2,r2,r9\n\tadd\tr10,r10,r3,ror#6\n\teor\tr3,r11,r4\n\teor\tr0,r0,r11,ror#20\n\tadd\tr10,r10,r2\n\tldr\tr2,[sp,#40]\n\tand\tr12,r12,r3\n\tadd\tr6,r6,r10\n\tadd\tr10,r10,r0,ror#2\n\teor\tr12,r12,r4\n\tadd\tr9,r9,r2\n\teor\tr2,r7,r8\n\teor\tr0,r6,r6,ror#5\n\tadd\tr10,r10,r12\n\tand\tr2,r2,r6\n\teor\tr12,r0,r6,ror#19\n\teor\tr0,r10,r10,ror#11\n\teor\tr2,r2,r8\n\tadd\tr9,r9,r12,ror#6\n\teor\tr12,r10,r11\n\teor\tr0,r0,r10,ror#20\n\tadd\tr9,r9,r2\n\tldr\tr2,[sp,#44]\n\tand\tr3,r3,r12\n\tadd\tr5,r5,r9\n\tadd\tr9,r9,r0,ror#2\n\teor\tr3,r3,r11\n\tadd\tr8,r8,r2\n\teor\tr2,r6,r7\n\teor\tr0,r5,r5,ror#5\n\tadd\tr9,r9,r3\n\tand\tr2,r2,r5\n\teor\tr3,r0,r5,ror#19\n\teor\tr0,r9,r9,ror#11\n\teor\tr2,r2,r7\n\tadd\tr8,r8,r3,ror#6\n\teor\tr3,r9,r10\n\teor\tr0,r0,r9,ror#20\n\tadd\tr8,r8,r2\n\tldr\tr2,[sp,#48]\n\tand\tr12,r12,r3\n\tadd\tr4,r4,r8\n\tadd\tr8,r8,r0,ror#2\n\teor\tr12,r12,r10\n\tvst1.32\t{q8},[r1,:128]!\n\tadd\tr7,r7,r2\n\teor\tr2,r5,r6\n\teor\tr0,r4,r4,ror#5\n\tadd\tr8,r8,r12\n\tvld1.32\t{q8},[r14,:128]!\n\tand\tr2,r2,r4\n\teor\tr12,r0,r4,ror#19\n\teor\tr0,r8,r8,ror#11\n\teor\tr2,r2,r6\n\tvrev32.8\tq3,q3\n\tadd\tr7,r7,r12,ror#6\n\teor\tr12,r8,r9\n\teor\tr0,r0,r8,ror#20\n\tadd\tr7,r7,r2\n\tvadd.i32\tq8,q8,q3\n\tldr\tr2,[sp,#52]\n\tand\tr3,r3,r12\n\tadd\tr11,r11,r7\n\tadd\tr7,r7,r0,ror#2\n\teor\tr3,r3,r9\n\tadd\tr6,r6,r2\n\teor\tr2,r4,r5\n\teor\tr0,r11,r11,ror#5\n\tadd\tr7,r7,r3\n\tand\tr2,r2,r11\n\teor\tr3,r0,r11,ror#19\n\teor\tr0,r7,r7,ror#11\n\teor\tr2,r2,r5\n\tadd\tr6,r6,r3,ror#6\n\teor\tr3,r7,r8\n\teor\tr0,r0,r7,ror#20\n\tadd\tr6,r6,r2\n\tldr\tr2,[sp,#56]\n\tand\tr12,r12,r3\n\tadd\tr10,r10,r6\n\tadd\tr6,r6,r0,ror#2\n\teor\tr12,r12,r8\n\tadd\tr5,r5,r2\n\teor\tr2,r11,r4\n\teor\tr0,r10,r10,ror#5\n\tadd\tr6,r6,r12\n\tand\tr2,r2,r10\n\teor\tr12,r0,r10,ror#19\n\teor\tr0,r6,r6,ror#11\n\teor\tr2,r2,r4\n\tadd\tr5,r5,r12,ror#6\n\teor\tr12,r6,r7\n\teor\tr0,r0,r6,ror#20\n\tadd\tr5,r5,r2\n\tldr\tr2,[sp,#60]\n\tand\tr3,r3,r12\n\tadd\tr9,r9,r5\n\tadd\tr5,r5,r0,ror#2\n\teor\tr3,r3,r7\n\tadd\tr4,r4,r2\n\teor\tr2,r10,r11\n\teor\tr0,r9,r9,ror#5\n\tadd\tr5,r5,r3\n\tand\tr2,r2,r9\n\teor\tr3,r0,r9,ror#19\n\teor\tr0,r5,r5,ror#11\n\teor\tr2,r2,r11\n\tadd\tr4,r4,r3,ror#6\n\teor\tr3,r5,r6\n\teor\tr0,r0,r5,ror#20\n\tadd\tr4,r4,r2\n\tldr\tr2,[sp,#64]\n\tand\tr12,r12,r3\n\tadd\tr8,r8,r4\n\tadd\tr4,r4,r0,ror#2\n\teor\tr12,r12,r6\n\tvst1.32\t{q8},[r1,:128]!\n\tldr\tr0,[r2,#0]\n\tadd\tr4,r4,r12\t\t\t@ h+=Maj(a,b,c) from the past\n\tldr\tr12,[r2,#4]\n\tldr\tr3,[r2,#8]\n\tldr\tr1,[r2,#12]\n\tadd\tr4,r4,r0\t\t\t@ accumulate\n\tldr\tr0,[r2,#16]\n\tadd\tr5,r5,r12\n\tldr\tr12,[r2,#20]\n\tadd\tr6,r6,r3\n\tldr\tr3,[r2,#24]\n\tadd\tr7,r7,r1\n\tldr\tr1,[r2,#28]\n\tadd\tr8,r8,r0\n\tstr\tr4,[r2],#4\n\tadd\tr9,r9,r12\n\tstr\tr5,[r2],#4\n\tadd\tr10,r10,r3\n\tstr\tr6,[r2],#4\n\tadd\tr11,r11,r1\n\tstr\tr7,[r2],#4\n\tstmia\tr2,{r8,r9,r10,r11}\n\n\tittte\tne\n\tmovne\tr1,sp\n\tldrne\tr2,[sp,#0]\n\teorne\tr12,r12,r12\n\tldreq\tsp,[sp,#76]\t\t\t@ restore original sp\n\titt\tne\n\teorne\tr3,r5,r6\n\tbne\t.L_00_48\n\n\tldmia\tsp!,{r4,r5,r6,r7,r8,r9,r10,r11,r12,pc}\n.size\tsha256_block_data_order_neon,.-sha256_block_data_order_neon\n#endif\n#if __ARM_MAX_ARCH__>=7 && !defined(__KERNEL__)\n\n# if defined(__thumb2__)\n# define INST(a,b,c,d)\t.byte\tc,d|0xc,a,b\n# else\n# define INST(a,b,c,d)\t.byte\ta,b,c,d\n# endif\n\n.LK256_shortcut_hw:\n@ PC is 8 bytes ahead in Arm mode and 4 bytes ahead in Thumb mode.\n#if defined(__thumb2__)\n.word\tK256-(.LK256_add_hw+4)\n#else\n.word\tK256-(.LK256_add_hw+8)\n#endif\n\n.globl\tsha256_block_data_order_hw\n.hidden\tsha256_block_data_order_hw\n.type\tsha256_block_data_order_hw,%function\n.align\t5\nsha256_block_data_order_hw:\n\t@ K256 is too far to reference from one ADR command in Thumb mode. In\n\t@ Arm mode, we could make it fit by aligning the ADR offset to a 64-byte\n\t@ boundary. For simplicity, just load the offset from .LK256_shortcut_hw.\n\tldr\tr3,.LK256_shortcut_hw\n.LK256_add_hw:\n\tadd\tr3,pc,r3\n\n\tvld1.32\t{q0,q1},[r0]\n\tadd\tr2,r1,r2,lsl#6\t@ len to point at the end of inp\n\tb\t.Loop_v8\n\n.align\t4\n.Loop_v8:\n\tvld1.8\t{q8,q9},[r1]!\n\tvld1.8\t{q10,q11},[r1]!\n\tvld1.32\t{q12},[r3]!\n\tvrev32.8\tq8,q8\n\tvrev32.8\tq9,q9\n\tvrev32.8\tq10,q10\n\tvrev32.8\tq11,q11\n\tvmov\tq14,q0\t@ offload\n\tvmov\tq15,q1\n\tteq\tr1,r2\n\tvld1.32\t{q13},[r3]!\n\tvadd.i32\tq12,q12,q8\n\tINST(0xe2,0x03,0xfa,0xf3)\t@ sha256su0 q8,q9\n\tvmov\tq2,q0\n\tINST(0x68,0x0c,0x02,0xf3)\t@ sha256h q0,q1,q12\n\tINST(0x68,0x2c,0x14,0xf3)\t@ sha256h2 q1,q2,q12\n\tINST(0xe6,0x0c,0x64,0xf3)\t@ sha256su1 q8,q10,q11\n\tvld1.32\t{q12},[r3]!\n\tvadd.i32\tq13,q13,q9\n\tINST(0xe4,0x23,0xfa,0xf3)\t@ sha256su0 q9,q10\n\tvmov\tq2,q0\n\tINST(0x6a,0x0c,0x02,0xf3)\t@ sha256h q0,q1,q13\n\tINST(0x6a,0x2c,0x14,0xf3)\t@ sha256h2 q1,q2,q13\n\tINST(0xe0,0x2c,0x66,0xf3)\t@ sha256su1 q9,q11,q8\n\tvld1.32\t{q13},[r3]!\n\tvadd.i32\tq12,q12,q10\n\tINST(0xe6,0x43,0xfa,0xf3)\t@ sha256su0 q10,q11\n\tvmov\tq2,q0\n\tINST(0x68,0x0c,0x02,0xf3)\t@ sha256h q0,q1,q12\n\tINST(0x68,0x2c,0x14,0xf3)\t@ sha256h2 q1,q2,q12\n\tINST(0xe2,0x4c,0x60,0xf3)\t@ sha256su1 q10,q8,q9\n\tvld1.32\t{q12},[r3]!\n\tvadd.i32\tq13,q13,q11\n\tINST(0xe0,0x63,0xfa,0xf3)\t@ sha256su0 q11,q8\n\tvmov\tq2,q0\n\tINST(0x6a,0x0c,0x02,0xf3)\t@ sha256h q0,q1,q13\n\tINST(0x6a,0x2c,0x14,0xf3)\t@ sha256h2 q1,q2,q13\n\tINST(0xe4,0x6c,0x62,0xf3)\t@ sha256su1 q11,q9,q10\n\tvld1.32\t{q13},[r3]!\n\tvadd.i32\tq12,q12,q8\n\tINST(0xe2,0x03,0xfa,0xf3)\t@ sha256su0 q8,q9\n\tvmov\tq2,q0\n\tINST(0x68,0x0c,0x02,0xf3)\t@ sha256h q0,q1,q12\n\tINST(0x68,0x2c,0x14,0xf3)\t@ sha256h2 q1,q2,q12\n\tINST(0xe6,0x0c,0x64,0xf3)\t@ sha256su1 q8,q10,q11\n\tvld1.32\t{q12},[r3]!\n\tvadd.i32\tq13,q13,q9\n\tINST(0xe4,0x23,0xfa,0xf3)\t@ sha256su0 q9,q10\n\tvmov\tq2,q0\n\tINST(0x6a,0x0c,0x02,0xf3)\t@ sha256h q0,q1,q13\n\tINST(0x6a,0x2c,0x14,0xf3)\t@ sha256h2 q1,q2,q13\n\tINST(0xe0,0x2c,0x66,0xf3)\t@ sha256su1 q9,q11,q8\n\tvld1.32\t{q13},[r3]!\n\tvadd.i32\tq12,q12,q10\n\tINST(0xe6,0x43,0xfa,0xf3)\t@ sha256su0 q10,q11\n\tvmov\tq2,q0\n\tINST(0x68,0x0c,0x02,0xf3)\t@ sha256h q0,q1,q12\n\tINST(0x68,0x2c,0x14,0xf3)\t@ sha256h2 q1,q2,q12\n\tINST(0xe2,0x4c,0x60,0xf3)\t@ sha256su1 q10,q8,q9\n\tvld1.32\t{q12},[r3]!\n\tvadd.i32\tq13,q13,q11\n\tINST(0xe0,0x63,0xfa,0xf3)\t@ sha256su0 q11,q8\n\tvmov\tq2,q0\n\tINST(0x6a,0x0c,0x02,0xf3)\t@ sha256h q0,q1,q13\n\tINST(0x6a,0x2c,0x14,0xf3)\t@ sha256h2 q1,q2,q13\n\tINST(0xe4,0x6c,0x62,0xf3)\t@ sha256su1 q11,q9,q10\n\tvld1.32\t{q13},[r3]!\n\tvadd.i32\tq12,q12,q8\n\tINST(0xe2,0x03,0xfa,0xf3)\t@ sha256su0 q8,q9\n\tvmov\tq2,q0\n\tINST(0x68,0x0c,0x02,0xf3)\t@ sha256h q0,q1,q12\n\tINST(0x68,0x2c,0x14,0xf3)\t@ sha256h2 q1,q2,q12\n\tINST(0xe6,0x0c,0x64,0xf3)\t@ sha256su1 q8,q10,q11\n\tvld1.32\t{q12},[r3]!\n\tvadd.i32\tq13,q13,q9\n\tINST(0xe4,0x23,0xfa,0xf3)\t@ sha256su0 q9,q10\n\tvmov\tq2,q0\n\tINST(0x6a,0x0c,0x02,0xf3)\t@ sha256h q0,q1,q13\n\tINST(0x6a,0x2c,0x14,0xf3)\t@ sha256h2 q1,q2,q13\n\tINST(0xe0,0x2c,0x66,0xf3)\t@ sha256su1 q9,q11,q8\n\tvld1.32\t{q13},[r3]!\n\tvadd.i32\tq12,q12,q10\n\tINST(0xe6,0x43,0xfa,0xf3)\t@ sha256su0 q10,q11\n\tvmov\tq2,q0\n\tINST(0x68,0x0c,0x02,0xf3)\t@ sha256h q0,q1,q12\n\tINST(0x68,0x2c,0x14,0xf3)\t@ sha256h2 q1,q2,q12\n\tINST(0xe2,0x4c,0x60,0xf3)\t@ sha256su1 q10,q8,q9\n\tvld1.32\t{q12},[r3]!\n\tvadd.i32\tq13,q13,q11\n\tINST(0xe0,0x63,0xfa,0xf3)\t@ sha256su0 q11,q8\n\tvmov\tq2,q0\n\tINST(0x6a,0x0c,0x02,0xf3)\t@ sha256h q0,q1,q13\n\tINST(0x6a,0x2c,0x14,0xf3)\t@ sha256h2 q1,q2,q13\n\tINST(0xe4,0x6c,0x62,0xf3)\t@ sha256su1 q11,q9,q10\n\tvld1.32\t{q13},[r3]!\n\tvadd.i32\tq12,q12,q8\n\tvmov\tq2,q0\n\tINST(0x68,0x0c,0x02,0xf3)\t@ sha256h q0,q1,q12\n\tINST(0x68,0x2c,0x14,0xf3)\t@ sha256h2 q1,q2,q12\n\n\tvld1.32\t{q12},[r3]!\n\tvadd.i32\tq13,q13,q9\n\tvmov\tq2,q0\n\tINST(0x6a,0x0c,0x02,0xf3)\t@ sha256h q0,q1,q13\n\tINST(0x6a,0x2c,0x14,0xf3)\t@ sha256h2 q1,q2,q13\n\n\tvld1.32\t{q13},[r3]\n\tvadd.i32\tq12,q12,q10\n\tsub\tr3,r3,#256-16\t@ rewind\n\tvmov\tq2,q0\n\tINST(0x68,0x0c,0x02,0xf3)\t@ sha256h q0,q1,q12\n\tINST(0x68,0x2c,0x14,0xf3)\t@ sha256h2 q1,q2,q12\n\n\tvadd.i32\tq13,q13,q11\n\tvmov\tq2,q0\n\tINST(0x6a,0x0c,0x02,0xf3)\t@ sha256h q0,q1,q13\n\tINST(0x6a,0x2c,0x14,0xf3)\t@ sha256h2 q1,q2,q13\n\n\tvadd.i32\tq0,q0,q14\n\tvadd.i32\tq1,q1,q15\n\tit\tne\n\tbne\t.Loop_v8\n\n\tvst1.32\t{q0,q1},[r0]\n\n\tbx\tlr\t\t@ bx lr\n.size\tsha256_block_data_order_hw,.-sha256_block_data_order_hw\n#endif\n.byte\t83,72,65,50,53,54,32,98,108,111,99,107,32,116,114,97,110,115,102,111,114,109,32,102,111,114,32,65,82,77,118,52,47,78,69,79,78,47,65,82,77,118,56,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0\n.align\t2\n.align\t2\n#endif // !OPENSSL_NO_ASM && defined(OPENSSL_ARM) && defined(__ELF__)\n#if defined(__linux__) && defined(__ELF__)\n.section .note.GNU-stack,\"\",%progbits\n#endif\n\n" }, { "path": "Sources/CNIOBoringSSL/gen/bcm/sha256-armv8-apple.S", "content": "#define BORINGSSL_PREFIX CNIOBoringSSL\n// This file is generated from a similarly-named Perl script in the BoringSSL\n// source tree. Do not edit by hand.\n\n#include \n\n#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_AARCH64) && defined(__APPLE__)\n// Copyright 2014-2020 The OpenSSL Project Authors. All Rights Reserved.\n//\n// Licensed under the OpenSSL license (the \"License\"). You may not use\n// this file except in compliance with the License. You can obtain a copy\n// in the file LICENSE in the source distribution or at\n// https://www.openssl.org/source/license.html\n\n// ====================================================================\n// Written by Andy Polyakov for the OpenSSL\n// project. The module is, however, dual licensed under OpenSSL and\n// CRYPTOGAMS licenses depending on where you obtain it. For further\n// details see http://www.openssl.org/~appro/cryptogams/.\n//\n// Permission to use under GPLv2 terms is granted.\n// ====================================================================\n//\n// SHA256/512 for ARMv8.\n//\n// Performance in cycles per processed byte and improvement coefficient\n// over code generated with \"default\" compiler:\n//\n//\t\tSHA256-hw\tSHA256(*)\tSHA512\n// Apple A7\t1.97\t\t10.5 (+33%)\t6.73 (-1%(**))\n// Cortex-A53\t2.38\t\t15.5 (+115%)\t10.0 (+150%(***))\n// Cortex-A57\t2.31\t\t11.6 (+86%)\t7.51 (+260%(***))\n// Denver\t2.01\t\t10.5 (+26%)\t6.70 (+8%)\n// X-Gene\t\t\t20.0 (+100%)\t12.8 (+300%(***))\n// Mongoose\t2.36\t\t13.0 (+50%)\t8.36 (+33%)\n// Kryo\t\t1.92\t\t17.4 (+30%)\t11.2 (+8%)\n//\n// (*)\tSoftware SHA256 results are of lesser relevance, presented\n//\tmostly for informational purposes.\n// (**)\tThe result is a trade-off: it's possible to improve it by\n//\t10% (or by 1 cycle per round), but at the cost of 20% loss\n//\ton Cortex-A53 (or by 4 cycles per round).\n// (***)\tSuper-impressive coefficients over gcc-generated code are\n//\tindication of some compiler \"pathology\", most notably code\n//\tgenerated with -mgeneral-regs-only is significantly faster\n//\tand the gap is only 40-90%.\n\n#ifndef\t__KERNEL__\n# include \n#endif\n\n.text\n\n.globl\t_sha256_block_data_order_nohw\n.private_extern\t_sha256_block_data_order_nohw\n\n.align\t6\n_sha256_block_data_order_nohw:\n\tAARCH64_SIGN_LINK_REGISTER\n\tstp\tx29,x30,[sp,#-128]!\n\tadd\tx29,sp,#0\n\n\tstp\tx19,x20,[sp,#16]\n\tstp\tx21,x22,[sp,#32]\n\tstp\tx23,x24,[sp,#48]\n\tstp\tx25,x26,[sp,#64]\n\tstp\tx27,x28,[sp,#80]\n\tsub\tsp,sp,#4*4\n\n\tldp\tw20,w21,[x0]\t\t\t\t// load context\n\tldp\tw22,w23,[x0,#2*4]\n\tldp\tw24,w25,[x0,#4*4]\n\tadd\tx2,x1,x2,lsl#6\t// end of input\n\tldp\tw26,w27,[x0,#6*4]\n\tadrp\tx30,LK256@PAGE\n\tadd\tx30,x30,LK256@PAGEOFF\n\tstp\tx0,x2,[x29,#96]\n\nLoop:\n\tldp\tw3,w4,[x1],#2*4\n\tldr\tw19,[x30],#4\t\t\t// *K++\n\teor\tw28,w21,w22\t\t\t\t// magic seed\n\tstr\tx1,[x29,#112]\n#ifndef\t__AARCH64EB__\n\trev\tw3,w3\t\t\t// 0\n#endif\n\tror\tw16,w24,#6\n\tadd\tw27,w27,w19\t\t\t// h+=K[i]\n\teor\tw6,w24,w24,ror#14\n\tand\tw17,w25,w24\n\tbic\tw19,w26,w24\n\tadd\tw27,w27,w3\t\t\t// h+=X[i]\n\torr\tw17,w17,w19\t\t\t// Ch(e,f,g)\n\teor\tw19,w20,w21\t\t\t// a^b, b^c in next round\n\teor\tw16,w16,w6,ror#11\t// Sigma1(e)\n\tror\tw6,w20,#2\n\tadd\tw27,w27,w17\t\t\t// h+=Ch(e,f,g)\n\teor\tw17,w20,w20,ror#9\n\tadd\tw27,w27,w16\t\t\t// h+=Sigma1(e)\n\tand\tw28,w28,w19\t\t\t// (b^c)&=(a^b)\n\tadd\tw23,w23,w27\t\t\t// d+=h\n\teor\tw28,w28,w21\t\t\t// Maj(a,b,c)\n\teor\tw17,w6,w17,ror#13\t// Sigma0(a)\n\tadd\tw27,w27,w28\t\t\t// h+=Maj(a,b,c)\n\tldr\tw28,[x30],#4\t\t// *K++, w19 in next round\n\t//add\tw27,w27,w17\t\t\t// h+=Sigma0(a)\n#ifndef\t__AARCH64EB__\n\trev\tw4,w4\t\t\t// 1\n#endif\n\tldp\tw5,w6,[x1],#2*4\n\tadd\tw27,w27,w17\t\t\t// h+=Sigma0(a)\n\tror\tw16,w23,#6\n\tadd\tw26,w26,w28\t\t\t// h+=K[i]\n\teor\tw7,w23,w23,ror#14\n\tand\tw17,w24,w23\n\tbic\tw28,w25,w23\n\tadd\tw26,w26,w4\t\t\t// h+=X[i]\n\torr\tw17,w17,w28\t\t\t// Ch(e,f,g)\n\teor\tw28,w27,w20\t\t\t// a^b, b^c in next round\n\teor\tw16,w16,w7,ror#11\t// Sigma1(e)\n\tror\tw7,w27,#2\n\tadd\tw26,w26,w17\t\t\t// h+=Ch(e,f,g)\n\teor\tw17,w27,w27,ror#9\n\tadd\tw26,w26,w16\t\t\t// h+=Sigma1(e)\n\tand\tw19,w19,w28\t\t\t// (b^c)&=(a^b)\n\tadd\tw22,w22,w26\t\t\t// d+=h\n\teor\tw19,w19,w20\t\t\t// Maj(a,b,c)\n\teor\tw17,w7,w17,ror#13\t// Sigma0(a)\n\tadd\tw26,w26,w19\t\t\t// h+=Maj(a,b,c)\n\tldr\tw19,[x30],#4\t\t// *K++, w28 in next round\n\t//add\tw26,w26,w17\t\t\t// h+=Sigma0(a)\n#ifndef\t__AARCH64EB__\n\trev\tw5,w5\t\t\t// 2\n#endif\n\tadd\tw26,w26,w17\t\t\t// h+=Sigma0(a)\n\tror\tw16,w22,#6\n\tadd\tw25,w25,w19\t\t\t// h+=K[i]\n\teor\tw8,w22,w22,ror#14\n\tand\tw17,w23,w22\n\tbic\tw19,w24,w22\n\tadd\tw25,w25,w5\t\t\t// h+=X[i]\n\torr\tw17,w17,w19\t\t\t// Ch(e,f,g)\n\teor\tw19,w26,w27\t\t\t// a^b, b^c in next round\n\teor\tw16,w16,w8,ror#11\t// Sigma1(e)\n\tror\tw8,w26,#2\n\tadd\tw25,w25,w17\t\t\t// h+=Ch(e,f,g)\n\teor\tw17,w26,w26,ror#9\n\tadd\tw25,w25,w16\t\t\t// h+=Sigma1(e)\n\tand\tw28,w28,w19\t\t\t// (b^c)&=(a^b)\n\tadd\tw21,w21,w25\t\t\t// d+=h\n\teor\tw28,w28,w27\t\t\t// Maj(a,b,c)\n\teor\tw17,w8,w17,ror#13\t// Sigma0(a)\n\tadd\tw25,w25,w28\t\t\t// h+=Maj(a,b,c)\n\tldr\tw28,[x30],#4\t\t// *K++, w19 in next round\n\t//add\tw25,w25,w17\t\t\t// h+=Sigma0(a)\n#ifndef\t__AARCH64EB__\n\trev\tw6,w6\t\t\t// 3\n#endif\n\tldp\tw7,w8,[x1],#2*4\n\tadd\tw25,w25,w17\t\t\t// h+=Sigma0(a)\n\tror\tw16,w21,#6\n\tadd\tw24,w24,w28\t\t\t// h+=K[i]\n\teor\tw9,w21,w21,ror#14\n\tand\tw17,w22,w21\n\tbic\tw28,w23,w21\n\tadd\tw24,w24,w6\t\t\t// h+=X[i]\n\torr\tw17,w17,w28\t\t\t// Ch(e,f,g)\n\teor\tw28,w25,w26\t\t\t// a^b, b^c in next round\n\teor\tw16,w16,w9,ror#11\t// Sigma1(e)\n\tror\tw9,w25,#2\n\tadd\tw24,w24,w17\t\t\t// h+=Ch(e,f,g)\n\teor\tw17,w25,w25,ror#9\n\tadd\tw24,w24,w16\t\t\t// h+=Sigma1(e)\n\tand\tw19,w19,w28\t\t\t// (b^c)&=(a^b)\n\tadd\tw20,w20,w24\t\t\t// d+=h\n\teor\tw19,w19,w26\t\t\t// Maj(a,b,c)\n\teor\tw17,w9,w17,ror#13\t// Sigma0(a)\n\tadd\tw24,w24,w19\t\t\t// h+=Maj(a,b,c)\n\tldr\tw19,[x30],#4\t\t// *K++, w28 in next round\n\t//add\tw24,w24,w17\t\t\t// h+=Sigma0(a)\n#ifndef\t__AARCH64EB__\n\trev\tw7,w7\t\t\t// 4\n#endif\n\tadd\tw24,w24,w17\t\t\t// h+=Sigma0(a)\n\tror\tw16,w20,#6\n\tadd\tw23,w23,w19\t\t\t// h+=K[i]\n\teor\tw10,w20,w20,ror#14\n\tand\tw17,w21,w20\n\tbic\tw19,w22,w20\n\tadd\tw23,w23,w7\t\t\t// h+=X[i]\n\torr\tw17,w17,w19\t\t\t// Ch(e,f,g)\n\teor\tw19,w24,w25\t\t\t// a^b, b^c in next round\n\teor\tw16,w16,w10,ror#11\t// Sigma1(e)\n\tror\tw10,w24,#2\n\tadd\tw23,w23,w17\t\t\t// h+=Ch(e,f,g)\n\teor\tw17,w24,w24,ror#9\n\tadd\tw23,w23,w16\t\t\t// h+=Sigma1(e)\n\tand\tw28,w28,w19\t\t\t// (b^c)&=(a^b)\n\tadd\tw27,w27,w23\t\t\t// d+=h\n\teor\tw28,w28,w25\t\t\t// Maj(a,b,c)\n\teor\tw17,w10,w17,ror#13\t// Sigma0(a)\n\tadd\tw23,w23,w28\t\t\t// h+=Maj(a,b,c)\n\tldr\tw28,[x30],#4\t\t// *K++, w19 in next round\n\t//add\tw23,w23,w17\t\t\t// h+=Sigma0(a)\n#ifndef\t__AARCH64EB__\n\trev\tw8,w8\t\t\t// 5\n#endif\n\tldp\tw9,w10,[x1],#2*4\n\tadd\tw23,w23,w17\t\t\t// h+=Sigma0(a)\n\tror\tw16,w27,#6\n\tadd\tw22,w22,w28\t\t\t// h+=K[i]\n\teor\tw11,w27,w27,ror#14\n\tand\tw17,w20,w27\n\tbic\tw28,w21,w27\n\tadd\tw22,w22,w8\t\t\t// h+=X[i]\n\torr\tw17,w17,w28\t\t\t// Ch(e,f,g)\n\teor\tw28,w23,w24\t\t\t// a^b, b^c in next round\n\teor\tw16,w16,w11,ror#11\t// Sigma1(e)\n\tror\tw11,w23,#2\n\tadd\tw22,w22,w17\t\t\t// h+=Ch(e,f,g)\n\teor\tw17,w23,w23,ror#9\n\tadd\tw22,w22,w16\t\t\t// h+=Sigma1(e)\n\tand\tw19,w19,w28\t\t\t// (b^c)&=(a^b)\n\tadd\tw26,w26,w22\t\t\t// d+=h\n\teor\tw19,w19,w24\t\t\t// Maj(a,b,c)\n\teor\tw17,w11,w17,ror#13\t// Sigma0(a)\n\tadd\tw22,w22,w19\t\t\t// h+=Maj(a,b,c)\n\tldr\tw19,[x30],#4\t\t// *K++, w28 in next round\n\t//add\tw22,w22,w17\t\t\t// h+=Sigma0(a)\n#ifndef\t__AARCH64EB__\n\trev\tw9,w9\t\t\t// 6\n#endif\n\tadd\tw22,w22,w17\t\t\t// h+=Sigma0(a)\n\tror\tw16,w26,#6\n\tadd\tw21,w21,w19\t\t\t// h+=K[i]\n\teor\tw12,w26,w26,ror#14\n\tand\tw17,w27,w26\n\tbic\tw19,w20,w26\n\tadd\tw21,w21,w9\t\t\t// h+=X[i]\n\torr\tw17,w17,w19\t\t\t// Ch(e,f,g)\n\teor\tw19,w22,w23\t\t\t// a^b, b^c in next round\n\teor\tw16,w16,w12,ror#11\t// Sigma1(e)\n\tror\tw12,w22,#2\n\tadd\tw21,w21,w17\t\t\t// h+=Ch(e,f,g)\n\teor\tw17,w22,w22,ror#9\n\tadd\tw21,w21,w16\t\t\t// h+=Sigma1(e)\n\tand\tw28,w28,w19\t\t\t// (b^c)&=(a^b)\n\tadd\tw25,w25,w21\t\t\t// d+=h\n\teor\tw28,w28,w23\t\t\t// Maj(a,b,c)\n\teor\tw17,w12,w17,ror#13\t// Sigma0(a)\n\tadd\tw21,w21,w28\t\t\t// h+=Maj(a,b,c)\n\tldr\tw28,[x30],#4\t\t// *K++, w19 in next round\n\t//add\tw21,w21,w17\t\t\t// h+=Sigma0(a)\n#ifndef\t__AARCH64EB__\n\trev\tw10,w10\t\t\t// 7\n#endif\n\tldp\tw11,w12,[x1],#2*4\n\tadd\tw21,w21,w17\t\t\t// h+=Sigma0(a)\n\tror\tw16,w25,#6\n\tadd\tw20,w20,w28\t\t\t// h+=K[i]\n\teor\tw13,w25,w25,ror#14\n\tand\tw17,w26,w25\n\tbic\tw28,w27,w25\n\tadd\tw20,w20,w10\t\t\t// h+=X[i]\n\torr\tw17,w17,w28\t\t\t// Ch(e,f,g)\n\teor\tw28,w21,w22\t\t\t// a^b, b^c in next round\n\teor\tw16,w16,w13,ror#11\t// Sigma1(e)\n\tror\tw13,w21,#2\n\tadd\tw20,w20,w17\t\t\t// h+=Ch(e,f,g)\n\teor\tw17,w21,w21,ror#9\n\tadd\tw20,w20,w16\t\t\t// h+=Sigma1(e)\n\tand\tw19,w19,w28\t\t\t// (b^c)&=(a^b)\n\tadd\tw24,w24,w20\t\t\t// d+=h\n\teor\tw19,w19,w22\t\t\t// Maj(a,b,c)\n\teor\tw17,w13,w17,ror#13\t// Sigma0(a)\n\tadd\tw20,w20,w19\t\t\t// h+=Maj(a,b,c)\n\tldr\tw19,[x30],#4\t\t// *K++, w28 in next round\n\t//add\tw20,w20,w17\t\t\t// h+=Sigma0(a)\n#ifndef\t__AARCH64EB__\n\trev\tw11,w11\t\t\t// 8\n#endif\n\tadd\tw20,w20,w17\t\t\t// h+=Sigma0(a)\n\tror\tw16,w24,#6\n\tadd\tw27,w27,w19\t\t\t// h+=K[i]\n\teor\tw14,w24,w24,ror#14\n\tand\tw17,w25,w24\n\tbic\tw19,w26,w24\n\tadd\tw27,w27,w11\t\t\t// h+=X[i]\n\torr\tw17,w17,w19\t\t\t// Ch(e,f,g)\n\teor\tw19,w20,w21\t\t\t// a^b, b^c in next round\n\teor\tw16,w16,w14,ror#11\t// Sigma1(e)\n\tror\tw14,w20,#2\n\tadd\tw27,w27,w17\t\t\t// h+=Ch(e,f,g)\n\teor\tw17,w20,w20,ror#9\n\tadd\tw27,w27,w16\t\t\t// h+=Sigma1(e)\n\tand\tw28,w28,w19\t\t\t// (b^c)&=(a^b)\n\tadd\tw23,w23,w27\t\t\t// d+=h\n\teor\tw28,w28,w21\t\t\t// Maj(a,b,c)\n\teor\tw17,w14,w17,ror#13\t// Sigma0(a)\n\tadd\tw27,w27,w28\t\t\t// h+=Maj(a,b,c)\n\tldr\tw28,[x30],#4\t\t// *K++, w19 in next round\n\t//add\tw27,w27,w17\t\t\t// h+=Sigma0(a)\n#ifndef\t__AARCH64EB__\n\trev\tw12,w12\t\t\t// 9\n#endif\n\tldp\tw13,w14,[x1],#2*4\n\tadd\tw27,w27,w17\t\t\t// h+=Sigma0(a)\n\tror\tw16,w23,#6\n\tadd\tw26,w26,w28\t\t\t// h+=K[i]\n\teor\tw15,w23,w23,ror#14\n\tand\tw17,w24,w23\n\tbic\tw28,w25,w23\n\tadd\tw26,w26,w12\t\t\t// h+=X[i]\n\torr\tw17,w17,w28\t\t\t// Ch(e,f,g)\n\teor\tw28,w27,w20\t\t\t// a^b, b^c in next round\n\teor\tw16,w16,w15,ror#11\t// Sigma1(e)\n\tror\tw15,w27,#2\n\tadd\tw26,w26,w17\t\t\t// h+=Ch(e,f,g)\n\teor\tw17,w27,w27,ror#9\n\tadd\tw26,w26,w16\t\t\t// h+=Sigma1(e)\n\tand\tw19,w19,w28\t\t\t// (b^c)&=(a^b)\n\tadd\tw22,w22,w26\t\t\t// d+=h\n\teor\tw19,w19,w20\t\t\t// Maj(a,b,c)\n\teor\tw17,w15,w17,ror#13\t// Sigma0(a)\n\tadd\tw26,w26,w19\t\t\t// h+=Maj(a,b,c)\n\tldr\tw19,[x30],#4\t\t// *K++, w28 in next round\n\t//add\tw26,w26,w17\t\t\t// h+=Sigma0(a)\n#ifndef\t__AARCH64EB__\n\trev\tw13,w13\t\t\t// 10\n#endif\n\tadd\tw26,w26,w17\t\t\t// h+=Sigma0(a)\n\tror\tw16,w22,#6\n\tadd\tw25,w25,w19\t\t\t// h+=K[i]\n\teor\tw0,w22,w22,ror#14\n\tand\tw17,w23,w22\n\tbic\tw19,w24,w22\n\tadd\tw25,w25,w13\t\t\t// h+=X[i]\n\torr\tw17,w17,w19\t\t\t// Ch(e,f,g)\n\teor\tw19,w26,w27\t\t\t// a^b, b^c in next round\n\teor\tw16,w16,w0,ror#11\t// Sigma1(e)\n\tror\tw0,w26,#2\n\tadd\tw25,w25,w17\t\t\t// h+=Ch(e,f,g)\n\teor\tw17,w26,w26,ror#9\n\tadd\tw25,w25,w16\t\t\t// h+=Sigma1(e)\n\tand\tw28,w28,w19\t\t\t// (b^c)&=(a^b)\n\tadd\tw21,w21,w25\t\t\t// d+=h\n\teor\tw28,w28,w27\t\t\t// Maj(a,b,c)\n\teor\tw17,w0,w17,ror#13\t// Sigma0(a)\n\tadd\tw25,w25,w28\t\t\t// h+=Maj(a,b,c)\n\tldr\tw28,[x30],#4\t\t// *K++, w19 in next round\n\t//add\tw25,w25,w17\t\t\t// h+=Sigma0(a)\n#ifndef\t__AARCH64EB__\n\trev\tw14,w14\t\t\t// 11\n#endif\n\tldp\tw15,w0,[x1],#2*4\n\tadd\tw25,w25,w17\t\t\t// h+=Sigma0(a)\n\tstr\tw6,[sp,#12]\n\tror\tw16,w21,#6\n\tadd\tw24,w24,w28\t\t\t// h+=K[i]\n\teor\tw6,w21,w21,ror#14\n\tand\tw17,w22,w21\n\tbic\tw28,w23,w21\n\tadd\tw24,w24,w14\t\t\t// h+=X[i]\n\torr\tw17,w17,w28\t\t\t// Ch(e,f,g)\n\teor\tw28,w25,w26\t\t\t// a^b, b^c in next round\n\teor\tw16,w16,w6,ror#11\t// Sigma1(e)\n\tror\tw6,w25,#2\n\tadd\tw24,w24,w17\t\t\t// h+=Ch(e,f,g)\n\teor\tw17,w25,w25,ror#9\n\tadd\tw24,w24,w16\t\t\t// h+=Sigma1(e)\n\tand\tw19,w19,w28\t\t\t// (b^c)&=(a^b)\n\tadd\tw20,w20,w24\t\t\t// d+=h\n\teor\tw19,w19,w26\t\t\t// Maj(a,b,c)\n\teor\tw17,w6,w17,ror#13\t// Sigma0(a)\n\tadd\tw24,w24,w19\t\t\t// h+=Maj(a,b,c)\n\tldr\tw19,[x30],#4\t\t// *K++, w28 in next round\n\t//add\tw24,w24,w17\t\t\t// h+=Sigma0(a)\n#ifndef\t__AARCH64EB__\n\trev\tw15,w15\t\t\t// 12\n#endif\n\tadd\tw24,w24,w17\t\t\t// h+=Sigma0(a)\n\tstr\tw7,[sp,#0]\n\tror\tw16,w20,#6\n\tadd\tw23,w23,w19\t\t\t// h+=K[i]\n\teor\tw7,w20,w20,ror#14\n\tand\tw17,w21,w20\n\tbic\tw19,w22,w20\n\tadd\tw23,w23,w15\t\t\t// h+=X[i]\n\torr\tw17,w17,w19\t\t\t// Ch(e,f,g)\n\teor\tw19,w24,w25\t\t\t// a^b, b^c in next round\n\teor\tw16,w16,w7,ror#11\t// Sigma1(e)\n\tror\tw7,w24,#2\n\tadd\tw23,w23,w17\t\t\t// h+=Ch(e,f,g)\n\teor\tw17,w24,w24,ror#9\n\tadd\tw23,w23,w16\t\t\t// h+=Sigma1(e)\n\tand\tw28,w28,w19\t\t\t// (b^c)&=(a^b)\n\tadd\tw27,w27,w23\t\t\t// d+=h\n\teor\tw28,w28,w25\t\t\t// Maj(a,b,c)\n\teor\tw17,w7,w17,ror#13\t// Sigma0(a)\n\tadd\tw23,w23,w28\t\t\t// h+=Maj(a,b,c)\n\tldr\tw28,[x30],#4\t\t// *K++, w19 in next round\n\t//add\tw23,w23,w17\t\t\t// h+=Sigma0(a)\n#ifndef\t__AARCH64EB__\n\trev\tw0,w0\t\t\t// 13\n#endif\n\tldp\tw1,w2,[x1]\n\tadd\tw23,w23,w17\t\t\t// h+=Sigma0(a)\n\tstr\tw8,[sp,#4]\n\tror\tw16,w27,#6\n\tadd\tw22,w22,w28\t\t\t// h+=K[i]\n\teor\tw8,w27,w27,ror#14\n\tand\tw17,w20,w27\n\tbic\tw28,w21,w27\n\tadd\tw22,w22,w0\t\t\t// h+=X[i]\n\torr\tw17,w17,w28\t\t\t// Ch(e,f,g)\n\teor\tw28,w23,w24\t\t\t// a^b, b^c in next round\n\teor\tw16,w16,w8,ror#11\t// Sigma1(e)\n\tror\tw8,w23,#2\n\tadd\tw22,w22,w17\t\t\t// h+=Ch(e,f,g)\n\teor\tw17,w23,w23,ror#9\n\tadd\tw22,w22,w16\t\t\t// h+=Sigma1(e)\n\tand\tw19,w19,w28\t\t\t// (b^c)&=(a^b)\n\tadd\tw26,w26,w22\t\t\t// d+=h\n\teor\tw19,w19,w24\t\t\t// Maj(a,b,c)\n\teor\tw17,w8,w17,ror#13\t// Sigma0(a)\n\tadd\tw22,w22,w19\t\t\t// h+=Maj(a,b,c)\n\tldr\tw19,[x30],#4\t\t// *K++, w28 in next round\n\t//add\tw22,w22,w17\t\t\t// h+=Sigma0(a)\n#ifndef\t__AARCH64EB__\n\trev\tw1,w1\t\t\t// 14\n#endif\n\tldr\tw6,[sp,#12]\n\tadd\tw22,w22,w17\t\t\t// h+=Sigma0(a)\n\tstr\tw9,[sp,#8]\n\tror\tw16,w26,#6\n\tadd\tw21,w21,w19\t\t\t// h+=K[i]\n\teor\tw9,w26,w26,ror#14\n\tand\tw17,w27,w26\n\tbic\tw19,w20,w26\n\tadd\tw21,w21,w1\t\t\t// h+=X[i]\n\torr\tw17,w17,w19\t\t\t// Ch(e,f,g)\n\teor\tw19,w22,w23\t\t\t// a^b, b^c in next round\n\teor\tw16,w16,w9,ror#11\t// Sigma1(e)\n\tror\tw9,w22,#2\n\tadd\tw21,w21,w17\t\t\t// h+=Ch(e,f,g)\n\teor\tw17,w22,w22,ror#9\n\tadd\tw21,w21,w16\t\t\t// h+=Sigma1(e)\n\tand\tw28,w28,w19\t\t\t// (b^c)&=(a^b)\n\tadd\tw25,w25,w21\t\t\t// d+=h\n\teor\tw28,w28,w23\t\t\t// Maj(a,b,c)\n\teor\tw17,w9,w17,ror#13\t// Sigma0(a)\n\tadd\tw21,w21,w28\t\t\t// h+=Maj(a,b,c)\n\tldr\tw28,[x30],#4\t\t// *K++, w19 in next round\n\t//add\tw21,w21,w17\t\t\t// h+=Sigma0(a)\n#ifndef\t__AARCH64EB__\n\trev\tw2,w2\t\t\t// 15\n#endif\n\tldr\tw7,[sp,#0]\n\tadd\tw21,w21,w17\t\t\t// h+=Sigma0(a)\n\tstr\tw10,[sp,#12]\n\tror\tw16,w25,#6\n\tadd\tw20,w20,w28\t\t\t// h+=K[i]\n\tror\tw9,w4,#7\n\tand\tw17,w26,w25\n\tror\tw8,w1,#17\n\tbic\tw28,w27,w25\n\tror\tw10,w21,#2\n\tadd\tw20,w20,w2\t\t\t// h+=X[i]\n\teor\tw16,w16,w25,ror#11\n\teor\tw9,w9,w4,ror#18\n\torr\tw17,w17,w28\t\t\t// Ch(e,f,g)\n\teor\tw28,w21,w22\t\t\t// a^b, b^c in next round\n\teor\tw16,w16,w25,ror#25\t// Sigma1(e)\n\teor\tw10,w10,w21,ror#13\n\tadd\tw20,w20,w17\t\t\t// h+=Ch(e,f,g)\n\tand\tw19,w19,w28\t\t\t// (b^c)&=(a^b)\n\teor\tw8,w8,w1,ror#19\n\teor\tw9,w9,w4,lsr#3\t// sigma0(X[i+1])\n\tadd\tw20,w20,w16\t\t\t// h+=Sigma1(e)\n\teor\tw19,w19,w22\t\t\t// Maj(a,b,c)\n\teor\tw17,w10,w21,ror#22\t// Sigma0(a)\n\teor\tw8,w8,w1,lsr#10\t// sigma1(X[i+14])\n\tadd\tw3,w3,w12\n\tadd\tw24,w24,w20\t\t\t// d+=h\n\tadd\tw20,w20,w19\t\t\t// h+=Maj(a,b,c)\n\tldr\tw19,[x30],#4\t\t// *K++, w28 in next round\n\tadd\tw3,w3,w9\n\tadd\tw20,w20,w17\t\t\t// h+=Sigma0(a)\n\tadd\tw3,w3,w8\nLoop_16_xx:\n\tldr\tw8,[sp,#4]\n\tstr\tw11,[sp,#0]\n\tror\tw16,w24,#6\n\tadd\tw27,w27,w19\t\t\t// h+=K[i]\n\tror\tw10,w5,#7\n\tand\tw17,w25,w24\n\tror\tw9,w2,#17\n\tbic\tw19,w26,w24\n\tror\tw11,w20,#2\n\tadd\tw27,w27,w3\t\t\t// h+=X[i]\n\teor\tw16,w16,w24,ror#11\n\teor\tw10,w10,w5,ror#18\n\torr\tw17,w17,w19\t\t\t// Ch(e,f,g)\n\teor\tw19,w20,w21\t\t\t// a^b, b^c in next round\n\teor\tw16,w16,w24,ror#25\t// Sigma1(e)\n\teor\tw11,w11,w20,ror#13\n\tadd\tw27,w27,w17\t\t\t// h+=Ch(e,f,g)\n\tand\tw28,w28,w19\t\t\t// (b^c)&=(a^b)\n\teor\tw9,w9,w2,ror#19\n\teor\tw10,w10,w5,lsr#3\t// sigma0(X[i+1])\n\tadd\tw27,w27,w16\t\t\t// h+=Sigma1(e)\n\teor\tw28,w28,w21\t\t\t// Maj(a,b,c)\n\teor\tw17,w11,w20,ror#22\t// Sigma0(a)\n\teor\tw9,w9,w2,lsr#10\t// sigma1(X[i+14])\n\tadd\tw4,w4,w13\n\tadd\tw23,w23,w27\t\t\t// d+=h\n\tadd\tw27,w27,w28\t\t\t// h+=Maj(a,b,c)\n\tldr\tw28,[x30],#4\t\t// *K++, w19 in next round\n\tadd\tw4,w4,w10\n\tadd\tw27,w27,w17\t\t\t// h+=Sigma0(a)\n\tadd\tw4,w4,w9\n\tldr\tw9,[sp,#8]\n\tstr\tw12,[sp,#4]\n\tror\tw16,w23,#6\n\tadd\tw26,w26,w28\t\t\t// h+=K[i]\n\tror\tw11,w6,#7\n\tand\tw17,w24,w23\n\tror\tw10,w3,#17\n\tbic\tw28,w25,w23\n\tror\tw12,w27,#2\n\tadd\tw26,w26,w4\t\t\t// h+=X[i]\n\teor\tw16,w16,w23,ror#11\n\teor\tw11,w11,w6,ror#18\n\torr\tw17,w17,w28\t\t\t// Ch(e,f,g)\n\teor\tw28,w27,w20\t\t\t// a^b, b^c in next round\n\teor\tw16,w16,w23,ror#25\t// Sigma1(e)\n\teor\tw12,w12,w27,ror#13\n\tadd\tw26,w26,w17\t\t\t// h+=Ch(e,f,g)\n\tand\tw19,w19,w28\t\t\t// (b^c)&=(a^b)\n\teor\tw10,w10,w3,ror#19\n\teor\tw11,w11,w6,lsr#3\t// sigma0(X[i+1])\n\tadd\tw26,w26,w16\t\t\t// h+=Sigma1(e)\n\teor\tw19,w19,w20\t\t\t// Maj(a,b,c)\n\teor\tw17,w12,w27,ror#22\t// Sigma0(a)\n\teor\tw10,w10,w3,lsr#10\t// sigma1(X[i+14])\n\tadd\tw5,w5,w14\n\tadd\tw22,w22,w26\t\t\t// d+=h\n\tadd\tw26,w26,w19\t\t\t// h+=Maj(a,b,c)\n\tldr\tw19,[x30],#4\t\t// *K++, w28 in next round\n\tadd\tw5,w5,w11\n\tadd\tw26,w26,w17\t\t\t// h+=Sigma0(a)\n\tadd\tw5,w5,w10\n\tldr\tw10,[sp,#12]\n\tstr\tw13,[sp,#8]\n\tror\tw16,w22,#6\n\tadd\tw25,w25,w19\t\t\t// h+=K[i]\n\tror\tw12,w7,#7\n\tand\tw17,w23,w22\n\tror\tw11,w4,#17\n\tbic\tw19,w24,w22\n\tror\tw13,w26,#2\n\tadd\tw25,w25,w5\t\t\t// h+=X[i]\n\teor\tw16,w16,w22,ror#11\n\teor\tw12,w12,w7,ror#18\n\torr\tw17,w17,w19\t\t\t// Ch(e,f,g)\n\teor\tw19,w26,w27\t\t\t// a^b, b^c in next round\n\teor\tw16,w16,w22,ror#25\t// Sigma1(e)\n\teor\tw13,w13,w26,ror#13\n\tadd\tw25,w25,w17\t\t\t// h+=Ch(e,f,g)\n\tand\tw28,w28,w19\t\t\t// (b^c)&=(a^b)\n\teor\tw11,w11,w4,ror#19\n\teor\tw12,w12,w7,lsr#3\t// sigma0(X[i+1])\n\tadd\tw25,w25,w16\t\t\t// h+=Sigma1(e)\n\teor\tw28,w28,w27\t\t\t// Maj(a,b,c)\n\teor\tw17,w13,w26,ror#22\t// Sigma0(a)\n\teor\tw11,w11,w4,lsr#10\t// sigma1(X[i+14])\n\tadd\tw6,w6,w15\n\tadd\tw21,w21,w25\t\t\t// d+=h\n\tadd\tw25,w25,w28\t\t\t// h+=Maj(a,b,c)\n\tldr\tw28,[x30],#4\t\t// *K++, w19 in next round\n\tadd\tw6,w6,w12\n\tadd\tw25,w25,w17\t\t\t// h+=Sigma0(a)\n\tadd\tw6,w6,w11\n\tldr\tw11,[sp,#0]\n\tstr\tw14,[sp,#12]\n\tror\tw16,w21,#6\n\tadd\tw24,w24,w28\t\t\t// h+=K[i]\n\tror\tw13,w8,#7\n\tand\tw17,w22,w21\n\tror\tw12,w5,#17\n\tbic\tw28,w23,w21\n\tror\tw14,w25,#2\n\tadd\tw24,w24,w6\t\t\t// h+=X[i]\n\teor\tw16,w16,w21,ror#11\n\teor\tw13,w13,w8,ror#18\n\torr\tw17,w17,w28\t\t\t// Ch(e,f,g)\n\teor\tw28,w25,w26\t\t\t// a^b, b^c in next round\n\teor\tw16,w16,w21,ror#25\t// Sigma1(e)\n\teor\tw14,w14,w25,ror#13\n\tadd\tw24,w24,w17\t\t\t// h+=Ch(e,f,g)\n\tand\tw19,w19,w28\t\t\t// (b^c)&=(a^b)\n\teor\tw12,w12,w5,ror#19\n\teor\tw13,w13,w8,lsr#3\t// sigma0(X[i+1])\n\tadd\tw24,w24,w16\t\t\t// h+=Sigma1(e)\n\teor\tw19,w19,w26\t\t\t// Maj(a,b,c)\n\teor\tw17,w14,w25,ror#22\t// Sigma0(a)\n\teor\tw12,w12,w5,lsr#10\t// sigma1(X[i+14])\n\tadd\tw7,w7,w0\n\tadd\tw20,w20,w24\t\t\t// d+=h\n\tadd\tw24,w24,w19\t\t\t// h+=Maj(a,b,c)\n\tldr\tw19,[x30],#4\t\t// *K++, w28 in next round\n\tadd\tw7,w7,w13\n\tadd\tw24,w24,w17\t\t\t// h+=Sigma0(a)\n\tadd\tw7,w7,w12\n\tldr\tw12,[sp,#4]\n\tstr\tw15,[sp,#0]\n\tror\tw16,w20,#6\n\tadd\tw23,w23,w19\t\t\t// h+=K[i]\n\tror\tw14,w9,#7\n\tand\tw17,w21,w20\n\tror\tw13,w6,#17\n\tbic\tw19,w22,w20\n\tror\tw15,w24,#2\n\tadd\tw23,w23,w7\t\t\t// h+=X[i]\n\teor\tw16,w16,w20,ror#11\n\teor\tw14,w14,w9,ror#18\n\torr\tw17,w17,w19\t\t\t// Ch(e,f,g)\n\teor\tw19,w24,w25\t\t\t// a^b, b^c in next round\n\teor\tw16,w16,w20,ror#25\t// Sigma1(e)\n\teor\tw15,w15,w24,ror#13\n\tadd\tw23,w23,w17\t\t\t// h+=Ch(e,f,g)\n\tand\tw28,w28,w19\t\t\t// (b^c)&=(a^b)\n\teor\tw13,w13,w6,ror#19\n\teor\tw14,w14,w9,lsr#3\t// sigma0(X[i+1])\n\tadd\tw23,w23,w16\t\t\t// h+=Sigma1(e)\n\teor\tw28,w28,w25\t\t\t// Maj(a,b,c)\n\teor\tw17,w15,w24,ror#22\t// Sigma0(a)\n\teor\tw13,w13,w6,lsr#10\t// sigma1(X[i+14])\n\tadd\tw8,w8,w1\n\tadd\tw27,w27,w23\t\t\t// d+=h\n\tadd\tw23,w23,w28\t\t\t// h+=Maj(a,b,c)\n\tldr\tw28,[x30],#4\t\t// *K++, w19 in next round\n\tadd\tw8,w8,w14\n\tadd\tw23,w23,w17\t\t\t// h+=Sigma0(a)\n\tadd\tw8,w8,w13\n\tldr\tw13,[sp,#8]\n\tstr\tw0,[sp,#4]\n\tror\tw16,w27,#6\n\tadd\tw22,w22,w28\t\t\t// h+=K[i]\n\tror\tw15,w10,#7\n\tand\tw17,w20,w27\n\tror\tw14,w7,#17\n\tbic\tw28,w21,w27\n\tror\tw0,w23,#2\n\tadd\tw22,w22,w8\t\t\t// h+=X[i]\n\teor\tw16,w16,w27,ror#11\n\teor\tw15,w15,w10,ror#18\n\torr\tw17,w17,w28\t\t\t// Ch(e,f,g)\n\teor\tw28,w23,w24\t\t\t// a^b, b^c in next round\n\teor\tw16,w16,w27,ror#25\t// Sigma1(e)\n\teor\tw0,w0,w23,ror#13\n\tadd\tw22,w22,w17\t\t\t// h+=Ch(e,f,g)\n\tand\tw19,w19,w28\t\t\t// (b^c)&=(a^b)\n\teor\tw14,w14,w7,ror#19\n\teor\tw15,w15,w10,lsr#3\t// sigma0(X[i+1])\n\tadd\tw22,w22,w16\t\t\t// h+=Sigma1(e)\n\teor\tw19,w19,w24\t\t\t// Maj(a,b,c)\n\teor\tw17,w0,w23,ror#22\t// Sigma0(a)\n\teor\tw14,w14,w7,lsr#10\t// sigma1(X[i+14])\n\tadd\tw9,w9,w2\n\tadd\tw26,w26,w22\t\t\t// d+=h\n\tadd\tw22,w22,w19\t\t\t// h+=Maj(a,b,c)\n\tldr\tw19,[x30],#4\t\t// *K++, w28 in next round\n\tadd\tw9,w9,w15\n\tadd\tw22,w22,w17\t\t\t// h+=Sigma0(a)\n\tadd\tw9,w9,w14\n\tldr\tw14,[sp,#12]\n\tstr\tw1,[sp,#8]\n\tror\tw16,w26,#6\n\tadd\tw21,w21,w19\t\t\t// h+=K[i]\n\tror\tw0,w11,#7\n\tand\tw17,w27,w26\n\tror\tw15,w8,#17\n\tbic\tw19,w20,w26\n\tror\tw1,w22,#2\n\tadd\tw21,w21,w9\t\t\t// h+=X[i]\n\teor\tw16,w16,w26,ror#11\n\teor\tw0,w0,w11,ror#18\n\torr\tw17,w17,w19\t\t\t// Ch(e,f,g)\n\teor\tw19,w22,w23\t\t\t// a^b, b^c in next round\n\teor\tw16,w16,w26,ror#25\t// Sigma1(e)\n\teor\tw1,w1,w22,ror#13\n\tadd\tw21,w21,w17\t\t\t// h+=Ch(e,f,g)\n\tand\tw28,w28,w19\t\t\t// (b^c)&=(a^b)\n\teor\tw15,w15,w8,ror#19\n\teor\tw0,w0,w11,lsr#3\t// sigma0(X[i+1])\n\tadd\tw21,w21,w16\t\t\t// h+=Sigma1(e)\n\teor\tw28,w28,w23\t\t\t// Maj(a,b,c)\n\teor\tw17,w1,w22,ror#22\t// Sigma0(a)\n\teor\tw15,w15,w8,lsr#10\t// sigma1(X[i+14])\n\tadd\tw10,w10,w3\n\tadd\tw25,w25,w21\t\t\t// d+=h\n\tadd\tw21,w21,w28\t\t\t// h+=Maj(a,b,c)\n\tldr\tw28,[x30],#4\t\t// *K++, w19 in next round\n\tadd\tw10,w10,w0\n\tadd\tw21,w21,w17\t\t\t// h+=Sigma0(a)\n\tadd\tw10,w10,w15\n\tldr\tw15,[sp,#0]\n\tstr\tw2,[sp,#12]\n\tror\tw16,w25,#6\n\tadd\tw20,w20,w28\t\t\t// h+=K[i]\n\tror\tw1,w12,#7\n\tand\tw17,w26,w25\n\tror\tw0,w9,#17\n\tbic\tw28,w27,w25\n\tror\tw2,w21,#2\n\tadd\tw20,w20,w10\t\t\t// h+=X[i]\n\teor\tw16,w16,w25,ror#11\n\teor\tw1,w1,w12,ror#18\n\torr\tw17,w17,w28\t\t\t// Ch(e,f,g)\n\teor\tw28,w21,w22\t\t\t// a^b, b^c in next round\n\teor\tw16,w16,w25,ror#25\t// Sigma1(e)\n\teor\tw2,w2,w21,ror#13\n\tadd\tw20,w20,w17\t\t\t// h+=Ch(e,f,g)\n\tand\tw19,w19,w28\t\t\t// (b^c)&=(a^b)\n\teor\tw0,w0,w9,ror#19\n\teor\tw1,w1,w12,lsr#3\t// sigma0(X[i+1])\n\tadd\tw20,w20,w16\t\t\t// h+=Sigma1(e)\n\teor\tw19,w19,w22\t\t\t// Maj(a,b,c)\n\teor\tw17,w2,w21,ror#22\t// Sigma0(a)\n\teor\tw0,w0,w9,lsr#10\t// sigma1(X[i+14])\n\tadd\tw11,w11,w4\n\tadd\tw24,w24,w20\t\t\t// d+=h\n\tadd\tw20,w20,w19\t\t\t// h+=Maj(a,b,c)\n\tldr\tw19,[x30],#4\t\t// *K++, w28 in next round\n\tadd\tw11,w11,w1\n\tadd\tw20,w20,w17\t\t\t// h+=Sigma0(a)\n\tadd\tw11,w11,w0\n\tldr\tw0,[sp,#4]\n\tstr\tw3,[sp,#0]\n\tror\tw16,w24,#6\n\tadd\tw27,w27,w19\t\t\t// h+=K[i]\n\tror\tw2,w13,#7\n\tand\tw17,w25,w24\n\tror\tw1,w10,#17\n\tbic\tw19,w26,w24\n\tror\tw3,w20,#2\n\tadd\tw27,w27,w11\t\t\t// h+=X[i]\n\teor\tw16,w16,w24,ror#11\n\teor\tw2,w2,w13,ror#18\n\torr\tw17,w17,w19\t\t\t// Ch(e,f,g)\n\teor\tw19,w20,w21\t\t\t// a^b, b^c in next round\n\teor\tw16,w16,w24,ror#25\t// Sigma1(e)\n\teor\tw3,w3,w20,ror#13\n\tadd\tw27,w27,w17\t\t\t// h+=Ch(e,f,g)\n\tand\tw28,w28,w19\t\t\t// (b^c)&=(a^b)\n\teor\tw1,w1,w10,ror#19\n\teor\tw2,w2,w13,lsr#3\t// sigma0(X[i+1])\n\tadd\tw27,w27,w16\t\t\t// h+=Sigma1(e)\n\teor\tw28,w28,w21\t\t\t// Maj(a,b,c)\n\teor\tw17,w3,w20,ror#22\t// Sigma0(a)\n\teor\tw1,w1,w10,lsr#10\t// sigma1(X[i+14])\n\tadd\tw12,w12,w5\n\tadd\tw23,w23,w27\t\t\t// d+=h\n\tadd\tw27,w27,w28\t\t\t// h+=Maj(a,b,c)\n\tldr\tw28,[x30],#4\t\t// *K++, w19 in next round\n\tadd\tw12,w12,w2\n\tadd\tw27,w27,w17\t\t\t// h+=Sigma0(a)\n\tadd\tw12,w12,w1\n\tldr\tw1,[sp,#8]\n\tstr\tw4,[sp,#4]\n\tror\tw16,w23,#6\n\tadd\tw26,w26,w28\t\t\t// h+=K[i]\n\tror\tw3,w14,#7\n\tand\tw17,w24,w23\n\tror\tw2,w11,#17\n\tbic\tw28,w25,w23\n\tror\tw4,w27,#2\n\tadd\tw26,w26,w12\t\t\t// h+=X[i]\n\teor\tw16,w16,w23,ror#11\n\teor\tw3,w3,w14,ror#18\n\torr\tw17,w17,w28\t\t\t// Ch(e,f,g)\n\teor\tw28,w27,w20\t\t\t// a^b, b^c in next round\n\teor\tw16,w16,w23,ror#25\t// Sigma1(e)\n\teor\tw4,w4,w27,ror#13\n\tadd\tw26,w26,w17\t\t\t// h+=Ch(e,f,g)\n\tand\tw19,w19,w28\t\t\t// (b^c)&=(a^b)\n\teor\tw2,w2,w11,ror#19\n\teor\tw3,w3,w14,lsr#3\t// sigma0(X[i+1])\n\tadd\tw26,w26,w16\t\t\t// h+=Sigma1(e)\n\teor\tw19,w19,w20\t\t\t// Maj(a,b,c)\n\teor\tw17,w4,w27,ror#22\t// Sigma0(a)\n\teor\tw2,w2,w11,lsr#10\t// sigma1(X[i+14])\n\tadd\tw13,w13,w6\n\tadd\tw22,w22,w26\t\t\t// d+=h\n\tadd\tw26,w26,w19\t\t\t// h+=Maj(a,b,c)\n\tldr\tw19,[x30],#4\t\t// *K++, w28 in next round\n\tadd\tw13,w13,w3\n\tadd\tw26,w26,w17\t\t\t// h+=Sigma0(a)\n\tadd\tw13,w13,w2\n\tldr\tw2,[sp,#12]\n\tstr\tw5,[sp,#8]\n\tror\tw16,w22,#6\n\tadd\tw25,w25,w19\t\t\t// h+=K[i]\n\tror\tw4,w15,#7\n\tand\tw17,w23,w22\n\tror\tw3,w12,#17\n\tbic\tw19,w24,w22\n\tror\tw5,w26,#2\n\tadd\tw25,w25,w13\t\t\t// h+=X[i]\n\teor\tw16,w16,w22,ror#11\n\teor\tw4,w4,w15,ror#18\n\torr\tw17,w17,w19\t\t\t// Ch(e,f,g)\n\teor\tw19,w26,w27\t\t\t// a^b, b^c in next round\n\teor\tw16,w16,w22,ror#25\t// Sigma1(e)\n\teor\tw5,w5,w26,ror#13\n\tadd\tw25,w25,w17\t\t\t// h+=Ch(e,f,g)\n\tand\tw28,w28,w19\t\t\t// (b^c)&=(a^b)\n\teor\tw3,w3,w12,ror#19\n\teor\tw4,w4,w15,lsr#3\t// sigma0(X[i+1])\n\tadd\tw25,w25,w16\t\t\t// h+=Sigma1(e)\n\teor\tw28,w28,w27\t\t\t// Maj(a,b,c)\n\teor\tw17,w5,w26,ror#22\t// Sigma0(a)\n\teor\tw3,w3,w12,lsr#10\t// sigma1(X[i+14])\n\tadd\tw14,w14,w7\n\tadd\tw21,w21,w25\t\t\t// d+=h\n\tadd\tw25,w25,w28\t\t\t// h+=Maj(a,b,c)\n\tldr\tw28,[x30],#4\t\t// *K++, w19 in next round\n\tadd\tw14,w14,w4\n\tadd\tw25,w25,w17\t\t\t// h+=Sigma0(a)\n\tadd\tw14,w14,w3\n\tldr\tw3,[sp,#0]\n\tstr\tw6,[sp,#12]\n\tror\tw16,w21,#6\n\tadd\tw24,w24,w28\t\t\t// h+=K[i]\n\tror\tw5,w0,#7\n\tand\tw17,w22,w21\n\tror\tw4,w13,#17\n\tbic\tw28,w23,w21\n\tror\tw6,w25,#2\n\tadd\tw24,w24,w14\t\t\t// h+=X[i]\n\teor\tw16,w16,w21,ror#11\n\teor\tw5,w5,w0,ror#18\n\torr\tw17,w17,w28\t\t\t// Ch(e,f,g)\n\teor\tw28,w25,w26\t\t\t// a^b, b^c in next round\n\teor\tw16,w16,w21,ror#25\t// Sigma1(e)\n\teor\tw6,w6,w25,ror#13\n\tadd\tw24,w24,w17\t\t\t// h+=Ch(e,f,g)\n\tand\tw19,w19,w28\t\t\t// (b^c)&=(a^b)\n\teor\tw4,w4,w13,ror#19\n\teor\tw5,w5,w0,lsr#3\t// sigma0(X[i+1])\n\tadd\tw24,w24,w16\t\t\t// h+=Sigma1(e)\n\teor\tw19,w19,w26\t\t\t// Maj(a,b,c)\n\teor\tw17,w6,w25,ror#22\t// Sigma0(a)\n\teor\tw4,w4,w13,lsr#10\t// sigma1(X[i+14])\n\tadd\tw15,w15,w8\n\tadd\tw20,w20,w24\t\t\t// d+=h\n\tadd\tw24,w24,w19\t\t\t// h+=Maj(a,b,c)\n\tldr\tw19,[x30],#4\t\t// *K++, w28 in next round\n\tadd\tw15,w15,w5\n\tadd\tw24,w24,w17\t\t\t// h+=Sigma0(a)\n\tadd\tw15,w15,w4\n\tldr\tw4,[sp,#4]\n\tstr\tw7,[sp,#0]\n\tror\tw16,w20,#6\n\tadd\tw23,w23,w19\t\t\t// h+=K[i]\n\tror\tw6,w1,#7\n\tand\tw17,w21,w20\n\tror\tw5,w14,#17\n\tbic\tw19,w22,w20\n\tror\tw7,w24,#2\n\tadd\tw23,w23,w15\t\t\t// h+=X[i]\n\teor\tw16,w16,w20,ror#11\n\teor\tw6,w6,w1,ror#18\n\torr\tw17,w17,w19\t\t\t// Ch(e,f,g)\n\teor\tw19,w24,w25\t\t\t// a^b, b^c in next round\n\teor\tw16,w16,w20,ror#25\t// Sigma1(e)\n\teor\tw7,w7,w24,ror#13\n\tadd\tw23,w23,w17\t\t\t// h+=Ch(e,f,g)\n\tand\tw28,w28,w19\t\t\t// (b^c)&=(a^b)\n\teor\tw5,w5,w14,ror#19\n\teor\tw6,w6,w1,lsr#3\t// sigma0(X[i+1])\n\tadd\tw23,w23,w16\t\t\t// h+=Sigma1(e)\n\teor\tw28,w28,w25\t\t\t// Maj(a,b,c)\n\teor\tw17,w7,w24,ror#22\t// Sigma0(a)\n\teor\tw5,w5,w14,lsr#10\t// sigma1(X[i+14])\n\tadd\tw0,w0,w9\n\tadd\tw27,w27,w23\t\t\t// d+=h\n\tadd\tw23,w23,w28\t\t\t// h+=Maj(a,b,c)\n\tldr\tw28,[x30],#4\t\t// *K++, w19 in next round\n\tadd\tw0,w0,w6\n\tadd\tw23,w23,w17\t\t\t// h+=Sigma0(a)\n\tadd\tw0,w0,w5\n\tldr\tw5,[sp,#8]\n\tstr\tw8,[sp,#4]\n\tror\tw16,w27,#6\n\tadd\tw22,w22,w28\t\t\t// h+=K[i]\n\tror\tw7,w2,#7\n\tand\tw17,w20,w27\n\tror\tw6,w15,#17\n\tbic\tw28,w21,w27\n\tror\tw8,w23,#2\n\tadd\tw22,w22,w0\t\t\t// h+=X[i]\n\teor\tw16,w16,w27,ror#11\n\teor\tw7,w7,w2,ror#18\n\torr\tw17,w17,w28\t\t\t// Ch(e,f,g)\n\teor\tw28,w23,w24\t\t\t// a^b, b^c in next round\n\teor\tw16,w16,w27,ror#25\t// Sigma1(e)\n\teor\tw8,w8,w23,ror#13\n\tadd\tw22,w22,w17\t\t\t// h+=Ch(e,f,g)\n\tand\tw19,w19,w28\t\t\t// (b^c)&=(a^b)\n\teor\tw6,w6,w15,ror#19\n\teor\tw7,w7,w2,lsr#3\t// sigma0(X[i+1])\n\tadd\tw22,w22,w16\t\t\t// h+=Sigma1(e)\n\teor\tw19,w19,w24\t\t\t// Maj(a,b,c)\n\teor\tw17,w8,w23,ror#22\t// Sigma0(a)\n\teor\tw6,w6,w15,lsr#10\t// sigma1(X[i+14])\n\tadd\tw1,w1,w10\n\tadd\tw26,w26,w22\t\t\t// d+=h\n\tadd\tw22,w22,w19\t\t\t// h+=Maj(a,b,c)\n\tldr\tw19,[x30],#4\t\t// *K++, w28 in next round\n\tadd\tw1,w1,w7\n\tadd\tw22,w22,w17\t\t\t// h+=Sigma0(a)\n\tadd\tw1,w1,w6\n\tldr\tw6,[sp,#12]\n\tstr\tw9,[sp,#8]\n\tror\tw16,w26,#6\n\tadd\tw21,w21,w19\t\t\t// h+=K[i]\n\tror\tw8,w3,#7\n\tand\tw17,w27,w26\n\tror\tw7,w0,#17\n\tbic\tw19,w20,w26\n\tror\tw9,w22,#2\n\tadd\tw21,w21,w1\t\t\t// h+=X[i]\n\teor\tw16,w16,w26,ror#11\n\teor\tw8,w8,w3,ror#18\n\torr\tw17,w17,w19\t\t\t// Ch(e,f,g)\n\teor\tw19,w22,w23\t\t\t// a^b, b^c in next round\n\teor\tw16,w16,w26,ror#25\t// Sigma1(e)\n\teor\tw9,w9,w22,ror#13\n\tadd\tw21,w21,w17\t\t\t// h+=Ch(e,f,g)\n\tand\tw28,w28,w19\t\t\t// (b^c)&=(a^b)\n\teor\tw7,w7,w0,ror#19\n\teor\tw8,w8,w3,lsr#3\t// sigma0(X[i+1])\n\tadd\tw21,w21,w16\t\t\t// h+=Sigma1(e)\n\teor\tw28,w28,w23\t\t\t// Maj(a,b,c)\n\teor\tw17,w9,w22,ror#22\t// Sigma0(a)\n\teor\tw7,w7,w0,lsr#10\t// sigma1(X[i+14])\n\tadd\tw2,w2,w11\n\tadd\tw25,w25,w21\t\t\t// d+=h\n\tadd\tw21,w21,w28\t\t\t// h+=Maj(a,b,c)\n\tldr\tw28,[x30],#4\t\t// *K++, w19 in next round\n\tadd\tw2,w2,w8\n\tadd\tw21,w21,w17\t\t\t// h+=Sigma0(a)\n\tadd\tw2,w2,w7\n\tldr\tw7,[sp,#0]\n\tstr\tw10,[sp,#12]\n\tror\tw16,w25,#6\n\tadd\tw20,w20,w28\t\t\t// h+=K[i]\n\tror\tw9,w4,#7\n\tand\tw17,w26,w25\n\tror\tw8,w1,#17\n\tbic\tw28,w27,w25\n\tror\tw10,w21,#2\n\tadd\tw20,w20,w2\t\t\t// h+=X[i]\n\teor\tw16,w16,w25,ror#11\n\teor\tw9,w9,w4,ror#18\n\torr\tw17,w17,w28\t\t\t// Ch(e,f,g)\n\teor\tw28,w21,w22\t\t\t// a^b, b^c in next round\n\teor\tw16,w16,w25,ror#25\t// Sigma1(e)\n\teor\tw10,w10,w21,ror#13\n\tadd\tw20,w20,w17\t\t\t// h+=Ch(e,f,g)\n\tand\tw19,w19,w28\t\t\t// (b^c)&=(a^b)\n\teor\tw8,w8,w1,ror#19\n\teor\tw9,w9,w4,lsr#3\t// sigma0(X[i+1])\n\tadd\tw20,w20,w16\t\t\t// h+=Sigma1(e)\n\teor\tw19,w19,w22\t\t\t// Maj(a,b,c)\n\teor\tw17,w10,w21,ror#22\t// Sigma0(a)\n\teor\tw8,w8,w1,lsr#10\t// sigma1(X[i+14])\n\tadd\tw3,w3,w12\n\tadd\tw24,w24,w20\t\t\t// d+=h\n\tadd\tw20,w20,w19\t\t\t// h+=Maj(a,b,c)\n\tldr\tw19,[x30],#4\t\t// *K++, w28 in next round\n\tadd\tw3,w3,w9\n\tadd\tw20,w20,w17\t\t\t// h+=Sigma0(a)\n\tadd\tw3,w3,w8\n\tcbnz\tw19,Loop_16_xx\n\n\tldp\tx0,x2,[x29,#96]\n\tldr\tx1,[x29,#112]\n\tsub\tx30,x30,#260\t\t// rewind\n\n\tldp\tw3,w4,[x0]\n\tldp\tw5,w6,[x0,#2*4]\n\tadd\tx1,x1,#14*4\t\t\t// advance input pointer\n\tldp\tw7,w8,[x0,#4*4]\n\tadd\tw20,w20,w3\n\tldp\tw9,w10,[x0,#6*4]\n\tadd\tw21,w21,w4\n\tadd\tw22,w22,w5\n\tadd\tw23,w23,w6\n\tstp\tw20,w21,[x0]\n\tadd\tw24,w24,w7\n\tadd\tw25,w25,w8\n\tstp\tw22,w23,[x0,#2*4]\n\tadd\tw26,w26,w9\n\tadd\tw27,w27,w10\n\tcmp\tx1,x2\n\tstp\tw24,w25,[x0,#4*4]\n\tstp\tw26,w27,[x0,#6*4]\n\tb.ne\tLoop\n\n\tldp\tx19,x20,[x29,#16]\n\tadd\tsp,sp,#4*4\n\tldp\tx21,x22,[x29,#32]\n\tldp\tx23,x24,[x29,#48]\n\tldp\tx25,x26,[x29,#64]\n\tldp\tx27,x28,[x29,#80]\n\tldp\tx29,x30,[sp],#128\n\tAARCH64_VALIDATE_LINK_REGISTER\n\tret\n\n\n.section\t__TEXT,__const\n.align\t6\n\nLK256:\n.long\t0x428a2f98,0x71374491,0xb5c0fbcf,0xe9b5dba5\n.long\t0x3956c25b,0x59f111f1,0x923f82a4,0xab1c5ed5\n.long\t0xd807aa98,0x12835b01,0x243185be,0x550c7dc3\n.long\t0x72be5d74,0x80deb1fe,0x9bdc06a7,0xc19bf174\n.long\t0xe49b69c1,0xefbe4786,0x0fc19dc6,0x240ca1cc\n.long\t0x2de92c6f,0x4a7484aa,0x5cb0a9dc,0x76f988da\n.long\t0x983e5152,0xa831c66d,0xb00327c8,0xbf597fc7\n.long\t0xc6e00bf3,0xd5a79147,0x06ca6351,0x14292967\n.long\t0x27b70a85,0x2e1b2138,0x4d2c6dfc,0x53380d13\n.long\t0x650a7354,0x766a0abb,0x81c2c92e,0x92722c85\n.long\t0xa2bfe8a1,0xa81a664b,0xc24b8b70,0xc76c51a3\n.long\t0xd192e819,0xd6990624,0xf40e3585,0x106aa070\n.long\t0x19a4c116,0x1e376c08,0x2748774c,0x34b0bcb5\n.long\t0x391c0cb3,0x4ed8aa4a,0x5b9cca4f,0x682e6ff3\n.long\t0x748f82ee,0x78a5636f,0x84c87814,0x8cc70208\n.long\t0x90befffa,0xa4506ceb,0xbef9a3f7,0xc67178f2\n.long\t0\t//terminator\n\n.byte\t83,72,65,50,53,54,32,98,108,111,99,107,32,116,114,97,110,115,102,111,114,109,32,102,111,114,32,65,82,77,118,56,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0\n.align\t2\n.align\t2\n.text\n#ifndef\t__KERNEL__\n.globl\t_sha256_block_data_order_hw\n.private_extern\t_sha256_block_data_order_hw\n\n.align\t6\n_sha256_block_data_order_hw:\n\t// Armv8.3-A PAuth: even though x30 is pushed to stack it is not popped later.\n\tAARCH64_VALID_CALL_TARGET\n\tstp\tx29,x30,[sp,#-16]!\n\tadd\tx29,sp,#0\n\n\tld1\t{v0.4s,v1.4s},[x0]\n\tadrp\tx3,LK256@PAGE\n\tadd\tx3,x3,LK256@PAGEOFF\n\nLoop_hw:\n\tld1\t{v4.16b,v5.16b,v6.16b,v7.16b},[x1],#64\n\tsub\tx2,x2,#1\n\tld1\t{v16.4s},[x3],#16\n\trev32\tv4.16b,v4.16b\n\trev32\tv5.16b,v5.16b\n\trev32\tv6.16b,v6.16b\n\trev32\tv7.16b,v7.16b\n\torr\tv18.16b,v0.16b,v0.16b\t\t// offload\n\torr\tv19.16b,v1.16b,v1.16b\n\tld1\t{v17.4s},[x3],#16\n\tadd\tv16.4s,v16.4s,v4.4s\n.long\t0x5e2828a4\t//sha256su0 v4.16b,v5.16b\n\torr\tv2.16b,v0.16b,v0.16b\n.long\t0x5e104020\t//sha256h v0.16b,v1.16b,v16.4s\n.long\t0x5e105041\t//sha256h2 v1.16b,v2.16b,v16.4s\n.long\t0x5e0760c4\t//sha256su1 v4.16b,v6.16b,v7.16b\n\tld1\t{v16.4s},[x3],#16\n\tadd\tv17.4s,v17.4s,v5.4s\n.long\t0x5e2828c5\t//sha256su0 v5.16b,v6.16b\n\torr\tv2.16b,v0.16b,v0.16b\n.long\t0x5e114020\t//sha256h v0.16b,v1.16b,v17.4s\n.long\t0x5e115041\t//sha256h2 v1.16b,v2.16b,v17.4s\n.long\t0x5e0460e5\t//sha256su1 v5.16b,v7.16b,v4.16b\n\tld1\t{v17.4s},[x3],#16\n\tadd\tv16.4s,v16.4s,v6.4s\n.long\t0x5e2828e6\t//sha256su0 v6.16b,v7.16b\n\torr\tv2.16b,v0.16b,v0.16b\n.long\t0x5e104020\t//sha256h v0.16b,v1.16b,v16.4s\n.long\t0x5e105041\t//sha256h2 v1.16b,v2.16b,v16.4s\n.long\t0x5e056086\t//sha256su1 v6.16b,v4.16b,v5.16b\n\tld1\t{v16.4s},[x3],#16\n\tadd\tv17.4s,v17.4s,v7.4s\n.long\t0x5e282887\t//sha256su0 v7.16b,v4.16b\n\torr\tv2.16b,v0.16b,v0.16b\n.long\t0x5e114020\t//sha256h v0.16b,v1.16b,v17.4s\n.long\t0x5e115041\t//sha256h2 v1.16b,v2.16b,v17.4s\n.long\t0x5e0660a7\t//sha256su1 v7.16b,v5.16b,v6.16b\n\tld1\t{v17.4s},[x3],#16\n\tadd\tv16.4s,v16.4s,v4.4s\n.long\t0x5e2828a4\t//sha256su0 v4.16b,v5.16b\n\torr\tv2.16b,v0.16b,v0.16b\n.long\t0x5e104020\t//sha256h v0.16b,v1.16b,v16.4s\n.long\t0x5e105041\t//sha256h2 v1.16b,v2.16b,v16.4s\n.long\t0x5e0760c4\t//sha256su1 v4.16b,v6.16b,v7.16b\n\tld1\t{v16.4s},[x3],#16\n\tadd\tv17.4s,v17.4s,v5.4s\n.long\t0x5e2828c5\t//sha256su0 v5.16b,v6.16b\n\torr\tv2.16b,v0.16b,v0.16b\n.long\t0x5e114020\t//sha256h v0.16b,v1.16b,v17.4s\n.long\t0x5e115041\t//sha256h2 v1.16b,v2.16b,v17.4s\n.long\t0x5e0460e5\t//sha256su1 v5.16b,v7.16b,v4.16b\n\tld1\t{v17.4s},[x3],#16\n\tadd\tv16.4s,v16.4s,v6.4s\n.long\t0x5e2828e6\t//sha256su0 v6.16b,v7.16b\n\torr\tv2.16b,v0.16b,v0.16b\n.long\t0x5e104020\t//sha256h v0.16b,v1.16b,v16.4s\n.long\t0x5e105041\t//sha256h2 v1.16b,v2.16b,v16.4s\n.long\t0x5e056086\t//sha256su1 v6.16b,v4.16b,v5.16b\n\tld1\t{v16.4s},[x3],#16\n\tadd\tv17.4s,v17.4s,v7.4s\n.long\t0x5e282887\t//sha256su0 v7.16b,v4.16b\n\torr\tv2.16b,v0.16b,v0.16b\n.long\t0x5e114020\t//sha256h v0.16b,v1.16b,v17.4s\n.long\t0x5e115041\t//sha256h2 v1.16b,v2.16b,v17.4s\n.long\t0x5e0660a7\t//sha256su1 v7.16b,v5.16b,v6.16b\n\tld1\t{v17.4s},[x3],#16\n\tadd\tv16.4s,v16.4s,v4.4s\n.long\t0x5e2828a4\t//sha256su0 v4.16b,v5.16b\n\torr\tv2.16b,v0.16b,v0.16b\n.long\t0x5e104020\t//sha256h v0.16b,v1.16b,v16.4s\n.long\t0x5e105041\t//sha256h2 v1.16b,v2.16b,v16.4s\n.long\t0x5e0760c4\t//sha256su1 v4.16b,v6.16b,v7.16b\n\tld1\t{v16.4s},[x3],#16\n\tadd\tv17.4s,v17.4s,v5.4s\n.long\t0x5e2828c5\t//sha256su0 v5.16b,v6.16b\n\torr\tv2.16b,v0.16b,v0.16b\n.long\t0x5e114020\t//sha256h v0.16b,v1.16b,v17.4s\n.long\t0x5e115041\t//sha256h2 v1.16b,v2.16b,v17.4s\n.long\t0x5e0460e5\t//sha256su1 v5.16b,v7.16b,v4.16b\n\tld1\t{v17.4s},[x3],#16\n\tadd\tv16.4s,v16.4s,v6.4s\n.long\t0x5e2828e6\t//sha256su0 v6.16b,v7.16b\n\torr\tv2.16b,v0.16b,v0.16b\n.long\t0x5e104020\t//sha256h v0.16b,v1.16b,v16.4s\n.long\t0x5e105041\t//sha256h2 v1.16b,v2.16b,v16.4s\n.long\t0x5e056086\t//sha256su1 v6.16b,v4.16b,v5.16b\n\tld1\t{v16.4s},[x3],#16\n\tadd\tv17.4s,v17.4s,v7.4s\n.long\t0x5e282887\t//sha256su0 v7.16b,v4.16b\n\torr\tv2.16b,v0.16b,v0.16b\n.long\t0x5e114020\t//sha256h v0.16b,v1.16b,v17.4s\n.long\t0x5e115041\t//sha256h2 v1.16b,v2.16b,v17.4s\n.long\t0x5e0660a7\t//sha256su1 v7.16b,v5.16b,v6.16b\n\tld1\t{v17.4s},[x3],#16\n\tadd\tv16.4s,v16.4s,v4.4s\n\torr\tv2.16b,v0.16b,v0.16b\n.long\t0x5e104020\t//sha256h v0.16b,v1.16b,v16.4s\n.long\t0x5e105041\t//sha256h2 v1.16b,v2.16b,v16.4s\n\n\tld1\t{v16.4s},[x3],#16\n\tadd\tv17.4s,v17.4s,v5.4s\n\torr\tv2.16b,v0.16b,v0.16b\n.long\t0x5e114020\t//sha256h v0.16b,v1.16b,v17.4s\n.long\t0x5e115041\t//sha256h2 v1.16b,v2.16b,v17.4s\n\n\tld1\t{v17.4s},[x3]\n\tadd\tv16.4s,v16.4s,v6.4s\n\tsub\tx3,x3,#64*4-16\t// rewind\n\torr\tv2.16b,v0.16b,v0.16b\n.long\t0x5e104020\t//sha256h v0.16b,v1.16b,v16.4s\n.long\t0x5e105041\t//sha256h2 v1.16b,v2.16b,v16.4s\n\n\tadd\tv17.4s,v17.4s,v7.4s\n\torr\tv2.16b,v0.16b,v0.16b\n.long\t0x5e114020\t//sha256h v0.16b,v1.16b,v17.4s\n.long\t0x5e115041\t//sha256h2 v1.16b,v2.16b,v17.4s\n\n\tadd\tv0.4s,v0.4s,v18.4s\n\tadd\tv1.4s,v1.4s,v19.4s\n\n\tcbnz\tx2,Loop_hw\n\n\tst1\t{v0.4s,v1.4s},[x0]\n\n\tldr\tx29,[sp],#16\n\tret\n\n#endif\n#endif // !OPENSSL_NO_ASM && defined(OPENSSL_AARCH64) && defined(__APPLE__)\n#if defined(__linux__) && defined(__ELF__)\n.section .note.GNU-stack,\"\",%progbits\n#endif\n\n" }, { "path": "Sources/CNIOBoringSSL/gen/bcm/sha256-armv8-linux.S", "content": "#define BORINGSSL_PREFIX CNIOBoringSSL\n// This file is generated from a similarly-named Perl script in the BoringSSL\n// source tree. Do not edit by hand.\n\n#include \n\n#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_AARCH64) && defined(__ELF__)\n// Copyright 2014-2020 The OpenSSL Project Authors. All Rights Reserved.\n//\n// Licensed under the OpenSSL license (the \"License\"). You may not use\n// this file except in compliance with the License. You can obtain a copy\n// in the file LICENSE in the source distribution or at\n// https://www.openssl.org/source/license.html\n\n// ====================================================================\n// Written by Andy Polyakov for the OpenSSL\n// project. The module is, however, dual licensed under OpenSSL and\n// CRYPTOGAMS licenses depending on where you obtain it. For further\n// details see http://www.openssl.org/~appro/cryptogams/.\n//\n// Permission to use under GPLv2 terms is granted.\n// ====================================================================\n//\n// SHA256/512 for ARMv8.\n//\n// Performance in cycles per processed byte and improvement coefficient\n// over code generated with \"default\" compiler:\n//\n//\t\tSHA256-hw\tSHA256(*)\tSHA512\n// Apple A7\t1.97\t\t10.5 (+33%)\t6.73 (-1%(**))\n// Cortex-A53\t2.38\t\t15.5 (+115%)\t10.0 (+150%(***))\n// Cortex-A57\t2.31\t\t11.6 (+86%)\t7.51 (+260%(***))\n// Denver\t2.01\t\t10.5 (+26%)\t6.70 (+8%)\n// X-Gene\t\t\t20.0 (+100%)\t12.8 (+300%(***))\n// Mongoose\t2.36\t\t13.0 (+50%)\t8.36 (+33%)\n// Kryo\t\t1.92\t\t17.4 (+30%)\t11.2 (+8%)\n//\n// (*)\tSoftware SHA256 results are of lesser relevance, presented\n//\tmostly for informational purposes.\n// (**)\tThe result is a trade-off: it's possible to improve it by\n//\t10% (or by 1 cycle per round), but at the cost of 20% loss\n//\ton Cortex-A53 (or by 4 cycles per round).\n// (***)\tSuper-impressive coefficients over gcc-generated code are\n//\tindication of some compiler \"pathology\", most notably code\n//\tgenerated with -mgeneral-regs-only is significantly faster\n//\tand the gap is only 40-90%.\n\n#ifndef\t__KERNEL__\n# include \n#endif\n\n.text\n\n.globl\tsha256_block_data_order_nohw\n.hidden\tsha256_block_data_order_nohw\n.type\tsha256_block_data_order_nohw,%function\n.align\t6\nsha256_block_data_order_nohw:\n\tAARCH64_SIGN_LINK_REGISTER\n\tstp\tx29,x30,[sp,#-128]!\n\tadd\tx29,sp,#0\n\n\tstp\tx19,x20,[sp,#16]\n\tstp\tx21,x22,[sp,#32]\n\tstp\tx23,x24,[sp,#48]\n\tstp\tx25,x26,[sp,#64]\n\tstp\tx27,x28,[sp,#80]\n\tsub\tsp,sp,#4*4\n\n\tldp\tw20,w21,[x0]\t\t\t\t// load context\n\tldp\tw22,w23,[x0,#2*4]\n\tldp\tw24,w25,[x0,#4*4]\n\tadd\tx2,x1,x2,lsl#6\t// end of input\n\tldp\tw26,w27,[x0,#6*4]\n\tadrp\tx30,.LK256\n\tadd\tx30,x30,:lo12:.LK256\n\tstp\tx0,x2,[x29,#96]\n\n.Loop:\n\tldp\tw3,w4,[x1],#2*4\n\tldr\tw19,[x30],#4\t\t\t// *K++\n\teor\tw28,w21,w22\t\t\t\t// magic seed\n\tstr\tx1,[x29,#112]\n#ifndef\t__AARCH64EB__\n\trev\tw3,w3\t\t\t// 0\n#endif\n\tror\tw16,w24,#6\n\tadd\tw27,w27,w19\t\t\t// h+=K[i]\n\teor\tw6,w24,w24,ror#14\n\tand\tw17,w25,w24\n\tbic\tw19,w26,w24\n\tadd\tw27,w27,w3\t\t\t// h+=X[i]\n\torr\tw17,w17,w19\t\t\t// Ch(e,f,g)\n\teor\tw19,w20,w21\t\t\t// a^b, b^c in next round\n\teor\tw16,w16,w6,ror#11\t// Sigma1(e)\n\tror\tw6,w20,#2\n\tadd\tw27,w27,w17\t\t\t// h+=Ch(e,f,g)\n\teor\tw17,w20,w20,ror#9\n\tadd\tw27,w27,w16\t\t\t// h+=Sigma1(e)\n\tand\tw28,w28,w19\t\t\t// (b^c)&=(a^b)\n\tadd\tw23,w23,w27\t\t\t// d+=h\n\teor\tw28,w28,w21\t\t\t// Maj(a,b,c)\n\teor\tw17,w6,w17,ror#13\t// Sigma0(a)\n\tadd\tw27,w27,w28\t\t\t// h+=Maj(a,b,c)\n\tldr\tw28,[x30],#4\t\t// *K++, w19 in next round\n\t//add\tw27,w27,w17\t\t\t// h+=Sigma0(a)\n#ifndef\t__AARCH64EB__\n\trev\tw4,w4\t\t\t// 1\n#endif\n\tldp\tw5,w6,[x1],#2*4\n\tadd\tw27,w27,w17\t\t\t// h+=Sigma0(a)\n\tror\tw16,w23,#6\n\tadd\tw26,w26,w28\t\t\t// h+=K[i]\n\teor\tw7,w23,w23,ror#14\n\tand\tw17,w24,w23\n\tbic\tw28,w25,w23\n\tadd\tw26,w26,w4\t\t\t// h+=X[i]\n\torr\tw17,w17,w28\t\t\t// Ch(e,f,g)\n\teor\tw28,w27,w20\t\t\t// a^b, b^c in next round\n\teor\tw16,w16,w7,ror#11\t// Sigma1(e)\n\tror\tw7,w27,#2\n\tadd\tw26,w26,w17\t\t\t// h+=Ch(e,f,g)\n\teor\tw17,w27,w27,ror#9\n\tadd\tw26,w26,w16\t\t\t// h+=Sigma1(e)\n\tand\tw19,w19,w28\t\t\t// (b^c)&=(a^b)\n\tadd\tw22,w22,w26\t\t\t// d+=h\n\teor\tw19,w19,w20\t\t\t// Maj(a,b,c)\n\teor\tw17,w7,w17,ror#13\t// Sigma0(a)\n\tadd\tw26,w26,w19\t\t\t// h+=Maj(a,b,c)\n\tldr\tw19,[x30],#4\t\t// *K++, w28 in next round\n\t//add\tw26,w26,w17\t\t\t// h+=Sigma0(a)\n#ifndef\t__AARCH64EB__\n\trev\tw5,w5\t\t\t// 2\n#endif\n\tadd\tw26,w26,w17\t\t\t// h+=Sigma0(a)\n\tror\tw16,w22,#6\n\tadd\tw25,w25,w19\t\t\t// h+=K[i]\n\teor\tw8,w22,w22,ror#14\n\tand\tw17,w23,w22\n\tbic\tw19,w24,w22\n\tadd\tw25,w25,w5\t\t\t// h+=X[i]\n\torr\tw17,w17,w19\t\t\t// Ch(e,f,g)\n\teor\tw19,w26,w27\t\t\t// a^b, b^c in next round\n\teor\tw16,w16,w8,ror#11\t// Sigma1(e)\n\tror\tw8,w26,#2\n\tadd\tw25,w25,w17\t\t\t// h+=Ch(e,f,g)\n\teor\tw17,w26,w26,ror#9\n\tadd\tw25,w25,w16\t\t\t// h+=Sigma1(e)\n\tand\tw28,w28,w19\t\t\t// (b^c)&=(a^b)\n\tadd\tw21,w21,w25\t\t\t// d+=h\n\teor\tw28,w28,w27\t\t\t// Maj(a,b,c)\n\teor\tw17,w8,w17,ror#13\t// Sigma0(a)\n\tadd\tw25,w25,w28\t\t\t// h+=Maj(a,b,c)\n\tldr\tw28,[x30],#4\t\t// *K++, w19 in next round\n\t//add\tw25,w25,w17\t\t\t// h+=Sigma0(a)\n#ifndef\t__AARCH64EB__\n\trev\tw6,w6\t\t\t// 3\n#endif\n\tldp\tw7,w8,[x1],#2*4\n\tadd\tw25,w25,w17\t\t\t// h+=Sigma0(a)\n\tror\tw16,w21,#6\n\tadd\tw24,w24,w28\t\t\t// h+=K[i]\n\teor\tw9,w21,w21,ror#14\n\tand\tw17,w22,w21\n\tbic\tw28,w23,w21\n\tadd\tw24,w24,w6\t\t\t// h+=X[i]\n\torr\tw17,w17,w28\t\t\t// Ch(e,f,g)\n\teor\tw28,w25,w26\t\t\t// a^b, b^c in next round\n\teor\tw16,w16,w9,ror#11\t// Sigma1(e)\n\tror\tw9,w25,#2\n\tadd\tw24,w24,w17\t\t\t// h+=Ch(e,f,g)\n\teor\tw17,w25,w25,ror#9\n\tadd\tw24,w24,w16\t\t\t// h+=Sigma1(e)\n\tand\tw19,w19,w28\t\t\t// (b^c)&=(a^b)\n\tadd\tw20,w20,w24\t\t\t// d+=h\n\teor\tw19,w19,w26\t\t\t// Maj(a,b,c)\n\teor\tw17,w9,w17,ror#13\t// Sigma0(a)\n\tadd\tw24,w24,w19\t\t\t// h+=Maj(a,b,c)\n\tldr\tw19,[x30],#4\t\t// *K++, w28 in next round\n\t//add\tw24,w24,w17\t\t\t// h+=Sigma0(a)\n#ifndef\t__AARCH64EB__\n\trev\tw7,w7\t\t\t// 4\n#endif\n\tadd\tw24,w24,w17\t\t\t// h+=Sigma0(a)\n\tror\tw16,w20,#6\n\tadd\tw23,w23,w19\t\t\t// h+=K[i]\n\teor\tw10,w20,w20,ror#14\n\tand\tw17,w21,w20\n\tbic\tw19,w22,w20\n\tadd\tw23,w23,w7\t\t\t// h+=X[i]\n\torr\tw17,w17,w19\t\t\t// Ch(e,f,g)\n\teor\tw19,w24,w25\t\t\t// a^b, b^c in next round\n\teor\tw16,w16,w10,ror#11\t// Sigma1(e)\n\tror\tw10,w24,#2\n\tadd\tw23,w23,w17\t\t\t// h+=Ch(e,f,g)\n\teor\tw17,w24,w24,ror#9\n\tadd\tw23,w23,w16\t\t\t// h+=Sigma1(e)\n\tand\tw28,w28,w19\t\t\t// (b^c)&=(a^b)\n\tadd\tw27,w27,w23\t\t\t// d+=h\n\teor\tw28,w28,w25\t\t\t// Maj(a,b,c)\n\teor\tw17,w10,w17,ror#13\t// Sigma0(a)\n\tadd\tw23,w23,w28\t\t\t// h+=Maj(a,b,c)\n\tldr\tw28,[x30],#4\t\t// *K++, w19 in next round\n\t//add\tw23,w23,w17\t\t\t// h+=Sigma0(a)\n#ifndef\t__AARCH64EB__\n\trev\tw8,w8\t\t\t// 5\n#endif\n\tldp\tw9,w10,[x1],#2*4\n\tadd\tw23,w23,w17\t\t\t// h+=Sigma0(a)\n\tror\tw16,w27,#6\n\tadd\tw22,w22,w28\t\t\t// h+=K[i]\n\teor\tw11,w27,w27,ror#14\n\tand\tw17,w20,w27\n\tbic\tw28,w21,w27\n\tadd\tw22,w22,w8\t\t\t// h+=X[i]\n\torr\tw17,w17,w28\t\t\t// Ch(e,f,g)\n\teor\tw28,w23,w24\t\t\t// a^b, b^c in next round\n\teor\tw16,w16,w11,ror#11\t// Sigma1(e)\n\tror\tw11,w23,#2\n\tadd\tw22,w22,w17\t\t\t// h+=Ch(e,f,g)\n\teor\tw17,w23,w23,ror#9\n\tadd\tw22,w22,w16\t\t\t// h+=Sigma1(e)\n\tand\tw19,w19,w28\t\t\t// (b^c)&=(a^b)\n\tadd\tw26,w26,w22\t\t\t// d+=h\n\teor\tw19,w19,w24\t\t\t// Maj(a,b,c)\n\teor\tw17,w11,w17,ror#13\t// Sigma0(a)\n\tadd\tw22,w22,w19\t\t\t// h+=Maj(a,b,c)\n\tldr\tw19,[x30],#4\t\t// *K++, w28 in next round\n\t//add\tw22,w22,w17\t\t\t// h+=Sigma0(a)\n#ifndef\t__AARCH64EB__\n\trev\tw9,w9\t\t\t// 6\n#endif\n\tadd\tw22,w22,w17\t\t\t// h+=Sigma0(a)\n\tror\tw16,w26,#6\n\tadd\tw21,w21,w19\t\t\t// h+=K[i]\n\teor\tw12,w26,w26,ror#14\n\tand\tw17,w27,w26\n\tbic\tw19,w20,w26\n\tadd\tw21,w21,w9\t\t\t// h+=X[i]\n\torr\tw17,w17,w19\t\t\t// Ch(e,f,g)\n\teor\tw19,w22,w23\t\t\t// a^b, b^c in next round\n\teor\tw16,w16,w12,ror#11\t// Sigma1(e)\n\tror\tw12,w22,#2\n\tadd\tw21,w21,w17\t\t\t// h+=Ch(e,f,g)\n\teor\tw17,w22,w22,ror#9\n\tadd\tw21,w21,w16\t\t\t// h+=Sigma1(e)\n\tand\tw28,w28,w19\t\t\t// (b^c)&=(a^b)\n\tadd\tw25,w25,w21\t\t\t// d+=h\n\teor\tw28,w28,w23\t\t\t// Maj(a,b,c)\n\teor\tw17,w12,w17,ror#13\t// Sigma0(a)\n\tadd\tw21,w21,w28\t\t\t// h+=Maj(a,b,c)\n\tldr\tw28,[x30],#4\t\t// *K++, w19 in next round\n\t//add\tw21,w21,w17\t\t\t// h+=Sigma0(a)\n#ifndef\t__AARCH64EB__\n\trev\tw10,w10\t\t\t// 7\n#endif\n\tldp\tw11,w12,[x1],#2*4\n\tadd\tw21,w21,w17\t\t\t// h+=Sigma0(a)\n\tror\tw16,w25,#6\n\tadd\tw20,w20,w28\t\t\t// h+=K[i]\n\teor\tw13,w25,w25,ror#14\n\tand\tw17,w26,w25\n\tbic\tw28,w27,w25\n\tadd\tw20,w20,w10\t\t\t// h+=X[i]\n\torr\tw17,w17,w28\t\t\t// Ch(e,f,g)\n\teor\tw28,w21,w22\t\t\t// a^b, b^c in next round\n\teor\tw16,w16,w13,ror#11\t// Sigma1(e)\n\tror\tw13,w21,#2\n\tadd\tw20,w20,w17\t\t\t// h+=Ch(e,f,g)\n\teor\tw17,w21,w21,ror#9\n\tadd\tw20,w20,w16\t\t\t// h+=Sigma1(e)\n\tand\tw19,w19,w28\t\t\t// (b^c)&=(a^b)\n\tadd\tw24,w24,w20\t\t\t// d+=h\n\teor\tw19,w19,w22\t\t\t// Maj(a,b,c)\n\teor\tw17,w13,w17,ror#13\t// Sigma0(a)\n\tadd\tw20,w20,w19\t\t\t// h+=Maj(a,b,c)\n\tldr\tw19,[x30],#4\t\t// *K++, w28 in next round\n\t//add\tw20,w20,w17\t\t\t// h+=Sigma0(a)\n#ifndef\t__AARCH64EB__\n\trev\tw11,w11\t\t\t// 8\n#endif\n\tadd\tw20,w20,w17\t\t\t// h+=Sigma0(a)\n\tror\tw16,w24,#6\n\tadd\tw27,w27,w19\t\t\t// h+=K[i]\n\teor\tw14,w24,w24,ror#14\n\tand\tw17,w25,w24\n\tbic\tw19,w26,w24\n\tadd\tw27,w27,w11\t\t\t// h+=X[i]\n\torr\tw17,w17,w19\t\t\t// Ch(e,f,g)\n\teor\tw19,w20,w21\t\t\t// a^b, b^c in next round\n\teor\tw16,w16,w14,ror#11\t// Sigma1(e)\n\tror\tw14,w20,#2\n\tadd\tw27,w27,w17\t\t\t// h+=Ch(e,f,g)\n\teor\tw17,w20,w20,ror#9\n\tadd\tw27,w27,w16\t\t\t// h+=Sigma1(e)\n\tand\tw28,w28,w19\t\t\t// (b^c)&=(a^b)\n\tadd\tw23,w23,w27\t\t\t// d+=h\n\teor\tw28,w28,w21\t\t\t// Maj(a,b,c)\n\teor\tw17,w14,w17,ror#13\t// Sigma0(a)\n\tadd\tw27,w27,w28\t\t\t// h+=Maj(a,b,c)\n\tldr\tw28,[x30],#4\t\t// *K++, w19 in next round\n\t//add\tw27,w27,w17\t\t\t// h+=Sigma0(a)\n#ifndef\t__AARCH64EB__\n\trev\tw12,w12\t\t\t// 9\n#endif\n\tldp\tw13,w14,[x1],#2*4\n\tadd\tw27,w27,w17\t\t\t// h+=Sigma0(a)\n\tror\tw16,w23,#6\n\tadd\tw26,w26,w28\t\t\t// h+=K[i]\n\teor\tw15,w23,w23,ror#14\n\tand\tw17,w24,w23\n\tbic\tw28,w25,w23\n\tadd\tw26,w26,w12\t\t\t// h+=X[i]\n\torr\tw17,w17,w28\t\t\t// Ch(e,f,g)\n\teor\tw28,w27,w20\t\t\t// a^b, b^c in next round\n\teor\tw16,w16,w15,ror#11\t// Sigma1(e)\n\tror\tw15,w27,#2\n\tadd\tw26,w26,w17\t\t\t// h+=Ch(e,f,g)\n\teor\tw17,w27,w27,ror#9\n\tadd\tw26,w26,w16\t\t\t// h+=Sigma1(e)\n\tand\tw19,w19,w28\t\t\t// (b^c)&=(a^b)\n\tadd\tw22,w22,w26\t\t\t// d+=h\n\teor\tw19,w19,w20\t\t\t// Maj(a,b,c)\n\teor\tw17,w15,w17,ror#13\t// Sigma0(a)\n\tadd\tw26,w26,w19\t\t\t// h+=Maj(a,b,c)\n\tldr\tw19,[x30],#4\t\t// *K++, w28 in next round\n\t//add\tw26,w26,w17\t\t\t// h+=Sigma0(a)\n#ifndef\t__AARCH64EB__\n\trev\tw13,w13\t\t\t// 10\n#endif\n\tadd\tw26,w26,w17\t\t\t// h+=Sigma0(a)\n\tror\tw16,w22,#6\n\tadd\tw25,w25,w19\t\t\t// h+=K[i]\n\teor\tw0,w22,w22,ror#14\n\tand\tw17,w23,w22\n\tbic\tw19,w24,w22\n\tadd\tw25,w25,w13\t\t\t// h+=X[i]\n\torr\tw17,w17,w19\t\t\t// Ch(e,f,g)\n\teor\tw19,w26,w27\t\t\t// a^b, b^c in next round\n\teor\tw16,w16,w0,ror#11\t// Sigma1(e)\n\tror\tw0,w26,#2\n\tadd\tw25,w25,w17\t\t\t// h+=Ch(e,f,g)\n\teor\tw17,w26,w26,ror#9\n\tadd\tw25,w25,w16\t\t\t// h+=Sigma1(e)\n\tand\tw28,w28,w19\t\t\t// (b^c)&=(a^b)\n\tadd\tw21,w21,w25\t\t\t// d+=h\n\teor\tw28,w28,w27\t\t\t// Maj(a,b,c)\n\teor\tw17,w0,w17,ror#13\t// Sigma0(a)\n\tadd\tw25,w25,w28\t\t\t// h+=Maj(a,b,c)\n\tldr\tw28,[x30],#4\t\t// *K++, w19 in next round\n\t//add\tw25,w25,w17\t\t\t// h+=Sigma0(a)\n#ifndef\t__AARCH64EB__\n\trev\tw14,w14\t\t\t// 11\n#endif\n\tldp\tw15,w0,[x1],#2*4\n\tadd\tw25,w25,w17\t\t\t// h+=Sigma0(a)\n\tstr\tw6,[sp,#12]\n\tror\tw16,w21,#6\n\tadd\tw24,w24,w28\t\t\t// h+=K[i]\n\teor\tw6,w21,w21,ror#14\n\tand\tw17,w22,w21\n\tbic\tw28,w23,w21\n\tadd\tw24,w24,w14\t\t\t// h+=X[i]\n\torr\tw17,w17,w28\t\t\t// Ch(e,f,g)\n\teor\tw28,w25,w26\t\t\t// a^b, b^c in next round\n\teor\tw16,w16,w6,ror#11\t// Sigma1(e)\n\tror\tw6,w25,#2\n\tadd\tw24,w24,w17\t\t\t// h+=Ch(e,f,g)\n\teor\tw17,w25,w25,ror#9\n\tadd\tw24,w24,w16\t\t\t// h+=Sigma1(e)\n\tand\tw19,w19,w28\t\t\t// (b^c)&=(a^b)\n\tadd\tw20,w20,w24\t\t\t// d+=h\n\teor\tw19,w19,w26\t\t\t// Maj(a,b,c)\n\teor\tw17,w6,w17,ror#13\t// Sigma0(a)\n\tadd\tw24,w24,w19\t\t\t// h+=Maj(a,b,c)\n\tldr\tw19,[x30],#4\t\t// *K++, w28 in next round\n\t//add\tw24,w24,w17\t\t\t// h+=Sigma0(a)\n#ifndef\t__AARCH64EB__\n\trev\tw15,w15\t\t\t// 12\n#endif\n\tadd\tw24,w24,w17\t\t\t// h+=Sigma0(a)\n\tstr\tw7,[sp,#0]\n\tror\tw16,w20,#6\n\tadd\tw23,w23,w19\t\t\t// h+=K[i]\n\teor\tw7,w20,w20,ror#14\n\tand\tw17,w21,w20\n\tbic\tw19,w22,w20\n\tadd\tw23,w23,w15\t\t\t// h+=X[i]\n\torr\tw17,w17,w19\t\t\t// Ch(e,f,g)\n\teor\tw19,w24,w25\t\t\t// a^b, b^c in next round\n\teor\tw16,w16,w7,ror#11\t// Sigma1(e)\n\tror\tw7,w24,#2\n\tadd\tw23,w23,w17\t\t\t// h+=Ch(e,f,g)\n\teor\tw17,w24,w24,ror#9\n\tadd\tw23,w23,w16\t\t\t// h+=Sigma1(e)\n\tand\tw28,w28,w19\t\t\t// (b^c)&=(a^b)\n\tadd\tw27,w27,w23\t\t\t// d+=h\n\teor\tw28,w28,w25\t\t\t// Maj(a,b,c)\n\teor\tw17,w7,w17,ror#13\t// Sigma0(a)\n\tadd\tw23,w23,w28\t\t\t// h+=Maj(a,b,c)\n\tldr\tw28,[x30],#4\t\t// *K++, w19 in next round\n\t//add\tw23,w23,w17\t\t\t// h+=Sigma0(a)\n#ifndef\t__AARCH64EB__\n\trev\tw0,w0\t\t\t// 13\n#endif\n\tldp\tw1,w2,[x1]\n\tadd\tw23,w23,w17\t\t\t// h+=Sigma0(a)\n\tstr\tw8,[sp,#4]\n\tror\tw16,w27,#6\n\tadd\tw22,w22,w28\t\t\t// h+=K[i]\n\teor\tw8,w27,w27,ror#14\n\tand\tw17,w20,w27\n\tbic\tw28,w21,w27\n\tadd\tw22,w22,w0\t\t\t// h+=X[i]\n\torr\tw17,w17,w28\t\t\t// Ch(e,f,g)\n\teor\tw28,w23,w24\t\t\t// a^b, b^c in next round\n\teor\tw16,w16,w8,ror#11\t// Sigma1(e)\n\tror\tw8,w23,#2\n\tadd\tw22,w22,w17\t\t\t// h+=Ch(e,f,g)\n\teor\tw17,w23,w23,ror#9\n\tadd\tw22,w22,w16\t\t\t// h+=Sigma1(e)\n\tand\tw19,w19,w28\t\t\t// (b^c)&=(a^b)\n\tadd\tw26,w26,w22\t\t\t// d+=h\n\teor\tw19,w19,w24\t\t\t// Maj(a,b,c)\n\teor\tw17,w8,w17,ror#13\t// Sigma0(a)\n\tadd\tw22,w22,w19\t\t\t// h+=Maj(a,b,c)\n\tldr\tw19,[x30],#4\t\t// *K++, w28 in next round\n\t//add\tw22,w22,w17\t\t\t// h+=Sigma0(a)\n#ifndef\t__AARCH64EB__\n\trev\tw1,w1\t\t\t// 14\n#endif\n\tldr\tw6,[sp,#12]\n\tadd\tw22,w22,w17\t\t\t// h+=Sigma0(a)\n\tstr\tw9,[sp,#8]\n\tror\tw16,w26,#6\n\tadd\tw21,w21,w19\t\t\t// h+=K[i]\n\teor\tw9,w26,w26,ror#14\n\tand\tw17,w27,w26\n\tbic\tw19,w20,w26\n\tadd\tw21,w21,w1\t\t\t// h+=X[i]\n\torr\tw17,w17,w19\t\t\t// Ch(e,f,g)\n\teor\tw19,w22,w23\t\t\t// a^b, b^c in next round\n\teor\tw16,w16,w9,ror#11\t// Sigma1(e)\n\tror\tw9,w22,#2\n\tadd\tw21,w21,w17\t\t\t// h+=Ch(e,f,g)\n\teor\tw17,w22,w22,ror#9\n\tadd\tw21,w21,w16\t\t\t// h+=Sigma1(e)\n\tand\tw28,w28,w19\t\t\t// (b^c)&=(a^b)\n\tadd\tw25,w25,w21\t\t\t// d+=h\n\teor\tw28,w28,w23\t\t\t// Maj(a,b,c)\n\teor\tw17,w9,w17,ror#13\t// Sigma0(a)\n\tadd\tw21,w21,w28\t\t\t// h+=Maj(a,b,c)\n\tldr\tw28,[x30],#4\t\t// *K++, w19 in next round\n\t//add\tw21,w21,w17\t\t\t// h+=Sigma0(a)\n#ifndef\t__AARCH64EB__\n\trev\tw2,w2\t\t\t// 15\n#endif\n\tldr\tw7,[sp,#0]\n\tadd\tw21,w21,w17\t\t\t// h+=Sigma0(a)\n\tstr\tw10,[sp,#12]\n\tror\tw16,w25,#6\n\tadd\tw20,w20,w28\t\t\t// h+=K[i]\n\tror\tw9,w4,#7\n\tand\tw17,w26,w25\n\tror\tw8,w1,#17\n\tbic\tw28,w27,w25\n\tror\tw10,w21,#2\n\tadd\tw20,w20,w2\t\t\t// h+=X[i]\n\teor\tw16,w16,w25,ror#11\n\teor\tw9,w9,w4,ror#18\n\torr\tw17,w17,w28\t\t\t// Ch(e,f,g)\n\teor\tw28,w21,w22\t\t\t// a^b, b^c in next round\n\teor\tw16,w16,w25,ror#25\t// Sigma1(e)\n\teor\tw10,w10,w21,ror#13\n\tadd\tw20,w20,w17\t\t\t// h+=Ch(e,f,g)\n\tand\tw19,w19,w28\t\t\t// (b^c)&=(a^b)\n\teor\tw8,w8,w1,ror#19\n\teor\tw9,w9,w4,lsr#3\t// sigma0(X[i+1])\n\tadd\tw20,w20,w16\t\t\t// h+=Sigma1(e)\n\teor\tw19,w19,w22\t\t\t// Maj(a,b,c)\n\teor\tw17,w10,w21,ror#22\t// Sigma0(a)\n\teor\tw8,w8,w1,lsr#10\t// sigma1(X[i+14])\n\tadd\tw3,w3,w12\n\tadd\tw24,w24,w20\t\t\t// d+=h\n\tadd\tw20,w20,w19\t\t\t// h+=Maj(a,b,c)\n\tldr\tw19,[x30],#4\t\t// *K++, w28 in next round\n\tadd\tw3,w3,w9\n\tadd\tw20,w20,w17\t\t\t// h+=Sigma0(a)\n\tadd\tw3,w3,w8\n.Loop_16_xx:\n\tldr\tw8,[sp,#4]\n\tstr\tw11,[sp,#0]\n\tror\tw16,w24,#6\n\tadd\tw27,w27,w19\t\t\t// h+=K[i]\n\tror\tw10,w5,#7\n\tand\tw17,w25,w24\n\tror\tw9,w2,#17\n\tbic\tw19,w26,w24\n\tror\tw11,w20,#2\n\tadd\tw27,w27,w3\t\t\t// h+=X[i]\n\teor\tw16,w16,w24,ror#11\n\teor\tw10,w10,w5,ror#18\n\torr\tw17,w17,w19\t\t\t// Ch(e,f,g)\n\teor\tw19,w20,w21\t\t\t// a^b, b^c in next round\n\teor\tw16,w16,w24,ror#25\t// Sigma1(e)\n\teor\tw11,w11,w20,ror#13\n\tadd\tw27,w27,w17\t\t\t// h+=Ch(e,f,g)\n\tand\tw28,w28,w19\t\t\t// (b^c)&=(a^b)\n\teor\tw9,w9,w2,ror#19\n\teor\tw10,w10,w5,lsr#3\t// sigma0(X[i+1])\n\tadd\tw27,w27,w16\t\t\t// h+=Sigma1(e)\n\teor\tw28,w28,w21\t\t\t// Maj(a,b,c)\n\teor\tw17,w11,w20,ror#22\t// Sigma0(a)\n\teor\tw9,w9,w2,lsr#10\t// sigma1(X[i+14])\n\tadd\tw4,w4,w13\n\tadd\tw23,w23,w27\t\t\t// d+=h\n\tadd\tw27,w27,w28\t\t\t// h+=Maj(a,b,c)\n\tldr\tw28,[x30],#4\t\t// *K++, w19 in next round\n\tadd\tw4,w4,w10\n\tadd\tw27,w27,w17\t\t\t// h+=Sigma0(a)\n\tadd\tw4,w4,w9\n\tldr\tw9,[sp,#8]\n\tstr\tw12,[sp,#4]\n\tror\tw16,w23,#6\n\tadd\tw26,w26,w28\t\t\t// h+=K[i]\n\tror\tw11,w6,#7\n\tand\tw17,w24,w23\n\tror\tw10,w3,#17\n\tbic\tw28,w25,w23\n\tror\tw12,w27,#2\n\tadd\tw26,w26,w4\t\t\t// h+=X[i]\n\teor\tw16,w16,w23,ror#11\n\teor\tw11,w11,w6,ror#18\n\torr\tw17,w17,w28\t\t\t// Ch(e,f,g)\n\teor\tw28,w27,w20\t\t\t// a^b, b^c in next round\n\teor\tw16,w16,w23,ror#25\t// Sigma1(e)\n\teor\tw12,w12,w27,ror#13\n\tadd\tw26,w26,w17\t\t\t// h+=Ch(e,f,g)\n\tand\tw19,w19,w28\t\t\t// (b^c)&=(a^b)\n\teor\tw10,w10,w3,ror#19\n\teor\tw11,w11,w6,lsr#3\t// sigma0(X[i+1])\n\tadd\tw26,w26,w16\t\t\t// h+=Sigma1(e)\n\teor\tw19,w19,w20\t\t\t// Maj(a,b,c)\n\teor\tw17,w12,w27,ror#22\t// Sigma0(a)\n\teor\tw10,w10,w3,lsr#10\t// sigma1(X[i+14])\n\tadd\tw5,w5,w14\n\tadd\tw22,w22,w26\t\t\t// d+=h\n\tadd\tw26,w26,w19\t\t\t// h+=Maj(a,b,c)\n\tldr\tw19,[x30],#4\t\t// *K++, w28 in next round\n\tadd\tw5,w5,w11\n\tadd\tw26,w26,w17\t\t\t// h+=Sigma0(a)\n\tadd\tw5,w5,w10\n\tldr\tw10,[sp,#12]\n\tstr\tw13,[sp,#8]\n\tror\tw16,w22,#6\n\tadd\tw25,w25,w19\t\t\t// h+=K[i]\n\tror\tw12,w7,#7\n\tand\tw17,w23,w22\n\tror\tw11,w4,#17\n\tbic\tw19,w24,w22\n\tror\tw13,w26,#2\n\tadd\tw25,w25,w5\t\t\t// h+=X[i]\n\teor\tw16,w16,w22,ror#11\n\teor\tw12,w12,w7,ror#18\n\torr\tw17,w17,w19\t\t\t// Ch(e,f,g)\n\teor\tw19,w26,w27\t\t\t// a^b, b^c in next round\n\teor\tw16,w16,w22,ror#25\t// Sigma1(e)\n\teor\tw13,w13,w26,ror#13\n\tadd\tw25,w25,w17\t\t\t// h+=Ch(e,f,g)\n\tand\tw28,w28,w19\t\t\t// (b^c)&=(a^b)\n\teor\tw11,w11,w4,ror#19\n\teor\tw12,w12,w7,lsr#3\t// sigma0(X[i+1])\n\tadd\tw25,w25,w16\t\t\t// h+=Sigma1(e)\n\teor\tw28,w28,w27\t\t\t// Maj(a,b,c)\n\teor\tw17,w13,w26,ror#22\t// Sigma0(a)\n\teor\tw11,w11,w4,lsr#10\t// sigma1(X[i+14])\n\tadd\tw6,w6,w15\n\tadd\tw21,w21,w25\t\t\t// d+=h\n\tadd\tw25,w25,w28\t\t\t// h+=Maj(a,b,c)\n\tldr\tw28,[x30],#4\t\t// *K++, w19 in next round\n\tadd\tw6,w6,w12\n\tadd\tw25,w25,w17\t\t\t// h+=Sigma0(a)\n\tadd\tw6,w6,w11\n\tldr\tw11,[sp,#0]\n\tstr\tw14,[sp,#12]\n\tror\tw16,w21,#6\n\tadd\tw24,w24,w28\t\t\t// h+=K[i]\n\tror\tw13,w8,#7\n\tand\tw17,w22,w21\n\tror\tw12,w5,#17\n\tbic\tw28,w23,w21\n\tror\tw14,w25,#2\n\tadd\tw24,w24,w6\t\t\t// h+=X[i]\n\teor\tw16,w16,w21,ror#11\n\teor\tw13,w13,w8,ror#18\n\torr\tw17,w17,w28\t\t\t// Ch(e,f,g)\n\teor\tw28,w25,w26\t\t\t// a^b, b^c in next round\n\teor\tw16,w16,w21,ror#25\t// Sigma1(e)\n\teor\tw14,w14,w25,ror#13\n\tadd\tw24,w24,w17\t\t\t// h+=Ch(e,f,g)\n\tand\tw19,w19,w28\t\t\t// (b^c)&=(a^b)\n\teor\tw12,w12,w5,ror#19\n\teor\tw13,w13,w8,lsr#3\t// sigma0(X[i+1])\n\tadd\tw24,w24,w16\t\t\t// h+=Sigma1(e)\n\teor\tw19,w19,w26\t\t\t// Maj(a,b,c)\n\teor\tw17,w14,w25,ror#22\t// Sigma0(a)\n\teor\tw12,w12,w5,lsr#10\t// sigma1(X[i+14])\n\tadd\tw7,w7,w0\n\tadd\tw20,w20,w24\t\t\t// d+=h\n\tadd\tw24,w24,w19\t\t\t// h+=Maj(a,b,c)\n\tldr\tw19,[x30],#4\t\t// *K++, w28 in next round\n\tadd\tw7,w7,w13\n\tadd\tw24,w24,w17\t\t\t// h+=Sigma0(a)\n\tadd\tw7,w7,w12\n\tldr\tw12,[sp,#4]\n\tstr\tw15,[sp,#0]\n\tror\tw16,w20,#6\n\tadd\tw23,w23,w19\t\t\t// h+=K[i]\n\tror\tw14,w9,#7\n\tand\tw17,w21,w20\n\tror\tw13,w6,#17\n\tbic\tw19,w22,w20\n\tror\tw15,w24,#2\n\tadd\tw23,w23,w7\t\t\t// h+=X[i]\n\teor\tw16,w16,w20,ror#11\n\teor\tw14,w14,w9,ror#18\n\torr\tw17,w17,w19\t\t\t// Ch(e,f,g)\n\teor\tw19,w24,w25\t\t\t// a^b, b^c in next round\n\teor\tw16,w16,w20,ror#25\t// Sigma1(e)\n\teor\tw15,w15,w24,ror#13\n\tadd\tw23,w23,w17\t\t\t// h+=Ch(e,f,g)\n\tand\tw28,w28,w19\t\t\t// (b^c)&=(a^b)\n\teor\tw13,w13,w6,ror#19\n\teor\tw14,w14,w9,lsr#3\t// sigma0(X[i+1])\n\tadd\tw23,w23,w16\t\t\t// h+=Sigma1(e)\n\teor\tw28,w28,w25\t\t\t// Maj(a,b,c)\n\teor\tw17,w15,w24,ror#22\t// Sigma0(a)\n\teor\tw13,w13,w6,lsr#10\t// sigma1(X[i+14])\n\tadd\tw8,w8,w1\n\tadd\tw27,w27,w23\t\t\t// d+=h\n\tadd\tw23,w23,w28\t\t\t// h+=Maj(a,b,c)\n\tldr\tw28,[x30],#4\t\t// *K++, w19 in next round\n\tadd\tw8,w8,w14\n\tadd\tw23,w23,w17\t\t\t// h+=Sigma0(a)\n\tadd\tw8,w8,w13\n\tldr\tw13,[sp,#8]\n\tstr\tw0,[sp,#4]\n\tror\tw16,w27,#6\n\tadd\tw22,w22,w28\t\t\t// h+=K[i]\n\tror\tw15,w10,#7\n\tand\tw17,w20,w27\n\tror\tw14,w7,#17\n\tbic\tw28,w21,w27\n\tror\tw0,w23,#2\n\tadd\tw22,w22,w8\t\t\t// h+=X[i]\n\teor\tw16,w16,w27,ror#11\n\teor\tw15,w15,w10,ror#18\n\torr\tw17,w17,w28\t\t\t// Ch(e,f,g)\n\teor\tw28,w23,w24\t\t\t// a^b, b^c in next round\n\teor\tw16,w16,w27,ror#25\t// Sigma1(e)\n\teor\tw0,w0,w23,ror#13\n\tadd\tw22,w22,w17\t\t\t// h+=Ch(e,f,g)\n\tand\tw19,w19,w28\t\t\t// (b^c)&=(a^b)\n\teor\tw14,w14,w7,ror#19\n\teor\tw15,w15,w10,lsr#3\t// sigma0(X[i+1])\n\tadd\tw22,w22,w16\t\t\t// h+=Sigma1(e)\n\teor\tw19,w19,w24\t\t\t// Maj(a,b,c)\n\teor\tw17,w0,w23,ror#22\t// Sigma0(a)\n\teor\tw14,w14,w7,lsr#10\t// sigma1(X[i+14])\n\tadd\tw9,w9,w2\n\tadd\tw26,w26,w22\t\t\t// d+=h\n\tadd\tw22,w22,w19\t\t\t// h+=Maj(a,b,c)\n\tldr\tw19,[x30],#4\t\t// *K++, w28 in next round\n\tadd\tw9,w9,w15\n\tadd\tw22,w22,w17\t\t\t// h+=Sigma0(a)\n\tadd\tw9,w9,w14\n\tldr\tw14,[sp,#12]\n\tstr\tw1,[sp,#8]\n\tror\tw16,w26,#6\n\tadd\tw21,w21,w19\t\t\t// h+=K[i]\n\tror\tw0,w11,#7\n\tand\tw17,w27,w26\n\tror\tw15,w8,#17\n\tbic\tw19,w20,w26\n\tror\tw1,w22,#2\n\tadd\tw21,w21,w9\t\t\t// h+=X[i]\n\teor\tw16,w16,w26,ror#11\n\teor\tw0,w0,w11,ror#18\n\torr\tw17,w17,w19\t\t\t// Ch(e,f,g)\n\teor\tw19,w22,w23\t\t\t// a^b, b^c in next round\n\teor\tw16,w16,w26,ror#25\t// Sigma1(e)\n\teor\tw1,w1,w22,ror#13\n\tadd\tw21,w21,w17\t\t\t// h+=Ch(e,f,g)\n\tand\tw28,w28,w19\t\t\t// (b^c)&=(a^b)\n\teor\tw15,w15,w8,ror#19\n\teor\tw0,w0,w11,lsr#3\t// sigma0(X[i+1])\n\tadd\tw21,w21,w16\t\t\t// h+=Sigma1(e)\n\teor\tw28,w28,w23\t\t\t// Maj(a,b,c)\n\teor\tw17,w1,w22,ror#22\t// Sigma0(a)\n\teor\tw15,w15,w8,lsr#10\t// sigma1(X[i+14])\n\tadd\tw10,w10,w3\n\tadd\tw25,w25,w21\t\t\t// d+=h\n\tadd\tw21,w21,w28\t\t\t// h+=Maj(a,b,c)\n\tldr\tw28,[x30],#4\t\t// *K++, w19 in next round\n\tadd\tw10,w10,w0\n\tadd\tw21,w21,w17\t\t\t// h+=Sigma0(a)\n\tadd\tw10,w10,w15\n\tldr\tw15,[sp,#0]\n\tstr\tw2,[sp,#12]\n\tror\tw16,w25,#6\n\tadd\tw20,w20,w28\t\t\t// h+=K[i]\n\tror\tw1,w12,#7\n\tand\tw17,w26,w25\n\tror\tw0,w9,#17\n\tbic\tw28,w27,w25\n\tror\tw2,w21,#2\n\tadd\tw20,w20,w10\t\t\t// h+=X[i]\n\teor\tw16,w16,w25,ror#11\n\teor\tw1,w1,w12,ror#18\n\torr\tw17,w17,w28\t\t\t// Ch(e,f,g)\n\teor\tw28,w21,w22\t\t\t// a^b, b^c in next round\n\teor\tw16,w16,w25,ror#25\t// Sigma1(e)\n\teor\tw2,w2,w21,ror#13\n\tadd\tw20,w20,w17\t\t\t// h+=Ch(e,f,g)\n\tand\tw19,w19,w28\t\t\t// (b^c)&=(a^b)\n\teor\tw0,w0,w9,ror#19\n\teor\tw1,w1,w12,lsr#3\t// sigma0(X[i+1])\n\tadd\tw20,w20,w16\t\t\t// h+=Sigma1(e)\n\teor\tw19,w19,w22\t\t\t// Maj(a,b,c)\n\teor\tw17,w2,w21,ror#22\t// Sigma0(a)\n\teor\tw0,w0,w9,lsr#10\t// sigma1(X[i+14])\n\tadd\tw11,w11,w4\n\tadd\tw24,w24,w20\t\t\t// d+=h\n\tadd\tw20,w20,w19\t\t\t// h+=Maj(a,b,c)\n\tldr\tw19,[x30],#4\t\t// *K++, w28 in next round\n\tadd\tw11,w11,w1\n\tadd\tw20,w20,w17\t\t\t// h+=Sigma0(a)\n\tadd\tw11,w11,w0\n\tldr\tw0,[sp,#4]\n\tstr\tw3,[sp,#0]\n\tror\tw16,w24,#6\n\tadd\tw27,w27,w19\t\t\t// h+=K[i]\n\tror\tw2,w13,#7\n\tand\tw17,w25,w24\n\tror\tw1,w10,#17\n\tbic\tw19,w26,w24\n\tror\tw3,w20,#2\n\tadd\tw27,w27,w11\t\t\t// h+=X[i]\n\teor\tw16,w16,w24,ror#11\n\teor\tw2,w2,w13,ror#18\n\torr\tw17,w17,w19\t\t\t// Ch(e,f,g)\n\teor\tw19,w20,w21\t\t\t// a^b, b^c in next round\n\teor\tw16,w16,w24,ror#25\t// Sigma1(e)\n\teor\tw3,w3,w20,ror#13\n\tadd\tw27,w27,w17\t\t\t// h+=Ch(e,f,g)\n\tand\tw28,w28,w19\t\t\t// (b^c)&=(a^b)\n\teor\tw1,w1,w10,ror#19\n\teor\tw2,w2,w13,lsr#3\t// sigma0(X[i+1])\n\tadd\tw27,w27,w16\t\t\t// h+=Sigma1(e)\n\teor\tw28,w28,w21\t\t\t// Maj(a,b,c)\n\teor\tw17,w3,w20,ror#22\t// Sigma0(a)\n\teor\tw1,w1,w10,lsr#10\t// sigma1(X[i+14])\n\tadd\tw12,w12,w5\n\tadd\tw23,w23,w27\t\t\t// d+=h\n\tadd\tw27,w27,w28\t\t\t// h+=Maj(a,b,c)\n\tldr\tw28,[x30],#4\t\t// *K++, w19 in next round\n\tadd\tw12,w12,w2\n\tadd\tw27,w27,w17\t\t\t// h+=Sigma0(a)\n\tadd\tw12,w12,w1\n\tldr\tw1,[sp,#8]\n\tstr\tw4,[sp,#4]\n\tror\tw16,w23,#6\n\tadd\tw26,w26,w28\t\t\t// h+=K[i]\n\tror\tw3,w14,#7\n\tand\tw17,w24,w23\n\tror\tw2,w11,#17\n\tbic\tw28,w25,w23\n\tror\tw4,w27,#2\n\tadd\tw26,w26,w12\t\t\t// h+=X[i]\n\teor\tw16,w16,w23,ror#11\n\teor\tw3,w3,w14,ror#18\n\torr\tw17,w17,w28\t\t\t// Ch(e,f,g)\n\teor\tw28,w27,w20\t\t\t// a^b, b^c in next round\n\teor\tw16,w16,w23,ror#25\t// Sigma1(e)\n\teor\tw4,w4,w27,ror#13\n\tadd\tw26,w26,w17\t\t\t// h+=Ch(e,f,g)\n\tand\tw19,w19,w28\t\t\t// (b^c)&=(a^b)\n\teor\tw2,w2,w11,ror#19\n\teor\tw3,w3,w14,lsr#3\t// sigma0(X[i+1])\n\tadd\tw26,w26,w16\t\t\t// h+=Sigma1(e)\n\teor\tw19,w19,w20\t\t\t// Maj(a,b,c)\n\teor\tw17,w4,w27,ror#22\t// Sigma0(a)\n\teor\tw2,w2,w11,lsr#10\t// sigma1(X[i+14])\n\tadd\tw13,w13,w6\n\tadd\tw22,w22,w26\t\t\t// d+=h\n\tadd\tw26,w26,w19\t\t\t// h+=Maj(a,b,c)\n\tldr\tw19,[x30],#4\t\t// *K++, w28 in next round\n\tadd\tw13,w13,w3\n\tadd\tw26,w26,w17\t\t\t// h+=Sigma0(a)\n\tadd\tw13,w13,w2\n\tldr\tw2,[sp,#12]\n\tstr\tw5,[sp,#8]\n\tror\tw16,w22,#6\n\tadd\tw25,w25,w19\t\t\t// h+=K[i]\n\tror\tw4,w15,#7\n\tand\tw17,w23,w22\n\tror\tw3,w12,#17\n\tbic\tw19,w24,w22\n\tror\tw5,w26,#2\n\tadd\tw25,w25,w13\t\t\t// h+=X[i]\n\teor\tw16,w16,w22,ror#11\n\teor\tw4,w4,w15,ror#18\n\torr\tw17,w17,w19\t\t\t// Ch(e,f,g)\n\teor\tw19,w26,w27\t\t\t// a^b, b^c in next round\n\teor\tw16,w16,w22,ror#25\t// Sigma1(e)\n\teor\tw5,w5,w26,ror#13\n\tadd\tw25,w25,w17\t\t\t// h+=Ch(e,f,g)\n\tand\tw28,w28,w19\t\t\t// (b^c)&=(a^b)\n\teor\tw3,w3,w12,ror#19\n\teor\tw4,w4,w15,lsr#3\t// sigma0(X[i+1])\n\tadd\tw25,w25,w16\t\t\t// h+=Sigma1(e)\n\teor\tw28,w28,w27\t\t\t// Maj(a,b,c)\n\teor\tw17,w5,w26,ror#22\t// Sigma0(a)\n\teor\tw3,w3,w12,lsr#10\t// sigma1(X[i+14])\n\tadd\tw14,w14,w7\n\tadd\tw21,w21,w25\t\t\t// d+=h\n\tadd\tw25,w25,w28\t\t\t// h+=Maj(a,b,c)\n\tldr\tw28,[x30],#4\t\t// *K++, w19 in next round\n\tadd\tw14,w14,w4\n\tadd\tw25,w25,w17\t\t\t// h+=Sigma0(a)\n\tadd\tw14,w14,w3\n\tldr\tw3,[sp,#0]\n\tstr\tw6,[sp,#12]\n\tror\tw16,w21,#6\n\tadd\tw24,w24,w28\t\t\t// h+=K[i]\n\tror\tw5,w0,#7\n\tand\tw17,w22,w21\n\tror\tw4,w13,#17\n\tbic\tw28,w23,w21\n\tror\tw6,w25,#2\n\tadd\tw24,w24,w14\t\t\t// h+=X[i]\n\teor\tw16,w16,w21,ror#11\n\teor\tw5,w5,w0,ror#18\n\torr\tw17,w17,w28\t\t\t// Ch(e,f,g)\n\teor\tw28,w25,w26\t\t\t// a^b, b^c in next round\n\teor\tw16,w16,w21,ror#25\t// Sigma1(e)\n\teor\tw6,w6,w25,ror#13\n\tadd\tw24,w24,w17\t\t\t// h+=Ch(e,f,g)\n\tand\tw19,w19,w28\t\t\t// (b^c)&=(a^b)\n\teor\tw4,w4,w13,ror#19\n\teor\tw5,w5,w0,lsr#3\t// sigma0(X[i+1])\n\tadd\tw24,w24,w16\t\t\t// h+=Sigma1(e)\n\teor\tw19,w19,w26\t\t\t// Maj(a,b,c)\n\teor\tw17,w6,w25,ror#22\t// Sigma0(a)\n\teor\tw4,w4,w13,lsr#10\t// sigma1(X[i+14])\n\tadd\tw15,w15,w8\n\tadd\tw20,w20,w24\t\t\t// d+=h\n\tadd\tw24,w24,w19\t\t\t// h+=Maj(a,b,c)\n\tldr\tw19,[x30],#4\t\t// *K++, w28 in next round\n\tadd\tw15,w15,w5\n\tadd\tw24,w24,w17\t\t\t// h+=Sigma0(a)\n\tadd\tw15,w15,w4\n\tldr\tw4,[sp,#4]\n\tstr\tw7,[sp,#0]\n\tror\tw16,w20,#6\n\tadd\tw23,w23,w19\t\t\t// h+=K[i]\n\tror\tw6,w1,#7\n\tand\tw17,w21,w20\n\tror\tw5,w14,#17\n\tbic\tw19,w22,w20\n\tror\tw7,w24,#2\n\tadd\tw23,w23,w15\t\t\t// h+=X[i]\n\teor\tw16,w16,w20,ror#11\n\teor\tw6,w6,w1,ror#18\n\torr\tw17,w17,w19\t\t\t// Ch(e,f,g)\n\teor\tw19,w24,w25\t\t\t// a^b, b^c in next round\n\teor\tw16,w16,w20,ror#25\t// Sigma1(e)\n\teor\tw7,w7,w24,ror#13\n\tadd\tw23,w23,w17\t\t\t// h+=Ch(e,f,g)\n\tand\tw28,w28,w19\t\t\t// (b^c)&=(a^b)\n\teor\tw5,w5,w14,ror#19\n\teor\tw6,w6,w1,lsr#3\t// sigma0(X[i+1])\n\tadd\tw23,w23,w16\t\t\t// h+=Sigma1(e)\n\teor\tw28,w28,w25\t\t\t// Maj(a,b,c)\n\teor\tw17,w7,w24,ror#22\t// Sigma0(a)\n\teor\tw5,w5,w14,lsr#10\t// sigma1(X[i+14])\n\tadd\tw0,w0,w9\n\tadd\tw27,w27,w23\t\t\t// d+=h\n\tadd\tw23,w23,w28\t\t\t// h+=Maj(a,b,c)\n\tldr\tw28,[x30],#4\t\t// *K++, w19 in next round\n\tadd\tw0,w0,w6\n\tadd\tw23,w23,w17\t\t\t// h+=Sigma0(a)\n\tadd\tw0,w0,w5\n\tldr\tw5,[sp,#8]\n\tstr\tw8,[sp,#4]\n\tror\tw16,w27,#6\n\tadd\tw22,w22,w28\t\t\t// h+=K[i]\n\tror\tw7,w2,#7\n\tand\tw17,w20,w27\n\tror\tw6,w15,#17\n\tbic\tw28,w21,w27\n\tror\tw8,w23,#2\n\tadd\tw22,w22,w0\t\t\t// h+=X[i]\n\teor\tw16,w16,w27,ror#11\n\teor\tw7,w7,w2,ror#18\n\torr\tw17,w17,w28\t\t\t// Ch(e,f,g)\n\teor\tw28,w23,w24\t\t\t// a^b, b^c in next round\n\teor\tw16,w16,w27,ror#25\t// Sigma1(e)\n\teor\tw8,w8,w23,ror#13\n\tadd\tw22,w22,w17\t\t\t// h+=Ch(e,f,g)\n\tand\tw19,w19,w28\t\t\t// (b^c)&=(a^b)\n\teor\tw6,w6,w15,ror#19\n\teor\tw7,w7,w2,lsr#3\t// sigma0(X[i+1])\n\tadd\tw22,w22,w16\t\t\t// h+=Sigma1(e)\n\teor\tw19,w19,w24\t\t\t// Maj(a,b,c)\n\teor\tw17,w8,w23,ror#22\t// Sigma0(a)\n\teor\tw6,w6,w15,lsr#10\t// sigma1(X[i+14])\n\tadd\tw1,w1,w10\n\tadd\tw26,w26,w22\t\t\t// d+=h\n\tadd\tw22,w22,w19\t\t\t// h+=Maj(a,b,c)\n\tldr\tw19,[x30],#4\t\t// *K++, w28 in next round\n\tadd\tw1,w1,w7\n\tadd\tw22,w22,w17\t\t\t// h+=Sigma0(a)\n\tadd\tw1,w1,w6\n\tldr\tw6,[sp,#12]\n\tstr\tw9,[sp,#8]\n\tror\tw16,w26,#6\n\tadd\tw21,w21,w19\t\t\t// h+=K[i]\n\tror\tw8,w3,#7\n\tand\tw17,w27,w26\n\tror\tw7,w0,#17\n\tbic\tw19,w20,w26\n\tror\tw9,w22,#2\n\tadd\tw21,w21,w1\t\t\t// h+=X[i]\n\teor\tw16,w16,w26,ror#11\n\teor\tw8,w8,w3,ror#18\n\torr\tw17,w17,w19\t\t\t// Ch(e,f,g)\n\teor\tw19,w22,w23\t\t\t// a^b, b^c in next round\n\teor\tw16,w16,w26,ror#25\t// Sigma1(e)\n\teor\tw9,w9,w22,ror#13\n\tadd\tw21,w21,w17\t\t\t// h+=Ch(e,f,g)\n\tand\tw28,w28,w19\t\t\t// (b^c)&=(a^b)\n\teor\tw7,w7,w0,ror#19\n\teor\tw8,w8,w3,lsr#3\t// sigma0(X[i+1])\n\tadd\tw21,w21,w16\t\t\t// h+=Sigma1(e)\n\teor\tw28,w28,w23\t\t\t// Maj(a,b,c)\n\teor\tw17,w9,w22,ror#22\t// Sigma0(a)\n\teor\tw7,w7,w0,lsr#10\t// sigma1(X[i+14])\n\tadd\tw2,w2,w11\n\tadd\tw25,w25,w21\t\t\t// d+=h\n\tadd\tw21,w21,w28\t\t\t// h+=Maj(a,b,c)\n\tldr\tw28,[x30],#4\t\t// *K++, w19 in next round\n\tadd\tw2,w2,w8\n\tadd\tw21,w21,w17\t\t\t// h+=Sigma0(a)\n\tadd\tw2,w2,w7\n\tldr\tw7,[sp,#0]\n\tstr\tw10,[sp,#12]\n\tror\tw16,w25,#6\n\tadd\tw20,w20,w28\t\t\t// h+=K[i]\n\tror\tw9,w4,#7\n\tand\tw17,w26,w25\n\tror\tw8,w1,#17\n\tbic\tw28,w27,w25\n\tror\tw10,w21,#2\n\tadd\tw20,w20,w2\t\t\t// h+=X[i]\n\teor\tw16,w16,w25,ror#11\n\teor\tw9,w9,w4,ror#18\n\torr\tw17,w17,w28\t\t\t// Ch(e,f,g)\n\teor\tw28,w21,w22\t\t\t// a^b, b^c in next round\n\teor\tw16,w16,w25,ror#25\t// Sigma1(e)\n\teor\tw10,w10,w21,ror#13\n\tadd\tw20,w20,w17\t\t\t// h+=Ch(e,f,g)\n\tand\tw19,w19,w28\t\t\t// (b^c)&=(a^b)\n\teor\tw8,w8,w1,ror#19\n\teor\tw9,w9,w4,lsr#3\t// sigma0(X[i+1])\n\tadd\tw20,w20,w16\t\t\t// h+=Sigma1(e)\n\teor\tw19,w19,w22\t\t\t// Maj(a,b,c)\n\teor\tw17,w10,w21,ror#22\t// Sigma0(a)\n\teor\tw8,w8,w1,lsr#10\t// sigma1(X[i+14])\n\tadd\tw3,w3,w12\n\tadd\tw24,w24,w20\t\t\t// d+=h\n\tadd\tw20,w20,w19\t\t\t// h+=Maj(a,b,c)\n\tldr\tw19,[x30],#4\t\t// *K++, w28 in next round\n\tadd\tw3,w3,w9\n\tadd\tw20,w20,w17\t\t\t// h+=Sigma0(a)\n\tadd\tw3,w3,w8\n\tcbnz\tw19,.Loop_16_xx\n\n\tldp\tx0,x2,[x29,#96]\n\tldr\tx1,[x29,#112]\n\tsub\tx30,x30,#260\t\t// rewind\n\n\tldp\tw3,w4,[x0]\n\tldp\tw5,w6,[x0,#2*4]\n\tadd\tx1,x1,#14*4\t\t\t// advance input pointer\n\tldp\tw7,w8,[x0,#4*4]\n\tadd\tw20,w20,w3\n\tldp\tw9,w10,[x0,#6*4]\n\tadd\tw21,w21,w4\n\tadd\tw22,w22,w5\n\tadd\tw23,w23,w6\n\tstp\tw20,w21,[x0]\n\tadd\tw24,w24,w7\n\tadd\tw25,w25,w8\n\tstp\tw22,w23,[x0,#2*4]\n\tadd\tw26,w26,w9\n\tadd\tw27,w27,w10\n\tcmp\tx1,x2\n\tstp\tw24,w25,[x0,#4*4]\n\tstp\tw26,w27,[x0,#6*4]\n\tb.ne\t.Loop\n\n\tldp\tx19,x20,[x29,#16]\n\tadd\tsp,sp,#4*4\n\tldp\tx21,x22,[x29,#32]\n\tldp\tx23,x24,[x29,#48]\n\tldp\tx25,x26,[x29,#64]\n\tldp\tx27,x28,[x29,#80]\n\tldp\tx29,x30,[sp],#128\n\tAARCH64_VALIDATE_LINK_REGISTER\n\tret\n.size\tsha256_block_data_order_nohw,.-sha256_block_data_order_nohw\n\n.section\t.rodata\n.align\t6\n.type\t.LK256,%object\n.LK256:\n.long\t0x428a2f98,0x71374491,0xb5c0fbcf,0xe9b5dba5\n.long\t0x3956c25b,0x59f111f1,0x923f82a4,0xab1c5ed5\n.long\t0xd807aa98,0x12835b01,0x243185be,0x550c7dc3\n.long\t0x72be5d74,0x80deb1fe,0x9bdc06a7,0xc19bf174\n.long\t0xe49b69c1,0xefbe4786,0x0fc19dc6,0x240ca1cc\n.long\t0x2de92c6f,0x4a7484aa,0x5cb0a9dc,0x76f988da\n.long\t0x983e5152,0xa831c66d,0xb00327c8,0xbf597fc7\n.long\t0xc6e00bf3,0xd5a79147,0x06ca6351,0x14292967\n.long\t0x27b70a85,0x2e1b2138,0x4d2c6dfc,0x53380d13\n.long\t0x650a7354,0x766a0abb,0x81c2c92e,0x92722c85\n.long\t0xa2bfe8a1,0xa81a664b,0xc24b8b70,0xc76c51a3\n.long\t0xd192e819,0xd6990624,0xf40e3585,0x106aa070\n.long\t0x19a4c116,0x1e376c08,0x2748774c,0x34b0bcb5\n.long\t0x391c0cb3,0x4ed8aa4a,0x5b9cca4f,0x682e6ff3\n.long\t0x748f82ee,0x78a5636f,0x84c87814,0x8cc70208\n.long\t0x90befffa,0xa4506ceb,0xbef9a3f7,0xc67178f2\n.long\t0\t//terminator\n.size\t.LK256,.-.LK256\n.byte\t83,72,65,50,53,54,32,98,108,111,99,107,32,116,114,97,110,115,102,111,114,109,32,102,111,114,32,65,82,77,118,56,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0\n.align\t2\n.align\t2\n.text\n#ifndef\t__KERNEL__\n.globl\tsha256_block_data_order_hw\n.hidden\tsha256_block_data_order_hw\n.type\tsha256_block_data_order_hw,%function\n.align\t6\nsha256_block_data_order_hw:\n\t// Armv8.3-A PAuth: even though x30 is pushed to stack it is not popped later.\n\tAARCH64_VALID_CALL_TARGET\n\tstp\tx29,x30,[sp,#-16]!\n\tadd\tx29,sp,#0\n\n\tld1\t{v0.4s,v1.4s},[x0]\n\tadrp\tx3,.LK256\n\tadd\tx3,x3,:lo12:.LK256\n\n.Loop_hw:\n\tld1\t{v4.16b,v5.16b,v6.16b,v7.16b},[x1],#64\n\tsub\tx2,x2,#1\n\tld1\t{v16.4s},[x3],#16\n\trev32\tv4.16b,v4.16b\n\trev32\tv5.16b,v5.16b\n\trev32\tv6.16b,v6.16b\n\trev32\tv7.16b,v7.16b\n\torr\tv18.16b,v0.16b,v0.16b\t\t// offload\n\torr\tv19.16b,v1.16b,v1.16b\n\tld1\t{v17.4s},[x3],#16\n\tadd\tv16.4s,v16.4s,v4.4s\n.inst\t0x5e2828a4\t//sha256su0 v4.16b,v5.16b\n\torr\tv2.16b,v0.16b,v0.16b\n.inst\t0x5e104020\t//sha256h v0.16b,v1.16b,v16.4s\n.inst\t0x5e105041\t//sha256h2 v1.16b,v2.16b,v16.4s\n.inst\t0x5e0760c4\t//sha256su1 v4.16b,v6.16b,v7.16b\n\tld1\t{v16.4s},[x3],#16\n\tadd\tv17.4s,v17.4s,v5.4s\n.inst\t0x5e2828c5\t//sha256su0 v5.16b,v6.16b\n\torr\tv2.16b,v0.16b,v0.16b\n.inst\t0x5e114020\t//sha256h v0.16b,v1.16b,v17.4s\n.inst\t0x5e115041\t//sha256h2 v1.16b,v2.16b,v17.4s\n.inst\t0x5e0460e5\t//sha256su1 v5.16b,v7.16b,v4.16b\n\tld1\t{v17.4s},[x3],#16\n\tadd\tv16.4s,v16.4s,v6.4s\n.inst\t0x5e2828e6\t//sha256su0 v6.16b,v7.16b\n\torr\tv2.16b,v0.16b,v0.16b\n.inst\t0x5e104020\t//sha256h v0.16b,v1.16b,v16.4s\n.inst\t0x5e105041\t//sha256h2 v1.16b,v2.16b,v16.4s\n.inst\t0x5e056086\t//sha256su1 v6.16b,v4.16b,v5.16b\n\tld1\t{v16.4s},[x3],#16\n\tadd\tv17.4s,v17.4s,v7.4s\n.inst\t0x5e282887\t//sha256su0 v7.16b,v4.16b\n\torr\tv2.16b,v0.16b,v0.16b\n.inst\t0x5e114020\t//sha256h v0.16b,v1.16b,v17.4s\n.inst\t0x5e115041\t//sha256h2 v1.16b,v2.16b,v17.4s\n.inst\t0x5e0660a7\t//sha256su1 v7.16b,v5.16b,v6.16b\n\tld1\t{v17.4s},[x3],#16\n\tadd\tv16.4s,v16.4s,v4.4s\n.inst\t0x5e2828a4\t//sha256su0 v4.16b,v5.16b\n\torr\tv2.16b,v0.16b,v0.16b\n.inst\t0x5e104020\t//sha256h v0.16b,v1.16b,v16.4s\n.inst\t0x5e105041\t//sha256h2 v1.16b,v2.16b,v16.4s\n.inst\t0x5e0760c4\t//sha256su1 v4.16b,v6.16b,v7.16b\n\tld1\t{v16.4s},[x3],#16\n\tadd\tv17.4s,v17.4s,v5.4s\n.inst\t0x5e2828c5\t//sha256su0 v5.16b,v6.16b\n\torr\tv2.16b,v0.16b,v0.16b\n.inst\t0x5e114020\t//sha256h v0.16b,v1.16b,v17.4s\n.inst\t0x5e115041\t//sha256h2 v1.16b,v2.16b,v17.4s\n.inst\t0x5e0460e5\t//sha256su1 v5.16b,v7.16b,v4.16b\n\tld1\t{v17.4s},[x3],#16\n\tadd\tv16.4s,v16.4s,v6.4s\n.inst\t0x5e2828e6\t//sha256su0 v6.16b,v7.16b\n\torr\tv2.16b,v0.16b,v0.16b\n.inst\t0x5e104020\t//sha256h v0.16b,v1.16b,v16.4s\n.inst\t0x5e105041\t//sha256h2 v1.16b,v2.16b,v16.4s\n.inst\t0x5e056086\t//sha256su1 v6.16b,v4.16b,v5.16b\n\tld1\t{v16.4s},[x3],#16\n\tadd\tv17.4s,v17.4s,v7.4s\n.inst\t0x5e282887\t//sha256su0 v7.16b,v4.16b\n\torr\tv2.16b,v0.16b,v0.16b\n.inst\t0x5e114020\t//sha256h v0.16b,v1.16b,v17.4s\n.inst\t0x5e115041\t//sha256h2 v1.16b,v2.16b,v17.4s\n.inst\t0x5e0660a7\t//sha256su1 v7.16b,v5.16b,v6.16b\n\tld1\t{v17.4s},[x3],#16\n\tadd\tv16.4s,v16.4s,v4.4s\n.inst\t0x5e2828a4\t//sha256su0 v4.16b,v5.16b\n\torr\tv2.16b,v0.16b,v0.16b\n.inst\t0x5e104020\t//sha256h v0.16b,v1.16b,v16.4s\n.inst\t0x5e105041\t//sha256h2 v1.16b,v2.16b,v16.4s\n.inst\t0x5e0760c4\t//sha256su1 v4.16b,v6.16b,v7.16b\n\tld1\t{v16.4s},[x3],#16\n\tadd\tv17.4s,v17.4s,v5.4s\n.inst\t0x5e2828c5\t//sha256su0 v5.16b,v6.16b\n\torr\tv2.16b,v0.16b,v0.16b\n.inst\t0x5e114020\t//sha256h v0.16b,v1.16b,v17.4s\n.inst\t0x5e115041\t//sha256h2 v1.16b,v2.16b,v17.4s\n.inst\t0x5e0460e5\t//sha256su1 v5.16b,v7.16b,v4.16b\n\tld1\t{v17.4s},[x3],#16\n\tadd\tv16.4s,v16.4s,v6.4s\n.inst\t0x5e2828e6\t//sha256su0 v6.16b,v7.16b\n\torr\tv2.16b,v0.16b,v0.16b\n.inst\t0x5e104020\t//sha256h v0.16b,v1.16b,v16.4s\n.inst\t0x5e105041\t//sha256h2 v1.16b,v2.16b,v16.4s\n.inst\t0x5e056086\t//sha256su1 v6.16b,v4.16b,v5.16b\n\tld1\t{v16.4s},[x3],#16\n\tadd\tv17.4s,v17.4s,v7.4s\n.inst\t0x5e282887\t//sha256su0 v7.16b,v4.16b\n\torr\tv2.16b,v0.16b,v0.16b\n.inst\t0x5e114020\t//sha256h v0.16b,v1.16b,v17.4s\n.inst\t0x5e115041\t//sha256h2 v1.16b,v2.16b,v17.4s\n.inst\t0x5e0660a7\t//sha256su1 v7.16b,v5.16b,v6.16b\n\tld1\t{v17.4s},[x3],#16\n\tadd\tv16.4s,v16.4s,v4.4s\n\torr\tv2.16b,v0.16b,v0.16b\n.inst\t0x5e104020\t//sha256h v0.16b,v1.16b,v16.4s\n.inst\t0x5e105041\t//sha256h2 v1.16b,v2.16b,v16.4s\n\n\tld1\t{v16.4s},[x3],#16\n\tadd\tv17.4s,v17.4s,v5.4s\n\torr\tv2.16b,v0.16b,v0.16b\n.inst\t0x5e114020\t//sha256h v0.16b,v1.16b,v17.4s\n.inst\t0x5e115041\t//sha256h2 v1.16b,v2.16b,v17.4s\n\n\tld1\t{v17.4s},[x3]\n\tadd\tv16.4s,v16.4s,v6.4s\n\tsub\tx3,x3,#64*4-16\t// rewind\n\torr\tv2.16b,v0.16b,v0.16b\n.inst\t0x5e104020\t//sha256h v0.16b,v1.16b,v16.4s\n.inst\t0x5e105041\t//sha256h2 v1.16b,v2.16b,v16.4s\n\n\tadd\tv17.4s,v17.4s,v7.4s\n\torr\tv2.16b,v0.16b,v0.16b\n.inst\t0x5e114020\t//sha256h v0.16b,v1.16b,v17.4s\n.inst\t0x5e115041\t//sha256h2 v1.16b,v2.16b,v17.4s\n\n\tadd\tv0.4s,v0.4s,v18.4s\n\tadd\tv1.4s,v1.4s,v19.4s\n\n\tcbnz\tx2,.Loop_hw\n\n\tst1\t{v0.4s,v1.4s},[x0]\n\n\tldr\tx29,[sp],#16\n\tret\n.size\tsha256_block_data_order_hw,.-sha256_block_data_order_hw\n#endif\n#endif // !OPENSSL_NO_ASM && defined(OPENSSL_AARCH64) && defined(__ELF__)\n#if defined(__linux__) && defined(__ELF__)\n.section .note.GNU-stack,\"\",%progbits\n#endif\n\n" }, { "path": "Sources/CNIOBoringSSL/gen/bcm/sha256-armv8-win.S", "content": "#define BORINGSSL_PREFIX CNIOBoringSSL\n// This file is generated from a similarly-named Perl script in the BoringSSL\n// source tree. Do not edit by hand.\n\n#include \n\n#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_AARCH64) && defined(_WIN32)\n// Copyright 2014-2020 The OpenSSL Project Authors. All Rights Reserved.\n//\n// Licensed under the OpenSSL license (the \"License\"). You may not use\n// this file except in compliance with the License. You can obtain a copy\n// in the file LICENSE in the source distribution or at\n// https://www.openssl.org/source/license.html\n\n// ====================================================================\n// Written by Andy Polyakov for the OpenSSL\n// project. The module is, however, dual licensed under OpenSSL and\n// CRYPTOGAMS licenses depending on where you obtain it. For further\n// details see http://www.openssl.org/~appro/cryptogams/.\n//\n// Permission to use under GPLv2 terms is granted.\n// ====================================================================\n//\n// SHA256/512 for ARMv8.\n//\n// Performance in cycles per processed byte and improvement coefficient\n// over code generated with \"default\" compiler:\n//\n//\t\tSHA256-hw\tSHA256(*)\tSHA512\n// Apple A7\t1.97\t\t10.5 (+33%)\t6.73 (-1%(**))\n// Cortex-A53\t2.38\t\t15.5 (+115%)\t10.0 (+150%(***))\n// Cortex-A57\t2.31\t\t11.6 (+86%)\t7.51 (+260%(***))\n// Denver\t2.01\t\t10.5 (+26%)\t6.70 (+8%)\n// X-Gene\t\t\t20.0 (+100%)\t12.8 (+300%(***))\n// Mongoose\t2.36\t\t13.0 (+50%)\t8.36 (+33%)\n// Kryo\t\t1.92\t\t17.4 (+30%)\t11.2 (+8%)\n//\n// (*)\tSoftware SHA256 results are of lesser relevance, presented\n//\tmostly for informational purposes.\n// (**)\tThe result is a trade-off: it's possible to improve it by\n//\t10% (or by 1 cycle per round), but at the cost of 20% loss\n//\ton Cortex-A53 (or by 4 cycles per round).\n// (***)\tSuper-impressive coefficients over gcc-generated code are\n//\tindication of some compiler \"pathology\", most notably code\n//\tgenerated with -mgeneral-regs-only is significantly faster\n//\tand the gap is only 40-90%.\n\n#ifndef\t__KERNEL__\n# include \n#endif\n\n.text\n\n.globl\tsha256_block_data_order_nohw\n\n.def sha256_block_data_order_nohw\n .type 32\n.endef\n.align\t6\nsha256_block_data_order_nohw:\n\tAARCH64_SIGN_LINK_REGISTER\n\tstp\tx29,x30,[sp,#-128]!\n\tadd\tx29,sp,#0\n\n\tstp\tx19,x20,[sp,#16]\n\tstp\tx21,x22,[sp,#32]\n\tstp\tx23,x24,[sp,#48]\n\tstp\tx25,x26,[sp,#64]\n\tstp\tx27,x28,[sp,#80]\n\tsub\tsp,sp,#4*4\n\n\tldp\tw20,w21,[x0]\t\t\t\t// load context\n\tldp\tw22,w23,[x0,#2*4]\n\tldp\tw24,w25,[x0,#4*4]\n\tadd\tx2,x1,x2,lsl#6\t// end of input\n\tldp\tw26,w27,[x0,#6*4]\n\tadrp\tx30,LK256\n\tadd\tx30,x30,:lo12:LK256\n\tstp\tx0,x2,[x29,#96]\n\nLoop:\n\tldp\tw3,w4,[x1],#2*4\n\tldr\tw19,[x30],#4\t\t\t// *K++\n\teor\tw28,w21,w22\t\t\t\t// magic seed\n\tstr\tx1,[x29,#112]\n#ifndef\t__AARCH64EB__\n\trev\tw3,w3\t\t\t// 0\n#endif\n\tror\tw16,w24,#6\n\tadd\tw27,w27,w19\t\t\t// h+=K[i]\n\teor\tw6,w24,w24,ror#14\n\tand\tw17,w25,w24\n\tbic\tw19,w26,w24\n\tadd\tw27,w27,w3\t\t\t// h+=X[i]\n\torr\tw17,w17,w19\t\t\t// Ch(e,f,g)\n\teor\tw19,w20,w21\t\t\t// a^b, b^c in next round\n\teor\tw16,w16,w6,ror#11\t// Sigma1(e)\n\tror\tw6,w20,#2\n\tadd\tw27,w27,w17\t\t\t// h+=Ch(e,f,g)\n\teor\tw17,w20,w20,ror#9\n\tadd\tw27,w27,w16\t\t\t// h+=Sigma1(e)\n\tand\tw28,w28,w19\t\t\t// (b^c)&=(a^b)\n\tadd\tw23,w23,w27\t\t\t// d+=h\n\teor\tw28,w28,w21\t\t\t// Maj(a,b,c)\n\teor\tw17,w6,w17,ror#13\t// Sigma0(a)\n\tadd\tw27,w27,w28\t\t\t// h+=Maj(a,b,c)\n\tldr\tw28,[x30],#4\t\t// *K++, w19 in next round\n\t//add\tw27,w27,w17\t\t\t// h+=Sigma0(a)\n#ifndef\t__AARCH64EB__\n\trev\tw4,w4\t\t\t// 1\n#endif\n\tldp\tw5,w6,[x1],#2*4\n\tadd\tw27,w27,w17\t\t\t// h+=Sigma0(a)\n\tror\tw16,w23,#6\n\tadd\tw26,w26,w28\t\t\t// h+=K[i]\n\teor\tw7,w23,w23,ror#14\n\tand\tw17,w24,w23\n\tbic\tw28,w25,w23\n\tadd\tw26,w26,w4\t\t\t// h+=X[i]\n\torr\tw17,w17,w28\t\t\t// Ch(e,f,g)\n\teor\tw28,w27,w20\t\t\t// a^b, b^c in next round\n\teor\tw16,w16,w7,ror#11\t// Sigma1(e)\n\tror\tw7,w27,#2\n\tadd\tw26,w26,w17\t\t\t// h+=Ch(e,f,g)\n\teor\tw17,w27,w27,ror#9\n\tadd\tw26,w26,w16\t\t\t// h+=Sigma1(e)\n\tand\tw19,w19,w28\t\t\t// (b^c)&=(a^b)\n\tadd\tw22,w22,w26\t\t\t// d+=h\n\teor\tw19,w19,w20\t\t\t// Maj(a,b,c)\n\teor\tw17,w7,w17,ror#13\t// Sigma0(a)\n\tadd\tw26,w26,w19\t\t\t// h+=Maj(a,b,c)\n\tldr\tw19,[x30],#4\t\t// *K++, w28 in next round\n\t//add\tw26,w26,w17\t\t\t// h+=Sigma0(a)\n#ifndef\t__AARCH64EB__\n\trev\tw5,w5\t\t\t// 2\n#endif\n\tadd\tw26,w26,w17\t\t\t// h+=Sigma0(a)\n\tror\tw16,w22,#6\n\tadd\tw25,w25,w19\t\t\t// h+=K[i]\n\teor\tw8,w22,w22,ror#14\n\tand\tw17,w23,w22\n\tbic\tw19,w24,w22\n\tadd\tw25,w25,w5\t\t\t// h+=X[i]\n\torr\tw17,w17,w19\t\t\t// Ch(e,f,g)\n\teor\tw19,w26,w27\t\t\t// a^b, b^c in next round\n\teor\tw16,w16,w8,ror#11\t// Sigma1(e)\n\tror\tw8,w26,#2\n\tadd\tw25,w25,w17\t\t\t// h+=Ch(e,f,g)\n\teor\tw17,w26,w26,ror#9\n\tadd\tw25,w25,w16\t\t\t// h+=Sigma1(e)\n\tand\tw28,w28,w19\t\t\t// (b^c)&=(a^b)\n\tadd\tw21,w21,w25\t\t\t// d+=h\n\teor\tw28,w28,w27\t\t\t// Maj(a,b,c)\n\teor\tw17,w8,w17,ror#13\t// Sigma0(a)\n\tadd\tw25,w25,w28\t\t\t// h+=Maj(a,b,c)\n\tldr\tw28,[x30],#4\t\t// *K++, w19 in next round\n\t//add\tw25,w25,w17\t\t\t// h+=Sigma0(a)\n#ifndef\t__AARCH64EB__\n\trev\tw6,w6\t\t\t// 3\n#endif\n\tldp\tw7,w8,[x1],#2*4\n\tadd\tw25,w25,w17\t\t\t// h+=Sigma0(a)\n\tror\tw16,w21,#6\n\tadd\tw24,w24,w28\t\t\t// h+=K[i]\n\teor\tw9,w21,w21,ror#14\n\tand\tw17,w22,w21\n\tbic\tw28,w23,w21\n\tadd\tw24,w24,w6\t\t\t// h+=X[i]\n\torr\tw17,w17,w28\t\t\t// Ch(e,f,g)\n\teor\tw28,w25,w26\t\t\t// a^b, b^c in next round\n\teor\tw16,w16,w9,ror#11\t// Sigma1(e)\n\tror\tw9,w25,#2\n\tadd\tw24,w24,w17\t\t\t// h+=Ch(e,f,g)\n\teor\tw17,w25,w25,ror#9\n\tadd\tw24,w24,w16\t\t\t// h+=Sigma1(e)\n\tand\tw19,w19,w28\t\t\t// (b^c)&=(a^b)\n\tadd\tw20,w20,w24\t\t\t// d+=h\n\teor\tw19,w19,w26\t\t\t// Maj(a,b,c)\n\teor\tw17,w9,w17,ror#13\t// Sigma0(a)\n\tadd\tw24,w24,w19\t\t\t// h+=Maj(a,b,c)\n\tldr\tw19,[x30],#4\t\t// *K++, w28 in next round\n\t//add\tw24,w24,w17\t\t\t// h+=Sigma0(a)\n#ifndef\t__AARCH64EB__\n\trev\tw7,w7\t\t\t// 4\n#endif\n\tadd\tw24,w24,w17\t\t\t// h+=Sigma0(a)\n\tror\tw16,w20,#6\n\tadd\tw23,w23,w19\t\t\t// h+=K[i]\n\teor\tw10,w20,w20,ror#14\n\tand\tw17,w21,w20\n\tbic\tw19,w22,w20\n\tadd\tw23,w23,w7\t\t\t// h+=X[i]\n\torr\tw17,w17,w19\t\t\t// Ch(e,f,g)\n\teor\tw19,w24,w25\t\t\t// a^b, b^c in next round\n\teor\tw16,w16,w10,ror#11\t// Sigma1(e)\n\tror\tw10,w24,#2\n\tadd\tw23,w23,w17\t\t\t// h+=Ch(e,f,g)\n\teor\tw17,w24,w24,ror#9\n\tadd\tw23,w23,w16\t\t\t// h+=Sigma1(e)\n\tand\tw28,w28,w19\t\t\t// (b^c)&=(a^b)\n\tadd\tw27,w27,w23\t\t\t// d+=h\n\teor\tw28,w28,w25\t\t\t// Maj(a,b,c)\n\teor\tw17,w10,w17,ror#13\t// Sigma0(a)\n\tadd\tw23,w23,w28\t\t\t// h+=Maj(a,b,c)\n\tldr\tw28,[x30],#4\t\t// *K++, w19 in next round\n\t//add\tw23,w23,w17\t\t\t// h+=Sigma0(a)\n#ifndef\t__AARCH64EB__\n\trev\tw8,w8\t\t\t// 5\n#endif\n\tldp\tw9,w10,[x1],#2*4\n\tadd\tw23,w23,w17\t\t\t// h+=Sigma0(a)\n\tror\tw16,w27,#6\n\tadd\tw22,w22,w28\t\t\t// h+=K[i]\n\teor\tw11,w27,w27,ror#14\n\tand\tw17,w20,w27\n\tbic\tw28,w21,w27\n\tadd\tw22,w22,w8\t\t\t// h+=X[i]\n\torr\tw17,w17,w28\t\t\t// Ch(e,f,g)\n\teor\tw28,w23,w24\t\t\t// a^b, b^c in next round\n\teor\tw16,w16,w11,ror#11\t// Sigma1(e)\n\tror\tw11,w23,#2\n\tadd\tw22,w22,w17\t\t\t// h+=Ch(e,f,g)\n\teor\tw17,w23,w23,ror#9\n\tadd\tw22,w22,w16\t\t\t// h+=Sigma1(e)\n\tand\tw19,w19,w28\t\t\t// (b^c)&=(a^b)\n\tadd\tw26,w26,w22\t\t\t// d+=h\n\teor\tw19,w19,w24\t\t\t// Maj(a,b,c)\n\teor\tw17,w11,w17,ror#13\t// Sigma0(a)\n\tadd\tw22,w22,w19\t\t\t// h+=Maj(a,b,c)\n\tldr\tw19,[x30],#4\t\t// *K++, w28 in next round\n\t//add\tw22,w22,w17\t\t\t// h+=Sigma0(a)\n#ifndef\t__AARCH64EB__\n\trev\tw9,w9\t\t\t// 6\n#endif\n\tadd\tw22,w22,w17\t\t\t// h+=Sigma0(a)\n\tror\tw16,w26,#6\n\tadd\tw21,w21,w19\t\t\t// h+=K[i]\n\teor\tw12,w26,w26,ror#14\n\tand\tw17,w27,w26\n\tbic\tw19,w20,w26\n\tadd\tw21,w21,w9\t\t\t// h+=X[i]\n\torr\tw17,w17,w19\t\t\t// Ch(e,f,g)\n\teor\tw19,w22,w23\t\t\t// a^b, b^c in next round\n\teor\tw16,w16,w12,ror#11\t// Sigma1(e)\n\tror\tw12,w22,#2\n\tadd\tw21,w21,w17\t\t\t// h+=Ch(e,f,g)\n\teor\tw17,w22,w22,ror#9\n\tadd\tw21,w21,w16\t\t\t// h+=Sigma1(e)\n\tand\tw28,w28,w19\t\t\t// (b^c)&=(a^b)\n\tadd\tw25,w25,w21\t\t\t// d+=h\n\teor\tw28,w28,w23\t\t\t// Maj(a,b,c)\n\teor\tw17,w12,w17,ror#13\t// Sigma0(a)\n\tadd\tw21,w21,w28\t\t\t// h+=Maj(a,b,c)\n\tldr\tw28,[x30],#4\t\t// *K++, w19 in next round\n\t//add\tw21,w21,w17\t\t\t// h+=Sigma0(a)\n#ifndef\t__AARCH64EB__\n\trev\tw10,w10\t\t\t// 7\n#endif\n\tldp\tw11,w12,[x1],#2*4\n\tadd\tw21,w21,w17\t\t\t// h+=Sigma0(a)\n\tror\tw16,w25,#6\n\tadd\tw20,w20,w28\t\t\t// h+=K[i]\n\teor\tw13,w25,w25,ror#14\n\tand\tw17,w26,w25\n\tbic\tw28,w27,w25\n\tadd\tw20,w20,w10\t\t\t// h+=X[i]\n\torr\tw17,w17,w28\t\t\t// Ch(e,f,g)\n\teor\tw28,w21,w22\t\t\t// a^b, b^c in next round\n\teor\tw16,w16,w13,ror#11\t// Sigma1(e)\n\tror\tw13,w21,#2\n\tadd\tw20,w20,w17\t\t\t// h+=Ch(e,f,g)\n\teor\tw17,w21,w21,ror#9\n\tadd\tw20,w20,w16\t\t\t// h+=Sigma1(e)\n\tand\tw19,w19,w28\t\t\t// (b^c)&=(a^b)\n\tadd\tw24,w24,w20\t\t\t// d+=h\n\teor\tw19,w19,w22\t\t\t// Maj(a,b,c)\n\teor\tw17,w13,w17,ror#13\t// Sigma0(a)\n\tadd\tw20,w20,w19\t\t\t// h+=Maj(a,b,c)\n\tldr\tw19,[x30],#4\t\t// *K++, w28 in next round\n\t//add\tw20,w20,w17\t\t\t// h+=Sigma0(a)\n#ifndef\t__AARCH64EB__\n\trev\tw11,w11\t\t\t// 8\n#endif\n\tadd\tw20,w20,w17\t\t\t// h+=Sigma0(a)\n\tror\tw16,w24,#6\n\tadd\tw27,w27,w19\t\t\t// h+=K[i]\n\teor\tw14,w24,w24,ror#14\n\tand\tw17,w25,w24\n\tbic\tw19,w26,w24\n\tadd\tw27,w27,w11\t\t\t// h+=X[i]\n\torr\tw17,w17,w19\t\t\t// Ch(e,f,g)\n\teor\tw19,w20,w21\t\t\t// a^b, b^c in next round\n\teor\tw16,w16,w14,ror#11\t// Sigma1(e)\n\tror\tw14,w20,#2\n\tadd\tw27,w27,w17\t\t\t// h+=Ch(e,f,g)\n\teor\tw17,w20,w20,ror#9\n\tadd\tw27,w27,w16\t\t\t// h+=Sigma1(e)\n\tand\tw28,w28,w19\t\t\t// (b^c)&=(a^b)\n\tadd\tw23,w23,w27\t\t\t// d+=h\n\teor\tw28,w28,w21\t\t\t// Maj(a,b,c)\n\teor\tw17,w14,w17,ror#13\t// Sigma0(a)\n\tadd\tw27,w27,w28\t\t\t// h+=Maj(a,b,c)\n\tldr\tw28,[x30],#4\t\t// *K++, w19 in next round\n\t//add\tw27,w27,w17\t\t\t// h+=Sigma0(a)\n#ifndef\t__AARCH64EB__\n\trev\tw12,w12\t\t\t// 9\n#endif\n\tldp\tw13,w14,[x1],#2*4\n\tadd\tw27,w27,w17\t\t\t// h+=Sigma0(a)\n\tror\tw16,w23,#6\n\tadd\tw26,w26,w28\t\t\t// h+=K[i]\n\teor\tw15,w23,w23,ror#14\n\tand\tw17,w24,w23\n\tbic\tw28,w25,w23\n\tadd\tw26,w26,w12\t\t\t// h+=X[i]\n\torr\tw17,w17,w28\t\t\t// Ch(e,f,g)\n\teor\tw28,w27,w20\t\t\t// a^b, b^c in next round\n\teor\tw16,w16,w15,ror#11\t// Sigma1(e)\n\tror\tw15,w27,#2\n\tadd\tw26,w26,w17\t\t\t// h+=Ch(e,f,g)\n\teor\tw17,w27,w27,ror#9\n\tadd\tw26,w26,w16\t\t\t// h+=Sigma1(e)\n\tand\tw19,w19,w28\t\t\t// (b^c)&=(a^b)\n\tadd\tw22,w22,w26\t\t\t// d+=h\n\teor\tw19,w19,w20\t\t\t// Maj(a,b,c)\n\teor\tw17,w15,w17,ror#13\t// Sigma0(a)\n\tadd\tw26,w26,w19\t\t\t// h+=Maj(a,b,c)\n\tldr\tw19,[x30],#4\t\t// *K++, w28 in next round\n\t//add\tw26,w26,w17\t\t\t// h+=Sigma0(a)\n#ifndef\t__AARCH64EB__\n\trev\tw13,w13\t\t\t// 10\n#endif\n\tadd\tw26,w26,w17\t\t\t// h+=Sigma0(a)\n\tror\tw16,w22,#6\n\tadd\tw25,w25,w19\t\t\t// h+=K[i]\n\teor\tw0,w22,w22,ror#14\n\tand\tw17,w23,w22\n\tbic\tw19,w24,w22\n\tadd\tw25,w25,w13\t\t\t// h+=X[i]\n\torr\tw17,w17,w19\t\t\t// Ch(e,f,g)\n\teor\tw19,w26,w27\t\t\t// a^b, b^c in next round\n\teor\tw16,w16,w0,ror#11\t// Sigma1(e)\n\tror\tw0,w26,#2\n\tadd\tw25,w25,w17\t\t\t// h+=Ch(e,f,g)\n\teor\tw17,w26,w26,ror#9\n\tadd\tw25,w25,w16\t\t\t// h+=Sigma1(e)\n\tand\tw28,w28,w19\t\t\t// (b^c)&=(a^b)\n\tadd\tw21,w21,w25\t\t\t// d+=h\n\teor\tw28,w28,w27\t\t\t// Maj(a,b,c)\n\teor\tw17,w0,w17,ror#13\t// Sigma0(a)\n\tadd\tw25,w25,w28\t\t\t// h+=Maj(a,b,c)\n\tldr\tw28,[x30],#4\t\t// *K++, w19 in next round\n\t//add\tw25,w25,w17\t\t\t// h+=Sigma0(a)\n#ifndef\t__AARCH64EB__\n\trev\tw14,w14\t\t\t// 11\n#endif\n\tldp\tw15,w0,[x1],#2*4\n\tadd\tw25,w25,w17\t\t\t// h+=Sigma0(a)\n\tstr\tw6,[sp,#12]\n\tror\tw16,w21,#6\n\tadd\tw24,w24,w28\t\t\t// h+=K[i]\n\teor\tw6,w21,w21,ror#14\n\tand\tw17,w22,w21\n\tbic\tw28,w23,w21\n\tadd\tw24,w24,w14\t\t\t// h+=X[i]\n\torr\tw17,w17,w28\t\t\t// Ch(e,f,g)\n\teor\tw28,w25,w26\t\t\t// a^b, b^c in next round\n\teor\tw16,w16,w6,ror#11\t// Sigma1(e)\n\tror\tw6,w25,#2\n\tadd\tw24,w24,w17\t\t\t// h+=Ch(e,f,g)\n\teor\tw17,w25,w25,ror#9\n\tadd\tw24,w24,w16\t\t\t// h+=Sigma1(e)\n\tand\tw19,w19,w28\t\t\t// (b^c)&=(a^b)\n\tadd\tw20,w20,w24\t\t\t// d+=h\n\teor\tw19,w19,w26\t\t\t// Maj(a,b,c)\n\teor\tw17,w6,w17,ror#13\t// Sigma0(a)\n\tadd\tw24,w24,w19\t\t\t// h+=Maj(a,b,c)\n\tldr\tw19,[x30],#4\t\t// *K++, w28 in next round\n\t//add\tw24,w24,w17\t\t\t// h+=Sigma0(a)\n#ifndef\t__AARCH64EB__\n\trev\tw15,w15\t\t\t// 12\n#endif\n\tadd\tw24,w24,w17\t\t\t// h+=Sigma0(a)\n\tstr\tw7,[sp,#0]\n\tror\tw16,w20,#6\n\tadd\tw23,w23,w19\t\t\t// h+=K[i]\n\teor\tw7,w20,w20,ror#14\n\tand\tw17,w21,w20\n\tbic\tw19,w22,w20\n\tadd\tw23,w23,w15\t\t\t// h+=X[i]\n\torr\tw17,w17,w19\t\t\t// Ch(e,f,g)\n\teor\tw19,w24,w25\t\t\t// a^b, b^c in next round\n\teor\tw16,w16,w7,ror#11\t// Sigma1(e)\n\tror\tw7,w24,#2\n\tadd\tw23,w23,w17\t\t\t// h+=Ch(e,f,g)\n\teor\tw17,w24,w24,ror#9\n\tadd\tw23,w23,w16\t\t\t// h+=Sigma1(e)\n\tand\tw28,w28,w19\t\t\t// (b^c)&=(a^b)\n\tadd\tw27,w27,w23\t\t\t// d+=h\n\teor\tw28,w28,w25\t\t\t// Maj(a,b,c)\n\teor\tw17,w7,w17,ror#13\t// Sigma0(a)\n\tadd\tw23,w23,w28\t\t\t// h+=Maj(a,b,c)\n\tldr\tw28,[x30],#4\t\t// *K++, w19 in next round\n\t//add\tw23,w23,w17\t\t\t// h+=Sigma0(a)\n#ifndef\t__AARCH64EB__\n\trev\tw0,w0\t\t\t// 13\n#endif\n\tldp\tw1,w2,[x1]\n\tadd\tw23,w23,w17\t\t\t// h+=Sigma0(a)\n\tstr\tw8,[sp,#4]\n\tror\tw16,w27,#6\n\tadd\tw22,w22,w28\t\t\t// h+=K[i]\n\teor\tw8,w27,w27,ror#14\n\tand\tw17,w20,w27\n\tbic\tw28,w21,w27\n\tadd\tw22,w22,w0\t\t\t// h+=X[i]\n\torr\tw17,w17,w28\t\t\t// Ch(e,f,g)\n\teor\tw28,w23,w24\t\t\t// a^b, b^c in next round\n\teor\tw16,w16,w8,ror#11\t// Sigma1(e)\n\tror\tw8,w23,#2\n\tadd\tw22,w22,w17\t\t\t// h+=Ch(e,f,g)\n\teor\tw17,w23,w23,ror#9\n\tadd\tw22,w22,w16\t\t\t// h+=Sigma1(e)\n\tand\tw19,w19,w28\t\t\t// (b^c)&=(a^b)\n\tadd\tw26,w26,w22\t\t\t// d+=h\n\teor\tw19,w19,w24\t\t\t// Maj(a,b,c)\n\teor\tw17,w8,w17,ror#13\t// Sigma0(a)\n\tadd\tw22,w22,w19\t\t\t// h+=Maj(a,b,c)\n\tldr\tw19,[x30],#4\t\t// *K++, w28 in next round\n\t//add\tw22,w22,w17\t\t\t// h+=Sigma0(a)\n#ifndef\t__AARCH64EB__\n\trev\tw1,w1\t\t\t// 14\n#endif\n\tldr\tw6,[sp,#12]\n\tadd\tw22,w22,w17\t\t\t// h+=Sigma0(a)\n\tstr\tw9,[sp,#8]\n\tror\tw16,w26,#6\n\tadd\tw21,w21,w19\t\t\t// h+=K[i]\n\teor\tw9,w26,w26,ror#14\n\tand\tw17,w27,w26\n\tbic\tw19,w20,w26\n\tadd\tw21,w21,w1\t\t\t// h+=X[i]\n\torr\tw17,w17,w19\t\t\t// Ch(e,f,g)\n\teor\tw19,w22,w23\t\t\t// a^b, b^c in next round\n\teor\tw16,w16,w9,ror#11\t// Sigma1(e)\n\tror\tw9,w22,#2\n\tadd\tw21,w21,w17\t\t\t// h+=Ch(e,f,g)\n\teor\tw17,w22,w22,ror#9\n\tadd\tw21,w21,w16\t\t\t// h+=Sigma1(e)\n\tand\tw28,w28,w19\t\t\t// (b^c)&=(a^b)\n\tadd\tw25,w25,w21\t\t\t// d+=h\n\teor\tw28,w28,w23\t\t\t// Maj(a,b,c)\n\teor\tw17,w9,w17,ror#13\t// Sigma0(a)\n\tadd\tw21,w21,w28\t\t\t// h+=Maj(a,b,c)\n\tldr\tw28,[x30],#4\t\t// *K++, w19 in next round\n\t//add\tw21,w21,w17\t\t\t// h+=Sigma0(a)\n#ifndef\t__AARCH64EB__\n\trev\tw2,w2\t\t\t// 15\n#endif\n\tldr\tw7,[sp,#0]\n\tadd\tw21,w21,w17\t\t\t// h+=Sigma0(a)\n\tstr\tw10,[sp,#12]\n\tror\tw16,w25,#6\n\tadd\tw20,w20,w28\t\t\t// h+=K[i]\n\tror\tw9,w4,#7\n\tand\tw17,w26,w25\n\tror\tw8,w1,#17\n\tbic\tw28,w27,w25\n\tror\tw10,w21,#2\n\tadd\tw20,w20,w2\t\t\t// h+=X[i]\n\teor\tw16,w16,w25,ror#11\n\teor\tw9,w9,w4,ror#18\n\torr\tw17,w17,w28\t\t\t// Ch(e,f,g)\n\teor\tw28,w21,w22\t\t\t// a^b, b^c in next round\n\teor\tw16,w16,w25,ror#25\t// Sigma1(e)\n\teor\tw10,w10,w21,ror#13\n\tadd\tw20,w20,w17\t\t\t// h+=Ch(e,f,g)\n\tand\tw19,w19,w28\t\t\t// (b^c)&=(a^b)\n\teor\tw8,w8,w1,ror#19\n\teor\tw9,w9,w4,lsr#3\t// sigma0(X[i+1])\n\tadd\tw20,w20,w16\t\t\t// h+=Sigma1(e)\n\teor\tw19,w19,w22\t\t\t// Maj(a,b,c)\n\teor\tw17,w10,w21,ror#22\t// Sigma0(a)\n\teor\tw8,w8,w1,lsr#10\t// sigma1(X[i+14])\n\tadd\tw3,w3,w12\n\tadd\tw24,w24,w20\t\t\t// d+=h\n\tadd\tw20,w20,w19\t\t\t// h+=Maj(a,b,c)\n\tldr\tw19,[x30],#4\t\t// *K++, w28 in next round\n\tadd\tw3,w3,w9\n\tadd\tw20,w20,w17\t\t\t// h+=Sigma0(a)\n\tadd\tw3,w3,w8\nLoop_16_xx:\n\tldr\tw8,[sp,#4]\n\tstr\tw11,[sp,#0]\n\tror\tw16,w24,#6\n\tadd\tw27,w27,w19\t\t\t// h+=K[i]\n\tror\tw10,w5,#7\n\tand\tw17,w25,w24\n\tror\tw9,w2,#17\n\tbic\tw19,w26,w24\n\tror\tw11,w20,#2\n\tadd\tw27,w27,w3\t\t\t// h+=X[i]\n\teor\tw16,w16,w24,ror#11\n\teor\tw10,w10,w5,ror#18\n\torr\tw17,w17,w19\t\t\t// Ch(e,f,g)\n\teor\tw19,w20,w21\t\t\t// a^b, b^c in next round\n\teor\tw16,w16,w24,ror#25\t// Sigma1(e)\n\teor\tw11,w11,w20,ror#13\n\tadd\tw27,w27,w17\t\t\t// h+=Ch(e,f,g)\n\tand\tw28,w28,w19\t\t\t// (b^c)&=(a^b)\n\teor\tw9,w9,w2,ror#19\n\teor\tw10,w10,w5,lsr#3\t// sigma0(X[i+1])\n\tadd\tw27,w27,w16\t\t\t// h+=Sigma1(e)\n\teor\tw28,w28,w21\t\t\t// Maj(a,b,c)\n\teor\tw17,w11,w20,ror#22\t// Sigma0(a)\n\teor\tw9,w9,w2,lsr#10\t// sigma1(X[i+14])\n\tadd\tw4,w4,w13\n\tadd\tw23,w23,w27\t\t\t// d+=h\n\tadd\tw27,w27,w28\t\t\t// h+=Maj(a,b,c)\n\tldr\tw28,[x30],#4\t\t// *K++, w19 in next round\n\tadd\tw4,w4,w10\n\tadd\tw27,w27,w17\t\t\t// h+=Sigma0(a)\n\tadd\tw4,w4,w9\n\tldr\tw9,[sp,#8]\n\tstr\tw12,[sp,#4]\n\tror\tw16,w23,#6\n\tadd\tw26,w26,w28\t\t\t// h+=K[i]\n\tror\tw11,w6,#7\n\tand\tw17,w24,w23\n\tror\tw10,w3,#17\n\tbic\tw28,w25,w23\n\tror\tw12,w27,#2\n\tadd\tw26,w26,w4\t\t\t// h+=X[i]\n\teor\tw16,w16,w23,ror#11\n\teor\tw11,w11,w6,ror#18\n\torr\tw17,w17,w28\t\t\t// Ch(e,f,g)\n\teor\tw28,w27,w20\t\t\t// a^b, b^c in next round\n\teor\tw16,w16,w23,ror#25\t// Sigma1(e)\n\teor\tw12,w12,w27,ror#13\n\tadd\tw26,w26,w17\t\t\t// h+=Ch(e,f,g)\n\tand\tw19,w19,w28\t\t\t// (b^c)&=(a^b)\n\teor\tw10,w10,w3,ror#19\n\teor\tw11,w11,w6,lsr#3\t// sigma0(X[i+1])\n\tadd\tw26,w26,w16\t\t\t// h+=Sigma1(e)\n\teor\tw19,w19,w20\t\t\t// Maj(a,b,c)\n\teor\tw17,w12,w27,ror#22\t// Sigma0(a)\n\teor\tw10,w10,w3,lsr#10\t// sigma1(X[i+14])\n\tadd\tw5,w5,w14\n\tadd\tw22,w22,w26\t\t\t// d+=h\n\tadd\tw26,w26,w19\t\t\t// h+=Maj(a,b,c)\n\tldr\tw19,[x30],#4\t\t// *K++, w28 in next round\n\tadd\tw5,w5,w11\n\tadd\tw26,w26,w17\t\t\t// h+=Sigma0(a)\n\tadd\tw5,w5,w10\n\tldr\tw10,[sp,#12]\n\tstr\tw13,[sp,#8]\n\tror\tw16,w22,#6\n\tadd\tw25,w25,w19\t\t\t// h+=K[i]\n\tror\tw12,w7,#7\n\tand\tw17,w23,w22\n\tror\tw11,w4,#17\n\tbic\tw19,w24,w22\n\tror\tw13,w26,#2\n\tadd\tw25,w25,w5\t\t\t// h+=X[i]\n\teor\tw16,w16,w22,ror#11\n\teor\tw12,w12,w7,ror#18\n\torr\tw17,w17,w19\t\t\t// Ch(e,f,g)\n\teor\tw19,w26,w27\t\t\t// a^b, b^c in next round\n\teor\tw16,w16,w22,ror#25\t// Sigma1(e)\n\teor\tw13,w13,w26,ror#13\n\tadd\tw25,w25,w17\t\t\t// h+=Ch(e,f,g)\n\tand\tw28,w28,w19\t\t\t// (b^c)&=(a^b)\n\teor\tw11,w11,w4,ror#19\n\teor\tw12,w12,w7,lsr#3\t// sigma0(X[i+1])\n\tadd\tw25,w25,w16\t\t\t// h+=Sigma1(e)\n\teor\tw28,w28,w27\t\t\t// Maj(a,b,c)\n\teor\tw17,w13,w26,ror#22\t// Sigma0(a)\n\teor\tw11,w11,w4,lsr#10\t// sigma1(X[i+14])\n\tadd\tw6,w6,w15\n\tadd\tw21,w21,w25\t\t\t// d+=h\n\tadd\tw25,w25,w28\t\t\t// h+=Maj(a,b,c)\n\tldr\tw28,[x30],#4\t\t// *K++, w19 in next round\n\tadd\tw6,w6,w12\n\tadd\tw25,w25,w17\t\t\t// h+=Sigma0(a)\n\tadd\tw6,w6,w11\n\tldr\tw11,[sp,#0]\n\tstr\tw14,[sp,#12]\n\tror\tw16,w21,#6\n\tadd\tw24,w24,w28\t\t\t// h+=K[i]\n\tror\tw13,w8,#7\n\tand\tw17,w22,w21\n\tror\tw12,w5,#17\n\tbic\tw28,w23,w21\n\tror\tw14,w25,#2\n\tadd\tw24,w24,w6\t\t\t// h+=X[i]\n\teor\tw16,w16,w21,ror#11\n\teor\tw13,w13,w8,ror#18\n\torr\tw17,w17,w28\t\t\t// Ch(e,f,g)\n\teor\tw28,w25,w26\t\t\t// a^b, b^c in next round\n\teor\tw16,w16,w21,ror#25\t// Sigma1(e)\n\teor\tw14,w14,w25,ror#13\n\tadd\tw24,w24,w17\t\t\t// h+=Ch(e,f,g)\n\tand\tw19,w19,w28\t\t\t// (b^c)&=(a^b)\n\teor\tw12,w12,w5,ror#19\n\teor\tw13,w13,w8,lsr#3\t// sigma0(X[i+1])\n\tadd\tw24,w24,w16\t\t\t// h+=Sigma1(e)\n\teor\tw19,w19,w26\t\t\t// Maj(a,b,c)\n\teor\tw17,w14,w25,ror#22\t// Sigma0(a)\n\teor\tw12,w12,w5,lsr#10\t// sigma1(X[i+14])\n\tadd\tw7,w7,w0\n\tadd\tw20,w20,w24\t\t\t// d+=h\n\tadd\tw24,w24,w19\t\t\t// h+=Maj(a,b,c)\n\tldr\tw19,[x30],#4\t\t// *K++, w28 in next round\n\tadd\tw7,w7,w13\n\tadd\tw24,w24,w17\t\t\t// h+=Sigma0(a)\n\tadd\tw7,w7,w12\n\tldr\tw12,[sp,#4]\n\tstr\tw15,[sp,#0]\n\tror\tw16,w20,#6\n\tadd\tw23,w23,w19\t\t\t// h+=K[i]\n\tror\tw14,w9,#7\n\tand\tw17,w21,w20\n\tror\tw13,w6,#17\n\tbic\tw19,w22,w20\n\tror\tw15,w24,#2\n\tadd\tw23,w23,w7\t\t\t// h+=X[i]\n\teor\tw16,w16,w20,ror#11\n\teor\tw14,w14,w9,ror#18\n\torr\tw17,w17,w19\t\t\t// Ch(e,f,g)\n\teor\tw19,w24,w25\t\t\t// a^b, b^c in next round\n\teor\tw16,w16,w20,ror#25\t// Sigma1(e)\n\teor\tw15,w15,w24,ror#13\n\tadd\tw23,w23,w17\t\t\t// h+=Ch(e,f,g)\n\tand\tw28,w28,w19\t\t\t// (b^c)&=(a^b)\n\teor\tw13,w13,w6,ror#19\n\teor\tw14,w14,w9,lsr#3\t// sigma0(X[i+1])\n\tadd\tw23,w23,w16\t\t\t// h+=Sigma1(e)\n\teor\tw28,w28,w25\t\t\t// Maj(a,b,c)\n\teor\tw17,w15,w24,ror#22\t// Sigma0(a)\n\teor\tw13,w13,w6,lsr#10\t// sigma1(X[i+14])\n\tadd\tw8,w8,w1\n\tadd\tw27,w27,w23\t\t\t// d+=h\n\tadd\tw23,w23,w28\t\t\t// h+=Maj(a,b,c)\n\tldr\tw28,[x30],#4\t\t// *K++, w19 in next round\n\tadd\tw8,w8,w14\n\tadd\tw23,w23,w17\t\t\t// h+=Sigma0(a)\n\tadd\tw8,w8,w13\n\tldr\tw13,[sp,#8]\n\tstr\tw0,[sp,#4]\n\tror\tw16,w27,#6\n\tadd\tw22,w22,w28\t\t\t// h+=K[i]\n\tror\tw15,w10,#7\n\tand\tw17,w20,w27\n\tror\tw14,w7,#17\n\tbic\tw28,w21,w27\n\tror\tw0,w23,#2\n\tadd\tw22,w22,w8\t\t\t// h+=X[i]\n\teor\tw16,w16,w27,ror#11\n\teor\tw15,w15,w10,ror#18\n\torr\tw17,w17,w28\t\t\t// Ch(e,f,g)\n\teor\tw28,w23,w24\t\t\t// a^b, b^c in next round\n\teor\tw16,w16,w27,ror#25\t// Sigma1(e)\n\teor\tw0,w0,w23,ror#13\n\tadd\tw22,w22,w17\t\t\t// h+=Ch(e,f,g)\n\tand\tw19,w19,w28\t\t\t// (b^c)&=(a^b)\n\teor\tw14,w14,w7,ror#19\n\teor\tw15,w15,w10,lsr#3\t// sigma0(X[i+1])\n\tadd\tw22,w22,w16\t\t\t// h+=Sigma1(e)\n\teor\tw19,w19,w24\t\t\t// Maj(a,b,c)\n\teor\tw17,w0,w23,ror#22\t// Sigma0(a)\n\teor\tw14,w14,w7,lsr#10\t// sigma1(X[i+14])\n\tadd\tw9,w9,w2\n\tadd\tw26,w26,w22\t\t\t// d+=h\n\tadd\tw22,w22,w19\t\t\t// h+=Maj(a,b,c)\n\tldr\tw19,[x30],#4\t\t// *K++, w28 in next round\n\tadd\tw9,w9,w15\n\tadd\tw22,w22,w17\t\t\t// h+=Sigma0(a)\n\tadd\tw9,w9,w14\n\tldr\tw14,[sp,#12]\n\tstr\tw1,[sp,#8]\n\tror\tw16,w26,#6\n\tadd\tw21,w21,w19\t\t\t// h+=K[i]\n\tror\tw0,w11,#7\n\tand\tw17,w27,w26\n\tror\tw15,w8,#17\n\tbic\tw19,w20,w26\n\tror\tw1,w22,#2\n\tadd\tw21,w21,w9\t\t\t// h+=X[i]\n\teor\tw16,w16,w26,ror#11\n\teor\tw0,w0,w11,ror#18\n\torr\tw17,w17,w19\t\t\t// Ch(e,f,g)\n\teor\tw19,w22,w23\t\t\t// a^b, b^c in next round\n\teor\tw16,w16,w26,ror#25\t// Sigma1(e)\n\teor\tw1,w1,w22,ror#13\n\tadd\tw21,w21,w17\t\t\t// h+=Ch(e,f,g)\n\tand\tw28,w28,w19\t\t\t// (b^c)&=(a^b)\n\teor\tw15,w15,w8,ror#19\n\teor\tw0,w0,w11,lsr#3\t// sigma0(X[i+1])\n\tadd\tw21,w21,w16\t\t\t// h+=Sigma1(e)\n\teor\tw28,w28,w23\t\t\t// Maj(a,b,c)\n\teor\tw17,w1,w22,ror#22\t// Sigma0(a)\n\teor\tw15,w15,w8,lsr#10\t// sigma1(X[i+14])\n\tadd\tw10,w10,w3\n\tadd\tw25,w25,w21\t\t\t// d+=h\n\tadd\tw21,w21,w28\t\t\t// h+=Maj(a,b,c)\n\tldr\tw28,[x30],#4\t\t// *K++, w19 in next round\n\tadd\tw10,w10,w0\n\tadd\tw21,w21,w17\t\t\t// h+=Sigma0(a)\n\tadd\tw10,w10,w15\n\tldr\tw15,[sp,#0]\n\tstr\tw2,[sp,#12]\n\tror\tw16,w25,#6\n\tadd\tw20,w20,w28\t\t\t// h+=K[i]\n\tror\tw1,w12,#7\n\tand\tw17,w26,w25\n\tror\tw0,w9,#17\n\tbic\tw28,w27,w25\n\tror\tw2,w21,#2\n\tadd\tw20,w20,w10\t\t\t// h+=X[i]\n\teor\tw16,w16,w25,ror#11\n\teor\tw1,w1,w12,ror#18\n\torr\tw17,w17,w28\t\t\t// Ch(e,f,g)\n\teor\tw28,w21,w22\t\t\t// a^b, b^c in next round\n\teor\tw16,w16,w25,ror#25\t// Sigma1(e)\n\teor\tw2,w2,w21,ror#13\n\tadd\tw20,w20,w17\t\t\t// h+=Ch(e,f,g)\n\tand\tw19,w19,w28\t\t\t// (b^c)&=(a^b)\n\teor\tw0,w0,w9,ror#19\n\teor\tw1,w1,w12,lsr#3\t// sigma0(X[i+1])\n\tadd\tw20,w20,w16\t\t\t// h+=Sigma1(e)\n\teor\tw19,w19,w22\t\t\t// Maj(a,b,c)\n\teor\tw17,w2,w21,ror#22\t// Sigma0(a)\n\teor\tw0,w0,w9,lsr#10\t// sigma1(X[i+14])\n\tadd\tw11,w11,w4\n\tadd\tw24,w24,w20\t\t\t// d+=h\n\tadd\tw20,w20,w19\t\t\t// h+=Maj(a,b,c)\n\tldr\tw19,[x30],#4\t\t// *K++, w28 in next round\n\tadd\tw11,w11,w1\n\tadd\tw20,w20,w17\t\t\t// h+=Sigma0(a)\n\tadd\tw11,w11,w0\n\tldr\tw0,[sp,#4]\n\tstr\tw3,[sp,#0]\n\tror\tw16,w24,#6\n\tadd\tw27,w27,w19\t\t\t// h+=K[i]\n\tror\tw2,w13,#7\n\tand\tw17,w25,w24\n\tror\tw1,w10,#17\n\tbic\tw19,w26,w24\n\tror\tw3,w20,#2\n\tadd\tw27,w27,w11\t\t\t// h+=X[i]\n\teor\tw16,w16,w24,ror#11\n\teor\tw2,w2,w13,ror#18\n\torr\tw17,w17,w19\t\t\t// Ch(e,f,g)\n\teor\tw19,w20,w21\t\t\t// a^b, b^c in next round\n\teor\tw16,w16,w24,ror#25\t// Sigma1(e)\n\teor\tw3,w3,w20,ror#13\n\tadd\tw27,w27,w17\t\t\t// h+=Ch(e,f,g)\n\tand\tw28,w28,w19\t\t\t// (b^c)&=(a^b)\n\teor\tw1,w1,w10,ror#19\n\teor\tw2,w2,w13,lsr#3\t// sigma0(X[i+1])\n\tadd\tw27,w27,w16\t\t\t// h+=Sigma1(e)\n\teor\tw28,w28,w21\t\t\t// Maj(a,b,c)\n\teor\tw17,w3,w20,ror#22\t// Sigma0(a)\n\teor\tw1,w1,w10,lsr#10\t// sigma1(X[i+14])\n\tadd\tw12,w12,w5\n\tadd\tw23,w23,w27\t\t\t// d+=h\n\tadd\tw27,w27,w28\t\t\t// h+=Maj(a,b,c)\n\tldr\tw28,[x30],#4\t\t// *K++, w19 in next round\n\tadd\tw12,w12,w2\n\tadd\tw27,w27,w17\t\t\t// h+=Sigma0(a)\n\tadd\tw12,w12,w1\n\tldr\tw1,[sp,#8]\n\tstr\tw4,[sp,#4]\n\tror\tw16,w23,#6\n\tadd\tw26,w26,w28\t\t\t// h+=K[i]\n\tror\tw3,w14,#7\n\tand\tw17,w24,w23\n\tror\tw2,w11,#17\n\tbic\tw28,w25,w23\n\tror\tw4,w27,#2\n\tadd\tw26,w26,w12\t\t\t// h+=X[i]\n\teor\tw16,w16,w23,ror#11\n\teor\tw3,w3,w14,ror#18\n\torr\tw17,w17,w28\t\t\t// Ch(e,f,g)\n\teor\tw28,w27,w20\t\t\t// a^b, b^c in next round\n\teor\tw16,w16,w23,ror#25\t// Sigma1(e)\n\teor\tw4,w4,w27,ror#13\n\tadd\tw26,w26,w17\t\t\t// h+=Ch(e,f,g)\n\tand\tw19,w19,w28\t\t\t// (b^c)&=(a^b)\n\teor\tw2,w2,w11,ror#19\n\teor\tw3,w3,w14,lsr#3\t// sigma0(X[i+1])\n\tadd\tw26,w26,w16\t\t\t// h+=Sigma1(e)\n\teor\tw19,w19,w20\t\t\t// Maj(a,b,c)\n\teor\tw17,w4,w27,ror#22\t// Sigma0(a)\n\teor\tw2,w2,w11,lsr#10\t// sigma1(X[i+14])\n\tadd\tw13,w13,w6\n\tadd\tw22,w22,w26\t\t\t// d+=h\n\tadd\tw26,w26,w19\t\t\t// h+=Maj(a,b,c)\n\tldr\tw19,[x30],#4\t\t// *K++, w28 in next round\n\tadd\tw13,w13,w3\n\tadd\tw26,w26,w17\t\t\t// h+=Sigma0(a)\n\tadd\tw13,w13,w2\n\tldr\tw2,[sp,#12]\n\tstr\tw5,[sp,#8]\n\tror\tw16,w22,#6\n\tadd\tw25,w25,w19\t\t\t// h+=K[i]\n\tror\tw4,w15,#7\n\tand\tw17,w23,w22\n\tror\tw3,w12,#17\n\tbic\tw19,w24,w22\n\tror\tw5,w26,#2\n\tadd\tw25,w25,w13\t\t\t// h+=X[i]\n\teor\tw16,w16,w22,ror#11\n\teor\tw4,w4,w15,ror#18\n\torr\tw17,w17,w19\t\t\t// Ch(e,f,g)\n\teor\tw19,w26,w27\t\t\t// a^b, b^c in next round\n\teor\tw16,w16,w22,ror#25\t// Sigma1(e)\n\teor\tw5,w5,w26,ror#13\n\tadd\tw25,w25,w17\t\t\t// h+=Ch(e,f,g)\n\tand\tw28,w28,w19\t\t\t// (b^c)&=(a^b)\n\teor\tw3,w3,w12,ror#19\n\teor\tw4,w4,w15,lsr#3\t// sigma0(X[i+1])\n\tadd\tw25,w25,w16\t\t\t// h+=Sigma1(e)\n\teor\tw28,w28,w27\t\t\t// Maj(a,b,c)\n\teor\tw17,w5,w26,ror#22\t// Sigma0(a)\n\teor\tw3,w3,w12,lsr#10\t// sigma1(X[i+14])\n\tadd\tw14,w14,w7\n\tadd\tw21,w21,w25\t\t\t// d+=h\n\tadd\tw25,w25,w28\t\t\t// h+=Maj(a,b,c)\n\tldr\tw28,[x30],#4\t\t// *K++, w19 in next round\n\tadd\tw14,w14,w4\n\tadd\tw25,w25,w17\t\t\t// h+=Sigma0(a)\n\tadd\tw14,w14,w3\n\tldr\tw3,[sp,#0]\n\tstr\tw6,[sp,#12]\n\tror\tw16,w21,#6\n\tadd\tw24,w24,w28\t\t\t// h+=K[i]\n\tror\tw5,w0,#7\n\tand\tw17,w22,w21\n\tror\tw4,w13,#17\n\tbic\tw28,w23,w21\n\tror\tw6,w25,#2\n\tadd\tw24,w24,w14\t\t\t// h+=X[i]\n\teor\tw16,w16,w21,ror#11\n\teor\tw5,w5,w0,ror#18\n\torr\tw17,w17,w28\t\t\t// Ch(e,f,g)\n\teor\tw28,w25,w26\t\t\t// a^b, b^c in next round\n\teor\tw16,w16,w21,ror#25\t// Sigma1(e)\n\teor\tw6,w6,w25,ror#13\n\tadd\tw24,w24,w17\t\t\t// h+=Ch(e,f,g)\n\tand\tw19,w19,w28\t\t\t// (b^c)&=(a^b)\n\teor\tw4,w4,w13,ror#19\n\teor\tw5,w5,w0,lsr#3\t// sigma0(X[i+1])\n\tadd\tw24,w24,w16\t\t\t// h+=Sigma1(e)\n\teor\tw19,w19,w26\t\t\t// Maj(a,b,c)\n\teor\tw17,w6,w25,ror#22\t// Sigma0(a)\n\teor\tw4,w4,w13,lsr#10\t// sigma1(X[i+14])\n\tadd\tw15,w15,w8\n\tadd\tw20,w20,w24\t\t\t// d+=h\n\tadd\tw24,w24,w19\t\t\t// h+=Maj(a,b,c)\n\tldr\tw19,[x30],#4\t\t// *K++, w28 in next round\n\tadd\tw15,w15,w5\n\tadd\tw24,w24,w17\t\t\t// h+=Sigma0(a)\n\tadd\tw15,w15,w4\n\tldr\tw4,[sp,#4]\n\tstr\tw7,[sp,#0]\n\tror\tw16,w20,#6\n\tadd\tw23,w23,w19\t\t\t// h+=K[i]\n\tror\tw6,w1,#7\n\tand\tw17,w21,w20\n\tror\tw5,w14,#17\n\tbic\tw19,w22,w20\n\tror\tw7,w24,#2\n\tadd\tw23,w23,w15\t\t\t// h+=X[i]\n\teor\tw16,w16,w20,ror#11\n\teor\tw6,w6,w1,ror#18\n\torr\tw17,w17,w19\t\t\t// Ch(e,f,g)\n\teor\tw19,w24,w25\t\t\t// a^b, b^c in next round\n\teor\tw16,w16,w20,ror#25\t// Sigma1(e)\n\teor\tw7,w7,w24,ror#13\n\tadd\tw23,w23,w17\t\t\t// h+=Ch(e,f,g)\n\tand\tw28,w28,w19\t\t\t// (b^c)&=(a^b)\n\teor\tw5,w5,w14,ror#19\n\teor\tw6,w6,w1,lsr#3\t// sigma0(X[i+1])\n\tadd\tw23,w23,w16\t\t\t// h+=Sigma1(e)\n\teor\tw28,w28,w25\t\t\t// Maj(a,b,c)\n\teor\tw17,w7,w24,ror#22\t// Sigma0(a)\n\teor\tw5,w5,w14,lsr#10\t// sigma1(X[i+14])\n\tadd\tw0,w0,w9\n\tadd\tw27,w27,w23\t\t\t// d+=h\n\tadd\tw23,w23,w28\t\t\t// h+=Maj(a,b,c)\n\tldr\tw28,[x30],#4\t\t// *K++, w19 in next round\n\tadd\tw0,w0,w6\n\tadd\tw23,w23,w17\t\t\t// h+=Sigma0(a)\n\tadd\tw0,w0,w5\n\tldr\tw5,[sp,#8]\n\tstr\tw8,[sp,#4]\n\tror\tw16,w27,#6\n\tadd\tw22,w22,w28\t\t\t// h+=K[i]\n\tror\tw7,w2,#7\n\tand\tw17,w20,w27\n\tror\tw6,w15,#17\n\tbic\tw28,w21,w27\n\tror\tw8,w23,#2\n\tadd\tw22,w22,w0\t\t\t// h+=X[i]\n\teor\tw16,w16,w27,ror#11\n\teor\tw7,w7,w2,ror#18\n\torr\tw17,w17,w28\t\t\t// Ch(e,f,g)\n\teor\tw28,w23,w24\t\t\t// a^b, b^c in next round\n\teor\tw16,w16,w27,ror#25\t// Sigma1(e)\n\teor\tw8,w8,w23,ror#13\n\tadd\tw22,w22,w17\t\t\t// h+=Ch(e,f,g)\n\tand\tw19,w19,w28\t\t\t// (b^c)&=(a^b)\n\teor\tw6,w6,w15,ror#19\n\teor\tw7,w7,w2,lsr#3\t// sigma0(X[i+1])\n\tadd\tw22,w22,w16\t\t\t// h+=Sigma1(e)\n\teor\tw19,w19,w24\t\t\t// Maj(a,b,c)\n\teor\tw17,w8,w23,ror#22\t// Sigma0(a)\n\teor\tw6,w6,w15,lsr#10\t// sigma1(X[i+14])\n\tadd\tw1,w1,w10\n\tadd\tw26,w26,w22\t\t\t// d+=h\n\tadd\tw22,w22,w19\t\t\t// h+=Maj(a,b,c)\n\tldr\tw19,[x30],#4\t\t// *K++, w28 in next round\n\tadd\tw1,w1,w7\n\tadd\tw22,w22,w17\t\t\t// h+=Sigma0(a)\n\tadd\tw1,w1,w6\n\tldr\tw6,[sp,#12]\n\tstr\tw9,[sp,#8]\n\tror\tw16,w26,#6\n\tadd\tw21,w21,w19\t\t\t// h+=K[i]\n\tror\tw8,w3,#7\n\tand\tw17,w27,w26\n\tror\tw7,w0,#17\n\tbic\tw19,w20,w26\n\tror\tw9,w22,#2\n\tadd\tw21,w21,w1\t\t\t// h+=X[i]\n\teor\tw16,w16,w26,ror#11\n\teor\tw8,w8,w3,ror#18\n\torr\tw17,w17,w19\t\t\t// Ch(e,f,g)\n\teor\tw19,w22,w23\t\t\t// a^b, b^c in next round\n\teor\tw16,w16,w26,ror#25\t// Sigma1(e)\n\teor\tw9,w9,w22,ror#13\n\tadd\tw21,w21,w17\t\t\t// h+=Ch(e,f,g)\n\tand\tw28,w28,w19\t\t\t// (b^c)&=(a^b)\n\teor\tw7,w7,w0,ror#19\n\teor\tw8,w8,w3,lsr#3\t// sigma0(X[i+1])\n\tadd\tw21,w21,w16\t\t\t// h+=Sigma1(e)\n\teor\tw28,w28,w23\t\t\t// Maj(a,b,c)\n\teor\tw17,w9,w22,ror#22\t// Sigma0(a)\n\teor\tw7,w7,w0,lsr#10\t// sigma1(X[i+14])\n\tadd\tw2,w2,w11\n\tadd\tw25,w25,w21\t\t\t// d+=h\n\tadd\tw21,w21,w28\t\t\t// h+=Maj(a,b,c)\n\tldr\tw28,[x30],#4\t\t// *K++, w19 in next round\n\tadd\tw2,w2,w8\n\tadd\tw21,w21,w17\t\t\t// h+=Sigma0(a)\n\tadd\tw2,w2,w7\n\tldr\tw7,[sp,#0]\n\tstr\tw10,[sp,#12]\n\tror\tw16,w25,#6\n\tadd\tw20,w20,w28\t\t\t// h+=K[i]\n\tror\tw9,w4,#7\n\tand\tw17,w26,w25\n\tror\tw8,w1,#17\n\tbic\tw28,w27,w25\n\tror\tw10,w21,#2\n\tadd\tw20,w20,w2\t\t\t// h+=X[i]\n\teor\tw16,w16,w25,ror#11\n\teor\tw9,w9,w4,ror#18\n\torr\tw17,w17,w28\t\t\t// Ch(e,f,g)\n\teor\tw28,w21,w22\t\t\t// a^b, b^c in next round\n\teor\tw16,w16,w25,ror#25\t// Sigma1(e)\n\teor\tw10,w10,w21,ror#13\n\tadd\tw20,w20,w17\t\t\t// h+=Ch(e,f,g)\n\tand\tw19,w19,w28\t\t\t// (b^c)&=(a^b)\n\teor\tw8,w8,w1,ror#19\n\teor\tw9,w9,w4,lsr#3\t// sigma0(X[i+1])\n\tadd\tw20,w20,w16\t\t\t// h+=Sigma1(e)\n\teor\tw19,w19,w22\t\t\t// Maj(a,b,c)\n\teor\tw17,w10,w21,ror#22\t// Sigma0(a)\n\teor\tw8,w8,w1,lsr#10\t// sigma1(X[i+14])\n\tadd\tw3,w3,w12\n\tadd\tw24,w24,w20\t\t\t// d+=h\n\tadd\tw20,w20,w19\t\t\t// h+=Maj(a,b,c)\n\tldr\tw19,[x30],#4\t\t// *K++, w28 in next round\n\tadd\tw3,w3,w9\n\tadd\tw20,w20,w17\t\t\t// h+=Sigma0(a)\n\tadd\tw3,w3,w8\n\tcbnz\tw19,Loop_16_xx\n\n\tldp\tx0,x2,[x29,#96]\n\tldr\tx1,[x29,#112]\n\tsub\tx30,x30,#260\t\t// rewind\n\n\tldp\tw3,w4,[x0]\n\tldp\tw5,w6,[x0,#2*4]\n\tadd\tx1,x1,#14*4\t\t\t// advance input pointer\n\tldp\tw7,w8,[x0,#4*4]\n\tadd\tw20,w20,w3\n\tldp\tw9,w10,[x0,#6*4]\n\tadd\tw21,w21,w4\n\tadd\tw22,w22,w5\n\tadd\tw23,w23,w6\n\tstp\tw20,w21,[x0]\n\tadd\tw24,w24,w7\n\tadd\tw25,w25,w8\n\tstp\tw22,w23,[x0,#2*4]\n\tadd\tw26,w26,w9\n\tadd\tw27,w27,w10\n\tcmp\tx1,x2\n\tstp\tw24,w25,[x0,#4*4]\n\tstp\tw26,w27,[x0,#6*4]\n\tb.ne\tLoop\n\n\tldp\tx19,x20,[x29,#16]\n\tadd\tsp,sp,#4*4\n\tldp\tx21,x22,[x29,#32]\n\tldp\tx23,x24,[x29,#48]\n\tldp\tx25,x26,[x29,#64]\n\tldp\tx27,x28,[x29,#80]\n\tldp\tx29,x30,[sp],#128\n\tAARCH64_VALIDATE_LINK_REGISTER\n\tret\n\n\n.section\t.rodata\n.align\t6\n\nLK256:\n.long\t0x428a2f98,0x71374491,0xb5c0fbcf,0xe9b5dba5\n.long\t0x3956c25b,0x59f111f1,0x923f82a4,0xab1c5ed5\n.long\t0xd807aa98,0x12835b01,0x243185be,0x550c7dc3\n.long\t0x72be5d74,0x80deb1fe,0x9bdc06a7,0xc19bf174\n.long\t0xe49b69c1,0xefbe4786,0x0fc19dc6,0x240ca1cc\n.long\t0x2de92c6f,0x4a7484aa,0x5cb0a9dc,0x76f988da\n.long\t0x983e5152,0xa831c66d,0xb00327c8,0xbf597fc7\n.long\t0xc6e00bf3,0xd5a79147,0x06ca6351,0x14292967\n.long\t0x27b70a85,0x2e1b2138,0x4d2c6dfc,0x53380d13\n.long\t0x650a7354,0x766a0abb,0x81c2c92e,0x92722c85\n.long\t0xa2bfe8a1,0xa81a664b,0xc24b8b70,0xc76c51a3\n.long\t0xd192e819,0xd6990624,0xf40e3585,0x106aa070\n.long\t0x19a4c116,0x1e376c08,0x2748774c,0x34b0bcb5\n.long\t0x391c0cb3,0x4ed8aa4a,0x5b9cca4f,0x682e6ff3\n.long\t0x748f82ee,0x78a5636f,0x84c87814,0x8cc70208\n.long\t0x90befffa,0xa4506ceb,0xbef9a3f7,0xc67178f2\n.long\t0\t//terminator\n\n.byte\t83,72,65,50,53,54,32,98,108,111,99,107,32,116,114,97,110,115,102,111,114,109,32,102,111,114,32,65,82,77,118,56,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0\n.align\t2\n.align\t2\n.text\n#ifndef\t__KERNEL__\n.globl\tsha256_block_data_order_hw\n\n.def sha256_block_data_order_hw\n .type 32\n.endef\n.align\t6\nsha256_block_data_order_hw:\n\t// Armv8.3-A PAuth: even though x30 is pushed to stack it is not popped later.\n\tAARCH64_VALID_CALL_TARGET\n\tstp\tx29,x30,[sp,#-16]!\n\tadd\tx29,sp,#0\n\n\tld1\t{v0.4s,v1.4s},[x0]\n\tadrp\tx3,LK256\n\tadd\tx3,x3,:lo12:LK256\n\nLoop_hw:\n\tld1\t{v4.16b,v5.16b,v6.16b,v7.16b},[x1],#64\n\tsub\tx2,x2,#1\n\tld1\t{v16.4s},[x3],#16\n\trev32\tv4.16b,v4.16b\n\trev32\tv5.16b,v5.16b\n\trev32\tv6.16b,v6.16b\n\trev32\tv7.16b,v7.16b\n\torr\tv18.16b,v0.16b,v0.16b\t\t// offload\n\torr\tv19.16b,v1.16b,v1.16b\n\tld1\t{v17.4s},[x3],#16\n\tadd\tv16.4s,v16.4s,v4.4s\n.long\t0x5e2828a4\t//sha256su0 v4.16b,v5.16b\n\torr\tv2.16b,v0.16b,v0.16b\n.long\t0x5e104020\t//sha256h v0.16b,v1.16b,v16.4s\n.long\t0x5e105041\t//sha256h2 v1.16b,v2.16b,v16.4s\n.long\t0x5e0760c4\t//sha256su1 v4.16b,v6.16b,v7.16b\n\tld1\t{v16.4s},[x3],#16\n\tadd\tv17.4s,v17.4s,v5.4s\n.long\t0x5e2828c5\t//sha256su0 v5.16b,v6.16b\n\torr\tv2.16b,v0.16b,v0.16b\n.long\t0x5e114020\t//sha256h v0.16b,v1.16b,v17.4s\n.long\t0x5e115041\t//sha256h2 v1.16b,v2.16b,v17.4s\n.long\t0x5e0460e5\t//sha256su1 v5.16b,v7.16b,v4.16b\n\tld1\t{v17.4s},[x3],#16\n\tadd\tv16.4s,v16.4s,v6.4s\n.long\t0x5e2828e6\t//sha256su0 v6.16b,v7.16b\n\torr\tv2.16b,v0.16b,v0.16b\n.long\t0x5e104020\t//sha256h v0.16b,v1.16b,v16.4s\n.long\t0x5e105041\t//sha256h2 v1.16b,v2.16b,v16.4s\n.long\t0x5e056086\t//sha256su1 v6.16b,v4.16b,v5.16b\n\tld1\t{v16.4s},[x3],#16\n\tadd\tv17.4s,v17.4s,v7.4s\n.long\t0x5e282887\t//sha256su0 v7.16b,v4.16b\n\torr\tv2.16b,v0.16b,v0.16b\n.long\t0x5e114020\t//sha256h v0.16b,v1.16b,v17.4s\n.long\t0x5e115041\t//sha256h2 v1.16b,v2.16b,v17.4s\n.long\t0x5e0660a7\t//sha256su1 v7.16b,v5.16b,v6.16b\n\tld1\t{v17.4s},[x3],#16\n\tadd\tv16.4s,v16.4s,v4.4s\n.long\t0x5e2828a4\t//sha256su0 v4.16b,v5.16b\n\torr\tv2.16b,v0.16b,v0.16b\n.long\t0x5e104020\t//sha256h v0.16b,v1.16b,v16.4s\n.long\t0x5e105041\t//sha256h2 v1.16b,v2.16b,v16.4s\n.long\t0x5e0760c4\t//sha256su1 v4.16b,v6.16b,v7.16b\n\tld1\t{v16.4s},[x3],#16\n\tadd\tv17.4s,v17.4s,v5.4s\n.long\t0x5e2828c5\t//sha256su0 v5.16b,v6.16b\n\torr\tv2.16b,v0.16b,v0.16b\n.long\t0x5e114020\t//sha256h v0.16b,v1.16b,v17.4s\n.long\t0x5e115041\t//sha256h2 v1.16b,v2.16b,v17.4s\n.long\t0x5e0460e5\t//sha256su1 v5.16b,v7.16b,v4.16b\n\tld1\t{v17.4s},[x3],#16\n\tadd\tv16.4s,v16.4s,v6.4s\n.long\t0x5e2828e6\t//sha256su0 v6.16b,v7.16b\n\torr\tv2.16b,v0.16b,v0.16b\n.long\t0x5e104020\t//sha256h v0.16b,v1.16b,v16.4s\n.long\t0x5e105041\t//sha256h2 v1.16b,v2.16b,v16.4s\n.long\t0x5e056086\t//sha256su1 v6.16b,v4.16b,v5.16b\n\tld1\t{v16.4s},[x3],#16\n\tadd\tv17.4s,v17.4s,v7.4s\n.long\t0x5e282887\t//sha256su0 v7.16b,v4.16b\n\torr\tv2.16b,v0.16b,v0.16b\n.long\t0x5e114020\t//sha256h v0.16b,v1.16b,v17.4s\n.long\t0x5e115041\t//sha256h2 v1.16b,v2.16b,v17.4s\n.long\t0x5e0660a7\t//sha256su1 v7.16b,v5.16b,v6.16b\n\tld1\t{v17.4s},[x3],#16\n\tadd\tv16.4s,v16.4s,v4.4s\n.long\t0x5e2828a4\t//sha256su0 v4.16b,v5.16b\n\torr\tv2.16b,v0.16b,v0.16b\n.long\t0x5e104020\t//sha256h v0.16b,v1.16b,v16.4s\n.long\t0x5e105041\t//sha256h2 v1.16b,v2.16b,v16.4s\n.long\t0x5e0760c4\t//sha256su1 v4.16b,v6.16b,v7.16b\n\tld1\t{v16.4s},[x3],#16\n\tadd\tv17.4s,v17.4s,v5.4s\n.long\t0x5e2828c5\t//sha256su0 v5.16b,v6.16b\n\torr\tv2.16b,v0.16b,v0.16b\n.long\t0x5e114020\t//sha256h v0.16b,v1.16b,v17.4s\n.long\t0x5e115041\t//sha256h2 v1.16b,v2.16b,v17.4s\n.long\t0x5e0460e5\t//sha256su1 v5.16b,v7.16b,v4.16b\n\tld1\t{v17.4s},[x3],#16\n\tadd\tv16.4s,v16.4s,v6.4s\n.long\t0x5e2828e6\t//sha256su0 v6.16b,v7.16b\n\torr\tv2.16b,v0.16b,v0.16b\n.long\t0x5e104020\t//sha256h v0.16b,v1.16b,v16.4s\n.long\t0x5e105041\t//sha256h2 v1.16b,v2.16b,v16.4s\n.long\t0x5e056086\t//sha256su1 v6.16b,v4.16b,v5.16b\n\tld1\t{v16.4s},[x3],#16\n\tadd\tv17.4s,v17.4s,v7.4s\n.long\t0x5e282887\t//sha256su0 v7.16b,v4.16b\n\torr\tv2.16b,v0.16b,v0.16b\n.long\t0x5e114020\t//sha256h v0.16b,v1.16b,v17.4s\n.long\t0x5e115041\t//sha256h2 v1.16b,v2.16b,v17.4s\n.long\t0x5e0660a7\t//sha256su1 v7.16b,v5.16b,v6.16b\n\tld1\t{v17.4s},[x3],#16\n\tadd\tv16.4s,v16.4s,v4.4s\n\torr\tv2.16b,v0.16b,v0.16b\n.long\t0x5e104020\t//sha256h v0.16b,v1.16b,v16.4s\n.long\t0x5e105041\t//sha256h2 v1.16b,v2.16b,v16.4s\n\n\tld1\t{v16.4s},[x3],#16\n\tadd\tv17.4s,v17.4s,v5.4s\n\torr\tv2.16b,v0.16b,v0.16b\n.long\t0x5e114020\t//sha256h v0.16b,v1.16b,v17.4s\n.long\t0x5e115041\t//sha256h2 v1.16b,v2.16b,v17.4s\n\n\tld1\t{v17.4s},[x3]\n\tadd\tv16.4s,v16.4s,v6.4s\n\tsub\tx3,x3,#64*4-16\t// rewind\n\torr\tv2.16b,v0.16b,v0.16b\n.long\t0x5e104020\t//sha256h v0.16b,v1.16b,v16.4s\n.long\t0x5e105041\t//sha256h2 v1.16b,v2.16b,v16.4s\n\n\tadd\tv17.4s,v17.4s,v7.4s\n\torr\tv2.16b,v0.16b,v0.16b\n.long\t0x5e114020\t//sha256h v0.16b,v1.16b,v17.4s\n.long\t0x5e115041\t//sha256h2 v1.16b,v2.16b,v17.4s\n\n\tadd\tv0.4s,v0.4s,v18.4s\n\tadd\tv1.4s,v1.4s,v19.4s\n\n\tcbnz\tx2,Loop_hw\n\n\tst1\t{v0.4s,v1.4s},[x0]\n\n\tldr\tx29,[sp],#16\n\tret\n\n#endif\n#endif // !OPENSSL_NO_ASM && defined(OPENSSL_AARCH64) && defined(_WIN32)\n#if defined(__linux__) && defined(__ELF__)\n.section .note.GNU-stack,\"\",%progbits\n#endif\n\n" }, { "path": "Sources/CNIOBoringSSL/gen/bcm/sha256-x86_64-apple.S", "content": "#define BORINGSSL_PREFIX CNIOBoringSSL\n// This file is generated from a similarly-named Perl script in the BoringSSL\n// source tree. Do not edit by hand.\n\n#include \n\n#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86_64) && defined(__APPLE__)\n.text\t\n\n.globl\t_sha256_block_data_order_nohw\n.private_extern _sha256_block_data_order_nohw\n\n.p2align\t4\n_sha256_block_data_order_nohw:\n\n_CET_ENDBR\n\tmovq\t%rsp,%rax\n\n\tpushq\t%rbx\n\n\tpushq\t%rbp\n\n\tpushq\t%r12\n\n\tpushq\t%r13\n\n\tpushq\t%r14\n\n\tpushq\t%r15\n\n\tshlq\t$4,%rdx\n\tsubq\t$64+32,%rsp\n\tleaq\t(%rsi,%rdx,4),%rdx\n\tandq\t$-64,%rsp\n\tmovq\t%rdi,64+0(%rsp)\n\tmovq\t%rsi,64+8(%rsp)\n\tmovq\t%rdx,64+16(%rsp)\n\tmovq\t%rax,88(%rsp)\n\nL$prologue:\n\n\tmovl\t0(%rdi),%eax\n\tmovl\t4(%rdi),%ebx\n\tmovl\t8(%rdi),%ecx\n\tmovl\t12(%rdi),%edx\n\tmovl\t16(%rdi),%r8d\n\tmovl\t20(%rdi),%r9d\n\tmovl\t24(%rdi),%r10d\n\tmovl\t28(%rdi),%r11d\n\tjmp\tL$loop\n\n.p2align\t4\nL$loop:\n\tmovl\t%ebx,%edi\n\tleaq\tK256(%rip),%rbp\n\txorl\t%ecx,%edi\n\tmovl\t0(%rsi),%r12d\n\tmovl\t%r8d,%r13d\n\tmovl\t%eax,%r14d\n\tbswapl\t%r12d\n\trorl\t$14,%r13d\n\tmovl\t%r9d,%r15d\n\n\txorl\t%r8d,%r13d\n\trorl\t$9,%r14d\n\txorl\t%r10d,%r15d\n\n\tmovl\t%r12d,0(%rsp)\n\txorl\t%eax,%r14d\n\tandl\t%r8d,%r15d\n\n\trorl\t$5,%r13d\n\taddl\t%r11d,%r12d\n\txorl\t%r10d,%r15d\n\n\trorl\t$11,%r14d\n\txorl\t%r8d,%r13d\n\taddl\t%r15d,%r12d\n\n\tmovl\t%eax,%r15d\n\taddl\t(%rbp),%r12d\n\txorl\t%eax,%r14d\n\n\txorl\t%ebx,%r15d\n\trorl\t$6,%r13d\n\tmovl\t%ebx,%r11d\n\n\tandl\t%r15d,%edi\n\trorl\t$2,%r14d\n\taddl\t%r13d,%r12d\n\n\txorl\t%edi,%r11d\n\taddl\t%r12d,%edx\n\taddl\t%r12d,%r11d\n\n\tleaq\t4(%rbp),%rbp\n\taddl\t%r14d,%r11d\n\tmovl\t4(%rsi),%r12d\n\tmovl\t%edx,%r13d\n\tmovl\t%r11d,%r14d\n\tbswapl\t%r12d\n\trorl\t$14,%r13d\n\tmovl\t%r8d,%edi\n\n\txorl\t%edx,%r13d\n\trorl\t$9,%r14d\n\txorl\t%r9d,%edi\n\n\tmovl\t%r12d,4(%rsp)\n\txorl\t%r11d,%r14d\n\tandl\t%edx,%edi\n\n\trorl\t$5,%r13d\n\taddl\t%r10d,%r12d\n\txorl\t%r9d,%edi\n\n\trorl\t$11,%r14d\n\txorl\t%edx,%r13d\n\taddl\t%edi,%r12d\n\n\tmovl\t%r11d,%edi\n\taddl\t(%rbp),%r12d\n\txorl\t%r11d,%r14d\n\n\txorl\t%eax,%edi\n\trorl\t$6,%r13d\n\tmovl\t%eax,%r10d\n\n\tandl\t%edi,%r15d\n\trorl\t$2,%r14d\n\taddl\t%r13d,%r12d\n\n\txorl\t%r15d,%r10d\n\taddl\t%r12d,%ecx\n\taddl\t%r12d,%r10d\n\n\tleaq\t4(%rbp),%rbp\n\taddl\t%r14d,%r10d\n\tmovl\t8(%rsi),%r12d\n\tmovl\t%ecx,%r13d\n\tmovl\t%r10d,%r14d\n\tbswapl\t%r12d\n\trorl\t$14,%r13d\n\tmovl\t%edx,%r15d\n\n\txorl\t%ecx,%r13d\n\trorl\t$9,%r14d\n\txorl\t%r8d,%r15d\n\n\tmovl\t%r12d,8(%rsp)\n\txorl\t%r10d,%r14d\n\tandl\t%ecx,%r15d\n\n\trorl\t$5,%r13d\n\taddl\t%r9d,%r12d\n\txorl\t%r8d,%r15d\n\n\trorl\t$11,%r14d\n\txorl\t%ecx,%r13d\n\taddl\t%r15d,%r12d\n\n\tmovl\t%r10d,%r15d\n\taddl\t(%rbp),%r12d\n\txorl\t%r10d,%r14d\n\n\txorl\t%r11d,%r15d\n\trorl\t$6,%r13d\n\tmovl\t%r11d,%r9d\n\n\tandl\t%r15d,%edi\n\trorl\t$2,%r14d\n\taddl\t%r13d,%r12d\n\n\txorl\t%edi,%r9d\n\taddl\t%r12d,%ebx\n\taddl\t%r12d,%r9d\n\n\tleaq\t4(%rbp),%rbp\n\taddl\t%r14d,%r9d\n\tmovl\t12(%rsi),%r12d\n\tmovl\t%ebx,%r13d\n\tmovl\t%r9d,%r14d\n\tbswapl\t%r12d\n\trorl\t$14,%r13d\n\tmovl\t%ecx,%edi\n\n\txorl\t%ebx,%r13d\n\trorl\t$9,%r14d\n\txorl\t%edx,%edi\n\n\tmovl\t%r12d,12(%rsp)\n\txorl\t%r9d,%r14d\n\tandl\t%ebx,%edi\n\n\trorl\t$5,%r13d\n\taddl\t%r8d,%r12d\n\txorl\t%edx,%edi\n\n\trorl\t$11,%r14d\n\txorl\t%ebx,%r13d\n\taddl\t%edi,%r12d\n\n\tmovl\t%r9d,%edi\n\taddl\t(%rbp),%r12d\n\txorl\t%r9d,%r14d\n\n\txorl\t%r10d,%edi\n\trorl\t$6,%r13d\n\tmovl\t%r10d,%r8d\n\n\tandl\t%edi,%r15d\n\trorl\t$2,%r14d\n\taddl\t%r13d,%r12d\n\n\txorl\t%r15d,%r8d\n\taddl\t%r12d,%eax\n\taddl\t%r12d,%r8d\n\n\tleaq\t20(%rbp),%rbp\n\taddl\t%r14d,%r8d\n\tmovl\t16(%rsi),%r12d\n\tmovl\t%eax,%r13d\n\tmovl\t%r8d,%r14d\n\tbswapl\t%r12d\n\trorl\t$14,%r13d\n\tmovl\t%ebx,%r15d\n\n\txorl\t%eax,%r13d\n\trorl\t$9,%r14d\n\txorl\t%ecx,%r15d\n\n\tmovl\t%r12d,16(%rsp)\n\txorl\t%r8d,%r14d\n\tandl\t%eax,%r15d\n\n\trorl\t$5,%r13d\n\taddl\t%edx,%r12d\n\txorl\t%ecx,%r15d\n\n\trorl\t$11,%r14d\n\txorl\t%eax,%r13d\n\taddl\t%r15d,%r12d\n\n\tmovl\t%r8d,%r15d\n\taddl\t(%rbp),%r12d\n\txorl\t%r8d,%r14d\n\n\txorl\t%r9d,%r15d\n\trorl\t$6,%r13d\n\tmovl\t%r9d,%edx\n\n\tandl\t%r15d,%edi\n\trorl\t$2,%r14d\n\taddl\t%r13d,%r12d\n\n\txorl\t%edi,%edx\n\taddl\t%r12d,%r11d\n\taddl\t%r12d,%edx\n\n\tleaq\t4(%rbp),%rbp\n\taddl\t%r14d,%edx\n\tmovl\t20(%rsi),%r12d\n\tmovl\t%r11d,%r13d\n\tmovl\t%edx,%r14d\n\tbswapl\t%r12d\n\trorl\t$14,%r13d\n\tmovl\t%eax,%edi\n\n\txorl\t%r11d,%r13d\n\trorl\t$9,%r14d\n\txorl\t%ebx,%edi\n\n\tmovl\t%r12d,20(%rsp)\n\txorl\t%edx,%r14d\n\tandl\t%r11d,%edi\n\n\trorl\t$5,%r13d\n\taddl\t%ecx,%r12d\n\txorl\t%ebx,%edi\n\n\trorl\t$11,%r14d\n\txorl\t%r11d,%r13d\n\taddl\t%edi,%r12d\n\n\tmovl\t%edx,%edi\n\taddl\t(%rbp),%r12d\n\txorl\t%edx,%r14d\n\n\txorl\t%r8d,%edi\n\trorl\t$6,%r13d\n\tmovl\t%r8d,%ecx\n\n\tandl\t%edi,%r15d\n\trorl\t$2,%r14d\n\taddl\t%r13d,%r12d\n\n\txorl\t%r15d,%ecx\n\taddl\t%r12d,%r10d\n\taddl\t%r12d,%ecx\n\n\tleaq\t4(%rbp),%rbp\n\taddl\t%r14d,%ecx\n\tmovl\t24(%rsi),%r12d\n\tmovl\t%r10d,%r13d\n\tmovl\t%ecx,%r14d\n\tbswapl\t%r12d\n\trorl\t$14,%r13d\n\tmovl\t%r11d,%r15d\n\n\txorl\t%r10d,%r13d\n\trorl\t$9,%r14d\n\txorl\t%eax,%r15d\n\n\tmovl\t%r12d,24(%rsp)\n\txorl\t%ecx,%r14d\n\tandl\t%r10d,%r15d\n\n\trorl\t$5,%r13d\n\taddl\t%ebx,%r12d\n\txorl\t%eax,%r15d\n\n\trorl\t$11,%r14d\n\txorl\t%r10d,%r13d\n\taddl\t%r15d,%r12d\n\n\tmovl\t%ecx,%r15d\n\taddl\t(%rbp),%r12d\n\txorl\t%ecx,%r14d\n\n\txorl\t%edx,%r15d\n\trorl\t$6,%r13d\n\tmovl\t%edx,%ebx\n\n\tandl\t%r15d,%edi\n\trorl\t$2,%r14d\n\taddl\t%r13d,%r12d\n\n\txorl\t%edi,%ebx\n\taddl\t%r12d,%r9d\n\taddl\t%r12d,%ebx\n\n\tleaq\t4(%rbp),%rbp\n\taddl\t%r14d,%ebx\n\tmovl\t28(%rsi),%r12d\n\tmovl\t%r9d,%r13d\n\tmovl\t%ebx,%r14d\n\tbswapl\t%r12d\n\trorl\t$14,%r13d\n\tmovl\t%r10d,%edi\n\n\txorl\t%r9d,%r13d\n\trorl\t$9,%r14d\n\txorl\t%r11d,%edi\n\n\tmovl\t%r12d,28(%rsp)\n\txorl\t%ebx,%r14d\n\tandl\t%r9d,%edi\n\n\trorl\t$5,%r13d\n\taddl\t%eax,%r12d\n\txorl\t%r11d,%edi\n\n\trorl\t$11,%r14d\n\txorl\t%r9d,%r13d\n\taddl\t%edi,%r12d\n\n\tmovl\t%ebx,%edi\n\taddl\t(%rbp),%r12d\n\txorl\t%ebx,%r14d\n\n\txorl\t%ecx,%edi\n\trorl\t$6,%r13d\n\tmovl\t%ecx,%eax\n\n\tandl\t%edi,%r15d\n\trorl\t$2,%r14d\n\taddl\t%r13d,%r12d\n\n\txorl\t%r15d,%eax\n\taddl\t%r12d,%r8d\n\taddl\t%r12d,%eax\n\n\tleaq\t20(%rbp),%rbp\n\taddl\t%r14d,%eax\n\tmovl\t32(%rsi),%r12d\n\tmovl\t%r8d,%r13d\n\tmovl\t%eax,%r14d\n\tbswapl\t%r12d\n\trorl\t$14,%r13d\n\tmovl\t%r9d,%r15d\n\n\txorl\t%r8d,%r13d\n\trorl\t$9,%r14d\n\txorl\t%r10d,%r15d\n\n\tmovl\t%r12d,32(%rsp)\n\txorl\t%eax,%r14d\n\tandl\t%r8d,%r15d\n\n\trorl\t$5,%r13d\n\taddl\t%r11d,%r12d\n\txorl\t%r10d,%r15d\n\n\trorl\t$11,%r14d\n\txorl\t%r8d,%r13d\n\taddl\t%r15d,%r12d\n\n\tmovl\t%eax,%r15d\n\taddl\t(%rbp),%r12d\n\txorl\t%eax,%r14d\n\n\txorl\t%ebx,%r15d\n\trorl\t$6,%r13d\n\tmovl\t%ebx,%r11d\n\n\tandl\t%r15d,%edi\n\trorl\t$2,%r14d\n\taddl\t%r13d,%r12d\n\n\txorl\t%edi,%r11d\n\taddl\t%r12d,%edx\n\taddl\t%r12d,%r11d\n\n\tleaq\t4(%rbp),%rbp\n\taddl\t%r14d,%r11d\n\tmovl\t36(%rsi),%r12d\n\tmovl\t%edx,%r13d\n\tmovl\t%r11d,%r14d\n\tbswapl\t%r12d\n\trorl\t$14,%r13d\n\tmovl\t%r8d,%edi\n\n\txorl\t%edx,%r13d\n\trorl\t$9,%r14d\n\txorl\t%r9d,%edi\n\n\tmovl\t%r12d,36(%rsp)\n\txorl\t%r11d,%r14d\n\tandl\t%edx,%edi\n\n\trorl\t$5,%r13d\n\taddl\t%r10d,%r12d\n\txorl\t%r9d,%edi\n\n\trorl\t$11,%r14d\n\txorl\t%edx,%r13d\n\taddl\t%edi,%r12d\n\n\tmovl\t%r11d,%edi\n\taddl\t(%rbp),%r12d\n\txorl\t%r11d,%r14d\n\n\txorl\t%eax,%edi\n\trorl\t$6,%r13d\n\tmovl\t%eax,%r10d\n\n\tandl\t%edi,%r15d\n\trorl\t$2,%r14d\n\taddl\t%r13d,%r12d\n\n\txorl\t%r15d,%r10d\n\taddl\t%r12d,%ecx\n\taddl\t%r12d,%r10d\n\n\tleaq\t4(%rbp),%rbp\n\taddl\t%r14d,%r10d\n\tmovl\t40(%rsi),%r12d\n\tmovl\t%ecx,%r13d\n\tmovl\t%r10d,%r14d\n\tbswapl\t%r12d\n\trorl\t$14,%r13d\n\tmovl\t%edx,%r15d\n\n\txorl\t%ecx,%r13d\n\trorl\t$9,%r14d\n\txorl\t%r8d,%r15d\n\n\tmovl\t%r12d,40(%rsp)\n\txorl\t%r10d,%r14d\n\tandl\t%ecx,%r15d\n\n\trorl\t$5,%r13d\n\taddl\t%r9d,%r12d\n\txorl\t%r8d,%r15d\n\n\trorl\t$11,%r14d\n\txorl\t%ecx,%r13d\n\taddl\t%r15d,%r12d\n\n\tmovl\t%r10d,%r15d\n\taddl\t(%rbp),%r12d\n\txorl\t%r10d,%r14d\n\n\txorl\t%r11d,%r15d\n\trorl\t$6,%r13d\n\tmovl\t%r11d,%r9d\n\n\tandl\t%r15d,%edi\n\trorl\t$2,%r14d\n\taddl\t%r13d,%r12d\n\n\txorl\t%edi,%r9d\n\taddl\t%r12d,%ebx\n\taddl\t%r12d,%r9d\n\n\tleaq\t4(%rbp),%rbp\n\taddl\t%r14d,%r9d\n\tmovl\t44(%rsi),%r12d\n\tmovl\t%ebx,%r13d\n\tmovl\t%r9d,%r14d\n\tbswapl\t%r12d\n\trorl\t$14,%r13d\n\tmovl\t%ecx,%edi\n\n\txorl\t%ebx,%r13d\n\trorl\t$9,%r14d\n\txorl\t%edx,%edi\n\n\tmovl\t%r12d,44(%rsp)\n\txorl\t%r9d,%r14d\n\tandl\t%ebx,%edi\n\n\trorl\t$5,%r13d\n\taddl\t%r8d,%r12d\n\txorl\t%edx,%edi\n\n\trorl\t$11,%r14d\n\txorl\t%ebx,%r13d\n\taddl\t%edi,%r12d\n\n\tmovl\t%r9d,%edi\n\taddl\t(%rbp),%r12d\n\txorl\t%r9d,%r14d\n\n\txorl\t%r10d,%edi\n\trorl\t$6,%r13d\n\tmovl\t%r10d,%r8d\n\n\tandl\t%edi,%r15d\n\trorl\t$2,%r14d\n\taddl\t%r13d,%r12d\n\n\txorl\t%r15d,%r8d\n\taddl\t%r12d,%eax\n\taddl\t%r12d,%r8d\n\n\tleaq\t20(%rbp),%rbp\n\taddl\t%r14d,%r8d\n\tmovl\t48(%rsi),%r12d\n\tmovl\t%eax,%r13d\n\tmovl\t%r8d,%r14d\n\tbswapl\t%r12d\n\trorl\t$14,%r13d\n\tmovl\t%ebx,%r15d\n\n\txorl\t%eax,%r13d\n\trorl\t$9,%r14d\n\txorl\t%ecx,%r15d\n\n\tmovl\t%r12d,48(%rsp)\n\txorl\t%r8d,%r14d\n\tandl\t%eax,%r15d\n\n\trorl\t$5,%r13d\n\taddl\t%edx,%r12d\n\txorl\t%ecx,%r15d\n\n\trorl\t$11,%r14d\n\txorl\t%eax,%r13d\n\taddl\t%r15d,%r12d\n\n\tmovl\t%r8d,%r15d\n\taddl\t(%rbp),%r12d\n\txorl\t%r8d,%r14d\n\n\txorl\t%r9d,%r15d\n\trorl\t$6,%r13d\n\tmovl\t%r9d,%edx\n\n\tandl\t%r15d,%edi\n\trorl\t$2,%r14d\n\taddl\t%r13d,%r12d\n\n\txorl\t%edi,%edx\n\taddl\t%r12d,%r11d\n\taddl\t%r12d,%edx\n\n\tleaq\t4(%rbp),%rbp\n\taddl\t%r14d,%edx\n\tmovl\t52(%rsi),%r12d\n\tmovl\t%r11d,%r13d\n\tmovl\t%edx,%r14d\n\tbswapl\t%r12d\n\trorl\t$14,%r13d\n\tmovl\t%eax,%edi\n\n\txorl\t%r11d,%r13d\n\trorl\t$9,%r14d\n\txorl\t%ebx,%edi\n\n\tmovl\t%r12d,52(%rsp)\n\txorl\t%edx,%r14d\n\tandl\t%r11d,%edi\n\n\trorl\t$5,%r13d\n\taddl\t%ecx,%r12d\n\txorl\t%ebx,%edi\n\n\trorl\t$11,%r14d\n\txorl\t%r11d,%r13d\n\taddl\t%edi,%r12d\n\n\tmovl\t%edx,%edi\n\taddl\t(%rbp),%r12d\n\txorl\t%edx,%r14d\n\n\txorl\t%r8d,%edi\n\trorl\t$6,%r13d\n\tmovl\t%r8d,%ecx\n\n\tandl\t%edi,%r15d\n\trorl\t$2,%r14d\n\taddl\t%r13d,%r12d\n\n\txorl\t%r15d,%ecx\n\taddl\t%r12d,%r10d\n\taddl\t%r12d,%ecx\n\n\tleaq\t4(%rbp),%rbp\n\taddl\t%r14d,%ecx\n\tmovl\t56(%rsi),%r12d\n\tmovl\t%r10d,%r13d\n\tmovl\t%ecx,%r14d\n\tbswapl\t%r12d\n\trorl\t$14,%r13d\n\tmovl\t%r11d,%r15d\n\n\txorl\t%r10d,%r13d\n\trorl\t$9,%r14d\n\txorl\t%eax,%r15d\n\n\tmovl\t%r12d,56(%rsp)\n\txorl\t%ecx,%r14d\n\tandl\t%r10d,%r15d\n\n\trorl\t$5,%r13d\n\taddl\t%ebx,%r12d\n\txorl\t%eax,%r15d\n\n\trorl\t$11,%r14d\n\txorl\t%r10d,%r13d\n\taddl\t%r15d,%r12d\n\n\tmovl\t%ecx,%r15d\n\taddl\t(%rbp),%r12d\n\txorl\t%ecx,%r14d\n\n\txorl\t%edx,%r15d\n\trorl\t$6,%r13d\n\tmovl\t%edx,%ebx\n\n\tandl\t%r15d,%edi\n\trorl\t$2,%r14d\n\taddl\t%r13d,%r12d\n\n\txorl\t%edi,%ebx\n\taddl\t%r12d,%r9d\n\taddl\t%r12d,%ebx\n\n\tleaq\t4(%rbp),%rbp\n\taddl\t%r14d,%ebx\n\tmovl\t60(%rsi),%r12d\n\tmovl\t%r9d,%r13d\n\tmovl\t%ebx,%r14d\n\tbswapl\t%r12d\n\trorl\t$14,%r13d\n\tmovl\t%r10d,%edi\n\n\txorl\t%r9d,%r13d\n\trorl\t$9,%r14d\n\txorl\t%r11d,%edi\n\n\tmovl\t%r12d,60(%rsp)\n\txorl\t%ebx,%r14d\n\tandl\t%r9d,%edi\n\n\trorl\t$5,%r13d\n\taddl\t%eax,%r12d\n\txorl\t%r11d,%edi\n\n\trorl\t$11,%r14d\n\txorl\t%r9d,%r13d\n\taddl\t%edi,%r12d\n\n\tmovl\t%ebx,%edi\n\taddl\t(%rbp),%r12d\n\txorl\t%ebx,%r14d\n\n\txorl\t%ecx,%edi\n\trorl\t$6,%r13d\n\tmovl\t%ecx,%eax\n\n\tandl\t%edi,%r15d\n\trorl\t$2,%r14d\n\taddl\t%r13d,%r12d\n\n\txorl\t%r15d,%eax\n\taddl\t%r12d,%r8d\n\taddl\t%r12d,%eax\n\n\tleaq\t20(%rbp),%rbp\n\tjmp\tL$rounds_16_xx\n.p2align\t4\nL$rounds_16_xx:\n\tmovl\t4(%rsp),%r13d\n\tmovl\t56(%rsp),%r15d\n\n\tmovl\t%r13d,%r12d\n\trorl\t$11,%r13d\n\taddl\t%r14d,%eax\n\tmovl\t%r15d,%r14d\n\trorl\t$2,%r15d\n\n\txorl\t%r12d,%r13d\n\tshrl\t$3,%r12d\n\trorl\t$7,%r13d\n\txorl\t%r14d,%r15d\n\tshrl\t$10,%r14d\n\n\trorl\t$17,%r15d\n\txorl\t%r13d,%r12d\n\txorl\t%r14d,%r15d\n\taddl\t36(%rsp),%r12d\n\n\taddl\t0(%rsp),%r12d\n\tmovl\t%r8d,%r13d\n\taddl\t%r15d,%r12d\n\tmovl\t%eax,%r14d\n\trorl\t$14,%r13d\n\tmovl\t%r9d,%r15d\n\n\txorl\t%r8d,%r13d\n\trorl\t$9,%r14d\n\txorl\t%r10d,%r15d\n\n\tmovl\t%r12d,0(%rsp)\n\txorl\t%eax,%r14d\n\tandl\t%r8d,%r15d\n\n\trorl\t$5,%r13d\n\taddl\t%r11d,%r12d\n\txorl\t%r10d,%r15d\n\n\trorl\t$11,%r14d\n\txorl\t%r8d,%r13d\n\taddl\t%r15d,%r12d\n\n\tmovl\t%eax,%r15d\n\taddl\t(%rbp),%r12d\n\txorl\t%eax,%r14d\n\n\txorl\t%ebx,%r15d\n\trorl\t$6,%r13d\n\tmovl\t%ebx,%r11d\n\n\tandl\t%r15d,%edi\n\trorl\t$2,%r14d\n\taddl\t%r13d,%r12d\n\n\txorl\t%edi,%r11d\n\taddl\t%r12d,%edx\n\taddl\t%r12d,%r11d\n\n\tleaq\t4(%rbp),%rbp\n\tmovl\t8(%rsp),%r13d\n\tmovl\t60(%rsp),%edi\n\n\tmovl\t%r13d,%r12d\n\trorl\t$11,%r13d\n\taddl\t%r14d,%r11d\n\tmovl\t%edi,%r14d\n\trorl\t$2,%edi\n\n\txorl\t%r12d,%r13d\n\tshrl\t$3,%r12d\n\trorl\t$7,%r13d\n\txorl\t%r14d,%edi\n\tshrl\t$10,%r14d\n\n\trorl\t$17,%edi\n\txorl\t%r13d,%r12d\n\txorl\t%r14d,%edi\n\taddl\t40(%rsp),%r12d\n\n\taddl\t4(%rsp),%r12d\n\tmovl\t%edx,%r13d\n\taddl\t%edi,%r12d\n\tmovl\t%r11d,%r14d\n\trorl\t$14,%r13d\n\tmovl\t%r8d,%edi\n\n\txorl\t%edx,%r13d\n\trorl\t$9,%r14d\n\txorl\t%r9d,%edi\n\n\tmovl\t%r12d,4(%rsp)\n\txorl\t%r11d,%r14d\n\tandl\t%edx,%edi\n\n\trorl\t$5,%r13d\n\taddl\t%r10d,%r12d\n\txorl\t%r9d,%edi\n\n\trorl\t$11,%r14d\n\txorl\t%edx,%r13d\n\taddl\t%edi,%r12d\n\n\tmovl\t%r11d,%edi\n\taddl\t(%rbp),%r12d\n\txorl\t%r11d,%r14d\n\n\txorl\t%eax,%edi\n\trorl\t$6,%r13d\n\tmovl\t%eax,%r10d\n\n\tandl\t%edi,%r15d\n\trorl\t$2,%r14d\n\taddl\t%r13d,%r12d\n\n\txorl\t%r15d,%r10d\n\taddl\t%r12d,%ecx\n\taddl\t%r12d,%r10d\n\n\tleaq\t4(%rbp),%rbp\n\tmovl\t12(%rsp),%r13d\n\tmovl\t0(%rsp),%r15d\n\n\tmovl\t%r13d,%r12d\n\trorl\t$11,%r13d\n\taddl\t%r14d,%r10d\n\tmovl\t%r15d,%r14d\n\trorl\t$2,%r15d\n\n\txorl\t%r12d,%r13d\n\tshrl\t$3,%r12d\n\trorl\t$7,%r13d\n\txorl\t%r14d,%r15d\n\tshrl\t$10,%r14d\n\n\trorl\t$17,%r15d\n\txorl\t%r13d,%r12d\n\txorl\t%r14d,%r15d\n\taddl\t44(%rsp),%r12d\n\n\taddl\t8(%rsp),%r12d\n\tmovl\t%ecx,%r13d\n\taddl\t%r15d,%r12d\n\tmovl\t%r10d,%r14d\n\trorl\t$14,%r13d\n\tmovl\t%edx,%r15d\n\n\txorl\t%ecx,%r13d\n\trorl\t$9,%r14d\n\txorl\t%r8d,%r15d\n\n\tmovl\t%r12d,8(%rsp)\n\txorl\t%r10d,%r14d\n\tandl\t%ecx,%r15d\n\n\trorl\t$5,%r13d\n\taddl\t%r9d,%r12d\n\txorl\t%r8d,%r15d\n\n\trorl\t$11,%r14d\n\txorl\t%ecx,%r13d\n\taddl\t%r15d,%r12d\n\n\tmovl\t%r10d,%r15d\n\taddl\t(%rbp),%r12d\n\txorl\t%r10d,%r14d\n\n\txorl\t%r11d,%r15d\n\trorl\t$6,%r13d\n\tmovl\t%r11d,%r9d\n\n\tandl\t%r15d,%edi\n\trorl\t$2,%r14d\n\taddl\t%r13d,%r12d\n\n\txorl\t%edi,%r9d\n\taddl\t%r12d,%ebx\n\taddl\t%r12d,%r9d\n\n\tleaq\t4(%rbp),%rbp\n\tmovl\t16(%rsp),%r13d\n\tmovl\t4(%rsp),%edi\n\n\tmovl\t%r13d,%r12d\n\trorl\t$11,%r13d\n\taddl\t%r14d,%r9d\n\tmovl\t%edi,%r14d\n\trorl\t$2,%edi\n\n\txorl\t%r12d,%r13d\n\tshrl\t$3,%r12d\n\trorl\t$7,%r13d\n\txorl\t%r14d,%edi\n\tshrl\t$10,%r14d\n\n\trorl\t$17,%edi\n\txorl\t%r13d,%r12d\n\txorl\t%r14d,%edi\n\taddl\t48(%rsp),%r12d\n\n\taddl\t12(%rsp),%r12d\n\tmovl\t%ebx,%r13d\n\taddl\t%edi,%r12d\n\tmovl\t%r9d,%r14d\n\trorl\t$14,%r13d\n\tmovl\t%ecx,%edi\n\n\txorl\t%ebx,%r13d\n\trorl\t$9,%r14d\n\txorl\t%edx,%edi\n\n\tmovl\t%r12d,12(%rsp)\n\txorl\t%r9d,%r14d\n\tandl\t%ebx,%edi\n\n\trorl\t$5,%r13d\n\taddl\t%r8d,%r12d\n\txorl\t%edx,%edi\n\n\trorl\t$11,%r14d\n\txorl\t%ebx,%r13d\n\taddl\t%edi,%r12d\n\n\tmovl\t%r9d,%edi\n\taddl\t(%rbp),%r12d\n\txorl\t%r9d,%r14d\n\n\txorl\t%r10d,%edi\n\trorl\t$6,%r13d\n\tmovl\t%r10d,%r8d\n\n\tandl\t%edi,%r15d\n\trorl\t$2,%r14d\n\taddl\t%r13d,%r12d\n\n\txorl\t%r15d,%r8d\n\taddl\t%r12d,%eax\n\taddl\t%r12d,%r8d\n\n\tleaq\t20(%rbp),%rbp\n\tmovl\t20(%rsp),%r13d\n\tmovl\t8(%rsp),%r15d\n\n\tmovl\t%r13d,%r12d\n\trorl\t$11,%r13d\n\taddl\t%r14d,%r8d\n\tmovl\t%r15d,%r14d\n\trorl\t$2,%r15d\n\n\txorl\t%r12d,%r13d\n\tshrl\t$3,%r12d\n\trorl\t$7,%r13d\n\txorl\t%r14d,%r15d\n\tshrl\t$10,%r14d\n\n\trorl\t$17,%r15d\n\txorl\t%r13d,%r12d\n\txorl\t%r14d,%r15d\n\taddl\t52(%rsp),%r12d\n\n\taddl\t16(%rsp),%r12d\n\tmovl\t%eax,%r13d\n\taddl\t%r15d,%r12d\n\tmovl\t%r8d,%r14d\n\trorl\t$14,%r13d\n\tmovl\t%ebx,%r15d\n\n\txorl\t%eax,%r13d\n\trorl\t$9,%r14d\n\txorl\t%ecx,%r15d\n\n\tmovl\t%r12d,16(%rsp)\n\txorl\t%r8d,%r14d\n\tandl\t%eax,%r15d\n\n\trorl\t$5,%r13d\n\taddl\t%edx,%r12d\n\txorl\t%ecx,%r15d\n\n\trorl\t$11,%r14d\n\txorl\t%eax,%r13d\n\taddl\t%r15d,%r12d\n\n\tmovl\t%r8d,%r15d\n\taddl\t(%rbp),%r12d\n\txorl\t%r8d,%r14d\n\n\txorl\t%r9d,%r15d\n\trorl\t$6,%r13d\n\tmovl\t%r9d,%edx\n\n\tandl\t%r15d,%edi\n\trorl\t$2,%r14d\n\taddl\t%r13d,%r12d\n\n\txorl\t%edi,%edx\n\taddl\t%r12d,%r11d\n\taddl\t%r12d,%edx\n\n\tleaq\t4(%rbp),%rbp\n\tmovl\t24(%rsp),%r13d\n\tmovl\t12(%rsp),%edi\n\n\tmovl\t%r13d,%r12d\n\trorl\t$11,%r13d\n\taddl\t%r14d,%edx\n\tmovl\t%edi,%r14d\n\trorl\t$2,%edi\n\n\txorl\t%r12d,%r13d\n\tshrl\t$3,%r12d\n\trorl\t$7,%r13d\n\txorl\t%r14d,%edi\n\tshrl\t$10,%r14d\n\n\trorl\t$17,%edi\n\txorl\t%r13d,%r12d\n\txorl\t%r14d,%edi\n\taddl\t56(%rsp),%r12d\n\n\taddl\t20(%rsp),%r12d\n\tmovl\t%r11d,%r13d\n\taddl\t%edi,%r12d\n\tmovl\t%edx,%r14d\n\trorl\t$14,%r13d\n\tmovl\t%eax,%edi\n\n\txorl\t%r11d,%r13d\n\trorl\t$9,%r14d\n\txorl\t%ebx,%edi\n\n\tmovl\t%r12d,20(%rsp)\n\txorl\t%edx,%r14d\n\tandl\t%r11d,%edi\n\n\trorl\t$5,%r13d\n\taddl\t%ecx,%r12d\n\txorl\t%ebx,%edi\n\n\trorl\t$11,%r14d\n\txorl\t%r11d,%r13d\n\taddl\t%edi,%r12d\n\n\tmovl\t%edx,%edi\n\taddl\t(%rbp),%r12d\n\txorl\t%edx,%r14d\n\n\txorl\t%r8d,%edi\n\trorl\t$6,%r13d\n\tmovl\t%r8d,%ecx\n\n\tandl\t%edi,%r15d\n\trorl\t$2,%r14d\n\taddl\t%r13d,%r12d\n\n\txorl\t%r15d,%ecx\n\taddl\t%r12d,%r10d\n\taddl\t%r12d,%ecx\n\n\tleaq\t4(%rbp),%rbp\n\tmovl\t28(%rsp),%r13d\n\tmovl\t16(%rsp),%r15d\n\n\tmovl\t%r13d,%r12d\n\trorl\t$11,%r13d\n\taddl\t%r14d,%ecx\n\tmovl\t%r15d,%r14d\n\trorl\t$2,%r15d\n\n\txorl\t%r12d,%r13d\n\tshrl\t$3,%r12d\n\trorl\t$7,%r13d\n\txorl\t%r14d,%r15d\n\tshrl\t$10,%r14d\n\n\trorl\t$17,%r15d\n\txorl\t%r13d,%r12d\n\txorl\t%r14d,%r15d\n\taddl\t60(%rsp),%r12d\n\n\taddl\t24(%rsp),%r12d\n\tmovl\t%r10d,%r13d\n\taddl\t%r15d,%r12d\n\tmovl\t%ecx,%r14d\n\trorl\t$14,%r13d\n\tmovl\t%r11d,%r15d\n\n\txorl\t%r10d,%r13d\n\trorl\t$9,%r14d\n\txorl\t%eax,%r15d\n\n\tmovl\t%r12d,24(%rsp)\n\txorl\t%ecx,%r14d\n\tandl\t%r10d,%r15d\n\n\trorl\t$5,%r13d\n\taddl\t%ebx,%r12d\n\txorl\t%eax,%r15d\n\n\trorl\t$11,%r14d\n\txorl\t%r10d,%r13d\n\taddl\t%r15d,%r12d\n\n\tmovl\t%ecx,%r15d\n\taddl\t(%rbp),%r12d\n\txorl\t%ecx,%r14d\n\n\txorl\t%edx,%r15d\n\trorl\t$6,%r13d\n\tmovl\t%edx,%ebx\n\n\tandl\t%r15d,%edi\n\trorl\t$2,%r14d\n\taddl\t%r13d,%r12d\n\n\txorl\t%edi,%ebx\n\taddl\t%r12d,%r9d\n\taddl\t%r12d,%ebx\n\n\tleaq\t4(%rbp),%rbp\n\tmovl\t32(%rsp),%r13d\n\tmovl\t20(%rsp),%edi\n\n\tmovl\t%r13d,%r12d\n\trorl\t$11,%r13d\n\taddl\t%r14d,%ebx\n\tmovl\t%edi,%r14d\n\trorl\t$2,%edi\n\n\txorl\t%r12d,%r13d\n\tshrl\t$3,%r12d\n\trorl\t$7,%r13d\n\txorl\t%r14d,%edi\n\tshrl\t$10,%r14d\n\n\trorl\t$17,%edi\n\txorl\t%r13d,%r12d\n\txorl\t%r14d,%edi\n\taddl\t0(%rsp),%r12d\n\n\taddl\t28(%rsp),%r12d\n\tmovl\t%r9d,%r13d\n\taddl\t%edi,%r12d\n\tmovl\t%ebx,%r14d\n\trorl\t$14,%r13d\n\tmovl\t%r10d,%edi\n\n\txorl\t%r9d,%r13d\n\trorl\t$9,%r14d\n\txorl\t%r11d,%edi\n\n\tmovl\t%r12d,28(%rsp)\n\txorl\t%ebx,%r14d\n\tandl\t%r9d,%edi\n\n\trorl\t$5,%r13d\n\taddl\t%eax,%r12d\n\txorl\t%r11d,%edi\n\n\trorl\t$11,%r14d\n\txorl\t%r9d,%r13d\n\taddl\t%edi,%r12d\n\n\tmovl\t%ebx,%edi\n\taddl\t(%rbp),%r12d\n\txorl\t%ebx,%r14d\n\n\txorl\t%ecx,%edi\n\trorl\t$6,%r13d\n\tmovl\t%ecx,%eax\n\n\tandl\t%edi,%r15d\n\trorl\t$2,%r14d\n\taddl\t%r13d,%r12d\n\n\txorl\t%r15d,%eax\n\taddl\t%r12d,%r8d\n\taddl\t%r12d,%eax\n\n\tleaq\t20(%rbp),%rbp\n\tmovl\t36(%rsp),%r13d\n\tmovl\t24(%rsp),%r15d\n\n\tmovl\t%r13d,%r12d\n\trorl\t$11,%r13d\n\taddl\t%r14d,%eax\n\tmovl\t%r15d,%r14d\n\trorl\t$2,%r15d\n\n\txorl\t%r12d,%r13d\n\tshrl\t$3,%r12d\n\trorl\t$7,%r13d\n\txorl\t%r14d,%r15d\n\tshrl\t$10,%r14d\n\n\trorl\t$17,%r15d\n\txorl\t%r13d,%r12d\n\txorl\t%r14d,%r15d\n\taddl\t4(%rsp),%r12d\n\n\taddl\t32(%rsp),%r12d\n\tmovl\t%r8d,%r13d\n\taddl\t%r15d,%r12d\n\tmovl\t%eax,%r14d\n\trorl\t$14,%r13d\n\tmovl\t%r9d,%r15d\n\n\txorl\t%r8d,%r13d\n\trorl\t$9,%r14d\n\txorl\t%r10d,%r15d\n\n\tmovl\t%r12d,32(%rsp)\n\txorl\t%eax,%r14d\n\tandl\t%r8d,%r15d\n\n\trorl\t$5,%r13d\n\taddl\t%r11d,%r12d\n\txorl\t%r10d,%r15d\n\n\trorl\t$11,%r14d\n\txorl\t%r8d,%r13d\n\taddl\t%r15d,%r12d\n\n\tmovl\t%eax,%r15d\n\taddl\t(%rbp),%r12d\n\txorl\t%eax,%r14d\n\n\txorl\t%ebx,%r15d\n\trorl\t$6,%r13d\n\tmovl\t%ebx,%r11d\n\n\tandl\t%r15d,%edi\n\trorl\t$2,%r14d\n\taddl\t%r13d,%r12d\n\n\txorl\t%edi,%r11d\n\taddl\t%r12d,%edx\n\taddl\t%r12d,%r11d\n\n\tleaq\t4(%rbp),%rbp\n\tmovl\t40(%rsp),%r13d\n\tmovl\t28(%rsp),%edi\n\n\tmovl\t%r13d,%r12d\n\trorl\t$11,%r13d\n\taddl\t%r14d,%r11d\n\tmovl\t%edi,%r14d\n\trorl\t$2,%edi\n\n\txorl\t%r12d,%r13d\n\tshrl\t$3,%r12d\n\trorl\t$7,%r13d\n\txorl\t%r14d,%edi\n\tshrl\t$10,%r14d\n\n\trorl\t$17,%edi\n\txorl\t%r13d,%r12d\n\txorl\t%r14d,%edi\n\taddl\t8(%rsp),%r12d\n\n\taddl\t36(%rsp),%r12d\n\tmovl\t%edx,%r13d\n\taddl\t%edi,%r12d\n\tmovl\t%r11d,%r14d\n\trorl\t$14,%r13d\n\tmovl\t%r8d,%edi\n\n\txorl\t%edx,%r13d\n\trorl\t$9,%r14d\n\txorl\t%r9d,%edi\n\n\tmovl\t%r12d,36(%rsp)\n\txorl\t%r11d,%r14d\n\tandl\t%edx,%edi\n\n\trorl\t$5,%r13d\n\taddl\t%r10d,%r12d\n\txorl\t%r9d,%edi\n\n\trorl\t$11,%r14d\n\txorl\t%edx,%r13d\n\taddl\t%edi,%r12d\n\n\tmovl\t%r11d,%edi\n\taddl\t(%rbp),%r12d\n\txorl\t%r11d,%r14d\n\n\txorl\t%eax,%edi\n\trorl\t$6,%r13d\n\tmovl\t%eax,%r10d\n\n\tandl\t%edi,%r15d\n\trorl\t$2,%r14d\n\taddl\t%r13d,%r12d\n\n\txorl\t%r15d,%r10d\n\taddl\t%r12d,%ecx\n\taddl\t%r12d,%r10d\n\n\tleaq\t4(%rbp),%rbp\n\tmovl\t44(%rsp),%r13d\n\tmovl\t32(%rsp),%r15d\n\n\tmovl\t%r13d,%r12d\n\trorl\t$11,%r13d\n\taddl\t%r14d,%r10d\n\tmovl\t%r15d,%r14d\n\trorl\t$2,%r15d\n\n\txorl\t%r12d,%r13d\n\tshrl\t$3,%r12d\n\trorl\t$7,%r13d\n\txorl\t%r14d,%r15d\n\tshrl\t$10,%r14d\n\n\trorl\t$17,%r15d\n\txorl\t%r13d,%r12d\n\txorl\t%r14d,%r15d\n\taddl\t12(%rsp),%r12d\n\n\taddl\t40(%rsp),%r12d\n\tmovl\t%ecx,%r13d\n\taddl\t%r15d,%r12d\n\tmovl\t%r10d,%r14d\n\trorl\t$14,%r13d\n\tmovl\t%edx,%r15d\n\n\txorl\t%ecx,%r13d\n\trorl\t$9,%r14d\n\txorl\t%r8d,%r15d\n\n\tmovl\t%r12d,40(%rsp)\n\txorl\t%r10d,%r14d\n\tandl\t%ecx,%r15d\n\n\trorl\t$5,%r13d\n\taddl\t%r9d,%r12d\n\txorl\t%r8d,%r15d\n\n\trorl\t$11,%r14d\n\txorl\t%ecx,%r13d\n\taddl\t%r15d,%r12d\n\n\tmovl\t%r10d,%r15d\n\taddl\t(%rbp),%r12d\n\txorl\t%r10d,%r14d\n\n\txorl\t%r11d,%r15d\n\trorl\t$6,%r13d\n\tmovl\t%r11d,%r9d\n\n\tandl\t%r15d,%edi\n\trorl\t$2,%r14d\n\taddl\t%r13d,%r12d\n\n\txorl\t%edi,%r9d\n\taddl\t%r12d,%ebx\n\taddl\t%r12d,%r9d\n\n\tleaq\t4(%rbp),%rbp\n\tmovl\t48(%rsp),%r13d\n\tmovl\t36(%rsp),%edi\n\n\tmovl\t%r13d,%r12d\n\trorl\t$11,%r13d\n\taddl\t%r14d,%r9d\n\tmovl\t%edi,%r14d\n\trorl\t$2,%edi\n\n\txorl\t%r12d,%r13d\n\tshrl\t$3,%r12d\n\trorl\t$7,%r13d\n\txorl\t%r14d,%edi\n\tshrl\t$10,%r14d\n\n\trorl\t$17,%edi\n\txorl\t%r13d,%r12d\n\txorl\t%r14d,%edi\n\taddl\t16(%rsp),%r12d\n\n\taddl\t44(%rsp),%r12d\n\tmovl\t%ebx,%r13d\n\taddl\t%edi,%r12d\n\tmovl\t%r9d,%r14d\n\trorl\t$14,%r13d\n\tmovl\t%ecx,%edi\n\n\txorl\t%ebx,%r13d\n\trorl\t$9,%r14d\n\txorl\t%edx,%edi\n\n\tmovl\t%r12d,44(%rsp)\n\txorl\t%r9d,%r14d\n\tandl\t%ebx,%edi\n\n\trorl\t$5,%r13d\n\taddl\t%r8d,%r12d\n\txorl\t%edx,%edi\n\n\trorl\t$11,%r14d\n\txorl\t%ebx,%r13d\n\taddl\t%edi,%r12d\n\n\tmovl\t%r9d,%edi\n\taddl\t(%rbp),%r12d\n\txorl\t%r9d,%r14d\n\n\txorl\t%r10d,%edi\n\trorl\t$6,%r13d\n\tmovl\t%r10d,%r8d\n\n\tandl\t%edi,%r15d\n\trorl\t$2,%r14d\n\taddl\t%r13d,%r12d\n\n\txorl\t%r15d,%r8d\n\taddl\t%r12d,%eax\n\taddl\t%r12d,%r8d\n\n\tleaq\t20(%rbp),%rbp\n\tmovl\t52(%rsp),%r13d\n\tmovl\t40(%rsp),%r15d\n\n\tmovl\t%r13d,%r12d\n\trorl\t$11,%r13d\n\taddl\t%r14d,%r8d\n\tmovl\t%r15d,%r14d\n\trorl\t$2,%r15d\n\n\txorl\t%r12d,%r13d\n\tshrl\t$3,%r12d\n\trorl\t$7,%r13d\n\txorl\t%r14d,%r15d\n\tshrl\t$10,%r14d\n\n\trorl\t$17,%r15d\n\txorl\t%r13d,%r12d\n\txorl\t%r14d,%r15d\n\taddl\t20(%rsp),%r12d\n\n\taddl\t48(%rsp),%r12d\n\tmovl\t%eax,%r13d\n\taddl\t%r15d,%r12d\n\tmovl\t%r8d,%r14d\n\trorl\t$14,%r13d\n\tmovl\t%ebx,%r15d\n\n\txorl\t%eax,%r13d\n\trorl\t$9,%r14d\n\txorl\t%ecx,%r15d\n\n\tmovl\t%r12d,48(%rsp)\n\txorl\t%r8d,%r14d\n\tandl\t%eax,%r15d\n\n\trorl\t$5,%r13d\n\taddl\t%edx,%r12d\n\txorl\t%ecx,%r15d\n\n\trorl\t$11,%r14d\n\txorl\t%eax,%r13d\n\taddl\t%r15d,%r12d\n\n\tmovl\t%r8d,%r15d\n\taddl\t(%rbp),%r12d\n\txorl\t%r8d,%r14d\n\n\txorl\t%r9d,%r15d\n\trorl\t$6,%r13d\n\tmovl\t%r9d,%edx\n\n\tandl\t%r15d,%edi\n\trorl\t$2,%r14d\n\taddl\t%r13d,%r12d\n\n\txorl\t%edi,%edx\n\taddl\t%r12d,%r11d\n\taddl\t%r12d,%edx\n\n\tleaq\t4(%rbp),%rbp\n\tmovl\t56(%rsp),%r13d\n\tmovl\t44(%rsp),%edi\n\n\tmovl\t%r13d,%r12d\n\trorl\t$11,%r13d\n\taddl\t%r14d,%edx\n\tmovl\t%edi,%r14d\n\trorl\t$2,%edi\n\n\txorl\t%r12d,%r13d\n\tshrl\t$3,%r12d\n\trorl\t$7,%r13d\n\txorl\t%r14d,%edi\n\tshrl\t$10,%r14d\n\n\trorl\t$17,%edi\n\txorl\t%r13d,%r12d\n\txorl\t%r14d,%edi\n\taddl\t24(%rsp),%r12d\n\n\taddl\t52(%rsp),%r12d\n\tmovl\t%r11d,%r13d\n\taddl\t%edi,%r12d\n\tmovl\t%edx,%r14d\n\trorl\t$14,%r13d\n\tmovl\t%eax,%edi\n\n\txorl\t%r11d,%r13d\n\trorl\t$9,%r14d\n\txorl\t%ebx,%edi\n\n\tmovl\t%r12d,52(%rsp)\n\txorl\t%edx,%r14d\n\tandl\t%r11d,%edi\n\n\trorl\t$5,%r13d\n\taddl\t%ecx,%r12d\n\txorl\t%ebx,%edi\n\n\trorl\t$11,%r14d\n\txorl\t%r11d,%r13d\n\taddl\t%edi,%r12d\n\n\tmovl\t%edx,%edi\n\taddl\t(%rbp),%r12d\n\txorl\t%edx,%r14d\n\n\txorl\t%r8d,%edi\n\trorl\t$6,%r13d\n\tmovl\t%r8d,%ecx\n\n\tandl\t%edi,%r15d\n\trorl\t$2,%r14d\n\taddl\t%r13d,%r12d\n\n\txorl\t%r15d,%ecx\n\taddl\t%r12d,%r10d\n\taddl\t%r12d,%ecx\n\n\tleaq\t4(%rbp),%rbp\n\tmovl\t60(%rsp),%r13d\n\tmovl\t48(%rsp),%r15d\n\n\tmovl\t%r13d,%r12d\n\trorl\t$11,%r13d\n\taddl\t%r14d,%ecx\n\tmovl\t%r15d,%r14d\n\trorl\t$2,%r15d\n\n\txorl\t%r12d,%r13d\n\tshrl\t$3,%r12d\n\trorl\t$7,%r13d\n\txorl\t%r14d,%r15d\n\tshrl\t$10,%r14d\n\n\trorl\t$17,%r15d\n\txorl\t%r13d,%r12d\n\txorl\t%r14d,%r15d\n\taddl\t28(%rsp),%r12d\n\n\taddl\t56(%rsp),%r12d\n\tmovl\t%r10d,%r13d\n\taddl\t%r15d,%r12d\n\tmovl\t%ecx,%r14d\n\trorl\t$14,%r13d\n\tmovl\t%r11d,%r15d\n\n\txorl\t%r10d,%r13d\n\trorl\t$9,%r14d\n\txorl\t%eax,%r15d\n\n\tmovl\t%r12d,56(%rsp)\n\txorl\t%ecx,%r14d\n\tandl\t%r10d,%r15d\n\n\trorl\t$5,%r13d\n\taddl\t%ebx,%r12d\n\txorl\t%eax,%r15d\n\n\trorl\t$11,%r14d\n\txorl\t%r10d,%r13d\n\taddl\t%r15d,%r12d\n\n\tmovl\t%ecx,%r15d\n\taddl\t(%rbp),%r12d\n\txorl\t%ecx,%r14d\n\n\txorl\t%edx,%r15d\n\trorl\t$6,%r13d\n\tmovl\t%edx,%ebx\n\n\tandl\t%r15d,%edi\n\trorl\t$2,%r14d\n\taddl\t%r13d,%r12d\n\n\txorl\t%edi,%ebx\n\taddl\t%r12d,%r9d\n\taddl\t%r12d,%ebx\n\n\tleaq\t4(%rbp),%rbp\n\tmovl\t0(%rsp),%r13d\n\tmovl\t52(%rsp),%edi\n\n\tmovl\t%r13d,%r12d\n\trorl\t$11,%r13d\n\taddl\t%r14d,%ebx\n\tmovl\t%edi,%r14d\n\trorl\t$2,%edi\n\n\txorl\t%r12d,%r13d\n\tshrl\t$3,%r12d\n\trorl\t$7,%r13d\n\txorl\t%r14d,%edi\n\tshrl\t$10,%r14d\n\n\trorl\t$17,%edi\n\txorl\t%r13d,%r12d\n\txorl\t%r14d,%edi\n\taddl\t32(%rsp),%r12d\n\n\taddl\t60(%rsp),%r12d\n\tmovl\t%r9d,%r13d\n\taddl\t%edi,%r12d\n\tmovl\t%ebx,%r14d\n\trorl\t$14,%r13d\n\tmovl\t%r10d,%edi\n\n\txorl\t%r9d,%r13d\n\trorl\t$9,%r14d\n\txorl\t%r11d,%edi\n\n\tmovl\t%r12d,60(%rsp)\n\txorl\t%ebx,%r14d\n\tandl\t%r9d,%edi\n\n\trorl\t$5,%r13d\n\taddl\t%eax,%r12d\n\txorl\t%r11d,%edi\n\n\trorl\t$11,%r14d\n\txorl\t%r9d,%r13d\n\taddl\t%edi,%r12d\n\n\tmovl\t%ebx,%edi\n\taddl\t(%rbp),%r12d\n\txorl\t%ebx,%r14d\n\n\txorl\t%ecx,%edi\n\trorl\t$6,%r13d\n\tmovl\t%ecx,%eax\n\n\tandl\t%edi,%r15d\n\trorl\t$2,%r14d\n\taddl\t%r13d,%r12d\n\n\txorl\t%r15d,%eax\n\taddl\t%r12d,%r8d\n\taddl\t%r12d,%eax\n\n\tleaq\t20(%rbp),%rbp\n\tcmpb\t$0,3(%rbp)\n\tjnz\tL$rounds_16_xx\n\n\tmovq\t64+0(%rsp),%rdi\n\taddl\t%r14d,%eax\n\tleaq\t64(%rsi),%rsi\n\n\taddl\t0(%rdi),%eax\n\taddl\t4(%rdi),%ebx\n\taddl\t8(%rdi),%ecx\n\taddl\t12(%rdi),%edx\n\taddl\t16(%rdi),%r8d\n\taddl\t20(%rdi),%r9d\n\taddl\t24(%rdi),%r10d\n\taddl\t28(%rdi),%r11d\n\n\tcmpq\t64+16(%rsp),%rsi\n\n\tmovl\t%eax,0(%rdi)\n\tmovl\t%ebx,4(%rdi)\n\tmovl\t%ecx,8(%rdi)\n\tmovl\t%edx,12(%rdi)\n\tmovl\t%r8d,16(%rdi)\n\tmovl\t%r9d,20(%rdi)\n\tmovl\t%r10d,24(%rdi)\n\tmovl\t%r11d,28(%rdi)\n\tjb\tL$loop\n\n\tmovq\t88(%rsp),%rsi\n\n\tmovq\t-48(%rsi),%r15\n\n\tmovq\t-40(%rsi),%r14\n\n\tmovq\t-32(%rsi),%r13\n\n\tmovq\t-24(%rsi),%r12\n\n\tmovq\t-16(%rsi),%rbp\n\n\tmovq\t-8(%rsi),%rbx\n\n\tleaq\t(%rsi),%rsp\n\nL$epilogue:\n\tret\n\n\n.section\t__DATA,__const\n.p2align\t6\n\nK256:\n.long\t0x428a2f98,0x71374491,0xb5c0fbcf,0xe9b5dba5\n.long\t0x428a2f98,0x71374491,0xb5c0fbcf,0xe9b5dba5\n.long\t0x3956c25b,0x59f111f1,0x923f82a4,0xab1c5ed5\n.long\t0x3956c25b,0x59f111f1,0x923f82a4,0xab1c5ed5\n.long\t0xd807aa98,0x12835b01,0x243185be,0x550c7dc3\n.long\t0xd807aa98,0x12835b01,0x243185be,0x550c7dc3\n.long\t0x72be5d74,0x80deb1fe,0x9bdc06a7,0xc19bf174\n.long\t0x72be5d74,0x80deb1fe,0x9bdc06a7,0xc19bf174\n.long\t0xe49b69c1,0xefbe4786,0x0fc19dc6,0x240ca1cc\n.long\t0xe49b69c1,0xefbe4786,0x0fc19dc6,0x240ca1cc\n.long\t0x2de92c6f,0x4a7484aa,0x5cb0a9dc,0x76f988da\n.long\t0x2de92c6f,0x4a7484aa,0x5cb0a9dc,0x76f988da\n.long\t0x983e5152,0xa831c66d,0xb00327c8,0xbf597fc7\n.long\t0x983e5152,0xa831c66d,0xb00327c8,0xbf597fc7\n.long\t0xc6e00bf3,0xd5a79147,0x06ca6351,0x14292967\n.long\t0xc6e00bf3,0xd5a79147,0x06ca6351,0x14292967\n.long\t0x27b70a85,0x2e1b2138,0x4d2c6dfc,0x53380d13\n.long\t0x27b70a85,0x2e1b2138,0x4d2c6dfc,0x53380d13\n.long\t0x650a7354,0x766a0abb,0x81c2c92e,0x92722c85\n.long\t0x650a7354,0x766a0abb,0x81c2c92e,0x92722c85\n.long\t0xa2bfe8a1,0xa81a664b,0xc24b8b70,0xc76c51a3\n.long\t0xa2bfe8a1,0xa81a664b,0xc24b8b70,0xc76c51a3\n.long\t0xd192e819,0xd6990624,0xf40e3585,0x106aa070\n.long\t0xd192e819,0xd6990624,0xf40e3585,0x106aa070\n.long\t0x19a4c116,0x1e376c08,0x2748774c,0x34b0bcb5\n.long\t0x19a4c116,0x1e376c08,0x2748774c,0x34b0bcb5\n.long\t0x391c0cb3,0x4ed8aa4a,0x5b9cca4f,0x682e6ff3\n.long\t0x391c0cb3,0x4ed8aa4a,0x5b9cca4f,0x682e6ff3\n.long\t0x748f82ee,0x78a5636f,0x84c87814,0x8cc70208\n.long\t0x748f82ee,0x78a5636f,0x84c87814,0x8cc70208\n.long\t0x90befffa,0xa4506ceb,0xbef9a3f7,0xc67178f2\n.long\t0x90befffa,0xa4506ceb,0xbef9a3f7,0xc67178f2\n\n.long\t0x00010203,0x04050607,0x08090a0b,0x0c0d0e0f\n.long\t0x00010203,0x04050607,0x08090a0b,0x0c0d0e0f\n.long\t0x03020100,0x0b0a0908,0xffffffff,0xffffffff\n.long\t0x03020100,0x0b0a0908,0xffffffff,0xffffffff\n.long\t0xffffffff,0xffffffff,0x03020100,0x0b0a0908\n.long\t0xffffffff,0xffffffff,0x03020100,0x0b0a0908\n.byte\t83,72,65,50,53,54,32,98,108,111,99,107,32,116,114,97,110,115,102,111,114,109,32,102,111,114,32,120,56,54,95,54,52,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0\n.text\t\n.globl\t_sha256_block_data_order_hw\n.private_extern _sha256_block_data_order_hw\n\n.p2align\t6\n_sha256_block_data_order_hw:\n\n_CET_ENDBR\n\tleaq\tK256+128(%rip),%rcx\n\tmovdqu\t(%rdi),%xmm1\n\tmovdqu\t16(%rdi),%xmm2\n\tmovdqa\t512-128(%rcx),%xmm7\n\n\tpshufd\t$0x1b,%xmm1,%xmm0\n\tpshufd\t$0xb1,%xmm1,%xmm1\n\tpshufd\t$0x1b,%xmm2,%xmm2\n\tmovdqa\t%xmm7,%xmm8\n.byte\t102,15,58,15,202,8\n\tpunpcklqdq\t%xmm0,%xmm2\n\tjmp\tL$oop_shaext\n\n.p2align\t4\nL$oop_shaext:\n\tmovdqu\t(%rsi),%xmm3\n\tmovdqu\t16(%rsi),%xmm4\n\tmovdqu\t32(%rsi),%xmm5\n.byte\t102,15,56,0,223\n\tmovdqu\t48(%rsi),%xmm6\n\n\tmovdqa\t0-128(%rcx),%xmm0\n\tpaddd\t%xmm3,%xmm0\n.byte\t102,15,56,0,231\n\tmovdqa\t%xmm2,%xmm10\n.byte\t15,56,203,209\n\tpshufd\t$0x0e,%xmm0,%xmm0\n\tnop\n\tmovdqa\t%xmm1,%xmm9\n.byte\t15,56,203,202\n\n\tmovdqa\t32-128(%rcx),%xmm0\n\tpaddd\t%xmm4,%xmm0\n.byte\t102,15,56,0,239\n.byte\t15,56,203,209\n\tpshufd\t$0x0e,%xmm0,%xmm0\n\tleaq\t64(%rsi),%rsi\n.byte\t15,56,204,220\n.byte\t15,56,203,202\n\n\tmovdqa\t64-128(%rcx),%xmm0\n\tpaddd\t%xmm5,%xmm0\n.byte\t102,15,56,0,247\n.byte\t15,56,203,209\n\tpshufd\t$0x0e,%xmm0,%xmm0\n\tmovdqa\t%xmm6,%xmm7\n.byte\t102,15,58,15,253,4\n\tnop\n\tpaddd\t%xmm7,%xmm3\n.byte\t15,56,204,229\n.byte\t15,56,203,202\n\n\tmovdqa\t96-128(%rcx),%xmm0\n\tpaddd\t%xmm6,%xmm0\n.byte\t15,56,205,222\n.byte\t15,56,203,209\n\tpshufd\t$0x0e,%xmm0,%xmm0\n\tmovdqa\t%xmm3,%xmm7\n.byte\t102,15,58,15,254,4\n\tnop\n\tpaddd\t%xmm7,%xmm4\n.byte\t15,56,204,238\n.byte\t15,56,203,202\n\tmovdqa\t128-128(%rcx),%xmm0\n\tpaddd\t%xmm3,%xmm0\n.byte\t15,56,205,227\n.byte\t15,56,203,209\n\tpshufd\t$0x0e,%xmm0,%xmm0\n\tmovdqa\t%xmm4,%xmm7\n.byte\t102,15,58,15,251,4\n\tnop\n\tpaddd\t%xmm7,%xmm5\n.byte\t15,56,204,243\n.byte\t15,56,203,202\n\tmovdqa\t160-128(%rcx),%xmm0\n\tpaddd\t%xmm4,%xmm0\n.byte\t15,56,205,236\n.byte\t15,56,203,209\n\tpshufd\t$0x0e,%xmm0,%xmm0\n\tmovdqa\t%xmm5,%xmm7\n.byte\t102,15,58,15,252,4\n\tnop\n\tpaddd\t%xmm7,%xmm6\n.byte\t15,56,204,220\n.byte\t15,56,203,202\n\tmovdqa\t192-128(%rcx),%xmm0\n\tpaddd\t%xmm5,%xmm0\n.byte\t15,56,205,245\n.byte\t15,56,203,209\n\tpshufd\t$0x0e,%xmm0,%xmm0\n\tmovdqa\t%xmm6,%xmm7\n.byte\t102,15,58,15,253,4\n\tnop\n\tpaddd\t%xmm7,%xmm3\n.byte\t15,56,204,229\n.byte\t15,56,203,202\n\tmovdqa\t224-128(%rcx),%xmm0\n\tpaddd\t%xmm6,%xmm0\n.byte\t15,56,205,222\n.byte\t15,56,203,209\n\tpshufd\t$0x0e,%xmm0,%xmm0\n\tmovdqa\t%xmm3,%xmm7\n.byte\t102,15,58,15,254,4\n\tnop\n\tpaddd\t%xmm7,%xmm4\n.byte\t15,56,204,238\n.byte\t15,56,203,202\n\tmovdqa\t256-128(%rcx),%xmm0\n\tpaddd\t%xmm3,%xmm0\n.byte\t15,56,205,227\n.byte\t15,56,203,209\n\tpshufd\t$0x0e,%xmm0,%xmm0\n\tmovdqa\t%xmm4,%xmm7\n.byte\t102,15,58,15,251,4\n\tnop\n\tpaddd\t%xmm7,%xmm5\n.byte\t15,56,204,243\n.byte\t15,56,203,202\n\tmovdqa\t288-128(%rcx),%xmm0\n\tpaddd\t%xmm4,%xmm0\n.byte\t15,56,205,236\n.byte\t15,56,203,209\n\tpshufd\t$0x0e,%xmm0,%xmm0\n\tmovdqa\t%xmm5,%xmm7\n.byte\t102,15,58,15,252,4\n\tnop\n\tpaddd\t%xmm7,%xmm6\n.byte\t15,56,204,220\n.byte\t15,56,203,202\n\tmovdqa\t320-128(%rcx),%xmm0\n\tpaddd\t%xmm5,%xmm0\n.byte\t15,56,205,245\n.byte\t15,56,203,209\n\tpshufd\t$0x0e,%xmm0,%xmm0\n\tmovdqa\t%xmm6,%xmm7\n.byte\t102,15,58,15,253,4\n\tnop\n\tpaddd\t%xmm7,%xmm3\n.byte\t15,56,204,229\n.byte\t15,56,203,202\n\tmovdqa\t352-128(%rcx),%xmm0\n\tpaddd\t%xmm6,%xmm0\n.byte\t15,56,205,222\n.byte\t15,56,203,209\n\tpshufd\t$0x0e,%xmm0,%xmm0\n\tmovdqa\t%xmm3,%xmm7\n.byte\t102,15,58,15,254,4\n\tnop\n\tpaddd\t%xmm7,%xmm4\n.byte\t15,56,204,238\n.byte\t15,56,203,202\n\tmovdqa\t384-128(%rcx),%xmm0\n\tpaddd\t%xmm3,%xmm0\n.byte\t15,56,205,227\n.byte\t15,56,203,209\n\tpshufd\t$0x0e,%xmm0,%xmm0\n\tmovdqa\t%xmm4,%xmm7\n.byte\t102,15,58,15,251,4\n\tnop\n\tpaddd\t%xmm7,%xmm5\n.byte\t15,56,204,243\n.byte\t15,56,203,202\n\tmovdqa\t416-128(%rcx),%xmm0\n\tpaddd\t%xmm4,%xmm0\n.byte\t15,56,205,236\n.byte\t15,56,203,209\n\tpshufd\t$0x0e,%xmm0,%xmm0\n\tmovdqa\t%xmm5,%xmm7\n.byte\t102,15,58,15,252,4\n.byte\t15,56,203,202\n\tpaddd\t%xmm7,%xmm6\n\n\tmovdqa\t448-128(%rcx),%xmm0\n\tpaddd\t%xmm5,%xmm0\n.byte\t15,56,203,209\n\tpshufd\t$0x0e,%xmm0,%xmm0\n.byte\t15,56,205,245\n\tmovdqa\t%xmm8,%xmm7\n.byte\t15,56,203,202\n\n\tmovdqa\t480-128(%rcx),%xmm0\n\tpaddd\t%xmm6,%xmm0\n\tnop\n.byte\t15,56,203,209\n\tpshufd\t$0x0e,%xmm0,%xmm0\n\tdecq\t%rdx\n\tnop\n.byte\t15,56,203,202\n\n\tpaddd\t%xmm10,%xmm2\n\tpaddd\t%xmm9,%xmm1\n\tjnz\tL$oop_shaext\n\n\tpshufd\t$0xb1,%xmm2,%xmm2\n\tpshufd\t$0x1b,%xmm1,%xmm7\n\tpshufd\t$0xb1,%xmm1,%xmm1\n\tpunpckhqdq\t%xmm2,%xmm1\n.byte\t102,15,58,15,215,8\n\n\tmovdqu\t%xmm1,(%rdi)\n\tmovdqu\t%xmm2,16(%rdi)\n\tret\n\n\n.globl\t_sha256_block_data_order_ssse3\n.private_extern _sha256_block_data_order_ssse3\n\n.p2align\t6\n_sha256_block_data_order_ssse3:\n\n_CET_ENDBR\n\tmovq\t%rsp,%rax\n\n\tpushq\t%rbx\n\n\tpushq\t%rbp\n\n\tpushq\t%r12\n\n\tpushq\t%r13\n\n\tpushq\t%r14\n\n\tpushq\t%r15\n\n\tshlq\t$4,%rdx\n\tsubq\t$96,%rsp\n\tleaq\t(%rsi,%rdx,4),%rdx\n\tandq\t$-64,%rsp\n\tmovq\t%rdi,64+0(%rsp)\n\tmovq\t%rsi,64+8(%rsp)\n\tmovq\t%rdx,64+16(%rsp)\n\tmovq\t%rax,88(%rsp)\n\nL$prologue_ssse3:\n\n\tmovl\t0(%rdi),%eax\n\tmovl\t4(%rdi),%ebx\n\tmovl\t8(%rdi),%ecx\n\tmovl\t12(%rdi),%edx\n\tmovl\t16(%rdi),%r8d\n\tmovl\t20(%rdi),%r9d\n\tmovl\t24(%rdi),%r10d\n\tmovl\t28(%rdi),%r11d\n\n\n\tjmp\tL$loop_ssse3\n.p2align\t4\nL$loop_ssse3:\n\tmovdqa\tK256+512(%rip),%xmm7\n\tmovdqu\t0(%rsi),%xmm0\n\tmovdqu\t16(%rsi),%xmm1\n\tmovdqu\t32(%rsi),%xmm2\n.byte\t102,15,56,0,199\n\tmovdqu\t48(%rsi),%xmm3\n\tleaq\tK256(%rip),%rbp\n.byte\t102,15,56,0,207\n\tmovdqa\t0(%rbp),%xmm4\n\tmovdqa\t32(%rbp),%xmm5\n.byte\t102,15,56,0,215\n\tpaddd\t%xmm0,%xmm4\n\tmovdqa\t64(%rbp),%xmm6\n.byte\t102,15,56,0,223\n\tmovdqa\t96(%rbp),%xmm7\n\tpaddd\t%xmm1,%xmm5\n\tpaddd\t%xmm2,%xmm6\n\tpaddd\t%xmm3,%xmm7\n\tmovdqa\t%xmm4,0(%rsp)\n\tmovl\t%eax,%r14d\n\tmovdqa\t%xmm5,16(%rsp)\n\tmovl\t%ebx,%edi\n\tmovdqa\t%xmm6,32(%rsp)\n\txorl\t%ecx,%edi\n\tmovdqa\t%xmm7,48(%rsp)\n\tmovl\t%r8d,%r13d\n\tjmp\tL$ssse3_00_47\n\n.p2align\t4\nL$ssse3_00_47:\n\tsubq\t$-128,%rbp\n\trorl\t$14,%r13d\n\tmovdqa\t%xmm1,%xmm4\n\tmovl\t%r14d,%eax\n\tmovl\t%r9d,%r12d\n\tmovdqa\t%xmm3,%xmm7\n\trorl\t$9,%r14d\n\txorl\t%r8d,%r13d\n\txorl\t%r10d,%r12d\n\trorl\t$5,%r13d\n\txorl\t%eax,%r14d\n.byte\t102,15,58,15,224,4\n\tandl\t%r8d,%r12d\n\txorl\t%r8d,%r13d\n.byte\t102,15,58,15,250,4\n\taddl\t0(%rsp),%r11d\n\tmovl\t%eax,%r15d\n\txorl\t%r10d,%r12d\n\trorl\t$11,%r14d\n\tmovdqa\t%xmm4,%xmm5\n\txorl\t%ebx,%r15d\n\taddl\t%r12d,%r11d\n\tmovdqa\t%xmm4,%xmm6\n\trorl\t$6,%r13d\n\tandl\t%r15d,%edi\n\tpsrld\t$3,%xmm4\n\txorl\t%eax,%r14d\n\taddl\t%r13d,%r11d\n\txorl\t%ebx,%edi\n\tpaddd\t%xmm7,%xmm0\n\trorl\t$2,%r14d\n\taddl\t%r11d,%edx\n\tpsrld\t$7,%xmm6\n\taddl\t%edi,%r11d\n\tmovl\t%edx,%r13d\n\tpshufd\t$250,%xmm3,%xmm7\n\taddl\t%r11d,%r14d\n\trorl\t$14,%r13d\n\tpslld\t$14,%xmm5\n\tmovl\t%r14d,%r11d\n\tmovl\t%r8d,%r12d\n\tpxor\t%xmm6,%xmm4\n\trorl\t$9,%r14d\n\txorl\t%edx,%r13d\n\txorl\t%r9d,%r12d\n\trorl\t$5,%r13d\n\tpsrld\t$11,%xmm6\n\txorl\t%r11d,%r14d\n\tpxor\t%xmm5,%xmm4\n\tandl\t%edx,%r12d\n\txorl\t%edx,%r13d\n\tpslld\t$11,%xmm5\n\taddl\t4(%rsp),%r10d\n\tmovl\t%r11d,%edi\n\tpxor\t%xmm6,%xmm4\n\txorl\t%r9d,%r12d\n\trorl\t$11,%r14d\n\tmovdqa\t%xmm7,%xmm6\n\txorl\t%eax,%edi\n\taddl\t%r12d,%r10d\n\tpxor\t%xmm5,%xmm4\n\trorl\t$6,%r13d\n\tandl\t%edi,%r15d\n\txorl\t%r11d,%r14d\n\tpsrld\t$10,%xmm7\n\taddl\t%r13d,%r10d\n\txorl\t%eax,%r15d\n\tpaddd\t%xmm4,%xmm0\n\trorl\t$2,%r14d\n\taddl\t%r10d,%ecx\n\tpsrlq\t$17,%xmm6\n\taddl\t%r15d,%r10d\n\tmovl\t%ecx,%r13d\n\taddl\t%r10d,%r14d\n\tpxor\t%xmm6,%xmm7\n\trorl\t$14,%r13d\n\tmovl\t%r14d,%r10d\n\tmovl\t%edx,%r12d\n\trorl\t$9,%r14d\n\tpsrlq\t$2,%xmm6\n\txorl\t%ecx,%r13d\n\txorl\t%r8d,%r12d\n\tpxor\t%xmm6,%xmm7\n\trorl\t$5,%r13d\n\txorl\t%r10d,%r14d\n\tandl\t%ecx,%r12d\n\tpshufd\t$128,%xmm7,%xmm7\n\txorl\t%ecx,%r13d\n\taddl\t8(%rsp),%r9d\n\tmovl\t%r10d,%r15d\n\tpsrldq\t$8,%xmm7\n\txorl\t%r8d,%r12d\n\trorl\t$11,%r14d\n\txorl\t%r11d,%r15d\n\taddl\t%r12d,%r9d\n\trorl\t$6,%r13d\n\tpaddd\t%xmm7,%xmm0\n\tandl\t%r15d,%edi\n\txorl\t%r10d,%r14d\n\taddl\t%r13d,%r9d\n\tpshufd\t$80,%xmm0,%xmm7\n\txorl\t%r11d,%edi\n\trorl\t$2,%r14d\n\taddl\t%r9d,%ebx\n\tmovdqa\t%xmm7,%xmm6\n\taddl\t%edi,%r9d\n\tmovl\t%ebx,%r13d\n\tpsrld\t$10,%xmm7\n\taddl\t%r9d,%r14d\n\trorl\t$14,%r13d\n\tpsrlq\t$17,%xmm6\n\tmovl\t%r14d,%r9d\n\tmovl\t%ecx,%r12d\n\tpxor\t%xmm6,%xmm7\n\trorl\t$9,%r14d\n\txorl\t%ebx,%r13d\n\txorl\t%edx,%r12d\n\trorl\t$5,%r13d\n\txorl\t%r9d,%r14d\n\tpsrlq\t$2,%xmm6\n\tandl\t%ebx,%r12d\n\txorl\t%ebx,%r13d\n\taddl\t12(%rsp),%r8d\n\tpxor\t%xmm6,%xmm7\n\tmovl\t%r9d,%edi\n\txorl\t%edx,%r12d\n\trorl\t$11,%r14d\n\tpshufd\t$8,%xmm7,%xmm7\n\txorl\t%r10d,%edi\n\taddl\t%r12d,%r8d\n\tmovdqa\t0(%rbp),%xmm6\n\trorl\t$6,%r13d\n\tandl\t%edi,%r15d\n\tpslldq\t$8,%xmm7\n\txorl\t%r9d,%r14d\n\taddl\t%r13d,%r8d\n\txorl\t%r10d,%r15d\n\tpaddd\t%xmm7,%xmm0\n\trorl\t$2,%r14d\n\taddl\t%r8d,%eax\n\taddl\t%r15d,%r8d\n\tpaddd\t%xmm0,%xmm6\n\tmovl\t%eax,%r13d\n\taddl\t%r8d,%r14d\n\tmovdqa\t%xmm6,0(%rsp)\n\trorl\t$14,%r13d\n\tmovdqa\t%xmm2,%xmm4\n\tmovl\t%r14d,%r8d\n\tmovl\t%ebx,%r12d\n\tmovdqa\t%xmm0,%xmm7\n\trorl\t$9,%r14d\n\txorl\t%eax,%r13d\n\txorl\t%ecx,%r12d\n\trorl\t$5,%r13d\n\txorl\t%r8d,%r14d\n.byte\t102,15,58,15,225,4\n\tandl\t%eax,%r12d\n\txorl\t%eax,%r13d\n.byte\t102,15,58,15,251,4\n\taddl\t16(%rsp),%edx\n\tmovl\t%r8d,%r15d\n\txorl\t%ecx,%r12d\n\trorl\t$11,%r14d\n\tmovdqa\t%xmm4,%xmm5\n\txorl\t%r9d,%r15d\n\taddl\t%r12d,%edx\n\tmovdqa\t%xmm4,%xmm6\n\trorl\t$6,%r13d\n\tandl\t%r15d,%edi\n\tpsrld\t$3,%xmm4\n\txorl\t%r8d,%r14d\n\taddl\t%r13d,%edx\n\txorl\t%r9d,%edi\n\tpaddd\t%xmm7,%xmm1\n\trorl\t$2,%r14d\n\taddl\t%edx,%r11d\n\tpsrld\t$7,%xmm6\n\taddl\t%edi,%edx\n\tmovl\t%r11d,%r13d\n\tpshufd\t$250,%xmm0,%xmm7\n\taddl\t%edx,%r14d\n\trorl\t$14,%r13d\n\tpslld\t$14,%xmm5\n\tmovl\t%r14d,%edx\n\tmovl\t%eax,%r12d\n\tpxor\t%xmm6,%xmm4\n\trorl\t$9,%r14d\n\txorl\t%r11d,%r13d\n\txorl\t%ebx,%r12d\n\trorl\t$5,%r13d\n\tpsrld\t$11,%xmm6\n\txorl\t%edx,%r14d\n\tpxor\t%xmm5,%xmm4\n\tandl\t%r11d,%r12d\n\txorl\t%r11d,%r13d\n\tpslld\t$11,%xmm5\n\taddl\t20(%rsp),%ecx\n\tmovl\t%edx,%edi\n\tpxor\t%xmm6,%xmm4\n\txorl\t%ebx,%r12d\n\trorl\t$11,%r14d\n\tmovdqa\t%xmm7,%xmm6\n\txorl\t%r8d,%edi\n\taddl\t%r12d,%ecx\n\tpxor\t%xmm5,%xmm4\n\trorl\t$6,%r13d\n\tandl\t%edi,%r15d\n\txorl\t%edx,%r14d\n\tpsrld\t$10,%xmm7\n\taddl\t%r13d,%ecx\n\txorl\t%r8d,%r15d\n\tpaddd\t%xmm4,%xmm1\n\trorl\t$2,%r14d\n\taddl\t%ecx,%r10d\n\tpsrlq\t$17,%xmm6\n\taddl\t%r15d,%ecx\n\tmovl\t%r10d,%r13d\n\taddl\t%ecx,%r14d\n\tpxor\t%xmm6,%xmm7\n\trorl\t$14,%r13d\n\tmovl\t%r14d,%ecx\n\tmovl\t%r11d,%r12d\n\trorl\t$9,%r14d\n\tpsrlq\t$2,%xmm6\n\txorl\t%r10d,%r13d\n\txorl\t%eax,%r12d\n\tpxor\t%xmm6,%xmm7\n\trorl\t$5,%r13d\n\txorl\t%ecx,%r14d\n\tandl\t%r10d,%r12d\n\tpshufd\t$128,%xmm7,%xmm7\n\txorl\t%r10d,%r13d\n\taddl\t24(%rsp),%ebx\n\tmovl\t%ecx,%r15d\n\tpsrldq\t$8,%xmm7\n\txorl\t%eax,%r12d\n\trorl\t$11,%r14d\n\txorl\t%edx,%r15d\n\taddl\t%r12d,%ebx\n\trorl\t$6,%r13d\n\tpaddd\t%xmm7,%xmm1\n\tandl\t%r15d,%edi\n\txorl\t%ecx,%r14d\n\taddl\t%r13d,%ebx\n\tpshufd\t$80,%xmm1,%xmm7\n\txorl\t%edx,%edi\n\trorl\t$2,%r14d\n\taddl\t%ebx,%r9d\n\tmovdqa\t%xmm7,%xmm6\n\taddl\t%edi,%ebx\n\tmovl\t%r9d,%r13d\n\tpsrld\t$10,%xmm7\n\taddl\t%ebx,%r14d\n\trorl\t$14,%r13d\n\tpsrlq\t$17,%xmm6\n\tmovl\t%r14d,%ebx\n\tmovl\t%r10d,%r12d\n\tpxor\t%xmm6,%xmm7\n\trorl\t$9,%r14d\n\txorl\t%r9d,%r13d\n\txorl\t%r11d,%r12d\n\trorl\t$5,%r13d\n\txorl\t%ebx,%r14d\n\tpsrlq\t$2,%xmm6\n\tandl\t%r9d,%r12d\n\txorl\t%r9d,%r13d\n\taddl\t28(%rsp),%eax\n\tpxor\t%xmm6,%xmm7\n\tmovl\t%ebx,%edi\n\txorl\t%r11d,%r12d\n\trorl\t$11,%r14d\n\tpshufd\t$8,%xmm7,%xmm7\n\txorl\t%ecx,%edi\n\taddl\t%r12d,%eax\n\tmovdqa\t32(%rbp),%xmm6\n\trorl\t$6,%r13d\n\tandl\t%edi,%r15d\n\tpslldq\t$8,%xmm7\n\txorl\t%ebx,%r14d\n\taddl\t%r13d,%eax\n\txorl\t%ecx,%r15d\n\tpaddd\t%xmm7,%xmm1\n\trorl\t$2,%r14d\n\taddl\t%eax,%r8d\n\taddl\t%r15d,%eax\n\tpaddd\t%xmm1,%xmm6\n\tmovl\t%r8d,%r13d\n\taddl\t%eax,%r14d\n\tmovdqa\t%xmm6,16(%rsp)\n\trorl\t$14,%r13d\n\tmovdqa\t%xmm3,%xmm4\n\tmovl\t%r14d,%eax\n\tmovl\t%r9d,%r12d\n\tmovdqa\t%xmm1,%xmm7\n\trorl\t$9,%r14d\n\txorl\t%r8d,%r13d\n\txorl\t%r10d,%r12d\n\trorl\t$5,%r13d\n\txorl\t%eax,%r14d\n.byte\t102,15,58,15,226,4\n\tandl\t%r8d,%r12d\n\txorl\t%r8d,%r13d\n.byte\t102,15,58,15,248,4\n\taddl\t32(%rsp),%r11d\n\tmovl\t%eax,%r15d\n\txorl\t%r10d,%r12d\n\trorl\t$11,%r14d\n\tmovdqa\t%xmm4,%xmm5\n\txorl\t%ebx,%r15d\n\taddl\t%r12d,%r11d\n\tmovdqa\t%xmm4,%xmm6\n\trorl\t$6,%r13d\n\tandl\t%r15d,%edi\n\tpsrld\t$3,%xmm4\n\txorl\t%eax,%r14d\n\taddl\t%r13d,%r11d\n\txorl\t%ebx,%edi\n\tpaddd\t%xmm7,%xmm2\n\trorl\t$2,%r14d\n\taddl\t%r11d,%edx\n\tpsrld\t$7,%xmm6\n\taddl\t%edi,%r11d\n\tmovl\t%edx,%r13d\n\tpshufd\t$250,%xmm1,%xmm7\n\taddl\t%r11d,%r14d\n\trorl\t$14,%r13d\n\tpslld\t$14,%xmm5\n\tmovl\t%r14d,%r11d\n\tmovl\t%r8d,%r12d\n\tpxor\t%xmm6,%xmm4\n\trorl\t$9,%r14d\n\txorl\t%edx,%r13d\n\txorl\t%r9d,%r12d\n\trorl\t$5,%r13d\n\tpsrld\t$11,%xmm6\n\txorl\t%r11d,%r14d\n\tpxor\t%xmm5,%xmm4\n\tandl\t%edx,%r12d\n\txorl\t%edx,%r13d\n\tpslld\t$11,%xmm5\n\taddl\t36(%rsp),%r10d\n\tmovl\t%r11d,%edi\n\tpxor\t%xmm6,%xmm4\n\txorl\t%r9d,%r12d\n\trorl\t$11,%r14d\n\tmovdqa\t%xmm7,%xmm6\n\txorl\t%eax,%edi\n\taddl\t%r12d,%r10d\n\tpxor\t%xmm5,%xmm4\n\trorl\t$6,%r13d\n\tandl\t%edi,%r15d\n\txorl\t%r11d,%r14d\n\tpsrld\t$10,%xmm7\n\taddl\t%r13d,%r10d\n\txorl\t%eax,%r15d\n\tpaddd\t%xmm4,%xmm2\n\trorl\t$2,%r14d\n\taddl\t%r10d,%ecx\n\tpsrlq\t$17,%xmm6\n\taddl\t%r15d,%r10d\n\tmovl\t%ecx,%r13d\n\taddl\t%r10d,%r14d\n\tpxor\t%xmm6,%xmm7\n\trorl\t$14,%r13d\n\tmovl\t%r14d,%r10d\n\tmovl\t%edx,%r12d\n\trorl\t$9,%r14d\n\tpsrlq\t$2,%xmm6\n\txorl\t%ecx,%r13d\n\txorl\t%r8d,%r12d\n\tpxor\t%xmm6,%xmm7\n\trorl\t$5,%r13d\n\txorl\t%r10d,%r14d\n\tandl\t%ecx,%r12d\n\tpshufd\t$128,%xmm7,%xmm7\n\txorl\t%ecx,%r13d\n\taddl\t40(%rsp),%r9d\n\tmovl\t%r10d,%r15d\n\tpsrldq\t$8,%xmm7\n\txorl\t%r8d,%r12d\n\trorl\t$11,%r14d\n\txorl\t%r11d,%r15d\n\taddl\t%r12d,%r9d\n\trorl\t$6,%r13d\n\tpaddd\t%xmm7,%xmm2\n\tandl\t%r15d,%edi\n\txorl\t%r10d,%r14d\n\taddl\t%r13d,%r9d\n\tpshufd\t$80,%xmm2,%xmm7\n\txorl\t%r11d,%edi\n\trorl\t$2,%r14d\n\taddl\t%r9d,%ebx\n\tmovdqa\t%xmm7,%xmm6\n\taddl\t%edi,%r9d\n\tmovl\t%ebx,%r13d\n\tpsrld\t$10,%xmm7\n\taddl\t%r9d,%r14d\n\trorl\t$14,%r13d\n\tpsrlq\t$17,%xmm6\n\tmovl\t%r14d,%r9d\n\tmovl\t%ecx,%r12d\n\tpxor\t%xmm6,%xmm7\n\trorl\t$9,%r14d\n\txorl\t%ebx,%r13d\n\txorl\t%edx,%r12d\n\trorl\t$5,%r13d\n\txorl\t%r9d,%r14d\n\tpsrlq\t$2,%xmm6\n\tandl\t%ebx,%r12d\n\txorl\t%ebx,%r13d\n\taddl\t44(%rsp),%r8d\n\tpxor\t%xmm6,%xmm7\n\tmovl\t%r9d,%edi\n\txorl\t%edx,%r12d\n\trorl\t$11,%r14d\n\tpshufd\t$8,%xmm7,%xmm7\n\txorl\t%r10d,%edi\n\taddl\t%r12d,%r8d\n\tmovdqa\t64(%rbp),%xmm6\n\trorl\t$6,%r13d\n\tandl\t%edi,%r15d\n\tpslldq\t$8,%xmm7\n\txorl\t%r9d,%r14d\n\taddl\t%r13d,%r8d\n\txorl\t%r10d,%r15d\n\tpaddd\t%xmm7,%xmm2\n\trorl\t$2,%r14d\n\taddl\t%r8d,%eax\n\taddl\t%r15d,%r8d\n\tpaddd\t%xmm2,%xmm6\n\tmovl\t%eax,%r13d\n\taddl\t%r8d,%r14d\n\tmovdqa\t%xmm6,32(%rsp)\n\trorl\t$14,%r13d\n\tmovdqa\t%xmm0,%xmm4\n\tmovl\t%r14d,%r8d\n\tmovl\t%ebx,%r12d\n\tmovdqa\t%xmm2,%xmm7\n\trorl\t$9,%r14d\n\txorl\t%eax,%r13d\n\txorl\t%ecx,%r12d\n\trorl\t$5,%r13d\n\txorl\t%r8d,%r14d\n.byte\t102,15,58,15,227,4\n\tandl\t%eax,%r12d\n\txorl\t%eax,%r13d\n.byte\t102,15,58,15,249,4\n\taddl\t48(%rsp),%edx\n\tmovl\t%r8d,%r15d\n\txorl\t%ecx,%r12d\n\trorl\t$11,%r14d\n\tmovdqa\t%xmm4,%xmm5\n\txorl\t%r9d,%r15d\n\taddl\t%r12d,%edx\n\tmovdqa\t%xmm4,%xmm6\n\trorl\t$6,%r13d\n\tandl\t%r15d,%edi\n\tpsrld\t$3,%xmm4\n\txorl\t%r8d,%r14d\n\taddl\t%r13d,%edx\n\txorl\t%r9d,%edi\n\tpaddd\t%xmm7,%xmm3\n\trorl\t$2,%r14d\n\taddl\t%edx,%r11d\n\tpsrld\t$7,%xmm6\n\taddl\t%edi,%edx\n\tmovl\t%r11d,%r13d\n\tpshufd\t$250,%xmm2,%xmm7\n\taddl\t%edx,%r14d\n\trorl\t$14,%r13d\n\tpslld\t$14,%xmm5\n\tmovl\t%r14d,%edx\n\tmovl\t%eax,%r12d\n\tpxor\t%xmm6,%xmm4\n\trorl\t$9,%r14d\n\txorl\t%r11d,%r13d\n\txorl\t%ebx,%r12d\n\trorl\t$5,%r13d\n\tpsrld\t$11,%xmm6\n\txorl\t%edx,%r14d\n\tpxor\t%xmm5,%xmm4\n\tandl\t%r11d,%r12d\n\txorl\t%r11d,%r13d\n\tpslld\t$11,%xmm5\n\taddl\t52(%rsp),%ecx\n\tmovl\t%edx,%edi\n\tpxor\t%xmm6,%xmm4\n\txorl\t%ebx,%r12d\n\trorl\t$11,%r14d\n\tmovdqa\t%xmm7,%xmm6\n\txorl\t%r8d,%edi\n\taddl\t%r12d,%ecx\n\tpxor\t%xmm5,%xmm4\n\trorl\t$6,%r13d\n\tandl\t%edi,%r15d\n\txorl\t%edx,%r14d\n\tpsrld\t$10,%xmm7\n\taddl\t%r13d,%ecx\n\txorl\t%r8d,%r15d\n\tpaddd\t%xmm4,%xmm3\n\trorl\t$2,%r14d\n\taddl\t%ecx,%r10d\n\tpsrlq\t$17,%xmm6\n\taddl\t%r15d,%ecx\n\tmovl\t%r10d,%r13d\n\taddl\t%ecx,%r14d\n\tpxor\t%xmm6,%xmm7\n\trorl\t$14,%r13d\n\tmovl\t%r14d,%ecx\n\tmovl\t%r11d,%r12d\n\trorl\t$9,%r14d\n\tpsrlq\t$2,%xmm6\n\txorl\t%r10d,%r13d\n\txorl\t%eax,%r12d\n\tpxor\t%xmm6,%xmm7\n\trorl\t$5,%r13d\n\txorl\t%ecx,%r14d\n\tandl\t%r10d,%r12d\n\tpshufd\t$128,%xmm7,%xmm7\n\txorl\t%r10d,%r13d\n\taddl\t56(%rsp),%ebx\n\tmovl\t%ecx,%r15d\n\tpsrldq\t$8,%xmm7\n\txorl\t%eax,%r12d\n\trorl\t$11,%r14d\n\txorl\t%edx,%r15d\n\taddl\t%r12d,%ebx\n\trorl\t$6,%r13d\n\tpaddd\t%xmm7,%xmm3\n\tandl\t%r15d,%edi\n\txorl\t%ecx,%r14d\n\taddl\t%r13d,%ebx\n\tpshufd\t$80,%xmm3,%xmm7\n\txorl\t%edx,%edi\n\trorl\t$2,%r14d\n\taddl\t%ebx,%r9d\n\tmovdqa\t%xmm7,%xmm6\n\taddl\t%edi,%ebx\n\tmovl\t%r9d,%r13d\n\tpsrld\t$10,%xmm7\n\taddl\t%ebx,%r14d\n\trorl\t$14,%r13d\n\tpsrlq\t$17,%xmm6\n\tmovl\t%r14d,%ebx\n\tmovl\t%r10d,%r12d\n\tpxor\t%xmm6,%xmm7\n\trorl\t$9,%r14d\n\txorl\t%r9d,%r13d\n\txorl\t%r11d,%r12d\n\trorl\t$5,%r13d\n\txorl\t%ebx,%r14d\n\tpsrlq\t$2,%xmm6\n\tandl\t%r9d,%r12d\n\txorl\t%r9d,%r13d\n\taddl\t60(%rsp),%eax\n\tpxor\t%xmm6,%xmm7\n\tmovl\t%ebx,%edi\n\txorl\t%r11d,%r12d\n\trorl\t$11,%r14d\n\tpshufd\t$8,%xmm7,%xmm7\n\txorl\t%ecx,%edi\n\taddl\t%r12d,%eax\n\tmovdqa\t96(%rbp),%xmm6\n\trorl\t$6,%r13d\n\tandl\t%edi,%r15d\n\tpslldq\t$8,%xmm7\n\txorl\t%ebx,%r14d\n\taddl\t%r13d,%eax\n\txorl\t%ecx,%r15d\n\tpaddd\t%xmm7,%xmm3\n\trorl\t$2,%r14d\n\taddl\t%eax,%r8d\n\taddl\t%r15d,%eax\n\tpaddd\t%xmm3,%xmm6\n\tmovl\t%r8d,%r13d\n\taddl\t%eax,%r14d\n\tmovdqa\t%xmm6,48(%rsp)\n\tcmpb\t$0,131(%rbp)\n\tjne\tL$ssse3_00_47\n\trorl\t$14,%r13d\n\tmovl\t%r14d,%eax\n\tmovl\t%r9d,%r12d\n\trorl\t$9,%r14d\n\txorl\t%r8d,%r13d\n\txorl\t%r10d,%r12d\n\trorl\t$5,%r13d\n\txorl\t%eax,%r14d\n\tandl\t%r8d,%r12d\n\txorl\t%r8d,%r13d\n\taddl\t0(%rsp),%r11d\n\tmovl\t%eax,%r15d\n\txorl\t%r10d,%r12d\n\trorl\t$11,%r14d\n\txorl\t%ebx,%r15d\n\taddl\t%r12d,%r11d\n\trorl\t$6,%r13d\n\tandl\t%r15d,%edi\n\txorl\t%eax,%r14d\n\taddl\t%r13d,%r11d\n\txorl\t%ebx,%edi\n\trorl\t$2,%r14d\n\taddl\t%r11d,%edx\n\taddl\t%edi,%r11d\n\tmovl\t%edx,%r13d\n\taddl\t%r11d,%r14d\n\trorl\t$14,%r13d\n\tmovl\t%r14d,%r11d\n\tmovl\t%r8d,%r12d\n\trorl\t$9,%r14d\n\txorl\t%edx,%r13d\n\txorl\t%r9d,%r12d\n\trorl\t$5,%r13d\n\txorl\t%r11d,%r14d\n\tandl\t%edx,%r12d\n\txorl\t%edx,%r13d\n\taddl\t4(%rsp),%r10d\n\tmovl\t%r11d,%edi\n\txorl\t%r9d,%r12d\n\trorl\t$11,%r14d\n\txorl\t%eax,%edi\n\taddl\t%r12d,%r10d\n\trorl\t$6,%r13d\n\tandl\t%edi,%r15d\n\txorl\t%r11d,%r14d\n\taddl\t%r13d,%r10d\n\txorl\t%eax,%r15d\n\trorl\t$2,%r14d\n\taddl\t%r10d,%ecx\n\taddl\t%r15d,%r10d\n\tmovl\t%ecx,%r13d\n\taddl\t%r10d,%r14d\n\trorl\t$14,%r13d\n\tmovl\t%r14d,%r10d\n\tmovl\t%edx,%r12d\n\trorl\t$9,%r14d\n\txorl\t%ecx,%r13d\n\txorl\t%r8d,%r12d\n\trorl\t$5,%r13d\n\txorl\t%r10d,%r14d\n\tandl\t%ecx,%r12d\n\txorl\t%ecx,%r13d\n\taddl\t8(%rsp),%r9d\n\tmovl\t%r10d,%r15d\n\txorl\t%r8d,%r12d\n\trorl\t$11,%r14d\n\txorl\t%r11d,%r15d\n\taddl\t%r12d,%r9d\n\trorl\t$6,%r13d\n\tandl\t%r15d,%edi\n\txorl\t%r10d,%r14d\n\taddl\t%r13d,%r9d\n\txorl\t%r11d,%edi\n\trorl\t$2,%r14d\n\taddl\t%r9d,%ebx\n\taddl\t%edi,%r9d\n\tmovl\t%ebx,%r13d\n\taddl\t%r9d,%r14d\n\trorl\t$14,%r13d\n\tmovl\t%r14d,%r9d\n\tmovl\t%ecx,%r12d\n\trorl\t$9,%r14d\n\txorl\t%ebx,%r13d\n\txorl\t%edx,%r12d\n\trorl\t$5,%r13d\n\txorl\t%r9d,%r14d\n\tandl\t%ebx,%r12d\n\txorl\t%ebx,%r13d\n\taddl\t12(%rsp),%r8d\n\tmovl\t%r9d,%edi\n\txorl\t%edx,%r12d\n\trorl\t$11,%r14d\n\txorl\t%r10d,%edi\n\taddl\t%r12d,%r8d\n\trorl\t$6,%r13d\n\tandl\t%edi,%r15d\n\txorl\t%r9d,%r14d\n\taddl\t%r13d,%r8d\n\txorl\t%r10d,%r15d\n\trorl\t$2,%r14d\n\taddl\t%r8d,%eax\n\taddl\t%r15d,%r8d\n\tmovl\t%eax,%r13d\n\taddl\t%r8d,%r14d\n\trorl\t$14,%r13d\n\tmovl\t%r14d,%r8d\n\tmovl\t%ebx,%r12d\n\trorl\t$9,%r14d\n\txorl\t%eax,%r13d\n\txorl\t%ecx,%r12d\n\trorl\t$5,%r13d\n\txorl\t%r8d,%r14d\n\tandl\t%eax,%r12d\n\txorl\t%eax,%r13d\n\taddl\t16(%rsp),%edx\n\tmovl\t%r8d,%r15d\n\txorl\t%ecx,%r12d\n\trorl\t$11,%r14d\n\txorl\t%r9d,%r15d\n\taddl\t%r12d,%edx\n\trorl\t$6,%r13d\n\tandl\t%r15d,%edi\n\txorl\t%r8d,%r14d\n\taddl\t%r13d,%edx\n\txorl\t%r9d,%edi\n\trorl\t$2,%r14d\n\taddl\t%edx,%r11d\n\taddl\t%edi,%edx\n\tmovl\t%r11d,%r13d\n\taddl\t%edx,%r14d\n\trorl\t$14,%r13d\n\tmovl\t%r14d,%edx\n\tmovl\t%eax,%r12d\n\trorl\t$9,%r14d\n\txorl\t%r11d,%r13d\n\txorl\t%ebx,%r12d\n\trorl\t$5,%r13d\n\txorl\t%edx,%r14d\n\tandl\t%r11d,%r12d\n\txorl\t%r11d,%r13d\n\taddl\t20(%rsp),%ecx\n\tmovl\t%edx,%edi\n\txorl\t%ebx,%r12d\n\trorl\t$11,%r14d\n\txorl\t%r8d,%edi\n\taddl\t%r12d,%ecx\n\trorl\t$6,%r13d\n\tandl\t%edi,%r15d\n\txorl\t%edx,%r14d\n\taddl\t%r13d,%ecx\n\txorl\t%r8d,%r15d\n\trorl\t$2,%r14d\n\taddl\t%ecx,%r10d\n\taddl\t%r15d,%ecx\n\tmovl\t%r10d,%r13d\n\taddl\t%ecx,%r14d\n\trorl\t$14,%r13d\n\tmovl\t%r14d,%ecx\n\tmovl\t%r11d,%r12d\n\trorl\t$9,%r14d\n\txorl\t%r10d,%r13d\n\txorl\t%eax,%r12d\n\trorl\t$5,%r13d\n\txorl\t%ecx,%r14d\n\tandl\t%r10d,%r12d\n\txorl\t%r10d,%r13d\n\taddl\t24(%rsp),%ebx\n\tmovl\t%ecx,%r15d\n\txorl\t%eax,%r12d\n\trorl\t$11,%r14d\n\txorl\t%edx,%r15d\n\taddl\t%r12d,%ebx\n\trorl\t$6,%r13d\n\tandl\t%r15d,%edi\n\txorl\t%ecx,%r14d\n\taddl\t%r13d,%ebx\n\txorl\t%edx,%edi\n\trorl\t$2,%r14d\n\taddl\t%ebx,%r9d\n\taddl\t%edi,%ebx\n\tmovl\t%r9d,%r13d\n\taddl\t%ebx,%r14d\n\trorl\t$14,%r13d\n\tmovl\t%r14d,%ebx\n\tmovl\t%r10d,%r12d\n\trorl\t$9,%r14d\n\txorl\t%r9d,%r13d\n\txorl\t%r11d,%r12d\n\trorl\t$5,%r13d\n\txorl\t%ebx,%r14d\n\tandl\t%r9d,%r12d\n\txorl\t%r9d,%r13d\n\taddl\t28(%rsp),%eax\n\tmovl\t%ebx,%edi\n\txorl\t%r11d,%r12d\n\trorl\t$11,%r14d\n\txorl\t%ecx,%edi\n\taddl\t%r12d,%eax\n\trorl\t$6,%r13d\n\tandl\t%edi,%r15d\n\txorl\t%ebx,%r14d\n\taddl\t%r13d,%eax\n\txorl\t%ecx,%r15d\n\trorl\t$2,%r14d\n\taddl\t%eax,%r8d\n\taddl\t%r15d,%eax\n\tmovl\t%r8d,%r13d\n\taddl\t%eax,%r14d\n\trorl\t$14,%r13d\n\tmovl\t%r14d,%eax\n\tmovl\t%r9d,%r12d\n\trorl\t$9,%r14d\n\txorl\t%r8d,%r13d\n\txorl\t%r10d,%r12d\n\trorl\t$5,%r13d\n\txorl\t%eax,%r14d\n\tandl\t%r8d,%r12d\n\txorl\t%r8d,%r13d\n\taddl\t32(%rsp),%r11d\n\tmovl\t%eax,%r15d\n\txorl\t%r10d,%r12d\n\trorl\t$11,%r14d\n\txorl\t%ebx,%r15d\n\taddl\t%r12d,%r11d\n\trorl\t$6,%r13d\n\tandl\t%r15d,%edi\n\txorl\t%eax,%r14d\n\taddl\t%r13d,%r11d\n\txorl\t%ebx,%edi\n\trorl\t$2,%r14d\n\taddl\t%r11d,%edx\n\taddl\t%edi,%r11d\n\tmovl\t%edx,%r13d\n\taddl\t%r11d,%r14d\n\trorl\t$14,%r13d\n\tmovl\t%r14d,%r11d\n\tmovl\t%r8d,%r12d\n\trorl\t$9,%r14d\n\txorl\t%edx,%r13d\n\txorl\t%r9d,%r12d\n\trorl\t$5,%r13d\n\txorl\t%r11d,%r14d\n\tandl\t%edx,%r12d\n\txorl\t%edx,%r13d\n\taddl\t36(%rsp),%r10d\n\tmovl\t%r11d,%edi\n\txorl\t%r9d,%r12d\n\trorl\t$11,%r14d\n\txorl\t%eax,%edi\n\taddl\t%r12d,%r10d\n\trorl\t$6,%r13d\n\tandl\t%edi,%r15d\n\txorl\t%r11d,%r14d\n\taddl\t%r13d,%r10d\n\txorl\t%eax,%r15d\n\trorl\t$2,%r14d\n\taddl\t%r10d,%ecx\n\taddl\t%r15d,%r10d\n\tmovl\t%ecx,%r13d\n\taddl\t%r10d,%r14d\n\trorl\t$14,%r13d\n\tmovl\t%r14d,%r10d\n\tmovl\t%edx,%r12d\n\trorl\t$9,%r14d\n\txorl\t%ecx,%r13d\n\txorl\t%r8d,%r12d\n\trorl\t$5,%r13d\n\txorl\t%r10d,%r14d\n\tandl\t%ecx,%r12d\n\txorl\t%ecx,%r13d\n\taddl\t40(%rsp),%r9d\n\tmovl\t%r10d,%r15d\n\txorl\t%r8d,%r12d\n\trorl\t$11,%r14d\n\txorl\t%r11d,%r15d\n\taddl\t%r12d,%r9d\n\trorl\t$6,%r13d\n\tandl\t%r15d,%edi\n\txorl\t%r10d,%r14d\n\taddl\t%r13d,%r9d\n\txorl\t%r11d,%edi\n\trorl\t$2,%r14d\n\taddl\t%r9d,%ebx\n\taddl\t%edi,%r9d\n\tmovl\t%ebx,%r13d\n\taddl\t%r9d,%r14d\n\trorl\t$14,%r13d\n\tmovl\t%r14d,%r9d\n\tmovl\t%ecx,%r12d\n\trorl\t$9,%r14d\n\txorl\t%ebx,%r13d\n\txorl\t%edx,%r12d\n\trorl\t$5,%r13d\n\txorl\t%r9d,%r14d\n\tandl\t%ebx,%r12d\n\txorl\t%ebx,%r13d\n\taddl\t44(%rsp),%r8d\n\tmovl\t%r9d,%edi\n\txorl\t%edx,%r12d\n\trorl\t$11,%r14d\n\txorl\t%r10d,%edi\n\taddl\t%r12d,%r8d\n\trorl\t$6,%r13d\n\tandl\t%edi,%r15d\n\txorl\t%r9d,%r14d\n\taddl\t%r13d,%r8d\n\txorl\t%r10d,%r15d\n\trorl\t$2,%r14d\n\taddl\t%r8d,%eax\n\taddl\t%r15d,%r8d\n\tmovl\t%eax,%r13d\n\taddl\t%r8d,%r14d\n\trorl\t$14,%r13d\n\tmovl\t%r14d,%r8d\n\tmovl\t%ebx,%r12d\n\trorl\t$9,%r14d\n\txorl\t%eax,%r13d\n\txorl\t%ecx,%r12d\n\trorl\t$5,%r13d\n\txorl\t%r8d,%r14d\n\tandl\t%eax,%r12d\n\txorl\t%eax,%r13d\n\taddl\t48(%rsp),%edx\n\tmovl\t%r8d,%r15d\n\txorl\t%ecx,%r12d\n\trorl\t$11,%r14d\n\txorl\t%r9d,%r15d\n\taddl\t%r12d,%edx\n\trorl\t$6,%r13d\n\tandl\t%r15d,%edi\n\txorl\t%r8d,%r14d\n\taddl\t%r13d,%edx\n\txorl\t%r9d,%edi\n\trorl\t$2,%r14d\n\taddl\t%edx,%r11d\n\taddl\t%edi,%edx\n\tmovl\t%r11d,%r13d\n\taddl\t%edx,%r14d\n\trorl\t$14,%r13d\n\tmovl\t%r14d,%edx\n\tmovl\t%eax,%r12d\n\trorl\t$9,%r14d\n\txorl\t%r11d,%r13d\n\txorl\t%ebx,%r12d\n\trorl\t$5,%r13d\n\txorl\t%edx,%r14d\n\tandl\t%r11d,%r12d\n\txorl\t%r11d,%r13d\n\taddl\t52(%rsp),%ecx\n\tmovl\t%edx,%edi\n\txorl\t%ebx,%r12d\n\trorl\t$11,%r14d\n\txorl\t%r8d,%edi\n\taddl\t%r12d,%ecx\n\trorl\t$6,%r13d\n\tandl\t%edi,%r15d\n\txorl\t%edx,%r14d\n\taddl\t%r13d,%ecx\n\txorl\t%r8d,%r15d\n\trorl\t$2,%r14d\n\taddl\t%ecx,%r10d\n\taddl\t%r15d,%ecx\n\tmovl\t%r10d,%r13d\n\taddl\t%ecx,%r14d\n\trorl\t$14,%r13d\n\tmovl\t%r14d,%ecx\n\tmovl\t%r11d,%r12d\n\trorl\t$9,%r14d\n\txorl\t%r10d,%r13d\n\txorl\t%eax,%r12d\n\trorl\t$5,%r13d\n\txorl\t%ecx,%r14d\n\tandl\t%r10d,%r12d\n\txorl\t%r10d,%r13d\n\taddl\t56(%rsp),%ebx\n\tmovl\t%ecx,%r15d\n\txorl\t%eax,%r12d\n\trorl\t$11,%r14d\n\txorl\t%edx,%r15d\n\taddl\t%r12d,%ebx\n\trorl\t$6,%r13d\n\tandl\t%r15d,%edi\n\txorl\t%ecx,%r14d\n\taddl\t%r13d,%ebx\n\txorl\t%edx,%edi\n\trorl\t$2,%r14d\n\taddl\t%ebx,%r9d\n\taddl\t%edi,%ebx\n\tmovl\t%r9d,%r13d\n\taddl\t%ebx,%r14d\n\trorl\t$14,%r13d\n\tmovl\t%r14d,%ebx\n\tmovl\t%r10d,%r12d\n\trorl\t$9,%r14d\n\txorl\t%r9d,%r13d\n\txorl\t%r11d,%r12d\n\trorl\t$5,%r13d\n\txorl\t%ebx,%r14d\n\tandl\t%r9d,%r12d\n\txorl\t%r9d,%r13d\n\taddl\t60(%rsp),%eax\n\tmovl\t%ebx,%edi\n\txorl\t%r11d,%r12d\n\trorl\t$11,%r14d\n\txorl\t%ecx,%edi\n\taddl\t%r12d,%eax\n\trorl\t$6,%r13d\n\tandl\t%edi,%r15d\n\txorl\t%ebx,%r14d\n\taddl\t%r13d,%eax\n\txorl\t%ecx,%r15d\n\trorl\t$2,%r14d\n\taddl\t%eax,%r8d\n\taddl\t%r15d,%eax\n\tmovl\t%r8d,%r13d\n\taddl\t%eax,%r14d\n\tmovq\t64+0(%rsp),%rdi\n\tmovl\t%r14d,%eax\n\n\taddl\t0(%rdi),%eax\n\tleaq\t64(%rsi),%rsi\n\taddl\t4(%rdi),%ebx\n\taddl\t8(%rdi),%ecx\n\taddl\t12(%rdi),%edx\n\taddl\t16(%rdi),%r8d\n\taddl\t20(%rdi),%r9d\n\taddl\t24(%rdi),%r10d\n\taddl\t28(%rdi),%r11d\n\n\tcmpq\t64+16(%rsp),%rsi\n\n\tmovl\t%eax,0(%rdi)\n\tmovl\t%ebx,4(%rdi)\n\tmovl\t%ecx,8(%rdi)\n\tmovl\t%edx,12(%rdi)\n\tmovl\t%r8d,16(%rdi)\n\tmovl\t%r9d,20(%rdi)\n\tmovl\t%r10d,24(%rdi)\n\tmovl\t%r11d,28(%rdi)\n\tjb\tL$loop_ssse3\n\n\tmovq\t88(%rsp),%rsi\n\n\tmovq\t-48(%rsi),%r15\n\n\tmovq\t-40(%rsi),%r14\n\n\tmovq\t-32(%rsi),%r13\n\n\tmovq\t-24(%rsi),%r12\n\n\tmovq\t-16(%rsi),%rbp\n\n\tmovq\t-8(%rsi),%rbx\n\n\tleaq\t(%rsi),%rsp\n\nL$epilogue_ssse3:\n\tret\n\n\n.globl\t_sha256_block_data_order_avx\n.private_extern _sha256_block_data_order_avx\n\n.p2align\t6\n_sha256_block_data_order_avx:\n\n_CET_ENDBR\n\tmovq\t%rsp,%rax\n\n\tpushq\t%rbx\n\n\tpushq\t%rbp\n\n\tpushq\t%r12\n\n\tpushq\t%r13\n\n\tpushq\t%r14\n\n\tpushq\t%r15\n\n\tshlq\t$4,%rdx\n\tsubq\t$96,%rsp\n\tleaq\t(%rsi,%rdx,4),%rdx\n\tandq\t$-64,%rsp\n\tmovq\t%rdi,64+0(%rsp)\n\tmovq\t%rsi,64+8(%rsp)\n\tmovq\t%rdx,64+16(%rsp)\n\tmovq\t%rax,88(%rsp)\n\nL$prologue_avx:\n\n\tvzeroupper\n\tmovl\t0(%rdi),%eax\n\tmovl\t4(%rdi),%ebx\n\tmovl\t8(%rdi),%ecx\n\tmovl\t12(%rdi),%edx\n\tmovl\t16(%rdi),%r8d\n\tmovl\t20(%rdi),%r9d\n\tmovl\t24(%rdi),%r10d\n\tmovl\t28(%rdi),%r11d\n\tvmovdqa\tK256+512+32(%rip),%xmm8\n\tvmovdqa\tK256+512+64(%rip),%xmm9\n\tjmp\tL$loop_avx\n.p2align\t4\nL$loop_avx:\n\tvmovdqa\tK256+512(%rip),%xmm7\n\tvmovdqu\t0(%rsi),%xmm0\n\tvmovdqu\t16(%rsi),%xmm1\n\tvmovdqu\t32(%rsi),%xmm2\n\tvmovdqu\t48(%rsi),%xmm3\n\tvpshufb\t%xmm7,%xmm0,%xmm0\n\tleaq\tK256(%rip),%rbp\n\tvpshufb\t%xmm7,%xmm1,%xmm1\n\tvpshufb\t%xmm7,%xmm2,%xmm2\n\tvpaddd\t0(%rbp),%xmm0,%xmm4\n\tvpshufb\t%xmm7,%xmm3,%xmm3\n\tvpaddd\t32(%rbp),%xmm1,%xmm5\n\tvpaddd\t64(%rbp),%xmm2,%xmm6\n\tvpaddd\t96(%rbp),%xmm3,%xmm7\n\tvmovdqa\t%xmm4,0(%rsp)\n\tmovl\t%eax,%r14d\n\tvmovdqa\t%xmm5,16(%rsp)\n\tmovl\t%ebx,%edi\n\tvmovdqa\t%xmm6,32(%rsp)\n\txorl\t%ecx,%edi\n\tvmovdqa\t%xmm7,48(%rsp)\n\tmovl\t%r8d,%r13d\n\tjmp\tL$avx_00_47\n\n.p2align\t4\nL$avx_00_47:\n\tsubq\t$-128,%rbp\n\tvpalignr\t$4,%xmm0,%xmm1,%xmm4\n\tshrdl\t$14,%r13d,%r13d\n\tmovl\t%r14d,%eax\n\tmovl\t%r9d,%r12d\n\tvpalignr\t$4,%xmm2,%xmm3,%xmm7\n\tshrdl\t$9,%r14d,%r14d\n\txorl\t%r8d,%r13d\n\txorl\t%r10d,%r12d\n\tvpsrld\t$7,%xmm4,%xmm6\n\tshrdl\t$5,%r13d,%r13d\n\txorl\t%eax,%r14d\n\tandl\t%r8d,%r12d\n\tvpaddd\t%xmm7,%xmm0,%xmm0\n\txorl\t%r8d,%r13d\n\taddl\t0(%rsp),%r11d\n\tmovl\t%eax,%r15d\n\tvpsrld\t$3,%xmm4,%xmm7\n\txorl\t%r10d,%r12d\n\tshrdl\t$11,%r14d,%r14d\n\txorl\t%ebx,%r15d\n\tvpslld\t$14,%xmm4,%xmm5\n\taddl\t%r12d,%r11d\n\tshrdl\t$6,%r13d,%r13d\n\tandl\t%r15d,%edi\n\tvpxor\t%xmm6,%xmm7,%xmm4\n\txorl\t%eax,%r14d\n\taddl\t%r13d,%r11d\n\txorl\t%ebx,%edi\n\tvpshufd\t$250,%xmm3,%xmm7\n\tshrdl\t$2,%r14d,%r14d\n\taddl\t%r11d,%edx\n\taddl\t%edi,%r11d\n\tvpsrld\t$11,%xmm6,%xmm6\n\tmovl\t%edx,%r13d\n\taddl\t%r11d,%r14d\n\tshrdl\t$14,%r13d,%r13d\n\tvpxor\t%xmm5,%xmm4,%xmm4\n\tmovl\t%r14d,%r11d\n\tmovl\t%r8d,%r12d\n\tshrdl\t$9,%r14d,%r14d\n\tvpslld\t$11,%xmm5,%xmm5\n\txorl\t%edx,%r13d\n\txorl\t%r9d,%r12d\n\tshrdl\t$5,%r13d,%r13d\n\tvpxor\t%xmm6,%xmm4,%xmm4\n\txorl\t%r11d,%r14d\n\tandl\t%edx,%r12d\n\txorl\t%edx,%r13d\n\tvpsrld\t$10,%xmm7,%xmm6\n\taddl\t4(%rsp),%r10d\n\tmovl\t%r11d,%edi\n\txorl\t%r9d,%r12d\n\tvpxor\t%xmm5,%xmm4,%xmm4\n\tshrdl\t$11,%r14d,%r14d\n\txorl\t%eax,%edi\n\taddl\t%r12d,%r10d\n\tvpsrlq\t$17,%xmm7,%xmm7\n\tshrdl\t$6,%r13d,%r13d\n\tandl\t%edi,%r15d\n\txorl\t%r11d,%r14d\n\tvpaddd\t%xmm4,%xmm0,%xmm0\n\taddl\t%r13d,%r10d\n\txorl\t%eax,%r15d\n\tshrdl\t$2,%r14d,%r14d\n\tvpxor\t%xmm7,%xmm6,%xmm6\n\taddl\t%r10d,%ecx\n\taddl\t%r15d,%r10d\n\tmovl\t%ecx,%r13d\n\tvpsrlq\t$2,%xmm7,%xmm7\n\taddl\t%r10d,%r14d\n\tshrdl\t$14,%r13d,%r13d\n\tmovl\t%r14d,%r10d\n\tvpxor\t%xmm7,%xmm6,%xmm6\n\tmovl\t%edx,%r12d\n\tshrdl\t$9,%r14d,%r14d\n\txorl\t%ecx,%r13d\n\tvpshufb\t%xmm8,%xmm6,%xmm6\n\txorl\t%r8d,%r12d\n\tshrdl\t$5,%r13d,%r13d\n\txorl\t%r10d,%r14d\n\tvpaddd\t%xmm6,%xmm0,%xmm0\n\tandl\t%ecx,%r12d\n\txorl\t%ecx,%r13d\n\taddl\t8(%rsp),%r9d\n\tvpshufd\t$80,%xmm0,%xmm7\n\tmovl\t%r10d,%r15d\n\txorl\t%r8d,%r12d\n\tshrdl\t$11,%r14d,%r14d\n\tvpsrld\t$10,%xmm7,%xmm6\n\txorl\t%r11d,%r15d\n\taddl\t%r12d,%r9d\n\tshrdl\t$6,%r13d,%r13d\n\tvpsrlq\t$17,%xmm7,%xmm7\n\tandl\t%r15d,%edi\n\txorl\t%r10d,%r14d\n\taddl\t%r13d,%r9d\n\tvpxor\t%xmm7,%xmm6,%xmm6\n\txorl\t%r11d,%edi\n\tshrdl\t$2,%r14d,%r14d\n\taddl\t%r9d,%ebx\n\tvpsrlq\t$2,%xmm7,%xmm7\n\taddl\t%edi,%r9d\n\tmovl\t%ebx,%r13d\n\taddl\t%r9d,%r14d\n\tvpxor\t%xmm7,%xmm6,%xmm6\n\tshrdl\t$14,%r13d,%r13d\n\tmovl\t%r14d,%r9d\n\tmovl\t%ecx,%r12d\n\tvpshufb\t%xmm9,%xmm6,%xmm6\n\tshrdl\t$9,%r14d,%r14d\n\txorl\t%ebx,%r13d\n\txorl\t%edx,%r12d\n\tvpaddd\t%xmm6,%xmm0,%xmm0\n\tshrdl\t$5,%r13d,%r13d\n\txorl\t%r9d,%r14d\n\tandl\t%ebx,%r12d\n\tvpaddd\t0(%rbp),%xmm0,%xmm6\n\txorl\t%ebx,%r13d\n\taddl\t12(%rsp),%r8d\n\tmovl\t%r9d,%edi\n\txorl\t%edx,%r12d\n\tshrdl\t$11,%r14d,%r14d\n\txorl\t%r10d,%edi\n\taddl\t%r12d,%r8d\n\tshrdl\t$6,%r13d,%r13d\n\tandl\t%edi,%r15d\n\txorl\t%r9d,%r14d\n\taddl\t%r13d,%r8d\n\txorl\t%r10d,%r15d\n\tshrdl\t$2,%r14d,%r14d\n\taddl\t%r8d,%eax\n\taddl\t%r15d,%r8d\n\tmovl\t%eax,%r13d\n\taddl\t%r8d,%r14d\n\tvmovdqa\t%xmm6,0(%rsp)\n\tvpalignr\t$4,%xmm1,%xmm2,%xmm4\n\tshrdl\t$14,%r13d,%r13d\n\tmovl\t%r14d,%r8d\n\tmovl\t%ebx,%r12d\n\tvpalignr\t$4,%xmm3,%xmm0,%xmm7\n\tshrdl\t$9,%r14d,%r14d\n\txorl\t%eax,%r13d\n\txorl\t%ecx,%r12d\n\tvpsrld\t$7,%xmm4,%xmm6\n\tshrdl\t$5,%r13d,%r13d\n\txorl\t%r8d,%r14d\n\tandl\t%eax,%r12d\n\tvpaddd\t%xmm7,%xmm1,%xmm1\n\txorl\t%eax,%r13d\n\taddl\t16(%rsp),%edx\n\tmovl\t%r8d,%r15d\n\tvpsrld\t$3,%xmm4,%xmm7\n\txorl\t%ecx,%r12d\n\tshrdl\t$11,%r14d,%r14d\n\txorl\t%r9d,%r15d\n\tvpslld\t$14,%xmm4,%xmm5\n\taddl\t%r12d,%edx\n\tshrdl\t$6,%r13d,%r13d\n\tandl\t%r15d,%edi\n\tvpxor\t%xmm6,%xmm7,%xmm4\n\txorl\t%r8d,%r14d\n\taddl\t%r13d,%edx\n\txorl\t%r9d,%edi\n\tvpshufd\t$250,%xmm0,%xmm7\n\tshrdl\t$2,%r14d,%r14d\n\taddl\t%edx,%r11d\n\taddl\t%edi,%edx\n\tvpsrld\t$11,%xmm6,%xmm6\n\tmovl\t%r11d,%r13d\n\taddl\t%edx,%r14d\n\tshrdl\t$14,%r13d,%r13d\n\tvpxor\t%xmm5,%xmm4,%xmm4\n\tmovl\t%r14d,%edx\n\tmovl\t%eax,%r12d\n\tshrdl\t$9,%r14d,%r14d\n\tvpslld\t$11,%xmm5,%xmm5\n\txorl\t%r11d,%r13d\n\txorl\t%ebx,%r12d\n\tshrdl\t$5,%r13d,%r13d\n\tvpxor\t%xmm6,%xmm4,%xmm4\n\txorl\t%edx,%r14d\n\tandl\t%r11d,%r12d\n\txorl\t%r11d,%r13d\n\tvpsrld\t$10,%xmm7,%xmm6\n\taddl\t20(%rsp),%ecx\n\tmovl\t%edx,%edi\n\txorl\t%ebx,%r12d\n\tvpxor\t%xmm5,%xmm4,%xmm4\n\tshrdl\t$11,%r14d,%r14d\n\txorl\t%r8d,%edi\n\taddl\t%r12d,%ecx\n\tvpsrlq\t$17,%xmm7,%xmm7\n\tshrdl\t$6,%r13d,%r13d\n\tandl\t%edi,%r15d\n\txorl\t%edx,%r14d\n\tvpaddd\t%xmm4,%xmm1,%xmm1\n\taddl\t%r13d,%ecx\n\txorl\t%r8d,%r15d\n\tshrdl\t$2,%r14d,%r14d\n\tvpxor\t%xmm7,%xmm6,%xmm6\n\taddl\t%ecx,%r10d\n\taddl\t%r15d,%ecx\n\tmovl\t%r10d,%r13d\n\tvpsrlq\t$2,%xmm7,%xmm7\n\taddl\t%ecx,%r14d\n\tshrdl\t$14,%r13d,%r13d\n\tmovl\t%r14d,%ecx\n\tvpxor\t%xmm7,%xmm6,%xmm6\n\tmovl\t%r11d,%r12d\n\tshrdl\t$9,%r14d,%r14d\n\txorl\t%r10d,%r13d\n\tvpshufb\t%xmm8,%xmm6,%xmm6\n\txorl\t%eax,%r12d\n\tshrdl\t$5,%r13d,%r13d\n\txorl\t%ecx,%r14d\n\tvpaddd\t%xmm6,%xmm1,%xmm1\n\tandl\t%r10d,%r12d\n\txorl\t%r10d,%r13d\n\taddl\t24(%rsp),%ebx\n\tvpshufd\t$80,%xmm1,%xmm7\n\tmovl\t%ecx,%r15d\n\txorl\t%eax,%r12d\n\tshrdl\t$11,%r14d,%r14d\n\tvpsrld\t$10,%xmm7,%xmm6\n\txorl\t%edx,%r15d\n\taddl\t%r12d,%ebx\n\tshrdl\t$6,%r13d,%r13d\n\tvpsrlq\t$17,%xmm7,%xmm7\n\tandl\t%r15d,%edi\n\txorl\t%ecx,%r14d\n\taddl\t%r13d,%ebx\n\tvpxor\t%xmm7,%xmm6,%xmm6\n\txorl\t%edx,%edi\n\tshrdl\t$2,%r14d,%r14d\n\taddl\t%ebx,%r9d\n\tvpsrlq\t$2,%xmm7,%xmm7\n\taddl\t%edi,%ebx\n\tmovl\t%r9d,%r13d\n\taddl\t%ebx,%r14d\n\tvpxor\t%xmm7,%xmm6,%xmm6\n\tshrdl\t$14,%r13d,%r13d\n\tmovl\t%r14d,%ebx\n\tmovl\t%r10d,%r12d\n\tvpshufb\t%xmm9,%xmm6,%xmm6\n\tshrdl\t$9,%r14d,%r14d\n\txorl\t%r9d,%r13d\n\txorl\t%r11d,%r12d\n\tvpaddd\t%xmm6,%xmm1,%xmm1\n\tshrdl\t$5,%r13d,%r13d\n\txorl\t%ebx,%r14d\n\tandl\t%r9d,%r12d\n\tvpaddd\t32(%rbp),%xmm1,%xmm6\n\txorl\t%r9d,%r13d\n\taddl\t28(%rsp),%eax\n\tmovl\t%ebx,%edi\n\txorl\t%r11d,%r12d\n\tshrdl\t$11,%r14d,%r14d\n\txorl\t%ecx,%edi\n\taddl\t%r12d,%eax\n\tshrdl\t$6,%r13d,%r13d\n\tandl\t%edi,%r15d\n\txorl\t%ebx,%r14d\n\taddl\t%r13d,%eax\n\txorl\t%ecx,%r15d\n\tshrdl\t$2,%r14d,%r14d\n\taddl\t%eax,%r8d\n\taddl\t%r15d,%eax\n\tmovl\t%r8d,%r13d\n\taddl\t%eax,%r14d\n\tvmovdqa\t%xmm6,16(%rsp)\n\tvpalignr\t$4,%xmm2,%xmm3,%xmm4\n\tshrdl\t$14,%r13d,%r13d\n\tmovl\t%r14d,%eax\n\tmovl\t%r9d,%r12d\n\tvpalignr\t$4,%xmm0,%xmm1,%xmm7\n\tshrdl\t$9,%r14d,%r14d\n\txorl\t%r8d,%r13d\n\txorl\t%r10d,%r12d\n\tvpsrld\t$7,%xmm4,%xmm6\n\tshrdl\t$5,%r13d,%r13d\n\txorl\t%eax,%r14d\n\tandl\t%r8d,%r12d\n\tvpaddd\t%xmm7,%xmm2,%xmm2\n\txorl\t%r8d,%r13d\n\taddl\t32(%rsp),%r11d\n\tmovl\t%eax,%r15d\n\tvpsrld\t$3,%xmm4,%xmm7\n\txorl\t%r10d,%r12d\n\tshrdl\t$11,%r14d,%r14d\n\txorl\t%ebx,%r15d\n\tvpslld\t$14,%xmm4,%xmm5\n\taddl\t%r12d,%r11d\n\tshrdl\t$6,%r13d,%r13d\n\tandl\t%r15d,%edi\n\tvpxor\t%xmm6,%xmm7,%xmm4\n\txorl\t%eax,%r14d\n\taddl\t%r13d,%r11d\n\txorl\t%ebx,%edi\n\tvpshufd\t$250,%xmm1,%xmm7\n\tshrdl\t$2,%r14d,%r14d\n\taddl\t%r11d,%edx\n\taddl\t%edi,%r11d\n\tvpsrld\t$11,%xmm6,%xmm6\n\tmovl\t%edx,%r13d\n\taddl\t%r11d,%r14d\n\tshrdl\t$14,%r13d,%r13d\n\tvpxor\t%xmm5,%xmm4,%xmm4\n\tmovl\t%r14d,%r11d\n\tmovl\t%r8d,%r12d\n\tshrdl\t$9,%r14d,%r14d\n\tvpslld\t$11,%xmm5,%xmm5\n\txorl\t%edx,%r13d\n\txorl\t%r9d,%r12d\n\tshrdl\t$5,%r13d,%r13d\n\tvpxor\t%xmm6,%xmm4,%xmm4\n\txorl\t%r11d,%r14d\n\tandl\t%edx,%r12d\n\txorl\t%edx,%r13d\n\tvpsrld\t$10,%xmm7,%xmm6\n\taddl\t36(%rsp),%r10d\n\tmovl\t%r11d,%edi\n\txorl\t%r9d,%r12d\n\tvpxor\t%xmm5,%xmm4,%xmm4\n\tshrdl\t$11,%r14d,%r14d\n\txorl\t%eax,%edi\n\taddl\t%r12d,%r10d\n\tvpsrlq\t$17,%xmm7,%xmm7\n\tshrdl\t$6,%r13d,%r13d\n\tandl\t%edi,%r15d\n\txorl\t%r11d,%r14d\n\tvpaddd\t%xmm4,%xmm2,%xmm2\n\taddl\t%r13d,%r10d\n\txorl\t%eax,%r15d\n\tshrdl\t$2,%r14d,%r14d\n\tvpxor\t%xmm7,%xmm6,%xmm6\n\taddl\t%r10d,%ecx\n\taddl\t%r15d,%r10d\n\tmovl\t%ecx,%r13d\n\tvpsrlq\t$2,%xmm7,%xmm7\n\taddl\t%r10d,%r14d\n\tshrdl\t$14,%r13d,%r13d\n\tmovl\t%r14d,%r10d\n\tvpxor\t%xmm7,%xmm6,%xmm6\n\tmovl\t%edx,%r12d\n\tshrdl\t$9,%r14d,%r14d\n\txorl\t%ecx,%r13d\n\tvpshufb\t%xmm8,%xmm6,%xmm6\n\txorl\t%r8d,%r12d\n\tshrdl\t$5,%r13d,%r13d\n\txorl\t%r10d,%r14d\n\tvpaddd\t%xmm6,%xmm2,%xmm2\n\tandl\t%ecx,%r12d\n\txorl\t%ecx,%r13d\n\taddl\t40(%rsp),%r9d\n\tvpshufd\t$80,%xmm2,%xmm7\n\tmovl\t%r10d,%r15d\n\txorl\t%r8d,%r12d\n\tshrdl\t$11,%r14d,%r14d\n\tvpsrld\t$10,%xmm7,%xmm6\n\txorl\t%r11d,%r15d\n\taddl\t%r12d,%r9d\n\tshrdl\t$6,%r13d,%r13d\n\tvpsrlq\t$17,%xmm7,%xmm7\n\tandl\t%r15d,%edi\n\txorl\t%r10d,%r14d\n\taddl\t%r13d,%r9d\n\tvpxor\t%xmm7,%xmm6,%xmm6\n\txorl\t%r11d,%edi\n\tshrdl\t$2,%r14d,%r14d\n\taddl\t%r9d,%ebx\n\tvpsrlq\t$2,%xmm7,%xmm7\n\taddl\t%edi,%r9d\n\tmovl\t%ebx,%r13d\n\taddl\t%r9d,%r14d\n\tvpxor\t%xmm7,%xmm6,%xmm6\n\tshrdl\t$14,%r13d,%r13d\n\tmovl\t%r14d,%r9d\n\tmovl\t%ecx,%r12d\n\tvpshufb\t%xmm9,%xmm6,%xmm6\n\tshrdl\t$9,%r14d,%r14d\n\txorl\t%ebx,%r13d\n\txorl\t%edx,%r12d\n\tvpaddd\t%xmm6,%xmm2,%xmm2\n\tshrdl\t$5,%r13d,%r13d\n\txorl\t%r9d,%r14d\n\tandl\t%ebx,%r12d\n\tvpaddd\t64(%rbp),%xmm2,%xmm6\n\txorl\t%ebx,%r13d\n\taddl\t44(%rsp),%r8d\n\tmovl\t%r9d,%edi\n\txorl\t%edx,%r12d\n\tshrdl\t$11,%r14d,%r14d\n\txorl\t%r10d,%edi\n\taddl\t%r12d,%r8d\n\tshrdl\t$6,%r13d,%r13d\n\tandl\t%edi,%r15d\n\txorl\t%r9d,%r14d\n\taddl\t%r13d,%r8d\n\txorl\t%r10d,%r15d\n\tshrdl\t$2,%r14d,%r14d\n\taddl\t%r8d,%eax\n\taddl\t%r15d,%r8d\n\tmovl\t%eax,%r13d\n\taddl\t%r8d,%r14d\n\tvmovdqa\t%xmm6,32(%rsp)\n\tvpalignr\t$4,%xmm3,%xmm0,%xmm4\n\tshrdl\t$14,%r13d,%r13d\n\tmovl\t%r14d,%r8d\n\tmovl\t%ebx,%r12d\n\tvpalignr\t$4,%xmm1,%xmm2,%xmm7\n\tshrdl\t$9,%r14d,%r14d\n\txorl\t%eax,%r13d\n\txorl\t%ecx,%r12d\n\tvpsrld\t$7,%xmm4,%xmm6\n\tshrdl\t$5,%r13d,%r13d\n\txorl\t%r8d,%r14d\n\tandl\t%eax,%r12d\n\tvpaddd\t%xmm7,%xmm3,%xmm3\n\txorl\t%eax,%r13d\n\taddl\t48(%rsp),%edx\n\tmovl\t%r8d,%r15d\n\tvpsrld\t$3,%xmm4,%xmm7\n\txorl\t%ecx,%r12d\n\tshrdl\t$11,%r14d,%r14d\n\txorl\t%r9d,%r15d\n\tvpslld\t$14,%xmm4,%xmm5\n\taddl\t%r12d,%edx\n\tshrdl\t$6,%r13d,%r13d\n\tandl\t%r15d,%edi\n\tvpxor\t%xmm6,%xmm7,%xmm4\n\txorl\t%r8d,%r14d\n\taddl\t%r13d,%edx\n\txorl\t%r9d,%edi\n\tvpshufd\t$250,%xmm2,%xmm7\n\tshrdl\t$2,%r14d,%r14d\n\taddl\t%edx,%r11d\n\taddl\t%edi,%edx\n\tvpsrld\t$11,%xmm6,%xmm6\n\tmovl\t%r11d,%r13d\n\taddl\t%edx,%r14d\n\tshrdl\t$14,%r13d,%r13d\n\tvpxor\t%xmm5,%xmm4,%xmm4\n\tmovl\t%r14d,%edx\n\tmovl\t%eax,%r12d\n\tshrdl\t$9,%r14d,%r14d\n\tvpslld\t$11,%xmm5,%xmm5\n\txorl\t%r11d,%r13d\n\txorl\t%ebx,%r12d\n\tshrdl\t$5,%r13d,%r13d\n\tvpxor\t%xmm6,%xmm4,%xmm4\n\txorl\t%edx,%r14d\n\tandl\t%r11d,%r12d\n\txorl\t%r11d,%r13d\n\tvpsrld\t$10,%xmm7,%xmm6\n\taddl\t52(%rsp),%ecx\n\tmovl\t%edx,%edi\n\txorl\t%ebx,%r12d\n\tvpxor\t%xmm5,%xmm4,%xmm4\n\tshrdl\t$11,%r14d,%r14d\n\txorl\t%r8d,%edi\n\taddl\t%r12d,%ecx\n\tvpsrlq\t$17,%xmm7,%xmm7\n\tshrdl\t$6,%r13d,%r13d\n\tandl\t%edi,%r15d\n\txorl\t%edx,%r14d\n\tvpaddd\t%xmm4,%xmm3,%xmm3\n\taddl\t%r13d,%ecx\n\txorl\t%r8d,%r15d\n\tshrdl\t$2,%r14d,%r14d\n\tvpxor\t%xmm7,%xmm6,%xmm6\n\taddl\t%ecx,%r10d\n\taddl\t%r15d,%ecx\n\tmovl\t%r10d,%r13d\n\tvpsrlq\t$2,%xmm7,%xmm7\n\taddl\t%ecx,%r14d\n\tshrdl\t$14,%r13d,%r13d\n\tmovl\t%r14d,%ecx\n\tvpxor\t%xmm7,%xmm6,%xmm6\n\tmovl\t%r11d,%r12d\n\tshrdl\t$9,%r14d,%r14d\n\txorl\t%r10d,%r13d\n\tvpshufb\t%xmm8,%xmm6,%xmm6\n\txorl\t%eax,%r12d\n\tshrdl\t$5,%r13d,%r13d\n\txorl\t%ecx,%r14d\n\tvpaddd\t%xmm6,%xmm3,%xmm3\n\tandl\t%r10d,%r12d\n\txorl\t%r10d,%r13d\n\taddl\t56(%rsp),%ebx\n\tvpshufd\t$80,%xmm3,%xmm7\n\tmovl\t%ecx,%r15d\n\txorl\t%eax,%r12d\n\tshrdl\t$11,%r14d,%r14d\n\tvpsrld\t$10,%xmm7,%xmm6\n\txorl\t%edx,%r15d\n\taddl\t%r12d,%ebx\n\tshrdl\t$6,%r13d,%r13d\n\tvpsrlq\t$17,%xmm7,%xmm7\n\tandl\t%r15d,%edi\n\txorl\t%ecx,%r14d\n\taddl\t%r13d,%ebx\n\tvpxor\t%xmm7,%xmm6,%xmm6\n\txorl\t%edx,%edi\n\tshrdl\t$2,%r14d,%r14d\n\taddl\t%ebx,%r9d\n\tvpsrlq\t$2,%xmm7,%xmm7\n\taddl\t%edi,%ebx\n\tmovl\t%r9d,%r13d\n\taddl\t%ebx,%r14d\n\tvpxor\t%xmm7,%xmm6,%xmm6\n\tshrdl\t$14,%r13d,%r13d\n\tmovl\t%r14d,%ebx\n\tmovl\t%r10d,%r12d\n\tvpshufb\t%xmm9,%xmm6,%xmm6\n\tshrdl\t$9,%r14d,%r14d\n\txorl\t%r9d,%r13d\n\txorl\t%r11d,%r12d\n\tvpaddd\t%xmm6,%xmm3,%xmm3\n\tshrdl\t$5,%r13d,%r13d\n\txorl\t%ebx,%r14d\n\tandl\t%r9d,%r12d\n\tvpaddd\t96(%rbp),%xmm3,%xmm6\n\txorl\t%r9d,%r13d\n\taddl\t60(%rsp),%eax\n\tmovl\t%ebx,%edi\n\txorl\t%r11d,%r12d\n\tshrdl\t$11,%r14d,%r14d\n\txorl\t%ecx,%edi\n\taddl\t%r12d,%eax\n\tshrdl\t$6,%r13d,%r13d\n\tandl\t%edi,%r15d\n\txorl\t%ebx,%r14d\n\taddl\t%r13d,%eax\n\txorl\t%ecx,%r15d\n\tshrdl\t$2,%r14d,%r14d\n\taddl\t%eax,%r8d\n\taddl\t%r15d,%eax\n\tmovl\t%r8d,%r13d\n\taddl\t%eax,%r14d\n\tvmovdqa\t%xmm6,48(%rsp)\n\tcmpb\t$0,131(%rbp)\n\tjne\tL$avx_00_47\n\tshrdl\t$14,%r13d,%r13d\n\tmovl\t%r14d,%eax\n\tmovl\t%r9d,%r12d\n\tshrdl\t$9,%r14d,%r14d\n\txorl\t%r8d,%r13d\n\txorl\t%r10d,%r12d\n\tshrdl\t$5,%r13d,%r13d\n\txorl\t%eax,%r14d\n\tandl\t%r8d,%r12d\n\txorl\t%r8d,%r13d\n\taddl\t0(%rsp),%r11d\n\tmovl\t%eax,%r15d\n\txorl\t%r10d,%r12d\n\tshrdl\t$11,%r14d,%r14d\n\txorl\t%ebx,%r15d\n\taddl\t%r12d,%r11d\n\tshrdl\t$6,%r13d,%r13d\n\tandl\t%r15d,%edi\n\txorl\t%eax,%r14d\n\taddl\t%r13d,%r11d\n\txorl\t%ebx,%edi\n\tshrdl\t$2,%r14d,%r14d\n\taddl\t%r11d,%edx\n\taddl\t%edi,%r11d\n\tmovl\t%edx,%r13d\n\taddl\t%r11d,%r14d\n\tshrdl\t$14,%r13d,%r13d\n\tmovl\t%r14d,%r11d\n\tmovl\t%r8d,%r12d\n\tshrdl\t$9,%r14d,%r14d\n\txorl\t%edx,%r13d\n\txorl\t%r9d,%r12d\n\tshrdl\t$5,%r13d,%r13d\n\txorl\t%r11d,%r14d\n\tandl\t%edx,%r12d\n\txorl\t%edx,%r13d\n\taddl\t4(%rsp),%r10d\n\tmovl\t%r11d,%edi\n\txorl\t%r9d,%r12d\n\tshrdl\t$11,%r14d,%r14d\n\txorl\t%eax,%edi\n\taddl\t%r12d,%r10d\n\tshrdl\t$6,%r13d,%r13d\n\tandl\t%edi,%r15d\n\txorl\t%r11d,%r14d\n\taddl\t%r13d,%r10d\n\txorl\t%eax,%r15d\n\tshrdl\t$2,%r14d,%r14d\n\taddl\t%r10d,%ecx\n\taddl\t%r15d,%r10d\n\tmovl\t%ecx,%r13d\n\taddl\t%r10d,%r14d\n\tshrdl\t$14,%r13d,%r13d\n\tmovl\t%r14d,%r10d\n\tmovl\t%edx,%r12d\n\tshrdl\t$9,%r14d,%r14d\n\txorl\t%ecx,%r13d\n\txorl\t%r8d,%r12d\n\tshrdl\t$5,%r13d,%r13d\n\txorl\t%r10d,%r14d\n\tandl\t%ecx,%r12d\n\txorl\t%ecx,%r13d\n\taddl\t8(%rsp),%r9d\n\tmovl\t%r10d,%r15d\n\txorl\t%r8d,%r12d\n\tshrdl\t$11,%r14d,%r14d\n\txorl\t%r11d,%r15d\n\taddl\t%r12d,%r9d\n\tshrdl\t$6,%r13d,%r13d\n\tandl\t%r15d,%edi\n\txorl\t%r10d,%r14d\n\taddl\t%r13d,%r9d\n\txorl\t%r11d,%edi\n\tshrdl\t$2,%r14d,%r14d\n\taddl\t%r9d,%ebx\n\taddl\t%edi,%r9d\n\tmovl\t%ebx,%r13d\n\taddl\t%r9d,%r14d\n\tshrdl\t$14,%r13d,%r13d\n\tmovl\t%r14d,%r9d\n\tmovl\t%ecx,%r12d\n\tshrdl\t$9,%r14d,%r14d\n\txorl\t%ebx,%r13d\n\txorl\t%edx,%r12d\n\tshrdl\t$5,%r13d,%r13d\n\txorl\t%r9d,%r14d\n\tandl\t%ebx,%r12d\n\txorl\t%ebx,%r13d\n\taddl\t12(%rsp),%r8d\n\tmovl\t%r9d,%edi\n\txorl\t%edx,%r12d\n\tshrdl\t$11,%r14d,%r14d\n\txorl\t%r10d,%edi\n\taddl\t%r12d,%r8d\n\tshrdl\t$6,%r13d,%r13d\n\tandl\t%edi,%r15d\n\txorl\t%r9d,%r14d\n\taddl\t%r13d,%r8d\n\txorl\t%r10d,%r15d\n\tshrdl\t$2,%r14d,%r14d\n\taddl\t%r8d,%eax\n\taddl\t%r15d,%r8d\n\tmovl\t%eax,%r13d\n\taddl\t%r8d,%r14d\n\tshrdl\t$14,%r13d,%r13d\n\tmovl\t%r14d,%r8d\n\tmovl\t%ebx,%r12d\n\tshrdl\t$9,%r14d,%r14d\n\txorl\t%eax,%r13d\n\txorl\t%ecx,%r12d\n\tshrdl\t$5,%r13d,%r13d\n\txorl\t%r8d,%r14d\n\tandl\t%eax,%r12d\n\txorl\t%eax,%r13d\n\taddl\t16(%rsp),%edx\n\tmovl\t%r8d,%r15d\n\txorl\t%ecx,%r12d\n\tshrdl\t$11,%r14d,%r14d\n\txorl\t%r9d,%r15d\n\taddl\t%r12d,%edx\n\tshrdl\t$6,%r13d,%r13d\n\tandl\t%r15d,%edi\n\txorl\t%r8d,%r14d\n\taddl\t%r13d,%edx\n\txorl\t%r9d,%edi\n\tshrdl\t$2,%r14d,%r14d\n\taddl\t%edx,%r11d\n\taddl\t%edi,%edx\n\tmovl\t%r11d,%r13d\n\taddl\t%edx,%r14d\n\tshrdl\t$14,%r13d,%r13d\n\tmovl\t%r14d,%edx\n\tmovl\t%eax,%r12d\n\tshrdl\t$9,%r14d,%r14d\n\txorl\t%r11d,%r13d\n\txorl\t%ebx,%r12d\n\tshrdl\t$5,%r13d,%r13d\n\txorl\t%edx,%r14d\n\tandl\t%r11d,%r12d\n\txorl\t%r11d,%r13d\n\taddl\t20(%rsp),%ecx\n\tmovl\t%edx,%edi\n\txorl\t%ebx,%r12d\n\tshrdl\t$11,%r14d,%r14d\n\txorl\t%r8d,%edi\n\taddl\t%r12d,%ecx\n\tshrdl\t$6,%r13d,%r13d\n\tandl\t%edi,%r15d\n\txorl\t%edx,%r14d\n\taddl\t%r13d,%ecx\n\txorl\t%r8d,%r15d\n\tshrdl\t$2,%r14d,%r14d\n\taddl\t%ecx,%r10d\n\taddl\t%r15d,%ecx\n\tmovl\t%r10d,%r13d\n\taddl\t%ecx,%r14d\n\tshrdl\t$14,%r13d,%r13d\n\tmovl\t%r14d,%ecx\n\tmovl\t%r11d,%r12d\n\tshrdl\t$9,%r14d,%r14d\n\txorl\t%r10d,%r13d\n\txorl\t%eax,%r12d\n\tshrdl\t$5,%r13d,%r13d\n\txorl\t%ecx,%r14d\n\tandl\t%r10d,%r12d\n\txorl\t%r10d,%r13d\n\taddl\t24(%rsp),%ebx\n\tmovl\t%ecx,%r15d\n\txorl\t%eax,%r12d\n\tshrdl\t$11,%r14d,%r14d\n\txorl\t%edx,%r15d\n\taddl\t%r12d,%ebx\n\tshrdl\t$6,%r13d,%r13d\n\tandl\t%r15d,%edi\n\txorl\t%ecx,%r14d\n\taddl\t%r13d,%ebx\n\txorl\t%edx,%edi\n\tshrdl\t$2,%r14d,%r14d\n\taddl\t%ebx,%r9d\n\taddl\t%edi,%ebx\n\tmovl\t%r9d,%r13d\n\taddl\t%ebx,%r14d\n\tshrdl\t$14,%r13d,%r13d\n\tmovl\t%r14d,%ebx\n\tmovl\t%r10d,%r12d\n\tshrdl\t$9,%r14d,%r14d\n\txorl\t%r9d,%r13d\n\txorl\t%r11d,%r12d\n\tshrdl\t$5,%r13d,%r13d\n\txorl\t%ebx,%r14d\n\tandl\t%r9d,%r12d\n\txorl\t%r9d,%r13d\n\taddl\t28(%rsp),%eax\n\tmovl\t%ebx,%edi\n\txorl\t%r11d,%r12d\n\tshrdl\t$11,%r14d,%r14d\n\txorl\t%ecx,%edi\n\taddl\t%r12d,%eax\n\tshrdl\t$6,%r13d,%r13d\n\tandl\t%edi,%r15d\n\txorl\t%ebx,%r14d\n\taddl\t%r13d,%eax\n\txorl\t%ecx,%r15d\n\tshrdl\t$2,%r14d,%r14d\n\taddl\t%eax,%r8d\n\taddl\t%r15d,%eax\n\tmovl\t%r8d,%r13d\n\taddl\t%eax,%r14d\n\tshrdl\t$14,%r13d,%r13d\n\tmovl\t%r14d,%eax\n\tmovl\t%r9d,%r12d\n\tshrdl\t$9,%r14d,%r14d\n\txorl\t%r8d,%r13d\n\txorl\t%r10d,%r12d\n\tshrdl\t$5,%r13d,%r13d\n\txorl\t%eax,%r14d\n\tandl\t%r8d,%r12d\n\txorl\t%r8d,%r13d\n\taddl\t32(%rsp),%r11d\n\tmovl\t%eax,%r15d\n\txorl\t%r10d,%r12d\n\tshrdl\t$11,%r14d,%r14d\n\txorl\t%ebx,%r15d\n\taddl\t%r12d,%r11d\n\tshrdl\t$6,%r13d,%r13d\n\tandl\t%r15d,%edi\n\txorl\t%eax,%r14d\n\taddl\t%r13d,%r11d\n\txorl\t%ebx,%edi\n\tshrdl\t$2,%r14d,%r14d\n\taddl\t%r11d,%edx\n\taddl\t%edi,%r11d\n\tmovl\t%edx,%r13d\n\taddl\t%r11d,%r14d\n\tshrdl\t$14,%r13d,%r13d\n\tmovl\t%r14d,%r11d\n\tmovl\t%r8d,%r12d\n\tshrdl\t$9,%r14d,%r14d\n\txorl\t%edx,%r13d\n\txorl\t%r9d,%r12d\n\tshrdl\t$5,%r13d,%r13d\n\txorl\t%r11d,%r14d\n\tandl\t%edx,%r12d\n\txorl\t%edx,%r13d\n\taddl\t36(%rsp),%r10d\n\tmovl\t%r11d,%edi\n\txorl\t%r9d,%r12d\n\tshrdl\t$11,%r14d,%r14d\n\txorl\t%eax,%edi\n\taddl\t%r12d,%r10d\n\tshrdl\t$6,%r13d,%r13d\n\tandl\t%edi,%r15d\n\txorl\t%r11d,%r14d\n\taddl\t%r13d,%r10d\n\txorl\t%eax,%r15d\n\tshrdl\t$2,%r14d,%r14d\n\taddl\t%r10d,%ecx\n\taddl\t%r15d,%r10d\n\tmovl\t%ecx,%r13d\n\taddl\t%r10d,%r14d\n\tshrdl\t$14,%r13d,%r13d\n\tmovl\t%r14d,%r10d\n\tmovl\t%edx,%r12d\n\tshrdl\t$9,%r14d,%r14d\n\txorl\t%ecx,%r13d\n\txorl\t%r8d,%r12d\n\tshrdl\t$5,%r13d,%r13d\n\txorl\t%r10d,%r14d\n\tandl\t%ecx,%r12d\n\txorl\t%ecx,%r13d\n\taddl\t40(%rsp),%r9d\n\tmovl\t%r10d,%r15d\n\txorl\t%r8d,%r12d\n\tshrdl\t$11,%r14d,%r14d\n\txorl\t%r11d,%r15d\n\taddl\t%r12d,%r9d\n\tshrdl\t$6,%r13d,%r13d\n\tandl\t%r15d,%edi\n\txorl\t%r10d,%r14d\n\taddl\t%r13d,%r9d\n\txorl\t%r11d,%edi\n\tshrdl\t$2,%r14d,%r14d\n\taddl\t%r9d,%ebx\n\taddl\t%edi,%r9d\n\tmovl\t%ebx,%r13d\n\taddl\t%r9d,%r14d\n\tshrdl\t$14,%r13d,%r13d\n\tmovl\t%r14d,%r9d\n\tmovl\t%ecx,%r12d\n\tshrdl\t$9,%r14d,%r14d\n\txorl\t%ebx,%r13d\n\txorl\t%edx,%r12d\n\tshrdl\t$5,%r13d,%r13d\n\txorl\t%r9d,%r14d\n\tandl\t%ebx,%r12d\n\txorl\t%ebx,%r13d\n\taddl\t44(%rsp),%r8d\n\tmovl\t%r9d,%edi\n\txorl\t%edx,%r12d\n\tshrdl\t$11,%r14d,%r14d\n\txorl\t%r10d,%edi\n\taddl\t%r12d,%r8d\n\tshrdl\t$6,%r13d,%r13d\n\tandl\t%edi,%r15d\n\txorl\t%r9d,%r14d\n\taddl\t%r13d,%r8d\n\txorl\t%r10d,%r15d\n\tshrdl\t$2,%r14d,%r14d\n\taddl\t%r8d,%eax\n\taddl\t%r15d,%r8d\n\tmovl\t%eax,%r13d\n\taddl\t%r8d,%r14d\n\tshrdl\t$14,%r13d,%r13d\n\tmovl\t%r14d,%r8d\n\tmovl\t%ebx,%r12d\n\tshrdl\t$9,%r14d,%r14d\n\txorl\t%eax,%r13d\n\txorl\t%ecx,%r12d\n\tshrdl\t$5,%r13d,%r13d\n\txorl\t%r8d,%r14d\n\tandl\t%eax,%r12d\n\txorl\t%eax,%r13d\n\taddl\t48(%rsp),%edx\n\tmovl\t%r8d,%r15d\n\txorl\t%ecx,%r12d\n\tshrdl\t$11,%r14d,%r14d\n\txorl\t%r9d,%r15d\n\taddl\t%r12d,%edx\n\tshrdl\t$6,%r13d,%r13d\n\tandl\t%r15d,%edi\n\txorl\t%r8d,%r14d\n\taddl\t%r13d,%edx\n\txorl\t%r9d,%edi\n\tshrdl\t$2,%r14d,%r14d\n\taddl\t%edx,%r11d\n\taddl\t%edi,%edx\n\tmovl\t%r11d,%r13d\n\taddl\t%edx,%r14d\n\tshrdl\t$14,%r13d,%r13d\n\tmovl\t%r14d,%edx\n\tmovl\t%eax,%r12d\n\tshrdl\t$9,%r14d,%r14d\n\txorl\t%r11d,%r13d\n\txorl\t%ebx,%r12d\n\tshrdl\t$5,%r13d,%r13d\n\txorl\t%edx,%r14d\n\tandl\t%r11d,%r12d\n\txorl\t%r11d,%r13d\n\taddl\t52(%rsp),%ecx\n\tmovl\t%edx,%edi\n\txorl\t%ebx,%r12d\n\tshrdl\t$11,%r14d,%r14d\n\txorl\t%r8d,%edi\n\taddl\t%r12d,%ecx\n\tshrdl\t$6,%r13d,%r13d\n\tandl\t%edi,%r15d\n\txorl\t%edx,%r14d\n\taddl\t%r13d,%ecx\n\txorl\t%r8d,%r15d\n\tshrdl\t$2,%r14d,%r14d\n\taddl\t%ecx,%r10d\n\taddl\t%r15d,%ecx\n\tmovl\t%r10d,%r13d\n\taddl\t%ecx,%r14d\n\tshrdl\t$14,%r13d,%r13d\n\tmovl\t%r14d,%ecx\n\tmovl\t%r11d,%r12d\n\tshrdl\t$9,%r14d,%r14d\n\txorl\t%r10d,%r13d\n\txorl\t%eax,%r12d\n\tshrdl\t$5,%r13d,%r13d\n\txorl\t%ecx,%r14d\n\tandl\t%r10d,%r12d\n\txorl\t%r10d,%r13d\n\taddl\t56(%rsp),%ebx\n\tmovl\t%ecx,%r15d\n\txorl\t%eax,%r12d\n\tshrdl\t$11,%r14d,%r14d\n\txorl\t%edx,%r15d\n\taddl\t%r12d,%ebx\n\tshrdl\t$6,%r13d,%r13d\n\tandl\t%r15d,%edi\n\txorl\t%ecx,%r14d\n\taddl\t%r13d,%ebx\n\txorl\t%edx,%edi\n\tshrdl\t$2,%r14d,%r14d\n\taddl\t%ebx,%r9d\n\taddl\t%edi,%ebx\n\tmovl\t%r9d,%r13d\n\taddl\t%ebx,%r14d\n\tshrdl\t$14,%r13d,%r13d\n\tmovl\t%r14d,%ebx\n\tmovl\t%r10d,%r12d\n\tshrdl\t$9,%r14d,%r14d\n\txorl\t%r9d,%r13d\n\txorl\t%r11d,%r12d\n\tshrdl\t$5,%r13d,%r13d\n\txorl\t%ebx,%r14d\n\tandl\t%r9d,%r12d\n\txorl\t%r9d,%r13d\n\taddl\t60(%rsp),%eax\n\tmovl\t%ebx,%edi\n\txorl\t%r11d,%r12d\n\tshrdl\t$11,%r14d,%r14d\n\txorl\t%ecx,%edi\n\taddl\t%r12d,%eax\n\tshrdl\t$6,%r13d,%r13d\n\tandl\t%edi,%r15d\n\txorl\t%ebx,%r14d\n\taddl\t%r13d,%eax\n\txorl\t%ecx,%r15d\n\tshrdl\t$2,%r14d,%r14d\n\taddl\t%eax,%r8d\n\taddl\t%r15d,%eax\n\tmovl\t%r8d,%r13d\n\taddl\t%eax,%r14d\n\tmovq\t64+0(%rsp),%rdi\n\tmovl\t%r14d,%eax\n\n\taddl\t0(%rdi),%eax\n\tleaq\t64(%rsi),%rsi\n\taddl\t4(%rdi),%ebx\n\taddl\t8(%rdi),%ecx\n\taddl\t12(%rdi),%edx\n\taddl\t16(%rdi),%r8d\n\taddl\t20(%rdi),%r9d\n\taddl\t24(%rdi),%r10d\n\taddl\t28(%rdi),%r11d\n\n\tcmpq\t64+16(%rsp),%rsi\n\n\tmovl\t%eax,0(%rdi)\n\tmovl\t%ebx,4(%rdi)\n\tmovl\t%ecx,8(%rdi)\n\tmovl\t%edx,12(%rdi)\n\tmovl\t%r8d,16(%rdi)\n\tmovl\t%r9d,20(%rdi)\n\tmovl\t%r10d,24(%rdi)\n\tmovl\t%r11d,28(%rdi)\n\tjb\tL$loop_avx\n\n\tmovq\t88(%rsp),%rsi\n\n\tvzeroupper\n\tmovq\t-48(%rsi),%r15\n\n\tmovq\t-40(%rsi),%r14\n\n\tmovq\t-32(%rsi),%r13\n\n\tmovq\t-24(%rsi),%r12\n\n\tmovq\t-16(%rsi),%rbp\n\n\tmovq\t-8(%rsi),%rbx\n\n\tleaq\t(%rsi),%rsp\n\nL$epilogue_avx:\n\tret\n\n\n#endif\n#if defined(__linux__) && defined(__ELF__)\n.section .note.GNU-stack,\"\",%progbits\n#endif\n\n" }, { "path": "Sources/CNIOBoringSSL/gen/bcm/sha256-x86_64-linux.S", "content": "#define BORINGSSL_PREFIX CNIOBoringSSL\n// This file is generated from a similarly-named Perl script in the BoringSSL\n// source tree. Do not edit by hand.\n\n#include \n\n#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86_64) && defined(__ELF__)\n.text\t\n\n.globl\tsha256_block_data_order_nohw\n.hidden sha256_block_data_order_nohw\n.type\tsha256_block_data_order_nohw,@function\n.align\t16\nsha256_block_data_order_nohw:\n.cfi_startproc\t\n_CET_ENDBR\n\tmovq\t%rsp,%rax\n.cfi_def_cfa_register\t%rax\n\tpushq\t%rbx\n.cfi_offset\t%rbx,-16\n\tpushq\t%rbp\n.cfi_offset\t%rbp,-24\n\tpushq\t%r12\n.cfi_offset\t%r12,-32\n\tpushq\t%r13\n.cfi_offset\t%r13,-40\n\tpushq\t%r14\n.cfi_offset\t%r14,-48\n\tpushq\t%r15\n.cfi_offset\t%r15,-56\n\tshlq\t$4,%rdx\n\tsubq\t$64+32,%rsp\n\tleaq\t(%rsi,%rdx,4),%rdx\n\tandq\t$-64,%rsp\n\tmovq\t%rdi,64+0(%rsp)\n\tmovq\t%rsi,64+8(%rsp)\n\tmovq\t%rdx,64+16(%rsp)\n\tmovq\t%rax,88(%rsp)\n.cfi_escape\t0x0f,0x06,0x77,0xd8,0x00,0x06,0x23,0x08\n.Lprologue:\n\n\tmovl\t0(%rdi),%eax\n\tmovl\t4(%rdi),%ebx\n\tmovl\t8(%rdi),%ecx\n\tmovl\t12(%rdi),%edx\n\tmovl\t16(%rdi),%r8d\n\tmovl\t20(%rdi),%r9d\n\tmovl\t24(%rdi),%r10d\n\tmovl\t28(%rdi),%r11d\n\tjmp\t.Lloop\n\n.align\t16\n.Lloop:\n\tmovl\t%ebx,%edi\n\tleaq\tK256(%rip),%rbp\n\txorl\t%ecx,%edi\n\tmovl\t0(%rsi),%r12d\n\tmovl\t%r8d,%r13d\n\tmovl\t%eax,%r14d\n\tbswapl\t%r12d\n\trorl\t$14,%r13d\n\tmovl\t%r9d,%r15d\n\n\txorl\t%r8d,%r13d\n\trorl\t$9,%r14d\n\txorl\t%r10d,%r15d\n\n\tmovl\t%r12d,0(%rsp)\n\txorl\t%eax,%r14d\n\tandl\t%r8d,%r15d\n\n\trorl\t$5,%r13d\n\taddl\t%r11d,%r12d\n\txorl\t%r10d,%r15d\n\n\trorl\t$11,%r14d\n\txorl\t%r8d,%r13d\n\taddl\t%r15d,%r12d\n\n\tmovl\t%eax,%r15d\n\taddl\t(%rbp),%r12d\n\txorl\t%eax,%r14d\n\n\txorl\t%ebx,%r15d\n\trorl\t$6,%r13d\n\tmovl\t%ebx,%r11d\n\n\tandl\t%r15d,%edi\n\trorl\t$2,%r14d\n\taddl\t%r13d,%r12d\n\n\txorl\t%edi,%r11d\n\taddl\t%r12d,%edx\n\taddl\t%r12d,%r11d\n\n\tleaq\t4(%rbp),%rbp\n\taddl\t%r14d,%r11d\n\tmovl\t4(%rsi),%r12d\n\tmovl\t%edx,%r13d\n\tmovl\t%r11d,%r14d\n\tbswapl\t%r12d\n\trorl\t$14,%r13d\n\tmovl\t%r8d,%edi\n\n\txorl\t%edx,%r13d\n\trorl\t$9,%r14d\n\txorl\t%r9d,%edi\n\n\tmovl\t%r12d,4(%rsp)\n\txorl\t%r11d,%r14d\n\tandl\t%edx,%edi\n\n\trorl\t$5,%r13d\n\taddl\t%r10d,%r12d\n\txorl\t%r9d,%edi\n\n\trorl\t$11,%r14d\n\txorl\t%edx,%r13d\n\taddl\t%edi,%r12d\n\n\tmovl\t%r11d,%edi\n\taddl\t(%rbp),%r12d\n\txorl\t%r11d,%r14d\n\n\txorl\t%eax,%edi\n\trorl\t$6,%r13d\n\tmovl\t%eax,%r10d\n\n\tandl\t%edi,%r15d\n\trorl\t$2,%r14d\n\taddl\t%r13d,%r12d\n\n\txorl\t%r15d,%r10d\n\taddl\t%r12d,%ecx\n\taddl\t%r12d,%r10d\n\n\tleaq\t4(%rbp),%rbp\n\taddl\t%r14d,%r10d\n\tmovl\t8(%rsi),%r12d\n\tmovl\t%ecx,%r13d\n\tmovl\t%r10d,%r14d\n\tbswapl\t%r12d\n\trorl\t$14,%r13d\n\tmovl\t%edx,%r15d\n\n\txorl\t%ecx,%r13d\n\trorl\t$9,%r14d\n\txorl\t%r8d,%r15d\n\n\tmovl\t%r12d,8(%rsp)\n\txorl\t%r10d,%r14d\n\tandl\t%ecx,%r15d\n\n\trorl\t$5,%r13d\n\taddl\t%r9d,%r12d\n\txorl\t%r8d,%r15d\n\n\trorl\t$11,%r14d\n\txorl\t%ecx,%r13d\n\taddl\t%r15d,%r12d\n\n\tmovl\t%r10d,%r15d\n\taddl\t(%rbp),%r12d\n\txorl\t%r10d,%r14d\n\n\txorl\t%r11d,%r15d\n\trorl\t$6,%r13d\n\tmovl\t%r11d,%r9d\n\n\tandl\t%r15d,%edi\n\trorl\t$2,%r14d\n\taddl\t%r13d,%r12d\n\n\txorl\t%edi,%r9d\n\taddl\t%r12d,%ebx\n\taddl\t%r12d,%r9d\n\n\tleaq\t4(%rbp),%rbp\n\taddl\t%r14d,%r9d\n\tmovl\t12(%rsi),%r12d\n\tmovl\t%ebx,%r13d\n\tmovl\t%r9d,%r14d\n\tbswapl\t%r12d\n\trorl\t$14,%r13d\n\tmovl\t%ecx,%edi\n\n\txorl\t%ebx,%r13d\n\trorl\t$9,%r14d\n\txorl\t%edx,%edi\n\n\tmovl\t%r12d,12(%rsp)\n\txorl\t%r9d,%r14d\n\tandl\t%ebx,%edi\n\n\trorl\t$5,%r13d\n\taddl\t%r8d,%r12d\n\txorl\t%edx,%edi\n\n\trorl\t$11,%r14d\n\txorl\t%ebx,%r13d\n\taddl\t%edi,%r12d\n\n\tmovl\t%r9d,%edi\n\taddl\t(%rbp),%r12d\n\txorl\t%r9d,%r14d\n\n\txorl\t%r10d,%edi\n\trorl\t$6,%r13d\n\tmovl\t%r10d,%r8d\n\n\tandl\t%edi,%r15d\n\trorl\t$2,%r14d\n\taddl\t%r13d,%r12d\n\n\txorl\t%r15d,%r8d\n\taddl\t%r12d,%eax\n\taddl\t%r12d,%r8d\n\n\tleaq\t20(%rbp),%rbp\n\taddl\t%r14d,%r8d\n\tmovl\t16(%rsi),%r12d\n\tmovl\t%eax,%r13d\n\tmovl\t%r8d,%r14d\n\tbswapl\t%r12d\n\trorl\t$14,%r13d\n\tmovl\t%ebx,%r15d\n\n\txorl\t%eax,%r13d\n\trorl\t$9,%r14d\n\txorl\t%ecx,%r15d\n\n\tmovl\t%r12d,16(%rsp)\n\txorl\t%r8d,%r14d\n\tandl\t%eax,%r15d\n\n\trorl\t$5,%r13d\n\taddl\t%edx,%r12d\n\txorl\t%ecx,%r15d\n\n\trorl\t$11,%r14d\n\txorl\t%eax,%r13d\n\taddl\t%r15d,%r12d\n\n\tmovl\t%r8d,%r15d\n\taddl\t(%rbp),%r12d\n\txorl\t%r8d,%r14d\n\n\txorl\t%r9d,%r15d\n\trorl\t$6,%r13d\n\tmovl\t%r9d,%edx\n\n\tandl\t%r15d,%edi\n\trorl\t$2,%r14d\n\taddl\t%r13d,%r12d\n\n\txorl\t%edi,%edx\n\taddl\t%r12d,%r11d\n\taddl\t%r12d,%edx\n\n\tleaq\t4(%rbp),%rbp\n\taddl\t%r14d,%edx\n\tmovl\t20(%rsi),%r12d\n\tmovl\t%r11d,%r13d\n\tmovl\t%edx,%r14d\n\tbswapl\t%r12d\n\trorl\t$14,%r13d\n\tmovl\t%eax,%edi\n\n\txorl\t%r11d,%r13d\n\trorl\t$9,%r14d\n\txorl\t%ebx,%edi\n\n\tmovl\t%r12d,20(%rsp)\n\txorl\t%edx,%r14d\n\tandl\t%r11d,%edi\n\n\trorl\t$5,%r13d\n\taddl\t%ecx,%r12d\n\txorl\t%ebx,%edi\n\n\trorl\t$11,%r14d\n\txorl\t%r11d,%r13d\n\taddl\t%edi,%r12d\n\n\tmovl\t%edx,%edi\n\taddl\t(%rbp),%r12d\n\txorl\t%edx,%r14d\n\n\txorl\t%r8d,%edi\n\trorl\t$6,%r13d\n\tmovl\t%r8d,%ecx\n\n\tandl\t%edi,%r15d\n\trorl\t$2,%r14d\n\taddl\t%r13d,%r12d\n\n\txorl\t%r15d,%ecx\n\taddl\t%r12d,%r10d\n\taddl\t%r12d,%ecx\n\n\tleaq\t4(%rbp),%rbp\n\taddl\t%r14d,%ecx\n\tmovl\t24(%rsi),%r12d\n\tmovl\t%r10d,%r13d\n\tmovl\t%ecx,%r14d\n\tbswapl\t%r12d\n\trorl\t$14,%r13d\n\tmovl\t%r11d,%r15d\n\n\txorl\t%r10d,%r13d\n\trorl\t$9,%r14d\n\txorl\t%eax,%r15d\n\n\tmovl\t%r12d,24(%rsp)\n\txorl\t%ecx,%r14d\n\tandl\t%r10d,%r15d\n\n\trorl\t$5,%r13d\n\taddl\t%ebx,%r12d\n\txorl\t%eax,%r15d\n\n\trorl\t$11,%r14d\n\txorl\t%r10d,%r13d\n\taddl\t%r15d,%r12d\n\n\tmovl\t%ecx,%r15d\n\taddl\t(%rbp),%r12d\n\txorl\t%ecx,%r14d\n\n\txorl\t%edx,%r15d\n\trorl\t$6,%r13d\n\tmovl\t%edx,%ebx\n\n\tandl\t%r15d,%edi\n\trorl\t$2,%r14d\n\taddl\t%r13d,%r12d\n\n\txorl\t%edi,%ebx\n\taddl\t%r12d,%r9d\n\taddl\t%r12d,%ebx\n\n\tleaq\t4(%rbp),%rbp\n\taddl\t%r14d,%ebx\n\tmovl\t28(%rsi),%r12d\n\tmovl\t%r9d,%r13d\n\tmovl\t%ebx,%r14d\n\tbswapl\t%r12d\n\trorl\t$14,%r13d\n\tmovl\t%r10d,%edi\n\n\txorl\t%r9d,%r13d\n\trorl\t$9,%r14d\n\txorl\t%r11d,%edi\n\n\tmovl\t%r12d,28(%rsp)\n\txorl\t%ebx,%r14d\n\tandl\t%r9d,%edi\n\n\trorl\t$5,%r13d\n\taddl\t%eax,%r12d\n\txorl\t%r11d,%edi\n\n\trorl\t$11,%r14d\n\txorl\t%r9d,%r13d\n\taddl\t%edi,%r12d\n\n\tmovl\t%ebx,%edi\n\taddl\t(%rbp),%r12d\n\txorl\t%ebx,%r14d\n\n\txorl\t%ecx,%edi\n\trorl\t$6,%r13d\n\tmovl\t%ecx,%eax\n\n\tandl\t%edi,%r15d\n\trorl\t$2,%r14d\n\taddl\t%r13d,%r12d\n\n\txorl\t%r15d,%eax\n\taddl\t%r12d,%r8d\n\taddl\t%r12d,%eax\n\n\tleaq\t20(%rbp),%rbp\n\taddl\t%r14d,%eax\n\tmovl\t32(%rsi),%r12d\n\tmovl\t%r8d,%r13d\n\tmovl\t%eax,%r14d\n\tbswapl\t%r12d\n\trorl\t$14,%r13d\n\tmovl\t%r9d,%r15d\n\n\txorl\t%r8d,%r13d\n\trorl\t$9,%r14d\n\txorl\t%r10d,%r15d\n\n\tmovl\t%r12d,32(%rsp)\n\txorl\t%eax,%r14d\n\tandl\t%r8d,%r15d\n\n\trorl\t$5,%r13d\n\taddl\t%r11d,%r12d\n\txorl\t%r10d,%r15d\n\n\trorl\t$11,%r14d\n\txorl\t%r8d,%r13d\n\taddl\t%r15d,%r12d\n\n\tmovl\t%eax,%r15d\n\taddl\t(%rbp),%r12d\n\txorl\t%eax,%r14d\n\n\txorl\t%ebx,%r15d\n\trorl\t$6,%r13d\n\tmovl\t%ebx,%r11d\n\n\tandl\t%r15d,%edi\n\trorl\t$2,%r14d\n\taddl\t%r13d,%r12d\n\n\txorl\t%edi,%r11d\n\taddl\t%r12d,%edx\n\taddl\t%r12d,%r11d\n\n\tleaq\t4(%rbp),%rbp\n\taddl\t%r14d,%r11d\n\tmovl\t36(%rsi),%r12d\n\tmovl\t%edx,%r13d\n\tmovl\t%r11d,%r14d\n\tbswapl\t%r12d\n\trorl\t$14,%r13d\n\tmovl\t%r8d,%edi\n\n\txorl\t%edx,%r13d\n\trorl\t$9,%r14d\n\txorl\t%r9d,%edi\n\n\tmovl\t%r12d,36(%rsp)\n\txorl\t%r11d,%r14d\n\tandl\t%edx,%edi\n\n\trorl\t$5,%r13d\n\taddl\t%r10d,%r12d\n\txorl\t%r9d,%edi\n\n\trorl\t$11,%r14d\n\txorl\t%edx,%r13d\n\taddl\t%edi,%r12d\n\n\tmovl\t%r11d,%edi\n\taddl\t(%rbp),%r12d\n\txorl\t%r11d,%r14d\n\n\txorl\t%eax,%edi\n\trorl\t$6,%r13d\n\tmovl\t%eax,%r10d\n\n\tandl\t%edi,%r15d\n\trorl\t$2,%r14d\n\taddl\t%r13d,%r12d\n\n\txorl\t%r15d,%r10d\n\taddl\t%r12d,%ecx\n\taddl\t%r12d,%r10d\n\n\tleaq\t4(%rbp),%rbp\n\taddl\t%r14d,%r10d\n\tmovl\t40(%rsi),%r12d\n\tmovl\t%ecx,%r13d\n\tmovl\t%r10d,%r14d\n\tbswapl\t%r12d\n\trorl\t$14,%r13d\n\tmovl\t%edx,%r15d\n\n\txorl\t%ecx,%r13d\n\trorl\t$9,%r14d\n\txorl\t%r8d,%r15d\n\n\tmovl\t%r12d,40(%rsp)\n\txorl\t%r10d,%r14d\n\tandl\t%ecx,%r15d\n\n\trorl\t$5,%r13d\n\taddl\t%r9d,%r12d\n\txorl\t%r8d,%r15d\n\n\trorl\t$11,%r14d\n\txorl\t%ecx,%r13d\n\taddl\t%r15d,%r12d\n\n\tmovl\t%r10d,%r15d\n\taddl\t(%rbp),%r12d\n\txorl\t%r10d,%r14d\n\n\txorl\t%r11d,%r15d\n\trorl\t$6,%r13d\n\tmovl\t%r11d,%r9d\n\n\tandl\t%r15d,%edi\n\trorl\t$2,%r14d\n\taddl\t%r13d,%r12d\n\n\txorl\t%edi,%r9d\n\taddl\t%r12d,%ebx\n\taddl\t%r12d,%r9d\n\n\tleaq\t4(%rbp),%rbp\n\taddl\t%r14d,%r9d\n\tmovl\t44(%rsi),%r12d\n\tmovl\t%ebx,%r13d\n\tmovl\t%r9d,%r14d\n\tbswapl\t%r12d\n\trorl\t$14,%r13d\n\tmovl\t%ecx,%edi\n\n\txorl\t%ebx,%r13d\n\trorl\t$9,%r14d\n\txorl\t%edx,%edi\n\n\tmovl\t%r12d,44(%rsp)\n\txorl\t%r9d,%r14d\n\tandl\t%ebx,%edi\n\n\trorl\t$5,%r13d\n\taddl\t%r8d,%r12d\n\txorl\t%edx,%edi\n\n\trorl\t$11,%r14d\n\txorl\t%ebx,%r13d\n\taddl\t%edi,%r12d\n\n\tmovl\t%r9d,%edi\n\taddl\t(%rbp),%r12d\n\txorl\t%r9d,%r14d\n\n\txorl\t%r10d,%edi\n\trorl\t$6,%r13d\n\tmovl\t%r10d,%r8d\n\n\tandl\t%edi,%r15d\n\trorl\t$2,%r14d\n\taddl\t%r13d,%r12d\n\n\txorl\t%r15d,%r8d\n\taddl\t%r12d,%eax\n\taddl\t%r12d,%r8d\n\n\tleaq\t20(%rbp),%rbp\n\taddl\t%r14d,%r8d\n\tmovl\t48(%rsi),%r12d\n\tmovl\t%eax,%r13d\n\tmovl\t%r8d,%r14d\n\tbswapl\t%r12d\n\trorl\t$14,%r13d\n\tmovl\t%ebx,%r15d\n\n\txorl\t%eax,%r13d\n\trorl\t$9,%r14d\n\txorl\t%ecx,%r15d\n\n\tmovl\t%r12d,48(%rsp)\n\txorl\t%r8d,%r14d\n\tandl\t%eax,%r15d\n\n\trorl\t$5,%r13d\n\taddl\t%edx,%r12d\n\txorl\t%ecx,%r15d\n\n\trorl\t$11,%r14d\n\txorl\t%eax,%r13d\n\taddl\t%r15d,%r12d\n\n\tmovl\t%r8d,%r15d\n\taddl\t(%rbp),%r12d\n\txorl\t%r8d,%r14d\n\n\txorl\t%r9d,%r15d\n\trorl\t$6,%r13d\n\tmovl\t%r9d,%edx\n\n\tandl\t%r15d,%edi\n\trorl\t$2,%r14d\n\taddl\t%r13d,%r12d\n\n\txorl\t%edi,%edx\n\taddl\t%r12d,%r11d\n\taddl\t%r12d,%edx\n\n\tleaq\t4(%rbp),%rbp\n\taddl\t%r14d,%edx\n\tmovl\t52(%rsi),%r12d\n\tmovl\t%r11d,%r13d\n\tmovl\t%edx,%r14d\n\tbswapl\t%r12d\n\trorl\t$14,%r13d\n\tmovl\t%eax,%edi\n\n\txorl\t%r11d,%r13d\n\trorl\t$9,%r14d\n\txorl\t%ebx,%edi\n\n\tmovl\t%r12d,52(%rsp)\n\txorl\t%edx,%r14d\n\tandl\t%r11d,%edi\n\n\trorl\t$5,%r13d\n\taddl\t%ecx,%r12d\n\txorl\t%ebx,%edi\n\n\trorl\t$11,%r14d\n\txorl\t%r11d,%r13d\n\taddl\t%edi,%r12d\n\n\tmovl\t%edx,%edi\n\taddl\t(%rbp),%r12d\n\txorl\t%edx,%r14d\n\n\txorl\t%r8d,%edi\n\trorl\t$6,%r13d\n\tmovl\t%r8d,%ecx\n\n\tandl\t%edi,%r15d\n\trorl\t$2,%r14d\n\taddl\t%r13d,%r12d\n\n\txorl\t%r15d,%ecx\n\taddl\t%r12d,%r10d\n\taddl\t%r12d,%ecx\n\n\tleaq\t4(%rbp),%rbp\n\taddl\t%r14d,%ecx\n\tmovl\t56(%rsi),%r12d\n\tmovl\t%r10d,%r13d\n\tmovl\t%ecx,%r14d\n\tbswapl\t%r12d\n\trorl\t$14,%r13d\n\tmovl\t%r11d,%r15d\n\n\txorl\t%r10d,%r13d\n\trorl\t$9,%r14d\n\txorl\t%eax,%r15d\n\n\tmovl\t%r12d,56(%rsp)\n\txorl\t%ecx,%r14d\n\tandl\t%r10d,%r15d\n\n\trorl\t$5,%r13d\n\taddl\t%ebx,%r12d\n\txorl\t%eax,%r15d\n\n\trorl\t$11,%r14d\n\txorl\t%r10d,%r13d\n\taddl\t%r15d,%r12d\n\n\tmovl\t%ecx,%r15d\n\taddl\t(%rbp),%r12d\n\txorl\t%ecx,%r14d\n\n\txorl\t%edx,%r15d\n\trorl\t$6,%r13d\n\tmovl\t%edx,%ebx\n\n\tandl\t%r15d,%edi\n\trorl\t$2,%r14d\n\taddl\t%r13d,%r12d\n\n\txorl\t%edi,%ebx\n\taddl\t%r12d,%r9d\n\taddl\t%r12d,%ebx\n\n\tleaq\t4(%rbp),%rbp\n\taddl\t%r14d,%ebx\n\tmovl\t60(%rsi),%r12d\n\tmovl\t%r9d,%r13d\n\tmovl\t%ebx,%r14d\n\tbswapl\t%r12d\n\trorl\t$14,%r13d\n\tmovl\t%r10d,%edi\n\n\txorl\t%r9d,%r13d\n\trorl\t$9,%r14d\n\txorl\t%r11d,%edi\n\n\tmovl\t%r12d,60(%rsp)\n\txorl\t%ebx,%r14d\n\tandl\t%r9d,%edi\n\n\trorl\t$5,%r13d\n\taddl\t%eax,%r12d\n\txorl\t%r11d,%edi\n\n\trorl\t$11,%r14d\n\txorl\t%r9d,%r13d\n\taddl\t%edi,%r12d\n\n\tmovl\t%ebx,%edi\n\taddl\t(%rbp),%r12d\n\txorl\t%ebx,%r14d\n\n\txorl\t%ecx,%edi\n\trorl\t$6,%r13d\n\tmovl\t%ecx,%eax\n\n\tandl\t%edi,%r15d\n\trorl\t$2,%r14d\n\taddl\t%r13d,%r12d\n\n\txorl\t%r15d,%eax\n\taddl\t%r12d,%r8d\n\taddl\t%r12d,%eax\n\n\tleaq\t20(%rbp),%rbp\n\tjmp\t.Lrounds_16_xx\n.align\t16\n.Lrounds_16_xx:\n\tmovl\t4(%rsp),%r13d\n\tmovl\t56(%rsp),%r15d\n\n\tmovl\t%r13d,%r12d\n\trorl\t$11,%r13d\n\taddl\t%r14d,%eax\n\tmovl\t%r15d,%r14d\n\trorl\t$2,%r15d\n\n\txorl\t%r12d,%r13d\n\tshrl\t$3,%r12d\n\trorl\t$7,%r13d\n\txorl\t%r14d,%r15d\n\tshrl\t$10,%r14d\n\n\trorl\t$17,%r15d\n\txorl\t%r13d,%r12d\n\txorl\t%r14d,%r15d\n\taddl\t36(%rsp),%r12d\n\n\taddl\t0(%rsp),%r12d\n\tmovl\t%r8d,%r13d\n\taddl\t%r15d,%r12d\n\tmovl\t%eax,%r14d\n\trorl\t$14,%r13d\n\tmovl\t%r9d,%r15d\n\n\txorl\t%r8d,%r13d\n\trorl\t$9,%r14d\n\txorl\t%r10d,%r15d\n\n\tmovl\t%r12d,0(%rsp)\n\txorl\t%eax,%r14d\n\tandl\t%r8d,%r15d\n\n\trorl\t$5,%r13d\n\taddl\t%r11d,%r12d\n\txorl\t%r10d,%r15d\n\n\trorl\t$11,%r14d\n\txorl\t%r8d,%r13d\n\taddl\t%r15d,%r12d\n\n\tmovl\t%eax,%r15d\n\taddl\t(%rbp),%r12d\n\txorl\t%eax,%r14d\n\n\txorl\t%ebx,%r15d\n\trorl\t$6,%r13d\n\tmovl\t%ebx,%r11d\n\n\tandl\t%r15d,%edi\n\trorl\t$2,%r14d\n\taddl\t%r13d,%r12d\n\n\txorl\t%edi,%r11d\n\taddl\t%r12d,%edx\n\taddl\t%r12d,%r11d\n\n\tleaq\t4(%rbp),%rbp\n\tmovl\t8(%rsp),%r13d\n\tmovl\t60(%rsp),%edi\n\n\tmovl\t%r13d,%r12d\n\trorl\t$11,%r13d\n\taddl\t%r14d,%r11d\n\tmovl\t%edi,%r14d\n\trorl\t$2,%edi\n\n\txorl\t%r12d,%r13d\n\tshrl\t$3,%r12d\n\trorl\t$7,%r13d\n\txorl\t%r14d,%edi\n\tshrl\t$10,%r14d\n\n\trorl\t$17,%edi\n\txorl\t%r13d,%r12d\n\txorl\t%r14d,%edi\n\taddl\t40(%rsp),%r12d\n\n\taddl\t4(%rsp),%r12d\n\tmovl\t%edx,%r13d\n\taddl\t%edi,%r12d\n\tmovl\t%r11d,%r14d\n\trorl\t$14,%r13d\n\tmovl\t%r8d,%edi\n\n\txorl\t%edx,%r13d\n\trorl\t$9,%r14d\n\txorl\t%r9d,%edi\n\n\tmovl\t%r12d,4(%rsp)\n\txorl\t%r11d,%r14d\n\tandl\t%edx,%edi\n\n\trorl\t$5,%r13d\n\taddl\t%r10d,%r12d\n\txorl\t%r9d,%edi\n\n\trorl\t$11,%r14d\n\txorl\t%edx,%r13d\n\taddl\t%edi,%r12d\n\n\tmovl\t%r11d,%edi\n\taddl\t(%rbp),%r12d\n\txorl\t%r11d,%r14d\n\n\txorl\t%eax,%edi\n\trorl\t$6,%r13d\n\tmovl\t%eax,%r10d\n\n\tandl\t%edi,%r15d\n\trorl\t$2,%r14d\n\taddl\t%r13d,%r12d\n\n\txorl\t%r15d,%r10d\n\taddl\t%r12d,%ecx\n\taddl\t%r12d,%r10d\n\n\tleaq\t4(%rbp),%rbp\n\tmovl\t12(%rsp),%r13d\n\tmovl\t0(%rsp),%r15d\n\n\tmovl\t%r13d,%r12d\n\trorl\t$11,%r13d\n\taddl\t%r14d,%r10d\n\tmovl\t%r15d,%r14d\n\trorl\t$2,%r15d\n\n\txorl\t%r12d,%r13d\n\tshrl\t$3,%r12d\n\trorl\t$7,%r13d\n\txorl\t%r14d,%r15d\n\tshrl\t$10,%r14d\n\n\trorl\t$17,%r15d\n\txorl\t%r13d,%r12d\n\txorl\t%r14d,%r15d\n\taddl\t44(%rsp),%r12d\n\n\taddl\t8(%rsp),%r12d\n\tmovl\t%ecx,%r13d\n\taddl\t%r15d,%r12d\n\tmovl\t%r10d,%r14d\n\trorl\t$14,%r13d\n\tmovl\t%edx,%r15d\n\n\txorl\t%ecx,%r13d\n\trorl\t$9,%r14d\n\txorl\t%r8d,%r15d\n\n\tmovl\t%r12d,8(%rsp)\n\txorl\t%r10d,%r14d\n\tandl\t%ecx,%r15d\n\n\trorl\t$5,%r13d\n\taddl\t%r9d,%r12d\n\txorl\t%r8d,%r15d\n\n\trorl\t$11,%r14d\n\txorl\t%ecx,%r13d\n\taddl\t%r15d,%r12d\n\n\tmovl\t%r10d,%r15d\n\taddl\t(%rbp),%r12d\n\txorl\t%r10d,%r14d\n\n\txorl\t%r11d,%r15d\n\trorl\t$6,%r13d\n\tmovl\t%r11d,%r9d\n\n\tandl\t%r15d,%edi\n\trorl\t$2,%r14d\n\taddl\t%r13d,%r12d\n\n\txorl\t%edi,%r9d\n\taddl\t%r12d,%ebx\n\taddl\t%r12d,%r9d\n\n\tleaq\t4(%rbp),%rbp\n\tmovl\t16(%rsp),%r13d\n\tmovl\t4(%rsp),%edi\n\n\tmovl\t%r13d,%r12d\n\trorl\t$11,%r13d\n\taddl\t%r14d,%r9d\n\tmovl\t%edi,%r14d\n\trorl\t$2,%edi\n\n\txorl\t%r12d,%r13d\n\tshrl\t$3,%r12d\n\trorl\t$7,%r13d\n\txorl\t%r14d,%edi\n\tshrl\t$10,%r14d\n\n\trorl\t$17,%edi\n\txorl\t%r13d,%r12d\n\txorl\t%r14d,%edi\n\taddl\t48(%rsp),%r12d\n\n\taddl\t12(%rsp),%r12d\n\tmovl\t%ebx,%r13d\n\taddl\t%edi,%r12d\n\tmovl\t%r9d,%r14d\n\trorl\t$14,%r13d\n\tmovl\t%ecx,%edi\n\n\txorl\t%ebx,%r13d\n\trorl\t$9,%r14d\n\txorl\t%edx,%edi\n\n\tmovl\t%r12d,12(%rsp)\n\txorl\t%r9d,%r14d\n\tandl\t%ebx,%edi\n\n\trorl\t$5,%r13d\n\taddl\t%r8d,%r12d\n\txorl\t%edx,%edi\n\n\trorl\t$11,%r14d\n\txorl\t%ebx,%r13d\n\taddl\t%edi,%r12d\n\n\tmovl\t%r9d,%edi\n\taddl\t(%rbp),%r12d\n\txorl\t%r9d,%r14d\n\n\txorl\t%r10d,%edi\n\trorl\t$6,%r13d\n\tmovl\t%r10d,%r8d\n\n\tandl\t%edi,%r15d\n\trorl\t$2,%r14d\n\taddl\t%r13d,%r12d\n\n\txorl\t%r15d,%r8d\n\taddl\t%r12d,%eax\n\taddl\t%r12d,%r8d\n\n\tleaq\t20(%rbp),%rbp\n\tmovl\t20(%rsp),%r13d\n\tmovl\t8(%rsp),%r15d\n\n\tmovl\t%r13d,%r12d\n\trorl\t$11,%r13d\n\taddl\t%r14d,%r8d\n\tmovl\t%r15d,%r14d\n\trorl\t$2,%r15d\n\n\txorl\t%r12d,%r13d\n\tshrl\t$3,%r12d\n\trorl\t$7,%r13d\n\txorl\t%r14d,%r15d\n\tshrl\t$10,%r14d\n\n\trorl\t$17,%r15d\n\txorl\t%r13d,%r12d\n\txorl\t%r14d,%r15d\n\taddl\t52(%rsp),%r12d\n\n\taddl\t16(%rsp),%r12d\n\tmovl\t%eax,%r13d\n\taddl\t%r15d,%r12d\n\tmovl\t%r8d,%r14d\n\trorl\t$14,%r13d\n\tmovl\t%ebx,%r15d\n\n\txorl\t%eax,%r13d\n\trorl\t$9,%r14d\n\txorl\t%ecx,%r15d\n\n\tmovl\t%r12d,16(%rsp)\n\txorl\t%r8d,%r14d\n\tandl\t%eax,%r15d\n\n\trorl\t$5,%r13d\n\taddl\t%edx,%r12d\n\txorl\t%ecx,%r15d\n\n\trorl\t$11,%r14d\n\txorl\t%eax,%r13d\n\taddl\t%r15d,%r12d\n\n\tmovl\t%r8d,%r15d\n\taddl\t(%rbp),%r12d\n\txorl\t%r8d,%r14d\n\n\txorl\t%r9d,%r15d\n\trorl\t$6,%r13d\n\tmovl\t%r9d,%edx\n\n\tandl\t%r15d,%edi\n\trorl\t$2,%r14d\n\taddl\t%r13d,%r12d\n\n\txorl\t%edi,%edx\n\taddl\t%r12d,%r11d\n\taddl\t%r12d,%edx\n\n\tleaq\t4(%rbp),%rbp\n\tmovl\t24(%rsp),%r13d\n\tmovl\t12(%rsp),%edi\n\n\tmovl\t%r13d,%r12d\n\trorl\t$11,%r13d\n\taddl\t%r14d,%edx\n\tmovl\t%edi,%r14d\n\trorl\t$2,%edi\n\n\txorl\t%r12d,%r13d\n\tshrl\t$3,%r12d\n\trorl\t$7,%r13d\n\txorl\t%r14d,%edi\n\tshrl\t$10,%r14d\n\n\trorl\t$17,%edi\n\txorl\t%r13d,%r12d\n\txorl\t%r14d,%edi\n\taddl\t56(%rsp),%r12d\n\n\taddl\t20(%rsp),%r12d\n\tmovl\t%r11d,%r13d\n\taddl\t%edi,%r12d\n\tmovl\t%edx,%r14d\n\trorl\t$14,%r13d\n\tmovl\t%eax,%edi\n\n\txorl\t%r11d,%r13d\n\trorl\t$9,%r14d\n\txorl\t%ebx,%edi\n\n\tmovl\t%r12d,20(%rsp)\n\txorl\t%edx,%r14d\n\tandl\t%r11d,%edi\n\n\trorl\t$5,%r13d\n\taddl\t%ecx,%r12d\n\txorl\t%ebx,%edi\n\n\trorl\t$11,%r14d\n\txorl\t%r11d,%r13d\n\taddl\t%edi,%r12d\n\n\tmovl\t%edx,%edi\n\taddl\t(%rbp),%r12d\n\txorl\t%edx,%r14d\n\n\txorl\t%r8d,%edi\n\trorl\t$6,%r13d\n\tmovl\t%r8d,%ecx\n\n\tandl\t%edi,%r15d\n\trorl\t$2,%r14d\n\taddl\t%r13d,%r12d\n\n\txorl\t%r15d,%ecx\n\taddl\t%r12d,%r10d\n\taddl\t%r12d,%ecx\n\n\tleaq\t4(%rbp),%rbp\n\tmovl\t28(%rsp),%r13d\n\tmovl\t16(%rsp),%r15d\n\n\tmovl\t%r13d,%r12d\n\trorl\t$11,%r13d\n\taddl\t%r14d,%ecx\n\tmovl\t%r15d,%r14d\n\trorl\t$2,%r15d\n\n\txorl\t%r12d,%r13d\n\tshrl\t$3,%r12d\n\trorl\t$7,%r13d\n\txorl\t%r14d,%r15d\n\tshrl\t$10,%r14d\n\n\trorl\t$17,%r15d\n\txorl\t%r13d,%r12d\n\txorl\t%r14d,%r15d\n\taddl\t60(%rsp),%r12d\n\n\taddl\t24(%rsp),%r12d\n\tmovl\t%r10d,%r13d\n\taddl\t%r15d,%r12d\n\tmovl\t%ecx,%r14d\n\trorl\t$14,%r13d\n\tmovl\t%r11d,%r15d\n\n\txorl\t%r10d,%r13d\n\trorl\t$9,%r14d\n\txorl\t%eax,%r15d\n\n\tmovl\t%r12d,24(%rsp)\n\txorl\t%ecx,%r14d\n\tandl\t%r10d,%r15d\n\n\trorl\t$5,%r13d\n\taddl\t%ebx,%r12d\n\txorl\t%eax,%r15d\n\n\trorl\t$11,%r14d\n\txorl\t%r10d,%r13d\n\taddl\t%r15d,%r12d\n\n\tmovl\t%ecx,%r15d\n\taddl\t(%rbp),%r12d\n\txorl\t%ecx,%r14d\n\n\txorl\t%edx,%r15d\n\trorl\t$6,%r13d\n\tmovl\t%edx,%ebx\n\n\tandl\t%r15d,%edi\n\trorl\t$2,%r14d\n\taddl\t%r13d,%r12d\n\n\txorl\t%edi,%ebx\n\taddl\t%r12d,%r9d\n\taddl\t%r12d,%ebx\n\n\tleaq\t4(%rbp),%rbp\n\tmovl\t32(%rsp),%r13d\n\tmovl\t20(%rsp),%edi\n\n\tmovl\t%r13d,%r12d\n\trorl\t$11,%r13d\n\taddl\t%r14d,%ebx\n\tmovl\t%edi,%r14d\n\trorl\t$2,%edi\n\n\txorl\t%r12d,%r13d\n\tshrl\t$3,%r12d\n\trorl\t$7,%r13d\n\txorl\t%r14d,%edi\n\tshrl\t$10,%r14d\n\n\trorl\t$17,%edi\n\txorl\t%r13d,%r12d\n\txorl\t%r14d,%edi\n\taddl\t0(%rsp),%r12d\n\n\taddl\t28(%rsp),%r12d\n\tmovl\t%r9d,%r13d\n\taddl\t%edi,%r12d\n\tmovl\t%ebx,%r14d\n\trorl\t$14,%r13d\n\tmovl\t%r10d,%edi\n\n\txorl\t%r9d,%r13d\n\trorl\t$9,%r14d\n\txorl\t%r11d,%edi\n\n\tmovl\t%r12d,28(%rsp)\n\txorl\t%ebx,%r14d\n\tandl\t%r9d,%edi\n\n\trorl\t$5,%r13d\n\taddl\t%eax,%r12d\n\txorl\t%r11d,%edi\n\n\trorl\t$11,%r14d\n\txorl\t%r9d,%r13d\n\taddl\t%edi,%r12d\n\n\tmovl\t%ebx,%edi\n\taddl\t(%rbp),%r12d\n\txorl\t%ebx,%r14d\n\n\txorl\t%ecx,%edi\n\trorl\t$6,%r13d\n\tmovl\t%ecx,%eax\n\n\tandl\t%edi,%r15d\n\trorl\t$2,%r14d\n\taddl\t%r13d,%r12d\n\n\txorl\t%r15d,%eax\n\taddl\t%r12d,%r8d\n\taddl\t%r12d,%eax\n\n\tleaq\t20(%rbp),%rbp\n\tmovl\t36(%rsp),%r13d\n\tmovl\t24(%rsp),%r15d\n\n\tmovl\t%r13d,%r12d\n\trorl\t$11,%r13d\n\taddl\t%r14d,%eax\n\tmovl\t%r15d,%r14d\n\trorl\t$2,%r15d\n\n\txorl\t%r12d,%r13d\n\tshrl\t$3,%r12d\n\trorl\t$7,%r13d\n\txorl\t%r14d,%r15d\n\tshrl\t$10,%r14d\n\n\trorl\t$17,%r15d\n\txorl\t%r13d,%r12d\n\txorl\t%r14d,%r15d\n\taddl\t4(%rsp),%r12d\n\n\taddl\t32(%rsp),%r12d\n\tmovl\t%r8d,%r13d\n\taddl\t%r15d,%r12d\n\tmovl\t%eax,%r14d\n\trorl\t$14,%r13d\n\tmovl\t%r9d,%r15d\n\n\txorl\t%r8d,%r13d\n\trorl\t$9,%r14d\n\txorl\t%r10d,%r15d\n\n\tmovl\t%r12d,32(%rsp)\n\txorl\t%eax,%r14d\n\tandl\t%r8d,%r15d\n\n\trorl\t$5,%r13d\n\taddl\t%r11d,%r12d\n\txorl\t%r10d,%r15d\n\n\trorl\t$11,%r14d\n\txorl\t%r8d,%r13d\n\taddl\t%r15d,%r12d\n\n\tmovl\t%eax,%r15d\n\taddl\t(%rbp),%r12d\n\txorl\t%eax,%r14d\n\n\txorl\t%ebx,%r15d\n\trorl\t$6,%r13d\n\tmovl\t%ebx,%r11d\n\n\tandl\t%r15d,%edi\n\trorl\t$2,%r14d\n\taddl\t%r13d,%r12d\n\n\txorl\t%edi,%r11d\n\taddl\t%r12d,%edx\n\taddl\t%r12d,%r11d\n\n\tleaq\t4(%rbp),%rbp\n\tmovl\t40(%rsp),%r13d\n\tmovl\t28(%rsp),%edi\n\n\tmovl\t%r13d,%r12d\n\trorl\t$11,%r13d\n\taddl\t%r14d,%r11d\n\tmovl\t%edi,%r14d\n\trorl\t$2,%edi\n\n\txorl\t%r12d,%r13d\n\tshrl\t$3,%r12d\n\trorl\t$7,%r13d\n\txorl\t%r14d,%edi\n\tshrl\t$10,%r14d\n\n\trorl\t$17,%edi\n\txorl\t%r13d,%r12d\n\txorl\t%r14d,%edi\n\taddl\t8(%rsp),%r12d\n\n\taddl\t36(%rsp),%r12d\n\tmovl\t%edx,%r13d\n\taddl\t%edi,%r12d\n\tmovl\t%r11d,%r14d\n\trorl\t$14,%r13d\n\tmovl\t%r8d,%edi\n\n\txorl\t%edx,%r13d\n\trorl\t$9,%r14d\n\txorl\t%r9d,%edi\n\n\tmovl\t%r12d,36(%rsp)\n\txorl\t%r11d,%r14d\n\tandl\t%edx,%edi\n\n\trorl\t$5,%r13d\n\taddl\t%r10d,%r12d\n\txorl\t%r9d,%edi\n\n\trorl\t$11,%r14d\n\txorl\t%edx,%r13d\n\taddl\t%edi,%r12d\n\n\tmovl\t%r11d,%edi\n\taddl\t(%rbp),%r12d\n\txorl\t%r11d,%r14d\n\n\txorl\t%eax,%edi\n\trorl\t$6,%r13d\n\tmovl\t%eax,%r10d\n\n\tandl\t%edi,%r15d\n\trorl\t$2,%r14d\n\taddl\t%r13d,%r12d\n\n\txorl\t%r15d,%r10d\n\taddl\t%r12d,%ecx\n\taddl\t%r12d,%r10d\n\n\tleaq\t4(%rbp),%rbp\n\tmovl\t44(%rsp),%r13d\n\tmovl\t32(%rsp),%r15d\n\n\tmovl\t%r13d,%r12d\n\trorl\t$11,%r13d\n\taddl\t%r14d,%r10d\n\tmovl\t%r15d,%r14d\n\trorl\t$2,%r15d\n\n\txorl\t%r12d,%r13d\n\tshrl\t$3,%r12d\n\trorl\t$7,%r13d\n\txorl\t%r14d,%r15d\n\tshrl\t$10,%r14d\n\n\trorl\t$17,%r15d\n\txorl\t%r13d,%r12d\n\txorl\t%r14d,%r15d\n\taddl\t12(%rsp),%r12d\n\n\taddl\t40(%rsp),%r12d\n\tmovl\t%ecx,%r13d\n\taddl\t%r15d,%r12d\n\tmovl\t%r10d,%r14d\n\trorl\t$14,%r13d\n\tmovl\t%edx,%r15d\n\n\txorl\t%ecx,%r13d\n\trorl\t$9,%r14d\n\txorl\t%r8d,%r15d\n\n\tmovl\t%r12d,40(%rsp)\n\txorl\t%r10d,%r14d\n\tandl\t%ecx,%r15d\n\n\trorl\t$5,%r13d\n\taddl\t%r9d,%r12d\n\txorl\t%r8d,%r15d\n\n\trorl\t$11,%r14d\n\txorl\t%ecx,%r13d\n\taddl\t%r15d,%r12d\n\n\tmovl\t%r10d,%r15d\n\taddl\t(%rbp),%r12d\n\txorl\t%r10d,%r14d\n\n\txorl\t%r11d,%r15d\n\trorl\t$6,%r13d\n\tmovl\t%r11d,%r9d\n\n\tandl\t%r15d,%edi\n\trorl\t$2,%r14d\n\taddl\t%r13d,%r12d\n\n\txorl\t%edi,%r9d\n\taddl\t%r12d,%ebx\n\taddl\t%r12d,%r9d\n\n\tleaq\t4(%rbp),%rbp\n\tmovl\t48(%rsp),%r13d\n\tmovl\t36(%rsp),%edi\n\n\tmovl\t%r13d,%r12d\n\trorl\t$11,%r13d\n\taddl\t%r14d,%r9d\n\tmovl\t%edi,%r14d\n\trorl\t$2,%edi\n\n\txorl\t%r12d,%r13d\n\tshrl\t$3,%r12d\n\trorl\t$7,%r13d\n\txorl\t%r14d,%edi\n\tshrl\t$10,%r14d\n\n\trorl\t$17,%edi\n\txorl\t%r13d,%r12d\n\txorl\t%r14d,%edi\n\taddl\t16(%rsp),%r12d\n\n\taddl\t44(%rsp),%r12d\n\tmovl\t%ebx,%r13d\n\taddl\t%edi,%r12d\n\tmovl\t%r9d,%r14d\n\trorl\t$14,%r13d\n\tmovl\t%ecx,%edi\n\n\txorl\t%ebx,%r13d\n\trorl\t$9,%r14d\n\txorl\t%edx,%edi\n\n\tmovl\t%r12d,44(%rsp)\n\txorl\t%r9d,%r14d\n\tandl\t%ebx,%edi\n\n\trorl\t$5,%r13d\n\taddl\t%r8d,%r12d\n\txorl\t%edx,%edi\n\n\trorl\t$11,%r14d\n\txorl\t%ebx,%r13d\n\taddl\t%edi,%r12d\n\n\tmovl\t%r9d,%edi\n\taddl\t(%rbp),%r12d\n\txorl\t%r9d,%r14d\n\n\txorl\t%r10d,%edi\n\trorl\t$6,%r13d\n\tmovl\t%r10d,%r8d\n\n\tandl\t%edi,%r15d\n\trorl\t$2,%r14d\n\taddl\t%r13d,%r12d\n\n\txorl\t%r15d,%r8d\n\taddl\t%r12d,%eax\n\taddl\t%r12d,%r8d\n\n\tleaq\t20(%rbp),%rbp\n\tmovl\t52(%rsp),%r13d\n\tmovl\t40(%rsp),%r15d\n\n\tmovl\t%r13d,%r12d\n\trorl\t$11,%r13d\n\taddl\t%r14d,%r8d\n\tmovl\t%r15d,%r14d\n\trorl\t$2,%r15d\n\n\txorl\t%r12d,%r13d\n\tshrl\t$3,%r12d\n\trorl\t$7,%r13d\n\txorl\t%r14d,%r15d\n\tshrl\t$10,%r14d\n\n\trorl\t$17,%r15d\n\txorl\t%r13d,%r12d\n\txorl\t%r14d,%r15d\n\taddl\t20(%rsp),%r12d\n\n\taddl\t48(%rsp),%r12d\n\tmovl\t%eax,%r13d\n\taddl\t%r15d,%r12d\n\tmovl\t%r8d,%r14d\n\trorl\t$14,%r13d\n\tmovl\t%ebx,%r15d\n\n\txorl\t%eax,%r13d\n\trorl\t$9,%r14d\n\txorl\t%ecx,%r15d\n\n\tmovl\t%r12d,48(%rsp)\n\txorl\t%r8d,%r14d\n\tandl\t%eax,%r15d\n\n\trorl\t$5,%r13d\n\taddl\t%edx,%r12d\n\txorl\t%ecx,%r15d\n\n\trorl\t$11,%r14d\n\txorl\t%eax,%r13d\n\taddl\t%r15d,%r12d\n\n\tmovl\t%r8d,%r15d\n\taddl\t(%rbp),%r12d\n\txorl\t%r8d,%r14d\n\n\txorl\t%r9d,%r15d\n\trorl\t$6,%r13d\n\tmovl\t%r9d,%edx\n\n\tandl\t%r15d,%edi\n\trorl\t$2,%r14d\n\taddl\t%r13d,%r12d\n\n\txorl\t%edi,%edx\n\taddl\t%r12d,%r11d\n\taddl\t%r12d,%edx\n\n\tleaq\t4(%rbp),%rbp\n\tmovl\t56(%rsp),%r13d\n\tmovl\t44(%rsp),%edi\n\n\tmovl\t%r13d,%r12d\n\trorl\t$11,%r13d\n\taddl\t%r14d,%edx\n\tmovl\t%edi,%r14d\n\trorl\t$2,%edi\n\n\txorl\t%r12d,%r13d\n\tshrl\t$3,%r12d\n\trorl\t$7,%r13d\n\txorl\t%r14d,%edi\n\tshrl\t$10,%r14d\n\n\trorl\t$17,%edi\n\txorl\t%r13d,%r12d\n\txorl\t%r14d,%edi\n\taddl\t24(%rsp),%r12d\n\n\taddl\t52(%rsp),%r12d\n\tmovl\t%r11d,%r13d\n\taddl\t%edi,%r12d\n\tmovl\t%edx,%r14d\n\trorl\t$14,%r13d\n\tmovl\t%eax,%edi\n\n\txorl\t%r11d,%r13d\n\trorl\t$9,%r14d\n\txorl\t%ebx,%edi\n\n\tmovl\t%r12d,52(%rsp)\n\txorl\t%edx,%r14d\n\tandl\t%r11d,%edi\n\n\trorl\t$5,%r13d\n\taddl\t%ecx,%r12d\n\txorl\t%ebx,%edi\n\n\trorl\t$11,%r14d\n\txorl\t%r11d,%r13d\n\taddl\t%edi,%r12d\n\n\tmovl\t%edx,%edi\n\taddl\t(%rbp),%r12d\n\txorl\t%edx,%r14d\n\n\txorl\t%r8d,%edi\n\trorl\t$6,%r13d\n\tmovl\t%r8d,%ecx\n\n\tandl\t%edi,%r15d\n\trorl\t$2,%r14d\n\taddl\t%r13d,%r12d\n\n\txorl\t%r15d,%ecx\n\taddl\t%r12d,%r10d\n\taddl\t%r12d,%ecx\n\n\tleaq\t4(%rbp),%rbp\n\tmovl\t60(%rsp),%r13d\n\tmovl\t48(%rsp),%r15d\n\n\tmovl\t%r13d,%r12d\n\trorl\t$11,%r13d\n\taddl\t%r14d,%ecx\n\tmovl\t%r15d,%r14d\n\trorl\t$2,%r15d\n\n\txorl\t%r12d,%r13d\n\tshrl\t$3,%r12d\n\trorl\t$7,%r13d\n\txorl\t%r14d,%r15d\n\tshrl\t$10,%r14d\n\n\trorl\t$17,%r15d\n\txorl\t%r13d,%r12d\n\txorl\t%r14d,%r15d\n\taddl\t28(%rsp),%r12d\n\n\taddl\t56(%rsp),%r12d\n\tmovl\t%r10d,%r13d\n\taddl\t%r15d,%r12d\n\tmovl\t%ecx,%r14d\n\trorl\t$14,%r13d\n\tmovl\t%r11d,%r15d\n\n\txorl\t%r10d,%r13d\n\trorl\t$9,%r14d\n\txorl\t%eax,%r15d\n\n\tmovl\t%r12d,56(%rsp)\n\txorl\t%ecx,%r14d\n\tandl\t%r10d,%r15d\n\n\trorl\t$5,%r13d\n\taddl\t%ebx,%r12d\n\txorl\t%eax,%r15d\n\n\trorl\t$11,%r14d\n\txorl\t%r10d,%r13d\n\taddl\t%r15d,%r12d\n\n\tmovl\t%ecx,%r15d\n\taddl\t(%rbp),%r12d\n\txorl\t%ecx,%r14d\n\n\txorl\t%edx,%r15d\n\trorl\t$6,%r13d\n\tmovl\t%edx,%ebx\n\n\tandl\t%r15d,%edi\n\trorl\t$2,%r14d\n\taddl\t%r13d,%r12d\n\n\txorl\t%edi,%ebx\n\taddl\t%r12d,%r9d\n\taddl\t%r12d,%ebx\n\n\tleaq\t4(%rbp),%rbp\n\tmovl\t0(%rsp),%r13d\n\tmovl\t52(%rsp),%edi\n\n\tmovl\t%r13d,%r12d\n\trorl\t$11,%r13d\n\taddl\t%r14d,%ebx\n\tmovl\t%edi,%r14d\n\trorl\t$2,%edi\n\n\txorl\t%r12d,%r13d\n\tshrl\t$3,%r12d\n\trorl\t$7,%r13d\n\txorl\t%r14d,%edi\n\tshrl\t$10,%r14d\n\n\trorl\t$17,%edi\n\txorl\t%r13d,%r12d\n\txorl\t%r14d,%edi\n\taddl\t32(%rsp),%r12d\n\n\taddl\t60(%rsp),%r12d\n\tmovl\t%r9d,%r13d\n\taddl\t%edi,%r12d\n\tmovl\t%ebx,%r14d\n\trorl\t$14,%r13d\n\tmovl\t%r10d,%edi\n\n\txorl\t%r9d,%r13d\n\trorl\t$9,%r14d\n\txorl\t%r11d,%edi\n\n\tmovl\t%r12d,60(%rsp)\n\txorl\t%ebx,%r14d\n\tandl\t%r9d,%edi\n\n\trorl\t$5,%r13d\n\taddl\t%eax,%r12d\n\txorl\t%r11d,%edi\n\n\trorl\t$11,%r14d\n\txorl\t%r9d,%r13d\n\taddl\t%edi,%r12d\n\n\tmovl\t%ebx,%edi\n\taddl\t(%rbp),%r12d\n\txorl\t%ebx,%r14d\n\n\txorl\t%ecx,%edi\n\trorl\t$6,%r13d\n\tmovl\t%ecx,%eax\n\n\tandl\t%edi,%r15d\n\trorl\t$2,%r14d\n\taddl\t%r13d,%r12d\n\n\txorl\t%r15d,%eax\n\taddl\t%r12d,%r8d\n\taddl\t%r12d,%eax\n\n\tleaq\t20(%rbp),%rbp\n\tcmpb\t$0,3(%rbp)\n\tjnz\t.Lrounds_16_xx\n\n\tmovq\t64+0(%rsp),%rdi\n\taddl\t%r14d,%eax\n\tleaq\t64(%rsi),%rsi\n\n\taddl\t0(%rdi),%eax\n\taddl\t4(%rdi),%ebx\n\taddl\t8(%rdi),%ecx\n\taddl\t12(%rdi),%edx\n\taddl\t16(%rdi),%r8d\n\taddl\t20(%rdi),%r9d\n\taddl\t24(%rdi),%r10d\n\taddl\t28(%rdi),%r11d\n\n\tcmpq\t64+16(%rsp),%rsi\n\n\tmovl\t%eax,0(%rdi)\n\tmovl\t%ebx,4(%rdi)\n\tmovl\t%ecx,8(%rdi)\n\tmovl\t%edx,12(%rdi)\n\tmovl\t%r8d,16(%rdi)\n\tmovl\t%r9d,20(%rdi)\n\tmovl\t%r10d,24(%rdi)\n\tmovl\t%r11d,28(%rdi)\n\tjb\t.Lloop\n\n\tmovq\t88(%rsp),%rsi\n.cfi_def_cfa\t%rsi,8\n\tmovq\t-48(%rsi),%r15\n.cfi_restore\t%r15\n\tmovq\t-40(%rsi),%r14\n.cfi_restore\t%r14\n\tmovq\t-32(%rsi),%r13\n.cfi_restore\t%r13\n\tmovq\t-24(%rsi),%r12\n.cfi_restore\t%r12\n\tmovq\t-16(%rsi),%rbp\n.cfi_restore\t%rbp\n\tmovq\t-8(%rsi),%rbx\n.cfi_restore\t%rbx\n\tleaq\t(%rsi),%rsp\n.cfi_def_cfa_register\t%rsp\n.Lepilogue:\n\tret\n.cfi_endproc\t\n.size\tsha256_block_data_order_nohw,.-sha256_block_data_order_nohw\n.section\t.rodata\n.align\t64\n.type\tK256,@object\nK256:\n.long\t0x428a2f98,0x71374491,0xb5c0fbcf,0xe9b5dba5\n.long\t0x428a2f98,0x71374491,0xb5c0fbcf,0xe9b5dba5\n.long\t0x3956c25b,0x59f111f1,0x923f82a4,0xab1c5ed5\n.long\t0x3956c25b,0x59f111f1,0x923f82a4,0xab1c5ed5\n.long\t0xd807aa98,0x12835b01,0x243185be,0x550c7dc3\n.long\t0xd807aa98,0x12835b01,0x243185be,0x550c7dc3\n.long\t0x72be5d74,0x80deb1fe,0x9bdc06a7,0xc19bf174\n.long\t0x72be5d74,0x80deb1fe,0x9bdc06a7,0xc19bf174\n.long\t0xe49b69c1,0xefbe4786,0x0fc19dc6,0x240ca1cc\n.long\t0xe49b69c1,0xefbe4786,0x0fc19dc6,0x240ca1cc\n.long\t0x2de92c6f,0x4a7484aa,0x5cb0a9dc,0x76f988da\n.long\t0x2de92c6f,0x4a7484aa,0x5cb0a9dc,0x76f988da\n.long\t0x983e5152,0xa831c66d,0xb00327c8,0xbf597fc7\n.long\t0x983e5152,0xa831c66d,0xb00327c8,0xbf597fc7\n.long\t0xc6e00bf3,0xd5a79147,0x06ca6351,0x14292967\n.long\t0xc6e00bf3,0xd5a79147,0x06ca6351,0x14292967\n.long\t0x27b70a85,0x2e1b2138,0x4d2c6dfc,0x53380d13\n.long\t0x27b70a85,0x2e1b2138,0x4d2c6dfc,0x53380d13\n.long\t0x650a7354,0x766a0abb,0x81c2c92e,0x92722c85\n.long\t0x650a7354,0x766a0abb,0x81c2c92e,0x92722c85\n.long\t0xa2bfe8a1,0xa81a664b,0xc24b8b70,0xc76c51a3\n.long\t0xa2bfe8a1,0xa81a664b,0xc24b8b70,0xc76c51a3\n.long\t0xd192e819,0xd6990624,0xf40e3585,0x106aa070\n.long\t0xd192e819,0xd6990624,0xf40e3585,0x106aa070\n.long\t0x19a4c116,0x1e376c08,0x2748774c,0x34b0bcb5\n.long\t0x19a4c116,0x1e376c08,0x2748774c,0x34b0bcb5\n.long\t0x391c0cb3,0x4ed8aa4a,0x5b9cca4f,0x682e6ff3\n.long\t0x391c0cb3,0x4ed8aa4a,0x5b9cca4f,0x682e6ff3\n.long\t0x748f82ee,0x78a5636f,0x84c87814,0x8cc70208\n.long\t0x748f82ee,0x78a5636f,0x84c87814,0x8cc70208\n.long\t0x90befffa,0xa4506ceb,0xbef9a3f7,0xc67178f2\n.long\t0x90befffa,0xa4506ceb,0xbef9a3f7,0xc67178f2\n\n.long\t0x00010203,0x04050607,0x08090a0b,0x0c0d0e0f\n.long\t0x00010203,0x04050607,0x08090a0b,0x0c0d0e0f\n.long\t0x03020100,0x0b0a0908,0xffffffff,0xffffffff\n.long\t0x03020100,0x0b0a0908,0xffffffff,0xffffffff\n.long\t0xffffffff,0xffffffff,0x03020100,0x0b0a0908\n.long\t0xffffffff,0xffffffff,0x03020100,0x0b0a0908\n.byte\t83,72,65,50,53,54,32,98,108,111,99,107,32,116,114,97,110,115,102,111,114,109,32,102,111,114,32,120,56,54,95,54,52,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0\n.text\t\n.globl\tsha256_block_data_order_hw\n.hidden sha256_block_data_order_hw\n.type\tsha256_block_data_order_hw,@function\n.align\t64\nsha256_block_data_order_hw:\n.cfi_startproc\t\n_CET_ENDBR\n\tleaq\tK256+128(%rip),%rcx\n\tmovdqu\t(%rdi),%xmm1\n\tmovdqu\t16(%rdi),%xmm2\n\tmovdqa\t512-128(%rcx),%xmm7\n\n\tpshufd\t$0x1b,%xmm1,%xmm0\n\tpshufd\t$0xb1,%xmm1,%xmm1\n\tpshufd\t$0x1b,%xmm2,%xmm2\n\tmovdqa\t%xmm7,%xmm8\n.byte\t102,15,58,15,202,8\n\tpunpcklqdq\t%xmm0,%xmm2\n\tjmp\t.Loop_shaext\n\n.align\t16\n.Loop_shaext:\n\tmovdqu\t(%rsi),%xmm3\n\tmovdqu\t16(%rsi),%xmm4\n\tmovdqu\t32(%rsi),%xmm5\n.byte\t102,15,56,0,223\n\tmovdqu\t48(%rsi),%xmm6\n\n\tmovdqa\t0-128(%rcx),%xmm0\n\tpaddd\t%xmm3,%xmm0\n.byte\t102,15,56,0,231\n\tmovdqa\t%xmm2,%xmm10\n.byte\t15,56,203,209\n\tpshufd\t$0x0e,%xmm0,%xmm0\n\tnop\n\tmovdqa\t%xmm1,%xmm9\n.byte\t15,56,203,202\n\n\tmovdqa\t32-128(%rcx),%xmm0\n\tpaddd\t%xmm4,%xmm0\n.byte\t102,15,56,0,239\n.byte\t15,56,203,209\n\tpshufd\t$0x0e,%xmm0,%xmm0\n\tleaq\t64(%rsi),%rsi\n.byte\t15,56,204,220\n.byte\t15,56,203,202\n\n\tmovdqa\t64-128(%rcx),%xmm0\n\tpaddd\t%xmm5,%xmm0\n.byte\t102,15,56,0,247\n.byte\t15,56,203,209\n\tpshufd\t$0x0e,%xmm0,%xmm0\n\tmovdqa\t%xmm6,%xmm7\n.byte\t102,15,58,15,253,4\n\tnop\n\tpaddd\t%xmm7,%xmm3\n.byte\t15,56,204,229\n.byte\t15,56,203,202\n\n\tmovdqa\t96-128(%rcx),%xmm0\n\tpaddd\t%xmm6,%xmm0\n.byte\t15,56,205,222\n.byte\t15,56,203,209\n\tpshufd\t$0x0e,%xmm0,%xmm0\n\tmovdqa\t%xmm3,%xmm7\n.byte\t102,15,58,15,254,4\n\tnop\n\tpaddd\t%xmm7,%xmm4\n.byte\t15,56,204,238\n.byte\t15,56,203,202\n\tmovdqa\t128-128(%rcx),%xmm0\n\tpaddd\t%xmm3,%xmm0\n.byte\t15,56,205,227\n.byte\t15,56,203,209\n\tpshufd\t$0x0e,%xmm0,%xmm0\n\tmovdqa\t%xmm4,%xmm7\n.byte\t102,15,58,15,251,4\n\tnop\n\tpaddd\t%xmm7,%xmm5\n.byte\t15,56,204,243\n.byte\t15,56,203,202\n\tmovdqa\t160-128(%rcx),%xmm0\n\tpaddd\t%xmm4,%xmm0\n.byte\t15,56,205,236\n.byte\t15,56,203,209\n\tpshufd\t$0x0e,%xmm0,%xmm0\n\tmovdqa\t%xmm5,%xmm7\n.byte\t102,15,58,15,252,4\n\tnop\n\tpaddd\t%xmm7,%xmm6\n.byte\t15,56,204,220\n.byte\t15,56,203,202\n\tmovdqa\t192-128(%rcx),%xmm0\n\tpaddd\t%xmm5,%xmm0\n.byte\t15,56,205,245\n.byte\t15,56,203,209\n\tpshufd\t$0x0e,%xmm0,%xmm0\n\tmovdqa\t%xmm6,%xmm7\n.byte\t102,15,58,15,253,4\n\tnop\n\tpaddd\t%xmm7,%xmm3\n.byte\t15,56,204,229\n.byte\t15,56,203,202\n\tmovdqa\t224-128(%rcx),%xmm0\n\tpaddd\t%xmm6,%xmm0\n.byte\t15,56,205,222\n.byte\t15,56,203,209\n\tpshufd\t$0x0e,%xmm0,%xmm0\n\tmovdqa\t%xmm3,%xmm7\n.byte\t102,15,58,15,254,4\n\tnop\n\tpaddd\t%xmm7,%xmm4\n.byte\t15,56,204,238\n.byte\t15,56,203,202\n\tmovdqa\t256-128(%rcx),%xmm0\n\tpaddd\t%xmm3,%xmm0\n.byte\t15,56,205,227\n.byte\t15,56,203,209\n\tpshufd\t$0x0e,%xmm0,%xmm0\n\tmovdqa\t%xmm4,%xmm7\n.byte\t102,15,58,15,251,4\n\tnop\n\tpaddd\t%xmm7,%xmm5\n.byte\t15,56,204,243\n.byte\t15,56,203,202\n\tmovdqa\t288-128(%rcx),%xmm0\n\tpaddd\t%xmm4,%xmm0\n.byte\t15,56,205,236\n.byte\t15,56,203,209\n\tpshufd\t$0x0e,%xmm0,%xmm0\n\tmovdqa\t%xmm5,%xmm7\n.byte\t102,15,58,15,252,4\n\tnop\n\tpaddd\t%xmm7,%xmm6\n.byte\t15,56,204,220\n.byte\t15,56,203,202\n\tmovdqa\t320-128(%rcx),%xmm0\n\tpaddd\t%xmm5,%xmm0\n.byte\t15,56,205,245\n.byte\t15,56,203,209\n\tpshufd\t$0x0e,%xmm0,%xmm0\n\tmovdqa\t%xmm6,%xmm7\n.byte\t102,15,58,15,253,4\n\tnop\n\tpaddd\t%xmm7,%xmm3\n.byte\t15,56,204,229\n.byte\t15,56,203,202\n\tmovdqa\t352-128(%rcx),%xmm0\n\tpaddd\t%xmm6,%xmm0\n.byte\t15,56,205,222\n.byte\t15,56,203,209\n\tpshufd\t$0x0e,%xmm0,%xmm0\n\tmovdqa\t%xmm3,%xmm7\n.byte\t102,15,58,15,254,4\n\tnop\n\tpaddd\t%xmm7,%xmm4\n.byte\t15,56,204,238\n.byte\t15,56,203,202\n\tmovdqa\t384-128(%rcx),%xmm0\n\tpaddd\t%xmm3,%xmm0\n.byte\t15,56,205,227\n.byte\t15,56,203,209\n\tpshufd\t$0x0e,%xmm0,%xmm0\n\tmovdqa\t%xmm4,%xmm7\n.byte\t102,15,58,15,251,4\n\tnop\n\tpaddd\t%xmm7,%xmm5\n.byte\t15,56,204,243\n.byte\t15,56,203,202\n\tmovdqa\t416-128(%rcx),%xmm0\n\tpaddd\t%xmm4,%xmm0\n.byte\t15,56,205,236\n.byte\t15,56,203,209\n\tpshufd\t$0x0e,%xmm0,%xmm0\n\tmovdqa\t%xmm5,%xmm7\n.byte\t102,15,58,15,252,4\n.byte\t15,56,203,202\n\tpaddd\t%xmm7,%xmm6\n\n\tmovdqa\t448-128(%rcx),%xmm0\n\tpaddd\t%xmm5,%xmm0\n.byte\t15,56,203,209\n\tpshufd\t$0x0e,%xmm0,%xmm0\n.byte\t15,56,205,245\n\tmovdqa\t%xmm8,%xmm7\n.byte\t15,56,203,202\n\n\tmovdqa\t480-128(%rcx),%xmm0\n\tpaddd\t%xmm6,%xmm0\n\tnop\n.byte\t15,56,203,209\n\tpshufd\t$0x0e,%xmm0,%xmm0\n\tdecq\t%rdx\n\tnop\n.byte\t15,56,203,202\n\n\tpaddd\t%xmm10,%xmm2\n\tpaddd\t%xmm9,%xmm1\n\tjnz\t.Loop_shaext\n\n\tpshufd\t$0xb1,%xmm2,%xmm2\n\tpshufd\t$0x1b,%xmm1,%xmm7\n\tpshufd\t$0xb1,%xmm1,%xmm1\n\tpunpckhqdq\t%xmm2,%xmm1\n.byte\t102,15,58,15,215,8\n\n\tmovdqu\t%xmm1,(%rdi)\n\tmovdqu\t%xmm2,16(%rdi)\n\tret\n.cfi_endproc\t\n.size\tsha256_block_data_order_hw,.-sha256_block_data_order_hw\n.globl\tsha256_block_data_order_ssse3\n.hidden sha256_block_data_order_ssse3\n.type\tsha256_block_data_order_ssse3,@function\n.align\t64\nsha256_block_data_order_ssse3:\n.cfi_startproc\t\n_CET_ENDBR\n\tmovq\t%rsp,%rax\n.cfi_def_cfa_register\t%rax\n\tpushq\t%rbx\n.cfi_offset\t%rbx,-16\n\tpushq\t%rbp\n.cfi_offset\t%rbp,-24\n\tpushq\t%r12\n.cfi_offset\t%r12,-32\n\tpushq\t%r13\n.cfi_offset\t%r13,-40\n\tpushq\t%r14\n.cfi_offset\t%r14,-48\n\tpushq\t%r15\n.cfi_offset\t%r15,-56\n\tshlq\t$4,%rdx\n\tsubq\t$96,%rsp\n\tleaq\t(%rsi,%rdx,4),%rdx\n\tandq\t$-64,%rsp\n\tmovq\t%rdi,64+0(%rsp)\n\tmovq\t%rsi,64+8(%rsp)\n\tmovq\t%rdx,64+16(%rsp)\n\tmovq\t%rax,88(%rsp)\n.cfi_escape\t0x0f,0x06,0x77,0xd8,0x00,0x06,0x23,0x08\n.Lprologue_ssse3:\n\n\tmovl\t0(%rdi),%eax\n\tmovl\t4(%rdi),%ebx\n\tmovl\t8(%rdi),%ecx\n\tmovl\t12(%rdi),%edx\n\tmovl\t16(%rdi),%r8d\n\tmovl\t20(%rdi),%r9d\n\tmovl\t24(%rdi),%r10d\n\tmovl\t28(%rdi),%r11d\n\n\n\tjmp\t.Lloop_ssse3\n.align\t16\n.Lloop_ssse3:\n\tmovdqa\tK256+512(%rip),%xmm7\n\tmovdqu\t0(%rsi),%xmm0\n\tmovdqu\t16(%rsi),%xmm1\n\tmovdqu\t32(%rsi),%xmm2\n.byte\t102,15,56,0,199\n\tmovdqu\t48(%rsi),%xmm3\n\tleaq\tK256(%rip),%rbp\n.byte\t102,15,56,0,207\n\tmovdqa\t0(%rbp),%xmm4\n\tmovdqa\t32(%rbp),%xmm5\n.byte\t102,15,56,0,215\n\tpaddd\t%xmm0,%xmm4\n\tmovdqa\t64(%rbp),%xmm6\n.byte\t102,15,56,0,223\n\tmovdqa\t96(%rbp),%xmm7\n\tpaddd\t%xmm1,%xmm5\n\tpaddd\t%xmm2,%xmm6\n\tpaddd\t%xmm3,%xmm7\n\tmovdqa\t%xmm4,0(%rsp)\n\tmovl\t%eax,%r14d\n\tmovdqa\t%xmm5,16(%rsp)\n\tmovl\t%ebx,%edi\n\tmovdqa\t%xmm6,32(%rsp)\n\txorl\t%ecx,%edi\n\tmovdqa\t%xmm7,48(%rsp)\n\tmovl\t%r8d,%r13d\n\tjmp\t.Lssse3_00_47\n\n.align\t16\n.Lssse3_00_47:\n\tsubq\t$-128,%rbp\n\trorl\t$14,%r13d\n\tmovdqa\t%xmm1,%xmm4\n\tmovl\t%r14d,%eax\n\tmovl\t%r9d,%r12d\n\tmovdqa\t%xmm3,%xmm7\n\trorl\t$9,%r14d\n\txorl\t%r8d,%r13d\n\txorl\t%r10d,%r12d\n\trorl\t$5,%r13d\n\txorl\t%eax,%r14d\n.byte\t102,15,58,15,224,4\n\tandl\t%r8d,%r12d\n\txorl\t%r8d,%r13d\n.byte\t102,15,58,15,250,4\n\taddl\t0(%rsp),%r11d\n\tmovl\t%eax,%r15d\n\txorl\t%r10d,%r12d\n\trorl\t$11,%r14d\n\tmovdqa\t%xmm4,%xmm5\n\txorl\t%ebx,%r15d\n\taddl\t%r12d,%r11d\n\tmovdqa\t%xmm4,%xmm6\n\trorl\t$6,%r13d\n\tandl\t%r15d,%edi\n\tpsrld\t$3,%xmm4\n\txorl\t%eax,%r14d\n\taddl\t%r13d,%r11d\n\txorl\t%ebx,%edi\n\tpaddd\t%xmm7,%xmm0\n\trorl\t$2,%r14d\n\taddl\t%r11d,%edx\n\tpsrld\t$7,%xmm6\n\taddl\t%edi,%r11d\n\tmovl\t%edx,%r13d\n\tpshufd\t$250,%xmm3,%xmm7\n\taddl\t%r11d,%r14d\n\trorl\t$14,%r13d\n\tpslld\t$14,%xmm5\n\tmovl\t%r14d,%r11d\n\tmovl\t%r8d,%r12d\n\tpxor\t%xmm6,%xmm4\n\trorl\t$9,%r14d\n\txorl\t%edx,%r13d\n\txorl\t%r9d,%r12d\n\trorl\t$5,%r13d\n\tpsrld\t$11,%xmm6\n\txorl\t%r11d,%r14d\n\tpxor\t%xmm5,%xmm4\n\tandl\t%edx,%r12d\n\txorl\t%edx,%r13d\n\tpslld\t$11,%xmm5\n\taddl\t4(%rsp),%r10d\n\tmovl\t%r11d,%edi\n\tpxor\t%xmm6,%xmm4\n\txorl\t%r9d,%r12d\n\trorl\t$11,%r14d\n\tmovdqa\t%xmm7,%xmm6\n\txorl\t%eax,%edi\n\taddl\t%r12d,%r10d\n\tpxor\t%xmm5,%xmm4\n\trorl\t$6,%r13d\n\tandl\t%edi,%r15d\n\txorl\t%r11d,%r14d\n\tpsrld\t$10,%xmm7\n\taddl\t%r13d,%r10d\n\txorl\t%eax,%r15d\n\tpaddd\t%xmm4,%xmm0\n\trorl\t$2,%r14d\n\taddl\t%r10d,%ecx\n\tpsrlq\t$17,%xmm6\n\taddl\t%r15d,%r10d\n\tmovl\t%ecx,%r13d\n\taddl\t%r10d,%r14d\n\tpxor\t%xmm6,%xmm7\n\trorl\t$14,%r13d\n\tmovl\t%r14d,%r10d\n\tmovl\t%edx,%r12d\n\trorl\t$9,%r14d\n\tpsrlq\t$2,%xmm6\n\txorl\t%ecx,%r13d\n\txorl\t%r8d,%r12d\n\tpxor\t%xmm6,%xmm7\n\trorl\t$5,%r13d\n\txorl\t%r10d,%r14d\n\tandl\t%ecx,%r12d\n\tpshufd\t$128,%xmm7,%xmm7\n\txorl\t%ecx,%r13d\n\taddl\t8(%rsp),%r9d\n\tmovl\t%r10d,%r15d\n\tpsrldq\t$8,%xmm7\n\txorl\t%r8d,%r12d\n\trorl\t$11,%r14d\n\txorl\t%r11d,%r15d\n\taddl\t%r12d,%r9d\n\trorl\t$6,%r13d\n\tpaddd\t%xmm7,%xmm0\n\tandl\t%r15d,%edi\n\txorl\t%r10d,%r14d\n\taddl\t%r13d,%r9d\n\tpshufd\t$80,%xmm0,%xmm7\n\txorl\t%r11d,%edi\n\trorl\t$2,%r14d\n\taddl\t%r9d,%ebx\n\tmovdqa\t%xmm7,%xmm6\n\taddl\t%edi,%r9d\n\tmovl\t%ebx,%r13d\n\tpsrld\t$10,%xmm7\n\taddl\t%r9d,%r14d\n\trorl\t$14,%r13d\n\tpsrlq\t$17,%xmm6\n\tmovl\t%r14d,%r9d\n\tmovl\t%ecx,%r12d\n\tpxor\t%xmm6,%xmm7\n\trorl\t$9,%r14d\n\txorl\t%ebx,%r13d\n\txorl\t%edx,%r12d\n\trorl\t$5,%r13d\n\txorl\t%r9d,%r14d\n\tpsrlq\t$2,%xmm6\n\tandl\t%ebx,%r12d\n\txorl\t%ebx,%r13d\n\taddl\t12(%rsp),%r8d\n\tpxor\t%xmm6,%xmm7\n\tmovl\t%r9d,%edi\n\txorl\t%edx,%r12d\n\trorl\t$11,%r14d\n\tpshufd\t$8,%xmm7,%xmm7\n\txorl\t%r10d,%edi\n\taddl\t%r12d,%r8d\n\tmovdqa\t0(%rbp),%xmm6\n\trorl\t$6,%r13d\n\tandl\t%edi,%r15d\n\tpslldq\t$8,%xmm7\n\txorl\t%r9d,%r14d\n\taddl\t%r13d,%r8d\n\txorl\t%r10d,%r15d\n\tpaddd\t%xmm7,%xmm0\n\trorl\t$2,%r14d\n\taddl\t%r8d,%eax\n\taddl\t%r15d,%r8d\n\tpaddd\t%xmm0,%xmm6\n\tmovl\t%eax,%r13d\n\taddl\t%r8d,%r14d\n\tmovdqa\t%xmm6,0(%rsp)\n\trorl\t$14,%r13d\n\tmovdqa\t%xmm2,%xmm4\n\tmovl\t%r14d,%r8d\n\tmovl\t%ebx,%r12d\n\tmovdqa\t%xmm0,%xmm7\n\trorl\t$9,%r14d\n\txorl\t%eax,%r13d\n\txorl\t%ecx,%r12d\n\trorl\t$5,%r13d\n\txorl\t%r8d,%r14d\n.byte\t102,15,58,15,225,4\n\tandl\t%eax,%r12d\n\txorl\t%eax,%r13d\n.byte\t102,15,58,15,251,4\n\taddl\t16(%rsp),%edx\n\tmovl\t%r8d,%r15d\n\txorl\t%ecx,%r12d\n\trorl\t$11,%r14d\n\tmovdqa\t%xmm4,%xmm5\n\txorl\t%r9d,%r15d\n\taddl\t%r12d,%edx\n\tmovdqa\t%xmm4,%xmm6\n\trorl\t$6,%r13d\n\tandl\t%r15d,%edi\n\tpsrld\t$3,%xmm4\n\txorl\t%r8d,%r14d\n\taddl\t%r13d,%edx\n\txorl\t%r9d,%edi\n\tpaddd\t%xmm7,%xmm1\n\trorl\t$2,%r14d\n\taddl\t%edx,%r11d\n\tpsrld\t$7,%xmm6\n\taddl\t%edi,%edx\n\tmovl\t%r11d,%r13d\n\tpshufd\t$250,%xmm0,%xmm7\n\taddl\t%edx,%r14d\n\trorl\t$14,%r13d\n\tpslld\t$14,%xmm5\n\tmovl\t%r14d,%edx\n\tmovl\t%eax,%r12d\n\tpxor\t%xmm6,%xmm4\n\trorl\t$9,%r14d\n\txorl\t%r11d,%r13d\n\txorl\t%ebx,%r12d\n\trorl\t$5,%r13d\n\tpsrld\t$11,%xmm6\n\txorl\t%edx,%r14d\n\tpxor\t%xmm5,%xmm4\n\tandl\t%r11d,%r12d\n\txorl\t%r11d,%r13d\n\tpslld\t$11,%xmm5\n\taddl\t20(%rsp),%ecx\n\tmovl\t%edx,%edi\n\tpxor\t%xmm6,%xmm4\n\txorl\t%ebx,%r12d\n\trorl\t$11,%r14d\n\tmovdqa\t%xmm7,%xmm6\n\txorl\t%r8d,%edi\n\taddl\t%r12d,%ecx\n\tpxor\t%xmm5,%xmm4\n\trorl\t$6,%r13d\n\tandl\t%edi,%r15d\n\txorl\t%edx,%r14d\n\tpsrld\t$10,%xmm7\n\taddl\t%r13d,%ecx\n\txorl\t%r8d,%r15d\n\tpaddd\t%xmm4,%xmm1\n\trorl\t$2,%r14d\n\taddl\t%ecx,%r10d\n\tpsrlq\t$17,%xmm6\n\taddl\t%r15d,%ecx\n\tmovl\t%r10d,%r13d\n\taddl\t%ecx,%r14d\n\tpxor\t%xmm6,%xmm7\n\trorl\t$14,%r13d\n\tmovl\t%r14d,%ecx\n\tmovl\t%r11d,%r12d\n\trorl\t$9,%r14d\n\tpsrlq\t$2,%xmm6\n\txorl\t%r10d,%r13d\n\txorl\t%eax,%r12d\n\tpxor\t%xmm6,%xmm7\n\trorl\t$5,%r13d\n\txorl\t%ecx,%r14d\n\tandl\t%r10d,%r12d\n\tpshufd\t$128,%xmm7,%xmm7\n\txorl\t%r10d,%r13d\n\taddl\t24(%rsp),%ebx\n\tmovl\t%ecx,%r15d\n\tpsrldq\t$8,%xmm7\n\txorl\t%eax,%r12d\n\trorl\t$11,%r14d\n\txorl\t%edx,%r15d\n\taddl\t%r12d,%ebx\n\trorl\t$6,%r13d\n\tpaddd\t%xmm7,%xmm1\n\tandl\t%r15d,%edi\n\txorl\t%ecx,%r14d\n\taddl\t%r13d,%ebx\n\tpshufd\t$80,%xmm1,%xmm7\n\txorl\t%edx,%edi\n\trorl\t$2,%r14d\n\taddl\t%ebx,%r9d\n\tmovdqa\t%xmm7,%xmm6\n\taddl\t%edi,%ebx\n\tmovl\t%r9d,%r13d\n\tpsrld\t$10,%xmm7\n\taddl\t%ebx,%r14d\n\trorl\t$14,%r13d\n\tpsrlq\t$17,%xmm6\n\tmovl\t%r14d,%ebx\n\tmovl\t%r10d,%r12d\n\tpxor\t%xmm6,%xmm7\n\trorl\t$9,%r14d\n\txorl\t%r9d,%r13d\n\txorl\t%r11d,%r12d\n\trorl\t$5,%r13d\n\txorl\t%ebx,%r14d\n\tpsrlq\t$2,%xmm6\n\tandl\t%r9d,%r12d\n\txorl\t%r9d,%r13d\n\taddl\t28(%rsp),%eax\n\tpxor\t%xmm6,%xmm7\n\tmovl\t%ebx,%edi\n\txorl\t%r11d,%r12d\n\trorl\t$11,%r14d\n\tpshufd\t$8,%xmm7,%xmm7\n\txorl\t%ecx,%edi\n\taddl\t%r12d,%eax\n\tmovdqa\t32(%rbp),%xmm6\n\trorl\t$6,%r13d\n\tandl\t%edi,%r15d\n\tpslldq\t$8,%xmm7\n\txorl\t%ebx,%r14d\n\taddl\t%r13d,%eax\n\txorl\t%ecx,%r15d\n\tpaddd\t%xmm7,%xmm1\n\trorl\t$2,%r14d\n\taddl\t%eax,%r8d\n\taddl\t%r15d,%eax\n\tpaddd\t%xmm1,%xmm6\n\tmovl\t%r8d,%r13d\n\taddl\t%eax,%r14d\n\tmovdqa\t%xmm6,16(%rsp)\n\trorl\t$14,%r13d\n\tmovdqa\t%xmm3,%xmm4\n\tmovl\t%r14d,%eax\n\tmovl\t%r9d,%r12d\n\tmovdqa\t%xmm1,%xmm7\n\trorl\t$9,%r14d\n\txorl\t%r8d,%r13d\n\txorl\t%r10d,%r12d\n\trorl\t$5,%r13d\n\txorl\t%eax,%r14d\n.byte\t102,15,58,15,226,4\n\tandl\t%r8d,%r12d\n\txorl\t%r8d,%r13d\n.byte\t102,15,58,15,248,4\n\taddl\t32(%rsp),%r11d\n\tmovl\t%eax,%r15d\n\txorl\t%r10d,%r12d\n\trorl\t$11,%r14d\n\tmovdqa\t%xmm4,%xmm5\n\txorl\t%ebx,%r15d\n\taddl\t%r12d,%r11d\n\tmovdqa\t%xmm4,%xmm6\n\trorl\t$6,%r13d\n\tandl\t%r15d,%edi\n\tpsrld\t$3,%xmm4\n\txorl\t%eax,%r14d\n\taddl\t%r13d,%r11d\n\txorl\t%ebx,%edi\n\tpaddd\t%xmm7,%xmm2\n\trorl\t$2,%r14d\n\taddl\t%r11d,%edx\n\tpsrld\t$7,%xmm6\n\taddl\t%edi,%r11d\n\tmovl\t%edx,%r13d\n\tpshufd\t$250,%xmm1,%xmm7\n\taddl\t%r11d,%r14d\n\trorl\t$14,%r13d\n\tpslld\t$14,%xmm5\n\tmovl\t%r14d,%r11d\n\tmovl\t%r8d,%r12d\n\tpxor\t%xmm6,%xmm4\n\trorl\t$9,%r14d\n\txorl\t%edx,%r13d\n\txorl\t%r9d,%r12d\n\trorl\t$5,%r13d\n\tpsrld\t$11,%xmm6\n\txorl\t%r11d,%r14d\n\tpxor\t%xmm5,%xmm4\n\tandl\t%edx,%r12d\n\txorl\t%edx,%r13d\n\tpslld\t$11,%xmm5\n\taddl\t36(%rsp),%r10d\n\tmovl\t%r11d,%edi\n\tpxor\t%xmm6,%xmm4\n\txorl\t%r9d,%r12d\n\trorl\t$11,%r14d\n\tmovdqa\t%xmm7,%xmm6\n\txorl\t%eax,%edi\n\taddl\t%r12d,%r10d\n\tpxor\t%xmm5,%xmm4\n\trorl\t$6,%r13d\n\tandl\t%edi,%r15d\n\txorl\t%r11d,%r14d\n\tpsrld\t$10,%xmm7\n\taddl\t%r13d,%r10d\n\txorl\t%eax,%r15d\n\tpaddd\t%xmm4,%xmm2\n\trorl\t$2,%r14d\n\taddl\t%r10d,%ecx\n\tpsrlq\t$17,%xmm6\n\taddl\t%r15d,%r10d\n\tmovl\t%ecx,%r13d\n\taddl\t%r10d,%r14d\n\tpxor\t%xmm6,%xmm7\n\trorl\t$14,%r13d\n\tmovl\t%r14d,%r10d\n\tmovl\t%edx,%r12d\n\trorl\t$9,%r14d\n\tpsrlq\t$2,%xmm6\n\txorl\t%ecx,%r13d\n\txorl\t%r8d,%r12d\n\tpxor\t%xmm6,%xmm7\n\trorl\t$5,%r13d\n\txorl\t%r10d,%r14d\n\tandl\t%ecx,%r12d\n\tpshufd\t$128,%xmm7,%xmm7\n\txorl\t%ecx,%r13d\n\taddl\t40(%rsp),%r9d\n\tmovl\t%r10d,%r15d\n\tpsrldq\t$8,%xmm7\n\txorl\t%r8d,%r12d\n\trorl\t$11,%r14d\n\txorl\t%r11d,%r15d\n\taddl\t%r12d,%r9d\n\trorl\t$6,%r13d\n\tpaddd\t%xmm7,%xmm2\n\tandl\t%r15d,%edi\n\txorl\t%r10d,%r14d\n\taddl\t%r13d,%r9d\n\tpshufd\t$80,%xmm2,%xmm7\n\txorl\t%r11d,%edi\n\trorl\t$2,%r14d\n\taddl\t%r9d,%ebx\n\tmovdqa\t%xmm7,%xmm6\n\taddl\t%edi,%r9d\n\tmovl\t%ebx,%r13d\n\tpsrld\t$10,%xmm7\n\taddl\t%r9d,%r14d\n\trorl\t$14,%r13d\n\tpsrlq\t$17,%xmm6\n\tmovl\t%r14d,%r9d\n\tmovl\t%ecx,%r12d\n\tpxor\t%xmm6,%xmm7\n\trorl\t$9,%r14d\n\txorl\t%ebx,%r13d\n\txorl\t%edx,%r12d\n\trorl\t$5,%r13d\n\txorl\t%r9d,%r14d\n\tpsrlq\t$2,%xmm6\n\tandl\t%ebx,%r12d\n\txorl\t%ebx,%r13d\n\taddl\t44(%rsp),%r8d\n\tpxor\t%xmm6,%xmm7\n\tmovl\t%r9d,%edi\n\txorl\t%edx,%r12d\n\trorl\t$11,%r14d\n\tpshufd\t$8,%xmm7,%xmm7\n\txorl\t%r10d,%edi\n\taddl\t%r12d,%r8d\n\tmovdqa\t64(%rbp),%xmm6\n\trorl\t$6,%r13d\n\tandl\t%edi,%r15d\n\tpslldq\t$8,%xmm7\n\txorl\t%r9d,%r14d\n\taddl\t%r13d,%r8d\n\txorl\t%r10d,%r15d\n\tpaddd\t%xmm7,%xmm2\n\trorl\t$2,%r14d\n\taddl\t%r8d,%eax\n\taddl\t%r15d,%r8d\n\tpaddd\t%xmm2,%xmm6\n\tmovl\t%eax,%r13d\n\taddl\t%r8d,%r14d\n\tmovdqa\t%xmm6,32(%rsp)\n\trorl\t$14,%r13d\n\tmovdqa\t%xmm0,%xmm4\n\tmovl\t%r14d,%r8d\n\tmovl\t%ebx,%r12d\n\tmovdqa\t%xmm2,%xmm7\n\trorl\t$9,%r14d\n\txorl\t%eax,%r13d\n\txorl\t%ecx,%r12d\n\trorl\t$5,%r13d\n\txorl\t%r8d,%r14d\n.byte\t102,15,58,15,227,4\n\tandl\t%eax,%r12d\n\txorl\t%eax,%r13d\n.byte\t102,15,58,15,249,4\n\taddl\t48(%rsp),%edx\n\tmovl\t%r8d,%r15d\n\txorl\t%ecx,%r12d\n\trorl\t$11,%r14d\n\tmovdqa\t%xmm4,%xmm5\n\txorl\t%r9d,%r15d\n\taddl\t%r12d,%edx\n\tmovdqa\t%xmm4,%xmm6\n\trorl\t$6,%r13d\n\tandl\t%r15d,%edi\n\tpsrld\t$3,%xmm4\n\txorl\t%r8d,%r14d\n\taddl\t%r13d,%edx\n\txorl\t%r9d,%edi\n\tpaddd\t%xmm7,%xmm3\n\trorl\t$2,%r14d\n\taddl\t%edx,%r11d\n\tpsrld\t$7,%xmm6\n\taddl\t%edi,%edx\n\tmovl\t%r11d,%r13d\n\tpshufd\t$250,%xmm2,%xmm7\n\taddl\t%edx,%r14d\n\trorl\t$14,%r13d\n\tpslld\t$14,%xmm5\n\tmovl\t%r14d,%edx\n\tmovl\t%eax,%r12d\n\tpxor\t%xmm6,%xmm4\n\trorl\t$9,%r14d\n\txorl\t%r11d,%r13d\n\txorl\t%ebx,%r12d\n\trorl\t$5,%r13d\n\tpsrld\t$11,%xmm6\n\txorl\t%edx,%r14d\n\tpxor\t%xmm5,%xmm4\n\tandl\t%r11d,%r12d\n\txorl\t%r11d,%r13d\n\tpslld\t$11,%xmm5\n\taddl\t52(%rsp),%ecx\n\tmovl\t%edx,%edi\n\tpxor\t%xmm6,%xmm4\n\txorl\t%ebx,%r12d\n\trorl\t$11,%r14d\n\tmovdqa\t%xmm7,%xmm6\n\txorl\t%r8d,%edi\n\taddl\t%r12d,%ecx\n\tpxor\t%xmm5,%xmm4\n\trorl\t$6,%r13d\n\tandl\t%edi,%r15d\n\txorl\t%edx,%r14d\n\tpsrld\t$10,%xmm7\n\taddl\t%r13d,%ecx\n\txorl\t%r8d,%r15d\n\tpaddd\t%xmm4,%xmm3\n\trorl\t$2,%r14d\n\taddl\t%ecx,%r10d\n\tpsrlq\t$17,%xmm6\n\taddl\t%r15d,%ecx\n\tmovl\t%r10d,%r13d\n\taddl\t%ecx,%r14d\n\tpxor\t%xmm6,%xmm7\n\trorl\t$14,%r13d\n\tmovl\t%r14d,%ecx\n\tmovl\t%r11d,%r12d\n\trorl\t$9,%r14d\n\tpsrlq\t$2,%xmm6\n\txorl\t%r10d,%r13d\n\txorl\t%eax,%r12d\n\tpxor\t%xmm6,%xmm7\n\trorl\t$5,%r13d\n\txorl\t%ecx,%r14d\n\tandl\t%r10d,%r12d\n\tpshufd\t$128,%xmm7,%xmm7\n\txorl\t%r10d,%r13d\n\taddl\t56(%rsp),%ebx\n\tmovl\t%ecx,%r15d\n\tpsrldq\t$8,%xmm7\n\txorl\t%eax,%r12d\n\trorl\t$11,%r14d\n\txorl\t%edx,%r15d\n\taddl\t%r12d,%ebx\n\trorl\t$6,%r13d\n\tpaddd\t%xmm7,%xmm3\n\tandl\t%r15d,%edi\n\txorl\t%ecx,%r14d\n\taddl\t%r13d,%ebx\n\tpshufd\t$80,%xmm3,%xmm7\n\txorl\t%edx,%edi\n\trorl\t$2,%r14d\n\taddl\t%ebx,%r9d\n\tmovdqa\t%xmm7,%xmm6\n\taddl\t%edi,%ebx\n\tmovl\t%r9d,%r13d\n\tpsrld\t$10,%xmm7\n\taddl\t%ebx,%r14d\n\trorl\t$14,%r13d\n\tpsrlq\t$17,%xmm6\n\tmovl\t%r14d,%ebx\n\tmovl\t%r10d,%r12d\n\tpxor\t%xmm6,%xmm7\n\trorl\t$9,%r14d\n\txorl\t%r9d,%r13d\n\txorl\t%r11d,%r12d\n\trorl\t$5,%r13d\n\txorl\t%ebx,%r14d\n\tpsrlq\t$2,%xmm6\n\tandl\t%r9d,%r12d\n\txorl\t%r9d,%r13d\n\taddl\t60(%rsp),%eax\n\tpxor\t%xmm6,%xmm7\n\tmovl\t%ebx,%edi\n\txorl\t%r11d,%r12d\n\trorl\t$11,%r14d\n\tpshufd\t$8,%xmm7,%xmm7\n\txorl\t%ecx,%edi\n\taddl\t%r12d,%eax\n\tmovdqa\t96(%rbp),%xmm6\n\trorl\t$6,%r13d\n\tandl\t%edi,%r15d\n\tpslldq\t$8,%xmm7\n\txorl\t%ebx,%r14d\n\taddl\t%r13d,%eax\n\txorl\t%ecx,%r15d\n\tpaddd\t%xmm7,%xmm3\n\trorl\t$2,%r14d\n\taddl\t%eax,%r8d\n\taddl\t%r15d,%eax\n\tpaddd\t%xmm3,%xmm6\n\tmovl\t%r8d,%r13d\n\taddl\t%eax,%r14d\n\tmovdqa\t%xmm6,48(%rsp)\n\tcmpb\t$0,131(%rbp)\n\tjne\t.Lssse3_00_47\n\trorl\t$14,%r13d\n\tmovl\t%r14d,%eax\n\tmovl\t%r9d,%r12d\n\trorl\t$9,%r14d\n\txorl\t%r8d,%r13d\n\txorl\t%r10d,%r12d\n\trorl\t$5,%r13d\n\txorl\t%eax,%r14d\n\tandl\t%r8d,%r12d\n\txorl\t%r8d,%r13d\n\taddl\t0(%rsp),%r11d\n\tmovl\t%eax,%r15d\n\txorl\t%r10d,%r12d\n\trorl\t$11,%r14d\n\txorl\t%ebx,%r15d\n\taddl\t%r12d,%r11d\n\trorl\t$6,%r13d\n\tandl\t%r15d,%edi\n\txorl\t%eax,%r14d\n\taddl\t%r13d,%r11d\n\txorl\t%ebx,%edi\n\trorl\t$2,%r14d\n\taddl\t%r11d,%edx\n\taddl\t%edi,%r11d\n\tmovl\t%edx,%r13d\n\taddl\t%r11d,%r14d\n\trorl\t$14,%r13d\n\tmovl\t%r14d,%r11d\n\tmovl\t%r8d,%r12d\n\trorl\t$9,%r14d\n\txorl\t%edx,%r13d\n\txorl\t%r9d,%r12d\n\trorl\t$5,%r13d\n\txorl\t%r11d,%r14d\n\tandl\t%edx,%r12d\n\txorl\t%edx,%r13d\n\taddl\t4(%rsp),%r10d\n\tmovl\t%r11d,%edi\n\txorl\t%r9d,%r12d\n\trorl\t$11,%r14d\n\txorl\t%eax,%edi\n\taddl\t%r12d,%r10d\n\trorl\t$6,%r13d\n\tandl\t%edi,%r15d\n\txorl\t%r11d,%r14d\n\taddl\t%r13d,%r10d\n\txorl\t%eax,%r15d\n\trorl\t$2,%r14d\n\taddl\t%r10d,%ecx\n\taddl\t%r15d,%r10d\n\tmovl\t%ecx,%r13d\n\taddl\t%r10d,%r14d\n\trorl\t$14,%r13d\n\tmovl\t%r14d,%r10d\n\tmovl\t%edx,%r12d\n\trorl\t$9,%r14d\n\txorl\t%ecx,%r13d\n\txorl\t%r8d,%r12d\n\trorl\t$5,%r13d\n\txorl\t%r10d,%r14d\n\tandl\t%ecx,%r12d\n\txorl\t%ecx,%r13d\n\taddl\t8(%rsp),%r9d\n\tmovl\t%r10d,%r15d\n\txorl\t%r8d,%r12d\n\trorl\t$11,%r14d\n\txorl\t%r11d,%r15d\n\taddl\t%r12d,%r9d\n\trorl\t$6,%r13d\n\tandl\t%r15d,%edi\n\txorl\t%r10d,%r14d\n\taddl\t%r13d,%r9d\n\txorl\t%r11d,%edi\n\trorl\t$2,%r14d\n\taddl\t%r9d,%ebx\n\taddl\t%edi,%r9d\n\tmovl\t%ebx,%r13d\n\taddl\t%r9d,%r14d\n\trorl\t$14,%r13d\n\tmovl\t%r14d,%r9d\n\tmovl\t%ecx,%r12d\n\trorl\t$9,%r14d\n\txorl\t%ebx,%r13d\n\txorl\t%edx,%r12d\n\trorl\t$5,%r13d\n\txorl\t%r9d,%r14d\n\tandl\t%ebx,%r12d\n\txorl\t%ebx,%r13d\n\taddl\t12(%rsp),%r8d\n\tmovl\t%r9d,%edi\n\txorl\t%edx,%r12d\n\trorl\t$11,%r14d\n\txorl\t%r10d,%edi\n\taddl\t%r12d,%r8d\n\trorl\t$6,%r13d\n\tandl\t%edi,%r15d\n\txorl\t%r9d,%r14d\n\taddl\t%r13d,%r8d\n\txorl\t%r10d,%r15d\n\trorl\t$2,%r14d\n\taddl\t%r8d,%eax\n\taddl\t%r15d,%r8d\n\tmovl\t%eax,%r13d\n\taddl\t%r8d,%r14d\n\trorl\t$14,%r13d\n\tmovl\t%r14d,%r8d\n\tmovl\t%ebx,%r12d\n\trorl\t$9,%r14d\n\txorl\t%eax,%r13d\n\txorl\t%ecx,%r12d\n\trorl\t$5,%r13d\n\txorl\t%r8d,%r14d\n\tandl\t%eax,%r12d\n\txorl\t%eax,%r13d\n\taddl\t16(%rsp),%edx\n\tmovl\t%r8d,%r15d\n\txorl\t%ecx,%r12d\n\trorl\t$11,%r14d\n\txorl\t%r9d,%r15d\n\taddl\t%r12d,%edx\n\trorl\t$6,%r13d\n\tandl\t%r15d,%edi\n\txorl\t%r8d,%r14d\n\taddl\t%r13d,%edx\n\txorl\t%r9d,%edi\n\trorl\t$2,%r14d\n\taddl\t%edx,%r11d\n\taddl\t%edi,%edx\n\tmovl\t%r11d,%r13d\n\taddl\t%edx,%r14d\n\trorl\t$14,%r13d\n\tmovl\t%r14d,%edx\n\tmovl\t%eax,%r12d\n\trorl\t$9,%r14d\n\txorl\t%r11d,%r13d\n\txorl\t%ebx,%r12d\n\trorl\t$5,%r13d\n\txorl\t%edx,%r14d\n\tandl\t%r11d,%r12d\n\txorl\t%r11d,%r13d\n\taddl\t20(%rsp),%ecx\n\tmovl\t%edx,%edi\n\txorl\t%ebx,%r12d\n\trorl\t$11,%r14d\n\txorl\t%r8d,%edi\n\taddl\t%r12d,%ecx\n\trorl\t$6,%r13d\n\tandl\t%edi,%r15d\n\txorl\t%edx,%r14d\n\taddl\t%r13d,%ecx\n\txorl\t%r8d,%r15d\n\trorl\t$2,%r14d\n\taddl\t%ecx,%r10d\n\taddl\t%r15d,%ecx\n\tmovl\t%r10d,%r13d\n\taddl\t%ecx,%r14d\n\trorl\t$14,%r13d\n\tmovl\t%r14d,%ecx\n\tmovl\t%r11d,%r12d\n\trorl\t$9,%r14d\n\txorl\t%r10d,%r13d\n\txorl\t%eax,%r12d\n\trorl\t$5,%r13d\n\txorl\t%ecx,%r14d\n\tandl\t%r10d,%r12d\n\txorl\t%r10d,%r13d\n\taddl\t24(%rsp),%ebx\n\tmovl\t%ecx,%r15d\n\txorl\t%eax,%r12d\n\trorl\t$11,%r14d\n\txorl\t%edx,%r15d\n\taddl\t%r12d,%ebx\n\trorl\t$6,%r13d\n\tandl\t%r15d,%edi\n\txorl\t%ecx,%r14d\n\taddl\t%r13d,%ebx\n\txorl\t%edx,%edi\n\trorl\t$2,%r14d\n\taddl\t%ebx,%r9d\n\taddl\t%edi,%ebx\n\tmovl\t%r9d,%r13d\n\taddl\t%ebx,%r14d\n\trorl\t$14,%r13d\n\tmovl\t%r14d,%ebx\n\tmovl\t%r10d,%r12d\n\trorl\t$9,%r14d\n\txorl\t%r9d,%r13d\n\txorl\t%r11d,%r12d\n\trorl\t$5,%r13d\n\txorl\t%ebx,%r14d\n\tandl\t%r9d,%r12d\n\txorl\t%r9d,%r13d\n\taddl\t28(%rsp),%eax\n\tmovl\t%ebx,%edi\n\txorl\t%r11d,%r12d\n\trorl\t$11,%r14d\n\txorl\t%ecx,%edi\n\taddl\t%r12d,%eax\n\trorl\t$6,%r13d\n\tandl\t%edi,%r15d\n\txorl\t%ebx,%r14d\n\taddl\t%r13d,%eax\n\txorl\t%ecx,%r15d\n\trorl\t$2,%r14d\n\taddl\t%eax,%r8d\n\taddl\t%r15d,%eax\n\tmovl\t%r8d,%r13d\n\taddl\t%eax,%r14d\n\trorl\t$14,%r13d\n\tmovl\t%r14d,%eax\n\tmovl\t%r9d,%r12d\n\trorl\t$9,%r14d\n\txorl\t%r8d,%r13d\n\txorl\t%r10d,%r12d\n\trorl\t$5,%r13d\n\txorl\t%eax,%r14d\n\tandl\t%r8d,%r12d\n\txorl\t%r8d,%r13d\n\taddl\t32(%rsp),%r11d\n\tmovl\t%eax,%r15d\n\txorl\t%r10d,%r12d\n\trorl\t$11,%r14d\n\txorl\t%ebx,%r15d\n\taddl\t%r12d,%r11d\n\trorl\t$6,%r13d\n\tandl\t%r15d,%edi\n\txorl\t%eax,%r14d\n\taddl\t%r13d,%r11d\n\txorl\t%ebx,%edi\n\trorl\t$2,%r14d\n\taddl\t%r11d,%edx\n\taddl\t%edi,%r11d\n\tmovl\t%edx,%r13d\n\taddl\t%r11d,%r14d\n\trorl\t$14,%r13d\n\tmovl\t%r14d,%r11d\n\tmovl\t%r8d,%r12d\n\trorl\t$9,%r14d\n\txorl\t%edx,%r13d\n\txorl\t%r9d,%r12d\n\trorl\t$5,%r13d\n\txorl\t%r11d,%r14d\n\tandl\t%edx,%r12d\n\txorl\t%edx,%r13d\n\taddl\t36(%rsp),%r10d\n\tmovl\t%r11d,%edi\n\txorl\t%r9d,%r12d\n\trorl\t$11,%r14d\n\txorl\t%eax,%edi\n\taddl\t%r12d,%r10d\n\trorl\t$6,%r13d\n\tandl\t%edi,%r15d\n\txorl\t%r11d,%r14d\n\taddl\t%r13d,%r10d\n\txorl\t%eax,%r15d\n\trorl\t$2,%r14d\n\taddl\t%r10d,%ecx\n\taddl\t%r15d,%r10d\n\tmovl\t%ecx,%r13d\n\taddl\t%r10d,%r14d\n\trorl\t$14,%r13d\n\tmovl\t%r14d,%r10d\n\tmovl\t%edx,%r12d\n\trorl\t$9,%r14d\n\txorl\t%ecx,%r13d\n\txorl\t%r8d,%r12d\n\trorl\t$5,%r13d\n\txorl\t%r10d,%r14d\n\tandl\t%ecx,%r12d\n\txorl\t%ecx,%r13d\n\taddl\t40(%rsp),%r9d\n\tmovl\t%r10d,%r15d\n\txorl\t%r8d,%r12d\n\trorl\t$11,%r14d\n\txorl\t%r11d,%r15d\n\taddl\t%r12d,%r9d\n\trorl\t$6,%r13d\n\tandl\t%r15d,%edi\n\txorl\t%r10d,%r14d\n\taddl\t%r13d,%r9d\n\txorl\t%r11d,%edi\n\trorl\t$2,%r14d\n\taddl\t%r9d,%ebx\n\taddl\t%edi,%r9d\n\tmovl\t%ebx,%r13d\n\taddl\t%r9d,%r14d\n\trorl\t$14,%r13d\n\tmovl\t%r14d,%r9d\n\tmovl\t%ecx,%r12d\n\trorl\t$9,%r14d\n\txorl\t%ebx,%r13d\n\txorl\t%edx,%r12d\n\trorl\t$5,%r13d\n\txorl\t%r9d,%r14d\n\tandl\t%ebx,%r12d\n\txorl\t%ebx,%r13d\n\taddl\t44(%rsp),%r8d\n\tmovl\t%r9d,%edi\n\txorl\t%edx,%r12d\n\trorl\t$11,%r14d\n\txorl\t%r10d,%edi\n\taddl\t%r12d,%r8d\n\trorl\t$6,%r13d\n\tandl\t%edi,%r15d\n\txorl\t%r9d,%r14d\n\taddl\t%r13d,%r8d\n\txorl\t%r10d,%r15d\n\trorl\t$2,%r14d\n\taddl\t%r8d,%eax\n\taddl\t%r15d,%r8d\n\tmovl\t%eax,%r13d\n\taddl\t%r8d,%r14d\n\trorl\t$14,%r13d\n\tmovl\t%r14d,%r8d\n\tmovl\t%ebx,%r12d\n\trorl\t$9,%r14d\n\txorl\t%eax,%r13d\n\txorl\t%ecx,%r12d\n\trorl\t$5,%r13d\n\txorl\t%r8d,%r14d\n\tandl\t%eax,%r12d\n\txorl\t%eax,%r13d\n\taddl\t48(%rsp),%edx\n\tmovl\t%r8d,%r15d\n\txorl\t%ecx,%r12d\n\trorl\t$11,%r14d\n\txorl\t%r9d,%r15d\n\taddl\t%r12d,%edx\n\trorl\t$6,%r13d\n\tandl\t%r15d,%edi\n\txorl\t%r8d,%r14d\n\taddl\t%r13d,%edx\n\txorl\t%r9d,%edi\n\trorl\t$2,%r14d\n\taddl\t%edx,%r11d\n\taddl\t%edi,%edx\n\tmovl\t%r11d,%r13d\n\taddl\t%edx,%r14d\n\trorl\t$14,%r13d\n\tmovl\t%r14d,%edx\n\tmovl\t%eax,%r12d\n\trorl\t$9,%r14d\n\txorl\t%r11d,%r13d\n\txorl\t%ebx,%r12d\n\trorl\t$5,%r13d\n\txorl\t%edx,%r14d\n\tandl\t%r11d,%r12d\n\txorl\t%r11d,%r13d\n\taddl\t52(%rsp),%ecx\n\tmovl\t%edx,%edi\n\txorl\t%ebx,%r12d\n\trorl\t$11,%r14d\n\txorl\t%r8d,%edi\n\taddl\t%r12d,%ecx\n\trorl\t$6,%r13d\n\tandl\t%edi,%r15d\n\txorl\t%edx,%r14d\n\taddl\t%r13d,%ecx\n\txorl\t%r8d,%r15d\n\trorl\t$2,%r14d\n\taddl\t%ecx,%r10d\n\taddl\t%r15d,%ecx\n\tmovl\t%r10d,%r13d\n\taddl\t%ecx,%r14d\n\trorl\t$14,%r13d\n\tmovl\t%r14d,%ecx\n\tmovl\t%r11d,%r12d\n\trorl\t$9,%r14d\n\txorl\t%r10d,%r13d\n\txorl\t%eax,%r12d\n\trorl\t$5,%r13d\n\txorl\t%ecx,%r14d\n\tandl\t%r10d,%r12d\n\txorl\t%r10d,%r13d\n\taddl\t56(%rsp),%ebx\n\tmovl\t%ecx,%r15d\n\txorl\t%eax,%r12d\n\trorl\t$11,%r14d\n\txorl\t%edx,%r15d\n\taddl\t%r12d,%ebx\n\trorl\t$6,%r13d\n\tandl\t%r15d,%edi\n\txorl\t%ecx,%r14d\n\taddl\t%r13d,%ebx\n\txorl\t%edx,%edi\n\trorl\t$2,%r14d\n\taddl\t%ebx,%r9d\n\taddl\t%edi,%ebx\n\tmovl\t%r9d,%r13d\n\taddl\t%ebx,%r14d\n\trorl\t$14,%r13d\n\tmovl\t%r14d,%ebx\n\tmovl\t%r10d,%r12d\n\trorl\t$9,%r14d\n\txorl\t%r9d,%r13d\n\txorl\t%r11d,%r12d\n\trorl\t$5,%r13d\n\txorl\t%ebx,%r14d\n\tandl\t%r9d,%r12d\n\txorl\t%r9d,%r13d\n\taddl\t60(%rsp),%eax\n\tmovl\t%ebx,%edi\n\txorl\t%r11d,%r12d\n\trorl\t$11,%r14d\n\txorl\t%ecx,%edi\n\taddl\t%r12d,%eax\n\trorl\t$6,%r13d\n\tandl\t%edi,%r15d\n\txorl\t%ebx,%r14d\n\taddl\t%r13d,%eax\n\txorl\t%ecx,%r15d\n\trorl\t$2,%r14d\n\taddl\t%eax,%r8d\n\taddl\t%r15d,%eax\n\tmovl\t%r8d,%r13d\n\taddl\t%eax,%r14d\n\tmovq\t64+0(%rsp),%rdi\n\tmovl\t%r14d,%eax\n\n\taddl\t0(%rdi),%eax\n\tleaq\t64(%rsi),%rsi\n\taddl\t4(%rdi),%ebx\n\taddl\t8(%rdi),%ecx\n\taddl\t12(%rdi),%edx\n\taddl\t16(%rdi),%r8d\n\taddl\t20(%rdi),%r9d\n\taddl\t24(%rdi),%r10d\n\taddl\t28(%rdi),%r11d\n\n\tcmpq\t64+16(%rsp),%rsi\n\n\tmovl\t%eax,0(%rdi)\n\tmovl\t%ebx,4(%rdi)\n\tmovl\t%ecx,8(%rdi)\n\tmovl\t%edx,12(%rdi)\n\tmovl\t%r8d,16(%rdi)\n\tmovl\t%r9d,20(%rdi)\n\tmovl\t%r10d,24(%rdi)\n\tmovl\t%r11d,28(%rdi)\n\tjb\t.Lloop_ssse3\n\n\tmovq\t88(%rsp),%rsi\n.cfi_def_cfa\t%rsi,8\n\tmovq\t-48(%rsi),%r15\n.cfi_restore\t%r15\n\tmovq\t-40(%rsi),%r14\n.cfi_restore\t%r14\n\tmovq\t-32(%rsi),%r13\n.cfi_restore\t%r13\n\tmovq\t-24(%rsi),%r12\n.cfi_restore\t%r12\n\tmovq\t-16(%rsi),%rbp\n.cfi_restore\t%rbp\n\tmovq\t-8(%rsi),%rbx\n.cfi_restore\t%rbx\n\tleaq\t(%rsi),%rsp\n.cfi_def_cfa_register\t%rsp\n.Lepilogue_ssse3:\n\tret\n.cfi_endproc\t\n.size\tsha256_block_data_order_ssse3,.-sha256_block_data_order_ssse3\n.globl\tsha256_block_data_order_avx\n.hidden sha256_block_data_order_avx\n.type\tsha256_block_data_order_avx,@function\n.align\t64\nsha256_block_data_order_avx:\n.cfi_startproc\t\n_CET_ENDBR\n\tmovq\t%rsp,%rax\n.cfi_def_cfa_register\t%rax\n\tpushq\t%rbx\n.cfi_offset\t%rbx,-16\n\tpushq\t%rbp\n.cfi_offset\t%rbp,-24\n\tpushq\t%r12\n.cfi_offset\t%r12,-32\n\tpushq\t%r13\n.cfi_offset\t%r13,-40\n\tpushq\t%r14\n.cfi_offset\t%r14,-48\n\tpushq\t%r15\n.cfi_offset\t%r15,-56\n\tshlq\t$4,%rdx\n\tsubq\t$96,%rsp\n\tleaq\t(%rsi,%rdx,4),%rdx\n\tandq\t$-64,%rsp\n\tmovq\t%rdi,64+0(%rsp)\n\tmovq\t%rsi,64+8(%rsp)\n\tmovq\t%rdx,64+16(%rsp)\n\tmovq\t%rax,88(%rsp)\n.cfi_escape\t0x0f,0x06,0x77,0xd8,0x00,0x06,0x23,0x08\n.Lprologue_avx:\n\n\tvzeroupper\n\tmovl\t0(%rdi),%eax\n\tmovl\t4(%rdi),%ebx\n\tmovl\t8(%rdi),%ecx\n\tmovl\t12(%rdi),%edx\n\tmovl\t16(%rdi),%r8d\n\tmovl\t20(%rdi),%r9d\n\tmovl\t24(%rdi),%r10d\n\tmovl\t28(%rdi),%r11d\n\tvmovdqa\tK256+512+32(%rip),%xmm8\n\tvmovdqa\tK256+512+64(%rip),%xmm9\n\tjmp\t.Lloop_avx\n.align\t16\n.Lloop_avx:\n\tvmovdqa\tK256+512(%rip),%xmm7\n\tvmovdqu\t0(%rsi),%xmm0\n\tvmovdqu\t16(%rsi),%xmm1\n\tvmovdqu\t32(%rsi),%xmm2\n\tvmovdqu\t48(%rsi),%xmm3\n\tvpshufb\t%xmm7,%xmm0,%xmm0\n\tleaq\tK256(%rip),%rbp\n\tvpshufb\t%xmm7,%xmm1,%xmm1\n\tvpshufb\t%xmm7,%xmm2,%xmm2\n\tvpaddd\t0(%rbp),%xmm0,%xmm4\n\tvpshufb\t%xmm7,%xmm3,%xmm3\n\tvpaddd\t32(%rbp),%xmm1,%xmm5\n\tvpaddd\t64(%rbp),%xmm2,%xmm6\n\tvpaddd\t96(%rbp),%xmm3,%xmm7\n\tvmovdqa\t%xmm4,0(%rsp)\n\tmovl\t%eax,%r14d\n\tvmovdqa\t%xmm5,16(%rsp)\n\tmovl\t%ebx,%edi\n\tvmovdqa\t%xmm6,32(%rsp)\n\txorl\t%ecx,%edi\n\tvmovdqa\t%xmm7,48(%rsp)\n\tmovl\t%r8d,%r13d\n\tjmp\t.Lavx_00_47\n\n.align\t16\n.Lavx_00_47:\n\tsubq\t$-128,%rbp\n\tvpalignr\t$4,%xmm0,%xmm1,%xmm4\n\tshrdl\t$14,%r13d,%r13d\n\tmovl\t%r14d,%eax\n\tmovl\t%r9d,%r12d\n\tvpalignr\t$4,%xmm2,%xmm3,%xmm7\n\tshrdl\t$9,%r14d,%r14d\n\txorl\t%r8d,%r13d\n\txorl\t%r10d,%r12d\n\tvpsrld\t$7,%xmm4,%xmm6\n\tshrdl\t$5,%r13d,%r13d\n\txorl\t%eax,%r14d\n\tandl\t%r8d,%r12d\n\tvpaddd\t%xmm7,%xmm0,%xmm0\n\txorl\t%r8d,%r13d\n\taddl\t0(%rsp),%r11d\n\tmovl\t%eax,%r15d\n\tvpsrld\t$3,%xmm4,%xmm7\n\txorl\t%r10d,%r12d\n\tshrdl\t$11,%r14d,%r14d\n\txorl\t%ebx,%r15d\n\tvpslld\t$14,%xmm4,%xmm5\n\taddl\t%r12d,%r11d\n\tshrdl\t$6,%r13d,%r13d\n\tandl\t%r15d,%edi\n\tvpxor\t%xmm6,%xmm7,%xmm4\n\txorl\t%eax,%r14d\n\taddl\t%r13d,%r11d\n\txorl\t%ebx,%edi\n\tvpshufd\t$250,%xmm3,%xmm7\n\tshrdl\t$2,%r14d,%r14d\n\taddl\t%r11d,%edx\n\taddl\t%edi,%r11d\n\tvpsrld\t$11,%xmm6,%xmm6\n\tmovl\t%edx,%r13d\n\taddl\t%r11d,%r14d\n\tshrdl\t$14,%r13d,%r13d\n\tvpxor\t%xmm5,%xmm4,%xmm4\n\tmovl\t%r14d,%r11d\n\tmovl\t%r8d,%r12d\n\tshrdl\t$9,%r14d,%r14d\n\tvpslld\t$11,%xmm5,%xmm5\n\txorl\t%edx,%r13d\n\txorl\t%r9d,%r12d\n\tshrdl\t$5,%r13d,%r13d\n\tvpxor\t%xmm6,%xmm4,%xmm4\n\txorl\t%r11d,%r14d\n\tandl\t%edx,%r12d\n\txorl\t%edx,%r13d\n\tvpsrld\t$10,%xmm7,%xmm6\n\taddl\t4(%rsp),%r10d\n\tmovl\t%r11d,%edi\n\txorl\t%r9d,%r12d\n\tvpxor\t%xmm5,%xmm4,%xmm4\n\tshrdl\t$11,%r14d,%r14d\n\txorl\t%eax,%edi\n\taddl\t%r12d,%r10d\n\tvpsrlq\t$17,%xmm7,%xmm7\n\tshrdl\t$6,%r13d,%r13d\n\tandl\t%edi,%r15d\n\txorl\t%r11d,%r14d\n\tvpaddd\t%xmm4,%xmm0,%xmm0\n\taddl\t%r13d,%r10d\n\txorl\t%eax,%r15d\n\tshrdl\t$2,%r14d,%r14d\n\tvpxor\t%xmm7,%xmm6,%xmm6\n\taddl\t%r10d,%ecx\n\taddl\t%r15d,%r10d\n\tmovl\t%ecx,%r13d\n\tvpsrlq\t$2,%xmm7,%xmm7\n\taddl\t%r10d,%r14d\n\tshrdl\t$14,%r13d,%r13d\n\tmovl\t%r14d,%r10d\n\tvpxor\t%xmm7,%xmm6,%xmm6\n\tmovl\t%edx,%r12d\n\tshrdl\t$9,%r14d,%r14d\n\txorl\t%ecx,%r13d\n\tvpshufb\t%xmm8,%xmm6,%xmm6\n\txorl\t%r8d,%r12d\n\tshrdl\t$5,%r13d,%r13d\n\txorl\t%r10d,%r14d\n\tvpaddd\t%xmm6,%xmm0,%xmm0\n\tandl\t%ecx,%r12d\n\txorl\t%ecx,%r13d\n\taddl\t8(%rsp),%r9d\n\tvpshufd\t$80,%xmm0,%xmm7\n\tmovl\t%r10d,%r15d\n\txorl\t%r8d,%r12d\n\tshrdl\t$11,%r14d,%r14d\n\tvpsrld\t$10,%xmm7,%xmm6\n\txorl\t%r11d,%r15d\n\taddl\t%r12d,%r9d\n\tshrdl\t$6,%r13d,%r13d\n\tvpsrlq\t$17,%xmm7,%xmm7\n\tandl\t%r15d,%edi\n\txorl\t%r10d,%r14d\n\taddl\t%r13d,%r9d\n\tvpxor\t%xmm7,%xmm6,%xmm6\n\txorl\t%r11d,%edi\n\tshrdl\t$2,%r14d,%r14d\n\taddl\t%r9d,%ebx\n\tvpsrlq\t$2,%xmm7,%xmm7\n\taddl\t%edi,%r9d\n\tmovl\t%ebx,%r13d\n\taddl\t%r9d,%r14d\n\tvpxor\t%xmm7,%xmm6,%xmm6\n\tshrdl\t$14,%r13d,%r13d\n\tmovl\t%r14d,%r9d\n\tmovl\t%ecx,%r12d\n\tvpshufb\t%xmm9,%xmm6,%xmm6\n\tshrdl\t$9,%r14d,%r14d\n\txorl\t%ebx,%r13d\n\txorl\t%edx,%r12d\n\tvpaddd\t%xmm6,%xmm0,%xmm0\n\tshrdl\t$5,%r13d,%r13d\n\txorl\t%r9d,%r14d\n\tandl\t%ebx,%r12d\n\tvpaddd\t0(%rbp),%xmm0,%xmm6\n\txorl\t%ebx,%r13d\n\taddl\t12(%rsp),%r8d\n\tmovl\t%r9d,%edi\n\txorl\t%edx,%r12d\n\tshrdl\t$11,%r14d,%r14d\n\txorl\t%r10d,%edi\n\taddl\t%r12d,%r8d\n\tshrdl\t$6,%r13d,%r13d\n\tandl\t%edi,%r15d\n\txorl\t%r9d,%r14d\n\taddl\t%r13d,%r8d\n\txorl\t%r10d,%r15d\n\tshrdl\t$2,%r14d,%r14d\n\taddl\t%r8d,%eax\n\taddl\t%r15d,%r8d\n\tmovl\t%eax,%r13d\n\taddl\t%r8d,%r14d\n\tvmovdqa\t%xmm6,0(%rsp)\n\tvpalignr\t$4,%xmm1,%xmm2,%xmm4\n\tshrdl\t$14,%r13d,%r13d\n\tmovl\t%r14d,%r8d\n\tmovl\t%ebx,%r12d\n\tvpalignr\t$4,%xmm3,%xmm0,%xmm7\n\tshrdl\t$9,%r14d,%r14d\n\txorl\t%eax,%r13d\n\txorl\t%ecx,%r12d\n\tvpsrld\t$7,%xmm4,%xmm6\n\tshrdl\t$5,%r13d,%r13d\n\txorl\t%r8d,%r14d\n\tandl\t%eax,%r12d\n\tvpaddd\t%xmm7,%xmm1,%xmm1\n\txorl\t%eax,%r13d\n\taddl\t16(%rsp),%edx\n\tmovl\t%r8d,%r15d\n\tvpsrld\t$3,%xmm4,%xmm7\n\txorl\t%ecx,%r12d\n\tshrdl\t$11,%r14d,%r14d\n\txorl\t%r9d,%r15d\n\tvpslld\t$14,%xmm4,%xmm5\n\taddl\t%r12d,%edx\n\tshrdl\t$6,%r13d,%r13d\n\tandl\t%r15d,%edi\n\tvpxor\t%xmm6,%xmm7,%xmm4\n\txorl\t%r8d,%r14d\n\taddl\t%r13d,%edx\n\txorl\t%r9d,%edi\n\tvpshufd\t$250,%xmm0,%xmm7\n\tshrdl\t$2,%r14d,%r14d\n\taddl\t%edx,%r11d\n\taddl\t%edi,%edx\n\tvpsrld\t$11,%xmm6,%xmm6\n\tmovl\t%r11d,%r13d\n\taddl\t%edx,%r14d\n\tshrdl\t$14,%r13d,%r13d\n\tvpxor\t%xmm5,%xmm4,%xmm4\n\tmovl\t%r14d,%edx\n\tmovl\t%eax,%r12d\n\tshrdl\t$9,%r14d,%r14d\n\tvpslld\t$11,%xmm5,%xmm5\n\txorl\t%r11d,%r13d\n\txorl\t%ebx,%r12d\n\tshrdl\t$5,%r13d,%r13d\n\tvpxor\t%xmm6,%xmm4,%xmm4\n\txorl\t%edx,%r14d\n\tandl\t%r11d,%r12d\n\txorl\t%r11d,%r13d\n\tvpsrld\t$10,%xmm7,%xmm6\n\taddl\t20(%rsp),%ecx\n\tmovl\t%edx,%edi\n\txorl\t%ebx,%r12d\n\tvpxor\t%xmm5,%xmm4,%xmm4\n\tshrdl\t$11,%r14d,%r14d\n\txorl\t%r8d,%edi\n\taddl\t%r12d,%ecx\n\tvpsrlq\t$17,%xmm7,%xmm7\n\tshrdl\t$6,%r13d,%r13d\n\tandl\t%edi,%r15d\n\txorl\t%edx,%r14d\n\tvpaddd\t%xmm4,%xmm1,%xmm1\n\taddl\t%r13d,%ecx\n\txorl\t%r8d,%r15d\n\tshrdl\t$2,%r14d,%r14d\n\tvpxor\t%xmm7,%xmm6,%xmm6\n\taddl\t%ecx,%r10d\n\taddl\t%r15d,%ecx\n\tmovl\t%r10d,%r13d\n\tvpsrlq\t$2,%xmm7,%xmm7\n\taddl\t%ecx,%r14d\n\tshrdl\t$14,%r13d,%r13d\n\tmovl\t%r14d,%ecx\n\tvpxor\t%xmm7,%xmm6,%xmm6\n\tmovl\t%r11d,%r12d\n\tshrdl\t$9,%r14d,%r14d\n\txorl\t%r10d,%r13d\n\tvpshufb\t%xmm8,%xmm6,%xmm6\n\txorl\t%eax,%r12d\n\tshrdl\t$5,%r13d,%r13d\n\txorl\t%ecx,%r14d\n\tvpaddd\t%xmm6,%xmm1,%xmm1\n\tandl\t%r10d,%r12d\n\txorl\t%r10d,%r13d\n\taddl\t24(%rsp),%ebx\n\tvpshufd\t$80,%xmm1,%xmm7\n\tmovl\t%ecx,%r15d\n\txorl\t%eax,%r12d\n\tshrdl\t$11,%r14d,%r14d\n\tvpsrld\t$10,%xmm7,%xmm6\n\txorl\t%edx,%r15d\n\taddl\t%r12d,%ebx\n\tshrdl\t$6,%r13d,%r13d\n\tvpsrlq\t$17,%xmm7,%xmm7\n\tandl\t%r15d,%edi\n\txorl\t%ecx,%r14d\n\taddl\t%r13d,%ebx\n\tvpxor\t%xmm7,%xmm6,%xmm6\n\txorl\t%edx,%edi\n\tshrdl\t$2,%r14d,%r14d\n\taddl\t%ebx,%r9d\n\tvpsrlq\t$2,%xmm7,%xmm7\n\taddl\t%edi,%ebx\n\tmovl\t%r9d,%r13d\n\taddl\t%ebx,%r14d\n\tvpxor\t%xmm7,%xmm6,%xmm6\n\tshrdl\t$14,%r13d,%r13d\n\tmovl\t%r14d,%ebx\n\tmovl\t%r10d,%r12d\n\tvpshufb\t%xmm9,%xmm6,%xmm6\n\tshrdl\t$9,%r14d,%r14d\n\txorl\t%r9d,%r13d\n\txorl\t%r11d,%r12d\n\tvpaddd\t%xmm6,%xmm1,%xmm1\n\tshrdl\t$5,%r13d,%r13d\n\txorl\t%ebx,%r14d\n\tandl\t%r9d,%r12d\n\tvpaddd\t32(%rbp),%xmm1,%xmm6\n\txorl\t%r9d,%r13d\n\taddl\t28(%rsp),%eax\n\tmovl\t%ebx,%edi\n\txorl\t%r11d,%r12d\n\tshrdl\t$11,%r14d,%r14d\n\txorl\t%ecx,%edi\n\taddl\t%r12d,%eax\n\tshrdl\t$6,%r13d,%r13d\n\tandl\t%edi,%r15d\n\txorl\t%ebx,%r14d\n\taddl\t%r13d,%eax\n\txorl\t%ecx,%r15d\n\tshrdl\t$2,%r14d,%r14d\n\taddl\t%eax,%r8d\n\taddl\t%r15d,%eax\n\tmovl\t%r8d,%r13d\n\taddl\t%eax,%r14d\n\tvmovdqa\t%xmm6,16(%rsp)\n\tvpalignr\t$4,%xmm2,%xmm3,%xmm4\n\tshrdl\t$14,%r13d,%r13d\n\tmovl\t%r14d,%eax\n\tmovl\t%r9d,%r12d\n\tvpalignr\t$4,%xmm0,%xmm1,%xmm7\n\tshrdl\t$9,%r14d,%r14d\n\txorl\t%r8d,%r13d\n\txorl\t%r10d,%r12d\n\tvpsrld\t$7,%xmm4,%xmm6\n\tshrdl\t$5,%r13d,%r13d\n\txorl\t%eax,%r14d\n\tandl\t%r8d,%r12d\n\tvpaddd\t%xmm7,%xmm2,%xmm2\n\txorl\t%r8d,%r13d\n\taddl\t32(%rsp),%r11d\n\tmovl\t%eax,%r15d\n\tvpsrld\t$3,%xmm4,%xmm7\n\txorl\t%r10d,%r12d\n\tshrdl\t$11,%r14d,%r14d\n\txorl\t%ebx,%r15d\n\tvpslld\t$14,%xmm4,%xmm5\n\taddl\t%r12d,%r11d\n\tshrdl\t$6,%r13d,%r13d\n\tandl\t%r15d,%edi\n\tvpxor\t%xmm6,%xmm7,%xmm4\n\txorl\t%eax,%r14d\n\taddl\t%r13d,%r11d\n\txorl\t%ebx,%edi\n\tvpshufd\t$250,%xmm1,%xmm7\n\tshrdl\t$2,%r14d,%r14d\n\taddl\t%r11d,%edx\n\taddl\t%edi,%r11d\n\tvpsrld\t$11,%xmm6,%xmm6\n\tmovl\t%edx,%r13d\n\taddl\t%r11d,%r14d\n\tshrdl\t$14,%r13d,%r13d\n\tvpxor\t%xmm5,%xmm4,%xmm4\n\tmovl\t%r14d,%r11d\n\tmovl\t%r8d,%r12d\n\tshrdl\t$9,%r14d,%r14d\n\tvpslld\t$11,%xmm5,%xmm5\n\txorl\t%edx,%r13d\n\txorl\t%r9d,%r12d\n\tshrdl\t$5,%r13d,%r13d\n\tvpxor\t%xmm6,%xmm4,%xmm4\n\txorl\t%r11d,%r14d\n\tandl\t%edx,%r12d\n\txorl\t%edx,%r13d\n\tvpsrld\t$10,%xmm7,%xmm6\n\taddl\t36(%rsp),%r10d\n\tmovl\t%r11d,%edi\n\txorl\t%r9d,%r12d\n\tvpxor\t%xmm5,%xmm4,%xmm4\n\tshrdl\t$11,%r14d,%r14d\n\txorl\t%eax,%edi\n\taddl\t%r12d,%r10d\n\tvpsrlq\t$17,%xmm7,%xmm7\n\tshrdl\t$6,%r13d,%r13d\n\tandl\t%edi,%r15d\n\txorl\t%r11d,%r14d\n\tvpaddd\t%xmm4,%xmm2,%xmm2\n\taddl\t%r13d,%r10d\n\txorl\t%eax,%r15d\n\tshrdl\t$2,%r14d,%r14d\n\tvpxor\t%xmm7,%xmm6,%xmm6\n\taddl\t%r10d,%ecx\n\taddl\t%r15d,%r10d\n\tmovl\t%ecx,%r13d\n\tvpsrlq\t$2,%xmm7,%xmm7\n\taddl\t%r10d,%r14d\n\tshrdl\t$14,%r13d,%r13d\n\tmovl\t%r14d,%r10d\n\tvpxor\t%xmm7,%xmm6,%xmm6\n\tmovl\t%edx,%r12d\n\tshrdl\t$9,%r14d,%r14d\n\txorl\t%ecx,%r13d\n\tvpshufb\t%xmm8,%xmm6,%xmm6\n\txorl\t%r8d,%r12d\n\tshrdl\t$5,%r13d,%r13d\n\txorl\t%r10d,%r14d\n\tvpaddd\t%xmm6,%xmm2,%xmm2\n\tandl\t%ecx,%r12d\n\txorl\t%ecx,%r13d\n\taddl\t40(%rsp),%r9d\n\tvpshufd\t$80,%xmm2,%xmm7\n\tmovl\t%r10d,%r15d\n\txorl\t%r8d,%r12d\n\tshrdl\t$11,%r14d,%r14d\n\tvpsrld\t$10,%xmm7,%xmm6\n\txorl\t%r11d,%r15d\n\taddl\t%r12d,%r9d\n\tshrdl\t$6,%r13d,%r13d\n\tvpsrlq\t$17,%xmm7,%xmm7\n\tandl\t%r15d,%edi\n\txorl\t%r10d,%r14d\n\taddl\t%r13d,%r9d\n\tvpxor\t%xmm7,%xmm6,%xmm6\n\txorl\t%r11d,%edi\n\tshrdl\t$2,%r14d,%r14d\n\taddl\t%r9d,%ebx\n\tvpsrlq\t$2,%xmm7,%xmm7\n\taddl\t%edi,%r9d\n\tmovl\t%ebx,%r13d\n\taddl\t%r9d,%r14d\n\tvpxor\t%xmm7,%xmm6,%xmm6\n\tshrdl\t$14,%r13d,%r13d\n\tmovl\t%r14d,%r9d\n\tmovl\t%ecx,%r12d\n\tvpshufb\t%xmm9,%xmm6,%xmm6\n\tshrdl\t$9,%r14d,%r14d\n\txorl\t%ebx,%r13d\n\txorl\t%edx,%r12d\n\tvpaddd\t%xmm6,%xmm2,%xmm2\n\tshrdl\t$5,%r13d,%r13d\n\txorl\t%r9d,%r14d\n\tandl\t%ebx,%r12d\n\tvpaddd\t64(%rbp),%xmm2,%xmm6\n\txorl\t%ebx,%r13d\n\taddl\t44(%rsp),%r8d\n\tmovl\t%r9d,%edi\n\txorl\t%edx,%r12d\n\tshrdl\t$11,%r14d,%r14d\n\txorl\t%r10d,%edi\n\taddl\t%r12d,%r8d\n\tshrdl\t$6,%r13d,%r13d\n\tandl\t%edi,%r15d\n\txorl\t%r9d,%r14d\n\taddl\t%r13d,%r8d\n\txorl\t%r10d,%r15d\n\tshrdl\t$2,%r14d,%r14d\n\taddl\t%r8d,%eax\n\taddl\t%r15d,%r8d\n\tmovl\t%eax,%r13d\n\taddl\t%r8d,%r14d\n\tvmovdqa\t%xmm6,32(%rsp)\n\tvpalignr\t$4,%xmm3,%xmm0,%xmm4\n\tshrdl\t$14,%r13d,%r13d\n\tmovl\t%r14d,%r8d\n\tmovl\t%ebx,%r12d\n\tvpalignr\t$4,%xmm1,%xmm2,%xmm7\n\tshrdl\t$9,%r14d,%r14d\n\txorl\t%eax,%r13d\n\txorl\t%ecx,%r12d\n\tvpsrld\t$7,%xmm4,%xmm6\n\tshrdl\t$5,%r13d,%r13d\n\txorl\t%r8d,%r14d\n\tandl\t%eax,%r12d\n\tvpaddd\t%xmm7,%xmm3,%xmm3\n\txorl\t%eax,%r13d\n\taddl\t48(%rsp),%edx\n\tmovl\t%r8d,%r15d\n\tvpsrld\t$3,%xmm4,%xmm7\n\txorl\t%ecx,%r12d\n\tshrdl\t$11,%r14d,%r14d\n\txorl\t%r9d,%r15d\n\tvpslld\t$14,%xmm4,%xmm5\n\taddl\t%r12d,%edx\n\tshrdl\t$6,%r13d,%r13d\n\tandl\t%r15d,%edi\n\tvpxor\t%xmm6,%xmm7,%xmm4\n\txorl\t%r8d,%r14d\n\taddl\t%r13d,%edx\n\txorl\t%r9d,%edi\n\tvpshufd\t$250,%xmm2,%xmm7\n\tshrdl\t$2,%r14d,%r14d\n\taddl\t%edx,%r11d\n\taddl\t%edi,%edx\n\tvpsrld\t$11,%xmm6,%xmm6\n\tmovl\t%r11d,%r13d\n\taddl\t%edx,%r14d\n\tshrdl\t$14,%r13d,%r13d\n\tvpxor\t%xmm5,%xmm4,%xmm4\n\tmovl\t%r14d,%edx\n\tmovl\t%eax,%r12d\n\tshrdl\t$9,%r14d,%r14d\n\tvpslld\t$11,%xmm5,%xmm5\n\txorl\t%r11d,%r13d\n\txorl\t%ebx,%r12d\n\tshrdl\t$5,%r13d,%r13d\n\tvpxor\t%xmm6,%xmm4,%xmm4\n\txorl\t%edx,%r14d\n\tandl\t%r11d,%r12d\n\txorl\t%r11d,%r13d\n\tvpsrld\t$10,%xmm7,%xmm6\n\taddl\t52(%rsp),%ecx\n\tmovl\t%edx,%edi\n\txorl\t%ebx,%r12d\n\tvpxor\t%xmm5,%xmm4,%xmm4\n\tshrdl\t$11,%r14d,%r14d\n\txorl\t%r8d,%edi\n\taddl\t%r12d,%ecx\n\tvpsrlq\t$17,%xmm7,%xmm7\n\tshrdl\t$6,%r13d,%r13d\n\tandl\t%edi,%r15d\n\txorl\t%edx,%r14d\n\tvpaddd\t%xmm4,%xmm3,%xmm3\n\taddl\t%r13d,%ecx\n\txorl\t%r8d,%r15d\n\tshrdl\t$2,%r14d,%r14d\n\tvpxor\t%xmm7,%xmm6,%xmm6\n\taddl\t%ecx,%r10d\n\taddl\t%r15d,%ecx\n\tmovl\t%r10d,%r13d\n\tvpsrlq\t$2,%xmm7,%xmm7\n\taddl\t%ecx,%r14d\n\tshrdl\t$14,%r13d,%r13d\n\tmovl\t%r14d,%ecx\n\tvpxor\t%xmm7,%xmm6,%xmm6\n\tmovl\t%r11d,%r12d\n\tshrdl\t$9,%r14d,%r14d\n\txorl\t%r10d,%r13d\n\tvpshufb\t%xmm8,%xmm6,%xmm6\n\txorl\t%eax,%r12d\n\tshrdl\t$5,%r13d,%r13d\n\txorl\t%ecx,%r14d\n\tvpaddd\t%xmm6,%xmm3,%xmm3\n\tandl\t%r10d,%r12d\n\txorl\t%r10d,%r13d\n\taddl\t56(%rsp),%ebx\n\tvpshufd\t$80,%xmm3,%xmm7\n\tmovl\t%ecx,%r15d\n\txorl\t%eax,%r12d\n\tshrdl\t$11,%r14d,%r14d\n\tvpsrld\t$10,%xmm7,%xmm6\n\txorl\t%edx,%r15d\n\taddl\t%r12d,%ebx\n\tshrdl\t$6,%r13d,%r13d\n\tvpsrlq\t$17,%xmm7,%xmm7\n\tandl\t%r15d,%edi\n\txorl\t%ecx,%r14d\n\taddl\t%r13d,%ebx\n\tvpxor\t%xmm7,%xmm6,%xmm6\n\txorl\t%edx,%edi\n\tshrdl\t$2,%r14d,%r14d\n\taddl\t%ebx,%r9d\n\tvpsrlq\t$2,%xmm7,%xmm7\n\taddl\t%edi,%ebx\n\tmovl\t%r9d,%r13d\n\taddl\t%ebx,%r14d\n\tvpxor\t%xmm7,%xmm6,%xmm6\n\tshrdl\t$14,%r13d,%r13d\n\tmovl\t%r14d,%ebx\n\tmovl\t%r10d,%r12d\n\tvpshufb\t%xmm9,%xmm6,%xmm6\n\tshrdl\t$9,%r14d,%r14d\n\txorl\t%r9d,%r13d\n\txorl\t%r11d,%r12d\n\tvpaddd\t%xmm6,%xmm3,%xmm3\n\tshrdl\t$5,%r13d,%r13d\n\txorl\t%ebx,%r14d\n\tandl\t%r9d,%r12d\n\tvpaddd\t96(%rbp),%xmm3,%xmm6\n\txorl\t%r9d,%r13d\n\taddl\t60(%rsp),%eax\n\tmovl\t%ebx,%edi\n\txorl\t%r11d,%r12d\n\tshrdl\t$11,%r14d,%r14d\n\txorl\t%ecx,%edi\n\taddl\t%r12d,%eax\n\tshrdl\t$6,%r13d,%r13d\n\tandl\t%edi,%r15d\n\txorl\t%ebx,%r14d\n\taddl\t%r13d,%eax\n\txorl\t%ecx,%r15d\n\tshrdl\t$2,%r14d,%r14d\n\taddl\t%eax,%r8d\n\taddl\t%r15d,%eax\n\tmovl\t%r8d,%r13d\n\taddl\t%eax,%r14d\n\tvmovdqa\t%xmm6,48(%rsp)\n\tcmpb\t$0,131(%rbp)\n\tjne\t.Lavx_00_47\n\tshrdl\t$14,%r13d,%r13d\n\tmovl\t%r14d,%eax\n\tmovl\t%r9d,%r12d\n\tshrdl\t$9,%r14d,%r14d\n\txorl\t%r8d,%r13d\n\txorl\t%r10d,%r12d\n\tshrdl\t$5,%r13d,%r13d\n\txorl\t%eax,%r14d\n\tandl\t%r8d,%r12d\n\txorl\t%r8d,%r13d\n\taddl\t0(%rsp),%r11d\n\tmovl\t%eax,%r15d\n\txorl\t%r10d,%r12d\n\tshrdl\t$11,%r14d,%r14d\n\txorl\t%ebx,%r15d\n\taddl\t%r12d,%r11d\n\tshrdl\t$6,%r13d,%r13d\n\tandl\t%r15d,%edi\n\txorl\t%eax,%r14d\n\taddl\t%r13d,%r11d\n\txorl\t%ebx,%edi\n\tshrdl\t$2,%r14d,%r14d\n\taddl\t%r11d,%edx\n\taddl\t%edi,%r11d\n\tmovl\t%edx,%r13d\n\taddl\t%r11d,%r14d\n\tshrdl\t$14,%r13d,%r13d\n\tmovl\t%r14d,%r11d\n\tmovl\t%r8d,%r12d\n\tshrdl\t$9,%r14d,%r14d\n\txorl\t%edx,%r13d\n\txorl\t%r9d,%r12d\n\tshrdl\t$5,%r13d,%r13d\n\txorl\t%r11d,%r14d\n\tandl\t%edx,%r12d\n\txorl\t%edx,%r13d\n\taddl\t4(%rsp),%r10d\n\tmovl\t%r11d,%edi\n\txorl\t%r9d,%r12d\n\tshrdl\t$11,%r14d,%r14d\n\txorl\t%eax,%edi\n\taddl\t%r12d,%r10d\n\tshrdl\t$6,%r13d,%r13d\n\tandl\t%edi,%r15d\n\txorl\t%r11d,%r14d\n\taddl\t%r13d,%r10d\n\txorl\t%eax,%r15d\n\tshrdl\t$2,%r14d,%r14d\n\taddl\t%r10d,%ecx\n\taddl\t%r15d,%r10d\n\tmovl\t%ecx,%r13d\n\taddl\t%r10d,%r14d\n\tshrdl\t$14,%r13d,%r13d\n\tmovl\t%r14d,%r10d\n\tmovl\t%edx,%r12d\n\tshrdl\t$9,%r14d,%r14d\n\txorl\t%ecx,%r13d\n\txorl\t%r8d,%r12d\n\tshrdl\t$5,%r13d,%r13d\n\txorl\t%r10d,%r14d\n\tandl\t%ecx,%r12d\n\txorl\t%ecx,%r13d\n\taddl\t8(%rsp),%r9d\n\tmovl\t%r10d,%r15d\n\txorl\t%r8d,%r12d\n\tshrdl\t$11,%r14d,%r14d\n\txorl\t%r11d,%r15d\n\taddl\t%r12d,%r9d\n\tshrdl\t$6,%r13d,%r13d\n\tandl\t%r15d,%edi\n\txorl\t%r10d,%r14d\n\taddl\t%r13d,%r9d\n\txorl\t%r11d,%edi\n\tshrdl\t$2,%r14d,%r14d\n\taddl\t%r9d,%ebx\n\taddl\t%edi,%r9d\n\tmovl\t%ebx,%r13d\n\taddl\t%r9d,%r14d\n\tshrdl\t$14,%r13d,%r13d\n\tmovl\t%r14d,%r9d\n\tmovl\t%ecx,%r12d\n\tshrdl\t$9,%r14d,%r14d\n\txorl\t%ebx,%r13d\n\txorl\t%edx,%r12d\n\tshrdl\t$5,%r13d,%r13d\n\txorl\t%r9d,%r14d\n\tandl\t%ebx,%r12d\n\txorl\t%ebx,%r13d\n\taddl\t12(%rsp),%r8d\n\tmovl\t%r9d,%edi\n\txorl\t%edx,%r12d\n\tshrdl\t$11,%r14d,%r14d\n\txorl\t%r10d,%edi\n\taddl\t%r12d,%r8d\n\tshrdl\t$6,%r13d,%r13d\n\tandl\t%edi,%r15d\n\txorl\t%r9d,%r14d\n\taddl\t%r13d,%r8d\n\txorl\t%r10d,%r15d\n\tshrdl\t$2,%r14d,%r14d\n\taddl\t%r8d,%eax\n\taddl\t%r15d,%r8d\n\tmovl\t%eax,%r13d\n\taddl\t%r8d,%r14d\n\tshrdl\t$14,%r13d,%r13d\n\tmovl\t%r14d,%r8d\n\tmovl\t%ebx,%r12d\n\tshrdl\t$9,%r14d,%r14d\n\txorl\t%eax,%r13d\n\txorl\t%ecx,%r12d\n\tshrdl\t$5,%r13d,%r13d\n\txorl\t%r8d,%r14d\n\tandl\t%eax,%r12d\n\txorl\t%eax,%r13d\n\taddl\t16(%rsp),%edx\n\tmovl\t%r8d,%r15d\n\txorl\t%ecx,%r12d\n\tshrdl\t$11,%r14d,%r14d\n\txorl\t%r9d,%r15d\n\taddl\t%r12d,%edx\n\tshrdl\t$6,%r13d,%r13d\n\tandl\t%r15d,%edi\n\txorl\t%r8d,%r14d\n\taddl\t%r13d,%edx\n\txorl\t%r9d,%edi\n\tshrdl\t$2,%r14d,%r14d\n\taddl\t%edx,%r11d\n\taddl\t%edi,%edx\n\tmovl\t%r11d,%r13d\n\taddl\t%edx,%r14d\n\tshrdl\t$14,%r13d,%r13d\n\tmovl\t%r14d,%edx\n\tmovl\t%eax,%r12d\n\tshrdl\t$9,%r14d,%r14d\n\txorl\t%r11d,%r13d\n\txorl\t%ebx,%r12d\n\tshrdl\t$5,%r13d,%r13d\n\txorl\t%edx,%r14d\n\tandl\t%r11d,%r12d\n\txorl\t%r11d,%r13d\n\taddl\t20(%rsp),%ecx\n\tmovl\t%edx,%edi\n\txorl\t%ebx,%r12d\n\tshrdl\t$11,%r14d,%r14d\n\txorl\t%r8d,%edi\n\taddl\t%r12d,%ecx\n\tshrdl\t$6,%r13d,%r13d\n\tandl\t%edi,%r15d\n\txorl\t%edx,%r14d\n\taddl\t%r13d,%ecx\n\txorl\t%r8d,%r15d\n\tshrdl\t$2,%r14d,%r14d\n\taddl\t%ecx,%r10d\n\taddl\t%r15d,%ecx\n\tmovl\t%r10d,%r13d\n\taddl\t%ecx,%r14d\n\tshrdl\t$14,%r13d,%r13d\n\tmovl\t%r14d,%ecx\n\tmovl\t%r11d,%r12d\n\tshrdl\t$9,%r14d,%r14d\n\txorl\t%r10d,%r13d\n\txorl\t%eax,%r12d\n\tshrdl\t$5,%r13d,%r13d\n\txorl\t%ecx,%r14d\n\tandl\t%r10d,%r12d\n\txorl\t%r10d,%r13d\n\taddl\t24(%rsp),%ebx\n\tmovl\t%ecx,%r15d\n\txorl\t%eax,%r12d\n\tshrdl\t$11,%r14d,%r14d\n\txorl\t%edx,%r15d\n\taddl\t%r12d,%ebx\n\tshrdl\t$6,%r13d,%r13d\n\tandl\t%r15d,%edi\n\txorl\t%ecx,%r14d\n\taddl\t%r13d,%ebx\n\txorl\t%edx,%edi\n\tshrdl\t$2,%r14d,%r14d\n\taddl\t%ebx,%r9d\n\taddl\t%edi,%ebx\n\tmovl\t%r9d,%r13d\n\taddl\t%ebx,%r14d\n\tshrdl\t$14,%r13d,%r13d\n\tmovl\t%r14d,%ebx\n\tmovl\t%r10d,%r12d\n\tshrdl\t$9,%r14d,%r14d\n\txorl\t%r9d,%r13d\n\txorl\t%r11d,%r12d\n\tshrdl\t$5,%r13d,%r13d\n\txorl\t%ebx,%r14d\n\tandl\t%r9d,%r12d\n\txorl\t%r9d,%r13d\n\taddl\t28(%rsp),%eax\n\tmovl\t%ebx,%edi\n\txorl\t%r11d,%r12d\n\tshrdl\t$11,%r14d,%r14d\n\txorl\t%ecx,%edi\n\taddl\t%r12d,%eax\n\tshrdl\t$6,%r13d,%r13d\n\tandl\t%edi,%r15d\n\txorl\t%ebx,%r14d\n\taddl\t%r13d,%eax\n\txorl\t%ecx,%r15d\n\tshrdl\t$2,%r14d,%r14d\n\taddl\t%eax,%r8d\n\taddl\t%r15d,%eax\n\tmovl\t%r8d,%r13d\n\taddl\t%eax,%r14d\n\tshrdl\t$14,%r13d,%r13d\n\tmovl\t%r14d,%eax\n\tmovl\t%r9d,%r12d\n\tshrdl\t$9,%r14d,%r14d\n\txorl\t%r8d,%r13d\n\txorl\t%r10d,%r12d\n\tshrdl\t$5,%r13d,%r13d\n\txorl\t%eax,%r14d\n\tandl\t%r8d,%r12d\n\txorl\t%r8d,%r13d\n\taddl\t32(%rsp),%r11d\n\tmovl\t%eax,%r15d\n\txorl\t%r10d,%r12d\n\tshrdl\t$11,%r14d,%r14d\n\txorl\t%ebx,%r15d\n\taddl\t%r12d,%r11d\n\tshrdl\t$6,%r13d,%r13d\n\tandl\t%r15d,%edi\n\txorl\t%eax,%r14d\n\taddl\t%r13d,%r11d\n\txorl\t%ebx,%edi\n\tshrdl\t$2,%r14d,%r14d\n\taddl\t%r11d,%edx\n\taddl\t%edi,%r11d\n\tmovl\t%edx,%r13d\n\taddl\t%r11d,%r14d\n\tshrdl\t$14,%r13d,%r13d\n\tmovl\t%r14d,%r11d\n\tmovl\t%r8d,%r12d\n\tshrdl\t$9,%r14d,%r14d\n\txorl\t%edx,%r13d\n\txorl\t%r9d,%r12d\n\tshrdl\t$5,%r13d,%r13d\n\txorl\t%r11d,%r14d\n\tandl\t%edx,%r12d\n\txorl\t%edx,%r13d\n\taddl\t36(%rsp),%r10d\n\tmovl\t%r11d,%edi\n\txorl\t%r9d,%r12d\n\tshrdl\t$11,%r14d,%r14d\n\txorl\t%eax,%edi\n\taddl\t%r12d,%r10d\n\tshrdl\t$6,%r13d,%r13d\n\tandl\t%edi,%r15d\n\txorl\t%r11d,%r14d\n\taddl\t%r13d,%r10d\n\txorl\t%eax,%r15d\n\tshrdl\t$2,%r14d,%r14d\n\taddl\t%r10d,%ecx\n\taddl\t%r15d,%r10d\n\tmovl\t%ecx,%r13d\n\taddl\t%r10d,%r14d\n\tshrdl\t$14,%r13d,%r13d\n\tmovl\t%r14d,%r10d\n\tmovl\t%edx,%r12d\n\tshrdl\t$9,%r14d,%r14d\n\txorl\t%ecx,%r13d\n\txorl\t%r8d,%r12d\n\tshrdl\t$5,%r13d,%r13d\n\txorl\t%r10d,%r14d\n\tandl\t%ecx,%r12d\n\txorl\t%ecx,%r13d\n\taddl\t40(%rsp),%r9d\n\tmovl\t%r10d,%r15d\n\txorl\t%r8d,%r12d\n\tshrdl\t$11,%r14d,%r14d\n\txorl\t%r11d,%r15d\n\taddl\t%r12d,%r9d\n\tshrdl\t$6,%r13d,%r13d\n\tandl\t%r15d,%edi\n\txorl\t%r10d,%r14d\n\taddl\t%r13d,%r9d\n\txorl\t%r11d,%edi\n\tshrdl\t$2,%r14d,%r14d\n\taddl\t%r9d,%ebx\n\taddl\t%edi,%r9d\n\tmovl\t%ebx,%r13d\n\taddl\t%r9d,%r14d\n\tshrdl\t$14,%r13d,%r13d\n\tmovl\t%r14d,%r9d\n\tmovl\t%ecx,%r12d\n\tshrdl\t$9,%r14d,%r14d\n\txorl\t%ebx,%r13d\n\txorl\t%edx,%r12d\n\tshrdl\t$5,%r13d,%r13d\n\txorl\t%r9d,%r14d\n\tandl\t%ebx,%r12d\n\txorl\t%ebx,%r13d\n\taddl\t44(%rsp),%r8d\n\tmovl\t%r9d,%edi\n\txorl\t%edx,%r12d\n\tshrdl\t$11,%r14d,%r14d\n\txorl\t%r10d,%edi\n\taddl\t%r12d,%r8d\n\tshrdl\t$6,%r13d,%r13d\n\tandl\t%edi,%r15d\n\txorl\t%r9d,%r14d\n\taddl\t%r13d,%r8d\n\txorl\t%r10d,%r15d\n\tshrdl\t$2,%r14d,%r14d\n\taddl\t%r8d,%eax\n\taddl\t%r15d,%r8d\n\tmovl\t%eax,%r13d\n\taddl\t%r8d,%r14d\n\tshrdl\t$14,%r13d,%r13d\n\tmovl\t%r14d,%r8d\n\tmovl\t%ebx,%r12d\n\tshrdl\t$9,%r14d,%r14d\n\txorl\t%eax,%r13d\n\txorl\t%ecx,%r12d\n\tshrdl\t$5,%r13d,%r13d\n\txorl\t%r8d,%r14d\n\tandl\t%eax,%r12d\n\txorl\t%eax,%r13d\n\taddl\t48(%rsp),%edx\n\tmovl\t%r8d,%r15d\n\txorl\t%ecx,%r12d\n\tshrdl\t$11,%r14d,%r14d\n\txorl\t%r9d,%r15d\n\taddl\t%r12d,%edx\n\tshrdl\t$6,%r13d,%r13d\n\tandl\t%r15d,%edi\n\txorl\t%r8d,%r14d\n\taddl\t%r13d,%edx\n\txorl\t%r9d,%edi\n\tshrdl\t$2,%r14d,%r14d\n\taddl\t%edx,%r11d\n\taddl\t%edi,%edx\n\tmovl\t%r11d,%r13d\n\taddl\t%edx,%r14d\n\tshrdl\t$14,%r13d,%r13d\n\tmovl\t%r14d,%edx\n\tmovl\t%eax,%r12d\n\tshrdl\t$9,%r14d,%r14d\n\txorl\t%r11d,%r13d\n\txorl\t%ebx,%r12d\n\tshrdl\t$5,%r13d,%r13d\n\txorl\t%edx,%r14d\n\tandl\t%r11d,%r12d\n\txorl\t%r11d,%r13d\n\taddl\t52(%rsp),%ecx\n\tmovl\t%edx,%edi\n\txorl\t%ebx,%r12d\n\tshrdl\t$11,%r14d,%r14d\n\txorl\t%r8d,%edi\n\taddl\t%r12d,%ecx\n\tshrdl\t$6,%r13d,%r13d\n\tandl\t%edi,%r15d\n\txorl\t%edx,%r14d\n\taddl\t%r13d,%ecx\n\txorl\t%r8d,%r15d\n\tshrdl\t$2,%r14d,%r14d\n\taddl\t%ecx,%r10d\n\taddl\t%r15d,%ecx\n\tmovl\t%r10d,%r13d\n\taddl\t%ecx,%r14d\n\tshrdl\t$14,%r13d,%r13d\n\tmovl\t%r14d,%ecx\n\tmovl\t%r11d,%r12d\n\tshrdl\t$9,%r14d,%r14d\n\txorl\t%r10d,%r13d\n\txorl\t%eax,%r12d\n\tshrdl\t$5,%r13d,%r13d\n\txorl\t%ecx,%r14d\n\tandl\t%r10d,%r12d\n\txorl\t%r10d,%r13d\n\taddl\t56(%rsp),%ebx\n\tmovl\t%ecx,%r15d\n\txorl\t%eax,%r12d\n\tshrdl\t$11,%r14d,%r14d\n\txorl\t%edx,%r15d\n\taddl\t%r12d,%ebx\n\tshrdl\t$6,%r13d,%r13d\n\tandl\t%r15d,%edi\n\txorl\t%ecx,%r14d\n\taddl\t%r13d,%ebx\n\txorl\t%edx,%edi\n\tshrdl\t$2,%r14d,%r14d\n\taddl\t%ebx,%r9d\n\taddl\t%edi,%ebx\n\tmovl\t%r9d,%r13d\n\taddl\t%ebx,%r14d\n\tshrdl\t$14,%r13d,%r13d\n\tmovl\t%r14d,%ebx\n\tmovl\t%r10d,%r12d\n\tshrdl\t$9,%r14d,%r14d\n\txorl\t%r9d,%r13d\n\txorl\t%r11d,%r12d\n\tshrdl\t$5,%r13d,%r13d\n\txorl\t%ebx,%r14d\n\tandl\t%r9d,%r12d\n\txorl\t%r9d,%r13d\n\taddl\t60(%rsp),%eax\n\tmovl\t%ebx,%edi\n\txorl\t%r11d,%r12d\n\tshrdl\t$11,%r14d,%r14d\n\txorl\t%ecx,%edi\n\taddl\t%r12d,%eax\n\tshrdl\t$6,%r13d,%r13d\n\tandl\t%edi,%r15d\n\txorl\t%ebx,%r14d\n\taddl\t%r13d,%eax\n\txorl\t%ecx,%r15d\n\tshrdl\t$2,%r14d,%r14d\n\taddl\t%eax,%r8d\n\taddl\t%r15d,%eax\n\tmovl\t%r8d,%r13d\n\taddl\t%eax,%r14d\n\tmovq\t64+0(%rsp),%rdi\n\tmovl\t%r14d,%eax\n\n\taddl\t0(%rdi),%eax\n\tleaq\t64(%rsi),%rsi\n\taddl\t4(%rdi),%ebx\n\taddl\t8(%rdi),%ecx\n\taddl\t12(%rdi),%edx\n\taddl\t16(%rdi),%r8d\n\taddl\t20(%rdi),%r9d\n\taddl\t24(%rdi),%r10d\n\taddl\t28(%rdi),%r11d\n\n\tcmpq\t64+16(%rsp),%rsi\n\n\tmovl\t%eax,0(%rdi)\n\tmovl\t%ebx,4(%rdi)\n\tmovl\t%ecx,8(%rdi)\n\tmovl\t%edx,12(%rdi)\n\tmovl\t%r8d,16(%rdi)\n\tmovl\t%r9d,20(%rdi)\n\tmovl\t%r10d,24(%rdi)\n\tmovl\t%r11d,28(%rdi)\n\tjb\t.Lloop_avx\n\n\tmovq\t88(%rsp),%rsi\n.cfi_def_cfa\t%rsi,8\n\tvzeroupper\n\tmovq\t-48(%rsi),%r15\n.cfi_restore\t%r15\n\tmovq\t-40(%rsi),%r14\n.cfi_restore\t%r14\n\tmovq\t-32(%rsi),%r13\n.cfi_restore\t%r13\n\tmovq\t-24(%rsi),%r12\n.cfi_restore\t%r12\n\tmovq\t-16(%rsi),%rbp\n.cfi_restore\t%rbp\n\tmovq\t-8(%rsi),%rbx\n.cfi_restore\t%rbx\n\tleaq\t(%rsi),%rsp\n.cfi_def_cfa_register\t%rsp\n.Lepilogue_avx:\n\tret\n.cfi_endproc\t\n.size\tsha256_block_data_order_avx,.-sha256_block_data_order_avx\n#endif\n#if defined(__linux__) && defined(__ELF__)\n.section .note.GNU-stack,\"\",%progbits\n#endif\n\n" }, { "path": "Sources/CNIOBoringSSL/gen/bcm/sha512-586-apple.S", "content": "#define BORINGSSL_PREFIX CNIOBoringSSL\n// This file is generated from a similarly-named Perl script in the BoringSSL\n// source tree. Do not edit by hand.\n\n#include \n\n#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86) && defined(__APPLE__)\n.text\n.globl\t_sha512_block_data_order_nohw\n.private_extern\t_sha512_block_data_order_nohw\n.align\t4\n_sha512_block_data_order_nohw:\nL_sha512_block_data_order_nohw_begin:\n\tpushl\t%ebp\n\tpushl\t%ebx\n\tpushl\t%esi\n\tpushl\t%edi\n\tmovl\t20(%esp),%esi\n\tmovl\t24(%esp),%edi\n\tmovl\t28(%esp),%eax\n\tmovl\t%esp,%ebx\n\tcall\tL000pic_point\nL000pic_point:\n\tpopl\t%ebp\n\tleal\tLK512-L000pic_point(%ebp),%ebp\n\tsubl\t$16,%esp\n\tandl\t$-64,%esp\n\tshll\t$7,%eax\n\taddl\t%edi,%eax\n\tmovl\t%esi,(%esp)\n\tmovl\t%edi,4(%esp)\n\tmovl\t%eax,8(%esp)\n\tmovl\t%ebx,12(%esp)\n\tmovq\t(%esi),%mm0\n\tmovq\t8(%esi),%mm1\n\tmovq\t16(%esi),%mm2\n\tmovq\t24(%esi),%mm3\n\tmovq\t32(%esi),%mm4\n\tmovq\t40(%esi),%mm5\n\tmovq\t48(%esi),%mm6\n\tmovq\t56(%esi),%mm7\n\tsubl\t$80,%esp\n\tjmp\tL001loop_sse2\n.align\t4,0x90\nL001loop_sse2:\n\tmovq\t%mm1,8(%esp)\n\tmovq\t%mm2,16(%esp)\n\tmovq\t%mm3,24(%esp)\n\tmovq\t%mm5,40(%esp)\n\tmovq\t%mm6,48(%esp)\n\tpxor\t%mm1,%mm2\n\tmovq\t%mm7,56(%esp)\n\tmovq\t%mm0,%mm3\n\tmovl\t(%edi),%eax\n\tmovl\t4(%edi),%ebx\n\taddl\t$8,%edi\n\tmovl\t$15,%edx\n\tbswap\t%eax\n\tbswap\t%ebx\n\tjmp\tL00200_14_sse2\n.align\t4,0x90\nL00200_14_sse2:\n\tmovd\t%eax,%mm1\n\tmovl\t(%edi),%eax\n\tmovd\t%ebx,%mm7\n\tmovl\t4(%edi),%ebx\n\taddl\t$8,%edi\n\tbswap\t%eax\n\tbswap\t%ebx\n\tpunpckldq\t%mm1,%mm7\n\tmovq\t%mm4,%mm1\n\tpxor\t%mm6,%mm5\n\tpsrlq\t$14,%mm1\n\tmovq\t%mm4,32(%esp)\n\tpand\t%mm4,%mm5\n\tpsllq\t$23,%mm4\n\tmovq\t%mm3,%mm0\n\tmovq\t%mm7,72(%esp)\n\tmovq\t%mm1,%mm3\n\tpsrlq\t$4,%mm1\n\tpxor\t%mm6,%mm5\n\tpxor\t%mm4,%mm3\n\tpsllq\t$23,%mm4\n\tpxor\t%mm1,%mm3\n\tmovq\t%mm0,(%esp)\n\tpaddq\t%mm5,%mm7\n\tpxor\t%mm4,%mm3\n\tpsrlq\t$23,%mm1\n\tpaddq\t56(%esp),%mm7\n\tpxor\t%mm1,%mm3\n\tpsllq\t$4,%mm4\n\tpaddq\t(%ebp),%mm7\n\tpxor\t%mm4,%mm3\n\tmovq\t24(%esp),%mm4\n\tpaddq\t%mm7,%mm3\n\tmovq\t%mm0,%mm5\n\tpsrlq\t$28,%mm5\n\tpaddq\t%mm3,%mm4\n\tmovq\t%mm0,%mm6\n\tmovq\t%mm5,%mm7\n\tpsllq\t$25,%mm6\n\tmovq\t8(%esp),%mm1\n\tpsrlq\t$6,%mm5\n\tpxor\t%mm6,%mm7\n\tsubl\t$8,%esp\n\tpsllq\t$5,%mm6\n\tpxor\t%mm5,%mm7\n\tpxor\t%mm1,%mm0\n\tpsrlq\t$5,%mm5\n\tpxor\t%mm6,%mm7\n\tpand\t%mm0,%mm2\n\tpsllq\t$6,%mm6\n\tpxor\t%mm5,%mm7\n\tpxor\t%mm1,%mm2\n\tpxor\t%mm7,%mm6\n\tmovq\t40(%esp),%mm5\n\tpaddq\t%mm2,%mm3\n\tmovq\t%mm0,%mm2\n\taddl\t$8,%ebp\n\tpaddq\t%mm6,%mm3\n\tmovq\t48(%esp),%mm6\n\tdecl\t%edx\n\tjnz\tL00200_14_sse2\n\tmovd\t%eax,%mm1\n\tmovd\t%ebx,%mm7\n\tpunpckldq\t%mm1,%mm7\n\tmovq\t%mm4,%mm1\n\tpxor\t%mm6,%mm5\n\tpsrlq\t$14,%mm1\n\tmovq\t%mm4,32(%esp)\n\tpand\t%mm4,%mm5\n\tpsllq\t$23,%mm4\n\tmovq\t%mm3,%mm0\n\tmovq\t%mm7,72(%esp)\n\tmovq\t%mm1,%mm3\n\tpsrlq\t$4,%mm1\n\tpxor\t%mm6,%mm5\n\tpxor\t%mm4,%mm3\n\tpsllq\t$23,%mm4\n\tpxor\t%mm1,%mm3\n\tmovq\t%mm0,(%esp)\n\tpaddq\t%mm5,%mm7\n\tpxor\t%mm4,%mm3\n\tpsrlq\t$23,%mm1\n\tpaddq\t56(%esp),%mm7\n\tpxor\t%mm1,%mm3\n\tpsllq\t$4,%mm4\n\tpaddq\t(%ebp),%mm7\n\tpxor\t%mm4,%mm3\n\tmovq\t24(%esp),%mm4\n\tpaddq\t%mm7,%mm3\n\tmovq\t%mm0,%mm5\n\tpsrlq\t$28,%mm5\n\tpaddq\t%mm3,%mm4\n\tmovq\t%mm0,%mm6\n\tmovq\t%mm5,%mm7\n\tpsllq\t$25,%mm6\n\tmovq\t8(%esp),%mm1\n\tpsrlq\t$6,%mm5\n\tpxor\t%mm6,%mm7\n\tsubl\t$8,%esp\n\tpsllq\t$5,%mm6\n\tpxor\t%mm5,%mm7\n\tpxor\t%mm1,%mm0\n\tpsrlq\t$5,%mm5\n\tpxor\t%mm6,%mm7\n\tpand\t%mm0,%mm2\n\tpsllq\t$6,%mm6\n\tpxor\t%mm5,%mm7\n\tpxor\t%mm1,%mm2\n\tpxor\t%mm7,%mm6\n\tmovq\t192(%esp),%mm7\n\tpaddq\t%mm2,%mm3\n\tmovq\t%mm0,%mm2\n\taddl\t$8,%ebp\n\tpaddq\t%mm6,%mm3\n\tpxor\t%mm0,%mm0\n\tmovl\t$32,%edx\n\tjmp\tL00316_79_sse2\n.align\t4,0x90\nL00316_79_sse2:\n\tmovq\t88(%esp),%mm5\n\tmovq\t%mm7,%mm1\n\tpsrlq\t$1,%mm7\n\tmovq\t%mm5,%mm6\n\tpsrlq\t$6,%mm5\n\tpsllq\t$56,%mm1\n\tpaddq\t%mm3,%mm0\n\tmovq\t%mm7,%mm3\n\tpsrlq\t$6,%mm7\n\tpxor\t%mm1,%mm3\n\tpsllq\t$7,%mm1\n\tpxor\t%mm7,%mm3\n\tpsrlq\t$1,%mm7\n\tpxor\t%mm1,%mm3\n\tmovq\t%mm5,%mm1\n\tpsrlq\t$13,%mm5\n\tpxor\t%mm3,%mm7\n\tpsllq\t$3,%mm6\n\tpxor\t%mm5,%mm1\n\tpaddq\t200(%esp),%mm7\n\tpxor\t%mm6,%mm1\n\tpsrlq\t$42,%mm5\n\tpaddq\t128(%esp),%mm7\n\tpxor\t%mm5,%mm1\n\tpsllq\t$42,%mm6\n\tmovq\t40(%esp),%mm5\n\tpxor\t%mm6,%mm1\n\tmovq\t48(%esp),%mm6\n\tpaddq\t%mm1,%mm7\n\tmovq\t%mm4,%mm1\n\tpxor\t%mm6,%mm5\n\tpsrlq\t$14,%mm1\n\tmovq\t%mm4,32(%esp)\n\tpand\t%mm4,%mm5\n\tpsllq\t$23,%mm4\n\tmovq\t%mm7,72(%esp)\n\tmovq\t%mm1,%mm3\n\tpsrlq\t$4,%mm1\n\tpxor\t%mm6,%mm5\n\tpxor\t%mm4,%mm3\n\tpsllq\t$23,%mm4\n\tpxor\t%mm1,%mm3\n\tmovq\t%mm0,(%esp)\n\tpaddq\t%mm5,%mm7\n\tpxor\t%mm4,%mm3\n\tpsrlq\t$23,%mm1\n\tpaddq\t56(%esp),%mm7\n\tpxor\t%mm1,%mm3\n\tpsllq\t$4,%mm4\n\tpaddq\t(%ebp),%mm7\n\tpxor\t%mm4,%mm3\n\tmovq\t24(%esp),%mm4\n\tpaddq\t%mm7,%mm3\n\tmovq\t%mm0,%mm5\n\tpsrlq\t$28,%mm5\n\tpaddq\t%mm3,%mm4\n\tmovq\t%mm0,%mm6\n\tmovq\t%mm5,%mm7\n\tpsllq\t$25,%mm6\n\tmovq\t8(%esp),%mm1\n\tpsrlq\t$6,%mm5\n\tpxor\t%mm6,%mm7\n\tsubl\t$8,%esp\n\tpsllq\t$5,%mm6\n\tpxor\t%mm5,%mm7\n\tpxor\t%mm1,%mm0\n\tpsrlq\t$5,%mm5\n\tpxor\t%mm6,%mm7\n\tpand\t%mm0,%mm2\n\tpsllq\t$6,%mm6\n\tpxor\t%mm5,%mm7\n\tpxor\t%mm1,%mm2\n\tpxor\t%mm7,%mm6\n\tmovq\t192(%esp),%mm7\n\tpaddq\t%mm6,%mm2\n\taddl\t$8,%ebp\n\tmovq\t88(%esp),%mm5\n\tmovq\t%mm7,%mm1\n\tpsrlq\t$1,%mm7\n\tmovq\t%mm5,%mm6\n\tpsrlq\t$6,%mm5\n\tpsllq\t$56,%mm1\n\tpaddq\t%mm3,%mm2\n\tmovq\t%mm7,%mm3\n\tpsrlq\t$6,%mm7\n\tpxor\t%mm1,%mm3\n\tpsllq\t$7,%mm1\n\tpxor\t%mm7,%mm3\n\tpsrlq\t$1,%mm7\n\tpxor\t%mm1,%mm3\n\tmovq\t%mm5,%mm1\n\tpsrlq\t$13,%mm5\n\tpxor\t%mm3,%mm7\n\tpsllq\t$3,%mm6\n\tpxor\t%mm5,%mm1\n\tpaddq\t200(%esp),%mm7\n\tpxor\t%mm6,%mm1\n\tpsrlq\t$42,%mm5\n\tpaddq\t128(%esp),%mm7\n\tpxor\t%mm5,%mm1\n\tpsllq\t$42,%mm6\n\tmovq\t40(%esp),%mm5\n\tpxor\t%mm6,%mm1\n\tmovq\t48(%esp),%mm6\n\tpaddq\t%mm1,%mm7\n\tmovq\t%mm4,%mm1\n\tpxor\t%mm6,%mm5\n\tpsrlq\t$14,%mm1\n\tmovq\t%mm4,32(%esp)\n\tpand\t%mm4,%mm5\n\tpsllq\t$23,%mm4\n\tmovq\t%mm7,72(%esp)\n\tmovq\t%mm1,%mm3\n\tpsrlq\t$4,%mm1\n\tpxor\t%mm6,%mm5\n\tpxor\t%mm4,%mm3\n\tpsllq\t$23,%mm4\n\tpxor\t%mm1,%mm3\n\tmovq\t%mm2,(%esp)\n\tpaddq\t%mm5,%mm7\n\tpxor\t%mm4,%mm3\n\tpsrlq\t$23,%mm1\n\tpaddq\t56(%esp),%mm7\n\tpxor\t%mm1,%mm3\n\tpsllq\t$4,%mm4\n\tpaddq\t(%ebp),%mm7\n\tpxor\t%mm4,%mm3\n\tmovq\t24(%esp),%mm4\n\tpaddq\t%mm7,%mm3\n\tmovq\t%mm2,%mm5\n\tpsrlq\t$28,%mm5\n\tpaddq\t%mm3,%mm4\n\tmovq\t%mm2,%mm6\n\tmovq\t%mm5,%mm7\n\tpsllq\t$25,%mm6\n\tmovq\t8(%esp),%mm1\n\tpsrlq\t$6,%mm5\n\tpxor\t%mm6,%mm7\n\tsubl\t$8,%esp\n\tpsllq\t$5,%mm6\n\tpxor\t%mm5,%mm7\n\tpxor\t%mm1,%mm2\n\tpsrlq\t$5,%mm5\n\tpxor\t%mm6,%mm7\n\tpand\t%mm2,%mm0\n\tpsllq\t$6,%mm6\n\tpxor\t%mm5,%mm7\n\tpxor\t%mm1,%mm0\n\tpxor\t%mm7,%mm6\n\tmovq\t192(%esp),%mm7\n\tpaddq\t%mm6,%mm0\n\taddl\t$8,%ebp\n\tdecl\t%edx\n\tjnz\tL00316_79_sse2\n\tpaddq\t%mm3,%mm0\n\tmovq\t8(%esp),%mm1\n\tmovq\t24(%esp),%mm3\n\tmovq\t40(%esp),%mm5\n\tmovq\t48(%esp),%mm6\n\tmovq\t56(%esp),%mm7\n\tpxor\t%mm1,%mm2\n\tpaddq\t(%esi),%mm0\n\tpaddq\t8(%esi),%mm1\n\tpaddq\t16(%esi),%mm2\n\tpaddq\t24(%esi),%mm3\n\tpaddq\t32(%esi),%mm4\n\tpaddq\t40(%esi),%mm5\n\tpaddq\t48(%esi),%mm6\n\tpaddq\t56(%esi),%mm7\n\tmovl\t$640,%eax\n\tmovq\t%mm0,(%esi)\n\tmovq\t%mm1,8(%esi)\n\tmovq\t%mm2,16(%esi)\n\tmovq\t%mm3,24(%esi)\n\tmovq\t%mm4,32(%esi)\n\tmovq\t%mm5,40(%esi)\n\tmovq\t%mm6,48(%esi)\n\tmovq\t%mm7,56(%esi)\n\tleal\t(%esp,%eax,1),%esp\n\tsubl\t%eax,%ebp\n\tcmpl\t88(%esp),%edi\n\tjb\tL001loop_sse2\n\tmovl\t92(%esp),%esp\n\temms\n\tpopl\t%edi\n\tpopl\t%esi\n\tpopl\t%ebx\n\tpopl\t%ebp\n\tret\n.globl\t_sha512_block_data_order_ssse3\n.private_extern\t_sha512_block_data_order_ssse3\n.align\t4\n_sha512_block_data_order_ssse3:\nL_sha512_block_data_order_ssse3_begin:\n\tpushl\t%ebp\n\tpushl\t%ebx\n\tpushl\t%esi\n\tpushl\t%edi\n\tmovl\t20(%esp),%esi\n\tmovl\t24(%esp),%edi\n\tmovl\t28(%esp),%eax\n\tmovl\t%esp,%ebx\n\tcall\tL004pic_point\nL004pic_point:\n\tpopl\t%ebp\n\tleal\tLK512-L004pic_point(%ebp),%ebp\n\tsubl\t$16,%esp\n\tandl\t$-64,%esp\n\tshll\t$7,%eax\n\taddl\t%edi,%eax\n\tmovl\t%esi,(%esp)\n\tmovl\t%edi,4(%esp)\n\tmovl\t%eax,8(%esp)\n\tmovl\t%ebx,12(%esp)\n\tmovq\t(%esi),%mm0\n\tmovq\t8(%esi),%mm1\n\tmovq\t16(%esi),%mm2\n\tmovq\t24(%esi),%mm3\n\tmovq\t32(%esi),%mm4\n\tmovq\t40(%esi),%mm5\n\tmovq\t48(%esi),%mm6\n\tmovq\t56(%esi),%mm7\n\tleal\t-64(%esp),%edx\n\tsubl\t$256,%esp\n\tmovdqa\t640(%ebp),%xmm1\n\tmovdqu\t(%edi),%xmm0\n.byte\t102,15,56,0,193\n\tmovdqa\t(%ebp),%xmm3\n\tmovdqa\t%xmm1,%xmm2\n\tmovdqu\t16(%edi),%xmm1\n\tpaddq\t%xmm0,%xmm3\n.byte\t102,15,56,0,202\n\tmovdqa\t%xmm3,-128(%edx)\n\tmovdqa\t16(%ebp),%xmm4\n\tmovdqa\t%xmm2,%xmm3\n\tmovdqu\t32(%edi),%xmm2\n\tpaddq\t%xmm1,%xmm4\n.byte\t102,15,56,0,211\n\tmovdqa\t%xmm4,-112(%edx)\n\tmovdqa\t32(%ebp),%xmm5\n\tmovdqa\t%xmm3,%xmm4\n\tmovdqu\t48(%edi),%xmm3\n\tpaddq\t%xmm2,%xmm5\n.byte\t102,15,56,0,220\n\tmovdqa\t%xmm5,-96(%edx)\n\tmovdqa\t48(%ebp),%xmm6\n\tmovdqa\t%xmm4,%xmm5\n\tmovdqu\t64(%edi),%xmm4\n\tpaddq\t%xmm3,%xmm6\n.byte\t102,15,56,0,229\n\tmovdqa\t%xmm6,-80(%edx)\n\tmovdqa\t64(%ebp),%xmm7\n\tmovdqa\t%xmm5,%xmm6\n\tmovdqu\t80(%edi),%xmm5\n\tpaddq\t%xmm4,%xmm7\n.byte\t102,15,56,0,238\n\tmovdqa\t%xmm7,-64(%edx)\n\tmovdqa\t%xmm0,(%edx)\n\tmovdqa\t80(%ebp),%xmm0\n\tmovdqa\t%xmm6,%xmm7\n\tmovdqu\t96(%edi),%xmm6\n\tpaddq\t%xmm5,%xmm0\n.byte\t102,15,56,0,247\n\tmovdqa\t%xmm0,-48(%edx)\n\tmovdqa\t%xmm1,16(%edx)\n\tmovdqa\t96(%ebp),%xmm1\n\tmovdqa\t%xmm7,%xmm0\n\tmovdqu\t112(%edi),%xmm7\n\tpaddq\t%xmm6,%xmm1\n.byte\t102,15,56,0,248\n\tmovdqa\t%xmm1,-32(%edx)\n\tmovdqa\t%xmm2,32(%edx)\n\tmovdqa\t112(%ebp),%xmm2\n\tmovdqa\t(%edx),%xmm0\n\tpaddq\t%xmm7,%xmm2\n\tmovdqa\t%xmm2,-16(%edx)\n\tnop\n.align\t5,0x90\nL005loop_ssse3:\n\tmovdqa\t16(%edx),%xmm2\n\tmovdqa\t%xmm3,48(%edx)\n\tleal\t128(%ebp),%ebp\n\tmovq\t%mm1,8(%esp)\n\tmovl\t%edi,%ebx\n\tmovq\t%mm2,16(%esp)\n\tleal\t128(%edi),%edi\n\tmovq\t%mm3,24(%esp)\n\tcmpl\t%eax,%edi\n\tmovq\t%mm5,40(%esp)\n\tcmovbl\t%edi,%ebx\n\tmovq\t%mm6,48(%esp)\n\tmovl\t$4,%ecx\n\tpxor\t%mm1,%mm2\n\tmovq\t%mm7,56(%esp)\n\tpxor\t%mm3,%mm3\n\tjmp\tL00600_47_ssse3\n.align\t5,0x90\nL00600_47_ssse3:\n\tmovdqa\t%xmm5,%xmm3\n\tmovdqa\t%xmm2,%xmm1\n.byte\t102,15,58,15,208,8\n\tmovdqa\t%xmm4,(%edx)\n.byte\t102,15,58,15,220,8\n\tmovdqa\t%xmm2,%xmm4\n\tpsrlq\t$7,%xmm2\n\tpaddq\t%xmm3,%xmm0\n\tmovdqa\t%xmm4,%xmm3\n\tpsrlq\t$1,%xmm4\n\tpsllq\t$56,%xmm3\n\tpxor\t%xmm4,%xmm2\n\tpsrlq\t$7,%xmm4\n\tpxor\t%xmm3,%xmm2\n\tpsllq\t$7,%xmm3\n\tpxor\t%xmm4,%xmm2\n\tmovdqa\t%xmm7,%xmm4\n\tpxor\t%xmm3,%xmm2\n\tmovdqa\t%xmm7,%xmm3\n\tpsrlq\t$6,%xmm4\n\tpaddq\t%xmm2,%xmm0\n\tmovdqa\t%xmm7,%xmm2\n\tpsrlq\t$19,%xmm3\n\tpsllq\t$3,%xmm2\n\tpxor\t%xmm3,%xmm4\n\tpsrlq\t$42,%xmm3\n\tpxor\t%xmm2,%xmm4\n\tpsllq\t$42,%xmm2\n\tpxor\t%xmm3,%xmm4\n\tmovdqa\t32(%edx),%xmm3\n\tpxor\t%xmm2,%xmm4\n\tmovdqa\t(%ebp),%xmm2\n\tmovq\t%mm4,%mm1\n\tpaddq\t%xmm4,%xmm0\n\tmovq\t-128(%edx),%mm7\n\tpxor\t%mm6,%mm5\n\tpsrlq\t$14,%mm1\n\tmovq\t%mm4,32(%esp)\n\tpaddq\t%xmm0,%xmm2\n\tpand\t%mm4,%mm5\n\tpsllq\t$23,%mm4\n\tpaddq\t%mm3,%mm0\n\tmovq\t%mm1,%mm3\n\tpsrlq\t$4,%mm1\n\tpxor\t%mm6,%mm5\n\tpxor\t%mm4,%mm3\n\tpsllq\t$23,%mm4\n\tpxor\t%mm1,%mm3\n\tmovq\t%mm0,(%esp)\n\tpaddq\t%mm5,%mm7\n\tpxor\t%mm4,%mm3\n\tpsrlq\t$23,%mm1\n\tpaddq\t56(%esp),%mm7\n\tpxor\t%mm1,%mm3\n\tpsllq\t$4,%mm4\n\tpxor\t%mm4,%mm3\n\tmovq\t24(%esp),%mm4\n\tpaddq\t%mm7,%mm3\n\tmovq\t%mm0,%mm5\n\tpsrlq\t$28,%mm5\n\tpaddq\t%mm3,%mm4\n\tmovq\t%mm0,%mm6\n\tmovq\t%mm5,%mm7\n\tpsllq\t$25,%mm6\n\tmovq\t8(%esp),%mm1\n\tpsrlq\t$6,%mm5\n\tpxor\t%mm6,%mm7\n\tpsllq\t$5,%mm6\n\tpxor\t%mm5,%mm7\n\tpxor\t%mm1,%mm0\n\tpsrlq\t$5,%mm5\n\tpxor\t%mm6,%mm7\n\tpand\t%mm0,%mm2\n\tpsllq\t$6,%mm6\n\tpxor\t%mm5,%mm7\n\tpxor\t%mm1,%mm2\n\tpxor\t%mm7,%mm6\n\tmovq\t32(%esp),%mm5\n\tpaddq\t%mm6,%mm2\n\tmovq\t40(%esp),%mm6\n\tmovq\t%mm4,%mm1\n\tmovq\t-120(%edx),%mm7\n\tpxor\t%mm6,%mm5\n\tpsrlq\t$14,%mm1\n\tmovq\t%mm4,24(%esp)\n\tpand\t%mm4,%mm5\n\tpsllq\t$23,%mm4\n\tpaddq\t%mm3,%mm2\n\tmovq\t%mm1,%mm3\n\tpsrlq\t$4,%mm1\n\tpxor\t%mm6,%mm5\n\tpxor\t%mm4,%mm3\n\tpsllq\t$23,%mm4\n\tpxor\t%mm1,%mm3\n\tmovq\t%mm2,56(%esp)\n\tpaddq\t%mm5,%mm7\n\tpxor\t%mm4,%mm3\n\tpsrlq\t$23,%mm1\n\tpaddq\t48(%esp),%mm7\n\tpxor\t%mm1,%mm3\n\tpsllq\t$4,%mm4\n\tpxor\t%mm4,%mm3\n\tmovq\t16(%esp),%mm4\n\tpaddq\t%mm7,%mm3\n\tmovq\t%mm2,%mm5\n\tpsrlq\t$28,%mm5\n\tpaddq\t%mm3,%mm4\n\tmovq\t%mm2,%mm6\n\tmovq\t%mm5,%mm7\n\tpsllq\t$25,%mm6\n\tmovq\t(%esp),%mm1\n\tpsrlq\t$6,%mm5\n\tpxor\t%mm6,%mm7\n\tpsllq\t$5,%mm6\n\tpxor\t%mm5,%mm7\n\tpxor\t%mm1,%mm2\n\tpsrlq\t$5,%mm5\n\tpxor\t%mm6,%mm7\n\tpand\t%mm2,%mm0\n\tpsllq\t$6,%mm6\n\tpxor\t%mm5,%mm7\n\tpxor\t%mm1,%mm0\n\tpxor\t%mm7,%mm6\n\tmovq\t24(%esp),%mm5\n\tpaddq\t%mm6,%mm0\n\tmovq\t32(%esp),%mm6\n\tmovdqa\t%xmm2,-128(%edx)\n\tmovdqa\t%xmm6,%xmm4\n\tmovdqa\t%xmm3,%xmm2\n.byte\t102,15,58,15,217,8\n\tmovdqa\t%xmm5,16(%edx)\n.byte\t102,15,58,15,229,8\n\tmovdqa\t%xmm3,%xmm5\n\tpsrlq\t$7,%xmm3\n\tpaddq\t%xmm4,%xmm1\n\tmovdqa\t%xmm5,%xmm4\n\tpsrlq\t$1,%xmm5\n\tpsllq\t$56,%xmm4\n\tpxor\t%xmm5,%xmm3\n\tpsrlq\t$7,%xmm5\n\tpxor\t%xmm4,%xmm3\n\tpsllq\t$7,%xmm4\n\tpxor\t%xmm5,%xmm3\n\tmovdqa\t%xmm0,%xmm5\n\tpxor\t%xmm4,%xmm3\n\tmovdqa\t%xmm0,%xmm4\n\tpsrlq\t$6,%xmm5\n\tpaddq\t%xmm3,%xmm1\n\tmovdqa\t%xmm0,%xmm3\n\tpsrlq\t$19,%xmm4\n\tpsllq\t$3,%xmm3\n\tpxor\t%xmm4,%xmm5\n\tpsrlq\t$42,%xmm4\n\tpxor\t%xmm3,%xmm5\n\tpsllq\t$42,%xmm3\n\tpxor\t%xmm4,%xmm5\n\tmovdqa\t48(%edx),%xmm4\n\tpxor\t%xmm3,%xmm5\n\tmovdqa\t16(%ebp),%xmm3\n\tmovq\t%mm4,%mm1\n\tpaddq\t%xmm5,%xmm1\n\tmovq\t-112(%edx),%mm7\n\tpxor\t%mm6,%mm5\n\tpsrlq\t$14,%mm1\n\tmovq\t%mm4,16(%esp)\n\tpaddq\t%xmm1,%xmm3\n\tpand\t%mm4,%mm5\n\tpsllq\t$23,%mm4\n\tpaddq\t%mm3,%mm0\n\tmovq\t%mm1,%mm3\n\tpsrlq\t$4,%mm1\n\tpxor\t%mm6,%mm5\n\tpxor\t%mm4,%mm3\n\tpsllq\t$23,%mm4\n\tpxor\t%mm1,%mm3\n\tmovq\t%mm0,48(%esp)\n\tpaddq\t%mm5,%mm7\n\tpxor\t%mm4,%mm3\n\tpsrlq\t$23,%mm1\n\tpaddq\t40(%esp),%mm7\n\tpxor\t%mm1,%mm3\n\tpsllq\t$4,%mm4\n\tpxor\t%mm4,%mm3\n\tmovq\t8(%esp),%mm4\n\tpaddq\t%mm7,%mm3\n\tmovq\t%mm0,%mm5\n\tpsrlq\t$28,%mm5\n\tpaddq\t%mm3,%mm4\n\tmovq\t%mm0,%mm6\n\tmovq\t%mm5,%mm7\n\tpsllq\t$25,%mm6\n\tmovq\t56(%esp),%mm1\n\tpsrlq\t$6,%mm5\n\tpxor\t%mm6,%mm7\n\tpsllq\t$5,%mm6\n\tpxor\t%mm5,%mm7\n\tpxor\t%mm1,%mm0\n\tpsrlq\t$5,%mm5\n\tpxor\t%mm6,%mm7\n\tpand\t%mm0,%mm2\n\tpsllq\t$6,%mm6\n\tpxor\t%mm5,%mm7\n\tpxor\t%mm1,%mm2\n\tpxor\t%mm7,%mm6\n\tmovq\t16(%esp),%mm5\n\tpaddq\t%mm6,%mm2\n\tmovq\t24(%esp),%mm6\n\tmovq\t%mm4,%mm1\n\tmovq\t-104(%edx),%mm7\n\tpxor\t%mm6,%mm5\n\tpsrlq\t$14,%mm1\n\tmovq\t%mm4,8(%esp)\n\tpand\t%mm4,%mm5\n\tpsllq\t$23,%mm4\n\tpaddq\t%mm3,%mm2\n\tmovq\t%mm1,%mm3\n\tpsrlq\t$4,%mm1\n\tpxor\t%mm6,%mm5\n\tpxor\t%mm4,%mm3\n\tpsllq\t$23,%mm4\n\tpxor\t%mm1,%mm3\n\tmovq\t%mm2,40(%esp)\n\tpaddq\t%mm5,%mm7\n\tpxor\t%mm4,%mm3\n\tpsrlq\t$23,%mm1\n\tpaddq\t32(%esp),%mm7\n\tpxor\t%mm1,%mm3\n\tpsllq\t$4,%mm4\n\tpxor\t%mm4,%mm3\n\tmovq\t(%esp),%mm4\n\tpaddq\t%mm7,%mm3\n\tmovq\t%mm2,%mm5\n\tpsrlq\t$28,%mm5\n\tpaddq\t%mm3,%mm4\n\tmovq\t%mm2,%mm6\n\tmovq\t%mm5,%mm7\n\tpsllq\t$25,%mm6\n\tmovq\t48(%esp),%mm1\n\tpsrlq\t$6,%mm5\n\tpxor\t%mm6,%mm7\n\tpsllq\t$5,%mm6\n\tpxor\t%mm5,%mm7\n\tpxor\t%mm1,%mm2\n\tpsrlq\t$5,%mm5\n\tpxor\t%mm6,%mm7\n\tpand\t%mm2,%mm0\n\tpsllq\t$6,%mm6\n\tpxor\t%mm5,%mm7\n\tpxor\t%mm1,%mm0\n\tpxor\t%mm7,%mm6\n\tmovq\t8(%esp),%mm5\n\tpaddq\t%mm6,%mm0\n\tmovq\t16(%esp),%mm6\n\tmovdqa\t%xmm3,-112(%edx)\n\tmovdqa\t%xmm7,%xmm5\n\tmovdqa\t%xmm4,%xmm3\n.byte\t102,15,58,15,226,8\n\tmovdqa\t%xmm6,32(%edx)\n.byte\t102,15,58,15,238,8\n\tmovdqa\t%xmm4,%xmm6\n\tpsrlq\t$7,%xmm4\n\tpaddq\t%xmm5,%xmm2\n\tmovdqa\t%xmm6,%xmm5\n\tpsrlq\t$1,%xmm6\n\tpsllq\t$56,%xmm5\n\tpxor\t%xmm6,%xmm4\n\tpsrlq\t$7,%xmm6\n\tpxor\t%xmm5,%xmm4\n\tpsllq\t$7,%xmm5\n\tpxor\t%xmm6,%xmm4\n\tmovdqa\t%xmm1,%xmm6\n\tpxor\t%xmm5,%xmm4\n\tmovdqa\t%xmm1,%xmm5\n\tpsrlq\t$6,%xmm6\n\tpaddq\t%xmm4,%xmm2\n\tmovdqa\t%xmm1,%xmm4\n\tpsrlq\t$19,%xmm5\n\tpsllq\t$3,%xmm4\n\tpxor\t%xmm5,%xmm6\n\tpsrlq\t$42,%xmm5\n\tpxor\t%xmm4,%xmm6\n\tpsllq\t$42,%xmm4\n\tpxor\t%xmm5,%xmm6\n\tmovdqa\t(%edx),%xmm5\n\tpxor\t%xmm4,%xmm6\n\tmovdqa\t32(%ebp),%xmm4\n\tmovq\t%mm4,%mm1\n\tpaddq\t%xmm6,%xmm2\n\tmovq\t-96(%edx),%mm7\n\tpxor\t%mm6,%mm5\n\tpsrlq\t$14,%mm1\n\tmovq\t%mm4,(%esp)\n\tpaddq\t%xmm2,%xmm4\n\tpand\t%mm4,%mm5\n\tpsllq\t$23,%mm4\n\tpaddq\t%mm3,%mm0\n\tmovq\t%mm1,%mm3\n\tpsrlq\t$4,%mm1\n\tpxor\t%mm6,%mm5\n\tpxor\t%mm4,%mm3\n\tpsllq\t$23,%mm4\n\tpxor\t%mm1,%mm3\n\tmovq\t%mm0,32(%esp)\n\tpaddq\t%mm5,%mm7\n\tpxor\t%mm4,%mm3\n\tpsrlq\t$23,%mm1\n\tpaddq\t24(%esp),%mm7\n\tpxor\t%mm1,%mm3\n\tpsllq\t$4,%mm4\n\tpxor\t%mm4,%mm3\n\tmovq\t56(%esp),%mm4\n\tpaddq\t%mm7,%mm3\n\tmovq\t%mm0,%mm5\n\tpsrlq\t$28,%mm5\n\tpaddq\t%mm3,%mm4\n\tmovq\t%mm0,%mm6\n\tmovq\t%mm5,%mm7\n\tpsllq\t$25,%mm6\n\tmovq\t40(%esp),%mm1\n\tpsrlq\t$6,%mm5\n\tpxor\t%mm6,%mm7\n\tpsllq\t$5,%mm6\n\tpxor\t%mm5,%mm7\n\tpxor\t%mm1,%mm0\n\tpsrlq\t$5,%mm5\n\tpxor\t%mm6,%mm7\n\tpand\t%mm0,%mm2\n\tpsllq\t$6,%mm6\n\tpxor\t%mm5,%mm7\n\tpxor\t%mm1,%mm2\n\tpxor\t%mm7,%mm6\n\tmovq\t(%esp),%mm5\n\tpaddq\t%mm6,%mm2\n\tmovq\t8(%esp),%mm6\n\tmovq\t%mm4,%mm1\n\tmovq\t-88(%edx),%mm7\n\tpxor\t%mm6,%mm5\n\tpsrlq\t$14,%mm1\n\tmovq\t%mm4,56(%esp)\n\tpand\t%mm4,%mm5\n\tpsllq\t$23,%mm4\n\tpaddq\t%mm3,%mm2\n\tmovq\t%mm1,%mm3\n\tpsrlq\t$4,%mm1\n\tpxor\t%mm6,%mm5\n\tpxor\t%mm4,%mm3\n\tpsllq\t$23,%mm4\n\tpxor\t%mm1,%mm3\n\tmovq\t%mm2,24(%esp)\n\tpaddq\t%mm5,%mm7\n\tpxor\t%mm4,%mm3\n\tpsrlq\t$23,%mm1\n\tpaddq\t16(%esp),%mm7\n\tpxor\t%mm1,%mm3\n\tpsllq\t$4,%mm4\n\tpxor\t%mm4,%mm3\n\tmovq\t48(%esp),%mm4\n\tpaddq\t%mm7,%mm3\n\tmovq\t%mm2,%mm5\n\tpsrlq\t$28,%mm5\n\tpaddq\t%mm3,%mm4\n\tmovq\t%mm2,%mm6\n\tmovq\t%mm5,%mm7\n\tpsllq\t$25,%mm6\n\tmovq\t32(%esp),%mm1\n\tpsrlq\t$6,%mm5\n\tpxor\t%mm6,%mm7\n\tpsllq\t$5,%mm6\n\tpxor\t%mm5,%mm7\n\tpxor\t%mm1,%mm2\n\tpsrlq\t$5,%mm5\n\tpxor\t%mm6,%mm7\n\tpand\t%mm2,%mm0\n\tpsllq\t$6,%mm6\n\tpxor\t%mm5,%mm7\n\tpxor\t%mm1,%mm0\n\tpxor\t%mm7,%mm6\n\tmovq\t56(%esp),%mm5\n\tpaddq\t%mm6,%mm0\n\tmovq\t(%esp),%mm6\n\tmovdqa\t%xmm4,-96(%edx)\n\tmovdqa\t%xmm0,%xmm6\n\tmovdqa\t%xmm5,%xmm4\n.byte\t102,15,58,15,235,8\n\tmovdqa\t%xmm7,48(%edx)\n.byte\t102,15,58,15,247,8\n\tmovdqa\t%xmm5,%xmm7\n\tpsrlq\t$7,%xmm5\n\tpaddq\t%xmm6,%xmm3\n\tmovdqa\t%xmm7,%xmm6\n\tpsrlq\t$1,%xmm7\n\tpsllq\t$56,%xmm6\n\tpxor\t%xmm7,%xmm5\n\tpsrlq\t$7,%xmm7\n\tpxor\t%xmm6,%xmm5\n\tpsllq\t$7,%xmm6\n\tpxor\t%xmm7,%xmm5\n\tmovdqa\t%xmm2,%xmm7\n\tpxor\t%xmm6,%xmm5\n\tmovdqa\t%xmm2,%xmm6\n\tpsrlq\t$6,%xmm7\n\tpaddq\t%xmm5,%xmm3\n\tmovdqa\t%xmm2,%xmm5\n\tpsrlq\t$19,%xmm6\n\tpsllq\t$3,%xmm5\n\tpxor\t%xmm6,%xmm7\n\tpsrlq\t$42,%xmm6\n\tpxor\t%xmm5,%xmm7\n\tpsllq\t$42,%xmm5\n\tpxor\t%xmm6,%xmm7\n\tmovdqa\t16(%edx),%xmm6\n\tpxor\t%xmm5,%xmm7\n\tmovdqa\t48(%ebp),%xmm5\n\tmovq\t%mm4,%mm1\n\tpaddq\t%xmm7,%xmm3\n\tmovq\t-80(%edx),%mm7\n\tpxor\t%mm6,%mm5\n\tpsrlq\t$14,%mm1\n\tmovq\t%mm4,48(%esp)\n\tpaddq\t%xmm3,%xmm5\n\tpand\t%mm4,%mm5\n\tpsllq\t$23,%mm4\n\tpaddq\t%mm3,%mm0\n\tmovq\t%mm1,%mm3\n\tpsrlq\t$4,%mm1\n\tpxor\t%mm6,%mm5\n\tpxor\t%mm4,%mm3\n\tpsllq\t$23,%mm4\n\tpxor\t%mm1,%mm3\n\tmovq\t%mm0,16(%esp)\n\tpaddq\t%mm5,%mm7\n\tpxor\t%mm4,%mm3\n\tpsrlq\t$23,%mm1\n\tpaddq\t8(%esp),%mm7\n\tpxor\t%mm1,%mm3\n\tpsllq\t$4,%mm4\n\tpxor\t%mm4,%mm3\n\tmovq\t40(%esp),%mm4\n\tpaddq\t%mm7,%mm3\n\tmovq\t%mm0,%mm5\n\tpsrlq\t$28,%mm5\n\tpaddq\t%mm3,%mm4\n\tmovq\t%mm0,%mm6\n\tmovq\t%mm5,%mm7\n\tpsllq\t$25,%mm6\n\tmovq\t24(%esp),%mm1\n\tpsrlq\t$6,%mm5\n\tpxor\t%mm6,%mm7\n\tpsllq\t$5,%mm6\n\tpxor\t%mm5,%mm7\n\tpxor\t%mm1,%mm0\n\tpsrlq\t$5,%mm5\n\tpxor\t%mm6,%mm7\n\tpand\t%mm0,%mm2\n\tpsllq\t$6,%mm6\n\tpxor\t%mm5,%mm7\n\tpxor\t%mm1,%mm2\n\tpxor\t%mm7,%mm6\n\tmovq\t48(%esp),%mm5\n\tpaddq\t%mm6,%mm2\n\tmovq\t56(%esp),%mm6\n\tmovq\t%mm4,%mm1\n\tmovq\t-72(%edx),%mm7\n\tpxor\t%mm6,%mm5\n\tpsrlq\t$14,%mm1\n\tmovq\t%mm4,40(%esp)\n\tpand\t%mm4,%mm5\n\tpsllq\t$23,%mm4\n\tpaddq\t%mm3,%mm2\n\tmovq\t%mm1,%mm3\n\tpsrlq\t$4,%mm1\n\tpxor\t%mm6,%mm5\n\tpxor\t%mm4,%mm3\n\tpsllq\t$23,%mm4\n\tpxor\t%mm1,%mm3\n\tmovq\t%mm2,8(%esp)\n\tpaddq\t%mm5,%mm7\n\tpxor\t%mm4,%mm3\n\tpsrlq\t$23,%mm1\n\tpaddq\t(%esp),%mm7\n\tpxor\t%mm1,%mm3\n\tpsllq\t$4,%mm4\n\tpxor\t%mm4,%mm3\n\tmovq\t32(%esp),%mm4\n\tpaddq\t%mm7,%mm3\n\tmovq\t%mm2,%mm5\n\tpsrlq\t$28,%mm5\n\tpaddq\t%mm3,%mm4\n\tmovq\t%mm2,%mm6\n\tmovq\t%mm5,%mm7\n\tpsllq\t$25,%mm6\n\tmovq\t16(%esp),%mm1\n\tpsrlq\t$6,%mm5\n\tpxor\t%mm6,%mm7\n\tpsllq\t$5,%mm6\n\tpxor\t%mm5,%mm7\n\tpxor\t%mm1,%mm2\n\tpsrlq\t$5,%mm5\n\tpxor\t%mm6,%mm7\n\tpand\t%mm2,%mm0\n\tpsllq\t$6,%mm6\n\tpxor\t%mm5,%mm7\n\tpxor\t%mm1,%mm0\n\tpxor\t%mm7,%mm6\n\tmovq\t40(%esp),%mm5\n\tpaddq\t%mm6,%mm0\n\tmovq\t48(%esp),%mm6\n\tmovdqa\t%xmm5,-80(%edx)\n\tmovdqa\t%xmm1,%xmm7\n\tmovdqa\t%xmm6,%xmm5\n.byte\t102,15,58,15,244,8\n\tmovdqa\t%xmm0,(%edx)\n.byte\t102,15,58,15,248,8\n\tmovdqa\t%xmm6,%xmm0\n\tpsrlq\t$7,%xmm6\n\tpaddq\t%xmm7,%xmm4\n\tmovdqa\t%xmm0,%xmm7\n\tpsrlq\t$1,%xmm0\n\tpsllq\t$56,%xmm7\n\tpxor\t%xmm0,%xmm6\n\tpsrlq\t$7,%xmm0\n\tpxor\t%xmm7,%xmm6\n\tpsllq\t$7,%xmm7\n\tpxor\t%xmm0,%xmm6\n\tmovdqa\t%xmm3,%xmm0\n\tpxor\t%xmm7,%xmm6\n\tmovdqa\t%xmm3,%xmm7\n\tpsrlq\t$6,%xmm0\n\tpaddq\t%xmm6,%xmm4\n\tmovdqa\t%xmm3,%xmm6\n\tpsrlq\t$19,%xmm7\n\tpsllq\t$3,%xmm6\n\tpxor\t%xmm7,%xmm0\n\tpsrlq\t$42,%xmm7\n\tpxor\t%xmm6,%xmm0\n\tpsllq\t$42,%xmm6\n\tpxor\t%xmm7,%xmm0\n\tmovdqa\t32(%edx),%xmm7\n\tpxor\t%xmm6,%xmm0\n\tmovdqa\t64(%ebp),%xmm6\n\tmovq\t%mm4,%mm1\n\tpaddq\t%xmm0,%xmm4\n\tmovq\t-64(%edx),%mm7\n\tpxor\t%mm6,%mm5\n\tpsrlq\t$14,%mm1\n\tmovq\t%mm4,32(%esp)\n\tpaddq\t%xmm4,%xmm6\n\tpand\t%mm4,%mm5\n\tpsllq\t$23,%mm4\n\tpaddq\t%mm3,%mm0\n\tmovq\t%mm1,%mm3\n\tpsrlq\t$4,%mm1\n\tpxor\t%mm6,%mm5\n\tpxor\t%mm4,%mm3\n\tpsllq\t$23,%mm4\n\tpxor\t%mm1,%mm3\n\tmovq\t%mm0,(%esp)\n\tpaddq\t%mm5,%mm7\n\tpxor\t%mm4,%mm3\n\tpsrlq\t$23,%mm1\n\tpaddq\t56(%esp),%mm7\n\tpxor\t%mm1,%mm3\n\tpsllq\t$4,%mm4\n\tpxor\t%mm4,%mm3\n\tmovq\t24(%esp),%mm4\n\tpaddq\t%mm7,%mm3\n\tmovq\t%mm0,%mm5\n\tpsrlq\t$28,%mm5\n\tpaddq\t%mm3,%mm4\n\tmovq\t%mm0,%mm6\n\tmovq\t%mm5,%mm7\n\tpsllq\t$25,%mm6\n\tmovq\t8(%esp),%mm1\n\tpsrlq\t$6,%mm5\n\tpxor\t%mm6,%mm7\n\tpsllq\t$5,%mm6\n\tpxor\t%mm5,%mm7\n\tpxor\t%mm1,%mm0\n\tpsrlq\t$5,%mm5\n\tpxor\t%mm6,%mm7\n\tpand\t%mm0,%mm2\n\tpsllq\t$6,%mm6\n\tpxor\t%mm5,%mm7\n\tpxor\t%mm1,%mm2\n\tpxor\t%mm7,%mm6\n\tmovq\t32(%esp),%mm5\n\tpaddq\t%mm6,%mm2\n\tmovq\t40(%esp),%mm6\n\tmovq\t%mm4,%mm1\n\tmovq\t-56(%edx),%mm7\n\tpxor\t%mm6,%mm5\n\tpsrlq\t$14,%mm1\n\tmovq\t%mm4,24(%esp)\n\tpand\t%mm4,%mm5\n\tpsllq\t$23,%mm4\n\tpaddq\t%mm3,%mm2\n\tmovq\t%mm1,%mm3\n\tpsrlq\t$4,%mm1\n\tpxor\t%mm6,%mm5\n\tpxor\t%mm4,%mm3\n\tpsllq\t$23,%mm4\n\tpxor\t%mm1,%mm3\n\tmovq\t%mm2,56(%esp)\n\tpaddq\t%mm5,%mm7\n\tpxor\t%mm4,%mm3\n\tpsrlq\t$23,%mm1\n\tpaddq\t48(%esp),%mm7\n\tpxor\t%mm1,%mm3\n\tpsllq\t$4,%mm4\n\tpxor\t%mm4,%mm3\n\tmovq\t16(%esp),%mm4\n\tpaddq\t%mm7,%mm3\n\tmovq\t%mm2,%mm5\n\tpsrlq\t$28,%mm5\n\tpaddq\t%mm3,%mm4\n\tmovq\t%mm2,%mm6\n\tmovq\t%mm5,%mm7\n\tpsllq\t$25,%mm6\n\tmovq\t(%esp),%mm1\n\tpsrlq\t$6,%mm5\n\tpxor\t%mm6,%mm7\n\tpsllq\t$5,%mm6\n\tpxor\t%mm5,%mm7\n\tpxor\t%mm1,%mm2\n\tpsrlq\t$5,%mm5\n\tpxor\t%mm6,%mm7\n\tpand\t%mm2,%mm0\n\tpsllq\t$6,%mm6\n\tpxor\t%mm5,%mm7\n\tpxor\t%mm1,%mm0\n\tpxor\t%mm7,%mm6\n\tmovq\t24(%esp),%mm5\n\tpaddq\t%mm6,%mm0\n\tmovq\t32(%esp),%mm6\n\tmovdqa\t%xmm6,-64(%edx)\n\tmovdqa\t%xmm2,%xmm0\n\tmovdqa\t%xmm7,%xmm6\n.byte\t102,15,58,15,253,8\n\tmovdqa\t%xmm1,16(%edx)\n.byte\t102,15,58,15,193,8\n\tmovdqa\t%xmm7,%xmm1\n\tpsrlq\t$7,%xmm7\n\tpaddq\t%xmm0,%xmm5\n\tmovdqa\t%xmm1,%xmm0\n\tpsrlq\t$1,%xmm1\n\tpsllq\t$56,%xmm0\n\tpxor\t%xmm1,%xmm7\n\tpsrlq\t$7,%xmm1\n\tpxor\t%xmm0,%xmm7\n\tpsllq\t$7,%xmm0\n\tpxor\t%xmm1,%xmm7\n\tmovdqa\t%xmm4,%xmm1\n\tpxor\t%xmm0,%xmm7\n\tmovdqa\t%xmm4,%xmm0\n\tpsrlq\t$6,%xmm1\n\tpaddq\t%xmm7,%xmm5\n\tmovdqa\t%xmm4,%xmm7\n\tpsrlq\t$19,%xmm0\n\tpsllq\t$3,%xmm7\n\tpxor\t%xmm0,%xmm1\n\tpsrlq\t$42,%xmm0\n\tpxor\t%xmm7,%xmm1\n\tpsllq\t$42,%xmm7\n\tpxor\t%xmm0,%xmm1\n\tmovdqa\t48(%edx),%xmm0\n\tpxor\t%xmm7,%xmm1\n\tmovdqa\t80(%ebp),%xmm7\n\tmovq\t%mm4,%mm1\n\tpaddq\t%xmm1,%xmm5\n\tmovq\t-48(%edx),%mm7\n\tpxor\t%mm6,%mm5\n\tpsrlq\t$14,%mm1\n\tmovq\t%mm4,16(%esp)\n\tpaddq\t%xmm5,%xmm7\n\tpand\t%mm4,%mm5\n\tpsllq\t$23,%mm4\n\tpaddq\t%mm3,%mm0\n\tmovq\t%mm1,%mm3\n\tpsrlq\t$4,%mm1\n\tpxor\t%mm6,%mm5\n\tpxor\t%mm4,%mm3\n\tpsllq\t$23,%mm4\n\tpxor\t%mm1,%mm3\n\tmovq\t%mm0,48(%esp)\n\tpaddq\t%mm5,%mm7\n\tpxor\t%mm4,%mm3\n\tpsrlq\t$23,%mm1\n\tpaddq\t40(%esp),%mm7\n\tpxor\t%mm1,%mm3\n\tpsllq\t$4,%mm4\n\tpxor\t%mm4,%mm3\n\tmovq\t8(%esp),%mm4\n\tpaddq\t%mm7,%mm3\n\tmovq\t%mm0,%mm5\n\tpsrlq\t$28,%mm5\n\tpaddq\t%mm3,%mm4\n\tmovq\t%mm0,%mm6\n\tmovq\t%mm5,%mm7\n\tpsllq\t$25,%mm6\n\tmovq\t56(%esp),%mm1\n\tpsrlq\t$6,%mm5\n\tpxor\t%mm6,%mm7\n\tpsllq\t$5,%mm6\n\tpxor\t%mm5,%mm7\n\tpxor\t%mm1,%mm0\n\tpsrlq\t$5,%mm5\n\tpxor\t%mm6,%mm7\n\tpand\t%mm0,%mm2\n\tpsllq\t$6,%mm6\n\tpxor\t%mm5,%mm7\n\tpxor\t%mm1,%mm2\n\tpxor\t%mm7,%mm6\n\tmovq\t16(%esp),%mm5\n\tpaddq\t%mm6,%mm2\n\tmovq\t24(%esp),%mm6\n\tmovq\t%mm4,%mm1\n\tmovq\t-40(%edx),%mm7\n\tpxor\t%mm6,%mm5\n\tpsrlq\t$14,%mm1\n\tmovq\t%mm4,8(%esp)\n\tpand\t%mm4,%mm5\n\tpsllq\t$23,%mm4\n\tpaddq\t%mm3,%mm2\n\tmovq\t%mm1,%mm3\n\tpsrlq\t$4,%mm1\n\tpxor\t%mm6,%mm5\n\tpxor\t%mm4,%mm3\n\tpsllq\t$23,%mm4\n\tpxor\t%mm1,%mm3\n\tmovq\t%mm2,40(%esp)\n\tpaddq\t%mm5,%mm7\n\tpxor\t%mm4,%mm3\n\tpsrlq\t$23,%mm1\n\tpaddq\t32(%esp),%mm7\n\tpxor\t%mm1,%mm3\n\tpsllq\t$4,%mm4\n\tpxor\t%mm4,%mm3\n\tmovq\t(%esp),%mm4\n\tpaddq\t%mm7,%mm3\n\tmovq\t%mm2,%mm5\n\tpsrlq\t$28,%mm5\n\tpaddq\t%mm3,%mm4\n\tmovq\t%mm2,%mm6\n\tmovq\t%mm5,%mm7\n\tpsllq\t$25,%mm6\n\tmovq\t48(%esp),%mm1\n\tpsrlq\t$6,%mm5\n\tpxor\t%mm6,%mm7\n\tpsllq\t$5,%mm6\n\tpxor\t%mm5,%mm7\n\tpxor\t%mm1,%mm2\n\tpsrlq\t$5,%mm5\n\tpxor\t%mm6,%mm7\n\tpand\t%mm2,%mm0\n\tpsllq\t$6,%mm6\n\tpxor\t%mm5,%mm7\n\tpxor\t%mm1,%mm0\n\tpxor\t%mm7,%mm6\n\tmovq\t8(%esp),%mm5\n\tpaddq\t%mm6,%mm0\n\tmovq\t16(%esp),%mm6\n\tmovdqa\t%xmm7,-48(%edx)\n\tmovdqa\t%xmm3,%xmm1\n\tmovdqa\t%xmm0,%xmm7\n.byte\t102,15,58,15,198,8\n\tmovdqa\t%xmm2,32(%edx)\n.byte\t102,15,58,15,202,8\n\tmovdqa\t%xmm0,%xmm2\n\tpsrlq\t$7,%xmm0\n\tpaddq\t%xmm1,%xmm6\n\tmovdqa\t%xmm2,%xmm1\n\tpsrlq\t$1,%xmm2\n\tpsllq\t$56,%xmm1\n\tpxor\t%xmm2,%xmm0\n\tpsrlq\t$7,%xmm2\n\tpxor\t%xmm1,%xmm0\n\tpsllq\t$7,%xmm1\n\tpxor\t%xmm2,%xmm0\n\tmovdqa\t%xmm5,%xmm2\n\tpxor\t%xmm1,%xmm0\n\tmovdqa\t%xmm5,%xmm1\n\tpsrlq\t$6,%xmm2\n\tpaddq\t%xmm0,%xmm6\n\tmovdqa\t%xmm5,%xmm0\n\tpsrlq\t$19,%xmm1\n\tpsllq\t$3,%xmm0\n\tpxor\t%xmm1,%xmm2\n\tpsrlq\t$42,%xmm1\n\tpxor\t%xmm0,%xmm2\n\tpsllq\t$42,%xmm0\n\tpxor\t%xmm1,%xmm2\n\tmovdqa\t(%edx),%xmm1\n\tpxor\t%xmm0,%xmm2\n\tmovdqa\t96(%ebp),%xmm0\n\tmovq\t%mm4,%mm1\n\tpaddq\t%xmm2,%xmm6\n\tmovq\t-32(%edx),%mm7\n\tpxor\t%mm6,%mm5\n\tpsrlq\t$14,%mm1\n\tmovq\t%mm4,(%esp)\n\tpaddq\t%xmm6,%xmm0\n\tpand\t%mm4,%mm5\n\tpsllq\t$23,%mm4\n\tpaddq\t%mm3,%mm0\n\tmovq\t%mm1,%mm3\n\tpsrlq\t$4,%mm1\n\tpxor\t%mm6,%mm5\n\tpxor\t%mm4,%mm3\n\tpsllq\t$23,%mm4\n\tpxor\t%mm1,%mm3\n\tmovq\t%mm0,32(%esp)\n\tpaddq\t%mm5,%mm7\n\tpxor\t%mm4,%mm3\n\tpsrlq\t$23,%mm1\n\tpaddq\t24(%esp),%mm7\n\tpxor\t%mm1,%mm3\n\tpsllq\t$4,%mm4\n\tpxor\t%mm4,%mm3\n\tmovq\t56(%esp),%mm4\n\tpaddq\t%mm7,%mm3\n\tmovq\t%mm0,%mm5\n\tpsrlq\t$28,%mm5\n\tpaddq\t%mm3,%mm4\n\tmovq\t%mm0,%mm6\n\tmovq\t%mm5,%mm7\n\tpsllq\t$25,%mm6\n\tmovq\t40(%esp),%mm1\n\tpsrlq\t$6,%mm5\n\tpxor\t%mm6,%mm7\n\tpsllq\t$5,%mm6\n\tpxor\t%mm5,%mm7\n\tpxor\t%mm1,%mm0\n\tpsrlq\t$5,%mm5\n\tpxor\t%mm6,%mm7\n\tpand\t%mm0,%mm2\n\tpsllq\t$6,%mm6\n\tpxor\t%mm5,%mm7\n\tpxor\t%mm1,%mm2\n\tpxor\t%mm7,%mm6\n\tmovq\t(%esp),%mm5\n\tpaddq\t%mm6,%mm2\n\tmovq\t8(%esp),%mm6\n\tmovq\t%mm4,%mm1\n\tmovq\t-24(%edx),%mm7\n\tpxor\t%mm6,%mm5\n\tpsrlq\t$14,%mm1\n\tmovq\t%mm4,56(%esp)\n\tpand\t%mm4,%mm5\n\tpsllq\t$23,%mm4\n\tpaddq\t%mm3,%mm2\n\tmovq\t%mm1,%mm3\n\tpsrlq\t$4,%mm1\n\tpxor\t%mm6,%mm5\n\tpxor\t%mm4,%mm3\n\tpsllq\t$23,%mm4\n\tpxor\t%mm1,%mm3\n\tmovq\t%mm2,24(%esp)\n\tpaddq\t%mm5,%mm7\n\tpxor\t%mm4,%mm3\n\tpsrlq\t$23,%mm1\n\tpaddq\t16(%esp),%mm7\n\tpxor\t%mm1,%mm3\n\tpsllq\t$4,%mm4\n\tpxor\t%mm4,%mm3\n\tmovq\t48(%esp),%mm4\n\tpaddq\t%mm7,%mm3\n\tmovq\t%mm2,%mm5\n\tpsrlq\t$28,%mm5\n\tpaddq\t%mm3,%mm4\n\tmovq\t%mm2,%mm6\n\tmovq\t%mm5,%mm7\n\tpsllq\t$25,%mm6\n\tmovq\t32(%esp),%mm1\n\tpsrlq\t$6,%mm5\n\tpxor\t%mm6,%mm7\n\tpsllq\t$5,%mm6\n\tpxor\t%mm5,%mm7\n\tpxor\t%mm1,%mm2\n\tpsrlq\t$5,%mm5\n\tpxor\t%mm6,%mm7\n\tpand\t%mm2,%mm0\n\tpsllq\t$6,%mm6\n\tpxor\t%mm5,%mm7\n\tpxor\t%mm1,%mm0\n\tpxor\t%mm7,%mm6\n\tmovq\t56(%esp),%mm5\n\tpaddq\t%mm6,%mm0\n\tmovq\t(%esp),%mm6\n\tmovdqa\t%xmm0,-32(%edx)\n\tmovdqa\t%xmm4,%xmm2\n\tmovdqa\t%xmm1,%xmm0\n.byte\t102,15,58,15,207,8\n\tmovdqa\t%xmm3,48(%edx)\n.byte\t102,15,58,15,211,8\n\tmovdqa\t%xmm1,%xmm3\n\tpsrlq\t$7,%xmm1\n\tpaddq\t%xmm2,%xmm7\n\tmovdqa\t%xmm3,%xmm2\n\tpsrlq\t$1,%xmm3\n\tpsllq\t$56,%xmm2\n\tpxor\t%xmm3,%xmm1\n\tpsrlq\t$7,%xmm3\n\tpxor\t%xmm2,%xmm1\n\tpsllq\t$7,%xmm2\n\tpxor\t%xmm3,%xmm1\n\tmovdqa\t%xmm6,%xmm3\n\tpxor\t%xmm2,%xmm1\n\tmovdqa\t%xmm6,%xmm2\n\tpsrlq\t$6,%xmm3\n\tpaddq\t%xmm1,%xmm7\n\tmovdqa\t%xmm6,%xmm1\n\tpsrlq\t$19,%xmm2\n\tpsllq\t$3,%xmm1\n\tpxor\t%xmm2,%xmm3\n\tpsrlq\t$42,%xmm2\n\tpxor\t%xmm1,%xmm3\n\tpsllq\t$42,%xmm1\n\tpxor\t%xmm2,%xmm3\n\tmovdqa\t16(%edx),%xmm2\n\tpxor\t%xmm1,%xmm3\n\tmovdqa\t112(%ebp),%xmm1\n\tmovq\t%mm4,%mm1\n\tpaddq\t%xmm3,%xmm7\n\tmovq\t-16(%edx),%mm7\n\tpxor\t%mm6,%mm5\n\tpsrlq\t$14,%mm1\n\tmovq\t%mm4,48(%esp)\n\tpaddq\t%xmm7,%xmm1\n\tpand\t%mm4,%mm5\n\tpsllq\t$23,%mm4\n\tpaddq\t%mm3,%mm0\n\tmovq\t%mm1,%mm3\n\tpsrlq\t$4,%mm1\n\tpxor\t%mm6,%mm5\n\tpxor\t%mm4,%mm3\n\tpsllq\t$23,%mm4\n\tpxor\t%mm1,%mm3\n\tmovq\t%mm0,16(%esp)\n\tpaddq\t%mm5,%mm7\n\tpxor\t%mm4,%mm3\n\tpsrlq\t$23,%mm1\n\tpaddq\t8(%esp),%mm7\n\tpxor\t%mm1,%mm3\n\tpsllq\t$4,%mm4\n\tpxor\t%mm4,%mm3\n\tmovq\t40(%esp),%mm4\n\tpaddq\t%mm7,%mm3\n\tmovq\t%mm0,%mm5\n\tpsrlq\t$28,%mm5\n\tpaddq\t%mm3,%mm4\n\tmovq\t%mm0,%mm6\n\tmovq\t%mm5,%mm7\n\tpsllq\t$25,%mm6\n\tmovq\t24(%esp),%mm1\n\tpsrlq\t$6,%mm5\n\tpxor\t%mm6,%mm7\n\tpsllq\t$5,%mm6\n\tpxor\t%mm5,%mm7\n\tpxor\t%mm1,%mm0\n\tpsrlq\t$5,%mm5\n\tpxor\t%mm6,%mm7\n\tpand\t%mm0,%mm2\n\tpsllq\t$6,%mm6\n\tpxor\t%mm5,%mm7\n\tpxor\t%mm1,%mm2\n\tpxor\t%mm7,%mm6\n\tmovq\t48(%esp),%mm5\n\tpaddq\t%mm6,%mm2\n\tmovq\t56(%esp),%mm6\n\tmovq\t%mm4,%mm1\n\tmovq\t-8(%edx),%mm7\n\tpxor\t%mm6,%mm5\n\tpsrlq\t$14,%mm1\n\tmovq\t%mm4,40(%esp)\n\tpand\t%mm4,%mm5\n\tpsllq\t$23,%mm4\n\tpaddq\t%mm3,%mm2\n\tmovq\t%mm1,%mm3\n\tpsrlq\t$4,%mm1\n\tpxor\t%mm6,%mm5\n\tpxor\t%mm4,%mm3\n\tpsllq\t$23,%mm4\n\tpxor\t%mm1,%mm3\n\tmovq\t%mm2,8(%esp)\n\tpaddq\t%mm5,%mm7\n\tpxor\t%mm4,%mm3\n\tpsrlq\t$23,%mm1\n\tpaddq\t(%esp),%mm7\n\tpxor\t%mm1,%mm3\n\tpsllq\t$4,%mm4\n\tpxor\t%mm4,%mm3\n\tmovq\t32(%esp),%mm4\n\tpaddq\t%mm7,%mm3\n\tmovq\t%mm2,%mm5\n\tpsrlq\t$28,%mm5\n\tpaddq\t%mm3,%mm4\n\tmovq\t%mm2,%mm6\n\tmovq\t%mm5,%mm7\n\tpsllq\t$25,%mm6\n\tmovq\t16(%esp),%mm1\n\tpsrlq\t$6,%mm5\n\tpxor\t%mm6,%mm7\n\tpsllq\t$5,%mm6\n\tpxor\t%mm5,%mm7\n\tpxor\t%mm1,%mm2\n\tpsrlq\t$5,%mm5\n\tpxor\t%mm6,%mm7\n\tpand\t%mm2,%mm0\n\tpsllq\t$6,%mm6\n\tpxor\t%mm5,%mm7\n\tpxor\t%mm1,%mm0\n\tpxor\t%mm7,%mm6\n\tmovq\t40(%esp),%mm5\n\tpaddq\t%mm6,%mm0\n\tmovq\t48(%esp),%mm6\n\tmovdqa\t%xmm1,-16(%edx)\n\tleal\t128(%ebp),%ebp\n\tdecl\t%ecx\n\tjnz\tL00600_47_ssse3\n\tmovdqa\t(%ebp),%xmm1\n\tleal\t-640(%ebp),%ebp\n\tmovdqu\t(%ebx),%xmm0\n.byte\t102,15,56,0,193\n\tmovdqa\t(%ebp),%xmm3\n\tmovdqa\t%xmm1,%xmm2\n\tmovdqu\t16(%ebx),%xmm1\n\tpaddq\t%xmm0,%xmm3\n.byte\t102,15,56,0,202\n\tmovq\t%mm4,%mm1\n\tmovq\t-128(%edx),%mm7\n\tpxor\t%mm6,%mm5\n\tpsrlq\t$14,%mm1\n\tmovq\t%mm4,32(%esp)\n\tpand\t%mm4,%mm5\n\tpsllq\t$23,%mm4\n\tpaddq\t%mm3,%mm0\n\tmovq\t%mm1,%mm3\n\tpsrlq\t$4,%mm1\n\tpxor\t%mm6,%mm5\n\tpxor\t%mm4,%mm3\n\tpsllq\t$23,%mm4\n\tpxor\t%mm1,%mm3\n\tmovq\t%mm0,(%esp)\n\tpaddq\t%mm5,%mm7\n\tpxor\t%mm4,%mm3\n\tpsrlq\t$23,%mm1\n\tpaddq\t56(%esp),%mm7\n\tpxor\t%mm1,%mm3\n\tpsllq\t$4,%mm4\n\tpxor\t%mm4,%mm3\n\tmovq\t24(%esp),%mm4\n\tpaddq\t%mm7,%mm3\n\tmovq\t%mm0,%mm5\n\tpsrlq\t$28,%mm5\n\tpaddq\t%mm3,%mm4\n\tmovq\t%mm0,%mm6\n\tmovq\t%mm5,%mm7\n\tpsllq\t$25,%mm6\n\tmovq\t8(%esp),%mm1\n\tpsrlq\t$6,%mm5\n\tpxor\t%mm6,%mm7\n\tpsllq\t$5,%mm6\n\tpxor\t%mm5,%mm7\n\tpxor\t%mm1,%mm0\n\tpsrlq\t$5,%mm5\n\tpxor\t%mm6,%mm7\n\tpand\t%mm0,%mm2\n\tpsllq\t$6,%mm6\n\tpxor\t%mm5,%mm7\n\tpxor\t%mm1,%mm2\n\tpxor\t%mm7,%mm6\n\tmovq\t32(%esp),%mm5\n\tpaddq\t%mm6,%mm2\n\tmovq\t40(%esp),%mm6\n\tmovq\t%mm4,%mm1\n\tmovq\t-120(%edx),%mm7\n\tpxor\t%mm6,%mm5\n\tpsrlq\t$14,%mm1\n\tmovq\t%mm4,24(%esp)\n\tpand\t%mm4,%mm5\n\tpsllq\t$23,%mm4\n\tpaddq\t%mm3,%mm2\n\tmovq\t%mm1,%mm3\n\tpsrlq\t$4,%mm1\n\tpxor\t%mm6,%mm5\n\tpxor\t%mm4,%mm3\n\tpsllq\t$23,%mm4\n\tpxor\t%mm1,%mm3\n\tmovq\t%mm2,56(%esp)\n\tpaddq\t%mm5,%mm7\n\tpxor\t%mm4,%mm3\n\tpsrlq\t$23,%mm1\n\tpaddq\t48(%esp),%mm7\n\tpxor\t%mm1,%mm3\n\tpsllq\t$4,%mm4\n\tpxor\t%mm4,%mm3\n\tmovq\t16(%esp),%mm4\n\tpaddq\t%mm7,%mm3\n\tmovq\t%mm2,%mm5\n\tpsrlq\t$28,%mm5\n\tpaddq\t%mm3,%mm4\n\tmovq\t%mm2,%mm6\n\tmovq\t%mm5,%mm7\n\tpsllq\t$25,%mm6\n\tmovq\t(%esp),%mm1\n\tpsrlq\t$6,%mm5\n\tpxor\t%mm6,%mm7\n\tpsllq\t$5,%mm6\n\tpxor\t%mm5,%mm7\n\tpxor\t%mm1,%mm2\n\tpsrlq\t$5,%mm5\n\tpxor\t%mm6,%mm7\n\tpand\t%mm2,%mm0\n\tpsllq\t$6,%mm6\n\tpxor\t%mm5,%mm7\n\tpxor\t%mm1,%mm0\n\tpxor\t%mm7,%mm6\n\tmovq\t24(%esp),%mm5\n\tpaddq\t%mm6,%mm0\n\tmovq\t32(%esp),%mm6\n\tmovdqa\t%xmm3,-128(%edx)\n\tmovdqa\t16(%ebp),%xmm4\n\tmovdqa\t%xmm2,%xmm3\n\tmovdqu\t32(%ebx),%xmm2\n\tpaddq\t%xmm1,%xmm4\n.byte\t102,15,56,0,211\n\tmovq\t%mm4,%mm1\n\tmovq\t-112(%edx),%mm7\n\tpxor\t%mm6,%mm5\n\tpsrlq\t$14,%mm1\n\tmovq\t%mm4,16(%esp)\n\tpand\t%mm4,%mm5\n\tpsllq\t$23,%mm4\n\tpaddq\t%mm3,%mm0\n\tmovq\t%mm1,%mm3\n\tpsrlq\t$4,%mm1\n\tpxor\t%mm6,%mm5\n\tpxor\t%mm4,%mm3\n\tpsllq\t$23,%mm4\n\tpxor\t%mm1,%mm3\n\tmovq\t%mm0,48(%esp)\n\tpaddq\t%mm5,%mm7\n\tpxor\t%mm4,%mm3\n\tpsrlq\t$23,%mm1\n\tpaddq\t40(%esp),%mm7\n\tpxor\t%mm1,%mm3\n\tpsllq\t$4,%mm4\n\tpxor\t%mm4,%mm3\n\tmovq\t8(%esp),%mm4\n\tpaddq\t%mm7,%mm3\n\tmovq\t%mm0,%mm5\n\tpsrlq\t$28,%mm5\n\tpaddq\t%mm3,%mm4\n\tmovq\t%mm0,%mm6\n\tmovq\t%mm5,%mm7\n\tpsllq\t$25,%mm6\n\tmovq\t56(%esp),%mm1\n\tpsrlq\t$6,%mm5\n\tpxor\t%mm6,%mm7\n\tpsllq\t$5,%mm6\n\tpxor\t%mm5,%mm7\n\tpxor\t%mm1,%mm0\n\tpsrlq\t$5,%mm5\n\tpxor\t%mm6,%mm7\n\tpand\t%mm0,%mm2\n\tpsllq\t$6,%mm6\n\tpxor\t%mm5,%mm7\n\tpxor\t%mm1,%mm2\n\tpxor\t%mm7,%mm6\n\tmovq\t16(%esp),%mm5\n\tpaddq\t%mm6,%mm2\n\tmovq\t24(%esp),%mm6\n\tmovq\t%mm4,%mm1\n\tmovq\t-104(%edx),%mm7\n\tpxor\t%mm6,%mm5\n\tpsrlq\t$14,%mm1\n\tmovq\t%mm4,8(%esp)\n\tpand\t%mm4,%mm5\n\tpsllq\t$23,%mm4\n\tpaddq\t%mm3,%mm2\n\tmovq\t%mm1,%mm3\n\tpsrlq\t$4,%mm1\n\tpxor\t%mm6,%mm5\n\tpxor\t%mm4,%mm3\n\tpsllq\t$23,%mm4\n\tpxor\t%mm1,%mm3\n\tmovq\t%mm2,40(%esp)\n\tpaddq\t%mm5,%mm7\n\tpxor\t%mm4,%mm3\n\tpsrlq\t$23,%mm1\n\tpaddq\t32(%esp),%mm7\n\tpxor\t%mm1,%mm3\n\tpsllq\t$4,%mm4\n\tpxor\t%mm4,%mm3\n\tmovq\t(%esp),%mm4\n\tpaddq\t%mm7,%mm3\n\tmovq\t%mm2,%mm5\n\tpsrlq\t$28,%mm5\n\tpaddq\t%mm3,%mm4\n\tmovq\t%mm2,%mm6\n\tmovq\t%mm5,%mm7\n\tpsllq\t$25,%mm6\n\tmovq\t48(%esp),%mm1\n\tpsrlq\t$6,%mm5\n\tpxor\t%mm6,%mm7\n\tpsllq\t$5,%mm6\n\tpxor\t%mm5,%mm7\n\tpxor\t%mm1,%mm2\n\tpsrlq\t$5,%mm5\n\tpxor\t%mm6,%mm7\n\tpand\t%mm2,%mm0\n\tpsllq\t$6,%mm6\n\tpxor\t%mm5,%mm7\n\tpxor\t%mm1,%mm0\n\tpxor\t%mm7,%mm6\n\tmovq\t8(%esp),%mm5\n\tpaddq\t%mm6,%mm0\n\tmovq\t16(%esp),%mm6\n\tmovdqa\t%xmm4,-112(%edx)\n\tmovdqa\t32(%ebp),%xmm5\n\tmovdqa\t%xmm3,%xmm4\n\tmovdqu\t48(%ebx),%xmm3\n\tpaddq\t%xmm2,%xmm5\n.byte\t102,15,56,0,220\n\tmovq\t%mm4,%mm1\n\tmovq\t-96(%edx),%mm7\n\tpxor\t%mm6,%mm5\n\tpsrlq\t$14,%mm1\n\tmovq\t%mm4,(%esp)\n\tpand\t%mm4,%mm5\n\tpsllq\t$23,%mm4\n\tpaddq\t%mm3,%mm0\n\tmovq\t%mm1,%mm3\n\tpsrlq\t$4,%mm1\n\tpxor\t%mm6,%mm5\n\tpxor\t%mm4,%mm3\n\tpsllq\t$23,%mm4\n\tpxor\t%mm1,%mm3\n\tmovq\t%mm0,32(%esp)\n\tpaddq\t%mm5,%mm7\n\tpxor\t%mm4,%mm3\n\tpsrlq\t$23,%mm1\n\tpaddq\t24(%esp),%mm7\n\tpxor\t%mm1,%mm3\n\tpsllq\t$4,%mm4\n\tpxor\t%mm4,%mm3\n\tmovq\t56(%esp),%mm4\n\tpaddq\t%mm7,%mm3\n\tmovq\t%mm0,%mm5\n\tpsrlq\t$28,%mm5\n\tpaddq\t%mm3,%mm4\n\tmovq\t%mm0,%mm6\n\tmovq\t%mm5,%mm7\n\tpsllq\t$25,%mm6\n\tmovq\t40(%esp),%mm1\n\tpsrlq\t$6,%mm5\n\tpxor\t%mm6,%mm7\n\tpsllq\t$5,%mm6\n\tpxor\t%mm5,%mm7\n\tpxor\t%mm1,%mm0\n\tpsrlq\t$5,%mm5\n\tpxor\t%mm6,%mm7\n\tpand\t%mm0,%mm2\n\tpsllq\t$6,%mm6\n\tpxor\t%mm5,%mm7\n\tpxor\t%mm1,%mm2\n\tpxor\t%mm7,%mm6\n\tmovq\t(%esp),%mm5\n\tpaddq\t%mm6,%mm2\n\tmovq\t8(%esp),%mm6\n\tmovq\t%mm4,%mm1\n\tmovq\t-88(%edx),%mm7\n\tpxor\t%mm6,%mm5\n\tpsrlq\t$14,%mm1\n\tmovq\t%mm4,56(%esp)\n\tpand\t%mm4,%mm5\n\tpsllq\t$23,%mm4\n\tpaddq\t%mm3,%mm2\n\tmovq\t%mm1,%mm3\n\tpsrlq\t$4,%mm1\n\tpxor\t%mm6,%mm5\n\tpxor\t%mm4,%mm3\n\tpsllq\t$23,%mm4\n\tpxor\t%mm1,%mm3\n\tmovq\t%mm2,24(%esp)\n\tpaddq\t%mm5,%mm7\n\tpxor\t%mm4,%mm3\n\tpsrlq\t$23,%mm1\n\tpaddq\t16(%esp),%mm7\n\tpxor\t%mm1,%mm3\n\tpsllq\t$4,%mm4\n\tpxor\t%mm4,%mm3\n\tmovq\t48(%esp),%mm4\n\tpaddq\t%mm7,%mm3\n\tmovq\t%mm2,%mm5\n\tpsrlq\t$28,%mm5\n\tpaddq\t%mm3,%mm4\n\tmovq\t%mm2,%mm6\n\tmovq\t%mm5,%mm7\n\tpsllq\t$25,%mm6\n\tmovq\t32(%esp),%mm1\n\tpsrlq\t$6,%mm5\n\tpxor\t%mm6,%mm7\n\tpsllq\t$5,%mm6\n\tpxor\t%mm5,%mm7\n\tpxor\t%mm1,%mm2\n\tpsrlq\t$5,%mm5\n\tpxor\t%mm6,%mm7\n\tpand\t%mm2,%mm0\n\tpsllq\t$6,%mm6\n\tpxor\t%mm5,%mm7\n\tpxor\t%mm1,%mm0\n\tpxor\t%mm7,%mm6\n\tmovq\t56(%esp),%mm5\n\tpaddq\t%mm6,%mm0\n\tmovq\t(%esp),%mm6\n\tmovdqa\t%xmm5,-96(%edx)\n\tmovdqa\t48(%ebp),%xmm6\n\tmovdqa\t%xmm4,%xmm5\n\tmovdqu\t64(%ebx),%xmm4\n\tpaddq\t%xmm3,%xmm6\n.byte\t102,15,56,0,229\n\tmovq\t%mm4,%mm1\n\tmovq\t-80(%edx),%mm7\n\tpxor\t%mm6,%mm5\n\tpsrlq\t$14,%mm1\n\tmovq\t%mm4,48(%esp)\n\tpand\t%mm4,%mm5\n\tpsllq\t$23,%mm4\n\tpaddq\t%mm3,%mm0\n\tmovq\t%mm1,%mm3\n\tpsrlq\t$4,%mm1\n\tpxor\t%mm6,%mm5\n\tpxor\t%mm4,%mm3\n\tpsllq\t$23,%mm4\n\tpxor\t%mm1,%mm3\n\tmovq\t%mm0,16(%esp)\n\tpaddq\t%mm5,%mm7\n\tpxor\t%mm4,%mm3\n\tpsrlq\t$23,%mm1\n\tpaddq\t8(%esp),%mm7\n\tpxor\t%mm1,%mm3\n\tpsllq\t$4,%mm4\n\tpxor\t%mm4,%mm3\n\tmovq\t40(%esp),%mm4\n\tpaddq\t%mm7,%mm3\n\tmovq\t%mm0,%mm5\n\tpsrlq\t$28,%mm5\n\tpaddq\t%mm3,%mm4\n\tmovq\t%mm0,%mm6\n\tmovq\t%mm5,%mm7\n\tpsllq\t$25,%mm6\n\tmovq\t24(%esp),%mm1\n\tpsrlq\t$6,%mm5\n\tpxor\t%mm6,%mm7\n\tpsllq\t$5,%mm6\n\tpxor\t%mm5,%mm7\n\tpxor\t%mm1,%mm0\n\tpsrlq\t$5,%mm5\n\tpxor\t%mm6,%mm7\n\tpand\t%mm0,%mm2\n\tpsllq\t$6,%mm6\n\tpxor\t%mm5,%mm7\n\tpxor\t%mm1,%mm2\n\tpxor\t%mm7,%mm6\n\tmovq\t48(%esp),%mm5\n\tpaddq\t%mm6,%mm2\n\tmovq\t56(%esp),%mm6\n\tmovq\t%mm4,%mm1\n\tmovq\t-72(%edx),%mm7\n\tpxor\t%mm6,%mm5\n\tpsrlq\t$14,%mm1\n\tmovq\t%mm4,40(%esp)\n\tpand\t%mm4,%mm5\n\tpsllq\t$23,%mm4\n\tpaddq\t%mm3,%mm2\n\tmovq\t%mm1,%mm3\n\tpsrlq\t$4,%mm1\n\tpxor\t%mm6,%mm5\n\tpxor\t%mm4,%mm3\n\tpsllq\t$23,%mm4\n\tpxor\t%mm1,%mm3\n\tmovq\t%mm2,8(%esp)\n\tpaddq\t%mm5,%mm7\n\tpxor\t%mm4,%mm3\n\tpsrlq\t$23,%mm1\n\tpaddq\t(%esp),%mm7\n\tpxor\t%mm1,%mm3\n\tpsllq\t$4,%mm4\n\tpxor\t%mm4,%mm3\n\tmovq\t32(%esp),%mm4\n\tpaddq\t%mm7,%mm3\n\tmovq\t%mm2,%mm5\n\tpsrlq\t$28,%mm5\n\tpaddq\t%mm3,%mm4\n\tmovq\t%mm2,%mm6\n\tmovq\t%mm5,%mm7\n\tpsllq\t$25,%mm6\n\tmovq\t16(%esp),%mm1\n\tpsrlq\t$6,%mm5\n\tpxor\t%mm6,%mm7\n\tpsllq\t$5,%mm6\n\tpxor\t%mm5,%mm7\n\tpxor\t%mm1,%mm2\n\tpsrlq\t$5,%mm5\n\tpxor\t%mm6,%mm7\n\tpand\t%mm2,%mm0\n\tpsllq\t$6,%mm6\n\tpxor\t%mm5,%mm7\n\tpxor\t%mm1,%mm0\n\tpxor\t%mm7,%mm6\n\tmovq\t40(%esp),%mm5\n\tpaddq\t%mm6,%mm0\n\tmovq\t48(%esp),%mm6\n\tmovdqa\t%xmm6,-80(%edx)\n\tmovdqa\t64(%ebp),%xmm7\n\tmovdqa\t%xmm5,%xmm6\n\tmovdqu\t80(%ebx),%xmm5\n\tpaddq\t%xmm4,%xmm7\n.byte\t102,15,56,0,238\n\tmovq\t%mm4,%mm1\n\tmovq\t-64(%edx),%mm7\n\tpxor\t%mm6,%mm5\n\tpsrlq\t$14,%mm1\n\tmovq\t%mm4,32(%esp)\n\tpand\t%mm4,%mm5\n\tpsllq\t$23,%mm4\n\tpaddq\t%mm3,%mm0\n\tmovq\t%mm1,%mm3\n\tpsrlq\t$4,%mm1\n\tpxor\t%mm6,%mm5\n\tpxor\t%mm4,%mm3\n\tpsllq\t$23,%mm4\n\tpxor\t%mm1,%mm3\n\tmovq\t%mm0,(%esp)\n\tpaddq\t%mm5,%mm7\n\tpxor\t%mm4,%mm3\n\tpsrlq\t$23,%mm1\n\tpaddq\t56(%esp),%mm7\n\tpxor\t%mm1,%mm3\n\tpsllq\t$4,%mm4\n\tpxor\t%mm4,%mm3\n\tmovq\t24(%esp),%mm4\n\tpaddq\t%mm7,%mm3\n\tmovq\t%mm0,%mm5\n\tpsrlq\t$28,%mm5\n\tpaddq\t%mm3,%mm4\n\tmovq\t%mm0,%mm6\n\tmovq\t%mm5,%mm7\n\tpsllq\t$25,%mm6\n\tmovq\t8(%esp),%mm1\n\tpsrlq\t$6,%mm5\n\tpxor\t%mm6,%mm7\n\tpsllq\t$5,%mm6\n\tpxor\t%mm5,%mm7\n\tpxor\t%mm1,%mm0\n\tpsrlq\t$5,%mm5\n\tpxor\t%mm6,%mm7\n\tpand\t%mm0,%mm2\n\tpsllq\t$6,%mm6\n\tpxor\t%mm5,%mm7\n\tpxor\t%mm1,%mm2\n\tpxor\t%mm7,%mm6\n\tmovq\t32(%esp),%mm5\n\tpaddq\t%mm6,%mm2\n\tmovq\t40(%esp),%mm6\n\tmovq\t%mm4,%mm1\n\tmovq\t-56(%edx),%mm7\n\tpxor\t%mm6,%mm5\n\tpsrlq\t$14,%mm1\n\tmovq\t%mm4,24(%esp)\n\tpand\t%mm4,%mm5\n\tpsllq\t$23,%mm4\n\tpaddq\t%mm3,%mm2\n\tmovq\t%mm1,%mm3\n\tpsrlq\t$4,%mm1\n\tpxor\t%mm6,%mm5\n\tpxor\t%mm4,%mm3\n\tpsllq\t$23,%mm4\n\tpxor\t%mm1,%mm3\n\tmovq\t%mm2,56(%esp)\n\tpaddq\t%mm5,%mm7\n\tpxor\t%mm4,%mm3\n\tpsrlq\t$23,%mm1\n\tpaddq\t48(%esp),%mm7\n\tpxor\t%mm1,%mm3\n\tpsllq\t$4,%mm4\n\tpxor\t%mm4,%mm3\n\tmovq\t16(%esp),%mm4\n\tpaddq\t%mm7,%mm3\n\tmovq\t%mm2,%mm5\n\tpsrlq\t$28,%mm5\n\tpaddq\t%mm3,%mm4\n\tmovq\t%mm2,%mm6\n\tmovq\t%mm5,%mm7\n\tpsllq\t$25,%mm6\n\tmovq\t(%esp),%mm1\n\tpsrlq\t$6,%mm5\n\tpxor\t%mm6,%mm7\n\tpsllq\t$5,%mm6\n\tpxor\t%mm5,%mm7\n\tpxor\t%mm1,%mm2\n\tpsrlq\t$5,%mm5\n\tpxor\t%mm6,%mm7\n\tpand\t%mm2,%mm0\n\tpsllq\t$6,%mm6\n\tpxor\t%mm5,%mm7\n\tpxor\t%mm1,%mm0\n\tpxor\t%mm7,%mm6\n\tmovq\t24(%esp),%mm5\n\tpaddq\t%mm6,%mm0\n\tmovq\t32(%esp),%mm6\n\tmovdqa\t%xmm7,-64(%edx)\n\tmovdqa\t%xmm0,(%edx)\n\tmovdqa\t80(%ebp),%xmm0\n\tmovdqa\t%xmm6,%xmm7\n\tmovdqu\t96(%ebx),%xmm6\n\tpaddq\t%xmm5,%xmm0\n.byte\t102,15,56,0,247\n\tmovq\t%mm4,%mm1\n\tmovq\t-48(%edx),%mm7\n\tpxor\t%mm6,%mm5\n\tpsrlq\t$14,%mm1\n\tmovq\t%mm4,16(%esp)\n\tpand\t%mm4,%mm5\n\tpsllq\t$23,%mm4\n\tpaddq\t%mm3,%mm0\n\tmovq\t%mm1,%mm3\n\tpsrlq\t$4,%mm1\n\tpxor\t%mm6,%mm5\n\tpxor\t%mm4,%mm3\n\tpsllq\t$23,%mm4\n\tpxor\t%mm1,%mm3\n\tmovq\t%mm0,48(%esp)\n\tpaddq\t%mm5,%mm7\n\tpxor\t%mm4,%mm3\n\tpsrlq\t$23,%mm1\n\tpaddq\t40(%esp),%mm7\n\tpxor\t%mm1,%mm3\n\tpsllq\t$4,%mm4\n\tpxor\t%mm4,%mm3\n\tmovq\t8(%esp),%mm4\n\tpaddq\t%mm7,%mm3\n\tmovq\t%mm0,%mm5\n\tpsrlq\t$28,%mm5\n\tpaddq\t%mm3,%mm4\n\tmovq\t%mm0,%mm6\n\tmovq\t%mm5,%mm7\n\tpsllq\t$25,%mm6\n\tmovq\t56(%esp),%mm1\n\tpsrlq\t$6,%mm5\n\tpxor\t%mm6,%mm7\n\tpsllq\t$5,%mm6\n\tpxor\t%mm5,%mm7\n\tpxor\t%mm1,%mm0\n\tpsrlq\t$5,%mm5\n\tpxor\t%mm6,%mm7\n\tpand\t%mm0,%mm2\n\tpsllq\t$6,%mm6\n\tpxor\t%mm5,%mm7\n\tpxor\t%mm1,%mm2\n\tpxor\t%mm7,%mm6\n\tmovq\t16(%esp),%mm5\n\tpaddq\t%mm6,%mm2\n\tmovq\t24(%esp),%mm6\n\tmovq\t%mm4,%mm1\n\tmovq\t-40(%edx),%mm7\n\tpxor\t%mm6,%mm5\n\tpsrlq\t$14,%mm1\n\tmovq\t%mm4,8(%esp)\n\tpand\t%mm4,%mm5\n\tpsllq\t$23,%mm4\n\tpaddq\t%mm3,%mm2\n\tmovq\t%mm1,%mm3\n\tpsrlq\t$4,%mm1\n\tpxor\t%mm6,%mm5\n\tpxor\t%mm4,%mm3\n\tpsllq\t$23,%mm4\n\tpxor\t%mm1,%mm3\n\tmovq\t%mm2,40(%esp)\n\tpaddq\t%mm5,%mm7\n\tpxor\t%mm4,%mm3\n\tpsrlq\t$23,%mm1\n\tpaddq\t32(%esp),%mm7\n\tpxor\t%mm1,%mm3\n\tpsllq\t$4,%mm4\n\tpxor\t%mm4,%mm3\n\tmovq\t(%esp),%mm4\n\tpaddq\t%mm7,%mm3\n\tmovq\t%mm2,%mm5\n\tpsrlq\t$28,%mm5\n\tpaddq\t%mm3,%mm4\n\tmovq\t%mm2,%mm6\n\tmovq\t%mm5,%mm7\n\tpsllq\t$25,%mm6\n\tmovq\t48(%esp),%mm1\n\tpsrlq\t$6,%mm5\n\tpxor\t%mm6,%mm7\n\tpsllq\t$5,%mm6\n\tpxor\t%mm5,%mm7\n\tpxor\t%mm1,%mm2\n\tpsrlq\t$5,%mm5\n\tpxor\t%mm6,%mm7\n\tpand\t%mm2,%mm0\n\tpsllq\t$6,%mm6\n\tpxor\t%mm5,%mm7\n\tpxor\t%mm1,%mm0\n\tpxor\t%mm7,%mm6\n\tmovq\t8(%esp),%mm5\n\tpaddq\t%mm6,%mm0\n\tmovq\t16(%esp),%mm6\n\tmovdqa\t%xmm0,-48(%edx)\n\tmovdqa\t%xmm1,16(%edx)\n\tmovdqa\t96(%ebp),%xmm1\n\tmovdqa\t%xmm7,%xmm0\n\tmovdqu\t112(%ebx),%xmm7\n\tpaddq\t%xmm6,%xmm1\n.byte\t102,15,56,0,248\n\tmovq\t%mm4,%mm1\n\tmovq\t-32(%edx),%mm7\n\tpxor\t%mm6,%mm5\n\tpsrlq\t$14,%mm1\n\tmovq\t%mm4,(%esp)\n\tpand\t%mm4,%mm5\n\tpsllq\t$23,%mm4\n\tpaddq\t%mm3,%mm0\n\tmovq\t%mm1,%mm3\n\tpsrlq\t$4,%mm1\n\tpxor\t%mm6,%mm5\n\tpxor\t%mm4,%mm3\n\tpsllq\t$23,%mm4\n\tpxor\t%mm1,%mm3\n\tmovq\t%mm0,32(%esp)\n\tpaddq\t%mm5,%mm7\n\tpxor\t%mm4,%mm3\n\tpsrlq\t$23,%mm1\n\tpaddq\t24(%esp),%mm7\n\tpxor\t%mm1,%mm3\n\tpsllq\t$4,%mm4\n\tpxor\t%mm4,%mm3\n\tmovq\t56(%esp),%mm4\n\tpaddq\t%mm7,%mm3\n\tmovq\t%mm0,%mm5\n\tpsrlq\t$28,%mm5\n\tpaddq\t%mm3,%mm4\n\tmovq\t%mm0,%mm6\n\tmovq\t%mm5,%mm7\n\tpsllq\t$25,%mm6\n\tmovq\t40(%esp),%mm1\n\tpsrlq\t$6,%mm5\n\tpxor\t%mm6,%mm7\n\tpsllq\t$5,%mm6\n\tpxor\t%mm5,%mm7\n\tpxor\t%mm1,%mm0\n\tpsrlq\t$5,%mm5\n\tpxor\t%mm6,%mm7\n\tpand\t%mm0,%mm2\n\tpsllq\t$6,%mm6\n\tpxor\t%mm5,%mm7\n\tpxor\t%mm1,%mm2\n\tpxor\t%mm7,%mm6\n\tmovq\t(%esp),%mm5\n\tpaddq\t%mm6,%mm2\n\tmovq\t8(%esp),%mm6\n\tmovq\t%mm4,%mm1\n\tmovq\t-24(%edx),%mm7\n\tpxor\t%mm6,%mm5\n\tpsrlq\t$14,%mm1\n\tmovq\t%mm4,56(%esp)\n\tpand\t%mm4,%mm5\n\tpsllq\t$23,%mm4\n\tpaddq\t%mm3,%mm2\n\tmovq\t%mm1,%mm3\n\tpsrlq\t$4,%mm1\n\tpxor\t%mm6,%mm5\n\tpxor\t%mm4,%mm3\n\tpsllq\t$23,%mm4\n\tpxor\t%mm1,%mm3\n\tmovq\t%mm2,24(%esp)\n\tpaddq\t%mm5,%mm7\n\tpxor\t%mm4,%mm3\n\tpsrlq\t$23,%mm1\n\tpaddq\t16(%esp),%mm7\n\tpxor\t%mm1,%mm3\n\tpsllq\t$4,%mm4\n\tpxor\t%mm4,%mm3\n\tmovq\t48(%esp),%mm4\n\tpaddq\t%mm7,%mm3\n\tmovq\t%mm2,%mm5\n\tpsrlq\t$28,%mm5\n\tpaddq\t%mm3,%mm4\n\tmovq\t%mm2,%mm6\n\tmovq\t%mm5,%mm7\n\tpsllq\t$25,%mm6\n\tmovq\t32(%esp),%mm1\n\tpsrlq\t$6,%mm5\n\tpxor\t%mm6,%mm7\n\tpsllq\t$5,%mm6\n\tpxor\t%mm5,%mm7\n\tpxor\t%mm1,%mm2\n\tpsrlq\t$5,%mm5\n\tpxor\t%mm6,%mm7\n\tpand\t%mm2,%mm0\n\tpsllq\t$6,%mm6\n\tpxor\t%mm5,%mm7\n\tpxor\t%mm1,%mm0\n\tpxor\t%mm7,%mm6\n\tmovq\t56(%esp),%mm5\n\tpaddq\t%mm6,%mm0\n\tmovq\t(%esp),%mm6\n\tmovdqa\t%xmm1,-32(%edx)\n\tmovdqa\t%xmm2,32(%edx)\n\tmovdqa\t112(%ebp),%xmm2\n\tmovdqa\t(%edx),%xmm0\n\tpaddq\t%xmm7,%xmm2\n\tmovq\t%mm4,%mm1\n\tmovq\t-16(%edx),%mm7\n\tpxor\t%mm6,%mm5\n\tpsrlq\t$14,%mm1\n\tmovq\t%mm4,48(%esp)\n\tpand\t%mm4,%mm5\n\tpsllq\t$23,%mm4\n\tpaddq\t%mm3,%mm0\n\tmovq\t%mm1,%mm3\n\tpsrlq\t$4,%mm1\n\tpxor\t%mm6,%mm5\n\tpxor\t%mm4,%mm3\n\tpsllq\t$23,%mm4\n\tpxor\t%mm1,%mm3\n\tmovq\t%mm0,16(%esp)\n\tpaddq\t%mm5,%mm7\n\tpxor\t%mm4,%mm3\n\tpsrlq\t$23,%mm1\n\tpaddq\t8(%esp),%mm7\n\tpxor\t%mm1,%mm3\n\tpsllq\t$4,%mm4\n\tpxor\t%mm4,%mm3\n\tmovq\t40(%esp),%mm4\n\tpaddq\t%mm7,%mm3\n\tmovq\t%mm0,%mm5\n\tpsrlq\t$28,%mm5\n\tpaddq\t%mm3,%mm4\n\tmovq\t%mm0,%mm6\n\tmovq\t%mm5,%mm7\n\tpsllq\t$25,%mm6\n\tmovq\t24(%esp),%mm1\n\tpsrlq\t$6,%mm5\n\tpxor\t%mm6,%mm7\n\tpsllq\t$5,%mm6\n\tpxor\t%mm5,%mm7\n\tpxor\t%mm1,%mm0\n\tpsrlq\t$5,%mm5\n\tpxor\t%mm6,%mm7\n\tpand\t%mm0,%mm2\n\tpsllq\t$6,%mm6\n\tpxor\t%mm5,%mm7\n\tpxor\t%mm1,%mm2\n\tpxor\t%mm7,%mm6\n\tmovq\t48(%esp),%mm5\n\tpaddq\t%mm6,%mm2\n\tmovq\t56(%esp),%mm6\n\tmovq\t%mm4,%mm1\n\tmovq\t-8(%edx),%mm7\n\tpxor\t%mm6,%mm5\n\tpsrlq\t$14,%mm1\n\tmovq\t%mm4,40(%esp)\n\tpand\t%mm4,%mm5\n\tpsllq\t$23,%mm4\n\tpaddq\t%mm3,%mm2\n\tmovq\t%mm1,%mm3\n\tpsrlq\t$4,%mm1\n\tpxor\t%mm6,%mm5\n\tpxor\t%mm4,%mm3\n\tpsllq\t$23,%mm4\n\tpxor\t%mm1,%mm3\n\tmovq\t%mm2,8(%esp)\n\tpaddq\t%mm5,%mm7\n\tpxor\t%mm4,%mm3\n\tpsrlq\t$23,%mm1\n\tpaddq\t(%esp),%mm7\n\tpxor\t%mm1,%mm3\n\tpsllq\t$4,%mm4\n\tpxor\t%mm4,%mm3\n\tmovq\t32(%esp),%mm4\n\tpaddq\t%mm7,%mm3\n\tmovq\t%mm2,%mm5\n\tpsrlq\t$28,%mm5\n\tpaddq\t%mm3,%mm4\n\tmovq\t%mm2,%mm6\n\tmovq\t%mm5,%mm7\n\tpsllq\t$25,%mm6\n\tmovq\t16(%esp),%mm1\n\tpsrlq\t$6,%mm5\n\tpxor\t%mm6,%mm7\n\tpsllq\t$5,%mm6\n\tpxor\t%mm5,%mm7\n\tpxor\t%mm1,%mm2\n\tpsrlq\t$5,%mm5\n\tpxor\t%mm6,%mm7\n\tpand\t%mm2,%mm0\n\tpsllq\t$6,%mm6\n\tpxor\t%mm5,%mm7\n\tpxor\t%mm1,%mm0\n\tpxor\t%mm7,%mm6\n\tmovq\t40(%esp),%mm5\n\tpaddq\t%mm6,%mm0\n\tmovq\t48(%esp),%mm6\n\tmovdqa\t%xmm2,-16(%edx)\n\tmovq\t8(%esp),%mm1\n\tpaddq\t%mm3,%mm0\n\tmovq\t24(%esp),%mm3\n\tmovq\t56(%esp),%mm7\n\tpxor\t%mm1,%mm2\n\tpaddq\t(%esi),%mm0\n\tpaddq\t8(%esi),%mm1\n\tpaddq\t16(%esi),%mm2\n\tpaddq\t24(%esi),%mm3\n\tpaddq\t32(%esi),%mm4\n\tpaddq\t40(%esi),%mm5\n\tpaddq\t48(%esi),%mm6\n\tpaddq\t56(%esi),%mm7\n\tmovq\t%mm0,(%esi)\n\tmovq\t%mm1,8(%esi)\n\tmovq\t%mm2,16(%esi)\n\tmovq\t%mm3,24(%esi)\n\tmovq\t%mm4,32(%esi)\n\tmovq\t%mm5,40(%esi)\n\tmovq\t%mm6,48(%esi)\n\tmovq\t%mm7,56(%esi)\n\tcmpl\t%eax,%edi\n\tjb\tL005loop_ssse3\n\tmovl\t76(%edx),%esp\n\temms\n\tpopl\t%edi\n\tpopl\t%esi\n\tpopl\t%ebx\n\tpopl\t%ebp\n\tret\n.align\t6,0x90\nLK512:\n.long\t3609767458,1116352408\n.long\t602891725,1899447441\n.long\t3964484399,3049323471\n.long\t2173295548,3921009573\n.long\t4081628472,961987163\n.long\t3053834265,1508970993\n.long\t2937671579,2453635748\n.long\t3664609560,2870763221\n.long\t2734883394,3624381080\n.long\t1164996542,310598401\n.long\t1323610764,607225278\n.long\t3590304994,1426881987\n.long\t4068182383,1925078388\n.long\t991336113,2162078206\n.long\t633803317,2614888103\n.long\t3479774868,3248222580\n.long\t2666613458,3835390401\n.long\t944711139,4022224774\n.long\t2341262773,264347078\n.long\t2007800933,604807628\n.long\t1495990901,770255983\n.long\t1856431235,1249150122\n.long\t3175218132,1555081692\n.long\t2198950837,1996064986\n.long\t3999719339,2554220882\n.long\t766784016,2821834349\n.long\t2566594879,2952996808\n.long\t3203337956,3210313671\n.long\t1034457026,3336571891\n.long\t2466948901,3584528711\n.long\t3758326383,113926993\n.long\t168717936,338241895\n.long\t1188179964,666307205\n.long\t1546045734,773529912\n.long\t1522805485,1294757372\n.long\t2643833823,1396182291\n.long\t2343527390,1695183700\n.long\t1014477480,1986661051\n.long\t1206759142,2177026350\n.long\t344077627,2456956037\n.long\t1290863460,2730485921\n.long\t3158454273,2820302411\n.long\t3505952657,3259730800\n.long\t106217008,3345764771\n.long\t3606008344,3516065817\n.long\t1432725776,3600352804\n.long\t1467031594,4094571909\n.long\t851169720,275423344\n.long\t3100823752,430227734\n.long\t1363258195,506948616\n.long\t3750685593,659060556\n.long\t3785050280,883997877\n.long\t3318307427,958139571\n.long\t3812723403,1322822218\n.long\t2003034995,1537002063\n.long\t3602036899,1747873779\n.long\t1575990012,1955562222\n.long\t1125592928,2024104815\n.long\t2716904306,2227730452\n.long\t442776044,2361852424\n.long\t593698344,2428436474\n.long\t3733110249,2756734187\n.long\t2999351573,3204031479\n.long\t3815920427,3329325298\n.long\t3928383900,3391569614\n.long\t566280711,3515267271\n.long\t3454069534,3940187606\n.long\t4000239992,4118630271\n.long\t1914138554,116418474\n.long\t2731055270,174292421\n.long\t3203993006,289380356\n.long\t320620315,460393269\n.long\t587496836,685471733\n.long\t1086792851,852142971\n.long\t365543100,1017036298\n.long\t2618297676,1126000580\n.long\t3409855158,1288033470\n.long\t4234509866,1501505948\n.long\t987167468,1607167915\n.long\t1246189591,1816402316\n.long\t67438087,66051\n.long\t202182159,134810123\n.byte\t83,72,65,53,49,50,32,98,108,111,99,107,32,116,114,97\n.byte\t110,115,102,111,114,109,32,102,111,114,32,120,56,54,44,32\n.byte\t67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97\n.byte\t112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103\n.byte\t62,0\n#endif // !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86) && defined(__APPLE__)\n#if defined(__linux__) && defined(__ELF__)\n.section .note.GNU-stack,\"\",%progbits\n#endif\n\n" }, { "path": "Sources/CNIOBoringSSL/gen/bcm/sha512-586-linux.S", "content": "#define BORINGSSL_PREFIX CNIOBoringSSL\n// This file is generated from a similarly-named Perl script in the BoringSSL\n// source tree. Do not edit by hand.\n\n#include \n\n#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86) && defined(__ELF__)\n.text\n.globl\tsha512_block_data_order_nohw\n.hidden\tsha512_block_data_order_nohw\n.type\tsha512_block_data_order_nohw,@function\n.align\t16\nsha512_block_data_order_nohw:\n.L_sha512_block_data_order_nohw_begin:\n\tpushl\t%ebp\n\tpushl\t%ebx\n\tpushl\t%esi\n\tpushl\t%edi\n\tmovl\t20(%esp),%esi\n\tmovl\t24(%esp),%edi\n\tmovl\t28(%esp),%eax\n\tmovl\t%esp,%ebx\n\tcall\t.L000pic_point\n.L000pic_point:\n\tpopl\t%ebp\n\tleal\t.LK512-.L000pic_point(%ebp),%ebp\n\tsubl\t$16,%esp\n\tandl\t$-64,%esp\n\tshll\t$7,%eax\n\taddl\t%edi,%eax\n\tmovl\t%esi,(%esp)\n\tmovl\t%edi,4(%esp)\n\tmovl\t%eax,8(%esp)\n\tmovl\t%ebx,12(%esp)\n\tmovq\t(%esi),%mm0\n\tmovq\t8(%esi),%mm1\n\tmovq\t16(%esi),%mm2\n\tmovq\t24(%esi),%mm3\n\tmovq\t32(%esi),%mm4\n\tmovq\t40(%esi),%mm5\n\tmovq\t48(%esi),%mm6\n\tmovq\t56(%esi),%mm7\n\tsubl\t$80,%esp\n\tjmp\t.L001loop_sse2\n.align\t16\n.L001loop_sse2:\n\tmovq\t%mm1,8(%esp)\n\tmovq\t%mm2,16(%esp)\n\tmovq\t%mm3,24(%esp)\n\tmovq\t%mm5,40(%esp)\n\tmovq\t%mm6,48(%esp)\n\tpxor\t%mm1,%mm2\n\tmovq\t%mm7,56(%esp)\n\tmovq\t%mm0,%mm3\n\tmovl\t(%edi),%eax\n\tmovl\t4(%edi),%ebx\n\taddl\t$8,%edi\n\tmovl\t$15,%edx\n\tbswap\t%eax\n\tbswap\t%ebx\n\tjmp\t.L00200_14_sse2\n.align\t16\n.L00200_14_sse2:\n\tmovd\t%eax,%mm1\n\tmovl\t(%edi),%eax\n\tmovd\t%ebx,%mm7\n\tmovl\t4(%edi),%ebx\n\taddl\t$8,%edi\n\tbswap\t%eax\n\tbswap\t%ebx\n\tpunpckldq\t%mm1,%mm7\n\tmovq\t%mm4,%mm1\n\tpxor\t%mm6,%mm5\n\tpsrlq\t$14,%mm1\n\tmovq\t%mm4,32(%esp)\n\tpand\t%mm4,%mm5\n\tpsllq\t$23,%mm4\n\tmovq\t%mm3,%mm0\n\tmovq\t%mm7,72(%esp)\n\tmovq\t%mm1,%mm3\n\tpsrlq\t$4,%mm1\n\tpxor\t%mm6,%mm5\n\tpxor\t%mm4,%mm3\n\tpsllq\t$23,%mm4\n\tpxor\t%mm1,%mm3\n\tmovq\t%mm0,(%esp)\n\tpaddq\t%mm5,%mm7\n\tpxor\t%mm4,%mm3\n\tpsrlq\t$23,%mm1\n\tpaddq\t56(%esp),%mm7\n\tpxor\t%mm1,%mm3\n\tpsllq\t$4,%mm4\n\tpaddq\t(%ebp),%mm7\n\tpxor\t%mm4,%mm3\n\tmovq\t24(%esp),%mm4\n\tpaddq\t%mm7,%mm3\n\tmovq\t%mm0,%mm5\n\tpsrlq\t$28,%mm5\n\tpaddq\t%mm3,%mm4\n\tmovq\t%mm0,%mm6\n\tmovq\t%mm5,%mm7\n\tpsllq\t$25,%mm6\n\tmovq\t8(%esp),%mm1\n\tpsrlq\t$6,%mm5\n\tpxor\t%mm6,%mm7\n\tsubl\t$8,%esp\n\tpsllq\t$5,%mm6\n\tpxor\t%mm5,%mm7\n\tpxor\t%mm1,%mm0\n\tpsrlq\t$5,%mm5\n\tpxor\t%mm6,%mm7\n\tpand\t%mm0,%mm2\n\tpsllq\t$6,%mm6\n\tpxor\t%mm5,%mm7\n\tpxor\t%mm1,%mm2\n\tpxor\t%mm7,%mm6\n\tmovq\t40(%esp),%mm5\n\tpaddq\t%mm2,%mm3\n\tmovq\t%mm0,%mm2\n\taddl\t$8,%ebp\n\tpaddq\t%mm6,%mm3\n\tmovq\t48(%esp),%mm6\n\tdecl\t%edx\n\tjnz\t.L00200_14_sse2\n\tmovd\t%eax,%mm1\n\tmovd\t%ebx,%mm7\n\tpunpckldq\t%mm1,%mm7\n\tmovq\t%mm4,%mm1\n\tpxor\t%mm6,%mm5\n\tpsrlq\t$14,%mm1\n\tmovq\t%mm4,32(%esp)\n\tpand\t%mm4,%mm5\n\tpsllq\t$23,%mm4\n\tmovq\t%mm3,%mm0\n\tmovq\t%mm7,72(%esp)\n\tmovq\t%mm1,%mm3\n\tpsrlq\t$4,%mm1\n\tpxor\t%mm6,%mm5\n\tpxor\t%mm4,%mm3\n\tpsllq\t$23,%mm4\n\tpxor\t%mm1,%mm3\n\tmovq\t%mm0,(%esp)\n\tpaddq\t%mm5,%mm7\n\tpxor\t%mm4,%mm3\n\tpsrlq\t$23,%mm1\n\tpaddq\t56(%esp),%mm7\n\tpxor\t%mm1,%mm3\n\tpsllq\t$4,%mm4\n\tpaddq\t(%ebp),%mm7\n\tpxor\t%mm4,%mm3\n\tmovq\t24(%esp),%mm4\n\tpaddq\t%mm7,%mm3\n\tmovq\t%mm0,%mm5\n\tpsrlq\t$28,%mm5\n\tpaddq\t%mm3,%mm4\n\tmovq\t%mm0,%mm6\n\tmovq\t%mm5,%mm7\n\tpsllq\t$25,%mm6\n\tmovq\t8(%esp),%mm1\n\tpsrlq\t$6,%mm5\n\tpxor\t%mm6,%mm7\n\tsubl\t$8,%esp\n\tpsllq\t$5,%mm6\n\tpxor\t%mm5,%mm7\n\tpxor\t%mm1,%mm0\n\tpsrlq\t$5,%mm5\n\tpxor\t%mm6,%mm7\n\tpand\t%mm0,%mm2\n\tpsllq\t$6,%mm6\n\tpxor\t%mm5,%mm7\n\tpxor\t%mm1,%mm2\n\tpxor\t%mm7,%mm6\n\tmovq\t192(%esp),%mm7\n\tpaddq\t%mm2,%mm3\n\tmovq\t%mm0,%mm2\n\taddl\t$8,%ebp\n\tpaddq\t%mm6,%mm3\n\tpxor\t%mm0,%mm0\n\tmovl\t$32,%edx\n\tjmp\t.L00316_79_sse2\n.align\t16\n.L00316_79_sse2:\n\tmovq\t88(%esp),%mm5\n\tmovq\t%mm7,%mm1\n\tpsrlq\t$1,%mm7\n\tmovq\t%mm5,%mm6\n\tpsrlq\t$6,%mm5\n\tpsllq\t$56,%mm1\n\tpaddq\t%mm3,%mm0\n\tmovq\t%mm7,%mm3\n\tpsrlq\t$6,%mm7\n\tpxor\t%mm1,%mm3\n\tpsllq\t$7,%mm1\n\tpxor\t%mm7,%mm3\n\tpsrlq\t$1,%mm7\n\tpxor\t%mm1,%mm3\n\tmovq\t%mm5,%mm1\n\tpsrlq\t$13,%mm5\n\tpxor\t%mm3,%mm7\n\tpsllq\t$3,%mm6\n\tpxor\t%mm5,%mm1\n\tpaddq\t200(%esp),%mm7\n\tpxor\t%mm6,%mm1\n\tpsrlq\t$42,%mm5\n\tpaddq\t128(%esp),%mm7\n\tpxor\t%mm5,%mm1\n\tpsllq\t$42,%mm6\n\tmovq\t40(%esp),%mm5\n\tpxor\t%mm6,%mm1\n\tmovq\t48(%esp),%mm6\n\tpaddq\t%mm1,%mm7\n\tmovq\t%mm4,%mm1\n\tpxor\t%mm6,%mm5\n\tpsrlq\t$14,%mm1\n\tmovq\t%mm4,32(%esp)\n\tpand\t%mm4,%mm5\n\tpsllq\t$23,%mm4\n\tmovq\t%mm7,72(%esp)\n\tmovq\t%mm1,%mm3\n\tpsrlq\t$4,%mm1\n\tpxor\t%mm6,%mm5\n\tpxor\t%mm4,%mm3\n\tpsllq\t$23,%mm4\n\tpxor\t%mm1,%mm3\n\tmovq\t%mm0,(%esp)\n\tpaddq\t%mm5,%mm7\n\tpxor\t%mm4,%mm3\n\tpsrlq\t$23,%mm1\n\tpaddq\t56(%esp),%mm7\n\tpxor\t%mm1,%mm3\n\tpsllq\t$4,%mm4\n\tpaddq\t(%ebp),%mm7\n\tpxor\t%mm4,%mm3\n\tmovq\t24(%esp),%mm4\n\tpaddq\t%mm7,%mm3\n\tmovq\t%mm0,%mm5\n\tpsrlq\t$28,%mm5\n\tpaddq\t%mm3,%mm4\n\tmovq\t%mm0,%mm6\n\tmovq\t%mm5,%mm7\n\tpsllq\t$25,%mm6\n\tmovq\t8(%esp),%mm1\n\tpsrlq\t$6,%mm5\n\tpxor\t%mm6,%mm7\n\tsubl\t$8,%esp\n\tpsllq\t$5,%mm6\n\tpxor\t%mm5,%mm7\n\tpxor\t%mm1,%mm0\n\tpsrlq\t$5,%mm5\n\tpxor\t%mm6,%mm7\n\tpand\t%mm0,%mm2\n\tpsllq\t$6,%mm6\n\tpxor\t%mm5,%mm7\n\tpxor\t%mm1,%mm2\n\tpxor\t%mm7,%mm6\n\tmovq\t192(%esp),%mm7\n\tpaddq\t%mm6,%mm2\n\taddl\t$8,%ebp\n\tmovq\t88(%esp),%mm5\n\tmovq\t%mm7,%mm1\n\tpsrlq\t$1,%mm7\n\tmovq\t%mm5,%mm6\n\tpsrlq\t$6,%mm5\n\tpsllq\t$56,%mm1\n\tpaddq\t%mm3,%mm2\n\tmovq\t%mm7,%mm3\n\tpsrlq\t$6,%mm7\n\tpxor\t%mm1,%mm3\n\tpsllq\t$7,%mm1\n\tpxor\t%mm7,%mm3\n\tpsrlq\t$1,%mm7\n\tpxor\t%mm1,%mm3\n\tmovq\t%mm5,%mm1\n\tpsrlq\t$13,%mm5\n\tpxor\t%mm3,%mm7\n\tpsllq\t$3,%mm6\n\tpxor\t%mm5,%mm1\n\tpaddq\t200(%esp),%mm7\n\tpxor\t%mm6,%mm1\n\tpsrlq\t$42,%mm5\n\tpaddq\t128(%esp),%mm7\n\tpxor\t%mm5,%mm1\n\tpsllq\t$42,%mm6\n\tmovq\t40(%esp),%mm5\n\tpxor\t%mm6,%mm1\n\tmovq\t48(%esp),%mm6\n\tpaddq\t%mm1,%mm7\n\tmovq\t%mm4,%mm1\n\tpxor\t%mm6,%mm5\n\tpsrlq\t$14,%mm1\n\tmovq\t%mm4,32(%esp)\n\tpand\t%mm4,%mm5\n\tpsllq\t$23,%mm4\n\tmovq\t%mm7,72(%esp)\n\tmovq\t%mm1,%mm3\n\tpsrlq\t$4,%mm1\n\tpxor\t%mm6,%mm5\n\tpxor\t%mm4,%mm3\n\tpsllq\t$23,%mm4\n\tpxor\t%mm1,%mm3\n\tmovq\t%mm2,(%esp)\n\tpaddq\t%mm5,%mm7\n\tpxor\t%mm4,%mm3\n\tpsrlq\t$23,%mm1\n\tpaddq\t56(%esp),%mm7\n\tpxor\t%mm1,%mm3\n\tpsllq\t$4,%mm4\n\tpaddq\t(%ebp),%mm7\n\tpxor\t%mm4,%mm3\n\tmovq\t24(%esp),%mm4\n\tpaddq\t%mm7,%mm3\n\tmovq\t%mm2,%mm5\n\tpsrlq\t$28,%mm5\n\tpaddq\t%mm3,%mm4\n\tmovq\t%mm2,%mm6\n\tmovq\t%mm5,%mm7\n\tpsllq\t$25,%mm6\n\tmovq\t8(%esp),%mm1\n\tpsrlq\t$6,%mm5\n\tpxor\t%mm6,%mm7\n\tsubl\t$8,%esp\n\tpsllq\t$5,%mm6\n\tpxor\t%mm5,%mm7\n\tpxor\t%mm1,%mm2\n\tpsrlq\t$5,%mm5\n\tpxor\t%mm6,%mm7\n\tpand\t%mm2,%mm0\n\tpsllq\t$6,%mm6\n\tpxor\t%mm5,%mm7\n\tpxor\t%mm1,%mm0\n\tpxor\t%mm7,%mm6\n\tmovq\t192(%esp),%mm7\n\tpaddq\t%mm6,%mm0\n\taddl\t$8,%ebp\n\tdecl\t%edx\n\tjnz\t.L00316_79_sse2\n\tpaddq\t%mm3,%mm0\n\tmovq\t8(%esp),%mm1\n\tmovq\t24(%esp),%mm3\n\tmovq\t40(%esp),%mm5\n\tmovq\t48(%esp),%mm6\n\tmovq\t56(%esp),%mm7\n\tpxor\t%mm1,%mm2\n\tpaddq\t(%esi),%mm0\n\tpaddq\t8(%esi),%mm1\n\tpaddq\t16(%esi),%mm2\n\tpaddq\t24(%esi),%mm3\n\tpaddq\t32(%esi),%mm4\n\tpaddq\t40(%esi),%mm5\n\tpaddq\t48(%esi),%mm6\n\tpaddq\t56(%esi),%mm7\n\tmovl\t$640,%eax\n\tmovq\t%mm0,(%esi)\n\tmovq\t%mm1,8(%esi)\n\tmovq\t%mm2,16(%esi)\n\tmovq\t%mm3,24(%esi)\n\tmovq\t%mm4,32(%esi)\n\tmovq\t%mm5,40(%esi)\n\tmovq\t%mm6,48(%esi)\n\tmovq\t%mm7,56(%esi)\n\tleal\t(%esp,%eax,1),%esp\n\tsubl\t%eax,%ebp\n\tcmpl\t88(%esp),%edi\n\tjb\t.L001loop_sse2\n\tmovl\t92(%esp),%esp\n\temms\n\tpopl\t%edi\n\tpopl\t%esi\n\tpopl\t%ebx\n\tpopl\t%ebp\n\tret\n.size\tsha512_block_data_order_nohw,.-.L_sha512_block_data_order_nohw_begin\n.globl\tsha512_block_data_order_ssse3\n.hidden\tsha512_block_data_order_ssse3\n.type\tsha512_block_data_order_ssse3,@function\n.align\t16\nsha512_block_data_order_ssse3:\n.L_sha512_block_data_order_ssse3_begin:\n\tpushl\t%ebp\n\tpushl\t%ebx\n\tpushl\t%esi\n\tpushl\t%edi\n\tmovl\t20(%esp),%esi\n\tmovl\t24(%esp),%edi\n\tmovl\t28(%esp),%eax\n\tmovl\t%esp,%ebx\n\tcall\t.L004pic_point\n.L004pic_point:\n\tpopl\t%ebp\n\tleal\t.LK512-.L004pic_point(%ebp),%ebp\n\tsubl\t$16,%esp\n\tandl\t$-64,%esp\n\tshll\t$7,%eax\n\taddl\t%edi,%eax\n\tmovl\t%esi,(%esp)\n\tmovl\t%edi,4(%esp)\n\tmovl\t%eax,8(%esp)\n\tmovl\t%ebx,12(%esp)\n\tmovq\t(%esi),%mm0\n\tmovq\t8(%esi),%mm1\n\tmovq\t16(%esi),%mm2\n\tmovq\t24(%esi),%mm3\n\tmovq\t32(%esi),%mm4\n\tmovq\t40(%esi),%mm5\n\tmovq\t48(%esi),%mm6\n\tmovq\t56(%esi),%mm7\n\tleal\t-64(%esp),%edx\n\tsubl\t$256,%esp\n\tmovdqa\t640(%ebp),%xmm1\n\tmovdqu\t(%edi),%xmm0\n.byte\t102,15,56,0,193\n\tmovdqa\t(%ebp),%xmm3\n\tmovdqa\t%xmm1,%xmm2\n\tmovdqu\t16(%edi),%xmm1\n\tpaddq\t%xmm0,%xmm3\n.byte\t102,15,56,0,202\n\tmovdqa\t%xmm3,-128(%edx)\n\tmovdqa\t16(%ebp),%xmm4\n\tmovdqa\t%xmm2,%xmm3\n\tmovdqu\t32(%edi),%xmm2\n\tpaddq\t%xmm1,%xmm4\n.byte\t102,15,56,0,211\n\tmovdqa\t%xmm4,-112(%edx)\n\tmovdqa\t32(%ebp),%xmm5\n\tmovdqa\t%xmm3,%xmm4\n\tmovdqu\t48(%edi),%xmm3\n\tpaddq\t%xmm2,%xmm5\n.byte\t102,15,56,0,220\n\tmovdqa\t%xmm5,-96(%edx)\n\tmovdqa\t48(%ebp),%xmm6\n\tmovdqa\t%xmm4,%xmm5\n\tmovdqu\t64(%edi),%xmm4\n\tpaddq\t%xmm3,%xmm6\n.byte\t102,15,56,0,229\n\tmovdqa\t%xmm6,-80(%edx)\n\tmovdqa\t64(%ebp),%xmm7\n\tmovdqa\t%xmm5,%xmm6\n\tmovdqu\t80(%edi),%xmm5\n\tpaddq\t%xmm4,%xmm7\n.byte\t102,15,56,0,238\n\tmovdqa\t%xmm7,-64(%edx)\n\tmovdqa\t%xmm0,(%edx)\n\tmovdqa\t80(%ebp),%xmm0\n\tmovdqa\t%xmm6,%xmm7\n\tmovdqu\t96(%edi),%xmm6\n\tpaddq\t%xmm5,%xmm0\n.byte\t102,15,56,0,247\n\tmovdqa\t%xmm0,-48(%edx)\n\tmovdqa\t%xmm1,16(%edx)\n\tmovdqa\t96(%ebp),%xmm1\n\tmovdqa\t%xmm7,%xmm0\n\tmovdqu\t112(%edi),%xmm7\n\tpaddq\t%xmm6,%xmm1\n.byte\t102,15,56,0,248\n\tmovdqa\t%xmm1,-32(%edx)\n\tmovdqa\t%xmm2,32(%edx)\n\tmovdqa\t112(%ebp),%xmm2\n\tmovdqa\t(%edx),%xmm0\n\tpaddq\t%xmm7,%xmm2\n\tmovdqa\t%xmm2,-16(%edx)\n\tnop\n.align\t32\n.L005loop_ssse3:\n\tmovdqa\t16(%edx),%xmm2\n\tmovdqa\t%xmm3,48(%edx)\n\tleal\t128(%ebp),%ebp\n\tmovq\t%mm1,8(%esp)\n\tmovl\t%edi,%ebx\n\tmovq\t%mm2,16(%esp)\n\tleal\t128(%edi),%edi\n\tmovq\t%mm3,24(%esp)\n\tcmpl\t%eax,%edi\n\tmovq\t%mm5,40(%esp)\n\tcmovbl\t%edi,%ebx\n\tmovq\t%mm6,48(%esp)\n\tmovl\t$4,%ecx\n\tpxor\t%mm1,%mm2\n\tmovq\t%mm7,56(%esp)\n\tpxor\t%mm3,%mm3\n\tjmp\t.L00600_47_ssse3\n.align\t32\n.L00600_47_ssse3:\n\tmovdqa\t%xmm5,%xmm3\n\tmovdqa\t%xmm2,%xmm1\n.byte\t102,15,58,15,208,8\n\tmovdqa\t%xmm4,(%edx)\n.byte\t102,15,58,15,220,8\n\tmovdqa\t%xmm2,%xmm4\n\tpsrlq\t$7,%xmm2\n\tpaddq\t%xmm3,%xmm0\n\tmovdqa\t%xmm4,%xmm3\n\tpsrlq\t$1,%xmm4\n\tpsllq\t$56,%xmm3\n\tpxor\t%xmm4,%xmm2\n\tpsrlq\t$7,%xmm4\n\tpxor\t%xmm3,%xmm2\n\tpsllq\t$7,%xmm3\n\tpxor\t%xmm4,%xmm2\n\tmovdqa\t%xmm7,%xmm4\n\tpxor\t%xmm3,%xmm2\n\tmovdqa\t%xmm7,%xmm3\n\tpsrlq\t$6,%xmm4\n\tpaddq\t%xmm2,%xmm0\n\tmovdqa\t%xmm7,%xmm2\n\tpsrlq\t$19,%xmm3\n\tpsllq\t$3,%xmm2\n\tpxor\t%xmm3,%xmm4\n\tpsrlq\t$42,%xmm3\n\tpxor\t%xmm2,%xmm4\n\tpsllq\t$42,%xmm2\n\tpxor\t%xmm3,%xmm4\n\tmovdqa\t32(%edx),%xmm3\n\tpxor\t%xmm2,%xmm4\n\tmovdqa\t(%ebp),%xmm2\n\tmovq\t%mm4,%mm1\n\tpaddq\t%xmm4,%xmm0\n\tmovq\t-128(%edx),%mm7\n\tpxor\t%mm6,%mm5\n\tpsrlq\t$14,%mm1\n\tmovq\t%mm4,32(%esp)\n\tpaddq\t%xmm0,%xmm2\n\tpand\t%mm4,%mm5\n\tpsllq\t$23,%mm4\n\tpaddq\t%mm3,%mm0\n\tmovq\t%mm1,%mm3\n\tpsrlq\t$4,%mm1\n\tpxor\t%mm6,%mm5\n\tpxor\t%mm4,%mm3\n\tpsllq\t$23,%mm4\n\tpxor\t%mm1,%mm3\n\tmovq\t%mm0,(%esp)\n\tpaddq\t%mm5,%mm7\n\tpxor\t%mm4,%mm3\n\tpsrlq\t$23,%mm1\n\tpaddq\t56(%esp),%mm7\n\tpxor\t%mm1,%mm3\n\tpsllq\t$4,%mm4\n\tpxor\t%mm4,%mm3\n\tmovq\t24(%esp),%mm4\n\tpaddq\t%mm7,%mm3\n\tmovq\t%mm0,%mm5\n\tpsrlq\t$28,%mm5\n\tpaddq\t%mm3,%mm4\n\tmovq\t%mm0,%mm6\n\tmovq\t%mm5,%mm7\n\tpsllq\t$25,%mm6\n\tmovq\t8(%esp),%mm1\n\tpsrlq\t$6,%mm5\n\tpxor\t%mm6,%mm7\n\tpsllq\t$5,%mm6\n\tpxor\t%mm5,%mm7\n\tpxor\t%mm1,%mm0\n\tpsrlq\t$5,%mm5\n\tpxor\t%mm6,%mm7\n\tpand\t%mm0,%mm2\n\tpsllq\t$6,%mm6\n\tpxor\t%mm5,%mm7\n\tpxor\t%mm1,%mm2\n\tpxor\t%mm7,%mm6\n\tmovq\t32(%esp),%mm5\n\tpaddq\t%mm6,%mm2\n\tmovq\t40(%esp),%mm6\n\tmovq\t%mm4,%mm1\n\tmovq\t-120(%edx),%mm7\n\tpxor\t%mm6,%mm5\n\tpsrlq\t$14,%mm1\n\tmovq\t%mm4,24(%esp)\n\tpand\t%mm4,%mm5\n\tpsllq\t$23,%mm4\n\tpaddq\t%mm3,%mm2\n\tmovq\t%mm1,%mm3\n\tpsrlq\t$4,%mm1\n\tpxor\t%mm6,%mm5\n\tpxor\t%mm4,%mm3\n\tpsllq\t$23,%mm4\n\tpxor\t%mm1,%mm3\n\tmovq\t%mm2,56(%esp)\n\tpaddq\t%mm5,%mm7\n\tpxor\t%mm4,%mm3\n\tpsrlq\t$23,%mm1\n\tpaddq\t48(%esp),%mm7\n\tpxor\t%mm1,%mm3\n\tpsllq\t$4,%mm4\n\tpxor\t%mm4,%mm3\n\tmovq\t16(%esp),%mm4\n\tpaddq\t%mm7,%mm3\n\tmovq\t%mm2,%mm5\n\tpsrlq\t$28,%mm5\n\tpaddq\t%mm3,%mm4\n\tmovq\t%mm2,%mm6\n\tmovq\t%mm5,%mm7\n\tpsllq\t$25,%mm6\n\tmovq\t(%esp),%mm1\n\tpsrlq\t$6,%mm5\n\tpxor\t%mm6,%mm7\n\tpsllq\t$5,%mm6\n\tpxor\t%mm5,%mm7\n\tpxor\t%mm1,%mm2\n\tpsrlq\t$5,%mm5\n\tpxor\t%mm6,%mm7\n\tpand\t%mm2,%mm0\n\tpsllq\t$6,%mm6\n\tpxor\t%mm5,%mm7\n\tpxor\t%mm1,%mm0\n\tpxor\t%mm7,%mm6\n\tmovq\t24(%esp),%mm5\n\tpaddq\t%mm6,%mm0\n\tmovq\t32(%esp),%mm6\n\tmovdqa\t%xmm2,-128(%edx)\n\tmovdqa\t%xmm6,%xmm4\n\tmovdqa\t%xmm3,%xmm2\n.byte\t102,15,58,15,217,8\n\tmovdqa\t%xmm5,16(%edx)\n.byte\t102,15,58,15,229,8\n\tmovdqa\t%xmm3,%xmm5\n\tpsrlq\t$7,%xmm3\n\tpaddq\t%xmm4,%xmm1\n\tmovdqa\t%xmm5,%xmm4\n\tpsrlq\t$1,%xmm5\n\tpsllq\t$56,%xmm4\n\tpxor\t%xmm5,%xmm3\n\tpsrlq\t$7,%xmm5\n\tpxor\t%xmm4,%xmm3\n\tpsllq\t$7,%xmm4\n\tpxor\t%xmm5,%xmm3\n\tmovdqa\t%xmm0,%xmm5\n\tpxor\t%xmm4,%xmm3\n\tmovdqa\t%xmm0,%xmm4\n\tpsrlq\t$6,%xmm5\n\tpaddq\t%xmm3,%xmm1\n\tmovdqa\t%xmm0,%xmm3\n\tpsrlq\t$19,%xmm4\n\tpsllq\t$3,%xmm3\n\tpxor\t%xmm4,%xmm5\n\tpsrlq\t$42,%xmm4\n\tpxor\t%xmm3,%xmm5\n\tpsllq\t$42,%xmm3\n\tpxor\t%xmm4,%xmm5\n\tmovdqa\t48(%edx),%xmm4\n\tpxor\t%xmm3,%xmm5\n\tmovdqa\t16(%ebp),%xmm3\n\tmovq\t%mm4,%mm1\n\tpaddq\t%xmm5,%xmm1\n\tmovq\t-112(%edx),%mm7\n\tpxor\t%mm6,%mm5\n\tpsrlq\t$14,%mm1\n\tmovq\t%mm4,16(%esp)\n\tpaddq\t%xmm1,%xmm3\n\tpand\t%mm4,%mm5\n\tpsllq\t$23,%mm4\n\tpaddq\t%mm3,%mm0\n\tmovq\t%mm1,%mm3\n\tpsrlq\t$4,%mm1\n\tpxor\t%mm6,%mm5\n\tpxor\t%mm4,%mm3\n\tpsllq\t$23,%mm4\n\tpxor\t%mm1,%mm3\n\tmovq\t%mm0,48(%esp)\n\tpaddq\t%mm5,%mm7\n\tpxor\t%mm4,%mm3\n\tpsrlq\t$23,%mm1\n\tpaddq\t40(%esp),%mm7\n\tpxor\t%mm1,%mm3\n\tpsllq\t$4,%mm4\n\tpxor\t%mm4,%mm3\n\tmovq\t8(%esp),%mm4\n\tpaddq\t%mm7,%mm3\n\tmovq\t%mm0,%mm5\n\tpsrlq\t$28,%mm5\n\tpaddq\t%mm3,%mm4\n\tmovq\t%mm0,%mm6\n\tmovq\t%mm5,%mm7\n\tpsllq\t$25,%mm6\n\tmovq\t56(%esp),%mm1\n\tpsrlq\t$6,%mm5\n\tpxor\t%mm6,%mm7\n\tpsllq\t$5,%mm6\n\tpxor\t%mm5,%mm7\n\tpxor\t%mm1,%mm0\n\tpsrlq\t$5,%mm5\n\tpxor\t%mm6,%mm7\n\tpand\t%mm0,%mm2\n\tpsllq\t$6,%mm6\n\tpxor\t%mm5,%mm7\n\tpxor\t%mm1,%mm2\n\tpxor\t%mm7,%mm6\n\tmovq\t16(%esp),%mm5\n\tpaddq\t%mm6,%mm2\n\tmovq\t24(%esp),%mm6\n\tmovq\t%mm4,%mm1\n\tmovq\t-104(%edx),%mm7\n\tpxor\t%mm6,%mm5\n\tpsrlq\t$14,%mm1\n\tmovq\t%mm4,8(%esp)\n\tpand\t%mm4,%mm5\n\tpsllq\t$23,%mm4\n\tpaddq\t%mm3,%mm2\n\tmovq\t%mm1,%mm3\n\tpsrlq\t$4,%mm1\n\tpxor\t%mm6,%mm5\n\tpxor\t%mm4,%mm3\n\tpsllq\t$23,%mm4\n\tpxor\t%mm1,%mm3\n\tmovq\t%mm2,40(%esp)\n\tpaddq\t%mm5,%mm7\n\tpxor\t%mm4,%mm3\n\tpsrlq\t$23,%mm1\n\tpaddq\t32(%esp),%mm7\n\tpxor\t%mm1,%mm3\n\tpsllq\t$4,%mm4\n\tpxor\t%mm4,%mm3\n\tmovq\t(%esp),%mm4\n\tpaddq\t%mm7,%mm3\n\tmovq\t%mm2,%mm5\n\tpsrlq\t$28,%mm5\n\tpaddq\t%mm3,%mm4\n\tmovq\t%mm2,%mm6\n\tmovq\t%mm5,%mm7\n\tpsllq\t$25,%mm6\n\tmovq\t48(%esp),%mm1\n\tpsrlq\t$6,%mm5\n\tpxor\t%mm6,%mm7\n\tpsllq\t$5,%mm6\n\tpxor\t%mm5,%mm7\n\tpxor\t%mm1,%mm2\n\tpsrlq\t$5,%mm5\n\tpxor\t%mm6,%mm7\n\tpand\t%mm2,%mm0\n\tpsllq\t$6,%mm6\n\tpxor\t%mm5,%mm7\n\tpxor\t%mm1,%mm0\n\tpxor\t%mm7,%mm6\n\tmovq\t8(%esp),%mm5\n\tpaddq\t%mm6,%mm0\n\tmovq\t16(%esp),%mm6\n\tmovdqa\t%xmm3,-112(%edx)\n\tmovdqa\t%xmm7,%xmm5\n\tmovdqa\t%xmm4,%xmm3\n.byte\t102,15,58,15,226,8\n\tmovdqa\t%xmm6,32(%edx)\n.byte\t102,15,58,15,238,8\n\tmovdqa\t%xmm4,%xmm6\n\tpsrlq\t$7,%xmm4\n\tpaddq\t%xmm5,%xmm2\n\tmovdqa\t%xmm6,%xmm5\n\tpsrlq\t$1,%xmm6\n\tpsllq\t$56,%xmm5\n\tpxor\t%xmm6,%xmm4\n\tpsrlq\t$7,%xmm6\n\tpxor\t%xmm5,%xmm4\n\tpsllq\t$7,%xmm5\n\tpxor\t%xmm6,%xmm4\n\tmovdqa\t%xmm1,%xmm6\n\tpxor\t%xmm5,%xmm4\n\tmovdqa\t%xmm1,%xmm5\n\tpsrlq\t$6,%xmm6\n\tpaddq\t%xmm4,%xmm2\n\tmovdqa\t%xmm1,%xmm4\n\tpsrlq\t$19,%xmm5\n\tpsllq\t$3,%xmm4\n\tpxor\t%xmm5,%xmm6\n\tpsrlq\t$42,%xmm5\n\tpxor\t%xmm4,%xmm6\n\tpsllq\t$42,%xmm4\n\tpxor\t%xmm5,%xmm6\n\tmovdqa\t(%edx),%xmm5\n\tpxor\t%xmm4,%xmm6\n\tmovdqa\t32(%ebp),%xmm4\n\tmovq\t%mm4,%mm1\n\tpaddq\t%xmm6,%xmm2\n\tmovq\t-96(%edx),%mm7\n\tpxor\t%mm6,%mm5\n\tpsrlq\t$14,%mm1\n\tmovq\t%mm4,(%esp)\n\tpaddq\t%xmm2,%xmm4\n\tpand\t%mm4,%mm5\n\tpsllq\t$23,%mm4\n\tpaddq\t%mm3,%mm0\n\tmovq\t%mm1,%mm3\n\tpsrlq\t$4,%mm1\n\tpxor\t%mm6,%mm5\n\tpxor\t%mm4,%mm3\n\tpsllq\t$23,%mm4\n\tpxor\t%mm1,%mm3\n\tmovq\t%mm0,32(%esp)\n\tpaddq\t%mm5,%mm7\n\tpxor\t%mm4,%mm3\n\tpsrlq\t$23,%mm1\n\tpaddq\t24(%esp),%mm7\n\tpxor\t%mm1,%mm3\n\tpsllq\t$4,%mm4\n\tpxor\t%mm4,%mm3\n\tmovq\t56(%esp),%mm4\n\tpaddq\t%mm7,%mm3\n\tmovq\t%mm0,%mm5\n\tpsrlq\t$28,%mm5\n\tpaddq\t%mm3,%mm4\n\tmovq\t%mm0,%mm6\n\tmovq\t%mm5,%mm7\n\tpsllq\t$25,%mm6\n\tmovq\t40(%esp),%mm1\n\tpsrlq\t$6,%mm5\n\tpxor\t%mm6,%mm7\n\tpsllq\t$5,%mm6\n\tpxor\t%mm5,%mm7\n\tpxor\t%mm1,%mm0\n\tpsrlq\t$5,%mm5\n\tpxor\t%mm6,%mm7\n\tpand\t%mm0,%mm2\n\tpsllq\t$6,%mm6\n\tpxor\t%mm5,%mm7\n\tpxor\t%mm1,%mm2\n\tpxor\t%mm7,%mm6\n\tmovq\t(%esp),%mm5\n\tpaddq\t%mm6,%mm2\n\tmovq\t8(%esp),%mm6\n\tmovq\t%mm4,%mm1\n\tmovq\t-88(%edx),%mm7\n\tpxor\t%mm6,%mm5\n\tpsrlq\t$14,%mm1\n\tmovq\t%mm4,56(%esp)\n\tpand\t%mm4,%mm5\n\tpsllq\t$23,%mm4\n\tpaddq\t%mm3,%mm2\n\tmovq\t%mm1,%mm3\n\tpsrlq\t$4,%mm1\n\tpxor\t%mm6,%mm5\n\tpxor\t%mm4,%mm3\n\tpsllq\t$23,%mm4\n\tpxor\t%mm1,%mm3\n\tmovq\t%mm2,24(%esp)\n\tpaddq\t%mm5,%mm7\n\tpxor\t%mm4,%mm3\n\tpsrlq\t$23,%mm1\n\tpaddq\t16(%esp),%mm7\n\tpxor\t%mm1,%mm3\n\tpsllq\t$4,%mm4\n\tpxor\t%mm4,%mm3\n\tmovq\t48(%esp),%mm4\n\tpaddq\t%mm7,%mm3\n\tmovq\t%mm2,%mm5\n\tpsrlq\t$28,%mm5\n\tpaddq\t%mm3,%mm4\n\tmovq\t%mm2,%mm6\n\tmovq\t%mm5,%mm7\n\tpsllq\t$25,%mm6\n\tmovq\t32(%esp),%mm1\n\tpsrlq\t$6,%mm5\n\tpxor\t%mm6,%mm7\n\tpsllq\t$5,%mm6\n\tpxor\t%mm5,%mm7\n\tpxor\t%mm1,%mm2\n\tpsrlq\t$5,%mm5\n\tpxor\t%mm6,%mm7\n\tpand\t%mm2,%mm0\n\tpsllq\t$6,%mm6\n\tpxor\t%mm5,%mm7\n\tpxor\t%mm1,%mm0\n\tpxor\t%mm7,%mm6\n\tmovq\t56(%esp),%mm5\n\tpaddq\t%mm6,%mm0\n\tmovq\t(%esp),%mm6\n\tmovdqa\t%xmm4,-96(%edx)\n\tmovdqa\t%xmm0,%xmm6\n\tmovdqa\t%xmm5,%xmm4\n.byte\t102,15,58,15,235,8\n\tmovdqa\t%xmm7,48(%edx)\n.byte\t102,15,58,15,247,8\n\tmovdqa\t%xmm5,%xmm7\n\tpsrlq\t$7,%xmm5\n\tpaddq\t%xmm6,%xmm3\n\tmovdqa\t%xmm7,%xmm6\n\tpsrlq\t$1,%xmm7\n\tpsllq\t$56,%xmm6\n\tpxor\t%xmm7,%xmm5\n\tpsrlq\t$7,%xmm7\n\tpxor\t%xmm6,%xmm5\n\tpsllq\t$7,%xmm6\n\tpxor\t%xmm7,%xmm5\n\tmovdqa\t%xmm2,%xmm7\n\tpxor\t%xmm6,%xmm5\n\tmovdqa\t%xmm2,%xmm6\n\tpsrlq\t$6,%xmm7\n\tpaddq\t%xmm5,%xmm3\n\tmovdqa\t%xmm2,%xmm5\n\tpsrlq\t$19,%xmm6\n\tpsllq\t$3,%xmm5\n\tpxor\t%xmm6,%xmm7\n\tpsrlq\t$42,%xmm6\n\tpxor\t%xmm5,%xmm7\n\tpsllq\t$42,%xmm5\n\tpxor\t%xmm6,%xmm7\n\tmovdqa\t16(%edx),%xmm6\n\tpxor\t%xmm5,%xmm7\n\tmovdqa\t48(%ebp),%xmm5\n\tmovq\t%mm4,%mm1\n\tpaddq\t%xmm7,%xmm3\n\tmovq\t-80(%edx),%mm7\n\tpxor\t%mm6,%mm5\n\tpsrlq\t$14,%mm1\n\tmovq\t%mm4,48(%esp)\n\tpaddq\t%xmm3,%xmm5\n\tpand\t%mm4,%mm5\n\tpsllq\t$23,%mm4\n\tpaddq\t%mm3,%mm0\n\tmovq\t%mm1,%mm3\n\tpsrlq\t$4,%mm1\n\tpxor\t%mm6,%mm5\n\tpxor\t%mm4,%mm3\n\tpsllq\t$23,%mm4\n\tpxor\t%mm1,%mm3\n\tmovq\t%mm0,16(%esp)\n\tpaddq\t%mm5,%mm7\n\tpxor\t%mm4,%mm3\n\tpsrlq\t$23,%mm1\n\tpaddq\t8(%esp),%mm7\n\tpxor\t%mm1,%mm3\n\tpsllq\t$4,%mm4\n\tpxor\t%mm4,%mm3\n\tmovq\t40(%esp),%mm4\n\tpaddq\t%mm7,%mm3\n\tmovq\t%mm0,%mm5\n\tpsrlq\t$28,%mm5\n\tpaddq\t%mm3,%mm4\n\tmovq\t%mm0,%mm6\n\tmovq\t%mm5,%mm7\n\tpsllq\t$25,%mm6\n\tmovq\t24(%esp),%mm1\n\tpsrlq\t$6,%mm5\n\tpxor\t%mm6,%mm7\n\tpsllq\t$5,%mm6\n\tpxor\t%mm5,%mm7\n\tpxor\t%mm1,%mm0\n\tpsrlq\t$5,%mm5\n\tpxor\t%mm6,%mm7\n\tpand\t%mm0,%mm2\n\tpsllq\t$6,%mm6\n\tpxor\t%mm5,%mm7\n\tpxor\t%mm1,%mm2\n\tpxor\t%mm7,%mm6\n\tmovq\t48(%esp),%mm5\n\tpaddq\t%mm6,%mm2\n\tmovq\t56(%esp),%mm6\n\tmovq\t%mm4,%mm1\n\tmovq\t-72(%edx),%mm7\n\tpxor\t%mm6,%mm5\n\tpsrlq\t$14,%mm1\n\tmovq\t%mm4,40(%esp)\n\tpand\t%mm4,%mm5\n\tpsllq\t$23,%mm4\n\tpaddq\t%mm3,%mm2\n\tmovq\t%mm1,%mm3\n\tpsrlq\t$4,%mm1\n\tpxor\t%mm6,%mm5\n\tpxor\t%mm4,%mm3\n\tpsllq\t$23,%mm4\n\tpxor\t%mm1,%mm3\n\tmovq\t%mm2,8(%esp)\n\tpaddq\t%mm5,%mm7\n\tpxor\t%mm4,%mm3\n\tpsrlq\t$23,%mm1\n\tpaddq\t(%esp),%mm7\n\tpxor\t%mm1,%mm3\n\tpsllq\t$4,%mm4\n\tpxor\t%mm4,%mm3\n\tmovq\t32(%esp),%mm4\n\tpaddq\t%mm7,%mm3\n\tmovq\t%mm2,%mm5\n\tpsrlq\t$28,%mm5\n\tpaddq\t%mm3,%mm4\n\tmovq\t%mm2,%mm6\n\tmovq\t%mm5,%mm7\n\tpsllq\t$25,%mm6\n\tmovq\t16(%esp),%mm1\n\tpsrlq\t$6,%mm5\n\tpxor\t%mm6,%mm7\n\tpsllq\t$5,%mm6\n\tpxor\t%mm5,%mm7\n\tpxor\t%mm1,%mm2\n\tpsrlq\t$5,%mm5\n\tpxor\t%mm6,%mm7\n\tpand\t%mm2,%mm0\n\tpsllq\t$6,%mm6\n\tpxor\t%mm5,%mm7\n\tpxor\t%mm1,%mm0\n\tpxor\t%mm7,%mm6\n\tmovq\t40(%esp),%mm5\n\tpaddq\t%mm6,%mm0\n\tmovq\t48(%esp),%mm6\n\tmovdqa\t%xmm5,-80(%edx)\n\tmovdqa\t%xmm1,%xmm7\n\tmovdqa\t%xmm6,%xmm5\n.byte\t102,15,58,15,244,8\n\tmovdqa\t%xmm0,(%edx)\n.byte\t102,15,58,15,248,8\n\tmovdqa\t%xmm6,%xmm0\n\tpsrlq\t$7,%xmm6\n\tpaddq\t%xmm7,%xmm4\n\tmovdqa\t%xmm0,%xmm7\n\tpsrlq\t$1,%xmm0\n\tpsllq\t$56,%xmm7\n\tpxor\t%xmm0,%xmm6\n\tpsrlq\t$7,%xmm0\n\tpxor\t%xmm7,%xmm6\n\tpsllq\t$7,%xmm7\n\tpxor\t%xmm0,%xmm6\n\tmovdqa\t%xmm3,%xmm0\n\tpxor\t%xmm7,%xmm6\n\tmovdqa\t%xmm3,%xmm7\n\tpsrlq\t$6,%xmm0\n\tpaddq\t%xmm6,%xmm4\n\tmovdqa\t%xmm3,%xmm6\n\tpsrlq\t$19,%xmm7\n\tpsllq\t$3,%xmm6\n\tpxor\t%xmm7,%xmm0\n\tpsrlq\t$42,%xmm7\n\tpxor\t%xmm6,%xmm0\n\tpsllq\t$42,%xmm6\n\tpxor\t%xmm7,%xmm0\n\tmovdqa\t32(%edx),%xmm7\n\tpxor\t%xmm6,%xmm0\n\tmovdqa\t64(%ebp),%xmm6\n\tmovq\t%mm4,%mm1\n\tpaddq\t%xmm0,%xmm4\n\tmovq\t-64(%edx),%mm7\n\tpxor\t%mm6,%mm5\n\tpsrlq\t$14,%mm1\n\tmovq\t%mm4,32(%esp)\n\tpaddq\t%xmm4,%xmm6\n\tpand\t%mm4,%mm5\n\tpsllq\t$23,%mm4\n\tpaddq\t%mm3,%mm0\n\tmovq\t%mm1,%mm3\n\tpsrlq\t$4,%mm1\n\tpxor\t%mm6,%mm5\n\tpxor\t%mm4,%mm3\n\tpsllq\t$23,%mm4\n\tpxor\t%mm1,%mm3\n\tmovq\t%mm0,(%esp)\n\tpaddq\t%mm5,%mm7\n\tpxor\t%mm4,%mm3\n\tpsrlq\t$23,%mm1\n\tpaddq\t56(%esp),%mm7\n\tpxor\t%mm1,%mm3\n\tpsllq\t$4,%mm4\n\tpxor\t%mm4,%mm3\n\tmovq\t24(%esp),%mm4\n\tpaddq\t%mm7,%mm3\n\tmovq\t%mm0,%mm5\n\tpsrlq\t$28,%mm5\n\tpaddq\t%mm3,%mm4\n\tmovq\t%mm0,%mm6\n\tmovq\t%mm5,%mm7\n\tpsllq\t$25,%mm6\n\tmovq\t8(%esp),%mm1\n\tpsrlq\t$6,%mm5\n\tpxor\t%mm6,%mm7\n\tpsllq\t$5,%mm6\n\tpxor\t%mm5,%mm7\n\tpxor\t%mm1,%mm0\n\tpsrlq\t$5,%mm5\n\tpxor\t%mm6,%mm7\n\tpand\t%mm0,%mm2\n\tpsllq\t$6,%mm6\n\tpxor\t%mm5,%mm7\n\tpxor\t%mm1,%mm2\n\tpxor\t%mm7,%mm6\n\tmovq\t32(%esp),%mm5\n\tpaddq\t%mm6,%mm2\n\tmovq\t40(%esp),%mm6\n\tmovq\t%mm4,%mm1\n\tmovq\t-56(%edx),%mm7\n\tpxor\t%mm6,%mm5\n\tpsrlq\t$14,%mm1\n\tmovq\t%mm4,24(%esp)\n\tpand\t%mm4,%mm5\n\tpsllq\t$23,%mm4\n\tpaddq\t%mm3,%mm2\n\tmovq\t%mm1,%mm3\n\tpsrlq\t$4,%mm1\n\tpxor\t%mm6,%mm5\n\tpxor\t%mm4,%mm3\n\tpsllq\t$23,%mm4\n\tpxor\t%mm1,%mm3\n\tmovq\t%mm2,56(%esp)\n\tpaddq\t%mm5,%mm7\n\tpxor\t%mm4,%mm3\n\tpsrlq\t$23,%mm1\n\tpaddq\t48(%esp),%mm7\n\tpxor\t%mm1,%mm3\n\tpsllq\t$4,%mm4\n\tpxor\t%mm4,%mm3\n\tmovq\t16(%esp),%mm4\n\tpaddq\t%mm7,%mm3\n\tmovq\t%mm2,%mm5\n\tpsrlq\t$28,%mm5\n\tpaddq\t%mm3,%mm4\n\tmovq\t%mm2,%mm6\n\tmovq\t%mm5,%mm7\n\tpsllq\t$25,%mm6\n\tmovq\t(%esp),%mm1\n\tpsrlq\t$6,%mm5\n\tpxor\t%mm6,%mm7\n\tpsllq\t$5,%mm6\n\tpxor\t%mm5,%mm7\n\tpxor\t%mm1,%mm2\n\tpsrlq\t$5,%mm5\n\tpxor\t%mm6,%mm7\n\tpand\t%mm2,%mm0\n\tpsllq\t$6,%mm6\n\tpxor\t%mm5,%mm7\n\tpxor\t%mm1,%mm0\n\tpxor\t%mm7,%mm6\n\tmovq\t24(%esp),%mm5\n\tpaddq\t%mm6,%mm0\n\tmovq\t32(%esp),%mm6\n\tmovdqa\t%xmm6,-64(%edx)\n\tmovdqa\t%xmm2,%xmm0\n\tmovdqa\t%xmm7,%xmm6\n.byte\t102,15,58,15,253,8\n\tmovdqa\t%xmm1,16(%edx)\n.byte\t102,15,58,15,193,8\n\tmovdqa\t%xmm7,%xmm1\n\tpsrlq\t$7,%xmm7\n\tpaddq\t%xmm0,%xmm5\n\tmovdqa\t%xmm1,%xmm0\n\tpsrlq\t$1,%xmm1\n\tpsllq\t$56,%xmm0\n\tpxor\t%xmm1,%xmm7\n\tpsrlq\t$7,%xmm1\n\tpxor\t%xmm0,%xmm7\n\tpsllq\t$7,%xmm0\n\tpxor\t%xmm1,%xmm7\n\tmovdqa\t%xmm4,%xmm1\n\tpxor\t%xmm0,%xmm7\n\tmovdqa\t%xmm4,%xmm0\n\tpsrlq\t$6,%xmm1\n\tpaddq\t%xmm7,%xmm5\n\tmovdqa\t%xmm4,%xmm7\n\tpsrlq\t$19,%xmm0\n\tpsllq\t$3,%xmm7\n\tpxor\t%xmm0,%xmm1\n\tpsrlq\t$42,%xmm0\n\tpxor\t%xmm7,%xmm1\n\tpsllq\t$42,%xmm7\n\tpxor\t%xmm0,%xmm1\n\tmovdqa\t48(%edx),%xmm0\n\tpxor\t%xmm7,%xmm1\n\tmovdqa\t80(%ebp),%xmm7\n\tmovq\t%mm4,%mm1\n\tpaddq\t%xmm1,%xmm5\n\tmovq\t-48(%edx),%mm7\n\tpxor\t%mm6,%mm5\n\tpsrlq\t$14,%mm1\n\tmovq\t%mm4,16(%esp)\n\tpaddq\t%xmm5,%xmm7\n\tpand\t%mm4,%mm5\n\tpsllq\t$23,%mm4\n\tpaddq\t%mm3,%mm0\n\tmovq\t%mm1,%mm3\n\tpsrlq\t$4,%mm1\n\tpxor\t%mm6,%mm5\n\tpxor\t%mm4,%mm3\n\tpsllq\t$23,%mm4\n\tpxor\t%mm1,%mm3\n\tmovq\t%mm0,48(%esp)\n\tpaddq\t%mm5,%mm7\n\tpxor\t%mm4,%mm3\n\tpsrlq\t$23,%mm1\n\tpaddq\t40(%esp),%mm7\n\tpxor\t%mm1,%mm3\n\tpsllq\t$4,%mm4\n\tpxor\t%mm4,%mm3\n\tmovq\t8(%esp),%mm4\n\tpaddq\t%mm7,%mm3\n\tmovq\t%mm0,%mm5\n\tpsrlq\t$28,%mm5\n\tpaddq\t%mm3,%mm4\n\tmovq\t%mm0,%mm6\n\tmovq\t%mm5,%mm7\n\tpsllq\t$25,%mm6\n\tmovq\t56(%esp),%mm1\n\tpsrlq\t$6,%mm5\n\tpxor\t%mm6,%mm7\n\tpsllq\t$5,%mm6\n\tpxor\t%mm5,%mm7\n\tpxor\t%mm1,%mm0\n\tpsrlq\t$5,%mm5\n\tpxor\t%mm6,%mm7\n\tpand\t%mm0,%mm2\n\tpsllq\t$6,%mm6\n\tpxor\t%mm5,%mm7\n\tpxor\t%mm1,%mm2\n\tpxor\t%mm7,%mm6\n\tmovq\t16(%esp),%mm5\n\tpaddq\t%mm6,%mm2\n\tmovq\t24(%esp),%mm6\n\tmovq\t%mm4,%mm1\n\tmovq\t-40(%edx),%mm7\n\tpxor\t%mm6,%mm5\n\tpsrlq\t$14,%mm1\n\tmovq\t%mm4,8(%esp)\n\tpand\t%mm4,%mm5\n\tpsllq\t$23,%mm4\n\tpaddq\t%mm3,%mm2\n\tmovq\t%mm1,%mm3\n\tpsrlq\t$4,%mm1\n\tpxor\t%mm6,%mm5\n\tpxor\t%mm4,%mm3\n\tpsllq\t$23,%mm4\n\tpxor\t%mm1,%mm3\n\tmovq\t%mm2,40(%esp)\n\tpaddq\t%mm5,%mm7\n\tpxor\t%mm4,%mm3\n\tpsrlq\t$23,%mm1\n\tpaddq\t32(%esp),%mm7\n\tpxor\t%mm1,%mm3\n\tpsllq\t$4,%mm4\n\tpxor\t%mm4,%mm3\n\tmovq\t(%esp),%mm4\n\tpaddq\t%mm7,%mm3\n\tmovq\t%mm2,%mm5\n\tpsrlq\t$28,%mm5\n\tpaddq\t%mm3,%mm4\n\tmovq\t%mm2,%mm6\n\tmovq\t%mm5,%mm7\n\tpsllq\t$25,%mm6\n\tmovq\t48(%esp),%mm1\n\tpsrlq\t$6,%mm5\n\tpxor\t%mm6,%mm7\n\tpsllq\t$5,%mm6\n\tpxor\t%mm5,%mm7\n\tpxor\t%mm1,%mm2\n\tpsrlq\t$5,%mm5\n\tpxor\t%mm6,%mm7\n\tpand\t%mm2,%mm0\n\tpsllq\t$6,%mm6\n\tpxor\t%mm5,%mm7\n\tpxor\t%mm1,%mm0\n\tpxor\t%mm7,%mm6\n\tmovq\t8(%esp),%mm5\n\tpaddq\t%mm6,%mm0\n\tmovq\t16(%esp),%mm6\n\tmovdqa\t%xmm7,-48(%edx)\n\tmovdqa\t%xmm3,%xmm1\n\tmovdqa\t%xmm0,%xmm7\n.byte\t102,15,58,15,198,8\n\tmovdqa\t%xmm2,32(%edx)\n.byte\t102,15,58,15,202,8\n\tmovdqa\t%xmm0,%xmm2\n\tpsrlq\t$7,%xmm0\n\tpaddq\t%xmm1,%xmm6\n\tmovdqa\t%xmm2,%xmm1\n\tpsrlq\t$1,%xmm2\n\tpsllq\t$56,%xmm1\n\tpxor\t%xmm2,%xmm0\n\tpsrlq\t$7,%xmm2\n\tpxor\t%xmm1,%xmm0\n\tpsllq\t$7,%xmm1\n\tpxor\t%xmm2,%xmm0\n\tmovdqa\t%xmm5,%xmm2\n\tpxor\t%xmm1,%xmm0\n\tmovdqa\t%xmm5,%xmm1\n\tpsrlq\t$6,%xmm2\n\tpaddq\t%xmm0,%xmm6\n\tmovdqa\t%xmm5,%xmm0\n\tpsrlq\t$19,%xmm1\n\tpsllq\t$3,%xmm0\n\tpxor\t%xmm1,%xmm2\n\tpsrlq\t$42,%xmm1\n\tpxor\t%xmm0,%xmm2\n\tpsllq\t$42,%xmm0\n\tpxor\t%xmm1,%xmm2\n\tmovdqa\t(%edx),%xmm1\n\tpxor\t%xmm0,%xmm2\n\tmovdqa\t96(%ebp),%xmm0\n\tmovq\t%mm4,%mm1\n\tpaddq\t%xmm2,%xmm6\n\tmovq\t-32(%edx),%mm7\n\tpxor\t%mm6,%mm5\n\tpsrlq\t$14,%mm1\n\tmovq\t%mm4,(%esp)\n\tpaddq\t%xmm6,%xmm0\n\tpand\t%mm4,%mm5\n\tpsllq\t$23,%mm4\n\tpaddq\t%mm3,%mm0\n\tmovq\t%mm1,%mm3\n\tpsrlq\t$4,%mm1\n\tpxor\t%mm6,%mm5\n\tpxor\t%mm4,%mm3\n\tpsllq\t$23,%mm4\n\tpxor\t%mm1,%mm3\n\tmovq\t%mm0,32(%esp)\n\tpaddq\t%mm5,%mm7\n\tpxor\t%mm4,%mm3\n\tpsrlq\t$23,%mm1\n\tpaddq\t24(%esp),%mm7\n\tpxor\t%mm1,%mm3\n\tpsllq\t$4,%mm4\n\tpxor\t%mm4,%mm3\n\tmovq\t56(%esp),%mm4\n\tpaddq\t%mm7,%mm3\n\tmovq\t%mm0,%mm5\n\tpsrlq\t$28,%mm5\n\tpaddq\t%mm3,%mm4\n\tmovq\t%mm0,%mm6\n\tmovq\t%mm5,%mm7\n\tpsllq\t$25,%mm6\n\tmovq\t40(%esp),%mm1\n\tpsrlq\t$6,%mm5\n\tpxor\t%mm6,%mm7\n\tpsllq\t$5,%mm6\n\tpxor\t%mm5,%mm7\n\tpxor\t%mm1,%mm0\n\tpsrlq\t$5,%mm5\n\tpxor\t%mm6,%mm7\n\tpand\t%mm0,%mm2\n\tpsllq\t$6,%mm6\n\tpxor\t%mm5,%mm7\n\tpxor\t%mm1,%mm2\n\tpxor\t%mm7,%mm6\n\tmovq\t(%esp),%mm5\n\tpaddq\t%mm6,%mm2\n\tmovq\t8(%esp),%mm6\n\tmovq\t%mm4,%mm1\n\tmovq\t-24(%edx),%mm7\n\tpxor\t%mm6,%mm5\n\tpsrlq\t$14,%mm1\n\tmovq\t%mm4,56(%esp)\n\tpand\t%mm4,%mm5\n\tpsllq\t$23,%mm4\n\tpaddq\t%mm3,%mm2\n\tmovq\t%mm1,%mm3\n\tpsrlq\t$4,%mm1\n\tpxor\t%mm6,%mm5\n\tpxor\t%mm4,%mm3\n\tpsllq\t$23,%mm4\n\tpxor\t%mm1,%mm3\n\tmovq\t%mm2,24(%esp)\n\tpaddq\t%mm5,%mm7\n\tpxor\t%mm4,%mm3\n\tpsrlq\t$23,%mm1\n\tpaddq\t16(%esp),%mm7\n\tpxor\t%mm1,%mm3\n\tpsllq\t$4,%mm4\n\tpxor\t%mm4,%mm3\n\tmovq\t48(%esp),%mm4\n\tpaddq\t%mm7,%mm3\n\tmovq\t%mm2,%mm5\n\tpsrlq\t$28,%mm5\n\tpaddq\t%mm3,%mm4\n\tmovq\t%mm2,%mm6\n\tmovq\t%mm5,%mm7\n\tpsllq\t$25,%mm6\n\tmovq\t32(%esp),%mm1\n\tpsrlq\t$6,%mm5\n\tpxor\t%mm6,%mm7\n\tpsllq\t$5,%mm6\n\tpxor\t%mm5,%mm7\n\tpxor\t%mm1,%mm2\n\tpsrlq\t$5,%mm5\n\tpxor\t%mm6,%mm7\n\tpand\t%mm2,%mm0\n\tpsllq\t$6,%mm6\n\tpxor\t%mm5,%mm7\n\tpxor\t%mm1,%mm0\n\tpxor\t%mm7,%mm6\n\tmovq\t56(%esp),%mm5\n\tpaddq\t%mm6,%mm0\n\tmovq\t(%esp),%mm6\n\tmovdqa\t%xmm0,-32(%edx)\n\tmovdqa\t%xmm4,%xmm2\n\tmovdqa\t%xmm1,%xmm0\n.byte\t102,15,58,15,207,8\n\tmovdqa\t%xmm3,48(%edx)\n.byte\t102,15,58,15,211,8\n\tmovdqa\t%xmm1,%xmm3\n\tpsrlq\t$7,%xmm1\n\tpaddq\t%xmm2,%xmm7\n\tmovdqa\t%xmm3,%xmm2\n\tpsrlq\t$1,%xmm3\n\tpsllq\t$56,%xmm2\n\tpxor\t%xmm3,%xmm1\n\tpsrlq\t$7,%xmm3\n\tpxor\t%xmm2,%xmm1\n\tpsllq\t$7,%xmm2\n\tpxor\t%xmm3,%xmm1\n\tmovdqa\t%xmm6,%xmm3\n\tpxor\t%xmm2,%xmm1\n\tmovdqa\t%xmm6,%xmm2\n\tpsrlq\t$6,%xmm3\n\tpaddq\t%xmm1,%xmm7\n\tmovdqa\t%xmm6,%xmm1\n\tpsrlq\t$19,%xmm2\n\tpsllq\t$3,%xmm1\n\tpxor\t%xmm2,%xmm3\n\tpsrlq\t$42,%xmm2\n\tpxor\t%xmm1,%xmm3\n\tpsllq\t$42,%xmm1\n\tpxor\t%xmm2,%xmm3\n\tmovdqa\t16(%edx),%xmm2\n\tpxor\t%xmm1,%xmm3\n\tmovdqa\t112(%ebp),%xmm1\n\tmovq\t%mm4,%mm1\n\tpaddq\t%xmm3,%xmm7\n\tmovq\t-16(%edx),%mm7\n\tpxor\t%mm6,%mm5\n\tpsrlq\t$14,%mm1\n\tmovq\t%mm4,48(%esp)\n\tpaddq\t%xmm7,%xmm1\n\tpand\t%mm4,%mm5\n\tpsllq\t$23,%mm4\n\tpaddq\t%mm3,%mm0\n\tmovq\t%mm1,%mm3\n\tpsrlq\t$4,%mm1\n\tpxor\t%mm6,%mm5\n\tpxor\t%mm4,%mm3\n\tpsllq\t$23,%mm4\n\tpxor\t%mm1,%mm3\n\tmovq\t%mm0,16(%esp)\n\tpaddq\t%mm5,%mm7\n\tpxor\t%mm4,%mm3\n\tpsrlq\t$23,%mm1\n\tpaddq\t8(%esp),%mm7\n\tpxor\t%mm1,%mm3\n\tpsllq\t$4,%mm4\n\tpxor\t%mm4,%mm3\n\tmovq\t40(%esp),%mm4\n\tpaddq\t%mm7,%mm3\n\tmovq\t%mm0,%mm5\n\tpsrlq\t$28,%mm5\n\tpaddq\t%mm3,%mm4\n\tmovq\t%mm0,%mm6\n\tmovq\t%mm5,%mm7\n\tpsllq\t$25,%mm6\n\tmovq\t24(%esp),%mm1\n\tpsrlq\t$6,%mm5\n\tpxor\t%mm6,%mm7\n\tpsllq\t$5,%mm6\n\tpxor\t%mm5,%mm7\n\tpxor\t%mm1,%mm0\n\tpsrlq\t$5,%mm5\n\tpxor\t%mm6,%mm7\n\tpand\t%mm0,%mm2\n\tpsllq\t$6,%mm6\n\tpxor\t%mm5,%mm7\n\tpxor\t%mm1,%mm2\n\tpxor\t%mm7,%mm6\n\tmovq\t48(%esp),%mm5\n\tpaddq\t%mm6,%mm2\n\tmovq\t56(%esp),%mm6\n\tmovq\t%mm4,%mm1\n\tmovq\t-8(%edx),%mm7\n\tpxor\t%mm6,%mm5\n\tpsrlq\t$14,%mm1\n\tmovq\t%mm4,40(%esp)\n\tpand\t%mm4,%mm5\n\tpsllq\t$23,%mm4\n\tpaddq\t%mm3,%mm2\n\tmovq\t%mm1,%mm3\n\tpsrlq\t$4,%mm1\n\tpxor\t%mm6,%mm5\n\tpxor\t%mm4,%mm3\n\tpsllq\t$23,%mm4\n\tpxor\t%mm1,%mm3\n\tmovq\t%mm2,8(%esp)\n\tpaddq\t%mm5,%mm7\n\tpxor\t%mm4,%mm3\n\tpsrlq\t$23,%mm1\n\tpaddq\t(%esp),%mm7\n\tpxor\t%mm1,%mm3\n\tpsllq\t$4,%mm4\n\tpxor\t%mm4,%mm3\n\tmovq\t32(%esp),%mm4\n\tpaddq\t%mm7,%mm3\n\tmovq\t%mm2,%mm5\n\tpsrlq\t$28,%mm5\n\tpaddq\t%mm3,%mm4\n\tmovq\t%mm2,%mm6\n\tmovq\t%mm5,%mm7\n\tpsllq\t$25,%mm6\n\tmovq\t16(%esp),%mm1\n\tpsrlq\t$6,%mm5\n\tpxor\t%mm6,%mm7\n\tpsllq\t$5,%mm6\n\tpxor\t%mm5,%mm7\n\tpxor\t%mm1,%mm2\n\tpsrlq\t$5,%mm5\n\tpxor\t%mm6,%mm7\n\tpand\t%mm2,%mm0\n\tpsllq\t$6,%mm6\n\tpxor\t%mm5,%mm7\n\tpxor\t%mm1,%mm0\n\tpxor\t%mm7,%mm6\n\tmovq\t40(%esp),%mm5\n\tpaddq\t%mm6,%mm0\n\tmovq\t48(%esp),%mm6\n\tmovdqa\t%xmm1,-16(%edx)\n\tleal\t128(%ebp),%ebp\n\tdecl\t%ecx\n\tjnz\t.L00600_47_ssse3\n\tmovdqa\t(%ebp),%xmm1\n\tleal\t-640(%ebp),%ebp\n\tmovdqu\t(%ebx),%xmm0\n.byte\t102,15,56,0,193\n\tmovdqa\t(%ebp),%xmm3\n\tmovdqa\t%xmm1,%xmm2\n\tmovdqu\t16(%ebx),%xmm1\n\tpaddq\t%xmm0,%xmm3\n.byte\t102,15,56,0,202\n\tmovq\t%mm4,%mm1\n\tmovq\t-128(%edx),%mm7\n\tpxor\t%mm6,%mm5\n\tpsrlq\t$14,%mm1\n\tmovq\t%mm4,32(%esp)\n\tpand\t%mm4,%mm5\n\tpsllq\t$23,%mm4\n\tpaddq\t%mm3,%mm0\n\tmovq\t%mm1,%mm3\n\tpsrlq\t$4,%mm1\n\tpxor\t%mm6,%mm5\n\tpxor\t%mm4,%mm3\n\tpsllq\t$23,%mm4\n\tpxor\t%mm1,%mm3\n\tmovq\t%mm0,(%esp)\n\tpaddq\t%mm5,%mm7\n\tpxor\t%mm4,%mm3\n\tpsrlq\t$23,%mm1\n\tpaddq\t56(%esp),%mm7\n\tpxor\t%mm1,%mm3\n\tpsllq\t$4,%mm4\n\tpxor\t%mm4,%mm3\n\tmovq\t24(%esp),%mm4\n\tpaddq\t%mm7,%mm3\n\tmovq\t%mm0,%mm5\n\tpsrlq\t$28,%mm5\n\tpaddq\t%mm3,%mm4\n\tmovq\t%mm0,%mm6\n\tmovq\t%mm5,%mm7\n\tpsllq\t$25,%mm6\n\tmovq\t8(%esp),%mm1\n\tpsrlq\t$6,%mm5\n\tpxor\t%mm6,%mm7\n\tpsllq\t$5,%mm6\n\tpxor\t%mm5,%mm7\n\tpxor\t%mm1,%mm0\n\tpsrlq\t$5,%mm5\n\tpxor\t%mm6,%mm7\n\tpand\t%mm0,%mm2\n\tpsllq\t$6,%mm6\n\tpxor\t%mm5,%mm7\n\tpxor\t%mm1,%mm2\n\tpxor\t%mm7,%mm6\n\tmovq\t32(%esp),%mm5\n\tpaddq\t%mm6,%mm2\n\tmovq\t40(%esp),%mm6\n\tmovq\t%mm4,%mm1\n\tmovq\t-120(%edx),%mm7\n\tpxor\t%mm6,%mm5\n\tpsrlq\t$14,%mm1\n\tmovq\t%mm4,24(%esp)\n\tpand\t%mm4,%mm5\n\tpsllq\t$23,%mm4\n\tpaddq\t%mm3,%mm2\n\tmovq\t%mm1,%mm3\n\tpsrlq\t$4,%mm1\n\tpxor\t%mm6,%mm5\n\tpxor\t%mm4,%mm3\n\tpsllq\t$23,%mm4\n\tpxor\t%mm1,%mm3\n\tmovq\t%mm2,56(%esp)\n\tpaddq\t%mm5,%mm7\n\tpxor\t%mm4,%mm3\n\tpsrlq\t$23,%mm1\n\tpaddq\t48(%esp),%mm7\n\tpxor\t%mm1,%mm3\n\tpsllq\t$4,%mm4\n\tpxor\t%mm4,%mm3\n\tmovq\t16(%esp),%mm4\n\tpaddq\t%mm7,%mm3\n\tmovq\t%mm2,%mm5\n\tpsrlq\t$28,%mm5\n\tpaddq\t%mm3,%mm4\n\tmovq\t%mm2,%mm6\n\tmovq\t%mm5,%mm7\n\tpsllq\t$25,%mm6\n\tmovq\t(%esp),%mm1\n\tpsrlq\t$6,%mm5\n\tpxor\t%mm6,%mm7\n\tpsllq\t$5,%mm6\n\tpxor\t%mm5,%mm7\n\tpxor\t%mm1,%mm2\n\tpsrlq\t$5,%mm5\n\tpxor\t%mm6,%mm7\n\tpand\t%mm2,%mm0\n\tpsllq\t$6,%mm6\n\tpxor\t%mm5,%mm7\n\tpxor\t%mm1,%mm0\n\tpxor\t%mm7,%mm6\n\tmovq\t24(%esp),%mm5\n\tpaddq\t%mm6,%mm0\n\tmovq\t32(%esp),%mm6\n\tmovdqa\t%xmm3,-128(%edx)\n\tmovdqa\t16(%ebp),%xmm4\n\tmovdqa\t%xmm2,%xmm3\n\tmovdqu\t32(%ebx),%xmm2\n\tpaddq\t%xmm1,%xmm4\n.byte\t102,15,56,0,211\n\tmovq\t%mm4,%mm1\n\tmovq\t-112(%edx),%mm7\n\tpxor\t%mm6,%mm5\n\tpsrlq\t$14,%mm1\n\tmovq\t%mm4,16(%esp)\n\tpand\t%mm4,%mm5\n\tpsllq\t$23,%mm4\n\tpaddq\t%mm3,%mm0\n\tmovq\t%mm1,%mm3\n\tpsrlq\t$4,%mm1\n\tpxor\t%mm6,%mm5\n\tpxor\t%mm4,%mm3\n\tpsllq\t$23,%mm4\n\tpxor\t%mm1,%mm3\n\tmovq\t%mm0,48(%esp)\n\tpaddq\t%mm5,%mm7\n\tpxor\t%mm4,%mm3\n\tpsrlq\t$23,%mm1\n\tpaddq\t40(%esp),%mm7\n\tpxor\t%mm1,%mm3\n\tpsllq\t$4,%mm4\n\tpxor\t%mm4,%mm3\n\tmovq\t8(%esp),%mm4\n\tpaddq\t%mm7,%mm3\n\tmovq\t%mm0,%mm5\n\tpsrlq\t$28,%mm5\n\tpaddq\t%mm3,%mm4\n\tmovq\t%mm0,%mm6\n\tmovq\t%mm5,%mm7\n\tpsllq\t$25,%mm6\n\tmovq\t56(%esp),%mm1\n\tpsrlq\t$6,%mm5\n\tpxor\t%mm6,%mm7\n\tpsllq\t$5,%mm6\n\tpxor\t%mm5,%mm7\n\tpxor\t%mm1,%mm0\n\tpsrlq\t$5,%mm5\n\tpxor\t%mm6,%mm7\n\tpand\t%mm0,%mm2\n\tpsllq\t$6,%mm6\n\tpxor\t%mm5,%mm7\n\tpxor\t%mm1,%mm2\n\tpxor\t%mm7,%mm6\n\tmovq\t16(%esp),%mm5\n\tpaddq\t%mm6,%mm2\n\tmovq\t24(%esp),%mm6\n\tmovq\t%mm4,%mm1\n\tmovq\t-104(%edx),%mm7\n\tpxor\t%mm6,%mm5\n\tpsrlq\t$14,%mm1\n\tmovq\t%mm4,8(%esp)\n\tpand\t%mm4,%mm5\n\tpsllq\t$23,%mm4\n\tpaddq\t%mm3,%mm2\n\tmovq\t%mm1,%mm3\n\tpsrlq\t$4,%mm1\n\tpxor\t%mm6,%mm5\n\tpxor\t%mm4,%mm3\n\tpsllq\t$23,%mm4\n\tpxor\t%mm1,%mm3\n\tmovq\t%mm2,40(%esp)\n\tpaddq\t%mm5,%mm7\n\tpxor\t%mm4,%mm3\n\tpsrlq\t$23,%mm1\n\tpaddq\t32(%esp),%mm7\n\tpxor\t%mm1,%mm3\n\tpsllq\t$4,%mm4\n\tpxor\t%mm4,%mm3\n\tmovq\t(%esp),%mm4\n\tpaddq\t%mm7,%mm3\n\tmovq\t%mm2,%mm5\n\tpsrlq\t$28,%mm5\n\tpaddq\t%mm3,%mm4\n\tmovq\t%mm2,%mm6\n\tmovq\t%mm5,%mm7\n\tpsllq\t$25,%mm6\n\tmovq\t48(%esp),%mm1\n\tpsrlq\t$6,%mm5\n\tpxor\t%mm6,%mm7\n\tpsllq\t$5,%mm6\n\tpxor\t%mm5,%mm7\n\tpxor\t%mm1,%mm2\n\tpsrlq\t$5,%mm5\n\tpxor\t%mm6,%mm7\n\tpand\t%mm2,%mm0\n\tpsllq\t$6,%mm6\n\tpxor\t%mm5,%mm7\n\tpxor\t%mm1,%mm0\n\tpxor\t%mm7,%mm6\n\tmovq\t8(%esp),%mm5\n\tpaddq\t%mm6,%mm0\n\tmovq\t16(%esp),%mm6\n\tmovdqa\t%xmm4,-112(%edx)\n\tmovdqa\t32(%ebp),%xmm5\n\tmovdqa\t%xmm3,%xmm4\n\tmovdqu\t48(%ebx),%xmm3\n\tpaddq\t%xmm2,%xmm5\n.byte\t102,15,56,0,220\n\tmovq\t%mm4,%mm1\n\tmovq\t-96(%edx),%mm7\n\tpxor\t%mm6,%mm5\n\tpsrlq\t$14,%mm1\n\tmovq\t%mm4,(%esp)\n\tpand\t%mm4,%mm5\n\tpsllq\t$23,%mm4\n\tpaddq\t%mm3,%mm0\n\tmovq\t%mm1,%mm3\n\tpsrlq\t$4,%mm1\n\tpxor\t%mm6,%mm5\n\tpxor\t%mm4,%mm3\n\tpsllq\t$23,%mm4\n\tpxor\t%mm1,%mm3\n\tmovq\t%mm0,32(%esp)\n\tpaddq\t%mm5,%mm7\n\tpxor\t%mm4,%mm3\n\tpsrlq\t$23,%mm1\n\tpaddq\t24(%esp),%mm7\n\tpxor\t%mm1,%mm3\n\tpsllq\t$4,%mm4\n\tpxor\t%mm4,%mm3\n\tmovq\t56(%esp),%mm4\n\tpaddq\t%mm7,%mm3\n\tmovq\t%mm0,%mm5\n\tpsrlq\t$28,%mm5\n\tpaddq\t%mm3,%mm4\n\tmovq\t%mm0,%mm6\n\tmovq\t%mm5,%mm7\n\tpsllq\t$25,%mm6\n\tmovq\t40(%esp),%mm1\n\tpsrlq\t$6,%mm5\n\tpxor\t%mm6,%mm7\n\tpsllq\t$5,%mm6\n\tpxor\t%mm5,%mm7\n\tpxor\t%mm1,%mm0\n\tpsrlq\t$5,%mm5\n\tpxor\t%mm6,%mm7\n\tpand\t%mm0,%mm2\n\tpsllq\t$6,%mm6\n\tpxor\t%mm5,%mm7\n\tpxor\t%mm1,%mm2\n\tpxor\t%mm7,%mm6\n\tmovq\t(%esp),%mm5\n\tpaddq\t%mm6,%mm2\n\tmovq\t8(%esp),%mm6\n\tmovq\t%mm4,%mm1\n\tmovq\t-88(%edx),%mm7\n\tpxor\t%mm6,%mm5\n\tpsrlq\t$14,%mm1\n\tmovq\t%mm4,56(%esp)\n\tpand\t%mm4,%mm5\n\tpsllq\t$23,%mm4\n\tpaddq\t%mm3,%mm2\n\tmovq\t%mm1,%mm3\n\tpsrlq\t$4,%mm1\n\tpxor\t%mm6,%mm5\n\tpxor\t%mm4,%mm3\n\tpsllq\t$23,%mm4\n\tpxor\t%mm1,%mm3\n\tmovq\t%mm2,24(%esp)\n\tpaddq\t%mm5,%mm7\n\tpxor\t%mm4,%mm3\n\tpsrlq\t$23,%mm1\n\tpaddq\t16(%esp),%mm7\n\tpxor\t%mm1,%mm3\n\tpsllq\t$4,%mm4\n\tpxor\t%mm4,%mm3\n\tmovq\t48(%esp),%mm4\n\tpaddq\t%mm7,%mm3\n\tmovq\t%mm2,%mm5\n\tpsrlq\t$28,%mm5\n\tpaddq\t%mm3,%mm4\n\tmovq\t%mm2,%mm6\n\tmovq\t%mm5,%mm7\n\tpsllq\t$25,%mm6\n\tmovq\t32(%esp),%mm1\n\tpsrlq\t$6,%mm5\n\tpxor\t%mm6,%mm7\n\tpsllq\t$5,%mm6\n\tpxor\t%mm5,%mm7\n\tpxor\t%mm1,%mm2\n\tpsrlq\t$5,%mm5\n\tpxor\t%mm6,%mm7\n\tpand\t%mm2,%mm0\n\tpsllq\t$6,%mm6\n\tpxor\t%mm5,%mm7\n\tpxor\t%mm1,%mm0\n\tpxor\t%mm7,%mm6\n\tmovq\t56(%esp),%mm5\n\tpaddq\t%mm6,%mm0\n\tmovq\t(%esp),%mm6\n\tmovdqa\t%xmm5,-96(%edx)\n\tmovdqa\t48(%ebp),%xmm6\n\tmovdqa\t%xmm4,%xmm5\n\tmovdqu\t64(%ebx),%xmm4\n\tpaddq\t%xmm3,%xmm6\n.byte\t102,15,56,0,229\n\tmovq\t%mm4,%mm1\n\tmovq\t-80(%edx),%mm7\n\tpxor\t%mm6,%mm5\n\tpsrlq\t$14,%mm1\n\tmovq\t%mm4,48(%esp)\n\tpand\t%mm4,%mm5\n\tpsllq\t$23,%mm4\n\tpaddq\t%mm3,%mm0\n\tmovq\t%mm1,%mm3\n\tpsrlq\t$4,%mm1\n\tpxor\t%mm6,%mm5\n\tpxor\t%mm4,%mm3\n\tpsllq\t$23,%mm4\n\tpxor\t%mm1,%mm3\n\tmovq\t%mm0,16(%esp)\n\tpaddq\t%mm5,%mm7\n\tpxor\t%mm4,%mm3\n\tpsrlq\t$23,%mm1\n\tpaddq\t8(%esp),%mm7\n\tpxor\t%mm1,%mm3\n\tpsllq\t$4,%mm4\n\tpxor\t%mm4,%mm3\n\tmovq\t40(%esp),%mm4\n\tpaddq\t%mm7,%mm3\n\tmovq\t%mm0,%mm5\n\tpsrlq\t$28,%mm5\n\tpaddq\t%mm3,%mm4\n\tmovq\t%mm0,%mm6\n\tmovq\t%mm5,%mm7\n\tpsllq\t$25,%mm6\n\tmovq\t24(%esp),%mm1\n\tpsrlq\t$6,%mm5\n\tpxor\t%mm6,%mm7\n\tpsllq\t$5,%mm6\n\tpxor\t%mm5,%mm7\n\tpxor\t%mm1,%mm0\n\tpsrlq\t$5,%mm5\n\tpxor\t%mm6,%mm7\n\tpand\t%mm0,%mm2\n\tpsllq\t$6,%mm6\n\tpxor\t%mm5,%mm7\n\tpxor\t%mm1,%mm2\n\tpxor\t%mm7,%mm6\n\tmovq\t48(%esp),%mm5\n\tpaddq\t%mm6,%mm2\n\tmovq\t56(%esp),%mm6\n\tmovq\t%mm4,%mm1\n\tmovq\t-72(%edx),%mm7\n\tpxor\t%mm6,%mm5\n\tpsrlq\t$14,%mm1\n\tmovq\t%mm4,40(%esp)\n\tpand\t%mm4,%mm5\n\tpsllq\t$23,%mm4\n\tpaddq\t%mm3,%mm2\n\tmovq\t%mm1,%mm3\n\tpsrlq\t$4,%mm1\n\tpxor\t%mm6,%mm5\n\tpxor\t%mm4,%mm3\n\tpsllq\t$23,%mm4\n\tpxor\t%mm1,%mm3\n\tmovq\t%mm2,8(%esp)\n\tpaddq\t%mm5,%mm7\n\tpxor\t%mm4,%mm3\n\tpsrlq\t$23,%mm1\n\tpaddq\t(%esp),%mm7\n\tpxor\t%mm1,%mm3\n\tpsllq\t$4,%mm4\n\tpxor\t%mm4,%mm3\n\tmovq\t32(%esp),%mm4\n\tpaddq\t%mm7,%mm3\n\tmovq\t%mm2,%mm5\n\tpsrlq\t$28,%mm5\n\tpaddq\t%mm3,%mm4\n\tmovq\t%mm2,%mm6\n\tmovq\t%mm5,%mm7\n\tpsllq\t$25,%mm6\n\tmovq\t16(%esp),%mm1\n\tpsrlq\t$6,%mm5\n\tpxor\t%mm6,%mm7\n\tpsllq\t$5,%mm6\n\tpxor\t%mm5,%mm7\n\tpxor\t%mm1,%mm2\n\tpsrlq\t$5,%mm5\n\tpxor\t%mm6,%mm7\n\tpand\t%mm2,%mm0\n\tpsllq\t$6,%mm6\n\tpxor\t%mm5,%mm7\n\tpxor\t%mm1,%mm0\n\tpxor\t%mm7,%mm6\n\tmovq\t40(%esp),%mm5\n\tpaddq\t%mm6,%mm0\n\tmovq\t48(%esp),%mm6\n\tmovdqa\t%xmm6,-80(%edx)\n\tmovdqa\t64(%ebp),%xmm7\n\tmovdqa\t%xmm5,%xmm6\n\tmovdqu\t80(%ebx),%xmm5\n\tpaddq\t%xmm4,%xmm7\n.byte\t102,15,56,0,238\n\tmovq\t%mm4,%mm1\n\tmovq\t-64(%edx),%mm7\n\tpxor\t%mm6,%mm5\n\tpsrlq\t$14,%mm1\n\tmovq\t%mm4,32(%esp)\n\tpand\t%mm4,%mm5\n\tpsllq\t$23,%mm4\n\tpaddq\t%mm3,%mm0\n\tmovq\t%mm1,%mm3\n\tpsrlq\t$4,%mm1\n\tpxor\t%mm6,%mm5\n\tpxor\t%mm4,%mm3\n\tpsllq\t$23,%mm4\n\tpxor\t%mm1,%mm3\n\tmovq\t%mm0,(%esp)\n\tpaddq\t%mm5,%mm7\n\tpxor\t%mm4,%mm3\n\tpsrlq\t$23,%mm1\n\tpaddq\t56(%esp),%mm7\n\tpxor\t%mm1,%mm3\n\tpsllq\t$4,%mm4\n\tpxor\t%mm4,%mm3\n\tmovq\t24(%esp),%mm4\n\tpaddq\t%mm7,%mm3\n\tmovq\t%mm0,%mm5\n\tpsrlq\t$28,%mm5\n\tpaddq\t%mm3,%mm4\n\tmovq\t%mm0,%mm6\n\tmovq\t%mm5,%mm7\n\tpsllq\t$25,%mm6\n\tmovq\t8(%esp),%mm1\n\tpsrlq\t$6,%mm5\n\tpxor\t%mm6,%mm7\n\tpsllq\t$5,%mm6\n\tpxor\t%mm5,%mm7\n\tpxor\t%mm1,%mm0\n\tpsrlq\t$5,%mm5\n\tpxor\t%mm6,%mm7\n\tpand\t%mm0,%mm2\n\tpsllq\t$6,%mm6\n\tpxor\t%mm5,%mm7\n\tpxor\t%mm1,%mm2\n\tpxor\t%mm7,%mm6\n\tmovq\t32(%esp),%mm5\n\tpaddq\t%mm6,%mm2\n\tmovq\t40(%esp),%mm6\n\tmovq\t%mm4,%mm1\n\tmovq\t-56(%edx),%mm7\n\tpxor\t%mm6,%mm5\n\tpsrlq\t$14,%mm1\n\tmovq\t%mm4,24(%esp)\n\tpand\t%mm4,%mm5\n\tpsllq\t$23,%mm4\n\tpaddq\t%mm3,%mm2\n\tmovq\t%mm1,%mm3\n\tpsrlq\t$4,%mm1\n\tpxor\t%mm6,%mm5\n\tpxor\t%mm4,%mm3\n\tpsllq\t$23,%mm4\n\tpxor\t%mm1,%mm3\n\tmovq\t%mm2,56(%esp)\n\tpaddq\t%mm5,%mm7\n\tpxor\t%mm4,%mm3\n\tpsrlq\t$23,%mm1\n\tpaddq\t48(%esp),%mm7\n\tpxor\t%mm1,%mm3\n\tpsllq\t$4,%mm4\n\tpxor\t%mm4,%mm3\n\tmovq\t16(%esp),%mm4\n\tpaddq\t%mm7,%mm3\n\tmovq\t%mm2,%mm5\n\tpsrlq\t$28,%mm5\n\tpaddq\t%mm3,%mm4\n\tmovq\t%mm2,%mm6\n\tmovq\t%mm5,%mm7\n\tpsllq\t$25,%mm6\n\tmovq\t(%esp),%mm1\n\tpsrlq\t$6,%mm5\n\tpxor\t%mm6,%mm7\n\tpsllq\t$5,%mm6\n\tpxor\t%mm5,%mm7\n\tpxor\t%mm1,%mm2\n\tpsrlq\t$5,%mm5\n\tpxor\t%mm6,%mm7\n\tpand\t%mm2,%mm0\n\tpsllq\t$6,%mm6\n\tpxor\t%mm5,%mm7\n\tpxor\t%mm1,%mm0\n\tpxor\t%mm7,%mm6\n\tmovq\t24(%esp),%mm5\n\tpaddq\t%mm6,%mm0\n\tmovq\t32(%esp),%mm6\n\tmovdqa\t%xmm7,-64(%edx)\n\tmovdqa\t%xmm0,(%edx)\n\tmovdqa\t80(%ebp),%xmm0\n\tmovdqa\t%xmm6,%xmm7\n\tmovdqu\t96(%ebx),%xmm6\n\tpaddq\t%xmm5,%xmm0\n.byte\t102,15,56,0,247\n\tmovq\t%mm4,%mm1\n\tmovq\t-48(%edx),%mm7\n\tpxor\t%mm6,%mm5\n\tpsrlq\t$14,%mm1\n\tmovq\t%mm4,16(%esp)\n\tpand\t%mm4,%mm5\n\tpsllq\t$23,%mm4\n\tpaddq\t%mm3,%mm0\n\tmovq\t%mm1,%mm3\n\tpsrlq\t$4,%mm1\n\tpxor\t%mm6,%mm5\n\tpxor\t%mm4,%mm3\n\tpsllq\t$23,%mm4\n\tpxor\t%mm1,%mm3\n\tmovq\t%mm0,48(%esp)\n\tpaddq\t%mm5,%mm7\n\tpxor\t%mm4,%mm3\n\tpsrlq\t$23,%mm1\n\tpaddq\t40(%esp),%mm7\n\tpxor\t%mm1,%mm3\n\tpsllq\t$4,%mm4\n\tpxor\t%mm4,%mm3\n\tmovq\t8(%esp),%mm4\n\tpaddq\t%mm7,%mm3\n\tmovq\t%mm0,%mm5\n\tpsrlq\t$28,%mm5\n\tpaddq\t%mm3,%mm4\n\tmovq\t%mm0,%mm6\n\tmovq\t%mm5,%mm7\n\tpsllq\t$25,%mm6\n\tmovq\t56(%esp),%mm1\n\tpsrlq\t$6,%mm5\n\tpxor\t%mm6,%mm7\n\tpsllq\t$5,%mm6\n\tpxor\t%mm5,%mm7\n\tpxor\t%mm1,%mm0\n\tpsrlq\t$5,%mm5\n\tpxor\t%mm6,%mm7\n\tpand\t%mm0,%mm2\n\tpsllq\t$6,%mm6\n\tpxor\t%mm5,%mm7\n\tpxor\t%mm1,%mm2\n\tpxor\t%mm7,%mm6\n\tmovq\t16(%esp),%mm5\n\tpaddq\t%mm6,%mm2\n\tmovq\t24(%esp),%mm6\n\tmovq\t%mm4,%mm1\n\tmovq\t-40(%edx),%mm7\n\tpxor\t%mm6,%mm5\n\tpsrlq\t$14,%mm1\n\tmovq\t%mm4,8(%esp)\n\tpand\t%mm4,%mm5\n\tpsllq\t$23,%mm4\n\tpaddq\t%mm3,%mm2\n\tmovq\t%mm1,%mm3\n\tpsrlq\t$4,%mm1\n\tpxor\t%mm6,%mm5\n\tpxor\t%mm4,%mm3\n\tpsllq\t$23,%mm4\n\tpxor\t%mm1,%mm3\n\tmovq\t%mm2,40(%esp)\n\tpaddq\t%mm5,%mm7\n\tpxor\t%mm4,%mm3\n\tpsrlq\t$23,%mm1\n\tpaddq\t32(%esp),%mm7\n\tpxor\t%mm1,%mm3\n\tpsllq\t$4,%mm4\n\tpxor\t%mm4,%mm3\n\tmovq\t(%esp),%mm4\n\tpaddq\t%mm7,%mm3\n\tmovq\t%mm2,%mm5\n\tpsrlq\t$28,%mm5\n\tpaddq\t%mm3,%mm4\n\tmovq\t%mm2,%mm6\n\tmovq\t%mm5,%mm7\n\tpsllq\t$25,%mm6\n\tmovq\t48(%esp),%mm1\n\tpsrlq\t$6,%mm5\n\tpxor\t%mm6,%mm7\n\tpsllq\t$5,%mm6\n\tpxor\t%mm5,%mm7\n\tpxor\t%mm1,%mm2\n\tpsrlq\t$5,%mm5\n\tpxor\t%mm6,%mm7\n\tpand\t%mm2,%mm0\n\tpsllq\t$6,%mm6\n\tpxor\t%mm5,%mm7\n\tpxor\t%mm1,%mm0\n\tpxor\t%mm7,%mm6\n\tmovq\t8(%esp),%mm5\n\tpaddq\t%mm6,%mm0\n\tmovq\t16(%esp),%mm6\n\tmovdqa\t%xmm0,-48(%edx)\n\tmovdqa\t%xmm1,16(%edx)\n\tmovdqa\t96(%ebp),%xmm1\n\tmovdqa\t%xmm7,%xmm0\n\tmovdqu\t112(%ebx),%xmm7\n\tpaddq\t%xmm6,%xmm1\n.byte\t102,15,56,0,248\n\tmovq\t%mm4,%mm1\n\tmovq\t-32(%edx),%mm7\n\tpxor\t%mm6,%mm5\n\tpsrlq\t$14,%mm1\n\tmovq\t%mm4,(%esp)\n\tpand\t%mm4,%mm5\n\tpsllq\t$23,%mm4\n\tpaddq\t%mm3,%mm0\n\tmovq\t%mm1,%mm3\n\tpsrlq\t$4,%mm1\n\tpxor\t%mm6,%mm5\n\tpxor\t%mm4,%mm3\n\tpsllq\t$23,%mm4\n\tpxor\t%mm1,%mm3\n\tmovq\t%mm0,32(%esp)\n\tpaddq\t%mm5,%mm7\n\tpxor\t%mm4,%mm3\n\tpsrlq\t$23,%mm1\n\tpaddq\t24(%esp),%mm7\n\tpxor\t%mm1,%mm3\n\tpsllq\t$4,%mm4\n\tpxor\t%mm4,%mm3\n\tmovq\t56(%esp),%mm4\n\tpaddq\t%mm7,%mm3\n\tmovq\t%mm0,%mm5\n\tpsrlq\t$28,%mm5\n\tpaddq\t%mm3,%mm4\n\tmovq\t%mm0,%mm6\n\tmovq\t%mm5,%mm7\n\tpsllq\t$25,%mm6\n\tmovq\t40(%esp),%mm1\n\tpsrlq\t$6,%mm5\n\tpxor\t%mm6,%mm7\n\tpsllq\t$5,%mm6\n\tpxor\t%mm5,%mm7\n\tpxor\t%mm1,%mm0\n\tpsrlq\t$5,%mm5\n\tpxor\t%mm6,%mm7\n\tpand\t%mm0,%mm2\n\tpsllq\t$6,%mm6\n\tpxor\t%mm5,%mm7\n\tpxor\t%mm1,%mm2\n\tpxor\t%mm7,%mm6\n\tmovq\t(%esp),%mm5\n\tpaddq\t%mm6,%mm2\n\tmovq\t8(%esp),%mm6\n\tmovq\t%mm4,%mm1\n\tmovq\t-24(%edx),%mm7\n\tpxor\t%mm6,%mm5\n\tpsrlq\t$14,%mm1\n\tmovq\t%mm4,56(%esp)\n\tpand\t%mm4,%mm5\n\tpsllq\t$23,%mm4\n\tpaddq\t%mm3,%mm2\n\tmovq\t%mm1,%mm3\n\tpsrlq\t$4,%mm1\n\tpxor\t%mm6,%mm5\n\tpxor\t%mm4,%mm3\n\tpsllq\t$23,%mm4\n\tpxor\t%mm1,%mm3\n\tmovq\t%mm2,24(%esp)\n\tpaddq\t%mm5,%mm7\n\tpxor\t%mm4,%mm3\n\tpsrlq\t$23,%mm1\n\tpaddq\t16(%esp),%mm7\n\tpxor\t%mm1,%mm3\n\tpsllq\t$4,%mm4\n\tpxor\t%mm4,%mm3\n\tmovq\t48(%esp),%mm4\n\tpaddq\t%mm7,%mm3\n\tmovq\t%mm2,%mm5\n\tpsrlq\t$28,%mm5\n\tpaddq\t%mm3,%mm4\n\tmovq\t%mm2,%mm6\n\tmovq\t%mm5,%mm7\n\tpsllq\t$25,%mm6\n\tmovq\t32(%esp),%mm1\n\tpsrlq\t$6,%mm5\n\tpxor\t%mm6,%mm7\n\tpsllq\t$5,%mm6\n\tpxor\t%mm5,%mm7\n\tpxor\t%mm1,%mm2\n\tpsrlq\t$5,%mm5\n\tpxor\t%mm6,%mm7\n\tpand\t%mm2,%mm0\n\tpsllq\t$6,%mm6\n\tpxor\t%mm5,%mm7\n\tpxor\t%mm1,%mm0\n\tpxor\t%mm7,%mm6\n\tmovq\t56(%esp),%mm5\n\tpaddq\t%mm6,%mm0\n\tmovq\t(%esp),%mm6\n\tmovdqa\t%xmm1,-32(%edx)\n\tmovdqa\t%xmm2,32(%edx)\n\tmovdqa\t112(%ebp),%xmm2\n\tmovdqa\t(%edx),%xmm0\n\tpaddq\t%xmm7,%xmm2\n\tmovq\t%mm4,%mm1\n\tmovq\t-16(%edx),%mm7\n\tpxor\t%mm6,%mm5\n\tpsrlq\t$14,%mm1\n\tmovq\t%mm4,48(%esp)\n\tpand\t%mm4,%mm5\n\tpsllq\t$23,%mm4\n\tpaddq\t%mm3,%mm0\n\tmovq\t%mm1,%mm3\n\tpsrlq\t$4,%mm1\n\tpxor\t%mm6,%mm5\n\tpxor\t%mm4,%mm3\n\tpsllq\t$23,%mm4\n\tpxor\t%mm1,%mm3\n\tmovq\t%mm0,16(%esp)\n\tpaddq\t%mm5,%mm7\n\tpxor\t%mm4,%mm3\n\tpsrlq\t$23,%mm1\n\tpaddq\t8(%esp),%mm7\n\tpxor\t%mm1,%mm3\n\tpsllq\t$4,%mm4\n\tpxor\t%mm4,%mm3\n\tmovq\t40(%esp),%mm4\n\tpaddq\t%mm7,%mm3\n\tmovq\t%mm0,%mm5\n\tpsrlq\t$28,%mm5\n\tpaddq\t%mm3,%mm4\n\tmovq\t%mm0,%mm6\n\tmovq\t%mm5,%mm7\n\tpsllq\t$25,%mm6\n\tmovq\t24(%esp),%mm1\n\tpsrlq\t$6,%mm5\n\tpxor\t%mm6,%mm7\n\tpsllq\t$5,%mm6\n\tpxor\t%mm5,%mm7\n\tpxor\t%mm1,%mm0\n\tpsrlq\t$5,%mm5\n\tpxor\t%mm6,%mm7\n\tpand\t%mm0,%mm2\n\tpsllq\t$6,%mm6\n\tpxor\t%mm5,%mm7\n\tpxor\t%mm1,%mm2\n\tpxor\t%mm7,%mm6\n\tmovq\t48(%esp),%mm5\n\tpaddq\t%mm6,%mm2\n\tmovq\t56(%esp),%mm6\n\tmovq\t%mm4,%mm1\n\tmovq\t-8(%edx),%mm7\n\tpxor\t%mm6,%mm5\n\tpsrlq\t$14,%mm1\n\tmovq\t%mm4,40(%esp)\n\tpand\t%mm4,%mm5\n\tpsllq\t$23,%mm4\n\tpaddq\t%mm3,%mm2\n\tmovq\t%mm1,%mm3\n\tpsrlq\t$4,%mm1\n\tpxor\t%mm6,%mm5\n\tpxor\t%mm4,%mm3\n\tpsllq\t$23,%mm4\n\tpxor\t%mm1,%mm3\n\tmovq\t%mm2,8(%esp)\n\tpaddq\t%mm5,%mm7\n\tpxor\t%mm4,%mm3\n\tpsrlq\t$23,%mm1\n\tpaddq\t(%esp),%mm7\n\tpxor\t%mm1,%mm3\n\tpsllq\t$4,%mm4\n\tpxor\t%mm4,%mm3\n\tmovq\t32(%esp),%mm4\n\tpaddq\t%mm7,%mm3\n\tmovq\t%mm2,%mm5\n\tpsrlq\t$28,%mm5\n\tpaddq\t%mm3,%mm4\n\tmovq\t%mm2,%mm6\n\tmovq\t%mm5,%mm7\n\tpsllq\t$25,%mm6\n\tmovq\t16(%esp),%mm1\n\tpsrlq\t$6,%mm5\n\tpxor\t%mm6,%mm7\n\tpsllq\t$5,%mm6\n\tpxor\t%mm5,%mm7\n\tpxor\t%mm1,%mm2\n\tpsrlq\t$5,%mm5\n\tpxor\t%mm6,%mm7\n\tpand\t%mm2,%mm0\n\tpsllq\t$6,%mm6\n\tpxor\t%mm5,%mm7\n\tpxor\t%mm1,%mm0\n\tpxor\t%mm7,%mm6\n\tmovq\t40(%esp),%mm5\n\tpaddq\t%mm6,%mm0\n\tmovq\t48(%esp),%mm6\n\tmovdqa\t%xmm2,-16(%edx)\n\tmovq\t8(%esp),%mm1\n\tpaddq\t%mm3,%mm0\n\tmovq\t24(%esp),%mm3\n\tmovq\t56(%esp),%mm7\n\tpxor\t%mm1,%mm2\n\tpaddq\t(%esi),%mm0\n\tpaddq\t8(%esi),%mm1\n\tpaddq\t16(%esi),%mm2\n\tpaddq\t24(%esi),%mm3\n\tpaddq\t32(%esi),%mm4\n\tpaddq\t40(%esi),%mm5\n\tpaddq\t48(%esi),%mm6\n\tpaddq\t56(%esi),%mm7\n\tmovq\t%mm0,(%esi)\n\tmovq\t%mm1,8(%esi)\n\tmovq\t%mm2,16(%esi)\n\tmovq\t%mm3,24(%esi)\n\tmovq\t%mm4,32(%esi)\n\tmovq\t%mm5,40(%esi)\n\tmovq\t%mm6,48(%esi)\n\tmovq\t%mm7,56(%esi)\n\tcmpl\t%eax,%edi\n\tjb\t.L005loop_ssse3\n\tmovl\t76(%edx),%esp\n\temms\n\tpopl\t%edi\n\tpopl\t%esi\n\tpopl\t%ebx\n\tpopl\t%ebp\n\tret\n.size\tsha512_block_data_order_ssse3,.-.L_sha512_block_data_order_ssse3_begin\n.align\t64\n.LK512:\n.long\t3609767458,1116352408\n.long\t602891725,1899447441\n.long\t3964484399,3049323471\n.long\t2173295548,3921009573\n.long\t4081628472,961987163\n.long\t3053834265,1508970993\n.long\t2937671579,2453635748\n.long\t3664609560,2870763221\n.long\t2734883394,3624381080\n.long\t1164996542,310598401\n.long\t1323610764,607225278\n.long\t3590304994,1426881987\n.long\t4068182383,1925078388\n.long\t991336113,2162078206\n.long\t633803317,2614888103\n.long\t3479774868,3248222580\n.long\t2666613458,3835390401\n.long\t944711139,4022224774\n.long\t2341262773,264347078\n.long\t2007800933,604807628\n.long\t1495990901,770255983\n.long\t1856431235,1249150122\n.long\t3175218132,1555081692\n.long\t2198950837,1996064986\n.long\t3999719339,2554220882\n.long\t766784016,2821834349\n.long\t2566594879,2952996808\n.long\t3203337956,3210313671\n.long\t1034457026,3336571891\n.long\t2466948901,3584528711\n.long\t3758326383,113926993\n.long\t168717936,338241895\n.long\t1188179964,666307205\n.long\t1546045734,773529912\n.long\t1522805485,1294757372\n.long\t2643833823,1396182291\n.long\t2343527390,1695183700\n.long\t1014477480,1986661051\n.long\t1206759142,2177026350\n.long\t344077627,2456956037\n.long\t1290863460,2730485921\n.long\t3158454273,2820302411\n.long\t3505952657,3259730800\n.long\t106217008,3345764771\n.long\t3606008344,3516065817\n.long\t1432725776,3600352804\n.long\t1467031594,4094571909\n.long\t851169720,275423344\n.long\t3100823752,430227734\n.long\t1363258195,506948616\n.long\t3750685593,659060556\n.long\t3785050280,883997877\n.long\t3318307427,958139571\n.long\t3812723403,1322822218\n.long\t2003034995,1537002063\n.long\t3602036899,1747873779\n.long\t1575990012,1955562222\n.long\t1125592928,2024104815\n.long\t2716904306,2227730452\n.long\t442776044,2361852424\n.long\t593698344,2428436474\n.long\t3733110249,2756734187\n.long\t2999351573,3204031479\n.long\t3815920427,3329325298\n.long\t3928383900,3391569614\n.long\t566280711,3515267271\n.long\t3454069534,3940187606\n.long\t4000239992,4118630271\n.long\t1914138554,116418474\n.long\t2731055270,174292421\n.long\t3203993006,289380356\n.long\t320620315,460393269\n.long\t587496836,685471733\n.long\t1086792851,852142971\n.long\t365543100,1017036298\n.long\t2618297676,1126000580\n.long\t3409855158,1288033470\n.long\t4234509866,1501505948\n.long\t987167468,1607167915\n.long\t1246189591,1816402316\n.long\t67438087,66051\n.long\t202182159,134810123\n.byte\t83,72,65,53,49,50,32,98,108,111,99,107,32,116,114,97\n.byte\t110,115,102,111,114,109,32,102,111,114,32,120,56,54,44,32\n.byte\t67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97\n.byte\t112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103\n.byte\t62,0\n#endif // !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86) && defined(__ELF__)\n#if defined(__linux__) && defined(__ELF__)\n.section .note.GNU-stack,\"\",%progbits\n#endif\n\n" }, { "path": "Sources/CNIOBoringSSL/gen/bcm/sha512-armv4-linux.S", "content": "#define BORINGSSL_PREFIX CNIOBoringSSL\n// This file is generated from a similarly-named Perl script in the BoringSSL\n// source tree. Do not edit by hand.\n\n#include \n\n#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_ARM) && defined(__ELF__)\n@ Copyright 2007-2016 The OpenSSL Project Authors. All Rights Reserved.\n@\n@ Licensed under the OpenSSL license (the \"License\"). You may not use\n@ this file except in compliance with the License. You can obtain a copy\n@ in the file LICENSE in the source distribution or at\n@ https://www.openssl.org/source/license.html\n\n\n@ ====================================================================\n@ Written by Andy Polyakov for the OpenSSL\n@ project. The module is, however, dual licensed under OpenSSL and\n@ CRYPTOGAMS licenses depending on where you obtain it. For further\n@ details see http://www.openssl.org/~appro/cryptogams/.\n@\n@ Permission to use under GPL terms is granted.\n@ ====================================================================\n\n@ SHA512 block procedure for ARMv4. September 2007.\n\n@ This code is ~4.5 (four and a half) times faster than code generated\n@ by gcc 3.4 and it spends ~72 clock cycles per byte [on single-issue\n@ Xscale PXA250 core].\n@\n@ July 2010.\n@\n@ Rescheduling for dual-issue pipeline resulted in 6% improvement on\n@ Cortex A8 core and ~40 cycles per processed byte.\n\n@ February 2011.\n@\n@ Profiler-assisted and platform-specific optimization resulted in 7%\n@ improvement on Coxtex A8 core and ~38 cycles per byte.\n\n@ March 2011.\n@\n@ Add NEON implementation. On Cortex A8 it was measured to process\n@ one byte in 23.3 cycles or ~60% faster than integer-only code.\n\n@ August 2012.\n@\n@ Improve NEON performance by 12% on Snapdragon S4. In absolute\n@ terms it's 22.6 cycles per byte, which is disappointing result.\n@ Technical writers asserted that 3-way S4 pipeline can sustain\n@ multiple NEON instructions per cycle, but dual NEON issue could\n@ not be observed, see http://www.openssl.org/~appro/Snapdragon-S4.html\n@ for further details. On side note Cortex-A15 processes one byte in\n@ 16 cycles.\n\n@ Byte order [in]dependence. =========================================\n@\n@ Originally caller was expected to maintain specific *dword* order in\n@ h[0-7], namely with most significant dword at *lower* address, which\n@ was reflected in below two parameters as 0 and 4. Now caller is\n@ expected to maintain native byte order for whole 64-bit values.\n#ifndef __KERNEL__\n# include \n# define VFP_ABI_PUSH\tvstmdb\tsp!,{d8-d15}\n# define VFP_ABI_POP\tvldmia\tsp!,{d8-d15}\n#else\n# define __ARM_MAX_ARCH__ 7\n# define VFP_ABI_PUSH\n# define VFP_ABI_POP\n#endif\n\n@ Silence ARMv8 deprecated IT instruction warnings. This file is used by both\n@ ARMv7 and ARMv8 processors and does not use ARMv8 instructions.\n.arch\tarmv7-a\n\n#ifdef __ARMEL__\n# define LO 0\n# define HI 4\n# define WORD64(hi0,lo0,hi1,lo1)\t.word\tlo0,hi0, lo1,hi1\n#else\n# define HI 0\n# define LO 4\n# define WORD64(hi0,lo0,hi1,lo1)\t.word\thi0,lo0, hi1,lo1\n#endif\n\n.text\n#if defined(__thumb2__)\n.syntax\tunified\n.thumb\n# define adrl adr\n#else\n.code\t32\n#endif\n\n.type\tK512,%object\n.align\t5\nK512:\n\tWORD64(0x428a2f98,0xd728ae22,\t0x71374491,0x23ef65cd)\n\tWORD64(0xb5c0fbcf,0xec4d3b2f,\t0xe9b5dba5,0x8189dbbc)\n\tWORD64(0x3956c25b,0xf348b538,\t0x59f111f1,0xb605d019)\n\tWORD64(0x923f82a4,0xaf194f9b,\t0xab1c5ed5,0xda6d8118)\n\tWORD64(0xd807aa98,0xa3030242,\t0x12835b01,0x45706fbe)\n\tWORD64(0x243185be,0x4ee4b28c,\t0x550c7dc3,0xd5ffb4e2)\n\tWORD64(0x72be5d74,0xf27b896f,\t0x80deb1fe,0x3b1696b1)\n\tWORD64(0x9bdc06a7,0x25c71235,\t0xc19bf174,0xcf692694)\n\tWORD64(0xe49b69c1,0x9ef14ad2,\t0xefbe4786,0x384f25e3)\n\tWORD64(0x0fc19dc6,0x8b8cd5b5,\t0x240ca1cc,0x77ac9c65)\n\tWORD64(0x2de92c6f,0x592b0275,\t0x4a7484aa,0x6ea6e483)\n\tWORD64(0x5cb0a9dc,0xbd41fbd4,\t0x76f988da,0x831153b5)\n\tWORD64(0x983e5152,0xee66dfab,\t0xa831c66d,0x2db43210)\n\tWORD64(0xb00327c8,0x98fb213f,\t0xbf597fc7,0xbeef0ee4)\n\tWORD64(0xc6e00bf3,0x3da88fc2,\t0xd5a79147,0x930aa725)\n\tWORD64(0x06ca6351,0xe003826f,\t0x14292967,0x0a0e6e70)\n\tWORD64(0x27b70a85,0x46d22ffc,\t0x2e1b2138,0x5c26c926)\n\tWORD64(0x4d2c6dfc,0x5ac42aed,\t0x53380d13,0x9d95b3df)\n\tWORD64(0x650a7354,0x8baf63de,\t0x766a0abb,0x3c77b2a8)\n\tWORD64(0x81c2c92e,0x47edaee6,\t0x92722c85,0x1482353b)\n\tWORD64(0xa2bfe8a1,0x4cf10364,\t0xa81a664b,0xbc423001)\n\tWORD64(0xc24b8b70,0xd0f89791,\t0xc76c51a3,0x0654be30)\n\tWORD64(0xd192e819,0xd6ef5218,\t0xd6990624,0x5565a910)\n\tWORD64(0xf40e3585,0x5771202a,\t0x106aa070,0x32bbd1b8)\n\tWORD64(0x19a4c116,0xb8d2d0c8,\t0x1e376c08,0x5141ab53)\n\tWORD64(0x2748774c,0xdf8eeb99,\t0x34b0bcb5,0xe19b48a8)\n\tWORD64(0x391c0cb3,0xc5c95a63,\t0x4ed8aa4a,0xe3418acb)\n\tWORD64(0x5b9cca4f,0x7763e373,\t0x682e6ff3,0xd6b2b8a3)\n\tWORD64(0x748f82ee,0x5defb2fc,\t0x78a5636f,0x43172f60)\n\tWORD64(0x84c87814,0xa1f0ab72,\t0x8cc70208,0x1a6439ec)\n\tWORD64(0x90befffa,0x23631e28,\t0xa4506ceb,0xde82bde9)\n\tWORD64(0xbef9a3f7,0xb2c67915,\t0xc67178f2,0xe372532b)\n\tWORD64(0xca273ece,0xea26619c,\t0xd186b8c7,0x21c0c207)\n\tWORD64(0xeada7dd6,0xcde0eb1e,\t0xf57d4f7f,0xee6ed178)\n\tWORD64(0x06f067aa,0x72176fba,\t0x0a637dc5,0xa2c898a6)\n\tWORD64(0x113f9804,0xbef90dae,\t0x1b710b35,0x131c471b)\n\tWORD64(0x28db77f5,0x23047d84,\t0x32caab7b,0x40c72493)\n\tWORD64(0x3c9ebe0a,0x15c9bebc,\t0x431d67c4,0x9c100d4c)\n\tWORD64(0x4cc5d4be,0xcb3e42b6,\t0x597f299c,0xfc657e2a)\n\tWORD64(0x5fcb6fab,0x3ad6faec,\t0x6c44198c,0x4a475817)\n.size\tK512,.-K512\n\n.globl\tsha512_block_data_order_nohw\n.hidden\tsha512_block_data_order_nohw\n.type\tsha512_block_data_order_nohw,%function\nsha512_block_data_order_nohw:\n\tadd\tr2,r1,r2,lsl#7\t@ len to point at the end of inp\n\tstmdb\tsp!,{r4,r5,r6,r7,r8,r9,r10,r11,r12,lr}\n\tadr\tr14,K512\n\tsub\tsp,sp,#9*8\n\n\tldr\tr7,[r0,#32+LO]\n\tldr\tr8,[r0,#32+HI]\n\tldr\tr9, [r0,#48+LO]\n\tldr\tr10, [r0,#48+HI]\n\tldr\tr11, [r0,#56+LO]\n\tldr\tr12, [r0,#56+HI]\n.Loop:\n\tstr\tr9, [sp,#48+0]\n\tstr\tr10, [sp,#48+4]\n\tstr\tr11, [sp,#56+0]\n\tstr\tr12, [sp,#56+4]\n\tldr\tr5,[r0,#0+LO]\n\tldr\tr6,[r0,#0+HI]\n\tldr\tr3,[r0,#8+LO]\n\tldr\tr4,[r0,#8+HI]\n\tldr\tr9, [r0,#16+LO]\n\tldr\tr10, [r0,#16+HI]\n\tldr\tr11, [r0,#24+LO]\n\tldr\tr12, [r0,#24+HI]\n\tstr\tr3,[sp,#8+0]\n\tstr\tr4,[sp,#8+4]\n\tstr\tr9, [sp,#16+0]\n\tstr\tr10, [sp,#16+4]\n\tstr\tr11, [sp,#24+0]\n\tstr\tr12, [sp,#24+4]\n\tldr\tr3,[r0,#40+LO]\n\tldr\tr4,[r0,#40+HI]\n\tstr\tr3,[sp,#40+0]\n\tstr\tr4,[sp,#40+4]\n\n.L00_15:\n#if __ARM_ARCH<7\n\tldrb\tr3,[r1,#7]\n\tldrb\tr9, [r1,#6]\n\tldrb\tr10, [r1,#5]\n\tldrb\tr11, [r1,#4]\n\tldrb\tr4,[r1,#3]\n\tldrb\tr12, [r1,#2]\n\torr\tr3,r3,r9,lsl#8\n\tldrb\tr9, [r1,#1]\n\torr\tr3,r3,r10,lsl#16\n\tldrb\tr10, [r1],#8\n\torr\tr3,r3,r11,lsl#24\n\torr\tr4,r4,r12,lsl#8\n\torr\tr4,r4,r9,lsl#16\n\torr\tr4,r4,r10,lsl#24\n#else\n\tldr\tr3,[r1,#4]\n\tldr\tr4,[r1],#8\n#ifdef __ARMEL__\n\trev\tr3,r3\n\trev\tr4,r4\n#endif\n#endif\n\t@ Sigma1(x)\t(ROTR((x),14) ^ ROTR((x),18) ^ ROTR((x),41))\n\t@ LO\t\tlo>>14^hi<<18 ^ lo>>18^hi<<14 ^ hi>>9^lo<<23\n\t@ HI\t\thi>>14^lo<<18 ^ hi>>18^lo<<14 ^ lo>>9^hi<<23\n\tmov\tr9,r7,lsr#14\n\tstr\tr3,[sp,#64+0]\n\tmov\tr10,r8,lsr#14\n\tstr\tr4,[sp,#64+4]\n\teor\tr9,r9,r8,lsl#18\n\tldr\tr11,[sp,#56+0]\t@ h.lo\n\teor\tr10,r10,r7,lsl#18\n\tldr\tr12,[sp,#56+4]\t@ h.hi\n\teor\tr9,r9,r7,lsr#18\n\teor\tr10,r10,r8,lsr#18\n\teor\tr9,r9,r8,lsl#14\n\teor\tr10,r10,r7,lsl#14\n\teor\tr9,r9,r8,lsr#9\n\teor\tr10,r10,r7,lsr#9\n\teor\tr9,r9,r7,lsl#23\n\teor\tr10,r10,r8,lsl#23\t@ Sigma1(e)\n\tadds\tr3,r3,r9\n\tldr\tr9,[sp,#40+0]\t@ f.lo\n\tadc\tr4,r4,r10\t\t@ T += Sigma1(e)\n\tldr\tr10,[sp,#40+4]\t@ f.hi\n\tadds\tr3,r3,r11\n\tldr\tr11,[sp,#48+0]\t@ g.lo\n\tadc\tr4,r4,r12\t\t@ T += h\n\tldr\tr12,[sp,#48+4]\t@ g.hi\n\n\teor\tr9,r9,r11\n\tstr\tr7,[sp,#32+0]\n\teor\tr10,r10,r12\n\tstr\tr8,[sp,#32+4]\n\tand\tr9,r9,r7\n\tstr\tr5,[sp,#0+0]\n\tand\tr10,r10,r8\n\tstr\tr6,[sp,#0+4]\n\teor\tr9,r9,r11\n\tldr\tr11,[r14,#LO]\t@ K[i].lo\n\teor\tr10,r10,r12\t\t@ Ch(e,f,g)\n\tldr\tr12,[r14,#HI]\t@ K[i].hi\n\n\tadds\tr3,r3,r9\n\tldr\tr7,[sp,#24+0]\t@ d.lo\n\tadc\tr4,r4,r10\t\t@ T += Ch(e,f,g)\n\tldr\tr8,[sp,#24+4]\t@ d.hi\n\tadds\tr3,r3,r11\n\tand\tr9,r11,#0xff\n\tadc\tr4,r4,r12\t\t@ T += K[i]\n\tadds\tr7,r7,r3\n\tldr\tr11,[sp,#8+0]\t@ b.lo\n\tadc\tr8,r8,r4\t\t@ d += T\n\tteq\tr9,#148\n\n\tldr\tr12,[sp,#16+0]\t@ c.lo\n#if __ARM_ARCH>=7\n\tit\teq\t\t\t@ Thumb2 thing, sanity check in ARM\n#endif\n\torreq\tr14,r14,#1\n\t@ Sigma0(x)\t(ROTR((x),28) ^ ROTR((x),34) ^ ROTR((x),39))\n\t@ LO\t\tlo>>28^hi<<4 ^ hi>>2^lo<<30 ^ hi>>7^lo<<25\n\t@ HI\t\thi>>28^lo<<4 ^ lo>>2^hi<<30 ^ lo>>7^hi<<25\n\tmov\tr9,r5,lsr#28\n\tmov\tr10,r6,lsr#28\n\teor\tr9,r9,r6,lsl#4\n\teor\tr10,r10,r5,lsl#4\n\teor\tr9,r9,r6,lsr#2\n\teor\tr10,r10,r5,lsr#2\n\teor\tr9,r9,r5,lsl#30\n\teor\tr10,r10,r6,lsl#30\n\teor\tr9,r9,r6,lsr#7\n\teor\tr10,r10,r5,lsr#7\n\teor\tr9,r9,r5,lsl#25\n\teor\tr10,r10,r6,lsl#25\t@ Sigma0(a)\n\tadds\tr3,r3,r9\n\tand\tr9,r5,r11\n\tadc\tr4,r4,r10\t\t@ T += Sigma0(a)\n\n\tldr\tr10,[sp,#8+4]\t@ b.hi\n\torr\tr5,r5,r11\n\tldr\tr11,[sp,#16+4]\t@ c.hi\n\tand\tr5,r5,r12\n\tand\tr12,r6,r10\n\torr\tr6,r6,r10\n\torr\tr5,r5,r9\t\t@ Maj(a,b,c).lo\n\tand\tr6,r6,r11\n\tadds\tr5,r5,r3\n\torr\tr6,r6,r12\t\t@ Maj(a,b,c).hi\n\tsub\tsp,sp,#8\n\tadc\tr6,r6,r4\t\t@ h += T\n\ttst\tr14,#1\n\tadd\tr14,r14,#8\n\ttst\tr14,#1\n\tbeq\t.L00_15\n\tldr\tr9,[sp,#184+0]\n\tldr\tr10,[sp,#184+4]\n\tbic\tr14,r14,#1\n.L16_79:\n\t@ sigma0(x)\t(ROTR((x),1) ^ ROTR((x),8) ^ ((x)>>7))\n\t@ LO\t\tlo>>1^hi<<31 ^ lo>>8^hi<<24 ^ lo>>7^hi<<25\n\t@ HI\t\thi>>1^lo<<31 ^ hi>>8^lo<<24 ^ hi>>7\n\tmov\tr3,r9,lsr#1\n\tldr\tr11,[sp,#80+0]\n\tmov\tr4,r10,lsr#1\n\tldr\tr12,[sp,#80+4]\n\teor\tr3,r3,r10,lsl#31\n\teor\tr4,r4,r9,lsl#31\n\teor\tr3,r3,r9,lsr#8\n\teor\tr4,r4,r10,lsr#8\n\teor\tr3,r3,r10,lsl#24\n\teor\tr4,r4,r9,lsl#24\n\teor\tr3,r3,r9,lsr#7\n\teor\tr4,r4,r10,lsr#7\n\teor\tr3,r3,r10,lsl#25\n\n\t@ sigma1(x)\t(ROTR((x),19) ^ ROTR((x),61) ^ ((x)>>6))\n\t@ LO\t\tlo>>19^hi<<13 ^ hi>>29^lo<<3 ^ lo>>6^hi<<26\n\t@ HI\t\thi>>19^lo<<13 ^ lo>>29^hi<<3 ^ hi>>6\n\tmov\tr9,r11,lsr#19\n\tmov\tr10,r12,lsr#19\n\teor\tr9,r9,r12,lsl#13\n\teor\tr10,r10,r11,lsl#13\n\teor\tr9,r9,r12,lsr#29\n\teor\tr10,r10,r11,lsr#29\n\teor\tr9,r9,r11,lsl#3\n\teor\tr10,r10,r12,lsl#3\n\teor\tr9,r9,r11,lsr#6\n\teor\tr10,r10,r12,lsr#6\n\tldr\tr11,[sp,#120+0]\n\teor\tr9,r9,r12,lsl#26\n\n\tldr\tr12,[sp,#120+4]\n\tadds\tr3,r3,r9\n\tldr\tr9,[sp,#192+0]\n\tadc\tr4,r4,r10\n\n\tldr\tr10,[sp,#192+4]\n\tadds\tr3,r3,r11\n\tadc\tr4,r4,r12\n\tadds\tr3,r3,r9\n\tadc\tr4,r4,r10\n\t@ Sigma1(x)\t(ROTR((x),14) ^ ROTR((x),18) ^ ROTR((x),41))\n\t@ LO\t\tlo>>14^hi<<18 ^ lo>>18^hi<<14 ^ hi>>9^lo<<23\n\t@ HI\t\thi>>14^lo<<18 ^ hi>>18^lo<<14 ^ lo>>9^hi<<23\n\tmov\tr9,r7,lsr#14\n\tstr\tr3,[sp,#64+0]\n\tmov\tr10,r8,lsr#14\n\tstr\tr4,[sp,#64+4]\n\teor\tr9,r9,r8,lsl#18\n\tldr\tr11,[sp,#56+0]\t@ h.lo\n\teor\tr10,r10,r7,lsl#18\n\tldr\tr12,[sp,#56+4]\t@ h.hi\n\teor\tr9,r9,r7,lsr#18\n\teor\tr10,r10,r8,lsr#18\n\teor\tr9,r9,r8,lsl#14\n\teor\tr10,r10,r7,lsl#14\n\teor\tr9,r9,r8,lsr#9\n\teor\tr10,r10,r7,lsr#9\n\teor\tr9,r9,r7,lsl#23\n\teor\tr10,r10,r8,lsl#23\t@ Sigma1(e)\n\tadds\tr3,r3,r9\n\tldr\tr9,[sp,#40+0]\t@ f.lo\n\tadc\tr4,r4,r10\t\t@ T += Sigma1(e)\n\tldr\tr10,[sp,#40+4]\t@ f.hi\n\tadds\tr3,r3,r11\n\tldr\tr11,[sp,#48+0]\t@ g.lo\n\tadc\tr4,r4,r12\t\t@ T += h\n\tldr\tr12,[sp,#48+4]\t@ g.hi\n\n\teor\tr9,r9,r11\n\tstr\tr7,[sp,#32+0]\n\teor\tr10,r10,r12\n\tstr\tr8,[sp,#32+4]\n\tand\tr9,r9,r7\n\tstr\tr5,[sp,#0+0]\n\tand\tr10,r10,r8\n\tstr\tr6,[sp,#0+4]\n\teor\tr9,r9,r11\n\tldr\tr11,[r14,#LO]\t@ K[i].lo\n\teor\tr10,r10,r12\t\t@ Ch(e,f,g)\n\tldr\tr12,[r14,#HI]\t@ K[i].hi\n\n\tadds\tr3,r3,r9\n\tldr\tr7,[sp,#24+0]\t@ d.lo\n\tadc\tr4,r4,r10\t\t@ T += Ch(e,f,g)\n\tldr\tr8,[sp,#24+4]\t@ d.hi\n\tadds\tr3,r3,r11\n\tand\tr9,r11,#0xff\n\tadc\tr4,r4,r12\t\t@ T += K[i]\n\tadds\tr7,r7,r3\n\tldr\tr11,[sp,#8+0]\t@ b.lo\n\tadc\tr8,r8,r4\t\t@ d += T\n\tteq\tr9,#23\n\n\tldr\tr12,[sp,#16+0]\t@ c.lo\n#if __ARM_ARCH>=7\n\tit\teq\t\t\t@ Thumb2 thing, sanity check in ARM\n#endif\n\torreq\tr14,r14,#1\n\t@ Sigma0(x)\t(ROTR((x),28) ^ ROTR((x),34) ^ ROTR((x),39))\n\t@ LO\t\tlo>>28^hi<<4 ^ hi>>2^lo<<30 ^ hi>>7^lo<<25\n\t@ HI\t\thi>>28^lo<<4 ^ lo>>2^hi<<30 ^ lo>>7^hi<<25\n\tmov\tr9,r5,lsr#28\n\tmov\tr10,r6,lsr#28\n\teor\tr9,r9,r6,lsl#4\n\teor\tr10,r10,r5,lsl#4\n\teor\tr9,r9,r6,lsr#2\n\teor\tr10,r10,r5,lsr#2\n\teor\tr9,r9,r5,lsl#30\n\teor\tr10,r10,r6,lsl#30\n\teor\tr9,r9,r6,lsr#7\n\teor\tr10,r10,r5,lsr#7\n\teor\tr9,r9,r5,lsl#25\n\teor\tr10,r10,r6,lsl#25\t@ Sigma0(a)\n\tadds\tr3,r3,r9\n\tand\tr9,r5,r11\n\tadc\tr4,r4,r10\t\t@ T += Sigma0(a)\n\n\tldr\tr10,[sp,#8+4]\t@ b.hi\n\torr\tr5,r5,r11\n\tldr\tr11,[sp,#16+4]\t@ c.hi\n\tand\tr5,r5,r12\n\tand\tr12,r6,r10\n\torr\tr6,r6,r10\n\torr\tr5,r5,r9\t\t@ Maj(a,b,c).lo\n\tand\tr6,r6,r11\n\tadds\tr5,r5,r3\n\torr\tr6,r6,r12\t\t@ Maj(a,b,c).hi\n\tsub\tsp,sp,#8\n\tadc\tr6,r6,r4\t\t@ h += T\n\ttst\tr14,#1\n\tadd\tr14,r14,#8\n#if __ARM_ARCH>=7\n\tittt\teq\t\t\t@ Thumb2 thing, sanity check in ARM\n#endif\n\tldreq\tr9,[sp,#184+0]\n\tldreq\tr10,[sp,#184+4]\n\tbeq\t.L16_79\n\tbic\tr14,r14,#1\n\n\tldr\tr3,[sp,#8+0]\n\tldr\tr4,[sp,#8+4]\n\tldr\tr9, [r0,#0+LO]\n\tldr\tr10, [r0,#0+HI]\n\tldr\tr11, [r0,#8+LO]\n\tldr\tr12, [r0,#8+HI]\n\tadds\tr9,r5,r9\n\tstr\tr9, [r0,#0+LO]\n\tadc\tr10,r6,r10\n\tstr\tr10, [r0,#0+HI]\n\tadds\tr11,r3,r11\n\tstr\tr11, [r0,#8+LO]\n\tadc\tr12,r4,r12\n\tstr\tr12, [r0,#8+HI]\n\n\tldr\tr5,[sp,#16+0]\n\tldr\tr6,[sp,#16+4]\n\tldr\tr3,[sp,#24+0]\n\tldr\tr4,[sp,#24+4]\n\tldr\tr9, [r0,#16+LO]\n\tldr\tr10, [r0,#16+HI]\n\tldr\tr11, [r0,#24+LO]\n\tldr\tr12, [r0,#24+HI]\n\tadds\tr9,r5,r9\n\tstr\tr9, [r0,#16+LO]\n\tadc\tr10,r6,r10\n\tstr\tr10, [r0,#16+HI]\n\tadds\tr11,r3,r11\n\tstr\tr11, [r0,#24+LO]\n\tadc\tr12,r4,r12\n\tstr\tr12, [r0,#24+HI]\n\n\tldr\tr3,[sp,#40+0]\n\tldr\tr4,[sp,#40+4]\n\tldr\tr9, [r0,#32+LO]\n\tldr\tr10, [r0,#32+HI]\n\tldr\tr11, [r0,#40+LO]\n\tldr\tr12, [r0,#40+HI]\n\tadds\tr7,r7,r9\n\tstr\tr7,[r0,#32+LO]\n\tadc\tr8,r8,r10\n\tstr\tr8,[r0,#32+HI]\n\tadds\tr11,r3,r11\n\tstr\tr11, [r0,#40+LO]\n\tadc\tr12,r4,r12\n\tstr\tr12, [r0,#40+HI]\n\n\tldr\tr5,[sp,#48+0]\n\tldr\tr6,[sp,#48+4]\n\tldr\tr3,[sp,#56+0]\n\tldr\tr4,[sp,#56+4]\n\tldr\tr9, [r0,#48+LO]\n\tldr\tr10, [r0,#48+HI]\n\tldr\tr11, [r0,#56+LO]\n\tldr\tr12, [r0,#56+HI]\n\tadds\tr9,r5,r9\n\tstr\tr9, [r0,#48+LO]\n\tadc\tr10,r6,r10\n\tstr\tr10, [r0,#48+HI]\n\tadds\tr11,r3,r11\n\tstr\tr11, [r0,#56+LO]\n\tadc\tr12,r4,r12\n\tstr\tr12, [r0,#56+HI]\n\n\tadd\tsp,sp,#640\n\tsub\tr14,r14,#640\n\n\tteq\tr1,r2\n\tbne\t.Loop\n\n\tadd\tsp,sp,#8*9\t\t@ destroy frame\n#if __ARM_ARCH>=5\n\tldmia\tsp!,{r4,r5,r6,r7,r8,r9,r10,r11,r12,pc}\n#else\n\tldmia\tsp!,{r4,r5,r6,r7,r8,r9,r10,r11,r12,lr}\n\ttst\tlr,#1\n\tmoveq\tpc,lr\t\t\t@ be binary compatible with V4, yet\n.word\t0xe12fff1e\t\t\t@ interoperable with Thumb ISA:-)\n#endif\n.size\tsha512_block_data_order_nohw,.-sha512_block_data_order_nohw\n#if __ARM_MAX_ARCH__>=7\n.arch\tarmv7-a\n.fpu\tneon\n\n.globl\tsha512_block_data_order_neon\n.hidden\tsha512_block_data_order_neon\n.type\tsha512_block_data_order_neon,%function\n.align\t4\nsha512_block_data_order_neon:\n\tdmb\t@ errata #451034 on early Cortex A8\n\tadd\tr2,r1,r2,lsl#7\t@ len to point at the end of inp\n\tadr\tr3,K512\n\tVFP_ABI_PUSH\n\tvldmia\tr0,{d16,d17,d18,d19,d20,d21,d22,d23}\t\t@ load context\n.Loop_neon:\n\tvshr.u64\td24,d20,#14\t@ 0\n#if 0<16\n\tvld1.64\t{d0},[r1]!\t@ handles unaligned\n#endif\n\tvshr.u64\td25,d20,#18\n#if 0>0\n\tvadd.i64\td16,d30\t\t\t@ h+=Maj from the past\n#endif\n\tvshr.u64\td26,d20,#41\n\tvld1.64\t{d28},[r3,:64]!\t@ K[i++]\n\tvsli.64\td24,d20,#50\n\tvsli.64\td25,d20,#46\n\tvmov\td29,d20\n\tvsli.64\td26,d20,#23\n#if 0<16 && defined(__ARMEL__)\n\tvrev64.8\td0,d0\n#endif\n\tveor\td25,d24\n\tvbsl\td29,d21,d22\t\t@ Ch(e,f,g)\n\tvshr.u64\td24,d16,#28\n\tveor\td26,d25\t\t\t@ Sigma1(e)\n\tvadd.i64\td27,d29,d23\n\tvshr.u64\td25,d16,#34\n\tvsli.64\td24,d16,#36\n\tvadd.i64\td27,d26\n\tvshr.u64\td26,d16,#39\n\tvadd.i64\td28,d0\n\tvsli.64\td25,d16,#30\n\tveor\td30,d16,d17\n\tvsli.64\td26,d16,#25\n\tveor\td23,d24,d25\n\tvadd.i64\td27,d28\n\tvbsl\td30,d18,d17\t\t@ Maj(a,b,c)\n\tveor\td23,d26\t\t\t@ Sigma0(a)\n\tvadd.i64\td19,d27\n\tvadd.i64\td30,d27\n\t@ vadd.i64\td23,d30\n\tvshr.u64\td24,d19,#14\t@ 1\n#if 1<16\n\tvld1.64\t{d1},[r1]!\t@ handles unaligned\n#endif\n\tvshr.u64\td25,d19,#18\n#if 1>0\n\tvadd.i64\td23,d30\t\t\t@ h+=Maj from the past\n#endif\n\tvshr.u64\td26,d19,#41\n\tvld1.64\t{d28},[r3,:64]!\t@ K[i++]\n\tvsli.64\td24,d19,#50\n\tvsli.64\td25,d19,#46\n\tvmov\td29,d19\n\tvsli.64\td26,d19,#23\n#if 1<16 && defined(__ARMEL__)\n\tvrev64.8\td1,d1\n#endif\n\tveor\td25,d24\n\tvbsl\td29,d20,d21\t\t@ Ch(e,f,g)\n\tvshr.u64\td24,d23,#28\n\tveor\td26,d25\t\t\t@ Sigma1(e)\n\tvadd.i64\td27,d29,d22\n\tvshr.u64\td25,d23,#34\n\tvsli.64\td24,d23,#36\n\tvadd.i64\td27,d26\n\tvshr.u64\td26,d23,#39\n\tvadd.i64\td28,d1\n\tvsli.64\td25,d23,#30\n\tveor\td30,d23,d16\n\tvsli.64\td26,d23,#25\n\tveor\td22,d24,d25\n\tvadd.i64\td27,d28\n\tvbsl\td30,d17,d16\t\t@ Maj(a,b,c)\n\tveor\td22,d26\t\t\t@ Sigma0(a)\n\tvadd.i64\td18,d27\n\tvadd.i64\td30,d27\n\t@ vadd.i64\td22,d30\n\tvshr.u64\td24,d18,#14\t@ 2\n#if 2<16\n\tvld1.64\t{d2},[r1]!\t@ handles unaligned\n#endif\n\tvshr.u64\td25,d18,#18\n#if 2>0\n\tvadd.i64\td22,d30\t\t\t@ h+=Maj from the past\n#endif\n\tvshr.u64\td26,d18,#41\n\tvld1.64\t{d28},[r3,:64]!\t@ K[i++]\n\tvsli.64\td24,d18,#50\n\tvsli.64\td25,d18,#46\n\tvmov\td29,d18\n\tvsli.64\td26,d18,#23\n#if 2<16 && defined(__ARMEL__)\n\tvrev64.8\td2,d2\n#endif\n\tveor\td25,d24\n\tvbsl\td29,d19,d20\t\t@ Ch(e,f,g)\n\tvshr.u64\td24,d22,#28\n\tveor\td26,d25\t\t\t@ Sigma1(e)\n\tvadd.i64\td27,d29,d21\n\tvshr.u64\td25,d22,#34\n\tvsli.64\td24,d22,#36\n\tvadd.i64\td27,d26\n\tvshr.u64\td26,d22,#39\n\tvadd.i64\td28,d2\n\tvsli.64\td25,d22,#30\n\tveor\td30,d22,d23\n\tvsli.64\td26,d22,#25\n\tveor\td21,d24,d25\n\tvadd.i64\td27,d28\n\tvbsl\td30,d16,d23\t\t@ Maj(a,b,c)\n\tveor\td21,d26\t\t\t@ Sigma0(a)\n\tvadd.i64\td17,d27\n\tvadd.i64\td30,d27\n\t@ vadd.i64\td21,d30\n\tvshr.u64\td24,d17,#14\t@ 3\n#if 3<16\n\tvld1.64\t{d3},[r1]!\t@ handles unaligned\n#endif\n\tvshr.u64\td25,d17,#18\n#if 3>0\n\tvadd.i64\td21,d30\t\t\t@ h+=Maj from the past\n#endif\n\tvshr.u64\td26,d17,#41\n\tvld1.64\t{d28},[r3,:64]!\t@ K[i++]\n\tvsli.64\td24,d17,#50\n\tvsli.64\td25,d17,#46\n\tvmov\td29,d17\n\tvsli.64\td26,d17,#23\n#if 3<16 && defined(__ARMEL__)\n\tvrev64.8\td3,d3\n#endif\n\tveor\td25,d24\n\tvbsl\td29,d18,d19\t\t@ Ch(e,f,g)\n\tvshr.u64\td24,d21,#28\n\tveor\td26,d25\t\t\t@ Sigma1(e)\n\tvadd.i64\td27,d29,d20\n\tvshr.u64\td25,d21,#34\n\tvsli.64\td24,d21,#36\n\tvadd.i64\td27,d26\n\tvshr.u64\td26,d21,#39\n\tvadd.i64\td28,d3\n\tvsli.64\td25,d21,#30\n\tveor\td30,d21,d22\n\tvsli.64\td26,d21,#25\n\tveor\td20,d24,d25\n\tvadd.i64\td27,d28\n\tvbsl\td30,d23,d22\t\t@ Maj(a,b,c)\n\tveor\td20,d26\t\t\t@ Sigma0(a)\n\tvadd.i64\td16,d27\n\tvadd.i64\td30,d27\n\t@ vadd.i64\td20,d30\n\tvshr.u64\td24,d16,#14\t@ 4\n#if 4<16\n\tvld1.64\t{d4},[r1]!\t@ handles unaligned\n#endif\n\tvshr.u64\td25,d16,#18\n#if 4>0\n\tvadd.i64\td20,d30\t\t\t@ h+=Maj from the past\n#endif\n\tvshr.u64\td26,d16,#41\n\tvld1.64\t{d28},[r3,:64]!\t@ K[i++]\n\tvsli.64\td24,d16,#50\n\tvsli.64\td25,d16,#46\n\tvmov\td29,d16\n\tvsli.64\td26,d16,#23\n#if 4<16 && defined(__ARMEL__)\n\tvrev64.8\td4,d4\n#endif\n\tveor\td25,d24\n\tvbsl\td29,d17,d18\t\t@ Ch(e,f,g)\n\tvshr.u64\td24,d20,#28\n\tveor\td26,d25\t\t\t@ Sigma1(e)\n\tvadd.i64\td27,d29,d19\n\tvshr.u64\td25,d20,#34\n\tvsli.64\td24,d20,#36\n\tvadd.i64\td27,d26\n\tvshr.u64\td26,d20,#39\n\tvadd.i64\td28,d4\n\tvsli.64\td25,d20,#30\n\tveor\td30,d20,d21\n\tvsli.64\td26,d20,#25\n\tveor\td19,d24,d25\n\tvadd.i64\td27,d28\n\tvbsl\td30,d22,d21\t\t@ Maj(a,b,c)\n\tveor\td19,d26\t\t\t@ Sigma0(a)\n\tvadd.i64\td23,d27\n\tvadd.i64\td30,d27\n\t@ vadd.i64\td19,d30\n\tvshr.u64\td24,d23,#14\t@ 5\n#if 5<16\n\tvld1.64\t{d5},[r1]!\t@ handles unaligned\n#endif\n\tvshr.u64\td25,d23,#18\n#if 5>0\n\tvadd.i64\td19,d30\t\t\t@ h+=Maj from the past\n#endif\n\tvshr.u64\td26,d23,#41\n\tvld1.64\t{d28},[r3,:64]!\t@ K[i++]\n\tvsli.64\td24,d23,#50\n\tvsli.64\td25,d23,#46\n\tvmov\td29,d23\n\tvsli.64\td26,d23,#23\n#if 5<16 && defined(__ARMEL__)\n\tvrev64.8\td5,d5\n#endif\n\tveor\td25,d24\n\tvbsl\td29,d16,d17\t\t@ Ch(e,f,g)\n\tvshr.u64\td24,d19,#28\n\tveor\td26,d25\t\t\t@ Sigma1(e)\n\tvadd.i64\td27,d29,d18\n\tvshr.u64\td25,d19,#34\n\tvsli.64\td24,d19,#36\n\tvadd.i64\td27,d26\n\tvshr.u64\td26,d19,#39\n\tvadd.i64\td28,d5\n\tvsli.64\td25,d19,#30\n\tveor\td30,d19,d20\n\tvsli.64\td26,d19,#25\n\tveor\td18,d24,d25\n\tvadd.i64\td27,d28\n\tvbsl\td30,d21,d20\t\t@ Maj(a,b,c)\n\tveor\td18,d26\t\t\t@ Sigma0(a)\n\tvadd.i64\td22,d27\n\tvadd.i64\td30,d27\n\t@ vadd.i64\td18,d30\n\tvshr.u64\td24,d22,#14\t@ 6\n#if 6<16\n\tvld1.64\t{d6},[r1]!\t@ handles unaligned\n#endif\n\tvshr.u64\td25,d22,#18\n#if 6>0\n\tvadd.i64\td18,d30\t\t\t@ h+=Maj from the past\n#endif\n\tvshr.u64\td26,d22,#41\n\tvld1.64\t{d28},[r3,:64]!\t@ K[i++]\n\tvsli.64\td24,d22,#50\n\tvsli.64\td25,d22,#46\n\tvmov\td29,d22\n\tvsli.64\td26,d22,#23\n#if 6<16 && defined(__ARMEL__)\n\tvrev64.8\td6,d6\n#endif\n\tveor\td25,d24\n\tvbsl\td29,d23,d16\t\t@ Ch(e,f,g)\n\tvshr.u64\td24,d18,#28\n\tveor\td26,d25\t\t\t@ Sigma1(e)\n\tvadd.i64\td27,d29,d17\n\tvshr.u64\td25,d18,#34\n\tvsli.64\td24,d18,#36\n\tvadd.i64\td27,d26\n\tvshr.u64\td26,d18,#39\n\tvadd.i64\td28,d6\n\tvsli.64\td25,d18,#30\n\tveor\td30,d18,d19\n\tvsli.64\td26,d18,#25\n\tveor\td17,d24,d25\n\tvadd.i64\td27,d28\n\tvbsl\td30,d20,d19\t\t@ Maj(a,b,c)\n\tveor\td17,d26\t\t\t@ Sigma0(a)\n\tvadd.i64\td21,d27\n\tvadd.i64\td30,d27\n\t@ vadd.i64\td17,d30\n\tvshr.u64\td24,d21,#14\t@ 7\n#if 7<16\n\tvld1.64\t{d7},[r1]!\t@ handles unaligned\n#endif\n\tvshr.u64\td25,d21,#18\n#if 7>0\n\tvadd.i64\td17,d30\t\t\t@ h+=Maj from the past\n#endif\n\tvshr.u64\td26,d21,#41\n\tvld1.64\t{d28},[r3,:64]!\t@ K[i++]\n\tvsli.64\td24,d21,#50\n\tvsli.64\td25,d21,#46\n\tvmov\td29,d21\n\tvsli.64\td26,d21,#23\n#if 7<16 && defined(__ARMEL__)\n\tvrev64.8\td7,d7\n#endif\n\tveor\td25,d24\n\tvbsl\td29,d22,d23\t\t@ Ch(e,f,g)\n\tvshr.u64\td24,d17,#28\n\tveor\td26,d25\t\t\t@ Sigma1(e)\n\tvadd.i64\td27,d29,d16\n\tvshr.u64\td25,d17,#34\n\tvsli.64\td24,d17,#36\n\tvadd.i64\td27,d26\n\tvshr.u64\td26,d17,#39\n\tvadd.i64\td28,d7\n\tvsli.64\td25,d17,#30\n\tveor\td30,d17,d18\n\tvsli.64\td26,d17,#25\n\tveor\td16,d24,d25\n\tvadd.i64\td27,d28\n\tvbsl\td30,d19,d18\t\t@ Maj(a,b,c)\n\tveor\td16,d26\t\t\t@ Sigma0(a)\n\tvadd.i64\td20,d27\n\tvadd.i64\td30,d27\n\t@ vadd.i64\td16,d30\n\tvshr.u64\td24,d20,#14\t@ 8\n#if 8<16\n\tvld1.64\t{d8},[r1]!\t@ handles unaligned\n#endif\n\tvshr.u64\td25,d20,#18\n#if 8>0\n\tvadd.i64\td16,d30\t\t\t@ h+=Maj from the past\n#endif\n\tvshr.u64\td26,d20,#41\n\tvld1.64\t{d28},[r3,:64]!\t@ K[i++]\n\tvsli.64\td24,d20,#50\n\tvsli.64\td25,d20,#46\n\tvmov\td29,d20\n\tvsli.64\td26,d20,#23\n#if 8<16 && defined(__ARMEL__)\n\tvrev64.8\td8,d8\n#endif\n\tveor\td25,d24\n\tvbsl\td29,d21,d22\t\t@ Ch(e,f,g)\n\tvshr.u64\td24,d16,#28\n\tveor\td26,d25\t\t\t@ Sigma1(e)\n\tvadd.i64\td27,d29,d23\n\tvshr.u64\td25,d16,#34\n\tvsli.64\td24,d16,#36\n\tvadd.i64\td27,d26\n\tvshr.u64\td26,d16,#39\n\tvadd.i64\td28,d8\n\tvsli.64\td25,d16,#30\n\tveor\td30,d16,d17\n\tvsli.64\td26,d16,#25\n\tveor\td23,d24,d25\n\tvadd.i64\td27,d28\n\tvbsl\td30,d18,d17\t\t@ Maj(a,b,c)\n\tveor\td23,d26\t\t\t@ Sigma0(a)\n\tvadd.i64\td19,d27\n\tvadd.i64\td30,d27\n\t@ vadd.i64\td23,d30\n\tvshr.u64\td24,d19,#14\t@ 9\n#if 9<16\n\tvld1.64\t{d9},[r1]!\t@ handles unaligned\n#endif\n\tvshr.u64\td25,d19,#18\n#if 9>0\n\tvadd.i64\td23,d30\t\t\t@ h+=Maj from the past\n#endif\n\tvshr.u64\td26,d19,#41\n\tvld1.64\t{d28},[r3,:64]!\t@ K[i++]\n\tvsli.64\td24,d19,#50\n\tvsli.64\td25,d19,#46\n\tvmov\td29,d19\n\tvsli.64\td26,d19,#23\n#if 9<16 && defined(__ARMEL__)\n\tvrev64.8\td9,d9\n#endif\n\tveor\td25,d24\n\tvbsl\td29,d20,d21\t\t@ Ch(e,f,g)\n\tvshr.u64\td24,d23,#28\n\tveor\td26,d25\t\t\t@ Sigma1(e)\n\tvadd.i64\td27,d29,d22\n\tvshr.u64\td25,d23,#34\n\tvsli.64\td24,d23,#36\n\tvadd.i64\td27,d26\n\tvshr.u64\td26,d23,#39\n\tvadd.i64\td28,d9\n\tvsli.64\td25,d23,#30\n\tveor\td30,d23,d16\n\tvsli.64\td26,d23,#25\n\tveor\td22,d24,d25\n\tvadd.i64\td27,d28\n\tvbsl\td30,d17,d16\t\t@ Maj(a,b,c)\n\tveor\td22,d26\t\t\t@ Sigma0(a)\n\tvadd.i64\td18,d27\n\tvadd.i64\td30,d27\n\t@ vadd.i64\td22,d30\n\tvshr.u64\td24,d18,#14\t@ 10\n#if 10<16\n\tvld1.64\t{d10},[r1]!\t@ handles unaligned\n#endif\n\tvshr.u64\td25,d18,#18\n#if 10>0\n\tvadd.i64\td22,d30\t\t\t@ h+=Maj from the past\n#endif\n\tvshr.u64\td26,d18,#41\n\tvld1.64\t{d28},[r3,:64]!\t@ K[i++]\n\tvsli.64\td24,d18,#50\n\tvsli.64\td25,d18,#46\n\tvmov\td29,d18\n\tvsli.64\td26,d18,#23\n#if 10<16 && defined(__ARMEL__)\n\tvrev64.8\td10,d10\n#endif\n\tveor\td25,d24\n\tvbsl\td29,d19,d20\t\t@ Ch(e,f,g)\n\tvshr.u64\td24,d22,#28\n\tveor\td26,d25\t\t\t@ Sigma1(e)\n\tvadd.i64\td27,d29,d21\n\tvshr.u64\td25,d22,#34\n\tvsli.64\td24,d22,#36\n\tvadd.i64\td27,d26\n\tvshr.u64\td26,d22,#39\n\tvadd.i64\td28,d10\n\tvsli.64\td25,d22,#30\n\tveor\td30,d22,d23\n\tvsli.64\td26,d22,#25\n\tveor\td21,d24,d25\n\tvadd.i64\td27,d28\n\tvbsl\td30,d16,d23\t\t@ Maj(a,b,c)\n\tveor\td21,d26\t\t\t@ Sigma0(a)\n\tvadd.i64\td17,d27\n\tvadd.i64\td30,d27\n\t@ vadd.i64\td21,d30\n\tvshr.u64\td24,d17,#14\t@ 11\n#if 11<16\n\tvld1.64\t{d11},[r1]!\t@ handles unaligned\n#endif\n\tvshr.u64\td25,d17,#18\n#if 11>0\n\tvadd.i64\td21,d30\t\t\t@ h+=Maj from the past\n#endif\n\tvshr.u64\td26,d17,#41\n\tvld1.64\t{d28},[r3,:64]!\t@ K[i++]\n\tvsli.64\td24,d17,#50\n\tvsli.64\td25,d17,#46\n\tvmov\td29,d17\n\tvsli.64\td26,d17,#23\n#if 11<16 && defined(__ARMEL__)\n\tvrev64.8\td11,d11\n#endif\n\tveor\td25,d24\n\tvbsl\td29,d18,d19\t\t@ Ch(e,f,g)\n\tvshr.u64\td24,d21,#28\n\tveor\td26,d25\t\t\t@ Sigma1(e)\n\tvadd.i64\td27,d29,d20\n\tvshr.u64\td25,d21,#34\n\tvsli.64\td24,d21,#36\n\tvadd.i64\td27,d26\n\tvshr.u64\td26,d21,#39\n\tvadd.i64\td28,d11\n\tvsli.64\td25,d21,#30\n\tveor\td30,d21,d22\n\tvsli.64\td26,d21,#25\n\tveor\td20,d24,d25\n\tvadd.i64\td27,d28\n\tvbsl\td30,d23,d22\t\t@ Maj(a,b,c)\n\tveor\td20,d26\t\t\t@ Sigma0(a)\n\tvadd.i64\td16,d27\n\tvadd.i64\td30,d27\n\t@ vadd.i64\td20,d30\n\tvshr.u64\td24,d16,#14\t@ 12\n#if 12<16\n\tvld1.64\t{d12},[r1]!\t@ handles unaligned\n#endif\n\tvshr.u64\td25,d16,#18\n#if 12>0\n\tvadd.i64\td20,d30\t\t\t@ h+=Maj from the past\n#endif\n\tvshr.u64\td26,d16,#41\n\tvld1.64\t{d28},[r3,:64]!\t@ K[i++]\n\tvsli.64\td24,d16,#50\n\tvsli.64\td25,d16,#46\n\tvmov\td29,d16\n\tvsli.64\td26,d16,#23\n#if 12<16 && defined(__ARMEL__)\n\tvrev64.8\td12,d12\n#endif\n\tveor\td25,d24\n\tvbsl\td29,d17,d18\t\t@ Ch(e,f,g)\n\tvshr.u64\td24,d20,#28\n\tveor\td26,d25\t\t\t@ Sigma1(e)\n\tvadd.i64\td27,d29,d19\n\tvshr.u64\td25,d20,#34\n\tvsli.64\td24,d20,#36\n\tvadd.i64\td27,d26\n\tvshr.u64\td26,d20,#39\n\tvadd.i64\td28,d12\n\tvsli.64\td25,d20,#30\n\tveor\td30,d20,d21\n\tvsli.64\td26,d20,#25\n\tveor\td19,d24,d25\n\tvadd.i64\td27,d28\n\tvbsl\td30,d22,d21\t\t@ Maj(a,b,c)\n\tveor\td19,d26\t\t\t@ Sigma0(a)\n\tvadd.i64\td23,d27\n\tvadd.i64\td30,d27\n\t@ vadd.i64\td19,d30\n\tvshr.u64\td24,d23,#14\t@ 13\n#if 13<16\n\tvld1.64\t{d13},[r1]!\t@ handles unaligned\n#endif\n\tvshr.u64\td25,d23,#18\n#if 13>0\n\tvadd.i64\td19,d30\t\t\t@ h+=Maj from the past\n#endif\n\tvshr.u64\td26,d23,#41\n\tvld1.64\t{d28},[r3,:64]!\t@ K[i++]\n\tvsli.64\td24,d23,#50\n\tvsli.64\td25,d23,#46\n\tvmov\td29,d23\n\tvsli.64\td26,d23,#23\n#if 13<16 && defined(__ARMEL__)\n\tvrev64.8\td13,d13\n#endif\n\tveor\td25,d24\n\tvbsl\td29,d16,d17\t\t@ Ch(e,f,g)\n\tvshr.u64\td24,d19,#28\n\tveor\td26,d25\t\t\t@ Sigma1(e)\n\tvadd.i64\td27,d29,d18\n\tvshr.u64\td25,d19,#34\n\tvsli.64\td24,d19,#36\n\tvadd.i64\td27,d26\n\tvshr.u64\td26,d19,#39\n\tvadd.i64\td28,d13\n\tvsli.64\td25,d19,#30\n\tveor\td30,d19,d20\n\tvsli.64\td26,d19,#25\n\tveor\td18,d24,d25\n\tvadd.i64\td27,d28\n\tvbsl\td30,d21,d20\t\t@ Maj(a,b,c)\n\tveor\td18,d26\t\t\t@ Sigma0(a)\n\tvadd.i64\td22,d27\n\tvadd.i64\td30,d27\n\t@ vadd.i64\td18,d30\n\tvshr.u64\td24,d22,#14\t@ 14\n#if 14<16\n\tvld1.64\t{d14},[r1]!\t@ handles unaligned\n#endif\n\tvshr.u64\td25,d22,#18\n#if 14>0\n\tvadd.i64\td18,d30\t\t\t@ h+=Maj from the past\n#endif\n\tvshr.u64\td26,d22,#41\n\tvld1.64\t{d28},[r3,:64]!\t@ K[i++]\n\tvsli.64\td24,d22,#50\n\tvsli.64\td25,d22,#46\n\tvmov\td29,d22\n\tvsli.64\td26,d22,#23\n#if 14<16 && defined(__ARMEL__)\n\tvrev64.8\td14,d14\n#endif\n\tveor\td25,d24\n\tvbsl\td29,d23,d16\t\t@ Ch(e,f,g)\n\tvshr.u64\td24,d18,#28\n\tveor\td26,d25\t\t\t@ Sigma1(e)\n\tvadd.i64\td27,d29,d17\n\tvshr.u64\td25,d18,#34\n\tvsli.64\td24,d18,#36\n\tvadd.i64\td27,d26\n\tvshr.u64\td26,d18,#39\n\tvadd.i64\td28,d14\n\tvsli.64\td25,d18,#30\n\tveor\td30,d18,d19\n\tvsli.64\td26,d18,#25\n\tveor\td17,d24,d25\n\tvadd.i64\td27,d28\n\tvbsl\td30,d20,d19\t\t@ Maj(a,b,c)\n\tveor\td17,d26\t\t\t@ Sigma0(a)\n\tvadd.i64\td21,d27\n\tvadd.i64\td30,d27\n\t@ vadd.i64\td17,d30\n\tvshr.u64\td24,d21,#14\t@ 15\n#if 15<16\n\tvld1.64\t{d15},[r1]!\t@ handles unaligned\n#endif\n\tvshr.u64\td25,d21,#18\n#if 15>0\n\tvadd.i64\td17,d30\t\t\t@ h+=Maj from the past\n#endif\n\tvshr.u64\td26,d21,#41\n\tvld1.64\t{d28},[r3,:64]!\t@ K[i++]\n\tvsli.64\td24,d21,#50\n\tvsli.64\td25,d21,#46\n\tvmov\td29,d21\n\tvsli.64\td26,d21,#23\n#if 15<16 && defined(__ARMEL__)\n\tvrev64.8\td15,d15\n#endif\n\tveor\td25,d24\n\tvbsl\td29,d22,d23\t\t@ Ch(e,f,g)\n\tvshr.u64\td24,d17,#28\n\tveor\td26,d25\t\t\t@ Sigma1(e)\n\tvadd.i64\td27,d29,d16\n\tvshr.u64\td25,d17,#34\n\tvsli.64\td24,d17,#36\n\tvadd.i64\td27,d26\n\tvshr.u64\td26,d17,#39\n\tvadd.i64\td28,d15\n\tvsli.64\td25,d17,#30\n\tveor\td30,d17,d18\n\tvsli.64\td26,d17,#25\n\tveor\td16,d24,d25\n\tvadd.i64\td27,d28\n\tvbsl\td30,d19,d18\t\t@ Maj(a,b,c)\n\tveor\td16,d26\t\t\t@ Sigma0(a)\n\tvadd.i64\td20,d27\n\tvadd.i64\td30,d27\n\t@ vadd.i64\td16,d30\n\tmov\tr12,#4\n.L16_79_neon:\n\tsubs\tr12,#1\n\tvshr.u64\tq12,q7,#19\n\tvshr.u64\tq13,q7,#61\n\tvadd.i64\td16,d30\t\t\t@ h+=Maj from the past\n\tvshr.u64\tq15,q7,#6\n\tvsli.64\tq12,q7,#45\n\tvext.8\tq14,q0,q1,#8\t@ X[i+1]\n\tvsli.64\tq13,q7,#3\n\tveor\tq15,q12\n\tvshr.u64\tq12,q14,#1\n\tveor\tq15,q13\t\t\t\t@ sigma1(X[i+14])\n\tvshr.u64\tq13,q14,#8\n\tvadd.i64\tq0,q15\n\tvshr.u64\tq15,q14,#7\n\tvsli.64\tq12,q14,#63\n\tvsli.64\tq13,q14,#56\n\tvext.8\tq14,q4,q5,#8\t@ X[i+9]\n\tveor\tq15,q12\n\tvshr.u64\td24,d20,#14\t\t@ from NEON_00_15\n\tvadd.i64\tq0,q14\n\tvshr.u64\td25,d20,#18\t\t@ from NEON_00_15\n\tveor\tq15,q13\t\t\t\t@ sigma0(X[i+1])\n\tvshr.u64\td26,d20,#41\t\t@ from NEON_00_15\n\tvadd.i64\tq0,q15\n\tvld1.64\t{d28},[r3,:64]!\t@ K[i++]\n\tvsli.64\td24,d20,#50\n\tvsli.64\td25,d20,#46\n\tvmov\td29,d20\n\tvsli.64\td26,d20,#23\n#if 16<16 && defined(__ARMEL__)\n\tvrev64.8\t,\n#endif\n\tveor\td25,d24\n\tvbsl\td29,d21,d22\t\t@ Ch(e,f,g)\n\tvshr.u64\td24,d16,#28\n\tveor\td26,d25\t\t\t@ Sigma1(e)\n\tvadd.i64\td27,d29,d23\n\tvshr.u64\td25,d16,#34\n\tvsli.64\td24,d16,#36\n\tvadd.i64\td27,d26\n\tvshr.u64\td26,d16,#39\n\tvadd.i64\td28,d0\n\tvsli.64\td25,d16,#30\n\tveor\td30,d16,d17\n\tvsli.64\td26,d16,#25\n\tveor\td23,d24,d25\n\tvadd.i64\td27,d28\n\tvbsl\td30,d18,d17\t\t@ Maj(a,b,c)\n\tveor\td23,d26\t\t\t@ Sigma0(a)\n\tvadd.i64\td19,d27\n\tvadd.i64\td30,d27\n\t@ vadd.i64\td23,d30\n\tvshr.u64\td24,d19,#14\t@ 17\n#if 17<16\n\tvld1.64\t{d1},[r1]!\t@ handles unaligned\n#endif\n\tvshr.u64\td25,d19,#18\n#if 17>0\n\tvadd.i64\td23,d30\t\t\t@ h+=Maj from the past\n#endif\n\tvshr.u64\td26,d19,#41\n\tvld1.64\t{d28},[r3,:64]!\t@ K[i++]\n\tvsli.64\td24,d19,#50\n\tvsli.64\td25,d19,#46\n\tvmov\td29,d19\n\tvsli.64\td26,d19,#23\n#if 17<16 && defined(__ARMEL__)\n\tvrev64.8\t,\n#endif\n\tveor\td25,d24\n\tvbsl\td29,d20,d21\t\t@ Ch(e,f,g)\n\tvshr.u64\td24,d23,#28\n\tveor\td26,d25\t\t\t@ Sigma1(e)\n\tvadd.i64\td27,d29,d22\n\tvshr.u64\td25,d23,#34\n\tvsli.64\td24,d23,#36\n\tvadd.i64\td27,d26\n\tvshr.u64\td26,d23,#39\n\tvadd.i64\td28,d1\n\tvsli.64\td25,d23,#30\n\tveor\td30,d23,d16\n\tvsli.64\td26,d23,#25\n\tveor\td22,d24,d25\n\tvadd.i64\td27,d28\n\tvbsl\td30,d17,d16\t\t@ Maj(a,b,c)\n\tveor\td22,d26\t\t\t@ Sigma0(a)\n\tvadd.i64\td18,d27\n\tvadd.i64\td30,d27\n\t@ vadd.i64\td22,d30\n\tvshr.u64\tq12,q0,#19\n\tvshr.u64\tq13,q0,#61\n\tvadd.i64\td22,d30\t\t\t@ h+=Maj from the past\n\tvshr.u64\tq15,q0,#6\n\tvsli.64\tq12,q0,#45\n\tvext.8\tq14,q1,q2,#8\t@ X[i+1]\n\tvsli.64\tq13,q0,#3\n\tveor\tq15,q12\n\tvshr.u64\tq12,q14,#1\n\tveor\tq15,q13\t\t\t\t@ sigma1(X[i+14])\n\tvshr.u64\tq13,q14,#8\n\tvadd.i64\tq1,q15\n\tvshr.u64\tq15,q14,#7\n\tvsli.64\tq12,q14,#63\n\tvsli.64\tq13,q14,#56\n\tvext.8\tq14,q5,q6,#8\t@ X[i+9]\n\tveor\tq15,q12\n\tvshr.u64\td24,d18,#14\t\t@ from NEON_00_15\n\tvadd.i64\tq1,q14\n\tvshr.u64\td25,d18,#18\t\t@ from NEON_00_15\n\tveor\tq15,q13\t\t\t\t@ sigma0(X[i+1])\n\tvshr.u64\td26,d18,#41\t\t@ from NEON_00_15\n\tvadd.i64\tq1,q15\n\tvld1.64\t{d28},[r3,:64]!\t@ K[i++]\n\tvsli.64\td24,d18,#50\n\tvsli.64\td25,d18,#46\n\tvmov\td29,d18\n\tvsli.64\td26,d18,#23\n#if 18<16 && defined(__ARMEL__)\n\tvrev64.8\t,\n#endif\n\tveor\td25,d24\n\tvbsl\td29,d19,d20\t\t@ Ch(e,f,g)\n\tvshr.u64\td24,d22,#28\n\tveor\td26,d25\t\t\t@ Sigma1(e)\n\tvadd.i64\td27,d29,d21\n\tvshr.u64\td25,d22,#34\n\tvsli.64\td24,d22,#36\n\tvadd.i64\td27,d26\n\tvshr.u64\td26,d22,#39\n\tvadd.i64\td28,d2\n\tvsli.64\td25,d22,#30\n\tveor\td30,d22,d23\n\tvsli.64\td26,d22,#25\n\tveor\td21,d24,d25\n\tvadd.i64\td27,d28\n\tvbsl\td30,d16,d23\t\t@ Maj(a,b,c)\n\tveor\td21,d26\t\t\t@ Sigma0(a)\n\tvadd.i64\td17,d27\n\tvadd.i64\td30,d27\n\t@ vadd.i64\td21,d30\n\tvshr.u64\td24,d17,#14\t@ 19\n#if 19<16\n\tvld1.64\t{d3},[r1]!\t@ handles unaligned\n#endif\n\tvshr.u64\td25,d17,#18\n#if 19>0\n\tvadd.i64\td21,d30\t\t\t@ h+=Maj from the past\n#endif\n\tvshr.u64\td26,d17,#41\n\tvld1.64\t{d28},[r3,:64]!\t@ K[i++]\n\tvsli.64\td24,d17,#50\n\tvsli.64\td25,d17,#46\n\tvmov\td29,d17\n\tvsli.64\td26,d17,#23\n#if 19<16 && defined(__ARMEL__)\n\tvrev64.8\t,\n#endif\n\tveor\td25,d24\n\tvbsl\td29,d18,d19\t\t@ Ch(e,f,g)\n\tvshr.u64\td24,d21,#28\n\tveor\td26,d25\t\t\t@ Sigma1(e)\n\tvadd.i64\td27,d29,d20\n\tvshr.u64\td25,d21,#34\n\tvsli.64\td24,d21,#36\n\tvadd.i64\td27,d26\n\tvshr.u64\td26,d21,#39\n\tvadd.i64\td28,d3\n\tvsli.64\td25,d21,#30\n\tveor\td30,d21,d22\n\tvsli.64\td26,d21,#25\n\tveor\td20,d24,d25\n\tvadd.i64\td27,d28\n\tvbsl\td30,d23,d22\t\t@ Maj(a,b,c)\n\tveor\td20,d26\t\t\t@ Sigma0(a)\n\tvadd.i64\td16,d27\n\tvadd.i64\td30,d27\n\t@ vadd.i64\td20,d30\n\tvshr.u64\tq12,q1,#19\n\tvshr.u64\tq13,q1,#61\n\tvadd.i64\td20,d30\t\t\t@ h+=Maj from the past\n\tvshr.u64\tq15,q1,#6\n\tvsli.64\tq12,q1,#45\n\tvext.8\tq14,q2,q3,#8\t@ X[i+1]\n\tvsli.64\tq13,q1,#3\n\tveor\tq15,q12\n\tvshr.u64\tq12,q14,#1\n\tveor\tq15,q13\t\t\t\t@ sigma1(X[i+14])\n\tvshr.u64\tq13,q14,#8\n\tvadd.i64\tq2,q15\n\tvshr.u64\tq15,q14,#7\n\tvsli.64\tq12,q14,#63\n\tvsli.64\tq13,q14,#56\n\tvext.8\tq14,q6,q7,#8\t@ X[i+9]\n\tveor\tq15,q12\n\tvshr.u64\td24,d16,#14\t\t@ from NEON_00_15\n\tvadd.i64\tq2,q14\n\tvshr.u64\td25,d16,#18\t\t@ from NEON_00_15\n\tveor\tq15,q13\t\t\t\t@ sigma0(X[i+1])\n\tvshr.u64\td26,d16,#41\t\t@ from NEON_00_15\n\tvadd.i64\tq2,q15\n\tvld1.64\t{d28},[r3,:64]!\t@ K[i++]\n\tvsli.64\td24,d16,#50\n\tvsli.64\td25,d16,#46\n\tvmov\td29,d16\n\tvsli.64\td26,d16,#23\n#if 20<16 && defined(__ARMEL__)\n\tvrev64.8\t,\n#endif\n\tveor\td25,d24\n\tvbsl\td29,d17,d18\t\t@ Ch(e,f,g)\n\tvshr.u64\td24,d20,#28\n\tveor\td26,d25\t\t\t@ Sigma1(e)\n\tvadd.i64\td27,d29,d19\n\tvshr.u64\td25,d20,#34\n\tvsli.64\td24,d20,#36\n\tvadd.i64\td27,d26\n\tvshr.u64\td26,d20,#39\n\tvadd.i64\td28,d4\n\tvsli.64\td25,d20,#30\n\tveor\td30,d20,d21\n\tvsli.64\td26,d20,#25\n\tveor\td19,d24,d25\n\tvadd.i64\td27,d28\n\tvbsl\td30,d22,d21\t\t@ Maj(a,b,c)\n\tveor\td19,d26\t\t\t@ Sigma0(a)\n\tvadd.i64\td23,d27\n\tvadd.i64\td30,d27\n\t@ vadd.i64\td19,d30\n\tvshr.u64\td24,d23,#14\t@ 21\n#if 21<16\n\tvld1.64\t{d5},[r1]!\t@ handles unaligned\n#endif\n\tvshr.u64\td25,d23,#18\n#if 21>0\n\tvadd.i64\td19,d30\t\t\t@ h+=Maj from the past\n#endif\n\tvshr.u64\td26,d23,#41\n\tvld1.64\t{d28},[r3,:64]!\t@ K[i++]\n\tvsli.64\td24,d23,#50\n\tvsli.64\td25,d23,#46\n\tvmov\td29,d23\n\tvsli.64\td26,d23,#23\n#if 21<16 && defined(__ARMEL__)\n\tvrev64.8\t,\n#endif\n\tveor\td25,d24\n\tvbsl\td29,d16,d17\t\t@ Ch(e,f,g)\n\tvshr.u64\td24,d19,#28\n\tveor\td26,d25\t\t\t@ Sigma1(e)\n\tvadd.i64\td27,d29,d18\n\tvshr.u64\td25,d19,#34\n\tvsli.64\td24,d19,#36\n\tvadd.i64\td27,d26\n\tvshr.u64\td26,d19,#39\n\tvadd.i64\td28,d5\n\tvsli.64\td25,d19,#30\n\tveor\td30,d19,d20\n\tvsli.64\td26,d19,#25\n\tveor\td18,d24,d25\n\tvadd.i64\td27,d28\n\tvbsl\td30,d21,d20\t\t@ Maj(a,b,c)\n\tveor\td18,d26\t\t\t@ Sigma0(a)\n\tvadd.i64\td22,d27\n\tvadd.i64\td30,d27\n\t@ vadd.i64\td18,d30\n\tvshr.u64\tq12,q2,#19\n\tvshr.u64\tq13,q2,#61\n\tvadd.i64\td18,d30\t\t\t@ h+=Maj from the past\n\tvshr.u64\tq15,q2,#6\n\tvsli.64\tq12,q2,#45\n\tvext.8\tq14,q3,q4,#8\t@ X[i+1]\n\tvsli.64\tq13,q2,#3\n\tveor\tq15,q12\n\tvshr.u64\tq12,q14,#1\n\tveor\tq15,q13\t\t\t\t@ sigma1(X[i+14])\n\tvshr.u64\tq13,q14,#8\n\tvadd.i64\tq3,q15\n\tvshr.u64\tq15,q14,#7\n\tvsli.64\tq12,q14,#63\n\tvsli.64\tq13,q14,#56\n\tvext.8\tq14,q7,q0,#8\t@ X[i+9]\n\tveor\tq15,q12\n\tvshr.u64\td24,d22,#14\t\t@ from NEON_00_15\n\tvadd.i64\tq3,q14\n\tvshr.u64\td25,d22,#18\t\t@ from NEON_00_15\n\tveor\tq15,q13\t\t\t\t@ sigma0(X[i+1])\n\tvshr.u64\td26,d22,#41\t\t@ from NEON_00_15\n\tvadd.i64\tq3,q15\n\tvld1.64\t{d28},[r3,:64]!\t@ K[i++]\n\tvsli.64\td24,d22,#50\n\tvsli.64\td25,d22,#46\n\tvmov\td29,d22\n\tvsli.64\td26,d22,#23\n#if 22<16 && defined(__ARMEL__)\n\tvrev64.8\t,\n#endif\n\tveor\td25,d24\n\tvbsl\td29,d23,d16\t\t@ Ch(e,f,g)\n\tvshr.u64\td24,d18,#28\n\tveor\td26,d25\t\t\t@ Sigma1(e)\n\tvadd.i64\td27,d29,d17\n\tvshr.u64\td25,d18,#34\n\tvsli.64\td24,d18,#36\n\tvadd.i64\td27,d26\n\tvshr.u64\td26,d18,#39\n\tvadd.i64\td28,d6\n\tvsli.64\td25,d18,#30\n\tveor\td30,d18,d19\n\tvsli.64\td26,d18,#25\n\tveor\td17,d24,d25\n\tvadd.i64\td27,d28\n\tvbsl\td30,d20,d19\t\t@ Maj(a,b,c)\n\tveor\td17,d26\t\t\t@ Sigma0(a)\n\tvadd.i64\td21,d27\n\tvadd.i64\td30,d27\n\t@ vadd.i64\td17,d30\n\tvshr.u64\td24,d21,#14\t@ 23\n#if 23<16\n\tvld1.64\t{d7},[r1]!\t@ handles unaligned\n#endif\n\tvshr.u64\td25,d21,#18\n#if 23>0\n\tvadd.i64\td17,d30\t\t\t@ h+=Maj from the past\n#endif\n\tvshr.u64\td26,d21,#41\n\tvld1.64\t{d28},[r3,:64]!\t@ K[i++]\n\tvsli.64\td24,d21,#50\n\tvsli.64\td25,d21,#46\n\tvmov\td29,d21\n\tvsli.64\td26,d21,#23\n#if 23<16 && defined(__ARMEL__)\n\tvrev64.8\t,\n#endif\n\tveor\td25,d24\n\tvbsl\td29,d22,d23\t\t@ Ch(e,f,g)\n\tvshr.u64\td24,d17,#28\n\tveor\td26,d25\t\t\t@ Sigma1(e)\n\tvadd.i64\td27,d29,d16\n\tvshr.u64\td25,d17,#34\n\tvsli.64\td24,d17,#36\n\tvadd.i64\td27,d26\n\tvshr.u64\td26,d17,#39\n\tvadd.i64\td28,d7\n\tvsli.64\td25,d17,#30\n\tveor\td30,d17,d18\n\tvsli.64\td26,d17,#25\n\tveor\td16,d24,d25\n\tvadd.i64\td27,d28\n\tvbsl\td30,d19,d18\t\t@ Maj(a,b,c)\n\tveor\td16,d26\t\t\t@ Sigma0(a)\n\tvadd.i64\td20,d27\n\tvadd.i64\td30,d27\n\t@ vadd.i64\td16,d30\n\tvshr.u64\tq12,q3,#19\n\tvshr.u64\tq13,q3,#61\n\tvadd.i64\td16,d30\t\t\t@ h+=Maj from the past\n\tvshr.u64\tq15,q3,#6\n\tvsli.64\tq12,q3,#45\n\tvext.8\tq14,q4,q5,#8\t@ X[i+1]\n\tvsli.64\tq13,q3,#3\n\tveor\tq15,q12\n\tvshr.u64\tq12,q14,#1\n\tveor\tq15,q13\t\t\t\t@ sigma1(X[i+14])\n\tvshr.u64\tq13,q14,#8\n\tvadd.i64\tq4,q15\n\tvshr.u64\tq15,q14,#7\n\tvsli.64\tq12,q14,#63\n\tvsli.64\tq13,q14,#56\n\tvext.8\tq14,q0,q1,#8\t@ X[i+9]\n\tveor\tq15,q12\n\tvshr.u64\td24,d20,#14\t\t@ from NEON_00_15\n\tvadd.i64\tq4,q14\n\tvshr.u64\td25,d20,#18\t\t@ from NEON_00_15\n\tveor\tq15,q13\t\t\t\t@ sigma0(X[i+1])\n\tvshr.u64\td26,d20,#41\t\t@ from NEON_00_15\n\tvadd.i64\tq4,q15\n\tvld1.64\t{d28},[r3,:64]!\t@ K[i++]\n\tvsli.64\td24,d20,#50\n\tvsli.64\td25,d20,#46\n\tvmov\td29,d20\n\tvsli.64\td26,d20,#23\n#if 24<16 && defined(__ARMEL__)\n\tvrev64.8\t,\n#endif\n\tveor\td25,d24\n\tvbsl\td29,d21,d22\t\t@ Ch(e,f,g)\n\tvshr.u64\td24,d16,#28\n\tveor\td26,d25\t\t\t@ Sigma1(e)\n\tvadd.i64\td27,d29,d23\n\tvshr.u64\td25,d16,#34\n\tvsli.64\td24,d16,#36\n\tvadd.i64\td27,d26\n\tvshr.u64\td26,d16,#39\n\tvadd.i64\td28,d8\n\tvsli.64\td25,d16,#30\n\tveor\td30,d16,d17\n\tvsli.64\td26,d16,#25\n\tveor\td23,d24,d25\n\tvadd.i64\td27,d28\n\tvbsl\td30,d18,d17\t\t@ Maj(a,b,c)\n\tveor\td23,d26\t\t\t@ Sigma0(a)\n\tvadd.i64\td19,d27\n\tvadd.i64\td30,d27\n\t@ vadd.i64\td23,d30\n\tvshr.u64\td24,d19,#14\t@ 25\n#if 25<16\n\tvld1.64\t{d9},[r1]!\t@ handles unaligned\n#endif\n\tvshr.u64\td25,d19,#18\n#if 25>0\n\tvadd.i64\td23,d30\t\t\t@ h+=Maj from the past\n#endif\n\tvshr.u64\td26,d19,#41\n\tvld1.64\t{d28},[r3,:64]!\t@ K[i++]\n\tvsli.64\td24,d19,#50\n\tvsli.64\td25,d19,#46\n\tvmov\td29,d19\n\tvsli.64\td26,d19,#23\n#if 25<16 && defined(__ARMEL__)\n\tvrev64.8\t,\n#endif\n\tveor\td25,d24\n\tvbsl\td29,d20,d21\t\t@ Ch(e,f,g)\n\tvshr.u64\td24,d23,#28\n\tveor\td26,d25\t\t\t@ Sigma1(e)\n\tvadd.i64\td27,d29,d22\n\tvshr.u64\td25,d23,#34\n\tvsli.64\td24,d23,#36\n\tvadd.i64\td27,d26\n\tvshr.u64\td26,d23,#39\n\tvadd.i64\td28,d9\n\tvsli.64\td25,d23,#30\n\tveor\td30,d23,d16\n\tvsli.64\td26,d23,#25\n\tveor\td22,d24,d25\n\tvadd.i64\td27,d28\n\tvbsl\td30,d17,d16\t\t@ Maj(a,b,c)\n\tveor\td22,d26\t\t\t@ Sigma0(a)\n\tvadd.i64\td18,d27\n\tvadd.i64\td30,d27\n\t@ vadd.i64\td22,d30\n\tvshr.u64\tq12,q4,#19\n\tvshr.u64\tq13,q4,#61\n\tvadd.i64\td22,d30\t\t\t@ h+=Maj from the past\n\tvshr.u64\tq15,q4,#6\n\tvsli.64\tq12,q4,#45\n\tvext.8\tq14,q5,q6,#8\t@ X[i+1]\n\tvsli.64\tq13,q4,#3\n\tveor\tq15,q12\n\tvshr.u64\tq12,q14,#1\n\tveor\tq15,q13\t\t\t\t@ sigma1(X[i+14])\n\tvshr.u64\tq13,q14,#8\n\tvadd.i64\tq5,q15\n\tvshr.u64\tq15,q14,#7\n\tvsli.64\tq12,q14,#63\n\tvsli.64\tq13,q14,#56\n\tvext.8\tq14,q1,q2,#8\t@ X[i+9]\n\tveor\tq15,q12\n\tvshr.u64\td24,d18,#14\t\t@ from NEON_00_15\n\tvadd.i64\tq5,q14\n\tvshr.u64\td25,d18,#18\t\t@ from NEON_00_15\n\tveor\tq15,q13\t\t\t\t@ sigma0(X[i+1])\n\tvshr.u64\td26,d18,#41\t\t@ from NEON_00_15\n\tvadd.i64\tq5,q15\n\tvld1.64\t{d28},[r3,:64]!\t@ K[i++]\n\tvsli.64\td24,d18,#50\n\tvsli.64\td25,d18,#46\n\tvmov\td29,d18\n\tvsli.64\td26,d18,#23\n#if 26<16 && defined(__ARMEL__)\n\tvrev64.8\t,\n#endif\n\tveor\td25,d24\n\tvbsl\td29,d19,d20\t\t@ Ch(e,f,g)\n\tvshr.u64\td24,d22,#28\n\tveor\td26,d25\t\t\t@ Sigma1(e)\n\tvadd.i64\td27,d29,d21\n\tvshr.u64\td25,d22,#34\n\tvsli.64\td24,d22,#36\n\tvadd.i64\td27,d26\n\tvshr.u64\td26,d22,#39\n\tvadd.i64\td28,d10\n\tvsli.64\td25,d22,#30\n\tveor\td30,d22,d23\n\tvsli.64\td26,d22,#25\n\tveor\td21,d24,d25\n\tvadd.i64\td27,d28\n\tvbsl\td30,d16,d23\t\t@ Maj(a,b,c)\n\tveor\td21,d26\t\t\t@ Sigma0(a)\n\tvadd.i64\td17,d27\n\tvadd.i64\td30,d27\n\t@ vadd.i64\td21,d30\n\tvshr.u64\td24,d17,#14\t@ 27\n#if 27<16\n\tvld1.64\t{d11},[r1]!\t@ handles unaligned\n#endif\n\tvshr.u64\td25,d17,#18\n#if 27>0\n\tvadd.i64\td21,d30\t\t\t@ h+=Maj from the past\n#endif\n\tvshr.u64\td26,d17,#41\n\tvld1.64\t{d28},[r3,:64]!\t@ K[i++]\n\tvsli.64\td24,d17,#50\n\tvsli.64\td25,d17,#46\n\tvmov\td29,d17\n\tvsli.64\td26,d17,#23\n#if 27<16 && defined(__ARMEL__)\n\tvrev64.8\t,\n#endif\n\tveor\td25,d24\n\tvbsl\td29,d18,d19\t\t@ Ch(e,f,g)\n\tvshr.u64\td24,d21,#28\n\tveor\td26,d25\t\t\t@ Sigma1(e)\n\tvadd.i64\td27,d29,d20\n\tvshr.u64\td25,d21,#34\n\tvsli.64\td24,d21,#36\n\tvadd.i64\td27,d26\n\tvshr.u64\td26,d21,#39\n\tvadd.i64\td28,d11\n\tvsli.64\td25,d21,#30\n\tveor\td30,d21,d22\n\tvsli.64\td26,d21,#25\n\tveor\td20,d24,d25\n\tvadd.i64\td27,d28\n\tvbsl\td30,d23,d22\t\t@ Maj(a,b,c)\n\tveor\td20,d26\t\t\t@ Sigma0(a)\n\tvadd.i64\td16,d27\n\tvadd.i64\td30,d27\n\t@ vadd.i64\td20,d30\n\tvshr.u64\tq12,q5,#19\n\tvshr.u64\tq13,q5,#61\n\tvadd.i64\td20,d30\t\t\t@ h+=Maj from the past\n\tvshr.u64\tq15,q5,#6\n\tvsli.64\tq12,q5,#45\n\tvext.8\tq14,q6,q7,#8\t@ X[i+1]\n\tvsli.64\tq13,q5,#3\n\tveor\tq15,q12\n\tvshr.u64\tq12,q14,#1\n\tveor\tq15,q13\t\t\t\t@ sigma1(X[i+14])\n\tvshr.u64\tq13,q14,#8\n\tvadd.i64\tq6,q15\n\tvshr.u64\tq15,q14,#7\n\tvsli.64\tq12,q14,#63\n\tvsli.64\tq13,q14,#56\n\tvext.8\tq14,q2,q3,#8\t@ X[i+9]\n\tveor\tq15,q12\n\tvshr.u64\td24,d16,#14\t\t@ from NEON_00_15\n\tvadd.i64\tq6,q14\n\tvshr.u64\td25,d16,#18\t\t@ from NEON_00_15\n\tveor\tq15,q13\t\t\t\t@ sigma0(X[i+1])\n\tvshr.u64\td26,d16,#41\t\t@ from NEON_00_15\n\tvadd.i64\tq6,q15\n\tvld1.64\t{d28},[r3,:64]!\t@ K[i++]\n\tvsli.64\td24,d16,#50\n\tvsli.64\td25,d16,#46\n\tvmov\td29,d16\n\tvsli.64\td26,d16,#23\n#if 28<16 && defined(__ARMEL__)\n\tvrev64.8\t,\n#endif\n\tveor\td25,d24\n\tvbsl\td29,d17,d18\t\t@ Ch(e,f,g)\n\tvshr.u64\td24,d20,#28\n\tveor\td26,d25\t\t\t@ Sigma1(e)\n\tvadd.i64\td27,d29,d19\n\tvshr.u64\td25,d20,#34\n\tvsli.64\td24,d20,#36\n\tvadd.i64\td27,d26\n\tvshr.u64\td26,d20,#39\n\tvadd.i64\td28,d12\n\tvsli.64\td25,d20,#30\n\tveor\td30,d20,d21\n\tvsli.64\td26,d20,#25\n\tveor\td19,d24,d25\n\tvadd.i64\td27,d28\n\tvbsl\td30,d22,d21\t\t@ Maj(a,b,c)\n\tveor\td19,d26\t\t\t@ Sigma0(a)\n\tvadd.i64\td23,d27\n\tvadd.i64\td30,d27\n\t@ vadd.i64\td19,d30\n\tvshr.u64\td24,d23,#14\t@ 29\n#if 29<16\n\tvld1.64\t{d13},[r1]!\t@ handles unaligned\n#endif\n\tvshr.u64\td25,d23,#18\n#if 29>0\n\tvadd.i64\td19,d30\t\t\t@ h+=Maj from the past\n#endif\n\tvshr.u64\td26,d23,#41\n\tvld1.64\t{d28},[r3,:64]!\t@ K[i++]\n\tvsli.64\td24,d23,#50\n\tvsli.64\td25,d23,#46\n\tvmov\td29,d23\n\tvsli.64\td26,d23,#23\n#if 29<16 && defined(__ARMEL__)\n\tvrev64.8\t,\n#endif\n\tveor\td25,d24\n\tvbsl\td29,d16,d17\t\t@ Ch(e,f,g)\n\tvshr.u64\td24,d19,#28\n\tveor\td26,d25\t\t\t@ Sigma1(e)\n\tvadd.i64\td27,d29,d18\n\tvshr.u64\td25,d19,#34\n\tvsli.64\td24,d19,#36\n\tvadd.i64\td27,d26\n\tvshr.u64\td26,d19,#39\n\tvadd.i64\td28,d13\n\tvsli.64\td25,d19,#30\n\tveor\td30,d19,d20\n\tvsli.64\td26,d19,#25\n\tveor\td18,d24,d25\n\tvadd.i64\td27,d28\n\tvbsl\td30,d21,d20\t\t@ Maj(a,b,c)\n\tveor\td18,d26\t\t\t@ Sigma0(a)\n\tvadd.i64\td22,d27\n\tvadd.i64\td30,d27\n\t@ vadd.i64\td18,d30\n\tvshr.u64\tq12,q6,#19\n\tvshr.u64\tq13,q6,#61\n\tvadd.i64\td18,d30\t\t\t@ h+=Maj from the past\n\tvshr.u64\tq15,q6,#6\n\tvsli.64\tq12,q6,#45\n\tvext.8\tq14,q7,q0,#8\t@ X[i+1]\n\tvsli.64\tq13,q6,#3\n\tveor\tq15,q12\n\tvshr.u64\tq12,q14,#1\n\tveor\tq15,q13\t\t\t\t@ sigma1(X[i+14])\n\tvshr.u64\tq13,q14,#8\n\tvadd.i64\tq7,q15\n\tvshr.u64\tq15,q14,#7\n\tvsli.64\tq12,q14,#63\n\tvsli.64\tq13,q14,#56\n\tvext.8\tq14,q3,q4,#8\t@ X[i+9]\n\tveor\tq15,q12\n\tvshr.u64\td24,d22,#14\t\t@ from NEON_00_15\n\tvadd.i64\tq7,q14\n\tvshr.u64\td25,d22,#18\t\t@ from NEON_00_15\n\tveor\tq15,q13\t\t\t\t@ sigma0(X[i+1])\n\tvshr.u64\td26,d22,#41\t\t@ from NEON_00_15\n\tvadd.i64\tq7,q15\n\tvld1.64\t{d28},[r3,:64]!\t@ K[i++]\n\tvsli.64\td24,d22,#50\n\tvsli.64\td25,d22,#46\n\tvmov\td29,d22\n\tvsli.64\td26,d22,#23\n#if 30<16 && defined(__ARMEL__)\n\tvrev64.8\t,\n#endif\n\tveor\td25,d24\n\tvbsl\td29,d23,d16\t\t@ Ch(e,f,g)\n\tvshr.u64\td24,d18,#28\n\tveor\td26,d25\t\t\t@ Sigma1(e)\n\tvadd.i64\td27,d29,d17\n\tvshr.u64\td25,d18,#34\n\tvsli.64\td24,d18,#36\n\tvadd.i64\td27,d26\n\tvshr.u64\td26,d18,#39\n\tvadd.i64\td28,d14\n\tvsli.64\td25,d18,#30\n\tveor\td30,d18,d19\n\tvsli.64\td26,d18,#25\n\tveor\td17,d24,d25\n\tvadd.i64\td27,d28\n\tvbsl\td30,d20,d19\t\t@ Maj(a,b,c)\n\tveor\td17,d26\t\t\t@ Sigma0(a)\n\tvadd.i64\td21,d27\n\tvadd.i64\td30,d27\n\t@ vadd.i64\td17,d30\n\tvshr.u64\td24,d21,#14\t@ 31\n#if 31<16\n\tvld1.64\t{d15},[r1]!\t@ handles unaligned\n#endif\n\tvshr.u64\td25,d21,#18\n#if 31>0\n\tvadd.i64\td17,d30\t\t\t@ h+=Maj from the past\n#endif\n\tvshr.u64\td26,d21,#41\n\tvld1.64\t{d28},[r3,:64]!\t@ K[i++]\n\tvsli.64\td24,d21,#50\n\tvsli.64\td25,d21,#46\n\tvmov\td29,d21\n\tvsli.64\td26,d21,#23\n#if 31<16 && defined(__ARMEL__)\n\tvrev64.8\t,\n#endif\n\tveor\td25,d24\n\tvbsl\td29,d22,d23\t\t@ Ch(e,f,g)\n\tvshr.u64\td24,d17,#28\n\tveor\td26,d25\t\t\t@ Sigma1(e)\n\tvadd.i64\td27,d29,d16\n\tvshr.u64\td25,d17,#34\n\tvsli.64\td24,d17,#36\n\tvadd.i64\td27,d26\n\tvshr.u64\td26,d17,#39\n\tvadd.i64\td28,d15\n\tvsli.64\td25,d17,#30\n\tveor\td30,d17,d18\n\tvsli.64\td26,d17,#25\n\tveor\td16,d24,d25\n\tvadd.i64\td27,d28\n\tvbsl\td30,d19,d18\t\t@ Maj(a,b,c)\n\tveor\td16,d26\t\t\t@ Sigma0(a)\n\tvadd.i64\td20,d27\n\tvadd.i64\td30,d27\n\t@ vadd.i64\td16,d30\n\tbne\t.L16_79_neon\n\n\tvadd.i64\td16,d30\t\t@ h+=Maj from the past\n\tvldmia\tr0,{d24,d25,d26,d27,d28,d29,d30,d31}\t@ load context to temp\n\tvadd.i64\tq8,q12\t\t@ vectorized accumulate\n\tvadd.i64\tq9,q13\n\tvadd.i64\tq10,q14\n\tvadd.i64\tq11,q15\n\tvstmia\tr0,{d16,d17,d18,d19,d20,d21,d22,d23}\t@ save context\n\tteq\tr1,r2\n\tsub\tr3,#640\t@ rewind K512\n\tbne\t.Loop_neon\n\n\tVFP_ABI_POP\n\tbx\tlr\t\t\t\t@ .word\t0xe12fff1e\n.size\tsha512_block_data_order_neon,.-sha512_block_data_order_neon\n#endif\n.byte\t83,72,65,53,49,50,32,98,108,111,99,107,32,116,114,97,110,115,102,111,114,109,32,102,111,114,32,65,82,77,118,52,47,78,69,79,78,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0\n.align\t2\n.align\t2\n#endif // !OPENSSL_NO_ASM && defined(OPENSSL_ARM) && defined(__ELF__)\n#if defined(__linux__) && defined(__ELF__)\n.section .note.GNU-stack,\"\",%progbits\n#endif\n\n" }, { "path": "Sources/CNIOBoringSSL/gen/bcm/sha512-armv8-apple.S", "content": "#define BORINGSSL_PREFIX CNIOBoringSSL\n// This file is generated from a similarly-named Perl script in the BoringSSL\n// source tree. Do not edit by hand.\n\n#include \n\n#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_AARCH64) && defined(__APPLE__)\n// Copyright 2014-2020 The OpenSSL Project Authors. All Rights Reserved.\n//\n// Licensed under the OpenSSL license (the \"License\"). You may not use\n// this file except in compliance with the License. You can obtain a copy\n// in the file LICENSE in the source distribution or at\n// https://www.openssl.org/source/license.html\n\n// ====================================================================\n// Written by Andy Polyakov for the OpenSSL\n// project. The module is, however, dual licensed under OpenSSL and\n// CRYPTOGAMS licenses depending on where you obtain it. For further\n// details see http://www.openssl.org/~appro/cryptogams/.\n//\n// Permission to use under GPLv2 terms is granted.\n// ====================================================================\n//\n// SHA256/512 for ARMv8.\n//\n// Performance in cycles per processed byte and improvement coefficient\n// over code generated with \"default\" compiler:\n//\n//\t\tSHA256-hw\tSHA256(*)\tSHA512\n// Apple A7\t1.97\t\t10.5 (+33%)\t6.73 (-1%(**))\n// Cortex-A53\t2.38\t\t15.5 (+115%)\t10.0 (+150%(***))\n// Cortex-A57\t2.31\t\t11.6 (+86%)\t7.51 (+260%(***))\n// Denver\t2.01\t\t10.5 (+26%)\t6.70 (+8%)\n// X-Gene\t\t\t20.0 (+100%)\t12.8 (+300%(***))\n// Mongoose\t2.36\t\t13.0 (+50%)\t8.36 (+33%)\n// Kryo\t\t1.92\t\t17.4 (+30%)\t11.2 (+8%)\n//\n// (*)\tSoftware SHA256 results are of lesser relevance, presented\n//\tmostly for informational purposes.\n// (**)\tThe result is a trade-off: it's possible to improve it by\n//\t10% (or by 1 cycle per round), but at the cost of 20% loss\n//\ton Cortex-A53 (or by 4 cycles per round).\n// (***)\tSuper-impressive coefficients over gcc-generated code are\n//\tindication of some compiler \"pathology\", most notably code\n//\tgenerated with -mgeneral-regs-only is significantly faster\n//\tand the gap is only 40-90%.\n\n#ifndef\t__KERNEL__\n# include \n#endif\n\n.text\n\n.globl\t_sha512_block_data_order_nohw\n.private_extern\t_sha512_block_data_order_nohw\n\n.align\t6\n_sha512_block_data_order_nohw:\n\tAARCH64_SIGN_LINK_REGISTER\n\tstp\tx29,x30,[sp,#-128]!\n\tadd\tx29,sp,#0\n\n\tstp\tx19,x20,[sp,#16]\n\tstp\tx21,x22,[sp,#32]\n\tstp\tx23,x24,[sp,#48]\n\tstp\tx25,x26,[sp,#64]\n\tstp\tx27,x28,[sp,#80]\n\tsub\tsp,sp,#4*8\n\n\tldp\tx20,x21,[x0]\t\t\t\t// load context\n\tldp\tx22,x23,[x0,#2*8]\n\tldp\tx24,x25,[x0,#4*8]\n\tadd\tx2,x1,x2,lsl#7\t// end of input\n\tldp\tx26,x27,[x0,#6*8]\n\tadrp\tx30,LK512@PAGE\n\tadd\tx30,x30,LK512@PAGEOFF\n\tstp\tx0,x2,[x29,#96]\n\nLoop:\n\tldp\tx3,x4,[x1],#2*8\n\tldr\tx19,[x30],#8\t\t\t// *K++\n\teor\tx28,x21,x22\t\t\t\t// magic seed\n\tstr\tx1,[x29,#112]\n#ifndef\t__AARCH64EB__\n\trev\tx3,x3\t\t\t// 0\n#endif\n\tror\tx16,x24,#14\n\tadd\tx27,x27,x19\t\t\t// h+=K[i]\n\teor\tx6,x24,x24,ror#23\n\tand\tx17,x25,x24\n\tbic\tx19,x26,x24\n\tadd\tx27,x27,x3\t\t\t// h+=X[i]\n\torr\tx17,x17,x19\t\t\t// Ch(e,f,g)\n\teor\tx19,x20,x21\t\t\t// a^b, b^c in next round\n\teor\tx16,x16,x6,ror#18\t// Sigma1(e)\n\tror\tx6,x20,#28\n\tadd\tx27,x27,x17\t\t\t// h+=Ch(e,f,g)\n\teor\tx17,x20,x20,ror#5\n\tadd\tx27,x27,x16\t\t\t// h+=Sigma1(e)\n\tand\tx28,x28,x19\t\t\t// (b^c)&=(a^b)\n\tadd\tx23,x23,x27\t\t\t// d+=h\n\teor\tx28,x28,x21\t\t\t// Maj(a,b,c)\n\teor\tx17,x6,x17,ror#34\t// Sigma0(a)\n\tadd\tx27,x27,x28\t\t\t// h+=Maj(a,b,c)\n\tldr\tx28,[x30],#8\t\t// *K++, x19 in next round\n\t//add\tx27,x27,x17\t\t\t// h+=Sigma0(a)\n#ifndef\t__AARCH64EB__\n\trev\tx4,x4\t\t\t// 1\n#endif\n\tldp\tx5,x6,[x1],#2*8\n\tadd\tx27,x27,x17\t\t\t// h+=Sigma0(a)\n\tror\tx16,x23,#14\n\tadd\tx26,x26,x28\t\t\t// h+=K[i]\n\teor\tx7,x23,x23,ror#23\n\tand\tx17,x24,x23\n\tbic\tx28,x25,x23\n\tadd\tx26,x26,x4\t\t\t// h+=X[i]\n\torr\tx17,x17,x28\t\t\t// Ch(e,f,g)\n\teor\tx28,x27,x20\t\t\t// a^b, b^c in next round\n\teor\tx16,x16,x7,ror#18\t// Sigma1(e)\n\tror\tx7,x27,#28\n\tadd\tx26,x26,x17\t\t\t// h+=Ch(e,f,g)\n\teor\tx17,x27,x27,ror#5\n\tadd\tx26,x26,x16\t\t\t// h+=Sigma1(e)\n\tand\tx19,x19,x28\t\t\t// (b^c)&=(a^b)\n\tadd\tx22,x22,x26\t\t\t// d+=h\n\teor\tx19,x19,x20\t\t\t// Maj(a,b,c)\n\teor\tx17,x7,x17,ror#34\t// Sigma0(a)\n\tadd\tx26,x26,x19\t\t\t// h+=Maj(a,b,c)\n\tldr\tx19,[x30],#8\t\t// *K++, x28 in next round\n\t//add\tx26,x26,x17\t\t\t// h+=Sigma0(a)\n#ifndef\t__AARCH64EB__\n\trev\tx5,x5\t\t\t// 2\n#endif\n\tadd\tx26,x26,x17\t\t\t// h+=Sigma0(a)\n\tror\tx16,x22,#14\n\tadd\tx25,x25,x19\t\t\t// h+=K[i]\n\teor\tx8,x22,x22,ror#23\n\tand\tx17,x23,x22\n\tbic\tx19,x24,x22\n\tadd\tx25,x25,x5\t\t\t// h+=X[i]\n\torr\tx17,x17,x19\t\t\t// Ch(e,f,g)\n\teor\tx19,x26,x27\t\t\t// a^b, b^c in next round\n\teor\tx16,x16,x8,ror#18\t// Sigma1(e)\n\tror\tx8,x26,#28\n\tadd\tx25,x25,x17\t\t\t// h+=Ch(e,f,g)\n\teor\tx17,x26,x26,ror#5\n\tadd\tx25,x25,x16\t\t\t// h+=Sigma1(e)\n\tand\tx28,x28,x19\t\t\t// (b^c)&=(a^b)\n\tadd\tx21,x21,x25\t\t\t// d+=h\n\teor\tx28,x28,x27\t\t\t// Maj(a,b,c)\n\teor\tx17,x8,x17,ror#34\t// Sigma0(a)\n\tadd\tx25,x25,x28\t\t\t// h+=Maj(a,b,c)\n\tldr\tx28,[x30],#8\t\t// *K++, x19 in next round\n\t//add\tx25,x25,x17\t\t\t// h+=Sigma0(a)\n#ifndef\t__AARCH64EB__\n\trev\tx6,x6\t\t\t// 3\n#endif\n\tldp\tx7,x8,[x1],#2*8\n\tadd\tx25,x25,x17\t\t\t// h+=Sigma0(a)\n\tror\tx16,x21,#14\n\tadd\tx24,x24,x28\t\t\t// h+=K[i]\n\teor\tx9,x21,x21,ror#23\n\tand\tx17,x22,x21\n\tbic\tx28,x23,x21\n\tadd\tx24,x24,x6\t\t\t// h+=X[i]\n\torr\tx17,x17,x28\t\t\t// Ch(e,f,g)\n\teor\tx28,x25,x26\t\t\t// a^b, b^c in next round\n\teor\tx16,x16,x9,ror#18\t// Sigma1(e)\n\tror\tx9,x25,#28\n\tadd\tx24,x24,x17\t\t\t// h+=Ch(e,f,g)\n\teor\tx17,x25,x25,ror#5\n\tadd\tx24,x24,x16\t\t\t// h+=Sigma1(e)\n\tand\tx19,x19,x28\t\t\t// (b^c)&=(a^b)\n\tadd\tx20,x20,x24\t\t\t// d+=h\n\teor\tx19,x19,x26\t\t\t// Maj(a,b,c)\n\teor\tx17,x9,x17,ror#34\t// Sigma0(a)\n\tadd\tx24,x24,x19\t\t\t// h+=Maj(a,b,c)\n\tldr\tx19,[x30],#8\t\t// *K++, x28 in next round\n\t//add\tx24,x24,x17\t\t\t// h+=Sigma0(a)\n#ifndef\t__AARCH64EB__\n\trev\tx7,x7\t\t\t// 4\n#endif\n\tadd\tx24,x24,x17\t\t\t// h+=Sigma0(a)\n\tror\tx16,x20,#14\n\tadd\tx23,x23,x19\t\t\t// h+=K[i]\n\teor\tx10,x20,x20,ror#23\n\tand\tx17,x21,x20\n\tbic\tx19,x22,x20\n\tadd\tx23,x23,x7\t\t\t// h+=X[i]\n\torr\tx17,x17,x19\t\t\t// Ch(e,f,g)\n\teor\tx19,x24,x25\t\t\t// a^b, b^c in next round\n\teor\tx16,x16,x10,ror#18\t// Sigma1(e)\n\tror\tx10,x24,#28\n\tadd\tx23,x23,x17\t\t\t// h+=Ch(e,f,g)\n\teor\tx17,x24,x24,ror#5\n\tadd\tx23,x23,x16\t\t\t// h+=Sigma1(e)\n\tand\tx28,x28,x19\t\t\t// (b^c)&=(a^b)\n\tadd\tx27,x27,x23\t\t\t// d+=h\n\teor\tx28,x28,x25\t\t\t// Maj(a,b,c)\n\teor\tx17,x10,x17,ror#34\t// Sigma0(a)\n\tadd\tx23,x23,x28\t\t\t// h+=Maj(a,b,c)\n\tldr\tx28,[x30],#8\t\t// *K++, x19 in next round\n\t//add\tx23,x23,x17\t\t\t// h+=Sigma0(a)\n#ifndef\t__AARCH64EB__\n\trev\tx8,x8\t\t\t// 5\n#endif\n\tldp\tx9,x10,[x1],#2*8\n\tadd\tx23,x23,x17\t\t\t// h+=Sigma0(a)\n\tror\tx16,x27,#14\n\tadd\tx22,x22,x28\t\t\t// h+=K[i]\n\teor\tx11,x27,x27,ror#23\n\tand\tx17,x20,x27\n\tbic\tx28,x21,x27\n\tadd\tx22,x22,x8\t\t\t// h+=X[i]\n\torr\tx17,x17,x28\t\t\t// Ch(e,f,g)\n\teor\tx28,x23,x24\t\t\t// a^b, b^c in next round\n\teor\tx16,x16,x11,ror#18\t// Sigma1(e)\n\tror\tx11,x23,#28\n\tadd\tx22,x22,x17\t\t\t// h+=Ch(e,f,g)\n\teor\tx17,x23,x23,ror#5\n\tadd\tx22,x22,x16\t\t\t// h+=Sigma1(e)\n\tand\tx19,x19,x28\t\t\t// (b^c)&=(a^b)\n\tadd\tx26,x26,x22\t\t\t// d+=h\n\teor\tx19,x19,x24\t\t\t// Maj(a,b,c)\n\teor\tx17,x11,x17,ror#34\t// Sigma0(a)\n\tadd\tx22,x22,x19\t\t\t// h+=Maj(a,b,c)\n\tldr\tx19,[x30],#8\t\t// *K++, x28 in next round\n\t//add\tx22,x22,x17\t\t\t// h+=Sigma0(a)\n#ifndef\t__AARCH64EB__\n\trev\tx9,x9\t\t\t// 6\n#endif\n\tadd\tx22,x22,x17\t\t\t// h+=Sigma0(a)\n\tror\tx16,x26,#14\n\tadd\tx21,x21,x19\t\t\t// h+=K[i]\n\teor\tx12,x26,x26,ror#23\n\tand\tx17,x27,x26\n\tbic\tx19,x20,x26\n\tadd\tx21,x21,x9\t\t\t// h+=X[i]\n\torr\tx17,x17,x19\t\t\t// Ch(e,f,g)\n\teor\tx19,x22,x23\t\t\t// a^b, b^c in next round\n\teor\tx16,x16,x12,ror#18\t// Sigma1(e)\n\tror\tx12,x22,#28\n\tadd\tx21,x21,x17\t\t\t// h+=Ch(e,f,g)\n\teor\tx17,x22,x22,ror#5\n\tadd\tx21,x21,x16\t\t\t// h+=Sigma1(e)\n\tand\tx28,x28,x19\t\t\t// (b^c)&=(a^b)\n\tadd\tx25,x25,x21\t\t\t// d+=h\n\teor\tx28,x28,x23\t\t\t// Maj(a,b,c)\n\teor\tx17,x12,x17,ror#34\t// Sigma0(a)\n\tadd\tx21,x21,x28\t\t\t// h+=Maj(a,b,c)\n\tldr\tx28,[x30],#8\t\t// *K++, x19 in next round\n\t//add\tx21,x21,x17\t\t\t// h+=Sigma0(a)\n#ifndef\t__AARCH64EB__\n\trev\tx10,x10\t\t\t// 7\n#endif\n\tldp\tx11,x12,[x1],#2*8\n\tadd\tx21,x21,x17\t\t\t// h+=Sigma0(a)\n\tror\tx16,x25,#14\n\tadd\tx20,x20,x28\t\t\t// h+=K[i]\n\teor\tx13,x25,x25,ror#23\n\tand\tx17,x26,x25\n\tbic\tx28,x27,x25\n\tadd\tx20,x20,x10\t\t\t// h+=X[i]\n\torr\tx17,x17,x28\t\t\t// Ch(e,f,g)\n\teor\tx28,x21,x22\t\t\t// a^b, b^c in next round\n\teor\tx16,x16,x13,ror#18\t// Sigma1(e)\n\tror\tx13,x21,#28\n\tadd\tx20,x20,x17\t\t\t// h+=Ch(e,f,g)\n\teor\tx17,x21,x21,ror#5\n\tadd\tx20,x20,x16\t\t\t// h+=Sigma1(e)\n\tand\tx19,x19,x28\t\t\t// (b^c)&=(a^b)\n\tadd\tx24,x24,x20\t\t\t// d+=h\n\teor\tx19,x19,x22\t\t\t// Maj(a,b,c)\n\teor\tx17,x13,x17,ror#34\t// Sigma0(a)\n\tadd\tx20,x20,x19\t\t\t// h+=Maj(a,b,c)\n\tldr\tx19,[x30],#8\t\t// *K++, x28 in next round\n\t//add\tx20,x20,x17\t\t\t// h+=Sigma0(a)\n#ifndef\t__AARCH64EB__\n\trev\tx11,x11\t\t\t// 8\n#endif\n\tadd\tx20,x20,x17\t\t\t// h+=Sigma0(a)\n\tror\tx16,x24,#14\n\tadd\tx27,x27,x19\t\t\t// h+=K[i]\n\teor\tx14,x24,x24,ror#23\n\tand\tx17,x25,x24\n\tbic\tx19,x26,x24\n\tadd\tx27,x27,x11\t\t\t// h+=X[i]\n\torr\tx17,x17,x19\t\t\t// Ch(e,f,g)\n\teor\tx19,x20,x21\t\t\t// a^b, b^c in next round\n\teor\tx16,x16,x14,ror#18\t// Sigma1(e)\n\tror\tx14,x20,#28\n\tadd\tx27,x27,x17\t\t\t// h+=Ch(e,f,g)\n\teor\tx17,x20,x20,ror#5\n\tadd\tx27,x27,x16\t\t\t// h+=Sigma1(e)\n\tand\tx28,x28,x19\t\t\t// (b^c)&=(a^b)\n\tadd\tx23,x23,x27\t\t\t// d+=h\n\teor\tx28,x28,x21\t\t\t// Maj(a,b,c)\n\teor\tx17,x14,x17,ror#34\t// Sigma0(a)\n\tadd\tx27,x27,x28\t\t\t// h+=Maj(a,b,c)\n\tldr\tx28,[x30],#8\t\t// *K++, x19 in next round\n\t//add\tx27,x27,x17\t\t\t// h+=Sigma0(a)\n#ifndef\t__AARCH64EB__\n\trev\tx12,x12\t\t\t// 9\n#endif\n\tldp\tx13,x14,[x1],#2*8\n\tadd\tx27,x27,x17\t\t\t// h+=Sigma0(a)\n\tror\tx16,x23,#14\n\tadd\tx26,x26,x28\t\t\t// h+=K[i]\n\teor\tx15,x23,x23,ror#23\n\tand\tx17,x24,x23\n\tbic\tx28,x25,x23\n\tadd\tx26,x26,x12\t\t\t// h+=X[i]\n\torr\tx17,x17,x28\t\t\t// Ch(e,f,g)\n\teor\tx28,x27,x20\t\t\t// a^b, b^c in next round\n\teor\tx16,x16,x15,ror#18\t// Sigma1(e)\n\tror\tx15,x27,#28\n\tadd\tx26,x26,x17\t\t\t// h+=Ch(e,f,g)\n\teor\tx17,x27,x27,ror#5\n\tadd\tx26,x26,x16\t\t\t// h+=Sigma1(e)\n\tand\tx19,x19,x28\t\t\t// (b^c)&=(a^b)\n\tadd\tx22,x22,x26\t\t\t// d+=h\n\teor\tx19,x19,x20\t\t\t// Maj(a,b,c)\n\teor\tx17,x15,x17,ror#34\t// Sigma0(a)\n\tadd\tx26,x26,x19\t\t\t// h+=Maj(a,b,c)\n\tldr\tx19,[x30],#8\t\t// *K++, x28 in next round\n\t//add\tx26,x26,x17\t\t\t// h+=Sigma0(a)\n#ifndef\t__AARCH64EB__\n\trev\tx13,x13\t\t\t// 10\n#endif\n\tadd\tx26,x26,x17\t\t\t// h+=Sigma0(a)\n\tror\tx16,x22,#14\n\tadd\tx25,x25,x19\t\t\t// h+=K[i]\n\teor\tx0,x22,x22,ror#23\n\tand\tx17,x23,x22\n\tbic\tx19,x24,x22\n\tadd\tx25,x25,x13\t\t\t// h+=X[i]\n\torr\tx17,x17,x19\t\t\t// Ch(e,f,g)\n\teor\tx19,x26,x27\t\t\t// a^b, b^c in next round\n\teor\tx16,x16,x0,ror#18\t// Sigma1(e)\n\tror\tx0,x26,#28\n\tadd\tx25,x25,x17\t\t\t// h+=Ch(e,f,g)\n\teor\tx17,x26,x26,ror#5\n\tadd\tx25,x25,x16\t\t\t// h+=Sigma1(e)\n\tand\tx28,x28,x19\t\t\t// (b^c)&=(a^b)\n\tadd\tx21,x21,x25\t\t\t// d+=h\n\teor\tx28,x28,x27\t\t\t// Maj(a,b,c)\n\teor\tx17,x0,x17,ror#34\t// Sigma0(a)\n\tadd\tx25,x25,x28\t\t\t// h+=Maj(a,b,c)\n\tldr\tx28,[x30],#8\t\t// *K++, x19 in next round\n\t//add\tx25,x25,x17\t\t\t// h+=Sigma0(a)\n#ifndef\t__AARCH64EB__\n\trev\tx14,x14\t\t\t// 11\n#endif\n\tldp\tx15,x0,[x1],#2*8\n\tadd\tx25,x25,x17\t\t\t// h+=Sigma0(a)\n\tstr\tx6,[sp,#24]\n\tror\tx16,x21,#14\n\tadd\tx24,x24,x28\t\t\t// h+=K[i]\n\teor\tx6,x21,x21,ror#23\n\tand\tx17,x22,x21\n\tbic\tx28,x23,x21\n\tadd\tx24,x24,x14\t\t\t// h+=X[i]\n\torr\tx17,x17,x28\t\t\t// Ch(e,f,g)\n\teor\tx28,x25,x26\t\t\t// a^b, b^c in next round\n\teor\tx16,x16,x6,ror#18\t// Sigma1(e)\n\tror\tx6,x25,#28\n\tadd\tx24,x24,x17\t\t\t// h+=Ch(e,f,g)\n\teor\tx17,x25,x25,ror#5\n\tadd\tx24,x24,x16\t\t\t// h+=Sigma1(e)\n\tand\tx19,x19,x28\t\t\t// (b^c)&=(a^b)\n\tadd\tx20,x20,x24\t\t\t// d+=h\n\teor\tx19,x19,x26\t\t\t// Maj(a,b,c)\n\teor\tx17,x6,x17,ror#34\t// Sigma0(a)\n\tadd\tx24,x24,x19\t\t\t// h+=Maj(a,b,c)\n\tldr\tx19,[x30],#8\t\t// *K++, x28 in next round\n\t//add\tx24,x24,x17\t\t\t// h+=Sigma0(a)\n#ifndef\t__AARCH64EB__\n\trev\tx15,x15\t\t\t// 12\n#endif\n\tadd\tx24,x24,x17\t\t\t// h+=Sigma0(a)\n\tstr\tx7,[sp,#0]\n\tror\tx16,x20,#14\n\tadd\tx23,x23,x19\t\t\t// h+=K[i]\n\teor\tx7,x20,x20,ror#23\n\tand\tx17,x21,x20\n\tbic\tx19,x22,x20\n\tadd\tx23,x23,x15\t\t\t// h+=X[i]\n\torr\tx17,x17,x19\t\t\t// Ch(e,f,g)\n\teor\tx19,x24,x25\t\t\t// a^b, b^c in next round\n\teor\tx16,x16,x7,ror#18\t// Sigma1(e)\n\tror\tx7,x24,#28\n\tadd\tx23,x23,x17\t\t\t// h+=Ch(e,f,g)\n\teor\tx17,x24,x24,ror#5\n\tadd\tx23,x23,x16\t\t\t// h+=Sigma1(e)\n\tand\tx28,x28,x19\t\t\t// (b^c)&=(a^b)\n\tadd\tx27,x27,x23\t\t\t// d+=h\n\teor\tx28,x28,x25\t\t\t// Maj(a,b,c)\n\teor\tx17,x7,x17,ror#34\t// Sigma0(a)\n\tadd\tx23,x23,x28\t\t\t// h+=Maj(a,b,c)\n\tldr\tx28,[x30],#8\t\t// *K++, x19 in next round\n\t//add\tx23,x23,x17\t\t\t// h+=Sigma0(a)\n#ifndef\t__AARCH64EB__\n\trev\tx0,x0\t\t\t// 13\n#endif\n\tldp\tx1,x2,[x1]\n\tadd\tx23,x23,x17\t\t\t// h+=Sigma0(a)\n\tstr\tx8,[sp,#8]\n\tror\tx16,x27,#14\n\tadd\tx22,x22,x28\t\t\t// h+=K[i]\n\teor\tx8,x27,x27,ror#23\n\tand\tx17,x20,x27\n\tbic\tx28,x21,x27\n\tadd\tx22,x22,x0\t\t\t// h+=X[i]\n\torr\tx17,x17,x28\t\t\t// Ch(e,f,g)\n\teor\tx28,x23,x24\t\t\t// a^b, b^c in next round\n\teor\tx16,x16,x8,ror#18\t// Sigma1(e)\n\tror\tx8,x23,#28\n\tadd\tx22,x22,x17\t\t\t// h+=Ch(e,f,g)\n\teor\tx17,x23,x23,ror#5\n\tadd\tx22,x22,x16\t\t\t// h+=Sigma1(e)\n\tand\tx19,x19,x28\t\t\t// (b^c)&=(a^b)\n\tadd\tx26,x26,x22\t\t\t// d+=h\n\teor\tx19,x19,x24\t\t\t// Maj(a,b,c)\n\teor\tx17,x8,x17,ror#34\t// Sigma0(a)\n\tadd\tx22,x22,x19\t\t\t// h+=Maj(a,b,c)\n\tldr\tx19,[x30],#8\t\t// *K++, x28 in next round\n\t//add\tx22,x22,x17\t\t\t// h+=Sigma0(a)\n#ifndef\t__AARCH64EB__\n\trev\tx1,x1\t\t\t// 14\n#endif\n\tldr\tx6,[sp,#24]\n\tadd\tx22,x22,x17\t\t\t// h+=Sigma0(a)\n\tstr\tx9,[sp,#16]\n\tror\tx16,x26,#14\n\tadd\tx21,x21,x19\t\t\t// h+=K[i]\n\teor\tx9,x26,x26,ror#23\n\tand\tx17,x27,x26\n\tbic\tx19,x20,x26\n\tadd\tx21,x21,x1\t\t\t// h+=X[i]\n\torr\tx17,x17,x19\t\t\t// Ch(e,f,g)\n\teor\tx19,x22,x23\t\t\t// a^b, b^c in next round\n\teor\tx16,x16,x9,ror#18\t// Sigma1(e)\n\tror\tx9,x22,#28\n\tadd\tx21,x21,x17\t\t\t// h+=Ch(e,f,g)\n\teor\tx17,x22,x22,ror#5\n\tadd\tx21,x21,x16\t\t\t// h+=Sigma1(e)\n\tand\tx28,x28,x19\t\t\t// (b^c)&=(a^b)\n\tadd\tx25,x25,x21\t\t\t// d+=h\n\teor\tx28,x28,x23\t\t\t// Maj(a,b,c)\n\teor\tx17,x9,x17,ror#34\t// Sigma0(a)\n\tadd\tx21,x21,x28\t\t\t// h+=Maj(a,b,c)\n\tldr\tx28,[x30],#8\t\t// *K++, x19 in next round\n\t//add\tx21,x21,x17\t\t\t// h+=Sigma0(a)\n#ifndef\t__AARCH64EB__\n\trev\tx2,x2\t\t\t// 15\n#endif\n\tldr\tx7,[sp,#0]\n\tadd\tx21,x21,x17\t\t\t// h+=Sigma0(a)\n\tstr\tx10,[sp,#24]\n\tror\tx16,x25,#14\n\tadd\tx20,x20,x28\t\t\t// h+=K[i]\n\tror\tx9,x4,#1\n\tand\tx17,x26,x25\n\tror\tx8,x1,#19\n\tbic\tx28,x27,x25\n\tror\tx10,x21,#28\n\tadd\tx20,x20,x2\t\t\t// h+=X[i]\n\teor\tx16,x16,x25,ror#18\n\teor\tx9,x9,x4,ror#8\n\torr\tx17,x17,x28\t\t\t// Ch(e,f,g)\n\teor\tx28,x21,x22\t\t\t// a^b, b^c in next round\n\teor\tx16,x16,x25,ror#41\t// Sigma1(e)\n\teor\tx10,x10,x21,ror#34\n\tadd\tx20,x20,x17\t\t\t// h+=Ch(e,f,g)\n\tand\tx19,x19,x28\t\t\t// (b^c)&=(a^b)\n\teor\tx8,x8,x1,ror#61\n\teor\tx9,x9,x4,lsr#7\t// sigma0(X[i+1])\n\tadd\tx20,x20,x16\t\t\t// h+=Sigma1(e)\n\teor\tx19,x19,x22\t\t\t// Maj(a,b,c)\n\teor\tx17,x10,x21,ror#39\t// Sigma0(a)\n\teor\tx8,x8,x1,lsr#6\t// sigma1(X[i+14])\n\tadd\tx3,x3,x12\n\tadd\tx24,x24,x20\t\t\t// d+=h\n\tadd\tx20,x20,x19\t\t\t// h+=Maj(a,b,c)\n\tldr\tx19,[x30],#8\t\t// *K++, x28 in next round\n\tadd\tx3,x3,x9\n\tadd\tx20,x20,x17\t\t\t// h+=Sigma0(a)\n\tadd\tx3,x3,x8\nLoop_16_xx:\n\tldr\tx8,[sp,#8]\n\tstr\tx11,[sp,#0]\n\tror\tx16,x24,#14\n\tadd\tx27,x27,x19\t\t\t// h+=K[i]\n\tror\tx10,x5,#1\n\tand\tx17,x25,x24\n\tror\tx9,x2,#19\n\tbic\tx19,x26,x24\n\tror\tx11,x20,#28\n\tadd\tx27,x27,x3\t\t\t// h+=X[i]\n\teor\tx16,x16,x24,ror#18\n\teor\tx10,x10,x5,ror#8\n\torr\tx17,x17,x19\t\t\t// Ch(e,f,g)\n\teor\tx19,x20,x21\t\t\t// a^b, b^c in next round\n\teor\tx16,x16,x24,ror#41\t// Sigma1(e)\n\teor\tx11,x11,x20,ror#34\n\tadd\tx27,x27,x17\t\t\t// h+=Ch(e,f,g)\n\tand\tx28,x28,x19\t\t\t// (b^c)&=(a^b)\n\teor\tx9,x9,x2,ror#61\n\teor\tx10,x10,x5,lsr#7\t// sigma0(X[i+1])\n\tadd\tx27,x27,x16\t\t\t// h+=Sigma1(e)\n\teor\tx28,x28,x21\t\t\t// Maj(a,b,c)\n\teor\tx17,x11,x20,ror#39\t// Sigma0(a)\n\teor\tx9,x9,x2,lsr#6\t// sigma1(X[i+14])\n\tadd\tx4,x4,x13\n\tadd\tx23,x23,x27\t\t\t// d+=h\n\tadd\tx27,x27,x28\t\t\t// h+=Maj(a,b,c)\n\tldr\tx28,[x30],#8\t\t// *K++, x19 in next round\n\tadd\tx4,x4,x10\n\tadd\tx27,x27,x17\t\t\t// h+=Sigma0(a)\n\tadd\tx4,x4,x9\n\tldr\tx9,[sp,#16]\n\tstr\tx12,[sp,#8]\n\tror\tx16,x23,#14\n\tadd\tx26,x26,x28\t\t\t// h+=K[i]\n\tror\tx11,x6,#1\n\tand\tx17,x24,x23\n\tror\tx10,x3,#19\n\tbic\tx28,x25,x23\n\tror\tx12,x27,#28\n\tadd\tx26,x26,x4\t\t\t// h+=X[i]\n\teor\tx16,x16,x23,ror#18\n\teor\tx11,x11,x6,ror#8\n\torr\tx17,x17,x28\t\t\t// Ch(e,f,g)\n\teor\tx28,x27,x20\t\t\t// a^b, b^c in next round\n\teor\tx16,x16,x23,ror#41\t// Sigma1(e)\n\teor\tx12,x12,x27,ror#34\n\tadd\tx26,x26,x17\t\t\t// h+=Ch(e,f,g)\n\tand\tx19,x19,x28\t\t\t// (b^c)&=(a^b)\n\teor\tx10,x10,x3,ror#61\n\teor\tx11,x11,x6,lsr#7\t// sigma0(X[i+1])\n\tadd\tx26,x26,x16\t\t\t// h+=Sigma1(e)\n\teor\tx19,x19,x20\t\t\t// Maj(a,b,c)\n\teor\tx17,x12,x27,ror#39\t// Sigma0(a)\n\teor\tx10,x10,x3,lsr#6\t// sigma1(X[i+14])\n\tadd\tx5,x5,x14\n\tadd\tx22,x22,x26\t\t\t// d+=h\n\tadd\tx26,x26,x19\t\t\t// h+=Maj(a,b,c)\n\tldr\tx19,[x30],#8\t\t// *K++, x28 in next round\n\tadd\tx5,x5,x11\n\tadd\tx26,x26,x17\t\t\t// h+=Sigma0(a)\n\tadd\tx5,x5,x10\n\tldr\tx10,[sp,#24]\n\tstr\tx13,[sp,#16]\n\tror\tx16,x22,#14\n\tadd\tx25,x25,x19\t\t\t// h+=K[i]\n\tror\tx12,x7,#1\n\tand\tx17,x23,x22\n\tror\tx11,x4,#19\n\tbic\tx19,x24,x22\n\tror\tx13,x26,#28\n\tadd\tx25,x25,x5\t\t\t// h+=X[i]\n\teor\tx16,x16,x22,ror#18\n\teor\tx12,x12,x7,ror#8\n\torr\tx17,x17,x19\t\t\t// Ch(e,f,g)\n\teor\tx19,x26,x27\t\t\t// a^b, b^c in next round\n\teor\tx16,x16,x22,ror#41\t// Sigma1(e)\n\teor\tx13,x13,x26,ror#34\n\tadd\tx25,x25,x17\t\t\t// h+=Ch(e,f,g)\n\tand\tx28,x28,x19\t\t\t// (b^c)&=(a^b)\n\teor\tx11,x11,x4,ror#61\n\teor\tx12,x12,x7,lsr#7\t// sigma0(X[i+1])\n\tadd\tx25,x25,x16\t\t\t// h+=Sigma1(e)\n\teor\tx28,x28,x27\t\t\t// Maj(a,b,c)\n\teor\tx17,x13,x26,ror#39\t// Sigma0(a)\n\teor\tx11,x11,x4,lsr#6\t// sigma1(X[i+14])\n\tadd\tx6,x6,x15\n\tadd\tx21,x21,x25\t\t\t// d+=h\n\tadd\tx25,x25,x28\t\t\t// h+=Maj(a,b,c)\n\tldr\tx28,[x30],#8\t\t// *K++, x19 in next round\n\tadd\tx6,x6,x12\n\tadd\tx25,x25,x17\t\t\t// h+=Sigma0(a)\n\tadd\tx6,x6,x11\n\tldr\tx11,[sp,#0]\n\tstr\tx14,[sp,#24]\n\tror\tx16,x21,#14\n\tadd\tx24,x24,x28\t\t\t// h+=K[i]\n\tror\tx13,x8,#1\n\tand\tx17,x22,x21\n\tror\tx12,x5,#19\n\tbic\tx28,x23,x21\n\tror\tx14,x25,#28\n\tadd\tx24,x24,x6\t\t\t// h+=X[i]\n\teor\tx16,x16,x21,ror#18\n\teor\tx13,x13,x8,ror#8\n\torr\tx17,x17,x28\t\t\t// Ch(e,f,g)\n\teor\tx28,x25,x26\t\t\t// a^b, b^c in next round\n\teor\tx16,x16,x21,ror#41\t// Sigma1(e)\n\teor\tx14,x14,x25,ror#34\n\tadd\tx24,x24,x17\t\t\t// h+=Ch(e,f,g)\n\tand\tx19,x19,x28\t\t\t// (b^c)&=(a^b)\n\teor\tx12,x12,x5,ror#61\n\teor\tx13,x13,x8,lsr#7\t// sigma0(X[i+1])\n\tadd\tx24,x24,x16\t\t\t// h+=Sigma1(e)\n\teor\tx19,x19,x26\t\t\t// Maj(a,b,c)\n\teor\tx17,x14,x25,ror#39\t// Sigma0(a)\n\teor\tx12,x12,x5,lsr#6\t// sigma1(X[i+14])\n\tadd\tx7,x7,x0\n\tadd\tx20,x20,x24\t\t\t// d+=h\n\tadd\tx24,x24,x19\t\t\t// h+=Maj(a,b,c)\n\tldr\tx19,[x30],#8\t\t// *K++, x28 in next round\n\tadd\tx7,x7,x13\n\tadd\tx24,x24,x17\t\t\t// h+=Sigma0(a)\n\tadd\tx7,x7,x12\n\tldr\tx12,[sp,#8]\n\tstr\tx15,[sp,#0]\n\tror\tx16,x20,#14\n\tadd\tx23,x23,x19\t\t\t// h+=K[i]\n\tror\tx14,x9,#1\n\tand\tx17,x21,x20\n\tror\tx13,x6,#19\n\tbic\tx19,x22,x20\n\tror\tx15,x24,#28\n\tadd\tx23,x23,x7\t\t\t// h+=X[i]\n\teor\tx16,x16,x20,ror#18\n\teor\tx14,x14,x9,ror#8\n\torr\tx17,x17,x19\t\t\t// Ch(e,f,g)\n\teor\tx19,x24,x25\t\t\t// a^b, b^c in next round\n\teor\tx16,x16,x20,ror#41\t// Sigma1(e)\n\teor\tx15,x15,x24,ror#34\n\tadd\tx23,x23,x17\t\t\t// h+=Ch(e,f,g)\n\tand\tx28,x28,x19\t\t\t// (b^c)&=(a^b)\n\teor\tx13,x13,x6,ror#61\n\teor\tx14,x14,x9,lsr#7\t// sigma0(X[i+1])\n\tadd\tx23,x23,x16\t\t\t// h+=Sigma1(e)\n\teor\tx28,x28,x25\t\t\t// Maj(a,b,c)\n\teor\tx17,x15,x24,ror#39\t// Sigma0(a)\n\teor\tx13,x13,x6,lsr#6\t// sigma1(X[i+14])\n\tadd\tx8,x8,x1\n\tadd\tx27,x27,x23\t\t\t// d+=h\n\tadd\tx23,x23,x28\t\t\t// h+=Maj(a,b,c)\n\tldr\tx28,[x30],#8\t\t// *K++, x19 in next round\n\tadd\tx8,x8,x14\n\tadd\tx23,x23,x17\t\t\t// h+=Sigma0(a)\n\tadd\tx8,x8,x13\n\tldr\tx13,[sp,#16]\n\tstr\tx0,[sp,#8]\n\tror\tx16,x27,#14\n\tadd\tx22,x22,x28\t\t\t// h+=K[i]\n\tror\tx15,x10,#1\n\tand\tx17,x20,x27\n\tror\tx14,x7,#19\n\tbic\tx28,x21,x27\n\tror\tx0,x23,#28\n\tadd\tx22,x22,x8\t\t\t// h+=X[i]\n\teor\tx16,x16,x27,ror#18\n\teor\tx15,x15,x10,ror#8\n\torr\tx17,x17,x28\t\t\t// Ch(e,f,g)\n\teor\tx28,x23,x24\t\t\t// a^b, b^c in next round\n\teor\tx16,x16,x27,ror#41\t// Sigma1(e)\n\teor\tx0,x0,x23,ror#34\n\tadd\tx22,x22,x17\t\t\t// h+=Ch(e,f,g)\n\tand\tx19,x19,x28\t\t\t// (b^c)&=(a^b)\n\teor\tx14,x14,x7,ror#61\n\teor\tx15,x15,x10,lsr#7\t// sigma0(X[i+1])\n\tadd\tx22,x22,x16\t\t\t// h+=Sigma1(e)\n\teor\tx19,x19,x24\t\t\t// Maj(a,b,c)\n\teor\tx17,x0,x23,ror#39\t// Sigma0(a)\n\teor\tx14,x14,x7,lsr#6\t// sigma1(X[i+14])\n\tadd\tx9,x9,x2\n\tadd\tx26,x26,x22\t\t\t// d+=h\n\tadd\tx22,x22,x19\t\t\t// h+=Maj(a,b,c)\n\tldr\tx19,[x30],#8\t\t// *K++, x28 in next round\n\tadd\tx9,x9,x15\n\tadd\tx22,x22,x17\t\t\t// h+=Sigma0(a)\n\tadd\tx9,x9,x14\n\tldr\tx14,[sp,#24]\n\tstr\tx1,[sp,#16]\n\tror\tx16,x26,#14\n\tadd\tx21,x21,x19\t\t\t// h+=K[i]\n\tror\tx0,x11,#1\n\tand\tx17,x27,x26\n\tror\tx15,x8,#19\n\tbic\tx19,x20,x26\n\tror\tx1,x22,#28\n\tadd\tx21,x21,x9\t\t\t// h+=X[i]\n\teor\tx16,x16,x26,ror#18\n\teor\tx0,x0,x11,ror#8\n\torr\tx17,x17,x19\t\t\t// Ch(e,f,g)\n\teor\tx19,x22,x23\t\t\t// a^b, b^c in next round\n\teor\tx16,x16,x26,ror#41\t// Sigma1(e)\n\teor\tx1,x1,x22,ror#34\n\tadd\tx21,x21,x17\t\t\t// h+=Ch(e,f,g)\n\tand\tx28,x28,x19\t\t\t// (b^c)&=(a^b)\n\teor\tx15,x15,x8,ror#61\n\teor\tx0,x0,x11,lsr#7\t// sigma0(X[i+1])\n\tadd\tx21,x21,x16\t\t\t// h+=Sigma1(e)\n\teor\tx28,x28,x23\t\t\t// Maj(a,b,c)\n\teor\tx17,x1,x22,ror#39\t// Sigma0(a)\n\teor\tx15,x15,x8,lsr#6\t// sigma1(X[i+14])\n\tadd\tx10,x10,x3\n\tadd\tx25,x25,x21\t\t\t// d+=h\n\tadd\tx21,x21,x28\t\t\t// h+=Maj(a,b,c)\n\tldr\tx28,[x30],#8\t\t// *K++, x19 in next round\n\tadd\tx10,x10,x0\n\tadd\tx21,x21,x17\t\t\t// h+=Sigma0(a)\n\tadd\tx10,x10,x15\n\tldr\tx15,[sp,#0]\n\tstr\tx2,[sp,#24]\n\tror\tx16,x25,#14\n\tadd\tx20,x20,x28\t\t\t// h+=K[i]\n\tror\tx1,x12,#1\n\tand\tx17,x26,x25\n\tror\tx0,x9,#19\n\tbic\tx28,x27,x25\n\tror\tx2,x21,#28\n\tadd\tx20,x20,x10\t\t\t// h+=X[i]\n\teor\tx16,x16,x25,ror#18\n\teor\tx1,x1,x12,ror#8\n\torr\tx17,x17,x28\t\t\t// Ch(e,f,g)\n\teor\tx28,x21,x22\t\t\t// a^b, b^c in next round\n\teor\tx16,x16,x25,ror#41\t// Sigma1(e)\n\teor\tx2,x2,x21,ror#34\n\tadd\tx20,x20,x17\t\t\t// h+=Ch(e,f,g)\n\tand\tx19,x19,x28\t\t\t// (b^c)&=(a^b)\n\teor\tx0,x0,x9,ror#61\n\teor\tx1,x1,x12,lsr#7\t// sigma0(X[i+1])\n\tadd\tx20,x20,x16\t\t\t// h+=Sigma1(e)\n\teor\tx19,x19,x22\t\t\t// Maj(a,b,c)\n\teor\tx17,x2,x21,ror#39\t// Sigma0(a)\n\teor\tx0,x0,x9,lsr#6\t// sigma1(X[i+14])\n\tadd\tx11,x11,x4\n\tadd\tx24,x24,x20\t\t\t// d+=h\n\tadd\tx20,x20,x19\t\t\t// h+=Maj(a,b,c)\n\tldr\tx19,[x30],#8\t\t// *K++, x28 in next round\n\tadd\tx11,x11,x1\n\tadd\tx20,x20,x17\t\t\t// h+=Sigma0(a)\n\tadd\tx11,x11,x0\n\tldr\tx0,[sp,#8]\n\tstr\tx3,[sp,#0]\n\tror\tx16,x24,#14\n\tadd\tx27,x27,x19\t\t\t// h+=K[i]\n\tror\tx2,x13,#1\n\tand\tx17,x25,x24\n\tror\tx1,x10,#19\n\tbic\tx19,x26,x24\n\tror\tx3,x20,#28\n\tadd\tx27,x27,x11\t\t\t// h+=X[i]\n\teor\tx16,x16,x24,ror#18\n\teor\tx2,x2,x13,ror#8\n\torr\tx17,x17,x19\t\t\t// Ch(e,f,g)\n\teor\tx19,x20,x21\t\t\t// a^b, b^c in next round\n\teor\tx16,x16,x24,ror#41\t// Sigma1(e)\n\teor\tx3,x3,x20,ror#34\n\tadd\tx27,x27,x17\t\t\t// h+=Ch(e,f,g)\n\tand\tx28,x28,x19\t\t\t// (b^c)&=(a^b)\n\teor\tx1,x1,x10,ror#61\n\teor\tx2,x2,x13,lsr#7\t// sigma0(X[i+1])\n\tadd\tx27,x27,x16\t\t\t// h+=Sigma1(e)\n\teor\tx28,x28,x21\t\t\t// Maj(a,b,c)\n\teor\tx17,x3,x20,ror#39\t// Sigma0(a)\n\teor\tx1,x1,x10,lsr#6\t// sigma1(X[i+14])\n\tadd\tx12,x12,x5\n\tadd\tx23,x23,x27\t\t\t// d+=h\n\tadd\tx27,x27,x28\t\t\t// h+=Maj(a,b,c)\n\tldr\tx28,[x30],#8\t\t// *K++, x19 in next round\n\tadd\tx12,x12,x2\n\tadd\tx27,x27,x17\t\t\t// h+=Sigma0(a)\n\tadd\tx12,x12,x1\n\tldr\tx1,[sp,#16]\n\tstr\tx4,[sp,#8]\n\tror\tx16,x23,#14\n\tadd\tx26,x26,x28\t\t\t// h+=K[i]\n\tror\tx3,x14,#1\n\tand\tx17,x24,x23\n\tror\tx2,x11,#19\n\tbic\tx28,x25,x23\n\tror\tx4,x27,#28\n\tadd\tx26,x26,x12\t\t\t// h+=X[i]\n\teor\tx16,x16,x23,ror#18\n\teor\tx3,x3,x14,ror#8\n\torr\tx17,x17,x28\t\t\t// Ch(e,f,g)\n\teor\tx28,x27,x20\t\t\t// a^b, b^c in next round\n\teor\tx16,x16,x23,ror#41\t// Sigma1(e)\n\teor\tx4,x4,x27,ror#34\n\tadd\tx26,x26,x17\t\t\t// h+=Ch(e,f,g)\n\tand\tx19,x19,x28\t\t\t// (b^c)&=(a^b)\n\teor\tx2,x2,x11,ror#61\n\teor\tx3,x3,x14,lsr#7\t// sigma0(X[i+1])\n\tadd\tx26,x26,x16\t\t\t// h+=Sigma1(e)\n\teor\tx19,x19,x20\t\t\t// Maj(a,b,c)\n\teor\tx17,x4,x27,ror#39\t// Sigma0(a)\n\teor\tx2,x2,x11,lsr#6\t// sigma1(X[i+14])\n\tadd\tx13,x13,x6\n\tadd\tx22,x22,x26\t\t\t// d+=h\n\tadd\tx26,x26,x19\t\t\t// h+=Maj(a,b,c)\n\tldr\tx19,[x30],#8\t\t// *K++, x28 in next round\n\tadd\tx13,x13,x3\n\tadd\tx26,x26,x17\t\t\t// h+=Sigma0(a)\n\tadd\tx13,x13,x2\n\tldr\tx2,[sp,#24]\n\tstr\tx5,[sp,#16]\n\tror\tx16,x22,#14\n\tadd\tx25,x25,x19\t\t\t// h+=K[i]\n\tror\tx4,x15,#1\n\tand\tx17,x23,x22\n\tror\tx3,x12,#19\n\tbic\tx19,x24,x22\n\tror\tx5,x26,#28\n\tadd\tx25,x25,x13\t\t\t// h+=X[i]\n\teor\tx16,x16,x22,ror#18\n\teor\tx4,x4,x15,ror#8\n\torr\tx17,x17,x19\t\t\t// Ch(e,f,g)\n\teor\tx19,x26,x27\t\t\t// a^b, b^c in next round\n\teor\tx16,x16,x22,ror#41\t// Sigma1(e)\n\teor\tx5,x5,x26,ror#34\n\tadd\tx25,x25,x17\t\t\t// h+=Ch(e,f,g)\n\tand\tx28,x28,x19\t\t\t// (b^c)&=(a^b)\n\teor\tx3,x3,x12,ror#61\n\teor\tx4,x4,x15,lsr#7\t// sigma0(X[i+1])\n\tadd\tx25,x25,x16\t\t\t// h+=Sigma1(e)\n\teor\tx28,x28,x27\t\t\t// Maj(a,b,c)\n\teor\tx17,x5,x26,ror#39\t// Sigma0(a)\n\teor\tx3,x3,x12,lsr#6\t// sigma1(X[i+14])\n\tadd\tx14,x14,x7\n\tadd\tx21,x21,x25\t\t\t// d+=h\n\tadd\tx25,x25,x28\t\t\t// h+=Maj(a,b,c)\n\tldr\tx28,[x30],#8\t\t// *K++, x19 in next round\n\tadd\tx14,x14,x4\n\tadd\tx25,x25,x17\t\t\t// h+=Sigma0(a)\n\tadd\tx14,x14,x3\n\tldr\tx3,[sp,#0]\n\tstr\tx6,[sp,#24]\n\tror\tx16,x21,#14\n\tadd\tx24,x24,x28\t\t\t// h+=K[i]\n\tror\tx5,x0,#1\n\tand\tx17,x22,x21\n\tror\tx4,x13,#19\n\tbic\tx28,x23,x21\n\tror\tx6,x25,#28\n\tadd\tx24,x24,x14\t\t\t// h+=X[i]\n\teor\tx16,x16,x21,ror#18\n\teor\tx5,x5,x0,ror#8\n\torr\tx17,x17,x28\t\t\t// Ch(e,f,g)\n\teor\tx28,x25,x26\t\t\t// a^b, b^c in next round\n\teor\tx16,x16,x21,ror#41\t// Sigma1(e)\n\teor\tx6,x6,x25,ror#34\n\tadd\tx24,x24,x17\t\t\t// h+=Ch(e,f,g)\n\tand\tx19,x19,x28\t\t\t// (b^c)&=(a^b)\n\teor\tx4,x4,x13,ror#61\n\teor\tx5,x5,x0,lsr#7\t// sigma0(X[i+1])\n\tadd\tx24,x24,x16\t\t\t// h+=Sigma1(e)\n\teor\tx19,x19,x26\t\t\t// Maj(a,b,c)\n\teor\tx17,x6,x25,ror#39\t// Sigma0(a)\n\teor\tx4,x4,x13,lsr#6\t// sigma1(X[i+14])\n\tadd\tx15,x15,x8\n\tadd\tx20,x20,x24\t\t\t// d+=h\n\tadd\tx24,x24,x19\t\t\t// h+=Maj(a,b,c)\n\tldr\tx19,[x30],#8\t\t// *K++, x28 in next round\n\tadd\tx15,x15,x5\n\tadd\tx24,x24,x17\t\t\t// h+=Sigma0(a)\n\tadd\tx15,x15,x4\n\tldr\tx4,[sp,#8]\n\tstr\tx7,[sp,#0]\n\tror\tx16,x20,#14\n\tadd\tx23,x23,x19\t\t\t// h+=K[i]\n\tror\tx6,x1,#1\n\tand\tx17,x21,x20\n\tror\tx5,x14,#19\n\tbic\tx19,x22,x20\n\tror\tx7,x24,#28\n\tadd\tx23,x23,x15\t\t\t// h+=X[i]\n\teor\tx16,x16,x20,ror#18\n\teor\tx6,x6,x1,ror#8\n\torr\tx17,x17,x19\t\t\t// Ch(e,f,g)\n\teor\tx19,x24,x25\t\t\t// a^b, b^c in next round\n\teor\tx16,x16,x20,ror#41\t// Sigma1(e)\n\teor\tx7,x7,x24,ror#34\n\tadd\tx23,x23,x17\t\t\t// h+=Ch(e,f,g)\n\tand\tx28,x28,x19\t\t\t// (b^c)&=(a^b)\n\teor\tx5,x5,x14,ror#61\n\teor\tx6,x6,x1,lsr#7\t// sigma0(X[i+1])\n\tadd\tx23,x23,x16\t\t\t// h+=Sigma1(e)\n\teor\tx28,x28,x25\t\t\t// Maj(a,b,c)\n\teor\tx17,x7,x24,ror#39\t// Sigma0(a)\n\teor\tx5,x5,x14,lsr#6\t// sigma1(X[i+14])\n\tadd\tx0,x0,x9\n\tadd\tx27,x27,x23\t\t\t// d+=h\n\tadd\tx23,x23,x28\t\t\t// h+=Maj(a,b,c)\n\tldr\tx28,[x30],#8\t\t// *K++, x19 in next round\n\tadd\tx0,x0,x6\n\tadd\tx23,x23,x17\t\t\t// h+=Sigma0(a)\n\tadd\tx0,x0,x5\n\tldr\tx5,[sp,#16]\n\tstr\tx8,[sp,#8]\n\tror\tx16,x27,#14\n\tadd\tx22,x22,x28\t\t\t// h+=K[i]\n\tror\tx7,x2,#1\n\tand\tx17,x20,x27\n\tror\tx6,x15,#19\n\tbic\tx28,x21,x27\n\tror\tx8,x23,#28\n\tadd\tx22,x22,x0\t\t\t// h+=X[i]\n\teor\tx16,x16,x27,ror#18\n\teor\tx7,x7,x2,ror#8\n\torr\tx17,x17,x28\t\t\t// Ch(e,f,g)\n\teor\tx28,x23,x24\t\t\t// a^b, b^c in next round\n\teor\tx16,x16,x27,ror#41\t// Sigma1(e)\n\teor\tx8,x8,x23,ror#34\n\tadd\tx22,x22,x17\t\t\t// h+=Ch(e,f,g)\n\tand\tx19,x19,x28\t\t\t// (b^c)&=(a^b)\n\teor\tx6,x6,x15,ror#61\n\teor\tx7,x7,x2,lsr#7\t// sigma0(X[i+1])\n\tadd\tx22,x22,x16\t\t\t// h+=Sigma1(e)\n\teor\tx19,x19,x24\t\t\t// Maj(a,b,c)\n\teor\tx17,x8,x23,ror#39\t// Sigma0(a)\n\teor\tx6,x6,x15,lsr#6\t// sigma1(X[i+14])\n\tadd\tx1,x1,x10\n\tadd\tx26,x26,x22\t\t\t// d+=h\n\tadd\tx22,x22,x19\t\t\t// h+=Maj(a,b,c)\n\tldr\tx19,[x30],#8\t\t// *K++, x28 in next round\n\tadd\tx1,x1,x7\n\tadd\tx22,x22,x17\t\t\t// h+=Sigma0(a)\n\tadd\tx1,x1,x6\n\tldr\tx6,[sp,#24]\n\tstr\tx9,[sp,#16]\n\tror\tx16,x26,#14\n\tadd\tx21,x21,x19\t\t\t// h+=K[i]\n\tror\tx8,x3,#1\n\tand\tx17,x27,x26\n\tror\tx7,x0,#19\n\tbic\tx19,x20,x26\n\tror\tx9,x22,#28\n\tadd\tx21,x21,x1\t\t\t// h+=X[i]\n\teor\tx16,x16,x26,ror#18\n\teor\tx8,x8,x3,ror#8\n\torr\tx17,x17,x19\t\t\t// Ch(e,f,g)\n\teor\tx19,x22,x23\t\t\t// a^b, b^c in next round\n\teor\tx16,x16,x26,ror#41\t// Sigma1(e)\n\teor\tx9,x9,x22,ror#34\n\tadd\tx21,x21,x17\t\t\t// h+=Ch(e,f,g)\n\tand\tx28,x28,x19\t\t\t// (b^c)&=(a^b)\n\teor\tx7,x7,x0,ror#61\n\teor\tx8,x8,x3,lsr#7\t// sigma0(X[i+1])\n\tadd\tx21,x21,x16\t\t\t// h+=Sigma1(e)\n\teor\tx28,x28,x23\t\t\t// Maj(a,b,c)\n\teor\tx17,x9,x22,ror#39\t// Sigma0(a)\n\teor\tx7,x7,x0,lsr#6\t// sigma1(X[i+14])\n\tadd\tx2,x2,x11\n\tadd\tx25,x25,x21\t\t\t// d+=h\n\tadd\tx21,x21,x28\t\t\t// h+=Maj(a,b,c)\n\tldr\tx28,[x30],#8\t\t// *K++, x19 in next round\n\tadd\tx2,x2,x8\n\tadd\tx21,x21,x17\t\t\t// h+=Sigma0(a)\n\tadd\tx2,x2,x7\n\tldr\tx7,[sp,#0]\n\tstr\tx10,[sp,#24]\n\tror\tx16,x25,#14\n\tadd\tx20,x20,x28\t\t\t// h+=K[i]\n\tror\tx9,x4,#1\n\tand\tx17,x26,x25\n\tror\tx8,x1,#19\n\tbic\tx28,x27,x25\n\tror\tx10,x21,#28\n\tadd\tx20,x20,x2\t\t\t// h+=X[i]\n\teor\tx16,x16,x25,ror#18\n\teor\tx9,x9,x4,ror#8\n\torr\tx17,x17,x28\t\t\t// Ch(e,f,g)\n\teor\tx28,x21,x22\t\t\t// a^b, b^c in next round\n\teor\tx16,x16,x25,ror#41\t// Sigma1(e)\n\teor\tx10,x10,x21,ror#34\n\tadd\tx20,x20,x17\t\t\t// h+=Ch(e,f,g)\n\tand\tx19,x19,x28\t\t\t// (b^c)&=(a^b)\n\teor\tx8,x8,x1,ror#61\n\teor\tx9,x9,x4,lsr#7\t// sigma0(X[i+1])\n\tadd\tx20,x20,x16\t\t\t// h+=Sigma1(e)\n\teor\tx19,x19,x22\t\t\t// Maj(a,b,c)\n\teor\tx17,x10,x21,ror#39\t// Sigma0(a)\n\teor\tx8,x8,x1,lsr#6\t// sigma1(X[i+14])\n\tadd\tx3,x3,x12\n\tadd\tx24,x24,x20\t\t\t// d+=h\n\tadd\tx20,x20,x19\t\t\t// h+=Maj(a,b,c)\n\tldr\tx19,[x30],#8\t\t// *K++, x28 in next round\n\tadd\tx3,x3,x9\n\tadd\tx20,x20,x17\t\t\t// h+=Sigma0(a)\n\tadd\tx3,x3,x8\n\tcbnz\tx19,Loop_16_xx\n\n\tldp\tx0,x2,[x29,#96]\n\tldr\tx1,[x29,#112]\n\tsub\tx30,x30,#648\t\t// rewind\n\n\tldp\tx3,x4,[x0]\n\tldp\tx5,x6,[x0,#2*8]\n\tadd\tx1,x1,#14*8\t\t\t// advance input pointer\n\tldp\tx7,x8,[x0,#4*8]\n\tadd\tx20,x20,x3\n\tldp\tx9,x10,[x0,#6*8]\n\tadd\tx21,x21,x4\n\tadd\tx22,x22,x5\n\tadd\tx23,x23,x6\n\tstp\tx20,x21,[x0]\n\tadd\tx24,x24,x7\n\tadd\tx25,x25,x8\n\tstp\tx22,x23,[x0,#2*8]\n\tadd\tx26,x26,x9\n\tadd\tx27,x27,x10\n\tcmp\tx1,x2\n\tstp\tx24,x25,[x0,#4*8]\n\tstp\tx26,x27,[x0,#6*8]\n\tb.ne\tLoop\n\n\tldp\tx19,x20,[x29,#16]\n\tadd\tsp,sp,#4*8\n\tldp\tx21,x22,[x29,#32]\n\tldp\tx23,x24,[x29,#48]\n\tldp\tx25,x26,[x29,#64]\n\tldp\tx27,x28,[x29,#80]\n\tldp\tx29,x30,[sp],#128\n\tAARCH64_VALIDATE_LINK_REGISTER\n\tret\n\n\n.section\t__TEXT,__const\n.align\t6\n\nLK512:\n.quad\t0x428a2f98d728ae22,0x7137449123ef65cd\n.quad\t0xb5c0fbcfec4d3b2f,0xe9b5dba58189dbbc\n.quad\t0x3956c25bf348b538,0x59f111f1b605d019\n.quad\t0x923f82a4af194f9b,0xab1c5ed5da6d8118\n.quad\t0xd807aa98a3030242,0x12835b0145706fbe\n.quad\t0x243185be4ee4b28c,0x550c7dc3d5ffb4e2\n.quad\t0x72be5d74f27b896f,0x80deb1fe3b1696b1\n.quad\t0x9bdc06a725c71235,0xc19bf174cf692694\n.quad\t0xe49b69c19ef14ad2,0xefbe4786384f25e3\n.quad\t0x0fc19dc68b8cd5b5,0x240ca1cc77ac9c65\n.quad\t0x2de92c6f592b0275,0x4a7484aa6ea6e483\n.quad\t0x5cb0a9dcbd41fbd4,0x76f988da831153b5\n.quad\t0x983e5152ee66dfab,0xa831c66d2db43210\n.quad\t0xb00327c898fb213f,0xbf597fc7beef0ee4\n.quad\t0xc6e00bf33da88fc2,0xd5a79147930aa725\n.quad\t0x06ca6351e003826f,0x142929670a0e6e70\n.quad\t0x27b70a8546d22ffc,0x2e1b21385c26c926\n.quad\t0x4d2c6dfc5ac42aed,0x53380d139d95b3df\n.quad\t0x650a73548baf63de,0x766a0abb3c77b2a8\n.quad\t0x81c2c92e47edaee6,0x92722c851482353b\n.quad\t0xa2bfe8a14cf10364,0xa81a664bbc423001\n.quad\t0xc24b8b70d0f89791,0xc76c51a30654be30\n.quad\t0xd192e819d6ef5218,0xd69906245565a910\n.quad\t0xf40e35855771202a,0x106aa07032bbd1b8\n.quad\t0x19a4c116b8d2d0c8,0x1e376c085141ab53\n.quad\t0x2748774cdf8eeb99,0x34b0bcb5e19b48a8\n.quad\t0x391c0cb3c5c95a63,0x4ed8aa4ae3418acb\n.quad\t0x5b9cca4f7763e373,0x682e6ff3d6b2b8a3\n.quad\t0x748f82ee5defb2fc,0x78a5636f43172f60\n.quad\t0x84c87814a1f0ab72,0x8cc702081a6439ec\n.quad\t0x90befffa23631e28,0xa4506cebde82bde9\n.quad\t0xbef9a3f7b2c67915,0xc67178f2e372532b\n.quad\t0xca273eceea26619c,0xd186b8c721c0c207\n.quad\t0xeada7dd6cde0eb1e,0xf57d4f7fee6ed178\n.quad\t0x06f067aa72176fba,0x0a637dc5a2c898a6\n.quad\t0x113f9804bef90dae,0x1b710b35131c471b\n.quad\t0x28db77f523047d84,0x32caab7b40c72493\n.quad\t0x3c9ebe0a15c9bebc,0x431d67c49c100d4c\n.quad\t0x4cc5d4becb3e42b6,0x597f299cfc657e2a\n.quad\t0x5fcb6fab3ad6faec,0x6c44198c4a475817\n.quad\t0\t// terminator\n\n.byte\t83,72,65,53,49,50,32,98,108,111,99,107,32,116,114,97,110,115,102,111,114,109,32,102,111,114,32,65,82,77,118,56,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0\n.align\t2\n.align\t2\n.text\n#ifndef\t__KERNEL__\n.globl\t_sha512_block_data_order_hw\n.private_extern\t_sha512_block_data_order_hw\n\n.align\t6\n_sha512_block_data_order_hw:\n\t// Armv8.3-A PAuth: even though x30 is pushed to stack it is not popped later.\n\tAARCH64_VALID_CALL_TARGET\n\tstp\tx29,x30,[sp,#-16]!\n\tadd\tx29,sp,#0\n\n\tld1\t{v16.16b,v17.16b,v18.16b,v19.16b},[x1],#64\t// load input\n\tld1\t{v20.16b,v21.16b,v22.16b,v23.16b},[x1],#64\n\n\tld1\t{v0.2d,v1.2d,v2.2d,v3.2d},[x0]\t\t// load context\n\tadrp\tx3,LK512@PAGE\n\tadd\tx3,x3,LK512@PAGEOFF\n\n\trev64\tv16.16b,v16.16b\n\trev64\tv17.16b,v17.16b\n\trev64\tv18.16b,v18.16b\n\trev64\tv19.16b,v19.16b\n\trev64\tv20.16b,v20.16b\n\trev64\tv21.16b,v21.16b\n\trev64\tv22.16b,v22.16b\n\trev64\tv23.16b,v23.16b\n\tb\tLoop_hw\n\n.align\t4\nLoop_hw:\n\tld1\t{v24.2d},[x3],#16\n\tsubs\tx2,x2,#1\n\tsub\tx4,x1,#128\n\torr\tv26.16b,v0.16b,v0.16b\t\t\t// offload\n\torr\tv27.16b,v1.16b,v1.16b\n\torr\tv28.16b,v2.16b,v2.16b\n\torr\tv29.16b,v3.16b,v3.16b\n\tcsel\tx1,x1,x4,ne\t\t\t// conditional rewind\n\tadd\tv24.2d,v24.2d,v16.2d\n\tld1\t{v25.2d},[x3],#16\n\text\tv24.16b,v24.16b,v24.16b,#8\n\text\tv5.16b,v2.16b,v3.16b,#8\n\text\tv6.16b,v1.16b,v2.16b,#8\n\tadd\tv3.2d,v3.2d,v24.2d\t\t\t// \"T1 + H + K512[i]\"\n.long\t0xcec08230\t//sha512su0 v16.16b,v17.16b\n\text\tv7.16b,v20.16b,v21.16b,#8\n.long\t0xce6680a3\t//sha512h v3.16b,v5.16b,v6.16b\n.long\t0xce678af0\t//sha512su1 v16.16b,v23.16b,v7.16b\n\tadd\tv4.2d,v1.2d,v3.2d\t\t// \"D + T1\"\n.long\t0xce608423\t//sha512h2 v3.16b,v1.16b,v0.16b\n\tadd\tv25.2d,v25.2d,v17.2d\n\tld1\t{v24.2d},[x3],#16\n\text\tv25.16b,v25.16b,v25.16b,#8\n\text\tv5.16b,v4.16b,v2.16b,#8\n\text\tv6.16b,v0.16b,v4.16b,#8\n\tadd\tv2.2d,v2.2d,v25.2d\t\t\t// \"T1 + H + K512[i]\"\n.long\t0xcec08251\t//sha512su0 v17.16b,v18.16b\n\text\tv7.16b,v21.16b,v22.16b,#8\n.long\t0xce6680a2\t//sha512h v2.16b,v5.16b,v6.16b\n.long\t0xce678a11\t//sha512su1 v17.16b,v16.16b,v7.16b\n\tadd\tv1.2d,v0.2d,v2.2d\t\t// \"D + T1\"\n.long\t0xce638402\t//sha512h2 v2.16b,v0.16b,v3.16b\n\tadd\tv24.2d,v24.2d,v18.2d\n\tld1\t{v25.2d},[x3],#16\n\text\tv24.16b,v24.16b,v24.16b,#8\n\text\tv5.16b,v1.16b,v4.16b,#8\n\text\tv6.16b,v3.16b,v1.16b,#8\n\tadd\tv4.2d,v4.2d,v24.2d\t\t\t// \"T1 + H + K512[i]\"\n.long\t0xcec08272\t//sha512su0 v18.16b,v19.16b\n\text\tv7.16b,v22.16b,v23.16b,#8\n.long\t0xce6680a4\t//sha512h v4.16b,v5.16b,v6.16b\n.long\t0xce678a32\t//sha512su1 v18.16b,v17.16b,v7.16b\n\tadd\tv0.2d,v3.2d,v4.2d\t\t// \"D + T1\"\n.long\t0xce628464\t//sha512h2 v4.16b,v3.16b,v2.16b\n\tadd\tv25.2d,v25.2d,v19.2d\n\tld1\t{v24.2d},[x3],#16\n\text\tv25.16b,v25.16b,v25.16b,#8\n\text\tv5.16b,v0.16b,v1.16b,#8\n\text\tv6.16b,v2.16b,v0.16b,#8\n\tadd\tv1.2d,v1.2d,v25.2d\t\t\t// \"T1 + H + K512[i]\"\n.long\t0xcec08293\t//sha512su0 v19.16b,v20.16b\n\text\tv7.16b,v23.16b,v16.16b,#8\n.long\t0xce6680a1\t//sha512h v1.16b,v5.16b,v6.16b\n.long\t0xce678a53\t//sha512su1 v19.16b,v18.16b,v7.16b\n\tadd\tv3.2d,v2.2d,v1.2d\t\t// \"D + T1\"\n.long\t0xce648441\t//sha512h2 v1.16b,v2.16b,v4.16b\n\tadd\tv24.2d,v24.2d,v20.2d\n\tld1\t{v25.2d},[x3],#16\n\text\tv24.16b,v24.16b,v24.16b,#8\n\text\tv5.16b,v3.16b,v0.16b,#8\n\text\tv6.16b,v4.16b,v3.16b,#8\n\tadd\tv0.2d,v0.2d,v24.2d\t\t\t// \"T1 + H + K512[i]\"\n.long\t0xcec082b4\t//sha512su0 v20.16b,v21.16b\n\text\tv7.16b,v16.16b,v17.16b,#8\n.long\t0xce6680a0\t//sha512h v0.16b,v5.16b,v6.16b\n.long\t0xce678a74\t//sha512su1 v20.16b,v19.16b,v7.16b\n\tadd\tv2.2d,v4.2d,v0.2d\t\t// \"D + T1\"\n.long\t0xce618480\t//sha512h2 v0.16b,v4.16b,v1.16b\n\tadd\tv25.2d,v25.2d,v21.2d\n\tld1\t{v24.2d},[x3],#16\n\text\tv25.16b,v25.16b,v25.16b,#8\n\text\tv5.16b,v2.16b,v3.16b,#8\n\text\tv6.16b,v1.16b,v2.16b,#8\n\tadd\tv3.2d,v3.2d,v25.2d\t\t\t// \"T1 + H + K512[i]\"\n.long\t0xcec082d5\t//sha512su0 v21.16b,v22.16b\n\text\tv7.16b,v17.16b,v18.16b,#8\n.long\t0xce6680a3\t//sha512h v3.16b,v5.16b,v6.16b\n.long\t0xce678a95\t//sha512su1 v21.16b,v20.16b,v7.16b\n\tadd\tv4.2d,v1.2d,v3.2d\t\t// \"D + T1\"\n.long\t0xce608423\t//sha512h2 v3.16b,v1.16b,v0.16b\n\tadd\tv24.2d,v24.2d,v22.2d\n\tld1\t{v25.2d},[x3],#16\n\text\tv24.16b,v24.16b,v24.16b,#8\n\text\tv5.16b,v4.16b,v2.16b,#8\n\text\tv6.16b,v0.16b,v4.16b,#8\n\tadd\tv2.2d,v2.2d,v24.2d\t\t\t// \"T1 + H + K512[i]\"\n.long\t0xcec082f6\t//sha512su0 v22.16b,v23.16b\n\text\tv7.16b,v18.16b,v19.16b,#8\n.long\t0xce6680a2\t//sha512h v2.16b,v5.16b,v6.16b\n.long\t0xce678ab6\t//sha512su1 v22.16b,v21.16b,v7.16b\n\tadd\tv1.2d,v0.2d,v2.2d\t\t// \"D + T1\"\n.long\t0xce638402\t//sha512h2 v2.16b,v0.16b,v3.16b\n\tadd\tv25.2d,v25.2d,v23.2d\n\tld1\t{v24.2d},[x3],#16\n\text\tv25.16b,v25.16b,v25.16b,#8\n\text\tv5.16b,v1.16b,v4.16b,#8\n\text\tv6.16b,v3.16b,v1.16b,#8\n\tadd\tv4.2d,v4.2d,v25.2d\t\t\t// \"T1 + H + K512[i]\"\n.long\t0xcec08217\t//sha512su0 v23.16b,v16.16b\n\text\tv7.16b,v19.16b,v20.16b,#8\n.long\t0xce6680a4\t//sha512h v4.16b,v5.16b,v6.16b\n.long\t0xce678ad7\t//sha512su1 v23.16b,v22.16b,v7.16b\n\tadd\tv0.2d,v3.2d,v4.2d\t\t// \"D + T1\"\n.long\t0xce628464\t//sha512h2 v4.16b,v3.16b,v2.16b\n\tadd\tv24.2d,v24.2d,v16.2d\n\tld1\t{v25.2d},[x3],#16\n\text\tv24.16b,v24.16b,v24.16b,#8\n\text\tv5.16b,v0.16b,v1.16b,#8\n\text\tv6.16b,v2.16b,v0.16b,#8\n\tadd\tv1.2d,v1.2d,v24.2d\t\t\t// \"T1 + H + K512[i]\"\n.long\t0xcec08230\t//sha512su0 v16.16b,v17.16b\n\text\tv7.16b,v20.16b,v21.16b,#8\n.long\t0xce6680a1\t//sha512h v1.16b,v5.16b,v6.16b\n.long\t0xce678af0\t//sha512su1 v16.16b,v23.16b,v7.16b\n\tadd\tv3.2d,v2.2d,v1.2d\t\t// \"D + T1\"\n.long\t0xce648441\t//sha512h2 v1.16b,v2.16b,v4.16b\n\tadd\tv25.2d,v25.2d,v17.2d\n\tld1\t{v24.2d},[x3],#16\n\text\tv25.16b,v25.16b,v25.16b,#8\n\text\tv5.16b,v3.16b,v0.16b,#8\n\text\tv6.16b,v4.16b,v3.16b,#8\n\tadd\tv0.2d,v0.2d,v25.2d\t\t\t// \"T1 + H + K512[i]\"\n.long\t0xcec08251\t//sha512su0 v17.16b,v18.16b\n\text\tv7.16b,v21.16b,v22.16b,#8\n.long\t0xce6680a0\t//sha512h v0.16b,v5.16b,v6.16b\n.long\t0xce678a11\t//sha512su1 v17.16b,v16.16b,v7.16b\n\tadd\tv2.2d,v4.2d,v0.2d\t\t// \"D + T1\"\n.long\t0xce618480\t//sha512h2 v0.16b,v4.16b,v1.16b\n\tadd\tv24.2d,v24.2d,v18.2d\n\tld1\t{v25.2d},[x3],#16\n\text\tv24.16b,v24.16b,v24.16b,#8\n\text\tv5.16b,v2.16b,v3.16b,#8\n\text\tv6.16b,v1.16b,v2.16b,#8\n\tadd\tv3.2d,v3.2d,v24.2d\t\t\t// \"T1 + H + K512[i]\"\n.long\t0xcec08272\t//sha512su0 v18.16b,v19.16b\n\text\tv7.16b,v22.16b,v23.16b,#8\n.long\t0xce6680a3\t//sha512h v3.16b,v5.16b,v6.16b\n.long\t0xce678a32\t//sha512su1 v18.16b,v17.16b,v7.16b\n\tadd\tv4.2d,v1.2d,v3.2d\t\t// \"D + T1\"\n.long\t0xce608423\t//sha512h2 v3.16b,v1.16b,v0.16b\n\tadd\tv25.2d,v25.2d,v19.2d\n\tld1\t{v24.2d},[x3],#16\n\text\tv25.16b,v25.16b,v25.16b,#8\n\text\tv5.16b,v4.16b,v2.16b,#8\n\text\tv6.16b,v0.16b,v4.16b,#8\n\tadd\tv2.2d,v2.2d,v25.2d\t\t\t// \"T1 + H + K512[i]\"\n.long\t0xcec08293\t//sha512su0 v19.16b,v20.16b\n\text\tv7.16b,v23.16b,v16.16b,#8\n.long\t0xce6680a2\t//sha512h v2.16b,v5.16b,v6.16b\n.long\t0xce678a53\t//sha512su1 v19.16b,v18.16b,v7.16b\n\tadd\tv1.2d,v0.2d,v2.2d\t\t// \"D + T1\"\n.long\t0xce638402\t//sha512h2 v2.16b,v0.16b,v3.16b\n\tadd\tv24.2d,v24.2d,v20.2d\n\tld1\t{v25.2d},[x3],#16\n\text\tv24.16b,v24.16b,v24.16b,#8\n\text\tv5.16b,v1.16b,v4.16b,#8\n\text\tv6.16b,v3.16b,v1.16b,#8\n\tadd\tv4.2d,v4.2d,v24.2d\t\t\t// \"T1 + H + K512[i]\"\n.long\t0xcec082b4\t//sha512su0 v20.16b,v21.16b\n\text\tv7.16b,v16.16b,v17.16b,#8\n.long\t0xce6680a4\t//sha512h v4.16b,v5.16b,v6.16b\n.long\t0xce678a74\t//sha512su1 v20.16b,v19.16b,v7.16b\n\tadd\tv0.2d,v3.2d,v4.2d\t\t// \"D + T1\"\n.long\t0xce628464\t//sha512h2 v4.16b,v3.16b,v2.16b\n\tadd\tv25.2d,v25.2d,v21.2d\n\tld1\t{v24.2d},[x3],#16\n\text\tv25.16b,v25.16b,v25.16b,#8\n\text\tv5.16b,v0.16b,v1.16b,#8\n\text\tv6.16b,v2.16b,v0.16b,#8\n\tadd\tv1.2d,v1.2d,v25.2d\t\t\t// \"T1 + H + K512[i]\"\n.long\t0xcec082d5\t//sha512su0 v21.16b,v22.16b\n\text\tv7.16b,v17.16b,v18.16b,#8\n.long\t0xce6680a1\t//sha512h v1.16b,v5.16b,v6.16b\n.long\t0xce678a95\t//sha512su1 v21.16b,v20.16b,v7.16b\n\tadd\tv3.2d,v2.2d,v1.2d\t\t// \"D + T1\"\n.long\t0xce648441\t//sha512h2 v1.16b,v2.16b,v4.16b\n\tadd\tv24.2d,v24.2d,v22.2d\n\tld1\t{v25.2d},[x3],#16\n\text\tv24.16b,v24.16b,v24.16b,#8\n\text\tv5.16b,v3.16b,v0.16b,#8\n\text\tv6.16b,v4.16b,v3.16b,#8\n\tadd\tv0.2d,v0.2d,v24.2d\t\t\t// \"T1 + H + K512[i]\"\n.long\t0xcec082f6\t//sha512su0 v22.16b,v23.16b\n\text\tv7.16b,v18.16b,v19.16b,#8\n.long\t0xce6680a0\t//sha512h v0.16b,v5.16b,v6.16b\n.long\t0xce678ab6\t//sha512su1 v22.16b,v21.16b,v7.16b\n\tadd\tv2.2d,v4.2d,v0.2d\t\t// \"D + T1\"\n.long\t0xce618480\t//sha512h2 v0.16b,v4.16b,v1.16b\n\tadd\tv25.2d,v25.2d,v23.2d\n\tld1\t{v24.2d},[x3],#16\n\text\tv25.16b,v25.16b,v25.16b,#8\n\text\tv5.16b,v2.16b,v3.16b,#8\n\text\tv6.16b,v1.16b,v2.16b,#8\n\tadd\tv3.2d,v3.2d,v25.2d\t\t\t// \"T1 + H + K512[i]\"\n.long\t0xcec08217\t//sha512su0 v23.16b,v16.16b\n\text\tv7.16b,v19.16b,v20.16b,#8\n.long\t0xce6680a3\t//sha512h v3.16b,v5.16b,v6.16b\n.long\t0xce678ad7\t//sha512su1 v23.16b,v22.16b,v7.16b\n\tadd\tv4.2d,v1.2d,v3.2d\t\t// \"D + T1\"\n.long\t0xce608423\t//sha512h2 v3.16b,v1.16b,v0.16b\n\tadd\tv24.2d,v24.2d,v16.2d\n\tld1\t{v25.2d},[x3],#16\n\text\tv24.16b,v24.16b,v24.16b,#8\n\text\tv5.16b,v4.16b,v2.16b,#8\n\text\tv6.16b,v0.16b,v4.16b,#8\n\tadd\tv2.2d,v2.2d,v24.2d\t\t\t// \"T1 + H + K512[i]\"\n.long\t0xcec08230\t//sha512su0 v16.16b,v17.16b\n\text\tv7.16b,v20.16b,v21.16b,#8\n.long\t0xce6680a2\t//sha512h v2.16b,v5.16b,v6.16b\n.long\t0xce678af0\t//sha512su1 v16.16b,v23.16b,v7.16b\n\tadd\tv1.2d,v0.2d,v2.2d\t\t// \"D + T1\"\n.long\t0xce638402\t//sha512h2 v2.16b,v0.16b,v3.16b\n\tadd\tv25.2d,v25.2d,v17.2d\n\tld1\t{v24.2d},[x3],#16\n\text\tv25.16b,v25.16b,v25.16b,#8\n\text\tv5.16b,v1.16b,v4.16b,#8\n\text\tv6.16b,v3.16b,v1.16b,#8\n\tadd\tv4.2d,v4.2d,v25.2d\t\t\t// \"T1 + H + K512[i]\"\n.long\t0xcec08251\t//sha512su0 v17.16b,v18.16b\n\text\tv7.16b,v21.16b,v22.16b,#8\n.long\t0xce6680a4\t//sha512h v4.16b,v5.16b,v6.16b\n.long\t0xce678a11\t//sha512su1 v17.16b,v16.16b,v7.16b\n\tadd\tv0.2d,v3.2d,v4.2d\t\t// \"D + T1\"\n.long\t0xce628464\t//sha512h2 v4.16b,v3.16b,v2.16b\n\tadd\tv24.2d,v24.2d,v18.2d\n\tld1\t{v25.2d},[x3],#16\n\text\tv24.16b,v24.16b,v24.16b,#8\n\text\tv5.16b,v0.16b,v1.16b,#8\n\text\tv6.16b,v2.16b,v0.16b,#8\n\tadd\tv1.2d,v1.2d,v24.2d\t\t\t// \"T1 + H + K512[i]\"\n.long\t0xcec08272\t//sha512su0 v18.16b,v19.16b\n\text\tv7.16b,v22.16b,v23.16b,#8\n.long\t0xce6680a1\t//sha512h v1.16b,v5.16b,v6.16b\n.long\t0xce678a32\t//sha512su1 v18.16b,v17.16b,v7.16b\n\tadd\tv3.2d,v2.2d,v1.2d\t\t// \"D + T1\"\n.long\t0xce648441\t//sha512h2 v1.16b,v2.16b,v4.16b\n\tadd\tv25.2d,v25.2d,v19.2d\n\tld1\t{v24.2d},[x3],#16\n\text\tv25.16b,v25.16b,v25.16b,#8\n\text\tv5.16b,v3.16b,v0.16b,#8\n\text\tv6.16b,v4.16b,v3.16b,#8\n\tadd\tv0.2d,v0.2d,v25.2d\t\t\t// \"T1 + H + K512[i]\"\n.long\t0xcec08293\t//sha512su0 v19.16b,v20.16b\n\text\tv7.16b,v23.16b,v16.16b,#8\n.long\t0xce6680a0\t//sha512h v0.16b,v5.16b,v6.16b\n.long\t0xce678a53\t//sha512su1 v19.16b,v18.16b,v7.16b\n\tadd\tv2.2d,v4.2d,v0.2d\t\t// \"D + T1\"\n.long\t0xce618480\t//sha512h2 v0.16b,v4.16b,v1.16b\n\tadd\tv24.2d,v24.2d,v20.2d\n\tld1\t{v25.2d},[x3],#16\n\text\tv24.16b,v24.16b,v24.16b,#8\n\text\tv5.16b,v2.16b,v3.16b,#8\n\text\tv6.16b,v1.16b,v2.16b,#8\n\tadd\tv3.2d,v3.2d,v24.2d\t\t\t// \"T1 + H + K512[i]\"\n.long\t0xcec082b4\t//sha512su0 v20.16b,v21.16b\n\text\tv7.16b,v16.16b,v17.16b,#8\n.long\t0xce6680a3\t//sha512h v3.16b,v5.16b,v6.16b\n.long\t0xce678a74\t//sha512su1 v20.16b,v19.16b,v7.16b\n\tadd\tv4.2d,v1.2d,v3.2d\t\t// \"D + T1\"\n.long\t0xce608423\t//sha512h2 v3.16b,v1.16b,v0.16b\n\tadd\tv25.2d,v25.2d,v21.2d\n\tld1\t{v24.2d},[x3],#16\n\text\tv25.16b,v25.16b,v25.16b,#8\n\text\tv5.16b,v4.16b,v2.16b,#8\n\text\tv6.16b,v0.16b,v4.16b,#8\n\tadd\tv2.2d,v2.2d,v25.2d\t\t\t// \"T1 + H + K512[i]\"\n.long\t0xcec082d5\t//sha512su0 v21.16b,v22.16b\n\text\tv7.16b,v17.16b,v18.16b,#8\n.long\t0xce6680a2\t//sha512h v2.16b,v5.16b,v6.16b\n.long\t0xce678a95\t//sha512su1 v21.16b,v20.16b,v7.16b\n\tadd\tv1.2d,v0.2d,v2.2d\t\t// \"D + T1\"\n.long\t0xce638402\t//sha512h2 v2.16b,v0.16b,v3.16b\n\tadd\tv24.2d,v24.2d,v22.2d\n\tld1\t{v25.2d},[x3],#16\n\text\tv24.16b,v24.16b,v24.16b,#8\n\text\tv5.16b,v1.16b,v4.16b,#8\n\text\tv6.16b,v3.16b,v1.16b,#8\n\tadd\tv4.2d,v4.2d,v24.2d\t\t\t// \"T1 + H + K512[i]\"\n.long\t0xcec082f6\t//sha512su0 v22.16b,v23.16b\n\text\tv7.16b,v18.16b,v19.16b,#8\n.long\t0xce6680a4\t//sha512h v4.16b,v5.16b,v6.16b\n.long\t0xce678ab6\t//sha512su1 v22.16b,v21.16b,v7.16b\n\tadd\tv0.2d,v3.2d,v4.2d\t\t// \"D + T1\"\n.long\t0xce628464\t//sha512h2 v4.16b,v3.16b,v2.16b\n\tadd\tv25.2d,v25.2d,v23.2d\n\tld1\t{v24.2d},[x3],#16\n\text\tv25.16b,v25.16b,v25.16b,#8\n\text\tv5.16b,v0.16b,v1.16b,#8\n\text\tv6.16b,v2.16b,v0.16b,#8\n\tadd\tv1.2d,v1.2d,v25.2d\t\t\t// \"T1 + H + K512[i]\"\n.long\t0xcec08217\t//sha512su0 v23.16b,v16.16b\n\text\tv7.16b,v19.16b,v20.16b,#8\n.long\t0xce6680a1\t//sha512h v1.16b,v5.16b,v6.16b\n.long\t0xce678ad7\t//sha512su1 v23.16b,v22.16b,v7.16b\n\tadd\tv3.2d,v2.2d,v1.2d\t\t// \"D + T1\"\n.long\t0xce648441\t//sha512h2 v1.16b,v2.16b,v4.16b\n\tadd\tv24.2d,v24.2d,v16.2d\n\tld1\t{v25.2d},[x3],#16\n\text\tv24.16b,v24.16b,v24.16b,#8\n\text\tv5.16b,v3.16b,v0.16b,#8\n\text\tv6.16b,v4.16b,v3.16b,#8\n\tadd\tv0.2d,v0.2d,v24.2d\t\t\t// \"T1 + H + K512[i]\"\n.long\t0xcec08230\t//sha512su0 v16.16b,v17.16b\n\text\tv7.16b,v20.16b,v21.16b,#8\n.long\t0xce6680a0\t//sha512h v0.16b,v5.16b,v6.16b\n.long\t0xce678af0\t//sha512su1 v16.16b,v23.16b,v7.16b\n\tadd\tv2.2d,v4.2d,v0.2d\t\t// \"D + T1\"\n.long\t0xce618480\t//sha512h2 v0.16b,v4.16b,v1.16b\n\tadd\tv25.2d,v25.2d,v17.2d\n\tld1\t{v24.2d},[x3],#16\n\text\tv25.16b,v25.16b,v25.16b,#8\n\text\tv5.16b,v2.16b,v3.16b,#8\n\text\tv6.16b,v1.16b,v2.16b,#8\n\tadd\tv3.2d,v3.2d,v25.2d\t\t\t// \"T1 + H + K512[i]\"\n.long\t0xcec08251\t//sha512su0 v17.16b,v18.16b\n\text\tv7.16b,v21.16b,v22.16b,#8\n.long\t0xce6680a3\t//sha512h v3.16b,v5.16b,v6.16b\n.long\t0xce678a11\t//sha512su1 v17.16b,v16.16b,v7.16b\n\tadd\tv4.2d,v1.2d,v3.2d\t\t// \"D + T1\"\n.long\t0xce608423\t//sha512h2 v3.16b,v1.16b,v0.16b\n\tadd\tv24.2d,v24.2d,v18.2d\n\tld1\t{v25.2d},[x3],#16\n\text\tv24.16b,v24.16b,v24.16b,#8\n\text\tv5.16b,v4.16b,v2.16b,#8\n\text\tv6.16b,v0.16b,v4.16b,#8\n\tadd\tv2.2d,v2.2d,v24.2d\t\t\t// \"T1 + H + K512[i]\"\n.long\t0xcec08272\t//sha512su0 v18.16b,v19.16b\n\text\tv7.16b,v22.16b,v23.16b,#8\n.long\t0xce6680a2\t//sha512h v2.16b,v5.16b,v6.16b\n.long\t0xce678a32\t//sha512su1 v18.16b,v17.16b,v7.16b\n\tadd\tv1.2d,v0.2d,v2.2d\t\t// \"D + T1\"\n.long\t0xce638402\t//sha512h2 v2.16b,v0.16b,v3.16b\n\tadd\tv25.2d,v25.2d,v19.2d\n\tld1\t{v24.2d},[x3],#16\n\text\tv25.16b,v25.16b,v25.16b,#8\n\text\tv5.16b,v1.16b,v4.16b,#8\n\text\tv6.16b,v3.16b,v1.16b,#8\n\tadd\tv4.2d,v4.2d,v25.2d\t\t\t// \"T1 + H + K512[i]\"\n.long\t0xcec08293\t//sha512su0 v19.16b,v20.16b\n\text\tv7.16b,v23.16b,v16.16b,#8\n.long\t0xce6680a4\t//sha512h v4.16b,v5.16b,v6.16b\n.long\t0xce678a53\t//sha512su1 v19.16b,v18.16b,v7.16b\n\tadd\tv0.2d,v3.2d,v4.2d\t\t// \"D + T1\"\n.long\t0xce628464\t//sha512h2 v4.16b,v3.16b,v2.16b\n\tadd\tv24.2d,v24.2d,v20.2d\n\tld1\t{v25.2d},[x3],#16\n\text\tv24.16b,v24.16b,v24.16b,#8\n\text\tv5.16b,v0.16b,v1.16b,#8\n\text\tv6.16b,v2.16b,v0.16b,#8\n\tadd\tv1.2d,v1.2d,v24.2d\t\t\t// \"T1 + H + K512[i]\"\n.long\t0xcec082b4\t//sha512su0 v20.16b,v21.16b\n\text\tv7.16b,v16.16b,v17.16b,#8\n.long\t0xce6680a1\t//sha512h v1.16b,v5.16b,v6.16b\n.long\t0xce678a74\t//sha512su1 v20.16b,v19.16b,v7.16b\n\tadd\tv3.2d,v2.2d,v1.2d\t\t// \"D + T1\"\n.long\t0xce648441\t//sha512h2 v1.16b,v2.16b,v4.16b\n\tadd\tv25.2d,v25.2d,v21.2d\n\tld1\t{v24.2d},[x3],#16\n\text\tv25.16b,v25.16b,v25.16b,#8\n\text\tv5.16b,v3.16b,v0.16b,#8\n\text\tv6.16b,v4.16b,v3.16b,#8\n\tadd\tv0.2d,v0.2d,v25.2d\t\t\t// \"T1 + H + K512[i]\"\n.long\t0xcec082d5\t//sha512su0 v21.16b,v22.16b\n\text\tv7.16b,v17.16b,v18.16b,#8\n.long\t0xce6680a0\t//sha512h v0.16b,v5.16b,v6.16b\n.long\t0xce678a95\t//sha512su1 v21.16b,v20.16b,v7.16b\n\tadd\tv2.2d,v4.2d,v0.2d\t\t// \"D + T1\"\n.long\t0xce618480\t//sha512h2 v0.16b,v4.16b,v1.16b\n\tadd\tv24.2d,v24.2d,v22.2d\n\tld1\t{v25.2d},[x3],#16\n\text\tv24.16b,v24.16b,v24.16b,#8\n\text\tv5.16b,v2.16b,v3.16b,#8\n\text\tv6.16b,v1.16b,v2.16b,#8\n\tadd\tv3.2d,v3.2d,v24.2d\t\t\t// \"T1 + H + K512[i]\"\n.long\t0xcec082f6\t//sha512su0 v22.16b,v23.16b\n\text\tv7.16b,v18.16b,v19.16b,#8\n.long\t0xce6680a3\t//sha512h v3.16b,v5.16b,v6.16b\n.long\t0xce678ab6\t//sha512su1 v22.16b,v21.16b,v7.16b\n\tadd\tv4.2d,v1.2d,v3.2d\t\t// \"D + T1\"\n.long\t0xce608423\t//sha512h2 v3.16b,v1.16b,v0.16b\n\tadd\tv25.2d,v25.2d,v23.2d\n\tld1\t{v24.2d},[x3],#16\n\text\tv25.16b,v25.16b,v25.16b,#8\n\text\tv5.16b,v4.16b,v2.16b,#8\n\text\tv6.16b,v0.16b,v4.16b,#8\n\tadd\tv2.2d,v2.2d,v25.2d\t\t\t// \"T1 + H + K512[i]\"\n.long\t0xcec08217\t//sha512su0 v23.16b,v16.16b\n\text\tv7.16b,v19.16b,v20.16b,#8\n.long\t0xce6680a2\t//sha512h v2.16b,v5.16b,v6.16b\n.long\t0xce678ad7\t//sha512su1 v23.16b,v22.16b,v7.16b\n\tadd\tv1.2d,v0.2d,v2.2d\t\t// \"D + T1\"\n.long\t0xce638402\t//sha512h2 v2.16b,v0.16b,v3.16b\n\tld1\t{v25.2d},[x3],#16\n\tadd\tv24.2d,v24.2d,v16.2d\n\tld1\t{v16.16b},[x1],#16\t\t// load next input\n\text\tv24.16b,v24.16b,v24.16b,#8\n\text\tv5.16b,v1.16b,v4.16b,#8\n\text\tv6.16b,v3.16b,v1.16b,#8\n\tadd\tv4.2d,v4.2d,v24.2d\t\t\t// \"T1 + H + K512[i]\"\n.long\t0xce6680a4\t//sha512h v4.16b,v5.16b,v6.16b\n\trev64\tv16.16b,v16.16b\n\tadd\tv0.2d,v3.2d,v4.2d\t\t// \"D + T1\"\n.long\t0xce628464\t//sha512h2 v4.16b,v3.16b,v2.16b\n\tld1\t{v24.2d},[x3],#16\n\tadd\tv25.2d,v25.2d,v17.2d\n\tld1\t{v17.16b},[x1],#16\t\t// load next input\n\text\tv25.16b,v25.16b,v25.16b,#8\n\text\tv5.16b,v0.16b,v1.16b,#8\n\text\tv6.16b,v2.16b,v0.16b,#8\n\tadd\tv1.2d,v1.2d,v25.2d\t\t\t// \"T1 + H + K512[i]\"\n.long\t0xce6680a1\t//sha512h v1.16b,v5.16b,v6.16b\n\trev64\tv17.16b,v17.16b\n\tadd\tv3.2d,v2.2d,v1.2d\t\t// \"D + T1\"\n.long\t0xce648441\t//sha512h2 v1.16b,v2.16b,v4.16b\n\tld1\t{v25.2d},[x3],#16\n\tadd\tv24.2d,v24.2d,v18.2d\n\tld1\t{v18.16b},[x1],#16\t\t// load next input\n\text\tv24.16b,v24.16b,v24.16b,#8\n\text\tv5.16b,v3.16b,v0.16b,#8\n\text\tv6.16b,v4.16b,v3.16b,#8\n\tadd\tv0.2d,v0.2d,v24.2d\t\t\t// \"T1 + H + K512[i]\"\n.long\t0xce6680a0\t//sha512h v0.16b,v5.16b,v6.16b\n\trev64\tv18.16b,v18.16b\n\tadd\tv2.2d,v4.2d,v0.2d\t\t// \"D + T1\"\n.long\t0xce618480\t//sha512h2 v0.16b,v4.16b,v1.16b\n\tld1\t{v24.2d},[x3],#16\n\tadd\tv25.2d,v25.2d,v19.2d\n\tld1\t{v19.16b},[x1],#16\t\t// load next input\n\text\tv25.16b,v25.16b,v25.16b,#8\n\text\tv5.16b,v2.16b,v3.16b,#8\n\text\tv6.16b,v1.16b,v2.16b,#8\n\tadd\tv3.2d,v3.2d,v25.2d\t\t\t// \"T1 + H + K512[i]\"\n.long\t0xce6680a3\t//sha512h v3.16b,v5.16b,v6.16b\n\trev64\tv19.16b,v19.16b\n\tadd\tv4.2d,v1.2d,v3.2d\t\t// \"D + T1\"\n.long\t0xce608423\t//sha512h2 v3.16b,v1.16b,v0.16b\n\tld1\t{v25.2d},[x3],#16\n\tadd\tv24.2d,v24.2d,v20.2d\n\tld1\t{v20.16b},[x1],#16\t\t// load next input\n\text\tv24.16b,v24.16b,v24.16b,#8\n\text\tv5.16b,v4.16b,v2.16b,#8\n\text\tv6.16b,v0.16b,v4.16b,#8\n\tadd\tv2.2d,v2.2d,v24.2d\t\t\t// \"T1 + H + K512[i]\"\n.long\t0xce6680a2\t//sha512h v2.16b,v5.16b,v6.16b\n\trev64\tv20.16b,v20.16b\n\tadd\tv1.2d,v0.2d,v2.2d\t\t// \"D + T1\"\n.long\t0xce638402\t//sha512h2 v2.16b,v0.16b,v3.16b\n\tld1\t{v24.2d},[x3],#16\n\tadd\tv25.2d,v25.2d,v21.2d\n\tld1\t{v21.16b},[x1],#16\t\t// load next input\n\text\tv25.16b,v25.16b,v25.16b,#8\n\text\tv5.16b,v1.16b,v4.16b,#8\n\text\tv6.16b,v3.16b,v1.16b,#8\n\tadd\tv4.2d,v4.2d,v25.2d\t\t\t// \"T1 + H + K512[i]\"\n.long\t0xce6680a4\t//sha512h v4.16b,v5.16b,v6.16b\n\trev64\tv21.16b,v21.16b\n\tadd\tv0.2d,v3.2d,v4.2d\t\t// \"D + T1\"\n.long\t0xce628464\t//sha512h2 v4.16b,v3.16b,v2.16b\n\tld1\t{v25.2d},[x3],#16\n\tadd\tv24.2d,v24.2d,v22.2d\n\tld1\t{v22.16b},[x1],#16\t\t// load next input\n\text\tv24.16b,v24.16b,v24.16b,#8\n\text\tv5.16b,v0.16b,v1.16b,#8\n\text\tv6.16b,v2.16b,v0.16b,#8\n\tadd\tv1.2d,v1.2d,v24.2d\t\t\t// \"T1 + H + K512[i]\"\n.long\t0xce6680a1\t//sha512h v1.16b,v5.16b,v6.16b\n\trev64\tv22.16b,v22.16b\n\tadd\tv3.2d,v2.2d,v1.2d\t\t// \"D + T1\"\n.long\t0xce648441\t//sha512h2 v1.16b,v2.16b,v4.16b\n\tsub\tx3,x3,#80*8\t// rewind\n\tadd\tv25.2d,v25.2d,v23.2d\n\tld1\t{v23.16b},[x1],#16\t\t// load next input\n\text\tv25.16b,v25.16b,v25.16b,#8\n\text\tv5.16b,v3.16b,v0.16b,#8\n\text\tv6.16b,v4.16b,v3.16b,#8\n\tadd\tv0.2d,v0.2d,v25.2d\t\t\t// \"T1 + H + K512[i]\"\n.long\t0xce6680a0\t//sha512h v0.16b,v5.16b,v6.16b\n\trev64\tv23.16b,v23.16b\n\tadd\tv2.2d,v4.2d,v0.2d\t\t// \"D + T1\"\n.long\t0xce618480\t//sha512h2 v0.16b,v4.16b,v1.16b\n\tadd\tv0.2d,v0.2d,v26.2d\t\t\t// accumulate\n\tadd\tv1.2d,v1.2d,v27.2d\n\tadd\tv2.2d,v2.2d,v28.2d\n\tadd\tv3.2d,v3.2d,v29.2d\n\n\tcbnz\tx2,Loop_hw\n\n\tst1\t{v0.2d,v1.2d,v2.2d,v3.2d},[x0]\t\t// store context\n\n\tldr\tx29,[sp],#16\n\tret\n\n#endif\n#endif // !OPENSSL_NO_ASM && defined(OPENSSL_AARCH64) && defined(__APPLE__)\n#if defined(__linux__) && defined(__ELF__)\n.section .note.GNU-stack,\"\",%progbits\n#endif\n\n" }, { "path": "Sources/CNIOBoringSSL/gen/bcm/sha512-armv8-linux.S", "content": "#define BORINGSSL_PREFIX CNIOBoringSSL\n// This file is generated from a similarly-named Perl script in the BoringSSL\n// source tree. Do not edit by hand.\n\n#include \n\n#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_AARCH64) && defined(__ELF__)\n// Copyright 2014-2020 The OpenSSL Project Authors. All Rights Reserved.\n//\n// Licensed under the OpenSSL license (the \"License\"). You may not use\n// this file except in compliance with the License. You can obtain a copy\n// in the file LICENSE in the source distribution or at\n// https://www.openssl.org/source/license.html\n\n// ====================================================================\n// Written by Andy Polyakov for the OpenSSL\n// project. The module is, however, dual licensed under OpenSSL and\n// CRYPTOGAMS licenses depending on where you obtain it. For further\n// details see http://www.openssl.org/~appro/cryptogams/.\n//\n// Permission to use under GPLv2 terms is granted.\n// ====================================================================\n//\n// SHA256/512 for ARMv8.\n//\n// Performance in cycles per processed byte and improvement coefficient\n// over code generated with \"default\" compiler:\n//\n//\t\tSHA256-hw\tSHA256(*)\tSHA512\n// Apple A7\t1.97\t\t10.5 (+33%)\t6.73 (-1%(**))\n// Cortex-A53\t2.38\t\t15.5 (+115%)\t10.0 (+150%(***))\n// Cortex-A57\t2.31\t\t11.6 (+86%)\t7.51 (+260%(***))\n// Denver\t2.01\t\t10.5 (+26%)\t6.70 (+8%)\n// X-Gene\t\t\t20.0 (+100%)\t12.8 (+300%(***))\n// Mongoose\t2.36\t\t13.0 (+50%)\t8.36 (+33%)\n// Kryo\t\t1.92\t\t17.4 (+30%)\t11.2 (+8%)\n//\n// (*)\tSoftware SHA256 results are of lesser relevance, presented\n//\tmostly for informational purposes.\n// (**)\tThe result is a trade-off: it's possible to improve it by\n//\t10% (or by 1 cycle per round), but at the cost of 20% loss\n//\ton Cortex-A53 (or by 4 cycles per round).\n// (***)\tSuper-impressive coefficients over gcc-generated code are\n//\tindication of some compiler \"pathology\", most notably code\n//\tgenerated with -mgeneral-regs-only is significantly faster\n//\tand the gap is only 40-90%.\n\n#ifndef\t__KERNEL__\n# include \n#endif\n\n.text\n\n.globl\tsha512_block_data_order_nohw\n.hidden\tsha512_block_data_order_nohw\n.type\tsha512_block_data_order_nohw,%function\n.align\t6\nsha512_block_data_order_nohw:\n\tAARCH64_SIGN_LINK_REGISTER\n\tstp\tx29,x30,[sp,#-128]!\n\tadd\tx29,sp,#0\n\n\tstp\tx19,x20,[sp,#16]\n\tstp\tx21,x22,[sp,#32]\n\tstp\tx23,x24,[sp,#48]\n\tstp\tx25,x26,[sp,#64]\n\tstp\tx27,x28,[sp,#80]\n\tsub\tsp,sp,#4*8\n\n\tldp\tx20,x21,[x0]\t\t\t\t// load context\n\tldp\tx22,x23,[x0,#2*8]\n\tldp\tx24,x25,[x0,#4*8]\n\tadd\tx2,x1,x2,lsl#7\t// end of input\n\tldp\tx26,x27,[x0,#6*8]\n\tadrp\tx30,.LK512\n\tadd\tx30,x30,:lo12:.LK512\n\tstp\tx0,x2,[x29,#96]\n\n.Loop:\n\tldp\tx3,x4,[x1],#2*8\n\tldr\tx19,[x30],#8\t\t\t// *K++\n\teor\tx28,x21,x22\t\t\t\t// magic seed\n\tstr\tx1,[x29,#112]\n#ifndef\t__AARCH64EB__\n\trev\tx3,x3\t\t\t// 0\n#endif\n\tror\tx16,x24,#14\n\tadd\tx27,x27,x19\t\t\t// h+=K[i]\n\teor\tx6,x24,x24,ror#23\n\tand\tx17,x25,x24\n\tbic\tx19,x26,x24\n\tadd\tx27,x27,x3\t\t\t// h+=X[i]\n\torr\tx17,x17,x19\t\t\t// Ch(e,f,g)\n\teor\tx19,x20,x21\t\t\t// a^b, b^c in next round\n\teor\tx16,x16,x6,ror#18\t// Sigma1(e)\n\tror\tx6,x20,#28\n\tadd\tx27,x27,x17\t\t\t// h+=Ch(e,f,g)\n\teor\tx17,x20,x20,ror#5\n\tadd\tx27,x27,x16\t\t\t// h+=Sigma1(e)\n\tand\tx28,x28,x19\t\t\t// (b^c)&=(a^b)\n\tadd\tx23,x23,x27\t\t\t// d+=h\n\teor\tx28,x28,x21\t\t\t// Maj(a,b,c)\n\teor\tx17,x6,x17,ror#34\t// Sigma0(a)\n\tadd\tx27,x27,x28\t\t\t// h+=Maj(a,b,c)\n\tldr\tx28,[x30],#8\t\t// *K++, x19 in next round\n\t//add\tx27,x27,x17\t\t\t// h+=Sigma0(a)\n#ifndef\t__AARCH64EB__\n\trev\tx4,x4\t\t\t// 1\n#endif\n\tldp\tx5,x6,[x1],#2*8\n\tadd\tx27,x27,x17\t\t\t// h+=Sigma0(a)\n\tror\tx16,x23,#14\n\tadd\tx26,x26,x28\t\t\t// h+=K[i]\n\teor\tx7,x23,x23,ror#23\n\tand\tx17,x24,x23\n\tbic\tx28,x25,x23\n\tadd\tx26,x26,x4\t\t\t// h+=X[i]\n\torr\tx17,x17,x28\t\t\t// Ch(e,f,g)\n\teor\tx28,x27,x20\t\t\t// a^b, b^c in next round\n\teor\tx16,x16,x7,ror#18\t// Sigma1(e)\n\tror\tx7,x27,#28\n\tadd\tx26,x26,x17\t\t\t// h+=Ch(e,f,g)\n\teor\tx17,x27,x27,ror#5\n\tadd\tx26,x26,x16\t\t\t// h+=Sigma1(e)\n\tand\tx19,x19,x28\t\t\t// (b^c)&=(a^b)\n\tadd\tx22,x22,x26\t\t\t// d+=h\n\teor\tx19,x19,x20\t\t\t// Maj(a,b,c)\n\teor\tx17,x7,x17,ror#34\t// Sigma0(a)\n\tadd\tx26,x26,x19\t\t\t// h+=Maj(a,b,c)\n\tldr\tx19,[x30],#8\t\t// *K++, x28 in next round\n\t//add\tx26,x26,x17\t\t\t// h+=Sigma0(a)\n#ifndef\t__AARCH64EB__\n\trev\tx5,x5\t\t\t// 2\n#endif\n\tadd\tx26,x26,x17\t\t\t// h+=Sigma0(a)\n\tror\tx16,x22,#14\n\tadd\tx25,x25,x19\t\t\t// h+=K[i]\n\teor\tx8,x22,x22,ror#23\n\tand\tx17,x23,x22\n\tbic\tx19,x24,x22\n\tadd\tx25,x25,x5\t\t\t// h+=X[i]\n\torr\tx17,x17,x19\t\t\t// Ch(e,f,g)\n\teor\tx19,x26,x27\t\t\t// a^b, b^c in next round\n\teor\tx16,x16,x8,ror#18\t// Sigma1(e)\n\tror\tx8,x26,#28\n\tadd\tx25,x25,x17\t\t\t// h+=Ch(e,f,g)\n\teor\tx17,x26,x26,ror#5\n\tadd\tx25,x25,x16\t\t\t// h+=Sigma1(e)\n\tand\tx28,x28,x19\t\t\t// (b^c)&=(a^b)\n\tadd\tx21,x21,x25\t\t\t// d+=h\n\teor\tx28,x28,x27\t\t\t// Maj(a,b,c)\n\teor\tx17,x8,x17,ror#34\t// Sigma0(a)\n\tadd\tx25,x25,x28\t\t\t// h+=Maj(a,b,c)\n\tldr\tx28,[x30],#8\t\t// *K++, x19 in next round\n\t//add\tx25,x25,x17\t\t\t// h+=Sigma0(a)\n#ifndef\t__AARCH64EB__\n\trev\tx6,x6\t\t\t// 3\n#endif\n\tldp\tx7,x8,[x1],#2*8\n\tadd\tx25,x25,x17\t\t\t// h+=Sigma0(a)\n\tror\tx16,x21,#14\n\tadd\tx24,x24,x28\t\t\t// h+=K[i]\n\teor\tx9,x21,x21,ror#23\n\tand\tx17,x22,x21\n\tbic\tx28,x23,x21\n\tadd\tx24,x24,x6\t\t\t// h+=X[i]\n\torr\tx17,x17,x28\t\t\t// Ch(e,f,g)\n\teor\tx28,x25,x26\t\t\t// a^b, b^c in next round\n\teor\tx16,x16,x9,ror#18\t// Sigma1(e)\n\tror\tx9,x25,#28\n\tadd\tx24,x24,x17\t\t\t// h+=Ch(e,f,g)\n\teor\tx17,x25,x25,ror#5\n\tadd\tx24,x24,x16\t\t\t// h+=Sigma1(e)\n\tand\tx19,x19,x28\t\t\t// (b^c)&=(a^b)\n\tadd\tx20,x20,x24\t\t\t// d+=h\n\teor\tx19,x19,x26\t\t\t// Maj(a,b,c)\n\teor\tx17,x9,x17,ror#34\t// Sigma0(a)\n\tadd\tx24,x24,x19\t\t\t// h+=Maj(a,b,c)\n\tldr\tx19,[x30],#8\t\t// *K++, x28 in next round\n\t//add\tx24,x24,x17\t\t\t// h+=Sigma0(a)\n#ifndef\t__AARCH64EB__\n\trev\tx7,x7\t\t\t// 4\n#endif\n\tadd\tx24,x24,x17\t\t\t// h+=Sigma0(a)\n\tror\tx16,x20,#14\n\tadd\tx23,x23,x19\t\t\t// h+=K[i]\n\teor\tx10,x20,x20,ror#23\n\tand\tx17,x21,x20\n\tbic\tx19,x22,x20\n\tadd\tx23,x23,x7\t\t\t// h+=X[i]\n\torr\tx17,x17,x19\t\t\t// Ch(e,f,g)\n\teor\tx19,x24,x25\t\t\t// a^b, b^c in next round\n\teor\tx16,x16,x10,ror#18\t// Sigma1(e)\n\tror\tx10,x24,#28\n\tadd\tx23,x23,x17\t\t\t// h+=Ch(e,f,g)\n\teor\tx17,x24,x24,ror#5\n\tadd\tx23,x23,x16\t\t\t// h+=Sigma1(e)\n\tand\tx28,x28,x19\t\t\t// (b^c)&=(a^b)\n\tadd\tx27,x27,x23\t\t\t// d+=h\n\teor\tx28,x28,x25\t\t\t// Maj(a,b,c)\n\teor\tx17,x10,x17,ror#34\t// Sigma0(a)\n\tadd\tx23,x23,x28\t\t\t// h+=Maj(a,b,c)\n\tldr\tx28,[x30],#8\t\t// *K++, x19 in next round\n\t//add\tx23,x23,x17\t\t\t// h+=Sigma0(a)\n#ifndef\t__AARCH64EB__\n\trev\tx8,x8\t\t\t// 5\n#endif\n\tldp\tx9,x10,[x1],#2*8\n\tadd\tx23,x23,x17\t\t\t// h+=Sigma0(a)\n\tror\tx16,x27,#14\n\tadd\tx22,x22,x28\t\t\t// h+=K[i]\n\teor\tx11,x27,x27,ror#23\n\tand\tx17,x20,x27\n\tbic\tx28,x21,x27\n\tadd\tx22,x22,x8\t\t\t// h+=X[i]\n\torr\tx17,x17,x28\t\t\t// Ch(e,f,g)\n\teor\tx28,x23,x24\t\t\t// a^b, b^c in next round\n\teor\tx16,x16,x11,ror#18\t// Sigma1(e)\n\tror\tx11,x23,#28\n\tadd\tx22,x22,x17\t\t\t// h+=Ch(e,f,g)\n\teor\tx17,x23,x23,ror#5\n\tadd\tx22,x22,x16\t\t\t// h+=Sigma1(e)\n\tand\tx19,x19,x28\t\t\t// (b^c)&=(a^b)\n\tadd\tx26,x26,x22\t\t\t// d+=h\n\teor\tx19,x19,x24\t\t\t// Maj(a,b,c)\n\teor\tx17,x11,x17,ror#34\t// Sigma0(a)\n\tadd\tx22,x22,x19\t\t\t// h+=Maj(a,b,c)\n\tldr\tx19,[x30],#8\t\t// *K++, x28 in next round\n\t//add\tx22,x22,x17\t\t\t// h+=Sigma0(a)\n#ifndef\t__AARCH64EB__\n\trev\tx9,x9\t\t\t// 6\n#endif\n\tadd\tx22,x22,x17\t\t\t// h+=Sigma0(a)\n\tror\tx16,x26,#14\n\tadd\tx21,x21,x19\t\t\t// h+=K[i]\n\teor\tx12,x26,x26,ror#23\n\tand\tx17,x27,x26\n\tbic\tx19,x20,x26\n\tadd\tx21,x21,x9\t\t\t// h+=X[i]\n\torr\tx17,x17,x19\t\t\t// Ch(e,f,g)\n\teor\tx19,x22,x23\t\t\t// a^b, b^c in next round\n\teor\tx16,x16,x12,ror#18\t// Sigma1(e)\n\tror\tx12,x22,#28\n\tadd\tx21,x21,x17\t\t\t// h+=Ch(e,f,g)\n\teor\tx17,x22,x22,ror#5\n\tadd\tx21,x21,x16\t\t\t// h+=Sigma1(e)\n\tand\tx28,x28,x19\t\t\t// (b^c)&=(a^b)\n\tadd\tx25,x25,x21\t\t\t// d+=h\n\teor\tx28,x28,x23\t\t\t// Maj(a,b,c)\n\teor\tx17,x12,x17,ror#34\t// Sigma0(a)\n\tadd\tx21,x21,x28\t\t\t// h+=Maj(a,b,c)\n\tldr\tx28,[x30],#8\t\t// *K++, x19 in next round\n\t//add\tx21,x21,x17\t\t\t// h+=Sigma0(a)\n#ifndef\t__AARCH64EB__\n\trev\tx10,x10\t\t\t// 7\n#endif\n\tldp\tx11,x12,[x1],#2*8\n\tadd\tx21,x21,x17\t\t\t// h+=Sigma0(a)\n\tror\tx16,x25,#14\n\tadd\tx20,x20,x28\t\t\t// h+=K[i]\n\teor\tx13,x25,x25,ror#23\n\tand\tx17,x26,x25\n\tbic\tx28,x27,x25\n\tadd\tx20,x20,x10\t\t\t// h+=X[i]\n\torr\tx17,x17,x28\t\t\t// Ch(e,f,g)\n\teor\tx28,x21,x22\t\t\t// a^b, b^c in next round\n\teor\tx16,x16,x13,ror#18\t// Sigma1(e)\n\tror\tx13,x21,#28\n\tadd\tx20,x20,x17\t\t\t// h+=Ch(e,f,g)\n\teor\tx17,x21,x21,ror#5\n\tadd\tx20,x20,x16\t\t\t// h+=Sigma1(e)\n\tand\tx19,x19,x28\t\t\t// (b^c)&=(a^b)\n\tadd\tx24,x24,x20\t\t\t// d+=h\n\teor\tx19,x19,x22\t\t\t// Maj(a,b,c)\n\teor\tx17,x13,x17,ror#34\t// Sigma0(a)\n\tadd\tx20,x20,x19\t\t\t// h+=Maj(a,b,c)\n\tldr\tx19,[x30],#8\t\t// *K++, x28 in next round\n\t//add\tx20,x20,x17\t\t\t// h+=Sigma0(a)\n#ifndef\t__AARCH64EB__\n\trev\tx11,x11\t\t\t// 8\n#endif\n\tadd\tx20,x20,x17\t\t\t// h+=Sigma0(a)\n\tror\tx16,x24,#14\n\tadd\tx27,x27,x19\t\t\t// h+=K[i]\n\teor\tx14,x24,x24,ror#23\n\tand\tx17,x25,x24\n\tbic\tx19,x26,x24\n\tadd\tx27,x27,x11\t\t\t// h+=X[i]\n\torr\tx17,x17,x19\t\t\t// Ch(e,f,g)\n\teor\tx19,x20,x21\t\t\t// a^b, b^c in next round\n\teor\tx16,x16,x14,ror#18\t// Sigma1(e)\n\tror\tx14,x20,#28\n\tadd\tx27,x27,x17\t\t\t// h+=Ch(e,f,g)\n\teor\tx17,x20,x20,ror#5\n\tadd\tx27,x27,x16\t\t\t// h+=Sigma1(e)\n\tand\tx28,x28,x19\t\t\t// (b^c)&=(a^b)\n\tadd\tx23,x23,x27\t\t\t// d+=h\n\teor\tx28,x28,x21\t\t\t// Maj(a,b,c)\n\teor\tx17,x14,x17,ror#34\t// Sigma0(a)\n\tadd\tx27,x27,x28\t\t\t// h+=Maj(a,b,c)\n\tldr\tx28,[x30],#8\t\t// *K++, x19 in next round\n\t//add\tx27,x27,x17\t\t\t// h+=Sigma0(a)\n#ifndef\t__AARCH64EB__\n\trev\tx12,x12\t\t\t// 9\n#endif\n\tldp\tx13,x14,[x1],#2*8\n\tadd\tx27,x27,x17\t\t\t// h+=Sigma0(a)\n\tror\tx16,x23,#14\n\tadd\tx26,x26,x28\t\t\t// h+=K[i]\n\teor\tx15,x23,x23,ror#23\n\tand\tx17,x24,x23\n\tbic\tx28,x25,x23\n\tadd\tx26,x26,x12\t\t\t// h+=X[i]\n\torr\tx17,x17,x28\t\t\t// Ch(e,f,g)\n\teor\tx28,x27,x20\t\t\t// a^b, b^c in next round\n\teor\tx16,x16,x15,ror#18\t// Sigma1(e)\n\tror\tx15,x27,#28\n\tadd\tx26,x26,x17\t\t\t// h+=Ch(e,f,g)\n\teor\tx17,x27,x27,ror#5\n\tadd\tx26,x26,x16\t\t\t// h+=Sigma1(e)\n\tand\tx19,x19,x28\t\t\t// (b^c)&=(a^b)\n\tadd\tx22,x22,x26\t\t\t// d+=h\n\teor\tx19,x19,x20\t\t\t// Maj(a,b,c)\n\teor\tx17,x15,x17,ror#34\t// Sigma0(a)\n\tadd\tx26,x26,x19\t\t\t// h+=Maj(a,b,c)\n\tldr\tx19,[x30],#8\t\t// *K++, x28 in next round\n\t//add\tx26,x26,x17\t\t\t// h+=Sigma0(a)\n#ifndef\t__AARCH64EB__\n\trev\tx13,x13\t\t\t// 10\n#endif\n\tadd\tx26,x26,x17\t\t\t// h+=Sigma0(a)\n\tror\tx16,x22,#14\n\tadd\tx25,x25,x19\t\t\t// h+=K[i]\n\teor\tx0,x22,x22,ror#23\n\tand\tx17,x23,x22\n\tbic\tx19,x24,x22\n\tadd\tx25,x25,x13\t\t\t// h+=X[i]\n\torr\tx17,x17,x19\t\t\t// Ch(e,f,g)\n\teor\tx19,x26,x27\t\t\t// a^b, b^c in next round\n\teor\tx16,x16,x0,ror#18\t// Sigma1(e)\n\tror\tx0,x26,#28\n\tadd\tx25,x25,x17\t\t\t// h+=Ch(e,f,g)\n\teor\tx17,x26,x26,ror#5\n\tadd\tx25,x25,x16\t\t\t// h+=Sigma1(e)\n\tand\tx28,x28,x19\t\t\t// (b^c)&=(a^b)\n\tadd\tx21,x21,x25\t\t\t// d+=h\n\teor\tx28,x28,x27\t\t\t// Maj(a,b,c)\n\teor\tx17,x0,x17,ror#34\t// Sigma0(a)\n\tadd\tx25,x25,x28\t\t\t// h+=Maj(a,b,c)\n\tldr\tx28,[x30],#8\t\t// *K++, x19 in next round\n\t//add\tx25,x25,x17\t\t\t// h+=Sigma0(a)\n#ifndef\t__AARCH64EB__\n\trev\tx14,x14\t\t\t// 11\n#endif\n\tldp\tx15,x0,[x1],#2*8\n\tadd\tx25,x25,x17\t\t\t// h+=Sigma0(a)\n\tstr\tx6,[sp,#24]\n\tror\tx16,x21,#14\n\tadd\tx24,x24,x28\t\t\t// h+=K[i]\n\teor\tx6,x21,x21,ror#23\n\tand\tx17,x22,x21\n\tbic\tx28,x23,x21\n\tadd\tx24,x24,x14\t\t\t// h+=X[i]\n\torr\tx17,x17,x28\t\t\t// Ch(e,f,g)\n\teor\tx28,x25,x26\t\t\t// a^b, b^c in next round\n\teor\tx16,x16,x6,ror#18\t// Sigma1(e)\n\tror\tx6,x25,#28\n\tadd\tx24,x24,x17\t\t\t// h+=Ch(e,f,g)\n\teor\tx17,x25,x25,ror#5\n\tadd\tx24,x24,x16\t\t\t// h+=Sigma1(e)\n\tand\tx19,x19,x28\t\t\t// (b^c)&=(a^b)\n\tadd\tx20,x20,x24\t\t\t// d+=h\n\teor\tx19,x19,x26\t\t\t// Maj(a,b,c)\n\teor\tx17,x6,x17,ror#34\t// Sigma0(a)\n\tadd\tx24,x24,x19\t\t\t// h+=Maj(a,b,c)\n\tldr\tx19,[x30],#8\t\t// *K++, x28 in next round\n\t//add\tx24,x24,x17\t\t\t// h+=Sigma0(a)\n#ifndef\t__AARCH64EB__\n\trev\tx15,x15\t\t\t// 12\n#endif\n\tadd\tx24,x24,x17\t\t\t// h+=Sigma0(a)\n\tstr\tx7,[sp,#0]\n\tror\tx16,x20,#14\n\tadd\tx23,x23,x19\t\t\t// h+=K[i]\n\teor\tx7,x20,x20,ror#23\n\tand\tx17,x21,x20\n\tbic\tx19,x22,x20\n\tadd\tx23,x23,x15\t\t\t// h+=X[i]\n\torr\tx17,x17,x19\t\t\t// Ch(e,f,g)\n\teor\tx19,x24,x25\t\t\t// a^b, b^c in next round\n\teor\tx16,x16,x7,ror#18\t// Sigma1(e)\n\tror\tx7,x24,#28\n\tadd\tx23,x23,x17\t\t\t// h+=Ch(e,f,g)\n\teor\tx17,x24,x24,ror#5\n\tadd\tx23,x23,x16\t\t\t// h+=Sigma1(e)\n\tand\tx28,x28,x19\t\t\t// (b^c)&=(a^b)\n\tadd\tx27,x27,x23\t\t\t// d+=h\n\teor\tx28,x28,x25\t\t\t// Maj(a,b,c)\n\teor\tx17,x7,x17,ror#34\t// Sigma0(a)\n\tadd\tx23,x23,x28\t\t\t// h+=Maj(a,b,c)\n\tldr\tx28,[x30],#8\t\t// *K++, x19 in next round\n\t//add\tx23,x23,x17\t\t\t// h+=Sigma0(a)\n#ifndef\t__AARCH64EB__\n\trev\tx0,x0\t\t\t// 13\n#endif\n\tldp\tx1,x2,[x1]\n\tadd\tx23,x23,x17\t\t\t// h+=Sigma0(a)\n\tstr\tx8,[sp,#8]\n\tror\tx16,x27,#14\n\tadd\tx22,x22,x28\t\t\t// h+=K[i]\n\teor\tx8,x27,x27,ror#23\n\tand\tx17,x20,x27\n\tbic\tx28,x21,x27\n\tadd\tx22,x22,x0\t\t\t// h+=X[i]\n\torr\tx17,x17,x28\t\t\t// Ch(e,f,g)\n\teor\tx28,x23,x24\t\t\t// a^b, b^c in next round\n\teor\tx16,x16,x8,ror#18\t// Sigma1(e)\n\tror\tx8,x23,#28\n\tadd\tx22,x22,x17\t\t\t// h+=Ch(e,f,g)\n\teor\tx17,x23,x23,ror#5\n\tadd\tx22,x22,x16\t\t\t// h+=Sigma1(e)\n\tand\tx19,x19,x28\t\t\t// (b^c)&=(a^b)\n\tadd\tx26,x26,x22\t\t\t// d+=h\n\teor\tx19,x19,x24\t\t\t// Maj(a,b,c)\n\teor\tx17,x8,x17,ror#34\t// Sigma0(a)\n\tadd\tx22,x22,x19\t\t\t// h+=Maj(a,b,c)\n\tldr\tx19,[x30],#8\t\t// *K++, x28 in next round\n\t//add\tx22,x22,x17\t\t\t// h+=Sigma0(a)\n#ifndef\t__AARCH64EB__\n\trev\tx1,x1\t\t\t// 14\n#endif\n\tldr\tx6,[sp,#24]\n\tadd\tx22,x22,x17\t\t\t// h+=Sigma0(a)\n\tstr\tx9,[sp,#16]\n\tror\tx16,x26,#14\n\tadd\tx21,x21,x19\t\t\t// h+=K[i]\n\teor\tx9,x26,x26,ror#23\n\tand\tx17,x27,x26\n\tbic\tx19,x20,x26\n\tadd\tx21,x21,x1\t\t\t// h+=X[i]\n\torr\tx17,x17,x19\t\t\t// Ch(e,f,g)\n\teor\tx19,x22,x23\t\t\t// a^b, b^c in next round\n\teor\tx16,x16,x9,ror#18\t// Sigma1(e)\n\tror\tx9,x22,#28\n\tadd\tx21,x21,x17\t\t\t// h+=Ch(e,f,g)\n\teor\tx17,x22,x22,ror#5\n\tadd\tx21,x21,x16\t\t\t// h+=Sigma1(e)\n\tand\tx28,x28,x19\t\t\t// (b^c)&=(a^b)\n\tadd\tx25,x25,x21\t\t\t// d+=h\n\teor\tx28,x28,x23\t\t\t// Maj(a,b,c)\n\teor\tx17,x9,x17,ror#34\t// Sigma0(a)\n\tadd\tx21,x21,x28\t\t\t// h+=Maj(a,b,c)\n\tldr\tx28,[x30],#8\t\t// *K++, x19 in next round\n\t//add\tx21,x21,x17\t\t\t// h+=Sigma0(a)\n#ifndef\t__AARCH64EB__\n\trev\tx2,x2\t\t\t// 15\n#endif\n\tldr\tx7,[sp,#0]\n\tadd\tx21,x21,x17\t\t\t// h+=Sigma0(a)\n\tstr\tx10,[sp,#24]\n\tror\tx16,x25,#14\n\tadd\tx20,x20,x28\t\t\t// h+=K[i]\n\tror\tx9,x4,#1\n\tand\tx17,x26,x25\n\tror\tx8,x1,#19\n\tbic\tx28,x27,x25\n\tror\tx10,x21,#28\n\tadd\tx20,x20,x2\t\t\t// h+=X[i]\n\teor\tx16,x16,x25,ror#18\n\teor\tx9,x9,x4,ror#8\n\torr\tx17,x17,x28\t\t\t// Ch(e,f,g)\n\teor\tx28,x21,x22\t\t\t// a^b, b^c in next round\n\teor\tx16,x16,x25,ror#41\t// Sigma1(e)\n\teor\tx10,x10,x21,ror#34\n\tadd\tx20,x20,x17\t\t\t// h+=Ch(e,f,g)\n\tand\tx19,x19,x28\t\t\t// (b^c)&=(a^b)\n\teor\tx8,x8,x1,ror#61\n\teor\tx9,x9,x4,lsr#7\t// sigma0(X[i+1])\n\tadd\tx20,x20,x16\t\t\t// h+=Sigma1(e)\n\teor\tx19,x19,x22\t\t\t// Maj(a,b,c)\n\teor\tx17,x10,x21,ror#39\t// Sigma0(a)\n\teor\tx8,x8,x1,lsr#6\t// sigma1(X[i+14])\n\tadd\tx3,x3,x12\n\tadd\tx24,x24,x20\t\t\t// d+=h\n\tadd\tx20,x20,x19\t\t\t// h+=Maj(a,b,c)\n\tldr\tx19,[x30],#8\t\t// *K++, x28 in next round\n\tadd\tx3,x3,x9\n\tadd\tx20,x20,x17\t\t\t// h+=Sigma0(a)\n\tadd\tx3,x3,x8\n.Loop_16_xx:\n\tldr\tx8,[sp,#8]\n\tstr\tx11,[sp,#0]\n\tror\tx16,x24,#14\n\tadd\tx27,x27,x19\t\t\t// h+=K[i]\n\tror\tx10,x5,#1\n\tand\tx17,x25,x24\n\tror\tx9,x2,#19\n\tbic\tx19,x26,x24\n\tror\tx11,x20,#28\n\tadd\tx27,x27,x3\t\t\t// h+=X[i]\n\teor\tx16,x16,x24,ror#18\n\teor\tx10,x10,x5,ror#8\n\torr\tx17,x17,x19\t\t\t// Ch(e,f,g)\n\teor\tx19,x20,x21\t\t\t// a^b, b^c in next round\n\teor\tx16,x16,x24,ror#41\t// Sigma1(e)\n\teor\tx11,x11,x20,ror#34\n\tadd\tx27,x27,x17\t\t\t// h+=Ch(e,f,g)\n\tand\tx28,x28,x19\t\t\t// (b^c)&=(a^b)\n\teor\tx9,x9,x2,ror#61\n\teor\tx10,x10,x5,lsr#7\t// sigma0(X[i+1])\n\tadd\tx27,x27,x16\t\t\t// h+=Sigma1(e)\n\teor\tx28,x28,x21\t\t\t// Maj(a,b,c)\n\teor\tx17,x11,x20,ror#39\t// Sigma0(a)\n\teor\tx9,x9,x2,lsr#6\t// sigma1(X[i+14])\n\tadd\tx4,x4,x13\n\tadd\tx23,x23,x27\t\t\t// d+=h\n\tadd\tx27,x27,x28\t\t\t// h+=Maj(a,b,c)\n\tldr\tx28,[x30],#8\t\t// *K++, x19 in next round\n\tadd\tx4,x4,x10\n\tadd\tx27,x27,x17\t\t\t// h+=Sigma0(a)\n\tadd\tx4,x4,x9\n\tldr\tx9,[sp,#16]\n\tstr\tx12,[sp,#8]\n\tror\tx16,x23,#14\n\tadd\tx26,x26,x28\t\t\t// h+=K[i]\n\tror\tx11,x6,#1\n\tand\tx17,x24,x23\n\tror\tx10,x3,#19\n\tbic\tx28,x25,x23\n\tror\tx12,x27,#28\n\tadd\tx26,x26,x4\t\t\t// h+=X[i]\n\teor\tx16,x16,x23,ror#18\n\teor\tx11,x11,x6,ror#8\n\torr\tx17,x17,x28\t\t\t// Ch(e,f,g)\n\teor\tx28,x27,x20\t\t\t// a^b, b^c in next round\n\teor\tx16,x16,x23,ror#41\t// Sigma1(e)\n\teor\tx12,x12,x27,ror#34\n\tadd\tx26,x26,x17\t\t\t// h+=Ch(e,f,g)\n\tand\tx19,x19,x28\t\t\t// (b^c)&=(a^b)\n\teor\tx10,x10,x3,ror#61\n\teor\tx11,x11,x6,lsr#7\t// sigma0(X[i+1])\n\tadd\tx26,x26,x16\t\t\t// h+=Sigma1(e)\n\teor\tx19,x19,x20\t\t\t// Maj(a,b,c)\n\teor\tx17,x12,x27,ror#39\t// Sigma0(a)\n\teor\tx10,x10,x3,lsr#6\t// sigma1(X[i+14])\n\tadd\tx5,x5,x14\n\tadd\tx22,x22,x26\t\t\t// d+=h\n\tadd\tx26,x26,x19\t\t\t// h+=Maj(a,b,c)\n\tldr\tx19,[x30],#8\t\t// *K++, x28 in next round\n\tadd\tx5,x5,x11\n\tadd\tx26,x26,x17\t\t\t// h+=Sigma0(a)\n\tadd\tx5,x5,x10\n\tldr\tx10,[sp,#24]\n\tstr\tx13,[sp,#16]\n\tror\tx16,x22,#14\n\tadd\tx25,x25,x19\t\t\t// h+=K[i]\n\tror\tx12,x7,#1\n\tand\tx17,x23,x22\n\tror\tx11,x4,#19\n\tbic\tx19,x24,x22\n\tror\tx13,x26,#28\n\tadd\tx25,x25,x5\t\t\t// h+=X[i]\n\teor\tx16,x16,x22,ror#18\n\teor\tx12,x12,x7,ror#8\n\torr\tx17,x17,x19\t\t\t// Ch(e,f,g)\n\teor\tx19,x26,x27\t\t\t// a^b, b^c in next round\n\teor\tx16,x16,x22,ror#41\t// Sigma1(e)\n\teor\tx13,x13,x26,ror#34\n\tadd\tx25,x25,x17\t\t\t// h+=Ch(e,f,g)\n\tand\tx28,x28,x19\t\t\t// (b^c)&=(a^b)\n\teor\tx11,x11,x4,ror#61\n\teor\tx12,x12,x7,lsr#7\t// sigma0(X[i+1])\n\tadd\tx25,x25,x16\t\t\t// h+=Sigma1(e)\n\teor\tx28,x28,x27\t\t\t// Maj(a,b,c)\n\teor\tx17,x13,x26,ror#39\t// Sigma0(a)\n\teor\tx11,x11,x4,lsr#6\t// sigma1(X[i+14])\n\tadd\tx6,x6,x15\n\tadd\tx21,x21,x25\t\t\t// d+=h\n\tadd\tx25,x25,x28\t\t\t// h+=Maj(a,b,c)\n\tldr\tx28,[x30],#8\t\t// *K++, x19 in next round\n\tadd\tx6,x6,x12\n\tadd\tx25,x25,x17\t\t\t// h+=Sigma0(a)\n\tadd\tx6,x6,x11\n\tldr\tx11,[sp,#0]\n\tstr\tx14,[sp,#24]\n\tror\tx16,x21,#14\n\tadd\tx24,x24,x28\t\t\t// h+=K[i]\n\tror\tx13,x8,#1\n\tand\tx17,x22,x21\n\tror\tx12,x5,#19\n\tbic\tx28,x23,x21\n\tror\tx14,x25,#28\n\tadd\tx24,x24,x6\t\t\t// h+=X[i]\n\teor\tx16,x16,x21,ror#18\n\teor\tx13,x13,x8,ror#8\n\torr\tx17,x17,x28\t\t\t// Ch(e,f,g)\n\teor\tx28,x25,x26\t\t\t// a^b, b^c in next round\n\teor\tx16,x16,x21,ror#41\t// Sigma1(e)\n\teor\tx14,x14,x25,ror#34\n\tadd\tx24,x24,x17\t\t\t// h+=Ch(e,f,g)\n\tand\tx19,x19,x28\t\t\t// (b^c)&=(a^b)\n\teor\tx12,x12,x5,ror#61\n\teor\tx13,x13,x8,lsr#7\t// sigma0(X[i+1])\n\tadd\tx24,x24,x16\t\t\t// h+=Sigma1(e)\n\teor\tx19,x19,x26\t\t\t// Maj(a,b,c)\n\teor\tx17,x14,x25,ror#39\t// Sigma0(a)\n\teor\tx12,x12,x5,lsr#6\t// sigma1(X[i+14])\n\tadd\tx7,x7,x0\n\tadd\tx20,x20,x24\t\t\t// d+=h\n\tadd\tx24,x24,x19\t\t\t// h+=Maj(a,b,c)\n\tldr\tx19,[x30],#8\t\t// *K++, x28 in next round\n\tadd\tx7,x7,x13\n\tadd\tx24,x24,x17\t\t\t// h+=Sigma0(a)\n\tadd\tx7,x7,x12\n\tldr\tx12,[sp,#8]\n\tstr\tx15,[sp,#0]\n\tror\tx16,x20,#14\n\tadd\tx23,x23,x19\t\t\t// h+=K[i]\n\tror\tx14,x9,#1\n\tand\tx17,x21,x20\n\tror\tx13,x6,#19\n\tbic\tx19,x22,x20\n\tror\tx15,x24,#28\n\tadd\tx23,x23,x7\t\t\t// h+=X[i]\n\teor\tx16,x16,x20,ror#18\n\teor\tx14,x14,x9,ror#8\n\torr\tx17,x17,x19\t\t\t// Ch(e,f,g)\n\teor\tx19,x24,x25\t\t\t// a^b, b^c in next round\n\teor\tx16,x16,x20,ror#41\t// Sigma1(e)\n\teor\tx15,x15,x24,ror#34\n\tadd\tx23,x23,x17\t\t\t// h+=Ch(e,f,g)\n\tand\tx28,x28,x19\t\t\t// (b^c)&=(a^b)\n\teor\tx13,x13,x6,ror#61\n\teor\tx14,x14,x9,lsr#7\t// sigma0(X[i+1])\n\tadd\tx23,x23,x16\t\t\t// h+=Sigma1(e)\n\teor\tx28,x28,x25\t\t\t// Maj(a,b,c)\n\teor\tx17,x15,x24,ror#39\t// Sigma0(a)\n\teor\tx13,x13,x6,lsr#6\t// sigma1(X[i+14])\n\tadd\tx8,x8,x1\n\tadd\tx27,x27,x23\t\t\t// d+=h\n\tadd\tx23,x23,x28\t\t\t// h+=Maj(a,b,c)\n\tldr\tx28,[x30],#8\t\t// *K++, x19 in next round\n\tadd\tx8,x8,x14\n\tadd\tx23,x23,x17\t\t\t// h+=Sigma0(a)\n\tadd\tx8,x8,x13\n\tldr\tx13,[sp,#16]\n\tstr\tx0,[sp,#8]\n\tror\tx16,x27,#14\n\tadd\tx22,x22,x28\t\t\t// h+=K[i]\n\tror\tx15,x10,#1\n\tand\tx17,x20,x27\n\tror\tx14,x7,#19\n\tbic\tx28,x21,x27\n\tror\tx0,x23,#28\n\tadd\tx22,x22,x8\t\t\t// h+=X[i]\n\teor\tx16,x16,x27,ror#18\n\teor\tx15,x15,x10,ror#8\n\torr\tx17,x17,x28\t\t\t// Ch(e,f,g)\n\teor\tx28,x23,x24\t\t\t// a^b, b^c in next round\n\teor\tx16,x16,x27,ror#41\t// Sigma1(e)\n\teor\tx0,x0,x23,ror#34\n\tadd\tx22,x22,x17\t\t\t// h+=Ch(e,f,g)\n\tand\tx19,x19,x28\t\t\t// (b^c)&=(a^b)\n\teor\tx14,x14,x7,ror#61\n\teor\tx15,x15,x10,lsr#7\t// sigma0(X[i+1])\n\tadd\tx22,x22,x16\t\t\t// h+=Sigma1(e)\n\teor\tx19,x19,x24\t\t\t// Maj(a,b,c)\n\teor\tx17,x0,x23,ror#39\t// Sigma0(a)\n\teor\tx14,x14,x7,lsr#6\t// sigma1(X[i+14])\n\tadd\tx9,x9,x2\n\tadd\tx26,x26,x22\t\t\t// d+=h\n\tadd\tx22,x22,x19\t\t\t// h+=Maj(a,b,c)\n\tldr\tx19,[x30],#8\t\t// *K++, x28 in next round\n\tadd\tx9,x9,x15\n\tadd\tx22,x22,x17\t\t\t// h+=Sigma0(a)\n\tadd\tx9,x9,x14\n\tldr\tx14,[sp,#24]\n\tstr\tx1,[sp,#16]\n\tror\tx16,x26,#14\n\tadd\tx21,x21,x19\t\t\t// h+=K[i]\n\tror\tx0,x11,#1\n\tand\tx17,x27,x26\n\tror\tx15,x8,#19\n\tbic\tx19,x20,x26\n\tror\tx1,x22,#28\n\tadd\tx21,x21,x9\t\t\t// h+=X[i]\n\teor\tx16,x16,x26,ror#18\n\teor\tx0,x0,x11,ror#8\n\torr\tx17,x17,x19\t\t\t// Ch(e,f,g)\n\teor\tx19,x22,x23\t\t\t// a^b, b^c in next round\n\teor\tx16,x16,x26,ror#41\t// Sigma1(e)\n\teor\tx1,x1,x22,ror#34\n\tadd\tx21,x21,x17\t\t\t// h+=Ch(e,f,g)\n\tand\tx28,x28,x19\t\t\t// (b^c)&=(a^b)\n\teor\tx15,x15,x8,ror#61\n\teor\tx0,x0,x11,lsr#7\t// sigma0(X[i+1])\n\tadd\tx21,x21,x16\t\t\t// h+=Sigma1(e)\n\teor\tx28,x28,x23\t\t\t// Maj(a,b,c)\n\teor\tx17,x1,x22,ror#39\t// Sigma0(a)\n\teor\tx15,x15,x8,lsr#6\t// sigma1(X[i+14])\n\tadd\tx10,x10,x3\n\tadd\tx25,x25,x21\t\t\t// d+=h\n\tadd\tx21,x21,x28\t\t\t// h+=Maj(a,b,c)\n\tldr\tx28,[x30],#8\t\t// *K++, x19 in next round\n\tadd\tx10,x10,x0\n\tadd\tx21,x21,x17\t\t\t// h+=Sigma0(a)\n\tadd\tx10,x10,x15\n\tldr\tx15,[sp,#0]\n\tstr\tx2,[sp,#24]\n\tror\tx16,x25,#14\n\tadd\tx20,x20,x28\t\t\t// h+=K[i]\n\tror\tx1,x12,#1\n\tand\tx17,x26,x25\n\tror\tx0,x9,#19\n\tbic\tx28,x27,x25\n\tror\tx2,x21,#28\n\tadd\tx20,x20,x10\t\t\t// h+=X[i]\n\teor\tx16,x16,x25,ror#18\n\teor\tx1,x1,x12,ror#8\n\torr\tx17,x17,x28\t\t\t// Ch(e,f,g)\n\teor\tx28,x21,x22\t\t\t// a^b, b^c in next round\n\teor\tx16,x16,x25,ror#41\t// Sigma1(e)\n\teor\tx2,x2,x21,ror#34\n\tadd\tx20,x20,x17\t\t\t// h+=Ch(e,f,g)\n\tand\tx19,x19,x28\t\t\t// (b^c)&=(a^b)\n\teor\tx0,x0,x9,ror#61\n\teor\tx1,x1,x12,lsr#7\t// sigma0(X[i+1])\n\tadd\tx20,x20,x16\t\t\t// h+=Sigma1(e)\n\teor\tx19,x19,x22\t\t\t// Maj(a,b,c)\n\teor\tx17,x2,x21,ror#39\t// Sigma0(a)\n\teor\tx0,x0,x9,lsr#6\t// sigma1(X[i+14])\n\tadd\tx11,x11,x4\n\tadd\tx24,x24,x20\t\t\t// d+=h\n\tadd\tx20,x20,x19\t\t\t// h+=Maj(a,b,c)\n\tldr\tx19,[x30],#8\t\t// *K++, x28 in next round\n\tadd\tx11,x11,x1\n\tadd\tx20,x20,x17\t\t\t// h+=Sigma0(a)\n\tadd\tx11,x11,x0\n\tldr\tx0,[sp,#8]\n\tstr\tx3,[sp,#0]\n\tror\tx16,x24,#14\n\tadd\tx27,x27,x19\t\t\t// h+=K[i]\n\tror\tx2,x13,#1\n\tand\tx17,x25,x24\n\tror\tx1,x10,#19\n\tbic\tx19,x26,x24\n\tror\tx3,x20,#28\n\tadd\tx27,x27,x11\t\t\t// h+=X[i]\n\teor\tx16,x16,x24,ror#18\n\teor\tx2,x2,x13,ror#8\n\torr\tx17,x17,x19\t\t\t// Ch(e,f,g)\n\teor\tx19,x20,x21\t\t\t// a^b, b^c in next round\n\teor\tx16,x16,x24,ror#41\t// Sigma1(e)\n\teor\tx3,x3,x20,ror#34\n\tadd\tx27,x27,x17\t\t\t// h+=Ch(e,f,g)\n\tand\tx28,x28,x19\t\t\t// (b^c)&=(a^b)\n\teor\tx1,x1,x10,ror#61\n\teor\tx2,x2,x13,lsr#7\t// sigma0(X[i+1])\n\tadd\tx27,x27,x16\t\t\t// h+=Sigma1(e)\n\teor\tx28,x28,x21\t\t\t// Maj(a,b,c)\n\teor\tx17,x3,x20,ror#39\t// Sigma0(a)\n\teor\tx1,x1,x10,lsr#6\t// sigma1(X[i+14])\n\tadd\tx12,x12,x5\n\tadd\tx23,x23,x27\t\t\t// d+=h\n\tadd\tx27,x27,x28\t\t\t// h+=Maj(a,b,c)\n\tldr\tx28,[x30],#8\t\t// *K++, x19 in next round\n\tadd\tx12,x12,x2\n\tadd\tx27,x27,x17\t\t\t// h+=Sigma0(a)\n\tadd\tx12,x12,x1\n\tldr\tx1,[sp,#16]\n\tstr\tx4,[sp,#8]\n\tror\tx16,x23,#14\n\tadd\tx26,x26,x28\t\t\t// h+=K[i]\n\tror\tx3,x14,#1\n\tand\tx17,x24,x23\n\tror\tx2,x11,#19\n\tbic\tx28,x25,x23\n\tror\tx4,x27,#28\n\tadd\tx26,x26,x12\t\t\t// h+=X[i]\n\teor\tx16,x16,x23,ror#18\n\teor\tx3,x3,x14,ror#8\n\torr\tx17,x17,x28\t\t\t// Ch(e,f,g)\n\teor\tx28,x27,x20\t\t\t// a^b, b^c in next round\n\teor\tx16,x16,x23,ror#41\t// Sigma1(e)\n\teor\tx4,x4,x27,ror#34\n\tadd\tx26,x26,x17\t\t\t// h+=Ch(e,f,g)\n\tand\tx19,x19,x28\t\t\t// (b^c)&=(a^b)\n\teor\tx2,x2,x11,ror#61\n\teor\tx3,x3,x14,lsr#7\t// sigma0(X[i+1])\n\tadd\tx26,x26,x16\t\t\t// h+=Sigma1(e)\n\teor\tx19,x19,x20\t\t\t// Maj(a,b,c)\n\teor\tx17,x4,x27,ror#39\t// Sigma0(a)\n\teor\tx2,x2,x11,lsr#6\t// sigma1(X[i+14])\n\tadd\tx13,x13,x6\n\tadd\tx22,x22,x26\t\t\t// d+=h\n\tadd\tx26,x26,x19\t\t\t// h+=Maj(a,b,c)\n\tldr\tx19,[x30],#8\t\t// *K++, x28 in next round\n\tadd\tx13,x13,x3\n\tadd\tx26,x26,x17\t\t\t// h+=Sigma0(a)\n\tadd\tx13,x13,x2\n\tldr\tx2,[sp,#24]\n\tstr\tx5,[sp,#16]\n\tror\tx16,x22,#14\n\tadd\tx25,x25,x19\t\t\t// h+=K[i]\n\tror\tx4,x15,#1\n\tand\tx17,x23,x22\n\tror\tx3,x12,#19\n\tbic\tx19,x24,x22\n\tror\tx5,x26,#28\n\tadd\tx25,x25,x13\t\t\t// h+=X[i]\n\teor\tx16,x16,x22,ror#18\n\teor\tx4,x4,x15,ror#8\n\torr\tx17,x17,x19\t\t\t// Ch(e,f,g)\n\teor\tx19,x26,x27\t\t\t// a^b, b^c in next round\n\teor\tx16,x16,x22,ror#41\t// Sigma1(e)\n\teor\tx5,x5,x26,ror#34\n\tadd\tx25,x25,x17\t\t\t// h+=Ch(e,f,g)\n\tand\tx28,x28,x19\t\t\t// (b^c)&=(a^b)\n\teor\tx3,x3,x12,ror#61\n\teor\tx4,x4,x15,lsr#7\t// sigma0(X[i+1])\n\tadd\tx25,x25,x16\t\t\t// h+=Sigma1(e)\n\teor\tx28,x28,x27\t\t\t// Maj(a,b,c)\n\teor\tx17,x5,x26,ror#39\t// Sigma0(a)\n\teor\tx3,x3,x12,lsr#6\t// sigma1(X[i+14])\n\tadd\tx14,x14,x7\n\tadd\tx21,x21,x25\t\t\t// d+=h\n\tadd\tx25,x25,x28\t\t\t// h+=Maj(a,b,c)\n\tldr\tx28,[x30],#8\t\t// *K++, x19 in next round\n\tadd\tx14,x14,x4\n\tadd\tx25,x25,x17\t\t\t// h+=Sigma0(a)\n\tadd\tx14,x14,x3\n\tldr\tx3,[sp,#0]\n\tstr\tx6,[sp,#24]\n\tror\tx16,x21,#14\n\tadd\tx24,x24,x28\t\t\t// h+=K[i]\n\tror\tx5,x0,#1\n\tand\tx17,x22,x21\n\tror\tx4,x13,#19\n\tbic\tx28,x23,x21\n\tror\tx6,x25,#28\n\tadd\tx24,x24,x14\t\t\t// h+=X[i]\n\teor\tx16,x16,x21,ror#18\n\teor\tx5,x5,x0,ror#8\n\torr\tx17,x17,x28\t\t\t// Ch(e,f,g)\n\teor\tx28,x25,x26\t\t\t// a^b, b^c in next round\n\teor\tx16,x16,x21,ror#41\t// Sigma1(e)\n\teor\tx6,x6,x25,ror#34\n\tadd\tx24,x24,x17\t\t\t// h+=Ch(e,f,g)\n\tand\tx19,x19,x28\t\t\t// (b^c)&=(a^b)\n\teor\tx4,x4,x13,ror#61\n\teor\tx5,x5,x0,lsr#7\t// sigma0(X[i+1])\n\tadd\tx24,x24,x16\t\t\t// h+=Sigma1(e)\n\teor\tx19,x19,x26\t\t\t// Maj(a,b,c)\n\teor\tx17,x6,x25,ror#39\t// Sigma0(a)\n\teor\tx4,x4,x13,lsr#6\t// sigma1(X[i+14])\n\tadd\tx15,x15,x8\n\tadd\tx20,x20,x24\t\t\t// d+=h\n\tadd\tx24,x24,x19\t\t\t// h+=Maj(a,b,c)\n\tldr\tx19,[x30],#8\t\t// *K++, x28 in next round\n\tadd\tx15,x15,x5\n\tadd\tx24,x24,x17\t\t\t// h+=Sigma0(a)\n\tadd\tx15,x15,x4\n\tldr\tx4,[sp,#8]\n\tstr\tx7,[sp,#0]\n\tror\tx16,x20,#14\n\tadd\tx23,x23,x19\t\t\t// h+=K[i]\n\tror\tx6,x1,#1\n\tand\tx17,x21,x20\n\tror\tx5,x14,#19\n\tbic\tx19,x22,x20\n\tror\tx7,x24,#28\n\tadd\tx23,x23,x15\t\t\t// h+=X[i]\n\teor\tx16,x16,x20,ror#18\n\teor\tx6,x6,x1,ror#8\n\torr\tx17,x17,x19\t\t\t// Ch(e,f,g)\n\teor\tx19,x24,x25\t\t\t// a^b, b^c in next round\n\teor\tx16,x16,x20,ror#41\t// Sigma1(e)\n\teor\tx7,x7,x24,ror#34\n\tadd\tx23,x23,x17\t\t\t// h+=Ch(e,f,g)\n\tand\tx28,x28,x19\t\t\t// (b^c)&=(a^b)\n\teor\tx5,x5,x14,ror#61\n\teor\tx6,x6,x1,lsr#7\t// sigma0(X[i+1])\n\tadd\tx23,x23,x16\t\t\t// h+=Sigma1(e)\n\teor\tx28,x28,x25\t\t\t// Maj(a,b,c)\n\teor\tx17,x7,x24,ror#39\t// Sigma0(a)\n\teor\tx5,x5,x14,lsr#6\t// sigma1(X[i+14])\n\tadd\tx0,x0,x9\n\tadd\tx27,x27,x23\t\t\t// d+=h\n\tadd\tx23,x23,x28\t\t\t// h+=Maj(a,b,c)\n\tldr\tx28,[x30],#8\t\t// *K++, x19 in next round\n\tadd\tx0,x0,x6\n\tadd\tx23,x23,x17\t\t\t// h+=Sigma0(a)\n\tadd\tx0,x0,x5\n\tldr\tx5,[sp,#16]\n\tstr\tx8,[sp,#8]\n\tror\tx16,x27,#14\n\tadd\tx22,x22,x28\t\t\t// h+=K[i]\n\tror\tx7,x2,#1\n\tand\tx17,x20,x27\n\tror\tx6,x15,#19\n\tbic\tx28,x21,x27\n\tror\tx8,x23,#28\n\tadd\tx22,x22,x0\t\t\t// h+=X[i]\n\teor\tx16,x16,x27,ror#18\n\teor\tx7,x7,x2,ror#8\n\torr\tx17,x17,x28\t\t\t// Ch(e,f,g)\n\teor\tx28,x23,x24\t\t\t// a^b, b^c in next round\n\teor\tx16,x16,x27,ror#41\t// Sigma1(e)\n\teor\tx8,x8,x23,ror#34\n\tadd\tx22,x22,x17\t\t\t// h+=Ch(e,f,g)\n\tand\tx19,x19,x28\t\t\t// (b^c)&=(a^b)\n\teor\tx6,x6,x15,ror#61\n\teor\tx7,x7,x2,lsr#7\t// sigma0(X[i+1])\n\tadd\tx22,x22,x16\t\t\t// h+=Sigma1(e)\n\teor\tx19,x19,x24\t\t\t// Maj(a,b,c)\n\teor\tx17,x8,x23,ror#39\t// Sigma0(a)\n\teor\tx6,x6,x15,lsr#6\t// sigma1(X[i+14])\n\tadd\tx1,x1,x10\n\tadd\tx26,x26,x22\t\t\t// d+=h\n\tadd\tx22,x22,x19\t\t\t// h+=Maj(a,b,c)\n\tldr\tx19,[x30],#8\t\t// *K++, x28 in next round\n\tadd\tx1,x1,x7\n\tadd\tx22,x22,x17\t\t\t// h+=Sigma0(a)\n\tadd\tx1,x1,x6\n\tldr\tx6,[sp,#24]\n\tstr\tx9,[sp,#16]\n\tror\tx16,x26,#14\n\tadd\tx21,x21,x19\t\t\t// h+=K[i]\n\tror\tx8,x3,#1\n\tand\tx17,x27,x26\n\tror\tx7,x0,#19\n\tbic\tx19,x20,x26\n\tror\tx9,x22,#28\n\tadd\tx21,x21,x1\t\t\t// h+=X[i]\n\teor\tx16,x16,x26,ror#18\n\teor\tx8,x8,x3,ror#8\n\torr\tx17,x17,x19\t\t\t// Ch(e,f,g)\n\teor\tx19,x22,x23\t\t\t// a^b, b^c in next round\n\teor\tx16,x16,x26,ror#41\t// Sigma1(e)\n\teor\tx9,x9,x22,ror#34\n\tadd\tx21,x21,x17\t\t\t// h+=Ch(e,f,g)\n\tand\tx28,x28,x19\t\t\t// (b^c)&=(a^b)\n\teor\tx7,x7,x0,ror#61\n\teor\tx8,x8,x3,lsr#7\t// sigma0(X[i+1])\n\tadd\tx21,x21,x16\t\t\t// h+=Sigma1(e)\n\teor\tx28,x28,x23\t\t\t// Maj(a,b,c)\n\teor\tx17,x9,x22,ror#39\t// Sigma0(a)\n\teor\tx7,x7,x0,lsr#6\t// sigma1(X[i+14])\n\tadd\tx2,x2,x11\n\tadd\tx25,x25,x21\t\t\t// d+=h\n\tadd\tx21,x21,x28\t\t\t// h+=Maj(a,b,c)\n\tldr\tx28,[x30],#8\t\t// *K++, x19 in next round\n\tadd\tx2,x2,x8\n\tadd\tx21,x21,x17\t\t\t// h+=Sigma0(a)\n\tadd\tx2,x2,x7\n\tldr\tx7,[sp,#0]\n\tstr\tx10,[sp,#24]\n\tror\tx16,x25,#14\n\tadd\tx20,x20,x28\t\t\t// h+=K[i]\n\tror\tx9,x4,#1\n\tand\tx17,x26,x25\n\tror\tx8,x1,#19\n\tbic\tx28,x27,x25\n\tror\tx10,x21,#28\n\tadd\tx20,x20,x2\t\t\t// h+=X[i]\n\teor\tx16,x16,x25,ror#18\n\teor\tx9,x9,x4,ror#8\n\torr\tx17,x17,x28\t\t\t// Ch(e,f,g)\n\teor\tx28,x21,x22\t\t\t// a^b, b^c in next round\n\teor\tx16,x16,x25,ror#41\t// Sigma1(e)\n\teor\tx10,x10,x21,ror#34\n\tadd\tx20,x20,x17\t\t\t// h+=Ch(e,f,g)\n\tand\tx19,x19,x28\t\t\t// (b^c)&=(a^b)\n\teor\tx8,x8,x1,ror#61\n\teor\tx9,x9,x4,lsr#7\t// sigma0(X[i+1])\n\tadd\tx20,x20,x16\t\t\t// h+=Sigma1(e)\n\teor\tx19,x19,x22\t\t\t// Maj(a,b,c)\n\teor\tx17,x10,x21,ror#39\t// Sigma0(a)\n\teor\tx8,x8,x1,lsr#6\t// sigma1(X[i+14])\n\tadd\tx3,x3,x12\n\tadd\tx24,x24,x20\t\t\t// d+=h\n\tadd\tx20,x20,x19\t\t\t// h+=Maj(a,b,c)\n\tldr\tx19,[x30],#8\t\t// *K++, x28 in next round\n\tadd\tx3,x3,x9\n\tadd\tx20,x20,x17\t\t\t// h+=Sigma0(a)\n\tadd\tx3,x3,x8\n\tcbnz\tx19,.Loop_16_xx\n\n\tldp\tx0,x2,[x29,#96]\n\tldr\tx1,[x29,#112]\n\tsub\tx30,x30,#648\t\t// rewind\n\n\tldp\tx3,x4,[x0]\n\tldp\tx5,x6,[x0,#2*8]\n\tadd\tx1,x1,#14*8\t\t\t// advance input pointer\n\tldp\tx7,x8,[x0,#4*8]\n\tadd\tx20,x20,x3\n\tldp\tx9,x10,[x0,#6*8]\n\tadd\tx21,x21,x4\n\tadd\tx22,x22,x5\n\tadd\tx23,x23,x6\n\tstp\tx20,x21,[x0]\n\tadd\tx24,x24,x7\n\tadd\tx25,x25,x8\n\tstp\tx22,x23,[x0,#2*8]\n\tadd\tx26,x26,x9\n\tadd\tx27,x27,x10\n\tcmp\tx1,x2\n\tstp\tx24,x25,[x0,#4*8]\n\tstp\tx26,x27,[x0,#6*8]\n\tb.ne\t.Loop\n\n\tldp\tx19,x20,[x29,#16]\n\tadd\tsp,sp,#4*8\n\tldp\tx21,x22,[x29,#32]\n\tldp\tx23,x24,[x29,#48]\n\tldp\tx25,x26,[x29,#64]\n\tldp\tx27,x28,[x29,#80]\n\tldp\tx29,x30,[sp],#128\n\tAARCH64_VALIDATE_LINK_REGISTER\n\tret\n.size\tsha512_block_data_order_nohw,.-sha512_block_data_order_nohw\n\n.section\t.rodata\n.align\t6\n.type\t.LK512,%object\n.LK512:\n.quad\t0x428a2f98d728ae22,0x7137449123ef65cd\n.quad\t0xb5c0fbcfec4d3b2f,0xe9b5dba58189dbbc\n.quad\t0x3956c25bf348b538,0x59f111f1b605d019\n.quad\t0x923f82a4af194f9b,0xab1c5ed5da6d8118\n.quad\t0xd807aa98a3030242,0x12835b0145706fbe\n.quad\t0x243185be4ee4b28c,0x550c7dc3d5ffb4e2\n.quad\t0x72be5d74f27b896f,0x80deb1fe3b1696b1\n.quad\t0x9bdc06a725c71235,0xc19bf174cf692694\n.quad\t0xe49b69c19ef14ad2,0xefbe4786384f25e3\n.quad\t0x0fc19dc68b8cd5b5,0x240ca1cc77ac9c65\n.quad\t0x2de92c6f592b0275,0x4a7484aa6ea6e483\n.quad\t0x5cb0a9dcbd41fbd4,0x76f988da831153b5\n.quad\t0x983e5152ee66dfab,0xa831c66d2db43210\n.quad\t0xb00327c898fb213f,0xbf597fc7beef0ee4\n.quad\t0xc6e00bf33da88fc2,0xd5a79147930aa725\n.quad\t0x06ca6351e003826f,0x142929670a0e6e70\n.quad\t0x27b70a8546d22ffc,0x2e1b21385c26c926\n.quad\t0x4d2c6dfc5ac42aed,0x53380d139d95b3df\n.quad\t0x650a73548baf63de,0x766a0abb3c77b2a8\n.quad\t0x81c2c92e47edaee6,0x92722c851482353b\n.quad\t0xa2bfe8a14cf10364,0xa81a664bbc423001\n.quad\t0xc24b8b70d0f89791,0xc76c51a30654be30\n.quad\t0xd192e819d6ef5218,0xd69906245565a910\n.quad\t0xf40e35855771202a,0x106aa07032bbd1b8\n.quad\t0x19a4c116b8d2d0c8,0x1e376c085141ab53\n.quad\t0x2748774cdf8eeb99,0x34b0bcb5e19b48a8\n.quad\t0x391c0cb3c5c95a63,0x4ed8aa4ae3418acb\n.quad\t0x5b9cca4f7763e373,0x682e6ff3d6b2b8a3\n.quad\t0x748f82ee5defb2fc,0x78a5636f43172f60\n.quad\t0x84c87814a1f0ab72,0x8cc702081a6439ec\n.quad\t0x90befffa23631e28,0xa4506cebde82bde9\n.quad\t0xbef9a3f7b2c67915,0xc67178f2e372532b\n.quad\t0xca273eceea26619c,0xd186b8c721c0c207\n.quad\t0xeada7dd6cde0eb1e,0xf57d4f7fee6ed178\n.quad\t0x06f067aa72176fba,0x0a637dc5a2c898a6\n.quad\t0x113f9804bef90dae,0x1b710b35131c471b\n.quad\t0x28db77f523047d84,0x32caab7b40c72493\n.quad\t0x3c9ebe0a15c9bebc,0x431d67c49c100d4c\n.quad\t0x4cc5d4becb3e42b6,0x597f299cfc657e2a\n.quad\t0x5fcb6fab3ad6faec,0x6c44198c4a475817\n.quad\t0\t// terminator\n.size\t.LK512,.-.LK512\n.byte\t83,72,65,53,49,50,32,98,108,111,99,107,32,116,114,97,110,115,102,111,114,109,32,102,111,114,32,65,82,77,118,56,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0\n.align\t2\n.align\t2\n.text\n#ifndef\t__KERNEL__\n.globl\tsha512_block_data_order_hw\n.hidden\tsha512_block_data_order_hw\n.type\tsha512_block_data_order_hw,%function\n.align\t6\nsha512_block_data_order_hw:\n\t// Armv8.3-A PAuth: even though x30 is pushed to stack it is not popped later.\n\tAARCH64_VALID_CALL_TARGET\n\tstp\tx29,x30,[sp,#-16]!\n\tadd\tx29,sp,#0\n\n\tld1\t{v16.16b,v17.16b,v18.16b,v19.16b},[x1],#64\t// load input\n\tld1\t{v20.16b,v21.16b,v22.16b,v23.16b},[x1],#64\n\n\tld1\t{v0.2d,v1.2d,v2.2d,v3.2d},[x0]\t\t// load context\n\tadrp\tx3,.LK512\n\tadd\tx3,x3,:lo12:.LK512\n\n\trev64\tv16.16b,v16.16b\n\trev64\tv17.16b,v17.16b\n\trev64\tv18.16b,v18.16b\n\trev64\tv19.16b,v19.16b\n\trev64\tv20.16b,v20.16b\n\trev64\tv21.16b,v21.16b\n\trev64\tv22.16b,v22.16b\n\trev64\tv23.16b,v23.16b\n\tb\t.Loop_hw\n\n.align\t4\n.Loop_hw:\n\tld1\t{v24.2d},[x3],#16\n\tsubs\tx2,x2,#1\n\tsub\tx4,x1,#128\n\torr\tv26.16b,v0.16b,v0.16b\t\t\t// offload\n\torr\tv27.16b,v1.16b,v1.16b\n\torr\tv28.16b,v2.16b,v2.16b\n\torr\tv29.16b,v3.16b,v3.16b\n\tcsel\tx1,x1,x4,ne\t\t\t// conditional rewind\n\tadd\tv24.2d,v24.2d,v16.2d\n\tld1\t{v25.2d},[x3],#16\n\text\tv24.16b,v24.16b,v24.16b,#8\n\text\tv5.16b,v2.16b,v3.16b,#8\n\text\tv6.16b,v1.16b,v2.16b,#8\n\tadd\tv3.2d,v3.2d,v24.2d\t\t\t// \"T1 + H + K512[i]\"\n.inst\t0xcec08230\t//sha512su0 v16.16b,v17.16b\n\text\tv7.16b,v20.16b,v21.16b,#8\n.inst\t0xce6680a3\t//sha512h v3.16b,v5.16b,v6.16b\n.inst\t0xce678af0\t//sha512su1 v16.16b,v23.16b,v7.16b\n\tadd\tv4.2d,v1.2d,v3.2d\t\t// \"D + T1\"\n.inst\t0xce608423\t//sha512h2 v3.16b,v1.16b,v0.16b\n\tadd\tv25.2d,v25.2d,v17.2d\n\tld1\t{v24.2d},[x3],#16\n\text\tv25.16b,v25.16b,v25.16b,#8\n\text\tv5.16b,v4.16b,v2.16b,#8\n\text\tv6.16b,v0.16b,v4.16b,#8\n\tadd\tv2.2d,v2.2d,v25.2d\t\t\t// \"T1 + H + K512[i]\"\n.inst\t0xcec08251\t//sha512su0 v17.16b,v18.16b\n\text\tv7.16b,v21.16b,v22.16b,#8\n.inst\t0xce6680a2\t//sha512h v2.16b,v5.16b,v6.16b\n.inst\t0xce678a11\t//sha512su1 v17.16b,v16.16b,v7.16b\n\tadd\tv1.2d,v0.2d,v2.2d\t\t// \"D + T1\"\n.inst\t0xce638402\t//sha512h2 v2.16b,v0.16b,v3.16b\n\tadd\tv24.2d,v24.2d,v18.2d\n\tld1\t{v25.2d},[x3],#16\n\text\tv24.16b,v24.16b,v24.16b,#8\n\text\tv5.16b,v1.16b,v4.16b,#8\n\text\tv6.16b,v3.16b,v1.16b,#8\n\tadd\tv4.2d,v4.2d,v24.2d\t\t\t// \"T1 + H + K512[i]\"\n.inst\t0xcec08272\t//sha512su0 v18.16b,v19.16b\n\text\tv7.16b,v22.16b,v23.16b,#8\n.inst\t0xce6680a4\t//sha512h v4.16b,v5.16b,v6.16b\n.inst\t0xce678a32\t//sha512su1 v18.16b,v17.16b,v7.16b\n\tadd\tv0.2d,v3.2d,v4.2d\t\t// \"D + T1\"\n.inst\t0xce628464\t//sha512h2 v4.16b,v3.16b,v2.16b\n\tadd\tv25.2d,v25.2d,v19.2d\n\tld1\t{v24.2d},[x3],#16\n\text\tv25.16b,v25.16b,v25.16b,#8\n\text\tv5.16b,v0.16b,v1.16b,#8\n\text\tv6.16b,v2.16b,v0.16b,#8\n\tadd\tv1.2d,v1.2d,v25.2d\t\t\t// \"T1 + H + K512[i]\"\n.inst\t0xcec08293\t//sha512su0 v19.16b,v20.16b\n\text\tv7.16b,v23.16b,v16.16b,#8\n.inst\t0xce6680a1\t//sha512h v1.16b,v5.16b,v6.16b\n.inst\t0xce678a53\t//sha512su1 v19.16b,v18.16b,v7.16b\n\tadd\tv3.2d,v2.2d,v1.2d\t\t// \"D + T1\"\n.inst\t0xce648441\t//sha512h2 v1.16b,v2.16b,v4.16b\n\tadd\tv24.2d,v24.2d,v20.2d\n\tld1\t{v25.2d},[x3],#16\n\text\tv24.16b,v24.16b,v24.16b,#8\n\text\tv5.16b,v3.16b,v0.16b,#8\n\text\tv6.16b,v4.16b,v3.16b,#8\n\tadd\tv0.2d,v0.2d,v24.2d\t\t\t// \"T1 + H + K512[i]\"\n.inst\t0xcec082b4\t//sha512su0 v20.16b,v21.16b\n\text\tv7.16b,v16.16b,v17.16b,#8\n.inst\t0xce6680a0\t//sha512h v0.16b,v5.16b,v6.16b\n.inst\t0xce678a74\t//sha512su1 v20.16b,v19.16b,v7.16b\n\tadd\tv2.2d,v4.2d,v0.2d\t\t// \"D + T1\"\n.inst\t0xce618480\t//sha512h2 v0.16b,v4.16b,v1.16b\n\tadd\tv25.2d,v25.2d,v21.2d\n\tld1\t{v24.2d},[x3],#16\n\text\tv25.16b,v25.16b,v25.16b,#8\n\text\tv5.16b,v2.16b,v3.16b,#8\n\text\tv6.16b,v1.16b,v2.16b,#8\n\tadd\tv3.2d,v3.2d,v25.2d\t\t\t// \"T1 + H + K512[i]\"\n.inst\t0xcec082d5\t//sha512su0 v21.16b,v22.16b\n\text\tv7.16b,v17.16b,v18.16b,#8\n.inst\t0xce6680a3\t//sha512h v3.16b,v5.16b,v6.16b\n.inst\t0xce678a95\t//sha512su1 v21.16b,v20.16b,v7.16b\n\tadd\tv4.2d,v1.2d,v3.2d\t\t// \"D + T1\"\n.inst\t0xce608423\t//sha512h2 v3.16b,v1.16b,v0.16b\n\tadd\tv24.2d,v24.2d,v22.2d\n\tld1\t{v25.2d},[x3],#16\n\text\tv24.16b,v24.16b,v24.16b,#8\n\text\tv5.16b,v4.16b,v2.16b,#8\n\text\tv6.16b,v0.16b,v4.16b,#8\n\tadd\tv2.2d,v2.2d,v24.2d\t\t\t// \"T1 + H + K512[i]\"\n.inst\t0xcec082f6\t//sha512su0 v22.16b,v23.16b\n\text\tv7.16b,v18.16b,v19.16b,#8\n.inst\t0xce6680a2\t//sha512h v2.16b,v5.16b,v6.16b\n.inst\t0xce678ab6\t//sha512su1 v22.16b,v21.16b,v7.16b\n\tadd\tv1.2d,v0.2d,v2.2d\t\t// \"D + T1\"\n.inst\t0xce638402\t//sha512h2 v2.16b,v0.16b,v3.16b\n\tadd\tv25.2d,v25.2d,v23.2d\n\tld1\t{v24.2d},[x3],#16\n\text\tv25.16b,v25.16b,v25.16b,#8\n\text\tv5.16b,v1.16b,v4.16b,#8\n\text\tv6.16b,v3.16b,v1.16b,#8\n\tadd\tv4.2d,v4.2d,v25.2d\t\t\t// \"T1 + H + K512[i]\"\n.inst\t0xcec08217\t//sha512su0 v23.16b,v16.16b\n\text\tv7.16b,v19.16b,v20.16b,#8\n.inst\t0xce6680a4\t//sha512h v4.16b,v5.16b,v6.16b\n.inst\t0xce678ad7\t//sha512su1 v23.16b,v22.16b,v7.16b\n\tadd\tv0.2d,v3.2d,v4.2d\t\t// \"D + T1\"\n.inst\t0xce628464\t//sha512h2 v4.16b,v3.16b,v2.16b\n\tadd\tv24.2d,v24.2d,v16.2d\n\tld1\t{v25.2d},[x3],#16\n\text\tv24.16b,v24.16b,v24.16b,#8\n\text\tv5.16b,v0.16b,v1.16b,#8\n\text\tv6.16b,v2.16b,v0.16b,#8\n\tadd\tv1.2d,v1.2d,v24.2d\t\t\t// \"T1 + H + K512[i]\"\n.inst\t0xcec08230\t//sha512su0 v16.16b,v17.16b\n\text\tv7.16b,v20.16b,v21.16b,#8\n.inst\t0xce6680a1\t//sha512h v1.16b,v5.16b,v6.16b\n.inst\t0xce678af0\t//sha512su1 v16.16b,v23.16b,v7.16b\n\tadd\tv3.2d,v2.2d,v1.2d\t\t// \"D + T1\"\n.inst\t0xce648441\t//sha512h2 v1.16b,v2.16b,v4.16b\n\tadd\tv25.2d,v25.2d,v17.2d\n\tld1\t{v24.2d},[x3],#16\n\text\tv25.16b,v25.16b,v25.16b,#8\n\text\tv5.16b,v3.16b,v0.16b,#8\n\text\tv6.16b,v4.16b,v3.16b,#8\n\tadd\tv0.2d,v0.2d,v25.2d\t\t\t// \"T1 + H + K512[i]\"\n.inst\t0xcec08251\t//sha512su0 v17.16b,v18.16b\n\text\tv7.16b,v21.16b,v22.16b,#8\n.inst\t0xce6680a0\t//sha512h v0.16b,v5.16b,v6.16b\n.inst\t0xce678a11\t//sha512su1 v17.16b,v16.16b,v7.16b\n\tadd\tv2.2d,v4.2d,v0.2d\t\t// \"D + T1\"\n.inst\t0xce618480\t//sha512h2 v0.16b,v4.16b,v1.16b\n\tadd\tv24.2d,v24.2d,v18.2d\n\tld1\t{v25.2d},[x3],#16\n\text\tv24.16b,v24.16b,v24.16b,#8\n\text\tv5.16b,v2.16b,v3.16b,#8\n\text\tv6.16b,v1.16b,v2.16b,#8\n\tadd\tv3.2d,v3.2d,v24.2d\t\t\t// \"T1 + H + K512[i]\"\n.inst\t0xcec08272\t//sha512su0 v18.16b,v19.16b\n\text\tv7.16b,v22.16b,v23.16b,#8\n.inst\t0xce6680a3\t//sha512h v3.16b,v5.16b,v6.16b\n.inst\t0xce678a32\t//sha512su1 v18.16b,v17.16b,v7.16b\n\tadd\tv4.2d,v1.2d,v3.2d\t\t// \"D + T1\"\n.inst\t0xce608423\t//sha512h2 v3.16b,v1.16b,v0.16b\n\tadd\tv25.2d,v25.2d,v19.2d\n\tld1\t{v24.2d},[x3],#16\n\text\tv25.16b,v25.16b,v25.16b,#8\n\text\tv5.16b,v4.16b,v2.16b,#8\n\text\tv6.16b,v0.16b,v4.16b,#8\n\tadd\tv2.2d,v2.2d,v25.2d\t\t\t// \"T1 + H + K512[i]\"\n.inst\t0xcec08293\t//sha512su0 v19.16b,v20.16b\n\text\tv7.16b,v23.16b,v16.16b,#8\n.inst\t0xce6680a2\t//sha512h v2.16b,v5.16b,v6.16b\n.inst\t0xce678a53\t//sha512su1 v19.16b,v18.16b,v7.16b\n\tadd\tv1.2d,v0.2d,v2.2d\t\t// \"D + T1\"\n.inst\t0xce638402\t//sha512h2 v2.16b,v0.16b,v3.16b\n\tadd\tv24.2d,v24.2d,v20.2d\n\tld1\t{v25.2d},[x3],#16\n\text\tv24.16b,v24.16b,v24.16b,#8\n\text\tv5.16b,v1.16b,v4.16b,#8\n\text\tv6.16b,v3.16b,v1.16b,#8\n\tadd\tv4.2d,v4.2d,v24.2d\t\t\t// \"T1 + H + K512[i]\"\n.inst\t0xcec082b4\t//sha512su0 v20.16b,v21.16b\n\text\tv7.16b,v16.16b,v17.16b,#8\n.inst\t0xce6680a4\t//sha512h v4.16b,v5.16b,v6.16b\n.inst\t0xce678a74\t//sha512su1 v20.16b,v19.16b,v7.16b\n\tadd\tv0.2d,v3.2d,v4.2d\t\t// \"D + T1\"\n.inst\t0xce628464\t//sha512h2 v4.16b,v3.16b,v2.16b\n\tadd\tv25.2d,v25.2d,v21.2d\n\tld1\t{v24.2d},[x3],#16\n\text\tv25.16b,v25.16b,v25.16b,#8\n\text\tv5.16b,v0.16b,v1.16b,#8\n\text\tv6.16b,v2.16b,v0.16b,#8\n\tadd\tv1.2d,v1.2d,v25.2d\t\t\t// \"T1 + H + K512[i]\"\n.inst\t0xcec082d5\t//sha512su0 v21.16b,v22.16b\n\text\tv7.16b,v17.16b,v18.16b,#8\n.inst\t0xce6680a1\t//sha512h v1.16b,v5.16b,v6.16b\n.inst\t0xce678a95\t//sha512su1 v21.16b,v20.16b,v7.16b\n\tadd\tv3.2d,v2.2d,v1.2d\t\t// \"D + T1\"\n.inst\t0xce648441\t//sha512h2 v1.16b,v2.16b,v4.16b\n\tadd\tv24.2d,v24.2d,v22.2d\n\tld1\t{v25.2d},[x3],#16\n\text\tv24.16b,v24.16b,v24.16b,#8\n\text\tv5.16b,v3.16b,v0.16b,#8\n\text\tv6.16b,v4.16b,v3.16b,#8\n\tadd\tv0.2d,v0.2d,v24.2d\t\t\t// \"T1 + H + K512[i]\"\n.inst\t0xcec082f6\t//sha512su0 v22.16b,v23.16b\n\text\tv7.16b,v18.16b,v19.16b,#8\n.inst\t0xce6680a0\t//sha512h v0.16b,v5.16b,v6.16b\n.inst\t0xce678ab6\t//sha512su1 v22.16b,v21.16b,v7.16b\n\tadd\tv2.2d,v4.2d,v0.2d\t\t// \"D + T1\"\n.inst\t0xce618480\t//sha512h2 v0.16b,v4.16b,v1.16b\n\tadd\tv25.2d,v25.2d,v23.2d\n\tld1\t{v24.2d},[x3],#16\n\text\tv25.16b,v25.16b,v25.16b,#8\n\text\tv5.16b,v2.16b,v3.16b,#8\n\text\tv6.16b,v1.16b,v2.16b,#8\n\tadd\tv3.2d,v3.2d,v25.2d\t\t\t// \"T1 + H + K512[i]\"\n.inst\t0xcec08217\t//sha512su0 v23.16b,v16.16b\n\text\tv7.16b,v19.16b,v20.16b,#8\n.inst\t0xce6680a3\t//sha512h v3.16b,v5.16b,v6.16b\n.inst\t0xce678ad7\t//sha512su1 v23.16b,v22.16b,v7.16b\n\tadd\tv4.2d,v1.2d,v3.2d\t\t// \"D + T1\"\n.inst\t0xce608423\t//sha512h2 v3.16b,v1.16b,v0.16b\n\tadd\tv24.2d,v24.2d,v16.2d\n\tld1\t{v25.2d},[x3],#16\n\text\tv24.16b,v24.16b,v24.16b,#8\n\text\tv5.16b,v4.16b,v2.16b,#8\n\text\tv6.16b,v0.16b,v4.16b,#8\n\tadd\tv2.2d,v2.2d,v24.2d\t\t\t// \"T1 + H + K512[i]\"\n.inst\t0xcec08230\t//sha512su0 v16.16b,v17.16b\n\text\tv7.16b,v20.16b,v21.16b,#8\n.inst\t0xce6680a2\t//sha512h v2.16b,v5.16b,v6.16b\n.inst\t0xce678af0\t//sha512su1 v16.16b,v23.16b,v7.16b\n\tadd\tv1.2d,v0.2d,v2.2d\t\t// \"D + T1\"\n.inst\t0xce638402\t//sha512h2 v2.16b,v0.16b,v3.16b\n\tadd\tv25.2d,v25.2d,v17.2d\n\tld1\t{v24.2d},[x3],#16\n\text\tv25.16b,v25.16b,v25.16b,#8\n\text\tv5.16b,v1.16b,v4.16b,#8\n\text\tv6.16b,v3.16b,v1.16b,#8\n\tadd\tv4.2d,v4.2d,v25.2d\t\t\t// \"T1 + H + K512[i]\"\n.inst\t0xcec08251\t//sha512su0 v17.16b,v18.16b\n\text\tv7.16b,v21.16b,v22.16b,#8\n.inst\t0xce6680a4\t//sha512h v4.16b,v5.16b,v6.16b\n.inst\t0xce678a11\t//sha512su1 v17.16b,v16.16b,v7.16b\n\tadd\tv0.2d,v3.2d,v4.2d\t\t// \"D + T1\"\n.inst\t0xce628464\t//sha512h2 v4.16b,v3.16b,v2.16b\n\tadd\tv24.2d,v24.2d,v18.2d\n\tld1\t{v25.2d},[x3],#16\n\text\tv24.16b,v24.16b,v24.16b,#8\n\text\tv5.16b,v0.16b,v1.16b,#8\n\text\tv6.16b,v2.16b,v0.16b,#8\n\tadd\tv1.2d,v1.2d,v24.2d\t\t\t// \"T1 + H + K512[i]\"\n.inst\t0xcec08272\t//sha512su0 v18.16b,v19.16b\n\text\tv7.16b,v22.16b,v23.16b,#8\n.inst\t0xce6680a1\t//sha512h v1.16b,v5.16b,v6.16b\n.inst\t0xce678a32\t//sha512su1 v18.16b,v17.16b,v7.16b\n\tadd\tv3.2d,v2.2d,v1.2d\t\t// \"D + T1\"\n.inst\t0xce648441\t//sha512h2 v1.16b,v2.16b,v4.16b\n\tadd\tv25.2d,v25.2d,v19.2d\n\tld1\t{v24.2d},[x3],#16\n\text\tv25.16b,v25.16b,v25.16b,#8\n\text\tv5.16b,v3.16b,v0.16b,#8\n\text\tv6.16b,v4.16b,v3.16b,#8\n\tadd\tv0.2d,v0.2d,v25.2d\t\t\t// \"T1 + H + K512[i]\"\n.inst\t0xcec08293\t//sha512su0 v19.16b,v20.16b\n\text\tv7.16b,v23.16b,v16.16b,#8\n.inst\t0xce6680a0\t//sha512h v0.16b,v5.16b,v6.16b\n.inst\t0xce678a53\t//sha512su1 v19.16b,v18.16b,v7.16b\n\tadd\tv2.2d,v4.2d,v0.2d\t\t// \"D + T1\"\n.inst\t0xce618480\t//sha512h2 v0.16b,v4.16b,v1.16b\n\tadd\tv24.2d,v24.2d,v20.2d\n\tld1\t{v25.2d},[x3],#16\n\text\tv24.16b,v24.16b,v24.16b,#8\n\text\tv5.16b,v2.16b,v3.16b,#8\n\text\tv6.16b,v1.16b,v2.16b,#8\n\tadd\tv3.2d,v3.2d,v24.2d\t\t\t// \"T1 + H + K512[i]\"\n.inst\t0xcec082b4\t//sha512su0 v20.16b,v21.16b\n\text\tv7.16b,v16.16b,v17.16b,#8\n.inst\t0xce6680a3\t//sha512h v3.16b,v5.16b,v6.16b\n.inst\t0xce678a74\t//sha512su1 v20.16b,v19.16b,v7.16b\n\tadd\tv4.2d,v1.2d,v3.2d\t\t// \"D + T1\"\n.inst\t0xce608423\t//sha512h2 v3.16b,v1.16b,v0.16b\n\tadd\tv25.2d,v25.2d,v21.2d\n\tld1\t{v24.2d},[x3],#16\n\text\tv25.16b,v25.16b,v25.16b,#8\n\text\tv5.16b,v4.16b,v2.16b,#8\n\text\tv6.16b,v0.16b,v4.16b,#8\n\tadd\tv2.2d,v2.2d,v25.2d\t\t\t// \"T1 + H + K512[i]\"\n.inst\t0xcec082d5\t//sha512su0 v21.16b,v22.16b\n\text\tv7.16b,v17.16b,v18.16b,#8\n.inst\t0xce6680a2\t//sha512h v2.16b,v5.16b,v6.16b\n.inst\t0xce678a95\t//sha512su1 v21.16b,v20.16b,v7.16b\n\tadd\tv1.2d,v0.2d,v2.2d\t\t// \"D + T1\"\n.inst\t0xce638402\t//sha512h2 v2.16b,v0.16b,v3.16b\n\tadd\tv24.2d,v24.2d,v22.2d\n\tld1\t{v25.2d},[x3],#16\n\text\tv24.16b,v24.16b,v24.16b,#8\n\text\tv5.16b,v1.16b,v4.16b,#8\n\text\tv6.16b,v3.16b,v1.16b,#8\n\tadd\tv4.2d,v4.2d,v24.2d\t\t\t// \"T1 + H + K512[i]\"\n.inst\t0xcec082f6\t//sha512su0 v22.16b,v23.16b\n\text\tv7.16b,v18.16b,v19.16b,#8\n.inst\t0xce6680a4\t//sha512h v4.16b,v5.16b,v6.16b\n.inst\t0xce678ab6\t//sha512su1 v22.16b,v21.16b,v7.16b\n\tadd\tv0.2d,v3.2d,v4.2d\t\t// \"D + T1\"\n.inst\t0xce628464\t//sha512h2 v4.16b,v3.16b,v2.16b\n\tadd\tv25.2d,v25.2d,v23.2d\n\tld1\t{v24.2d},[x3],#16\n\text\tv25.16b,v25.16b,v25.16b,#8\n\text\tv5.16b,v0.16b,v1.16b,#8\n\text\tv6.16b,v2.16b,v0.16b,#8\n\tadd\tv1.2d,v1.2d,v25.2d\t\t\t// \"T1 + H + K512[i]\"\n.inst\t0xcec08217\t//sha512su0 v23.16b,v16.16b\n\text\tv7.16b,v19.16b,v20.16b,#8\n.inst\t0xce6680a1\t//sha512h v1.16b,v5.16b,v6.16b\n.inst\t0xce678ad7\t//sha512su1 v23.16b,v22.16b,v7.16b\n\tadd\tv3.2d,v2.2d,v1.2d\t\t// \"D + T1\"\n.inst\t0xce648441\t//sha512h2 v1.16b,v2.16b,v4.16b\n\tadd\tv24.2d,v24.2d,v16.2d\n\tld1\t{v25.2d},[x3],#16\n\text\tv24.16b,v24.16b,v24.16b,#8\n\text\tv5.16b,v3.16b,v0.16b,#8\n\text\tv6.16b,v4.16b,v3.16b,#8\n\tadd\tv0.2d,v0.2d,v24.2d\t\t\t// \"T1 + H + K512[i]\"\n.inst\t0xcec08230\t//sha512su0 v16.16b,v17.16b\n\text\tv7.16b,v20.16b,v21.16b,#8\n.inst\t0xce6680a0\t//sha512h v0.16b,v5.16b,v6.16b\n.inst\t0xce678af0\t//sha512su1 v16.16b,v23.16b,v7.16b\n\tadd\tv2.2d,v4.2d,v0.2d\t\t// \"D + T1\"\n.inst\t0xce618480\t//sha512h2 v0.16b,v4.16b,v1.16b\n\tadd\tv25.2d,v25.2d,v17.2d\n\tld1\t{v24.2d},[x3],#16\n\text\tv25.16b,v25.16b,v25.16b,#8\n\text\tv5.16b,v2.16b,v3.16b,#8\n\text\tv6.16b,v1.16b,v2.16b,#8\n\tadd\tv3.2d,v3.2d,v25.2d\t\t\t// \"T1 + H + K512[i]\"\n.inst\t0xcec08251\t//sha512su0 v17.16b,v18.16b\n\text\tv7.16b,v21.16b,v22.16b,#8\n.inst\t0xce6680a3\t//sha512h v3.16b,v5.16b,v6.16b\n.inst\t0xce678a11\t//sha512su1 v17.16b,v16.16b,v7.16b\n\tadd\tv4.2d,v1.2d,v3.2d\t\t// \"D + T1\"\n.inst\t0xce608423\t//sha512h2 v3.16b,v1.16b,v0.16b\n\tadd\tv24.2d,v24.2d,v18.2d\n\tld1\t{v25.2d},[x3],#16\n\text\tv24.16b,v24.16b,v24.16b,#8\n\text\tv5.16b,v4.16b,v2.16b,#8\n\text\tv6.16b,v0.16b,v4.16b,#8\n\tadd\tv2.2d,v2.2d,v24.2d\t\t\t// \"T1 + H + K512[i]\"\n.inst\t0xcec08272\t//sha512su0 v18.16b,v19.16b\n\text\tv7.16b,v22.16b,v23.16b,#8\n.inst\t0xce6680a2\t//sha512h v2.16b,v5.16b,v6.16b\n.inst\t0xce678a32\t//sha512su1 v18.16b,v17.16b,v7.16b\n\tadd\tv1.2d,v0.2d,v2.2d\t\t// \"D + T1\"\n.inst\t0xce638402\t//sha512h2 v2.16b,v0.16b,v3.16b\n\tadd\tv25.2d,v25.2d,v19.2d\n\tld1\t{v24.2d},[x3],#16\n\text\tv25.16b,v25.16b,v25.16b,#8\n\text\tv5.16b,v1.16b,v4.16b,#8\n\text\tv6.16b,v3.16b,v1.16b,#8\n\tadd\tv4.2d,v4.2d,v25.2d\t\t\t// \"T1 + H + K512[i]\"\n.inst\t0xcec08293\t//sha512su0 v19.16b,v20.16b\n\text\tv7.16b,v23.16b,v16.16b,#8\n.inst\t0xce6680a4\t//sha512h v4.16b,v5.16b,v6.16b\n.inst\t0xce678a53\t//sha512su1 v19.16b,v18.16b,v7.16b\n\tadd\tv0.2d,v3.2d,v4.2d\t\t// \"D + T1\"\n.inst\t0xce628464\t//sha512h2 v4.16b,v3.16b,v2.16b\n\tadd\tv24.2d,v24.2d,v20.2d\n\tld1\t{v25.2d},[x3],#16\n\text\tv24.16b,v24.16b,v24.16b,#8\n\text\tv5.16b,v0.16b,v1.16b,#8\n\text\tv6.16b,v2.16b,v0.16b,#8\n\tadd\tv1.2d,v1.2d,v24.2d\t\t\t// \"T1 + H + K512[i]\"\n.inst\t0xcec082b4\t//sha512su0 v20.16b,v21.16b\n\text\tv7.16b,v16.16b,v17.16b,#8\n.inst\t0xce6680a1\t//sha512h v1.16b,v5.16b,v6.16b\n.inst\t0xce678a74\t//sha512su1 v20.16b,v19.16b,v7.16b\n\tadd\tv3.2d,v2.2d,v1.2d\t\t// \"D + T1\"\n.inst\t0xce648441\t//sha512h2 v1.16b,v2.16b,v4.16b\n\tadd\tv25.2d,v25.2d,v21.2d\n\tld1\t{v24.2d},[x3],#16\n\text\tv25.16b,v25.16b,v25.16b,#8\n\text\tv5.16b,v3.16b,v0.16b,#8\n\text\tv6.16b,v4.16b,v3.16b,#8\n\tadd\tv0.2d,v0.2d,v25.2d\t\t\t// \"T1 + H + K512[i]\"\n.inst\t0xcec082d5\t//sha512su0 v21.16b,v22.16b\n\text\tv7.16b,v17.16b,v18.16b,#8\n.inst\t0xce6680a0\t//sha512h v0.16b,v5.16b,v6.16b\n.inst\t0xce678a95\t//sha512su1 v21.16b,v20.16b,v7.16b\n\tadd\tv2.2d,v4.2d,v0.2d\t\t// \"D + T1\"\n.inst\t0xce618480\t//sha512h2 v0.16b,v4.16b,v1.16b\n\tadd\tv24.2d,v24.2d,v22.2d\n\tld1\t{v25.2d},[x3],#16\n\text\tv24.16b,v24.16b,v24.16b,#8\n\text\tv5.16b,v2.16b,v3.16b,#8\n\text\tv6.16b,v1.16b,v2.16b,#8\n\tadd\tv3.2d,v3.2d,v24.2d\t\t\t// \"T1 + H + K512[i]\"\n.inst\t0xcec082f6\t//sha512su0 v22.16b,v23.16b\n\text\tv7.16b,v18.16b,v19.16b,#8\n.inst\t0xce6680a3\t//sha512h v3.16b,v5.16b,v6.16b\n.inst\t0xce678ab6\t//sha512su1 v22.16b,v21.16b,v7.16b\n\tadd\tv4.2d,v1.2d,v3.2d\t\t// \"D + T1\"\n.inst\t0xce608423\t//sha512h2 v3.16b,v1.16b,v0.16b\n\tadd\tv25.2d,v25.2d,v23.2d\n\tld1\t{v24.2d},[x3],#16\n\text\tv25.16b,v25.16b,v25.16b,#8\n\text\tv5.16b,v4.16b,v2.16b,#8\n\text\tv6.16b,v0.16b,v4.16b,#8\n\tadd\tv2.2d,v2.2d,v25.2d\t\t\t// \"T1 + H + K512[i]\"\n.inst\t0xcec08217\t//sha512su0 v23.16b,v16.16b\n\text\tv7.16b,v19.16b,v20.16b,#8\n.inst\t0xce6680a2\t//sha512h v2.16b,v5.16b,v6.16b\n.inst\t0xce678ad7\t//sha512su1 v23.16b,v22.16b,v7.16b\n\tadd\tv1.2d,v0.2d,v2.2d\t\t// \"D + T1\"\n.inst\t0xce638402\t//sha512h2 v2.16b,v0.16b,v3.16b\n\tld1\t{v25.2d},[x3],#16\n\tadd\tv24.2d,v24.2d,v16.2d\n\tld1\t{v16.16b},[x1],#16\t\t// load next input\n\text\tv24.16b,v24.16b,v24.16b,#8\n\text\tv5.16b,v1.16b,v4.16b,#8\n\text\tv6.16b,v3.16b,v1.16b,#8\n\tadd\tv4.2d,v4.2d,v24.2d\t\t\t// \"T1 + H + K512[i]\"\n.inst\t0xce6680a4\t//sha512h v4.16b,v5.16b,v6.16b\n\trev64\tv16.16b,v16.16b\n\tadd\tv0.2d,v3.2d,v4.2d\t\t// \"D + T1\"\n.inst\t0xce628464\t//sha512h2 v4.16b,v3.16b,v2.16b\n\tld1\t{v24.2d},[x3],#16\n\tadd\tv25.2d,v25.2d,v17.2d\n\tld1\t{v17.16b},[x1],#16\t\t// load next input\n\text\tv25.16b,v25.16b,v25.16b,#8\n\text\tv5.16b,v0.16b,v1.16b,#8\n\text\tv6.16b,v2.16b,v0.16b,#8\n\tadd\tv1.2d,v1.2d,v25.2d\t\t\t// \"T1 + H + K512[i]\"\n.inst\t0xce6680a1\t//sha512h v1.16b,v5.16b,v6.16b\n\trev64\tv17.16b,v17.16b\n\tadd\tv3.2d,v2.2d,v1.2d\t\t// \"D + T1\"\n.inst\t0xce648441\t//sha512h2 v1.16b,v2.16b,v4.16b\n\tld1\t{v25.2d},[x3],#16\n\tadd\tv24.2d,v24.2d,v18.2d\n\tld1\t{v18.16b},[x1],#16\t\t// load next input\n\text\tv24.16b,v24.16b,v24.16b,#8\n\text\tv5.16b,v3.16b,v0.16b,#8\n\text\tv6.16b,v4.16b,v3.16b,#8\n\tadd\tv0.2d,v0.2d,v24.2d\t\t\t// \"T1 + H + K512[i]\"\n.inst\t0xce6680a0\t//sha512h v0.16b,v5.16b,v6.16b\n\trev64\tv18.16b,v18.16b\n\tadd\tv2.2d,v4.2d,v0.2d\t\t// \"D + T1\"\n.inst\t0xce618480\t//sha512h2 v0.16b,v4.16b,v1.16b\n\tld1\t{v24.2d},[x3],#16\n\tadd\tv25.2d,v25.2d,v19.2d\n\tld1\t{v19.16b},[x1],#16\t\t// load next input\n\text\tv25.16b,v25.16b,v25.16b,#8\n\text\tv5.16b,v2.16b,v3.16b,#8\n\text\tv6.16b,v1.16b,v2.16b,#8\n\tadd\tv3.2d,v3.2d,v25.2d\t\t\t// \"T1 + H + K512[i]\"\n.inst\t0xce6680a3\t//sha512h v3.16b,v5.16b,v6.16b\n\trev64\tv19.16b,v19.16b\n\tadd\tv4.2d,v1.2d,v3.2d\t\t// \"D + T1\"\n.inst\t0xce608423\t//sha512h2 v3.16b,v1.16b,v0.16b\n\tld1\t{v25.2d},[x3],#16\n\tadd\tv24.2d,v24.2d,v20.2d\n\tld1\t{v20.16b},[x1],#16\t\t// load next input\n\text\tv24.16b,v24.16b,v24.16b,#8\n\text\tv5.16b,v4.16b,v2.16b,#8\n\text\tv6.16b,v0.16b,v4.16b,#8\n\tadd\tv2.2d,v2.2d,v24.2d\t\t\t// \"T1 + H + K512[i]\"\n.inst\t0xce6680a2\t//sha512h v2.16b,v5.16b,v6.16b\n\trev64\tv20.16b,v20.16b\n\tadd\tv1.2d,v0.2d,v2.2d\t\t// \"D + T1\"\n.inst\t0xce638402\t//sha512h2 v2.16b,v0.16b,v3.16b\n\tld1\t{v24.2d},[x3],#16\n\tadd\tv25.2d,v25.2d,v21.2d\n\tld1\t{v21.16b},[x1],#16\t\t// load next input\n\text\tv25.16b,v25.16b,v25.16b,#8\n\text\tv5.16b,v1.16b,v4.16b,#8\n\text\tv6.16b,v3.16b,v1.16b,#8\n\tadd\tv4.2d,v4.2d,v25.2d\t\t\t// \"T1 + H + K512[i]\"\n.inst\t0xce6680a4\t//sha512h v4.16b,v5.16b,v6.16b\n\trev64\tv21.16b,v21.16b\n\tadd\tv0.2d,v3.2d,v4.2d\t\t// \"D + T1\"\n.inst\t0xce628464\t//sha512h2 v4.16b,v3.16b,v2.16b\n\tld1\t{v25.2d},[x3],#16\n\tadd\tv24.2d,v24.2d,v22.2d\n\tld1\t{v22.16b},[x1],#16\t\t// load next input\n\text\tv24.16b,v24.16b,v24.16b,#8\n\text\tv5.16b,v0.16b,v1.16b,#8\n\text\tv6.16b,v2.16b,v0.16b,#8\n\tadd\tv1.2d,v1.2d,v24.2d\t\t\t// \"T1 + H + K512[i]\"\n.inst\t0xce6680a1\t//sha512h v1.16b,v5.16b,v6.16b\n\trev64\tv22.16b,v22.16b\n\tadd\tv3.2d,v2.2d,v1.2d\t\t// \"D + T1\"\n.inst\t0xce648441\t//sha512h2 v1.16b,v2.16b,v4.16b\n\tsub\tx3,x3,#80*8\t// rewind\n\tadd\tv25.2d,v25.2d,v23.2d\n\tld1\t{v23.16b},[x1],#16\t\t// load next input\n\text\tv25.16b,v25.16b,v25.16b,#8\n\text\tv5.16b,v3.16b,v0.16b,#8\n\text\tv6.16b,v4.16b,v3.16b,#8\n\tadd\tv0.2d,v0.2d,v25.2d\t\t\t// \"T1 + H + K512[i]\"\n.inst\t0xce6680a0\t//sha512h v0.16b,v5.16b,v6.16b\n\trev64\tv23.16b,v23.16b\n\tadd\tv2.2d,v4.2d,v0.2d\t\t// \"D + T1\"\n.inst\t0xce618480\t//sha512h2 v0.16b,v4.16b,v1.16b\n\tadd\tv0.2d,v0.2d,v26.2d\t\t\t// accumulate\n\tadd\tv1.2d,v1.2d,v27.2d\n\tadd\tv2.2d,v2.2d,v28.2d\n\tadd\tv3.2d,v3.2d,v29.2d\n\n\tcbnz\tx2,.Loop_hw\n\n\tst1\t{v0.2d,v1.2d,v2.2d,v3.2d},[x0]\t\t// store context\n\n\tldr\tx29,[sp],#16\n\tret\n.size\tsha512_block_data_order_hw,.-sha512_block_data_order_hw\n#endif\n#endif // !OPENSSL_NO_ASM && defined(OPENSSL_AARCH64) && defined(__ELF__)\n#if defined(__linux__) && defined(__ELF__)\n.section .note.GNU-stack,\"\",%progbits\n#endif\n\n" }, { "path": "Sources/CNIOBoringSSL/gen/bcm/sha512-armv8-win.S", "content": "#define BORINGSSL_PREFIX CNIOBoringSSL\n// This file is generated from a similarly-named Perl script in the BoringSSL\n// source tree. Do not edit by hand.\n\n#include \n\n#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_AARCH64) && defined(_WIN32)\n// Copyright 2014-2020 The OpenSSL Project Authors. All Rights Reserved.\n//\n// Licensed under the OpenSSL license (the \"License\"). You may not use\n// this file except in compliance with the License. You can obtain a copy\n// in the file LICENSE in the source distribution or at\n// https://www.openssl.org/source/license.html\n\n// ====================================================================\n// Written by Andy Polyakov for the OpenSSL\n// project. The module is, however, dual licensed under OpenSSL and\n// CRYPTOGAMS licenses depending on where you obtain it. For further\n// details see http://www.openssl.org/~appro/cryptogams/.\n//\n// Permission to use under GPLv2 terms is granted.\n// ====================================================================\n//\n// SHA256/512 for ARMv8.\n//\n// Performance in cycles per processed byte and improvement coefficient\n// over code generated with \"default\" compiler:\n//\n//\t\tSHA256-hw\tSHA256(*)\tSHA512\n// Apple A7\t1.97\t\t10.5 (+33%)\t6.73 (-1%(**))\n// Cortex-A53\t2.38\t\t15.5 (+115%)\t10.0 (+150%(***))\n// Cortex-A57\t2.31\t\t11.6 (+86%)\t7.51 (+260%(***))\n// Denver\t2.01\t\t10.5 (+26%)\t6.70 (+8%)\n// X-Gene\t\t\t20.0 (+100%)\t12.8 (+300%(***))\n// Mongoose\t2.36\t\t13.0 (+50%)\t8.36 (+33%)\n// Kryo\t\t1.92\t\t17.4 (+30%)\t11.2 (+8%)\n//\n// (*)\tSoftware SHA256 results are of lesser relevance, presented\n//\tmostly for informational purposes.\n// (**)\tThe result is a trade-off: it's possible to improve it by\n//\t10% (or by 1 cycle per round), but at the cost of 20% loss\n//\ton Cortex-A53 (or by 4 cycles per round).\n// (***)\tSuper-impressive coefficients over gcc-generated code are\n//\tindication of some compiler \"pathology\", most notably code\n//\tgenerated with -mgeneral-regs-only is significantly faster\n//\tand the gap is only 40-90%.\n\n#ifndef\t__KERNEL__\n# include \n#endif\n\n.text\n\n.globl\tsha512_block_data_order_nohw\n\n.def sha512_block_data_order_nohw\n .type 32\n.endef\n.align\t6\nsha512_block_data_order_nohw:\n\tAARCH64_SIGN_LINK_REGISTER\n\tstp\tx29,x30,[sp,#-128]!\n\tadd\tx29,sp,#0\n\n\tstp\tx19,x20,[sp,#16]\n\tstp\tx21,x22,[sp,#32]\n\tstp\tx23,x24,[sp,#48]\n\tstp\tx25,x26,[sp,#64]\n\tstp\tx27,x28,[sp,#80]\n\tsub\tsp,sp,#4*8\n\n\tldp\tx20,x21,[x0]\t\t\t\t// load context\n\tldp\tx22,x23,[x0,#2*8]\n\tldp\tx24,x25,[x0,#4*8]\n\tadd\tx2,x1,x2,lsl#7\t// end of input\n\tldp\tx26,x27,[x0,#6*8]\n\tadrp\tx30,LK512\n\tadd\tx30,x30,:lo12:LK512\n\tstp\tx0,x2,[x29,#96]\n\nLoop:\n\tldp\tx3,x4,[x1],#2*8\n\tldr\tx19,[x30],#8\t\t\t// *K++\n\teor\tx28,x21,x22\t\t\t\t// magic seed\n\tstr\tx1,[x29,#112]\n#ifndef\t__AARCH64EB__\n\trev\tx3,x3\t\t\t// 0\n#endif\n\tror\tx16,x24,#14\n\tadd\tx27,x27,x19\t\t\t// h+=K[i]\n\teor\tx6,x24,x24,ror#23\n\tand\tx17,x25,x24\n\tbic\tx19,x26,x24\n\tadd\tx27,x27,x3\t\t\t// h+=X[i]\n\torr\tx17,x17,x19\t\t\t// Ch(e,f,g)\n\teor\tx19,x20,x21\t\t\t// a^b, b^c in next round\n\teor\tx16,x16,x6,ror#18\t// Sigma1(e)\n\tror\tx6,x20,#28\n\tadd\tx27,x27,x17\t\t\t// h+=Ch(e,f,g)\n\teor\tx17,x20,x20,ror#5\n\tadd\tx27,x27,x16\t\t\t// h+=Sigma1(e)\n\tand\tx28,x28,x19\t\t\t// (b^c)&=(a^b)\n\tadd\tx23,x23,x27\t\t\t// d+=h\n\teor\tx28,x28,x21\t\t\t// Maj(a,b,c)\n\teor\tx17,x6,x17,ror#34\t// Sigma0(a)\n\tadd\tx27,x27,x28\t\t\t// h+=Maj(a,b,c)\n\tldr\tx28,[x30],#8\t\t// *K++, x19 in next round\n\t//add\tx27,x27,x17\t\t\t// h+=Sigma0(a)\n#ifndef\t__AARCH64EB__\n\trev\tx4,x4\t\t\t// 1\n#endif\n\tldp\tx5,x6,[x1],#2*8\n\tadd\tx27,x27,x17\t\t\t// h+=Sigma0(a)\n\tror\tx16,x23,#14\n\tadd\tx26,x26,x28\t\t\t// h+=K[i]\n\teor\tx7,x23,x23,ror#23\n\tand\tx17,x24,x23\n\tbic\tx28,x25,x23\n\tadd\tx26,x26,x4\t\t\t// h+=X[i]\n\torr\tx17,x17,x28\t\t\t// Ch(e,f,g)\n\teor\tx28,x27,x20\t\t\t// a^b, b^c in next round\n\teor\tx16,x16,x7,ror#18\t// Sigma1(e)\n\tror\tx7,x27,#28\n\tadd\tx26,x26,x17\t\t\t// h+=Ch(e,f,g)\n\teor\tx17,x27,x27,ror#5\n\tadd\tx26,x26,x16\t\t\t// h+=Sigma1(e)\n\tand\tx19,x19,x28\t\t\t// (b^c)&=(a^b)\n\tadd\tx22,x22,x26\t\t\t// d+=h\n\teor\tx19,x19,x20\t\t\t// Maj(a,b,c)\n\teor\tx17,x7,x17,ror#34\t// Sigma0(a)\n\tadd\tx26,x26,x19\t\t\t// h+=Maj(a,b,c)\n\tldr\tx19,[x30],#8\t\t// *K++, x28 in next round\n\t//add\tx26,x26,x17\t\t\t// h+=Sigma0(a)\n#ifndef\t__AARCH64EB__\n\trev\tx5,x5\t\t\t// 2\n#endif\n\tadd\tx26,x26,x17\t\t\t// h+=Sigma0(a)\n\tror\tx16,x22,#14\n\tadd\tx25,x25,x19\t\t\t// h+=K[i]\n\teor\tx8,x22,x22,ror#23\n\tand\tx17,x23,x22\n\tbic\tx19,x24,x22\n\tadd\tx25,x25,x5\t\t\t// h+=X[i]\n\torr\tx17,x17,x19\t\t\t// Ch(e,f,g)\n\teor\tx19,x26,x27\t\t\t// a^b, b^c in next round\n\teor\tx16,x16,x8,ror#18\t// Sigma1(e)\n\tror\tx8,x26,#28\n\tadd\tx25,x25,x17\t\t\t// h+=Ch(e,f,g)\n\teor\tx17,x26,x26,ror#5\n\tadd\tx25,x25,x16\t\t\t// h+=Sigma1(e)\n\tand\tx28,x28,x19\t\t\t// (b^c)&=(a^b)\n\tadd\tx21,x21,x25\t\t\t// d+=h\n\teor\tx28,x28,x27\t\t\t// Maj(a,b,c)\n\teor\tx17,x8,x17,ror#34\t// Sigma0(a)\n\tadd\tx25,x25,x28\t\t\t// h+=Maj(a,b,c)\n\tldr\tx28,[x30],#8\t\t// *K++, x19 in next round\n\t//add\tx25,x25,x17\t\t\t// h+=Sigma0(a)\n#ifndef\t__AARCH64EB__\n\trev\tx6,x6\t\t\t// 3\n#endif\n\tldp\tx7,x8,[x1],#2*8\n\tadd\tx25,x25,x17\t\t\t// h+=Sigma0(a)\n\tror\tx16,x21,#14\n\tadd\tx24,x24,x28\t\t\t// h+=K[i]\n\teor\tx9,x21,x21,ror#23\n\tand\tx17,x22,x21\n\tbic\tx28,x23,x21\n\tadd\tx24,x24,x6\t\t\t// h+=X[i]\n\torr\tx17,x17,x28\t\t\t// Ch(e,f,g)\n\teor\tx28,x25,x26\t\t\t// a^b, b^c in next round\n\teor\tx16,x16,x9,ror#18\t// Sigma1(e)\n\tror\tx9,x25,#28\n\tadd\tx24,x24,x17\t\t\t// h+=Ch(e,f,g)\n\teor\tx17,x25,x25,ror#5\n\tadd\tx24,x24,x16\t\t\t// h+=Sigma1(e)\n\tand\tx19,x19,x28\t\t\t// (b^c)&=(a^b)\n\tadd\tx20,x20,x24\t\t\t// d+=h\n\teor\tx19,x19,x26\t\t\t// Maj(a,b,c)\n\teor\tx17,x9,x17,ror#34\t// Sigma0(a)\n\tadd\tx24,x24,x19\t\t\t// h+=Maj(a,b,c)\n\tldr\tx19,[x30],#8\t\t// *K++, x28 in next round\n\t//add\tx24,x24,x17\t\t\t// h+=Sigma0(a)\n#ifndef\t__AARCH64EB__\n\trev\tx7,x7\t\t\t// 4\n#endif\n\tadd\tx24,x24,x17\t\t\t// h+=Sigma0(a)\n\tror\tx16,x20,#14\n\tadd\tx23,x23,x19\t\t\t// h+=K[i]\n\teor\tx10,x20,x20,ror#23\n\tand\tx17,x21,x20\n\tbic\tx19,x22,x20\n\tadd\tx23,x23,x7\t\t\t// h+=X[i]\n\torr\tx17,x17,x19\t\t\t// Ch(e,f,g)\n\teor\tx19,x24,x25\t\t\t// a^b, b^c in next round\n\teor\tx16,x16,x10,ror#18\t// Sigma1(e)\n\tror\tx10,x24,#28\n\tadd\tx23,x23,x17\t\t\t// h+=Ch(e,f,g)\n\teor\tx17,x24,x24,ror#5\n\tadd\tx23,x23,x16\t\t\t// h+=Sigma1(e)\n\tand\tx28,x28,x19\t\t\t// (b^c)&=(a^b)\n\tadd\tx27,x27,x23\t\t\t// d+=h\n\teor\tx28,x28,x25\t\t\t// Maj(a,b,c)\n\teor\tx17,x10,x17,ror#34\t// Sigma0(a)\n\tadd\tx23,x23,x28\t\t\t// h+=Maj(a,b,c)\n\tldr\tx28,[x30],#8\t\t// *K++, x19 in next round\n\t//add\tx23,x23,x17\t\t\t// h+=Sigma0(a)\n#ifndef\t__AARCH64EB__\n\trev\tx8,x8\t\t\t// 5\n#endif\n\tldp\tx9,x10,[x1],#2*8\n\tadd\tx23,x23,x17\t\t\t// h+=Sigma0(a)\n\tror\tx16,x27,#14\n\tadd\tx22,x22,x28\t\t\t// h+=K[i]\n\teor\tx11,x27,x27,ror#23\n\tand\tx17,x20,x27\n\tbic\tx28,x21,x27\n\tadd\tx22,x22,x8\t\t\t// h+=X[i]\n\torr\tx17,x17,x28\t\t\t// Ch(e,f,g)\n\teor\tx28,x23,x24\t\t\t// a^b, b^c in next round\n\teor\tx16,x16,x11,ror#18\t// Sigma1(e)\n\tror\tx11,x23,#28\n\tadd\tx22,x22,x17\t\t\t// h+=Ch(e,f,g)\n\teor\tx17,x23,x23,ror#5\n\tadd\tx22,x22,x16\t\t\t// h+=Sigma1(e)\n\tand\tx19,x19,x28\t\t\t// (b^c)&=(a^b)\n\tadd\tx26,x26,x22\t\t\t// d+=h\n\teor\tx19,x19,x24\t\t\t// Maj(a,b,c)\n\teor\tx17,x11,x17,ror#34\t// Sigma0(a)\n\tadd\tx22,x22,x19\t\t\t// h+=Maj(a,b,c)\n\tldr\tx19,[x30],#8\t\t// *K++, x28 in next round\n\t//add\tx22,x22,x17\t\t\t// h+=Sigma0(a)\n#ifndef\t__AARCH64EB__\n\trev\tx9,x9\t\t\t// 6\n#endif\n\tadd\tx22,x22,x17\t\t\t// h+=Sigma0(a)\n\tror\tx16,x26,#14\n\tadd\tx21,x21,x19\t\t\t// h+=K[i]\n\teor\tx12,x26,x26,ror#23\n\tand\tx17,x27,x26\n\tbic\tx19,x20,x26\n\tadd\tx21,x21,x9\t\t\t// h+=X[i]\n\torr\tx17,x17,x19\t\t\t// Ch(e,f,g)\n\teor\tx19,x22,x23\t\t\t// a^b, b^c in next round\n\teor\tx16,x16,x12,ror#18\t// Sigma1(e)\n\tror\tx12,x22,#28\n\tadd\tx21,x21,x17\t\t\t// h+=Ch(e,f,g)\n\teor\tx17,x22,x22,ror#5\n\tadd\tx21,x21,x16\t\t\t// h+=Sigma1(e)\n\tand\tx28,x28,x19\t\t\t// (b^c)&=(a^b)\n\tadd\tx25,x25,x21\t\t\t// d+=h\n\teor\tx28,x28,x23\t\t\t// Maj(a,b,c)\n\teor\tx17,x12,x17,ror#34\t// Sigma0(a)\n\tadd\tx21,x21,x28\t\t\t// h+=Maj(a,b,c)\n\tldr\tx28,[x30],#8\t\t// *K++, x19 in next round\n\t//add\tx21,x21,x17\t\t\t// h+=Sigma0(a)\n#ifndef\t__AARCH64EB__\n\trev\tx10,x10\t\t\t// 7\n#endif\n\tldp\tx11,x12,[x1],#2*8\n\tadd\tx21,x21,x17\t\t\t// h+=Sigma0(a)\n\tror\tx16,x25,#14\n\tadd\tx20,x20,x28\t\t\t// h+=K[i]\n\teor\tx13,x25,x25,ror#23\n\tand\tx17,x26,x25\n\tbic\tx28,x27,x25\n\tadd\tx20,x20,x10\t\t\t// h+=X[i]\n\torr\tx17,x17,x28\t\t\t// Ch(e,f,g)\n\teor\tx28,x21,x22\t\t\t// a^b, b^c in next round\n\teor\tx16,x16,x13,ror#18\t// Sigma1(e)\n\tror\tx13,x21,#28\n\tadd\tx20,x20,x17\t\t\t// h+=Ch(e,f,g)\n\teor\tx17,x21,x21,ror#5\n\tadd\tx20,x20,x16\t\t\t// h+=Sigma1(e)\n\tand\tx19,x19,x28\t\t\t// (b^c)&=(a^b)\n\tadd\tx24,x24,x20\t\t\t// d+=h\n\teor\tx19,x19,x22\t\t\t// Maj(a,b,c)\n\teor\tx17,x13,x17,ror#34\t// Sigma0(a)\n\tadd\tx20,x20,x19\t\t\t// h+=Maj(a,b,c)\n\tldr\tx19,[x30],#8\t\t// *K++, x28 in next round\n\t//add\tx20,x20,x17\t\t\t// h+=Sigma0(a)\n#ifndef\t__AARCH64EB__\n\trev\tx11,x11\t\t\t// 8\n#endif\n\tadd\tx20,x20,x17\t\t\t// h+=Sigma0(a)\n\tror\tx16,x24,#14\n\tadd\tx27,x27,x19\t\t\t// h+=K[i]\n\teor\tx14,x24,x24,ror#23\n\tand\tx17,x25,x24\n\tbic\tx19,x26,x24\n\tadd\tx27,x27,x11\t\t\t// h+=X[i]\n\torr\tx17,x17,x19\t\t\t// Ch(e,f,g)\n\teor\tx19,x20,x21\t\t\t// a^b, b^c in next round\n\teor\tx16,x16,x14,ror#18\t// Sigma1(e)\n\tror\tx14,x20,#28\n\tadd\tx27,x27,x17\t\t\t// h+=Ch(e,f,g)\n\teor\tx17,x20,x20,ror#5\n\tadd\tx27,x27,x16\t\t\t// h+=Sigma1(e)\n\tand\tx28,x28,x19\t\t\t// (b^c)&=(a^b)\n\tadd\tx23,x23,x27\t\t\t// d+=h\n\teor\tx28,x28,x21\t\t\t// Maj(a,b,c)\n\teor\tx17,x14,x17,ror#34\t// Sigma0(a)\n\tadd\tx27,x27,x28\t\t\t// h+=Maj(a,b,c)\n\tldr\tx28,[x30],#8\t\t// *K++, x19 in next round\n\t//add\tx27,x27,x17\t\t\t// h+=Sigma0(a)\n#ifndef\t__AARCH64EB__\n\trev\tx12,x12\t\t\t// 9\n#endif\n\tldp\tx13,x14,[x1],#2*8\n\tadd\tx27,x27,x17\t\t\t// h+=Sigma0(a)\n\tror\tx16,x23,#14\n\tadd\tx26,x26,x28\t\t\t// h+=K[i]\n\teor\tx15,x23,x23,ror#23\n\tand\tx17,x24,x23\n\tbic\tx28,x25,x23\n\tadd\tx26,x26,x12\t\t\t// h+=X[i]\n\torr\tx17,x17,x28\t\t\t// Ch(e,f,g)\n\teor\tx28,x27,x20\t\t\t// a^b, b^c in next round\n\teor\tx16,x16,x15,ror#18\t// Sigma1(e)\n\tror\tx15,x27,#28\n\tadd\tx26,x26,x17\t\t\t// h+=Ch(e,f,g)\n\teor\tx17,x27,x27,ror#5\n\tadd\tx26,x26,x16\t\t\t// h+=Sigma1(e)\n\tand\tx19,x19,x28\t\t\t// (b^c)&=(a^b)\n\tadd\tx22,x22,x26\t\t\t// d+=h\n\teor\tx19,x19,x20\t\t\t// Maj(a,b,c)\n\teor\tx17,x15,x17,ror#34\t// Sigma0(a)\n\tadd\tx26,x26,x19\t\t\t// h+=Maj(a,b,c)\n\tldr\tx19,[x30],#8\t\t// *K++, x28 in next round\n\t//add\tx26,x26,x17\t\t\t// h+=Sigma0(a)\n#ifndef\t__AARCH64EB__\n\trev\tx13,x13\t\t\t// 10\n#endif\n\tadd\tx26,x26,x17\t\t\t// h+=Sigma0(a)\n\tror\tx16,x22,#14\n\tadd\tx25,x25,x19\t\t\t// h+=K[i]\n\teor\tx0,x22,x22,ror#23\n\tand\tx17,x23,x22\n\tbic\tx19,x24,x22\n\tadd\tx25,x25,x13\t\t\t// h+=X[i]\n\torr\tx17,x17,x19\t\t\t// Ch(e,f,g)\n\teor\tx19,x26,x27\t\t\t// a^b, b^c in next round\n\teor\tx16,x16,x0,ror#18\t// Sigma1(e)\n\tror\tx0,x26,#28\n\tadd\tx25,x25,x17\t\t\t// h+=Ch(e,f,g)\n\teor\tx17,x26,x26,ror#5\n\tadd\tx25,x25,x16\t\t\t// h+=Sigma1(e)\n\tand\tx28,x28,x19\t\t\t// (b^c)&=(a^b)\n\tadd\tx21,x21,x25\t\t\t// d+=h\n\teor\tx28,x28,x27\t\t\t// Maj(a,b,c)\n\teor\tx17,x0,x17,ror#34\t// Sigma0(a)\n\tadd\tx25,x25,x28\t\t\t// h+=Maj(a,b,c)\n\tldr\tx28,[x30],#8\t\t// *K++, x19 in next round\n\t//add\tx25,x25,x17\t\t\t// h+=Sigma0(a)\n#ifndef\t__AARCH64EB__\n\trev\tx14,x14\t\t\t// 11\n#endif\n\tldp\tx15,x0,[x1],#2*8\n\tadd\tx25,x25,x17\t\t\t// h+=Sigma0(a)\n\tstr\tx6,[sp,#24]\n\tror\tx16,x21,#14\n\tadd\tx24,x24,x28\t\t\t// h+=K[i]\n\teor\tx6,x21,x21,ror#23\n\tand\tx17,x22,x21\n\tbic\tx28,x23,x21\n\tadd\tx24,x24,x14\t\t\t// h+=X[i]\n\torr\tx17,x17,x28\t\t\t// Ch(e,f,g)\n\teor\tx28,x25,x26\t\t\t// a^b, b^c in next round\n\teor\tx16,x16,x6,ror#18\t// Sigma1(e)\n\tror\tx6,x25,#28\n\tadd\tx24,x24,x17\t\t\t// h+=Ch(e,f,g)\n\teor\tx17,x25,x25,ror#5\n\tadd\tx24,x24,x16\t\t\t// h+=Sigma1(e)\n\tand\tx19,x19,x28\t\t\t// (b^c)&=(a^b)\n\tadd\tx20,x20,x24\t\t\t// d+=h\n\teor\tx19,x19,x26\t\t\t// Maj(a,b,c)\n\teor\tx17,x6,x17,ror#34\t// Sigma0(a)\n\tadd\tx24,x24,x19\t\t\t// h+=Maj(a,b,c)\n\tldr\tx19,[x30],#8\t\t// *K++, x28 in next round\n\t//add\tx24,x24,x17\t\t\t// h+=Sigma0(a)\n#ifndef\t__AARCH64EB__\n\trev\tx15,x15\t\t\t// 12\n#endif\n\tadd\tx24,x24,x17\t\t\t// h+=Sigma0(a)\n\tstr\tx7,[sp,#0]\n\tror\tx16,x20,#14\n\tadd\tx23,x23,x19\t\t\t// h+=K[i]\n\teor\tx7,x20,x20,ror#23\n\tand\tx17,x21,x20\n\tbic\tx19,x22,x20\n\tadd\tx23,x23,x15\t\t\t// h+=X[i]\n\torr\tx17,x17,x19\t\t\t// Ch(e,f,g)\n\teor\tx19,x24,x25\t\t\t// a^b, b^c in next round\n\teor\tx16,x16,x7,ror#18\t// Sigma1(e)\n\tror\tx7,x24,#28\n\tadd\tx23,x23,x17\t\t\t// h+=Ch(e,f,g)\n\teor\tx17,x24,x24,ror#5\n\tadd\tx23,x23,x16\t\t\t// h+=Sigma1(e)\n\tand\tx28,x28,x19\t\t\t// (b^c)&=(a^b)\n\tadd\tx27,x27,x23\t\t\t// d+=h\n\teor\tx28,x28,x25\t\t\t// Maj(a,b,c)\n\teor\tx17,x7,x17,ror#34\t// Sigma0(a)\n\tadd\tx23,x23,x28\t\t\t// h+=Maj(a,b,c)\n\tldr\tx28,[x30],#8\t\t// *K++, x19 in next round\n\t//add\tx23,x23,x17\t\t\t// h+=Sigma0(a)\n#ifndef\t__AARCH64EB__\n\trev\tx0,x0\t\t\t// 13\n#endif\n\tldp\tx1,x2,[x1]\n\tadd\tx23,x23,x17\t\t\t// h+=Sigma0(a)\n\tstr\tx8,[sp,#8]\n\tror\tx16,x27,#14\n\tadd\tx22,x22,x28\t\t\t// h+=K[i]\n\teor\tx8,x27,x27,ror#23\n\tand\tx17,x20,x27\n\tbic\tx28,x21,x27\n\tadd\tx22,x22,x0\t\t\t// h+=X[i]\n\torr\tx17,x17,x28\t\t\t// Ch(e,f,g)\n\teor\tx28,x23,x24\t\t\t// a^b, b^c in next round\n\teor\tx16,x16,x8,ror#18\t// Sigma1(e)\n\tror\tx8,x23,#28\n\tadd\tx22,x22,x17\t\t\t// h+=Ch(e,f,g)\n\teor\tx17,x23,x23,ror#5\n\tadd\tx22,x22,x16\t\t\t// h+=Sigma1(e)\n\tand\tx19,x19,x28\t\t\t// (b^c)&=(a^b)\n\tadd\tx26,x26,x22\t\t\t// d+=h\n\teor\tx19,x19,x24\t\t\t// Maj(a,b,c)\n\teor\tx17,x8,x17,ror#34\t// Sigma0(a)\n\tadd\tx22,x22,x19\t\t\t// h+=Maj(a,b,c)\n\tldr\tx19,[x30],#8\t\t// *K++, x28 in next round\n\t//add\tx22,x22,x17\t\t\t// h+=Sigma0(a)\n#ifndef\t__AARCH64EB__\n\trev\tx1,x1\t\t\t// 14\n#endif\n\tldr\tx6,[sp,#24]\n\tadd\tx22,x22,x17\t\t\t// h+=Sigma0(a)\n\tstr\tx9,[sp,#16]\n\tror\tx16,x26,#14\n\tadd\tx21,x21,x19\t\t\t// h+=K[i]\n\teor\tx9,x26,x26,ror#23\n\tand\tx17,x27,x26\n\tbic\tx19,x20,x26\n\tadd\tx21,x21,x1\t\t\t// h+=X[i]\n\torr\tx17,x17,x19\t\t\t// Ch(e,f,g)\n\teor\tx19,x22,x23\t\t\t// a^b, b^c in next round\n\teor\tx16,x16,x9,ror#18\t// Sigma1(e)\n\tror\tx9,x22,#28\n\tadd\tx21,x21,x17\t\t\t// h+=Ch(e,f,g)\n\teor\tx17,x22,x22,ror#5\n\tadd\tx21,x21,x16\t\t\t// h+=Sigma1(e)\n\tand\tx28,x28,x19\t\t\t// (b^c)&=(a^b)\n\tadd\tx25,x25,x21\t\t\t// d+=h\n\teor\tx28,x28,x23\t\t\t// Maj(a,b,c)\n\teor\tx17,x9,x17,ror#34\t// Sigma0(a)\n\tadd\tx21,x21,x28\t\t\t// h+=Maj(a,b,c)\n\tldr\tx28,[x30],#8\t\t// *K++, x19 in next round\n\t//add\tx21,x21,x17\t\t\t// h+=Sigma0(a)\n#ifndef\t__AARCH64EB__\n\trev\tx2,x2\t\t\t// 15\n#endif\n\tldr\tx7,[sp,#0]\n\tadd\tx21,x21,x17\t\t\t// h+=Sigma0(a)\n\tstr\tx10,[sp,#24]\n\tror\tx16,x25,#14\n\tadd\tx20,x20,x28\t\t\t// h+=K[i]\n\tror\tx9,x4,#1\n\tand\tx17,x26,x25\n\tror\tx8,x1,#19\n\tbic\tx28,x27,x25\n\tror\tx10,x21,#28\n\tadd\tx20,x20,x2\t\t\t// h+=X[i]\n\teor\tx16,x16,x25,ror#18\n\teor\tx9,x9,x4,ror#8\n\torr\tx17,x17,x28\t\t\t// Ch(e,f,g)\n\teor\tx28,x21,x22\t\t\t// a^b, b^c in next round\n\teor\tx16,x16,x25,ror#41\t// Sigma1(e)\n\teor\tx10,x10,x21,ror#34\n\tadd\tx20,x20,x17\t\t\t// h+=Ch(e,f,g)\n\tand\tx19,x19,x28\t\t\t// (b^c)&=(a^b)\n\teor\tx8,x8,x1,ror#61\n\teor\tx9,x9,x4,lsr#7\t// sigma0(X[i+1])\n\tadd\tx20,x20,x16\t\t\t// h+=Sigma1(e)\n\teor\tx19,x19,x22\t\t\t// Maj(a,b,c)\n\teor\tx17,x10,x21,ror#39\t// Sigma0(a)\n\teor\tx8,x8,x1,lsr#6\t// sigma1(X[i+14])\n\tadd\tx3,x3,x12\n\tadd\tx24,x24,x20\t\t\t// d+=h\n\tadd\tx20,x20,x19\t\t\t// h+=Maj(a,b,c)\n\tldr\tx19,[x30],#8\t\t// *K++, x28 in next round\n\tadd\tx3,x3,x9\n\tadd\tx20,x20,x17\t\t\t// h+=Sigma0(a)\n\tadd\tx3,x3,x8\nLoop_16_xx:\n\tldr\tx8,[sp,#8]\n\tstr\tx11,[sp,#0]\n\tror\tx16,x24,#14\n\tadd\tx27,x27,x19\t\t\t// h+=K[i]\n\tror\tx10,x5,#1\n\tand\tx17,x25,x24\n\tror\tx9,x2,#19\n\tbic\tx19,x26,x24\n\tror\tx11,x20,#28\n\tadd\tx27,x27,x3\t\t\t// h+=X[i]\n\teor\tx16,x16,x24,ror#18\n\teor\tx10,x10,x5,ror#8\n\torr\tx17,x17,x19\t\t\t// Ch(e,f,g)\n\teor\tx19,x20,x21\t\t\t// a^b, b^c in next round\n\teor\tx16,x16,x24,ror#41\t// Sigma1(e)\n\teor\tx11,x11,x20,ror#34\n\tadd\tx27,x27,x17\t\t\t// h+=Ch(e,f,g)\n\tand\tx28,x28,x19\t\t\t// (b^c)&=(a^b)\n\teor\tx9,x9,x2,ror#61\n\teor\tx10,x10,x5,lsr#7\t// sigma0(X[i+1])\n\tadd\tx27,x27,x16\t\t\t// h+=Sigma1(e)\n\teor\tx28,x28,x21\t\t\t// Maj(a,b,c)\n\teor\tx17,x11,x20,ror#39\t// Sigma0(a)\n\teor\tx9,x9,x2,lsr#6\t// sigma1(X[i+14])\n\tadd\tx4,x4,x13\n\tadd\tx23,x23,x27\t\t\t// d+=h\n\tadd\tx27,x27,x28\t\t\t// h+=Maj(a,b,c)\n\tldr\tx28,[x30],#8\t\t// *K++, x19 in next round\n\tadd\tx4,x4,x10\n\tadd\tx27,x27,x17\t\t\t// h+=Sigma0(a)\n\tadd\tx4,x4,x9\n\tldr\tx9,[sp,#16]\n\tstr\tx12,[sp,#8]\n\tror\tx16,x23,#14\n\tadd\tx26,x26,x28\t\t\t// h+=K[i]\n\tror\tx11,x6,#1\n\tand\tx17,x24,x23\n\tror\tx10,x3,#19\n\tbic\tx28,x25,x23\n\tror\tx12,x27,#28\n\tadd\tx26,x26,x4\t\t\t// h+=X[i]\n\teor\tx16,x16,x23,ror#18\n\teor\tx11,x11,x6,ror#8\n\torr\tx17,x17,x28\t\t\t// Ch(e,f,g)\n\teor\tx28,x27,x20\t\t\t// a^b, b^c in next round\n\teor\tx16,x16,x23,ror#41\t// Sigma1(e)\n\teor\tx12,x12,x27,ror#34\n\tadd\tx26,x26,x17\t\t\t// h+=Ch(e,f,g)\n\tand\tx19,x19,x28\t\t\t// (b^c)&=(a^b)\n\teor\tx10,x10,x3,ror#61\n\teor\tx11,x11,x6,lsr#7\t// sigma0(X[i+1])\n\tadd\tx26,x26,x16\t\t\t// h+=Sigma1(e)\n\teor\tx19,x19,x20\t\t\t// Maj(a,b,c)\n\teor\tx17,x12,x27,ror#39\t// Sigma0(a)\n\teor\tx10,x10,x3,lsr#6\t// sigma1(X[i+14])\n\tadd\tx5,x5,x14\n\tadd\tx22,x22,x26\t\t\t// d+=h\n\tadd\tx26,x26,x19\t\t\t// h+=Maj(a,b,c)\n\tldr\tx19,[x30],#8\t\t// *K++, x28 in next round\n\tadd\tx5,x5,x11\n\tadd\tx26,x26,x17\t\t\t// h+=Sigma0(a)\n\tadd\tx5,x5,x10\n\tldr\tx10,[sp,#24]\n\tstr\tx13,[sp,#16]\n\tror\tx16,x22,#14\n\tadd\tx25,x25,x19\t\t\t// h+=K[i]\n\tror\tx12,x7,#1\n\tand\tx17,x23,x22\n\tror\tx11,x4,#19\n\tbic\tx19,x24,x22\n\tror\tx13,x26,#28\n\tadd\tx25,x25,x5\t\t\t// h+=X[i]\n\teor\tx16,x16,x22,ror#18\n\teor\tx12,x12,x7,ror#8\n\torr\tx17,x17,x19\t\t\t// Ch(e,f,g)\n\teor\tx19,x26,x27\t\t\t// a^b, b^c in next round\n\teor\tx16,x16,x22,ror#41\t// Sigma1(e)\n\teor\tx13,x13,x26,ror#34\n\tadd\tx25,x25,x17\t\t\t// h+=Ch(e,f,g)\n\tand\tx28,x28,x19\t\t\t// (b^c)&=(a^b)\n\teor\tx11,x11,x4,ror#61\n\teor\tx12,x12,x7,lsr#7\t// sigma0(X[i+1])\n\tadd\tx25,x25,x16\t\t\t// h+=Sigma1(e)\n\teor\tx28,x28,x27\t\t\t// Maj(a,b,c)\n\teor\tx17,x13,x26,ror#39\t// Sigma0(a)\n\teor\tx11,x11,x4,lsr#6\t// sigma1(X[i+14])\n\tadd\tx6,x6,x15\n\tadd\tx21,x21,x25\t\t\t// d+=h\n\tadd\tx25,x25,x28\t\t\t// h+=Maj(a,b,c)\n\tldr\tx28,[x30],#8\t\t// *K++, x19 in next round\n\tadd\tx6,x6,x12\n\tadd\tx25,x25,x17\t\t\t// h+=Sigma0(a)\n\tadd\tx6,x6,x11\n\tldr\tx11,[sp,#0]\n\tstr\tx14,[sp,#24]\n\tror\tx16,x21,#14\n\tadd\tx24,x24,x28\t\t\t// h+=K[i]\n\tror\tx13,x8,#1\n\tand\tx17,x22,x21\n\tror\tx12,x5,#19\n\tbic\tx28,x23,x21\n\tror\tx14,x25,#28\n\tadd\tx24,x24,x6\t\t\t// h+=X[i]\n\teor\tx16,x16,x21,ror#18\n\teor\tx13,x13,x8,ror#8\n\torr\tx17,x17,x28\t\t\t// Ch(e,f,g)\n\teor\tx28,x25,x26\t\t\t// a^b, b^c in next round\n\teor\tx16,x16,x21,ror#41\t// Sigma1(e)\n\teor\tx14,x14,x25,ror#34\n\tadd\tx24,x24,x17\t\t\t// h+=Ch(e,f,g)\n\tand\tx19,x19,x28\t\t\t// (b^c)&=(a^b)\n\teor\tx12,x12,x5,ror#61\n\teor\tx13,x13,x8,lsr#7\t// sigma0(X[i+1])\n\tadd\tx24,x24,x16\t\t\t// h+=Sigma1(e)\n\teor\tx19,x19,x26\t\t\t// Maj(a,b,c)\n\teor\tx17,x14,x25,ror#39\t// Sigma0(a)\n\teor\tx12,x12,x5,lsr#6\t// sigma1(X[i+14])\n\tadd\tx7,x7,x0\n\tadd\tx20,x20,x24\t\t\t// d+=h\n\tadd\tx24,x24,x19\t\t\t// h+=Maj(a,b,c)\n\tldr\tx19,[x30],#8\t\t// *K++, x28 in next round\n\tadd\tx7,x7,x13\n\tadd\tx24,x24,x17\t\t\t// h+=Sigma0(a)\n\tadd\tx7,x7,x12\n\tldr\tx12,[sp,#8]\n\tstr\tx15,[sp,#0]\n\tror\tx16,x20,#14\n\tadd\tx23,x23,x19\t\t\t// h+=K[i]\n\tror\tx14,x9,#1\n\tand\tx17,x21,x20\n\tror\tx13,x6,#19\n\tbic\tx19,x22,x20\n\tror\tx15,x24,#28\n\tadd\tx23,x23,x7\t\t\t// h+=X[i]\n\teor\tx16,x16,x20,ror#18\n\teor\tx14,x14,x9,ror#8\n\torr\tx17,x17,x19\t\t\t// Ch(e,f,g)\n\teor\tx19,x24,x25\t\t\t// a^b, b^c in next round\n\teor\tx16,x16,x20,ror#41\t// Sigma1(e)\n\teor\tx15,x15,x24,ror#34\n\tadd\tx23,x23,x17\t\t\t// h+=Ch(e,f,g)\n\tand\tx28,x28,x19\t\t\t// (b^c)&=(a^b)\n\teor\tx13,x13,x6,ror#61\n\teor\tx14,x14,x9,lsr#7\t// sigma0(X[i+1])\n\tadd\tx23,x23,x16\t\t\t// h+=Sigma1(e)\n\teor\tx28,x28,x25\t\t\t// Maj(a,b,c)\n\teor\tx17,x15,x24,ror#39\t// Sigma0(a)\n\teor\tx13,x13,x6,lsr#6\t// sigma1(X[i+14])\n\tadd\tx8,x8,x1\n\tadd\tx27,x27,x23\t\t\t// d+=h\n\tadd\tx23,x23,x28\t\t\t// h+=Maj(a,b,c)\n\tldr\tx28,[x30],#8\t\t// *K++, x19 in next round\n\tadd\tx8,x8,x14\n\tadd\tx23,x23,x17\t\t\t// h+=Sigma0(a)\n\tadd\tx8,x8,x13\n\tldr\tx13,[sp,#16]\n\tstr\tx0,[sp,#8]\n\tror\tx16,x27,#14\n\tadd\tx22,x22,x28\t\t\t// h+=K[i]\n\tror\tx15,x10,#1\n\tand\tx17,x20,x27\n\tror\tx14,x7,#19\n\tbic\tx28,x21,x27\n\tror\tx0,x23,#28\n\tadd\tx22,x22,x8\t\t\t// h+=X[i]\n\teor\tx16,x16,x27,ror#18\n\teor\tx15,x15,x10,ror#8\n\torr\tx17,x17,x28\t\t\t// Ch(e,f,g)\n\teor\tx28,x23,x24\t\t\t// a^b, b^c in next round\n\teor\tx16,x16,x27,ror#41\t// Sigma1(e)\n\teor\tx0,x0,x23,ror#34\n\tadd\tx22,x22,x17\t\t\t// h+=Ch(e,f,g)\n\tand\tx19,x19,x28\t\t\t// (b^c)&=(a^b)\n\teor\tx14,x14,x7,ror#61\n\teor\tx15,x15,x10,lsr#7\t// sigma0(X[i+1])\n\tadd\tx22,x22,x16\t\t\t// h+=Sigma1(e)\n\teor\tx19,x19,x24\t\t\t// Maj(a,b,c)\n\teor\tx17,x0,x23,ror#39\t// Sigma0(a)\n\teor\tx14,x14,x7,lsr#6\t// sigma1(X[i+14])\n\tadd\tx9,x9,x2\n\tadd\tx26,x26,x22\t\t\t// d+=h\n\tadd\tx22,x22,x19\t\t\t// h+=Maj(a,b,c)\n\tldr\tx19,[x30],#8\t\t// *K++, x28 in next round\n\tadd\tx9,x9,x15\n\tadd\tx22,x22,x17\t\t\t// h+=Sigma0(a)\n\tadd\tx9,x9,x14\n\tldr\tx14,[sp,#24]\n\tstr\tx1,[sp,#16]\n\tror\tx16,x26,#14\n\tadd\tx21,x21,x19\t\t\t// h+=K[i]\n\tror\tx0,x11,#1\n\tand\tx17,x27,x26\n\tror\tx15,x8,#19\n\tbic\tx19,x20,x26\n\tror\tx1,x22,#28\n\tadd\tx21,x21,x9\t\t\t// h+=X[i]\n\teor\tx16,x16,x26,ror#18\n\teor\tx0,x0,x11,ror#8\n\torr\tx17,x17,x19\t\t\t// Ch(e,f,g)\n\teor\tx19,x22,x23\t\t\t// a^b, b^c in next round\n\teor\tx16,x16,x26,ror#41\t// Sigma1(e)\n\teor\tx1,x1,x22,ror#34\n\tadd\tx21,x21,x17\t\t\t// h+=Ch(e,f,g)\n\tand\tx28,x28,x19\t\t\t// (b^c)&=(a^b)\n\teor\tx15,x15,x8,ror#61\n\teor\tx0,x0,x11,lsr#7\t// sigma0(X[i+1])\n\tadd\tx21,x21,x16\t\t\t// h+=Sigma1(e)\n\teor\tx28,x28,x23\t\t\t// Maj(a,b,c)\n\teor\tx17,x1,x22,ror#39\t// Sigma0(a)\n\teor\tx15,x15,x8,lsr#6\t// sigma1(X[i+14])\n\tadd\tx10,x10,x3\n\tadd\tx25,x25,x21\t\t\t// d+=h\n\tadd\tx21,x21,x28\t\t\t// h+=Maj(a,b,c)\n\tldr\tx28,[x30],#8\t\t// *K++, x19 in next round\n\tadd\tx10,x10,x0\n\tadd\tx21,x21,x17\t\t\t// h+=Sigma0(a)\n\tadd\tx10,x10,x15\n\tldr\tx15,[sp,#0]\n\tstr\tx2,[sp,#24]\n\tror\tx16,x25,#14\n\tadd\tx20,x20,x28\t\t\t// h+=K[i]\n\tror\tx1,x12,#1\n\tand\tx17,x26,x25\n\tror\tx0,x9,#19\n\tbic\tx28,x27,x25\n\tror\tx2,x21,#28\n\tadd\tx20,x20,x10\t\t\t// h+=X[i]\n\teor\tx16,x16,x25,ror#18\n\teor\tx1,x1,x12,ror#8\n\torr\tx17,x17,x28\t\t\t// Ch(e,f,g)\n\teor\tx28,x21,x22\t\t\t// a^b, b^c in next round\n\teor\tx16,x16,x25,ror#41\t// Sigma1(e)\n\teor\tx2,x2,x21,ror#34\n\tadd\tx20,x20,x17\t\t\t// h+=Ch(e,f,g)\n\tand\tx19,x19,x28\t\t\t// (b^c)&=(a^b)\n\teor\tx0,x0,x9,ror#61\n\teor\tx1,x1,x12,lsr#7\t// sigma0(X[i+1])\n\tadd\tx20,x20,x16\t\t\t// h+=Sigma1(e)\n\teor\tx19,x19,x22\t\t\t// Maj(a,b,c)\n\teor\tx17,x2,x21,ror#39\t// Sigma0(a)\n\teor\tx0,x0,x9,lsr#6\t// sigma1(X[i+14])\n\tadd\tx11,x11,x4\n\tadd\tx24,x24,x20\t\t\t// d+=h\n\tadd\tx20,x20,x19\t\t\t// h+=Maj(a,b,c)\n\tldr\tx19,[x30],#8\t\t// *K++, x28 in next round\n\tadd\tx11,x11,x1\n\tadd\tx20,x20,x17\t\t\t// h+=Sigma0(a)\n\tadd\tx11,x11,x0\n\tldr\tx0,[sp,#8]\n\tstr\tx3,[sp,#0]\n\tror\tx16,x24,#14\n\tadd\tx27,x27,x19\t\t\t// h+=K[i]\n\tror\tx2,x13,#1\n\tand\tx17,x25,x24\n\tror\tx1,x10,#19\n\tbic\tx19,x26,x24\n\tror\tx3,x20,#28\n\tadd\tx27,x27,x11\t\t\t// h+=X[i]\n\teor\tx16,x16,x24,ror#18\n\teor\tx2,x2,x13,ror#8\n\torr\tx17,x17,x19\t\t\t// Ch(e,f,g)\n\teor\tx19,x20,x21\t\t\t// a^b, b^c in next round\n\teor\tx16,x16,x24,ror#41\t// Sigma1(e)\n\teor\tx3,x3,x20,ror#34\n\tadd\tx27,x27,x17\t\t\t// h+=Ch(e,f,g)\n\tand\tx28,x28,x19\t\t\t// (b^c)&=(a^b)\n\teor\tx1,x1,x10,ror#61\n\teor\tx2,x2,x13,lsr#7\t// sigma0(X[i+1])\n\tadd\tx27,x27,x16\t\t\t// h+=Sigma1(e)\n\teor\tx28,x28,x21\t\t\t// Maj(a,b,c)\n\teor\tx17,x3,x20,ror#39\t// Sigma0(a)\n\teor\tx1,x1,x10,lsr#6\t// sigma1(X[i+14])\n\tadd\tx12,x12,x5\n\tadd\tx23,x23,x27\t\t\t// d+=h\n\tadd\tx27,x27,x28\t\t\t// h+=Maj(a,b,c)\n\tldr\tx28,[x30],#8\t\t// *K++, x19 in next round\n\tadd\tx12,x12,x2\n\tadd\tx27,x27,x17\t\t\t// h+=Sigma0(a)\n\tadd\tx12,x12,x1\n\tldr\tx1,[sp,#16]\n\tstr\tx4,[sp,#8]\n\tror\tx16,x23,#14\n\tadd\tx26,x26,x28\t\t\t// h+=K[i]\n\tror\tx3,x14,#1\n\tand\tx17,x24,x23\n\tror\tx2,x11,#19\n\tbic\tx28,x25,x23\n\tror\tx4,x27,#28\n\tadd\tx26,x26,x12\t\t\t// h+=X[i]\n\teor\tx16,x16,x23,ror#18\n\teor\tx3,x3,x14,ror#8\n\torr\tx17,x17,x28\t\t\t// Ch(e,f,g)\n\teor\tx28,x27,x20\t\t\t// a^b, b^c in next round\n\teor\tx16,x16,x23,ror#41\t// Sigma1(e)\n\teor\tx4,x4,x27,ror#34\n\tadd\tx26,x26,x17\t\t\t// h+=Ch(e,f,g)\n\tand\tx19,x19,x28\t\t\t// (b^c)&=(a^b)\n\teor\tx2,x2,x11,ror#61\n\teor\tx3,x3,x14,lsr#7\t// sigma0(X[i+1])\n\tadd\tx26,x26,x16\t\t\t// h+=Sigma1(e)\n\teor\tx19,x19,x20\t\t\t// Maj(a,b,c)\n\teor\tx17,x4,x27,ror#39\t// Sigma0(a)\n\teor\tx2,x2,x11,lsr#6\t// sigma1(X[i+14])\n\tadd\tx13,x13,x6\n\tadd\tx22,x22,x26\t\t\t// d+=h\n\tadd\tx26,x26,x19\t\t\t// h+=Maj(a,b,c)\n\tldr\tx19,[x30],#8\t\t// *K++, x28 in next round\n\tadd\tx13,x13,x3\n\tadd\tx26,x26,x17\t\t\t// h+=Sigma0(a)\n\tadd\tx13,x13,x2\n\tldr\tx2,[sp,#24]\n\tstr\tx5,[sp,#16]\n\tror\tx16,x22,#14\n\tadd\tx25,x25,x19\t\t\t// h+=K[i]\n\tror\tx4,x15,#1\n\tand\tx17,x23,x22\n\tror\tx3,x12,#19\n\tbic\tx19,x24,x22\n\tror\tx5,x26,#28\n\tadd\tx25,x25,x13\t\t\t// h+=X[i]\n\teor\tx16,x16,x22,ror#18\n\teor\tx4,x4,x15,ror#8\n\torr\tx17,x17,x19\t\t\t// Ch(e,f,g)\n\teor\tx19,x26,x27\t\t\t// a^b, b^c in next round\n\teor\tx16,x16,x22,ror#41\t// Sigma1(e)\n\teor\tx5,x5,x26,ror#34\n\tadd\tx25,x25,x17\t\t\t// h+=Ch(e,f,g)\n\tand\tx28,x28,x19\t\t\t// (b^c)&=(a^b)\n\teor\tx3,x3,x12,ror#61\n\teor\tx4,x4,x15,lsr#7\t// sigma0(X[i+1])\n\tadd\tx25,x25,x16\t\t\t// h+=Sigma1(e)\n\teor\tx28,x28,x27\t\t\t// Maj(a,b,c)\n\teor\tx17,x5,x26,ror#39\t// Sigma0(a)\n\teor\tx3,x3,x12,lsr#6\t// sigma1(X[i+14])\n\tadd\tx14,x14,x7\n\tadd\tx21,x21,x25\t\t\t// d+=h\n\tadd\tx25,x25,x28\t\t\t// h+=Maj(a,b,c)\n\tldr\tx28,[x30],#8\t\t// *K++, x19 in next round\n\tadd\tx14,x14,x4\n\tadd\tx25,x25,x17\t\t\t// h+=Sigma0(a)\n\tadd\tx14,x14,x3\n\tldr\tx3,[sp,#0]\n\tstr\tx6,[sp,#24]\n\tror\tx16,x21,#14\n\tadd\tx24,x24,x28\t\t\t// h+=K[i]\n\tror\tx5,x0,#1\n\tand\tx17,x22,x21\n\tror\tx4,x13,#19\n\tbic\tx28,x23,x21\n\tror\tx6,x25,#28\n\tadd\tx24,x24,x14\t\t\t// h+=X[i]\n\teor\tx16,x16,x21,ror#18\n\teor\tx5,x5,x0,ror#8\n\torr\tx17,x17,x28\t\t\t// Ch(e,f,g)\n\teor\tx28,x25,x26\t\t\t// a^b, b^c in next round\n\teor\tx16,x16,x21,ror#41\t// Sigma1(e)\n\teor\tx6,x6,x25,ror#34\n\tadd\tx24,x24,x17\t\t\t// h+=Ch(e,f,g)\n\tand\tx19,x19,x28\t\t\t// (b^c)&=(a^b)\n\teor\tx4,x4,x13,ror#61\n\teor\tx5,x5,x0,lsr#7\t// sigma0(X[i+1])\n\tadd\tx24,x24,x16\t\t\t// h+=Sigma1(e)\n\teor\tx19,x19,x26\t\t\t// Maj(a,b,c)\n\teor\tx17,x6,x25,ror#39\t// Sigma0(a)\n\teor\tx4,x4,x13,lsr#6\t// sigma1(X[i+14])\n\tadd\tx15,x15,x8\n\tadd\tx20,x20,x24\t\t\t// d+=h\n\tadd\tx24,x24,x19\t\t\t// h+=Maj(a,b,c)\n\tldr\tx19,[x30],#8\t\t// *K++, x28 in next round\n\tadd\tx15,x15,x5\n\tadd\tx24,x24,x17\t\t\t// h+=Sigma0(a)\n\tadd\tx15,x15,x4\n\tldr\tx4,[sp,#8]\n\tstr\tx7,[sp,#0]\n\tror\tx16,x20,#14\n\tadd\tx23,x23,x19\t\t\t// h+=K[i]\n\tror\tx6,x1,#1\n\tand\tx17,x21,x20\n\tror\tx5,x14,#19\n\tbic\tx19,x22,x20\n\tror\tx7,x24,#28\n\tadd\tx23,x23,x15\t\t\t// h+=X[i]\n\teor\tx16,x16,x20,ror#18\n\teor\tx6,x6,x1,ror#8\n\torr\tx17,x17,x19\t\t\t// Ch(e,f,g)\n\teor\tx19,x24,x25\t\t\t// a^b, b^c in next round\n\teor\tx16,x16,x20,ror#41\t// Sigma1(e)\n\teor\tx7,x7,x24,ror#34\n\tadd\tx23,x23,x17\t\t\t// h+=Ch(e,f,g)\n\tand\tx28,x28,x19\t\t\t// (b^c)&=(a^b)\n\teor\tx5,x5,x14,ror#61\n\teor\tx6,x6,x1,lsr#7\t// sigma0(X[i+1])\n\tadd\tx23,x23,x16\t\t\t// h+=Sigma1(e)\n\teor\tx28,x28,x25\t\t\t// Maj(a,b,c)\n\teor\tx17,x7,x24,ror#39\t// Sigma0(a)\n\teor\tx5,x5,x14,lsr#6\t// sigma1(X[i+14])\n\tadd\tx0,x0,x9\n\tadd\tx27,x27,x23\t\t\t// d+=h\n\tadd\tx23,x23,x28\t\t\t// h+=Maj(a,b,c)\n\tldr\tx28,[x30],#8\t\t// *K++, x19 in next round\n\tadd\tx0,x0,x6\n\tadd\tx23,x23,x17\t\t\t// h+=Sigma0(a)\n\tadd\tx0,x0,x5\n\tldr\tx5,[sp,#16]\n\tstr\tx8,[sp,#8]\n\tror\tx16,x27,#14\n\tadd\tx22,x22,x28\t\t\t// h+=K[i]\n\tror\tx7,x2,#1\n\tand\tx17,x20,x27\n\tror\tx6,x15,#19\n\tbic\tx28,x21,x27\n\tror\tx8,x23,#28\n\tadd\tx22,x22,x0\t\t\t// h+=X[i]\n\teor\tx16,x16,x27,ror#18\n\teor\tx7,x7,x2,ror#8\n\torr\tx17,x17,x28\t\t\t// Ch(e,f,g)\n\teor\tx28,x23,x24\t\t\t// a^b, b^c in next round\n\teor\tx16,x16,x27,ror#41\t// Sigma1(e)\n\teor\tx8,x8,x23,ror#34\n\tadd\tx22,x22,x17\t\t\t// h+=Ch(e,f,g)\n\tand\tx19,x19,x28\t\t\t// (b^c)&=(a^b)\n\teor\tx6,x6,x15,ror#61\n\teor\tx7,x7,x2,lsr#7\t// sigma0(X[i+1])\n\tadd\tx22,x22,x16\t\t\t// h+=Sigma1(e)\n\teor\tx19,x19,x24\t\t\t// Maj(a,b,c)\n\teor\tx17,x8,x23,ror#39\t// Sigma0(a)\n\teor\tx6,x6,x15,lsr#6\t// sigma1(X[i+14])\n\tadd\tx1,x1,x10\n\tadd\tx26,x26,x22\t\t\t// d+=h\n\tadd\tx22,x22,x19\t\t\t// h+=Maj(a,b,c)\n\tldr\tx19,[x30],#8\t\t// *K++, x28 in next round\n\tadd\tx1,x1,x7\n\tadd\tx22,x22,x17\t\t\t// h+=Sigma0(a)\n\tadd\tx1,x1,x6\n\tldr\tx6,[sp,#24]\n\tstr\tx9,[sp,#16]\n\tror\tx16,x26,#14\n\tadd\tx21,x21,x19\t\t\t// h+=K[i]\n\tror\tx8,x3,#1\n\tand\tx17,x27,x26\n\tror\tx7,x0,#19\n\tbic\tx19,x20,x26\n\tror\tx9,x22,#28\n\tadd\tx21,x21,x1\t\t\t// h+=X[i]\n\teor\tx16,x16,x26,ror#18\n\teor\tx8,x8,x3,ror#8\n\torr\tx17,x17,x19\t\t\t// Ch(e,f,g)\n\teor\tx19,x22,x23\t\t\t// a^b, b^c in next round\n\teor\tx16,x16,x26,ror#41\t// Sigma1(e)\n\teor\tx9,x9,x22,ror#34\n\tadd\tx21,x21,x17\t\t\t// h+=Ch(e,f,g)\n\tand\tx28,x28,x19\t\t\t// (b^c)&=(a^b)\n\teor\tx7,x7,x0,ror#61\n\teor\tx8,x8,x3,lsr#7\t// sigma0(X[i+1])\n\tadd\tx21,x21,x16\t\t\t// h+=Sigma1(e)\n\teor\tx28,x28,x23\t\t\t// Maj(a,b,c)\n\teor\tx17,x9,x22,ror#39\t// Sigma0(a)\n\teor\tx7,x7,x0,lsr#6\t// sigma1(X[i+14])\n\tadd\tx2,x2,x11\n\tadd\tx25,x25,x21\t\t\t// d+=h\n\tadd\tx21,x21,x28\t\t\t// h+=Maj(a,b,c)\n\tldr\tx28,[x30],#8\t\t// *K++, x19 in next round\n\tadd\tx2,x2,x8\n\tadd\tx21,x21,x17\t\t\t// h+=Sigma0(a)\n\tadd\tx2,x2,x7\n\tldr\tx7,[sp,#0]\n\tstr\tx10,[sp,#24]\n\tror\tx16,x25,#14\n\tadd\tx20,x20,x28\t\t\t// h+=K[i]\n\tror\tx9,x4,#1\n\tand\tx17,x26,x25\n\tror\tx8,x1,#19\n\tbic\tx28,x27,x25\n\tror\tx10,x21,#28\n\tadd\tx20,x20,x2\t\t\t// h+=X[i]\n\teor\tx16,x16,x25,ror#18\n\teor\tx9,x9,x4,ror#8\n\torr\tx17,x17,x28\t\t\t// Ch(e,f,g)\n\teor\tx28,x21,x22\t\t\t// a^b, b^c in next round\n\teor\tx16,x16,x25,ror#41\t// Sigma1(e)\n\teor\tx10,x10,x21,ror#34\n\tadd\tx20,x20,x17\t\t\t// h+=Ch(e,f,g)\n\tand\tx19,x19,x28\t\t\t// (b^c)&=(a^b)\n\teor\tx8,x8,x1,ror#61\n\teor\tx9,x9,x4,lsr#7\t// sigma0(X[i+1])\n\tadd\tx20,x20,x16\t\t\t// h+=Sigma1(e)\n\teor\tx19,x19,x22\t\t\t// Maj(a,b,c)\n\teor\tx17,x10,x21,ror#39\t// Sigma0(a)\n\teor\tx8,x8,x1,lsr#6\t// sigma1(X[i+14])\n\tadd\tx3,x3,x12\n\tadd\tx24,x24,x20\t\t\t// d+=h\n\tadd\tx20,x20,x19\t\t\t// h+=Maj(a,b,c)\n\tldr\tx19,[x30],#8\t\t// *K++, x28 in next round\n\tadd\tx3,x3,x9\n\tadd\tx20,x20,x17\t\t\t// h+=Sigma0(a)\n\tadd\tx3,x3,x8\n\tcbnz\tx19,Loop_16_xx\n\n\tldp\tx0,x2,[x29,#96]\n\tldr\tx1,[x29,#112]\n\tsub\tx30,x30,#648\t\t// rewind\n\n\tldp\tx3,x4,[x0]\n\tldp\tx5,x6,[x0,#2*8]\n\tadd\tx1,x1,#14*8\t\t\t// advance input pointer\n\tldp\tx7,x8,[x0,#4*8]\n\tadd\tx20,x20,x3\n\tldp\tx9,x10,[x0,#6*8]\n\tadd\tx21,x21,x4\n\tadd\tx22,x22,x5\n\tadd\tx23,x23,x6\n\tstp\tx20,x21,[x0]\n\tadd\tx24,x24,x7\n\tadd\tx25,x25,x8\n\tstp\tx22,x23,[x0,#2*8]\n\tadd\tx26,x26,x9\n\tadd\tx27,x27,x10\n\tcmp\tx1,x2\n\tstp\tx24,x25,[x0,#4*8]\n\tstp\tx26,x27,[x0,#6*8]\n\tb.ne\tLoop\n\n\tldp\tx19,x20,[x29,#16]\n\tadd\tsp,sp,#4*8\n\tldp\tx21,x22,[x29,#32]\n\tldp\tx23,x24,[x29,#48]\n\tldp\tx25,x26,[x29,#64]\n\tldp\tx27,x28,[x29,#80]\n\tldp\tx29,x30,[sp],#128\n\tAARCH64_VALIDATE_LINK_REGISTER\n\tret\n\n\n.section\t.rodata\n.align\t6\n\nLK512:\n.quad\t0x428a2f98d728ae22,0x7137449123ef65cd\n.quad\t0xb5c0fbcfec4d3b2f,0xe9b5dba58189dbbc\n.quad\t0x3956c25bf348b538,0x59f111f1b605d019\n.quad\t0x923f82a4af194f9b,0xab1c5ed5da6d8118\n.quad\t0xd807aa98a3030242,0x12835b0145706fbe\n.quad\t0x243185be4ee4b28c,0x550c7dc3d5ffb4e2\n.quad\t0x72be5d74f27b896f,0x80deb1fe3b1696b1\n.quad\t0x9bdc06a725c71235,0xc19bf174cf692694\n.quad\t0xe49b69c19ef14ad2,0xefbe4786384f25e3\n.quad\t0x0fc19dc68b8cd5b5,0x240ca1cc77ac9c65\n.quad\t0x2de92c6f592b0275,0x4a7484aa6ea6e483\n.quad\t0x5cb0a9dcbd41fbd4,0x76f988da831153b5\n.quad\t0x983e5152ee66dfab,0xa831c66d2db43210\n.quad\t0xb00327c898fb213f,0xbf597fc7beef0ee4\n.quad\t0xc6e00bf33da88fc2,0xd5a79147930aa725\n.quad\t0x06ca6351e003826f,0x142929670a0e6e70\n.quad\t0x27b70a8546d22ffc,0x2e1b21385c26c926\n.quad\t0x4d2c6dfc5ac42aed,0x53380d139d95b3df\n.quad\t0x650a73548baf63de,0x766a0abb3c77b2a8\n.quad\t0x81c2c92e47edaee6,0x92722c851482353b\n.quad\t0xa2bfe8a14cf10364,0xa81a664bbc423001\n.quad\t0xc24b8b70d0f89791,0xc76c51a30654be30\n.quad\t0xd192e819d6ef5218,0xd69906245565a910\n.quad\t0xf40e35855771202a,0x106aa07032bbd1b8\n.quad\t0x19a4c116b8d2d0c8,0x1e376c085141ab53\n.quad\t0x2748774cdf8eeb99,0x34b0bcb5e19b48a8\n.quad\t0x391c0cb3c5c95a63,0x4ed8aa4ae3418acb\n.quad\t0x5b9cca4f7763e373,0x682e6ff3d6b2b8a3\n.quad\t0x748f82ee5defb2fc,0x78a5636f43172f60\n.quad\t0x84c87814a1f0ab72,0x8cc702081a6439ec\n.quad\t0x90befffa23631e28,0xa4506cebde82bde9\n.quad\t0xbef9a3f7b2c67915,0xc67178f2e372532b\n.quad\t0xca273eceea26619c,0xd186b8c721c0c207\n.quad\t0xeada7dd6cde0eb1e,0xf57d4f7fee6ed178\n.quad\t0x06f067aa72176fba,0x0a637dc5a2c898a6\n.quad\t0x113f9804bef90dae,0x1b710b35131c471b\n.quad\t0x28db77f523047d84,0x32caab7b40c72493\n.quad\t0x3c9ebe0a15c9bebc,0x431d67c49c100d4c\n.quad\t0x4cc5d4becb3e42b6,0x597f299cfc657e2a\n.quad\t0x5fcb6fab3ad6faec,0x6c44198c4a475817\n.quad\t0\t// terminator\n\n.byte\t83,72,65,53,49,50,32,98,108,111,99,107,32,116,114,97,110,115,102,111,114,109,32,102,111,114,32,65,82,77,118,56,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0\n.align\t2\n.align\t2\n.text\n#ifndef\t__KERNEL__\n.globl\tsha512_block_data_order_hw\n\n.def sha512_block_data_order_hw\n .type 32\n.endef\n.align\t6\nsha512_block_data_order_hw:\n\t// Armv8.3-A PAuth: even though x30 is pushed to stack it is not popped later.\n\tAARCH64_VALID_CALL_TARGET\n\tstp\tx29,x30,[sp,#-16]!\n\tadd\tx29,sp,#0\n\n\tld1\t{v16.16b,v17.16b,v18.16b,v19.16b},[x1],#64\t// load input\n\tld1\t{v20.16b,v21.16b,v22.16b,v23.16b},[x1],#64\n\n\tld1\t{v0.2d,v1.2d,v2.2d,v3.2d},[x0]\t\t// load context\n\tadrp\tx3,LK512\n\tadd\tx3,x3,:lo12:LK512\n\n\trev64\tv16.16b,v16.16b\n\trev64\tv17.16b,v17.16b\n\trev64\tv18.16b,v18.16b\n\trev64\tv19.16b,v19.16b\n\trev64\tv20.16b,v20.16b\n\trev64\tv21.16b,v21.16b\n\trev64\tv22.16b,v22.16b\n\trev64\tv23.16b,v23.16b\n\tb\tLoop_hw\n\n.align\t4\nLoop_hw:\n\tld1\t{v24.2d},[x3],#16\n\tsubs\tx2,x2,#1\n\tsub\tx4,x1,#128\n\torr\tv26.16b,v0.16b,v0.16b\t\t\t// offload\n\torr\tv27.16b,v1.16b,v1.16b\n\torr\tv28.16b,v2.16b,v2.16b\n\torr\tv29.16b,v3.16b,v3.16b\n\tcsel\tx1,x1,x4,ne\t\t\t// conditional rewind\n\tadd\tv24.2d,v24.2d,v16.2d\n\tld1\t{v25.2d},[x3],#16\n\text\tv24.16b,v24.16b,v24.16b,#8\n\text\tv5.16b,v2.16b,v3.16b,#8\n\text\tv6.16b,v1.16b,v2.16b,#8\n\tadd\tv3.2d,v3.2d,v24.2d\t\t\t// \"T1 + H + K512[i]\"\n.long\t0xcec08230\t//sha512su0 v16.16b,v17.16b\n\text\tv7.16b,v20.16b,v21.16b,#8\n.long\t0xce6680a3\t//sha512h v3.16b,v5.16b,v6.16b\n.long\t0xce678af0\t//sha512su1 v16.16b,v23.16b,v7.16b\n\tadd\tv4.2d,v1.2d,v3.2d\t\t// \"D + T1\"\n.long\t0xce608423\t//sha512h2 v3.16b,v1.16b,v0.16b\n\tadd\tv25.2d,v25.2d,v17.2d\n\tld1\t{v24.2d},[x3],#16\n\text\tv25.16b,v25.16b,v25.16b,#8\n\text\tv5.16b,v4.16b,v2.16b,#8\n\text\tv6.16b,v0.16b,v4.16b,#8\n\tadd\tv2.2d,v2.2d,v25.2d\t\t\t// \"T1 + H + K512[i]\"\n.long\t0xcec08251\t//sha512su0 v17.16b,v18.16b\n\text\tv7.16b,v21.16b,v22.16b,#8\n.long\t0xce6680a2\t//sha512h v2.16b,v5.16b,v6.16b\n.long\t0xce678a11\t//sha512su1 v17.16b,v16.16b,v7.16b\n\tadd\tv1.2d,v0.2d,v2.2d\t\t// \"D + T1\"\n.long\t0xce638402\t//sha512h2 v2.16b,v0.16b,v3.16b\n\tadd\tv24.2d,v24.2d,v18.2d\n\tld1\t{v25.2d},[x3],#16\n\text\tv24.16b,v24.16b,v24.16b,#8\n\text\tv5.16b,v1.16b,v4.16b,#8\n\text\tv6.16b,v3.16b,v1.16b,#8\n\tadd\tv4.2d,v4.2d,v24.2d\t\t\t// \"T1 + H + K512[i]\"\n.long\t0xcec08272\t//sha512su0 v18.16b,v19.16b\n\text\tv7.16b,v22.16b,v23.16b,#8\n.long\t0xce6680a4\t//sha512h v4.16b,v5.16b,v6.16b\n.long\t0xce678a32\t//sha512su1 v18.16b,v17.16b,v7.16b\n\tadd\tv0.2d,v3.2d,v4.2d\t\t// \"D + T1\"\n.long\t0xce628464\t//sha512h2 v4.16b,v3.16b,v2.16b\n\tadd\tv25.2d,v25.2d,v19.2d\n\tld1\t{v24.2d},[x3],#16\n\text\tv25.16b,v25.16b,v25.16b,#8\n\text\tv5.16b,v0.16b,v1.16b,#8\n\text\tv6.16b,v2.16b,v0.16b,#8\n\tadd\tv1.2d,v1.2d,v25.2d\t\t\t// \"T1 + H + K512[i]\"\n.long\t0xcec08293\t//sha512su0 v19.16b,v20.16b\n\text\tv7.16b,v23.16b,v16.16b,#8\n.long\t0xce6680a1\t//sha512h v1.16b,v5.16b,v6.16b\n.long\t0xce678a53\t//sha512su1 v19.16b,v18.16b,v7.16b\n\tadd\tv3.2d,v2.2d,v1.2d\t\t// \"D + T1\"\n.long\t0xce648441\t//sha512h2 v1.16b,v2.16b,v4.16b\n\tadd\tv24.2d,v24.2d,v20.2d\n\tld1\t{v25.2d},[x3],#16\n\text\tv24.16b,v24.16b,v24.16b,#8\n\text\tv5.16b,v3.16b,v0.16b,#8\n\text\tv6.16b,v4.16b,v3.16b,#8\n\tadd\tv0.2d,v0.2d,v24.2d\t\t\t// \"T1 + H + K512[i]\"\n.long\t0xcec082b4\t//sha512su0 v20.16b,v21.16b\n\text\tv7.16b,v16.16b,v17.16b,#8\n.long\t0xce6680a0\t//sha512h v0.16b,v5.16b,v6.16b\n.long\t0xce678a74\t//sha512su1 v20.16b,v19.16b,v7.16b\n\tadd\tv2.2d,v4.2d,v0.2d\t\t// \"D + T1\"\n.long\t0xce618480\t//sha512h2 v0.16b,v4.16b,v1.16b\n\tadd\tv25.2d,v25.2d,v21.2d\n\tld1\t{v24.2d},[x3],#16\n\text\tv25.16b,v25.16b,v25.16b,#8\n\text\tv5.16b,v2.16b,v3.16b,#8\n\text\tv6.16b,v1.16b,v2.16b,#8\n\tadd\tv3.2d,v3.2d,v25.2d\t\t\t// \"T1 + H + K512[i]\"\n.long\t0xcec082d5\t//sha512su0 v21.16b,v22.16b\n\text\tv7.16b,v17.16b,v18.16b,#8\n.long\t0xce6680a3\t//sha512h v3.16b,v5.16b,v6.16b\n.long\t0xce678a95\t//sha512su1 v21.16b,v20.16b,v7.16b\n\tadd\tv4.2d,v1.2d,v3.2d\t\t// \"D + T1\"\n.long\t0xce608423\t//sha512h2 v3.16b,v1.16b,v0.16b\n\tadd\tv24.2d,v24.2d,v22.2d\n\tld1\t{v25.2d},[x3],#16\n\text\tv24.16b,v24.16b,v24.16b,#8\n\text\tv5.16b,v4.16b,v2.16b,#8\n\text\tv6.16b,v0.16b,v4.16b,#8\n\tadd\tv2.2d,v2.2d,v24.2d\t\t\t// \"T1 + H + K512[i]\"\n.long\t0xcec082f6\t//sha512su0 v22.16b,v23.16b\n\text\tv7.16b,v18.16b,v19.16b,#8\n.long\t0xce6680a2\t//sha512h v2.16b,v5.16b,v6.16b\n.long\t0xce678ab6\t//sha512su1 v22.16b,v21.16b,v7.16b\n\tadd\tv1.2d,v0.2d,v2.2d\t\t// \"D + T1\"\n.long\t0xce638402\t//sha512h2 v2.16b,v0.16b,v3.16b\n\tadd\tv25.2d,v25.2d,v23.2d\n\tld1\t{v24.2d},[x3],#16\n\text\tv25.16b,v25.16b,v25.16b,#8\n\text\tv5.16b,v1.16b,v4.16b,#8\n\text\tv6.16b,v3.16b,v1.16b,#8\n\tadd\tv4.2d,v4.2d,v25.2d\t\t\t// \"T1 + H + K512[i]\"\n.long\t0xcec08217\t//sha512su0 v23.16b,v16.16b\n\text\tv7.16b,v19.16b,v20.16b,#8\n.long\t0xce6680a4\t//sha512h v4.16b,v5.16b,v6.16b\n.long\t0xce678ad7\t//sha512su1 v23.16b,v22.16b,v7.16b\n\tadd\tv0.2d,v3.2d,v4.2d\t\t// \"D + T1\"\n.long\t0xce628464\t//sha512h2 v4.16b,v3.16b,v2.16b\n\tadd\tv24.2d,v24.2d,v16.2d\n\tld1\t{v25.2d},[x3],#16\n\text\tv24.16b,v24.16b,v24.16b,#8\n\text\tv5.16b,v0.16b,v1.16b,#8\n\text\tv6.16b,v2.16b,v0.16b,#8\n\tadd\tv1.2d,v1.2d,v24.2d\t\t\t// \"T1 + H + K512[i]\"\n.long\t0xcec08230\t//sha512su0 v16.16b,v17.16b\n\text\tv7.16b,v20.16b,v21.16b,#8\n.long\t0xce6680a1\t//sha512h v1.16b,v5.16b,v6.16b\n.long\t0xce678af0\t//sha512su1 v16.16b,v23.16b,v7.16b\n\tadd\tv3.2d,v2.2d,v1.2d\t\t// \"D + T1\"\n.long\t0xce648441\t//sha512h2 v1.16b,v2.16b,v4.16b\n\tadd\tv25.2d,v25.2d,v17.2d\n\tld1\t{v24.2d},[x3],#16\n\text\tv25.16b,v25.16b,v25.16b,#8\n\text\tv5.16b,v3.16b,v0.16b,#8\n\text\tv6.16b,v4.16b,v3.16b,#8\n\tadd\tv0.2d,v0.2d,v25.2d\t\t\t// \"T1 + H + K512[i]\"\n.long\t0xcec08251\t//sha512su0 v17.16b,v18.16b\n\text\tv7.16b,v21.16b,v22.16b,#8\n.long\t0xce6680a0\t//sha512h v0.16b,v5.16b,v6.16b\n.long\t0xce678a11\t//sha512su1 v17.16b,v16.16b,v7.16b\n\tadd\tv2.2d,v4.2d,v0.2d\t\t// \"D + T1\"\n.long\t0xce618480\t//sha512h2 v0.16b,v4.16b,v1.16b\n\tadd\tv24.2d,v24.2d,v18.2d\n\tld1\t{v25.2d},[x3],#16\n\text\tv24.16b,v24.16b,v24.16b,#8\n\text\tv5.16b,v2.16b,v3.16b,#8\n\text\tv6.16b,v1.16b,v2.16b,#8\n\tadd\tv3.2d,v3.2d,v24.2d\t\t\t// \"T1 + H + K512[i]\"\n.long\t0xcec08272\t//sha512su0 v18.16b,v19.16b\n\text\tv7.16b,v22.16b,v23.16b,#8\n.long\t0xce6680a3\t//sha512h v3.16b,v5.16b,v6.16b\n.long\t0xce678a32\t//sha512su1 v18.16b,v17.16b,v7.16b\n\tadd\tv4.2d,v1.2d,v3.2d\t\t// \"D + T1\"\n.long\t0xce608423\t//sha512h2 v3.16b,v1.16b,v0.16b\n\tadd\tv25.2d,v25.2d,v19.2d\n\tld1\t{v24.2d},[x3],#16\n\text\tv25.16b,v25.16b,v25.16b,#8\n\text\tv5.16b,v4.16b,v2.16b,#8\n\text\tv6.16b,v0.16b,v4.16b,#8\n\tadd\tv2.2d,v2.2d,v25.2d\t\t\t// \"T1 + H + K512[i]\"\n.long\t0xcec08293\t//sha512su0 v19.16b,v20.16b\n\text\tv7.16b,v23.16b,v16.16b,#8\n.long\t0xce6680a2\t//sha512h v2.16b,v5.16b,v6.16b\n.long\t0xce678a53\t//sha512su1 v19.16b,v18.16b,v7.16b\n\tadd\tv1.2d,v0.2d,v2.2d\t\t// \"D + T1\"\n.long\t0xce638402\t//sha512h2 v2.16b,v0.16b,v3.16b\n\tadd\tv24.2d,v24.2d,v20.2d\n\tld1\t{v25.2d},[x3],#16\n\text\tv24.16b,v24.16b,v24.16b,#8\n\text\tv5.16b,v1.16b,v4.16b,#8\n\text\tv6.16b,v3.16b,v1.16b,#8\n\tadd\tv4.2d,v4.2d,v24.2d\t\t\t// \"T1 + H + K512[i]\"\n.long\t0xcec082b4\t//sha512su0 v20.16b,v21.16b\n\text\tv7.16b,v16.16b,v17.16b,#8\n.long\t0xce6680a4\t//sha512h v4.16b,v5.16b,v6.16b\n.long\t0xce678a74\t//sha512su1 v20.16b,v19.16b,v7.16b\n\tadd\tv0.2d,v3.2d,v4.2d\t\t// \"D + T1\"\n.long\t0xce628464\t//sha512h2 v4.16b,v3.16b,v2.16b\n\tadd\tv25.2d,v25.2d,v21.2d\n\tld1\t{v24.2d},[x3],#16\n\text\tv25.16b,v25.16b,v25.16b,#8\n\text\tv5.16b,v0.16b,v1.16b,#8\n\text\tv6.16b,v2.16b,v0.16b,#8\n\tadd\tv1.2d,v1.2d,v25.2d\t\t\t// \"T1 + H + K512[i]\"\n.long\t0xcec082d5\t//sha512su0 v21.16b,v22.16b\n\text\tv7.16b,v17.16b,v18.16b,#8\n.long\t0xce6680a1\t//sha512h v1.16b,v5.16b,v6.16b\n.long\t0xce678a95\t//sha512su1 v21.16b,v20.16b,v7.16b\n\tadd\tv3.2d,v2.2d,v1.2d\t\t// \"D + T1\"\n.long\t0xce648441\t//sha512h2 v1.16b,v2.16b,v4.16b\n\tadd\tv24.2d,v24.2d,v22.2d\n\tld1\t{v25.2d},[x3],#16\n\text\tv24.16b,v24.16b,v24.16b,#8\n\text\tv5.16b,v3.16b,v0.16b,#8\n\text\tv6.16b,v4.16b,v3.16b,#8\n\tadd\tv0.2d,v0.2d,v24.2d\t\t\t// \"T1 + H + K512[i]\"\n.long\t0xcec082f6\t//sha512su0 v22.16b,v23.16b\n\text\tv7.16b,v18.16b,v19.16b,#8\n.long\t0xce6680a0\t//sha512h v0.16b,v5.16b,v6.16b\n.long\t0xce678ab6\t//sha512su1 v22.16b,v21.16b,v7.16b\n\tadd\tv2.2d,v4.2d,v0.2d\t\t// \"D + T1\"\n.long\t0xce618480\t//sha512h2 v0.16b,v4.16b,v1.16b\n\tadd\tv25.2d,v25.2d,v23.2d\n\tld1\t{v24.2d},[x3],#16\n\text\tv25.16b,v25.16b,v25.16b,#8\n\text\tv5.16b,v2.16b,v3.16b,#8\n\text\tv6.16b,v1.16b,v2.16b,#8\n\tadd\tv3.2d,v3.2d,v25.2d\t\t\t// \"T1 + H + K512[i]\"\n.long\t0xcec08217\t//sha512su0 v23.16b,v16.16b\n\text\tv7.16b,v19.16b,v20.16b,#8\n.long\t0xce6680a3\t//sha512h v3.16b,v5.16b,v6.16b\n.long\t0xce678ad7\t//sha512su1 v23.16b,v22.16b,v7.16b\n\tadd\tv4.2d,v1.2d,v3.2d\t\t// \"D + T1\"\n.long\t0xce608423\t//sha512h2 v3.16b,v1.16b,v0.16b\n\tadd\tv24.2d,v24.2d,v16.2d\n\tld1\t{v25.2d},[x3],#16\n\text\tv24.16b,v24.16b,v24.16b,#8\n\text\tv5.16b,v4.16b,v2.16b,#8\n\text\tv6.16b,v0.16b,v4.16b,#8\n\tadd\tv2.2d,v2.2d,v24.2d\t\t\t// \"T1 + H + K512[i]\"\n.long\t0xcec08230\t//sha512su0 v16.16b,v17.16b\n\text\tv7.16b,v20.16b,v21.16b,#8\n.long\t0xce6680a2\t//sha512h v2.16b,v5.16b,v6.16b\n.long\t0xce678af0\t//sha512su1 v16.16b,v23.16b,v7.16b\n\tadd\tv1.2d,v0.2d,v2.2d\t\t// \"D + T1\"\n.long\t0xce638402\t//sha512h2 v2.16b,v0.16b,v3.16b\n\tadd\tv25.2d,v25.2d,v17.2d\n\tld1\t{v24.2d},[x3],#16\n\text\tv25.16b,v25.16b,v25.16b,#8\n\text\tv5.16b,v1.16b,v4.16b,#8\n\text\tv6.16b,v3.16b,v1.16b,#8\n\tadd\tv4.2d,v4.2d,v25.2d\t\t\t// \"T1 + H + K512[i]\"\n.long\t0xcec08251\t//sha512su0 v17.16b,v18.16b\n\text\tv7.16b,v21.16b,v22.16b,#8\n.long\t0xce6680a4\t//sha512h v4.16b,v5.16b,v6.16b\n.long\t0xce678a11\t//sha512su1 v17.16b,v16.16b,v7.16b\n\tadd\tv0.2d,v3.2d,v4.2d\t\t// \"D + T1\"\n.long\t0xce628464\t//sha512h2 v4.16b,v3.16b,v2.16b\n\tadd\tv24.2d,v24.2d,v18.2d\n\tld1\t{v25.2d},[x3],#16\n\text\tv24.16b,v24.16b,v24.16b,#8\n\text\tv5.16b,v0.16b,v1.16b,#8\n\text\tv6.16b,v2.16b,v0.16b,#8\n\tadd\tv1.2d,v1.2d,v24.2d\t\t\t// \"T1 + H + K512[i]\"\n.long\t0xcec08272\t//sha512su0 v18.16b,v19.16b\n\text\tv7.16b,v22.16b,v23.16b,#8\n.long\t0xce6680a1\t//sha512h v1.16b,v5.16b,v6.16b\n.long\t0xce678a32\t//sha512su1 v18.16b,v17.16b,v7.16b\n\tadd\tv3.2d,v2.2d,v1.2d\t\t// \"D + T1\"\n.long\t0xce648441\t//sha512h2 v1.16b,v2.16b,v4.16b\n\tadd\tv25.2d,v25.2d,v19.2d\n\tld1\t{v24.2d},[x3],#16\n\text\tv25.16b,v25.16b,v25.16b,#8\n\text\tv5.16b,v3.16b,v0.16b,#8\n\text\tv6.16b,v4.16b,v3.16b,#8\n\tadd\tv0.2d,v0.2d,v25.2d\t\t\t// \"T1 + H + K512[i]\"\n.long\t0xcec08293\t//sha512su0 v19.16b,v20.16b\n\text\tv7.16b,v23.16b,v16.16b,#8\n.long\t0xce6680a0\t//sha512h v0.16b,v5.16b,v6.16b\n.long\t0xce678a53\t//sha512su1 v19.16b,v18.16b,v7.16b\n\tadd\tv2.2d,v4.2d,v0.2d\t\t// \"D + T1\"\n.long\t0xce618480\t//sha512h2 v0.16b,v4.16b,v1.16b\n\tadd\tv24.2d,v24.2d,v20.2d\n\tld1\t{v25.2d},[x3],#16\n\text\tv24.16b,v24.16b,v24.16b,#8\n\text\tv5.16b,v2.16b,v3.16b,#8\n\text\tv6.16b,v1.16b,v2.16b,#8\n\tadd\tv3.2d,v3.2d,v24.2d\t\t\t// \"T1 + H + K512[i]\"\n.long\t0xcec082b4\t//sha512su0 v20.16b,v21.16b\n\text\tv7.16b,v16.16b,v17.16b,#8\n.long\t0xce6680a3\t//sha512h v3.16b,v5.16b,v6.16b\n.long\t0xce678a74\t//sha512su1 v20.16b,v19.16b,v7.16b\n\tadd\tv4.2d,v1.2d,v3.2d\t\t// \"D + T1\"\n.long\t0xce608423\t//sha512h2 v3.16b,v1.16b,v0.16b\n\tadd\tv25.2d,v25.2d,v21.2d\n\tld1\t{v24.2d},[x3],#16\n\text\tv25.16b,v25.16b,v25.16b,#8\n\text\tv5.16b,v4.16b,v2.16b,#8\n\text\tv6.16b,v0.16b,v4.16b,#8\n\tadd\tv2.2d,v2.2d,v25.2d\t\t\t// \"T1 + H + K512[i]\"\n.long\t0xcec082d5\t//sha512su0 v21.16b,v22.16b\n\text\tv7.16b,v17.16b,v18.16b,#8\n.long\t0xce6680a2\t//sha512h v2.16b,v5.16b,v6.16b\n.long\t0xce678a95\t//sha512su1 v21.16b,v20.16b,v7.16b\n\tadd\tv1.2d,v0.2d,v2.2d\t\t// \"D + T1\"\n.long\t0xce638402\t//sha512h2 v2.16b,v0.16b,v3.16b\n\tadd\tv24.2d,v24.2d,v22.2d\n\tld1\t{v25.2d},[x3],#16\n\text\tv24.16b,v24.16b,v24.16b,#8\n\text\tv5.16b,v1.16b,v4.16b,#8\n\text\tv6.16b,v3.16b,v1.16b,#8\n\tadd\tv4.2d,v4.2d,v24.2d\t\t\t// \"T1 + H + K512[i]\"\n.long\t0xcec082f6\t//sha512su0 v22.16b,v23.16b\n\text\tv7.16b,v18.16b,v19.16b,#8\n.long\t0xce6680a4\t//sha512h v4.16b,v5.16b,v6.16b\n.long\t0xce678ab6\t//sha512su1 v22.16b,v21.16b,v7.16b\n\tadd\tv0.2d,v3.2d,v4.2d\t\t// \"D + T1\"\n.long\t0xce628464\t//sha512h2 v4.16b,v3.16b,v2.16b\n\tadd\tv25.2d,v25.2d,v23.2d\n\tld1\t{v24.2d},[x3],#16\n\text\tv25.16b,v25.16b,v25.16b,#8\n\text\tv5.16b,v0.16b,v1.16b,#8\n\text\tv6.16b,v2.16b,v0.16b,#8\n\tadd\tv1.2d,v1.2d,v25.2d\t\t\t// \"T1 + H + K512[i]\"\n.long\t0xcec08217\t//sha512su0 v23.16b,v16.16b\n\text\tv7.16b,v19.16b,v20.16b,#8\n.long\t0xce6680a1\t//sha512h v1.16b,v5.16b,v6.16b\n.long\t0xce678ad7\t//sha512su1 v23.16b,v22.16b,v7.16b\n\tadd\tv3.2d,v2.2d,v1.2d\t\t// \"D + T1\"\n.long\t0xce648441\t//sha512h2 v1.16b,v2.16b,v4.16b\n\tadd\tv24.2d,v24.2d,v16.2d\n\tld1\t{v25.2d},[x3],#16\n\text\tv24.16b,v24.16b,v24.16b,#8\n\text\tv5.16b,v3.16b,v0.16b,#8\n\text\tv6.16b,v4.16b,v3.16b,#8\n\tadd\tv0.2d,v0.2d,v24.2d\t\t\t// \"T1 + H + K512[i]\"\n.long\t0xcec08230\t//sha512su0 v16.16b,v17.16b\n\text\tv7.16b,v20.16b,v21.16b,#8\n.long\t0xce6680a0\t//sha512h v0.16b,v5.16b,v6.16b\n.long\t0xce678af0\t//sha512su1 v16.16b,v23.16b,v7.16b\n\tadd\tv2.2d,v4.2d,v0.2d\t\t// \"D + T1\"\n.long\t0xce618480\t//sha512h2 v0.16b,v4.16b,v1.16b\n\tadd\tv25.2d,v25.2d,v17.2d\n\tld1\t{v24.2d},[x3],#16\n\text\tv25.16b,v25.16b,v25.16b,#8\n\text\tv5.16b,v2.16b,v3.16b,#8\n\text\tv6.16b,v1.16b,v2.16b,#8\n\tadd\tv3.2d,v3.2d,v25.2d\t\t\t// \"T1 + H + K512[i]\"\n.long\t0xcec08251\t//sha512su0 v17.16b,v18.16b\n\text\tv7.16b,v21.16b,v22.16b,#8\n.long\t0xce6680a3\t//sha512h v3.16b,v5.16b,v6.16b\n.long\t0xce678a11\t//sha512su1 v17.16b,v16.16b,v7.16b\n\tadd\tv4.2d,v1.2d,v3.2d\t\t// \"D + T1\"\n.long\t0xce608423\t//sha512h2 v3.16b,v1.16b,v0.16b\n\tadd\tv24.2d,v24.2d,v18.2d\n\tld1\t{v25.2d},[x3],#16\n\text\tv24.16b,v24.16b,v24.16b,#8\n\text\tv5.16b,v4.16b,v2.16b,#8\n\text\tv6.16b,v0.16b,v4.16b,#8\n\tadd\tv2.2d,v2.2d,v24.2d\t\t\t// \"T1 + H + K512[i]\"\n.long\t0xcec08272\t//sha512su0 v18.16b,v19.16b\n\text\tv7.16b,v22.16b,v23.16b,#8\n.long\t0xce6680a2\t//sha512h v2.16b,v5.16b,v6.16b\n.long\t0xce678a32\t//sha512su1 v18.16b,v17.16b,v7.16b\n\tadd\tv1.2d,v0.2d,v2.2d\t\t// \"D + T1\"\n.long\t0xce638402\t//sha512h2 v2.16b,v0.16b,v3.16b\n\tadd\tv25.2d,v25.2d,v19.2d\n\tld1\t{v24.2d},[x3],#16\n\text\tv25.16b,v25.16b,v25.16b,#8\n\text\tv5.16b,v1.16b,v4.16b,#8\n\text\tv6.16b,v3.16b,v1.16b,#8\n\tadd\tv4.2d,v4.2d,v25.2d\t\t\t// \"T1 + H + K512[i]\"\n.long\t0xcec08293\t//sha512su0 v19.16b,v20.16b\n\text\tv7.16b,v23.16b,v16.16b,#8\n.long\t0xce6680a4\t//sha512h v4.16b,v5.16b,v6.16b\n.long\t0xce678a53\t//sha512su1 v19.16b,v18.16b,v7.16b\n\tadd\tv0.2d,v3.2d,v4.2d\t\t// \"D + T1\"\n.long\t0xce628464\t//sha512h2 v4.16b,v3.16b,v2.16b\n\tadd\tv24.2d,v24.2d,v20.2d\n\tld1\t{v25.2d},[x3],#16\n\text\tv24.16b,v24.16b,v24.16b,#8\n\text\tv5.16b,v0.16b,v1.16b,#8\n\text\tv6.16b,v2.16b,v0.16b,#8\n\tadd\tv1.2d,v1.2d,v24.2d\t\t\t// \"T1 + H + K512[i]\"\n.long\t0xcec082b4\t//sha512su0 v20.16b,v21.16b\n\text\tv7.16b,v16.16b,v17.16b,#8\n.long\t0xce6680a1\t//sha512h v1.16b,v5.16b,v6.16b\n.long\t0xce678a74\t//sha512su1 v20.16b,v19.16b,v7.16b\n\tadd\tv3.2d,v2.2d,v1.2d\t\t// \"D + T1\"\n.long\t0xce648441\t//sha512h2 v1.16b,v2.16b,v4.16b\n\tadd\tv25.2d,v25.2d,v21.2d\n\tld1\t{v24.2d},[x3],#16\n\text\tv25.16b,v25.16b,v25.16b,#8\n\text\tv5.16b,v3.16b,v0.16b,#8\n\text\tv6.16b,v4.16b,v3.16b,#8\n\tadd\tv0.2d,v0.2d,v25.2d\t\t\t// \"T1 + H + K512[i]\"\n.long\t0xcec082d5\t//sha512su0 v21.16b,v22.16b\n\text\tv7.16b,v17.16b,v18.16b,#8\n.long\t0xce6680a0\t//sha512h v0.16b,v5.16b,v6.16b\n.long\t0xce678a95\t//sha512su1 v21.16b,v20.16b,v7.16b\n\tadd\tv2.2d,v4.2d,v0.2d\t\t// \"D + T1\"\n.long\t0xce618480\t//sha512h2 v0.16b,v4.16b,v1.16b\n\tadd\tv24.2d,v24.2d,v22.2d\n\tld1\t{v25.2d},[x3],#16\n\text\tv24.16b,v24.16b,v24.16b,#8\n\text\tv5.16b,v2.16b,v3.16b,#8\n\text\tv6.16b,v1.16b,v2.16b,#8\n\tadd\tv3.2d,v3.2d,v24.2d\t\t\t// \"T1 + H + K512[i]\"\n.long\t0xcec082f6\t//sha512su0 v22.16b,v23.16b\n\text\tv7.16b,v18.16b,v19.16b,#8\n.long\t0xce6680a3\t//sha512h v3.16b,v5.16b,v6.16b\n.long\t0xce678ab6\t//sha512su1 v22.16b,v21.16b,v7.16b\n\tadd\tv4.2d,v1.2d,v3.2d\t\t// \"D + T1\"\n.long\t0xce608423\t//sha512h2 v3.16b,v1.16b,v0.16b\n\tadd\tv25.2d,v25.2d,v23.2d\n\tld1\t{v24.2d},[x3],#16\n\text\tv25.16b,v25.16b,v25.16b,#8\n\text\tv5.16b,v4.16b,v2.16b,#8\n\text\tv6.16b,v0.16b,v4.16b,#8\n\tadd\tv2.2d,v2.2d,v25.2d\t\t\t// \"T1 + H + K512[i]\"\n.long\t0xcec08217\t//sha512su0 v23.16b,v16.16b\n\text\tv7.16b,v19.16b,v20.16b,#8\n.long\t0xce6680a2\t//sha512h v2.16b,v5.16b,v6.16b\n.long\t0xce678ad7\t//sha512su1 v23.16b,v22.16b,v7.16b\n\tadd\tv1.2d,v0.2d,v2.2d\t\t// \"D + T1\"\n.long\t0xce638402\t//sha512h2 v2.16b,v0.16b,v3.16b\n\tld1\t{v25.2d},[x3],#16\n\tadd\tv24.2d,v24.2d,v16.2d\n\tld1\t{v16.16b},[x1],#16\t\t// load next input\n\text\tv24.16b,v24.16b,v24.16b,#8\n\text\tv5.16b,v1.16b,v4.16b,#8\n\text\tv6.16b,v3.16b,v1.16b,#8\n\tadd\tv4.2d,v4.2d,v24.2d\t\t\t// \"T1 + H + K512[i]\"\n.long\t0xce6680a4\t//sha512h v4.16b,v5.16b,v6.16b\n\trev64\tv16.16b,v16.16b\n\tadd\tv0.2d,v3.2d,v4.2d\t\t// \"D + T1\"\n.long\t0xce628464\t//sha512h2 v4.16b,v3.16b,v2.16b\n\tld1\t{v24.2d},[x3],#16\n\tadd\tv25.2d,v25.2d,v17.2d\n\tld1\t{v17.16b},[x1],#16\t\t// load next input\n\text\tv25.16b,v25.16b,v25.16b,#8\n\text\tv5.16b,v0.16b,v1.16b,#8\n\text\tv6.16b,v2.16b,v0.16b,#8\n\tadd\tv1.2d,v1.2d,v25.2d\t\t\t// \"T1 + H + K512[i]\"\n.long\t0xce6680a1\t//sha512h v1.16b,v5.16b,v6.16b\n\trev64\tv17.16b,v17.16b\n\tadd\tv3.2d,v2.2d,v1.2d\t\t// \"D + T1\"\n.long\t0xce648441\t//sha512h2 v1.16b,v2.16b,v4.16b\n\tld1\t{v25.2d},[x3],#16\n\tadd\tv24.2d,v24.2d,v18.2d\n\tld1\t{v18.16b},[x1],#16\t\t// load next input\n\text\tv24.16b,v24.16b,v24.16b,#8\n\text\tv5.16b,v3.16b,v0.16b,#8\n\text\tv6.16b,v4.16b,v3.16b,#8\n\tadd\tv0.2d,v0.2d,v24.2d\t\t\t// \"T1 + H + K512[i]\"\n.long\t0xce6680a0\t//sha512h v0.16b,v5.16b,v6.16b\n\trev64\tv18.16b,v18.16b\n\tadd\tv2.2d,v4.2d,v0.2d\t\t// \"D + T1\"\n.long\t0xce618480\t//sha512h2 v0.16b,v4.16b,v1.16b\n\tld1\t{v24.2d},[x3],#16\n\tadd\tv25.2d,v25.2d,v19.2d\n\tld1\t{v19.16b},[x1],#16\t\t// load next input\n\text\tv25.16b,v25.16b,v25.16b,#8\n\text\tv5.16b,v2.16b,v3.16b,#8\n\text\tv6.16b,v1.16b,v2.16b,#8\n\tadd\tv3.2d,v3.2d,v25.2d\t\t\t// \"T1 + H + K512[i]\"\n.long\t0xce6680a3\t//sha512h v3.16b,v5.16b,v6.16b\n\trev64\tv19.16b,v19.16b\n\tadd\tv4.2d,v1.2d,v3.2d\t\t// \"D + T1\"\n.long\t0xce608423\t//sha512h2 v3.16b,v1.16b,v0.16b\n\tld1\t{v25.2d},[x3],#16\n\tadd\tv24.2d,v24.2d,v20.2d\n\tld1\t{v20.16b},[x1],#16\t\t// load next input\n\text\tv24.16b,v24.16b,v24.16b,#8\n\text\tv5.16b,v4.16b,v2.16b,#8\n\text\tv6.16b,v0.16b,v4.16b,#8\n\tadd\tv2.2d,v2.2d,v24.2d\t\t\t// \"T1 + H + K512[i]\"\n.long\t0xce6680a2\t//sha512h v2.16b,v5.16b,v6.16b\n\trev64\tv20.16b,v20.16b\n\tadd\tv1.2d,v0.2d,v2.2d\t\t// \"D + T1\"\n.long\t0xce638402\t//sha512h2 v2.16b,v0.16b,v3.16b\n\tld1\t{v24.2d},[x3],#16\n\tadd\tv25.2d,v25.2d,v21.2d\n\tld1\t{v21.16b},[x1],#16\t\t// load next input\n\text\tv25.16b,v25.16b,v25.16b,#8\n\text\tv5.16b,v1.16b,v4.16b,#8\n\text\tv6.16b,v3.16b,v1.16b,#8\n\tadd\tv4.2d,v4.2d,v25.2d\t\t\t// \"T1 + H + K512[i]\"\n.long\t0xce6680a4\t//sha512h v4.16b,v5.16b,v6.16b\n\trev64\tv21.16b,v21.16b\n\tadd\tv0.2d,v3.2d,v4.2d\t\t// \"D + T1\"\n.long\t0xce628464\t//sha512h2 v4.16b,v3.16b,v2.16b\n\tld1\t{v25.2d},[x3],#16\n\tadd\tv24.2d,v24.2d,v22.2d\n\tld1\t{v22.16b},[x1],#16\t\t// load next input\n\text\tv24.16b,v24.16b,v24.16b,#8\n\text\tv5.16b,v0.16b,v1.16b,#8\n\text\tv6.16b,v2.16b,v0.16b,#8\n\tadd\tv1.2d,v1.2d,v24.2d\t\t\t// \"T1 + H + K512[i]\"\n.long\t0xce6680a1\t//sha512h v1.16b,v5.16b,v6.16b\n\trev64\tv22.16b,v22.16b\n\tadd\tv3.2d,v2.2d,v1.2d\t\t// \"D + T1\"\n.long\t0xce648441\t//sha512h2 v1.16b,v2.16b,v4.16b\n\tsub\tx3,x3,#80*8\t// rewind\n\tadd\tv25.2d,v25.2d,v23.2d\n\tld1\t{v23.16b},[x1],#16\t\t// load next input\n\text\tv25.16b,v25.16b,v25.16b,#8\n\text\tv5.16b,v3.16b,v0.16b,#8\n\text\tv6.16b,v4.16b,v3.16b,#8\n\tadd\tv0.2d,v0.2d,v25.2d\t\t\t// \"T1 + H + K512[i]\"\n.long\t0xce6680a0\t//sha512h v0.16b,v5.16b,v6.16b\n\trev64\tv23.16b,v23.16b\n\tadd\tv2.2d,v4.2d,v0.2d\t\t// \"D + T1\"\n.long\t0xce618480\t//sha512h2 v0.16b,v4.16b,v1.16b\n\tadd\tv0.2d,v0.2d,v26.2d\t\t\t// accumulate\n\tadd\tv1.2d,v1.2d,v27.2d\n\tadd\tv2.2d,v2.2d,v28.2d\n\tadd\tv3.2d,v3.2d,v29.2d\n\n\tcbnz\tx2,Loop_hw\n\n\tst1\t{v0.2d,v1.2d,v2.2d,v3.2d},[x0]\t\t// store context\n\n\tldr\tx29,[sp],#16\n\tret\n\n#endif\n#endif // !OPENSSL_NO_ASM && defined(OPENSSL_AARCH64) && defined(_WIN32)\n#if defined(__linux__) && defined(__ELF__)\n.section .note.GNU-stack,\"\",%progbits\n#endif\n\n" }, { "path": "Sources/CNIOBoringSSL/gen/bcm/sha512-x86_64-apple.S", "content": "#define BORINGSSL_PREFIX CNIOBoringSSL\n// This file is generated from a similarly-named Perl script in the BoringSSL\n// source tree. Do not edit by hand.\n\n#include \n\n#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86_64) && defined(__APPLE__)\n.text\t\n\n.globl\t_sha512_block_data_order_nohw\n.private_extern _sha512_block_data_order_nohw\n\n.p2align\t4\n_sha512_block_data_order_nohw:\n\n_CET_ENDBR\n\tmovq\t%rsp,%rax\n\n\tpushq\t%rbx\n\n\tpushq\t%rbp\n\n\tpushq\t%r12\n\n\tpushq\t%r13\n\n\tpushq\t%r14\n\n\tpushq\t%r15\n\n\tshlq\t$4,%rdx\n\tsubq\t$128+32,%rsp\n\tleaq\t(%rsi,%rdx,8),%rdx\n\tandq\t$-64,%rsp\n\tmovq\t%rdi,128+0(%rsp)\n\tmovq\t%rsi,128+8(%rsp)\n\tmovq\t%rdx,128+16(%rsp)\n\tmovq\t%rax,152(%rsp)\n\nL$prologue:\n\n\tmovq\t0(%rdi),%rax\n\tmovq\t8(%rdi),%rbx\n\tmovq\t16(%rdi),%rcx\n\tmovq\t24(%rdi),%rdx\n\tmovq\t32(%rdi),%r8\n\tmovq\t40(%rdi),%r9\n\tmovq\t48(%rdi),%r10\n\tmovq\t56(%rdi),%r11\n\tjmp\tL$loop\n\n.p2align\t4\nL$loop:\n\tmovq\t%rbx,%rdi\n\tleaq\tK512(%rip),%rbp\n\txorq\t%rcx,%rdi\n\tmovq\t0(%rsi),%r12\n\tmovq\t%r8,%r13\n\tmovq\t%rax,%r14\n\tbswapq\t%r12\n\trorq\t$23,%r13\n\tmovq\t%r9,%r15\n\n\txorq\t%r8,%r13\n\trorq\t$5,%r14\n\txorq\t%r10,%r15\n\n\tmovq\t%r12,0(%rsp)\n\txorq\t%rax,%r14\n\tandq\t%r8,%r15\n\n\trorq\t$4,%r13\n\taddq\t%r11,%r12\n\txorq\t%r10,%r15\n\n\trorq\t$6,%r14\n\txorq\t%r8,%r13\n\taddq\t%r15,%r12\n\n\tmovq\t%rax,%r15\n\taddq\t(%rbp),%r12\n\txorq\t%rax,%r14\n\n\txorq\t%rbx,%r15\n\trorq\t$14,%r13\n\tmovq\t%rbx,%r11\n\n\tandq\t%r15,%rdi\n\trorq\t$28,%r14\n\taddq\t%r13,%r12\n\n\txorq\t%rdi,%r11\n\taddq\t%r12,%rdx\n\taddq\t%r12,%r11\n\n\tleaq\t8(%rbp),%rbp\n\taddq\t%r14,%r11\n\tmovq\t8(%rsi),%r12\n\tmovq\t%rdx,%r13\n\tmovq\t%r11,%r14\n\tbswapq\t%r12\n\trorq\t$23,%r13\n\tmovq\t%r8,%rdi\n\n\txorq\t%rdx,%r13\n\trorq\t$5,%r14\n\txorq\t%r9,%rdi\n\n\tmovq\t%r12,8(%rsp)\n\txorq\t%r11,%r14\n\tandq\t%rdx,%rdi\n\n\trorq\t$4,%r13\n\taddq\t%r10,%r12\n\txorq\t%r9,%rdi\n\n\trorq\t$6,%r14\n\txorq\t%rdx,%r13\n\taddq\t%rdi,%r12\n\n\tmovq\t%r11,%rdi\n\taddq\t(%rbp),%r12\n\txorq\t%r11,%r14\n\n\txorq\t%rax,%rdi\n\trorq\t$14,%r13\n\tmovq\t%rax,%r10\n\n\tandq\t%rdi,%r15\n\trorq\t$28,%r14\n\taddq\t%r13,%r12\n\n\txorq\t%r15,%r10\n\taddq\t%r12,%rcx\n\taddq\t%r12,%r10\n\n\tleaq\t24(%rbp),%rbp\n\taddq\t%r14,%r10\n\tmovq\t16(%rsi),%r12\n\tmovq\t%rcx,%r13\n\tmovq\t%r10,%r14\n\tbswapq\t%r12\n\trorq\t$23,%r13\n\tmovq\t%rdx,%r15\n\n\txorq\t%rcx,%r13\n\trorq\t$5,%r14\n\txorq\t%r8,%r15\n\n\tmovq\t%r12,16(%rsp)\n\txorq\t%r10,%r14\n\tandq\t%rcx,%r15\n\n\trorq\t$4,%r13\n\taddq\t%r9,%r12\n\txorq\t%r8,%r15\n\n\trorq\t$6,%r14\n\txorq\t%rcx,%r13\n\taddq\t%r15,%r12\n\n\tmovq\t%r10,%r15\n\taddq\t(%rbp),%r12\n\txorq\t%r10,%r14\n\n\txorq\t%r11,%r15\n\trorq\t$14,%r13\n\tmovq\t%r11,%r9\n\n\tandq\t%r15,%rdi\n\trorq\t$28,%r14\n\taddq\t%r13,%r12\n\n\txorq\t%rdi,%r9\n\taddq\t%r12,%rbx\n\taddq\t%r12,%r9\n\n\tleaq\t8(%rbp),%rbp\n\taddq\t%r14,%r9\n\tmovq\t24(%rsi),%r12\n\tmovq\t%rbx,%r13\n\tmovq\t%r9,%r14\n\tbswapq\t%r12\n\trorq\t$23,%r13\n\tmovq\t%rcx,%rdi\n\n\txorq\t%rbx,%r13\n\trorq\t$5,%r14\n\txorq\t%rdx,%rdi\n\n\tmovq\t%r12,24(%rsp)\n\txorq\t%r9,%r14\n\tandq\t%rbx,%rdi\n\n\trorq\t$4,%r13\n\taddq\t%r8,%r12\n\txorq\t%rdx,%rdi\n\n\trorq\t$6,%r14\n\txorq\t%rbx,%r13\n\taddq\t%rdi,%r12\n\n\tmovq\t%r9,%rdi\n\taddq\t(%rbp),%r12\n\txorq\t%r9,%r14\n\n\txorq\t%r10,%rdi\n\trorq\t$14,%r13\n\tmovq\t%r10,%r8\n\n\tandq\t%rdi,%r15\n\trorq\t$28,%r14\n\taddq\t%r13,%r12\n\n\txorq\t%r15,%r8\n\taddq\t%r12,%rax\n\taddq\t%r12,%r8\n\n\tleaq\t24(%rbp),%rbp\n\taddq\t%r14,%r8\n\tmovq\t32(%rsi),%r12\n\tmovq\t%rax,%r13\n\tmovq\t%r8,%r14\n\tbswapq\t%r12\n\trorq\t$23,%r13\n\tmovq\t%rbx,%r15\n\n\txorq\t%rax,%r13\n\trorq\t$5,%r14\n\txorq\t%rcx,%r15\n\n\tmovq\t%r12,32(%rsp)\n\txorq\t%r8,%r14\n\tandq\t%rax,%r15\n\n\trorq\t$4,%r13\n\taddq\t%rdx,%r12\n\txorq\t%rcx,%r15\n\n\trorq\t$6,%r14\n\txorq\t%rax,%r13\n\taddq\t%r15,%r12\n\n\tmovq\t%r8,%r15\n\taddq\t(%rbp),%r12\n\txorq\t%r8,%r14\n\n\txorq\t%r9,%r15\n\trorq\t$14,%r13\n\tmovq\t%r9,%rdx\n\n\tandq\t%r15,%rdi\n\trorq\t$28,%r14\n\taddq\t%r13,%r12\n\n\txorq\t%rdi,%rdx\n\taddq\t%r12,%r11\n\taddq\t%r12,%rdx\n\n\tleaq\t8(%rbp),%rbp\n\taddq\t%r14,%rdx\n\tmovq\t40(%rsi),%r12\n\tmovq\t%r11,%r13\n\tmovq\t%rdx,%r14\n\tbswapq\t%r12\n\trorq\t$23,%r13\n\tmovq\t%rax,%rdi\n\n\txorq\t%r11,%r13\n\trorq\t$5,%r14\n\txorq\t%rbx,%rdi\n\n\tmovq\t%r12,40(%rsp)\n\txorq\t%rdx,%r14\n\tandq\t%r11,%rdi\n\n\trorq\t$4,%r13\n\taddq\t%rcx,%r12\n\txorq\t%rbx,%rdi\n\n\trorq\t$6,%r14\n\txorq\t%r11,%r13\n\taddq\t%rdi,%r12\n\n\tmovq\t%rdx,%rdi\n\taddq\t(%rbp),%r12\n\txorq\t%rdx,%r14\n\n\txorq\t%r8,%rdi\n\trorq\t$14,%r13\n\tmovq\t%r8,%rcx\n\n\tandq\t%rdi,%r15\n\trorq\t$28,%r14\n\taddq\t%r13,%r12\n\n\txorq\t%r15,%rcx\n\taddq\t%r12,%r10\n\taddq\t%r12,%rcx\n\n\tleaq\t24(%rbp),%rbp\n\taddq\t%r14,%rcx\n\tmovq\t48(%rsi),%r12\n\tmovq\t%r10,%r13\n\tmovq\t%rcx,%r14\n\tbswapq\t%r12\n\trorq\t$23,%r13\n\tmovq\t%r11,%r15\n\n\txorq\t%r10,%r13\n\trorq\t$5,%r14\n\txorq\t%rax,%r15\n\n\tmovq\t%r12,48(%rsp)\n\txorq\t%rcx,%r14\n\tandq\t%r10,%r15\n\n\trorq\t$4,%r13\n\taddq\t%rbx,%r12\n\txorq\t%rax,%r15\n\n\trorq\t$6,%r14\n\txorq\t%r10,%r13\n\taddq\t%r15,%r12\n\n\tmovq\t%rcx,%r15\n\taddq\t(%rbp),%r12\n\txorq\t%rcx,%r14\n\n\txorq\t%rdx,%r15\n\trorq\t$14,%r13\n\tmovq\t%rdx,%rbx\n\n\tandq\t%r15,%rdi\n\trorq\t$28,%r14\n\taddq\t%r13,%r12\n\n\txorq\t%rdi,%rbx\n\taddq\t%r12,%r9\n\taddq\t%r12,%rbx\n\n\tleaq\t8(%rbp),%rbp\n\taddq\t%r14,%rbx\n\tmovq\t56(%rsi),%r12\n\tmovq\t%r9,%r13\n\tmovq\t%rbx,%r14\n\tbswapq\t%r12\n\trorq\t$23,%r13\n\tmovq\t%r10,%rdi\n\n\txorq\t%r9,%r13\n\trorq\t$5,%r14\n\txorq\t%r11,%rdi\n\n\tmovq\t%r12,56(%rsp)\n\txorq\t%rbx,%r14\n\tandq\t%r9,%rdi\n\n\trorq\t$4,%r13\n\taddq\t%rax,%r12\n\txorq\t%r11,%rdi\n\n\trorq\t$6,%r14\n\txorq\t%r9,%r13\n\taddq\t%rdi,%r12\n\n\tmovq\t%rbx,%rdi\n\taddq\t(%rbp),%r12\n\txorq\t%rbx,%r14\n\n\txorq\t%rcx,%rdi\n\trorq\t$14,%r13\n\tmovq\t%rcx,%rax\n\n\tandq\t%rdi,%r15\n\trorq\t$28,%r14\n\taddq\t%r13,%r12\n\n\txorq\t%r15,%rax\n\taddq\t%r12,%r8\n\taddq\t%r12,%rax\n\n\tleaq\t24(%rbp),%rbp\n\taddq\t%r14,%rax\n\tmovq\t64(%rsi),%r12\n\tmovq\t%r8,%r13\n\tmovq\t%rax,%r14\n\tbswapq\t%r12\n\trorq\t$23,%r13\n\tmovq\t%r9,%r15\n\n\txorq\t%r8,%r13\n\trorq\t$5,%r14\n\txorq\t%r10,%r15\n\n\tmovq\t%r12,64(%rsp)\n\txorq\t%rax,%r14\n\tandq\t%r8,%r15\n\n\trorq\t$4,%r13\n\taddq\t%r11,%r12\n\txorq\t%r10,%r15\n\n\trorq\t$6,%r14\n\txorq\t%r8,%r13\n\taddq\t%r15,%r12\n\n\tmovq\t%rax,%r15\n\taddq\t(%rbp),%r12\n\txorq\t%rax,%r14\n\n\txorq\t%rbx,%r15\n\trorq\t$14,%r13\n\tmovq\t%rbx,%r11\n\n\tandq\t%r15,%rdi\n\trorq\t$28,%r14\n\taddq\t%r13,%r12\n\n\txorq\t%rdi,%r11\n\taddq\t%r12,%rdx\n\taddq\t%r12,%r11\n\n\tleaq\t8(%rbp),%rbp\n\taddq\t%r14,%r11\n\tmovq\t72(%rsi),%r12\n\tmovq\t%rdx,%r13\n\tmovq\t%r11,%r14\n\tbswapq\t%r12\n\trorq\t$23,%r13\n\tmovq\t%r8,%rdi\n\n\txorq\t%rdx,%r13\n\trorq\t$5,%r14\n\txorq\t%r9,%rdi\n\n\tmovq\t%r12,72(%rsp)\n\txorq\t%r11,%r14\n\tandq\t%rdx,%rdi\n\n\trorq\t$4,%r13\n\taddq\t%r10,%r12\n\txorq\t%r9,%rdi\n\n\trorq\t$6,%r14\n\txorq\t%rdx,%r13\n\taddq\t%rdi,%r12\n\n\tmovq\t%r11,%rdi\n\taddq\t(%rbp),%r12\n\txorq\t%r11,%r14\n\n\txorq\t%rax,%rdi\n\trorq\t$14,%r13\n\tmovq\t%rax,%r10\n\n\tandq\t%rdi,%r15\n\trorq\t$28,%r14\n\taddq\t%r13,%r12\n\n\txorq\t%r15,%r10\n\taddq\t%r12,%rcx\n\taddq\t%r12,%r10\n\n\tleaq\t24(%rbp),%rbp\n\taddq\t%r14,%r10\n\tmovq\t80(%rsi),%r12\n\tmovq\t%rcx,%r13\n\tmovq\t%r10,%r14\n\tbswapq\t%r12\n\trorq\t$23,%r13\n\tmovq\t%rdx,%r15\n\n\txorq\t%rcx,%r13\n\trorq\t$5,%r14\n\txorq\t%r8,%r15\n\n\tmovq\t%r12,80(%rsp)\n\txorq\t%r10,%r14\n\tandq\t%rcx,%r15\n\n\trorq\t$4,%r13\n\taddq\t%r9,%r12\n\txorq\t%r8,%r15\n\n\trorq\t$6,%r14\n\txorq\t%rcx,%r13\n\taddq\t%r15,%r12\n\n\tmovq\t%r10,%r15\n\taddq\t(%rbp),%r12\n\txorq\t%r10,%r14\n\n\txorq\t%r11,%r15\n\trorq\t$14,%r13\n\tmovq\t%r11,%r9\n\n\tandq\t%r15,%rdi\n\trorq\t$28,%r14\n\taddq\t%r13,%r12\n\n\txorq\t%rdi,%r9\n\taddq\t%r12,%rbx\n\taddq\t%r12,%r9\n\n\tleaq\t8(%rbp),%rbp\n\taddq\t%r14,%r9\n\tmovq\t88(%rsi),%r12\n\tmovq\t%rbx,%r13\n\tmovq\t%r9,%r14\n\tbswapq\t%r12\n\trorq\t$23,%r13\n\tmovq\t%rcx,%rdi\n\n\txorq\t%rbx,%r13\n\trorq\t$5,%r14\n\txorq\t%rdx,%rdi\n\n\tmovq\t%r12,88(%rsp)\n\txorq\t%r9,%r14\n\tandq\t%rbx,%rdi\n\n\trorq\t$4,%r13\n\taddq\t%r8,%r12\n\txorq\t%rdx,%rdi\n\n\trorq\t$6,%r14\n\txorq\t%rbx,%r13\n\taddq\t%rdi,%r12\n\n\tmovq\t%r9,%rdi\n\taddq\t(%rbp),%r12\n\txorq\t%r9,%r14\n\n\txorq\t%r10,%rdi\n\trorq\t$14,%r13\n\tmovq\t%r10,%r8\n\n\tandq\t%rdi,%r15\n\trorq\t$28,%r14\n\taddq\t%r13,%r12\n\n\txorq\t%r15,%r8\n\taddq\t%r12,%rax\n\taddq\t%r12,%r8\n\n\tleaq\t24(%rbp),%rbp\n\taddq\t%r14,%r8\n\tmovq\t96(%rsi),%r12\n\tmovq\t%rax,%r13\n\tmovq\t%r8,%r14\n\tbswapq\t%r12\n\trorq\t$23,%r13\n\tmovq\t%rbx,%r15\n\n\txorq\t%rax,%r13\n\trorq\t$5,%r14\n\txorq\t%rcx,%r15\n\n\tmovq\t%r12,96(%rsp)\n\txorq\t%r8,%r14\n\tandq\t%rax,%r15\n\n\trorq\t$4,%r13\n\taddq\t%rdx,%r12\n\txorq\t%rcx,%r15\n\n\trorq\t$6,%r14\n\txorq\t%rax,%r13\n\taddq\t%r15,%r12\n\n\tmovq\t%r8,%r15\n\taddq\t(%rbp),%r12\n\txorq\t%r8,%r14\n\n\txorq\t%r9,%r15\n\trorq\t$14,%r13\n\tmovq\t%r9,%rdx\n\n\tandq\t%r15,%rdi\n\trorq\t$28,%r14\n\taddq\t%r13,%r12\n\n\txorq\t%rdi,%rdx\n\taddq\t%r12,%r11\n\taddq\t%r12,%rdx\n\n\tleaq\t8(%rbp),%rbp\n\taddq\t%r14,%rdx\n\tmovq\t104(%rsi),%r12\n\tmovq\t%r11,%r13\n\tmovq\t%rdx,%r14\n\tbswapq\t%r12\n\trorq\t$23,%r13\n\tmovq\t%rax,%rdi\n\n\txorq\t%r11,%r13\n\trorq\t$5,%r14\n\txorq\t%rbx,%rdi\n\n\tmovq\t%r12,104(%rsp)\n\txorq\t%rdx,%r14\n\tandq\t%r11,%rdi\n\n\trorq\t$4,%r13\n\taddq\t%rcx,%r12\n\txorq\t%rbx,%rdi\n\n\trorq\t$6,%r14\n\txorq\t%r11,%r13\n\taddq\t%rdi,%r12\n\n\tmovq\t%rdx,%rdi\n\taddq\t(%rbp),%r12\n\txorq\t%rdx,%r14\n\n\txorq\t%r8,%rdi\n\trorq\t$14,%r13\n\tmovq\t%r8,%rcx\n\n\tandq\t%rdi,%r15\n\trorq\t$28,%r14\n\taddq\t%r13,%r12\n\n\txorq\t%r15,%rcx\n\taddq\t%r12,%r10\n\taddq\t%r12,%rcx\n\n\tleaq\t24(%rbp),%rbp\n\taddq\t%r14,%rcx\n\tmovq\t112(%rsi),%r12\n\tmovq\t%r10,%r13\n\tmovq\t%rcx,%r14\n\tbswapq\t%r12\n\trorq\t$23,%r13\n\tmovq\t%r11,%r15\n\n\txorq\t%r10,%r13\n\trorq\t$5,%r14\n\txorq\t%rax,%r15\n\n\tmovq\t%r12,112(%rsp)\n\txorq\t%rcx,%r14\n\tandq\t%r10,%r15\n\n\trorq\t$4,%r13\n\taddq\t%rbx,%r12\n\txorq\t%rax,%r15\n\n\trorq\t$6,%r14\n\txorq\t%r10,%r13\n\taddq\t%r15,%r12\n\n\tmovq\t%rcx,%r15\n\taddq\t(%rbp),%r12\n\txorq\t%rcx,%r14\n\n\txorq\t%rdx,%r15\n\trorq\t$14,%r13\n\tmovq\t%rdx,%rbx\n\n\tandq\t%r15,%rdi\n\trorq\t$28,%r14\n\taddq\t%r13,%r12\n\n\txorq\t%rdi,%rbx\n\taddq\t%r12,%r9\n\taddq\t%r12,%rbx\n\n\tleaq\t8(%rbp),%rbp\n\taddq\t%r14,%rbx\n\tmovq\t120(%rsi),%r12\n\tmovq\t%r9,%r13\n\tmovq\t%rbx,%r14\n\tbswapq\t%r12\n\trorq\t$23,%r13\n\tmovq\t%r10,%rdi\n\n\txorq\t%r9,%r13\n\trorq\t$5,%r14\n\txorq\t%r11,%rdi\n\n\tmovq\t%r12,120(%rsp)\n\txorq\t%rbx,%r14\n\tandq\t%r9,%rdi\n\n\trorq\t$4,%r13\n\taddq\t%rax,%r12\n\txorq\t%r11,%rdi\n\n\trorq\t$6,%r14\n\txorq\t%r9,%r13\n\taddq\t%rdi,%r12\n\n\tmovq\t%rbx,%rdi\n\taddq\t(%rbp),%r12\n\txorq\t%rbx,%r14\n\n\txorq\t%rcx,%rdi\n\trorq\t$14,%r13\n\tmovq\t%rcx,%rax\n\n\tandq\t%rdi,%r15\n\trorq\t$28,%r14\n\taddq\t%r13,%r12\n\n\txorq\t%r15,%rax\n\taddq\t%r12,%r8\n\taddq\t%r12,%rax\n\n\tleaq\t24(%rbp),%rbp\n\tjmp\tL$rounds_16_xx\n.p2align\t4\nL$rounds_16_xx:\n\tmovq\t8(%rsp),%r13\n\tmovq\t112(%rsp),%r15\n\n\tmovq\t%r13,%r12\n\trorq\t$7,%r13\n\taddq\t%r14,%rax\n\tmovq\t%r15,%r14\n\trorq\t$42,%r15\n\n\txorq\t%r12,%r13\n\tshrq\t$7,%r12\n\trorq\t$1,%r13\n\txorq\t%r14,%r15\n\tshrq\t$6,%r14\n\n\trorq\t$19,%r15\n\txorq\t%r13,%r12\n\txorq\t%r14,%r15\n\taddq\t72(%rsp),%r12\n\n\taddq\t0(%rsp),%r12\n\tmovq\t%r8,%r13\n\taddq\t%r15,%r12\n\tmovq\t%rax,%r14\n\trorq\t$23,%r13\n\tmovq\t%r9,%r15\n\n\txorq\t%r8,%r13\n\trorq\t$5,%r14\n\txorq\t%r10,%r15\n\n\tmovq\t%r12,0(%rsp)\n\txorq\t%rax,%r14\n\tandq\t%r8,%r15\n\n\trorq\t$4,%r13\n\taddq\t%r11,%r12\n\txorq\t%r10,%r15\n\n\trorq\t$6,%r14\n\txorq\t%r8,%r13\n\taddq\t%r15,%r12\n\n\tmovq\t%rax,%r15\n\taddq\t(%rbp),%r12\n\txorq\t%rax,%r14\n\n\txorq\t%rbx,%r15\n\trorq\t$14,%r13\n\tmovq\t%rbx,%r11\n\n\tandq\t%r15,%rdi\n\trorq\t$28,%r14\n\taddq\t%r13,%r12\n\n\txorq\t%rdi,%r11\n\taddq\t%r12,%rdx\n\taddq\t%r12,%r11\n\n\tleaq\t8(%rbp),%rbp\n\tmovq\t16(%rsp),%r13\n\tmovq\t120(%rsp),%rdi\n\n\tmovq\t%r13,%r12\n\trorq\t$7,%r13\n\taddq\t%r14,%r11\n\tmovq\t%rdi,%r14\n\trorq\t$42,%rdi\n\n\txorq\t%r12,%r13\n\tshrq\t$7,%r12\n\trorq\t$1,%r13\n\txorq\t%r14,%rdi\n\tshrq\t$6,%r14\n\n\trorq\t$19,%rdi\n\txorq\t%r13,%r12\n\txorq\t%r14,%rdi\n\taddq\t80(%rsp),%r12\n\n\taddq\t8(%rsp),%r12\n\tmovq\t%rdx,%r13\n\taddq\t%rdi,%r12\n\tmovq\t%r11,%r14\n\trorq\t$23,%r13\n\tmovq\t%r8,%rdi\n\n\txorq\t%rdx,%r13\n\trorq\t$5,%r14\n\txorq\t%r9,%rdi\n\n\tmovq\t%r12,8(%rsp)\n\txorq\t%r11,%r14\n\tandq\t%rdx,%rdi\n\n\trorq\t$4,%r13\n\taddq\t%r10,%r12\n\txorq\t%r9,%rdi\n\n\trorq\t$6,%r14\n\txorq\t%rdx,%r13\n\taddq\t%rdi,%r12\n\n\tmovq\t%r11,%rdi\n\taddq\t(%rbp),%r12\n\txorq\t%r11,%r14\n\n\txorq\t%rax,%rdi\n\trorq\t$14,%r13\n\tmovq\t%rax,%r10\n\n\tandq\t%rdi,%r15\n\trorq\t$28,%r14\n\taddq\t%r13,%r12\n\n\txorq\t%r15,%r10\n\taddq\t%r12,%rcx\n\taddq\t%r12,%r10\n\n\tleaq\t24(%rbp),%rbp\n\tmovq\t24(%rsp),%r13\n\tmovq\t0(%rsp),%r15\n\n\tmovq\t%r13,%r12\n\trorq\t$7,%r13\n\taddq\t%r14,%r10\n\tmovq\t%r15,%r14\n\trorq\t$42,%r15\n\n\txorq\t%r12,%r13\n\tshrq\t$7,%r12\n\trorq\t$1,%r13\n\txorq\t%r14,%r15\n\tshrq\t$6,%r14\n\n\trorq\t$19,%r15\n\txorq\t%r13,%r12\n\txorq\t%r14,%r15\n\taddq\t88(%rsp),%r12\n\n\taddq\t16(%rsp),%r12\n\tmovq\t%rcx,%r13\n\taddq\t%r15,%r12\n\tmovq\t%r10,%r14\n\trorq\t$23,%r13\n\tmovq\t%rdx,%r15\n\n\txorq\t%rcx,%r13\n\trorq\t$5,%r14\n\txorq\t%r8,%r15\n\n\tmovq\t%r12,16(%rsp)\n\txorq\t%r10,%r14\n\tandq\t%rcx,%r15\n\n\trorq\t$4,%r13\n\taddq\t%r9,%r12\n\txorq\t%r8,%r15\n\n\trorq\t$6,%r14\n\txorq\t%rcx,%r13\n\taddq\t%r15,%r12\n\n\tmovq\t%r10,%r15\n\taddq\t(%rbp),%r12\n\txorq\t%r10,%r14\n\n\txorq\t%r11,%r15\n\trorq\t$14,%r13\n\tmovq\t%r11,%r9\n\n\tandq\t%r15,%rdi\n\trorq\t$28,%r14\n\taddq\t%r13,%r12\n\n\txorq\t%rdi,%r9\n\taddq\t%r12,%rbx\n\taddq\t%r12,%r9\n\n\tleaq\t8(%rbp),%rbp\n\tmovq\t32(%rsp),%r13\n\tmovq\t8(%rsp),%rdi\n\n\tmovq\t%r13,%r12\n\trorq\t$7,%r13\n\taddq\t%r14,%r9\n\tmovq\t%rdi,%r14\n\trorq\t$42,%rdi\n\n\txorq\t%r12,%r13\n\tshrq\t$7,%r12\n\trorq\t$1,%r13\n\txorq\t%r14,%rdi\n\tshrq\t$6,%r14\n\n\trorq\t$19,%rdi\n\txorq\t%r13,%r12\n\txorq\t%r14,%rdi\n\taddq\t96(%rsp),%r12\n\n\taddq\t24(%rsp),%r12\n\tmovq\t%rbx,%r13\n\taddq\t%rdi,%r12\n\tmovq\t%r9,%r14\n\trorq\t$23,%r13\n\tmovq\t%rcx,%rdi\n\n\txorq\t%rbx,%r13\n\trorq\t$5,%r14\n\txorq\t%rdx,%rdi\n\n\tmovq\t%r12,24(%rsp)\n\txorq\t%r9,%r14\n\tandq\t%rbx,%rdi\n\n\trorq\t$4,%r13\n\taddq\t%r8,%r12\n\txorq\t%rdx,%rdi\n\n\trorq\t$6,%r14\n\txorq\t%rbx,%r13\n\taddq\t%rdi,%r12\n\n\tmovq\t%r9,%rdi\n\taddq\t(%rbp),%r12\n\txorq\t%r9,%r14\n\n\txorq\t%r10,%rdi\n\trorq\t$14,%r13\n\tmovq\t%r10,%r8\n\n\tandq\t%rdi,%r15\n\trorq\t$28,%r14\n\taddq\t%r13,%r12\n\n\txorq\t%r15,%r8\n\taddq\t%r12,%rax\n\taddq\t%r12,%r8\n\n\tleaq\t24(%rbp),%rbp\n\tmovq\t40(%rsp),%r13\n\tmovq\t16(%rsp),%r15\n\n\tmovq\t%r13,%r12\n\trorq\t$7,%r13\n\taddq\t%r14,%r8\n\tmovq\t%r15,%r14\n\trorq\t$42,%r15\n\n\txorq\t%r12,%r13\n\tshrq\t$7,%r12\n\trorq\t$1,%r13\n\txorq\t%r14,%r15\n\tshrq\t$6,%r14\n\n\trorq\t$19,%r15\n\txorq\t%r13,%r12\n\txorq\t%r14,%r15\n\taddq\t104(%rsp),%r12\n\n\taddq\t32(%rsp),%r12\n\tmovq\t%rax,%r13\n\taddq\t%r15,%r12\n\tmovq\t%r8,%r14\n\trorq\t$23,%r13\n\tmovq\t%rbx,%r15\n\n\txorq\t%rax,%r13\n\trorq\t$5,%r14\n\txorq\t%rcx,%r15\n\n\tmovq\t%r12,32(%rsp)\n\txorq\t%r8,%r14\n\tandq\t%rax,%r15\n\n\trorq\t$4,%r13\n\taddq\t%rdx,%r12\n\txorq\t%rcx,%r15\n\n\trorq\t$6,%r14\n\txorq\t%rax,%r13\n\taddq\t%r15,%r12\n\n\tmovq\t%r8,%r15\n\taddq\t(%rbp),%r12\n\txorq\t%r8,%r14\n\n\txorq\t%r9,%r15\n\trorq\t$14,%r13\n\tmovq\t%r9,%rdx\n\n\tandq\t%r15,%rdi\n\trorq\t$28,%r14\n\taddq\t%r13,%r12\n\n\txorq\t%rdi,%rdx\n\taddq\t%r12,%r11\n\taddq\t%r12,%rdx\n\n\tleaq\t8(%rbp),%rbp\n\tmovq\t48(%rsp),%r13\n\tmovq\t24(%rsp),%rdi\n\n\tmovq\t%r13,%r12\n\trorq\t$7,%r13\n\taddq\t%r14,%rdx\n\tmovq\t%rdi,%r14\n\trorq\t$42,%rdi\n\n\txorq\t%r12,%r13\n\tshrq\t$7,%r12\n\trorq\t$1,%r13\n\txorq\t%r14,%rdi\n\tshrq\t$6,%r14\n\n\trorq\t$19,%rdi\n\txorq\t%r13,%r12\n\txorq\t%r14,%rdi\n\taddq\t112(%rsp),%r12\n\n\taddq\t40(%rsp),%r12\n\tmovq\t%r11,%r13\n\taddq\t%rdi,%r12\n\tmovq\t%rdx,%r14\n\trorq\t$23,%r13\n\tmovq\t%rax,%rdi\n\n\txorq\t%r11,%r13\n\trorq\t$5,%r14\n\txorq\t%rbx,%rdi\n\n\tmovq\t%r12,40(%rsp)\n\txorq\t%rdx,%r14\n\tandq\t%r11,%rdi\n\n\trorq\t$4,%r13\n\taddq\t%rcx,%r12\n\txorq\t%rbx,%rdi\n\n\trorq\t$6,%r14\n\txorq\t%r11,%r13\n\taddq\t%rdi,%r12\n\n\tmovq\t%rdx,%rdi\n\taddq\t(%rbp),%r12\n\txorq\t%rdx,%r14\n\n\txorq\t%r8,%rdi\n\trorq\t$14,%r13\n\tmovq\t%r8,%rcx\n\n\tandq\t%rdi,%r15\n\trorq\t$28,%r14\n\taddq\t%r13,%r12\n\n\txorq\t%r15,%rcx\n\taddq\t%r12,%r10\n\taddq\t%r12,%rcx\n\n\tleaq\t24(%rbp),%rbp\n\tmovq\t56(%rsp),%r13\n\tmovq\t32(%rsp),%r15\n\n\tmovq\t%r13,%r12\n\trorq\t$7,%r13\n\taddq\t%r14,%rcx\n\tmovq\t%r15,%r14\n\trorq\t$42,%r15\n\n\txorq\t%r12,%r13\n\tshrq\t$7,%r12\n\trorq\t$1,%r13\n\txorq\t%r14,%r15\n\tshrq\t$6,%r14\n\n\trorq\t$19,%r15\n\txorq\t%r13,%r12\n\txorq\t%r14,%r15\n\taddq\t120(%rsp),%r12\n\n\taddq\t48(%rsp),%r12\n\tmovq\t%r10,%r13\n\taddq\t%r15,%r12\n\tmovq\t%rcx,%r14\n\trorq\t$23,%r13\n\tmovq\t%r11,%r15\n\n\txorq\t%r10,%r13\n\trorq\t$5,%r14\n\txorq\t%rax,%r15\n\n\tmovq\t%r12,48(%rsp)\n\txorq\t%rcx,%r14\n\tandq\t%r10,%r15\n\n\trorq\t$4,%r13\n\taddq\t%rbx,%r12\n\txorq\t%rax,%r15\n\n\trorq\t$6,%r14\n\txorq\t%r10,%r13\n\taddq\t%r15,%r12\n\n\tmovq\t%rcx,%r15\n\taddq\t(%rbp),%r12\n\txorq\t%rcx,%r14\n\n\txorq\t%rdx,%r15\n\trorq\t$14,%r13\n\tmovq\t%rdx,%rbx\n\n\tandq\t%r15,%rdi\n\trorq\t$28,%r14\n\taddq\t%r13,%r12\n\n\txorq\t%rdi,%rbx\n\taddq\t%r12,%r9\n\taddq\t%r12,%rbx\n\n\tleaq\t8(%rbp),%rbp\n\tmovq\t64(%rsp),%r13\n\tmovq\t40(%rsp),%rdi\n\n\tmovq\t%r13,%r12\n\trorq\t$7,%r13\n\taddq\t%r14,%rbx\n\tmovq\t%rdi,%r14\n\trorq\t$42,%rdi\n\n\txorq\t%r12,%r13\n\tshrq\t$7,%r12\n\trorq\t$1,%r13\n\txorq\t%r14,%rdi\n\tshrq\t$6,%r14\n\n\trorq\t$19,%rdi\n\txorq\t%r13,%r12\n\txorq\t%r14,%rdi\n\taddq\t0(%rsp),%r12\n\n\taddq\t56(%rsp),%r12\n\tmovq\t%r9,%r13\n\taddq\t%rdi,%r12\n\tmovq\t%rbx,%r14\n\trorq\t$23,%r13\n\tmovq\t%r10,%rdi\n\n\txorq\t%r9,%r13\n\trorq\t$5,%r14\n\txorq\t%r11,%rdi\n\n\tmovq\t%r12,56(%rsp)\n\txorq\t%rbx,%r14\n\tandq\t%r9,%rdi\n\n\trorq\t$4,%r13\n\taddq\t%rax,%r12\n\txorq\t%r11,%rdi\n\n\trorq\t$6,%r14\n\txorq\t%r9,%r13\n\taddq\t%rdi,%r12\n\n\tmovq\t%rbx,%rdi\n\taddq\t(%rbp),%r12\n\txorq\t%rbx,%r14\n\n\txorq\t%rcx,%rdi\n\trorq\t$14,%r13\n\tmovq\t%rcx,%rax\n\n\tandq\t%rdi,%r15\n\trorq\t$28,%r14\n\taddq\t%r13,%r12\n\n\txorq\t%r15,%rax\n\taddq\t%r12,%r8\n\taddq\t%r12,%rax\n\n\tleaq\t24(%rbp),%rbp\n\tmovq\t72(%rsp),%r13\n\tmovq\t48(%rsp),%r15\n\n\tmovq\t%r13,%r12\n\trorq\t$7,%r13\n\taddq\t%r14,%rax\n\tmovq\t%r15,%r14\n\trorq\t$42,%r15\n\n\txorq\t%r12,%r13\n\tshrq\t$7,%r12\n\trorq\t$1,%r13\n\txorq\t%r14,%r15\n\tshrq\t$6,%r14\n\n\trorq\t$19,%r15\n\txorq\t%r13,%r12\n\txorq\t%r14,%r15\n\taddq\t8(%rsp),%r12\n\n\taddq\t64(%rsp),%r12\n\tmovq\t%r8,%r13\n\taddq\t%r15,%r12\n\tmovq\t%rax,%r14\n\trorq\t$23,%r13\n\tmovq\t%r9,%r15\n\n\txorq\t%r8,%r13\n\trorq\t$5,%r14\n\txorq\t%r10,%r15\n\n\tmovq\t%r12,64(%rsp)\n\txorq\t%rax,%r14\n\tandq\t%r8,%r15\n\n\trorq\t$4,%r13\n\taddq\t%r11,%r12\n\txorq\t%r10,%r15\n\n\trorq\t$6,%r14\n\txorq\t%r8,%r13\n\taddq\t%r15,%r12\n\n\tmovq\t%rax,%r15\n\taddq\t(%rbp),%r12\n\txorq\t%rax,%r14\n\n\txorq\t%rbx,%r15\n\trorq\t$14,%r13\n\tmovq\t%rbx,%r11\n\n\tandq\t%r15,%rdi\n\trorq\t$28,%r14\n\taddq\t%r13,%r12\n\n\txorq\t%rdi,%r11\n\taddq\t%r12,%rdx\n\taddq\t%r12,%r11\n\n\tleaq\t8(%rbp),%rbp\n\tmovq\t80(%rsp),%r13\n\tmovq\t56(%rsp),%rdi\n\n\tmovq\t%r13,%r12\n\trorq\t$7,%r13\n\taddq\t%r14,%r11\n\tmovq\t%rdi,%r14\n\trorq\t$42,%rdi\n\n\txorq\t%r12,%r13\n\tshrq\t$7,%r12\n\trorq\t$1,%r13\n\txorq\t%r14,%rdi\n\tshrq\t$6,%r14\n\n\trorq\t$19,%rdi\n\txorq\t%r13,%r12\n\txorq\t%r14,%rdi\n\taddq\t16(%rsp),%r12\n\n\taddq\t72(%rsp),%r12\n\tmovq\t%rdx,%r13\n\taddq\t%rdi,%r12\n\tmovq\t%r11,%r14\n\trorq\t$23,%r13\n\tmovq\t%r8,%rdi\n\n\txorq\t%rdx,%r13\n\trorq\t$5,%r14\n\txorq\t%r9,%rdi\n\n\tmovq\t%r12,72(%rsp)\n\txorq\t%r11,%r14\n\tandq\t%rdx,%rdi\n\n\trorq\t$4,%r13\n\taddq\t%r10,%r12\n\txorq\t%r9,%rdi\n\n\trorq\t$6,%r14\n\txorq\t%rdx,%r13\n\taddq\t%rdi,%r12\n\n\tmovq\t%r11,%rdi\n\taddq\t(%rbp),%r12\n\txorq\t%r11,%r14\n\n\txorq\t%rax,%rdi\n\trorq\t$14,%r13\n\tmovq\t%rax,%r10\n\n\tandq\t%rdi,%r15\n\trorq\t$28,%r14\n\taddq\t%r13,%r12\n\n\txorq\t%r15,%r10\n\taddq\t%r12,%rcx\n\taddq\t%r12,%r10\n\n\tleaq\t24(%rbp),%rbp\n\tmovq\t88(%rsp),%r13\n\tmovq\t64(%rsp),%r15\n\n\tmovq\t%r13,%r12\n\trorq\t$7,%r13\n\taddq\t%r14,%r10\n\tmovq\t%r15,%r14\n\trorq\t$42,%r15\n\n\txorq\t%r12,%r13\n\tshrq\t$7,%r12\n\trorq\t$1,%r13\n\txorq\t%r14,%r15\n\tshrq\t$6,%r14\n\n\trorq\t$19,%r15\n\txorq\t%r13,%r12\n\txorq\t%r14,%r15\n\taddq\t24(%rsp),%r12\n\n\taddq\t80(%rsp),%r12\n\tmovq\t%rcx,%r13\n\taddq\t%r15,%r12\n\tmovq\t%r10,%r14\n\trorq\t$23,%r13\n\tmovq\t%rdx,%r15\n\n\txorq\t%rcx,%r13\n\trorq\t$5,%r14\n\txorq\t%r8,%r15\n\n\tmovq\t%r12,80(%rsp)\n\txorq\t%r10,%r14\n\tandq\t%rcx,%r15\n\n\trorq\t$4,%r13\n\taddq\t%r9,%r12\n\txorq\t%r8,%r15\n\n\trorq\t$6,%r14\n\txorq\t%rcx,%r13\n\taddq\t%r15,%r12\n\n\tmovq\t%r10,%r15\n\taddq\t(%rbp),%r12\n\txorq\t%r10,%r14\n\n\txorq\t%r11,%r15\n\trorq\t$14,%r13\n\tmovq\t%r11,%r9\n\n\tandq\t%r15,%rdi\n\trorq\t$28,%r14\n\taddq\t%r13,%r12\n\n\txorq\t%rdi,%r9\n\taddq\t%r12,%rbx\n\taddq\t%r12,%r9\n\n\tleaq\t8(%rbp),%rbp\n\tmovq\t96(%rsp),%r13\n\tmovq\t72(%rsp),%rdi\n\n\tmovq\t%r13,%r12\n\trorq\t$7,%r13\n\taddq\t%r14,%r9\n\tmovq\t%rdi,%r14\n\trorq\t$42,%rdi\n\n\txorq\t%r12,%r13\n\tshrq\t$7,%r12\n\trorq\t$1,%r13\n\txorq\t%r14,%rdi\n\tshrq\t$6,%r14\n\n\trorq\t$19,%rdi\n\txorq\t%r13,%r12\n\txorq\t%r14,%rdi\n\taddq\t32(%rsp),%r12\n\n\taddq\t88(%rsp),%r12\n\tmovq\t%rbx,%r13\n\taddq\t%rdi,%r12\n\tmovq\t%r9,%r14\n\trorq\t$23,%r13\n\tmovq\t%rcx,%rdi\n\n\txorq\t%rbx,%r13\n\trorq\t$5,%r14\n\txorq\t%rdx,%rdi\n\n\tmovq\t%r12,88(%rsp)\n\txorq\t%r9,%r14\n\tandq\t%rbx,%rdi\n\n\trorq\t$4,%r13\n\taddq\t%r8,%r12\n\txorq\t%rdx,%rdi\n\n\trorq\t$6,%r14\n\txorq\t%rbx,%r13\n\taddq\t%rdi,%r12\n\n\tmovq\t%r9,%rdi\n\taddq\t(%rbp),%r12\n\txorq\t%r9,%r14\n\n\txorq\t%r10,%rdi\n\trorq\t$14,%r13\n\tmovq\t%r10,%r8\n\n\tandq\t%rdi,%r15\n\trorq\t$28,%r14\n\taddq\t%r13,%r12\n\n\txorq\t%r15,%r8\n\taddq\t%r12,%rax\n\taddq\t%r12,%r8\n\n\tleaq\t24(%rbp),%rbp\n\tmovq\t104(%rsp),%r13\n\tmovq\t80(%rsp),%r15\n\n\tmovq\t%r13,%r12\n\trorq\t$7,%r13\n\taddq\t%r14,%r8\n\tmovq\t%r15,%r14\n\trorq\t$42,%r15\n\n\txorq\t%r12,%r13\n\tshrq\t$7,%r12\n\trorq\t$1,%r13\n\txorq\t%r14,%r15\n\tshrq\t$6,%r14\n\n\trorq\t$19,%r15\n\txorq\t%r13,%r12\n\txorq\t%r14,%r15\n\taddq\t40(%rsp),%r12\n\n\taddq\t96(%rsp),%r12\n\tmovq\t%rax,%r13\n\taddq\t%r15,%r12\n\tmovq\t%r8,%r14\n\trorq\t$23,%r13\n\tmovq\t%rbx,%r15\n\n\txorq\t%rax,%r13\n\trorq\t$5,%r14\n\txorq\t%rcx,%r15\n\n\tmovq\t%r12,96(%rsp)\n\txorq\t%r8,%r14\n\tandq\t%rax,%r15\n\n\trorq\t$4,%r13\n\taddq\t%rdx,%r12\n\txorq\t%rcx,%r15\n\n\trorq\t$6,%r14\n\txorq\t%rax,%r13\n\taddq\t%r15,%r12\n\n\tmovq\t%r8,%r15\n\taddq\t(%rbp),%r12\n\txorq\t%r8,%r14\n\n\txorq\t%r9,%r15\n\trorq\t$14,%r13\n\tmovq\t%r9,%rdx\n\n\tandq\t%r15,%rdi\n\trorq\t$28,%r14\n\taddq\t%r13,%r12\n\n\txorq\t%rdi,%rdx\n\taddq\t%r12,%r11\n\taddq\t%r12,%rdx\n\n\tleaq\t8(%rbp),%rbp\n\tmovq\t112(%rsp),%r13\n\tmovq\t88(%rsp),%rdi\n\n\tmovq\t%r13,%r12\n\trorq\t$7,%r13\n\taddq\t%r14,%rdx\n\tmovq\t%rdi,%r14\n\trorq\t$42,%rdi\n\n\txorq\t%r12,%r13\n\tshrq\t$7,%r12\n\trorq\t$1,%r13\n\txorq\t%r14,%rdi\n\tshrq\t$6,%r14\n\n\trorq\t$19,%rdi\n\txorq\t%r13,%r12\n\txorq\t%r14,%rdi\n\taddq\t48(%rsp),%r12\n\n\taddq\t104(%rsp),%r12\n\tmovq\t%r11,%r13\n\taddq\t%rdi,%r12\n\tmovq\t%rdx,%r14\n\trorq\t$23,%r13\n\tmovq\t%rax,%rdi\n\n\txorq\t%r11,%r13\n\trorq\t$5,%r14\n\txorq\t%rbx,%rdi\n\n\tmovq\t%r12,104(%rsp)\n\txorq\t%rdx,%r14\n\tandq\t%r11,%rdi\n\n\trorq\t$4,%r13\n\taddq\t%rcx,%r12\n\txorq\t%rbx,%rdi\n\n\trorq\t$6,%r14\n\txorq\t%r11,%r13\n\taddq\t%rdi,%r12\n\n\tmovq\t%rdx,%rdi\n\taddq\t(%rbp),%r12\n\txorq\t%rdx,%r14\n\n\txorq\t%r8,%rdi\n\trorq\t$14,%r13\n\tmovq\t%r8,%rcx\n\n\tandq\t%rdi,%r15\n\trorq\t$28,%r14\n\taddq\t%r13,%r12\n\n\txorq\t%r15,%rcx\n\taddq\t%r12,%r10\n\taddq\t%r12,%rcx\n\n\tleaq\t24(%rbp),%rbp\n\tmovq\t120(%rsp),%r13\n\tmovq\t96(%rsp),%r15\n\n\tmovq\t%r13,%r12\n\trorq\t$7,%r13\n\taddq\t%r14,%rcx\n\tmovq\t%r15,%r14\n\trorq\t$42,%r15\n\n\txorq\t%r12,%r13\n\tshrq\t$7,%r12\n\trorq\t$1,%r13\n\txorq\t%r14,%r15\n\tshrq\t$6,%r14\n\n\trorq\t$19,%r15\n\txorq\t%r13,%r12\n\txorq\t%r14,%r15\n\taddq\t56(%rsp),%r12\n\n\taddq\t112(%rsp),%r12\n\tmovq\t%r10,%r13\n\taddq\t%r15,%r12\n\tmovq\t%rcx,%r14\n\trorq\t$23,%r13\n\tmovq\t%r11,%r15\n\n\txorq\t%r10,%r13\n\trorq\t$5,%r14\n\txorq\t%rax,%r15\n\n\tmovq\t%r12,112(%rsp)\n\txorq\t%rcx,%r14\n\tandq\t%r10,%r15\n\n\trorq\t$4,%r13\n\taddq\t%rbx,%r12\n\txorq\t%rax,%r15\n\n\trorq\t$6,%r14\n\txorq\t%r10,%r13\n\taddq\t%r15,%r12\n\n\tmovq\t%rcx,%r15\n\taddq\t(%rbp),%r12\n\txorq\t%rcx,%r14\n\n\txorq\t%rdx,%r15\n\trorq\t$14,%r13\n\tmovq\t%rdx,%rbx\n\n\tandq\t%r15,%rdi\n\trorq\t$28,%r14\n\taddq\t%r13,%r12\n\n\txorq\t%rdi,%rbx\n\taddq\t%r12,%r9\n\taddq\t%r12,%rbx\n\n\tleaq\t8(%rbp),%rbp\n\tmovq\t0(%rsp),%r13\n\tmovq\t104(%rsp),%rdi\n\n\tmovq\t%r13,%r12\n\trorq\t$7,%r13\n\taddq\t%r14,%rbx\n\tmovq\t%rdi,%r14\n\trorq\t$42,%rdi\n\n\txorq\t%r12,%r13\n\tshrq\t$7,%r12\n\trorq\t$1,%r13\n\txorq\t%r14,%rdi\n\tshrq\t$6,%r14\n\n\trorq\t$19,%rdi\n\txorq\t%r13,%r12\n\txorq\t%r14,%rdi\n\taddq\t64(%rsp),%r12\n\n\taddq\t120(%rsp),%r12\n\tmovq\t%r9,%r13\n\taddq\t%rdi,%r12\n\tmovq\t%rbx,%r14\n\trorq\t$23,%r13\n\tmovq\t%r10,%rdi\n\n\txorq\t%r9,%r13\n\trorq\t$5,%r14\n\txorq\t%r11,%rdi\n\n\tmovq\t%r12,120(%rsp)\n\txorq\t%rbx,%r14\n\tandq\t%r9,%rdi\n\n\trorq\t$4,%r13\n\taddq\t%rax,%r12\n\txorq\t%r11,%rdi\n\n\trorq\t$6,%r14\n\txorq\t%r9,%r13\n\taddq\t%rdi,%r12\n\n\tmovq\t%rbx,%rdi\n\taddq\t(%rbp),%r12\n\txorq\t%rbx,%r14\n\n\txorq\t%rcx,%rdi\n\trorq\t$14,%r13\n\tmovq\t%rcx,%rax\n\n\tandq\t%rdi,%r15\n\trorq\t$28,%r14\n\taddq\t%r13,%r12\n\n\txorq\t%r15,%rax\n\taddq\t%r12,%r8\n\taddq\t%r12,%rax\n\n\tleaq\t24(%rbp),%rbp\n\tcmpb\t$0,7(%rbp)\n\tjnz\tL$rounds_16_xx\n\n\tmovq\t128+0(%rsp),%rdi\n\taddq\t%r14,%rax\n\tleaq\t128(%rsi),%rsi\n\n\taddq\t0(%rdi),%rax\n\taddq\t8(%rdi),%rbx\n\taddq\t16(%rdi),%rcx\n\taddq\t24(%rdi),%rdx\n\taddq\t32(%rdi),%r8\n\taddq\t40(%rdi),%r9\n\taddq\t48(%rdi),%r10\n\taddq\t56(%rdi),%r11\n\n\tcmpq\t128+16(%rsp),%rsi\n\n\tmovq\t%rax,0(%rdi)\n\tmovq\t%rbx,8(%rdi)\n\tmovq\t%rcx,16(%rdi)\n\tmovq\t%rdx,24(%rdi)\n\tmovq\t%r8,32(%rdi)\n\tmovq\t%r9,40(%rdi)\n\tmovq\t%r10,48(%rdi)\n\tmovq\t%r11,56(%rdi)\n\tjb\tL$loop\n\n\tmovq\t152(%rsp),%rsi\n\n\tmovq\t-48(%rsi),%r15\n\n\tmovq\t-40(%rsi),%r14\n\n\tmovq\t-32(%rsi),%r13\n\n\tmovq\t-24(%rsi),%r12\n\n\tmovq\t-16(%rsi),%rbp\n\n\tmovq\t-8(%rsi),%rbx\n\n\tleaq\t(%rsi),%rsp\n\nL$epilogue:\n\tret\n\n\n.section\t__DATA,__const\n.p2align\t6\n\nK512:\n.quad\t0x428a2f98d728ae22,0x7137449123ef65cd\n.quad\t0x428a2f98d728ae22,0x7137449123ef65cd\n.quad\t0xb5c0fbcfec4d3b2f,0xe9b5dba58189dbbc\n.quad\t0xb5c0fbcfec4d3b2f,0xe9b5dba58189dbbc\n.quad\t0x3956c25bf348b538,0x59f111f1b605d019\n.quad\t0x3956c25bf348b538,0x59f111f1b605d019\n.quad\t0x923f82a4af194f9b,0xab1c5ed5da6d8118\n.quad\t0x923f82a4af194f9b,0xab1c5ed5da6d8118\n.quad\t0xd807aa98a3030242,0x12835b0145706fbe\n.quad\t0xd807aa98a3030242,0x12835b0145706fbe\n.quad\t0x243185be4ee4b28c,0x550c7dc3d5ffb4e2\n.quad\t0x243185be4ee4b28c,0x550c7dc3d5ffb4e2\n.quad\t0x72be5d74f27b896f,0x80deb1fe3b1696b1\n.quad\t0x72be5d74f27b896f,0x80deb1fe3b1696b1\n.quad\t0x9bdc06a725c71235,0xc19bf174cf692694\n.quad\t0x9bdc06a725c71235,0xc19bf174cf692694\n.quad\t0xe49b69c19ef14ad2,0xefbe4786384f25e3\n.quad\t0xe49b69c19ef14ad2,0xefbe4786384f25e3\n.quad\t0x0fc19dc68b8cd5b5,0x240ca1cc77ac9c65\n.quad\t0x0fc19dc68b8cd5b5,0x240ca1cc77ac9c65\n.quad\t0x2de92c6f592b0275,0x4a7484aa6ea6e483\n.quad\t0x2de92c6f592b0275,0x4a7484aa6ea6e483\n.quad\t0x5cb0a9dcbd41fbd4,0x76f988da831153b5\n.quad\t0x5cb0a9dcbd41fbd4,0x76f988da831153b5\n.quad\t0x983e5152ee66dfab,0xa831c66d2db43210\n.quad\t0x983e5152ee66dfab,0xa831c66d2db43210\n.quad\t0xb00327c898fb213f,0xbf597fc7beef0ee4\n.quad\t0xb00327c898fb213f,0xbf597fc7beef0ee4\n.quad\t0xc6e00bf33da88fc2,0xd5a79147930aa725\n.quad\t0xc6e00bf33da88fc2,0xd5a79147930aa725\n.quad\t0x06ca6351e003826f,0x142929670a0e6e70\n.quad\t0x06ca6351e003826f,0x142929670a0e6e70\n.quad\t0x27b70a8546d22ffc,0x2e1b21385c26c926\n.quad\t0x27b70a8546d22ffc,0x2e1b21385c26c926\n.quad\t0x4d2c6dfc5ac42aed,0x53380d139d95b3df\n.quad\t0x4d2c6dfc5ac42aed,0x53380d139d95b3df\n.quad\t0x650a73548baf63de,0x766a0abb3c77b2a8\n.quad\t0x650a73548baf63de,0x766a0abb3c77b2a8\n.quad\t0x81c2c92e47edaee6,0x92722c851482353b\n.quad\t0x81c2c92e47edaee6,0x92722c851482353b\n.quad\t0xa2bfe8a14cf10364,0xa81a664bbc423001\n.quad\t0xa2bfe8a14cf10364,0xa81a664bbc423001\n.quad\t0xc24b8b70d0f89791,0xc76c51a30654be30\n.quad\t0xc24b8b70d0f89791,0xc76c51a30654be30\n.quad\t0xd192e819d6ef5218,0xd69906245565a910\n.quad\t0xd192e819d6ef5218,0xd69906245565a910\n.quad\t0xf40e35855771202a,0x106aa07032bbd1b8\n.quad\t0xf40e35855771202a,0x106aa07032bbd1b8\n.quad\t0x19a4c116b8d2d0c8,0x1e376c085141ab53\n.quad\t0x19a4c116b8d2d0c8,0x1e376c085141ab53\n.quad\t0x2748774cdf8eeb99,0x34b0bcb5e19b48a8\n.quad\t0x2748774cdf8eeb99,0x34b0bcb5e19b48a8\n.quad\t0x391c0cb3c5c95a63,0x4ed8aa4ae3418acb\n.quad\t0x391c0cb3c5c95a63,0x4ed8aa4ae3418acb\n.quad\t0x5b9cca4f7763e373,0x682e6ff3d6b2b8a3\n.quad\t0x5b9cca4f7763e373,0x682e6ff3d6b2b8a3\n.quad\t0x748f82ee5defb2fc,0x78a5636f43172f60\n.quad\t0x748f82ee5defb2fc,0x78a5636f43172f60\n.quad\t0x84c87814a1f0ab72,0x8cc702081a6439ec\n.quad\t0x84c87814a1f0ab72,0x8cc702081a6439ec\n.quad\t0x90befffa23631e28,0xa4506cebde82bde9\n.quad\t0x90befffa23631e28,0xa4506cebde82bde9\n.quad\t0xbef9a3f7b2c67915,0xc67178f2e372532b\n.quad\t0xbef9a3f7b2c67915,0xc67178f2e372532b\n.quad\t0xca273eceea26619c,0xd186b8c721c0c207\n.quad\t0xca273eceea26619c,0xd186b8c721c0c207\n.quad\t0xeada7dd6cde0eb1e,0xf57d4f7fee6ed178\n.quad\t0xeada7dd6cde0eb1e,0xf57d4f7fee6ed178\n.quad\t0x06f067aa72176fba,0x0a637dc5a2c898a6\n.quad\t0x06f067aa72176fba,0x0a637dc5a2c898a6\n.quad\t0x113f9804bef90dae,0x1b710b35131c471b\n.quad\t0x113f9804bef90dae,0x1b710b35131c471b\n.quad\t0x28db77f523047d84,0x32caab7b40c72493\n.quad\t0x28db77f523047d84,0x32caab7b40c72493\n.quad\t0x3c9ebe0a15c9bebc,0x431d67c49c100d4c\n.quad\t0x3c9ebe0a15c9bebc,0x431d67c49c100d4c\n.quad\t0x4cc5d4becb3e42b6,0x597f299cfc657e2a\n.quad\t0x4cc5d4becb3e42b6,0x597f299cfc657e2a\n.quad\t0x5fcb6fab3ad6faec,0x6c44198c4a475817\n.quad\t0x5fcb6fab3ad6faec,0x6c44198c4a475817\n\n.quad\t0x0001020304050607,0x08090a0b0c0d0e0f\n.quad\t0x0001020304050607,0x08090a0b0c0d0e0f\n.byte\t83,72,65,53,49,50,32,98,108,111,99,107,32,116,114,97,110,115,102,111,114,109,32,102,111,114,32,120,56,54,95,54,52,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0\n.text\t\n.globl\t_sha512_block_data_order_avx\n.private_extern _sha512_block_data_order_avx\n\n.p2align\t6\n_sha512_block_data_order_avx:\n\n_CET_ENDBR\n\tmovq\t%rsp,%rax\n\n\tpushq\t%rbx\n\n\tpushq\t%rbp\n\n\tpushq\t%r12\n\n\tpushq\t%r13\n\n\tpushq\t%r14\n\n\tpushq\t%r15\n\n\tshlq\t$4,%rdx\n\tsubq\t$160,%rsp\n\tleaq\t(%rsi,%rdx,8),%rdx\n\tandq\t$-64,%rsp\n\tmovq\t%rdi,128+0(%rsp)\n\tmovq\t%rsi,128+8(%rsp)\n\tmovq\t%rdx,128+16(%rsp)\n\tmovq\t%rax,152(%rsp)\n\nL$prologue_avx:\n\n\tvzeroupper\n\tmovq\t0(%rdi),%rax\n\tmovq\t8(%rdi),%rbx\n\tmovq\t16(%rdi),%rcx\n\tmovq\t24(%rdi),%rdx\n\tmovq\t32(%rdi),%r8\n\tmovq\t40(%rdi),%r9\n\tmovq\t48(%rdi),%r10\n\tmovq\t56(%rdi),%r11\n\tjmp\tL$loop_avx\n.p2align\t4\nL$loop_avx:\n\tvmovdqa\tK512+1280(%rip),%xmm11\n\tvmovdqu\t0(%rsi),%xmm0\n\tleaq\tK512+128(%rip),%rbp\n\tvmovdqu\t16(%rsi),%xmm1\n\tvmovdqu\t32(%rsi),%xmm2\n\tvpshufb\t%xmm11,%xmm0,%xmm0\n\tvmovdqu\t48(%rsi),%xmm3\n\tvpshufb\t%xmm11,%xmm1,%xmm1\n\tvmovdqu\t64(%rsi),%xmm4\n\tvpshufb\t%xmm11,%xmm2,%xmm2\n\tvmovdqu\t80(%rsi),%xmm5\n\tvpshufb\t%xmm11,%xmm3,%xmm3\n\tvmovdqu\t96(%rsi),%xmm6\n\tvpshufb\t%xmm11,%xmm4,%xmm4\n\tvmovdqu\t112(%rsi),%xmm7\n\tvpshufb\t%xmm11,%xmm5,%xmm5\n\tvpaddq\t-128(%rbp),%xmm0,%xmm8\n\tvpshufb\t%xmm11,%xmm6,%xmm6\n\tvpaddq\t-96(%rbp),%xmm1,%xmm9\n\tvpshufb\t%xmm11,%xmm7,%xmm7\n\tvpaddq\t-64(%rbp),%xmm2,%xmm10\n\tvpaddq\t-32(%rbp),%xmm3,%xmm11\n\tvmovdqa\t%xmm8,0(%rsp)\n\tvpaddq\t0(%rbp),%xmm4,%xmm8\n\tvmovdqa\t%xmm9,16(%rsp)\n\tvpaddq\t32(%rbp),%xmm5,%xmm9\n\tvmovdqa\t%xmm10,32(%rsp)\n\tvpaddq\t64(%rbp),%xmm6,%xmm10\n\tvmovdqa\t%xmm11,48(%rsp)\n\tvpaddq\t96(%rbp),%xmm7,%xmm11\n\tvmovdqa\t%xmm8,64(%rsp)\n\tmovq\t%rax,%r14\n\tvmovdqa\t%xmm9,80(%rsp)\n\tmovq\t%rbx,%rdi\n\tvmovdqa\t%xmm10,96(%rsp)\n\txorq\t%rcx,%rdi\n\tvmovdqa\t%xmm11,112(%rsp)\n\tmovq\t%r8,%r13\n\tjmp\tL$avx_00_47\n\n.p2align\t4\nL$avx_00_47:\n\taddq\t$256,%rbp\n\tvpalignr\t$8,%xmm0,%xmm1,%xmm8\n\tshrdq\t$23,%r13,%r13\n\tmovq\t%r14,%rax\n\tvpalignr\t$8,%xmm4,%xmm5,%xmm11\n\tmovq\t%r9,%r12\n\tshrdq\t$5,%r14,%r14\n\tvpsrlq\t$1,%xmm8,%xmm10\n\txorq\t%r8,%r13\n\txorq\t%r10,%r12\n\tvpaddq\t%xmm11,%xmm0,%xmm0\n\tshrdq\t$4,%r13,%r13\n\txorq\t%rax,%r14\n\tvpsrlq\t$7,%xmm8,%xmm11\n\tandq\t%r8,%r12\n\txorq\t%r8,%r13\n\tvpsllq\t$56,%xmm8,%xmm9\n\taddq\t0(%rsp),%r11\n\tmovq\t%rax,%r15\n\tvpxor\t%xmm10,%xmm11,%xmm8\n\txorq\t%r10,%r12\n\tshrdq\t$6,%r14,%r14\n\tvpsrlq\t$7,%xmm10,%xmm10\n\txorq\t%rbx,%r15\n\taddq\t%r12,%r11\n\tvpxor\t%xmm9,%xmm8,%xmm8\n\tshrdq\t$14,%r13,%r13\n\tandq\t%r15,%rdi\n\tvpsllq\t$7,%xmm9,%xmm9\n\txorq\t%rax,%r14\n\taddq\t%r13,%r11\n\tvpxor\t%xmm10,%xmm8,%xmm8\n\txorq\t%rbx,%rdi\n\tshrdq\t$28,%r14,%r14\n\tvpsrlq\t$6,%xmm7,%xmm11\n\taddq\t%r11,%rdx\n\taddq\t%rdi,%r11\n\tvpxor\t%xmm9,%xmm8,%xmm8\n\tmovq\t%rdx,%r13\n\taddq\t%r11,%r14\n\tvpsllq\t$3,%xmm7,%xmm10\n\tshrdq\t$23,%r13,%r13\n\tmovq\t%r14,%r11\n\tvpaddq\t%xmm8,%xmm0,%xmm0\n\tmovq\t%r8,%r12\n\tshrdq\t$5,%r14,%r14\n\tvpsrlq\t$19,%xmm7,%xmm9\n\txorq\t%rdx,%r13\n\txorq\t%r9,%r12\n\tvpxor\t%xmm10,%xmm11,%xmm11\n\tshrdq\t$4,%r13,%r13\n\txorq\t%r11,%r14\n\tvpsllq\t$42,%xmm10,%xmm10\n\tandq\t%rdx,%r12\n\txorq\t%rdx,%r13\n\tvpxor\t%xmm9,%xmm11,%xmm11\n\taddq\t8(%rsp),%r10\n\tmovq\t%r11,%rdi\n\tvpsrlq\t$42,%xmm9,%xmm9\n\txorq\t%r9,%r12\n\tshrdq\t$6,%r14,%r14\n\tvpxor\t%xmm10,%xmm11,%xmm11\n\txorq\t%rax,%rdi\n\taddq\t%r12,%r10\n\tvpxor\t%xmm9,%xmm11,%xmm11\n\tshrdq\t$14,%r13,%r13\n\tandq\t%rdi,%r15\n\tvpaddq\t%xmm11,%xmm0,%xmm0\n\txorq\t%r11,%r14\n\taddq\t%r13,%r10\n\tvpaddq\t-128(%rbp),%xmm0,%xmm10\n\txorq\t%rax,%r15\n\tshrdq\t$28,%r14,%r14\n\taddq\t%r10,%rcx\n\taddq\t%r15,%r10\n\tmovq\t%rcx,%r13\n\taddq\t%r10,%r14\n\tvmovdqa\t%xmm10,0(%rsp)\n\tvpalignr\t$8,%xmm1,%xmm2,%xmm8\n\tshrdq\t$23,%r13,%r13\n\tmovq\t%r14,%r10\n\tvpalignr\t$8,%xmm5,%xmm6,%xmm11\n\tmovq\t%rdx,%r12\n\tshrdq\t$5,%r14,%r14\n\tvpsrlq\t$1,%xmm8,%xmm10\n\txorq\t%rcx,%r13\n\txorq\t%r8,%r12\n\tvpaddq\t%xmm11,%xmm1,%xmm1\n\tshrdq\t$4,%r13,%r13\n\txorq\t%r10,%r14\n\tvpsrlq\t$7,%xmm8,%xmm11\n\tandq\t%rcx,%r12\n\txorq\t%rcx,%r13\n\tvpsllq\t$56,%xmm8,%xmm9\n\taddq\t16(%rsp),%r9\n\tmovq\t%r10,%r15\n\tvpxor\t%xmm10,%xmm11,%xmm8\n\txorq\t%r8,%r12\n\tshrdq\t$6,%r14,%r14\n\tvpsrlq\t$7,%xmm10,%xmm10\n\txorq\t%r11,%r15\n\taddq\t%r12,%r9\n\tvpxor\t%xmm9,%xmm8,%xmm8\n\tshrdq\t$14,%r13,%r13\n\tandq\t%r15,%rdi\n\tvpsllq\t$7,%xmm9,%xmm9\n\txorq\t%r10,%r14\n\taddq\t%r13,%r9\n\tvpxor\t%xmm10,%xmm8,%xmm8\n\txorq\t%r11,%rdi\n\tshrdq\t$28,%r14,%r14\n\tvpsrlq\t$6,%xmm0,%xmm11\n\taddq\t%r9,%rbx\n\taddq\t%rdi,%r9\n\tvpxor\t%xmm9,%xmm8,%xmm8\n\tmovq\t%rbx,%r13\n\taddq\t%r9,%r14\n\tvpsllq\t$3,%xmm0,%xmm10\n\tshrdq\t$23,%r13,%r13\n\tmovq\t%r14,%r9\n\tvpaddq\t%xmm8,%xmm1,%xmm1\n\tmovq\t%rcx,%r12\n\tshrdq\t$5,%r14,%r14\n\tvpsrlq\t$19,%xmm0,%xmm9\n\txorq\t%rbx,%r13\n\txorq\t%rdx,%r12\n\tvpxor\t%xmm10,%xmm11,%xmm11\n\tshrdq\t$4,%r13,%r13\n\txorq\t%r9,%r14\n\tvpsllq\t$42,%xmm10,%xmm10\n\tandq\t%rbx,%r12\n\txorq\t%rbx,%r13\n\tvpxor\t%xmm9,%xmm11,%xmm11\n\taddq\t24(%rsp),%r8\n\tmovq\t%r9,%rdi\n\tvpsrlq\t$42,%xmm9,%xmm9\n\txorq\t%rdx,%r12\n\tshrdq\t$6,%r14,%r14\n\tvpxor\t%xmm10,%xmm11,%xmm11\n\txorq\t%r10,%rdi\n\taddq\t%r12,%r8\n\tvpxor\t%xmm9,%xmm11,%xmm11\n\tshrdq\t$14,%r13,%r13\n\tandq\t%rdi,%r15\n\tvpaddq\t%xmm11,%xmm1,%xmm1\n\txorq\t%r9,%r14\n\taddq\t%r13,%r8\n\tvpaddq\t-96(%rbp),%xmm1,%xmm10\n\txorq\t%r10,%r15\n\tshrdq\t$28,%r14,%r14\n\taddq\t%r8,%rax\n\taddq\t%r15,%r8\n\tmovq\t%rax,%r13\n\taddq\t%r8,%r14\n\tvmovdqa\t%xmm10,16(%rsp)\n\tvpalignr\t$8,%xmm2,%xmm3,%xmm8\n\tshrdq\t$23,%r13,%r13\n\tmovq\t%r14,%r8\n\tvpalignr\t$8,%xmm6,%xmm7,%xmm11\n\tmovq\t%rbx,%r12\n\tshrdq\t$5,%r14,%r14\n\tvpsrlq\t$1,%xmm8,%xmm10\n\txorq\t%rax,%r13\n\txorq\t%rcx,%r12\n\tvpaddq\t%xmm11,%xmm2,%xmm2\n\tshrdq\t$4,%r13,%r13\n\txorq\t%r8,%r14\n\tvpsrlq\t$7,%xmm8,%xmm11\n\tandq\t%rax,%r12\n\txorq\t%rax,%r13\n\tvpsllq\t$56,%xmm8,%xmm9\n\taddq\t32(%rsp),%rdx\n\tmovq\t%r8,%r15\n\tvpxor\t%xmm10,%xmm11,%xmm8\n\txorq\t%rcx,%r12\n\tshrdq\t$6,%r14,%r14\n\tvpsrlq\t$7,%xmm10,%xmm10\n\txorq\t%r9,%r15\n\taddq\t%r12,%rdx\n\tvpxor\t%xmm9,%xmm8,%xmm8\n\tshrdq\t$14,%r13,%r13\n\tandq\t%r15,%rdi\n\tvpsllq\t$7,%xmm9,%xmm9\n\txorq\t%r8,%r14\n\taddq\t%r13,%rdx\n\tvpxor\t%xmm10,%xmm8,%xmm8\n\txorq\t%r9,%rdi\n\tshrdq\t$28,%r14,%r14\n\tvpsrlq\t$6,%xmm1,%xmm11\n\taddq\t%rdx,%r11\n\taddq\t%rdi,%rdx\n\tvpxor\t%xmm9,%xmm8,%xmm8\n\tmovq\t%r11,%r13\n\taddq\t%rdx,%r14\n\tvpsllq\t$3,%xmm1,%xmm10\n\tshrdq\t$23,%r13,%r13\n\tmovq\t%r14,%rdx\n\tvpaddq\t%xmm8,%xmm2,%xmm2\n\tmovq\t%rax,%r12\n\tshrdq\t$5,%r14,%r14\n\tvpsrlq\t$19,%xmm1,%xmm9\n\txorq\t%r11,%r13\n\txorq\t%rbx,%r12\n\tvpxor\t%xmm10,%xmm11,%xmm11\n\tshrdq\t$4,%r13,%r13\n\txorq\t%rdx,%r14\n\tvpsllq\t$42,%xmm10,%xmm10\n\tandq\t%r11,%r12\n\txorq\t%r11,%r13\n\tvpxor\t%xmm9,%xmm11,%xmm11\n\taddq\t40(%rsp),%rcx\n\tmovq\t%rdx,%rdi\n\tvpsrlq\t$42,%xmm9,%xmm9\n\txorq\t%rbx,%r12\n\tshrdq\t$6,%r14,%r14\n\tvpxor\t%xmm10,%xmm11,%xmm11\n\txorq\t%r8,%rdi\n\taddq\t%r12,%rcx\n\tvpxor\t%xmm9,%xmm11,%xmm11\n\tshrdq\t$14,%r13,%r13\n\tandq\t%rdi,%r15\n\tvpaddq\t%xmm11,%xmm2,%xmm2\n\txorq\t%rdx,%r14\n\taddq\t%r13,%rcx\n\tvpaddq\t-64(%rbp),%xmm2,%xmm10\n\txorq\t%r8,%r15\n\tshrdq\t$28,%r14,%r14\n\taddq\t%rcx,%r10\n\taddq\t%r15,%rcx\n\tmovq\t%r10,%r13\n\taddq\t%rcx,%r14\n\tvmovdqa\t%xmm10,32(%rsp)\n\tvpalignr\t$8,%xmm3,%xmm4,%xmm8\n\tshrdq\t$23,%r13,%r13\n\tmovq\t%r14,%rcx\n\tvpalignr\t$8,%xmm7,%xmm0,%xmm11\n\tmovq\t%r11,%r12\n\tshrdq\t$5,%r14,%r14\n\tvpsrlq\t$1,%xmm8,%xmm10\n\txorq\t%r10,%r13\n\txorq\t%rax,%r12\n\tvpaddq\t%xmm11,%xmm3,%xmm3\n\tshrdq\t$4,%r13,%r13\n\txorq\t%rcx,%r14\n\tvpsrlq\t$7,%xmm8,%xmm11\n\tandq\t%r10,%r12\n\txorq\t%r10,%r13\n\tvpsllq\t$56,%xmm8,%xmm9\n\taddq\t48(%rsp),%rbx\n\tmovq\t%rcx,%r15\n\tvpxor\t%xmm10,%xmm11,%xmm8\n\txorq\t%rax,%r12\n\tshrdq\t$6,%r14,%r14\n\tvpsrlq\t$7,%xmm10,%xmm10\n\txorq\t%rdx,%r15\n\taddq\t%r12,%rbx\n\tvpxor\t%xmm9,%xmm8,%xmm8\n\tshrdq\t$14,%r13,%r13\n\tandq\t%r15,%rdi\n\tvpsllq\t$7,%xmm9,%xmm9\n\txorq\t%rcx,%r14\n\taddq\t%r13,%rbx\n\tvpxor\t%xmm10,%xmm8,%xmm8\n\txorq\t%rdx,%rdi\n\tshrdq\t$28,%r14,%r14\n\tvpsrlq\t$6,%xmm2,%xmm11\n\taddq\t%rbx,%r9\n\taddq\t%rdi,%rbx\n\tvpxor\t%xmm9,%xmm8,%xmm8\n\tmovq\t%r9,%r13\n\taddq\t%rbx,%r14\n\tvpsllq\t$3,%xmm2,%xmm10\n\tshrdq\t$23,%r13,%r13\n\tmovq\t%r14,%rbx\n\tvpaddq\t%xmm8,%xmm3,%xmm3\n\tmovq\t%r10,%r12\n\tshrdq\t$5,%r14,%r14\n\tvpsrlq\t$19,%xmm2,%xmm9\n\txorq\t%r9,%r13\n\txorq\t%r11,%r12\n\tvpxor\t%xmm10,%xmm11,%xmm11\n\tshrdq\t$4,%r13,%r13\n\txorq\t%rbx,%r14\n\tvpsllq\t$42,%xmm10,%xmm10\n\tandq\t%r9,%r12\n\txorq\t%r9,%r13\n\tvpxor\t%xmm9,%xmm11,%xmm11\n\taddq\t56(%rsp),%rax\n\tmovq\t%rbx,%rdi\n\tvpsrlq\t$42,%xmm9,%xmm9\n\txorq\t%r11,%r12\n\tshrdq\t$6,%r14,%r14\n\tvpxor\t%xmm10,%xmm11,%xmm11\n\txorq\t%rcx,%rdi\n\taddq\t%r12,%rax\n\tvpxor\t%xmm9,%xmm11,%xmm11\n\tshrdq\t$14,%r13,%r13\n\tandq\t%rdi,%r15\n\tvpaddq\t%xmm11,%xmm3,%xmm3\n\txorq\t%rbx,%r14\n\taddq\t%r13,%rax\n\tvpaddq\t-32(%rbp),%xmm3,%xmm10\n\txorq\t%rcx,%r15\n\tshrdq\t$28,%r14,%r14\n\taddq\t%rax,%r8\n\taddq\t%r15,%rax\n\tmovq\t%r8,%r13\n\taddq\t%rax,%r14\n\tvmovdqa\t%xmm10,48(%rsp)\n\tvpalignr\t$8,%xmm4,%xmm5,%xmm8\n\tshrdq\t$23,%r13,%r13\n\tmovq\t%r14,%rax\n\tvpalignr\t$8,%xmm0,%xmm1,%xmm11\n\tmovq\t%r9,%r12\n\tshrdq\t$5,%r14,%r14\n\tvpsrlq\t$1,%xmm8,%xmm10\n\txorq\t%r8,%r13\n\txorq\t%r10,%r12\n\tvpaddq\t%xmm11,%xmm4,%xmm4\n\tshrdq\t$4,%r13,%r13\n\txorq\t%rax,%r14\n\tvpsrlq\t$7,%xmm8,%xmm11\n\tandq\t%r8,%r12\n\txorq\t%r8,%r13\n\tvpsllq\t$56,%xmm8,%xmm9\n\taddq\t64(%rsp),%r11\n\tmovq\t%rax,%r15\n\tvpxor\t%xmm10,%xmm11,%xmm8\n\txorq\t%r10,%r12\n\tshrdq\t$6,%r14,%r14\n\tvpsrlq\t$7,%xmm10,%xmm10\n\txorq\t%rbx,%r15\n\taddq\t%r12,%r11\n\tvpxor\t%xmm9,%xmm8,%xmm8\n\tshrdq\t$14,%r13,%r13\n\tandq\t%r15,%rdi\n\tvpsllq\t$7,%xmm9,%xmm9\n\txorq\t%rax,%r14\n\taddq\t%r13,%r11\n\tvpxor\t%xmm10,%xmm8,%xmm8\n\txorq\t%rbx,%rdi\n\tshrdq\t$28,%r14,%r14\n\tvpsrlq\t$6,%xmm3,%xmm11\n\taddq\t%r11,%rdx\n\taddq\t%rdi,%r11\n\tvpxor\t%xmm9,%xmm8,%xmm8\n\tmovq\t%rdx,%r13\n\taddq\t%r11,%r14\n\tvpsllq\t$3,%xmm3,%xmm10\n\tshrdq\t$23,%r13,%r13\n\tmovq\t%r14,%r11\n\tvpaddq\t%xmm8,%xmm4,%xmm4\n\tmovq\t%r8,%r12\n\tshrdq\t$5,%r14,%r14\n\tvpsrlq\t$19,%xmm3,%xmm9\n\txorq\t%rdx,%r13\n\txorq\t%r9,%r12\n\tvpxor\t%xmm10,%xmm11,%xmm11\n\tshrdq\t$4,%r13,%r13\n\txorq\t%r11,%r14\n\tvpsllq\t$42,%xmm10,%xmm10\n\tandq\t%rdx,%r12\n\txorq\t%rdx,%r13\n\tvpxor\t%xmm9,%xmm11,%xmm11\n\taddq\t72(%rsp),%r10\n\tmovq\t%r11,%rdi\n\tvpsrlq\t$42,%xmm9,%xmm9\n\txorq\t%r9,%r12\n\tshrdq\t$6,%r14,%r14\n\tvpxor\t%xmm10,%xmm11,%xmm11\n\txorq\t%rax,%rdi\n\taddq\t%r12,%r10\n\tvpxor\t%xmm9,%xmm11,%xmm11\n\tshrdq\t$14,%r13,%r13\n\tandq\t%rdi,%r15\n\tvpaddq\t%xmm11,%xmm4,%xmm4\n\txorq\t%r11,%r14\n\taddq\t%r13,%r10\n\tvpaddq\t0(%rbp),%xmm4,%xmm10\n\txorq\t%rax,%r15\n\tshrdq\t$28,%r14,%r14\n\taddq\t%r10,%rcx\n\taddq\t%r15,%r10\n\tmovq\t%rcx,%r13\n\taddq\t%r10,%r14\n\tvmovdqa\t%xmm10,64(%rsp)\n\tvpalignr\t$8,%xmm5,%xmm6,%xmm8\n\tshrdq\t$23,%r13,%r13\n\tmovq\t%r14,%r10\n\tvpalignr\t$8,%xmm1,%xmm2,%xmm11\n\tmovq\t%rdx,%r12\n\tshrdq\t$5,%r14,%r14\n\tvpsrlq\t$1,%xmm8,%xmm10\n\txorq\t%rcx,%r13\n\txorq\t%r8,%r12\n\tvpaddq\t%xmm11,%xmm5,%xmm5\n\tshrdq\t$4,%r13,%r13\n\txorq\t%r10,%r14\n\tvpsrlq\t$7,%xmm8,%xmm11\n\tandq\t%rcx,%r12\n\txorq\t%rcx,%r13\n\tvpsllq\t$56,%xmm8,%xmm9\n\taddq\t80(%rsp),%r9\n\tmovq\t%r10,%r15\n\tvpxor\t%xmm10,%xmm11,%xmm8\n\txorq\t%r8,%r12\n\tshrdq\t$6,%r14,%r14\n\tvpsrlq\t$7,%xmm10,%xmm10\n\txorq\t%r11,%r15\n\taddq\t%r12,%r9\n\tvpxor\t%xmm9,%xmm8,%xmm8\n\tshrdq\t$14,%r13,%r13\n\tandq\t%r15,%rdi\n\tvpsllq\t$7,%xmm9,%xmm9\n\txorq\t%r10,%r14\n\taddq\t%r13,%r9\n\tvpxor\t%xmm10,%xmm8,%xmm8\n\txorq\t%r11,%rdi\n\tshrdq\t$28,%r14,%r14\n\tvpsrlq\t$6,%xmm4,%xmm11\n\taddq\t%r9,%rbx\n\taddq\t%rdi,%r9\n\tvpxor\t%xmm9,%xmm8,%xmm8\n\tmovq\t%rbx,%r13\n\taddq\t%r9,%r14\n\tvpsllq\t$3,%xmm4,%xmm10\n\tshrdq\t$23,%r13,%r13\n\tmovq\t%r14,%r9\n\tvpaddq\t%xmm8,%xmm5,%xmm5\n\tmovq\t%rcx,%r12\n\tshrdq\t$5,%r14,%r14\n\tvpsrlq\t$19,%xmm4,%xmm9\n\txorq\t%rbx,%r13\n\txorq\t%rdx,%r12\n\tvpxor\t%xmm10,%xmm11,%xmm11\n\tshrdq\t$4,%r13,%r13\n\txorq\t%r9,%r14\n\tvpsllq\t$42,%xmm10,%xmm10\n\tandq\t%rbx,%r12\n\txorq\t%rbx,%r13\n\tvpxor\t%xmm9,%xmm11,%xmm11\n\taddq\t88(%rsp),%r8\n\tmovq\t%r9,%rdi\n\tvpsrlq\t$42,%xmm9,%xmm9\n\txorq\t%rdx,%r12\n\tshrdq\t$6,%r14,%r14\n\tvpxor\t%xmm10,%xmm11,%xmm11\n\txorq\t%r10,%rdi\n\taddq\t%r12,%r8\n\tvpxor\t%xmm9,%xmm11,%xmm11\n\tshrdq\t$14,%r13,%r13\n\tandq\t%rdi,%r15\n\tvpaddq\t%xmm11,%xmm5,%xmm5\n\txorq\t%r9,%r14\n\taddq\t%r13,%r8\n\tvpaddq\t32(%rbp),%xmm5,%xmm10\n\txorq\t%r10,%r15\n\tshrdq\t$28,%r14,%r14\n\taddq\t%r8,%rax\n\taddq\t%r15,%r8\n\tmovq\t%rax,%r13\n\taddq\t%r8,%r14\n\tvmovdqa\t%xmm10,80(%rsp)\n\tvpalignr\t$8,%xmm6,%xmm7,%xmm8\n\tshrdq\t$23,%r13,%r13\n\tmovq\t%r14,%r8\n\tvpalignr\t$8,%xmm2,%xmm3,%xmm11\n\tmovq\t%rbx,%r12\n\tshrdq\t$5,%r14,%r14\n\tvpsrlq\t$1,%xmm8,%xmm10\n\txorq\t%rax,%r13\n\txorq\t%rcx,%r12\n\tvpaddq\t%xmm11,%xmm6,%xmm6\n\tshrdq\t$4,%r13,%r13\n\txorq\t%r8,%r14\n\tvpsrlq\t$7,%xmm8,%xmm11\n\tandq\t%rax,%r12\n\txorq\t%rax,%r13\n\tvpsllq\t$56,%xmm8,%xmm9\n\taddq\t96(%rsp),%rdx\n\tmovq\t%r8,%r15\n\tvpxor\t%xmm10,%xmm11,%xmm8\n\txorq\t%rcx,%r12\n\tshrdq\t$6,%r14,%r14\n\tvpsrlq\t$7,%xmm10,%xmm10\n\txorq\t%r9,%r15\n\taddq\t%r12,%rdx\n\tvpxor\t%xmm9,%xmm8,%xmm8\n\tshrdq\t$14,%r13,%r13\n\tandq\t%r15,%rdi\n\tvpsllq\t$7,%xmm9,%xmm9\n\txorq\t%r8,%r14\n\taddq\t%r13,%rdx\n\tvpxor\t%xmm10,%xmm8,%xmm8\n\txorq\t%r9,%rdi\n\tshrdq\t$28,%r14,%r14\n\tvpsrlq\t$6,%xmm5,%xmm11\n\taddq\t%rdx,%r11\n\taddq\t%rdi,%rdx\n\tvpxor\t%xmm9,%xmm8,%xmm8\n\tmovq\t%r11,%r13\n\taddq\t%rdx,%r14\n\tvpsllq\t$3,%xmm5,%xmm10\n\tshrdq\t$23,%r13,%r13\n\tmovq\t%r14,%rdx\n\tvpaddq\t%xmm8,%xmm6,%xmm6\n\tmovq\t%rax,%r12\n\tshrdq\t$5,%r14,%r14\n\tvpsrlq\t$19,%xmm5,%xmm9\n\txorq\t%r11,%r13\n\txorq\t%rbx,%r12\n\tvpxor\t%xmm10,%xmm11,%xmm11\n\tshrdq\t$4,%r13,%r13\n\txorq\t%rdx,%r14\n\tvpsllq\t$42,%xmm10,%xmm10\n\tandq\t%r11,%r12\n\txorq\t%r11,%r13\n\tvpxor\t%xmm9,%xmm11,%xmm11\n\taddq\t104(%rsp),%rcx\n\tmovq\t%rdx,%rdi\n\tvpsrlq\t$42,%xmm9,%xmm9\n\txorq\t%rbx,%r12\n\tshrdq\t$6,%r14,%r14\n\tvpxor\t%xmm10,%xmm11,%xmm11\n\txorq\t%r8,%rdi\n\taddq\t%r12,%rcx\n\tvpxor\t%xmm9,%xmm11,%xmm11\n\tshrdq\t$14,%r13,%r13\n\tandq\t%rdi,%r15\n\tvpaddq\t%xmm11,%xmm6,%xmm6\n\txorq\t%rdx,%r14\n\taddq\t%r13,%rcx\n\tvpaddq\t64(%rbp),%xmm6,%xmm10\n\txorq\t%r8,%r15\n\tshrdq\t$28,%r14,%r14\n\taddq\t%rcx,%r10\n\taddq\t%r15,%rcx\n\tmovq\t%r10,%r13\n\taddq\t%rcx,%r14\n\tvmovdqa\t%xmm10,96(%rsp)\n\tvpalignr\t$8,%xmm7,%xmm0,%xmm8\n\tshrdq\t$23,%r13,%r13\n\tmovq\t%r14,%rcx\n\tvpalignr\t$8,%xmm3,%xmm4,%xmm11\n\tmovq\t%r11,%r12\n\tshrdq\t$5,%r14,%r14\n\tvpsrlq\t$1,%xmm8,%xmm10\n\txorq\t%r10,%r13\n\txorq\t%rax,%r12\n\tvpaddq\t%xmm11,%xmm7,%xmm7\n\tshrdq\t$4,%r13,%r13\n\txorq\t%rcx,%r14\n\tvpsrlq\t$7,%xmm8,%xmm11\n\tandq\t%r10,%r12\n\txorq\t%r10,%r13\n\tvpsllq\t$56,%xmm8,%xmm9\n\taddq\t112(%rsp),%rbx\n\tmovq\t%rcx,%r15\n\tvpxor\t%xmm10,%xmm11,%xmm8\n\txorq\t%rax,%r12\n\tshrdq\t$6,%r14,%r14\n\tvpsrlq\t$7,%xmm10,%xmm10\n\txorq\t%rdx,%r15\n\taddq\t%r12,%rbx\n\tvpxor\t%xmm9,%xmm8,%xmm8\n\tshrdq\t$14,%r13,%r13\n\tandq\t%r15,%rdi\n\tvpsllq\t$7,%xmm9,%xmm9\n\txorq\t%rcx,%r14\n\taddq\t%r13,%rbx\n\tvpxor\t%xmm10,%xmm8,%xmm8\n\txorq\t%rdx,%rdi\n\tshrdq\t$28,%r14,%r14\n\tvpsrlq\t$6,%xmm6,%xmm11\n\taddq\t%rbx,%r9\n\taddq\t%rdi,%rbx\n\tvpxor\t%xmm9,%xmm8,%xmm8\n\tmovq\t%r9,%r13\n\taddq\t%rbx,%r14\n\tvpsllq\t$3,%xmm6,%xmm10\n\tshrdq\t$23,%r13,%r13\n\tmovq\t%r14,%rbx\n\tvpaddq\t%xmm8,%xmm7,%xmm7\n\tmovq\t%r10,%r12\n\tshrdq\t$5,%r14,%r14\n\tvpsrlq\t$19,%xmm6,%xmm9\n\txorq\t%r9,%r13\n\txorq\t%r11,%r12\n\tvpxor\t%xmm10,%xmm11,%xmm11\n\tshrdq\t$4,%r13,%r13\n\txorq\t%rbx,%r14\n\tvpsllq\t$42,%xmm10,%xmm10\n\tandq\t%r9,%r12\n\txorq\t%r9,%r13\n\tvpxor\t%xmm9,%xmm11,%xmm11\n\taddq\t120(%rsp),%rax\n\tmovq\t%rbx,%rdi\n\tvpsrlq\t$42,%xmm9,%xmm9\n\txorq\t%r11,%r12\n\tshrdq\t$6,%r14,%r14\n\tvpxor\t%xmm10,%xmm11,%xmm11\n\txorq\t%rcx,%rdi\n\taddq\t%r12,%rax\n\tvpxor\t%xmm9,%xmm11,%xmm11\n\tshrdq\t$14,%r13,%r13\n\tandq\t%rdi,%r15\n\tvpaddq\t%xmm11,%xmm7,%xmm7\n\txorq\t%rbx,%r14\n\taddq\t%r13,%rax\n\tvpaddq\t96(%rbp),%xmm7,%xmm10\n\txorq\t%rcx,%r15\n\tshrdq\t$28,%r14,%r14\n\taddq\t%rax,%r8\n\taddq\t%r15,%rax\n\tmovq\t%r8,%r13\n\taddq\t%rax,%r14\n\tvmovdqa\t%xmm10,112(%rsp)\n\tcmpb\t$0,135(%rbp)\n\tjne\tL$avx_00_47\n\tshrdq\t$23,%r13,%r13\n\tmovq\t%r14,%rax\n\tmovq\t%r9,%r12\n\tshrdq\t$5,%r14,%r14\n\txorq\t%r8,%r13\n\txorq\t%r10,%r12\n\tshrdq\t$4,%r13,%r13\n\txorq\t%rax,%r14\n\tandq\t%r8,%r12\n\txorq\t%r8,%r13\n\taddq\t0(%rsp),%r11\n\tmovq\t%rax,%r15\n\txorq\t%r10,%r12\n\tshrdq\t$6,%r14,%r14\n\txorq\t%rbx,%r15\n\taddq\t%r12,%r11\n\tshrdq\t$14,%r13,%r13\n\tandq\t%r15,%rdi\n\txorq\t%rax,%r14\n\taddq\t%r13,%r11\n\txorq\t%rbx,%rdi\n\tshrdq\t$28,%r14,%r14\n\taddq\t%r11,%rdx\n\taddq\t%rdi,%r11\n\tmovq\t%rdx,%r13\n\taddq\t%r11,%r14\n\tshrdq\t$23,%r13,%r13\n\tmovq\t%r14,%r11\n\tmovq\t%r8,%r12\n\tshrdq\t$5,%r14,%r14\n\txorq\t%rdx,%r13\n\txorq\t%r9,%r12\n\tshrdq\t$4,%r13,%r13\n\txorq\t%r11,%r14\n\tandq\t%rdx,%r12\n\txorq\t%rdx,%r13\n\taddq\t8(%rsp),%r10\n\tmovq\t%r11,%rdi\n\txorq\t%r9,%r12\n\tshrdq\t$6,%r14,%r14\n\txorq\t%rax,%rdi\n\taddq\t%r12,%r10\n\tshrdq\t$14,%r13,%r13\n\tandq\t%rdi,%r15\n\txorq\t%r11,%r14\n\taddq\t%r13,%r10\n\txorq\t%rax,%r15\n\tshrdq\t$28,%r14,%r14\n\taddq\t%r10,%rcx\n\taddq\t%r15,%r10\n\tmovq\t%rcx,%r13\n\taddq\t%r10,%r14\n\tshrdq\t$23,%r13,%r13\n\tmovq\t%r14,%r10\n\tmovq\t%rdx,%r12\n\tshrdq\t$5,%r14,%r14\n\txorq\t%rcx,%r13\n\txorq\t%r8,%r12\n\tshrdq\t$4,%r13,%r13\n\txorq\t%r10,%r14\n\tandq\t%rcx,%r12\n\txorq\t%rcx,%r13\n\taddq\t16(%rsp),%r9\n\tmovq\t%r10,%r15\n\txorq\t%r8,%r12\n\tshrdq\t$6,%r14,%r14\n\txorq\t%r11,%r15\n\taddq\t%r12,%r9\n\tshrdq\t$14,%r13,%r13\n\tandq\t%r15,%rdi\n\txorq\t%r10,%r14\n\taddq\t%r13,%r9\n\txorq\t%r11,%rdi\n\tshrdq\t$28,%r14,%r14\n\taddq\t%r9,%rbx\n\taddq\t%rdi,%r9\n\tmovq\t%rbx,%r13\n\taddq\t%r9,%r14\n\tshrdq\t$23,%r13,%r13\n\tmovq\t%r14,%r9\n\tmovq\t%rcx,%r12\n\tshrdq\t$5,%r14,%r14\n\txorq\t%rbx,%r13\n\txorq\t%rdx,%r12\n\tshrdq\t$4,%r13,%r13\n\txorq\t%r9,%r14\n\tandq\t%rbx,%r12\n\txorq\t%rbx,%r13\n\taddq\t24(%rsp),%r8\n\tmovq\t%r9,%rdi\n\txorq\t%rdx,%r12\n\tshrdq\t$6,%r14,%r14\n\txorq\t%r10,%rdi\n\taddq\t%r12,%r8\n\tshrdq\t$14,%r13,%r13\n\tandq\t%rdi,%r15\n\txorq\t%r9,%r14\n\taddq\t%r13,%r8\n\txorq\t%r10,%r15\n\tshrdq\t$28,%r14,%r14\n\taddq\t%r8,%rax\n\taddq\t%r15,%r8\n\tmovq\t%rax,%r13\n\taddq\t%r8,%r14\n\tshrdq\t$23,%r13,%r13\n\tmovq\t%r14,%r8\n\tmovq\t%rbx,%r12\n\tshrdq\t$5,%r14,%r14\n\txorq\t%rax,%r13\n\txorq\t%rcx,%r12\n\tshrdq\t$4,%r13,%r13\n\txorq\t%r8,%r14\n\tandq\t%rax,%r12\n\txorq\t%rax,%r13\n\taddq\t32(%rsp),%rdx\n\tmovq\t%r8,%r15\n\txorq\t%rcx,%r12\n\tshrdq\t$6,%r14,%r14\n\txorq\t%r9,%r15\n\taddq\t%r12,%rdx\n\tshrdq\t$14,%r13,%r13\n\tandq\t%r15,%rdi\n\txorq\t%r8,%r14\n\taddq\t%r13,%rdx\n\txorq\t%r9,%rdi\n\tshrdq\t$28,%r14,%r14\n\taddq\t%rdx,%r11\n\taddq\t%rdi,%rdx\n\tmovq\t%r11,%r13\n\taddq\t%rdx,%r14\n\tshrdq\t$23,%r13,%r13\n\tmovq\t%r14,%rdx\n\tmovq\t%rax,%r12\n\tshrdq\t$5,%r14,%r14\n\txorq\t%r11,%r13\n\txorq\t%rbx,%r12\n\tshrdq\t$4,%r13,%r13\n\txorq\t%rdx,%r14\n\tandq\t%r11,%r12\n\txorq\t%r11,%r13\n\taddq\t40(%rsp),%rcx\n\tmovq\t%rdx,%rdi\n\txorq\t%rbx,%r12\n\tshrdq\t$6,%r14,%r14\n\txorq\t%r8,%rdi\n\taddq\t%r12,%rcx\n\tshrdq\t$14,%r13,%r13\n\tandq\t%rdi,%r15\n\txorq\t%rdx,%r14\n\taddq\t%r13,%rcx\n\txorq\t%r8,%r15\n\tshrdq\t$28,%r14,%r14\n\taddq\t%rcx,%r10\n\taddq\t%r15,%rcx\n\tmovq\t%r10,%r13\n\taddq\t%rcx,%r14\n\tshrdq\t$23,%r13,%r13\n\tmovq\t%r14,%rcx\n\tmovq\t%r11,%r12\n\tshrdq\t$5,%r14,%r14\n\txorq\t%r10,%r13\n\txorq\t%rax,%r12\n\tshrdq\t$4,%r13,%r13\n\txorq\t%rcx,%r14\n\tandq\t%r10,%r12\n\txorq\t%r10,%r13\n\taddq\t48(%rsp),%rbx\n\tmovq\t%rcx,%r15\n\txorq\t%rax,%r12\n\tshrdq\t$6,%r14,%r14\n\txorq\t%rdx,%r15\n\taddq\t%r12,%rbx\n\tshrdq\t$14,%r13,%r13\n\tandq\t%r15,%rdi\n\txorq\t%rcx,%r14\n\taddq\t%r13,%rbx\n\txorq\t%rdx,%rdi\n\tshrdq\t$28,%r14,%r14\n\taddq\t%rbx,%r9\n\taddq\t%rdi,%rbx\n\tmovq\t%r9,%r13\n\taddq\t%rbx,%r14\n\tshrdq\t$23,%r13,%r13\n\tmovq\t%r14,%rbx\n\tmovq\t%r10,%r12\n\tshrdq\t$5,%r14,%r14\n\txorq\t%r9,%r13\n\txorq\t%r11,%r12\n\tshrdq\t$4,%r13,%r13\n\txorq\t%rbx,%r14\n\tandq\t%r9,%r12\n\txorq\t%r9,%r13\n\taddq\t56(%rsp),%rax\n\tmovq\t%rbx,%rdi\n\txorq\t%r11,%r12\n\tshrdq\t$6,%r14,%r14\n\txorq\t%rcx,%rdi\n\taddq\t%r12,%rax\n\tshrdq\t$14,%r13,%r13\n\tandq\t%rdi,%r15\n\txorq\t%rbx,%r14\n\taddq\t%r13,%rax\n\txorq\t%rcx,%r15\n\tshrdq\t$28,%r14,%r14\n\taddq\t%rax,%r8\n\taddq\t%r15,%rax\n\tmovq\t%r8,%r13\n\taddq\t%rax,%r14\n\tshrdq\t$23,%r13,%r13\n\tmovq\t%r14,%rax\n\tmovq\t%r9,%r12\n\tshrdq\t$5,%r14,%r14\n\txorq\t%r8,%r13\n\txorq\t%r10,%r12\n\tshrdq\t$4,%r13,%r13\n\txorq\t%rax,%r14\n\tandq\t%r8,%r12\n\txorq\t%r8,%r13\n\taddq\t64(%rsp),%r11\n\tmovq\t%rax,%r15\n\txorq\t%r10,%r12\n\tshrdq\t$6,%r14,%r14\n\txorq\t%rbx,%r15\n\taddq\t%r12,%r11\n\tshrdq\t$14,%r13,%r13\n\tandq\t%r15,%rdi\n\txorq\t%rax,%r14\n\taddq\t%r13,%r11\n\txorq\t%rbx,%rdi\n\tshrdq\t$28,%r14,%r14\n\taddq\t%r11,%rdx\n\taddq\t%rdi,%r11\n\tmovq\t%rdx,%r13\n\taddq\t%r11,%r14\n\tshrdq\t$23,%r13,%r13\n\tmovq\t%r14,%r11\n\tmovq\t%r8,%r12\n\tshrdq\t$5,%r14,%r14\n\txorq\t%rdx,%r13\n\txorq\t%r9,%r12\n\tshrdq\t$4,%r13,%r13\n\txorq\t%r11,%r14\n\tandq\t%rdx,%r12\n\txorq\t%rdx,%r13\n\taddq\t72(%rsp),%r10\n\tmovq\t%r11,%rdi\n\txorq\t%r9,%r12\n\tshrdq\t$6,%r14,%r14\n\txorq\t%rax,%rdi\n\taddq\t%r12,%r10\n\tshrdq\t$14,%r13,%r13\n\tandq\t%rdi,%r15\n\txorq\t%r11,%r14\n\taddq\t%r13,%r10\n\txorq\t%rax,%r15\n\tshrdq\t$28,%r14,%r14\n\taddq\t%r10,%rcx\n\taddq\t%r15,%r10\n\tmovq\t%rcx,%r13\n\taddq\t%r10,%r14\n\tshrdq\t$23,%r13,%r13\n\tmovq\t%r14,%r10\n\tmovq\t%rdx,%r12\n\tshrdq\t$5,%r14,%r14\n\txorq\t%rcx,%r13\n\txorq\t%r8,%r12\n\tshrdq\t$4,%r13,%r13\n\txorq\t%r10,%r14\n\tandq\t%rcx,%r12\n\txorq\t%rcx,%r13\n\taddq\t80(%rsp),%r9\n\tmovq\t%r10,%r15\n\txorq\t%r8,%r12\n\tshrdq\t$6,%r14,%r14\n\txorq\t%r11,%r15\n\taddq\t%r12,%r9\n\tshrdq\t$14,%r13,%r13\n\tandq\t%r15,%rdi\n\txorq\t%r10,%r14\n\taddq\t%r13,%r9\n\txorq\t%r11,%rdi\n\tshrdq\t$28,%r14,%r14\n\taddq\t%r9,%rbx\n\taddq\t%rdi,%r9\n\tmovq\t%rbx,%r13\n\taddq\t%r9,%r14\n\tshrdq\t$23,%r13,%r13\n\tmovq\t%r14,%r9\n\tmovq\t%rcx,%r12\n\tshrdq\t$5,%r14,%r14\n\txorq\t%rbx,%r13\n\txorq\t%rdx,%r12\n\tshrdq\t$4,%r13,%r13\n\txorq\t%r9,%r14\n\tandq\t%rbx,%r12\n\txorq\t%rbx,%r13\n\taddq\t88(%rsp),%r8\n\tmovq\t%r9,%rdi\n\txorq\t%rdx,%r12\n\tshrdq\t$6,%r14,%r14\n\txorq\t%r10,%rdi\n\taddq\t%r12,%r8\n\tshrdq\t$14,%r13,%r13\n\tandq\t%rdi,%r15\n\txorq\t%r9,%r14\n\taddq\t%r13,%r8\n\txorq\t%r10,%r15\n\tshrdq\t$28,%r14,%r14\n\taddq\t%r8,%rax\n\taddq\t%r15,%r8\n\tmovq\t%rax,%r13\n\taddq\t%r8,%r14\n\tshrdq\t$23,%r13,%r13\n\tmovq\t%r14,%r8\n\tmovq\t%rbx,%r12\n\tshrdq\t$5,%r14,%r14\n\txorq\t%rax,%r13\n\txorq\t%rcx,%r12\n\tshrdq\t$4,%r13,%r13\n\txorq\t%r8,%r14\n\tandq\t%rax,%r12\n\txorq\t%rax,%r13\n\taddq\t96(%rsp),%rdx\n\tmovq\t%r8,%r15\n\txorq\t%rcx,%r12\n\tshrdq\t$6,%r14,%r14\n\txorq\t%r9,%r15\n\taddq\t%r12,%rdx\n\tshrdq\t$14,%r13,%r13\n\tandq\t%r15,%rdi\n\txorq\t%r8,%r14\n\taddq\t%r13,%rdx\n\txorq\t%r9,%rdi\n\tshrdq\t$28,%r14,%r14\n\taddq\t%rdx,%r11\n\taddq\t%rdi,%rdx\n\tmovq\t%r11,%r13\n\taddq\t%rdx,%r14\n\tshrdq\t$23,%r13,%r13\n\tmovq\t%r14,%rdx\n\tmovq\t%rax,%r12\n\tshrdq\t$5,%r14,%r14\n\txorq\t%r11,%r13\n\txorq\t%rbx,%r12\n\tshrdq\t$4,%r13,%r13\n\txorq\t%rdx,%r14\n\tandq\t%r11,%r12\n\txorq\t%r11,%r13\n\taddq\t104(%rsp),%rcx\n\tmovq\t%rdx,%rdi\n\txorq\t%rbx,%r12\n\tshrdq\t$6,%r14,%r14\n\txorq\t%r8,%rdi\n\taddq\t%r12,%rcx\n\tshrdq\t$14,%r13,%r13\n\tandq\t%rdi,%r15\n\txorq\t%rdx,%r14\n\taddq\t%r13,%rcx\n\txorq\t%r8,%r15\n\tshrdq\t$28,%r14,%r14\n\taddq\t%rcx,%r10\n\taddq\t%r15,%rcx\n\tmovq\t%r10,%r13\n\taddq\t%rcx,%r14\n\tshrdq\t$23,%r13,%r13\n\tmovq\t%r14,%rcx\n\tmovq\t%r11,%r12\n\tshrdq\t$5,%r14,%r14\n\txorq\t%r10,%r13\n\txorq\t%rax,%r12\n\tshrdq\t$4,%r13,%r13\n\txorq\t%rcx,%r14\n\tandq\t%r10,%r12\n\txorq\t%r10,%r13\n\taddq\t112(%rsp),%rbx\n\tmovq\t%rcx,%r15\n\txorq\t%rax,%r12\n\tshrdq\t$6,%r14,%r14\n\txorq\t%rdx,%r15\n\taddq\t%r12,%rbx\n\tshrdq\t$14,%r13,%r13\n\tandq\t%r15,%rdi\n\txorq\t%rcx,%r14\n\taddq\t%r13,%rbx\n\txorq\t%rdx,%rdi\n\tshrdq\t$28,%r14,%r14\n\taddq\t%rbx,%r9\n\taddq\t%rdi,%rbx\n\tmovq\t%r9,%r13\n\taddq\t%rbx,%r14\n\tshrdq\t$23,%r13,%r13\n\tmovq\t%r14,%rbx\n\tmovq\t%r10,%r12\n\tshrdq\t$5,%r14,%r14\n\txorq\t%r9,%r13\n\txorq\t%r11,%r12\n\tshrdq\t$4,%r13,%r13\n\txorq\t%rbx,%r14\n\tandq\t%r9,%r12\n\txorq\t%r9,%r13\n\taddq\t120(%rsp),%rax\n\tmovq\t%rbx,%rdi\n\txorq\t%r11,%r12\n\tshrdq\t$6,%r14,%r14\n\txorq\t%rcx,%rdi\n\taddq\t%r12,%rax\n\tshrdq\t$14,%r13,%r13\n\tandq\t%rdi,%r15\n\txorq\t%rbx,%r14\n\taddq\t%r13,%rax\n\txorq\t%rcx,%r15\n\tshrdq\t$28,%r14,%r14\n\taddq\t%rax,%r8\n\taddq\t%r15,%rax\n\tmovq\t%r8,%r13\n\taddq\t%rax,%r14\n\tmovq\t128+0(%rsp),%rdi\n\tmovq\t%r14,%rax\n\n\taddq\t0(%rdi),%rax\n\tleaq\t128(%rsi),%rsi\n\taddq\t8(%rdi),%rbx\n\taddq\t16(%rdi),%rcx\n\taddq\t24(%rdi),%rdx\n\taddq\t32(%rdi),%r8\n\taddq\t40(%rdi),%r9\n\taddq\t48(%rdi),%r10\n\taddq\t56(%rdi),%r11\n\n\tcmpq\t128+16(%rsp),%rsi\n\n\tmovq\t%rax,0(%rdi)\n\tmovq\t%rbx,8(%rdi)\n\tmovq\t%rcx,16(%rdi)\n\tmovq\t%rdx,24(%rdi)\n\tmovq\t%r8,32(%rdi)\n\tmovq\t%r9,40(%rdi)\n\tmovq\t%r10,48(%rdi)\n\tmovq\t%r11,56(%rdi)\n\tjb\tL$loop_avx\n\n\tmovq\t152(%rsp),%rsi\n\n\tvzeroupper\n\tmovq\t-48(%rsi),%r15\n\n\tmovq\t-40(%rsi),%r14\n\n\tmovq\t-32(%rsi),%r13\n\n\tmovq\t-24(%rsi),%r12\n\n\tmovq\t-16(%rsi),%rbp\n\n\tmovq\t-8(%rsi),%rbx\n\n\tleaq\t(%rsi),%rsp\n\nL$epilogue_avx:\n\tret\n\n\n#endif\n#if defined(__linux__) && defined(__ELF__)\n.section .note.GNU-stack,\"\",%progbits\n#endif\n\n" }, { "path": "Sources/CNIOBoringSSL/gen/bcm/sha512-x86_64-linux.S", "content": "#define BORINGSSL_PREFIX CNIOBoringSSL\n// This file is generated from a similarly-named Perl script in the BoringSSL\n// source tree. Do not edit by hand.\n\n#include \n\n#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86_64) && defined(__ELF__)\n.text\t\n\n.globl\tsha512_block_data_order_nohw\n.hidden sha512_block_data_order_nohw\n.type\tsha512_block_data_order_nohw,@function\n.align\t16\nsha512_block_data_order_nohw:\n.cfi_startproc\t\n_CET_ENDBR\n\tmovq\t%rsp,%rax\n.cfi_def_cfa_register\t%rax\n\tpushq\t%rbx\n.cfi_offset\t%rbx,-16\n\tpushq\t%rbp\n.cfi_offset\t%rbp,-24\n\tpushq\t%r12\n.cfi_offset\t%r12,-32\n\tpushq\t%r13\n.cfi_offset\t%r13,-40\n\tpushq\t%r14\n.cfi_offset\t%r14,-48\n\tpushq\t%r15\n.cfi_offset\t%r15,-56\n\tshlq\t$4,%rdx\n\tsubq\t$128+32,%rsp\n\tleaq\t(%rsi,%rdx,8),%rdx\n\tandq\t$-64,%rsp\n\tmovq\t%rdi,128+0(%rsp)\n\tmovq\t%rsi,128+8(%rsp)\n\tmovq\t%rdx,128+16(%rsp)\n\tmovq\t%rax,152(%rsp)\n.cfi_escape\t0x0f,0x06,0x77,0x98,0x01,0x06,0x23,0x08\n.Lprologue:\n\n\tmovq\t0(%rdi),%rax\n\tmovq\t8(%rdi),%rbx\n\tmovq\t16(%rdi),%rcx\n\tmovq\t24(%rdi),%rdx\n\tmovq\t32(%rdi),%r8\n\tmovq\t40(%rdi),%r9\n\tmovq\t48(%rdi),%r10\n\tmovq\t56(%rdi),%r11\n\tjmp\t.Lloop\n\n.align\t16\n.Lloop:\n\tmovq\t%rbx,%rdi\n\tleaq\tK512(%rip),%rbp\n\txorq\t%rcx,%rdi\n\tmovq\t0(%rsi),%r12\n\tmovq\t%r8,%r13\n\tmovq\t%rax,%r14\n\tbswapq\t%r12\n\trorq\t$23,%r13\n\tmovq\t%r9,%r15\n\n\txorq\t%r8,%r13\n\trorq\t$5,%r14\n\txorq\t%r10,%r15\n\n\tmovq\t%r12,0(%rsp)\n\txorq\t%rax,%r14\n\tandq\t%r8,%r15\n\n\trorq\t$4,%r13\n\taddq\t%r11,%r12\n\txorq\t%r10,%r15\n\n\trorq\t$6,%r14\n\txorq\t%r8,%r13\n\taddq\t%r15,%r12\n\n\tmovq\t%rax,%r15\n\taddq\t(%rbp),%r12\n\txorq\t%rax,%r14\n\n\txorq\t%rbx,%r15\n\trorq\t$14,%r13\n\tmovq\t%rbx,%r11\n\n\tandq\t%r15,%rdi\n\trorq\t$28,%r14\n\taddq\t%r13,%r12\n\n\txorq\t%rdi,%r11\n\taddq\t%r12,%rdx\n\taddq\t%r12,%r11\n\n\tleaq\t8(%rbp),%rbp\n\taddq\t%r14,%r11\n\tmovq\t8(%rsi),%r12\n\tmovq\t%rdx,%r13\n\tmovq\t%r11,%r14\n\tbswapq\t%r12\n\trorq\t$23,%r13\n\tmovq\t%r8,%rdi\n\n\txorq\t%rdx,%r13\n\trorq\t$5,%r14\n\txorq\t%r9,%rdi\n\n\tmovq\t%r12,8(%rsp)\n\txorq\t%r11,%r14\n\tandq\t%rdx,%rdi\n\n\trorq\t$4,%r13\n\taddq\t%r10,%r12\n\txorq\t%r9,%rdi\n\n\trorq\t$6,%r14\n\txorq\t%rdx,%r13\n\taddq\t%rdi,%r12\n\n\tmovq\t%r11,%rdi\n\taddq\t(%rbp),%r12\n\txorq\t%r11,%r14\n\n\txorq\t%rax,%rdi\n\trorq\t$14,%r13\n\tmovq\t%rax,%r10\n\n\tandq\t%rdi,%r15\n\trorq\t$28,%r14\n\taddq\t%r13,%r12\n\n\txorq\t%r15,%r10\n\taddq\t%r12,%rcx\n\taddq\t%r12,%r10\n\n\tleaq\t24(%rbp),%rbp\n\taddq\t%r14,%r10\n\tmovq\t16(%rsi),%r12\n\tmovq\t%rcx,%r13\n\tmovq\t%r10,%r14\n\tbswapq\t%r12\n\trorq\t$23,%r13\n\tmovq\t%rdx,%r15\n\n\txorq\t%rcx,%r13\n\trorq\t$5,%r14\n\txorq\t%r8,%r15\n\n\tmovq\t%r12,16(%rsp)\n\txorq\t%r10,%r14\n\tandq\t%rcx,%r15\n\n\trorq\t$4,%r13\n\taddq\t%r9,%r12\n\txorq\t%r8,%r15\n\n\trorq\t$6,%r14\n\txorq\t%rcx,%r13\n\taddq\t%r15,%r12\n\n\tmovq\t%r10,%r15\n\taddq\t(%rbp),%r12\n\txorq\t%r10,%r14\n\n\txorq\t%r11,%r15\n\trorq\t$14,%r13\n\tmovq\t%r11,%r9\n\n\tandq\t%r15,%rdi\n\trorq\t$28,%r14\n\taddq\t%r13,%r12\n\n\txorq\t%rdi,%r9\n\taddq\t%r12,%rbx\n\taddq\t%r12,%r9\n\n\tleaq\t8(%rbp),%rbp\n\taddq\t%r14,%r9\n\tmovq\t24(%rsi),%r12\n\tmovq\t%rbx,%r13\n\tmovq\t%r9,%r14\n\tbswapq\t%r12\n\trorq\t$23,%r13\n\tmovq\t%rcx,%rdi\n\n\txorq\t%rbx,%r13\n\trorq\t$5,%r14\n\txorq\t%rdx,%rdi\n\n\tmovq\t%r12,24(%rsp)\n\txorq\t%r9,%r14\n\tandq\t%rbx,%rdi\n\n\trorq\t$4,%r13\n\taddq\t%r8,%r12\n\txorq\t%rdx,%rdi\n\n\trorq\t$6,%r14\n\txorq\t%rbx,%r13\n\taddq\t%rdi,%r12\n\n\tmovq\t%r9,%rdi\n\taddq\t(%rbp),%r12\n\txorq\t%r9,%r14\n\n\txorq\t%r10,%rdi\n\trorq\t$14,%r13\n\tmovq\t%r10,%r8\n\n\tandq\t%rdi,%r15\n\trorq\t$28,%r14\n\taddq\t%r13,%r12\n\n\txorq\t%r15,%r8\n\taddq\t%r12,%rax\n\taddq\t%r12,%r8\n\n\tleaq\t24(%rbp),%rbp\n\taddq\t%r14,%r8\n\tmovq\t32(%rsi),%r12\n\tmovq\t%rax,%r13\n\tmovq\t%r8,%r14\n\tbswapq\t%r12\n\trorq\t$23,%r13\n\tmovq\t%rbx,%r15\n\n\txorq\t%rax,%r13\n\trorq\t$5,%r14\n\txorq\t%rcx,%r15\n\n\tmovq\t%r12,32(%rsp)\n\txorq\t%r8,%r14\n\tandq\t%rax,%r15\n\n\trorq\t$4,%r13\n\taddq\t%rdx,%r12\n\txorq\t%rcx,%r15\n\n\trorq\t$6,%r14\n\txorq\t%rax,%r13\n\taddq\t%r15,%r12\n\n\tmovq\t%r8,%r15\n\taddq\t(%rbp),%r12\n\txorq\t%r8,%r14\n\n\txorq\t%r9,%r15\n\trorq\t$14,%r13\n\tmovq\t%r9,%rdx\n\n\tandq\t%r15,%rdi\n\trorq\t$28,%r14\n\taddq\t%r13,%r12\n\n\txorq\t%rdi,%rdx\n\taddq\t%r12,%r11\n\taddq\t%r12,%rdx\n\n\tleaq\t8(%rbp),%rbp\n\taddq\t%r14,%rdx\n\tmovq\t40(%rsi),%r12\n\tmovq\t%r11,%r13\n\tmovq\t%rdx,%r14\n\tbswapq\t%r12\n\trorq\t$23,%r13\n\tmovq\t%rax,%rdi\n\n\txorq\t%r11,%r13\n\trorq\t$5,%r14\n\txorq\t%rbx,%rdi\n\n\tmovq\t%r12,40(%rsp)\n\txorq\t%rdx,%r14\n\tandq\t%r11,%rdi\n\n\trorq\t$4,%r13\n\taddq\t%rcx,%r12\n\txorq\t%rbx,%rdi\n\n\trorq\t$6,%r14\n\txorq\t%r11,%r13\n\taddq\t%rdi,%r12\n\n\tmovq\t%rdx,%rdi\n\taddq\t(%rbp),%r12\n\txorq\t%rdx,%r14\n\n\txorq\t%r8,%rdi\n\trorq\t$14,%r13\n\tmovq\t%r8,%rcx\n\n\tandq\t%rdi,%r15\n\trorq\t$28,%r14\n\taddq\t%r13,%r12\n\n\txorq\t%r15,%rcx\n\taddq\t%r12,%r10\n\taddq\t%r12,%rcx\n\n\tleaq\t24(%rbp),%rbp\n\taddq\t%r14,%rcx\n\tmovq\t48(%rsi),%r12\n\tmovq\t%r10,%r13\n\tmovq\t%rcx,%r14\n\tbswapq\t%r12\n\trorq\t$23,%r13\n\tmovq\t%r11,%r15\n\n\txorq\t%r10,%r13\n\trorq\t$5,%r14\n\txorq\t%rax,%r15\n\n\tmovq\t%r12,48(%rsp)\n\txorq\t%rcx,%r14\n\tandq\t%r10,%r15\n\n\trorq\t$4,%r13\n\taddq\t%rbx,%r12\n\txorq\t%rax,%r15\n\n\trorq\t$6,%r14\n\txorq\t%r10,%r13\n\taddq\t%r15,%r12\n\n\tmovq\t%rcx,%r15\n\taddq\t(%rbp),%r12\n\txorq\t%rcx,%r14\n\n\txorq\t%rdx,%r15\n\trorq\t$14,%r13\n\tmovq\t%rdx,%rbx\n\n\tandq\t%r15,%rdi\n\trorq\t$28,%r14\n\taddq\t%r13,%r12\n\n\txorq\t%rdi,%rbx\n\taddq\t%r12,%r9\n\taddq\t%r12,%rbx\n\n\tleaq\t8(%rbp),%rbp\n\taddq\t%r14,%rbx\n\tmovq\t56(%rsi),%r12\n\tmovq\t%r9,%r13\n\tmovq\t%rbx,%r14\n\tbswapq\t%r12\n\trorq\t$23,%r13\n\tmovq\t%r10,%rdi\n\n\txorq\t%r9,%r13\n\trorq\t$5,%r14\n\txorq\t%r11,%rdi\n\n\tmovq\t%r12,56(%rsp)\n\txorq\t%rbx,%r14\n\tandq\t%r9,%rdi\n\n\trorq\t$4,%r13\n\taddq\t%rax,%r12\n\txorq\t%r11,%rdi\n\n\trorq\t$6,%r14\n\txorq\t%r9,%r13\n\taddq\t%rdi,%r12\n\n\tmovq\t%rbx,%rdi\n\taddq\t(%rbp),%r12\n\txorq\t%rbx,%r14\n\n\txorq\t%rcx,%rdi\n\trorq\t$14,%r13\n\tmovq\t%rcx,%rax\n\n\tandq\t%rdi,%r15\n\trorq\t$28,%r14\n\taddq\t%r13,%r12\n\n\txorq\t%r15,%rax\n\taddq\t%r12,%r8\n\taddq\t%r12,%rax\n\n\tleaq\t24(%rbp),%rbp\n\taddq\t%r14,%rax\n\tmovq\t64(%rsi),%r12\n\tmovq\t%r8,%r13\n\tmovq\t%rax,%r14\n\tbswapq\t%r12\n\trorq\t$23,%r13\n\tmovq\t%r9,%r15\n\n\txorq\t%r8,%r13\n\trorq\t$5,%r14\n\txorq\t%r10,%r15\n\n\tmovq\t%r12,64(%rsp)\n\txorq\t%rax,%r14\n\tandq\t%r8,%r15\n\n\trorq\t$4,%r13\n\taddq\t%r11,%r12\n\txorq\t%r10,%r15\n\n\trorq\t$6,%r14\n\txorq\t%r8,%r13\n\taddq\t%r15,%r12\n\n\tmovq\t%rax,%r15\n\taddq\t(%rbp),%r12\n\txorq\t%rax,%r14\n\n\txorq\t%rbx,%r15\n\trorq\t$14,%r13\n\tmovq\t%rbx,%r11\n\n\tandq\t%r15,%rdi\n\trorq\t$28,%r14\n\taddq\t%r13,%r12\n\n\txorq\t%rdi,%r11\n\taddq\t%r12,%rdx\n\taddq\t%r12,%r11\n\n\tleaq\t8(%rbp),%rbp\n\taddq\t%r14,%r11\n\tmovq\t72(%rsi),%r12\n\tmovq\t%rdx,%r13\n\tmovq\t%r11,%r14\n\tbswapq\t%r12\n\trorq\t$23,%r13\n\tmovq\t%r8,%rdi\n\n\txorq\t%rdx,%r13\n\trorq\t$5,%r14\n\txorq\t%r9,%rdi\n\n\tmovq\t%r12,72(%rsp)\n\txorq\t%r11,%r14\n\tandq\t%rdx,%rdi\n\n\trorq\t$4,%r13\n\taddq\t%r10,%r12\n\txorq\t%r9,%rdi\n\n\trorq\t$6,%r14\n\txorq\t%rdx,%r13\n\taddq\t%rdi,%r12\n\n\tmovq\t%r11,%rdi\n\taddq\t(%rbp),%r12\n\txorq\t%r11,%r14\n\n\txorq\t%rax,%rdi\n\trorq\t$14,%r13\n\tmovq\t%rax,%r10\n\n\tandq\t%rdi,%r15\n\trorq\t$28,%r14\n\taddq\t%r13,%r12\n\n\txorq\t%r15,%r10\n\taddq\t%r12,%rcx\n\taddq\t%r12,%r10\n\n\tleaq\t24(%rbp),%rbp\n\taddq\t%r14,%r10\n\tmovq\t80(%rsi),%r12\n\tmovq\t%rcx,%r13\n\tmovq\t%r10,%r14\n\tbswapq\t%r12\n\trorq\t$23,%r13\n\tmovq\t%rdx,%r15\n\n\txorq\t%rcx,%r13\n\trorq\t$5,%r14\n\txorq\t%r8,%r15\n\n\tmovq\t%r12,80(%rsp)\n\txorq\t%r10,%r14\n\tandq\t%rcx,%r15\n\n\trorq\t$4,%r13\n\taddq\t%r9,%r12\n\txorq\t%r8,%r15\n\n\trorq\t$6,%r14\n\txorq\t%rcx,%r13\n\taddq\t%r15,%r12\n\n\tmovq\t%r10,%r15\n\taddq\t(%rbp),%r12\n\txorq\t%r10,%r14\n\n\txorq\t%r11,%r15\n\trorq\t$14,%r13\n\tmovq\t%r11,%r9\n\n\tandq\t%r15,%rdi\n\trorq\t$28,%r14\n\taddq\t%r13,%r12\n\n\txorq\t%rdi,%r9\n\taddq\t%r12,%rbx\n\taddq\t%r12,%r9\n\n\tleaq\t8(%rbp),%rbp\n\taddq\t%r14,%r9\n\tmovq\t88(%rsi),%r12\n\tmovq\t%rbx,%r13\n\tmovq\t%r9,%r14\n\tbswapq\t%r12\n\trorq\t$23,%r13\n\tmovq\t%rcx,%rdi\n\n\txorq\t%rbx,%r13\n\trorq\t$5,%r14\n\txorq\t%rdx,%rdi\n\n\tmovq\t%r12,88(%rsp)\n\txorq\t%r9,%r14\n\tandq\t%rbx,%rdi\n\n\trorq\t$4,%r13\n\taddq\t%r8,%r12\n\txorq\t%rdx,%rdi\n\n\trorq\t$6,%r14\n\txorq\t%rbx,%r13\n\taddq\t%rdi,%r12\n\n\tmovq\t%r9,%rdi\n\taddq\t(%rbp),%r12\n\txorq\t%r9,%r14\n\n\txorq\t%r10,%rdi\n\trorq\t$14,%r13\n\tmovq\t%r10,%r8\n\n\tandq\t%rdi,%r15\n\trorq\t$28,%r14\n\taddq\t%r13,%r12\n\n\txorq\t%r15,%r8\n\taddq\t%r12,%rax\n\taddq\t%r12,%r8\n\n\tleaq\t24(%rbp),%rbp\n\taddq\t%r14,%r8\n\tmovq\t96(%rsi),%r12\n\tmovq\t%rax,%r13\n\tmovq\t%r8,%r14\n\tbswapq\t%r12\n\trorq\t$23,%r13\n\tmovq\t%rbx,%r15\n\n\txorq\t%rax,%r13\n\trorq\t$5,%r14\n\txorq\t%rcx,%r15\n\n\tmovq\t%r12,96(%rsp)\n\txorq\t%r8,%r14\n\tandq\t%rax,%r15\n\n\trorq\t$4,%r13\n\taddq\t%rdx,%r12\n\txorq\t%rcx,%r15\n\n\trorq\t$6,%r14\n\txorq\t%rax,%r13\n\taddq\t%r15,%r12\n\n\tmovq\t%r8,%r15\n\taddq\t(%rbp),%r12\n\txorq\t%r8,%r14\n\n\txorq\t%r9,%r15\n\trorq\t$14,%r13\n\tmovq\t%r9,%rdx\n\n\tandq\t%r15,%rdi\n\trorq\t$28,%r14\n\taddq\t%r13,%r12\n\n\txorq\t%rdi,%rdx\n\taddq\t%r12,%r11\n\taddq\t%r12,%rdx\n\n\tleaq\t8(%rbp),%rbp\n\taddq\t%r14,%rdx\n\tmovq\t104(%rsi),%r12\n\tmovq\t%r11,%r13\n\tmovq\t%rdx,%r14\n\tbswapq\t%r12\n\trorq\t$23,%r13\n\tmovq\t%rax,%rdi\n\n\txorq\t%r11,%r13\n\trorq\t$5,%r14\n\txorq\t%rbx,%rdi\n\n\tmovq\t%r12,104(%rsp)\n\txorq\t%rdx,%r14\n\tandq\t%r11,%rdi\n\n\trorq\t$4,%r13\n\taddq\t%rcx,%r12\n\txorq\t%rbx,%rdi\n\n\trorq\t$6,%r14\n\txorq\t%r11,%r13\n\taddq\t%rdi,%r12\n\n\tmovq\t%rdx,%rdi\n\taddq\t(%rbp),%r12\n\txorq\t%rdx,%r14\n\n\txorq\t%r8,%rdi\n\trorq\t$14,%r13\n\tmovq\t%r8,%rcx\n\n\tandq\t%rdi,%r15\n\trorq\t$28,%r14\n\taddq\t%r13,%r12\n\n\txorq\t%r15,%rcx\n\taddq\t%r12,%r10\n\taddq\t%r12,%rcx\n\n\tleaq\t24(%rbp),%rbp\n\taddq\t%r14,%rcx\n\tmovq\t112(%rsi),%r12\n\tmovq\t%r10,%r13\n\tmovq\t%rcx,%r14\n\tbswapq\t%r12\n\trorq\t$23,%r13\n\tmovq\t%r11,%r15\n\n\txorq\t%r10,%r13\n\trorq\t$5,%r14\n\txorq\t%rax,%r15\n\n\tmovq\t%r12,112(%rsp)\n\txorq\t%rcx,%r14\n\tandq\t%r10,%r15\n\n\trorq\t$4,%r13\n\taddq\t%rbx,%r12\n\txorq\t%rax,%r15\n\n\trorq\t$6,%r14\n\txorq\t%r10,%r13\n\taddq\t%r15,%r12\n\n\tmovq\t%rcx,%r15\n\taddq\t(%rbp),%r12\n\txorq\t%rcx,%r14\n\n\txorq\t%rdx,%r15\n\trorq\t$14,%r13\n\tmovq\t%rdx,%rbx\n\n\tandq\t%r15,%rdi\n\trorq\t$28,%r14\n\taddq\t%r13,%r12\n\n\txorq\t%rdi,%rbx\n\taddq\t%r12,%r9\n\taddq\t%r12,%rbx\n\n\tleaq\t8(%rbp),%rbp\n\taddq\t%r14,%rbx\n\tmovq\t120(%rsi),%r12\n\tmovq\t%r9,%r13\n\tmovq\t%rbx,%r14\n\tbswapq\t%r12\n\trorq\t$23,%r13\n\tmovq\t%r10,%rdi\n\n\txorq\t%r9,%r13\n\trorq\t$5,%r14\n\txorq\t%r11,%rdi\n\n\tmovq\t%r12,120(%rsp)\n\txorq\t%rbx,%r14\n\tandq\t%r9,%rdi\n\n\trorq\t$4,%r13\n\taddq\t%rax,%r12\n\txorq\t%r11,%rdi\n\n\trorq\t$6,%r14\n\txorq\t%r9,%r13\n\taddq\t%rdi,%r12\n\n\tmovq\t%rbx,%rdi\n\taddq\t(%rbp),%r12\n\txorq\t%rbx,%r14\n\n\txorq\t%rcx,%rdi\n\trorq\t$14,%r13\n\tmovq\t%rcx,%rax\n\n\tandq\t%rdi,%r15\n\trorq\t$28,%r14\n\taddq\t%r13,%r12\n\n\txorq\t%r15,%rax\n\taddq\t%r12,%r8\n\taddq\t%r12,%rax\n\n\tleaq\t24(%rbp),%rbp\n\tjmp\t.Lrounds_16_xx\n.align\t16\n.Lrounds_16_xx:\n\tmovq\t8(%rsp),%r13\n\tmovq\t112(%rsp),%r15\n\n\tmovq\t%r13,%r12\n\trorq\t$7,%r13\n\taddq\t%r14,%rax\n\tmovq\t%r15,%r14\n\trorq\t$42,%r15\n\n\txorq\t%r12,%r13\n\tshrq\t$7,%r12\n\trorq\t$1,%r13\n\txorq\t%r14,%r15\n\tshrq\t$6,%r14\n\n\trorq\t$19,%r15\n\txorq\t%r13,%r12\n\txorq\t%r14,%r15\n\taddq\t72(%rsp),%r12\n\n\taddq\t0(%rsp),%r12\n\tmovq\t%r8,%r13\n\taddq\t%r15,%r12\n\tmovq\t%rax,%r14\n\trorq\t$23,%r13\n\tmovq\t%r9,%r15\n\n\txorq\t%r8,%r13\n\trorq\t$5,%r14\n\txorq\t%r10,%r15\n\n\tmovq\t%r12,0(%rsp)\n\txorq\t%rax,%r14\n\tandq\t%r8,%r15\n\n\trorq\t$4,%r13\n\taddq\t%r11,%r12\n\txorq\t%r10,%r15\n\n\trorq\t$6,%r14\n\txorq\t%r8,%r13\n\taddq\t%r15,%r12\n\n\tmovq\t%rax,%r15\n\taddq\t(%rbp),%r12\n\txorq\t%rax,%r14\n\n\txorq\t%rbx,%r15\n\trorq\t$14,%r13\n\tmovq\t%rbx,%r11\n\n\tandq\t%r15,%rdi\n\trorq\t$28,%r14\n\taddq\t%r13,%r12\n\n\txorq\t%rdi,%r11\n\taddq\t%r12,%rdx\n\taddq\t%r12,%r11\n\n\tleaq\t8(%rbp),%rbp\n\tmovq\t16(%rsp),%r13\n\tmovq\t120(%rsp),%rdi\n\n\tmovq\t%r13,%r12\n\trorq\t$7,%r13\n\taddq\t%r14,%r11\n\tmovq\t%rdi,%r14\n\trorq\t$42,%rdi\n\n\txorq\t%r12,%r13\n\tshrq\t$7,%r12\n\trorq\t$1,%r13\n\txorq\t%r14,%rdi\n\tshrq\t$6,%r14\n\n\trorq\t$19,%rdi\n\txorq\t%r13,%r12\n\txorq\t%r14,%rdi\n\taddq\t80(%rsp),%r12\n\n\taddq\t8(%rsp),%r12\n\tmovq\t%rdx,%r13\n\taddq\t%rdi,%r12\n\tmovq\t%r11,%r14\n\trorq\t$23,%r13\n\tmovq\t%r8,%rdi\n\n\txorq\t%rdx,%r13\n\trorq\t$5,%r14\n\txorq\t%r9,%rdi\n\n\tmovq\t%r12,8(%rsp)\n\txorq\t%r11,%r14\n\tandq\t%rdx,%rdi\n\n\trorq\t$4,%r13\n\taddq\t%r10,%r12\n\txorq\t%r9,%rdi\n\n\trorq\t$6,%r14\n\txorq\t%rdx,%r13\n\taddq\t%rdi,%r12\n\n\tmovq\t%r11,%rdi\n\taddq\t(%rbp),%r12\n\txorq\t%r11,%r14\n\n\txorq\t%rax,%rdi\n\trorq\t$14,%r13\n\tmovq\t%rax,%r10\n\n\tandq\t%rdi,%r15\n\trorq\t$28,%r14\n\taddq\t%r13,%r12\n\n\txorq\t%r15,%r10\n\taddq\t%r12,%rcx\n\taddq\t%r12,%r10\n\n\tleaq\t24(%rbp),%rbp\n\tmovq\t24(%rsp),%r13\n\tmovq\t0(%rsp),%r15\n\n\tmovq\t%r13,%r12\n\trorq\t$7,%r13\n\taddq\t%r14,%r10\n\tmovq\t%r15,%r14\n\trorq\t$42,%r15\n\n\txorq\t%r12,%r13\n\tshrq\t$7,%r12\n\trorq\t$1,%r13\n\txorq\t%r14,%r15\n\tshrq\t$6,%r14\n\n\trorq\t$19,%r15\n\txorq\t%r13,%r12\n\txorq\t%r14,%r15\n\taddq\t88(%rsp),%r12\n\n\taddq\t16(%rsp),%r12\n\tmovq\t%rcx,%r13\n\taddq\t%r15,%r12\n\tmovq\t%r10,%r14\n\trorq\t$23,%r13\n\tmovq\t%rdx,%r15\n\n\txorq\t%rcx,%r13\n\trorq\t$5,%r14\n\txorq\t%r8,%r15\n\n\tmovq\t%r12,16(%rsp)\n\txorq\t%r10,%r14\n\tandq\t%rcx,%r15\n\n\trorq\t$4,%r13\n\taddq\t%r9,%r12\n\txorq\t%r8,%r15\n\n\trorq\t$6,%r14\n\txorq\t%rcx,%r13\n\taddq\t%r15,%r12\n\n\tmovq\t%r10,%r15\n\taddq\t(%rbp),%r12\n\txorq\t%r10,%r14\n\n\txorq\t%r11,%r15\n\trorq\t$14,%r13\n\tmovq\t%r11,%r9\n\n\tandq\t%r15,%rdi\n\trorq\t$28,%r14\n\taddq\t%r13,%r12\n\n\txorq\t%rdi,%r9\n\taddq\t%r12,%rbx\n\taddq\t%r12,%r9\n\n\tleaq\t8(%rbp),%rbp\n\tmovq\t32(%rsp),%r13\n\tmovq\t8(%rsp),%rdi\n\n\tmovq\t%r13,%r12\n\trorq\t$7,%r13\n\taddq\t%r14,%r9\n\tmovq\t%rdi,%r14\n\trorq\t$42,%rdi\n\n\txorq\t%r12,%r13\n\tshrq\t$7,%r12\n\trorq\t$1,%r13\n\txorq\t%r14,%rdi\n\tshrq\t$6,%r14\n\n\trorq\t$19,%rdi\n\txorq\t%r13,%r12\n\txorq\t%r14,%rdi\n\taddq\t96(%rsp),%r12\n\n\taddq\t24(%rsp),%r12\n\tmovq\t%rbx,%r13\n\taddq\t%rdi,%r12\n\tmovq\t%r9,%r14\n\trorq\t$23,%r13\n\tmovq\t%rcx,%rdi\n\n\txorq\t%rbx,%r13\n\trorq\t$5,%r14\n\txorq\t%rdx,%rdi\n\n\tmovq\t%r12,24(%rsp)\n\txorq\t%r9,%r14\n\tandq\t%rbx,%rdi\n\n\trorq\t$4,%r13\n\taddq\t%r8,%r12\n\txorq\t%rdx,%rdi\n\n\trorq\t$6,%r14\n\txorq\t%rbx,%r13\n\taddq\t%rdi,%r12\n\n\tmovq\t%r9,%rdi\n\taddq\t(%rbp),%r12\n\txorq\t%r9,%r14\n\n\txorq\t%r10,%rdi\n\trorq\t$14,%r13\n\tmovq\t%r10,%r8\n\n\tandq\t%rdi,%r15\n\trorq\t$28,%r14\n\taddq\t%r13,%r12\n\n\txorq\t%r15,%r8\n\taddq\t%r12,%rax\n\taddq\t%r12,%r8\n\n\tleaq\t24(%rbp),%rbp\n\tmovq\t40(%rsp),%r13\n\tmovq\t16(%rsp),%r15\n\n\tmovq\t%r13,%r12\n\trorq\t$7,%r13\n\taddq\t%r14,%r8\n\tmovq\t%r15,%r14\n\trorq\t$42,%r15\n\n\txorq\t%r12,%r13\n\tshrq\t$7,%r12\n\trorq\t$1,%r13\n\txorq\t%r14,%r15\n\tshrq\t$6,%r14\n\n\trorq\t$19,%r15\n\txorq\t%r13,%r12\n\txorq\t%r14,%r15\n\taddq\t104(%rsp),%r12\n\n\taddq\t32(%rsp),%r12\n\tmovq\t%rax,%r13\n\taddq\t%r15,%r12\n\tmovq\t%r8,%r14\n\trorq\t$23,%r13\n\tmovq\t%rbx,%r15\n\n\txorq\t%rax,%r13\n\trorq\t$5,%r14\n\txorq\t%rcx,%r15\n\n\tmovq\t%r12,32(%rsp)\n\txorq\t%r8,%r14\n\tandq\t%rax,%r15\n\n\trorq\t$4,%r13\n\taddq\t%rdx,%r12\n\txorq\t%rcx,%r15\n\n\trorq\t$6,%r14\n\txorq\t%rax,%r13\n\taddq\t%r15,%r12\n\n\tmovq\t%r8,%r15\n\taddq\t(%rbp),%r12\n\txorq\t%r8,%r14\n\n\txorq\t%r9,%r15\n\trorq\t$14,%r13\n\tmovq\t%r9,%rdx\n\n\tandq\t%r15,%rdi\n\trorq\t$28,%r14\n\taddq\t%r13,%r12\n\n\txorq\t%rdi,%rdx\n\taddq\t%r12,%r11\n\taddq\t%r12,%rdx\n\n\tleaq\t8(%rbp),%rbp\n\tmovq\t48(%rsp),%r13\n\tmovq\t24(%rsp),%rdi\n\n\tmovq\t%r13,%r12\n\trorq\t$7,%r13\n\taddq\t%r14,%rdx\n\tmovq\t%rdi,%r14\n\trorq\t$42,%rdi\n\n\txorq\t%r12,%r13\n\tshrq\t$7,%r12\n\trorq\t$1,%r13\n\txorq\t%r14,%rdi\n\tshrq\t$6,%r14\n\n\trorq\t$19,%rdi\n\txorq\t%r13,%r12\n\txorq\t%r14,%rdi\n\taddq\t112(%rsp),%r12\n\n\taddq\t40(%rsp),%r12\n\tmovq\t%r11,%r13\n\taddq\t%rdi,%r12\n\tmovq\t%rdx,%r14\n\trorq\t$23,%r13\n\tmovq\t%rax,%rdi\n\n\txorq\t%r11,%r13\n\trorq\t$5,%r14\n\txorq\t%rbx,%rdi\n\n\tmovq\t%r12,40(%rsp)\n\txorq\t%rdx,%r14\n\tandq\t%r11,%rdi\n\n\trorq\t$4,%r13\n\taddq\t%rcx,%r12\n\txorq\t%rbx,%rdi\n\n\trorq\t$6,%r14\n\txorq\t%r11,%r13\n\taddq\t%rdi,%r12\n\n\tmovq\t%rdx,%rdi\n\taddq\t(%rbp),%r12\n\txorq\t%rdx,%r14\n\n\txorq\t%r8,%rdi\n\trorq\t$14,%r13\n\tmovq\t%r8,%rcx\n\n\tandq\t%rdi,%r15\n\trorq\t$28,%r14\n\taddq\t%r13,%r12\n\n\txorq\t%r15,%rcx\n\taddq\t%r12,%r10\n\taddq\t%r12,%rcx\n\n\tleaq\t24(%rbp),%rbp\n\tmovq\t56(%rsp),%r13\n\tmovq\t32(%rsp),%r15\n\n\tmovq\t%r13,%r12\n\trorq\t$7,%r13\n\taddq\t%r14,%rcx\n\tmovq\t%r15,%r14\n\trorq\t$42,%r15\n\n\txorq\t%r12,%r13\n\tshrq\t$7,%r12\n\trorq\t$1,%r13\n\txorq\t%r14,%r15\n\tshrq\t$6,%r14\n\n\trorq\t$19,%r15\n\txorq\t%r13,%r12\n\txorq\t%r14,%r15\n\taddq\t120(%rsp),%r12\n\n\taddq\t48(%rsp),%r12\n\tmovq\t%r10,%r13\n\taddq\t%r15,%r12\n\tmovq\t%rcx,%r14\n\trorq\t$23,%r13\n\tmovq\t%r11,%r15\n\n\txorq\t%r10,%r13\n\trorq\t$5,%r14\n\txorq\t%rax,%r15\n\n\tmovq\t%r12,48(%rsp)\n\txorq\t%rcx,%r14\n\tandq\t%r10,%r15\n\n\trorq\t$4,%r13\n\taddq\t%rbx,%r12\n\txorq\t%rax,%r15\n\n\trorq\t$6,%r14\n\txorq\t%r10,%r13\n\taddq\t%r15,%r12\n\n\tmovq\t%rcx,%r15\n\taddq\t(%rbp),%r12\n\txorq\t%rcx,%r14\n\n\txorq\t%rdx,%r15\n\trorq\t$14,%r13\n\tmovq\t%rdx,%rbx\n\n\tandq\t%r15,%rdi\n\trorq\t$28,%r14\n\taddq\t%r13,%r12\n\n\txorq\t%rdi,%rbx\n\taddq\t%r12,%r9\n\taddq\t%r12,%rbx\n\n\tleaq\t8(%rbp),%rbp\n\tmovq\t64(%rsp),%r13\n\tmovq\t40(%rsp),%rdi\n\n\tmovq\t%r13,%r12\n\trorq\t$7,%r13\n\taddq\t%r14,%rbx\n\tmovq\t%rdi,%r14\n\trorq\t$42,%rdi\n\n\txorq\t%r12,%r13\n\tshrq\t$7,%r12\n\trorq\t$1,%r13\n\txorq\t%r14,%rdi\n\tshrq\t$6,%r14\n\n\trorq\t$19,%rdi\n\txorq\t%r13,%r12\n\txorq\t%r14,%rdi\n\taddq\t0(%rsp),%r12\n\n\taddq\t56(%rsp),%r12\n\tmovq\t%r9,%r13\n\taddq\t%rdi,%r12\n\tmovq\t%rbx,%r14\n\trorq\t$23,%r13\n\tmovq\t%r10,%rdi\n\n\txorq\t%r9,%r13\n\trorq\t$5,%r14\n\txorq\t%r11,%rdi\n\n\tmovq\t%r12,56(%rsp)\n\txorq\t%rbx,%r14\n\tandq\t%r9,%rdi\n\n\trorq\t$4,%r13\n\taddq\t%rax,%r12\n\txorq\t%r11,%rdi\n\n\trorq\t$6,%r14\n\txorq\t%r9,%r13\n\taddq\t%rdi,%r12\n\n\tmovq\t%rbx,%rdi\n\taddq\t(%rbp),%r12\n\txorq\t%rbx,%r14\n\n\txorq\t%rcx,%rdi\n\trorq\t$14,%r13\n\tmovq\t%rcx,%rax\n\n\tandq\t%rdi,%r15\n\trorq\t$28,%r14\n\taddq\t%r13,%r12\n\n\txorq\t%r15,%rax\n\taddq\t%r12,%r8\n\taddq\t%r12,%rax\n\n\tleaq\t24(%rbp),%rbp\n\tmovq\t72(%rsp),%r13\n\tmovq\t48(%rsp),%r15\n\n\tmovq\t%r13,%r12\n\trorq\t$7,%r13\n\taddq\t%r14,%rax\n\tmovq\t%r15,%r14\n\trorq\t$42,%r15\n\n\txorq\t%r12,%r13\n\tshrq\t$7,%r12\n\trorq\t$1,%r13\n\txorq\t%r14,%r15\n\tshrq\t$6,%r14\n\n\trorq\t$19,%r15\n\txorq\t%r13,%r12\n\txorq\t%r14,%r15\n\taddq\t8(%rsp),%r12\n\n\taddq\t64(%rsp),%r12\n\tmovq\t%r8,%r13\n\taddq\t%r15,%r12\n\tmovq\t%rax,%r14\n\trorq\t$23,%r13\n\tmovq\t%r9,%r15\n\n\txorq\t%r8,%r13\n\trorq\t$5,%r14\n\txorq\t%r10,%r15\n\n\tmovq\t%r12,64(%rsp)\n\txorq\t%rax,%r14\n\tandq\t%r8,%r15\n\n\trorq\t$4,%r13\n\taddq\t%r11,%r12\n\txorq\t%r10,%r15\n\n\trorq\t$6,%r14\n\txorq\t%r8,%r13\n\taddq\t%r15,%r12\n\n\tmovq\t%rax,%r15\n\taddq\t(%rbp),%r12\n\txorq\t%rax,%r14\n\n\txorq\t%rbx,%r15\n\trorq\t$14,%r13\n\tmovq\t%rbx,%r11\n\n\tandq\t%r15,%rdi\n\trorq\t$28,%r14\n\taddq\t%r13,%r12\n\n\txorq\t%rdi,%r11\n\taddq\t%r12,%rdx\n\taddq\t%r12,%r11\n\n\tleaq\t8(%rbp),%rbp\n\tmovq\t80(%rsp),%r13\n\tmovq\t56(%rsp),%rdi\n\n\tmovq\t%r13,%r12\n\trorq\t$7,%r13\n\taddq\t%r14,%r11\n\tmovq\t%rdi,%r14\n\trorq\t$42,%rdi\n\n\txorq\t%r12,%r13\n\tshrq\t$7,%r12\n\trorq\t$1,%r13\n\txorq\t%r14,%rdi\n\tshrq\t$6,%r14\n\n\trorq\t$19,%rdi\n\txorq\t%r13,%r12\n\txorq\t%r14,%rdi\n\taddq\t16(%rsp),%r12\n\n\taddq\t72(%rsp),%r12\n\tmovq\t%rdx,%r13\n\taddq\t%rdi,%r12\n\tmovq\t%r11,%r14\n\trorq\t$23,%r13\n\tmovq\t%r8,%rdi\n\n\txorq\t%rdx,%r13\n\trorq\t$5,%r14\n\txorq\t%r9,%rdi\n\n\tmovq\t%r12,72(%rsp)\n\txorq\t%r11,%r14\n\tandq\t%rdx,%rdi\n\n\trorq\t$4,%r13\n\taddq\t%r10,%r12\n\txorq\t%r9,%rdi\n\n\trorq\t$6,%r14\n\txorq\t%rdx,%r13\n\taddq\t%rdi,%r12\n\n\tmovq\t%r11,%rdi\n\taddq\t(%rbp),%r12\n\txorq\t%r11,%r14\n\n\txorq\t%rax,%rdi\n\trorq\t$14,%r13\n\tmovq\t%rax,%r10\n\n\tandq\t%rdi,%r15\n\trorq\t$28,%r14\n\taddq\t%r13,%r12\n\n\txorq\t%r15,%r10\n\taddq\t%r12,%rcx\n\taddq\t%r12,%r10\n\n\tleaq\t24(%rbp),%rbp\n\tmovq\t88(%rsp),%r13\n\tmovq\t64(%rsp),%r15\n\n\tmovq\t%r13,%r12\n\trorq\t$7,%r13\n\taddq\t%r14,%r10\n\tmovq\t%r15,%r14\n\trorq\t$42,%r15\n\n\txorq\t%r12,%r13\n\tshrq\t$7,%r12\n\trorq\t$1,%r13\n\txorq\t%r14,%r15\n\tshrq\t$6,%r14\n\n\trorq\t$19,%r15\n\txorq\t%r13,%r12\n\txorq\t%r14,%r15\n\taddq\t24(%rsp),%r12\n\n\taddq\t80(%rsp),%r12\n\tmovq\t%rcx,%r13\n\taddq\t%r15,%r12\n\tmovq\t%r10,%r14\n\trorq\t$23,%r13\n\tmovq\t%rdx,%r15\n\n\txorq\t%rcx,%r13\n\trorq\t$5,%r14\n\txorq\t%r8,%r15\n\n\tmovq\t%r12,80(%rsp)\n\txorq\t%r10,%r14\n\tandq\t%rcx,%r15\n\n\trorq\t$4,%r13\n\taddq\t%r9,%r12\n\txorq\t%r8,%r15\n\n\trorq\t$6,%r14\n\txorq\t%rcx,%r13\n\taddq\t%r15,%r12\n\n\tmovq\t%r10,%r15\n\taddq\t(%rbp),%r12\n\txorq\t%r10,%r14\n\n\txorq\t%r11,%r15\n\trorq\t$14,%r13\n\tmovq\t%r11,%r9\n\n\tandq\t%r15,%rdi\n\trorq\t$28,%r14\n\taddq\t%r13,%r12\n\n\txorq\t%rdi,%r9\n\taddq\t%r12,%rbx\n\taddq\t%r12,%r9\n\n\tleaq\t8(%rbp),%rbp\n\tmovq\t96(%rsp),%r13\n\tmovq\t72(%rsp),%rdi\n\n\tmovq\t%r13,%r12\n\trorq\t$7,%r13\n\taddq\t%r14,%r9\n\tmovq\t%rdi,%r14\n\trorq\t$42,%rdi\n\n\txorq\t%r12,%r13\n\tshrq\t$7,%r12\n\trorq\t$1,%r13\n\txorq\t%r14,%rdi\n\tshrq\t$6,%r14\n\n\trorq\t$19,%rdi\n\txorq\t%r13,%r12\n\txorq\t%r14,%rdi\n\taddq\t32(%rsp),%r12\n\n\taddq\t88(%rsp),%r12\n\tmovq\t%rbx,%r13\n\taddq\t%rdi,%r12\n\tmovq\t%r9,%r14\n\trorq\t$23,%r13\n\tmovq\t%rcx,%rdi\n\n\txorq\t%rbx,%r13\n\trorq\t$5,%r14\n\txorq\t%rdx,%rdi\n\n\tmovq\t%r12,88(%rsp)\n\txorq\t%r9,%r14\n\tandq\t%rbx,%rdi\n\n\trorq\t$4,%r13\n\taddq\t%r8,%r12\n\txorq\t%rdx,%rdi\n\n\trorq\t$6,%r14\n\txorq\t%rbx,%r13\n\taddq\t%rdi,%r12\n\n\tmovq\t%r9,%rdi\n\taddq\t(%rbp),%r12\n\txorq\t%r9,%r14\n\n\txorq\t%r10,%rdi\n\trorq\t$14,%r13\n\tmovq\t%r10,%r8\n\n\tandq\t%rdi,%r15\n\trorq\t$28,%r14\n\taddq\t%r13,%r12\n\n\txorq\t%r15,%r8\n\taddq\t%r12,%rax\n\taddq\t%r12,%r8\n\n\tleaq\t24(%rbp),%rbp\n\tmovq\t104(%rsp),%r13\n\tmovq\t80(%rsp),%r15\n\n\tmovq\t%r13,%r12\n\trorq\t$7,%r13\n\taddq\t%r14,%r8\n\tmovq\t%r15,%r14\n\trorq\t$42,%r15\n\n\txorq\t%r12,%r13\n\tshrq\t$7,%r12\n\trorq\t$1,%r13\n\txorq\t%r14,%r15\n\tshrq\t$6,%r14\n\n\trorq\t$19,%r15\n\txorq\t%r13,%r12\n\txorq\t%r14,%r15\n\taddq\t40(%rsp),%r12\n\n\taddq\t96(%rsp),%r12\n\tmovq\t%rax,%r13\n\taddq\t%r15,%r12\n\tmovq\t%r8,%r14\n\trorq\t$23,%r13\n\tmovq\t%rbx,%r15\n\n\txorq\t%rax,%r13\n\trorq\t$5,%r14\n\txorq\t%rcx,%r15\n\n\tmovq\t%r12,96(%rsp)\n\txorq\t%r8,%r14\n\tandq\t%rax,%r15\n\n\trorq\t$4,%r13\n\taddq\t%rdx,%r12\n\txorq\t%rcx,%r15\n\n\trorq\t$6,%r14\n\txorq\t%rax,%r13\n\taddq\t%r15,%r12\n\n\tmovq\t%r8,%r15\n\taddq\t(%rbp),%r12\n\txorq\t%r8,%r14\n\n\txorq\t%r9,%r15\n\trorq\t$14,%r13\n\tmovq\t%r9,%rdx\n\n\tandq\t%r15,%rdi\n\trorq\t$28,%r14\n\taddq\t%r13,%r12\n\n\txorq\t%rdi,%rdx\n\taddq\t%r12,%r11\n\taddq\t%r12,%rdx\n\n\tleaq\t8(%rbp),%rbp\n\tmovq\t112(%rsp),%r13\n\tmovq\t88(%rsp),%rdi\n\n\tmovq\t%r13,%r12\n\trorq\t$7,%r13\n\taddq\t%r14,%rdx\n\tmovq\t%rdi,%r14\n\trorq\t$42,%rdi\n\n\txorq\t%r12,%r13\n\tshrq\t$7,%r12\n\trorq\t$1,%r13\n\txorq\t%r14,%rdi\n\tshrq\t$6,%r14\n\n\trorq\t$19,%rdi\n\txorq\t%r13,%r12\n\txorq\t%r14,%rdi\n\taddq\t48(%rsp),%r12\n\n\taddq\t104(%rsp),%r12\n\tmovq\t%r11,%r13\n\taddq\t%rdi,%r12\n\tmovq\t%rdx,%r14\n\trorq\t$23,%r13\n\tmovq\t%rax,%rdi\n\n\txorq\t%r11,%r13\n\trorq\t$5,%r14\n\txorq\t%rbx,%rdi\n\n\tmovq\t%r12,104(%rsp)\n\txorq\t%rdx,%r14\n\tandq\t%r11,%rdi\n\n\trorq\t$4,%r13\n\taddq\t%rcx,%r12\n\txorq\t%rbx,%rdi\n\n\trorq\t$6,%r14\n\txorq\t%r11,%r13\n\taddq\t%rdi,%r12\n\n\tmovq\t%rdx,%rdi\n\taddq\t(%rbp),%r12\n\txorq\t%rdx,%r14\n\n\txorq\t%r8,%rdi\n\trorq\t$14,%r13\n\tmovq\t%r8,%rcx\n\n\tandq\t%rdi,%r15\n\trorq\t$28,%r14\n\taddq\t%r13,%r12\n\n\txorq\t%r15,%rcx\n\taddq\t%r12,%r10\n\taddq\t%r12,%rcx\n\n\tleaq\t24(%rbp),%rbp\n\tmovq\t120(%rsp),%r13\n\tmovq\t96(%rsp),%r15\n\n\tmovq\t%r13,%r12\n\trorq\t$7,%r13\n\taddq\t%r14,%rcx\n\tmovq\t%r15,%r14\n\trorq\t$42,%r15\n\n\txorq\t%r12,%r13\n\tshrq\t$7,%r12\n\trorq\t$1,%r13\n\txorq\t%r14,%r15\n\tshrq\t$6,%r14\n\n\trorq\t$19,%r15\n\txorq\t%r13,%r12\n\txorq\t%r14,%r15\n\taddq\t56(%rsp),%r12\n\n\taddq\t112(%rsp),%r12\n\tmovq\t%r10,%r13\n\taddq\t%r15,%r12\n\tmovq\t%rcx,%r14\n\trorq\t$23,%r13\n\tmovq\t%r11,%r15\n\n\txorq\t%r10,%r13\n\trorq\t$5,%r14\n\txorq\t%rax,%r15\n\n\tmovq\t%r12,112(%rsp)\n\txorq\t%rcx,%r14\n\tandq\t%r10,%r15\n\n\trorq\t$4,%r13\n\taddq\t%rbx,%r12\n\txorq\t%rax,%r15\n\n\trorq\t$6,%r14\n\txorq\t%r10,%r13\n\taddq\t%r15,%r12\n\n\tmovq\t%rcx,%r15\n\taddq\t(%rbp),%r12\n\txorq\t%rcx,%r14\n\n\txorq\t%rdx,%r15\n\trorq\t$14,%r13\n\tmovq\t%rdx,%rbx\n\n\tandq\t%r15,%rdi\n\trorq\t$28,%r14\n\taddq\t%r13,%r12\n\n\txorq\t%rdi,%rbx\n\taddq\t%r12,%r9\n\taddq\t%r12,%rbx\n\n\tleaq\t8(%rbp),%rbp\n\tmovq\t0(%rsp),%r13\n\tmovq\t104(%rsp),%rdi\n\n\tmovq\t%r13,%r12\n\trorq\t$7,%r13\n\taddq\t%r14,%rbx\n\tmovq\t%rdi,%r14\n\trorq\t$42,%rdi\n\n\txorq\t%r12,%r13\n\tshrq\t$7,%r12\n\trorq\t$1,%r13\n\txorq\t%r14,%rdi\n\tshrq\t$6,%r14\n\n\trorq\t$19,%rdi\n\txorq\t%r13,%r12\n\txorq\t%r14,%rdi\n\taddq\t64(%rsp),%r12\n\n\taddq\t120(%rsp),%r12\n\tmovq\t%r9,%r13\n\taddq\t%rdi,%r12\n\tmovq\t%rbx,%r14\n\trorq\t$23,%r13\n\tmovq\t%r10,%rdi\n\n\txorq\t%r9,%r13\n\trorq\t$5,%r14\n\txorq\t%r11,%rdi\n\n\tmovq\t%r12,120(%rsp)\n\txorq\t%rbx,%r14\n\tandq\t%r9,%rdi\n\n\trorq\t$4,%r13\n\taddq\t%rax,%r12\n\txorq\t%r11,%rdi\n\n\trorq\t$6,%r14\n\txorq\t%r9,%r13\n\taddq\t%rdi,%r12\n\n\tmovq\t%rbx,%rdi\n\taddq\t(%rbp),%r12\n\txorq\t%rbx,%r14\n\n\txorq\t%rcx,%rdi\n\trorq\t$14,%r13\n\tmovq\t%rcx,%rax\n\n\tandq\t%rdi,%r15\n\trorq\t$28,%r14\n\taddq\t%r13,%r12\n\n\txorq\t%r15,%rax\n\taddq\t%r12,%r8\n\taddq\t%r12,%rax\n\n\tleaq\t24(%rbp),%rbp\n\tcmpb\t$0,7(%rbp)\n\tjnz\t.Lrounds_16_xx\n\n\tmovq\t128+0(%rsp),%rdi\n\taddq\t%r14,%rax\n\tleaq\t128(%rsi),%rsi\n\n\taddq\t0(%rdi),%rax\n\taddq\t8(%rdi),%rbx\n\taddq\t16(%rdi),%rcx\n\taddq\t24(%rdi),%rdx\n\taddq\t32(%rdi),%r8\n\taddq\t40(%rdi),%r9\n\taddq\t48(%rdi),%r10\n\taddq\t56(%rdi),%r11\n\n\tcmpq\t128+16(%rsp),%rsi\n\n\tmovq\t%rax,0(%rdi)\n\tmovq\t%rbx,8(%rdi)\n\tmovq\t%rcx,16(%rdi)\n\tmovq\t%rdx,24(%rdi)\n\tmovq\t%r8,32(%rdi)\n\tmovq\t%r9,40(%rdi)\n\tmovq\t%r10,48(%rdi)\n\tmovq\t%r11,56(%rdi)\n\tjb\t.Lloop\n\n\tmovq\t152(%rsp),%rsi\n.cfi_def_cfa\t%rsi,8\n\tmovq\t-48(%rsi),%r15\n.cfi_restore\t%r15\n\tmovq\t-40(%rsi),%r14\n.cfi_restore\t%r14\n\tmovq\t-32(%rsi),%r13\n.cfi_restore\t%r13\n\tmovq\t-24(%rsi),%r12\n.cfi_restore\t%r12\n\tmovq\t-16(%rsi),%rbp\n.cfi_restore\t%rbp\n\tmovq\t-8(%rsi),%rbx\n.cfi_restore\t%rbx\n\tleaq\t(%rsi),%rsp\n.cfi_def_cfa_register\t%rsp\n.Lepilogue:\n\tret\n.cfi_endproc\t\n.size\tsha512_block_data_order_nohw,.-sha512_block_data_order_nohw\n.section\t.rodata\n.align\t64\n.type\tK512,@object\nK512:\n.quad\t0x428a2f98d728ae22,0x7137449123ef65cd\n.quad\t0x428a2f98d728ae22,0x7137449123ef65cd\n.quad\t0xb5c0fbcfec4d3b2f,0xe9b5dba58189dbbc\n.quad\t0xb5c0fbcfec4d3b2f,0xe9b5dba58189dbbc\n.quad\t0x3956c25bf348b538,0x59f111f1b605d019\n.quad\t0x3956c25bf348b538,0x59f111f1b605d019\n.quad\t0x923f82a4af194f9b,0xab1c5ed5da6d8118\n.quad\t0x923f82a4af194f9b,0xab1c5ed5da6d8118\n.quad\t0xd807aa98a3030242,0x12835b0145706fbe\n.quad\t0xd807aa98a3030242,0x12835b0145706fbe\n.quad\t0x243185be4ee4b28c,0x550c7dc3d5ffb4e2\n.quad\t0x243185be4ee4b28c,0x550c7dc3d5ffb4e2\n.quad\t0x72be5d74f27b896f,0x80deb1fe3b1696b1\n.quad\t0x72be5d74f27b896f,0x80deb1fe3b1696b1\n.quad\t0x9bdc06a725c71235,0xc19bf174cf692694\n.quad\t0x9bdc06a725c71235,0xc19bf174cf692694\n.quad\t0xe49b69c19ef14ad2,0xefbe4786384f25e3\n.quad\t0xe49b69c19ef14ad2,0xefbe4786384f25e3\n.quad\t0x0fc19dc68b8cd5b5,0x240ca1cc77ac9c65\n.quad\t0x0fc19dc68b8cd5b5,0x240ca1cc77ac9c65\n.quad\t0x2de92c6f592b0275,0x4a7484aa6ea6e483\n.quad\t0x2de92c6f592b0275,0x4a7484aa6ea6e483\n.quad\t0x5cb0a9dcbd41fbd4,0x76f988da831153b5\n.quad\t0x5cb0a9dcbd41fbd4,0x76f988da831153b5\n.quad\t0x983e5152ee66dfab,0xa831c66d2db43210\n.quad\t0x983e5152ee66dfab,0xa831c66d2db43210\n.quad\t0xb00327c898fb213f,0xbf597fc7beef0ee4\n.quad\t0xb00327c898fb213f,0xbf597fc7beef0ee4\n.quad\t0xc6e00bf33da88fc2,0xd5a79147930aa725\n.quad\t0xc6e00bf33da88fc2,0xd5a79147930aa725\n.quad\t0x06ca6351e003826f,0x142929670a0e6e70\n.quad\t0x06ca6351e003826f,0x142929670a0e6e70\n.quad\t0x27b70a8546d22ffc,0x2e1b21385c26c926\n.quad\t0x27b70a8546d22ffc,0x2e1b21385c26c926\n.quad\t0x4d2c6dfc5ac42aed,0x53380d139d95b3df\n.quad\t0x4d2c6dfc5ac42aed,0x53380d139d95b3df\n.quad\t0x650a73548baf63de,0x766a0abb3c77b2a8\n.quad\t0x650a73548baf63de,0x766a0abb3c77b2a8\n.quad\t0x81c2c92e47edaee6,0x92722c851482353b\n.quad\t0x81c2c92e47edaee6,0x92722c851482353b\n.quad\t0xa2bfe8a14cf10364,0xa81a664bbc423001\n.quad\t0xa2bfe8a14cf10364,0xa81a664bbc423001\n.quad\t0xc24b8b70d0f89791,0xc76c51a30654be30\n.quad\t0xc24b8b70d0f89791,0xc76c51a30654be30\n.quad\t0xd192e819d6ef5218,0xd69906245565a910\n.quad\t0xd192e819d6ef5218,0xd69906245565a910\n.quad\t0xf40e35855771202a,0x106aa07032bbd1b8\n.quad\t0xf40e35855771202a,0x106aa07032bbd1b8\n.quad\t0x19a4c116b8d2d0c8,0x1e376c085141ab53\n.quad\t0x19a4c116b8d2d0c8,0x1e376c085141ab53\n.quad\t0x2748774cdf8eeb99,0x34b0bcb5e19b48a8\n.quad\t0x2748774cdf8eeb99,0x34b0bcb5e19b48a8\n.quad\t0x391c0cb3c5c95a63,0x4ed8aa4ae3418acb\n.quad\t0x391c0cb3c5c95a63,0x4ed8aa4ae3418acb\n.quad\t0x5b9cca4f7763e373,0x682e6ff3d6b2b8a3\n.quad\t0x5b9cca4f7763e373,0x682e6ff3d6b2b8a3\n.quad\t0x748f82ee5defb2fc,0x78a5636f43172f60\n.quad\t0x748f82ee5defb2fc,0x78a5636f43172f60\n.quad\t0x84c87814a1f0ab72,0x8cc702081a6439ec\n.quad\t0x84c87814a1f0ab72,0x8cc702081a6439ec\n.quad\t0x90befffa23631e28,0xa4506cebde82bde9\n.quad\t0x90befffa23631e28,0xa4506cebde82bde9\n.quad\t0xbef9a3f7b2c67915,0xc67178f2e372532b\n.quad\t0xbef9a3f7b2c67915,0xc67178f2e372532b\n.quad\t0xca273eceea26619c,0xd186b8c721c0c207\n.quad\t0xca273eceea26619c,0xd186b8c721c0c207\n.quad\t0xeada7dd6cde0eb1e,0xf57d4f7fee6ed178\n.quad\t0xeada7dd6cde0eb1e,0xf57d4f7fee6ed178\n.quad\t0x06f067aa72176fba,0x0a637dc5a2c898a6\n.quad\t0x06f067aa72176fba,0x0a637dc5a2c898a6\n.quad\t0x113f9804bef90dae,0x1b710b35131c471b\n.quad\t0x113f9804bef90dae,0x1b710b35131c471b\n.quad\t0x28db77f523047d84,0x32caab7b40c72493\n.quad\t0x28db77f523047d84,0x32caab7b40c72493\n.quad\t0x3c9ebe0a15c9bebc,0x431d67c49c100d4c\n.quad\t0x3c9ebe0a15c9bebc,0x431d67c49c100d4c\n.quad\t0x4cc5d4becb3e42b6,0x597f299cfc657e2a\n.quad\t0x4cc5d4becb3e42b6,0x597f299cfc657e2a\n.quad\t0x5fcb6fab3ad6faec,0x6c44198c4a475817\n.quad\t0x5fcb6fab3ad6faec,0x6c44198c4a475817\n\n.quad\t0x0001020304050607,0x08090a0b0c0d0e0f\n.quad\t0x0001020304050607,0x08090a0b0c0d0e0f\n.byte\t83,72,65,53,49,50,32,98,108,111,99,107,32,116,114,97,110,115,102,111,114,109,32,102,111,114,32,120,56,54,95,54,52,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0\n.text\t\n.globl\tsha512_block_data_order_avx\n.hidden sha512_block_data_order_avx\n.type\tsha512_block_data_order_avx,@function\n.align\t64\nsha512_block_data_order_avx:\n.cfi_startproc\t\n_CET_ENDBR\n\tmovq\t%rsp,%rax\n.cfi_def_cfa_register\t%rax\n\tpushq\t%rbx\n.cfi_offset\t%rbx,-16\n\tpushq\t%rbp\n.cfi_offset\t%rbp,-24\n\tpushq\t%r12\n.cfi_offset\t%r12,-32\n\tpushq\t%r13\n.cfi_offset\t%r13,-40\n\tpushq\t%r14\n.cfi_offset\t%r14,-48\n\tpushq\t%r15\n.cfi_offset\t%r15,-56\n\tshlq\t$4,%rdx\n\tsubq\t$160,%rsp\n\tleaq\t(%rsi,%rdx,8),%rdx\n\tandq\t$-64,%rsp\n\tmovq\t%rdi,128+0(%rsp)\n\tmovq\t%rsi,128+8(%rsp)\n\tmovq\t%rdx,128+16(%rsp)\n\tmovq\t%rax,152(%rsp)\n.cfi_escape\t0x0f,0x06,0x77,0x98,0x01,0x06,0x23,0x08\n.Lprologue_avx:\n\n\tvzeroupper\n\tmovq\t0(%rdi),%rax\n\tmovq\t8(%rdi),%rbx\n\tmovq\t16(%rdi),%rcx\n\tmovq\t24(%rdi),%rdx\n\tmovq\t32(%rdi),%r8\n\tmovq\t40(%rdi),%r9\n\tmovq\t48(%rdi),%r10\n\tmovq\t56(%rdi),%r11\n\tjmp\t.Lloop_avx\n.align\t16\n.Lloop_avx:\n\tvmovdqa\tK512+1280(%rip),%xmm11\n\tvmovdqu\t0(%rsi),%xmm0\n\tleaq\tK512+128(%rip),%rbp\n\tvmovdqu\t16(%rsi),%xmm1\n\tvmovdqu\t32(%rsi),%xmm2\n\tvpshufb\t%xmm11,%xmm0,%xmm0\n\tvmovdqu\t48(%rsi),%xmm3\n\tvpshufb\t%xmm11,%xmm1,%xmm1\n\tvmovdqu\t64(%rsi),%xmm4\n\tvpshufb\t%xmm11,%xmm2,%xmm2\n\tvmovdqu\t80(%rsi),%xmm5\n\tvpshufb\t%xmm11,%xmm3,%xmm3\n\tvmovdqu\t96(%rsi),%xmm6\n\tvpshufb\t%xmm11,%xmm4,%xmm4\n\tvmovdqu\t112(%rsi),%xmm7\n\tvpshufb\t%xmm11,%xmm5,%xmm5\n\tvpaddq\t-128(%rbp),%xmm0,%xmm8\n\tvpshufb\t%xmm11,%xmm6,%xmm6\n\tvpaddq\t-96(%rbp),%xmm1,%xmm9\n\tvpshufb\t%xmm11,%xmm7,%xmm7\n\tvpaddq\t-64(%rbp),%xmm2,%xmm10\n\tvpaddq\t-32(%rbp),%xmm3,%xmm11\n\tvmovdqa\t%xmm8,0(%rsp)\n\tvpaddq\t0(%rbp),%xmm4,%xmm8\n\tvmovdqa\t%xmm9,16(%rsp)\n\tvpaddq\t32(%rbp),%xmm5,%xmm9\n\tvmovdqa\t%xmm10,32(%rsp)\n\tvpaddq\t64(%rbp),%xmm6,%xmm10\n\tvmovdqa\t%xmm11,48(%rsp)\n\tvpaddq\t96(%rbp),%xmm7,%xmm11\n\tvmovdqa\t%xmm8,64(%rsp)\n\tmovq\t%rax,%r14\n\tvmovdqa\t%xmm9,80(%rsp)\n\tmovq\t%rbx,%rdi\n\tvmovdqa\t%xmm10,96(%rsp)\n\txorq\t%rcx,%rdi\n\tvmovdqa\t%xmm11,112(%rsp)\n\tmovq\t%r8,%r13\n\tjmp\t.Lavx_00_47\n\n.align\t16\n.Lavx_00_47:\n\taddq\t$256,%rbp\n\tvpalignr\t$8,%xmm0,%xmm1,%xmm8\n\tshrdq\t$23,%r13,%r13\n\tmovq\t%r14,%rax\n\tvpalignr\t$8,%xmm4,%xmm5,%xmm11\n\tmovq\t%r9,%r12\n\tshrdq\t$5,%r14,%r14\n\tvpsrlq\t$1,%xmm8,%xmm10\n\txorq\t%r8,%r13\n\txorq\t%r10,%r12\n\tvpaddq\t%xmm11,%xmm0,%xmm0\n\tshrdq\t$4,%r13,%r13\n\txorq\t%rax,%r14\n\tvpsrlq\t$7,%xmm8,%xmm11\n\tandq\t%r8,%r12\n\txorq\t%r8,%r13\n\tvpsllq\t$56,%xmm8,%xmm9\n\taddq\t0(%rsp),%r11\n\tmovq\t%rax,%r15\n\tvpxor\t%xmm10,%xmm11,%xmm8\n\txorq\t%r10,%r12\n\tshrdq\t$6,%r14,%r14\n\tvpsrlq\t$7,%xmm10,%xmm10\n\txorq\t%rbx,%r15\n\taddq\t%r12,%r11\n\tvpxor\t%xmm9,%xmm8,%xmm8\n\tshrdq\t$14,%r13,%r13\n\tandq\t%r15,%rdi\n\tvpsllq\t$7,%xmm9,%xmm9\n\txorq\t%rax,%r14\n\taddq\t%r13,%r11\n\tvpxor\t%xmm10,%xmm8,%xmm8\n\txorq\t%rbx,%rdi\n\tshrdq\t$28,%r14,%r14\n\tvpsrlq\t$6,%xmm7,%xmm11\n\taddq\t%r11,%rdx\n\taddq\t%rdi,%r11\n\tvpxor\t%xmm9,%xmm8,%xmm8\n\tmovq\t%rdx,%r13\n\taddq\t%r11,%r14\n\tvpsllq\t$3,%xmm7,%xmm10\n\tshrdq\t$23,%r13,%r13\n\tmovq\t%r14,%r11\n\tvpaddq\t%xmm8,%xmm0,%xmm0\n\tmovq\t%r8,%r12\n\tshrdq\t$5,%r14,%r14\n\tvpsrlq\t$19,%xmm7,%xmm9\n\txorq\t%rdx,%r13\n\txorq\t%r9,%r12\n\tvpxor\t%xmm10,%xmm11,%xmm11\n\tshrdq\t$4,%r13,%r13\n\txorq\t%r11,%r14\n\tvpsllq\t$42,%xmm10,%xmm10\n\tandq\t%rdx,%r12\n\txorq\t%rdx,%r13\n\tvpxor\t%xmm9,%xmm11,%xmm11\n\taddq\t8(%rsp),%r10\n\tmovq\t%r11,%rdi\n\tvpsrlq\t$42,%xmm9,%xmm9\n\txorq\t%r9,%r12\n\tshrdq\t$6,%r14,%r14\n\tvpxor\t%xmm10,%xmm11,%xmm11\n\txorq\t%rax,%rdi\n\taddq\t%r12,%r10\n\tvpxor\t%xmm9,%xmm11,%xmm11\n\tshrdq\t$14,%r13,%r13\n\tandq\t%rdi,%r15\n\tvpaddq\t%xmm11,%xmm0,%xmm0\n\txorq\t%r11,%r14\n\taddq\t%r13,%r10\n\tvpaddq\t-128(%rbp),%xmm0,%xmm10\n\txorq\t%rax,%r15\n\tshrdq\t$28,%r14,%r14\n\taddq\t%r10,%rcx\n\taddq\t%r15,%r10\n\tmovq\t%rcx,%r13\n\taddq\t%r10,%r14\n\tvmovdqa\t%xmm10,0(%rsp)\n\tvpalignr\t$8,%xmm1,%xmm2,%xmm8\n\tshrdq\t$23,%r13,%r13\n\tmovq\t%r14,%r10\n\tvpalignr\t$8,%xmm5,%xmm6,%xmm11\n\tmovq\t%rdx,%r12\n\tshrdq\t$5,%r14,%r14\n\tvpsrlq\t$1,%xmm8,%xmm10\n\txorq\t%rcx,%r13\n\txorq\t%r8,%r12\n\tvpaddq\t%xmm11,%xmm1,%xmm1\n\tshrdq\t$4,%r13,%r13\n\txorq\t%r10,%r14\n\tvpsrlq\t$7,%xmm8,%xmm11\n\tandq\t%rcx,%r12\n\txorq\t%rcx,%r13\n\tvpsllq\t$56,%xmm8,%xmm9\n\taddq\t16(%rsp),%r9\n\tmovq\t%r10,%r15\n\tvpxor\t%xmm10,%xmm11,%xmm8\n\txorq\t%r8,%r12\n\tshrdq\t$6,%r14,%r14\n\tvpsrlq\t$7,%xmm10,%xmm10\n\txorq\t%r11,%r15\n\taddq\t%r12,%r9\n\tvpxor\t%xmm9,%xmm8,%xmm8\n\tshrdq\t$14,%r13,%r13\n\tandq\t%r15,%rdi\n\tvpsllq\t$7,%xmm9,%xmm9\n\txorq\t%r10,%r14\n\taddq\t%r13,%r9\n\tvpxor\t%xmm10,%xmm8,%xmm8\n\txorq\t%r11,%rdi\n\tshrdq\t$28,%r14,%r14\n\tvpsrlq\t$6,%xmm0,%xmm11\n\taddq\t%r9,%rbx\n\taddq\t%rdi,%r9\n\tvpxor\t%xmm9,%xmm8,%xmm8\n\tmovq\t%rbx,%r13\n\taddq\t%r9,%r14\n\tvpsllq\t$3,%xmm0,%xmm10\n\tshrdq\t$23,%r13,%r13\n\tmovq\t%r14,%r9\n\tvpaddq\t%xmm8,%xmm1,%xmm1\n\tmovq\t%rcx,%r12\n\tshrdq\t$5,%r14,%r14\n\tvpsrlq\t$19,%xmm0,%xmm9\n\txorq\t%rbx,%r13\n\txorq\t%rdx,%r12\n\tvpxor\t%xmm10,%xmm11,%xmm11\n\tshrdq\t$4,%r13,%r13\n\txorq\t%r9,%r14\n\tvpsllq\t$42,%xmm10,%xmm10\n\tandq\t%rbx,%r12\n\txorq\t%rbx,%r13\n\tvpxor\t%xmm9,%xmm11,%xmm11\n\taddq\t24(%rsp),%r8\n\tmovq\t%r9,%rdi\n\tvpsrlq\t$42,%xmm9,%xmm9\n\txorq\t%rdx,%r12\n\tshrdq\t$6,%r14,%r14\n\tvpxor\t%xmm10,%xmm11,%xmm11\n\txorq\t%r10,%rdi\n\taddq\t%r12,%r8\n\tvpxor\t%xmm9,%xmm11,%xmm11\n\tshrdq\t$14,%r13,%r13\n\tandq\t%rdi,%r15\n\tvpaddq\t%xmm11,%xmm1,%xmm1\n\txorq\t%r9,%r14\n\taddq\t%r13,%r8\n\tvpaddq\t-96(%rbp),%xmm1,%xmm10\n\txorq\t%r10,%r15\n\tshrdq\t$28,%r14,%r14\n\taddq\t%r8,%rax\n\taddq\t%r15,%r8\n\tmovq\t%rax,%r13\n\taddq\t%r8,%r14\n\tvmovdqa\t%xmm10,16(%rsp)\n\tvpalignr\t$8,%xmm2,%xmm3,%xmm8\n\tshrdq\t$23,%r13,%r13\n\tmovq\t%r14,%r8\n\tvpalignr\t$8,%xmm6,%xmm7,%xmm11\n\tmovq\t%rbx,%r12\n\tshrdq\t$5,%r14,%r14\n\tvpsrlq\t$1,%xmm8,%xmm10\n\txorq\t%rax,%r13\n\txorq\t%rcx,%r12\n\tvpaddq\t%xmm11,%xmm2,%xmm2\n\tshrdq\t$4,%r13,%r13\n\txorq\t%r8,%r14\n\tvpsrlq\t$7,%xmm8,%xmm11\n\tandq\t%rax,%r12\n\txorq\t%rax,%r13\n\tvpsllq\t$56,%xmm8,%xmm9\n\taddq\t32(%rsp),%rdx\n\tmovq\t%r8,%r15\n\tvpxor\t%xmm10,%xmm11,%xmm8\n\txorq\t%rcx,%r12\n\tshrdq\t$6,%r14,%r14\n\tvpsrlq\t$7,%xmm10,%xmm10\n\txorq\t%r9,%r15\n\taddq\t%r12,%rdx\n\tvpxor\t%xmm9,%xmm8,%xmm8\n\tshrdq\t$14,%r13,%r13\n\tandq\t%r15,%rdi\n\tvpsllq\t$7,%xmm9,%xmm9\n\txorq\t%r8,%r14\n\taddq\t%r13,%rdx\n\tvpxor\t%xmm10,%xmm8,%xmm8\n\txorq\t%r9,%rdi\n\tshrdq\t$28,%r14,%r14\n\tvpsrlq\t$6,%xmm1,%xmm11\n\taddq\t%rdx,%r11\n\taddq\t%rdi,%rdx\n\tvpxor\t%xmm9,%xmm8,%xmm8\n\tmovq\t%r11,%r13\n\taddq\t%rdx,%r14\n\tvpsllq\t$3,%xmm1,%xmm10\n\tshrdq\t$23,%r13,%r13\n\tmovq\t%r14,%rdx\n\tvpaddq\t%xmm8,%xmm2,%xmm2\n\tmovq\t%rax,%r12\n\tshrdq\t$5,%r14,%r14\n\tvpsrlq\t$19,%xmm1,%xmm9\n\txorq\t%r11,%r13\n\txorq\t%rbx,%r12\n\tvpxor\t%xmm10,%xmm11,%xmm11\n\tshrdq\t$4,%r13,%r13\n\txorq\t%rdx,%r14\n\tvpsllq\t$42,%xmm10,%xmm10\n\tandq\t%r11,%r12\n\txorq\t%r11,%r13\n\tvpxor\t%xmm9,%xmm11,%xmm11\n\taddq\t40(%rsp),%rcx\n\tmovq\t%rdx,%rdi\n\tvpsrlq\t$42,%xmm9,%xmm9\n\txorq\t%rbx,%r12\n\tshrdq\t$6,%r14,%r14\n\tvpxor\t%xmm10,%xmm11,%xmm11\n\txorq\t%r8,%rdi\n\taddq\t%r12,%rcx\n\tvpxor\t%xmm9,%xmm11,%xmm11\n\tshrdq\t$14,%r13,%r13\n\tandq\t%rdi,%r15\n\tvpaddq\t%xmm11,%xmm2,%xmm2\n\txorq\t%rdx,%r14\n\taddq\t%r13,%rcx\n\tvpaddq\t-64(%rbp),%xmm2,%xmm10\n\txorq\t%r8,%r15\n\tshrdq\t$28,%r14,%r14\n\taddq\t%rcx,%r10\n\taddq\t%r15,%rcx\n\tmovq\t%r10,%r13\n\taddq\t%rcx,%r14\n\tvmovdqa\t%xmm10,32(%rsp)\n\tvpalignr\t$8,%xmm3,%xmm4,%xmm8\n\tshrdq\t$23,%r13,%r13\n\tmovq\t%r14,%rcx\n\tvpalignr\t$8,%xmm7,%xmm0,%xmm11\n\tmovq\t%r11,%r12\n\tshrdq\t$5,%r14,%r14\n\tvpsrlq\t$1,%xmm8,%xmm10\n\txorq\t%r10,%r13\n\txorq\t%rax,%r12\n\tvpaddq\t%xmm11,%xmm3,%xmm3\n\tshrdq\t$4,%r13,%r13\n\txorq\t%rcx,%r14\n\tvpsrlq\t$7,%xmm8,%xmm11\n\tandq\t%r10,%r12\n\txorq\t%r10,%r13\n\tvpsllq\t$56,%xmm8,%xmm9\n\taddq\t48(%rsp),%rbx\n\tmovq\t%rcx,%r15\n\tvpxor\t%xmm10,%xmm11,%xmm8\n\txorq\t%rax,%r12\n\tshrdq\t$6,%r14,%r14\n\tvpsrlq\t$7,%xmm10,%xmm10\n\txorq\t%rdx,%r15\n\taddq\t%r12,%rbx\n\tvpxor\t%xmm9,%xmm8,%xmm8\n\tshrdq\t$14,%r13,%r13\n\tandq\t%r15,%rdi\n\tvpsllq\t$7,%xmm9,%xmm9\n\txorq\t%rcx,%r14\n\taddq\t%r13,%rbx\n\tvpxor\t%xmm10,%xmm8,%xmm8\n\txorq\t%rdx,%rdi\n\tshrdq\t$28,%r14,%r14\n\tvpsrlq\t$6,%xmm2,%xmm11\n\taddq\t%rbx,%r9\n\taddq\t%rdi,%rbx\n\tvpxor\t%xmm9,%xmm8,%xmm8\n\tmovq\t%r9,%r13\n\taddq\t%rbx,%r14\n\tvpsllq\t$3,%xmm2,%xmm10\n\tshrdq\t$23,%r13,%r13\n\tmovq\t%r14,%rbx\n\tvpaddq\t%xmm8,%xmm3,%xmm3\n\tmovq\t%r10,%r12\n\tshrdq\t$5,%r14,%r14\n\tvpsrlq\t$19,%xmm2,%xmm9\n\txorq\t%r9,%r13\n\txorq\t%r11,%r12\n\tvpxor\t%xmm10,%xmm11,%xmm11\n\tshrdq\t$4,%r13,%r13\n\txorq\t%rbx,%r14\n\tvpsllq\t$42,%xmm10,%xmm10\n\tandq\t%r9,%r12\n\txorq\t%r9,%r13\n\tvpxor\t%xmm9,%xmm11,%xmm11\n\taddq\t56(%rsp),%rax\n\tmovq\t%rbx,%rdi\n\tvpsrlq\t$42,%xmm9,%xmm9\n\txorq\t%r11,%r12\n\tshrdq\t$6,%r14,%r14\n\tvpxor\t%xmm10,%xmm11,%xmm11\n\txorq\t%rcx,%rdi\n\taddq\t%r12,%rax\n\tvpxor\t%xmm9,%xmm11,%xmm11\n\tshrdq\t$14,%r13,%r13\n\tandq\t%rdi,%r15\n\tvpaddq\t%xmm11,%xmm3,%xmm3\n\txorq\t%rbx,%r14\n\taddq\t%r13,%rax\n\tvpaddq\t-32(%rbp),%xmm3,%xmm10\n\txorq\t%rcx,%r15\n\tshrdq\t$28,%r14,%r14\n\taddq\t%rax,%r8\n\taddq\t%r15,%rax\n\tmovq\t%r8,%r13\n\taddq\t%rax,%r14\n\tvmovdqa\t%xmm10,48(%rsp)\n\tvpalignr\t$8,%xmm4,%xmm5,%xmm8\n\tshrdq\t$23,%r13,%r13\n\tmovq\t%r14,%rax\n\tvpalignr\t$8,%xmm0,%xmm1,%xmm11\n\tmovq\t%r9,%r12\n\tshrdq\t$5,%r14,%r14\n\tvpsrlq\t$1,%xmm8,%xmm10\n\txorq\t%r8,%r13\n\txorq\t%r10,%r12\n\tvpaddq\t%xmm11,%xmm4,%xmm4\n\tshrdq\t$4,%r13,%r13\n\txorq\t%rax,%r14\n\tvpsrlq\t$7,%xmm8,%xmm11\n\tandq\t%r8,%r12\n\txorq\t%r8,%r13\n\tvpsllq\t$56,%xmm8,%xmm9\n\taddq\t64(%rsp),%r11\n\tmovq\t%rax,%r15\n\tvpxor\t%xmm10,%xmm11,%xmm8\n\txorq\t%r10,%r12\n\tshrdq\t$6,%r14,%r14\n\tvpsrlq\t$7,%xmm10,%xmm10\n\txorq\t%rbx,%r15\n\taddq\t%r12,%r11\n\tvpxor\t%xmm9,%xmm8,%xmm8\n\tshrdq\t$14,%r13,%r13\n\tandq\t%r15,%rdi\n\tvpsllq\t$7,%xmm9,%xmm9\n\txorq\t%rax,%r14\n\taddq\t%r13,%r11\n\tvpxor\t%xmm10,%xmm8,%xmm8\n\txorq\t%rbx,%rdi\n\tshrdq\t$28,%r14,%r14\n\tvpsrlq\t$6,%xmm3,%xmm11\n\taddq\t%r11,%rdx\n\taddq\t%rdi,%r11\n\tvpxor\t%xmm9,%xmm8,%xmm8\n\tmovq\t%rdx,%r13\n\taddq\t%r11,%r14\n\tvpsllq\t$3,%xmm3,%xmm10\n\tshrdq\t$23,%r13,%r13\n\tmovq\t%r14,%r11\n\tvpaddq\t%xmm8,%xmm4,%xmm4\n\tmovq\t%r8,%r12\n\tshrdq\t$5,%r14,%r14\n\tvpsrlq\t$19,%xmm3,%xmm9\n\txorq\t%rdx,%r13\n\txorq\t%r9,%r12\n\tvpxor\t%xmm10,%xmm11,%xmm11\n\tshrdq\t$4,%r13,%r13\n\txorq\t%r11,%r14\n\tvpsllq\t$42,%xmm10,%xmm10\n\tandq\t%rdx,%r12\n\txorq\t%rdx,%r13\n\tvpxor\t%xmm9,%xmm11,%xmm11\n\taddq\t72(%rsp),%r10\n\tmovq\t%r11,%rdi\n\tvpsrlq\t$42,%xmm9,%xmm9\n\txorq\t%r9,%r12\n\tshrdq\t$6,%r14,%r14\n\tvpxor\t%xmm10,%xmm11,%xmm11\n\txorq\t%rax,%rdi\n\taddq\t%r12,%r10\n\tvpxor\t%xmm9,%xmm11,%xmm11\n\tshrdq\t$14,%r13,%r13\n\tandq\t%rdi,%r15\n\tvpaddq\t%xmm11,%xmm4,%xmm4\n\txorq\t%r11,%r14\n\taddq\t%r13,%r10\n\tvpaddq\t0(%rbp),%xmm4,%xmm10\n\txorq\t%rax,%r15\n\tshrdq\t$28,%r14,%r14\n\taddq\t%r10,%rcx\n\taddq\t%r15,%r10\n\tmovq\t%rcx,%r13\n\taddq\t%r10,%r14\n\tvmovdqa\t%xmm10,64(%rsp)\n\tvpalignr\t$8,%xmm5,%xmm6,%xmm8\n\tshrdq\t$23,%r13,%r13\n\tmovq\t%r14,%r10\n\tvpalignr\t$8,%xmm1,%xmm2,%xmm11\n\tmovq\t%rdx,%r12\n\tshrdq\t$5,%r14,%r14\n\tvpsrlq\t$1,%xmm8,%xmm10\n\txorq\t%rcx,%r13\n\txorq\t%r8,%r12\n\tvpaddq\t%xmm11,%xmm5,%xmm5\n\tshrdq\t$4,%r13,%r13\n\txorq\t%r10,%r14\n\tvpsrlq\t$7,%xmm8,%xmm11\n\tandq\t%rcx,%r12\n\txorq\t%rcx,%r13\n\tvpsllq\t$56,%xmm8,%xmm9\n\taddq\t80(%rsp),%r9\n\tmovq\t%r10,%r15\n\tvpxor\t%xmm10,%xmm11,%xmm8\n\txorq\t%r8,%r12\n\tshrdq\t$6,%r14,%r14\n\tvpsrlq\t$7,%xmm10,%xmm10\n\txorq\t%r11,%r15\n\taddq\t%r12,%r9\n\tvpxor\t%xmm9,%xmm8,%xmm8\n\tshrdq\t$14,%r13,%r13\n\tandq\t%r15,%rdi\n\tvpsllq\t$7,%xmm9,%xmm9\n\txorq\t%r10,%r14\n\taddq\t%r13,%r9\n\tvpxor\t%xmm10,%xmm8,%xmm8\n\txorq\t%r11,%rdi\n\tshrdq\t$28,%r14,%r14\n\tvpsrlq\t$6,%xmm4,%xmm11\n\taddq\t%r9,%rbx\n\taddq\t%rdi,%r9\n\tvpxor\t%xmm9,%xmm8,%xmm8\n\tmovq\t%rbx,%r13\n\taddq\t%r9,%r14\n\tvpsllq\t$3,%xmm4,%xmm10\n\tshrdq\t$23,%r13,%r13\n\tmovq\t%r14,%r9\n\tvpaddq\t%xmm8,%xmm5,%xmm5\n\tmovq\t%rcx,%r12\n\tshrdq\t$5,%r14,%r14\n\tvpsrlq\t$19,%xmm4,%xmm9\n\txorq\t%rbx,%r13\n\txorq\t%rdx,%r12\n\tvpxor\t%xmm10,%xmm11,%xmm11\n\tshrdq\t$4,%r13,%r13\n\txorq\t%r9,%r14\n\tvpsllq\t$42,%xmm10,%xmm10\n\tandq\t%rbx,%r12\n\txorq\t%rbx,%r13\n\tvpxor\t%xmm9,%xmm11,%xmm11\n\taddq\t88(%rsp),%r8\n\tmovq\t%r9,%rdi\n\tvpsrlq\t$42,%xmm9,%xmm9\n\txorq\t%rdx,%r12\n\tshrdq\t$6,%r14,%r14\n\tvpxor\t%xmm10,%xmm11,%xmm11\n\txorq\t%r10,%rdi\n\taddq\t%r12,%r8\n\tvpxor\t%xmm9,%xmm11,%xmm11\n\tshrdq\t$14,%r13,%r13\n\tandq\t%rdi,%r15\n\tvpaddq\t%xmm11,%xmm5,%xmm5\n\txorq\t%r9,%r14\n\taddq\t%r13,%r8\n\tvpaddq\t32(%rbp),%xmm5,%xmm10\n\txorq\t%r10,%r15\n\tshrdq\t$28,%r14,%r14\n\taddq\t%r8,%rax\n\taddq\t%r15,%r8\n\tmovq\t%rax,%r13\n\taddq\t%r8,%r14\n\tvmovdqa\t%xmm10,80(%rsp)\n\tvpalignr\t$8,%xmm6,%xmm7,%xmm8\n\tshrdq\t$23,%r13,%r13\n\tmovq\t%r14,%r8\n\tvpalignr\t$8,%xmm2,%xmm3,%xmm11\n\tmovq\t%rbx,%r12\n\tshrdq\t$5,%r14,%r14\n\tvpsrlq\t$1,%xmm8,%xmm10\n\txorq\t%rax,%r13\n\txorq\t%rcx,%r12\n\tvpaddq\t%xmm11,%xmm6,%xmm6\n\tshrdq\t$4,%r13,%r13\n\txorq\t%r8,%r14\n\tvpsrlq\t$7,%xmm8,%xmm11\n\tandq\t%rax,%r12\n\txorq\t%rax,%r13\n\tvpsllq\t$56,%xmm8,%xmm9\n\taddq\t96(%rsp),%rdx\n\tmovq\t%r8,%r15\n\tvpxor\t%xmm10,%xmm11,%xmm8\n\txorq\t%rcx,%r12\n\tshrdq\t$6,%r14,%r14\n\tvpsrlq\t$7,%xmm10,%xmm10\n\txorq\t%r9,%r15\n\taddq\t%r12,%rdx\n\tvpxor\t%xmm9,%xmm8,%xmm8\n\tshrdq\t$14,%r13,%r13\n\tandq\t%r15,%rdi\n\tvpsllq\t$7,%xmm9,%xmm9\n\txorq\t%r8,%r14\n\taddq\t%r13,%rdx\n\tvpxor\t%xmm10,%xmm8,%xmm8\n\txorq\t%r9,%rdi\n\tshrdq\t$28,%r14,%r14\n\tvpsrlq\t$6,%xmm5,%xmm11\n\taddq\t%rdx,%r11\n\taddq\t%rdi,%rdx\n\tvpxor\t%xmm9,%xmm8,%xmm8\n\tmovq\t%r11,%r13\n\taddq\t%rdx,%r14\n\tvpsllq\t$3,%xmm5,%xmm10\n\tshrdq\t$23,%r13,%r13\n\tmovq\t%r14,%rdx\n\tvpaddq\t%xmm8,%xmm6,%xmm6\n\tmovq\t%rax,%r12\n\tshrdq\t$5,%r14,%r14\n\tvpsrlq\t$19,%xmm5,%xmm9\n\txorq\t%r11,%r13\n\txorq\t%rbx,%r12\n\tvpxor\t%xmm10,%xmm11,%xmm11\n\tshrdq\t$4,%r13,%r13\n\txorq\t%rdx,%r14\n\tvpsllq\t$42,%xmm10,%xmm10\n\tandq\t%r11,%r12\n\txorq\t%r11,%r13\n\tvpxor\t%xmm9,%xmm11,%xmm11\n\taddq\t104(%rsp),%rcx\n\tmovq\t%rdx,%rdi\n\tvpsrlq\t$42,%xmm9,%xmm9\n\txorq\t%rbx,%r12\n\tshrdq\t$6,%r14,%r14\n\tvpxor\t%xmm10,%xmm11,%xmm11\n\txorq\t%r8,%rdi\n\taddq\t%r12,%rcx\n\tvpxor\t%xmm9,%xmm11,%xmm11\n\tshrdq\t$14,%r13,%r13\n\tandq\t%rdi,%r15\n\tvpaddq\t%xmm11,%xmm6,%xmm6\n\txorq\t%rdx,%r14\n\taddq\t%r13,%rcx\n\tvpaddq\t64(%rbp),%xmm6,%xmm10\n\txorq\t%r8,%r15\n\tshrdq\t$28,%r14,%r14\n\taddq\t%rcx,%r10\n\taddq\t%r15,%rcx\n\tmovq\t%r10,%r13\n\taddq\t%rcx,%r14\n\tvmovdqa\t%xmm10,96(%rsp)\n\tvpalignr\t$8,%xmm7,%xmm0,%xmm8\n\tshrdq\t$23,%r13,%r13\n\tmovq\t%r14,%rcx\n\tvpalignr\t$8,%xmm3,%xmm4,%xmm11\n\tmovq\t%r11,%r12\n\tshrdq\t$5,%r14,%r14\n\tvpsrlq\t$1,%xmm8,%xmm10\n\txorq\t%r10,%r13\n\txorq\t%rax,%r12\n\tvpaddq\t%xmm11,%xmm7,%xmm7\n\tshrdq\t$4,%r13,%r13\n\txorq\t%rcx,%r14\n\tvpsrlq\t$7,%xmm8,%xmm11\n\tandq\t%r10,%r12\n\txorq\t%r10,%r13\n\tvpsllq\t$56,%xmm8,%xmm9\n\taddq\t112(%rsp),%rbx\n\tmovq\t%rcx,%r15\n\tvpxor\t%xmm10,%xmm11,%xmm8\n\txorq\t%rax,%r12\n\tshrdq\t$6,%r14,%r14\n\tvpsrlq\t$7,%xmm10,%xmm10\n\txorq\t%rdx,%r15\n\taddq\t%r12,%rbx\n\tvpxor\t%xmm9,%xmm8,%xmm8\n\tshrdq\t$14,%r13,%r13\n\tandq\t%r15,%rdi\n\tvpsllq\t$7,%xmm9,%xmm9\n\txorq\t%rcx,%r14\n\taddq\t%r13,%rbx\n\tvpxor\t%xmm10,%xmm8,%xmm8\n\txorq\t%rdx,%rdi\n\tshrdq\t$28,%r14,%r14\n\tvpsrlq\t$6,%xmm6,%xmm11\n\taddq\t%rbx,%r9\n\taddq\t%rdi,%rbx\n\tvpxor\t%xmm9,%xmm8,%xmm8\n\tmovq\t%r9,%r13\n\taddq\t%rbx,%r14\n\tvpsllq\t$3,%xmm6,%xmm10\n\tshrdq\t$23,%r13,%r13\n\tmovq\t%r14,%rbx\n\tvpaddq\t%xmm8,%xmm7,%xmm7\n\tmovq\t%r10,%r12\n\tshrdq\t$5,%r14,%r14\n\tvpsrlq\t$19,%xmm6,%xmm9\n\txorq\t%r9,%r13\n\txorq\t%r11,%r12\n\tvpxor\t%xmm10,%xmm11,%xmm11\n\tshrdq\t$4,%r13,%r13\n\txorq\t%rbx,%r14\n\tvpsllq\t$42,%xmm10,%xmm10\n\tandq\t%r9,%r12\n\txorq\t%r9,%r13\n\tvpxor\t%xmm9,%xmm11,%xmm11\n\taddq\t120(%rsp),%rax\n\tmovq\t%rbx,%rdi\n\tvpsrlq\t$42,%xmm9,%xmm9\n\txorq\t%r11,%r12\n\tshrdq\t$6,%r14,%r14\n\tvpxor\t%xmm10,%xmm11,%xmm11\n\txorq\t%rcx,%rdi\n\taddq\t%r12,%rax\n\tvpxor\t%xmm9,%xmm11,%xmm11\n\tshrdq\t$14,%r13,%r13\n\tandq\t%rdi,%r15\n\tvpaddq\t%xmm11,%xmm7,%xmm7\n\txorq\t%rbx,%r14\n\taddq\t%r13,%rax\n\tvpaddq\t96(%rbp),%xmm7,%xmm10\n\txorq\t%rcx,%r15\n\tshrdq\t$28,%r14,%r14\n\taddq\t%rax,%r8\n\taddq\t%r15,%rax\n\tmovq\t%r8,%r13\n\taddq\t%rax,%r14\n\tvmovdqa\t%xmm10,112(%rsp)\n\tcmpb\t$0,135(%rbp)\n\tjne\t.Lavx_00_47\n\tshrdq\t$23,%r13,%r13\n\tmovq\t%r14,%rax\n\tmovq\t%r9,%r12\n\tshrdq\t$5,%r14,%r14\n\txorq\t%r8,%r13\n\txorq\t%r10,%r12\n\tshrdq\t$4,%r13,%r13\n\txorq\t%rax,%r14\n\tandq\t%r8,%r12\n\txorq\t%r8,%r13\n\taddq\t0(%rsp),%r11\n\tmovq\t%rax,%r15\n\txorq\t%r10,%r12\n\tshrdq\t$6,%r14,%r14\n\txorq\t%rbx,%r15\n\taddq\t%r12,%r11\n\tshrdq\t$14,%r13,%r13\n\tandq\t%r15,%rdi\n\txorq\t%rax,%r14\n\taddq\t%r13,%r11\n\txorq\t%rbx,%rdi\n\tshrdq\t$28,%r14,%r14\n\taddq\t%r11,%rdx\n\taddq\t%rdi,%r11\n\tmovq\t%rdx,%r13\n\taddq\t%r11,%r14\n\tshrdq\t$23,%r13,%r13\n\tmovq\t%r14,%r11\n\tmovq\t%r8,%r12\n\tshrdq\t$5,%r14,%r14\n\txorq\t%rdx,%r13\n\txorq\t%r9,%r12\n\tshrdq\t$4,%r13,%r13\n\txorq\t%r11,%r14\n\tandq\t%rdx,%r12\n\txorq\t%rdx,%r13\n\taddq\t8(%rsp),%r10\n\tmovq\t%r11,%rdi\n\txorq\t%r9,%r12\n\tshrdq\t$6,%r14,%r14\n\txorq\t%rax,%rdi\n\taddq\t%r12,%r10\n\tshrdq\t$14,%r13,%r13\n\tandq\t%rdi,%r15\n\txorq\t%r11,%r14\n\taddq\t%r13,%r10\n\txorq\t%rax,%r15\n\tshrdq\t$28,%r14,%r14\n\taddq\t%r10,%rcx\n\taddq\t%r15,%r10\n\tmovq\t%rcx,%r13\n\taddq\t%r10,%r14\n\tshrdq\t$23,%r13,%r13\n\tmovq\t%r14,%r10\n\tmovq\t%rdx,%r12\n\tshrdq\t$5,%r14,%r14\n\txorq\t%rcx,%r13\n\txorq\t%r8,%r12\n\tshrdq\t$4,%r13,%r13\n\txorq\t%r10,%r14\n\tandq\t%rcx,%r12\n\txorq\t%rcx,%r13\n\taddq\t16(%rsp),%r9\n\tmovq\t%r10,%r15\n\txorq\t%r8,%r12\n\tshrdq\t$6,%r14,%r14\n\txorq\t%r11,%r15\n\taddq\t%r12,%r9\n\tshrdq\t$14,%r13,%r13\n\tandq\t%r15,%rdi\n\txorq\t%r10,%r14\n\taddq\t%r13,%r9\n\txorq\t%r11,%rdi\n\tshrdq\t$28,%r14,%r14\n\taddq\t%r9,%rbx\n\taddq\t%rdi,%r9\n\tmovq\t%rbx,%r13\n\taddq\t%r9,%r14\n\tshrdq\t$23,%r13,%r13\n\tmovq\t%r14,%r9\n\tmovq\t%rcx,%r12\n\tshrdq\t$5,%r14,%r14\n\txorq\t%rbx,%r13\n\txorq\t%rdx,%r12\n\tshrdq\t$4,%r13,%r13\n\txorq\t%r9,%r14\n\tandq\t%rbx,%r12\n\txorq\t%rbx,%r13\n\taddq\t24(%rsp),%r8\n\tmovq\t%r9,%rdi\n\txorq\t%rdx,%r12\n\tshrdq\t$6,%r14,%r14\n\txorq\t%r10,%rdi\n\taddq\t%r12,%r8\n\tshrdq\t$14,%r13,%r13\n\tandq\t%rdi,%r15\n\txorq\t%r9,%r14\n\taddq\t%r13,%r8\n\txorq\t%r10,%r15\n\tshrdq\t$28,%r14,%r14\n\taddq\t%r8,%rax\n\taddq\t%r15,%r8\n\tmovq\t%rax,%r13\n\taddq\t%r8,%r14\n\tshrdq\t$23,%r13,%r13\n\tmovq\t%r14,%r8\n\tmovq\t%rbx,%r12\n\tshrdq\t$5,%r14,%r14\n\txorq\t%rax,%r13\n\txorq\t%rcx,%r12\n\tshrdq\t$4,%r13,%r13\n\txorq\t%r8,%r14\n\tandq\t%rax,%r12\n\txorq\t%rax,%r13\n\taddq\t32(%rsp),%rdx\n\tmovq\t%r8,%r15\n\txorq\t%rcx,%r12\n\tshrdq\t$6,%r14,%r14\n\txorq\t%r9,%r15\n\taddq\t%r12,%rdx\n\tshrdq\t$14,%r13,%r13\n\tandq\t%r15,%rdi\n\txorq\t%r8,%r14\n\taddq\t%r13,%rdx\n\txorq\t%r9,%rdi\n\tshrdq\t$28,%r14,%r14\n\taddq\t%rdx,%r11\n\taddq\t%rdi,%rdx\n\tmovq\t%r11,%r13\n\taddq\t%rdx,%r14\n\tshrdq\t$23,%r13,%r13\n\tmovq\t%r14,%rdx\n\tmovq\t%rax,%r12\n\tshrdq\t$5,%r14,%r14\n\txorq\t%r11,%r13\n\txorq\t%rbx,%r12\n\tshrdq\t$4,%r13,%r13\n\txorq\t%rdx,%r14\n\tandq\t%r11,%r12\n\txorq\t%r11,%r13\n\taddq\t40(%rsp),%rcx\n\tmovq\t%rdx,%rdi\n\txorq\t%rbx,%r12\n\tshrdq\t$6,%r14,%r14\n\txorq\t%r8,%rdi\n\taddq\t%r12,%rcx\n\tshrdq\t$14,%r13,%r13\n\tandq\t%rdi,%r15\n\txorq\t%rdx,%r14\n\taddq\t%r13,%rcx\n\txorq\t%r8,%r15\n\tshrdq\t$28,%r14,%r14\n\taddq\t%rcx,%r10\n\taddq\t%r15,%rcx\n\tmovq\t%r10,%r13\n\taddq\t%rcx,%r14\n\tshrdq\t$23,%r13,%r13\n\tmovq\t%r14,%rcx\n\tmovq\t%r11,%r12\n\tshrdq\t$5,%r14,%r14\n\txorq\t%r10,%r13\n\txorq\t%rax,%r12\n\tshrdq\t$4,%r13,%r13\n\txorq\t%rcx,%r14\n\tandq\t%r10,%r12\n\txorq\t%r10,%r13\n\taddq\t48(%rsp),%rbx\n\tmovq\t%rcx,%r15\n\txorq\t%rax,%r12\n\tshrdq\t$6,%r14,%r14\n\txorq\t%rdx,%r15\n\taddq\t%r12,%rbx\n\tshrdq\t$14,%r13,%r13\n\tandq\t%r15,%rdi\n\txorq\t%rcx,%r14\n\taddq\t%r13,%rbx\n\txorq\t%rdx,%rdi\n\tshrdq\t$28,%r14,%r14\n\taddq\t%rbx,%r9\n\taddq\t%rdi,%rbx\n\tmovq\t%r9,%r13\n\taddq\t%rbx,%r14\n\tshrdq\t$23,%r13,%r13\n\tmovq\t%r14,%rbx\n\tmovq\t%r10,%r12\n\tshrdq\t$5,%r14,%r14\n\txorq\t%r9,%r13\n\txorq\t%r11,%r12\n\tshrdq\t$4,%r13,%r13\n\txorq\t%rbx,%r14\n\tandq\t%r9,%r12\n\txorq\t%r9,%r13\n\taddq\t56(%rsp),%rax\n\tmovq\t%rbx,%rdi\n\txorq\t%r11,%r12\n\tshrdq\t$6,%r14,%r14\n\txorq\t%rcx,%rdi\n\taddq\t%r12,%rax\n\tshrdq\t$14,%r13,%r13\n\tandq\t%rdi,%r15\n\txorq\t%rbx,%r14\n\taddq\t%r13,%rax\n\txorq\t%rcx,%r15\n\tshrdq\t$28,%r14,%r14\n\taddq\t%rax,%r8\n\taddq\t%r15,%rax\n\tmovq\t%r8,%r13\n\taddq\t%rax,%r14\n\tshrdq\t$23,%r13,%r13\n\tmovq\t%r14,%rax\n\tmovq\t%r9,%r12\n\tshrdq\t$5,%r14,%r14\n\txorq\t%r8,%r13\n\txorq\t%r10,%r12\n\tshrdq\t$4,%r13,%r13\n\txorq\t%rax,%r14\n\tandq\t%r8,%r12\n\txorq\t%r8,%r13\n\taddq\t64(%rsp),%r11\n\tmovq\t%rax,%r15\n\txorq\t%r10,%r12\n\tshrdq\t$6,%r14,%r14\n\txorq\t%rbx,%r15\n\taddq\t%r12,%r11\n\tshrdq\t$14,%r13,%r13\n\tandq\t%r15,%rdi\n\txorq\t%rax,%r14\n\taddq\t%r13,%r11\n\txorq\t%rbx,%rdi\n\tshrdq\t$28,%r14,%r14\n\taddq\t%r11,%rdx\n\taddq\t%rdi,%r11\n\tmovq\t%rdx,%r13\n\taddq\t%r11,%r14\n\tshrdq\t$23,%r13,%r13\n\tmovq\t%r14,%r11\n\tmovq\t%r8,%r12\n\tshrdq\t$5,%r14,%r14\n\txorq\t%rdx,%r13\n\txorq\t%r9,%r12\n\tshrdq\t$4,%r13,%r13\n\txorq\t%r11,%r14\n\tandq\t%rdx,%r12\n\txorq\t%rdx,%r13\n\taddq\t72(%rsp),%r10\n\tmovq\t%r11,%rdi\n\txorq\t%r9,%r12\n\tshrdq\t$6,%r14,%r14\n\txorq\t%rax,%rdi\n\taddq\t%r12,%r10\n\tshrdq\t$14,%r13,%r13\n\tandq\t%rdi,%r15\n\txorq\t%r11,%r14\n\taddq\t%r13,%r10\n\txorq\t%rax,%r15\n\tshrdq\t$28,%r14,%r14\n\taddq\t%r10,%rcx\n\taddq\t%r15,%r10\n\tmovq\t%rcx,%r13\n\taddq\t%r10,%r14\n\tshrdq\t$23,%r13,%r13\n\tmovq\t%r14,%r10\n\tmovq\t%rdx,%r12\n\tshrdq\t$5,%r14,%r14\n\txorq\t%rcx,%r13\n\txorq\t%r8,%r12\n\tshrdq\t$4,%r13,%r13\n\txorq\t%r10,%r14\n\tandq\t%rcx,%r12\n\txorq\t%rcx,%r13\n\taddq\t80(%rsp),%r9\n\tmovq\t%r10,%r15\n\txorq\t%r8,%r12\n\tshrdq\t$6,%r14,%r14\n\txorq\t%r11,%r15\n\taddq\t%r12,%r9\n\tshrdq\t$14,%r13,%r13\n\tandq\t%r15,%rdi\n\txorq\t%r10,%r14\n\taddq\t%r13,%r9\n\txorq\t%r11,%rdi\n\tshrdq\t$28,%r14,%r14\n\taddq\t%r9,%rbx\n\taddq\t%rdi,%r9\n\tmovq\t%rbx,%r13\n\taddq\t%r9,%r14\n\tshrdq\t$23,%r13,%r13\n\tmovq\t%r14,%r9\n\tmovq\t%rcx,%r12\n\tshrdq\t$5,%r14,%r14\n\txorq\t%rbx,%r13\n\txorq\t%rdx,%r12\n\tshrdq\t$4,%r13,%r13\n\txorq\t%r9,%r14\n\tandq\t%rbx,%r12\n\txorq\t%rbx,%r13\n\taddq\t88(%rsp),%r8\n\tmovq\t%r9,%rdi\n\txorq\t%rdx,%r12\n\tshrdq\t$6,%r14,%r14\n\txorq\t%r10,%rdi\n\taddq\t%r12,%r8\n\tshrdq\t$14,%r13,%r13\n\tandq\t%rdi,%r15\n\txorq\t%r9,%r14\n\taddq\t%r13,%r8\n\txorq\t%r10,%r15\n\tshrdq\t$28,%r14,%r14\n\taddq\t%r8,%rax\n\taddq\t%r15,%r8\n\tmovq\t%rax,%r13\n\taddq\t%r8,%r14\n\tshrdq\t$23,%r13,%r13\n\tmovq\t%r14,%r8\n\tmovq\t%rbx,%r12\n\tshrdq\t$5,%r14,%r14\n\txorq\t%rax,%r13\n\txorq\t%rcx,%r12\n\tshrdq\t$4,%r13,%r13\n\txorq\t%r8,%r14\n\tandq\t%rax,%r12\n\txorq\t%rax,%r13\n\taddq\t96(%rsp),%rdx\n\tmovq\t%r8,%r15\n\txorq\t%rcx,%r12\n\tshrdq\t$6,%r14,%r14\n\txorq\t%r9,%r15\n\taddq\t%r12,%rdx\n\tshrdq\t$14,%r13,%r13\n\tandq\t%r15,%rdi\n\txorq\t%r8,%r14\n\taddq\t%r13,%rdx\n\txorq\t%r9,%rdi\n\tshrdq\t$28,%r14,%r14\n\taddq\t%rdx,%r11\n\taddq\t%rdi,%rdx\n\tmovq\t%r11,%r13\n\taddq\t%rdx,%r14\n\tshrdq\t$23,%r13,%r13\n\tmovq\t%r14,%rdx\n\tmovq\t%rax,%r12\n\tshrdq\t$5,%r14,%r14\n\txorq\t%r11,%r13\n\txorq\t%rbx,%r12\n\tshrdq\t$4,%r13,%r13\n\txorq\t%rdx,%r14\n\tandq\t%r11,%r12\n\txorq\t%r11,%r13\n\taddq\t104(%rsp),%rcx\n\tmovq\t%rdx,%rdi\n\txorq\t%rbx,%r12\n\tshrdq\t$6,%r14,%r14\n\txorq\t%r8,%rdi\n\taddq\t%r12,%rcx\n\tshrdq\t$14,%r13,%r13\n\tandq\t%rdi,%r15\n\txorq\t%rdx,%r14\n\taddq\t%r13,%rcx\n\txorq\t%r8,%r15\n\tshrdq\t$28,%r14,%r14\n\taddq\t%rcx,%r10\n\taddq\t%r15,%rcx\n\tmovq\t%r10,%r13\n\taddq\t%rcx,%r14\n\tshrdq\t$23,%r13,%r13\n\tmovq\t%r14,%rcx\n\tmovq\t%r11,%r12\n\tshrdq\t$5,%r14,%r14\n\txorq\t%r10,%r13\n\txorq\t%rax,%r12\n\tshrdq\t$4,%r13,%r13\n\txorq\t%rcx,%r14\n\tandq\t%r10,%r12\n\txorq\t%r10,%r13\n\taddq\t112(%rsp),%rbx\n\tmovq\t%rcx,%r15\n\txorq\t%rax,%r12\n\tshrdq\t$6,%r14,%r14\n\txorq\t%rdx,%r15\n\taddq\t%r12,%rbx\n\tshrdq\t$14,%r13,%r13\n\tandq\t%r15,%rdi\n\txorq\t%rcx,%r14\n\taddq\t%r13,%rbx\n\txorq\t%rdx,%rdi\n\tshrdq\t$28,%r14,%r14\n\taddq\t%rbx,%r9\n\taddq\t%rdi,%rbx\n\tmovq\t%r9,%r13\n\taddq\t%rbx,%r14\n\tshrdq\t$23,%r13,%r13\n\tmovq\t%r14,%rbx\n\tmovq\t%r10,%r12\n\tshrdq\t$5,%r14,%r14\n\txorq\t%r9,%r13\n\txorq\t%r11,%r12\n\tshrdq\t$4,%r13,%r13\n\txorq\t%rbx,%r14\n\tandq\t%r9,%r12\n\txorq\t%r9,%r13\n\taddq\t120(%rsp),%rax\n\tmovq\t%rbx,%rdi\n\txorq\t%r11,%r12\n\tshrdq\t$6,%r14,%r14\n\txorq\t%rcx,%rdi\n\taddq\t%r12,%rax\n\tshrdq\t$14,%r13,%r13\n\tandq\t%rdi,%r15\n\txorq\t%rbx,%r14\n\taddq\t%r13,%rax\n\txorq\t%rcx,%r15\n\tshrdq\t$28,%r14,%r14\n\taddq\t%rax,%r8\n\taddq\t%r15,%rax\n\tmovq\t%r8,%r13\n\taddq\t%rax,%r14\n\tmovq\t128+0(%rsp),%rdi\n\tmovq\t%r14,%rax\n\n\taddq\t0(%rdi),%rax\n\tleaq\t128(%rsi),%rsi\n\taddq\t8(%rdi),%rbx\n\taddq\t16(%rdi),%rcx\n\taddq\t24(%rdi),%rdx\n\taddq\t32(%rdi),%r8\n\taddq\t40(%rdi),%r9\n\taddq\t48(%rdi),%r10\n\taddq\t56(%rdi),%r11\n\n\tcmpq\t128+16(%rsp),%rsi\n\n\tmovq\t%rax,0(%rdi)\n\tmovq\t%rbx,8(%rdi)\n\tmovq\t%rcx,16(%rdi)\n\tmovq\t%rdx,24(%rdi)\n\tmovq\t%r8,32(%rdi)\n\tmovq\t%r9,40(%rdi)\n\tmovq\t%r10,48(%rdi)\n\tmovq\t%r11,56(%rdi)\n\tjb\t.Lloop_avx\n\n\tmovq\t152(%rsp),%rsi\n.cfi_def_cfa\t%rsi,8\n\tvzeroupper\n\tmovq\t-48(%rsi),%r15\n.cfi_restore\t%r15\n\tmovq\t-40(%rsi),%r14\n.cfi_restore\t%r14\n\tmovq\t-32(%rsi),%r13\n.cfi_restore\t%r13\n\tmovq\t-24(%rsi),%r12\n.cfi_restore\t%r12\n\tmovq\t-16(%rsi),%rbp\n.cfi_restore\t%rbp\n\tmovq\t-8(%rsi),%rbx\n.cfi_restore\t%rbx\n\tleaq\t(%rsi),%rsp\n.cfi_def_cfa_register\t%rsp\n.Lepilogue_avx:\n\tret\n.cfi_endproc\t\n.size\tsha512_block_data_order_avx,.-sha512_block_data_order_avx\n#endif\n#if defined(__linux__) && defined(__ELF__)\n.section .note.GNU-stack,\"\",%progbits\n#endif\n\n" }, { "path": "Sources/CNIOBoringSSL/gen/bcm/vpaes-armv7-linux.S", "content": "#define BORINGSSL_PREFIX CNIOBoringSSL\n// This file is generated from a similarly-named Perl script in the BoringSSL\n// source tree. Do not edit by hand.\n\n#include \n\n#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_ARM) && defined(__ELF__)\n.syntax\tunified\n\n.arch\tarmv7-a\n.fpu\tneon\n\n#if defined(__thumb2__)\n.thumb\n#else\n.code\t32\n#endif\n\n.text\n\n.type\t_vpaes_consts,%object\n.align\t7\t@ totally strategic alignment\n_vpaes_consts:\n.Lk_mc_forward:@ mc_forward\n.quad\t0x0407060500030201, 0x0C0F0E0D080B0A09\n.quad\t0x080B0A0904070605, 0x000302010C0F0E0D\n.quad\t0x0C0F0E0D080B0A09, 0x0407060500030201\n.quad\t0x000302010C0F0E0D, 0x080B0A0904070605\n.Lk_mc_backward:@ mc_backward\n.quad\t0x0605040702010003, 0x0E0D0C0F0A09080B\n.quad\t0x020100030E0D0C0F, 0x0A09080B06050407\n.quad\t0x0E0D0C0F0A09080B, 0x0605040702010003\n.quad\t0x0A09080B06050407, 0x020100030E0D0C0F\n.Lk_sr:@ sr\n.quad\t0x0706050403020100, 0x0F0E0D0C0B0A0908\n.quad\t0x030E09040F0A0500, 0x0B06010C07020D08\n.quad\t0x0F060D040B020900, 0x070E050C030A0108\n.quad\t0x0B0E0104070A0D00, 0x0306090C0F020508\n\n@\n@ \"Hot\" constants\n@\n.Lk_inv:@ inv, inva\n.quad\t0x0E05060F0D080180, 0x040703090A0B0C02\n.quad\t0x01040A060F0B0780, 0x030D0E0C02050809\n.Lk_ipt:@ input transform (lo, hi)\n.quad\t0xC2B2E8985A2A7000, 0xCABAE09052227808\n.quad\t0x4C01307D317C4D00, 0xCD80B1FCB0FDCC81\n.Lk_sbo:@ sbou, sbot\n.quad\t0xD0D26D176FBDC700, 0x15AABF7AC502A878\n.quad\t0xCFE474A55FBB6A00, 0x8E1E90D1412B35FA\n.Lk_sb1:@ sb1u, sb1t\n.quad\t0x3618D415FAE22300, 0x3BF7CCC10D2ED9EF\n.quad\t0xB19BE18FCB503E00, 0xA5DF7A6E142AF544\n.Lk_sb2:@ sb2u, sb2t\n.quad\t0x69EB88400AE12900, 0xC2A163C8AB82234A\n.quad\t0xE27A93C60B712400, 0x5EB7E955BC982FCD\n\n.byte\t86,101,99,116,111,114,32,80,101,114,109,117,116,97,116,105,111,110,32,65,69,83,32,102,111,114,32,65,82,77,118,55,32,78,69,79,78,44,32,77,105,107,101,32,72,97,109,98,117,114,103,32,40,83,116,97,110,102,111,114,100,32,85,110,105,118,101,114,115,105,116,121,41,0\n.align\t2\n.size\t_vpaes_consts,.-_vpaes_consts\n.align\t6\n@@\n@@ _aes_preheat\n@@\n@@ Fills q9-q15 as specified below.\n@@\n.type\t_vpaes_preheat,%function\n.align\t4\n_vpaes_preheat:\n\tadr\tr10, .Lk_inv\n\tvmov.i8\tq9, #0x0f\t\t@ .Lk_s0F\n\tvld1.64\t{q10,q11}, [r10]!\t@ .Lk_inv\n\tadd\tr10, r10, #64\t\t@ Skip .Lk_ipt, .Lk_sbo\n\tvld1.64\t{q12,q13}, [r10]!\t@ .Lk_sb1\n\tvld1.64\t{q14,q15}, [r10]\t@ .Lk_sb2\n\tbx\tlr\n\n@@\n@@ _aes_encrypt_core\n@@\n@@ AES-encrypt q0.\n@@\n@@ Inputs:\n@@ q0 = input\n@@ q9-q15 as in _vpaes_preheat\n@@ [r2] = scheduled keys\n@@\n@@ Output in q0\n@@ Clobbers q1-q5, r8-r11\n@@ Preserves q6-q8 so you get some local vectors\n@@\n@@\n.type\t_vpaes_encrypt_core,%function\n.align\t4\n_vpaes_encrypt_core:\n\tmov\tr9, r2\n\tldr\tr8, [r2,#240]\t\t@ pull rounds\n\tadr\tr11, .Lk_ipt\n\t@ vmovdqa\t.Lk_ipt(%rip),\t%xmm2\t# iptlo\n\t@ vmovdqa\t.Lk_ipt+16(%rip), %xmm3\t# ipthi\n\tvld1.64\t{q2, q3}, [r11]\n\tadr\tr11, .Lk_mc_forward+16\n\tvld1.64\t{q5}, [r9]!\t\t@ vmovdqu\t(%r9),\t%xmm5\t\t# round0 key\n\tvand\tq1, q0, q9\t\t@ vpand\t%xmm9,\t%xmm0,\t%xmm1\n\tvshr.u8\tq0, q0, #4\t\t@ vpsrlb\t$4,\t%xmm0,\t%xmm0\n\tvtbl.8\td2, {q2}, d2\t@ vpshufb\t%xmm1,\t%xmm2,\t%xmm1\n\tvtbl.8\td3, {q2}, d3\n\tvtbl.8\td4, {q3}, d0\t@ vpshufb\t%xmm0,\t%xmm3,\t%xmm2\n\tvtbl.8\td5, {q3}, d1\n\tveor\tq0, q1, q5\t\t@ vpxor\t%xmm5,\t%xmm1,\t%xmm0\n\tveor\tq0, q0, q2\t\t@ vpxor\t%xmm2,\t%xmm0,\t%xmm0\n\n\t@ .Lenc_entry ends with a bnz instruction which is normally paired with\n\t@ subs in .Lenc_loop.\n\ttst\tr8, r8\n\tb\t.Lenc_entry\n\n.align\t4\n.Lenc_loop:\n\t@ middle of middle round\n\tadd\tr10, r11, #0x40\n\tvtbl.8\td8, {q13}, d4\t@ vpshufb\t%xmm2,\t%xmm13,\t%xmm4\t# 4 = sb1u\n\tvtbl.8\td9, {q13}, d5\n\tvld1.64\t{q1}, [r11]!\t\t@ vmovdqa\t-0x40(%r11,%r10), %xmm1\t# .Lk_mc_forward[]\n\tvtbl.8\td0, {q12}, d6\t@ vpshufb\t%xmm3,\t%xmm12,\t%xmm0\t# 0 = sb1t\n\tvtbl.8\td1, {q12}, d7\n\tveor\tq4, q4, q5\t\t@ vpxor\t\t%xmm5,\t%xmm4,\t%xmm4\t# 4 = sb1u + k\n\tvtbl.8\td10, {q15}, d4\t@ vpshufb\t%xmm2,\t%xmm15,\t%xmm5\t# 4 = sb2u\n\tvtbl.8\td11, {q15}, d5\n\tveor\tq0, q0, q4\t\t@ vpxor\t\t%xmm4,\t%xmm0,\t%xmm0\t# 0 = A\n\tvtbl.8\td4, {q14}, d6\t@ vpshufb\t%xmm3,\t%xmm14,\t%xmm2\t# 2 = sb2t\n\tvtbl.8\td5, {q14}, d7\n\tvld1.64\t{q4}, [r10]\t\t@ vmovdqa\t(%r11,%r10), %xmm4\t# .Lk_mc_backward[]\n\tvtbl.8\td6, {q0}, d2\t@ vpshufb\t%xmm1,\t%xmm0,\t%xmm3\t# 0 = B\n\tvtbl.8\td7, {q0}, d3\n\tveor\tq2, q2, q5\t\t@ vpxor\t\t%xmm5,\t%xmm2,\t%xmm2\t# 2 = 2A\n\t@ Write to q5 instead of q0, so the table and destination registers do\n\t@ not overlap.\n\tvtbl.8\td10, {q0}, d8\t@ vpshufb\t%xmm4,\t%xmm0,\t%xmm0\t# 3 = D\n\tvtbl.8\td11, {q0}, d9\n\tveor\tq3, q3, q2\t\t@ vpxor\t\t%xmm2,\t%xmm3,\t%xmm3\t# 0 = 2A+B\n\tvtbl.8\td8, {q3}, d2\t@ vpshufb\t%xmm1,\t%xmm3,\t%xmm4\t# 0 = 2B+C\n\tvtbl.8\td9, {q3}, d3\n\t@ Here we restore the original q0/q5 usage.\n\tveor\tq0, q5, q3\t\t@ vpxor\t\t%xmm3,\t%xmm0,\t%xmm0\t# 3 = 2A+B+D\n\tand\tr11, r11, #~(1<<6)\t@ and\t\t$0x30,\t%r11\t\t# ... mod 4\n\tveor\tq0, q0, q4\t\t@ vpxor\t\t%xmm4,\t%xmm0, %xmm0\t# 0 = 2A+3B+C+D\n\tsubs\tr8, r8, #1\t\t@ nr--\n\n.Lenc_entry:\n\t@ top of round\n\tvand\tq1, q0, q9\t\t@ vpand\t\t%xmm0,\t%xmm9,\t%xmm1 # 0 = k\n\tvshr.u8\tq0, q0, #4\t\t@ vpsrlb\t$4,\t%xmm0,\t%xmm0\t# 1 = i\n\tvtbl.8\td10, {q11}, d2\t@ vpshufb\t%xmm1,\t%xmm11,\t%xmm5\t# 2 = a/k\n\tvtbl.8\td11, {q11}, d3\n\tveor\tq1, q1, q0\t\t@ vpxor\t\t%xmm0,\t%xmm1,\t%xmm1\t# 0 = j\n\tvtbl.8\td6, {q10}, d0\t@ vpshufb\t%xmm0, \t%xmm10,\t%xmm3 \t# 3 = 1/i\n\tvtbl.8\td7, {q10}, d1\n\tvtbl.8\td8, {q10}, d2\t@ vpshufb\t%xmm1, \t%xmm10,\t%xmm4 \t# 4 = 1/j\n\tvtbl.8\td9, {q10}, d3\n\tveor\tq3, q3, q5\t\t@ vpxor\t\t%xmm5,\t%xmm3,\t%xmm3\t# 3 = iak = 1/i + a/k\n\tveor\tq4, q4, q5\t\t@ vpxor\t\t%xmm5,\t%xmm4,\t%xmm4 \t# 4 = jak = 1/j + a/k\n\tvtbl.8\td4, {q10}, d6\t@ vpshufb\t%xmm3,\t%xmm10,\t%xmm2 \t# 2 = 1/iak\n\tvtbl.8\td5, {q10}, d7\n\tvtbl.8\td6, {q10}, d8\t@ vpshufb\t%xmm4,\t%xmm10,\t%xmm3\t# 3 = 1/jak\n\tvtbl.8\td7, {q10}, d9\n\tveor\tq2, q2, q1\t\t@ vpxor\t\t%xmm1,\t%xmm2,\t%xmm2 \t# 2 = io\n\tveor\tq3, q3, q0\t\t@ vpxor\t\t%xmm0,\t%xmm3,\t%xmm3\t# 3 = jo\n\tvld1.64\t{q5}, [r9]!\t\t@ vmovdqu\t(%r9),\t%xmm5\n\tbne\t.Lenc_loop\n\n\t@ middle of last round\n\tadd\tr10, r11, #0x80\n\n\tadr\tr11, .Lk_sbo\n\t@ Read to q1 instead of q4, so the vtbl.8 instruction below does not\n\t@ overlap table and destination registers.\n\tvld1.64\t{q1}, [r11]!\t\t@ vmovdqa\t-0x60(%r10), %xmm4\t# 3 : sbou\n\tvld1.64\t{q0}, [r11]\t\t@ vmovdqa\t-0x50(%r10), %xmm0\t# 0 : sbot\t.Lk_sbo+16\n\tvtbl.8\td8, {q1}, d4\t@ vpshufb\t%xmm2,\t%xmm4,\t%xmm4\t# 4 = sbou\n\tvtbl.8\td9, {q1}, d5\n\tvld1.64\t{q1}, [r10]\t\t@ vmovdqa\t0x40(%r11,%r10), %xmm1\t# .Lk_sr[]\n\t@ Write to q2 instead of q0 below, to avoid overlapping table and\n\t@ destination registers.\n\tvtbl.8\td4, {q0}, d6\t@ vpshufb\t%xmm3,\t%xmm0,\t%xmm0\t# 0 = sb1t\n\tvtbl.8\td5, {q0}, d7\n\tveor\tq4, q4, q5\t\t@ vpxor\t%xmm5,\t%xmm4,\t%xmm4\t# 4 = sb1u + k\n\tveor\tq2, q2, q4\t\t@ vpxor\t%xmm4,\t%xmm0,\t%xmm0\t# 0 = A\n\t@ Here we restore the original q0/q2 usage.\n\tvtbl.8\td0, {q2}, d2\t@ vpshufb\t%xmm1,\t%xmm0,\t%xmm0\n\tvtbl.8\td1, {q2}, d3\n\tbx\tlr\n.size\t_vpaes_encrypt_core,.-_vpaes_encrypt_core\n\n.globl\tvpaes_encrypt\n.hidden\tvpaes_encrypt\n.type\tvpaes_encrypt,%function\n.align\t4\nvpaes_encrypt:\n\t@ _vpaes_encrypt_core uses r8-r11. Round up to r7-r11 to maintain stack\n\t@ alignment.\n\tstmdb\tsp!, {r7,r8,r9,r10,r11,lr}\n\t@ _vpaes_encrypt_core uses q4-q5 (d8-d11), which are callee-saved.\n\tvstmdb\tsp!, {d8,d9,d10,d11}\n\n\tvld1.64\t{q0}, [r0]\n\tbl\t_vpaes_preheat\n\tbl\t_vpaes_encrypt_core\n\tvst1.64\t{q0}, [r1]\n\n\tvldmia\tsp!, {d8,d9,d10,d11}\n\tldmia\tsp!, {r7,r8,r9,r10,r11, pc}\t@ return\n.size\tvpaes_encrypt,.-vpaes_encrypt\n\n@\n@ Decryption stuff\n@\n.type\t_vpaes_decrypt_consts,%object\n.align\t4\n_vpaes_decrypt_consts:\n.Lk_dipt:@ decryption input transform\n.quad\t0x0F505B040B545F00, 0x154A411E114E451A\n.quad\t0x86E383E660056500, 0x12771772F491F194\n.Lk_dsbo:@ decryption sbox final output\n.quad\t0x1387EA537EF94000, 0xC7AA6DB9D4943E2D\n.quad\t0x12D7560F93441D00, 0xCA4B8159D8C58E9C\n.Lk_dsb9:@ decryption sbox output *9*u, *9*t\n.quad\t0x851C03539A86D600, 0xCAD51F504F994CC9\n.quad\t0xC03B1789ECD74900, 0x725E2C9EB2FBA565\n.Lk_dsbd:@ decryption sbox output *D*u, *D*t\n.quad\t0x7D57CCDFE6B1A200, 0xF56E9B13882A4439\n.quad\t0x3CE2FAF724C6CB00, 0x2931180D15DEEFD3\n.Lk_dsbb:@ decryption sbox output *B*u, *B*t\n.quad\t0xD022649296B44200, 0x602646F6B0F2D404\n.quad\t0xC19498A6CD596700, 0xF3FF0C3E3255AA6B\n.Lk_dsbe:@ decryption sbox output *E*u, *E*t\n.quad\t0x46F2929626D4D000, 0x2242600464B4F6B0\n.quad\t0x0C55A6CDFFAAC100, 0x9467F36B98593E32\n.size\t_vpaes_decrypt_consts,.-_vpaes_decrypt_consts\n\n@@\n@@ Decryption core\n@@\n@@ Same API as encryption core, except it clobbers q12-q15 rather than using\n@@ the values from _vpaes_preheat. q9-q11 must still be set from\n@@ _vpaes_preheat.\n@@\n.type\t_vpaes_decrypt_core,%function\n.align\t4\n_vpaes_decrypt_core:\n\tmov\tr9, r2\n\tldr\tr8, [r2,#240]\t\t@ pull rounds\n\n\t@ This function performs shuffles with various constants. The x86_64\n\t@ version loads them on-demand into %xmm0-%xmm5. This does not work well\n\t@ for ARMv7 because those registers are shuffle destinations. The ARMv8\n\t@ version preloads those constants into registers, but ARMv7 has half\n\t@ the registers to work with. Instead, we load them on-demand into\n\t@ q12-q15, registers normally use for preloaded constants. This is fine\n\t@ because decryption doesn't use those constants. The values are\n\t@ constant, so this does not interfere with potential 2x optimizations.\n\tadr\tr7, .Lk_dipt\n\n\tvld1.64\t{q12,q13}, [r7]\t\t@ vmovdqa\t.Lk_dipt(%rip), %xmm2\t# iptlo\n\tlsl\tr11, r8, #4\t\t@ mov\t\t%rax,\t%r11;\tshl\t$4, %r11\n\teor\tr11, r11, #0x30\t\t@ xor\t\t$0x30,\t%r11\n\tadr\tr10, .Lk_sr\n\tand\tr11, r11, #0x30\t\t@ and\t\t$0x30,\t%r11\n\tadd\tr11, r11, r10\n\tadr\tr10, .Lk_mc_forward+48\n\n\tvld1.64\t{q4}, [r9]!\t\t@ vmovdqu\t(%r9),\t%xmm4\t\t# round0 key\n\tvand\tq1, q0, q9\t\t@ vpand\t\t%xmm9,\t%xmm0,\t%xmm1\n\tvshr.u8\tq0, q0, #4\t\t@ vpsrlb\t$4,\t%xmm0,\t%xmm0\n\tvtbl.8\td4, {q12}, d2\t@ vpshufb\t%xmm1,\t%xmm2,\t%xmm2\n\tvtbl.8\td5, {q12}, d3\n\tvld1.64\t{q5}, [r10]\t\t@ vmovdqa\t.Lk_mc_forward+48(%rip), %xmm5\n\t\t\t\t\t@ vmovdqa\t.Lk_dipt+16(%rip), %xmm1 # ipthi\n\tvtbl.8\td0, {q13}, d0\t@ vpshufb\t%xmm0,\t%xmm1,\t%xmm0\n\tvtbl.8\td1, {q13}, d1\n\tveor\tq2, q2, q4\t\t@ vpxor\t\t%xmm4,\t%xmm2,\t%xmm2\n\tveor\tq0, q0, q2\t\t@ vpxor\t\t%xmm2,\t%xmm0,\t%xmm0\n\n\t@ .Ldec_entry ends with a bnz instruction which is normally paired with\n\t@ subs in .Ldec_loop.\n\ttst\tr8, r8\n\tb\t.Ldec_entry\n\n.align\t4\n.Ldec_loop:\n@\n@ Inverse mix columns\n@\n\n\t@ We load .Lk_dsb* into q12-q15 on-demand. See the comment at the top of\n\t@ the function.\n\tadr\tr10, .Lk_dsb9\n\tvld1.64\t{q12,q13}, [r10]!\t@ vmovdqa\t-0x20(%r10),%xmm4\t\t# 4 : sb9u\n\t\t\t\t\t@ vmovdqa\t-0x10(%r10),%xmm1\t\t# 0 : sb9t\n\t@ Load sbd* ahead of time.\n\tvld1.64\t{q14,q15}, [r10]!\t@ vmovdqa\t0x00(%r10),%xmm4\t\t# 4 : sbdu\n\t\t\t\t\t@ vmovdqa\t0x10(%r10),%xmm1\t\t# 0 : sbdt\n\tvtbl.8\td8, {q12}, d4\t@ vpshufb\t%xmm2,\t%xmm4,\t%xmm4\t\t# 4 = sb9u\n\tvtbl.8\td9, {q12}, d5\n\tvtbl.8\td2, {q13}, d6\t@ vpshufb\t%xmm3,\t%xmm1,\t%xmm1\t\t# 0 = sb9t\n\tvtbl.8\td3, {q13}, d7\n\tveor\tq0, q4, q0\t\t@ vpxor\t\t%xmm4,\t%xmm0,\t%xmm0\n\n\tveor\tq0, q0, q1\t\t@ vpxor\t\t%xmm1,\t%xmm0,\t%xmm0\t\t# 0 = ch\n\n\t@ Load sbb* ahead of time.\n\tvld1.64\t{q12,q13}, [r10]!\t@ vmovdqa\t0x20(%r10),%xmm4\t\t# 4 : sbbu\n\t\t\t\t\t@ vmovdqa\t0x30(%r10),%xmm1\t\t# 0 : sbbt\n\n\tvtbl.8\td8, {q14}, d4\t@ vpshufb\t%xmm2,\t%xmm4,\t%xmm4\t\t# 4 = sbdu\n\tvtbl.8\td9, {q14}, d5\n\t@ Write to q1 instead of q0, so the table and destination registers do\n\t@ not overlap.\n\tvtbl.8\td2, {q0}, d10\t@ vpshufb\t%xmm5,\t%xmm0,\t%xmm0\t\t# MC ch\n\tvtbl.8\td3, {q0}, d11\n\t@ Here we restore the original q0/q1 usage. This instruction is\n\t@ reordered from the ARMv8 version so we do not clobber the vtbl.8\n\t@ below.\n\tveor\tq0, q1, q4\t\t@ vpxor\t\t%xmm4,\t%xmm0,\t%xmm0\t\t# 4 = ch\n\tvtbl.8\td2, {q15}, d6\t@ vpshufb\t%xmm3,\t%xmm1,\t%xmm1\t\t# 0 = sbdt\n\tvtbl.8\td3, {q15}, d7\n\t\t\t\t\t@ vmovdqa\t0x20(%r10),\t%xmm4\t\t# 4 : sbbu\n\tveor\tq0, q0, q1\t\t@ vpxor\t\t%xmm1,\t%xmm0,\t%xmm0\t\t# 0 = ch\n\t\t\t\t\t@ vmovdqa\t0x30(%r10),\t%xmm1\t\t# 0 : sbbt\n\n\t@ Load sbd* ahead of time.\n\tvld1.64\t{q14,q15}, [r10]!\t@ vmovdqa\t0x40(%r10),%xmm4\t\t# 4 : sbeu\n\t\t\t\t\t@ vmovdqa\t0x50(%r10),%xmm1\t\t# 0 : sbet\n\n\tvtbl.8\td8, {q12}, d4\t@ vpshufb\t%xmm2,\t%xmm4,\t%xmm4\t\t# 4 = sbbu\n\tvtbl.8\td9, {q12}, d5\n\t@ Write to q1 instead of q0, so the table and destination registers do\n\t@ not overlap.\n\tvtbl.8\td2, {q0}, d10\t@ vpshufb\t%xmm5,\t%xmm0,\t%xmm0\t\t# MC ch\n\tvtbl.8\td3, {q0}, d11\n\t@ Here we restore the original q0/q1 usage. This instruction is\n\t@ reordered from the ARMv8 version so we do not clobber the vtbl.8\n\t@ below.\n\tveor\tq0, q1, q4\t\t@ vpxor\t\t%xmm4,\t%xmm0,\t%xmm0\t\t# 4 = ch\n\tvtbl.8\td2, {q13}, d6\t@ vpshufb\t%xmm3,\t%xmm1,\t%xmm1\t\t# 0 = sbbt\n\tvtbl.8\td3, {q13}, d7\n\tveor\tq0, q0, q1\t\t@ vpxor\t\t%xmm1,\t%xmm0,\t%xmm0\t\t# 0 = ch\n\n\tvtbl.8\td8, {q14}, d4\t@ vpshufb\t%xmm2,\t%xmm4,\t%xmm4\t\t# 4 = sbeu\n\tvtbl.8\td9, {q14}, d5\n\t@ Write to q1 instead of q0, so the table and destination registers do\n\t@ not overlap.\n\tvtbl.8\td2, {q0}, d10\t@ vpshufb\t%xmm5,\t%xmm0,\t%xmm0\t\t# MC ch\n\tvtbl.8\td3, {q0}, d11\n\t@ Here we restore the original q0/q1 usage. This instruction is\n\t@ reordered from the ARMv8 version so we do not clobber the vtbl.8\n\t@ below.\n\tveor\tq0, q1, q4\t\t@ vpxor\t\t%xmm4,\t%xmm0,\t%xmm0\t\t# 4 = ch\n\tvtbl.8\td2, {q15}, d6\t@ vpshufb\t%xmm3,\t%xmm1,\t%xmm1\t\t# 0 = sbet\n\tvtbl.8\td3, {q15}, d7\n\tvext.8\tq5, q5, q5, #12\t\t@ vpalignr \t$12,\t%xmm5,\t%xmm5,\t%xmm5\n\tveor\tq0, q0, q1\t\t@ vpxor\t\t%xmm1,\t%xmm0,\t%xmm0\t\t# 0 = ch\n\tsubs\tr8, r8, #1\t\t@ sub\t\t$1,%rax\t\t\t# nr--\n\n.Ldec_entry:\n\t@ top of round\n\tvand\tq1, q0, q9\t\t@ vpand\t\t%xmm9,\t%xmm0,\t%xmm1\t# 0 = k\n\tvshr.u8\tq0, q0, #4\t\t@ vpsrlb\t$4,\t%xmm0,\t%xmm0\t# 1 = i\n\tvtbl.8\td4, {q11}, d2\t@ vpshufb\t%xmm1,\t%xmm11,\t%xmm2\t# 2 = a/k\n\tvtbl.8\td5, {q11}, d3\n\tveor\tq1, q1, q0\t\t@ vpxor\t\t%xmm0,\t%xmm1,\t%xmm1\t# 0 = j\n\tvtbl.8\td6, {q10}, d0\t@ vpshufb\t%xmm0, \t%xmm10,\t%xmm3\t# 3 = 1/i\n\tvtbl.8\td7, {q10}, d1\n\tvtbl.8\td8, {q10}, d2\t@ vpshufb\t%xmm1,\t%xmm10,\t%xmm4\t# 4 = 1/j\n\tvtbl.8\td9, {q10}, d3\n\tveor\tq3, q3, q2\t\t@ vpxor\t\t%xmm2,\t%xmm3,\t%xmm3\t# 3 = iak = 1/i + a/k\n\tveor\tq4, q4, q2\t\t@ vpxor\t\t%xmm2, \t%xmm4,\t%xmm4\t# 4 = jak = 1/j + a/k\n\tvtbl.8\td4, {q10}, d6\t@ vpshufb\t%xmm3,\t%xmm10,\t%xmm2\t# 2 = 1/iak\n\tvtbl.8\td5, {q10}, d7\n\tvtbl.8\td6, {q10}, d8\t@ vpshufb\t%xmm4, %xmm10,\t%xmm3\t# 3 = 1/jak\n\tvtbl.8\td7, {q10}, d9\n\tveor\tq2, q2, q1\t\t@ vpxor\t\t%xmm1,\t%xmm2,\t%xmm2\t# 2 = io\n\tveor\tq3, q3, q0\t\t@ vpxor\t\t%xmm0, %xmm3,\t%xmm3\t# 3 = jo\n\tvld1.64\t{q0}, [r9]!\t\t@ vmovdqu\t(%r9),\t%xmm0\n\tbne\t.Ldec_loop\n\n\t@ middle of last round\n\n\tadr\tr10, .Lk_dsbo\n\n\t@ Write to q1 rather than q4 to avoid overlapping table and destination.\n\tvld1.64\t{q1}, [r10]!\t\t@ vmovdqa\t0x60(%r10),\t%xmm4\t# 3 : sbou\n\tvtbl.8\td8, {q1}, d4\t@ vpshufb\t%xmm2,\t%xmm4,\t%xmm4\t# 4 = sbou\n\tvtbl.8\td9, {q1}, d5\n\t@ Write to q2 rather than q1 to avoid overlapping table and destination.\n\tvld1.64\t{q2}, [r10]\t\t@ vmovdqa\t0x70(%r10),\t%xmm1\t# 0 : sbot\n\tvtbl.8\td2, {q2}, d6\t@ vpshufb\t%xmm3,\t%xmm1,\t%xmm1\t# 0 = sb1t\n\tvtbl.8\td3, {q2}, d7\n\tvld1.64\t{q2}, [r11]\t\t@ vmovdqa\t-0x160(%r11),\t%xmm2\t# .Lk_sr-.Lk_dsbd=-0x160\n\tveor\tq4, q4, q0\t\t@ vpxor\t\t%xmm0,\t%xmm4,\t%xmm4\t# 4 = sb1u + k\n\t@ Write to q1 rather than q0 so the table and destination registers\n\t@ below do not overlap.\n\tveor\tq1, q1, q4\t\t@ vpxor\t\t%xmm4,\t%xmm1,\t%xmm0\t# 0 = A\n\tvtbl.8\td0, {q1}, d4\t@ vpshufb\t%xmm2,\t%xmm0,\t%xmm0\n\tvtbl.8\td1, {q1}, d5\n\tbx\tlr\n.size\t_vpaes_decrypt_core,.-_vpaes_decrypt_core\n\n.globl\tvpaes_decrypt\n.hidden\tvpaes_decrypt\n.type\tvpaes_decrypt,%function\n.align\t4\nvpaes_decrypt:\n\t@ _vpaes_decrypt_core uses r7-r11.\n\tstmdb\tsp!, {r7,r8,r9,r10,r11,lr}\n\t@ _vpaes_decrypt_core uses q4-q5 (d8-d11), which are callee-saved.\n\tvstmdb\tsp!, {d8,d9,d10,d11}\n\n\tvld1.64\t{q0}, [r0]\n\tbl\t_vpaes_preheat\n\tbl\t_vpaes_decrypt_core\n\tvst1.64\t{q0}, [r1]\n\n\tvldmia\tsp!, {d8,d9,d10,d11}\n\tldmia\tsp!, {r7,r8,r9,r10,r11, pc}\t@ return\n.size\tvpaes_decrypt,.-vpaes_decrypt\n@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@\n@@ @@\n@@ AES key schedule @@\n@@ @@\n@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@\n\n@ This function diverges from both x86_64 and armv7 in which constants are\n@ pinned. x86_64 has a common preheat function for all operations. aarch64\n@ separates them because it has enough registers to pin nearly all constants.\n@ armv7 does not have enough registers, but needing explicit loads and stores\n@ also complicates using x86_64's register allocation directly.\n@\n@ We pin some constants for convenience and leave q14 and q15 free to load\n@ others on demand.\n\n@\n@ Key schedule constants\n@\n.type\t_vpaes_key_consts,%object\n.align\t4\n_vpaes_key_consts:\n.Lk_dksd:@ decryption key schedule: invskew x*D\n.quad\t0xFEB91A5DA3E44700, 0x0740E3A45A1DBEF9\n.quad\t0x41C277F4B5368300, 0x5FDC69EAAB289D1E\n.Lk_dksb:@ decryption key schedule: invskew x*B\n.quad\t0x9A4FCA1F8550D500, 0x03D653861CC94C99\n.quad\t0x115BEDA7B6FC4A00, 0xD993256F7E3482C8\n.Lk_dkse:@ decryption key schedule: invskew x*E + 0x63\n.quad\t0xD5031CCA1FC9D600, 0x53859A4C994F5086\n.quad\t0xA23196054FDC7BE8, 0xCD5EF96A20B31487\n.Lk_dks9:@ decryption key schedule: invskew x*9\n.quad\t0xB6116FC87ED9A700, 0x4AED933482255BFC\n.quad\t0x4576516227143300, 0x8BB89FACE9DAFDCE\n\n.Lk_rcon:@ rcon\n.quad\t0x1F8391B9AF9DEEB6, 0x702A98084D7C7D81\n\n.Lk_opt:@ output transform\n.quad\t0xFF9F4929D6B66000, 0xF7974121DEBE6808\n.quad\t0x01EDBD5150BCEC00, 0xE10D5DB1B05C0CE0\n.Lk_deskew:@ deskew tables: inverts the sbox's \"skew\"\n.quad\t0x07E4A34047A4E300, 0x1DFEB95A5DBEF91A\n.quad\t0x5F36B5DC83EA6900, 0x2841C2ABF49D1E77\n.size\t_vpaes_key_consts,.-_vpaes_key_consts\n\n.type\t_vpaes_key_preheat,%function\n.align\t4\n_vpaes_key_preheat:\n\tadr\tr11, .Lk_rcon\n\tvmov.i8\tq12, #0x5b\t\t\t@ .Lk_s63\n\tadr\tr10, .Lk_inv\t\t\t@ Must be aligned to 8 mod 16.\n\tvmov.i8\tq9, #0x0f\t\t\t@ .Lk_s0F\n\tvld1.64\t{q10,q11}, [r10]\t\t@ .Lk_inv\n\tvld1.64\t{q8}, [r11]\t\t\t@ .Lk_rcon\n\tbx\tlr\n.size\t_vpaes_key_preheat,.-_vpaes_key_preheat\n\n.type\t_vpaes_schedule_core,%function\n.align\t4\n_vpaes_schedule_core:\n\t@ We only need to save lr, but ARM requires an 8-byte stack alignment,\n\t@ so save an extra register.\n\tstmdb\tsp!, {r3,lr}\n\n\tbl\t_vpaes_key_preheat\t@ load the tables\n\n\tadr\tr11, .Lk_ipt\t\t@ Must be aligned to 8 mod 16.\n\tvld1.64\t{q0}, [r0]!\t\t@ vmovdqu\t(%rdi),\t%xmm0\t\t# load key (unaligned)\n\n\t@ input transform\n\t@ Use q4 here rather than q3 so .Lschedule_am_decrypting does not\n\t@ overlap table and destination.\n\tvmov\tq4, q0\t\t\t@ vmovdqa\t%xmm0,\t%xmm3\n\tbl\t_vpaes_schedule_transform\n\tadr\tr10, .Lk_sr\t\t@ Must be aligned to 8 mod 16.\n\tvmov\tq7, q0\t\t\t@ vmovdqa\t%xmm0,\t%xmm7\n\n\tadd\tr8, r8, r10\n\ttst\tr3, r3\n\tbne\t.Lschedule_am_decrypting\n\n\t@ encrypting, output zeroth round key after transform\n\tvst1.64\t{q0}, [r2]\t\t@ vmovdqu\t%xmm0,\t(%rdx)\n\tb\t.Lschedule_go\n\n.Lschedule_am_decrypting:\n\t@ decrypting, output zeroth round key after shiftrows\n\tvld1.64\t{q1}, [r8]\t\t@ vmovdqa\t(%r8,%r10),\t%xmm1\n\tvtbl.8\td6, {q4}, d2\t@ vpshufb \t%xmm1,\t%xmm3,\t%xmm3\n\tvtbl.8\td7, {q4}, d3\n\tvst1.64\t{q3}, [r2]\t\t@ vmovdqu\t%xmm3,\t(%rdx)\n\teor\tr8, r8, #0x30\t\t@ xor\t$0x30, %r8\n\n.Lschedule_go:\n\tcmp\tr1, #192\t\t@ cmp\t$192,\t%esi\n\tbhi\t.Lschedule_256\n\tbeq\t.Lschedule_192\n\t@ 128: fall though\n\n@@\n@@ .schedule_128\n@@\n@@ 128-bit specific part of key schedule.\n@@\n@@ This schedule is really simple, because all its parts\n@@ are accomplished by the subroutines.\n@@\n.Lschedule_128:\n\tmov\tr0, #10\t\t@ mov\t$10, %esi\n\n.Loop_schedule_128:\n\tbl\t_vpaes_schedule_round\n\tsubs\tr0, r0, #1\t\t@ dec\t%esi\n\tbeq\t.Lschedule_mangle_last\n\tbl\t_vpaes_schedule_mangle\t@ write output\n\tb\t.Loop_schedule_128\n\n@@\n@@ .aes_schedule_192\n@@\n@@ 192-bit specific part of key schedule.\n@@\n@@ The main body of this schedule is the same as the 128-bit\n@@ schedule, but with more smearing. The long, high side is\n@@ stored in q7 as before, and the short, low side is in\n@@ the high bits of q6.\n@@\n@@ This schedule is somewhat nastier, however, because each\n@@ round produces 192 bits of key material, or 1.5 round keys.\n@@ Therefore, on each cycle we do 2 rounds and produce 3 round\n@@ keys.\n@@\n.align\t4\n.Lschedule_192:\n\tsub\tr0, r0, #8\n\tvld1.64\t{q0}, [r0]\t\t\t@ vmovdqu\t8(%rdi),%xmm0\t\t# load key part 2 (very unaligned)\n\tbl\t_vpaes_schedule_transform\t@ input transform\n\tvmov\tq6, q0\t\t\t\t@ vmovdqa\t%xmm0,\t%xmm6\t\t# save short part\n\tvmov.i8\td12, #0\t\t\t@ vpxor\t%xmm4,\t%xmm4, %xmm4\t# clear 4\n\t\t\t\t\t\t@ vmovhlps\t%xmm4,\t%xmm6,\t%xmm6\t\t# clobber low side with zeros\n\tmov\tr0, #4\t\t\t@ mov\t$4,\t%esi\n\n.Loop_schedule_192:\n\tbl\t_vpaes_schedule_round\n\tvext.8\tq0, q6, q0, #8\t\t\t@ vpalignr\t$8,%xmm6,%xmm0,%xmm0\n\tbl\t_vpaes_schedule_mangle\t\t@ save key n\n\tbl\t_vpaes_schedule_192_smear\n\tbl\t_vpaes_schedule_mangle\t\t@ save key n+1\n\tbl\t_vpaes_schedule_round\n\tsubs\tr0, r0, #1\t\t\t@ dec\t%esi\n\tbeq\t.Lschedule_mangle_last\n\tbl\t_vpaes_schedule_mangle\t\t@ save key n+2\n\tbl\t_vpaes_schedule_192_smear\n\tb\t.Loop_schedule_192\n\n@@\n@@ .aes_schedule_256\n@@\n@@ 256-bit specific part of key schedule.\n@@\n@@ The structure here is very similar to the 128-bit\n@@ schedule, but with an additional \"low side\" in\n@@ q6. The low side's rounds are the same as the\n@@ high side's, except no rcon and no rotation.\n@@\n.align\t4\n.Lschedule_256:\n\tvld1.64\t{q0}, [r0]\t\t\t@ vmovdqu\t16(%rdi),%xmm0\t\t# load key part 2 (unaligned)\n\tbl\t_vpaes_schedule_transform\t@ input transform\n\tmov\tr0, #7\t\t\t@ mov\t$7, %esi\n\n.Loop_schedule_256:\n\tbl\t_vpaes_schedule_mangle\t\t@ output low result\n\tvmov\tq6, q0\t\t\t\t@ vmovdqa\t%xmm0,\t%xmm6\t\t# save cur_lo in xmm6\n\n\t@ high round\n\tbl\t_vpaes_schedule_round\n\tsubs\tr0, r0, #1\t\t\t@ dec\t%esi\n\tbeq\t.Lschedule_mangle_last\n\tbl\t_vpaes_schedule_mangle\n\n\t@ low round. swap xmm7 and xmm6\n\tvdup.32\tq0, d1[1]\t\t@ vpshufd\t$0xFF,\t%xmm0,\t%xmm0\n\tvmov.i8\tq4, #0\n\tvmov\tq5, q7\t\t\t@ vmovdqa\t%xmm7,\t%xmm5\n\tvmov\tq7, q6\t\t\t@ vmovdqa\t%xmm6,\t%xmm7\n\tbl\t_vpaes_schedule_low_round\n\tvmov\tq7, q5\t\t\t@ vmovdqa\t%xmm5,\t%xmm7\n\n\tb\t.Loop_schedule_256\n\n@@\n@@ .aes_schedule_mangle_last\n@@\n@@ Mangler for last round of key schedule\n@@ Mangles q0\n@@ when encrypting, outputs out(q0) ^ 63\n@@ when decrypting, outputs unskew(q0)\n@@\n@@ Always called right before return... jumps to cleanup and exits\n@@\n.align\t4\n.Lschedule_mangle_last:\n\t@ schedule last round key from xmm0\n\tadr\tr11, .Lk_deskew\t\t\t@ lea\t.Lk_deskew(%rip),%r11\t# prepare to deskew\n\ttst\tr3, r3\n\tbne\t.Lschedule_mangle_last_dec\n\n\t@ encrypting\n\tvld1.64\t{q1}, [r8]\t\t@ vmovdqa\t(%r8,%r10),%xmm1\n\tadr\tr11, .Lk_opt\t\t@ lea\t\t.Lk_opt(%rip),\t%r11\t\t# prepare to output transform\n\tadd\tr2, r2, #32\t\t@ add\t\t$32,\t%rdx\n\tvmov\tq2, q0\n\tvtbl.8\td0, {q2}, d2\t@ vpshufb\t%xmm1,\t%xmm0,\t%xmm0\t\t# output permute\n\tvtbl.8\td1, {q2}, d3\n\n.Lschedule_mangle_last_dec:\n\tsub\tr2, r2, #16\t\t\t@ add\t$-16,\t%rdx\n\tveor\tq0, q0, q12\t\t\t@ vpxor\t.Lk_s63(%rip),\t%xmm0,\t%xmm0\n\tbl\t_vpaes_schedule_transform\t@ output transform\n\tvst1.64\t{q0}, [r2]\t\t\t@ vmovdqu\t%xmm0,\t(%rdx)\t\t# save last key\n\n\t@ cleanup\n\tveor\tq0, q0, q0\t\t@ vpxor\t%xmm0,\t%xmm0,\t%xmm0\n\tveor\tq1, q1, q1\t\t@ vpxor\t%xmm1,\t%xmm1,\t%xmm1\n\tveor\tq2, q2, q2\t\t@ vpxor\t%xmm2,\t%xmm2,\t%xmm2\n\tveor\tq3, q3, q3\t\t@ vpxor\t%xmm3,\t%xmm3,\t%xmm3\n\tveor\tq4, q4, q4\t\t@ vpxor\t%xmm4,\t%xmm4,\t%xmm4\n\tveor\tq5, q5, q5\t\t@ vpxor\t%xmm5,\t%xmm5,\t%xmm5\n\tveor\tq6, q6, q6\t\t@ vpxor\t%xmm6,\t%xmm6,\t%xmm6\n\tveor\tq7, q7, q7\t\t@ vpxor\t%xmm7,\t%xmm7,\t%xmm7\n\tldmia\tsp!, {r3,pc}\t\t@ return\n.size\t_vpaes_schedule_core,.-_vpaes_schedule_core\n\n@@\n@@ .aes_schedule_192_smear\n@@\n@@ Smear the short, low side in the 192-bit key schedule.\n@@\n@@ Inputs:\n@@ q7: high side, b a x y\n@@ q6: low side, d c 0 0\n@@\n@@ Outputs:\n@@ q6: b+c+d b+c 0 0\n@@ q0: b+c+d b+c b a\n@@\n.type\t_vpaes_schedule_192_smear,%function\n.align\t4\n_vpaes_schedule_192_smear:\n\tvmov.i8\tq1, #0\n\tvdup.32\tq0, d15[1]\n\tvshl.i64\tq1, q6, #32\t\t@ vpshufd\t$0x80,\t%xmm6,\t%xmm1\t# d c 0 0 -> c 0 0 0\n\tvmov\td0, d15\t\t@ vpshufd\t$0xFE,\t%xmm7,\t%xmm0\t# b a _ _ -> b b b a\n\tveor\tq6, q6, q1\t\t@ vpxor\t%xmm1,\t%xmm6,\t%xmm6\t# -> c+d c 0 0\n\tveor\tq1, q1, q1\t\t@ vpxor\t%xmm1,\t%xmm1,\t%xmm1\n\tveor\tq6, q6, q0\t\t@ vpxor\t%xmm0,\t%xmm6,\t%xmm6\t# -> b+c+d b+c b a\n\tvmov\tq0, q6\t\t\t@ vmovdqa\t%xmm6,\t%xmm0\n\tvmov\td12, d2\t\t@ vmovhlps\t%xmm1,\t%xmm6,\t%xmm6\t# clobber low side with zeros\n\tbx\tlr\n.size\t_vpaes_schedule_192_smear,.-_vpaes_schedule_192_smear\n\n@@\n@@ .aes_schedule_round\n@@\n@@ Runs one main round of the key schedule on q0, q7\n@@\n@@ Specifically, runs subbytes on the high dword of q0\n@@ then rotates it by one byte and xors into the low dword of\n@@ q7.\n@@\n@@ Adds rcon from low byte of q8, then rotates q8 for\n@@ next rcon.\n@@\n@@ Smears the dwords of q7 by xoring the low into the\n@@ second low, result into third, result into highest.\n@@\n@@ Returns results in q7 = q0.\n@@ Clobbers q1-q4, r11.\n@@\n.type\t_vpaes_schedule_round,%function\n.align\t4\n_vpaes_schedule_round:\n\t@ extract rcon from xmm8\n\tvmov.i8\tq4, #0\t\t\t\t@ vpxor\t\t%xmm4,\t%xmm4,\t%xmm4\n\tvext.8\tq1, q8, q4, #15\t\t@ vpalignr\t$15,\t%xmm8,\t%xmm4,\t%xmm1\n\tvext.8\tq8, q8, q8, #15\t@ vpalignr\t$15,\t%xmm8,\t%xmm8,\t%xmm8\n\tveor\tq7, q7, q1\t\t\t@ vpxor\t\t%xmm1,\t%xmm7,\t%xmm7\n\n\t@ rotate\n\tvdup.32\tq0, d1[1]\t\t\t@ vpshufd\t$0xFF,\t%xmm0,\t%xmm0\n\tvext.8\tq0, q0, q0, #1\t\t\t@ vpalignr\t$1,\t%xmm0,\t%xmm0,\t%xmm0\n\n\t@ fall through...\n\n\t@ low round: same as high round, but no rotation and no rcon.\n_vpaes_schedule_low_round:\n\t@ The x86_64 version pins .Lk_sb1 in %xmm13 and .Lk_sb1+16 in %xmm12.\n\t@ We pin other values in _vpaes_key_preheat, so load them now.\n\tadr\tr11, .Lk_sb1\n\tvld1.64\t{q14,q15}, [r11]\n\n\t@ smear xmm7\n\tvext.8\tq1, q4, q7, #12\t\t\t@ vpslldq\t$4,\t%xmm7,\t%xmm1\n\tveor\tq7, q7, q1\t\t\t@ vpxor\t%xmm1,\t%xmm7,\t%xmm7\n\tvext.8\tq4, q4, q7, #8\t\t\t@ vpslldq\t$8,\t%xmm7,\t%xmm4\n\n\t@ subbytes\n\tvand\tq1, q0, q9\t\t\t@ vpand\t\t%xmm9,\t%xmm0,\t%xmm1\t\t# 0 = k\n\tvshr.u8\tq0, q0, #4\t\t\t@ vpsrlb\t$4,\t%xmm0,\t%xmm0\t\t# 1 = i\n\tveor\tq7, q7, q4\t\t\t@ vpxor\t\t%xmm4,\t%xmm7,\t%xmm7\n\tvtbl.8\td4, {q11}, d2\t\t@ vpshufb\t%xmm1,\t%xmm11,\t%xmm2\t\t# 2 = a/k\n\tvtbl.8\td5, {q11}, d3\n\tveor\tq1, q1, q0\t\t\t@ vpxor\t\t%xmm0,\t%xmm1,\t%xmm1\t\t# 0 = j\n\tvtbl.8\td6, {q10}, d0\t\t@ vpshufb\t%xmm0, \t%xmm10,\t%xmm3\t\t# 3 = 1/i\n\tvtbl.8\td7, {q10}, d1\n\tveor\tq3, q3, q2\t\t\t@ vpxor\t\t%xmm2,\t%xmm3,\t%xmm3\t\t# 3 = iak = 1/i + a/k\n\tvtbl.8\td8, {q10}, d2\t\t@ vpshufb\t%xmm1,\t%xmm10,\t%xmm4\t\t# 4 = 1/j\n\tvtbl.8\td9, {q10}, d3\n\tveor\tq7, q7, q12\t\t\t@ vpxor\t\t.Lk_s63(%rip),\t%xmm7,\t%xmm7\n\tvtbl.8\td6, {q10}, d6\t\t@ vpshufb\t%xmm3,\t%xmm10,\t%xmm3\t\t# 2 = 1/iak\n\tvtbl.8\td7, {q10}, d7\n\tveor\tq4, q4, q2\t\t\t@ vpxor\t\t%xmm2,\t%xmm4,\t%xmm4\t\t# 4 = jak = 1/j + a/k\n\tvtbl.8\td4, {q10}, d8\t\t@ vpshufb\t%xmm4,\t%xmm10,\t%xmm2\t\t# 3 = 1/jak\n\tvtbl.8\td5, {q10}, d9\n\tveor\tq3, q3, q1\t\t\t@ vpxor\t\t%xmm1,\t%xmm3,\t%xmm3\t\t# 2 = io\n\tveor\tq2, q2, q0\t\t\t@ vpxor\t\t%xmm0,\t%xmm2,\t%xmm2\t\t# 3 = jo\n\tvtbl.8\td8, {q15}, d6\t\t@ vpshufb\t%xmm3,\t%xmm13,\t%xmm4\t\t# 4 = sbou\n\tvtbl.8\td9, {q15}, d7\n\tvtbl.8\td2, {q14}, d4\t\t@ vpshufb\t%xmm2,\t%xmm12,\t%xmm1\t\t# 0 = sb1t\n\tvtbl.8\td3, {q14}, d5\n\tveor\tq1, q1, q4\t\t\t@ vpxor\t\t%xmm4,\t%xmm1,\t%xmm1\t\t# 0 = sbox output\n\n\t@ add in smeared stuff\n\tveor\tq0, q1, q7\t\t\t@ vpxor\t%xmm7,\t%xmm1,\t%xmm0\n\tveor\tq7, q1, q7\t\t\t@ vmovdqa\t%xmm0,\t%xmm7\n\tbx\tlr\n.size\t_vpaes_schedule_round,.-_vpaes_schedule_round\n\n@@\n@@ .aes_schedule_transform\n@@\n@@ Linear-transform q0 according to tables at [r11]\n@@\n@@ Requires that q9 = 0x0F0F... as in preheat\n@@ Output in q0\n@@ Clobbers q1, q2, q14, q15\n@@\n.type\t_vpaes_schedule_transform,%function\n.align\t4\n_vpaes_schedule_transform:\n\tvld1.64\t{q14,q15}, [r11]\t@ vmovdqa\t(%r11),\t%xmm2 \t# lo\n\t\t\t\t\t@ vmovdqa\t16(%r11),\t%xmm1 # hi\n\tvand\tq1, q0, q9\t\t@ vpand\t%xmm9,\t%xmm0,\t%xmm1\n\tvshr.u8\tq0, q0, #4\t\t@ vpsrlb\t$4,\t%xmm0,\t%xmm0\n\tvtbl.8\td4, {q14}, d2\t@ vpshufb\t%xmm1,\t%xmm2,\t%xmm2\n\tvtbl.8\td5, {q14}, d3\n\tvtbl.8\td0, {q15}, d0\t@ vpshufb\t%xmm0,\t%xmm1,\t%xmm0\n\tvtbl.8\td1, {q15}, d1\n\tveor\tq0, q0, q2\t\t@ vpxor\t%xmm2,\t%xmm0,\t%xmm0\n\tbx\tlr\n.size\t_vpaes_schedule_transform,.-_vpaes_schedule_transform\n\n@@\n@@ .aes_schedule_mangle\n@@\n@@ Mangles q0 from (basis-transformed) standard version\n@@ to our version.\n@@\n@@ On encrypt,\n@@ xor with 0x63\n@@ multiply by circulant 0,1,1,1\n@@ apply shiftrows transform\n@@\n@@ On decrypt,\n@@ xor with 0x63\n@@ multiply by \"inverse mixcolumns\" circulant E,B,D,9\n@@ deskew\n@@ apply shiftrows transform\n@@\n@@\n@@ Writes out to [r2], and increments or decrements it\n@@ Keeps track of round number mod 4 in r8\n@@ Preserves q0\n@@ Clobbers q1-q5\n@@\n.type\t_vpaes_schedule_mangle,%function\n.align\t4\n_vpaes_schedule_mangle:\n\ttst\tr3, r3\n\tvmov\tq4, q0\t\t\t@ vmovdqa\t%xmm0,\t%xmm4\t# save xmm0 for later\n\tadr\tr11, .Lk_mc_forward\t@ Must be aligned to 8 mod 16.\n\tvld1.64\t{q5}, [r11]\t\t@ vmovdqa\t.Lk_mc_forward(%rip),%xmm5\n\tbne\t.Lschedule_mangle_dec\n\n\t@ encrypting\n\t@ Write to q2 so we do not overlap table and destination below.\n\tveor\tq2, q0, q12\t\t@ vpxor\t\t.Lk_s63(%rip),\t%xmm0,\t%xmm4\n\tadd\tr2, r2, #16\t\t@ add\t\t$16,\t%rdx\n\tvtbl.8\td8, {q2}, d10\t@ vpshufb\t%xmm5,\t%xmm4,\t%xmm4\n\tvtbl.8\td9, {q2}, d11\n\tvtbl.8\td2, {q4}, d10\t@ vpshufb\t%xmm5,\t%xmm4,\t%xmm1\n\tvtbl.8\td3, {q4}, d11\n\tvtbl.8\td6, {q1}, d10\t@ vpshufb\t%xmm5,\t%xmm1,\t%xmm3\n\tvtbl.8\td7, {q1}, d11\n\tveor\tq4, q4, q1\t\t@ vpxor\t\t%xmm1,\t%xmm4,\t%xmm4\n\tvld1.64\t{q1}, [r8]\t\t@ vmovdqa\t(%r8,%r10),\t%xmm1\n\tveor\tq3, q3, q4\t\t@ vpxor\t\t%xmm4,\t%xmm3,\t%xmm3\n\n\tb\t.Lschedule_mangle_both\n.align\t4\n.Lschedule_mangle_dec:\n\t@ inverse mix columns\n\tadr\tr11, .Lk_dksd \t\t@ lea\t\t.Lk_dksd(%rip),%r11\n\tvshr.u8\tq1, q4, #4\t\t@ vpsrlb\t$4,\t%xmm4,\t%xmm1\t# 1 = hi\n\tvand\tq4, q4, q9\t\t@ vpand\t\t%xmm9,\t%xmm4,\t%xmm4\t# 4 = lo\n\n\tvld1.64\t{q14,q15}, [r11]! \t@ vmovdqa\t0x00(%r11),\t%xmm2\n\t\t\t\t\t@ vmovdqa\t0x10(%r11),\t%xmm3\n\tvtbl.8\td4, {q14}, d8\t@ vpshufb\t%xmm4,\t%xmm2,\t%xmm2\n\tvtbl.8\td5, {q14}, d9\n\tvtbl.8\td6, {q15}, d2\t@ vpshufb\t%xmm1,\t%xmm3,\t%xmm3\n\tvtbl.8\td7, {q15}, d3\n\t@ Load .Lk_dksb ahead of time.\n\tvld1.64\t{q14,q15}, [r11]! \t@ vmovdqa\t0x20(%r11),\t%xmm2\n\t\t\t\t\t@ vmovdqa\t0x30(%r11),\t%xmm3\n\t@ Write to q13 so we do not overlap table and destination.\n\tveor\tq13, q3, q2\t\t@ vpxor\t\t%xmm2,\t%xmm3,\t%xmm3\n\tvtbl.8\td6, {q13}, d10\t@ vpshufb\t%xmm5,\t%xmm3,\t%xmm3\n\tvtbl.8\td7, {q13}, d11\n\n\tvtbl.8\td4, {q14}, d8\t@ vpshufb\t%xmm4,\t%xmm2,\t%xmm2\n\tvtbl.8\td5, {q14}, d9\n\tveor\tq2, q2, q3\t\t@ vpxor\t\t%xmm3,\t%xmm2,\t%xmm2\n\tvtbl.8\td6, {q15}, d2\t@ vpshufb\t%xmm1,\t%xmm3,\t%xmm3\n\tvtbl.8\td7, {q15}, d3\n\t@ Load .Lk_dkse ahead of time.\n\tvld1.64\t{q14,q15}, [r11]! \t@ vmovdqa\t0x40(%r11),\t%xmm2\n\t\t\t\t\t@ vmovdqa\t0x50(%r11),\t%xmm3\n\t@ Write to q13 so we do not overlap table and destination.\n\tveor\tq13, q3, q2\t\t@ vpxor\t\t%xmm2,\t%xmm3,\t%xmm3\n\tvtbl.8\td6, {q13}, d10\t@ vpshufb\t%xmm5,\t%xmm3,\t%xmm3\n\tvtbl.8\td7, {q13}, d11\n\n\tvtbl.8\td4, {q14}, d8\t@ vpshufb\t%xmm4,\t%xmm2,\t%xmm2\n\tvtbl.8\td5, {q14}, d9\n\tveor\tq2, q2, q3\t\t@ vpxor\t\t%xmm3,\t%xmm2,\t%xmm2\n\tvtbl.8\td6, {q15}, d2\t@ vpshufb\t%xmm1,\t%xmm3,\t%xmm3\n\tvtbl.8\td7, {q15}, d3\n\t@ Load .Lk_dkse ahead of time.\n\tvld1.64\t{q14,q15}, [r11]! \t@ vmovdqa\t0x60(%r11),\t%xmm2\n\t\t\t\t\t@ vmovdqa\t0x70(%r11),\t%xmm4\n\t@ Write to q13 so we do not overlap table and destination.\n\tveor\tq13, q3, q2\t\t@ vpxor\t\t%xmm2,\t%xmm3,\t%xmm3\n\n\tvtbl.8\td4, {q14}, d8\t@ vpshufb\t%xmm4,\t%xmm2,\t%xmm2\n\tvtbl.8\td5, {q14}, d9\n\tvtbl.8\td6, {q13}, d10\t@ vpshufb\t%xmm5,\t%xmm3,\t%xmm3\n\tvtbl.8\td7, {q13}, d11\n\tvtbl.8\td8, {q15}, d2\t@ vpshufb\t%xmm1,\t%xmm4,\t%xmm4\n\tvtbl.8\td9, {q15}, d3\n\tvld1.64\t{q1}, [r8]\t\t@ vmovdqa\t(%r8,%r10),\t%xmm1\n\tveor\tq2, q2, q3\t\t@ vpxor\t%xmm3,\t%xmm2,\t%xmm2\n\tveor\tq3, q4, q2\t\t@ vpxor\t%xmm2,\t%xmm4,\t%xmm3\n\n\tsub\tr2, r2, #16\t\t@ add\t$-16,\t%rdx\n\n.Lschedule_mangle_both:\n\t@ Write to q2 so table and destination do not overlap.\n\tvtbl.8\td4, {q3}, d2\t@ vpshufb\t%xmm1,\t%xmm3,\t%xmm3\n\tvtbl.8\td5, {q3}, d3\n\tadd\tr8, r8, #64-16\t\t@ add\t$-16,\t%r8\n\tand\tr8, r8, #~(1<<6)\t@ and\t$0x30,\t%r8\n\tvst1.64\t{q2}, [r2]\t\t@ vmovdqu\t%xmm3,\t(%rdx)\n\tbx\tlr\n.size\t_vpaes_schedule_mangle,.-_vpaes_schedule_mangle\n\n.globl\tvpaes_set_encrypt_key\n.hidden\tvpaes_set_encrypt_key\n.type\tvpaes_set_encrypt_key,%function\n.align\t4\nvpaes_set_encrypt_key:\n\tstmdb\tsp!, {r7,r8,r9,r10,r11, lr}\n\tvstmdb\tsp!, {d8,d9,d10,d11,d12,d13,d14,d15}\n\n\tlsr\tr9, r1, #5\t\t@ shr\t$5,%eax\n\tadd\tr9, r9, #5\t\t@ $5,%eax\n\tstr\tr9, [r2,#240]\t\t@ mov\t%eax,240(%rdx)\t# AES_KEY->rounds = nbits/32+5;\n\n\tmov\tr3, #0\t\t@ mov\t$0,%ecx\n\tmov\tr8, #0x30\t\t@ mov\t$0x30,%r8d\n\tbl\t_vpaes_schedule_core\n\teor\tr0, r0, r0\n\n\tvldmia\tsp!, {d8,d9,d10,d11,d12,d13,d14,d15}\n\tldmia\tsp!, {r7,r8,r9,r10,r11, pc}\t@ return\n.size\tvpaes_set_encrypt_key,.-vpaes_set_encrypt_key\n\n.globl\tvpaes_set_decrypt_key\n.hidden\tvpaes_set_decrypt_key\n.type\tvpaes_set_decrypt_key,%function\n.align\t4\nvpaes_set_decrypt_key:\n\tstmdb\tsp!, {r7,r8,r9,r10,r11, lr}\n\tvstmdb\tsp!, {d8,d9,d10,d11,d12,d13,d14,d15}\n\n\tlsr\tr9, r1, #5\t\t@ shr\t$5,%eax\n\tadd\tr9, r9, #5\t\t@ $5,%eax\n\tstr\tr9, [r2,#240]\t\t@ mov\t%eax,240(%rdx)\t# AES_KEY->rounds = nbits/32+5;\n\tlsl\tr9, r9, #4\t\t@ shl\t$4,%eax\n\tadd\tr2, r2, #16\t\t@ lea\t16(%rdx,%rax),%rdx\n\tadd\tr2, r2, r9\n\n\tmov\tr3, #1\t\t@ mov\t$1,%ecx\n\tlsr\tr8, r1, #1\t\t@ shr\t$1,%r8d\n\tand\tr8, r8, #32\t\t@ and\t$32,%r8d\n\teor\tr8, r8, #32\t\t@ xor\t$32,%r8d\t# nbits==192?0:32\n\tbl\t_vpaes_schedule_core\n\n\tvldmia\tsp!, {d8,d9,d10,d11,d12,d13,d14,d15}\n\tldmia\tsp!, {r7,r8,r9,r10,r11, pc}\t@ return\n.size\tvpaes_set_decrypt_key,.-vpaes_set_decrypt_key\n\n@ Additional constants for converting to bsaes.\n.type\t_vpaes_convert_consts,%object\n.align\t4\n_vpaes_convert_consts:\n@ .Lk_opt_then_skew applies skew(opt(x)) XOR 0x63, where skew is the linear\n@ transform in the AES S-box. 0x63 is incorporated into the low half of the\n@ table. This was computed with the following script:\n@\n@ def u64s_to_u128(x, y):\n@ return x | (y << 64)\n@ def u128_to_u64s(w):\n@ return w & ((1<<64)-1), w >> 64\n@ def get_byte(w, i):\n@ return (w >> (i*8)) & 0xff\n@ def apply_table(table, b):\n@ lo = b & 0xf\n@ hi = b >> 4\n@ return get_byte(table[0], lo) ^ get_byte(table[1], hi)\n@ def opt(b):\n@ table = [\n@ u64s_to_u128(0xFF9F4929D6B66000, 0xF7974121DEBE6808),\n@ u64s_to_u128(0x01EDBD5150BCEC00, 0xE10D5DB1B05C0CE0),\n@ ]\n@ return apply_table(table, b)\n@ def rot_byte(b, n):\n@ return 0xff & ((b << n) | (b >> (8-n)))\n@ def skew(x):\n@ return (x ^ rot_byte(x, 1) ^ rot_byte(x, 2) ^ rot_byte(x, 3) ^\n@ rot_byte(x, 4))\n@ table = [0, 0]\n@ for i in range(16):\n@ table[0] |= (skew(opt(i)) ^ 0x63) << (i*8)\n@ table[1] |= skew(opt(i<<4)) << (i*8)\n@ print(\"\t.quad\t0x%016x, 0x%016x\" % u128_to_u64s(table[0]))\n@ print(\"\t.quad\t0x%016x, 0x%016x\" % u128_to_u64s(table[1]))\n.Lk_opt_then_skew:\n.quad\t0x9cb8436798bc4763, 0x6440bb9f6044bf9b\n.quad\t0x1f30062936192f00, 0xb49bad829db284ab\n\n@ .Lk_decrypt_transform is a permutation which performs an 8-bit left-rotation\n@ followed by a byte-swap on each 32-bit word of a vector. E.g., 0x11223344\n@ becomes 0x22334411 and then 0x11443322.\n.Lk_decrypt_transform:\n.quad\t0x0704050603000102, 0x0f0c0d0e0b08090a\n.size\t_vpaes_convert_consts,.-_vpaes_convert_consts\n\n@ void vpaes_encrypt_key_to_bsaes(AES_KEY *bsaes, const AES_KEY *vpaes);\n.globl\tvpaes_encrypt_key_to_bsaes\n.hidden\tvpaes_encrypt_key_to_bsaes\n.type\tvpaes_encrypt_key_to_bsaes,%function\n.align\t4\nvpaes_encrypt_key_to_bsaes:\n\tstmdb\tsp!, {r11, lr}\n\n\t@ See _vpaes_schedule_core for the key schedule logic. In particular,\n\t@ _vpaes_schedule_transform(.Lk_ipt) (section 2.2 of the paper),\n\t@ _vpaes_schedule_mangle (section 4.3), and .Lschedule_mangle_last\n\t@ contain the transformations not in the bsaes representation. This\n\t@ function inverts those transforms.\n\t@\n\t@ Note also that bsaes-armv7.pl expects aes-armv4.pl's key\n\t@ representation, which does not match the other aes_nohw_*\n\t@ implementations. The ARM aes_nohw_* stores each 32-bit word\n\t@ byteswapped, as a convenience for (unsupported) big-endian ARM, at the\n\t@ cost of extra REV and VREV32 operations in little-endian ARM.\n\n\tvmov.i8\tq9, #0x0f\t\t@ Required by _vpaes_schedule_transform\n\tadr\tr2, .Lk_mc_forward\t@ Must be aligned to 8 mod 16.\n\tadd\tr3, r2, 0x90\t\t@ .Lk_sr+0x10-.Lk_mc_forward = 0x90 (Apple's toolchain doesn't support the expression)\n\n\tvld1.64\t{q12}, [r2]\n\tvmov.i8\tq10, #0x5b\t\t@ .Lk_s63 from vpaes-x86_64\n\tadr\tr11, .Lk_opt\t\t@ Must be aligned to 8 mod 16.\n\tvmov.i8\tq11, #0x63\t\t@ .LK_s63 without .Lk_ipt applied\n\n\t@ vpaes stores one fewer round count than bsaes, but the number of keys\n\t@ is the same.\n\tldr\tr2, [r1,#240]\n\tadd\tr2, r2, #1\n\tstr\tr2, [r0,#240]\n\n\t@ The first key is transformed with _vpaes_schedule_transform(.Lk_ipt).\n\t@ Invert this with .Lk_opt.\n\tvld1.64\t{q0}, [r1]!\n\tbl\t_vpaes_schedule_transform\n\tvrev32.8\tq0, q0\n\tvst1.64\t{q0}, [r0]!\n\n\t@ The middle keys have _vpaes_schedule_transform(.Lk_ipt) applied,\n\t@ followed by _vpaes_schedule_mangle. _vpaes_schedule_mangle XORs 0x63,\n\t@ multiplies by the circulant 0,1,1,1, then applies ShiftRows.\n.Loop_enc_key_to_bsaes:\n\tvld1.64\t{q0}, [r1]!\n\n\t@ Invert the ShiftRows step (see .Lschedule_mangle_both). Note we cycle\n\t@ r3 in the opposite direction and start at .Lk_sr+0x10 instead of 0x30.\n\t@ We use r3 rather than r8 to avoid a callee-saved register.\n\tvld1.64\t{q1}, [r3]\n\tvtbl.8\td4, {q0}, d2\n\tvtbl.8\td5, {q0}, d3\n\tadd\tr3, r3, #16\n\tand\tr3, r3, #~(1<<6)\n\tvmov\tq0, q2\n\n\t@ Handle the last key differently.\n\tsubs\tr2, r2, #1\n\tbeq\t.Loop_enc_key_to_bsaes_last\n\n\t@ Multiply by the circulant. This is its own inverse.\n\tvtbl.8\td2, {q0}, d24\n\tvtbl.8\td3, {q0}, d25\n\tvmov\tq0, q1\n\tvtbl.8\td4, {q1}, d24\n\tvtbl.8\td5, {q1}, d25\n\tveor\tq0, q0, q2\n\tvtbl.8\td2, {q2}, d24\n\tvtbl.8\td3, {q2}, d25\n\tveor\tq0, q0, q1\n\n\t@ XOR and finish.\n\tveor\tq0, q0, q10\n\tbl\t_vpaes_schedule_transform\n\tvrev32.8\tq0, q0\n\tvst1.64\t{q0}, [r0]!\n\tb\t.Loop_enc_key_to_bsaes\n\n.Loop_enc_key_to_bsaes_last:\n\t@ The final key does not have a basis transform (note\n\t@ .Lschedule_mangle_last inverts the original transform). It only XORs\n\t@ 0x63 and applies ShiftRows. The latter was already inverted in the\n\t@ loop. Note that, because we act on the original representation, we use\n\t@ q11, not q10.\n\tveor\tq0, q0, q11\n\tvrev32.8\tq0, q0\n\tvst1.64\t{q0}, [r0]\n\n\t@ Wipe registers which contained key material.\n\tveor\tq0, q0, q0\n\tveor\tq1, q1, q1\n\tveor\tq2, q2, q2\n\n\tldmia\tsp!, {r11, pc}\t@ return\n.size\tvpaes_encrypt_key_to_bsaes,.-vpaes_encrypt_key_to_bsaes\n\n@ void vpaes_decrypt_key_to_bsaes(AES_KEY *vpaes, const AES_KEY *bsaes);\n.globl\tvpaes_decrypt_key_to_bsaes\n.hidden\tvpaes_decrypt_key_to_bsaes\n.type\tvpaes_decrypt_key_to_bsaes,%function\n.align\t4\nvpaes_decrypt_key_to_bsaes:\n\tstmdb\tsp!, {r11, lr}\n\n\t@ See _vpaes_schedule_core for the key schedule logic. Note vpaes\n\t@ computes the decryption key schedule in reverse. Additionally,\n\t@ aes-x86_64.pl shares some transformations, so we must only partially\n\t@ invert vpaes's transformations. In general, vpaes computes in a\n\t@ different basis (.Lk_ipt and .Lk_opt) and applies the inverses of\n\t@ MixColumns, ShiftRows, and the affine part of the AES S-box (which is\n\t@ split into a linear skew and XOR of 0x63). We undo all but MixColumns.\n\t@\n\t@ Note also that bsaes-armv7.pl expects aes-armv4.pl's key\n\t@ representation, which does not match the other aes_nohw_*\n\t@ implementations. The ARM aes_nohw_* stores each 32-bit word\n\t@ byteswapped, as a convenience for (unsupported) big-endian ARM, at the\n\t@ cost of extra REV and VREV32 operations in little-endian ARM.\n\n\tadr\tr2, .Lk_decrypt_transform\n\tadr\tr3, .Lk_sr+0x30\n\tadr\tr11, .Lk_opt_then_skew\t@ Input to _vpaes_schedule_transform.\n\tvld1.64\t{q12}, [r2]\t@ Reuse q12 from encryption.\n\tvmov.i8\tq9, #0x0f\t\t@ Required by _vpaes_schedule_transform\n\n\t@ vpaes stores one fewer round count than bsaes, but the number of keys\n\t@ is the same.\n\tldr\tr2, [r1,#240]\n\tadd\tr2, r2, #1\n\tstr\tr2, [r0,#240]\n\n\t@ Undo the basis change and reapply the S-box affine transform. See\n\t@ .Lschedule_mangle_last.\n\tvld1.64\t{q0}, [r1]!\n\tbl\t_vpaes_schedule_transform\n\tvrev32.8\tq0, q0\n\tvst1.64\t{q0}, [r0]!\n\n\t@ See _vpaes_schedule_mangle for the transform on the middle keys. Note\n\t@ it simultaneously inverts MixColumns and the S-box affine transform.\n\t@ See .Lk_dksd through .Lk_dks9.\n.Loop_dec_key_to_bsaes:\n\tvld1.64\t{q0}, [r1]!\n\n\t@ Invert the ShiftRows step (see .Lschedule_mangle_both). Note going\n\t@ forwards cancels inverting for which direction we cycle r3. We use r3\n\t@ rather than r8 to avoid a callee-saved register.\n\tvld1.64\t{q1}, [r3]\n\tvtbl.8\td4, {q0}, d2\n\tvtbl.8\td5, {q0}, d3\n\tadd\tr3, r3, #64-16\n\tand\tr3, r3, #~(1<<6)\n\tvmov\tq0, q2\n\n\t@ Handle the last key differently.\n\tsubs\tr2, r2, #1\n\tbeq\t.Loop_dec_key_to_bsaes_last\n\n\t@ Undo the basis change and reapply the S-box affine transform.\n\tbl\t_vpaes_schedule_transform\n\n\t@ Rotate each word by 8 bytes (cycle the rows) and then byte-swap. We\n\t@ combine the two operations in .Lk_decrypt_transform.\n\t@\n\t@ TODO(davidben): Where does the rotation come from?\n\tvtbl.8\td2, {q0}, d24\n\tvtbl.8\td3, {q0}, d25\n\n\tvst1.64\t{q1}, [r0]!\n\tb\t.Loop_dec_key_to_bsaes\n\n.Loop_dec_key_to_bsaes_last:\n\t@ The final key only inverts ShiftRows (already done in the loop). See\n\t@ .Lschedule_am_decrypting. Its basis is not transformed.\n\tvrev32.8\tq0, q0\n\tvst1.64\t{q0}, [r0]!\n\n\t@ Wipe registers which contained key material.\n\tveor\tq0, q0, q0\n\tveor\tq1, q1, q1\n\tveor\tq2, q2, q2\n\n\tldmia\tsp!, {r11, pc}\t@ return\n.size\tvpaes_decrypt_key_to_bsaes,.-vpaes_decrypt_key_to_bsaes\n.globl\tvpaes_ctr32_encrypt_blocks\n.hidden\tvpaes_ctr32_encrypt_blocks\n.type\tvpaes_ctr32_encrypt_blocks,%function\n.align\t4\nvpaes_ctr32_encrypt_blocks:\n\tmov\tip, sp\n\tstmdb\tsp!, {r7,r8,r9,r10,r11, lr}\n\t@ This function uses q4-q7 (d8-d15), which are callee-saved.\n\tvstmdb\tsp!, {d8,d9,d10,d11,d12,d13,d14,d15}\n\n\tcmp\tr2, #0\n\t@ r8 is passed on the stack.\n\tldr\tr8, [ip]\n\tbeq\t.Lctr32_done\n\n\t@ _vpaes_encrypt_core expects the key in r2, so swap r2 and r3.\n\tmov\tr9, r3\n\tmov\tr3, r2\n\tmov\tr2, r9\n\n\t@ Load the IV and counter portion.\n\tldr\tr7, [r8, #12]\n\tvld1.8\t{q7}, [r8]\n\n\tbl\t_vpaes_preheat\n\trev\tr7, r7\t\t@ The counter is big-endian.\n\n.Lctr32_loop:\n\tvmov\tq0, q7\n\tvld1.8\t{q6}, [r0]!\t\t@ .Load input ahead of time\n\tbl\t_vpaes_encrypt_core\n\tveor\tq0, q0, q6\t\t@ XOR input and result\n\tvst1.8\t{q0}, [r1]!\n\tsubs\tr3, r3, #1\n\t@ Update the counter.\n\tadd\tr7, r7, #1\n\trev\tr9, r7\n\tvmov.32\td15[1], r9\n\tbne\t.Lctr32_loop\n\n.Lctr32_done:\n\tvldmia\tsp!, {d8,d9,d10,d11,d12,d13,d14,d15}\n\tldmia\tsp!, {r7,r8,r9,r10,r11, pc}\t@ return\n.size\tvpaes_ctr32_encrypt_blocks,.-vpaes_ctr32_encrypt_blocks\n#endif // !OPENSSL_NO_ASM && defined(OPENSSL_ARM) && defined(__ELF__)\n#if defined(__linux__) && defined(__ELF__)\n.section .note.GNU-stack,\"\",%progbits\n#endif\n\n" }, { "path": "Sources/CNIOBoringSSL/gen/bcm/vpaes-armv8-apple.S", "content": "#define BORINGSSL_PREFIX CNIOBoringSSL\n// This file is generated from a similarly-named Perl script in the BoringSSL\n// source tree. Do not edit by hand.\n\n#include \n\n#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_AARCH64) && defined(__APPLE__)\n#include \n\n.section\t__TEXT,__const\n\n\n.align\t7\t// totally strategic alignment\n_vpaes_consts:\nLk_mc_forward:\t//\tmc_forward\n.quad\t0x0407060500030201, 0x0C0F0E0D080B0A09\n.quad\t0x080B0A0904070605, 0x000302010C0F0E0D\n.quad\t0x0C0F0E0D080B0A09, 0x0407060500030201\n.quad\t0x000302010C0F0E0D, 0x080B0A0904070605\nLk_mc_backward:\t//\tmc_backward\n.quad\t0x0605040702010003, 0x0E0D0C0F0A09080B\n.quad\t0x020100030E0D0C0F, 0x0A09080B06050407\n.quad\t0x0E0D0C0F0A09080B, 0x0605040702010003\n.quad\t0x0A09080B06050407, 0x020100030E0D0C0F\nLk_sr:\t//\tsr\n.quad\t0x0706050403020100, 0x0F0E0D0C0B0A0908\n.quad\t0x030E09040F0A0500, 0x0B06010C07020D08\n.quad\t0x0F060D040B020900, 0x070E050C030A0108\n.quad\t0x0B0E0104070A0D00, 0x0306090C0F020508\n\n//\n// \"Hot\" constants\n//\nLk_inv:\t//\tinv, inva\n.quad\t0x0E05060F0D080180, 0x040703090A0B0C02\n.quad\t0x01040A060F0B0780, 0x030D0E0C02050809\nLk_ipt:\t//\tinput transform (lo, hi)\n.quad\t0xC2B2E8985A2A7000, 0xCABAE09052227808\n.quad\t0x4C01307D317C4D00, 0xCD80B1FCB0FDCC81\nLk_sbo:\t//\tsbou, sbot\n.quad\t0xD0D26D176FBDC700, 0x15AABF7AC502A878\n.quad\t0xCFE474A55FBB6A00, 0x8E1E90D1412B35FA\nLk_sb1:\t//\tsb1u, sb1t\n.quad\t0x3618D415FAE22300, 0x3BF7CCC10D2ED9EF\n.quad\t0xB19BE18FCB503E00, 0xA5DF7A6E142AF544\nLk_sb2:\t//\tsb2u, sb2t\n.quad\t0x69EB88400AE12900, 0xC2A163C8AB82234A\n.quad\t0xE27A93C60B712400, 0x5EB7E955BC982FCD\n\n//\n// Decryption stuff\n//\nLk_dipt:\t//\tdecryption input transform\n.quad\t0x0F505B040B545F00, 0x154A411E114E451A\n.quad\t0x86E383E660056500, 0x12771772F491F194\nLk_dsbo:\t//\tdecryption sbox final output\n.quad\t0x1387EA537EF94000, 0xC7AA6DB9D4943E2D\n.quad\t0x12D7560F93441D00, 0xCA4B8159D8C58E9C\nLk_dsb9:\t//\tdecryption sbox output *9*u, *9*t\n.quad\t0x851C03539A86D600, 0xCAD51F504F994CC9\n.quad\t0xC03B1789ECD74900, 0x725E2C9EB2FBA565\nLk_dsbd:\t//\tdecryption sbox output *D*u, *D*t\n.quad\t0x7D57CCDFE6B1A200, 0xF56E9B13882A4439\n.quad\t0x3CE2FAF724C6CB00, 0x2931180D15DEEFD3\nLk_dsbb:\t//\tdecryption sbox output *B*u, *B*t\n.quad\t0xD022649296B44200, 0x602646F6B0F2D404\n.quad\t0xC19498A6CD596700, 0xF3FF0C3E3255AA6B\nLk_dsbe:\t//\tdecryption sbox output *E*u, *E*t\n.quad\t0x46F2929626D4D000, 0x2242600464B4F6B0\n.quad\t0x0C55A6CDFFAAC100, 0x9467F36B98593E32\n\n//\n// Key schedule constants\n//\nLk_dksd:\t//\tdecryption key schedule: invskew x*D\n.quad\t0xFEB91A5DA3E44700, 0x0740E3A45A1DBEF9\n.quad\t0x41C277F4B5368300, 0x5FDC69EAAB289D1E\nLk_dksb:\t//\tdecryption key schedule: invskew x*B\n.quad\t0x9A4FCA1F8550D500, 0x03D653861CC94C99\n.quad\t0x115BEDA7B6FC4A00, 0xD993256F7E3482C8\nLk_dkse:\t//\tdecryption key schedule: invskew x*E + 0x63\n.quad\t0xD5031CCA1FC9D600, 0x53859A4C994F5086\n.quad\t0xA23196054FDC7BE8, 0xCD5EF96A20B31487\nLk_dks9:\t//\tdecryption key schedule: invskew x*9\n.quad\t0xB6116FC87ED9A700, 0x4AED933482255BFC\n.quad\t0x4576516227143300, 0x8BB89FACE9DAFDCE\n\nLk_rcon:\t//\trcon\n.quad\t0x1F8391B9AF9DEEB6, 0x702A98084D7C7D81\n\nLk_opt:\t//\toutput transform\n.quad\t0xFF9F4929D6B66000, 0xF7974121DEBE6808\n.quad\t0x01EDBD5150BCEC00, 0xE10D5DB1B05C0CE0\nLk_deskew:\t//\tdeskew tables: inverts the sbox's \"skew\"\n.quad\t0x07E4A34047A4E300, 0x1DFEB95A5DBEF91A\n.quad\t0x5F36B5DC83EA6900, 0x2841C2ABF49D1E77\n\n.byte\t86,101,99,116,111,114,32,80,101,114,109,117,116,97,116,105,111,110,32,65,69,83,32,102,111,114,32,65,82,77,118,56,44,32,77,105,107,101,32,72,97,109,98,117,114,103,32,40,83,116,97,110,102,111,114,100,32,85,110,105,118,101,114,115,105,116,121,41,0\n.align\t2\n\n.align\t6\n\n.text\n##\n## _aes_preheat\n##\n## Fills register %r10 -> .aes_consts (so you can -fPIC)\n## and %xmm9-%xmm15 as specified below.\n##\n\n.align\t4\n_vpaes_encrypt_preheat:\n\tadrp\tx10, Lk_inv@PAGE\n\tadd\tx10, x10, Lk_inv@PAGEOFF\n\tmovi\tv17.16b, #0x0f\n\tld1\t{v18.2d,v19.2d}, [x10],#32\t// Lk_inv\n\tld1\t{v20.2d,v21.2d,v22.2d,v23.2d}, [x10],#64\t// Lk_ipt, Lk_sbo\n\tld1\t{v24.2d,v25.2d,v26.2d,v27.2d}, [x10]\t\t// Lk_sb1, Lk_sb2\n\tret\n\n\n##\n## _aes_encrypt_core\n##\n## AES-encrypt %xmm0.\n##\n## Inputs:\n## %xmm0 = input\n## %xmm9-%xmm15 as in _vpaes_preheat\n## (%rdx) = scheduled keys\n##\n## Output in %xmm0\n## Clobbers %xmm1-%xmm5, %r9, %r10, %r11, %rax\n## Preserves %xmm6 - %xmm8 so you get some local vectors\n##\n##\n\n.align\t4\n_vpaes_encrypt_core:\n\tmov\tx9, x2\n\tldr\tw8, [x2,#240]\t\t\t// pull rounds\n\tadrp\tx11, Lk_mc_forward@PAGE+16\n\tadd\tx11, x11, Lk_mc_forward@PAGEOFF+16\n\t\t\t\t\t\t// vmovdqa\t.Lk_ipt(%rip),\t%xmm2\t# iptlo\n\tld1\t{v16.2d}, [x9], #16\t\t// vmovdqu\t(%r9),\t%xmm5\t\t# round0 key\n\tand\tv1.16b, v7.16b, v17.16b\t\t// vpand\t%xmm9,\t%xmm0,\t%xmm1\n\tushr\tv0.16b, v7.16b, #4\t\t// vpsrlb\t$4,\t%xmm0,\t%xmm0\n\ttbl\tv1.16b, {v20.16b}, v1.16b\t// vpshufb\t%xmm1,\t%xmm2,\t%xmm1\n\t\t\t\t\t\t// vmovdqa\t.Lk_ipt+16(%rip), %xmm3\t# ipthi\n\ttbl\tv2.16b, {v21.16b}, v0.16b\t// vpshufb\t%xmm0,\t%xmm3,\t%xmm2\n\teor\tv0.16b, v1.16b, v16.16b\t\t// vpxor\t%xmm5,\t%xmm1,\t%xmm0\n\teor\tv0.16b, v0.16b, v2.16b\t\t// vpxor\t%xmm2,\t%xmm0,\t%xmm0\n\tb\tLenc_entry\n\n.align\t4\nLenc_loop:\n\t// middle of middle round\n\tadd\tx10, x11, #0x40\n\ttbl\tv4.16b, {v25.16b}, v2.16b\t\t// vpshufb\t%xmm2,\t%xmm13,\t%xmm4\t# 4 = sb1u\n\tld1\t{v1.2d}, [x11], #16\t\t// vmovdqa\t-0x40(%r11,%r10), %xmm1\t# Lk_mc_forward[]\n\ttbl\tv0.16b, {v24.16b}, v3.16b\t\t// vpshufb\t%xmm3,\t%xmm12,\t%xmm0\t# 0 = sb1t\n\teor\tv4.16b, v4.16b, v16.16b\t\t// vpxor\t%xmm5,\t%xmm4,\t%xmm4\t# 4 = sb1u + k\n\ttbl\tv5.16b,\t{v27.16b}, v2.16b\t\t// vpshufb\t%xmm2,\t%xmm15,\t%xmm5\t# 4 = sb2u\n\teor\tv0.16b, v0.16b, v4.16b\t\t// vpxor\t%xmm4,\t%xmm0,\t%xmm0\t# 0 = A\n\ttbl\tv2.16b, {v26.16b}, v3.16b\t\t// vpshufb\t%xmm3,\t%xmm14,\t%xmm2\t# 2 = sb2t\n\tld1\t{v4.2d}, [x10]\t\t\t// vmovdqa\t(%r11,%r10), %xmm4\t# Lk_mc_backward[]\n\ttbl\tv3.16b, {v0.16b}, v1.16b\t// vpshufb\t%xmm1,\t%xmm0,\t%xmm3\t# 0 = B\n\teor\tv2.16b, v2.16b, v5.16b\t\t// vpxor\t%xmm5,\t%xmm2,\t%xmm2\t# 2 = 2A\n\ttbl\tv0.16b, {v0.16b}, v4.16b\t// vpshufb\t%xmm4,\t%xmm0,\t%xmm0\t# 3 = D\n\teor\tv3.16b, v3.16b, v2.16b\t\t// vpxor\t%xmm2,\t%xmm3,\t%xmm3\t# 0 = 2A+B\n\ttbl\tv4.16b, {v3.16b}, v1.16b\t// vpshufb\t%xmm1,\t%xmm3,\t%xmm4\t# 0 = 2B+C\n\teor\tv0.16b, v0.16b, v3.16b\t\t// vpxor\t%xmm3,\t%xmm0,\t%xmm0\t# 3 = 2A+B+D\n\tand\tx11, x11, #~(1<<6)\t\t// and\t\t$0x30,\t%r11\t\t# ... mod 4\n\teor\tv0.16b, v0.16b, v4.16b\t\t// vpxor\t%xmm4,\t%xmm0, %xmm0\t# 0 = 2A+3B+C+D\n\tsub\tw8, w8, #1\t\t\t// nr--\n\nLenc_entry:\n\t// top of round\n\tand\tv1.16b, v0.16b, v17.16b\t\t// vpand\t%xmm0,\t%xmm9,\t%xmm1 # 0 = k\n\tushr\tv0.16b, v0.16b, #4\t\t// vpsrlb\t$4,\t%xmm0,\t%xmm0\t# 1 = i\n\ttbl\tv5.16b, {v19.16b}, v1.16b\t// vpshufb\t%xmm1,\t%xmm11,\t%xmm5\t# 2 = a/k\n\teor\tv1.16b, v1.16b, v0.16b\t\t// vpxor\t%xmm0,\t%xmm1,\t%xmm1\t# 0 = j\n\ttbl\tv3.16b, {v18.16b}, v0.16b\t// vpshufb\t%xmm0, \t%xmm10,\t%xmm3 \t# 3 = 1/i\n\ttbl\tv4.16b, {v18.16b}, v1.16b\t// vpshufb\t%xmm1, \t%xmm10,\t%xmm4 \t# 4 = 1/j\n\teor\tv3.16b, v3.16b, v5.16b\t\t// vpxor\t%xmm5,\t%xmm3,\t%xmm3\t# 3 = iak = 1/i + a/k\n\teor\tv4.16b, v4.16b, v5.16b\t\t// vpxor\t%xmm5,\t%xmm4,\t%xmm4 \t# 4 = jak = 1/j + a/k\n\ttbl\tv2.16b, {v18.16b}, v3.16b\t// vpshufb\t%xmm3,\t%xmm10,\t%xmm2 \t# 2 = 1/iak\n\ttbl\tv3.16b, {v18.16b}, v4.16b\t// vpshufb\t%xmm4,\t%xmm10,\t%xmm3\t# 3 = 1/jak\n\teor\tv2.16b, v2.16b, v1.16b\t\t// vpxor\t%xmm1,\t%xmm2,\t%xmm2 \t# 2 = io\n\teor\tv3.16b, v3.16b, v0.16b\t\t// vpxor\t%xmm0,\t%xmm3,\t%xmm3\t# 3 = jo\n\tld1\t{v16.2d}, [x9],#16\t\t// vmovdqu\t(%r9),\t%xmm5\n\tcbnz\tw8, Lenc_loop\n\n\t// middle of last round\n\tadd\tx10, x11, #0x80\n\t\t\t\t\t\t// vmovdqa\t-0x60(%r10), %xmm4\t# 3 : sbou\t.Lk_sbo\n\t\t\t\t\t\t// vmovdqa\t-0x50(%r10), %xmm0\t# 0 : sbot\t.Lk_sbo+16\n\ttbl\tv4.16b, {v22.16b}, v2.16b\t\t// vpshufb\t%xmm2,\t%xmm4,\t%xmm4\t# 4 = sbou\n\tld1\t{v1.2d}, [x10]\t\t\t// vmovdqa\t0x40(%r11,%r10), %xmm1\t# Lk_sr[]\n\ttbl\tv0.16b, {v23.16b}, v3.16b\t\t// vpshufb\t%xmm3,\t%xmm0,\t%xmm0\t# 0 = sb1t\n\teor\tv4.16b, v4.16b, v16.16b\t\t// vpxor\t%xmm5,\t%xmm4,\t%xmm4\t# 4 = sb1u + k\n\teor\tv0.16b, v0.16b, v4.16b\t\t// vpxor\t%xmm4,\t%xmm0,\t%xmm0\t# 0 = A\n\ttbl\tv0.16b, {v0.16b}, v1.16b\t// vpshufb\t%xmm1,\t%xmm0,\t%xmm0\n\tret\n\n\n.globl\t_vpaes_encrypt\n.private_extern\t_vpaes_encrypt\n\n.align\t4\n_vpaes_encrypt:\n\tAARCH64_SIGN_LINK_REGISTER\n\tstp\tx29,x30,[sp,#-16]!\n\tadd\tx29,sp,#0\n\n\tld1\t{v7.16b}, [x0]\n\tbl\t_vpaes_encrypt_preheat\n\tbl\t_vpaes_encrypt_core\n\tst1\t{v0.16b}, [x1]\n\n\tldp\tx29,x30,[sp],#16\n\tAARCH64_VALIDATE_LINK_REGISTER\n\tret\n\n\n\n.align\t4\n_vpaes_encrypt_2x:\n\tmov\tx9, x2\n\tldr\tw8, [x2,#240]\t\t\t// pull rounds\n\tadrp\tx11, Lk_mc_forward@PAGE+16\n\tadd\tx11, x11, Lk_mc_forward@PAGEOFF+16\n\t\t\t\t\t\t// vmovdqa\t.Lk_ipt(%rip),\t%xmm2\t# iptlo\n\tld1\t{v16.2d}, [x9], #16\t\t// vmovdqu\t(%r9),\t%xmm5\t\t# round0 key\n\tand\tv1.16b, v14.16b, v17.16b\t// vpand\t%xmm9,\t%xmm0,\t%xmm1\n\tushr\tv0.16b, v14.16b, #4\t\t// vpsrlb\t$4,\t%xmm0,\t%xmm0\n\tand\tv9.16b, v15.16b, v17.16b\n\tushr\tv8.16b, v15.16b, #4\n\ttbl\tv1.16b, {v20.16b}, v1.16b\t// vpshufb\t%xmm1,\t%xmm2,\t%xmm1\n\ttbl\tv9.16b, {v20.16b}, v9.16b\n\t\t\t\t\t\t// vmovdqa\t.Lk_ipt+16(%rip), %xmm3\t# ipthi\n\ttbl\tv2.16b, {v21.16b}, v0.16b\t// vpshufb\t%xmm0,\t%xmm3,\t%xmm2\n\ttbl\tv10.16b, {v21.16b}, v8.16b\n\teor\tv0.16b, v1.16b, v16.16b\t// vpxor\t%xmm5,\t%xmm1,\t%xmm0\n\teor\tv8.16b, v9.16b, v16.16b\n\teor\tv0.16b, v0.16b, v2.16b\t// vpxor\t%xmm2,\t%xmm0,\t%xmm0\n\teor\tv8.16b, v8.16b, v10.16b\n\tb\tLenc_2x_entry\n\n.align\t4\nLenc_2x_loop:\n\t// middle of middle round\n\tadd\tx10, x11, #0x40\n\ttbl\tv4.16b, {v25.16b}, v2.16b\t// vpshufb\t%xmm2,\t%xmm13,\t%xmm4\t# 4 = sb1u\n\ttbl\tv12.16b, {v25.16b}, v10.16b\n\tld1\t{v1.2d}, [x11], #16\t\t// vmovdqa\t-0x40(%r11,%r10), %xmm1\t# Lk_mc_forward[]\n\ttbl\tv0.16b, {v24.16b}, v3.16b\t// vpshufb\t%xmm3,\t%xmm12,\t%xmm0\t# 0 = sb1t\n\ttbl\tv8.16b, {v24.16b}, v11.16b\n\teor\tv4.16b, v4.16b, v16.16b\t// vpxor\t%xmm5,\t%xmm4,\t%xmm4\t# 4 = sb1u + k\n\teor\tv12.16b, v12.16b, v16.16b\n\ttbl\tv5.16b,\t {v27.16b}, v2.16b\t// vpshufb\t%xmm2,\t%xmm15,\t%xmm5\t# 4 = sb2u\n\ttbl\tv13.16b, {v27.16b}, v10.16b\n\teor\tv0.16b, v0.16b, v4.16b\t// vpxor\t%xmm4,\t%xmm0,\t%xmm0\t# 0 = A\n\teor\tv8.16b, v8.16b, v12.16b\n\ttbl\tv2.16b, {v26.16b}, v3.16b\t// vpshufb\t%xmm3,\t%xmm14,\t%xmm2\t# 2 = sb2t\n\ttbl\tv10.16b, {v26.16b}, v11.16b\n\tld1\t{v4.2d}, [x10]\t\t\t// vmovdqa\t(%r11,%r10), %xmm4\t# Lk_mc_backward[]\n\ttbl\tv3.16b, {v0.16b}, v1.16b\t// vpshufb\t%xmm1,\t%xmm0,\t%xmm3\t# 0 = B\n\ttbl\tv11.16b, {v8.16b}, v1.16b\n\teor\tv2.16b, v2.16b, v5.16b\t// vpxor\t%xmm5,\t%xmm2,\t%xmm2\t# 2 = 2A\n\teor\tv10.16b, v10.16b, v13.16b\n\ttbl\tv0.16b, {v0.16b}, v4.16b\t// vpshufb\t%xmm4,\t%xmm0,\t%xmm0\t# 3 = D\n\ttbl\tv8.16b, {v8.16b}, v4.16b\n\teor\tv3.16b, v3.16b, v2.16b\t// vpxor\t%xmm2,\t%xmm3,\t%xmm3\t# 0 = 2A+B\n\teor\tv11.16b, v11.16b, v10.16b\n\ttbl\tv4.16b, {v3.16b}, v1.16b\t// vpshufb\t%xmm1,\t%xmm3,\t%xmm4\t# 0 = 2B+C\n\ttbl\tv12.16b, {v11.16b},v1.16b\n\teor\tv0.16b, v0.16b, v3.16b\t// vpxor\t%xmm3,\t%xmm0,\t%xmm0\t# 3 = 2A+B+D\n\teor\tv8.16b, v8.16b, v11.16b\n\tand\tx11, x11, #~(1<<6)\t\t// and\t\t$0x30,\t%r11\t\t# ... mod 4\n\teor\tv0.16b, v0.16b, v4.16b\t// vpxor\t%xmm4,\t%xmm0, %xmm0\t# 0 = 2A+3B+C+D\n\teor\tv8.16b, v8.16b, v12.16b\n\tsub\tw8, w8, #1\t\t\t// nr--\n\nLenc_2x_entry:\n\t// top of round\n\tand\tv1.16b, v0.16b, v17.16b\t// vpand\t%xmm0,\t%xmm9,\t%xmm1 # 0 = k\n\tushr\tv0.16b, v0.16b, #4\t\t// vpsrlb\t$4,\t%xmm0,\t%xmm0\t# 1 = i\n\tand\tv9.16b, v8.16b, v17.16b\n\tushr\tv8.16b, v8.16b, #4\n\ttbl\tv5.16b, {v19.16b},v1.16b\t// vpshufb\t%xmm1,\t%xmm11,\t%xmm5\t# 2 = a/k\n\ttbl\tv13.16b, {v19.16b},v9.16b\n\teor\tv1.16b, v1.16b, v0.16b\t// vpxor\t%xmm0,\t%xmm1,\t%xmm1\t# 0 = j\n\teor\tv9.16b, v9.16b, v8.16b\n\ttbl\tv3.16b, {v18.16b},v0.16b\t// vpshufb\t%xmm0, \t%xmm10,\t%xmm3 \t# 3 = 1/i\n\ttbl\tv11.16b, {v18.16b},v8.16b\n\ttbl\tv4.16b, {v18.16b},v1.16b\t// vpshufb\t%xmm1, \t%xmm10,\t%xmm4 \t# 4 = 1/j\n\ttbl\tv12.16b, {v18.16b},v9.16b\n\teor\tv3.16b, v3.16b, v5.16b\t// vpxor\t%xmm5,\t%xmm3,\t%xmm3\t# 3 = iak = 1/i + a/k\n\teor\tv11.16b, v11.16b, v13.16b\n\teor\tv4.16b, v4.16b, v5.16b\t// vpxor\t%xmm5,\t%xmm4,\t%xmm4 \t# 4 = jak = 1/j + a/k\n\teor\tv12.16b, v12.16b, v13.16b\n\ttbl\tv2.16b, {v18.16b},v3.16b\t// vpshufb\t%xmm3,\t%xmm10,\t%xmm2 \t# 2 = 1/iak\n\ttbl\tv10.16b, {v18.16b},v11.16b\n\ttbl\tv3.16b, {v18.16b},v4.16b\t// vpshufb\t%xmm4,\t%xmm10,\t%xmm3\t# 3 = 1/jak\n\ttbl\tv11.16b, {v18.16b},v12.16b\n\teor\tv2.16b, v2.16b, v1.16b\t// vpxor\t%xmm1,\t%xmm2,\t%xmm2 \t# 2 = io\n\teor\tv10.16b, v10.16b, v9.16b\n\teor\tv3.16b, v3.16b, v0.16b\t// vpxor\t%xmm0,\t%xmm3,\t%xmm3\t# 3 = jo\n\teor\tv11.16b, v11.16b, v8.16b\n\tld1\t{v16.2d}, [x9],#16\t\t// vmovdqu\t(%r9),\t%xmm5\n\tcbnz\tw8, Lenc_2x_loop\n\n\t// middle of last round\n\tadd\tx10, x11, #0x80\n\t\t\t\t\t\t// vmovdqa\t-0x60(%r10), %xmm4\t# 3 : sbou\t.Lk_sbo\n\t\t\t\t\t\t// vmovdqa\t-0x50(%r10), %xmm0\t# 0 : sbot\t.Lk_sbo+16\n\ttbl\tv4.16b, {v22.16b}, v2.16b\t// vpshufb\t%xmm2,\t%xmm4,\t%xmm4\t# 4 = sbou\n\ttbl\tv12.16b, {v22.16b}, v10.16b\n\tld1\t{v1.2d}, [x10]\t\t\t// vmovdqa\t0x40(%r11,%r10), %xmm1\t# Lk_sr[]\n\ttbl\tv0.16b, {v23.16b}, v3.16b\t// vpshufb\t%xmm3,\t%xmm0,\t%xmm0\t# 0 = sb1t\n\ttbl\tv8.16b, {v23.16b}, v11.16b\n\teor\tv4.16b, v4.16b, v16.16b\t// vpxor\t%xmm5,\t%xmm4,\t%xmm4\t# 4 = sb1u + k\n\teor\tv12.16b, v12.16b, v16.16b\n\teor\tv0.16b, v0.16b, v4.16b\t// vpxor\t%xmm4,\t%xmm0,\t%xmm0\t# 0 = A\n\teor\tv8.16b, v8.16b, v12.16b\n\ttbl\tv0.16b, {v0.16b},v1.16b\t// vpshufb\t%xmm1,\t%xmm0,\t%xmm0\n\ttbl\tv1.16b, {v8.16b},v1.16b\n\tret\n\n\n\n.align\t4\n_vpaes_decrypt_preheat:\n\tadrp\tx10, Lk_inv@PAGE\n\tadd\tx10, x10, Lk_inv@PAGEOFF\n\tmovi\tv17.16b, #0x0f\n\tadrp\tx11, Lk_dipt@PAGE\n\tadd\tx11, x11, Lk_dipt@PAGEOFF\n\tld1\t{v18.2d,v19.2d}, [x10],#32\t// Lk_inv\n\tld1\t{v20.2d,v21.2d,v22.2d,v23.2d}, [x11],#64\t// Lk_dipt, Lk_dsbo\n\tld1\t{v24.2d,v25.2d,v26.2d,v27.2d}, [x11],#64\t// Lk_dsb9, Lk_dsbd\n\tld1\t{v28.2d,v29.2d,v30.2d,v31.2d}, [x11]\t\t// Lk_dsbb, Lk_dsbe\n\tret\n\n\n##\n## Decryption core\n##\n## Same API as encryption core.\n##\n\n.align\t4\n_vpaes_decrypt_core:\n\tmov\tx9, x2\n\tldr\tw8, [x2,#240]\t\t\t// pull rounds\n\n\t\t\t\t\t\t// vmovdqa\t.Lk_dipt(%rip), %xmm2\t# iptlo\n\tlsl\tx11, x8, #4\t\t\t// mov\t%rax,\t%r11;\tshl\t$4, %r11\n\teor\tx11, x11, #0x30\t\t\t// xor\t\t$0x30,\t%r11\n\tadrp\tx10, Lk_sr@PAGE\n\tadd\tx10, x10, Lk_sr@PAGEOFF\n\tand\tx11, x11, #0x30\t\t\t// and\t\t$0x30,\t%r11\n\tadd\tx11, x11, x10\n\tadrp\tx10, Lk_mc_forward@PAGE+48\n\tadd\tx10, x10, Lk_mc_forward@PAGEOFF+48\n\n\tld1\t{v16.2d}, [x9],#16\t\t// vmovdqu\t(%r9),\t%xmm4\t\t# round0 key\n\tand\tv1.16b, v7.16b, v17.16b\t\t// vpand\t%xmm9,\t%xmm0,\t%xmm1\n\tushr\tv0.16b, v7.16b, #4\t\t// vpsrlb\t$4,\t%xmm0,\t%xmm0\n\ttbl\tv2.16b, {v20.16b}, v1.16b\t// vpshufb\t%xmm1,\t%xmm2,\t%xmm2\n\tld1\t{v5.2d}, [x10]\t\t\t// vmovdqa\tLk_mc_forward+48(%rip), %xmm5\n\t\t\t\t\t\t// vmovdqa\t.Lk_dipt+16(%rip), %xmm1 # ipthi\n\ttbl\tv0.16b, {v21.16b}, v0.16b\t// vpshufb\t%xmm0,\t%xmm1,\t%xmm0\n\teor\tv2.16b, v2.16b, v16.16b\t\t// vpxor\t%xmm4,\t%xmm2,\t%xmm2\n\teor\tv0.16b, v0.16b, v2.16b\t\t// vpxor\t%xmm2,\t%xmm0,\t%xmm0\n\tb\tLdec_entry\n\n.align\t4\nLdec_loop:\n//\n// Inverse mix columns\n//\n\t\t\t\t\t\t// vmovdqa\t-0x20(%r10),%xmm4\t\t# 4 : sb9u\n\t\t\t\t\t\t// vmovdqa\t-0x10(%r10),%xmm1\t\t# 0 : sb9t\n\ttbl\tv4.16b, {v24.16b}, v2.16b\t\t// vpshufb\t%xmm2,\t%xmm4,\t%xmm4\t\t# 4 = sb9u\n\ttbl\tv1.16b, {v25.16b}, v3.16b\t\t// vpshufb\t%xmm3,\t%xmm1,\t%xmm1\t\t# 0 = sb9t\n\teor\tv0.16b, v4.16b, v16.16b\t\t// vpxor\t%xmm4,\t%xmm0,\t%xmm0\n\t\t\t\t\t\t// vmovdqa\t0x00(%r10),%xmm4\t\t# 4 : sbdu\n\teor\tv0.16b, v0.16b, v1.16b\t\t// vpxor\t%xmm1,\t%xmm0,\t%xmm0\t\t# 0 = ch\n\t\t\t\t\t\t// vmovdqa\t0x10(%r10),%xmm1\t\t# 0 : sbdt\n\n\ttbl\tv4.16b, {v26.16b}, v2.16b\t\t// vpshufb\t%xmm2,\t%xmm4,\t%xmm4\t\t# 4 = sbdu\n\ttbl\tv0.16b, {v0.16b}, v5.16b\t// vpshufb\t%xmm5,\t%xmm0,\t%xmm0\t\t# MC ch\n\ttbl\tv1.16b, {v27.16b}, v3.16b\t\t// vpshufb\t%xmm3,\t%xmm1,\t%xmm1\t\t# 0 = sbdt\n\teor\tv0.16b, v0.16b, v4.16b\t\t// vpxor\t%xmm4,\t%xmm0,\t%xmm0\t\t# 4 = ch\n\t\t\t\t\t\t// vmovdqa\t0x20(%r10),\t%xmm4\t\t# 4 : sbbu\n\teor\tv0.16b, v0.16b, v1.16b\t\t// vpxor\t%xmm1,\t%xmm0,\t%xmm0\t\t# 0 = ch\n\t\t\t\t\t\t// vmovdqa\t0x30(%r10),\t%xmm1\t\t# 0 : sbbt\n\n\ttbl\tv4.16b, {v28.16b}, v2.16b\t\t// vpshufb\t%xmm2,\t%xmm4,\t%xmm4\t\t# 4 = sbbu\n\ttbl\tv0.16b, {v0.16b}, v5.16b\t// vpshufb\t%xmm5,\t%xmm0,\t%xmm0\t\t# MC ch\n\ttbl\tv1.16b, {v29.16b}, v3.16b\t\t// vpshufb\t%xmm3,\t%xmm1,\t%xmm1\t\t# 0 = sbbt\n\teor\tv0.16b, v0.16b, v4.16b\t\t// vpxor\t%xmm4,\t%xmm0,\t%xmm0\t\t# 4 = ch\n\t\t\t\t\t\t// vmovdqa\t0x40(%r10),\t%xmm4\t\t# 4 : sbeu\n\teor\tv0.16b, v0.16b, v1.16b\t\t// vpxor\t%xmm1,\t%xmm0,\t%xmm0\t\t# 0 = ch\n\t\t\t\t\t\t// vmovdqa\t0x50(%r10),\t%xmm1\t\t# 0 : sbet\n\n\ttbl\tv4.16b, {v30.16b}, v2.16b\t\t// vpshufb\t%xmm2,\t%xmm4,\t%xmm4\t\t# 4 = sbeu\n\ttbl\tv0.16b, {v0.16b}, v5.16b\t// vpshufb\t%xmm5,\t%xmm0,\t%xmm0\t\t# MC ch\n\ttbl\tv1.16b, {v31.16b}, v3.16b\t\t// vpshufb\t%xmm3,\t%xmm1,\t%xmm1\t\t# 0 = sbet\n\teor\tv0.16b, v0.16b, v4.16b\t\t// vpxor\t%xmm4,\t%xmm0,\t%xmm0\t\t# 4 = ch\n\text\tv5.16b, v5.16b, v5.16b, #12\t// vpalignr $12,\t%xmm5,\t%xmm5,\t%xmm5\n\teor\tv0.16b, v0.16b, v1.16b\t\t// vpxor\t%xmm1,\t%xmm0,\t%xmm0\t\t# 0 = ch\n\tsub\tw8, w8, #1\t\t\t// sub\t\t$1,%rax\t\t\t# nr--\n\nLdec_entry:\n\t// top of round\n\tand\tv1.16b, v0.16b, v17.16b\t\t// vpand\t%xmm9,\t%xmm0,\t%xmm1\t# 0 = k\n\tushr\tv0.16b, v0.16b, #4\t\t// vpsrlb\t$4,\t%xmm0,\t%xmm0\t# 1 = i\n\ttbl\tv2.16b, {v19.16b}, v1.16b\t// vpshufb\t%xmm1,\t%xmm11,\t%xmm2\t# 2 = a/k\n\teor\tv1.16b,\tv1.16b, v0.16b\t\t// vpxor\t%xmm0,\t%xmm1,\t%xmm1\t# 0 = j\n\ttbl\tv3.16b, {v18.16b}, v0.16b\t// vpshufb\t%xmm0, \t%xmm10,\t%xmm3\t# 3 = 1/i\n\ttbl\tv4.16b, {v18.16b}, v1.16b\t// vpshufb\t%xmm1,\t%xmm10,\t%xmm4\t# 4 = 1/j\n\teor\tv3.16b, v3.16b, v2.16b\t\t// vpxor\t%xmm2,\t%xmm3,\t%xmm3\t# 3 = iak = 1/i + a/k\n\teor\tv4.16b, v4.16b, v2.16b\t\t// vpxor\t%xmm2, \t%xmm4,\t%xmm4\t# 4 = jak = 1/j + a/k\n\ttbl\tv2.16b, {v18.16b}, v3.16b\t// vpshufb\t%xmm3,\t%xmm10,\t%xmm2\t# 2 = 1/iak\n\ttbl\tv3.16b, {v18.16b}, v4.16b\t// vpshufb\t%xmm4, %xmm10,\t%xmm3\t# 3 = 1/jak\n\teor\tv2.16b, v2.16b, v1.16b\t\t// vpxor\t%xmm1,\t%xmm2,\t%xmm2\t# 2 = io\n\teor\tv3.16b, v3.16b, v0.16b\t\t// vpxor\t%xmm0, %xmm3,\t%xmm3\t# 3 = jo\n\tld1\t{v16.2d}, [x9],#16\t\t// vmovdqu\t(%r9),\t%xmm0\n\tcbnz\tw8, Ldec_loop\n\n\t// middle of last round\n\t\t\t\t\t\t// vmovdqa\t0x60(%r10),\t%xmm4\t# 3 : sbou\n\ttbl\tv4.16b, {v22.16b}, v2.16b\t\t// vpshufb\t%xmm2,\t%xmm4,\t%xmm4\t# 4 = sbou\n\t\t\t\t\t\t// vmovdqa\t0x70(%r10),\t%xmm1\t# 0 : sbot\n\tld1\t{v2.2d}, [x11]\t\t\t// vmovdqa\t-0x160(%r11),\t%xmm2\t# Lk_sr-Lk_dsbd=-0x160\n\ttbl\tv1.16b, {v23.16b}, v3.16b\t\t// vpshufb\t%xmm3,\t%xmm1,\t%xmm1\t# 0 = sb1t\n\teor\tv4.16b, v4.16b, v16.16b\t\t// vpxor\t%xmm0,\t%xmm4,\t%xmm4\t# 4 = sb1u + k\n\teor\tv0.16b, v1.16b, v4.16b\t\t// vpxor\t%xmm4,\t%xmm1,\t%xmm0\t# 0 = A\n\ttbl\tv0.16b, {v0.16b}, v2.16b\t// vpshufb\t%xmm2,\t%xmm0,\t%xmm0\n\tret\n\n\n.globl\t_vpaes_decrypt\n.private_extern\t_vpaes_decrypt\n\n.align\t4\n_vpaes_decrypt:\n\tAARCH64_SIGN_LINK_REGISTER\n\tstp\tx29,x30,[sp,#-16]!\n\tadd\tx29,sp,#0\n\n\tld1\t{v7.16b}, [x0]\n\tbl\t_vpaes_decrypt_preheat\n\tbl\t_vpaes_decrypt_core\n\tst1\t{v0.16b}, [x1]\n\n\tldp\tx29,x30,[sp],#16\n\tAARCH64_VALIDATE_LINK_REGISTER\n\tret\n\n\n// v14-v15 input, v0-v1 output\n\n.align\t4\n_vpaes_decrypt_2x:\n\tmov\tx9, x2\n\tldr\tw8, [x2,#240]\t\t\t// pull rounds\n\n\t\t\t\t\t\t// vmovdqa\t.Lk_dipt(%rip), %xmm2\t# iptlo\n\tlsl\tx11, x8, #4\t\t\t// mov\t%rax,\t%r11;\tshl\t$4, %r11\n\teor\tx11, x11, #0x30\t\t\t// xor\t\t$0x30,\t%r11\n\tadrp\tx10, Lk_sr@PAGE\n\tadd\tx10, x10, Lk_sr@PAGEOFF\n\tand\tx11, x11, #0x30\t\t\t// and\t\t$0x30,\t%r11\n\tadd\tx11, x11, x10\n\tadrp\tx10, Lk_mc_forward@PAGE+48\n\tadd\tx10, x10, Lk_mc_forward@PAGEOFF+48\n\n\tld1\t{v16.2d}, [x9],#16\t\t// vmovdqu\t(%r9),\t%xmm4\t\t# round0 key\n\tand\tv1.16b, v14.16b, v17.16b\t// vpand\t%xmm9,\t%xmm0,\t%xmm1\n\tushr\tv0.16b, v14.16b, #4\t\t// vpsrlb\t$4,\t%xmm0,\t%xmm0\n\tand\tv9.16b, v15.16b, v17.16b\n\tushr\tv8.16b, v15.16b, #4\n\ttbl\tv2.16b, {v20.16b},v1.16b\t// vpshufb\t%xmm1,\t%xmm2,\t%xmm2\n\ttbl\tv10.16b, {v20.16b},v9.16b\n\tld1\t{v5.2d}, [x10]\t\t\t// vmovdqa\tLk_mc_forward+48(%rip), %xmm5\n\t\t\t\t\t\t// vmovdqa\t.Lk_dipt+16(%rip), %xmm1 # ipthi\n\ttbl\tv0.16b, {v21.16b},v0.16b\t// vpshufb\t%xmm0,\t%xmm1,\t%xmm0\n\ttbl\tv8.16b, {v21.16b},v8.16b\n\teor\tv2.16b, v2.16b, v16.16b\t// vpxor\t%xmm4,\t%xmm2,\t%xmm2\n\teor\tv10.16b, v10.16b, v16.16b\n\teor\tv0.16b, v0.16b, v2.16b\t// vpxor\t%xmm2,\t%xmm0,\t%xmm0\n\teor\tv8.16b, v8.16b, v10.16b\n\tb\tLdec_2x_entry\n\n.align\t4\nLdec_2x_loop:\n//\n// Inverse mix columns\n//\n\t\t\t\t\t\t// vmovdqa\t-0x20(%r10),%xmm4\t\t# 4 : sb9u\n\t\t\t\t\t\t// vmovdqa\t-0x10(%r10),%xmm1\t\t# 0 : sb9t\n\ttbl\tv4.16b, {v24.16b}, v2.16b\t// vpshufb\t%xmm2,\t%xmm4,\t%xmm4\t\t# 4 = sb9u\n\ttbl\tv12.16b, {v24.16b}, v10.16b\n\ttbl\tv1.16b, {v25.16b}, v3.16b\t// vpshufb\t%xmm3,\t%xmm1,\t%xmm1\t\t# 0 = sb9t\n\ttbl\tv9.16b, {v25.16b}, v11.16b\n\teor\tv0.16b, v4.16b, v16.16b\t// vpxor\t%xmm4,\t%xmm0,\t%xmm0\n\teor\tv8.16b, v12.16b, v16.16b\n\t\t\t\t\t\t// vmovdqa\t0x00(%r10),%xmm4\t\t# 4 : sbdu\n\teor\tv0.16b, v0.16b, v1.16b\t// vpxor\t%xmm1,\t%xmm0,\t%xmm0\t\t# 0 = ch\n\teor\tv8.16b, v8.16b, v9.16b\t// vpxor\t%xmm1,\t%xmm0,\t%xmm0\t\t# 0 = ch\n\t\t\t\t\t\t// vmovdqa\t0x10(%r10),%xmm1\t\t# 0 : sbdt\n\n\ttbl\tv4.16b, {v26.16b}, v2.16b\t// vpshufb\t%xmm2,\t%xmm4,\t%xmm4\t\t# 4 = sbdu\n\ttbl\tv12.16b, {v26.16b}, v10.16b\n\ttbl\tv0.16b, {v0.16b},v5.16b\t// vpshufb\t%xmm5,\t%xmm0,\t%xmm0\t\t# MC ch\n\ttbl\tv8.16b, {v8.16b},v5.16b\n\ttbl\tv1.16b, {v27.16b}, v3.16b\t// vpshufb\t%xmm3,\t%xmm1,\t%xmm1\t\t# 0 = sbdt\n\ttbl\tv9.16b, {v27.16b}, v11.16b\n\teor\tv0.16b, v0.16b, v4.16b\t// vpxor\t%xmm4,\t%xmm0,\t%xmm0\t\t# 4 = ch\n\teor\tv8.16b, v8.16b, v12.16b\n\t\t\t\t\t\t// vmovdqa\t0x20(%r10),\t%xmm4\t\t# 4 : sbbu\n\teor\tv0.16b, v0.16b, v1.16b\t// vpxor\t%xmm1,\t%xmm0,\t%xmm0\t\t# 0 = ch\n\teor\tv8.16b, v8.16b, v9.16b\n\t\t\t\t\t\t// vmovdqa\t0x30(%r10),\t%xmm1\t\t# 0 : sbbt\n\n\ttbl\tv4.16b, {v28.16b}, v2.16b\t// vpshufb\t%xmm2,\t%xmm4,\t%xmm4\t\t# 4 = sbbu\n\ttbl\tv12.16b, {v28.16b}, v10.16b\n\ttbl\tv0.16b, {v0.16b},v5.16b\t// vpshufb\t%xmm5,\t%xmm0,\t%xmm0\t\t# MC ch\n\ttbl\tv8.16b, {v8.16b},v5.16b\n\ttbl\tv1.16b, {v29.16b}, v3.16b\t// vpshufb\t%xmm3,\t%xmm1,\t%xmm1\t\t# 0 = sbbt\n\ttbl\tv9.16b, {v29.16b}, v11.16b\n\teor\tv0.16b, v0.16b, v4.16b\t// vpxor\t%xmm4,\t%xmm0,\t%xmm0\t\t# 4 = ch\n\teor\tv8.16b, v8.16b, v12.16b\n\t\t\t\t\t\t// vmovdqa\t0x40(%r10),\t%xmm4\t\t# 4 : sbeu\n\teor\tv0.16b, v0.16b, v1.16b\t// vpxor\t%xmm1,\t%xmm0,\t%xmm0\t\t# 0 = ch\n\teor\tv8.16b, v8.16b, v9.16b\n\t\t\t\t\t\t// vmovdqa\t0x50(%r10),\t%xmm1\t\t# 0 : sbet\n\n\ttbl\tv4.16b, {v30.16b}, v2.16b\t// vpshufb\t%xmm2,\t%xmm4,\t%xmm4\t\t# 4 = sbeu\n\ttbl\tv12.16b, {v30.16b}, v10.16b\n\ttbl\tv0.16b, {v0.16b},v5.16b\t// vpshufb\t%xmm5,\t%xmm0,\t%xmm0\t\t# MC ch\n\ttbl\tv8.16b, {v8.16b},v5.16b\n\ttbl\tv1.16b, {v31.16b}, v3.16b\t// vpshufb\t%xmm3,\t%xmm1,\t%xmm1\t\t# 0 = sbet\n\ttbl\tv9.16b, {v31.16b}, v11.16b\n\teor\tv0.16b, v0.16b, v4.16b\t// vpxor\t%xmm4,\t%xmm0,\t%xmm0\t\t# 4 = ch\n\teor\tv8.16b, v8.16b, v12.16b\n\text\tv5.16b, v5.16b, v5.16b, #12\t// vpalignr $12,\t%xmm5,\t%xmm5,\t%xmm5\n\teor\tv0.16b, v0.16b, v1.16b\t// vpxor\t%xmm1,\t%xmm0,\t%xmm0\t\t# 0 = ch\n\teor\tv8.16b, v8.16b, v9.16b\n\tsub\tw8, w8, #1\t\t\t// sub\t\t$1,%rax\t\t\t# nr--\n\nLdec_2x_entry:\n\t// top of round\n\tand\tv1.16b, v0.16b, v17.16b\t// vpand\t%xmm9,\t%xmm0,\t%xmm1\t# 0 = k\n\tushr\tv0.16b, v0.16b, #4\t\t// vpsrlb\t$4,\t%xmm0,\t%xmm0\t# 1 = i\n\tand\tv9.16b, v8.16b, v17.16b\n\tushr\tv8.16b, v8.16b, #4\n\ttbl\tv2.16b, {v19.16b},v1.16b\t// vpshufb\t%xmm1,\t%xmm11,\t%xmm2\t# 2 = a/k\n\ttbl\tv10.16b, {v19.16b},v9.16b\n\teor\tv1.16b,\t v1.16b, v0.16b\t// vpxor\t%xmm0,\t%xmm1,\t%xmm1\t# 0 = j\n\teor\tv9.16b,\t v9.16b, v8.16b\n\ttbl\tv3.16b, {v18.16b},v0.16b\t// vpshufb\t%xmm0, \t%xmm10,\t%xmm3\t# 3 = 1/i\n\ttbl\tv11.16b, {v18.16b},v8.16b\n\ttbl\tv4.16b, {v18.16b},v1.16b\t// vpshufb\t%xmm1,\t%xmm10,\t%xmm4\t# 4 = 1/j\n\ttbl\tv12.16b, {v18.16b},v9.16b\n\teor\tv3.16b, v3.16b, v2.16b\t// vpxor\t%xmm2,\t%xmm3,\t%xmm3\t# 3 = iak = 1/i + a/k\n\teor\tv11.16b, v11.16b, v10.16b\n\teor\tv4.16b, v4.16b, v2.16b\t// vpxor\t%xmm2, \t%xmm4,\t%xmm4\t# 4 = jak = 1/j + a/k\n\teor\tv12.16b, v12.16b, v10.16b\n\ttbl\tv2.16b, {v18.16b},v3.16b\t// vpshufb\t%xmm3,\t%xmm10,\t%xmm2\t# 2 = 1/iak\n\ttbl\tv10.16b, {v18.16b},v11.16b\n\ttbl\tv3.16b, {v18.16b},v4.16b\t// vpshufb\t%xmm4, %xmm10,\t%xmm3\t# 3 = 1/jak\n\ttbl\tv11.16b, {v18.16b},v12.16b\n\teor\tv2.16b, v2.16b, v1.16b\t// vpxor\t%xmm1,\t%xmm2,\t%xmm2\t# 2 = io\n\teor\tv10.16b, v10.16b, v9.16b\n\teor\tv3.16b, v3.16b, v0.16b\t// vpxor\t%xmm0, %xmm3,\t%xmm3\t# 3 = jo\n\teor\tv11.16b, v11.16b, v8.16b\n\tld1\t{v16.2d}, [x9],#16\t\t// vmovdqu\t(%r9),\t%xmm0\n\tcbnz\tw8, Ldec_2x_loop\n\n\t// middle of last round\n\t\t\t\t\t\t// vmovdqa\t0x60(%r10),\t%xmm4\t# 3 : sbou\n\ttbl\tv4.16b, {v22.16b}, v2.16b\t// vpshufb\t%xmm2,\t%xmm4,\t%xmm4\t# 4 = sbou\n\ttbl\tv12.16b, {v22.16b}, v10.16b\n\t\t\t\t\t\t// vmovdqa\t0x70(%r10),\t%xmm1\t# 0 : sbot\n\ttbl\tv1.16b, {v23.16b}, v3.16b\t// vpshufb\t%xmm3,\t%xmm1,\t%xmm1\t# 0 = sb1t\n\ttbl\tv9.16b, {v23.16b}, v11.16b\n\tld1\t{v2.2d}, [x11]\t\t\t// vmovdqa\t-0x160(%r11),\t%xmm2\t# Lk_sr-Lk_dsbd=-0x160\n\teor\tv4.16b, v4.16b, v16.16b\t// vpxor\t%xmm0,\t%xmm4,\t%xmm4\t# 4 = sb1u + k\n\teor\tv12.16b, v12.16b, v16.16b\n\teor\tv0.16b, v1.16b, v4.16b\t// vpxor\t%xmm4,\t%xmm1,\t%xmm0\t# 0 = A\n\teor\tv8.16b, v9.16b, v12.16b\n\ttbl\tv0.16b, {v0.16b},v2.16b\t// vpshufb\t%xmm2,\t%xmm0,\t%xmm0\n\ttbl\tv1.16b, {v8.16b},v2.16b\n\tret\n\n########################################################\n## ##\n## AES key schedule ##\n## ##\n########################################################\n\n.align\t4\n_vpaes_key_preheat:\n\tadrp\tx10, Lk_inv@PAGE\n\tadd\tx10, x10, Lk_inv@PAGEOFF\n\tmovi\tv16.16b, #0x5b\t\t\t// Lk_s63\n\tadrp\tx11, Lk_sb1@PAGE\n\tadd\tx11, x11, Lk_sb1@PAGEOFF\n\tmovi\tv17.16b, #0x0f\t\t\t// Lk_s0F\n\tld1\t{v18.2d,v19.2d,v20.2d,v21.2d}, [x10]\t\t// Lk_inv, Lk_ipt\n\tadrp\tx10, Lk_dksd@PAGE\n\tadd\tx10, x10, Lk_dksd@PAGEOFF\n\tld1\t{v22.2d,v23.2d}, [x11]\t\t// Lk_sb1\n\tadrp\tx11, Lk_mc_forward@PAGE\n\tadd\tx11, x11, Lk_mc_forward@PAGEOFF\n\tld1\t{v24.2d,v25.2d,v26.2d,v27.2d}, [x10],#64\t// Lk_dksd, Lk_dksb\n\tld1\t{v28.2d,v29.2d,v30.2d,v31.2d}, [x10],#64\t// Lk_dkse, Lk_dks9\n\tld1\t{v8.2d}, [x10]\t\t\t// Lk_rcon\n\tld1\t{v9.2d}, [x11]\t\t\t// Lk_mc_forward[0]\n\tret\n\n\n\n.align\t4\n_vpaes_schedule_core:\n\tAARCH64_SIGN_LINK_REGISTER\n\tstp\tx29, x30, [sp,#-16]!\n\tadd\tx29,sp,#0\n\n\tbl\t_vpaes_key_preheat\t\t// load the tables\n\n\tld1\t{v0.16b}, [x0],#16\t\t// vmovdqu\t(%rdi),\t%xmm0\t\t# load key (unaligned)\n\n\t// input transform\n\tmov\tv3.16b, v0.16b\t\t\t// vmovdqa\t%xmm0,\t%xmm3\n\tbl\t_vpaes_schedule_transform\n\tmov\tv7.16b, v0.16b\t\t\t// vmovdqa\t%xmm0,\t%xmm7\n\n\tadrp\tx10, Lk_sr@PAGE\t\t// lea\tLk_sr(%rip),%r10\n\tadd\tx10, x10, Lk_sr@PAGEOFF\n\n\tadd\tx8, x8, x10\n\tcbnz\tw3, Lschedule_am_decrypting\n\n\t// encrypting, output zeroth round key after transform\n\tst1\t{v0.2d}, [x2]\t\t\t// vmovdqu\t%xmm0,\t(%rdx)\n\tb\tLschedule_go\n\nLschedule_am_decrypting:\n\t// decrypting, output zeroth round key after shiftrows\n\tld1\t{v1.2d}, [x8]\t\t\t// vmovdqa\t(%r8,%r10),\t%xmm1\n\ttbl\tv3.16b, {v3.16b}, v1.16b\t// vpshufb %xmm1,\t%xmm3,\t%xmm3\n\tst1\t{v3.2d}, [x2]\t\t\t// vmovdqu\t%xmm3,\t(%rdx)\n\teor\tx8, x8, #0x30\t\t\t// xor\t$0x30, %r8\n\nLschedule_go:\n\tcmp\tw1, #192\t\t\t// cmp\t$192,\t%esi\n\tb.hi\tLschedule_256\n\tb.eq\tLschedule_192\n\t// 128: fall though\n\n##\n## .schedule_128\n##\n## 128-bit specific part of key schedule.\n##\n## This schedule is really simple, because all its parts\n## are accomplished by the subroutines.\n##\nLschedule_128:\n\tmov\tx0, #10\t\t\t// mov\t$10, %esi\n\nLoop_schedule_128:\n\tsub\tx0, x0, #1\t\t\t// dec\t%esi\n\tbl\t_vpaes_schedule_round\n\tcbz\tx0, Lschedule_mangle_last\n\tbl\t_vpaes_schedule_mangle\t\t// write output\n\tb\tLoop_schedule_128\n\n##\n## .aes_schedule_192\n##\n## 192-bit specific part of key schedule.\n##\n## The main body of this schedule is the same as the 128-bit\n## schedule, but with more smearing. The long, high side is\n## stored in %xmm7 as before, and the short, low side is in\n## the high bits of %xmm6.\n##\n## This schedule is somewhat nastier, however, because each\n## round produces 192 bits of key material, or 1.5 round keys.\n## Therefore, on each cycle we do 2 rounds and produce 3 round\n## keys.\n##\n.align\t4\nLschedule_192:\n\tsub\tx0, x0, #8\n\tld1\t{v0.16b}, [x0]\t\t// vmovdqu\t8(%rdi),%xmm0\t\t# load key part 2 (very unaligned)\n\tbl\t_vpaes_schedule_transform\t// input transform\n\tmov\tv6.16b, v0.16b\t\t\t// vmovdqa\t%xmm0,\t%xmm6\t\t# save short part\n\teor\tv4.16b, v4.16b, v4.16b\t\t// vpxor\t%xmm4,\t%xmm4, %xmm4\t# clear 4\n\tins\tv6.d[0], v4.d[0]\t\t// vmovhlps\t%xmm4,\t%xmm6,\t%xmm6\t\t# clobber low side with zeros\n\tmov\tx0, #4\t\t\t// mov\t$4,\t%esi\n\nLoop_schedule_192:\n\tsub\tx0, x0, #1\t\t\t// dec\t%esi\n\tbl\t_vpaes_schedule_round\n\text\tv0.16b, v6.16b, v0.16b, #8\t// vpalignr\t$8,%xmm6,%xmm0,%xmm0\n\tbl\t_vpaes_schedule_mangle\t\t// save key n\n\tbl\t_vpaes_schedule_192_smear\n\tbl\t_vpaes_schedule_mangle\t\t// save key n+1\n\tbl\t_vpaes_schedule_round\n\tcbz\tx0, Lschedule_mangle_last\n\tbl\t_vpaes_schedule_mangle\t\t// save key n+2\n\tbl\t_vpaes_schedule_192_smear\n\tb\tLoop_schedule_192\n\n##\n## .aes_schedule_256\n##\n## 256-bit specific part of key schedule.\n##\n## The structure here is very similar to the 128-bit\n## schedule, but with an additional \"low side\" in\n## %xmm6. The low side's rounds are the same as the\n## high side's, except no rcon and no rotation.\n##\n.align\t4\nLschedule_256:\n\tld1\t{v0.16b}, [x0]\t\t// vmovdqu\t16(%rdi),%xmm0\t\t# load key part 2 (unaligned)\n\tbl\t_vpaes_schedule_transform\t// input transform\n\tmov\tx0, #7\t\t\t// mov\t$7, %esi\n\nLoop_schedule_256:\n\tsub\tx0, x0, #1\t\t\t// dec\t%esi\n\tbl\t_vpaes_schedule_mangle\t\t// output low result\n\tmov\tv6.16b, v0.16b\t\t\t// vmovdqa\t%xmm0,\t%xmm6\t\t# save cur_lo in xmm6\n\n\t// high round\n\tbl\t_vpaes_schedule_round\n\tcbz\tx0, Lschedule_mangle_last\n\tbl\t_vpaes_schedule_mangle\n\n\t// low round. swap xmm7 and xmm6\n\tdup\tv0.4s, v0.s[3]\t\t\t// vpshufd\t$0xFF,\t%xmm0,\t%xmm0\n\tmovi\tv4.16b, #0\n\tmov\tv5.16b, v7.16b\t\t\t// vmovdqa\t%xmm7,\t%xmm5\n\tmov\tv7.16b, v6.16b\t\t\t// vmovdqa\t%xmm6,\t%xmm7\n\tbl\t_vpaes_schedule_low_round\n\tmov\tv7.16b, v5.16b\t\t\t// vmovdqa\t%xmm5,\t%xmm7\n\n\tb\tLoop_schedule_256\n\n##\n## .aes_schedule_mangle_last\n##\n## Mangler for last round of key schedule\n## Mangles %xmm0\n## when encrypting, outputs out(%xmm0) ^ 63\n## when decrypting, outputs unskew(%xmm0)\n##\n## Always called right before return... jumps to cleanup and exits\n##\n.align\t4\nLschedule_mangle_last:\n\t// schedule last round key from xmm0\n\tadrp\tx11, Lk_deskew@PAGE\t// lea\tLk_deskew(%rip),%r11\t# prepare to deskew\n\tadd\tx11, x11, Lk_deskew@PAGEOFF\n\n\tcbnz\tw3, Lschedule_mangle_last_dec\n\n\t// encrypting\n\tld1\t{v1.2d}, [x8]\t\t\t// vmovdqa\t(%r8,%r10),%xmm1\n\tadrp\tx11, Lk_opt@PAGE\t\t// lea\tLk_opt(%rip),\t%r11\t\t# prepare to output transform\n\tadd\tx11, x11, Lk_opt@PAGEOFF\n\tadd\tx2, x2, #32\t\t\t// add\t$32,\t%rdx\n\ttbl\tv0.16b, {v0.16b}, v1.16b\t// vpshufb\t%xmm1,\t%xmm0,\t%xmm0\t\t# output permute\n\nLschedule_mangle_last_dec:\n\tld1\t{v20.2d,v21.2d}, [x11]\t\t// reload constants\n\tsub\tx2, x2, #16\t\t\t// add\t$-16,\t%rdx\n\teor\tv0.16b, v0.16b, v16.16b\t\t// vpxor\tLk_s63(%rip),\t%xmm0,\t%xmm0\n\tbl\t_vpaes_schedule_transform\t// output transform\n\tst1\t{v0.2d}, [x2]\t\t\t// vmovdqu\t%xmm0,\t(%rdx)\t\t# save last key\n\n\t// cleanup\n\teor\tv0.16b, v0.16b, v0.16b\t\t// vpxor\t%xmm0,\t%xmm0,\t%xmm0\n\teor\tv1.16b, v1.16b, v1.16b\t\t// vpxor\t%xmm1,\t%xmm1,\t%xmm1\n\teor\tv2.16b, v2.16b, v2.16b\t\t// vpxor\t%xmm2,\t%xmm2,\t%xmm2\n\teor\tv3.16b, v3.16b, v3.16b\t\t// vpxor\t%xmm3,\t%xmm3,\t%xmm3\n\teor\tv4.16b, v4.16b, v4.16b\t\t// vpxor\t%xmm4,\t%xmm4,\t%xmm4\n\teor\tv5.16b, v5.16b, v5.16b\t\t// vpxor\t%xmm5,\t%xmm5,\t%xmm5\n\teor\tv6.16b, v6.16b, v6.16b\t\t// vpxor\t%xmm6,\t%xmm6,\t%xmm6\n\teor\tv7.16b, v7.16b, v7.16b\t\t// vpxor\t%xmm7,\t%xmm7,\t%xmm7\n\tldp\tx29, x30, [sp],#16\n\tAARCH64_VALIDATE_LINK_REGISTER\n\tret\n\n\n##\n## .aes_schedule_192_smear\n##\n## Smear the short, low side in the 192-bit key schedule.\n##\n## Inputs:\n## %xmm7: high side, b a x y\n## %xmm6: low side, d c 0 0\n## %xmm13: 0\n##\n## Outputs:\n## %xmm6: b+c+d b+c 0 0\n## %xmm0: b+c+d b+c b a\n##\n\n.align\t4\n_vpaes_schedule_192_smear:\n\tmovi\tv1.16b, #0\n\tdup\tv0.4s, v7.s[3]\n\tins\tv1.s[3], v6.s[2]\t// vpshufd\t$0x80,\t%xmm6,\t%xmm1\t# d c 0 0 -> c 0 0 0\n\tins\tv0.s[0], v7.s[2]\t// vpshufd\t$0xFE,\t%xmm7,\t%xmm0\t# b a _ _ -> b b b a\n\teor\tv6.16b, v6.16b, v1.16b\t// vpxor\t%xmm1,\t%xmm6,\t%xmm6\t# -> c+d c 0 0\n\teor\tv1.16b, v1.16b, v1.16b\t// vpxor\t%xmm1,\t%xmm1,\t%xmm1\n\teor\tv6.16b, v6.16b, v0.16b\t// vpxor\t%xmm0,\t%xmm6,\t%xmm6\t# -> b+c+d b+c b a\n\tmov\tv0.16b, v6.16b\t\t// vmovdqa\t%xmm6,\t%xmm0\n\tins\tv6.d[0], v1.d[0]\t// vmovhlps\t%xmm1,\t%xmm6,\t%xmm6\t# clobber low side with zeros\n\tret\n\n\n##\n## .aes_schedule_round\n##\n## Runs one main round of the key schedule on %xmm0, %xmm7\n##\n## Specifically, runs subbytes on the high dword of %xmm0\n## then rotates it by one byte and xors into the low dword of\n## %xmm7.\n##\n## Adds rcon from low byte of %xmm8, then rotates %xmm8 for\n## next rcon.\n##\n## Smears the dwords of %xmm7 by xoring the low into the\n## second low, result into third, result into highest.\n##\n## Returns results in %xmm7 = %xmm0.\n## Clobbers %xmm1-%xmm4, %r11.\n##\n\n.align\t4\n_vpaes_schedule_round:\n\t// extract rcon from xmm8\n\tmovi\tv4.16b, #0\t\t\t// vpxor\t%xmm4,\t%xmm4,\t%xmm4\n\text\tv1.16b, v8.16b, v4.16b, #15\t// vpalignr\t$15,\t%xmm8,\t%xmm4,\t%xmm1\n\text\tv8.16b, v8.16b, v8.16b, #15\t// vpalignr\t$15,\t%xmm8,\t%xmm8,\t%xmm8\n\teor\tv7.16b, v7.16b, v1.16b\t\t// vpxor\t%xmm1,\t%xmm7,\t%xmm7\n\n\t// rotate\n\tdup\tv0.4s, v0.s[3]\t\t\t// vpshufd\t$0xFF,\t%xmm0,\t%xmm0\n\text\tv0.16b, v0.16b, v0.16b, #1\t// vpalignr\t$1,\t%xmm0,\t%xmm0,\t%xmm0\n\n\t// fall through...\n\n\t// low round: same as high round, but no rotation and no rcon.\n_vpaes_schedule_low_round:\n\t// smear xmm7\n\text\tv1.16b, v4.16b, v7.16b, #12\t// vpslldq\t$4,\t%xmm7,\t%xmm1\n\teor\tv7.16b, v7.16b, v1.16b\t\t// vpxor\t%xmm1,\t%xmm7,\t%xmm7\n\text\tv4.16b, v4.16b, v7.16b, #8\t// vpslldq\t$8,\t%xmm7,\t%xmm4\n\n\t// subbytes\n\tand\tv1.16b, v0.16b, v17.16b\t\t// vpand\t%xmm9,\t%xmm0,\t%xmm1\t\t# 0 = k\n\tushr\tv0.16b, v0.16b, #4\t\t// vpsrlb\t$4,\t%xmm0,\t%xmm0\t\t# 1 = i\n\teor\tv7.16b, v7.16b, v4.16b\t\t// vpxor\t%xmm4,\t%xmm7,\t%xmm7\n\ttbl\tv2.16b, {v19.16b}, v1.16b\t// vpshufb\t%xmm1,\t%xmm11,\t%xmm2\t\t# 2 = a/k\n\teor\tv1.16b, v1.16b, v0.16b\t\t// vpxor\t%xmm0,\t%xmm1,\t%xmm1\t\t# 0 = j\n\ttbl\tv3.16b, {v18.16b}, v0.16b\t// vpshufb\t%xmm0, \t%xmm10,\t%xmm3\t\t# 3 = 1/i\n\teor\tv3.16b, v3.16b, v2.16b\t\t// vpxor\t%xmm2,\t%xmm3,\t%xmm3\t\t# 3 = iak = 1/i + a/k\n\ttbl\tv4.16b, {v18.16b}, v1.16b\t// vpshufb\t%xmm1,\t%xmm10,\t%xmm4\t\t# 4 = 1/j\n\teor\tv7.16b, v7.16b, v16.16b\t\t// vpxor\tLk_s63(%rip),\t%xmm7,\t%xmm7\n\ttbl\tv3.16b, {v18.16b}, v3.16b\t// vpshufb\t%xmm3,\t%xmm10,\t%xmm3\t\t# 2 = 1/iak\n\teor\tv4.16b, v4.16b, v2.16b\t\t// vpxor\t%xmm2,\t%xmm4,\t%xmm4\t\t# 4 = jak = 1/j + a/k\n\ttbl\tv2.16b, {v18.16b}, v4.16b\t// vpshufb\t%xmm4,\t%xmm10,\t%xmm2\t\t# 3 = 1/jak\n\teor\tv3.16b, v3.16b, v1.16b\t\t// vpxor\t%xmm1,\t%xmm3,\t%xmm3\t\t# 2 = io\n\teor\tv2.16b, v2.16b, v0.16b\t\t// vpxor\t%xmm0,\t%xmm2,\t%xmm2\t\t# 3 = jo\n\ttbl\tv4.16b, {v23.16b}, v3.16b\t// vpshufb\t%xmm3,\t%xmm13,\t%xmm4\t\t# 4 = sbou\n\ttbl\tv1.16b, {v22.16b}, v2.16b\t// vpshufb\t%xmm2,\t%xmm12,\t%xmm1\t\t# 0 = sb1t\n\teor\tv1.16b, v1.16b, v4.16b\t\t// vpxor\t%xmm4,\t%xmm1,\t%xmm1\t\t# 0 = sbox output\n\n\t// add in smeared stuff\n\teor\tv0.16b, v1.16b, v7.16b\t\t// vpxor\t%xmm7,\t%xmm1,\t%xmm0\n\teor\tv7.16b, v1.16b, v7.16b\t\t// vmovdqa\t%xmm0,\t%xmm7\n\tret\n\n\n##\n## .aes_schedule_transform\n##\n## Linear-transform %xmm0 according to tables at (%r11)\n##\n## Requires that %xmm9 = 0x0F0F... as in preheat\n## Output in %xmm0\n## Clobbers %xmm1, %xmm2\n##\n\n.align\t4\n_vpaes_schedule_transform:\n\tand\tv1.16b, v0.16b, v17.16b\t\t// vpand\t%xmm9,\t%xmm0,\t%xmm1\n\tushr\tv0.16b, v0.16b, #4\t\t// vpsrlb\t$4,\t%xmm0,\t%xmm0\n\t\t\t\t\t\t// vmovdqa\t(%r11),\t%xmm2 \t# lo\n\ttbl\tv2.16b, {v20.16b}, v1.16b\t// vpshufb\t%xmm1,\t%xmm2,\t%xmm2\n\t\t\t\t\t\t// vmovdqa\t16(%r11),\t%xmm1 # hi\n\ttbl\tv0.16b, {v21.16b}, v0.16b\t// vpshufb\t%xmm0,\t%xmm1,\t%xmm0\n\teor\tv0.16b, v0.16b, v2.16b\t\t// vpxor\t%xmm2,\t%xmm0,\t%xmm0\n\tret\n\n\n##\n## .aes_schedule_mangle\n##\n## Mangle xmm0 from (basis-transformed) standard version\n## to our version.\n##\n## On encrypt,\n## xor with 0x63\n## multiply by circulant 0,1,1,1\n## apply shiftrows transform\n##\n## On decrypt,\n## xor with 0x63\n## multiply by \"inverse mixcolumns\" circulant E,B,D,9\n## deskew\n## apply shiftrows transform\n##\n##\n## Writes out to (%rdx), and increments or decrements it\n## Keeps track of round number mod 4 in %r8\n## Preserves xmm0\n## Clobbers xmm1-xmm5\n##\n\n.align\t4\n_vpaes_schedule_mangle:\n\tmov\tv4.16b, v0.16b\t\t\t// vmovdqa\t%xmm0,\t%xmm4\t# save xmm0 for later\n\t\t\t\t\t\t// vmovdqa\t.Lk_mc_forward(%rip),%xmm5\n\tcbnz\tw3, Lschedule_mangle_dec\n\n\t// encrypting\n\teor\tv4.16b, v0.16b, v16.16b\t\t// vpxor\tLk_s63(%rip),\t%xmm0,\t%xmm4\n\tadd\tx2, x2, #16\t\t\t// add\t$16,\t%rdx\n\ttbl\tv4.16b, {v4.16b}, v9.16b\t// vpshufb\t%xmm5,\t%xmm4,\t%xmm4\n\ttbl\tv1.16b, {v4.16b}, v9.16b\t// vpshufb\t%xmm5,\t%xmm4,\t%xmm1\n\ttbl\tv3.16b, {v1.16b}, v9.16b\t// vpshufb\t%xmm5,\t%xmm1,\t%xmm3\n\teor\tv4.16b, v4.16b, v1.16b\t\t// vpxor\t%xmm1,\t%xmm4,\t%xmm4\n\tld1\t{v1.2d}, [x8]\t\t\t// vmovdqa\t(%r8,%r10),\t%xmm1\n\teor\tv3.16b, v3.16b, v4.16b\t\t// vpxor\t%xmm4,\t%xmm3,\t%xmm3\n\n\tb\tLschedule_mangle_both\n.align\t4\nLschedule_mangle_dec:\n\t// inverse mix columns\n\t\t\t\t\t\t// lea\t.Lk_dksd(%rip),%r11\n\tushr\tv1.16b, v4.16b, #4\t\t// vpsrlb\t$4,\t%xmm4,\t%xmm1\t# 1 = hi\n\tand\tv4.16b, v4.16b, v17.16b\t\t// vpand\t%xmm9,\t%xmm4,\t%xmm4\t# 4 = lo\n\n\t\t\t\t\t\t// vmovdqa\t0x00(%r11),\t%xmm2\n\ttbl\tv2.16b, {v24.16b}, v4.16b\t// vpshufb\t%xmm4,\t%xmm2,\t%xmm2\n\t\t\t\t\t\t// vmovdqa\t0x10(%r11),\t%xmm3\n\ttbl\tv3.16b,\t{v25.16b}, v1.16b\t// vpshufb\t%xmm1,\t%xmm3,\t%xmm3\n\teor\tv3.16b, v3.16b, v2.16b\t\t// vpxor\t%xmm2,\t%xmm3,\t%xmm3\n\ttbl\tv3.16b, {v3.16b}, v9.16b\t// vpshufb\t%xmm5,\t%xmm3,\t%xmm3\n\n\t\t\t\t\t\t// vmovdqa\t0x20(%r11),\t%xmm2\n\ttbl\tv2.16b, {v26.16b}, v4.16b\t// vpshufb\t%xmm4,\t%xmm2,\t%xmm2\n\teor\tv2.16b, v2.16b, v3.16b\t\t// vpxor\t%xmm3,\t%xmm2,\t%xmm2\n\t\t\t\t\t\t// vmovdqa\t0x30(%r11),\t%xmm3\n\ttbl\tv3.16b, {v27.16b}, v1.16b\t// vpshufb\t%xmm1,\t%xmm3,\t%xmm3\n\teor\tv3.16b, v3.16b, v2.16b\t\t// vpxor\t%xmm2,\t%xmm3,\t%xmm3\n\ttbl\tv3.16b, {v3.16b}, v9.16b\t// vpshufb\t%xmm5,\t%xmm3,\t%xmm3\n\n\t\t\t\t\t\t// vmovdqa\t0x40(%r11),\t%xmm2\n\ttbl\tv2.16b, {v28.16b}, v4.16b\t// vpshufb\t%xmm4,\t%xmm2,\t%xmm2\n\teor\tv2.16b, v2.16b, v3.16b\t\t// vpxor\t%xmm3,\t%xmm2,\t%xmm2\n\t\t\t\t\t\t// vmovdqa\t0x50(%r11),\t%xmm3\n\ttbl\tv3.16b, {v29.16b}, v1.16b\t// vpshufb\t%xmm1,\t%xmm3,\t%xmm3\n\teor\tv3.16b, v3.16b, v2.16b\t\t// vpxor\t%xmm2,\t%xmm3,\t%xmm3\n\n\t\t\t\t\t\t// vmovdqa\t0x60(%r11),\t%xmm2\n\ttbl\tv2.16b, {v30.16b}, v4.16b\t// vpshufb\t%xmm4,\t%xmm2,\t%xmm2\n\ttbl\tv3.16b, {v3.16b}, v9.16b\t// vpshufb\t%xmm5,\t%xmm3,\t%xmm3\n\t\t\t\t\t\t// vmovdqa\t0x70(%r11),\t%xmm4\n\ttbl\tv4.16b, {v31.16b}, v1.16b\t// vpshufb\t%xmm1,\t%xmm4,\t%xmm4\n\tld1\t{v1.2d}, [x8]\t\t\t// vmovdqa\t(%r8,%r10),\t%xmm1\n\teor\tv2.16b, v2.16b, v3.16b\t\t// vpxor\t%xmm3,\t%xmm2,\t%xmm2\n\teor\tv3.16b, v4.16b, v2.16b\t\t// vpxor\t%xmm2,\t%xmm4,\t%xmm3\n\n\tsub\tx2, x2, #16\t\t\t// add\t$-16,\t%rdx\n\nLschedule_mangle_both:\n\ttbl\tv3.16b, {v3.16b}, v1.16b\t// vpshufb\t%xmm1,\t%xmm3,\t%xmm3\n\tadd\tx8, x8, #48\t\t\t// add\t$-16,\t%r8\n\tand\tx8, x8, #~(1<<6)\t\t// and\t$0x30,\t%r8\n\tst1\t{v3.2d}, [x2]\t\t\t// vmovdqu\t%xmm3,\t(%rdx)\n\tret\n\n\n.globl\t_vpaes_set_encrypt_key\n.private_extern\t_vpaes_set_encrypt_key\n\n.align\t4\n_vpaes_set_encrypt_key:\n\tAARCH64_SIGN_LINK_REGISTER\n\tstp\tx29,x30,[sp,#-16]!\n\tadd\tx29,sp,#0\n\tstp\td8,d9,[sp,#-16]!\t// ABI spec says so\n\n\tlsr\tw9, w1, #5\t\t// shr\t$5,%eax\n\tadd\tw9, w9, #5\t\t// $5,%eax\n\tstr\tw9, [x2,#240]\t\t// mov\t%eax,240(%rdx)\t# AES_KEY->rounds = nbits/32+5;\n\n\tmov\tw3, #0\t\t// mov\t$0,%ecx\n\tmov\tx8, #0x30\t\t// mov\t$0x30,%r8d\n\tbl\t_vpaes_schedule_core\n\teor\tx0, x0, x0\n\n\tldp\td8,d9,[sp],#16\n\tldp\tx29,x30,[sp],#16\n\tAARCH64_VALIDATE_LINK_REGISTER\n\tret\n\n\n.globl\t_vpaes_set_decrypt_key\n.private_extern\t_vpaes_set_decrypt_key\n\n.align\t4\n_vpaes_set_decrypt_key:\n\tAARCH64_SIGN_LINK_REGISTER\n\tstp\tx29,x30,[sp,#-16]!\n\tadd\tx29,sp,#0\n\tstp\td8,d9,[sp,#-16]!\t// ABI spec says so\n\n\tlsr\tw9, w1, #5\t\t// shr\t$5,%eax\n\tadd\tw9, w9, #5\t\t// $5,%eax\n\tstr\tw9, [x2,#240]\t\t// mov\t%eax,240(%rdx)\t# AES_KEY->rounds = nbits/32+5;\n\tlsl\tw9, w9, #4\t\t// shl\t$4,%eax\n\tadd\tx2, x2, #16\t\t// lea\t16(%rdx,%rax),%rdx\n\tadd\tx2, x2, x9\n\n\tmov\tw3, #1\t\t// mov\t$1,%ecx\n\tlsr\tw8, w1, #1\t\t// shr\t$1,%r8d\n\tand\tx8, x8, #32\t\t// and\t$32,%r8d\n\teor\tx8, x8, #32\t\t// xor\t$32,%r8d\t# nbits==192?0:32\n\tbl\t_vpaes_schedule_core\n\n\tldp\td8,d9,[sp],#16\n\tldp\tx29,x30,[sp],#16\n\tAARCH64_VALIDATE_LINK_REGISTER\n\tret\n\n.globl\t_vpaes_cbc_encrypt\n.private_extern\t_vpaes_cbc_encrypt\n\n.align\t4\n_vpaes_cbc_encrypt:\n\tAARCH64_SIGN_LINK_REGISTER\n\tcbz\tx2, Lcbc_abort\n\tcmp\tw5, #0\t\t\t// check direction\n\tb.eq\tvpaes_cbc_decrypt\n\n\tstp\tx29,x30,[sp,#-16]!\n\tadd\tx29,sp,#0\n\n\tmov\tx17, x2\t\t// reassign\n\tmov\tx2, x3\t\t// reassign\n\n\tld1\t{v0.16b}, [x4]\t// load ivec\n\tbl\t_vpaes_encrypt_preheat\n\tb\tLcbc_enc_loop\n\n.align\t4\nLcbc_enc_loop:\n\tld1\t{v7.16b}, [x0],#16\t// load input\n\teor\tv7.16b, v7.16b, v0.16b\t// xor with ivec\n\tbl\t_vpaes_encrypt_core\n\tst1\t{v0.16b}, [x1],#16\t// save output\n\tsubs\tx17, x17, #16\n\tb.hi\tLcbc_enc_loop\n\n\tst1\t{v0.16b}, [x4]\t// write ivec\n\n\tldp\tx29,x30,[sp],#16\nLcbc_abort:\n\tAARCH64_VALIDATE_LINK_REGISTER\n\tret\n\n\n\n.align\t4\nvpaes_cbc_decrypt:\n\t// Not adding AARCH64_SIGN_LINK_REGISTER here because vpaes_cbc_decrypt is jumped to\n\t// only from vpaes_cbc_encrypt which has already signed the return address.\n\tstp\tx29,x30,[sp,#-16]!\n\tadd\tx29,sp,#0\n\tstp\td8,d9,[sp,#-16]!\t// ABI spec says so\n\tstp\td10,d11,[sp,#-16]!\n\tstp\td12,d13,[sp,#-16]!\n\tstp\td14,d15,[sp,#-16]!\n\n\tmov\tx17, x2\t\t// reassign\n\tmov\tx2, x3\t\t// reassign\n\tld1\t{v6.16b}, [x4]\t// load ivec\n\tbl\t_vpaes_decrypt_preheat\n\ttst\tx17, #16\n\tb.eq\tLcbc_dec_loop2x\n\n\tld1\t{v7.16b}, [x0], #16\t// load input\n\tbl\t_vpaes_decrypt_core\n\teor\tv0.16b, v0.16b, v6.16b\t// xor with ivec\n\torr\tv6.16b, v7.16b, v7.16b\t// next ivec value\n\tst1\t{v0.16b}, [x1], #16\n\tsubs\tx17, x17, #16\n\tb.ls\tLcbc_dec_done\n\n.align\t4\nLcbc_dec_loop2x:\n\tld1\t{v14.16b,v15.16b}, [x0], #32\n\tbl\t_vpaes_decrypt_2x\n\teor\tv0.16b, v0.16b, v6.16b\t// xor with ivec\n\teor\tv1.16b, v1.16b, v14.16b\n\torr\tv6.16b, v15.16b, v15.16b\n\tst1\t{v0.16b,v1.16b}, [x1], #32\n\tsubs\tx17, x17, #32\n\tb.hi\tLcbc_dec_loop2x\n\nLcbc_dec_done:\n\tst1\t{v6.16b}, [x4]\n\n\tldp\td14,d15,[sp],#16\n\tldp\td12,d13,[sp],#16\n\tldp\td10,d11,[sp],#16\n\tldp\td8,d9,[sp],#16\n\tldp\tx29,x30,[sp],#16\n\tAARCH64_VALIDATE_LINK_REGISTER\n\tret\n\n.globl\t_vpaes_ctr32_encrypt_blocks\n.private_extern\t_vpaes_ctr32_encrypt_blocks\n\n.align\t4\n_vpaes_ctr32_encrypt_blocks:\n\tAARCH64_SIGN_LINK_REGISTER\n\tstp\tx29,x30,[sp,#-16]!\n\tadd\tx29,sp,#0\n\tstp\td8,d9,[sp,#-16]!\t// ABI spec says so\n\tstp\td10,d11,[sp,#-16]!\n\tstp\td12,d13,[sp,#-16]!\n\tstp\td14,d15,[sp,#-16]!\n\n\tcbz\tx2, Lctr32_done\n\n\t// Note, unlike the other functions, x2 here is measured in blocks,\n\t// not bytes.\n\tmov\tx17, x2\n\tmov\tx2, x3\n\n\t// Load the IV and counter portion.\n\tldr\tw6, [x4, #12]\n\tld1\t{v7.16b}, [x4]\n\n\tbl\t_vpaes_encrypt_preheat\n\ttst\tx17, #1\n\trev\tw6, w6\t\t// The counter is big-endian.\n\tb.eq\tLctr32_prep_loop\n\n\t// Handle one block so the remaining block count is even for\n\t// _vpaes_encrypt_2x.\n\tld1\t{v6.16b}, [x0], #16\t// Load input ahead of time\n\tbl\t_vpaes_encrypt_core\n\teor\tv0.16b, v0.16b, v6.16b\t// XOR input and result\n\tst1\t{v0.16b}, [x1], #16\n\tsubs\tx17, x17, #1\n\t// Update the counter.\n\tadd\tw6, w6, #1\n\trev\tw7, w6\n\tmov\tv7.s[3], w7\n\tb.ls\tLctr32_done\n\nLctr32_prep_loop:\n\t// _vpaes_encrypt_core takes its input from v7, while _vpaes_encrypt_2x\n\t// uses v14 and v15.\n\tmov\tv15.16b, v7.16b\n\tmov\tv14.16b, v7.16b\n\tadd\tw6, w6, #1\n\trev\tw7, w6\n\tmov\tv15.s[3], w7\n\nLctr32_loop:\n\tld1\t{v6.16b,v7.16b}, [x0], #32\t// Load input ahead of time\n\tbl\t_vpaes_encrypt_2x\n\teor\tv0.16b, v0.16b, v6.16b\t\t// XOR input and result\n\teor\tv1.16b, v1.16b, v7.16b\t\t// XOR input and result (#2)\n\tst1\t{v0.16b,v1.16b}, [x1], #32\n\tsubs\tx17, x17, #2\n\t// Update the counter.\n\tadd\tw7, w6, #1\n\tadd\tw6, w6, #2\n\trev\tw7, w7\n\tmov\tv14.s[3], w7\n\trev\tw7, w6\n\tmov\tv15.s[3], w7\n\tb.hi\tLctr32_loop\n\nLctr32_done:\n\tldp\td14,d15,[sp],#16\n\tldp\td12,d13,[sp],#16\n\tldp\td10,d11,[sp],#16\n\tldp\td8,d9,[sp],#16\n\tldp\tx29,x30,[sp],#16\n\tAARCH64_VALIDATE_LINK_REGISTER\n\tret\n\n#endif // !OPENSSL_NO_ASM && defined(OPENSSL_AARCH64) && defined(__APPLE__)\n#if defined(__linux__) && defined(__ELF__)\n.section .note.GNU-stack,\"\",%progbits\n#endif\n\n" }, { "path": "Sources/CNIOBoringSSL/gen/bcm/vpaes-armv8-linux.S", "content": "#define BORINGSSL_PREFIX CNIOBoringSSL\n// This file is generated from a similarly-named Perl script in the BoringSSL\n// source tree. Do not edit by hand.\n\n#include \n\n#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_AARCH64) && defined(__ELF__)\n#include \n\n.section\t.rodata\n\n.type\t_vpaes_consts,%object\n.align\t7\t// totally strategic alignment\n_vpaes_consts:\n.Lk_mc_forward:\t//\tmc_forward\n.quad\t0x0407060500030201, 0x0C0F0E0D080B0A09\n.quad\t0x080B0A0904070605, 0x000302010C0F0E0D\n.quad\t0x0C0F0E0D080B0A09, 0x0407060500030201\n.quad\t0x000302010C0F0E0D, 0x080B0A0904070605\n.Lk_mc_backward:\t//\tmc_backward\n.quad\t0x0605040702010003, 0x0E0D0C0F0A09080B\n.quad\t0x020100030E0D0C0F, 0x0A09080B06050407\n.quad\t0x0E0D0C0F0A09080B, 0x0605040702010003\n.quad\t0x0A09080B06050407, 0x020100030E0D0C0F\n.Lk_sr:\t//\tsr\n.quad\t0x0706050403020100, 0x0F0E0D0C0B0A0908\n.quad\t0x030E09040F0A0500, 0x0B06010C07020D08\n.quad\t0x0F060D040B020900, 0x070E050C030A0108\n.quad\t0x0B0E0104070A0D00, 0x0306090C0F020508\n\n//\n// \"Hot\" constants\n//\n.Lk_inv:\t//\tinv, inva\n.quad\t0x0E05060F0D080180, 0x040703090A0B0C02\n.quad\t0x01040A060F0B0780, 0x030D0E0C02050809\n.Lk_ipt:\t//\tinput transform (lo, hi)\n.quad\t0xC2B2E8985A2A7000, 0xCABAE09052227808\n.quad\t0x4C01307D317C4D00, 0xCD80B1FCB0FDCC81\n.Lk_sbo:\t//\tsbou, sbot\n.quad\t0xD0D26D176FBDC700, 0x15AABF7AC502A878\n.quad\t0xCFE474A55FBB6A00, 0x8E1E90D1412B35FA\n.Lk_sb1:\t//\tsb1u, sb1t\n.quad\t0x3618D415FAE22300, 0x3BF7CCC10D2ED9EF\n.quad\t0xB19BE18FCB503E00, 0xA5DF7A6E142AF544\n.Lk_sb2:\t//\tsb2u, sb2t\n.quad\t0x69EB88400AE12900, 0xC2A163C8AB82234A\n.quad\t0xE27A93C60B712400, 0x5EB7E955BC982FCD\n\n//\n// Decryption stuff\n//\n.Lk_dipt:\t//\tdecryption input transform\n.quad\t0x0F505B040B545F00, 0x154A411E114E451A\n.quad\t0x86E383E660056500, 0x12771772F491F194\n.Lk_dsbo:\t//\tdecryption sbox final output\n.quad\t0x1387EA537EF94000, 0xC7AA6DB9D4943E2D\n.quad\t0x12D7560F93441D00, 0xCA4B8159D8C58E9C\n.Lk_dsb9:\t//\tdecryption sbox output *9*u, *9*t\n.quad\t0x851C03539A86D600, 0xCAD51F504F994CC9\n.quad\t0xC03B1789ECD74900, 0x725E2C9EB2FBA565\n.Lk_dsbd:\t//\tdecryption sbox output *D*u, *D*t\n.quad\t0x7D57CCDFE6B1A200, 0xF56E9B13882A4439\n.quad\t0x3CE2FAF724C6CB00, 0x2931180D15DEEFD3\n.Lk_dsbb:\t//\tdecryption sbox output *B*u, *B*t\n.quad\t0xD022649296B44200, 0x602646F6B0F2D404\n.quad\t0xC19498A6CD596700, 0xF3FF0C3E3255AA6B\n.Lk_dsbe:\t//\tdecryption sbox output *E*u, *E*t\n.quad\t0x46F2929626D4D000, 0x2242600464B4F6B0\n.quad\t0x0C55A6CDFFAAC100, 0x9467F36B98593E32\n\n//\n// Key schedule constants\n//\n.Lk_dksd:\t//\tdecryption key schedule: invskew x*D\n.quad\t0xFEB91A5DA3E44700, 0x0740E3A45A1DBEF9\n.quad\t0x41C277F4B5368300, 0x5FDC69EAAB289D1E\n.Lk_dksb:\t//\tdecryption key schedule: invskew x*B\n.quad\t0x9A4FCA1F8550D500, 0x03D653861CC94C99\n.quad\t0x115BEDA7B6FC4A00, 0xD993256F7E3482C8\n.Lk_dkse:\t//\tdecryption key schedule: invskew x*E + 0x63\n.quad\t0xD5031CCA1FC9D600, 0x53859A4C994F5086\n.quad\t0xA23196054FDC7BE8, 0xCD5EF96A20B31487\n.Lk_dks9:\t//\tdecryption key schedule: invskew x*9\n.quad\t0xB6116FC87ED9A700, 0x4AED933482255BFC\n.quad\t0x4576516227143300, 0x8BB89FACE9DAFDCE\n\n.Lk_rcon:\t//\trcon\n.quad\t0x1F8391B9AF9DEEB6, 0x702A98084D7C7D81\n\n.Lk_opt:\t//\toutput transform\n.quad\t0xFF9F4929D6B66000, 0xF7974121DEBE6808\n.quad\t0x01EDBD5150BCEC00, 0xE10D5DB1B05C0CE0\n.Lk_deskew:\t//\tdeskew tables: inverts the sbox's \"skew\"\n.quad\t0x07E4A34047A4E300, 0x1DFEB95A5DBEF91A\n.quad\t0x5F36B5DC83EA6900, 0x2841C2ABF49D1E77\n\n.byte\t86,101,99,116,111,114,32,80,101,114,109,117,116,97,116,105,111,110,32,65,69,83,32,102,111,114,32,65,82,77,118,56,44,32,77,105,107,101,32,72,97,109,98,117,114,103,32,40,83,116,97,110,102,111,114,100,32,85,110,105,118,101,114,115,105,116,121,41,0\n.align\t2\n.size\t_vpaes_consts,.-_vpaes_consts\n.align\t6\n\n.text\n##\n## _aes_preheat\n##\n## Fills register %r10 -> .aes_consts (so you can -fPIC)\n## and %xmm9-%xmm15 as specified below.\n##\n.type\t_vpaes_encrypt_preheat,%function\n.align\t4\n_vpaes_encrypt_preheat:\n\tadrp\tx10, .Lk_inv\n\tadd\tx10, x10, :lo12:.Lk_inv\n\tmovi\tv17.16b, #0x0f\n\tld1\t{v18.2d,v19.2d}, [x10],#32\t// .Lk_inv\n\tld1\t{v20.2d,v21.2d,v22.2d,v23.2d}, [x10],#64\t// .Lk_ipt, .Lk_sbo\n\tld1\t{v24.2d,v25.2d,v26.2d,v27.2d}, [x10]\t\t// .Lk_sb1, .Lk_sb2\n\tret\n.size\t_vpaes_encrypt_preheat,.-_vpaes_encrypt_preheat\n\n##\n## _aes_encrypt_core\n##\n## AES-encrypt %xmm0.\n##\n## Inputs:\n## %xmm0 = input\n## %xmm9-%xmm15 as in _vpaes_preheat\n## (%rdx) = scheduled keys\n##\n## Output in %xmm0\n## Clobbers %xmm1-%xmm5, %r9, %r10, %r11, %rax\n## Preserves %xmm6 - %xmm8 so you get some local vectors\n##\n##\n.type\t_vpaes_encrypt_core,%function\n.align\t4\n_vpaes_encrypt_core:\n\tmov\tx9, x2\n\tldr\tw8, [x2,#240]\t\t\t// pull rounds\n\tadrp\tx11, .Lk_mc_forward+16\n\tadd\tx11, x11, :lo12:.Lk_mc_forward+16\n\t\t\t\t\t\t// vmovdqa\t.Lk_ipt(%rip),\t%xmm2\t# iptlo\n\tld1\t{v16.2d}, [x9], #16\t\t// vmovdqu\t(%r9),\t%xmm5\t\t# round0 key\n\tand\tv1.16b, v7.16b, v17.16b\t\t// vpand\t%xmm9,\t%xmm0,\t%xmm1\n\tushr\tv0.16b, v7.16b, #4\t\t// vpsrlb\t$4,\t%xmm0,\t%xmm0\n\ttbl\tv1.16b, {v20.16b}, v1.16b\t// vpshufb\t%xmm1,\t%xmm2,\t%xmm1\n\t\t\t\t\t\t// vmovdqa\t.Lk_ipt+16(%rip), %xmm3\t# ipthi\n\ttbl\tv2.16b, {v21.16b}, v0.16b\t// vpshufb\t%xmm0,\t%xmm3,\t%xmm2\n\teor\tv0.16b, v1.16b, v16.16b\t\t// vpxor\t%xmm5,\t%xmm1,\t%xmm0\n\teor\tv0.16b, v0.16b, v2.16b\t\t// vpxor\t%xmm2,\t%xmm0,\t%xmm0\n\tb\t.Lenc_entry\n\n.align\t4\n.Lenc_loop:\n\t// middle of middle round\n\tadd\tx10, x11, #0x40\n\ttbl\tv4.16b, {v25.16b}, v2.16b\t\t// vpshufb\t%xmm2,\t%xmm13,\t%xmm4\t# 4 = sb1u\n\tld1\t{v1.2d}, [x11], #16\t\t// vmovdqa\t-0x40(%r11,%r10), %xmm1\t# .Lk_mc_forward[]\n\ttbl\tv0.16b, {v24.16b}, v3.16b\t\t// vpshufb\t%xmm3,\t%xmm12,\t%xmm0\t# 0 = sb1t\n\teor\tv4.16b, v4.16b, v16.16b\t\t// vpxor\t%xmm5,\t%xmm4,\t%xmm4\t# 4 = sb1u + k\n\ttbl\tv5.16b,\t{v27.16b}, v2.16b\t\t// vpshufb\t%xmm2,\t%xmm15,\t%xmm5\t# 4 = sb2u\n\teor\tv0.16b, v0.16b, v4.16b\t\t// vpxor\t%xmm4,\t%xmm0,\t%xmm0\t# 0 = A\n\ttbl\tv2.16b, {v26.16b}, v3.16b\t\t// vpshufb\t%xmm3,\t%xmm14,\t%xmm2\t# 2 = sb2t\n\tld1\t{v4.2d}, [x10]\t\t\t// vmovdqa\t(%r11,%r10), %xmm4\t# .Lk_mc_backward[]\n\ttbl\tv3.16b, {v0.16b}, v1.16b\t// vpshufb\t%xmm1,\t%xmm0,\t%xmm3\t# 0 = B\n\teor\tv2.16b, v2.16b, v5.16b\t\t// vpxor\t%xmm5,\t%xmm2,\t%xmm2\t# 2 = 2A\n\ttbl\tv0.16b, {v0.16b}, v4.16b\t// vpshufb\t%xmm4,\t%xmm0,\t%xmm0\t# 3 = D\n\teor\tv3.16b, v3.16b, v2.16b\t\t// vpxor\t%xmm2,\t%xmm3,\t%xmm3\t# 0 = 2A+B\n\ttbl\tv4.16b, {v3.16b}, v1.16b\t// vpshufb\t%xmm1,\t%xmm3,\t%xmm4\t# 0 = 2B+C\n\teor\tv0.16b, v0.16b, v3.16b\t\t// vpxor\t%xmm3,\t%xmm0,\t%xmm0\t# 3 = 2A+B+D\n\tand\tx11, x11, #~(1<<6)\t\t// and\t\t$0x30,\t%r11\t\t# ... mod 4\n\teor\tv0.16b, v0.16b, v4.16b\t\t// vpxor\t%xmm4,\t%xmm0, %xmm0\t# 0 = 2A+3B+C+D\n\tsub\tw8, w8, #1\t\t\t// nr--\n\n.Lenc_entry:\n\t// top of round\n\tand\tv1.16b, v0.16b, v17.16b\t\t// vpand\t%xmm0,\t%xmm9,\t%xmm1 # 0 = k\n\tushr\tv0.16b, v0.16b, #4\t\t// vpsrlb\t$4,\t%xmm0,\t%xmm0\t# 1 = i\n\ttbl\tv5.16b, {v19.16b}, v1.16b\t// vpshufb\t%xmm1,\t%xmm11,\t%xmm5\t# 2 = a/k\n\teor\tv1.16b, v1.16b, v0.16b\t\t// vpxor\t%xmm0,\t%xmm1,\t%xmm1\t# 0 = j\n\ttbl\tv3.16b, {v18.16b}, v0.16b\t// vpshufb\t%xmm0, \t%xmm10,\t%xmm3 \t# 3 = 1/i\n\ttbl\tv4.16b, {v18.16b}, v1.16b\t// vpshufb\t%xmm1, \t%xmm10,\t%xmm4 \t# 4 = 1/j\n\teor\tv3.16b, v3.16b, v5.16b\t\t// vpxor\t%xmm5,\t%xmm3,\t%xmm3\t# 3 = iak = 1/i + a/k\n\teor\tv4.16b, v4.16b, v5.16b\t\t// vpxor\t%xmm5,\t%xmm4,\t%xmm4 \t# 4 = jak = 1/j + a/k\n\ttbl\tv2.16b, {v18.16b}, v3.16b\t// vpshufb\t%xmm3,\t%xmm10,\t%xmm2 \t# 2 = 1/iak\n\ttbl\tv3.16b, {v18.16b}, v4.16b\t// vpshufb\t%xmm4,\t%xmm10,\t%xmm3\t# 3 = 1/jak\n\teor\tv2.16b, v2.16b, v1.16b\t\t// vpxor\t%xmm1,\t%xmm2,\t%xmm2 \t# 2 = io\n\teor\tv3.16b, v3.16b, v0.16b\t\t// vpxor\t%xmm0,\t%xmm3,\t%xmm3\t# 3 = jo\n\tld1\t{v16.2d}, [x9],#16\t\t// vmovdqu\t(%r9),\t%xmm5\n\tcbnz\tw8, .Lenc_loop\n\n\t// middle of last round\n\tadd\tx10, x11, #0x80\n\t\t\t\t\t\t// vmovdqa\t-0x60(%r10), %xmm4\t# 3 : sbou\t.Lk_sbo\n\t\t\t\t\t\t// vmovdqa\t-0x50(%r10), %xmm0\t# 0 : sbot\t.Lk_sbo+16\n\ttbl\tv4.16b, {v22.16b}, v2.16b\t\t// vpshufb\t%xmm2,\t%xmm4,\t%xmm4\t# 4 = sbou\n\tld1\t{v1.2d}, [x10]\t\t\t// vmovdqa\t0x40(%r11,%r10), %xmm1\t# .Lk_sr[]\n\ttbl\tv0.16b, {v23.16b}, v3.16b\t\t// vpshufb\t%xmm3,\t%xmm0,\t%xmm0\t# 0 = sb1t\n\teor\tv4.16b, v4.16b, v16.16b\t\t// vpxor\t%xmm5,\t%xmm4,\t%xmm4\t# 4 = sb1u + k\n\teor\tv0.16b, v0.16b, v4.16b\t\t// vpxor\t%xmm4,\t%xmm0,\t%xmm0\t# 0 = A\n\ttbl\tv0.16b, {v0.16b}, v1.16b\t// vpshufb\t%xmm1,\t%xmm0,\t%xmm0\n\tret\n.size\t_vpaes_encrypt_core,.-_vpaes_encrypt_core\n\n.globl\tvpaes_encrypt\n.hidden\tvpaes_encrypt\n.type\tvpaes_encrypt,%function\n.align\t4\nvpaes_encrypt:\n\tAARCH64_SIGN_LINK_REGISTER\n\tstp\tx29,x30,[sp,#-16]!\n\tadd\tx29,sp,#0\n\n\tld1\t{v7.16b}, [x0]\n\tbl\t_vpaes_encrypt_preheat\n\tbl\t_vpaes_encrypt_core\n\tst1\t{v0.16b}, [x1]\n\n\tldp\tx29,x30,[sp],#16\n\tAARCH64_VALIDATE_LINK_REGISTER\n\tret\n.size\tvpaes_encrypt,.-vpaes_encrypt\n\n.type\t_vpaes_encrypt_2x,%function\n.align\t4\n_vpaes_encrypt_2x:\n\tmov\tx9, x2\n\tldr\tw8, [x2,#240]\t\t\t// pull rounds\n\tadrp\tx11, .Lk_mc_forward+16\n\tadd\tx11, x11, :lo12:.Lk_mc_forward+16\n\t\t\t\t\t\t// vmovdqa\t.Lk_ipt(%rip),\t%xmm2\t# iptlo\n\tld1\t{v16.2d}, [x9], #16\t\t// vmovdqu\t(%r9),\t%xmm5\t\t# round0 key\n\tand\tv1.16b, v14.16b, v17.16b\t// vpand\t%xmm9,\t%xmm0,\t%xmm1\n\tushr\tv0.16b, v14.16b, #4\t\t// vpsrlb\t$4,\t%xmm0,\t%xmm0\n\tand\tv9.16b, v15.16b, v17.16b\n\tushr\tv8.16b, v15.16b, #4\n\ttbl\tv1.16b, {v20.16b}, v1.16b\t// vpshufb\t%xmm1,\t%xmm2,\t%xmm1\n\ttbl\tv9.16b, {v20.16b}, v9.16b\n\t\t\t\t\t\t// vmovdqa\t.Lk_ipt+16(%rip), %xmm3\t# ipthi\n\ttbl\tv2.16b, {v21.16b}, v0.16b\t// vpshufb\t%xmm0,\t%xmm3,\t%xmm2\n\ttbl\tv10.16b, {v21.16b}, v8.16b\n\teor\tv0.16b, v1.16b, v16.16b\t// vpxor\t%xmm5,\t%xmm1,\t%xmm0\n\teor\tv8.16b, v9.16b, v16.16b\n\teor\tv0.16b, v0.16b, v2.16b\t// vpxor\t%xmm2,\t%xmm0,\t%xmm0\n\teor\tv8.16b, v8.16b, v10.16b\n\tb\t.Lenc_2x_entry\n\n.align\t4\n.Lenc_2x_loop:\n\t// middle of middle round\n\tadd\tx10, x11, #0x40\n\ttbl\tv4.16b, {v25.16b}, v2.16b\t// vpshufb\t%xmm2,\t%xmm13,\t%xmm4\t# 4 = sb1u\n\ttbl\tv12.16b, {v25.16b}, v10.16b\n\tld1\t{v1.2d}, [x11], #16\t\t// vmovdqa\t-0x40(%r11,%r10), %xmm1\t# .Lk_mc_forward[]\n\ttbl\tv0.16b, {v24.16b}, v3.16b\t// vpshufb\t%xmm3,\t%xmm12,\t%xmm0\t# 0 = sb1t\n\ttbl\tv8.16b, {v24.16b}, v11.16b\n\teor\tv4.16b, v4.16b, v16.16b\t// vpxor\t%xmm5,\t%xmm4,\t%xmm4\t# 4 = sb1u + k\n\teor\tv12.16b, v12.16b, v16.16b\n\ttbl\tv5.16b,\t {v27.16b}, v2.16b\t// vpshufb\t%xmm2,\t%xmm15,\t%xmm5\t# 4 = sb2u\n\ttbl\tv13.16b, {v27.16b}, v10.16b\n\teor\tv0.16b, v0.16b, v4.16b\t// vpxor\t%xmm4,\t%xmm0,\t%xmm0\t# 0 = A\n\teor\tv8.16b, v8.16b, v12.16b\n\ttbl\tv2.16b, {v26.16b}, v3.16b\t// vpshufb\t%xmm3,\t%xmm14,\t%xmm2\t# 2 = sb2t\n\ttbl\tv10.16b, {v26.16b}, v11.16b\n\tld1\t{v4.2d}, [x10]\t\t\t// vmovdqa\t(%r11,%r10), %xmm4\t# .Lk_mc_backward[]\n\ttbl\tv3.16b, {v0.16b}, v1.16b\t// vpshufb\t%xmm1,\t%xmm0,\t%xmm3\t# 0 = B\n\ttbl\tv11.16b, {v8.16b}, v1.16b\n\teor\tv2.16b, v2.16b, v5.16b\t// vpxor\t%xmm5,\t%xmm2,\t%xmm2\t# 2 = 2A\n\teor\tv10.16b, v10.16b, v13.16b\n\ttbl\tv0.16b, {v0.16b}, v4.16b\t// vpshufb\t%xmm4,\t%xmm0,\t%xmm0\t# 3 = D\n\ttbl\tv8.16b, {v8.16b}, v4.16b\n\teor\tv3.16b, v3.16b, v2.16b\t// vpxor\t%xmm2,\t%xmm3,\t%xmm3\t# 0 = 2A+B\n\teor\tv11.16b, v11.16b, v10.16b\n\ttbl\tv4.16b, {v3.16b}, v1.16b\t// vpshufb\t%xmm1,\t%xmm3,\t%xmm4\t# 0 = 2B+C\n\ttbl\tv12.16b, {v11.16b},v1.16b\n\teor\tv0.16b, v0.16b, v3.16b\t// vpxor\t%xmm3,\t%xmm0,\t%xmm0\t# 3 = 2A+B+D\n\teor\tv8.16b, v8.16b, v11.16b\n\tand\tx11, x11, #~(1<<6)\t\t// and\t\t$0x30,\t%r11\t\t# ... mod 4\n\teor\tv0.16b, v0.16b, v4.16b\t// vpxor\t%xmm4,\t%xmm0, %xmm0\t# 0 = 2A+3B+C+D\n\teor\tv8.16b, v8.16b, v12.16b\n\tsub\tw8, w8, #1\t\t\t// nr--\n\n.Lenc_2x_entry:\n\t// top of round\n\tand\tv1.16b, v0.16b, v17.16b\t// vpand\t%xmm0,\t%xmm9,\t%xmm1 # 0 = k\n\tushr\tv0.16b, v0.16b, #4\t\t// vpsrlb\t$4,\t%xmm0,\t%xmm0\t# 1 = i\n\tand\tv9.16b, v8.16b, v17.16b\n\tushr\tv8.16b, v8.16b, #4\n\ttbl\tv5.16b, {v19.16b},v1.16b\t// vpshufb\t%xmm1,\t%xmm11,\t%xmm5\t# 2 = a/k\n\ttbl\tv13.16b, {v19.16b},v9.16b\n\teor\tv1.16b, v1.16b, v0.16b\t// vpxor\t%xmm0,\t%xmm1,\t%xmm1\t# 0 = j\n\teor\tv9.16b, v9.16b, v8.16b\n\ttbl\tv3.16b, {v18.16b},v0.16b\t// vpshufb\t%xmm0, \t%xmm10,\t%xmm3 \t# 3 = 1/i\n\ttbl\tv11.16b, {v18.16b},v8.16b\n\ttbl\tv4.16b, {v18.16b},v1.16b\t// vpshufb\t%xmm1, \t%xmm10,\t%xmm4 \t# 4 = 1/j\n\ttbl\tv12.16b, {v18.16b},v9.16b\n\teor\tv3.16b, v3.16b, v5.16b\t// vpxor\t%xmm5,\t%xmm3,\t%xmm3\t# 3 = iak = 1/i + a/k\n\teor\tv11.16b, v11.16b, v13.16b\n\teor\tv4.16b, v4.16b, v5.16b\t// vpxor\t%xmm5,\t%xmm4,\t%xmm4 \t# 4 = jak = 1/j + a/k\n\teor\tv12.16b, v12.16b, v13.16b\n\ttbl\tv2.16b, {v18.16b},v3.16b\t// vpshufb\t%xmm3,\t%xmm10,\t%xmm2 \t# 2 = 1/iak\n\ttbl\tv10.16b, {v18.16b},v11.16b\n\ttbl\tv3.16b, {v18.16b},v4.16b\t// vpshufb\t%xmm4,\t%xmm10,\t%xmm3\t# 3 = 1/jak\n\ttbl\tv11.16b, {v18.16b},v12.16b\n\teor\tv2.16b, v2.16b, v1.16b\t// vpxor\t%xmm1,\t%xmm2,\t%xmm2 \t# 2 = io\n\teor\tv10.16b, v10.16b, v9.16b\n\teor\tv3.16b, v3.16b, v0.16b\t// vpxor\t%xmm0,\t%xmm3,\t%xmm3\t# 3 = jo\n\teor\tv11.16b, v11.16b, v8.16b\n\tld1\t{v16.2d}, [x9],#16\t\t// vmovdqu\t(%r9),\t%xmm5\n\tcbnz\tw8, .Lenc_2x_loop\n\n\t// middle of last round\n\tadd\tx10, x11, #0x80\n\t\t\t\t\t\t// vmovdqa\t-0x60(%r10), %xmm4\t# 3 : sbou\t.Lk_sbo\n\t\t\t\t\t\t// vmovdqa\t-0x50(%r10), %xmm0\t# 0 : sbot\t.Lk_sbo+16\n\ttbl\tv4.16b, {v22.16b}, v2.16b\t// vpshufb\t%xmm2,\t%xmm4,\t%xmm4\t# 4 = sbou\n\ttbl\tv12.16b, {v22.16b}, v10.16b\n\tld1\t{v1.2d}, [x10]\t\t\t// vmovdqa\t0x40(%r11,%r10), %xmm1\t# .Lk_sr[]\n\ttbl\tv0.16b, {v23.16b}, v3.16b\t// vpshufb\t%xmm3,\t%xmm0,\t%xmm0\t# 0 = sb1t\n\ttbl\tv8.16b, {v23.16b}, v11.16b\n\teor\tv4.16b, v4.16b, v16.16b\t// vpxor\t%xmm5,\t%xmm4,\t%xmm4\t# 4 = sb1u + k\n\teor\tv12.16b, v12.16b, v16.16b\n\teor\tv0.16b, v0.16b, v4.16b\t// vpxor\t%xmm4,\t%xmm0,\t%xmm0\t# 0 = A\n\teor\tv8.16b, v8.16b, v12.16b\n\ttbl\tv0.16b, {v0.16b},v1.16b\t// vpshufb\t%xmm1,\t%xmm0,\t%xmm0\n\ttbl\tv1.16b, {v8.16b},v1.16b\n\tret\n.size\t_vpaes_encrypt_2x,.-_vpaes_encrypt_2x\n\n.type\t_vpaes_decrypt_preheat,%function\n.align\t4\n_vpaes_decrypt_preheat:\n\tadrp\tx10, .Lk_inv\n\tadd\tx10, x10, :lo12:.Lk_inv\n\tmovi\tv17.16b, #0x0f\n\tadrp\tx11, .Lk_dipt\n\tadd\tx11, x11, :lo12:.Lk_dipt\n\tld1\t{v18.2d,v19.2d}, [x10],#32\t// .Lk_inv\n\tld1\t{v20.2d,v21.2d,v22.2d,v23.2d}, [x11],#64\t// .Lk_dipt, .Lk_dsbo\n\tld1\t{v24.2d,v25.2d,v26.2d,v27.2d}, [x11],#64\t// .Lk_dsb9, .Lk_dsbd\n\tld1\t{v28.2d,v29.2d,v30.2d,v31.2d}, [x11]\t\t// .Lk_dsbb, .Lk_dsbe\n\tret\n.size\t_vpaes_decrypt_preheat,.-_vpaes_decrypt_preheat\n\n##\n## Decryption core\n##\n## Same API as encryption core.\n##\n.type\t_vpaes_decrypt_core,%function\n.align\t4\n_vpaes_decrypt_core:\n\tmov\tx9, x2\n\tldr\tw8, [x2,#240]\t\t\t// pull rounds\n\n\t\t\t\t\t\t// vmovdqa\t.Lk_dipt(%rip), %xmm2\t# iptlo\n\tlsl\tx11, x8, #4\t\t\t// mov\t%rax,\t%r11;\tshl\t$4, %r11\n\teor\tx11, x11, #0x30\t\t\t// xor\t\t$0x30,\t%r11\n\tadrp\tx10, .Lk_sr\n\tadd\tx10, x10, :lo12:.Lk_sr\n\tand\tx11, x11, #0x30\t\t\t// and\t\t$0x30,\t%r11\n\tadd\tx11, x11, x10\n\tadrp\tx10, .Lk_mc_forward+48\n\tadd\tx10, x10, :lo12:.Lk_mc_forward+48\n\n\tld1\t{v16.2d}, [x9],#16\t\t// vmovdqu\t(%r9),\t%xmm4\t\t# round0 key\n\tand\tv1.16b, v7.16b, v17.16b\t\t// vpand\t%xmm9,\t%xmm0,\t%xmm1\n\tushr\tv0.16b, v7.16b, #4\t\t// vpsrlb\t$4,\t%xmm0,\t%xmm0\n\ttbl\tv2.16b, {v20.16b}, v1.16b\t// vpshufb\t%xmm1,\t%xmm2,\t%xmm2\n\tld1\t{v5.2d}, [x10]\t\t\t// vmovdqa\t.Lk_mc_forward+48(%rip), %xmm5\n\t\t\t\t\t\t// vmovdqa\t.Lk_dipt+16(%rip), %xmm1 # ipthi\n\ttbl\tv0.16b, {v21.16b}, v0.16b\t// vpshufb\t%xmm0,\t%xmm1,\t%xmm0\n\teor\tv2.16b, v2.16b, v16.16b\t\t// vpxor\t%xmm4,\t%xmm2,\t%xmm2\n\teor\tv0.16b, v0.16b, v2.16b\t\t// vpxor\t%xmm2,\t%xmm0,\t%xmm0\n\tb\t.Ldec_entry\n\n.align\t4\n.Ldec_loop:\n//\n// Inverse mix columns\n//\n\t\t\t\t\t\t// vmovdqa\t-0x20(%r10),%xmm4\t\t# 4 : sb9u\n\t\t\t\t\t\t// vmovdqa\t-0x10(%r10),%xmm1\t\t# 0 : sb9t\n\ttbl\tv4.16b, {v24.16b}, v2.16b\t\t// vpshufb\t%xmm2,\t%xmm4,\t%xmm4\t\t# 4 = sb9u\n\ttbl\tv1.16b, {v25.16b}, v3.16b\t\t// vpshufb\t%xmm3,\t%xmm1,\t%xmm1\t\t# 0 = sb9t\n\teor\tv0.16b, v4.16b, v16.16b\t\t// vpxor\t%xmm4,\t%xmm0,\t%xmm0\n\t\t\t\t\t\t// vmovdqa\t0x00(%r10),%xmm4\t\t# 4 : sbdu\n\teor\tv0.16b, v0.16b, v1.16b\t\t// vpxor\t%xmm1,\t%xmm0,\t%xmm0\t\t# 0 = ch\n\t\t\t\t\t\t// vmovdqa\t0x10(%r10),%xmm1\t\t# 0 : sbdt\n\n\ttbl\tv4.16b, {v26.16b}, v2.16b\t\t// vpshufb\t%xmm2,\t%xmm4,\t%xmm4\t\t# 4 = sbdu\n\ttbl\tv0.16b, {v0.16b}, v5.16b\t// vpshufb\t%xmm5,\t%xmm0,\t%xmm0\t\t# MC ch\n\ttbl\tv1.16b, {v27.16b}, v3.16b\t\t// vpshufb\t%xmm3,\t%xmm1,\t%xmm1\t\t# 0 = sbdt\n\teor\tv0.16b, v0.16b, v4.16b\t\t// vpxor\t%xmm4,\t%xmm0,\t%xmm0\t\t# 4 = ch\n\t\t\t\t\t\t// vmovdqa\t0x20(%r10),\t%xmm4\t\t# 4 : sbbu\n\teor\tv0.16b, v0.16b, v1.16b\t\t// vpxor\t%xmm1,\t%xmm0,\t%xmm0\t\t# 0 = ch\n\t\t\t\t\t\t// vmovdqa\t0x30(%r10),\t%xmm1\t\t# 0 : sbbt\n\n\ttbl\tv4.16b, {v28.16b}, v2.16b\t\t// vpshufb\t%xmm2,\t%xmm4,\t%xmm4\t\t# 4 = sbbu\n\ttbl\tv0.16b, {v0.16b}, v5.16b\t// vpshufb\t%xmm5,\t%xmm0,\t%xmm0\t\t# MC ch\n\ttbl\tv1.16b, {v29.16b}, v3.16b\t\t// vpshufb\t%xmm3,\t%xmm1,\t%xmm1\t\t# 0 = sbbt\n\teor\tv0.16b, v0.16b, v4.16b\t\t// vpxor\t%xmm4,\t%xmm0,\t%xmm0\t\t# 4 = ch\n\t\t\t\t\t\t// vmovdqa\t0x40(%r10),\t%xmm4\t\t# 4 : sbeu\n\teor\tv0.16b, v0.16b, v1.16b\t\t// vpxor\t%xmm1,\t%xmm0,\t%xmm0\t\t# 0 = ch\n\t\t\t\t\t\t// vmovdqa\t0x50(%r10),\t%xmm1\t\t# 0 : sbet\n\n\ttbl\tv4.16b, {v30.16b}, v2.16b\t\t// vpshufb\t%xmm2,\t%xmm4,\t%xmm4\t\t# 4 = sbeu\n\ttbl\tv0.16b, {v0.16b}, v5.16b\t// vpshufb\t%xmm5,\t%xmm0,\t%xmm0\t\t# MC ch\n\ttbl\tv1.16b, {v31.16b}, v3.16b\t\t// vpshufb\t%xmm3,\t%xmm1,\t%xmm1\t\t# 0 = sbet\n\teor\tv0.16b, v0.16b, v4.16b\t\t// vpxor\t%xmm4,\t%xmm0,\t%xmm0\t\t# 4 = ch\n\text\tv5.16b, v5.16b, v5.16b, #12\t// vpalignr $12,\t%xmm5,\t%xmm5,\t%xmm5\n\teor\tv0.16b, v0.16b, v1.16b\t\t// vpxor\t%xmm1,\t%xmm0,\t%xmm0\t\t# 0 = ch\n\tsub\tw8, w8, #1\t\t\t// sub\t\t$1,%rax\t\t\t# nr--\n\n.Ldec_entry:\n\t// top of round\n\tand\tv1.16b, v0.16b, v17.16b\t\t// vpand\t%xmm9,\t%xmm0,\t%xmm1\t# 0 = k\n\tushr\tv0.16b, v0.16b, #4\t\t// vpsrlb\t$4,\t%xmm0,\t%xmm0\t# 1 = i\n\ttbl\tv2.16b, {v19.16b}, v1.16b\t// vpshufb\t%xmm1,\t%xmm11,\t%xmm2\t# 2 = a/k\n\teor\tv1.16b,\tv1.16b, v0.16b\t\t// vpxor\t%xmm0,\t%xmm1,\t%xmm1\t# 0 = j\n\ttbl\tv3.16b, {v18.16b}, v0.16b\t// vpshufb\t%xmm0, \t%xmm10,\t%xmm3\t# 3 = 1/i\n\ttbl\tv4.16b, {v18.16b}, v1.16b\t// vpshufb\t%xmm1,\t%xmm10,\t%xmm4\t# 4 = 1/j\n\teor\tv3.16b, v3.16b, v2.16b\t\t// vpxor\t%xmm2,\t%xmm3,\t%xmm3\t# 3 = iak = 1/i + a/k\n\teor\tv4.16b, v4.16b, v2.16b\t\t// vpxor\t%xmm2, \t%xmm4,\t%xmm4\t# 4 = jak = 1/j + a/k\n\ttbl\tv2.16b, {v18.16b}, v3.16b\t// vpshufb\t%xmm3,\t%xmm10,\t%xmm2\t# 2 = 1/iak\n\ttbl\tv3.16b, {v18.16b}, v4.16b\t// vpshufb\t%xmm4, %xmm10,\t%xmm3\t# 3 = 1/jak\n\teor\tv2.16b, v2.16b, v1.16b\t\t// vpxor\t%xmm1,\t%xmm2,\t%xmm2\t# 2 = io\n\teor\tv3.16b, v3.16b, v0.16b\t\t// vpxor\t%xmm0, %xmm3,\t%xmm3\t# 3 = jo\n\tld1\t{v16.2d}, [x9],#16\t\t// vmovdqu\t(%r9),\t%xmm0\n\tcbnz\tw8, .Ldec_loop\n\n\t// middle of last round\n\t\t\t\t\t\t// vmovdqa\t0x60(%r10),\t%xmm4\t# 3 : sbou\n\ttbl\tv4.16b, {v22.16b}, v2.16b\t\t// vpshufb\t%xmm2,\t%xmm4,\t%xmm4\t# 4 = sbou\n\t\t\t\t\t\t// vmovdqa\t0x70(%r10),\t%xmm1\t# 0 : sbot\n\tld1\t{v2.2d}, [x11]\t\t\t// vmovdqa\t-0x160(%r11),\t%xmm2\t# .Lk_sr-.Lk_dsbd=-0x160\n\ttbl\tv1.16b, {v23.16b}, v3.16b\t\t// vpshufb\t%xmm3,\t%xmm1,\t%xmm1\t# 0 = sb1t\n\teor\tv4.16b, v4.16b, v16.16b\t\t// vpxor\t%xmm0,\t%xmm4,\t%xmm4\t# 4 = sb1u + k\n\teor\tv0.16b, v1.16b, v4.16b\t\t// vpxor\t%xmm4,\t%xmm1,\t%xmm0\t# 0 = A\n\ttbl\tv0.16b, {v0.16b}, v2.16b\t// vpshufb\t%xmm2,\t%xmm0,\t%xmm0\n\tret\n.size\t_vpaes_decrypt_core,.-_vpaes_decrypt_core\n\n.globl\tvpaes_decrypt\n.hidden\tvpaes_decrypt\n.type\tvpaes_decrypt,%function\n.align\t4\nvpaes_decrypt:\n\tAARCH64_SIGN_LINK_REGISTER\n\tstp\tx29,x30,[sp,#-16]!\n\tadd\tx29,sp,#0\n\n\tld1\t{v7.16b}, [x0]\n\tbl\t_vpaes_decrypt_preheat\n\tbl\t_vpaes_decrypt_core\n\tst1\t{v0.16b}, [x1]\n\n\tldp\tx29,x30,[sp],#16\n\tAARCH64_VALIDATE_LINK_REGISTER\n\tret\n.size\tvpaes_decrypt,.-vpaes_decrypt\n\n// v14-v15 input, v0-v1 output\n.type\t_vpaes_decrypt_2x,%function\n.align\t4\n_vpaes_decrypt_2x:\n\tmov\tx9, x2\n\tldr\tw8, [x2,#240]\t\t\t// pull rounds\n\n\t\t\t\t\t\t// vmovdqa\t.Lk_dipt(%rip), %xmm2\t# iptlo\n\tlsl\tx11, x8, #4\t\t\t// mov\t%rax,\t%r11;\tshl\t$4, %r11\n\teor\tx11, x11, #0x30\t\t\t// xor\t\t$0x30,\t%r11\n\tadrp\tx10, .Lk_sr\n\tadd\tx10, x10, :lo12:.Lk_sr\n\tand\tx11, x11, #0x30\t\t\t// and\t\t$0x30,\t%r11\n\tadd\tx11, x11, x10\n\tadrp\tx10, .Lk_mc_forward+48\n\tadd\tx10, x10, :lo12:.Lk_mc_forward+48\n\n\tld1\t{v16.2d}, [x9],#16\t\t// vmovdqu\t(%r9),\t%xmm4\t\t# round0 key\n\tand\tv1.16b, v14.16b, v17.16b\t// vpand\t%xmm9,\t%xmm0,\t%xmm1\n\tushr\tv0.16b, v14.16b, #4\t\t// vpsrlb\t$4,\t%xmm0,\t%xmm0\n\tand\tv9.16b, v15.16b, v17.16b\n\tushr\tv8.16b, v15.16b, #4\n\ttbl\tv2.16b, {v20.16b},v1.16b\t// vpshufb\t%xmm1,\t%xmm2,\t%xmm2\n\ttbl\tv10.16b, {v20.16b},v9.16b\n\tld1\t{v5.2d}, [x10]\t\t\t// vmovdqa\t.Lk_mc_forward+48(%rip), %xmm5\n\t\t\t\t\t\t// vmovdqa\t.Lk_dipt+16(%rip), %xmm1 # ipthi\n\ttbl\tv0.16b, {v21.16b},v0.16b\t// vpshufb\t%xmm0,\t%xmm1,\t%xmm0\n\ttbl\tv8.16b, {v21.16b},v8.16b\n\teor\tv2.16b, v2.16b, v16.16b\t// vpxor\t%xmm4,\t%xmm2,\t%xmm2\n\teor\tv10.16b, v10.16b, v16.16b\n\teor\tv0.16b, v0.16b, v2.16b\t// vpxor\t%xmm2,\t%xmm0,\t%xmm0\n\teor\tv8.16b, v8.16b, v10.16b\n\tb\t.Ldec_2x_entry\n\n.align\t4\n.Ldec_2x_loop:\n//\n// Inverse mix columns\n//\n\t\t\t\t\t\t// vmovdqa\t-0x20(%r10),%xmm4\t\t# 4 : sb9u\n\t\t\t\t\t\t// vmovdqa\t-0x10(%r10),%xmm1\t\t# 0 : sb9t\n\ttbl\tv4.16b, {v24.16b}, v2.16b\t// vpshufb\t%xmm2,\t%xmm4,\t%xmm4\t\t# 4 = sb9u\n\ttbl\tv12.16b, {v24.16b}, v10.16b\n\ttbl\tv1.16b, {v25.16b}, v3.16b\t// vpshufb\t%xmm3,\t%xmm1,\t%xmm1\t\t# 0 = sb9t\n\ttbl\tv9.16b, {v25.16b}, v11.16b\n\teor\tv0.16b, v4.16b, v16.16b\t// vpxor\t%xmm4,\t%xmm0,\t%xmm0\n\teor\tv8.16b, v12.16b, v16.16b\n\t\t\t\t\t\t// vmovdqa\t0x00(%r10),%xmm4\t\t# 4 : sbdu\n\teor\tv0.16b, v0.16b, v1.16b\t// vpxor\t%xmm1,\t%xmm0,\t%xmm0\t\t# 0 = ch\n\teor\tv8.16b, v8.16b, v9.16b\t// vpxor\t%xmm1,\t%xmm0,\t%xmm0\t\t# 0 = ch\n\t\t\t\t\t\t// vmovdqa\t0x10(%r10),%xmm1\t\t# 0 : sbdt\n\n\ttbl\tv4.16b, {v26.16b}, v2.16b\t// vpshufb\t%xmm2,\t%xmm4,\t%xmm4\t\t# 4 = sbdu\n\ttbl\tv12.16b, {v26.16b}, v10.16b\n\ttbl\tv0.16b, {v0.16b},v5.16b\t// vpshufb\t%xmm5,\t%xmm0,\t%xmm0\t\t# MC ch\n\ttbl\tv8.16b, {v8.16b},v5.16b\n\ttbl\tv1.16b, {v27.16b}, v3.16b\t// vpshufb\t%xmm3,\t%xmm1,\t%xmm1\t\t# 0 = sbdt\n\ttbl\tv9.16b, {v27.16b}, v11.16b\n\teor\tv0.16b, v0.16b, v4.16b\t// vpxor\t%xmm4,\t%xmm0,\t%xmm0\t\t# 4 = ch\n\teor\tv8.16b, v8.16b, v12.16b\n\t\t\t\t\t\t// vmovdqa\t0x20(%r10),\t%xmm4\t\t# 4 : sbbu\n\teor\tv0.16b, v0.16b, v1.16b\t// vpxor\t%xmm1,\t%xmm0,\t%xmm0\t\t# 0 = ch\n\teor\tv8.16b, v8.16b, v9.16b\n\t\t\t\t\t\t// vmovdqa\t0x30(%r10),\t%xmm1\t\t# 0 : sbbt\n\n\ttbl\tv4.16b, {v28.16b}, v2.16b\t// vpshufb\t%xmm2,\t%xmm4,\t%xmm4\t\t# 4 = sbbu\n\ttbl\tv12.16b, {v28.16b}, v10.16b\n\ttbl\tv0.16b, {v0.16b},v5.16b\t// vpshufb\t%xmm5,\t%xmm0,\t%xmm0\t\t# MC ch\n\ttbl\tv8.16b, {v8.16b},v5.16b\n\ttbl\tv1.16b, {v29.16b}, v3.16b\t// vpshufb\t%xmm3,\t%xmm1,\t%xmm1\t\t# 0 = sbbt\n\ttbl\tv9.16b, {v29.16b}, v11.16b\n\teor\tv0.16b, v0.16b, v4.16b\t// vpxor\t%xmm4,\t%xmm0,\t%xmm0\t\t# 4 = ch\n\teor\tv8.16b, v8.16b, v12.16b\n\t\t\t\t\t\t// vmovdqa\t0x40(%r10),\t%xmm4\t\t# 4 : sbeu\n\teor\tv0.16b, v0.16b, v1.16b\t// vpxor\t%xmm1,\t%xmm0,\t%xmm0\t\t# 0 = ch\n\teor\tv8.16b, v8.16b, v9.16b\n\t\t\t\t\t\t// vmovdqa\t0x50(%r10),\t%xmm1\t\t# 0 : sbet\n\n\ttbl\tv4.16b, {v30.16b}, v2.16b\t// vpshufb\t%xmm2,\t%xmm4,\t%xmm4\t\t# 4 = sbeu\n\ttbl\tv12.16b, {v30.16b}, v10.16b\n\ttbl\tv0.16b, {v0.16b},v5.16b\t// vpshufb\t%xmm5,\t%xmm0,\t%xmm0\t\t# MC ch\n\ttbl\tv8.16b, {v8.16b},v5.16b\n\ttbl\tv1.16b, {v31.16b}, v3.16b\t// vpshufb\t%xmm3,\t%xmm1,\t%xmm1\t\t# 0 = sbet\n\ttbl\tv9.16b, {v31.16b}, v11.16b\n\teor\tv0.16b, v0.16b, v4.16b\t// vpxor\t%xmm4,\t%xmm0,\t%xmm0\t\t# 4 = ch\n\teor\tv8.16b, v8.16b, v12.16b\n\text\tv5.16b, v5.16b, v5.16b, #12\t// vpalignr $12,\t%xmm5,\t%xmm5,\t%xmm5\n\teor\tv0.16b, v0.16b, v1.16b\t// vpxor\t%xmm1,\t%xmm0,\t%xmm0\t\t# 0 = ch\n\teor\tv8.16b, v8.16b, v9.16b\n\tsub\tw8, w8, #1\t\t\t// sub\t\t$1,%rax\t\t\t# nr--\n\n.Ldec_2x_entry:\n\t// top of round\n\tand\tv1.16b, v0.16b, v17.16b\t// vpand\t%xmm9,\t%xmm0,\t%xmm1\t# 0 = k\n\tushr\tv0.16b, v0.16b, #4\t\t// vpsrlb\t$4,\t%xmm0,\t%xmm0\t# 1 = i\n\tand\tv9.16b, v8.16b, v17.16b\n\tushr\tv8.16b, v8.16b, #4\n\ttbl\tv2.16b, {v19.16b},v1.16b\t// vpshufb\t%xmm1,\t%xmm11,\t%xmm2\t# 2 = a/k\n\ttbl\tv10.16b, {v19.16b},v9.16b\n\teor\tv1.16b,\t v1.16b, v0.16b\t// vpxor\t%xmm0,\t%xmm1,\t%xmm1\t# 0 = j\n\teor\tv9.16b,\t v9.16b, v8.16b\n\ttbl\tv3.16b, {v18.16b},v0.16b\t// vpshufb\t%xmm0, \t%xmm10,\t%xmm3\t# 3 = 1/i\n\ttbl\tv11.16b, {v18.16b},v8.16b\n\ttbl\tv4.16b, {v18.16b},v1.16b\t// vpshufb\t%xmm1,\t%xmm10,\t%xmm4\t# 4 = 1/j\n\ttbl\tv12.16b, {v18.16b},v9.16b\n\teor\tv3.16b, v3.16b, v2.16b\t// vpxor\t%xmm2,\t%xmm3,\t%xmm3\t# 3 = iak = 1/i + a/k\n\teor\tv11.16b, v11.16b, v10.16b\n\teor\tv4.16b, v4.16b, v2.16b\t// vpxor\t%xmm2, \t%xmm4,\t%xmm4\t# 4 = jak = 1/j + a/k\n\teor\tv12.16b, v12.16b, v10.16b\n\ttbl\tv2.16b, {v18.16b},v3.16b\t// vpshufb\t%xmm3,\t%xmm10,\t%xmm2\t# 2 = 1/iak\n\ttbl\tv10.16b, {v18.16b},v11.16b\n\ttbl\tv3.16b, {v18.16b},v4.16b\t// vpshufb\t%xmm4, %xmm10,\t%xmm3\t# 3 = 1/jak\n\ttbl\tv11.16b, {v18.16b},v12.16b\n\teor\tv2.16b, v2.16b, v1.16b\t// vpxor\t%xmm1,\t%xmm2,\t%xmm2\t# 2 = io\n\teor\tv10.16b, v10.16b, v9.16b\n\teor\tv3.16b, v3.16b, v0.16b\t// vpxor\t%xmm0, %xmm3,\t%xmm3\t# 3 = jo\n\teor\tv11.16b, v11.16b, v8.16b\n\tld1\t{v16.2d}, [x9],#16\t\t// vmovdqu\t(%r9),\t%xmm0\n\tcbnz\tw8, .Ldec_2x_loop\n\n\t// middle of last round\n\t\t\t\t\t\t// vmovdqa\t0x60(%r10),\t%xmm4\t# 3 : sbou\n\ttbl\tv4.16b, {v22.16b}, v2.16b\t// vpshufb\t%xmm2,\t%xmm4,\t%xmm4\t# 4 = sbou\n\ttbl\tv12.16b, {v22.16b}, v10.16b\n\t\t\t\t\t\t// vmovdqa\t0x70(%r10),\t%xmm1\t# 0 : sbot\n\ttbl\tv1.16b, {v23.16b}, v3.16b\t// vpshufb\t%xmm3,\t%xmm1,\t%xmm1\t# 0 = sb1t\n\ttbl\tv9.16b, {v23.16b}, v11.16b\n\tld1\t{v2.2d}, [x11]\t\t\t// vmovdqa\t-0x160(%r11),\t%xmm2\t# .Lk_sr-.Lk_dsbd=-0x160\n\teor\tv4.16b, v4.16b, v16.16b\t// vpxor\t%xmm0,\t%xmm4,\t%xmm4\t# 4 = sb1u + k\n\teor\tv12.16b, v12.16b, v16.16b\n\teor\tv0.16b, v1.16b, v4.16b\t// vpxor\t%xmm4,\t%xmm1,\t%xmm0\t# 0 = A\n\teor\tv8.16b, v9.16b, v12.16b\n\ttbl\tv0.16b, {v0.16b},v2.16b\t// vpshufb\t%xmm2,\t%xmm0,\t%xmm0\n\ttbl\tv1.16b, {v8.16b},v2.16b\n\tret\n.size\t_vpaes_decrypt_2x,.-_vpaes_decrypt_2x\n########################################################\n## ##\n## AES key schedule ##\n## ##\n########################################################\n.type\t_vpaes_key_preheat,%function\n.align\t4\n_vpaes_key_preheat:\n\tadrp\tx10, .Lk_inv\n\tadd\tx10, x10, :lo12:.Lk_inv\n\tmovi\tv16.16b, #0x5b\t\t\t// .Lk_s63\n\tadrp\tx11, .Lk_sb1\n\tadd\tx11, x11, :lo12:.Lk_sb1\n\tmovi\tv17.16b, #0x0f\t\t\t// .Lk_s0F\n\tld1\t{v18.2d,v19.2d,v20.2d,v21.2d}, [x10]\t\t// .Lk_inv, .Lk_ipt\n\tadrp\tx10, .Lk_dksd\n\tadd\tx10, x10, :lo12:.Lk_dksd\n\tld1\t{v22.2d,v23.2d}, [x11]\t\t// .Lk_sb1\n\tadrp\tx11, .Lk_mc_forward\n\tadd\tx11, x11, :lo12:.Lk_mc_forward\n\tld1\t{v24.2d,v25.2d,v26.2d,v27.2d}, [x10],#64\t// .Lk_dksd, .Lk_dksb\n\tld1\t{v28.2d,v29.2d,v30.2d,v31.2d}, [x10],#64\t// .Lk_dkse, .Lk_dks9\n\tld1\t{v8.2d}, [x10]\t\t\t// .Lk_rcon\n\tld1\t{v9.2d}, [x11]\t\t\t// .Lk_mc_forward[0]\n\tret\n.size\t_vpaes_key_preheat,.-_vpaes_key_preheat\n\n.type\t_vpaes_schedule_core,%function\n.align\t4\n_vpaes_schedule_core:\n\tAARCH64_SIGN_LINK_REGISTER\n\tstp\tx29, x30, [sp,#-16]!\n\tadd\tx29,sp,#0\n\n\tbl\t_vpaes_key_preheat\t\t// load the tables\n\n\tld1\t{v0.16b}, [x0],#16\t\t// vmovdqu\t(%rdi),\t%xmm0\t\t# load key (unaligned)\n\n\t// input transform\n\tmov\tv3.16b, v0.16b\t\t\t// vmovdqa\t%xmm0,\t%xmm3\n\tbl\t_vpaes_schedule_transform\n\tmov\tv7.16b, v0.16b\t\t\t// vmovdqa\t%xmm0,\t%xmm7\n\n\tadrp\tx10, .Lk_sr\t\t// lea\t.Lk_sr(%rip),%r10\n\tadd\tx10, x10, :lo12:.Lk_sr\n\n\tadd\tx8, x8, x10\n\tcbnz\tw3, .Lschedule_am_decrypting\n\n\t// encrypting, output zeroth round key after transform\n\tst1\t{v0.2d}, [x2]\t\t\t// vmovdqu\t%xmm0,\t(%rdx)\n\tb\t.Lschedule_go\n\n.Lschedule_am_decrypting:\n\t// decrypting, output zeroth round key after shiftrows\n\tld1\t{v1.2d}, [x8]\t\t\t// vmovdqa\t(%r8,%r10),\t%xmm1\n\ttbl\tv3.16b, {v3.16b}, v1.16b\t// vpshufb %xmm1,\t%xmm3,\t%xmm3\n\tst1\t{v3.2d}, [x2]\t\t\t// vmovdqu\t%xmm3,\t(%rdx)\n\teor\tx8, x8, #0x30\t\t\t// xor\t$0x30, %r8\n\n.Lschedule_go:\n\tcmp\tw1, #192\t\t\t// cmp\t$192,\t%esi\n\tb.hi\t.Lschedule_256\n\tb.eq\t.Lschedule_192\n\t// 128: fall though\n\n##\n## .schedule_128\n##\n## 128-bit specific part of key schedule.\n##\n## This schedule is really simple, because all its parts\n## are accomplished by the subroutines.\n##\n.Lschedule_128:\n\tmov\tx0, #10\t\t\t// mov\t$10, %esi\n\n.Loop_schedule_128:\n\tsub\tx0, x0, #1\t\t\t// dec\t%esi\n\tbl\t_vpaes_schedule_round\n\tcbz\tx0, .Lschedule_mangle_last\n\tbl\t_vpaes_schedule_mangle\t\t// write output\n\tb\t.Loop_schedule_128\n\n##\n## .aes_schedule_192\n##\n## 192-bit specific part of key schedule.\n##\n## The main body of this schedule is the same as the 128-bit\n## schedule, but with more smearing. The long, high side is\n## stored in %xmm7 as before, and the short, low side is in\n## the high bits of %xmm6.\n##\n## This schedule is somewhat nastier, however, because each\n## round produces 192 bits of key material, or 1.5 round keys.\n## Therefore, on each cycle we do 2 rounds and produce 3 round\n## keys.\n##\n.align\t4\n.Lschedule_192:\n\tsub\tx0, x0, #8\n\tld1\t{v0.16b}, [x0]\t\t// vmovdqu\t8(%rdi),%xmm0\t\t# load key part 2 (very unaligned)\n\tbl\t_vpaes_schedule_transform\t// input transform\n\tmov\tv6.16b, v0.16b\t\t\t// vmovdqa\t%xmm0,\t%xmm6\t\t# save short part\n\teor\tv4.16b, v4.16b, v4.16b\t\t// vpxor\t%xmm4,\t%xmm4, %xmm4\t# clear 4\n\tins\tv6.d[0], v4.d[0]\t\t// vmovhlps\t%xmm4,\t%xmm6,\t%xmm6\t\t# clobber low side with zeros\n\tmov\tx0, #4\t\t\t// mov\t$4,\t%esi\n\n.Loop_schedule_192:\n\tsub\tx0, x0, #1\t\t\t// dec\t%esi\n\tbl\t_vpaes_schedule_round\n\text\tv0.16b, v6.16b, v0.16b, #8\t// vpalignr\t$8,%xmm6,%xmm0,%xmm0\n\tbl\t_vpaes_schedule_mangle\t\t// save key n\n\tbl\t_vpaes_schedule_192_smear\n\tbl\t_vpaes_schedule_mangle\t\t// save key n+1\n\tbl\t_vpaes_schedule_round\n\tcbz\tx0, .Lschedule_mangle_last\n\tbl\t_vpaes_schedule_mangle\t\t// save key n+2\n\tbl\t_vpaes_schedule_192_smear\n\tb\t.Loop_schedule_192\n\n##\n## .aes_schedule_256\n##\n## 256-bit specific part of key schedule.\n##\n## The structure here is very similar to the 128-bit\n## schedule, but with an additional \"low side\" in\n## %xmm6. The low side's rounds are the same as the\n## high side's, except no rcon and no rotation.\n##\n.align\t4\n.Lschedule_256:\n\tld1\t{v0.16b}, [x0]\t\t// vmovdqu\t16(%rdi),%xmm0\t\t# load key part 2 (unaligned)\n\tbl\t_vpaes_schedule_transform\t// input transform\n\tmov\tx0, #7\t\t\t// mov\t$7, %esi\n\n.Loop_schedule_256:\n\tsub\tx0, x0, #1\t\t\t// dec\t%esi\n\tbl\t_vpaes_schedule_mangle\t\t// output low result\n\tmov\tv6.16b, v0.16b\t\t\t// vmovdqa\t%xmm0,\t%xmm6\t\t# save cur_lo in xmm6\n\n\t// high round\n\tbl\t_vpaes_schedule_round\n\tcbz\tx0, .Lschedule_mangle_last\n\tbl\t_vpaes_schedule_mangle\n\n\t// low round. swap xmm7 and xmm6\n\tdup\tv0.4s, v0.s[3]\t\t\t// vpshufd\t$0xFF,\t%xmm0,\t%xmm0\n\tmovi\tv4.16b, #0\n\tmov\tv5.16b, v7.16b\t\t\t// vmovdqa\t%xmm7,\t%xmm5\n\tmov\tv7.16b, v6.16b\t\t\t// vmovdqa\t%xmm6,\t%xmm7\n\tbl\t_vpaes_schedule_low_round\n\tmov\tv7.16b, v5.16b\t\t\t// vmovdqa\t%xmm5,\t%xmm7\n\n\tb\t.Loop_schedule_256\n\n##\n## .aes_schedule_mangle_last\n##\n## Mangler for last round of key schedule\n## Mangles %xmm0\n## when encrypting, outputs out(%xmm0) ^ 63\n## when decrypting, outputs unskew(%xmm0)\n##\n## Always called right before return... jumps to cleanup and exits\n##\n.align\t4\n.Lschedule_mangle_last:\n\t// schedule last round key from xmm0\n\tadrp\tx11, .Lk_deskew\t// lea\t.Lk_deskew(%rip),%r11\t# prepare to deskew\n\tadd\tx11, x11, :lo12:.Lk_deskew\n\n\tcbnz\tw3, .Lschedule_mangle_last_dec\n\n\t// encrypting\n\tld1\t{v1.2d}, [x8]\t\t\t// vmovdqa\t(%r8,%r10),%xmm1\n\tadrp\tx11, .Lk_opt\t\t// lea\t.Lk_opt(%rip),\t%r11\t\t# prepare to output transform\n\tadd\tx11, x11, :lo12:.Lk_opt\n\tadd\tx2, x2, #32\t\t\t// add\t$32,\t%rdx\n\ttbl\tv0.16b, {v0.16b}, v1.16b\t// vpshufb\t%xmm1,\t%xmm0,\t%xmm0\t\t# output permute\n\n.Lschedule_mangle_last_dec:\n\tld1\t{v20.2d,v21.2d}, [x11]\t\t// reload constants\n\tsub\tx2, x2, #16\t\t\t// add\t$-16,\t%rdx\n\teor\tv0.16b, v0.16b, v16.16b\t\t// vpxor\t.Lk_s63(%rip),\t%xmm0,\t%xmm0\n\tbl\t_vpaes_schedule_transform\t// output transform\n\tst1\t{v0.2d}, [x2]\t\t\t// vmovdqu\t%xmm0,\t(%rdx)\t\t# save last key\n\n\t// cleanup\n\teor\tv0.16b, v0.16b, v0.16b\t\t// vpxor\t%xmm0,\t%xmm0,\t%xmm0\n\teor\tv1.16b, v1.16b, v1.16b\t\t// vpxor\t%xmm1,\t%xmm1,\t%xmm1\n\teor\tv2.16b, v2.16b, v2.16b\t\t// vpxor\t%xmm2,\t%xmm2,\t%xmm2\n\teor\tv3.16b, v3.16b, v3.16b\t\t// vpxor\t%xmm3,\t%xmm3,\t%xmm3\n\teor\tv4.16b, v4.16b, v4.16b\t\t// vpxor\t%xmm4,\t%xmm4,\t%xmm4\n\teor\tv5.16b, v5.16b, v5.16b\t\t// vpxor\t%xmm5,\t%xmm5,\t%xmm5\n\teor\tv6.16b, v6.16b, v6.16b\t\t// vpxor\t%xmm6,\t%xmm6,\t%xmm6\n\teor\tv7.16b, v7.16b, v7.16b\t\t// vpxor\t%xmm7,\t%xmm7,\t%xmm7\n\tldp\tx29, x30, [sp],#16\n\tAARCH64_VALIDATE_LINK_REGISTER\n\tret\n.size\t_vpaes_schedule_core,.-_vpaes_schedule_core\n\n##\n## .aes_schedule_192_smear\n##\n## Smear the short, low side in the 192-bit key schedule.\n##\n## Inputs:\n## %xmm7: high side, b a x y\n## %xmm6: low side, d c 0 0\n## %xmm13: 0\n##\n## Outputs:\n## %xmm6: b+c+d b+c 0 0\n## %xmm0: b+c+d b+c b a\n##\n.type\t_vpaes_schedule_192_smear,%function\n.align\t4\n_vpaes_schedule_192_smear:\n\tmovi\tv1.16b, #0\n\tdup\tv0.4s, v7.s[3]\n\tins\tv1.s[3], v6.s[2]\t// vpshufd\t$0x80,\t%xmm6,\t%xmm1\t# d c 0 0 -> c 0 0 0\n\tins\tv0.s[0], v7.s[2]\t// vpshufd\t$0xFE,\t%xmm7,\t%xmm0\t# b a _ _ -> b b b a\n\teor\tv6.16b, v6.16b, v1.16b\t// vpxor\t%xmm1,\t%xmm6,\t%xmm6\t# -> c+d c 0 0\n\teor\tv1.16b, v1.16b, v1.16b\t// vpxor\t%xmm1,\t%xmm1,\t%xmm1\n\teor\tv6.16b, v6.16b, v0.16b\t// vpxor\t%xmm0,\t%xmm6,\t%xmm6\t# -> b+c+d b+c b a\n\tmov\tv0.16b, v6.16b\t\t// vmovdqa\t%xmm6,\t%xmm0\n\tins\tv6.d[0], v1.d[0]\t// vmovhlps\t%xmm1,\t%xmm6,\t%xmm6\t# clobber low side with zeros\n\tret\n.size\t_vpaes_schedule_192_smear,.-_vpaes_schedule_192_smear\n\n##\n## .aes_schedule_round\n##\n## Runs one main round of the key schedule on %xmm0, %xmm7\n##\n## Specifically, runs subbytes on the high dword of %xmm0\n## then rotates it by one byte and xors into the low dword of\n## %xmm7.\n##\n## Adds rcon from low byte of %xmm8, then rotates %xmm8 for\n## next rcon.\n##\n## Smears the dwords of %xmm7 by xoring the low into the\n## second low, result into third, result into highest.\n##\n## Returns results in %xmm7 = %xmm0.\n## Clobbers %xmm1-%xmm4, %r11.\n##\n.type\t_vpaes_schedule_round,%function\n.align\t4\n_vpaes_schedule_round:\n\t// extract rcon from xmm8\n\tmovi\tv4.16b, #0\t\t\t// vpxor\t%xmm4,\t%xmm4,\t%xmm4\n\text\tv1.16b, v8.16b, v4.16b, #15\t// vpalignr\t$15,\t%xmm8,\t%xmm4,\t%xmm1\n\text\tv8.16b, v8.16b, v8.16b, #15\t// vpalignr\t$15,\t%xmm8,\t%xmm8,\t%xmm8\n\teor\tv7.16b, v7.16b, v1.16b\t\t// vpxor\t%xmm1,\t%xmm7,\t%xmm7\n\n\t// rotate\n\tdup\tv0.4s, v0.s[3]\t\t\t// vpshufd\t$0xFF,\t%xmm0,\t%xmm0\n\text\tv0.16b, v0.16b, v0.16b, #1\t// vpalignr\t$1,\t%xmm0,\t%xmm0,\t%xmm0\n\n\t// fall through...\n\n\t// low round: same as high round, but no rotation and no rcon.\n_vpaes_schedule_low_round:\n\t// smear xmm7\n\text\tv1.16b, v4.16b, v7.16b, #12\t// vpslldq\t$4,\t%xmm7,\t%xmm1\n\teor\tv7.16b, v7.16b, v1.16b\t\t// vpxor\t%xmm1,\t%xmm7,\t%xmm7\n\text\tv4.16b, v4.16b, v7.16b, #8\t// vpslldq\t$8,\t%xmm7,\t%xmm4\n\n\t// subbytes\n\tand\tv1.16b, v0.16b, v17.16b\t\t// vpand\t%xmm9,\t%xmm0,\t%xmm1\t\t# 0 = k\n\tushr\tv0.16b, v0.16b, #4\t\t// vpsrlb\t$4,\t%xmm0,\t%xmm0\t\t# 1 = i\n\teor\tv7.16b, v7.16b, v4.16b\t\t// vpxor\t%xmm4,\t%xmm7,\t%xmm7\n\ttbl\tv2.16b, {v19.16b}, v1.16b\t// vpshufb\t%xmm1,\t%xmm11,\t%xmm2\t\t# 2 = a/k\n\teor\tv1.16b, v1.16b, v0.16b\t\t// vpxor\t%xmm0,\t%xmm1,\t%xmm1\t\t# 0 = j\n\ttbl\tv3.16b, {v18.16b}, v0.16b\t// vpshufb\t%xmm0, \t%xmm10,\t%xmm3\t\t# 3 = 1/i\n\teor\tv3.16b, v3.16b, v2.16b\t\t// vpxor\t%xmm2,\t%xmm3,\t%xmm3\t\t# 3 = iak = 1/i + a/k\n\ttbl\tv4.16b, {v18.16b}, v1.16b\t// vpshufb\t%xmm1,\t%xmm10,\t%xmm4\t\t# 4 = 1/j\n\teor\tv7.16b, v7.16b, v16.16b\t\t// vpxor\t.Lk_s63(%rip),\t%xmm7,\t%xmm7\n\ttbl\tv3.16b, {v18.16b}, v3.16b\t// vpshufb\t%xmm3,\t%xmm10,\t%xmm3\t\t# 2 = 1/iak\n\teor\tv4.16b, v4.16b, v2.16b\t\t// vpxor\t%xmm2,\t%xmm4,\t%xmm4\t\t# 4 = jak = 1/j + a/k\n\ttbl\tv2.16b, {v18.16b}, v4.16b\t// vpshufb\t%xmm4,\t%xmm10,\t%xmm2\t\t# 3 = 1/jak\n\teor\tv3.16b, v3.16b, v1.16b\t\t// vpxor\t%xmm1,\t%xmm3,\t%xmm3\t\t# 2 = io\n\teor\tv2.16b, v2.16b, v0.16b\t\t// vpxor\t%xmm0,\t%xmm2,\t%xmm2\t\t# 3 = jo\n\ttbl\tv4.16b, {v23.16b}, v3.16b\t// vpshufb\t%xmm3,\t%xmm13,\t%xmm4\t\t# 4 = sbou\n\ttbl\tv1.16b, {v22.16b}, v2.16b\t// vpshufb\t%xmm2,\t%xmm12,\t%xmm1\t\t# 0 = sb1t\n\teor\tv1.16b, v1.16b, v4.16b\t\t// vpxor\t%xmm4,\t%xmm1,\t%xmm1\t\t# 0 = sbox output\n\n\t// add in smeared stuff\n\teor\tv0.16b, v1.16b, v7.16b\t\t// vpxor\t%xmm7,\t%xmm1,\t%xmm0\n\teor\tv7.16b, v1.16b, v7.16b\t\t// vmovdqa\t%xmm0,\t%xmm7\n\tret\n.size\t_vpaes_schedule_round,.-_vpaes_schedule_round\n\n##\n## .aes_schedule_transform\n##\n## Linear-transform %xmm0 according to tables at (%r11)\n##\n## Requires that %xmm9 = 0x0F0F... as in preheat\n## Output in %xmm0\n## Clobbers %xmm1, %xmm2\n##\n.type\t_vpaes_schedule_transform,%function\n.align\t4\n_vpaes_schedule_transform:\n\tand\tv1.16b, v0.16b, v17.16b\t\t// vpand\t%xmm9,\t%xmm0,\t%xmm1\n\tushr\tv0.16b, v0.16b, #4\t\t// vpsrlb\t$4,\t%xmm0,\t%xmm0\n\t\t\t\t\t\t// vmovdqa\t(%r11),\t%xmm2 \t# lo\n\ttbl\tv2.16b, {v20.16b}, v1.16b\t// vpshufb\t%xmm1,\t%xmm2,\t%xmm2\n\t\t\t\t\t\t// vmovdqa\t16(%r11),\t%xmm1 # hi\n\ttbl\tv0.16b, {v21.16b}, v0.16b\t// vpshufb\t%xmm0,\t%xmm1,\t%xmm0\n\teor\tv0.16b, v0.16b, v2.16b\t\t// vpxor\t%xmm2,\t%xmm0,\t%xmm0\n\tret\n.size\t_vpaes_schedule_transform,.-_vpaes_schedule_transform\n\n##\n## .aes_schedule_mangle\n##\n## Mangle xmm0 from (basis-transformed) standard version\n## to our version.\n##\n## On encrypt,\n## xor with 0x63\n## multiply by circulant 0,1,1,1\n## apply shiftrows transform\n##\n## On decrypt,\n## xor with 0x63\n## multiply by \"inverse mixcolumns\" circulant E,B,D,9\n## deskew\n## apply shiftrows transform\n##\n##\n## Writes out to (%rdx), and increments or decrements it\n## Keeps track of round number mod 4 in %r8\n## Preserves xmm0\n## Clobbers xmm1-xmm5\n##\n.type\t_vpaes_schedule_mangle,%function\n.align\t4\n_vpaes_schedule_mangle:\n\tmov\tv4.16b, v0.16b\t\t\t// vmovdqa\t%xmm0,\t%xmm4\t# save xmm0 for later\n\t\t\t\t\t\t// vmovdqa\t.Lk_mc_forward(%rip),%xmm5\n\tcbnz\tw3, .Lschedule_mangle_dec\n\n\t// encrypting\n\teor\tv4.16b, v0.16b, v16.16b\t\t// vpxor\t.Lk_s63(%rip),\t%xmm0,\t%xmm4\n\tadd\tx2, x2, #16\t\t\t// add\t$16,\t%rdx\n\ttbl\tv4.16b, {v4.16b}, v9.16b\t// vpshufb\t%xmm5,\t%xmm4,\t%xmm4\n\ttbl\tv1.16b, {v4.16b}, v9.16b\t// vpshufb\t%xmm5,\t%xmm4,\t%xmm1\n\ttbl\tv3.16b, {v1.16b}, v9.16b\t// vpshufb\t%xmm5,\t%xmm1,\t%xmm3\n\teor\tv4.16b, v4.16b, v1.16b\t\t// vpxor\t%xmm1,\t%xmm4,\t%xmm4\n\tld1\t{v1.2d}, [x8]\t\t\t// vmovdqa\t(%r8,%r10),\t%xmm1\n\teor\tv3.16b, v3.16b, v4.16b\t\t// vpxor\t%xmm4,\t%xmm3,\t%xmm3\n\n\tb\t.Lschedule_mangle_both\n.align\t4\n.Lschedule_mangle_dec:\n\t// inverse mix columns\n\t\t\t\t\t\t// lea\t.Lk_dksd(%rip),%r11\n\tushr\tv1.16b, v4.16b, #4\t\t// vpsrlb\t$4,\t%xmm4,\t%xmm1\t# 1 = hi\n\tand\tv4.16b, v4.16b, v17.16b\t\t// vpand\t%xmm9,\t%xmm4,\t%xmm4\t# 4 = lo\n\n\t\t\t\t\t\t// vmovdqa\t0x00(%r11),\t%xmm2\n\ttbl\tv2.16b, {v24.16b}, v4.16b\t// vpshufb\t%xmm4,\t%xmm2,\t%xmm2\n\t\t\t\t\t\t// vmovdqa\t0x10(%r11),\t%xmm3\n\ttbl\tv3.16b,\t{v25.16b}, v1.16b\t// vpshufb\t%xmm1,\t%xmm3,\t%xmm3\n\teor\tv3.16b, v3.16b, v2.16b\t\t// vpxor\t%xmm2,\t%xmm3,\t%xmm3\n\ttbl\tv3.16b, {v3.16b}, v9.16b\t// vpshufb\t%xmm5,\t%xmm3,\t%xmm3\n\n\t\t\t\t\t\t// vmovdqa\t0x20(%r11),\t%xmm2\n\ttbl\tv2.16b, {v26.16b}, v4.16b\t// vpshufb\t%xmm4,\t%xmm2,\t%xmm2\n\teor\tv2.16b, v2.16b, v3.16b\t\t// vpxor\t%xmm3,\t%xmm2,\t%xmm2\n\t\t\t\t\t\t// vmovdqa\t0x30(%r11),\t%xmm3\n\ttbl\tv3.16b, {v27.16b}, v1.16b\t// vpshufb\t%xmm1,\t%xmm3,\t%xmm3\n\teor\tv3.16b, v3.16b, v2.16b\t\t// vpxor\t%xmm2,\t%xmm3,\t%xmm3\n\ttbl\tv3.16b, {v3.16b}, v9.16b\t// vpshufb\t%xmm5,\t%xmm3,\t%xmm3\n\n\t\t\t\t\t\t// vmovdqa\t0x40(%r11),\t%xmm2\n\ttbl\tv2.16b, {v28.16b}, v4.16b\t// vpshufb\t%xmm4,\t%xmm2,\t%xmm2\n\teor\tv2.16b, v2.16b, v3.16b\t\t// vpxor\t%xmm3,\t%xmm2,\t%xmm2\n\t\t\t\t\t\t// vmovdqa\t0x50(%r11),\t%xmm3\n\ttbl\tv3.16b, {v29.16b}, v1.16b\t// vpshufb\t%xmm1,\t%xmm3,\t%xmm3\n\teor\tv3.16b, v3.16b, v2.16b\t\t// vpxor\t%xmm2,\t%xmm3,\t%xmm3\n\n\t\t\t\t\t\t// vmovdqa\t0x60(%r11),\t%xmm2\n\ttbl\tv2.16b, {v30.16b}, v4.16b\t// vpshufb\t%xmm4,\t%xmm2,\t%xmm2\n\ttbl\tv3.16b, {v3.16b}, v9.16b\t// vpshufb\t%xmm5,\t%xmm3,\t%xmm3\n\t\t\t\t\t\t// vmovdqa\t0x70(%r11),\t%xmm4\n\ttbl\tv4.16b, {v31.16b}, v1.16b\t// vpshufb\t%xmm1,\t%xmm4,\t%xmm4\n\tld1\t{v1.2d}, [x8]\t\t\t// vmovdqa\t(%r8,%r10),\t%xmm1\n\teor\tv2.16b, v2.16b, v3.16b\t\t// vpxor\t%xmm3,\t%xmm2,\t%xmm2\n\teor\tv3.16b, v4.16b, v2.16b\t\t// vpxor\t%xmm2,\t%xmm4,\t%xmm3\n\n\tsub\tx2, x2, #16\t\t\t// add\t$-16,\t%rdx\n\n.Lschedule_mangle_both:\n\ttbl\tv3.16b, {v3.16b}, v1.16b\t// vpshufb\t%xmm1,\t%xmm3,\t%xmm3\n\tadd\tx8, x8, #48\t\t\t// add\t$-16,\t%r8\n\tand\tx8, x8, #~(1<<6)\t\t// and\t$0x30,\t%r8\n\tst1\t{v3.2d}, [x2]\t\t\t// vmovdqu\t%xmm3,\t(%rdx)\n\tret\n.size\t_vpaes_schedule_mangle,.-_vpaes_schedule_mangle\n\n.globl\tvpaes_set_encrypt_key\n.hidden\tvpaes_set_encrypt_key\n.type\tvpaes_set_encrypt_key,%function\n.align\t4\nvpaes_set_encrypt_key:\n\tAARCH64_SIGN_LINK_REGISTER\n\tstp\tx29,x30,[sp,#-16]!\n\tadd\tx29,sp,#0\n\tstp\td8,d9,[sp,#-16]!\t// ABI spec says so\n\n\tlsr\tw9, w1, #5\t\t// shr\t$5,%eax\n\tadd\tw9, w9, #5\t\t// $5,%eax\n\tstr\tw9, [x2,#240]\t\t// mov\t%eax,240(%rdx)\t# AES_KEY->rounds = nbits/32+5;\n\n\tmov\tw3, #0\t\t// mov\t$0,%ecx\n\tmov\tx8, #0x30\t\t// mov\t$0x30,%r8d\n\tbl\t_vpaes_schedule_core\n\teor\tx0, x0, x0\n\n\tldp\td8,d9,[sp],#16\n\tldp\tx29,x30,[sp],#16\n\tAARCH64_VALIDATE_LINK_REGISTER\n\tret\n.size\tvpaes_set_encrypt_key,.-vpaes_set_encrypt_key\n\n.globl\tvpaes_set_decrypt_key\n.hidden\tvpaes_set_decrypt_key\n.type\tvpaes_set_decrypt_key,%function\n.align\t4\nvpaes_set_decrypt_key:\n\tAARCH64_SIGN_LINK_REGISTER\n\tstp\tx29,x30,[sp,#-16]!\n\tadd\tx29,sp,#0\n\tstp\td8,d9,[sp,#-16]!\t// ABI spec says so\n\n\tlsr\tw9, w1, #5\t\t// shr\t$5,%eax\n\tadd\tw9, w9, #5\t\t// $5,%eax\n\tstr\tw9, [x2,#240]\t\t// mov\t%eax,240(%rdx)\t# AES_KEY->rounds = nbits/32+5;\n\tlsl\tw9, w9, #4\t\t// shl\t$4,%eax\n\tadd\tx2, x2, #16\t\t// lea\t16(%rdx,%rax),%rdx\n\tadd\tx2, x2, x9\n\n\tmov\tw3, #1\t\t// mov\t$1,%ecx\n\tlsr\tw8, w1, #1\t\t// shr\t$1,%r8d\n\tand\tx8, x8, #32\t\t// and\t$32,%r8d\n\teor\tx8, x8, #32\t\t// xor\t$32,%r8d\t# nbits==192?0:32\n\tbl\t_vpaes_schedule_core\n\n\tldp\td8,d9,[sp],#16\n\tldp\tx29,x30,[sp],#16\n\tAARCH64_VALIDATE_LINK_REGISTER\n\tret\n.size\tvpaes_set_decrypt_key,.-vpaes_set_decrypt_key\n.globl\tvpaes_cbc_encrypt\n.hidden\tvpaes_cbc_encrypt\n.type\tvpaes_cbc_encrypt,%function\n.align\t4\nvpaes_cbc_encrypt:\n\tAARCH64_SIGN_LINK_REGISTER\n\tcbz\tx2, .Lcbc_abort\n\tcmp\tw5, #0\t\t\t// check direction\n\tb.eq\tvpaes_cbc_decrypt\n\n\tstp\tx29,x30,[sp,#-16]!\n\tadd\tx29,sp,#0\n\n\tmov\tx17, x2\t\t// reassign\n\tmov\tx2, x3\t\t// reassign\n\n\tld1\t{v0.16b}, [x4]\t// load ivec\n\tbl\t_vpaes_encrypt_preheat\n\tb\t.Lcbc_enc_loop\n\n.align\t4\n.Lcbc_enc_loop:\n\tld1\t{v7.16b}, [x0],#16\t// load input\n\teor\tv7.16b, v7.16b, v0.16b\t// xor with ivec\n\tbl\t_vpaes_encrypt_core\n\tst1\t{v0.16b}, [x1],#16\t// save output\n\tsubs\tx17, x17, #16\n\tb.hi\t.Lcbc_enc_loop\n\n\tst1\t{v0.16b}, [x4]\t// write ivec\n\n\tldp\tx29,x30,[sp],#16\n.Lcbc_abort:\n\tAARCH64_VALIDATE_LINK_REGISTER\n\tret\n.size\tvpaes_cbc_encrypt,.-vpaes_cbc_encrypt\n\n.type\tvpaes_cbc_decrypt,%function\n.align\t4\nvpaes_cbc_decrypt:\n\t// Not adding AARCH64_SIGN_LINK_REGISTER here because vpaes_cbc_decrypt is jumped to\n\t// only from vpaes_cbc_encrypt which has already signed the return address.\n\tstp\tx29,x30,[sp,#-16]!\n\tadd\tx29,sp,#0\n\tstp\td8,d9,[sp,#-16]!\t// ABI spec says so\n\tstp\td10,d11,[sp,#-16]!\n\tstp\td12,d13,[sp,#-16]!\n\tstp\td14,d15,[sp,#-16]!\n\n\tmov\tx17, x2\t\t// reassign\n\tmov\tx2, x3\t\t// reassign\n\tld1\t{v6.16b}, [x4]\t// load ivec\n\tbl\t_vpaes_decrypt_preheat\n\ttst\tx17, #16\n\tb.eq\t.Lcbc_dec_loop2x\n\n\tld1\t{v7.16b}, [x0], #16\t// load input\n\tbl\t_vpaes_decrypt_core\n\teor\tv0.16b, v0.16b, v6.16b\t// xor with ivec\n\torr\tv6.16b, v7.16b, v7.16b\t// next ivec value\n\tst1\t{v0.16b}, [x1], #16\n\tsubs\tx17, x17, #16\n\tb.ls\t.Lcbc_dec_done\n\n.align\t4\n.Lcbc_dec_loop2x:\n\tld1\t{v14.16b,v15.16b}, [x0], #32\n\tbl\t_vpaes_decrypt_2x\n\teor\tv0.16b, v0.16b, v6.16b\t// xor with ivec\n\teor\tv1.16b, v1.16b, v14.16b\n\torr\tv6.16b, v15.16b, v15.16b\n\tst1\t{v0.16b,v1.16b}, [x1], #32\n\tsubs\tx17, x17, #32\n\tb.hi\t.Lcbc_dec_loop2x\n\n.Lcbc_dec_done:\n\tst1\t{v6.16b}, [x4]\n\n\tldp\td14,d15,[sp],#16\n\tldp\td12,d13,[sp],#16\n\tldp\td10,d11,[sp],#16\n\tldp\td8,d9,[sp],#16\n\tldp\tx29,x30,[sp],#16\n\tAARCH64_VALIDATE_LINK_REGISTER\n\tret\n.size\tvpaes_cbc_decrypt,.-vpaes_cbc_decrypt\n.globl\tvpaes_ctr32_encrypt_blocks\n.hidden\tvpaes_ctr32_encrypt_blocks\n.type\tvpaes_ctr32_encrypt_blocks,%function\n.align\t4\nvpaes_ctr32_encrypt_blocks:\n\tAARCH64_SIGN_LINK_REGISTER\n\tstp\tx29,x30,[sp,#-16]!\n\tadd\tx29,sp,#0\n\tstp\td8,d9,[sp,#-16]!\t// ABI spec says so\n\tstp\td10,d11,[sp,#-16]!\n\tstp\td12,d13,[sp,#-16]!\n\tstp\td14,d15,[sp,#-16]!\n\n\tcbz\tx2, .Lctr32_done\n\n\t// Note, unlike the other functions, x2 here is measured in blocks,\n\t// not bytes.\n\tmov\tx17, x2\n\tmov\tx2, x3\n\n\t// Load the IV and counter portion.\n\tldr\tw6, [x4, #12]\n\tld1\t{v7.16b}, [x4]\n\n\tbl\t_vpaes_encrypt_preheat\n\ttst\tx17, #1\n\trev\tw6, w6\t\t// The counter is big-endian.\n\tb.eq\t.Lctr32_prep_loop\n\n\t// Handle one block so the remaining block count is even for\n\t// _vpaes_encrypt_2x.\n\tld1\t{v6.16b}, [x0], #16\t// .Load input ahead of time\n\tbl\t_vpaes_encrypt_core\n\teor\tv0.16b, v0.16b, v6.16b\t// XOR input and result\n\tst1\t{v0.16b}, [x1], #16\n\tsubs\tx17, x17, #1\n\t// Update the counter.\n\tadd\tw6, w6, #1\n\trev\tw7, w6\n\tmov\tv7.s[3], w7\n\tb.ls\t.Lctr32_done\n\n.Lctr32_prep_loop:\n\t// _vpaes_encrypt_core takes its input from v7, while _vpaes_encrypt_2x\n\t// uses v14 and v15.\n\tmov\tv15.16b, v7.16b\n\tmov\tv14.16b, v7.16b\n\tadd\tw6, w6, #1\n\trev\tw7, w6\n\tmov\tv15.s[3], w7\n\n.Lctr32_loop:\n\tld1\t{v6.16b,v7.16b}, [x0], #32\t// .Load input ahead of time\n\tbl\t_vpaes_encrypt_2x\n\teor\tv0.16b, v0.16b, v6.16b\t\t// XOR input and result\n\teor\tv1.16b, v1.16b, v7.16b\t\t// XOR input and result (#2)\n\tst1\t{v0.16b,v1.16b}, [x1], #32\n\tsubs\tx17, x17, #2\n\t// Update the counter.\n\tadd\tw7, w6, #1\n\tadd\tw6, w6, #2\n\trev\tw7, w7\n\tmov\tv14.s[3], w7\n\trev\tw7, w6\n\tmov\tv15.s[3], w7\n\tb.hi\t.Lctr32_loop\n\n.Lctr32_done:\n\tldp\td14,d15,[sp],#16\n\tldp\td12,d13,[sp],#16\n\tldp\td10,d11,[sp],#16\n\tldp\td8,d9,[sp],#16\n\tldp\tx29,x30,[sp],#16\n\tAARCH64_VALIDATE_LINK_REGISTER\n\tret\n.size\tvpaes_ctr32_encrypt_blocks,.-vpaes_ctr32_encrypt_blocks\n#endif // !OPENSSL_NO_ASM && defined(OPENSSL_AARCH64) && defined(__ELF__)\n#if defined(__linux__) && defined(__ELF__)\n.section .note.GNU-stack,\"\",%progbits\n#endif\n\n" }, { "path": "Sources/CNIOBoringSSL/gen/bcm/vpaes-armv8-win.S", "content": "#define BORINGSSL_PREFIX CNIOBoringSSL\n// This file is generated from a similarly-named Perl script in the BoringSSL\n// source tree. Do not edit by hand.\n\n#include \n\n#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_AARCH64) && defined(_WIN32)\n#include \n\n.section\t.rodata\n\n\n.align\t7\t// totally strategic alignment\n_vpaes_consts:\nLk_mc_forward:\t//\tmc_forward\n.quad\t0x0407060500030201, 0x0C0F0E0D080B0A09\n.quad\t0x080B0A0904070605, 0x000302010C0F0E0D\n.quad\t0x0C0F0E0D080B0A09, 0x0407060500030201\n.quad\t0x000302010C0F0E0D, 0x080B0A0904070605\nLk_mc_backward:\t//\tmc_backward\n.quad\t0x0605040702010003, 0x0E0D0C0F0A09080B\n.quad\t0x020100030E0D0C0F, 0x0A09080B06050407\n.quad\t0x0E0D0C0F0A09080B, 0x0605040702010003\n.quad\t0x0A09080B06050407, 0x020100030E0D0C0F\nLk_sr:\t//\tsr\n.quad\t0x0706050403020100, 0x0F0E0D0C0B0A0908\n.quad\t0x030E09040F0A0500, 0x0B06010C07020D08\n.quad\t0x0F060D040B020900, 0x070E050C030A0108\n.quad\t0x0B0E0104070A0D00, 0x0306090C0F020508\n\n//\n// \"Hot\" constants\n//\nLk_inv:\t//\tinv, inva\n.quad\t0x0E05060F0D080180, 0x040703090A0B0C02\n.quad\t0x01040A060F0B0780, 0x030D0E0C02050809\nLk_ipt:\t//\tinput transform (lo, hi)\n.quad\t0xC2B2E8985A2A7000, 0xCABAE09052227808\n.quad\t0x4C01307D317C4D00, 0xCD80B1FCB0FDCC81\nLk_sbo:\t//\tsbou, sbot\n.quad\t0xD0D26D176FBDC700, 0x15AABF7AC502A878\n.quad\t0xCFE474A55FBB6A00, 0x8E1E90D1412B35FA\nLk_sb1:\t//\tsb1u, sb1t\n.quad\t0x3618D415FAE22300, 0x3BF7CCC10D2ED9EF\n.quad\t0xB19BE18FCB503E00, 0xA5DF7A6E142AF544\nLk_sb2:\t//\tsb2u, sb2t\n.quad\t0x69EB88400AE12900, 0xC2A163C8AB82234A\n.quad\t0xE27A93C60B712400, 0x5EB7E955BC982FCD\n\n//\n// Decryption stuff\n//\nLk_dipt:\t//\tdecryption input transform\n.quad\t0x0F505B040B545F00, 0x154A411E114E451A\n.quad\t0x86E383E660056500, 0x12771772F491F194\nLk_dsbo:\t//\tdecryption sbox final output\n.quad\t0x1387EA537EF94000, 0xC7AA6DB9D4943E2D\n.quad\t0x12D7560F93441D00, 0xCA4B8159D8C58E9C\nLk_dsb9:\t//\tdecryption sbox output *9*u, *9*t\n.quad\t0x851C03539A86D600, 0xCAD51F504F994CC9\n.quad\t0xC03B1789ECD74900, 0x725E2C9EB2FBA565\nLk_dsbd:\t//\tdecryption sbox output *D*u, *D*t\n.quad\t0x7D57CCDFE6B1A200, 0xF56E9B13882A4439\n.quad\t0x3CE2FAF724C6CB00, 0x2931180D15DEEFD3\nLk_dsbb:\t//\tdecryption sbox output *B*u, *B*t\n.quad\t0xD022649296B44200, 0x602646F6B0F2D404\n.quad\t0xC19498A6CD596700, 0xF3FF0C3E3255AA6B\nLk_dsbe:\t//\tdecryption sbox output *E*u, *E*t\n.quad\t0x46F2929626D4D000, 0x2242600464B4F6B0\n.quad\t0x0C55A6CDFFAAC100, 0x9467F36B98593E32\n\n//\n// Key schedule constants\n//\nLk_dksd:\t//\tdecryption key schedule: invskew x*D\n.quad\t0xFEB91A5DA3E44700, 0x0740E3A45A1DBEF9\n.quad\t0x41C277F4B5368300, 0x5FDC69EAAB289D1E\nLk_dksb:\t//\tdecryption key schedule: invskew x*B\n.quad\t0x9A4FCA1F8550D500, 0x03D653861CC94C99\n.quad\t0x115BEDA7B6FC4A00, 0xD993256F7E3482C8\nLk_dkse:\t//\tdecryption key schedule: invskew x*E + 0x63\n.quad\t0xD5031CCA1FC9D600, 0x53859A4C994F5086\n.quad\t0xA23196054FDC7BE8, 0xCD5EF96A20B31487\nLk_dks9:\t//\tdecryption key schedule: invskew x*9\n.quad\t0xB6116FC87ED9A700, 0x4AED933482255BFC\n.quad\t0x4576516227143300, 0x8BB89FACE9DAFDCE\n\nLk_rcon:\t//\trcon\n.quad\t0x1F8391B9AF9DEEB6, 0x702A98084D7C7D81\n\nLk_opt:\t//\toutput transform\n.quad\t0xFF9F4929D6B66000, 0xF7974121DEBE6808\n.quad\t0x01EDBD5150BCEC00, 0xE10D5DB1B05C0CE0\nLk_deskew:\t//\tdeskew tables: inverts the sbox's \"skew\"\n.quad\t0x07E4A34047A4E300, 0x1DFEB95A5DBEF91A\n.quad\t0x5F36B5DC83EA6900, 0x2841C2ABF49D1E77\n\n.byte\t86,101,99,116,111,114,32,80,101,114,109,117,116,97,116,105,111,110,32,65,69,83,32,102,111,114,32,65,82,77,118,56,44,32,77,105,107,101,32,72,97,109,98,117,114,103,32,40,83,116,97,110,102,111,114,100,32,85,110,105,118,101,114,115,105,116,121,41,0\n.align\t2\n\n.align\t6\n\n.text\n##\n## _aes_preheat\n##\n## Fills register %r10 -> .aes_consts (so you can -fPIC)\n## and %xmm9-%xmm15 as specified below.\n##\n.def _vpaes_encrypt_preheat\n .type 32\n.endef\n.align\t4\n_vpaes_encrypt_preheat:\n\tadrp\tx10, Lk_inv\n\tadd\tx10, x10, :lo12:Lk_inv\n\tmovi\tv17.16b, #0x0f\n\tld1\t{v18.2d,v19.2d}, [x10],#32\t// Lk_inv\n\tld1\t{v20.2d,v21.2d,v22.2d,v23.2d}, [x10],#64\t// Lk_ipt, Lk_sbo\n\tld1\t{v24.2d,v25.2d,v26.2d,v27.2d}, [x10]\t\t// Lk_sb1, Lk_sb2\n\tret\n\n\n##\n## _aes_encrypt_core\n##\n## AES-encrypt %xmm0.\n##\n## Inputs:\n## %xmm0 = input\n## %xmm9-%xmm15 as in _vpaes_preheat\n## (%rdx) = scheduled keys\n##\n## Output in %xmm0\n## Clobbers %xmm1-%xmm5, %r9, %r10, %r11, %rax\n## Preserves %xmm6 - %xmm8 so you get some local vectors\n##\n##\n.def _vpaes_encrypt_core\n .type 32\n.endef\n.align\t4\n_vpaes_encrypt_core:\n\tmov\tx9, x2\n\tldr\tw8, [x2,#240]\t\t\t// pull rounds\n\tadrp\tx11, Lk_mc_forward+16\n\tadd\tx11, x11, :lo12:Lk_mc_forward+16\n\t\t\t\t\t\t// vmovdqa\t.Lk_ipt(%rip),\t%xmm2\t# iptlo\n\tld1\t{v16.2d}, [x9], #16\t\t// vmovdqu\t(%r9),\t%xmm5\t\t# round0 key\n\tand\tv1.16b, v7.16b, v17.16b\t\t// vpand\t%xmm9,\t%xmm0,\t%xmm1\n\tushr\tv0.16b, v7.16b, #4\t\t// vpsrlb\t$4,\t%xmm0,\t%xmm0\n\ttbl\tv1.16b, {v20.16b}, v1.16b\t// vpshufb\t%xmm1,\t%xmm2,\t%xmm1\n\t\t\t\t\t\t// vmovdqa\t.Lk_ipt+16(%rip), %xmm3\t# ipthi\n\ttbl\tv2.16b, {v21.16b}, v0.16b\t// vpshufb\t%xmm0,\t%xmm3,\t%xmm2\n\teor\tv0.16b, v1.16b, v16.16b\t\t// vpxor\t%xmm5,\t%xmm1,\t%xmm0\n\teor\tv0.16b, v0.16b, v2.16b\t\t// vpxor\t%xmm2,\t%xmm0,\t%xmm0\n\tb\tLenc_entry\n\n.align\t4\nLenc_loop:\n\t// middle of middle round\n\tadd\tx10, x11, #0x40\n\ttbl\tv4.16b, {v25.16b}, v2.16b\t\t// vpshufb\t%xmm2,\t%xmm13,\t%xmm4\t# 4 = sb1u\n\tld1\t{v1.2d}, [x11], #16\t\t// vmovdqa\t-0x40(%r11,%r10), %xmm1\t# Lk_mc_forward[]\n\ttbl\tv0.16b, {v24.16b}, v3.16b\t\t// vpshufb\t%xmm3,\t%xmm12,\t%xmm0\t# 0 = sb1t\n\teor\tv4.16b, v4.16b, v16.16b\t\t// vpxor\t%xmm5,\t%xmm4,\t%xmm4\t# 4 = sb1u + k\n\ttbl\tv5.16b,\t{v27.16b}, v2.16b\t\t// vpshufb\t%xmm2,\t%xmm15,\t%xmm5\t# 4 = sb2u\n\teor\tv0.16b, v0.16b, v4.16b\t\t// vpxor\t%xmm4,\t%xmm0,\t%xmm0\t# 0 = A\n\ttbl\tv2.16b, {v26.16b}, v3.16b\t\t// vpshufb\t%xmm3,\t%xmm14,\t%xmm2\t# 2 = sb2t\n\tld1\t{v4.2d}, [x10]\t\t\t// vmovdqa\t(%r11,%r10), %xmm4\t# Lk_mc_backward[]\n\ttbl\tv3.16b, {v0.16b}, v1.16b\t// vpshufb\t%xmm1,\t%xmm0,\t%xmm3\t# 0 = B\n\teor\tv2.16b, v2.16b, v5.16b\t\t// vpxor\t%xmm5,\t%xmm2,\t%xmm2\t# 2 = 2A\n\ttbl\tv0.16b, {v0.16b}, v4.16b\t// vpshufb\t%xmm4,\t%xmm0,\t%xmm0\t# 3 = D\n\teor\tv3.16b, v3.16b, v2.16b\t\t// vpxor\t%xmm2,\t%xmm3,\t%xmm3\t# 0 = 2A+B\n\ttbl\tv4.16b, {v3.16b}, v1.16b\t// vpshufb\t%xmm1,\t%xmm3,\t%xmm4\t# 0 = 2B+C\n\teor\tv0.16b, v0.16b, v3.16b\t\t// vpxor\t%xmm3,\t%xmm0,\t%xmm0\t# 3 = 2A+B+D\n\tand\tx11, x11, #~(1<<6)\t\t// and\t\t$0x30,\t%r11\t\t# ... mod 4\n\teor\tv0.16b, v0.16b, v4.16b\t\t// vpxor\t%xmm4,\t%xmm0, %xmm0\t# 0 = 2A+3B+C+D\n\tsub\tw8, w8, #1\t\t\t// nr--\n\nLenc_entry:\n\t// top of round\n\tand\tv1.16b, v0.16b, v17.16b\t\t// vpand\t%xmm0,\t%xmm9,\t%xmm1 # 0 = k\n\tushr\tv0.16b, v0.16b, #4\t\t// vpsrlb\t$4,\t%xmm0,\t%xmm0\t# 1 = i\n\ttbl\tv5.16b, {v19.16b}, v1.16b\t// vpshufb\t%xmm1,\t%xmm11,\t%xmm5\t# 2 = a/k\n\teor\tv1.16b, v1.16b, v0.16b\t\t// vpxor\t%xmm0,\t%xmm1,\t%xmm1\t# 0 = j\n\ttbl\tv3.16b, {v18.16b}, v0.16b\t// vpshufb\t%xmm0, \t%xmm10,\t%xmm3 \t# 3 = 1/i\n\ttbl\tv4.16b, {v18.16b}, v1.16b\t// vpshufb\t%xmm1, \t%xmm10,\t%xmm4 \t# 4 = 1/j\n\teor\tv3.16b, v3.16b, v5.16b\t\t// vpxor\t%xmm5,\t%xmm3,\t%xmm3\t# 3 = iak = 1/i + a/k\n\teor\tv4.16b, v4.16b, v5.16b\t\t// vpxor\t%xmm5,\t%xmm4,\t%xmm4 \t# 4 = jak = 1/j + a/k\n\ttbl\tv2.16b, {v18.16b}, v3.16b\t// vpshufb\t%xmm3,\t%xmm10,\t%xmm2 \t# 2 = 1/iak\n\ttbl\tv3.16b, {v18.16b}, v4.16b\t// vpshufb\t%xmm4,\t%xmm10,\t%xmm3\t# 3 = 1/jak\n\teor\tv2.16b, v2.16b, v1.16b\t\t// vpxor\t%xmm1,\t%xmm2,\t%xmm2 \t# 2 = io\n\teor\tv3.16b, v3.16b, v0.16b\t\t// vpxor\t%xmm0,\t%xmm3,\t%xmm3\t# 3 = jo\n\tld1\t{v16.2d}, [x9],#16\t\t// vmovdqu\t(%r9),\t%xmm5\n\tcbnz\tw8, Lenc_loop\n\n\t// middle of last round\n\tadd\tx10, x11, #0x80\n\t\t\t\t\t\t// vmovdqa\t-0x60(%r10), %xmm4\t# 3 : sbou\t.Lk_sbo\n\t\t\t\t\t\t// vmovdqa\t-0x50(%r10), %xmm0\t# 0 : sbot\t.Lk_sbo+16\n\ttbl\tv4.16b, {v22.16b}, v2.16b\t\t// vpshufb\t%xmm2,\t%xmm4,\t%xmm4\t# 4 = sbou\n\tld1\t{v1.2d}, [x10]\t\t\t// vmovdqa\t0x40(%r11,%r10), %xmm1\t# Lk_sr[]\n\ttbl\tv0.16b, {v23.16b}, v3.16b\t\t// vpshufb\t%xmm3,\t%xmm0,\t%xmm0\t# 0 = sb1t\n\teor\tv4.16b, v4.16b, v16.16b\t\t// vpxor\t%xmm5,\t%xmm4,\t%xmm4\t# 4 = sb1u + k\n\teor\tv0.16b, v0.16b, v4.16b\t\t// vpxor\t%xmm4,\t%xmm0,\t%xmm0\t# 0 = A\n\ttbl\tv0.16b, {v0.16b}, v1.16b\t// vpshufb\t%xmm1,\t%xmm0,\t%xmm0\n\tret\n\n\n.globl\tvpaes_encrypt\n\n.def vpaes_encrypt\n .type 32\n.endef\n.align\t4\nvpaes_encrypt:\n\tAARCH64_SIGN_LINK_REGISTER\n\tstp\tx29,x30,[sp,#-16]!\n\tadd\tx29,sp,#0\n\n\tld1\t{v7.16b}, [x0]\n\tbl\t_vpaes_encrypt_preheat\n\tbl\t_vpaes_encrypt_core\n\tst1\t{v0.16b}, [x1]\n\n\tldp\tx29,x30,[sp],#16\n\tAARCH64_VALIDATE_LINK_REGISTER\n\tret\n\n\n.def _vpaes_encrypt_2x\n .type 32\n.endef\n.align\t4\n_vpaes_encrypt_2x:\n\tmov\tx9, x2\n\tldr\tw8, [x2,#240]\t\t\t// pull rounds\n\tadrp\tx11, Lk_mc_forward+16\n\tadd\tx11, x11, :lo12:Lk_mc_forward+16\n\t\t\t\t\t\t// vmovdqa\t.Lk_ipt(%rip),\t%xmm2\t# iptlo\n\tld1\t{v16.2d}, [x9], #16\t\t// vmovdqu\t(%r9),\t%xmm5\t\t# round0 key\n\tand\tv1.16b, v14.16b, v17.16b\t// vpand\t%xmm9,\t%xmm0,\t%xmm1\n\tushr\tv0.16b, v14.16b, #4\t\t// vpsrlb\t$4,\t%xmm0,\t%xmm0\n\tand\tv9.16b, v15.16b, v17.16b\n\tushr\tv8.16b, v15.16b, #4\n\ttbl\tv1.16b, {v20.16b}, v1.16b\t// vpshufb\t%xmm1,\t%xmm2,\t%xmm1\n\ttbl\tv9.16b, {v20.16b}, v9.16b\n\t\t\t\t\t\t// vmovdqa\t.Lk_ipt+16(%rip), %xmm3\t# ipthi\n\ttbl\tv2.16b, {v21.16b}, v0.16b\t// vpshufb\t%xmm0,\t%xmm3,\t%xmm2\n\ttbl\tv10.16b, {v21.16b}, v8.16b\n\teor\tv0.16b, v1.16b, v16.16b\t// vpxor\t%xmm5,\t%xmm1,\t%xmm0\n\teor\tv8.16b, v9.16b, v16.16b\n\teor\tv0.16b, v0.16b, v2.16b\t// vpxor\t%xmm2,\t%xmm0,\t%xmm0\n\teor\tv8.16b, v8.16b, v10.16b\n\tb\tLenc_2x_entry\n\n.align\t4\nLenc_2x_loop:\n\t// middle of middle round\n\tadd\tx10, x11, #0x40\n\ttbl\tv4.16b, {v25.16b}, v2.16b\t// vpshufb\t%xmm2,\t%xmm13,\t%xmm4\t# 4 = sb1u\n\ttbl\tv12.16b, {v25.16b}, v10.16b\n\tld1\t{v1.2d}, [x11], #16\t\t// vmovdqa\t-0x40(%r11,%r10), %xmm1\t# Lk_mc_forward[]\n\ttbl\tv0.16b, {v24.16b}, v3.16b\t// vpshufb\t%xmm3,\t%xmm12,\t%xmm0\t# 0 = sb1t\n\ttbl\tv8.16b, {v24.16b}, v11.16b\n\teor\tv4.16b, v4.16b, v16.16b\t// vpxor\t%xmm5,\t%xmm4,\t%xmm4\t# 4 = sb1u + k\n\teor\tv12.16b, v12.16b, v16.16b\n\ttbl\tv5.16b,\t {v27.16b}, v2.16b\t// vpshufb\t%xmm2,\t%xmm15,\t%xmm5\t# 4 = sb2u\n\ttbl\tv13.16b, {v27.16b}, v10.16b\n\teor\tv0.16b, v0.16b, v4.16b\t// vpxor\t%xmm4,\t%xmm0,\t%xmm0\t# 0 = A\n\teor\tv8.16b, v8.16b, v12.16b\n\ttbl\tv2.16b, {v26.16b}, v3.16b\t// vpshufb\t%xmm3,\t%xmm14,\t%xmm2\t# 2 = sb2t\n\ttbl\tv10.16b, {v26.16b}, v11.16b\n\tld1\t{v4.2d}, [x10]\t\t\t// vmovdqa\t(%r11,%r10), %xmm4\t# Lk_mc_backward[]\n\ttbl\tv3.16b, {v0.16b}, v1.16b\t// vpshufb\t%xmm1,\t%xmm0,\t%xmm3\t# 0 = B\n\ttbl\tv11.16b, {v8.16b}, v1.16b\n\teor\tv2.16b, v2.16b, v5.16b\t// vpxor\t%xmm5,\t%xmm2,\t%xmm2\t# 2 = 2A\n\teor\tv10.16b, v10.16b, v13.16b\n\ttbl\tv0.16b, {v0.16b}, v4.16b\t// vpshufb\t%xmm4,\t%xmm0,\t%xmm0\t# 3 = D\n\ttbl\tv8.16b, {v8.16b}, v4.16b\n\teor\tv3.16b, v3.16b, v2.16b\t// vpxor\t%xmm2,\t%xmm3,\t%xmm3\t# 0 = 2A+B\n\teor\tv11.16b, v11.16b, v10.16b\n\ttbl\tv4.16b, {v3.16b}, v1.16b\t// vpshufb\t%xmm1,\t%xmm3,\t%xmm4\t# 0 = 2B+C\n\ttbl\tv12.16b, {v11.16b},v1.16b\n\teor\tv0.16b, v0.16b, v3.16b\t// vpxor\t%xmm3,\t%xmm0,\t%xmm0\t# 3 = 2A+B+D\n\teor\tv8.16b, v8.16b, v11.16b\n\tand\tx11, x11, #~(1<<6)\t\t// and\t\t$0x30,\t%r11\t\t# ... mod 4\n\teor\tv0.16b, v0.16b, v4.16b\t// vpxor\t%xmm4,\t%xmm0, %xmm0\t# 0 = 2A+3B+C+D\n\teor\tv8.16b, v8.16b, v12.16b\n\tsub\tw8, w8, #1\t\t\t// nr--\n\nLenc_2x_entry:\n\t// top of round\n\tand\tv1.16b, v0.16b, v17.16b\t// vpand\t%xmm0,\t%xmm9,\t%xmm1 # 0 = k\n\tushr\tv0.16b, v0.16b, #4\t\t// vpsrlb\t$4,\t%xmm0,\t%xmm0\t# 1 = i\n\tand\tv9.16b, v8.16b, v17.16b\n\tushr\tv8.16b, v8.16b, #4\n\ttbl\tv5.16b, {v19.16b},v1.16b\t// vpshufb\t%xmm1,\t%xmm11,\t%xmm5\t# 2 = a/k\n\ttbl\tv13.16b, {v19.16b},v9.16b\n\teor\tv1.16b, v1.16b, v0.16b\t// vpxor\t%xmm0,\t%xmm1,\t%xmm1\t# 0 = j\n\teor\tv9.16b, v9.16b, v8.16b\n\ttbl\tv3.16b, {v18.16b},v0.16b\t// vpshufb\t%xmm0, \t%xmm10,\t%xmm3 \t# 3 = 1/i\n\ttbl\tv11.16b, {v18.16b},v8.16b\n\ttbl\tv4.16b, {v18.16b},v1.16b\t// vpshufb\t%xmm1, \t%xmm10,\t%xmm4 \t# 4 = 1/j\n\ttbl\tv12.16b, {v18.16b},v9.16b\n\teor\tv3.16b, v3.16b, v5.16b\t// vpxor\t%xmm5,\t%xmm3,\t%xmm3\t# 3 = iak = 1/i + a/k\n\teor\tv11.16b, v11.16b, v13.16b\n\teor\tv4.16b, v4.16b, v5.16b\t// vpxor\t%xmm5,\t%xmm4,\t%xmm4 \t# 4 = jak = 1/j + a/k\n\teor\tv12.16b, v12.16b, v13.16b\n\ttbl\tv2.16b, {v18.16b},v3.16b\t// vpshufb\t%xmm3,\t%xmm10,\t%xmm2 \t# 2 = 1/iak\n\ttbl\tv10.16b, {v18.16b},v11.16b\n\ttbl\tv3.16b, {v18.16b},v4.16b\t// vpshufb\t%xmm4,\t%xmm10,\t%xmm3\t# 3 = 1/jak\n\ttbl\tv11.16b, {v18.16b},v12.16b\n\teor\tv2.16b, v2.16b, v1.16b\t// vpxor\t%xmm1,\t%xmm2,\t%xmm2 \t# 2 = io\n\teor\tv10.16b, v10.16b, v9.16b\n\teor\tv3.16b, v3.16b, v0.16b\t// vpxor\t%xmm0,\t%xmm3,\t%xmm3\t# 3 = jo\n\teor\tv11.16b, v11.16b, v8.16b\n\tld1\t{v16.2d}, [x9],#16\t\t// vmovdqu\t(%r9),\t%xmm5\n\tcbnz\tw8, Lenc_2x_loop\n\n\t// middle of last round\n\tadd\tx10, x11, #0x80\n\t\t\t\t\t\t// vmovdqa\t-0x60(%r10), %xmm4\t# 3 : sbou\t.Lk_sbo\n\t\t\t\t\t\t// vmovdqa\t-0x50(%r10), %xmm0\t# 0 : sbot\t.Lk_sbo+16\n\ttbl\tv4.16b, {v22.16b}, v2.16b\t// vpshufb\t%xmm2,\t%xmm4,\t%xmm4\t# 4 = sbou\n\ttbl\tv12.16b, {v22.16b}, v10.16b\n\tld1\t{v1.2d}, [x10]\t\t\t// vmovdqa\t0x40(%r11,%r10), %xmm1\t# Lk_sr[]\n\ttbl\tv0.16b, {v23.16b}, v3.16b\t// vpshufb\t%xmm3,\t%xmm0,\t%xmm0\t# 0 = sb1t\n\ttbl\tv8.16b, {v23.16b}, v11.16b\n\teor\tv4.16b, v4.16b, v16.16b\t// vpxor\t%xmm5,\t%xmm4,\t%xmm4\t# 4 = sb1u + k\n\teor\tv12.16b, v12.16b, v16.16b\n\teor\tv0.16b, v0.16b, v4.16b\t// vpxor\t%xmm4,\t%xmm0,\t%xmm0\t# 0 = A\n\teor\tv8.16b, v8.16b, v12.16b\n\ttbl\tv0.16b, {v0.16b},v1.16b\t// vpshufb\t%xmm1,\t%xmm0,\t%xmm0\n\ttbl\tv1.16b, {v8.16b},v1.16b\n\tret\n\n\n.def _vpaes_decrypt_preheat\n .type 32\n.endef\n.align\t4\n_vpaes_decrypt_preheat:\n\tadrp\tx10, Lk_inv\n\tadd\tx10, x10, :lo12:Lk_inv\n\tmovi\tv17.16b, #0x0f\n\tadrp\tx11, Lk_dipt\n\tadd\tx11, x11, :lo12:Lk_dipt\n\tld1\t{v18.2d,v19.2d}, [x10],#32\t// Lk_inv\n\tld1\t{v20.2d,v21.2d,v22.2d,v23.2d}, [x11],#64\t// Lk_dipt, Lk_dsbo\n\tld1\t{v24.2d,v25.2d,v26.2d,v27.2d}, [x11],#64\t// Lk_dsb9, Lk_dsbd\n\tld1\t{v28.2d,v29.2d,v30.2d,v31.2d}, [x11]\t\t// Lk_dsbb, Lk_dsbe\n\tret\n\n\n##\n## Decryption core\n##\n## Same API as encryption core.\n##\n.def _vpaes_decrypt_core\n .type 32\n.endef\n.align\t4\n_vpaes_decrypt_core:\n\tmov\tx9, x2\n\tldr\tw8, [x2,#240]\t\t\t// pull rounds\n\n\t\t\t\t\t\t// vmovdqa\t.Lk_dipt(%rip), %xmm2\t# iptlo\n\tlsl\tx11, x8, #4\t\t\t// mov\t%rax,\t%r11;\tshl\t$4, %r11\n\teor\tx11, x11, #0x30\t\t\t// xor\t\t$0x30,\t%r11\n\tadrp\tx10, Lk_sr\n\tadd\tx10, x10, :lo12:Lk_sr\n\tand\tx11, x11, #0x30\t\t\t// and\t\t$0x30,\t%r11\n\tadd\tx11, x11, x10\n\tadrp\tx10, Lk_mc_forward+48\n\tadd\tx10, x10, :lo12:Lk_mc_forward+48\n\n\tld1\t{v16.2d}, [x9],#16\t\t// vmovdqu\t(%r9),\t%xmm4\t\t# round0 key\n\tand\tv1.16b, v7.16b, v17.16b\t\t// vpand\t%xmm9,\t%xmm0,\t%xmm1\n\tushr\tv0.16b, v7.16b, #4\t\t// vpsrlb\t$4,\t%xmm0,\t%xmm0\n\ttbl\tv2.16b, {v20.16b}, v1.16b\t// vpshufb\t%xmm1,\t%xmm2,\t%xmm2\n\tld1\t{v5.2d}, [x10]\t\t\t// vmovdqa\tLk_mc_forward+48(%rip), %xmm5\n\t\t\t\t\t\t// vmovdqa\t.Lk_dipt+16(%rip), %xmm1 # ipthi\n\ttbl\tv0.16b, {v21.16b}, v0.16b\t// vpshufb\t%xmm0,\t%xmm1,\t%xmm0\n\teor\tv2.16b, v2.16b, v16.16b\t\t// vpxor\t%xmm4,\t%xmm2,\t%xmm2\n\teor\tv0.16b, v0.16b, v2.16b\t\t// vpxor\t%xmm2,\t%xmm0,\t%xmm0\n\tb\tLdec_entry\n\n.align\t4\nLdec_loop:\n//\n// Inverse mix columns\n//\n\t\t\t\t\t\t// vmovdqa\t-0x20(%r10),%xmm4\t\t# 4 : sb9u\n\t\t\t\t\t\t// vmovdqa\t-0x10(%r10),%xmm1\t\t# 0 : sb9t\n\ttbl\tv4.16b, {v24.16b}, v2.16b\t\t// vpshufb\t%xmm2,\t%xmm4,\t%xmm4\t\t# 4 = sb9u\n\ttbl\tv1.16b, {v25.16b}, v3.16b\t\t// vpshufb\t%xmm3,\t%xmm1,\t%xmm1\t\t# 0 = sb9t\n\teor\tv0.16b, v4.16b, v16.16b\t\t// vpxor\t%xmm4,\t%xmm0,\t%xmm0\n\t\t\t\t\t\t// vmovdqa\t0x00(%r10),%xmm4\t\t# 4 : sbdu\n\teor\tv0.16b, v0.16b, v1.16b\t\t// vpxor\t%xmm1,\t%xmm0,\t%xmm0\t\t# 0 = ch\n\t\t\t\t\t\t// vmovdqa\t0x10(%r10),%xmm1\t\t# 0 : sbdt\n\n\ttbl\tv4.16b, {v26.16b}, v2.16b\t\t// vpshufb\t%xmm2,\t%xmm4,\t%xmm4\t\t# 4 = sbdu\n\ttbl\tv0.16b, {v0.16b}, v5.16b\t// vpshufb\t%xmm5,\t%xmm0,\t%xmm0\t\t# MC ch\n\ttbl\tv1.16b, {v27.16b}, v3.16b\t\t// vpshufb\t%xmm3,\t%xmm1,\t%xmm1\t\t# 0 = sbdt\n\teor\tv0.16b, v0.16b, v4.16b\t\t// vpxor\t%xmm4,\t%xmm0,\t%xmm0\t\t# 4 = ch\n\t\t\t\t\t\t// vmovdqa\t0x20(%r10),\t%xmm4\t\t# 4 : sbbu\n\teor\tv0.16b, v0.16b, v1.16b\t\t// vpxor\t%xmm1,\t%xmm0,\t%xmm0\t\t# 0 = ch\n\t\t\t\t\t\t// vmovdqa\t0x30(%r10),\t%xmm1\t\t# 0 : sbbt\n\n\ttbl\tv4.16b, {v28.16b}, v2.16b\t\t// vpshufb\t%xmm2,\t%xmm4,\t%xmm4\t\t# 4 = sbbu\n\ttbl\tv0.16b, {v0.16b}, v5.16b\t// vpshufb\t%xmm5,\t%xmm0,\t%xmm0\t\t# MC ch\n\ttbl\tv1.16b, {v29.16b}, v3.16b\t\t// vpshufb\t%xmm3,\t%xmm1,\t%xmm1\t\t# 0 = sbbt\n\teor\tv0.16b, v0.16b, v4.16b\t\t// vpxor\t%xmm4,\t%xmm0,\t%xmm0\t\t# 4 = ch\n\t\t\t\t\t\t// vmovdqa\t0x40(%r10),\t%xmm4\t\t# 4 : sbeu\n\teor\tv0.16b, v0.16b, v1.16b\t\t// vpxor\t%xmm1,\t%xmm0,\t%xmm0\t\t# 0 = ch\n\t\t\t\t\t\t// vmovdqa\t0x50(%r10),\t%xmm1\t\t# 0 : sbet\n\n\ttbl\tv4.16b, {v30.16b}, v2.16b\t\t// vpshufb\t%xmm2,\t%xmm4,\t%xmm4\t\t# 4 = sbeu\n\ttbl\tv0.16b, {v0.16b}, v5.16b\t// vpshufb\t%xmm5,\t%xmm0,\t%xmm0\t\t# MC ch\n\ttbl\tv1.16b, {v31.16b}, v3.16b\t\t// vpshufb\t%xmm3,\t%xmm1,\t%xmm1\t\t# 0 = sbet\n\teor\tv0.16b, v0.16b, v4.16b\t\t// vpxor\t%xmm4,\t%xmm0,\t%xmm0\t\t# 4 = ch\n\text\tv5.16b, v5.16b, v5.16b, #12\t// vpalignr $12,\t%xmm5,\t%xmm5,\t%xmm5\n\teor\tv0.16b, v0.16b, v1.16b\t\t// vpxor\t%xmm1,\t%xmm0,\t%xmm0\t\t# 0 = ch\n\tsub\tw8, w8, #1\t\t\t// sub\t\t$1,%rax\t\t\t# nr--\n\nLdec_entry:\n\t// top of round\n\tand\tv1.16b, v0.16b, v17.16b\t\t// vpand\t%xmm9,\t%xmm0,\t%xmm1\t# 0 = k\n\tushr\tv0.16b, v0.16b, #4\t\t// vpsrlb\t$4,\t%xmm0,\t%xmm0\t# 1 = i\n\ttbl\tv2.16b, {v19.16b}, v1.16b\t// vpshufb\t%xmm1,\t%xmm11,\t%xmm2\t# 2 = a/k\n\teor\tv1.16b,\tv1.16b, v0.16b\t\t// vpxor\t%xmm0,\t%xmm1,\t%xmm1\t# 0 = j\n\ttbl\tv3.16b, {v18.16b}, v0.16b\t// vpshufb\t%xmm0, \t%xmm10,\t%xmm3\t# 3 = 1/i\n\ttbl\tv4.16b, {v18.16b}, v1.16b\t// vpshufb\t%xmm1,\t%xmm10,\t%xmm4\t# 4 = 1/j\n\teor\tv3.16b, v3.16b, v2.16b\t\t// vpxor\t%xmm2,\t%xmm3,\t%xmm3\t# 3 = iak = 1/i + a/k\n\teor\tv4.16b, v4.16b, v2.16b\t\t// vpxor\t%xmm2, \t%xmm4,\t%xmm4\t# 4 = jak = 1/j + a/k\n\ttbl\tv2.16b, {v18.16b}, v3.16b\t// vpshufb\t%xmm3,\t%xmm10,\t%xmm2\t# 2 = 1/iak\n\ttbl\tv3.16b, {v18.16b}, v4.16b\t// vpshufb\t%xmm4, %xmm10,\t%xmm3\t# 3 = 1/jak\n\teor\tv2.16b, v2.16b, v1.16b\t\t// vpxor\t%xmm1,\t%xmm2,\t%xmm2\t# 2 = io\n\teor\tv3.16b, v3.16b, v0.16b\t\t// vpxor\t%xmm0, %xmm3,\t%xmm3\t# 3 = jo\n\tld1\t{v16.2d}, [x9],#16\t\t// vmovdqu\t(%r9),\t%xmm0\n\tcbnz\tw8, Ldec_loop\n\n\t// middle of last round\n\t\t\t\t\t\t// vmovdqa\t0x60(%r10),\t%xmm4\t# 3 : sbou\n\ttbl\tv4.16b, {v22.16b}, v2.16b\t\t// vpshufb\t%xmm2,\t%xmm4,\t%xmm4\t# 4 = sbou\n\t\t\t\t\t\t// vmovdqa\t0x70(%r10),\t%xmm1\t# 0 : sbot\n\tld1\t{v2.2d}, [x11]\t\t\t// vmovdqa\t-0x160(%r11),\t%xmm2\t# Lk_sr-Lk_dsbd=-0x160\n\ttbl\tv1.16b, {v23.16b}, v3.16b\t\t// vpshufb\t%xmm3,\t%xmm1,\t%xmm1\t# 0 = sb1t\n\teor\tv4.16b, v4.16b, v16.16b\t\t// vpxor\t%xmm0,\t%xmm4,\t%xmm4\t# 4 = sb1u + k\n\teor\tv0.16b, v1.16b, v4.16b\t\t// vpxor\t%xmm4,\t%xmm1,\t%xmm0\t# 0 = A\n\ttbl\tv0.16b, {v0.16b}, v2.16b\t// vpshufb\t%xmm2,\t%xmm0,\t%xmm0\n\tret\n\n\n.globl\tvpaes_decrypt\n\n.def vpaes_decrypt\n .type 32\n.endef\n.align\t4\nvpaes_decrypt:\n\tAARCH64_SIGN_LINK_REGISTER\n\tstp\tx29,x30,[sp,#-16]!\n\tadd\tx29,sp,#0\n\n\tld1\t{v7.16b}, [x0]\n\tbl\t_vpaes_decrypt_preheat\n\tbl\t_vpaes_decrypt_core\n\tst1\t{v0.16b}, [x1]\n\n\tldp\tx29,x30,[sp],#16\n\tAARCH64_VALIDATE_LINK_REGISTER\n\tret\n\n\n// v14-v15 input, v0-v1 output\n.def _vpaes_decrypt_2x\n .type 32\n.endef\n.align\t4\n_vpaes_decrypt_2x:\n\tmov\tx9, x2\n\tldr\tw8, [x2,#240]\t\t\t// pull rounds\n\n\t\t\t\t\t\t// vmovdqa\t.Lk_dipt(%rip), %xmm2\t# iptlo\n\tlsl\tx11, x8, #4\t\t\t// mov\t%rax,\t%r11;\tshl\t$4, %r11\n\teor\tx11, x11, #0x30\t\t\t// xor\t\t$0x30,\t%r11\n\tadrp\tx10, Lk_sr\n\tadd\tx10, x10, :lo12:Lk_sr\n\tand\tx11, x11, #0x30\t\t\t// and\t\t$0x30,\t%r11\n\tadd\tx11, x11, x10\n\tadrp\tx10, Lk_mc_forward+48\n\tadd\tx10, x10, :lo12:Lk_mc_forward+48\n\n\tld1\t{v16.2d}, [x9],#16\t\t// vmovdqu\t(%r9),\t%xmm4\t\t# round0 key\n\tand\tv1.16b, v14.16b, v17.16b\t// vpand\t%xmm9,\t%xmm0,\t%xmm1\n\tushr\tv0.16b, v14.16b, #4\t\t// vpsrlb\t$4,\t%xmm0,\t%xmm0\n\tand\tv9.16b, v15.16b, v17.16b\n\tushr\tv8.16b, v15.16b, #4\n\ttbl\tv2.16b, {v20.16b},v1.16b\t// vpshufb\t%xmm1,\t%xmm2,\t%xmm2\n\ttbl\tv10.16b, {v20.16b},v9.16b\n\tld1\t{v5.2d}, [x10]\t\t\t// vmovdqa\tLk_mc_forward+48(%rip), %xmm5\n\t\t\t\t\t\t// vmovdqa\t.Lk_dipt+16(%rip), %xmm1 # ipthi\n\ttbl\tv0.16b, {v21.16b},v0.16b\t// vpshufb\t%xmm0,\t%xmm1,\t%xmm0\n\ttbl\tv8.16b, {v21.16b},v8.16b\n\teor\tv2.16b, v2.16b, v16.16b\t// vpxor\t%xmm4,\t%xmm2,\t%xmm2\n\teor\tv10.16b, v10.16b, v16.16b\n\teor\tv0.16b, v0.16b, v2.16b\t// vpxor\t%xmm2,\t%xmm0,\t%xmm0\n\teor\tv8.16b, v8.16b, v10.16b\n\tb\tLdec_2x_entry\n\n.align\t4\nLdec_2x_loop:\n//\n// Inverse mix columns\n//\n\t\t\t\t\t\t// vmovdqa\t-0x20(%r10),%xmm4\t\t# 4 : sb9u\n\t\t\t\t\t\t// vmovdqa\t-0x10(%r10),%xmm1\t\t# 0 : sb9t\n\ttbl\tv4.16b, {v24.16b}, v2.16b\t// vpshufb\t%xmm2,\t%xmm4,\t%xmm4\t\t# 4 = sb9u\n\ttbl\tv12.16b, {v24.16b}, v10.16b\n\ttbl\tv1.16b, {v25.16b}, v3.16b\t// vpshufb\t%xmm3,\t%xmm1,\t%xmm1\t\t# 0 = sb9t\n\ttbl\tv9.16b, {v25.16b}, v11.16b\n\teor\tv0.16b, v4.16b, v16.16b\t// vpxor\t%xmm4,\t%xmm0,\t%xmm0\n\teor\tv8.16b, v12.16b, v16.16b\n\t\t\t\t\t\t// vmovdqa\t0x00(%r10),%xmm4\t\t# 4 : sbdu\n\teor\tv0.16b, v0.16b, v1.16b\t// vpxor\t%xmm1,\t%xmm0,\t%xmm0\t\t# 0 = ch\n\teor\tv8.16b, v8.16b, v9.16b\t// vpxor\t%xmm1,\t%xmm0,\t%xmm0\t\t# 0 = ch\n\t\t\t\t\t\t// vmovdqa\t0x10(%r10),%xmm1\t\t# 0 : sbdt\n\n\ttbl\tv4.16b, {v26.16b}, v2.16b\t// vpshufb\t%xmm2,\t%xmm4,\t%xmm4\t\t# 4 = sbdu\n\ttbl\tv12.16b, {v26.16b}, v10.16b\n\ttbl\tv0.16b, {v0.16b},v5.16b\t// vpshufb\t%xmm5,\t%xmm0,\t%xmm0\t\t# MC ch\n\ttbl\tv8.16b, {v8.16b},v5.16b\n\ttbl\tv1.16b, {v27.16b}, v3.16b\t// vpshufb\t%xmm3,\t%xmm1,\t%xmm1\t\t# 0 = sbdt\n\ttbl\tv9.16b, {v27.16b}, v11.16b\n\teor\tv0.16b, v0.16b, v4.16b\t// vpxor\t%xmm4,\t%xmm0,\t%xmm0\t\t# 4 = ch\n\teor\tv8.16b, v8.16b, v12.16b\n\t\t\t\t\t\t// vmovdqa\t0x20(%r10),\t%xmm4\t\t# 4 : sbbu\n\teor\tv0.16b, v0.16b, v1.16b\t// vpxor\t%xmm1,\t%xmm0,\t%xmm0\t\t# 0 = ch\n\teor\tv8.16b, v8.16b, v9.16b\n\t\t\t\t\t\t// vmovdqa\t0x30(%r10),\t%xmm1\t\t# 0 : sbbt\n\n\ttbl\tv4.16b, {v28.16b}, v2.16b\t// vpshufb\t%xmm2,\t%xmm4,\t%xmm4\t\t# 4 = sbbu\n\ttbl\tv12.16b, {v28.16b}, v10.16b\n\ttbl\tv0.16b, {v0.16b},v5.16b\t// vpshufb\t%xmm5,\t%xmm0,\t%xmm0\t\t# MC ch\n\ttbl\tv8.16b, {v8.16b},v5.16b\n\ttbl\tv1.16b, {v29.16b}, v3.16b\t// vpshufb\t%xmm3,\t%xmm1,\t%xmm1\t\t# 0 = sbbt\n\ttbl\tv9.16b, {v29.16b}, v11.16b\n\teor\tv0.16b, v0.16b, v4.16b\t// vpxor\t%xmm4,\t%xmm0,\t%xmm0\t\t# 4 = ch\n\teor\tv8.16b, v8.16b, v12.16b\n\t\t\t\t\t\t// vmovdqa\t0x40(%r10),\t%xmm4\t\t# 4 : sbeu\n\teor\tv0.16b, v0.16b, v1.16b\t// vpxor\t%xmm1,\t%xmm0,\t%xmm0\t\t# 0 = ch\n\teor\tv8.16b, v8.16b, v9.16b\n\t\t\t\t\t\t// vmovdqa\t0x50(%r10),\t%xmm1\t\t# 0 : sbet\n\n\ttbl\tv4.16b, {v30.16b}, v2.16b\t// vpshufb\t%xmm2,\t%xmm4,\t%xmm4\t\t# 4 = sbeu\n\ttbl\tv12.16b, {v30.16b}, v10.16b\n\ttbl\tv0.16b, {v0.16b},v5.16b\t// vpshufb\t%xmm5,\t%xmm0,\t%xmm0\t\t# MC ch\n\ttbl\tv8.16b, {v8.16b},v5.16b\n\ttbl\tv1.16b, {v31.16b}, v3.16b\t// vpshufb\t%xmm3,\t%xmm1,\t%xmm1\t\t# 0 = sbet\n\ttbl\tv9.16b, {v31.16b}, v11.16b\n\teor\tv0.16b, v0.16b, v4.16b\t// vpxor\t%xmm4,\t%xmm0,\t%xmm0\t\t# 4 = ch\n\teor\tv8.16b, v8.16b, v12.16b\n\text\tv5.16b, v5.16b, v5.16b, #12\t// vpalignr $12,\t%xmm5,\t%xmm5,\t%xmm5\n\teor\tv0.16b, v0.16b, v1.16b\t// vpxor\t%xmm1,\t%xmm0,\t%xmm0\t\t# 0 = ch\n\teor\tv8.16b, v8.16b, v9.16b\n\tsub\tw8, w8, #1\t\t\t// sub\t\t$1,%rax\t\t\t# nr--\n\nLdec_2x_entry:\n\t// top of round\n\tand\tv1.16b, v0.16b, v17.16b\t// vpand\t%xmm9,\t%xmm0,\t%xmm1\t# 0 = k\n\tushr\tv0.16b, v0.16b, #4\t\t// vpsrlb\t$4,\t%xmm0,\t%xmm0\t# 1 = i\n\tand\tv9.16b, v8.16b, v17.16b\n\tushr\tv8.16b, v8.16b, #4\n\ttbl\tv2.16b, {v19.16b},v1.16b\t// vpshufb\t%xmm1,\t%xmm11,\t%xmm2\t# 2 = a/k\n\ttbl\tv10.16b, {v19.16b},v9.16b\n\teor\tv1.16b,\t v1.16b, v0.16b\t// vpxor\t%xmm0,\t%xmm1,\t%xmm1\t# 0 = j\n\teor\tv9.16b,\t v9.16b, v8.16b\n\ttbl\tv3.16b, {v18.16b},v0.16b\t// vpshufb\t%xmm0, \t%xmm10,\t%xmm3\t# 3 = 1/i\n\ttbl\tv11.16b, {v18.16b},v8.16b\n\ttbl\tv4.16b, {v18.16b},v1.16b\t// vpshufb\t%xmm1,\t%xmm10,\t%xmm4\t# 4 = 1/j\n\ttbl\tv12.16b, {v18.16b},v9.16b\n\teor\tv3.16b, v3.16b, v2.16b\t// vpxor\t%xmm2,\t%xmm3,\t%xmm3\t# 3 = iak = 1/i + a/k\n\teor\tv11.16b, v11.16b, v10.16b\n\teor\tv4.16b, v4.16b, v2.16b\t// vpxor\t%xmm2, \t%xmm4,\t%xmm4\t# 4 = jak = 1/j + a/k\n\teor\tv12.16b, v12.16b, v10.16b\n\ttbl\tv2.16b, {v18.16b},v3.16b\t// vpshufb\t%xmm3,\t%xmm10,\t%xmm2\t# 2 = 1/iak\n\ttbl\tv10.16b, {v18.16b},v11.16b\n\ttbl\tv3.16b, {v18.16b},v4.16b\t// vpshufb\t%xmm4, %xmm10,\t%xmm3\t# 3 = 1/jak\n\ttbl\tv11.16b, {v18.16b},v12.16b\n\teor\tv2.16b, v2.16b, v1.16b\t// vpxor\t%xmm1,\t%xmm2,\t%xmm2\t# 2 = io\n\teor\tv10.16b, v10.16b, v9.16b\n\teor\tv3.16b, v3.16b, v0.16b\t// vpxor\t%xmm0, %xmm3,\t%xmm3\t# 3 = jo\n\teor\tv11.16b, v11.16b, v8.16b\n\tld1\t{v16.2d}, [x9],#16\t\t// vmovdqu\t(%r9),\t%xmm0\n\tcbnz\tw8, Ldec_2x_loop\n\n\t// middle of last round\n\t\t\t\t\t\t// vmovdqa\t0x60(%r10),\t%xmm4\t# 3 : sbou\n\ttbl\tv4.16b, {v22.16b}, v2.16b\t// vpshufb\t%xmm2,\t%xmm4,\t%xmm4\t# 4 = sbou\n\ttbl\tv12.16b, {v22.16b}, v10.16b\n\t\t\t\t\t\t// vmovdqa\t0x70(%r10),\t%xmm1\t# 0 : sbot\n\ttbl\tv1.16b, {v23.16b}, v3.16b\t// vpshufb\t%xmm3,\t%xmm1,\t%xmm1\t# 0 = sb1t\n\ttbl\tv9.16b, {v23.16b}, v11.16b\n\tld1\t{v2.2d}, [x11]\t\t\t// vmovdqa\t-0x160(%r11),\t%xmm2\t# Lk_sr-Lk_dsbd=-0x160\n\teor\tv4.16b, v4.16b, v16.16b\t// vpxor\t%xmm0,\t%xmm4,\t%xmm4\t# 4 = sb1u + k\n\teor\tv12.16b, v12.16b, v16.16b\n\teor\tv0.16b, v1.16b, v4.16b\t// vpxor\t%xmm4,\t%xmm1,\t%xmm0\t# 0 = A\n\teor\tv8.16b, v9.16b, v12.16b\n\ttbl\tv0.16b, {v0.16b},v2.16b\t// vpshufb\t%xmm2,\t%xmm0,\t%xmm0\n\ttbl\tv1.16b, {v8.16b},v2.16b\n\tret\n\n########################################################\n## ##\n## AES key schedule ##\n## ##\n########################################################\n.def _vpaes_key_preheat\n .type 32\n.endef\n.align\t4\n_vpaes_key_preheat:\n\tadrp\tx10, Lk_inv\n\tadd\tx10, x10, :lo12:Lk_inv\n\tmovi\tv16.16b, #0x5b\t\t\t// Lk_s63\n\tadrp\tx11, Lk_sb1\n\tadd\tx11, x11, :lo12:Lk_sb1\n\tmovi\tv17.16b, #0x0f\t\t\t// Lk_s0F\n\tld1\t{v18.2d,v19.2d,v20.2d,v21.2d}, [x10]\t\t// Lk_inv, Lk_ipt\n\tadrp\tx10, Lk_dksd\n\tadd\tx10, x10, :lo12:Lk_dksd\n\tld1\t{v22.2d,v23.2d}, [x11]\t\t// Lk_sb1\n\tadrp\tx11, Lk_mc_forward\n\tadd\tx11, x11, :lo12:Lk_mc_forward\n\tld1\t{v24.2d,v25.2d,v26.2d,v27.2d}, [x10],#64\t// Lk_dksd, Lk_dksb\n\tld1\t{v28.2d,v29.2d,v30.2d,v31.2d}, [x10],#64\t// Lk_dkse, Lk_dks9\n\tld1\t{v8.2d}, [x10]\t\t\t// Lk_rcon\n\tld1\t{v9.2d}, [x11]\t\t\t// Lk_mc_forward[0]\n\tret\n\n\n.def _vpaes_schedule_core\n .type 32\n.endef\n.align\t4\n_vpaes_schedule_core:\n\tAARCH64_SIGN_LINK_REGISTER\n\tstp\tx29, x30, [sp,#-16]!\n\tadd\tx29,sp,#0\n\n\tbl\t_vpaes_key_preheat\t\t// load the tables\n\n\tld1\t{v0.16b}, [x0],#16\t\t// vmovdqu\t(%rdi),\t%xmm0\t\t# load key (unaligned)\n\n\t// input transform\n\tmov\tv3.16b, v0.16b\t\t\t// vmovdqa\t%xmm0,\t%xmm3\n\tbl\t_vpaes_schedule_transform\n\tmov\tv7.16b, v0.16b\t\t\t// vmovdqa\t%xmm0,\t%xmm7\n\n\tadrp\tx10, Lk_sr\t\t// lea\tLk_sr(%rip),%r10\n\tadd\tx10, x10, :lo12:Lk_sr\n\n\tadd\tx8, x8, x10\n\tcbnz\tw3, Lschedule_am_decrypting\n\n\t// encrypting, output zeroth round key after transform\n\tst1\t{v0.2d}, [x2]\t\t\t// vmovdqu\t%xmm0,\t(%rdx)\n\tb\tLschedule_go\n\nLschedule_am_decrypting:\n\t// decrypting, output zeroth round key after shiftrows\n\tld1\t{v1.2d}, [x8]\t\t\t// vmovdqa\t(%r8,%r10),\t%xmm1\n\ttbl\tv3.16b, {v3.16b}, v1.16b\t// vpshufb %xmm1,\t%xmm3,\t%xmm3\n\tst1\t{v3.2d}, [x2]\t\t\t// vmovdqu\t%xmm3,\t(%rdx)\n\teor\tx8, x8, #0x30\t\t\t// xor\t$0x30, %r8\n\nLschedule_go:\n\tcmp\tw1, #192\t\t\t// cmp\t$192,\t%esi\n\tb.hi\tLschedule_256\n\tb.eq\tLschedule_192\n\t// 128: fall though\n\n##\n## .schedule_128\n##\n## 128-bit specific part of key schedule.\n##\n## This schedule is really simple, because all its parts\n## are accomplished by the subroutines.\n##\nLschedule_128:\n\tmov\tx0, #10\t\t\t// mov\t$10, %esi\n\nLoop_schedule_128:\n\tsub\tx0, x0, #1\t\t\t// dec\t%esi\n\tbl\t_vpaes_schedule_round\n\tcbz\tx0, Lschedule_mangle_last\n\tbl\t_vpaes_schedule_mangle\t\t// write output\n\tb\tLoop_schedule_128\n\n##\n## .aes_schedule_192\n##\n## 192-bit specific part of key schedule.\n##\n## The main body of this schedule is the same as the 128-bit\n## schedule, but with more smearing. The long, high side is\n## stored in %xmm7 as before, and the short, low side is in\n## the high bits of %xmm6.\n##\n## This schedule is somewhat nastier, however, because each\n## round produces 192 bits of key material, or 1.5 round keys.\n## Therefore, on each cycle we do 2 rounds and produce 3 round\n## keys.\n##\n.align\t4\nLschedule_192:\n\tsub\tx0, x0, #8\n\tld1\t{v0.16b}, [x0]\t\t// vmovdqu\t8(%rdi),%xmm0\t\t# load key part 2 (very unaligned)\n\tbl\t_vpaes_schedule_transform\t// input transform\n\tmov\tv6.16b, v0.16b\t\t\t// vmovdqa\t%xmm0,\t%xmm6\t\t# save short part\n\teor\tv4.16b, v4.16b, v4.16b\t\t// vpxor\t%xmm4,\t%xmm4, %xmm4\t# clear 4\n\tins\tv6.d[0], v4.d[0]\t\t// vmovhlps\t%xmm4,\t%xmm6,\t%xmm6\t\t# clobber low side with zeros\n\tmov\tx0, #4\t\t\t// mov\t$4,\t%esi\n\nLoop_schedule_192:\n\tsub\tx0, x0, #1\t\t\t// dec\t%esi\n\tbl\t_vpaes_schedule_round\n\text\tv0.16b, v6.16b, v0.16b, #8\t// vpalignr\t$8,%xmm6,%xmm0,%xmm0\n\tbl\t_vpaes_schedule_mangle\t\t// save key n\n\tbl\t_vpaes_schedule_192_smear\n\tbl\t_vpaes_schedule_mangle\t\t// save key n+1\n\tbl\t_vpaes_schedule_round\n\tcbz\tx0, Lschedule_mangle_last\n\tbl\t_vpaes_schedule_mangle\t\t// save key n+2\n\tbl\t_vpaes_schedule_192_smear\n\tb\tLoop_schedule_192\n\n##\n## .aes_schedule_256\n##\n## 256-bit specific part of key schedule.\n##\n## The structure here is very similar to the 128-bit\n## schedule, but with an additional \"low side\" in\n## %xmm6. The low side's rounds are the same as the\n## high side's, except no rcon and no rotation.\n##\n.align\t4\nLschedule_256:\n\tld1\t{v0.16b}, [x0]\t\t// vmovdqu\t16(%rdi),%xmm0\t\t# load key part 2 (unaligned)\n\tbl\t_vpaes_schedule_transform\t// input transform\n\tmov\tx0, #7\t\t\t// mov\t$7, %esi\n\nLoop_schedule_256:\n\tsub\tx0, x0, #1\t\t\t// dec\t%esi\n\tbl\t_vpaes_schedule_mangle\t\t// output low result\n\tmov\tv6.16b, v0.16b\t\t\t// vmovdqa\t%xmm0,\t%xmm6\t\t# save cur_lo in xmm6\n\n\t// high round\n\tbl\t_vpaes_schedule_round\n\tcbz\tx0, Lschedule_mangle_last\n\tbl\t_vpaes_schedule_mangle\n\n\t// low round. swap xmm7 and xmm6\n\tdup\tv0.4s, v0.s[3]\t\t\t// vpshufd\t$0xFF,\t%xmm0,\t%xmm0\n\tmovi\tv4.16b, #0\n\tmov\tv5.16b, v7.16b\t\t\t// vmovdqa\t%xmm7,\t%xmm5\n\tmov\tv7.16b, v6.16b\t\t\t// vmovdqa\t%xmm6,\t%xmm7\n\tbl\t_vpaes_schedule_low_round\n\tmov\tv7.16b, v5.16b\t\t\t// vmovdqa\t%xmm5,\t%xmm7\n\n\tb\tLoop_schedule_256\n\n##\n## .aes_schedule_mangle_last\n##\n## Mangler for last round of key schedule\n## Mangles %xmm0\n## when encrypting, outputs out(%xmm0) ^ 63\n## when decrypting, outputs unskew(%xmm0)\n##\n## Always called right before return... jumps to cleanup and exits\n##\n.align\t4\nLschedule_mangle_last:\n\t// schedule last round key from xmm0\n\tadrp\tx11, Lk_deskew\t// lea\tLk_deskew(%rip),%r11\t# prepare to deskew\n\tadd\tx11, x11, :lo12:Lk_deskew\n\n\tcbnz\tw3, Lschedule_mangle_last_dec\n\n\t// encrypting\n\tld1\t{v1.2d}, [x8]\t\t\t// vmovdqa\t(%r8,%r10),%xmm1\n\tadrp\tx11, Lk_opt\t\t// lea\tLk_opt(%rip),\t%r11\t\t# prepare to output transform\n\tadd\tx11, x11, :lo12:Lk_opt\n\tadd\tx2, x2, #32\t\t\t// add\t$32,\t%rdx\n\ttbl\tv0.16b, {v0.16b}, v1.16b\t// vpshufb\t%xmm1,\t%xmm0,\t%xmm0\t\t# output permute\n\nLschedule_mangle_last_dec:\n\tld1\t{v20.2d,v21.2d}, [x11]\t\t// reload constants\n\tsub\tx2, x2, #16\t\t\t// add\t$-16,\t%rdx\n\teor\tv0.16b, v0.16b, v16.16b\t\t// vpxor\tLk_s63(%rip),\t%xmm0,\t%xmm0\n\tbl\t_vpaes_schedule_transform\t// output transform\n\tst1\t{v0.2d}, [x2]\t\t\t// vmovdqu\t%xmm0,\t(%rdx)\t\t# save last key\n\n\t// cleanup\n\teor\tv0.16b, v0.16b, v0.16b\t\t// vpxor\t%xmm0,\t%xmm0,\t%xmm0\n\teor\tv1.16b, v1.16b, v1.16b\t\t// vpxor\t%xmm1,\t%xmm1,\t%xmm1\n\teor\tv2.16b, v2.16b, v2.16b\t\t// vpxor\t%xmm2,\t%xmm2,\t%xmm2\n\teor\tv3.16b, v3.16b, v3.16b\t\t// vpxor\t%xmm3,\t%xmm3,\t%xmm3\n\teor\tv4.16b, v4.16b, v4.16b\t\t// vpxor\t%xmm4,\t%xmm4,\t%xmm4\n\teor\tv5.16b, v5.16b, v5.16b\t\t// vpxor\t%xmm5,\t%xmm5,\t%xmm5\n\teor\tv6.16b, v6.16b, v6.16b\t\t// vpxor\t%xmm6,\t%xmm6,\t%xmm6\n\teor\tv7.16b, v7.16b, v7.16b\t\t// vpxor\t%xmm7,\t%xmm7,\t%xmm7\n\tldp\tx29, x30, [sp],#16\n\tAARCH64_VALIDATE_LINK_REGISTER\n\tret\n\n\n##\n## .aes_schedule_192_smear\n##\n## Smear the short, low side in the 192-bit key schedule.\n##\n## Inputs:\n## %xmm7: high side, b a x y\n## %xmm6: low side, d c 0 0\n## %xmm13: 0\n##\n## Outputs:\n## %xmm6: b+c+d b+c 0 0\n## %xmm0: b+c+d b+c b a\n##\n.def _vpaes_schedule_192_smear\n .type 32\n.endef\n.align\t4\n_vpaes_schedule_192_smear:\n\tmovi\tv1.16b, #0\n\tdup\tv0.4s, v7.s[3]\n\tins\tv1.s[3], v6.s[2]\t// vpshufd\t$0x80,\t%xmm6,\t%xmm1\t# d c 0 0 -> c 0 0 0\n\tins\tv0.s[0], v7.s[2]\t// vpshufd\t$0xFE,\t%xmm7,\t%xmm0\t# b a _ _ -> b b b a\n\teor\tv6.16b, v6.16b, v1.16b\t// vpxor\t%xmm1,\t%xmm6,\t%xmm6\t# -> c+d c 0 0\n\teor\tv1.16b, v1.16b, v1.16b\t// vpxor\t%xmm1,\t%xmm1,\t%xmm1\n\teor\tv6.16b, v6.16b, v0.16b\t// vpxor\t%xmm0,\t%xmm6,\t%xmm6\t# -> b+c+d b+c b a\n\tmov\tv0.16b, v6.16b\t\t// vmovdqa\t%xmm6,\t%xmm0\n\tins\tv6.d[0], v1.d[0]\t// vmovhlps\t%xmm1,\t%xmm6,\t%xmm6\t# clobber low side with zeros\n\tret\n\n\n##\n## .aes_schedule_round\n##\n## Runs one main round of the key schedule on %xmm0, %xmm7\n##\n## Specifically, runs subbytes on the high dword of %xmm0\n## then rotates it by one byte and xors into the low dword of\n## %xmm7.\n##\n## Adds rcon from low byte of %xmm8, then rotates %xmm8 for\n## next rcon.\n##\n## Smears the dwords of %xmm7 by xoring the low into the\n## second low, result into third, result into highest.\n##\n## Returns results in %xmm7 = %xmm0.\n## Clobbers %xmm1-%xmm4, %r11.\n##\n.def _vpaes_schedule_round\n .type 32\n.endef\n.align\t4\n_vpaes_schedule_round:\n\t// extract rcon from xmm8\n\tmovi\tv4.16b, #0\t\t\t// vpxor\t%xmm4,\t%xmm4,\t%xmm4\n\text\tv1.16b, v8.16b, v4.16b, #15\t// vpalignr\t$15,\t%xmm8,\t%xmm4,\t%xmm1\n\text\tv8.16b, v8.16b, v8.16b, #15\t// vpalignr\t$15,\t%xmm8,\t%xmm8,\t%xmm8\n\teor\tv7.16b, v7.16b, v1.16b\t\t// vpxor\t%xmm1,\t%xmm7,\t%xmm7\n\n\t// rotate\n\tdup\tv0.4s, v0.s[3]\t\t\t// vpshufd\t$0xFF,\t%xmm0,\t%xmm0\n\text\tv0.16b, v0.16b, v0.16b, #1\t// vpalignr\t$1,\t%xmm0,\t%xmm0,\t%xmm0\n\n\t// fall through...\n\n\t// low round: same as high round, but no rotation and no rcon.\n_vpaes_schedule_low_round:\n\t// smear xmm7\n\text\tv1.16b, v4.16b, v7.16b, #12\t// vpslldq\t$4,\t%xmm7,\t%xmm1\n\teor\tv7.16b, v7.16b, v1.16b\t\t// vpxor\t%xmm1,\t%xmm7,\t%xmm7\n\text\tv4.16b, v4.16b, v7.16b, #8\t// vpslldq\t$8,\t%xmm7,\t%xmm4\n\n\t// subbytes\n\tand\tv1.16b, v0.16b, v17.16b\t\t// vpand\t%xmm9,\t%xmm0,\t%xmm1\t\t# 0 = k\n\tushr\tv0.16b, v0.16b, #4\t\t// vpsrlb\t$4,\t%xmm0,\t%xmm0\t\t# 1 = i\n\teor\tv7.16b, v7.16b, v4.16b\t\t// vpxor\t%xmm4,\t%xmm7,\t%xmm7\n\ttbl\tv2.16b, {v19.16b}, v1.16b\t// vpshufb\t%xmm1,\t%xmm11,\t%xmm2\t\t# 2 = a/k\n\teor\tv1.16b, v1.16b, v0.16b\t\t// vpxor\t%xmm0,\t%xmm1,\t%xmm1\t\t# 0 = j\n\ttbl\tv3.16b, {v18.16b}, v0.16b\t// vpshufb\t%xmm0, \t%xmm10,\t%xmm3\t\t# 3 = 1/i\n\teor\tv3.16b, v3.16b, v2.16b\t\t// vpxor\t%xmm2,\t%xmm3,\t%xmm3\t\t# 3 = iak = 1/i + a/k\n\ttbl\tv4.16b, {v18.16b}, v1.16b\t// vpshufb\t%xmm1,\t%xmm10,\t%xmm4\t\t# 4 = 1/j\n\teor\tv7.16b, v7.16b, v16.16b\t\t// vpxor\tLk_s63(%rip),\t%xmm7,\t%xmm7\n\ttbl\tv3.16b, {v18.16b}, v3.16b\t// vpshufb\t%xmm3,\t%xmm10,\t%xmm3\t\t# 2 = 1/iak\n\teor\tv4.16b, v4.16b, v2.16b\t\t// vpxor\t%xmm2,\t%xmm4,\t%xmm4\t\t# 4 = jak = 1/j + a/k\n\ttbl\tv2.16b, {v18.16b}, v4.16b\t// vpshufb\t%xmm4,\t%xmm10,\t%xmm2\t\t# 3 = 1/jak\n\teor\tv3.16b, v3.16b, v1.16b\t\t// vpxor\t%xmm1,\t%xmm3,\t%xmm3\t\t# 2 = io\n\teor\tv2.16b, v2.16b, v0.16b\t\t// vpxor\t%xmm0,\t%xmm2,\t%xmm2\t\t# 3 = jo\n\ttbl\tv4.16b, {v23.16b}, v3.16b\t// vpshufb\t%xmm3,\t%xmm13,\t%xmm4\t\t# 4 = sbou\n\ttbl\tv1.16b, {v22.16b}, v2.16b\t// vpshufb\t%xmm2,\t%xmm12,\t%xmm1\t\t# 0 = sb1t\n\teor\tv1.16b, v1.16b, v4.16b\t\t// vpxor\t%xmm4,\t%xmm1,\t%xmm1\t\t# 0 = sbox output\n\n\t// add in smeared stuff\n\teor\tv0.16b, v1.16b, v7.16b\t\t// vpxor\t%xmm7,\t%xmm1,\t%xmm0\n\teor\tv7.16b, v1.16b, v7.16b\t\t// vmovdqa\t%xmm0,\t%xmm7\n\tret\n\n\n##\n## .aes_schedule_transform\n##\n## Linear-transform %xmm0 according to tables at (%r11)\n##\n## Requires that %xmm9 = 0x0F0F... as in preheat\n## Output in %xmm0\n## Clobbers %xmm1, %xmm2\n##\n.def _vpaes_schedule_transform\n .type 32\n.endef\n.align\t4\n_vpaes_schedule_transform:\n\tand\tv1.16b, v0.16b, v17.16b\t\t// vpand\t%xmm9,\t%xmm0,\t%xmm1\n\tushr\tv0.16b, v0.16b, #4\t\t// vpsrlb\t$4,\t%xmm0,\t%xmm0\n\t\t\t\t\t\t// vmovdqa\t(%r11),\t%xmm2 \t# lo\n\ttbl\tv2.16b, {v20.16b}, v1.16b\t// vpshufb\t%xmm1,\t%xmm2,\t%xmm2\n\t\t\t\t\t\t// vmovdqa\t16(%r11),\t%xmm1 # hi\n\ttbl\tv0.16b, {v21.16b}, v0.16b\t// vpshufb\t%xmm0,\t%xmm1,\t%xmm0\n\teor\tv0.16b, v0.16b, v2.16b\t\t// vpxor\t%xmm2,\t%xmm0,\t%xmm0\n\tret\n\n\n##\n## .aes_schedule_mangle\n##\n## Mangle xmm0 from (basis-transformed) standard version\n## to our version.\n##\n## On encrypt,\n## xor with 0x63\n## multiply by circulant 0,1,1,1\n## apply shiftrows transform\n##\n## On decrypt,\n## xor with 0x63\n## multiply by \"inverse mixcolumns\" circulant E,B,D,9\n## deskew\n## apply shiftrows transform\n##\n##\n## Writes out to (%rdx), and increments or decrements it\n## Keeps track of round number mod 4 in %r8\n## Preserves xmm0\n## Clobbers xmm1-xmm5\n##\n.def _vpaes_schedule_mangle\n .type 32\n.endef\n.align\t4\n_vpaes_schedule_mangle:\n\tmov\tv4.16b, v0.16b\t\t\t// vmovdqa\t%xmm0,\t%xmm4\t# save xmm0 for later\n\t\t\t\t\t\t// vmovdqa\t.Lk_mc_forward(%rip),%xmm5\n\tcbnz\tw3, Lschedule_mangle_dec\n\n\t// encrypting\n\teor\tv4.16b, v0.16b, v16.16b\t\t// vpxor\tLk_s63(%rip),\t%xmm0,\t%xmm4\n\tadd\tx2, x2, #16\t\t\t// add\t$16,\t%rdx\n\ttbl\tv4.16b, {v4.16b}, v9.16b\t// vpshufb\t%xmm5,\t%xmm4,\t%xmm4\n\ttbl\tv1.16b, {v4.16b}, v9.16b\t// vpshufb\t%xmm5,\t%xmm4,\t%xmm1\n\ttbl\tv3.16b, {v1.16b}, v9.16b\t// vpshufb\t%xmm5,\t%xmm1,\t%xmm3\n\teor\tv4.16b, v4.16b, v1.16b\t\t// vpxor\t%xmm1,\t%xmm4,\t%xmm4\n\tld1\t{v1.2d}, [x8]\t\t\t// vmovdqa\t(%r8,%r10),\t%xmm1\n\teor\tv3.16b, v3.16b, v4.16b\t\t// vpxor\t%xmm4,\t%xmm3,\t%xmm3\n\n\tb\tLschedule_mangle_both\n.align\t4\nLschedule_mangle_dec:\n\t// inverse mix columns\n\t\t\t\t\t\t// lea\t.Lk_dksd(%rip),%r11\n\tushr\tv1.16b, v4.16b, #4\t\t// vpsrlb\t$4,\t%xmm4,\t%xmm1\t# 1 = hi\n\tand\tv4.16b, v4.16b, v17.16b\t\t// vpand\t%xmm9,\t%xmm4,\t%xmm4\t# 4 = lo\n\n\t\t\t\t\t\t// vmovdqa\t0x00(%r11),\t%xmm2\n\ttbl\tv2.16b, {v24.16b}, v4.16b\t// vpshufb\t%xmm4,\t%xmm2,\t%xmm2\n\t\t\t\t\t\t// vmovdqa\t0x10(%r11),\t%xmm3\n\ttbl\tv3.16b,\t{v25.16b}, v1.16b\t// vpshufb\t%xmm1,\t%xmm3,\t%xmm3\n\teor\tv3.16b, v3.16b, v2.16b\t\t// vpxor\t%xmm2,\t%xmm3,\t%xmm3\n\ttbl\tv3.16b, {v3.16b}, v9.16b\t// vpshufb\t%xmm5,\t%xmm3,\t%xmm3\n\n\t\t\t\t\t\t// vmovdqa\t0x20(%r11),\t%xmm2\n\ttbl\tv2.16b, {v26.16b}, v4.16b\t// vpshufb\t%xmm4,\t%xmm2,\t%xmm2\n\teor\tv2.16b, v2.16b, v3.16b\t\t// vpxor\t%xmm3,\t%xmm2,\t%xmm2\n\t\t\t\t\t\t// vmovdqa\t0x30(%r11),\t%xmm3\n\ttbl\tv3.16b, {v27.16b}, v1.16b\t// vpshufb\t%xmm1,\t%xmm3,\t%xmm3\n\teor\tv3.16b, v3.16b, v2.16b\t\t// vpxor\t%xmm2,\t%xmm3,\t%xmm3\n\ttbl\tv3.16b, {v3.16b}, v9.16b\t// vpshufb\t%xmm5,\t%xmm3,\t%xmm3\n\n\t\t\t\t\t\t// vmovdqa\t0x40(%r11),\t%xmm2\n\ttbl\tv2.16b, {v28.16b}, v4.16b\t// vpshufb\t%xmm4,\t%xmm2,\t%xmm2\n\teor\tv2.16b, v2.16b, v3.16b\t\t// vpxor\t%xmm3,\t%xmm2,\t%xmm2\n\t\t\t\t\t\t// vmovdqa\t0x50(%r11),\t%xmm3\n\ttbl\tv3.16b, {v29.16b}, v1.16b\t// vpshufb\t%xmm1,\t%xmm3,\t%xmm3\n\teor\tv3.16b, v3.16b, v2.16b\t\t// vpxor\t%xmm2,\t%xmm3,\t%xmm3\n\n\t\t\t\t\t\t// vmovdqa\t0x60(%r11),\t%xmm2\n\ttbl\tv2.16b, {v30.16b}, v4.16b\t// vpshufb\t%xmm4,\t%xmm2,\t%xmm2\n\ttbl\tv3.16b, {v3.16b}, v9.16b\t// vpshufb\t%xmm5,\t%xmm3,\t%xmm3\n\t\t\t\t\t\t// vmovdqa\t0x70(%r11),\t%xmm4\n\ttbl\tv4.16b, {v31.16b}, v1.16b\t// vpshufb\t%xmm1,\t%xmm4,\t%xmm4\n\tld1\t{v1.2d}, [x8]\t\t\t// vmovdqa\t(%r8,%r10),\t%xmm1\n\teor\tv2.16b, v2.16b, v3.16b\t\t// vpxor\t%xmm3,\t%xmm2,\t%xmm2\n\teor\tv3.16b, v4.16b, v2.16b\t\t// vpxor\t%xmm2,\t%xmm4,\t%xmm3\n\n\tsub\tx2, x2, #16\t\t\t// add\t$-16,\t%rdx\n\nLschedule_mangle_both:\n\ttbl\tv3.16b, {v3.16b}, v1.16b\t// vpshufb\t%xmm1,\t%xmm3,\t%xmm3\n\tadd\tx8, x8, #48\t\t\t// add\t$-16,\t%r8\n\tand\tx8, x8, #~(1<<6)\t\t// and\t$0x30,\t%r8\n\tst1\t{v3.2d}, [x2]\t\t\t// vmovdqu\t%xmm3,\t(%rdx)\n\tret\n\n\n.globl\tvpaes_set_encrypt_key\n\n.def vpaes_set_encrypt_key\n .type 32\n.endef\n.align\t4\nvpaes_set_encrypt_key:\n\tAARCH64_SIGN_LINK_REGISTER\n\tstp\tx29,x30,[sp,#-16]!\n\tadd\tx29,sp,#0\n\tstp\td8,d9,[sp,#-16]!\t// ABI spec says so\n\n\tlsr\tw9, w1, #5\t\t// shr\t$5,%eax\n\tadd\tw9, w9, #5\t\t// $5,%eax\n\tstr\tw9, [x2,#240]\t\t// mov\t%eax,240(%rdx)\t# AES_KEY->rounds = nbits/32+5;\n\n\tmov\tw3, #0\t\t// mov\t$0,%ecx\n\tmov\tx8, #0x30\t\t// mov\t$0x30,%r8d\n\tbl\t_vpaes_schedule_core\n\teor\tx0, x0, x0\n\n\tldp\td8,d9,[sp],#16\n\tldp\tx29,x30,[sp],#16\n\tAARCH64_VALIDATE_LINK_REGISTER\n\tret\n\n\n.globl\tvpaes_set_decrypt_key\n\n.def vpaes_set_decrypt_key\n .type 32\n.endef\n.align\t4\nvpaes_set_decrypt_key:\n\tAARCH64_SIGN_LINK_REGISTER\n\tstp\tx29,x30,[sp,#-16]!\n\tadd\tx29,sp,#0\n\tstp\td8,d9,[sp,#-16]!\t// ABI spec says so\n\n\tlsr\tw9, w1, #5\t\t// shr\t$5,%eax\n\tadd\tw9, w9, #5\t\t// $5,%eax\n\tstr\tw9, [x2,#240]\t\t// mov\t%eax,240(%rdx)\t# AES_KEY->rounds = nbits/32+5;\n\tlsl\tw9, w9, #4\t\t// shl\t$4,%eax\n\tadd\tx2, x2, #16\t\t// lea\t16(%rdx,%rax),%rdx\n\tadd\tx2, x2, x9\n\n\tmov\tw3, #1\t\t// mov\t$1,%ecx\n\tlsr\tw8, w1, #1\t\t// shr\t$1,%r8d\n\tand\tx8, x8, #32\t\t// and\t$32,%r8d\n\teor\tx8, x8, #32\t\t// xor\t$32,%r8d\t# nbits==192?0:32\n\tbl\t_vpaes_schedule_core\n\n\tldp\td8,d9,[sp],#16\n\tldp\tx29,x30,[sp],#16\n\tAARCH64_VALIDATE_LINK_REGISTER\n\tret\n\n.globl\tvpaes_cbc_encrypt\n\n.def vpaes_cbc_encrypt\n .type 32\n.endef\n.align\t4\nvpaes_cbc_encrypt:\n\tAARCH64_SIGN_LINK_REGISTER\n\tcbz\tx2, Lcbc_abort\n\tcmp\tw5, #0\t\t\t// check direction\n\tb.eq\tvpaes_cbc_decrypt\n\n\tstp\tx29,x30,[sp,#-16]!\n\tadd\tx29,sp,#0\n\n\tmov\tx17, x2\t\t// reassign\n\tmov\tx2, x3\t\t// reassign\n\n\tld1\t{v0.16b}, [x4]\t// load ivec\n\tbl\t_vpaes_encrypt_preheat\n\tb\tLcbc_enc_loop\n\n.align\t4\nLcbc_enc_loop:\n\tld1\t{v7.16b}, [x0],#16\t// load input\n\teor\tv7.16b, v7.16b, v0.16b\t// xor with ivec\n\tbl\t_vpaes_encrypt_core\n\tst1\t{v0.16b}, [x1],#16\t// save output\n\tsubs\tx17, x17, #16\n\tb.hi\tLcbc_enc_loop\n\n\tst1\t{v0.16b}, [x4]\t// write ivec\n\n\tldp\tx29,x30,[sp],#16\nLcbc_abort:\n\tAARCH64_VALIDATE_LINK_REGISTER\n\tret\n\n\n.def vpaes_cbc_decrypt\n .type 32\n.endef\n.align\t4\nvpaes_cbc_decrypt:\n\t// Not adding AARCH64_SIGN_LINK_REGISTER here because vpaes_cbc_decrypt is jumped to\n\t// only from vpaes_cbc_encrypt which has already signed the return address.\n\tstp\tx29,x30,[sp,#-16]!\n\tadd\tx29,sp,#0\n\tstp\td8,d9,[sp,#-16]!\t// ABI spec says so\n\tstp\td10,d11,[sp,#-16]!\n\tstp\td12,d13,[sp,#-16]!\n\tstp\td14,d15,[sp,#-16]!\n\n\tmov\tx17, x2\t\t// reassign\n\tmov\tx2, x3\t\t// reassign\n\tld1\t{v6.16b}, [x4]\t// load ivec\n\tbl\t_vpaes_decrypt_preheat\n\ttst\tx17, #16\n\tb.eq\tLcbc_dec_loop2x\n\n\tld1\t{v7.16b}, [x0], #16\t// load input\n\tbl\t_vpaes_decrypt_core\n\teor\tv0.16b, v0.16b, v6.16b\t// xor with ivec\n\torr\tv6.16b, v7.16b, v7.16b\t// next ivec value\n\tst1\t{v0.16b}, [x1], #16\n\tsubs\tx17, x17, #16\n\tb.ls\tLcbc_dec_done\n\n.align\t4\nLcbc_dec_loop2x:\n\tld1\t{v14.16b,v15.16b}, [x0], #32\n\tbl\t_vpaes_decrypt_2x\n\teor\tv0.16b, v0.16b, v6.16b\t// xor with ivec\n\teor\tv1.16b, v1.16b, v14.16b\n\torr\tv6.16b, v15.16b, v15.16b\n\tst1\t{v0.16b,v1.16b}, [x1], #32\n\tsubs\tx17, x17, #32\n\tb.hi\tLcbc_dec_loop2x\n\nLcbc_dec_done:\n\tst1\t{v6.16b}, [x4]\n\n\tldp\td14,d15,[sp],#16\n\tldp\td12,d13,[sp],#16\n\tldp\td10,d11,[sp],#16\n\tldp\td8,d9,[sp],#16\n\tldp\tx29,x30,[sp],#16\n\tAARCH64_VALIDATE_LINK_REGISTER\n\tret\n\n.globl\tvpaes_ctr32_encrypt_blocks\n\n.def vpaes_ctr32_encrypt_blocks\n .type 32\n.endef\n.align\t4\nvpaes_ctr32_encrypt_blocks:\n\tAARCH64_SIGN_LINK_REGISTER\n\tstp\tx29,x30,[sp,#-16]!\n\tadd\tx29,sp,#0\n\tstp\td8,d9,[sp,#-16]!\t// ABI spec says so\n\tstp\td10,d11,[sp,#-16]!\n\tstp\td12,d13,[sp,#-16]!\n\tstp\td14,d15,[sp,#-16]!\n\n\tcbz\tx2, Lctr32_done\n\n\t// Note, unlike the other functions, x2 here is measured in blocks,\n\t// not bytes.\n\tmov\tx17, x2\n\tmov\tx2, x3\n\n\t// Load the IV and counter portion.\n\tldr\tw6, [x4, #12]\n\tld1\t{v7.16b}, [x4]\n\n\tbl\t_vpaes_encrypt_preheat\n\ttst\tx17, #1\n\trev\tw6, w6\t\t// The counter is big-endian.\n\tb.eq\tLctr32_prep_loop\n\n\t// Handle one block so the remaining block count is even for\n\t// _vpaes_encrypt_2x.\n\tld1\t{v6.16b}, [x0], #16\t// Load input ahead of time\n\tbl\t_vpaes_encrypt_core\n\teor\tv0.16b, v0.16b, v6.16b\t// XOR input and result\n\tst1\t{v0.16b}, [x1], #16\n\tsubs\tx17, x17, #1\n\t// Update the counter.\n\tadd\tw6, w6, #1\n\trev\tw7, w6\n\tmov\tv7.s[3], w7\n\tb.ls\tLctr32_done\n\nLctr32_prep_loop:\n\t// _vpaes_encrypt_core takes its input from v7, while _vpaes_encrypt_2x\n\t// uses v14 and v15.\n\tmov\tv15.16b, v7.16b\n\tmov\tv14.16b, v7.16b\n\tadd\tw6, w6, #1\n\trev\tw7, w6\n\tmov\tv15.s[3], w7\n\nLctr32_loop:\n\tld1\t{v6.16b,v7.16b}, [x0], #32\t// Load input ahead of time\n\tbl\t_vpaes_encrypt_2x\n\teor\tv0.16b, v0.16b, v6.16b\t\t// XOR input and result\n\teor\tv1.16b, v1.16b, v7.16b\t\t// XOR input and result (#2)\n\tst1\t{v0.16b,v1.16b}, [x1], #32\n\tsubs\tx17, x17, #2\n\t// Update the counter.\n\tadd\tw7, w6, #1\n\tadd\tw6, w6, #2\n\trev\tw7, w7\n\tmov\tv14.s[3], w7\n\trev\tw7, w6\n\tmov\tv15.s[3], w7\n\tb.hi\tLctr32_loop\n\nLctr32_done:\n\tldp\td14,d15,[sp],#16\n\tldp\td12,d13,[sp],#16\n\tldp\td10,d11,[sp],#16\n\tldp\td8,d9,[sp],#16\n\tldp\tx29,x30,[sp],#16\n\tAARCH64_VALIDATE_LINK_REGISTER\n\tret\n\n#endif // !OPENSSL_NO_ASM && defined(OPENSSL_AARCH64) && defined(_WIN32)\n#if defined(__linux__) && defined(__ELF__)\n.section .note.GNU-stack,\"\",%progbits\n#endif\n\n" }, { "path": "Sources/CNIOBoringSSL/gen/bcm/vpaes-x86-apple.S", "content": "#define BORINGSSL_PREFIX CNIOBoringSSL\n// This file is generated from a similarly-named Perl script in the BoringSSL\n// source tree. Do not edit by hand.\n\n#include \n\n#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86) && defined(__APPLE__)\n.text\n#ifdef BORINGSSL_DISPATCH_TEST\n#endif\n.align\t6,0x90\nL_vpaes_consts:\n.long\t218628480,235210255,168496130,67568393\n.long\t252381056,17041926,33884169,51187212\n.long\t252645135,252645135,252645135,252645135\n.long\t1512730624,3266504856,1377990664,3401244816\n.long\t830229760,1275146365,2969422977,3447763452\n.long\t3411033600,2979783055,338359620,2782886510\n.long\t4209124096,907596821,221174255,1006095553\n.long\t191964160,3799684038,3164090317,1589111125\n.long\t182528256,1777043520,2877432650,3265356744\n.long\t1874708224,3503451415,3305285752,363511674\n.long\t1606117888,3487855781,1093350906,2384367825\n.long\t197121,67569157,134941193,202313229\n.long\t67569157,134941193,202313229,197121\n.long\t134941193,202313229,197121,67569157\n.long\t202313229,197121,67569157,134941193\n.long\t33619971,100992007,168364043,235736079\n.long\t235736079,33619971,100992007,168364043\n.long\t168364043,235736079,33619971,100992007\n.long\t100992007,168364043,235736079,33619971\n.long\t50462976,117835012,185207048,252579084\n.long\t252314880,51251460,117574920,184942860\n.long\t184682752,252054788,50987272,118359308\n.long\t118099200,185467140,251790600,50727180\n.long\t2946363062,528716217,1300004225,1881839624\n.long\t1532713819,1532713819,1532713819,1532713819\n.long\t3602276352,4288629033,3737020424,4153884961\n.long\t1354558464,32357713,2958822624,3775749553\n.long\t1201988352,132424512,1572796698,503232858\n.long\t2213177600,1597421020,4103937655,675398315\n.long\t2749646592,4273543773,1511898873,121693092\n.long\t3040248576,1103263732,2871565598,1608280554\n.long\t2236667136,2588920351,482954393,64377734\n.long\t3069987328,291237287,2117370568,3650299247\n.long\t533321216,3573750986,2572112006,1401264716\n.long\t1339849704,2721158661,548607111,3445553514\n.long\t2128193280,3054596040,2183486460,1257083700\n.long\t655635200,1165381986,3923443150,2344132524\n.long\t190078720,256924420,290342170,357187870\n.long\t1610966272,2263057382,4103205268,309794674\n.long\t2592527872,2233205587,1335446729,3402964816\n.long\t3973531904,3225098121,3002836325,1918774430\n.long\t3870401024,2102906079,2284471353,4117666579\n.long\t617007872,1021508343,366931923,691083277\n.long\t2528395776,3491914898,2968704004,1613121270\n.long\t3445188352,3247741094,844474987,4093578302\n.long\t651481088,1190302358,1689581232,574775300\n.long\t4289380608,206939853,2555985458,2489840491\n.long\t2130264064,327674451,3566485037,3349835193\n.long\t2470714624,316102159,3636825756,3393945945\n.byte\t86,101,99,116,111,114,32,80,101,114,109,117,116,97,116,105\n.byte\t111,110,32,65,69,83,32,102,111,114,32,120,56,54,47,83\n.byte\t83,83,69,51,44,32,77,105,107,101,32,72,97,109,98,117\n.byte\t114,103,32,40,83,116,97,110,102,111,114,100,32,85,110,105\n.byte\t118,101,114,115,105,116,121,41,0\n.align\t6,0x90\n.private_extern\t__vpaes_preheat\n.align\t4\n__vpaes_preheat:\n\taddl\t(%esp),%ebp\n\tmovdqa\t-48(%ebp),%xmm7\n\tmovdqa\t-16(%ebp),%xmm6\n\tret\n.private_extern\t__vpaes_encrypt_core\n.align\t4\n__vpaes_encrypt_core:\n\tmovl\t$16,%ecx\n\tmovl\t240(%edx),%eax\n\tmovdqa\t%xmm6,%xmm1\n\tmovdqa\t(%ebp),%xmm2\n\tpandn\t%xmm0,%xmm1\n\tpand\t%xmm6,%xmm0\n\tmovdqu\t(%edx),%xmm5\n.byte\t102,15,56,0,208\n\tmovdqa\t16(%ebp),%xmm0\n\tpxor\t%xmm5,%xmm2\n\tpsrld\t$4,%xmm1\n\taddl\t$16,%edx\n.byte\t102,15,56,0,193\n\tleal\t192(%ebp),%ebx\n\tpxor\t%xmm2,%xmm0\n\tjmp\tL000enc_entry\n.align\t4,0x90\nL001enc_loop:\n\tmovdqa\t32(%ebp),%xmm4\n\tmovdqa\t48(%ebp),%xmm0\n.byte\t102,15,56,0,226\n.byte\t102,15,56,0,195\n\tpxor\t%xmm5,%xmm4\n\tmovdqa\t64(%ebp),%xmm5\n\tpxor\t%xmm4,%xmm0\n\tmovdqa\t-64(%ebx,%ecx,1),%xmm1\n.byte\t102,15,56,0,234\n\tmovdqa\t80(%ebp),%xmm2\n\tmovdqa\t(%ebx,%ecx,1),%xmm4\n.byte\t102,15,56,0,211\n\tmovdqa\t%xmm0,%xmm3\n\tpxor\t%xmm5,%xmm2\n.byte\t102,15,56,0,193\n\taddl\t$16,%edx\n\tpxor\t%xmm2,%xmm0\n.byte\t102,15,56,0,220\n\taddl\t$16,%ecx\n\tpxor\t%xmm0,%xmm3\n.byte\t102,15,56,0,193\n\tandl\t$48,%ecx\n\tsubl\t$1,%eax\n\tpxor\t%xmm3,%xmm0\nL000enc_entry:\n\tmovdqa\t%xmm6,%xmm1\n\tmovdqa\t-32(%ebp),%xmm5\n\tpandn\t%xmm0,%xmm1\n\tpsrld\t$4,%xmm1\n\tpand\t%xmm6,%xmm0\n.byte\t102,15,56,0,232\n\tmovdqa\t%xmm7,%xmm3\n\tpxor\t%xmm1,%xmm0\n.byte\t102,15,56,0,217\n\tmovdqa\t%xmm7,%xmm4\n\tpxor\t%xmm5,%xmm3\n.byte\t102,15,56,0,224\n\tmovdqa\t%xmm7,%xmm2\n\tpxor\t%xmm5,%xmm4\n.byte\t102,15,56,0,211\n\tmovdqa\t%xmm7,%xmm3\n\tpxor\t%xmm0,%xmm2\n.byte\t102,15,56,0,220\n\tmovdqu\t(%edx),%xmm5\n\tpxor\t%xmm1,%xmm3\n\tjnz\tL001enc_loop\n\tmovdqa\t96(%ebp),%xmm4\n\tmovdqa\t112(%ebp),%xmm0\n.byte\t102,15,56,0,226\n\tpxor\t%xmm5,%xmm4\n.byte\t102,15,56,0,195\n\tmovdqa\t64(%ebx,%ecx,1),%xmm1\n\tpxor\t%xmm4,%xmm0\n.byte\t102,15,56,0,193\n\tret\n.private_extern\t__vpaes_decrypt_core\n.align\t4\n__vpaes_decrypt_core:\n\tleal\t608(%ebp),%ebx\n\tmovl\t240(%edx),%eax\n\tmovdqa\t%xmm6,%xmm1\n\tmovdqa\t-64(%ebx),%xmm2\n\tpandn\t%xmm0,%xmm1\n\tmovl\t%eax,%ecx\n\tpsrld\t$4,%xmm1\n\tmovdqu\t(%edx),%xmm5\n\tshll\t$4,%ecx\n\tpand\t%xmm6,%xmm0\n.byte\t102,15,56,0,208\n\tmovdqa\t-48(%ebx),%xmm0\n\txorl\t$48,%ecx\n.byte\t102,15,56,0,193\n\tandl\t$48,%ecx\n\tpxor\t%xmm5,%xmm2\n\tmovdqa\t176(%ebp),%xmm5\n\tpxor\t%xmm2,%xmm0\n\taddl\t$16,%edx\n\tleal\t-352(%ebx,%ecx,1),%ecx\n\tjmp\tL002dec_entry\n.align\t4,0x90\nL003dec_loop:\n\tmovdqa\t-32(%ebx),%xmm4\n\tmovdqa\t-16(%ebx),%xmm1\n.byte\t102,15,56,0,226\n.byte\t102,15,56,0,203\n\tpxor\t%xmm4,%xmm0\n\tmovdqa\t(%ebx),%xmm4\n\tpxor\t%xmm1,%xmm0\n\tmovdqa\t16(%ebx),%xmm1\n.byte\t102,15,56,0,226\n.byte\t102,15,56,0,197\n.byte\t102,15,56,0,203\n\tpxor\t%xmm4,%xmm0\n\tmovdqa\t32(%ebx),%xmm4\n\tpxor\t%xmm1,%xmm0\n\tmovdqa\t48(%ebx),%xmm1\n.byte\t102,15,56,0,226\n.byte\t102,15,56,0,197\n.byte\t102,15,56,0,203\n\tpxor\t%xmm4,%xmm0\n\tmovdqa\t64(%ebx),%xmm4\n\tpxor\t%xmm1,%xmm0\n\tmovdqa\t80(%ebx),%xmm1\n.byte\t102,15,56,0,226\n.byte\t102,15,56,0,197\n.byte\t102,15,56,0,203\n\tpxor\t%xmm4,%xmm0\n\taddl\t$16,%edx\n.byte\t102,15,58,15,237,12\n\tpxor\t%xmm1,%xmm0\n\tsubl\t$1,%eax\nL002dec_entry:\n\tmovdqa\t%xmm6,%xmm1\n\tmovdqa\t-32(%ebp),%xmm2\n\tpandn\t%xmm0,%xmm1\n\tpand\t%xmm6,%xmm0\n\tpsrld\t$4,%xmm1\n.byte\t102,15,56,0,208\n\tmovdqa\t%xmm7,%xmm3\n\tpxor\t%xmm1,%xmm0\n.byte\t102,15,56,0,217\n\tmovdqa\t%xmm7,%xmm4\n\tpxor\t%xmm2,%xmm3\n.byte\t102,15,56,0,224\n\tpxor\t%xmm2,%xmm4\n\tmovdqa\t%xmm7,%xmm2\n.byte\t102,15,56,0,211\n\tmovdqa\t%xmm7,%xmm3\n\tpxor\t%xmm0,%xmm2\n.byte\t102,15,56,0,220\n\tmovdqu\t(%edx),%xmm0\n\tpxor\t%xmm1,%xmm3\n\tjnz\tL003dec_loop\n\tmovdqa\t96(%ebx),%xmm4\n.byte\t102,15,56,0,226\n\tpxor\t%xmm0,%xmm4\n\tmovdqa\t112(%ebx),%xmm0\n\tmovdqa\t(%ecx),%xmm2\n.byte\t102,15,56,0,195\n\tpxor\t%xmm4,%xmm0\n.byte\t102,15,56,0,194\n\tret\n.private_extern\t__vpaes_schedule_core\n.align\t4\n__vpaes_schedule_core:\n\taddl\t(%esp),%ebp\n\tmovdqu\t(%esi),%xmm0\n\tmovdqa\t320(%ebp),%xmm2\n\tmovdqa\t%xmm0,%xmm3\n\tleal\t(%ebp),%ebx\n\tmovdqa\t%xmm2,4(%esp)\n\tcall\t__vpaes_schedule_transform\n\tmovdqa\t%xmm0,%xmm7\n\ttestl\t%edi,%edi\n\tjnz\tL004schedule_am_decrypting\n\tmovdqu\t%xmm0,(%edx)\n\tjmp\tL005schedule_go\nL004schedule_am_decrypting:\n\tmovdqa\t256(%ebp,%ecx,1),%xmm1\n.byte\t102,15,56,0,217\n\tmovdqu\t%xmm3,(%edx)\n\txorl\t$48,%ecx\nL005schedule_go:\n\tcmpl\t$192,%eax\n\tja\tL006schedule_256\n\tje\tL007schedule_192\nL008schedule_128:\n\tmovl\t$10,%eax\nL009loop_schedule_128:\n\tcall\t__vpaes_schedule_round\n\tdecl\t%eax\n\tjz\tL010schedule_mangle_last\n\tcall\t__vpaes_schedule_mangle\n\tjmp\tL009loop_schedule_128\n.align\t4,0x90\nL007schedule_192:\n\tmovdqu\t8(%esi),%xmm0\n\tcall\t__vpaes_schedule_transform\n\tmovdqa\t%xmm0,%xmm6\n\tpxor\t%xmm4,%xmm4\n\tmovhlps\t%xmm4,%xmm6\n\tmovl\t$4,%eax\nL011loop_schedule_192:\n\tcall\t__vpaes_schedule_round\n.byte\t102,15,58,15,198,8\n\tcall\t__vpaes_schedule_mangle\n\tcall\t__vpaes_schedule_192_smear\n\tcall\t__vpaes_schedule_mangle\n\tcall\t__vpaes_schedule_round\n\tdecl\t%eax\n\tjz\tL010schedule_mangle_last\n\tcall\t__vpaes_schedule_mangle\n\tcall\t__vpaes_schedule_192_smear\n\tjmp\tL011loop_schedule_192\n.align\t4,0x90\nL006schedule_256:\n\tmovdqu\t16(%esi),%xmm0\n\tcall\t__vpaes_schedule_transform\n\tmovl\t$7,%eax\nL012loop_schedule_256:\n\tcall\t__vpaes_schedule_mangle\n\tmovdqa\t%xmm0,%xmm6\n\tcall\t__vpaes_schedule_round\n\tdecl\t%eax\n\tjz\tL010schedule_mangle_last\n\tcall\t__vpaes_schedule_mangle\n\tpshufd\t$255,%xmm0,%xmm0\n\tmovdqa\t%xmm7,20(%esp)\n\tmovdqa\t%xmm6,%xmm7\n\tcall\tL_vpaes_schedule_low_round\n\tmovdqa\t20(%esp),%xmm7\n\tjmp\tL012loop_schedule_256\n.align\t4,0x90\nL010schedule_mangle_last:\n\tleal\t384(%ebp),%ebx\n\ttestl\t%edi,%edi\n\tjnz\tL013schedule_mangle_last_dec\n\tmovdqa\t256(%ebp,%ecx,1),%xmm1\n.byte\t102,15,56,0,193\n\tleal\t352(%ebp),%ebx\n\taddl\t$32,%edx\nL013schedule_mangle_last_dec:\n\taddl\t$-16,%edx\n\tpxor\t336(%ebp),%xmm0\n\tcall\t__vpaes_schedule_transform\n\tmovdqu\t%xmm0,(%edx)\n\tpxor\t%xmm0,%xmm0\n\tpxor\t%xmm1,%xmm1\n\tpxor\t%xmm2,%xmm2\n\tpxor\t%xmm3,%xmm3\n\tpxor\t%xmm4,%xmm4\n\tpxor\t%xmm5,%xmm5\n\tpxor\t%xmm6,%xmm6\n\tpxor\t%xmm7,%xmm7\n\tret\n.private_extern\t__vpaes_schedule_192_smear\n.align\t4\n__vpaes_schedule_192_smear:\n\tpshufd\t$128,%xmm6,%xmm1\n\tpshufd\t$254,%xmm7,%xmm0\n\tpxor\t%xmm1,%xmm6\n\tpxor\t%xmm1,%xmm1\n\tpxor\t%xmm0,%xmm6\n\tmovdqa\t%xmm6,%xmm0\n\tmovhlps\t%xmm1,%xmm6\n\tret\n.private_extern\t__vpaes_schedule_round\n.align\t4\n__vpaes_schedule_round:\n\tmovdqa\t8(%esp),%xmm2\n\tpxor\t%xmm1,%xmm1\n.byte\t102,15,58,15,202,15\n.byte\t102,15,58,15,210,15\n\tpxor\t%xmm1,%xmm7\n\tpshufd\t$255,%xmm0,%xmm0\n.byte\t102,15,58,15,192,1\n\tmovdqa\t%xmm2,8(%esp)\nL_vpaes_schedule_low_round:\n\tmovdqa\t%xmm7,%xmm1\n\tpslldq\t$4,%xmm7\n\tpxor\t%xmm1,%xmm7\n\tmovdqa\t%xmm7,%xmm1\n\tpslldq\t$8,%xmm7\n\tpxor\t%xmm1,%xmm7\n\tpxor\t336(%ebp),%xmm7\n\tmovdqa\t-16(%ebp),%xmm4\n\tmovdqa\t-48(%ebp),%xmm5\n\tmovdqa\t%xmm4,%xmm1\n\tpandn\t%xmm0,%xmm1\n\tpsrld\t$4,%xmm1\n\tpand\t%xmm4,%xmm0\n\tmovdqa\t-32(%ebp),%xmm2\n.byte\t102,15,56,0,208\n\tpxor\t%xmm1,%xmm0\n\tmovdqa\t%xmm5,%xmm3\n.byte\t102,15,56,0,217\n\tpxor\t%xmm2,%xmm3\n\tmovdqa\t%xmm5,%xmm4\n.byte\t102,15,56,0,224\n\tpxor\t%xmm2,%xmm4\n\tmovdqa\t%xmm5,%xmm2\n.byte\t102,15,56,0,211\n\tpxor\t%xmm0,%xmm2\n\tmovdqa\t%xmm5,%xmm3\n.byte\t102,15,56,0,220\n\tpxor\t%xmm1,%xmm3\n\tmovdqa\t32(%ebp),%xmm4\n.byte\t102,15,56,0,226\n\tmovdqa\t48(%ebp),%xmm0\n.byte\t102,15,56,0,195\n\tpxor\t%xmm4,%xmm0\n\tpxor\t%xmm7,%xmm0\n\tmovdqa\t%xmm0,%xmm7\n\tret\n.private_extern\t__vpaes_schedule_transform\n.align\t4\n__vpaes_schedule_transform:\n\tmovdqa\t-16(%ebp),%xmm2\n\tmovdqa\t%xmm2,%xmm1\n\tpandn\t%xmm0,%xmm1\n\tpsrld\t$4,%xmm1\n\tpand\t%xmm2,%xmm0\n\tmovdqa\t(%ebx),%xmm2\n.byte\t102,15,56,0,208\n\tmovdqa\t16(%ebx),%xmm0\n.byte\t102,15,56,0,193\n\tpxor\t%xmm2,%xmm0\n\tret\n.private_extern\t__vpaes_schedule_mangle\n.align\t4\n__vpaes_schedule_mangle:\n\tmovdqa\t%xmm0,%xmm4\n\tmovdqa\t128(%ebp),%xmm5\n\ttestl\t%edi,%edi\n\tjnz\tL014schedule_mangle_dec\n\taddl\t$16,%edx\n\tpxor\t336(%ebp),%xmm4\n.byte\t102,15,56,0,229\n\tmovdqa\t%xmm4,%xmm3\n.byte\t102,15,56,0,229\n\tpxor\t%xmm4,%xmm3\n.byte\t102,15,56,0,229\n\tpxor\t%xmm4,%xmm3\n\tjmp\tL015schedule_mangle_both\n.align\t4,0x90\nL014schedule_mangle_dec:\n\tmovdqa\t-16(%ebp),%xmm2\n\tleal\t416(%ebp),%esi\n\tmovdqa\t%xmm2,%xmm1\n\tpandn\t%xmm4,%xmm1\n\tpsrld\t$4,%xmm1\n\tpand\t%xmm2,%xmm4\n\tmovdqa\t(%esi),%xmm2\n.byte\t102,15,56,0,212\n\tmovdqa\t16(%esi),%xmm3\n.byte\t102,15,56,0,217\n\tpxor\t%xmm2,%xmm3\n.byte\t102,15,56,0,221\n\tmovdqa\t32(%esi),%xmm2\n.byte\t102,15,56,0,212\n\tpxor\t%xmm3,%xmm2\n\tmovdqa\t48(%esi),%xmm3\n.byte\t102,15,56,0,217\n\tpxor\t%xmm2,%xmm3\n.byte\t102,15,56,0,221\n\tmovdqa\t64(%esi),%xmm2\n.byte\t102,15,56,0,212\n\tpxor\t%xmm3,%xmm2\n\tmovdqa\t80(%esi),%xmm3\n.byte\t102,15,56,0,217\n\tpxor\t%xmm2,%xmm3\n.byte\t102,15,56,0,221\n\tmovdqa\t96(%esi),%xmm2\n.byte\t102,15,56,0,212\n\tpxor\t%xmm3,%xmm2\n\tmovdqa\t112(%esi),%xmm3\n.byte\t102,15,56,0,217\n\tpxor\t%xmm2,%xmm3\n\taddl\t$-16,%edx\nL015schedule_mangle_both:\n\tmovdqa\t256(%ebp,%ecx,1),%xmm1\n.byte\t102,15,56,0,217\n\taddl\t$-16,%ecx\n\tandl\t$48,%ecx\n\tmovdqu\t%xmm3,(%edx)\n\tret\n.globl\t_vpaes_set_encrypt_key\n.private_extern\t_vpaes_set_encrypt_key\n.align\t4\n_vpaes_set_encrypt_key:\nL_vpaes_set_encrypt_key_begin:\n\tpushl\t%ebp\n\tpushl\t%ebx\n\tpushl\t%esi\n\tpushl\t%edi\n#ifdef BORINGSSL_DISPATCH_TEST\n\tpushl\t%ebx\n\tpushl\t%edx\n\tcall\tL016pic_for_function_hit\nL016pic_for_function_hit:\n\tpopl\t%ebx\n\tleal\t_BORINGSSL_function_hit+5-L016pic_for_function_hit(%ebx),%ebx\n\tmovl\t$1,%edx\n\tmovb\t%dl,(%ebx)\n\tpopl\t%edx\n\tpopl\t%ebx\n#endif\n\tmovl\t20(%esp),%esi\n\tleal\t-56(%esp),%ebx\n\tmovl\t24(%esp),%eax\n\tandl\t$-16,%ebx\n\tmovl\t28(%esp),%edx\n\txchgl\t%esp,%ebx\n\tmovl\t%ebx,48(%esp)\n\tmovl\t%eax,%ebx\n\tshrl\t$5,%ebx\n\taddl\t$5,%ebx\n\tmovl\t%ebx,240(%edx)\n\tmovl\t$48,%ecx\n\tmovl\t$0,%edi\n\tleal\tL_vpaes_consts+0x30-L017pic_point,%ebp\n\tcall\t__vpaes_schedule_core\nL017pic_point:\n\tmovl\t48(%esp),%esp\n\txorl\t%eax,%eax\n\tpopl\t%edi\n\tpopl\t%esi\n\tpopl\t%ebx\n\tpopl\t%ebp\n\tret\n.globl\t_vpaes_set_decrypt_key\n.private_extern\t_vpaes_set_decrypt_key\n.align\t4\n_vpaes_set_decrypt_key:\nL_vpaes_set_decrypt_key_begin:\n\tpushl\t%ebp\n\tpushl\t%ebx\n\tpushl\t%esi\n\tpushl\t%edi\n\tmovl\t20(%esp),%esi\n\tleal\t-56(%esp),%ebx\n\tmovl\t24(%esp),%eax\n\tandl\t$-16,%ebx\n\tmovl\t28(%esp),%edx\n\txchgl\t%esp,%ebx\n\tmovl\t%ebx,48(%esp)\n\tmovl\t%eax,%ebx\n\tshrl\t$5,%ebx\n\taddl\t$5,%ebx\n\tmovl\t%ebx,240(%edx)\n\tshll\t$4,%ebx\n\tleal\t16(%edx,%ebx,1),%edx\n\tmovl\t$1,%edi\n\tmovl\t%eax,%ecx\n\tshrl\t$1,%ecx\n\tandl\t$32,%ecx\n\txorl\t$32,%ecx\n\tleal\tL_vpaes_consts+0x30-L018pic_point,%ebp\n\tcall\t__vpaes_schedule_core\nL018pic_point:\n\tmovl\t48(%esp),%esp\n\txorl\t%eax,%eax\n\tpopl\t%edi\n\tpopl\t%esi\n\tpopl\t%ebx\n\tpopl\t%ebp\n\tret\n.globl\t_vpaes_encrypt\n.private_extern\t_vpaes_encrypt\n.align\t4\n_vpaes_encrypt:\nL_vpaes_encrypt_begin:\n\tpushl\t%ebp\n\tpushl\t%ebx\n\tpushl\t%esi\n\tpushl\t%edi\n#ifdef BORINGSSL_DISPATCH_TEST\n\tpushl\t%ebx\n\tpushl\t%edx\n\tcall\tL019pic_for_function_hit\nL019pic_for_function_hit:\n\tpopl\t%ebx\n\tleal\t_BORINGSSL_function_hit+4-L019pic_for_function_hit(%ebx),%ebx\n\tmovl\t$1,%edx\n\tmovb\t%dl,(%ebx)\n\tpopl\t%edx\n\tpopl\t%ebx\n#endif\n\tleal\tL_vpaes_consts+0x30-L020pic_point,%ebp\n\tcall\t__vpaes_preheat\nL020pic_point:\n\tmovl\t20(%esp),%esi\n\tleal\t-56(%esp),%ebx\n\tmovl\t24(%esp),%edi\n\tandl\t$-16,%ebx\n\tmovl\t28(%esp),%edx\n\txchgl\t%esp,%ebx\n\tmovl\t%ebx,48(%esp)\n\tmovdqu\t(%esi),%xmm0\n\tcall\t__vpaes_encrypt_core\n\tmovdqu\t%xmm0,(%edi)\n\tmovl\t48(%esp),%esp\n\tpopl\t%edi\n\tpopl\t%esi\n\tpopl\t%ebx\n\tpopl\t%ebp\n\tret\n.globl\t_vpaes_decrypt\n.private_extern\t_vpaes_decrypt\n.align\t4\n_vpaes_decrypt:\nL_vpaes_decrypt_begin:\n\tpushl\t%ebp\n\tpushl\t%ebx\n\tpushl\t%esi\n\tpushl\t%edi\n\tleal\tL_vpaes_consts+0x30-L021pic_point,%ebp\n\tcall\t__vpaes_preheat\nL021pic_point:\n\tmovl\t20(%esp),%esi\n\tleal\t-56(%esp),%ebx\n\tmovl\t24(%esp),%edi\n\tandl\t$-16,%ebx\n\tmovl\t28(%esp),%edx\n\txchgl\t%esp,%ebx\n\tmovl\t%ebx,48(%esp)\n\tmovdqu\t(%esi),%xmm0\n\tcall\t__vpaes_decrypt_core\n\tmovdqu\t%xmm0,(%edi)\n\tmovl\t48(%esp),%esp\n\tpopl\t%edi\n\tpopl\t%esi\n\tpopl\t%ebx\n\tpopl\t%ebp\n\tret\n.globl\t_vpaes_cbc_encrypt\n.private_extern\t_vpaes_cbc_encrypt\n.align\t4\n_vpaes_cbc_encrypt:\nL_vpaes_cbc_encrypt_begin:\n\tpushl\t%ebp\n\tpushl\t%ebx\n\tpushl\t%esi\n\tpushl\t%edi\n\tmovl\t20(%esp),%esi\n\tmovl\t24(%esp),%edi\n\tmovl\t28(%esp),%eax\n\tmovl\t32(%esp),%edx\n\tsubl\t$16,%eax\n\tjc\tL022cbc_abort\n\tleal\t-56(%esp),%ebx\n\tmovl\t36(%esp),%ebp\n\tandl\t$-16,%ebx\n\tmovl\t40(%esp),%ecx\n\txchgl\t%esp,%ebx\n\tmovdqu\t(%ebp),%xmm1\n\tsubl\t%esi,%edi\n\tmovl\t%ebx,48(%esp)\n\tmovl\t%edi,(%esp)\n\tmovl\t%edx,4(%esp)\n\tmovl\t%ebp,8(%esp)\n\tmovl\t%eax,%edi\n\tleal\tL_vpaes_consts+0x30-L023pic_point,%ebp\n\tcall\t__vpaes_preheat\nL023pic_point:\n\tcmpl\t$0,%ecx\n\tje\tL024cbc_dec_loop\n\tjmp\tL025cbc_enc_loop\n.align\t4,0x90\nL025cbc_enc_loop:\n\tmovdqu\t(%esi),%xmm0\n\tpxor\t%xmm1,%xmm0\n\tcall\t__vpaes_encrypt_core\n\tmovl\t(%esp),%ebx\n\tmovl\t4(%esp),%edx\n\tmovdqa\t%xmm0,%xmm1\n\tmovdqu\t%xmm0,(%ebx,%esi,1)\n\tleal\t16(%esi),%esi\n\tsubl\t$16,%edi\n\tjnc\tL025cbc_enc_loop\n\tjmp\tL026cbc_done\n.align\t4,0x90\nL024cbc_dec_loop:\n\tmovdqu\t(%esi),%xmm0\n\tmovdqa\t%xmm1,16(%esp)\n\tmovdqa\t%xmm0,32(%esp)\n\tcall\t__vpaes_decrypt_core\n\tmovl\t(%esp),%ebx\n\tmovl\t4(%esp),%edx\n\tpxor\t16(%esp),%xmm0\n\tmovdqa\t32(%esp),%xmm1\n\tmovdqu\t%xmm0,(%ebx,%esi,1)\n\tleal\t16(%esi),%esi\n\tsubl\t$16,%edi\n\tjnc\tL024cbc_dec_loop\nL026cbc_done:\n\tmovl\t8(%esp),%ebx\n\tmovl\t48(%esp),%esp\n\tmovdqu\t%xmm1,(%ebx)\nL022cbc_abort:\n\tpopl\t%edi\n\tpopl\t%esi\n\tpopl\t%ebx\n\tpopl\t%ebp\n\tret\n#endif // !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86) && defined(__APPLE__)\n#if defined(__linux__) && defined(__ELF__)\n.section .note.GNU-stack,\"\",%progbits\n#endif\n\n" }, { "path": "Sources/CNIOBoringSSL/gen/bcm/vpaes-x86-linux.S", "content": "#define BORINGSSL_PREFIX CNIOBoringSSL\n// This file is generated from a similarly-named Perl script in the BoringSSL\n// source tree. Do not edit by hand.\n\n#include \n\n#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86) && defined(__ELF__)\n.text\n#ifdef BORINGSSL_DISPATCH_TEST\n#endif\n.align\t64\n.L_vpaes_consts:\n.long\t218628480,235210255,168496130,67568393\n.long\t252381056,17041926,33884169,51187212\n.long\t252645135,252645135,252645135,252645135\n.long\t1512730624,3266504856,1377990664,3401244816\n.long\t830229760,1275146365,2969422977,3447763452\n.long\t3411033600,2979783055,338359620,2782886510\n.long\t4209124096,907596821,221174255,1006095553\n.long\t191964160,3799684038,3164090317,1589111125\n.long\t182528256,1777043520,2877432650,3265356744\n.long\t1874708224,3503451415,3305285752,363511674\n.long\t1606117888,3487855781,1093350906,2384367825\n.long\t197121,67569157,134941193,202313229\n.long\t67569157,134941193,202313229,197121\n.long\t134941193,202313229,197121,67569157\n.long\t202313229,197121,67569157,134941193\n.long\t33619971,100992007,168364043,235736079\n.long\t235736079,33619971,100992007,168364043\n.long\t168364043,235736079,33619971,100992007\n.long\t100992007,168364043,235736079,33619971\n.long\t50462976,117835012,185207048,252579084\n.long\t252314880,51251460,117574920,184942860\n.long\t184682752,252054788,50987272,118359308\n.long\t118099200,185467140,251790600,50727180\n.long\t2946363062,528716217,1300004225,1881839624\n.long\t1532713819,1532713819,1532713819,1532713819\n.long\t3602276352,4288629033,3737020424,4153884961\n.long\t1354558464,32357713,2958822624,3775749553\n.long\t1201988352,132424512,1572796698,503232858\n.long\t2213177600,1597421020,4103937655,675398315\n.long\t2749646592,4273543773,1511898873,121693092\n.long\t3040248576,1103263732,2871565598,1608280554\n.long\t2236667136,2588920351,482954393,64377734\n.long\t3069987328,291237287,2117370568,3650299247\n.long\t533321216,3573750986,2572112006,1401264716\n.long\t1339849704,2721158661,548607111,3445553514\n.long\t2128193280,3054596040,2183486460,1257083700\n.long\t655635200,1165381986,3923443150,2344132524\n.long\t190078720,256924420,290342170,357187870\n.long\t1610966272,2263057382,4103205268,309794674\n.long\t2592527872,2233205587,1335446729,3402964816\n.long\t3973531904,3225098121,3002836325,1918774430\n.long\t3870401024,2102906079,2284471353,4117666579\n.long\t617007872,1021508343,366931923,691083277\n.long\t2528395776,3491914898,2968704004,1613121270\n.long\t3445188352,3247741094,844474987,4093578302\n.long\t651481088,1190302358,1689581232,574775300\n.long\t4289380608,206939853,2555985458,2489840491\n.long\t2130264064,327674451,3566485037,3349835193\n.long\t2470714624,316102159,3636825756,3393945945\n.byte\t86,101,99,116,111,114,32,80,101,114,109,117,116,97,116,105\n.byte\t111,110,32,65,69,83,32,102,111,114,32,120,56,54,47,83\n.byte\t83,83,69,51,44,32,77,105,107,101,32,72,97,109,98,117\n.byte\t114,103,32,40,83,116,97,110,102,111,114,100,32,85,110,105\n.byte\t118,101,114,115,105,116,121,41,0\n.align\t64\n.hidden\t_vpaes_preheat\n.type\t_vpaes_preheat,@function\n.align\t16\n_vpaes_preheat:\n\taddl\t(%esp),%ebp\n\tmovdqa\t-48(%ebp),%xmm7\n\tmovdqa\t-16(%ebp),%xmm6\n\tret\n.size\t_vpaes_preheat,.-_vpaes_preheat\n.hidden\t_vpaes_encrypt_core\n.type\t_vpaes_encrypt_core,@function\n.align\t16\n_vpaes_encrypt_core:\n\tmovl\t$16,%ecx\n\tmovl\t240(%edx),%eax\n\tmovdqa\t%xmm6,%xmm1\n\tmovdqa\t(%ebp),%xmm2\n\tpandn\t%xmm0,%xmm1\n\tpand\t%xmm6,%xmm0\n\tmovdqu\t(%edx),%xmm5\n.byte\t102,15,56,0,208\n\tmovdqa\t16(%ebp),%xmm0\n\tpxor\t%xmm5,%xmm2\n\tpsrld\t$4,%xmm1\n\taddl\t$16,%edx\n.byte\t102,15,56,0,193\n\tleal\t192(%ebp),%ebx\n\tpxor\t%xmm2,%xmm0\n\tjmp\t.L000enc_entry\n.align\t16\n.L001enc_loop:\n\tmovdqa\t32(%ebp),%xmm4\n\tmovdqa\t48(%ebp),%xmm0\n.byte\t102,15,56,0,226\n.byte\t102,15,56,0,195\n\tpxor\t%xmm5,%xmm4\n\tmovdqa\t64(%ebp),%xmm5\n\tpxor\t%xmm4,%xmm0\n\tmovdqa\t-64(%ebx,%ecx,1),%xmm1\n.byte\t102,15,56,0,234\n\tmovdqa\t80(%ebp),%xmm2\n\tmovdqa\t(%ebx,%ecx,1),%xmm4\n.byte\t102,15,56,0,211\n\tmovdqa\t%xmm0,%xmm3\n\tpxor\t%xmm5,%xmm2\n.byte\t102,15,56,0,193\n\taddl\t$16,%edx\n\tpxor\t%xmm2,%xmm0\n.byte\t102,15,56,0,220\n\taddl\t$16,%ecx\n\tpxor\t%xmm0,%xmm3\n.byte\t102,15,56,0,193\n\tandl\t$48,%ecx\n\tsubl\t$1,%eax\n\tpxor\t%xmm3,%xmm0\n.L000enc_entry:\n\tmovdqa\t%xmm6,%xmm1\n\tmovdqa\t-32(%ebp),%xmm5\n\tpandn\t%xmm0,%xmm1\n\tpsrld\t$4,%xmm1\n\tpand\t%xmm6,%xmm0\n.byte\t102,15,56,0,232\n\tmovdqa\t%xmm7,%xmm3\n\tpxor\t%xmm1,%xmm0\n.byte\t102,15,56,0,217\n\tmovdqa\t%xmm7,%xmm4\n\tpxor\t%xmm5,%xmm3\n.byte\t102,15,56,0,224\n\tmovdqa\t%xmm7,%xmm2\n\tpxor\t%xmm5,%xmm4\n.byte\t102,15,56,0,211\n\tmovdqa\t%xmm7,%xmm3\n\tpxor\t%xmm0,%xmm2\n.byte\t102,15,56,0,220\n\tmovdqu\t(%edx),%xmm5\n\tpxor\t%xmm1,%xmm3\n\tjnz\t.L001enc_loop\n\tmovdqa\t96(%ebp),%xmm4\n\tmovdqa\t112(%ebp),%xmm0\n.byte\t102,15,56,0,226\n\tpxor\t%xmm5,%xmm4\n.byte\t102,15,56,0,195\n\tmovdqa\t64(%ebx,%ecx,1),%xmm1\n\tpxor\t%xmm4,%xmm0\n.byte\t102,15,56,0,193\n\tret\n.size\t_vpaes_encrypt_core,.-_vpaes_encrypt_core\n.hidden\t_vpaes_decrypt_core\n.type\t_vpaes_decrypt_core,@function\n.align\t16\n_vpaes_decrypt_core:\n\tleal\t608(%ebp),%ebx\n\tmovl\t240(%edx),%eax\n\tmovdqa\t%xmm6,%xmm1\n\tmovdqa\t-64(%ebx),%xmm2\n\tpandn\t%xmm0,%xmm1\n\tmovl\t%eax,%ecx\n\tpsrld\t$4,%xmm1\n\tmovdqu\t(%edx),%xmm5\n\tshll\t$4,%ecx\n\tpand\t%xmm6,%xmm0\n.byte\t102,15,56,0,208\n\tmovdqa\t-48(%ebx),%xmm0\n\txorl\t$48,%ecx\n.byte\t102,15,56,0,193\n\tandl\t$48,%ecx\n\tpxor\t%xmm5,%xmm2\n\tmovdqa\t176(%ebp),%xmm5\n\tpxor\t%xmm2,%xmm0\n\taddl\t$16,%edx\n\tleal\t-352(%ebx,%ecx,1),%ecx\n\tjmp\t.L002dec_entry\n.align\t16\n.L003dec_loop:\n\tmovdqa\t-32(%ebx),%xmm4\n\tmovdqa\t-16(%ebx),%xmm1\n.byte\t102,15,56,0,226\n.byte\t102,15,56,0,203\n\tpxor\t%xmm4,%xmm0\n\tmovdqa\t(%ebx),%xmm4\n\tpxor\t%xmm1,%xmm0\n\tmovdqa\t16(%ebx),%xmm1\n.byte\t102,15,56,0,226\n.byte\t102,15,56,0,197\n.byte\t102,15,56,0,203\n\tpxor\t%xmm4,%xmm0\n\tmovdqa\t32(%ebx),%xmm4\n\tpxor\t%xmm1,%xmm0\n\tmovdqa\t48(%ebx),%xmm1\n.byte\t102,15,56,0,226\n.byte\t102,15,56,0,197\n.byte\t102,15,56,0,203\n\tpxor\t%xmm4,%xmm0\n\tmovdqa\t64(%ebx),%xmm4\n\tpxor\t%xmm1,%xmm0\n\tmovdqa\t80(%ebx),%xmm1\n.byte\t102,15,56,0,226\n.byte\t102,15,56,0,197\n.byte\t102,15,56,0,203\n\tpxor\t%xmm4,%xmm0\n\taddl\t$16,%edx\n.byte\t102,15,58,15,237,12\n\tpxor\t%xmm1,%xmm0\n\tsubl\t$1,%eax\n.L002dec_entry:\n\tmovdqa\t%xmm6,%xmm1\n\tmovdqa\t-32(%ebp),%xmm2\n\tpandn\t%xmm0,%xmm1\n\tpand\t%xmm6,%xmm0\n\tpsrld\t$4,%xmm1\n.byte\t102,15,56,0,208\n\tmovdqa\t%xmm7,%xmm3\n\tpxor\t%xmm1,%xmm0\n.byte\t102,15,56,0,217\n\tmovdqa\t%xmm7,%xmm4\n\tpxor\t%xmm2,%xmm3\n.byte\t102,15,56,0,224\n\tpxor\t%xmm2,%xmm4\n\tmovdqa\t%xmm7,%xmm2\n.byte\t102,15,56,0,211\n\tmovdqa\t%xmm7,%xmm3\n\tpxor\t%xmm0,%xmm2\n.byte\t102,15,56,0,220\n\tmovdqu\t(%edx),%xmm0\n\tpxor\t%xmm1,%xmm3\n\tjnz\t.L003dec_loop\n\tmovdqa\t96(%ebx),%xmm4\n.byte\t102,15,56,0,226\n\tpxor\t%xmm0,%xmm4\n\tmovdqa\t112(%ebx),%xmm0\n\tmovdqa\t(%ecx),%xmm2\n.byte\t102,15,56,0,195\n\tpxor\t%xmm4,%xmm0\n.byte\t102,15,56,0,194\n\tret\n.size\t_vpaes_decrypt_core,.-_vpaes_decrypt_core\n.hidden\t_vpaes_schedule_core\n.type\t_vpaes_schedule_core,@function\n.align\t16\n_vpaes_schedule_core:\n\taddl\t(%esp),%ebp\n\tmovdqu\t(%esi),%xmm0\n\tmovdqa\t320(%ebp),%xmm2\n\tmovdqa\t%xmm0,%xmm3\n\tleal\t(%ebp),%ebx\n\tmovdqa\t%xmm2,4(%esp)\n\tcall\t_vpaes_schedule_transform\n\tmovdqa\t%xmm0,%xmm7\n\ttestl\t%edi,%edi\n\tjnz\t.L004schedule_am_decrypting\n\tmovdqu\t%xmm0,(%edx)\n\tjmp\t.L005schedule_go\n.L004schedule_am_decrypting:\n\tmovdqa\t256(%ebp,%ecx,1),%xmm1\n.byte\t102,15,56,0,217\n\tmovdqu\t%xmm3,(%edx)\n\txorl\t$48,%ecx\n.L005schedule_go:\n\tcmpl\t$192,%eax\n\tja\t.L006schedule_256\n\tje\t.L007schedule_192\n.L008schedule_128:\n\tmovl\t$10,%eax\n.L009loop_schedule_128:\n\tcall\t_vpaes_schedule_round\n\tdecl\t%eax\n\tjz\t.L010schedule_mangle_last\n\tcall\t_vpaes_schedule_mangle\n\tjmp\t.L009loop_schedule_128\n.align\t16\n.L007schedule_192:\n\tmovdqu\t8(%esi),%xmm0\n\tcall\t_vpaes_schedule_transform\n\tmovdqa\t%xmm0,%xmm6\n\tpxor\t%xmm4,%xmm4\n\tmovhlps\t%xmm4,%xmm6\n\tmovl\t$4,%eax\n.L011loop_schedule_192:\n\tcall\t_vpaes_schedule_round\n.byte\t102,15,58,15,198,8\n\tcall\t_vpaes_schedule_mangle\n\tcall\t_vpaes_schedule_192_smear\n\tcall\t_vpaes_schedule_mangle\n\tcall\t_vpaes_schedule_round\n\tdecl\t%eax\n\tjz\t.L010schedule_mangle_last\n\tcall\t_vpaes_schedule_mangle\n\tcall\t_vpaes_schedule_192_smear\n\tjmp\t.L011loop_schedule_192\n.align\t16\n.L006schedule_256:\n\tmovdqu\t16(%esi),%xmm0\n\tcall\t_vpaes_schedule_transform\n\tmovl\t$7,%eax\n.L012loop_schedule_256:\n\tcall\t_vpaes_schedule_mangle\n\tmovdqa\t%xmm0,%xmm6\n\tcall\t_vpaes_schedule_round\n\tdecl\t%eax\n\tjz\t.L010schedule_mangle_last\n\tcall\t_vpaes_schedule_mangle\n\tpshufd\t$255,%xmm0,%xmm0\n\tmovdqa\t%xmm7,20(%esp)\n\tmovdqa\t%xmm6,%xmm7\n\tcall\t.L_vpaes_schedule_low_round\n\tmovdqa\t20(%esp),%xmm7\n\tjmp\t.L012loop_schedule_256\n.align\t16\n.L010schedule_mangle_last:\n\tleal\t384(%ebp),%ebx\n\ttestl\t%edi,%edi\n\tjnz\t.L013schedule_mangle_last_dec\n\tmovdqa\t256(%ebp,%ecx,1),%xmm1\n.byte\t102,15,56,0,193\n\tleal\t352(%ebp),%ebx\n\taddl\t$32,%edx\n.L013schedule_mangle_last_dec:\n\taddl\t$-16,%edx\n\tpxor\t336(%ebp),%xmm0\n\tcall\t_vpaes_schedule_transform\n\tmovdqu\t%xmm0,(%edx)\n\tpxor\t%xmm0,%xmm0\n\tpxor\t%xmm1,%xmm1\n\tpxor\t%xmm2,%xmm2\n\tpxor\t%xmm3,%xmm3\n\tpxor\t%xmm4,%xmm4\n\tpxor\t%xmm5,%xmm5\n\tpxor\t%xmm6,%xmm6\n\tpxor\t%xmm7,%xmm7\n\tret\n.size\t_vpaes_schedule_core,.-_vpaes_schedule_core\n.hidden\t_vpaes_schedule_192_smear\n.type\t_vpaes_schedule_192_smear,@function\n.align\t16\n_vpaes_schedule_192_smear:\n\tpshufd\t$128,%xmm6,%xmm1\n\tpshufd\t$254,%xmm7,%xmm0\n\tpxor\t%xmm1,%xmm6\n\tpxor\t%xmm1,%xmm1\n\tpxor\t%xmm0,%xmm6\n\tmovdqa\t%xmm6,%xmm0\n\tmovhlps\t%xmm1,%xmm6\n\tret\n.size\t_vpaes_schedule_192_smear,.-_vpaes_schedule_192_smear\n.hidden\t_vpaes_schedule_round\n.type\t_vpaes_schedule_round,@function\n.align\t16\n_vpaes_schedule_round:\n\tmovdqa\t8(%esp),%xmm2\n\tpxor\t%xmm1,%xmm1\n.byte\t102,15,58,15,202,15\n.byte\t102,15,58,15,210,15\n\tpxor\t%xmm1,%xmm7\n\tpshufd\t$255,%xmm0,%xmm0\n.byte\t102,15,58,15,192,1\n\tmovdqa\t%xmm2,8(%esp)\n.L_vpaes_schedule_low_round:\n\tmovdqa\t%xmm7,%xmm1\n\tpslldq\t$4,%xmm7\n\tpxor\t%xmm1,%xmm7\n\tmovdqa\t%xmm7,%xmm1\n\tpslldq\t$8,%xmm7\n\tpxor\t%xmm1,%xmm7\n\tpxor\t336(%ebp),%xmm7\n\tmovdqa\t-16(%ebp),%xmm4\n\tmovdqa\t-48(%ebp),%xmm5\n\tmovdqa\t%xmm4,%xmm1\n\tpandn\t%xmm0,%xmm1\n\tpsrld\t$4,%xmm1\n\tpand\t%xmm4,%xmm0\n\tmovdqa\t-32(%ebp),%xmm2\n.byte\t102,15,56,0,208\n\tpxor\t%xmm1,%xmm0\n\tmovdqa\t%xmm5,%xmm3\n.byte\t102,15,56,0,217\n\tpxor\t%xmm2,%xmm3\n\tmovdqa\t%xmm5,%xmm4\n.byte\t102,15,56,0,224\n\tpxor\t%xmm2,%xmm4\n\tmovdqa\t%xmm5,%xmm2\n.byte\t102,15,56,0,211\n\tpxor\t%xmm0,%xmm2\n\tmovdqa\t%xmm5,%xmm3\n.byte\t102,15,56,0,220\n\tpxor\t%xmm1,%xmm3\n\tmovdqa\t32(%ebp),%xmm4\n.byte\t102,15,56,0,226\n\tmovdqa\t48(%ebp),%xmm0\n.byte\t102,15,56,0,195\n\tpxor\t%xmm4,%xmm0\n\tpxor\t%xmm7,%xmm0\n\tmovdqa\t%xmm0,%xmm7\n\tret\n.size\t_vpaes_schedule_round,.-_vpaes_schedule_round\n.hidden\t_vpaes_schedule_transform\n.type\t_vpaes_schedule_transform,@function\n.align\t16\n_vpaes_schedule_transform:\n\tmovdqa\t-16(%ebp),%xmm2\n\tmovdqa\t%xmm2,%xmm1\n\tpandn\t%xmm0,%xmm1\n\tpsrld\t$4,%xmm1\n\tpand\t%xmm2,%xmm0\n\tmovdqa\t(%ebx),%xmm2\n.byte\t102,15,56,0,208\n\tmovdqa\t16(%ebx),%xmm0\n.byte\t102,15,56,0,193\n\tpxor\t%xmm2,%xmm0\n\tret\n.size\t_vpaes_schedule_transform,.-_vpaes_schedule_transform\n.hidden\t_vpaes_schedule_mangle\n.type\t_vpaes_schedule_mangle,@function\n.align\t16\n_vpaes_schedule_mangle:\n\tmovdqa\t%xmm0,%xmm4\n\tmovdqa\t128(%ebp),%xmm5\n\ttestl\t%edi,%edi\n\tjnz\t.L014schedule_mangle_dec\n\taddl\t$16,%edx\n\tpxor\t336(%ebp),%xmm4\n.byte\t102,15,56,0,229\n\tmovdqa\t%xmm4,%xmm3\n.byte\t102,15,56,0,229\n\tpxor\t%xmm4,%xmm3\n.byte\t102,15,56,0,229\n\tpxor\t%xmm4,%xmm3\n\tjmp\t.L015schedule_mangle_both\n.align\t16\n.L014schedule_mangle_dec:\n\tmovdqa\t-16(%ebp),%xmm2\n\tleal\t416(%ebp),%esi\n\tmovdqa\t%xmm2,%xmm1\n\tpandn\t%xmm4,%xmm1\n\tpsrld\t$4,%xmm1\n\tpand\t%xmm2,%xmm4\n\tmovdqa\t(%esi),%xmm2\n.byte\t102,15,56,0,212\n\tmovdqa\t16(%esi),%xmm3\n.byte\t102,15,56,0,217\n\tpxor\t%xmm2,%xmm3\n.byte\t102,15,56,0,221\n\tmovdqa\t32(%esi),%xmm2\n.byte\t102,15,56,0,212\n\tpxor\t%xmm3,%xmm2\n\tmovdqa\t48(%esi),%xmm3\n.byte\t102,15,56,0,217\n\tpxor\t%xmm2,%xmm3\n.byte\t102,15,56,0,221\n\tmovdqa\t64(%esi),%xmm2\n.byte\t102,15,56,0,212\n\tpxor\t%xmm3,%xmm2\n\tmovdqa\t80(%esi),%xmm3\n.byte\t102,15,56,0,217\n\tpxor\t%xmm2,%xmm3\n.byte\t102,15,56,0,221\n\tmovdqa\t96(%esi),%xmm2\n.byte\t102,15,56,0,212\n\tpxor\t%xmm3,%xmm2\n\tmovdqa\t112(%esi),%xmm3\n.byte\t102,15,56,0,217\n\tpxor\t%xmm2,%xmm3\n\taddl\t$-16,%edx\n.L015schedule_mangle_both:\n\tmovdqa\t256(%ebp,%ecx,1),%xmm1\n.byte\t102,15,56,0,217\n\taddl\t$-16,%ecx\n\tandl\t$48,%ecx\n\tmovdqu\t%xmm3,(%edx)\n\tret\n.size\t_vpaes_schedule_mangle,.-_vpaes_schedule_mangle\n.globl\tvpaes_set_encrypt_key\n.hidden\tvpaes_set_encrypt_key\n.type\tvpaes_set_encrypt_key,@function\n.align\t16\nvpaes_set_encrypt_key:\n.L_vpaes_set_encrypt_key_begin:\n\tpushl\t%ebp\n\tpushl\t%ebx\n\tpushl\t%esi\n\tpushl\t%edi\n#ifdef BORINGSSL_DISPATCH_TEST\n\tpushl\t%ebx\n\tpushl\t%edx\n\tcall\t.L016pic_for_function_hit\n.L016pic_for_function_hit:\n\tpopl\t%ebx\n\tleal\tBORINGSSL_function_hit+5-.L016pic_for_function_hit(%ebx),%ebx\n\tmovl\t$1,%edx\n\tmovb\t%dl,(%ebx)\n\tpopl\t%edx\n\tpopl\t%ebx\n#endif\n\tmovl\t20(%esp),%esi\n\tleal\t-56(%esp),%ebx\n\tmovl\t24(%esp),%eax\n\tandl\t$-16,%ebx\n\tmovl\t28(%esp),%edx\n\txchgl\t%esp,%ebx\n\tmovl\t%ebx,48(%esp)\n\tmovl\t%eax,%ebx\n\tshrl\t$5,%ebx\n\taddl\t$5,%ebx\n\tmovl\t%ebx,240(%edx)\n\tmovl\t$48,%ecx\n\tmovl\t$0,%edi\n\tleal\t.L_vpaes_consts+0x30-.L017pic_point,%ebp\n\tcall\t_vpaes_schedule_core\n.L017pic_point:\n\tmovl\t48(%esp),%esp\n\txorl\t%eax,%eax\n\tpopl\t%edi\n\tpopl\t%esi\n\tpopl\t%ebx\n\tpopl\t%ebp\n\tret\n.size\tvpaes_set_encrypt_key,.-.L_vpaes_set_encrypt_key_begin\n.globl\tvpaes_set_decrypt_key\n.hidden\tvpaes_set_decrypt_key\n.type\tvpaes_set_decrypt_key,@function\n.align\t16\nvpaes_set_decrypt_key:\n.L_vpaes_set_decrypt_key_begin:\n\tpushl\t%ebp\n\tpushl\t%ebx\n\tpushl\t%esi\n\tpushl\t%edi\n\tmovl\t20(%esp),%esi\n\tleal\t-56(%esp),%ebx\n\tmovl\t24(%esp),%eax\n\tandl\t$-16,%ebx\n\tmovl\t28(%esp),%edx\n\txchgl\t%esp,%ebx\n\tmovl\t%ebx,48(%esp)\n\tmovl\t%eax,%ebx\n\tshrl\t$5,%ebx\n\taddl\t$5,%ebx\n\tmovl\t%ebx,240(%edx)\n\tshll\t$4,%ebx\n\tleal\t16(%edx,%ebx,1),%edx\n\tmovl\t$1,%edi\n\tmovl\t%eax,%ecx\n\tshrl\t$1,%ecx\n\tandl\t$32,%ecx\n\txorl\t$32,%ecx\n\tleal\t.L_vpaes_consts+0x30-.L018pic_point,%ebp\n\tcall\t_vpaes_schedule_core\n.L018pic_point:\n\tmovl\t48(%esp),%esp\n\txorl\t%eax,%eax\n\tpopl\t%edi\n\tpopl\t%esi\n\tpopl\t%ebx\n\tpopl\t%ebp\n\tret\n.size\tvpaes_set_decrypt_key,.-.L_vpaes_set_decrypt_key_begin\n.globl\tvpaes_encrypt\n.hidden\tvpaes_encrypt\n.type\tvpaes_encrypt,@function\n.align\t16\nvpaes_encrypt:\n.L_vpaes_encrypt_begin:\n\tpushl\t%ebp\n\tpushl\t%ebx\n\tpushl\t%esi\n\tpushl\t%edi\n#ifdef BORINGSSL_DISPATCH_TEST\n\tpushl\t%ebx\n\tpushl\t%edx\n\tcall\t.L019pic_for_function_hit\n.L019pic_for_function_hit:\n\tpopl\t%ebx\n\tleal\tBORINGSSL_function_hit+4-.L019pic_for_function_hit(%ebx),%ebx\n\tmovl\t$1,%edx\n\tmovb\t%dl,(%ebx)\n\tpopl\t%edx\n\tpopl\t%ebx\n#endif\n\tleal\t.L_vpaes_consts+0x30-.L020pic_point,%ebp\n\tcall\t_vpaes_preheat\n.L020pic_point:\n\tmovl\t20(%esp),%esi\n\tleal\t-56(%esp),%ebx\n\tmovl\t24(%esp),%edi\n\tandl\t$-16,%ebx\n\tmovl\t28(%esp),%edx\n\txchgl\t%esp,%ebx\n\tmovl\t%ebx,48(%esp)\n\tmovdqu\t(%esi),%xmm0\n\tcall\t_vpaes_encrypt_core\n\tmovdqu\t%xmm0,(%edi)\n\tmovl\t48(%esp),%esp\n\tpopl\t%edi\n\tpopl\t%esi\n\tpopl\t%ebx\n\tpopl\t%ebp\n\tret\n.size\tvpaes_encrypt,.-.L_vpaes_encrypt_begin\n.globl\tvpaes_decrypt\n.hidden\tvpaes_decrypt\n.type\tvpaes_decrypt,@function\n.align\t16\nvpaes_decrypt:\n.L_vpaes_decrypt_begin:\n\tpushl\t%ebp\n\tpushl\t%ebx\n\tpushl\t%esi\n\tpushl\t%edi\n\tleal\t.L_vpaes_consts+0x30-.L021pic_point,%ebp\n\tcall\t_vpaes_preheat\n.L021pic_point:\n\tmovl\t20(%esp),%esi\n\tleal\t-56(%esp),%ebx\n\tmovl\t24(%esp),%edi\n\tandl\t$-16,%ebx\n\tmovl\t28(%esp),%edx\n\txchgl\t%esp,%ebx\n\tmovl\t%ebx,48(%esp)\n\tmovdqu\t(%esi),%xmm0\n\tcall\t_vpaes_decrypt_core\n\tmovdqu\t%xmm0,(%edi)\n\tmovl\t48(%esp),%esp\n\tpopl\t%edi\n\tpopl\t%esi\n\tpopl\t%ebx\n\tpopl\t%ebp\n\tret\n.size\tvpaes_decrypt,.-.L_vpaes_decrypt_begin\n.globl\tvpaes_cbc_encrypt\n.hidden\tvpaes_cbc_encrypt\n.type\tvpaes_cbc_encrypt,@function\n.align\t16\nvpaes_cbc_encrypt:\n.L_vpaes_cbc_encrypt_begin:\n\tpushl\t%ebp\n\tpushl\t%ebx\n\tpushl\t%esi\n\tpushl\t%edi\n\tmovl\t20(%esp),%esi\n\tmovl\t24(%esp),%edi\n\tmovl\t28(%esp),%eax\n\tmovl\t32(%esp),%edx\n\tsubl\t$16,%eax\n\tjc\t.L022cbc_abort\n\tleal\t-56(%esp),%ebx\n\tmovl\t36(%esp),%ebp\n\tandl\t$-16,%ebx\n\tmovl\t40(%esp),%ecx\n\txchgl\t%esp,%ebx\n\tmovdqu\t(%ebp),%xmm1\n\tsubl\t%esi,%edi\n\tmovl\t%ebx,48(%esp)\n\tmovl\t%edi,(%esp)\n\tmovl\t%edx,4(%esp)\n\tmovl\t%ebp,8(%esp)\n\tmovl\t%eax,%edi\n\tleal\t.L_vpaes_consts+0x30-.L023pic_point,%ebp\n\tcall\t_vpaes_preheat\n.L023pic_point:\n\tcmpl\t$0,%ecx\n\tje\t.L024cbc_dec_loop\n\tjmp\t.L025cbc_enc_loop\n.align\t16\n.L025cbc_enc_loop:\n\tmovdqu\t(%esi),%xmm0\n\tpxor\t%xmm1,%xmm0\n\tcall\t_vpaes_encrypt_core\n\tmovl\t(%esp),%ebx\n\tmovl\t4(%esp),%edx\n\tmovdqa\t%xmm0,%xmm1\n\tmovdqu\t%xmm0,(%ebx,%esi,1)\n\tleal\t16(%esi),%esi\n\tsubl\t$16,%edi\n\tjnc\t.L025cbc_enc_loop\n\tjmp\t.L026cbc_done\n.align\t16\n.L024cbc_dec_loop:\n\tmovdqu\t(%esi),%xmm0\n\tmovdqa\t%xmm1,16(%esp)\n\tmovdqa\t%xmm0,32(%esp)\n\tcall\t_vpaes_decrypt_core\n\tmovl\t(%esp),%ebx\n\tmovl\t4(%esp),%edx\n\tpxor\t16(%esp),%xmm0\n\tmovdqa\t32(%esp),%xmm1\n\tmovdqu\t%xmm0,(%ebx,%esi,1)\n\tleal\t16(%esi),%esi\n\tsubl\t$16,%edi\n\tjnc\t.L024cbc_dec_loop\n.L026cbc_done:\n\tmovl\t8(%esp),%ebx\n\tmovl\t48(%esp),%esp\n\tmovdqu\t%xmm1,(%ebx)\n.L022cbc_abort:\n\tpopl\t%edi\n\tpopl\t%esi\n\tpopl\t%ebx\n\tpopl\t%ebp\n\tret\n.size\tvpaes_cbc_encrypt,.-.L_vpaes_cbc_encrypt_begin\n#endif // !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86) && defined(__ELF__)\n#if defined(__linux__) && defined(__ELF__)\n.section .note.GNU-stack,\"\",%progbits\n#endif\n\n" }, { "path": "Sources/CNIOBoringSSL/gen/bcm/vpaes-x86_64-apple.S", "content": "#define BORINGSSL_PREFIX CNIOBoringSSL\n// This file is generated from a similarly-named Perl script in the BoringSSL\n// source tree. Do not edit by hand.\n\n#include \n\n#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86_64) && defined(__APPLE__)\n.text\t\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n.p2align\t4\n_vpaes_encrypt_core:\n\n\tmovq\t%rdx,%r9\n\tmovq\t$16,%r11\n\tmovl\t240(%rdx),%eax\n\tmovdqa\t%xmm9,%xmm1\n\tmovdqa\tL$k_ipt(%rip),%xmm2\n\tpandn\t%xmm0,%xmm1\n\tmovdqu\t(%r9),%xmm5\n\tpsrld\t$4,%xmm1\n\tpand\t%xmm9,%xmm0\n.byte\t102,15,56,0,208\n\tmovdqa\tL$k_ipt+16(%rip),%xmm0\n.byte\t102,15,56,0,193\n\tpxor\t%xmm5,%xmm2\n\taddq\t$16,%r9\n\tpxor\t%xmm2,%xmm0\n\tleaq\tL$k_mc_backward(%rip),%r10\n\tjmp\tL$enc_entry\n\n.p2align\t4\nL$enc_loop:\n\n\tmovdqa\t%xmm13,%xmm4\n\tmovdqa\t%xmm12,%xmm0\n.byte\t102,15,56,0,226\n.byte\t102,15,56,0,195\n\tpxor\t%xmm5,%xmm4\n\tmovdqa\t%xmm15,%xmm5\n\tpxor\t%xmm4,%xmm0\n\tmovdqa\t-64(%r11,%r10,1),%xmm1\n.byte\t102,15,56,0,234\n\tmovdqa\t(%r11,%r10,1),%xmm4\n\tmovdqa\t%xmm14,%xmm2\n.byte\t102,15,56,0,211\n\tmovdqa\t%xmm0,%xmm3\n\tpxor\t%xmm5,%xmm2\n.byte\t102,15,56,0,193\n\taddq\t$16,%r9\n\tpxor\t%xmm2,%xmm0\n.byte\t102,15,56,0,220\n\taddq\t$16,%r11\n\tpxor\t%xmm0,%xmm3\n.byte\t102,15,56,0,193\n\tandq\t$0x30,%r11\n\tsubq\t$1,%rax\n\tpxor\t%xmm3,%xmm0\n\nL$enc_entry:\n\n\tmovdqa\t%xmm9,%xmm1\n\tmovdqa\t%xmm11,%xmm5\n\tpandn\t%xmm0,%xmm1\n\tpsrld\t$4,%xmm1\n\tpand\t%xmm9,%xmm0\n.byte\t102,15,56,0,232\n\tmovdqa\t%xmm10,%xmm3\n\tpxor\t%xmm1,%xmm0\n.byte\t102,15,56,0,217\n\tmovdqa\t%xmm10,%xmm4\n\tpxor\t%xmm5,%xmm3\n.byte\t102,15,56,0,224\n\tmovdqa\t%xmm10,%xmm2\n\tpxor\t%xmm5,%xmm4\n.byte\t102,15,56,0,211\n\tmovdqa\t%xmm10,%xmm3\n\tpxor\t%xmm0,%xmm2\n.byte\t102,15,56,0,220\n\tmovdqu\t(%r9),%xmm5\n\tpxor\t%xmm1,%xmm3\n\tjnz\tL$enc_loop\n\n\n\tmovdqa\t-96(%r10),%xmm4\n\tmovdqa\t-80(%r10),%xmm0\n.byte\t102,15,56,0,226\n\tpxor\t%xmm5,%xmm4\n.byte\t102,15,56,0,195\n\tmovdqa\t64(%r11,%r10,1),%xmm1\n\tpxor\t%xmm4,%xmm0\n.byte\t102,15,56,0,193\n\tret\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n.p2align\t4\n_vpaes_encrypt_core_2x:\n\n\tmovq\t%rdx,%r9\n\tmovq\t$16,%r11\n\tmovl\t240(%rdx),%eax\n\tmovdqa\t%xmm9,%xmm1\n\tmovdqa\t%xmm9,%xmm7\n\tmovdqa\tL$k_ipt(%rip),%xmm2\n\tmovdqa\t%xmm2,%xmm8\n\tpandn\t%xmm0,%xmm1\n\tpandn\t%xmm6,%xmm7\n\tmovdqu\t(%r9),%xmm5\n\n\tpsrld\t$4,%xmm1\n\tpsrld\t$4,%xmm7\n\tpand\t%xmm9,%xmm0\n\tpand\t%xmm9,%xmm6\n.byte\t102,15,56,0,208\n.byte\t102,68,15,56,0,198\n\tmovdqa\tL$k_ipt+16(%rip),%xmm0\n\tmovdqa\t%xmm0,%xmm6\n.byte\t102,15,56,0,193\n.byte\t102,15,56,0,247\n\tpxor\t%xmm5,%xmm2\n\tpxor\t%xmm5,%xmm8\n\taddq\t$16,%r9\n\tpxor\t%xmm2,%xmm0\n\tpxor\t%xmm8,%xmm6\n\tleaq\tL$k_mc_backward(%rip),%r10\n\tjmp\tL$enc2x_entry\n\n.p2align\t4\nL$enc2x_loop:\n\n\tmovdqa\tL$k_sb1(%rip),%xmm4\n\tmovdqa\tL$k_sb1+16(%rip),%xmm0\n\tmovdqa\t%xmm4,%xmm12\n\tmovdqa\t%xmm0,%xmm6\n.byte\t102,15,56,0,226\n.byte\t102,69,15,56,0,224\n.byte\t102,15,56,0,195\n.byte\t102,65,15,56,0,243\n\tpxor\t%xmm5,%xmm4\n\tpxor\t%xmm5,%xmm12\n\tmovdqa\tL$k_sb2(%rip),%xmm5\n\tmovdqa\t%xmm5,%xmm13\n\tpxor\t%xmm4,%xmm0\n\tpxor\t%xmm12,%xmm6\n\tmovdqa\t-64(%r11,%r10,1),%xmm1\n\n.byte\t102,15,56,0,234\n.byte\t102,69,15,56,0,232\n\tmovdqa\t(%r11,%r10,1),%xmm4\n\n\tmovdqa\tL$k_sb2+16(%rip),%xmm2\n\tmovdqa\t%xmm2,%xmm8\n.byte\t102,15,56,0,211\n.byte\t102,69,15,56,0,195\n\tmovdqa\t%xmm0,%xmm3\n\tmovdqa\t%xmm6,%xmm11\n\tpxor\t%xmm5,%xmm2\n\tpxor\t%xmm13,%xmm8\n.byte\t102,15,56,0,193\n.byte\t102,15,56,0,241\n\taddq\t$16,%r9\n\tpxor\t%xmm2,%xmm0\n\tpxor\t%xmm8,%xmm6\n.byte\t102,15,56,0,220\n.byte\t102,68,15,56,0,220\n\taddq\t$16,%r11\n\tpxor\t%xmm0,%xmm3\n\tpxor\t%xmm6,%xmm11\n.byte\t102,15,56,0,193\n.byte\t102,15,56,0,241\n\tandq\t$0x30,%r11\n\tsubq\t$1,%rax\n\tpxor\t%xmm3,%xmm0\n\tpxor\t%xmm11,%xmm6\n\nL$enc2x_entry:\n\n\tmovdqa\t%xmm9,%xmm1\n\tmovdqa\t%xmm9,%xmm7\n\tmovdqa\tL$k_inv+16(%rip),%xmm5\n\tmovdqa\t%xmm5,%xmm13\n\tpandn\t%xmm0,%xmm1\n\tpandn\t%xmm6,%xmm7\n\tpsrld\t$4,%xmm1\n\tpsrld\t$4,%xmm7\n\tpand\t%xmm9,%xmm0\n\tpand\t%xmm9,%xmm6\n.byte\t102,15,56,0,232\n.byte\t102,68,15,56,0,238\n\tmovdqa\t%xmm10,%xmm3\n\tmovdqa\t%xmm10,%xmm11\n\tpxor\t%xmm1,%xmm0\n\tpxor\t%xmm7,%xmm6\n.byte\t102,15,56,0,217\n.byte\t102,68,15,56,0,223\n\tmovdqa\t%xmm10,%xmm4\n\tmovdqa\t%xmm10,%xmm12\n\tpxor\t%xmm5,%xmm3\n\tpxor\t%xmm13,%xmm11\n.byte\t102,15,56,0,224\n.byte\t102,68,15,56,0,230\n\tmovdqa\t%xmm10,%xmm2\n\tmovdqa\t%xmm10,%xmm8\n\tpxor\t%xmm5,%xmm4\n\tpxor\t%xmm13,%xmm12\n.byte\t102,15,56,0,211\n.byte\t102,69,15,56,0,195\n\tmovdqa\t%xmm10,%xmm3\n\tmovdqa\t%xmm10,%xmm11\n\tpxor\t%xmm0,%xmm2\n\tpxor\t%xmm6,%xmm8\n.byte\t102,15,56,0,220\n.byte\t102,69,15,56,0,220\n\tmovdqu\t(%r9),%xmm5\n\n\tpxor\t%xmm1,%xmm3\n\tpxor\t%xmm7,%xmm11\n\tjnz\tL$enc2x_loop\n\n\n\tmovdqa\t-96(%r10),%xmm4\n\tmovdqa\t-80(%r10),%xmm0\n\tmovdqa\t%xmm4,%xmm12\n\tmovdqa\t%xmm0,%xmm6\n.byte\t102,15,56,0,226\n.byte\t102,69,15,56,0,224\n\tpxor\t%xmm5,%xmm4\n\tpxor\t%xmm5,%xmm12\n.byte\t102,15,56,0,195\n.byte\t102,65,15,56,0,243\n\tmovdqa\t64(%r11,%r10,1),%xmm1\n\n\tpxor\t%xmm4,%xmm0\n\tpxor\t%xmm12,%xmm6\n.byte\t102,15,56,0,193\n.byte\t102,15,56,0,241\n\tret\n\n\n\n\n\n\n\n\n\n.p2align\t4\n_vpaes_decrypt_core:\n\n\tmovq\t%rdx,%r9\n\tmovl\t240(%rdx),%eax\n\tmovdqa\t%xmm9,%xmm1\n\tmovdqa\tL$k_dipt(%rip),%xmm2\n\tpandn\t%xmm0,%xmm1\n\tmovq\t%rax,%r11\n\tpsrld\t$4,%xmm1\n\tmovdqu\t(%r9),%xmm5\n\tshlq\t$4,%r11\n\tpand\t%xmm9,%xmm0\n.byte\t102,15,56,0,208\n\tmovdqa\tL$k_dipt+16(%rip),%xmm0\n\txorq\t$0x30,%r11\n\tleaq\tL$k_dsbd(%rip),%r10\n.byte\t102,15,56,0,193\n\tandq\t$0x30,%r11\n\tpxor\t%xmm5,%xmm2\n\tmovdqa\tL$k_mc_forward+48(%rip),%xmm5\n\tpxor\t%xmm2,%xmm0\n\taddq\t$16,%r9\n\taddq\t%r10,%r11\n\tjmp\tL$dec_entry\n\n.p2align\t4\nL$dec_loop:\n\n\n\n\tmovdqa\t-32(%r10),%xmm4\n\tmovdqa\t-16(%r10),%xmm1\n.byte\t102,15,56,0,226\n.byte\t102,15,56,0,203\n\tpxor\t%xmm4,%xmm0\n\tmovdqa\t0(%r10),%xmm4\n\tpxor\t%xmm1,%xmm0\n\tmovdqa\t16(%r10),%xmm1\n\n.byte\t102,15,56,0,226\n.byte\t102,15,56,0,197\n.byte\t102,15,56,0,203\n\tpxor\t%xmm4,%xmm0\n\tmovdqa\t32(%r10),%xmm4\n\tpxor\t%xmm1,%xmm0\n\tmovdqa\t48(%r10),%xmm1\n\n.byte\t102,15,56,0,226\n.byte\t102,15,56,0,197\n.byte\t102,15,56,0,203\n\tpxor\t%xmm4,%xmm0\n\tmovdqa\t64(%r10),%xmm4\n\tpxor\t%xmm1,%xmm0\n\tmovdqa\t80(%r10),%xmm1\n\n.byte\t102,15,56,0,226\n.byte\t102,15,56,0,197\n.byte\t102,15,56,0,203\n\tpxor\t%xmm4,%xmm0\n\taddq\t$16,%r9\n.byte\t102,15,58,15,237,12\n\tpxor\t%xmm1,%xmm0\n\tsubq\t$1,%rax\n\nL$dec_entry:\n\n\tmovdqa\t%xmm9,%xmm1\n\tpandn\t%xmm0,%xmm1\n\tmovdqa\t%xmm11,%xmm2\n\tpsrld\t$4,%xmm1\n\tpand\t%xmm9,%xmm0\n.byte\t102,15,56,0,208\n\tmovdqa\t%xmm10,%xmm3\n\tpxor\t%xmm1,%xmm0\n.byte\t102,15,56,0,217\n\tmovdqa\t%xmm10,%xmm4\n\tpxor\t%xmm2,%xmm3\n.byte\t102,15,56,0,224\n\tpxor\t%xmm2,%xmm4\n\tmovdqa\t%xmm10,%xmm2\n.byte\t102,15,56,0,211\n\tmovdqa\t%xmm10,%xmm3\n\tpxor\t%xmm0,%xmm2\n.byte\t102,15,56,0,220\n\tmovdqu\t(%r9),%xmm0\n\tpxor\t%xmm1,%xmm3\n\tjnz\tL$dec_loop\n\n\n\tmovdqa\t96(%r10),%xmm4\n.byte\t102,15,56,0,226\n\tpxor\t%xmm0,%xmm4\n\tmovdqa\t112(%r10),%xmm0\n\tmovdqa\t-352(%r11),%xmm2\n.byte\t102,15,56,0,195\n\tpxor\t%xmm4,%xmm0\n.byte\t102,15,56,0,194\n\tret\n\n\n\n\n\n\n\n\n\n.p2align\t4\n_vpaes_schedule_core:\n\n\n\n\n\n\n\tcall\t_vpaes_preheat\n\tmovdqa\tL$k_rcon(%rip),%xmm8\n\tmovdqu\t(%rdi),%xmm0\n\n\n\tmovdqa\t%xmm0,%xmm3\n\tleaq\tL$k_ipt(%rip),%r11\n\tcall\t_vpaes_schedule_transform\n\tmovdqa\t%xmm0,%xmm7\n\n\tleaq\tL$k_sr(%rip),%r10\n\ttestq\t%rcx,%rcx\n\tjnz\tL$schedule_am_decrypting\n\n\n\tmovdqu\t%xmm0,(%rdx)\n\tjmp\tL$schedule_go\n\nL$schedule_am_decrypting:\n\n\tmovdqa\t(%r8,%r10,1),%xmm1\n.byte\t102,15,56,0,217\n\tmovdqu\t%xmm3,(%rdx)\n\txorq\t$0x30,%r8\n\nL$schedule_go:\n\tcmpl\t$192,%esi\n\tja\tL$schedule_256\n\tje\tL$schedule_192\n\n\n\n\n\n\n\n\n\n\nL$schedule_128:\n\tmovl\t$10,%esi\n\nL$oop_schedule_128:\n\tcall\t_vpaes_schedule_round\n\tdecq\t%rsi\n\tjz\tL$schedule_mangle_last\n\tcall\t_vpaes_schedule_mangle\n\tjmp\tL$oop_schedule_128\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n.p2align\t4\nL$schedule_192:\n\tmovdqu\t8(%rdi),%xmm0\n\tcall\t_vpaes_schedule_transform\n\tmovdqa\t%xmm0,%xmm6\n\tpxor\t%xmm4,%xmm4\n\tmovhlps\t%xmm4,%xmm6\n\tmovl\t$4,%esi\n\nL$oop_schedule_192:\n\tcall\t_vpaes_schedule_round\n.byte\t102,15,58,15,198,8\n\tcall\t_vpaes_schedule_mangle\n\tcall\t_vpaes_schedule_192_smear\n\tcall\t_vpaes_schedule_mangle\n\tcall\t_vpaes_schedule_round\n\tdecq\t%rsi\n\tjz\tL$schedule_mangle_last\n\tcall\t_vpaes_schedule_mangle\n\tcall\t_vpaes_schedule_192_smear\n\tjmp\tL$oop_schedule_192\n\n\n\n\n\n\n\n\n\n\n\n.p2align\t4\nL$schedule_256:\n\tmovdqu\t16(%rdi),%xmm0\n\tcall\t_vpaes_schedule_transform\n\tmovl\t$7,%esi\n\nL$oop_schedule_256:\n\tcall\t_vpaes_schedule_mangle\n\tmovdqa\t%xmm0,%xmm6\n\n\n\tcall\t_vpaes_schedule_round\n\tdecq\t%rsi\n\tjz\tL$schedule_mangle_last\n\tcall\t_vpaes_schedule_mangle\n\n\n\tpshufd\t$0xFF,%xmm0,%xmm0\n\tmovdqa\t%xmm7,%xmm5\n\tmovdqa\t%xmm6,%xmm7\n\tcall\t_vpaes_schedule_low_round\n\tmovdqa\t%xmm5,%xmm7\n\n\tjmp\tL$oop_schedule_256\n\n\n\n\n\n\n\n\n\n\n\n\n.p2align\t4\nL$schedule_mangle_last:\n\n\tleaq\tL$k_deskew(%rip),%r11\n\ttestq\t%rcx,%rcx\n\tjnz\tL$schedule_mangle_last_dec\n\n\n\tmovdqa\t(%r8,%r10,1),%xmm1\n.byte\t102,15,56,0,193\n\tleaq\tL$k_opt(%rip),%r11\n\taddq\t$32,%rdx\n\nL$schedule_mangle_last_dec:\n\taddq\t$-16,%rdx\n\tpxor\tL$k_s63(%rip),%xmm0\n\tcall\t_vpaes_schedule_transform\n\tmovdqu\t%xmm0,(%rdx)\n\n\n\tpxor\t%xmm0,%xmm0\n\tpxor\t%xmm1,%xmm1\n\tpxor\t%xmm2,%xmm2\n\tpxor\t%xmm3,%xmm3\n\tpxor\t%xmm4,%xmm4\n\tpxor\t%xmm5,%xmm5\n\tpxor\t%xmm6,%xmm6\n\tpxor\t%xmm7,%xmm7\n\tret\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n.p2align\t4\n_vpaes_schedule_192_smear:\n\n\tpshufd\t$0x80,%xmm6,%xmm1\n\tpshufd\t$0xFE,%xmm7,%xmm0\n\tpxor\t%xmm1,%xmm6\n\tpxor\t%xmm1,%xmm1\n\tpxor\t%xmm0,%xmm6\n\tmovdqa\t%xmm6,%xmm0\n\tmovhlps\t%xmm1,%xmm6\n\tret\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n.p2align\t4\n_vpaes_schedule_round:\n\n\n\tpxor\t%xmm1,%xmm1\n.byte\t102,65,15,58,15,200,15\n.byte\t102,69,15,58,15,192,15\n\tpxor\t%xmm1,%xmm7\n\n\n\tpshufd\t$0xFF,%xmm0,%xmm0\n.byte\t102,15,58,15,192,1\n\n\n\n\n_vpaes_schedule_low_round:\n\n\tmovdqa\t%xmm7,%xmm1\n\tpslldq\t$4,%xmm7\n\tpxor\t%xmm1,%xmm7\n\tmovdqa\t%xmm7,%xmm1\n\tpslldq\t$8,%xmm7\n\tpxor\t%xmm1,%xmm7\n\tpxor\tL$k_s63(%rip),%xmm7\n\n\n\tmovdqa\t%xmm9,%xmm1\n\tpandn\t%xmm0,%xmm1\n\tpsrld\t$4,%xmm1\n\tpand\t%xmm9,%xmm0\n\tmovdqa\t%xmm11,%xmm2\n.byte\t102,15,56,0,208\n\tpxor\t%xmm1,%xmm0\n\tmovdqa\t%xmm10,%xmm3\n.byte\t102,15,56,0,217\n\tpxor\t%xmm2,%xmm3\n\tmovdqa\t%xmm10,%xmm4\n.byte\t102,15,56,0,224\n\tpxor\t%xmm2,%xmm4\n\tmovdqa\t%xmm10,%xmm2\n.byte\t102,15,56,0,211\n\tpxor\t%xmm0,%xmm2\n\tmovdqa\t%xmm10,%xmm3\n.byte\t102,15,56,0,220\n\tpxor\t%xmm1,%xmm3\n\tmovdqa\t%xmm13,%xmm4\n.byte\t102,15,56,0,226\n\tmovdqa\t%xmm12,%xmm0\n.byte\t102,15,56,0,195\n\tpxor\t%xmm4,%xmm0\n\n\n\tpxor\t%xmm7,%xmm0\n\tmovdqa\t%xmm0,%xmm7\n\tret\n\n\n\n\n\n\n\n\n\n\n\n\n\n.p2align\t4\n_vpaes_schedule_transform:\n\n\tmovdqa\t%xmm9,%xmm1\n\tpandn\t%xmm0,%xmm1\n\tpsrld\t$4,%xmm1\n\tpand\t%xmm9,%xmm0\n\tmovdqa\t(%r11),%xmm2\n.byte\t102,15,56,0,208\n\tmovdqa\t16(%r11),%xmm0\n.byte\t102,15,56,0,193\n\tpxor\t%xmm2,%xmm0\n\tret\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n.p2align\t4\n_vpaes_schedule_mangle:\n\n\tmovdqa\t%xmm0,%xmm4\n\tmovdqa\tL$k_mc_forward(%rip),%xmm5\n\ttestq\t%rcx,%rcx\n\tjnz\tL$schedule_mangle_dec\n\n\n\taddq\t$16,%rdx\n\tpxor\tL$k_s63(%rip),%xmm4\n.byte\t102,15,56,0,229\n\tmovdqa\t%xmm4,%xmm3\n.byte\t102,15,56,0,229\n\tpxor\t%xmm4,%xmm3\n.byte\t102,15,56,0,229\n\tpxor\t%xmm4,%xmm3\n\n\tjmp\tL$schedule_mangle_both\n.p2align\t4\nL$schedule_mangle_dec:\n\n\tleaq\tL$k_dksd(%rip),%r11\n\tmovdqa\t%xmm9,%xmm1\n\tpandn\t%xmm4,%xmm1\n\tpsrld\t$4,%xmm1\n\tpand\t%xmm9,%xmm4\n\n\tmovdqa\t0(%r11),%xmm2\n.byte\t102,15,56,0,212\n\tmovdqa\t16(%r11),%xmm3\n.byte\t102,15,56,0,217\n\tpxor\t%xmm2,%xmm3\n.byte\t102,15,56,0,221\n\n\tmovdqa\t32(%r11),%xmm2\n.byte\t102,15,56,0,212\n\tpxor\t%xmm3,%xmm2\n\tmovdqa\t48(%r11),%xmm3\n.byte\t102,15,56,0,217\n\tpxor\t%xmm2,%xmm3\n.byte\t102,15,56,0,221\n\n\tmovdqa\t64(%r11),%xmm2\n.byte\t102,15,56,0,212\n\tpxor\t%xmm3,%xmm2\n\tmovdqa\t80(%r11),%xmm3\n.byte\t102,15,56,0,217\n\tpxor\t%xmm2,%xmm3\n.byte\t102,15,56,0,221\n\n\tmovdqa\t96(%r11),%xmm2\n.byte\t102,15,56,0,212\n\tpxor\t%xmm3,%xmm2\n\tmovdqa\t112(%r11),%xmm3\n.byte\t102,15,56,0,217\n\tpxor\t%xmm2,%xmm3\n\n\taddq\t$-16,%rdx\n\nL$schedule_mangle_both:\n\tmovdqa\t(%r8,%r10,1),%xmm1\n.byte\t102,15,56,0,217\n\taddq\t$-16,%r8\n\tandq\t$0x30,%r8\n\tmovdqu\t%xmm3,(%rdx)\n\tret\n\n\n\n\n\n\n.globl\t_vpaes_set_encrypt_key\n.private_extern _vpaes_set_encrypt_key\n\n.p2align\t4\n_vpaes_set_encrypt_key:\n\n_CET_ENDBR\n#ifdef BORINGSSL_DISPATCH_TEST\n\n\tmovb\t$1,_BORINGSSL_function_hit+5(%rip)\n#endif\n\n\tmovl\t%esi,%eax\n\tshrl\t$5,%eax\n\taddl\t$5,%eax\n\tmovl\t%eax,240(%rdx)\n\n\tmovl\t$0,%ecx\n\tmovl\t$0x30,%r8d\n\tcall\t_vpaes_schedule_core\n\txorl\t%eax,%eax\n\tret\n\n\n\n.globl\t_vpaes_set_decrypt_key\n.private_extern _vpaes_set_decrypt_key\n\n.p2align\t4\n_vpaes_set_decrypt_key:\n\n_CET_ENDBR\n\tmovl\t%esi,%eax\n\tshrl\t$5,%eax\n\taddl\t$5,%eax\n\tmovl\t%eax,240(%rdx)\n\tshll\t$4,%eax\n\tleaq\t16(%rdx,%rax,1),%rdx\n\n\tmovl\t$1,%ecx\n\tmovl\t%esi,%r8d\n\tshrl\t$1,%r8d\n\tandl\t$32,%r8d\n\txorl\t$32,%r8d\n\tcall\t_vpaes_schedule_core\n\txorl\t%eax,%eax\n\tret\n\n\n\n.globl\t_vpaes_encrypt\n.private_extern _vpaes_encrypt\n\n.p2align\t4\n_vpaes_encrypt:\n\n_CET_ENDBR\n#ifdef BORINGSSL_DISPATCH_TEST\n\n\tmovb\t$1,_BORINGSSL_function_hit+4(%rip)\n#endif\n\tmovdqu\t(%rdi),%xmm0\n\tcall\t_vpaes_preheat\n\tcall\t_vpaes_encrypt_core\n\tmovdqu\t%xmm0,(%rsi)\n\tret\n\n\n\n.globl\t_vpaes_decrypt\n.private_extern _vpaes_decrypt\n\n.p2align\t4\n_vpaes_decrypt:\n\n_CET_ENDBR\n\tmovdqu\t(%rdi),%xmm0\n\tcall\t_vpaes_preheat\n\tcall\t_vpaes_decrypt_core\n\tmovdqu\t%xmm0,(%rsi)\n\tret\n\n\n.globl\t_vpaes_cbc_encrypt\n.private_extern _vpaes_cbc_encrypt\n\n.p2align\t4\n_vpaes_cbc_encrypt:\n\n_CET_ENDBR\n\txchgq\t%rcx,%rdx\n\tsubq\t$16,%rcx\n\tjc\tL$cbc_abort\n\tmovdqu\t(%r8),%xmm6\n\tsubq\t%rdi,%rsi\n\tcall\t_vpaes_preheat\n\tcmpl\t$0,%r9d\n\tje\tL$cbc_dec_loop\n\tjmp\tL$cbc_enc_loop\n.p2align\t4\nL$cbc_enc_loop:\n\tmovdqu\t(%rdi),%xmm0\n\tpxor\t%xmm6,%xmm0\n\tcall\t_vpaes_encrypt_core\n\tmovdqa\t%xmm0,%xmm6\n\tmovdqu\t%xmm0,(%rsi,%rdi,1)\n\tleaq\t16(%rdi),%rdi\n\tsubq\t$16,%rcx\n\tjnc\tL$cbc_enc_loop\n\tjmp\tL$cbc_done\n.p2align\t4\nL$cbc_dec_loop:\n\tmovdqu\t(%rdi),%xmm0\n\tmovdqa\t%xmm0,%xmm7\n\tcall\t_vpaes_decrypt_core\n\tpxor\t%xmm6,%xmm0\n\tmovdqa\t%xmm7,%xmm6\n\tmovdqu\t%xmm0,(%rsi,%rdi,1)\n\tleaq\t16(%rdi),%rdi\n\tsubq\t$16,%rcx\n\tjnc\tL$cbc_dec_loop\nL$cbc_done:\n\tmovdqu\t%xmm6,(%r8)\nL$cbc_abort:\n\tret\n\n\n.globl\t_vpaes_ctr32_encrypt_blocks\n.private_extern _vpaes_ctr32_encrypt_blocks\n\n.p2align\t4\n_vpaes_ctr32_encrypt_blocks:\n\n_CET_ENDBR\n\n\txchgq\t%rcx,%rdx\n\ttestq\t%rcx,%rcx\n\tjz\tL$ctr32_abort\n\tmovdqu\t(%r8),%xmm0\n\tmovdqa\tL$ctr_add_one(%rip),%xmm8\n\tsubq\t%rdi,%rsi\n\tcall\t_vpaes_preheat\n\tmovdqa\t%xmm0,%xmm6\n\tpshufb\tL$rev_ctr(%rip),%xmm6\n\n\ttestq\t$1,%rcx\n\tjz\tL$ctr32_prep_loop\n\n\n\n\tmovdqu\t(%rdi),%xmm7\n\tcall\t_vpaes_encrypt_core\n\tpxor\t%xmm7,%xmm0\n\tpaddd\t%xmm8,%xmm6\n\tmovdqu\t%xmm0,(%rsi,%rdi,1)\n\tsubq\t$1,%rcx\n\tleaq\t16(%rdi),%rdi\n\tjz\tL$ctr32_done\n\nL$ctr32_prep_loop:\n\n\n\tmovdqa\t%xmm6,%xmm14\n\tmovdqa\t%xmm6,%xmm15\n\tpaddd\t%xmm8,%xmm15\n\nL$ctr32_loop:\n\tmovdqa\tL$rev_ctr(%rip),%xmm1\n\tmovdqa\t%xmm14,%xmm0\n\tmovdqa\t%xmm15,%xmm6\n.byte\t102,15,56,0,193\n.byte\t102,15,56,0,241\n\tcall\t_vpaes_encrypt_core_2x\n\tmovdqu\t(%rdi),%xmm1\n\tmovdqu\t16(%rdi),%xmm2\n\tmovdqa\tL$ctr_add_two(%rip),%xmm3\n\tpxor\t%xmm1,%xmm0\n\tpxor\t%xmm2,%xmm6\n\tpaddd\t%xmm3,%xmm14\n\tpaddd\t%xmm3,%xmm15\n\tmovdqu\t%xmm0,(%rsi,%rdi,1)\n\tmovdqu\t%xmm6,16(%rsi,%rdi,1)\n\tsubq\t$2,%rcx\n\tleaq\t32(%rdi),%rdi\n\tjnz\tL$ctr32_loop\n\nL$ctr32_done:\nL$ctr32_abort:\n\tret\n\n\n\n\n\n\n\n\n\n.p2align\t4\n_vpaes_preheat:\n\n\tleaq\tL$k_s0F(%rip),%r10\n\tmovdqa\t-32(%r10),%xmm10\n\tmovdqa\t-16(%r10),%xmm11\n\tmovdqa\t0(%r10),%xmm9\n\tmovdqa\t48(%r10),%xmm13\n\tmovdqa\t64(%r10),%xmm12\n\tmovdqa\t80(%r10),%xmm15\n\tmovdqa\t96(%r10),%xmm14\n\tret\n\n\n\n\n\n\n\n\n.section\t__DATA,__const\n.p2align\t6\n_vpaes_consts:\nL$k_inv:\n.quad\t0x0E05060F0D080180, 0x040703090A0B0C02\n.quad\t0x01040A060F0B0780, 0x030D0E0C02050809\n\nL$k_s0F:\n.quad\t0x0F0F0F0F0F0F0F0F, 0x0F0F0F0F0F0F0F0F\n\nL$k_ipt:\n.quad\t0xC2B2E8985A2A7000, 0xCABAE09052227808\n.quad\t0x4C01307D317C4D00, 0xCD80B1FCB0FDCC81\n\nL$k_sb1:\n.quad\t0xB19BE18FCB503E00, 0xA5DF7A6E142AF544\n.quad\t0x3618D415FAE22300, 0x3BF7CCC10D2ED9EF\nL$k_sb2:\n.quad\t0xE27A93C60B712400, 0x5EB7E955BC982FCD\n.quad\t0x69EB88400AE12900, 0xC2A163C8AB82234A\nL$k_sbo:\n.quad\t0xD0D26D176FBDC700, 0x15AABF7AC502A878\n.quad\t0xCFE474A55FBB6A00, 0x8E1E90D1412B35FA\n\nL$k_mc_forward:\n.quad\t0x0407060500030201, 0x0C0F0E0D080B0A09\n.quad\t0x080B0A0904070605, 0x000302010C0F0E0D\n.quad\t0x0C0F0E0D080B0A09, 0x0407060500030201\n.quad\t0x000302010C0F0E0D, 0x080B0A0904070605\n\nL$k_mc_backward:\n.quad\t0x0605040702010003, 0x0E0D0C0F0A09080B\n.quad\t0x020100030E0D0C0F, 0x0A09080B06050407\n.quad\t0x0E0D0C0F0A09080B, 0x0605040702010003\n.quad\t0x0A09080B06050407, 0x020100030E0D0C0F\n\nL$k_sr:\n.quad\t0x0706050403020100, 0x0F0E0D0C0B0A0908\n.quad\t0x030E09040F0A0500, 0x0B06010C07020D08\n.quad\t0x0F060D040B020900, 0x070E050C030A0108\n.quad\t0x0B0E0104070A0D00, 0x0306090C0F020508\n\nL$k_rcon:\n.quad\t0x1F8391B9AF9DEEB6, 0x702A98084D7C7D81\n\nL$k_s63:\n.quad\t0x5B5B5B5B5B5B5B5B, 0x5B5B5B5B5B5B5B5B\n\nL$k_opt:\n.quad\t0xFF9F4929D6B66000, 0xF7974121DEBE6808\n.quad\t0x01EDBD5150BCEC00, 0xE10D5DB1B05C0CE0\n\nL$k_deskew:\n.quad\t0x07E4A34047A4E300, 0x1DFEB95A5DBEF91A\n.quad\t0x5F36B5DC83EA6900, 0x2841C2ABF49D1E77\n\n\n\n\n\nL$k_dksd:\n.quad\t0xFEB91A5DA3E44700, 0x0740E3A45A1DBEF9\n.quad\t0x41C277F4B5368300, 0x5FDC69EAAB289D1E\nL$k_dksb:\n.quad\t0x9A4FCA1F8550D500, 0x03D653861CC94C99\n.quad\t0x115BEDA7B6FC4A00, 0xD993256F7E3482C8\nL$k_dkse:\n.quad\t0xD5031CCA1FC9D600, 0x53859A4C994F5086\n.quad\t0xA23196054FDC7BE8, 0xCD5EF96A20B31487\nL$k_dks9:\n.quad\t0xB6116FC87ED9A700, 0x4AED933482255BFC\n.quad\t0x4576516227143300, 0x8BB89FACE9DAFDCE\n\n\n\n\n\nL$k_dipt:\n.quad\t0x0F505B040B545F00, 0x154A411E114E451A\n.quad\t0x86E383E660056500, 0x12771772F491F194\n\nL$k_dsb9:\n.quad\t0x851C03539A86D600, 0xCAD51F504F994CC9\n.quad\t0xC03B1789ECD74900, 0x725E2C9EB2FBA565\nL$k_dsbd:\n.quad\t0x7D57CCDFE6B1A200, 0xF56E9B13882A4439\n.quad\t0x3CE2FAF724C6CB00, 0x2931180D15DEEFD3\nL$k_dsbb:\n.quad\t0xD022649296B44200, 0x602646F6B0F2D404\n.quad\t0xC19498A6CD596700, 0xF3FF0C3E3255AA6B\nL$k_dsbe:\n.quad\t0x46F2929626D4D000, 0x2242600464B4F6B0\n.quad\t0x0C55A6CDFFAAC100, 0x9467F36B98593E32\nL$k_dsbo:\n.quad\t0x1387EA537EF94000, 0xC7AA6DB9D4943E2D\n.quad\t0x12D7560F93441D00, 0xCA4B8159D8C58E9C\n\n\nL$rev_ctr:\n.quad\t0x0706050403020100, 0x0c0d0e0f0b0a0908\n\n\nL$ctr_add_one:\n.quad\t0x0000000000000000, 0x0000000100000000\nL$ctr_add_two:\n.quad\t0x0000000000000000, 0x0000000200000000\n\n.byte\t86,101,99,116,111,114,32,80,101,114,109,117,116,97,116,105,111,110,32,65,69,83,32,102,111,114,32,120,56,54,95,54,52,47,83,83,83,69,51,44,32,77,105,107,101,32,72,97,109,98,117,114,103,32,40,83,116,97,110,102,111,114,100,32,85,110,105,118,101,114,115,105,116,121,41,0\n.p2align\t6\n\n.text\t\n#endif\n#if defined(__linux__) && defined(__ELF__)\n.section .note.GNU-stack,\"\",%progbits\n#endif\n\n" }, { "path": "Sources/CNIOBoringSSL/gen/bcm/vpaes-x86_64-linux.S", "content": "#define BORINGSSL_PREFIX CNIOBoringSSL\n// This file is generated from a similarly-named Perl script in the BoringSSL\n// source tree. Do not edit by hand.\n\n#include \n\n#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86_64) && defined(__ELF__)\n.text\t\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n.type\t_vpaes_encrypt_core,@function\n.align\t16\n_vpaes_encrypt_core:\n.cfi_startproc\t\n\tmovq\t%rdx,%r9\n\tmovq\t$16,%r11\n\tmovl\t240(%rdx),%eax\n\tmovdqa\t%xmm9,%xmm1\n\tmovdqa\t.Lk_ipt(%rip),%xmm2\n\tpandn\t%xmm0,%xmm1\n\tmovdqu\t(%r9),%xmm5\n\tpsrld\t$4,%xmm1\n\tpand\t%xmm9,%xmm0\n.byte\t102,15,56,0,208\n\tmovdqa\t.Lk_ipt+16(%rip),%xmm0\n.byte\t102,15,56,0,193\n\tpxor\t%xmm5,%xmm2\n\taddq\t$16,%r9\n\tpxor\t%xmm2,%xmm0\n\tleaq\t.Lk_mc_backward(%rip),%r10\n\tjmp\t.Lenc_entry\n\n.align\t16\n.Lenc_loop:\n\n\tmovdqa\t%xmm13,%xmm4\n\tmovdqa\t%xmm12,%xmm0\n.byte\t102,15,56,0,226\n.byte\t102,15,56,0,195\n\tpxor\t%xmm5,%xmm4\n\tmovdqa\t%xmm15,%xmm5\n\tpxor\t%xmm4,%xmm0\n\tmovdqa\t-64(%r11,%r10,1),%xmm1\n.byte\t102,15,56,0,234\n\tmovdqa\t(%r11,%r10,1),%xmm4\n\tmovdqa\t%xmm14,%xmm2\n.byte\t102,15,56,0,211\n\tmovdqa\t%xmm0,%xmm3\n\tpxor\t%xmm5,%xmm2\n.byte\t102,15,56,0,193\n\taddq\t$16,%r9\n\tpxor\t%xmm2,%xmm0\n.byte\t102,15,56,0,220\n\taddq\t$16,%r11\n\tpxor\t%xmm0,%xmm3\n.byte\t102,15,56,0,193\n\tandq\t$0x30,%r11\n\tsubq\t$1,%rax\n\tpxor\t%xmm3,%xmm0\n\n.Lenc_entry:\n\n\tmovdqa\t%xmm9,%xmm1\n\tmovdqa\t%xmm11,%xmm5\n\tpandn\t%xmm0,%xmm1\n\tpsrld\t$4,%xmm1\n\tpand\t%xmm9,%xmm0\n.byte\t102,15,56,0,232\n\tmovdqa\t%xmm10,%xmm3\n\tpxor\t%xmm1,%xmm0\n.byte\t102,15,56,0,217\n\tmovdqa\t%xmm10,%xmm4\n\tpxor\t%xmm5,%xmm3\n.byte\t102,15,56,0,224\n\tmovdqa\t%xmm10,%xmm2\n\tpxor\t%xmm5,%xmm4\n.byte\t102,15,56,0,211\n\tmovdqa\t%xmm10,%xmm3\n\tpxor\t%xmm0,%xmm2\n.byte\t102,15,56,0,220\n\tmovdqu\t(%r9),%xmm5\n\tpxor\t%xmm1,%xmm3\n\tjnz\t.Lenc_loop\n\n\n\tmovdqa\t-96(%r10),%xmm4\n\tmovdqa\t-80(%r10),%xmm0\n.byte\t102,15,56,0,226\n\tpxor\t%xmm5,%xmm4\n.byte\t102,15,56,0,195\n\tmovdqa\t64(%r11,%r10,1),%xmm1\n\tpxor\t%xmm4,%xmm0\n.byte\t102,15,56,0,193\n\tret\n.cfi_endproc\t\n.size\t_vpaes_encrypt_core,.-_vpaes_encrypt_core\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n.type\t_vpaes_encrypt_core_2x,@function\n.align\t16\n_vpaes_encrypt_core_2x:\n.cfi_startproc\t\n\tmovq\t%rdx,%r9\n\tmovq\t$16,%r11\n\tmovl\t240(%rdx),%eax\n\tmovdqa\t%xmm9,%xmm1\n\tmovdqa\t%xmm9,%xmm7\n\tmovdqa\t.Lk_ipt(%rip),%xmm2\n\tmovdqa\t%xmm2,%xmm8\n\tpandn\t%xmm0,%xmm1\n\tpandn\t%xmm6,%xmm7\n\tmovdqu\t(%r9),%xmm5\n\n\tpsrld\t$4,%xmm1\n\tpsrld\t$4,%xmm7\n\tpand\t%xmm9,%xmm0\n\tpand\t%xmm9,%xmm6\n.byte\t102,15,56,0,208\n.byte\t102,68,15,56,0,198\n\tmovdqa\t.Lk_ipt+16(%rip),%xmm0\n\tmovdqa\t%xmm0,%xmm6\n.byte\t102,15,56,0,193\n.byte\t102,15,56,0,247\n\tpxor\t%xmm5,%xmm2\n\tpxor\t%xmm5,%xmm8\n\taddq\t$16,%r9\n\tpxor\t%xmm2,%xmm0\n\tpxor\t%xmm8,%xmm6\n\tleaq\t.Lk_mc_backward(%rip),%r10\n\tjmp\t.Lenc2x_entry\n\n.align\t16\n.Lenc2x_loop:\n\n\tmovdqa\t.Lk_sb1(%rip),%xmm4\n\tmovdqa\t.Lk_sb1+16(%rip),%xmm0\n\tmovdqa\t%xmm4,%xmm12\n\tmovdqa\t%xmm0,%xmm6\n.byte\t102,15,56,0,226\n.byte\t102,69,15,56,0,224\n.byte\t102,15,56,0,195\n.byte\t102,65,15,56,0,243\n\tpxor\t%xmm5,%xmm4\n\tpxor\t%xmm5,%xmm12\n\tmovdqa\t.Lk_sb2(%rip),%xmm5\n\tmovdqa\t%xmm5,%xmm13\n\tpxor\t%xmm4,%xmm0\n\tpxor\t%xmm12,%xmm6\n\tmovdqa\t-64(%r11,%r10,1),%xmm1\n\n.byte\t102,15,56,0,234\n.byte\t102,69,15,56,0,232\n\tmovdqa\t(%r11,%r10,1),%xmm4\n\n\tmovdqa\t.Lk_sb2+16(%rip),%xmm2\n\tmovdqa\t%xmm2,%xmm8\n.byte\t102,15,56,0,211\n.byte\t102,69,15,56,0,195\n\tmovdqa\t%xmm0,%xmm3\n\tmovdqa\t%xmm6,%xmm11\n\tpxor\t%xmm5,%xmm2\n\tpxor\t%xmm13,%xmm8\n.byte\t102,15,56,0,193\n.byte\t102,15,56,0,241\n\taddq\t$16,%r9\n\tpxor\t%xmm2,%xmm0\n\tpxor\t%xmm8,%xmm6\n.byte\t102,15,56,0,220\n.byte\t102,68,15,56,0,220\n\taddq\t$16,%r11\n\tpxor\t%xmm0,%xmm3\n\tpxor\t%xmm6,%xmm11\n.byte\t102,15,56,0,193\n.byte\t102,15,56,0,241\n\tandq\t$0x30,%r11\n\tsubq\t$1,%rax\n\tpxor\t%xmm3,%xmm0\n\tpxor\t%xmm11,%xmm6\n\n.Lenc2x_entry:\n\n\tmovdqa\t%xmm9,%xmm1\n\tmovdqa\t%xmm9,%xmm7\n\tmovdqa\t.Lk_inv+16(%rip),%xmm5\n\tmovdqa\t%xmm5,%xmm13\n\tpandn\t%xmm0,%xmm1\n\tpandn\t%xmm6,%xmm7\n\tpsrld\t$4,%xmm1\n\tpsrld\t$4,%xmm7\n\tpand\t%xmm9,%xmm0\n\tpand\t%xmm9,%xmm6\n.byte\t102,15,56,0,232\n.byte\t102,68,15,56,0,238\n\tmovdqa\t%xmm10,%xmm3\n\tmovdqa\t%xmm10,%xmm11\n\tpxor\t%xmm1,%xmm0\n\tpxor\t%xmm7,%xmm6\n.byte\t102,15,56,0,217\n.byte\t102,68,15,56,0,223\n\tmovdqa\t%xmm10,%xmm4\n\tmovdqa\t%xmm10,%xmm12\n\tpxor\t%xmm5,%xmm3\n\tpxor\t%xmm13,%xmm11\n.byte\t102,15,56,0,224\n.byte\t102,68,15,56,0,230\n\tmovdqa\t%xmm10,%xmm2\n\tmovdqa\t%xmm10,%xmm8\n\tpxor\t%xmm5,%xmm4\n\tpxor\t%xmm13,%xmm12\n.byte\t102,15,56,0,211\n.byte\t102,69,15,56,0,195\n\tmovdqa\t%xmm10,%xmm3\n\tmovdqa\t%xmm10,%xmm11\n\tpxor\t%xmm0,%xmm2\n\tpxor\t%xmm6,%xmm8\n.byte\t102,15,56,0,220\n.byte\t102,69,15,56,0,220\n\tmovdqu\t(%r9),%xmm5\n\n\tpxor\t%xmm1,%xmm3\n\tpxor\t%xmm7,%xmm11\n\tjnz\t.Lenc2x_loop\n\n\n\tmovdqa\t-96(%r10),%xmm4\n\tmovdqa\t-80(%r10),%xmm0\n\tmovdqa\t%xmm4,%xmm12\n\tmovdqa\t%xmm0,%xmm6\n.byte\t102,15,56,0,226\n.byte\t102,69,15,56,0,224\n\tpxor\t%xmm5,%xmm4\n\tpxor\t%xmm5,%xmm12\n.byte\t102,15,56,0,195\n.byte\t102,65,15,56,0,243\n\tmovdqa\t64(%r11,%r10,1),%xmm1\n\n\tpxor\t%xmm4,%xmm0\n\tpxor\t%xmm12,%xmm6\n.byte\t102,15,56,0,193\n.byte\t102,15,56,0,241\n\tret\n.cfi_endproc\t\n.size\t_vpaes_encrypt_core_2x,.-_vpaes_encrypt_core_2x\n\n\n\n\n\n\n.type\t_vpaes_decrypt_core,@function\n.align\t16\n_vpaes_decrypt_core:\n.cfi_startproc\t\n\tmovq\t%rdx,%r9\n\tmovl\t240(%rdx),%eax\n\tmovdqa\t%xmm9,%xmm1\n\tmovdqa\t.Lk_dipt(%rip),%xmm2\n\tpandn\t%xmm0,%xmm1\n\tmovq\t%rax,%r11\n\tpsrld\t$4,%xmm1\n\tmovdqu\t(%r9),%xmm5\n\tshlq\t$4,%r11\n\tpand\t%xmm9,%xmm0\n.byte\t102,15,56,0,208\n\tmovdqa\t.Lk_dipt+16(%rip),%xmm0\n\txorq\t$0x30,%r11\n\tleaq\t.Lk_dsbd(%rip),%r10\n.byte\t102,15,56,0,193\n\tandq\t$0x30,%r11\n\tpxor\t%xmm5,%xmm2\n\tmovdqa\t.Lk_mc_forward+48(%rip),%xmm5\n\tpxor\t%xmm2,%xmm0\n\taddq\t$16,%r9\n\taddq\t%r10,%r11\n\tjmp\t.Ldec_entry\n\n.align\t16\n.Ldec_loop:\n\n\n\n\tmovdqa\t-32(%r10),%xmm4\n\tmovdqa\t-16(%r10),%xmm1\n.byte\t102,15,56,0,226\n.byte\t102,15,56,0,203\n\tpxor\t%xmm4,%xmm0\n\tmovdqa\t0(%r10),%xmm4\n\tpxor\t%xmm1,%xmm0\n\tmovdqa\t16(%r10),%xmm1\n\n.byte\t102,15,56,0,226\n.byte\t102,15,56,0,197\n.byte\t102,15,56,0,203\n\tpxor\t%xmm4,%xmm0\n\tmovdqa\t32(%r10),%xmm4\n\tpxor\t%xmm1,%xmm0\n\tmovdqa\t48(%r10),%xmm1\n\n.byte\t102,15,56,0,226\n.byte\t102,15,56,0,197\n.byte\t102,15,56,0,203\n\tpxor\t%xmm4,%xmm0\n\tmovdqa\t64(%r10),%xmm4\n\tpxor\t%xmm1,%xmm0\n\tmovdqa\t80(%r10),%xmm1\n\n.byte\t102,15,56,0,226\n.byte\t102,15,56,0,197\n.byte\t102,15,56,0,203\n\tpxor\t%xmm4,%xmm0\n\taddq\t$16,%r9\n.byte\t102,15,58,15,237,12\n\tpxor\t%xmm1,%xmm0\n\tsubq\t$1,%rax\n\n.Ldec_entry:\n\n\tmovdqa\t%xmm9,%xmm1\n\tpandn\t%xmm0,%xmm1\n\tmovdqa\t%xmm11,%xmm2\n\tpsrld\t$4,%xmm1\n\tpand\t%xmm9,%xmm0\n.byte\t102,15,56,0,208\n\tmovdqa\t%xmm10,%xmm3\n\tpxor\t%xmm1,%xmm0\n.byte\t102,15,56,0,217\n\tmovdqa\t%xmm10,%xmm4\n\tpxor\t%xmm2,%xmm3\n.byte\t102,15,56,0,224\n\tpxor\t%xmm2,%xmm4\n\tmovdqa\t%xmm10,%xmm2\n.byte\t102,15,56,0,211\n\tmovdqa\t%xmm10,%xmm3\n\tpxor\t%xmm0,%xmm2\n.byte\t102,15,56,0,220\n\tmovdqu\t(%r9),%xmm0\n\tpxor\t%xmm1,%xmm3\n\tjnz\t.Ldec_loop\n\n\n\tmovdqa\t96(%r10),%xmm4\n.byte\t102,15,56,0,226\n\tpxor\t%xmm0,%xmm4\n\tmovdqa\t112(%r10),%xmm0\n\tmovdqa\t-352(%r11),%xmm2\n.byte\t102,15,56,0,195\n\tpxor\t%xmm4,%xmm0\n.byte\t102,15,56,0,194\n\tret\n.cfi_endproc\t\n.size\t_vpaes_decrypt_core,.-_vpaes_decrypt_core\n\n\n\n\n\n\n.type\t_vpaes_schedule_core,@function\n.align\t16\n_vpaes_schedule_core:\n.cfi_startproc\t\n\n\n\n\n\n\tcall\t_vpaes_preheat\n\tmovdqa\t.Lk_rcon(%rip),%xmm8\n\tmovdqu\t(%rdi),%xmm0\n\n\n\tmovdqa\t%xmm0,%xmm3\n\tleaq\t.Lk_ipt(%rip),%r11\n\tcall\t_vpaes_schedule_transform\n\tmovdqa\t%xmm0,%xmm7\n\n\tleaq\t.Lk_sr(%rip),%r10\n\ttestq\t%rcx,%rcx\n\tjnz\t.Lschedule_am_decrypting\n\n\n\tmovdqu\t%xmm0,(%rdx)\n\tjmp\t.Lschedule_go\n\n.Lschedule_am_decrypting:\n\n\tmovdqa\t(%r8,%r10,1),%xmm1\n.byte\t102,15,56,0,217\n\tmovdqu\t%xmm3,(%rdx)\n\txorq\t$0x30,%r8\n\n.Lschedule_go:\n\tcmpl\t$192,%esi\n\tja\t.Lschedule_256\n\tje\t.Lschedule_192\n\n\n\n\n\n\n\n\n\n\n.Lschedule_128:\n\tmovl\t$10,%esi\n\n.Loop_schedule_128:\n\tcall\t_vpaes_schedule_round\n\tdecq\t%rsi\n\tjz\t.Lschedule_mangle_last\n\tcall\t_vpaes_schedule_mangle\n\tjmp\t.Loop_schedule_128\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n.align\t16\n.Lschedule_192:\n\tmovdqu\t8(%rdi),%xmm0\n\tcall\t_vpaes_schedule_transform\n\tmovdqa\t%xmm0,%xmm6\n\tpxor\t%xmm4,%xmm4\n\tmovhlps\t%xmm4,%xmm6\n\tmovl\t$4,%esi\n\n.Loop_schedule_192:\n\tcall\t_vpaes_schedule_round\n.byte\t102,15,58,15,198,8\n\tcall\t_vpaes_schedule_mangle\n\tcall\t_vpaes_schedule_192_smear\n\tcall\t_vpaes_schedule_mangle\n\tcall\t_vpaes_schedule_round\n\tdecq\t%rsi\n\tjz\t.Lschedule_mangle_last\n\tcall\t_vpaes_schedule_mangle\n\tcall\t_vpaes_schedule_192_smear\n\tjmp\t.Loop_schedule_192\n\n\n\n\n\n\n\n\n\n\n\n.align\t16\n.Lschedule_256:\n\tmovdqu\t16(%rdi),%xmm0\n\tcall\t_vpaes_schedule_transform\n\tmovl\t$7,%esi\n\n.Loop_schedule_256:\n\tcall\t_vpaes_schedule_mangle\n\tmovdqa\t%xmm0,%xmm6\n\n\n\tcall\t_vpaes_schedule_round\n\tdecq\t%rsi\n\tjz\t.Lschedule_mangle_last\n\tcall\t_vpaes_schedule_mangle\n\n\n\tpshufd\t$0xFF,%xmm0,%xmm0\n\tmovdqa\t%xmm7,%xmm5\n\tmovdqa\t%xmm6,%xmm7\n\tcall\t_vpaes_schedule_low_round\n\tmovdqa\t%xmm5,%xmm7\n\n\tjmp\t.Loop_schedule_256\n\n\n\n\n\n\n\n\n\n\n\n\n.align\t16\n.Lschedule_mangle_last:\n\n\tleaq\t.Lk_deskew(%rip),%r11\n\ttestq\t%rcx,%rcx\n\tjnz\t.Lschedule_mangle_last_dec\n\n\n\tmovdqa\t(%r8,%r10,1),%xmm1\n.byte\t102,15,56,0,193\n\tleaq\t.Lk_opt(%rip),%r11\n\taddq\t$32,%rdx\n\n.Lschedule_mangle_last_dec:\n\taddq\t$-16,%rdx\n\tpxor\t.Lk_s63(%rip),%xmm0\n\tcall\t_vpaes_schedule_transform\n\tmovdqu\t%xmm0,(%rdx)\n\n\n\tpxor\t%xmm0,%xmm0\n\tpxor\t%xmm1,%xmm1\n\tpxor\t%xmm2,%xmm2\n\tpxor\t%xmm3,%xmm3\n\tpxor\t%xmm4,%xmm4\n\tpxor\t%xmm5,%xmm5\n\tpxor\t%xmm6,%xmm6\n\tpxor\t%xmm7,%xmm7\n\tret\n.cfi_endproc\t\n.size\t_vpaes_schedule_core,.-_vpaes_schedule_core\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n.type\t_vpaes_schedule_192_smear,@function\n.align\t16\n_vpaes_schedule_192_smear:\n.cfi_startproc\t\n\tpshufd\t$0x80,%xmm6,%xmm1\n\tpshufd\t$0xFE,%xmm7,%xmm0\n\tpxor\t%xmm1,%xmm6\n\tpxor\t%xmm1,%xmm1\n\tpxor\t%xmm0,%xmm6\n\tmovdqa\t%xmm6,%xmm0\n\tmovhlps\t%xmm1,%xmm6\n\tret\n.cfi_endproc\t\n.size\t_vpaes_schedule_192_smear,.-_vpaes_schedule_192_smear\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n.type\t_vpaes_schedule_round,@function\n.align\t16\n_vpaes_schedule_round:\n.cfi_startproc\t\n\n\tpxor\t%xmm1,%xmm1\n.byte\t102,65,15,58,15,200,15\n.byte\t102,69,15,58,15,192,15\n\tpxor\t%xmm1,%xmm7\n\n\n\tpshufd\t$0xFF,%xmm0,%xmm0\n.byte\t102,15,58,15,192,1\n\n\n\n\n_vpaes_schedule_low_round:\n\n\tmovdqa\t%xmm7,%xmm1\n\tpslldq\t$4,%xmm7\n\tpxor\t%xmm1,%xmm7\n\tmovdqa\t%xmm7,%xmm1\n\tpslldq\t$8,%xmm7\n\tpxor\t%xmm1,%xmm7\n\tpxor\t.Lk_s63(%rip),%xmm7\n\n\n\tmovdqa\t%xmm9,%xmm1\n\tpandn\t%xmm0,%xmm1\n\tpsrld\t$4,%xmm1\n\tpand\t%xmm9,%xmm0\n\tmovdqa\t%xmm11,%xmm2\n.byte\t102,15,56,0,208\n\tpxor\t%xmm1,%xmm0\n\tmovdqa\t%xmm10,%xmm3\n.byte\t102,15,56,0,217\n\tpxor\t%xmm2,%xmm3\n\tmovdqa\t%xmm10,%xmm4\n.byte\t102,15,56,0,224\n\tpxor\t%xmm2,%xmm4\n\tmovdqa\t%xmm10,%xmm2\n.byte\t102,15,56,0,211\n\tpxor\t%xmm0,%xmm2\n\tmovdqa\t%xmm10,%xmm3\n.byte\t102,15,56,0,220\n\tpxor\t%xmm1,%xmm3\n\tmovdqa\t%xmm13,%xmm4\n.byte\t102,15,56,0,226\n\tmovdqa\t%xmm12,%xmm0\n.byte\t102,15,56,0,195\n\tpxor\t%xmm4,%xmm0\n\n\n\tpxor\t%xmm7,%xmm0\n\tmovdqa\t%xmm0,%xmm7\n\tret\n.cfi_endproc\t\n.size\t_vpaes_schedule_round,.-_vpaes_schedule_round\n\n\n\n\n\n\n\n\n\n\n.type\t_vpaes_schedule_transform,@function\n.align\t16\n_vpaes_schedule_transform:\n.cfi_startproc\t\n\tmovdqa\t%xmm9,%xmm1\n\tpandn\t%xmm0,%xmm1\n\tpsrld\t$4,%xmm1\n\tpand\t%xmm9,%xmm0\n\tmovdqa\t(%r11),%xmm2\n.byte\t102,15,56,0,208\n\tmovdqa\t16(%r11),%xmm0\n.byte\t102,15,56,0,193\n\tpxor\t%xmm2,%xmm0\n\tret\n.cfi_endproc\t\n.size\t_vpaes_schedule_transform,.-_vpaes_schedule_transform\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n.type\t_vpaes_schedule_mangle,@function\n.align\t16\n_vpaes_schedule_mangle:\n.cfi_startproc\t\n\tmovdqa\t%xmm0,%xmm4\n\tmovdqa\t.Lk_mc_forward(%rip),%xmm5\n\ttestq\t%rcx,%rcx\n\tjnz\t.Lschedule_mangle_dec\n\n\n\taddq\t$16,%rdx\n\tpxor\t.Lk_s63(%rip),%xmm4\n.byte\t102,15,56,0,229\n\tmovdqa\t%xmm4,%xmm3\n.byte\t102,15,56,0,229\n\tpxor\t%xmm4,%xmm3\n.byte\t102,15,56,0,229\n\tpxor\t%xmm4,%xmm3\n\n\tjmp\t.Lschedule_mangle_both\n.align\t16\n.Lschedule_mangle_dec:\n\n\tleaq\t.Lk_dksd(%rip),%r11\n\tmovdqa\t%xmm9,%xmm1\n\tpandn\t%xmm4,%xmm1\n\tpsrld\t$4,%xmm1\n\tpand\t%xmm9,%xmm4\n\n\tmovdqa\t0(%r11),%xmm2\n.byte\t102,15,56,0,212\n\tmovdqa\t16(%r11),%xmm3\n.byte\t102,15,56,0,217\n\tpxor\t%xmm2,%xmm3\n.byte\t102,15,56,0,221\n\n\tmovdqa\t32(%r11),%xmm2\n.byte\t102,15,56,0,212\n\tpxor\t%xmm3,%xmm2\n\tmovdqa\t48(%r11),%xmm3\n.byte\t102,15,56,0,217\n\tpxor\t%xmm2,%xmm3\n.byte\t102,15,56,0,221\n\n\tmovdqa\t64(%r11),%xmm2\n.byte\t102,15,56,0,212\n\tpxor\t%xmm3,%xmm2\n\tmovdqa\t80(%r11),%xmm3\n.byte\t102,15,56,0,217\n\tpxor\t%xmm2,%xmm3\n.byte\t102,15,56,0,221\n\n\tmovdqa\t96(%r11),%xmm2\n.byte\t102,15,56,0,212\n\tpxor\t%xmm3,%xmm2\n\tmovdqa\t112(%r11),%xmm3\n.byte\t102,15,56,0,217\n\tpxor\t%xmm2,%xmm3\n\n\taddq\t$-16,%rdx\n\n.Lschedule_mangle_both:\n\tmovdqa\t(%r8,%r10,1),%xmm1\n.byte\t102,15,56,0,217\n\taddq\t$-16,%r8\n\tandq\t$0x30,%r8\n\tmovdqu\t%xmm3,(%rdx)\n\tret\n.cfi_endproc\t\n.size\t_vpaes_schedule_mangle,.-_vpaes_schedule_mangle\n\n\n\n\n.globl\tvpaes_set_encrypt_key\n.hidden vpaes_set_encrypt_key\n.type\tvpaes_set_encrypt_key,@function\n.align\t16\nvpaes_set_encrypt_key:\n.cfi_startproc\t\n_CET_ENDBR\n#ifdef BORINGSSL_DISPATCH_TEST\n.extern\tBORINGSSL_function_hit\n.hidden BORINGSSL_function_hit\n\tmovb\t$1,BORINGSSL_function_hit+5(%rip)\n#endif\n\n\tmovl\t%esi,%eax\n\tshrl\t$5,%eax\n\taddl\t$5,%eax\n\tmovl\t%eax,240(%rdx)\n\n\tmovl\t$0,%ecx\n\tmovl\t$0x30,%r8d\n\tcall\t_vpaes_schedule_core\n\txorl\t%eax,%eax\n\tret\n.cfi_endproc\t\n.size\tvpaes_set_encrypt_key,.-vpaes_set_encrypt_key\n\n.globl\tvpaes_set_decrypt_key\n.hidden vpaes_set_decrypt_key\n.type\tvpaes_set_decrypt_key,@function\n.align\t16\nvpaes_set_decrypt_key:\n.cfi_startproc\t\n_CET_ENDBR\n\tmovl\t%esi,%eax\n\tshrl\t$5,%eax\n\taddl\t$5,%eax\n\tmovl\t%eax,240(%rdx)\n\tshll\t$4,%eax\n\tleaq\t16(%rdx,%rax,1),%rdx\n\n\tmovl\t$1,%ecx\n\tmovl\t%esi,%r8d\n\tshrl\t$1,%r8d\n\tandl\t$32,%r8d\n\txorl\t$32,%r8d\n\tcall\t_vpaes_schedule_core\n\txorl\t%eax,%eax\n\tret\n.cfi_endproc\t\n.size\tvpaes_set_decrypt_key,.-vpaes_set_decrypt_key\n\n.globl\tvpaes_encrypt\n.hidden vpaes_encrypt\n.type\tvpaes_encrypt,@function\n.align\t16\nvpaes_encrypt:\n.cfi_startproc\t\n_CET_ENDBR\n#ifdef BORINGSSL_DISPATCH_TEST\n.extern\tBORINGSSL_function_hit\n.hidden BORINGSSL_function_hit\n\tmovb\t$1,BORINGSSL_function_hit+4(%rip)\n#endif\n\tmovdqu\t(%rdi),%xmm0\n\tcall\t_vpaes_preheat\n\tcall\t_vpaes_encrypt_core\n\tmovdqu\t%xmm0,(%rsi)\n\tret\n.cfi_endproc\t\n.size\tvpaes_encrypt,.-vpaes_encrypt\n\n.globl\tvpaes_decrypt\n.hidden vpaes_decrypt\n.type\tvpaes_decrypt,@function\n.align\t16\nvpaes_decrypt:\n.cfi_startproc\t\n_CET_ENDBR\n\tmovdqu\t(%rdi),%xmm0\n\tcall\t_vpaes_preheat\n\tcall\t_vpaes_decrypt_core\n\tmovdqu\t%xmm0,(%rsi)\n\tret\n.cfi_endproc\t\n.size\tvpaes_decrypt,.-vpaes_decrypt\n.globl\tvpaes_cbc_encrypt\n.hidden vpaes_cbc_encrypt\n.type\tvpaes_cbc_encrypt,@function\n.align\t16\nvpaes_cbc_encrypt:\n.cfi_startproc\t\n_CET_ENDBR\n\txchgq\t%rcx,%rdx\n\tsubq\t$16,%rcx\n\tjc\t.Lcbc_abort\n\tmovdqu\t(%r8),%xmm6\n\tsubq\t%rdi,%rsi\n\tcall\t_vpaes_preheat\n\tcmpl\t$0,%r9d\n\tje\t.Lcbc_dec_loop\n\tjmp\t.Lcbc_enc_loop\n.align\t16\n.Lcbc_enc_loop:\n\tmovdqu\t(%rdi),%xmm0\n\tpxor\t%xmm6,%xmm0\n\tcall\t_vpaes_encrypt_core\n\tmovdqa\t%xmm0,%xmm6\n\tmovdqu\t%xmm0,(%rsi,%rdi,1)\n\tleaq\t16(%rdi),%rdi\n\tsubq\t$16,%rcx\n\tjnc\t.Lcbc_enc_loop\n\tjmp\t.Lcbc_done\n.align\t16\n.Lcbc_dec_loop:\n\tmovdqu\t(%rdi),%xmm0\n\tmovdqa\t%xmm0,%xmm7\n\tcall\t_vpaes_decrypt_core\n\tpxor\t%xmm6,%xmm0\n\tmovdqa\t%xmm7,%xmm6\n\tmovdqu\t%xmm0,(%rsi,%rdi,1)\n\tleaq\t16(%rdi),%rdi\n\tsubq\t$16,%rcx\n\tjnc\t.Lcbc_dec_loop\n.Lcbc_done:\n\tmovdqu\t%xmm6,(%r8)\n.Lcbc_abort:\n\tret\n.cfi_endproc\t\n.size\tvpaes_cbc_encrypt,.-vpaes_cbc_encrypt\n.globl\tvpaes_ctr32_encrypt_blocks\n.hidden vpaes_ctr32_encrypt_blocks\n.type\tvpaes_ctr32_encrypt_blocks,@function\n.align\t16\nvpaes_ctr32_encrypt_blocks:\n.cfi_startproc\t\n_CET_ENDBR\n\n\txchgq\t%rcx,%rdx\n\ttestq\t%rcx,%rcx\n\tjz\t.Lctr32_abort\n\tmovdqu\t(%r8),%xmm0\n\tmovdqa\t.Lctr_add_one(%rip),%xmm8\n\tsubq\t%rdi,%rsi\n\tcall\t_vpaes_preheat\n\tmovdqa\t%xmm0,%xmm6\n\tpshufb\t.Lrev_ctr(%rip),%xmm6\n\n\ttestq\t$1,%rcx\n\tjz\t.Lctr32_prep_loop\n\n\n\n\tmovdqu\t(%rdi),%xmm7\n\tcall\t_vpaes_encrypt_core\n\tpxor\t%xmm7,%xmm0\n\tpaddd\t%xmm8,%xmm6\n\tmovdqu\t%xmm0,(%rsi,%rdi,1)\n\tsubq\t$1,%rcx\n\tleaq\t16(%rdi),%rdi\n\tjz\t.Lctr32_done\n\n.Lctr32_prep_loop:\n\n\n\tmovdqa\t%xmm6,%xmm14\n\tmovdqa\t%xmm6,%xmm15\n\tpaddd\t%xmm8,%xmm15\n\n.Lctr32_loop:\n\tmovdqa\t.Lrev_ctr(%rip),%xmm1\n\tmovdqa\t%xmm14,%xmm0\n\tmovdqa\t%xmm15,%xmm6\n.byte\t102,15,56,0,193\n.byte\t102,15,56,0,241\n\tcall\t_vpaes_encrypt_core_2x\n\tmovdqu\t(%rdi),%xmm1\n\tmovdqu\t16(%rdi),%xmm2\n\tmovdqa\t.Lctr_add_two(%rip),%xmm3\n\tpxor\t%xmm1,%xmm0\n\tpxor\t%xmm2,%xmm6\n\tpaddd\t%xmm3,%xmm14\n\tpaddd\t%xmm3,%xmm15\n\tmovdqu\t%xmm0,(%rsi,%rdi,1)\n\tmovdqu\t%xmm6,16(%rsi,%rdi,1)\n\tsubq\t$2,%rcx\n\tleaq\t32(%rdi),%rdi\n\tjnz\t.Lctr32_loop\n\n.Lctr32_done:\n.Lctr32_abort:\n\tret\n.cfi_endproc\t\n.size\tvpaes_ctr32_encrypt_blocks,.-vpaes_ctr32_encrypt_blocks\n\n\n\n\n\n\n.type\t_vpaes_preheat,@function\n.align\t16\n_vpaes_preheat:\n.cfi_startproc\t\n\tleaq\t.Lk_s0F(%rip),%r10\n\tmovdqa\t-32(%r10),%xmm10\n\tmovdqa\t-16(%r10),%xmm11\n\tmovdqa\t0(%r10),%xmm9\n\tmovdqa\t48(%r10),%xmm13\n\tmovdqa\t64(%r10),%xmm12\n\tmovdqa\t80(%r10),%xmm15\n\tmovdqa\t96(%r10),%xmm14\n\tret\n.cfi_endproc\t\n.size\t_vpaes_preheat,.-_vpaes_preheat\n\n\n\n\n\n.type\t_vpaes_consts,@object\n.section\t.rodata\n.align\t64\n_vpaes_consts:\n.Lk_inv:\n.quad\t0x0E05060F0D080180, 0x040703090A0B0C02\n.quad\t0x01040A060F0B0780, 0x030D0E0C02050809\n\n.Lk_s0F:\n.quad\t0x0F0F0F0F0F0F0F0F, 0x0F0F0F0F0F0F0F0F\n\n.Lk_ipt:\n.quad\t0xC2B2E8985A2A7000, 0xCABAE09052227808\n.quad\t0x4C01307D317C4D00, 0xCD80B1FCB0FDCC81\n\n.Lk_sb1:\n.quad\t0xB19BE18FCB503E00, 0xA5DF7A6E142AF544\n.quad\t0x3618D415FAE22300, 0x3BF7CCC10D2ED9EF\n.Lk_sb2:\n.quad\t0xE27A93C60B712400, 0x5EB7E955BC982FCD\n.quad\t0x69EB88400AE12900, 0xC2A163C8AB82234A\n.Lk_sbo:\n.quad\t0xD0D26D176FBDC700, 0x15AABF7AC502A878\n.quad\t0xCFE474A55FBB6A00, 0x8E1E90D1412B35FA\n\n.Lk_mc_forward:\n.quad\t0x0407060500030201, 0x0C0F0E0D080B0A09\n.quad\t0x080B0A0904070605, 0x000302010C0F0E0D\n.quad\t0x0C0F0E0D080B0A09, 0x0407060500030201\n.quad\t0x000302010C0F0E0D, 0x080B0A0904070605\n\n.Lk_mc_backward:\n.quad\t0x0605040702010003, 0x0E0D0C0F0A09080B\n.quad\t0x020100030E0D0C0F, 0x0A09080B06050407\n.quad\t0x0E0D0C0F0A09080B, 0x0605040702010003\n.quad\t0x0A09080B06050407, 0x020100030E0D0C0F\n\n.Lk_sr:\n.quad\t0x0706050403020100, 0x0F0E0D0C0B0A0908\n.quad\t0x030E09040F0A0500, 0x0B06010C07020D08\n.quad\t0x0F060D040B020900, 0x070E050C030A0108\n.quad\t0x0B0E0104070A0D00, 0x0306090C0F020508\n\n.Lk_rcon:\n.quad\t0x1F8391B9AF9DEEB6, 0x702A98084D7C7D81\n\n.Lk_s63:\n.quad\t0x5B5B5B5B5B5B5B5B, 0x5B5B5B5B5B5B5B5B\n\n.Lk_opt:\n.quad\t0xFF9F4929D6B66000, 0xF7974121DEBE6808\n.quad\t0x01EDBD5150BCEC00, 0xE10D5DB1B05C0CE0\n\n.Lk_deskew:\n.quad\t0x07E4A34047A4E300, 0x1DFEB95A5DBEF91A\n.quad\t0x5F36B5DC83EA6900, 0x2841C2ABF49D1E77\n\n\n\n\n\n.Lk_dksd:\n.quad\t0xFEB91A5DA3E44700, 0x0740E3A45A1DBEF9\n.quad\t0x41C277F4B5368300, 0x5FDC69EAAB289D1E\n.Lk_dksb:\n.quad\t0x9A4FCA1F8550D500, 0x03D653861CC94C99\n.quad\t0x115BEDA7B6FC4A00, 0xD993256F7E3482C8\n.Lk_dkse:\n.quad\t0xD5031CCA1FC9D600, 0x53859A4C994F5086\n.quad\t0xA23196054FDC7BE8, 0xCD5EF96A20B31487\n.Lk_dks9:\n.quad\t0xB6116FC87ED9A700, 0x4AED933482255BFC\n.quad\t0x4576516227143300, 0x8BB89FACE9DAFDCE\n\n\n\n\n\n.Lk_dipt:\n.quad\t0x0F505B040B545F00, 0x154A411E114E451A\n.quad\t0x86E383E660056500, 0x12771772F491F194\n\n.Lk_dsb9:\n.quad\t0x851C03539A86D600, 0xCAD51F504F994CC9\n.quad\t0xC03B1789ECD74900, 0x725E2C9EB2FBA565\n.Lk_dsbd:\n.quad\t0x7D57CCDFE6B1A200, 0xF56E9B13882A4439\n.quad\t0x3CE2FAF724C6CB00, 0x2931180D15DEEFD3\n.Lk_dsbb:\n.quad\t0xD022649296B44200, 0x602646F6B0F2D404\n.quad\t0xC19498A6CD596700, 0xF3FF0C3E3255AA6B\n.Lk_dsbe:\n.quad\t0x46F2929626D4D000, 0x2242600464B4F6B0\n.quad\t0x0C55A6CDFFAAC100, 0x9467F36B98593E32\n.Lk_dsbo:\n.quad\t0x1387EA537EF94000, 0xC7AA6DB9D4943E2D\n.quad\t0x12D7560F93441D00, 0xCA4B8159D8C58E9C\n\n\n.Lrev_ctr:\n.quad\t0x0706050403020100, 0x0c0d0e0f0b0a0908\n\n\n.Lctr_add_one:\n.quad\t0x0000000000000000, 0x0000000100000000\n.Lctr_add_two:\n.quad\t0x0000000000000000, 0x0000000200000000\n\n.byte\t86,101,99,116,111,114,32,80,101,114,109,117,116,97,116,105,111,110,32,65,69,83,32,102,111,114,32,120,56,54,95,54,52,47,83,83,83,69,51,44,32,77,105,107,101,32,72,97,109,98,117,114,103,32,40,83,116,97,110,102,111,114,100,32,85,110,105,118,101,114,115,105,116,121,41,0\n.align\t64\n.size\t_vpaes_consts,.-_vpaes_consts\n.text\t\n#endif\n#if defined(__linux__) && defined(__ELF__)\n.section .note.GNU-stack,\"\",%progbits\n#endif\n\n" }, { "path": "Sources/CNIOBoringSSL/gen/bcm/x86-mont-apple.S", "content": "#define BORINGSSL_PREFIX CNIOBoringSSL\n// This file is generated from a similarly-named Perl script in the BoringSSL\n// source tree. Do not edit by hand.\n\n#include \n\n#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86) && defined(__APPLE__)\n.text\n.globl\t_bn_mul_mont\n.private_extern\t_bn_mul_mont\n.align\t4\n_bn_mul_mont:\nL_bn_mul_mont_begin:\n\tpushl\t%ebp\n\tpushl\t%ebx\n\tpushl\t%esi\n\tpushl\t%edi\n\txorl\t%eax,%eax\n\tmovl\t40(%esp),%edi\n\tcmpl\t$4,%edi\n\tjl\tL000just_leave\n\tleal\t20(%esp),%esi\n\tleal\t24(%esp),%edx\n\taddl\t$2,%edi\n\tnegl\t%edi\n\tleal\t-32(%esp,%edi,4),%ebp\n\tnegl\t%edi\n\tmovl\t%ebp,%eax\n\tsubl\t%edx,%eax\n\tandl\t$2047,%eax\n\tsubl\t%eax,%ebp\n\txorl\t%ebp,%edx\n\tandl\t$2048,%edx\n\txorl\t$2048,%edx\n\tsubl\t%edx,%ebp\n\tandl\t$-64,%ebp\n\tmovl\t%esp,%eax\n\tsubl\t%ebp,%eax\n\tandl\t$-4096,%eax\n\tmovl\t%esp,%edx\n\tleal\t(%ebp,%eax,1),%esp\n\tmovl\t(%esp),%eax\n\tcmpl\t%ebp,%esp\n\tja\tL001page_walk\n\tjmp\tL002page_walk_done\n.align\t4,0x90\nL001page_walk:\n\tleal\t-4096(%esp),%esp\n\tmovl\t(%esp),%eax\n\tcmpl\t%ebp,%esp\n\tja\tL001page_walk\nL002page_walk_done:\n\tmovl\t(%esi),%eax\n\tmovl\t4(%esi),%ebx\n\tmovl\t8(%esi),%ecx\n\tmovl\t12(%esi),%ebp\n\tmovl\t16(%esi),%esi\n\tmovl\t(%esi),%esi\n\tmovl\t%eax,4(%esp)\n\tmovl\t%ebx,8(%esp)\n\tmovl\t%ecx,12(%esp)\n\tmovl\t%ebp,16(%esp)\n\tmovl\t%esi,20(%esp)\n\tleal\t-3(%edi),%ebx\n\tmovl\t%edx,24(%esp)\n\tmovl\t$-1,%eax\n\tmovd\t%eax,%mm7\n\tmovl\t8(%esp),%esi\n\tmovl\t12(%esp),%edi\n\tmovl\t16(%esp),%ebp\n\txorl\t%edx,%edx\n\txorl\t%ecx,%ecx\n\tmovd\t(%edi),%mm4\n\tmovd\t(%esi),%mm5\n\tmovd\t(%ebp),%mm3\n\tpmuludq\t%mm4,%mm5\n\tmovq\t%mm5,%mm2\n\tmovq\t%mm5,%mm0\n\tpand\t%mm7,%mm0\n\tpmuludq\t20(%esp),%mm5\n\tpmuludq\t%mm5,%mm3\n\tpaddq\t%mm0,%mm3\n\tmovd\t4(%ebp),%mm1\n\tmovd\t4(%esi),%mm0\n\tpsrlq\t$32,%mm2\n\tpsrlq\t$32,%mm3\n\tincl\t%ecx\n.align\t4,0x90\nL0031st:\n\tpmuludq\t%mm4,%mm0\n\tpmuludq\t%mm5,%mm1\n\tpaddq\t%mm0,%mm2\n\tpaddq\t%mm1,%mm3\n\tmovq\t%mm2,%mm0\n\tpand\t%mm7,%mm0\n\tmovd\t4(%ebp,%ecx,4),%mm1\n\tpaddq\t%mm0,%mm3\n\tmovd\t4(%esi,%ecx,4),%mm0\n\tpsrlq\t$32,%mm2\n\tmovd\t%mm3,28(%esp,%ecx,4)\n\tpsrlq\t$32,%mm3\n\tleal\t1(%ecx),%ecx\n\tcmpl\t%ebx,%ecx\n\tjl\tL0031st\n\tpmuludq\t%mm4,%mm0\n\tpmuludq\t%mm5,%mm1\n\tpaddq\t%mm0,%mm2\n\tpaddq\t%mm1,%mm3\n\tmovq\t%mm2,%mm0\n\tpand\t%mm7,%mm0\n\tpaddq\t%mm0,%mm3\n\tmovd\t%mm3,28(%esp,%ecx,4)\n\tpsrlq\t$32,%mm2\n\tpsrlq\t$32,%mm3\n\tpaddq\t%mm2,%mm3\n\tmovq\t%mm3,32(%esp,%ebx,4)\n\tincl\t%edx\nL004outer:\n\txorl\t%ecx,%ecx\n\tmovd\t(%edi,%edx,4),%mm4\n\tmovd\t(%esi),%mm5\n\tmovd\t32(%esp),%mm6\n\tmovd\t(%ebp),%mm3\n\tpmuludq\t%mm4,%mm5\n\tpaddq\t%mm6,%mm5\n\tmovq\t%mm5,%mm0\n\tmovq\t%mm5,%mm2\n\tpand\t%mm7,%mm0\n\tpmuludq\t20(%esp),%mm5\n\tpmuludq\t%mm5,%mm3\n\tpaddq\t%mm0,%mm3\n\tmovd\t36(%esp),%mm6\n\tmovd\t4(%ebp),%mm1\n\tmovd\t4(%esi),%mm0\n\tpsrlq\t$32,%mm2\n\tpsrlq\t$32,%mm3\n\tpaddq\t%mm6,%mm2\n\tincl\t%ecx\n\tdecl\t%ebx\nL005inner:\n\tpmuludq\t%mm4,%mm0\n\tpmuludq\t%mm5,%mm1\n\tpaddq\t%mm0,%mm2\n\tpaddq\t%mm1,%mm3\n\tmovq\t%mm2,%mm0\n\tmovd\t36(%esp,%ecx,4),%mm6\n\tpand\t%mm7,%mm0\n\tmovd\t4(%ebp,%ecx,4),%mm1\n\tpaddq\t%mm0,%mm3\n\tmovd\t4(%esi,%ecx,4),%mm0\n\tpsrlq\t$32,%mm2\n\tmovd\t%mm3,28(%esp,%ecx,4)\n\tpsrlq\t$32,%mm3\n\tpaddq\t%mm6,%mm2\n\tdecl\t%ebx\n\tleal\t1(%ecx),%ecx\n\tjnz\tL005inner\n\tmovl\t%ecx,%ebx\n\tpmuludq\t%mm4,%mm0\n\tpmuludq\t%mm5,%mm1\n\tpaddq\t%mm0,%mm2\n\tpaddq\t%mm1,%mm3\n\tmovq\t%mm2,%mm0\n\tpand\t%mm7,%mm0\n\tpaddq\t%mm0,%mm3\n\tmovd\t%mm3,28(%esp,%ecx,4)\n\tpsrlq\t$32,%mm2\n\tpsrlq\t$32,%mm3\n\tmovd\t36(%esp,%ebx,4),%mm6\n\tpaddq\t%mm2,%mm3\n\tpaddq\t%mm6,%mm3\n\tmovq\t%mm3,32(%esp,%ebx,4)\n\tleal\t1(%edx),%edx\n\tcmpl\t%ebx,%edx\n\tjle\tL004outer\n\temms\n\tjmp\tL006common_tail\n.align\t4,0x90\nL006common_tail:\n\tmovl\t16(%esp),%ebp\n\tmovl\t4(%esp),%edi\n\tleal\t32(%esp),%esi\n\tmovl\t(%esi),%eax\n\tmovl\t%ebx,%ecx\n\txorl\t%edx,%edx\n.align\t4,0x90\nL007sub:\n\tsbbl\t(%ebp,%edx,4),%eax\n\tmovl\t%eax,(%edi,%edx,4)\n\tdecl\t%ecx\n\tmovl\t4(%esi,%edx,4),%eax\n\tleal\t1(%edx),%edx\n\tjge\tL007sub\n\tsbbl\t$0,%eax\n\tmovl\t$-1,%edx\n\txorl\t%eax,%edx\n\tjmp\tL008copy\n.align\t4,0x90\nL008copy:\n\tmovl\t32(%esp,%ebx,4),%esi\n\tmovl\t(%edi,%ebx,4),%ebp\n\tmovl\t%ecx,32(%esp,%ebx,4)\n\tandl\t%eax,%esi\n\tandl\t%edx,%ebp\n\torl\t%esi,%ebp\n\tmovl\t%ebp,(%edi,%ebx,4)\n\tdecl\t%ebx\n\tjge\tL008copy\n\tmovl\t24(%esp),%esp\n\tmovl\t$1,%eax\nL000just_leave:\n\tpopl\t%edi\n\tpopl\t%esi\n\tpopl\t%ebx\n\tpopl\t%ebp\n\tret\n.byte\t77,111,110,116,103,111,109,101,114,121,32,77,117,108,116,105\n.byte\t112,108,105,99,97,116,105,111,110,32,102,111,114,32,120,56\n.byte\t54,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121\n.byte\t32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46\n.byte\t111,114,103,62,0\n#endif // !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86) && defined(__APPLE__)\n#if defined(__linux__) && defined(__ELF__)\n.section .note.GNU-stack,\"\",%progbits\n#endif\n\n" }, { "path": "Sources/CNIOBoringSSL/gen/bcm/x86-mont-linux.S", "content": "#define BORINGSSL_PREFIX CNIOBoringSSL\n// This file is generated from a similarly-named Perl script in the BoringSSL\n// source tree. Do not edit by hand.\n\n#include \n\n#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86) && defined(__ELF__)\n.text\n.globl\tbn_mul_mont\n.hidden\tbn_mul_mont\n.type\tbn_mul_mont,@function\n.align\t16\nbn_mul_mont:\n.L_bn_mul_mont_begin:\n\tpushl\t%ebp\n\tpushl\t%ebx\n\tpushl\t%esi\n\tpushl\t%edi\n\txorl\t%eax,%eax\n\tmovl\t40(%esp),%edi\n\tcmpl\t$4,%edi\n\tjl\t.L000just_leave\n\tleal\t20(%esp),%esi\n\tleal\t24(%esp),%edx\n\taddl\t$2,%edi\n\tnegl\t%edi\n\tleal\t-32(%esp,%edi,4),%ebp\n\tnegl\t%edi\n\tmovl\t%ebp,%eax\n\tsubl\t%edx,%eax\n\tandl\t$2047,%eax\n\tsubl\t%eax,%ebp\n\txorl\t%ebp,%edx\n\tandl\t$2048,%edx\n\txorl\t$2048,%edx\n\tsubl\t%edx,%ebp\n\tandl\t$-64,%ebp\n\tmovl\t%esp,%eax\n\tsubl\t%ebp,%eax\n\tandl\t$-4096,%eax\n\tmovl\t%esp,%edx\n\tleal\t(%ebp,%eax,1),%esp\n\tmovl\t(%esp),%eax\n\tcmpl\t%ebp,%esp\n\tja\t.L001page_walk\n\tjmp\t.L002page_walk_done\n.align\t16\n.L001page_walk:\n\tleal\t-4096(%esp),%esp\n\tmovl\t(%esp),%eax\n\tcmpl\t%ebp,%esp\n\tja\t.L001page_walk\n.L002page_walk_done:\n\tmovl\t(%esi),%eax\n\tmovl\t4(%esi),%ebx\n\tmovl\t8(%esi),%ecx\n\tmovl\t12(%esi),%ebp\n\tmovl\t16(%esi),%esi\n\tmovl\t(%esi),%esi\n\tmovl\t%eax,4(%esp)\n\tmovl\t%ebx,8(%esp)\n\tmovl\t%ecx,12(%esp)\n\tmovl\t%ebp,16(%esp)\n\tmovl\t%esi,20(%esp)\n\tleal\t-3(%edi),%ebx\n\tmovl\t%edx,24(%esp)\n\tmovl\t$-1,%eax\n\tmovd\t%eax,%mm7\n\tmovl\t8(%esp),%esi\n\tmovl\t12(%esp),%edi\n\tmovl\t16(%esp),%ebp\n\txorl\t%edx,%edx\n\txorl\t%ecx,%ecx\n\tmovd\t(%edi),%mm4\n\tmovd\t(%esi),%mm5\n\tmovd\t(%ebp),%mm3\n\tpmuludq\t%mm4,%mm5\n\tmovq\t%mm5,%mm2\n\tmovq\t%mm5,%mm0\n\tpand\t%mm7,%mm0\n\tpmuludq\t20(%esp),%mm5\n\tpmuludq\t%mm5,%mm3\n\tpaddq\t%mm0,%mm3\n\tmovd\t4(%ebp),%mm1\n\tmovd\t4(%esi),%mm0\n\tpsrlq\t$32,%mm2\n\tpsrlq\t$32,%mm3\n\tincl\t%ecx\n.align\t16\n.L0031st:\n\tpmuludq\t%mm4,%mm0\n\tpmuludq\t%mm5,%mm1\n\tpaddq\t%mm0,%mm2\n\tpaddq\t%mm1,%mm3\n\tmovq\t%mm2,%mm0\n\tpand\t%mm7,%mm0\n\tmovd\t4(%ebp,%ecx,4),%mm1\n\tpaddq\t%mm0,%mm3\n\tmovd\t4(%esi,%ecx,4),%mm0\n\tpsrlq\t$32,%mm2\n\tmovd\t%mm3,28(%esp,%ecx,4)\n\tpsrlq\t$32,%mm3\n\tleal\t1(%ecx),%ecx\n\tcmpl\t%ebx,%ecx\n\tjl\t.L0031st\n\tpmuludq\t%mm4,%mm0\n\tpmuludq\t%mm5,%mm1\n\tpaddq\t%mm0,%mm2\n\tpaddq\t%mm1,%mm3\n\tmovq\t%mm2,%mm0\n\tpand\t%mm7,%mm0\n\tpaddq\t%mm0,%mm3\n\tmovd\t%mm3,28(%esp,%ecx,4)\n\tpsrlq\t$32,%mm2\n\tpsrlq\t$32,%mm3\n\tpaddq\t%mm2,%mm3\n\tmovq\t%mm3,32(%esp,%ebx,4)\n\tincl\t%edx\n.L004outer:\n\txorl\t%ecx,%ecx\n\tmovd\t(%edi,%edx,4),%mm4\n\tmovd\t(%esi),%mm5\n\tmovd\t32(%esp),%mm6\n\tmovd\t(%ebp),%mm3\n\tpmuludq\t%mm4,%mm5\n\tpaddq\t%mm6,%mm5\n\tmovq\t%mm5,%mm0\n\tmovq\t%mm5,%mm2\n\tpand\t%mm7,%mm0\n\tpmuludq\t20(%esp),%mm5\n\tpmuludq\t%mm5,%mm3\n\tpaddq\t%mm0,%mm3\n\tmovd\t36(%esp),%mm6\n\tmovd\t4(%ebp),%mm1\n\tmovd\t4(%esi),%mm0\n\tpsrlq\t$32,%mm2\n\tpsrlq\t$32,%mm3\n\tpaddq\t%mm6,%mm2\n\tincl\t%ecx\n\tdecl\t%ebx\n.L005inner:\n\tpmuludq\t%mm4,%mm0\n\tpmuludq\t%mm5,%mm1\n\tpaddq\t%mm0,%mm2\n\tpaddq\t%mm1,%mm3\n\tmovq\t%mm2,%mm0\n\tmovd\t36(%esp,%ecx,4),%mm6\n\tpand\t%mm7,%mm0\n\tmovd\t4(%ebp,%ecx,4),%mm1\n\tpaddq\t%mm0,%mm3\n\tmovd\t4(%esi,%ecx,4),%mm0\n\tpsrlq\t$32,%mm2\n\tmovd\t%mm3,28(%esp,%ecx,4)\n\tpsrlq\t$32,%mm3\n\tpaddq\t%mm6,%mm2\n\tdecl\t%ebx\n\tleal\t1(%ecx),%ecx\n\tjnz\t.L005inner\n\tmovl\t%ecx,%ebx\n\tpmuludq\t%mm4,%mm0\n\tpmuludq\t%mm5,%mm1\n\tpaddq\t%mm0,%mm2\n\tpaddq\t%mm1,%mm3\n\tmovq\t%mm2,%mm0\n\tpand\t%mm7,%mm0\n\tpaddq\t%mm0,%mm3\n\tmovd\t%mm3,28(%esp,%ecx,4)\n\tpsrlq\t$32,%mm2\n\tpsrlq\t$32,%mm3\n\tmovd\t36(%esp,%ebx,4),%mm6\n\tpaddq\t%mm2,%mm3\n\tpaddq\t%mm6,%mm3\n\tmovq\t%mm3,32(%esp,%ebx,4)\n\tleal\t1(%edx),%edx\n\tcmpl\t%ebx,%edx\n\tjle\t.L004outer\n\temms\n\tjmp\t.L006common_tail\n.align\t16\n.L006common_tail:\n\tmovl\t16(%esp),%ebp\n\tmovl\t4(%esp),%edi\n\tleal\t32(%esp),%esi\n\tmovl\t(%esi),%eax\n\tmovl\t%ebx,%ecx\n\txorl\t%edx,%edx\n.align\t16\n.L007sub:\n\tsbbl\t(%ebp,%edx,4),%eax\n\tmovl\t%eax,(%edi,%edx,4)\n\tdecl\t%ecx\n\tmovl\t4(%esi,%edx,4),%eax\n\tleal\t1(%edx),%edx\n\tjge\t.L007sub\n\tsbbl\t$0,%eax\n\tmovl\t$-1,%edx\n\txorl\t%eax,%edx\n\tjmp\t.L008copy\n.align\t16\n.L008copy:\n\tmovl\t32(%esp,%ebx,4),%esi\n\tmovl\t(%edi,%ebx,4),%ebp\n\tmovl\t%ecx,32(%esp,%ebx,4)\n\tandl\t%eax,%esi\n\tandl\t%edx,%ebp\n\torl\t%esi,%ebp\n\tmovl\t%ebp,(%edi,%ebx,4)\n\tdecl\t%ebx\n\tjge\t.L008copy\n\tmovl\t24(%esp),%esp\n\tmovl\t$1,%eax\n.L000just_leave:\n\tpopl\t%edi\n\tpopl\t%esi\n\tpopl\t%ebx\n\tpopl\t%ebp\n\tret\n.size\tbn_mul_mont,.-.L_bn_mul_mont_begin\n.byte\t77,111,110,116,103,111,109,101,114,121,32,77,117,108,116,105\n.byte\t112,108,105,99,97,116,105,111,110,32,102,111,114,32,120,56\n.byte\t54,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121\n.byte\t32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46\n.byte\t111,114,103,62,0\n#endif // !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86) && defined(__ELF__)\n#if defined(__linux__) && defined(__ELF__)\n.section .note.GNU-stack,\"\",%progbits\n#endif\n\n" }, { "path": "Sources/CNIOBoringSSL/gen/bcm/x86_64-mont-apple.S", "content": "#define BORINGSSL_PREFIX CNIOBoringSSL\n// This file is generated from a similarly-named Perl script in the BoringSSL\n// source tree. Do not edit by hand.\n\n#include \n\n#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86_64) && defined(__APPLE__)\n.text\t\n\n.globl\t_bn_mul_mont_nohw\n.private_extern _bn_mul_mont_nohw\n\n.p2align\t4\n_bn_mul_mont_nohw:\n\n_CET_ENDBR\n\tmovl\t%r9d,%r9d\n\tmovq\t%rsp,%rax\n\n\tpushq\t%rbx\n\n\tpushq\t%rbp\n\n\tpushq\t%r12\n\n\tpushq\t%r13\n\n\tpushq\t%r14\n\n\tpushq\t%r15\n\n\n\tnegq\t%r9\n\tmovq\t%rsp,%r11\n\tleaq\t-16(%rsp,%r9,8),%r10\n\tnegq\t%r9\n\tandq\t$-1024,%r10\n\n\n\n\n\n\n\n\n\n\tsubq\t%r10,%r11\n\tandq\t$-4096,%r11\n\tleaq\t(%r10,%r11,1),%rsp\n\tmovq\t(%rsp),%r11\n\tcmpq\t%r10,%rsp\n\tja\tL$mul_page_walk\n\tjmp\tL$mul_page_walk_done\n\n.p2align\t4\nL$mul_page_walk:\n\tleaq\t-4096(%rsp),%rsp\n\tmovq\t(%rsp),%r11\n\tcmpq\t%r10,%rsp\n\tja\tL$mul_page_walk\nL$mul_page_walk_done:\n\n\tmovq\t%rax,8(%rsp,%r9,8)\n\nL$mul_body:\n\tmovq\t%rdx,%r12\n\tmovq\t(%r8),%r8\n\tmovq\t(%r12),%rbx\n\tmovq\t(%rsi),%rax\n\n\txorq\t%r14,%r14\n\txorq\t%r15,%r15\n\n\tmovq\t%r8,%rbp\n\tmulq\t%rbx\n\tmovq\t%rax,%r10\n\tmovq\t(%rcx),%rax\n\n\timulq\t%r10,%rbp\n\tmovq\t%rdx,%r11\n\n\tmulq\t%rbp\n\taddq\t%rax,%r10\n\tmovq\t8(%rsi),%rax\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r13\n\n\tleaq\t1(%r15),%r15\n\tjmp\tL$1st_enter\n\n.p2align\t4\nL$1st:\n\taddq\t%rax,%r13\n\tmovq\t(%rsi,%r15,8),%rax\n\tadcq\t$0,%rdx\n\taddq\t%r11,%r13\n\tmovq\t%r10,%r11\n\tadcq\t$0,%rdx\n\tmovq\t%r13,-16(%rsp,%r15,8)\n\tmovq\t%rdx,%r13\n\nL$1st_enter:\n\tmulq\t%rbx\n\taddq\t%rax,%r11\n\tmovq\t(%rcx,%r15,8),%rax\n\tadcq\t$0,%rdx\n\tleaq\t1(%r15),%r15\n\tmovq\t%rdx,%r10\n\n\tmulq\t%rbp\n\tcmpq\t%r9,%r15\n\tjne\tL$1st\n\n\taddq\t%rax,%r13\n\tmovq\t(%rsi),%rax\n\tadcq\t$0,%rdx\n\taddq\t%r11,%r13\n\tadcq\t$0,%rdx\n\tmovq\t%r13,-16(%rsp,%r15,8)\n\tmovq\t%rdx,%r13\n\tmovq\t%r10,%r11\n\n\txorq\t%rdx,%rdx\n\taddq\t%r11,%r13\n\tadcq\t$0,%rdx\n\tmovq\t%r13,-8(%rsp,%r9,8)\n\tmovq\t%rdx,(%rsp,%r9,8)\n\n\tleaq\t1(%r14),%r14\n\tjmp\tL$outer\n.p2align\t4\nL$outer:\n\tmovq\t(%r12,%r14,8),%rbx\n\txorq\t%r15,%r15\n\tmovq\t%r8,%rbp\n\tmovq\t(%rsp),%r10\n\tmulq\t%rbx\n\taddq\t%rax,%r10\n\tmovq\t(%rcx),%rax\n\tadcq\t$0,%rdx\n\n\timulq\t%r10,%rbp\n\tmovq\t%rdx,%r11\n\n\tmulq\t%rbp\n\taddq\t%rax,%r10\n\tmovq\t8(%rsi),%rax\n\tadcq\t$0,%rdx\n\tmovq\t8(%rsp),%r10\n\tmovq\t%rdx,%r13\n\n\tleaq\t1(%r15),%r15\n\tjmp\tL$inner_enter\n\n.p2align\t4\nL$inner:\n\taddq\t%rax,%r13\n\tmovq\t(%rsi,%r15,8),%rax\n\tadcq\t$0,%rdx\n\taddq\t%r10,%r13\n\tmovq\t(%rsp,%r15,8),%r10\n\tadcq\t$0,%rdx\n\tmovq\t%r13,-16(%rsp,%r15,8)\n\tmovq\t%rdx,%r13\n\nL$inner_enter:\n\tmulq\t%rbx\n\taddq\t%rax,%r11\n\tmovq\t(%rcx,%r15,8),%rax\n\tadcq\t$0,%rdx\n\taddq\t%r11,%r10\n\tmovq\t%rdx,%r11\n\tadcq\t$0,%r11\n\tleaq\t1(%r15),%r15\n\n\tmulq\t%rbp\n\tcmpq\t%r9,%r15\n\tjne\tL$inner\n\n\taddq\t%rax,%r13\n\tmovq\t(%rsi),%rax\n\tadcq\t$0,%rdx\n\taddq\t%r10,%r13\n\tmovq\t(%rsp,%r15,8),%r10\n\tadcq\t$0,%rdx\n\tmovq\t%r13,-16(%rsp,%r15,8)\n\tmovq\t%rdx,%r13\n\n\txorq\t%rdx,%rdx\n\taddq\t%r11,%r13\n\tadcq\t$0,%rdx\n\taddq\t%r10,%r13\n\tadcq\t$0,%rdx\n\tmovq\t%r13,-8(%rsp,%r9,8)\n\tmovq\t%rdx,(%rsp,%r9,8)\n\n\tleaq\t1(%r14),%r14\n\tcmpq\t%r9,%r14\n\tjb\tL$outer\n\n\txorq\t%r14,%r14\n\tmovq\t(%rsp),%rax\n\tmovq\t%r9,%r15\n\n.p2align\t4\nL$sub:\tsbbq\t(%rcx,%r14,8),%rax\n\tmovq\t%rax,(%rdi,%r14,8)\n\tmovq\t8(%rsp,%r14,8),%rax\n\tleaq\t1(%r14),%r14\n\tdecq\t%r15\n\tjnz\tL$sub\n\n\tsbbq\t$0,%rax\n\tmovq\t$-1,%rbx\n\txorq\t%rax,%rbx\n\txorq\t%r14,%r14\n\tmovq\t%r9,%r15\n\nL$copy:\n\tmovq\t(%rdi,%r14,8),%rcx\n\tmovq\t(%rsp,%r14,8),%rdx\n\tandq\t%rbx,%rcx\n\tandq\t%rax,%rdx\n\tmovq\t%r9,(%rsp,%r14,8)\n\torq\t%rcx,%rdx\n\tmovq\t%rdx,(%rdi,%r14,8)\n\tleaq\t1(%r14),%r14\n\tsubq\t$1,%r15\n\tjnz\tL$copy\n\n\tmovq\t8(%rsp,%r9,8),%rsi\n\n\tmovq\t$1,%rax\n\tmovq\t-48(%rsi),%r15\n\n\tmovq\t-40(%rsi),%r14\n\n\tmovq\t-32(%rsi),%r13\n\n\tmovq\t-24(%rsi),%r12\n\n\tmovq\t-16(%rsi),%rbp\n\n\tmovq\t-8(%rsi),%rbx\n\n\tleaq\t(%rsi),%rsp\n\nL$mul_epilogue:\n\tret\n\n\n.globl\t_bn_mul4x_mont\n.private_extern _bn_mul4x_mont\n\n.p2align\t4\n_bn_mul4x_mont:\n\n_CET_ENDBR\n\tmovl\t%r9d,%r9d\n\tmovq\t%rsp,%rax\n\n\tpushq\t%rbx\n\n\tpushq\t%rbp\n\n\tpushq\t%r12\n\n\tpushq\t%r13\n\n\tpushq\t%r14\n\n\tpushq\t%r15\n\n\n\tnegq\t%r9\n\tmovq\t%rsp,%r11\n\tleaq\t-32(%rsp,%r9,8),%r10\n\tnegq\t%r9\n\tandq\t$-1024,%r10\n\n\tsubq\t%r10,%r11\n\tandq\t$-4096,%r11\n\tleaq\t(%r10,%r11,1),%rsp\n\tmovq\t(%rsp),%r11\n\tcmpq\t%r10,%rsp\n\tja\tL$mul4x_page_walk\n\tjmp\tL$mul4x_page_walk_done\n\nL$mul4x_page_walk:\n\tleaq\t-4096(%rsp),%rsp\n\tmovq\t(%rsp),%r11\n\tcmpq\t%r10,%rsp\n\tja\tL$mul4x_page_walk\nL$mul4x_page_walk_done:\n\n\tmovq\t%rax,8(%rsp,%r9,8)\n\nL$mul4x_body:\n\tmovq\t%rdi,16(%rsp,%r9,8)\n\tmovq\t%rdx,%r12\n\tmovq\t(%r8),%r8\n\tmovq\t(%r12),%rbx\n\tmovq\t(%rsi),%rax\n\n\txorq\t%r14,%r14\n\txorq\t%r15,%r15\n\n\tmovq\t%r8,%rbp\n\tmulq\t%rbx\n\tmovq\t%rax,%r10\n\tmovq\t(%rcx),%rax\n\n\timulq\t%r10,%rbp\n\tmovq\t%rdx,%r11\n\n\tmulq\t%rbp\n\taddq\t%rax,%r10\n\tmovq\t8(%rsi),%rax\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%rdi\n\n\tmulq\t%rbx\n\taddq\t%rax,%r11\n\tmovq\t8(%rcx),%rax\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r10\n\n\tmulq\t%rbp\n\taddq\t%rax,%rdi\n\tmovq\t16(%rsi),%rax\n\tadcq\t$0,%rdx\n\taddq\t%r11,%rdi\n\tleaq\t4(%r15),%r15\n\tadcq\t$0,%rdx\n\tmovq\t%rdi,(%rsp)\n\tmovq\t%rdx,%r13\n\tjmp\tL$1st4x\n.p2align\t4\nL$1st4x:\n\tmulq\t%rbx\n\taddq\t%rax,%r10\n\tmovq\t-16(%rcx,%r15,8),%rax\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r11\n\n\tmulq\t%rbp\n\taddq\t%rax,%r13\n\tmovq\t-8(%rsi,%r15,8),%rax\n\tadcq\t$0,%rdx\n\taddq\t%r10,%r13\n\tadcq\t$0,%rdx\n\tmovq\t%r13,-24(%rsp,%r15,8)\n\tmovq\t%rdx,%rdi\n\n\tmulq\t%rbx\n\taddq\t%rax,%r11\n\tmovq\t-8(%rcx,%r15,8),%rax\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r10\n\n\tmulq\t%rbp\n\taddq\t%rax,%rdi\n\tmovq\t(%rsi,%r15,8),%rax\n\tadcq\t$0,%rdx\n\taddq\t%r11,%rdi\n\tadcq\t$0,%rdx\n\tmovq\t%rdi,-16(%rsp,%r15,8)\n\tmovq\t%rdx,%r13\n\n\tmulq\t%rbx\n\taddq\t%rax,%r10\n\tmovq\t(%rcx,%r15,8),%rax\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r11\n\n\tmulq\t%rbp\n\taddq\t%rax,%r13\n\tmovq\t8(%rsi,%r15,8),%rax\n\tadcq\t$0,%rdx\n\taddq\t%r10,%r13\n\tadcq\t$0,%rdx\n\tmovq\t%r13,-8(%rsp,%r15,8)\n\tmovq\t%rdx,%rdi\n\n\tmulq\t%rbx\n\taddq\t%rax,%r11\n\tmovq\t8(%rcx,%r15,8),%rax\n\tadcq\t$0,%rdx\n\tleaq\t4(%r15),%r15\n\tmovq\t%rdx,%r10\n\n\tmulq\t%rbp\n\taddq\t%rax,%rdi\n\tmovq\t-16(%rsi,%r15,8),%rax\n\tadcq\t$0,%rdx\n\taddq\t%r11,%rdi\n\tadcq\t$0,%rdx\n\tmovq\t%rdi,-32(%rsp,%r15,8)\n\tmovq\t%rdx,%r13\n\tcmpq\t%r9,%r15\n\tjb\tL$1st4x\n\n\tmulq\t%rbx\n\taddq\t%rax,%r10\n\tmovq\t-16(%rcx,%r15,8),%rax\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r11\n\n\tmulq\t%rbp\n\taddq\t%rax,%r13\n\tmovq\t-8(%rsi,%r15,8),%rax\n\tadcq\t$0,%rdx\n\taddq\t%r10,%r13\n\tadcq\t$0,%rdx\n\tmovq\t%r13,-24(%rsp,%r15,8)\n\tmovq\t%rdx,%rdi\n\n\tmulq\t%rbx\n\taddq\t%rax,%r11\n\tmovq\t-8(%rcx,%r15,8),%rax\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r10\n\n\tmulq\t%rbp\n\taddq\t%rax,%rdi\n\tmovq\t(%rsi),%rax\n\tadcq\t$0,%rdx\n\taddq\t%r11,%rdi\n\tadcq\t$0,%rdx\n\tmovq\t%rdi,-16(%rsp,%r15,8)\n\tmovq\t%rdx,%r13\n\n\txorq\t%rdi,%rdi\n\taddq\t%r10,%r13\n\tadcq\t$0,%rdi\n\tmovq\t%r13,-8(%rsp,%r15,8)\n\tmovq\t%rdi,(%rsp,%r15,8)\n\n\tleaq\t1(%r14),%r14\n.p2align\t2\nL$outer4x:\n\tmovq\t(%r12,%r14,8),%rbx\n\txorq\t%r15,%r15\n\tmovq\t(%rsp),%r10\n\tmovq\t%r8,%rbp\n\tmulq\t%rbx\n\taddq\t%rax,%r10\n\tmovq\t(%rcx),%rax\n\tadcq\t$0,%rdx\n\n\timulq\t%r10,%rbp\n\tmovq\t%rdx,%r11\n\n\tmulq\t%rbp\n\taddq\t%rax,%r10\n\tmovq\t8(%rsi),%rax\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%rdi\n\n\tmulq\t%rbx\n\taddq\t%rax,%r11\n\tmovq\t8(%rcx),%rax\n\tadcq\t$0,%rdx\n\taddq\t8(%rsp),%r11\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r10\n\n\tmulq\t%rbp\n\taddq\t%rax,%rdi\n\tmovq\t16(%rsi),%rax\n\tadcq\t$0,%rdx\n\taddq\t%r11,%rdi\n\tleaq\t4(%r15),%r15\n\tadcq\t$0,%rdx\n\tmovq\t%rdi,(%rsp)\n\tmovq\t%rdx,%r13\n\tjmp\tL$inner4x\n.p2align\t4\nL$inner4x:\n\tmulq\t%rbx\n\taddq\t%rax,%r10\n\tmovq\t-16(%rcx,%r15,8),%rax\n\tadcq\t$0,%rdx\n\taddq\t-16(%rsp,%r15,8),%r10\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r11\n\n\tmulq\t%rbp\n\taddq\t%rax,%r13\n\tmovq\t-8(%rsi,%r15,8),%rax\n\tadcq\t$0,%rdx\n\taddq\t%r10,%r13\n\tadcq\t$0,%rdx\n\tmovq\t%r13,-24(%rsp,%r15,8)\n\tmovq\t%rdx,%rdi\n\n\tmulq\t%rbx\n\taddq\t%rax,%r11\n\tmovq\t-8(%rcx,%r15,8),%rax\n\tadcq\t$0,%rdx\n\taddq\t-8(%rsp,%r15,8),%r11\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r10\n\n\tmulq\t%rbp\n\taddq\t%rax,%rdi\n\tmovq\t(%rsi,%r15,8),%rax\n\tadcq\t$0,%rdx\n\taddq\t%r11,%rdi\n\tadcq\t$0,%rdx\n\tmovq\t%rdi,-16(%rsp,%r15,8)\n\tmovq\t%rdx,%r13\n\n\tmulq\t%rbx\n\taddq\t%rax,%r10\n\tmovq\t(%rcx,%r15,8),%rax\n\tadcq\t$0,%rdx\n\taddq\t(%rsp,%r15,8),%r10\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r11\n\n\tmulq\t%rbp\n\taddq\t%rax,%r13\n\tmovq\t8(%rsi,%r15,8),%rax\n\tadcq\t$0,%rdx\n\taddq\t%r10,%r13\n\tadcq\t$0,%rdx\n\tmovq\t%r13,-8(%rsp,%r15,8)\n\tmovq\t%rdx,%rdi\n\n\tmulq\t%rbx\n\taddq\t%rax,%r11\n\tmovq\t8(%rcx,%r15,8),%rax\n\tadcq\t$0,%rdx\n\taddq\t8(%rsp,%r15,8),%r11\n\tadcq\t$0,%rdx\n\tleaq\t4(%r15),%r15\n\tmovq\t%rdx,%r10\n\n\tmulq\t%rbp\n\taddq\t%rax,%rdi\n\tmovq\t-16(%rsi,%r15,8),%rax\n\tadcq\t$0,%rdx\n\taddq\t%r11,%rdi\n\tadcq\t$0,%rdx\n\tmovq\t%rdi,-32(%rsp,%r15,8)\n\tmovq\t%rdx,%r13\n\tcmpq\t%r9,%r15\n\tjb\tL$inner4x\n\n\tmulq\t%rbx\n\taddq\t%rax,%r10\n\tmovq\t-16(%rcx,%r15,8),%rax\n\tadcq\t$0,%rdx\n\taddq\t-16(%rsp,%r15,8),%r10\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r11\n\n\tmulq\t%rbp\n\taddq\t%rax,%r13\n\tmovq\t-8(%rsi,%r15,8),%rax\n\tadcq\t$0,%rdx\n\taddq\t%r10,%r13\n\tadcq\t$0,%rdx\n\tmovq\t%r13,-24(%rsp,%r15,8)\n\tmovq\t%rdx,%rdi\n\n\tmulq\t%rbx\n\taddq\t%rax,%r11\n\tmovq\t-8(%rcx,%r15,8),%rax\n\tadcq\t$0,%rdx\n\taddq\t-8(%rsp,%r15,8),%r11\n\tadcq\t$0,%rdx\n\tleaq\t1(%r14),%r14\n\tmovq\t%rdx,%r10\n\n\tmulq\t%rbp\n\taddq\t%rax,%rdi\n\tmovq\t(%rsi),%rax\n\tadcq\t$0,%rdx\n\taddq\t%r11,%rdi\n\tadcq\t$0,%rdx\n\tmovq\t%rdi,-16(%rsp,%r15,8)\n\tmovq\t%rdx,%r13\n\n\txorq\t%rdi,%rdi\n\taddq\t%r10,%r13\n\tadcq\t$0,%rdi\n\taddq\t(%rsp,%r9,8),%r13\n\tadcq\t$0,%rdi\n\tmovq\t%r13,-8(%rsp,%r15,8)\n\tmovq\t%rdi,(%rsp,%r15,8)\n\n\tcmpq\t%r9,%r14\n\tjb\tL$outer4x\n\tmovq\t16(%rsp,%r9,8),%rdi\n\tleaq\t-4(%r9),%r15\n\tmovq\t0(%rsp),%rax\n\tmovq\t8(%rsp),%rdx\n\tshrq\t$2,%r15\n\tleaq\t(%rsp),%rsi\n\txorq\t%r14,%r14\n\n\tsubq\t0(%rcx),%rax\n\tmovq\t16(%rsi),%rbx\n\tmovq\t24(%rsi),%rbp\n\tsbbq\t8(%rcx),%rdx\n\nL$sub4x:\n\tmovq\t%rax,0(%rdi,%r14,8)\n\tmovq\t%rdx,8(%rdi,%r14,8)\n\tsbbq\t16(%rcx,%r14,8),%rbx\n\tmovq\t32(%rsi,%r14,8),%rax\n\tmovq\t40(%rsi,%r14,8),%rdx\n\tsbbq\t24(%rcx,%r14,8),%rbp\n\tmovq\t%rbx,16(%rdi,%r14,8)\n\tmovq\t%rbp,24(%rdi,%r14,8)\n\tsbbq\t32(%rcx,%r14,8),%rax\n\tmovq\t48(%rsi,%r14,8),%rbx\n\tmovq\t56(%rsi,%r14,8),%rbp\n\tsbbq\t40(%rcx,%r14,8),%rdx\n\tleaq\t4(%r14),%r14\n\tdecq\t%r15\n\tjnz\tL$sub4x\n\n\tmovq\t%rax,0(%rdi,%r14,8)\n\tmovq\t32(%rsi,%r14,8),%rax\n\tsbbq\t16(%rcx,%r14,8),%rbx\n\tmovq\t%rdx,8(%rdi,%r14,8)\n\tsbbq\t24(%rcx,%r14,8),%rbp\n\tmovq\t%rbx,16(%rdi,%r14,8)\n\n\tsbbq\t$0,%rax\n\tmovq\t%rbp,24(%rdi,%r14,8)\n\tpxor\t%xmm0,%xmm0\n.byte\t102,72,15,110,224\n\tpcmpeqd\t%xmm5,%xmm5\n\tpshufd\t$0,%xmm4,%xmm4\n\tmovq\t%r9,%r15\n\tpxor\t%xmm4,%xmm5\n\tshrq\t$2,%r15\n\txorl\t%eax,%eax\n\n\tjmp\tL$copy4x\n.p2align\t4\nL$copy4x:\n\tmovdqa\t(%rsp,%rax,1),%xmm1\n\tmovdqu\t(%rdi,%rax,1),%xmm2\n\tpand\t%xmm4,%xmm1\n\tpand\t%xmm5,%xmm2\n\tmovdqa\t16(%rsp,%rax,1),%xmm3\n\tmovdqa\t%xmm0,(%rsp,%rax,1)\n\tpor\t%xmm2,%xmm1\n\tmovdqu\t16(%rdi,%rax,1),%xmm2\n\tmovdqu\t%xmm1,(%rdi,%rax,1)\n\tpand\t%xmm4,%xmm3\n\tpand\t%xmm5,%xmm2\n\tmovdqa\t%xmm0,16(%rsp,%rax,1)\n\tpor\t%xmm2,%xmm3\n\tmovdqu\t%xmm3,16(%rdi,%rax,1)\n\tleaq\t32(%rax),%rax\n\tdecq\t%r15\n\tjnz\tL$copy4x\n\tmovq\t8(%rsp,%r9,8),%rsi\n\n\tmovq\t$1,%rax\n\tmovq\t-48(%rsi),%r15\n\n\tmovq\t-40(%rsi),%r14\n\n\tmovq\t-32(%rsi),%r13\n\n\tmovq\t-24(%rsi),%r12\n\n\tmovq\t-16(%rsi),%rbp\n\n\tmovq\t-8(%rsi),%rbx\n\n\tleaq\t(%rsi),%rsp\n\nL$mul4x_epilogue:\n\tret\n\n\n\n\n\n.globl\t_bn_sqr8x_mont\n.private_extern _bn_sqr8x_mont\n\n.p2align\t5\n_bn_sqr8x_mont:\n\n_CET_ENDBR\n\tmovl\t%r9d,%r9d\n\tmovq\t%rsp,%rax\n\n\tpushq\t%rbx\n\n\tpushq\t%rbp\n\n\tpushq\t%r12\n\n\tpushq\t%r13\n\n\tpushq\t%r14\n\n\tpushq\t%r15\n\nL$sqr8x_prologue:\n\n\tmovl\t%r9d,%r10d\n\tshll\t$3,%r9d\n\tshlq\t$3+2,%r10\n\tnegq\t%r9\n\n\n\n\n\n\n\tleaq\t-64(%rsp,%r9,2),%r11\n\tmovq\t%rsp,%rbp\n\tmovq\t(%r8),%r8\n\tsubq\t%rsi,%r11\n\tandq\t$4095,%r11\n\tcmpq\t%r11,%r10\n\tjb\tL$sqr8x_sp_alt\n\tsubq\t%r11,%rbp\n\tleaq\t-64(%rbp,%r9,2),%rbp\n\tjmp\tL$sqr8x_sp_done\n\n.p2align\t5\nL$sqr8x_sp_alt:\n\tleaq\t4096-64(,%r9,2),%r10\n\tleaq\t-64(%rbp,%r9,2),%rbp\n\tsubq\t%r10,%r11\n\tmovq\t$0,%r10\n\tcmovcq\t%r10,%r11\n\tsubq\t%r11,%rbp\nL$sqr8x_sp_done:\n\tandq\t$-64,%rbp\n\tmovq\t%rsp,%r11\n\tsubq\t%rbp,%r11\n\tandq\t$-4096,%r11\n\tleaq\t(%r11,%rbp,1),%rsp\n\tmovq\t(%rsp),%r10\n\tcmpq\t%rbp,%rsp\n\tja\tL$sqr8x_page_walk\n\tjmp\tL$sqr8x_page_walk_done\n\n.p2align\t4\nL$sqr8x_page_walk:\n\tleaq\t-4096(%rsp),%rsp\n\tmovq\t(%rsp),%r10\n\tcmpq\t%rbp,%rsp\n\tja\tL$sqr8x_page_walk\nL$sqr8x_page_walk_done:\n\n\tmovq\t%r9,%r10\n\tnegq\t%r9\n\n\tmovq\t%r8,32(%rsp)\n\tmovq\t%rax,40(%rsp)\n\nL$sqr8x_body:\n\n.byte\t102,72,15,110,209\n\tpxor\t%xmm0,%xmm0\n.byte\t102,72,15,110,207\n.byte\t102,73,15,110,218\n\ttestq\t%rdx,%rdx\n\tjz\tL$sqr8x_nox\n\n\tcall\t_bn_sqrx8x_internal\n\n\n\n\n\tleaq\t(%r8,%rcx,1),%rbx\n\tmovq\t%rcx,%r9\n\tmovq\t%rcx,%rdx\n.byte\t102,72,15,126,207\n\tsarq\t$3+2,%rcx\n\tjmp\tL$sqr8x_sub\n\n.p2align\t5\nL$sqr8x_nox:\n\tcall\t_bn_sqr8x_internal\n\n\n\n\n\tleaq\t(%rdi,%r9,1),%rbx\n\tmovq\t%r9,%rcx\n\tmovq\t%r9,%rdx\n.byte\t102,72,15,126,207\n\tsarq\t$3+2,%rcx\n\tjmp\tL$sqr8x_sub\n\n.p2align\t5\nL$sqr8x_sub:\n\tmovq\t0(%rbx),%r12\n\tmovq\t8(%rbx),%r13\n\tmovq\t16(%rbx),%r14\n\tmovq\t24(%rbx),%r15\n\tleaq\t32(%rbx),%rbx\n\tsbbq\t0(%rbp),%r12\n\tsbbq\t8(%rbp),%r13\n\tsbbq\t16(%rbp),%r14\n\tsbbq\t24(%rbp),%r15\n\tleaq\t32(%rbp),%rbp\n\tmovq\t%r12,0(%rdi)\n\tmovq\t%r13,8(%rdi)\n\tmovq\t%r14,16(%rdi)\n\tmovq\t%r15,24(%rdi)\n\tleaq\t32(%rdi),%rdi\n\tincq\t%rcx\n\tjnz\tL$sqr8x_sub\n\n\tsbbq\t$0,%rax\n\tleaq\t(%rbx,%r9,1),%rbx\n\tleaq\t(%rdi,%r9,1),%rdi\n\n.byte\t102,72,15,110,200\n\tpxor\t%xmm0,%xmm0\n\tpshufd\t$0,%xmm1,%xmm1\n\tmovq\t40(%rsp),%rsi\n\n\tjmp\tL$sqr8x_cond_copy\n\n.p2align\t5\nL$sqr8x_cond_copy:\n\tmovdqa\t0(%rbx),%xmm2\n\tmovdqa\t16(%rbx),%xmm3\n\tleaq\t32(%rbx),%rbx\n\tmovdqu\t0(%rdi),%xmm4\n\tmovdqu\t16(%rdi),%xmm5\n\tleaq\t32(%rdi),%rdi\n\tmovdqa\t%xmm0,-32(%rbx)\n\tmovdqa\t%xmm0,-16(%rbx)\n\tmovdqa\t%xmm0,-32(%rbx,%rdx,1)\n\tmovdqa\t%xmm0,-16(%rbx,%rdx,1)\n\tpcmpeqd\t%xmm1,%xmm0\n\tpand\t%xmm1,%xmm2\n\tpand\t%xmm1,%xmm3\n\tpand\t%xmm0,%xmm4\n\tpand\t%xmm0,%xmm5\n\tpxor\t%xmm0,%xmm0\n\tpor\t%xmm2,%xmm4\n\tpor\t%xmm3,%xmm5\n\tmovdqu\t%xmm4,-32(%rdi)\n\tmovdqu\t%xmm5,-16(%rdi)\n\taddq\t$32,%r9\n\tjnz\tL$sqr8x_cond_copy\n\n\tmovq\t$1,%rax\n\tmovq\t-48(%rsi),%r15\n\n\tmovq\t-40(%rsi),%r14\n\n\tmovq\t-32(%rsi),%r13\n\n\tmovq\t-24(%rsi),%r12\n\n\tmovq\t-16(%rsi),%rbp\n\n\tmovq\t-8(%rsi),%rbx\n\n\tleaq\t(%rsi),%rsp\n\nL$sqr8x_epilogue:\n\tret\n\n\n.globl\t_bn_mulx4x_mont\n.private_extern _bn_mulx4x_mont\n\n.p2align\t5\n_bn_mulx4x_mont:\n\n_CET_ENDBR\n\tmovq\t%rsp,%rax\n\n\tpushq\t%rbx\n\n\tpushq\t%rbp\n\n\tpushq\t%r12\n\n\tpushq\t%r13\n\n\tpushq\t%r14\n\n\tpushq\t%r15\n\nL$mulx4x_prologue:\n\n\tshll\t$3,%r9d\n\txorq\t%r10,%r10\n\tsubq\t%r9,%r10\n\tmovq\t(%r8),%r8\n\tleaq\t-72(%rsp,%r10,1),%rbp\n\tandq\t$-128,%rbp\n\tmovq\t%rsp,%r11\n\tsubq\t%rbp,%r11\n\tandq\t$-4096,%r11\n\tleaq\t(%r11,%rbp,1),%rsp\n\tmovq\t(%rsp),%r10\n\tcmpq\t%rbp,%rsp\n\tja\tL$mulx4x_page_walk\n\tjmp\tL$mulx4x_page_walk_done\n\n.p2align\t4\nL$mulx4x_page_walk:\n\tleaq\t-4096(%rsp),%rsp\n\tmovq\t(%rsp),%r10\n\tcmpq\t%rbp,%rsp\n\tja\tL$mulx4x_page_walk\nL$mulx4x_page_walk_done:\n\n\tleaq\t(%rdx,%r9,1),%r10\n\n\n\n\n\n\n\n\n\n\n\n\n\tmovq\t%r9,0(%rsp)\n\tshrq\t$5,%r9\n\tmovq\t%r10,16(%rsp)\n\tsubq\t$1,%r9\n\tmovq\t%r8,24(%rsp)\n\tmovq\t%rdi,32(%rsp)\n\tmovq\t%rax,40(%rsp)\n\n\tmovq\t%r9,48(%rsp)\n\tjmp\tL$mulx4x_body\n\n.p2align\t5\nL$mulx4x_body:\n\tleaq\t8(%rdx),%rdi\n\tmovq\t(%rdx),%rdx\n\tleaq\t64+32(%rsp),%rbx\n\tmovq\t%rdx,%r9\n\n\tmulxq\t0(%rsi),%r8,%rax\n\tmulxq\t8(%rsi),%r11,%r14\n\taddq\t%rax,%r11\n\tmovq\t%rdi,8(%rsp)\n\tmulxq\t16(%rsi),%r12,%r13\n\tadcq\t%r14,%r12\n\tadcq\t$0,%r13\n\n\tmovq\t%r8,%rdi\n\timulq\t24(%rsp),%r8\n\txorq\t%rbp,%rbp\n\n\tmulxq\t24(%rsi),%rax,%r14\n\tmovq\t%r8,%rdx\n\tleaq\t32(%rsi),%rsi\n\tadcxq\t%rax,%r13\n\tadcxq\t%rbp,%r14\n\n\tmulxq\t0(%rcx),%rax,%r10\n\tadcxq\t%rax,%rdi\n\tadoxq\t%r11,%r10\n\tmulxq\t8(%rcx),%rax,%r11\n\tadcxq\t%rax,%r10\n\tadoxq\t%r12,%r11\n.byte\t0xc4,0x62,0xfb,0xf6,0xa1,0x10,0x00,0x00,0x00\n\tmovq\t48(%rsp),%rdi\n\tmovq\t%r10,-32(%rbx)\n\tadcxq\t%rax,%r11\n\tadoxq\t%r13,%r12\n\tmulxq\t24(%rcx),%rax,%r15\n\tmovq\t%r9,%rdx\n\tmovq\t%r11,-24(%rbx)\n\tadcxq\t%rax,%r12\n\tadoxq\t%rbp,%r15\n\tleaq\t32(%rcx),%rcx\n\tmovq\t%r12,-16(%rbx)\n\n\tjmp\tL$mulx4x_1st\n\n.p2align\t5\nL$mulx4x_1st:\n\tadcxq\t%rbp,%r15\n\tmulxq\t0(%rsi),%r10,%rax\n\tadcxq\t%r14,%r10\n\tmulxq\t8(%rsi),%r11,%r14\n\tadcxq\t%rax,%r11\n\tmulxq\t16(%rsi),%r12,%rax\n\tadcxq\t%r14,%r12\n\tmulxq\t24(%rsi),%r13,%r14\n.byte\t0x67,0x67\n\tmovq\t%r8,%rdx\n\tadcxq\t%rax,%r13\n\tadcxq\t%rbp,%r14\n\tleaq\t32(%rsi),%rsi\n\tleaq\t32(%rbx),%rbx\n\n\tadoxq\t%r15,%r10\n\tmulxq\t0(%rcx),%rax,%r15\n\tadcxq\t%rax,%r10\n\tadoxq\t%r15,%r11\n\tmulxq\t8(%rcx),%rax,%r15\n\tadcxq\t%rax,%r11\n\tadoxq\t%r15,%r12\n\tmulxq\t16(%rcx),%rax,%r15\n\tmovq\t%r10,-40(%rbx)\n\tadcxq\t%rax,%r12\n\tmovq\t%r11,-32(%rbx)\n\tadoxq\t%r15,%r13\n\tmulxq\t24(%rcx),%rax,%r15\n\tmovq\t%r9,%rdx\n\tmovq\t%r12,-24(%rbx)\n\tadcxq\t%rax,%r13\n\tadoxq\t%rbp,%r15\n\tleaq\t32(%rcx),%rcx\n\tmovq\t%r13,-16(%rbx)\n\n\tdecq\t%rdi\n\tjnz\tL$mulx4x_1st\n\n\tmovq\t0(%rsp),%rax\n\tmovq\t8(%rsp),%rdi\n\tadcq\t%rbp,%r15\n\taddq\t%r15,%r14\n\tsbbq\t%r15,%r15\n\tmovq\t%r14,-8(%rbx)\n\tjmp\tL$mulx4x_outer\n\n.p2align\t5\nL$mulx4x_outer:\n\tmovq\t(%rdi),%rdx\n\tleaq\t8(%rdi),%rdi\n\tsubq\t%rax,%rsi\n\tmovq\t%r15,(%rbx)\n\tleaq\t64+32(%rsp),%rbx\n\tsubq\t%rax,%rcx\n\n\tmulxq\t0(%rsi),%r8,%r11\n\txorl\t%ebp,%ebp\n\tmovq\t%rdx,%r9\n\tmulxq\t8(%rsi),%r14,%r12\n\tadoxq\t-32(%rbx),%r8\n\tadcxq\t%r14,%r11\n\tmulxq\t16(%rsi),%r15,%r13\n\tadoxq\t-24(%rbx),%r11\n\tadcxq\t%r15,%r12\n\tadoxq\t-16(%rbx),%r12\n\tadcxq\t%rbp,%r13\n\tadoxq\t%rbp,%r13\n\n\tmovq\t%rdi,8(%rsp)\n\tmovq\t%r8,%r15\n\timulq\t24(%rsp),%r8\n\txorl\t%ebp,%ebp\n\n\tmulxq\t24(%rsi),%rax,%r14\n\tmovq\t%r8,%rdx\n\tadcxq\t%rax,%r13\n\tadoxq\t-8(%rbx),%r13\n\tadcxq\t%rbp,%r14\n\tleaq\t32(%rsi),%rsi\n\tadoxq\t%rbp,%r14\n\n\tmulxq\t0(%rcx),%rax,%r10\n\tadcxq\t%rax,%r15\n\tadoxq\t%r11,%r10\n\tmulxq\t8(%rcx),%rax,%r11\n\tadcxq\t%rax,%r10\n\tadoxq\t%r12,%r11\n\tmulxq\t16(%rcx),%rax,%r12\n\tmovq\t%r10,-32(%rbx)\n\tadcxq\t%rax,%r11\n\tadoxq\t%r13,%r12\n\tmulxq\t24(%rcx),%rax,%r15\n\tmovq\t%r9,%rdx\n\tmovq\t%r11,-24(%rbx)\n\tleaq\t32(%rcx),%rcx\n\tadcxq\t%rax,%r12\n\tadoxq\t%rbp,%r15\n\tmovq\t48(%rsp),%rdi\n\tmovq\t%r12,-16(%rbx)\n\n\tjmp\tL$mulx4x_inner\n\n.p2align\t5\nL$mulx4x_inner:\n\tmulxq\t0(%rsi),%r10,%rax\n\tadcxq\t%rbp,%r15\n\tadoxq\t%r14,%r10\n\tmulxq\t8(%rsi),%r11,%r14\n\tadcxq\t0(%rbx),%r10\n\tadoxq\t%rax,%r11\n\tmulxq\t16(%rsi),%r12,%rax\n\tadcxq\t8(%rbx),%r11\n\tadoxq\t%r14,%r12\n\tmulxq\t24(%rsi),%r13,%r14\n\tmovq\t%r8,%rdx\n\tadcxq\t16(%rbx),%r12\n\tadoxq\t%rax,%r13\n\tadcxq\t24(%rbx),%r13\n\tadoxq\t%rbp,%r14\n\tleaq\t32(%rsi),%rsi\n\tleaq\t32(%rbx),%rbx\n\tadcxq\t%rbp,%r14\n\n\tadoxq\t%r15,%r10\n\tmulxq\t0(%rcx),%rax,%r15\n\tadcxq\t%rax,%r10\n\tadoxq\t%r15,%r11\n\tmulxq\t8(%rcx),%rax,%r15\n\tadcxq\t%rax,%r11\n\tadoxq\t%r15,%r12\n\tmulxq\t16(%rcx),%rax,%r15\n\tmovq\t%r10,-40(%rbx)\n\tadcxq\t%rax,%r12\n\tadoxq\t%r15,%r13\n\tmulxq\t24(%rcx),%rax,%r15\n\tmovq\t%r9,%rdx\n\tmovq\t%r11,-32(%rbx)\n\tmovq\t%r12,-24(%rbx)\n\tadcxq\t%rax,%r13\n\tadoxq\t%rbp,%r15\n\tleaq\t32(%rcx),%rcx\n\tmovq\t%r13,-16(%rbx)\n\n\tdecq\t%rdi\n\tjnz\tL$mulx4x_inner\n\n\tmovq\t0(%rsp),%rax\n\tmovq\t8(%rsp),%rdi\n\tadcq\t%rbp,%r15\n\tsubq\t0(%rbx),%rbp\n\tadcq\t%r15,%r14\n\tsbbq\t%r15,%r15\n\tmovq\t%r14,-8(%rbx)\n\n\tcmpq\t16(%rsp),%rdi\n\tjne\tL$mulx4x_outer\n\n\tleaq\t64(%rsp),%rbx\n\tsubq\t%rax,%rcx\n\tnegq\t%r15\n\tmovq\t%rax,%rdx\n\tshrq\t$3+2,%rax\n\tmovq\t32(%rsp),%rdi\n\tjmp\tL$mulx4x_sub\n\n.p2align\t5\nL$mulx4x_sub:\n\tmovq\t0(%rbx),%r11\n\tmovq\t8(%rbx),%r12\n\tmovq\t16(%rbx),%r13\n\tmovq\t24(%rbx),%r14\n\tleaq\t32(%rbx),%rbx\n\tsbbq\t0(%rcx),%r11\n\tsbbq\t8(%rcx),%r12\n\tsbbq\t16(%rcx),%r13\n\tsbbq\t24(%rcx),%r14\n\tleaq\t32(%rcx),%rcx\n\tmovq\t%r11,0(%rdi)\n\tmovq\t%r12,8(%rdi)\n\tmovq\t%r13,16(%rdi)\n\tmovq\t%r14,24(%rdi)\n\tleaq\t32(%rdi),%rdi\n\tdecq\t%rax\n\tjnz\tL$mulx4x_sub\n\n\tsbbq\t$0,%r15\n\tleaq\t64(%rsp),%rbx\n\tsubq\t%rdx,%rdi\n\n.byte\t102,73,15,110,207\n\tpxor\t%xmm0,%xmm0\n\tpshufd\t$0,%xmm1,%xmm1\n\tmovq\t40(%rsp),%rsi\n\n\tjmp\tL$mulx4x_cond_copy\n\n.p2align\t5\nL$mulx4x_cond_copy:\n\tmovdqa\t0(%rbx),%xmm2\n\tmovdqa\t16(%rbx),%xmm3\n\tleaq\t32(%rbx),%rbx\n\tmovdqu\t0(%rdi),%xmm4\n\tmovdqu\t16(%rdi),%xmm5\n\tleaq\t32(%rdi),%rdi\n\tmovdqa\t%xmm0,-32(%rbx)\n\tmovdqa\t%xmm0,-16(%rbx)\n\tpcmpeqd\t%xmm1,%xmm0\n\tpand\t%xmm1,%xmm2\n\tpand\t%xmm1,%xmm3\n\tpand\t%xmm0,%xmm4\n\tpand\t%xmm0,%xmm5\n\tpxor\t%xmm0,%xmm0\n\tpor\t%xmm2,%xmm4\n\tpor\t%xmm3,%xmm5\n\tmovdqu\t%xmm4,-32(%rdi)\n\tmovdqu\t%xmm5,-16(%rdi)\n\tsubq\t$32,%rdx\n\tjnz\tL$mulx4x_cond_copy\n\n\tmovq\t%rdx,(%rbx)\n\n\tmovq\t$1,%rax\n\tmovq\t-48(%rsi),%r15\n\n\tmovq\t-40(%rsi),%r14\n\n\tmovq\t-32(%rsi),%r13\n\n\tmovq\t-24(%rsi),%r12\n\n\tmovq\t-16(%rsi),%rbp\n\n\tmovq\t-8(%rsi),%rbx\n\n\tleaq\t(%rsi),%rsp\n\nL$mulx4x_epilogue:\n\tret\n\n\n.byte\t77,111,110,116,103,111,109,101,114,121,32,77,117,108,116,105,112,108,105,99,97,116,105,111,110,32,102,111,114,32,120,56,54,95,54,52,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0\n.p2align\t4\n#endif\n#if defined(__linux__) && defined(__ELF__)\n.section .note.GNU-stack,\"\",%progbits\n#endif\n\n" }, { "path": "Sources/CNIOBoringSSL/gen/bcm/x86_64-mont-linux.S", "content": "#define BORINGSSL_PREFIX CNIOBoringSSL\n// This file is generated from a similarly-named Perl script in the BoringSSL\n// source tree. Do not edit by hand.\n\n#include \n\n#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86_64) && defined(__ELF__)\n.text\t\n\n.globl\tbn_mul_mont_nohw\n.hidden bn_mul_mont_nohw\n.type\tbn_mul_mont_nohw,@function\n.align\t16\nbn_mul_mont_nohw:\n.cfi_startproc\t\n_CET_ENDBR\n\tmovl\t%r9d,%r9d\n\tmovq\t%rsp,%rax\n.cfi_def_cfa_register\t%rax\n\tpushq\t%rbx\n.cfi_offset\t%rbx,-16\n\tpushq\t%rbp\n.cfi_offset\t%rbp,-24\n\tpushq\t%r12\n.cfi_offset\t%r12,-32\n\tpushq\t%r13\n.cfi_offset\t%r13,-40\n\tpushq\t%r14\n.cfi_offset\t%r14,-48\n\tpushq\t%r15\n.cfi_offset\t%r15,-56\n\n\tnegq\t%r9\n\tmovq\t%rsp,%r11\n\tleaq\t-16(%rsp,%r9,8),%r10\n\tnegq\t%r9\n\tandq\t$-1024,%r10\n\n\n\n\n\n\n\n\n\n\tsubq\t%r10,%r11\n\tandq\t$-4096,%r11\n\tleaq\t(%r10,%r11,1),%rsp\n\tmovq\t(%rsp),%r11\n\tcmpq\t%r10,%rsp\n\tja\t.Lmul_page_walk\n\tjmp\t.Lmul_page_walk_done\n\n.align\t16\n.Lmul_page_walk:\n\tleaq\t-4096(%rsp),%rsp\n\tmovq\t(%rsp),%r11\n\tcmpq\t%r10,%rsp\n\tja\t.Lmul_page_walk\n.Lmul_page_walk_done:\n\n\tmovq\t%rax,8(%rsp,%r9,8)\n.cfi_escape\t0x0f,0x0a,0x77,0x08,0x79,0x00,0x38,0x1e,0x22,0x06,0x23,0x08\n.Lmul_body:\n\tmovq\t%rdx,%r12\n\tmovq\t(%r8),%r8\n\tmovq\t(%r12),%rbx\n\tmovq\t(%rsi),%rax\n\n\txorq\t%r14,%r14\n\txorq\t%r15,%r15\n\n\tmovq\t%r8,%rbp\n\tmulq\t%rbx\n\tmovq\t%rax,%r10\n\tmovq\t(%rcx),%rax\n\n\timulq\t%r10,%rbp\n\tmovq\t%rdx,%r11\n\n\tmulq\t%rbp\n\taddq\t%rax,%r10\n\tmovq\t8(%rsi),%rax\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r13\n\n\tleaq\t1(%r15),%r15\n\tjmp\t.L1st_enter\n\n.align\t16\n.L1st:\n\taddq\t%rax,%r13\n\tmovq\t(%rsi,%r15,8),%rax\n\tadcq\t$0,%rdx\n\taddq\t%r11,%r13\n\tmovq\t%r10,%r11\n\tadcq\t$0,%rdx\n\tmovq\t%r13,-16(%rsp,%r15,8)\n\tmovq\t%rdx,%r13\n\n.L1st_enter:\n\tmulq\t%rbx\n\taddq\t%rax,%r11\n\tmovq\t(%rcx,%r15,8),%rax\n\tadcq\t$0,%rdx\n\tleaq\t1(%r15),%r15\n\tmovq\t%rdx,%r10\n\n\tmulq\t%rbp\n\tcmpq\t%r9,%r15\n\tjne\t.L1st\n\n\taddq\t%rax,%r13\n\tmovq\t(%rsi),%rax\n\tadcq\t$0,%rdx\n\taddq\t%r11,%r13\n\tadcq\t$0,%rdx\n\tmovq\t%r13,-16(%rsp,%r15,8)\n\tmovq\t%rdx,%r13\n\tmovq\t%r10,%r11\n\n\txorq\t%rdx,%rdx\n\taddq\t%r11,%r13\n\tadcq\t$0,%rdx\n\tmovq\t%r13,-8(%rsp,%r9,8)\n\tmovq\t%rdx,(%rsp,%r9,8)\n\n\tleaq\t1(%r14),%r14\n\tjmp\t.Louter\n.align\t16\n.Louter:\n\tmovq\t(%r12,%r14,8),%rbx\n\txorq\t%r15,%r15\n\tmovq\t%r8,%rbp\n\tmovq\t(%rsp),%r10\n\tmulq\t%rbx\n\taddq\t%rax,%r10\n\tmovq\t(%rcx),%rax\n\tadcq\t$0,%rdx\n\n\timulq\t%r10,%rbp\n\tmovq\t%rdx,%r11\n\n\tmulq\t%rbp\n\taddq\t%rax,%r10\n\tmovq\t8(%rsi),%rax\n\tadcq\t$0,%rdx\n\tmovq\t8(%rsp),%r10\n\tmovq\t%rdx,%r13\n\n\tleaq\t1(%r15),%r15\n\tjmp\t.Linner_enter\n\n.align\t16\n.Linner:\n\taddq\t%rax,%r13\n\tmovq\t(%rsi,%r15,8),%rax\n\tadcq\t$0,%rdx\n\taddq\t%r10,%r13\n\tmovq\t(%rsp,%r15,8),%r10\n\tadcq\t$0,%rdx\n\tmovq\t%r13,-16(%rsp,%r15,8)\n\tmovq\t%rdx,%r13\n\n.Linner_enter:\n\tmulq\t%rbx\n\taddq\t%rax,%r11\n\tmovq\t(%rcx,%r15,8),%rax\n\tadcq\t$0,%rdx\n\taddq\t%r11,%r10\n\tmovq\t%rdx,%r11\n\tadcq\t$0,%r11\n\tleaq\t1(%r15),%r15\n\n\tmulq\t%rbp\n\tcmpq\t%r9,%r15\n\tjne\t.Linner\n\n\taddq\t%rax,%r13\n\tmovq\t(%rsi),%rax\n\tadcq\t$0,%rdx\n\taddq\t%r10,%r13\n\tmovq\t(%rsp,%r15,8),%r10\n\tadcq\t$0,%rdx\n\tmovq\t%r13,-16(%rsp,%r15,8)\n\tmovq\t%rdx,%r13\n\n\txorq\t%rdx,%rdx\n\taddq\t%r11,%r13\n\tadcq\t$0,%rdx\n\taddq\t%r10,%r13\n\tadcq\t$0,%rdx\n\tmovq\t%r13,-8(%rsp,%r9,8)\n\tmovq\t%rdx,(%rsp,%r9,8)\n\n\tleaq\t1(%r14),%r14\n\tcmpq\t%r9,%r14\n\tjb\t.Louter\n\n\txorq\t%r14,%r14\n\tmovq\t(%rsp),%rax\n\tmovq\t%r9,%r15\n\n.align\t16\n.Lsub:\tsbbq\t(%rcx,%r14,8),%rax\n\tmovq\t%rax,(%rdi,%r14,8)\n\tmovq\t8(%rsp,%r14,8),%rax\n\tleaq\t1(%r14),%r14\n\tdecq\t%r15\n\tjnz\t.Lsub\n\n\tsbbq\t$0,%rax\n\tmovq\t$-1,%rbx\n\txorq\t%rax,%rbx\n\txorq\t%r14,%r14\n\tmovq\t%r9,%r15\n\n.Lcopy:\n\tmovq\t(%rdi,%r14,8),%rcx\n\tmovq\t(%rsp,%r14,8),%rdx\n\tandq\t%rbx,%rcx\n\tandq\t%rax,%rdx\n\tmovq\t%r9,(%rsp,%r14,8)\n\torq\t%rcx,%rdx\n\tmovq\t%rdx,(%rdi,%r14,8)\n\tleaq\t1(%r14),%r14\n\tsubq\t$1,%r15\n\tjnz\t.Lcopy\n\n\tmovq\t8(%rsp,%r9,8),%rsi\n.cfi_def_cfa\t%rsi,8\n\tmovq\t$1,%rax\n\tmovq\t-48(%rsi),%r15\n.cfi_restore\t%r15\n\tmovq\t-40(%rsi),%r14\n.cfi_restore\t%r14\n\tmovq\t-32(%rsi),%r13\n.cfi_restore\t%r13\n\tmovq\t-24(%rsi),%r12\n.cfi_restore\t%r12\n\tmovq\t-16(%rsi),%rbp\n.cfi_restore\t%rbp\n\tmovq\t-8(%rsi),%rbx\n.cfi_restore\t%rbx\n\tleaq\t(%rsi),%rsp\n.cfi_def_cfa_register\t%rsp\n.Lmul_epilogue:\n\tret\n.cfi_endproc\t\n.size\tbn_mul_mont_nohw,.-bn_mul_mont_nohw\n.globl\tbn_mul4x_mont\n.hidden bn_mul4x_mont\n.type\tbn_mul4x_mont,@function\n.align\t16\nbn_mul4x_mont:\n.cfi_startproc\t\n_CET_ENDBR\n\tmovl\t%r9d,%r9d\n\tmovq\t%rsp,%rax\n.cfi_def_cfa_register\t%rax\n\tpushq\t%rbx\n.cfi_offset\t%rbx,-16\n\tpushq\t%rbp\n.cfi_offset\t%rbp,-24\n\tpushq\t%r12\n.cfi_offset\t%r12,-32\n\tpushq\t%r13\n.cfi_offset\t%r13,-40\n\tpushq\t%r14\n.cfi_offset\t%r14,-48\n\tpushq\t%r15\n.cfi_offset\t%r15,-56\n\n\tnegq\t%r9\n\tmovq\t%rsp,%r11\n\tleaq\t-32(%rsp,%r9,8),%r10\n\tnegq\t%r9\n\tandq\t$-1024,%r10\n\n\tsubq\t%r10,%r11\n\tandq\t$-4096,%r11\n\tleaq\t(%r10,%r11,1),%rsp\n\tmovq\t(%rsp),%r11\n\tcmpq\t%r10,%rsp\n\tja\t.Lmul4x_page_walk\n\tjmp\t.Lmul4x_page_walk_done\n\n.Lmul4x_page_walk:\n\tleaq\t-4096(%rsp),%rsp\n\tmovq\t(%rsp),%r11\n\tcmpq\t%r10,%rsp\n\tja\t.Lmul4x_page_walk\n.Lmul4x_page_walk_done:\n\n\tmovq\t%rax,8(%rsp,%r9,8)\n.cfi_escape\t0x0f,0x0a,0x77,0x08,0x79,0x00,0x38,0x1e,0x22,0x06,0x23,0x08\n.Lmul4x_body:\n\tmovq\t%rdi,16(%rsp,%r9,8)\n\tmovq\t%rdx,%r12\n\tmovq\t(%r8),%r8\n\tmovq\t(%r12),%rbx\n\tmovq\t(%rsi),%rax\n\n\txorq\t%r14,%r14\n\txorq\t%r15,%r15\n\n\tmovq\t%r8,%rbp\n\tmulq\t%rbx\n\tmovq\t%rax,%r10\n\tmovq\t(%rcx),%rax\n\n\timulq\t%r10,%rbp\n\tmovq\t%rdx,%r11\n\n\tmulq\t%rbp\n\taddq\t%rax,%r10\n\tmovq\t8(%rsi),%rax\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%rdi\n\n\tmulq\t%rbx\n\taddq\t%rax,%r11\n\tmovq\t8(%rcx),%rax\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r10\n\n\tmulq\t%rbp\n\taddq\t%rax,%rdi\n\tmovq\t16(%rsi),%rax\n\tadcq\t$0,%rdx\n\taddq\t%r11,%rdi\n\tleaq\t4(%r15),%r15\n\tadcq\t$0,%rdx\n\tmovq\t%rdi,(%rsp)\n\tmovq\t%rdx,%r13\n\tjmp\t.L1st4x\n.align\t16\n.L1st4x:\n\tmulq\t%rbx\n\taddq\t%rax,%r10\n\tmovq\t-16(%rcx,%r15,8),%rax\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r11\n\n\tmulq\t%rbp\n\taddq\t%rax,%r13\n\tmovq\t-8(%rsi,%r15,8),%rax\n\tadcq\t$0,%rdx\n\taddq\t%r10,%r13\n\tadcq\t$0,%rdx\n\tmovq\t%r13,-24(%rsp,%r15,8)\n\tmovq\t%rdx,%rdi\n\n\tmulq\t%rbx\n\taddq\t%rax,%r11\n\tmovq\t-8(%rcx,%r15,8),%rax\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r10\n\n\tmulq\t%rbp\n\taddq\t%rax,%rdi\n\tmovq\t(%rsi,%r15,8),%rax\n\tadcq\t$0,%rdx\n\taddq\t%r11,%rdi\n\tadcq\t$0,%rdx\n\tmovq\t%rdi,-16(%rsp,%r15,8)\n\tmovq\t%rdx,%r13\n\n\tmulq\t%rbx\n\taddq\t%rax,%r10\n\tmovq\t(%rcx,%r15,8),%rax\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r11\n\n\tmulq\t%rbp\n\taddq\t%rax,%r13\n\tmovq\t8(%rsi,%r15,8),%rax\n\tadcq\t$0,%rdx\n\taddq\t%r10,%r13\n\tadcq\t$0,%rdx\n\tmovq\t%r13,-8(%rsp,%r15,8)\n\tmovq\t%rdx,%rdi\n\n\tmulq\t%rbx\n\taddq\t%rax,%r11\n\tmovq\t8(%rcx,%r15,8),%rax\n\tadcq\t$0,%rdx\n\tleaq\t4(%r15),%r15\n\tmovq\t%rdx,%r10\n\n\tmulq\t%rbp\n\taddq\t%rax,%rdi\n\tmovq\t-16(%rsi,%r15,8),%rax\n\tadcq\t$0,%rdx\n\taddq\t%r11,%rdi\n\tadcq\t$0,%rdx\n\tmovq\t%rdi,-32(%rsp,%r15,8)\n\tmovq\t%rdx,%r13\n\tcmpq\t%r9,%r15\n\tjb\t.L1st4x\n\n\tmulq\t%rbx\n\taddq\t%rax,%r10\n\tmovq\t-16(%rcx,%r15,8),%rax\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r11\n\n\tmulq\t%rbp\n\taddq\t%rax,%r13\n\tmovq\t-8(%rsi,%r15,8),%rax\n\tadcq\t$0,%rdx\n\taddq\t%r10,%r13\n\tadcq\t$0,%rdx\n\tmovq\t%r13,-24(%rsp,%r15,8)\n\tmovq\t%rdx,%rdi\n\n\tmulq\t%rbx\n\taddq\t%rax,%r11\n\tmovq\t-8(%rcx,%r15,8),%rax\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r10\n\n\tmulq\t%rbp\n\taddq\t%rax,%rdi\n\tmovq\t(%rsi),%rax\n\tadcq\t$0,%rdx\n\taddq\t%r11,%rdi\n\tadcq\t$0,%rdx\n\tmovq\t%rdi,-16(%rsp,%r15,8)\n\tmovq\t%rdx,%r13\n\n\txorq\t%rdi,%rdi\n\taddq\t%r10,%r13\n\tadcq\t$0,%rdi\n\tmovq\t%r13,-8(%rsp,%r15,8)\n\tmovq\t%rdi,(%rsp,%r15,8)\n\n\tleaq\t1(%r14),%r14\n.align\t4\n.Louter4x:\n\tmovq\t(%r12,%r14,8),%rbx\n\txorq\t%r15,%r15\n\tmovq\t(%rsp),%r10\n\tmovq\t%r8,%rbp\n\tmulq\t%rbx\n\taddq\t%rax,%r10\n\tmovq\t(%rcx),%rax\n\tadcq\t$0,%rdx\n\n\timulq\t%r10,%rbp\n\tmovq\t%rdx,%r11\n\n\tmulq\t%rbp\n\taddq\t%rax,%r10\n\tmovq\t8(%rsi),%rax\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%rdi\n\n\tmulq\t%rbx\n\taddq\t%rax,%r11\n\tmovq\t8(%rcx),%rax\n\tadcq\t$0,%rdx\n\taddq\t8(%rsp),%r11\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r10\n\n\tmulq\t%rbp\n\taddq\t%rax,%rdi\n\tmovq\t16(%rsi),%rax\n\tadcq\t$0,%rdx\n\taddq\t%r11,%rdi\n\tleaq\t4(%r15),%r15\n\tadcq\t$0,%rdx\n\tmovq\t%rdi,(%rsp)\n\tmovq\t%rdx,%r13\n\tjmp\t.Linner4x\n.align\t16\n.Linner4x:\n\tmulq\t%rbx\n\taddq\t%rax,%r10\n\tmovq\t-16(%rcx,%r15,8),%rax\n\tadcq\t$0,%rdx\n\taddq\t-16(%rsp,%r15,8),%r10\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r11\n\n\tmulq\t%rbp\n\taddq\t%rax,%r13\n\tmovq\t-8(%rsi,%r15,8),%rax\n\tadcq\t$0,%rdx\n\taddq\t%r10,%r13\n\tadcq\t$0,%rdx\n\tmovq\t%r13,-24(%rsp,%r15,8)\n\tmovq\t%rdx,%rdi\n\n\tmulq\t%rbx\n\taddq\t%rax,%r11\n\tmovq\t-8(%rcx,%r15,8),%rax\n\tadcq\t$0,%rdx\n\taddq\t-8(%rsp,%r15,8),%r11\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r10\n\n\tmulq\t%rbp\n\taddq\t%rax,%rdi\n\tmovq\t(%rsi,%r15,8),%rax\n\tadcq\t$0,%rdx\n\taddq\t%r11,%rdi\n\tadcq\t$0,%rdx\n\tmovq\t%rdi,-16(%rsp,%r15,8)\n\tmovq\t%rdx,%r13\n\n\tmulq\t%rbx\n\taddq\t%rax,%r10\n\tmovq\t(%rcx,%r15,8),%rax\n\tadcq\t$0,%rdx\n\taddq\t(%rsp,%r15,8),%r10\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r11\n\n\tmulq\t%rbp\n\taddq\t%rax,%r13\n\tmovq\t8(%rsi,%r15,8),%rax\n\tadcq\t$0,%rdx\n\taddq\t%r10,%r13\n\tadcq\t$0,%rdx\n\tmovq\t%r13,-8(%rsp,%r15,8)\n\tmovq\t%rdx,%rdi\n\n\tmulq\t%rbx\n\taddq\t%rax,%r11\n\tmovq\t8(%rcx,%r15,8),%rax\n\tadcq\t$0,%rdx\n\taddq\t8(%rsp,%r15,8),%r11\n\tadcq\t$0,%rdx\n\tleaq\t4(%r15),%r15\n\tmovq\t%rdx,%r10\n\n\tmulq\t%rbp\n\taddq\t%rax,%rdi\n\tmovq\t-16(%rsi,%r15,8),%rax\n\tadcq\t$0,%rdx\n\taddq\t%r11,%rdi\n\tadcq\t$0,%rdx\n\tmovq\t%rdi,-32(%rsp,%r15,8)\n\tmovq\t%rdx,%r13\n\tcmpq\t%r9,%r15\n\tjb\t.Linner4x\n\n\tmulq\t%rbx\n\taddq\t%rax,%r10\n\tmovq\t-16(%rcx,%r15,8),%rax\n\tadcq\t$0,%rdx\n\taddq\t-16(%rsp,%r15,8),%r10\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r11\n\n\tmulq\t%rbp\n\taddq\t%rax,%r13\n\tmovq\t-8(%rsi,%r15,8),%rax\n\tadcq\t$0,%rdx\n\taddq\t%r10,%r13\n\tadcq\t$0,%rdx\n\tmovq\t%r13,-24(%rsp,%r15,8)\n\tmovq\t%rdx,%rdi\n\n\tmulq\t%rbx\n\taddq\t%rax,%r11\n\tmovq\t-8(%rcx,%r15,8),%rax\n\tadcq\t$0,%rdx\n\taddq\t-8(%rsp,%r15,8),%r11\n\tadcq\t$0,%rdx\n\tleaq\t1(%r14),%r14\n\tmovq\t%rdx,%r10\n\n\tmulq\t%rbp\n\taddq\t%rax,%rdi\n\tmovq\t(%rsi),%rax\n\tadcq\t$0,%rdx\n\taddq\t%r11,%rdi\n\tadcq\t$0,%rdx\n\tmovq\t%rdi,-16(%rsp,%r15,8)\n\tmovq\t%rdx,%r13\n\n\txorq\t%rdi,%rdi\n\taddq\t%r10,%r13\n\tadcq\t$0,%rdi\n\taddq\t(%rsp,%r9,8),%r13\n\tadcq\t$0,%rdi\n\tmovq\t%r13,-8(%rsp,%r15,8)\n\tmovq\t%rdi,(%rsp,%r15,8)\n\n\tcmpq\t%r9,%r14\n\tjb\t.Louter4x\n\tmovq\t16(%rsp,%r9,8),%rdi\n\tleaq\t-4(%r9),%r15\n\tmovq\t0(%rsp),%rax\n\tmovq\t8(%rsp),%rdx\n\tshrq\t$2,%r15\n\tleaq\t(%rsp),%rsi\n\txorq\t%r14,%r14\n\n\tsubq\t0(%rcx),%rax\n\tmovq\t16(%rsi),%rbx\n\tmovq\t24(%rsi),%rbp\n\tsbbq\t8(%rcx),%rdx\n\n.Lsub4x:\n\tmovq\t%rax,0(%rdi,%r14,8)\n\tmovq\t%rdx,8(%rdi,%r14,8)\n\tsbbq\t16(%rcx,%r14,8),%rbx\n\tmovq\t32(%rsi,%r14,8),%rax\n\tmovq\t40(%rsi,%r14,8),%rdx\n\tsbbq\t24(%rcx,%r14,8),%rbp\n\tmovq\t%rbx,16(%rdi,%r14,8)\n\tmovq\t%rbp,24(%rdi,%r14,8)\n\tsbbq\t32(%rcx,%r14,8),%rax\n\tmovq\t48(%rsi,%r14,8),%rbx\n\tmovq\t56(%rsi,%r14,8),%rbp\n\tsbbq\t40(%rcx,%r14,8),%rdx\n\tleaq\t4(%r14),%r14\n\tdecq\t%r15\n\tjnz\t.Lsub4x\n\n\tmovq\t%rax,0(%rdi,%r14,8)\n\tmovq\t32(%rsi,%r14,8),%rax\n\tsbbq\t16(%rcx,%r14,8),%rbx\n\tmovq\t%rdx,8(%rdi,%r14,8)\n\tsbbq\t24(%rcx,%r14,8),%rbp\n\tmovq\t%rbx,16(%rdi,%r14,8)\n\n\tsbbq\t$0,%rax\n\tmovq\t%rbp,24(%rdi,%r14,8)\n\tpxor\t%xmm0,%xmm0\n.byte\t102,72,15,110,224\n\tpcmpeqd\t%xmm5,%xmm5\n\tpshufd\t$0,%xmm4,%xmm4\n\tmovq\t%r9,%r15\n\tpxor\t%xmm4,%xmm5\n\tshrq\t$2,%r15\n\txorl\t%eax,%eax\n\n\tjmp\t.Lcopy4x\n.align\t16\n.Lcopy4x:\n\tmovdqa\t(%rsp,%rax,1),%xmm1\n\tmovdqu\t(%rdi,%rax,1),%xmm2\n\tpand\t%xmm4,%xmm1\n\tpand\t%xmm5,%xmm2\n\tmovdqa\t16(%rsp,%rax,1),%xmm3\n\tmovdqa\t%xmm0,(%rsp,%rax,1)\n\tpor\t%xmm2,%xmm1\n\tmovdqu\t16(%rdi,%rax,1),%xmm2\n\tmovdqu\t%xmm1,(%rdi,%rax,1)\n\tpand\t%xmm4,%xmm3\n\tpand\t%xmm5,%xmm2\n\tmovdqa\t%xmm0,16(%rsp,%rax,1)\n\tpor\t%xmm2,%xmm3\n\tmovdqu\t%xmm3,16(%rdi,%rax,1)\n\tleaq\t32(%rax),%rax\n\tdecq\t%r15\n\tjnz\t.Lcopy4x\n\tmovq\t8(%rsp,%r9,8),%rsi\n.cfi_def_cfa\t%rsi, 8\n\tmovq\t$1,%rax\n\tmovq\t-48(%rsi),%r15\n.cfi_restore\t%r15\n\tmovq\t-40(%rsi),%r14\n.cfi_restore\t%r14\n\tmovq\t-32(%rsi),%r13\n.cfi_restore\t%r13\n\tmovq\t-24(%rsi),%r12\n.cfi_restore\t%r12\n\tmovq\t-16(%rsi),%rbp\n.cfi_restore\t%rbp\n\tmovq\t-8(%rsi),%rbx\n.cfi_restore\t%rbx\n\tleaq\t(%rsi),%rsp\n.cfi_def_cfa_register\t%rsp\n.Lmul4x_epilogue:\n\tret\n.cfi_endproc\t\n.size\tbn_mul4x_mont,.-bn_mul4x_mont\n.extern\tbn_sqrx8x_internal\n.hidden bn_sqrx8x_internal\n.extern\tbn_sqr8x_internal\n.hidden bn_sqr8x_internal\n\n.globl\tbn_sqr8x_mont\n.hidden bn_sqr8x_mont\n.type\tbn_sqr8x_mont,@function\n.align\t32\nbn_sqr8x_mont:\n.cfi_startproc\t\n_CET_ENDBR\n\tmovl\t%r9d,%r9d\n\tmovq\t%rsp,%rax\n.cfi_def_cfa_register\t%rax\n\tpushq\t%rbx\n.cfi_offset\t%rbx,-16\n\tpushq\t%rbp\n.cfi_offset\t%rbp,-24\n\tpushq\t%r12\n.cfi_offset\t%r12,-32\n\tpushq\t%r13\n.cfi_offset\t%r13,-40\n\tpushq\t%r14\n.cfi_offset\t%r14,-48\n\tpushq\t%r15\n.cfi_offset\t%r15,-56\n.Lsqr8x_prologue:\n\n\tmovl\t%r9d,%r10d\n\tshll\t$3,%r9d\n\tshlq\t$3+2,%r10\n\tnegq\t%r9\n\n\n\n\n\n\n\tleaq\t-64(%rsp,%r9,2),%r11\n\tmovq\t%rsp,%rbp\n\tmovq\t(%r8),%r8\n\tsubq\t%rsi,%r11\n\tandq\t$4095,%r11\n\tcmpq\t%r11,%r10\n\tjb\t.Lsqr8x_sp_alt\n\tsubq\t%r11,%rbp\n\tleaq\t-64(%rbp,%r9,2),%rbp\n\tjmp\t.Lsqr8x_sp_done\n\n.align\t32\n.Lsqr8x_sp_alt:\n\tleaq\t4096-64(,%r9,2),%r10\n\tleaq\t-64(%rbp,%r9,2),%rbp\n\tsubq\t%r10,%r11\n\tmovq\t$0,%r10\n\tcmovcq\t%r10,%r11\n\tsubq\t%r11,%rbp\n.Lsqr8x_sp_done:\n\tandq\t$-64,%rbp\n\tmovq\t%rsp,%r11\n\tsubq\t%rbp,%r11\n\tandq\t$-4096,%r11\n\tleaq\t(%r11,%rbp,1),%rsp\n\tmovq\t(%rsp),%r10\n\tcmpq\t%rbp,%rsp\n\tja\t.Lsqr8x_page_walk\n\tjmp\t.Lsqr8x_page_walk_done\n\n.align\t16\n.Lsqr8x_page_walk:\n\tleaq\t-4096(%rsp),%rsp\n\tmovq\t(%rsp),%r10\n\tcmpq\t%rbp,%rsp\n\tja\t.Lsqr8x_page_walk\n.Lsqr8x_page_walk_done:\n\n\tmovq\t%r9,%r10\n\tnegq\t%r9\n\n\tmovq\t%r8,32(%rsp)\n\tmovq\t%rax,40(%rsp)\n.cfi_escape\t0x0f,0x05,0x77,0x28,0x06,0x23,0x08\n.Lsqr8x_body:\n\n.byte\t102,72,15,110,209\n\tpxor\t%xmm0,%xmm0\n.byte\t102,72,15,110,207\n.byte\t102,73,15,110,218\n\ttestq\t%rdx,%rdx\n\tjz\t.Lsqr8x_nox\n\n\tcall\tbn_sqrx8x_internal\n\n\n\n\n\tleaq\t(%r8,%rcx,1),%rbx\n\tmovq\t%rcx,%r9\n\tmovq\t%rcx,%rdx\n.byte\t102,72,15,126,207\n\tsarq\t$3+2,%rcx\n\tjmp\t.Lsqr8x_sub\n\n.align\t32\n.Lsqr8x_nox:\n\tcall\tbn_sqr8x_internal\n\n\n\n\n\tleaq\t(%rdi,%r9,1),%rbx\n\tmovq\t%r9,%rcx\n\tmovq\t%r9,%rdx\n.byte\t102,72,15,126,207\n\tsarq\t$3+2,%rcx\n\tjmp\t.Lsqr8x_sub\n\n.align\t32\n.Lsqr8x_sub:\n\tmovq\t0(%rbx),%r12\n\tmovq\t8(%rbx),%r13\n\tmovq\t16(%rbx),%r14\n\tmovq\t24(%rbx),%r15\n\tleaq\t32(%rbx),%rbx\n\tsbbq\t0(%rbp),%r12\n\tsbbq\t8(%rbp),%r13\n\tsbbq\t16(%rbp),%r14\n\tsbbq\t24(%rbp),%r15\n\tleaq\t32(%rbp),%rbp\n\tmovq\t%r12,0(%rdi)\n\tmovq\t%r13,8(%rdi)\n\tmovq\t%r14,16(%rdi)\n\tmovq\t%r15,24(%rdi)\n\tleaq\t32(%rdi),%rdi\n\tincq\t%rcx\n\tjnz\t.Lsqr8x_sub\n\n\tsbbq\t$0,%rax\n\tleaq\t(%rbx,%r9,1),%rbx\n\tleaq\t(%rdi,%r9,1),%rdi\n\n.byte\t102,72,15,110,200\n\tpxor\t%xmm0,%xmm0\n\tpshufd\t$0,%xmm1,%xmm1\n\tmovq\t40(%rsp),%rsi\n.cfi_def_cfa\t%rsi,8\n\tjmp\t.Lsqr8x_cond_copy\n\n.align\t32\n.Lsqr8x_cond_copy:\n\tmovdqa\t0(%rbx),%xmm2\n\tmovdqa\t16(%rbx),%xmm3\n\tleaq\t32(%rbx),%rbx\n\tmovdqu\t0(%rdi),%xmm4\n\tmovdqu\t16(%rdi),%xmm5\n\tleaq\t32(%rdi),%rdi\n\tmovdqa\t%xmm0,-32(%rbx)\n\tmovdqa\t%xmm0,-16(%rbx)\n\tmovdqa\t%xmm0,-32(%rbx,%rdx,1)\n\tmovdqa\t%xmm0,-16(%rbx,%rdx,1)\n\tpcmpeqd\t%xmm1,%xmm0\n\tpand\t%xmm1,%xmm2\n\tpand\t%xmm1,%xmm3\n\tpand\t%xmm0,%xmm4\n\tpand\t%xmm0,%xmm5\n\tpxor\t%xmm0,%xmm0\n\tpor\t%xmm2,%xmm4\n\tpor\t%xmm3,%xmm5\n\tmovdqu\t%xmm4,-32(%rdi)\n\tmovdqu\t%xmm5,-16(%rdi)\n\taddq\t$32,%r9\n\tjnz\t.Lsqr8x_cond_copy\n\n\tmovq\t$1,%rax\n\tmovq\t-48(%rsi),%r15\n.cfi_restore\t%r15\n\tmovq\t-40(%rsi),%r14\n.cfi_restore\t%r14\n\tmovq\t-32(%rsi),%r13\n.cfi_restore\t%r13\n\tmovq\t-24(%rsi),%r12\n.cfi_restore\t%r12\n\tmovq\t-16(%rsi),%rbp\n.cfi_restore\t%rbp\n\tmovq\t-8(%rsi),%rbx\n.cfi_restore\t%rbx\n\tleaq\t(%rsi),%rsp\n.cfi_def_cfa_register\t%rsp\n.Lsqr8x_epilogue:\n\tret\n.cfi_endproc\t\n.size\tbn_sqr8x_mont,.-bn_sqr8x_mont\n.globl\tbn_mulx4x_mont\n.hidden bn_mulx4x_mont\n.type\tbn_mulx4x_mont,@function\n.align\t32\nbn_mulx4x_mont:\n.cfi_startproc\t\n_CET_ENDBR\n\tmovq\t%rsp,%rax\n.cfi_def_cfa_register\t%rax\n\tpushq\t%rbx\n.cfi_offset\t%rbx,-16\n\tpushq\t%rbp\n.cfi_offset\t%rbp,-24\n\tpushq\t%r12\n.cfi_offset\t%r12,-32\n\tpushq\t%r13\n.cfi_offset\t%r13,-40\n\tpushq\t%r14\n.cfi_offset\t%r14,-48\n\tpushq\t%r15\n.cfi_offset\t%r15,-56\n.Lmulx4x_prologue:\n\n\tshll\t$3,%r9d\n\txorq\t%r10,%r10\n\tsubq\t%r9,%r10\n\tmovq\t(%r8),%r8\n\tleaq\t-72(%rsp,%r10,1),%rbp\n\tandq\t$-128,%rbp\n\tmovq\t%rsp,%r11\n\tsubq\t%rbp,%r11\n\tandq\t$-4096,%r11\n\tleaq\t(%r11,%rbp,1),%rsp\n\tmovq\t(%rsp),%r10\n\tcmpq\t%rbp,%rsp\n\tja\t.Lmulx4x_page_walk\n\tjmp\t.Lmulx4x_page_walk_done\n\n.align\t16\n.Lmulx4x_page_walk:\n\tleaq\t-4096(%rsp),%rsp\n\tmovq\t(%rsp),%r10\n\tcmpq\t%rbp,%rsp\n\tja\t.Lmulx4x_page_walk\n.Lmulx4x_page_walk_done:\n\n\tleaq\t(%rdx,%r9,1),%r10\n\n\n\n\n\n\n\n\n\n\n\n\n\tmovq\t%r9,0(%rsp)\n\tshrq\t$5,%r9\n\tmovq\t%r10,16(%rsp)\n\tsubq\t$1,%r9\n\tmovq\t%r8,24(%rsp)\n\tmovq\t%rdi,32(%rsp)\n\tmovq\t%rax,40(%rsp)\n.cfi_escape\t0x0f,0x05,0x77,0x28,0x06,0x23,0x08\n\tmovq\t%r9,48(%rsp)\n\tjmp\t.Lmulx4x_body\n\n.align\t32\n.Lmulx4x_body:\n\tleaq\t8(%rdx),%rdi\n\tmovq\t(%rdx),%rdx\n\tleaq\t64+32(%rsp),%rbx\n\tmovq\t%rdx,%r9\n\n\tmulxq\t0(%rsi),%r8,%rax\n\tmulxq\t8(%rsi),%r11,%r14\n\taddq\t%rax,%r11\n\tmovq\t%rdi,8(%rsp)\n\tmulxq\t16(%rsi),%r12,%r13\n\tadcq\t%r14,%r12\n\tadcq\t$0,%r13\n\n\tmovq\t%r8,%rdi\n\timulq\t24(%rsp),%r8\n\txorq\t%rbp,%rbp\n\n\tmulxq\t24(%rsi),%rax,%r14\n\tmovq\t%r8,%rdx\n\tleaq\t32(%rsi),%rsi\n\tadcxq\t%rax,%r13\n\tadcxq\t%rbp,%r14\n\n\tmulxq\t0(%rcx),%rax,%r10\n\tadcxq\t%rax,%rdi\n\tadoxq\t%r11,%r10\n\tmulxq\t8(%rcx),%rax,%r11\n\tadcxq\t%rax,%r10\n\tadoxq\t%r12,%r11\n.byte\t0xc4,0x62,0xfb,0xf6,0xa1,0x10,0x00,0x00,0x00\n\tmovq\t48(%rsp),%rdi\n\tmovq\t%r10,-32(%rbx)\n\tadcxq\t%rax,%r11\n\tadoxq\t%r13,%r12\n\tmulxq\t24(%rcx),%rax,%r15\n\tmovq\t%r9,%rdx\n\tmovq\t%r11,-24(%rbx)\n\tadcxq\t%rax,%r12\n\tadoxq\t%rbp,%r15\n\tleaq\t32(%rcx),%rcx\n\tmovq\t%r12,-16(%rbx)\n\n\tjmp\t.Lmulx4x_1st\n\n.align\t32\n.Lmulx4x_1st:\n\tadcxq\t%rbp,%r15\n\tmulxq\t0(%rsi),%r10,%rax\n\tadcxq\t%r14,%r10\n\tmulxq\t8(%rsi),%r11,%r14\n\tadcxq\t%rax,%r11\n\tmulxq\t16(%rsi),%r12,%rax\n\tadcxq\t%r14,%r12\n\tmulxq\t24(%rsi),%r13,%r14\n.byte\t0x67,0x67\n\tmovq\t%r8,%rdx\n\tadcxq\t%rax,%r13\n\tadcxq\t%rbp,%r14\n\tleaq\t32(%rsi),%rsi\n\tleaq\t32(%rbx),%rbx\n\n\tadoxq\t%r15,%r10\n\tmulxq\t0(%rcx),%rax,%r15\n\tadcxq\t%rax,%r10\n\tadoxq\t%r15,%r11\n\tmulxq\t8(%rcx),%rax,%r15\n\tadcxq\t%rax,%r11\n\tadoxq\t%r15,%r12\n\tmulxq\t16(%rcx),%rax,%r15\n\tmovq\t%r10,-40(%rbx)\n\tadcxq\t%rax,%r12\n\tmovq\t%r11,-32(%rbx)\n\tadoxq\t%r15,%r13\n\tmulxq\t24(%rcx),%rax,%r15\n\tmovq\t%r9,%rdx\n\tmovq\t%r12,-24(%rbx)\n\tadcxq\t%rax,%r13\n\tadoxq\t%rbp,%r15\n\tleaq\t32(%rcx),%rcx\n\tmovq\t%r13,-16(%rbx)\n\n\tdecq\t%rdi\n\tjnz\t.Lmulx4x_1st\n\n\tmovq\t0(%rsp),%rax\n\tmovq\t8(%rsp),%rdi\n\tadcq\t%rbp,%r15\n\taddq\t%r15,%r14\n\tsbbq\t%r15,%r15\n\tmovq\t%r14,-8(%rbx)\n\tjmp\t.Lmulx4x_outer\n\n.align\t32\n.Lmulx4x_outer:\n\tmovq\t(%rdi),%rdx\n\tleaq\t8(%rdi),%rdi\n\tsubq\t%rax,%rsi\n\tmovq\t%r15,(%rbx)\n\tleaq\t64+32(%rsp),%rbx\n\tsubq\t%rax,%rcx\n\n\tmulxq\t0(%rsi),%r8,%r11\n\txorl\t%ebp,%ebp\n\tmovq\t%rdx,%r9\n\tmulxq\t8(%rsi),%r14,%r12\n\tadoxq\t-32(%rbx),%r8\n\tadcxq\t%r14,%r11\n\tmulxq\t16(%rsi),%r15,%r13\n\tadoxq\t-24(%rbx),%r11\n\tadcxq\t%r15,%r12\n\tadoxq\t-16(%rbx),%r12\n\tadcxq\t%rbp,%r13\n\tadoxq\t%rbp,%r13\n\n\tmovq\t%rdi,8(%rsp)\n\tmovq\t%r8,%r15\n\timulq\t24(%rsp),%r8\n\txorl\t%ebp,%ebp\n\n\tmulxq\t24(%rsi),%rax,%r14\n\tmovq\t%r8,%rdx\n\tadcxq\t%rax,%r13\n\tadoxq\t-8(%rbx),%r13\n\tadcxq\t%rbp,%r14\n\tleaq\t32(%rsi),%rsi\n\tadoxq\t%rbp,%r14\n\n\tmulxq\t0(%rcx),%rax,%r10\n\tadcxq\t%rax,%r15\n\tadoxq\t%r11,%r10\n\tmulxq\t8(%rcx),%rax,%r11\n\tadcxq\t%rax,%r10\n\tadoxq\t%r12,%r11\n\tmulxq\t16(%rcx),%rax,%r12\n\tmovq\t%r10,-32(%rbx)\n\tadcxq\t%rax,%r11\n\tadoxq\t%r13,%r12\n\tmulxq\t24(%rcx),%rax,%r15\n\tmovq\t%r9,%rdx\n\tmovq\t%r11,-24(%rbx)\n\tleaq\t32(%rcx),%rcx\n\tadcxq\t%rax,%r12\n\tadoxq\t%rbp,%r15\n\tmovq\t48(%rsp),%rdi\n\tmovq\t%r12,-16(%rbx)\n\n\tjmp\t.Lmulx4x_inner\n\n.align\t32\n.Lmulx4x_inner:\n\tmulxq\t0(%rsi),%r10,%rax\n\tadcxq\t%rbp,%r15\n\tadoxq\t%r14,%r10\n\tmulxq\t8(%rsi),%r11,%r14\n\tadcxq\t0(%rbx),%r10\n\tadoxq\t%rax,%r11\n\tmulxq\t16(%rsi),%r12,%rax\n\tadcxq\t8(%rbx),%r11\n\tadoxq\t%r14,%r12\n\tmulxq\t24(%rsi),%r13,%r14\n\tmovq\t%r8,%rdx\n\tadcxq\t16(%rbx),%r12\n\tadoxq\t%rax,%r13\n\tadcxq\t24(%rbx),%r13\n\tadoxq\t%rbp,%r14\n\tleaq\t32(%rsi),%rsi\n\tleaq\t32(%rbx),%rbx\n\tadcxq\t%rbp,%r14\n\n\tadoxq\t%r15,%r10\n\tmulxq\t0(%rcx),%rax,%r15\n\tadcxq\t%rax,%r10\n\tadoxq\t%r15,%r11\n\tmulxq\t8(%rcx),%rax,%r15\n\tadcxq\t%rax,%r11\n\tadoxq\t%r15,%r12\n\tmulxq\t16(%rcx),%rax,%r15\n\tmovq\t%r10,-40(%rbx)\n\tadcxq\t%rax,%r12\n\tadoxq\t%r15,%r13\n\tmulxq\t24(%rcx),%rax,%r15\n\tmovq\t%r9,%rdx\n\tmovq\t%r11,-32(%rbx)\n\tmovq\t%r12,-24(%rbx)\n\tadcxq\t%rax,%r13\n\tadoxq\t%rbp,%r15\n\tleaq\t32(%rcx),%rcx\n\tmovq\t%r13,-16(%rbx)\n\n\tdecq\t%rdi\n\tjnz\t.Lmulx4x_inner\n\n\tmovq\t0(%rsp),%rax\n\tmovq\t8(%rsp),%rdi\n\tadcq\t%rbp,%r15\n\tsubq\t0(%rbx),%rbp\n\tadcq\t%r15,%r14\n\tsbbq\t%r15,%r15\n\tmovq\t%r14,-8(%rbx)\n\n\tcmpq\t16(%rsp),%rdi\n\tjne\t.Lmulx4x_outer\n\n\tleaq\t64(%rsp),%rbx\n\tsubq\t%rax,%rcx\n\tnegq\t%r15\n\tmovq\t%rax,%rdx\n\tshrq\t$3+2,%rax\n\tmovq\t32(%rsp),%rdi\n\tjmp\t.Lmulx4x_sub\n\n.align\t32\n.Lmulx4x_sub:\n\tmovq\t0(%rbx),%r11\n\tmovq\t8(%rbx),%r12\n\tmovq\t16(%rbx),%r13\n\tmovq\t24(%rbx),%r14\n\tleaq\t32(%rbx),%rbx\n\tsbbq\t0(%rcx),%r11\n\tsbbq\t8(%rcx),%r12\n\tsbbq\t16(%rcx),%r13\n\tsbbq\t24(%rcx),%r14\n\tleaq\t32(%rcx),%rcx\n\tmovq\t%r11,0(%rdi)\n\tmovq\t%r12,8(%rdi)\n\tmovq\t%r13,16(%rdi)\n\tmovq\t%r14,24(%rdi)\n\tleaq\t32(%rdi),%rdi\n\tdecq\t%rax\n\tjnz\t.Lmulx4x_sub\n\n\tsbbq\t$0,%r15\n\tleaq\t64(%rsp),%rbx\n\tsubq\t%rdx,%rdi\n\n.byte\t102,73,15,110,207\n\tpxor\t%xmm0,%xmm0\n\tpshufd\t$0,%xmm1,%xmm1\n\tmovq\t40(%rsp),%rsi\n.cfi_def_cfa\t%rsi,8\n\tjmp\t.Lmulx4x_cond_copy\n\n.align\t32\n.Lmulx4x_cond_copy:\n\tmovdqa\t0(%rbx),%xmm2\n\tmovdqa\t16(%rbx),%xmm3\n\tleaq\t32(%rbx),%rbx\n\tmovdqu\t0(%rdi),%xmm4\n\tmovdqu\t16(%rdi),%xmm5\n\tleaq\t32(%rdi),%rdi\n\tmovdqa\t%xmm0,-32(%rbx)\n\tmovdqa\t%xmm0,-16(%rbx)\n\tpcmpeqd\t%xmm1,%xmm0\n\tpand\t%xmm1,%xmm2\n\tpand\t%xmm1,%xmm3\n\tpand\t%xmm0,%xmm4\n\tpand\t%xmm0,%xmm5\n\tpxor\t%xmm0,%xmm0\n\tpor\t%xmm2,%xmm4\n\tpor\t%xmm3,%xmm5\n\tmovdqu\t%xmm4,-32(%rdi)\n\tmovdqu\t%xmm5,-16(%rdi)\n\tsubq\t$32,%rdx\n\tjnz\t.Lmulx4x_cond_copy\n\n\tmovq\t%rdx,(%rbx)\n\n\tmovq\t$1,%rax\n\tmovq\t-48(%rsi),%r15\n.cfi_restore\t%r15\n\tmovq\t-40(%rsi),%r14\n.cfi_restore\t%r14\n\tmovq\t-32(%rsi),%r13\n.cfi_restore\t%r13\n\tmovq\t-24(%rsi),%r12\n.cfi_restore\t%r12\n\tmovq\t-16(%rsi),%rbp\n.cfi_restore\t%rbp\n\tmovq\t-8(%rsi),%rbx\n.cfi_restore\t%rbx\n\tleaq\t(%rsi),%rsp\n.cfi_def_cfa_register\t%rsp\n.Lmulx4x_epilogue:\n\tret\n.cfi_endproc\t\n.size\tbn_mulx4x_mont,.-bn_mulx4x_mont\n.byte\t77,111,110,116,103,111,109,101,114,121,32,77,117,108,116,105,112,108,105,99,97,116,105,111,110,32,102,111,114,32,120,56,54,95,54,52,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0\n.align\t16\n#endif\n#if defined(__linux__) && defined(__ELF__)\n.section .note.GNU-stack,\"\",%progbits\n#endif\n\n" }, { "path": "Sources/CNIOBoringSSL/gen/bcm/x86_64-mont5-apple.S", "content": "#define BORINGSSL_PREFIX CNIOBoringSSL\n// This file is generated from a similarly-named Perl script in the BoringSSL\n// source tree. Do not edit by hand.\n\n#include \n\n#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86_64) && defined(__APPLE__)\n.text\t\n\n.globl\t_bn_mul_mont_gather5_nohw\n.private_extern _bn_mul_mont_gather5_nohw\n\n.p2align\t6\n_bn_mul_mont_gather5_nohw:\n\n_CET_ENDBR\n\n\n\tmovl\t%r9d,%r9d\n\tmovq\t%rsp,%rax\n\n\tmovd\t8(%rsp),%xmm5\n\tpushq\t%rbx\n\n\tpushq\t%rbp\n\n\tpushq\t%r12\n\n\tpushq\t%r13\n\n\tpushq\t%r14\n\n\tpushq\t%r15\n\n\n\tnegq\t%r9\n\tmovq\t%rsp,%r11\n\tleaq\t-280(%rsp,%r9,8),%r10\n\tnegq\t%r9\n\tandq\t$-1024,%r10\n\n\n\n\n\n\n\n\n\n\tsubq\t%r10,%r11\n\tandq\t$-4096,%r11\n\tleaq\t(%r10,%r11,1),%rsp\n\tmovq\t(%rsp),%r11\n\tcmpq\t%r10,%rsp\n\tja\tL$mul_page_walk\n\tjmp\tL$mul_page_walk_done\n\nL$mul_page_walk:\n\tleaq\t-4096(%rsp),%rsp\n\tmovq\t(%rsp),%r11\n\tcmpq\t%r10,%rsp\n\tja\tL$mul_page_walk\nL$mul_page_walk_done:\n\n\tleaq\tL$inc(%rip),%r10\n\tmovq\t%rax,8(%rsp,%r9,8)\n\nL$mul_body:\n\n\tleaq\t128(%rdx),%r12\n\tmovdqa\t0(%r10),%xmm0\n\tmovdqa\t16(%r10),%xmm1\n\tleaq\t24-112(%rsp,%r9,8),%r10\n\tandq\t$-16,%r10\n\n\tpshufd\t$0,%xmm5,%xmm5\n\tmovdqa\t%xmm1,%xmm4\n\tmovdqa\t%xmm1,%xmm2\n\tpaddd\t%xmm0,%xmm1\n\tpcmpeqd\t%xmm5,%xmm0\n.byte\t0x67\n\tmovdqa\t%xmm4,%xmm3\n\tpaddd\t%xmm1,%xmm2\n\tpcmpeqd\t%xmm5,%xmm1\n\tmovdqa\t%xmm0,112(%r10)\n\tmovdqa\t%xmm4,%xmm0\n\n\tpaddd\t%xmm2,%xmm3\n\tpcmpeqd\t%xmm5,%xmm2\n\tmovdqa\t%xmm1,128(%r10)\n\tmovdqa\t%xmm4,%xmm1\n\n\tpaddd\t%xmm3,%xmm0\n\tpcmpeqd\t%xmm5,%xmm3\n\tmovdqa\t%xmm2,144(%r10)\n\tmovdqa\t%xmm4,%xmm2\n\n\tpaddd\t%xmm0,%xmm1\n\tpcmpeqd\t%xmm5,%xmm0\n\tmovdqa\t%xmm3,160(%r10)\n\tmovdqa\t%xmm4,%xmm3\n\tpaddd\t%xmm1,%xmm2\n\tpcmpeqd\t%xmm5,%xmm1\n\tmovdqa\t%xmm0,176(%r10)\n\tmovdqa\t%xmm4,%xmm0\n\n\tpaddd\t%xmm2,%xmm3\n\tpcmpeqd\t%xmm5,%xmm2\n\tmovdqa\t%xmm1,192(%r10)\n\tmovdqa\t%xmm4,%xmm1\n\n\tpaddd\t%xmm3,%xmm0\n\tpcmpeqd\t%xmm5,%xmm3\n\tmovdqa\t%xmm2,208(%r10)\n\tmovdqa\t%xmm4,%xmm2\n\n\tpaddd\t%xmm0,%xmm1\n\tpcmpeqd\t%xmm5,%xmm0\n\tmovdqa\t%xmm3,224(%r10)\n\tmovdqa\t%xmm4,%xmm3\n\tpaddd\t%xmm1,%xmm2\n\tpcmpeqd\t%xmm5,%xmm1\n\tmovdqa\t%xmm0,240(%r10)\n\tmovdqa\t%xmm4,%xmm0\n\n\tpaddd\t%xmm2,%xmm3\n\tpcmpeqd\t%xmm5,%xmm2\n\tmovdqa\t%xmm1,256(%r10)\n\tmovdqa\t%xmm4,%xmm1\n\n\tpaddd\t%xmm3,%xmm0\n\tpcmpeqd\t%xmm5,%xmm3\n\tmovdqa\t%xmm2,272(%r10)\n\tmovdqa\t%xmm4,%xmm2\n\n\tpaddd\t%xmm0,%xmm1\n\tpcmpeqd\t%xmm5,%xmm0\n\tmovdqa\t%xmm3,288(%r10)\n\tmovdqa\t%xmm4,%xmm3\n\tpaddd\t%xmm1,%xmm2\n\tpcmpeqd\t%xmm5,%xmm1\n\tmovdqa\t%xmm0,304(%r10)\n\n\tpaddd\t%xmm2,%xmm3\n.byte\t0x67\n\tpcmpeqd\t%xmm5,%xmm2\n\tmovdqa\t%xmm1,320(%r10)\n\n\tpcmpeqd\t%xmm5,%xmm3\n\tmovdqa\t%xmm2,336(%r10)\n\tpand\t64(%r12),%xmm0\n\n\tpand\t80(%r12),%xmm1\n\tpand\t96(%r12),%xmm2\n\tmovdqa\t%xmm3,352(%r10)\n\tpand\t112(%r12),%xmm3\n\tpor\t%xmm2,%xmm0\n\tpor\t%xmm3,%xmm1\n\tmovdqa\t-128(%r12),%xmm4\n\tmovdqa\t-112(%r12),%xmm5\n\tmovdqa\t-96(%r12),%xmm2\n\tpand\t112(%r10),%xmm4\n\tmovdqa\t-80(%r12),%xmm3\n\tpand\t128(%r10),%xmm5\n\tpor\t%xmm4,%xmm0\n\tpand\t144(%r10),%xmm2\n\tpor\t%xmm5,%xmm1\n\tpand\t160(%r10),%xmm3\n\tpor\t%xmm2,%xmm0\n\tpor\t%xmm3,%xmm1\n\tmovdqa\t-64(%r12),%xmm4\n\tmovdqa\t-48(%r12),%xmm5\n\tmovdqa\t-32(%r12),%xmm2\n\tpand\t176(%r10),%xmm4\n\tmovdqa\t-16(%r12),%xmm3\n\tpand\t192(%r10),%xmm5\n\tpor\t%xmm4,%xmm0\n\tpand\t208(%r10),%xmm2\n\tpor\t%xmm5,%xmm1\n\tpand\t224(%r10),%xmm3\n\tpor\t%xmm2,%xmm0\n\tpor\t%xmm3,%xmm1\n\tmovdqa\t0(%r12),%xmm4\n\tmovdqa\t16(%r12),%xmm5\n\tmovdqa\t32(%r12),%xmm2\n\tpand\t240(%r10),%xmm4\n\tmovdqa\t48(%r12),%xmm3\n\tpand\t256(%r10),%xmm5\n\tpor\t%xmm4,%xmm0\n\tpand\t272(%r10),%xmm2\n\tpor\t%xmm5,%xmm1\n\tpand\t288(%r10),%xmm3\n\tpor\t%xmm2,%xmm0\n\tpor\t%xmm3,%xmm1\n\tpor\t%xmm1,%xmm0\n\n\tpshufd\t$0x4e,%xmm0,%xmm1\n\tpor\t%xmm1,%xmm0\n\tleaq\t256(%r12),%r12\n.byte\t102,72,15,126,195\n\n\tmovq\t(%r8),%r8\n\tmovq\t(%rsi),%rax\n\n\txorq\t%r14,%r14\n\txorq\t%r15,%r15\n\n\tmovq\t%r8,%rbp\n\tmulq\t%rbx\n\tmovq\t%rax,%r10\n\tmovq\t(%rcx),%rax\n\n\timulq\t%r10,%rbp\n\tmovq\t%rdx,%r11\n\n\tmulq\t%rbp\n\taddq\t%rax,%r10\n\tmovq\t8(%rsi),%rax\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r13\n\n\tleaq\t1(%r15),%r15\n\tjmp\tL$1st_enter\n\n.p2align\t4\nL$1st:\n\taddq\t%rax,%r13\n\tmovq\t(%rsi,%r15,8),%rax\n\tadcq\t$0,%rdx\n\taddq\t%r11,%r13\n\tmovq\t%r10,%r11\n\tadcq\t$0,%rdx\n\tmovq\t%r13,-16(%rsp,%r15,8)\n\tmovq\t%rdx,%r13\n\nL$1st_enter:\n\tmulq\t%rbx\n\taddq\t%rax,%r11\n\tmovq\t(%rcx,%r15,8),%rax\n\tadcq\t$0,%rdx\n\tleaq\t1(%r15),%r15\n\tmovq\t%rdx,%r10\n\n\tmulq\t%rbp\n\tcmpq\t%r9,%r15\n\tjne\tL$1st\n\n\n\taddq\t%rax,%r13\n\tadcq\t$0,%rdx\n\taddq\t%r11,%r13\n\tadcq\t$0,%rdx\n\tmovq\t%r13,-16(%rsp,%r9,8)\n\tmovq\t%rdx,%r13\n\tmovq\t%r10,%r11\n\n\txorq\t%rdx,%rdx\n\taddq\t%r11,%r13\n\tadcq\t$0,%rdx\n\tmovq\t%r13,-8(%rsp,%r9,8)\n\tmovq\t%rdx,(%rsp,%r9,8)\n\n\tleaq\t1(%r14),%r14\n\tjmp\tL$outer\n.p2align\t4\nL$outer:\n\tleaq\t24+128(%rsp,%r9,8),%rdx\n\tandq\t$-16,%rdx\n\tpxor\t%xmm4,%xmm4\n\tpxor\t%xmm5,%xmm5\n\tmovdqa\t-128(%r12),%xmm0\n\tmovdqa\t-112(%r12),%xmm1\n\tmovdqa\t-96(%r12),%xmm2\n\tmovdqa\t-80(%r12),%xmm3\n\tpand\t-128(%rdx),%xmm0\n\tpand\t-112(%rdx),%xmm1\n\tpor\t%xmm0,%xmm4\n\tpand\t-96(%rdx),%xmm2\n\tpor\t%xmm1,%xmm5\n\tpand\t-80(%rdx),%xmm3\n\tpor\t%xmm2,%xmm4\n\tpor\t%xmm3,%xmm5\n\tmovdqa\t-64(%r12),%xmm0\n\tmovdqa\t-48(%r12),%xmm1\n\tmovdqa\t-32(%r12),%xmm2\n\tmovdqa\t-16(%r12),%xmm3\n\tpand\t-64(%rdx),%xmm0\n\tpand\t-48(%rdx),%xmm1\n\tpor\t%xmm0,%xmm4\n\tpand\t-32(%rdx),%xmm2\n\tpor\t%xmm1,%xmm5\n\tpand\t-16(%rdx),%xmm3\n\tpor\t%xmm2,%xmm4\n\tpor\t%xmm3,%xmm5\n\tmovdqa\t0(%r12),%xmm0\n\tmovdqa\t16(%r12),%xmm1\n\tmovdqa\t32(%r12),%xmm2\n\tmovdqa\t48(%r12),%xmm3\n\tpand\t0(%rdx),%xmm0\n\tpand\t16(%rdx),%xmm1\n\tpor\t%xmm0,%xmm4\n\tpand\t32(%rdx),%xmm2\n\tpor\t%xmm1,%xmm5\n\tpand\t48(%rdx),%xmm3\n\tpor\t%xmm2,%xmm4\n\tpor\t%xmm3,%xmm5\n\tmovdqa\t64(%r12),%xmm0\n\tmovdqa\t80(%r12),%xmm1\n\tmovdqa\t96(%r12),%xmm2\n\tmovdqa\t112(%r12),%xmm3\n\tpand\t64(%rdx),%xmm0\n\tpand\t80(%rdx),%xmm1\n\tpor\t%xmm0,%xmm4\n\tpand\t96(%rdx),%xmm2\n\tpor\t%xmm1,%xmm5\n\tpand\t112(%rdx),%xmm3\n\tpor\t%xmm2,%xmm4\n\tpor\t%xmm3,%xmm5\n\tpor\t%xmm5,%xmm4\n\n\tpshufd\t$0x4e,%xmm4,%xmm0\n\tpor\t%xmm4,%xmm0\n\tleaq\t256(%r12),%r12\n\n\tmovq\t(%rsi),%rax\n.byte\t102,72,15,126,195\n\n\txorq\t%r15,%r15\n\tmovq\t%r8,%rbp\n\tmovq\t(%rsp),%r10\n\n\tmulq\t%rbx\n\taddq\t%rax,%r10\n\tmovq\t(%rcx),%rax\n\tadcq\t$0,%rdx\n\n\timulq\t%r10,%rbp\n\tmovq\t%rdx,%r11\n\n\tmulq\t%rbp\n\taddq\t%rax,%r10\n\tmovq\t8(%rsi),%rax\n\tadcq\t$0,%rdx\n\tmovq\t8(%rsp),%r10\n\tmovq\t%rdx,%r13\n\n\tleaq\t1(%r15),%r15\n\tjmp\tL$inner_enter\n\n.p2align\t4\nL$inner:\n\taddq\t%rax,%r13\n\tmovq\t(%rsi,%r15,8),%rax\n\tadcq\t$0,%rdx\n\taddq\t%r10,%r13\n\tmovq\t(%rsp,%r15,8),%r10\n\tadcq\t$0,%rdx\n\tmovq\t%r13,-16(%rsp,%r15,8)\n\tmovq\t%rdx,%r13\n\nL$inner_enter:\n\tmulq\t%rbx\n\taddq\t%rax,%r11\n\tmovq\t(%rcx,%r15,8),%rax\n\tadcq\t$0,%rdx\n\taddq\t%r11,%r10\n\tmovq\t%rdx,%r11\n\tadcq\t$0,%r11\n\tleaq\t1(%r15),%r15\n\n\tmulq\t%rbp\n\tcmpq\t%r9,%r15\n\tjne\tL$inner\n\n\taddq\t%rax,%r13\n\tadcq\t$0,%rdx\n\taddq\t%r10,%r13\n\tmovq\t(%rsp,%r9,8),%r10\n\tadcq\t$0,%rdx\n\tmovq\t%r13,-16(%rsp,%r9,8)\n\tmovq\t%rdx,%r13\n\n\txorq\t%rdx,%rdx\n\taddq\t%r11,%r13\n\tadcq\t$0,%rdx\n\taddq\t%r10,%r13\n\tadcq\t$0,%rdx\n\tmovq\t%r13,-8(%rsp,%r9,8)\n\tmovq\t%rdx,(%rsp,%r9,8)\n\n\tleaq\t1(%r14),%r14\n\tcmpq\t%r9,%r14\n\tjb\tL$outer\n\n\txorq\t%r14,%r14\n\tmovq\t(%rsp),%rax\n\tleaq\t(%rsp),%rsi\n\tmovq\t%r9,%r15\n\tjmp\tL$sub\n.p2align\t4\nL$sub:\tsbbq\t(%rcx,%r14,8),%rax\n\tmovq\t%rax,(%rdi,%r14,8)\n\tmovq\t8(%rsi,%r14,8),%rax\n\tleaq\t1(%r14),%r14\n\tdecq\t%r15\n\tjnz\tL$sub\n\n\tsbbq\t$0,%rax\n\tmovq\t$-1,%rbx\n\txorq\t%rax,%rbx\n\txorq\t%r14,%r14\n\tmovq\t%r9,%r15\n\nL$copy:\n\tmovq\t(%rdi,%r14,8),%rcx\n\tmovq\t(%rsp,%r14,8),%rdx\n\tandq\t%rbx,%rcx\n\tandq\t%rax,%rdx\n\tmovq\t%r14,(%rsp,%r14,8)\n\torq\t%rcx,%rdx\n\tmovq\t%rdx,(%rdi,%r14,8)\n\tleaq\t1(%r14),%r14\n\tsubq\t$1,%r15\n\tjnz\tL$copy\n\n\tmovq\t8(%rsp,%r9,8),%rsi\n\n\tmovq\t$1,%rax\n\n\tmovq\t-48(%rsi),%r15\n\n\tmovq\t-40(%rsi),%r14\n\n\tmovq\t-32(%rsi),%r13\n\n\tmovq\t-24(%rsi),%r12\n\n\tmovq\t-16(%rsi),%rbp\n\n\tmovq\t-8(%rsi),%rbx\n\n\tleaq\t(%rsi),%rsp\n\nL$mul_epilogue:\n\tret\n\n\n.globl\t_bn_mul4x_mont_gather5\n.private_extern _bn_mul4x_mont_gather5\n\n.p2align\t5\n_bn_mul4x_mont_gather5:\n\n_CET_ENDBR\n.byte\t0x67\n\tmovq\t%rsp,%rax\n\n\tpushq\t%rbx\n\n\tpushq\t%rbp\n\n\tpushq\t%r12\n\n\tpushq\t%r13\n\n\tpushq\t%r14\n\n\tpushq\t%r15\n\nL$mul4x_prologue:\n\n.byte\t0x67\n\n\n\n\tshll\t$3,%r9d\n\tleaq\t(%r9,%r9,2),%r10\n\tnegq\t%r9\n\n\n\n\n\n\n\n\n\n\n\tleaq\t-320(%rsp,%r9,2),%r11\n\tmovq\t%rsp,%rbp\n\tsubq\t%rdi,%r11\n\tandq\t$4095,%r11\n\tcmpq\t%r11,%r10\n\tjb\tL$mul4xsp_alt\n\tsubq\t%r11,%rbp\n\tleaq\t-320(%rbp,%r9,2),%rbp\n\tjmp\tL$mul4xsp_done\n\n.p2align\t5\nL$mul4xsp_alt:\n\tleaq\t4096-320(,%r9,2),%r10\n\tleaq\t-320(%rbp,%r9,2),%rbp\n\tsubq\t%r10,%r11\n\tmovq\t$0,%r10\n\tcmovcq\t%r10,%r11\n\tsubq\t%r11,%rbp\nL$mul4xsp_done:\n\tandq\t$-64,%rbp\n\tmovq\t%rsp,%r11\n\tsubq\t%rbp,%r11\n\tandq\t$-4096,%r11\n\tleaq\t(%r11,%rbp,1),%rsp\n\tmovq\t(%rsp),%r10\n\tcmpq\t%rbp,%rsp\n\tja\tL$mul4x_page_walk\n\tjmp\tL$mul4x_page_walk_done\n\nL$mul4x_page_walk:\n\tleaq\t-4096(%rsp),%rsp\n\tmovq\t(%rsp),%r10\n\tcmpq\t%rbp,%rsp\n\tja\tL$mul4x_page_walk\nL$mul4x_page_walk_done:\n\n\tnegq\t%r9\n\n\tmovq\t%rax,40(%rsp)\n\nL$mul4x_body:\n\n\tcall\tmul4x_internal\n\n\tmovq\t40(%rsp),%rsi\n\n\tmovq\t$1,%rax\n\n\tmovq\t-48(%rsi),%r15\n\n\tmovq\t-40(%rsi),%r14\n\n\tmovq\t-32(%rsi),%r13\n\n\tmovq\t-24(%rsi),%r12\n\n\tmovq\t-16(%rsi),%rbp\n\n\tmovq\t-8(%rsi),%rbx\n\n\tleaq\t(%rsi),%rsp\n\nL$mul4x_epilogue:\n\tret\n\n\n\n\n.p2align\t5\nmul4x_internal:\n\n\tshlq\t$5,%r9\n\tmovd\t8(%rax),%xmm5\n\tleaq\tL$inc(%rip),%rax\n\tleaq\t128(%rdx,%r9,1),%r13\n\tshrq\t$5,%r9\n\tmovdqa\t0(%rax),%xmm0\n\tmovdqa\t16(%rax),%xmm1\n\tleaq\t88-112(%rsp,%r9,1),%r10\n\tleaq\t128(%rdx),%r12\n\n\tpshufd\t$0,%xmm5,%xmm5\n\tmovdqa\t%xmm1,%xmm4\n.byte\t0x67,0x67\n\tmovdqa\t%xmm1,%xmm2\n\tpaddd\t%xmm0,%xmm1\n\tpcmpeqd\t%xmm5,%xmm0\n.byte\t0x67\n\tmovdqa\t%xmm4,%xmm3\n\tpaddd\t%xmm1,%xmm2\n\tpcmpeqd\t%xmm5,%xmm1\n\tmovdqa\t%xmm0,112(%r10)\n\tmovdqa\t%xmm4,%xmm0\n\n\tpaddd\t%xmm2,%xmm3\n\tpcmpeqd\t%xmm5,%xmm2\n\tmovdqa\t%xmm1,128(%r10)\n\tmovdqa\t%xmm4,%xmm1\n\n\tpaddd\t%xmm3,%xmm0\n\tpcmpeqd\t%xmm5,%xmm3\n\tmovdqa\t%xmm2,144(%r10)\n\tmovdqa\t%xmm4,%xmm2\n\n\tpaddd\t%xmm0,%xmm1\n\tpcmpeqd\t%xmm5,%xmm0\n\tmovdqa\t%xmm3,160(%r10)\n\tmovdqa\t%xmm4,%xmm3\n\tpaddd\t%xmm1,%xmm2\n\tpcmpeqd\t%xmm5,%xmm1\n\tmovdqa\t%xmm0,176(%r10)\n\tmovdqa\t%xmm4,%xmm0\n\n\tpaddd\t%xmm2,%xmm3\n\tpcmpeqd\t%xmm5,%xmm2\n\tmovdqa\t%xmm1,192(%r10)\n\tmovdqa\t%xmm4,%xmm1\n\n\tpaddd\t%xmm3,%xmm0\n\tpcmpeqd\t%xmm5,%xmm3\n\tmovdqa\t%xmm2,208(%r10)\n\tmovdqa\t%xmm4,%xmm2\n\n\tpaddd\t%xmm0,%xmm1\n\tpcmpeqd\t%xmm5,%xmm0\n\tmovdqa\t%xmm3,224(%r10)\n\tmovdqa\t%xmm4,%xmm3\n\tpaddd\t%xmm1,%xmm2\n\tpcmpeqd\t%xmm5,%xmm1\n\tmovdqa\t%xmm0,240(%r10)\n\tmovdqa\t%xmm4,%xmm0\n\n\tpaddd\t%xmm2,%xmm3\n\tpcmpeqd\t%xmm5,%xmm2\n\tmovdqa\t%xmm1,256(%r10)\n\tmovdqa\t%xmm4,%xmm1\n\n\tpaddd\t%xmm3,%xmm0\n\tpcmpeqd\t%xmm5,%xmm3\n\tmovdqa\t%xmm2,272(%r10)\n\tmovdqa\t%xmm4,%xmm2\n\n\tpaddd\t%xmm0,%xmm1\n\tpcmpeqd\t%xmm5,%xmm0\n\tmovdqa\t%xmm3,288(%r10)\n\tmovdqa\t%xmm4,%xmm3\n\tpaddd\t%xmm1,%xmm2\n\tpcmpeqd\t%xmm5,%xmm1\n\tmovdqa\t%xmm0,304(%r10)\n\n\tpaddd\t%xmm2,%xmm3\n.byte\t0x67\n\tpcmpeqd\t%xmm5,%xmm2\n\tmovdqa\t%xmm1,320(%r10)\n\n\tpcmpeqd\t%xmm5,%xmm3\n\tmovdqa\t%xmm2,336(%r10)\n\tpand\t64(%r12),%xmm0\n\n\tpand\t80(%r12),%xmm1\n\tpand\t96(%r12),%xmm2\n\tmovdqa\t%xmm3,352(%r10)\n\tpand\t112(%r12),%xmm3\n\tpor\t%xmm2,%xmm0\n\tpor\t%xmm3,%xmm1\n\tmovdqa\t-128(%r12),%xmm4\n\tmovdqa\t-112(%r12),%xmm5\n\tmovdqa\t-96(%r12),%xmm2\n\tpand\t112(%r10),%xmm4\n\tmovdqa\t-80(%r12),%xmm3\n\tpand\t128(%r10),%xmm5\n\tpor\t%xmm4,%xmm0\n\tpand\t144(%r10),%xmm2\n\tpor\t%xmm5,%xmm1\n\tpand\t160(%r10),%xmm3\n\tpor\t%xmm2,%xmm0\n\tpor\t%xmm3,%xmm1\n\tmovdqa\t-64(%r12),%xmm4\n\tmovdqa\t-48(%r12),%xmm5\n\tmovdqa\t-32(%r12),%xmm2\n\tpand\t176(%r10),%xmm4\n\tmovdqa\t-16(%r12),%xmm3\n\tpand\t192(%r10),%xmm5\n\tpor\t%xmm4,%xmm0\n\tpand\t208(%r10),%xmm2\n\tpor\t%xmm5,%xmm1\n\tpand\t224(%r10),%xmm3\n\tpor\t%xmm2,%xmm0\n\tpor\t%xmm3,%xmm1\n\tmovdqa\t0(%r12),%xmm4\n\tmovdqa\t16(%r12),%xmm5\n\tmovdqa\t32(%r12),%xmm2\n\tpand\t240(%r10),%xmm4\n\tmovdqa\t48(%r12),%xmm3\n\tpand\t256(%r10),%xmm5\n\tpor\t%xmm4,%xmm0\n\tpand\t272(%r10),%xmm2\n\tpor\t%xmm5,%xmm1\n\tpand\t288(%r10),%xmm3\n\tpor\t%xmm2,%xmm0\n\tpor\t%xmm3,%xmm1\n\tpor\t%xmm1,%xmm0\n\n\tpshufd\t$0x4e,%xmm0,%xmm1\n\tpor\t%xmm1,%xmm0\n\tleaq\t256(%r12),%r12\n.byte\t102,72,15,126,195\n\n\tmovq\t%r13,16+8(%rsp)\n\tmovq\t%rdi,56+8(%rsp)\n\n\tmovq\t(%r8),%r8\n\tmovq\t(%rsi),%rax\n\tleaq\t(%rsi,%r9,1),%rsi\n\tnegq\t%r9\n\n\tmovq\t%r8,%rbp\n\tmulq\t%rbx\n\tmovq\t%rax,%r10\n\tmovq\t(%rcx),%rax\n\n\timulq\t%r10,%rbp\n\tleaq\t64+8(%rsp),%r14\n\tmovq\t%rdx,%r11\n\n\tmulq\t%rbp\n\taddq\t%rax,%r10\n\tmovq\t8(%rsi,%r9,1),%rax\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%rdi\n\n\tmulq\t%rbx\n\taddq\t%rax,%r11\n\tmovq\t8(%rcx),%rax\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r10\n\n\tmulq\t%rbp\n\taddq\t%rax,%rdi\n\tmovq\t16(%rsi,%r9,1),%rax\n\tadcq\t$0,%rdx\n\taddq\t%r11,%rdi\n\tleaq\t32(%r9),%r15\n\tleaq\t32(%rcx),%rcx\n\tadcq\t$0,%rdx\n\tmovq\t%rdi,(%r14)\n\tmovq\t%rdx,%r13\n\tjmp\tL$1st4x\n\n.p2align\t5\nL$1st4x:\n\tmulq\t%rbx\n\taddq\t%rax,%r10\n\tmovq\t-16(%rcx),%rax\n\tleaq\t32(%r14),%r14\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r11\n\n\tmulq\t%rbp\n\taddq\t%rax,%r13\n\tmovq\t-8(%rsi,%r15,1),%rax\n\tadcq\t$0,%rdx\n\taddq\t%r10,%r13\n\tadcq\t$0,%rdx\n\tmovq\t%r13,-24(%r14)\n\tmovq\t%rdx,%rdi\n\n\tmulq\t%rbx\n\taddq\t%rax,%r11\n\tmovq\t-8(%rcx),%rax\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r10\n\n\tmulq\t%rbp\n\taddq\t%rax,%rdi\n\tmovq\t(%rsi,%r15,1),%rax\n\tadcq\t$0,%rdx\n\taddq\t%r11,%rdi\n\tadcq\t$0,%rdx\n\tmovq\t%rdi,-16(%r14)\n\tmovq\t%rdx,%r13\n\n\tmulq\t%rbx\n\taddq\t%rax,%r10\n\tmovq\t0(%rcx),%rax\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r11\n\n\tmulq\t%rbp\n\taddq\t%rax,%r13\n\tmovq\t8(%rsi,%r15,1),%rax\n\tadcq\t$0,%rdx\n\taddq\t%r10,%r13\n\tadcq\t$0,%rdx\n\tmovq\t%r13,-8(%r14)\n\tmovq\t%rdx,%rdi\n\n\tmulq\t%rbx\n\taddq\t%rax,%r11\n\tmovq\t8(%rcx),%rax\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r10\n\n\tmulq\t%rbp\n\taddq\t%rax,%rdi\n\tmovq\t16(%rsi,%r15,1),%rax\n\tadcq\t$0,%rdx\n\taddq\t%r11,%rdi\n\tleaq\t32(%rcx),%rcx\n\tadcq\t$0,%rdx\n\tmovq\t%rdi,(%r14)\n\tmovq\t%rdx,%r13\n\n\taddq\t$32,%r15\n\tjnz\tL$1st4x\n\n\tmulq\t%rbx\n\taddq\t%rax,%r10\n\tmovq\t-16(%rcx),%rax\n\tleaq\t32(%r14),%r14\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r11\n\n\tmulq\t%rbp\n\taddq\t%rax,%r13\n\tmovq\t-8(%rsi),%rax\n\tadcq\t$0,%rdx\n\taddq\t%r10,%r13\n\tadcq\t$0,%rdx\n\tmovq\t%r13,-24(%r14)\n\tmovq\t%rdx,%rdi\n\n\tmulq\t%rbx\n\taddq\t%rax,%r11\n\tmovq\t-8(%rcx),%rax\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r10\n\n\tmulq\t%rbp\n\taddq\t%rax,%rdi\n\tmovq\t(%rsi,%r9,1),%rax\n\tadcq\t$0,%rdx\n\taddq\t%r11,%rdi\n\tadcq\t$0,%rdx\n\tmovq\t%rdi,-16(%r14)\n\tmovq\t%rdx,%r13\n\n\tleaq\t(%rcx,%r9,1),%rcx\n\n\txorq\t%rdi,%rdi\n\taddq\t%r10,%r13\n\tadcq\t$0,%rdi\n\tmovq\t%r13,-8(%r14)\n\n\tjmp\tL$outer4x\n\n.p2align\t5\nL$outer4x:\n\tleaq\t16+128(%r14),%rdx\n\tpxor\t%xmm4,%xmm4\n\tpxor\t%xmm5,%xmm5\n\tmovdqa\t-128(%r12),%xmm0\n\tmovdqa\t-112(%r12),%xmm1\n\tmovdqa\t-96(%r12),%xmm2\n\tmovdqa\t-80(%r12),%xmm3\n\tpand\t-128(%rdx),%xmm0\n\tpand\t-112(%rdx),%xmm1\n\tpor\t%xmm0,%xmm4\n\tpand\t-96(%rdx),%xmm2\n\tpor\t%xmm1,%xmm5\n\tpand\t-80(%rdx),%xmm3\n\tpor\t%xmm2,%xmm4\n\tpor\t%xmm3,%xmm5\n\tmovdqa\t-64(%r12),%xmm0\n\tmovdqa\t-48(%r12),%xmm1\n\tmovdqa\t-32(%r12),%xmm2\n\tmovdqa\t-16(%r12),%xmm3\n\tpand\t-64(%rdx),%xmm0\n\tpand\t-48(%rdx),%xmm1\n\tpor\t%xmm0,%xmm4\n\tpand\t-32(%rdx),%xmm2\n\tpor\t%xmm1,%xmm5\n\tpand\t-16(%rdx),%xmm3\n\tpor\t%xmm2,%xmm4\n\tpor\t%xmm3,%xmm5\n\tmovdqa\t0(%r12),%xmm0\n\tmovdqa\t16(%r12),%xmm1\n\tmovdqa\t32(%r12),%xmm2\n\tmovdqa\t48(%r12),%xmm3\n\tpand\t0(%rdx),%xmm0\n\tpand\t16(%rdx),%xmm1\n\tpor\t%xmm0,%xmm4\n\tpand\t32(%rdx),%xmm2\n\tpor\t%xmm1,%xmm5\n\tpand\t48(%rdx),%xmm3\n\tpor\t%xmm2,%xmm4\n\tpor\t%xmm3,%xmm5\n\tmovdqa\t64(%r12),%xmm0\n\tmovdqa\t80(%r12),%xmm1\n\tmovdqa\t96(%r12),%xmm2\n\tmovdqa\t112(%r12),%xmm3\n\tpand\t64(%rdx),%xmm0\n\tpand\t80(%rdx),%xmm1\n\tpor\t%xmm0,%xmm4\n\tpand\t96(%rdx),%xmm2\n\tpor\t%xmm1,%xmm5\n\tpand\t112(%rdx),%xmm3\n\tpor\t%xmm2,%xmm4\n\tpor\t%xmm3,%xmm5\n\tpor\t%xmm5,%xmm4\n\n\tpshufd\t$0x4e,%xmm4,%xmm0\n\tpor\t%xmm4,%xmm0\n\tleaq\t256(%r12),%r12\n.byte\t102,72,15,126,195\n\n\tmovq\t(%r14,%r9,1),%r10\n\tmovq\t%r8,%rbp\n\tmulq\t%rbx\n\taddq\t%rax,%r10\n\tmovq\t(%rcx),%rax\n\tadcq\t$0,%rdx\n\n\timulq\t%r10,%rbp\n\tmovq\t%rdx,%r11\n\tmovq\t%rdi,(%r14)\n\n\tleaq\t(%r14,%r9,1),%r14\n\n\tmulq\t%rbp\n\taddq\t%rax,%r10\n\tmovq\t8(%rsi,%r9,1),%rax\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%rdi\n\n\tmulq\t%rbx\n\taddq\t%rax,%r11\n\tmovq\t8(%rcx),%rax\n\tadcq\t$0,%rdx\n\taddq\t8(%r14),%r11\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r10\n\n\tmulq\t%rbp\n\taddq\t%rax,%rdi\n\tmovq\t16(%rsi,%r9,1),%rax\n\tadcq\t$0,%rdx\n\taddq\t%r11,%rdi\n\tleaq\t32(%r9),%r15\n\tleaq\t32(%rcx),%rcx\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r13\n\tjmp\tL$inner4x\n\n.p2align\t5\nL$inner4x:\n\tmulq\t%rbx\n\taddq\t%rax,%r10\n\tmovq\t-16(%rcx),%rax\n\tadcq\t$0,%rdx\n\taddq\t16(%r14),%r10\n\tleaq\t32(%r14),%r14\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r11\n\n\tmulq\t%rbp\n\taddq\t%rax,%r13\n\tmovq\t-8(%rsi,%r15,1),%rax\n\tadcq\t$0,%rdx\n\taddq\t%r10,%r13\n\tadcq\t$0,%rdx\n\tmovq\t%rdi,-32(%r14)\n\tmovq\t%rdx,%rdi\n\n\tmulq\t%rbx\n\taddq\t%rax,%r11\n\tmovq\t-8(%rcx),%rax\n\tadcq\t$0,%rdx\n\taddq\t-8(%r14),%r11\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r10\n\n\tmulq\t%rbp\n\taddq\t%rax,%rdi\n\tmovq\t(%rsi,%r15,1),%rax\n\tadcq\t$0,%rdx\n\taddq\t%r11,%rdi\n\tadcq\t$0,%rdx\n\tmovq\t%r13,-24(%r14)\n\tmovq\t%rdx,%r13\n\n\tmulq\t%rbx\n\taddq\t%rax,%r10\n\tmovq\t0(%rcx),%rax\n\tadcq\t$0,%rdx\n\taddq\t(%r14),%r10\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r11\n\n\tmulq\t%rbp\n\taddq\t%rax,%r13\n\tmovq\t8(%rsi,%r15,1),%rax\n\tadcq\t$0,%rdx\n\taddq\t%r10,%r13\n\tadcq\t$0,%rdx\n\tmovq\t%rdi,-16(%r14)\n\tmovq\t%rdx,%rdi\n\n\tmulq\t%rbx\n\taddq\t%rax,%r11\n\tmovq\t8(%rcx),%rax\n\tadcq\t$0,%rdx\n\taddq\t8(%r14),%r11\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r10\n\n\tmulq\t%rbp\n\taddq\t%rax,%rdi\n\tmovq\t16(%rsi,%r15,1),%rax\n\tadcq\t$0,%rdx\n\taddq\t%r11,%rdi\n\tleaq\t32(%rcx),%rcx\n\tadcq\t$0,%rdx\n\tmovq\t%r13,-8(%r14)\n\tmovq\t%rdx,%r13\n\n\taddq\t$32,%r15\n\tjnz\tL$inner4x\n\n\tmulq\t%rbx\n\taddq\t%rax,%r10\n\tmovq\t-16(%rcx),%rax\n\tadcq\t$0,%rdx\n\taddq\t16(%r14),%r10\n\tleaq\t32(%r14),%r14\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r11\n\n\tmulq\t%rbp\n\taddq\t%rax,%r13\n\tmovq\t-8(%rsi),%rax\n\tadcq\t$0,%rdx\n\taddq\t%r10,%r13\n\tadcq\t$0,%rdx\n\tmovq\t%rdi,-32(%r14)\n\tmovq\t%rdx,%rdi\n\n\tmulq\t%rbx\n\taddq\t%rax,%r11\n\tmovq\t%rbp,%rax\n\tmovq\t-8(%rcx),%rbp\n\tadcq\t$0,%rdx\n\taddq\t-8(%r14),%r11\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r10\n\n\tmulq\t%rbp\n\taddq\t%rax,%rdi\n\tmovq\t(%rsi,%r9,1),%rax\n\tadcq\t$0,%rdx\n\taddq\t%r11,%rdi\n\tadcq\t$0,%rdx\n\tmovq\t%r13,-24(%r14)\n\tmovq\t%rdx,%r13\n\n\tmovq\t%rdi,-16(%r14)\n\tleaq\t(%rcx,%r9,1),%rcx\n\n\txorq\t%rdi,%rdi\n\taddq\t%r10,%r13\n\tadcq\t$0,%rdi\n\taddq\t(%r14),%r13\n\tadcq\t$0,%rdi\n\tmovq\t%r13,-8(%r14)\n\n\tcmpq\t16+8(%rsp),%r12\n\tjb\tL$outer4x\n\txorq\t%rax,%rax\n\tsubq\t%r13,%rbp\n\tadcq\t%r15,%r15\n\torq\t%r15,%rdi\n\tsubq\t%rdi,%rax\n\tleaq\t(%r14,%r9,1),%rbx\n\tmovq\t(%rcx),%r12\n\tleaq\t(%rcx),%rbp\n\tmovq\t%r9,%rcx\n\tsarq\t$3+2,%rcx\n\tmovq\t56+8(%rsp),%rdi\n\tdecq\t%r12\n\txorq\t%r10,%r10\n\tmovq\t8(%rbp),%r13\n\tmovq\t16(%rbp),%r14\n\tmovq\t24(%rbp),%r15\n\tjmp\tL$sqr4x_sub_entry\n\n\n.globl\t_bn_power5_nohw\n.private_extern _bn_power5_nohw\n\n.p2align\t5\n_bn_power5_nohw:\n\n_CET_ENDBR\n\tmovq\t%rsp,%rax\n\n\tpushq\t%rbx\n\n\tpushq\t%rbp\n\n\tpushq\t%r12\n\n\tpushq\t%r13\n\n\tpushq\t%r14\n\n\tpushq\t%r15\n\nL$power5_prologue:\n\n\n\n\n\tshll\t$3,%r9d\n\tleal\t(%r9,%r9,2),%r10d\n\tnegq\t%r9\n\tmovq\t(%r8),%r8\n\n\n\n\n\n\n\n\n\tleaq\t-320(%rsp,%r9,2),%r11\n\tmovq\t%rsp,%rbp\n\tsubq\t%rdi,%r11\n\tandq\t$4095,%r11\n\tcmpq\t%r11,%r10\n\tjb\tL$pwr_sp_alt\n\tsubq\t%r11,%rbp\n\tleaq\t-320(%rbp,%r9,2),%rbp\n\tjmp\tL$pwr_sp_done\n\n.p2align\t5\nL$pwr_sp_alt:\n\tleaq\t4096-320(,%r9,2),%r10\n\tleaq\t-320(%rbp,%r9,2),%rbp\n\tsubq\t%r10,%r11\n\tmovq\t$0,%r10\n\tcmovcq\t%r10,%r11\n\tsubq\t%r11,%rbp\nL$pwr_sp_done:\n\tandq\t$-64,%rbp\n\tmovq\t%rsp,%r11\n\tsubq\t%rbp,%r11\n\tandq\t$-4096,%r11\n\tleaq\t(%r11,%rbp,1),%rsp\n\tmovq\t(%rsp),%r10\n\tcmpq\t%rbp,%rsp\n\tja\tL$pwr_page_walk\n\tjmp\tL$pwr_page_walk_done\n\nL$pwr_page_walk:\n\tleaq\t-4096(%rsp),%rsp\n\tmovq\t(%rsp),%r10\n\tcmpq\t%rbp,%rsp\n\tja\tL$pwr_page_walk\nL$pwr_page_walk_done:\n\n\tmovq\t%r9,%r10\n\tnegq\t%r9\n\n\n\n\n\n\n\n\n\n\n\tmovq\t%r8,32(%rsp)\n\tmovq\t%rax,40(%rsp)\n\nL$power5_body:\n.byte\t102,72,15,110,207\n.byte\t102,72,15,110,209\n.byte\t102,73,15,110,218\n.byte\t102,72,15,110,226\n\n\tcall\t__bn_sqr8x_internal\n\tcall\t__bn_post4x_internal\n\tcall\t__bn_sqr8x_internal\n\tcall\t__bn_post4x_internal\n\tcall\t__bn_sqr8x_internal\n\tcall\t__bn_post4x_internal\n\tcall\t__bn_sqr8x_internal\n\tcall\t__bn_post4x_internal\n\tcall\t__bn_sqr8x_internal\n\tcall\t__bn_post4x_internal\n\n.byte\t102,72,15,126,209\n.byte\t102,72,15,126,226\n\tmovq\t%rsi,%rdi\n\tmovq\t40(%rsp),%rax\n\tleaq\t32(%rsp),%r8\n\n\tcall\tmul4x_internal\n\n\tmovq\t40(%rsp),%rsi\n\n\tmovq\t$1,%rax\n\tmovq\t-48(%rsi),%r15\n\n\tmovq\t-40(%rsi),%r14\n\n\tmovq\t-32(%rsi),%r13\n\n\tmovq\t-24(%rsi),%r12\n\n\tmovq\t-16(%rsi),%rbp\n\n\tmovq\t-8(%rsi),%rbx\n\n\tleaq\t(%rsi),%rsp\n\nL$power5_epilogue:\n\tret\n\n\n\n.globl\t_bn_sqr8x_internal\n.private_extern _bn_sqr8x_internal\n.private_extern\t_bn_sqr8x_internal\n\n.p2align\t5\n_bn_sqr8x_internal:\n__bn_sqr8x_internal:\n\n_CET_ENDBR\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\tleaq\t32(%r10),%rbp\n\tleaq\t(%rsi,%r9,1),%rsi\n\n\tmovq\t%r9,%rcx\n\n\n\tmovq\t-32(%rsi,%rbp,1),%r14\n\tleaq\t48+8(%rsp,%r9,2),%rdi\n\tmovq\t-24(%rsi,%rbp,1),%rax\n\tleaq\t-32(%rdi,%rbp,1),%rdi\n\tmovq\t-16(%rsi,%rbp,1),%rbx\n\tmovq\t%rax,%r15\n\n\tmulq\t%r14\n\tmovq\t%rax,%r10\n\tmovq\t%rbx,%rax\n\tmovq\t%rdx,%r11\n\tmovq\t%r10,-24(%rdi,%rbp,1)\n\n\tmulq\t%r14\n\taddq\t%rax,%r11\n\tmovq\t%rbx,%rax\n\tadcq\t$0,%rdx\n\tmovq\t%r11,-16(%rdi,%rbp,1)\n\tmovq\t%rdx,%r10\n\n\n\tmovq\t-8(%rsi,%rbp,1),%rbx\n\tmulq\t%r15\n\tmovq\t%rax,%r12\n\tmovq\t%rbx,%rax\n\tmovq\t%rdx,%r13\n\n\tleaq\t(%rbp),%rcx\n\tmulq\t%r14\n\taddq\t%rax,%r10\n\tmovq\t%rbx,%rax\n\tmovq\t%rdx,%r11\n\tadcq\t$0,%r11\n\taddq\t%r12,%r10\n\tadcq\t$0,%r11\n\tmovq\t%r10,-8(%rdi,%rcx,1)\n\tjmp\tL$sqr4x_1st\n\n.p2align\t5\nL$sqr4x_1st:\n\tmovq\t(%rsi,%rcx,1),%rbx\n\tmulq\t%r15\n\taddq\t%rax,%r13\n\tmovq\t%rbx,%rax\n\tmovq\t%rdx,%r12\n\tadcq\t$0,%r12\n\n\tmulq\t%r14\n\taddq\t%rax,%r11\n\tmovq\t%rbx,%rax\n\tmovq\t8(%rsi,%rcx,1),%rbx\n\tmovq\t%rdx,%r10\n\tadcq\t$0,%r10\n\taddq\t%r13,%r11\n\tadcq\t$0,%r10\n\n\n\tmulq\t%r15\n\taddq\t%rax,%r12\n\tmovq\t%rbx,%rax\n\tmovq\t%r11,(%rdi,%rcx,1)\n\tmovq\t%rdx,%r13\n\tadcq\t$0,%r13\n\n\tmulq\t%r14\n\taddq\t%rax,%r10\n\tmovq\t%rbx,%rax\n\tmovq\t16(%rsi,%rcx,1),%rbx\n\tmovq\t%rdx,%r11\n\tadcq\t$0,%r11\n\taddq\t%r12,%r10\n\tadcq\t$0,%r11\n\n\tmulq\t%r15\n\taddq\t%rax,%r13\n\tmovq\t%rbx,%rax\n\tmovq\t%r10,8(%rdi,%rcx,1)\n\tmovq\t%rdx,%r12\n\tadcq\t$0,%r12\n\n\tmulq\t%r14\n\taddq\t%rax,%r11\n\tmovq\t%rbx,%rax\n\tmovq\t24(%rsi,%rcx,1),%rbx\n\tmovq\t%rdx,%r10\n\tadcq\t$0,%r10\n\taddq\t%r13,%r11\n\tadcq\t$0,%r10\n\n\n\tmulq\t%r15\n\taddq\t%rax,%r12\n\tmovq\t%rbx,%rax\n\tmovq\t%r11,16(%rdi,%rcx,1)\n\tmovq\t%rdx,%r13\n\tadcq\t$0,%r13\n\tleaq\t32(%rcx),%rcx\n\n\tmulq\t%r14\n\taddq\t%rax,%r10\n\tmovq\t%rbx,%rax\n\tmovq\t%rdx,%r11\n\tadcq\t$0,%r11\n\taddq\t%r12,%r10\n\tadcq\t$0,%r11\n\tmovq\t%r10,-8(%rdi,%rcx,1)\n\n\tcmpq\t$0,%rcx\n\tjne\tL$sqr4x_1st\n\n\tmulq\t%r15\n\taddq\t%rax,%r13\n\tleaq\t16(%rbp),%rbp\n\tadcq\t$0,%rdx\n\taddq\t%r11,%r13\n\tadcq\t$0,%rdx\n\n\tmovq\t%r13,(%rdi)\n\tmovq\t%rdx,%r12\n\tmovq\t%rdx,8(%rdi)\n\tjmp\tL$sqr4x_outer\n\n.p2align\t5\nL$sqr4x_outer:\n\tmovq\t-32(%rsi,%rbp,1),%r14\n\tleaq\t48+8(%rsp,%r9,2),%rdi\n\tmovq\t-24(%rsi,%rbp,1),%rax\n\tleaq\t-32(%rdi,%rbp,1),%rdi\n\tmovq\t-16(%rsi,%rbp,1),%rbx\n\tmovq\t%rax,%r15\n\n\tmulq\t%r14\n\tmovq\t-24(%rdi,%rbp,1),%r10\n\taddq\t%rax,%r10\n\tmovq\t%rbx,%rax\n\tadcq\t$0,%rdx\n\tmovq\t%r10,-24(%rdi,%rbp,1)\n\tmovq\t%rdx,%r11\n\n\tmulq\t%r14\n\taddq\t%rax,%r11\n\tmovq\t%rbx,%rax\n\tadcq\t$0,%rdx\n\taddq\t-16(%rdi,%rbp,1),%r11\n\tmovq\t%rdx,%r10\n\tadcq\t$0,%r10\n\tmovq\t%r11,-16(%rdi,%rbp,1)\n\n\txorq\t%r12,%r12\n\n\tmovq\t-8(%rsi,%rbp,1),%rbx\n\tmulq\t%r15\n\taddq\t%rax,%r12\n\tmovq\t%rbx,%rax\n\tadcq\t$0,%rdx\n\taddq\t-8(%rdi,%rbp,1),%r12\n\tmovq\t%rdx,%r13\n\tadcq\t$0,%r13\n\n\tmulq\t%r14\n\taddq\t%rax,%r10\n\tmovq\t%rbx,%rax\n\tadcq\t$0,%rdx\n\taddq\t%r12,%r10\n\tmovq\t%rdx,%r11\n\tadcq\t$0,%r11\n\tmovq\t%r10,-8(%rdi,%rbp,1)\n\n\tleaq\t(%rbp),%rcx\n\tjmp\tL$sqr4x_inner\n\n.p2align\t5\nL$sqr4x_inner:\n\tmovq\t(%rsi,%rcx,1),%rbx\n\tmulq\t%r15\n\taddq\t%rax,%r13\n\tmovq\t%rbx,%rax\n\tmovq\t%rdx,%r12\n\tadcq\t$0,%r12\n\taddq\t(%rdi,%rcx,1),%r13\n\tadcq\t$0,%r12\n\n.byte\t0x67\n\tmulq\t%r14\n\taddq\t%rax,%r11\n\tmovq\t%rbx,%rax\n\tmovq\t8(%rsi,%rcx,1),%rbx\n\tmovq\t%rdx,%r10\n\tadcq\t$0,%r10\n\taddq\t%r13,%r11\n\tadcq\t$0,%r10\n\n\tmulq\t%r15\n\taddq\t%rax,%r12\n\tmovq\t%r11,(%rdi,%rcx,1)\n\tmovq\t%rbx,%rax\n\tmovq\t%rdx,%r13\n\tadcq\t$0,%r13\n\taddq\t8(%rdi,%rcx,1),%r12\n\tleaq\t16(%rcx),%rcx\n\tadcq\t$0,%r13\n\n\tmulq\t%r14\n\taddq\t%rax,%r10\n\tmovq\t%rbx,%rax\n\tadcq\t$0,%rdx\n\taddq\t%r12,%r10\n\tmovq\t%rdx,%r11\n\tadcq\t$0,%r11\n\tmovq\t%r10,-8(%rdi,%rcx,1)\n\n\tcmpq\t$0,%rcx\n\tjne\tL$sqr4x_inner\n\n.byte\t0x67\n\tmulq\t%r15\n\taddq\t%rax,%r13\n\tadcq\t$0,%rdx\n\taddq\t%r11,%r13\n\tadcq\t$0,%rdx\n\n\tmovq\t%r13,(%rdi)\n\tmovq\t%rdx,%r12\n\tmovq\t%rdx,8(%rdi)\n\n\taddq\t$16,%rbp\n\tjnz\tL$sqr4x_outer\n\n\n\tmovq\t-32(%rsi),%r14\n\tleaq\t48+8(%rsp,%r9,2),%rdi\n\tmovq\t-24(%rsi),%rax\n\tleaq\t-32(%rdi,%rbp,1),%rdi\n\tmovq\t-16(%rsi),%rbx\n\tmovq\t%rax,%r15\n\n\tmulq\t%r14\n\taddq\t%rax,%r10\n\tmovq\t%rbx,%rax\n\tmovq\t%rdx,%r11\n\tadcq\t$0,%r11\n\n\tmulq\t%r14\n\taddq\t%rax,%r11\n\tmovq\t%rbx,%rax\n\tmovq\t%r10,-24(%rdi)\n\tmovq\t%rdx,%r10\n\tadcq\t$0,%r10\n\taddq\t%r13,%r11\n\tmovq\t-8(%rsi),%rbx\n\tadcq\t$0,%r10\n\n\tmulq\t%r15\n\taddq\t%rax,%r12\n\tmovq\t%rbx,%rax\n\tmovq\t%r11,-16(%rdi)\n\tmovq\t%rdx,%r13\n\tadcq\t$0,%r13\n\n\tmulq\t%r14\n\taddq\t%rax,%r10\n\tmovq\t%rbx,%rax\n\tmovq\t%rdx,%r11\n\tadcq\t$0,%r11\n\taddq\t%r12,%r10\n\tadcq\t$0,%r11\n\tmovq\t%r10,-8(%rdi)\n\n\tmulq\t%r15\n\taddq\t%rax,%r13\n\tmovq\t-16(%rsi),%rax\n\tadcq\t$0,%rdx\n\taddq\t%r11,%r13\n\tadcq\t$0,%rdx\n\n\tmovq\t%r13,(%rdi)\n\tmovq\t%rdx,%r12\n\tmovq\t%rdx,8(%rdi)\n\n\tmulq\t%rbx\n\taddq\t$16,%rbp\n\txorq\t%r14,%r14\n\tsubq\t%r9,%rbp\n\txorq\t%r15,%r15\n\n\taddq\t%r12,%rax\n\tadcq\t$0,%rdx\n\tmovq\t%rax,8(%rdi)\n\tmovq\t%rdx,16(%rdi)\n\tmovq\t%r15,24(%rdi)\n\n\tmovq\t-16(%rsi,%rbp,1),%rax\n\tleaq\t48+8(%rsp),%rdi\n\txorq\t%r10,%r10\n\tmovq\t8(%rdi),%r11\n\n\tleaq\t(%r14,%r10,2),%r12\n\tshrq\t$63,%r10\n\tleaq\t(%rcx,%r11,2),%r13\n\tshrq\t$63,%r11\n\torq\t%r10,%r13\n\tmovq\t16(%rdi),%r10\n\tmovq\t%r11,%r14\n\tmulq\t%rax\n\tnegq\t%r15\n\tmovq\t24(%rdi),%r11\n\tadcq\t%rax,%r12\n\tmovq\t-8(%rsi,%rbp,1),%rax\n\tmovq\t%r12,(%rdi)\n\tadcq\t%rdx,%r13\n\n\tleaq\t(%r14,%r10,2),%rbx\n\tmovq\t%r13,8(%rdi)\n\tsbbq\t%r15,%r15\n\tshrq\t$63,%r10\n\tleaq\t(%rcx,%r11,2),%r8\n\tshrq\t$63,%r11\n\torq\t%r10,%r8\n\tmovq\t32(%rdi),%r10\n\tmovq\t%r11,%r14\n\tmulq\t%rax\n\tnegq\t%r15\n\tmovq\t40(%rdi),%r11\n\tadcq\t%rax,%rbx\n\tmovq\t0(%rsi,%rbp,1),%rax\n\tmovq\t%rbx,16(%rdi)\n\tadcq\t%rdx,%r8\n\tleaq\t16(%rbp),%rbp\n\tmovq\t%r8,24(%rdi)\n\tsbbq\t%r15,%r15\n\tleaq\t64(%rdi),%rdi\n\tjmp\tL$sqr4x_shift_n_add\n\n.p2align\t5\nL$sqr4x_shift_n_add:\n\tleaq\t(%r14,%r10,2),%r12\n\tshrq\t$63,%r10\n\tleaq\t(%rcx,%r11,2),%r13\n\tshrq\t$63,%r11\n\torq\t%r10,%r13\n\tmovq\t-16(%rdi),%r10\n\tmovq\t%r11,%r14\n\tmulq\t%rax\n\tnegq\t%r15\n\tmovq\t-8(%rdi),%r11\n\tadcq\t%rax,%r12\n\tmovq\t-8(%rsi,%rbp,1),%rax\n\tmovq\t%r12,-32(%rdi)\n\tadcq\t%rdx,%r13\n\n\tleaq\t(%r14,%r10,2),%rbx\n\tmovq\t%r13,-24(%rdi)\n\tsbbq\t%r15,%r15\n\tshrq\t$63,%r10\n\tleaq\t(%rcx,%r11,2),%r8\n\tshrq\t$63,%r11\n\torq\t%r10,%r8\n\tmovq\t0(%rdi),%r10\n\tmovq\t%r11,%r14\n\tmulq\t%rax\n\tnegq\t%r15\n\tmovq\t8(%rdi),%r11\n\tadcq\t%rax,%rbx\n\tmovq\t0(%rsi,%rbp,1),%rax\n\tmovq\t%rbx,-16(%rdi)\n\tadcq\t%rdx,%r8\n\n\tleaq\t(%r14,%r10,2),%r12\n\tmovq\t%r8,-8(%rdi)\n\tsbbq\t%r15,%r15\n\tshrq\t$63,%r10\n\tleaq\t(%rcx,%r11,2),%r13\n\tshrq\t$63,%r11\n\torq\t%r10,%r13\n\tmovq\t16(%rdi),%r10\n\tmovq\t%r11,%r14\n\tmulq\t%rax\n\tnegq\t%r15\n\tmovq\t24(%rdi),%r11\n\tadcq\t%rax,%r12\n\tmovq\t8(%rsi,%rbp,1),%rax\n\tmovq\t%r12,0(%rdi)\n\tadcq\t%rdx,%r13\n\n\tleaq\t(%r14,%r10,2),%rbx\n\tmovq\t%r13,8(%rdi)\n\tsbbq\t%r15,%r15\n\tshrq\t$63,%r10\n\tleaq\t(%rcx,%r11,2),%r8\n\tshrq\t$63,%r11\n\torq\t%r10,%r8\n\tmovq\t32(%rdi),%r10\n\tmovq\t%r11,%r14\n\tmulq\t%rax\n\tnegq\t%r15\n\tmovq\t40(%rdi),%r11\n\tadcq\t%rax,%rbx\n\tmovq\t16(%rsi,%rbp,1),%rax\n\tmovq\t%rbx,16(%rdi)\n\tadcq\t%rdx,%r8\n\tmovq\t%r8,24(%rdi)\n\tsbbq\t%r15,%r15\n\tleaq\t64(%rdi),%rdi\n\taddq\t$32,%rbp\n\tjnz\tL$sqr4x_shift_n_add\n\n\tleaq\t(%r14,%r10,2),%r12\n.byte\t0x67\n\tshrq\t$63,%r10\n\tleaq\t(%rcx,%r11,2),%r13\n\tshrq\t$63,%r11\n\torq\t%r10,%r13\n\tmovq\t-16(%rdi),%r10\n\tmovq\t%r11,%r14\n\tmulq\t%rax\n\tnegq\t%r15\n\tmovq\t-8(%rdi),%r11\n\tadcq\t%rax,%r12\n\tmovq\t-8(%rsi),%rax\n\tmovq\t%r12,-32(%rdi)\n\tadcq\t%rdx,%r13\n\n\tleaq\t(%r14,%r10,2),%rbx\n\tmovq\t%r13,-24(%rdi)\n\tsbbq\t%r15,%r15\n\tshrq\t$63,%r10\n\tleaq\t(%rcx,%r11,2),%r8\n\tshrq\t$63,%r11\n\torq\t%r10,%r8\n\tmulq\t%rax\n\tnegq\t%r15\n\tadcq\t%rax,%rbx\n\tadcq\t%rdx,%r8\n\tmovq\t%rbx,-16(%rdi)\n\tmovq\t%r8,-8(%rdi)\n.byte\t102,72,15,126,213\n__bn_sqr8x_reduction:\n\txorq\t%rax,%rax\n\tleaq\t(%r9,%rbp,1),%rcx\n\tleaq\t48+8(%rsp,%r9,2),%rdx\n\tmovq\t%rcx,0+8(%rsp)\n\tleaq\t48+8(%rsp,%r9,1),%rdi\n\tmovq\t%rdx,8+8(%rsp)\n\tnegq\t%r9\n\tjmp\tL$8x_reduction_loop\n\n.p2align\t5\nL$8x_reduction_loop:\n\tleaq\t(%rdi,%r9,1),%rdi\n.byte\t0x66\n\tmovq\t0(%rdi),%rbx\n\tmovq\t8(%rdi),%r9\n\tmovq\t16(%rdi),%r10\n\tmovq\t24(%rdi),%r11\n\tmovq\t32(%rdi),%r12\n\tmovq\t40(%rdi),%r13\n\tmovq\t48(%rdi),%r14\n\tmovq\t56(%rdi),%r15\n\tmovq\t%rax,(%rdx)\n\tleaq\t64(%rdi),%rdi\n\n.byte\t0x67\n\tmovq\t%rbx,%r8\n\timulq\t32+8(%rsp),%rbx\n\tmovq\t0(%rbp),%rax\n\tmovl\t$8,%ecx\n\tjmp\tL$8x_reduce\n\n.p2align\t5\nL$8x_reduce:\n\tmulq\t%rbx\n\tmovq\t8(%rbp),%rax\n\tnegq\t%r8\n\tmovq\t%rdx,%r8\n\tadcq\t$0,%r8\n\n\tmulq\t%rbx\n\taddq\t%rax,%r9\n\tmovq\t16(%rbp),%rax\n\tadcq\t$0,%rdx\n\taddq\t%r9,%r8\n\tmovq\t%rbx,48-8+8(%rsp,%rcx,8)\n\tmovq\t%rdx,%r9\n\tadcq\t$0,%r9\n\n\tmulq\t%rbx\n\taddq\t%rax,%r10\n\tmovq\t24(%rbp),%rax\n\tadcq\t$0,%rdx\n\taddq\t%r10,%r9\n\tmovq\t32+8(%rsp),%rsi\n\tmovq\t%rdx,%r10\n\tadcq\t$0,%r10\n\n\tmulq\t%rbx\n\taddq\t%rax,%r11\n\tmovq\t32(%rbp),%rax\n\tadcq\t$0,%rdx\n\timulq\t%r8,%rsi\n\taddq\t%r11,%r10\n\tmovq\t%rdx,%r11\n\tadcq\t$0,%r11\n\n\tmulq\t%rbx\n\taddq\t%rax,%r12\n\tmovq\t40(%rbp),%rax\n\tadcq\t$0,%rdx\n\taddq\t%r12,%r11\n\tmovq\t%rdx,%r12\n\tadcq\t$0,%r12\n\n\tmulq\t%rbx\n\taddq\t%rax,%r13\n\tmovq\t48(%rbp),%rax\n\tadcq\t$0,%rdx\n\taddq\t%r13,%r12\n\tmovq\t%rdx,%r13\n\tadcq\t$0,%r13\n\n\tmulq\t%rbx\n\taddq\t%rax,%r14\n\tmovq\t56(%rbp),%rax\n\tadcq\t$0,%rdx\n\taddq\t%r14,%r13\n\tmovq\t%rdx,%r14\n\tadcq\t$0,%r14\n\n\tmulq\t%rbx\n\tmovq\t%rsi,%rbx\n\taddq\t%rax,%r15\n\tmovq\t0(%rbp),%rax\n\tadcq\t$0,%rdx\n\taddq\t%r15,%r14\n\tmovq\t%rdx,%r15\n\tadcq\t$0,%r15\n\n\tdecl\t%ecx\n\tjnz\tL$8x_reduce\n\n\tleaq\t64(%rbp),%rbp\n\txorq\t%rax,%rax\n\tmovq\t8+8(%rsp),%rdx\n\tcmpq\t0+8(%rsp),%rbp\n\tjae\tL$8x_no_tail\n\n.byte\t0x66\n\taddq\t0(%rdi),%r8\n\tadcq\t8(%rdi),%r9\n\tadcq\t16(%rdi),%r10\n\tadcq\t24(%rdi),%r11\n\tadcq\t32(%rdi),%r12\n\tadcq\t40(%rdi),%r13\n\tadcq\t48(%rdi),%r14\n\tadcq\t56(%rdi),%r15\n\tsbbq\t%rsi,%rsi\n\n\tmovq\t48+56+8(%rsp),%rbx\n\tmovl\t$8,%ecx\n\tmovq\t0(%rbp),%rax\n\tjmp\tL$8x_tail\n\n.p2align\t5\nL$8x_tail:\n\tmulq\t%rbx\n\taddq\t%rax,%r8\n\tmovq\t8(%rbp),%rax\n\tmovq\t%r8,(%rdi)\n\tmovq\t%rdx,%r8\n\tadcq\t$0,%r8\n\n\tmulq\t%rbx\n\taddq\t%rax,%r9\n\tmovq\t16(%rbp),%rax\n\tadcq\t$0,%rdx\n\taddq\t%r9,%r8\n\tleaq\t8(%rdi),%rdi\n\tmovq\t%rdx,%r9\n\tadcq\t$0,%r9\n\n\tmulq\t%rbx\n\taddq\t%rax,%r10\n\tmovq\t24(%rbp),%rax\n\tadcq\t$0,%rdx\n\taddq\t%r10,%r9\n\tmovq\t%rdx,%r10\n\tadcq\t$0,%r10\n\n\tmulq\t%rbx\n\taddq\t%rax,%r11\n\tmovq\t32(%rbp),%rax\n\tadcq\t$0,%rdx\n\taddq\t%r11,%r10\n\tmovq\t%rdx,%r11\n\tadcq\t$0,%r11\n\n\tmulq\t%rbx\n\taddq\t%rax,%r12\n\tmovq\t40(%rbp),%rax\n\tadcq\t$0,%rdx\n\taddq\t%r12,%r11\n\tmovq\t%rdx,%r12\n\tadcq\t$0,%r12\n\n\tmulq\t%rbx\n\taddq\t%rax,%r13\n\tmovq\t48(%rbp),%rax\n\tadcq\t$0,%rdx\n\taddq\t%r13,%r12\n\tmovq\t%rdx,%r13\n\tadcq\t$0,%r13\n\n\tmulq\t%rbx\n\taddq\t%rax,%r14\n\tmovq\t56(%rbp),%rax\n\tadcq\t$0,%rdx\n\taddq\t%r14,%r13\n\tmovq\t%rdx,%r14\n\tadcq\t$0,%r14\n\n\tmulq\t%rbx\n\tmovq\t48-16+8(%rsp,%rcx,8),%rbx\n\taddq\t%rax,%r15\n\tadcq\t$0,%rdx\n\taddq\t%r15,%r14\n\tmovq\t0(%rbp),%rax\n\tmovq\t%rdx,%r15\n\tadcq\t$0,%r15\n\n\tdecl\t%ecx\n\tjnz\tL$8x_tail\n\n\tleaq\t64(%rbp),%rbp\n\tmovq\t8+8(%rsp),%rdx\n\tcmpq\t0+8(%rsp),%rbp\n\tjae\tL$8x_tail_done\n\n\tmovq\t48+56+8(%rsp),%rbx\n\tnegq\t%rsi\n\tmovq\t0(%rbp),%rax\n\tadcq\t0(%rdi),%r8\n\tadcq\t8(%rdi),%r9\n\tadcq\t16(%rdi),%r10\n\tadcq\t24(%rdi),%r11\n\tadcq\t32(%rdi),%r12\n\tadcq\t40(%rdi),%r13\n\tadcq\t48(%rdi),%r14\n\tadcq\t56(%rdi),%r15\n\tsbbq\t%rsi,%rsi\n\n\tmovl\t$8,%ecx\n\tjmp\tL$8x_tail\n\n.p2align\t5\nL$8x_tail_done:\n\txorq\t%rax,%rax\n\taddq\t(%rdx),%r8\n\tadcq\t$0,%r9\n\tadcq\t$0,%r10\n\tadcq\t$0,%r11\n\tadcq\t$0,%r12\n\tadcq\t$0,%r13\n\tadcq\t$0,%r14\n\tadcq\t$0,%r15\n\tadcq\t$0,%rax\n\n\tnegq\t%rsi\nL$8x_no_tail:\n\tadcq\t0(%rdi),%r8\n\tadcq\t8(%rdi),%r9\n\tadcq\t16(%rdi),%r10\n\tadcq\t24(%rdi),%r11\n\tadcq\t32(%rdi),%r12\n\tadcq\t40(%rdi),%r13\n\tadcq\t48(%rdi),%r14\n\tadcq\t56(%rdi),%r15\n\tadcq\t$0,%rax\n\tmovq\t-8(%rbp),%rcx\n\txorq\t%rsi,%rsi\n\n.byte\t102,72,15,126,213\n\n\tmovq\t%r8,0(%rdi)\n\tmovq\t%r9,8(%rdi)\n.byte\t102,73,15,126,217\n\tmovq\t%r10,16(%rdi)\n\tmovq\t%r11,24(%rdi)\n\tmovq\t%r12,32(%rdi)\n\tmovq\t%r13,40(%rdi)\n\tmovq\t%r14,48(%rdi)\n\tmovq\t%r15,56(%rdi)\n\tleaq\t64(%rdi),%rdi\n\n\tcmpq\t%rdx,%rdi\n\tjb\tL$8x_reduction_loop\n\tret\n\n\n\n.p2align\t5\n__bn_post4x_internal:\n\n\tmovq\t0(%rbp),%r12\n\tleaq\t(%rdi,%r9,1),%rbx\n\tmovq\t%r9,%rcx\n.byte\t102,72,15,126,207\n\tnegq\t%rax\n.byte\t102,72,15,126,206\n\tsarq\t$3+2,%rcx\n\tdecq\t%r12\n\txorq\t%r10,%r10\n\tmovq\t8(%rbp),%r13\n\tmovq\t16(%rbp),%r14\n\tmovq\t24(%rbp),%r15\n\tjmp\tL$sqr4x_sub_entry\n\n.p2align\t4\nL$sqr4x_sub:\n\tmovq\t0(%rbp),%r12\n\tmovq\t8(%rbp),%r13\n\tmovq\t16(%rbp),%r14\n\tmovq\t24(%rbp),%r15\nL$sqr4x_sub_entry:\n\tleaq\t32(%rbp),%rbp\n\tnotq\t%r12\n\tnotq\t%r13\n\tnotq\t%r14\n\tnotq\t%r15\n\tandq\t%rax,%r12\n\tandq\t%rax,%r13\n\tandq\t%rax,%r14\n\tandq\t%rax,%r15\n\n\tnegq\t%r10\n\tadcq\t0(%rbx),%r12\n\tadcq\t8(%rbx),%r13\n\tadcq\t16(%rbx),%r14\n\tadcq\t24(%rbx),%r15\n\tmovq\t%r12,0(%rdi)\n\tleaq\t32(%rbx),%rbx\n\tmovq\t%r13,8(%rdi)\n\tsbbq\t%r10,%r10\n\tmovq\t%r14,16(%rdi)\n\tmovq\t%r15,24(%rdi)\n\tleaq\t32(%rdi),%rdi\n\n\tincq\t%rcx\n\tjnz\tL$sqr4x_sub\n\n\tmovq\t%r9,%r10\n\tnegq\t%r9\n\tret\n\n\n.globl\t_bn_mulx4x_mont_gather5\n.private_extern _bn_mulx4x_mont_gather5\n\n.p2align\t5\n_bn_mulx4x_mont_gather5:\n\n_CET_ENDBR\n\tmovq\t%rsp,%rax\n\n\tpushq\t%rbx\n\n\tpushq\t%rbp\n\n\tpushq\t%r12\n\n\tpushq\t%r13\n\n\tpushq\t%r14\n\n\tpushq\t%r15\n\nL$mulx4x_prologue:\n\n\n\n\n\tshll\t$3,%r9d\n\tleaq\t(%r9,%r9,2),%r10\n\tnegq\t%r9\n\tmovq\t(%r8),%r8\n\n\n\n\n\n\n\n\n\n\n\tleaq\t-320(%rsp,%r9,2),%r11\n\tmovq\t%rsp,%rbp\n\tsubq\t%rdi,%r11\n\tandq\t$4095,%r11\n\tcmpq\t%r11,%r10\n\tjb\tL$mulx4xsp_alt\n\tsubq\t%r11,%rbp\n\tleaq\t-320(%rbp,%r9,2),%rbp\n\tjmp\tL$mulx4xsp_done\n\nL$mulx4xsp_alt:\n\tleaq\t4096-320(,%r9,2),%r10\n\tleaq\t-320(%rbp,%r9,2),%rbp\n\tsubq\t%r10,%r11\n\tmovq\t$0,%r10\n\tcmovcq\t%r10,%r11\n\tsubq\t%r11,%rbp\nL$mulx4xsp_done:\n\tandq\t$-64,%rbp\n\tmovq\t%rsp,%r11\n\tsubq\t%rbp,%r11\n\tandq\t$-4096,%r11\n\tleaq\t(%r11,%rbp,1),%rsp\n\tmovq\t(%rsp),%r10\n\tcmpq\t%rbp,%rsp\n\tja\tL$mulx4x_page_walk\n\tjmp\tL$mulx4x_page_walk_done\n\nL$mulx4x_page_walk:\n\tleaq\t-4096(%rsp),%rsp\n\tmovq\t(%rsp),%r10\n\tcmpq\t%rbp,%rsp\n\tja\tL$mulx4x_page_walk\nL$mulx4x_page_walk_done:\n\n\n\n\n\n\n\n\n\n\n\n\n\n\tmovq\t%r8,32(%rsp)\n\tmovq\t%rax,40(%rsp)\n\nL$mulx4x_body:\n\tcall\tmulx4x_internal\n\n\tmovq\t40(%rsp),%rsi\n\n\tmovq\t$1,%rax\n\n\tmovq\t-48(%rsi),%r15\n\n\tmovq\t-40(%rsi),%r14\n\n\tmovq\t-32(%rsi),%r13\n\n\tmovq\t-24(%rsi),%r12\n\n\tmovq\t-16(%rsi),%rbp\n\n\tmovq\t-8(%rsi),%rbx\n\n\tleaq\t(%rsi),%rsp\n\nL$mulx4x_epilogue:\n\tret\n\n\n\n\n.p2align\t5\nmulx4x_internal:\n\n\tmovq\t%r9,8(%rsp)\n\tmovq\t%r9,%r10\n\tnegq\t%r9\n\tshlq\t$5,%r9\n\tnegq\t%r10\n\tleaq\t128(%rdx,%r9,1),%r13\n\tshrq\t$5+5,%r9\n\tmovd\t8(%rax),%xmm5\n\tsubq\t$1,%r9\n\tleaq\tL$inc(%rip),%rax\n\tmovq\t%r13,16+8(%rsp)\n\tmovq\t%r9,24+8(%rsp)\n\tmovq\t%rdi,56+8(%rsp)\n\tmovdqa\t0(%rax),%xmm0\n\tmovdqa\t16(%rax),%xmm1\n\tleaq\t88-112(%rsp,%r10,1),%r10\n\tleaq\t128(%rdx),%rdi\n\n\tpshufd\t$0,%xmm5,%xmm5\n\tmovdqa\t%xmm1,%xmm4\n.byte\t0x67\n\tmovdqa\t%xmm1,%xmm2\n.byte\t0x67\n\tpaddd\t%xmm0,%xmm1\n\tpcmpeqd\t%xmm5,%xmm0\n\tmovdqa\t%xmm4,%xmm3\n\tpaddd\t%xmm1,%xmm2\n\tpcmpeqd\t%xmm5,%xmm1\n\tmovdqa\t%xmm0,112(%r10)\n\tmovdqa\t%xmm4,%xmm0\n\n\tpaddd\t%xmm2,%xmm3\n\tpcmpeqd\t%xmm5,%xmm2\n\tmovdqa\t%xmm1,128(%r10)\n\tmovdqa\t%xmm4,%xmm1\n\n\tpaddd\t%xmm3,%xmm0\n\tpcmpeqd\t%xmm5,%xmm3\n\tmovdqa\t%xmm2,144(%r10)\n\tmovdqa\t%xmm4,%xmm2\n\n\tpaddd\t%xmm0,%xmm1\n\tpcmpeqd\t%xmm5,%xmm0\n\tmovdqa\t%xmm3,160(%r10)\n\tmovdqa\t%xmm4,%xmm3\n\tpaddd\t%xmm1,%xmm2\n\tpcmpeqd\t%xmm5,%xmm1\n\tmovdqa\t%xmm0,176(%r10)\n\tmovdqa\t%xmm4,%xmm0\n\n\tpaddd\t%xmm2,%xmm3\n\tpcmpeqd\t%xmm5,%xmm2\n\tmovdqa\t%xmm1,192(%r10)\n\tmovdqa\t%xmm4,%xmm1\n\n\tpaddd\t%xmm3,%xmm0\n\tpcmpeqd\t%xmm5,%xmm3\n\tmovdqa\t%xmm2,208(%r10)\n\tmovdqa\t%xmm4,%xmm2\n\n\tpaddd\t%xmm0,%xmm1\n\tpcmpeqd\t%xmm5,%xmm0\n\tmovdqa\t%xmm3,224(%r10)\n\tmovdqa\t%xmm4,%xmm3\n\tpaddd\t%xmm1,%xmm2\n\tpcmpeqd\t%xmm5,%xmm1\n\tmovdqa\t%xmm0,240(%r10)\n\tmovdqa\t%xmm4,%xmm0\n\n\tpaddd\t%xmm2,%xmm3\n\tpcmpeqd\t%xmm5,%xmm2\n\tmovdqa\t%xmm1,256(%r10)\n\tmovdqa\t%xmm4,%xmm1\n\n\tpaddd\t%xmm3,%xmm0\n\tpcmpeqd\t%xmm5,%xmm3\n\tmovdqa\t%xmm2,272(%r10)\n\tmovdqa\t%xmm4,%xmm2\n\n\tpaddd\t%xmm0,%xmm1\n\tpcmpeqd\t%xmm5,%xmm0\n\tmovdqa\t%xmm3,288(%r10)\n\tmovdqa\t%xmm4,%xmm3\n.byte\t0x67\n\tpaddd\t%xmm1,%xmm2\n\tpcmpeqd\t%xmm5,%xmm1\n\tmovdqa\t%xmm0,304(%r10)\n\n\tpaddd\t%xmm2,%xmm3\n\tpcmpeqd\t%xmm5,%xmm2\n\tmovdqa\t%xmm1,320(%r10)\n\n\tpcmpeqd\t%xmm5,%xmm3\n\tmovdqa\t%xmm2,336(%r10)\n\n\tpand\t64(%rdi),%xmm0\n\tpand\t80(%rdi),%xmm1\n\tpand\t96(%rdi),%xmm2\n\tmovdqa\t%xmm3,352(%r10)\n\tpand\t112(%rdi),%xmm3\n\tpor\t%xmm2,%xmm0\n\tpor\t%xmm3,%xmm1\n\tmovdqa\t-128(%rdi),%xmm4\n\tmovdqa\t-112(%rdi),%xmm5\n\tmovdqa\t-96(%rdi),%xmm2\n\tpand\t112(%r10),%xmm4\n\tmovdqa\t-80(%rdi),%xmm3\n\tpand\t128(%r10),%xmm5\n\tpor\t%xmm4,%xmm0\n\tpand\t144(%r10),%xmm2\n\tpor\t%xmm5,%xmm1\n\tpand\t160(%r10),%xmm3\n\tpor\t%xmm2,%xmm0\n\tpor\t%xmm3,%xmm1\n\tmovdqa\t-64(%rdi),%xmm4\n\tmovdqa\t-48(%rdi),%xmm5\n\tmovdqa\t-32(%rdi),%xmm2\n\tpand\t176(%r10),%xmm4\n\tmovdqa\t-16(%rdi),%xmm3\n\tpand\t192(%r10),%xmm5\n\tpor\t%xmm4,%xmm0\n\tpand\t208(%r10),%xmm2\n\tpor\t%xmm5,%xmm1\n\tpand\t224(%r10),%xmm3\n\tpor\t%xmm2,%xmm0\n\tpor\t%xmm3,%xmm1\n\tmovdqa\t0(%rdi),%xmm4\n\tmovdqa\t16(%rdi),%xmm5\n\tmovdqa\t32(%rdi),%xmm2\n\tpand\t240(%r10),%xmm4\n\tmovdqa\t48(%rdi),%xmm3\n\tpand\t256(%r10),%xmm5\n\tpor\t%xmm4,%xmm0\n\tpand\t272(%r10),%xmm2\n\tpor\t%xmm5,%xmm1\n\tpand\t288(%r10),%xmm3\n\tpor\t%xmm2,%xmm0\n\tpor\t%xmm3,%xmm1\n\tpxor\t%xmm1,%xmm0\n\n\tpshufd\t$0x4e,%xmm0,%xmm1\n\tpor\t%xmm1,%xmm0\n\tleaq\t256(%rdi),%rdi\n.byte\t102,72,15,126,194\n\tleaq\t64+32+8(%rsp),%rbx\n\n\tmovq\t%rdx,%r9\n\tmulxq\t0(%rsi),%r8,%rax\n\tmulxq\t8(%rsi),%r11,%r12\n\taddq\t%rax,%r11\n\tmulxq\t16(%rsi),%rax,%r13\n\tadcq\t%rax,%r12\n\tadcq\t$0,%r13\n\tmulxq\t24(%rsi),%rax,%r14\n\n\tmovq\t%r8,%r15\n\timulq\t32+8(%rsp),%r8\n\txorq\t%rbp,%rbp\n\tmovq\t%r8,%rdx\n\n\tmovq\t%rdi,8+8(%rsp)\n\n\tleaq\t32(%rsi),%rsi\n\tadcxq\t%rax,%r13\n\tadcxq\t%rbp,%r14\n\n\tmulxq\t0(%rcx),%rax,%r10\n\tadcxq\t%rax,%r15\n\tadoxq\t%r11,%r10\n\tmulxq\t8(%rcx),%rax,%r11\n\tadcxq\t%rax,%r10\n\tadoxq\t%r12,%r11\n\tmulxq\t16(%rcx),%rax,%r12\n\tmovq\t24+8(%rsp),%rdi\n\tmovq\t%r10,-32(%rbx)\n\tadcxq\t%rax,%r11\n\tadoxq\t%r13,%r12\n\tmulxq\t24(%rcx),%rax,%r15\n\tmovq\t%r9,%rdx\n\tmovq\t%r11,-24(%rbx)\n\tadcxq\t%rax,%r12\n\tadoxq\t%rbp,%r15\n\tleaq\t32(%rcx),%rcx\n\tmovq\t%r12,-16(%rbx)\n\tjmp\tL$mulx4x_1st\n\n.p2align\t5\nL$mulx4x_1st:\n\tadcxq\t%rbp,%r15\n\tmulxq\t0(%rsi),%r10,%rax\n\tadcxq\t%r14,%r10\n\tmulxq\t8(%rsi),%r11,%r14\n\tadcxq\t%rax,%r11\n\tmulxq\t16(%rsi),%r12,%rax\n\tadcxq\t%r14,%r12\n\tmulxq\t24(%rsi),%r13,%r14\n.byte\t0x67,0x67\n\tmovq\t%r8,%rdx\n\tadcxq\t%rax,%r13\n\tadcxq\t%rbp,%r14\n\tleaq\t32(%rsi),%rsi\n\tleaq\t32(%rbx),%rbx\n\n\tadoxq\t%r15,%r10\n\tmulxq\t0(%rcx),%rax,%r15\n\tadcxq\t%rax,%r10\n\tadoxq\t%r15,%r11\n\tmulxq\t8(%rcx),%rax,%r15\n\tadcxq\t%rax,%r11\n\tadoxq\t%r15,%r12\n\tmulxq\t16(%rcx),%rax,%r15\n\tmovq\t%r10,-40(%rbx)\n\tadcxq\t%rax,%r12\n\tmovq\t%r11,-32(%rbx)\n\tadoxq\t%r15,%r13\n\tmulxq\t24(%rcx),%rax,%r15\n\tmovq\t%r9,%rdx\n\tmovq\t%r12,-24(%rbx)\n\tadcxq\t%rax,%r13\n\tadoxq\t%rbp,%r15\n\tleaq\t32(%rcx),%rcx\n\tmovq\t%r13,-16(%rbx)\n\n\tdecq\t%rdi\n\tjnz\tL$mulx4x_1st\n\n\tmovq\t8(%rsp),%rax\n\tadcq\t%rbp,%r15\n\tleaq\t(%rsi,%rax,1),%rsi\n\taddq\t%r15,%r14\n\tmovq\t8+8(%rsp),%rdi\n\tadcq\t%rbp,%rbp\n\tmovq\t%r14,-8(%rbx)\n\tjmp\tL$mulx4x_outer\n\n.p2align\t5\nL$mulx4x_outer:\n\tleaq\t16-256(%rbx),%r10\n\tpxor\t%xmm4,%xmm4\n.byte\t0x67,0x67\n\tpxor\t%xmm5,%xmm5\n\tmovdqa\t-128(%rdi),%xmm0\n\tmovdqa\t-112(%rdi),%xmm1\n\tmovdqa\t-96(%rdi),%xmm2\n\tpand\t256(%r10),%xmm0\n\tmovdqa\t-80(%rdi),%xmm3\n\tpand\t272(%r10),%xmm1\n\tpor\t%xmm0,%xmm4\n\tpand\t288(%r10),%xmm2\n\tpor\t%xmm1,%xmm5\n\tpand\t304(%r10),%xmm3\n\tpor\t%xmm2,%xmm4\n\tpor\t%xmm3,%xmm5\n\tmovdqa\t-64(%rdi),%xmm0\n\tmovdqa\t-48(%rdi),%xmm1\n\tmovdqa\t-32(%rdi),%xmm2\n\tpand\t320(%r10),%xmm0\n\tmovdqa\t-16(%rdi),%xmm3\n\tpand\t336(%r10),%xmm1\n\tpor\t%xmm0,%xmm4\n\tpand\t352(%r10),%xmm2\n\tpor\t%xmm1,%xmm5\n\tpand\t368(%r10),%xmm3\n\tpor\t%xmm2,%xmm4\n\tpor\t%xmm3,%xmm5\n\tmovdqa\t0(%rdi),%xmm0\n\tmovdqa\t16(%rdi),%xmm1\n\tmovdqa\t32(%rdi),%xmm2\n\tpand\t384(%r10),%xmm0\n\tmovdqa\t48(%rdi),%xmm3\n\tpand\t400(%r10),%xmm1\n\tpor\t%xmm0,%xmm4\n\tpand\t416(%r10),%xmm2\n\tpor\t%xmm1,%xmm5\n\tpand\t432(%r10),%xmm3\n\tpor\t%xmm2,%xmm4\n\tpor\t%xmm3,%xmm5\n\tmovdqa\t64(%rdi),%xmm0\n\tmovdqa\t80(%rdi),%xmm1\n\tmovdqa\t96(%rdi),%xmm2\n\tpand\t448(%r10),%xmm0\n\tmovdqa\t112(%rdi),%xmm3\n\tpand\t464(%r10),%xmm1\n\tpor\t%xmm0,%xmm4\n\tpand\t480(%r10),%xmm2\n\tpor\t%xmm1,%xmm5\n\tpand\t496(%r10),%xmm3\n\tpor\t%xmm2,%xmm4\n\tpor\t%xmm3,%xmm5\n\tpor\t%xmm5,%xmm4\n\n\tpshufd\t$0x4e,%xmm4,%xmm0\n\tpor\t%xmm4,%xmm0\n\tleaq\t256(%rdi),%rdi\n.byte\t102,72,15,126,194\n\n\tmovq\t%rbp,(%rbx)\n\tleaq\t32(%rbx,%rax,1),%rbx\n\tmulxq\t0(%rsi),%r8,%r11\n\txorq\t%rbp,%rbp\n\tmovq\t%rdx,%r9\n\tmulxq\t8(%rsi),%r14,%r12\n\tadoxq\t-32(%rbx),%r8\n\tadcxq\t%r14,%r11\n\tmulxq\t16(%rsi),%r15,%r13\n\tadoxq\t-24(%rbx),%r11\n\tadcxq\t%r15,%r12\n\tmulxq\t24(%rsi),%rdx,%r14\n\tadoxq\t-16(%rbx),%r12\n\tadcxq\t%rdx,%r13\n\tleaq\t(%rcx,%rax,1),%rcx\n\tleaq\t32(%rsi),%rsi\n\tadoxq\t-8(%rbx),%r13\n\tadcxq\t%rbp,%r14\n\tadoxq\t%rbp,%r14\n\n\tmovq\t%r8,%r15\n\timulq\t32+8(%rsp),%r8\n\n\tmovq\t%r8,%rdx\n\txorq\t%rbp,%rbp\n\tmovq\t%rdi,8+8(%rsp)\n\n\tmulxq\t0(%rcx),%rax,%r10\n\tadcxq\t%rax,%r15\n\tadoxq\t%r11,%r10\n\tmulxq\t8(%rcx),%rax,%r11\n\tadcxq\t%rax,%r10\n\tadoxq\t%r12,%r11\n\tmulxq\t16(%rcx),%rax,%r12\n\tadcxq\t%rax,%r11\n\tadoxq\t%r13,%r12\n\tmulxq\t24(%rcx),%rax,%r15\n\tmovq\t%r9,%rdx\n\tmovq\t24+8(%rsp),%rdi\n\tmovq\t%r10,-32(%rbx)\n\tadcxq\t%rax,%r12\n\tmovq\t%r11,-24(%rbx)\n\tadoxq\t%rbp,%r15\n\tmovq\t%r12,-16(%rbx)\n\tleaq\t32(%rcx),%rcx\n\tjmp\tL$mulx4x_inner\n\n.p2align\t5\nL$mulx4x_inner:\n\tmulxq\t0(%rsi),%r10,%rax\n\tadcxq\t%rbp,%r15\n\tadoxq\t%r14,%r10\n\tmulxq\t8(%rsi),%r11,%r14\n\tadcxq\t0(%rbx),%r10\n\tadoxq\t%rax,%r11\n\tmulxq\t16(%rsi),%r12,%rax\n\tadcxq\t8(%rbx),%r11\n\tadoxq\t%r14,%r12\n\tmulxq\t24(%rsi),%r13,%r14\n\tmovq\t%r8,%rdx\n\tadcxq\t16(%rbx),%r12\n\tadoxq\t%rax,%r13\n\tadcxq\t24(%rbx),%r13\n\tadoxq\t%rbp,%r14\n\tleaq\t32(%rsi),%rsi\n\tleaq\t32(%rbx),%rbx\n\tadcxq\t%rbp,%r14\n\n\tadoxq\t%r15,%r10\n\tmulxq\t0(%rcx),%rax,%r15\n\tadcxq\t%rax,%r10\n\tadoxq\t%r15,%r11\n\tmulxq\t8(%rcx),%rax,%r15\n\tadcxq\t%rax,%r11\n\tadoxq\t%r15,%r12\n\tmulxq\t16(%rcx),%rax,%r15\n\tmovq\t%r10,-40(%rbx)\n\tadcxq\t%rax,%r12\n\tadoxq\t%r15,%r13\n\tmovq\t%r11,-32(%rbx)\n\tmulxq\t24(%rcx),%rax,%r15\n\tmovq\t%r9,%rdx\n\tleaq\t32(%rcx),%rcx\n\tmovq\t%r12,-24(%rbx)\n\tadcxq\t%rax,%r13\n\tadoxq\t%rbp,%r15\n\tmovq\t%r13,-16(%rbx)\n\n\tdecq\t%rdi\n\tjnz\tL$mulx4x_inner\n\n\tmovq\t0+8(%rsp),%rax\n\tadcq\t%rbp,%r15\n\tsubq\t0(%rbx),%rdi\n\tmovq\t8+8(%rsp),%rdi\n\tmovq\t16+8(%rsp),%r10\n\tadcq\t%r15,%r14\n\tleaq\t(%rsi,%rax,1),%rsi\n\tadcq\t%rbp,%rbp\n\tmovq\t%r14,-8(%rbx)\n\n\tcmpq\t%r10,%rdi\n\tjb\tL$mulx4x_outer\n\n\tmovq\t-8(%rcx),%r10\n\tmovq\t%rbp,%r8\n\tmovq\t(%rcx,%rax,1),%r12\n\tleaq\t(%rcx,%rax,1),%rbp\n\tmovq\t%rax,%rcx\n\tleaq\t(%rbx,%rax,1),%rdi\n\txorl\t%eax,%eax\n\txorq\t%r15,%r15\n\tsubq\t%r14,%r10\n\tadcq\t%r15,%r15\n\torq\t%r15,%r8\n\tsarq\t$3+2,%rcx\n\tsubq\t%r8,%rax\n\tmovq\t56+8(%rsp),%rdx\n\tdecq\t%r12\n\tmovq\t8(%rbp),%r13\n\txorq\t%r8,%r8\n\tmovq\t16(%rbp),%r14\n\tmovq\t24(%rbp),%r15\n\tjmp\tL$sqrx4x_sub_entry\n\n\n.globl\t_bn_powerx5\n.private_extern _bn_powerx5\n\n.p2align\t5\n_bn_powerx5:\n\n_CET_ENDBR\n\tmovq\t%rsp,%rax\n\n\tpushq\t%rbx\n\n\tpushq\t%rbp\n\n\tpushq\t%r12\n\n\tpushq\t%r13\n\n\tpushq\t%r14\n\n\tpushq\t%r15\n\nL$powerx5_prologue:\n\n\n\n\n\tshll\t$3,%r9d\n\tleaq\t(%r9,%r9,2),%r10\n\tnegq\t%r9\n\tmovq\t(%r8),%r8\n\n\n\n\n\n\n\n\n\tleaq\t-320(%rsp,%r9,2),%r11\n\tmovq\t%rsp,%rbp\n\tsubq\t%rdi,%r11\n\tandq\t$4095,%r11\n\tcmpq\t%r11,%r10\n\tjb\tL$pwrx_sp_alt\n\tsubq\t%r11,%rbp\n\tleaq\t-320(%rbp,%r9,2),%rbp\n\tjmp\tL$pwrx_sp_done\n\n.p2align\t5\nL$pwrx_sp_alt:\n\tleaq\t4096-320(,%r9,2),%r10\n\tleaq\t-320(%rbp,%r9,2),%rbp\n\tsubq\t%r10,%r11\n\tmovq\t$0,%r10\n\tcmovcq\t%r10,%r11\n\tsubq\t%r11,%rbp\nL$pwrx_sp_done:\n\tandq\t$-64,%rbp\n\tmovq\t%rsp,%r11\n\tsubq\t%rbp,%r11\n\tandq\t$-4096,%r11\n\tleaq\t(%r11,%rbp,1),%rsp\n\tmovq\t(%rsp),%r10\n\tcmpq\t%rbp,%rsp\n\tja\tL$pwrx_page_walk\n\tjmp\tL$pwrx_page_walk_done\n\nL$pwrx_page_walk:\n\tleaq\t-4096(%rsp),%rsp\n\tmovq\t(%rsp),%r10\n\tcmpq\t%rbp,%rsp\n\tja\tL$pwrx_page_walk\nL$pwrx_page_walk_done:\n\n\tmovq\t%r9,%r10\n\tnegq\t%r9\n\n\n\n\n\n\n\n\n\n\n\n\n\tpxor\t%xmm0,%xmm0\n.byte\t102,72,15,110,207\n.byte\t102,72,15,110,209\n.byte\t102,73,15,110,218\n.byte\t102,72,15,110,226\n\tmovq\t%r8,32(%rsp)\n\tmovq\t%rax,40(%rsp)\n\nL$powerx5_body:\n\n\tcall\t__bn_sqrx8x_internal\n\tcall\t__bn_postx4x_internal\n\tcall\t__bn_sqrx8x_internal\n\tcall\t__bn_postx4x_internal\n\tcall\t__bn_sqrx8x_internal\n\tcall\t__bn_postx4x_internal\n\tcall\t__bn_sqrx8x_internal\n\tcall\t__bn_postx4x_internal\n\tcall\t__bn_sqrx8x_internal\n\tcall\t__bn_postx4x_internal\n\n\tmovq\t%r10,%r9\n\tmovq\t%rsi,%rdi\n.byte\t102,72,15,126,209\n.byte\t102,72,15,126,226\n\tmovq\t40(%rsp),%rax\n\n\tcall\tmulx4x_internal\n\n\tmovq\t40(%rsp),%rsi\n\n\tmovq\t$1,%rax\n\n\tmovq\t-48(%rsi),%r15\n\n\tmovq\t-40(%rsi),%r14\n\n\tmovq\t-32(%rsi),%r13\n\n\tmovq\t-24(%rsi),%r12\n\n\tmovq\t-16(%rsi),%rbp\n\n\tmovq\t-8(%rsi),%rbx\n\n\tleaq\t(%rsi),%rsp\n\nL$powerx5_epilogue:\n\tret\n\n\n\n.globl\t_bn_sqrx8x_internal\n.private_extern _bn_sqrx8x_internal\n.private_extern\t_bn_sqrx8x_internal\n\n.p2align\t5\n_bn_sqrx8x_internal:\n__bn_sqrx8x_internal:\n\n_CET_ENDBR\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\tleaq\t48+8(%rsp),%rdi\n\tleaq\t(%rsi,%r9,1),%rbp\n\tmovq\t%r9,0+8(%rsp)\n\tmovq\t%rbp,8+8(%rsp)\n\tjmp\tL$sqr8x_zero_start\n\n.p2align\t5\n.byte\t0x66,0x66,0x66,0x2e,0x0f,0x1f,0x84,0x00,0x00,0x00,0x00,0x00\nL$sqrx8x_zero:\n.byte\t0x3e\n\tmovdqa\t%xmm0,0(%rdi)\n\tmovdqa\t%xmm0,16(%rdi)\n\tmovdqa\t%xmm0,32(%rdi)\n\tmovdqa\t%xmm0,48(%rdi)\nL$sqr8x_zero_start:\n\tmovdqa\t%xmm0,64(%rdi)\n\tmovdqa\t%xmm0,80(%rdi)\n\tmovdqa\t%xmm0,96(%rdi)\n\tmovdqa\t%xmm0,112(%rdi)\n\tleaq\t128(%rdi),%rdi\n\tsubq\t$64,%r9\n\tjnz\tL$sqrx8x_zero\n\n\tmovq\t0(%rsi),%rdx\n\n\txorq\t%r10,%r10\n\txorq\t%r11,%r11\n\txorq\t%r12,%r12\n\txorq\t%r13,%r13\n\txorq\t%r14,%r14\n\txorq\t%r15,%r15\n\tleaq\t48+8(%rsp),%rdi\n\txorq\t%rbp,%rbp\n\tjmp\tL$sqrx8x_outer_loop\n\n.p2align\t5\nL$sqrx8x_outer_loop:\n\tmulxq\t8(%rsi),%r8,%rax\n\tadcxq\t%r9,%r8\n\tadoxq\t%rax,%r10\n\tmulxq\t16(%rsi),%r9,%rax\n\tadcxq\t%r10,%r9\n\tadoxq\t%rax,%r11\n.byte\t0xc4,0xe2,0xab,0xf6,0x86,0x18,0x00,0x00,0x00\n\tadcxq\t%r11,%r10\n\tadoxq\t%rax,%r12\n.byte\t0xc4,0xe2,0xa3,0xf6,0x86,0x20,0x00,0x00,0x00\n\tadcxq\t%r12,%r11\n\tadoxq\t%rax,%r13\n\tmulxq\t40(%rsi),%r12,%rax\n\tadcxq\t%r13,%r12\n\tadoxq\t%rax,%r14\n\tmulxq\t48(%rsi),%r13,%rax\n\tadcxq\t%r14,%r13\n\tadoxq\t%r15,%rax\n\tmulxq\t56(%rsi),%r14,%r15\n\tmovq\t8(%rsi),%rdx\n\tadcxq\t%rax,%r14\n\tadoxq\t%rbp,%r15\n\tadcq\t64(%rdi),%r15\n\tmovq\t%r8,8(%rdi)\n\tmovq\t%r9,16(%rdi)\n\tsbbq\t%rcx,%rcx\n\txorq\t%rbp,%rbp\n\n\n\tmulxq\t16(%rsi),%r8,%rbx\n\tmulxq\t24(%rsi),%r9,%rax\n\tadcxq\t%r10,%r8\n\tadoxq\t%rbx,%r9\n\tmulxq\t32(%rsi),%r10,%rbx\n\tadcxq\t%r11,%r9\n\tadoxq\t%rax,%r10\n.byte\t0xc4,0xe2,0xa3,0xf6,0x86,0x28,0x00,0x00,0x00\n\tadcxq\t%r12,%r10\n\tadoxq\t%rbx,%r11\n.byte\t0xc4,0xe2,0x9b,0xf6,0x9e,0x30,0x00,0x00,0x00\n\tadcxq\t%r13,%r11\n\tadoxq\t%r14,%r12\n.byte\t0xc4,0x62,0x93,0xf6,0xb6,0x38,0x00,0x00,0x00\n\tmovq\t16(%rsi),%rdx\n\tadcxq\t%rax,%r12\n\tadoxq\t%rbx,%r13\n\tadcxq\t%r15,%r13\n\tadoxq\t%rbp,%r14\n\tadcxq\t%rbp,%r14\n\n\tmovq\t%r8,24(%rdi)\n\tmovq\t%r9,32(%rdi)\n\n\tmulxq\t24(%rsi),%r8,%rbx\n\tmulxq\t32(%rsi),%r9,%rax\n\tadcxq\t%r10,%r8\n\tadoxq\t%rbx,%r9\n\tmulxq\t40(%rsi),%r10,%rbx\n\tadcxq\t%r11,%r9\n\tadoxq\t%rax,%r10\n.byte\t0xc4,0xe2,0xa3,0xf6,0x86,0x30,0x00,0x00,0x00\n\tadcxq\t%r12,%r10\n\tadoxq\t%r13,%r11\n.byte\t0xc4,0x62,0x9b,0xf6,0xae,0x38,0x00,0x00,0x00\n.byte\t0x3e\n\tmovq\t24(%rsi),%rdx\n\tadcxq\t%rbx,%r11\n\tadoxq\t%rax,%r12\n\tadcxq\t%r14,%r12\n\tmovq\t%r8,40(%rdi)\n\tmovq\t%r9,48(%rdi)\n\tmulxq\t32(%rsi),%r8,%rax\n\tadoxq\t%rbp,%r13\n\tadcxq\t%rbp,%r13\n\n\tmulxq\t40(%rsi),%r9,%rbx\n\tadcxq\t%r10,%r8\n\tadoxq\t%rax,%r9\n\tmulxq\t48(%rsi),%r10,%rax\n\tadcxq\t%r11,%r9\n\tadoxq\t%r12,%r10\n\tmulxq\t56(%rsi),%r11,%r12\n\tmovq\t32(%rsi),%rdx\n\tmovq\t40(%rsi),%r14\n\tadcxq\t%rbx,%r10\n\tadoxq\t%rax,%r11\n\tmovq\t48(%rsi),%r15\n\tadcxq\t%r13,%r11\n\tadoxq\t%rbp,%r12\n\tadcxq\t%rbp,%r12\n\n\tmovq\t%r8,56(%rdi)\n\tmovq\t%r9,64(%rdi)\n\n\tmulxq\t%r14,%r9,%rax\n\tmovq\t56(%rsi),%r8\n\tadcxq\t%r10,%r9\n\tmulxq\t%r15,%r10,%rbx\n\tadoxq\t%rax,%r10\n\tadcxq\t%r11,%r10\n\tmulxq\t%r8,%r11,%rax\n\tmovq\t%r14,%rdx\n\tadoxq\t%rbx,%r11\n\tadcxq\t%r12,%r11\n\n\tadcxq\t%rbp,%rax\n\n\tmulxq\t%r15,%r14,%rbx\n\tmulxq\t%r8,%r12,%r13\n\tmovq\t%r15,%rdx\n\tleaq\t64(%rsi),%rsi\n\tadcxq\t%r14,%r11\n\tadoxq\t%rbx,%r12\n\tadcxq\t%rax,%r12\n\tadoxq\t%rbp,%r13\n\n.byte\t0x67,0x67\n\tmulxq\t%r8,%r8,%r14\n\tadcxq\t%r8,%r13\n\tadcxq\t%rbp,%r14\n\n\tcmpq\t8+8(%rsp),%rsi\n\tje\tL$sqrx8x_outer_break\n\n\tnegq\t%rcx\n\tmovq\t$-8,%rcx\n\tmovq\t%rbp,%r15\n\tmovq\t64(%rdi),%r8\n\tadcxq\t72(%rdi),%r9\n\tadcxq\t80(%rdi),%r10\n\tadcxq\t88(%rdi),%r11\n\tadcq\t96(%rdi),%r12\n\tadcq\t104(%rdi),%r13\n\tadcq\t112(%rdi),%r14\n\tadcq\t120(%rdi),%r15\n\tleaq\t(%rsi),%rbp\n\tleaq\t128(%rdi),%rdi\n\tsbbq\t%rax,%rax\n\n\tmovq\t-64(%rsi),%rdx\n\tmovq\t%rax,16+8(%rsp)\n\tmovq\t%rdi,24+8(%rsp)\n\n\n\txorl\t%eax,%eax\n\tjmp\tL$sqrx8x_loop\n\n.p2align\t5\nL$sqrx8x_loop:\n\tmovq\t%r8,%rbx\n\tmulxq\t0(%rbp),%rax,%r8\n\tadcxq\t%rax,%rbx\n\tadoxq\t%r9,%r8\n\n\tmulxq\t8(%rbp),%rax,%r9\n\tadcxq\t%rax,%r8\n\tadoxq\t%r10,%r9\n\n\tmulxq\t16(%rbp),%rax,%r10\n\tadcxq\t%rax,%r9\n\tadoxq\t%r11,%r10\n\n\tmulxq\t24(%rbp),%rax,%r11\n\tadcxq\t%rax,%r10\n\tadoxq\t%r12,%r11\n\n.byte\t0xc4,0x62,0xfb,0xf6,0xa5,0x20,0x00,0x00,0x00\n\tadcxq\t%rax,%r11\n\tadoxq\t%r13,%r12\n\n\tmulxq\t40(%rbp),%rax,%r13\n\tadcxq\t%rax,%r12\n\tadoxq\t%r14,%r13\n\n\tmulxq\t48(%rbp),%rax,%r14\n\tmovq\t%rbx,(%rdi,%rcx,8)\n\tmovl\t$0,%ebx\n\tadcxq\t%rax,%r13\n\tadoxq\t%r15,%r14\n\n.byte\t0xc4,0x62,0xfb,0xf6,0xbd,0x38,0x00,0x00,0x00\n\tmovq\t8(%rsi,%rcx,8),%rdx\n\tadcxq\t%rax,%r14\n\tadoxq\t%rbx,%r15\n\tadcxq\t%rbx,%r15\n\n.byte\t0x67\n\tincq\t%rcx\n\tjnz\tL$sqrx8x_loop\n\n\tleaq\t64(%rbp),%rbp\n\tmovq\t$-8,%rcx\n\tcmpq\t8+8(%rsp),%rbp\n\tje\tL$sqrx8x_break\n\n\tsubq\t16+8(%rsp),%rbx\n.byte\t0x66\n\tmovq\t-64(%rsi),%rdx\n\tadcxq\t0(%rdi),%r8\n\tadcxq\t8(%rdi),%r9\n\tadcq\t16(%rdi),%r10\n\tadcq\t24(%rdi),%r11\n\tadcq\t32(%rdi),%r12\n\tadcq\t40(%rdi),%r13\n\tadcq\t48(%rdi),%r14\n\tadcq\t56(%rdi),%r15\n\tleaq\t64(%rdi),%rdi\n.byte\t0x67\n\tsbbq\t%rax,%rax\n\txorl\t%ebx,%ebx\n\tmovq\t%rax,16+8(%rsp)\n\tjmp\tL$sqrx8x_loop\n\n.p2align\t5\nL$sqrx8x_break:\n\txorq\t%rbp,%rbp\n\tsubq\t16+8(%rsp),%rbx\n\tadcxq\t%rbp,%r8\n\tmovq\t24+8(%rsp),%rcx\n\tadcxq\t%rbp,%r9\n\tmovq\t0(%rsi),%rdx\n\tadcq\t$0,%r10\n\tmovq\t%r8,0(%rdi)\n\tadcq\t$0,%r11\n\tadcq\t$0,%r12\n\tadcq\t$0,%r13\n\tadcq\t$0,%r14\n\tadcq\t$0,%r15\n\tcmpq\t%rcx,%rdi\n\tje\tL$sqrx8x_outer_loop\n\n\tmovq\t%r9,8(%rdi)\n\tmovq\t8(%rcx),%r9\n\tmovq\t%r10,16(%rdi)\n\tmovq\t16(%rcx),%r10\n\tmovq\t%r11,24(%rdi)\n\tmovq\t24(%rcx),%r11\n\tmovq\t%r12,32(%rdi)\n\tmovq\t32(%rcx),%r12\n\tmovq\t%r13,40(%rdi)\n\tmovq\t40(%rcx),%r13\n\tmovq\t%r14,48(%rdi)\n\tmovq\t48(%rcx),%r14\n\tmovq\t%r15,56(%rdi)\n\tmovq\t56(%rcx),%r15\n\tmovq\t%rcx,%rdi\n\tjmp\tL$sqrx8x_outer_loop\n\n.p2align\t5\nL$sqrx8x_outer_break:\n\tmovq\t%r9,72(%rdi)\n.byte\t102,72,15,126,217\n\tmovq\t%r10,80(%rdi)\n\tmovq\t%r11,88(%rdi)\n\tmovq\t%r12,96(%rdi)\n\tmovq\t%r13,104(%rdi)\n\tmovq\t%r14,112(%rdi)\n\tleaq\t48+8(%rsp),%rdi\n\tmovq\t(%rsi,%rcx,1),%rdx\n\n\tmovq\t8(%rdi),%r11\n\txorq\t%r10,%r10\n\tmovq\t0+8(%rsp),%r9\n\tadoxq\t%r11,%r11\n\tmovq\t16(%rdi),%r12\n\tmovq\t24(%rdi),%r13\n\n\n.p2align\t5\nL$sqrx4x_shift_n_add:\n\tmulxq\t%rdx,%rax,%rbx\n\tadoxq\t%r12,%r12\n\tadcxq\t%r10,%rax\n.byte\t0x48,0x8b,0x94,0x0e,0x08,0x00,0x00,0x00\n.byte\t0x4c,0x8b,0x97,0x20,0x00,0x00,0x00\n\tadoxq\t%r13,%r13\n\tadcxq\t%r11,%rbx\n\tmovq\t40(%rdi),%r11\n\tmovq\t%rax,0(%rdi)\n\tmovq\t%rbx,8(%rdi)\n\n\tmulxq\t%rdx,%rax,%rbx\n\tadoxq\t%r10,%r10\n\tadcxq\t%r12,%rax\n\tmovq\t16(%rsi,%rcx,1),%rdx\n\tmovq\t48(%rdi),%r12\n\tadoxq\t%r11,%r11\n\tadcxq\t%r13,%rbx\n\tmovq\t56(%rdi),%r13\n\tmovq\t%rax,16(%rdi)\n\tmovq\t%rbx,24(%rdi)\n\n\tmulxq\t%rdx,%rax,%rbx\n\tadoxq\t%r12,%r12\n\tadcxq\t%r10,%rax\n\tmovq\t24(%rsi,%rcx,1),%rdx\n\tleaq\t32(%rcx),%rcx\n\tmovq\t64(%rdi),%r10\n\tadoxq\t%r13,%r13\n\tadcxq\t%r11,%rbx\n\tmovq\t72(%rdi),%r11\n\tmovq\t%rax,32(%rdi)\n\tmovq\t%rbx,40(%rdi)\n\n\tmulxq\t%rdx,%rax,%rbx\n\tadoxq\t%r10,%r10\n\tadcxq\t%r12,%rax\n\tjrcxz\tL$sqrx4x_shift_n_add_break\n.byte\t0x48,0x8b,0x94,0x0e,0x00,0x00,0x00,0x00\n\tadoxq\t%r11,%r11\n\tadcxq\t%r13,%rbx\n\tmovq\t80(%rdi),%r12\n\tmovq\t88(%rdi),%r13\n\tmovq\t%rax,48(%rdi)\n\tmovq\t%rbx,56(%rdi)\n\tleaq\t64(%rdi),%rdi\n\tnop\n\tjmp\tL$sqrx4x_shift_n_add\n\n.p2align\t5\nL$sqrx4x_shift_n_add_break:\n\tadcxq\t%r13,%rbx\n\tmovq\t%rax,48(%rdi)\n\tmovq\t%rbx,56(%rdi)\n\tleaq\t64(%rdi),%rdi\n.byte\t102,72,15,126,213\n__bn_sqrx8x_reduction:\n\txorl\t%eax,%eax\n\tmovq\t32+8(%rsp),%rbx\n\tmovq\t48+8(%rsp),%rdx\n\tleaq\t-64(%rbp,%r9,1),%rcx\n\n\tmovq\t%rcx,0+8(%rsp)\n\tmovq\t%rdi,8+8(%rsp)\n\n\tleaq\t48+8(%rsp),%rdi\n\tjmp\tL$sqrx8x_reduction_loop\n\n.p2align\t5\nL$sqrx8x_reduction_loop:\n\tmovq\t8(%rdi),%r9\n\tmovq\t16(%rdi),%r10\n\tmovq\t24(%rdi),%r11\n\tmovq\t32(%rdi),%r12\n\tmovq\t%rdx,%r8\n\timulq\t%rbx,%rdx\n\tmovq\t40(%rdi),%r13\n\tmovq\t48(%rdi),%r14\n\tmovq\t56(%rdi),%r15\n\tmovq\t%rax,24+8(%rsp)\n\n\tleaq\t64(%rdi),%rdi\n\txorq\t%rsi,%rsi\n\tmovq\t$-8,%rcx\n\tjmp\tL$sqrx8x_reduce\n\n.p2align\t5\nL$sqrx8x_reduce:\n\tmovq\t%r8,%rbx\n\tmulxq\t0(%rbp),%rax,%r8\n\tadcxq\t%rbx,%rax\n\tadoxq\t%r9,%r8\n\n\tmulxq\t8(%rbp),%rbx,%r9\n\tadcxq\t%rbx,%r8\n\tadoxq\t%r10,%r9\n\n\tmulxq\t16(%rbp),%rbx,%r10\n\tadcxq\t%rbx,%r9\n\tadoxq\t%r11,%r10\n\n\tmulxq\t24(%rbp),%rbx,%r11\n\tadcxq\t%rbx,%r10\n\tadoxq\t%r12,%r11\n\n.byte\t0xc4,0x62,0xe3,0xf6,0xa5,0x20,0x00,0x00,0x00\n\tmovq\t%rdx,%rax\n\tmovq\t%r8,%rdx\n\tadcxq\t%rbx,%r11\n\tadoxq\t%r13,%r12\n\n\tmulxq\t32+8(%rsp),%rbx,%rdx\n\tmovq\t%rax,%rdx\n\tmovq\t%rax,64+48+8(%rsp,%rcx,8)\n\n\tmulxq\t40(%rbp),%rax,%r13\n\tadcxq\t%rax,%r12\n\tadoxq\t%r14,%r13\n\n\tmulxq\t48(%rbp),%rax,%r14\n\tadcxq\t%rax,%r13\n\tadoxq\t%r15,%r14\n\n\tmulxq\t56(%rbp),%rax,%r15\n\tmovq\t%rbx,%rdx\n\tadcxq\t%rax,%r14\n\tadoxq\t%rsi,%r15\n\tadcxq\t%rsi,%r15\n\n.byte\t0x67,0x67,0x67\n\tincq\t%rcx\n\tjnz\tL$sqrx8x_reduce\n\n\tmovq\t%rsi,%rax\n\tcmpq\t0+8(%rsp),%rbp\n\tjae\tL$sqrx8x_no_tail\n\n\tmovq\t48+8(%rsp),%rdx\n\taddq\t0(%rdi),%r8\n\tleaq\t64(%rbp),%rbp\n\tmovq\t$-8,%rcx\n\tadcxq\t8(%rdi),%r9\n\tadcxq\t16(%rdi),%r10\n\tadcq\t24(%rdi),%r11\n\tadcq\t32(%rdi),%r12\n\tadcq\t40(%rdi),%r13\n\tadcq\t48(%rdi),%r14\n\tadcq\t56(%rdi),%r15\n\tleaq\t64(%rdi),%rdi\n\tsbbq\t%rax,%rax\n\n\txorq\t%rsi,%rsi\n\tmovq\t%rax,16+8(%rsp)\n\tjmp\tL$sqrx8x_tail\n\n.p2align\t5\nL$sqrx8x_tail:\n\tmovq\t%r8,%rbx\n\tmulxq\t0(%rbp),%rax,%r8\n\tadcxq\t%rax,%rbx\n\tadoxq\t%r9,%r8\n\n\tmulxq\t8(%rbp),%rax,%r9\n\tadcxq\t%rax,%r8\n\tadoxq\t%r10,%r9\n\n\tmulxq\t16(%rbp),%rax,%r10\n\tadcxq\t%rax,%r9\n\tadoxq\t%r11,%r10\n\n\tmulxq\t24(%rbp),%rax,%r11\n\tadcxq\t%rax,%r10\n\tadoxq\t%r12,%r11\n\n.byte\t0xc4,0x62,0xfb,0xf6,0xa5,0x20,0x00,0x00,0x00\n\tadcxq\t%rax,%r11\n\tadoxq\t%r13,%r12\n\n\tmulxq\t40(%rbp),%rax,%r13\n\tadcxq\t%rax,%r12\n\tadoxq\t%r14,%r13\n\n\tmulxq\t48(%rbp),%rax,%r14\n\tadcxq\t%rax,%r13\n\tadoxq\t%r15,%r14\n\n\tmulxq\t56(%rbp),%rax,%r15\n\tmovq\t72+48+8(%rsp,%rcx,8),%rdx\n\tadcxq\t%rax,%r14\n\tadoxq\t%rsi,%r15\n\tmovq\t%rbx,(%rdi,%rcx,8)\n\tmovq\t%r8,%rbx\n\tadcxq\t%rsi,%r15\n\n\tincq\t%rcx\n\tjnz\tL$sqrx8x_tail\n\n\tcmpq\t0+8(%rsp),%rbp\n\tjae\tL$sqrx8x_tail_done\n\n\tsubq\t16+8(%rsp),%rsi\n\tmovq\t48+8(%rsp),%rdx\n\tleaq\t64(%rbp),%rbp\n\tadcq\t0(%rdi),%r8\n\tadcq\t8(%rdi),%r9\n\tadcq\t16(%rdi),%r10\n\tadcq\t24(%rdi),%r11\n\tadcq\t32(%rdi),%r12\n\tadcq\t40(%rdi),%r13\n\tadcq\t48(%rdi),%r14\n\tadcq\t56(%rdi),%r15\n\tleaq\t64(%rdi),%rdi\n\tsbbq\t%rax,%rax\n\tsubq\t$8,%rcx\n\n\txorq\t%rsi,%rsi\n\tmovq\t%rax,16+8(%rsp)\n\tjmp\tL$sqrx8x_tail\n\n.p2align\t5\nL$sqrx8x_tail_done:\n\txorq\t%rax,%rax\n\taddq\t24+8(%rsp),%r8\n\tadcq\t$0,%r9\n\tadcq\t$0,%r10\n\tadcq\t$0,%r11\n\tadcq\t$0,%r12\n\tadcq\t$0,%r13\n\tadcq\t$0,%r14\n\tadcq\t$0,%r15\n\tadcq\t$0,%rax\n\n\tsubq\t16+8(%rsp),%rsi\nL$sqrx8x_no_tail:\n\tadcq\t0(%rdi),%r8\n.byte\t102,72,15,126,217\n\tadcq\t8(%rdi),%r9\n\tmovq\t56(%rbp),%rsi\n.byte\t102,72,15,126,213\n\tadcq\t16(%rdi),%r10\n\tadcq\t24(%rdi),%r11\n\tadcq\t32(%rdi),%r12\n\tadcq\t40(%rdi),%r13\n\tadcq\t48(%rdi),%r14\n\tadcq\t56(%rdi),%r15\n\tadcq\t$0,%rax\n\n\tmovq\t32+8(%rsp),%rbx\n\tmovq\t64(%rdi,%rcx,1),%rdx\n\n\tmovq\t%r8,0(%rdi)\n\tleaq\t64(%rdi),%r8\n\tmovq\t%r9,8(%rdi)\n\tmovq\t%r10,16(%rdi)\n\tmovq\t%r11,24(%rdi)\n\tmovq\t%r12,32(%rdi)\n\tmovq\t%r13,40(%rdi)\n\tmovq\t%r14,48(%rdi)\n\tmovq\t%r15,56(%rdi)\n\n\tleaq\t64(%rdi,%rcx,1),%rdi\n\tcmpq\t8+8(%rsp),%r8\n\tjb\tL$sqrx8x_reduction_loop\n\tret\n\n\n.p2align\t5\n\n__bn_postx4x_internal:\n\n\tmovq\t0(%rbp),%r12\n\tmovq\t%rcx,%r10\n\tmovq\t%rcx,%r9\n\tnegq\t%rax\n\tsarq\t$3+2,%rcx\n\n.byte\t102,72,15,126,202\n.byte\t102,72,15,126,206\n\tdecq\t%r12\n\tmovq\t8(%rbp),%r13\n\txorq\t%r8,%r8\n\tmovq\t16(%rbp),%r14\n\tmovq\t24(%rbp),%r15\n\tjmp\tL$sqrx4x_sub_entry\n\n.p2align\t4\nL$sqrx4x_sub:\n\tmovq\t0(%rbp),%r12\n\tmovq\t8(%rbp),%r13\n\tmovq\t16(%rbp),%r14\n\tmovq\t24(%rbp),%r15\nL$sqrx4x_sub_entry:\n\tandnq\t%rax,%r12,%r12\n\tleaq\t32(%rbp),%rbp\n\tandnq\t%rax,%r13,%r13\n\tandnq\t%rax,%r14,%r14\n\tandnq\t%rax,%r15,%r15\n\n\tnegq\t%r8\n\tadcq\t0(%rdi),%r12\n\tadcq\t8(%rdi),%r13\n\tadcq\t16(%rdi),%r14\n\tadcq\t24(%rdi),%r15\n\tmovq\t%r12,0(%rdx)\n\tleaq\t32(%rdi),%rdi\n\tmovq\t%r13,8(%rdx)\n\tsbbq\t%r8,%r8\n\tmovq\t%r14,16(%rdx)\n\tmovq\t%r15,24(%rdx)\n\tleaq\t32(%rdx),%rdx\n\n\tincq\t%rcx\n\tjnz\tL$sqrx4x_sub\n\n\tnegq\t%r9\n\n\tret\n\n\n.globl\t_bn_scatter5\n.private_extern _bn_scatter5\n\n.p2align\t4\n_bn_scatter5:\n\n_CET_ENDBR\n\tcmpl\t$0,%esi\n\tjz\tL$scatter_epilogue\n\n\n\n\n\n\n\n\n\n\tleaq\t(%rdx,%rcx,8),%rdx\nL$scatter:\n\tmovq\t(%rdi),%rax\n\tleaq\t8(%rdi),%rdi\n\tmovq\t%rax,(%rdx)\n\tleaq\t256(%rdx),%rdx\n\tsubl\t$1,%esi\n\tjnz\tL$scatter\nL$scatter_epilogue:\n\tret\n\n\n\n.globl\t_bn_gather5\n.private_extern _bn_gather5\n\n.p2align\t5\n_bn_gather5:\n\nL$SEH_begin_bn_gather5:\n_CET_ENDBR\n\n.byte\t0x4c,0x8d,0x14,0x24\n\n.byte\t0x48,0x81,0xec,0x08,0x01,0x00,0x00\n\tleaq\tL$inc(%rip),%rax\n\tandq\t$-16,%rsp\n\n\tmovd\t%ecx,%xmm5\n\tmovdqa\t0(%rax),%xmm0\n\tmovdqa\t16(%rax),%xmm1\n\tleaq\t128(%rdx),%r11\n\tleaq\t128(%rsp),%rax\n\n\tpshufd\t$0,%xmm5,%xmm5\n\tmovdqa\t%xmm1,%xmm4\n\tmovdqa\t%xmm1,%xmm2\n\tpaddd\t%xmm0,%xmm1\n\tpcmpeqd\t%xmm5,%xmm0\n\tmovdqa\t%xmm4,%xmm3\n\n\tpaddd\t%xmm1,%xmm2\n\tpcmpeqd\t%xmm5,%xmm1\n\tmovdqa\t%xmm0,-128(%rax)\n\tmovdqa\t%xmm4,%xmm0\n\n\tpaddd\t%xmm2,%xmm3\n\tpcmpeqd\t%xmm5,%xmm2\n\tmovdqa\t%xmm1,-112(%rax)\n\tmovdqa\t%xmm4,%xmm1\n\n\tpaddd\t%xmm3,%xmm0\n\tpcmpeqd\t%xmm5,%xmm3\n\tmovdqa\t%xmm2,-96(%rax)\n\tmovdqa\t%xmm4,%xmm2\n\tpaddd\t%xmm0,%xmm1\n\tpcmpeqd\t%xmm5,%xmm0\n\tmovdqa\t%xmm3,-80(%rax)\n\tmovdqa\t%xmm4,%xmm3\n\n\tpaddd\t%xmm1,%xmm2\n\tpcmpeqd\t%xmm5,%xmm1\n\tmovdqa\t%xmm0,-64(%rax)\n\tmovdqa\t%xmm4,%xmm0\n\n\tpaddd\t%xmm2,%xmm3\n\tpcmpeqd\t%xmm5,%xmm2\n\tmovdqa\t%xmm1,-48(%rax)\n\tmovdqa\t%xmm4,%xmm1\n\n\tpaddd\t%xmm3,%xmm0\n\tpcmpeqd\t%xmm5,%xmm3\n\tmovdqa\t%xmm2,-32(%rax)\n\tmovdqa\t%xmm4,%xmm2\n\tpaddd\t%xmm0,%xmm1\n\tpcmpeqd\t%xmm5,%xmm0\n\tmovdqa\t%xmm3,-16(%rax)\n\tmovdqa\t%xmm4,%xmm3\n\n\tpaddd\t%xmm1,%xmm2\n\tpcmpeqd\t%xmm5,%xmm1\n\tmovdqa\t%xmm0,0(%rax)\n\tmovdqa\t%xmm4,%xmm0\n\n\tpaddd\t%xmm2,%xmm3\n\tpcmpeqd\t%xmm5,%xmm2\n\tmovdqa\t%xmm1,16(%rax)\n\tmovdqa\t%xmm4,%xmm1\n\n\tpaddd\t%xmm3,%xmm0\n\tpcmpeqd\t%xmm5,%xmm3\n\tmovdqa\t%xmm2,32(%rax)\n\tmovdqa\t%xmm4,%xmm2\n\tpaddd\t%xmm0,%xmm1\n\tpcmpeqd\t%xmm5,%xmm0\n\tmovdqa\t%xmm3,48(%rax)\n\tmovdqa\t%xmm4,%xmm3\n\n\tpaddd\t%xmm1,%xmm2\n\tpcmpeqd\t%xmm5,%xmm1\n\tmovdqa\t%xmm0,64(%rax)\n\tmovdqa\t%xmm4,%xmm0\n\n\tpaddd\t%xmm2,%xmm3\n\tpcmpeqd\t%xmm5,%xmm2\n\tmovdqa\t%xmm1,80(%rax)\n\tmovdqa\t%xmm4,%xmm1\n\n\tpaddd\t%xmm3,%xmm0\n\tpcmpeqd\t%xmm5,%xmm3\n\tmovdqa\t%xmm2,96(%rax)\n\tmovdqa\t%xmm4,%xmm2\n\tmovdqa\t%xmm3,112(%rax)\n\tjmp\tL$gather\n\n.p2align\t5\nL$gather:\n\tpxor\t%xmm4,%xmm4\n\tpxor\t%xmm5,%xmm5\n\tmovdqa\t-128(%r11),%xmm0\n\tmovdqa\t-112(%r11),%xmm1\n\tmovdqa\t-96(%r11),%xmm2\n\tpand\t-128(%rax),%xmm0\n\tmovdqa\t-80(%r11),%xmm3\n\tpand\t-112(%rax),%xmm1\n\tpor\t%xmm0,%xmm4\n\tpand\t-96(%rax),%xmm2\n\tpor\t%xmm1,%xmm5\n\tpand\t-80(%rax),%xmm3\n\tpor\t%xmm2,%xmm4\n\tpor\t%xmm3,%xmm5\n\tmovdqa\t-64(%r11),%xmm0\n\tmovdqa\t-48(%r11),%xmm1\n\tmovdqa\t-32(%r11),%xmm2\n\tpand\t-64(%rax),%xmm0\n\tmovdqa\t-16(%r11),%xmm3\n\tpand\t-48(%rax),%xmm1\n\tpor\t%xmm0,%xmm4\n\tpand\t-32(%rax),%xmm2\n\tpor\t%xmm1,%xmm5\n\tpand\t-16(%rax),%xmm3\n\tpor\t%xmm2,%xmm4\n\tpor\t%xmm3,%xmm5\n\tmovdqa\t0(%r11),%xmm0\n\tmovdqa\t16(%r11),%xmm1\n\tmovdqa\t32(%r11),%xmm2\n\tpand\t0(%rax),%xmm0\n\tmovdqa\t48(%r11),%xmm3\n\tpand\t16(%rax),%xmm1\n\tpor\t%xmm0,%xmm4\n\tpand\t32(%rax),%xmm2\n\tpor\t%xmm1,%xmm5\n\tpand\t48(%rax),%xmm3\n\tpor\t%xmm2,%xmm4\n\tpor\t%xmm3,%xmm5\n\tmovdqa\t64(%r11),%xmm0\n\tmovdqa\t80(%r11),%xmm1\n\tmovdqa\t96(%r11),%xmm2\n\tpand\t64(%rax),%xmm0\n\tmovdqa\t112(%r11),%xmm3\n\tpand\t80(%rax),%xmm1\n\tpor\t%xmm0,%xmm4\n\tpand\t96(%rax),%xmm2\n\tpor\t%xmm1,%xmm5\n\tpand\t112(%rax),%xmm3\n\tpor\t%xmm2,%xmm4\n\tpor\t%xmm3,%xmm5\n\tpor\t%xmm5,%xmm4\n\tleaq\t256(%r11),%r11\n\n\tpshufd\t$0x4e,%xmm4,%xmm0\n\tpor\t%xmm4,%xmm0\n\tmovq\t%xmm0,(%rdi)\n\tleaq\t8(%rdi),%rdi\n\tsubl\t$1,%esi\n\tjnz\tL$gather\n\n\tleaq\t(%r10),%rsp\n\n\tret\nL$SEH_end_bn_gather5:\n\n\n.section\t__DATA,__const\n.p2align\t6\nL$inc:\n.long\t0,0, 1,1\n.long\t2,2, 2,2\n.byte\t77,111,110,116,103,111,109,101,114,121,32,77,117,108,116,105,112,108,105,99,97,116,105,111,110,32,119,105,116,104,32,115,99,97,116,116,101,114,47,103,97,116,104,101,114,32,102,111,114,32,120,56,54,95,54,52,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0\n.text\t\n#endif\n#if defined(__linux__) && defined(__ELF__)\n.section .note.GNU-stack,\"\",%progbits\n#endif\n\n" }, { "path": "Sources/CNIOBoringSSL/gen/bcm/x86_64-mont5-linux.S", "content": "#define BORINGSSL_PREFIX CNIOBoringSSL\n// This file is generated from a similarly-named Perl script in the BoringSSL\n// source tree. Do not edit by hand.\n\n#include \n\n#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86_64) && defined(__ELF__)\n.text\t\n\n.globl\tbn_mul_mont_gather5_nohw\n.hidden bn_mul_mont_gather5_nohw\n.type\tbn_mul_mont_gather5_nohw,@function\n.align\t64\nbn_mul_mont_gather5_nohw:\n.cfi_startproc\t\n_CET_ENDBR\n\n\n\tmovl\t%r9d,%r9d\n\tmovq\t%rsp,%rax\n.cfi_def_cfa_register\t%rax\n\tmovd\t8(%rsp),%xmm5\n\tpushq\t%rbx\n.cfi_offset\t%rbx,-16\n\tpushq\t%rbp\n.cfi_offset\t%rbp,-24\n\tpushq\t%r12\n.cfi_offset\t%r12,-32\n\tpushq\t%r13\n.cfi_offset\t%r13,-40\n\tpushq\t%r14\n.cfi_offset\t%r14,-48\n\tpushq\t%r15\n.cfi_offset\t%r15,-56\n\n\tnegq\t%r9\n\tmovq\t%rsp,%r11\n\tleaq\t-280(%rsp,%r9,8),%r10\n\tnegq\t%r9\n\tandq\t$-1024,%r10\n\n\n\n\n\n\n\n\n\n\tsubq\t%r10,%r11\n\tandq\t$-4096,%r11\n\tleaq\t(%r10,%r11,1),%rsp\n\tmovq\t(%rsp),%r11\n\tcmpq\t%r10,%rsp\n\tja\t.Lmul_page_walk\n\tjmp\t.Lmul_page_walk_done\n\n.Lmul_page_walk:\n\tleaq\t-4096(%rsp),%rsp\n\tmovq\t(%rsp),%r11\n\tcmpq\t%r10,%rsp\n\tja\t.Lmul_page_walk\n.Lmul_page_walk_done:\n\n\tleaq\t.Linc(%rip),%r10\n\tmovq\t%rax,8(%rsp,%r9,8)\n.cfi_escape\t0x0f,0x0a,0x77,0x08,0x79,0x00,0x38,0x1e,0x22,0x06,0x23,0x08\n.Lmul_body:\n\n\tleaq\t128(%rdx),%r12\n\tmovdqa\t0(%r10),%xmm0\n\tmovdqa\t16(%r10),%xmm1\n\tleaq\t24-112(%rsp,%r9,8),%r10\n\tandq\t$-16,%r10\n\n\tpshufd\t$0,%xmm5,%xmm5\n\tmovdqa\t%xmm1,%xmm4\n\tmovdqa\t%xmm1,%xmm2\n\tpaddd\t%xmm0,%xmm1\n\tpcmpeqd\t%xmm5,%xmm0\n.byte\t0x67\n\tmovdqa\t%xmm4,%xmm3\n\tpaddd\t%xmm1,%xmm2\n\tpcmpeqd\t%xmm5,%xmm1\n\tmovdqa\t%xmm0,112(%r10)\n\tmovdqa\t%xmm4,%xmm0\n\n\tpaddd\t%xmm2,%xmm3\n\tpcmpeqd\t%xmm5,%xmm2\n\tmovdqa\t%xmm1,128(%r10)\n\tmovdqa\t%xmm4,%xmm1\n\n\tpaddd\t%xmm3,%xmm0\n\tpcmpeqd\t%xmm5,%xmm3\n\tmovdqa\t%xmm2,144(%r10)\n\tmovdqa\t%xmm4,%xmm2\n\n\tpaddd\t%xmm0,%xmm1\n\tpcmpeqd\t%xmm5,%xmm0\n\tmovdqa\t%xmm3,160(%r10)\n\tmovdqa\t%xmm4,%xmm3\n\tpaddd\t%xmm1,%xmm2\n\tpcmpeqd\t%xmm5,%xmm1\n\tmovdqa\t%xmm0,176(%r10)\n\tmovdqa\t%xmm4,%xmm0\n\n\tpaddd\t%xmm2,%xmm3\n\tpcmpeqd\t%xmm5,%xmm2\n\tmovdqa\t%xmm1,192(%r10)\n\tmovdqa\t%xmm4,%xmm1\n\n\tpaddd\t%xmm3,%xmm0\n\tpcmpeqd\t%xmm5,%xmm3\n\tmovdqa\t%xmm2,208(%r10)\n\tmovdqa\t%xmm4,%xmm2\n\n\tpaddd\t%xmm0,%xmm1\n\tpcmpeqd\t%xmm5,%xmm0\n\tmovdqa\t%xmm3,224(%r10)\n\tmovdqa\t%xmm4,%xmm3\n\tpaddd\t%xmm1,%xmm2\n\tpcmpeqd\t%xmm5,%xmm1\n\tmovdqa\t%xmm0,240(%r10)\n\tmovdqa\t%xmm4,%xmm0\n\n\tpaddd\t%xmm2,%xmm3\n\tpcmpeqd\t%xmm5,%xmm2\n\tmovdqa\t%xmm1,256(%r10)\n\tmovdqa\t%xmm4,%xmm1\n\n\tpaddd\t%xmm3,%xmm0\n\tpcmpeqd\t%xmm5,%xmm3\n\tmovdqa\t%xmm2,272(%r10)\n\tmovdqa\t%xmm4,%xmm2\n\n\tpaddd\t%xmm0,%xmm1\n\tpcmpeqd\t%xmm5,%xmm0\n\tmovdqa\t%xmm3,288(%r10)\n\tmovdqa\t%xmm4,%xmm3\n\tpaddd\t%xmm1,%xmm2\n\tpcmpeqd\t%xmm5,%xmm1\n\tmovdqa\t%xmm0,304(%r10)\n\n\tpaddd\t%xmm2,%xmm3\n.byte\t0x67\n\tpcmpeqd\t%xmm5,%xmm2\n\tmovdqa\t%xmm1,320(%r10)\n\n\tpcmpeqd\t%xmm5,%xmm3\n\tmovdqa\t%xmm2,336(%r10)\n\tpand\t64(%r12),%xmm0\n\n\tpand\t80(%r12),%xmm1\n\tpand\t96(%r12),%xmm2\n\tmovdqa\t%xmm3,352(%r10)\n\tpand\t112(%r12),%xmm3\n\tpor\t%xmm2,%xmm0\n\tpor\t%xmm3,%xmm1\n\tmovdqa\t-128(%r12),%xmm4\n\tmovdqa\t-112(%r12),%xmm5\n\tmovdqa\t-96(%r12),%xmm2\n\tpand\t112(%r10),%xmm4\n\tmovdqa\t-80(%r12),%xmm3\n\tpand\t128(%r10),%xmm5\n\tpor\t%xmm4,%xmm0\n\tpand\t144(%r10),%xmm2\n\tpor\t%xmm5,%xmm1\n\tpand\t160(%r10),%xmm3\n\tpor\t%xmm2,%xmm0\n\tpor\t%xmm3,%xmm1\n\tmovdqa\t-64(%r12),%xmm4\n\tmovdqa\t-48(%r12),%xmm5\n\tmovdqa\t-32(%r12),%xmm2\n\tpand\t176(%r10),%xmm4\n\tmovdqa\t-16(%r12),%xmm3\n\tpand\t192(%r10),%xmm5\n\tpor\t%xmm4,%xmm0\n\tpand\t208(%r10),%xmm2\n\tpor\t%xmm5,%xmm1\n\tpand\t224(%r10),%xmm3\n\tpor\t%xmm2,%xmm0\n\tpor\t%xmm3,%xmm1\n\tmovdqa\t0(%r12),%xmm4\n\tmovdqa\t16(%r12),%xmm5\n\tmovdqa\t32(%r12),%xmm2\n\tpand\t240(%r10),%xmm4\n\tmovdqa\t48(%r12),%xmm3\n\tpand\t256(%r10),%xmm5\n\tpor\t%xmm4,%xmm0\n\tpand\t272(%r10),%xmm2\n\tpor\t%xmm5,%xmm1\n\tpand\t288(%r10),%xmm3\n\tpor\t%xmm2,%xmm0\n\tpor\t%xmm3,%xmm1\n\tpor\t%xmm1,%xmm0\n\n\tpshufd\t$0x4e,%xmm0,%xmm1\n\tpor\t%xmm1,%xmm0\n\tleaq\t256(%r12),%r12\n.byte\t102,72,15,126,195\n\n\tmovq\t(%r8),%r8\n\tmovq\t(%rsi),%rax\n\n\txorq\t%r14,%r14\n\txorq\t%r15,%r15\n\n\tmovq\t%r8,%rbp\n\tmulq\t%rbx\n\tmovq\t%rax,%r10\n\tmovq\t(%rcx),%rax\n\n\timulq\t%r10,%rbp\n\tmovq\t%rdx,%r11\n\n\tmulq\t%rbp\n\taddq\t%rax,%r10\n\tmovq\t8(%rsi),%rax\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r13\n\n\tleaq\t1(%r15),%r15\n\tjmp\t.L1st_enter\n\n.align\t16\n.L1st:\n\taddq\t%rax,%r13\n\tmovq\t(%rsi,%r15,8),%rax\n\tadcq\t$0,%rdx\n\taddq\t%r11,%r13\n\tmovq\t%r10,%r11\n\tadcq\t$0,%rdx\n\tmovq\t%r13,-16(%rsp,%r15,8)\n\tmovq\t%rdx,%r13\n\n.L1st_enter:\n\tmulq\t%rbx\n\taddq\t%rax,%r11\n\tmovq\t(%rcx,%r15,8),%rax\n\tadcq\t$0,%rdx\n\tleaq\t1(%r15),%r15\n\tmovq\t%rdx,%r10\n\n\tmulq\t%rbp\n\tcmpq\t%r9,%r15\n\tjne\t.L1st\n\n\n\taddq\t%rax,%r13\n\tadcq\t$0,%rdx\n\taddq\t%r11,%r13\n\tadcq\t$0,%rdx\n\tmovq\t%r13,-16(%rsp,%r9,8)\n\tmovq\t%rdx,%r13\n\tmovq\t%r10,%r11\n\n\txorq\t%rdx,%rdx\n\taddq\t%r11,%r13\n\tadcq\t$0,%rdx\n\tmovq\t%r13,-8(%rsp,%r9,8)\n\tmovq\t%rdx,(%rsp,%r9,8)\n\n\tleaq\t1(%r14),%r14\n\tjmp\t.Louter\n.align\t16\n.Louter:\n\tleaq\t24+128(%rsp,%r9,8),%rdx\n\tandq\t$-16,%rdx\n\tpxor\t%xmm4,%xmm4\n\tpxor\t%xmm5,%xmm5\n\tmovdqa\t-128(%r12),%xmm0\n\tmovdqa\t-112(%r12),%xmm1\n\tmovdqa\t-96(%r12),%xmm2\n\tmovdqa\t-80(%r12),%xmm3\n\tpand\t-128(%rdx),%xmm0\n\tpand\t-112(%rdx),%xmm1\n\tpor\t%xmm0,%xmm4\n\tpand\t-96(%rdx),%xmm2\n\tpor\t%xmm1,%xmm5\n\tpand\t-80(%rdx),%xmm3\n\tpor\t%xmm2,%xmm4\n\tpor\t%xmm3,%xmm5\n\tmovdqa\t-64(%r12),%xmm0\n\tmovdqa\t-48(%r12),%xmm1\n\tmovdqa\t-32(%r12),%xmm2\n\tmovdqa\t-16(%r12),%xmm3\n\tpand\t-64(%rdx),%xmm0\n\tpand\t-48(%rdx),%xmm1\n\tpor\t%xmm0,%xmm4\n\tpand\t-32(%rdx),%xmm2\n\tpor\t%xmm1,%xmm5\n\tpand\t-16(%rdx),%xmm3\n\tpor\t%xmm2,%xmm4\n\tpor\t%xmm3,%xmm5\n\tmovdqa\t0(%r12),%xmm0\n\tmovdqa\t16(%r12),%xmm1\n\tmovdqa\t32(%r12),%xmm2\n\tmovdqa\t48(%r12),%xmm3\n\tpand\t0(%rdx),%xmm0\n\tpand\t16(%rdx),%xmm1\n\tpor\t%xmm0,%xmm4\n\tpand\t32(%rdx),%xmm2\n\tpor\t%xmm1,%xmm5\n\tpand\t48(%rdx),%xmm3\n\tpor\t%xmm2,%xmm4\n\tpor\t%xmm3,%xmm5\n\tmovdqa\t64(%r12),%xmm0\n\tmovdqa\t80(%r12),%xmm1\n\tmovdqa\t96(%r12),%xmm2\n\tmovdqa\t112(%r12),%xmm3\n\tpand\t64(%rdx),%xmm0\n\tpand\t80(%rdx),%xmm1\n\tpor\t%xmm0,%xmm4\n\tpand\t96(%rdx),%xmm2\n\tpor\t%xmm1,%xmm5\n\tpand\t112(%rdx),%xmm3\n\tpor\t%xmm2,%xmm4\n\tpor\t%xmm3,%xmm5\n\tpor\t%xmm5,%xmm4\n\n\tpshufd\t$0x4e,%xmm4,%xmm0\n\tpor\t%xmm4,%xmm0\n\tleaq\t256(%r12),%r12\n\n\tmovq\t(%rsi),%rax\n.byte\t102,72,15,126,195\n\n\txorq\t%r15,%r15\n\tmovq\t%r8,%rbp\n\tmovq\t(%rsp),%r10\n\n\tmulq\t%rbx\n\taddq\t%rax,%r10\n\tmovq\t(%rcx),%rax\n\tadcq\t$0,%rdx\n\n\timulq\t%r10,%rbp\n\tmovq\t%rdx,%r11\n\n\tmulq\t%rbp\n\taddq\t%rax,%r10\n\tmovq\t8(%rsi),%rax\n\tadcq\t$0,%rdx\n\tmovq\t8(%rsp),%r10\n\tmovq\t%rdx,%r13\n\n\tleaq\t1(%r15),%r15\n\tjmp\t.Linner_enter\n\n.align\t16\n.Linner:\n\taddq\t%rax,%r13\n\tmovq\t(%rsi,%r15,8),%rax\n\tadcq\t$0,%rdx\n\taddq\t%r10,%r13\n\tmovq\t(%rsp,%r15,8),%r10\n\tadcq\t$0,%rdx\n\tmovq\t%r13,-16(%rsp,%r15,8)\n\tmovq\t%rdx,%r13\n\n.Linner_enter:\n\tmulq\t%rbx\n\taddq\t%rax,%r11\n\tmovq\t(%rcx,%r15,8),%rax\n\tadcq\t$0,%rdx\n\taddq\t%r11,%r10\n\tmovq\t%rdx,%r11\n\tadcq\t$0,%r11\n\tleaq\t1(%r15),%r15\n\n\tmulq\t%rbp\n\tcmpq\t%r9,%r15\n\tjne\t.Linner\n\n\taddq\t%rax,%r13\n\tadcq\t$0,%rdx\n\taddq\t%r10,%r13\n\tmovq\t(%rsp,%r9,8),%r10\n\tadcq\t$0,%rdx\n\tmovq\t%r13,-16(%rsp,%r9,8)\n\tmovq\t%rdx,%r13\n\n\txorq\t%rdx,%rdx\n\taddq\t%r11,%r13\n\tadcq\t$0,%rdx\n\taddq\t%r10,%r13\n\tadcq\t$0,%rdx\n\tmovq\t%r13,-8(%rsp,%r9,8)\n\tmovq\t%rdx,(%rsp,%r9,8)\n\n\tleaq\t1(%r14),%r14\n\tcmpq\t%r9,%r14\n\tjb\t.Louter\n\n\txorq\t%r14,%r14\n\tmovq\t(%rsp),%rax\n\tleaq\t(%rsp),%rsi\n\tmovq\t%r9,%r15\n\tjmp\t.Lsub\n.align\t16\n.Lsub:\tsbbq\t(%rcx,%r14,8),%rax\n\tmovq\t%rax,(%rdi,%r14,8)\n\tmovq\t8(%rsi,%r14,8),%rax\n\tleaq\t1(%r14),%r14\n\tdecq\t%r15\n\tjnz\t.Lsub\n\n\tsbbq\t$0,%rax\n\tmovq\t$-1,%rbx\n\txorq\t%rax,%rbx\n\txorq\t%r14,%r14\n\tmovq\t%r9,%r15\n\n.Lcopy:\n\tmovq\t(%rdi,%r14,8),%rcx\n\tmovq\t(%rsp,%r14,8),%rdx\n\tandq\t%rbx,%rcx\n\tandq\t%rax,%rdx\n\tmovq\t%r14,(%rsp,%r14,8)\n\torq\t%rcx,%rdx\n\tmovq\t%rdx,(%rdi,%r14,8)\n\tleaq\t1(%r14),%r14\n\tsubq\t$1,%r15\n\tjnz\t.Lcopy\n\n\tmovq\t8(%rsp,%r9,8),%rsi\n.cfi_def_cfa\t%rsi,8\n\tmovq\t$1,%rax\n\n\tmovq\t-48(%rsi),%r15\n.cfi_restore\t%r15\n\tmovq\t-40(%rsi),%r14\n.cfi_restore\t%r14\n\tmovq\t-32(%rsi),%r13\n.cfi_restore\t%r13\n\tmovq\t-24(%rsi),%r12\n.cfi_restore\t%r12\n\tmovq\t-16(%rsi),%rbp\n.cfi_restore\t%rbp\n\tmovq\t-8(%rsi),%rbx\n.cfi_restore\t%rbx\n\tleaq\t(%rsi),%rsp\n.cfi_def_cfa_register\t%rsp\n.Lmul_epilogue:\n\tret\n.cfi_endproc\t\n.size\tbn_mul_mont_gather5_nohw,.-bn_mul_mont_gather5_nohw\n.globl\tbn_mul4x_mont_gather5\n.hidden bn_mul4x_mont_gather5\n.type\tbn_mul4x_mont_gather5,@function\n.align\t32\nbn_mul4x_mont_gather5:\n.cfi_startproc\t\n_CET_ENDBR\n.byte\t0x67\n\tmovq\t%rsp,%rax\n.cfi_def_cfa_register\t%rax\n\tpushq\t%rbx\n.cfi_offset\t%rbx,-16\n\tpushq\t%rbp\n.cfi_offset\t%rbp,-24\n\tpushq\t%r12\n.cfi_offset\t%r12,-32\n\tpushq\t%r13\n.cfi_offset\t%r13,-40\n\tpushq\t%r14\n.cfi_offset\t%r14,-48\n\tpushq\t%r15\n.cfi_offset\t%r15,-56\n.Lmul4x_prologue:\n\n.byte\t0x67\n\n\n\n\tshll\t$3,%r9d\n\tleaq\t(%r9,%r9,2),%r10\n\tnegq\t%r9\n\n\n\n\n\n\n\n\n\n\n\tleaq\t-320(%rsp,%r9,2),%r11\n\tmovq\t%rsp,%rbp\n\tsubq\t%rdi,%r11\n\tandq\t$4095,%r11\n\tcmpq\t%r11,%r10\n\tjb\t.Lmul4xsp_alt\n\tsubq\t%r11,%rbp\n\tleaq\t-320(%rbp,%r9,2),%rbp\n\tjmp\t.Lmul4xsp_done\n\n.align\t32\n.Lmul4xsp_alt:\n\tleaq\t4096-320(,%r9,2),%r10\n\tleaq\t-320(%rbp,%r9,2),%rbp\n\tsubq\t%r10,%r11\n\tmovq\t$0,%r10\n\tcmovcq\t%r10,%r11\n\tsubq\t%r11,%rbp\n.Lmul4xsp_done:\n\tandq\t$-64,%rbp\n\tmovq\t%rsp,%r11\n\tsubq\t%rbp,%r11\n\tandq\t$-4096,%r11\n\tleaq\t(%r11,%rbp,1),%rsp\n\tmovq\t(%rsp),%r10\n\tcmpq\t%rbp,%rsp\n\tja\t.Lmul4x_page_walk\n\tjmp\t.Lmul4x_page_walk_done\n\n.Lmul4x_page_walk:\n\tleaq\t-4096(%rsp),%rsp\n\tmovq\t(%rsp),%r10\n\tcmpq\t%rbp,%rsp\n\tja\t.Lmul4x_page_walk\n.Lmul4x_page_walk_done:\n\n\tnegq\t%r9\n\n\tmovq\t%rax,40(%rsp)\n.cfi_escape\t0x0f,0x05,0x77,0x28,0x06,0x23,0x08\n.Lmul4x_body:\n\n\tcall\tmul4x_internal\n\n\tmovq\t40(%rsp),%rsi\n.cfi_def_cfa\t%rsi,8\n\tmovq\t$1,%rax\n\n\tmovq\t-48(%rsi),%r15\n.cfi_restore\t%r15\n\tmovq\t-40(%rsi),%r14\n.cfi_restore\t%r14\n\tmovq\t-32(%rsi),%r13\n.cfi_restore\t%r13\n\tmovq\t-24(%rsi),%r12\n.cfi_restore\t%r12\n\tmovq\t-16(%rsi),%rbp\n.cfi_restore\t%rbp\n\tmovq\t-8(%rsi),%rbx\n.cfi_restore\t%rbx\n\tleaq\t(%rsi),%rsp\n.cfi_def_cfa_register\t%rsp\n.Lmul4x_epilogue:\n\tret\n.cfi_endproc\t\n.size\tbn_mul4x_mont_gather5,.-bn_mul4x_mont_gather5\n\n.type\tmul4x_internal,@function\n.align\t32\nmul4x_internal:\n.cfi_startproc\t\n\tshlq\t$5,%r9\n\tmovd\t8(%rax),%xmm5\n\tleaq\t.Linc(%rip),%rax\n\tleaq\t128(%rdx,%r9,1),%r13\n\tshrq\t$5,%r9\n\tmovdqa\t0(%rax),%xmm0\n\tmovdqa\t16(%rax),%xmm1\n\tleaq\t88-112(%rsp,%r9,1),%r10\n\tleaq\t128(%rdx),%r12\n\n\tpshufd\t$0,%xmm5,%xmm5\n\tmovdqa\t%xmm1,%xmm4\n.byte\t0x67,0x67\n\tmovdqa\t%xmm1,%xmm2\n\tpaddd\t%xmm0,%xmm1\n\tpcmpeqd\t%xmm5,%xmm0\n.byte\t0x67\n\tmovdqa\t%xmm4,%xmm3\n\tpaddd\t%xmm1,%xmm2\n\tpcmpeqd\t%xmm5,%xmm1\n\tmovdqa\t%xmm0,112(%r10)\n\tmovdqa\t%xmm4,%xmm0\n\n\tpaddd\t%xmm2,%xmm3\n\tpcmpeqd\t%xmm5,%xmm2\n\tmovdqa\t%xmm1,128(%r10)\n\tmovdqa\t%xmm4,%xmm1\n\n\tpaddd\t%xmm3,%xmm0\n\tpcmpeqd\t%xmm5,%xmm3\n\tmovdqa\t%xmm2,144(%r10)\n\tmovdqa\t%xmm4,%xmm2\n\n\tpaddd\t%xmm0,%xmm1\n\tpcmpeqd\t%xmm5,%xmm0\n\tmovdqa\t%xmm3,160(%r10)\n\tmovdqa\t%xmm4,%xmm3\n\tpaddd\t%xmm1,%xmm2\n\tpcmpeqd\t%xmm5,%xmm1\n\tmovdqa\t%xmm0,176(%r10)\n\tmovdqa\t%xmm4,%xmm0\n\n\tpaddd\t%xmm2,%xmm3\n\tpcmpeqd\t%xmm5,%xmm2\n\tmovdqa\t%xmm1,192(%r10)\n\tmovdqa\t%xmm4,%xmm1\n\n\tpaddd\t%xmm3,%xmm0\n\tpcmpeqd\t%xmm5,%xmm3\n\tmovdqa\t%xmm2,208(%r10)\n\tmovdqa\t%xmm4,%xmm2\n\n\tpaddd\t%xmm0,%xmm1\n\tpcmpeqd\t%xmm5,%xmm0\n\tmovdqa\t%xmm3,224(%r10)\n\tmovdqa\t%xmm4,%xmm3\n\tpaddd\t%xmm1,%xmm2\n\tpcmpeqd\t%xmm5,%xmm1\n\tmovdqa\t%xmm0,240(%r10)\n\tmovdqa\t%xmm4,%xmm0\n\n\tpaddd\t%xmm2,%xmm3\n\tpcmpeqd\t%xmm5,%xmm2\n\tmovdqa\t%xmm1,256(%r10)\n\tmovdqa\t%xmm4,%xmm1\n\n\tpaddd\t%xmm3,%xmm0\n\tpcmpeqd\t%xmm5,%xmm3\n\tmovdqa\t%xmm2,272(%r10)\n\tmovdqa\t%xmm4,%xmm2\n\n\tpaddd\t%xmm0,%xmm1\n\tpcmpeqd\t%xmm5,%xmm0\n\tmovdqa\t%xmm3,288(%r10)\n\tmovdqa\t%xmm4,%xmm3\n\tpaddd\t%xmm1,%xmm2\n\tpcmpeqd\t%xmm5,%xmm1\n\tmovdqa\t%xmm0,304(%r10)\n\n\tpaddd\t%xmm2,%xmm3\n.byte\t0x67\n\tpcmpeqd\t%xmm5,%xmm2\n\tmovdqa\t%xmm1,320(%r10)\n\n\tpcmpeqd\t%xmm5,%xmm3\n\tmovdqa\t%xmm2,336(%r10)\n\tpand\t64(%r12),%xmm0\n\n\tpand\t80(%r12),%xmm1\n\tpand\t96(%r12),%xmm2\n\tmovdqa\t%xmm3,352(%r10)\n\tpand\t112(%r12),%xmm3\n\tpor\t%xmm2,%xmm0\n\tpor\t%xmm3,%xmm1\n\tmovdqa\t-128(%r12),%xmm4\n\tmovdqa\t-112(%r12),%xmm5\n\tmovdqa\t-96(%r12),%xmm2\n\tpand\t112(%r10),%xmm4\n\tmovdqa\t-80(%r12),%xmm3\n\tpand\t128(%r10),%xmm5\n\tpor\t%xmm4,%xmm0\n\tpand\t144(%r10),%xmm2\n\tpor\t%xmm5,%xmm1\n\tpand\t160(%r10),%xmm3\n\tpor\t%xmm2,%xmm0\n\tpor\t%xmm3,%xmm1\n\tmovdqa\t-64(%r12),%xmm4\n\tmovdqa\t-48(%r12),%xmm5\n\tmovdqa\t-32(%r12),%xmm2\n\tpand\t176(%r10),%xmm4\n\tmovdqa\t-16(%r12),%xmm3\n\tpand\t192(%r10),%xmm5\n\tpor\t%xmm4,%xmm0\n\tpand\t208(%r10),%xmm2\n\tpor\t%xmm5,%xmm1\n\tpand\t224(%r10),%xmm3\n\tpor\t%xmm2,%xmm0\n\tpor\t%xmm3,%xmm1\n\tmovdqa\t0(%r12),%xmm4\n\tmovdqa\t16(%r12),%xmm5\n\tmovdqa\t32(%r12),%xmm2\n\tpand\t240(%r10),%xmm4\n\tmovdqa\t48(%r12),%xmm3\n\tpand\t256(%r10),%xmm5\n\tpor\t%xmm4,%xmm0\n\tpand\t272(%r10),%xmm2\n\tpor\t%xmm5,%xmm1\n\tpand\t288(%r10),%xmm3\n\tpor\t%xmm2,%xmm0\n\tpor\t%xmm3,%xmm1\n\tpor\t%xmm1,%xmm0\n\n\tpshufd\t$0x4e,%xmm0,%xmm1\n\tpor\t%xmm1,%xmm0\n\tleaq\t256(%r12),%r12\n.byte\t102,72,15,126,195\n\n\tmovq\t%r13,16+8(%rsp)\n\tmovq\t%rdi,56+8(%rsp)\n\n\tmovq\t(%r8),%r8\n\tmovq\t(%rsi),%rax\n\tleaq\t(%rsi,%r9,1),%rsi\n\tnegq\t%r9\n\n\tmovq\t%r8,%rbp\n\tmulq\t%rbx\n\tmovq\t%rax,%r10\n\tmovq\t(%rcx),%rax\n\n\timulq\t%r10,%rbp\n\tleaq\t64+8(%rsp),%r14\n\tmovq\t%rdx,%r11\n\n\tmulq\t%rbp\n\taddq\t%rax,%r10\n\tmovq\t8(%rsi,%r9,1),%rax\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%rdi\n\n\tmulq\t%rbx\n\taddq\t%rax,%r11\n\tmovq\t8(%rcx),%rax\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r10\n\n\tmulq\t%rbp\n\taddq\t%rax,%rdi\n\tmovq\t16(%rsi,%r9,1),%rax\n\tadcq\t$0,%rdx\n\taddq\t%r11,%rdi\n\tleaq\t32(%r9),%r15\n\tleaq\t32(%rcx),%rcx\n\tadcq\t$0,%rdx\n\tmovq\t%rdi,(%r14)\n\tmovq\t%rdx,%r13\n\tjmp\t.L1st4x\n\n.align\t32\n.L1st4x:\n\tmulq\t%rbx\n\taddq\t%rax,%r10\n\tmovq\t-16(%rcx),%rax\n\tleaq\t32(%r14),%r14\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r11\n\n\tmulq\t%rbp\n\taddq\t%rax,%r13\n\tmovq\t-8(%rsi,%r15,1),%rax\n\tadcq\t$0,%rdx\n\taddq\t%r10,%r13\n\tadcq\t$0,%rdx\n\tmovq\t%r13,-24(%r14)\n\tmovq\t%rdx,%rdi\n\n\tmulq\t%rbx\n\taddq\t%rax,%r11\n\tmovq\t-8(%rcx),%rax\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r10\n\n\tmulq\t%rbp\n\taddq\t%rax,%rdi\n\tmovq\t(%rsi,%r15,1),%rax\n\tadcq\t$0,%rdx\n\taddq\t%r11,%rdi\n\tadcq\t$0,%rdx\n\tmovq\t%rdi,-16(%r14)\n\tmovq\t%rdx,%r13\n\n\tmulq\t%rbx\n\taddq\t%rax,%r10\n\tmovq\t0(%rcx),%rax\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r11\n\n\tmulq\t%rbp\n\taddq\t%rax,%r13\n\tmovq\t8(%rsi,%r15,1),%rax\n\tadcq\t$0,%rdx\n\taddq\t%r10,%r13\n\tadcq\t$0,%rdx\n\tmovq\t%r13,-8(%r14)\n\tmovq\t%rdx,%rdi\n\n\tmulq\t%rbx\n\taddq\t%rax,%r11\n\tmovq\t8(%rcx),%rax\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r10\n\n\tmulq\t%rbp\n\taddq\t%rax,%rdi\n\tmovq\t16(%rsi,%r15,1),%rax\n\tadcq\t$0,%rdx\n\taddq\t%r11,%rdi\n\tleaq\t32(%rcx),%rcx\n\tadcq\t$0,%rdx\n\tmovq\t%rdi,(%r14)\n\tmovq\t%rdx,%r13\n\n\taddq\t$32,%r15\n\tjnz\t.L1st4x\n\n\tmulq\t%rbx\n\taddq\t%rax,%r10\n\tmovq\t-16(%rcx),%rax\n\tleaq\t32(%r14),%r14\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r11\n\n\tmulq\t%rbp\n\taddq\t%rax,%r13\n\tmovq\t-8(%rsi),%rax\n\tadcq\t$0,%rdx\n\taddq\t%r10,%r13\n\tadcq\t$0,%rdx\n\tmovq\t%r13,-24(%r14)\n\tmovq\t%rdx,%rdi\n\n\tmulq\t%rbx\n\taddq\t%rax,%r11\n\tmovq\t-8(%rcx),%rax\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r10\n\n\tmulq\t%rbp\n\taddq\t%rax,%rdi\n\tmovq\t(%rsi,%r9,1),%rax\n\tadcq\t$0,%rdx\n\taddq\t%r11,%rdi\n\tadcq\t$0,%rdx\n\tmovq\t%rdi,-16(%r14)\n\tmovq\t%rdx,%r13\n\n\tleaq\t(%rcx,%r9,1),%rcx\n\n\txorq\t%rdi,%rdi\n\taddq\t%r10,%r13\n\tadcq\t$0,%rdi\n\tmovq\t%r13,-8(%r14)\n\n\tjmp\t.Louter4x\n\n.align\t32\n.Louter4x:\n\tleaq\t16+128(%r14),%rdx\n\tpxor\t%xmm4,%xmm4\n\tpxor\t%xmm5,%xmm5\n\tmovdqa\t-128(%r12),%xmm0\n\tmovdqa\t-112(%r12),%xmm1\n\tmovdqa\t-96(%r12),%xmm2\n\tmovdqa\t-80(%r12),%xmm3\n\tpand\t-128(%rdx),%xmm0\n\tpand\t-112(%rdx),%xmm1\n\tpor\t%xmm0,%xmm4\n\tpand\t-96(%rdx),%xmm2\n\tpor\t%xmm1,%xmm5\n\tpand\t-80(%rdx),%xmm3\n\tpor\t%xmm2,%xmm4\n\tpor\t%xmm3,%xmm5\n\tmovdqa\t-64(%r12),%xmm0\n\tmovdqa\t-48(%r12),%xmm1\n\tmovdqa\t-32(%r12),%xmm2\n\tmovdqa\t-16(%r12),%xmm3\n\tpand\t-64(%rdx),%xmm0\n\tpand\t-48(%rdx),%xmm1\n\tpor\t%xmm0,%xmm4\n\tpand\t-32(%rdx),%xmm2\n\tpor\t%xmm1,%xmm5\n\tpand\t-16(%rdx),%xmm3\n\tpor\t%xmm2,%xmm4\n\tpor\t%xmm3,%xmm5\n\tmovdqa\t0(%r12),%xmm0\n\tmovdqa\t16(%r12),%xmm1\n\tmovdqa\t32(%r12),%xmm2\n\tmovdqa\t48(%r12),%xmm3\n\tpand\t0(%rdx),%xmm0\n\tpand\t16(%rdx),%xmm1\n\tpor\t%xmm0,%xmm4\n\tpand\t32(%rdx),%xmm2\n\tpor\t%xmm1,%xmm5\n\tpand\t48(%rdx),%xmm3\n\tpor\t%xmm2,%xmm4\n\tpor\t%xmm3,%xmm5\n\tmovdqa\t64(%r12),%xmm0\n\tmovdqa\t80(%r12),%xmm1\n\tmovdqa\t96(%r12),%xmm2\n\tmovdqa\t112(%r12),%xmm3\n\tpand\t64(%rdx),%xmm0\n\tpand\t80(%rdx),%xmm1\n\tpor\t%xmm0,%xmm4\n\tpand\t96(%rdx),%xmm2\n\tpor\t%xmm1,%xmm5\n\tpand\t112(%rdx),%xmm3\n\tpor\t%xmm2,%xmm4\n\tpor\t%xmm3,%xmm5\n\tpor\t%xmm5,%xmm4\n\n\tpshufd\t$0x4e,%xmm4,%xmm0\n\tpor\t%xmm4,%xmm0\n\tleaq\t256(%r12),%r12\n.byte\t102,72,15,126,195\n\n\tmovq\t(%r14,%r9,1),%r10\n\tmovq\t%r8,%rbp\n\tmulq\t%rbx\n\taddq\t%rax,%r10\n\tmovq\t(%rcx),%rax\n\tadcq\t$0,%rdx\n\n\timulq\t%r10,%rbp\n\tmovq\t%rdx,%r11\n\tmovq\t%rdi,(%r14)\n\n\tleaq\t(%r14,%r9,1),%r14\n\n\tmulq\t%rbp\n\taddq\t%rax,%r10\n\tmovq\t8(%rsi,%r9,1),%rax\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%rdi\n\n\tmulq\t%rbx\n\taddq\t%rax,%r11\n\tmovq\t8(%rcx),%rax\n\tadcq\t$0,%rdx\n\taddq\t8(%r14),%r11\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r10\n\n\tmulq\t%rbp\n\taddq\t%rax,%rdi\n\tmovq\t16(%rsi,%r9,1),%rax\n\tadcq\t$0,%rdx\n\taddq\t%r11,%rdi\n\tleaq\t32(%r9),%r15\n\tleaq\t32(%rcx),%rcx\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r13\n\tjmp\t.Linner4x\n\n.align\t32\n.Linner4x:\n\tmulq\t%rbx\n\taddq\t%rax,%r10\n\tmovq\t-16(%rcx),%rax\n\tadcq\t$0,%rdx\n\taddq\t16(%r14),%r10\n\tleaq\t32(%r14),%r14\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r11\n\n\tmulq\t%rbp\n\taddq\t%rax,%r13\n\tmovq\t-8(%rsi,%r15,1),%rax\n\tadcq\t$0,%rdx\n\taddq\t%r10,%r13\n\tadcq\t$0,%rdx\n\tmovq\t%rdi,-32(%r14)\n\tmovq\t%rdx,%rdi\n\n\tmulq\t%rbx\n\taddq\t%rax,%r11\n\tmovq\t-8(%rcx),%rax\n\tadcq\t$0,%rdx\n\taddq\t-8(%r14),%r11\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r10\n\n\tmulq\t%rbp\n\taddq\t%rax,%rdi\n\tmovq\t(%rsi,%r15,1),%rax\n\tadcq\t$0,%rdx\n\taddq\t%r11,%rdi\n\tadcq\t$0,%rdx\n\tmovq\t%r13,-24(%r14)\n\tmovq\t%rdx,%r13\n\n\tmulq\t%rbx\n\taddq\t%rax,%r10\n\tmovq\t0(%rcx),%rax\n\tadcq\t$0,%rdx\n\taddq\t(%r14),%r10\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r11\n\n\tmulq\t%rbp\n\taddq\t%rax,%r13\n\tmovq\t8(%rsi,%r15,1),%rax\n\tadcq\t$0,%rdx\n\taddq\t%r10,%r13\n\tadcq\t$0,%rdx\n\tmovq\t%rdi,-16(%r14)\n\tmovq\t%rdx,%rdi\n\n\tmulq\t%rbx\n\taddq\t%rax,%r11\n\tmovq\t8(%rcx),%rax\n\tadcq\t$0,%rdx\n\taddq\t8(%r14),%r11\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r10\n\n\tmulq\t%rbp\n\taddq\t%rax,%rdi\n\tmovq\t16(%rsi,%r15,1),%rax\n\tadcq\t$0,%rdx\n\taddq\t%r11,%rdi\n\tleaq\t32(%rcx),%rcx\n\tadcq\t$0,%rdx\n\tmovq\t%r13,-8(%r14)\n\tmovq\t%rdx,%r13\n\n\taddq\t$32,%r15\n\tjnz\t.Linner4x\n\n\tmulq\t%rbx\n\taddq\t%rax,%r10\n\tmovq\t-16(%rcx),%rax\n\tadcq\t$0,%rdx\n\taddq\t16(%r14),%r10\n\tleaq\t32(%r14),%r14\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r11\n\n\tmulq\t%rbp\n\taddq\t%rax,%r13\n\tmovq\t-8(%rsi),%rax\n\tadcq\t$0,%rdx\n\taddq\t%r10,%r13\n\tadcq\t$0,%rdx\n\tmovq\t%rdi,-32(%r14)\n\tmovq\t%rdx,%rdi\n\n\tmulq\t%rbx\n\taddq\t%rax,%r11\n\tmovq\t%rbp,%rax\n\tmovq\t-8(%rcx),%rbp\n\tadcq\t$0,%rdx\n\taddq\t-8(%r14),%r11\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r10\n\n\tmulq\t%rbp\n\taddq\t%rax,%rdi\n\tmovq\t(%rsi,%r9,1),%rax\n\tadcq\t$0,%rdx\n\taddq\t%r11,%rdi\n\tadcq\t$0,%rdx\n\tmovq\t%r13,-24(%r14)\n\tmovq\t%rdx,%r13\n\n\tmovq\t%rdi,-16(%r14)\n\tleaq\t(%rcx,%r9,1),%rcx\n\n\txorq\t%rdi,%rdi\n\taddq\t%r10,%r13\n\tadcq\t$0,%rdi\n\taddq\t(%r14),%r13\n\tadcq\t$0,%rdi\n\tmovq\t%r13,-8(%r14)\n\n\tcmpq\t16+8(%rsp),%r12\n\tjb\t.Louter4x\n\txorq\t%rax,%rax\n\tsubq\t%r13,%rbp\n\tadcq\t%r15,%r15\n\torq\t%r15,%rdi\n\tsubq\t%rdi,%rax\n\tleaq\t(%r14,%r9,1),%rbx\n\tmovq\t(%rcx),%r12\n\tleaq\t(%rcx),%rbp\n\tmovq\t%r9,%rcx\n\tsarq\t$3+2,%rcx\n\tmovq\t56+8(%rsp),%rdi\n\tdecq\t%r12\n\txorq\t%r10,%r10\n\tmovq\t8(%rbp),%r13\n\tmovq\t16(%rbp),%r14\n\tmovq\t24(%rbp),%r15\n\tjmp\t.Lsqr4x_sub_entry\n.cfi_endproc\t\n.size\tmul4x_internal,.-mul4x_internal\n.globl\tbn_power5_nohw\n.hidden bn_power5_nohw\n.type\tbn_power5_nohw,@function\n.align\t32\nbn_power5_nohw:\n.cfi_startproc\t\n_CET_ENDBR\n\tmovq\t%rsp,%rax\n.cfi_def_cfa_register\t%rax\n\tpushq\t%rbx\n.cfi_offset\t%rbx,-16\n\tpushq\t%rbp\n.cfi_offset\t%rbp,-24\n\tpushq\t%r12\n.cfi_offset\t%r12,-32\n\tpushq\t%r13\n.cfi_offset\t%r13,-40\n\tpushq\t%r14\n.cfi_offset\t%r14,-48\n\tpushq\t%r15\n.cfi_offset\t%r15,-56\n.Lpower5_prologue:\n\n\n\n\n\tshll\t$3,%r9d\n\tleal\t(%r9,%r9,2),%r10d\n\tnegq\t%r9\n\tmovq\t(%r8),%r8\n\n\n\n\n\n\n\n\n\tleaq\t-320(%rsp,%r9,2),%r11\n\tmovq\t%rsp,%rbp\n\tsubq\t%rdi,%r11\n\tandq\t$4095,%r11\n\tcmpq\t%r11,%r10\n\tjb\t.Lpwr_sp_alt\n\tsubq\t%r11,%rbp\n\tleaq\t-320(%rbp,%r9,2),%rbp\n\tjmp\t.Lpwr_sp_done\n\n.align\t32\n.Lpwr_sp_alt:\n\tleaq\t4096-320(,%r9,2),%r10\n\tleaq\t-320(%rbp,%r9,2),%rbp\n\tsubq\t%r10,%r11\n\tmovq\t$0,%r10\n\tcmovcq\t%r10,%r11\n\tsubq\t%r11,%rbp\n.Lpwr_sp_done:\n\tandq\t$-64,%rbp\n\tmovq\t%rsp,%r11\n\tsubq\t%rbp,%r11\n\tandq\t$-4096,%r11\n\tleaq\t(%r11,%rbp,1),%rsp\n\tmovq\t(%rsp),%r10\n\tcmpq\t%rbp,%rsp\n\tja\t.Lpwr_page_walk\n\tjmp\t.Lpwr_page_walk_done\n\n.Lpwr_page_walk:\n\tleaq\t-4096(%rsp),%rsp\n\tmovq\t(%rsp),%r10\n\tcmpq\t%rbp,%rsp\n\tja\t.Lpwr_page_walk\n.Lpwr_page_walk_done:\n\n\tmovq\t%r9,%r10\n\tnegq\t%r9\n\n\n\n\n\n\n\n\n\n\n\tmovq\t%r8,32(%rsp)\n\tmovq\t%rax,40(%rsp)\n.cfi_escape\t0x0f,0x05,0x77,0x28,0x06,0x23,0x08\n.Lpower5_body:\n.byte\t102,72,15,110,207\n.byte\t102,72,15,110,209\n.byte\t102,73,15,110,218\n.byte\t102,72,15,110,226\n\n\tcall\t__bn_sqr8x_internal\n\tcall\t__bn_post4x_internal\n\tcall\t__bn_sqr8x_internal\n\tcall\t__bn_post4x_internal\n\tcall\t__bn_sqr8x_internal\n\tcall\t__bn_post4x_internal\n\tcall\t__bn_sqr8x_internal\n\tcall\t__bn_post4x_internal\n\tcall\t__bn_sqr8x_internal\n\tcall\t__bn_post4x_internal\n\n.byte\t102,72,15,126,209\n.byte\t102,72,15,126,226\n\tmovq\t%rsi,%rdi\n\tmovq\t40(%rsp),%rax\n\tleaq\t32(%rsp),%r8\n\n\tcall\tmul4x_internal\n\n\tmovq\t40(%rsp),%rsi\n.cfi_def_cfa\t%rsi,8\n\tmovq\t$1,%rax\n\tmovq\t-48(%rsi),%r15\n.cfi_restore\t%r15\n\tmovq\t-40(%rsi),%r14\n.cfi_restore\t%r14\n\tmovq\t-32(%rsi),%r13\n.cfi_restore\t%r13\n\tmovq\t-24(%rsi),%r12\n.cfi_restore\t%r12\n\tmovq\t-16(%rsi),%rbp\n.cfi_restore\t%rbp\n\tmovq\t-8(%rsi),%rbx\n.cfi_restore\t%rbx\n\tleaq\t(%rsi),%rsp\n.cfi_def_cfa_register\t%rsp\n.Lpower5_epilogue:\n\tret\n.cfi_endproc\t\n.size\tbn_power5_nohw,.-bn_power5_nohw\n\n.globl\tbn_sqr8x_internal\n.hidden bn_sqr8x_internal\n.hidden\tbn_sqr8x_internal\n.type\tbn_sqr8x_internal,@function\n.align\t32\nbn_sqr8x_internal:\n__bn_sqr8x_internal:\n.cfi_startproc\t\n_CET_ENDBR\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\tleaq\t32(%r10),%rbp\n\tleaq\t(%rsi,%r9,1),%rsi\n\n\tmovq\t%r9,%rcx\n\n\n\tmovq\t-32(%rsi,%rbp,1),%r14\n\tleaq\t48+8(%rsp,%r9,2),%rdi\n\tmovq\t-24(%rsi,%rbp,1),%rax\n\tleaq\t-32(%rdi,%rbp,1),%rdi\n\tmovq\t-16(%rsi,%rbp,1),%rbx\n\tmovq\t%rax,%r15\n\n\tmulq\t%r14\n\tmovq\t%rax,%r10\n\tmovq\t%rbx,%rax\n\tmovq\t%rdx,%r11\n\tmovq\t%r10,-24(%rdi,%rbp,1)\n\n\tmulq\t%r14\n\taddq\t%rax,%r11\n\tmovq\t%rbx,%rax\n\tadcq\t$0,%rdx\n\tmovq\t%r11,-16(%rdi,%rbp,1)\n\tmovq\t%rdx,%r10\n\n\n\tmovq\t-8(%rsi,%rbp,1),%rbx\n\tmulq\t%r15\n\tmovq\t%rax,%r12\n\tmovq\t%rbx,%rax\n\tmovq\t%rdx,%r13\n\n\tleaq\t(%rbp),%rcx\n\tmulq\t%r14\n\taddq\t%rax,%r10\n\tmovq\t%rbx,%rax\n\tmovq\t%rdx,%r11\n\tadcq\t$0,%r11\n\taddq\t%r12,%r10\n\tadcq\t$0,%r11\n\tmovq\t%r10,-8(%rdi,%rcx,1)\n\tjmp\t.Lsqr4x_1st\n\n.align\t32\n.Lsqr4x_1st:\n\tmovq\t(%rsi,%rcx,1),%rbx\n\tmulq\t%r15\n\taddq\t%rax,%r13\n\tmovq\t%rbx,%rax\n\tmovq\t%rdx,%r12\n\tadcq\t$0,%r12\n\n\tmulq\t%r14\n\taddq\t%rax,%r11\n\tmovq\t%rbx,%rax\n\tmovq\t8(%rsi,%rcx,1),%rbx\n\tmovq\t%rdx,%r10\n\tadcq\t$0,%r10\n\taddq\t%r13,%r11\n\tadcq\t$0,%r10\n\n\n\tmulq\t%r15\n\taddq\t%rax,%r12\n\tmovq\t%rbx,%rax\n\tmovq\t%r11,(%rdi,%rcx,1)\n\tmovq\t%rdx,%r13\n\tadcq\t$0,%r13\n\n\tmulq\t%r14\n\taddq\t%rax,%r10\n\tmovq\t%rbx,%rax\n\tmovq\t16(%rsi,%rcx,1),%rbx\n\tmovq\t%rdx,%r11\n\tadcq\t$0,%r11\n\taddq\t%r12,%r10\n\tadcq\t$0,%r11\n\n\tmulq\t%r15\n\taddq\t%rax,%r13\n\tmovq\t%rbx,%rax\n\tmovq\t%r10,8(%rdi,%rcx,1)\n\tmovq\t%rdx,%r12\n\tadcq\t$0,%r12\n\n\tmulq\t%r14\n\taddq\t%rax,%r11\n\tmovq\t%rbx,%rax\n\tmovq\t24(%rsi,%rcx,1),%rbx\n\tmovq\t%rdx,%r10\n\tadcq\t$0,%r10\n\taddq\t%r13,%r11\n\tadcq\t$0,%r10\n\n\n\tmulq\t%r15\n\taddq\t%rax,%r12\n\tmovq\t%rbx,%rax\n\tmovq\t%r11,16(%rdi,%rcx,1)\n\tmovq\t%rdx,%r13\n\tadcq\t$0,%r13\n\tleaq\t32(%rcx),%rcx\n\n\tmulq\t%r14\n\taddq\t%rax,%r10\n\tmovq\t%rbx,%rax\n\tmovq\t%rdx,%r11\n\tadcq\t$0,%r11\n\taddq\t%r12,%r10\n\tadcq\t$0,%r11\n\tmovq\t%r10,-8(%rdi,%rcx,1)\n\n\tcmpq\t$0,%rcx\n\tjne\t.Lsqr4x_1st\n\n\tmulq\t%r15\n\taddq\t%rax,%r13\n\tleaq\t16(%rbp),%rbp\n\tadcq\t$0,%rdx\n\taddq\t%r11,%r13\n\tadcq\t$0,%rdx\n\n\tmovq\t%r13,(%rdi)\n\tmovq\t%rdx,%r12\n\tmovq\t%rdx,8(%rdi)\n\tjmp\t.Lsqr4x_outer\n\n.align\t32\n.Lsqr4x_outer:\n\tmovq\t-32(%rsi,%rbp,1),%r14\n\tleaq\t48+8(%rsp,%r9,2),%rdi\n\tmovq\t-24(%rsi,%rbp,1),%rax\n\tleaq\t-32(%rdi,%rbp,1),%rdi\n\tmovq\t-16(%rsi,%rbp,1),%rbx\n\tmovq\t%rax,%r15\n\n\tmulq\t%r14\n\tmovq\t-24(%rdi,%rbp,1),%r10\n\taddq\t%rax,%r10\n\tmovq\t%rbx,%rax\n\tadcq\t$0,%rdx\n\tmovq\t%r10,-24(%rdi,%rbp,1)\n\tmovq\t%rdx,%r11\n\n\tmulq\t%r14\n\taddq\t%rax,%r11\n\tmovq\t%rbx,%rax\n\tadcq\t$0,%rdx\n\taddq\t-16(%rdi,%rbp,1),%r11\n\tmovq\t%rdx,%r10\n\tadcq\t$0,%r10\n\tmovq\t%r11,-16(%rdi,%rbp,1)\n\n\txorq\t%r12,%r12\n\n\tmovq\t-8(%rsi,%rbp,1),%rbx\n\tmulq\t%r15\n\taddq\t%rax,%r12\n\tmovq\t%rbx,%rax\n\tadcq\t$0,%rdx\n\taddq\t-8(%rdi,%rbp,1),%r12\n\tmovq\t%rdx,%r13\n\tadcq\t$0,%r13\n\n\tmulq\t%r14\n\taddq\t%rax,%r10\n\tmovq\t%rbx,%rax\n\tadcq\t$0,%rdx\n\taddq\t%r12,%r10\n\tmovq\t%rdx,%r11\n\tadcq\t$0,%r11\n\tmovq\t%r10,-8(%rdi,%rbp,1)\n\n\tleaq\t(%rbp),%rcx\n\tjmp\t.Lsqr4x_inner\n\n.align\t32\n.Lsqr4x_inner:\n\tmovq\t(%rsi,%rcx,1),%rbx\n\tmulq\t%r15\n\taddq\t%rax,%r13\n\tmovq\t%rbx,%rax\n\tmovq\t%rdx,%r12\n\tadcq\t$0,%r12\n\taddq\t(%rdi,%rcx,1),%r13\n\tadcq\t$0,%r12\n\n.byte\t0x67\n\tmulq\t%r14\n\taddq\t%rax,%r11\n\tmovq\t%rbx,%rax\n\tmovq\t8(%rsi,%rcx,1),%rbx\n\tmovq\t%rdx,%r10\n\tadcq\t$0,%r10\n\taddq\t%r13,%r11\n\tadcq\t$0,%r10\n\n\tmulq\t%r15\n\taddq\t%rax,%r12\n\tmovq\t%r11,(%rdi,%rcx,1)\n\tmovq\t%rbx,%rax\n\tmovq\t%rdx,%r13\n\tadcq\t$0,%r13\n\taddq\t8(%rdi,%rcx,1),%r12\n\tleaq\t16(%rcx),%rcx\n\tadcq\t$0,%r13\n\n\tmulq\t%r14\n\taddq\t%rax,%r10\n\tmovq\t%rbx,%rax\n\tadcq\t$0,%rdx\n\taddq\t%r12,%r10\n\tmovq\t%rdx,%r11\n\tadcq\t$0,%r11\n\tmovq\t%r10,-8(%rdi,%rcx,1)\n\n\tcmpq\t$0,%rcx\n\tjne\t.Lsqr4x_inner\n\n.byte\t0x67\n\tmulq\t%r15\n\taddq\t%rax,%r13\n\tadcq\t$0,%rdx\n\taddq\t%r11,%r13\n\tadcq\t$0,%rdx\n\n\tmovq\t%r13,(%rdi)\n\tmovq\t%rdx,%r12\n\tmovq\t%rdx,8(%rdi)\n\n\taddq\t$16,%rbp\n\tjnz\t.Lsqr4x_outer\n\n\n\tmovq\t-32(%rsi),%r14\n\tleaq\t48+8(%rsp,%r9,2),%rdi\n\tmovq\t-24(%rsi),%rax\n\tleaq\t-32(%rdi,%rbp,1),%rdi\n\tmovq\t-16(%rsi),%rbx\n\tmovq\t%rax,%r15\n\n\tmulq\t%r14\n\taddq\t%rax,%r10\n\tmovq\t%rbx,%rax\n\tmovq\t%rdx,%r11\n\tadcq\t$0,%r11\n\n\tmulq\t%r14\n\taddq\t%rax,%r11\n\tmovq\t%rbx,%rax\n\tmovq\t%r10,-24(%rdi)\n\tmovq\t%rdx,%r10\n\tadcq\t$0,%r10\n\taddq\t%r13,%r11\n\tmovq\t-8(%rsi),%rbx\n\tadcq\t$0,%r10\n\n\tmulq\t%r15\n\taddq\t%rax,%r12\n\tmovq\t%rbx,%rax\n\tmovq\t%r11,-16(%rdi)\n\tmovq\t%rdx,%r13\n\tadcq\t$0,%r13\n\n\tmulq\t%r14\n\taddq\t%rax,%r10\n\tmovq\t%rbx,%rax\n\tmovq\t%rdx,%r11\n\tadcq\t$0,%r11\n\taddq\t%r12,%r10\n\tadcq\t$0,%r11\n\tmovq\t%r10,-8(%rdi)\n\n\tmulq\t%r15\n\taddq\t%rax,%r13\n\tmovq\t-16(%rsi),%rax\n\tadcq\t$0,%rdx\n\taddq\t%r11,%r13\n\tadcq\t$0,%rdx\n\n\tmovq\t%r13,(%rdi)\n\tmovq\t%rdx,%r12\n\tmovq\t%rdx,8(%rdi)\n\n\tmulq\t%rbx\n\taddq\t$16,%rbp\n\txorq\t%r14,%r14\n\tsubq\t%r9,%rbp\n\txorq\t%r15,%r15\n\n\taddq\t%r12,%rax\n\tadcq\t$0,%rdx\n\tmovq\t%rax,8(%rdi)\n\tmovq\t%rdx,16(%rdi)\n\tmovq\t%r15,24(%rdi)\n\n\tmovq\t-16(%rsi,%rbp,1),%rax\n\tleaq\t48+8(%rsp),%rdi\n\txorq\t%r10,%r10\n\tmovq\t8(%rdi),%r11\n\n\tleaq\t(%r14,%r10,2),%r12\n\tshrq\t$63,%r10\n\tleaq\t(%rcx,%r11,2),%r13\n\tshrq\t$63,%r11\n\torq\t%r10,%r13\n\tmovq\t16(%rdi),%r10\n\tmovq\t%r11,%r14\n\tmulq\t%rax\n\tnegq\t%r15\n\tmovq\t24(%rdi),%r11\n\tadcq\t%rax,%r12\n\tmovq\t-8(%rsi,%rbp,1),%rax\n\tmovq\t%r12,(%rdi)\n\tadcq\t%rdx,%r13\n\n\tleaq\t(%r14,%r10,2),%rbx\n\tmovq\t%r13,8(%rdi)\n\tsbbq\t%r15,%r15\n\tshrq\t$63,%r10\n\tleaq\t(%rcx,%r11,2),%r8\n\tshrq\t$63,%r11\n\torq\t%r10,%r8\n\tmovq\t32(%rdi),%r10\n\tmovq\t%r11,%r14\n\tmulq\t%rax\n\tnegq\t%r15\n\tmovq\t40(%rdi),%r11\n\tadcq\t%rax,%rbx\n\tmovq\t0(%rsi,%rbp,1),%rax\n\tmovq\t%rbx,16(%rdi)\n\tadcq\t%rdx,%r8\n\tleaq\t16(%rbp),%rbp\n\tmovq\t%r8,24(%rdi)\n\tsbbq\t%r15,%r15\n\tleaq\t64(%rdi),%rdi\n\tjmp\t.Lsqr4x_shift_n_add\n\n.align\t32\n.Lsqr4x_shift_n_add:\n\tleaq\t(%r14,%r10,2),%r12\n\tshrq\t$63,%r10\n\tleaq\t(%rcx,%r11,2),%r13\n\tshrq\t$63,%r11\n\torq\t%r10,%r13\n\tmovq\t-16(%rdi),%r10\n\tmovq\t%r11,%r14\n\tmulq\t%rax\n\tnegq\t%r15\n\tmovq\t-8(%rdi),%r11\n\tadcq\t%rax,%r12\n\tmovq\t-8(%rsi,%rbp,1),%rax\n\tmovq\t%r12,-32(%rdi)\n\tadcq\t%rdx,%r13\n\n\tleaq\t(%r14,%r10,2),%rbx\n\tmovq\t%r13,-24(%rdi)\n\tsbbq\t%r15,%r15\n\tshrq\t$63,%r10\n\tleaq\t(%rcx,%r11,2),%r8\n\tshrq\t$63,%r11\n\torq\t%r10,%r8\n\tmovq\t0(%rdi),%r10\n\tmovq\t%r11,%r14\n\tmulq\t%rax\n\tnegq\t%r15\n\tmovq\t8(%rdi),%r11\n\tadcq\t%rax,%rbx\n\tmovq\t0(%rsi,%rbp,1),%rax\n\tmovq\t%rbx,-16(%rdi)\n\tadcq\t%rdx,%r8\n\n\tleaq\t(%r14,%r10,2),%r12\n\tmovq\t%r8,-8(%rdi)\n\tsbbq\t%r15,%r15\n\tshrq\t$63,%r10\n\tleaq\t(%rcx,%r11,2),%r13\n\tshrq\t$63,%r11\n\torq\t%r10,%r13\n\tmovq\t16(%rdi),%r10\n\tmovq\t%r11,%r14\n\tmulq\t%rax\n\tnegq\t%r15\n\tmovq\t24(%rdi),%r11\n\tadcq\t%rax,%r12\n\tmovq\t8(%rsi,%rbp,1),%rax\n\tmovq\t%r12,0(%rdi)\n\tadcq\t%rdx,%r13\n\n\tleaq\t(%r14,%r10,2),%rbx\n\tmovq\t%r13,8(%rdi)\n\tsbbq\t%r15,%r15\n\tshrq\t$63,%r10\n\tleaq\t(%rcx,%r11,2),%r8\n\tshrq\t$63,%r11\n\torq\t%r10,%r8\n\tmovq\t32(%rdi),%r10\n\tmovq\t%r11,%r14\n\tmulq\t%rax\n\tnegq\t%r15\n\tmovq\t40(%rdi),%r11\n\tadcq\t%rax,%rbx\n\tmovq\t16(%rsi,%rbp,1),%rax\n\tmovq\t%rbx,16(%rdi)\n\tadcq\t%rdx,%r8\n\tmovq\t%r8,24(%rdi)\n\tsbbq\t%r15,%r15\n\tleaq\t64(%rdi),%rdi\n\taddq\t$32,%rbp\n\tjnz\t.Lsqr4x_shift_n_add\n\n\tleaq\t(%r14,%r10,2),%r12\n.byte\t0x67\n\tshrq\t$63,%r10\n\tleaq\t(%rcx,%r11,2),%r13\n\tshrq\t$63,%r11\n\torq\t%r10,%r13\n\tmovq\t-16(%rdi),%r10\n\tmovq\t%r11,%r14\n\tmulq\t%rax\n\tnegq\t%r15\n\tmovq\t-8(%rdi),%r11\n\tadcq\t%rax,%r12\n\tmovq\t-8(%rsi),%rax\n\tmovq\t%r12,-32(%rdi)\n\tadcq\t%rdx,%r13\n\n\tleaq\t(%r14,%r10,2),%rbx\n\tmovq\t%r13,-24(%rdi)\n\tsbbq\t%r15,%r15\n\tshrq\t$63,%r10\n\tleaq\t(%rcx,%r11,2),%r8\n\tshrq\t$63,%r11\n\torq\t%r10,%r8\n\tmulq\t%rax\n\tnegq\t%r15\n\tadcq\t%rax,%rbx\n\tadcq\t%rdx,%r8\n\tmovq\t%rbx,-16(%rdi)\n\tmovq\t%r8,-8(%rdi)\n.byte\t102,72,15,126,213\n__bn_sqr8x_reduction:\n\txorq\t%rax,%rax\n\tleaq\t(%r9,%rbp,1),%rcx\n\tleaq\t48+8(%rsp,%r9,2),%rdx\n\tmovq\t%rcx,0+8(%rsp)\n\tleaq\t48+8(%rsp,%r9,1),%rdi\n\tmovq\t%rdx,8+8(%rsp)\n\tnegq\t%r9\n\tjmp\t.L8x_reduction_loop\n\n.align\t32\n.L8x_reduction_loop:\n\tleaq\t(%rdi,%r9,1),%rdi\n.byte\t0x66\n\tmovq\t0(%rdi),%rbx\n\tmovq\t8(%rdi),%r9\n\tmovq\t16(%rdi),%r10\n\tmovq\t24(%rdi),%r11\n\tmovq\t32(%rdi),%r12\n\tmovq\t40(%rdi),%r13\n\tmovq\t48(%rdi),%r14\n\tmovq\t56(%rdi),%r15\n\tmovq\t%rax,(%rdx)\n\tleaq\t64(%rdi),%rdi\n\n.byte\t0x67\n\tmovq\t%rbx,%r8\n\timulq\t32+8(%rsp),%rbx\n\tmovq\t0(%rbp),%rax\n\tmovl\t$8,%ecx\n\tjmp\t.L8x_reduce\n\n.align\t32\n.L8x_reduce:\n\tmulq\t%rbx\n\tmovq\t8(%rbp),%rax\n\tnegq\t%r8\n\tmovq\t%rdx,%r8\n\tadcq\t$0,%r8\n\n\tmulq\t%rbx\n\taddq\t%rax,%r9\n\tmovq\t16(%rbp),%rax\n\tadcq\t$0,%rdx\n\taddq\t%r9,%r8\n\tmovq\t%rbx,48-8+8(%rsp,%rcx,8)\n\tmovq\t%rdx,%r9\n\tadcq\t$0,%r9\n\n\tmulq\t%rbx\n\taddq\t%rax,%r10\n\tmovq\t24(%rbp),%rax\n\tadcq\t$0,%rdx\n\taddq\t%r10,%r9\n\tmovq\t32+8(%rsp),%rsi\n\tmovq\t%rdx,%r10\n\tadcq\t$0,%r10\n\n\tmulq\t%rbx\n\taddq\t%rax,%r11\n\tmovq\t32(%rbp),%rax\n\tadcq\t$0,%rdx\n\timulq\t%r8,%rsi\n\taddq\t%r11,%r10\n\tmovq\t%rdx,%r11\n\tadcq\t$0,%r11\n\n\tmulq\t%rbx\n\taddq\t%rax,%r12\n\tmovq\t40(%rbp),%rax\n\tadcq\t$0,%rdx\n\taddq\t%r12,%r11\n\tmovq\t%rdx,%r12\n\tadcq\t$0,%r12\n\n\tmulq\t%rbx\n\taddq\t%rax,%r13\n\tmovq\t48(%rbp),%rax\n\tadcq\t$0,%rdx\n\taddq\t%r13,%r12\n\tmovq\t%rdx,%r13\n\tadcq\t$0,%r13\n\n\tmulq\t%rbx\n\taddq\t%rax,%r14\n\tmovq\t56(%rbp),%rax\n\tadcq\t$0,%rdx\n\taddq\t%r14,%r13\n\tmovq\t%rdx,%r14\n\tadcq\t$0,%r14\n\n\tmulq\t%rbx\n\tmovq\t%rsi,%rbx\n\taddq\t%rax,%r15\n\tmovq\t0(%rbp),%rax\n\tadcq\t$0,%rdx\n\taddq\t%r15,%r14\n\tmovq\t%rdx,%r15\n\tadcq\t$0,%r15\n\n\tdecl\t%ecx\n\tjnz\t.L8x_reduce\n\n\tleaq\t64(%rbp),%rbp\n\txorq\t%rax,%rax\n\tmovq\t8+8(%rsp),%rdx\n\tcmpq\t0+8(%rsp),%rbp\n\tjae\t.L8x_no_tail\n\n.byte\t0x66\n\taddq\t0(%rdi),%r8\n\tadcq\t8(%rdi),%r9\n\tadcq\t16(%rdi),%r10\n\tadcq\t24(%rdi),%r11\n\tadcq\t32(%rdi),%r12\n\tadcq\t40(%rdi),%r13\n\tadcq\t48(%rdi),%r14\n\tadcq\t56(%rdi),%r15\n\tsbbq\t%rsi,%rsi\n\n\tmovq\t48+56+8(%rsp),%rbx\n\tmovl\t$8,%ecx\n\tmovq\t0(%rbp),%rax\n\tjmp\t.L8x_tail\n\n.align\t32\n.L8x_tail:\n\tmulq\t%rbx\n\taddq\t%rax,%r8\n\tmovq\t8(%rbp),%rax\n\tmovq\t%r8,(%rdi)\n\tmovq\t%rdx,%r8\n\tadcq\t$0,%r8\n\n\tmulq\t%rbx\n\taddq\t%rax,%r9\n\tmovq\t16(%rbp),%rax\n\tadcq\t$0,%rdx\n\taddq\t%r9,%r8\n\tleaq\t8(%rdi),%rdi\n\tmovq\t%rdx,%r9\n\tadcq\t$0,%r9\n\n\tmulq\t%rbx\n\taddq\t%rax,%r10\n\tmovq\t24(%rbp),%rax\n\tadcq\t$0,%rdx\n\taddq\t%r10,%r9\n\tmovq\t%rdx,%r10\n\tadcq\t$0,%r10\n\n\tmulq\t%rbx\n\taddq\t%rax,%r11\n\tmovq\t32(%rbp),%rax\n\tadcq\t$0,%rdx\n\taddq\t%r11,%r10\n\tmovq\t%rdx,%r11\n\tadcq\t$0,%r11\n\n\tmulq\t%rbx\n\taddq\t%rax,%r12\n\tmovq\t40(%rbp),%rax\n\tadcq\t$0,%rdx\n\taddq\t%r12,%r11\n\tmovq\t%rdx,%r12\n\tadcq\t$0,%r12\n\n\tmulq\t%rbx\n\taddq\t%rax,%r13\n\tmovq\t48(%rbp),%rax\n\tadcq\t$0,%rdx\n\taddq\t%r13,%r12\n\tmovq\t%rdx,%r13\n\tadcq\t$0,%r13\n\n\tmulq\t%rbx\n\taddq\t%rax,%r14\n\tmovq\t56(%rbp),%rax\n\tadcq\t$0,%rdx\n\taddq\t%r14,%r13\n\tmovq\t%rdx,%r14\n\tadcq\t$0,%r14\n\n\tmulq\t%rbx\n\tmovq\t48-16+8(%rsp,%rcx,8),%rbx\n\taddq\t%rax,%r15\n\tadcq\t$0,%rdx\n\taddq\t%r15,%r14\n\tmovq\t0(%rbp),%rax\n\tmovq\t%rdx,%r15\n\tadcq\t$0,%r15\n\n\tdecl\t%ecx\n\tjnz\t.L8x_tail\n\n\tleaq\t64(%rbp),%rbp\n\tmovq\t8+8(%rsp),%rdx\n\tcmpq\t0+8(%rsp),%rbp\n\tjae\t.L8x_tail_done\n\n\tmovq\t48+56+8(%rsp),%rbx\n\tnegq\t%rsi\n\tmovq\t0(%rbp),%rax\n\tadcq\t0(%rdi),%r8\n\tadcq\t8(%rdi),%r9\n\tadcq\t16(%rdi),%r10\n\tadcq\t24(%rdi),%r11\n\tadcq\t32(%rdi),%r12\n\tadcq\t40(%rdi),%r13\n\tadcq\t48(%rdi),%r14\n\tadcq\t56(%rdi),%r15\n\tsbbq\t%rsi,%rsi\n\n\tmovl\t$8,%ecx\n\tjmp\t.L8x_tail\n\n.align\t32\n.L8x_tail_done:\n\txorq\t%rax,%rax\n\taddq\t(%rdx),%r8\n\tadcq\t$0,%r9\n\tadcq\t$0,%r10\n\tadcq\t$0,%r11\n\tadcq\t$0,%r12\n\tadcq\t$0,%r13\n\tadcq\t$0,%r14\n\tadcq\t$0,%r15\n\tadcq\t$0,%rax\n\n\tnegq\t%rsi\n.L8x_no_tail:\n\tadcq\t0(%rdi),%r8\n\tadcq\t8(%rdi),%r9\n\tadcq\t16(%rdi),%r10\n\tadcq\t24(%rdi),%r11\n\tadcq\t32(%rdi),%r12\n\tadcq\t40(%rdi),%r13\n\tadcq\t48(%rdi),%r14\n\tadcq\t56(%rdi),%r15\n\tadcq\t$0,%rax\n\tmovq\t-8(%rbp),%rcx\n\txorq\t%rsi,%rsi\n\n.byte\t102,72,15,126,213\n\n\tmovq\t%r8,0(%rdi)\n\tmovq\t%r9,8(%rdi)\n.byte\t102,73,15,126,217\n\tmovq\t%r10,16(%rdi)\n\tmovq\t%r11,24(%rdi)\n\tmovq\t%r12,32(%rdi)\n\tmovq\t%r13,40(%rdi)\n\tmovq\t%r14,48(%rdi)\n\tmovq\t%r15,56(%rdi)\n\tleaq\t64(%rdi),%rdi\n\n\tcmpq\t%rdx,%rdi\n\tjb\t.L8x_reduction_loop\n\tret\n.cfi_endproc\t\n.size\tbn_sqr8x_internal,.-bn_sqr8x_internal\n.type\t__bn_post4x_internal,@function\n.align\t32\n__bn_post4x_internal:\n.cfi_startproc\t\n\tmovq\t0(%rbp),%r12\n\tleaq\t(%rdi,%r9,1),%rbx\n\tmovq\t%r9,%rcx\n.byte\t102,72,15,126,207\n\tnegq\t%rax\n.byte\t102,72,15,126,206\n\tsarq\t$3+2,%rcx\n\tdecq\t%r12\n\txorq\t%r10,%r10\n\tmovq\t8(%rbp),%r13\n\tmovq\t16(%rbp),%r14\n\tmovq\t24(%rbp),%r15\n\tjmp\t.Lsqr4x_sub_entry\n\n.align\t16\n.Lsqr4x_sub:\n\tmovq\t0(%rbp),%r12\n\tmovq\t8(%rbp),%r13\n\tmovq\t16(%rbp),%r14\n\tmovq\t24(%rbp),%r15\n.Lsqr4x_sub_entry:\n\tleaq\t32(%rbp),%rbp\n\tnotq\t%r12\n\tnotq\t%r13\n\tnotq\t%r14\n\tnotq\t%r15\n\tandq\t%rax,%r12\n\tandq\t%rax,%r13\n\tandq\t%rax,%r14\n\tandq\t%rax,%r15\n\n\tnegq\t%r10\n\tadcq\t0(%rbx),%r12\n\tadcq\t8(%rbx),%r13\n\tadcq\t16(%rbx),%r14\n\tadcq\t24(%rbx),%r15\n\tmovq\t%r12,0(%rdi)\n\tleaq\t32(%rbx),%rbx\n\tmovq\t%r13,8(%rdi)\n\tsbbq\t%r10,%r10\n\tmovq\t%r14,16(%rdi)\n\tmovq\t%r15,24(%rdi)\n\tleaq\t32(%rdi),%rdi\n\n\tincq\t%rcx\n\tjnz\t.Lsqr4x_sub\n\n\tmovq\t%r9,%r10\n\tnegq\t%r9\n\tret\n.cfi_endproc\t\n.size\t__bn_post4x_internal,.-__bn_post4x_internal\n.globl\tbn_mulx4x_mont_gather5\n.hidden bn_mulx4x_mont_gather5\n.type\tbn_mulx4x_mont_gather5,@function\n.align\t32\nbn_mulx4x_mont_gather5:\n.cfi_startproc\t\n_CET_ENDBR\n\tmovq\t%rsp,%rax\n.cfi_def_cfa_register\t%rax\n\tpushq\t%rbx\n.cfi_offset\t%rbx,-16\n\tpushq\t%rbp\n.cfi_offset\t%rbp,-24\n\tpushq\t%r12\n.cfi_offset\t%r12,-32\n\tpushq\t%r13\n.cfi_offset\t%r13,-40\n\tpushq\t%r14\n.cfi_offset\t%r14,-48\n\tpushq\t%r15\n.cfi_offset\t%r15,-56\n.Lmulx4x_prologue:\n\n\n\n\n\tshll\t$3,%r9d\n\tleaq\t(%r9,%r9,2),%r10\n\tnegq\t%r9\n\tmovq\t(%r8),%r8\n\n\n\n\n\n\n\n\n\n\n\tleaq\t-320(%rsp,%r9,2),%r11\n\tmovq\t%rsp,%rbp\n\tsubq\t%rdi,%r11\n\tandq\t$4095,%r11\n\tcmpq\t%r11,%r10\n\tjb\t.Lmulx4xsp_alt\n\tsubq\t%r11,%rbp\n\tleaq\t-320(%rbp,%r9,2),%rbp\n\tjmp\t.Lmulx4xsp_done\n\n.Lmulx4xsp_alt:\n\tleaq\t4096-320(,%r9,2),%r10\n\tleaq\t-320(%rbp,%r9,2),%rbp\n\tsubq\t%r10,%r11\n\tmovq\t$0,%r10\n\tcmovcq\t%r10,%r11\n\tsubq\t%r11,%rbp\n.Lmulx4xsp_done:\n\tandq\t$-64,%rbp\n\tmovq\t%rsp,%r11\n\tsubq\t%rbp,%r11\n\tandq\t$-4096,%r11\n\tleaq\t(%r11,%rbp,1),%rsp\n\tmovq\t(%rsp),%r10\n\tcmpq\t%rbp,%rsp\n\tja\t.Lmulx4x_page_walk\n\tjmp\t.Lmulx4x_page_walk_done\n\n.Lmulx4x_page_walk:\n\tleaq\t-4096(%rsp),%rsp\n\tmovq\t(%rsp),%r10\n\tcmpq\t%rbp,%rsp\n\tja\t.Lmulx4x_page_walk\n.Lmulx4x_page_walk_done:\n\n\n\n\n\n\n\n\n\n\n\n\n\n\tmovq\t%r8,32(%rsp)\n\tmovq\t%rax,40(%rsp)\n.cfi_escape\t0x0f,0x05,0x77,0x28,0x06,0x23,0x08\n.Lmulx4x_body:\n\tcall\tmulx4x_internal\n\n\tmovq\t40(%rsp),%rsi\n.cfi_def_cfa\t%rsi,8\n\tmovq\t$1,%rax\n\n\tmovq\t-48(%rsi),%r15\n.cfi_restore\t%r15\n\tmovq\t-40(%rsi),%r14\n.cfi_restore\t%r14\n\tmovq\t-32(%rsi),%r13\n.cfi_restore\t%r13\n\tmovq\t-24(%rsi),%r12\n.cfi_restore\t%r12\n\tmovq\t-16(%rsi),%rbp\n.cfi_restore\t%rbp\n\tmovq\t-8(%rsi),%rbx\n.cfi_restore\t%rbx\n\tleaq\t(%rsi),%rsp\n.cfi_def_cfa_register\t%rsp\n.Lmulx4x_epilogue:\n\tret\n.cfi_endproc\t\n.size\tbn_mulx4x_mont_gather5,.-bn_mulx4x_mont_gather5\n\n.type\tmulx4x_internal,@function\n.align\t32\nmulx4x_internal:\n.cfi_startproc\t\n\tmovq\t%r9,8(%rsp)\n\tmovq\t%r9,%r10\n\tnegq\t%r9\n\tshlq\t$5,%r9\n\tnegq\t%r10\n\tleaq\t128(%rdx,%r9,1),%r13\n\tshrq\t$5+5,%r9\n\tmovd\t8(%rax),%xmm5\n\tsubq\t$1,%r9\n\tleaq\t.Linc(%rip),%rax\n\tmovq\t%r13,16+8(%rsp)\n\tmovq\t%r9,24+8(%rsp)\n\tmovq\t%rdi,56+8(%rsp)\n\tmovdqa\t0(%rax),%xmm0\n\tmovdqa\t16(%rax),%xmm1\n\tleaq\t88-112(%rsp,%r10,1),%r10\n\tleaq\t128(%rdx),%rdi\n\n\tpshufd\t$0,%xmm5,%xmm5\n\tmovdqa\t%xmm1,%xmm4\n.byte\t0x67\n\tmovdqa\t%xmm1,%xmm2\n.byte\t0x67\n\tpaddd\t%xmm0,%xmm1\n\tpcmpeqd\t%xmm5,%xmm0\n\tmovdqa\t%xmm4,%xmm3\n\tpaddd\t%xmm1,%xmm2\n\tpcmpeqd\t%xmm5,%xmm1\n\tmovdqa\t%xmm0,112(%r10)\n\tmovdqa\t%xmm4,%xmm0\n\n\tpaddd\t%xmm2,%xmm3\n\tpcmpeqd\t%xmm5,%xmm2\n\tmovdqa\t%xmm1,128(%r10)\n\tmovdqa\t%xmm4,%xmm1\n\n\tpaddd\t%xmm3,%xmm0\n\tpcmpeqd\t%xmm5,%xmm3\n\tmovdqa\t%xmm2,144(%r10)\n\tmovdqa\t%xmm4,%xmm2\n\n\tpaddd\t%xmm0,%xmm1\n\tpcmpeqd\t%xmm5,%xmm0\n\tmovdqa\t%xmm3,160(%r10)\n\tmovdqa\t%xmm4,%xmm3\n\tpaddd\t%xmm1,%xmm2\n\tpcmpeqd\t%xmm5,%xmm1\n\tmovdqa\t%xmm0,176(%r10)\n\tmovdqa\t%xmm4,%xmm0\n\n\tpaddd\t%xmm2,%xmm3\n\tpcmpeqd\t%xmm5,%xmm2\n\tmovdqa\t%xmm1,192(%r10)\n\tmovdqa\t%xmm4,%xmm1\n\n\tpaddd\t%xmm3,%xmm0\n\tpcmpeqd\t%xmm5,%xmm3\n\tmovdqa\t%xmm2,208(%r10)\n\tmovdqa\t%xmm4,%xmm2\n\n\tpaddd\t%xmm0,%xmm1\n\tpcmpeqd\t%xmm5,%xmm0\n\tmovdqa\t%xmm3,224(%r10)\n\tmovdqa\t%xmm4,%xmm3\n\tpaddd\t%xmm1,%xmm2\n\tpcmpeqd\t%xmm5,%xmm1\n\tmovdqa\t%xmm0,240(%r10)\n\tmovdqa\t%xmm4,%xmm0\n\n\tpaddd\t%xmm2,%xmm3\n\tpcmpeqd\t%xmm5,%xmm2\n\tmovdqa\t%xmm1,256(%r10)\n\tmovdqa\t%xmm4,%xmm1\n\n\tpaddd\t%xmm3,%xmm0\n\tpcmpeqd\t%xmm5,%xmm3\n\tmovdqa\t%xmm2,272(%r10)\n\tmovdqa\t%xmm4,%xmm2\n\n\tpaddd\t%xmm0,%xmm1\n\tpcmpeqd\t%xmm5,%xmm0\n\tmovdqa\t%xmm3,288(%r10)\n\tmovdqa\t%xmm4,%xmm3\n.byte\t0x67\n\tpaddd\t%xmm1,%xmm2\n\tpcmpeqd\t%xmm5,%xmm1\n\tmovdqa\t%xmm0,304(%r10)\n\n\tpaddd\t%xmm2,%xmm3\n\tpcmpeqd\t%xmm5,%xmm2\n\tmovdqa\t%xmm1,320(%r10)\n\n\tpcmpeqd\t%xmm5,%xmm3\n\tmovdqa\t%xmm2,336(%r10)\n\n\tpand\t64(%rdi),%xmm0\n\tpand\t80(%rdi),%xmm1\n\tpand\t96(%rdi),%xmm2\n\tmovdqa\t%xmm3,352(%r10)\n\tpand\t112(%rdi),%xmm3\n\tpor\t%xmm2,%xmm0\n\tpor\t%xmm3,%xmm1\n\tmovdqa\t-128(%rdi),%xmm4\n\tmovdqa\t-112(%rdi),%xmm5\n\tmovdqa\t-96(%rdi),%xmm2\n\tpand\t112(%r10),%xmm4\n\tmovdqa\t-80(%rdi),%xmm3\n\tpand\t128(%r10),%xmm5\n\tpor\t%xmm4,%xmm0\n\tpand\t144(%r10),%xmm2\n\tpor\t%xmm5,%xmm1\n\tpand\t160(%r10),%xmm3\n\tpor\t%xmm2,%xmm0\n\tpor\t%xmm3,%xmm1\n\tmovdqa\t-64(%rdi),%xmm4\n\tmovdqa\t-48(%rdi),%xmm5\n\tmovdqa\t-32(%rdi),%xmm2\n\tpand\t176(%r10),%xmm4\n\tmovdqa\t-16(%rdi),%xmm3\n\tpand\t192(%r10),%xmm5\n\tpor\t%xmm4,%xmm0\n\tpand\t208(%r10),%xmm2\n\tpor\t%xmm5,%xmm1\n\tpand\t224(%r10),%xmm3\n\tpor\t%xmm2,%xmm0\n\tpor\t%xmm3,%xmm1\n\tmovdqa\t0(%rdi),%xmm4\n\tmovdqa\t16(%rdi),%xmm5\n\tmovdqa\t32(%rdi),%xmm2\n\tpand\t240(%r10),%xmm4\n\tmovdqa\t48(%rdi),%xmm3\n\tpand\t256(%r10),%xmm5\n\tpor\t%xmm4,%xmm0\n\tpand\t272(%r10),%xmm2\n\tpor\t%xmm5,%xmm1\n\tpand\t288(%r10),%xmm3\n\tpor\t%xmm2,%xmm0\n\tpor\t%xmm3,%xmm1\n\tpxor\t%xmm1,%xmm0\n\n\tpshufd\t$0x4e,%xmm0,%xmm1\n\tpor\t%xmm1,%xmm0\n\tleaq\t256(%rdi),%rdi\n.byte\t102,72,15,126,194\n\tleaq\t64+32+8(%rsp),%rbx\n\n\tmovq\t%rdx,%r9\n\tmulxq\t0(%rsi),%r8,%rax\n\tmulxq\t8(%rsi),%r11,%r12\n\taddq\t%rax,%r11\n\tmulxq\t16(%rsi),%rax,%r13\n\tadcq\t%rax,%r12\n\tadcq\t$0,%r13\n\tmulxq\t24(%rsi),%rax,%r14\n\n\tmovq\t%r8,%r15\n\timulq\t32+8(%rsp),%r8\n\txorq\t%rbp,%rbp\n\tmovq\t%r8,%rdx\n\n\tmovq\t%rdi,8+8(%rsp)\n\n\tleaq\t32(%rsi),%rsi\n\tadcxq\t%rax,%r13\n\tadcxq\t%rbp,%r14\n\n\tmulxq\t0(%rcx),%rax,%r10\n\tadcxq\t%rax,%r15\n\tadoxq\t%r11,%r10\n\tmulxq\t8(%rcx),%rax,%r11\n\tadcxq\t%rax,%r10\n\tadoxq\t%r12,%r11\n\tmulxq\t16(%rcx),%rax,%r12\n\tmovq\t24+8(%rsp),%rdi\n\tmovq\t%r10,-32(%rbx)\n\tadcxq\t%rax,%r11\n\tadoxq\t%r13,%r12\n\tmulxq\t24(%rcx),%rax,%r15\n\tmovq\t%r9,%rdx\n\tmovq\t%r11,-24(%rbx)\n\tadcxq\t%rax,%r12\n\tadoxq\t%rbp,%r15\n\tleaq\t32(%rcx),%rcx\n\tmovq\t%r12,-16(%rbx)\n\tjmp\t.Lmulx4x_1st\n\n.align\t32\n.Lmulx4x_1st:\n\tadcxq\t%rbp,%r15\n\tmulxq\t0(%rsi),%r10,%rax\n\tadcxq\t%r14,%r10\n\tmulxq\t8(%rsi),%r11,%r14\n\tadcxq\t%rax,%r11\n\tmulxq\t16(%rsi),%r12,%rax\n\tadcxq\t%r14,%r12\n\tmulxq\t24(%rsi),%r13,%r14\n.byte\t0x67,0x67\n\tmovq\t%r8,%rdx\n\tadcxq\t%rax,%r13\n\tadcxq\t%rbp,%r14\n\tleaq\t32(%rsi),%rsi\n\tleaq\t32(%rbx),%rbx\n\n\tadoxq\t%r15,%r10\n\tmulxq\t0(%rcx),%rax,%r15\n\tadcxq\t%rax,%r10\n\tadoxq\t%r15,%r11\n\tmulxq\t8(%rcx),%rax,%r15\n\tadcxq\t%rax,%r11\n\tadoxq\t%r15,%r12\n\tmulxq\t16(%rcx),%rax,%r15\n\tmovq\t%r10,-40(%rbx)\n\tadcxq\t%rax,%r12\n\tmovq\t%r11,-32(%rbx)\n\tadoxq\t%r15,%r13\n\tmulxq\t24(%rcx),%rax,%r15\n\tmovq\t%r9,%rdx\n\tmovq\t%r12,-24(%rbx)\n\tadcxq\t%rax,%r13\n\tadoxq\t%rbp,%r15\n\tleaq\t32(%rcx),%rcx\n\tmovq\t%r13,-16(%rbx)\n\n\tdecq\t%rdi\n\tjnz\t.Lmulx4x_1st\n\n\tmovq\t8(%rsp),%rax\n\tadcq\t%rbp,%r15\n\tleaq\t(%rsi,%rax,1),%rsi\n\taddq\t%r15,%r14\n\tmovq\t8+8(%rsp),%rdi\n\tadcq\t%rbp,%rbp\n\tmovq\t%r14,-8(%rbx)\n\tjmp\t.Lmulx4x_outer\n\n.align\t32\n.Lmulx4x_outer:\n\tleaq\t16-256(%rbx),%r10\n\tpxor\t%xmm4,%xmm4\n.byte\t0x67,0x67\n\tpxor\t%xmm5,%xmm5\n\tmovdqa\t-128(%rdi),%xmm0\n\tmovdqa\t-112(%rdi),%xmm1\n\tmovdqa\t-96(%rdi),%xmm2\n\tpand\t256(%r10),%xmm0\n\tmovdqa\t-80(%rdi),%xmm3\n\tpand\t272(%r10),%xmm1\n\tpor\t%xmm0,%xmm4\n\tpand\t288(%r10),%xmm2\n\tpor\t%xmm1,%xmm5\n\tpand\t304(%r10),%xmm3\n\tpor\t%xmm2,%xmm4\n\tpor\t%xmm3,%xmm5\n\tmovdqa\t-64(%rdi),%xmm0\n\tmovdqa\t-48(%rdi),%xmm1\n\tmovdqa\t-32(%rdi),%xmm2\n\tpand\t320(%r10),%xmm0\n\tmovdqa\t-16(%rdi),%xmm3\n\tpand\t336(%r10),%xmm1\n\tpor\t%xmm0,%xmm4\n\tpand\t352(%r10),%xmm2\n\tpor\t%xmm1,%xmm5\n\tpand\t368(%r10),%xmm3\n\tpor\t%xmm2,%xmm4\n\tpor\t%xmm3,%xmm5\n\tmovdqa\t0(%rdi),%xmm0\n\tmovdqa\t16(%rdi),%xmm1\n\tmovdqa\t32(%rdi),%xmm2\n\tpand\t384(%r10),%xmm0\n\tmovdqa\t48(%rdi),%xmm3\n\tpand\t400(%r10),%xmm1\n\tpor\t%xmm0,%xmm4\n\tpand\t416(%r10),%xmm2\n\tpor\t%xmm1,%xmm5\n\tpand\t432(%r10),%xmm3\n\tpor\t%xmm2,%xmm4\n\tpor\t%xmm3,%xmm5\n\tmovdqa\t64(%rdi),%xmm0\n\tmovdqa\t80(%rdi),%xmm1\n\tmovdqa\t96(%rdi),%xmm2\n\tpand\t448(%r10),%xmm0\n\tmovdqa\t112(%rdi),%xmm3\n\tpand\t464(%r10),%xmm1\n\tpor\t%xmm0,%xmm4\n\tpand\t480(%r10),%xmm2\n\tpor\t%xmm1,%xmm5\n\tpand\t496(%r10),%xmm3\n\tpor\t%xmm2,%xmm4\n\tpor\t%xmm3,%xmm5\n\tpor\t%xmm5,%xmm4\n\n\tpshufd\t$0x4e,%xmm4,%xmm0\n\tpor\t%xmm4,%xmm0\n\tleaq\t256(%rdi),%rdi\n.byte\t102,72,15,126,194\n\n\tmovq\t%rbp,(%rbx)\n\tleaq\t32(%rbx,%rax,1),%rbx\n\tmulxq\t0(%rsi),%r8,%r11\n\txorq\t%rbp,%rbp\n\tmovq\t%rdx,%r9\n\tmulxq\t8(%rsi),%r14,%r12\n\tadoxq\t-32(%rbx),%r8\n\tadcxq\t%r14,%r11\n\tmulxq\t16(%rsi),%r15,%r13\n\tadoxq\t-24(%rbx),%r11\n\tadcxq\t%r15,%r12\n\tmulxq\t24(%rsi),%rdx,%r14\n\tadoxq\t-16(%rbx),%r12\n\tadcxq\t%rdx,%r13\n\tleaq\t(%rcx,%rax,1),%rcx\n\tleaq\t32(%rsi),%rsi\n\tadoxq\t-8(%rbx),%r13\n\tadcxq\t%rbp,%r14\n\tadoxq\t%rbp,%r14\n\n\tmovq\t%r8,%r15\n\timulq\t32+8(%rsp),%r8\n\n\tmovq\t%r8,%rdx\n\txorq\t%rbp,%rbp\n\tmovq\t%rdi,8+8(%rsp)\n\n\tmulxq\t0(%rcx),%rax,%r10\n\tadcxq\t%rax,%r15\n\tadoxq\t%r11,%r10\n\tmulxq\t8(%rcx),%rax,%r11\n\tadcxq\t%rax,%r10\n\tadoxq\t%r12,%r11\n\tmulxq\t16(%rcx),%rax,%r12\n\tadcxq\t%rax,%r11\n\tadoxq\t%r13,%r12\n\tmulxq\t24(%rcx),%rax,%r15\n\tmovq\t%r9,%rdx\n\tmovq\t24+8(%rsp),%rdi\n\tmovq\t%r10,-32(%rbx)\n\tadcxq\t%rax,%r12\n\tmovq\t%r11,-24(%rbx)\n\tadoxq\t%rbp,%r15\n\tmovq\t%r12,-16(%rbx)\n\tleaq\t32(%rcx),%rcx\n\tjmp\t.Lmulx4x_inner\n\n.align\t32\n.Lmulx4x_inner:\n\tmulxq\t0(%rsi),%r10,%rax\n\tadcxq\t%rbp,%r15\n\tadoxq\t%r14,%r10\n\tmulxq\t8(%rsi),%r11,%r14\n\tadcxq\t0(%rbx),%r10\n\tadoxq\t%rax,%r11\n\tmulxq\t16(%rsi),%r12,%rax\n\tadcxq\t8(%rbx),%r11\n\tadoxq\t%r14,%r12\n\tmulxq\t24(%rsi),%r13,%r14\n\tmovq\t%r8,%rdx\n\tadcxq\t16(%rbx),%r12\n\tadoxq\t%rax,%r13\n\tadcxq\t24(%rbx),%r13\n\tadoxq\t%rbp,%r14\n\tleaq\t32(%rsi),%rsi\n\tleaq\t32(%rbx),%rbx\n\tadcxq\t%rbp,%r14\n\n\tadoxq\t%r15,%r10\n\tmulxq\t0(%rcx),%rax,%r15\n\tadcxq\t%rax,%r10\n\tadoxq\t%r15,%r11\n\tmulxq\t8(%rcx),%rax,%r15\n\tadcxq\t%rax,%r11\n\tadoxq\t%r15,%r12\n\tmulxq\t16(%rcx),%rax,%r15\n\tmovq\t%r10,-40(%rbx)\n\tadcxq\t%rax,%r12\n\tadoxq\t%r15,%r13\n\tmovq\t%r11,-32(%rbx)\n\tmulxq\t24(%rcx),%rax,%r15\n\tmovq\t%r9,%rdx\n\tleaq\t32(%rcx),%rcx\n\tmovq\t%r12,-24(%rbx)\n\tadcxq\t%rax,%r13\n\tadoxq\t%rbp,%r15\n\tmovq\t%r13,-16(%rbx)\n\n\tdecq\t%rdi\n\tjnz\t.Lmulx4x_inner\n\n\tmovq\t0+8(%rsp),%rax\n\tadcq\t%rbp,%r15\n\tsubq\t0(%rbx),%rdi\n\tmovq\t8+8(%rsp),%rdi\n\tmovq\t16+8(%rsp),%r10\n\tadcq\t%r15,%r14\n\tleaq\t(%rsi,%rax,1),%rsi\n\tadcq\t%rbp,%rbp\n\tmovq\t%r14,-8(%rbx)\n\n\tcmpq\t%r10,%rdi\n\tjb\t.Lmulx4x_outer\n\n\tmovq\t-8(%rcx),%r10\n\tmovq\t%rbp,%r8\n\tmovq\t(%rcx,%rax,1),%r12\n\tleaq\t(%rcx,%rax,1),%rbp\n\tmovq\t%rax,%rcx\n\tleaq\t(%rbx,%rax,1),%rdi\n\txorl\t%eax,%eax\n\txorq\t%r15,%r15\n\tsubq\t%r14,%r10\n\tadcq\t%r15,%r15\n\torq\t%r15,%r8\n\tsarq\t$3+2,%rcx\n\tsubq\t%r8,%rax\n\tmovq\t56+8(%rsp),%rdx\n\tdecq\t%r12\n\tmovq\t8(%rbp),%r13\n\txorq\t%r8,%r8\n\tmovq\t16(%rbp),%r14\n\tmovq\t24(%rbp),%r15\n\tjmp\t.Lsqrx4x_sub_entry\n.cfi_endproc\t\n.size\tmulx4x_internal,.-mulx4x_internal\n.globl\tbn_powerx5\n.hidden bn_powerx5\n.type\tbn_powerx5,@function\n.align\t32\nbn_powerx5:\n.cfi_startproc\t\n_CET_ENDBR\n\tmovq\t%rsp,%rax\n.cfi_def_cfa_register\t%rax\n\tpushq\t%rbx\n.cfi_offset\t%rbx,-16\n\tpushq\t%rbp\n.cfi_offset\t%rbp,-24\n\tpushq\t%r12\n.cfi_offset\t%r12,-32\n\tpushq\t%r13\n.cfi_offset\t%r13,-40\n\tpushq\t%r14\n.cfi_offset\t%r14,-48\n\tpushq\t%r15\n.cfi_offset\t%r15,-56\n.Lpowerx5_prologue:\n\n\n\n\n\tshll\t$3,%r9d\n\tleaq\t(%r9,%r9,2),%r10\n\tnegq\t%r9\n\tmovq\t(%r8),%r8\n\n\n\n\n\n\n\n\n\tleaq\t-320(%rsp,%r9,2),%r11\n\tmovq\t%rsp,%rbp\n\tsubq\t%rdi,%r11\n\tandq\t$4095,%r11\n\tcmpq\t%r11,%r10\n\tjb\t.Lpwrx_sp_alt\n\tsubq\t%r11,%rbp\n\tleaq\t-320(%rbp,%r9,2),%rbp\n\tjmp\t.Lpwrx_sp_done\n\n.align\t32\n.Lpwrx_sp_alt:\n\tleaq\t4096-320(,%r9,2),%r10\n\tleaq\t-320(%rbp,%r9,2),%rbp\n\tsubq\t%r10,%r11\n\tmovq\t$0,%r10\n\tcmovcq\t%r10,%r11\n\tsubq\t%r11,%rbp\n.Lpwrx_sp_done:\n\tandq\t$-64,%rbp\n\tmovq\t%rsp,%r11\n\tsubq\t%rbp,%r11\n\tandq\t$-4096,%r11\n\tleaq\t(%r11,%rbp,1),%rsp\n\tmovq\t(%rsp),%r10\n\tcmpq\t%rbp,%rsp\n\tja\t.Lpwrx_page_walk\n\tjmp\t.Lpwrx_page_walk_done\n\n.Lpwrx_page_walk:\n\tleaq\t-4096(%rsp),%rsp\n\tmovq\t(%rsp),%r10\n\tcmpq\t%rbp,%rsp\n\tja\t.Lpwrx_page_walk\n.Lpwrx_page_walk_done:\n\n\tmovq\t%r9,%r10\n\tnegq\t%r9\n\n\n\n\n\n\n\n\n\n\n\n\n\tpxor\t%xmm0,%xmm0\n.byte\t102,72,15,110,207\n.byte\t102,72,15,110,209\n.byte\t102,73,15,110,218\n.byte\t102,72,15,110,226\n\tmovq\t%r8,32(%rsp)\n\tmovq\t%rax,40(%rsp)\n.cfi_escape\t0x0f,0x05,0x77,0x28,0x06,0x23,0x08\n.Lpowerx5_body:\n\n\tcall\t__bn_sqrx8x_internal\n\tcall\t__bn_postx4x_internal\n\tcall\t__bn_sqrx8x_internal\n\tcall\t__bn_postx4x_internal\n\tcall\t__bn_sqrx8x_internal\n\tcall\t__bn_postx4x_internal\n\tcall\t__bn_sqrx8x_internal\n\tcall\t__bn_postx4x_internal\n\tcall\t__bn_sqrx8x_internal\n\tcall\t__bn_postx4x_internal\n\n\tmovq\t%r10,%r9\n\tmovq\t%rsi,%rdi\n.byte\t102,72,15,126,209\n.byte\t102,72,15,126,226\n\tmovq\t40(%rsp),%rax\n\n\tcall\tmulx4x_internal\n\n\tmovq\t40(%rsp),%rsi\n.cfi_def_cfa\t%rsi,8\n\tmovq\t$1,%rax\n\n\tmovq\t-48(%rsi),%r15\n.cfi_restore\t%r15\n\tmovq\t-40(%rsi),%r14\n.cfi_restore\t%r14\n\tmovq\t-32(%rsi),%r13\n.cfi_restore\t%r13\n\tmovq\t-24(%rsi),%r12\n.cfi_restore\t%r12\n\tmovq\t-16(%rsi),%rbp\n.cfi_restore\t%rbp\n\tmovq\t-8(%rsi),%rbx\n.cfi_restore\t%rbx\n\tleaq\t(%rsi),%rsp\n.cfi_def_cfa_register\t%rsp\n.Lpowerx5_epilogue:\n\tret\n.cfi_endproc\t\n.size\tbn_powerx5,.-bn_powerx5\n\n.globl\tbn_sqrx8x_internal\n.hidden bn_sqrx8x_internal\n.hidden\tbn_sqrx8x_internal\n.type\tbn_sqrx8x_internal,@function\n.align\t32\nbn_sqrx8x_internal:\n__bn_sqrx8x_internal:\n.cfi_startproc\t\n_CET_ENDBR\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\tleaq\t48+8(%rsp),%rdi\n\tleaq\t(%rsi,%r9,1),%rbp\n\tmovq\t%r9,0+8(%rsp)\n\tmovq\t%rbp,8+8(%rsp)\n\tjmp\t.Lsqr8x_zero_start\n\n.align\t32\n.byte\t0x66,0x66,0x66,0x2e,0x0f,0x1f,0x84,0x00,0x00,0x00,0x00,0x00\n.Lsqrx8x_zero:\n.byte\t0x3e\n\tmovdqa\t%xmm0,0(%rdi)\n\tmovdqa\t%xmm0,16(%rdi)\n\tmovdqa\t%xmm0,32(%rdi)\n\tmovdqa\t%xmm0,48(%rdi)\n.Lsqr8x_zero_start:\n\tmovdqa\t%xmm0,64(%rdi)\n\tmovdqa\t%xmm0,80(%rdi)\n\tmovdqa\t%xmm0,96(%rdi)\n\tmovdqa\t%xmm0,112(%rdi)\n\tleaq\t128(%rdi),%rdi\n\tsubq\t$64,%r9\n\tjnz\t.Lsqrx8x_zero\n\n\tmovq\t0(%rsi),%rdx\n\n\txorq\t%r10,%r10\n\txorq\t%r11,%r11\n\txorq\t%r12,%r12\n\txorq\t%r13,%r13\n\txorq\t%r14,%r14\n\txorq\t%r15,%r15\n\tleaq\t48+8(%rsp),%rdi\n\txorq\t%rbp,%rbp\n\tjmp\t.Lsqrx8x_outer_loop\n\n.align\t32\n.Lsqrx8x_outer_loop:\n\tmulxq\t8(%rsi),%r8,%rax\n\tadcxq\t%r9,%r8\n\tadoxq\t%rax,%r10\n\tmulxq\t16(%rsi),%r9,%rax\n\tadcxq\t%r10,%r9\n\tadoxq\t%rax,%r11\n.byte\t0xc4,0xe2,0xab,0xf6,0x86,0x18,0x00,0x00,0x00\n\tadcxq\t%r11,%r10\n\tadoxq\t%rax,%r12\n.byte\t0xc4,0xe2,0xa3,0xf6,0x86,0x20,0x00,0x00,0x00\n\tadcxq\t%r12,%r11\n\tadoxq\t%rax,%r13\n\tmulxq\t40(%rsi),%r12,%rax\n\tadcxq\t%r13,%r12\n\tadoxq\t%rax,%r14\n\tmulxq\t48(%rsi),%r13,%rax\n\tadcxq\t%r14,%r13\n\tadoxq\t%r15,%rax\n\tmulxq\t56(%rsi),%r14,%r15\n\tmovq\t8(%rsi),%rdx\n\tadcxq\t%rax,%r14\n\tadoxq\t%rbp,%r15\n\tadcq\t64(%rdi),%r15\n\tmovq\t%r8,8(%rdi)\n\tmovq\t%r9,16(%rdi)\n\tsbbq\t%rcx,%rcx\n\txorq\t%rbp,%rbp\n\n\n\tmulxq\t16(%rsi),%r8,%rbx\n\tmulxq\t24(%rsi),%r9,%rax\n\tadcxq\t%r10,%r8\n\tadoxq\t%rbx,%r9\n\tmulxq\t32(%rsi),%r10,%rbx\n\tadcxq\t%r11,%r9\n\tadoxq\t%rax,%r10\n.byte\t0xc4,0xe2,0xa3,0xf6,0x86,0x28,0x00,0x00,0x00\n\tadcxq\t%r12,%r10\n\tadoxq\t%rbx,%r11\n.byte\t0xc4,0xe2,0x9b,0xf6,0x9e,0x30,0x00,0x00,0x00\n\tadcxq\t%r13,%r11\n\tadoxq\t%r14,%r12\n.byte\t0xc4,0x62,0x93,0xf6,0xb6,0x38,0x00,0x00,0x00\n\tmovq\t16(%rsi),%rdx\n\tadcxq\t%rax,%r12\n\tadoxq\t%rbx,%r13\n\tadcxq\t%r15,%r13\n\tadoxq\t%rbp,%r14\n\tadcxq\t%rbp,%r14\n\n\tmovq\t%r8,24(%rdi)\n\tmovq\t%r9,32(%rdi)\n\n\tmulxq\t24(%rsi),%r8,%rbx\n\tmulxq\t32(%rsi),%r9,%rax\n\tadcxq\t%r10,%r8\n\tadoxq\t%rbx,%r9\n\tmulxq\t40(%rsi),%r10,%rbx\n\tadcxq\t%r11,%r9\n\tadoxq\t%rax,%r10\n.byte\t0xc4,0xe2,0xa3,0xf6,0x86,0x30,0x00,0x00,0x00\n\tadcxq\t%r12,%r10\n\tadoxq\t%r13,%r11\n.byte\t0xc4,0x62,0x9b,0xf6,0xae,0x38,0x00,0x00,0x00\n.byte\t0x3e\n\tmovq\t24(%rsi),%rdx\n\tadcxq\t%rbx,%r11\n\tadoxq\t%rax,%r12\n\tadcxq\t%r14,%r12\n\tmovq\t%r8,40(%rdi)\n\tmovq\t%r9,48(%rdi)\n\tmulxq\t32(%rsi),%r8,%rax\n\tadoxq\t%rbp,%r13\n\tadcxq\t%rbp,%r13\n\n\tmulxq\t40(%rsi),%r9,%rbx\n\tadcxq\t%r10,%r8\n\tadoxq\t%rax,%r9\n\tmulxq\t48(%rsi),%r10,%rax\n\tadcxq\t%r11,%r9\n\tadoxq\t%r12,%r10\n\tmulxq\t56(%rsi),%r11,%r12\n\tmovq\t32(%rsi),%rdx\n\tmovq\t40(%rsi),%r14\n\tadcxq\t%rbx,%r10\n\tadoxq\t%rax,%r11\n\tmovq\t48(%rsi),%r15\n\tadcxq\t%r13,%r11\n\tadoxq\t%rbp,%r12\n\tadcxq\t%rbp,%r12\n\n\tmovq\t%r8,56(%rdi)\n\tmovq\t%r9,64(%rdi)\n\n\tmulxq\t%r14,%r9,%rax\n\tmovq\t56(%rsi),%r8\n\tadcxq\t%r10,%r9\n\tmulxq\t%r15,%r10,%rbx\n\tadoxq\t%rax,%r10\n\tadcxq\t%r11,%r10\n\tmulxq\t%r8,%r11,%rax\n\tmovq\t%r14,%rdx\n\tadoxq\t%rbx,%r11\n\tadcxq\t%r12,%r11\n\n\tadcxq\t%rbp,%rax\n\n\tmulxq\t%r15,%r14,%rbx\n\tmulxq\t%r8,%r12,%r13\n\tmovq\t%r15,%rdx\n\tleaq\t64(%rsi),%rsi\n\tadcxq\t%r14,%r11\n\tadoxq\t%rbx,%r12\n\tadcxq\t%rax,%r12\n\tadoxq\t%rbp,%r13\n\n.byte\t0x67,0x67\n\tmulxq\t%r8,%r8,%r14\n\tadcxq\t%r8,%r13\n\tadcxq\t%rbp,%r14\n\n\tcmpq\t8+8(%rsp),%rsi\n\tje\t.Lsqrx8x_outer_break\n\n\tnegq\t%rcx\n\tmovq\t$-8,%rcx\n\tmovq\t%rbp,%r15\n\tmovq\t64(%rdi),%r8\n\tadcxq\t72(%rdi),%r9\n\tadcxq\t80(%rdi),%r10\n\tadcxq\t88(%rdi),%r11\n\tadcq\t96(%rdi),%r12\n\tadcq\t104(%rdi),%r13\n\tadcq\t112(%rdi),%r14\n\tadcq\t120(%rdi),%r15\n\tleaq\t(%rsi),%rbp\n\tleaq\t128(%rdi),%rdi\n\tsbbq\t%rax,%rax\n\n\tmovq\t-64(%rsi),%rdx\n\tmovq\t%rax,16+8(%rsp)\n\tmovq\t%rdi,24+8(%rsp)\n\n\n\txorl\t%eax,%eax\n\tjmp\t.Lsqrx8x_loop\n\n.align\t32\n.Lsqrx8x_loop:\n\tmovq\t%r8,%rbx\n\tmulxq\t0(%rbp),%rax,%r8\n\tadcxq\t%rax,%rbx\n\tadoxq\t%r9,%r8\n\n\tmulxq\t8(%rbp),%rax,%r9\n\tadcxq\t%rax,%r8\n\tadoxq\t%r10,%r9\n\n\tmulxq\t16(%rbp),%rax,%r10\n\tadcxq\t%rax,%r9\n\tadoxq\t%r11,%r10\n\n\tmulxq\t24(%rbp),%rax,%r11\n\tadcxq\t%rax,%r10\n\tadoxq\t%r12,%r11\n\n.byte\t0xc4,0x62,0xfb,0xf6,0xa5,0x20,0x00,0x00,0x00\n\tadcxq\t%rax,%r11\n\tadoxq\t%r13,%r12\n\n\tmulxq\t40(%rbp),%rax,%r13\n\tadcxq\t%rax,%r12\n\tadoxq\t%r14,%r13\n\n\tmulxq\t48(%rbp),%rax,%r14\n\tmovq\t%rbx,(%rdi,%rcx,8)\n\tmovl\t$0,%ebx\n\tadcxq\t%rax,%r13\n\tadoxq\t%r15,%r14\n\n.byte\t0xc4,0x62,0xfb,0xf6,0xbd,0x38,0x00,0x00,0x00\n\tmovq\t8(%rsi,%rcx,8),%rdx\n\tadcxq\t%rax,%r14\n\tadoxq\t%rbx,%r15\n\tadcxq\t%rbx,%r15\n\n.byte\t0x67\n\tincq\t%rcx\n\tjnz\t.Lsqrx8x_loop\n\n\tleaq\t64(%rbp),%rbp\n\tmovq\t$-8,%rcx\n\tcmpq\t8+8(%rsp),%rbp\n\tje\t.Lsqrx8x_break\n\n\tsubq\t16+8(%rsp),%rbx\n.byte\t0x66\n\tmovq\t-64(%rsi),%rdx\n\tadcxq\t0(%rdi),%r8\n\tadcxq\t8(%rdi),%r9\n\tadcq\t16(%rdi),%r10\n\tadcq\t24(%rdi),%r11\n\tadcq\t32(%rdi),%r12\n\tadcq\t40(%rdi),%r13\n\tadcq\t48(%rdi),%r14\n\tadcq\t56(%rdi),%r15\n\tleaq\t64(%rdi),%rdi\n.byte\t0x67\n\tsbbq\t%rax,%rax\n\txorl\t%ebx,%ebx\n\tmovq\t%rax,16+8(%rsp)\n\tjmp\t.Lsqrx8x_loop\n\n.align\t32\n.Lsqrx8x_break:\n\txorq\t%rbp,%rbp\n\tsubq\t16+8(%rsp),%rbx\n\tadcxq\t%rbp,%r8\n\tmovq\t24+8(%rsp),%rcx\n\tadcxq\t%rbp,%r9\n\tmovq\t0(%rsi),%rdx\n\tadcq\t$0,%r10\n\tmovq\t%r8,0(%rdi)\n\tadcq\t$0,%r11\n\tadcq\t$0,%r12\n\tadcq\t$0,%r13\n\tadcq\t$0,%r14\n\tadcq\t$0,%r15\n\tcmpq\t%rcx,%rdi\n\tje\t.Lsqrx8x_outer_loop\n\n\tmovq\t%r9,8(%rdi)\n\tmovq\t8(%rcx),%r9\n\tmovq\t%r10,16(%rdi)\n\tmovq\t16(%rcx),%r10\n\tmovq\t%r11,24(%rdi)\n\tmovq\t24(%rcx),%r11\n\tmovq\t%r12,32(%rdi)\n\tmovq\t32(%rcx),%r12\n\tmovq\t%r13,40(%rdi)\n\tmovq\t40(%rcx),%r13\n\tmovq\t%r14,48(%rdi)\n\tmovq\t48(%rcx),%r14\n\tmovq\t%r15,56(%rdi)\n\tmovq\t56(%rcx),%r15\n\tmovq\t%rcx,%rdi\n\tjmp\t.Lsqrx8x_outer_loop\n\n.align\t32\n.Lsqrx8x_outer_break:\n\tmovq\t%r9,72(%rdi)\n.byte\t102,72,15,126,217\n\tmovq\t%r10,80(%rdi)\n\tmovq\t%r11,88(%rdi)\n\tmovq\t%r12,96(%rdi)\n\tmovq\t%r13,104(%rdi)\n\tmovq\t%r14,112(%rdi)\n\tleaq\t48+8(%rsp),%rdi\n\tmovq\t(%rsi,%rcx,1),%rdx\n\n\tmovq\t8(%rdi),%r11\n\txorq\t%r10,%r10\n\tmovq\t0+8(%rsp),%r9\n\tadoxq\t%r11,%r11\n\tmovq\t16(%rdi),%r12\n\tmovq\t24(%rdi),%r13\n\n\n.align\t32\n.Lsqrx4x_shift_n_add:\n\tmulxq\t%rdx,%rax,%rbx\n\tadoxq\t%r12,%r12\n\tadcxq\t%r10,%rax\n.byte\t0x48,0x8b,0x94,0x0e,0x08,0x00,0x00,0x00\n.byte\t0x4c,0x8b,0x97,0x20,0x00,0x00,0x00\n\tadoxq\t%r13,%r13\n\tadcxq\t%r11,%rbx\n\tmovq\t40(%rdi),%r11\n\tmovq\t%rax,0(%rdi)\n\tmovq\t%rbx,8(%rdi)\n\n\tmulxq\t%rdx,%rax,%rbx\n\tadoxq\t%r10,%r10\n\tadcxq\t%r12,%rax\n\tmovq\t16(%rsi,%rcx,1),%rdx\n\tmovq\t48(%rdi),%r12\n\tadoxq\t%r11,%r11\n\tadcxq\t%r13,%rbx\n\tmovq\t56(%rdi),%r13\n\tmovq\t%rax,16(%rdi)\n\tmovq\t%rbx,24(%rdi)\n\n\tmulxq\t%rdx,%rax,%rbx\n\tadoxq\t%r12,%r12\n\tadcxq\t%r10,%rax\n\tmovq\t24(%rsi,%rcx,1),%rdx\n\tleaq\t32(%rcx),%rcx\n\tmovq\t64(%rdi),%r10\n\tadoxq\t%r13,%r13\n\tadcxq\t%r11,%rbx\n\tmovq\t72(%rdi),%r11\n\tmovq\t%rax,32(%rdi)\n\tmovq\t%rbx,40(%rdi)\n\n\tmulxq\t%rdx,%rax,%rbx\n\tadoxq\t%r10,%r10\n\tadcxq\t%r12,%rax\n\tjrcxz\t.Lsqrx4x_shift_n_add_break\n.byte\t0x48,0x8b,0x94,0x0e,0x00,0x00,0x00,0x00\n\tadoxq\t%r11,%r11\n\tadcxq\t%r13,%rbx\n\tmovq\t80(%rdi),%r12\n\tmovq\t88(%rdi),%r13\n\tmovq\t%rax,48(%rdi)\n\tmovq\t%rbx,56(%rdi)\n\tleaq\t64(%rdi),%rdi\n\tnop\n\tjmp\t.Lsqrx4x_shift_n_add\n\n.align\t32\n.Lsqrx4x_shift_n_add_break:\n\tadcxq\t%r13,%rbx\n\tmovq\t%rax,48(%rdi)\n\tmovq\t%rbx,56(%rdi)\n\tleaq\t64(%rdi),%rdi\n.byte\t102,72,15,126,213\n__bn_sqrx8x_reduction:\n\txorl\t%eax,%eax\n\tmovq\t32+8(%rsp),%rbx\n\tmovq\t48+8(%rsp),%rdx\n\tleaq\t-64(%rbp,%r9,1),%rcx\n\n\tmovq\t%rcx,0+8(%rsp)\n\tmovq\t%rdi,8+8(%rsp)\n\n\tleaq\t48+8(%rsp),%rdi\n\tjmp\t.Lsqrx8x_reduction_loop\n\n.align\t32\n.Lsqrx8x_reduction_loop:\n\tmovq\t8(%rdi),%r9\n\tmovq\t16(%rdi),%r10\n\tmovq\t24(%rdi),%r11\n\tmovq\t32(%rdi),%r12\n\tmovq\t%rdx,%r8\n\timulq\t%rbx,%rdx\n\tmovq\t40(%rdi),%r13\n\tmovq\t48(%rdi),%r14\n\tmovq\t56(%rdi),%r15\n\tmovq\t%rax,24+8(%rsp)\n\n\tleaq\t64(%rdi),%rdi\n\txorq\t%rsi,%rsi\n\tmovq\t$-8,%rcx\n\tjmp\t.Lsqrx8x_reduce\n\n.align\t32\n.Lsqrx8x_reduce:\n\tmovq\t%r8,%rbx\n\tmulxq\t0(%rbp),%rax,%r8\n\tadcxq\t%rbx,%rax\n\tadoxq\t%r9,%r8\n\n\tmulxq\t8(%rbp),%rbx,%r9\n\tadcxq\t%rbx,%r8\n\tadoxq\t%r10,%r9\n\n\tmulxq\t16(%rbp),%rbx,%r10\n\tadcxq\t%rbx,%r9\n\tadoxq\t%r11,%r10\n\n\tmulxq\t24(%rbp),%rbx,%r11\n\tadcxq\t%rbx,%r10\n\tadoxq\t%r12,%r11\n\n.byte\t0xc4,0x62,0xe3,0xf6,0xa5,0x20,0x00,0x00,0x00\n\tmovq\t%rdx,%rax\n\tmovq\t%r8,%rdx\n\tadcxq\t%rbx,%r11\n\tadoxq\t%r13,%r12\n\n\tmulxq\t32+8(%rsp),%rbx,%rdx\n\tmovq\t%rax,%rdx\n\tmovq\t%rax,64+48+8(%rsp,%rcx,8)\n\n\tmulxq\t40(%rbp),%rax,%r13\n\tadcxq\t%rax,%r12\n\tadoxq\t%r14,%r13\n\n\tmulxq\t48(%rbp),%rax,%r14\n\tadcxq\t%rax,%r13\n\tadoxq\t%r15,%r14\n\n\tmulxq\t56(%rbp),%rax,%r15\n\tmovq\t%rbx,%rdx\n\tadcxq\t%rax,%r14\n\tadoxq\t%rsi,%r15\n\tadcxq\t%rsi,%r15\n\n.byte\t0x67,0x67,0x67\n\tincq\t%rcx\n\tjnz\t.Lsqrx8x_reduce\n\n\tmovq\t%rsi,%rax\n\tcmpq\t0+8(%rsp),%rbp\n\tjae\t.Lsqrx8x_no_tail\n\n\tmovq\t48+8(%rsp),%rdx\n\taddq\t0(%rdi),%r8\n\tleaq\t64(%rbp),%rbp\n\tmovq\t$-8,%rcx\n\tadcxq\t8(%rdi),%r9\n\tadcxq\t16(%rdi),%r10\n\tadcq\t24(%rdi),%r11\n\tadcq\t32(%rdi),%r12\n\tadcq\t40(%rdi),%r13\n\tadcq\t48(%rdi),%r14\n\tadcq\t56(%rdi),%r15\n\tleaq\t64(%rdi),%rdi\n\tsbbq\t%rax,%rax\n\n\txorq\t%rsi,%rsi\n\tmovq\t%rax,16+8(%rsp)\n\tjmp\t.Lsqrx8x_tail\n\n.align\t32\n.Lsqrx8x_tail:\n\tmovq\t%r8,%rbx\n\tmulxq\t0(%rbp),%rax,%r8\n\tadcxq\t%rax,%rbx\n\tadoxq\t%r9,%r8\n\n\tmulxq\t8(%rbp),%rax,%r9\n\tadcxq\t%rax,%r8\n\tadoxq\t%r10,%r9\n\n\tmulxq\t16(%rbp),%rax,%r10\n\tadcxq\t%rax,%r9\n\tadoxq\t%r11,%r10\n\n\tmulxq\t24(%rbp),%rax,%r11\n\tadcxq\t%rax,%r10\n\tadoxq\t%r12,%r11\n\n.byte\t0xc4,0x62,0xfb,0xf6,0xa5,0x20,0x00,0x00,0x00\n\tadcxq\t%rax,%r11\n\tadoxq\t%r13,%r12\n\n\tmulxq\t40(%rbp),%rax,%r13\n\tadcxq\t%rax,%r12\n\tadoxq\t%r14,%r13\n\n\tmulxq\t48(%rbp),%rax,%r14\n\tadcxq\t%rax,%r13\n\tadoxq\t%r15,%r14\n\n\tmulxq\t56(%rbp),%rax,%r15\n\tmovq\t72+48+8(%rsp,%rcx,8),%rdx\n\tadcxq\t%rax,%r14\n\tadoxq\t%rsi,%r15\n\tmovq\t%rbx,(%rdi,%rcx,8)\n\tmovq\t%r8,%rbx\n\tadcxq\t%rsi,%r15\n\n\tincq\t%rcx\n\tjnz\t.Lsqrx8x_tail\n\n\tcmpq\t0+8(%rsp),%rbp\n\tjae\t.Lsqrx8x_tail_done\n\n\tsubq\t16+8(%rsp),%rsi\n\tmovq\t48+8(%rsp),%rdx\n\tleaq\t64(%rbp),%rbp\n\tadcq\t0(%rdi),%r8\n\tadcq\t8(%rdi),%r9\n\tadcq\t16(%rdi),%r10\n\tadcq\t24(%rdi),%r11\n\tadcq\t32(%rdi),%r12\n\tadcq\t40(%rdi),%r13\n\tadcq\t48(%rdi),%r14\n\tadcq\t56(%rdi),%r15\n\tleaq\t64(%rdi),%rdi\n\tsbbq\t%rax,%rax\n\tsubq\t$8,%rcx\n\n\txorq\t%rsi,%rsi\n\tmovq\t%rax,16+8(%rsp)\n\tjmp\t.Lsqrx8x_tail\n\n.align\t32\n.Lsqrx8x_tail_done:\n\txorq\t%rax,%rax\n\taddq\t24+8(%rsp),%r8\n\tadcq\t$0,%r9\n\tadcq\t$0,%r10\n\tadcq\t$0,%r11\n\tadcq\t$0,%r12\n\tadcq\t$0,%r13\n\tadcq\t$0,%r14\n\tadcq\t$0,%r15\n\tadcq\t$0,%rax\n\n\tsubq\t16+8(%rsp),%rsi\n.Lsqrx8x_no_tail:\n\tadcq\t0(%rdi),%r8\n.byte\t102,72,15,126,217\n\tadcq\t8(%rdi),%r9\n\tmovq\t56(%rbp),%rsi\n.byte\t102,72,15,126,213\n\tadcq\t16(%rdi),%r10\n\tadcq\t24(%rdi),%r11\n\tadcq\t32(%rdi),%r12\n\tadcq\t40(%rdi),%r13\n\tadcq\t48(%rdi),%r14\n\tadcq\t56(%rdi),%r15\n\tadcq\t$0,%rax\n\n\tmovq\t32+8(%rsp),%rbx\n\tmovq\t64(%rdi,%rcx,1),%rdx\n\n\tmovq\t%r8,0(%rdi)\n\tleaq\t64(%rdi),%r8\n\tmovq\t%r9,8(%rdi)\n\tmovq\t%r10,16(%rdi)\n\tmovq\t%r11,24(%rdi)\n\tmovq\t%r12,32(%rdi)\n\tmovq\t%r13,40(%rdi)\n\tmovq\t%r14,48(%rdi)\n\tmovq\t%r15,56(%rdi)\n\n\tleaq\t64(%rdi,%rcx,1),%rdi\n\tcmpq\t8+8(%rsp),%r8\n\tjb\t.Lsqrx8x_reduction_loop\n\tret\n.cfi_endproc\t\n.size\tbn_sqrx8x_internal,.-bn_sqrx8x_internal\n.align\t32\n.type\t__bn_postx4x_internal,@function\n__bn_postx4x_internal:\n.cfi_startproc\t\n\tmovq\t0(%rbp),%r12\n\tmovq\t%rcx,%r10\n\tmovq\t%rcx,%r9\n\tnegq\t%rax\n\tsarq\t$3+2,%rcx\n\n.byte\t102,72,15,126,202\n.byte\t102,72,15,126,206\n\tdecq\t%r12\n\tmovq\t8(%rbp),%r13\n\txorq\t%r8,%r8\n\tmovq\t16(%rbp),%r14\n\tmovq\t24(%rbp),%r15\n\tjmp\t.Lsqrx4x_sub_entry\n\n.align\t16\n.Lsqrx4x_sub:\n\tmovq\t0(%rbp),%r12\n\tmovq\t8(%rbp),%r13\n\tmovq\t16(%rbp),%r14\n\tmovq\t24(%rbp),%r15\n.Lsqrx4x_sub_entry:\n\tandnq\t%rax,%r12,%r12\n\tleaq\t32(%rbp),%rbp\n\tandnq\t%rax,%r13,%r13\n\tandnq\t%rax,%r14,%r14\n\tandnq\t%rax,%r15,%r15\n\n\tnegq\t%r8\n\tadcq\t0(%rdi),%r12\n\tadcq\t8(%rdi),%r13\n\tadcq\t16(%rdi),%r14\n\tadcq\t24(%rdi),%r15\n\tmovq\t%r12,0(%rdx)\n\tleaq\t32(%rdi),%rdi\n\tmovq\t%r13,8(%rdx)\n\tsbbq\t%r8,%r8\n\tmovq\t%r14,16(%rdx)\n\tmovq\t%r15,24(%rdx)\n\tleaq\t32(%rdx),%rdx\n\n\tincq\t%rcx\n\tjnz\t.Lsqrx4x_sub\n\n\tnegq\t%r9\n\n\tret\n.cfi_endproc\t\n.size\t__bn_postx4x_internal,.-__bn_postx4x_internal\n.globl\tbn_scatter5\n.hidden bn_scatter5\n.type\tbn_scatter5,@function\n.align\t16\nbn_scatter5:\n.cfi_startproc\t\n_CET_ENDBR\n\tcmpl\t$0,%esi\n\tjz\t.Lscatter_epilogue\n\n\n\n\n\n\n\n\n\n\tleaq\t(%rdx,%rcx,8),%rdx\n.Lscatter:\n\tmovq\t(%rdi),%rax\n\tleaq\t8(%rdi),%rdi\n\tmovq\t%rax,(%rdx)\n\tleaq\t256(%rdx),%rdx\n\tsubl\t$1,%esi\n\tjnz\t.Lscatter\n.Lscatter_epilogue:\n\tret\n.cfi_endproc\t\n.size\tbn_scatter5,.-bn_scatter5\n\n.globl\tbn_gather5\n.hidden bn_gather5\n.type\tbn_gather5,@function\n.align\t32\nbn_gather5:\n.cfi_startproc\t\n.LSEH_begin_bn_gather5:\n_CET_ENDBR\n\n.byte\t0x4c,0x8d,0x14,0x24\n.cfi_def_cfa_register\t%r10\n.byte\t0x48,0x81,0xec,0x08,0x01,0x00,0x00\n\tleaq\t.Linc(%rip),%rax\n\tandq\t$-16,%rsp\n\n\tmovd\t%ecx,%xmm5\n\tmovdqa\t0(%rax),%xmm0\n\tmovdqa\t16(%rax),%xmm1\n\tleaq\t128(%rdx),%r11\n\tleaq\t128(%rsp),%rax\n\n\tpshufd\t$0,%xmm5,%xmm5\n\tmovdqa\t%xmm1,%xmm4\n\tmovdqa\t%xmm1,%xmm2\n\tpaddd\t%xmm0,%xmm1\n\tpcmpeqd\t%xmm5,%xmm0\n\tmovdqa\t%xmm4,%xmm3\n\n\tpaddd\t%xmm1,%xmm2\n\tpcmpeqd\t%xmm5,%xmm1\n\tmovdqa\t%xmm0,-128(%rax)\n\tmovdqa\t%xmm4,%xmm0\n\n\tpaddd\t%xmm2,%xmm3\n\tpcmpeqd\t%xmm5,%xmm2\n\tmovdqa\t%xmm1,-112(%rax)\n\tmovdqa\t%xmm4,%xmm1\n\n\tpaddd\t%xmm3,%xmm0\n\tpcmpeqd\t%xmm5,%xmm3\n\tmovdqa\t%xmm2,-96(%rax)\n\tmovdqa\t%xmm4,%xmm2\n\tpaddd\t%xmm0,%xmm1\n\tpcmpeqd\t%xmm5,%xmm0\n\tmovdqa\t%xmm3,-80(%rax)\n\tmovdqa\t%xmm4,%xmm3\n\n\tpaddd\t%xmm1,%xmm2\n\tpcmpeqd\t%xmm5,%xmm1\n\tmovdqa\t%xmm0,-64(%rax)\n\tmovdqa\t%xmm4,%xmm0\n\n\tpaddd\t%xmm2,%xmm3\n\tpcmpeqd\t%xmm5,%xmm2\n\tmovdqa\t%xmm1,-48(%rax)\n\tmovdqa\t%xmm4,%xmm1\n\n\tpaddd\t%xmm3,%xmm0\n\tpcmpeqd\t%xmm5,%xmm3\n\tmovdqa\t%xmm2,-32(%rax)\n\tmovdqa\t%xmm4,%xmm2\n\tpaddd\t%xmm0,%xmm1\n\tpcmpeqd\t%xmm5,%xmm0\n\tmovdqa\t%xmm3,-16(%rax)\n\tmovdqa\t%xmm4,%xmm3\n\n\tpaddd\t%xmm1,%xmm2\n\tpcmpeqd\t%xmm5,%xmm1\n\tmovdqa\t%xmm0,0(%rax)\n\tmovdqa\t%xmm4,%xmm0\n\n\tpaddd\t%xmm2,%xmm3\n\tpcmpeqd\t%xmm5,%xmm2\n\tmovdqa\t%xmm1,16(%rax)\n\tmovdqa\t%xmm4,%xmm1\n\n\tpaddd\t%xmm3,%xmm0\n\tpcmpeqd\t%xmm5,%xmm3\n\tmovdqa\t%xmm2,32(%rax)\n\tmovdqa\t%xmm4,%xmm2\n\tpaddd\t%xmm0,%xmm1\n\tpcmpeqd\t%xmm5,%xmm0\n\tmovdqa\t%xmm3,48(%rax)\n\tmovdqa\t%xmm4,%xmm3\n\n\tpaddd\t%xmm1,%xmm2\n\tpcmpeqd\t%xmm5,%xmm1\n\tmovdqa\t%xmm0,64(%rax)\n\tmovdqa\t%xmm4,%xmm0\n\n\tpaddd\t%xmm2,%xmm3\n\tpcmpeqd\t%xmm5,%xmm2\n\tmovdqa\t%xmm1,80(%rax)\n\tmovdqa\t%xmm4,%xmm1\n\n\tpaddd\t%xmm3,%xmm0\n\tpcmpeqd\t%xmm5,%xmm3\n\tmovdqa\t%xmm2,96(%rax)\n\tmovdqa\t%xmm4,%xmm2\n\tmovdqa\t%xmm3,112(%rax)\n\tjmp\t.Lgather\n\n.align\t32\n.Lgather:\n\tpxor\t%xmm4,%xmm4\n\tpxor\t%xmm5,%xmm5\n\tmovdqa\t-128(%r11),%xmm0\n\tmovdqa\t-112(%r11),%xmm1\n\tmovdqa\t-96(%r11),%xmm2\n\tpand\t-128(%rax),%xmm0\n\tmovdqa\t-80(%r11),%xmm3\n\tpand\t-112(%rax),%xmm1\n\tpor\t%xmm0,%xmm4\n\tpand\t-96(%rax),%xmm2\n\tpor\t%xmm1,%xmm5\n\tpand\t-80(%rax),%xmm3\n\tpor\t%xmm2,%xmm4\n\tpor\t%xmm3,%xmm5\n\tmovdqa\t-64(%r11),%xmm0\n\tmovdqa\t-48(%r11),%xmm1\n\tmovdqa\t-32(%r11),%xmm2\n\tpand\t-64(%rax),%xmm0\n\tmovdqa\t-16(%r11),%xmm3\n\tpand\t-48(%rax),%xmm1\n\tpor\t%xmm0,%xmm4\n\tpand\t-32(%rax),%xmm2\n\tpor\t%xmm1,%xmm5\n\tpand\t-16(%rax),%xmm3\n\tpor\t%xmm2,%xmm4\n\tpor\t%xmm3,%xmm5\n\tmovdqa\t0(%r11),%xmm0\n\tmovdqa\t16(%r11),%xmm1\n\tmovdqa\t32(%r11),%xmm2\n\tpand\t0(%rax),%xmm0\n\tmovdqa\t48(%r11),%xmm3\n\tpand\t16(%rax),%xmm1\n\tpor\t%xmm0,%xmm4\n\tpand\t32(%rax),%xmm2\n\tpor\t%xmm1,%xmm5\n\tpand\t48(%rax),%xmm3\n\tpor\t%xmm2,%xmm4\n\tpor\t%xmm3,%xmm5\n\tmovdqa\t64(%r11),%xmm0\n\tmovdqa\t80(%r11),%xmm1\n\tmovdqa\t96(%r11),%xmm2\n\tpand\t64(%rax),%xmm0\n\tmovdqa\t112(%r11),%xmm3\n\tpand\t80(%rax),%xmm1\n\tpor\t%xmm0,%xmm4\n\tpand\t96(%rax),%xmm2\n\tpor\t%xmm1,%xmm5\n\tpand\t112(%rax),%xmm3\n\tpor\t%xmm2,%xmm4\n\tpor\t%xmm3,%xmm5\n\tpor\t%xmm5,%xmm4\n\tleaq\t256(%r11),%r11\n\n\tpshufd\t$0x4e,%xmm4,%xmm0\n\tpor\t%xmm4,%xmm0\n\tmovq\t%xmm0,(%rdi)\n\tleaq\t8(%rdi),%rdi\n\tsubl\t$1,%esi\n\tjnz\t.Lgather\n\n\tleaq\t(%r10),%rsp\n.cfi_def_cfa_register\t%rsp\n\tret\n.LSEH_end_bn_gather5:\n.cfi_endproc\t\n.size\tbn_gather5,.-bn_gather5\n.section\t.rodata\n.align\t64\n.Linc:\n.long\t0,0, 1,1\n.long\t2,2, 2,2\n.byte\t77,111,110,116,103,111,109,101,114,121,32,77,117,108,116,105,112,108,105,99,97,116,105,111,110,32,119,105,116,104,32,115,99,97,116,116,101,114,47,103,97,116,104,101,114,32,102,111,114,32,120,56,54,95,54,52,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0\n.text\t\n#endif\n#if defined(__linux__) && defined(__ELF__)\n.section .note.GNU-stack,\"\",%progbits\n#endif\n\n" }, { "path": "Sources/CNIOBoringSSL/gen/crypto/aes128gcmsiv-x86_64-apple.S", "content": "#define BORINGSSL_PREFIX CNIOBoringSSL\n// This file is generated from a similarly-named Perl script in the BoringSSL\n// source tree. Do not edit by hand.\n\n#include \n\n#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86_64) && defined(__APPLE__)\n.section\t__DATA,__const\n\n.p2align\t4\none:\n.quad\t1,0\ntwo:\n.quad\t2,0\nthree:\n.quad\t3,0\nfour:\n.quad\t4,0\nfive:\n.quad\t5,0\nsix:\n.quad\t6,0\nseven:\n.quad\t7,0\neight:\n.quad\t8,0\n\nOR_MASK:\n.long\t0x00000000,0x00000000,0x00000000,0x80000000\npoly:\n.quad\t0x1, 0xc200000000000000\nmask:\n.long\t0x0c0f0e0d,0x0c0f0e0d,0x0c0f0e0d,0x0c0f0e0d\ncon1:\n.long\t1,1,1,1\ncon2:\n.long\t0x1b,0x1b,0x1b,0x1b\ncon3:\n.byte\t-1,-1,-1,-1,-1,-1,-1,-1,4,5,6,7,4,5,6,7\nand_mask:\n.long\t0,0xffffffff, 0xffffffff, 0xffffffff\n.text\t\n\n.p2align\t4\nGFMUL:\n\n\tvpclmulqdq\t$0x00,%xmm1,%xmm0,%xmm2\n\tvpclmulqdq\t$0x11,%xmm1,%xmm0,%xmm5\n\tvpclmulqdq\t$0x10,%xmm1,%xmm0,%xmm3\n\tvpclmulqdq\t$0x01,%xmm1,%xmm0,%xmm4\n\tvpxor\t%xmm4,%xmm3,%xmm3\n\tvpslldq\t$8,%xmm3,%xmm4\n\tvpsrldq\t$8,%xmm3,%xmm3\n\tvpxor\t%xmm4,%xmm2,%xmm2\n\tvpxor\t%xmm3,%xmm5,%xmm5\n\n\tvpclmulqdq\t$0x10,poly(%rip),%xmm2,%xmm3\n\tvpshufd\t$78,%xmm2,%xmm4\n\tvpxor\t%xmm4,%xmm3,%xmm2\n\n\tvpclmulqdq\t$0x10,poly(%rip),%xmm2,%xmm3\n\tvpshufd\t$78,%xmm2,%xmm4\n\tvpxor\t%xmm4,%xmm3,%xmm2\n\n\tvpxor\t%xmm5,%xmm2,%xmm0\n\tret\n\n\n.globl\t_aesgcmsiv_htable_init\n.private_extern _aesgcmsiv_htable_init\n\n.p2align\t4\n_aesgcmsiv_htable_init:\n\n_CET_ENDBR\n\tvmovdqa\t(%rsi),%xmm0\n\tvmovdqa\t%xmm0,%xmm1\n\tvmovdqa\t%xmm0,(%rdi)\n\tcall\tGFMUL\n\tvmovdqa\t%xmm0,16(%rdi)\n\tcall\tGFMUL\n\tvmovdqa\t%xmm0,32(%rdi)\n\tcall\tGFMUL\n\tvmovdqa\t%xmm0,48(%rdi)\n\tcall\tGFMUL\n\tvmovdqa\t%xmm0,64(%rdi)\n\tcall\tGFMUL\n\tvmovdqa\t%xmm0,80(%rdi)\n\tcall\tGFMUL\n\tvmovdqa\t%xmm0,96(%rdi)\n\tcall\tGFMUL\n\tvmovdqa\t%xmm0,112(%rdi)\n\tret\n\n\n.globl\t_aesgcmsiv_htable6_init\n.private_extern _aesgcmsiv_htable6_init\n\n.p2align\t4\n_aesgcmsiv_htable6_init:\n\n_CET_ENDBR\n\tvmovdqa\t(%rsi),%xmm0\n\tvmovdqa\t%xmm0,%xmm1\n\tvmovdqa\t%xmm0,(%rdi)\n\tcall\tGFMUL\n\tvmovdqa\t%xmm0,16(%rdi)\n\tcall\tGFMUL\n\tvmovdqa\t%xmm0,32(%rdi)\n\tcall\tGFMUL\n\tvmovdqa\t%xmm0,48(%rdi)\n\tcall\tGFMUL\n\tvmovdqa\t%xmm0,64(%rdi)\n\tcall\tGFMUL\n\tvmovdqa\t%xmm0,80(%rdi)\n\tret\n\n\n.globl\t_aesgcmsiv_htable_polyval\n.private_extern _aesgcmsiv_htable_polyval\n\n.p2align\t4\n_aesgcmsiv_htable_polyval:\n\n_CET_ENDBR\n\ttestq\t%rdx,%rdx\n\tjnz\tL$htable_polyval_start\n\tret\n\nL$htable_polyval_start:\n\tvzeroall\n\n\n\n\tmovq\t%rdx,%r11\n\tandq\t$127,%r11\n\n\tjz\tL$htable_polyval_no_prefix\n\n\tvpxor\t%xmm9,%xmm9,%xmm9\n\tvmovdqa\t(%rcx),%xmm1\n\tsubq\t%r11,%rdx\n\n\tsubq\t$16,%r11\n\n\n\tvmovdqu\t(%rsi),%xmm0\n\tvpxor\t%xmm1,%xmm0,%xmm0\n\n\tvpclmulqdq\t$0x01,(%rdi,%r11,1),%xmm0,%xmm5\n\tvpclmulqdq\t$0x00,(%rdi,%r11,1),%xmm0,%xmm3\n\tvpclmulqdq\t$0x11,(%rdi,%r11,1),%xmm0,%xmm4\n\tvpclmulqdq\t$0x10,(%rdi,%r11,1),%xmm0,%xmm6\n\tvpxor\t%xmm6,%xmm5,%xmm5\n\n\tleaq\t16(%rsi),%rsi\n\ttestq\t%r11,%r11\n\tjnz\tL$htable_polyval_prefix_loop\n\tjmp\tL$htable_polyval_prefix_complete\n\n\n.p2align\t6\nL$htable_polyval_prefix_loop:\n\tsubq\t$16,%r11\n\n\tvmovdqu\t(%rsi),%xmm0\n\n\tvpclmulqdq\t$0x00,(%rdi,%r11,1),%xmm0,%xmm6\n\tvpxor\t%xmm6,%xmm3,%xmm3\n\tvpclmulqdq\t$0x11,(%rdi,%r11,1),%xmm0,%xmm6\n\tvpxor\t%xmm6,%xmm4,%xmm4\n\tvpclmulqdq\t$0x01,(%rdi,%r11,1),%xmm0,%xmm6\n\tvpxor\t%xmm6,%xmm5,%xmm5\n\tvpclmulqdq\t$0x10,(%rdi,%r11,1),%xmm0,%xmm6\n\tvpxor\t%xmm6,%xmm5,%xmm5\n\n\ttestq\t%r11,%r11\n\n\tleaq\t16(%rsi),%rsi\n\n\tjnz\tL$htable_polyval_prefix_loop\n\nL$htable_polyval_prefix_complete:\n\tvpsrldq\t$8,%xmm5,%xmm6\n\tvpslldq\t$8,%xmm5,%xmm5\n\n\tvpxor\t%xmm6,%xmm4,%xmm9\n\tvpxor\t%xmm5,%xmm3,%xmm1\n\n\tjmp\tL$htable_polyval_main_loop\n\nL$htable_polyval_no_prefix:\n\n\n\n\n\tvpxor\t%xmm1,%xmm1,%xmm1\n\tvmovdqa\t(%rcx),%xmm9\n\n.p2align\t6\nL$htable_polyval_main_loop:\n\tsubq\t$0x80,%rdx\n\tjb\tL$htable_polyval_out\n\n\tvmovdqu\t112(%rsi),%xmm0\n\n\tvpclmulqdq\t$0x01,(%rdi),%xmm0,%xmm5\n\tvpclmulqdq\t$0x00,(%rdi),%xmm0,%xmm3\n\tvpclmulqdq\t$0x11,(%rdi),%xmm0,%xmm4\n\tvpclmulqdq\t$0x10,(%rdi),%xmm0,%xmm6\n\tvpxor\t%xmm6,%xmm5,%xmm5\n\n\n\tvmovdqu\t96(%rsi),%xmm0\n\tvpclmulqdq\t$0x01,16(%rdi),%xmm0,%xmm6\n\tvpxor\t%xmm6,%xmm5,%xmm5\n\tvpclmulqdq\t$0x00,16(%rdi),%xmm0,%xmm6\n\tvpxor\t%xmm6,%xmm3,%xmm3\n\tvpclmulqdq\t$0x11,16(%rdi),%xmm0,%xmm6\n\tvpxor\t%xmm6,%xmm4,%xmm4\n\tvpclmulqdq\t$0x10,16(%rdi),%xmm0,%xmm6\n\tvpxor\t%xmm6,%xmm5,%xmm5\n\n\n\n\tvmovdqu\t80(%rsi),%xmm0\n\n\tvpclmulqdq\t$0x10,poly(%rip),%xmm1,%xmm7\n\tvpalignr\t$8,%xmm1,%xmm1,%xmm1\n\n\tvpclmulqdq\t$0x01,32(%rdi),%xmm0,%xmm6\n\tvpxor\t%xmm6,%xmm5,%xmm5\n\tvpclmulqdq\t$0x00,32(%rdi),%xmm0,%xmm6\n\tvpxor\t%xmm6,%xmm3,%xmm3\n\tvpclmulqdq\t$0x11,32(%rdi),%xmm0,%xmm6\n\tvpxor\t%xmm6,%xmm4,%xmm4\n\tvpclmulqdq\t$0x10,32(%rdi),%xmm0,%xmm6\n\tvpxor\t%xmm6,%xmm5,%xmm5\n\n\n\tvpxor\t%xmm7,%xmm1,%xmm1\n\n\tvmovdqu\t64(%rsi),%xmm0\n\n\tvpclmulqdq\t$0x01,48(%rdi),%xmm0,%xmm6\n\tvpxor\t%xmm6,%xmm5,%xmm5\n\tvpclmulqdq\t$0x00,48(%rdi),%xmm0,%xmm6\n\tvpxor\t%xmm6,%xmm3,%xmm3\n\tvpclmulqdq\t$0x11,48(%rdi),%xmm0,%xmm6\n\tvpxor\t%xmm6,%xmm4,%xmm4\n\tvpclmulqdq\t$0x10,48(%rdi),%xmm0,%xmm6\n\tvpxor\t%xmm6,%xmm5,%xmm5\n\n\n\tvmovdqu\t48(%rsi),%xmm0\n\n\tvpclmulqdq\t$0x10,poly(%rip),%xmm1,%xmm7\n\tvpalignr\t$8,%xmm1,%xmm1,%xmm1\n\n\tvpclmulqdq\t$0x01,64(%rdi),%xmm0,%xmm6\n\tvpxor\t%xmm6,%xmm5,%xmm5\n\tvpclmulqdq\t$0x00,64(%rdi),%xmm0,%xmm6\n\tvpxor\t%xmm6,%xmm3,%xmm3\n\tvpclmulqdq\t$0x11,64(%rdi),%xmm0,%xmm6\n\tvpxor\t%xmm6,%xmm4,%xmm4\n\tvpclmulqdq\t$0x10,64(%rdi),%xmm0,%xmm6\n\tvpxor\t%xmm6,%xmm5,%xmm5\n\n\n\tvpxor\t%xmm7,%xmm1,%xmm1\n\n\tvmovdqu\t32(%rsi),%xmm0\n\n\tvpclmulqdq\t$0x01,80(%rdi),%xmm0,%xmm6\n\tvpxor\t%xmm6,%xmm5,%xmm5\n\tvpclmulqdq\t$0x00,80(%rdi),%xmm0,%xmm6\n\tvpxor\t%xmm6,%xmm3,%xmm3\n\tvpclmulqdq\t$0x11,80(%rdi),%xmm0,%xmm6\n\tvpxor\t%xmm6,%xmm4,%xmm4\n\tvpclmulqdq\t$0x10,80(%rdi),%xmm0,%xmm6\n\tvpxor\t%xmm6,%xmm5,%xmm5\n\n\n\tvpxor\t%xmm9,%xmm1,%xmm1\n\n\tvmovdqu\t16(%rsi),%xmm0\n\n\tvpclmulqdq\t$0x01,96(%rdi),%xmm0,%xmm6\n\tvpxor\t%xmm6,%xmm5,%xmm5\n\tvpclmulqdq\t$0x00,96(%rdi),%xmm0,%xmm6\n\tvpxor\t%xmm6,%xmm3,%xmm3\n\tvpclmulqdq\t$0x11,96(%rdi),%xmm0,%xmm6\n\tvpxor\t%xmm6,%xmm4,%xmm4\n\tvpclmulqdq\t$0x10,96(%rdi),%xmm0,%xmm6\n\tvpxor\t%xmm6,%xmm5,%xmm5\n\n\n\tvmovdqu\t0(%rsi),%xmm0\n\tvpxor\t%xmm1,%xmm0,%xmm0\n\n\tvpclmulqdq\t$0x01,112(%rdi),%xmm0,%xmm6\n\tvpxor\t%xmm6,%xmm5,%xmm5\n\tvpclmulqdq\t$0x00,112(%rdi),%xmm0,%xmm6\n\tvpxor\t%xmm6,%xmm3,%xmm3\n\tvpclmulqdq\t$0x11,112(%rdi),%xmm0,%xmm6\n\tvpxor\t%xmm6,%xmm4,%xmm4\n\tvpclmulqdq\t$0x10,112(%rdi),%xmm0,%xmm6\n\tvpxor\t%xmm6,%xmm5,%xmm5\n\n\n\tvpsrldq\t$8,%xmm5,%xmm6\n\tvpslldq\t$8,%xmm5,%xmm5\n\n\tvpxor\t%xmm6,%xmm4,%xmm9\n\tvpxor\t%xmm5,%xmm3,%xmm1\n\n\tleaq\t128(%rsi),%rsi\n\tjmp\tL$htable_polyval_main_loop\n\n\n\nL$htable_polyval_out:\n\tvpclmulqdq\t$0x10,poly(%rip),%xmm1,%xmm6\n\tvpalignr\t$8,%xmm1,%xmm1,%xmm1\n\tvpxor\t%xmm6,%xmm1,%xmm1\n\n\tvpclmulqdq\t$0x10,poly(%rip),%xmm1,%xmm6\n\tvpalignr\t$8,%xmm1,%xmm1,%xmm1\n\tvpxor\t%xmm6,%xmm1,%xmm1\n\tvpxor\t%xmm9,%xmm1,%xmm1\n\n\tvmovdqu\t%xmm1,(%rcx)\n\tvzeroupper\n\tret\n\n\n.globl\t_aesgcmsiv_polyval_horner\n.private_extern _aesgcmsiv_polyval_horner\n\n.p2align\t4\n_aesgcmsiv_polyval_horner:\n\n_CET_ENDBR\n\ttestq\t%rcx,%rcx\n\tjnz\tL$polyval_horner_start\n\tret\n\nL$polyval_horner_start:\n\n\n\n\txorq\t%r10,%r10\n\tshlq\t$4,%rcx\n\n\tvmovdqa\t(%rsi),%xmm1\n\tvmovdqa\t(%rdi),%xmm0\n\nL$polyval_horner_loop:\n\tvpxor\t(%rdx,%r10,1),%xmm0,%xmm0\n\tcall\tGFMUL\n\n\taddq\t$16,%r10\n\tcmpq\t%r10,%rcx\n\tjne\tL$polyval_horner_loop\n\n\n\tvmovdqa\t%xmm0,(%rdi)\n\tret\n\n\n.globl\t_aes128gcmsiv_aes_ks\n.private_extern _aes128gcmsiv_aes_ks\n\n.p2align\t4\n_aes128gcmsiv_aes_ks:\n\n_CET_ENDBR\n\tvmovdqu\t(%rdi),%xmm1\n\tvmovdqa\t%xmm1,(%rsi)\n\n\tvmovdqa\tcon1(%rip),%xmm0\n\tvmovdqa\tmask(%rip),%xmm15\n\n\tmovq\t$8,%rax\n\nL$ks128_loop:\n\taddq\t$16,%rsi\n\tsubq\t$1,%rax\n\tvpshufb\t%xmm15,%xmm1,%xmm2\n\tvaesenclast\t%xmm0,%xmm2,%xmm2\n\tvpslld\t$1,%xmm0,%xmm0\n\tvpslldq\t$4,%xmm1,%xmm3\n\tvpxor\t%xmm3,%xmm1,%xmm1\n\tvpslldq\t$4,%xmm3,%xmm3\n\tvpxor\t%xmm3,%xmm1,%xmm1\n\tvpslldq\t$4,%xmm3,%xmm3\n\tvpxor\t%xmm3,%xmm1,%xmm1\n\tvpxor\t%xmm2,%xmm1,%xmm1\n\tvmovdqa\t%xmm1,(%rsi)\n\tjne\tL$ks128_loop\n\n\tvmovdqa\tcon2(%rip),%xmm0\n\tvpshufb\t%xmm15,%xmm1,%xmm2\n\tvaesenclast\t%xmm0,%xmm2,%xmm2\n\tvpslld\t$1,%xmm0,%xmm0\n\tvpslldq\t$4,%xmm1,%xmm3\n\tvpxor\t%xmm3,%xmm1,%xmm1\n\tvpslldq\t$4,%xmm3,%xmm3\n\tvpxor\t%xmm3,%xmm1,%xmm1\n\tvpslldq\t$4,%xmm3,%xmm3\n\tvpxor\t%xmm3,%xmm1,%xmm1\n\tvpxor\t%xmm2,%xmm1,%xmm1\n\tvmovdqa\t%xmm1,16(%rsi)\n\n\tvpshufb\t%xmm15,%xmm1,%xmm2\n\tvaesenclast\t%xmm0,%xmm2,%xmm2\n\tvpslldq\t$4,%xmm1,%xmm3\n\tvpxor\t%xmm3,%xmm1,%xmm1\n\tvpslldq\t$4,%xmm3,%xmm3\n\tvpxor\t%xmm3,%xmm1,%xmm1\n\tvpslldq\t$4,%xmm3,%xmm3\n\tvpxor\t%xmm3,%xmm1,%xmm1\n\tvpxor\t%xmm2,%xmm1,%xmm1\n\tvmovdqa\t%xmm1,32(%rsi)\n\tret\n\n\n.globl\t_aes256gcmsiv_aes_ks\n.private_extern _aes256gcmsiv_aes_ks\n\n.p2align\t4\n_aes256gcmsiv_aes_ks:\n\n_CET_ENDBR\n\tvmovdqu\t(%rdi),%xmm1\n\tvmovdqu\t16(%rdi),%xmm3\n\tvmovdqa\t%xmm1,(%rsi)\n\tvmovdqa\t%xmm3,16(%rsi)\n\tvmovdqa\tcon1(%rip),%xmm0\n\tvmovdqa\tmask(%rip),%xmm15\n\tvpxor\t%xmm14,%xmm14,%xmm14\n\tmovq\t$6,%rax\n\nL$ks256_loop:\n\taddq\t$32,%rsi\n\tsubq\t$1,%rax\n\tvpshufb\t%xmm15,%xmm3,%xmm2\n\tvaesenclast\t%xmm0,%xmm2,%xmm2\n\tvpslld\t$1,%xmm0,%xmm0\n\tvpsllq\t$32,%xmm1,%xmm4\n\tvpxor\t%xmm4,%xmm1,%xmm1\n\tvpshufb\tcon3(%rip),%xmm1,%xmm4\n\tvpxor\t%xmm4,%xmm1,%xmm1\n\tvpxor\t%xmm2,%xmm1,%xmm1\n\tvmovdqa\t%xmm1,(%rsi)\n\tvpshufd\t$0xff,%xmm1,%xmm2\n\tvaesenclast\t%xmm14,%xmm2,%xmm2\n\tvpsllq\t$32,%xmm3,%xmm4\n\tvpxor\t%xmm4,%xmm3,%xmm3\n\tvpshufb\tcon3(%rip),%xmm3,%xmm4\n\tvpxor\t%xmm4,%xmm3,%xmm3\n\tvpxor\t%xmm2,%xmm3,%xmm3\n\tvmovdqa\t%xmm3,16(%rsi)\n\tjne\tL$ks256_loop\n\n\tvpshufb\t%xmm15,%xmm3,%xmm2\n\tvaesenclast\t%xmm0,%xmm2,%xmm2\n\tvpsllq\t$32,%xmm1,%xmm4\n\tvpxor\t%xmm4,%xmm1,%xmm1\n\tvpshufb\tcon3(%rip),%xmm1,%xmm4\n\tvpxor\t%xmm4,%xmm1,%xmm1\n\tvpxor\t%xmm2,%xmm1,%xmm1\n\tvmovdqa\t%xmm1,32(%rsi)\n\tret\n\n.globl\t_aes128gcmsiv_aes_ks_enc_x1\n.private_extern _aes128gcmsiv_aes_ks_enc_x1\n\n.p2align\t4\n_aes128gcmsiv_aes_ks_enc_x1:\n\n_CET_ENDBR\n\tvmovdqa\t(%rcx),%xmm1\n\tvmovdqa\t0(%rdi),%xmm4\n\n\tvmovdqa\t%xmm1,(%rdx)\n\tvpxor\t%xmm1,%xmm4,%xmm4\n\n\tvmovdqa\tcon1(%rip),%xmm0\n\tvmovdqa\tmask(%rip),%xmm15\n\n\tvpshufb\t%xmm15,%xmm1,%xmm2\n\tvaesenclast\t%xmm0,%xmm2,%xmm2\n\tvpslld\t$1,%xmm0,%xmm0\n\tvpsllq\t$32,%xmm1,%xmm3\n\tvpxor\t%xmm3,%xmm1,%xmm1\n\tvpshufb\tcon3(%rip),%xmm1,%xmm3\n\tvpxor\t%xmm3,%xmm1,%xmm1\n\tvpxor\t%xmm2,%xmm1,%xmm1\n\n\tvaesenc\t%xmm1,%xmm4,%xmm4\n\tvmovdqa\t%xmm1,16(%rdx)\n\n\tvpshufb\t%xmm15,%xmm1,%xmm2\n\tvaesenclast\t%xmm0,%xmm2,%xmm2\n\tvpslld\t$1,%xmm0,%xmm0\n\tvpsllq\t$32,%xmm1,%xmm3\n\tvpxor\t%xmm3,%xmm1,%xmm1\n\tvpshufb\tcon3(%rip),%xmm1,%xmm3\n\tvpxor\t%xmm3,%xmm1,%xmm1\n\tvpxor\t%xmm2,%xmm1,%xmm1\n\n\tvaesenc\t%xmm1,%xmm4,%xmm4\n\tvmovdqa\t%xmm1,32(%rdx)\n\n\tvpshufb\t%xmm15,%xmm1,%xmm2\n\tvaesenclast\t%xmm0,%xmm2,%xmm2\n\tvpslld\t$1,%xmm0,%xmm0\n\tvpsllq\t$32,%xmm1,%xmm3\n\tvpxor\t%xmm3,%xmm1,%xmm1\n\tvpshufb\tcon3(%rip),%xmm1,%xmm3\n\tvpxor\t%xmm3,%xmm1,%xmm1\n\tvpxor\t%xmm2,%xmm1,%xmm1\n\n\tvaesenc\t%xmm1,%xmm4,%xmm4\n\tvmovdqa\t%xmm1,48(%rdx)\n\n\tvpshufb\t%xmm15,%xmm1,%xmm2\n\tvaesenclast\t%xmm0,%xmm2,%xmm2\n\tvpslld\t$1,%xmm0,%xmm0\n\tvpsllq\t$32,%xmm1,%xmm3\n\tvpxor\t%xmm3,%xmm1,%xmm1\n\tvpshufb\tcon3(%rip),%xmm1,%xmm3\n\tvpxor\t%xmm3,%xmm1,%xmm1\n\tvpxor\t%xmm2,%xmm1,%xmm1\n\n\tvaesenc\t%xmm1,%xmm4,%xmm4\n\tvmovdqa\t%xmm1,64(%rdx)\n\n\tvpshufb\t%xmm15,%xmm1,%xmm2\n\tvaesenclast\t%xmm0,%xmm2,%xmm2\n\tvpslld\t$1,%xmm0,%xmm0\n\tvpsllq\t$32,%xmm1,%xmm3\n\tvpxor\t%xmm3,%xmm1,%xmm1\n\tvpshufb\tcon3(%rip),%xmm1,%xmm3\n\tvpxor\t%xmm3,%xmm1,%xmm1\n\tvpxor\t%xmm2,%xmm1,%xmm1\n\n\tvaesenc\t%xmm1,%xmm4,%xmm4\n\tvmovdqa\t%xmm1,80(%rdx)\n\n\tvpshufb\t%xmm15,%xmm1,%xmm2\n\tvaesenclast\t%xmm0,%xmm2,%xmm2\n\tvpslld\t$1,%xmm0,%xmm0\n\tvpsllq\t$32,%xmm1,%xmm3\n\tvpxor\t%xmm3,%xmm1,%xmm1\n\tvpshufb\tcon3(%rip),%xmm1,%xmm3\n\tvpxor\t%xmm3,%xmm1,%xmm1\n\tvpxor\t%xmm2,%xmm1,%xmm1\n\n\tvaesenc\t%xmm1,%xmm4,%xmm4\n\tvmovdqa\t%xmm1,96(%rdx)\n\n\tvpshufb\t%xmm15,%xmm1,%xmm2\n\tvaesenclast\t%xmm0,%xmm2,%xmm2\n\tvpslld\t$1,%xmm0,%xmm0\n\tvpsllq\t$32,%xmm1,%xmm3\n\tvpxor\t%xmm3,%xmm1,%xmm1\n\tvpshufb\tcon3(%rip),%xmm1,%xmm3\n\tvpxor\t%xmm3,%xmm1,%xmm1\n\tvpxor\t%xmm2,%xmm1,%xmm1\n\n\tvaesenc\t%xmm1,%xmm4,%xmm4\n\tvmovdqa\t%xmm1,112(%rdx)\n\n\tvpshufb\t%xmm15,%xmm1,%xmm2\n\tvaesenclast\t%xmm0,%xmm2,%xmm2\n\tvpslld\t$1,%xmm0,%xmm0\n\tvpsllq\t$32,%xmm1,%xmm3\n\tvpxor\t%xmm3,%xmm1,%xmm1\n\tvpshufb\tcon3(%rip),%xmm1,%xmm3\n\tvpxor\t%xmm3,%xmm1,%xmm1\n\tvpxor\t%xmm2,%xmm1,%xmm1\n\n\tvaesenc\t%xmm1,%xmm4,%xmm4\n\tvmovdqa\t%xmm1,128(%rdx)\n\n\n\tvmovdqa\tcon2(%rip),%xmm0\n\n\tvpshufb\t%xmm15,%xmm1,%xmm2\n\tvaesenclast\t%xmm0,%xmm2,%xmm2\n\tvpslld\t$1,%xmm0,%xmm0\n\tvpsllq\t$32,%xmm1,%xmm3\n\tvpxor\t%xmm3,%xmm1,%xmm1\n\tvpshufb\tcon3(%rip),%xmm1,%xmm3\n\tvpxor\t%xmm3,%xmm1,%xmm1\n\tvpxor\t%xmm2,%xmm1,%xmm1\n\n\tvaesenc\t%xmm1,%xmm4,%xmm4\n\tvmovdqa\t%xmm1,144(%rdx)\n\n\tvpshufb\t%xmm15,%xmm1,%xmm2\n\tvaesenclast\t%xmm0,%xmm2,%xmm2\n\tvpsllq\t$32,%xmm1,%xmm3\n\tvpxor\t%xmm3,%xmm1,%xmm1\n\tvpshufb\tcon3(%rip),%xmm1,%xmm3\n\tvpxor\t%xmm3,%xmm1,%xmm1\n\tvpxor\t%xmm2,%xmm1,%xmm1\n\n\tvaesenclast\t%xmm1,%xmm4,%xmm4\n\tvmovdqa\t%xmm1,160(%rdx)\n\n\n\tvmovdqa\t%xmm4,0(%rsi)\n\tret\n\n\n.globl\t_aes128gcmsiv_kdf\n.private_extern _aes128gcmsiv_kdf\n\n.p2align\t4\n_aes128gcmsiv_kdf:\n\n_CET_ENDBR\n\n\n\n\n\tvmovdqa\t(%rdx),%xmm1\n\tvmovdqa\t0(%rdi),%xmm9\n\tvmovdqa\tand_mask(%rip),%xmm12\n\tvmovdqa\tone(%rip),%xmm13\n\tvpshufd\t$0x90,%xmm9,%xmm9\n\tvpand\t%xmm12,%xmm9,%xmm9\n\tvpaddd\t%xmm13,%xmm9,%xmm10\n\tvpaddd\t%xmm13,%xmm10,%xmm11\n\tvpaddd\t%xmm13,%xmm11,%xmm12\n\n\tvpxor\t%xmm1,%xmm9,%xmm9\n\tvpxor\t%xmm1,%xmm10,%xmm10\n\tvpxor\t%xmm1,%xmm11,%xmm11\n\tvpxor\t%xmm1,%xmm12,%xmm12\n\n\tvmovdqa\t16(%rdx),%xmm1\n\tvaesenc\t%xmm1,%xmm9,%xmm9\n\tvaesenc\t%xmm1,%xmm10,%xmm10\n\tvaesenc\t%xmm1,%xmm11,%xmm11\n\tvaesenc\t%xmm1,%xmm12,%xmm12\n\n\tvmovdqa\t32(%rdx),%xmm2\n\tvaesenc\t%xmm2,%xmm9,%xmm9\n\tvaesenc\t%xmm2,%xmm10,%xmm10\n\tvaesenc\t%xmm2,%xmm11,%xmm11\n\tvaesenc\t%xmm2,%xmm12,%xmm12\n\n\tvmovdqa\t48(%rdx),%xmm1\n\tvaesenc\t%xmm1,%xmm9,%xmm9\n\tvaesenc\t%xmm1,%xmm10,%xmm10\n\tvaesenc\t%xmm1,%xmm11,%xmm11\n\tvaesenc\t%xmm1,%xmm12,%xmm12\n\n\tvmovdqa\t64(%rdx),%xmm2\n\tvaesenc\t%xmm2,%xmm9,%xmm9\n\tvaesenc\t%xmm2,%xmm10,%xmm10\n\tvaesenc\t%xmm2,%xmm11,%xmm11\n\tvaesenc\t%xmm2,%xmm12,%xmm12\n\n\tvmovdqa\t80(%rdx),%xmm1\n\tvaesenc\t%xmm1,%xmm9,%xmm9\n\tvaesenc\t%xmm1,%xmm10,%xmm10\n\tvaesenc\t%xmm1,%xmm11,%xmm11\n\tvaesenc\t%xmm1,%xmm12,%xmm12\n\n\tvmovdqa\t96(%rdx),%xmm2\n\tvaesenc\t%xmm2,%xmm9,%xmm9\n\tvaesenc\t%xmm2,%xmm10,%xmm10\n\tvaesenc\t%xmm2,%xmm11,%xmm11\n\tvaesenc\t%xmm2,%xmm12,%xmm12\n\n\tvmovdqa\t112(%rdx),%xmm1\n\tvaesenc\t%xmm1,%xmm9,%xmm9\n\tvaesenc\t%xmm1,%xmm10,%xmm10\n\tvaesenc\t%xmm1,%xmm11,%xmm11\n\tvaesenc\t%xmm1,%xmm12,%xmm12\n\n\tvmovdqa\t128(%rdx),%xmm2\n\tvaesenc\t%xmm2,%xmm9,%xmm9\n\tvaesenc\t%xmm2,%xmm10,%xmm10\n\tvaesenc\t%xmm2,%xmm11,%xmm11\n\tvaesenc\t%xmm2,%xmm12,%xmm12\n\n\tvmovdqa\t144(%rdx),%xmm1\n\tvaesenc\t%xmm1,%xmm9,%xmm9\n\tvaesenc\t%xmm1,%xmm10,%xmm10\n\tvaesenc\t%xmm1,%xmm11,%xmm11\n\tvaesenc\t%xmm1,%xmm12,%xmm12\n\n\tvmovdqa\t160(%rdx),%xmm2\n\tvaesenclast\t%xmm2,%xmm9,%xmm9\n\tvaesenclast\t%xmm2,%xmm10,%xmm10\n\tvaesenclast\t%xmm2,%xmm11,%xmm11\n\tvaesenclast\t%xmm2,%xmm12,%xmm12\n\n\n\tvmovdqa\t%xmm9,0(%rsi)\n\tvmovdqa\t%xmm10,16(%rsi)\n\tvmovdqa\t%xmm11,32(%rsi)\n\tvmovdqa\t%xmm12,48(%rsi)\n\tret\n\n\n.globl\t_aes128gcmsiv_enc_msg_x4\n.private_extern _aes128gcmsiv_enc_msg_x4\n\n.p2align\t4\n_aes128gcmsiv_enc_msg_x4:\n\n_CET_ENDBR\n\ttestq\t%r8,%r8\n\tjnz\tL$128_enc_msg_x4_start\n\tret\n\nL$128_enc_msg_x4_start:\n\tpushq\t%r12\n\n\tpushq\t%r13\n\n\n\tshrq\t$4,%r8\n\tmovq\t%r8,%r10\n\tshlq\t$62,%r10\n\tshrq\t$62,%r10\n\n\n\tvmovdqa\t(%rdx),%xmm15\n\tvpor\tOR_MASK(%rip),%xmm15,%xmm15\n\n\tvmovdqu\tfour(%rip),%xmm4\n\tvmovdqa\t%xmm15,%xmm0\n\tvpaddd\tone(%rip),%xmm15,%xmm1\n\tvpaddd\ttwo(%rip),%xmm15,%xmm2\n\tvpaddd\tthree(%rip),%xmm15,%xmm3\n\n\tshrq\t$2,%r8\n\tje\tL$128_enc_msg_x4_check_remainder\n\n\tsubq\t$64,%rsi\n\tsubq\t$64,%rdi\n\nL$128_enc_msg_x4_loop1:\n\taddq\t$64,%rsi\n\taddq\t$64,%rdi\n\n\tvmovdqa\t%xmm0,%xmm5\n\tvmovdqa\t%xmm1,%xmm6\n\tvmovdqa\t%xmm2,%xmm7\n\tvmovdqa\t%xmm3,%xmm8\n\n\tvpxor\t(%rcx),%xmm5,%xmm5\n\tvpxor\t(%rcx),%xmm6,%xmm6\n\tvpxor\t(%rcx),%xmm7,%xmm7\n\tvpxor\t(%rcx),%xmm8,%xmm8\n\n\tvmovdqu\t16(%rcx),%xmm12\n\tvaesenc\t%xmm12,%xmm5,%xmm5\n\tvaesenc\t%xmm12,%xmm6,%xmm6\n\tvaesenc\t%xmm12,%xmm7,%xmm7\n\tvaesenc\t%xmm12,%xmm8,%xmm8\n\n\tvpaddd\t%xmm4,%xmm0,%xmm0\n\tvmovdqu\t32(%rcx),%xmm12\n\tvaesenc\t%xmm12,%xmm5,%xmm5\n\tvaesenc\t%xmm12,%xmm6,%xmm6\n\tvaesenc\t%xmm12,%xmm7,%xmm7\n\tvaesenc\t%xmm12,%xmm8,%xmm8\n\n\tvpaddd\t%xmm4,%xmm1,%xmm1\n\tvmovdqu\t48(%rcx),%xmm12\n\tvaesenc\t%xmm12,%xmm5,%xmm5\n\tvaesenc\t%xmm12,%xmm6,%xmm6\n\tvaesenc\t%xmm12,%xmm7,%xmm7\n\tvaesenc\t%xmm12,%xmm8,%xmm8\n\n\tvpaddd\t%xmm4,%xmm2,%xmm2\n\tvmovdqu\t64(%rcx),%xmm12\n\tvaesenc\t%xmm12,%xmm5,%xmm5\n\tvaesenc\t%xmm12,%xmm6,%xmm6\n\tvaesenc\t%xmm12,%xmm7,%xmm7\n\tvaesenc\t%xmm12,%xmm8,%xmm8\n\n\tvpaddd\t%xmm4,%xmm3,%xmm3\n\n\tvmovdqu\t80(%rcx),%xmm12\n\tvaesenc\t%xmm12,%xmm5,%xmm5\n\tvaesenc\t%xmm12,%xmm6,%xmm6\n\tvaesenc\t%xmm12,%xmm7,%xmm7\n\tvaesenc\t%xmm12,%xmm8,%xmm8\n\n\tvmovdqu\t96(%rcx),%xmm12\n\tvaesenc\t%xmm12,%xmm5,%xmm5\n\tvaesenc\t%xmm12,%xmm6,%xmm6\n\tvaesenc\t%xmm12,%xmm7,%xmm7\n\tvaesenc\t%xmm12,%xmm8,%xmm8\n\n\tvmovdqu\t112(%rcx),%xmm12\n\tvaesenc\t%xmm12,%xmm5,%xmm5\n\tvaesenc\t%xmm12,%xmm6,%xmm6\n\tvaesenc\t%xmm12,%xmm7,%xmm7\n\tvaesenc\t%xmm12,%xmm8,%xmm8\n\n\tvmovdqu\t128(%rcx),%xmm12\n\tvaesenc\t%xmm12,%xmm5,%xmm5\n\tvaesenc\t%xmm12,%xmm6,%xmm6\n\tvaesenc\t%xmm12,%xmm7,%xmm7\n\tvaesenc\t%xmm12,%xmm8,%xmm8\n\n\tvmovdqu\t144(%rcx),%xmm12\n\tvaesenc\t%xmm12,%xmm5,%xmm5\n\tvaesenc\t%xmm12,%xmm6,%xmm6\n\tvaesenc\t%xmm12,%xmm7,%xmm7\n\tvaesenc\t%xmm12,%xmm8,%xmm8\n\n\tvmovdqu\t160(%rcx),%xmm12\n\tvaesenclast\t%xmm12,%xmm5,%xmm5\n\tvaesenclast\t%xmm12,%xmm6,%xmm6\n\tvaesenclast\t%xmm12,%xmm7,%xmm7\n\tvaesenclast\t%xmm12,%xmm8,%xmm8\n\n\n\n\tvpxor\t0(%rdi),%xmm5,%xmm5\n\tvpxor\t16(%rdi),%xmm6,%xmm6\n\tvpxor\t32(%rdi),%xmm7,%xmm7\n\tvpxor\t48(%rdi),%xmm8,%xmm8\n\n\tsubq\t$1,%r8\n\n\tvmovdqu\t%xmm5,0(%rsi)\n\tvmovdqu\t%xmm6,16(%rsi)\n\tvmovdqu\t%xmm7,32(%rsi)\n\tvmovdqu\t%xmm8,48(%rsi)\n\n\tjne\tL$128_enc_msg_x4_loop1\n\n\taddq\t$64,%rsi\n\taddq\t$64,%rdi\n\nL$128_enc_msg_x4_check_remainder:\n\tcmpq\t$0,%r10\n\tje\tL$128_enc_msg_x4_out\n\nL$128_enc_msg_x4_loop2:\n\n\n\tvmovdqa\t%xmm0,%xmm5\n\tvpaddd\tone(%rip),%xmm0,%xmm0\n\n\tvpxor\t(%rcx),%xmm5,%xmm5\n\tvaesenc\t16(%rcx),%xmm5,%xmm5\n\tvaesenc\t32(%rcx),%xmm5,%xmm5\n\tvaesenc\t48(%rcx),%xmm5,%xmm5\n\tvaesenc\t64(%rcx),%xmm5,%xmm5\n\tvaesenc\t80(%rcx),%xmm5,%xmm5\n\tvaesenc\t96(%rcx),%xmm5,%xmm5\n\tvaesenc\t112(%rcx),%xmm5,%xmm5\n\tvaesenc\t128(%rcx),%xmm5,%xmm5\n\tvaesenc\t144(%rcx),%xmm5,%xmm5\n\tvaesenclast\t160(%rcx),%xmm5,%xmm5\n\n\n\tvpxor\t(%rdi),%xmm5,%xmm5\n\tvmovdqu\t%xmm5,(%rsi)\n\n\taddq\t$16,%rdi\n\taddq\t$16,%rsi\n\n\tsubq\t$1,%r10\n\tjne\tL$128_enc_msg_x4_loop2\n\nL$128_enc_msg_x4_out:\n\tpopq\t%r13\n\n\tpopq\t%r12\n\n\tret\n\n\n.globl\t_aes128gcmsiv_enc_msg_x8\n.private_extern _aes128gcmsiv_enc_msg_x8\n\n.p2align\t4\n_aes128gcmsiv_enc_msg_x8:\n\n_CET_ENDBR\n\ttestq\t%r8,%r8\n\tjnz\tL$128_enc_msg_x8_start\n\tret\n\nL$128_enc_msg_x8_start:\n\tpushq\t%r12\n\n\tpushq\t%r13\n\n\tpushq\t%rbp\n\n\tmovq\t%rsp,%rbp\n\n\n\n\tsubq\t$128,%rsp\n\tandq\t$-64,%rsp\n\n\tshrq\t$4,%r8\n\tmovq\t%r8,%r10\n\tshlq\t$61,%r10\n\tshrq\t$61,%r10\n\n\n\tvmovdqu\t(%rdx),%xmm1\n\tvpor\tOR_MASK(%rip),%xmm1,%xmm1\n\n\n\tvpaddd\tseven(%rip),%xmm1,%xmm0\n\tvmovdqu\t%xmm0,(%rsp)\n\tvpaddd\tone(%rip),%xmm1,%xmm9\n\tvpaddd\ttwo(%rip),%xmm1,%xmm10\n\tvpaddd\tthree(%rip),%xmm1,%xmm11\n\tvpaddd\tfour(%rip),%xmm1,%xmm12\n\tvpaddd\tfive(%rip),%xmm1,%xmm13\n\tvpaddd\tsix(%rip),%xmm1,%xmm14\n\tvmovdqa\t%xmm1,%xmm0\n\n\tshrq\t$3,%r8\n\tje\tL$128_enc_msg_x8_check_remainder\n\n\tsubq\t$128,%rsi\n\tsubq\t$128,%rdi\n\nL$128_enc_msg_x8_loop1:\n\taddq\t$128,%rsi\n\taddq\t$128,%rdi\n\n\tvmovdqa\t%xmm0,%xmm1\n\tvmovdqa\t%xmm9,%xmm2\n\tvmovdqa\t%xmm10,%xmm3\n\tvmovdqa\t%xmm11,%xmm4\n\tvmovdqa\t%xmm12,%xmm5\n\tvmovdqa\t%xmm13,%xmm6\n\tvmovdqa\t%xmm14,%xmm7\n\n\tvmovdqu\t(%rsp),%xmm8\n\n\tvpxor\t(%rcx),%xmm1,%xmm1\n\tvpxor\t(%rcx),%xmm2,%xmm2\n\tvpxor\t(%rcx),%xmm3,%xmm3\n\tvpxor\t(%rcx),%xmm4,%xmm4\n\tvpxor\t(%rcx),%xmm5,%xmm5\n\tvpxor\t(%rcx),%xmm6,%xmm6\n\tvpxor\t(%rcx),%xmm7,%xmm7\n\tvpxor\t(%rcx),%xmm8,%xmm8\n\n\tvmovdqu\t16(%rcx),%xmm15\n\tvaesenc\t%xmm15,%xmm1,%xmm1\n\tvaesenc\t%xmm15,%xmm2,%xmm2\n\tvaesenc\t%xmm15,%xmm3,%xmm3\n\tvaesenc\t%xmm15,%xmm4,%xmm4\n\tvaesenc\t%xmm15,%xmm5,%xmm5\n\tvaesenc\t%xmm15,%xmm6,%xmm6\n\tvaesenc\t%xmm15,%xmm7,%xmm7\n\tvaesenc\t%xmm15,%xmm8,%xmm8\n\n\tvmovdqu\t(%rsp),%xmm14\n\tvpaddd\teight(%rip),%xmm14,%xmm14\n\tvmovdqu\t%xmm14,(%rsp)\n\tvmovdqu\t32(%rcx),%xmm15\n\tvaesenc\t%xmm15,%xmm1,%xmm1\n\tvaesenc\t%xmm15,%xmm2,%xmm2\n\tvaesenc\t%xmm15,%xmm3,%xmm3\n\tvaesenc\t%xmm15,%xmm4,%xmm4\n\tvaesenc\t%xmm15,%xmm5,%xmm5\n\tvaesenc\t%xmm15,%xmm6,%xmm6\n\tvaesenc\t%xmm15,%xmm7,%xmm7\n\tvaesenc\t%xmm15,%xmm8,%xmm8\n\n\tvpsubd\tone(%rip),%xmm14,%xmm14\n\tvmovdqu\t48(%rcx),%xmm15\n\tvaesenc\t%xmm15,%xmm1,%xmm1\n\tvaesenc\t%xmm15,%xmm2,%xmm2\n\tvaesenc\t%xmm15,%xmm3,%xmm3\n\tvaesenc\t%xmm15,%xmm4,%xmm4\n\tvaesenc\t%xmm15,%xmm5,%xmm5\n\tvaesenc\t%xmm15,%xmm6,%xmm6\n\tvaesenc\t%xmm15,%xmm7,%xmm7\n\tvaesenc\t%xmm15,%xmm8,%xmm8\n\n\tvpaddd\teight(%rip),%xmm0,%xmm0\n\tvmovdqu\t64(%rcx),%xmm15\n\tvaesenc\t%xmm15,%xmm1,%xmm1\n\tvaesenc\t%xmm15,%xmm2,%xmm2\n\tvaesenc\t%xmm15,%xmm3,%xmm3\n\tvaesenc\t%xmm15,%xmm4,%xmm4\n\tvaesenc\t%xmm15,%xmm5,%xmm5\n\tvaesenc\t%xmm15,%xmm6,%xmm6\n\tvaesenc\t%xmm15,%xmm7,%xmm7\n\tvaesenc\t%xmm15,%xmm8,%xmm8\n\n\tvpaddd\teight(%rip),%xmm9,%xmm9\n\tvmovdqu\t80(%rcx),%xmm15\n\tvaesenc\t%xmm15,%xmm1,%xmm1\n\tvaesenc\t%xmm15,%xmm2,%xmm2\n\tvaesenc\t%xmm15,%xmm3,%xmm3\n\tvaesenc\t%xmm15,%xmm4,%xmm4\n\tvaesenc\t%xmm15,%xmm5,%xmm5\n\tvaesenc\t%xmm15,%xmm6,%xmm6\n\tvaesenc\t%xmm15,%xmm7,%xmm7\n\tvaesenc\t%xmm15,%xmm8,%xmm8\n\n\tvpaddd\teight(%rip),%xmm10,%xmm10\n\tvmovdqu\t96(%rcx),%xmm15\n\tvaesenc\t%xmm15,%xmm1,%xmm1\n\tvaesenc\t%xmm15,%xmm2,%xmm2\n\tvaesenc\t%xmm15,%xmm3,%xmm3\n\tvaesenc\t%xmm15,%xmm4,%xmm4\n\tvaesenc\t%xmm15,%xmm5,%xmm5\n\tvaesenc\t%xmm15,%xmm6,%xmm6\n\tvaesenc\t%xmm15,%xmm7,%xmm7\n\tvaesenc\t%xmm15,%xmm8,%xmm8\n\n\tvpaddd\teight(%rip),%xmm11,%xmm11\n\tvmovdqu\t112(%rcx),%xmm15\n\tvaesenc\t%xmm15,%xmm1,%xmm1\n\tvaesenc\t%xmm15,%xmm2,%xmm2\n\tvaesenc\t%xmm15,%xmm3,%xmm3\n\tvaesenc\t%xmm15,%xmm4,%xmm4\n\tvaesenc\t%xmm15,%xmm5,%xmm5\n\tvaesenc\t%xmm15,%xmm6,%xmm6\n\tvaesenc\t%xmm15,%xmm7,%xmm7\n\tvaesenc\t%xmm15,%xmm8,%xmm8\n\n\tvpaddd\teight(%rip),%xmm12,%xmm12\n\tvmovdqu\t128(%rcx),%xmm15\n\tvaesenc\t%xmm15,%xmm1,%xmm1\n\tvaesenc\t%xmm15,%xmm2,%xmm2\n\tvaesenc\t%xmm15,%xmm3,%xmm3\n\tvaesenc\t%xmm15,%xmm4,%xmm4\n\tvaesenc\t%xmm15,%xmm5,%xmm5\n\tvaesenc\t%xmm15,%xmm6,%xmm6\n\tvaesenc\t%xmm15,%xmm7,%xmm7\n\tvaesenc\t%xmm15,%xmm8,%xmm8\n\n\tvpaddd\teight(%rip),%xmm13,%xmm13\n\tvmovdqu\t144(%rcx),%xmm15\n\tvaesenc\t%xmm15,%xmm1,%xmm1\n\tvaesenc\t%xmm15,%xmm2,%xmm2\n\tvaesenc\t%xmm15,%xmm3,%xmm3\n\tvaesenc\t%xmm15,%xmm4,%xmm4\n\tvaesenc\t%xmm15,%xmm5,%xmm5\n\tvaesenc\t%xmm15,%xmm6,%xmm6\n\tvaesenc\t%xmm15,%xmm7,%xmm7\n\tvaesenc\t%xmm15,%xmm8,%xmm8\n\n\tvmovdqu\t160(%rcx),%xmm15\n\tvaesenclast\t%xmm15,%xmm1,%xmm1\n\tvaesenclast\t%xmm15,%xmm2,%xmm2\n\tvaesenclast\t%xmm15,%xmm3,%xmm3\n\tvaesenclast\t%xmm15,%xmm4,%xmm4\n\tvaesenclast\t%xmm15,%xmm5,%xmm5\n\tvaesenclast\t%xmm15,%xmm6,%xmm6\n\tvaesenclast\t%xmm15,%xmm7,%xmm7\n\tvaesenclast\t%xmm15,%xmm8,%xmm8\n\n\n\n\tvpxor\t0(%rdi),%xmm1,%xmm1\n\tvpxor\t16(%rdi),%xmm2,%xmm2\n\tvpxor\t32(%rdi),%xmm3,%xmm3\n\tvpxor\t48(%rdi),%xmm4,%xmm4\n\tvpxor\t64(%rdi),%xmm5,%xmm5\n\tvpxor\t80(%rdi),%xmm6,%xmm6\n\tvpxor\t96(%rdi),%xmm7,%xmm7\n\tvpxor\t112(%rdi),%xmm8,%xmm8\n\n\tdecq\t%r8\n\n\tvmovdqu\t%xmm1,0(%rsi)\n\tvmovdqu\t%xmm2,16(%rsi)\n\tvmovdqu\t%xmm3,32(%rsi)\n\tvmovdqu\t%xmm4,48(%rsi)\n\tvmovdqu\t%xmm5,64(%rsi)\n\tvmovdqu\t%xmm6,80(%rsi)\n\tvmovdqu\t%xmm7,96(%rsi)\n\tvmovdqu\t%xmm8,112(%rsi)\n\n\tjne\tL$128_enc_msg_x8_loop1\n\n\taddq\t$128,%rsi\n\taddq\t$128,%rdi\n\nL$128_enc_msg_x8_check_remainder:\n\tcmpq\t$0,%r10\n\tje\tL$128_enc_msg_x8_out\n\nL$128_enc_msg_x8_loop2:\n\n\n\tvmovdqa\t%xmm0,%xmm1\n\tvpaddd\tone(%rip),%xmm0,%xmm0\n\n\tvpxor\t(%rcx),%xmm1,%xmm1\n\tvaesenc\t16(%rcx),%xmm1,%xmm1\n\tvaesenc\t32(%rcx),%xmm1,%xmm1\n\tvaesenc\t48(%rcx),%xmm1,%xmm1\n\tvaesenc\t64(%rcx),%xmm1,%xmm1\n\tvaesenc\t80(%rcx),%xmm1,%xmm1\n\tvaesenc\t96(%rcx),%xmm1,%xmm1\n\tvaesenc\t112(%rcx),%xmm1,%xmm1\n\tvaesenc\t128(%rcx),%xmm1,%xmm1\n\tvaesenc\t144(%rcx),%xmm1,%xmm1\n\tvaesenclast\t160(%rcx),%xmm1,%xmm1\n\n\n\tvpxor\t(%rdi),%xmm1,%xmm1\n\n\tvmovdqu\t%xmm1,(%rsi)\n\n\taddq\t$16,%rdi\n\taddq\t$16,%rsi\n\n\tdecq\t%r10\n\tjne\tL$128_enc_msg_x8_loop2\n\nL$128_enc_msg_x8_out:\n\tmovq\t%rbp,%rsp\n\n\tpopq\t%rbp\n\n\tpopq\t%r13\n\n\tpopq\t%r12\n\n\tret\n\n\n.globl\t_aes128gcmsiv_dec\n.private_extern _aes128gcmsiv_dec\n\n.p2align\t4\n_aes128gcmsiv_dec:\n\n_CET_ENDBR\n\ttestq\t$~15,%r9\n\tjnz\tL$128_dec_start\n\tret\n\nL$128_dec_start:\n\tvzeroupper\n\tvmovdqa\t(%rdx),%xmm0\n\n\n\tvmovdqu\t16(%rdx),%xmm15\n\tvpor\tOR_MASK(%rip),%xmm15,%xmm15\n\tmovq\t%rdx,%rax\n\n\tleaq\t32(%rax),%rax\n\tleaq\t32(%rcx),%rcx\n\n\tandq\t$~15,%r9\n\n\n\tcmpq\t$96,%r9\n\tjb\tL$128_dec_loop2\n\n\n\tsubq\t$96,%r9\n\tvmovdqa\t%xmm15,%xmm7\n\tvpaddd\tone(%rip),%xmm7,%xmm8\n\tvpaddd\ttwo(%rip),%xmm7,%xmm9\n\tvpaddd\tone(%rip),%xmm9,%xmm10\n\tvpaddd\ttwo(%rip),%xmm9,%xmm11\n\tvpaddd\tone(%rip),%xmm11,%xmm12\n\tvpaddd\ttwo(%rip),%xmm11,%xmm15\n\n\tvpxor\t(%r8),%xmm7,%xmm7\n\tvpxor\t(%r8),%xmm8,%xmm8\n\tvpxor\t(%r8),%xmm9,%xmm9\n\tvpxor\t(%r8),%xmm10,%xmm10\n\tvpxor\t(%r8),%xmm11,%xmm11\n\tvpxor\t(%r8),%xmm12,%xmm12\n\n\tvmovdqu\t16(%r8),%xmm4\n\tvaesenc\t%xmm4,%xmm7,%xmm7\n\tvaesenc\t%xmm4,%xmm8,%xmm8\n\tvaesenc\t%xmm4,%xmm9,%xmm9\n\tvaesenc\t%xmm4,%xmm10,%xmm10\n\tvaesenc\t%xmm4,%xmm11,%xmm11\n\tvaesenc\t%xmm4,%xmm12,%xmm12\n\n\tvmovdqu\t32(%r8),%xmm4\n\tvaesenc\t%xmm4,%xmm7,%xmm7\n\tvaesenc\t%xmm4,%xmm8,%xmm8\n\tvaesenc\t%xmm4,%xmm9,%xmm9\n\tvaesenc\t%xmm4,%xmm10,%xmm10\n\tvaesenc\t%xmm4,%xmm11,%xmm11\n\tvaesenc\t%xmm4,%xmm12,%xmm12\n\n\tvmovdqu\t48(%r8),%xmm4\n\tvaesenc\t%xmm4,%xmm7,%xmm7\n\tvaesenc\t%xmm4,%xmm8,%xmm8\n\tvaesenc\t%xmm4,%xmm9,%xmm9\n\tvaesenc\t%xmm4,%xmm10,%xmm10\n\tvaesenc\t%xmm4,%xmm11,%xmm11\n\tvaesenc\t%xmm4,%xmm12,%xmm12\n\n\tvmovdqu\t64(%r8),%xmm4\n\tvaesenc\t%xmm4,%xmm7,%xmm7\n\tvaesenc\t%xmm4,%xmm8,%xmm8\n\tvaesenc\t%xmm4,%xmm9,%xmm9\n\tvaesenc\t%xmm4,%xmm10,%xmm10\n\tvaesenc\t%xmm4,%xmm11,%xmm11\n\tvaesenc\t%xmm4,%xmm12,%xmm12\n\n\tvmovdqu\t80(%r8),%xmm4\n\tvaesenc\t%xmm4,%xmm7,%xmm7\n\tvaesenc\t%xmm4,%xmm8,%xmm8\n\tvaesenc\t%xmm4,%xmm9,%xmm9\n\tvaesenc\t%xmm4,%xmm10,%xmm10\n\tvaesenc\t%xmm4,%xmm11,%xmm11\n\tvaesenc\t%xmm4,%xmm12,%xmm12\n\n\tvmovdqu\t96(%r8),%xmm4\n\tvaesenc\t%xmm4,%xmm7,%xmm7\n\tvaesenc\t%xmm4,%xmm8,%xmm8\n\tvaesenc\t%xmm4,%xmm9,%xmm9\n\tvaesenc\t%xmm4,%xmm10,%xmm10\n\tvaesenc\t%xmm4,%xmm11,%xmm11\n\tvaesenc\t%xmm4,%xmm12,%xmm12\n\n\tvmovdqu\t112(%r8),%xmm4\n\tvaesenc\t%xmm4,%xmm7,%xmm7\n\tvaesenc\t%xmm4,%xmm8,%xmm8\n\tvaesenc\t%xmm4,%xmm9,%xmm9\n\tvaesenc\t%xmm4,%xmm10,%xmm10\n\tvaesenc\t%xmm4,%xmm11,%xmm11\n\tvaesenc\t%xmm4,%xmm12,%xmm12\n\n\tvmovdqu\t128(%r8),%xmm4\n\tvaesenc\t%xmm4,%xmm7,%xmm7\n\tvaesenc\t%xmm4,%xmm8,%xmm8\n\tvaesenc\t%xmm4,%xmm9,%xmm9\n\tvaesenc\t%xmm4,%xmm10,%xmm10\n\tvaesenc\t%xmm4,%xmm11,%xmm11\n\tvaesenc\t%xmm4,%xmm12,%xmm12\n\n\tvmovdqu\t144(%r8),%xmm4\n\tvaesenc\t%xmm4,%xmm7,%xmm7\n\tvaesenc\t%xmm4,%xmm8,%xmm8\n\tvaesenc\t%xmm4,%xmm9,%xmm9\n\tvaesenc\t%xmm4,%xmm10,%xmm10\n\tvaesenc\t%xmm4,%xmm11,%xmm11\n\tvaesenc\t%xmm4,%xmm12,%xmm12\n\n\tvmovdqu\t160(%r8),%xmm4\n\tvaesenclast\t%xmm4,%xmm7,%xmm7\n\tvaesenclast\t%xmm4,%xmm8,%xmm8\n\tvaesenclast\t%xmm4,%xmm9,%xmm9\n\tvaesenclast\t%xmm4,%xmm10,%xmm10\n\tvaesenclast\t%xmm4,%xmm11,%xmm11\n\tvaesenclast\t%xmm4,%xmm12,%xmm12\n\n\n\tvpxor\t0(%rdi),%xmm7,%xmm7\n\tvpxor\t16(%rdi),%xmm8,%xmm8\n\tvpxor\t32(%rdi),%xmm9,%xmm9\n\tvpxor\t48(%rdi),%xmm10,%xmm10\n\tvpxor\t64(%rdi),%xmm11,%xmm11\n\tvpxor\t80(%rdi),%xmm12,%xmm12\n\n\tvmovdqu\t%xmm7,0(%rsi)\n\tvmovdqu\t%xmm8,16(%rsi)\n\tvmovdqu\t%xmm9,32(%rsi)\n\tvmovdqu\t%xmm10,48(%rsi)\n\tvmovdqu\t%xmm11,64(%rsi)\n\tvmovdqu\t%xmm12,80(%rsi)\n\n\taddq\t$96,%rdi\n\taddq\t$96,%rsi\n\tjmp\tL$128_dec_loop1\n\n\n.p2align\t6\nL$128_dec_loop1:\n\tcmpq\t$96,%r9\n\tjb\tL$128_dec_finish_96\n\tsubq\t$96,%r9\n\n\tvmovdqa\t%xmm12,%xmm6\n\tvmovdqa\t%xmm11,16-32(%rax)\n\tvmovdqa\t%xmm10,32-32(%rax)\n\tvmovdqa\t%xmm9,48-32(%rax)\n\tvmovdqa\t%xmm8,64-32(%rax)\n\tvmovdqa\t%xmm7,80-32(%rax)\n\n\tvmovdqa\t%xmm15,%xmm7\n\tvpaddd\tone(%rip),%xmm7,%xmm8\n\tvpaddd\ttwo(%rip),%xmm7,%xmm9\n\tvpaddd\tone(%rip),%xmm9,%xmm10\n\tvpaddd\ttwo(%rip),%xmm9,%xmm11\n\tvpaddd\tone(%rip),%xmm11,%xmm12\n\tvpaddd\ttwo(%rip),%xmm11,%xmm15\n\n\tvmovdqa\t(%r8),%xmm4\n\tvpxor\t%xmm4,%xmm7,%xmm7\n\tvpxor\t%xmm4,%xmm8,%xmm8\n\tvpxor\t%xmm4,%xmm9,%xmm9\n\tvpxor\t%xmm4,%xmm10,%xmm10\n\tvpxor\t%xmm4,%xmm11,%xmm11\n\tvpxor\t%xmm4,%xmm12,%xmm12\n\n\tvmovdqu\t0-32(%rcx),%xmm4\n\tvpclmulqdq\t$0x11,%xmm4,%xmm6,%xmm2\n\tvpclmulqdq\t$0x00,%xmm4,%xmm6,%xmm3\n\tvpclmulqdq\t$0x01,%xmm4,%xmm6,%xmm1\n\tvpclmulqdq\t$0x10,%xmm4,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm1,%xmm1\n\n\tvmovdqu\t16(%r8),%xmm4\n\tvaesenc\t%xmm4,%xmm7,%xmm7\n\tvaesenc\t%xmm4,%xmm8,%xmm8\n\tvaesenc\t%xmm4,%xmm9,%xmm9\n\tvaesenc\t%xmm4,%xmm10,%xmm10\n\tvaesenc\t%xmm4,%xmm11,%xmm11\n\tvaesenc\t%xmm4,%xmm12,%xmm12\n\n\tvmovdqu\t-16(%rax),%xmm6\n\tvmovdqu\t-16(%rcx),%xmm13\n\n\tvpclmulqdq\t$0x10,%xmm13,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm1,%xmm1\n\tvpclmulqdq\t$0x11,%xmm13,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm2,%xmm2\n\tvpclmulqdq\t$0x00,%xmm13,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm3,%xmm3\n\tvpclmulqdq\t$0x01,%xmm13,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm1,%xmm1\n\n\n\tvmovdqu\t32(%r8),%xmm4\n\tvaesenc\t%xmm4,%xmm7,%xmm7\n\tvaesenc\t%xmm4,%xmm8,%xmm8\n\tvaesenc\t%xmm4,%xmm9,%xmm9\n\tvaesenc\t%xmm4,%xmm10,%xmm10\n\tvaesenc\t%xmm4,%xmm11,%xmm11\n\tvaesenc\t%xmm4,%xmm12,%xmm12\n\n\tvmovdqu\t0(%rax),%xmm6\n\tvmovdqu\t0(%rcx),%xmm13\n\n\tvpclmulqdq\t$0x10,%xmm13,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm1,%xmm1\n\tvpclmulqdq\t$0x11,%xmm13,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm2,%xmm2\n\tvpclmulqdq\t$0x00,%xmm13,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm3,%xmm3\n\tvpclmulqdq\t$0x01,%xmm13,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm1,%xmm1\n\n\n\tvmovdqu\t48(%r8),%xmm4\n\tvaesenc\t%xmm4,%xmm7,%xmm7\n\tvaesenc\t%xmm4,%xmm8,%xmm8\n\tvaesenc\t%xmm4,%xmm9,%xmm9\n\tvaesenc\t%xmm4,%xmm10,%xmm10\n\tvaesenc\t%xmm4,%xmm11,%xmm11\n\tvaesenc\t%xmm4,%xmm12,%xmm12\n\n\tvmovdqu\t16(%rax),%xmm6\n\tvmovdqu\t16(%rcx),%xmm13\n\n\tvpclmulqdq\t$0x10,%xmm13,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm1,%xmm1\n\tvpclmulqdq\t$0x11,%xmm13,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm2,%xmm2\n\tvpclmulqdq\t$0x00,%xmm13,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm3,%xmm3\n\tvpclmulqdq\t$0x01,%xmm13,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm1,%xmm1\n\n\n\tvmovdqu\t64(%r8),%xmm4\n\tvaesenc\t%xmm4,%xmm7,%xmm7\n\tvaesenc\t%xmm4,%xmm8,%xmm8\n\tvaesenc\t%xmm4,%xmm9,%xmm9\n\tvaesenc\t%xmm4,%xmm10,%xmm10\n\tvaesenc\t%xmm4,%xmm11,%xmm11\n\tvaesenc\t%xmm4,%xmm12,%xmm12\n\n\tvmovdqu\t32(%rax),%xmm6\n\tvmovdqu\t32(%rcx),%xmm13\n\n\tvpclmulqdq\t$0x10,%xmm13,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm1,%xmm1\n\tvpclmulqdq\t$0x11,%xmm13,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm2,%xmm2\n\tvpclmulqdq\t$0x00,%xmm13,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm3,%xmm3\n\tvpclmulqdq\t$0x01,%xmm13,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm1,%xmm1\n\n\n\tvmovdqu\t80(%r8),%xmm4\n\tvaesenc\t%xmm4,%xmm7,%xmm7\n\tvaesenc\t%xmm4,%xmm8,%xmm8\n\tvaesenc\t%xmm4,%xmm9,%xmm9\n\tvaesenc\t%xmm4,%xmm10,%xmm10\n\tvaesenc\t%xmm4,%xmm11,%xmm11\n\tvaesenc\t%xmm4,%xmm12,%xmm12\n\n\tvmovdqu\t96(%r8),%xmm4\n\tvaesenc\t%xmm4,%xmm7,%xmm7\n\tvaesenc\t%xmm4,%xmm8,%xmm8\n\tvaesenc\t%xmm4,%xmm9,%xmm9\n\tvaesenc\t%xmm4,%xmm10,%xmm10\n\tvaesenc\t%xmm4,%xmm11,%xmm11\n\tvaesenc\t%xmm4,%xmm12,%xmm12\n\n\tvmovdqu\t112(%r8),%xmm4\n\tvaesenc\t%xmm4,%xmm7,%xmm7\n\tvaesenc\t%xmm4,%xmm8,%xmm8\n\tvaesenc\t%xmm4,%xmm9,%xmm9\n\tvaesenc\t%xmm4,%xmm10,%xmm10\n\tvaesenc\t%xmm4,%xmm11,%xmm11\n\tvaesenc\t%xmm4,%xmm12,%xmm12\n\n\n\tvmovdqa\t80-32(%rax),%xmm6\n\tvpxor\t%xmm0,%xmm6,%xmm6\n\tvmovdqu\t80-32(%rcx),%xmm5\n\n\tvpclmulqdq\t$0x01,%xmm5,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm1,%xmm1\n\tvpclmulqdq\t$0x11,%xmm5,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm2,%xmm2\n\tvpclmulqdq\t$0x00,%xmm5,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm3,%xmm3\n\tvpclmulqdq\t$0x10,%xmm5,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm1,%xmm1\n\n\tvmovdqu\t128(%r8),%xmm4\n\tvaesenc\t%xmm4,%xmm7,%xmm7\n\tvaesenc\t%xmm4,%xmm8,%xmm8\n\tvaesenc\t%xmm4,%xmm9,%xmm9\n\tvaesenc\t%xmm4,%xmm10,%xmm10\n\tvaesenc\t%xmm4,%xmm11,%xmm11\n\tvaesenc\t%xmm4,%xmm12,%xmm12\n\n\n\tvpsrldq\t$8,%xmm1,%xmm4\n\tvpxor\t%xmm4,%xmm2,%xmm5\n\tvpslldq\t$8,%xmm1,%xmm4\n\tvpxor\t%xmm4,%xmm3,%xmm0\n\n\tvmovdqa\tpoly(%rip),%xmm3\n\n\tvmovdqu\t144(%r8),%xmm4\n\tvaesenc\t%xmm4,%xmm7,%xmm7\n\tvaesenc\t%xmm4,%xmm8,%xmm8\n\tvaesenc\t%xmm4,%xmm9,%xmm9\n\tvaesenc\t%xmm4,%xmm10,%xmm10\n\tvaesenc\t%xmm4,%xmm11,%xmm11\n\tvaesenc\t%xmm4,%xmm12,%xmm12\n\n\tvmovdqu\t160(%r8),%xmm6\n\tvpalignr\t$8,%xmm0,%xmm0,%xmm2\n\tvpclmulqdq\t$0x10,%xmm3,%xmm0,%xmm0\n\tvpxor\t%xmm0,%xmm2,%xmm0\n\n\tvpxor\t0(%rdi),%xmm6,%xmm4\n\tvaesenclast\t%xmm4,%xmm7,%xmm7\n\tvpxor\t16(%rdi),%xmm6,%xmm4\n\tvaesenclast\t%xmm4,%xmm8,%xmm8\n\tvpxor\t32(%rdi),%xmm6,%xmm4\n\tvaesenclast\t%xmm4,%xmm9,%xmm9\n\tvpxor\t48(%rdi),%xmm6,%xmm4\n\tvaesenclast\t%xmm4,%xmm10,%xmm10\n\tvpxor\t64(%rdi),%xmm6,%xmm4\n\tvaesenclast\t%xmm4,%xmm11,%xmm11\n\tvpxor\t80(%rdi),%xmm6,%xmm4\n\tvaesenclast\t%xmm4,%xmm12,%xmm12\n\n\tvpalignr\t$8,%xmm0,%xmm0,%xmm2\n\tvpclmulqdq\t$0x10,%xmm3,%xmm0,%xmm0\n\tvpxor\t%xmm0,%xmm2,%xmm0\n\n\tvmovdqu\t%xmm7,0(%rsi)\n\tvmovdqu\t%xmm8,16(%rsi)\n\tvmovdqu\t%xmm9,32(%rsi)\n\tvmovdqu\t%xmm10,48(%rsi)\n\tvmovdqu\t%xmm11,64(%rsi)\n\tvmovdqu\t%xmm12,80(%rsi)\n\n\tvpxor\t%xmm5,%xmm0,%xmm0\n\n\tleaq\t96(%rdi),%rdi\n\tleaq\t96(%rsi),%rsi\n\tjmp\tL$128_dec_loop1\n\nL$128_dec_finish_96:\n\tvmovdqa\t%xmm12,%xmm6\n\tvmovdqa\t%xmm11,16-32(%rax)\n\tvmovdqa\t%xmm10,32-32(%rax)\n\tvmovdqa\t%xmm9,48-32(%rax)\n\tvmovdqa\t%xmm8,64-32(%rax)\n\tvmovdqa\t%xmm7,80-32(%rax)\n\n\tvmovdqu\t0-32(%rcx),%xmm4\n\tvpclmulqdq\t$0x10,%xmm4,%xmm6,%xmm1\n\tvpclmulqdq\t$0x11,%xmm4,%xmm6,%xmm2\n\tvpclmulqdq\t$0x00,%xmm4,%xmm6,%xmm3\n\tvpclmulqdq\t$0x01,%xmm4,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm1,%xmm1\n\n\tvmovdqu\t-16(%rax),%xmm6\n\tvmovdqu\t-16(%rcx),%xmm13\n\n\tvpclmulqdq\t$0x10,%xmm13,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm1,%xmm1\n\tvpclmulqdq\t$0x11,%xmm13,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm2,%xmm2\n\tvpclmulqdq\t$0x00,%xmm13,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm3,%xmm3\n\tvpclmulqdq\t$0x01,%xmm13,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm1,%xmm1\n\n\tvmovdqu\t0(%rax),%xmm6\n\tvmovdqu\t0(%rcx),%xmm13\n\n\tvpclmulqdq\t$0x10,%xmm13,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm1,%xmm1\n\tvpclmulqdq\t$0x11,%xmm13,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm2,%xmm2\n\tvpclmulqdq\t$0x00,%xmm13,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm3,%xmm3\n\tvpclmulqdq\t$0x01,%xmm13,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm1,%xmm1\n\n\tvmovdqu\t16(%rax),%xmm6\n\tvmovdqu\t16(%rcx),%xmm13\n\n\tvpclmulqdq\t$0x10,%xmm13,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm1,%xmm1\n\tvpclmulqdq\t$0x11,%xmm13,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm2,%xmm2\n\tvpclmulqdq\t$0x00,%xmm13,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm3,%xmm3\n\tvpclmulqdq\t$0x01,%xmm13,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm1,%xmm1\n\n\tvmovdqu\t32(%rax),%xmm6\n\tvmovdqu\t32(%rcx),%xmm13\n\n\tvpclmulqdq\t$0x10,%xmm13,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm1,%xmm1\n\tvpclmulqdq\t$0x11,%xmm13,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm2,%xmm2\n\tvpclmulqdq\t$0x00,%xmm13,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm3,%xmm3\n\tvpclmulqdq\t$0x01,%xmm13,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm1,%xmm1\n\n\n\tvmovdqu\t80-32(%rax),%xmm6\n\tvpxor\t%xmm0,%xmm6,%xmm6\n\tvmovdqu\t80-32(%rcx),%xmm5\n\tvpclmulqdq\t$0x11,%xmm5,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm2,%xmm2\n\tvpclmulqdq\t$0x00,%xmm5,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm3,%xmm3\n\tvpclmulqdq\t$0x10,%xmm5,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm1,%xmm1\n\tvpclmulqdq\t$0x01,%xmm5,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm1,%xmm1\n\n\tvpsrldq\t$8,%xmm1,%xmm4\n\tvpxor\t%xmm4,%xmm2,%xmm5\n\tvpslldq\t$8,%xmm1,%xmm4\n\tvpxor\t%xmm4,%xmm3,%xmm0\n\n\tvmovdqa\tpoly(%rip),%xmm3\n\n\tvpalignr\t$8,%xmm0,%xmm0,%xmm2\n\tvpclmulqdq\t$0x10,%xmm3,%xmm0,%xmm0\n\tvpxor\t%xmm0,%xmm2,%xmm0\n\n\tvpalignr\t$8,%xmm0,%xmm0,%xmm2\n\tvpclmulqdq\t$0x10,%xmm3,%xmm0,%xmm0\n\tvpxor\t%xmm0,%xmm2,%xmm0\n\n\tvpxor\t%xmm5,%xmm0,%xmm0\n\nL$128_dec_loop2:\n\n\n\n\tcmpq\t$16,%r9\n\tjb\tL$128_dec_out\n\tsubq\t$16,%r9\n\n\tvmovdqa\t%xmm15,%xmm2\n\tvpaddd\tone(%rip),%xmm15,%xmm15\n\n\tvpxor\t0(%r8),%xmm2,%xmm2\n\tvaesenc\t16(%r8),%xmm2,%xmm2\n\tvaesenc\t32(%r8),%xmm2,%xmm2\n\tvaesenc\t48(%r8),%xmm2,%xmm2\n\tvaesenc\t64(%r8),%xmm2,%xmm2\n\tvaesenc\t80(%r8),%xmm2,%xmm2\n\tvaesenc\t96(%r8),%xmm2,%xmm2\n\tvaesenc\t112(%r8),%xmm2,%xmm2\n\tvaesenc\t128(%r8),%xmm2,%xmm2\n\tvaesenc\t144(%r8),%xmm2,%xmm2\n\tvaesenclast\t160(%r8),%xmm2,%xmm2\n\tvpxor\t(%rdi),%xmm2,%xmm2\n\tvmovdqu\t%xmm2,(%rsi)\n\taddq\t$16,%rdi\n\taddq\t$16,%rsi\n\n\tvpxor\t%xmm2,%xmm0,%xmm0\n\tvmovdqa\t-32(%rcx),%xmm1\n\tcall\tGFMUL\n\n\tjmp\tL$128_dec_loop2\n\nL$128_dec_out:\n\tvmovdqu\t%xmm0,(%rdx)\n\tret\n\n\n.globl\t_aes128gcmsiv_ecb_enc_block\n.private_extern _aes128gcmsiv_ecb_enc_block\n\n.p2align\t4\n_aes128gcmsiv_ecb_enc_block:\n\n_CET_ENDBR\n\tvmovdqa\t(%rdi),%xmm1\n\n\tvpxor\t(%rdx),%xmm1,%xmm1\n\tvaesenc\t16(%rdx),%xmm1,%xmm1\n\tvaesenc\t32(%rdx),%xmm1,%xmm1\n\tvaesenc\t48(%rdx),%xmm1,%xmm1\n\tvaesenc\t64(%rdx),%xmm1,%xmm1\n\tvaesenc\t80(%rdx),%xmm1,%xmm1\n\tvaesenc\t96(%rdx),%xmm1,%xmm1\n\tvaesenc\t112(%rdx),%xmm1,%xmm1\n\tvaesenc\t128(%rdx),%xmm1,%xmm1\n\tvaesenc\t144(%rdx),%xmm1,%xmm1\n\tvaesenclast\t160(%rdx),%xmm1,%xmm1\n\n\tvmovdqa\t%xmm1,(%rsi)\n\n\tret\n\n\n.globl\t_aes256gcmsiv_aes_ks_enc_x1\n.private_extern _aes256gcmsiv_aes_ks_enc_x1\n\n.p2align\t4\n_aes256gcmsiv_aes_ks_enc_x1:\n\n_CET_ENDBR\n\tvmovdqa\tcon1(%rip),%xmm0\n\tvmovdqa\tmask(%rip),%xmm15\n\tvmovdqa\t(%rdi),%xmm8\n\tvmovdqa\t(%rcx),%xmm1\n\tvmovdqa\t16(%rcx),%xmm3\n\tvpxor\t%xmm1,%xmm8,%xmm8\n\tvaesenc\t%xmm3,%xmm8,%xmm8\n\tvmovdqu\t%xmm1,(%rdx)\n\tvmovdqu\t%xmm3,16(%rdx)\n\tvpxor\t%xmm14,%xmm14,%xmm14\n\n\tvpshufb\t%xmm15,%xmm3,%xmm2\n\tvaesenclast\t%xmm0,%xmm2,%xmm2\n\tvpslld\t$1,%xmm0,%xmm0\n\tvpslldq\t$4,%xmm1,%xmm4\n\tvpxor\t%xmm4,%xmm1,%xmm1\n\tvpslldq\t$4,%xmm4,%xmm4\n\tvpxor\t%xmm4,%xmm1,%xmm1\n\tvpslldq\t$4,%xmm4,%xmm4\n\tvpxor\t%xmm4,%xmm1,%xmm1\n\tvpxor\t%xmm2,%xmm1,%xmm1\n\tvaesenc\t%xmm1,%xmm8,%xmm8\n\tvmovdqu\t%xmm1,32(%rdx)\n\n\tvpshufd\t$0xff,%xmm1,%xmm2\n\tvaesenclast\t%xmm14,%xmm2,%xmm2\n\tvpslldq\t$4,%xmm3,%xmm4\n\tvpxor\t%xmm4,%xmm3,%xmm3\n\tvpslldq\t$4,%xmm4,%xmm4\n\tvpxor\t%xmm4,%xmm3,%xmm3\n\tvpslldq\t$4,%xmm4,%xmm4\n\tvpxor\t%xmm4,%xmm3,%xmm3\n\tvpxor\t%xmm2,%xmm3,%xmm3\n\tvaesenc\t%xmm3,%xmm8,%xmm8\n\tvmovdqu\t%xmm3,48(%rdx)\n\n\tvpshufb\t%xmm15,%xmm3,%xmm2\n\tvaesenclast\t%xmm0,%xmm2,%xmm2\n\tvpslld\t$1,%xmm0,%xmm0\n\tvpslldq\t$4,%xmm1,%xmm4\n\tvpxor\t%xmm4,%xmm1,%xmm1\n\tvpslldq\t$4,%xmm4,%xmm4\n\tvpxor\t%xmm4,%xmm1,%xmm1\n\tvpslldq\t$4,%xmm4,%xmm4\n\tvpxor\t%xmm4,%xmm1,%xmm1\n\tvpxor\t%xmm2,%xmm1,%xmm1\n\tvaesenc\t%xmm1,%xmm8,%xmm8\n\tvmovdqu\t%xmm1,64(%rdx)\n\n\tvpshufd\t$0xff,%xmm1,%xmm2\n\tvaesenclast\t%xmm14,%xmm2,%xmm2\n\tvpslldq\t$4,%xmm3,%xmm4\n\tvpxor\t%xmm4,%xmm3,%xmm3\n\tvpslldq\t$4,%xmm4,%xmm4\n\tvpxor\t%xmm4,%xmm3,%xmm3\n\tvpslldq\t$4,%xmm4,%xmm4\n\tvpxor\t%xmm4,%xmm3,%xmm3\n\tvpxor\t%xmm2,%xmm3,%xmm3\n\tvaesenc\t%xmm3,%xmm8,%xmm8\n\tvmovdqu\t%xmm3,80(%rdx)\n\n\tvpshufb\t%xmm15,%xmm3,%xmm2\n\tvaesenclast\t%xmm0,%xmm2,%xmm2\n\tvpslld\t$1,%xmm0,%xmm0\n\tvpslldq\t$4,%xmm1,%xmm4\n\tvpxor\t%xmm4,%xmm1,%xmm1\n\tvpslldq\t$4,%xmm4,%xmm4\n\tvpxor\t%xmm4,%xmm1,%xmm1\n\tvpslldq\t$4,%xmm4,%xmm4\n\tvpxor\t%xmm4,%xmm1,%xmm1\n\tvpxor\t%xmm2,%xmm1,%xmm1\n\tvaesenc\t%xmm1,%xmm8,%xmm8\n\tvmovdqu\t%xmm1,96(%rdx)\n\n\tvpshufd\t$0xff,%xmm1,%xmm2\n\tvaesenclast\t%xmm14,%xmm2,%xmm2\n\tvpslldq\t$4,%xmm3,%xmm4\n\tvpxor\t%xmm4,%xmm3,%xmm3\n\tvpslldq\t$4,%xmm4,%xmm4\n\tvpxor\t%xmm4,%xmm3,%xmm3\n\tvpslldq\t$4,%xmm4,%xmm4\n\tvpxor\t%xmm4,%xmm3,%xmm3\n\tvpxor\t%xmm2,%xmm3,%xmm3\n\tvaesenc\t%xmm3,%xmm8,%xmm8\n\tvmovdqu\t%xmm3,112(%rdx)\n\n\tvpshufb\t%xmm15,%xmm3,%xmm2\n\tvaesenclast\t%xmm0,%xmm2,%xmm2\n\tvpslld\t$1,%xmm0,%xmm0\n\tvpslldq\t$4,%xmm1,%xmm4\n\tvpxor\t%xmm4,%xmm1,%xmm1\n\tvpslldq\t$4,%xmm4,%xmm4\n\tvpxor\t%xmm4,%xmm1,%xmm1\n\tvpslldq\t$4,%xmm4,%xmm4\n\tvpxor\t%xmm4,%xmm1,%xmm1\n\tvpxor\t%xmm2,%xmm1,%xmm1\n\tvaesenc\t%xmm1,%xmm8,%xmm8\n\tvmovdqu\t%xmm1,128(%rdx)\n\n\tvpshufd\t$0xff,%xmm1,%xmm2\n\tvaesenclast\t%xmm14,%xmm2,%xmm2\n\tvpslldq\t$4,%xmm3,%xmm4\n\tvpxor\t%xmm4,%xmm3,%xmm3\n\tvpslldq\t$4,%xmm4,%xmm4\n\tvpxor\t%xmm4,%xmm3,%xmm3\n\tvpslldq\t$4,%xmm4,%xmm4\n\tvpxor\t%xmm4,%xmm3,%xmm3\n\tvpxor\t%xmm2,%xmm3,%xmm3\n\tvaesenc\t%xmm3,%xmm8,%xmm8\n\tvmovdqu\t%xmm3,144(%rdx)\n\n\tvpshufb\t%xmm15,%xmm3,%xmm2\n\tvaesenclast\t%xmm0,%xmm2,%xmm2\n\tvpslld\t$1,%xmm0,%xmm0\n\tvpslldq\t$4,%xmm1,%xmm4\n\tvpxor\t%xmm4,%xmm1,%xmm1\n\tvpslldq\t$4,%xmm4,%xmm4\n\tvpxor\t%xmm4,%xmm1,%xmm1\n\tvpslldq\t$4,%xmm4,%xmm4\n\tvpxor\t%xmm4,%xmm1,%xmm1\n\tvpxor\t%xmm2,%xmm1,%xmm1\n\tvaesenc\t%xmm1,%xmm8,%xmm8\n\tvmovdqu\t%xmm1,160(%rdx)\n\n\tvpshufd\t$0xff,%xmm1,%xmm2\n\tvaesenclast\t%xmm14,%xmm2,%xmm2\n\tvpslldq\t$4,%xmm3,%xmm4\n\tvpxor\t%xmm4,%xmm3,%xmm3\n\tvpslldq\t$4,%xmm4,%xmm4\n\tvpxor\t%xmm4,%xmm3,%xmm3\n\tvpslldq\t$4,%xmm4,%xmm4\n\tvpxor\t%xmm4,%xmm3,%xmm3\n\tvpxor\t%xmm2,%xmm3,%xmm3\n\tvaesenc\t%xmm3,%xmm8,%xmm8\n\tvmovdqu\t%xmm3,176(%rdx)\n\n\tvpshufb\t%xmm15,%xmm3,%xmm2\n\tvaesenclast\t%xmm0,%xmm2,%xmm2\n\tvpslld\t$1,%xmm0,%xmm0\n\tvpslldq\t$4,%xmm1,%xmm4\n\tvpxor\t%xmm4,%xmm1,%xmm1\n\tvpslldq\t$4,%xmm4,%xmm4\n\tvpxor\t%xmm4,%xmm1,%xmm1\n\tvpslldq\t$4,%xmm4,%xmm4\n\tvpxor\t%xmm4,%xmm1,%xmm1\n\tvpxor\t%xmm2,%xmm1,%xmm1\n\tvaesenc\t%xmm1,%xmm8,%xmm8\n\tvmovdqu\t%xmm1,192(%rdx)\n\n\tvpshufd\t$0xff,%xmm1,%xmm2\n\tvaesenclast\t%xmm14,%xmm2,%xmm2\n\tvpslldq\t$4,%xmm3,%xmm4\n\tvpxor\t%xmm4,%xmm3,%xmm3\n\tvpslldq\t$4,%xmm4,%xmm4\n\tvpxor\t%xmm4,%xmm3,%xmm3\n\tvpslldq\t$4,%xmm4,%xmm4\n\tvpxor\t%xmm4,%xmm3,%xmm3\n\tvpxor\t%xmm2,%xmm3,%xmm3\n\tvaesenc\t%xmm3,%xmm8,%xmm8\n\tvmovdqu\t%xmm3,208(%rdx)\n\n\tvpshufb\t%xmm15,%xmm3,%xmm2\n\tvaesenclast\t%xmm0,%xmm2,%xmm2\n\tvpslldq\t$4,%xmm1,%xmm4\n\tvpxor\t%xmm4,%xmm1,%xmm1\n\tvpslldq\t$4,%xmm4,%xmm4\n\tvpxor\t%xmm4,%xmm1,%xmm1\n\tvpslldq\t$4,%xmm4,%xmm4\n\tvpxor\t%xmm4,%xmm1,%xmm1\n\tvpxor\t%xmm2,%xmm1,%xmm1\n\tvaesenclast\t%xmm1,%xmm8,%xmm8\n\tvmovdqu\t%xmm1,224(%rdx)\n\n\tvmovdqa\t%xmm8,(%rsi)\n\tret\n\n\n.globl\t_aes256gcmsiv_ecb_enc_block\n.private_extern _aes256gcmsiv_ecb_enc_block\n\n.p2align\t4\n_aes256gcmsiv_ecb_enc_block:\n\n_CET_ENDBR\n\tvmovdqa\t(%rdi),%xmm1\n\tvpxor\t(%rdx),%xmm1,%xmm1\n\tvaesenc\t16(%rdx),%xmm1,%xmm1\n\tvaesenc\t32(%rdx),%xmm1,%xmm1\n\tvaesenc\t48(%rdx),%xmm1,%xmm1\n\tvaesenc\t64(%rdx),%xmm1,%xmm1\n\tvaesenc\t80(%rdx),%xmm1,%xmm1\n\tvaesenc\t96(%rdx),%xmm1,%xmm1\n\tvaesenc\t112(%rdx),%xmm1,%xmm1\n\tvaesenc\t128(%rdx),%xmm1,%xmm1\n\tvaesenc\t144(%rdx),%xmm1,%xmm1\n\tvaesenc\t160(%rdx),%xmm1,%xmm1\n\tvaesenc\t176(%rdx),%xmm1,%xmm1\n\tvaesenc\t192(%rdx),%xmm1,%xmm1\n\tvaesenc\t208(%rdx),%xmm1,%xmm1\n\tvaesenclast\t224(%rdx),%xmm1,%xmm1\n\tvmovdqa\t%xmm1,(%rsi)\n\tret\n\n\n.globl\t_aes256gcmsiv_enc_msg_x4\n.private_extern _aes256gcmsiv_enc_msg_x4\n\n.p2align\t4\n_aes256gcmsiv_enc_msg_x4:\n\n_CET_ENDBR\n\ttestq\t%r8,%r8\n\tjnz\tL$256_enc_msg_x4_start\n\tret\n\nL$256_enc_msg_x4_start:\n\tmovq\t%r8,%r10\n\tshrq\t$4,%r8\n\tshlq\t$60,%r10\n\tjz\tL$256_enc_msg_x4_start2\n\taddq\t$1,%r8\n\nL$256_enc_msg_x4_start2:\n\tmovq\t%r8,%r10\n\tshlq\t$62,%r10\n\tshrq\t$62,%r10\n\n\n\tvmovdqa\t(%rdx),%xmm15\n\tvpor\tOR_MASK(%rip),%xmm15,%xmm15\n\n\tvmovdqa\tfour(%rip),%xmm4\n\tvmovdqa\t%xmm15,%xmm0\n\tvpaddd\tone(%rip),%xmm15,%xmm1\n\tvpaddd\ttwo(%rip),%xmm15,%xmm2\n\tvpaddd\tthree(%rip),%xmm15,%xmm3\n\n\tshrq\t$2,%r8\n\tje\tL$256_enc_msg_x4_check_remainder\n\n\tsubq\t$64,%rsi\n\tsubq\t$64,%rdi\n\nL$256_enc_msg_x4_loop1:\n\taddq\t$64,%rsi\n\taddq\t$64,%rdi\n\n\tvmovdqa\t%xmm0,%xmm5\n\tvmovdqa\t%xmm1,%xmm6\n\tvmovdqa\t%xmm2,%xmm7\n\tvmovdqa\t%xmm3,%xmm8\n\n\tvpxor\t(%rcx),%xmm5,%xmm5\n\tvpxor\t(%rcx),%xmm6,%xmm6\n\tvpxor\t(%rcx),%xmm7,%xmm7\n\tvpxor\t(%rcx),%xmm8,%xmm8\n\n\tvmovdqu\t16(%rcx),%xmm12\n\tvaesenc\t%xmm12,%xmm5,%xmm5\n\tvaesenc\t%xmm12,%xmm6,%xmm6\n\tvaesenc\t%xmm12,%xmm7,%xmm7\n\tvaesenc\t%xmm12,%xmm8,%xmm8\n\n\tvpaddd\t%xmm4,%xmm0,%xmm0\n\tvmovdqu\t32(%rcx),%xmm12\n\tvaesenc\t%xmm12,%xmm5,%xmm5\n\tvaesenc\t%xmm12,%xmm6,%xmm6\n\tvaesenc\t%xmm12,%xmm7,%xmm7\n\tvaesenc\t%xmm12,%xmm8,%xmm8\n\n\tvpaddd\t%xmm4,%xmm1,%xmm1\n\tvmovdqu\t48(%rcx),%xmm12\n\tvaesenc\t%xmm12,%xmm5,%xmm5\n\tvaesenc\t%xmm12,%xmm6,%xmm6\n\tvaesenc\t%xmm12,%xmm7,%xmm7\n\tvaesenc\t%xmm12,%xmm8,%xmm8\n\n\tvpaddd\t%xmm4,%xmm2,%xmm2\n\tvmovdqu\t64(%rcx),%xmm12\n\tvaesenc\t%xmm12,%xmm5,%xmm5\n\tvaesenc\t%xmm12,%xmm6,%xmm6\n\tvaesenc\t%xmm12,%xmm7,%xmm7\n\tvaesenc\t%xmm12,%xmm8,%xmm8\n\n\tvpaddd\t%xmm4,%xmm3,%xmm3\n\n\tvmovdqu\t80(%rcx),%xmm12\n\tvaesenc\t%xmm12,%xmm5,%xmm5\n\tvaesenc\t%xmm12,%xmm6,%xmm6\n\tvaesenc\t%xmm12,%xmm7,%xmm7\n\tvaesenc\t%xmm12,%xmm8,%xmm8\n\n\tvmovdqu\t96(%rcx),%xmm12\n\tvaesenc\t%xmm12,%xmm5,%xmm5\n\tvaesenc\t%xmm12,%xmm6,%xmm6\n\tvaesenc\t%xmm12,%xmm7,%xmm7\n\tvaesenc\t%xmm12,%xmm8,%xmm8\n\n\tvmovdqu\t112(%rcx),%xmm12\n\tvaesenc\t%xmm12,%xmm5,%xmm5\n\tvaesenc\t%xmm12,%xmm6,%xmm6\n\tvaesenc\t%xmm12,%xmm7,%xmm7\n\tvaesenc\t%xmm12,%xmm8,%xmm8\n\n\tvmovdqu\t128(%rcx),%xmm12\n\tvaesenc\t%xmm12,%xmm5,%xmm5\n\tvaesenc\t%xmm12,%xmm6,%xmm6\n\tvaesenc\t%xmm12,%xmm7,%xmm7\n\tvaesenc\t%xmm12,%xmm8,%xmm8\n\n\tvmovdqu\t144(%rcx),%xmm12\n\tvaesenc\t%xmm12,%xmm5,%xmm5\n\tvaesenc\t%xmm12,%xmm6,%xmm6\n\tvaesenc\t%xmm12,%xmm7,%xmm7\n\tvaesenc\t%xmm12,%xmm8,%xmm8\n\n\tvmovdqu\t160(%rcx),%xmm12\n\tvaesenc\t%xmm12,%xmm5,%xmm5\n\tvaesenc\t%xmm12,%xmm6,%xmm6\n\tvaesenc\t%xmm12,%xmm7,%xmm7\n\tvaesenc\t%xmm12,%xmm8,%xmm8\n\n\tvmovdqu\t176(%rcx),%xmm12\n\tvaesenc\t%xmm12,%xmm5,%xmm5\n\tvaesenc\t%xmm12,%xmm6,%xmm6\n\tvaesenc\t%xmm12,%xmm7,%xmm7\n\tvaesenc\t%xmm12,%xmm8,%xmm8\n\n\tvmovdqu\t192(%rcx),%xmm12\n\tvaesenc\t%xmm12,%xmm5,%xmm5\n\tvaesenc\t%xmm12,%xmm6,%xmm6\n\tvaesenc\t%xmm12,%xmm7,%xmm7\n\tvaesenc\t%xmm12,%xmm8,%xmm8\n\n\tvmovdqu\t208(%rcx),%xmm12\n\tvaesenc\t%xmm12,%xmm5,%xmm5\n\tvaesenc\t%xmm12,%xmm6,%xmm6\n\tvaesenc\t%xmm12,%xmm7,%xmm7\n\tvaesenc\t%xmm12,%xmm8,%xmm8\n\n\tvmovdqu\t224(%rcx),%xmm12\n\tvaesenclast\t%xmm12,%xmm5,%xmm5\n\tvaesenclast\t%xmm12,%xmm6,%xmm6\n\tvaesenclast\t%xmm12,%xmm7,%xmm7\n\tvaesenclast\t%xmm12,%xmm8,%xmm8\n\n\n\n\tvpxor\t0(%rdi),%xmm5,%xmm5\n\tvpxor\t16(%rdi),%xmm6,%xmm6\n\tvpxor\t32(%rdi),%xmm7,%xmm7\n\tvpxor\t48(%rdi),%xmm8,%xmm8\n\n\tsubq\t$1,%r8\n\n\tvmovdqu\t%xmm5,0(%rsi)\n\tvmovdqu\t%xmm6,16(%rsi)\n\tvmovdqu\t%xmm7,32(%rsi)\n\tvmovdqu\t%xmm8,48(%rsi)\n\n\tjne\tL$256_enc_msg_x4_loop1\n\n\taddq\t$64,%rsi\n\taddq\t$64,%rdi\n\nL$256_enc_msg_x4_check_remainder:\n\tcmpq\t$0,%r10\n\tje\tL$256_enc_msg_x4_out\n\nL$256_enc_msg_x4_loop2:\n\n\n\n\tvmovdqa\t%xmm0,%xmm5\n\tvpaddd\tone(%rip),%xmm0,%xmm0\n\tvpxor\t(%rcx),%xmm5,%xmm5\n\tvaesenc\t16(%rcx),%xmm5,%xmm5\n\tvaesenc\t32(%rcx),%xmm5,%xmm5\n\tvaesenc\t48(%rcx),%xmm5,%xmm5\n\tvaesenc\t64(%rcx),%xmm5,%xmm5\n\tvaesenc\t80(%rcx),%xmm5,%xmm5\n\tvaesenc\t96(%rcx),%xmm5,%xmm5\n\tvaesenc\t112(%rcx),%xmm5,%xmm5\n\tvaesenc\t128(%rcx),%xmm5,%xmm5\n\tvaesenc\t144(%rcx),%xmm5,%xmm5\n\tvaesenc\t160(%rcx),%xmm5,%xmm5\n\tvaesenc\t176(%rcx),%xmm5,%xmm5\n\tvaesenc\t192(%rcx),%xmm5,%xmm5\n\tvaesenc\t208(%rcx),%xmm5,%xmm5\n\tvaesenclast\t224(%rcx),%xmm5,%xmm5\n\n\n\tvpxor\t(%rdi),%xmm5,%xmm5\n\n\tvmovdqu\t%xmm5,(%rsi)\n\n\taddq\t$16,%rdi\n\taddq\t$16,%rsi\n\n\tsubq\t$1,%r10\n\tjne\tL$256_enc_msg_x4_loop2\n\nL$256_enc_msg_x4_out:\n\tret\n\n\n.globl\t_aes256gcmsiv_enc_msg_x8\n.private_extern _aes256gcmsiv_enc_msg_x8\n\n.p2align\t4\n_aes256gcmsiv_enc_msg_x8:\n\n_CET_ENDBR\n\ttestq\t%r8,%r8\n\tjnz\tL$256_enc_msg_x8_start\n\tret\n\nL$256_enc_msg_x8_start:\n\n\tmovq\t%rsp,%r11\n\tsubq\t$16,%r11\n\tandq\t$-64,%r11\n\n\tmovq\t%r8,%r10\n\tshrq\t$4,%r8\n\tshlq\t$60,%r10\n\tjz\tL$256_enc_msg_x8_start2\n\taddq\t$1,%r8\n\nL$256_enc_msg_x8_start2:\n\tmovq\t%r8,%r10\n\tshlq\t$61,%r10\n\tshrq\t$61,%r10\n\n\n\tvmovdqa\t(%rdx),%xmm1\n\tvpor\tOR_MASK(%rip),%xmm1,%xmm1\n\n\n\tvpaddd\tseven(%rip),%xmm1,%xmm0\n\tvmovdqa\t%xmm0,(%r11)\n\tvpaddd\tone(%rip),%xmm1,%xmm9\n\tvpaddd\ttwo(%rip),%xmm1,%xmm10\n\tvpaddd\tthree(%rip),%xmm1,%xmm11\n\tvpaddd\tfour(%rip),%xmm1,%xmm12\n\tvpaddd\tfive(%rip),%xmm1,%xmm13\n\tvpaddd\tsix(%rip),%xmm1,%xmm14\n\tvmovdqa\t%xmm1,%xmm0\n\n\tshrq\t$3,%r8\n\tjz\tL$256_enc_msg_x8_check_remainder\n\n\tsubq\t$128,%rsi\n\tsubq\t$128,%rdi\n\nL$256_enc_msg_x8_loop1:\n\taddq\t$128,%rsi\n\taddq\t$128,%rdi\n\n\tvmovdqa\t%xmm0,%xmm1\n\tvmovdqa\t%xmm9,%xmm2\n\tvmovdqa\t%xmm10,%xmm3\n\tvmovdqa\t%xmm11,%xmm4\n\tvmovdqa\t%xmm12,%xmm5\n\tvmovdqa\t%xmm13,%xmm6\n\tvmovdqa\t%xmm14,%xmm7\n\n\tvmovdqa\t(%r11),%xmm8\n\n\tvpxor\t(%rcx),%xmm1,%xmm1\n\tvpxor\t(%rcx),%xmm2,%xmm2\n\tvpxor\t(%rcx),%xmm3,%xmm3\n\tvpxor\t(%rcx),%xmm4,%xmm4\n\tvpxor\t(%rcx),%xmm5,%xmm5\n\tvpxor\t(%rcx),%xmm6,%xmm6\n\tvpxor\t(%rcx),%xmm7,%xmm7\n\tvpxor\t(%rcx),%xmm8,%xmm8\n\n\tvmovdqu\t16(%rcx),%xmm15\n\tvaesenc\t%xmm15,%xmm1,%xmm1\n\tvaesenc\t%xmm15,%xmm2,%xmm2\n\tvaesenc\t%xmm15,%xmm3,%xmm3\n\tvaesenc\t%xmm15,%xmm4,%xmm4\n\tvaesenc\t%xmm15,%xmm5,%xmm5\n\tvaesenc\t%xmm15,%xmm6,%xmm6\n\tvaesenc\t%xmm15,%xmm7,%xmm7\n\tvaesenc\t%xmm15,%xmm8,%xmm8\n\n\tvmovdqa\t(%r11),%xmm14\n\tvpaddd\teight(%rip),%xmm14,%xmm14\n\tvmovdqa\t%xmm14,(%r11)\n\tvmovdqu\t32(%rcx),%xmm15\n\tvaesenc\t%xmm15,%xmm1,%xmm1\n\tvaesenc\t%xmm15,%xmm2,%xmm2\n\tvaesenc\t%xmm15,%xmm3,%xmm3\n\tvaesenc\t%xmm15,%xmm4,%xmm4\n\tvaesenc\t%xmm15,%xmm5,%xmm5\n\tvaesenc\t%xmm15,%xmm6,%xmm6\n\tvaesenc\t%xmm15,%xmm7,%xmm7\n\tvaesenc\t%xmm15,%xmm8,%xmm8\n\n\tvpsubd\tone(%rip),%xmm14,%xmm14\n\tvmovdqu\t48(%rcx),%xmm15\n\tvaesenc\t%xmm15,%xmm1,%xmm1\n\tvaesenc\t%xmm15,%xmm2,%xmm2\n\tvaesenc\t%xmm15,%xmm3,%xmm3\n\tvaesenc\t%xmm15,%xmm4,%xmm4\n\tvaesenc\t%xmm15,%xmm5,%xmm5\n\tvaesenc\t%xmm15,%xmm6,%xmm6\n\tvaesenc\t%xmm15,%xmm7,%xmm7\n\tvaesenc\t%xmm15,%xmm8,%xmm8\n\n\tvpaddd\teight(%rip),%xmm0,%xmm0\n\tvmovdqu\t64(%rcx),%xmm15\n\tvaesenc\t%xmm15,%xmm1,%xmm1\n\tvaesenc\t%xmm15,%xmm2,%xmm2\n\tvaesenc\t%xmm15,%xmm3,%xmm3\n\tvaesenc\t%xmm15,%xmm4,%xmm4\n\tvaesenc\t%xmm15,%xmm5,%xmm5\n\tvaesenc\t%xmm15,%xmm6,%xmm6\n\tvaesenc\t%xmm15,%xmm7,%xmm7\n\tvaesenc\t%xmm15,%xmm8,%xmm8\n\n\tvpaddd\teight(%rip),%xmm9,%xmm9\n\tvmovdqu\t80(%rcx),%xmm15\n\tvaesenc\t%xmm15,%xmm1,%xmm1\n\tvaesenc\t%xmm15,%xmm2,%xmm2\n\tvaesenc\t%xmm15,%xmm3,%xmm3\n\tvaesenc\t%xmm15,%xmm4,%xmm4\n\tvaesenc\t%xmm15,%xmm5,%xmm5\n\tvaesenc\t%xmm15,%xmm6,%xmm6\n\tvaesenc\t%xmm15,%xmm7,%xmm7\n\tvaesenc\t%xmm15,%xmm8,%xmm8\n\n\tvpaddd\teight(%rip),%xmm10,%xmm10\n\tvmovdqu\t96(%rcx),%xmm15\n\tvaesenc\t%xmm15,%xmm1,%xmm1\n\tvaesenc\t%xmm15,%xmm2,%xmm2\n\tvaesenc\t%xmm15,%xmm3,%xmm3\n\tvaesenc\t%xmm15,%xmm4,%xmm4\n\tvaesenc\t%xmm15,%xmm5,%xmm5\n\tvaesenc\t%xmm15,%xmm6,%xmm6\n\tvaesenc\t%xmm15,%xmm7,%xmm7\n\tvaesenc\t%xmm15,%xmm8,%xmm8\n\n\tvpaddd\teight(%rip),%xmm11,%xmm11\n\tvmovdqu\t112(%rcx),%xmm15\n\tvaesenc\t%xmm15,%xmm1,%xmm1\n\tvaesenc\t%xmm15,%xmm2,%xmm2\n\tvaesenc\t%xmm15,%xmm3,%xmm3\n\tvaesenc\t%xmm15,%xmm4,%xmm4\n\tvaesenc\t%xmm15,%xmm5,%xmm5\n\tvaesenc\t%xmm15,%xmm6,%xmm6\n\tvaesenc\t%xmm15,%xmm7,%xmm7\n\tvaesenc\t%xmm15,%xmm8,%xmm8\n\n\tvpaddd\teight(%rip),%xmm12,%xmm12\n\tvmovdqu\t128(%rcx),%xmm15\n\tvaesenc\t%xmm15,%xmm1,%xmm1\n\tvaesenc\t%xmm15,%xmm2,%xmm2\n\tvaesenc\t%xmm15,%xmm3,%xmm3\n\tvaesenc\t%xmm15,%xmm4,%xmm4\n\tvaesenc\t%xmm15,%xmm5,%xmm5\n\tvaesenc\t%xmm15,%xmm6,%xmm6\n\tvaesenc\t%xmm15,%xmm7,%xmm7\n\tvaesenc\t%xmm15,%xmm8,%xmm8\n\n\tvpaddd\teight(%rip),%xmm13,%xmm13\n\tvmovdqu\t144(%rcx),%xmm15\n\tvaesenc\t%xmm15,%xmm1,%xmm1\n\tvaesenc\t%xmm15,%xmm2,%xmm2\n\tvaesenc\t%xmm15,%xmm3,%xmm3\n\tvaesenc\t%xmm15,%xmm4,%xmm4\n\tvaesenc\t%xmm15,%xmm5,%xmm5\n\tvaesenc\t%xmm15,%xmm6,%xmm6\n\tvaesenc\t%xmm15,%xmm7,%xmm7\n\tvaesenc\t%xmm15,%xmm8,%xmm8\n\n\tvmovdqu\t160(%rcx),%xmm15\n\tvaesenc\t%xmm15,%xmm1,%xmm1\n\tvaesenc\t%xmm15,%xmm2,%xmm2\n\tvaesenc\t%xmm15,%xmm3,%xmm3\n\tvaesenc\t%xmm15,%xmm4,%xmm4\n\tvaesenc\t%xmm15,%xmm5,%xmm5\n\tvaesenc\t%xmm15,%xmm6,%xmm6\n\tvaesenc\t%xmm15,%xmm7,%xmm7\n\tvaesenc\t%xmm15,%xmm8,%xmm8\n\n\tvmovdqu\t176(%rcx),%xmm15\n\tvaesenc\t%xmm15,%xmm1,%xmm1\n\tvaesenc\t%xmm15,%xmm2,%xmm2\n\tvaesenc\t%xmm15,%xmm3,%xmm3\n\tvaesenc\t%xmm15,%xmm4,%xmm4\n\tvaesenc\t%xmm15,%xmm5,%xmm5\n\tvaesenc\t%xmm15,%xmm6,%xmm6\n\tvaesenc\t%xmm15,%xmm7,%xmm7\n\tvaesenc\t%xmm15,%xmm8,%xmm8\n\n\tvmovdqu\t192(%rcx),%xmm15\n\tvaesenc\t%xmm15,%xmm1,%xmm1\n\tvaesenc\t%xmm15,%xmm2,%xmm2\n\tvaesenc\t%xmm15,%xmm3,%xmm3\n\tvaesenc\t%xmm15,%xmm4,%xmm4\n\tvaesenc\t%xmm15,%xmm5,%xmm5\n\tvaesenc\t%xmm15,%xmm6,%xmm6\n\tvaesenc\t%xmm15,%xmm7,%xmm7\n\tvaesenc\t%xmm15,%xmm8,%xmm8\n\n\tvmovdqu\t208(%rcx),%xmm15\n\tvaesenc\t%xmm15,%xmm1,%xmm1\n\tvaesenc\t%xmm15,%xmm2,%xmm2\n\tvaesenc\t%xmm15,%xmm3,%xmm3\n\tvaesenc\t%xmm15,%xmm4,%xmm4\n\tvaesenc\t%xmm15,%xmm5,%xmm5\n\tvaesenc\t%xmm15,%xmm6,%xmm6\n\tvaesenc\t%xmm15,%xmm7,%xmm7\n\tvaesenc\t%xmm15,%xmm8,%xmm8\n\n\tvmovdqu\t224(%rcx),%xmm15\n\tvaesenclast\t%xmm15,%xmm1,%xmm1\n\tvaesenclast\t%xmm15,%xmm2,%xmm2\n\tvaesenclast\t%xmm15,%xmm3,%xmm3\n\tvaesenclast\t%xmm15,%xmm4,%xmm4\n\tvaesenclast\t%xmm15,%xmm5,%xmm5\n\tvaesenclast\t%xmm15,%xmm6,%xmm6\n\tvaesenclast\t%xmm15,%xmm7,%xmm7\n\tvaesenclast\t%xmm15,%xmm8,%xmm8\n\n\n\n\tvpxor\t0(%rdi),%xmm1,%xmm1\n\tvpxor\t16(%rdi),%xmm2,%xmm2\n\tvpxor\t32(%rdi),%xmm3,%xmm3\n\tvpxor\t48(%rdi),%xmm4,%xmm4\n\tvpxor\t64(%rdi),%xmm5,%xmm5\n\tvpxor\t80(%rdi),%xmm6,%xmm6\n\tvpxor\t96(%rdi),%xmm7,%xmm7\n\tvpxor\t112(%rdi),%xmm8,%xmm8\n\n\tsubq\t$1,%r8\n\n\tvmovdqu\t%xmm1,0(%rsi)\n\tvmovdqu\t%xmm2,16(%rsi)\n\tvmovdqu\t%xmm3,32(%rsi)\n\tvmovdqu\t%xmm4,48(%rsi)\n\tvmovdqu\t%xmm5,64(%rsi)\n\tvmovdqu\t%xmm6,80(%rsi)\n\tvmovdqu\t%xmm7,96(%rsi)\n\tvmovdqu\t%xmm8,112(%rsi)\n\n\tjne\tL$256_enc_msg_x8_loop1\n\n\taddq\t$128,%rsi\n\taddq\t$128,%rdi\n\nL$256_enc_msg_x8_check_remainder:\n\tcmpq\t$0,%r10\n\tje\tL$256_enc_msg_x8_out\n\nL$256_enc_msg_x8_loop2:\n\n\n\tvmovdqa\t%xmm0,%xmm1\n\tvpaddd\tone(%rip),%xmm0,%xmm0\n\n\tvpxor\t(%rcx),%xmm1,%xmm1\n\tvaesenc\t16(%rcx),%xmm1,%xmm1\n\tvaesenc\t32(%rcx),%xmm1,%xmm1\n\tvaesenc\t48(%rcx),%xmm1,%xmm1\n\tvaesenc\t64(%rcx),%xmm1,%xmm1\n\tvaesenc\t80(%rcx),%xmm1,%xmm1\n\tvaesenc\t96(%rcx),%xmm1,%xmm1\n\tvaesenc\t112(%rcx),%xmm1,%xmm1\n\tvaesenc\t128(%rcx),%xmm1,%xmm1\n\tvaesenc\t144(%rcx),%xmm1,%xmm1\n\tvaesenc\t160(%rcx),%xmm1,%xmm1\n\tvaesenc\t176(%rcx),%xmm1,%xmm1\n\tvaesenc\t192(%rcx),%xmm1,%xmm1\n\tvaesenc\t208(%rcx),%xmm1,%xmm1\n\tvaesenclast\t224(%rcx),%xmm1,%xmm1\n\n\n\tvpxor\t(%rdi),%xmm1,%xmm1\n\n\tvmovdqu\t%xmm1,(%rsi)\n\n\taddq\t$16,%rdi\n\taddq\t$16,%rsi\n\tsubq\t$1,%r10\n\tjnz\tL$256_enc_msg_x8_loop2\n\nL$256_enc_msg_x8_out:\n\tret\n\n\n\n.globl\t_aes256gcmsiv_dec\n.private_extern _aes256gcmsiv_dec\n\n.p2align\t4\n_aes256gcmsiv_dec:\n\n_CET_ENDBR\n\ttestq\t$~15,%r9\n\tjnz\tL$256_dec_start\n\tret\n\nL$256_dec_start:\n\tvzeroupper\n\tvmovdqa\t(%rdx),%xmm0\n\n\n\tvmovdqu\t16(%rdx),%xmm15\n\tvpor\tOR_MASK(%rip),%xmm15,%xmm15\n\tmovq\t%rdx,%rax\n\n\tleaq\t32(%rax),%rax\n\tleaq\t32(%rcx),%rcx\n\n\tandq\t$~15,%r9\n\n\n\tcmpq\t$96,%r9\n\tjb\tL$256_dec_loop2\n\n\n\tsubq\t$96,%r9\n\tvmovdqa\t%xmm15,%xmm7\n\tvpaddd\tone(%rip),%xmm7,%xmm8\n\tvpaddd\ttwo(%rip),%xmm7,%xmm9\n\tvpaddd\tone(%rip),%xmm9,%xmm10\n\tvpaddd\ttwo(%rip),%xmm9,%xmm11\n\tvpaddd\tone(%rip),%xmm11,%xmm12\n\tvpaddd\ttwo(%rip),%xmm11,%xmm15\n\n\tvpxor\t(%r8),%xmm7,%xmm7\n\tvpxor\t(%r8),%xmm8,%xmm8\n\tvpxor\t(%r8),%xmm9,%xmm9\n\tvpxor\t(%r8),%xmm10,%xmm10\n\tvpxor\t(%r8),%xmm11,%xmm11\n\tvpxor\t(%r8),%xmm12,%xmm12\n\n\tvmovdqu\t16(%r8),%xmm4\n\tvaesenc\t%xmm4,%xmm7,%xmm7\n\tvaesenc\t%xmm4,%xmm8,%xmm8\n\tvaesenc\t%xmm4,%xmm9,%xmm9\n\tvaesenc\t%xmm4,%xmm10,%xmm10\n\tvaesenc\t%xmm4,%xmm11,%xmm11\n\tvaesenc\t%xmm4,%xmm12,%xmm12\n\n\tvmovdqu\t32(%r8),%xmm4\n\tvaesenc\t%xmm4,%xmm7,%xmm7\n\tvaesenc\t%xmm4,%xmm8,%xmm8\n\tvaesenc\t%xmm4,%xmm9,%xmm9\n\tvaesenc\t%xmm4,%xmm10,%xmm10\n\tvaesenc\t%xmm4,%xmm11,%xmm11\n\tvaesenc\t%xmm4,%xmm12,%xmm12\n\n\tvmovdqu\t48(%r8),%xmm4\n\tvaesenc\t%xmm4,%xmm7,%xmm7\n\tvaesenc\t%xmm4,%xmm8,%xmm8\n\tvaesenc\t%xmm4,%xmm9,%xmm9\n\tvaesenc\t%xmm4,%xmm10,%xmm10\n\tvaesenc\t%xmm4,%xmm11,%xmm11\n\tvaesenc\t%xmm4,%xmm12,%xmm12\n\n\tvmovdqu\t64(%r8),%xmm4\n\tvaesenc\t%xmm4,%xmm7,%xmm7\n\tvaesenc\t%xmm4,%xmm8,%xmm8\n\tvaesenc\t%xmm4,%xmm9,%xmm9\n\tvaesenc\t%xmm4,%xmm10,%xmm10\n\tvaesenc\t%xmm4,%xmm11,%xmm11\n\tvaesenc\t%xmm4,%xmm12,%xmm12\n\n\tvmovdqu\t80(%r8),%xmm4\n\tvaesenc\t%xmm4,%xmm7,%xmm7\n\tvaesenc\t%xmm4,%xmm8,%xmm8\n\tvaesenc\t%xmm4,%xmm9,%xmm9\n\tvaesenc\t%xmm4,%xmm10,%xmm10\n\tvaesenc\t%xmm4,%xmm11,%xmm11\n\tvaesenc\t%xmm4,%xmm12,%xmm12\n\n\tvmovdqu\t96(%r8),%xmm4\n\tvaesenc\t%xmm4,%xmm7,%xmm7\n\tvaesenc\t%xmm4,%xmm8,%xmm8\n\tvaesenc\t%xmm4,%xmm9,%xmm9\n\tvaesenc\t%xmm4,%xmm10,%xmm10\n\tvaesenc\t%xmm4,%xmm11,%xmm11\n\tvaesenc\t%xmm4,%xmm12,%xmm12\n\n\tvmovdqu\t112(%r8),%xmm4\n\tvaesenc\t%xmm4,%xmm7,%xmm7\n\tvaesenc\t%xmm4,%xmm8,%xmm8\n\tvaesenc\t%xmm4,%xmm9,%xmm9\n\tvaesenc\t%xmm4,%xmm10,%xmm10\n\tvaesenc\t%xmm4,%xmm11,%xmm11\n\tvaesenc\t%xmm4,%xmm12,%xmm12\n\n\tvmovdqu\t128(%r8),%xmm4\n\tvaesenc\t%xmm4,%xmm7,%xmm7\n\tvaesenc\t%xmm4,%xmm8,%xmm8\n\tvaesenc\t%xmm4,%xmm9,%xmm9\n\tvaesenc\t%xmm4,%xmm10,%xmm10\n\tvaesenc\t%xmm4,%xmm11,%xmm11\n\tvaesenc\t%xmm4,%xmm12,%xmm12\n\n\tvmovdqu\t144(%r8),%xmm4\n\tvaesenc\t%xmm4,%xmm7,%xmm7\n\tvaesenc\t%xmm4,%xmm8,%xmm8\n\tvaesenc\t%xmm4,%xmm9,%xmm9\n\tvaesenc\t%xmm4,%xmm10,%xmm10\n\tvaesenc\t%xmm4,%xmm11,%xmm11\n\tvaesenc\t%xmm4,%xmm12,%xmm12\n\n\tvmovdqu\t160(%r8),%xmm4\n\tvaesenc\t%xmm4,%xmm7,%xmm7\n\tvaesenc\t%xmm4,%xmm8,%xmm8\n\tvaesenc\t%xmm4,%xmm9,%xmm9\n\tvaesenc\t%xmm4,%xmm10,%xmm10\n\tvaesenc\t%xmm4,%xmm11,%xmm11\n\tvaesenc\t%xmm4,%xmm12,%xmm12\n\n\tvmovdqu\t176(%r8),%xmm4\n\tvaesenc\t%xmm4,%xmm7,%xmm7\n\tvaesenc\t%xmm4,%xmm8,%xmm8\n\tvaesenc\t%xmm4,%xmm9,%xmm9\n\tvaesenc\t%xmm4,%xmm10,%xmm10\n\tvaesenc\t%xmm4,%xmm11,%xmm11\n\tvaesenc\t%xmm4,%xmm12,%xmm12\n\n\tvmovdqu\t192(%r8),%xmm4\n\tvaesenc\t%xmm4,%xmm7,%xmm7\n\tvaesenc\t%xmm4,%xmm8,%xmm8\n\tvaesenc\t%xmm4,%xmm9,%xmm9\n\tvaesenc\t%xmm4,%xmm10,%xmm10\n\tvaesenc\t%xmm4,%xmm11,%xmm11\n\tvaesenc\t%xmm4,%xmm12,%xmm12\n\n\tvmovdqu\t208(%r8),%xmm4\n\tvaesenc\t%xmm4,%xmm7,%xmm7\n\tvaesenc\t%xmm4,%xmm8,%xmm8\n\tvaesenc\t%xmm4,%xmm9,%xmm9\n\tvaesenc\t%xmm4,%xmm10,%xmm10\n\tvaesenc\t%xmm4,%xmm11,%xmm11\n\tvaesenc\t%xmm4,%xmm12,%xmm12\n\n\tvmovdqu\t224(%r8),%xmm4\n\tvaesenclast\t%xmm4,%xmm7,%xmm7\n\tvaesenclast\t%xmm4,%xmm8,%xmm8\n\tvaesenclast\t%xmm4,%xmm9,%xmm9\n\tvaesenclast\t%xmm4,%xmm10,%xmm10\n\tvaesenclast\t%xmm4,%xmm11,%xmm11\n\tvaesenclast\t%xmm4,%xmm12,%xmm12\n\n\n\tvpxor\t0(%rdi),%xmm7,%xmm7\n\tvpxor\t16(%rdi),%xmm8,%xmm8\n\tvpxor\t32(%rdi),%xmm9,%xmm9\n\tvpxor\t48(%rdi),%xmm10,%xmm10\n\tvpxor\t64(%rdi),%xmm11,%xmm11\n\tvpxor\t80(%rdi),%xmm12,%xmm12\n\n\tvmovdqu\t%xmm7,0(%rsi)\n\tvmovdqu\t%xmm8,16(%rsi)\n\tvmovdqu\t%xmm9,32(%rsi)\n\tvmovdqu\t%xmm10,48(%rsi)\n\tvmovdqu\t%xmm11,64(%rsi)\n\tvmovdqu\t%xmm12,80(%rsi)\n\n\taddq\t$96,%rdi\n\taddq\t$96,%rsi\n\tjmp\tL$256_dec_loop1\n\n\n.p2align\t6\nL$256_dec_loop1:\n\tcmpq\t$96,%r9\n\tjb\tL$256_dec_finish_96\n\tsubq\t$96,%r9\n\n\tvmovdqa\t%xmm12,%xmm6\n\tvmovdqa\t%xmm11,16-32(%rax)\n\tvmovdqa\t%xmm10,32-32(%rax)\n\tvmovdqa\t%xmm9,48-32(%rax)\n\tvmovdqa\t%xmm8,64-32(%rax)\n\tvmovdqa\t%xmm7,80-32(%rax)\n\n\tvmovdqa\t%xmm15,%xmm7\n\tvpaddd\tone(%rip),%xmm7,%xmm8\n\tvpaddd\ttwo(%rip),%xmm7,%xmm9\n\tvpaddd\tone(%rip),%xmm9,%xmm10\n\tvpaddd\ttwo(%rip),%xmm9,%xmm11\n\tvpaddd\tone(%rip),%xmm11,%xmm12\n\tvpaddd\ttwo(%rip),%xmm11,%xmm15\n\n\tvmovdqa\t(%r8),%xmm4\n\tvpxor\t%xmm4,%xmm7,%xmm7\n\tvpxor\t%xmm4,%xmm8,%xmm8\n\tvpxor\t%xmm4,%xmm9,%xmm9\n\tvpxor\t%xmm4,%xmm10,%xmm10\n\tvpxor\t%xmm4,%xmm11,%xmm11\n\tvpxor\t%xmm4,%xmm12,%xmm12\n\n\tvmovdqu\t0-32(%rcx),%xmm4\n\tvpclmulqdq\t$0x11,%xmm4,%xmm6,%xmm2\n\tvpclmulqdq\t$0x00,%xmm4,%xmm6,%xmm3\n\tvpclmulqdq\t$0x01,%xmm4,%xmm6,%xmm1\n\tvpclmulqdq\t$0x10,%xmm4,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm1,%xmm1\n\n\tvmovdqu\t16(%r8),%xmm4\n\tvaesenc\t%xmm4,%xmm7,%xmm7\n\tvaesenc\t%xmm4,%xmm8,%xmm8\n\tvaesenc\t%xmm4,%xmm9,%xmm9\n\tvaesenc\t%xmm4,%xmm10,%xmm10\n\tvaesenc\t%xmm4,%xmm11,%xmm11\n\tvaesenc\t%xmm4,%xmm12,%xmm12\n\n\tvmovdqu\t-16(%rax),%xmm6\n\tvmovdqu\t-16(%rcx),%xmm13\n\n\tvpclmulqdq\t$0x10,%xmm13,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm1,%xmm1\n\tvpclmulqdq\t$0x11,%xmm13,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm2,%xmm2\n\tvpclmulqdq\t$0x00,%xmm13,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm3,%xmm3\n\tvpclmulqdq\t$0x01,%xmm13,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm1,%xmm1\n\n\n\tvmovdqu\t32(%r8),%xmm4\n\tvaesenc\t%xmm4,%xmm7,%xmm7\n\tvaesenc\t%xmm4,%xmm8,%xmm8\n\tvaesenc\t%xmm4,%xmm9,%xmm9\n\tvaesenc\t%xmm4,%xmm10,%xmm10\n\tvaesenc\t%xmm4,%xmm11,%xmm11\n\tvaesenc\t%xmm4,%xmm12,%xmm12\n\n\tvmovdqu\t0(%rax),%xmm6\n\tvmovdqu\t0(%rcx),%xmm13\n\n\tvpclmulqdq\t$0x10,%xmm13,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm1,%xmm1\n\tvpclmulqdq\t$0x11,%xmm13,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm2,%xmm2\n\tvpclmulqdq\t$0x00,%xmm13,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm3,%xmm3\n\tvpclmulqdq\t$0x01,%xmm13,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm1,%xmm1\n\n\n\tvmovdqu\t48(%r8),%xmm4\n\tvaesenc\t%xmm4,%xmm7,%xmm7\n\tvaesenc\t%xmm4,%xmm8,%xmm8\n\tvaesenc\t%xmm4,%xmm9,%xmm9\n\tvaesenc\t%xmm4,%xmm10,%xmm10\n\tvaesenc\t%xmm4,%xmm11,%xmm11\n\tvaesenc\t%xmm4,%xmm12,%xmm12\n\n\tvmovdqu\t16(%rax),%xmm6\n\tvmovdqu\t16(%rcx),%xmm13\n\n\tvpclmulqdq\t$0x10,%xmm13,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm1,%xmm1\n\tvpclmulqdq\t$0x11,%xmm13,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm2,%xmm2\n\tvpclmulqdq\t$0x00,%xmm13,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm3,%xmm3\n\tvpclmulqdq\t$0x01,%xmm13,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm1,%xmm1\n\n\n\tvmovdqu\t64(%r8),%xmm4\n\tvaesenc\t%xmm4,%xmm7,%xmm7\n\tvaesenc\t%xmm4,%xmm8,%xmm8\n\tvaesenc\t%xmm4,%xmm9,%xmm9\n\tvaesenc\t%xmm4,%xmm10,%xmm10\n\tvaesenc\t%xmm4,%xmm11,%xmm11\n\tvaesenc\t%xmm4,%xmm12,%xmm12\n\n\tvmovdqu\t32(%rax),%xmm6\n\tvmovdqu\t32(%rcx),%xmm13\n\n\tvpclmulqdq\t$0x10,%xmm13,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm1,%xmm1\n\tvpclmulqdq\t$0x11,%xmm13,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm2,%xmm2\n\tvpclmulqdq\t$0x00,%xmm13,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm3,%xmm3\n\tvpclmulqdq\t$0x01,%xmm13,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm1,%xmm1\n\n\n\tvmovdqu\t80(%r8),%xmm4\n\tvaesenc\t%xmm4,%xmm7,%xmm7\n\tvaesenc\t%xmm4,%xmm8,%xmm8\n\tvaesenc\t%xmm4,%xmm9,%xmm9\n\tvaesenc\t%xmm4,%xmm10,%xmm10\n\tvaesenc\t%xmm4,%xmm11,%xmm11\n\tvaesenc\t%xmm4,%xmm12,%xmm12\n\n\tvmovdqu\t96(%r8),%xmm4\n\tvaesenc\t%xmm4,%xmm7,%xmm7\n\tvaesenc\t%xmm4,%xmm8,%xmm8\n\tvaesenc\t%xmm4,%xmm9,%xmm9\n\tvaesenc\t%xmm4,%xmm10,%xmm10\n\tvaesenc\t%xmm4,%xmm11,%xmm11\n\tvaesenc\t%xmm4,%xmm12,%xmm12\n\n\tvmovdqu\t112(%r8),%xmm4\n\tvaesenc\t%xmm4,%xmm7,%xmm7\n\tvaesenc\t%xmm4,%xmm8,%xmm8\n\tvaesenc\t%xmm4,%xmm9,%xmm9\n\tvaesenc\t%xmm4,%xmm10,%xmm10\n\tvaesenc\t%xmm4,%xmm11,%xmm11\n\tvaesenc\t%xmm4,%xmm12,%xmm12\n\n\n\tvmovdqa\t80-32(%rax),%xmm6\n\tvpxor\t%xmm0,%xmm6,%xmm6\n\tvmovdqu\t80-32(%rcx),%xmm5\n\n\tvpclmulqdq\t$0x01,%xmm5,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm1,%xmm1\n\tvpclmulqdq\t$0x11,%xmm5,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm2,%xmm2\n\tvpclmulqdq\t$0x00,%xmm5,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm3,%xmm3\n\tvpclmulqdq\t$0x10,%xmm5,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm1,%xmm1\n\n\tvmovdqu\t128(%r8),%xmm4\n\tvaesenc\t%xmm4,%xmm7,%xmm7\n\tvaesenc\t%xmm4,%xmm8,%xmm8\n\tvaesenc\t%xmm4,%xmm9,%xmm9\n\tvaesenc\t%xmm4,%xmm10,%xmm10\n\tvaesenc\t%xmm4,%xmm11,%xmm11\n\tvaesenc\t%xmm4,%xmm12,%xmm12\n\n\n\tvpsrldq\t$8,%xmm1,%xmm4\n\tvpxor\t%xmm4,%xmm2,%xmm5\n\tvpslldq\t$8,%xmm1,%xmm4\n\tvpxor\t%xmm4,%xmm3,%xmm0\n\n\tvmovdqa\tpoly(%rip),%xmm3\n\n\tvmovdqu\t144(%r8),%xmm4\n\tvaesenc\t%xmm4,%xmm7,%xmm7\n\tvaesenc\t%xmm4,%xmm8,%xmm8\n\tvaesenc\t%xmm4,%xmm9,%xmm9\n\tvaesenc\t%xmm4,%xmm10,%xmm10\n\tvaesenc\t%xmm4,%xmm11,%xmm11\n\tvaesenc\t%xmm4,%xmm12,%xmm12\n\n\tvmovdqu\t160(%r8),%xmm4\n\tvaesenc\t%xmm4,%xmm7,%xmm7\n\tvaesenc\t%xmm4,%xmm8,%xmm8\n\tvaesenc\t%xmm4,%xmm9,%xmm9\n\tvaesenc\t%xmm4,%xmm10,%xmm10\n\tvaesenc\t%xmm4,%xmm11,%xmm11\n\tvaesenc\t%xmm4,%xmm12,%xmm12\n\n\tvmovdqu\t176(%r8),%xmm4\n\tvaesenc\t%xmm4,%xmm7,%xmm7\n\tvaesenc\t%xmm4,%xmm8,%xmm8\n\tvaesenc\t%xmm4,%xmm9,%xmm9\n\tvaesenc\t%xmm4,%xmm10,%xmm10\n\tvaesenc\t%xmm4,%xmm11,%xmm11\n\tvaesenc\t%xmm4,%xmm12,%xmm12\n\n\tvmovdqu\t192(%r8),%xmm4\n\tvaesenc\t%xmm4,%xmm7,%xmm7\n\tvaesenc\t%xmm4,%xmm8,%xmm8\n\tvaesenc\t%xmm4,%xmm9,%xmm9\n\tvaesenc\t%xmm4,%xmm10,%xmm10\n\tvaesenc\t%xmm4,%xmm11,%xmm11\n\tvaesenc\t%xmm4,%xmm12,%xmm12\n\n\tvmovdqu\t208(%r8),%xmm4\n\tvaesenc\t%xmm4,%xmm7,%xmm7\n\tvaesenc\t%xmm4,%xmm8,%xmm8\n\tvaesenc\t%xmm4,%xmm9,%xmm9\n\tvaesenc\t%xmm4,%xmm10,%xmm10\n\tvaesenc\t%xmm4,%xmm11,%xmm11\n\tvaesenc\t%xmm4,%xmm12,%xmm12\n\n\tvmovdqu\t224(%r8),%xmm6\n\tvpalignr\t$8,%xmm0,%xmm0,%xmm2\n\tvpclmulqdq\t$0x10,%xmm3,%xmm0,%xmm0\n\tvpxor\t%xmm0,%xmm2,%xmm0\n\n\tvpxor\t0(%rdi),%xmm6,%xmm4\n\tvaesenclast\t%xmm4,%xmm7,%xmm7\n\tvpxor\t16(%rdi),%xmm6,%xmm4\n\tvaesenclast\t%xmm4,%xmm8,%xmm8\n\tvpxor\t32(%rdi),%xmm6,%xmm4\n\tvaesenclast\t%xmm4,%xmm9,%xmm9\n\tvpxor\t48(%rdi),%xmm6,%xmm4\n\tvaesenclast\t%xmm4,%xmm10,%xmm10\n\tvpxor\t64(%rdi),%xmm6,%xmm4\n\tvaesenclast\t%xmm4,%xmm11,%xmm11\n\tvpxor\t80(%rdi),%xmm6,%xmm4\n\tvaesenclast\t%xmm4,%xmm12,%xmm12\n\n\tvpalignr\t$8,%xmm0,%xmm0,%xmm2\n\tvpclmulqdq\t$0x10,%xmm3,%xmm0,%xmm0\n\tvpxor\t%xmm0,%xmm2,%xmm0\n\n\tvmovdqu\t%xmm7,0(%rsi)\n\tvmovdqu\t%xmm8,16(%rsi)\n\tvmovdqu\t%xmm9,32(%rsi)\n\tvmovdqu\t%xmm10,48(%rsi)\n\tvmovdqu\t%xmm11,64(%rsi)\n\tvmovdqu\t%xmm12,80(%rsi)\n\n\tvpxor\t%xmm5,%xmm0,%xmm0\n\n\tleaq\t96(%rdi),%rdi\n\tleaq\t96(%rsi),%rsi\n\tjmp\tL$256_dec_loop1\n\nL$256_dec_finish_96:\n\tvmovdqa\t%xmm12,%xmm6\n\tvmovdqa\t%xmm11,16-32(%rax)\n\tvmovdqa\t%xmm10,32-32(%rax)\n\tvmovdqa\t%xmm9,48-32(%rax)\n\tvmovdqa\t%xmm8,64-32(%rax)\n\tvmovdqa\t%xmm7,80-32(%rax)\n\n\tvmovdqu\t0-32(%rcx),%xmm4\n\tvpclmulqdq\t$0x10,%xmm4,%xmm6,%xmm1\n\tvpclmulqdq\t$0x11,%xmm4,%xmm6,%xmm2\n\tvpclmulqdq\t$0x00,%xmm4,%xmm6,%xmm3\n\tvpclmulqdq\t$0x01,%xmm4,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm1,%xmm1\n\n\tvmovdqu\t-16(%rax),%xmm6\n\tvmovdqu\t-16(%rcx),%xmm13\n\n\tvpclmulqdq\t$0x10,%xmm13,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm1,%xmm1\n\tvpclmulqdq\t$0x11,%xmm13,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm2,%xmm2\n\tvpclmulqdq\t$0x00,%xmm13,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm3,%xmm3\n\tvpclmulqdq\t$0x01,%xmm13,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm1,%xmm1\n\n\tvmovdqu\t0(%rax),%xmm6\n\tvmovdqu\t0(%rcx),%xmm13\n\n\tvpclmulqdq\t$0x10,%xmm13,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm1,%xmm1\n\tvpclmulqdq\t$0x11,%xmm13,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm2,%xmm2\n\tvpclmulqdq\t$0x00,%xmm13,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm3,%xmm3\n\tvpclmulqdq\t$0x01,%xmm13,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm1,%xmm1\n\n\tvmovdqu\t16(%rax),%xmm6\n\tvmovdqu\t16(%rcx),%xmm13\n\n\tvpclmulqdq\t$0x10,%xmm13,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm1,%xmm1\n\tvpclmulqdq\t$0x11,%xmm13,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm2,%xmm2\n\tvpclmulqdq\t$0x00,%xmm13,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm3,%xmm3\n\tvpclmulqdq\t$0x01,%xmm13,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm1,%xmm1\n\n\tvmovdqu\t32(%rax),%xmm6\n\tvmovdqu\t32(%rcx),%xmm13\n\n\tvpclmulqdq\t$0x10,%xmm13,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm1,%xmm1\n\tvpclmulqdq\t$0x11,%xmm13,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm2,%xmm2\n\tvpclmulqdq\t$0x00,%xmm13,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm3,%xmm3\n\tvpclmulqdq\t$0x01,%xmm13,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm1,%xmm1\n\n\n\tvmovdqu\t80-32(%rax),%xmm6\n\tvpxor\t%xmm0,%xmm6,%xmm6\n\tvmovdqu\t80-32(%rcx),%xmm5\n\tvpclmulqdq\t$0x11,%xmm5,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm2,%xmm2\n\tvpclmulqdq\t$0x00,%xmm5,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm3,%xmm3\n\tvpclmulqdq\t$0x10,%xmm5,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm1,%xmm1\n\tvpclmulqdq\t$0x01,%xmm5,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm1,%xmm1\n\n\tvpsrldq\t$8,%xmm1,%xmm4\n\tvpxor\t%xmm4,%xmm2,%xmm5\n\tvpslldq\t$8,%xmm1,%xmm4\n\tvpxor\t%xmm4,%xmm3,%xmm0\n\n\tvmovdqa\tpoly(%rip),%xmm3\n\n\tvpalignr\t$8,%xmm0,%xmm0,%xmm2\n\tvpclmulqdq\t$0x10,%xmm3,%xmm0,%xmm0\n\tvpxor\t%xmm0,%xmm2,%xmm0\n\n\tvpalignr\t$8,%xmm0,%xmm0,%xmm2\n\tvpclmulqdq\t$0x10,%xmm3,%xmm0,%xmm0\n\tvpxor\t%xmm0,%xmm2,%xmm0\n\n\tvpxor\t%xmm5,%xmm0,%xmm0\n\nL$256_dec_loop2:\n\n\n\n\tcmpq\t$16,%r9\n\tjb\tL$256_dec_out\n\tsubq\t$16,%r9\n\n\tvmovdqa\t%xmm15,%xmm2\n\tvpaddd\tone(%rip),%xmm15,%xmm15\n\n\tvpxor\t0(%r8),%xmm2,%xmm2\n\tvaesenc\t16(%r8),%xmm2,%xmm2\n\tvaesenc\t32(%r8),%xmm2,%xmm2\n\tvaesenc\t48(%r8),%xmm2,%xmm2\n\tvaesenc\t64(%r8),%xmm2,%xmm2\n\tvaesenc\t80(%r8),%xmm2,%xmm2\n\tvaesenc\t96(%r8),%xmm2,%xmm2\n\tvaesenc\t112(%r8),%xmm2,%xmm2\n\tvaesenc\t128(%r8),%xmm2,%xmm2\n\tvaesenc\t144(%r8),%xmm2,%xmm2\n\tvaesenc\t160(%r8),%xmm2,%xmm2\n\tvaesenc\t176(%r8),%xmm2,%xmm2\n\tvaesenc\t192(%r8),%xmm2,%xmm2\n\tvaesenc\t208(%r8),%xmm2,%xmm2\n\tvaesenclast\t224(%r8),%xmm2,%xmm2\n\tvpxor\t(%rdi),%xmm2,%xmm2\n\tvmovdqu\t%xmm2,(%rsi)\n\taddq\t$16,%rdi\n\taddq\t$16,%rsi\n\n\tvpxor\t%xmm2,%xmm0,%xmm0\n\tvmovdqa\t-32(%rcx),%xmm1\n\tcall\tGFMUL\n\n\tjmp\tL$256_dec_loop2\n\nL$256_dec_out:\n\tvmovdqu\t%xmm0,(%rdx)\n\tret\n\n\n.globl\t_aes256gcmsiv_kdf\n.private_extern _aes256gcmsiv_kdf\n\n.p2align\t4\n_aes256gcmsiv_kdf:\n\n_CET_ENDBR\n\n\n\n\n\tvmovdqa\t(%rdx),%xmm1\n\tvmovdqa\t0(%rdi),%xmm4\n\tvmovdqa\tand_mask(%rip),%xmm11\n\tvmovdqa\tone(%rip),%xmm8\n\tvpshufd\t$0x90,%xmm4,%xmm4\n\tvpand\t%xmm11,%xmm4,%xmm4\n\tvpaddd\t%xmm8,%xmm4,%xmm6\n\tvpaddd\t%xmm8,%xmm6,%xmm7\n\tvpaddd\t%xmm8,%xmm7,%xmm11\n\tvpaddd\t%xmm8,%xmm11,%xmm12\n\tvpaddd\t%xmm8,%xmm12,%xmm13\n\n\tvpxor\t%xmm1,%xmm4,%xmm4\n\tvpxor\t%xmm1,%xmm6,%xmm6\n\tvpxor\t%xmm1,%xmm7,%xmm7\n\tvpxor\t%xmm1,%xmm11,%xmm11\n\tvpxor\t%xmm1,%xmm12,%xmm12\n\tvpxor\t%xmm1,%xmm13,%xmm13\n\n\tvmovdqa\t16(%rdx),%xmm1\n\tvaesenc\t%xmm1,%xmm4,%xmm4\n\tvaesenc\t%xmm1,%xmm6,%xmm6\n\tvaesenc\t%xmm1,%xmm7,%xmm7\n\tvaesenc\t%xmm1,%xmm11,%xmm11\n\tvaesenc\t%xmm1,%xmm12,%xmm12\n\tvaesenc\t%xmm1,%xmm13,%xmm13\n\n\tvmovdqa\t32(%rdx),%xmm2\n\tvaesenc\t%xmm2,%xmm4,%xmm4\n\tvaesenc\t%xmm2,%xmm6,%xmm6\n\tvaesenc\t%xmm2,%xmm7,%xmm7\n\tvaesenc\t%xmm2,%xmm11,%xmm11\n\tvaesenc\t%xmm2,%xmm12,%xmm12\n\tvaesenc\t%xmm2,%xmm13,%xmm13\n\n\tvmovdqa\t48(%rdx),%xmm1\n\tvaesenc\t%xmm1,%xmm4,%xmm4\n\tvaesenc\t%xmm1,%xmm6,%xmm6\n\tvaesenc\t%xmm1,%xmm7,%xmm7\n\tvaesenc\t%xmm1,%xmm11,%xmm11\n\tvaesenc\t%xmm1,%xmm12,%xmm12\n\tvaesenc\t%xmm1,%xmm13,%xmm13\n\n\tvmovdqa\t64(%rdx),%xmm2\n\tvaesenc\t%xmm2,%xmm4,%xmm4\n\tvaesenc\t%xmm2,%xmm6,%xmm6\n\tvaesenc\t%xmm2,%xmm7,%xmm7\n\tvaesenc\t%xmm2,%xmm11,%xmm11\n\tvaesenc\t%xmm2,%xmm12,%xmm12\n\tvaesenc\t%xmm2,%xmm13,%xmm13\n\n\tvmovdqa\t80(%rdx),%xmm1\n\tvaesenc\t%xmm1,%xmm4,%xmm4\n\tvaesenc\t%xmm1,%xmm6,%xmm6\n\tvaesenc\t%xmm1,%xmm7,%xmm7\n\tvaesenc\t%xmm1,%xmm11,%xmm11\n\tvaesenc\t%xmm1,%xmm12,%xmm12\n\tvaesenc\t%xmm1,%xmm13,%xmm13\n\n\tvmovdqa\t96(%rdx),%xmm2\n\tvaesenc\t%xmm2,%xmm4,%xmm4\n\tvaesenc\t%xmm2,%xmm6,%xmm6\n\tvaesenc\t%xmm2,%xmm7,%xmm7\n\tvaesenc\t%xmm2,%xmm11,%xmm11\n\tvaesenc\t%xmm2,%xmm12,%xmm12\n\tvaesenc\t%xmm2,%xmm13,%xmm13\n\n\tvmovdqa\t112(%rdx),%xmm1\n\tvaesenc\t%xmm1,%xmm4,%xmm4\n\tvaesenc\t%xmm1,%xmm6,%xmm6\n\tvaesenc\t%xmm1,%xmm7,%xmm7\n\tvaesenc\t%xmm1,%xmm11,%xmm11\n\tvaesenc\t%xmm1,%xmm12,%xmm12\n\tvaesenc\t%xmm1,%xmm13,%xmm13\n\n\tvmovdqa\t128(%rdx),%xmm2\n\tvaesenc\t%xmm2,%xmm4,%xmm4\n\tvaesenc\t%xmm2,%xmm6,%xmm6\n\tvaesenc\t%xmm2,%xmm7,%xmm7\n\tvaesenc\t%xmm2,%xmm11,%xmm11\n\tvaesenc\t%xmm2,%xmm12,%xmm12\n\tvaesenc\t%xmm2,%xmm13,%xmm13\n\n\tvmovdqa\t144(%rdx),%xmm1\n\tvaesenc\t%xmm1,%xmm4,%xmm4\n\tvaesenc\t%xmm1,%xmm6,%xmm6\n\tvaesenc\t%xmm1,%xmm7,%xmm7\n\tvaesenc\t%xmm1,%xmm11,%xmm11\n\tvaesenc\t%xmm1,%xmm12,%xmm12\n\tvaesenc\t%xmm1,%xmm13,%xmm13\n\n\tvmovdqa\t160(%rdx),%xmm2\n\tvaesenc\t%xmm2,%xmm4,%xmm4\n\tvaesenc\t%xmm2,%xmm6,%xmm6\n\tvaesenc\t%xmm2,%xmm7,%xmm7\n\tvaesenc\t%xmm2,%xmm11,%xmm11\n\tvaesenc\t%xmm2,%xmm12,%xmm12\n\tvaesenc\t%xmm2,%xmm13,%xmm13\n\n\tvmovdqa\t176(%rdx),%xmm1\n\tvaesenc\t%xmm1,%xmm4,%xmm4\n\tvaesenc\t%xmm1,%xmm6,%xmm6\n\tvaesenc\t%xmm1,%xmm7,%xmm7\n\tvaesenc\t%xmm1,%xmm11,%xmm11\n\tvaesenc\t%xmm1,%xmm12,%xmm12\n\tvaesenc\t%xmm1,%xmm13,%xmm13\n\n\tvmovdqa\t192(%rdx),%xmm2\n\tvaesenc\t%xmm2,%xmm4,%xmm4\n\tvaesenc\t%xmm2,%xmm6,%xmm6\n\tvaesenc\t%xmm2,%xmm7,%xmm7\n\tvaesenc\t%xmm2,%xmm11,%xmm11\n\tvaesenc\t%xmm2,%xmm12,%xmm12\n\tvaesenc\t%xmm2,%xmm13,%xmm13\n\n\tvmovdqa\t208(%rdx),%xmm1\n\tvaesenc\t%xmm1,%xmm4,%xmm4\n\tvaesenc\t%xmm1,%xmm6,%xmm6\n\tvaesenc\t%xmm1,%xmm7,%xmm7\n\tvaesenc\t%xmm1,%xmm11,%xmm11\n\tvaesenc\t%xmm1,%xmm12,%xmm12\n\tvaesenc\t%xmm1,%xmm13,%xmm13\n\n\tvmovdqa\t224(%rdx),%xmm2\n\tvaesenclast\t%xmm2,%xmm4,%xmm4\n\tvaesenclast\t%xmm2,%xmm6,%xmm6\n\tvaesenclast\t%xmm2,%xmm7,%xmm7\n\tvaesenclast\t%xmm2,%xmm11,%xmm11\n\tvaesenclast\t%xmm2,%xmm12,%xmm12\n\tvaesenclast\t%xmm2,%xmm13,%xmm13\n\n\n\tvmovdqa\t%xmm4,0(%rsi)\n\tvmovdqa\t%xmm6,16(%rsi)\n\tvmovdqa\t%xmm7,32(%rsi)\n\tvmovdqa\t%xmm11,48(%rsi)\n\tvmovdqa\t%xmm12,64(%rsi)\n\tvmovdqa\t%xmm13,80(%rsi)\n\tret\n\n\n#endif\n#if defined(__linux__) && defined(__ELF__)\n.section .note.GNU-stack,\"\",%progbits\n#endif\n\n" }, { "path": "Sources/CNIOBoringSSL/gen/crypto/aes128gcmsiv-x86_64-linux.S", "content": "#define BORINGSSL_PREFIX CNIOBoringSSL\n// This file is generated from a similarly-named Perl script in the BoringSSL\n// source tree. Do not edit by hand.\n\n#include \n\n#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86_64) && defined(__ELF__)\n.section\t.rodata\n\n.align\t16\none:\n.quad\t1,0\ntwo:\n.quad\t2,0\nthree:\n.quad\t3,0\nfour:\n.quad\t4,0\nfive:\n.quad\t5,0\nsix:\n.quad\t6,0\nseven:\n.quad\t7,0\neight:\n.quad\t8,0\n\nOR_MASK:\n.long\t0x00000000,0x00000000,0x00000000,0x80000000\npoly:\n.quad\t0x1, 0xc200000000000000\nmask:\n.long\t0x0c0f0e0d,0x0c0f0e0d,0x0c0f0e0d,0x0c0f0e0d\ncon1:\n.long\t1,1,1,1\ncon2:\n.long\t0x1b,0x1b,0x1b,0x1b\ncon3:\n.byte\t-1,-1,-1,-1,-1,-1,-1,-1,4,5,6,7,4,5,6,7\nand_mask:\n.long\t0,0xffffffff, 0xffffffff, 0xffffffff\n.text\t\n.type\tGFMUL,@function\n.align\t16\nGFMUL:\n.cfi_startproc\t\n\tvpclmulqdq\t$0x00,%xmm1,%xmm0,%xmm2\n\tvpclmulqdq\t$0x11,%xmm1,%xmm0,%xmm5\n\tvpclmulqdq\t$0x10,%xmm1,%xmm0,%xmm3\n\tvpclmulqdq\t$0x01,%xmm1,%xmm0,%xmm4\n\tvpxor\t%xmm4,%xmm3,%xmm3\n\tvpslldq\t$8,%xmm3,%xmm4\n\tvpsrldq\t$8,%xmm3,%xmm3\n\tvpxor\t%xmm4,%xmm2,%xmm2\n\tvpxor\t%xmm3,%xmm5,%xmm5\n\n\tvpclmulqdq\t$0x10,poly(%rip),%xmm2,%xmm3\n\tvpshufd\t$78,%xmm2,%xmm4\n\tvpxor\t%xmm4,%xmm3,%xmm2\n\n\tvpclmulqdq\t$0x10,poly(%rip),%xmm2,%xmm3\n\tvpshufd\t$78,%xmm2,%xmm4\n\tvpxor\t%xmm4,%xmm3,%xmm2\n\n\tvpxor\t%xmm5,%xmm2,%xmm0\n\tret\n.cfi_endproc\t\n.size\tGFMUL, .-GFMUL\n.globl\taesgcmsiv_htable_init\n.hidden aesgcmsiv_htable_init\n.type\taesgcmsiv_htable_init,@function\n.align\t16\naesgcmsiv_htable_init:\n.cfi_startproc\t\n_CET_ENDBR\n\tvmovdqa\t(%rsi),%xmm0\n\tvmovdqa\t%xmm0,%xmm1\n\tvmovdqa\t%xmm0,(%rdi)\n\tcall\tGFMUL\n\tvmovdqa\t%xmm0,16(%rdi)\n\tcall\tGFMUL\n\tvmovdqa\t%xmm0,32(%rdi)\n\tcall\tGFMUL\n\tvmovdqa\t%xmm0,48(%rdi)\n\tcall\tGFMUL\n\tvmovdqa\t%xmm0,64(%rdi)\n\tcall\tGFMUL\n\tvmovdqa\t%xmm0,80(%rdi)\n\tcall\tGFMUL\n\tvmovdqa\t%xmm0,96(%rdi)\n\tcall\tGFMUL\n\tvmovdqa\t%xmm0,112(%rdi)\n\tret\n.cfi_endproc\t\n.size\taesgcmsiv_htable_init, .-aesgcmsiv_htable_init\n.globl\taesgcmsiv_htable6_init\n.hidden aesgcmsiv_htable6_init\n.type\taesgcmsiv_htable6_init,@function\n.align\t16\naesgcmsiv_htable6_init:\n.cfi_startproc\t\n_CET_ENDBR\n\tvmovdqa\t(%rsi),%xmm0\n\tvmovdqa\t%xmm0,%xmm1\n\tvmovdqa\t%xmm0,(%rdi)\n\tcall\tGFMUL\n\tvmovdqa\t%xmm0,16(%rdi)\n\tcall\tGFMUL\n\tvmovdqa\t%xmm0,32(%rdi)\n\tcall\tGFMUL\n\tvmovdqa\t%xmm0,48(%rdi)\n\tcall\tGFMUL\n\tvmovdqa\t%xmm0,64(%rdi)\n\tcall\tGFMUL\n\tvmovdqa\t%xmm0,80(%rdi)\n\tret\n.cfi_endproc\t\n.size\taesgcmsiv_htable6_init, .-aesgcmsiv_htable6_init\n.globl\taesgcmsiv_htable_polyval\n.hidden aesgcmsiv_htable_polyval\n.type\taesgcmsiv_htable_polyval,@function\n.align\t16\naesgcmsiv_htable_polyval:\n.cfi_startproc\t\n_CET_ENDBR\n\ttestq\t%rdx,%rdx\n\tjnz\t.Lhtable_polyval_start\n\tret\n\n.Lhtable_polyval_start:\n\tvzeroall\n\n\n\n\tmovq\t%rdx,%r11\n\tandq\t$127,%r11\n\n\tjz\t.Lhtable_polyval_no_prefix\n\n\tvpxor\t%xmm9,%xmm9,%xmm9\n\tvmovdqa\t(%rcx),%xmm1\n\tsubq\t%r11,%rdx\n\n\tsubq\t$16,%r11\n\n\n\tvmovdqu\t(%rsi),%xmm0\n\tvpxor\t%xmm1,%xmm0,%xmm0\n\n\tvpclmulqdq\t$0x01,(%rdi,%r11,1),%xmm0,%xmm5\n\tvpclmulqdq\t$0x00,(%rdi,%r11,1),%xmm0,%xmm3\n\tvpclmulqdq\t$0x11,(%rdi,%r11,1),%xmm0,%xmm4\n\tvpclmulqdq\t$0x10,(%rdi,%r11,1),%xmm0,%xmm6\n\tvpxor\t%xmm6,%xmm5,%xmm5\n\n\tleaq\t16(%rsi),%rsi\n\ttestq\t%r11,%r11\n\tjnz\t.Lhtable_polyval_prefix_loop\n\tjmp\t.Lhtable_polyval_prefix_complete\n\n\n.align\t64\n.Lhtable_polyval_prefix_loop:\n\tsubq\t$16,%r11\n\n\tvmovdqu\t(%rsi),%xmm0\n\n\tvpclmulqdq\t$0x00,(%rdi,%r11,1),%xmm0,%xmm6\n\tvpxor\t%xmm6,%xmm3,%xmm3\n\tvpclmulqdq\t$0x11,(%rdi,%r11,1),%xmm0,%xmm6\n\tvpxor\t%xmm6,%xmm4,%xmm4\n\tvpclmulqdq\t$0x01,(%rdi,%r11,1),%xmm0,%xmm6\n\tvpxor\t%xmm6,%xmm5,%xmm5\n\tvpclmulqdq\t$0x10,(%rdi,%r11,1),%xmm0,%xmm6\n\tvpxor\t%xmm6,%xmm5,%xmm5\n\n\ttestq\t%r11,%r11\n\n\tleaq\t16(%rsi),%rsi\n\n\tjnz\t.Lhtable_polyval_prefix_loop\n\n.Lhtable_polyval_prefix_complete:\n\tvpsrldq\t$8,%xmm5,%xmm6\n\tvpslldq\t$8,%xmm5,%xmm5\n\n\tvpxor\t%xmm6,%xmm4,%xmm9\n\tvpxor\t%xmm5,%xmm3,%xmm1\n\n\tjmp\t.Lhtable_polyval_main_loop\n\n.Lhtable_polyval_no_prefix:\n\n\n\n\n\tvpxor\t%xmm1,%xmm1,%xmm1\n\tvmovdqa\t(%rcx),%xmm9\n\n.align\t64\n.Lhtable_polyval_main_loop:\n\tsubq\t$0x80,%rdx\n\tjb\t.Lhtable_polyval_out\n\n\tvmovdqu\t112(%rsi),%xmm0\n\n\tvpclmulqdq\t$0x01,(%rdi),%xmm0,%xmm5\n\tvpclmulqdq\t$0x00,(%rdi),%xmm0,%xmm3\n\tvpclmulqdq\t$0x11,(%rdi),%xmm0,%xmm4\n\tvpclmulqdq\t$0x10,(%rdi),%xmm0,%xmm6\n\tvpxor\t%xmm6,%xmm5,%xmm5\n\n\n\tvmovdqu\t96(%rsi),%xmm0\n\tvpclmulqdq\t$0x01,16(%rdi),%xmm0,%xmm6\n\tvpxor\t%xmm6,%xmm5,%xmm5\n\tvpclmulqdq\t$0x00,16(%rdi),%xmm0,%xmm6\n\tvpxor\t%xmm6,%xmm3,%xmm3\n\tvpclmulqdq\t$0x11,16(%rdi),%xmm0,%xmm6\n\tvpxor\t%xmm6,%xmm4,%xmm4\n\tvpclmulqdq\t$0x10,16(%rdi),%xmm0,%xmm6\n\tvpxor\t%xmm6,%xmm5,%xmm5\n\n\n\n\tvmovdqu\t80(%rsi),%xmm0\n\n\tvpclmulqdq\t$0x10,poly(%rip),%xmm1,%xmm7\n\tvpalignr\t$8,%xmm1,%xmm1,%xmm1\n\n\tvpclmulqdq\t$0x01,32(%rdi),%xmm0,%xmm6\n\tvpxor\t%xmm6,%xmm5,%xmm5\n\tvpclmulqdq\t$0x00,32(%rdi),%xmm0,%xmm6\n\tvpxor\t%xmm6,%xmm3,%xmm3\n\tvpclmulqdq\t$0x11,32(%rdi),%xmm0,%xmm6\n\tvpxor\t%xmm6,%xmm4,%xmm4\n\tvpclmulqdq\t$0x10,32(%rdi),%xmm0,%xmm6\n\tvpxor\t%xmm6,%xmm5,%xmm5\n\n\n\tvpxor\t%xmm7,%xmm1,%xmm1\n\n\tvmovdqu\t64(%rsi),%xmm0\n\n\tvpclmulqdq\t$0x01,48(%rdi),%xmm0,%xmm6\n\tvpxor\t%xmm6,%xmm5,%xmm5\n\tvpclmulqdq\t$0x00,48(%rdi),%xmm0,%xmm6\n\tvpxor\t%xmm6,%xmm3,%xmm3\n\tvpclmulqdq\t$0x11,48(%rdi),%xmm0,%xmm6\n\tvpxor\t%xmm6,%xmm4,%xmm4\n\tvpclmulqdq\t$0x10,48(%rdi),%xmm0,%xmm6\n\tvpxor\t%xmm6,%xmm5,%xmm5\n\n\n\tvmovdqu\t48(%rsi),%xmm0\n\n\tvpclmulqdq\t$0x10,poly(%rip),%xmm1,%xmm7\n\tvpalignr\t$8,%xmm1,%xmm1,%xmm1\n\n\tvpclmulqdq\t$0x01,64(%rdi),%xmm0,%xmm6\n\tvpxor\t%xmm6,%xmm5,%xmm5\n\tvpclmulqdq\t$0x00,64(%rdi),%xmm0,%xmm6\n\tvpxor\t%xmm6,%xmm3,%xmm3\n\tvpclmulqdq\t$0x11,64(%rdi),%xmm0,%xmm6\n\tvpxor\t%xmm6,%xmm4,%xmm4\n\tvpclmulqdq\t$0x10,64(%rdi),%xmm0,%xmm6\n\tvpxor\t%xmm6,%xmm5,%xmm5\n\n\n\tvpxor\t%xmm7,%xmm1,%xmm1\n\n\tvmovdqu\t32(%rsi),%xmm0\n\n\tvpclmulqdq\t$0x01,80(%rdi),%xmm0,%xmm6\n\tvpxor\t%xmm6,%xmm5,%xmm5\n\tvpclmulqdq\t$0x00,80(%rdi),%xmm0,%xmm6\n\tvpxor\t%xmm6,%xmm3,%xmm3\n\tvpclmulqdq\t$0x11,80(%rdi),%xmm0,%xmm6\n\tvpxor\t%xmm6,%xmm4,%xmm4\n\tvpclmulqdq\t$0x10,80(%rdi),%xmm0,%xmm6\n\tvpxor\t%xmm6,%xmm5,%xmm5\n\n\n\tvpxor\t%xmm9,%xmm1,%xmm1\n\n\tvmovdqu\t16(%rsi),%xmm0\n\n\tvpclmulqdq\t$0x01,96(%rdi),%xmm0,%xmm6\n\tvpxor\t%xmm6,%xmm5,%xmm5\n\tvpclmulqdq\t$0x00,96(%rdi),%xmm0,%xmm6\n\tvpxor\t%xmm6,%xmm3,%xmm3\n\tvpclmulqdq\t$0x11,96(%rdi),%xmm0,%xmm6\n\tvpxor\t%xmm6,%xmm4,%xmm4\n\tvpclmulqdq\t$0x10,96(%rdi),%xmm0,%xmm6\n\tvpxor\t%xmm6,%xmm5,%xmm5\n\n\n\tvmovdqu\t0(%rsi),%xmm0\n\tvpxor\t%xmm1,%xmm0,%xmm0\n\n\tvpclmulqdq\t$0x01,112(%rdi),%xmm0,%xmm6\n\tvpxor\t%xmm6,%xmm5,%xmm5\n\tvpclmulqdq\t$0x00,112(%rdi),%xmm0,%xmm6\n\tvpxor\t%xmm6,%xmm3,%xmm3\n\tvpclmulqdq\t$0x11,112(%rdi),%xmm0,%xmm6\n\tvpxor\t%xmm6,%xmm4,%xmm4\n\tvpclmulqdq\t$0x10,112(%rdi),%xmm0,%xmm6\n\tvpxor\t%xmm6,%xmm5,%xmm5\n\n\n\tvpsrldq\t$8,%xmm5,%xmm6\n\tvpslldq\t$8,%xmm5,%xmm5\n\n\tvpxor\t%xmm6,%xmm4,%xmm9\n\tvpxor\t%xmm5,%xmm3,%xmm1\n\n\tleaq\t128(%rsi),%rsi\n\tjmp\t.Lhtable_polyval_main_loop\n\n\n\n.Lhtable_polyval_out:\n\tvpclmulqdq\t$0x10,poly(%rip),%xmm1,%xmm6\n\tvpalignr\t$8,%xmm1,%xmm1,%xmm1\n\tvpxor\t%xmm6,%xmm1,%xmm1\n\n\tvpclmulqdq\t$0x10,poly(%rip),%xmm1,%xmm6\n\tvpalignr\t$8,%xmm1,%xmm1,%xmm1\n\tvpxor\t%xmm6,%xmm1,%xmm1\n\tvpxor\t%xmm9,%xmm1,%xmm1\n\n\tvmovdqu\t%xmm1,(%rcx)\n\tvzeroupper\n\tret\n.cfi_endproc\t\n.size\taesgcmsiv_htable_polyval,.-aesgcmsiv_htable_polyval\n.globl\taesgcmsiv_polyval_horner\n.hidden aesgcmsiv_polyval_horner\n.type\taesgcmsiv_polyval_horner,@function\n.align\t16\naesgcmsiv_polyval_horner:\n.cfi_startproc\t\n_CET_ENDBR\n\ttestq\t%rcx,%rcx\n\tjnz\t.Lpolyval_horner_start\n\tret\n\n.Lpolyval_horner_start:\n\n\n\n\txorq\t%r10,%r10\n\tshlq\t$4,%rcx\n\n\tvmovdqa\t(%rsi),%xmm1\n\tvmovdqa\t(%rdi),%xmm0\n\n.Lpolyval_horner_loop:\n\tvpxor\t(%rdx,%r10,1),%xmm0,%xmm0\n\tcall\tGFMUL\n\n\taddq\t$16,%r10\n\tcmpq\t%r10,%rcx\n\tjne\t.Lpolyval_horner_loop\n\n\n\tvmovdqa\t%xmm0,(%rdi)\n\tret\n.cfi_endproc\t\n.size\taesgcmsiv_polyval_horner,.-aesgcmsiv_polyval_horner\n.globl\taes128gcmsiv_aes_ks\n.hidden aes128gcmsiv_aes_ks\n.type\taes128gcmsiv_aes_ks,@function\n.align\t16\naes128gcmsiv_aes_ks:\n.cfi_startproc\t\n_CET_ENDBR\n\tvmovdqu\t(%rdi),%xmm1\n\tvmovdqa\t%xmm1,(%rsi)\n\n\tvmovdqa\tcon1(%rip),%xmm0\n\tvmovdqa\tmask(%rip),%xmm15\n\n\tmovq\t$8,%rax\n\n.Lks128_loop:\n\taddq\t$16,%rsi\n\tsubq\t$1,%rax\n\tvpshufb\t%xmm15,%xmm1,%xmm2\n\tvaesenclast\t%xmm0,%xmm2,%xmm2\n\tvpslld\t$1,%xmm0,%xmm0\n\tvpslldq\t$4,%xmm1,%xmm3\n\tvpxor\t%xmm3,%xmm1,%xmm1\n\tvpslldq\t$4,%xmm3,%xmm3\n\tvpxor\t%xmm3,%xmm1,%xmm1\n\tvpslldq\t$4,%xmm3,%xmm3\n\tvpxor\t%xmm3,%xmm1,%xmm1\n\tvpxor\t%xmm2,%xmm1,%xmm1\n\tvmovdqa\t%xmm1,(%rsi)\n\tjne\t.Lks128_loop\n\n\tvmovdqa\tcon2(%rip),%xmm0\n\tvpshufb\t%xmm15,%xmm1,%xmm2\n\tvaesenclast\t%xmm0,%xmm2,%xmm2\n\tvpslld\t$1,%xmm0,%xmm0\n\tvpslldq\t$4,%xmm1,%xmm3\n\tvpxor\t%xmm3,%xmm1,%xmm1\n\tvpslldq\t$4,%xmm3,%xmm3\n\tvpxor\t%xmm3,%xmm1,%xmm1\n\tvpslldq\t$4,%xmm3,%xmm3\n\tvpxor\t%xmm3,%xmm1,%xmm1\n\tvpxor\t%xmm2,%xmm1,%xmm1\n\tvmovdqa\t%xmm1,16(%rsi)\n\n\tvpshufb\t%xmm15,%xmm1,%xmm2\n\tvaesenclast\t%xmm0,%xmm2,%xmm2\n\tvpslldq\t$4,%xmm1,%xmm3\n\tvpxor\t%xmm3,%xmm1,%xmm1\n\tvpslldq\t$4,%xmm3,%xmm3\n\tvpxor\t%xmm3,%xmm1,%xmm1\n\tvpslldq\t$4,%xmm3,%xmm3\n\tvpxor\t%xmm3,%xmm1,%xmm1\n\tvpxor\t%xmm2,%xmm1,%xmm1\n\tvmovdqa\t%xmm1,32(%rsi)\n\tret\n.cfi_endproc\t\n.size\taes128gcmsiv_aes_ks,.-aes128gcmsiv_aes_ks\n.globl\taes256gcmsiv_aes_ks\n.hidden aes256gcmsiv_aes_ks\n.type\taes256gcmsiv_aes_ks,@function\n.align\t16\naes256gcmsiv_aes_ks:\n.cfi_startproc\t\n_CET_ENDBR\n\tvmovdqu\t(%rdi),%xmm1\n\tvmovdqu\t16(%rdi),%xmm3\n\tvmovdqa\t%xmm1,(%rsi)\n\tvmovdqa\t%xmm3,16(%rsi)\n\tvmovdqa\tcon1(%rip),%xmm0\n\tvmovdqa\tmask(%rip),%xmm15\n\tvpxor\t%xmm14,%xmm14,%xmm14\n\tmovq\t$6,%rax\n\n.Lks256_loop:\n\taddq\t$32,%rsi\n\tsubq\t$1,%rax\n\tvpshufb\t%xmm15,%xmm3,%xmm2\n\tvaesenclast\t%xmm0,%xmm2,%xmm2\n\tvpslld\t$1,%xmm0,%xmm0\n\tvpsllq\t$32,%xmm1,%xmm4\n\tvpxor\t%xmm4,%xmm1,%xmm1\n\tvpshufb\tcon3(%rip),%xmm1,%xmm4\n\tvpxor\t%xmm4,%xmm1,%xmm1\n\tvpxor\t%xmm2,%xmm1,%xmm1\n\tvmovdqa\t%xmm1,(%rsi)\n\tvpshufd\t$0xff,%xmm1,%xmm2\n\tvaesenclast\t%xmm14,%xmm2,%xmm2\n\tvpsllq\t$32,%xmm3,%xmm4\n\tvpxor\t%xmm4,%xmm3,%xmm3\n\tvpshufb\tcon3(%rip),%xmm3,%xmm4\n\tvpxor\t%xmm4,%xmm3,%xmm3\n\tvpxor\t%xmm2,%xmm3,%xmm3\n\tvmovdqa\t%xmm3,16(%rsi)\n\tjne\t.Lks256_loop\n\n\tvpshufb\t%xmm15,%xmm3,%xmm2\n\tvaesenclast\t%xmm0,%xmm2,%xmm2\n\tvpsllq\t$32,%xmm1,%xmm4\n\tvpxor\t%xmm4,%xmm1,%xmm1\n\tvpshufb\tcon3(%rip),%xmm1,%xmm4\n\tvpxor\t%xmm4,%xmm1,%xmm1\n\tvpxor\t%xmm2,%xmm1,%xmm1\n\tvmovdqa\t%xmm1,32(%rsi)\n\tret\n.cfi_endproc\t\n.globl\taes128gcmsiv_aes_ks_enc_x1\n.hidden aes128gcmsiv_aes_ks_enc_x1\n.type\taes128gcmsiv_aes_ks_enc_x1,@function\n.align\t16\naes128gcmsiv_aes_ks_enc_x1:\n.cfi_startproc\t\n_CET_ENDBR\n\tvmovdqa\t(%rcx),%xmm1\n\tvmovdqa\t0(%rdi),%xmm4\n\n\tvmovdqa\t%xmm1,(%rdx)\n\tvpxor\t%xmm1,%xmm4,%xmm4\n\n\tvmovdqa\tcon1(%rip),%xmm0\n\tvmovdqa\tmask(%rip),%xmm15\n\n\tvpshufb\t%xmm15,%xmm1,%xmm2\n\tvaesenclast\t%xmm0,%xmm2,%xmm2\n\tvpslld\t$1,%xmm0,%xmm0\n\tvpsllq\t$32,%xmm1,%xmm3\n\tvpxor\t%xmm3,%xmm1,%xmm1\n\tvpshufb\tcon3(%rip),%xmm1,%xmm3\n\tvpxor\t%xmm3,%xmm1,%xmm1\n\tvpxor\t%xmm2,%xmm1,%xmm1\n\n\tvaesenc\t%xmm1,%xmm4,%xmm4\n\tvmovdqa\t%xmm1,16(%rdx)\n\n\tvpshufb\t%xmm15,%xmm1,%xmm2\n\tvaesenclast\t%xmm0,%xmm2,%xmm2\n\tvpslld\t$1,%xmm0,%xmm0\n\tvpsllq\t$32,%xmm1,%xmm3\n\tvpxor\t%xmm3,%xmm1,%xmm1\n\tvpshufb\tcon3(%rip),%xmm1,%xmm3\n\tvpxor\t%xmm3,%xmm1,%xmm1\n\tvpxor\t%xmm2,%xmm1,%xmm1\n\n\tvaesenc\t%xmm1,%xmm4,%xmm4\n\tvmovdqa\t%xmm1,32(%rdx)\n\n\tvpshufb\t%xmm15,%xmm1,%xmm2\n\tvaesenclast\t%xmm0,%xmm2,%xmm2\n\tvpslld\t$1,%xmm0,%xmm0\n\tvpsllq\t$32,%xmm1,%xmm3\n\tvpxor\t%xmm3,%xmm1,%xmm1\n\tvpshufb\tcon3(%rip),%xmm1,%xmm3\n\tvpxor\t%xmm3,%xmm1,%xmm1\n\tvpxor\t%xmm2,%xmm1,%xmm1\n\n\tvaesenc\t%xmm1,%xmm4,%xmm4\n\tvmovdqa\t%xmm1,48(%rdx)\n\n\tvpshufb\t%xmm15,%xmm1,%xmm2\n\tvaesenclast\t%xmm0,%xmm2,%xmm2\n\tvpslld\t$1,%xmm0,%xmm0\n\tvpsllq\t$32,%xmm1,%xmm3\n\tvpxor\t%xmm3,%xmm1,%xmm1\n\tvpshufb\tcon3(%rip),%xmm1,%xmm3\n\tvpxor\t%xmm3,%xmm1,%xmm1\n\tvpxor\t%xmm2,%xmm1,%xmm1\n\n\tvaesenc\t%xmm1,%xmm4,%xmm4\n\tvmovdqa\t%xmm1,64(%rdx)\n\n\tvpshufb\t%xmm15,%xmm1,%xmm2\n\tvaesenclast\t%xmm0,%xmm2,%xmm2\n\tvpslld\t$1,%xmm0,%xmm0\n\tvpsllq\t$32,%xmm1,%xmm3\n\tvpxor\t%xmm3,%xmm1,%xmm1\n\tvpshufb\tcon3(%rip),%xmm1,%xmm3\n\tvpxor\t%xmm3,%xmm1,%xmm1\n\tvpxor\t%xmm2,%xmm1,%xmm1\n\n\tvaesenc\t%xmm1,%xmm4,%xmm4\n\tvmovdqa\t%xmm1,80(%rdx)\n\n\tvpshufb\t%xmm15,%xmm1,%xmm2\n\tvaesenclast\t%xmm0,%xmm2,%xmm2\n\tvpslld\t$1,%xmm0,%xmm0\n\tvpsllq\t$32,%xmm1,%xmm3\n\tvpxor\t%xmm3,%xmm1,%xmm1\n\tvpshufb\tcon3(%rip),%xmm1,%xmm3\n\tvpxor\t%xmm3,%xmm1,%xmm1\n\tvpxor\t%xmm2,%xmm1,%xmm1\n\n\tvaesenc\t%xmm1,%xmm4,%xmm4\n\tvmovdqa\t%xmm1,96(%rdx)\n\n\tvpshufb\t%xmm15,%xmm1,%xmm2\n\tvaesenclast\t%xmm0,%xmm2,%xmm2\n\tvpslld\t$1,%xmm0,%xmm0\n\tvpsllq\t$32,%xmm1,%xmm3\n\tvpxor\t%xmm3,%xmm1,%xmm1\n\tvpshufb\tcon3(%rip),%xmm1,%xmm3\n\tvpxor\t%xmm3,%xmm1,%xmm1\n\tvpxor\t%xmm2,%xmm1,%xmm1\n\n\tvaesenc\t%xmm1,%xmm4,%xmm4\n\tvmovdqa\t%xmm1,112(%rdx)\n\n\tvpshufb\t%xmm15,%xmm1,%xmm2\n\tvaesenclast\t%xmm0,%xmm2,%xmm2\n\tvpslld\t$1,%xmm0,%xmm0\n\tvpsllq\t$32,%xmm1,%xmm3\n\tvpxor\t%xmm3,%xmm1,%xmm1\n\tvpshufb\tcon3(%rip),%xmm1,%xmm3\n\tvpxor\t%xmm3,%xmm1,%xmm1\n\tvpxor\t%xmm2,%xmm1,%xmm1\n\n\tvaesenc\t%xmm1,%xmm4,%xmm4\n\tvmovdqa\t%xmm1,128(%rdx)\n\n\n\tvmovdqa\tcon2(%rip),%xmm0\n\n\tvpshufb\t%xmm15,%xmm1,%xmm2\n\tvaesenclast\t%xmm0,%xmm2,%xmm2\n\tvpslld\t$1,%xmm0,%xmm0\n\tvpsllq\t$32,%xmm1,%xmm3\n\tvpxor\t%xmm3,%xmm1,%xmm1\n\tvpshufb\tcon3(%rip),%xmm1,%xmm3\n\tvpxor\t%xmm3,%xmm1,%xmm1\n\tvpxor\t%xmm2,%xmm1,%xmm1\n\n\tvaesenc\t%xmm1,%xmm4,%xmm4\n\tvmovdqa\t%xmm1,144(%rdx)\n\n\tvpshufb\t%xmm15,%xmm1,%xmm2\n\tvaesenclast\t%xmm0,%xmm2,%xmm2\n\tvpsllq\t$32,%xmm1,%xmm3\n\tvpxor\t%xmm3,%xmm1,%xmm1\n\tvpshufb\tcon3(%rip),%xmm1,%xmm3\n\tvpxor\t%xmm3,%xmm1,%xmm1\n\tvpxor\t%xmm2,%xmm1,%xmm1\n\n\tvaesenclast\t%xmm1,%xmm4,%xmm4\n\tvmovdqa\t%xmm1,160(%rdx)\n\n\n\tvmovdqa\t%xmm4,0(%rsi)\n\tret\n.cfi_endproc\t\n.size\taes128gcmsiv_aes_ks_enc_x1,.-aes128gcmsiv_aes_ks_enc_x1\n.globl\taes128gcmsiv_kdf\n.hidden aes128gcmsiv_kdf\n.type\taes128gcmsiv_kdf,@function\n.align\t16\naes128gcmsiv_kdf:\n.cfi_startproc\t\n_CET_ENDBR\n\n\n\n\n\tvmovdqa\t(%rdx),%xmm1\n\tvmovdqa\t0(%rdi),%xmm9\n\tvmovdqa\tand_mask(%rip),%xmm12\n\tvmovdqa\tone(%rip),%xmm13\n\tvpshufd\t$0x90,%xmm9,%xmm9\n\tvpand\t%xmm12,%xmm9,%xmm9\n\tvpaddd\t%xmm13,%xmm9,%xmm10\n\tvpaddd\t%xmm13,%xmm10,%xmm11\n\tvpaddd\t%xmm13,%xmm11,%xmm12\n\n\tvpxor\t%xmm1,%xmm9,%xmm9\n\tvpxor\t%xmm1,%xmm10,%xmm10\n\tvpxor\t%xmm1,%xmm11,%xmm11\n\tvpxor\t%xmm1,%xmm12,%xmm12\n\n\tvmovdqa\t16(%rdx),%xmm1\n\tvaesenc\t%xmm1,%xmm9,%xmm9\n\tvaesenc\t%xmm1,%xmm10,%xmm10\n\tvaesenc\t%xmm1,%xmm11,%xmm11\n\tvaesenc\t%xmm1,%xmm12,%xmm12\n\n\tvmovdqa\t32(%rdx),%xmm2\n\tvaesenc\t%xmm2,%xmm9,%xmm9\n\tvaesenc\t%xmm2,%xmm10,%xmm10\n\tvaesenc\t%xmm2,%xmm11,%xmm11\n\tvaesenc\t%xmm2,%xmm12,%xmm12\n\n\tvmovdqa\t48(%rdx),%xmm1\n\tvaesenc\t%xmm1,%xmm9,%xmm9\n\tvaesenc\t%xmm1,%xmm10,%xmm10\n\tvaesenc\t%xmm1,%xmm11,%xmm11\n\tvaesenc\t%xmm1,%xmm12,%xmm12\n\n\tvmovdqa\t64(%rdx),%xmm2\n\tvaesenc\t%xmm2,%xmm9,%xmm9\n\tvaesenc\t%xmm2,%xmm10,%xmm10\n\tvaesenc\t%xmm2,%xmm11,%xmm11\n\tvaesenc\t%xmm2,%xmm12,%xmm12\n\n\tvmovdqa\t80(%rdx),%xmm1\n\tvaesenc\t%xmm1,%xmm9,%xmm9\n\tvaesenc\t%xmm1,%xmm10,%xmm10\n\tvaesenc\t%xmm1,%xmm11,%xmm11\n\tvaesenc\t%xmm1,%xmm12,%xmm12\n\n\tvmovdqa\t96(%rdx),%xmm2\n\tvaesenc\t%xmm2,%xmm9,%xmm9\n\tvaesenc\t%xmm2,%xmm10,%xmm10\n\tvaesenc\t%xmm2,%xmm11,%xmm11\n\tvaesenc\t%xmm2,%xmm12,%xmm12\n\n\tvmovdqa\t112(%rdx),%xmm1\n\tvaesenc\t%xmm1,%xmm9,%xmm9\n\tvaesenc\t%xmm1,%xmm10,%xmm10\n\tvaesenc\t%xmm1,%xmm11,%xmm11\n\tvaesenc\t%xmm1,%xmm12,%xmm12\n\n\tvmovdqa\t128(%rdx),%xmm2\n\tvaesenc\t%xmm2,%xmm9,%xmm9\n\tvaesenc\t%xmm2,%xmm10,%xmm10\n\tvaesenc\t%xmm2,%xmm11,%xmm11\n\tvaesenc\t%xmm2,%xmm12,%xmm12\n\n\tvmovdqa\t144(%rdx),%xmm1\n\tvaesenc\t%xmm1,%xmm9,%xmm9\n\tvaesenc\t%xmm1,%xmm10,%xmm10\n\tvaesenc\t%xmm1,%xmm11,%xmm11\n\tvaesenc\t%xmm1,%xmm12,%xmm12\n\n\tvmovdqa\t160(%rdx),%xmm2\n\tvaesenclast\t%xmm2,%xmm9,%xmm9\n\tvaesenclast\t%xmm2,%xmm10,%xmm10\n\tvaesenclast\t%xmm2,%xmm11,%xmm11\n\tvaesenclast\t%xmm2,%xmm12,%xmm12\n\n\n\tvmovdqa\t%xmm9,0(%rsi)\n\tvmovdqa\t%xmm10,16(%rsi)\n\tvmovdqa\t%xmm11,32(%rsi)\n\tvmovdqa\t%xmm12,48(%rsi)\n\tret\n.cfi_endproc\t\n.size\taes128gcmsiv_kdf,.-aes128gcmsiv_kdf\n.globl\taes128gcmsiv_enc_msg_x4\n.hidden aes128gcmsiv_enc_msg_x4\n.type\taes128gcmsiv_enc_msg_x4,@function\n.align\t16\naes128gcmsiv_enc_msg_x4:\n.cfi_startproc\t\n_CET_ENDBR\n\ttestq\t%r8,%r8\n\tjnz\t.L128_enc_msg_x4_start\n\tret\n\n.L128_enc_msg_x4_start:\n\tpushq\t%r12\n.cfi_adjust_cfa_offset\t8\n.cfi_offset\t%r12,-16\n\tpushq\t%r13\n.cfi_adjust_cfa_offset\t8\n.cfi_offset\t%r13,-24\n\n\tshrq\t$4,%r8\n\tmovq\t%r8,%r10\n\tshlq\t$62,%r10\n\tshrq\t$62,%r10\n\n\n\tvmovdqa\t(%rdx),%xmm15\n\tvpor\tOR_MASK(%rip),%xmm15,%xmm15\n\n\tvmovdqu\tfour(%rip),%xmm4\n\tvmovdqa\t%xmm15,%xmm0\n\tvpaddd\tone(%rip),%xmm15,%xmm1\n\tvpaddd\ttwo(%rip),%xmm15,%xmm2\n\tvpaddd\tthree(%rip),%xmm15,%xmm3\n\n\tshrq\t$2,%r8\n\tje\t.L128_enc_msg_x4_check_remainder\n\n\tsubq\t$64,%rsi\n\tsubq\t$64,%rdi\n\n.L128_enc_msg_x4_loop1:\n\taddq\t$64,%rsi\n\taddq\t$64,%rdi\n\n\tvmovdqa\t%xmm0,%xmm5\n\tvmovdqa\t%xmm1,%xmm6\n\tvmovdqa\t%xmm2,%xmm7\n\tvmovdqa\t%xmm3,%xmm8\n\n\tvpxor\t(%rcx),%xmm5,%xmm5\n\tvpxor\t(%rcx),%xmm6,%xmm6\n\tvpxor\t(%rcx),%xmm7,%xmm7\n\tvpxor\t(%rcx),%xmm8,%xmm8\n\n\tvmovdqu\t16(%rcx),%xmm12\n\tvaesenc\t%xmm12,%xmm5,%xmm5\n\tvaesenc\t%xmm12,%xmm6,%xmm6\n\tvaesenc\t%xmm12,%xmm7,%xmm7\n\tvaesenc\t%xmm12,%xmm8,%xmm8\n\n\tvpaddd\t%xmm4,%xmm0,%xmm0\n\tvmovdqu\t32(%rcx),%xmm12\n\tvaesenc\t%xmm12,%xmm5,%xmm5\n\tvaesenc\t%xmm12,%xmm6,%xmm6\n\tvaesenc\t%xmm12,%xmm7,%xmm7\n\tvaesenc\t%xmm12,%xmm8,%xmm8\n\n\tvpaddd\t%xmm4,%xmm1,%xmm1\n\tvmovdqu\t48(%rcx),%xmm12\n\tvaesenc\t%xmm12,%xmm5,%xmm5\n\tvaesenc\t%xmm12,%xmm6,%xmm6\n\tvaesenc\t%xmm12,%xmm7,%xmm7\n\tvaesenc\t%xmm12,%xmm8,%xmm8\n\n\tvpaddd\t%xmm4,%xmm2,%xmm2\n\tvmovdqu\t64(%rcx),%xmm12\n\tvaesenc\t%xmm12,%xmm5,%xmm5\n\tvaesenc\t%xmm12,%xmm6,%xmm6\n\tvaesenc\t%xmm12,%xmm7,%xmm7\n\tvaesenc\t%xmm12,%xmm8,%xmm8\n\n\tvpaddd\t%xmm4,%xmm3,%xmm3\n\n\tvmovdqu\t80(%rcx),%xmm12\n\tvaesenc\t%xmm12,%xmm5,%xmm5\n\tvaesenc\t%xmm12,%xmm6,%xmm6\n\tvaesenc\t%xmm12,%xmm7,%xmm7\n\tvaesenc\t%xmm12,%xmm8,%xmm8\n\n\tvmovdqu\t96(%rcx),%xmm12\n\tvaesenc\t%xmm12,%xmm5,%xmm5\n\tvaesenc\t%xmm12,%xmm6,%xmm6\n\tvaesenc\t%xmm12,%xmm7,%xmm7\n\tvaesenc\t%xmm12,%xmm8,%xmm8\n\n\tvmovdqu\t112(%rcx),%xmm12\n\tvaesenc\t%xmm12,%xmm5,%xmm5\n\tvaesenc\t%xmm12,%xmm6,%xmm6\n\tvaesenc\t%xmm12,%xmm7,%xmm7\n\tvaesenc\t%xmm12,%xmm8,%xmm8\n\n\tvmovdqu\t128(%rcx),%xmm12\n\tvaesenc\t%xmm12,%xmm5,%xmm5\n\tvaesenc\t%xmm12,%xmm6,%xmm6\n\tvaesenc\t%xmm12,%xmm7,%xmm7\n\tvaesenc\t%xmm12,%xmm8,%xmm8\n\n\tvmovdqu\t144(%rcx),%xmm12\n\tvaesenc\t%xmm12,%xmm5,%xmm5\n\tvaesenc\t%xmm12,%xmm6,%xmm6\n\tvaesenc\t%xmm12,%xmm7,%xmm7\n\tvaesenc\t%xmm12,%xmm8,%xmm8\n\n\tvmovdqu\t160(%rcx),%xmm12\n\tvaesenclast\t%xmm12,%xmm5,%xmm5\n\tvaesenclast\t%xmm12,%xmm6,%xmm6\n\tvaesenclast\t%xmm12,%xmm7,%xmm7\n\tvaesenclast\t%xmm12,%xmm8,%xmm8\n\n\n\n\tvpxor\t0(%rdi),%xmm5,%xmm5\n\tvpxor\t16(%rdi),%xmm6,%xmm6\n\tvpxor\t32(%rdi),%xmm7,%xmm7\n\tvpxor\t48(%rdi),%xmm8,%xmm8\n\n\tsubq\t$1,%r8\n\n\tvmovdqu\t%xmm5,0(%rsi)\n\tvmovdqu\t%xmm6,16(%rsi)\n\tvmovdqu\t%xmm7,32(%rsi)\n\tvmovdqu\t%xmm8,48(%rsi)\n\n\tjne\t.L128_enc_msg_x4_loop1\n\n\taddq\t$64,%rsi\n\taddq\t$64,%rdi\n\n.L128_enc_msg_x4_check_remainder:\n\tcmpq\t$0,%r10\n\tje\t.L128_enc_msg_x4_out\n\n.L128_enc_msg_x4_loop2:\n\n\n\tvmovdqa\t%xmm0,%xmm5\n\tvpaddd\tone(%rip),%xmm0,%xmm0\n\n\tvpxor\t(%rcx),%xmm5,%xmm5\n\tvaesenc\t16(%rcx),%xmm5,%xmm5\n\tvaesenc\t32(%rcx),%xmm5,%xmm5\n\tvaesenc\t48(%rcx),%xmm5,%xmm5\n\tvaesenc\t64(%rcx),%xmm5,%xmm5\n\tvaesenc\t80(%rcx),%xmm5,%xmm5\n\tvaesenc\t96(%rcx),%xmm5,%xmm5\n\tvaesenc\t112(%rcx),%xmm5,%xmm5\n\tvaesenc\t128(%rcx),%xmm5,%xmm5\n\tvaesenc\t144(%rcx),%xmm5,%xmm5\n\tvaesenclast\t160(%rcx),%xmm5,%xmm5\n\n\n\tvpxor\t(%rdi),%xmm5,%xmm5\n\tvmovdqu\t%xmm5,(%rsi)\n\n\taddq\t$16,%rdi\n\taddq\t$16,%rsi\n\n\tsubq\t$1,%r10\n\tjne\t.L128_enc_msg_x4_loop2\n\n.L128_enc_msg_x4_out:\n\tpopq\t%r13\n.cfi_adjust_cfa_offset\t-8\n.cfi_restore\t%r13\n\tpopq\t%r12\n.cfi_adjust_cfa_offset\t-8\n.cfi_restore\t%r12\n\tret\n.cfi_endproc\t\n.size\taes128gcmsiv_enc_msg_x4,.-aes128gcmsiv_enc_msg_x4\n.globl\taes128gcmsiv_enc_msg_x8\n.hidden aes128gcmsiv_enc_msg_x8\n.type\taes128gcmsiv_enc_msg_x8,@function\n.align\t16\naes128gcmsiv_enc_msg_x8:\n.cfi_startproc\t\n_CET_ENDBR\n\ttestq\t%r8,%r8\n\tjnz\t.L128_enc_msg_x8_start\n\tret\n\n.L128_enc_msg_x8_start:\n\tpushq\t%r12\n.cfi_adjust_cfa_offset\t8\n.cfi_offset\t%r12,-16\n\tpushq\t%r13\n.cfi_adjust_cfa_offset\t8\n.cfi_offset\t%r13,-24\n\tpushq\t%rbp\n.cfi_adjust_cfa_offset\t8\n.cfi_offset\t%rbp,-32\n\tmovq\t%rsp,%rbp\n.cfi_def_cfa_register\trbp\n\n\n\tsubq\t$128,%rsp\n\tandq\t$-64,%rsp\n\n\tshrq\t$4,%r8\n\tmovq\t%r8,%r10\n\tshlq\t$61,%r10\n\tshrq\t$61,%r10\n\n\n\tvmovdqu\t(%rdx),%xmm1\n\tvpor\tOR_MASK(%rip),%xmm1,%xmm1\n\n\n\tvpaddd\tseven(%rip),%xmm1,%xmm0\n\tvmovdqu\t%xmm0,(%rsp)\n\tvpaddd\tone(%rip),%xmm1,%xmm9\n\tvpaddd\ttwo(%rip),%xmm1,%xmm10\n\tvpaddd\tthree(%rip),%xmm1,%xmm11\n\tvpaddd\tfour(%rip),%xmm1,%xmm12\n\tvpaddd\tfive(%rip),%xmm1,%xmm13\n\tvpaddd\tsix(%rip),%xmm1,%xmm14\n\tvmovdqa\t%xmm1,%xmm0\n\n\tshrq\t$3,%r8\n\tje\t.L128_enc_msg_x8_check_remainder\n\n\tsubq\t$128,%rsi\n\tsubq\t$128,%rdi\n\n.L128_enc_msg_x8_loop1:\n\taddq\t$128,%rsi\n\taddq\t$128,%rdi\n\n\tvmovdqa\t%xmm0,%xmm1\n\tvmovdqa\t%xmm9,%xmm2\n\tvmovdqa\t%xmm10,%xmm3\n\tvmovdqa\t%xmm11,%xmm4\n\tvmovdqa\t%xmm12,%xmm5\n\tvmovdqa\t%xmm13,%xmm6\n\tvmovdqa\t%xmm14,%xmm7\n\n\tvmovdqu\t(%rsp),%xmm8\n\n\tvpxor\t(%rcx),%xmm1,%xmm1\n\tvpxor\t(%rcx),%xmm2,%xmm2\n\tvpxor\t(%rcx),%xmm3,%xmm3\n\tvpxor\t(%rcx),%xmm4,%xmm4\n\tvpxor\t(%rcx),%xmm5,%xmm5\n\tvpxor\t(%rcx),%xmm6,%xmm6\n\tvpxor\t(%rcx),%xmm7,%xmm7\n\tvpxor\t(%rcx),%xmm8,%xmm8\n\n\tvmovdqu\t16(%rcx),%xmm15\n\tvaesenc\t%xmm15,%xmm1,%xmm1\n\tvaesenc\t%xmm15,%xmm2,%xmm2\n\tvaesenc\t%xmm15,%xmm3,%xmm3\n\tvaesenc\t%xmm15,%xmm4,%xmm4\n\tvaesenc\t%xmm15,%xmm5,%xmm5\n\tvaesenc\t%xmm15,%xmm6,%xmm6\n\tvaesenc\t%xmm15,%xmm7,%xmm7\n\tvaesenc\t%xmm15,%xmm8,%xmm8\n\n\tvmovdqu\t(%rsp),%xmm14\n\tvpaddd\teight(%rip),%xmm14,%xmm14\n\tvmovdqu\t%xmm14,(%rsp)\n\tvmovdqu\t32(%rcx),%xmm15\n\tvaesenc\t%xmm15,%xmm1,%xmm1\n\tvaesenc\t%xmm15,%xmm2,%xmm2\n\tvaesenc\t%xmm15,%xmm3,%xmm3\n\tvaesenc\t%xmm15,%xmm4,%xmm4\n\tvaesenc\t%xmm15,%xmm5,%xmm5\n\tvaesenc\t%xmm15,%xmm6,%xmm6\n\tvaesenc\t%xmm15,%xmm7,%xmm7\n\tvaesenc\t%xmm15,%xmm8,%xmm8\n\n\tvpsubd\tone(%rip),%xmm14,%xmm14\n\tvmovdqu\t48(%rcx),%xmm15\n\tvaesenc\t%xmm15,%xmm1,%xmm1\n\tvaesenc\t%xmm15,%xmm2,%xmm2\n\tvaesenc\t%xmm15,%xmm3,%xmm3\n\tvaesenc\t%xmm15,%xmm4,%xmm4\n\tvaesenc\t%xmm15,%xmm5,%xmm5\n\tvaesenc\t%xmm15,%xmm6,%xmm6\n\tvaesenc\t%xmm15,%xmm7,%xmm7\n\tvaesenc\t%xmm15,%xmm8,%xmm8\n\n\tvpaddd\teight(%rip),%xmm0,%xmm0\n\tvmovdqu\t64(%rcx),%xmm15\n\tvaesenc\t%xmm15,%xmm1,%xmm1\n\tvaesenc\t%xmm15,%xmm2,%xmm2\n\tvaesenc\t%xmm15,%xmm3,%xmm3\n\tvaesenc\t%xmm15,%xmm4,%xmm4\n\tvaesenc\t%xmm15,%xmm5,%xmm5\n\tvaesenc\t%xmm15,%xmm6,%xmm6\n\tvaesenc\t%xmm15,%xmm7,%xmm7\n\tvaesenc\t%xmm15,%xmm8,%xmm8\n\n\tvpaddd\teight(%rip),%xmm9,%xmm9\n\tvmovdqu\t80(%rcx),%xmm15\n\tvaesenc\t%xmm15,%xmm1,%xmm1\n\tvaesenc\t%xmm15,%xmm2,%xmm2\n\tvaesenc\t%xmm15,%xmm3,%xmm3\n\tvaesenc\t%xmm15,%xmm4,%xmm4\n\tvaesenc\t%xmm15,%xmm5,%xmm5\n\tvaesenc\t%xmm15,%xmm6,%xmm6\n\tvaesenc\t%xmm15,%xmm7,%xmm7\n\tvaesenc\t%xmm15,%xmm8,%xmm8\n\n\tvpaddd\teight(%rip),%xmm10,%xmm10\n\tvmovdqu\t96(%rcx),%xmm15\n\tvaesenc\t%xmm15,%xmm1,%xmm1\n\tvaesenc\t%xmm15,%xmm2,%xmm2\n\tvaesenc\t%xmm15,%xmm3,%xmm3\n\tvaesenc\t%xmm15,%xmm4,%xmm4\n\tvaesenc\t%xmm15,%xmm5,%xmm5\n\tvaesenc\t%xmm15,%xmm6,%xmm6\n\tvaesenc\t%xmm15,%xmm7,%xmm7\n\tvaesenc\t%xmm15,%xmm8,%xmm8\n\n\tvpaddd\teight(%rip),%xmm11,%xmm11\n\tvmovdqu\t112(%rcx),%xmm15\n\tvaesenc\t%xmm15,%xmm1,%xmm1\n\tvaesenc\t%xmm15,%xmm2,%xmm2\n\tvaesenc\t%xmm15,%xmm3,%xmm3\n\tvaesenc\t%xmm15,%xmm4,%xmm4\n\tvaesenc\t%xmm15,%xmm5,%xmm5\n\tvaesenc\t%xmm15,%xmm6,%xmm6\n\tvaesenc\t%xmm15,%xmm7,%xmm7\n\tvaesenc\t%xmm15,%xmm8,%xmm8\n\n\tvpaddd\teight(%rip),%xmm12,%xmm12\n\tvmovdqu\t128(%rcx),%xmm15\n\tvaesenc\t%xmm15,%xmm1,%xmm1\n\tvaesenc\t%xmm15,%xmm2,%xmm2\n\tvaesenc\t%xmm15,%xmm3,%xmm3\n\tvaesenc\t%xmm15,%xmm4,%xmm4\n\tvaesenc\t%xmm15,%xmm5,%xmm5\n\tvaesenc\t%xmm15,%xmm6,%xmm6\n\tvaesenc\t%xmm15,%xmm7,%xmm7\n\tvaesenc\t%xmm15,%xmm8,%xmm8\n\n\tvpaddd\teight(%rip),%xmm13,%xmm13\n\tvmovdqu\t144(%rcx),%xmm15\n\tvaesenc\t%xmm15,%xmm1,%xmm1\n\tvaesenc\t%xmm15,%xmm2,%xmm2\n\tvaesenc\t%xmm15,%xmm3,%xmm3\n\tvaesenc\t%xmm15,%xmm4,%xmm4\n\tvaesenc\t%xmm15,%xmm5,%xmm5\n\tvaesenc\t%xmm15,%xmm6,%xmm6\n\tvaesenc\t%xmm15,%xmm7,%xmm7\n\tvaesenc\t%xmm15,%xmm8,%xmm8\n\n\tvmovdqu\t160(%rcx),%xmm15\n\tvaesenclast\t%xmm15,%xmm1,%xmm1\n\tvaesenclast\t%xmm15,%xmm2,%xmm2\n\tvaesenclast\t%xmm15,%xmm3,%xmm3\n\tvaesenclast\t%xmm15,%xmm4,%xmm4\n\tvaesenclast\t%xmm15,%xmm5,%xmm5\n\tvaesenclast\t%xmm15,%xmm6,%xmm6\n\tvaesenclast\t%xmm15,%xmm7,%xmm7\n\tvaesenclast\t%xmm15,%xmm8,%xmm8\n\n\n\n\tvpxor\t0(%rdi),%xmm1,%xmm1\n\tvpxor\t16(%rdi),%xmm2,%xmm2\n\tvpxor\t32(%rdi),%xmm3,%xmm3\n\tvpxor\t48(%rdi),%xmm4,%xmm4\n\tvpxor\t64(%rdi),%xmm5,%xmm5\n\tvpxor\t80(%rdi),%xmm6,%xmm6\n\tvpxor\t96(%rdi),%xmm7,%xmm7\n\tvpxor\t112(%rdi),%xmm8,%xmm8\n\n\tdecq\t%r8\n\n\tvmovdqu\t%xmm1,0(%rsi)\n\tvmovdqu\t%xmm2,16(%rsi)\n\tvmovdqu\t%xmm3,32(%rsi)\n\tvmovdqu\t%xmm4,48(%rsi)\n\tvmovdqu\t%xmm5,64(%rsi)\n\tvmovdqu\t%xmm6,80(%rsi)\n\tvmovdqu\t%xmm7,96(%rsi)\n\tvmovdqu\t%xmm8,112(%rsi)\n\n\tjne\t.L128_enc_msg_x8_loop1\n\n\taddq\t$128,%rsi\n\taddq\t$128,%rdi\n\n.L128_enc_msg_x8_check_remainder:\n\tcmpq\t$0,%r10\n\tje\t.L128_enc_msg_x8_out\n\n.L128_enc_msg_x8_loop2:\n\n\n\tvmovdqa\t%xmm0,%xmm1\n\tvpaddd\tone(%rip),%xmm0,%xmm0\n\n\tvpxor\t(%rcx),%xmm1,%xmm1\n\tvaesenc\t16(%rcx),%xmm1,%xmm1\n\tvaesenc\t32(%rcx),%xmm1,%xmm1\n\tvaesenc\t48(%rcx),%xmm1,%xmm1\n\tvaesenc\t64(%rcx),%xmm1,%xmm1\n\tvaesenc\t80(%rcx),%xmm1,%xmm1\n\tvaesenc\t96(%rcx),%xmm1,%xmm1\n\tvaesenc\t112(%rcx),%xmm1,%xmm1\n\tvaesenc\t128(%rcx),%xmm1,%xmm1\n\tvaesenc\t144(%rcx),%xmm1,%xmm1\n\tvaesenclast\t160(%rcx),%xmm1,%xmm1\n\n\n\tvpxor\t(%rdi),%xmm1,%xmm1\n\n\tvmovdqu\t%xmm1,(%rsi)\n\n\taddq\t$16,%rdi\n\taddq\t$16,%rsi\n\n\tdecq\t%r10\n\tjne\t.L128_enc_msg_x8_loop2\n\n.L128_enc_msg_x8_out:\n\tmovq\t%rbp,%rsp\n.cfi_def_cfa_register\t%rsp\n\tpopq\t%rbp\n.cfi_adjust_cfa_offset\t-8\n.cfi_restore\t%rbp\n\tpopq\t%r13\n.cfi_adjust_cfa_offset\t-8\n.cfi_restore\t%r13\n\tpopq\t%r12\n.cfi_adjust_cfa_offset\t-8\n.cfi_restore\t%r12\n\tret\n.cfi_endproc\t\n.size\taes128gcmsiv_enc_msg_x8,.-aes128gcmsiv_enc_msg_x8\n.globl\taes128gcmsiv_dec\n.hidden aes128gcmsiv_dec\n.type\taes128gcmsiv_dec,@function\n.align\t16\naes128gcmsiv_dec:\n.cfi_startproc\t\n_CET_ENDBR\n\ttestq\t$~15,%r9\n\tjnz\t.L128_dec_start\n\tret\n\n.L128_dec_start:\n\tvzeroupper\n\tvmovdqa\t(%rdx),%xmm0\n\n\n\tvmovdqu\t16(%rdx),%xmm15\n\tvpor\tOR_MASK(%rip),%xmm15,%xmm15\n\tmovq\t%rdx,%rax\n\n\tleaq\t32(%rax),%rax\n\tleaq\t32(%rcx),%rcx\n\n\tandq\t$~15,%r9\n\n\n\tcmpq\t$96,%r9\n\tjb\t.L128_dec_loop2\n\n\n\tsubq\t$96,%r9\n\tvmovdqa\t%xmm15,%xmm7\n\tvpaddd\tone(%rip),%xmm7,%xmm8\n\tvpaddd\ttwo(%rip),%xmm7,%xmm9\n\tvpaddd\tone(%rip),%xmm9,%xmm10\n\tvpaddd\ttwo(%rip),%xmm9,%xmm11\n\tvpaddd\tone(%rip),%xmm11,%xmm12\n\tvpaddd\ttwo(%rip),%xmm11,%xmm15\n\n\tvpxor\t(%r8),%xmm7,%xmm7\n\tvpxor\t(%r8),%xmm8,%xmm8\n\tvpxor\t(%r8),%xmm9,%xmm9\n\tvpxor\t(%r8),%xmm10,%xmm10\n\tvpxor\t(%r8),%xmm11,%xmm11\n\tvpxor\t(%r8),%xmm12,%xmm12\n\n\tvmovdqu\t16(%r8),%xmm4\n\tvaesenc\t%xmm4,%xmm7,%xmm7\n\tvaesenc\t%xmm4,%xmm8,%xmm8\n\tvaesenc\t%xmm4,%xmm9,%xmm9\n\tvaesenc\t%xmm4,%xmm10,%xmm10\n\tvaesenc\t%xmm4,%xmm11,%xmm11\n\tvaesenc\t%xmm4,%xmm12,%xmm12\n\n\tvmovdqu\t32(%r8),%xmm4\n\tvaesenc\t%xmm4,%xmm7,%xmm7\n\tvaesenc\t%xmm4,%xmm8,%xmm8\n\tvaesenc\t%xmm4,%xmm9,%xmm9\n\tvaesenc\t%xmm4,%xmm10,%xmm10\n\tvaesenc\t%xmm4,%xmm11,%xmm11\n\tvaesenc\t%xmm4,%xmm12,%xmm12\n\n\tvmovdqu\t48(%r8),%xmm4\n\tvaesenc\t%xmm4,%xmm7,%xmm7\n\tvaesenc\t%xmm4,%xmm8,%xmm8\n\tvaesenc\t%xmm4,%xmm9,%xmm9\n\tvaesenc\t%xmm4,%xmm10,%xmm10\n\tvaesenc\t%xmm4,%xmm11,%xmm11\n\tvaesenc\t%xmm4,%xmm12,%xmm12\n\n\tvmovdqu\t64(%r8),%xmm4\n\tvaesenc\t%xmm4,%xmm7,%xmm7\n\tvaesenc\t%xmm4,%xmm8,%xmm8\n\tvaesenc\t%xmm4,%xmm9,%xmm9\n\tvaesenc\t%xmm4,%xmm10,%xmm10\n\tvaesenc\t%xmm4,%xmm11,%xmm11\n\tvaesenc\t%xmm4,%xmm12,%xmm12\n\n\tvmovdqu\t80(%r8),%xmm4\n\tvaesenc\t%xmm4,%xmm7,%xmm7\n\tvaesenc\t%xmm4,%xmm8,%xmm8\n\tvaesenc\t%xmm4,%xmm9,%xmm9\n\tvaesenc\t%xmm4,%xmm10,%xmm10\n\tvaesenc\t%xmm4,%xmm11,%xmm11\n\tvaesenc\t%xmm4,%xmm12,%xmm12\n\n\tvmovdqu\t96(%r8),%xmm4\n\tvaesenc\t%xmm4,%xmm7,%xmm7\n\tvaesenc\t%xmm4,%xmm8,%xmm8\n\tvaesenc\t%xmm4,%xmm9,%xmm9\n\tvaesenc\t%xmm4,%xmm10,%xmm10\n\tvaesenc\t%xmm4,%xmm11,%xmm11\n\tvaesenc\t%xmm4,%xmm12,%xmm12\n\n\tvmovdqu\t112(%r8),%xmm4\n\tvaesenc\t%xmm4,%xmm7,%xmm7\n\tvaesenc\t%xmm4,%xmm8,%xmm8\n\tvaesenc\t%xmm4,%xmm9,%xmm9\n\tvaesenc\t%xmm4,%xmm10,%xmm10\n\tvaesenc\t%xmm4,%xmm11,%xmm11\n\tvaesenc\t%xmm4,%xmm12,%xmm12\n\n\tvmovdqu\t128(%r8),%xmm4\n\tvaesenc\t%xmm4,%xmm7,%xmm7\n\tvaesenc\t%xmm4,%xmm8,%xmm8\n\tvaesenc\t%xmm4,%xmm9,%xmm9\n\tvaesenc\t%xmm4,%xmm10,%xmm10\n\tvaesenc\t%xmm4,%xmm11,%xmm11\n\tvaesenc\t%xmm4,%xmm12,%xmm12\n\n\tvmovdqu\t144(%r8),%xmm4\n\tvaesenc\t%xmm4,%xmm7,%xmm7\n\tvaesenc\t%xmm4,%xmm8,%xmm8\n\tvaesenc\t%xmm4,%xmm9,%xmm9\n\tvaesenc\t%xmm4,%xmm10,%xmm10\n\tvaesenc\t%xmm4,%xmm11,%xmm11\n\tvaesenc\t%xmm4,%xmm12,%xmm12\n\n\tvmovdqu\t160(%r8),%xmm4\n\tvaesenclast\t%xmm4,%xmm7,%xmm7\n\tvaesenclast\t%xmm4,%xmm8,%xmm8\n\tvaesenclast\t%xmm4,%xmm9,%xmm9\n\tvaesenclast\t%xmm4,%xmm10,%xmm10\n\tvaesenclast\t%xmm4,%xmm11,%xmm11\n\tvaesenclast\t%xmm4,%xmm12,%xmm12\n\n\n\tvpxor\t0(%rdi),%xmm7,%xmm7\n\tvpxor\t16(%rdi),%xmm8,%xmm8\n\tvpxor\t32(%rdi),%xmm9,%xmm9\n\tvpxor\t48(%rdi),%xmm10,%xmm10\n\tvpxor\t64(%rdi),%xmm11,%xmm11\n\tvpxor\t80(%rdi),%xmm12,%xmm12\n\n\tvmovdqu\t%xmm7,0(%rsi)\n\tvmovdqu\t%xmm8,16(%rsi)\n\tvmovdqu\t%xmm9,32(%rsi)\n\tvmovdqu\t%xmm10,48(%rsi)\n\tvmovdqu\t%xmm11,64(%rsi)\n\tvmovdqu\t%xmm12,80(%rsi)\n\n\taddq\t$96,%rdi\n\taddq\t$96,%rsi\n\tjmp\t.L128_dec_loop1\n\n\n.align\t64\n.L128_dec_loop1:\n\tcmpq\t$96,%r9\n\tjb\t.L128_dec_finish_96\n\tsubq\t$96,%r9\n\n\tvmovdqa\t%xmm12,%xmm6\n\tvmovdqa\t%xmm11,16-32(%rax)\n\tvmovdqa\t%xmm10,32-32(%rax)\n\tvmovdqa\t%xmm9,48-32(%rax)\n\tvmovdqa\t%xmm8,64-32(%rax)\n\tvmovdqa\t%xmm7,80-32(%rax)\n\n\tvmovdqa\t%xmm15,%xmm7\n\tvpaddd\tone(%rip),%xmm7,%xmm8\n\tvpaddd\ttwo(%rip),%xmm7,%xmm9\n\tvpaddd\tone(%rip),%xmm9,%xmm10\n\tvpaddd\ttwo(%rip),%xmm9,%xmm11\n\tvpaddd\tone(%rip),%xmm11,%xmm12\n\tvpaddd\ttwo(%rip),%xmm11,%xmm15\n\n\tvmovdqa\t(%r8),%xmm4\n\tvpxor\t%xmm4,%xmm7,%xmm7\n\tvpxor\t%xmm4,%xmm8,%xmm8\n\tvpxor\t%xmm4,%xmm9,%xmm9\n\tvpxor\t%xmm4,%xmm10,%xmm10\n\tvpxor\t%xmm4,%xmm11,%xmm11\n\tvpxor\t%xmm4,%xmm12,%xmm12\n\n\tvmovdqu\t0-32(%rcx),%xmm4\n\tvpclmulqdq\t$0x11,%xmm4,%xmm6,%xmm2\n\tvpclmulqdq\t$0x00,%xmm4,%xmm6,%xmm3\n\tvpclmulqdq\t$0x01,%xmm4,%xmm6,%xmm1\n\tvpclmulqdq\t$0x10,%xmm4,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm1,%xmm1\n\n\tvmovdqu\t16(%r8),%xmm4\n\tvaesenc\t%xmm4,%xmm7,%xmm7\n\tvaesenc\t%xmm4,%xmm8,%xmm8\n\tvaesenc\t%xmm4,%xmm9,%xmm9\n\tvaesenc\t%xmm4,%xmm10,%xmm10\n\tvaesenc\t%xmm4,%xmm11,%xmm11\n\tvaesenc\t%xmm4,%xmm12,%xmm12\n\n\tvmovdqu\t-16(%rax),%xmm6\n\tvmovdqu\t-16(%rcx),%xmm13\n\n\tvpclmulqdq\t$0x10,%xmm13,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm1,%xmm1\n\tvpclmulqdq\t$0x11,%xmm13,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm2,%xmm2\n\tvpclmulqdq\t$0x00,%xmm13,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm3,%xmm3\n\tvpclmulqdq\t$0x01,%xmm13,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm1,%xmm1\n\n\n\tvmovdqu\t32(%r8),%xmm4\n\tvaesenc\t%xmm4,%xmm7,%xmm7\n\tvaesenc\t%xmm4,%xmm8,%xmm8\n\tvaesenc\t%xmm4,%xmm9,%xmm9\n\tvaesenc\t%xmm4,%xmm10,%xmm10\n\tvaesenc\t%xmm4,%xmm11,%xmm11\n\tvaesenc\t%xmm4,%xmm12,%xmm12\n\n\tvmovdqu\t0(%rax),%xmm6\n\tvmovdqu\t0(%rcx),%xmm13\n\n\tvpclmulqdq\t$0x10,%xmm13,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm1,%xmm1\n\tvpclmulqdq\t$0x11,%xmm13,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm2,%xmm2\n\tvpclmulqdq\t$0x00,%xmm13,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm3,%xmm3\n\tvpclmulqdq\t$0x01,%xmm13,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm1,%xmm1\n\n\n\tvmovdqu\t48(%r8),%xmm4\n\tvaesenc\t%xmm4,%xmm7,%xmm7\n\tvaesenc\t%xmm4,%xmm8,%xmm8\n\tvaesenc\t%xmm4,%xmm9,%xmm9\n\tvaesenc\t%xmm4,%xmm10,%xmm10\n\tvaesenc\t%xmm4,%xmm11,%xmm11\n\tvaesenc\t%xmm4,%xmm12,%xmm12\n\n\tvmovdqu\t16(%rax),%xmm6\n\tvmovdqu\t16(%rcx),%xmm13\n\n\tvpclmulqdq\t$0x10,%xmm13,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm1,%xmm1\n\tvpclmulqdq\t$0x11,%xmm13,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm2,%xmm2\n\tvpclmulqdq\t$0x00,%xmm13,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm3,%xmm3\n\tvpclmulqdq\t$0x01,%xmm13,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm1,%xmm1\n\n\n\tvmovdqu\t64(%r8),%xmm4\n\tvaesenc\t%xmm4,%xmm7,%xmm7\n\tvaesenc\t%xmm4,%xmm8,%xmm8\n\tvaesenc\t%xmm4,%xmm9,%xmm9\n\tvaesenc\t%xmm4,%xmm10,%xmm10\n\tvaesenc\t%xmm4,%xmm11,%xmm11\n\tvaesenc\t%xmm4,%xmm12,%xmm12\n\n\tvmovdqu\t32(%rax),%xmm6\n\tvmovdqu\t32(%rcx),%xmm13\n\n\tvpclmulqdq\t$0x10,%xmm13,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm1,%xmm1\n\tvpclmulqdq\t$0x11,%xmm13,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm2,%xmm2\n\tvpclmulqdq\t$0x00,%xmm13,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm3,%xmm3\n\tvpclmulqdq\t$0x01,%xmm13,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm1,%xmm1\n\n\n\tvmovdqu\t80(%r8),%xmm4\n\tvaesenc\t%xmm4,%xmm7,%xmm7\n\tvaesenc\t%xmm4,%xmm8,%xmm8\n\tvaesenc\t%xmm4,%xmm9,%xmm9\n\tvaesenc\t%xmm4,%xmm10,%xmm10\n\tvaesenc\t%xmm4,%xmm11,%xmm11\n\tvaesenc\t%xmm4,%xmm12,%xmm12\n\n\tvmovdqu\t96(%r8),%xmm4\n\tvaesenc\t%xmm4,%xmm7,%xmm7\n\tvaesenc\t%xmm4,%xmm8,%xmm8\n\tvaesenc\t%xmm4,%xmm9,%xmm9\n\tvaesenc\t%xmm4,%xmm10,%xmm10\n\tvaesenc\t%xmm4,%xmm11,%xmm11\n\tvaesenc\t%xmm4,%xmm12,%xmm12\n\n\tvmovdqu\t112(%r8),%xmm4\n\tvaesenc\t%xmm4,%xmm7,%xmm7\n\tvaesenc\t%xmm4,%xmm8,%xmm8\n\tvaesenc\t%xmm4,%xmm9,%xmm9\n\tvaesenc\t%xmm4,%xmm10,%xmm10\n\tvaesenc\t%xmm4,%xmm11,%xmm11\n\tvaesenc\t%xmm4,%xmm12,%xmm12\n\n\n\tvmovdqa\t80-32(%rax),%xmm6\n\tvpxor\t%xmm0,%xmm6,%xmm6\n\tvmovdqu\t80-32(%rcx),%xmm5\n\n\tvpclmulqdq\t$0x01,%xmm5,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm1,%xmm1\n\tvpclmulqdq\t$0x11,%xmm5,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm2,%xmm2\n\tvpclmulqdq\t$0x00,%xmm5,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm3,%xmm3\n\tvpclmulqdq\t$0x10,%xmm5,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm1,%xmm1\n\n\tvmovdqu\t128(%r8),%xmm4\n\tvaesenc\t%xmm4,%xmm7,%xmm7\n\tvaesenc\t%xmm4,%xmm8,%xmm8\n\tvaesenc\t%xmm4,%xmm9,%xmm9\n\tvaesenc\t%xmm4,%xmm10,%xmm10\n\tvaesenc\t%xmm4,%xmm11,%xmm11\n\tvaesenc\t%xmm4,%xmm12,%xmm12\n\n\n\tvpsrldq\t$8,%xmm1,%xmm4\n\tvpxor\t%xmm4,%xmm2,%xmm5\n\tvpslldq\t$8,%xmm1,%xmm4\n\tvpxor\t%xmm4,%xmm3,%xmm0\n\n\tvmovdqa\tpoly(%rip),%xmm3\n\n\tvmovdqu\t144(%r8),%xmm4\n\tvaesenc\t%xmm4,%xmm7,%xmm7\n\tvaesenc\t%xmm4,%xmm8,%xmm8\n\tvaesenc\t%xmm4,%xmm9,%xmm9\n\tvaesenc\t%xmm4,%xmm10,%xmm10\n\tvaesenc\t%xmm4,%xmm11,%xmm11\n\tvaesenc\t%xmm4,%xmm12,%xmm12\n\n\tvmovdqu\t160(%r8),%xmm6\n\tvpalignr\t$8,%xmm0,%xmm0,%xmm2\n\tvpclmulqdq\t$0x10,%xmm3,%xmm0,%xmm0\n\tvpxor\t%xmm0,%xmm2,%xmm0\n\n\tvpxor\t0(%rdi),%xmm6,%xmm4\n\tvaesenclast\t%xmm4,%xmm7,%xmm7\n\tvpxor\t16(%rdi),%xmm6,%xmm4\n\tvaesenclast\t%xmm4,%xmm8,%xmm8\n\tvpxor\t32(%rdi),%xmm6,%xmm4\n\tvaesenclast\t%xmm4,%xmm9,%xmm9\n\tvpxor\t48(%rdi),%xmm6,%xmm4\n\tvaesenclast\t%xmm4,%xmm10,%xmm10\n\tvpxor\t64(%rdi),%xmm6,%xmm4\n\tvaesenclast\t%xmm4,%xmm11,%xmm11\n\tvpxor\t80(%rdi),%xmm6,%xmm4\n\tvaesenclast\t%xmm4,%xmm12,%xmm12\n\n\tvpalignr\t$8,%xmm0,%xmm0,%xmm2\n\tvpclmulqdq\t$0x10,%xmm3,%xmm0,%xmm0\n\tvpxor\t%xmm0,%xmm2,%xmm0\n\n\tvmovdqu\t%xmm7,0(%rsi)\n\tvmovdqu\t%xmm8,16(%rsi)\n\tvmovdqu\t%xmm9,32(%rsi)\n\tvmovdqu\t%xmm10,48(%rsi)\n\tvmovdqu\t%xmm11,64(%rsi)\n\tvmovdqu\t%xmm12,80(%rsi)\n\n\tvpxor\t%xmm5,%xmm0,%xmm0\n\n\tleaq\t96(%rdi),%rdi\n\tleaq\t96(%rsi),%rsi\n\tjmp\t.L128_dec_loop1\n\n.L128_dec_finish_96:\n\tvmovdqa\t%xmm12,%xmm6\n\tvmovdqa\t%xmm11,16-32(%rax)\n\tvmovdqa\t%xmm10,32-32(%rax)\n\tvmovdqa\t%xmm9,48-32(%rax)\n\tvmovdqa\t%xmm8,64-32(%rax)\n\tvmovdqa\t%xmm7,80-32(%rax)\n\n\tvmovdqu\t0-32(%rcx),%xmm4\n\tvpclmulqdq\t$0x10,%xmm4,%xmm6,%xmm1\n\tvpclmulqdq\t$0x11,%xmm4,%xmm6,%xmm2\n\tvpclmulqdq\t$0x00,%xmm4,%xmm6,%xmm3\n\tvpclmulqdq\t$0x01,%xmm4,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm1,%xmm1\n\n\tvmovdqu\t-16(%rax),%xmm6\n\tvmovdqu\t-16(%rcx),%xmm13\n\n\tvpclmulqdq\t$0x10,%xmm13,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm1,%xmm1\n\tvpclmulqdq\t$0x11,%xmm13,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm2,%xmm2\n\tvpclmulqdq\t$0x00,%xmm13,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm3,%xmm3\n\tvpclmulqdq\t$0x01,%xmm13,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm1,%xmm1\n\n\tvmovdqu\t0(%rax),%xmm6\n\tvmovdqu\t0(%rcx),%xmm13\n\n\tvpclmulqdq\t$0x10,%xmm13,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm1,%xmm1\n\tvpclmulqdq\t$0x11,%xmm13,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm2,%xmm2\n\tvpclmulqdq\t$0x00,%xmm13,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm3,%xmm3\n\tvpclmulqdq\t$0x01,%xmm13,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm1,%xmm1\n\n\tvmovdqu\t16(%rax),%xmm6\n\tvmovdqu\t16(%rcx),%xmm13\n\n\tvpclmulqdq\t$0x10,%xmm13,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm1,%xmm1\n\tvpclmulqdq\t$0x11,%xmm13,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm2,%xmm2\n\tvpclmulqdq\t$0x00,%xmm13,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm3,%xmm3\n\tvpclmulqdq\t$0x01,%xmm13,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm1,%xmm1\n\n\tvmovdqu\t32(%rax),%xmm6\n\tvmovdqu\t32(%rcx),%xmm13\n\n\tvpclmulqdq\t$0x10,%xmm13,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm1,%xmm1\n\tvpclmulqdq\t$0x11,%xmm13,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm2,%xmm2\n\tvpclmulqdq\t$0x00,%xmm13,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm3,%xmm3\n\tvpclmulqdq\t$0x01,%xmm13,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm1,%xmm1\n\n\n\tvmovdqu\t80-32(%rax),%xmm6\n\tvpxor\t%xmm0,%xmm6,%xmm6\n\tvmovdqu\t80-32(%rcx),%xmm5\n\tvpclmulqdq\t$0x11,%xmm5,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm2,%xmm2\n\tvpclmulqdq\t$0x00,%xmm5,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm3,%xmm3\n\tvpclmulqdq\t$0x10,%xmm5,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm1,%xmm1\n\tvpclmulqdq\t$0x01,%xmm5,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm1,%xmm1\n\n\tvpsrldq\t$8,%xmm1,%xmm4\n\tvpxor\t%xmm4,%xmm2,%xmm5\n\tvpslldq\t$8,%xmm1,%xmm4\n\tvpxor\t%xmm4,%xmm3,%xmm0\n\n\tvmovdqa\tpoly(%rip),%xmm3\n\n\tvpalignr\t$8,%xmm0,%xmm0,%xmm2\n\tvpclmulqdq\t$0x10,%xmm3,%xmm0,%xmm0\n\tvpxor\t%xmm0,%xmm2,%xmm0\n\n\tvpalignr\t$8,%xmm0,%xmm0,%xmm2\n\tvpclmulqdq\t$0x10,%xmm3,%xmm0,%xmm0\n\tvpxor\t%xmm0,%xmm2,%xmm0\n\n\tvpxor\t%xmm5,%xmm0,%xmm0\n\n.L128_dec_loop2:\n\n\n\n\tcmpq\t$16,%r9\n\tjb\t.L128_dec_out\n\tsubq\t$16,%r9\n\n\tvmovdqa\t%xmm15,%xmm2\n\tvpaddd\tone(%rip),%xmm15,%xmm15\n\n\tvpxor\t0(%r8),%xmm2,%xmm2\n\tvaesenc\t16(%r8),%xmm2,%xmm2\n\tvaesenc\t32(%r8),%xmm2,%xmm2\n\tvaesenc\t48(%r8),%xmm2,%xmm2\n\tvaesenc\t64(%r8),%xmm2,%xmm2\n\tvaesenc\t80(%r8),%xmm2,%xmm2\n\tvaesenc\t96(%r8),%xmm2,%xmm2\n\tvaesenc\t112(%r8),%xmm2,%xmm2\n\tvaesenc\t128(%r8),%xmm2,%xmm2\n\tvaesenc\t144(%r8),%xmm2,%xmm2\n\tvaesenclast\t160(%r8),%xmm2,%xmm2\n\tvpxor\t(%rdi),%xmm2,%xmm2\n\tvmovdqu\t%xmm2,(%rsi)\n\taddq\t$16,%rdi\n\taddq\t$16,%rsi\n\n\tvpxor\t%xmm2,%xmm0,%xmm0\n\tvmovdqa\t-32(%rcx),%xmm1\n\tcall\tGFMUL\n\n\tjmp\t.L128_dec_loop2\n\n.L128_dec_out:\n\tvmovdqu\t%xmm0,(%rdx)\n\tret\n.cfi_endproc\t\n.size\taes128gcmsiv_dec, .-aes128gcmsiv_dec\n.globl\taes128gcmsiv_ecb_enc_block\n.hidden aes128gcmsiv_ecb_enc_block\n.type\taes128gcmsiv_ecb_enc_block,@function\n.align\t16\naes128gcmsiv_ecb_enc_block:\n.cfi_startproc\t\n_CET_ENDBR\n\tvmovdqa\t(%rdi),%xmm1\n\n\tvpxor\t(%rdx),%xmm1,%xmm1\n\tvaesenc\t16(%rdx),%xmm1,%xmm1\n\tvaesenc\t32(%rdx),%xmm1,%xmm1\n\tvaesenc\t48(%rdx),%xmm1,%xmm1\n\tvaesenc\t64(%rdx),%xmm1,%xmm1\n\tvaesenc\t80(%rdx),%xmm1,%xmm1\n\tvaesenc\t96(%rdx),%xmm1,%xmm1\n\tvaesenc\t112(%rdx),%xmm1,%xmm1\n\tvaesenc\t128(%rdx),%xmm1,%xmm1\n\tvaesenc\t144(%rdx),%xmm1,%xmm1\n\tvaesenclast\t160(%rdx),%xmm1,%xmm1\n\n\tvmovdqa\t%xmm1,(%rsi)\n\n\tret\n.cfi_endproc\t\n.size\taes128gcmsiv_ecb_enc_block,.-aes128gcmsiv_ecb_enc_block\n.globl\taes256gcmsiv_aes_ks_enc_x1\n.hidden aes256gcmsiv_aes_ks_enc_x1\n.type\taes256gcmsiv_aes_ks_enc_x1,@function\n.align\t16\naes256gcmsiv_aes_ks_enc_x1:\n.cfi_startproc\t\n_CET_ENDBR\n\tvmovdqa\tcon1(%rip),%xmm0\n\tvmovdqa\tmask(%rip),%xmm15\n\tvmovdqa\t(%rdi),%xmm8\n\tvmovdqa\t(%rcx),%xmm1\n\tvmovdqa\t16(%rcx),%xmm3\n\tvpxor\t%xmm1,%xmm8,%xmm8\n\tvaesenc\t%xmm3,%xmm8,%xmm8\n\tvmovdqu\t%xmm1,(%rdx)\n\tvmovdqu\t%xmm3,16(%rdx)\n\tvpxor\t%xmm14,%xmm14,%xmm14\n\n\tvpshufb\t%xmm15,%xmm3,%xmm2\n\tvaesenclast\t%xmm0,%xmm2,%xmm2\n\tvpslld\t$1,%xmm0,%xmm0\n\tvpslldq\t$4,%xmm1,%xmm4\n\tvpxor\t%xmm4,%xmm1,%xmm1\n\tvpslldq\t$4,%xmm4,%xmm4\n\tvpxor\t%xmm4,%xmm1,%xmm1\n\tvpslldq\t$4,%xmm4,%xmm4\n\tvpxor\t%xmm4,%xmm1,%xmm1\n\tvpxor\t%xmm2,%xmm1,%xmm1\n\tvaesenc\t%xmm1,%xmm8,%xmm8\n\tvmovdqu\t%xmm1,32(%rdx)\n\n\tvpshufd\t$0xff,%xmm1,%xmm2\n\tvaesenclast\t%xmm14,%xmm2,%xmm2\n\tvpslldq\t$4,%xmm3,%xmm4\n\tvpxor\t%xmm4,%xmm3,%xmm3\n\tvpslldq\t$4,%xmm4,%xmm4\n\tvpxor\t%xmm4,%xmm3,%xmm3\n\tvpslldq\t$4,%xmm4,%xmm4\n\tvpxor\t%xmm4,%xmm3,%xmm3\n\tvpxor\t%xmm2,%xmm3,%xmm3\n\tvaesenc\t%xmm3,%xmm8,%xmm8\n\tvmovdqu\t%xmm3,48(%rdx)\n\n\tvpshufb\t%xmm15,%xmm3,%xmm2\n\tvaesenclast\t%xmm0,%xmm2,%xmm2\n\tvpslld\t$1,%xmm0,%xmm0\n\tvpslldq\t$4,%xmm1,%xmm4\n\tvpxor\t%xmm4,%xmm1,%xmm1\n\tvpslldq\t$4,%xmm4,%xmm4\n\tvpxor\t%xmm4,%xmm1,%xmm1\n\tvpslldq\t$4,%xmm4,%xmm4\n\tvpxor\t%xmm4,%xmm1,%xmm1\n\tvpxor\t%xmm2,%xmm1,%xmm1\n\tvaesenc\t%xmm1,%xmm8,%xmm8\n\tvmovdqu\t%xmm1,64(%rdx)\n\n\tvpshufd\t$0xff,%xmm1,%xmm2\n\tvaesenclast\t%xmm14,%xmm2,%xmm2\n\tvpslldq\t$4,%xmm3,%xmm4\n\tvpxor\t%xmm4,%xmm3,%xmm3\n\tvpslldq\t$4,%xmm4,%xmm4\n\tvpxor\t%xmm4,%xmm3,%xmm3\n\tvpslldq\t$4,%xmm4,%xmm4\n\tvpxor\t%xmm4,%xmm3,%xmm3\n\tvpxor\t%xmm2,%xmm3,%xmm3\n\tvaesenc\t%xmm3,%xmm8,%xmm8\n\tvmovdqu\t%xmm3,80(%rdx)\n\n\tvpshufb\t%xmm15,%xmm3,%xmm2\n\tvaesenclast\t%xmm0,%xmm2,%xmm2\n\tvpslld\t$1,%xmm0,%xmm0\n\tvpslldq\t$4,%xmm1,%xmm4\n\tvpxor\t%xmm4,%xmm1,%xmm1\n\tvpslldq\t$4,%xmm4,%xmm4\n\tvpxor\t%xmm4,%xmm1,%xmm1\n\tvpslldq\t$4,%xmm4,%xmm4\n\tvpxor\t%xmm4,%xmm1,%xmm1\n\tvpxor\t%xmm2,%xmm1,%xmm1\n\tvaesenc\t%xmm1,%xmm8,%xmm8\n\tvmovdqu\t%xmm1,96(%rdx)\n\n\tvpshufd\t$0xff,%xmm1,%xmm2\n\tvaesenclast\t%xmm14,%xmm2,%xmm2\n\tvpslldq\t$4,%xmm3,%xmm4\n\tvpxor\t%xmm4,%xmm3,%xmm3\n\tvpslldq\t$4,%xmm4,%xmm4\n\tvpxor\t%xmm4,%xmm3,%xmm3\n\tvpslldq\t$4,%xmm4,%xmm4\n\tvpxor\t%xmm4,%xmm3,%xmm3\n\tvpxor\t%xmm2,%xmm3,%xmm3\n\tvaesenc\t%xmm3,%xmm8,%xmm8\n\tvmovdqu\t%xmm3,112(%rdx)\n\n\tvpshufb\t%xmm15,%xmm3,%xmm2\n\tvaesenclast\t%xmm0,%xmm2,%xmm2\n\tvpslld\t$1,%xmm0,%xmm0\n\tvpslldq\t$4,%xmm1,%xmm4\n\tvpxor\t%xmm4,%xmm1,%xmm1\n\tvpslldq\t$4,%xmm4,%xmm4\n\tvpxor\t%xmm4,%xmm1,%xmm1\n\tvpslldq\t$4,%xmm4,%xmm4\n\tvpxor\t%xmm4,%xmm1,%xmm1\n\tvpxor\t%xmm2,%xmm1,%xmm1\n\tvaesenc\t%xmm1,%xmm8,%xmm8\n\tvmovdqu\t%xmm1,128(%rdx)\n\n\tvpshufd\t$0xff,%xmm1,%xmm2\n\tvaesenclast\t%xmm14,%xmm2,%xmm2\n\tvpslldq\t$4,%xmm3,%xmm4\n\tvpxor\t%xmm4,%xmm3,%xmm3\n\tvpslldq\t$4,%xmm4,%xmm4\n\tvpxor\t%xmm4,%xmm3,%xmm3\n\tvpslldq\t$4,%xmm4,%xmm4\n\tvpxor\t%xmm4,%xmm3,%xmm3\n\tvpxor\t%xmm2,%xmm3,%xmm3\n\tvaesenc\t%xmm3,%xmm8,%xmm8\n\tvmovdqu\t%xmm3,144(%rdx)\n\n\tvpshufb\t%xmm15,%xmm3,%xmm2\n\tvaesenclast\t%xmm0,%xmm2,%xmm2\n\tvpslld\t$1,%xmm0,%xmm0\n\tvpslldq\t$4,%xmm1,%xmm4\n\tvpxor\t%xmm4,%xmm1,%xmm1\n\tvpslldq\t$4,%xmm4,%xmm4\n\tvpxor\t%xmm4,%xmm1,%xmm1\n\tvpslldq\t$4,%xmm4,%xmm4\n\tvpxor\t%xmm4,%xmm1,%xmm1\n\tvpxor\t%xmm2,%xmm1,%xmm1\n\tvaesenc\t%xmm1,%xmm8,%xmm8\n\tvmovdqu\t%xmm1,160(%rdx)\n\n\tvpshufd\t$0xff,%xmm1,%xmm2\n\tvaesenclast\t%xmm14,%xmm2,%xmm2\n\tvpslldq\t$4,%xmm3,%xmm4\n\tvpxor\t%xmm4,%xmm3,%xmm3\n\tvpslldq\t$4,%xmm4,%xmm4\n\tvpxor\t%xmm4,%xmm3,%xmm3\n\tvpslldq\t$4,%xmm4,%xmm4\n\tvpxor\t%xmm4,%xmm3,%xmm3\n\tvpxor\t%xmm2,%xmm3,%xmm3\n\tvaesenc\t%xmm3,%xmm8,%xmm8\n\tvmovdqu\t%xmm3,176(%rdx)\n\n\tvpshufb\t%xmm15,%xmm3,%xmm2\n\tvaesenclast\t%xmm0,%xmm2,%xmm2\n\tvpslld\t$1,%xmm0,%xmm0\n\tvpslldq\t$4,%xmm1,%xmm4\n\tvpxor\t%xmm4,%xmm1,%xmm1\n\tvpslldq\t$4,%xmm4,%xmm4\n\tvpxor\t%xmm4,%xmm1,%xmm1\n\tvpslldq\t$4,%xmm4,%xmm4\n\tvpxor\t%xmm4,%xmm1,%xmm1\n\tvpxor\t%xmm2,%xmm1,%xmm1\n\tvaesenc\t%xmm1,%xmm8,%xmm8\n\tvmovdqu\t%xmm1,192(%rdx)\n\n\tvpshufd\t$0xff,%xmm1,%xmm2\n\tvaesenclast\t%xmm14,%xmm2,%xmm2\n\tvpslldq\t$4,%xmm3,%xmm4\n\tvpxor\t%xmm4,%xmm3,%xmm3\n\tvpslldq\t$4,%xmm4,%xmm4\n\tvpxor\t%xmm4,%xmm3,%xmm3\n\tvpslldq\t$4,%xmm4,%xmm4\n\tvpxor\t%xmm4,%xmm3,%xmm3\n\tvpxor\t%xmm2,%xmm3,%xmm3\n\tvaesenc\t%xmm3,%xmm8,%xmm8\n\tvmovdqu\t%xmm3,208(%rdx)\n\n\tvpshufb\t%xmm15,%xmm3,%xmm2\n\tvaesenclast\t%xmm0,%xmm2,%xmm2\n\tvpslldq\t$4,%xmm1,%xmm4\n\tvpxor\t%xmm4,%xmm1,%xmm1\n\tvpslldq\t$4,%xmm4,%xmm4\n\tvpxor\t%xmm4,%xmm1,%xmm1\n\tvpslldq\t$4,%xmm4,%xmm4\n\tvpxor\t%xmm4,%xmm1,%xmm1\n\tvpxor\t%xmm2,%xmm1,%xmm1\n\tvaesenclast\t%xmm1,%xmm8,%xmm8\n\tvmovdqu\t%xmm1,224(%rdx)\n\n\tvmovdqa\t%xmm8,(%rsi)\n\tret\n.cfi_endproc\t\n.size\taes256gcmsiv_aes_ks_enc_x1,.-aes256gcmsiv_aes_ks_enc_x1\n.globl\taes256gcmsiv_ecb_enc_block\n.hidden aes256gcmsiv_ecb_enc_block\n.type\taes256gcmsiv_ecb_enc_block,@function\n.align\t16\naes256gcmsiv_ecb_enc_block:\n.cfi_startproc\t\n_CET_ENDBR\n\tvmovdqa\t(%rdi),%xmm1\n\tvpxor\t(%rdx),%xmm1,%xmm1\n\tvaesenc\t16(%rdx),%xmm1,%xmm1\n\tvaesenc\t32(%rdx),%xmm1,%xmm1\n\tvaesenc\t48(%rdx),%xmm1,%xmm1\n\tvaesenc\t64(%rdx),%xmm1,%xmm1\n\tvaesenc\t80(%rdx),%xmm1,%xmm1\n\tvaesenc\t96(%rdx),%xmm1,%xmm1\n\tvaesenc\t112(%rdx),%xmm1,%xmm1\n\tvaesenc\t128(%rdx),%xmm1,%xmm1\n\tvaesenc\t144(%rdx),%xmm1,%xmm1\n\tvaesenc\t160(%rdx),%xmm1,%xmm1\n\tvaesenc\t176(%rdx),%xmm1,%xmm1\n\tvaesenc\t192(%rdx),%xmm1,%xmm1\n\tvaesenc\t208(%rdx),%xmm1,%xmm1\n\tvaesenclast\t224(%rdx),%xmm1,%xmm1\n\tvmovdqa\t%xmm1,(%rsi)\n\tret\n.cfi_endproc\t\n.size\taes256gcmsiv_ecb_enc_block,.-aes256gcmsiv_ecb_enc_block\n.globl\taes256gcmsiv_enc_msg_x4\n.hidden aes256gcmsiv_enc_msg_x4\n.type\taes256gcmsiv_enc_msg_x4,@function\n.align\t16\naes256gcmsiv_enc_msg_x4:\n.cfi_startproc\t\n_CET_ENDBR\n\ttestq\t%r8,%r8\n\tjnz\t.L256_enc_msg_x4_start\n\tret\n\n.L256_enc_msg_x4_start:\n\tmovq\t%r8,%r10\n\tshrq\t$4,%r8\n\tshlq\t$60,%r10\n\tjz\t.L256_enc_msg_x4_start2\n\taddq\t$1,%r8\n\n.L256_enc_msg_x4_start2:\n\tmovq\t%r8,%r10\n\tshlq\t$62,%r10\n\tshrq\t$62,%r10\n\n\n\tvmovdqa\t(%rdx),%xmm15\n\tvpor\tOR_MASK(%rip),%xmm15,%xmm15\n\n\tvmovdqa\tfour(%rip),%xmm4\n\tvmovdqa\t%xmm15,%xmm0\n\tvpaddd\tone(%rip),%xmm15,%xmm1\n\tvpaddd\ttwo(%rip),%xmm15,%xmm2\n\tvpaddd\tthree(%rip),%xmm15,%xmm3\n\n\tshrq\t$2,%r8\n\tje\t.L256_enc_msg_x4_check_remainder\n\n\tsubq\t$64,%rsi\n\tsubq\t$64,%rdi\n\n.L256_enc_msg_x4_loop1:\n\taddq\t$64,%rsi\n\taddq\t$64,%rdi\n\n\tvmovdqa\t%xmm0,%xmm5\n\tvmovdqa\t%xmm1,%xmm6\n\tvmovdqa\t%xmm2,%xmm7\n\tvmovdqa\t%xmm3,%xmm8\n\n\tvpxor\t(%rcx),%xmm5,%xmm5\n\tvpxor\t(%rcx),%xmm6,%xmm6\n\tvpxor\t(%rcx),%xmm7,%xmm7\n\tvpxor\t(%rcx),%xmm8,%xmm8\n\n\tvmovdqu\t16(%rcx),%xmm12\n\tvaesenc\t%xmm12,%xmm5,%xmm5\n\tvaesenc\t%xmm12,%xmm6,%xmm6\n\tvaesenc\t%xmm12,%xmm7,%xmm7\n\tvaesenc\t%xmm12,%xmm8,%xmm8\n\n\tvpaddd\t%xmm4,%xmm0,%xmm0\n\tvmovdqu\t32(%rcx),%xmm12\n\tvaesenc\t%xmm12,%xmm5,%xmm5\n\tvaesenc\t%xmm12,%xmm6,%xmm6\n\tvaesenc\t%xmm12,%xmm7,%xmm7\n\tvaesenc\t%xmm12,%xmm8,%xmm8\n\n\tvpaddd\t%xmm4,%xmm1,%xmm1\n\tvmovdqu\t48(%rcx),%xmm12\n\tvaesenc\t%xmm12,%xmm5,%xmm5\n\tvaesenc\t%xmm12,%xmm6,%xmm6\n\tvaesenc\t%xmm12,%xmm7,%xmm7\n\tvaesenc\t%xmm12,%xmm8,%xmm8\n\n\tvpaddd\t%xmm4,%xmm2,%xmm2\n\tvmovdqu\t64(%rcx),%xmm12\n\tvaesenc\t%xmm12,%xmm5,%xmm5\n\tvaesenc\t%xmm12,%xmm6,%xmm6\n\tvaesenc\t%xmm12,%xmm7,%xmm7\n\tvaesenc\t%xmm12,%xmm8,%xmm8\n\n\tvpaddd\t%xmm4,%xmm3,%xmm3\n\n\tvmovdqu\t80(%rcx),%xmm12\n\tvaesenc\t%xmm12,%xmm5,%xmm5\n\tvaesenc\t%xmm12,%xmm6,%xmm6\n\tvaesenc\t%xmm12,%xmm7,%xmm7\n\tvaesenc\t%xmm12,%xmm8,%xmm8\n\n\tvmovdqu\t96(%rcx),%xmm12\n\tvaesenc\t%xmm12,%xmm5,%xmm5\n\tvaesenc\t%xmm12,%xmm6,%xmm6\n\tvaesenc\t%xmm12,%xmm7,%xmm7\n\tvaesenc\t%xmm12,%xmm8,%xmm8\n\n\tvmovdqu\t112(%rcx),%xmm12\n\tvaesenc\t%xmm12,%xmm5,%xmm5\n\tvaesenc\t%xmm12,%xmm6,%xmm6\n\tvaesenc\t%xmm12,%xmm7,%xmm7\n\tvaesenc\t%xmm12,%xmm8,%xmm8\n\n\tvmovdqu\t128(%rcx),%xmm12\n\tvaesenc\t%xmm12,%xmm5,%xmm5\n\tvaesenc\t%xmm12,%xmm6,%xmm6\n\tvaesenc\t%xmm12,%xmm7,%xmm7\n\tvaesenc\t%xmm12,%xmm8,%xmm8\n\n\tvmovdqu\t144(%rcx),%xmm12\n\tvaesenc\t%xmm12,%xmm5,%xmm5\n\tvaesenc\t%xmm12,%xmm6,%xmm6\n\tvaesenc\t%xmm12,%xmm7,%xmm7\n\tvaesenc\t%xmm12,%xmm8,%xmm8\n\n\tvmovdqu\t160(%rcx),%xmm12\n\tvaesenc\t%xmm12,%xmm5,%xmm5\n\tvaesenc\t%xmm12,%xmm6,%xmm6\n\tvaesenc\t%xmm12,%xmm7,%xmm7\n\tvaesenc\t%xmm12,%xmm8,%xmm8\n\n\tvmovdqu\t176(%rcx),%xmm12\n\tvaesenc\t%xmm12,%xmm5,%xmm5\n\tvaesenc\t%xmm12,%xmm6,%xmm6\n\tvaesenc\t%xmm12,%xmm7,%xmm7\n\tvaesenc\t%xmm12,%xmm8,%xmm8\n\n\tvmovdqu\t192(%rcx),%xmm12\n\tvaesenc\t%xmm12,%xmm5,%xmm5\n\tvaesenc\t%xmm12,%xmm6,%xmm6\n\tvaesenc\t%xmm12,%xmm7,%xmm7\n\tvaesenc\t%xmm12,%xmm8,%xmm8\n\n\tvmovdqu\t208(%rcx),%xmm12\n\tvaesenc\t%xmm12,%xmm5,%xmm5\n\tvaesenc\t%xmm12,%xmm6,%xmm6\n\tvaesenc\t%xmm12,%xmm7,%xmm7\n\tvaesenc\t%xmm12,%xmm8,%xmm8\n\n\tvmovdqu\t224(%rcx),%xmm12\n\tvaesenclast\t%xmm12,%xmm5,%xmm5\n\tvaesenclast\t%xmm12,%xmm6,%xmm6\n\tvaesenclast\t%xmm12,%xmm7,%xmm7\n\tvaesenclast\t%xmm12,%xmm8,%xmm8\n\n\n\n\tvpxor\t0(%rdi),%xmm5,%xmm5\n\tvpxor\t16(%rdi),%xmm6,%xmm6\n\tvpxor\t32(%rdi),%xmm7,%xmm7\n\tvpxor\t48(%rdi),%xmm8,%xmm8\n\n\tsubq\t$1,%r8\n\n\tvmovdqu\t%xmm5,0(%rsi)\n\tvmovdqu\t%xmm6,16(%rsi)\n\tvmovdqu\t%xmm7,32(%rsi)\n\tvmovdqu\t%xmm8,48(%rsi)\n\n\tjne\t.L256_enc_msg_x4_loop1\n\n\taddq\t$64,%rsi\n\taddq\t$64,%rdi\n\n.L256_enc_msg_x4_check_remainder:\n\tcmpq\t$0,%r10\n\tje\t.L256_enc_msg_x4_out\n\n.L256_enc_msg_x4_loop2:\n\n\n\n\tvmovdqa\t%xmm0,%xmm5\n\tvpaddd\tone(%rip),%xmm0,%xmm0\n\tvpxor\t(%rcx),%xmm5,%xmm5\n\tvaesenc\t16(%rcx),%xmm5,%xmm5\n\tvaesenc\t32(%rcx),%xmm5,%xmm5\n\tvaesenc\t48(%rcx),%xmm5,%xmm5\n\tvaesenc\t64(%rcx),%xmm5,%xmm5\n\tvaesenc\t80(%rcx),%xmm5,%xmm5\n\tvaesenc\t96(%rcx),%xmm5,%xmm5\n\tvaesenc\t112(%rcx),%xmm5,%xmm5\n\tvaesenc\t128(%rcx),%xmm5,%xmm5\n\tvaesenc\t144(%rcx),%xmm5,%xmm5\n\tvaesenc\t160(%rcx),%xmm5,%xmm5\n\tvaesenc\t176(%rcx),%xmm5,%xmm5\n\tvaesenc\t192(%rcx),%xmm5,%xmm5\n\tvaesenc\t208(%rcx),%xmm5,%xmm5\n\tvaesenclast\t224(%rcx),%xmm5,%xmm5\n\n\n\tvpxor\t(%rdi),%xmm5,%xmm5\n\n\tvmovdqu\t%xmm5,(%rsi)\n\n\taddq\t$16,%rdi\n\taddq\t$16,%rsi\n\n\tsubq\t$1,%r10\n\tjne\t.L256_enc_msg_x4_loop2\n\n.L256_enc_msg_x4_out:\n\tret\n.cfi_endproc\t\n.size\taes256gcmsiv_enc_msg_x4,.-aes256gcmsiv_enc_msg_x4\n.globl\taes256gcmsiv_enc_msg_x8\n.hidden aes256gcmsiv_enc_msg_x8\n.type\taes256gcmsiv_enc_msg_x8,@function\n.align\t16\naes256gcmsiv_enc_msg_x8:\n.cfi_startproc\t\n_CET_ENDBR\n\ttestq\t%r8,%r8\n\tjnz\t.L256_enc_msg_x8_start\n\tret\n\n.L256_enc_msg_x8_start:\n\n\tmovq\t%rsp,%r11\n\tsubq\t$16,%r11\n\tandq\t$-64,%r11\n\n\tmovq\t%r8,%r10\n\tshrq\t$4,%r8\n\tshlq\t$60,%r10\n\tjz\t.L256_enc_msg_x8_start2\n\taddq\t$1,%r8\n\n.L256_enc_msg_x8_start2:\n\tmovq\t%r8,%r10\n\tshlq\t$61,%r10\n\tshrq\t$61,%r10\n\n\n\tvmovdqa\t(%rdx),%xmm1\n\tvpor\tOR_MASK(%rip),%xmm1,%xmm1\n\n\n\tvpaddd\tseven(%rip),%xmm1,%xmm0\n\tvmovdqa\t%xmm0,(%r11)\n\tvpaddd\tone(%rip),%xmm1,%xmm9\n\tvpaddd\ttwo(%rip),%xmm1,%xmm10\n\tvpaddd\tthree(%rip),%xmm1,%xmm11\n\tvpaddd\tfour(%rip),%xmm1,%xmm12\n\tvpaddd\tfive(%rip),%xmm1,%xmm13\n\tvpaddd\tsix(%rip),%xmm1,%xmm14\n\tvmovdqa\t%xmm1,%xmm0\n\n\tshrq\t$3,%r8\n\tjz\t.L256_enc_msg_x8_check_remainder\n\n\tsubq\t$128,%rsi\n\tsubq\t$128,%rdi\n\n.L256_enc_msg_x8_loop1:\n\taddq\t$128,%rsi\n\taddq\t$128,%rdi\n\n\tvmovdqa\t%xmm0,%xmm1\n\tvmovdqa\t%xmm9,%xmm2\n\tvmovdqa\t%xmm10,%xmm3\n\tvmovdqa\t%xmm11,%xmm4\n\tvmovdqa\t%xmm12,%xmm5\n\tvmovdqa\t%xmm13,%xmm6\n\tvmovdqa\t%xmm14,%xmm7\n\n\tvmovdqa\t(%r11),%xmm8\n\n\tvpxor\t(%rcx),%xmm1,%xmm1\n\tvpxor\t(%rcx),%xmm2,%xmm2\n\tvpxor\t(%rcx),%xmm3,%xmm3\n\tvpxor\t(%rcx),%xmm4,%xmm4\n\tvpxor\t(%rcx),%xmm5,%xmm5\n\tvpxor\t(%rcx),%xmm6,%xmm6\n\tvpxor\t(%rcx),%xmm7,%xmm7\n\tvpxor\t(%rcx),%xmm8,%xmm8\n\n\tvmovdqu\t16(%rcx),%xmm15\n\tvaesenc\t%xmm15,%xmm1,%xmm1\n\tvaesenc\t%xmm15,%xmm2,%xmm2\n\tvaesenc\t%xmm15,%xmm3,%xmm3\n\tvaesenc\t%xmm15,%xmm4,%xmm4\n\tvaesenc\t%xmm15,%xmm5,%xmm5\n\tvaesenc\t%xmm15,%xmm6,%xmm6\n\tvaesenc\t%xmm15,%xmm7,%xmm7\n\tvaesenc\t%xmm15,%xmm8,%xmm8\n\n\tvmovdqa\t(%r11),%xmm14\n\tvpaddd\teight(%rip),%xmm14,%xmm14\n\tvmovdqa\t%xmm14,(%r11)\n\tvmovdqu\t32(%rcx),%xmm15\n\tvaesenc\t%xmm15,%xmm1,%xmm1\n\tvaesenc\t%xmm15,%xmm2,%xmm2\n\tvaesenc\t%xmm15,%xmm3,%xmm3\n\tvaesenc\t%xmm15,%xmm4,%xmm4\n\tvaesenc\t%xmm15,%xmm5,%xmm5\n\tvaesenc\t%xmm15,%xmm6,%xmm6\n\tvaesenc\t%xmm15,%xmm7,%xmm7\n\tvaesenc\t%xmm15,%xmm8,%xmm8\n\n\tvpsubd\tone(%rip),%xmm14,%xmm14\n\tvmovdqu\t48(%rcx),%xmm15\n\tvaesenc\t%xmm15,%xmm1,%xmm1\n\tvaesenc\t%xmm15,%xmm2,%xmm2\n\tvaesenc\t%xmm15,%xmm3,%xmm3\n\tvaesenc\t%xmm15,%xmm4,%xmm4\n\tvaesenc\t%xmm15,%xmm5,%xmm5\n\tvaesenc\t%xmm15,%xmm6,%xmm6\n\tvaesenc\t%xmm15,%xmm7,%xmm7\n\tvaesenc\t%xmm15,%xmm8,%xmm8\n\n\tvpaddd\teight(%rip),%xmm0,%xmm0\n\tvmovdqu\t64(%rcx),%xmm15\n\tvaesenc\t%xmm15,%xmm1,%xmm1\n\tvaesenc\t%xmm15,%xmm2,%xmm2\n\tvaesenc\t%xmm15,%xmm3,%xmm3\n\tvaesenc\t%xmm15,%xmm4,%xmm4\n\tvaesenc\t%xmm15,%xmm5,%xmm5\n\tvaesenc\t%xmm15,%xmm6,%xmm6\n\tvaesenc\t%xmm15,%xmm7,%xmm7\n\tvaesenc\t%xmm15,%xmm8,%xmm8\n\n\tvpaddd\teight(%rip),%xmm9,%xmm9\n\tvmovdqu\t80(%rcx),%xmm15\n\tvaesenc\t%xmm15,%xmm1,%xmm1\n\tvaesenc\t%xmm15,%xmm2,%xmm2\n\tvaesenc\t%xmm15,%xmm3,%xmm3\n\tvaesenc\t%xmm15,%xmm4,%xmm4\n\tvaesenc\t%xmm15,%xmm5,%xmm5\n\tvaesenc\t%xmm15,%xmm6,%xmm6\n\tvaesenc\t%xmm15,%xmm7,%xmm7\n\tvaesenc\t%xmm15,%xmm8,%xmm8\n\n\tvpaddd\teight(%rip),%xmm10,%xmm10\n\tvmovdqu\t96(%rcx),%xmm15\n\tvaesenc\t%xmm15,%xmm1,%xmm1\n\tvaesenc\t%xmm15,%xmm2,%xmm2\n\tvaesenc\t%xmm15,%xmm3,%xmm3\n\tvaesenc\t%xmm15,%xmm4,%xmm4\n\tvaesenc\t%xmm15,%xmm5,%xmm5\n\tvaesenc\t%xmm15,%xmm6,%xmm6\n\tvaesenc\t%xmm15,%xmm7,%xmm7\n\tvaesenc\t%xmm15,%xmm8,%xmm8\n\n\tvpaddd\teight(%rip),%xmm11,%xmm11\n\tvmovdqu\t112(%rcx),%xmm15\n\tvaesenc\t%xmm15,%xmm1,%xmm1\n\tvaesenc\t%xmm15,%xmm2,%xmm2\n\tvaesenc\t%xmm15,%xmm3,%xmm3\n\tvaesenc\t%xmm15,%xmm4,%xmm4\n\tvaesenc\t%xmm15,%xmm5,%xmm5\n\tvaesenc\t%xmm15,%xmm6,%xmm6\n\tvaesenc\t%xmm15,%xmm7,%xmm7\n\tvaesenc\t%xmm15,%xmm8,%xmm8\n\n\tvpaddd\teight(%rip),%xmm12,%xmm12\n\tvmovdqu\t128(%rcx),%xmm15\n\tvaesenc\t%xmm15,%xmm1,%xmm1\n\tvaesenc\t%xmm15,%xmm2,%xmm2\n\tvaesenc\t%xmm15,%xmm3,%xmm3\n\tvaesenc\t%xmm15,%xmm4,%xmm4\n\tvaesenc\t%xmm15,%xmm5,%xmm5\n\tvaesenc\t%xmm15,%xmm6,%xmm6\n\tvaesenc\t%xmm15,%xmm7,%xmm7\n\tvaesenc\t%xmm15,%xmm8,%xmm8\n\n\tvpaddd\teight(%rip),%xmm13,%xmm13\n\tvmovdqu\t144(%rcx),%xmm15\n\tvaesenc\t%xmm15,%xmm1,%xmm1\n\tvaesenc\t%xmm15,%xmm2,%xmm2\n\tvaesenc\t%xmm15,%xmm3,%xmm3\n\tvaesenc\t%xmm15,%xmm4,%xmm4\n\tvaesenc\t%xmm15,%xmm5,%xmm5\n\tvaesenc\t%xmm15,%xmm6,%xmm6\n\tvaesenc\t%xmm15,%xmm7,%xmm7\n\tvaesenc\t%xmm15,%xmm8,%xmm8\n\n\tvmovdqu\t160(%rcx),%xmm15\n\tvaesenc\t%xmm15,%xmm1,%xmm1\n\tvaesenc\t%xmm15,%xmm2,%xmm2\n\tvaesenc\t%xmm15,%xmm3,%xmm3\n\tvaesenc\t%xmm15,%xmm4,%xmm4\n\tvaesenc\t%xmm15,%xmm5,%xmm5\n\tvaesenc\t%xmm15,%xmm6,%xmm6\n\tvaesenc\t%xmm15,%xmm7,%xmm7\n\tvaesenc\t%xmm15,%xmm8,%xmm8\n\n\tvmovdqu\t176(%rcx),%xmm15\n\tvaesenc\t%xmm15,%xmm1,%xmm1\n\tvaesenc\t%xmm15,%xmm2,%xmm2\n\tvaesenc\t%xmm15,%xmm3,%xmm3\n\tvaesenc\t%xmm15,%xmm4,%xmm4\n\tvaesenc\t%xmm15,%xmm5,%xmm5\n\tvaesenc\t%xmm15,%xmm6,%xmm6\n\tvaesenc\t%xmm15,%xmm7,%xmm7\n\tvaesenc\t%xmm15,%xmm8,%xmm8\n\n\tvmovdqu\t192(%rcx),%xmm15\n\tvaesenc\t%xmm15,%xmm1,%xmm1\n\tvaesenc\t%xmm15,%xmm2,%xmm2\n\tvaesenc\t%xmm15,%xmm3,%xmm3\n\tvaesenc\t%xmm15,%xmm4,%xmm4\n\tvaesenc\t%xmm15,%xmm5,%xmm5\n\tvaesenc\t%xmm15,%xmm6,%xmm6\n\tvaesenc\t%xmm15,%xmm7,%xmm7\n\tvaesenc\t%xmm15,%xmm8,%xmm8\n\n\tvmovdqu\t208(%rcx),%xmm15\n\tvaesenc\t%xmm15,%xmm1,%xmm1\n\tvaesenc\t%xmm15,%xmm2,%xmm2\n\tvaesenc\t%xmm15,%xmm3,%xmm3\n\tvaesenc\t%xmm15,%xmm4,%xmm4\n\tvaesenc\t%xmm15,%xmm5,%xmm5\n\tvaesenc\t%xmm15,%xmm6,%xmm6\n\tvaesenc\t%xmm15,%xmm7,%xmm7\n\tvaesenc\t%xmm15,%xmm8,%xmm8\n\n\tvmovdqu\t224(%rcx),%xmm15\n\tvaesenclast\t%xmm15,%xmm1,%xmm1\n\tvaesenclast\t%xmm15,%xmm2,%xmm2\n\tvaesenclast\t%xmm15,%xmm3,%xmm3\n\tvaesenclast\t%xmm15,%xmm4,%xmm4\n\tvaesenclast\t%xmm15,%xmm5,%xmm5\n\tvaesenclast\t%xmm15,%xmm6,%xmm6\n\tvaesenclast\t%xmm15,%xmm7,%xmm7\n\tvaesenclast\t%xmm15,%xmm8,%xmm8\n\n\n\n\tvpxor\t0(%rdi),%xmm1,%xmm1\n\tvpxor\t16(%rdi),%xmm2,%xmm2\n\tvpxor\t32(%rdi),%xmm3,%xmm3\n\tvpxor\t48(%rdi),%xmm4,%xmm4\n\tvpxor\t64(%rdi),%xmm5,%xmm5\n\tvpxor\t80(%rdi),%xmm6,%xmm6\n\tvpxor\t96(%rdi),%xmm7,%xmm7\n\tvpxor\t112(%rdi),%xmm8,%xmm8\n\n\tsubq\t$1,%r8\n\n\tvmovdqu\t%xmm1,0(%rsi)\n\tvmovdqu\t%xmm2,16(%rsi)\n\tvmovdqu\t%xmm3,32(%rsi)\n\tvmovdqu\t%xmm4,48(%rsi)\n\tvmovdqu\t%xmm5,64(%rsi)\n\tvmovdqu\t%xmm6,80(%rsi)\n\tvmovdqu\t%xmm7,96(%rsi)\n\tvmovdqu\t%xmm8,112(%rsi)\n\n\tjne\t.L256_enc_msg_x8_loop1\n\n\taddq\t$128,%rsi\n\taddq\t$128,%rdi\n\n.L256_enc_msg_x8_check_remainder:\n\tcmpq\t$0,%r10\n\tje\t.L256_enc_msg_x8_out\n\n.L256_enc_msg_x8_loop2:\n\n\n\tvmovdqa\t%xmm0,%xmm1\n\tvpaddd\tone(%rip),%xmm0,%xmm0\n\n\tvpxor\t(%rcx),%xmm1,%xmm1\n\tvaesenc\t16(%rcx),%xmm1,%xmm1\n\tvaesenc\t32(%rcx),%xmm1,%xmm1\n\tvaesenc\t48(%rcx),%xmm1,%xmm1\n\tvaesenc\t64(%rcx),%xmm1,%xmm1\n\tvaesenc\t80(%rcx),%xmm1,%xmm1\n\tvaesenc\t96(%rcx),%xmm1,%xmm1\n\tvaesenc\t112(%rcx),%xmm1,%xmm1\n\tvaesenc\t128(%rcx),%xmm1,%xmm1\n\tvaesenc\t144(%rcx),%xmm1,%xmm1\n\tvaesenc\t160(%rcx),%xmm1,%xmm1\n\tvaesenc\t176(%rcx),%xmm1,%xmm1\n\tvaesenc\t192(%rcx),%xmm1,%xmm1\n\tvaesenc\t208(%rcx),%xmm1,%xmm1\n\tvaesenclast\t224(%rcx),%xmm1,%xmm1\n\n\n\tvpxor\t(%rdi),%xmm1,%xmm1\n\n\tvmovdqu\t%xmm1,(%rsi)\n\n\taddq\t$16,%rdi\n\taddq\t$16,%rsi\n\tsubq\t$1,%r10\n\tjnz\t.L256_enc_msg_x8_loop2\n\n.L256_enc_msg_x8_out:\n\tret\n\n.cfi_endproc\t\n.size\taes256gcmsiv_enc_msg_x8,.-aes256gcmsiv_enc_msg_x8\n.globl\taes256gcmsiv_dec\n.hidden aes256gcmsiv_dec\n.type\taes256gcmsiv_dec,@function\n.align\t16\naes256gcmsiv_dec:\n.cfi_startproc\t\n_CET_ENDBR\n\ttestq\t$~15,%r9\n\tjnz\t.L256_dec_start\n\tret\n\n.L256_dec_start:\n\tvzeroupper\n\tvmovdqa\t(%rdx),%xmm0\n\n\n\tvmovdqu\t16(%rdx),%xmm15\n\tvpor\tOR_MASK(%rip),%xmm15,%xmm15\n\tmovq\t%rdx,%rax\n\n\tleaq\t32(%rax),%rax\n\tleaq\t32(%rcx),%rcx\n\n\tandq\t$~15,%r9\n\n\n\tcmpq\t$96,%r9\n\tjb\t.L256_dec_loop2\n\n\n\tsubq\t$96,%r9\n\tvmovdqa\t%xmm15,%xmm7\n\tvpaddd\tone(%rip),%xmm7,%xmm8\n\tvpaddd\ttwo(%rip),%xmm7,%xmm9\n\tvpaddd\tone(%rip),%xmm9,%xmm10\n\tvpaddd\ttwo(%rip),%xmm9,%xmm11\n\tvpaddd\tone(%rip),%xmm11,%xmm12\n\tvpaddd\ttwo(%rip),%xmm11,%xmm15\n\n\tvpxor\t(%r8),%xmm7,%xmm7\n\tvpxor\t(%r8),%xmm8,%xmm8\n\tvpxor\t(%r8),%xmm9,%xmm9\n\tvpxor\t(%r8),%xmm10,%xmm10\n\tvpxor\t(%r8),%xmm11,%xmm11\n\tvpxor\t(%r8),%xmm12,%xmm12\n\n\tvmovdqu\t16(%r8),%xmm4\n\tvaesenc\t%xmm4,%xmm7,%xmm7\n\tvaesenc\t%xmm4,%xmm8,%xmm8\n\tvaesenc\t%xmm4,%xmm9,%xmm9\n\tvaesenc\t%xmm4,%xmm10,%xmm10\n\tvaesenc\t%xmm4,%xmm11,%xmm11\n\tvaesenc\t%xmm4,%xmm12,%xmm12\n\n\tvmovdqu\t32(%r8),%xmm4\n\tvaesenc\t%xmm4,%xmm7,%xmm7\n\tvaesenc\t%xmm4,%xmm8,%xmm8\n\tvaesenc\t%xmm4,%xmm9,%xmm9\n\tvaesenc\t%xmm4,%xmm10,%xmm10\n\tvaesenc\t%xmm4,%xmm11,%xmm11\n\tvaesenc\t%xmm4,%xmm12,%xmm12\n\n\tvmovdqu\t48(%r8),%xmm4\n\tvaesenc\t%xmm4,%xmm7,%xmm7\n\tvaesenc\t%xmm4,%xmm8,%xmm8\n\tvaesenc\t%xmm4,%xmm9,%xmm9\n\tvaesenc\t%xmm4,%xmm10,%xmm10\n\tvaesenc\t%xmm4,%xmm11,%xmm11\n\tvaesenc\t%xmm4,%xmm12,%xmm12\n\n\tvmovdqu\t64(%r8),%xmm4\n\tvaesenc\t%xmm4,%xmm7,%xmm7\n\tvaesenc\t%xmm4,%xmm8,%xmm8\n\tvaesenc\t%xmm4,%xmm9,%xmm9\n\tvaesenc\t%xmm4,%xmm10,%xmm10\n\tvaesenc\t%xmm4,%xmm11,%xmm11\n\tvaesenc\t%xmm4,%xmm12,%xmm12\n\n\tvmovdqu\t80(%r8),%xmm4\n\tvaesenc\t%xmm4,%xmm7,%xmm7\n\tvaesenc\t%xmm4,%xmm8,%xmm8\n\tvaesenc\t%xmm4,%xmm9,%xmm9\n\tvaesenc\t%xmm4,%xmm10,%xmm10\n\tvaesenc\t%xmm4,%xmm11,%xmm11\n\tvaesenc\t%xmm4,%xmm12,%xmm12\n\n\tvmovdqu\t96(%r8),%xmm4\n\tvaesenc\t%xmm4,%xmm7,%xmm7\n\tvaesenc\t%xmm4,%xmm8,%xmm8\n\tvaesenc\t%xmm4,%xmm9,%xmm9\n\tvaesenc\t%xmm4,%xmm10,%xmm10\n\tvaesenc\t%xmm4,%xmm11,%xmm11\n\tvaesenc\t%xmm4,%xmm12,%xmm12\n\n\tvmovdqu\t112(%r8),%xmm4\n\tvaesenc\t%xmm4,%xmm7,%xmm7\n\tvaesenc\t%xmm4,%xmm8,%xmm8\n\tvaesenc\t%xmm4,%xmm9,%xmm9\n\tvaesenc\t%xmm4,%xmm10,%xmm10\n\tvaesenc\t%xmm4,%xmm11,%xmm11\n\tvaesenc\t%xmm4,%xmm12,%xmm12\n\n\tvmovdqu\t128(%r8),%xmm4\n\tvaesenc\t%xmm4,%xmm7,%xmm7\n\tvaesenc\t%xmm4,%xmm8,%xmm8\n\tvaesenc\t%xmm4,%xmm9,%xmm9\n\tvaesenc\t%xmm4,%xmm10,%xmm10\n\tvaesenc\t%xmm4,%xmm11,%xmm11\n\tvaesenc\t%xmm4,%xmm12,%xmm12\n\n\tvmovdqu\t144(%r8),%xmm4\n\tvaesenc\t%xmm4,%xmm7,%xmm7\n\tvaesenc\t%xmm4,%xmm8,%xmm8\n\tvaesenc\t%xmm4,%xmm9,%xmm9\n\tvaesenc\t%xmm4,%xmm10,%xmm10\n\tvaesenc\t%xmm4,%xmm11,%xmm11\n\tvaesenc\t%xmm4,%xmm12,%xmm12\n\n\tvmovdqu\t160(%r8),%xmm4\n\tvaesenc\t%xmm4,%xmm7,%xmm7\n\tvaesenc\t%xmm4,%xmm8,%xmm8\n\tvaesenc\t%xmm4,%xmm9,%xmm9\n\tvaesenc\t%xmm4,%xmm10,%xmm10\n\tvaesenc\t%xmm4,%xmm11,%xmm11\n\tvaesenc\t%xmm4,%xmm12,%xmm12\n\n\tvmovdqu\t176(%r8),%xmm4\n\tvaesenc\t%xmm4,%xmm7,%xmm7\n\tvaesenc\t%xmm4,%xmm8,%xmm8\n\tvaesenc\t%xmm4,%xmm9,%xmm9\n\tvaesenc\t%xmm4,%xmm10,%xmm10\n\tvaesenc\t%xmm4,%xmm11,%xmm11\n\tvaesenc\t%xmm4,%xmm12,%xmm12\n\n\tvmovdqu\t192(%r8),%xmm4\n\tvaesenc\t%xmm4,%xmm7,%xmm7\n\tvaesenc\t%xmm4,%xmm8,%xmm8\n\tvaesenc\t%xmm4,%xmm9,%xmm9\n\tvaesenc\t%xmm4,%xmm10,%xmm10\n\tvaesenc\t%xmm4,%xmm11,%xmm11\n\tvaesenc\t%xmm4,%xmm12,%xmm12\n\n\tvmovdqu\t208(%r8),%xmm4\n\tvaesenc\t%xmm4,%xmm7,%xmm7\n\tvaesenc\t%xmm4,%xmm8,%xmm8\n\tvaesenc\t%xmm4,%xmm9,%xmm9\n\tvaesenc\t%xmm4,%xmm10,%xmm10\n\tvaesenc\t%xmm4,%xmm11,%xmm11\n\tvaesenc\t%xmm4,%xmm12,%xmm12\n\n\tvmovdqu\t224(%r8),%xmm4\n\tvaesenclast\t%xmm4,%xmm7,%xmm7\n\tvaesenclast\t%xmm4,%xmm8,%xmm8\n\tvaesenclast\t%xmm4,%xmm9,%xmm9\n\tvaesenclast\t%xmm4,%xmm10,%xmm10\n\tvaesenclast\t%xmm4,%xmm11,%xmm11\n\tvaesenclast\t%xmm4,%xmm12,%xmm12\n\n\n\tvpxor\t0(%rdi),%xmm7,%xmm7\n\tvpxor\t16(%rdi),%xmm8,%xmm8\n\tvpxor\t32(%rdi),%xmm9,%xmm9\n\tvpxor\t48(%rdi),%xmm10,%xmm10\n\tvpxor\t64(%rdi),%xmm11,%xmm11\n\tvpxor\t80(%rdi),%xmm12,%xmm12\n\n\tvmovdqu\t%xmm7,0(%rsi)\n\tvmovdqu\t%xmm8,16(%rsi)\n\tvmovdqu\t%xmm9,32(%rsi)\n\tvmovdqu\t%xmm10,48(%rsi)\n\tvmovdqu\t%xmm11,64(%rsi)\n\tvmovdqu\t%xmm12,80(%rsi)\n\n\taddq\t$96,%rdi\n\taddq\t$96,%rsi\n\tjmp\t.L256_dec_loop1\n\n\n.align\t64\n.L256_dec_loop1:\n\tcmpq\t$96,%r9\n\tjb\t.L256_dec_finish_96\n\tsubq\t$96,%r9\n\n\tvmovdqa\t%xmm12,%xmm6\n\tvmovdqa\t%xmm11,16-32(%rax)\n\tvmovdqa\t%xmm10,32-32(%rax)\n\tvmovdqa\t%xmm9,48-32(%rax)\n\tvmovdqa\t%xmm8,64-32(%rax)\n\tvmovdqa\t%xmm7,80-32(%rax)\n\n\tvmovdqa\t%xmm15,%xmm7\n\tvpaddd\tone(%rip),%xmm7,%xmm8\n\tvpaddd\ttwo(%rip),%xmm7,%xmm9\n\tvpaddd\tone(%rip),%xmm9,%xmm10\n\tvpaddd\ttwo(%rip),%xmm9,%xmm11\n\tvpaddd\tone(%rip),%xmm11,%xmm12\n\tvpaddd\ttwo(%rip),%xmm11,%xmm15\n\n\tvmovdqa\t(%r8),%xmm4\n\tvpxor\t%xmm4,%xmm7,%xmm7\n\tvpxor\t%xmm4,%xmm8,%xmm8\n\tvpxor\t%xmm4,%xmm9,%xmm9\n\tvpxor\t%xmm4,%xmm10,%xmm10\n\tvpxor\t%xmm4,%xmm11,%xmm11\n\tvpxor\t%xmm4,%xmm12,%xmm12\n\n\tvmovdqu\t0-32(%rcx),%xmm4\n\tvpclmulqdq\t$0x11,%xmm4,%xmm6,%xmm2\n\tvpclmulqdq\t$0x00,%xmm4,%xmm6,%xmm3\n\tvpclmulqdq\t$0x01,%xmm4,%xmm6,%xmm1\n\tvpclmulqdq\t$0x10,%xmm4,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm1,%xmm1\n\n\tvmovdqu\t16(%r8),%xmm4\n\tvaesenc\t%xmm4,%xmm7,%xmm7\n\tvaesenc\t%xmm4,%xmm8,%xmm8\n\tvaesenc\t%xmm4,%xmm9,%xmm9\n\tvaesenc\t%xmm4,%xmm10,%xmm10\n\tvaesenc\t%xmm4,%xmm11,%xmm11\n\tvaesenc\t%xmm4,%xmm12,%xmm12\n\n\tvmovdqu\t-16(%rax),%xmm6\n\tvmovdqu\t-16(%rcx),%xmm13\n\n\tvpclmulqdq\t$0x10,%xmm13,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm1,%xmm1\n\tvpclmulqdq\t$0x11,%xmm13,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm2,%xmm2\n\tvpclmulqdq\t$0x00,%xmm13,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm3,%xmm3\n\tvpclmulqdq\t$0x01,%xmm13,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm1,%xmm1\n\n\n\tvmovdqu\t32(%r8),%xmm4\n\tvaesenc\t%xmm4,%xmm7,%xmm7\n\tvaesenc\t%xmm4,%xmm8,%xmm8\n\tvaesenc\t%xmm4,%xmm9,%xmm9\n\tvaesenc\t%xmm4,%xmm10,%xmm10\n\tvaesenc\t%xmm4,%xmm11,%xmm11\n\tvaesenc\t%xmm4,%xmm12,%xmm12\n\n\tvmovdqu\t0(%rax),%xmm6\n\tvmovdqu\t0(%rcx),%xmm13\n\n\tvpclmulqdq\t$0x10,%xmm13,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm1,%xmm1\n\tvpclmulqdq\t$0x11,%xmm13,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm2,%xmm2\n\tvpclmulqdq\t$0x00,%xmm13,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm3,%xmm3\n\tvpclmulqdq\t$0x01,%xmm13,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm1,%xmm1\n\n\n\tvmovdqu\t48(%r8),%xmm4\n\tvaesenc\t%xmm4,%xmm7,%xmm7\n\tvaesenc\t%xmm4,%xmm8,%xmm8\n\tvaesenc\t%xmm4,%xmm9,%xmm9\n\tvaesenc\t%xmm4,%xmm10,%xmm10\n\tvaesenc\t%xmm4,%xmm11,%xmm11\n\tvaesenc\t%xmm4,%xmm12,%xmm12\n\n\tvmovdqu\t16(%rax),%xmm6\n\tvmovdqu\t16(%rcx),%xmm13\n\n\tvpclmulqdq\t$0x10,%xmm13,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm1,%xmm1\n\tvpclmulqdq\t$0x11,%xmm13,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm2,%xmm2\n\tvpclmulqdq\t$0x00,%xmm13,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm3,%xmm3\n\tvpclmulqdq\t$0x01,%xmm13,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm1,%xmm1\n\n\n\tvmovdqu\t64(%r8),%xmm4\n\tvaesenc\t%xmm4,%xmm7,%xmm7\n\tvaesenc\t%xmm4,%xmm8,%xmm8\n\tvaesenc\t%xmm4,%xmm9,%xmm9\n\tvaesenc\t%xmm4,%xmm10,%xmm10\n\tvaesenc\t%xmm4,%xmm11,%xmm11\n\tvaesenc\t%xmm4,%xmm12,%xmm12\n\n\tvmovdqu\t32(%rax),%xmm6\n\tvmovdqu\t32(%rcx),%xmm13\n\n\tvpclmulqdq\t$0x10,%xmm13,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm1,%xmm1\n\tvpclmulqdq\t$0x11,%xmm13,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm2,%xmm2\n\tvpclmulqdq\t$0x00,%xmm13,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm3,%xmm3\n\tvpclmulqdq\t$0x01,%xmm13,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm1,%xmm1\n\n\n\tvmovdqu\t80(%r8),%xmm4\n\tvaesenc\t%xmm4,%xmm7,%xmm7\n\tvaesenc\t%xmm4,%xmm8,%xmm8\n\tvaesenc\t%xmm4,%xmm9,%xmm9\n\tvaesenc\t%xmm4,%xmm10,%xmm10\n\tvaesenc\t%xmm4,%xmm11,%xmm11\n\tvaesenc\t%xmm4,%xmm12,%xmm12\n\n\tvmovdqu\t96(%r8),%xmm4\n\tvaesenc\t%xmm4,%xmm7,%xmm7\n\tvaesenc\t%xmm4,%xmm8,%xmm8\n\tvaesenc\t%xmm4,%xmm9,%xmm9\n\tvaesenc\t%xmm4,%xmm10,%xmm10\n\tvaesenc\t%xmm4,%xmm11,%xmm11\n\tvaesenc\t%xmm4,%xmm12,%xmm12\n\n\tvmovdqu\t112(%r8),%xmm4\n\tvaesenc\t%xmm4,%xmm7,%xmm7\n\tvaesenc\t%xmm4,%xmm8,%xmm8\n\tvaesenc\t%xmm4,%xmm9,%xmm9\n\tvaesenc\t%xmm4,%xmm10,%xmm10\n\tvaesenc\t%xmm4,%xmm11,%xmm11\n\tvaesenc\t%xmm4,%xmm12,%xmm12\n\n\n\tvmovdqa\t80-32(%rax),%xmm6\n\tvpxor\t%xmm0,%xmm6,%xmm6\n\tvmovdqu\t80-32(%rcx),%xmm5\n\n\tvpclmulqdq\t$0x01,%xmm5,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm1,%xmm1\n\tvpclmulqdq\t$0x11,%xmm5,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm2,%xmm2\n\tvpclmulqdq\t$0x00,%xmm5,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm3,%xmm3\n\tvpclmulqdq\t$0x10,%xmm5,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm1,%xmm1\n\n\tvmovdqu\t128(%r8),%xmm4\n\tvaesenc\t%xmm4,%xmm7,%xmm7\n\tvaesenc\t%xmm4,%xmm8,%xmm8\n\tvaesenc\t%xmm4,%xmm9,%xmm9\n\tvaesenc\t%xmm4,%xmm10,%xmm10\n\tvaesenc\t%xmm4,%xmm11,%xmm11\n\tvaesenc\t%xmm4,%xmm12,%xmm12\n\n\n\tvpsrldq\t$8,%xmm1,%xmm4\n\tvpxor\t%xmm4,%xmm2,%xmm5\n\tvpslldq\t$8,%xmm1,%xmm4\n\tvpxor\t%xmm4,%xmm3,%xmm0\n\n\tvmovdqa\tpoly(%rip),%xmm3\n\n\tvmovdqu\t144(%r8),%xmm4\n\tvaesenc\t%xmm4,%xmm7,%xmm7\n\tvaesenc\t%xmm4,%xmm8,%xmm8\n\tvaesenc\t%xmm4,%xmm9,%xmm9\n\tvaesenc\t%xmm4,%xmm10,%xmm10\n\tvaesenc\t%xmm4,%xmm11,%xmm11\n\tvaesenc\t%xmm4,%xmm12,%xmm12\n\n\tvmovdqu\t160(%r8),%xmm4\n\tvaesenc\t%xmm4,%xmm7,%xmm7\n\tvaesenc\t%xmm4,%xmm8,%xmm8\n\tvaesenc\t%xmm4,%xmm9,%xmm9\n\tvaesenc\t%xmm4,%xmm10,%xmm10\n\tvaesenc\t%xmm4,%xmm11,%xmm11\n\tvaesenc\t%xmm4,%xmm12,%xmm12\n\n\tvmovdqu\t176(%r8),%xmm4\n\tvaesenc\t%xmm4,%xmm7,%xmm7\n\tvaesenc\t%xmm4,%xmm8,%xmm8\n\tvaesenc\t%xmm4,%xmm9,%xmm9\n\tvaesenc\t%xmm4,%xmm10,%xmm10\n\tvaesenc\t%xmm4,%xmm11,%xmm11\n\tvaesenc\t%xmm4,%xmm12,%xmm12\n\n\tvmovdqu\t192(%r8),%xmm4\n\tvaesenc\t%xmm4,%xmm7,%xmm7\n\tvaesenc\t%xmm4,%xmm8,%xmm8\n\tvaesenc\t%xmm4,%xmm9,%xmm9\n\tvaesenc\t%xmm4,%xmm10,%xmm10\n\tvaesenc\t%xmm4,%xmm11,%xmm11\n\tvaesenc\t%xmm4,%xmm12,%xmm12\n\n\tvmovdqu\t208(%r8),%xmm4\n\tvaesenc\t%xmm4,%xmm7,%xmm7\n\tvaesenc\t%xmm4,%xmm8,%xmm8\n\tvaesenc\t%xmm4,%xmm9,%xmm9\n\tvaesenc\t%xmm4,%xmm10,%xmm10\n\tvaesenc\t%xmm4,%xmm11,%xmm11\n\tvaesenc\t%xmm4,%xmm12,%xmm12\n\n\tvmovdqu\t224(%r8),%xmm6\n\tvpalignr\t$8,%xmm0,%xmm0,%xmm2\n\tvpclmulqdq\t$0x10,%xmm3,%xmm0,%xmm0\n\tvpxor\t%xmm0,%xmm2,%xmm0\n\n\tvpxor\t0(%rdi),%xmm6,%xmm4\n\tvaesenclast\t%xmm4,%xmm7,%xmm7\n\tvpxor\t16(%rdi),%xmm6,%xmm4\n\tvaesenclast\t%xmm4,%xmm8,%xmm8\n\tvpxor\t32(%rdi),%xmm6,%xmm4\n\tvaesenclast\t%xmm4,%xmm9,%xmm9\n\tvpxor\t48(%rdi),%xmm6,%xmm4\n\tvaesenclast\t%xmm4,%xmm10,%xmm10\n\tvpxor\t64(%rdi),%xmm6,%xmm4\n\tvaesenclast\t%xmm4,%xmm11,%xmm11\n\tvpxor\t80(%rdi),%xmm6,%xmm4\n\tvaesenclast\t%xmm4,%xmm12,%xmm12\n\n\tvpalignr\t$8,%xmm0,%xmm0,%xmm2\n\tvpclmulqdq\t$0x10,%xmm3,%xmm0,%xmm0\n\tvpxor\t%xmm0,%xmm2,%xmm0\n\n\tvmovdqu\t%xmm7,0(%rsi)\n\tvmovdqu\t%xmm8,16(%rsi)\n\tvmovdqu\t%xmm9,32(%rsi)\n\tvmovdqu\t%xmm10,48(%rsi)\n\tvmovdqu\t%xmm11,64(%rsi)\n\tvmovdqu\t%xmm12,80(%rsi)\n\n\tvpxor\t%xmm5,%xmm0,%xmm0\n\n\tleaq\t96(%rdi),%rdi\n\tleaq\t96(%rsi),%rsi\n\tjmp\t.L256_dec_loop1\n\n.L256_dec_finish_96:\n\tvmovdqa\t%xmm12,%xmm6\n\tvmovdqa\t%xmm11,16-32(%rax)\n\tvmovdqa\t%xmm10,32-32(%rax)\n\tvmovdqa\t%xmm9,48-32(%rax)\n\tvmovdqa\t%xmm8,64-32(%rax)\n\tvmovdqa\t%xmm7,80-32(%rax)\n\n\tvmovdqu\t0-32(%rcx),%xmm4\n\tvpclmulqdq\t$0x10,%xmm4,%xmm6,%xmm1\n\tvpclmulqdq\t$0x11,%xmm4,%xmm6,%xmm2\n\tvpclmulqdq\t$0x00,%xmm4,%xmm6,%xmm3\n\tvpclmulqdq\t$0x01,%xmm4,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm1,%xmm1\n\n\tvmovdqu\t-16(%rax),%xmm6\n\tvmovdqu\t-16(%rcx),%xmm13\n\n\tvpclmulqdq\t$0x10,%xmm13,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm1,%xmm1\n\tvpclmulqdq\t$0x11,%xmm13,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm2,%xmm2\n\tvpclmulqdq\t$0x00,%xmm13,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm3,%xmm3\n\tvpclmulqdq\t$0x01,%xmm13,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm1,%xmm1\n\n\tvmovdqu\t0(%rax),%xmm6\n\tvmovdqu\t0(%rcx),%xmm13\n\n\tvpclmulqdq\t$0x10,%xmm13,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm1,%xmm1\n\tvpclmulqdq\t$0x11,%xmm13,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm2,%xmm2\n\tvpclmulqdq\t$0x00,%xmm13,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm3,%xmm3\n\tvpclmulqdq\t$0x01,%xmm13,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm1,%xmm1\n\n\tvmovdqu\t16(%rax),%xmm6\n\tvmovdqu\t16(%rcx),%xmm13\n\n\tvpclmulqdq\t$0x10,%xmm13,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm1,%xmm1\n\tvpclmulqdq\t$0x11,%xmm13,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm2,%xmm2\n\tvpclmulqdq\t$0x00,%xmm13,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm3,%xmm3\n\tvpclmulqdq\t$0x01,%xmm13,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm1,%xmm1\n\n\tvmovdqu\t32(%rax),%xmm6\n\tvmovdqu\t32(%rcx),%xmm13\n\n\tvpclmulqdq\t$0x10,%xmm13,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm1,%xmm1\n\tvpclmulqdq\t$0x11,%xmm13,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm2,%xmm2\n\tvpclmulqdq\t$0x00,%xmm13,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm3,%xmm3\n\tvpclmulqdq\t$0x01,%xmm13,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm1,%xmm1\n\n\n\tvmovdqu\t80-32(%rax),%xmm6\n\tvpxor\t%xmm0,%xmm6,%xmm6\n\tvmovdqu\t80-32(%rcx),%xmm5\n\tvpclmulqdq\t$0x11,%xmm5,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm2,%xmm2\n\tvpclmulqdq\t$0x00,%xmm5,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm3,%xmm3\n\tvpclmulqdq\t$0x10,%xmm5,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm1,%xmm1\n\tvpclmulqdq\t$0x01,%xmm5,%xmm6,%xmm4\n\tvpxor\t%xmm4,%xmm1,%xmm1\n\n\tvpsrldq\t$8,%xmm1,%xmm4\n\tvpxor\t%xmm4,%xmm2,%xmm5\n\tvpslldq\t$8,%xmm1,%xmm4\n\tvpxor\t%xmm4,%xmm3,%xmm0\n\n\tvmovdqa\tpoly(%rip),%xmm3\n\n\tvpalignr\t$8,%xmm0,%xmm0,%xmm2\n\tvpclmulqdq\t$0x10,%xmm3,%xmm0,%xmm0\n\tvpxor\t%xmm0,%xmm2,%xmm0\n\n\tvpalignr\t$8,%xmm0,%xmm0,%xmm2\n\tvpclmulqdq\t$0x10,%xmm3,%xmm0,%xmm0\n\tvpxor\t%xmm0,%xmm2,%xmm0\n\n\tvpxor\t%xmm5,%xmm0,%xmm0\n\n.L256_dec_loop2:\n\n\n\n\tcmpq\t$16,%r9\n\tjb\t.L256_dec_out\n\tsubq\t$16,%r9\n\n\tvmovdqa\t%xmm15,%xmm2\n\tvpaddd\tone(%rip),%xmm15,%xmm15\n\n\tvpxor\t0(%r8),%xmm2,%xmm2\n\tvaesenc\t16(%r8),%xmm2,%xmm2\n\tvaesenc\t32(%r8),%xmm2,%xmm2\n\tvaesenc\t48(%r8),%xmm2,%xmm2\n\tvaesenc\t64(%r8),%xmm2,%xmm2\n\tvaesenc\t80(%r8),%xmm2,%xmm2\n\tvaesenc\t96(%r8),%xmm2,%xmm2\n\tvaesenc\t112(%r8),%xmm2,%xmm2\n\tvaesenc\t128(%r8),%xmm2,%xmm2\n\tvaesenc\t144(%r8),%xmm2,%xmm2\n\tvaesenc\t160(%r8),%xmm2,%xmm2\n\tvaesenc\t176(%r8),%xmm2,%xmm2\n\tvaesenc\t192(%r8),%xmm2,%xmm2\n\tvaesenc\t208(%r8),%xmm2,%xmm2\n\tvaesenclast\t224(%r8),%xmm2,%xmm2\n\tvpxor\t(%rdi),%xmm2,%xmm2\n\tvmovdqu\t%xmm2,(%rsi)\n\taddq\t$16,%rdi\n\taddq\t$16,%rsi\n\n\tvpxor\t%xmm2,%xmm0,%xmm0\n\tvmovdqa\t-32(%rcx),%xmm1\n\tcall\tGFMUL\n\n\tjmp\t.L256_dec_loop2\n\n.L256_dec_out:\n\tvmovdqu\t%xmm0,(%rdx)\n\tret\n.cfi_endproc\t\n.size\taes256gcmsiv_dec, .-aes256gcmsiv_dec\n.globl\taes256gcmsiv_kdf\n.hidden aes256gcmsiv_kdf\n.type\taes256gcmsiv_kdf,@function\n.align\t16\naes256gcmsiv_kdf:\n.cfi_startproc\t\n_CET_ENDBR\n\n\n\n\n\tvmovdqa\t(%rdx),%xmm1\n\tvmovdqa\t0(%rdi),%xmm4\n\tvmovdqa\tand_mask(%rip),%xmm11\n\tvmovdqa\tone(%rip),%xmm8\n\tvpshufd\t$0x90,%xmm4,%xmm4\n\tvpand\t%xmm11,%xmm4,%xmm4\n\tvpaddd\t%xmm8,%xmm4,%xmm6\n\tvpaddd\t%xmm8,%xmm6,%xmm7\n\tvpaddd\t%xmm8,%xmm7,%xmm11\n\tvpaddd\t%xmm8,%xmm11,%xmm12\n\tvpaddd\t%xmm8,%xmm12,%xmm13\n\n\tvpxor\t%xmm1,%xmm4,%xmm4\n\tvpxor\t%xmm1,%xmm6,%xmm6\n\tvpxor\t%xmm1,%xmm7,%xmm7\n\tvpxor\t%xmm1,%xmm11,%xmm11\n\tvpxor\t%xmm1,%xmm12,%xmm12\n\tvpxor\t%xmm1,%xmm13,%xmm13\n\n\tvmovdqa\t16(%rdx),%xmm1\n\tvaesenc\t%xmm1,%xmm4,%xmm4\n\tvaesenc\t%xmm1,%xmm6,%xmm6\n\tvaesenc\t%xmm1,%xmm7,%xmm7\n\tvaesenc\t%xmm1,%xmm11,%xmm11\n\tvaesenc\t%xmm1,%xmm12,%xmm12\n\tvaesenc\t%xmm1,%xmm13,%xmm13\n\n\tvmovdqa\t32(%rdx),%xmm2\n\tvaesenc\t%xmm2,%xmm4,%xmm4\n\tvaesenc\t%xmm2,%xmm6,%xmm6\n\tvaesenc\t%xmm2,%xmm7,%xmm7\n\tvaesenc\t%xmm2,%xmm11,%xmm11\n\tvaesenc\t%xmm2,%xmm12,%xmm12\n\tvaesenc\t%xmm2,%xmm13,%xmm13\n\n\tvmovdqa\t48(%rdx),%xmm1\n\tvaesenc\t%xmm1,%xmm4,%xmm4\n\tvaesenc\t%xmm1,%xmm6,%xmm6\n\tvaesenc\t%xmm1,%xmm7,%xmm7\n\tvaesenc\t%xmm1,%xmm11,%xmm11\n\tvaesenc\t%xmm1,%xmm12,%xmm12\n\tvaesenc\t%xmm1,%xmm13,%xmm13\n\n\tvmovdqa\t64(%rdx),%xmm2\n\tvaesenc\t%xmm2,%xmm4,%xmm4\n\tvaesenc\t%xmm2,%xmm6,%xmm6\n\tvaesenc\t%xmm2,%xmm7,%xmm7\n\tvaesenc\t%xmm2,%xmm11,%xmm11\n\tvaesenc\t%xmm2,%xmm12,%xmm12\n\tvaesenc\t%xmm2,%xmm13,%xmm13\n\n\tvmovdqa\t80(%rdx),%xmm1\n\tvaesenc\t%xmm1,%xmm4,%xmm4\n\tvaesenc\t%xmm1,%xmm6,%xmm6\n\tvaesenc\t%xmm1,%xmm7,%xmm7\n\tvaesenc\t%xmm1,%xmm11,%xmm11\n\tvaesenc\t%xmm1,%xmm12,%xmm12\n\tvaesenc\t%xmm1,%xmm13,%xmm13\n\n\tvmovdqa\t96(%rdx),%xmm2\n\tvaesenc\t%xmm2,%xmm4,%xmm4\n\tvaesenc\t%xmm2,%xmm6,%xmm6\n\tvaesenc\t%xmm2,%xmm7,%xmm7\n\tvaesenc\t%xmm2,%xmm11,%xmm11\n\tvaesenc\t%xmm2,%xmm12,%xmm12\n\tvaesenc\t%xmm2,%xmm13,%xmm13\n\n\tvmovdqa\t112(%rdx),%xmm1\n\tvaesenc\t%xmm1,%xmm4,%xmm4\n\tvaesenc\t%xmm1,%xmm6,%xmm6\n\tvaesenc\t%xmm1,%xmm7,%xmm7\n\tvaesenc\t%xmm1,%xmm11,%xmm11\n\tvaesenc\t%xmm1,%xmm12,%xmm12\n\tvaesenc\t%xmm1,%xmm13,%xmm13\n\n\tvmovdqa\t128(%rdx),%xmm2\n\tvaesenc\t%xmm2,%xmm4,%xmm4\n\tvaesenc\t%xmm2,%xmm6,%xmm6\n\tvaesenc\t%xmm2,%xmm7,%xmm7\n\tvaesenc\t%xmm2,%xmm11,%xmm11\n\tvaesenc\t%xmm2,%xmm12,%xmm12\n\tvaesenc\t%xmm2,%xmm13,%xmm13\n\n\tvmovdqa\t144(%rdx),%xmm1\n\tvaesenc\t%xmm1,%xmm4,%xmm4\n\tvaesenc\t%xmm1,%xmm6,%xmm6\n\tvaesenc\t%xmm1,%xmm7,%xmm7\n\tvaesenc\t%xmm1,%xmm11,%xmm11\n\tvaesenc\t%xmm1,%xmm12,%xmm12\n\tvaesenc\t%xmm1,%xmm13,%xmm13\n\n\tvmovdqa\t160(%rdx),%xmm2\n\tvaesenc\t%xmm2,%xmm4,%xmm4\n\tvaesenc\t%xmm2,%xmm6,%xmm6\n\tvaesenc\t%xmm2,%xmm7,%xmm7\n\tvaesenc\t%xmm2,%xmm11,%xmm11\n\tvaesenc\t%xmm2,%xmm12,%xmm12\n\tvaesenc\t%xmm2,%xmm13,%xmm13\n\n\tvmovdqa\t176(%rdx),%xmm1\n\tvaesenc\t%xmm1,%xmm4,%xmm4\n\tvaesenc\t%xmm1,%xmm6,%xmm6\n\tvaesenc\t%xmm1,%xmm7,%xmm7\n\tvaesenc\t%xmm1,%xmm11,%xmm11\n\tvaesenc\t%xmm1,%xmm12,%xmm12\n\tvaesenc\t%xmm1,%xmm13,%xmm13\n\n\tvmovdqa\t192(%rdx),%xmm2\n\tvaesenc\t%xmm2,%xmm4,%xmm4\n\tvaesenc\t%xmm2,%xmm6,%xmm6\n\tvaesenc\t%xmm2,%xmm7,%xmm7\n\tvaesenc\t%xmm2,%xmm11,%xmm11\n\tvaesenc\t%xmm2,%xmm12,%xmm12\n\tvaesenc\t%xmm2,%xmm13,%xmm13\n\n\tvmovdqa\t208(%rdx),%xmm1\n\tvaesenc\t%xmm1,%xmm4,%xmm4\n\tvaesenc\t%xmm1,%xmm6,%xmm6\n\tvaesenc\t%xmm1,%xmm7,%xmm7\n\tvaesenc\t%xmm1,%xmm11,%xmm11\n\tvaesenc\t%xmm1,%xmm12,%xmm12\n\tvaesenc\t%xmm1,%xmm13,%xmm13\n\n\tvmovdqa\t224(%rdx),%xmm2\n\tvaesenclast\t%xmm2,%xmm4,%xmm4\n\tvaesenclast\t%xmm2,%xmm6,%xmm6\n\tvaesenclast\t%xmm2,%xmm7,%xmm7\n\tvaesenclast\t%xmm2,%xmm11,%xmm11\n\tvaesenclast\t%xmm2,%xmm12,%xmm12\n\tvaesenclast\t%xmm2,%xmm13,%xmm13\n\n\n\tvmovdqa\t%xmm4,0(%rsi)\n\tvmovdqa\t%xmm6,16(%rsi)\n\tvmovdqa\t%xmm7,32(%rsi)\n\tvmovdqa\t%xmm11,48(%rsi)\n\tvmovdqa\t%xmm12,64(%rsi)\n\tvmovdqa\t%xmm13,80(%rsi)\n\tret\n.cfi_endproc\t\n.size\taes256gcmsiv_kdf, .-aes256gcmsiv_kdf\n#endif\n#if defined(__linux__) && defined(__ELF__)\n.section .note.GNU-stack,\"\",%progbits\n#endif\n\n" }, { "path": "Sources/CNIOBoringSSL/gen/crypto/chacha-armv4-linux.S", "content": "#define BORINGSSL_PREFIX CNIOBoringSSL\n// This file is generated from a similarly-named Perl script in the BoringSSL\n// source tree. Do not edit by hand.\n\n#include \n\n#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_ARM) && defined(__ELF__)\n#include \n\n@ Silence ARMv8 deprecated IT instruction warnings. This file is used by both\n@ ARMv7 and ARMv8 processors and does not use ARMv8 instructions.\n.arch\tarmv7-a\n\n.text\n#if defined(__thumb2__) || defined(__clang__)\n.syntax\tunified\n#endif\n#if defined(__thumb2__)\n.thumb\n#else\n.code\t32\n#endif\n\n#if defined(__thumb2__) || defined(__clang__)\n#define ldrhsb\tldrbhs\n#endif\n\n.align\t5\n.Lsigma:\n.long\t0x61707865,0x3320646e,0x79622d32,0x6b206574\t@ endian-neutral\n.Lone:\n.long\t1,0,0,0\n\n.globl\tChaCha20_ctr32_nohw\n.hidden\tChaCha20_ctr32_nohw\n.type\tChaCha20_ctr32_nohw,%function\n.align\t5\nChaCha20_ctr32_nohw:\n\tldr\tr12,[sp,#0]\t\t@ pull pointer to counter and nonce\n\tstmdb\tsp!,{r0,r1,r2,r4-r11,lr}\n\tadr\tr14,.Lsigma\n\tldmia\tr12,{r4,r5,r6,r7}\t\t@ load counter and nonce\n\tsub\tsp,sp,#4*(16)\t\t@ off-load area\n\tstmdb\tsp!,{r4,r5,r6,r7}\t\t@ copy counter and nonce\n\tldmia\tr3,{r4,r5,r6,r7,r8,r9,r10,r11}\t\t@ load key\n\tldmia\tr14,{r0,r1,r2,r3}\t\t@ load sigma\n\tstmdb\tsp!,{r4,r5,r6,r7,r8,r9,r10,r11}\t\t@ copy key\n\tstmdb\tsp!,{r0,r1,r2,r3}\t\t@ copy sigma\n\tstr\tr10,[sp,#4*(16+10)]\t@ off-load \"rx\"\n\tstr\tr11,[sp,#4*(16+11)]\t@ off-load \"rx\"\n\tb\t.Loop_outer_enter\n\n.align\t4\n.Loop_outer:\n\tldmia\tsp,{r0,r1,r2,r3,r4,r5,r6,r7,r8,r9}\t\t@ load key material\n\tstr\tr11,[sp,#4*(32+2)]\t@ save len\n\tstr\tr12, [sp,#4*(32+1)]\t@ save inp\n\tstr\tr14, [sp,#4*(32+0)]\t@ save out\n.Loop_outer_enter:\n\tldr\tr11, [sp,#4*(15)]\n\tldr\tr12,[sp,#4*(12)]\t@ modulo-scheduled load\n\tldr\tr10, [sp,#4*(13)]\n\tldr\tr14,[sp,#4*(14)]\n\tstr\tr11, [sp,#4*(16+15)]\n\tmov\tr11,#10\n\tb\t.Loop\n\n.align\t4\n.Loop:\n\tsubs\tr11,r11,#1\n\tadd\tr0,r0,r4\n\tmov\tr12,r12,ror#16\n\tadd\tr1,r1,r5\n\tmov\tr10,r10,ror#16\n\teor\tr12,r12,r0,ror#16\n\teor\tr10,r10,r1,ror#16\n\tadd\tr8,r8,r12\n\tmov\tr4,r4,ror#20\n\tadd\tr9,r9,r10\n\tmov\tr5,r5,ror#20\n\teor\tr4,r4,r8,ror#20\n\teor\tr5,r5,r9,ror#20\n\tadd\tr0,r0,r4\n\tmov\tr12,r12,ror#24\n\tadd\tr1,r1,r5\n\tmov\tr10,r10,ror#24\n\teor\tr12,r12,r0,ror#24\n\teor\tr10,r10,r1,ror#24\n\tadd\tr8,r8,r12\n\tmov\tr4,r4,ror#25\n\tadd\tr9,r9,r10\n\tmov\tr5,r5,ror#25\n\tstr\tr10,[sp,#4*(16+13)]\n\tldr\tr10,[sp,#4*(16+15)]\n\teor\tr4,r4,r8,ror#25\n\teor\tr5,r5,r9,ror#25\n\tstr\tr8,[sp,#4*(16+8)]\n\tldr\tr8,[sp,#4*(16+10)]\n\tadd\tr2,r2,r6\n\tmov\tr14,r14,ror#16\n\tstr\tr9,[sp,#4*(16+9)]\n\tldr\tr9,[sp,#4*(16+11)]\n\tadd\tr3,r3,r7\n\tmov\tr10,r10,ror#16\n\teor\tr14,r14,r2,ror#16\n\teor\tr10,r10,r3,ror#16\n\tadd\tr8,r8,r14\n\tmov\tr6,r6,ror#20\n\tadd\tr9,r9,r10\n\tmov\tr7,r7,ror#20\n\teor\tr6,r6,r8,ror#20\n\teor\tr7,r7,r9,ror#20\n\tadd\tr2,r2,r6\n\tmov\tr14,r14,ror#24\n\tadd\tr3,r3,r7\n\tmov\tr10,r10,ror#24\n\teor\tr14,r14,r2,ror#24\n\teor\tr10,r10,r3,ror#24\n\tadd\tr8,r8,r14\n\tmov\tr6,r6,ror#25\n\tadd\tr9,r9,r10\n\tmov\tr7,r7,ror#25\n\teor\tr6,r6,r8,ror#25\n\teor\tr7,r7,r9,ror#25\n\tadd\tr0,r0,r5\n\tmov\tr10,r10,ror#16\n\tadd\tr1,r1,r6\n\tmov\tr12,r12,ror#16\n\teor\tr10,r10,r0,ror#16\n\teor\tr12,r12,r1,ror#16\n\tadd\tr8,r8,r10\n\tmov\tr5,r5,ror#20\n\tadd\tr9,r9,r12\n\tmov\tr6,r6,ror#20\n\teor\tr5,r5,r8,ror#20\n\teor\tr6,r6,r9,ror#20\n\tadd\tr0,r0,r5\n\tmov\tr10,r10,ror#24\n\tadd\tr1,r1,r6\n\tmov\tr12,r12,ror#24\n\teor\tr10,r10,r0,ror#24\n\teor\tr12,r12,r1,ror#24\n\tadd\tr8,r8,r10\n\tmov\tr5,r5,ror#25\n\tstr\tr10,[sp,#4*(16+15)]\n\tldr\tr10,[sp,#4*(16+13)]\n\tadd\tr9,r9,r12\n\tmov\tr6,r6,ror#25\n\teor\tr5,r5,r8,ror#25\n\teor\tr6,r6,r9,ror#25\n\tstr\tr8,[sp,#4*(16+10)]\n\tldr\tr8,[sp,#4*(16+8)]\n\tadd\tr2,r2,r7\n\tmov\tr10,r10,ror#16\n\tstr\tr9,[sp,#4*(16+11)]\n\tldr\tr9,[sp,#4*(16+9)]\n\tadd\tr3,r3,r4\n\tmov\tr14,r14,ror#16\n\teor\tr10,r10,r2,ror#16\n\teor\tr14,r14,r3,ror#16\n\tadd\tr8,r8,r10\n\tmov\tr7,r7,ror#20\n\tadd\tr9,r9,r14\n\tmov\tr4,r4,ror#20\n\teor\tr7,r7,r8,ror#20\n\teor\tr4,r4,r9,ror#20\n\tadd\tr2,r2,r7\n\tmov\tr10,r10,ror#24\n\tadd\tr3,r3,r4\n\tmov\tr14,r14,ror#24\n\teor\tr10,r10,r2,ror#24\n\teor\tr14,r14,r3,ror#24\n\tadd\tr8,r8,r10\n\tmov\tr7,r7,ror#25\n\tadd\tr9,r9,r14\n\tmov\tr4,r4,ror#25\n\teor\tr7,r7,r8,ror#25\n\teor\tr4,r4,r9,ror#25\n\tbne\t.Loop\n\n\tldr\tr11,[sp,#4*(32+2)]\t@ load len\n\n\tstr\tr8, [sp,#4*(16+8)]\t@ modulo-scheduled store\n\tstr\tr9, [sp,#4*(16+9)]\n\tstr\tr12,[sp,#4*(16+12)]\n\tstr\tr10, [sp,#4*(16+13)]\n\tstr\tr14,[sp,#4*(16+14)]\n\n\t@ at this point we have first half of 512-bit result in\n\t@ rx and second half at sp+4*(16+8)\n\n\tcmp\tr11,#64\t\t@ done yet?\n#ifdef\t__thumb2__\n\titete\tlo\n#endif\n\taddlo\tr12,sp,#4*(0)\t\t@ shortcut or ...\n\tldrhs\tr12,[sp,#4*(32+1)]\t@ ... load inp\n\taddlo\tr14,sp,#4*(0)\t\t@ shortcut or ...\n\tldrhs\tr14,[sp,#4*(32+0)]\t@ ... load out\n\n\tldr\tr8,[sp,#4*(0)]\t@ load key material\n\tldr\tr9,[sp,#4*(1)]\n\n#if __ARM_ARCH>=6 || !defined(__ARMEB__)\n# if __ARM_ARCH<7\n\torr\tr10,r12,r14\n\ttst\tr10,#3\t\t@ are input and output aligned?\n\tldr\tr10,[sp,#4*(2)]\n\tbne\t.Lunaligned\n\tcmp\tr11,#64\t\t@ restore flags\n# else\n\tldr\tr10,[sp,#4*(2)]\n# endif\n\tldr\tr11,[sp,#4*(3)]\n\n\tadd\tr0,r0,r8\t@ accumulate key material\n\tadd\tr1,r1,r9\n# ifdef\t__thumb2__\n\titt\ths\n# endif\n\tldrhs\tr8,[r12],#16\t\t@ load input\n\tldrhs\tr9,[r12,#-12]\n\n\tadd\tr2,r2,r10\n\tadd\tr3,r3,r11\n# ifdef\t__thumb2__\n\titt\ths\n# endif\n\tldrhs\tr10,[r12,#-8]\n\tldrhs\tr11,[r12,#-4]\n# if __ARM_ARCH>=6 && defined(__ARMEB__)\n\trev\tr0,r0\n\trev\tr1,r1\n\trev\tr2,r2\n\trev\tr3,r3\n# endif\n# ifdef\t__thumb2__\n\titt\ths\n# endif\n\teorhs\tr0,r0,r8\t@ xor with input\n\teorhs\tr1,r1,r9\n\tadd\tr8,sp,#4*(4)\n\tstr\tr0,[r14],#16\t\t@ store output\n# ifdef\t__thumb2__\n\titt\ths\n# endif\n\teorhs\tr2,r2,r10\n\teorhs\tr3,r3,r11\n\tldmia\tr8,{r8,r9,r10,r11}\t@ load key material\n\tstr\tr1,[r14,#-12]\n\tstr\tr2,[r14,#-8]\n\tstr\tr3,[r14,#-4]\n\n\tadd\tr4,r4,r8\t@ accumulate key material\n\tadd\tr5,r5,r9\n# ifdef\t__thumb2__\n\titt\ths\n# endif\n\tldrhs\tr8,[r12],#16\t\t@ load input\n\tldrhs\tr9,[r12,#-12]\n\tadd\tr6,r6,r10\n\tadd\tr7,r7,r11\n# ifdef\t__thumb2__\n\titt\ths\n# endif\n\tldrhs\tr10,[r12,#-8]\n\tldrhs\tr11,[r12,#-4]\n# if __ARM_ARCH>=6 && defined(__ARMEB__)\n\trev\tr4,r4\n\trev\tr5,r5\n\trev\tr6,r6\n\trev\tr7,r7\n# endif\n# ifdef\t__thumb2__\n\titt\ths\n# endif\n\teorhs\tr4,r4,r8\n\teorhs\tr5,r5,r9\n\tadd\tr8,sp,#4*(8)\n\tstr\tr4,[r14],#16\t\t@ store output\n# ifdef\t__thumb2__\n\titt\ths\n# endif\n\teorhs\tr6,r6,r10\n\teorhs\tr7,r7,r11\n\tstr\tr5,[r14,#-12]\n\tldmia\tr8,{r8,r9,r10,r11}\t@ load key material\n\tstr\tr6,[r14,#-8]\n\tadd\tr0,sp,#4*(16+8)\n\tstr\tr7,[r14,#-4]\n\n\tldmia\tr0,{r0,r1,r2,r3,r4,r5,r6,r7}\t@ load second half\n\n\tadd\tr0,r0,r8\t@ accumulate key material\n\tadd\tr1,r1,r9\n# ifdef\t__thumb2__\n\titt\ths\n# endif\n\tldrhs\tr8,[r12],#16\t\t@ load input\n\tldrhs\tr9,[r12,#-12]\n# ifdef\t__thumb2__\n\titt\thi\n# endif\n\tstrhi\tr10,[sp,#4*(16+10)]\t@ copy \"rx\" while at it\n\tstrhi\tr11,[sp,#4*(16+11)]\t@ copy \"rx\" while at it\n\tadd\tr2,r2,r10\n\tadd\tr3,r3,r11\n# ifdef\t__thumb2__\n\titt\ths\n# endif\n\tldrhs\tr10,[r12,#-8]\n\tldrhs\tr11,[r12,#-4]\n# if __ARM_ARCH>=6 && defined(__ARMEB__)\n\trev\tr0,r0\n\trev\tr1,r1\n\trev\tr2,r2\n\trev\tr3,r3\n# endif\n# ifdef\t__thumb2__\n\titt\ths\n# endif\n\teorhs\tr0,r0,r8\n\teorhs\tr1,r1,r9\n\tadd\tr8,sp,#4*(12)\n\tstr\tr0,[r14],#16\t\t@ store output\n# ifdef\t__thumb2__\n\titt\ths\n# endif\n\teorhs\tr2,r2,r10\n\teorhs\tr3,r3,r11\n\tstr\tr1,[r14,#-12]\n\tldmia\tr8,{r8,r9,r10,r11}\t@ load key material\n\tstr\tr2,[r14,#-8]\n\tstr\tr3,[r14,#-4]\n\n\tadd\tr4,r4,r8\t@ accumulate key material\n\tadd\tr5,r5,r9\n# ifdef\t__thumb2__\n\titt\thi\n# endif\n\taddhi\tr8,r8,#1\t\t@ next counter value\n\tstrhi\tr8,[sp,#4*(12)]\t@ save next counter value\n# ifdef\t__thumb2__\n\titt\ths\n# endif\n\tldrhs\tr8,[r12],#16\t\t@ load input\n\tldrhs\tr9,[r12,#-12]\n\tadd\tr6,r6,r10\n\tadd\tr7,r7,r11\n# ifdef\t__thumb2__\n\titt\ths\n# endif\n\tldrhs\tr10,[r12,#-8]\n\tldrhs\tr11,[r12,#-4]\n# if __ARM_ARCH>=6 && defined(__ARMEB__)\n\trev\tr4,r4\n\trev\tr5,r5\n\trev\tr6,r6\n\trev\tr7,r7\n# endif\n# ifdef\t__thumb2__\n\titt\ths\n# endif\n\teorhs\tr4,r4,r8\n\teorhs\tr5,r5,r9\n# ifdef\t__thumb2__\n\tit\tne\n# endif\n\tldrne\tr8,[sp,#4*(32+2)]\t@ re-load len\n# ifdef\t__thumb2__\n\titt\ths\n# endif\n\teorhs\tr6,r6,r10\n\teorhs\tr7,r7,r11\n\tstr\tr4,[r14],#16\t\t@ store output\n\tstr\tr5,[r14,#-12]\n# ifdef\t__thumb2__\n\tit\ths\n# endif\n\tsubhs\tr11,r8,#64\t\t@ len-=64\n\tstr\tr6,[r14,#-8]\n\tstr\tr7,[r14,#-4]\n\tbhi\t.Loop_outer\n\n\tbeq\t.Ldone\n# if __ARM_ARCH<7\n\tb\t.Ltail\n\n.align\t4\n.Lunaligned:@ unaligned endian-neutral path\n\tcmp\tr11,#64\t\t@ restore flags\n# endif\n#endif\n#if __ARM_ARCH<7\n\tldr\tr11,[sp,#4*(3)]\n\tadd\tr0,r0,r8\t\t@ accumulate key material\n\tadd\tr1,r1,r9\n\tadd\tr2,r2,r10\n# ifdef\t__thumb2__\n\titete\tlo\n# endif\n\teorlo\tr8,r8,r8\t\t@ zero or ...\n\tldrhsb\tr8,[r12],#16\t\t\t@ ... load input\n\teorlo\tr9,r9,r9\n\tldrhsb\tr9,[r12,#-12]\n\n\tadd\tr3,r3,r11\n# ifdef\t__thumb2__\n\titete\tlo\n# endif\n\teorlo\tr10,r10,r10\n\tldrhsb\tr10,[r12,#-8]\n\teorlo\tr11,r11,r11\n\tldrhsb\tr11,[r12,#-4]\n\n\teor\tr0,r8,r0\t\t@ xor with input (or zero)\n\teor\tr1,r9,r1\n# ifdef\t__thumb2__\n\titt\ths\n# endif\n\tldrhsb\tr8,[r12,#-15]\t\t@ load more input\n\tldrhsb\tr9,[r12,#-11]\n\teor\tr2,r10,r2\n\tstrb\tr0,[r14],#16\t\t@ store output\n\teor\tr3,r11,r3\n# ifdef\t__thumb2__\n\titt\ths\n# endif\n\tldrhsb\tr10,[r12,#-7]\n\tldrhsb\tr11,[r12,#-3]\n\tstrb\tr1,[r14,#-12]\n\teor\tr0,r8,r0,lsr#8\n\tstrb\tr2,[r14,#-8]\n\teor\tr1,r9,r1,lsr#8\n# ifdef\t__thumb2__\n\titt\ths\n# endif\n\tldrhsb\tr8,[r12,#-14]\t\t@ load more input\n\tldrhsb\tr9,[r12,#-10]\n\tstrb\tr3,[r14,#-4]\n\teor\tr2,r10,r2,lsr#8\n\tstrb\tr0,[r14,#-15]\n\teor\tr3,r11,r3,lsr#8\n# ifdef\t__thumb2__\n\titt\ths\n# endif\n\tldrhsb\tr10,[r12,#-6]\n\tldrhsb\tr11,[r12,#-2]\n\tstrb\tr1,[r14,#-11]\n\teor\tr0,r8,r0,lsr#8\n\tstrb\tr2,[r14,#-7]\n\teor\tr1,r9,r1,lsr#8\n# ifdef\t__thumb2__\n\titt\ths\n# endif\n\tldrhsb\tr8,[r12,#-13]\t\t@ load more input\n\tldrhsb\tr9,[r12,#-9]\n\tstrb\tr3,[r14,#-3]\n\teor\tr2,r10,r2,lsr#8\n\tstrb\tr0,[r14,#-14]\n\teor\tr3,r11,r3,lsr#8\n# ifdef\t__thumb2__\n\titt\ths\n# endif\n\tldrhsb\tr10,[r12,#-5]\n\tldrhsb\tr11,[r12,#-1]\n\tstrb\tr1,[r14,#-10]\n\tstrb\tr2,[r14,#-6]\n\teor\tr0,r8,r0,lsr#8\n\tstrb\tr3,[r14,#-2]\n\teor\tr1,r9,r1,lsr#8\n\tstrb\tr0,[r14,#-13]\n\teor\tr2,r10,r2,lsr#8\n\tstrb\tr1,[r14,#-9]\n\teor\tr3,r11,r3,lsr#8\n\tstrb\tr2,[r14,#-5]\n\tstrb\tr3,[r14,#-1]\n\tadd\tr8,sp,#4*(4+0)\n\tldmia\tr8,{r8,r9,r10,r11}\t\t@ load key material\n\tadd\tr0,sp,#4*(16+8)\n\tadd\tr4,r4,r8\t\t@ accumulate key material\n\tadd\tr5,r5,r9\n\tadd\tr6,r6,r10\n# ifdef\t__thumb2__\n\titete\tlo\n# endif\n\teorlo\tr8,r8,r8\t\t@ zero or ...\n\tldrhsb\tr8,[r12],#16\t\t\t@ ... load input\n\teorlo\tr9,r9,r9\n\tldrhsb\tr9,[r12,#-12]\n\n\tadd\tr7,r7,r11\n# ifdef\t__thumb2__\n\titete\tlo\n# endif\n\teorlo\tr10,r10,r10\n\tldrhsb\tr10,[r12,#-8]\n\teorlo\tr11,r11,r11\n\tldrhsb\tr11,[r12,#-4]\n\n\teor\tr4,r8,r4\t\t@ xor with input (or zero)\n\teor\tr5,r9,r5\n# ifdef\t__thumb2__\n\titt\ths\n# endif\n\tldrhsb\tr8,[r12,#-15]\t\t@ load more input\n\tldrhsb\tr9,[r12,#-11]\n\teor\tr6,r10,r6\n\tstrb\tr4,[r14],#16\t\t@ store output\n\teor\tr7,r11,r7\n# ifdef\t__thumb2__\n\titt\ths\n# endif\n\tldrhsb\tr10,[r12,#-7]\n\tldrhsb\tr11,[r12,#-3]\n\tstrb\tr5,[r14,#-12]\n\teor\tr4,r8,r4,lsr#8\n\tstrb\tr6,[r14,#-8]\n\teor\tr5,r9,r5,lsr#8\n# ifdef\t__thumb2__\n\titt\ths\n# endif\n\tldrhsb\tr8,[r12,#-14]\t\t@ load more input\n\tldrhsb\tr9,[r12,#-10]\n\tstrb\tr7,[r14,#-4]\n\teor\tr6,r10,r6,lsr#8\n\tstrb\tr4,[r14,#-15]\n\teor\tr7,r11,r7,lsr#8\n# ifdef\t__thumb2__\n\titt\ths\n# endif\n\tldrhsb\tr10,[r12,#-6]\n\tldrhsb\tr11,[r12,#-2]\n\tstrb\tr5,[r14,#-11]\n\teor\tr4,r8,r4,lsr#8\n\tstrb\tr6,[r14,#-7]\n\teor\tr5,r9,r5,lsr#8\n# ifdef\t__thumb2__\n\titt\ths\n# endif\n\tldrhsb\tr8,[r12,#-13]\t\t@ load more input\n\tldrhsb\tr9,[r12,#-9]\n\tstrb\tr7,[r14,#-3]\n\teor\tr6,r10,r6,lsr#8\n\tstrb\tr4,[r14,#-14]\n\teor\tr7,r11,r7,lsr#8\n# ifdef\t__thumb2__\n\titt\ths\n# endif\n\tldrhsb\tr10,[r12,#-5]\n\tldrhsb\tr11,[r12,#-1]\n\tstrb\tr5,[r14,#-10]\n\tstrb\tr6,[r14,#-6]\n\teor\tr4,r8,r4,lsr#8\n\tstrb\tr7,[r14,#-2]\n\teor\tr5,r9,r5,lsr#8\n\tstrb\tr4,[r14,#-13]\n\teor\tr6,r10,r6,lsr#8\n\tstrb\tr5,[r14,#-9]\n\teor\tr7,r11,r7,lsr#8\n\tstrb\tr6,[r14,#-5]\n\tstrb\tr7,[r14,#-1]\n\tadd\tr8,sp,#4*(4+4)\n\tldmia\tr8,{r8,r9,r10,r11}\t\t@ load key material\n\tldmia\tr0,{r0,r1,r2,r3,r4,r5,r6,r7}\t\t@ load second half\n# ifdef\t__thumb2__\n\titt\thi\n# endif\n\tstrhi\tr10,[sp,#4*(16+10)]\t\t@ copy \"rx\"\n\tstrhi\tr11,[sp,#4*(16+11)]\t\t@ copy \"rx\"\n\tadd\tr0,r0,r8\t\t@ accumulate key material\n\tadd\tr1,r1,r9\n\tadd\tr2,r2,r10\n# ifdef\t__thumb2__\n\titete\tlo\n# endif\n\teorlo\tr8,r8,r8\t\t@ zero or ...\n\tldrhsb\tr8,[r12],#16\t\t\t@ ... load input\n\teorlo\tr9,r9,r9\n\tldrhsb\tr9,[r12,#-12]\n\n\tadd\tr3,r3,r11\n# ifdef\t__thumb2__\n\titete\tlo\n# endif\n\teorlo\tr10,r10,r10\n\tldrhsb\tr10,[r12,#-8]\n\teorlo\tr11,r11,r11\n\tldrhsb\tr11,[r12,#-4]\n\n\teor\tr0,r8,r0\t\t@ xor with input (or zero)\n\teor\tr1,r9,r1\n# ifdef\t__thumb2__\n\titt\ths\n# endif\n\tldrhsb\tr8,[r12,#-15]\t\t@ load more input\n\tldrhsb\tr9,[r12,#-11]\n\teor\tr2,r10,r2\n\tstrb\tr0,[r14],#16\t\t@ store output\n\teor\tr3,r11,r3\n# ifdef\t__thumb2__\n\titt\ths\n# endif\n\tldrhsb\tr10,[r12,#-7]\n\tldrhsb\tr11,[r12,#-3]\n\tstrb\tr1,[r14,#-12]\n\teor\tr0,r8,r0,lsr#8\n\tstrb\tr2,[r14,#-8]\n\teor\tr1,r9,r1,lsr#8\n# ifdef\t__thumb2__\n\titt\ths\n# endif\n\tldrhsb\tr8,[r12,#-14]\t\t@ load more input\n\tldrhsb\tr9,[r12,#-10]\n\tstrb\tr3,[r14,#-4]\n\teor\tr2,r10,r2,lsr#8\n\tstrb\tr0,[r14,#-15]\n\teor\tr3,r11,r3,lsr#8\n# ifdef\t__thumb2__\n\titt\ths\n# endif\n\tldrhsb\tr10,[r12,#-6]\n\tldrhsb\tr11,[r12,#-2]\n\tstrb\tr1,[r14,#-11]\n\teor\tr0,r8,r0,lsr#8\n\tstrb\tr2,[r14,#-7]\n\teor\tr1,r9,r1,lsr#8\n# ifdef\t__thumb2__\n\titt\ths\n# endif\n\tldrhsb\tr8,[r12,#-13]\t\t@ load more input\n\tldrhsb\tr9,[r12,#-9]\n\tstrb\tr3,[r14,#-3]\n\teor\tr2,r10,r2,lsr#8\n\tstrb\tr0,[r14,#-14]\n\teor\tr3,r11,r3,lsr#8\n# ifdef\t__thumb2__\n\titt\ths\n# endif\n\tldrhsb\tr10,[r12,#-5]\n\tldrhsb\tr11,[r12,#-1]\n\tstrb\tr1,[r14,#-10]\n\tstrb\tr2,[r14,#-6]\n\teor\tr0,r8,r0,lsr#8\n\tstrb\tr3,[r14,#-2]\n\teor\tr1,r9,r1,lsr#8\n\tstrb\tr0,[r14,#-13]\n\teor\tr2,r10,r2,lsr#8\n\tstrb\tr1,[r14,#-9]\n\teor\tr3,r11,r3,lsr#8\n\tstrb\tr2,[r14,#-5]\n\tstrb\tr3,[r14,#-1]\n\tadd\tr8,sp,#4*(4+8)\n\tldmia\tr8,{r8,r9,r10,r11}\t\t@ load key material\n\tadd\tr4,r4,r8\t\t@ accumulate key material\n# ifdef\t__thumb2__\n\titt\thi\n# endif\n\taddhi\tr8,r8,#1\t\t\t@ next counter value\n\tstrhi\tr8,[sp,#4*(12)]\t\t@ save next counter value\n\tadd\tr5,r5,r9\n\tadd\tr6,r6,r10\n# ifdef\t__thumb2__\n\titete\tlo\n# endif\n\teorlo\tr8,r8,r8\t\t@ zero or ...\n\tldrhsb\tr8,[r12],#16\t\t\t@ ... load input\n\teorlo\tr9,r9,r9\n\tldrhsb\tr9,[r12,#-12]\n\n\tadd\tr7,r7,r11\n# ifdef\t__thumb2__\n\titete\tlo\n# endif\n\teorlo\tr10,r10,r10\n\tldrhsb\tr10,[r12,#-8]\n\teorlo\tr11,r11,r11\n\tldrhsb\tr11,[r12,#-4]\n\n\teor\tr4,r8,r4\t\t@ xor with input (or zero)\n\teor\tr5,r9,r5\n# ifdef\t__thumb2__\n\titt\ths\n# endif\n\tldrhsb\tr8,[r12,#-15]\t\t@ load more input\n\tldrhsb\tr9,[r12,#-11]\n\teor\tr6,r10,r6\n\tstrb\tr4,[r14],#16\t\t@ store output\n\teor\tr7,r11,r7\n# ifdef\t__thumb2__\n\titt\ths\n# endif\n\tldrhsb\tr10,[r12,#-7]\n\tldrhsb\tr11,[r12,#-3]\n\tstrb\tr5,[r14,#-12]\n\teor\tr4,r8,r4,lsr#8\n\tstrb\tr6,[r14,#-8]\n\teor\tr5,r9,r5,lsr#8\n# ifdef\t__thumb2__\n\titt\ths\n# endif\n\tldrhsb\tr8,[r12,#-14]\t\t@ load more input\n\tldrhsb\tr9,[r12,#-10]\n\tstrb\tr7,[r14,#-4]\n\teor\tr6,r10,r6,lsr#8\n\tstrb\tr4,[r14,#-15]\n\teor\tr7,r11,r7,lsr#8\n# ifdef\t__thumb2__\n\titt\ths\n# endif\n\tldrhsb\tr10,[r12,#-6]\n\tldrhsb\tr11,[r12,#-2]\n\tstrb\tr5,[r14,#-11]\n\teor\tr4,r8,r4,lsr#8\n\tstrb\tr6,[r14,#-7]\n\teor\tr5,r9,r5,lsr#8\n# ifdef\t__thumb2__\n\titt\ths\n# endif\n\tldrhsb\tr8,[r12,#-13]\t\t@ load more input\n\tldrhsb\tr9,[r12,#-9]\n\tstrb\tr7,[r14,#-3]\n\teor\tr6,r10,r6,lsr#8\n\tstrb\tr4,[r14,#-14]\n\teor\tr7,r11,r7,lsr#8\n# ifdef\t__thumb2__\n\titt\ths\n# endif\n\tldrhsb\tr10,[r12,#-5]\n\tldrhsb\tr11,[r12,#-1]\n\tstrb\tr5,[r14,#-10]\n\tstrb\tr6,[r14,#-6]\n\teor\tr4,r8,r4,lsr#8\n\tstrb\tr7,[r14,#-2]\n\teor\tr5,r9,r5,lsr#8\n\tstrb\tr4,[r14,#-13]\n\teor\tr6,r10,r6,lsr#8\n\tstrb\tr5,[r14,#-9]\n\teor\tr7,r11,r7,lsr#8\n\tstrb\tr6,[r14,#-5]\n\tstrb\tr7,[r14,#-1]\n# ifdef\t__thumb2__\n\tit\tne\n# endif\n\tldrne\tr8,[sp,#4*(32+2)]\t\t@ re-load len\n# ifdef\t__thumb2__\n\tit\ths\n# endif\n\tsubhs\tr11,r8,#64\t\t\t@ len-=64\n\tbhi\t.Loop_outer\n\n\tbeq\t.Ldone\n#endif\n\n.Ltail:\n\tldr\tr12,[sp,#4*(32+1)]\t@ load inp\n\tadd\tr9,sp,#4*(0)\n\tldr\tr14,[sp,#4*(32+0)]\t@ load out\n\n.Loop_tail:\n\tldrb\tr10,[r9],#1\t@ read buffer on stack\n\tldrb\tr11,[r12],#1\t\t@ read input\n\tsubs\tr8,r8,#1\n\teor\tr11,r11,r10\n\tstrb\tr11,[r14],#1\t\t@ store output\n\tbne\t.Loop_tail\n\n.Ldone:\n\tadd\tsp,sp,#4*(32+3)\n\tldmia\tsp!,{r4,r5,r6,r7,r8,r9,r10,r11,pc}\n.size\tChaCha20_ctr32_nohw,.-ChaCha20_ctr32_nohw\n#if __ARM_MAX_ARCH__>=7\n.arch\tarmv7-a\n.fpu\tneon\n\n.globl\tChaCha20_ctr32_neon\n.hidden\tChaCha20_ctr32_neon\n.type\tChaCha20_ctr32_neon,%function\n.align\t5\nChaCha20_ctr32_neon:\n\tldr\tr12,[sp,#0]\t\t@ pull pointer to counter and nonce\n\tstmdb\tsp!,{r0,r1,r2,r4-r11,lr}\n\tadr\tr14,.Lsigma\n\tvstmdb\tsp!,{d8,d9,d10,d11,d12,d13,d14,d15}\t\t@ ABI spec says so\n\tstmdb\tsp!,{r0,r1,r2,r3}\n\n\tvld1.32\t{q1,q2},[r3]\t\t@ load key\n\tldmia\tr3,{r4,r5,r6,r7,r8,r9,r10,r11}\t\t@ load key\n\n\tsub\tsp,sp,#4*(16+16)\n\tvld1.32\t{q3},[r12]\t\t@ load counter and nonce\n\tadd\tr12,sp,#4*8\n\tldmia\tr14,{r0,r1,r2,r3}\t\t@ load sigma\n\tvld1.32\t{q0},[r14]!\t\t@ load sigma\n\tvld1.32\t{q12},[r14]\t\t@ one\n\tvst1.32\t{q2,q3},[r12]\t\t@ copy 1/2key|counter|nonce\n\tvst1.32\t{q0,q1},[sp]\t\t@ copy sigma|1/2key\n\n\tstr\tr10,[sp,#4*(16+10)]\t@ off-load \"rx\"\n\tstr\tr11,[sp,#4*(16+11)]\t@ off-load \"rx\"\n\tvshl.i32\td26,d24,#1\t@ two\n\tvstr\td24,[sp,#4*(16+0)]\n\tvshl.i32\td28,d24,#2\t@ four\n\tvstr\td26,[sp,#4*(16+2)]\n\tvmov\tq4,q0\n\tvstr\td28,[sp,#4*(16+4)]\n\tvmov\tq8,q0\n\tvmov\tq5,q1\n\tvmov\tq9,q1\n\tb\t.Loop_neon_enter\n\n.align\t4\n.Loop_neon_outer:\n\tldmia\tsp,{r0,r1,r2,r3,r4,r5,r6,r7,r8,r9}\t\t@ load key material\n\tcmp\tr11,#64*2\t\t@ if len<=64*2\n\tbls\t.Lbreak_neon\t\t@ switch to integer-only\n\tvmov\tq4,q0\n\tstr\tr11,[sp,#4*(32+2)]\t@ save len\n\tvmov\tq8,q0\n\tstr\tr12, [sp,#4*(32+1)]\t@ save inp\n\tvmov\tq5,q1\n\tstr\tr14, [sp,#4*(32+0)]\t@ save out\n\tvmov\tq9,q1\n.Loop_neon_enter:\n\tldr\tr11, [sp,#4*(15)]\n\tvadd.i32\tq7,q3,q12\t\t@ counter+1\n\tldr\tr12,[sp,#4*(12)]\t@ modulo-scheduled load\n\tvmov\tq6,q2\n\tldr\tr10, [sp,#4*(13)]\n\tvmov\tq10,q2\n\tldr\tr14,[sp,#4*(14)]\n\tvadd.i32\tq11,q7,q12\t\t@ counter+2\n\tstr\tr11, [sp,#4*(16+15)]\n\tmov\tr11,#10\n\tadd\tr12,r12,#3\t@ counter+3\n\tb\t.Loop_neon\n\n.align\t4\n.Loop_neon:\n\tsubs\tr11,r11,#1\n\tvadd.i32\tq0,q0,q1\n\tadd\tr0,r0,r4\n\tvadd.i32\tq4,q4,q5\n\tmov\tr12,r12,ror#16\n\tvadd.i32\tq8,q8,q9\n\tadd\tr1,r1,r5\n\tveor\tq3,q3,q0\n\tmov\tr10,r10,ror#16\n\tveor\tq7,q7,q4\n\teor\tr12,r12,r0,ror#16\n\tveor\tq11,q11,q8\n\teor\tr10,r10,r1,ror#16\n\tvrev32.16\tq3,q3\n\tadd\tr8,r8,r12\n\tvrev32.16\tq7,q7\n\tmov\tr4,r4,ror#20\n\tvrev32.16\tq11,q11\n\tadd\tr9,r9,r10\n\tvadd.i32\tq2,q2,q3\n\tmov\tr5,r5,ror#20\n\tvadd.i32\tq6,q6,q7\n\teor\tr4,r4,r8,ror#20\n\tvadd.i32\tq10,q10,q11\n\teor\tr5,r5,r9,ror#20\n\tveor\tq12,q1,q2\n\tadd\tr0,r0,r4\n\tveor\tq13,q5,q6\n\tmov\tr12,r12,ror#24\n\tveor\tq14,q9,q10\n\tadd\tr1,r1,r5\n\tvshr.u32\tq1,q12,#20\n\tmov\tr10,r10,ror#24\n\tvshr.u32\tq5,q13,#20\n\teor\tr12,r12,r0,ror#24\n\tvshr.u32\tq9,q14,#20\n\teor\tr10,r10,r1,ror#24\n\tvsli.32\tq1,q12,#12\n\tadd\tr8,r8,r12\n\tvsli.32\tq5,q13,#12\n\tmov\tr4,r4,ror#25\n\tvsli.32\tq9,q14,#12\n\tadd\tr9,r9,r10\n\tvadd.i32\tq0,q0,q1\n\tmov\tr5,r5,ror#25\n\tvadd.i32\tq4,q4,q5\n\tstr\tr10,[sp,#4*(16+13)]\n\tvadd.i32\tq8,q8,q9\n\tldr\tr10,[sp,#4*(16+15)]\n\tveor\tq12,q3,q0\n\teor\tr4,r4,r8,ror#25\n\tveor\tq13,q7,q4\n\teor\tr5,r5,r9,ror#25\n\tveor\tq14,q11,q8\n\tstr\tr8,[sp,#4*(16+8)]\n\tvshr.u32\tq3,q12,#24\n\tldr\tr8,[sp,#4*(16+10)]\n\tvshr.u32\tq7,q13,#24\n\tadd\tr2,r2,r6\n\tvshr.u32\tq11,q14,#24\n\tmov\tr14,r14,ror#16\n\tvsli.32\tq3,q12,#8\n\tstr\tr9,[sp,#4*(16+9)]\n\tvsli.32\tq7,q13,#8\n\tldr\tr9,[sp,#4*(16+11)]\n\tvsli.32\tq11,q14,#8\n\tadd\tr3,r3,r7\n\tvadd.i32\tq2,q2,q3\n\tmov\tr10,r10,ror#16\n\tvadd.i32\tq6,q6,q7\n\teor\tr14,r14,r2,ror#16\n\tvadd.i32\tq10,q10,q11\n\teor\tr10,r10,r3,ror#16\n\tveor\tq12,q1,q2\n\tadd\tr8,r8,r14\n\tveor\tq13,q5,q6\n\tmov\tr6,r6,ror#20\n\tveor\tq14,q9,q10\n\tadd\tr9,r9,r10\n\tvshr.u32\tq1,q12,#25\n\tmov\tr7,r7,ror#20\n\tvshr.u32\tq5,q13,#25\n\teor\tr6,r6,r8,ror#20\n\tvshr.u32\tq9,q14,#25\n\teor\tr7,r7,r9,ror#20\n\tvsli.32\tq1,q12,#7\n\tadd\tr2,r2,r6\n\tvsli.32\tq5,q13,#7\n\tmov\tr14,r14,ror#24\n\tvsli.32\tq9,q14,#7\n\tadd\tr3,r3,r7\n\tvext.8\tq2,q2,q2,#8\n\tmov\tr10,r10,ror#24\n\tvext.8\tq6,q6,q6,#8\n\teor\tr14,r14,r2,ror#24\n\tvext.8\tq10,q10,q10,#8\n\teor\tr10,r10,r3,ror#24\n\tvext.8\tq1,q1,q1,#4\n\tadd\tr8,r8,r14\n\tvext.8\tq5,q5,q5,#4\n\tmov\tr6,r6,ror#25\n\tvext.8\tq9,q9,q9,#4\n\tadd\tr9,r9,r10\n\tvext.8\tq3,q3,q3,#12\n\tmov\tr7,r7,ror#25\n\tvext.8\tq7,q7,q7,#12\n\teor\tr6,r6,r8,ror#25\n\tvext.8\tq11,q11,q11,#12\n\teor\tr7,r7,r9,ror#25\n\tvadd.i32\tq0,q0,q1\n\tadd\tr0,r0,r5\n\tvadd.i32\tq4,q4,q5\n\tmov\tr10,r10,ror#16\n\tvadd.i32\tq8,q8,q9\n\tadd\tr1,r1,r6\n\tveor\tq3,q3,q0\n\tmov\tr12,r12,ror#16\n\tveor\tq7,q7,q4\n\teor\tr10,r10,r0,ror#16\n\tveor\tq11,q11,q8\n\teor\tr12,r12,r1,ror#16\n\tvrev32.16\tq3,q3\n\tadd\tr8,r8,r10\n\tvrev32.16\tq7,q7\n\tmov\tr5,r5,ror#20\n\tvrev32.16\tq11,q11\n\tadd\tr9,r9,r12\n\tvadd.i32\tq2,q2,q3\n\tmov\tr6,r6,ror#20\n\tvadd.i32\tq6,q6,q7\n\teor\tr5,r5,r8,ror#20\n\tvadd.i32\tq10,q10,q11\n\teor\tr6,r6,r9,ror#20\n\tveor\tq12,q1,q2\n\tadd\tr0,r0,r5\n\tveor\tq13,q5,q6\n\tmov\tr10,r10,ror#24\n\tveor\tq14,q9,q10\n\tadd\tr1,r1,r6\n\tvshr.u32\tq1,q12,#20\n\tmov\tr12,r12,ror#24\n\tvshr.u32\tq5,q13,#20\n\teor\tr10,r10,r0,ror#24\n\tvshr.u32\tq9,q14,#20\n\teor\tr12,r12,r1,ror#24\n\tvsli.32\tq1,q12,#12\n\tadd\tr8,r8,r10\n\tvsli.32\tq5,q13,#12\n\tmov\tr5,r5,ror#25\n\tvsli.32\tq9,q14,#12\n\tstr\tr10,[sp,#4*(16+15)]\n\tvadd.i32\tq0,q0,q1\n\tldr\tr10,[sp,#4*(16+13)]\n\tvadd.i32\tq4,q4,q5\n\tadd\tr9,r9,r12\n\tvadd.i32\tq8,q8,q9\n\tmov\tr6,r6,ror#25\n\tveor\tq12,q3,q0\n\teor\tr5,r5,r8,ror#25\n\tveor\tq13,q7,q4\n\teor\tr6,r6,r9,ror#25\n\tveor\tq14,q11,q8\n\tstr\tr8,[sp,#4*(16+10)]\n\tvshr.u32\tq3,q12,#24\n\tldr\tr8,[sp,#4*(16+8)]\n\tvshr.u32\tq7,q13,#24\n\tadd\tr2,r2,r7\n\tvshr.u32\tq11,q14,#24\n\tmov\tr10,r10,ror#16\n\tvsli.32\tq3,q12,#8\n\tstr\tr9,[sp,#4*(16+11)]\n\tvsli.32\tq7,q13,#8\n\tldr\tr9,[sp,#4*(16+9)]\n\tvsli.32\tq11,q14,#8\n\tadd\tr3,r3,r4\n\tvadd.i32\tq2,q2,q3\n\tmov\tr14,r14,ror#16\n\tvadd.i32\tq6,q6,q7\n\teor\tr10,r10,r2,ror#16\n\tvadd.i32\tq10,q10,q11\n\teor\tr14,r14,r3,ror#16\n\tveor\tq12,q1,q2\n\tadd\tr8,r8,r10\n\tveor\tq13,q5,q6\n\tmov\tr7,r7,ror#20\n\tveor\tq14,q9,q10\n\tadd\tr9,r9,r14\n\tvshr.u32\tq1,q12,#25\n\tmov\tr4,r4,ror#20\n\tvshr.u32\tq5,q13,#25\n\teor\tr7,r7,r8,ror#20\n\tvshr.u32\tq9,q14,#25\n\teor\tr4,r4,r9,ror#20\n\tvsli.32\tq1,q12,#7\n\tadd\tr2,r2,r7\n\tvsli.32\tq5,q13,#7\n\tmov\tr10,r10,ror#24\n\tvsli.32\tq9,q14,#7\n\tadd\tr3,r3,r4\n\tvext.8\tq2,q2,q2,#8\n\tmov\tr14,r14,ror#24\n\tvext.8\tq6,q6,q6,#8\n\teor\tr10,r10,r2,ror#24\n\tvext.8\tq10,q10,q10,#8\n\teor\tr14,r14,r3,ror#24\n\tvext.8\tq1,q1,q1,#12\n\tadd\tr8,r8,r10\n\tvext.8\tq5,q5,q5,#12\n\tmov\tr7,r7,ror#25\n\tvext.8\tq9,q9,q9,#12\n\tadd\tr9,r9,r14\n\tvext.8\tq3,q3,q3,#4\n\tmov\tr4,r4,ror#25\n\tvext.8\tq7,q7,q7,#4\n\teor\tr7,r7,r8,ror#25\n\tvext.8\tq11,q11,q11,#4\n\teor\tr4,r4,r9,ror#25\n\tbne\t.Loop_neon\n\n\tadd\tr11,sp,#32\n\tvld1.32\t{q12,q13},[sp]\t\t@ load key material\n\tvld1.32\t{q14,q15},[r11]\n\n\tldr\tr11,[sp,#4*(32+2)]\t@ load len\n\n\tstr\tr8, [sp,#4*(16+8)]\t@ modulo-scheduled store\n\tstr\tr9, [sp,#4*(16+9)]\n\tstr\tr12,[sp,#4*(16+12)]\n\tstr\tr10, [sp,#4*(16+13)]\n\tstr\tr14,[sp,#4*(16+14)]\n\n\t@ at this point we have first half of 512-bit result in\n\t@ rx and second half at sp+4*(16+8)\n\n\tldr\tr12,[sp,#4*(32+1)]\t@ load inp\n\tldr\tr14,[sp,#4*(32+0)]\t@ load out\n\n\tvadd.i32\tq0,q0,q12\t\t@ accumulate key material\n\tvadd.i32\tq4,q4,q12\n\tvadd.i32\tq8,q8,q12\n\tvldr\td24,[sp,#4*(16+0)]\t@ one\n\n\tvadd.i32\tq1,q1,q13\n\tvadd.i32\tq5,q5,q13\n\tvadd.i32\tq9,q9,q13\n\tvldr\td26,[sp,#4*(16+2)]\t@ two\n\n\tvadd.i32\tq2,q2,q14\n\tvadd.i32\tq6,q6,q14\n\tvadd.i32\tq10,q10,q14\n\tvadd.i32\td14,d14,d24\t@ counter+1\n\tvadd.i32\td22,d22,d26\t@ counter+2\n\n\tvadd.i32\tq3,q3,q15\n\tvadd.i32\tq7,q7,q15\n\tvadd.i32\tq11,q11,q15\n\n\tcmp\tr11,#64*4\n\tblo\t.Ltail_neon\n\n\tvld1.8\t{q12,q13},[r12]!\t@ load input\n\tmov\tr11,sp\n\tvld1.8\t{q14,q15},[r12]!\n\tveor\tq0,q0,q12\t\t@ xor with input\n\tveor\tq1,q1,q13\n\tvld1.8\t{q12,q13},[r12]!\n\tveor\tq2,q2,q14\n\tveor\tq3,q3,q15\n\tvld1.8\t{q14,q15},[r12]!\n\n\tveor\tq4,q4,q12\n\tvst1.8\t{q0,q1},[r14]!\t@ store output\n\tveor\tq5,q5,q13\n\tvld1.8\t{q12,q13},[r12]!\n\tveor\tq6,q6,q14\n\tvst1.8\t{q2,q3},[r14]!\n\tveor\tq7,q7,q15\n\tvld1.8\t{q14,q15},[r12]!\n\n\tveor\tq8,q8,q12\n\tvld1.32\t{q0,q1},[r11]!\t@ load for next iteration\n\tveor\td25,d25,d25\n\tvldr\td24,[sp,#4*(16+4)]\t@ four\n\tveor\tq9,q9,q13\n\tvld1.32\t{q2,q3},[r11]\n\tveor\tq10,q10,q14\n\tvst1.8\t{q4,q5},[r14]!\n\tveor\tq11,q11,q15\n\tvst1.8\t{q6,q7},[r14]!\n\n\tvadd.i32\td6,d6,d24\t@ next counter value\n\tvldr\td24,[sp,#4*(16+0)]\t@ one\n\n\tldmia\tsp,{r8,r9,r10,r11}\t@ load key material\n\tadd\tr0,r0,r8\t@ accumulate key material\n\tldr\tr8,[r12],#16\t\t@ load input\n\tvst1.8\t{q8,q9},[r14]!\n\tadd\tr1,r1,r9\n\tldr\tr9,[r12,#-12]\n\tvst1.8\t{q10,q11},[r14]!\n\tadd\tr2,r2,r10\n\tldr\tr10,[r12,#-8]\n\tadd\tr3,r3,r11\n\tldr\tr11,[r12,#-4]\n# ifdef\t__ARMEB__\n\trev\tr0,r0\n\trev\tr1,r1\n\trev\tr2,r2\n\trev\tr3,r3\n# endif\n\teor\tr0,r0,r8\t@ xor with input\n\tadd\tr8,sp,#4*(4)\n\teor\tr1,r1,r9\n\tstr\tr0,[r14],#16\t\t@ store output\n\teor\tr2,r2,r10\n\tstr\tr1,[r14,#-12]\n\teor\tr3,r3,r11\n\tldmia\tr8,{r8,r9,r10,r11}\t@ load key material\n\tstr\tr2,[r14,#-8]\n\tstr\tr3,[r14,#-4]\n\n\tadd\tr4,r4,r8\t@ accumulate key material\n\tldr\tr8,[r12],#16\t\t@ load input\n\tadd\tr5,r5,r9\n\tldr\tr9,[r12,#-12]\n\tadd\tr6,r6,r10\n\tldr\tr10,[r12,#-8]\n\tadd\tr7,r7,r11\n\tldr\tr11,[r12,#-4]\n# ifdef\t__ARMEB__\n\trev\tr4,r4\n\trev\tr5,r5\n\trev\tr6,r6\n\trev\tr7,r7\n# endif\n\teor\tr4,r4,r8\n\tadd\tr8,sp,#4*(8)\n\teor\tr5,r5,r9\n\tstr\tr4,[r14],#16\t\t@ store output\n\teor\tr6,r6,r10\n\tstr\tr5,[r14,#-12]\n\teor\tr7,r7,r11\n\tldmia\tr8,{r8,r9,r10,r11}\t@ load key material\n\tstr\tr6,[r14,#-8]\n\tadd\tr0,sp,#4*(16+8)\n\tstr\tr7,[r14,#-4]\n\n\tldmia\tr0,{r0,r1,r2,r3,r4,r5,r6,r7}\t@ load second half\n\n\tadd\tr0,r0,r8\t@ accumulate key material\n\tldr\tr8,[r12],#16\t\t@ load input\n\tadd\tr1,r1,r9\n\tldr\tr9,[r12,#-12]\n# ifdef\t__thumb2__\n\tit\thi\n# endif\n\tstrhi\tr10,[sp,#4*(16+10)]\t@ copy \"rx\" while at it\n\tadd\tr2,r2,r10\n\tldr\tr10,[r12,#-8]\n# ifdef\t__thumb2__\n\tit\thi\n# endif\n\tstrhi\tr11,[sp,#4*(16+11)]\t@ copy \"rx\" while at it\n\tadd\tr3,r3,r11\n\tldr\tr11,[r12,#-4]\n# ifdef\t__ARMEB__\n\trev\tr0,r0\n\trev\tr1,r1\n\trev\tr2,r2\n\trev\tr3,r3\n# endif\n\teor\tr0,r0,r8\n\tadd\tr8,sp,#4*(12)\n\teor\tr1,r1,r9\n\tstr\tr0,[r14],#16\t\t@ store output\n\teor\tr2,r2,r10\n\tstr\tr1,[r14,#-12]\n\teor\tr3,r3,r11\n\tldmia\tr8,{r8,r9,r10,r11}\t@ load key material\n\tstr\tr2,[r14,#-8]\n\tstr\tr3,[r14,#-4]\n\n\tadd\tr4,r4,r8\t@ accumulate key material\n\tadd\tr8,r8,#4\t\t@ next counter value\n\tadd\tr5,r5,r9\n\tstr\tr8,[sp,#4*(12)]\t@ save next counter value\n\tldr\tr8,[r12],#16\t\t@ load input\n\tadd\tr6,r6,r10\n\tadd\tr4,r4,#3\t\t@ counter+3\n\tldr\tr9,[r12,#-12]\n\tadd\tr7,r7,r11\n\tldr\tr10,[r12,#-8]\n\tldr\tr11,[r12,#-4]\n# ifdef\t__ARMEB__\n\trev\tr4,r4\n\trev\tr5,r5\n\trev\tr6,r6\n\trev\tr7,r7\n# endif\n\teor\tr4,r4,r8\n# ifdef\t__thumb2__\n\tit\thi\n# endif\n\tldrhi\tr8,[sp,#4*(32+2)]\t@ re-load len\n\teor\tr5,r5,r9\n\teor\tr6,r6,r10\n\tstr\tr4,[r14],#16\t\t@ store output\n\teor\tr7,r7,r11\n\tstr\tr5,[r14,#-12]\n\tsub\tr11,r8,#64*4\t@ len-=64*4\n\tstr\tr6,[r14,#-8]\n\tstr\tr7,[r14,#-4]\n\tbhi\t.Loop_neon_outer\n\n\tb\t.Ldone_neon\n\n.align\t4\n.Lbreak_neon:\n\t@ harmonize NEON and integer-only stack frames: load data\n\t@ from NEON frame, but save to integer-only one; distance\n\t@ between the two is 4*(32+4+16-32)=4*(20).\n\n\tstr\tr11, [sp,#4*(20+32+2)]\t@ save len\n\tadd\tr11,sp,#4*(32+4)\n\tstr\tr12, [sp,#4*(20+32+1)]\t@ save inp\n\tstr\tr14, [sp,#4*(20+32+0)]\t@ save out\n\n\tldr\tr12,[sp,#4*(16+10)]\n\tldr\tr14,[sp,#4*(16+11)]\n\tvldmia\tr11,{d8,d9,d10,d11,d12,d13,d14,d15}\t\t\t@ fulfill ABI requirement\n\tstr\tr12,[sp,#4*(20+16+10)]\t@ copy \"rx\"\n\tstr\tr14,[sp,#4*(20+16+11)]\t@ copy \"rx\"\n\n\tldr\tr11, [sp,#4*(15)]\n\tldr\tr12,[sp,#4*(12)]\t\t@ modulo-scheduled load\n\tldr\tr10, [sp,#4*(13)]\n\tldr\tr14,[sp,#4*(14)]\n\tstr\tr11, [sp,#4*(20+16+15)]\n\tadd\tr11,sp,#4*(20)\n\tvst1.32\t{q0,q1},[r11]!\t\t@ copy key\n\tadd\tsp,sp,#4*(20)\t\t\t@ switch frame\n\tvst1.32\t{q2,q3},[r11]\n\tmov\tr11,#10\n\tb\t.Loop\t\t\t\t@ go integer-only\n\n.align\t4\n.Ltail_neon:\n\tcmp\tr11,#64*3\n\tbhs\t.L192_or_more_neon\n\tcmp\tr11,#64*2\n\tbhs\t.L128_or_more_neon\n\tcmp\tr11,#64*1\n\tbhs\t.L64_or_more_neon\n\n\tadd\tr8,sp,#4*(8)\n\tvst1.8\t{q0,q1},[sp]\n\tadd\tr10,sp,#4*(0)\n\tvst1.8\t{q2,q3},[r8]\n\tb\t.Loop_tail_neon\n\n.align\t4\n.L64_or_more_neon:\n\tvld1.8\t{q12,q13},[r12]!\n\tvld1.8\t{q14,q15},[r12]!\n\tveor\tq0,q0,q12\n\tveor\tq1,q1,q13\n\tveor\tq2,q2,q14\n\tveor\tq3,q3,q15\n\tvst1.8\t{q0,q1},[r14]!\n\tvst1.8\t{q2,q3},[r14]!\n\n\tbeq\t.Ldone_neon\n\n\tadd\tr8,sp,#4*(8)\n\tvst1.8\t{q4,q5},[sp]\n\tadd\tr10,sp,#4*(0)\n\tvst1.8\t{q6,q7},[r8]\n\tsub\tr11,r11,#64*1\t@ len-=64*1\n\tb\t.Loop_tail_neon\n\n.align\t4\n.L128_or_more_neon:\n\tvld1.8\t{q12,q13},[r12]!\n\tvld1.8\t{q14,q15},[r12]!\n\tveor\tq0,q0,q12\n\tveor\tq1,q1,q13\n\tvld1.8\t{q12,q13},[r12]!\n\tveor\tq2,q2,q14\n\tveor\tq3,q3,q15\n\tvld1.8\t{q14,q15},[r12]!\n\n\tveor\tq4,q4,q12\n\tveor\tq5,q5,q13\n\tvst1.8\t{q0,q1},[r14]!\n\tveor\tq6,q6,q14\n\tvst1.8\t{q2,q3},[r14]!\n\tveor\tq7,q7,q15\n\tvst1.8\t{q4,q5},[r14]!\n\tvst1.8\t{q6,q7},[r14]!\n\n\tbeq\t.Ldone_neon\n\n\tadd\tr8,sp,#4*(8)\n\tvst1.8\t{q8,q9},[sp]\n\tadd\tr10,sp,#4*(0)\n\tvst1.8\t{q10,q11},[r8]\n\tsub\tr11,r11,#64*2\t@ len-=64*2\n\tb\t.Loop_tail_neon\n\n.align\t4\n.L192_or_more_neon:\n\tvld1.8\t{q12,q13},[r12]!\n\tvld1.8\t{q14,q15},[r12]!\n\tveor\tq0,q0,q12\n\tveor\tq1,q1,q13\n\tvld1.8\t{q12,q13},[r12]!\n\tveor\tq2,q2,q14\n\tveor\tq3,q3,q15\n\tvld1.8\t{q14,q15},[r12]!\n\n\tveor\tq4,q4,q12\n\tveor\tq5,q5,q13\n\tvld1.8\t{q12,q13},[r12]!\n\tveor\tq6,q6,q14\n\tvst1.8\t{q0,q1},[r14]!\n\tveor\tq7,q7,q15\n\tvld1.8\t{q14,q15},[r12]!\n\n\tveor\tq8,q8,q12\n\tvst1.8\t{q2,q3},[r14]!\n\tveor\tq9,q9,q13\n\tvst1.8\t{q4,q5},[r14]!\n\tveor\tq10,q10,q14\n\tvst1.8\t{q6,q7},[r14]!\n\tveor\tq11,q11,q15\n\tvst1.8\t{q8,q9},[r14]!\n\tvst1.8\t{q10,q11},[r14]!\n\n\tbeq\t.Ldone_neon\n\n\tldmia\tsp,{r8,r9,r10,r11}\t@ load key material\n\tadd\tr0,r0,r8\t@ accumulate key material\n\tadd\tr8,sp,#4*(4)\n\tadd\tr1,r1,r9\n\tadd\tr2,r2,r10\n\tadd\tr3,r3,r11\n\tldmia\tr8,{r8,r9,r10,r11}\t@ load key material\n\n\tadd\tr4,r4,r8\t@ accumulate key material\n\tadd\tr8,sp,#4*(8)\n\tadd\tr5,r5,r9\n\tadd\tr6,r6,r10\n\tadd\tr7,r7,r11\n\tldmia\tr8,{r8,r9,r10,r11}\t@ load key material\n# ifdef\t__ARMEB__\n\trev\tr0,r0\n\trev\tr1,r1\n\trev\tr2,r2\n\trev\tr3,r3\n\trev\tr4,r4\n\trev\tr5,r5\n\trev\tr6,r6\n\trev\tr7,r7\n# endif\n\tstmia\tsp,{r0,r1,r2,r3,r4,r5,r6,r7}\n\tadd\tr0,sp,#4*(16+8)\n\n\tldmia\tr0,{r0,r1,r2,r3,r4,r5,r6,r7}\t@ load second half\n\n\tadd\tr0,r0,r8\t@ accumulate key material\n\tadd\tr8,sp,#4*(12)\n\tadd\tr1,r1,r9\n\tadd\tr2,r2,r10\n\tadd\tr3,r3,r11\n\tldmia\tr8,{r8,r9,r10,r11}\t@ load key material\n\n\tadd\tr4,r4,r8\t@ accumulate key material\n\tadd\tr8,sp,#4*(8)\n\tadd\tr5,r5,r9\n\tadd\tr4,r4,#3\t\t@ counter+3\n\tadd\tr6,r6,r10\n\tadd\tr7,r7,r11\n\tldr\tr11,[sp,#4*(32+2)]\t@ re-load len\n# ifdef\t__ARMEB__\n\trev\tr0,r0\n\trev\tr1,r1\n\trev\tr2,r2\n\trev\tr3,r3\n\trev\tr4,r4\n\trev\tr5,r5\n\trev\tr6,r6\n\trev\tr7,r7\n# endif\n\tstmia\tr8,{r0,r1,r2,r3,r4,r5,r6,r7}\n\tadd\tr10,sp,#4*(0)\n\tsub\tr11,r11,#64*3\t@ len-=64*3\n\n.Loop_tail_neon:\n\tldrb\tr8,[r10],#1\t@ read buffer on stack\n\tldrb\tr9,[r12],#1\t\t@ read input\n\tsubs\tr11,r11,#1\n\teor\tr8,r8,r9\n\tstrb\tr8,[r14],#1\t\t@ store output\n\tbne\t.Loop_tail_neon\n\n.Ldone_neon:\n\tadd\tsp,sp,#4*(32+4)\n\tvldmia\tsp,{d8,d9,d10,d11,d12,d13,d14,d15}\n\tadd\tsp,sp,#4*(16+3)\n\tldmia\tsp!,{r4,r5,r6,r7,r8,r9,r10,r11,pc}\n.size\tChaCha20_ctr32_neon,.-ChaCha20_ctr32_neon\n#endif\n#endif // !OPENSSL_NO_ASM && defined(OPENSSL_ARM) && defined(__ELF__)\n#if defined(__linux__) && defined(__ELF__)\n.section .note.GNU-stack,\"\",%progbits\n#endif\n\n" }, { "path": "Sources/CNIOBoringSSL/gen/crypto/chacha-armv8-apple.S", "content": "#define BORINGSSL_PREFIX CNIOBoringSSL\n// This file is generated from a similarly-named Perl script in the BoringSSL\n// source tree. Do not edit by hand.\n\n#include \n\n#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_AARCH64) && defined(__APPLE__)\n#include \n\n.section\t__TEXT,__const\n\n.align\t5\nLsigma:\n.quad\t0x3320646e61707865,0x6b20657479622d32\t\t// endian-neutral\nLone:\n.long\t1,0,0,0\n.byte\t67,104,97,67,104,97,50,48,32,102,111,114,32,65,82,77,118,56,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0\n.align\t2\n\n.text\n\n.globl\t_ChaCha20_ctr32_nohw\n.private_extern\t_ChaCha20_ctr32_nohw\n\n.align\t5\n_ChaCha20_ctr32_nohw:\n\tAARCH64_SIGN_LINK_REGISTER\n\tstp\tx29,x30,[sp,#-96]!\n\tadd\tx29,sp,#0\n\n\tadrp\tx5,Lsigma@PAGE\n\tadd\tx5,x5,Lsigma@PAGEOFF\n\tstp\tx19,x20,[sp,#16]\n\tstp\tx21,x22,[sp,#32]\n\tstp\tx23,x24,[sp,#48]\n\tstp\tx25,x26,[sp,#64]\n\tstp\tx27,x28,[sp,#80]\n\tsub\tsp,sp,#64\n\n\tldp\tx22,x23,[x5]\t\t// load sigma\n\tldp\tx24,x25,[x3]\t\t// load key\n\tldp\tx26,x27,[x3,#16]\n\tldp\tx28,x30,[x4]\t\t// load counter\n#ifdef\t__AARCH64EB__\n\tror\tx24,x24,#32\n\tror\tx25,x25,#32\n\tror\tx26,x26,#32\n\tror\tx27,x27,#32\n\tror\tx28,x28,#32\n\tror\tx30,x30,#32\n#endif\n\nLoop_outer:\n\tmov\tw5,w22\t\t\t// unpack key block\n\tlsr\tx6,x22,#32\n\tmov\tw7,w23\n\tlsr\tx8,x23,#32\n\tmov\tw9,w24\n\tlsr\tx10,x24,#32\n\tmov\tw11,w25\n\tlsr\tx12,x25,#32\n\tmov\tw13,w26\n\tlsr\tx14,x26,#32\n\tmov\tw15,w27\n\tlsr\tx16,x27,#32\n\tmov\tw17,w28\n\tlsr\tx19,x28,#32\n\tmov\tw20,w30\n\tlsr\tx21,x30,#32\n\n\tmov\tx4,#10\n\tsubs\tx2,x2,#64\nLoop:\n\tsub\tx4,x4,#1\n\tadd\tw5,w5,w9\n\tadd\tw6,w6,w10\n\tadd\tw7,w7,w11\n\tadd\tw8,w8,w12\n\teor\tw17,w17,w5\n\teor\tw19,w19,w6\n\teor\tw20,w20,w7\n\teor\tw21,w21,w8\n\tror\tw17,w17,#16\n\tror\tw19,w19,#16\n\tror\tw20,w20,#16\n\tror\tw21,w21,#16\n\tadd\tw13,w13,w17\n\tadd\tw14,w14,w19\n\tadd\tw15,w15,w20\n\tadd\tw16,w16,w21\n\teor\tw9,w9,w13\n\teor\tw10,w10,w14\n\teor\tw11,w11,w15\n\teor\tw12,w12,w16\n\tror\tw9,w9,#20\n\tror\tw10,w10,#20\n\tror\tw11,w11,#20\n\tror\tw12,w12,#20\n\tadd\tw5,w5,w9\n\tadd\tw6,w6,w10\n\tadd\tw7,w7,w11\n\tadd\tw8,w8,w12\n\teor\tw17,w17,w5\n\teor\tw19,w19,w6\n\teor\tw20,w20,w7\n\teor\tw21,w21,w8\n\tror\tw17,w17,#24\n\tror\tw19,w19,#24\n\tror\tw20,w20,#24\n\tror\tw21,w21,#24\n\tadd\tw13,w13,w17\n\tadd\tw14,w14,w19\n\tadd\tw15,w15,w20\n\tadd\tw16,w16,w21\n\teor\tw9,w9,w13\n\teor\tw10,w10,w14\n\teor\tw11,w11,w15\n\teor\tw12,w12,w16\n\tror\tw9,w9,#25\n\tror\tw10,w10,#25\n\tror\tw11,w11,#25\n\tror\tw12,w12,#25\n\tadd\tw5,w5,w10\n\tadd\tw6,w6,w11\n\tadd\tw7,w7,w12\n\tadd\tw8,w8,w9\n\teor\tw21,w21,w5\n\teor\tw17,w17,w6\n\teor\tw19,w19,w7\n\teor\tw20,w20,w8\n\tror\tw21,w21,#16\n\tror\tw17,w17,#16\n\tror\tw19,w19,#16\n\tror\tw20,w20,#16\n\tadd\tw15,w15,w21\n\tadd\tw16,w16,w17\n\tadd\tw13,w13,w19\n\tadd\tw14,w14,w20\n\teor\tw10,w10,w15\n\teor\tw11,w11,w16\n\teor\tw12,w12,w13\n\teor\tw9,w9,w14\n\tror\tw10,w10,#20\n\tror\tw11,w11,#20\n\tror\tw12,w12,#20\n\tror\tw9,w9,#20\n\tadd\tw5,w5,w10\n\tadd\tw6,w6,w11\n\tadd\tw7,w7,w12\n\tadd\tw8,w8,w9\n\teor\tw21,w21,w5\n\teor\tw17,w17,w6\n\teor\tw19,w19,w7\n\teor\tw20,w20,w8\n\tror\tw21,w21,#24\n\tror\tw17,w17,#24\n\tror\tw19,w19,#24\n\tror\tw20,w20,#24\n\tadd\tw15,w15,w21\n\tadd\tw16,w16,w17\n\tadd\tw13,w13,w19\n\tadd\tw14,w14,w20\n\teor\tw10,w10,w15\n\teor\tw11,w11,w16\n\teor\tw12,w12,w13\n\teor\tw9,w9,w14\n\tror\tw10,w10,#25\n\tror\tw11,w11,#25\n\tror\tw12,w12,#25\n\tror\tw9,w9,#25\n\tcbnz\tx4,Loop\n\n\tadd\tw5,w5,w22\t\t// accumulate key block\n\tadd\tx6,x6,x22,lsr#32\n\tadd\tw7,w7,w23\n\tadd\tx8,x8,x23,lsr#32\n\tadd\tw9,w9,w24\n\tadd\tx10,x10,x24,lsr#32\n\tadd\tw11,w11,w25\n\tadd\tx12,x12,x25,lsr#32\n\tadd\tw13,w13,w26\n\tadd\tx14,x14,x26,lsr#32\n\tadd\tw15,w15,w27\n\tadd\tx16,x16,x27,lsr#32\n\tadd\tw17,w17,w28\n\tadd\tx19,x19,x28,lsr#32\n\tadd\tw20,w20,w30\n\tadd\tx21,x21,x30,lsr#32\n\n\tb.lo\tLtail\n\n\tadd\tx5,x5,x6,lsl#32\t// pack\n\tadd\tx7,x7,x8,lsl#32\n\tldp\tx6,x8,[x1,#0]\t\t// load input\n\tadd\tx9,x9,x10,lsl#32\n\tadd\tx11,x11,x12,lsl#32\n\tldp\tx10,x12,[x1,#16]\n\tadd\tx13,x13,x14,lsl#32\n\tadd\tx15,x15,x16,lsl#32\n\tldp\tx14,x16,[x1,#32]\n\tadd\tx17,x17,x19,lsl#32\n\tadd\tx20,x20,x21,lsl#32\n\tldp\tx19,x21,[x1,#48]\n\tadd\tx1,x1,#64\n#ifdef\t__AARCH64EB__\n\trev\tx5,x5\n\trev\tx7,x7\n\trev\tx9,x9\n\trev\tx11,x11\n\trev\tx13,x13\n\trev\tx15,x15\n\trev\tx17,x17\n\trev\tx20,x20\n#endif\n\teor\tx5,x5,x6\n\teor\tx7,x7,x8\n\teor\tx9,x9,x10\n\teor\tx11,x11,x12\n\teor\tx13,x13,x14\n\teor\tx15,x15,x16\n\teor\tx17,x17,x19\n\teor\tx20,x20,x21\n\n\tstp\tx5,x7,[x0,#0]\t\t// store output\n\tadd\tx28,x28,#1\t\t\t// increment counter\n\tstp\tx9,x11,[x0,#16]\n\tstp\tx13,x15,[x0,#32]\n\tstp\tx17,x20,[x0,#48]\n\tadd\tx0,x0,#64\n\n\tb.hi\tLoop_outer\n\n\tldp\tx19,x20,[x29,#16]\n\tadd\tsp,sp,#64\n\tldp\tx21,x22,[x29,#32]\n\tldp\tx23,x24,[x29,#48]\n\tldp\tx25,x26,[x29,#64]\n\tldp\tx27,x28,[x29,#80]\n\tldp\tx29,x30,[sp],#96\n\tAARCH64_VALIDATE_LINK_REGISTER\n\tret\n\n.align\t4\nLtail:\n\tadd\tx2,x2,#64\nLess_than_64:\n\tsub\tx0,x0,#1\n\tadd\tx1,x1,x2\n\tadd\tx0,x0,x2\n\tadd\tx4,sp,x2\n\tneg\tx2,x2\n\n\tadd\tx5,x5,x6,lsl#32\t// pack\n\tadd\tx7,x7,x8,lsl#32\n\tadd\tx9,x9,x10,lsl#32\n\tadd\tx11,x11,x12,lsl#32\n\tadd\tx13,x13,x14,lsl#32\n\tadd\tx15,x15,x16,lsl#32\n\tadd\tx17,x17,x19,lsl#32\n\tadd\tx20,x20,x21,lsl#32\n#ifdef\t__AARCH64EB__\n\trev\tx5,x5\n\trev\tx7,x7\n\trev\tx9,x9\n\trev\tx11,x11\n\trev\tx13,x13\n\trev\tx15,x15\n\trev\tx17,x17\n\trev\tx20,x20\n#endif\n\tstp\tx5,x7,[sp,#0]\n\tstp\tx9,x11,[sp,#16]\n\tstp\tx13,x15,[sp,#32]\n\tstp\tx17,x20,[sp,#48]\n\nLoop_tail:\n\tldrb\tw10,[x1,x2]\n\tldrb\tw11,[x4,x2]\n\tadd\tx2,x2,#1\n\teor\tw10,w10,w11\n\tstrb\tw10,[x0,x2]\n\tcbnz\tx2,Loop_tail\n\n\tstp\txzr,xzr,[sp,#0]\n\tstp\txzr,xzr,[sp,#16]\n\tstp\txzr,xzr,[sp,#32]\n\tstp\txzr,xzr,[sp,#48]\n\n\tldp\tx19,x20,[x29,#16]\n\tadd\tsp,sp,#64\n\tldp\tx21,x22,[x29,#32]\n\tldp\tx23,x24,[x29,#48]\n\tldp\tx25,x26,[x29,#64]\n\tldp\tx27,x28,[x29,#80]\n\tldp\tx29,x30,[sp],#96\n\tAARCH64_VALIDATE_LINK_REGISTER\n\tret\n\n\n.globl\t_ChaCha20_ctr32_neon\n.private_extern\t_ChaCha20_ctr32_neon\n\n.align\t5\n_ChaCha20_ctr32_neon:\n\tAARCH64_SIGN_LINK_REGISTER\n\tstp\tx29,x30,[sp,#-96]!\n\tadd\tx29,sp,#0\n\n\tadrp\tx5,Lsigma@PAGE\n\tadd\tx5,x5,Lsigma@PAGEOFF\n\tstp\tx19,x20,[sp,#16]\n\tstp\tx21,x22,[sp,#32]\n\tstp\tx23,x24,[sp,#48]\n\tstp\tx25,x26,[sp,#64]\n\tstp\tx27,x28,[sp,#80]\n\tcmp\tx2,#512\n\tb.hs\tL512_or_more_neon\n\n\tsub\tsp,sp,#64\n\n\tldp\tx22,x23,[x5]\t\t// load sigma\n\tld1\t{v24.4s},[x5],#16\n\tldp\tx24,x25,[x3]\t\t// load key\n\tldp\tx26,x27,[x3,#16]\n\tld1\t{v25.4s,v26.4s},[x3]\n\tldp\tx28,x30,[x4]\t\t// load counter\n\tld1\t{v27.4s},[x4]\n\tld1\t{v31.4s},[x5]\n#ifdef\t__AARCH64EB__\n\trev64\tv24.4s,v24.4s\n\tror\tx24,x24,#32\n\tror\tx25,x25,#32\n\tror\tx26,x26,#32\n\tror\tx27,x27,#32\n\tror\tx28,x28,#32\n\tror\tx30,x30,#32\n#endif\n\tadd\tv27.4s,v27.4s,v31.4s\t\t// += 1\n\tadd\tv28.4s,v27.4s,v31.4s\n\tadd\tv29.4s,v28.4s,v31.4s\n\tshl\tv31.4s,v31.4s,#2\t\t\t// 1 -> 4\n\nLoop_outer_neon:\n\tmov\tw5,w22\t\t\t// unpack key block\n\tlsr\tx6,x22,#32\n\tmov\tv0.16b,v24.16b\n\tmov\tw7,w23\n\tlsr\tx8,x23,#32\n\tmov\tv4.16b,v24.16b\n\tmov\tw9,w24\n\tlsr\tx10,x24,#32\n\tmov\tv16.16b,v24.16b\n\tmov\tw11,w25\n\tmov\tv1.16b,v25.16b\n\tlsr\tx12,x25,#32\n\tmov\tv5.16b,v25.16b\n\tmov\tw13,w26\n\tmov\tv17.16b,v25.16b\n\tlsr\tx14,x26,#32\n\tmov\tv3.16b,v27.16b\n\tmov\tw15,w27\n\tmov\tv7.16b,v28.16b\n\tlsr\tx16,x27,#32\n\tmov\tv19.16b,v29.16b\n\tmov\tw17,w28\n\tmov\tv2.16b,v26.16b\n\tlsr\tx19,x28,#32\n\tmov\tv6.16b,v26.16b\n\tmov\tw20,w30\n\tmov\tv18.16b,v26.16b\n\tlsr\tx21,x30,#32\n\n\tmov\tx4,#10\n\tsubs\tx2,x2,#256\nLoop_neon:\n\tsub\tx4,x4,#1\n\tadd\tv0.4s,v0.4s,v1.4s\n\tadd\tw5,w5,w9\n\tadd\tv4.4s,v4.4s,v5.4s\n\tadd\tw6,w6,w10\n\tadd\tv16.4s,v16.4s,v17.4s\n\tadd\tw7,w7,w11\n\teor\tv3.16b,v3.16b,v0.16b\n\tadd\tw8,w8,w12\n\teor\tv7.16b,v7.16b,v4.16b\n\teor\tw17,w17,w5\n\teor\tv19.16b,v19.16b,v16.16b\n\teor\tw19,w19,w6\n\trev32\tv3.8h,v3.8h\n\teor\tw20,w20,w7\n\trev32\tv7.8h,v7.8h\n\teor\tw21,w21,w8\n\trev32\tv19.8h,v19.8h\n\tror\tw17,w17,#16\n\tadd\tv2.4s,v2.4s,v3.4s\n\tror\tw19,w19,#16\n\tadd\tv6.4s,v6.4s,v7.4s\n\tror\tw20,w20,#16\n\tadd\tv18.4s,v18.4s,v19.4s\n\tror\tw21,w21,#16\n\teor\tv20.16b,v1.16b,v2.16b\n\tadd\tw13,w13,w17\n\teor\tv21.16b,v5.16b,v6.16b\n\tadd\tw14,w14,w19\n\teor\tv22.16b,v17.16b,v18.16b\n\tadd\tw15,w15,w20\n\tushr\tv1.4s,v20.4s,#20\n\tadd\tw16,w16,w21\n\tushr\tv5.4s,v21.4s,#20\n\teor\tw9,w9,w13\n\tushr\tv17.4s,v22.4s,#20\n\teor\tw10,w10,w14\n\tsli\tv1.4s,v20.4s,#12\n\teor\tw11,w11,w15\n\tsli\tv5.4s,v21.4s,#12\n\teor\tw12,w12,w16\n\tsli\tv17.4s,v22.4s,#12\n\tror\tw9,w9,#20\n\tadd\tv0.4s,v0.4s,v1.4s\n\tror\tw10,w10,#20\n\tadd\tv4.4s,v4.4s,v5.4s\n\tror\tw11,w11,#20\n\tadd\tv16.4s,v16.4s,v17.4s\n\tror\tw12,w12,#20\n\teor\tv20.16b,v3.16b,v0.16b\n\tadd\tw5,w5,w9\n\teor\tv21.16b,v7.16b,v4.16b\n\tadd\tw6,w6,w10\n\teor\tv22.16b,v19.16b,v16.16b\n\tadd\tw7,w7,w11\n\tushr\tv3.4s,v20.4s,#24\n\tadd\tw8,w8,w12\n\tushr\tv7.4s,v21.4s,#24\n\teor\tw17,w17,w5\n\tushr\tv19.4s,v22.4s,#24\n\teor\tw19,w19,w6\n\tsli\tv3.4s,v20.4s,#8\n\teor\tw20,w20,w7\n\tsli\tv7.4s,v21.4s,#8\n\teor\tw21,w21,w8\n\tsli\tv19.4s,v22.4s,#8\n\tror\tw17,w17,#24\n\tadd\tv2.4s,v2.4s,v3.4s\n\tror\tw19,w19,#24\n\tadd\tv6.4s,v6.4s,v7.4s\n\tror\tw20,w20,#24\n\tadd\tv18.4s,v18.4s,v19.4s\n\tror\tw21,w21,#24\n\teor\tv20.16b,v1.16b,v2.16b\n\tadd\tw13,w13,w17\n\teor\tv21.16b,v5.16b,v6.16b\n\tadd\tw14,w14,w19\n\teor\tv22.16b,v17.16b,v18.16b\n\tadd\tw15,w15,w20\n\tushr\tv1.4s,v20.4s,#25\n\tadd\tw16,w16,w21\n\tushr\tv5.4s,v21.4s,#25\n\teor\tw9,w9,w13\n\tushr\tv17.4s,v22.4s,#25\n\teor\tw10,w10,w14\n\tsli\tv1.4s,v20.4s,#7\n\teor\tw11,w11,w15\n\tsli\tv5.4s,v21.4s,#7\n\teor\tw12,w12,w16\n\tsli\tv17.4s,v22.4s,#7\n\tror\tw9,w9,#25\n\text\tv2.16b,v2.16b,v2.16b,#8\n\tror\tw10,w10,#25\n\text\tv6.16b,v6.16b,v6.16b,#8\n\tror\tw11,w11,#25\n\text\tv18.16b,v18.16b,v18.16b,#8\n\tror\tw12,w12,#25\n\text\tv3.16b,v3.16b,v3.16b,#12\n\text\tv7.16b,v7.16b,v7.16b,#12\n\text\tv19.16b,v19.16b,v19.16b,#12\n\text\tv1.16b,v1.16b,v1.16b,#4\n\text\tv5.16b,v5.16b,v5.16b,#4\n\text\tv17.16b,v17.16b,v17.16b,#4\n\tadd\tv0.4s,v0.4s,v1.4s\n\tadd\tw5,w5,w10\n\tadd\tv4.4s,v4.4s,v5.4s\n\tadd\tw6,w6,w11\n\tadd\tv16.4s,v16.4s,v17.4s\n\tadd\tw7,w7,w12\n\teor\tv3.16b,v3.16b,v0.16b\n\tadd\tw8,w8,w9\n\teor\tv7.16b,v7.16b,v4.16b\n\teor\tw21,w21,w5\n\teor\tv19.16b,v19.16b,v16.16b\n\teor\tw17,w17,w6\n\trev32\tv3.8h,v3.8h\n\teor\tw19,w19,w7\n\trev32\tv7.8h,v7.8h\n\teor\tw20,w20,w8\n\trev32\tv19.8h,v19.8h\n\tror\tw21,w21,#16\n\tadd\tv2.4s,v2.4s,v3.4s\n\tror\tw17,w17,#16\n\tadd\tv6.4s,v6.4s,v7.4s\n\tror\tw19,w19,#16\n\tadd\tv18.4s,v18.4s,v19.4s\n\tror\tw20,w20,#16\n\teor\tv20.16b,v1.16b,v2.16b\n\tadd\tw15,w15,w21\n\teor\tv21.16b,v5.16b,v6.16b\n\tadd\tw16,w16,w17\n\teor\tv22.16b,v17.16b,v18.16b\n\tadd\tw13,w13,w19\n\tushr\tv1.4s,v20.4s,#20\n\tadd\tw14,w14,w20\n\tushr\tv5.4s,v21.4s,#20\n\teor\tw10,w10,w15\n\tushr\tv17.4s,v22.4s,#20\n\teor\tw11,w11,w16\n\tsli\tv1.4s,v20.4s,#12\n\teor\tw12,w12,w13\n\tsli\tv5.4s,v21.4s,#12\n\teor\tw9,w9,w14\n\tsli\tv17.4s,v22.4s,#12\n\tror\tw10,w10,#20\n\tadd\tv0.4s,v0.4s,v1.4s\n\tror\tw11,w11,#20\n\tadd\tv4.4s,v4.4s,v5.4s\n\tror\tw12,w12,#20\n\tadd\tv16.4s,v16.4s,v17.4s\n\tror\tw9,w9,#20\n\teor\tv20.16b,v3.16b,v0.16b\n\tadd\tw5,w5,w10\n\teor\tv21.16b,v7.16b,v4.16b\n\tadd\tw6,w6,w11\n\teor\tv22.16b,v19.16b,v16.16b\n\tadd\tw7,w7,w12\n\tushr\tv3.4s,v20.4s,#24\n\tadd\tw8,w8,w9\n\tushr\tv7.4s,v21.4s,#24\n\teor\tw21,w21,w5\n\tushr\tv19.4s,v22.4s,#24\n\teor\tw17,w17,w6\n\tsli\tv3.4s,v20.4s,#8\n\teor\tw19,w19,w7\n\tsli\tv7.4s,v21.4s,#8\n\teor\tw20,w20,w8\n\tsli\tv19.4s,v22.4s,#8\n\tror\tw21,w21,#24\n\tadd\tv2.4s,v2.4s,v3.4s\n\tror\tw17,w17,#24\n\tadd\tv6.4s,v6.4s,v7.4s\n\tror\tw19,w19,#24\n\tadd\tv18.4s,v18.4s,v19.4s\n\tror\tw20,w20,#24\n\teor\tv20.16b,v1.16b,v2.16b\n\tadd\tw15,w15,w21\n\teor\tv21.16b,v5.16b,v6.16b\n\tadd\tw16,w16,w17\n\teor\tv22.16b,v17.16b,v18.16b\n\tadd\tw13,w13,w19\n\tushr\tv1.4s,v20.4s,#25\n\tadd\tw14,w14,w20\n\tushr\tv5.4s,v21.4s,#25\n\teor\tw10,w10,w15\n\tushr\tv17.4s,v22.4s,#25\n\teor\tw11,w11,w16\n\tsli\tv1.4s,v20.4s,#7\n\teor\tw12,w12,w13\n\tsli\tv5.4s,v21.4s,#7\n\teor\tw9,w9,w14\n\tsli\tv17.4s,v22.4s,#7\n\tror\tw10,w10,#25\n\text\tv2.16b,v2.16b,v2.16b,#8\n\tror\tw11,w11,#25\n\text\tv6.16b,v6.16b,v6.16b,#8\n\tror\tw12,w12,#25\n\text\tv18.16b,v18.16b,v18.16b,#8\n\tror\tw9,w9,#25\n\text\tv3.16b,v3.16b,v3.16b,#4\n\text\tv7.16b,v7.16b,v7.16b,#4\n\text\tv19.16b,v19.16b,v19.16b,#4\n\text\tv1.16b,v1.16b,v1.16b,#12\n\text\tv5.16b,v5.16b,v5.16b,#12\n\text\tv17.16b,v17.16b,v17.16b,#12\n\tcbnz\tx4,Loop_neon\n\n\tadd\tw5,w5,w22\t\t// accumulate key block\n\tadd\tv0.4s,v0.4s,v24.4s\n\tadd\tx6,x6,x22,lsr#32\n\tadd\tv4.4s,v4.4s,v24.4s\n\tadd\tw7,w7,w23\n\tadd\tv16.4s,v16.4s,v24.4s\n\tadd\tx8,x8,x23,lsr#32\n\tadd\tv2.4s,v2.4s,v26.4s\n\tadd\tw9,w9,w24\n\tadd\tv6.4s,v6.4s,v26.4s\n\tadd\tx10,x10,x24,lsr#32\n\tadd\tv18.4s,v18.4s,v26.4s\n\tadd\tw11,w11,w25\n\tadd\tv3.4s,v3.4s,v27.4s\n\tadd\tx12,x12,x25,lsr#32\n\tadd\tw13,w13,w26\n\tadd\tv7.4s,v7.4s,v28.4s\n\tadd\tx14,x14,x26,lsr#32\n\tadd\tw15,w15,w27\n\tadd\tv19.4s,v19.4s,v29.4s\n\tadd\tx16,x16,x27,lsr#32\n\tadd\tw17,w17,w28\n\tadd\tv1.4s,v1.4s,v25.4s\n\tadd\tx19,x19,x28,lsr#32\n\tadd\tw20,w20,w30\n\tadd\tv5.4s,v5.4s,v25.4s\n\tadd\tx21,x21,x30,lsr#32\n\tadd\tv17.4s,v17.4s,v25.4s\n\n\tb.lo\tLtail_neon\n\n\tadd\tx5,x5,x6,lsl#32\t// pack\n\tadd\tx7,x7,x8,lsl#32\n\tldp\tx6,x8,[x1,#0]\t\t// load input\n\tadd\tx9,x9,x10,lsl#32\n\tadd\tx11,x11,x12,lsl#32\n\tldp\tx10,x12,[x1,#16]\n\tadd\tx13,x13,x14,lsl#32\n\tadd\tx15,x15,x16,lsl#32\n\tldp\tx14,x16,[x1,#32]\n\tadd\tx17,x17,x19,lsl#32\n\tadd\tx20,x20,x21,lsl#32\n\tldp\tx19,x21,[x1,#48]\n\tadd\tx1,x1,#64\n#ifdef\t__AARCH64EB__\n\trev\tx5,x5\n\trev\tx7,x7\n\trev\tx9,x9\n\trev\tx11,x11\n\trev\tx13,x13\n\trev\tx15,x15\n\trev\tx17,x17\n\trev\tx20,x20\n#endif\n\tld1\t{v20.16b,v21.16b,v22.16b,v23.16b},[x1],#64\n\teor\tx5,x5,x6\n\teor\tx7,x7,x8\n\teor\tx9,x9,x10\n\teor\tx11,x11,x12\n\teor\tx13,x13,x14\n\teor\tv0.16b,v0.16b,v20.16b\n\teor\tx15,x15,x16\n\teor\tv1.16b,v1.16b,v21.16b\n\teor\tx17,x17,x19\n\teor\tv2.16b,v2.16b,v22.16b\n\teor\tx20,x20,x21\n\teor\tv3.16b,v3.16b,v23.16b\n\tld1\t{v20.16b,v21.16b,v22.16b,v23.16b},[x1],#64\n\n\tstp\tx5,x7,[x0,#0]\t\t// store output\n\tadd\tx28,x28,#4\t\t\t// increment counter\n\tstp\tx9,x11,[x0,#16]\n\tadd\tv27.4s,v27.4s,v31.4s\t\t// += 4\n\tstp\tx13,x15,[x0,#32]\n\tadd\tv28.4s,v28.4s,v31.4s\n\tstp\tx17,x20,[x0,#48]\n\tadd\tv29.4s,v29.4s,v31.4s\n\tadd\tx0,x0,#64\n\n\tst1\t{v0.16b,v1.16b,v2.16b,v3.16b},[x0],#64\n\tld1\t{v0.16b,v1.16b,v2.16b,v3.16b},[x1],#64\n\n\teor\tv4.16b,v4.16b,v20.16b\n\teor\tv5.16b,v5.16b,v21.16b\n\teor\tv6.16b,v6.16b,v22.16b\n\teor\tv7.16b,v7.16b,v23.16b\n\tst1\t{v4.16b,v5.16b,v6.16b,v7.16b},[x0],#64\n\n\teor\tv16.16b,v16.16b,v0.16b\n\teor\tv17.16b,v17.16b,v1.16b\n\teor\tv18.16b,v18.16b,v2.16b\n\teor\tv19.16b,v19.16b,v3.16b\n\tst1\t{v16.16b,v17.16b,v18.16b,v19.16b},[x0],#64\n\n\tb.hi\tLoop_outer_neon\n\n\tldp\tx19,x20,[x29,#16]\n\tadd\tsp,sp,#64\n\tldp\tx21,x22,[x29,#32]\n\tldp\tx23,x24,[x29,#48]\n\tldp\tx25,x26,[x29,#64]\n\tldp\tx27,x28,[x29,#80]\n\tldp\tx29,x30,[sp],#96\n\tAARCH64_VALIDATE_LINK_REGISTER\n\tret\n\nLtail_neon:\n\tadd\tx2,x2,#256\n\tcmp\tx2,#64\n\tb.lo\tLess_than_64\n\n\tadd\tx5,x5,x6,lsl#32\t// pack\n\tadd\tx7,x7,x8,lsl#32\n\tldp\tx6,x8,[x1,#0]\t\t// load input\n\tadd\tx9,x9,x10,lsl#32\n\tadd\tx11,x11,x12,lsl#32\n\tldp\tx10,x12,[x1,#16]\n\tadd\tx13,x13,x14,lsl#32\n\tadd\tx15,x15,x16,lsl#32\n\tldp\tx14,x16,[x1,#32]\n\tadd\tx17,x17,x19,lsl#32\n\tadd\tx20,x20,x21,lsl#32\n\tldp\tx19,x21,[x1,#48]\n\tadd\tx1,x1,#64\n#ifdef\t__AARCH64EB__\n\trev\tx5,x5\n\trev\tx7,x7\n\trev\tx9,x9\n\trev\tx11,x11\n\trev\tx13,x13\n\trev\tx15,x15\n\trev\tx17,x17\n\trev\tx20,x20\n#endif\n\teor\tx5,x5,x6\n\teor\tx7,x7,x8\n\teor\tx9,x9,x10\n\teor\tx11,x11,x12\n\teor\tx13,x13,x14\n\teor\tx15,x15,x16\n\teor\tx17,x17,x19\n\teor\tx20,x20,x21\n\n\tstp\tx5,x7,[x0,#0]\t\t// store output\n\tadd\tx28,x28,#4\t\t\t// increment counter\n\tstp\tx9,x11,[x0,#16]\n\tstp\tx13,x15,[x0,#32]\n\tstp\tx17,x20,[x0,#48]\n\tadd\tx0,x0,#64\n\tb.eq\tLdone_neon\n\tsub\tx2,x2,#64\n\tcmp\tx2,#64\n\tb.lo\tLess_than_128\n\n\tld1\t{v20.16b,v21.16b,v22.16b,v23.16b},[x1],#64\n\teor\tv0.16b,v0.16b,v20.16b\n\teor\tv1.16b,v1.16b,v21.16b\n\teor\tv2.16b,v2.16b,v22.16b\n\teor\tv3.16b,v3.16b,v23.16b\n\tst1\t{v0.16b,v1.16b,v2.16b,v3.16b},[x0],#64\n\tb.eq\tLdone_neon\n\tsub\tx2,x2,#64\n\tcmp\tx2,#64\n\tb.lo\tLess_than_192\n\n\tld1\t{v20.16b,v21.16b,v22.16b,v23.16b},[x1],#64\n\teor\tv4.16b,v4.16b,v20.16b\n\teor\tv5.16b,v5.16b,v21.16b\n\teor\tv6.16b,v6.16b,v22.16b\n\teor\tv7.16b,v7.16b,v23.16b\n\tst1\t{v4.16b,v5.16b,v6.16b,v7.16b},[x0],#64\n\tb.eq\tLdone_neon\n\tsub\tx2,x2,#64\n\n\tst1\t{v16.16b,v17.16b,v18.16b,v19.16b},[sp]\n\tb\tLast_neon\n\nLess_than_128:\n\tst1\t{v0.16b,v1.16b,v2.16b,v3.16b},[sp]\n\tb\tLast_neon\nLess_than_192:\n\tst1\t{v4.16b,v5.16b,v6.16b,v7.16b},[sp]\n\tb\tLast_neon\n\n.align\t4\nLast_neon:\n\tsub\tx0,x0,#1\n\tadd\tx1,x1,x2\n\tadd\tx0,x0,x2\n\tadd\tx4,sp,x2\n\tneg\tx2,x2\n\nLoop_tail_neon:\n\tldrb\tw10,[x1,x2]\n\tldrb\tw11,[x4,x2]\n\tadd\tx2,x2,#1\n\teor\tw10,w10,w11\n\tstrb\tw10,[x0,x2]\n\tcbnz\tx2,Loop_tail_neon\n\n\tstp\txzr,xzr,[sp,#0]\n\tstp\txzr,xzr,[sp,#16]\n\tstp\txzr,xzr,[sp,#32]\n\tstp\txzr,xzr,[sp,#48]\n\nLdone_neon:\n\tldp\tx19,x20,[x29,#16]\n\tadd\tsp,sp,#64\n\tldp\tx21,x22,[x29,#32]\n\tldp\tx23,x24,[x29,#48]\n\tldp\tx25,x26,[x29,#64]\n\tldp\tx27,x28,[x29,#80]\n\tldp\tx29,x30,[sp],#96\n\tAARCH64_VALIDATE_LINK_REGISTER\n\tret\n\n\n.align\t5\nChaCha20_512_neon:\n\tAARCH64_SIGN_LINK_REGISTER\n\tstp\tx29,x30,[sp,#-96]!\n\tadd\tx29,sp,#0\n\n\tadrp\tx5,Lsigma@PAGE\n\tadd\tx5,x5,Lsigma@PAGEOFF\n\tstp\tx19,x20,[sp,#16]\n\tstp\tx21,x22,[sp,#32]\n\tstp\tx23,x24,[sp,#48]\n\tstp\tx25,x26,[sp,#64]\n\tstp\tx27,x28,[sp,#80]\n\nL512_or_more_neon:\n\tsub\tsp,sp,#128+64\n\n\tldp\tx22,x23,[x5]\t\t// load sigma\n\tld1\t{v24.4s},[x5],#16\n\tldp\tx24,x25,[x3]\t\t// load key\n\tldp\tx26,x27,[x3,#16]\n\tld1\t{v25.4s,v26.4s},[x3]\n\tldp\tx28,x30,[x4]\t\t// load counter\n\tld1\t{v27.4s},[x4]\n\tld1\t{v31.4s},[x5]\n#ifdef\t__AARCH64EB__\n\trev64\tv24.4s,v24.4s\n\tror\tx24,x24,#32\n\tror\tx25,x25,#32\n\tror\tx26,x26,#32\n\tror\tx27,x27,#32\n\tror\tx28,x28,#32\n\tror\tx30,x30,#32\n#endif\n\tadd\tv27.4s,v27.4s,v31.4s\t\t// += 1\n\tstp\tq24,q25,[sp,#0]\t\t// off-load key block, invariant part\n\tadd\tv27.4s,v27.4s,v31.4s\t\t// not typo\n\tstr\tq26,[sp,#32]\n\tadd\tv28.4s,v27.4s,v31.4s\n\tadd\tv29.4s,v28.4s,v31.4s\n\tadd\tv30.4s,v29.4s,v31.4s\n\tshl\tv31.4s,v31.4s,#2\t\t\t// 1 -> 4\n\n\tstp\td8,d9,[sp,#128+0]\t\t// meet ABI requirements\n\tstp\td10,d11,[sp,#128+16]\n\tstp\td12,d13,[sp,#128+32]\n\tstp\td14,d15,[sp,#128+48]\n\n\tsub\tx2,x2,#512\t\t\t// not typo\n\nLoop_outer_512_neon:\n\tmov\tv0.16b,v24.16b\n\tmov\tv4.16b,v24.16b\n\tmov\tv8.16b,v24.16b\n\tmov\tv12.16b,v24.16b\n\tmov\tv16.16b,v24.16b\n\tmov\tv20.16b,v24.16b\n\tmov\tv1.16b,v25.16b\n\tmov\tw5,w22\t\t\t// unpack key block\n\tmov\tv5.16b,v25.16b\n\tlsr\tx6,x22,#32\n\tmov\tv9.16b,v25.16b\n\tmov\tw7,w23\n\tmov\tv13.16b,v25.16b\n\tlsr\tx8,x23,#32\n\tmov\tv17.16b,v25.16b\n\tmov\tw9,w24\n\tmov\tv21.16b,v25.16b\n\tlsr\tx10,x24,#32\n\tmov\tv3.16b,v27.16b\n\tmov\tw11,w25\n\tmov\tv7.16b,v28.16b\n\tlsr\tx12,x25,#32\n\tmov\tv11.16b,v29.16b\n\tmov\tw13,w26\n\tmov\tv15.16b,v30.16b\n\tlsr\tx14,x26,#32\n\tmov\tv2.16b,v26.16b\n\tmov\tw15,w27\n\tmov\tv6.16b,v26.16b\n\tlsr\tx16,x27,#32\n\tadd\tv19.4s,v3.4s,v31.4s\t\t\t// +4\n\tmov\tw17,w28\n\tadd\tv23.4s,v7.4s,v31.4s\t\t\t// +4\n\tlsr\tx19,x28,#32\n\tmov\tv10.16b,v26.16b\n\tmov\tw20,w30\n\tmov\tv14.16b,v26.16b\n\tlsr\tx21,x30,#32\n\tmov\tv18.16b,v26.16b\n\tstp\tq27,q28,[sp,#48]\t\t// off-load key block, variable part\n\tmov\tv22.16b,v26.16b\n\tstr\tq29,[sp,#80]\n\n\tmov\tx4,#5\n\tsubs\tx2,x2,#512\nLoop_upper_neon:\n\tsub\tx4,x4,#1\n\tadd\tv0.4s,v0.4s,v1.4s\n\tadd\tw5,w5,w9\n\tadd\tv4.4s,v4.4s,v5.4s\n\tadd\tw6,w6,w10\n\tadd\tv8.4s,v8.4s,v9.4s\n\tadd\tw7,w7,w11\n\tadd\tv12.4s,v12.4s,v13.4s\n\tadd\tw8,w8,w12\n\tadd\tv16.4s,v16.4s,v17.4s\n\teor\tw17,w17,w5\n\tadd\tv20.4s,v20.4s,v21.4s\n\teor\tw19,w19,w6\n\teor\tv3.16b,v3.16b,v0.16b\n\teor\tw20,w20,w7\n\teor\tv7.16b,v7.16b,v4.16b\n\teor\tw21,w21,w8\n\teor\tv11.16b,v11.16b,v8.16b\n\tror\tw17,w17,#16\n\teor\tv15.16b,v15.16b,v12.16b\n\tror\tw19,w19,#16\n\teor\tv19.16b,v19.16b,v16.16b\n\tror\tw20,w20,#16\n\teor\tv23.16b,v23.16b,v20.16b\n\tror\tw21,w21,#16\n\trev32\tv3.8h,v3.8h\n\tadd\tw13,w13,w17\n\trev32\tv7.8h,v7.8h\n\tadd\tw14,w14,w19\n\trev32\tv11.8h,v11.8h\n\tadd\tw15,w15,w20\n\trev32\tv15.8h,v15.8h\n\tadd\tw16,w16,w21\n\trev32\tv19.8h,v19.8h\n\teor\tw9,w9,w13\n\trev32\tv23.8h,v23.8h\n\teor\tw10,w10,w14\n\tadd\tv2.4s,v2.4s,v3.4s\n\teor\tw11,w11,w15\n\tadd\tv6.4s,v6.4s,v7.4s\n\teor\tw12,w12,w16\n\tadd\tv10.4s,v10.4s,v11.4s\n\tror\tw9,w9,#20\n\tadd\tv14.4s,v14.4s,v15.4s\n\tror\tw10,w10,#20\n\tadd\tv18.4s,v18.4s,v19.4s\n\tror\tw11,w11,#20\n\tadd\tv22.4s,v22.4s,v23.4s\n\tror\tw12,w12,#20\n\teor\tv24.16b,v1.16b,v2.16b\n\tadd\tw5,w5,w9\n\teor\tv25.16b,v5.16b,v6.16b\n\tadd\tw6,w6,w10\n\teor\tv26.16b,v9.16b,v10.16b\n\tadd\tw7,w7,w11\n\teor\tv27.16b,v13.16b,v14.16b\n\tadd\tw8,w8,w12\n\teor\tv28.16b,v17.16b,v18.16b\n\teor\tw17,w17,w5\n\teor\tv29.16b,v21.16b,v22.16b\n\teor\tw19,w19,w6\n\tushr\tv1.4s,v24.4s,#20\n\teor\tw20,w20,w7\n\tushr\tv5.4s,v25.4s,#20\n\teor\tw21,w21,w8\n\tushr\tv9.4s,v26.4s,#20\n\tror\tw17,w17,#24\n\tushr\tv13.4s,v27.4s,#20\n\tror\tw19,w19,#24\n\tushr\tv17.4s,v28.4s,#20\n\tror\tw20,w20,#24\n\tushr\tv21.4s,v29.4s,#20\n\tror\tw21,w21,#24\n\tsli\tv1.4s,v24.4s,#12\n\tadd\tw13,w13,w17\n\tsli\tv5.4s,v25.4s,#12\n\tadd\tw14,w14,w19\n\tsli\tv9.4s,v26.4s,#12\n\tadd\tw15,w15,w20\n\tsli\tv13.4s,v27.4s,#12\n\tadd\tw16,w16,w21\n\tsli\tv17.4s,v28.4s,#12\n\teor\tw9,w9,w13\n\tsli\tv21.4s,v29.4s,#12\n\teor\tw10,w10,w14\n\tadd\tv0.4s,v0.4s,v1.4s\n\teor\tw11,w11,w15\n\tadd\tv4.4s,v4.4s,v5.4s\n\teor\tw12,w12,w16\n\tadd\tv8.4s,v8.4s,v9.4s\n\tror\tw9,w9,#25\n\tadd\tv12.4s,v12.4s,v13.4s\n\tror\tw10,w10,#25\n\tadd\tv16.4s,v16.4s,v17.4s\n\tror\tw11,w11,#25\n\tadd\tv20.4s,v20.4s,v21.4s\n\tror\tw12,w12,#25\n\teor\tv24.16b,v3.16b,v0.16b\n\tadd\tw5,w5,w10\n\teor\tv25.16b,v7.16b,v4.16b\n\tadd\tw6,w6,w11\n\teor\tv26.16b,v11.16b,v8.16b\n\tadd\tw7,w7,w12\n\teor\tv27.16b,v15.16b,v12.16b\n\tadd\tw8,w8,w9\n\teor\tv28.16b,v19.16b,v16.16b\n\teor\tw21,w21,w5\n\teor\tv29.16b,v23.16b,v20.16b\n\teor\tw17,w17,w6\n\tushr\tv3.4s,v24.4s,#24\n\teor\tw19,w19,w7\n\tushr\tv7.4s,v25.4s,#24\n\teor\tw20,w20,w8\n\tushr\tv11.4s,v26.4s,#24\n\tror\tw21,w21,#16\n\tushr\tv15.4s,v27.4s,#24\n\tror\tw17,w17,#16\n\tushr\tv19.4s,v28.4s,#24\n\tror\tw19,w19,#16\n\tushr\tv23.4s,v29.4s,#24\n\tror\tw20,w20,#16\n\tsli\tv3.4s,v24.4s,#8\n\tadd\tw15,w15,w21\n\tsli\tv7.4s,v25.4s,#8\n\tadd\tw16,w16,w17\n\tsli\tv11.4s,v26.4s,#8\n\tadd\tw13,w13,w19\n\tsli\tv15.4s,v27.4s,#8\n\tadd\tw14,w14,w20\n\tsli\tv19.4s,v28.4s,#8\n\teor\tw10,w10,w15\n\tsli\tv23.4s,v29.4s,#8\n\teor\tw11,w11,w16\n\tadd\tv2.4s,v2.4s,v3.4s\n\teor\tw12,w12,w13\n\tadd\tv6.4s,v6.4s,v7.4s\n\teor\tw9,w9,w14\n\tadd\tv10.4s,v10.4s,v11.4s\n\tror\tw10,w10,#20\n\tadd\tv14.4s,v14.4s,v15.4s\n\tror\tw11,w11,#20\n\tadd\tv18.4s,v18.4s,v19.4s\n\tror\tw12,w12,#20\n\tadd\tv22.4s,v22.4s,v23.4s\n\tror\tw9,w9,#20\n\teor\tv24.16b,v1.16b,v2.16b\n\tadd\tw5,w5,w10\n\teor\tv25.16b,v5.16b,v6.16b\n\tadd\tw6,w6,w11\n\teor\tv26.16b,v9.16b,v10.16b\n\tadd\tw7,w7,w12\n\teor\tv27.16b,v13.16b,v14.16b\n\tadd\tw8,w8,w9\n\teor\tv28.16b,v17.16b,v18.16b\n\teor\tw21,w21,w5\n\teor\tv29.16b,v21.16b,v22.16b\n\teor\tw17,w17,w6\n\tushr\tv1.4s,v24.4s,#25\n\teor\tw19,w19,w7\n\tushr\tv5.4s,v25.4s,#25\n\teor\tw20,w20,w8\n\tushr\tv9.4s,v26.4s,#25\n\tror\tw21,w21,#24\n\tushr\tv13.4s,v27.4s,#25\n\tror\tw17,w17,#24\n\tushr\tv17.4s,v28.4s,#25\n\tror\tw19,w19,#24\n\tushr\tv21.4s,v29.4s,#25\n\tror\tw20,w20,#24\n\tsli\tv1.4s,v24.4s,#7\n\tadd\tw15,w15,w21\n\tsli\tv5.4s,v25.4s,#7\n\tadd\tw16,w16,w17\n\tsli\tv9.4s,v26.4s,#7\n\tadd\tw13,w13,w19\n\tsli\tv13.4s,v27.4s,#7\n\tadd\tw14,w14,w20\n\tsli\tv17.4s,v28.4s,#7\n\teor\tw10,w10,w15\n\tsli\tv21.4s,v29.4s,#7\n\teor\tw11,w11,w16\n\text\tv2.16b,v2.16b,v2.16b,#8\n\teor\tw12,w12,w13\n\text\tv6.16b,v6.16b,v6.16b,#8\n\teor\tw9,w9,w14\n\text\tv10.16b,v10.16b,v10.16b,#8\n\tror\tw10,w10,#25\n\text\tv14.16b,v14.16b,v14.16b,#8\n\tror\tw11,w11,#25\n\text\tv18.16b,v18.16b,v18.16b,#8\n\tror\tw12,w12,#25\n\text\tv22.16b,v22.16b,v22.16b,#8\n\tror\tw9,w9,#25\n\text\tv3.16b,v3.16b,v3.16b,#12\n\text\tv7.16b,v7.16b,v7.16b,#12\n\text\tv11.16b,v11.16b,v11.16b,#12\n\text\tv15.16b,v15.16b,v15.16b,#12\n\text\tv19.16b,v19.16b,v19.16b,#12\n\text\tv23.16b,v23.16b,v23.16b,#12\n\text\tv1.16b,v1.16b,v1.16b,#4\n\text\tv5.16b,v5.16b,v5.16b,#4\n\text\tv9.16b,v9.16b,v9.16b,#4\n\text\tv13.16b,v13.16b,v13.16b,#4\n\text\tv17.16b,v17.16b,v17.16b,#4\n\text\tv21.16b,v21.16b,v21.16b,#4\n\tadd\tv0.4s,v0.4s,v1.4s\n\tadd\tw5,w5,w9\n\tadd\tv4.4s,v4.4s,v5.4s\n\tadd\tw6,w6,w10\n\tadd\tv8.4s,v8.4s,v9.4s\n\tadd\tw7,w7,w11\n\tadd\tv12.4s,v12.4s,v13.4s\n\tadd\tw8,w8,w12\n\tadd\tv16.4s,v16.4s,v17.4s\n\teor\tw17,w17,w5\n\tadd\tv20.4s,v20.4s,v21.4s\n\teor\tw19,w19,w6\n\teor\tv3.16b,v3.16b,v0.16b\n\teor\tw20,w20,w7\n\teor\tv7.16b,v7.16b,v4.16b\n\teor\tw21,w21,w8\n\teor\tv11.16b,v11.16b,v8.16b\n\tror\tw17,w17,#16\n\teor\tv15.16b,v15.16b,v12.16b\n\tror\tw19,w19,#16\n\teor\tv19.16b,v19.16b,v16.16b\n\tror\tw20,w20,#16\n\teor\tv23.16b,v23.16b,v20.16b\n\tror\tw21,w21,#16\n\trev32\tv3.8h,v3.8h\n\tadd\tw13,w13,w17\n\trev32\tv7.8h,v7.8h\n\tadd\tw14,w14,w19\n\trev32\tv11.8h,v11.8h\n\tadd\tw15,w15,w20\n\trev32\tv15.8h,v15.8h\n\tadd\tw16,w16,w21\n\trev32\tv19.8h,v19.8h\n\teor\tw9,w9,w13\n\trev32\tv23.8h,v23.8h\n\teor\tw10,w10,w14\n\tadd\tv2.4s,v2.4s,v3.4s\n\teor\tw11,w11,w15\n\tadd\tv6.4s,v6.4s,v7.4s\n\teor\tw12,w12,w16\n\tadd\tv10.4s,v10.4s,v11.4s\n\tror\tw9,w9,#20\n\tadd\tv14.4s,v14.4s,v15.4s\n\tror\tw10,w10,#20\n\tadd\tv18.4s,v18.4s,v19.4s\n\tror\tw11,w11,#20\n\tadd\tv22.4s,v22.4s,v23.4s\n\tror\tw12,w12,#20\n\teor\tv24.16b,v1.16b,v2.16b\n\tadd\tw5,w5,w9\n\teor\tv25.16b,v5.16b,v6.16b\n\tadd\tw6,w6,w10\n\teor\tv26.16b,v9.16b,v10.16b\n\tadd\tw7,w7,w11\n\teor\tv27.16b,v13.16b,v14.16b\n\tadd\tw8,w8,w12\n\teor\tv28.16b,v17.16b,v18.16b\n\teor\tw17,w17,w5\n\teor\tv29.16b,v21.16b,v22.16b\n\teor\tw19,w19,w6\n\tushr\tv1.4s,v24.4s,#20\n\teor\tw20,w20,w7\n\tushr\tv5.4s,v25.4s,#20\n\teor\tw21,w21,w8\n\tushr\tv9.4s,v26.4s,#20\n\tror\tw17,w17,#24\n\tushr\tv13.4s,v27.4s,#20\n\tror\tw19,w19,#24\n\tushr\tv17.4s,v28.4s,#20\n\tror\tw20,w20,#24\n\tushr\tv21.4s,v29.4s,#20\n\tror\tw21,w21,#24\n\tsli\tv1.4s,v24.4s,#12\n\tadd\tw13,w13,w17\n\tsli\tv5.4s,v25.4s,#12\n\tadd\tw14,w14,w19\n\tsli\tv9.4s,v26.4s,#12\n\tadd\tw15,w15,w20\n\tsli\tv13.4s,v27.4s,#12\n\tadd\tw16,w16,w21\n\tsli\tv17.4s,v28.4s,#12\n\teor\tw9,w9,w13\n\tsli\tv21.4s,v29.4s,#12\n\teor\tw10,w10,w14\n\tadd\tv0.4s,v0.4s,v1.4s\n\teor\tw11,w11,w15\n\tadd\tv4.4s,v4.4s,v5.4s\n\teor\tw12,w12,w16\n\tadd\tv8.4s,v8.4s,v9.4s\n\tror\tw9,w9,#25\n\tadd\tv12.4s,v12.4s,v13.4s\n\tror\tw10,w10,#25\n\tadd\tv16.4s,v16.4s,v17.4s\n\tror\tw11,w11,#25\n\tadd\tv20.4s,v20.4s,v21.4s\n\tror\tw12,w12,#25\n\teor\tv24.16b,v3.16b,v0.16b\n\tadd\tw5,w5,w10\n\teor\tv25.16b,v7.16b,v4.16b\n\tadd\tw6,w6,w11\n\teor\tv26.16b,v11.16b,v8.16b\n\tadd\tw7,w7,w12\n\teor\tv27.16b,v15.16b,v12.16b\n\tadd\tw8,w8,w9\n\teor\tv28.16b,v19.16b,v16.16b\n\teor\tw21,w21,w5\n\teor\tv29.16b,v23.16b,v20.16b\n\teor\tw17,w17,w6\n\tushr\tv3.4s,v24.4s,#24\n\teor\tw19,w19,w7\n\tushr\tv7.4s,v25.4s,#24\n\teor\tw20,w20,w8\n\tushr\tv11.4s,v26.4s,#24\n\tror\tw21,w21,#16\n\tushr\tv15.4s,v27.4s,#24\n\tror\tw17,w17,#16\n\tushr\tv19.4s,v28.4s,#24\n\tror\tw19,w19,#16\n\tushr\tv23.4s,v29.4s,#24\n\tror\tw20,w20,#16\n\tsli\tv3.4s,v24.4s,#8\n\tadd\tw15,w15,w21\n\tsli\tv7.4s,v25.4s,#8\n\tadd\tw16,w16,w17\n\tsli\tv11.4s,v26.4s,#8\n\tadd\tw13,w13,w19\n\tsli\tv15.4s,v27.4s,#8\n\tadd\tw14,w14,w20\n\tsli\tv19.4s,v28.4s,#8\n\teor\tw10,w10,w15\n\tsli\tv23.4s,v29.4s,#8\n\teor\tw11,w11,w16\n\tadd\tv2.4s,v2.4s,v3.4s\n\teor\tw12,w12,w13\n\tadd\tv6.4s,v6.4s,v7.4s\n\teor\tw9,w9,w14\n\tadd\tv10.4s,v10.4s,v11.4s\n\tror\tw10,w10,#20\n\tadd\tv14.4s,v14.4s,v15.4s\n\tror\tw11,w11,#20\n\tadd\tv18.4s,v18.4s,v19.4s\n\tror\tw12,w12,#20\n\tadd\tv22.4s,v22.4s,v23.4s\n\tror\tw9,w9,#20\n\teor\tv24.16b,v1.16b,v2.16b\n\tadd\tw5,w5,w10\n\teor\tv25.16b,v5.16b,v6.16b\n\tadd\tw6,w6,w11\n\teor\tv26.16b,v9.16b,v10.16b\n\tadd\tw7,w7,w12\n\teor\tv27.16b,v13.16b,v14.16b\n\tadd\tw8,w8,w9\n\teor\tv28.16b,v17.16b,v18.16b\n\teor\tw21,w21,w5\n\teor\tv29.16b,v21.16b,v22.16b\n\teor\tw17,w17,w6\n\tushr\tv1.4s,v24.4s,#25\n\teor\tw19,w19,w7\n\tushr\tv5.4s,v25.4s,#25\n\teor\tw20,w20,w8\n\tushr\tv9.4s,v26.4s,#25\n\tror\tw21,w21,#24\n\tushr\tv13.4s,v27.4s,#25\n\tror\tw17,w17,#24\n\tushr\tv17.4s,v28.4s,#25\n\tror\tw19,w19,#24\n\tushr\tv21.4s,v29.4s,#25\n\tror\tw20,w20,#24\n\tsli\tv1.4s,v24.4s,#7\n\tadd\tw15,w15,w21\n\tsli\tv5.4s,v25.4s,#7\n\tadd\tw16,w16,w17\n\tsli\tv9.4s,v26.4s,#7\n\tadd\tw13,w13,w19\n\tsli\tv13.4s,v27.4s,#7\n\tadd\tw14,w14,w20\n\tsli\tv17.4s,v28.4s,#7\n\teor\tw10,w10,w15\n\tsli\tv21.4s,v29.4s,#7\n\teor\tw11,w11,w16\n\text\tv2.16b,v2.16b,v2.16b,#8\n\teor\tw12,w12,w13\n\text\tv6.16b,v6.16b,v6.16b,#8\n\teor\tw9,w9,w14\n\text\tv10.16b,v10.16b,v10.16b,#8\n\tror\tw10,w10,#25\n\text\tv14.16b,v14.16b,v14.16b,#8\n\tror\tw11,w11,#25\n\text\tv18.16b,v18.16b,v18.16b,#8\n\tror\tw12,w12,#25\n\text\tv22.16b,v22.16b,v22.16b,#8\n\tror\tw9,w9,#25\n\text\tv3.16b,v3.16b,v3.16b,#4\n\text\tv7.16b,v7.16b,v7.16b,#4\n\text\tv11.16b,v11.16b,v11.16b,#4\n\text\tv15.16b,v15.16b,v15.16b,#4\n\text\tv19.16b,v19.16b,v19.16b,#4\n\text\tv23.16b,v23.16b,v23.16b,#4\n\text\tv1.16b,v1.16b,v1.16b,#12\n\text\tv5.16b,v5.16b,v5.16b,#12\n\text\tv9.16b,v9.16b,v9.16b,#12\n\text\tv13.16b,v13.16b,v13.16b,#12\n\text\tv17.16b,v17.16b,v17.16b,#12\n\text\tv21.16b,v21.16b,v21.16b,#12\n\tcbnz\tx4,Loop_upper_neon\n\n\tadd\tw5,w5,w22\t\t// accumulate key block\n\tadd\tx6,x6,x22,lsr#32\n\tadd\tw7,w7,w23\n\tadd\tx8,x8,x23,lsr#32\n\tadd\tw9,w9,w24\n\tadd\tx10,x10,x24,lsr#32\n\tadd\tw11,w11,w25\n\tadd\tx12,x12,x25,lsr#32\n\tadd\tw13,w13,w26\n\tadd\tx14,x14,x26,lsr#32\n\tadd\tw15,w15,w27\n\tadd\tx16,x16,x27,lsr#32\n\tadd\tw17,w17,w28\n\tadd\tx19,x19,x28,lsr#32\n\tadd\tw20,w20,w30\n\tadd\tx21,x21,x30,lsr#32\n\n\tadd\tx5,x5,x6,lsl#32\t// pack\n\tadd\tx7,x7,x8,lsl#32\n\tldp\tx6,x8,[x1,#0]\t\t// load input\n\tadd\tx9,x9,x10,lsl#32\n\tadd\tx11,x11,x12,lsl#32\n\tldp\tx10,x12,[x1,#16]\n\tadd\tx13,x13,x14,lsl#32\n\tadd\tx15,x15,x16,lsl#32\n\tldp\tx14,x16,[x1,#32]\n\tadd\tx17,x17,x19,lsl#32\n\tadd\tx20,x20,x21,lsl#32\n\tldp\tx19,x21,[x1,#48]\n\tadd\tx1,x1,#64\n#ifdef\t__AARCH64EB__\n\trev\tx5,x5\n\trev\tx7,x7\n\trev\tx9,x9\n\trev\tx11,x11\n\trev\tx13,x13\n\trev\tx15,x15\n\trev\tx17,x17\n\trev\tx20,x20\n#endif\n\teor\tx5,x5,x6\n\teor\tx7,x7,x8\n\teor\tx9,x9,x10\n\teor\tx11,x11,x12\n\teor\tx13,x13,x14\n\teor\tx15,x15,x16\n\teor\tx17,x17,x19\n\teor\tx20,x20,x21\n\n\tstp\tx5,x7,[x0,#0]\t\t// store output\n\tadd\tx28,x28,#1\t\t\t// increment counter\n\tmov\tw5,w22\t\t\t// unpack key block\n\tlsr\tx6,x22,#32\n\tstp\tx9,x11,[x0,#16]\n\tmov\tw7,w23\n\tlsr\tx8,x23,#32\n\tstp\tx13,x15,[x0,#32]\n\tmov\tw9,w24\n\tlsr\tx10,x24,#32\n\tstp\tx17,x20,[x0,#48]\n\tadd\tx0,x0,#64\n\tmov\tw11,w25\n\tlsr\tx12,x25,#32\n\tmov\tw13,w26\n\tlsr\tx14,x26,#32\n\tmov\tw15,w27\n\tlsr\tx16,x27,#32\n\tmov\tw17,w28\n\tlsr\tx19,x28,#32\n\tmov\tw20,w30\n\tlsr\tx21,x30,#32\n\n\tmov\tx4,#5\nLoop_lower_neon:\n\tsub\tx4,x4,#1\n\tadd\tv0.4s,v0.4s,v1.4s\n\tadd\tw5,w5,w9\n\tadd\tv4.4s,v4.4s,v5.4s\n\tadd\tw6,w6,w10\n\tadd\tv8.4s,v8.4s,v9.4s\n\tadd\tw7,w7,w11\n\tadd\tv12.4s,v12.4s,v13.4s\n\tadd\tw8,w8,w12\n\tadd\tv16.4s,v16.4s,v17.4s\n\teor\tw17,w17,w5\n\tadd\tv20.4s,v20.4s,v21.4s\n\teor\tw19,w19,w6\n\teor\tv3.16b,v3.16b,v0.16b\n\teor\tw20,w20,w7\n\teor\tv7.16b,v7.16b,v4.16b\n\teor\tw21,w21,w8\n\teor\tv11.16b,v11.16b,v8.16b\n\tror\tw17,w17,#16\n\teor\tv15.16b,v15.16b,v12.16b\n\tror\tw19,w19,#16\n\teor\tv19.16b,v19.16b,v16.16b\n\tror\tw20,w20,#16\n\teor\tv23.16b,v23.16b,v20.16b\n\tror\tw21,w21,#16\n\trev32\tv3.8h,v3.8h\n\tadd\tw13,w13,w17\n\trev32\tv7.8h,v7.8h\n\tadd\tw14,w14,w19\n\trev32\tv11.8h,v11.8h\n\tadd\tw15,w15,w20\n\trev32\tv15.8h,v15.8h\n\tadd\tw16,w16,w21\n\trev32\tv19.8h,v19.8h\n\teor\tw9,w9,w13\n\trev32\tv23.8h,v23.8h\n\teor\tw10,w10,w14\n\tadd\tv2.4s,v2.4s,v3.4s\n\teor\tw11,w11,w15\n\tadd\tv6.4s,v6.4s,v7.4s\n\teor\tw12,w12,w16\n\tadd\tv10.4s,v10.4s,v11.4s\n\tror\tw9,w9,#20\n\tadd\tv14.4s,v14.4s,v15.4s\n\tror\tw10,w10,#20\n\tadd\tv18.4s,v18.4s,v19.4s\n\tror\tw11,w11,#20\n\tadd\tv22.4s,v22.4s,v23.4s\n\tror\tw12,w12,#20\n\teor\tv24.16b,v1.16b,v2.16b\n\tadd\tw5,w5,w9\n\teor\tv25.16b,v5.16b,v6.16b\n\tadd\tw6,w6,w10\n\teor\tv26.16b,v9.16b,v10.16b\n\tadd\tw7,w7,w11\n\teor\tv27.16b,v13.16b,v14.16b\n\tadd\tw8,w8,w12\n\teor\tv28.16b,v17.16b,v18.16b\n\teor\tw17,w17,w5\n\teor\tv29.16b,v21.16b,v22.16b\n\teor\tw19,w19,w6\n\tushr\tv1.4s,v24.4s,#20\n\teor\tw20,w20,w7\n\tushr\tv5.4s,v25.4s,#20\n\teor\tw21,w21,w8\n\tushr\tv9.4s,v26.4s,#20\n\tror\tw17,w17,#24\n\tushr\tv13.4s,v27.4s,#20\n\tror\tw19,w19,#24\n\tushr\tv17.4s,v28.4s,#20\n\tror\tw20,w20,#24\n\tushr\tv21.4s,v29.4s,#20\n\tror\tw21,w21,#24\n\tsli\tv1.4s,v24.4s,#12\n\tadd\tw13,w13,w17\n\tsli\tv5.4s,v25.4s,#12\n\tadd\tw14,w14,w19\n\tsli\tv9.4s,v26.4s,#12\n\tadd\tw15,w15,w20\n\tsli\tv13.4s,v27.4s,#12\n\tadd\tw16,w16,w21\n\tsli\tv17.4s,v28.4s,#12\n\teor\tw9,w9,w13\n\tsli\tv21.4s,v29.4s,#12\n\teor\tw10,w10,w14\n\tadd\tv0.4s,v0.4s,v1.4s\n\teor\tw11,w11,w15\n\tadd\tv4.4s,v4.4s,v5.4s\n\teor\tw12,w12,w16\n\tadd\tv8.4s,v8.4s,v9.4s\n\tror\tw9,w9,#25\n\tadd\tv12.4s,v12.4s,v13.4s\n\tror\tw10,w10,#25\n\tadd\tv16.4s,v16.4s,v17.4s\n\tror\tw11,w11,#25\n\tadd\tv20.4s,v20.4s,v21.4s\n\tror\tw12,w12,#25\n\teor\tv24.16b,v3.16b,v0.16b\n\tadd\tw5,w5,w10\n\teor\tv25.16b,v7.16b,v4.16b\n\tadd\tw6,w6,w11\n\teor\tv26.16b,v11.16b,v8.16b\n\tadd\tw7,w7,w12\n\teor\tv27.16b,v15.16b,v12.16b\n\tadd\tw8,w8,w9\n\teor\tv28.16b,v19.16b,v16.16b\n\teor\tw21,w21,w5\n\teor\tv29.16b,v23.16b,v20.16b\n\teor\tw17,w17,w6\n\tushr\tv3.4s,v24.4s,#24\n\teor\tw19,w19,w7\n\tushr\tv7.4s,v25.4s,#24\n\teor\tw20,w20,w8\n\tushr\tv11.4s,v26.4s,#24\n\tror\tw21,w21,#16\n\tushr\tv15.4s,v27.4s,#24\n\tror\tw17,w17,#16\n\tushr\tv19.4s,v28.4s,#24\n\tror\tw19,w19,#16\n\tushr\tv23.4s,v29.4s,#24\n\tror\tw20,w20,#16\n\tsli\tv3.4s,v24.4s,#8\n\tadd\tw15,w15,w21\n\tsli\tv7.4s,v25.4s,#8\n\tadd\tw16,w16,w17\n\tsli\tv11.4s,v26.4s,#8\n\tadd\tw13,w13,w19\n\tsli\tv15.4s,v27.4s,#8\n\tadd\tw14,w14,w20\n\tsli\tv19.4s,v28.4s,#8\n\teor\tw10,w10,w15\n\tsli\tv23.4s,v29.4s,#8\n\teor\tw11,w11,w16\n\tadd\tv2.4s,v2.4s,v3.4s\n\teor\tw12,w12,w13\n\tadd\tv6.4s,v6.4s,v7.4s\n\teor\tw9,w9,w14\n\tadd\tv10.4s,v10.4s,v11.4s\n\tror\tw10,w10,#20\n\tadd\tv14.4s,v14.4s,v15.4s\n\tror\tw11,w11,#20\n\tadd\tv18.4s,v18.4s,v19.4s\n\tror\tw12,w12,#20\n\tadd\tv22.4s,v22.4s,v23.4s\n\tror\tw9,w9,#20\n\teor\tv24.16b,v1.16b,v2.16b\n\tadd\tw5,w5,w10\n\teor\tv25.16b,v5.16b,v6.16b\n\tadd\tw6,w6,w11\n\teor\tv26.16b,v9.16b,v10.16b\n\tadd\tw7,w7,w12\n\teor\tv27.16b,v13.16b,v14.16b\n\tadd\tw8,w8,w9\n\teor\tv28.16b,v17.16b,v18.16b\n\teor\tw21,w21,w5\n\teor\tv29.16b,v21.16b,v22.16b\n\teor\tw17,w17,w6\n\tushr\tv1.4s,v24.4s,#25\n\teor\tw19,w19,w7\n\tushr\tv5.4s,v25.4s,#25\n\teor\tw20,w20,w8\n\tushr\tv9.4s,v26.4s,#25\n\tror\tw21,w21,#24\n\tushr\tv13.4s,v27.4s,#25\n\tror\tw17,w17,#24\n\tushr\tv17.4s,v28.4s,#25\n\tror\tw19,w19,#24\n\tushr\tv21.4s,v29.4s,#25\n\tror\tw20,w20,#24\n\tsli\tv1.4s,v24.4s,#7\n\tadd\tw15,w15,w21\n\tsli\tv5.4s,v25.4s,#7\n\tadd\tw16,w16,w17\n\tsli\tv9.4s,v26.4s,#7\n\tadd\tw13,w13,w19\n\tsli\tv13.4s,v27.4s,#7\n\tadd\tw14,w14,w20\n\tsli\tv17.4s,v28.4s,#7\n\teor\tw10,w10,w15\n\tsli\tv21.4s,v29.4s,#7\n\teor\tw11,w11,w16\n\text\tv2.16b,v2.16b,v2.16b,#8\n\teor\tw12,w12,w13\n\text\tv6.16b,v6.16b,v6.16b,#8\n\teor\tw9,w9,w14\n\text\tv10.16b,v10.16b,v10.16b,#8\n\tror\tw10,w10,#25\n\text\tv14.16b,v14.16b,v14.16b,#8\n\tror\tw11,w11,#25\n\text\tv18.16b,v18.16b,v18.16b,#8\n\tror\tw12,w12,#25\n\text\tv22.16b,v22.16b,v22.16b,#8\n\tror\tw9,w9,#25\n\text\tv3.16b,v3.16b,v3.16b,#12\n\text\tv7.16b,v7.16b,v7.16b,#12\n\text\tv11.16b,v11.16b,v11.16b,#12\n\text\tv15.16b,v15.16b,v15.16b,#12\n\text\tv19.16b,v19.16b,v19.16b,#12\n\text\tv23.16b,v23.16b,v23.16b,#12\n\text\tv1.16b,v1.16b,v1.16b,#4\n\text\tv5.16b,v5.16b,v5.16b,#4\n\text\tv9.16b,v9.16b,v9.16b,#4\n\text\tv13.16b,v13.16b,v13.16b,#4\n\text\tv17.16b,v17.16b,v17.16b,#4\n\text\tv21.16b,v21.16b,v21.16b,#4\n\tadd\tv0.4s,v0.4s,v1.4s\n\tadd\tw5,w5,w9\n\tadd\tv4.4s,v4.4s,v5.4s\n\tadd\tw6,w6,w10\n\tadd\tv8.4s,v8.4s,v9.4s\n\tadd\tw7,w7,w11\n\tadd\tv12.4s,v12.4s,v13.4s\n\tadd\tw8,w8,w12\n\tadd\tv16.4s,v16.4s,v17.4s\n\teor\tw17,w17,w5\n\tadd\tv20.4s,v20.4s,v21.4s\n\teor\tw19,w19,w6\n\teor\tv3.16b,v3.16b,v0.16b\n\teor\tw20,w20,w7\n\teor\tv7.16b,v7.16b,v4.16b\n\teor\tw21,w21,w8\n\teor\tv11.16b,v11.16b,v8.16b\n\tror\tw17,w17,#16\n\teor\tv15.16b,v15.16b,v12.16b\n\tror\tw19,w19,#16\n\teor\tv19.16b,v19.16b,v16.16b\n\tror\tw20,w20,#16\n\teor\tv23.16b,v23.16b,v20.16b\n\tror\tw21,w21,#16\n\trev32\tv3.8h,v3.8h\n\tadd\tw13,w13,w17\n\trev32\tv7.8h,v7.8h\n\tadd\tw14,w14,w19\n\trev32\tv11.8h,v11.8h\n\tadd\tw15,w15,w20\n\trev32\tv15.8h,v15.8h\n\tadd\tw16,w16,w21\n\trev32\tv19.8h,v19.8h\n\teor\tw9,w9,w13\n\trev32\tv23.8h,v23.8h\n\teor\tw10,w10,w14\n\tadd\tv2.4s,v2.4s,v3.4s\n\teor\tw11,w11,w15\n\tadd\tv6.4s,v6.4s,v7.4s\n\teor\tw12,w12,w16\n\tadd\tv10.4s,v10.4s,v11.4s\n\tror\tw9,w9,#20\n\tadd\tv14.4s,v14.4s,v15.4s\n\tror\tw10,w10,#20\n\tadd\tv18.4s,v18.4s,v19.4s\n\tror\tw11,w11,#20\n\tadd\tv22.4s,v22.4s,v23.4s\n\tror\tw12,w12,#20\n\teor\tv24.16b,v1.16b,v2.16b\n\tadd\tw5,w5,w9\n\teor\tv25.16b,v5.16b,v6.16b\n\tadd\tw6,w6,w10\n\teor\tv26.16b,v9.16b,v10.16b\n\tadd\tw7,w7,w11\n\teor\tv27.16b,v13.16b,v14.16b\n\tadd\tw8,w8,w12\n\teor\tv28.16b,v17.16b,v18.16b\n\teor\tw17,w17,w5\n\teor\tv29.16b,v21.16b,v22.16b\n\teor\tw19,w19,w6\n\tushr\tv1.4s,v24.4s,#20\n\teor\tw20,w20,w7\n\tushr\tv5.4s,v25.4s,#20\n\teor\tw21,w21,w8\n\tushr\tv9.4s,v26.4s,#20\n\tror\tw17,w17,#24\n\tushr\tv13.4s,v27.4s,#20\n\tror\tw19,w19,#24\n\tushr\tv17.4s,v28.4s,#20\n\tror\tw20,w20,#24\n\tushr\tv21.4s,v29.4s,#20\n\tror\tw21,w21,#24\n\tsli\tv1.4s,v24.4s,#12\n\tadd\tw13,w13,w17\n\tsli\tv5.4s,v25.4s,#12\n\tadd\tw14,w14,w19\n\tsli\tv9.4s,v26.4s,#12\n\tadd\tw15,w15,w20\n\tsli\tv13.4s,v27.4s,#12\n\tadd\tw16,w16,w21\n\tsli\tv17.4s,v28.4s,#12\n\teor\tw9,w9,w13\n\tsli\tv21.4s,v29.4s,#12\n\teor\tw10,w10,w14\n\tadd\tv0.4s,v0.4s,v1.4s\n\teor\tw11,w11,w15\n\tadd\tv4.4s,v4.4s,v5.4s\n\teor\tw12,w12,w16\n\tadd\tv8.4s,v8.4s,v9.4s\n\tror\tw9,w9,#25\n\tadd\tv12.4s,v12.4s,v13.4s\n\tror\tw10,w10,#25\n\tadd\tv16.4s,v16.4s,v17.4s\n\tror\tw11,w11,#25\n\tadd\tv20.4s,v20.4s,v21.4s\n\tror\tw12,w12,#25\n\teor\tv24.16b,v3.16b,v0.16b\n\tadd\tw5,w5,w10\n\teor\tv25.16b,v7.16b,v4.16b\n\tadd\tw6,w6,w11\n\teor\tv26.16b,v11.16b,v8.16b\n\tadd\tw7,w7,w12\n\teor\tv27.16b,v15.16b,v12.16b\n\tadd\tw8,w8,w9\n\teor\tv28.16b,v19.16b,v16.16b\n\teor\tw21,w21,w5\n\teor\tv29.16b,v23.16b,v20.16b\n\teor\tw17,w17,w6\n\tushr\tv3.4s,v24.4s,#24\n\teor\tw19,w19,w7\n\tushr\tv7.4s,v25.4s,#24\n\teor\tw20,w20,w8\n\tushr\tv11.4s,v26.4s,#24\n\tror\tw21,w21,#16\n\tushr\tv15.4s,v27.4s,#24\n\tror\tw17,w17,#16\n\tushr\tv19.4s,v28.4s,#24\n\tror\tw19,w19,#16\n\tushr\tv23.4s,v29.4s,#24\n\tror\tw20,w20,#16\n\tsli\tv3.4s,v24.4s,#8\n\tadd\tw15,w15,w21\n\tsli\tv7.4s,v25.4s,#8\n\tadd\tw16,w16,w17\n\tsli\tv11.4s,v26.4s,#8\n\tadd\tw13,w13,w19\n\tsli\tv15.4s,v27.4s,#8\n\tadd\tw14,w14,w20\n\tsli\tv19.4s,v28.4s,#8\n\teor\tw10,w10,w15\n\tsli\tv23.4s,v29.4s,#8\n\teor\tw11,w11,w16\n\tadd\tv2.4s,v2.4s,v3.4s\n\teor\tw12,w12,w13\n\tadd\tv6.4s,v6.4s,v7.4s\n\teor\tw9,w9,w14\n\tadd\tv10.4s,v10.4s,v11.4s\n\tror\tw10,w10,#20\n\tadd\tv14.4s,v14.4s,v15.4s\n\tror\tw11,w11,#20\n\tadd\tv18.4s,v18.4s,v19.4s\n\tror\tw12,w12,#20\n\tadd\tv22.4s,v22.4s,v23.4s\n\tror\tw9,w9,#20\n\teor\tv24.16b,v1.16b,v2.16b\n\tadd\tw5,w5,w10\n\teor\tv25.16b,v5.16b,v6.16b\n\tadd\tw6,w6,w11\n\teor\tv26.16b,v9.16b,v10.16b\n\tadd\tw7,w7,w12\n\teor\tv27.16b,v13.16b,v14.16b\n\tadd\tw8,w8,w9\n\teor\tv28.16b,v17.16b,v18.16b\n\teor\tw21,w21,w5\n\teor\tv29.16b,v21.16b,v22.16b\n\teor\tw17,w17,w6\n\tushr\tv1.4s,v24.4s,#25\n\teor\tw19,w19,w7\n\tushr\tv5.4s,v25.4s,#25\n\teor\tw20,w20,w8\n\tushr\tv9.4s,v26.4s,#25\n\tror\tw21,w21,#24\n\tushr\tv13.4s,v27.4s,#25\n\tror\tw17,w17,#24\n\tushr\tv17.4s,v28.4s,#25\n\tror\tw19,w19,#24\n\tushr\tv21.4s,v29.4s,#25\n\tror\tw20,w20,#24\n\tsli\tv1.4s,v24.4s,#7\n\tadd\tw15,w15,w21\n\tsli\tv5.4s,v25.4s,#7\n\tadd\tw16,w16,w17\n\tsli\tv9.4s,v26.4s,#7\n\tadd\tw13,w13,w19\n\tsli\tv13.4s,v27.4s,#7\n\tadd\tw14,w14,w20\n\tsli\tv17.4s,v28.4s,#7\n\teor\tw10,w10,w15\n\tsli\tv21.4s,v29.4s,#7\n\teor\tw11,w11,w16\n\text\tv2.16b,v2.16b,v2.16b,#8\n\teor\tw12,w12,w13\n\text\tv6.16b,v6.16b,v6.16b,#8\n\teor\tw9,w9,w14\n\text\tv10.16b,v10.16b,v10.16b,#8\n\tror\tw10,w10,#25\n\text\tv14.16b,v14.16b,v14.16b,#8\n\tror\tw11,w11,#25\n\text\tv18.16b,v18.16b,v18.16b,#8\n\tror\tw12,w12,#25\n\text\tv22.16b,v22.16b,v22.16b,#8\n\tror\tw9,w9,#25\n\text\tv3.16b,v3.16b,v3.16b,#4\n\text\tv7.16b,v7.16b,v7.16b,#4\n\text\tv11.16b,v11.16b,v11.16b,#4\n\text\tv15.16b,v15.16b,v15.16b,#4\n\text\tv19.16b,v19.16b,v19.16b,#4\n\text\tv23.16b,v23.16b,v23.16b,#4\n\text\tv1.16b,v1.16b,v1.16b,#12\n\text\tv5.16b,v5.16b,v5.16b,#12\n\text\tv9.16b,v9.16b,v9.16b,#12\n\text\tv13.16b,v13.16b,v13.16b,#12\n\text\tv17.16b,v17.16b,v17.16b,#12\n\text\tv21.16b,v21.16b,v21.16b,#12\n\tcbnz\tx4,Loop_lower_neon\n\n\tadd\tw5,w5,w22\t\t// accumulate key block\n\tldp\tq24,q25,[sp,#0]\n\tadd\tx6,x6,x22,lsr#32\n\tldp\tq26,q27,[sp,#32]\n\tadd\tw7,w7,w23\n\tldp\tq28,q29,[sp,#64]\n\tadd\tx8,x8,x23,lsr#32\n\tadd\tv0.4s,v0.4s,v24.4s\n\tadd\tw9,w9,w24\n\tadd\tv4.4s,v4.4s,v24.4s\n\tadd\tx10,x10,x24,lsr#32\n\tadd\tv8.4s,v8.4s,v24.4s\n\tadd\tw11,w11,w25\n\tadd\tv12.4s,v12.4s,v24.4s\n\tadd\tx12,x12,x25,lsr#32\n\tadd\tv16.4s,v16.4s,v24.4s\n\tadd\tw13,w13,w26\n\tadd\tv20.4s,v20.4s,v24.4s\n\tadd\tx14,x14,x26,lsr#32\n\tadd\tv2.4s,v2.4s,v26.4s\n\tadd\tw15,w15,w27\n\tadd\tv6.4s,v6.4s,v26.4s\n\tadd\tx16,x16,x27,lsr#32\n\tadd\tv10.4s,v10.4s,v26.4s\n\tadd\tw17,w17,w28\n\tadd\tv14.4s,v14.4s,v26.4s\n\tadd\tx19,x19,x28,lsr#32\n\tadd\tv18.4s,v18.4s,v26.4s\n\tadd\tw20,w20,w30\n\tadd\tv22.4s,v22.4s,v26.4s\n\tadd\tx21,x21,x30,lsr#32\n\tadd\tv19.4s,v19.4s,v31.4s\t\t\t// +4\n\tadd\tx5,x5,x6,lsl#32\t// pack\n\tadd\tv23.4s,v23.4s,v31.4s\t\t\t// +4\n\tadd\tx7,x7,x8,lsl#32\n\tadd\tv3.4s,v3.4s,v27.4s\n\tldp\tx6,x8,[x1,#0]\t\t// load input\n\tadd\tv7.4s,v7.4s,v28.4s\n\tadd\tx9,x9,x10,lsl#32\n\tadd\tv11.4s,v11.4s,v29.4s\n\tadd\tx11,x11,x12,lsl#32\n\tadd\tv15.4s,v15.4s,v30.4s\n\tldp\tx10,x12,[x1,#16]\n\tadd\tv19.4s,v19.4s,v27.4s\n\tadd\tx13,x13,x14,lsl#32\n\tadd\tv23.4s,v23.4s,v28.4s\n\tadd\tx15,x15,x16,lsl#32\n\tadd\tv1.4s,v1.4s,v25.4s\n\tldp\tx14,x16,[x1,#32]\n\tadd\tv5.4s,v5.4s,v25.4s\n\tadd\tx17,x17,x19,lsl#32\n\tadd\tv9.4s,v9.4s,v25.4s\n\tadd\tx20,x20,x21,lsl#32\n\tadd\tv13.4s,v13.4s,v25.4s\n\tldp\tx19,x21,[x1,#48]\n\tadd\tv17.4s,v17.4s,v25.4s\n\tadd\tx1,x1,#64\n\tadd\tv21.4s,v21.4s,v25.4s\n\n#ifdef\t__AARCH64EB__\n\trev\tx5,x5\n\trev\tx7,x7\n\trev\tx9,x9\n\trev\tx11,x11\n\trev\tx13,x13\n\trev\tx15,x15\n\trev\tx17,x17\n\trev\tx20,x20\n#endif\n\tld1\t{v24.16b,v25.16b,v26.16b,v27.16b},[x1],#64\n\teor\tx5,x5,x6\n\teor\tx7,x7,x8\n\teor\tx9,x9,x10\n\teor\tx11,x11,x12\n\teor\tx13,x13,x14\n\teor\tv0.16b,v0.16b,v24.16b\n\teor\tx15,x15,x16\n\teor\tv1.16b,v1.16b,v25.16b\n\teor\tx17,x17,x19\n\teor\tv2.16b,v2.16b,v26.16b\n\teor\tx20,x20,x21\n\teor\tv3.16b,v3.16b,v27.16b\n\tld1\t{v24.16b,v25.16b,v26.16b,v27.16b},[x1],#64\n\n\tstp\tx5,x7,[x0,#0]\t\t// store output\n\tadd\tx28,x28,#7\t\t\t// increment counter\n\tstp\tx9,x11,[x0,#16]\n\tstp\tx13,x15,[x0,#32]\n\tstp\tx17,x20,[x0,#48]\n\tadd\tx0,x0,#64\n\tst1\t{v0.16b,v1.16b,v2.16b,v3.16b},[x0],#64\n\n\tld1\t{v0.16b,v1.16b,v2.16b,v3.16b},[x1],#64\n\teor\tv4.16b,v4.16b,v24.16b\n\teor\tv5.16b,v5.16b,v25.16b\n\teor\tv6.16b,v6.16b,v26.16b\n\teor\tv7.16b,v7.16b,v27.16b\n\tst1\t{v4.16b,v5.16b,v6.16b,v7.16b},[x0],#64\n\n\tld1\t{v4.16b,v5.16b,v6.16b,v7.16b},[x1],#64\n\teor\tv8.16b,v8.16b,v0.16b\n\tldp\tq24,q25,[sp,#0]\n\teor\tv9.16b,v9.16b,v1.16b\n\tldp\tq26,q27,[sp,#32]\n\teor\tv10.16b,v10.16b,v2.16b\n\teor\tv11.16b,v11.16b,v3.16b\n\tst1\t{v8.16b,v9.16b,v10.16b,v11.16b},[x0],#64\n\n\tld1\t{v8.16b,v9.16b,v10.16b,v11.16b},[x1],#64\n\teor\tv12.16b,v12.16b,v4.16b\n\teor\tv13.16b,v13.16b,v5.16b\n\teor\tv14.16b,v14.16b,v6.16b\n\teor\tv15.16b,v15.16b,v7.16b\n\tst1\t{v12.16b,v13.16b,v14.16b,v15.16b},[x0],#64\n\n\tld1\t{v12.16b,v13.16b,v14.16b,v15.16b},[x1],#64\n\teor\tv16.16b,v16.16b,v8.16b\n\teor\tv17.16b,v17.16b,v9.16b\n\teor\tv18.16b,v18.16b,v10.16b\n\teor\tv19.16b,v19.16b,v11.16b\n\tst1\t{v16.16b,v17.16b,v18.16b,v19.16b},[x0],#64\n\n\tshl\tv0.4s,v31.4s,#1\t\t\t// 4 -> 8\n\teor\tv20.16b,v20.16b,v12.16b\n\teor\tv21.16b,v21.16b,v13.16b\n\teor\tv22.16b,v22.16b,v14.16b\n\teor\tv23.16b,v23.16b,v15.16b\n\tst1\t{v20.16b,v21.16b,v22.16b,v23.16b},[x0],#64\n\n\tadd\tv27.4s,v27.4s,v0.4s\t\t\t// += 8\n\tadd\tv28.4s,v28.4s,v0.4s\n\tadd\tv29.4s,v29.4s,v0.4s\n\tadd\tv30.4s,v30.4s,v0.4s\n\n\tb.hs\tLoop_outer_512_neon\n\n\tadds\tx2,x2,#512\n\tushr\tv0.4s,v31.4s,#2\t\t\t// 4 -> 1\n\n\tldp\td8,d9,[sp,#128+0]\t\t// meet ABI requirements\n\tldp\td10,d11,[sp,#128+16]\n\tldp\td12,d13,[sp,#128+32]\n\tldp\td14,d15,[sp,#128+48]\n\n\tstp\tq24,q31,[sp,#0]\t\t// wipe off-load area\n\tstp\tq24,q31,[sp,#32]\n\tstp\tq24,q31,[sp,#64]\n\n\tb.eq\tLdone_512_neon\n\n\tcmp\tx2,#192\n\tsub\tv27.4s,v27.4s,v0.4s\t\t\t// -= 1\n\tsub\tv28.4s,v28.4s,v0.4s\n\tsub\tv29.4s,v29.4s,v0.4s\n\tadd\tsp,sp,#128\n\tb.hs\tLoop_outer_neon\n\n\teor\tv25.16b,v25.16b,v25.16b\n\teor\tv26.16b,v26.16b,v26.16b\n\teor\tv27.16b,v27.16b,v27.16b\n\teor\tv28.16b,v28.16b,v28.16b\n\teor\tv29.16b,v29.16b,v29.16b\n\teor\tv30.16b,v30.16b,v30.16b\n\tb\tLoop_outer\n\nLdone_512_neon:\n\tldp\tx19,x20,[x29,#16]\n\tadd\tsp,sp,#128+64\n\tldp\tx21,x22,[x29,#32]\n\tldp\tx23,x24,[x29,#48]\n\tldp\tx25,x26,[x29,#64]\n\tldp\tx27,x28,[x29,#80]\n\tldp\tx29,x30,[sp],#96\n\tAARCH64_VALIDATE_LINK_REGISTER\n\tret\n\n#endif // !OPENSSL_NO_ASM && defined(OPENSSL_AARCH64) && defined(__APPLE__)\n#if defined(__linux__) && defined(__ELF__)\n.section .note.GNU-stack,\"\",%progbits\n#endif\n\n" }, { "path": "Sources/CNIOBoringSSL/gen/crypto/chacha-armv8-linux.S", "content": "#define BORINGSSL_PREFIX CNIOBoringSSL\n// This file is generated from a similarly-named Perl script in the BoringSSL\n// source tree. Do not edit by hand.\n\n#include \n\n#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_AARCH64) && defined(__ELF__)\n#include \n\n.section\t.rodata\n\n.align\t5\n.Lsigma:\n.quad\t0x3320646e61707865,0x6b20657479622d32\t\t// endian-neutral\n.Lone:\n.long\t1,0,0,0\n.byte\t67,104,97,67,104,97,50,48,32,102,111,114,32,65,82,77,118,56,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0\n.align\t2\n\n.text\n\n.globl\tChaCha20_ctr32_nohw\n.hidden\tChaCha20_ctr32_nohw\n.type\tChaCha20_ctr32_nohw,%function\n.align\t5\nChaCha20_ctr32_nohw:\n\tAARCH64_SIGN_LINK_REGISTER\n\tstp\tx29,x30,[sp,#-96]!\n\tadd\tx29,sp,#0\n\n\tadrp\tx5,.Lsigma\n\tadd\tx5,x5,:lo12:.Lsigma\n\tstp\tx19,x20,[sp,#16]\n\tstp\tx21,x22,[sp,#32]\n\tstp\tx23,x24,[sp,#48]\n\tstp\tx25,x26,[sp,#64]\n\tstp\tx27,x28,[sp,#80]\n\tsub\tsp,sp,#64\n\n\tldp\tx22,x23,[x5]\t\t// load sigma\n\tldp\tx24,x25,[x3]\t\t// load key\n\tldp\tx26,x27,[x3,#16]\n\tldp\tx28,x30,[x4]\t\t// load counter\n#ifdef\t__AARCH64EB__\n\tror\tx24,x24,#32\n\tror\tx25,x25,#32\n\tror\tx26,x26,#32\n\tror\tx27,x27,#32\n\tror\tx28,x28,#32\n\tror\tx30,x30,#32\n#endif\n\n.Loop_outer:\n\tmov\tw5,w22\t\t\t// unpack key block\n\tlsr\tx6,x22,#32\n\tmov\tw7,w23\n\tlsr\tx8,x23,#32\n\tmov\tw9,w24\n\tlsr\tx10,x24,#32\n\tmov\tw11,w25\n\tlsr\tx12,x25,#32\n\tmov\tw13,w26\n\tlsr\tx14,x26,#32\n\tmov\tw15,w27\n\tlsr\tx16,x27,#32\n\tmov\tw17,w28\n\tlsr\tx19,x28,#32\n\tmov\tw20,w30\n\tlsr\tx21,x30,#32\n\n\tmov\tx4,#10\n\tsubs\tx2,x2,#64\n.Loop:\n\tsub\tx4,x4,#1\n\tadd\tw5,w5,w9\n\tadd\tw6,w6,w10\n\tadd\tw7,w7,w11\n\tadd\tw8,w8,w12\n\teor\tw17,w17,w5\n\teor\tw19,w19,w6\n\teor\tw20,w20,w7\n\teor\tw21,w21,w8\n\tror\tw17,w17,#16\n\tror\tw19,w19,#16\n\tror\tw20,w20,#16\n\tror\tw21,w21,#16\n\tadd\tw13,w13,w17\n\tadd\tw14,w14,w19\n\tadd\tw15,w15,w20\n\tadd\tw16,w16,w21\n\teor\tw9,w9,w13\n\teor\tw10,w10,w14\n\teor\tw11,w11,w15\n\teor\tw12,w12,w16\n\tror\tw9,w9,#20\n\tror\tw10,w10,#20\n\tror\tw11,w11,#20\n\tror\tw12,w12,#20\n\tadd\tw5,w5,w9\n\tadd\tw6,w6,w10\n\tadd\tw7,w7,w11\n\tadd\tw8,w8,w12\n\teor\tw17,w17,w5\n\teor\tw19,w19,w6\n\teor\tw20,w20,w7\n\teor\tw21,w21,w8\n\tror\tw17,w17,#24\n\tror\tw19,w19,#24\n\tror\tw20,w20,#24\n\tror\tw21,w21,#24\n\tadd\tw13,w13,w17\n\tadd\tw14,w14,w19\n\tadd\tw15,w15,w20\n\tadd\tw16,w16,w21\n\teor\tw9,w9,w13\n\teor\tw10,w10,w14\n\teor\tw11,w11,w15\n\teor\tw12,w12,w16\n\tror\tw9,w9,#25\n\tror\tw10,w10,#25\n\tror\tw11,w11,#25\n\tror\tw12,w12,#25\n\tadd\tw5,w5,w10\n\tadd\tw6,w6,w11\n\tadd\tw7,w7,w12\n\tadd\tw8,w8,w9\n\teor\tw21,w21,w5\n\teor\tw17,w17,w6\n\teor\tw19,w19,w7\n\teor\tw20,w20,w8\n\tror\tw21,w21,#16\n\tror\tw17,w17,#16\n\tror\tw19,w19,#16\n\tror\tw20,w20,#16\n\tadd\tw15,w15,w21\n\tadd\tw16,w16,w17\n\tadd\tw13,w13,w19\n\tadd\tw14,w14,w20\n\teor\tw10,w10,w15\n\teor\tw11,w11,w16\n\teor\tw12,w12,w13\n\teor\tw9,w9,w14\n\tror\tw10,w10,#20\n\tror\tw11,w11,#20\n\tror\tw12,w12,#20\n\tror\tw9,w9,#20\n\tadd\tw5,w5,w10\n\tadd\tw6,w6,w11\n\tadd\tw7,w7,w12\n\tadd\tw8,w8,w9\n\teor\tw21,w21,w5\n\teor\tw17,w17,w6\n\teor\tw19,w19,w7\n\teor\tw20,w20,w8\n\tror\tw21,w21,#24\n\tror\tw17,w17,#24\n\tror\tw19,w19,#24\n\tror\tw20,w20,#24\n\tadd\tw15,w15,w21\n\tadd\tw16,w16,w17\n\tadd\tw13,w13,w19\n\tadd\tw14,w14,w20\n\teor\tw10,w10,w15\n\teor\tw11,w11,w16\n\teor\tw12,w12,w13\n\teor\tw9,w9,w14\n\tror\tw10,w10,#25\n\tror\tw11,w11,#25\n\tror\tw12,w12,#25\n\tror\tw9,w9,#25\n\tcbnz\tx4,.Loop\n\n\tadd\tw5,w5,w22\t\t// accumulate key block\n\tadd\tx6,x6,x22,lsr#32\n\tadd\tw7,w7,w23\n\tadd\tx8,x8,x23,lsr#32\n\tadd\tw9,w9,w24\n\tadd\tx10,x10,x24,lsr#32\n\tadd\tw11,w11,w25\n\tadd\tx12,x12,x25,lsr#32\n\tadd\tw13,w13,w26\n\tadd\tx14,x14,x26,lsr#32\n\tadd\tw15,w15,w27\n\tadd\tx16,x16,x27,lsr#32\n\tadd\tw17,w17,w28\n\tadd\tx19,x19,x28,lsr#32\n\tadd\tw20,w20,w30\n\tadd\tx21,x21,x30,lsr#32\n\n\tb.lo\t.Ltail\n\n\tadd\tx5,x5,x6,lsl#32\t// pack\n\tadd\tx7,x7,x8,lsl#32\n\tldp\tx6,x8,[x1,#0]\t\t// load input\n\tadd\tx9,x9,x10,lsl#32\n\tadd\tx11,x11,x12,lsl#32\n\tldp\tx10,x12,[x1,#16]\n\tadd\tx13,x13,x14,lsl#32\n\tadd\tx15,x15,x16,lsl#32\n\tldp\tx14,x16,[x1,#32]\n\tadd\tx17,x17,x19,lsl#32\n\tadd\tx20,x20,x21,lsl#32\n\tldp\tx19,x21,[x1,#48]\n\tadd\tx1,x1,#64\n#ifdef\t__AARCH64EB__\n\trev\tx5,x5\n\trev\tx7,x7\n\trev\tx9,x9\n\trev\tx11,x11\n\trev\tx13,x13\n\trev\tx15,x15\n\trev\tx17,x17\n\trev\tx20,x20\n#endif\n\teor\tx5,x5,x6\n\teor\tx7,x7,x8\n\teor\tx9,x9,x10\n\teor\tx11,x11,x12\n\teor\tx13,x13,x14\n\teor\tx15,x15,x16\n\teor\tx17,x17,x19\n\teor\tx20,x20,x21\n\n\tstp\tx5,x7,[x0,#0]\t\t// store output\n\tadd\tx28,x28,#1\t\t\t// increment counter\n\tstp\tx9,x11,[x0,#16]\n\tstp\tx13,x15,[x0,#32]\n\tstp\tx17,x20,[x0,#48]\n\tadd\tx0,x0,#64\n\n\tb.hi\t.Loop_outer\n\n\tldp\tx19,x20,[x29,#16]\n\tadd\tsp,sp,#64\n\tldp\tx21,x22,[x29,#32]\n\tldp\tx23,x24,[x29,#48]\n\tldp\tx25,x26,[x29,#64]\n\tldp\tx27,x28,[x29,#80]\n\tldp\tx29,x30,[sp],#96\n\tAARCH64_VALIDATE_LINK_REGISTER\n\tret\n\n.align\t4\n.Ltail:\n\tadd\tx2,x2,#64\n.Less_than_64:\n\tsub\tx0,x0,#1\n\tadd\tx1,x1,x2\n\tadd\tx0,x0,x2\n\tadd\tx4,sp,x2\n\tneg\tx2,x2\n\n\tadd\tx5,x5,x6,lsl#32\t// pack\n\tadd\tx7,x7,x8,lsl#32\n\tadd\tx9,x9,x10,lsl#32\n\tadd\tx11,x11,x12,lsl#32\n\tadd\tx13,x13,x14,lsl#32\n\tadd\tx15,x15,x16,lsl#32\n\tadd\tx17,x17,x19,lsl#32\n\tadd\tx20,x20,x21,lsl#32\n#ifdef\t__AARCH64EB__\n\trev\tx5,x5\n\trev\tx7,x7\n\trev\tx9,x9\n\trev\tx11,x11\n\trev\tx13,x13\n\trev\tx15,x15\n\trev\tx17,x17\n\trev\tx20,x20\n#endif\n\tstp\tx5,x7,[sp,#0]\n\tstp\tx9,x11,[sp,#16]\n\tstp\tx13,x15,[sp,#32]\n\tstp\tx17,x20,[sp,#48]\n\n.Loop_tail:\n\tldrb\tw10,[x1,x2]\n\tldrb\tw11,[x4,x2]\n\tadd\tx2,x2,#1\n\teor\tw10,w10,w11\n\tstrb\tw10,[x0,x2]\n\tcbnz\tx2,.Loop_tail\n\n\tstp\txzr,xzr,[sp,#0]\n\tstp\txzr,xzr,[sp,#16]\n\tstp\txzr,xzr,[sp,#32]\n\tstp\txzr,xzr,[sp,#48]\n\n\tldp\tx19,x20,[x29,#16]\n\tadd\tsp,sp,#64\n\tldp\tx21,x22,[x29,#32]\n\tldp\tx23,x24,[x29,#48]\n\tldp\tx25,x26,[x29,#64]\n\tldp\tx27,x28,[x29,#80]\n\tldp\tx29,x30,[sp],#96\n\tAARCH64_VALIDATE_LINK_REGISTER\n\tret\n.size\tChaCha20_ctr32_nohw,.-ChaCha20_ctr32_nohw\n\n.globl\tChaCha20_ctr32_neon\n.hidden\tChaCha20_ctr32_neon\n.type\tChaCha20_ctr32_neon,%function\n.align\t5\nChaCha20_ctr32_neon:\n\tAARCH64_SIGN_LINK_REGISTER\n\tstp\tx29,x30,[sp,#-96]!\n\tadd\tx29,sp,#0\n\n\tadrp\tx5,.Lsigma\n\tadd\tx5,x5,:lo12:.Lsigma\n\tstp\tx19,x20,[sp,#16]\n\tstp\tx21,x22,[sp,#32]\n\tstp\tx23,x24,[sp,#48]\n\tstp\tx25,x26,[sp,#64]\n\tstp\tx27,x28,[sp,#80]\n\tcmp\tx2,#512\n\tb.hs\t.L512_or_more_neon\n\n\tsub\tsp,sp,#64\n\n\tldp\tx22,x23,[x5]\t\t// load sigma\n\tld1\t{v24.4s},[x5],#16\n\tldp\tx24,x25,[x3]\t\t// load key\n\tldp\tx26,x27,[x3,#16]\n\tld1\t{v25.4s,v26.4s},[x3]\n\tldp\tx28,x30,[x4]\t\t// load counter\n\tld1\t{v27.4s},[x4]\n\tld1\t{v31.4s},[x5]\n#ifdef\t__AARCH64EB__\n\trev64\tv24.4s,v24.4s\n\tror\tx24,x24,#32\n\tror\tx25,x25,#32\n\tror\tx26,x26,#32\n\tror\tx27,x27,#32\n\tror\tx28,x28,#32\n\tror\tx30,x30,#32\n#endif\n\tadd\tv27.4s,v27.4s,v31.4s\t\t// += 1\n\tadd\tv28.4s,v27.4s,v31.4s\n\tadd\tv29.4s,v28.4s,v31.4s\n\tshl\tv31.4s,v31.4s,#2\t\t\t// 1 -> 4\n\n.Loop_outer_neon:\n\tmov\tw5,w22\t\t\t// unpack key block\n\tlsr\tx6,x22,#32\n\tmov\tv0.16b,v24.16b\n\tmov\tw7,w23\n\tlsr\tx8,x23,#32\n\tmov\tv4.16b,v24.16b\n\tmov\tw9,w24\n\tlsr\tx10,x24,#32\n\tmov\tv16.16b,v24.16b\n\tmov\tw11,w25\n\tmov\tv1.16b,v25.16b\n\tlsr\tx12,x25,#32\n\tmov\tv5.16b,v25.16b\n\tmov\tw13,w26\n\tmov\tv17.16b,v25.16b\n\tlsr\tx14,x26,#32\n\tmov\tv3.16b,v27.16b\n\tmov\tw15,w27\n\tmov\tv7.16b,v28.16b\n\tlsr\tx16,x27,#32\n\tmov\tv19.16b,v29.16b\n\tmov\tw17,w28\n\tmov\tv2.16b,v26.16b\n\tlsr\tx19,x28,#32\n\tmov\tv6.16b,v26.16b\n\tmov\tw20,w30\n\tmov\tv18.16b,v26.16b\n\tlsr\tx21,x30,#32\n\n\tmov\tx4,#10\n\tsubs\tx2,x2,#256\n.Loop_neon:\n\tsub\tx4,x4,#1\n\tadd\tv0.4s,v0.4s,v1.4s\n\tadd\tw5,w5,w9\n\tadd\tv4.4s,v4.4s,v5.4s\n\tadd\tw6,w6,w10\n\tadd\tv16.4s,v16.4s,v17.4s\n\tadd\tw7,w7,w11\n\teor\tv3.16b,v3.16b,v0.16b\n\tadd\tw8,w8,w12\n\teor\tv7.16b,v7.16b,v4.16b\n\teor\tw17,w17,w5\n\teor\tv19.16b,v19.16b,v16.16b\n\teor\tw19,w19,w6\n\trev32\tv3.8h,v3.8h\n\teor\tw20,w20,w7\n\trev32\tv7.8h,v7.8h\n\teor\tw21,w21,w8\n\trev32\tv19.8h,v19.8h\n\tror\tw17,w17,#16\n\tadd\tv2.4s,v2.4s,v3.4s\n\tror\tw19,w19,#16\n\tadd\tv6.4s,v6.4s,v7.4s\n\tror\tw20,w20,#16\n\tadd\tv18.4s,v18.4s,v19.4s\n\tror\tw21,w21,#16\n\teor\tv20.16b,v1.16b,v2.16b\n\tadd\tw13,w13,w17\n\teor\tv21.16b,v5.16b,v6.16b\n\tadd\tw14,w14,w19\n\teor\tv22.16b,v17.16b,v18.16b\n\tadd\tw15,w15,w20\n\tushr\tv1.4s,v20.4s,#20\n\tadd\tw16,w16,w21\n\tushr\tv5.4s,v21.4s,#20\n\teor\tw9,w9,w13\n\tushr\tv17.4s,v22.4s,#20\n\teor\tw10,w10,w14\n\tsli\tv1.4s,v20.4s,#12\n\teor\tw11,w11,w15\n\tsli\tv5.4s,v21.4s,#12\n\teor\tw12,w12,w16\n\tsli\tv17.4s,v22.4s,#12\n\tror\tw9,w9,#20\n\tadd\tv0.4s,v0.4s,v1.4s\n\tror\tw10,w10,#20\n\tadd\tv4.4s,v4.4s,v5.4s\n\tror\tw11,w11,#20\n\tadd\tv16.4s,v16.4s,v17.4s\n\tror\tw12,w12,#20\n\teor\tv20.16b,v3.16b,v0.16b\n\tadd\tw5,w5,w9\n\teor\tv21.16b,v7.16b,v4.16b\n\tadd\tw6,w6,w10\n\teor\tv22.16b,v19.16b,v16.16b\n\tadd\tw7,w7,w11\n\tushr\tv3.4s,v20.4s,#24\n\tadd\tw8,w8,w12\n\tushr\tv7.4s,v21.4s,#24\n\teor\tw17,w17,w5\n\tushr\tv19.4s,v22.4s,#24\n\teor\tw19,w19,w6\n\tsli\tv3.4s,v20.4s,#8\n\teor\tw20,w20,w7\n\tsli\tv7.4s,v21.4s,#8\n\teor\tw21,w21,w8\n\tsli\tv19.4s,v22.4s,#8\n\tror\tw17,w17,#24\n\tadd\tv2.4s,v2.4s,v3.4s\n\tror\tw19,w19,#24\n\tadd\tv6.4s,v6.4s,v7.4s\n\tror\tw20,w20,#24\n\tadd\tv18.4s,v18.4s,v19.4s\n\tror\tw21,w21,#24\n\teor\tv20.16b,v1.16b,v2.16b\n\tadd\tw13,w13,w17\n\teor\tv21.16b,v5.16b,v6.16b\n\tadd\tw14,w14,w19\n\teor\tv22.16b,v17.16b,v18.16b\n\tadd\tw15,w15,w20\n\tushr\tv1.4s,v20.4s,#25\n\tadd\tw16,w16,w21\n\tushr\tv5.4s,v21.4s,#25\n\teor\tw9,w9,w13\n\tushr\tv17.4s,v22.4s,#25\n\teor\tw10,w10,w14\n\tsli\tv1.4s,v20.4s,#7\n\teor\tw11,w11,w15\n\tsli\tv5.4s,v21.4s,#7\n\teor\tw12,w12,w16\n\tsli\tv17.4s,v22.4s,#7\n\tror\tw9,w9,#25\n\text\tv2.16b,v2.16b,v2.16b,#8\n\tror\tw10,w10,#25\n\text\tv6.16b,v6.16b,v6.16b,#8\n\tror\tw11,w11,#25\n\text\tv18.16b,v18.16b,v18.16b,#8\n\tror\tw12,w12,#25\n\text\tv3.16b,v3.16b,v3.16b,#12\n\text\tv7.16b,v7.16b,v7.16b,#12\n\text\tv19.16b,v19.16b,v19.16b,#12\n\text\tv1.16b,v1.16b,v1.16b,#4\n\text\tv5.16b,v5.16b,v5.16b,#4\n\text\tv17.16b,v17.16b,v17.16b,#4\n\tadd\tv0.4s,v0.4s,v1.4s\n\tadd\tw5,w5,w10\n\tadd\tv4.4s,v4.4s,v5.4s\n\tadd\tw6,w6,w11\n\tadd\tv16.4s,v16.4s,v17.4s\n\tadd\tw7,w7,w12\n\teor\tv3.16b,v3.16b,v0.16b\n\tadd\tw8,w8,w9\n\teor\tv7.16b,v7.16b,v4.16b\n\teor\tw21,w21,w5\n\teor\tv19.16b,v19.16b,v16.16b\n\teor\tw17,w17,w6\n\trev32\tv3.8h,v3.8h\n\teor\tw19,w19,w7\n\trev32\tv7.8h,v7.8h\n\teor\tw20,w20,w8\n\trev32\tv19.8h,v19.8h\n\tror\tw21,w21,#16\n\tadd\tv2.4s,v2.4s,v3.4s\n\tror\tw17,w17,#16\n\tadd\tv6.4s,v6.4s,v7.4s\n\tror\tw19,w19,#16\n\tadd\tv18.4s,v18.4s,v19.4s\n\tror\tw20,w20,#16\n\teor\tv20.16b,v1.16b,v2.16b\n\tadd\tw15,w15,w21\n\teor\tv21.16b,v5.16b,v6.16b\n\tadd\tw16,w16,w17\n\teor\tv22.16b,v17.16b,v18.16b\n\tadd\tw13,w13,w19\n\tushr\tv1.4s,v20.4s,#20\n\tadd\tw14,w14,w20\n\tushr\tv5.4s,v21.4s,#20\n\teor\tw10,w10,w15\n\tushr\tv17.4s,v22.4s,#20\n\teor\tw11,w11,w16\n\tsli\tv1.4s,v20.4s,#12\n\teor\tw12,w12,w13\n\tsli\tv5.4s,v21.4s,#12\n\teor\tw9,w9,w14\n\tsli\tv17.4s,v22.4s,#12\n\tror\tw10,w10,#20\n\tadd\tv0.4s,v0.4s,v1.4s\n\tror\tw11,w11,#20\n\tadd\tv4.4s,v4.4s,v5.4s\n\tror\tw12,w12,#20\n\tadd\tv16.4s,v16.4s,v17.4s\n\tror\tw9,w9,#20\n\teor\tv20.16b,v3.16b,v0.16b\n\tadd\tw5,w5,w10\n\teor\tv21.16b,v7.16b,v4.16b\n\tadd\tw6,w6,w11\n\teor\tv22.16b,v19.16b,v16.16b\n\tadd\tw7,w7,w12\n\tushr\tv3.4s,v20.4s,#24\n\tadd\tw8,w8,w9\n\tushr\tv7.4s,v21.4s,#24\n\teor\tw21,w21,w5\n\tushr\tv19.4s,v22.4s,#24\n\teor\tw17,w17,w6\n\tsli\tv3.4s,v20.4s,#8\n\teor\tw19,w19,w7\n\tsli\tv7.4s,v21.4s,#8\n\teor\tw20,w20,w8\n\tsli\tv19.4s,v22.4s,#8\n\tror\tw21,w21,#24\n\tadd\tv2.4s,v2.4s,v3.4s\n\tror\tw17,w17,#24\n\tadd\tv6.4s,v6.4s,v7.4s\n\tror\tw19,w19,#24\n\tadd\tv18.4s,v18.4s,v19.4s\n\tror\tw20,w20,#24\n\teor\tv20.16b,v1.16b,v2.16b\n\tadd\tw15,w15,w21\n\teor\tv21.16b,v5.16b,v6.16b\n\tadd\tw16,w16,w17\n\teor\tv22.16b,v17.16b,v18.16b\n\tadd\tw13,w13,w19\n\tushr\tv1.4s,v20.4s,#25\n\tadd\tw14,w14,w20\n\tushr\tv5.4s,v21.4s,#25\n\teor\tw10,w10,w15\n\tushr\tv17.4s,v22.4s,#25\n\teor\tw11,w11,w16\n\tsli\tv1.4s,v20.4s,#7\n\teor\tw12,w12,w13\n\tsli\tv5.4s,v21.4s,#7\n\teor\tw9,w9,w14\n\tsli\tv17.4s,v22.4s,#7\n\tror\tw10,w10,#25\n\text\tv2.16b,v2.16b,v2.16b,#8\n\tror\tw11,w11,#25\n\text\tv6.16b,v6.16b,v6.16b,#8\n\tror\tw12,w12,#25\n\text\tv18.16b,v18.16b,v18.16b,#8\n\tror\tw9,w9,#25\n\text\tv3.16b,v3.16b,v3.16b,#4\n\text\tv7.16b,v7.16b,v7.16b,#4\n\text\tv19.16b,v19.16b,v19.16b,#4\n\text\tv1.16b,v1.16b,v1.16b,#12\n\text\tv5.16b,v5.16b,v5.16b,#12\n\text\tv17.16b,v17.16b,v17.16b,#12\n\tcbnz\tx4,.Loop_neon\n\n\tadd\tw5,w5,w22\t\t// accumulate key block\n\tadd\tv0.4s,v0.4s,v24.4s\n\tadd\tx6,x6,x22,lsr#32\n\tadd\tv4.4s,v4.4s,v24.4s\n\tadd\tw7,w7,w23\n\tadd\tv16.4s,v16.4s,v24.4s\n\tadd\tx8,x8,x23,lsr#32\n\tadd\tv2.4s,v2.4s,v26.4s\n\tadd\tw9,w9,w24\n\tadd\tv6.4s,v6.4s,v26.4s\n\tadd\tx10,x10,x24,lsr#32\n\tadd\tv18.4s,v18.4s,v26.4s\n\tadd\tw11,w11,w25\n\tadd\tv3.4s,v3.4s,v27.4s\n\tadd\tx12,x12,x25,lsr#32\n\tadd\tw13,w13,w26\n\tadd\tv7.4s,v7.4s,v28.4s\n\tadd\tx14,x14,x26,lsr#32\n\tadd\tw15,w15,w27\n\tadd\tv19.4s,v19.4s,v29.4s\n\tadd\tx16,x16,x27,lsr#32\n\tadd\tw17,w17,w28\n\tadd\tv1.4s,v1.4s,v25.4s\n\tadd\tx19,x19,x28,lsr#32\n\tadd\tw20,w20,w30\n\tadd\tv5.4s,v5.4s,v25.4s\n\tadd\tx21,x21,x30,lsr#32\n\tadd\tv17.4s,v17.4s,v25.4s\n\n\tb.lo\t.Ltail_neon\n\n\tadd\tx5,x5,x6,lsl#32\t// pack\n\tadd\tx7,x7,x8,lsl#32\n\tldp\tx6,x8,[x1,#0]\t\t// load input\n\tadd\tx9,x9,x10,lsl#32\n\tadd\tx11,x11,x12,lsl#32\n\tldp\tx10,x12,[x1,#16]\n\tadd\tx13,x13,x14,lsl#32\n\tadd\tx15,x15,x16,lsl#32\n\tldp\tx14,x16,[x1,#32]\n\tadd\tx17,x17,x19,lsl#32\n\tadd\tx20,x20,x21,lsl#32\n\tldp\tx19,x21,[x1,#48]\n\tadd\tx1,x1,#64\n#ifdef\t__AARCH64EB__\n\trev\tx5,x5\n\trev\tx7,x7\n\trev\tx9,x9\n\trev\tx11,x11\n\trev\tx13,x13\n\trev\tx15,x15\n\trev\tx17,x17\n\trev\tx20,x20\n#endif\n\tld1\t{v20.16b,v21.16b,v22.16b,v23.16b},[x1],#64\n\teor\tx5,x5,x6\n\teor\tx7,x7,x8\n\teor\tx9,x9,x10\n\teor\tx11,x11,x12\n\teor\tx13,x13,x14\n\teor\tv0.16b,v0.16b,v20.16b\n\teor\tx15,x15,x16\n\teor\tv1.16b,v1.16b,v21.16b\n\teor\tx17,x17,x19\n\teor\tv2.16b,v2.16b,v22.16b\n\teor\tx20,x20,x21\n\teor\tv3.16b,v3.16b,v23.16b\n\tld1\t{v20.16b,v21.16b,v22.16b,v23.16b},[x1],#64\n\n\tstp\tx5,x7,[x0,#0]\t\t// store output\n\tadd\tx28,x28,#4\t\t\t// increment counter\n\tstp\tx9,x11,[x0,#16]\n\tadd\tv27.4s,v27.4s,v31.4s\t\t// += 4\n\tstp\tx13,x15,[x0,#32]\n\tadd\tv28.4s,v28.4s,v31.4s\n\tstp\tx17,x20,[x0,#48]\n\tadd\tv29.4s,v29.4s,v31.4s\n\tadd\tx0,x0,#64\n\n\tst1\t{v0.16b,v1.16b,v2.16b,v3.16b},[x0],#64\n\tld1\t{v0.16b,v1.16b,v2.16b,v3.16b},[x1],#64\n\n\teor\tv4.16b,v4.16b,v20.16b\n\teor\tv5.16b,v5.16b,v21.16b\n\teor\tv6.16b,v6.16b,v22.16b\n\teor\tv7.16b,v7.16b,v23.16b\n\tst1\t{v4.16b,v5.16b,v6.16b,v7.16b},[x0],#64\n\n\teor\tv16.16b,v16.16b,v0.16b\n\teor\tv17.16b,v17.16b,v1.16b\n\teor\tv18.16b,v18.16b,v2.16b\n\teor\tv19.16b,v19.16b,v3.16b\n\tst1\t{v16.16b,v17.16b,v18.16b,v19.16b},[x0],#64\n\n\tb.hi\t.Loop_outer_neon\n\n\tldp\tx19,x20,[x29,#16]\n\tadd\tsp,sp,#64\n\tldp\tx21,x22,[x29,#32]\n\tldp\tx23,x24,[x29,#48]\n\tldp\tx25,x26,[x29,#64]\n\tldp\tx27,x28,[x29,#80]\n\tldp\tx29,x30,[sp],#96\n\tAARCH64_VALIDATE_LINK_REGISTER\n\tret\n\n.Ltail_neon:\n\tadd\tx2,x2,#256\n\tcmp\tx2,#64\n\tb.lo\t.Less_than_64\n\n\tadd\tx5,x5,x6,lsl#32\t// pack\n\tadd\tx7,x7,x8,lsl#32\n\tldp\tx6,x8,[x1,#0]\t\t// load input\n\tadd\tx9,x9,x10,lsl#32\n\tadd\tx11,x11,x12,lsl#32\n\tldp\tx10,x12,[x1,#16]\n\tadd\tx13,x13,x14,lsl#32\n\tadd\tx15,x15,x16,lsl#32\n\tldp\tx14,x16,[x1,#32]\n\tadd\tx17,x17,x19,lsl#32\n\tadd\tx20,x20,x21,lsl#32\n\tldp\tx19,x21,[x1,#48]\n\tadd\tx1,x1,#64\n#ifdef\t__AARCH64EB__\n\trev\tx5,x5\n\trev\tx7,x7\n\trev\tx9,x9\n\trev\tx11,x11\n\trev\tx13,x13\n\trev\tx15,x15\n\trev\tx17,x17\n\trev\tx20,x20\n#endif\n\teor\tx5,x5,x6\n\teor\tx7,x7,x8\n\teor\tx9,x9,x10\n\teor\tx11,x11,x12\n\teor\tx13,x13,x14\n\teor\tx15,x15,x16\n\teor\tx17,x17,x19\n\teor\tx20,x20,x21\n\n\tstp\tx5,x7,[x0,#0]\t\t// store output\n\tadd\tx28,x28,#4\t\t\t// increment counter\n\tstp\tx9,x11,[x0,#16]\n\tstp\tx13,x15,[x0,#32]\n\tstp\tx17,x20,[x0,#48]\n\tadd\tx0,x0,#64\n\tb.eq\t.Ldone_neon\n\tsub\tx2,x2,#64\n\tcmp\tx2,#64\n\tb.lo\t.Less_than_128\n\n\tld1\t{v20.16b,v21.16b,v22.16b,v23.16b},[x1],#64\n\teor\tv0.16b,v0.16b,v20.16b\n\teor\tv1.16b,v1.16b,v21.16b\n\teor\tv2.16b,v2.16b,v22.16b\n\teor\tv3.16b,v3.16b,v23.16b\n\tst1\t{v0.16b,v1.16b,v2.16b,v3.16b},[x0],#64\n\tb.eq\t.Ldone_neon\n\tsub\tx2,x2,#64\n\tcmp\tx2,#64\n\tb.lo\t.Less_than_192\n\n\tld1\t{v20.16b,v21.16b,v22.16b,v23.16b},[x1],#64\n\teor\tv4.16b,v4.16b,v20.16b\n\teor\tv5.16b,v5.16b,v21.16b\n\teor\tv6.16b,v6.16b,v22.16b\n\teor\tv7.16b,v7.16b,v23.16b\n\tst1\t{v4.16b,v5.16b,v6.16b,v7.16b},[x0],#64\n\tb.eq\t.Ldone_neon\n\tsub\tx2,x2,#64\n\n\tst1\t{v16.16b,v17.16b,v18.16b,v19.16b},[sp]\n\tb\t.Last_neon\n\n.Less_than_128:\n\tst1\t{v0.16b,v1.16b,v2.16b,v3.16b},[sp]\n\tb\t.Last_neon\n.Less_than_192:\n\tst1\t{v4.16b,v5.16b,v6.16b,v7.16b},[sp]\n\tb\t.Last_neon\n\n.align\t4\n.Last_neon:\n\tsub\tx0,x0,#1\n\tadd\tx1,x1,x2\n\tadd\tx0,x0,x2\n\tadd\tx4,sp,x2\n\tneg\tx2,x2\n\n.Loop_tail_neon:\n\tldrb\tw10,[x1,x2]\n\tldrb\tw11,[x4,x2]\n\tadd\tx2,x2,#1\n\teor\tw10,w10,w11\n\tstrb\tw10,[x0,x2]\n\tcbnz\tx2,.Loop_tail_neon\n\n\tstp\txzr,xzr,[sp,#0]\n\tstp\txzr,xzr,[sp,#16]\n\tstp\txzr,xzr,[sp,#32]\n\tstp\txzr,xzr,[sp,#48]\n\n.Ldone_neon:\n\tldp\tx19,x20,[x29,#16]\n\tadd\tsp,sp,#64\n\tldp\tx21,x22,[x29,#32]\n\tldp\tx23,x24,[x29,#48]\n\tldp\tx25,x26,[x29,#64]\n\tldp\tx27,x28,[x29,#80]\n\tldp\tx29,x30,[sp],#96\n\tAARCH64_VALIDATE_LINK_REGISTER\n\tret\n.size\tChaCha20_ctr32_neon,.-ChaCha20_ctr32_neon\n.type\tChaCha20_512_neon,%function\n.align\t5\nChaCha20_512_neon:\n\tAARCH64_SIGN_LINK_REGISTER\n\tstp\tx29,x30,[sp,#-96]!\n\tadd\tx29,sp,#0\n\n\tadrp\tx5,.Lsigma\n\tadd\tx5,x5,:lo12:.Lsigma\n\tstp\tx19,x20,[sp,#16]\n\tstp\tx21,x22,[sp,#32]\n\tstp\tx23,x24,[sp,#48]\n\tstp\tx25,x26,[sp,#64]\n\tstp\tx27,x28,[sp,#80]\n\n.L512_or_more_neon:\n\tsub\tsp,sp,#128+64\n\n\tldp\tx22,x23,[x5]\t\t// load sigma\n\tld1\t{v24.4s},[x5],#16\n\tldp\tx24,x25,[x3]\t\t// load key\n\tldp\tx26,x27,[x3,#16]\n\tld1\t{v25.4s,v26.4s},[x3]\n\tldp\tx28,x30,[x4]\t\t// load counter\n\tld1\t{v27.4s},[x4]\n\tld1\t{v31.4s},[x5]\n#ifdef\t__AARCH64EB__\n\trev64\tv24.4s,v24.4s\n\tror\tx24,x24,#32\n\tror\tx25,x25,#32\n\tror\tx26,x26,#32\n\tror\tx27,x27,#32\n\tror\tx28,x28,#32\n\tror\tx30,x30,#32\n#endif\n\tadd\tv27.4s,v27.4s,v31.4s\t\t// += 1\n\tstp\tq24,q25,[sp,#0]\t\t// off-load key block, invariant part\n\tadd\tv27.4s,v27.4s,v31.4s\t\t// not typo\n\tstr\tq26,[sp,#32]\n\tadd\tv28.4s,v27.4s,v31.4s\n\tadd\tv29.4s,v28.4s,v31.4s\n\tadd\tv30.4s,v29.4s,v31.4s\n\tshl\tv31.4s,v31.4s,#2\t\t\t// 1 -> 4\n\n\tstp\td8,d9,[sp,#128+0]\t\t// meet ABI requirements\n\tstp\td10,d11,[sp,#128+16]\n\tstp\td12,d13,[sp,#128+32]\n\tstp\td14,d15,[sp,#128+48]\n\n\tsub\tx2,x2,#512\t\t\t// not typo\n\n.Loop_outer_512_neon:\n\tmov\tv0.16b,v24.16b\n\tmov\tv4.16b,v24.16b\n\tmov\tv8.16b,v24.16b\n\tmov\tv12.16b,v24.16b\n\tmov\tv16.16b,v24.16b\n\tmov\tv20.16b,v24.16b\n\tmov\tv1.16b,v25.16b\n\tmov\tw5,w22\t\t\t// unpack key block\n\tmov\tv5.16b,v25.16b\n\tlsr\tx6,x22,#32\n\tmov\tv9.16b,v25.16b\n\tmov\tw7,w23\n\tmov\tv13.16b,v25.16b\n\tlsr\tx8,x23,#32\n\tmov\tv17.16b,v25.16b\n\tmov\tw9,w24\n\tmov\tv21.16b,v25.16b\n\tlsr\tx10,x24,#32\n\tmov\tv3.16b,v27.16b\n\tmov\tw11,w25\n\tmov\tv7.16b,v28.16b\n\tlsr\tx12,x25,#32\n\tmov\tv11.16b,v29.16b\n\tmov\tw13,w26\n\tmov\tv15.16b,v30.16b\n\tlsr\tx14,x26,#32\n\tmov\tv2.16b,v26.16b\n\tmov\tw15,w27\n\tmov\tv6.16b,v26.16b\n\tlsr\tx16,x27,#32\n\tadd\tv19.4s,v3.4s,v31.4s\t\t\t// +4\n\tmov\tw17,w28\n\tadd\tv23.4s,v7.4s,v31.4s\t\t\t// +4\n\tlsr\tx19,x28,#32\n\tmov\tv10.16b,v26.16b\n\tmov\tw20,w30\n\tmov\tv14.16b,v26.16b\n\tlsr\tx21,x30,#32\n\tmov\tv18.16b,v26.16b\n\tstp\tq27,q28,[sp,#48]\t\t// off-load key block, variable part\n\tmov\tv22.16b,v26.16b\n\tstr\tq29,[sp,#80]\n\n\tmov\tx4,#5\n\tsubs\tx2,x2,#512\n.Loop_upper_neon:\n\tsub\tx4,x4,#1\n\tadd\tv0.4s,v0.4s,v1.4s\n\tadd\tw5,w5,w9\n\tadd\tv4.4s,v4.4s,v5.4s\n\tadd\tw6,w6,w10\n\tadd\tv8.4s,v8.4s,v9.4s\n\tadd\tw7,w7,w11\n\tadd\tv12.4s,v12.4s,v13.4s\n\tadd\tw8,w8,w12\n\tadd\tv16.4s,v16.4s,v17.4s\n\teor\tw17,w17,w5\n\tadd\tv20.4s,v20.4s,v21.4s\n\teor\tw19,w19,w6\n\teor\tv3.16b,v3.16b,v0.16b\n\teor\tw20,w20,w7\n\teor\tv7.16b,v7.16b,v4.16b\n\teor\tw21,w21,w8\n\teor\tv11.16b,v11.16b,v8.16b\n\tror\tw17,w17,#16\n\teor\tv15.16b,v15.16b,v12.16b\n\tror\tw19,w19,#16\n\teor\tv19.16b,v19.16b,v16.16b\n\tror\tw20,w20,#16\n\teor\tv23.16b,v23.16b,v20.16b\n\tror\tw21,w21,#16\n\trev32\tv3.8h,v3.8h\n\tadd\tw13,w13,w17\n\trev32\tv7.8h,v7.8h\n\tadd\tw14,w14,w19\n\trev32\tv11.8h,v11.8h\n\tadd\tw15,w15,w20\n\trev32\tv15.8h,v15.8h\n\tadd\tw16,w16,w21\n\trev32\tv19.8h,v19.8h\n\teor\tw9,w9,w13\n\trev32\tv23.8h,v23.8h\n\teor\tw10,w10,w14\n\tadd\tv2.4s,v2.4s,v3.4s\n\teor\tw11,w11,w15\n\tadd\tv6.4s,v6.4s,v7.4s\n\teor\tw12,w12,w16\n\tadd\tv10.4s,v10.4s,v11.4s\n\tror\tw9,w9,#20\n\tadd\tv14.4s,v14.4s,v15.4s\n\tror\tw10,w10,#20\n\tadd\tv18.4s,v18.4s,v19.4s\n\tror\tw11,w11,#20\n\tadd\tv22.4s,v22.4s,v23.4s\n\tror\tw12,w12,#20\n\teor\tv24.16b,v1.16b,v2.16b\n\tadd\tw5,w5,w9\n\teor\tv25.16b,v5.16b,v6.16b\n\tadd\tw6,w6,w10\n\teor\tv26.16b,v9.16b,v10.16b\n\tadd\tw7,w7,w11\n\teor\tv27.16b,v13.16b,v14.16b\n\tadd\tw8,w8,w12\n\teor\tv28.16b,v17.16b,v18.16b\n\teor\tw17,w17,w5\n\teor\tv29.16b,v21.16b,v22.16b\n\teor\tw19,w19,w6\n\tushr\tv1.4s,v24.4s,#20\n\teor\tw20,w20,w7\n\tushr\tv5.4s,v25.4s,#20\n\teor\tw21,w21,w8\n\tushr\tv9.4s,v26.4s,#20\n\tror\tw17,w17,#24\n\tushr\tv13.4s,v27.4s,#20\n\tror\tw19,w19,#24\n\tushr\tv17.4s,v28.4s,#20\n\tror\tw20,w20,#24\n\tushr\tv21.4s,v29.4s,#20\n\tror\tw21,w21,#24\n\tsli\tv1.4s,v24.4s,#12\n\tadd\tw13,w13,w17\n\tsli\tv5.4s,v25.4s,#12\n\tadd\tw14,w14,w19\n\tsli\tv9.4s,v26.4s,#12\n\tadd\tw15,w15,w20\n\tsli\tv13.4s,v27.4s,#12\n\tadd\tw16,w16,w21\n\tsli\tv17.4s,v28.4s,#12\n\teor\tw9,w9,w13\n\tsli\tv21.4s,v29.4s,#12\n\teor\tw10,w10,w14\n\tadd\tv0.4s,v0.4s,v1.4s\n\teor\tw11,w11,w15\n\tadd\tv4.4s,v4.4s,v5.4s\n\teor\tw12,w12,w16\n\tadd\tv8.4s,v8.4s,v9.4s\n\tror\tw9,w9,#25\n\tadd\tv12.4s,v12.4s,v13.4s\n\tror\tw10,w10,#25\n\tadd\tv16.4s,v16.4s,v17.4s\n\tror\tw11,w11,#25\n\tadd\tv20.4s,v20.4s,v21.4s\n\tror\tw12,w12,#25\n\teor\tv24.16b,v3.16b,v0.16b\n\tadd\tw5,w5,w10\n\teor\tv25.16b,v7.16b,v4.16b\n\tadd\tw6,w6,w11\n\teor\tv26.16b,v11.16b,v8.16b\n\tadd\tw7,w7,w12\n\teor\tv27.16b,v15.16b,v12.16b\n\tadd\tw8,w8,w9\n\teor\tv28.16b,v19.16b,v16.16b\n\teor\tw21,w21,w5\n\teor\tv29.16b,v23.16b,v20.16b\n\teor\tw17,w17,w6\n\tushr\tv3.4s,v24.4s,#24\n\teor\tw19,w19,w7\n\tushr\tv7.4s,v25.4s,#24\n\teor\tw20,w20,w8\n\tushr\tv11.4s,v26.4s,#24\n\tror\tw21,w21,#16\n\tushr\tv15.4s,v27.4s,#24\n\tror\tw17,w17,#16\n\tushr\tv19.4s,v28.4s,#24\n\tror\tw19,w19,#16\n\tushr\tv23.4s,v29.4s,#24\n\tror\tw20,w20,#16\n\tsli\tv3.4s,v24.4s,#8\n\tadd\tw15,w15,w21\n\tsli\tv7.4s,v25.4s,#8\n\tadd\tw16,w16,w17\n\tsli\tv11.4s,v26.4s,#8\n\tadd\tw13,w13,w19\n\tsli\tv15.4s,v27.4s,#8\n\tadd\tw14,w14,w20\n\tsli\tv19.4s,v28.4s,#8\n\teor\tw10,w10,w15\n\tsli\tv23.4s,v29.4s,#8\n\teor\tw11,w11,w16\n\tadd\tv2.4s,v2.4s,v3.4s\n\teor\tw12,w12,w13\n\tadd\tv6.4s,v6.4s,v7.4s\n\teor\tw9,w9,w14\n\tadd\tv10.4s,v10.4s,v11.4s\n\tror\tw10,w10,#20\n\tadd\tv14.4s,v14.4s,v15.4s\n\tror\tw11,w11,#20\n\tadd\tv18.4s,v18.4s,v19.4s\n\tror\tw12,w12,#20\n\tadd\tv22.4s,v22.4s,v23.4s\n\tror\tw9,w9,#20\n\teor\tv24.16b,v1.16b,v2.16b\n\tadd\tw5,w5,w10\n\teor\tv25.16b,v5.16b,v6.16b\n\tadd\tw6,w6,w11\n\teor\tv26.16b,v9.16b,v10.16b\n\tadd\tw7,w7,w12\n\teor\tv27.16b,v13.16b,v14.16b\n\tadd\tw8,w8,w9\n\teor\tv28.16b,v17.16b,v18.16b\n\teor\tw21,w21,w5\n\teor\tv29.16b,v21.16b,v22.16b\n\teor\tw17,w17,w6\n\tushr\tv1.4s,v24.4s,#25\n\teor\tw19,w19,w7\n\tushr\tv5.4s,v25.4s,#25\n\teor\tw20,w20,w8\n\tushr\tv9.4s,v26.4s,#25\n\tror\tw21,w21,#24\n\tushr\tv13.4s,v27.4s,#25\n\tror\tw17,w17,#24\n\tushr\tv17.4s,v28.4s,#25\n\tror\tw19,w19,#24\n\tushr\tv21.4s,v29.4s,#25\n\tror\tw20,w20,#24\n\tsli\tv1.4s,v24.4s,#7\n\tadd\tw15,w15,w21\n\tsli\tv5.4s,v25.4s,#7\n\tadd\tw16,w16,w17\n\tsli\tv9.4s,v26.4s,#7\n\tadd\tw13,w13,w19\n\tsli\tv13.4s,v27.4s,#7\n\tadd\tw14,w14,w20\n\tsli\tv17.4s,v28.4s,#7\n\teor\tw10,w10,w15\n\tsli\tv21.4s,v29.4s,#7\n\teor\tw11,w11,w16\n\text\tv2.16b,v2.16b,v2.16b,#8\n\teor\tw12,w12,w13\n\text\tv6.16b,v6.16b,v6.16b,#8\n\teor\tw9,w9,w14\n\text\tv10.16b,v10.16b,v10.16b,#8\n\tror\tw10,w10,#25\n\text\tv14.16b,v14.16b,v14.16b,#8\n\tror\tw11,w11,#25\n\text\tv18.16b,v18.16b,v18.16b,#8\n\tror\tw12,w12,#25\n\text\tv22.16b,v22.16b,v22.16b,#8\n\tror\tw9,w9,#25\n\text\tv3.16b,v3.16b,v3.16b,#12\n\text\tv7.16b,v7.16b,v7.16b,#12\n\text\tv11.16b,v11.16b,v11.16b,#12\n\text\tv15.16b,v15.16b,v15.16b,#12\n\text\tv19.16b,v19.16b,v19.16b,#12\n\text\tv23.16b,v23.16b,v23.16b,#12\n\text\tv1.16b,v1.16b,v1.16b,#4\n\text\tv5.16b,v5.16b,v5.16b,#4\n\text\tv9.16b,v9.16b,v9.16b,#4\n\text\tv13.16b,v13.16b,v13.16b,#4\n\text\tv17.16b,v17.16b,v17.16b,#4\n\text\tv21.16b,v21.16b,v21.16b,#4\n\tadd\tv0.4s,v0.4s,v1.4s\n\tadd\tw5,w5,w9\n\tadd\tv4.4s,v4.4s,v5.4s\n\tadd\tw6,w6,w10\n\tadd\tv8.4s,v8.4s,v9.4s\n\tadd\tw7,w7,w11\n\tadd\tv12.4s,v12.4s,v13.4s\n\tadd\tw8,w8,w12\n\tadd\tv16.4s,v16.4s,v17.4s\n\teor\tw17,w17,w5\n\tadd\tv20.4s,v20.4s,v21.4s\n\teor\tw19,w19,w6\n\teor\tv3.16b,v3.16b,v0.16b\n\teor\tw20,w20,w7\n\teor\tv7.16b,v7.16b,v4.16b\n\teor\tw21,w21,w8\n\teor\tv11.16b,v11.16b,v8.16b\n\tror\tw17,w17,#16\n\teor\tv15.16b,v15.16b,v12.16b\n\tror\tw19,w19,#16\n\teor\tv19.16b,v19.16b,v16.16b\n\tror\tw20,w20,#16\n\teor\tv23.16b,v23.16b,v20.16b\n\tror\tw21,w21,#16\n\trev32\tv3.8h,v3.8h\n\tadd\tw13,w13,w17\n\trev32\tv7.8h,v7.8h\n\tadd\tw14,w14,w19\n\trev32\tv11.8h,v11.8h\n\tadd\tw15,w15,w20\n\trev32\tv15.8h,v15.8h\n\tadd\tw16,w16,w21\n\trev32\tv19.8h,v19.8h\n\teor\tw9,w9,w13\n\trev32\tv23.8h,v23.8h\n\teor\tw10,w10,w14\n\tadd\tv2.4s,v2.4s,v3.4s\n\teor\tw11,w11,w15\n\tadd\tv6.4s,v6.4s,v7.4s\n\teor\tw12,w12,w16\n\tadd\tv10.4s,v10.4s,v11.4s\n\tror\tw9,w9,#20\n\tadd\tv14.4s,v14.4s,v15.4s\n\tror\tw10,w10,#20\n\tadd\tv18.4s,v18.4s,v19.4s\n\tror\tw11,w11,#20\n\tadd\tv22.4s,v22.4s,v23.4s\n\tror\tw12,w12,#20\n\teor\tv24.16b,v1.16b,v2.16b\n\tadd\tw5,w5,w9\n\teor\tv25.16b,v5.16b,v6.16b\n\tadd\tw6,w6,w10\n\teor\tv26.16b,v9.16b,v10.16b\n\tadd\tw7,w7,w11\n\teor\tv27.16b,v13.16b,v14.16b\n\tadd\tw8,w8,w12\n\teor\tv28.16b,v17.16b,v18.16b\n\teor\tw17,w17,w5\n\teor\tv29.16b,v21.16b,v22.16b\n\teor\tw19,w19,w6\n\tushr\tv1.4s,v24.4s,#20\n\teor\tw20,w20,w7\n\tushr\tv5.4s,v25.4s,#20\n\teor\tw21,w21,w8\n\tushr\tv9.4s,v26.4s,#20\n\tror\tw17,w17,#24\n\tushr\tv13.4s,v27.4s,#20\n\tror\tw19,w19,#24\n\tushr\tv17.4s,v28.4s,#20\n\tror\tw20,w20,#24\n\tushr\tv21.4s,v29.4s,#20\n\tror\tw21,w21,#24\n\tsli\tv1.4s,v24.4s,#12\n\tadd\tw13,w13,w17\n\tsli\tv5.4s,v25.4s,#12\n\tadd\tw14,w14,w19\n\tsli\tv9.4s,v26.4s,#12\n\tadd\tw15,w15,w20\n\tsli\tv13.4s,v27.4s,#12\n\tadd\tw16,w16,w21\n\tsli\tv17.4s,v28.4s,#12\n\teor\tw9,w9,w13\n\tsli\tv21.4s,v29.4s,#12\n\teor\tw10,w10,w14\n\tadd\tv0.4s,v0.4s,v1.4s\n\teor\tw11,w11,w15\n\tadd\tv4.4s,v4.4s,v5.4s\n\teor\tw12,w12,w16\n\tadd\tv8.4s,v8.4s,v9.4s\n\tror\tw9,w9,#25\n\tadd\tv12.4s,v12.4s,v13.4s\n\tror\tw10,w10,#25\n\tadd\tv16.4s,v16.4s,v17.4s\n\tror\tw11,w11,#25\n\tadd\tv20.4s,v20.4s,v21.4s\n\tror\tw12,w12,#25\n\teor\tv24.16b,v3.16b,v0.16b\n\tadd\tw5,w5,w10\n\teor\tv25.16b,v7.16b,v4.16b\n\tadd\tw6,w6,w11\n\teor\tv26.16b,v11.16b,v8.16b\n\tadd\tw7,w7,w12\n\teor\tv27.16b,v15.16b,v12.16b\n\tadd\tw8,w8,w9\n\teor\tv28.16b,v19.16b,v16.16b\n\teor\tw21,w21,w5\n\teor\tv29.16b,v23.16b,v20.16b\n\teor\tw17,w17,w6\n\tushr\tv3.4s,v24.4s,#24\n\teor\tw19,w19,w7\n\tushr\tv7.4s,v25.4s,#24\n\teor\tw20,w20,w8\n\tushr\tv11.4s,v26.4s,#24\n\tror\tw21,w21,#16\n\tushr\tv15.4s,v27.4s,#24\n\tror\tw17,w17,#16\n\tushr\tv19.4s,v28.4s,#24\n\tror\tw19,w19,#16\n\tushr\tv23.4s,v29.4s,#24\n\tror\tw20,w20,#16\n\tsli\tv3.4s,v24.4s,#8\n\tadd\tw15,w15,w21\n\tsli\tv7.4s,v25.4s,#8\n\tadd\tw16,w16,w17\n\tsli\tv11.4s,v26.4s,#8\n\tadd\tw13,w13,w19\n\tsli\tv15.4s,v27.4s,#8\n\tadd\tw14,w14,w20\n\tsli\tv19.4s,v28.4s,#8\n\teor\tw10,w10,w15\n\tsli\tv23.4s,v29.4s,#8\n\teor\tw11,w11,w16\n\tadd\tv2.4s,v2.4s,v3.4s\n\teor\tw12,w12,w13\n\tadd\tv6.4s,v6.4s,v7.4s\n\teor\tw9,w9,w14\n\tadd\tv10.4s,v10.4s,v11.4s\n\tror\tw10,w10,#20\n\tadd\tv14.4s,v14.4s,v15.4s\n\tror\tw11,w11,#20\n\tadd\tv18.4s,v18.4s,v19.4s\n\tror\tw12,w12,#20\n\tadd\tv22.4s,v22.4s,v23.4s\n\tror\tw9,w9,#20\n\teor\tv24.16b,v1.16b,v2.16b\n\tadd\tw5,w5,w10\n\teor\tv25.16b,v5.16b,v6.16b\n\tadd\tw6,w6,w11\n\teor\tv26.16b,v9.16b,v10.16b\n\tadd\tw7,w7,w12\n\teor\tv27.16b,v13.16b,v14.16b\n\tadd\tw8,w8,w9\n\teor\tv28.16b,v17.16b,v18.16b\n\teor\tw21,w21,w5\n\teor\tv29.16b,v21.16b,v22.16b\n\teor\tw17,w17,w6\n\tushr\tv1.4s,v24.4s,#25\n\teor\tw19,w19,w7\n\tushr\tv5.4s,v25.4s,#25\n\teor\tw20,w20,w8\n\tushr\tv9.4s,v26.4s,#25\n\tror\tw21,w21,#24\n\tushr\tv13.4s,v27.4s,#25\n\tror\tw17,w17,#24\n\tushr\tv17.4s,v28.4s,#25\n\tror\tw19,w19,#24\n\tushr\tv21.4s,v29.4s,#25\n\tror\tw20,w20,#24\n\tsli\tv1.4s,v24.4s,#7\n\tadd\tw15,w15,w21\n\tsli\tv5.4s,v25.4s,#7\n\tadd\tw16,w16,w17\n\tsli\tv9.4s,v26.4s,#7\n\tadd\tw13,w13,w19\n\tsli\tv13.4s,v27.4s,#7\n\tadd\tw14,w14,w20\n\tsli\tv17.4s,v28.4s,#7\n\teor\tw10,w10,w15\n\tsli\tv21.4s,v29.4s,#7\n\teor\tw11,w11,w16\n\text\tv2.16b,v2.16b,v2.16b,#8\n\teor\tw12,w12,w13\n\text\tv6.16b,v6.16b,v6.16b,#8\n\teor\tw9,w9,w14\n\text\tv10.16b,v10.16b,v10.16b,#8\n\tror\tw10,w10,#25\n\text\tv14.16b,v14.16b,v14.16b,#8\n\tror\tw11,w11,#25\n\text\tv18.16b,v18.16b,v18.16b,#8\n\tror\tw12,w12,#25\n\text\tv22.16b,v22.16b,v22.16b,#8\n\tror\tw9,w9,#25\n\text\tv3.16b,v3.16b,v3.16b,#4\n\text\tv7.16b,v7.16b,v7.16b,#4\n\text\tv11.16b,v11.16b,v11.16b,#4\n\text\tv15.16b,v15.16b,v15.16b,#4\n\text\tv19.16b,v19.16b,v19.16b,#4\n\text\tv23.16b,v23.16b,v23.16b,#4\n\text\tv1.16b,v1.16b,v1.16b,#12\n\text\tv5.16b,v5.16b,v5.16b,#12\n\text\tv9.16b,v9.16b,v9.16b,#12\n\text\tv13.16b,v13.16b,v13.16b,#12\n\text\tv17.16b,v17.16b,v17.16b,#12\n\text\tv21.16b,v21.16b,v21.16b,#12\n\tcbnz\tx4,.Loop_upper_neon\n\n\tadd\tw5,w5,w22\t\t// accumulate key block\n\tadd\tx6,x6,x22,lsr#32\n\tadd\tw7,w7,w23\n\tadd\tx8,x8,x23,lsr#32\n\tadd\tw9,w9,w24\n\tadd\tx10,x10,x24,lsr#32\n\tadd\tw11,w11,w25\n\tadd\tx12,x12,x25,lsr#32\n\tadd\tw13,w13,w26\n\tadd\tx14,x14,x26,lsr#32\n\tadd\tw15,w15,w27\n\tadd\tx16,x16,x27,lsr#32\n\tadd\tw17,w17,w28\n\tadd\tx19,x19,x28,lsr#32\n\tadd\tw20,w20,w30\n\tadd\tx21,x21,x30,lsr#32\n\n\tadd\tx5,x5,x6,lsl#32\t// pack\n\tadd\tx7,x7,x8,lsl#32\n\tldp\tx6,x8,[x1,#0]\t\t// load input\n\tadd\tx9,x9,x10,lsl#32\n\tadd\tx11,x11,x12,lsl#32\n\tldp\tx10,x12,[x1,#16]\n\tadd\tx13,x13,x14,lsl#32\n\tadd\tx15,x15,x16,lsl#32\n\tldp\tx14,x16,[x1,#32]\n\tadd\tx17,x17,x19,lsl#32\n\tadd\tx20,x20,x21,lsl#32\n\tldp\tx19,x21,[x1,#48]\n\tadd\tx1,x1,#64\n#ifdef\t__AARCH64EB__\n\trev\tx5,x5\n\trev\tx7,x7\n\trev\tx9,x9\n\trev\tx11,x11\n\trev\tx13,x13\n\trev\tx15,x15\n\trev\tx17,x17\n\trev\tx20,x20\n#endif\n\teor\tx5,x5,x6\n\teor\tx7,x7,x8\n\teor\tx9,x9,x10\n\teor\tx11,x11,x12\n\teor\tx13,x13,x14\n\teor\tx15,x15,x16\n\teor\tx17,x17,x19\n\teor\tx20,x20,x21\n\n\tstp\tx5,x7,[x0,#0]\t\t// store output\n\tadd\tx28,x28,#1\t\t\t// increment counter\n\tmov\tw5,w22\t\t\t// unpack key block\n\tlsr\tx6,x22,#32\n\tstp\tx9,x11,[x0,#16]\n\tmov\tw7,w23\n\tlsr\tx8,x23,#32\n\tstp\tx13,x15,[x0,#32]\n\tmov\tw9,w24\n\tlsr\tx10,x24,#32\n\tstp\tx17,x20,[x0,#48]\n\tadd\tx0,x0,#64\n\tmov\tw11,w25\n\tlsr\tx12,x25,#32\n\tmov\tw13,w26\n\tlsr\tx14,x26,#32\n\tmov\tw15,w27\n\tlsr\tx16,x27,#32\n\tmov\tw17,w28\n\tlsr\tx19,x28,#32\n\tmov\tw20,w30\n\tlsr\tx21,x30,#32\n\n\tmov\tx4,#5\n.Loop_lower_neon:\n\tsub\tx4,x4,#1\n\tadd\tv0.4s,v0.4s,v1.4s\n\tadd\tw5,w5,w9\n\tadd\tv4.4s,v4.4s,v5.4s\n\tadd\tw6,w6,w10\n\tadd\tv8.4s,v8.4s,v9.4s\n\tadd\tw7,w7,w11\n\tadd\tv12.4s,v12.4s,v13.4s\n\tadd\tw8,w8,w12\n\tadd\tv16.4s,v16.4s,v17.4s\n\teor\tw17,w17,w5\n\tadd\tv20.4s,v20.4s,v21.4s\n\teor\tw19,w19,w6\n\teor\tv3.16b,v3.16b,v0.16b\n\teor\tw20,w20,w7\n\teor\tv7.16b,v7.16b,v4.16b\n\teor\tw21,w21,w8\n\teor\tv11.16b,v11.16b,v8.16b\n\tror\tw17,w17,#16\n\teor\tv15.16b,v15.16b,v12.16b\n\tror\tw19,w19,#16\n\teor\tv19.16b,v19.16b,v16.16b\n\tror\tw20,w20,#16\n\teor\tv23.16b,v23.16b,v20.16b\n\tror\tw21,w21,#16\n\trev32\tv3.8h,v3.8h\n\tadd\tw13,w13,w17\n\trev32\tv7.8h,v7.8h\n\tadd\tw14,w14,w19\n\trev32\tv11.8h,v11.8h\n\tadd\tw15,w15,w20\n\trev32\tv15.8h,v15.8h\n\tadd\tw16,w16,w21\n\trev32\tv19.8h,v19.8h\n\teor\tw9,w9,w13\n\trev32\tv23.8h,v23.8h\n\teor\tw10,w10,w14\n\tadd\tv2.4s,v2.4s,v3.4s\n\teor\tw11,w11,w15\n\tadd\tv6.4s,v6.4s,v7.4s\n\teor\tw12,w12,w16\n\tadd\tv10.4s,v10.4s,v11.4s\n\tror\tw9,w9,#20\n\tadd\tv14.4s,v14.4s,v15.4s\n\tror\tw10,w10,#20\n\tadd\tv18.4s,v18.4s,v19.4s\n\tror\tw11,w11,#20\n\tadd\tv22.4s,v22.4s,v23.4s\n\tror\tw12,w12,#20\n\teor\tv24.16b,v1.16b,v2.16b\n\tadd\tw5,w5,w9\n\teor\tv25.16b,v5.16b,v6.16b\n\tadd\tw6,w6,w10\n\teor\tv26.16b,v9.16b,v10.16b\n\tadd\tw7,w7,w11\n\teor\tv27.16b,v13.16b,v14.16b\n\tadd\tw8,w8,w12\n\teor\tv28.16b,v17.16b,v18.16b\n\teor\tw17,w17,w5\n\teor\tv29.16b,v21.16b,v22.16b\n\teor\tw19,w19,w6\n\tushr\tv1.4s,v24.4s,#20\n\teor\tw20,w20,w7\n\tushr\tv5.4s,v25.4s,#20\n\teor\tw21,w21,w8\n\tushr\tv9.4s,v26.4s,#20\n\tror\tw17,w17,#24\n\tushr\tv13.4s,v27.4s,#20\n\tror\tw19,w19,#24\n\tushr\tv17.4s,v28.4s,#20\n\tror\tw20,w20,#24\n\tushr\tv21.4s,v29.4s,#20\n\tror\tw21,w21,#24\n\tsli\tv1.4s,v24.4s,#12\n\tadd\tw13,w13,w17\n\tsli\tv5.4s,v25.4s,#12\n\tadd\tw14,w14,w19\n\tsli\tv9.4s,v26.4s,#12\n\tadd\tw15,w15,w20\n\tsli\tv13.4s,v27.4s,#12\n\tadd\tw16,w16,w21\n\tsli\tv17.4s,v28.4s,#12\n\teor\tw9,w9,w13\n\tsli\tv21.4s,v29.4s,#12\n\teor\tw10,w10,w14\n\tadd\tv0.4s,v0.4s,v1.4s\n\teor\tw11,w11,w15\n\tadd\tv4.4s,v4.4s,v5.4s\n\teor\tw12,w12,w16\n\tadd\tv8.4s,v8.4s,v9.4s\n\tror\tw9,w9,#25\n\tadd\tv12.4s,v12.4s,v13.4s\n\tror\tw10,w10,#25\n\tadd\tv16.4s,v16.4s,v17.4s\n\tror\tw11,w11,#25\n\tadd\tv20.4s,v20.4s,v21.4s\n\tror\tw12,w12,#25\n\teor\tv24.16b,v3.16b,v0.16b\n\tadd\tw5,w5,w10\n\teor\tv25.16b,v7.16b,v4.16b\n\tadd\tw6,w6,w11\n\teor\tv26.16b,v11.16b,v8.16b\n\tadd\tw7,w7,w12\n\teor\tv27.16b,v15.16b,v12.16b\n\tadd\tw8,w8,w9\n\teor\tv28.16b,v19.16b,v16.16b\n\teor\tw21,w21,w5\n\teor\tv29.16b,v23.16b,v20.16b\n\teor\tw17,w17,w6\n\tushr\tv3.4s,v24.4s,#24\n\teor\tw19,w19,w7\n\tushr\tv7.4s,v25.4s,#24\n\teor\tw20,w20,w8\n\tushr\tv11.4s,v26.4s,#24\n\tror\tw21,w21,#16\n\tushr\tv15.4s,v27.4s,#24\n\tror\tw17,w17,#16\n\tushr\tv19.4s,v28.4s,#24\n\tror\tw19,w19,#16\n\tushr\tv23.4s,v29.4s,#24\n\tror\tw20,w20,#16\n\tsli\tv3.4s,v24.4s,#8\n\tadd\tw15,w15,w21\n\tsli\tv7.4s,v25.4s,#8\n\tadd\tw16,w16,w17\n\tsli\tv11.4s,v26.4s,#8\n\tadd\tw13,w13,w19\n\tsli\tv15.4s,v27.4s,#8\n\tadd\tw14,w14,w20\n\tsli\tv19.4s,v28.4s,#8\n\teor\tw10,w10,w15\n\tsli\tv23.4s,v29.4s,#8\n\teor\tw11,w11,w16\n\tadd\tv2.4s,v2.4s,v3.4s\n\teor\tw12,w12,w13\n\tadd\tv6.4s,v6.4s,v7.4s\n\teor\tw9,w9,w14\n\tadd\tv10.4s,v10.4s,v11.4s\n\tror\tw10,w10,#20\n\tadd\tv14.4s,v14.4s,v15.4s\n\tror\tw11,w11,#20\n\tadd\tv18.4s,v18.4s,v19.4s\n\tror\tw12,w12,#20\n\tadd\tv22.4s,v22.4s,v23.4s\n\tror\tw9,w9,#20\n\teor\tv24.16b,v1.16b,v2.16b\n\tadd\tw5,w5,w10\n\teor\tv25.16b,v5.16b,v6.16b\n\tadd\tw6,w6,w11\n\teor\tv26.16b,v9.16b,v10.16b\n\tadd\tw7,w7,w12\n\teor\tv27.16b,v13.16b,v14.16b\n\tadd\tw8,w8,w9\n\teor\tv28.16b,v17.16b,v18.16b\n\teor\tw21,w21,w5\n\teor\tv29.16b,v21.16b,v22.16b\n\teor\tw17,w17,w6\n\tushr\tv1.4s,v24.4s,#25\n\teor\tw19,w19,w7\n\tushr\tv5.4s,v25.4s,#25\n\teor\tw20,w20,w8\n\tushr\tv9.4s,v26.4s,#25\n\tror\tw21,w21,#24\n\tushr\tv13.4s,v27.4s,#25\n\tror\tw17,w17,#24\n\tushr\tv17.4s,v28.4s,#25\n\tror\tw19,w19,#24\n\tushr\tv21.4s,v29.4s,#25\n\tror\tw20,w20,#24\n\tsli\tv1.4s,v24.4s,#7\n\tadd\tw15,w15,w21\n\tsli\tv5.4s,v25.4s,#7\n\tadd\tw16,w16,w17\n\tsli\tv9.4s,v26.4s,#7\n\tadd\tw13,w13,w19\n\tsli\tv13.4s,v27.4s,#7\n\tadd\tw14,w14,w20\n\tsli\tv17.4s,v28.4s,#7\n\teor\tw10,w10,w15\n\tsli\tv21.4s,v29.4s,#7\n\teor\tw11,w11,w16\n\text\tv2.16b,v2.16b,v2.16b,#8\n\teor\tw12,w12,w13\n\text\tv6.16b,v6.16b,v6.16b,#8\n\teor\tw9,w9,w14\n\text\tv10.16b,v10.16b,v10.16b,#8\n\tror\tw10,w10,#25\n\text\tv14.16b,v14.16b,v14.16b,#8\n\tror\tw11,w11,#25\n\text\tv18.16b,v18.16b,v18.16b,#8\n\tror\tw12,w12,#25\n\text\tv22.16b,v22.16b,v22.16b,#8\n\tror\tw9,w9,#25\n\text\tv3.16b,v3.16b,v3.16b,#12\n\text\tv7.16b,v7.16b,v7.16b,#12\n\text\tv11.16b,v11.16b,v11.16b,#12\n\text\tv15.16b,v15.16b,v15.16b,#12\n\text\tv19.16b,v19.16b,v19.16b,#12\n\text\tv23.16b,v23.16b,v23.16b,#12\n\text\tv1.16b,v1.16b,v1.16b,#4\n\text\tv5.16b,v5.16b,v5.16b,#4\n\text\tv9.16b,v9.16b,v9.16b,#4\n\text\tv13.16b,v13.16b,v13.16b,#4\n\text\tv17.16b,v17.16b,v17.16b,#4\n\text\tv21.16b,v21.16b,v21.16b,#4\n\tadd\tv0.4s,v0.4s,v1.4s\n\tadd\tw5,w5,w9\n\tadd\tv4.4s,v4.4s,v5.4s\n\tadd\tw6,w6,w10\n\tadd\tv8.4s,v8.4s,v9.4s\n\tadd\tw7,w7,w11\n\tadd\tv12.4s,v12.4s,v13.4s\n\tadd\tw8,w8,w12\n\tadd\tv16.4s,v16.4s,v17.4s\n\teor\tw17,w17,w5\n\tadd\tv20.4s,v20.4s,v21.4s\n\teor\tw19,w19,w6\n\teor\tv3.16b,v3.16b,v0.16b\n\teor\tw20,w20,w7\n\teor\tv7.16b,v7.16b,v4.16b\n\teor\tw21,w21,w8\n\teor\tv11.16b,v11.16b,v8.16b\n\tror\tw17,w17,#16\n\teor\tv15.16b,v15.16b,v12.16b\n\tror\tw19,w19,#16\n\teor\tv19.16b,v19.16b,v16.16b\n\tror\tw20,w20,#16\n\teor\tv23.16b,v23.16b,v20.16b\n\tror\tw21,w21,#16\n\trev32\tv3.8h,v3.8h\n\tadd\tw13,w13,w17\n\trev32\tv7.8h,v7.8h\n\tadd\tw14,w14,w19\n\trev32\tv11.8h,v11.8h\n\tadd\tw15,w15,w20\n\trev32\tv15.8h,v15.8h\n\tadd\tw16,w16,w21\n\trev32\tv19.8h,v19.8h\n\teor\tw9,w9,w13\n\trev32\tv23.8h,v23.8h\n\teor\tw10,w10,w14\n\tadd\tv2.4s,v2.4s,v3.4s\n\teor\tw11,w11,w15\n\tadd\tv6.4s,v6.4s,v7.4s\n\teor\tw12,w12,w16\n\tadd\tv10.4s,v10.4s,v11.4s\n\tror\tw9,w9,#20\n\tadd\tv14.4s,v14.4s,v15.4s\n\tror\tw10,w10,#20\n\tadd\tv18.4s,v18.4s,v19.4s\n\tror\tw11,w11,#20\n\tadd\tv22.4s,v22.4s,v23.4s\n\tror\tw12,w12,#20\n\teor\tv24.16b,v1.16b,v2.16b\n\tadd\tw5,w5,w9\n\teor\tv25.16b,v5.16b,v6.16b\n\tadd\tw6,w6,w10\n\teor\tv26.16b,v9.16b,v10.16b\n\tadd\tw7,w7,w11\n\teor\tv27.16b,v13.16b,v14.16b\n\tadd\tw8,w8,w12\n\teor\tv28.16b,v17.16b,v18.16b\n\teor\tw17,w17,w5\n\teor\tv29.16b,v21.16b,v22.16b\n\teor\tw19,w19,w6\n\tushr\tv1.4s,v24.4s,#20\n\teor\tw20,w20,w7\n\tushr\tv5.4s,v25.4s,#20\n\teor\tw21,w21,w8\n\tushr\tv9.4s,v26.4s,#20\n\tror\tw17,w17,#24\n\tushr\tv13.4s,v27.4s,#20\n\tror\tw19,w19,#24\n\tushr\tv17.4s,v28.4s,#20\n\tror\tw20,w20,#24\n\tushr\tv21.4s,v29.4s,#20\n\tror\tw21,w21,#24\n\tsli\tv1.4s,v24.4s,#12\n\tadd\tw13,w13,w17\n\tsli\tv5.4s,v25.4s,#12\n\tadd\tw14,w14,w19\n\tsli\tv9.4s,v26.4s,#12\n\tadd\tw15,w15,w20\n\tsli\tv13.4s,v27.4s,#12\n\tadd\tw16,w16,w21\n\tsli\tv17.4s,v28.4s,#12\n\teor\tw9,w9,w13\n\tsli\tv21.4s,v29.4s,#12\n\teor\tw10,w10,w14\n\tadd\tv0.4s,v0.4s,v1.4s\n\teor\tw11,w11,w15\n\tadd\tv4.4s,v4.4s,v5.4s\n\teor\tw12,w12,w16\n\tadd\tv8.4s,v8.4s,v9.4s\n\tror\tw9,w9,#25\n\tadd\tv12.4s,v12.4s,v13.4s\n\tror\tw10,w10,#25\n\tadd\tv16.4s,v16.4s,v17.4s\n\tror\tw11,w11,#25\n\tadd\tv20.4s,v20.4s,v21.4s\n\tror\tw12,w12,#25\n\teor\tv24.16b,v3.16b,v0.16b\n\tadd\tw5,w5,w10\n\teor\tv25.16b,v7.16b,v4.16b\n\tadd\tw6,w6,w11\n\teor\tv26.16b,v11.16b,v8.16b\n\tadd\tw7,w7,w12\n\teor\tv27.16b,v15.16b,v12.16b\n\tadd\tw8,w8,w9\n\teor\tv28.16b,v19.16b,v16.16b\n\teor\tw21,w21,w5\n\teor\tv29.16b,v23.16b,v20.16b\n\teor\tw17,w17,w6\n\tushr\tv3.4s,v24.4s,#24\n\teor\tw19,w19,w7\n\tushr\tv7.4s,v25.4s,#24\n\teor\tw20,w20,w8\n\tushr\tv11.4s,v26.4s,#24\n\tror\tw21,w21,#16\n\tushr\tv15.4s,v27.4s,#24\n\tror\tw17,w17,#16\n\tushr\tv19.4s,v28.4s,#24\n\tror\tw19,w19,#16\n\tushr\tv23.4s,v29.4s,#24\n\tror\tw20,w20,#16\n\tsli\tv3.4s,v24.4s,#8\n\tadd\tw15,w15,w21\n\tsli\tv7.4s,v25.4s,#8\n\tadd\tw16,w16,w17\n\tsli\tv11.4s,v26.4s,#8\n\tadd\tw13,w13,w19\n\tsli\tv15.4s,v27.4s,#8\n\tadd\tw14,w14,w20\n\tsli\tv19.4s,v28.4s,#8\n\teor\tw10,w10,w15\n\tsli\tv23.4s,v29.4s,#8\n\teor\tw11,w11,w16\n\tadd\tv2.4s,v2.4s,v3.4s\n\teor\tw12,w12,w13\n\tadd\tv6.4s,v6.4s,v7.4s\n\teor\tw9,w9,w14\n\tadd\tv10.4s,v10.4s,v11.4s\n\tror\tw10,w10,#20\n\tadd\tv14.4s,v14.4s,v15.4s\n\tror\tw11,w11,#20\n\tadd\tv18.4s,v18.4s,v19.4s\n\tror\tw12,w12,#20\n\tadd\tv22.4s,v22.4s,v23.4s\n\tror\tw9,w9,#20\n\teor\tv24.16b,v1.16b,v2.16b\n\tadd\tw5,w5,w10\n\teor\tv25.16b,v5.16b,v6.16b\n\tadd\tw6,w6,w11\n\teor\tv26.16b,v9.16b,v10.16b\n\tadd\tw7,w7,w12\n\teor\tv27.16b,v13.16b,v14.16b\n\tadd\tw8,w8,w9\n\teor\tv28.16b,v17.16b,v18.16b\n\teor\tw21,w21,w5\n\teor\tv29.16b,v21.16b,v22.16b\n\teor\tw17,w17,w6\n\tushr\tv1.4s,v24.4s,#25\n\teor\tw19,w19,w7\n\tushr\tv5.4s,v25.4s,#25\n\teor\tw20,w20,w8\n\tushr\tv9.4s,v26.4s,#25\n\tror\tw21,w21,#24\n\tushr\tv13.4s,v27.4s,#25\n\tror\tw17,w17,#24\n\tushr\tv17.4s,v28.4s,#25\n\tror\tw19,w19,#24\n\tushr\tv21.4s,v29.4s,#25\n\tror\tw20,w20,#24\n\tsli\tv1.4s,v24.4s,#7\n\tadd\tw15,w15,w21\n\tsli\tv5.4s,v25.4s,#7\n\tadd\tw16,w16,w17\n\tsli\tv9.4s,v26.4s,#7\n\tadd\tw13,w13,w19\n\tsli\tv13.4s,v27.4s,#7\n\tadd\tw14,w14,w20\n\tsli\tv17.4s,v28.4s,#7\n\teor\tw10,w10,w15\n\tsli\tv21.4s,v29.4s,#7\n\teor\tw11,w11,w16\n\text\tv2.16b,v2.16b,v2.16b,#8\n\teor\tw12,w12,w13\n\text\tv6.16b,v6.16b,v6.16b,#8\n\teor\tw9,w9,w14\n\text\tv10.16b,v10.16b,v10.16b,#8\n\tror\tw10,w10,#25\n\text\tv14.16b,v14.16b,v14.16b,#8\n\tror\tw11,w11,#25\n\text\tv18.16b,v18.16b,v18.16b,#8\n\tror\tw12,w12,#25\n\text\tv22.16b,v22.16b,v22.16b,#8\n\tror\tw9,w9,#25\n\text\tv3.16b,v3.16b,v3.16b,#4\n\text\tv7.16b,v7.16b,v7.16b,#4\n\text\tv11.16b,v11.16b,v11.16b,#4\n\text\tv15.16b,v15.16b,v15.16b,#4\n\text\tv19.16b,v19.16b,v19.16b,#4\n\text\tv23.16b,v23.16b,v23.16b,#4\n\text\tv1.16b,v1.16b,v1.16b,#12\n\text\tv5.16b,v5.16b,v5.16b,#12\n\text\tv9.16b,v9.16b,v9.16b,#12\n\text\tv13.16b,v13.16b,v13.16b,#12\n\text\tv17.16b,v17.16b,v17.16b,#12\n\text\tv21.16b,v21.16b,v21.16b,#12\n\tcbnz\tx4,.Loop_lower_neon\n\n\tadd\tw5,w5,w22\t\t// accumulate key block\n\tldp\tq24,q25,[sp,#0]\n\tadd\tx6,x6,x22,lsr#32\n\tldp\tq26,q27,[sp,#32]\n\tadd\tw7,w7,w23\n\tldp\tq28,q29,[sp,#64]\n\tadd\tx8,x8,x23,lsr#32\n\tadd\tv0.4s,v0.4s,v24.4s\n\tadd\tw9,w9,w24\n\tadd\tv4.4s,v4.4s,v24.4s\n\tadd\tx10,x10,x24,lsr#32\n\tadd\tv8.4s,v8.4s,v24.4s\n\tadd\tw11,w11,w25\n\tadd\tv12.4s,v12.4s,v24.4s\n\tadd\tx12,x12,x25,lsr#32\n\tadd\tv16.4s,v16.4s,v24.4s\n\tadd\tw13,w13,w26\n\tadd\tv20.4s,v20.4s,v24.4s\n\tadd\tx14,x14,x26,lsr#32\n\tadd\tv2.4s,v2.4s,v26.4s\n\tadd\tw15,w15,w27\n\tadd\tv6.4s,v6.4s,v26.4s\n\tadd\tx16,x16,x27,lsr#32\n\tadd\tv10.4s,v10.4s,v26.4s\n\tadd\tw17,w17,w28\n\tadd\tv14.4s,v14.4s,v26.4s\n\tadd\tx19,x19,x28,lsr#32\n\tadd\tv18.4s,v18.4s,v26.4s\n\tadd\tw20,w20,w30\n\tadd\tv22.4s,v22.4s,v26.4s\n\tadd\tx21,x21,x30,lsr#32\n\tadd\tv19.4s,v19.4s,v31.4s\t\t\t// +4\n\tadd\tx5,x5,x6,lsl#32\t// pack\n\tadd\tv23.4s,v23.4s,v31.4s\t\t\t// +4\n\tadd\tx7,x7,x8,lsl#32\n\tadd\tv3.4s,v3.4s,v27.4s\n\tldp\tx6,x8,[x1,#0]\t\t// load input\n\tadd\tv7.4s,v7.4s,v28.4s\n\tadd\tx9,x9,x10,lsl#32\n\tadd\tv11.4s,v11.4s,v29.4s\n\tadd\tx11,x11,x12,lsl#32\n\tadd\tv15.4s,v15.4s,v30.4s\n\tldp\tx10,x12,[x1,#16]\n\tadd\tv19.4s,v19.4s,v27.4s\n\tadd\tx13,x13,x14,lsl#32\n\tadd\tv23.4s,v23.4s,v28.4s\n\tadd\tx15,x15,x16,lsl#32\n\tadd\tv1.4s,v1.4s,v25.4s\n\tldp\tx14,x16,[x1,#32]\n\tadd\tv5.4s,v5.4s,v25.4s\n\tadd\tx17,x17,x19,lsl#32\n\tadd\tv9.4s,v9.4s,v25.4s\n\tadd\tx20,x20,x21,lsl#32\n\tadd\tv13.4s,v13.4s,v25.4s\n\tldp\tx19,x21,[x1,#48]\n\tadd\tv17.4s,v17.4s,v25.4s\n\tadd\tx1,x1,#64\n\tadd\tv21.4s,v21.4s,v25.4s\n\n#ifdef\t__AARCH64EB__\n\trev\tx5,x5\n\trev\tx7,x7\n\trev\tx9,x9\n\trev\tx11,x11\n\trev\tx13,x13\n\trev\tx15,x15\n\trev\tx17,x17\n\trev\tx20,x20\n#endif\n\tld1\t{v24.16b,v25.16b,v26.16b,v27.16b},[x1],#64\n\teor\tx5,x5,x6\n\teor\tx7,x7,x8\n\teor\tx9,x9,x10\n\teor\tx11,x11,x12\n\teor\tx13,x13,x14\n\teor\tv0.16b,v0.16b,v24.16b\n\teor\tx15,x15,x16\n\teor\tv1.16b,v1.16b,v25.16b\n\teor\tx17,x17,x19\n\teor\tv2.16b,v2.16b,v26.16b\n\teor\tx20,x20,x21\n\teor\tv3.16b,v3.16b,v27.16b\n\tld1\t{v24.16b,v25.16b,v26.16b,v27.16b},[x1],#64\n\n\tstp\tx5,x7,[x0,#0]\t\t// store output\n\tadd\tx28,x28,#7\t\t\t// increment counter\n\tstp\tx9,x11,[x0,#16]\n\tstp\tx13,x15,[x0,#32]\n\tstp\tx17,x20,[x0,#48]\n\tadd\tx0,x0,#64\n\tst1\t{v0.16b,v1.16b,v2.16b,v3.16b},[x0],#64\n\n\tld1\t{v0.16b,v1.16b,v2.16b,v3.16b},[x1],#64\n\teor\tv4.16b,v4.16b,v24.16b\n\teor\tv5.16b,v5.16b,v25.16b\n\teor\tv6.16b,v6.16b,v26.16b\n\teor\tv7.16b,v7.16b,v27.16b\n\tst1\t{v4.16b,v5.16b,v6.16b,v7.16b},[x0],#64\n\n\tld1\t{v4.16b,v5.16b,v6.16b,v7.16b},[x1],#64\n\teor\tv8.16b,v8.16b,v0.16b\n\tldp\tq24,q25,[sp,#0]\n\teor\tv9.16b,v9.16b,v1.16b\n\tldp\tq26,q27,[sp,#32]\n\teor\tv10.16b,v10.16b,v2.16b\n\teor\tv11.16b,v11.16b,v3.16b\n\tst1\t{v8.16b,v9.16b,v10.16b,v11.16b},[x0],#64\n\n\tld1\t{v8.16b,v9.16b,v10.16b,v11.16b},[x1],#64\n\teor\tv12.16b,v12.16b,v4.16b\n\teor\tv13.16b,v13.16b,v5.16b\n\teor\tv14.16b,v14.16b,v6.16b\n\teor\tv15.16b,v15.16b,v7.16b\n\tst1\t{v12.16b,v13.16b,v14.16b,v15.16b},[x0],#64\n\n\tld1\t{v12.16b,v13.16b,v14.16b,v15.16b},[x1],#64\n\teor\tv16.16b,v16.16b,v8.16b\n\teor\tv17.16b,v17.16b,v9.16b\n\teor\tv18.16b,v18.16b,v10.16b\n\teor\tv19.16b,v19.16b,v11.16b\n\tst1\t{v16.16b,v17.16b,v18.16b,v19.16b},[x0],#64\n\n\tshl\tv0.4s,v31.4s,#1\t\t\t// 4 -> 8\n\teor\tv20.16b,v20.16b,v12.16b\n\teor\tv21.16b,v21.16b,v13.16b\n\teor\tv22.16b,v22.16b,v14.16b\n\teor\tv23.16b,v23.16b,v15.16b\n\tst1\t{v20.16b,v21.16b,v22.16b,v23.16b},[x0],#64\n\n\tadd\tv27.4s,v27.4s,v0.4s\t\t\t// += 8\n\tadd\tv28.4s,v28.4s,v0.4s\n\tadd\tv29.4s,v29.4s,v0.4s\n\tadd\tv30.4s,v30.4s,v0.4s\n\n\tb.hs\t.Loop_outer_512_neon\n\n\tadds\tx2,x2,#512\n\tushr\tv0.4s,v31.4s,#2\t\t\t// 4 -> 1\n\n\tldp\td8,d9,[sp,#128+0]\t\t// meet ABI requirements\n\tldp\td10,d11,[sp,#128+16]\n\tldp\td12,d13,[sp,#128+32]\n\tldp\td14,d15,[sp,#128+48]\n\n\tstp\tq24,q31,[sp,#0]\t\t// wipe off-load area\n\tstp\tq24,q31,[sp,#32]\n\tstp\tq24,q31,[sp,#64]\n\n\tb.eq\t.Ldone_512_neon\n\n\tcmp\tx2,#192\n\tsub\tv27.4s,v27.4s,v0.4s\t\t\t// -= 1\n\tsub\tv28.4s,v28.4s,v0.4s\n\tsub\tv29.4s,v29.4s,v0.4s\n\tadd\tsp,sp,#128\n\tb.hs\t.Loop_outer_neon\n\n\teor\tv25.16b,v25.16b,v25.16b\n\teor\tv26.16b,v26.16b,v26.16b\n\teor\tv27.16b,v27.16b,v27.16b\n\teor\tv28.16b,v28.16b,v28.16b\n\teor\tv29.16b,v29.16b,v29.16b\n\teor\tv30.16b,v30.16b,v30.16b\n\tb\t.Loop_outer\n\n.Ldone_512_neon:\n\tldp\tx19,x20,[x29,#16]\n\tadd\tsp,sp,#128+64\n\tldp\tx21,x22,[x29,#32]\n\tldp\tx23,x24,[x29,#48]\n\tldp\tx25,x26,[x29,#64]\n\tldp\tx27,x28,[x29,#80]\n\tldp\tx29,x30,[sp],#96\n\tAARCH64_VALIDATE_LINK_REGISTER\n\tret\n.size\tChaCha20_512_neon,.-ChaCha20_512_neon\n#endif // !OPENSSL_NO_ASM && defined(OPENSSL_AARCH64) && defined(__ELF__)\n#if defined(__linux__) && defined(__ELF__)\n.section .note.GNU-stack,\"\",%progbits\n#endif\n\n" }, { "path": "Sources/CNIOBoringSSL/gen/crypto/chacha-armv8-win.S", "content": "#define BORINGSSL_PREFIX CNIOBoringSSL\n// This file is generated from a similarly-named Perl script in the BoringSSL\n// source tree. Do not edit by hand.\n\n#include \n\n#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_AARCH64) && defined(_WIN32)\n#include \n\n.section\t.rodata\n\n.align\t5\nLsigma:\n.quad\t0x3320646e61707865,0x6b20657479622d32\t\t// endian-neutral\nLone:\n.long\t1,0,0,0\n.byte\t67,104,97,67,104,97,50,48,32,102,111,114,32,65,82,77,118,56,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0\n.align\t2\n\n.text\n\n.globl\tChaCha20_ctr32_nohw\n\n.def ChaCha20_ctr32_nohw\n .type 32\n.endef\n.align\t5\nChaCha20_ctr32_nohw:\n\tAARCH64_SIGN_LINK_REGISTER\n\tstp\tx29,x30,[sp,#-96]!\n\tadd\tx29,sp,#0\n\n\tadrp\tx5,Lsigma\n\tadd\tx5,x5,:lo12:Lsigma\n\tstp\tx19,x20,[sp,#16]\n\tstp\tx21,x22,[sp,#32]\n\tstp\tx23,x24,[sp,#48]\n\tstp\tx25,x26,[sp,#64]\n\tstp\tx27,x28,[sp,#80]\n\tsub\tsp,sp,#64\n\n\tldp\tx22,x23,[x5]\t\t// load sigma\n\tldp\tx24,x25,[x3]\t\t// load key\n\tldp\tx26,x27,[x3,#16]\n\tldp\tx28,x30,[x4]\t\t// load counter\n#ifdef\t__AARCH64EB__\n\tror\tx24,x24,#32\n\tror\tx25,x25,#32\n\tror\tx26,x26,#32\n\tror\tx27,x27,#32\n\tror\tx28,x28,#32\n\tror\tx30,x30,#32\n#endif\n\nLoop_outer:\n\tmov\tw5,w22\t\t\t// unpack key block\n\tlsr\tx6,x22,#32\n\tmov\tw7,w23\n\tlsr\tx8,x23,#32\n\tmov\tw9,w24\n\tlsr\tx10,x24,#32\n\tmov\tw11,w25\n\tlsr\tx12,x25,#32\n\tmov\tw13,w26\n\tlsr\tx14,x26,#32\n\tmov\tw15,w27\n\tlsr\tx16,x27,#32\n\tmov\tw17,w28\n\tlsr\tx19,x28,#32\n\tmov\tw20,w30\n\tlsr\tx21,x30,#32\n\n\tmov\tx4,#10\n\tsubs\tx2,x2,#64\nLoop:\n\tsub\tx4,x4,#1\n\tadd\tw5,w5,w9\n\tadd\tw6,w6,w10\n\tadd\tw7,w7,w11\n\tadd\tw8,w8,w12\n\teor\tw17,w17,w5\n\teor\tw19,w19,w6\n\teor\tw20,w20,w7\n\teor\tw21,w21,w8\n\tror\tw17,w17,#16\n\tror\tw19,w19,#16\n\tror\tw20,w20,#16\n\tror\tw21,w21,#16\n\tadd\tw13,w13,w17\n\tadd\tw14,w14,w19\n\tadd\tw15,w15,w20\n\tadd\tw16,w16,w21\n\teor\tw9,w9,w13\n\teor\tw10,w10,w14\n\teor\tw11,w11,w15\n\teor\tw12,w12,w16\n\tror\tw9,w9,#20\n\tror\tw10,w10,#20\n\tror\tw11,w11,#20\n\tror\tw12,w12,#20\n\tadd\tw5,w5,w9\n\tadd\tw6,w6,w10\n\tadd\tw7,w7,w11\n\tadd\tw8,w8,w12\n\teor\tw17,w17,w5\n\teor\tw19,w19,w6\n\teor\tw20,w20,w7\n\teor\tw21,w21,w8\n\tror\tw17,w17,#24\n\tror\tw19,w19,#24\n\tror\tw20,w20,#24\n\tror\tw21,w21,#24\n\tadd\tw13,w13,w17\n\tadd\tw14,w14,w19\n\tadd\tw15,w15,w20\n\tadd\tw16,w16,w21\n\teor\tw9,w9,w13\n\teor\tw10,w10,w14\n\teor\tw11,w11,w15\n\teor\tw12,w12,w16\n\tror\tw9,w9,#25\n\tror\tw10,w10,#25\n\tror\tw11,w11,#25\n\tror\tw12,w12,#25\n\tadd\tw5,w5,w10\n\tadd\tw6,w6,w11\n\tadd\tw7,w7,w12\n\tadd\tw8,w8,w9\n\teor\tw21,w21,w5\n\teor\tw17,w17,w6\n\teor\tw19,w19,w7\n\teor\tw20,w20,w8\n\tror\tw21,w21,#16\n\tror\tw17,w17,#16\n\tror\tw19,w19,#16\n\tror\tw20,w20,#16\n\tadd\tw15,w15,w21\n\tadd\tw16,w16,w17\n\tadd\tw13,w13,w19\n\tadd\tw14,w14,w20\n\teor\tw10,w10,w15\n\teor\tw11,w11,w16\n\teor\tw12,w12,w13\n\teor\tw9,w9,w14\n\tror\tw10,w10,#20\n\tror\tw11,w11,#20\n\tror\tw12,w12,#20\n\tror\tw9,w9,#20\n\tadd\tw5,w5,w10\n\tadd\tw6,w6,w11\n\tadd\tw7,w7,w12\n\tadd\tw8,w8,w9\n\teor\tw21,w21,w5\n\teor\tw17,w17,w6\n\teor\tw19,w19,w7\n\teor\tw20,w20,w8\n\tror\tw21,w21,#24\n\tror\tw17,w17,#24\n\tror\tw19,w19,#24\n\tror\tw20,w20,#24\n\tadd\tw15,w15,w21\n\tadd\tw16,w16,w17\n\tadd\tw13,w13,w19\n\tadd\tw14,w14,w20\n\teor\tw10,w10,w15\n\teor\tw11,w11,w16\n\teor\tw12,w12,w13\n\teor\tw9,w9,w14\n\tror\tw10,w10,#25\n\tror\tw11,w11,#25\n\tror\tw12,w12,#25\n\tror\tw9,w9,#25\n\tcbnz\tx4,Loop\n\n\tadd\tw5,w5,w22\t\t// accumulate key block\n\tadd\tx6,x6,x22,lsr#32\n\tadd\tw7,w7,w23\n\tadd\tx8,x8,x23,lsr#32\n\tadd\tw9,w9,w24\n\tadd\tx10,x10,x24,lsr#32\n\tadd\tw11,w11,w25\n\tadd\tx12,x12,x25,lsr#32\n\tadd\tw13,w13,w26\n\tadd\tx14,x14,x26,lsr#32\n\tadd\tw15,w15,w27\n\tadd\tx16,x16,x27,lsr#32\n\tadd\tw17,w17,w28\n\tadd\tx19,x19,x28,lsr#32\n\tadd\tw20,w20,w30\n\tadd\tx21,x21,x30,lsr#32\n\n\tb.lo\tLtail\n\n\tadd\tx5,x5,x6,lsl#32\t// pack\n\tadd\tx7,x7,x8,lsl#32\n\tldp\tx6,x8,[x1,#0]\t\t// load input\n\tadd\tx9,x9,x10,lsl#32\n\tadd\tx11,x11,x12,lsl#32\n\tldp\tx10,x12,[x1,#16]\n\tadd\tx13,x13,x14,lsl#32\n\tadd\tx15,x15,x16,lsl#32\n\tldp\tx14,x16,[x1,#32]\n\tadd\tx17,x17,x19,lsl#32\n\tadd\tx20,x20,x21,lsl#32\n\tldp\tx19,x21,[x1,#48]\n\tadd\tx1,x1,#64\n#ifdef\t__AARCH64EB__\n\trev\tx5,x5\n\trev\tx7,x7\n\trev\tx9,x9\n\trev\tx11,x11\n\trev\tx13,x13\n\trev\tx15,x15\n\trev\tx17,x17\n\trev\tx20,x20\n#endif\n\teor\tx5,x5,x6\n\teor\tx7,x7,x8\n\teor\tx9,x9,x10\n\teor\tx11,x11,x12\n\teor\tx13,x13,x14\n\teor\tx15,x15,x16\n\teor\tx17,x17,x19\n\teor\tx20,x20,x21\n\n\tstp\tx5,x7,[x0,#0]\t\t// store output\n\tadd\tx28,x28,#1\t\t\t// increment counter\n\tstp\tx9,x11,[x0,#16]\n\tstp\tx13,x15,[x0,#32]\n\tstp\tx17,x20,[x0,#48]\n\tadd\tx0,x0,#64\n\n\tb.hi\tLoop_outer\n\n\tldp\tx19,x20,[x29,#16]\n\tadd\tsp,sp,#64\n\tldp\tx21,x22,[x29,#32]\n\tldp\tx23,x24,[x29,#48]\n\tldp\tx25,x26,[x29,#64]\n\tldp\tx27,x28,[x29,#80]\n\tldp\tx29,x30,[sp],#96\n\tAARCH64_VALIDATE_LINK_REGISTER\n\tret\n\n.align\t4\nLtail:\n\tadd\tx2,x2,#64\nLess_than_64:\n\tsub\tx0,x0,#1\n\tadd\tx1,x1,x2\n\tadd\tx0,x0,x2\n\tadd\tx4,sp,x2\n\tneg\tx2,x2\n\n\tadd\tx5,x5,x6,lsl#32\t// pack\n\tadd\tx7,x7,x8,lsl#32\n\tadd\tx9,x9,x10,lsl#32\n\tadd\tx11,x11,x12,lsl#32\n\tadd\tx13,x13,x14,lsl#32\n\tadd\tx15,x15,x16,lsl#32\n\tadd\tx17,x17,x19,lsl#32\n\tadd\tx20,x20,x21,lsl#32\n#ifdef\t__AARCH64EB__\n\trev\tx5,x5\n\trev\tx7,x7\n\trev\tx9,x9\n\trev\tx11,x11\n\trev\tx13,x13\n\trev\tx15,x15\n\trev\tx17,x17\n\trev\tx20,x20\n#endif\n\tstp\tx5,x7,[sp,#0]\n\tstp\tx9,x11,[sp,#16]\n\tstp\tx13,x15,[sp,#32]\n\tstp\tx17,x20,[sp,#48]\n\nLoop_tail:\n\tldrb\tw10,[x1,x2]\n\tldrb\tw11,[x4,x2]\n\tadd\tx2,x2,#1\n\teor\tw10,w10,w11\n\tstrb\tw10,[x0,x2]\n\tcbnz\tx2,Loop_tail\n\n\tstp\txzr,xzr,[sp,#0]\n\tstp\txzr,xzr,[sp,#16]\n\tstp\txzr,xzr,[sp,#32]\n\tstp\txzr,xzr,[sp,#48]\n\n\tldp\tx19,x20,[x29,#16]\n\tadd\tsp,sp,#64\n\tldp\tx21,x22,[x29,#32]\n\tldp\tx23,x24,[x29,#48]\n\tldp\tx25,x26,[x29,#64]\n\tldp\tx27,x28,[x29,#80]\n\tldp\tx29,x30,[sp],#96\n\tAARCH64_VALIDATE_LINK_REGISTER\n\tret\n\n\n.globl\tChaCha20_ctr32_neon\n\n.def ChaCha20_ctr32_neon\n .type 32\n.endef\n.align\t5\nChaCha20_ctr32_neon:\n\tAARCH64_SIGN_LINK_REGISTER\n\tstp\tx29,x30,[sp,#-96]!\n\tadd\tx29,sp,#0\n\n\tadrp\tx5,Lsigma\n\tadd\tx5,x5,:lo12:Lsigma\n\tstp\tx19,x20,[sp,#16]\n\tstp\tx21,x22,[sp,#32]\n\tstp\tx23,x24,[sp,#48]\n\tstp\tx25,x26,[sp,#64]\n\tstp\tx27,x28,[sp,#80]\n\tcmp\tx2,#512\n\tb.hs\tL512_or_more_neon\n\n\tsub\tsp,sp,#64\n\n\tldp\tx22,x23,[x5]\t\t// load sigma\n\tld1\t{v24.4s},[x5],#16\n\tldp\tx24,x25,[x3]\t\t// load key\n\tldp\tx26,x27,[x3,#16]\n\tld1\t{v25.4s,v26.4s},[x3]\n\tldp\tx28,x30,[x4]\t\t// load counter\n\tld1\t{v27.4s},[x4]\n\tld1\t{v31.4s},[x5]\n#ifdef\t__AARCH64EB__\n\trev64\tv24.4s,v24.4s\n\tror\tx24,x24,#32\n\tror\tx25,x25,#32\n\tror\tx26,x26,#32\n\tror\tx27,x27,#32\n\tror\tx28,x28,#32\n\tror\tx30,x30,#32\n#endif\n\tadd\tv27.4s,v27.4s,v31.4s\t\t// += 1\n\tadd\tv28.4s,v27.4s,v31.4s\n\tadd\tv29.4s,v28.4s,v31.4s\n\tshl\tv31.4s,v31.4s,#2\t\t\t// 1 -> 4\n\nLoop_outer_neon:\n\tmov\tw5,w22\t\t\t// unpack key block\n\tlsr\tx6,x22,#32\n\tmov\tv0.16b,v24.16b\n\tmov\tw7,w23\n\tlsr\tx8,x23,#32\n\tmov\tv4.16b,v24.16b\n\tmov\tw9,w24\n\tlsr\tx10,x24,#32\n\tmov\tv16.16b,v24.16b\n\tmov\tw11,w25\n\tmov\tv1.16b,v25.16b\n\tlsr\tx12,x25,#32\n\tmov\tv5.16b,v25.16b\n\tmov\tw13,w26\n\tmov\tv17.16b,v25.16b\n\tlsr\tx14,x26,#32\n\tmov\tv3.16b,v27.16b\n\tmov\tw15,w27\n\tmov\tv7.16b,v28.16b\n\tlsr\tx16,x27,#32\n\tmov\tv19.16b,v29.16b\n\tmov\tw17,w28\n\tmov\tv2.16b,v26.16b\n\tlsr\tx19,x28,#32\n\tmov\tv6.16b,v26.16b\n\tmov\tw20,w30\n\tmov\tv18.16b,v26.16b\n\tlsr\tx21,x30,#32\n\n\tmov\tx4,#10\n\tsubs\tx2,x2,#256\nLoop_neon:\n\tsub\tx4,x4,#1\n\tadd\tv0.4s,v0.4s,v1.4s\n\tadd\tw5,w5,w9\n\tadd\tv4.4s,v4.4s,v5.4s\n\tadd\tw6,w6,w10\n\tadd\tv16.4s,v16.4s,v17.4s\n\tadd\tw7,w7,w11\n\teor\tv3.16b,v3.16b,v0.16b\n\tadd\tw8,w8,w12\n\teor\tv7.16b,v7.16b,v4.16b\n\teor\tw17,w17,w5\n\teor\tv19.16b,v19.16b,v16.16b\n\teor\tw19,w19,w6\n\trev32\tv3.8h,v3.8h\n\teor\tw20,w20,w7\n\trev32\tv7.8h,v7.8h\n\teor\tw21,w21,w8\n\trev32\tv19.8h,v19.8h\n\tror\tw17,w17,#16\n\tadd\tv2.4s,v2.4s,v3.4s\n\tror\tw19,w19,#16\n\tadd\tv6.4s,v6.4s,v7.4s\n\tror\tw20,w20,#16\n\tadd\tv18.4s,v18.4s,v19.4s\n\tror\tw21,w21,#16\n\teor\tv20.16b,v1.16b,v2.16b\n\tadd\tw13,w13,w17\n\teor\tv21.16b,v5.16b,v6.16b\n\tadd\tw14,w14,w19\n\teor\tv22.16b,v17.16b,v18.16b\n\tadd\tw15,w15,w20\n\tushr\tv1.4s,v20.4s,#20\n\tadd\tw16,w16,w21\n\tushr\tv5.4s,v21.4s,#20\n\teor\tw9,w9,w13\n\tushr\tv17.4s,v22.4s,#20\n\teor\tw10,w10,w14\n\tsli\tv1.4s,v20.4s,#12\n\teor\tw11,w11,w15\n\tsli\tv5.4s,v21.4s,#12\n\teor\tw12,w12,w16\n\tsli\tv17.4s,v22.4s,#12\n\tror\tw9,w9,#20\n\tadd\tv0.4s,v0.4s,v1.4s\n\tror\tw10,w10,#20\n\tadd\tv4.4s,v4.4s,v5.4s\n\tror\tw11,w11,#20\n\tadd\tv16.4s,v16.4s,v17.4s\n\tror\tw12,w12,#20\n\teor\tv20.16b,v3.16b,v0.16b\n\tadd\tw5,w5,w9\n\teor\tv21.16b,v7.16b,v4.16b\n\tadd\tw6,w6,w10\n\teor\tv22.16b,v19.16b,v16.16b\n\tadd\tw7,w7,w11\n\tushr\tv3.4s,v20.4s,#24\n\tadd\tw8,w8,w12\n\tushr\tv7.4s,v21.4s,#24\n\teor\tw17,w17,w5\n\tushr\tv19.4s,v22.4s,#24\n\teor\tw19,w19,w6\n\tsli\tv3.4s,v20.4s,#8\n\teor\tw20,w20,w7\n\tsli\tv7.4s,v21.4s,#8\n\teor\tw21,w21,w8\n\tsli\tv19.4s,v22.4s,#8\n\tror\tw17,w17,#24\n\tadd\tv2.4s,v2.4s,v3.4s\n\tror\tw19,w19,#24\n\tadd\tv6.4s,v6.4s,v7.4s\n\tror\tw20,w20,#24\n\tadd\tv18.4s,v18.4s,v19.4s\n\tror\tw21,w21,#24\n\teor\tv20.16b,v1.16b,v2.16b\n\tadd\tw13,w13,w17\n\teor\tv21.16b,v5.16b,v6.16b\n\tadd\tw14,w14,w19\n\teor\tv22.16b,v17.16b,v18.16b\n\tadd\tw15,w15,w20\n\tushr\tv1.4s,v20.4s,#25\n\tadd\tw16,w16,w21\n\tushr\tv5.4s,v21.4s,#25\n\teor\tw9,w9,w13\n\tushr\tv17.4s,v22.4s,#25\n\teor\tw10,w10,w14\n\tsli\tv1.4s,v20.4s,#7\n\teor\tw11,w11,w15\n\tsli\tv5.4s,v21.4s,#7\n\teor\tw12,w12,w16\n\tsli\tv17.4s,v22.4s,#7\n\tror\tw9,w9,#25\n\text\tv2.16b,v2.16b,v2.16b,#8\n\tror\tw10,w10,#25\n\text\tv6.16b,v6.16b,v6.16b,#8\n\tror\tw11,w11,#25\n\text\tv18.16b,v18.16b,v18.16b,#8\n\tror\tw12,w12,#25\n\text\tv3.16b,v3.16b,v3.16b,#12\n\text\tv7.16b,v7.16b,v7.16b,#12\n\text\tv19.16b,v19.16b,v19.16b,#12\n\text\tv1.16b,v1.16b,v1.16b,#4\n\text\tv5.16b,v5.16b,v5.16b,#4\n\text\tv17.16b,v17.16b,v17.16b,#4\n\tadd\tv0.4s,v0.4s,v1.4s\n\tadd\tw5,w5,w10\n\tadd\tv4.4s,v4.4s,v5.4s\n\tadd\tw6,w6,w11\n\tadd\tv16.4s,v16.4s,v17.4s\n\tadd\tw7,w7,w12\n\teor\tv3.16b,v3.16b,v0.16b\n\tadd\tw8,w8,w9\n\teor\tv7.16b,v7.16b,v4.16b\n\teor\tw21,w21,w5\n\teor\tv19.16b,v19.16b,v16.16b\n\teor\tw17,w17,w6\n\trev32\tv3.8h,v3.8h\n\teor\tw19,w19,w7\n\trev32\tv7.8h,v7.8h\n\teor\tw20,w20,w8\n\trev32\tv19.8h,v19.8h\n\tror\tw21,w21,#16\n\tadd\tv2.4s,v2.4s,v3.4s\n\tror\tw17,w17,#16\n\tadd\tv6.4s,v6.4s,v7.4s\n\tror\tw19,w19,#16\n\tadd\tv18.4s,v18.4s,v19.4s\n\tror\tw20,w20,#16\n\teor\tv20.16b,v1.16b,v2.16b\n\tadd\tw15,w15,w21\n\teor\tv21.16b,v5.16b,v6.16b\n\tadd\tw16,w16,w17\n\teor\tv22.16b,v17.16b,v18.16b\n\tadd\tw13,w13,w19\n\tushr\tv1.4s,v20.4s,#20\n\tadd\tw14,w14,w20\n\tushr\tv5.4s,v21.4s,#20\n\teor\tw10,w10,w15\n\tushr\tv17.4s,v22.4s,#20\n\teor\tw11,w11,w16\n\tsli\tv1.4s,v20.4s,#12\n\teor\tw12,w12,w13\n\tsli\tv5.4s,v21.4s,#12\n\teor\tw9,w9,w14\n\tsli\tv17.4s,v22.4s,#12\n\tror\tw10,w10,#20\n\tadd\tv0.4s,v0.4s,v1.4s\n\tror\tw11,w11,#20\n\tadd\tv4.4s,v4.4s,v5.4s\n\tror\tw12,w12,#20\n\tadd\tv16.4s,v16.4s,v17.4s\n\tror\tw9,w9,#20\n\teor\tv20.16b,v3.16b,v0.16b\n\tadd\tw5,w5,w10\n\teor\tv21.16b,v7.16b,v4.16b\n\tadd\tw6,w6,w11\n\teor\tv22.16b,v19.16b,v16.16b\n\tadd\tw7,w7,w12\n\tushr\tv3.4s,v20.4s,#24\n\tadd\tw8,w8,w9\n\tushr\tv7.4s,v21.4s,#24\n\teor\tw21,w21,w5\n\tushr\tv19.4s,v22.4s,#24\n\teor\tw17,w17,w6\n\tsli\tv3.4s,v20.4s,#8\n\teor\tw19,w19,w7\n\tsli\tv7.4s,v21.4s,#8\n\teor\tw20,w20,w8\n\tsli\tv19.4s,v22.4s,#8\n\tror\tw21,w21,#24\n\tadd\tv2.4s,v2.4s,v3.4s\n\tror\tw17,w17,#24\n\tadd\tv6.4s,v6.4s,v7.4s\n\tror\tw19,w19,#24\n\tadd\tv18.4s,v18.4s,v19.4s\n\tror\tw20,w20,#24\n\teor\tv20.16b,v1.16b,v2.16b\n\tadd\tw15,w15,w21\n\teor\tv21.16b,v5.16b,v6.16b\n\tadd\tw16,w16,w17\n\teor\tv22.16b,v17.16b,v18.16b\n\tadd\tw13,w13,w19\n\tushr\tv1.4s,v20.4s,#25\n\tadd\tw14,w14,w20\n\tushr\tv5.4s,v21.4s,#25\n\teor\tw10,w10,w15\n\tushr\tv17.4s,v22.4s,#25\n\teor\tw11,w11,w16\n\tsli\tv1.4s,v20.4s,#7\n\teor\tw12,w12,w13\n\tsli\tv5.4s,v21.4s,#7\n\teor\tw9,w9,w14\n\tsli\tv17.4s,v22.4s,#7\n\tror\tw10,w10,#25\n\text\tv2.16b,v2.16b,v2.16b,#8\n\tror\tw11,w11,#25\n\text\tv6.16b,v6.16b,v6.16b,#8\n\tror\tw12,w12,#25\n\text\tv18.16b,v18.16b,v18.16b,#8\n\tror\tw9,w9,#25\n\text\tv3.16b,v3.16b,v3.16b,#4\n\text\tv7.16b,v7.16b,v7.16b,#4\n\text\tv19.16b,v19.16b,v19.16b,#4\n\text\tv1.16b,v1.16b,v1.16b,#12\n\text\tv5.16b,v5.16b,v5.16b,#12\n\text\tv17.16b,v17.16b,v17.16b,#12\n\tcbnz\tx4,Loop_neon\n\n\tadd\tw5,w5,w22\t\t// accumulate key block\n\tadd\tv0.4s,v0.4s,v24.4s\n\tadd\tx6,x6,x22,lsr#32\n\tadd\tv4.4s,v4.4s,v24.4s\n\tadd\tw7,w7,w23\n\tadd\tv16.4s,v16.4s,v24.4s\n\tadd\tx8,x8,x23,lsr#32\n\tadd\tv2.4s,v2.4s,v26.4s\n\tadd\tw9,w9,w24\n\tadd\tv6.4s,v6.4s,v26.4s\n\tadd\tx10,x10,x24,lsr#32\n\tadd\tv18.4s,v18.4s,v26.4s\n\tadd\tw11,w11,w25\n\tadd\tv3.4s,v3.4s,v27.4s\n\tadd\tx12,x12,x25,lsr#32\n\tadd\tw13,w13,w26\n\tadd\tv7.4s,v7.4s,v28.4s\n\tadd\tx14,x14,x26,lsr#32\n\tadd\tw15,w15,w27\n\tadd\tv19.4s,v19.4s,v29.4s\n\tadd\tx16,x16,x27,lsr#32\n\tadd\tw17,w17,w28\n\tadd\tv1.4s,v1.4s,v25.4s\n\tadd\tx19,x19,x28,lsr#32\n\tadd\tw20,w20,w30\n\tadd\tv5.4s,v5.4s,v25.4s\n\tadd\tx21,x21,x30,lsr#32\n\tadd\tv17.4s,v17.4s,v25.4s\n\n\tb.lo\tLtail_neon\n\n\tadd\tx5,x5,x6,lsl#32\t// pack\n\tadd\tx7,x7,x8,lsl#32\n\tldp\tx6,x8,[x1,#0]\t\t// load input\n\tadd\tx9,x9,x10,lsl#32\n\tadd\tx11,x11,x12,lsl#32\n\tldp\tx10,x12,[x1,#16]\n\tadd\tx13,x13,x14,lsl#32\n\tadd\tx15,x15,x16,lsl#32\n\tldp\tx14,x16,[x1,#32]\n\tadd\tx17,x17,x19,lsl#32\n\tadd\tx20,x20,x21,lsl#32\n\tldp\tx19,x21,[x1,#48]\n\tadd\tx1,x1,#64\n#ifdef\t__AARCH64EB__\n\trev\tx5,x5\n\trev\tx7,x7\n\trev\tx9,x9\n\trev\tx11,x11\n\trev\tx13,x13\n\trev\tx15,x15\n\trev\tx17,x17\n\trev\tx20,x20\n#endif\n\tld1\t{v20.16b,v21.16b,v22.16b,v23.16b},[x1],#64\n\teor\tx5,x5,x6\n\teor\tx7,x7,x8\n\teor\tx9,x9,x10\n\teor\tx11,x11,x12\n\teor\tx13,x13,x14\n\teor\tv0.16b,v0.16b,v20.16b\n\teor\tx15,x15,x16\n\teor\tv1.16b,v1.16b,v21.16b\n\teor\tx17,x17,x19\n\teor\tv2.16b,v2.16b,v22.16b\n\teor\tx20,x20,x21\n\teor\tv3.16b,v3.16b,v23.16b\n\tld1\t{v20.16b,v21.16b,v22.16b,v23.16b},[x1],#64\n\n\tstp\tx5,x7,[x0,#0]\t\t// store output\n\tadd\tx28,x28,#4\t\t\t// increment counter\n\tstp\tx9,x11,[x0,#16]\n\tadd\tv27.4s,v27.4s,v31.4s\t\t// += 4\n\tstp\tx13,x15,[x0,#32]\n\tadd\tv28.4s,v28.4s,v31.4s\n\tstp\tx17,x20,[x0,#48]\n\tadd\tv29.4s,v29.4s,v31.4s\n\tadd\tx0,x0,#64\n\n\tst1\t{v0.16b,v1.16b,v2.16b,v3.16b},[x0],#64\n\tld1\t{v0.16b,v1.16b,v2.16b,v3.16b},[x1],#64\n\n\teor\tv4.16b,v4.16b,v20.16b\n\teor\tv5.16b,v5.16b,v21.16b\n\teor\tv6.16b,v6.16b,v22.16b\n\teor\tv7.16b,v7.16b,v23.16b\n\tst1\t{v4.16b,v5.16b,v6.16b,v7.16b},[x0],#64\n\n\teor\tv16.16b,v16.16b,v0.16b\n\teor\tv17.16b,v17.16b,v1.16b\n\teor\tv18.16b,v18.16b,v2.16b\n\teor\tv19.16b,v19.16b,v3.16b\n\tst1\t{v16.16b,v17.16b,v18.16b,v19.16b},[x0],#64\n\n\tb.hi\tLoop_outer_neon\n\n\tldp\tx19,x20,[x29,#16]\n\tadd\tsp,sp,#64\n\tldp\tx21,x22,[x29,#32]\n\tldp\tx23,x24,[x29,#48]\n\tldp\tx25,x26,[x29,#64]\n\tldp\tx27,x28,[x29,#80]\n\tldp\tx29,x30,[sp],#96\n\tAARCH64_VALIDATE_LINK_REGISTER\n\tret\n\nLtail_neon:\n\tadd\tx2,x2,#256\n\tcmp\tx2,#64\n\tb.lo\tLess_than_64\n\n\tadd\tx5,x5,x6,lsl#32\t// pack\n\tadd\tx7,x7,x8,lsl#32\n\tldp\tx6,x8,[x1,#0]\t\t// load input\n\tadd\tx9,x9,x10,lsl#32\n\tadd\tx11,x11,x12,lsl#32\n\tldp\tx10,x12,[x1,#16]\n\tadd\tx13,x13,x14,lsl#32\n\tadd\tx15,x15,x16,lsl#32\n\tldp\tx14,x16,[x1,#32]\n\tadd\tx17,x17,x19,lsl#32\n\tadd\tx20,x20,x21,lsl#32\n\tldp\tx19,x21,[x1,#48]\n\tadd\tx1,x1,#64\n#ifdef\t__AARCH64EB__\n\trev\tx5,x5\n\trev\tx7,x7\n\trev\tx9,x9\n\trev\tx11,x11\n\trev\tx13,x13\n\trev\tx15,x15\n\trev\tx17,x17\n\trev\tx20,x20\n#endif\n\teor\tx5,x5,x6\n\teor\tx7,x7,x8\n\teor\tx9,x9,x10\n\teor\tx11,x11,x12\n\teor\tx13,x13,x14\n\teor\tx15,x15,x16\n\teor\tx17,x17,x19\n\teor\tx20,x20,x21\n\n\tstp\tx5,x7,[x0,#0]\t\t// store output\n\tadd\tx28,x28,#4\t\t\t// increment counter\n\tstp\tx9,x11,[x0,#16]\n\tstp\tx13,x15,[x0,#32]\n\tstp\tx17,x20,[x0,#48]\n\tadd\tx0,x0,#64\n\tb.eq\tLdone_neon\n\tsub\tx2,x2,#64\n\tcmp\tx2,#64\n\tb.lo\tLess_than_128\n\n\tld1\t{v20.16b,v21.16b,v22.16b,v23.16b},[x1],#64\n\teor\tv0.16b,v0.16b,v20.16b\n\teor\tv1.16b,v1.16b,v21.16b\n\teor\tv2.16b,v2.16b,v22.16b\n\teor\tv3.16b,v3.16b,v23.16b\n\tst1\t{v0.16b,v1.16b,v2.16b,v3.16b},[x0],#64\n\tb.eq\tLdone_neon\n\tsub\tx2,x2,#64\n\tcmp\tx2,#64\n\tb.lo\tLess_than_192\n\n\tld1\t{v20.16b,v21.16b,v22.16b,v23.16b},[x1],#64\n\teor\tv4.16b,v4.16b,v20.16b\n\teor\tv5.16b,v5.16b,v21.16b\n\teor\tv6.16b,v6.16b,v22.16b\n\teor\tv7.16b,v7.16b,v23.16b\n\tst1\t{v4.16b,v5.16b,v6.16b,v7.16b},[x0],#64\n\tb.eq\tLdone_neon\n\tsub\tx2,x2,#64\n\n\tst1\t{v16.16b,v17.16b,v18.16b,v19.16b},[sp]\n\tb\tLast_neon\n\nLess_than_128:\n\tst1\t{v0.16b,v1.16b,v2.16b,v3.16b},[sp]\n\tb\tLast_neon\nLess_than_192:\n\tst1\t{v4.16b,v5.16b,v6.16b,v7.16b},[sp]\n\tb\tLast_neon\n\n.align\t4\nLast_neon:\n\tsub\tx0,x0,#1\n\tadd\tx1,x1,x2\n\tadd\tx0,x0,x2\n\tadd\tx4,sp,x2\n\tneg\tx2,x2\n\nLoop_tail_neon:\n\tldrb\tw10,[x1,x2]\n\tldrb\tw11,[x4,x2]\n\tadd\tx2,x2,#1\n\teor\tw10,w10,w11\n\tstrb\tw10,[x0,x2]\n\tcbnz\tx2,Loop_tail_neon\n\n\tstp\txzr,xzr,[sp,#0]\n\tstp\txzr,xzr,[sp,#16]\n\tstp\txzr,xzr,[sp,#32]\n\tstp\txzr,xzr,[sp,#48]\n\nLdone_neon:\n\tldp\tx19,x20,[x29,#16]\n\tadd\tsp,sp,#64\n\tldp\tx21,x22,[x29,#32]\n\tldp\tx23,x24,[x29,#48]\n\tldp\tx25,x26,[x29,#64]\n\tldp\tx27,x28,[x29,#80]\n\tldp\tx29,x30,[sp],#96\n\tAARCH64_VALIDATE_LINK_REGISTER\n\tret\n\n.def ChaCha20_512_neon\n .type 32\n.endef\n.align\t5\nChaCha20_512_neon:\n\tAARCH64_SIGN_LINK_REGISTER\n\tstp\tx29,x30,[sp,#-96]!\n\tadd\tx29,sp,#0\n\n\tadrp\tx5,Lsigma\n\tadd\tx5,x5,:lo12:Lsigma\n\tstp\tx19,x20,[sp,#16]\n\tstp\tx21,x22,[sp,#32]\n\tstp\tx23,x24,[sp,#48]\n\tstp\tx25,x26,[sp,#64]\n\tstp\tx27,x28,[sp,#80]\n\nL512_or_more_neon:\n\tsub\tsp,sp,#128+64\n\n\tldp\tx22,x23,[x5]\t\t// load sigma\n\tld1\t{v24.4s},[x5],#16\n\tldp\tx24,x25,[x3]\t\t// load key\n\tldp\tx26,x27,[x3,#16]\n\tld1\t{v25.4s,v26.4s},[x3]\n\tldp\tx28,x30,[x4]\t\t// load counter\n\tld1\t{v27.4s},[x4]\n\tld1\t{v31.4s},[x5]\n#ifdef\t__AARCH64EB__\n\trev64\tv24.4s,v24.4s\n\tror\tx24,x24,#32\n\tror\tx25,x25,#32\n\tror\tx26,x26,#32\n\tror\tx27,x27,#32\n\tror\tx28,x28,#32\n\tror\tx30,x30,#32\n#endif\n\tadd\tv27.4s,v27.4s,v31.4s\t\t// += 1\n\tstp\tq24,q25,[sp,#0]\t\t// off-load key block, invariant part\n\tadd\tv27.4s,v27.4s,v31.4s\t\t// not typo\n\tstr\tq26,[sp,#32]\n\tadd\tv28.4s,v27.4s,v31.4s\n\tadd\tv29.4s,v28.4s,v31.4s\n\tadd\tv30.4s,v29.4s,v31.4s\n\tshl\tv31.4s,v31.4s,#2\t\t\t// 1 -> 4\n\n\tstp\td8,d9,[sp,#128+0]\t\t// meet ABI requirements\n\tstp\td10,d11,[sp,#128+16]\n\tstp\td12,d13,[sp,#128+32]\n\tstp\td14,d15,[sp,#128+48]\n\n\tsub\tx2,x2,#512\t\t\t// not typo\n\nLoop_outer_512_neon:\n\tmov\tv0.16b,v24.16b\n\tmov\tv4.16b,v24.16b\n\tmov\tv8.16b,v24.16b\n\tmov\tv12.16b,v24.16b\n\tmov\tv16.16b,v24.16b\n\tmov\tv20.16b,v24.16b\n\tmov\tv1.16b,v25.16b\n\tmov\tw5,w22\t\t\t// unpack key block\n\tmov\tv5.16b,v25.16b\n\tlsr\tx6,x22,#32\n\tmov\tv9.16b,v25.16b\n\tmov\tw7,w23\n\tmov\tv13.16b,v25.16b\n\tlsr\tx8,x23,#32\n\tmov\tv17.16b,v25.16b\n\tmov\tw9,w24\n\tmov\tv21.16b,v25.16b\n\tlsr\tx10,x24,#32\n\tmov\tv3.16b,v27.16b\n\tmov\tw11,w25\n\tmov\tv7.16b,v28.16b\n\tlsr\tx12,x25,#32\n\tmov\tv11.16b,v29.16b\n\tmov\tw13,w26\n\tmov\tv15.16b,v30.16b\n\tlsr\tx14,x26,#32\n\tmov\tv2.16b,v26.16b\n\tmov\tw15,w27\n\tmov\tv6.16b,v26.16b\n\tlsr\tx16,x27,#32\n\tadd\tv19.4s,v3.4s,v31.4s\t\t\t// +4\n\tmov\tw17,w28\n\tadd\tv23.4s,v7.4s,v31.4s\t\t\t// +4\n\tlsr\tx19,x28,#32\n\tmov\tv10.16b,v26.16b\n\tmov\tw20,w30\n\tmov\tv14.16b,v26.16b\n\tlsr\tx21,x30,#32\n\tmov\tv18.16b,v26.16b\n\tstp\tq27,q28,[sp,#48]\t\t// off-load key block, variable part\n\tmov\tv22.16b,v26.16b\n\tstr\tq29,[sp,#80]\n\n\tmov\tx4,#5\n\tsubs\tx2,x2,#512\nLoop_upper_neon:\n\tsub\tx4,x4,#1\n\tadd\tv0.4s,v0.4s,v1.4s\n\tadd\tw5,w5,w9\n\tadd\tv4.4s,v4.4s,v5.4s\n\tadd\tw6,w6,w10\n\tadd\tv8.4s,v8.4s,v9.4s\n\tadd\tw7,w7,w11\n\tadd\tv12.4s,v12.4s,v13.4s\n\tadd\tw8,w8,w12\n\tadd\tv16.4s,v16.4s,v17.4s\n\teor\tw17,w17,w5\n\tadd\tv20.4s,v20.4s,v21.4s\n\teor\tw19,w19,w6\n\teor\tv3.16b,v3.16b,v0.16b\n\teor\tw20,w20,w7\n\teor\tv7.16b,v7.16b,v4.16b\n\teor\tw21,w21,w8\n\teor\tv11.16b,v11.16b,v8.16b\n\tror\tw17,w17,#16\n\teor\tv15.16b,v15.16b,v12.16b\n\tror\tw19,w19,#16\n\teor\tv19.16b,v19.16b,v16.16b\n\tror\tw20,w20,#16\n\teor\tv23.16b,v23.16b,v20.16b\n\tror\tw21,w21,#16\n\trev32\tv3.8h,v3.8h\n\tadd\tw13,w13,w17\n\trev32\tv7.8h,v7.8h\n\tadd\tw14,w14,w19\n\trev32\tv11.8h,v11.8h\n\tadd\tw15,w15,w20\n\trev32\tv15.8h,v15.8h\n\tadd\tw16,w16,w21\n\trev32\tv19.8h,v19.8h\n\teor\tw9,w9,w13\n\trev32\tv23.8h,v23.8h\n\teor\tw10,w10,w14\n\tadd\tv2.4s,v2.4s,v3.4s\n\teor\tw11,w11,w15\n\tadd\tv6.4s,v6.4s,v7.4s\n\teor\tw12,w12,w16\n\tadd\tv10.4s,v10.4s,v11.4s\n\tror\tw9,w9,#20\n\tadd\tv14.4s,v14.4s,v15.4s\n\tror\tw10,w10,#20\n\tadd\tv18.4s,v18.4s,v19.4s\n\tror\tw11,w11,#20\n\tadd\tv22.4s,v22.4s,v23.4s\n\tror\tw12,w12,#20\n\teor\tv24.16b,v1.16b,v2.16b\n\tadd\tw5,w5,w9\n\teor\tv25.16b,v5.16b,v6.16b\n\tadd\tw6,w6,w10\n\teor\tv26.16b,v9.16b,v10.16b\n\tadd\tw7,w7,w11\n\teor\tv27.16b,v13.16b,v14.16b\n\tadd\tw8,w8,w12\n\teor\tv28.16b,v17.16b,v18.16b\n\teor\tw17,w17,w5\n\teor\tv29.16b,v21.16b,v22.16b\n\teor\tw19,w19,w6\n\tushr\tv1.4s,v24.4s,#20\n\teor\tw20,w20,w7\n\tushr\tv5.4s,v25.4s,#20\n\teor\tw21,w21,w8\n\tushr\tv9.4s,v26.4s,#20\n\tror\tw17,w17,#24\n\tushr\tv13.4s,v27.4s,#20\n\tror\tw19,w19,#24\n\tushr\tv17.4s,v28.4s,#20\n\tror\tw20,w20,#24\n\tushr\tv21.4s,v29.4s,#20\n\tror\tw21,w21,#24\n\tsli\tv1.4s,v24.4s,#12\n\tadd\tw13,w13,w17\n\tsli\tv5.4s,v25.4s,#12\n\tadd\tw14,w14,w19\n\tsli\tv9.4s,v26.4s,#12\n\tadd\tw15,w15,w20\n\tsli\tv13.4s,v27.4s,#12\n\tadd\tw16,w16,w21\n\tsli\tv17.4s,v28.4s,#12\n\teor\tw9,w9,w13\n\tsli\tv21.4s,v29.4s,#12\n\teor\tw10,w10,w14\n\tadd\tv0.4s,v0.4s,v1.4s\n\teor\tw11,w11,w15\n\tadd\tv4.4s,v4.4s,v5.4s\n\teor\tw12,w12,w16\n\tadd\tv8.4s,v8.4s,v9.4s\n\tror\tw9,w9,#25\n\tadd\tv12.4s,v12.4s,v13.4s\n\tror\tw10,w10,#25\n\tadd\tv16.4s,v16.4s,v17.4s\n\tror\tw11,w11,#25\n\tadd\tv20.4s,v20.4s,v21.4s\n\tror\tw12,w12,#25\n\teor\tv24.16b,v3.16b,v0.16b\n\tadd\tw5,w5,w10\n\teor\tv25.16b,v7.16b,v4.16b\n\tadd\tw6,w6,w11\n\teor\tv26.16b,v11.16b,v8.16b\n\tadd\tw7,w7,w12\n\teor\tv27.16b,v15.16b,v12.16b\n\tadd\tw8,w8,w9\n\teor\tv28.16b,v19.16b,v16.16b\n\teor\tw21,w21,w5\n\teor\tv29.16b,v23.16b,v20.16b\n\teor\tw17,w17,w6\n\tushr\tv3.4s,v24.4s,#24\n\teor\tw19,w19,w7\n\tushr\tv7.4s,v25.4s,#24\n\teor\tw20,w20,w8\n\tushr\tv11.4s,v26.4s,#24\n\tror\tw21,w21,#16\n\tushr\tv15.4s,v27.4s,#24\n\tror\tw17,w17,#16\n\tushr\tv19.4s,v28.4s,#24\n\tror\tw19,w19,#16\n\tushr\tv23.4s,v29.4s,#24\n\tror\tw20,w20,#16\n\tsli\tv3.4s,v24.4s,#8\n\tadd\tw15,w15,w21\n\tsli\tv7.4s,v25.4s,#8\n\tadd\tw16,w16,w17\n\tsli\tv11.4s,v26.4s,#8\n\tadd\tw13,w13,w19\n\tsli\tv15.4s,v27.4s,#8\n\tadd\tw14,w14,w20\n\tsli\tv19.4s,v28.4s,#8\n\teor\tw10,w10,w15\n\tsli\tv23.4s,v29.4s,#8\n\teor\tw11,w11,w16\n\tadd\tv2.4s,v2.4s,v3.4s\n\teor\tw12,w12,w13\n\tadd\tv6.4s,v6.4s,v7.4s\n\teor\tw9,w9,w14\n\tadd\tv10.4s,v10.4s,v11.4s\n\tror\tw10,w10,#20\n\tadd\tv14.4s,v14.4s,v15.4s\n\tror\tw11,w11,#20\n\tadd\tv18.4s,v18.4s,v19.4s\n\tror\tw12,w12,#20\n\tadd\tv22.4s,v22.4s,v23.4s\n\tror\tw9,w9,#20\n\teor\tv24.16b,v1.16b,v2.16b\n\tadd\tw5,w5,w10\n\teor\tv25.16b,v5.16b,v6.16b\n\tadd\tw6,w6,w11\n\teor\tv26.16b,v9.16b,v10.16b\n\tadd\tw7,w7,w12\n\teor\tv27.16b,v13.16b,v14.16b\n\tadd\tw8,w8,w9\n\teor\tv28.16b,v17.16b,v18.16b\n\teor\tw21,w21,w5\n\teor\tv29.16b,v21.16b,v22.16b\n\teor\tw17,w17,w6\n\tushr\tv1.4s,v24.4s,#25\n\teor\tw19,w19,w7\n\tushr\tv5.4s,v25.4s,#25\n\teor\tw20,w20,w8\n\tushr\tv9.4s,v26.4s,#25\n\tror\tw21,w21,#24\n\tushr\tv13.4s,v27.4s,#25\n\tror\tw17,w17,#24\n\tushr\tv17.4s,v28.4s,#25\n\tror\tw19,w19,#24\n\tushr\tv21.4s,v29.4s,#25\n\tror\tw20,w20,#24\n\tsli\tv1.4s,v24.4s,#7\n\tadd\tw15,w15,w21\n\tsli\tv5.4s,v25.4s,#7\n\tadd\tw16,w16,w17\n\tsli\tv9.4s,v26.4s,#7\n\tadd\tw13,w13,w19\n\tsli\tv13.4s,v27.4s,#7\n\tadd\tw14,w14,w20\n\tsli\tv17.4s,v28.4s,#7\n\teor\tw10,w10,w15\n\tsli\tv21.4s,v29.4s,#7\n\teor\tw11,w11,w16\n\text\tv2.16b,v2.16b,v2.16b,#8\n\teor\tw12,w12,w13\n\text\tv6.16b,v6.16b,v6.16b,#8\n\teor\tw9,w9,w14\n\text\tv10.16b,v10.16b,v10.16b,#8\n\tror\tw10,w10,#25\n\text\tv14.16b,v14.16b,v14.16b,#8\n\tror\tw11,w11,#25\n\text\tv18.16b,v18.16b,v18.16b,#8\n\tror\tw12,w12,#25\n\text\tv22.16b,v22.16b,v22.16b,#8\n\tror\tw9,w9,#25\n\text\tv3.16b,v3.16b,v3.16b,#12\n\text\tv7.16b,v7.16b,v7.16b,#12\n\text\tv11.16b,v11.16b,v11.16b,#12\n\text\tv15.16b,v15.16b,v15.16b,#12\n\text\tv19.16b,v19.16b,v19.16b,#12\n\text\tv23.16b,v23.16b,v23.16b,#12\n\text\tv1.16b,v1.16b,v1.16b,#4\n\text\tv5.16b,v5.16b,v5.16b,#4\n\text\tv9.16b,v9.16b,v9.16b,#4\n\text\tv13.16b,v13.16b,v13.16b,#4\n\text\tv17.16b,v17.16b,v17.16b,#4\n\text\tv21.16b,v21.16b,v21.16b,#4\n\tadd\tv0.4s,v0.4s,v1.4s\n\tadd\tw5,w5,w9\n\tadd\tv4.4s,v4.4s,v5.4s\n\tadd\tw6,w6,w10\n\tadd\tv8.4s,v8.4s,v9.4s\n\tadd\tw7,w7,w11\n\tadd\tv12.4s,v12.4s,v13.4s\n\tadd\tw8,w8,w12\n\tadd\tv16.4s,v16.4s,v17.4s\n\teor\tw17,w17,w5\n\tadd\tv20.4s,v20.4s,v21.4s\n\teor\tw19,w19,w6\n\teor\tv3.16b,v3.16b,v0.16b\n\teor\tw20,w20,w7\n\teor\tv7.16b,v7.16b,v4.16b\n\teor\tw21,w21,w8\n\teor\tv11.16b,v11.16b,v8.16b\n\tror\tw17,w17,#16\n\teor\tv15.16b,v15.16b,v12.16b\n\tror\tw19,w19,#16\n\teor\tv19.16b,v19.16b,v16.16b\n\tror\tw20,w20,#16\n\teor\tv23.16b,v23.16b,v20.16b\n\tror\tw21,w21,#16\n\trev32\tv3.8h,v3.8h\n\tadd\tw13,w13,w17\n\trev32\tv7.8h,v7.8h\n\tadd\tw14,w14,w19\n\trev32\tv11.8h,v11.8h\n\tadd\tw15,w15,w20\n\trev32\tv15.8h,v15.8h\n\tadd\tw16,w16,w21\n\trev32\tv19.8h,v19.8h\n\teor\tw9,w9,w13\n\trev32\tv23.8h,v23.8h\n\teor\tw10,w10,w14\n\tadd\tv2.4s,v2.4s,v3.4s\n\teor\tw11,w11,w15\n\tadd\tv6.4s,v6.4s,v7.4s\n\teor\tw12,w12,w16\n\tadd\tv10.4s,v10.4s,v11.4s\n\tror\tw9,w9,#20\n\tadd\tv14.4s,v14.4s,v15.4s\n\tror\tw10,w10,#20\n\tadd\tv18.4s,v18.4s,v19.4s\n\tror\tw11,w11,#20\n\tadd\tv22.4s,v22.4s,v23.4s\n\tror\tw12,w12,#20\n\teor\tv24.16b,v1.16b,v2.16b\n\tadd\tw5,w5,w9\n\teor\tv25.16b,v5.16b,v6.16b\n\tadd\tw6,w6,w10\n\teor\tv26.16b,v9.16b,v10.16b\n\tadd\tw7,w7,w11\n\teor\tv27.16b,v13.16b,v14.16b\n\tadd\tw8,w8,w12\n\teor\tv28.16b,v17.16b,v18.16b\n\teor\tw17,w17,w5\n\teor\tv29.16b,v21.16b,v22.16b\n\teor\tw19,w19,w6\n\tushr\tv1.4s,v24.4s,#20\n\teor\tw20,w20,w7\n\tushr\tv5.4s,v25.4s,#20\n\teor\tw21,w21,w8\n\tushr\tv9.4s,v26.4s,#20\n\tror\tw17,w17,#24\n\tushr\tv13.4s,v27.4s,#20\n\tror\tw19,w19,#24\n\tushr\tv17.4s,v28.4s,#20\n\tror\tw20,w20,#24\n\tushr\tv21.4s,v29.4s,#20\n\tror\tw21,w21,#24\n\tsli\tv1.4s,v24.4s,#12\n\tadd\tw13,w13,w17\n\tsli\tv5.4s,v25.4s,#12\n\tadd\tw14,w14,w19\n\tsli\tv9.4s,v26.4s,#12\n\tadd\tw15,w15,w20\n\tsli\tv13.4s,v27.4s,#12\n\tadd\tw16,w16,w21\n\tsli\tv17.4s,v28.4s,#12\n\teor\tw9,w9,w13\n\tsli\tv21.4s,v29.4s,#12\n\teor\tw10,w10,w14\n\tadd\tv0.4s,v0.4s,v1.4s\n\teor\tw11,w11,w15\n\tadd\tv4.4s,v4.4s,v5.4s\n\teor\tw12,w12,w16\n\tadd\tv8.4s,v8.4s,v9.4s\n\tror\tw9,w9,#25\n\tadd\tv12.4s,v12.4s,v13.4s\n\tror\tw10,w10,#25\n\tadd\tv16.4s,v16.4s,v17.4s\n\tror\tw11,w11,#25\n\tadd\tv20.4s,v20.4s,v21.4s\n\tror\tw12,w12,#25\n\teor\tv24.16b,v3.16b,v0.16b\n\tadd\tw5,w5,w10\n\teor\tv25.16b,v7.16b,v4.16b\n\tadd\tw6,w6,w11\n\teor\tv26.16b,v11.16b,v8.16b\n\tadd\tw7,w7,w12\n\teor\tv27.16b,v15.16b,v12.16b\n\tadd\tw8,w8,w9\n\teor\tv28.16b,v19.16b,v16.16b\n\teor\tw21,w21,w5\n\teor\tv29.16b,v23.16b,v20.16b\n\teor\tw17,w17,w6\n\tushr\tv3.4s,v24.4s,#24\n\teor\tw19,w19,w7\n\tushr\tv7.4s,v25.4s,#24\n\teor\tw20,w20,w8\n\tushr\tv11.4s,v26.4s,#24\n\tror\tw21,w21,#16\n\tushr\tv15.4s,v27.4s,#24\n\tror\tw17,w17,#16\n\tushr\tv19.4s,v28.4s,#24\n\tror\tw19,w19,#16\n\tushr\tv23.4s,v29.4s,#24\n\tror\tw20,w20,#16\n\tsli\tv3.4s,v24.4s,#8\n\tadd\tw15,w15,w21\n\tsli\tv7.4s,v25.4s,#8\n\tadd\tw16,w16,w17\n\tsli\tv11.4s,v26.4s,#8\n\tadd\tw13,w13,w19\n\tsli\tv15.4s,v27.4s,#8\n\tadd\tw14,w14,w20\n\tsli\tv19.4s,v28.4s,#8\n\teor\tw10,w10,w15\n\tsli\tv23.4s,v29.4s,#8\n\teor\tw11,w11,w16\n\tadd\tv2.4s,v2.4s,v3.4s\n\teor\tw12,w12,w13\n\tadd\tv6.4s,v6.4s,v7.4s\n\teor\tw9,w9,w14\n\tadd\tv10.4s,v10.4s,v11.4s\n\tror\tw10,w10,#20\n\tadd\tv14.4s,v14.4s,v15.4s\n\tror\tw11,w11,#20\n\tadd\tv18.4s,v18.4s,v19.4s\n\tror\tw12,w12,#20\n\tadd\tv22.4s,v22.4s,v23.4s\n\tror\tw9,w9,#20\n\teor\tv24.16b,v1.16b,v2.16b\n\tadd\tw5,w5,w10\n\teor\tv25.16b,v5.16b,v6.16b\n\tadd\tw6,w6,w11\n\teor\tv26.16b,v9.16b,v10.16b\n\tadd\tw7,w7,w12\n\teor\tv27.16b,v13.16b,v14.16b\n\tadd\tw8,w8,w9\n\teor\tv28.16b,v17.16b,v18.16b\n\teor\tw21,w21,w5\n\teor\tv29.16b,v21.16b,v22.16b\n\teor\tw17,w17,w6\n\tushr\tv1.4s,v24.4s,#25\n\teor\tw19,w19,w7\n\tushr\tv5.4s,v25.4s,#25\n\teor\tw20,w20,w8\n\tushr\tv9.4s,v26.4s,#25\n\tror\tw21,w21,#24\n\tushr\tv13.4s,v27.4s,#25\n\tror\tw17,w17,#24\n\tushr\tv17.4s,v28.4s,#25\n\tror\tw19,w19,#24\n\tushr\tv21.4s,v29.4s,#25\n\tror\tw20,w20,#24\n\tsli\tv1.4s,v24.4s,#7\n\tadd\tw15,w15,w21\n\tsli\tv5.4s,v25.4s,#7\n\tadd\tw16,w16,w17\n\tsli\tv9.4s,v26.4s,#7\n\tadd\tw13,w13,w19\n\tsli\tv13.4s,v27.4s,#7\n\tadd\tw14,w14,w20\n\tsli\tv17.4s,v28.4s,#7\n\teor\tw10,w10,w15\n\tsli\tv21.4s,v29.4s,#7\n\teor\tw11,w11,w16\n\text\tv2.16b,v2.16b,v2.16b,#8\n\teor\tw12,w12,w13\n\text\tv6.16b,v6.16b,v6.16b,#8\n\teor\tw9,w9,w14\n\text\tv10.16b,v10.16b,v10.16b,#8\n\tror\tw10,w10,#25\n\text\tv14.16b,v14.16b,v14.16b,#8\n\tror\tw11,w11,#25\n\text\tv18.16b,v18.16b,v18.16b,#8\n\tror\tw12,w12,#25\n\text\tv22.16b,v22.16b,v22.16b,#8\n\tror\tw9,w9,#25\n\text\tv3.16b,v3.16b,v3.16b,#4\n\text\tv7.16b,v7.16b,v7.16b,#4\n\text\tv11.16b,v11.16b,v11.16b,#4\n\text\tv15.16b,v15.16b,v15.16b,#4\n\text\tv19.16b,v19.16b,v19.16b,#4\n\text\tv23.16b,v23.16b,v23.16b,#4\n\text\tv1.16b,v1.16b,v1.16b,#12\n\text\tv5.16b,v5.16b,v5.16b,#12\n\text\tv9.16b,v9.16b,v9.16b,#12\n\text\tv13.16b,v13.16b,v13.16b,#12\n\text\tv17.16b,v17.16b,v17.16b,#12\n\text\tv21.16b,v21.16b,v21.16b,#12\n\tcbnz\tx4,Loop_upper_neon\n\n\tadd\tw5,w5,w22\t\t// accumulate key block\n\tadd\tx6,x6,x22,lsr#32\n\tadd\tw7,w7,w23\n\tadd\tx8,x8,x23,lsr#32\n\tadd\tw9,w9,w24\n\tadd\tx10,x10,x24,lsr#32\n\tadd\tw11,w11,w25\n\tadd\tx12,x12,x25,lsr#32\n\tadd\tw13,w13,w26\n\tadd\tx14,x14,x26,lsr#32\n\tadd\tw15,w15,w27\n\tadd\tx16,x16,x27,lsr#32\n\tadd\tw17,w17,w28\n\tadd\tx19,x19,x28,lsr#32\n\tadd\tw20,w20,w30\n\tadd\tx21,x21,x30,lsr#32\n\n\tadd\tx5,x5,x6,lsl#32\t// pack\n\tadd\tx7,x7,x8,lsl#32\n\tldp\tx6,x8,[x1,#0]\t\t// load input\n\tadd\tx9,x9,x10,lsl#32\n\tadd\tx11,x11,x12,lsl#32\n\tldp\tx10,x12,[x1,#16]\n\tadd\tx13,x13,x14,lsl#32\n\tadd\tx15,x15,x16,lsl#32\n\tldp\tx14,x16,[x1,#32]\n\tadd\tx17,x17,x19,lsl#32\n\tadd\tx20,x20,x21,lsl#32\n\tldp\tx19,x21,[x1,#48]\n\tadd\tx1,x1,#64\n#ifdef\t__AARCH64EB__\n\trev\tx5,x5\n\trev\tx7,x7\n\trev\tx9,x9\n\trev\tx11,x11\n\trev\tx13,x13\n\trev\tx15,x15\n\trev\tx17,x17\n\trev\tx20,x20\n#endif\n\teor\tx5,x5,x6\n\teor\tx7,x7,x8\n\teor\tx9,x9,x10\n\teor\tx11,x11,x12\n\teor\tx13,x13,x14\n\teor\tx15,x15,x16\n\teor\tx17,x17,x19\n\teor\tx20,x20,x21\n\n\tstp\tx5,x7,[x0,#0]\t\t// store output\n\tadd\tx28,x28,#1\t\t\t// increment counter\n\tmov\tw5,w22\t\t\t// unpack key block\n\tlsr\tx6,x22,#32\n\tstp\tx9,x11,[x0,#16]\n\tmov\tw7,w23\n\tlsr\tx8,x23,#32\n\tstp\tx13,x15,[x0,#32]\n\tmov\tw9,w24\n\tlsr\tx10,x24,#32\n\tstp\tx17,x20,[x0,#48]\n\tadd\tx0,x0,#64\n\tmov\tw11,w25\n\tlsr\tx12,x25,#32\n\tmov\tw13,w26\n\tlsr\tx14,x26,#32\n\tmov\tw15,w27\n\tlsr\tx16,x27,#32\n\tmov\tw17,w28\n\tlsr\tx19,x28,#32\n\tmov\tw20,w30\n\tlsr\tx21,x30,#32\n\n\tmov\tx4,#5\nLoop_lower_neon:\n\tsub\tx4,x4,#1\n\tadd\tv0.4s,v0.4s,v1.4s\n\tadd\tw5,w5,w9\n\tadd\tv4.4s,v4.4s,v5.4s\n\tadd\tw6,w6,w10\n\tadd\tv8.4s,v8.4s,v9.4s\n\tadd\tw7,w7,w11\n\tadd\tv12.4s,v12.4s,v13.4s\n\tadd\tw8,w8,w12\n\tadd\tv16.4s,v16.4s,v17.4s\n\teor\tw17,w17,w5\n\tadd\tv20.4s,v20.4s,v21.4s\n\teor\tw19,w19,w6\n\teor\tv3.16b,v3.16b,v0.16b\n\teor\tw20,w20,w7\n\teor\tv7.16b,v7.16b,v4.16b\n\teor\tw21,w21,w8\n\teor\tv11.16b,v11.16b,v8.16b\n\tror\tw17,w17,#16\n\teor\tv15.16b,v15.16b,v12.16b\n\tror\tw19,w19,#16\n\teor\tv19.16b,v19.16b,v16.16b\n\tror\tw20,w20,#16\n\teor\tv23.16b,v23.16b,v20.16b\n\tror\tw21,w21,#16\n\trev32\tv3.8h,v3.8h\n\tadd\tw13,w13,w17\n\trev32\tv7.8h,v7.8h\n\tadd\tw14,w14,w19\n\trev32\tv11.8h,v11.8h\n\tadd\tw15,w15,w20\n\trev32\tv15.8h,v15.8h\n\tadd\tw16,w16,w21\n\trev32\tv19.8h,v19.8h\n\teor\tw9,w9,w13\n\trev32\tv23.8h,v23.8h\n\teor\tw10,w10,w14\n\tadd\tv2.4s,v2.4s,v3.4s\n\teor\tw11,w11,w15\n\tadd\tv6.4s,v6.4s,v7.4s\n\teor\tw12,w12,w16\n\tadd\tv10.4s,v10.4s,v11.4s\n\tror\tw9,w9,#20\n\tadd\tv14.4s,v14.4s,v15.4s\n\tror\tw10,w10,#20\n\tadd\tv18.4s,v18.4s,v19.4s\n\tror\tw11,w11,#20\n\tadd\tv22.4s,v22.4s,v23.4s\n\tror\tw12,w12,#20\n\teor\tv24.16b,v1.16b,v2.16b\n\tadd\tw5,w5,w9\n\teor\tv25.16b,v5.16b,v6.16b\n\tadd\tw6,w6,w10\n\teor\tv26.16b,v9.16b,v10.16b\n\tadd\tw7,w7,w11\n\teor\tv27.16b,v13.16b,v14.16b\n\tadd\tw8,w8,w12\n\teor\tv28.16b,v17.16b,v18.16b\n\teor\tw17,w17,w5\n\teor\tv29.16b,v21.16b,v22.16b\n\teor\tw19,w19,w6\n\tushr\tv1.4s,v24.4s,#20\n\teor\tw20,w20,w7\n\tushr\tv5.4s,v25.4s,#20\n\teor\tw21,w21,w8\n\tushr\tv9.4s,v26.4s,#20\n\tror\tw17,w17,#24\n\tushr\tv13.4s,v27.4s,#20\n\tror\tw19,w19,#24\n\tushr\tv17.4s,v28.4s,#20\n\tror\tw20,w20,#24\n\tushr\tv21.4s,v29.4s,#20\n\tror\tw21,w21,#24\n\tsli\tv1.4s,v24.4s,#12\n\tadd\tw13,w13,w17\n\tsli\tv5.4s,v25.4s,#12\n\tadd\tw14,w14,w19\n\tsli\tv9.4s,v26.4s,#12\n\tadd\tw15,w15,w20\n\tsli\tv13.4s,v27.4s,#12\n\tadd\tw16,w16,w21\n\tsli\tv17.4s,v28.4s,#12\n\teor\tw9,w9,w13\n\tsli\tv21.4s,v29.4s,#12\n\teor\tw10,w10,w14\n\tadd\tv0.4s,v0.4s,v1.4s\n\teor\tw11,w11,w15\n\tadd\tv4.4s,v4.4s,v5.4s\n\teor\tw12,w12,w16\n\tadd\tv8.4s,v8.4s,v9.4s\n\tror\tw9,w9,#25\n\tadd\tv12.4s,v12.4s,v13.4s\n\tror\tw10,w10,#25\n\tadd\tv16.4s,v16.4s,v17.4s\n\tror\tw11,w11,#25\n\tadd\tv20.4s,v20.4s,v21.4s\n\tror\tw12,w12,#25\n\teor\tv24.16b,v3.16b,v0.16b\n\tadd\tw5,w5,w10\n\teor\tv25.16b,v7.16b,v4.16b\n\tadd\tw6,w6,w11\n\teor\tv26.16b,v11.16b,v8.16b\n\tadd\tw7,w7,w12\n\teor\tv27.16b,v15.16b,v12.16b\n\tadd\tw8,w8,w9\n\teor\tv28.16b,v19.16b,v16.16b\n\teor\tw21,w21,w5\n\teor\tv29.16b,v23.16b,v20.16b\n\teor\tw17,w17,w6\n\tushr\tv3.4s,v24.4s,#24\n\teor\tw19,w19,w7\n\tushr\tv7.4s,v25.4s,#24\n\teor\tw20,w20,w8\n\tushr\tv11.4s,v26.4s,#24\n\tror\tw21,w21,#16\n\tushr\tv15.4s,v27.4s,#24\n\tror\tw17,w17,#16\n\tushr\tv19.4s,v28.4s,#24\n\tror\tw19,w19,#16\n\tushr\tv23.4s,v29.4s,#24\n\tror\tw20,w20,#16\n\tsli\tv3.4s,v24.4s,#8\n\tadd\tw15,w15,w21\n\tsli\tv7.4s,v25.4s,#8\n\tadd\tw16,w16,w17\n\tsli\tv11.4s,v26.4s,#8\n\tadd\tw13,w13,w19\n\tsli\tv15.4s,v27.4s,#8\n\tadd\tw14,w14,w20\n\tsli\tv19.4s,v28.4s,#8\n\teor\tw10,w10,w15\n\tsli\tv23.4s,v29.4s,#8\n\teor\tw11,w11,w16\n\tadd\tv2.4s,v2.4s,v3.4s\n\teor\tw12,w12,w13\n\tadd\tv6.4s,v6.4s,v7.4s\n\teor\tw9,w9,w14\n\tadd\tv10.4s,v10.4s,v11.4s\n\tror\tw10,w10,#20\n\tadd\tv14.4s,v14.4s,v15.4s\n\tror\tw11,w11,#20\n\tadd\tv18.4s,v18.4s,v19.4s\n\tror\tw12,w12,#20\n\tadd\tv22.4s,v22.4s,v23.4s\n\tror\tw9,w9,#20\n\teor\tv24.16b,v1.16b,v2.16b\n\tadd\tw5,w5,w10\n\teor\tv25.16b,v5.16b,v6.16b\n\tadd\tw6,w6,w11\n\teor\tv26.16b,v9.16b,v10.16b\n\tadd\tw7,w7,w12\n\teor\tv27.16b,v13.16b,v14.16b\n\tadd\tw8,w8,w9\n\teor\tv28.16b,v17.16b,v18.16b\n\teor\tw21,w21,w5\n\teor\tv29.16b,v21.16b,v22.16b\n\teor\tw17,w17,w6\n\tushr\tv1.4s,v24.4s,#25\n\teor\tw19,w19,w7\n\tushr\tv5.4s,v25.4s,#25\n\teor\tw20,w20,w8\n\tushr\tv9.4s,v26.4s,#25\n\tror\tw21,w21,#24\n\tushr\tv13.4s,v27.4s,#25\n\tror\tw17,w17,#24\n\tushr\tv17.4s,v28.4s,#25\n\tror\tw19,w19,#24\n\tushr\tv21.4s,v29.4s,#25\n\tror\tw20,w20,#24\n\tsli\tv1.4s,v24.4s,#7\n\tadd\tw15,w15,w21\n\tsli\tv5.4s,v25.4s,#7\n\tadd\tw16,w16,w17\n\tsli\tv9.4s,v26.4s,#7\n\tadd\tw13,w13,w19\n\tsli\tv13.4s,v27.4s,#7\n\tadd\tw14,w14,w20\n\tsli\tv17.4s,v28.4s,#7\n\teor\tw10,w10,w15\n\tsli\tv21.4s,v29.4s,#7\n\teor\tw11,w11,w16\n\text\tv2.16b,v2.16b,v2.16b,#8\n\teor\tw12,w12,w13\n\text\tv6.16b,v6.16b,v6.16b,#8\n\teor\tw9,w9,w14\n\text\tv10.16b,v10.16b,v10.16b,#8\n\tror\tw10,w10,#25\n\text\tv14.16b,v14.16b,v14.16b,#8\n\tror\tw11,w11,#25\n\text\tv18.16b,v18.16b,v18.16b,#8\n\tror\tw12,w12,#25\n\text\tv22.16b,v22.16b,v22.16b,#8\n\tror\tw9,w9,#25\n\text\tv3.16b,v3.16b,v3.16b,#12\n\text\tv7.16b,v7.16b,v7.16b,#12\n\text\tv11.16b,v11.16b,v11.16b,#12\n\text\tv15.16b,v15.16b,v15.16b,#12\n\text\tv19.16b,v19.16b,v19.16b,#12\n\text\tv23.16b,v23.16b,v23.16b,#12\n\text\tv1.16b,v1.16b,v1.16b,#4\n\text\tv5.16b,v5.16b,v5.16b,#4\n\text\tv9.16b,v9.16b,v9.16b,#4\n\text\tv13.16b,v13.16b,v13.16b,#4\n\text\tv17.16b,v17.16b,v17.16b,#4\n\text\tv21.16b,v21.16b,v21.16b,#4\n\tadd\tv0.4s,v0.4s,v1.4s\n\tadd\tw5,w5,w9\n\tadd\tv4.4s,v4.4s,v5.4s\n\tadd\tw6,w6,w10\n\tadd\tv8.4s,v8.4s,v9.4s\n\tadd\tw7,w7,w11\n\tadd\tv12.4s,v12.4s,v13.4s\n\tadd\tw8,w8,w12\n\tadd\tv16.4s,v16.4s,v17.4s\n\teor\tw17,w17,w5\n\tadd\tv20.4s,v20.4s,v21.4s\n\teor\tw19,w19,w6\n\teor\tv3.16b,v3.16b,v0.16b\n\teor\tw20,w20,w7\n\teor\tv7.16b,v7.16b,v4.16b\n\teor\tw21,w21,w8\n\teor\tv11.16b,v11.16b,v8.16b\n\tror\tw17,w17,#16\n\teor\tv15.16b,v15.16b,v12.16b\n\tror\tw19,w19,#16\n\teor\tv19.16b,v19.16b,v16.16b\n\tror\tw20,w20,#16\n\teor\tv23.16b,v23.16b,v20.16b\n\tror\tw21,w21,#16\n\trev32\tv3.8h,v3.8h\n\tadd\tw13,w13,w17\n\trev32\tv7.8h,v7.8h\n\tadd\tw14,w14,w19\n\trev32\tv11.8h,v11.8h\n\tadd\tw15,w15,w20\n\trev32\tv15.8h,v15.8h\n\tadd\tw16,w16,w21\n\trev32\tv19.8h,v19.8h\n\teor\tw9,w9,w13\n\trev32\tv23.8h,v23.8h\n\teor\tw10,w10,w14\n\tadd\tv2.4s,v2.4s,v3.4s\n\teor\tw11,w11,w15\n\tadd\tv6.4s,v6.4s,v7.4s\n\teor\tw12,w12,w16\n\tadd\tv10.4s,v10.4s,v11.4s\n\tror\tw9,w9,#20\n\tadd\tv14.4s,v14.4s,v15.4s\n\tror\tw10,w10,#20\n\tadd\tv18.4s,v18.4s,v19.4s\n\tror\tw11,w11,#20\n\tadd\tv22.4s,v22.4s,v23.4s\n\tror\tw12,w12,#20\n\teor\tv24.16b,v1.16b,v2.16b\n\tadd\tw5,w5,w9\n\teor\tv25.16b,v5.16b,v6.16b\n\tadd\tw6,w6,w10\n\teor\tv26.16b,v9.16b,v10.16b\n\tadd\tw7,w7,w11\n\teor\tv27.16b,v13.16b,v14.16b\n\tadd\tw8,w8,w12\n\teor\tv28.16b,v17.16b,v18.16b\n\teor\tw17,w17,w5\n\teor\tv29.16b,v21.16b,v22.16b\n\teor\tw19,w19,w6\n\tushr\tv1.4s,v24.4s,#20\n\teor\tw20,w20,w7\n\tushr\tv5.4s,v25.4s,#20\n\teor\tw21,w21,w8\n\tushr\tv9.4s,v26.4s,#20\n\tror\tw17,w17,#24\n\tushr\tv13.4s,v27.4s,#20\n\tror\tw19,w19,#24\n\tushr\tv17.4s,v28.4s,#20\n\tror\tw20,w20,#24\n\tushr\tv21.4s,v29.4s,#20\n\tror\tw21,w21,#24\n\tsli\tv1.4s,v24.4s,#12\n\tadd\tw13,w13,w17\n\tsli\tv5.4s,v25.4s,#12\n\tadd\tw14,w14,w19\n\tsli\tv9.4s,v26.4s,#12\n\tadd\tw15,w15,w20\n\tsli\tv13.4s,v27.4s,#12\n\tadd\tw16,w16,w21\n\tsli\tv17.4s,v28.4s,#12\n\teor\tw9,w9,w13\n\tsli\tv21.4s,v29.4s,#12\n\teor\tw10,w10,w14\n\tadd\tv0.4s,v0.4s,v1.4s\n\teor\tw11,w11,w15\n\tadd\tv4.4s,v4.4s,v5.4s\n\teor\tw12,w12,w16\n\tadd\tv8.4s,v8.4s,v9.4s\n\tror\tw9,w9,#25\n\tadd\tv12.4s,v12.4s,v13.4s\n\tror\tw10,w10,#25\n\tadd\tv16.4s,v16.4s,v17.4s\n\tror\tw11,w11,#25\n\tadd\tv20.4s,v20.4s,v21.4s\n\tror\tw12,w12,#25\n\teor\tv24.16b,v3.16b,v0.16b\n\tadd\tw5,w5,w10\n\teor\tv25.16b,v7.16b,v4.16b\n\tadd\tw6,w6,w11\n\teor\tv26.16b,v11.16b,v8.16b\n\tadd\tw7,w7,w12\n\teor\tv27.16b,v15.16b,v12.16b\n\tadd\tw8,w8,w9\n\teor\tv28.16b,v19.16b,v16.16b\n\teor\tw21,w21,w5\n\teor\tv29.16b,v23.16b,v20.16b\n\teor\tw17,w17,w6\n\tushr\tv3.4s,v24.4s,#24\n\teor\tw19,w19,w7\n\tushr\tv7.4s,v25.4s,#24\n\teor\tw20,w20,w8\n\tushr\tv11.4s,v26.4s,#24\n\tror\tw21,w21,#16\n\tushr\tv15.4s,v27.4s,#24\n\tror\tw17,w17,#16\n\tushr\tv19.4s,v28.4s,#24\n\tror\tw19,w19,#16\n\tushr\tv23.4s,v29.4s,#24\n\tror\tw20,w20,#16\n\tsli\tv3.4s,v24.4s,#8\n\tadd\tw15,w15,w21\n\tsli\tv7.4s,v25.4s,#8\n\tadd\tw16,w16,w17\n\tsli\tv11.4s,v26.4s,#8\n\tadd\tw13,w13,w19\n\tsli\tv15.4s,v27.4s,#8\n\tadd\tw14,w14,w20\n\tsli\tv19.4s,v28.4s,#8\n\teor\tw10,w10,w15\n\tsli\tv23.4s,v29.4s,#8\n\teor\tw11,w11,w16\n\tadd\tv2.4s,v2.4s,v3.4s\n\teor\tw12,w12,w13\n\tadd\tv6.4s,v6.4s,v7.4s\n\teor\tw9,w9,w14\n\tadd\tv10.4s,v10.4s,v11.4s\n\tror\tw10,w10,#20\n\tadd\tv14.4s,v14.4s,v15.4s\n\tror\tw11,w11,#20\n\tadd\tv18.4s,v18.4s,v19.4s\n\tror\tw12,w12,#20\n\tadd\tv22.4s,v22.4s,v23.4s\n\tror\tw9,w9,#20\n\teor\tv24.16b,v1.16b,v2.16b\n\tadd\tw5,w5,w10\n\teor\tv25.16b,v5.16b,v6.16b\n\tadd\tw6,w6,w11\n\teor\tv26.16b,v9.16b,v10.16b\n\tadd\tw7,w7,w12\n\teor\tv27.16b,v13.16b,v14.16b\n\tadd\tw8,w8,w9\n\teor\tv28.16b,v17.16b,v18.16b\n\teor\tw21,w21,w5\n\teor\tv29.16b,v21.16b,v22.16b\n\teor\tw17,w17,w6\n\tushr\tv1.4s,v24.4s,#25\n\teor\tw19,w19,w7\n\tushr\tv5.4s,v25.4s,#25\n\teor\tw20,w20,w8\n\tushr\tv9.4s,v26.4s,#25\n\tror\tw21,w21,#24\n\tushr\tv13.4s,v27.4s,#25\n\tror\tw17,w17,#24\n\tushr\tv17.4s,v28.4s,#25\n\tror\tw19,w19,#24\n\tushr\tv21.4s,v29.4s,#25\n\tror\tw20,w20,#24\n\tsli\tv1.4s,v24.4s,#7\n\tadd\tw15,w15,w21\n\tsli\tv5.4s,v25.4s,#7\n\tadd\tw16,w16,w17\n\tsli\tv9.4s,v26.4s,#7\n\tadd\tw13,w13,w19\n\tsli\tv13.4s,v27.4s,#7\n\tadd\tw14,w14,w20\n\tsli\tv17.4s,v28.4s,#7\n\teor\tw10,w10,w15\n\tsli\tv21.4s,v29.4s,#7\n\teor\tw11,w11,w16\n\text\tv2.16b,v2.16b,v2.16b,#8\n\teor\tw12,w12,w13\n\text\tv6.16b,v6.16b,v6.16b,#8\n\teor\tw9,w9,w14\n\text\tv10.16b,v10.16b,v10.16b,#8\n\tror\tw10,w10,#25\n\text\tv14.16b,v14.16b,v14.16b,#8\n\tror\tw11,w11,#25\n\text\tv18.16b,v18.16b,v18.16b,#8\n\tror\tw12,w12,#25\n\text\tv22.16b,v22.16b,v22.16b,#8\n\tror\tw9,w9,#25\n\text\tv3.16b,v3.16b,v3.16b,#4\n\text\tv7.16b,v7.16b,v7.16b,#4\n\text\tv11.16b,v11.16b,v11.16b,#4\n\text\tv15.16b,v15.16b,v15.16b,#4\n\text\tv19.16b,v19.16b,v19.16b,#4\n\text\tv23.16b,v23.16b,v23.16b,#4\n\text\tv1.16b,v1.16b,v1.16b,#12\n\text\tv5.16b,v5.16b,v5.16b,#12\n\text\tv9.16b,v9.16b,v9.16b,#12\n\text\tv13.16b,v13.16b,v13.16b,#12\n\text\tv17.16b,v17.16b,v17.16b,#12\n\text\tv21.16b,v21.16b,v21.16b,#12\n\tcbnz\tx4,Loop_lower_neon\n\n\tadd\tw5,w5,w22\t\t// accumulate key block\n\tldp\tq24,q25,[sp,#0]\n\tadd\tx6,x6,x22,lsr#32\n\tldp\tq26,q27,[sp,#32]\n\tadd\tw7,w7,w23\n\tldp\tq28,q29,[sp,#64]\n\tadd\tx8,x8,x23,lsr#32\n\tadd\tv0.4s,v0.4s,v24.4s\n\tadd\tw9,w9,w24\n\tadd\tv4.4s,v4.4s,v24.4s\n\tadd\tx10,x10,x24,lsr#32\n\tadd\tv8.4s,v8.4s,v24.4s\n\tadd\tw11,w11,w25\n\tadd\tv12.4s,v12.4s,v24.4s\n\tadd\tx12,x12,x25,lsr#32\n\tadd\tv16.4s,v16.4s,v24.4s\n\tadd\tw13,w13,w26\n\tadd\tv20.4s,v20.4s,v24.4s\n\tadd\tx14,x14,x26,lsr#32\n\tadd\tv2.4s,v2.4s,v26.4s\n\tadd\tw15,w15,w27\n\tadd\tv6.4s,v6.4s,v26.4s\n\tadd\tx16,x16,x27,lsr#32\n\tadd\tv10.4s,v10.4s,v26.4s\n\tadd\tw17,w17,w28\n\tadd\tv14.4s,v14.4s,v26.4s\n\tadd\tx19,x19,x28,lsr#32\n\tadd\tv18.4s,v18.4s,v26.4s\n\tadd\tw20,w20,w30\n\tadd\tv22.4s,v22.4s,v26.4s\n\tadd\tx21,x21,x30,lsr#32\n\tadd\tv19.4s,v19.4s,v31.4s\t\t\t// +4\n\tadd\tx5,x5,x6,lsl#32\t// pack\n\tadd\tv23.4s,v23.4s,v31.4s\t\t\t// +4\n\tadd\tx7,x7,x8,lsl#32\n\tadd\tv3.4s,v3.4s,v27.4s\n\tldp\tx6,x8,[x1,#0]\t\t// load input\n\tadd\tv7.4s,v7.4s,v28.4s\n\tadd\tx9,x9,x10,lsl#32\n\tadd\tv11.4s,v11.4s,v29.4s\n\tadd\tx11,x11,x12,lsl#32\n\tadd\tv15.4s,v15.4s,v30.4s\n\tldp\tx10,x12,[x1,#16]\n\tadd\tv19.4s,v19.4s,v27.4s\n\tadd\tx13,x13,x14,lsl#32\n\tadd\tv23.4s,v23.4s,v28.4s\n\tadd\tx15,x15,x16,lsl#32\n\tadd\tv1.4s,v1.4s,v25.4s\n\tldp\tx14,x16,[x1,#32]\n\tadd\tv5.4s,v5.4s,v25.4s\n\tadd\tx17,x17,x19,lsl#32\n\tadd\tv9.4s,v9.4s,v25.4s\n\tadd\tx20,x20,x21,lsl#32\n\tadd\tv13.4s,v13.4s,v25.4s\n\tldp\tx19,x21,[x1,#48]\n\tadd\tv17.4s,v17.4s,v25.4s\n\tadd\tx1,x1,#64\n\tadd\tv21.4s,v21.4s,v25.4s\n\n#ifdef\t__AARCH64EB__\n\trev\tx5,x5\n\trev\tx7,x7\n\trev\tx9,x9\n\trev\tx11,x11\n\trev\tx13,x13\n\trev\tx15,x15\n\trev\tx17,x17\n\trev\tx20,x20\n#endif\n\tld1\t{v24.16b,v25.16b,v26.16b,v27.16b},[x1],#64\n\teor\tx5,x5,x6\n\teor\tx7,x7,x8\n\teor\tx9,x9,x10\n\teor\tx11,x11,x12\n\teor\tx13,x13,x14\n\teor\tv0.16b,v0.16b,v24.16b\n\teor\tx15,x15,x16\n\teor\tv1.16b,v1.16b,v25.16b\n\teor\tx17,x17,x19\n\teor\tv2.16b,v2.16b,v26.16b\n\teor\tx20,x20,x21\n\teor\tv3.16b,v3.16b,v27.16b\n\tld1\t{v24.16b,v25.16b,v26.16b,v27.16b},[x1],#64\n\n\tstp\tx5,x7,[x0,#0]\t\t// store output\n\tadd\tx28,x28,#7\t\t\t// increment counter\n\tstp\tx9,x11,[x0,#16]\n\tstp\tx13,x15,[x0,#32]\n\tstp\tx17,x20,[x0,#48]\n\tadd\tx0,x0,#64\n\tst1\t{v0.16b,v1.16b,v2.16b,v3.16b},[x0],#64\n\n\tld1\t{v0.16b,v1.16b,v2.16b,v3.16b},[x1],#64\n\teor\tv4.16b,v4.16b,v24.16b\n\teor\tv5.16b,v5.16b,v25.16b\n\teor\tv6.16b,v6.16b,v26.16b\n\teor\tv7.16b,v7.16b,v27.16b\n\tst1\t{v4.16b,v5.16b,v6.16b,v7.16b},[x0],#64\n\n\tld1\t{v4.16b,v5.16b,v6.16b,v7.16b},[x1],#64\n\teor\tv8.16b,v8.16b,v0.16b\n\tldp\tq24,q25,[sp,#0]\n\teor\tv9.16b,v9.16b,v1.16b\n\tldp\tq26,q27,[sp,#32]\n\teor\tv10.16b,v10.16b,v2.16b\n\teor\tv11.16b,v11.16b,v3.16b\n\tst1\t{v8.16b,v9.16b,v10.16b,v11.16b},[x0],#64\n\n\tld1\t{v8.16b,v9.16b,v10.16b,v11.16b},[x1],#64\n\teor\tv12.16b,v12.16b,v4.16b\n\teor\tv13.16b,v13.16b,v5.16b\n\teor\tv14.16b,v14.16b,v6.16b\n\teor\tv15.16b,v15.16b,v7.16b\n\tst1\t{v12.16b,v13.16b,v14.16b,v15.16b},[x0],#64\n\n\tld1\t{v12.16b,v13.16b,v14.16b,v15.16b},[x1],#64\n\teor\tv16.16b,v16.16b,v8.16b\n\teor\tv17.16b,v17.16b,v9.16b\n\teor\tv18.16b,v18.16b,v10.16b\n\teor\tv19.16b,v19.16b,v11.16b\n\tst1\t{v16.16b,v17.16b,v18.16b,v19.16b},[x0],#64\n\n\tshl\tv0.4s,v31.4s,#1\t\t\t// 4 -> 8\n\teor\tv20.16b,v20.16b,v12.16b\n\teor\tv21.16b,v21.16b,v13.16b\n\teor\tv22.16b,v22.16b,v14.16b\n\teor\tv23.16b,v23.16b,v15.16b\n\tst1\t{v20.16b,v21.16b,v22.16b,v23.16b},[x0],#64\n\n\tadd\tv27.4s,v27.4s,v0.4s\t\t\t// += 8\n\tadd\tv28.4s,v28.4s,v0.4s\n\tadd\tv29.4s,v29.4s,v0.4s\n\tadd\tv30.4s,v30.4s,v0.4s\n\n\tb.hs\tLoop_outer_512_neon\n\n\tadds\tx2,x2,#512\n\tushr\tv0.4s,v31.4s,#2\t\t\t// 4 -> 1\n\n\tldp\td8,d9,[sp,#128+0]\t\t// meet ABI requirements\n\tldp\td10,d11,[sp,#128+16]\n\tldp\td12,d13,[sp,#128+32]\n\tldp\td14,d15,[sp,#128+48]\n\n\tstp\tq24,q31,[sp,#0]\t\t// wipe off-load area\n\tstp\tq24,q31,[sp,#32]\n\tstp\tq24,q31,[sp,#64]\n\n\tb.eq\tLdone_512_neon\n\n\tcmp\tx2,#192\n\tsub\tv27.4s,v27.4s,v0.4s\t\t\t// -= 1\n\tsub\tv28.4s,v28.4s,v0.4s\n\tsub\tv29.4s,v29.4s,v0.4s\n\tadd\tsp,sp,#128\n\tb.hs\tLoop_outer_neon\n\n\teor\tv25.16b,v25.16b,v25.16b\n\teor\tv26.16b,v26.16b,v26.16b\n\teor\tv27.16b,v27.16b,v27.16b\n\teor\tv28.16b,v28.16b,v28.16b\n\teor\tv29.16b,v29.16b,v29.16b\n\teor\tv30.16b,v30.16b,v30.16b\n\tb\tLoop_outer\n\nLdone_512_neon:\n\tldp\tx19,x20,[x29,#16]\n\tadd\tsp,sp,#128+64\n\tldp\tx21,x22,[x29,#32]\n\tldp\tx23,x24,[x29,#48]\n\tldp\tx25,x26,[x29,#64]\n\tldp\tx27,x28,[x29,#80]\n\tldp\tx29,x30,[sp],#96\n\tAARCH64_VALIDATE_LINK_REGISTER\n\tret\n\n#endif // !OPENSSL_NO_ASM && defined(OPENSSL_AARCH64) && defined(_WIN32)\n#if defined(__linux__) && defined(__ELF__)\n.section .note.GNU-stack,\"\",%progbits\n#endif\n\n" }, { "path": "Sources/CNIOBoringSSL/gen/crypto/chacha-x86-apple.S", "content": "#define BORINGSSL_PREFIX CNIOBoringSSL\n// This file is generated from a similarly-named Perl script in the BoringSSL\n// source tree. Do not edit by hand.\n\n#include \n\n#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86) && defined(__APPLE__)\n.text\n.globl\t_ChaCha20_ctr32_nohw\n.private_extern\t_ChaCha20_ctr32_nohw\n.align\t4\n_ChaCha20_ctr32_nohw:\nL_ChaCha20_ctr32_nohw_begin:\n\tpushl\t%ebp\n\tpushl\t%ebx\n\tpushl\t%esi\n\tpushl\t%edi\n\tmovl\t32(%esp),%esi\n\tmovl\t36(%esp),%edi\n\tsubl\t$132,%esp\n\tmovl\t(%esi),%eax\n\tmovl\t4(%esi),%ebx\n\tmovl\t8(%esi),%ecx\n\tmovl\t12(%esi),%edx\n\tmovl\t%eax,80(%esp)\n\tmovl\t%ebx,84(%esp)\n\tmovl\t%ecx,88(%esp)\n\tmovl\t%edx,92(%esp)\n\tmovl\t16(%esi),%eax\n\tmovl\t20(%esi),%ebx\n\tmovl\t24(%esi),%ecx\n\tmovl\t28(%esi),%edx\n\tmovl\t%eax,96(%esp)\n\tmovl\t%ebx,100(%esp)\n\tmovl\t%ecx,104(%esp)\n\tmovl\t%edx,108(%esp)\n\tmovl\t(%edi),%eax\n\tmovl\t4(%edi),%ebx\n\tmovl\t8(%edi),%ecx\n\tmovl\t12(%edi),%edx\n\tsubl\t$1,%eax\n\tmovl\t%eax,112(%esp)\n\tmovl\t%ebx,116(%esp)\n\tmovl\t%ecx,120(%esp)\n\tmovl\t%edx,124(%esp)\n\tjmp\tL000entry\n.align\t4,0x90\nL001outer_loop:\n\tmovl\t%ebx,156(%esp)\n\tmovl\t%eax,152(%esp)\n\tmovl\t%ecx,160(%esp)\nL000entry:\n\tmovl\t$1634760805,%eax\n\tmovl\t$857760878,4(%esp)\n\tmovl\t$2036477234,8(%esp)\n\tmovl\t$1797285236,12(%esp)\n\tmovl\t84(%esp),%ebx\n\tmovl\t88(%esp),%ebp\n\tmovl\t104(%esp),%ecx\n\tmovl\t108(%esp),%esi\n\tmovl\t116(%esp),%edx\n\tmovl\t120(%esp),%edi\n\tmovl\t%ebx,20(%esp)\n\tmovl\t%ebp,24(%esp)\n\tmovl\t%ecx,40(%esp)\n\tmovl\t%esi,44(%esp)\n\tmovl\t%edx,52(%esp)\n\tmovl\t%edi,56(%esp)\n\tmovl\t92(%esp),%ebx\n\tmovl\t124(%esp),%edi\n\tmovl\t112(%esp),%edx\n\tmovl\t80(%esp),%ebp\n\tmovl\t96(%esp),%ecx\n\tmovl\t100(%esp),%esi\n\taddl\t$1,%edx\n\tmovl\t%ebx,28(%esp)\n\tmovl\t%edi,60(%esp)\n\tmovl\t%edx,112(%esp)\n\tmovl\t$10,%ebx\n\tjmp\tL002loop\n.align\t4,0x90\nL002loop:\n\taddl\t%ebp,%eax\n\tmovl\t%ebx,128(%esp)\n\tmovl\t%ebp,%ebx\n\txorl\t%eax,%edx\n\troll\t$16,%edx\n\taddl\t%edx,%ecx\n\txorl\t%ecx,%ebx\n\tmovl\t52(%esp),%edi\n\troll\t$12,%ebx\n\tmovl\t20(%esp),%ebp\n\taddl\t%ebx,%eax\n\txorl\t%eax,%edx\n\tmovl\t%eax,(%esp)\n\troll\t$8,%edx\n\tmovl\t4(%esp),%eax\n\taddl\t%edx,%ecx\n\tmovl\t%edx,48(%esp)\n\txorl\t%ecx,%ebx\n\taddl\t%ebp,%eax\n\troll\t$7,%ebx\n\txorl\t%eax,%edi\n\tmovl\t%ecx,32(%esp)\n\troll\t$16,%edi\n\tmovl\t%ebx,16(%esp)\n\taddl\t%edi,%esi\n\tmovl\t40(%esp),%ecx\n\txorl\t%esi,%ebp\n\tmovl\t56(%esp),%edx\n\troll\t$12,%ebp\n\tmovl\t24(%esp),%ebx\n\taddl\t%ebp,%eax\n\txorl\t%eax,%edi\n\tmovl\t%eax,4(%esp)\n\troll\t$8,%edi\n\tmovl\t8(%esp),%eax\n\taddl\t%edi,%esi\n\tmovl\t%edi,52(%esp)\n\txorl\t%esi,%ebp\n\taddl\t%ebx,%eax\n\troll\t$7,%ebp\n\txorl\t%eax,%edx\n\tmovl\t%esi,36(%esp)\n\troll\t$16,%edx\n\tmovl\t%ebp,20(%esp)\n\taddl\t%edx,%ecx\n\tmovl\t44(%esp),%esi\n\txorl\t%ecx,%ebx\n\tmovl\t60(%esp),%edi\n\troll\t$12,%ebx\n\tmovl\t28(%esp),%ebp\n\taddl\t%ebx,%eax\n\txorl\t%eax,%edx\n\tmovl\t%eax,8(%esp)\n\troll\t$8,%edx\n\tmovl\t12(%esp),%eax\n\taddl\t%edx,%ecx\n\tmovl\t%edx,56(%esp)\n\txorl\t%ecx,%ebx\n\taddl\t%ebp,%eax\n\troll\t$7,%ebx\n\txorl\t%eax,%edi\n\troll\t$16,%edi\n\tmovl\t%ebx,24(%esp)\n\taddl\t%edi,%esi\n\txorl\t%esi,%ebp\n\troll\t$12,%ebp\n\tmovl\t20(%esp),%ebx\n\taddl\t%ebp,%eax\n\txorl\t%eax,%edi\n\tmovl\t%eax,12(%esp)\n\troll\t$8,%edi\n\tmovl\t(%esp),%eax\n\taddl\t%edi,%esi\n\tmovl\t%edi,%edx\n\txorl\t%esi,%ebp\n\taddl\t%ebx,%eax\n\troll\t$7,%ebp\n\txorl\t%eax,%edx\n\troll\t$16,%edx\n\tmovl\t%ebp,28(%esp)\n\taddl\t%edx,%ecx\n\txorl\t%ecx,%ebx\n\tmovl\t48(%esp),%edi\n\troll\t$12,%ebx\n\tmovl\t24(%esp),%ebp\n\taddl\t%ebx,%eax\n\txorl\t%eax,%edx\n\tmovl\t%eax,(%esp)\n\troll\t$8,%edx\n\tmovl\t4(%esp),%eax\n\taddl\t%edx,%ecx\n\tmovl\t%edx,60(%esp)\n\txorl\t%ecx,%ebx\n\taddl\t%ebp,%eax\n\troll\t$7,%ebx\n\txorl\t%eax,%edi\n\tmovl\t%ecx,40(%esp)\n\troll\t$16,%edi\n\tmovl\t%ebx,20(%esp)\n\taddl\t%edi,%esi\n\tmovl\t32(%esp),%ecx\n\txorl\t%esi,%ebp\n\tmovl\t52(%esp),%edx\n\troll\t$12,%ebp\n\tmovl\t28(%esp),%ebx\n\taddl\t%ebp,%eax\n\txorl\t%eax,%edi\n\tmovl\t%eax,4(%esp)\n\troll\t$8,%edi\n\tmovl\t8(%esp),%eax\n\taddl\t%edi,%esi\n\tmovl\t%edi,48(%esp)\n\txorl\t%esi,%ebp\n\taddl\t%ebx,%eax\n\troll\t$7,%ebp\n\txorl\t%eax,%edx\n\tmovl\t%esi,44(%esp)\n\troll\t$16,%edx\n\tmovl\t%ebp,24(%esp)\n\taddl\t%edx,%ecx\n\tmovl\t36(%esp),%esi\n\txorl\t%ecx,%ebx\n\tmovl\t56(%esp),%edi\n\troll\t$12,%ebx\n\tmovl\t16(%esp),%ebp\n\taddl\t%ebx,%eax\n\txorl\t%eax,%edx\n\tmovl\t%eax,8(%esp)\n\troll\t$8,%edx\n\tmovl\t12(%esp),%eax\n\taddl\t%edx,%ecx\n\tmovl\t%edx,52(%esp)\n\txorl\t%ecx,%ebx\n\taddl\t%ebp,%eax\n\troll\t$7,%ebx\n\txorl\t%eax,%edi\n\troll\t$16,%edi\n\tmovl\t%ebx,28(%esp)\n\taddl\t%edi,%esi\n\txorl\t%esi,%ebp\n\tmovl\t48(%esp),%edx\n\troll\t$12,%ebp\n\tmovl\t128(%esp),%ebx\n\taddl\t%ebp,%eax\n\txorl\t%eax,%edi\n\tmovl\t%eax,12(%esp)\n\troll\t$8,%edi\n\tmovl\t(%esp),%eax\n\taddl\t%edi,%esi\n\tmovl\t%edi,56(%esp)\n\txorl\t%esi,%ebp\n\troll\t$7,%ebp\n\tdecl\t%ebx\n\tjnz\tL002loop\n\tmovl\t160(%esp),%ebx\n\taddl\t$1634760805,%eax\n\taddl\t80(%esp),%ebp\n\taddl\t96(%esp),%ecx\n\taddl\t100(%esp),%esi\n\tcmpl\t$64,%ebx\n\tjb\tL003tail\n\tmovl\t156(%esp),%ebx\n\taddl\t112(%esp),%edx\n\taddl\t120(%esp),%edi\n\txorl\t(%ebx),%eax\n\txorl\t16(%ebx),%ebp\n\tmovl\t%eax,(%esp)\n\tmovl\t152(%esp),%eax\n\txorl\t32(%ebx),%ecx\n\txorl\t36(%ebx),%esi\n\txorl\t48(%ebx),%edx\n\txorl\t56(%ebx),%edi\n\tmovl\t%ebp,16(%eax)\n\tmovl\t%ecx,32(%eax)\n\tmovl\t%esi,36(%eax)\n\tmovl\t%edx,48(%eax)\n\tmovl\t%edi,56(%eax)\n\tmovl\t4(%esp),%ebp\n\tmovl\t8(%esp),%ecx\n\tmovl\t12(%esp),%esi\n\tmovl\t20(%esp),%edx\n\tmovl\t24(%esp),%edi\n\taddl\t$857760878,%ebp\n\taddl\t$2036477234,%ecx\n\taddl\t$1797285236,%esi\n\taddl\t84(%esp),%edx\n\taddl\t88(%esp),%edi\n\txorl\t4(%ebx),%ebp\n\txorl\t8(%ebx),%ecx\n\txorl\t12(%ebx),%esi\n\txorl\t20(%ebx),%edx\n\txorl\t24(%ebx),%edi\n\tmovl\t%ebp,4(%eax)\n\tmovl\t%ecx,8(%eax)\n\tmovl\t%esi,12(%eax)\n\tmovl\t%edx,20(%eax)\n\tmovl\t%edi,24(%eax)\n\tmovl\t28(%esp),%ebp\n\tmovl\t40(%esp),%ecx\n\tmovl\t44(%esp),%esi\n\tmovl\t52(%esp),%edx\n\tmovl\t60(%esp),%edi\n\taddl\t92(%esp),%ebp\n\taddl\t104(%esp),%ecx\n\taddl\t108(%esp),%esi\n\taddl\t116(%esp),%edx\n\taddl\t124(%esp),%edi\n\txorl\t28(%ebx),%ebp\n\txorl\t40(%ebx),%ecx\n\txorl\t44(%ebx),%esi\n\txorl\t52(%ebx),%edx\n\txorl\t60(%ebx),%edi\n\tleal\t64(%ebx),%ebx\n\tmovl\t%ebp,28(%eax)\n\tmovl\t(%esp),%ebp\n\tmovl\t%ecx,40(%eax)\n\tmovl\t160(%esp),%ecx\n\tmovl\t%esi,44(%eax)\n\tmovl\t%edx,52(%eax)\n\tmovl\t%edi,60(%eax)\n\tmovl\t%ebp,(%eax)\n\tleal\t64(%eax),%eax\n\tsubl\t$64,%ecx\n\tjnz\tL001outer_loop\n\tjmp\tL004done\nL003tail:\n\taddl\t112(%esp),%edx\n\taddl\t120(%esp),%edi\n\tmovl\t%eax,(%esp)\n\tmovl\t%ebp,16(%esp)\n\tmovl\t%ecx,32(%esp)\n\tmovl\t%esi,36(%esp)\n\tmovl\t%edx,48(%esp)\n\tmovl\t%edi,56(%esp)\n\tmovl\t4(%esp),%ebp\n\tmovl\t8(%esp),%ecx\n\tmovl\t12(%esp),%esi\n\tmovl\t20(%esp),%edx\n\tmovl\t24(%esp),%edi\n\taddl\t$857760878,%ebp\n\taddl\t$2036477234,%ecx\n\taddl\t$1797285236,%esi\n\taddl\t84(%esp),%edx\n\taddl\t88(%esp),%edi\n\tmovl\t%ebp,4(%esp)\n\tmovl\t%ecx,8(%esp)\n\tmovl\t%esi,12(%esp)\n\tmovl\t%edx,20(%esp)\n\tmovl\t%edi,24(%esp)\n\tmovl\t28(%esp),%ebp\n\tmovl\t40(%esp),%ecx\n\tmovl\t44(%esp),%esi\n\tmovl\t52(%esp),%edx\n\tmovl\t60(%esp),%edi\n\taddl\t92(%esp),%ebp\n\taddl\t104(%esp),%ecx\n\taddl\t108(%esp),%esi\n\taddl\t116(%esp),%edx\n\taddl\t124(%esp),%edi\n\tmovl\t%ebp,28(%esp)\n\tmovl\t156(%esp),%ebp\n\tmovl\t%ecx,40(%esp)\n\tmovl\t152(%esp),%ecx\n\tmovl\t%esi,44(%esp)\n\txorl\t%esi,%esi\n\tmovl\t%edx,52(%esp)\n\tmovl\t%edi,60(%esp)\n\txorl\t%eax,%eax\n\txorl\t%edx,%edx\nL005tail_loop:\n\tmovb\t(%esi,%ebp,1),%al\n\tmovb\t(%esp,%esi,1),%dl\n\tleal\t1(%esi),%esi\n\txorb\t%dl,%al\n\tmovb\t%al,-1(%ecx,%esi,1)\n\tdecl\t%ebx\n\tjnz\tL005tail_loop\nL004done:\n\taddl\t$132,%esp\n\tpopl\t%edi\n\tpopl\t%esi\n\tpopl\t%ebx\n\tpopl\t%ebp\n\tret\n.globl\t_ChaCha20_ctr32_ssse3\n.private_extern\t_ChaCha20_ctr32_ssse3\n.align\t4\n_ChaCha20_ctr32_ssse3:\nL_ChaCha20_ctr32_ssse3_begin:\n\tpushl\t%ebp\n\tpushl\t%ebx\n\tpushl\t%esi\n\tpushl\t%edi\n\tcall\tLpic_point\nLpic_point:\n\tpopl\t%eax\n\tmovl\t20(%esp),%edi\n\tmovl\t24(%esp),%esi\n\tmovl\t28(%esp),%ecx\n\tmovl\t32(%esp),%edx\n\tmovl\t36(%esp),%ebx\n\tmovl\t%esp,%ebp\n\tsubl\t$524,%esp\n\tandl\t$-64,%esp\n\tmovl\t%ebp,512(%esp)\n\tleal\tLssse3_data-Lpic_point(%eax),%eax\n\tmovdqu\t(%ebx),%xmm3\n\tcmpl\t$256,%ecx\n\tjb\tL0061x\n\tmovl\t%edx,516(%esp)\n\tmovl\t%ebx,520(%esp)\n\tsubl\t$256,%ecx\n\tleal\t384(%esp),%ebp\n\tmovdqu\t(%edx),%xmm7\n\tpshufd\t$0,%xmm3,%xmm0\n\tpshufd\t$85,%xmm3,%xmm1\n\tpshufd\t$170,%xmm3,%xmm2\n\tpshufd\t$255,%xmm3,%xmm3\n\tpaddd\t48(%eax),%xmm0\n\tpshufd\t$0,%xmm7,%xmm4\n\tpshufd\t$85,%xmm7,%xmm5\n\tpsubd\t64(%eax),%xmm0\n\tpshufd\t$170,%xmm7,%xmm6\n\tpshufd\t$255,%xmm7,%xmm7\n\tmovdqa\t%xmm0,64(%ebp)\n\tmovdqa\t%xmm1,80(%ebp)\n\tmovdqa\t%xmm2,96(%ebp)\n\tmovdqa\t%xmm3,112(%ebp)\n\tmovdqu\t16(%edx),%xmm3\n\tmovdqa\t%xmm4,-64(%ebp)\n\tmovdqa\t%xmm5,-48(%ebp)\n\tmovdqa\t%xmm6,-32(%ebp)\n\tmovdqa\t%xmm7,-16(%ebp)\n\tmovdqa\t32(%eax),%xmm7\n\tleal\t128(%esp),%ebx\n\tpshufd\t$0,%xmm3,%xmm0\n\tpshufd\t$85,%xmm3,%xmm1\n\tpshufd\t$170,%xmm3,%xmm2\n\tpshufd\t$255,%xmm3,%xmm3\n\tpshufd\t$0,%xmm7,%xmm4\n\tpshufd\t$85,%xmm7,%xmm5\n\tpshufd\t$170,%xmm7,%xmm6\n\tpshufd\t$255,%xmm7,%xmm7\n\tmovdqa\t%xmm0,(%ebp)\n\tmovdqa\t%xmm1,16(%ebp)\n\tmovdqa\t%xmm2,32(%ebp)\n\tmovdqa\t%xmm3,48(%ebp)\n\tmovdqa\t%xmm4,-128(%ebp)\n\tmovdqa\t%xmm5,-112(%ebp)\n\tmovdqa\t%xmm6,-96(%ebp)\n\tmovdqa\t%xmm7,-80(%ebp)\n\tleal\t128(%esi),%esi\n\tleal\t128(%edi),%edi\n\tjmp\tL007outer_loop\n.align\t4,0x90\nL007outer_loop:\n\tmovdqa\t-112(%ebp),%xmm1\n\tmovdqa\t-96(%ebp),%xmm2\n\tmovdqa\t-80(%ebp),%xmm3\n\tmovdqa\t-48(%ebp),%xmm5\n\tmovdqa\t-32(%ebp),%xmm6\n\tmovdqa\t-16(%ebp),%xmm7\n\tmovdqa\t%xmm1,-112(%ebx)\n\tmovdqa\t%xmm2,-96(%ebx)\n\tmovdqa\t%xmm3,-80(%ebx)\n\tmovdqa\t%xmm5,-48(%ebx)\n\tmovdqa\t%xmm6,-32(%ebx)\n\tmovdqa\t%xmm7,-16(%ebx)\n\tmovdqa\t32(%ebp),%xmm2\n\tmovdqa\t48(%ebp),%xmm3\n\tmovdqa\t64(%ebp),%xmm4\n\tmovdqa\t80(%ebp),%xmm5\n\tmovdqa\t96(%ebp),%xmm6\n\tmovdqa\t112(%ebp),%xmm7\n\tpaddd\t64(%eax),%xmm4\n\tmovdqa\t%xmm2,32(%ebx)\n\tmovdqa\t%xmm3,48(%ebx)\n\tmovdqa\t%xmm4,64(%ebx)\n\tmovdqa\t%xmm5,80(%ebx)\n\tmovdqa\t%xmm6,96(%ebx)\n\tmovdqa\t%xmm7,112(%ebx)\n\tmovdqa\t%xmm4,64(%ebp)\n\tmovdqa\t-128(%ebp),%xmm0\n\tmovdqa\t%xmm4,%xmm6\n\tmovdqa\t-64(%ebp),%xmm3\n\tmovdqa\t(%ebp),%xmm4\n\tmovdqa\t16(%ebp),%xmm5\n\tmovl\t$10,%edx\n\tnop\n.align\t4,0x90\nL008loop:\n\tpaddd\t%xmm3,%xmm0\n\tmovdqa\t%xmm3,%xmm2\n\tpxor\t%xmm0,%xmm6\n\tpshufb\t(%eax),%xmm6\n\tpaddd\t%xmm6,%xmm4\n\tpxor\t%xmm4,%xmm2\n\tmovdqa\t-48(%ebx),%xmm3\n\tmovdqa\t%xmm2,%xmm1\n\tpslld\t$12,%xmm2\n\tpsrld\t$20,%xmm1\n\tpor\t%xmm1,%xmm2\n\tmovdqa\t-112(%ebx),%xmm1\n\tpaddd\t%xmm2,%xmm0\n\tmovdqa\t80(%ebx),%xmm7\n\tpxor\t%xmm0,%xmm6\n\tmovdqa\t%xmm0,-128(%ebx)\n\tpshufb\t16(%eax),%xmm6\n\tpaddd\t%xmm6,%xmm4\n\tmovdqa\t%xmm6,64(%ebx)\n\tpxor\t%xmm4,%xmm2\n\tpaddd\t%xmm3,%xmm1\n\tmovdqa\t%xmm2,%xmm0\n\tpslld\t$7,%xmm2\n\tpsrld\t$25,%xmm0\n\tpxor\t%xmm1,%xmm7\n\tpor\t%xmm0,%xmm2\n\tmovdqa\t%xmm4,(%ebx)\n\tpshufb\t(%eax),%xmm7\n\tmovdqa\t%xmm2,-64(%ebx)\n\tpaddd\t%xmm7,%xmm5\n\tmovdqa\t32(%ebx),%xmm4\n\tpxor\t%xmm5,%xmm3\n\tmovdqa\t-32(%ebx),%xmm2\n\tmovdqa\t%xmm3,%xmm0\n\tpslld\t$12,%xmm3\n\tpsrld\t$20,%xmm0\n\tpor\t%xmm0,%xmm3\n\tmovdqa\t-96(%ebx),%xmm0\n\tpaddd\t%xmm3,%xmm1\n\tmovdqa\t96(%ebx),%xmm6\n\tpxor\t%xmm1,%xmm7\n\tmovdqa\t%xmm1,-112(%ebx)\n\tpshufb\t16(%eax),%xmm7\n\tpaddd\t%xmm7,%xmm5\n\tmovdqa\t%xmm7,80(%ebx)\n\tpxor\t%xmm5,%xmm3\n\tpaddd\t%xmm2,%xmm0\n\tmovdqa\t%xmm3,%xmm1\n\tpslld\t$7,%xmm3\n\tpsrld\t$25,%xmm1\n\tpxor\t%xmm0,%xmm6\n\tpor\t%xmm1,%xmm3\n\tmovdqa\t%xmm5,16(%ebx)\n\tpshufb\t(%eax),%xmm6\n\tmovdqa\t%xmm3,-48(%ebx)\n\tpaddd\t%xmm6,%xmm4\n\tmovdqa\t48(%ebx),%xmm5\n\tpxor\t%xmm4,%xmm2\n\tmovdqa\t-16(%ebx),%xmm3\n\tmovdqa\t%xmm2,%xmm1\n\tpslld\t$12,%xmm2\n\tpsrld\t$20,%xmm1\n\tpor\t%xmm1,%xmm2\n\tmovdqa\t-80(%ebx),%xmm1\n\tpaddd\t%xmm2,%xmm0\n\tmovdqa\t112(%ebx),%xmm7\n\tpxor\t%xmm0,%xmm6\n\tmovdqa\t%xmm0,-96(%ebx)\n\tpshufb\t16(%eax),%xmm6\n\tpaddd\t%xmm6,%xmm4\n\tmovdqa\t%xmm6,96(%ebx)\n\tpxor\t%xmm4,%xmm2\n\tpaddd\t%xmm3,%xmm1\n\tmovdqa\t%xmm2,%xmm0\n\tpslld\t$7,%xmm2\n\tpsrld\t$25,%xmm0\n\tpxor\t%xmm1,%xmm7\n\tpor\t%xmm0,%xmm2\n\tpshufb\t(%eax),%xmm7\n\tmovdqa\t%xmm2,-32(%ebx)\n\tpaddd\t%xmm7,%xmm5\n\tpxor\t%xmm5,%xmm3\n\tmovdqa\t-48(%ebx),%xmm2\n\tmovdqa\t%xmm3,%xmm0\n\tpslld\t$12,%xmm3\n\tpsrld\t$20,%xmm0\n\tpor\t%xmm0,%xmm3\n\tmovdqa\t-128(%ebx),%xmm0\n\tpaddd\t%xmm3,%xmm1\n\tpxor\t%xmm1,%xmm7\n\tmovdqa\t%xmm1,-80(%ebx)\n\tpshufb\t16(%eax),%xmm7\n\tpaddd\t%xmm7,%xmm5\n\tmovdqa\t%xmm7,%xmm6\n\tpxor\t%xmm5,%xmm3\n\tpaddd\t%xmm2,%xmm0\n\tmovdqa\t%xmm3,%xmm1\n\tpslld\t$7,%xmm3\n\tpsrld\t$25,%xmm1\n\tpxor\t%xmm0,%xmm6\n\tpor\t%xmm1,%xmm3\n\tpshufb\t(%eax),%xmm6\n\tmovdqa\t%xmm3,-16(%ebx)\n\tpaddd\t%xmm6,%xmm4\n\tpxor\t%xmm4,%xmm2\n\tmovdqa\t-32(%ebx),%xmm3\n\tmovdqa\t%xmm2,%xmm1\n\tpslld\t$12,%xmm2\n\tpsrld\t$20,%xmm1\n\tpor\t%xmm1,%xmm2\n\tmovdqa\t-112(%ebx),%xmm1\n\tpaddd\t%xmm2,%xmm0\n\tmovdqa\t64(%ebx),%xmm7\n\tpxor\t%xmm0,%xmm6\n\tmovdqa\t%xmm0,-128(%ebx)\n\tpshufb\t16(%eax),%xmm6\n\tpaddd\t%xmm6,%xmm4\n\tmovdqa\t%xmm6,112(%ebx)\n\tpxor\t%xmm4,%xmm2\n\tpaddd\t%xmm3,%xmm1\n\tmovdqa\t%xmm2,%xmm0\n\tpslld\t$7,%xmm2\n\tpsrld\t$25,%xmm0\n\tpxor\t%xmm1,%xmm7\n\tpor\t%xmm0,%xmm2\n\tmovdqa\t%xmm4,32(%ebx)\n\tpshufb\t(%eax),%xmm7\n\tmovdqa\t%xmm2,-48(%ebx)\n\tpaddd\t%xmm7,%xmm5\n\tmovdqa\t(%ebx),%xmm4\n\tpxor\t%xmm5,%xmm3\n\tmovdqa\t-16(%ebx),%xmm2\n\tmovdqa\t%xmm3,%xmm0\n\tpslld\t$12,%xmm3\n\tpsrld\t$20,%xmm0\n\tpor\t%xmm0,%xmm3\n\tmovdqa\t-96(%ebx),%xmm0\n\tpaddd\t%xmm3,%xmm1\n\tmovdqa\t80(%ebx),%xmm6\n\tpxor\t%xmm1,%xmm7\n\tmovdqa\t%xmm1,-112(%ebx)\n\tpshufb\t16(%eax),%xmm7\n\tpaddd\t%xmm7,%xmm5\n\tmovdqa\t%xmm7,64(%ebx)\n\tpxor\t%xmm5,%xmm3\n\tpaddd\t%xmm2,%xmm0\n\tmovdqa\t%xmm3,%xmm1\n\tpslld\t$7,%xmm3\n\tpsrld\t$25,%xmm1\n\tpxor\t%xmm0,%xmm6\n\tpor\t%xmm1,%xmm3\n\tmovdqa\t%xmm5,48(%ebx)\n\tpshufb\t(%eax),%xmm6\n\tmovdqa\t%xmm3,-32(%ebx)\n\tpaddd\t%xmm6,%xmm4\n\tmovdqa\t16(%ebx),%xmm5\n\tpxor\t%xmm4,%xmm2\n\tmovdqa\t-64(%ebx),%xmm3\n\tmovdqa\t%xmm2,%xmm1\n\tpslld\t$12,%xmm2\n\tpsrld\t$20,%xmm1\n\tpor\t%xmm1,%xmm2\n\tmovdqa\t-80(%ebx),%xmm1\n\tpaddd\t%xmm2,%xmm0\n\tmovdqa\t96(%ebx),%xmm7\n\tpxor\t%xmm0,%xmm6\n\tmovdqa\t%xmm0,-96(%ebx)\n\tpshufb\t16(%eax),%xmm6\n\tpaddd\t%xmm6,%xmm4\n\tmovdqa\t%xmm6,80(%ebx)\n\tpxor\t%xmm4,%xmm2\n\tpaddd\t%xmm3,%xmm1\n\tmovdqa\t%xmm2,%xmm0\n\tpslld\t$7,%xmm2\n\tpsrld\t$25,%xmm0\n\tpxor\t%xmm1,%xmm7\n\tpor\t%xmm0,%xmm2\n\tpshufb\t(%eax),%xmm7\n\tmovdqa\t%xmm2,-16(%ebx)\n\tpaddd\t%xmm7,%xmm5\n\tpxor\t%xmm5,%xmm3\n\tmovdqa\t%xmm3,%xmm0\n\tpslld\t$12,%xmm3\n\tpsrld\t$20,%xmm0\n\tpor\t%xmm0,%xmm3\n\tmovdqa\t-128(%ebx),%xmm0\n\tpaddd\t%xmm3,%xmm1\n\tmovdqa\t64(%ebx),%xmm6\n\tpxor\t%xmm1,%xmm7\n\tmovdqa\t%xmm1,-80(%ebx)\n\tpshufb\t16(%eax),%xmm7\n\tpaddd\t%xmm7,%xmm5\n\tmovdqa\t%xmm7,96(%ebx)\n\tpxor\t%xmm5,%xmm3\n\tmovdqa\t%xmm3,%xmm1\n\tpslld\t$7,%xmm3\n\tpsrld\t$25,%xmm1\n\tpor\t%xmm1,%xmm3\n\tdecl\t%edx\n\tjnz\tL008loop\n\tmovdqa\t%xmm3,-64(%ebx)\n\tmovdqa\t%xmm4,(%ebx)\n\tmovdqa\t%xmm5,16(%ebx)\n\tmovdqa\t%xmm6,64(%ebx)\n\tmovdqa\t%xmm7,96(%ebx)\n\tmovdqa\t-112(%ebx),%xmm1\n\tmovdqa\t-96(%ebx),%xmm2\n\tmovdqa\t-80(%ebx),%xmm3\n\tpaddd\t-128(%ebp),%xmm0\n\tpaddd\t-112(%ebp),%xmm1\n\tpaddd\t-96(%ebp),%xmm2\n\tpaddd\t-80(%ebp),%xmm3\n\tmovdqa\t%xmm0,%xmm6\n\tpunpckldq\t%xmm1,%xmm0\n\tmovdqa\t%xmm2,%xmm7\n\tpunpckldq\t%xmm3,%xmm2\n\tpunpckhdq\t%xmm1,%xmm6\n\tpunpckhdq\t%xmm3,%xmm7\n\tmovdqa\t%xmm0,%xmm1\n\tpunpcklqdq\t%xmm2,%xmm0\n\tmovdqa\t%xmm6,%xmm3\n\tpunpcklqdq\t%xmm7,%xmm6\n\tpunpckhqdq\t%xmm2,%xmm1\n\tpunpckhqdq\t%xmm7,%xmm3\n\tmovdqu\t-128(%esi),%xmm4\n\tmovdqu\t-64(%esi),%xmm5\n\tmovdqu\t(%esi),%xmm2\n\tmovdqu\t64(%esi),%xmm7\n\tleal\t16(%esi),%esi\n\tpxor\t%xmm0,%xmm4\n\tmovdqa\t-64(%ebx),%xmm0\n\tpxor\t%xmm1,%xmm5\n\tmovdqa\t-48(%ebx),%xmm1\n\tpxor\t%xmm2,%xmm6\n\tmovdqa\t-32(%ebx),%xmm2\n\tpxor\t%xmm3,%xmm7\n\tmovdqa\t-16(%ebx),%xmm3\n\tmovdqu\t%xmm4,-128(%edi)\n\tmovdqu\t%xmm5,-64(%edi)\n\tmovdqu\t%xmm6,(%edi)\n\tmovdqu\t%xmm7,64(%edi)\n\tleal\t16(%edi),%edi\n\tpaddd\t-64(%ebp),%xmm0\n\tpaddd\t-48(%ebp),%xmm1\n\tpaddd\t-32(%ebp),%xmm2\n\tpaddd\t-16(%ebp),%xmm3\n\tmovdqa\t%xmm0,%xmm6\n\tpunpckldq\t%xmm1,%xmm0\n\tmovdqa\t%xmm2,%xmm7\n\tpunpckldq\t%xmm3,%xmm2\n\tpunpckhdq\t%xmm1,%xmm6\n\tpunpckhdq\t%xmm3,%xmm7\n\tmovdqa\t%xmm0,%xmm1\n\tpunpcklqdq\t%xmm2,%xmm0\n\tmovdqa\t%xmm6,%xmm3\n\tpunpcklqdq\t%xmm7,%xmm6\n\tpunpckhqdq\t%xmm2,%xmm1\n\tpunpckhqdq\t%xmm7,%xmm3\n\tmovdqu\t-128(%esi),%xmm4\n\tmovdqu\t-64(%esi),%xmm5\n\tmovdqu\t(%esi),%xmm2\n\tmovdqu\t64(%esi),%xmm7\n\tleal\t16(%esi),%esi\n\tpxor\t%xmm0,%xmm4\n\tmovdqa\t(%ebx),%xmm0\n\tpxor\t%xmm1,%xmm5\n\tmovdqa\t16(%ebx),%xmm1\n\tpxor\t%xmm2,%xmm6\n\tmovdqa\t32(%ebx),%xmm2\n\tpxor\t%xmm3,%xmm7\n\tmovdqa\t48(%ebx),%xmm3\n\tmovdqu\t%xmm4,-128(%edi)\n\tmovdqu\t%xmm5,-64(%edi)\n\tmovdqu\t%xmm6,(%edi)\n\tmovdqu\t%xmm7,64(%edi)\n\tleal\t16(%edi),%edi\n\tpaddd\t(%ebp),%xmm0\n\tpaddd\t16(%ebp),%xmm1\n\tpaddd\t32(%ebp),%xmm2\n\tpaddd\t48(%ebp),%xmm3\n\tmovdqa\t%xmm0,%xmm6\n\tpunpckldq\t%xmm1,%xmm0\n\tmovdqa\t%xmm2,%xmm7\n\tpunpckldq\t%xmm3,%xmm2\n\tpunpckhdq\t%xmm1,%xmm6\n\tpunpckhdq\t%xmm3,%xmm7\n\tmovdqa\t%xmm0,%xmm1\n\tpunpcklqdq\t%xmm2,%xmm0\n\tmovdqa\t%xmm6,%xmm3\n\tpunpcklqdq\t%xmm7,%xmm6\n\tpunpckhqdq\t%xmm2,%xmm1\n\tpunpckhqdq\t%xmm7,%xmm3\n\tmovdqu\t-128(%esi),%xmm4\n\tmovdqu\t-64(%esi),%xmm5\n\tmovdqu\t(%esi),%xmm2\n\tmovdqu\t64(%esi),%xmm7\n\tleal\t16(%esi),%esi\n\tpxor\t%xmm0,%xmm4\n\tmovdqa\t64(%ebx),%xmm0\n\tpxor\t%xmm1,%xmm5\n\tmovdqa\t80(%ebx),%xmm1\n\tpxor\t%xmm2,%xmm6\n\tmovdqa\t96(%ebx),%xmm2\n\tpxor\t%xmm3,%xmm7\n\tmovdqa\t112(%ebx),%xmm3\n\tmovdqu\t%xmm4,-128(%edi)\n\tmovdqu\t%xmm5,-64(%edi)\n\tmovdqu\t%xmm6,(%edi)\n\tmovdqu\t%xmm7,64(%edi)\n\tleal\t16(%edi),%edi\n\tpaddd\t64(%ebp),%xmm0\n\tpaddd\t80(%ebp),%xmm1\n\tpaddd\t96(%ebp),%xmm2\n\tpaddd\t112(%ebp),%xmm3\n\tmovdqa\t%xmm0,%xmm6\n\tpunpckldq\t%xmm1,%xmm0\n\tmovdqa\t%xmm2,%xmm7\n\tpunpckldq\t%xmm3,%xmm2\n\tpunpckhdq\t%xmm1,%xmm6\n\tpunpckhdq\t%xmm3,%xmm7\n\tmovdqa\t%xmm0,%xmm1\n\tpunpcklqdq\t%xmm2,%xmm0\n\tmovdqa\t%xmm6,%xmm3\n\tpunpcklqdq\t%xmm7,%xmm6\n\tpunpckhqdq\t%xmm2,%xmm1\n\tpunpckhqdq\t%xmm7,%xmm3\n\tmovdqu\t-128(%esi),%xmm4\n\tmovdqu\t-64(%esi),%xmm5\n\tmovdqu\t(%esi),%xmm2\n\tmovdqu\t64(%esi),%xmm7\n\tleal\t208(%esi),%esi\n\tpxor\t%xmm0,%xmm4\n\tpxor\t%xmm1,%xmm5\n\tpxor\t%xmm2,%xmm6\n\tpxor\t%xmm3,%xmm7\n\tmovdqu\t%xmm4,-128(%edi)\n\tmovdqu\t%xmm5,-64(%edi)\n\tmovdqu\t%xmm6,(%edi)\n\tmovdqu\t%xmm7,64(%edi)\n\tleal\t208(%edi),%edi\n\tsubl\t$256,%ecx\n\tjnc\tL007outer_loop\n\taddl\t$256,%ecx\n\tjz\tL009done\n\tmovl\t520(%esp),%ebx\n\tleal\t-128(%esi),%esi\n\tmovl\t516(%esp),%edx\n\tleal\t-128(%edi),%edi\n\tmovd\t64(%ebp),%xmm2\n\tmovdqu\t(%ebx),%xmm3\n\tpaddd\t96(%eax),%xmm2\n\tpand\t112(%eax),%xmm3\n\tpor\t%xmm2,%xmm3\nL0061x:\n\tmovdqa\t32(%eax),%xmm0\n\tmovdqu\t(%edx),%xmm1\n\tmovdqu\t16(%edx),%xmm2\n\tmovdqa\t(%eax),%xmm6\n\tmovdqa\t16(%eax),%xmm7\n\tmovl\t%ebp,48(%esp)\n\tmovdqa\t%xmm0,(%esp)\n\tmovdqa\t%xmm1,16(%esp)\n\tmovdqa\t%xmm2,32(%esp)\n\tmovdqa\t%xmm3,48(%esp)\n\tmovl\t$10,%edx\n\tjmp\tL010loop1x\n.align\t4,0x90\nL011outer1x:\n\tmovdqa\t80(%eax),%xmm3\n\tmovdqa\t(%esp),%xmm0\n\tmovdqa\t16(%esp),%xmm1\n\tmovdqa\t32(%esp),%xmm2\n\tpaddd\t48(%esp),%xmm3\n\tmovl\t$10,%edx\n\tmovdqa\t%xmm3,48(%esp)\n\tjmp\tL010loop1x\n.align\t4,0x90\nL010loop1x:\n\tpaddd\t%xmm1,%xmm0\n\tpxor\t%xmm0,%xmm3\n.byte\t102,15,56,0,222\n\tpaddd\t%xmm3,%xmm2\n\tpxor\t%xmm2,%xmm1\n\tmovdqa\t%xmm1,%xmm4\n\tpsrld\t$20,%xmm1\n\tpslld\t$12,%xmm4\n\tpor\t%xmm4,%xmm1\n\tpaddd\t%xmm1,%xmm0\n\tpxor\t%xmm0,%xmm3\n.byte\t102,15,56,0,223\n\tpaddd\t%xmm3,%xmm2\n\tpxor\t%xmm2,%xmm1\n\tmovdqa\t%xmm1,%xmm4\n\tpsrld\t$25,%xmm1\n\tpslld\t$7,%xmm4\n\tpor\t%xmm4,%xmm1\n\tpshufd\t$78,%xmm2,%xmm2\n\tpshufd\t$57,%xmm1,%xmm1\n\tpshufd\t$147,%xmm3,%xmm3\n\tnop\n\tpaddd\t%xmm1,%xmm0\n\tpxor\t%xmm0,%xmm3\n.byte\t102,15,56,0,222\n\tpaddd\t%xmm3,%xmm2\n\tpxor\t%xmm2,%xmm1\n\tmovdqa\t%xmm1,%xmm4\n\tpsrld\t$20,%xmm1\n\tpslld\t$12,%xmm4\n\tpor\t%xmm4,%xmm1\n\tpaddd\t%xmm1,%xmm0\n\tpxor\t%xmm0,%xmm3\n.byte\t102,15,56,0,223\n\tpaddd\t%xmm3,%xmm2\n\tpxor\t%xmm2,%xmm1\n\tmovdqa\t%xmm1,%xmm4\n\tpsrld\t$25,%xmm1\n\tpslld\t$7,%xmm4\n\tpor\t%xmm4,%xmm1\n\tpshufd\t$78,%xmm2,%xmm2\n\tpshufd\t$147,%xmm1,%xmm1\n\tpshufd\t$57,%xmm3,%xmm3\n\tdecl\t%edx\n\tjnz\tL010loop1x\n\tpaddd\t(%esp),%xmm0\n\tpaddd\t16(%esp),%xmm1\n\tpaddd\t32(%esp),%xmm2\n\tpaddd\t48(%esp),%xmm3\n\tcmpl\t$64,%ecx\n\tjb\tL012tail\n\tmovdqu\t(%esi),%xmm4\n\tmovdqu\t16(%esi),%xmm5\n\tpxor\t%xmm4,%xmm0\n\tmovdqu\t32(%esi),%xmm4\n\tpxor\t%xmm5,%xmm1\n\tmovdqu\t48(%esi),%xmm5\n\tpxor\t%xmm4,%xmm2\n\tpxor\t%xmm5,%xmm3\n\tleal\t64(%esi),%esi\n\tmovdqu\t%xmm0,(%edi)\n\tmovdqu\t%xmm1,16(%edi)\n\tmovdqu\t%xmm2,32(%edi)\n\tmovdqu\t%xmm3,48(%edi)\n\tleal\t64(%edi),%edi\n\tsubl\t$64,%ecx\n\tjnz\tL011outer1x\n\tjmp\tL009done\nL012tail:\n\tmovdqa\t%xmm0,(%esp)\n\tmovdqa\t%xmm1,16(%esp)\n\tmovdqa\t%xmm2,32(%esp)\n\tmovdqa\t%xmm3,48(%esp)\n\txorl\t%eax,%eax\n\txorl\t%edx,%edx\n\txorl\t%ebp,%ebp\nL013tail_loop:\n\tmovb\t(%esp,%ebp,1),%al\n\tmovb\t(%esi,%ebp,1),%dl\n\tleal\t1(%ebp),%ebp\n\txorb\t%dl,%al\n\tmovb\t%al,-1(%edi,%ebp,1)\n\tdecl\t%ecx\n\tjnz\tL013tail_loop\nL009done:\n\tmovl\t512(%esp),%esp\n\tpopl\t%edi\n\tpopl\t%esi\n\tpopl\t%ebx\n\tpopl\t%ebp\n\tret\n.align\t6,0x90\nLssse3_data:\n.byte\t2,3,0,1,6,7,4,5,10,11,8,9,14,15,12,13\n.byte\t3,0,1,2,7,4,5,6,11,8,9,10,15,12,13,14\n.long\t1634760805,857760878,2036477234,1797285236\n.long\t0,1,2,3\n.long\t4,4,4,4\n.long\t1,0,0,0\n.long\t4,0,0,0\n.long\t0,-1,-1,-1\n.align\t6,0x90\n.byte\t67,104,97,67,104,97,50,48,32,102,111,114,32,120,56,54\n.byte\t44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32\n.byte\t60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111\n.byte\t114,103,62,0\n#endif // !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86) && defined(__APPLE__)\n#if defined(__linux__) && defined(__ELF__)\n.section .note.GNU-stack,\"\",%progbits\n#endif\n\n" }, { "path": "Sources/CNIOBoringSSL/gen/crypto/chacha-x86-linux.S", "content": "#define BORINGSSL_PREFIX CNIOBoringSSL\n// This file is generated from a similarly-named Perl script in the BoringSSL\n// source tree. Do not edit by hand.\n\n#include \n\n#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86) && defined(__ELF__)\n.text\n.globl\tChaCha20_ctr32_nohw\n.hidden\tChaCha20_ctr32_nohw\n.type\tChaCha20_ctr32_nohw,@function\n.align\t16\nChaCha20_ctr32_nohw:\n.L_ChaCha20_ctr32_nohw_begin:\n\tpushl\t%ebp\n\tpushl\t%ebx\n\tpushl\t%esi\n\tpushl\t%edi\n\tmovl\t32(%esp),%esi\n\tmovl\t36(%esp),%edi\n\tsubl\t$132,%esp\n\tmovl\t(%esi),%eax\n\tmovl\t4(%esi),%ebx\n\tmovl\t8(%esi),%ecx\n\tmovl\t12(%esi),%edx\n\tmovl\t%eax,80(%esp)\n\tmovl\t%ebx,84(%esp)\n\tmovl\t%ecx,88(%esp)\n\tmovl\t%edx,92(%esp)\n\tmovl\t16(%esi),%eax\n\tmovl\t20(%esi),%ebx\n\tmovl\t24(%esi),%ecx\n\tmovl\t28(%esi),%edx\n\tmovl\t%eax,96(%esp)\n\tmovl\t%ebx,100(%esp)\n\tmovl\t%ecx,104(%esp)\n\tmovl\t%edx,108(%esp)\n\tmovl\t(%edi),%eax\n\tmovl\t4(%edi),%ebx\n\tmovl\t8(%edi),%ecx\n\tmovl\t12(%edi),%edx\n\tsubl\t$1,%eax\n\tmovl\t%eax,112(%esp)\n\tmovl\t%ebx,116(%esp)\n\tmovl\t%ecx,120(%esp)\n\tmovl\t%edx,124(%esp)\n\tjmp\t.L000entry\n.align\t16\n.L001outer_loop:\n\tmovl\t%ebx,156(%esp)\n\tmovl\t%eax,152(%esp)\n\tmovl\t%ecx,160(%esp)\n.L000entry:\n\tmovl\t$1634760805,%eax\n\tmovl\t$857760878,4(%esp)\n\tmovl\t$2036477234,8(%esp)\n\tmovl\t$1797285236,12(%esp)\n\tmovl\t84(%esp),%ebx\n\tmovl\t88(%esp),%ebp\n\tmovl\t104(%esp),%ecx\n\tmovl\t108(%esp),%esi\n\tmovl\t116(%esp),%edx\n\tmovl\t120(%esp),%edi\n\tmovl\t%ebx,20(%esp)\n\tmovl\t%ebp,24(%esp)\n\tmovl\t%ecx,40(%esp)\n\tmovl\t%esi,44(%esp)\n\tmovl\t%edx,52(%esp)\n\tmovl\t%edi,56(%esp)\n\tmovl\t92(%esp),%ebx\n\tmovl\t124(%esp),%edi\n\tmovl\t112(%esp),%edx\n\tmovl\t80(%esp),%ebp\n\tmovl\t96(%esp),%ecx\n\tmovl\t100(%esp),%esi\n\taddl\t$1,%edx\n\tmovl\t%ebx,28(%esp)\n\tmovl\t%edi,60(%esp)\n\tmovl\t%edx,112(%esp)\n\tmovl\t$10,%ebx\n\tjmp\t.L002loop\n.align\t16\n.L002loop:\n\taddl\t%ebp,%eax\n\tmovl\t%ebx,128(%esp)\n\tmovl\t%ebp,%ebx\n\txorl\t%eax,%edx\n\troll\t$16,%edx\n\taddl\t%edx,%ecx\n\txorl\t%ecx,%ebx\n\tmovl\t52(%esp),%edi\n\troll\t$12,%ebx\n\tmovl\t20(%esp),%ebp\n\taddl\t%ebx,%eax\n\txorl\t%eax,%edx\n\tmovl\t%eax,(%esp)\n\troll\t$8,%edx\n\tmovl\t4(%esp),%eax\n\taddl\t%edx,%ecx\n\tmovl\t%edx,48(%esp)\n\txorl\t%ecx,%ebx\n\taddl\t%ebp,%eax\n\troll\t$7,%ebx\n\txorl\t%eax,%edi\n\tmovl\t%ecx,32(%esp)\n\troll\t$16,%edi\n\tmovl\t%ebx,16(%esp)\n\taddl\t%edi,%esi\n\tmovl\t40(%esp),%ecx\n\txorl\t%esi,%ebp\n\tmovl\t56(%esp),%edx\n\troll\t$12,%ebp\n\tmovl\t24(%esp),%ebx\n\taddl\t%ebp,%eax\n\txorl\t%eax,%edi\n\tmovl\t%eax,4(%esp)\n\troll\t$8,%edi\n\tmovl\t8(%esp),%eax\n\taddl\t%edi,%esi\n\tmovl\t%edi,52(%esp)\n\txorl\t%esi,%ebp\n\taddl\t%ebx,%eax\n\troll\t$7,%ebp\n\txorl\t%eax,%edx\n\tmovl\t%esi,36(%esp)\n\troll\t$16,%edx\n\tmovl\t%ebp,20(%esp)\n\taddl\t%edx,%ecx\n\tmovl\t44(%esp),%esi\n\txorl\t%ecx,%ebx\n\tmovl\t60(%esp),%edi\n\troll\t$12,%ebx\n\tmovl\t28(%esp),%ebp\n\taddl\t%ebx,%eax\n\txorl\t%eax,%edx\n\tmovl\t%eax,8(%esp)\n\troll\t$8,%edx\n\tmovl\t12(%esp),%eax\n\taddl\t%edx,%ecx\n\tmovl\t%edx,56(%esp)\n\txorl\t%ecx,%ebx\n\taddl\t%ebp,%eax\n\troll\t$7,%ebx\n\txorl\t%eax,%edi\n\troll\t$16,%edi\n\tmovl\t%ebx,24(%esp)\n\taddl\t%edi,%esi\n\txorl\t%esi,%ebp\n\troll\t$12,%ebp\n\tmovl\t20(%esp),%ebx\n\taddl\t%ebp,%eax\n\txorl\t%eax,%edi\n\tmovl\t%eax,12(%esp)\n\troll\t$8,%edi\n\tmovl\t(%esp),%eax\n\taddl\t%edi,%esi\n\tmovl\t%edi,%edx\n\txorl\t%esi,%ebp\n\taddl\t%ebx,%eax\n\troll\t$7,%ebp\n\txorl\t%eax,%edx\n\troll\t$16,%edx\n\tmovl\t%ebp,28(%esp)\n\taddl\t%edx,%ecx\n\txorl\t%ecx,%ebx\n\tmovl\t48(%esp),%edi\n\troll\t$12,%ebx\n\tmovl\t24(%esp),%ebp\n\taddl\t%ebx,%eax\n\txorl\t%eax,%edx\n\tmovl\t%eax,(%esp)\n\troll\t$8,%edx\n\tmovl\t4(%esp),%eax\n\taddl\t%edx,%ecx\n\tmovl\t%edx,60(%esp)\n\txorl\t%ecx,%ebx\n\taddl\t%ebp,%eax\n\troll\t$7,%ebx\n\txorl\t%eax,%edi\n\tmovl\t%ecx,40(%esp)\n\troll\t$16,%edi\n\tmovl\t%ebx,20(%esp)\n\taddl\t%edi,%esi\n\tmovl\t32(%esp),%ecx\n\txorl\t%esi,%ebp\n\tmovl\t52(%esp),%edx\n\troll\t$12,%ebp\n\tmovl\t28(%esp),%ebx\n\taddl\t%ebp,%eax\n\txorl\t%eax,%edi\n\tmovl\t%eax,4(%esp)\n\troll\t$8,%edi\n\tmovl\t8(%esp),%eax\n\taddl\t%edi,%esi\n\tmovl\t%edi,48(%esp)\n\txorl\t%esi,%ebp\n\taddl\t%ebx,%eax\n\troll\t$7,%ebp\n\txorl\t%eax,%edx\n\tmovl\t%esi,44(%esp)\n\troll\t$16,%edx\n\tmovl\t%ebp,24(%esp)\n\taddl\t%edx,%ecx\n\tmovl\t36(%esp),%esi\n\txorl\t%ecx,%ebx\n\tmovl\t56(%esp),%edi\n\troll\t$12,%ebx\n\tmovl\t16(%esp),%ebp\n\taddl\t%ebx,%eax\n\txorl\t%eax,%edx\n\tmovl\t%eax,8(%esp)\n\troll\t$8,%edx\n\tmovl\t12(%esp),%eax\n\taddl\t%edx,%ecx\n\tmovl\t%edx,52(%esp)\n\txorl\t%ecx,%ebx\n\taddl\t%ebp,%eax\n\troll\t$7,%ebx\n\txorl\t%eax,%edi\n\troll\t$16,%edi\n\tmovl\t%ebx,28(%esp)\n\taddl\t%edi,%esi\n\txorl\t%esi,%ebp\n\tmovl\t48(%esp),%edx\n\troll\t$12,%ebp\n\tmovl\t128(%esp),%ebx\n\taddl\t%ebp,%eax\n\txorl\t%eax,%edi\n\tmovl\t%eax,12(%esp)\n\troll\t$8,%edi\n\tmovl\t(%esp),%eax\n\taddl\t%edi,%esi\n\tmovl\t%edi,56(%esp)\n\txorl\t%esi,%ebp\n\troll\t$7,%ebp\n\tdecl\t%ebx\n\tjnz\t.L002loop\n\tmovl\t160(%esp),%ebx\n\taddl\t$1634760805,%eax\n\taddl\t80(%esp),%ebp\n\taddl\t96(%esp),%ecx\n\taddl\t100(%esp),%esi\n\tcmpl\t$64,%ebx\n\tjb\t.L003tail\n\tmovl\t156(%esp),%ebx\n\taddl\t112(%esp),%edx\n\taddl\t120(%esp),%edi\n\txorl\t(%ebx),%eax\n\txorl\t16(%ebx),%ebp\n\tmovl\t%eax,(%esp)\n\tmovl\t152(%esp),%eax\n\txorl\t32(%ebx),%ecx\n\txorl\t36(%ebx),%esi\n\txorl\t48(%ebx),%edx\n\txorl\t56(%ebx),%edi\n\tmovl\t%ebp,16(%eax)\n\tmovl\t%ecx,32(%eax)\n\tmovl\t%esi,36(%eax)\n\tmovl\t%edx,48(%eax)\n\tmovl\t%edi,56(%eax)\n\tmovl\t4(%esp),%ebp\n\tmovl\t8(%esp),%ecx\n\tmovl\t12(%esp),%esi\n\tmovl\t20(%esp),%edx\n\tmovl\t24(%esp),%edi\n\taddl\t$857760878,%ebp\n\taddl\t$2036477234,%ecx\n\taddl\t$1797285236,%esi\n\taddl\t84(%esp),%edx\n\taddl\t88(%esp),%edi\n\txorl\t4(%ebx),%ebp\n\txorl\t8(%ebx),%ecx\n\txorl\t12(%ebx),%esi\n\txorl\t20(%ebx),%edx\n\txorl\t24(%ebx),%edi\n\tmovl\t%ebp,4(%eax)\n\tmovl\t%ecx,8(%eax)\n\tmovl\t%esi,12(%eax)\n\tmovl\t%edx,20(%eax)\n\tmovl\t%edi,24(%eax)\n\tmovl\t28(%esp),%ebp\n\tmovl\t40(%esp),%ecx\n\tmovl\t44(%esp),%esi\n\tmovl\t52(%esp),%edx\n\tmovl\t60(%esp),%edi\n\taddl\t92(%esp),%ebp\n\taddl\t104(%esp),%ecx\n\taddl\t108(%esp),%esi\n\taddl\t116(%esp),%edx\n\taddl\t124(%esp),%edi\n\txorl\t28(%ebx),%ebp\n\txorl\t40(%ebx),%ecx\n\txorl\t44(%ebx),%esi\n\txorl\t52(%ebx),%edx\n\txorl\t60(%ebx),%edi\n\tleal\t64(%ebx),%ebx\n\tmovl\t%ebp,28(%eax)\n\tmovl\t(%esp),%ebp\n\tmovl\t%ecx,40(%eax)\n\tmovl\t160(%esp),%ecx\n\tmovl\t%esi,44(%eax)\n\tmovl\t%edx,52(%eax)\n\tmovl\t%edi,60(%eax)\n\tmovl\t%ebp,(%eax)\n\tleal\t64(%eax),%eax\n\tsubl\t$64,%ecx\n\tjnz\t.L001outer_loop\n\tjmp\t.L004done\n.L003tail:\n\taddl\t112(%esp),%edx\n\taddl\t120(%esp),%edi\n\tmovl\t%eax,(%esp)\n\tmovl\t%ebp,16(%esp)\n\tmovl\t%ecx,32(%esp)\n\tmovl\t%esi,36(%esp)\n\tmovl\t%edx,48(%esp)\n\tmovl\t%edi,56(%esp)\n\tmovl\t4(%esp),%ebp\n\tmovl\t8(%esp),%ecx\n\tmovl\t12(%esp),%esi\n\tmovl\t20(%esp),%edx\n\tmovl\t24(%esp),%edi\n\taddl\t$857760878,%ebp\n\taddl\t$2036477234,%ecx\n\taddl\t$1797285236,%esi\n\taddl\t84(%esp),%edx\n\taddl\t88(%esp),%edi\n\tmovl\t%ebp,4(%esp)\n\tmovl\t%ecx,8(%esp)\n\tmovl\t%esi,12(%esp)\n\tmovl\t%edx,20(%esp)\n\tmovl\t%edi,24(%esp)\n\tmovl\t28(%esp),%ebp\n\tmovl\t40(%esp),%ecx\n\tmovl\t44(%esp),%esi\n\tmovl\t52(%esp),%edx\n\tmovl\t60(%esp),%edi\n\taddl\t92(%esp),%ebp\n\taddl\t104(%esp),%ecx\n\taddl\t108(%esp),%esi\n\taddl\t116(%esp),%edx\n\taddl\t124(%esp),%edi\n\tmovl\t%ebp,28(%esp)\n\tmovl\t156(%esp),%ebp\n\tmovl\t%ecx,40(%esp)\n\tmovl\t152(%esp),%ecx\n\tmovl\t%esi,44(%esp)\n\txorl\t%esi,%esi\n\tmovl\t%edx,52(%esp)\n\tmovl\t%edi,60(%esp)\n\txorl\t%eax,%eax\n\txorl\t%edx,%edx\n.L005tail_loop:\n\tmovb\t(%esi,%ebp,1),%al\n\tmovb\t(%esp,%esi,1),%dl\n\tleal\t1(%esi),%esi\n\txorb\t%dl,%al\n\tmovb\t%al,-1(%ecx,%esi,1)\n\tdecl\t%ebx\n\tjnz\t.L005tail_loop\n.L004done:\n\taddl\t$132,%esp\n\tpopl\t%edi\n\tpopl\t%esi\n\tpopl\t%ebx\n\tpopl\t%ebp\n\tret\n.size\tChaCha20_ctr32_nohw,.-.L_ChaCha20_ctr32_nohw_begin\n.globl\tChaCha20_ctr32_ssse3\n.hidden\tChaCha20_ctr32_ssse3\n.type\tChaCha20_ctr32_ssse3,@function\n.align\t16\nChaCha20_ctr32_ssse3:\n.L_ChaCha20_ctr32_ssse3_begin:\n\tpushl\t%ebp\n\tpushl\t%ebx\n\tpushl\t%esi\n\tpushl\t%edi\n\tcall\t.Lpic_point\n.Lpic_point:\n\tpopl\t%eax\n\tmovl\t20(%esp),%edi\n\tmovl\t24(%esp),%esi\n\tmovl\t28(%esp),%ecx\n\tmovl\t32(%esp),%edx\n\tmovl\t36(%esp),%ebx\n\tmovl\t%esp,%ebp\n\tsubl\t$524,%esp\n\tandl\t$-64,%esp\n\tmovl\t%ebp,512(%esp)\n\tleal\t.Lssse3_data-.Lpic_point(%eax),%eax\n\tmovdqu\t(%ebx),%xmm3\n\tcmpl\t$256,%ecx\n\tjb\t.L0061x\n\tmovl\t%edx,516(%esp)\n\tmovl\t%ebx,520(%esp)\n\tsubl\t$256,%ecx\n\tleal\t384(%esp),%ebp\n\tmovdqu\t(%edx),%xmm7\n\tpshufd\t$0,%xmm3,%xmm0\n\tpshufd\t$85,%xmm3,%xmm1\n\tpshufd\t$170,%xmm3,%xmm2\n\tpshufd\t$255,%xmm3,%xmm3\n\tpaddd\t48(%eax),%xmm0\n\tpshufd\t$0,%xmm7,%xmm4\n\tpshufd\t$85,%xmm7,%xmm5\n\tpsubd\t64(%eax),%xmm0\n\tpshufd\t$170,%xmm7,%xmm6\n\tpshufd\t$255,%xmm7,%xmm7\n\tmovdqa\t%xmm0,64(%ebp)\n\tmovdqa\t%xmm1,80(%ebp)\n\tmovdqa\t%xmm2,96(%ebp)\n\tmovdqa\t%xmm3,112(%ebp)\n\tmovdqu\t16(%edx),%xmm3\n\tmovdqa\t%xmm4,-64(%ebp)\n\tmovdqa\t%xmm5,-48(%ebp)\n\tmovdqa\t%xmm6,-32(%ebp)\n\tmovdqa\t%xmm7,-16(%ebp)\n\tmovdqa\t32(%eax),%xmm7\n\tleal\t128(%esp),%ebx\n\tpshufd\t$0,%xmm3,%xmm0\n\tpshufd\t$85,%xmm3,%xmm1\n\tpshufd\t$170,%xmm3,%xmm2\n\tpshufd\t$255,%xmm3,%xmm3\n\tpshufd\t$0,%xmm7,%xmm4\n\tpshufd\t$85,%xmm7,%xmm5\n\tpshufd\t$170,%xmm7,%xmm6\n\tpshufd\t$255,%xmm7,%xmm7\n\tmovdqa\t%xmm0,(%ebp)\n\tmovdqa\t%xmm1,16(%ebp)\n\tmovdqa\t%xmm2,32(%ebp)\n\tmovdqa\t%xmm3,48(%ebp)\n\tmovdqa\t%xmm4,-128(%ebp)\n\tmovdqa\t%xmm5,-112(%ebp)\n\tmovdqa\t%xmm6,-96(%ebp)\n\tmovdqa\t%xmm7,-80(%ebp)\n\tleal\t128(%esi),%esi\n\tleal\t128(%edi),%edi\n\tjmp\t.L007outer_loop\n.align\t16\n.L007outer_loop:\n\tmovdqa\t-112(%ebp),%xmm1\n\tmovdqa\t-96(%ebp),%xmm2\n\tmovdqa\t-80(%ebp),%xmm3\n\tmovdqa\t-48(%ebp),%xmm5\n\tmovdqa\t-32(%ebp),%xmm6\n\tmovdqa\t-16(%ebp),%xmm7\n\tmovdqa\t%xmm1,-112(%ebx)\n\tmovdqa\t%xmm2,-96(%ebx)\n\tmovdqa\t%xmm3,-80(%ebx)\n\tmovdqa\t%xmm5,-48(%ebx)\n\tmovdqa\t%xmm6,-32(%ebx)\n\tmovdqa\t%xmm7,-16(%ebx)\n\tmovdqa\t32(%ebp),%xmm2\n\tmovdqa\t48(%ebp),%xmm3\n\tmovdqa\t64(%ebp),%xmm4\n\tmovdqa\t80(%ebp),%xmm5\n\tmovdqa\t96(%ebp),%xmm6\n\tmovdqa\t112(%ebp),%xmm7\n\tpaddd\t64(%eax),%xmm4\n\tmovdqa\t%xmm2,32(%ebx)\n\tmovdqa\t%xmm3,48(%ebx)\n\tmovdqa\t%xmm4,64(%ebx)\n\tmovdqa\t%xmm5,80(%ebx)\n\tmovdqa\t%xmm6,96(%ebx)\n\tmovdqa\t%xmm7,112(%ebx)\n\tmovdqa\t%xmm4,64(%ebp)\n\tmovdqa\t-128(%ebp),%xmm0\n\tmovdqa\t%xmm4,%xmm6\n\tmovdqa\t-64(%ebp),%xmm3\n\tmovdqa\t(%ebp),%xmm4\n\tmovdqa\t16(%ebp),%xmm5\n\tmovl\t$10,%edx\n\tnop\n.align\t16\n.L008loop:\n\tpaddd\t%xmm3,%xmm0\n\tmovdqa\t%xmm3,%xmm2\n\tpxor\t%xmm0,%xmm6\n\tpshufb\t(%eax),%xmm6\n\tpaddd\t%xmm6,%xmm4\n\tpxor\t%xmm4,%xmm2\n\tmovdqa\t-48(%ebx),%xmm3\n\tmovdqa\t%xmm2,%xmm1\n\tpslld\t$12,%xmm2\n\tpsrld\t$20,%xmm1\n\tpor\t%xmm1,%xmm2\n\tmovdqa\t-112(%ebx),%xmm1\n\tpaddd\t%xmm2,%xmm0\n\tmovdqa\t80(%ebx),%xmm7\n\tpxor\t%xmm0,%xmm6\n\tmovdqa\t%xmm0,-128(%ebx)\n\tpshufb\t16(%eax),%xmm6\n\tpaddd\t%xmm6,%xmm4\n\tmovdqa\t%xmm6,64(%ebx)\n\tpxor\t%xmm4,%xmm2\n\tpaddd\t%xmm3,%xmm1\n\tmovdqa\t%xmm2,%xmm0\n\tpslld\t$7,%xmm2\n\tpsrld\t$25,%xmm0\n\tpxor\t%xmm1,%xmm7\n\tpor\t%xmm0,%xmm2\n\tmovdqa\t%xmm4,(%ebx)\n\tpshufb\t(%eax),%xmm7\n\tmovdqa\t%xmm2,-64(%ebx)\n\tpaddd\t%xmm7,%xmm5\n\tmovdqa\t32(%ebx),%xmm4\n\tpxor\t%xmm5,%xmm3\n\tmovdqa\t-32(%ebx),%xmm2\n\tmovdqa\t%xmm3,%xmm0\n\tpslld\t$12,%xmm3\n\tpsrld\t$20,%xmm0\n\tpor\t%xmm0,%xmm3\n\tmovdqa\t-96(%ebx),%xmm0\n\tpaddd\t%xmm3,%xmm1\n\tmovdqa\t96(%ebx),%xmm6\n\tpxor\t%xmm1,%xmm7\n\tmovdqa\t%xmm1,-112(%ebx)\n\tpshufb\t16(%eax),%xmm7\n\tpaddd\t%xmm7,%xmm5\n\tmovdqa\t%xmm7,80(%ebx)\n\tpxor\t%xmm5,%xmm3\n\tpaddd\t%xmm2,%xmm0\n\tmovdqa\t%xmm3,%xmm1\n\tpslld\t$7,%xmm3\n\tpsrld\t$25,%xmm1\n\tpxor\t%xmm0,%xmm6\n\tpor\t%xmm1,%xmm3\n\tmovdqa\t%xmm5,16(%ebx)\n\tpshufb\t(%eax),%xmm6\n\tmovdqa\t%xmm3,-48(%ebx)\n\tpaddd\t%xmm6,%xmm4\n\tmovdqa\t48(%ebx),%xmm5\n\tpxor\t%xmm4,%xmm2\n\tmovdqa\t-16(%ebx),%xmm3\n\tmovdqa\t%xmm2,%xmm1\n\tpslld\t$12,%xmm2\n\tpsrld\t$20,%xmm1\n\tpor\t%xmm1,%xmm2\n\tmovdqa\t-80(%ebx),%xmm1\n\tpaddd\t%xmm2,%xmm0\n\tmovdqa\t112(%ebx),%xmm7\n\tpxor\t%xmm0,%xmm6\n\tmovdqa\t%xmm0,-96(%ebx)\n\tpshufb\t16(%eax),%xmm6\n\tpaddd\t%xmm6,%xmm4\n\tmovdqa\t%xmm6,96(%ebx)\n\tpxor\t%xmm4,%xmm2\n\tpaddd\t%xmm3,%xmm1\n\tmovdqa\t%xmm2,%xmm0\n\tpslld\t$7,%xmm2\n\tpsrld\t$25,%xmm0\n\tpxor\t%xmm1,%xmm7\n\tpor\t%xmm0,%xmm2\n\tpshufb\t(%eax),%xmm7\n\tmovdqa\t%xmm2,-32(%ebx)\n\tpaddd\t%xmm7,%xmm5\n\tpxor\t%xmm5,%xmm3\n\tmovdqa\t-48(%ebx),%xmm2\n\tmovdqa\t%xmm3,%xmm0\n\tpslld\t$12,%xmm3\n\tpsrld\t$20,%xmm0\n\tpor\t%xmm0,%xmm3\n\tmovdqa\t-128(%ebx),%xmm0\n\tpaddd\t%xmm3,%xmm1\n\tpxor\t%xmm1,%xmm7\n\tmovdqa\t%xmm1,-80(%ebx)\n\tpshufb\t16(%eax),%xmm7\n\tpaddd\t%xmm7,%xmm5\n\tmovdqa\t%xmm7,%xmm6\n\tpxor\t%xmm5,%xmm3\n\tpaddd\t%xmm2,%xmm0\n\tmovdqa\t%xmm3,%xmm1\n\tpslld\t$7,%xmm3\n\tpsrld\t$25,%xmm1\n\tpxor\t%xmm0,%xmm6\n\tpor\t%xmm1,%xmm3\n\tpshufb\t(%eax),%xmm6\n\tmovdqa\t%xmm3,-16(%ebx)\n\tpaddd\t%xmm6,%xmm4\n\tpxor\t%xmm4,%xmm2\n\tmovdqa\t-32(%ebx),%xmm3\n\tmovdqa\t%xmm2,%xmm1\n\tpslld\t$12,%xmm2\n\tpsrld\t$20,%xmm1\n\tpor\t%xmm1,%xmm2\n\tmovdqa\t-112(%ebx),%xmm1\n\tpaddd\t%xmm2,%xmm0\n\tmovdqa\t64(%ebx),%xmm7\n\tpxor\t%xmm0,%xmm6\n\tmovdqa\t%xmm0,-128(%ebx)\n\tpshufb\t16(%eax),%xmm6\n\tpaddd\t%xmm6,%xmm4\n\tmovdqa\t%xmm6,112(%ebx)\n\tpxor\t%xmm4,%xmm2\n\tpaddd\t%xmm3,%xmm1\n\tmovdqa\t%xmm2,%xmm0\n\tpslld\t$7,%xmm2\n\tpsrld\t$25,%xmm0\n\tpxor\t%xmm1,%xmm7\n\tpor\t%xmm0,%xmm2\n\tmovdqa\t%xmm4,32(%ebx)\n\tpshufb\t(%eax),%xmm7\n\tmovdqa\t%xmm2,-48(%ebx)\n\tpaddd\t%xmm7,%xmm5\n\tmovdqa\t(%ebx),%xmm4\n\tpxor\t%xmm5,%xmm3\n\tmovdqa\t-16(%ebx),%xmm2\n\tmovdqa\t%xmm3,%xmm0\n\tpslld\t$12,%xmm3\n\tpsrld\t$20,%xmm0\n\tpor\t%xmm0,%xmm3\n\tmovdqa\t-96(%ebx),%xmm0\n\tpaddd\t%xmm3,%xmm1\n\tmovdqa\t80(%ebx),%xmm6\n\tpxor\t%xmm1,%xmm7\n\tmovdqa\t%xmm1,-112(%ebx)\n\tpshufb\t16(%eax),%xmm7\n\tpaddd\t%xmm7,%xmm5\n\tmovdqa\t%xmm7,64(%ebx)\n\tpxor\t%xmm5,%xmm3\n\tpaddd\t%xmm2,%xmm0\n\tmovdqa\t%xmm3,%xmm1\n\tpslld\t$7,%xmm3\n\tpsrld\t$25,%xmm1\n\tpxor\t%xmm0,%xmm6\n\tpor\t%xmm1,%xmm3\n\tmovdqa\t%xmm5,48(%ebx)\n\tpshufb\t(%eax),%xmm6\n\tmovdqa\t%xmm3,-32(%ebx)\n\tpaddd\t%xmm6,%xmm4\n\tmovdqa\t16(%ebx),%xmm5\n\tpxor\t%xmm4,%xmm2\n\tmovdqa\t-64(%ebx),%xmm3\n\tmovdqa\t%xmm2,%xmm1\n\tpslld\t$12,%xmm2\n\tpsrld\t$20,%xmm1\n\tpor\t%xmm1,%xmm2\n\tmovdqa\t-80(%ebx),%xmm1\n\tpaddd\t%xmm2,%xmm0\n\tmovdqa\t96(%ebx),%xmm7\n\tpxor\t%xmm0,%xmm6\n\tmovdqa\t%xmm0,-96(%ebx)\n\tpshufb\t16(%eax),%xmm6\n\tpaddd\t%xmm6,%xmm4\n\tmovdqa\t%xmm6,80(%ebx)\n\tpxor\t%xmm4,%xmm2\n\tpaddd\t%xmm3,%xmm1\n\tmovdqa\t%xmm2,%xmm0\n\tpslld\t$7,%xmm2\n\tpsrld\t$25,%xmm0\n\tpxor\t%xmm1,%xmm7\n\tpor\t%xmm0,%xmm2\n\tpshufb\t(%eax),%xmm7\n\tmovdqa\t%xmm2,-16(%ebx)\n\tpaddd\t%xmm7,%xmm5\n\tpxor\t%xmm5,%xmm3\n\tmovdqa\t%xmm3,%xmm0\n\tpslld\t$12,%xmm3\n\tpsrld\t$20,%xmm0\n\tpor\t%xmm0,%xmm3\n\tmovdqa\t-128(%ebx),%xmm0\n\tpaddd\t%xmm3,%xmm1\n\tmovdqa\t64(%ebx),%xmm6\n\tpxor\t%xmm1,%xmm7\n\tmovdqa\t%xmm1,-80(%ebx)\n\tpshufb\t16(%eax),%xmm7\n\tpaddd\t%xmm7,%xmm5\n\tmovdqa\t%xmm7,96(%ebx)\n\tpxor\t%xmm5,%xmm3\n\tmovdqa\t%xmm3,%xmm1\n\tpslld\t$7,%xmm3\n\tpsrld\t$25,%xmm1\n\tpor\t%xmm1,%xmm3\n\tdecl\t%edx\n\tjnz\t.L008loop\n\tmovdqa\t%xmm3,-64(%ebx)\n\tmovdqa\t%xmm4,(%ebx)\n\tmovdqa\t%xmm5,16(%ebx)\n\tmovdqa\t%xmm6,64(%ebx)\n\tmovdqa\t%xmm7,96(%ebx)\n\tmovdqa\t-112(%ebx),%xmm1\n\tmovdqa\t-96(%ebx),%xmm2\n\tmovdqa\t-80(%ebx),%xmm3\n\tpaddd\t-128(%ebp),%xmm0\n\tpaddd\t-112(%ebp),%xmm1\n\tpaddd\t-96(%ebp),%xmm2\n\tpaddd\t-80(%ebp),%xmm3\n\tmovdqa\t%xmm0,%xmm6\n\tpunpckldq\t%xmm1,%xmm0\n\tmovdqa\t%xmm2,%xmm7\n\tpunpckldq\t%xmm3,%xmm2\n\tpunpckhdq\t%xmm1,%xmm6\n\tpunpckhdq\t%xmm3,%xmm7\n\tmovdqa\t%xmm0,%xmm1\n\tpunpcklqdq\t%xmm2,%xmm0\n\tmovdqa\t%xmm6,%xmm3\n\tpunpcklqdq\t%xmm7,%xmm6\n\tpunpckhqdq\t%xmm2,%xmm1\n\tpunpckhqdq\t%xmm7,%xmm3\n\tmovdqu\t-128(%esi),%xmm4\n\tmovdqu\t-64(%esi),%xmm5\n\tmovdqu\t(%esi),%xmm2\n\tmovdqu\t64(%esi),%xmm7\n\tleal\t16(%esi),%esi\n\tpxor\t%xmm0,%xmm4\n\tmovdqa\t-64(%ebx),%xmm0\n\tpxor\t%xmm1,%xmm5\n\tmovdqa\t-48(%ebx),%xmm1\n\tpxor\t%xmm2,%xmm6\n\tmovdqa\t-32(%ebx),%xmm2\n\tpxor\t%xmm3,%xmm7\n\tmovdqa\t-16(%ebx),%xmm3\n\tmovdqu\t%xmm4,-128(%edi)\n\tmovdqu\t%xmm5,-64(%edi)\n\tmovdqu\t%xmm6,(%edi)\n\tmovdqu\t%xmm7,64(%edi)\n\tleal\t16(%edi),%edi\n\tpaddd\t-64(%ebp),%xmm0\n\tpaddd\t-48(%ebp),%xmm1\n\tpaddd\t-32(%ebp),%xmm2\n\tpaddd\t-16(%ebp),%xmm3\n\tmovdqa\t%xmm0,%xmm6\n\tpunpckldq\t%xmm1,%xmm0\n\tmovdqa\t%xmm2,%xmm7\n\tpunpckldq\t%xmm3,%xmm2\n\tpunpckhdq\t%xmm1,%xmm6\n\tpunpckhdq\t%xmm3,%xmm7\n\tmovdqa\t%xmm0,%xmm1\n\tpunpcklqdq\t%xmm2,%xmm0\n\tmovdqa\t%xmm6,%xmm3\n\tpunpcklqdq\t%xmm7,%xmm6\n\tpunpckhqdq\t%xmm2,%xmm1\n\tpunpckhqdq\t%xmm7,%xmm3\n\tmovdqu\t-128(%esi),%xmm4\n\tmovdqu\t-64(%esi),%xmm5\n\tmovdqu\t(%esi),%xmm2\n\tmovdqu\t64(%esi),%xmm7\n\tleal\t16(%esi),%esi\n\tpxor\t%xmm0,%xmm4\n\tmovdqa\t(%ebx),%xmm0\n\tpxor\t%xmm1,%xmm5\n\tmovdqa\t16(%ebx),%xmm1\n\tpxor\t%xmm2,%xmm6\n\tmovdqa\t32(%ebx),%xmm2\n\tpxor\t%xmm3,%xmm7\n\tmovdqa\t48(%ebx),%xmm3\n\tmovdqu\t%xmm4,-128(%edi)\n\tmovdqu\t%xmm5,-64(%edi)\n\tmovdqu\t%xmm6,(%edi)\n\tmovdqu\t%xmm7,64(%edi)\n\tleal\t16(%edi),%edi\n\tpaddd\t(%ebp),%xmm0\n\tpaddd\t16(%ebp),%xmm1\n\tpaddd\t32(%ebp),%xmm2\n\tpaddd\t48(%ebp),%xmm3\n\tmovdqa\t%xmm0,%xmm6\n\tpunpckldq\t%xmm1,%xmm0\n\tmovdqa\t%xmm2,%xmm7\n\tpunpckldq\t%xmm3,%xmm2\n\tpunpckhdq\t%xmm1,%xmm6\n\tpunpckhdq\t%xmm3,%xmm7\n\tmovdqa\t%xmm0,%xmm1\n\tpunpcklqdq\t%xmm2,%xmm0\n\tmovdqa\t%xmm6,%xmm3\n\tpunpcklqdq\t%xmm7,%xmm6\n\tpunpckhqdq\t%xmm2,%xmm1\n\tpunpckhqdq\t%xmm7,%xmm3\n\tmovdqu\t-128(%esi),%xmm4\n\tmovdqu\t-64(%esi),%xmm5\n\tmovdqu\t(%esi),%xmm2\n\tmovdqu\t64(%esi),%xmm7\n\tleal\t16(%esi),%esi\n\tpxor\t%xmm0,%xmm4\n\tmovdqa\t64(%ebx),%xmm0\n\tpxor\t%xmm1,%xmm5\n\tmovdqa\t80(%ebx),%xmm1\n\tpxor\t%xmm2,%xmm6\n\tmovdqa\t96(%ebx),%xmm2\n\tpxor\t%xmm3,%xmm7\n\tmovdqa\t112(%ebx),%xmm3\n\tmovdqu\t%xmm4,-128(%edi)\n\tmovdqu\t%xmm5,-64(%edi)\n\tmovdqu\t%xmm6,(%edi)\n\tmovdqu\t%xmm7,64(%edi)\n\tleal\t16(%edi),%edi\n\tpaddd\t64(%ebp),%xmm0\n\tpaddd\t80(%ebp),%xmm1\n\tpaddd\t96(%ebp),%xmm2\n\tpaddd\t112(%ebp),%xmm3\n\tmovdqa\t%xmm0,%xmm6\n\tpunpckldq\t%xmm1,%xmm0\n\tmovdqa\t%xmm2,%xmm7\n\tpunpckldq\t%xmm3,%xmm2\n\tpunpckhdq\t%xmm1,%xmm6\n\tpunpckhdq\t%xmm3,%xmm7\n\tmovdqa\t%xmm0,%xmm1\n\tpunpcklqdq\t%xmm2,%xmm0\n\tmovdqa\t%xmm6,%xmm3\n\tpunpcklqdq\t%xmm7,%xmm6\n\tpunpckhqdq\t%xmm2,%xmm1\n\tpunpckhqdq\t%xmm7,%xmm3\n\tmovdqu\t-128(%esi),%xmm4\n\tmovdqu\t-64(%esi),%xmm5\n\tmovdqu\t(%esi),%xmm2\n\tmovdqu\t64(%esi),%xmm7\n\tleal\t208(%esi),%esi\n\tpxor\t%xmm0,%xmm4\n\tpxor\t%xmm1,%xmm5\n\tpxor\t%xmm2,%xmm6\n\tpxor\t%xmm3,%xmm7\n\tmovdqu\t%xmm4,-128(%edi)\n\tmovdqu\t%xmm5,-64(%edi)\n\tmovdqu\t%xmm6,(%edi)\n\tmovdqu\t%xmm7,64(%edi)\n\tleal\t208(%edi),%edi\n\tsubl\t$256,%ecx\n\tjnc\t.L007outer_loop\n\taddl\t$256,%ecx\n\tjz\t.L009done\n\tmovl\t520(%esp),%ebx\n\tleal\t-128(%esi),%esi\n\tmovl\t516(%esp),%edx\n\tleal\t-128(%edi),%edi\n\tmovd\t64(%ebp),%xmm2\n\tmovdqu\t(%ebx),%xmm3\n\tpaddd\t96(%eax),%xmm2\n\tpand\t112(%eax),%xmm3\n\tpor\t%xmm2,%xmm3\n.L0061x:\n\tmovdqa\t32(%eax),%xmm0\n\tmovdqu\t(%edx),%xmm1\n\tmovdqu\t16(%edx),%xmm2\n\tmovdqa\t(%eax),%xmm6\n\tmovdqa\t16(%eax),%xmm7\n\tmovl\t%ebp,48(%esp)\n\tmovdqa\t%xmm0,(%esp)\n\tmovdqa\t%xmm1,16(%esp)\n\tmovdqa\t%xmm2,32(%esp)\n\tmovdqa\t%xmm3,48(%esp)\n\tmovl\t$10,%edx\n\tjmp\t.L010loop1x\n.align\t16\n.L011outer1x:\n\tmovdqa\t80(%eax),%xmm3\n\tmovdqa\t(%esp),%xmm0\n\tmovdqa\t16(%esp),%xmm1\n\tmovdqa\t32(%esp),%xmm2\n\tpaddd\t48(%esp),%xmm3\n\tmovl\t$10,%edx\n\tmovdqa\t%xmm3,48(%esp)\n\tjmp\t.L010loop1x\n.align\t16\n.L010loop1x:\n\tpaddd\t%xmm1,%xmm0\n\tpxor\t%xmm0,%xmm3\n.byte\t102,15,56,0,222\n\tpaddd\t%xmm3,%xmm2\n\tpxor\t%xmm2,%xmm1\n\tmovdqa\t%xmm1,%xmm4\n\tpsrld\t$20,%xmm1\n\tpslld\t$12,%xmm4\n\tpor\t%xmm4,%xmm1\n\tpaddd\t%xmm1,%xmm0\n\tpxor\t%xmm0,%xmm3\n.byte\t102,15,56,0,223\n\tpaddd\t%xmm3,%xmm2\n\tpxor\t%xmm2,%xmm1\n\tmovdqa\t%xmm1,%xmm4\n\tpsrld\t$25,%xmm1\n\tpslld\t$7,%xmm4\n\tpor\t%xmm4,%xmm1\n\tpshufd\t$78,%xmm2,%xmm2\n\tpshufd\t$57,%xmm1,%xmm1\n\tpshufd\t$147,%xmm3,%xmm3\n\tnop\n\tpaddd\t%xmm1,%xmm0\n\tpxor\t%xmm0,%xmm3\n.byte\t102,15,56,0,222\n\tpaddd\t%xmm3,%xmm2\n\tpxor\t%xmm2,%xmm1\n\tmovdqa\t%xmm1,%xmm4\n\tpsrld\t$20,%xmm1\n\tpslld\t$12,%xmm4\n\tpor\t%xmm4,%xmm1\n\tpaddd\t%xmm1,%xmm0\n\tpxor\t%xmm0,%xmm3\n.byte\t102,15,56,0,223\n\tpaddd\t%xmm3,%xmm2\n\tpxor\t%xmm2,%xmm1\n\tmovdqa\t%xmm1,%xmm4\n\tpsrld\t$25,%xmm1\n\tpslld\t$7,%xmm4\n\tpor\t%xmm4,%xmm1\n\tpshufd\t$78,%xmm2,%xmm2\n\tpshufd\t$147,%xmm1,%xmm1\n\tpshufd\t$57,%xmm3,%xmm3\n\tdecl\t%edx\n\tjnz\t.L010loop1x\n\tpaddd\t(%esp),%xmm0\n\tpaddd\t16(%esp),%xmm1\n\tpaddd\t32(%esp),%xmm2\n\tpaddd\t48(%esp),%xmm3\n\tcmpl\t$64,%ecx\n\tjb\t.L012tail\n\tmovdqu\t(%esi),%xmm4\n\tmovdqu\t16(%esi),%xmm5\n\tpxor\t%xmm4,%xmm0\n\tmovdqu\t32(%esi),%xmm4\n\tpxor\t%xmm5,%xmm1\n\tmovdqu\t48(%esi),%xmm5\n\tpxor\t%xmm4,%xmm2\n\tpxor\t%xmm5,%xmm3\n\tleal\t64(%esi),%esi\n\tmovdqu\t%xmm0,(%edi)\n\tmovdqu\t%xmm1,16(%edi)\n\tmovdqu\t%xmm2,32(%edi)\n\tmovdqu\t%xmm3,48(%edi)\n\tleal\t64(%edi),%edi\n\tsubl\t$64,%ecx\n\tjnz\t.L011outer1x\n\tjmp\t.L009done\n.L012tail:\n\tmovdqa\t%xmm0,(%esp)\n\tmovdqa\t%xmm1,16(%esp)\n\tmovdqa\t%xmm2,32(%esp)\n\tmovdqa\t%xmm3,48(%esp)\n\txorl\t%eax,%eax\n\txorl\t%edx,%edx\n\txorl\t%ebp,%ebp\n.L013tail_loop:\n\tmovb\t(%esp,%ebp,1),%al\n\tmovb\t(%esi,%ebp,1),%dl\n\tleal\t1(%ebp),%ebp\n\txorb\t%dl,%al\n\tmovb\t%al,-1(%edi,%ebp,1)\n\tdecl\t%ecx\n\tjnz\t.L013tail_loop\n.L009done:\n\tmovl\t512(%esp),%esp\n\tpopl\t%edi\n\tpopl\t%esi\n\tpopl\t%ebx\n\tpopl\t%ebp\n\tret\n.size\tChaCha20_ctr32_ssse3,.-.L_ChaCha20_ctr32_ssse3_begin\n.align\t64\n.Lssse3_data:\n.byte\t2,3,0,1,6,7,4,5,10,11,8,9,14,15,12,13\n.byte\t3,0,1,2,7,4,5,6,11,8,9,10,15,12,13,14\n.long\t1634760805,857760878,2036477234,1797285236\n.long\t0,1,2,3\n.long\t4,4,4,4\n.long\t1,0,0,0\n.long\t4,0,0,0\n.long\t0,-1,-1,-1\n.align\t64\n.byte\t67,104,97,67,104,97,50,48,32,102,111,114,32,120,56,54\n.byte\t44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32\n.byte\t60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111\n.byte\t114,103,62,0\n#endif // !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86) && defined(__ELF__)\n#if defined(__linux__) && defined(__ELF__)\n.section .note.GNU-stack,\"\",%progbits\n#endif\n\n" }, { "path": "Sources/CNIOBoringSSL/gen/crypto/chacha-x86_64-apple.S", "content": "#define BORINGSSL_PREFIX CNIOBoringSSL\n// This file is generated from a similarly-named Perl script in the BoringSSL\n// source tree. Do not edit by hand.\n\n#include \n\n#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86_64) && defined(__APPLE__)\n.text\t\n\n.section\t__DATA,__const\n.p2align\t6\nL$zero:\n.long\t0,0,0,0\nL$one:\n.long\t1,0,0,0\nL$inc:\n.long\t0,1,2,3\nL$four:\n.long\t4,4,4,4\nL$incy:\n.long\t0,2,4,6,1,3,5,7\nL$eight:\n.long\t8,8,8,8,8,8,8,8\nL$rot16:\n.byte\t0x2,0x3,0x0,0x1, 0x6,0x7,0x4,0x5, 0xa,0xb,0x8,0x9, 0xe,0xf,0xc,0xd\nL$rot24:\n.byte\t0x3,0x0,0x1,0x2, 0x7,0x4,0x5,0x6, 0xb,0x8,0x9,0xa, 0xf,0xc,0xd,0xe\nL$sigma:\n.byte\t101,120,112,97,110,100,32,51,50,45,98,121,116,101,32,107,0\n.p2align\t6\nL$zeroz:\n.long\t0,0,0,0, 1,0,0,0, 2,0,0,0, 3,0,0,0\nL$fourz:\n.long\t4,0,0,0, 4,0,0,0, 4,0,0,0, 4,0,0,0\nL$incz:\n.long\t0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15\nL$sixteen:\n.long\t16,16,16,16,16,16,16,16,16,16,16,16,16,16,16,16\n.byte\t67,104,97,67,104,97,50,48,32,102,111,114,32,120,56,54,95,54,52,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0\n.text\t\n.globl\t_ChaCha20_ctr32_nohw\n.private_extern _ChaCha20_ctr32_nohw\n\n.p2align\t6\n_ChaCha20_ctr32_nohw:\n\n_CET_ENDBR\n\tpushq\t%rbx\n\n\tpushq\t%rbp\n\n\tpushq\t%r12\n\n\tpushq\t%r13\n\n\tpushq\t%r14\n\n\tpushq\t%r15\n\n\tsubq\t$64+24,%rsp\n\nL$ctr32_body:\n\n\n\tmovdqu\t(%rcx),%xmm1\n\tmovdqu\t16(%rcx),%xmm2\n\tmovdqu\t(%r8),%xmm3\n\tmovdqa\tL$one(%rip),%xmm4\n\n\n\tmovdqa\t%xmm1,16(%rsp)\n\tmovdqa\t%xmm2,32(%rsp)\n\tmovdqa\t%xmm3,48(%rsp)\n\tmovq\t%rdx,%rbp\n\tjmp\tL$oop_outer\n\n.p2align\t5\nL$oop_outer:\n\tmovl\t$0x61707865,%eax\n\tmovl\t$0x3320646e,%ebx\n\tmovl\t$0x79622d32,%ecx\n\tmovl\t$0x6b206574,%edx\n\tmovl\t16(%rsp),%r8d\n\tmovl\t20(%rsp),%r9d\n\tmovl\t24(%rsp),%r10d\n\tmovl\t28(%rsp),%r11d\n\tmovd\t%xmm3,%r12d\n\tmovl\t52(%rsp),%r13d\n\tmovl\t56(%rsp),%r14d\n\tmovl\t60(%rsp),%r15d\n\n\tmovq\t%rbp,64+0(%rsp)\n\tmovl\t$10,%ebp\n\tmovq\t%rsi,64+8(%rsp)\n.byte\t102,72,15,126,214\n\tmovq\t%rdi,64+16(%rsp)\n\tmovq\t%rsi,%rdi\n\tshrq\t$32,%rdi\n\tjmp\tL$oop\n\n.p2align\t5\nL$oop:\n\taddl\t%r8d,%eax\n\txorl\t%eax,%r12d\n\troll\t$16,%r12d\n\taddl\t%r9d,%ebx\n\txorl\t%ebx,%r13d\n\troll\t$16,%r13d\n\taddl\t%r12d,%esi\n\txorl\t%esi,%r8d\n\troll\t$12,%r8d\n\taddl\t%r13d,%edi\n\txorl\t%edi,%r9d\n\troll\t$12,%r9d\n\taddl\t%r8d,%eax\n\txorl\t%eax,%r12d\n\troll\t$8,%r12d\n\taddl\t%r9d,%ebx\n\txorl\t%ebx,%r13d\n\troll\t$8,%r13d\n\taddl\t%r12d,%esi\n\txorl\t%esi,%r8d\n\troll\t$7,%r8d\n\taddl\t%r13d,%edi\n\txorl\t%edi,%r9d\n\troll\t$7,%r9d\n\tmovl\t%esi,32(%rsp)\n\tmovl\t%edi,36(%rsp)\n\tmovl\t40(%rsp),%esi\n\tmovl\t44(%rsp),%edi\n\taddl\t%r10d,%ecx\n\txorl\t%ecx,%r14d\n\troll\t$16,%r14d\n\taddl\t%r11d,%edx\n\txorl\t%edx,%r15d\n\troll\t$16,%r15d\n\taddl\t%r14d,%esi\n\txorl\t%esi,%r10d\n\troll\t$12,%r10d\n\taddl\t%r15d,%edi\n\txorl\t%edi,%r11d\n\troll\t$12,%r11d\n\taddl\t%r10d,%ecx\n\txorl\t%ecx,%r14d\n\troll\t$8,%r14d\n\taddl\t%r11d,%edx\n\txorl\t%edx,%r15d\n\troll\t$8,%r15d\n\taddl\t%r14d,%esi\n\txorl\t%esi,%r10d\n\troll\t$7,%r10d\n\taddl\t%r15d,%edi\n\txorl\t%edi,%r11d\n\troll\t$7,%r11d\n\taddl\t%r9d,%eax\n\txorl\t%eax,%r15d\n\troll\t$16,%r15d\n\taddl\t%r10d,%ebx\n\txorl\t%ebx,%r12d\n\troll\t$16,%r12d\n\taddl\t%r15d,%esi\n\txorl\t%esi,%r9d\n\troll\t$12,%r9d\n\taddl\t%r12d,%edi\n\txorl\t%edi,%r10d\n\troll\t$12,%r10d\n\taddl\t%r9d,%eax\n\txorl\t%eax,%r15d\n\troll\t$8,%r15d\n\taddl\t%r10d,%ebx\n\txorl\t%ebx,%r12d\n\troll\t$8,%r12d\n\taddl\t%r15d,%esi\n\txorl\t%esi,%r9d\n\troll\t$7,%r9d\n\taddl\t%r12d,%edi\n\txorl\t%edi,%r10d\n\troll\t$7,%r10d\n\tmovl\t%esi,40(%rsp)\n\tmovl\t%edi,44(%rsp)\n\tmovl\t32(%rsp),%esi\n\tmovl\t36(%rsp),%edi\n\taddl\t%r11d,%ecx\n\txorl\t%ecx,%r13d\n\troll\t$16,%r13d\n\taddl\t%r8d,%edx\n\txorl\t%edx,%r14d\n\troll\t$16,%r14d\n\taddl\t%r13d,%esi\n\txorl\t%esi,%r11d\n\troll\t$12,%r11d\n\taddl\t%r14d,%edi\n\txorl\t%edi,%r8d\n\troll\t$12,%r8d\n\taddl\t%r11d,%ecx\n\txorl\t%ecx,%r13d\n\troll\t$8,%r13d\n\taddl\t%r8d,%edx\n\txorl\t%edx,%r14d\n\troll\t$8,%r14d\n\taddl\t%r13d,%esi\n\txorl\t%esi,%r11d\n\troll\t$7,%r11d\n\taddl\t%r14d,%edi\n\txorl\t%edi,%r8d\n\troll\t$7,%r8d\n\tdecl\t%ebp\n\tjnz\tL$oop\n\tmovl\t%edi,36(%rsp)\n\tmovl\t%esi,32(%rsp)\n\tmovq\t64(%rsp),%rbp\n\tmovdqa\t%xmm2,%xmm1\n\tmovq\t64+8(%rsp),%rsi\n\tpaddd\t%xmm4,%xmm3\n\tmovq\t64+16(%rsp),%rdi\n\n\taddl\t$0x61707865,%eax\n\taddl\t$0x3320646e,%ebx\n\taddl\t$0x79622d32,%ecx\n\taddl\t$0x6b206574,%edx\n\taddl\t16(%rsp),%r8d\n\taddl\t20(%rsp),%r9d\n\taddl\t24(%rsp),%r10d\n\taddl\t28(%rsp),%r11d\n\taddl\t48(%rsp),%r12d\n\taddl\t52(%rsp),%r13d\n\taddl\t56(%rsp),%r14d\n\taddl\t60(%rsp),%r15d\n\tpaddd\t32(%rsp),%xmm1\n\n\tcmpq\t$64,%rbp\n\tjb\tL$tail\n\n\txorl\t0(%rsi),%eax\n\txorl\t4(%rsi),%ebx\n\txorl\t8(%rsi),%ecx\n\txorl\t12(%rsi),%edx\n\txorl\t16(%rsi),%r8d\n\txorl\t20(%rsi),%r9d\n\txorl\t24(%rsi),%r10d\n\txorl\t28(%rsi),%r11d\n\tmovdqu\t32(%rsi),%xmm0\n\txorl\t48(%rsi),%r12d\n\txorl\t52(%rsi),%r13d\n\txorl\t56(%rsi),%r14d\n\txorl\t60(%rsi),%r15d\n\tleaq\t64(%rsi),%rsi\n\tpxor\t%xmm1,%xmm0\n\n\tmovdqa\t%xmm2,32(%rsp)\n\tmovd\t%xmm3,48(%rsp)\n\n\tmovl\t%eax,0(%rdi)\n\tmovl\t%ebx,4(%rdi)\n\tmovl\t%ecx,8(%rdi)\n\tmovl\t%edx,12(%rdi)\n\tmovl\t%r8d,16(%rdi)\n\tmovl\t%r9d,20(%rdi)\n\tmovl\t%r10d,24(%rdi)\n\tmovl\t%r11d,28(%rdi)\n\tmovdqu\t%xmm0,32(%rdi)\n\tmovl\t%r12d,48(%rdi)\n\tmovl\t%r13d,52(%rdi)\n\tmovl\t%r14d,56(%rdi)\n\tmovl\t%r15d,60(%rdi)\n\tleaq\t64(%rdi),%rdi\n\n\tsubq\t$64,%rbp\n\tjnz\tL$oop_outer\n\n\tjmp\tL$done\n\n.p2align\t4\nL$tail:\n\tmovl\t%eax,0(%rsp)\n\tmovl\t%ebx,4(%rsp)\n\txorq\t%rbx,%rbx\n\tmovl\t%ecx,8(%rsp)\n\tmovl\t%edx,12(%rsp)\n\tmovl\t%r8d,16(%rsp)\n\tmovl\t%r9d,20(%rsp)\n\tmovl\t%r10d,24(%rsp)\n\tmovl\t%r11d,28(%rsp)\n\tmovdqa\t%xmm1,32(%rsp)\n\tmovl\t%r12d,48(%rsp)\n\tmovl\t%r13d,52(%rsp)\n\tmovl\t%r14d,56(%rsp)\n\tmovl\t%r15d,60(%rsp)\n\nL$oop_tail:\n\tmovzbl\t(%rsi,%rbx,1),%eax\n\tmovzbl\t(%rsp,%rbx,1),%edx\n\tleaq\t1(%rbx),%rbx\n\txorl\t%edx,%eax\n\tmovb\t%al,-1(%rdi,%rbx,1)\n\tdecq\t%rbp\n\tjnz\tL$oop_tail\n\nL$done:\n\tleaq\t64+24+48(%rsp),%rsi\n\tmovq\t-48(%rsi),%r15\n\n\tmovq\t-40(%rsi),%r14\n\n\tmovq\t-32(%rsi),%r13\n\n\tmovq\t-24(%rsi),%r12\n\n\tmovq\t-16(%rsi),%rbp\n\n\tmovq\t-8(%rsi),%rbx\n\n\tleaq\t(%rsi),%rsp\n\nL$no_data:\n\tret\n\n\n.globl\t_ChaCha20_ctr32_ssse3\n.private_extern _ChaCha20_ctr32_ssse3\n\n.p2align\t5\n_ChaCha20_ctr32_ssse3:\n\n_CET_ENDBR\n\tmovq\t%rsp,%r9\n\n\tsubq\t$64+8,%rsp\n\tmovdqa\tL$sigma(%rip),%xmm0\n\tmovdqu\t(%rcx),%xmm1\n\tmovdqu\t16(%rcx),%xmm2\n\tmovdqu\t(%r8),%xmm3\n\tmovdqa\tL$rot16(%rip),%xmm6\n\tmovdqa\tL$rot24(%rip),%xmm7\n\n\tmovdqa\t%xmm0,0(%rsp)\n\tmovdqa\t%xmm1,16(%rsp)\n\tmovdqa\t%xmm2,32(%rsp)\n\tmovdqa\t%xmm3,48(%rsp)\n\tmovq\t$10,%r8\n\tjmp\tL$oop_ssse3\n\n.p2align\t5\nL$oop_outer_ssse3:\n\tmovdqa\tL$one(%rip),%xmm3\n\tmovdqa\t0(%rsp),%xmm0\n\tmovdqa\t16(%rsp),%xmm1\n\tmovdqa\t32(%rsp),%xmm2\n\tpaddd\t48(%rsp),%xmm3\n\tmovq\t$10,%r8\n\tmovdqa\t%xmm3,48(%rsp)\n\tjmp\tL$oop_ssse3\n\n.p2align\t5\nL$oop_ssse3:\n\tpaddd\t%xmm1,%xmm0\n\tpxor\t%xmm0,%xmm3\n.byte\t102,15,56,0,222\n\tpaddd\t%xmm3,%xmm2\n\tpxor\t%xmm2,%xmm1\n\tmovdqa\t%xmm1,%xmm4\n\tpsrld\t$20,%xmm1\n\tpslld\t$12,%xmm4\n\tpor\t%xmm4,%xmm1\n\tpaddd\t%xmm1,%xmm0\n\tpxor\t%xmm0,%xmm3\n.byte\t102,15,56,0,223\n\tpaddd\t%xmm3,%xmm2\n\tpxor\t%xmm2,%xmm1\n\tmovdqa\t%xmm1,%xmm4\n\tpsrld\t$25,%xmm1\n\tpslld\t$7,%xmm4\n\tpor\t%xmm4,%xmm1\n\tpshufd\t$78,%xmm2,%xmm2\n\tpshufd\t$57,%xmm1,%xmm1\n\tpshufd\t$147,%xmm3,%xmm3\n\tnop\n\tpaddd\t%xmm1,%xmm0\n\tpxor\t%xmm0,%xmm3\n.byte\t102,15,56,0,222\n\tpaddd\t%xmm3,%xmm2\n\tpxor\t%xmm2,%xmm1\n\tmovdqa\t%xmm1,%xmm4\n\tpsrld\t$20,%xmm1\n\tpslld\t$12,%xmm4\n\tpor\t%xmm4,%xmm1\n\tpaddd\t%xmm1,%xmm0\n\tpxor\t%xmm0,%xmm3\n.byte\t102,15,56,0,223\n\tpaddd\t%xmm3,%xmm2\n\tpxor\t%xmm2,%xmm1\n\tmovdqa\t%xmm1,%xmm4\n\tpsrld\t$25,%xmm1\n\tpslld\t$7,%xmm4\n\tpor\t%xmm4,%xmm1\n\tpshufd\t$78,%xmm2,%xmm2\n\tpshufd\t$147,%xmm1,%xmm1\n\tpshufd\t$57,%xmm3,%xmm3\n\tdecq\t%r8\n\tjnz\tL$oop_ssse3\n\tpaddd\t0(%rsp),%xmm0\n\tpaddd\t16(%rsp),%xmm1\n\tpaddd\t32(%rsp),%xmm2\n\tpaddd\t48(%rsp),%xmm3\n\n\tcmpq\t$64,%rdx\n\tjb\tL$tail_ssse3\n\n\tmovdqu\t0(%rsi),%xmm4\n\tmovdqu\t16(%rsi),%xmm5\n\tpxor\t%xmm4,%xmm0\n\tmovdqu\t32(%rsi),%xmm4\n\tpxor\t%xmm5,%xmm1\n\tmovdqu\t48(%rsi),%xmm5\n\tleaq\t64(%rsi),%rsi\n\tpxor\t%xmm4,%xmm2\n\tpxor\t%xmm5,%xmm3\n\n\tmovdqu\t%xmm0,0(%rdi)\n\tmovdqu\t%xmm1,16(%rdi)\n\tmovdqu\t%xmm2,32(%rdi)\n\tmovdqu\t%xmm3,48(%rdi)\n\tleaq\t64(%rdi),%rdi\n\n\tsubq\t$64,%rdx\n\tjnz\tL$oop_outer_ssse3\n\n\tjmp\tL$done_ssse3\n\n.p2align\t4\nL$tail_ssse3:\n\tmovdqa\t%xmm0,0(%rsp)\n\tmovdqa\t%xmm1,16(%rsp)\n\tmovdqa\t%xmm2,32(%rsp)\n\tmovdqa\t%xmm3,48(%rsp)\n\txorq\t%r8,%r8\n\nL$oop_tail_ssse3:\n\tmovzbl\t(%rsi,%r8,1),%eax\n\tmovzbl\t(%rsp,%r8,1),%ecx\n\tleaq\t1(%r8),%r8\n\txorl\t%ecx,%eax\n\tmovb\t%al,-1(%rdi,%r8,1)\n\tdecq\t%rdx\n\tjnz\tL$oop_tail_ssse3\n\nL$done_ssse3:\n\tleaq\t(%r9),%rsp\n\nL$ssse3_epilogue:\n\tret\n\n\n.globl\t_ChaCha20_ctr32_ssse3_4x\n.private_extern _ChaCha20_ctr32_ssse3_4x\n\n.p2align\t5\n_ChaCha20_ctr32_ssse3_4x:\n\n_CET_ENDBR\n\tmovq\t%rsp,%r9\n\n\tsubq\t$0x140+8,%rsp\n\tmovdqa\tL$sigma(%rip),%xmm11\n\tmovdqu\t(%rcx),%xmm15\n\tmovdqu\t16(%rcx),%xmm7\n\tmovdqu\t(%r8),%xmm3\n\tleaq\t256(%rsp),%rcx\n\tleaq\tL$rot16(%rip),%r10\n\tleaq\tL$rot24(%rip),%r11\n\n\tpshufd\t$0x00,%xmm11,%xmm8\n\tpshufd\t$0x55,%xmm11,%xmm9\n\tmovdqa\t%xmm8,64(%rsp)\n\tpshufd\t$0xaa,%xmm11,%xmm10\n\tmovdqa\t%xmm9,80(%rsp)\n\tpshufd\t$0xff,%xmm11,%xmm11\n\tmovdqa\t%xmm10,96(%rsp)\n\tmovdqa\t%xmm11,112(%rsp)\n\n\tpshufd\t$0x00,%xmm15,%xmm12\n\tpshufd\t$0x55,%xmm15,%xmm13\n\tmovdqa\t%xmm12,128-256(%rcx)\n\tpshufd\t$0xaa,%xmm15,%xmm14\n\tmovdqa\t%xmm13,144-256(%rcx)\n\tpshufd\t$0xff,%xmm15,%xmm15\n\tmovdqa\t%xmm14,160-256(%rcx)\n\tmovdqa\t%xmm15,176-256(%rcx)\n\n\tpshufd\t$0x00,%xmm7,%xmm4\n\tpshufd\t$0x55,%xmm7,%xmm5\n\tmovdqa\t%xmm4,192-256(%rcx)\n\tpshufd\t$0xaa,%xmm7,%xmm6\n\tmovdqa\t%xmm5,208-256(%rcx)\n\tpshufd\t$0xff,%xmm7,%xmm7\n\tmovdqa\t%xmm6,224-256(%rcx)\n\tmovdqa\t%xmm7,240-256(%rcx)\n\n\tpshufd\t$0x00,%xmm3,%xmm0\n\tpshufd\t$0x55,%xmm3,%xmm1\n\tpaddd\tL$inc(%rip),%xmm0\n\tpshufd\t$0xaa,%xmm3,%xmm2\n\tmovdqa\t%xmm1,272-256(%rcx)\n\tpshufd\t$0xff,%xmm3,%xmm3\n\tmovdqa\t%xmm2,288-256(%rcx)\n\tmovdqa\t%xmm3,304-256(%rcx)\n\n\tjmp\tL$oop_enter4x\n\n.p2align\t5\nL$oop_outer4x:\n\tmovdqa\t64(%rsp),%xmm8\n\tmovdqa\t80(%rsp),%xmm9\n\tmovdqa\t96(%rsp),%xmm10\n\tmovdqa\t112(%rsp),%xmm11\n\tmovdqa\t128-256(%rcx),%xmm12\n\tmovdqa\t144-256(%rcx),%xmm13\n\tmovdqa\t160-256(%rcx),%xmm14\n\tmovdqa\t176-256(%rcx),%xmm15\n\tmovdqa\t192-256(%rcx),%xmm4\n\tmovdqa\t208-256(%rcx),%xmm5\n\tmovdqa\t224-256(%rcx),%xmm6\n\tmovdqa\t240-256(%rcx),%xmm7\n\tmovdqa\t256-256(%rcx),%xmm0\n\tmovdqa\t272-256(%rcx),%xmm1\n\tmovdqa\t288-256(%rcx),%xmm2\n\tmovdqa\t304-256(%rcx),%xmm3\n\tpaddd\tL$four(%rip),%xmm0\n\nL$oop_enter4x:\n\tmovdqa\t%xmm6,32(%rsp)\n\tmovdqa\t%xmm7,48(%rsp)\n\tmovdqa\t(%r10),%xmm7\n\tmovl\t$10,%eax\n\tmovdqa\t%xmm0,256-256(%rcx)\n\tjmp\tL$oop4x\n\n.p2align\t5\nL$oop4x:\n\tpaddd\t%xmm12,%xmm8\n\tpaddd\t%xmm13,%xmm9\n\tpxor\t%xmm8,%xmm0\n\tpxor\t%xmm9,%xmm1\n.byte\t102,15,56,0,199\n.byte\t102,15,56,0,207\n\tpaddd\t%xmm0,%xmm4\n\tpaddd\t%xmm1,%xmm5\n\tpxor\t%xmm4,%xmm12\n\tpxor\t%xmm5,%xmm13\n\tmovdqa\t%xmm12,%xmm6\n\tpslld\t$12,%xmm12\n\tpsrld\t$20,%xmm6\n\tmovdqa\t%xmm13,%xmm7\n\tpslld\t$12,%xmm13\n\tpor\t%xmm6,%xmm12\n\tpsrld\t$20,%xmm7\n\tmovdqa\t(%r11),%xmm6\n\tpor\t%xmm7,%xmm13\n\tpaddd\t%xmm12,%xmm8\n\tpaddd\t%xmm13,%xmm9\n\tpxor\t%xmm8,%xmm0\n\tpxor\t%xmm9,%xmm1\n.byte\t102,15,56,0,198\n.byte\t102,15,56,0,206\n\tpaddd\t%xmm0,%xmm4\n\tpaddd\t%xmm1,%xmm5\n\tpxor\t%xmm4,%xmm12\n\tpxor\t%xmm5,%xmm13\n\tmovdqa\t%xmm12,%xmm7\n\tpslld\t$7,%xmm12\n\tpsrld\t$25,%xmm7\n\tmovdqa\t%xmm13,%xmm6\n\tpslld\t$7,%xmm13\n\tpor\t%xmm7,%xmm12\n\tpsrld\t$25,%xmm6\n\tmovdqa\t(%r10),%xmm7\n\tpor\t%xmm6,%xmm13\n\tmovdqa\t%xmm4,0(%rsp)\n\tmovdqa\t%xmm5,16(%rsp)\n\tmovdqa\t32(%rsp),%xmm4\n\tmovdqa\t48(%rsp),%xmm5\n\tpaddd\t%xmm14,%xmm10\n\tpaddd\t%xmm15,%xmm11\n\tpxor\t%xmm10,%xmm2\n\tpxor\t%xmm11,%xmm3\n.byte\t102,15,56,0,215\n.byte\t102,15,56,0,223\n\tpaddd\t%xmm2,%xmm4\n\tpaddd\t%xmm3,%xmm5\n\tpxor\t%xmm4,%xmm14\n\tpxor\t%xmm5,%xmm15\n\tmovdqa\t%xmm14,%xmm6\n\tpslld\t$12,%xmm14\n\tpsrld\t$20,%xmm6\n\tmovdqa\t%xmm15,%xmm7\n\tpslld\t$12,%xmm15\n\tpor\t%xmm6,%xmm14\n\tpsrld\t$20,%xmm7\n\tmovdqa\t(%r11),%xmm6\n\tpor\t%xmm7,%xmm15\n\tpaddd\t%xmm14,%xmm10\n\tpaddd\t%xmm15,%xmm11\n\tpxor\t%xmm10,%xmm2\n\tpxor\t%xmm11,%xmm3\n.byte\t102,15,56,0,214\n.byte\t102,15,56,0,222\n\tpaddd\t%xmm2,%xmm4\n\tpaddd\t%xmm3,%xmm5\n\tpxor\t%xmm4,%xmm14\n\tpxor\t%xmm5,%xmm15\n\tmovdqa\t%xmm14,%xmm7\n\tpslld\t$7,%xmm14\n\tpsrld\t$25,%xmm7\n\tmovdqa\t%xmm15,%xmm6\n\tpslld\t$7,%xmm15\n\tpor\t%xmm7,%xmm14\n\tpsrld\t$25,%xmm6\n\tmovdqa\t(%r10),%xmm7\n\tpor\t%xmm6,%xmm15\n\tpaddd\t%xmm13,%xmm8\n\tpaddd\t%xmm14,%xmm9\n\tpxor\t%xmm8,%xmm3\n\tpxor\t%xmm9,%xmm0\n.byte\t102,15,56,0,223\n.byte\t102,15,56,0,199\n\tpaddd\t%xmm3,%xmm4\n\tpaddd\t%xmm0,%xmm5\n\tpxor\t%xmm4,%xmm13\n\tpxor\t%xmm5,%xmm14\n\tmovdqa\t%xmm13,%xmm6\n\tpslld\t$12,%xmm13\n\tpsrld\t$20,%xmm6\n\tmovdqa\t%xmm14,%xmm7\n\tpslld\t$12,%xmm14\n\tpor\t%xmm6,%xmm13\n\tpsrld\t$20,%xmm7\n\tmovdqa\t(%r11),%xmm6\n\tpor\t%xmm7,%xmm14\n\tpaddd\t%xmm13,%xmm8\n\tpaddd\t%xmm14,%xmm9\n\tpxor\t%xmm8,%xmm3\n\tpxor\t%xmm9,%xmm0\n.byte\t102,15,56,0,222\n.byte\t102,15,56,0,198\n\tpaddd\t%xmm3,%xmm4\n\tpaddd\t%xmm0,%xmm5\n\tpxor\t%xmm4,%xmm13\n\tpxor\t%xmm5,%xmm14\n\tmovdqa\t%xmm13,%xmm7\n\tpslld\t$7,%xmm13\n\tpsrld\t$25,%xmm7\n\tmovdqa\t%xmm14,%xmm6\n\tpslld\t$7,%xmm14\n\tpor\t%xmm7,%xmm13\n\tpsrld\t$25,%xmm6\n\tmovdqa\t(%r10),%xmm7\n\tpor\t%xmm6,%xmm14\n\tmovdqa\t%xmm4,32(%rsp)\n\tmovdqa\t%xmm5,48(%rsp)\n\tmovdqa\t0(%rsp),%xmm4\n\tmovdqa\t16(%rsp),%xmm5\n\tpaddd\t%xmm15,%xmm10\n\tpaddd\t%xmm12,%xmm11\n\tpxor\t%xmm10,%xmm1\n\tpxor\t%xmm11,%xmm2\n.byte\t102,15,56,0,207\n.byte\t102,15,56,0,215\n\tpaddd\t%xmm1,%xmm4\n\tpaddd\t%xmm2,%xmm5\n\tpxor\t%xmm4,%xmm15\n\tpxor\t%xmm5,%xmm12\n\tmovdqa\t%xmm15,%xmm6\n\tpslld\t$12,%xmm15\n\tpsrld\t$20,%xmm6\n\tmovdqa\t%xmm12,%xmm7\n\tpslld\t$12,%xmm12\n\tpor\t%xmm6,%xmm15\n\tpsrld\t$20,%xmm7\n\tmovdqa\t(%r11),%xmm6\n\tpor\t%xmm7,%xmm12\n\tpaddd\t%xmm15,%xmm10\n\tpaddd\t%xmm12,%xmm11\n\tpxor\t%xmm10,%xmm1\n\tpxor\t%xmm11,%xmm2\n.byte\t102,15,56,0,206\n.byte\t102,15,56,0,214\n\tpaddd\t%xmm1,%xmm4\n\tpaddd\t%xmm2,%xmm5\n\tpxor\t%xmm4,%xmm15\n\tpxor\t%xmm5,%xmm12\n\tmovdqa\t%xmm15,%xmm7\n\tpslld\t$7,%xmm15\n\tpsrld\t$25,%xmm7\n\tmovdqa\t%xmm12,%xmm6\n\tpslld\t$7,%xmm12\n\tpor\t%xmm7,%xmm15\n\tpsrld\t$25,%xmm6\n\tmovdqa\t(%r10),%xmm7\n\tpor\t%xmm6,%xmm12\n\tdecl\t%eax\n\tjnz\tL$oop4x\n\n\tpaddd\t64(%rsp),%xmm8\n\tpaddd\t80(%rsp),%xmm9\n\tpaddd\t96(%rsp),%xmm10\n\tpaddd\t112(%rsp),%xmm11\n\n\tmovdqa\t%xmm8,%xmm6\n\tpunpckldq\t%xmm9,%xmm8\n\tmovdqa\t%xmm10,%xmm7\n\tpunpckldq\t%xmm11,%xmm10\n\tpunpckhdq\t%xmm9,%xmm6\n\tpunpckhdq\t%xmm11,%xmm7\n\tmovdqa\t%xmm8,%xmm9\n\tpunpcklqdq\t%xmm10,%xmm8\n\tmovdqa\t%xmm6,%xmm11\n\tpunpcklqdq\t%xmm7,%xmm6\n\tpunpckhqdq\t%xmm10,%xmm9\n\tpunpckhqdq\t%xmm7,%xmm11\n\tpaddd\t128-256(%rcx),%xmm12\n\tpaddd\t144-256(%rcx),%xmm13\n\tpaddd\t160-256(%rcx),%xmm14\n\tpaddd\t176-256(%rcx),%xmm15\n\n\tmovdqa\t%xmm8,0(%rsp)\n\tmovdqa\t%xmm9,16(%rsp)\n\tmovdqa\t32(%rsp),%xmm8\n\tmovdqa\t48(%rsp),%xmm9\n\n\tmovdqa\t%xmm12,%xmm10\n\tpunpckldq\t%xmm13,%xmm12\n\tmovdqa\t%xmm14,%xmm7\n\tpunpckldq\t%xmm15,%xmm14\n\tpunpckhdq\t%xmm13,%xmm10\n\tpunpckhdq\t%xmm15,%xmm7\n\tmovdqa\t%xmm12,%xmm13\n\tpunpcklqdq\t%xmm14,%xmm12\n\tmovdqa\t%xmm10,%xmm15\n\tpunpcklqdq\t%xmm7,%xmm10\n\tpunpckhqdq\t%xmm14,%xmm13\n\tpunpckhqdq\t%xmm7,%xmm15\n\tpaddd\t192-256(%rcx),%xmm4\n\tpaddd\t208-256(%rcx),%xmm5\n\tpaddd\t224-256(%rcx),%xmm8\n\tpaddd\t240-256(%rcx),%xmm9\n\n\tmovdqa\t%xmm6,32(%rsp)\n\tmovdqa\t%xmm11,48(%rsp)\n\n\tmovdqa\t%xmm4,%xmm14\n\tpunpckldq\t%xmm5,%xmm4\n\tmovdqa\t%xmm8,%xmm7\n\tpunpckldq\t%xmm9,%xmm8\n\tpunpckhdq\t%xmm5,%xmm14\n\tpunpckhdq\t%xmm9,%xmm7\n\tmovdqa\t%xmm4,%xmm5\n\tpunpcklqdq\t%xmm8,%xmm4\n\tmovdqa\t%xmm14,%xmm9\n\tpunpcklqdq\t%xmm7,%xmm14\n\tpunpckhqdq\t%xmm8,%xmm5\n\tpunpckhqdq\t%xmm7,%xmm9\n\tpaddd\t256-256(%rcx),%xmm0\n\tpaddd\t272-256(%rcx),%xmm1\n\tpaddd\t288-256(%rcx),%xmm2\n\tpaddd\t304-256(%rcx),%xmm3\n\n\tmovdqa\t%xmm0,%xmm8\n\tpunpckldq\t%xmm1,%xmm0\n\tmovdqa\t%xmm2,%xmm7\n\tpunpckldq\t%xmm3,%xmm2\n\tpunpckhdq\t%xmm1,%xmm8\n\tpunpckhdq\t%xmm3,%xmm7\n\tmovdqa\t%xmm0,%xmm1\n\tpunpcklqdq\t%xmm2,%xmm0\n\tmovdqa\t%xmm8,%xmm3\n\tpunpcklqdq\t%xmm7,%xmm8\n\tpunpckhqdq\t%xmm2,%xmm1\n\tpunpckhqdq\t%xmm7,%xmm3\n\tcmpq\t$256,%rdx\n\tjb\tL$tail4x\n\n\tmovdqu\t0(%rsi),%xmm6\n\tmovdqu\t16(%rsi),%xmm11\n\tmovdqu\t32(%rsi),%xmm2\n\tmovdqu\t48(%rsi),%xmm7\n\tpxor\t0(%rsp),%xmm6\n\tpxor\t%xmm12,%xmm11\n\tpxor\t%xmm4,%xmm2\n\tpxor\t%xmm0,%xmm7\n\n\tmovdqu\t%xmm6,0(%rdi)\n\tmovdqu\t64(%rsi),%xmm6\n\tmovdqu\t%xmm11,16(%rdi)\n\tmovdqu\t80(%rsi),%xmm11\n\tmovdqu\t%xmm2,32(%rdi)\n\tmovdqu\t96(%rsi),%xmm2\n\tmovdqu\t%xmm7,48(%rdi)\n\tmovdqu\t112(%rsi),%xmm7\n\tleaq\t128(%rsi),%rsi\n\tpxor\t16(%rsp),%xmm6\n\tpxor\t%xmm13,%xmm11\n\tpxor\t%xmm5,%xmm2\n\tpxor\t%xmm1,%xmm7\n\n\tmovdqu\t%xmm6,64(%rdi)\n\tmovdqu\t0(%rsi),%xmm6\n\tmovdqu\t%xmm11,80(%rdi)\n\tmovdqu\t16(%rsi),%xmm11\n\tmovdqu\t%xmm2,96(%rdi)\n\tmovdqu\t32(%rsi),%xmm2\n\tmovdqu\t%xmm7,112(%rdi)\n\tleaq\t128(%rdi),%rdi\n\tmovdqu\t48(%rsi),%xmm7\n\tpxor\t32(%rsp),%xmm6\n\tpxor\t%xmm10,%xmm11\n\tpxor\t%xmm14,%xmm2\n\tpxor\t%xmm8,%xmm7\n\n\tmovdqu\t%xmm6,0(%rdi)\n\tmovdqu\t64(%rsi),%xmm6\n\tmovdqu\t%xmm11,16(%rdi)\n\tmovdqu\t80(%rsi),%xmm11\n\tmovdqu\t%xmm2,32(%rdi)\n\tmovdqu\t96(%rsi),%xmm2\n\tmovdqu\t%xmm7,48(%rdi)\n\tmovdqu\t112(%rsi),%xmm7\n\tleaq\t128(%rsi),%rsi\n\tpxor\t48(%rsp),%xmm6\n\tpxor\t%xmm15,%xmm11\n\tpxor\t%xmm9,%xmm2\n\tpxor\t%xmm3,%xmm7\n\tmovdqu\t%xmm6,64(%rdi)\n\tmovdqu\t%xmm11,80(%rdi)\n\tmovdqu\t%xmm2,96(%rdi)\n\tmovdqu\t%xmm7,112(%rdi)\n\tleaq\t128(%rdi),%rdi\n\n\tsubq\t$256,%rdx\n\tjnz\tL$oop_outer4x\n\n\tjmp\tL$done4x\n\nL$tail4x:\n\tcmpq\t$192,%rdx\n\tjae\tL$192_or_more4x\n\tcmpq\t$128,%rdx\n\tjae\tL$128_or_more4x\n\tcmpq\t$64,%rdx\n\tjae\tL$64_or_more4x\n\n\n\txorq\t%r10,%r10\n\n\tmovdqa\t%xmm12,16(%rsp)\n\tmovdqa\t%xmm4,32(%rsp)\n\tmovdqa\t%xmm0,48(%rsp)\n\tjmp\tL$oop_tail4x\n\n.p2align\t5\nL$64_or_more4x:\n\tmovdqu\t0(%rsi),%xmm6\n\tmovdqu\t16(%rsi),%xmm11\n\tmovdqu\t32(%rsi),%xmm2\n\tmovdqu\t48(%rsi),%xmm7\n\tpxor\t0(%rsp),%xmm6\n\tpxor\t%xmm12,%xmm11\n\tpxor\t%xmm4,%xmm2\n\tpxor\t%xmm0,%xmm7\n\tmovdqu\t%xmm6,0(%rdi)\n\tmovdqu\t%xmm11,16(%rdi)\n\tmovdqu\t%xmm2,32(%rdi)\n\tmovdqu\t%xmm7,48(%rdi)\n\tje\tL$done4x\n\n\tmovdqa\t16(%rsp),%xmm6\n\tleaq\t64(%rsi),%rsi\n\txorq\t%r10,%r10\n\tmovdqa\t%xmm6,0(%rsp)\n\tmovdqa\t%xmm13,16(%rsp)\n\tleaq\t64(%rdi),%rdi\n\tmovdqa\t%xmm5,32(%rsp)\n\tsubq\t$64,%rdx\n\tmovdqa\t%xmm1,48(%rsp)\n\tjmp\tL$oop_tail4x\n\n.p2align\t5\nL$128_or_more4x:\n\tmovdqu\t0(%rsi),%xmm6\n\tmovdqu\t16(%rsi),%xmm11\n\tmovdqu\t32(%rsi),%xmm2\n\tmovdqu\t48(%rsi),%xmm7\n\tpxor\t0(%rsp),%xmm6\n\tpxor\t%xmm12,%xmm11\n\tpxor\t%xmm4,%xmm2\n\tpxor\t%xmm0,%xmm7\n\n\tmovdqu\t%xmm6,0(%rdi)\n\tmovdqu\t64(%rsi),%xmm6\n\tmovdqu\t%xmm11,16(%rdi)\n\tmovdqu\t80(%rsi),%xmm11\n\tmovdqu\t%xmm2,32(%rdi)\n\tmovdqu\t96(%rsi),%xmm2\n\tmovdqu\t%xmm7,48(%rdi)\n\tmovdqu\t112(%rsi),%xmm7\n\tpxor\t16(%rsp),%xmm6\n\tpxor\t%xmm13,%xmm11\n\tpxor\t%xmm5,%xmm2\n\tpxor\t%xmm1,%xmm7\n\tmovdqu\t%xmm6,64(%rdi)\n\tmovdqu\t%xmm11,80(%rdi)\n\tmovdqu\t%xmm2,96(%rdi)\n\tmovdqu\t%xmm7,112(%rdi)\n\tje\tL$done4x\n\n\tmovdqa\t32(%rsp),%xmm6\n\tleaq\t128(%rsi),%rsi\n\txorq\t%r10,%r10\n\tmovdqa\t%xmm6,0(%rsp)\n\tmovdqa\t%xmm10,16(%rsp)\n\tleaq\t128(%rdi),%rdi\n\tmovdqa\t%xmm14,32(%rsp)\n\tsubq\t$128,%rdx\n\tmovdqa\t%xmm8,48(%rsp)\n\tjmp\tL$oop_tail4x\n\n.p2align\t5\nL$192_or_more4x:\n\tmovdqu\t0(%rsi),%xmm6\n\tmovdqu\t16(%rsi),%xmm11\n\tmovdqu\t32(%rsi),%xmm2\n\tmovdqu\t48(%rsi),%xmm7\n\tpxor\t0(%rsp),%xmm6\n\tpxor\t%xmm12,%xmm11\n\tpxor\t%xmm4,%xmm2\n\tpxor\t%xmm0,%xmm7\n\n\tmovdqu\t%xmm6,0(%rdi)\n\tmovdqu\t64(%rsi),%xmm6\n\tmovdqu\t%xmm11,16(%rdi)\n\tmovdqu\t80(%rsi),%xmm11\n\tmovdqu\t%xmm2,32(%rdi)\n\tmovdqu\t96(%rsi),%xmm2\n\tmovdqu\t%xmm7,48(%rdi)\n\tmovdqu\t112(%rsi),%xmm7\n\tleaq\t128(%rsi),%rsi\n\tpxor\t16(%rsp),%xmm6\n\tpxor\t%xmm13,%xmm11\n\tpxor\t%xmm5,%xmm2\n\tpxor\t%xmm1,%xmm7\n\n\tmovdqu\t%xmm6,64(%rdi)\n\tmovdqu\t0(%rsi),%xmm6\n\tmovdqu\t%xmm11,80(%rdi)\n\tmovdqu\t16(%rsi),%xmm11\n\tmovdqu\t%xmm2,96(%rdi)\n\tmovdqu\t32(%rsi),%xmm2\n\tmovdqu\t%xmm7,112(%rdi)\n\tleaq\t128(%rdi),%rdi\n\tmovdqu\t48(%rsi),%xmm7\n\tpxor\t32(%rsp),%xmm6\n\tpxor\t%xmm10,%xmm11\n\tpxor\t%xmm14,%xmm2\n\tpxor\t%xmm8,%xmm7\n\tmovdqu\t%xmm6,0(%rdi)\n\tmovdqu\t%xmm11,16(%rdi)\n\tmovdqu\t%xmm2,32(%rdi)\n\tmovdqu\t%xmm7,48(%rdi)\n\tje\tL$done4x\n\n\tmovdqa\t48(%rsp),%xmm6\n\tleaq\t64(%rsi),%rsi\n\txorq\t%r10,%r10\n\tmovdqa\t%xmm6,0(%rsp)\n\tmovdqa\t%xmm15,16(%rsp)\n\tleaq\t64(%rdi),%rdi\n\tmovdqa\t%xmm9,32(%rsp)\n\tsubq\t$192,%rdx\n\tmovdqa\t%xmm3,48(%rsp)\n\nL$oop_tail4x:\n\tmovzbl\t(%rsi,%r10,1),%eax\n\tmovzbl\t(%rsp,%r10,1),%ecx\n\tleaq\t1(%r10),%r10\n\txorl\t%ecx,%eax\n\tmovb\t%al,-1(%rdi,%r10,1)\n\tdecq\t%rdx\n\tjnz\tL$oop_tail4x\n\nL$done4x:\n\tleaq\t(%r9),%rsp\n\nL$4x_epilogue:\n\tret\n\n\n.globl\t_ChaCha20_ctr32_avx2\n.private_extern _ChaCha20_ctr32_avx2\n\n.p2align\t5\n_ChaCha20_ctr32_avx2:\n\n_CET_ENDBR\n\tmovq\t%rsp,%r9\n\n\tsubq\t$0x280+8,%rsp\n\tandq\t$-32,%rsp\n\tvzeroupper\n\n\n\n\n\n\n\n\n\n\n\tvbroadcasti128\tL$sigma(%rip),%ymm11\n\tvbroadcasti128\t(%rcx),%ymm3\n\tvbroadcasti128\t16(%rcx),%ymm15\n\tvbroadcasti128\t(%r8),%ymm7\n\tleaq\t256(%rsp),%rcx\n\tleaq\t512(%rsp),%rax\n\tleaq\tL$rot16(%rip),%r10\n\tleaq\tL$rot24(%rip),%r11\n\n\tvpshufd\t$0x00,%ymm11,%ymm8\n\tvpshufd\t$0x55,%ymm11,%ymm9\n\tvmovdqa\t%ymm8,128-256(%rcx)\n\tvpshufd\t$0xaa,%ymm11,%ymm10\n\tvmovdqa\t%ymm9,160-256(%rcx)\n\tvpshufd\t$0xff,%ymm11,%ymm11\n\tvmovdqa\t%ymm10,192-256(%rcx)\n\tvmovdqa\t%ymm11,224-256(%rcx)\n\n\tvpshufd\t$0x00,%ymm3,%ymm0\n\tvpshufd\t$0x55,%ymm3,%ymm1\n\tvmovdqa\t%ymm0,256-256(%rcx)\n\tvpshufd\t$0xaa,%ymm3,%ymm2\n\tvmovdqa\t%ymm1,288-256(%rcx)\n\tvpshufd\t$0xff,%ymm3,%ymm3\n\tvmovdqa\t%ymm2,320-256(%rcx)\n\tvmovdqa\t%ymm3,352-256(%rcx)\n\n\tvpshufd\t$0x00,%ymm15,%ymm12\n\tvpshufd\t$0x55,%ymm15,%ymm13\n\tvmovdqa\t%ymm12,384-512(%rax)\n\tvpshufd\t$0xaa,%ymm15,%ymm14\n\tvmovdqa\t%ymm13,416-512(%rax)\n\tvpshufd\t$0xff,%ymm15,%ymm15\n\tvmovdqa\t%ymm14,448-512(%rax)\n\tvmovdqa\t%ymm15,480-512(%rax)\n\n\tvpshufd\t$0x00,%ymm7,%ymm4\n\tvpshufd\t$0x55,%ymm7,%ymm5\n\tvpaddd\tL$incy(%rip),%ymm4,%ymm4\n\tvpshufd\t$0xaa,%ymm7,%ymm6\n\tvmovdqa\t%ymm5,544-512(%rax)\n\tvpshufd\t$0xff,%ymm7,%ymm7\n\tvmovdqa\t%ymm6,576-512(%rax)\n\tvmovdqa\t%ymm7,608-512(%rax)\n\n\tjmp\tL$oop_enter8x\n\n.p2align\t5\nL$oop_outer8x:\n\tvmovdqa\t128-256(%rcx),%ymm8\n\tvmovdqa\t160-256(%rcx),%ymm9\n\tvmovdqa\t192-256(%rcx),%ymm10\n\tvmovdqa\t224-256(%rcx),%ymm11\n\tvmovdqa\t256-256(%rcx),%ymm0\n\tvmovdqa\t288-256(%rcx),%ymm1\n\tvmovdqa\t320-256(%rcx),%ymm2\n\tvmovdqa\t352-256(%rcx),%ymm3\n\tvmovdqa\t384-512(%rax),%ymm12\n\tvmovdqa\t416-512(%rax),%ymm13\n\tvmovdqa\t448-512(%rax),%ymm14\n\tvmovdqa\t480-512(%rax),%ymm15\n\tvmovdqa\t512-512(%rax),%ymm4\n\tvmovdqa\t544-512(%rax),%ymm5\n\tvmovdqa\t576-512(%rax),%ymm6\n\tvmovdqa\t608-512(%rax),%ymm7\n\tvpaddd\tL$eight(%rip),%ymm4,%ymm4\n\nL$oop_enter8x:\n\tvmovdqa\t%ymm14,64(%rsp)\n\tvmovdqa\t%ymm15,96(%rsp)\n\tvbroadcasti128\t(%r10),%ymm15\n\tvmovdqa\t%ymm4,512-512(%rax)\n\tmovl\t$10,%eax\n\tjmp\tL$oop8x\n\n.p2align\t5\nL$oop8x:\n\tvpaddd\t%ymm0,%ymm8,%ymm8\n\tvpxor\t%ymm4,%ymm8,%ymm4\n\tvpshufb\t%ymm15,%ymm4,%ymm4\n\tvpaddd\t%ymm1,%ymm9,%ymm9\n\tvpxor\t%ymm5,%ymm9,%ymm5\n\tvpshufb\t%ymm15,%ymm5,%ymm5\n\tvpaddd\t%ymm4,%ymm12,%ymm12\n\tvpxor\t%ymm0,%ymm12,%ymm0\n\tvpslld\t$12,%ymm0,%ymm14\n\tvpsrld\t$20,%ymm0,%ymm0\n\tvpor\t%ymm0,%ymm14,%ymm0\n\tvbroadcasti128\t(%r11),%ymm14\n\tvpaddd\t%ymm5,%ymm13,%ymm13\n\tvpxor\t%ymm1,%ymm13,%ymm1\n\tvpslld\t$12,%ymm1,%ymm15\n\tvpsrld\t$20,%ymm1,%ymm1\n\tvpor\t%ymm1,%ymm15,%ymm1\n\tvpaddd\t%ymm0,%ymm8,%ymm8\n\tvpxor\t%ymm4,%ymm8,%ymm4\n\tvpshufb\t%ymm14,%ymm4,%ymm4\n\tvpaddd\t%ymm1,%ymm9,%ymm9\n\tvpxor\t%ymm5,%ymm9,%ymm5\n\tvpshufb\t%ymm14,%ymm5,%ymm5\n\tvpaddd\t%ymm4,%ymm12,%ymm12\n\tvpxor\t%ymm0,%ymm12,%ymm0\n\tvpslld\t$7,%ymm0,%ymm15\n\tvpsrld\t$25,%ymm0,%ymm0\n\tvpor\t%ymm0,%ymm15,%ymm0\n\tvbroadcasti128\t(%r10),%ymm15\n\tvpaddd\t%ymm5,%ymm13,%ymm13\n\tvpxor\t%ymm1,%ymm13,%ymm1\n\tvpslld\t$7,%ymm1,%ymm14\n\tvpsrld\t$25,%ymm1,%ymm1\n\tvpor\t%ymm1,%ymm14,%ymm1\n\tvmovdqa\t%ymm12,0(%rsp)\n\tvmovdqa\t%ymm13,32(%rsp)\n\tvmovdqa\t64(%rsp),%ymm12\n\tvmovdqa\t96(%rsp),%ymm13\n\tvpaddd\t%ymm2,%ymm10,%ymm10\n\tvpxor\t%ymm6,%ymm10,%ymm6\n\tvpshufb\t%ymm15,%ymm6,%ymm6\n\tvpaddd\t%ymm3,%ymm11,%ymm11\n\tvpxor\t%ymm7,%ymm11,%ymm7\n\tvpshufb\t%ymm15,%ymm7,%ymm7\n\tvpaddd\t%ymm6,%ymm12,%ymm12\n\tvpxor\t%ymm2,%ymm12,%ymm2\n\tvpslld\t$12,%ymm2,%ymm14\n\tvpsrld\t$20,%ymm2,%ymm2\n\tvpor\t%ymm2,%ymm14,%ymm2\n\tvbroadcasti128\t(%r11),%ymm14\n\tvpaddd\t%ymm7,%ymm13,%ymm13\n\tvpxor\t%ymm3,%ymm13,%ymm3\n\tvpslld\t$12,%ymm3,%ymm15\n\tvpsrld\t$20,%ymm3,%ymm3\n\tvpor\t%ymm3,%ymm15,%ymm3\n\tvpaddd\t%ymm2,%ymm10,%ymm10\n\tvpxor\t%ymm6,%ymm10,%ymm6\n\tvpshufb\t%ymm14,%ymm6,%ymm6\n\tvpaddd\t%ymm3,%ymm11,%ymm11\n\tvpxor\t%ymm7,%ymm11,%ymm7\n\tvpshufb\t%ymm14,%ymm7,%ymm7\n\tvpaddd\t%ymm6,%ymm12,%ymm12\n\tvpxor\t%ymm2,%ymm12,%ymm2\n\tvpslld\t$7,%ymm2,%ymm15\n\tvpsrld\t$25,%ymm2,%ymm2\n\tvpor\t%ymm2,%ymm15,%ymm2\n\tvbroadcasti128\t(%r10),%ymm15\n\tvpaddd\t%ymm7,%ymm13,%ymm13\n\tvpxor\t%ymm3,%ymm13,%ymm3\n\tvpslld\t$7,%ymm3,%ymm14\n\tvpsrld\t$25,%ymm3,%ymm3\n\tvpor\t%ymm3,%ymm14,%ymm3\n\tvpaddd\t%ymm1,%ymm8,%ymm8\n\tvpxor\t%ymm7,%ymm8,%ymm7\n\tvpshufb\t%ymm15,%ymm7,%ymm7\n\tvpaddd\t%ymm2,%ymm9,%ymm9\n\tvpxor\t%ymm4,%ymm9,%ymm4\n\tvpshufb\t%ymm15,%ymm4,%ymm4\n\tvpaddd\t%ymm7,%ymm12,%ymm12\n\tvpxor\t%ymm1,%ymm12,%ymm1\n\tvpslld\t$12,%ymm1,%ymm14\n\tvpsrld\t$20,%ymm1,%ymm1\n\tvpor\t%ymm1,%ymm14,%ymm1\n\tvbroadcasti128\t(%r11),%ymm14\n\tvpaddd\t%ymm4,%ymm13,%ymm13\n\tvpxor\t%ymm2,%ymm13,%ymm2\n\tvpslld\t$12,%ymm2,%ymm15\n\tvpsrld\t$20,%ymm2,%ymm2\n\tvpor\t%ymm2,%ymm15,%ymm2\n\tvpaddd\t%ymm1,%ymm8,%ymm8\n\tvpxor\t%ymm7,%ymm8,%ymm7\n\tvpshufb\t%ymm14,%ymm7,%ymm7\n\tvpaddd\t%ymm2,%ymm9,%ymm9\n\tvpxor\t%ymm4,%ymm9,%ymm4\n\tvpshufb\t%ymm14,%ymm4,%ymm4\n\tvpaddd\t%ymm7,%ymm12,%ymm12\n\tvpxor\t%ymm1,%ymm12,%ymm1\n\tvpslld\t$7,%ymm1,%ymm15\n\tvpsrld\t$25,%ymm1,%ymm1\n\tvpor\t%ymm1,%ymm15,%ymm1\n\tvbroadcasti128\t(%r10),%ymm15\n\tvpaddd\t%ymm4,%ymm13,%ymm13\n\tvpxor\t%ymm2,%ymm13,%ymm2\n\tvpslld\t$7,%ymm2,%ymm14\n\tvpsrld\t$25,%ymm2,%ymm2\n\tvpor\t%ymm2,%ymm14,%ymm2\n\tvmovdqa\t%ymm12,64(%rsp)\n\tvmovdqa\t%ymm13,96(%rsp)\n\tvmovdqa\t0(%rsp),%ymm12\n\tvmovdqa\t32(%rsp),%ymm13\n\tvpaddd\t%ymm3,%ymm10,%ymm10\n\tvpxor\t%ymm5,%ymm10,%ymm5\n\tvpshufb\t%ymm15,%ymm5,%ymm5\n\tvpaddd\t%ymm0,%ymm11,%ymm11\n\tvpxor\t%ymm6,%ymm11,%ymm6\n\tvpshufb\t%ymm15,%ymm6,%ymm6\n\tvpaddd\t%ymm5,%ymm12,%ymm12\n\tvpxor\t%ymm3,%ymm12,%ymm3\n\tvpslld\t$12,%ymm3,%ymm14\n\tvpsrld\t$20,%ymm3,%ymm3\n\tvpor\t%ymm3,%ymm14,%ymm3\n\tvbroadcasti128\t(%r11),%ymm14\n\tvpaddd\t%ymm6,%ymm13,%ymm13\n\tvpxor\t%ymm0,%ymm13,%ymm0\n\tvpslld\t$12,%ymm0,%ymm15\n\tvpsrld\t$20,%ymm0,%ymm0\n\tvpor\t%ymm0,%ymm15,%ymm0\n\tvpaddd\t%ymm3,%ymm10,%ymm10\n\tvpxor\t%ymm5,%ymm10,%ymm5\n\tvpshufb\t%ymm14,%ymm5,%ymm5\n\tvpaddd\t%ymm0,%ymm11,%ymm11\n\tvpxor\t%ymm6,%ymm11,%ymm6\n\tvpshufb\t%ymm14,%ymm6,%ymm6\n\tvpaddd\t%ymm5,%ymm12,%ymm12\n\tvpxor\t%ymm3,%ymm12,%ymm3\n\tvpslld\t$7,%ymm3,%ymm15\n\tvpsrld\t$25,%ymm3,%ymm3\n\tvpor\t%ymm3,%ymm15,%ymm3\n\tvbroadcasti128\t(%r10),%ymm15\n\tvpaddd\t%ymm6,%ymm13,%ymm13\n\tvpxor\t%ymm0,%ymm13,%ymm0\n\tvpslld\t$7,%ymm0,%ymm14\n\tvpsrld\t$25,%ymm0,%ymm0\n\tvpor\t%ymm0,%ymm14,%ymm0\n\tdecl\t%eax\n\tjnz\tL$oop8x\n\n\tleaq\t512(%rsp),%rax\n\tvpaddd\t128-256(%rcx),%ymm8,%ymm8\n\tvpaddd\t160-256(%rcx),%ymm9,%ymm9\n\tvpaddd\t192-256(%rcx),%ymm10,%ymm10\n\tvpaddd\t224-256(%rcx),%ymm11,%ymm11\n\n\tvpunpckldq\t%ymm9,%ymm8,%ymm14\n\tvpunpckldq\t%ymm11,%ymm10,%ymm15\n\tvpunpckhdq\t%ymm9,%ymm8,%ymm8\n\tvpunpckhdq\t%ymm11,%ymm10,%ymm10\n\tvpunpcklqdq\t%ymm15,%ymm14,%ymm9\n\tvpunpckhqdq\t%ymm15,%ymm14,%ymm14\n\tvpunpcklqdq\t%ymm10,%ymm8,%ymm11\n\tvpunpckhqdq\t%ymm10,%ymm8,%ymm8\n\tvpaddd\t256-256(%rcx),%ymm0,%ymm0\n\tvpaddd\t288-256(%rcx),%ymm1,%ymm1\n\tvpaddd\t320-256(%rcx),%ymm2,%ymm2\n\tvpaddd\t352-256(%rcx),%ymm3,%ymm3\n\n\tvpunpckldq\t%ymm1,%ymm0,%ymm10\n\tvpunpckldq\t%ymm3,%ymm2,%ymm15\n\tvpunpckhdq\t%ymm1,%ymm0,%ymm0\n\tvpunpckhdq\t%ymm3,%ymm2,%ymm2\n\tvpunpcklqdq\t%ymm15,%ymm10,%ymm1\n\tvpunpckhqdq\t%ymm15,%ymm10,%ymm10\n\tvpunpcklqdq\t%ymm2,%ymm0,%ymm3\n\tvpunpckhqdq\t%ymm2,%ymm0,%ymm0\n\tvperm2i128\t$0x20,%ymm1,%ymm9,%ymm15\n\tvperm2i128\t$0x31,%ymm1,%ymm9,%ymm1\n\tvperm2i128\t$0x20,%ymm10,%ymm14,%ymm9\n\tvperm2i128\t$0x31,%ymm10,%ymm14,%ymm10\n\tvperm2i128\t$0x20,%ymm3,%ymm11,%ymm14\n\tvperm2i128\t$0x31,%ymm3,%ymm11,%ymm3\n\tvperm2i128\t$0x20,%ymm0,%ymm8,%ymm11\n\tvperm2i128\t$0x31,%ymm0,%ymm8,%ymm0\n\tvmovdqa\t%ymm15,0(%rsp)\n\tvmovdqa\t%ymm9,32(%rsp)\n\tvmovdqa\t64(%rsp),%ymm15\n\tvmovdqa\t96(%rsp),%ymm9\n\n\tvpaddd\t384-512(%rax),%ymm12,%ymm12\n\tvpaddd\t416-512(%rax),%ymm13,%ymm13\n\tvpaddd\t448-512(%rax),%ymm15,%ymm15\n\tvpaddd\t480-512(%rax),%ymm9,%ymm9\n\n\tvpunpckldq\t%ymm13,%ymm12,%ymm2\n\tvpunpckldq\t%ymm9,%ymm15,%ymm8\n\tvpunpckhdq\t%ymm13,%ymm12,%ymm12\n\tvpunpckhdq\t%ymm9,%ymm15,%ymm15\n\tvpunpcklqdq\t%ymm8,%ymm2,%ymm13\n\tvpunpckhqdq\t%ymm8,%ymm2,%ymm2\n\tvpunpcklqdq\t%ymm15,%ymm12,%ymm9\n\tvpunpckhqdq\t%ymm15,%ymm12,%ymm12\n\tvpaddd\t512-512(%rax),%ymm4,%ymm4\n\tvpaddd\t544-512(%rax),%ymm5,%ymm5\n\tvpaddd\t576-512(%rax),%ymm6,%ymm6\n\tvpaddd\t608-512(%rax),%ymm7,%ymm7\n\n\tvpunpckldq\t%ymm5,%ymm4,%ymm15\n\tvpunpckldq\t%ymm7,%ymm6,%ymm8\n\tvpunpckhdq\t%ymm5,%ymm4,%ymm4\n\tvpunpckhdq\t%ymm7,%ymm6,%ymm6\n\tvpunpcklqdq\t%ymm8,%ymm15,%ymm5\n\tvpunpckhqdq\t%ymm8,%ymm15,%ymm15\n\tvpunpcklqdq\t%ymm6,%ymm4,%ymm7\n\tvpunpckhqdq\t%ymm6,%ymm4,%ymm4\n\tvperm2i128\t$0x20,%ymm5,%ymm13,%ymm8\n\tvperm2i128\t$0x31,%ymm5,%ymm13,%ymm5\n\tvperm2i128\t$0x20,%ymm15,%ymm2,%ymm13\n\tvperm2i128\t$0x31,%ymm15,%ymm2,%ymm15\n\tvperm2i128\t$0x20,%ymm7,%ymm9,%ymm2\n\tvperm2i128\t$0x31,%ymm7,%ymm9,%ymm7\n\tvperm2i128\t$0x20,%ymm4,%ymm12,%ymm9\n\tvperm2i128\t$0x31,%ymm4,%ymm12,%ymm4\n\tvmovdqa\t0(%rsp),%ymm6\n\tvmovdqa\t32(%rsp),%ymm12\n\n\tcmpq\t$512,%rdx\n\tjb\tL$tail8x\n\n\tvpxor\t0(%rsi),%ymm6,%ymm6\n\tvpxor\t32(%rsi),%ymm8,%ymm8\n\tvpxor\t64(%rsi),%ymm1,%ymm1\n\tvpxor\t96(%rsi),%ymm5,%ymm5\n\tleaq\t128(%rsi),%rsi\n\tvmovdqu\t%ymm6,0(%rdi)\n\tvmovdqu\t%ymm8,32(%rdi)\n\tvmovdqu\t%ymm1,64(%rdi)\n\tvmovdqu\t%ymm5,96(%rdi)\n\tleaq\t128(%rdi),%rdi\n\n\tvpxor\t0(%rsi),%ymm12,%ymm12\n\tvpxor\t32(%rsi),%ymm13,%ymm13\n\tvpxor\t64(%rsi),%ymm10,%ymm10\n\tvpxor\t96(%rsi),%ymm15,%ymm15\n\tleaq\t128(%rsi),%rsi\n\tvmovdqu\t%ymm12,0(%rdi)\n\tvmovdqu\t%ymm13,32(%rdi)\n\tvmovdqu\t%ymm10,64(%rdi)\n\tvmovdqu\t%ymm15,96(%rdi)\n\tleaq\t128(%rdi),%rdi\n\n\tvpxor\t0(%rsi),%ymm14,%ymm14\n\tvpxor\t32(%rsi),%ymm2,%ymm2\n\tvpxor\t64(%rsi),%ymm3,%ymm3\n\tvpxor\t96(%rsi),%ymm7,%ymm7\n\tleaq\t128(%rsi),%rsi\n\tvmovdqu\t%ymm14,0(%rdi)\n\tvmovdqu\t%ymm2,32(%rdi)\n\tvmovdqu\t%ymm3,64(%rdi)\n\tvmovdqu\t%ymm7,96(%rdi)\n\tleaq\t128(%rdi),%rdi\n\n\tvpxor\t0(%rsi),%ymm11,%ymm11\n\tvpxor\t32(%rsi),%ymm9,%ymm9\n\tvpxor\t64(%rsi),%ymm0,%ymm0\n\tvpxor\t96(%rsi),%ymm4,%ymm4\n\tleaq\t128(%rsi),%rsi\n\tvmovdqu\t%ymm11,0(%rdi)\n\tvmovdqu\t%ymm9,32(%rdi)\n\tvmovdqu\t%ymm0,64(%rdi)\n\tvmovdqu\t%ymm4,96(%rdi)\n\tleaq\t128(%rdi),%rdi\n\n\tsubq\t$512,%rdx\n\tjnz\tL$oop_outer8x\n\n\tjmp\tL$done8x\n\nL$tail8x:\n\tcmpq\t$448,%rdx\n\tjae\tL$448_or_more8x\n\tcmpq\t$384,%rdx\n\tjae\tL$384_or_more8x\n\tcmpq\t$320,%rdx\n\tjae\tL$320_or_more8x\n\tcmpq\t$256,%rdx\n\tjae\tL$256_or_more8x\n\tcmpq\t$192,%rdx\n\tjae\tL$192_or_more8x\n\tcmpq\t$128,%rdx\n\tjae\tL$128_or_more8x\n\tcmpq\t$64,%rdx\n\tjae\tL$64_or_more8x\n\n\txorq\t%r10,%r10\n\tvmovdqa\t%ymm6,0(%rsp)\n\tvmovdqa\t%ymm8,32(%rsp)\n\tjmp\tL$oop_tail8x\n\n.p2align\t5\nL$64_or_more8x:\n\tvpxor\t0(%rsi),%ymm6,%ymm6\n\tvpxor\t32(%rsi),%ymm8,%ymm8\n\tvmovdqu\t%ymm6,0(%rdi)\n\tvmovdqu\t%ymm8,32(%rdi)\n\tje\tL$done8x\n\n\tleaq\t64(%rsi),%rsi\n\txorq\t%r10,%r10\n\tvmovdqa\t%ymm1,0(%rsp)\n\tleaq\t64(%rdi),%rdi\n\tsubq\t$64,%rdx\n\tvmovdqa\t%ymm5,32(%rsp)\n\tjmp\tL$oop_tail8x\n\n.p2align\t5\nL$128_or_more8x:\n\tvpxor\t0(%rsi),%ymm6,%ymm6\n\tvpxor\t32(%rsi),%ymm8,%ymm8\n\tvpxor\t64(%rsi),%ymm1,%ymm1\n\tvpxor\t96(%rsi),%ymm5,%ymm5\n\tvmovdqu\t%ymm6,0(%rdi)\n\tvmovdqu\t%ymm8,32(%rdi)\n\tvmovdqu\t%ymm1,64(%rdi)\n\tvmovdqu\t%ymm5,96(%rdi)\n\tje\tL$done8x\n\n\tleaq\t128(%rsi),%rsi\n\txorq\t%r10,%r10\n\tvmovdqa\t%ymm12,0(%rsp)\n\tleaq\t128(%rdi),%rdi\n\tsubq\t$128,%rdx\n\tvmovdqa\t%ymm13,32(%rsp)\n\tjmp\tL$oop_tail8x\n\n.p2align\t5\nL$192_or_more8x:\n\tvpxor\t0(%rsi),%ymm6,%ymm6\n\tvpxor\t32(%rsi),%ymm8,%ymm8\n\tvpxor\t64(%rsi),%ymm1,%ymm1\n\tvpxor\t96(%rsi),%ymm5,%ymm5\n\tvpxor\t128(%rsi),%ymm12,%ymm12\n\tvpxor\t160(%rsi),%ymm13,%ymm13\n\tvmovdqu\t%ymm6,0(%rdi)\n\tvmovdqu\t%ymm8,32(%rdi)\n\tvmovdqu\t%ymm1,64(%rdi)\n\tvmovdqu\t%ymm5,96(%rdi)\n\tvmovdqu\t%ymm12,128(%rdi)\n\tvmovdqu\t%ymm13,160(%rdi)\n\tje\tL$done8x\n\n\tleaq\t192(%rsi),%rsi\n\txorq\t%r10,%r10\n\tvmovdqa\t%ymm10,0(%rsp)\n\tleaq\t192(%rdi),%rdi\n\tsubq\t$192,%rdx\n\tvmovdqa\t%ymm15,32(%rsp)\n\tjmp\tL$oop_tail8x\n\n.p2align\t5\nL$256_or_more8x:\n\tvpxor\t0(%rsi),%ymm6,%ymm6\n\tvpxor\t32(%rsi),%ymm8,%ymm8\n\tvpxor\t64(%rsi),%ymm1,%ymm1\n\tvpxor\t96(%rsi),%ymm5,%ymm5\n\tvpxor\t128(%rsi),%ymm12,%ymm12\n\tvpxor\t160(%rsi),%ymm13,%ymm13\n\tvpxor\t192(%rsi),%ymm10,%ymm10\n\tvpxor\t224(%rsi),%ymm15,%ymm15\n\tvmovdqu\t%ymm6,0(%rdi)\n\tvmovdqu\t%ymm8,32(%rdi)\n\tvmovdqu\t%ymm1,64(%rdi)\n\tvmovdqu\t%ymm5,96(%rdi)\n\tvmovdqu\t%ymm12,128(%rdi)\n\tvmovdqu\t%ymm13,160(%rdi)\n\tvmovdqu\t%ymm10,192(%rdi)\n\tvmovdqu\t%ymm15,224(%rdi)\n\tje\tL$done8x\n\n\tleaq\t256(%rsi),%rsi\n\txorq\t%r10,%r10\n\tvmovdqa\t%ymm14,0(%rsp)\n\tleaq\t256(%rdi),%rdi\n\tsubq\t$256,%rdx\n\tvmovdqa\t%ymm2,32(%rsp)\n\tjmp\tL$oop_tail8x\n\n.p2align\t5\nL$320_or_more8x:\n\tvpxor\t0(%rsi),%ymm6,%ymm6\n\tvpxor\t32(%rsi),%ymm8,%ymm8\n\tvpxor\t64(%rsi),%ymm1,%ymm1\n\tvpxor\t96(%rsi),%ymm5,%ymm5\n\tvpxor\t128(%rsi),%ymm12,%ymm12\n\tvpxor\t160(%rsi),%ymm13,%ymm13\n\tvpxor\t192(%rsi),%ymm10,%ymm10\n\tvpxor\t224(%rsi),%ymm15,%ymm15\n\tvpxor\t256(%rsi),%ymm14,%ymm14\n\tvpxor\t288(%rsi),%ymm2,%ymm2\n\tvmovdqu\t%ymm6,0(%rdi)\n\tvmovdqu\t%ymm8,32(%rdi)\n\tvmovdqu\t%ymm1,64(%rdi)\n\tvmovdqu\t%ymm5,96(%rdi)\n\tvmovdqu\t%ymm12,128(%rdi)\n\tvmovdqu\t%ymm13,160(%rdi)\n\tvmovdqu\t%ymm10,192(%rdi)\n\tvmovdqu\t%ymm15,224(%rdi)\n\tvmovdqu\t%ymm14,256(%rdi)\n\tvmovdqu\t%ymm2,288(%rdi)\n\tje\tL$done8x\n\n\tleaq\t320(%rsi),%rsi\n\txorq\t%r10,%r10\n\tvmovdqa\t%ymm3,0(%rsp)\n\tleaq\t320(%rdi),%rdi\n\tsubq\t$320,%rdx\n\tvmovdqa\t%ymm7,32(%rsp)\n\tjmp\tL$oop_tail8x\n\n.p2align\t5\nL$384_or_more8x:\n\tvpxor\t0(%rsi),%ymm6,%ymm6\n\tvpxor\t32(%rsi),%ymm8,%ymm8\n\tvpxor\t64(%rsi),%ymm1,%ymm1\n\tvpxor\t96(%rsi),%ymm5,%ymm5\n\tvpxor\t128(%rsi),%ymm12,%ymm12\n\tvpxor\t160(%rsi),%ymm13,%ymm13\n\tvpxor\t192(%rsi),%ymm10,%ymm10\n\tvpxor\t224(%rsi),%ymm15,%ymm15\n\tvpxor\t256(%rsi),%ymm14,%ymm14\n\tvpxor\t288(%rsi),%ymm2,%ymm2\n\tvpxor\t320(%rsi),%ymm3,%ymm3\n\tvpxor\t352(%rsi),%ymm7,%ymm7\n\tvmovdqu\t%ymm6,0(%rdi)\n\tvmovdqu\t%ymm8,32(%rdi)\n\tvmovdqu\t%ymm1,64(%rdi)\n\tvmovdqu\t%ymm5,96(%rdi)\n\tvmovdqu\t%ymm12,128(%rdi)\n\tvmovdqu\t%ymm13,160(%rdi)\n\tvmovdqu\t%ymm10,192(%rdi)\n\tvmovdqu\t%ymm15,224(%rdi)\n\tvmovdqu\t%ymm14,256(%rdi)\n\tvmovdqu\t%ymm2,288(%rdi)\n\tvmovdqu\t%ymm3,320(%rdi)\n\tvmovdqu\t%ymm7,352(%rdi)\n\tje\tL$done8x\n\n\tleaq\t384(%rsi),%rsi\n\txorq\t%r10,%r10\n\tvmovdqa\t%ymm11,0(%rsp)\n\tleaq\t384(%rdi),%rdi\n\tsubq\t$384,%rdx\n\tvmovdqa\t%ymm9,32(%rsp)\n\tjmp\tL$oop_tail8x\n\n.p2align\t5\nL$448_or_more8x:\n\tvpxor\t0(%rsi),%ymm6,%ymm6\n\tvpxor\t32(%rsi),%ymm8,%ymm8\n\tvpxor\t64(%rsi),%ymm1,%ymm1\n\tvpxor\t96(%rsi),%ymm5,%ymm5\n\tvpxor\t128(%rsi),%ymm12,%ymm12\n\tvpxor\t160(%rsi),%ymm13,%ymm13\n\tvpxor\t192(%rsi),%ymm10,%ymm10\n\tvpxor\t224(%rsi),%ymm15,%ymm15\n\tvpxor\t256(%rsi),%ymm14,%ymm14\n\tvpxor\t288(%rsi),%ymm2,%ymm2\n\tvpxor\t320(%rsi),%ymm3,%ymm3\n\tvpxor\t352(%rsi),%ymm7,%ymm7\n\tvpxor\t384(%rsi),%ymm11,%ymm11\n\tvpxor\t416(%rsi),%ymm9,%ymm9\n\tvmovdqu\t%ymm6,0(%rdi)\n\tvmovdqu\t%ymm8,32(%rdi)\n\tvmovdqu\t%ymm1,64(%rdi)\n\tvmovdqu\t%ymm5,96(%rdi)\n\tvmovdqu\t%ymm12,128(%rdi)\n\tvmovdqu\t%ymm13,160(%rdi)\n\tvmovdqu\t%ymm10,192(%rdi)\n\tvmovdqu\t%ymm15,224(%rdi)\n\tvmovdqu\t%ymm14,256(%rdi)\n\tvmovdqu\t%ymm2,288(%rdi)\n\tvmovdqu\t%ymm3,320(%rdi)\n\tvmovdqu\t%ymm7,352(%rdi)\n\tvmovdqu\t%ymm11,384(%rdi)\n\tvmovdqu\t%ymm9,416(%rdi)\n\tje\tL$done8x\n\n\tleaq\t448(%rsi),%rsi\n\txorq\t%r10,%r10\n\tvmovdqa\t%ymm0,0(%rsp)\n\tleaq\t448(%rdi),%rdi\n\tsubq\t$448,%rdx\n\tvmovdqa\t%ymm4,32(%rsp)\n\nL$oop_tail8x:\n\tmovzbl\t(%rsi,%r10,1),%eax\n\tmovzbl\t(%rsp,%r10,1),%ecx\n\tleaq\t1(%r10),%r10\n\txorl\t%ecx,%eax\n\tmovb\t%al,-1(%rdi,%r10,1)\n\tdecq\t%rdx\n\tjnz\tL$oop_tail8x\n\nL$done8x:\n\tvzeroall\n\tleaq\t(%r9),%rsp\n\nL$8x_epilogue:\n\tret\n\n\n#endif\n#if defined(__linux__) && defined(__ELF__)\n.section .note.GNU-stack,\"\",%progbits\n#endif\n\n" }, { "path": "Sources/CNIOBoringSSL/gen/crypto/chacha-x86_64-linux.S", "content": "#define BORINGSSL_PREFIX CNIOBoringSSL\n// This file is generated from a similarly-named Perl script in the BoringSSL\n// source tree. Do not edit by hand.\n\n#include \n\n#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86_64) && defined(__ELF__)\n.text\t\n\n.section\t.rodata\n.align\t64\n.Lzero:\n.long\t0,0,0,0\n.Lone:\n.long\t1,0,0,0\n.Linc:\n.long\t0,1,2,3\n.Lfour:\n.long\t4,4,4,4\n.Lincy:\n.long\t0,2,4,6,1,3,5,7\n.Leight:\n.long\t8,8,8,8,8,8,8,8\n.Lrot16:\n.byte\t0x2,0x3,0x0,0x1, 0x6,0x7,0x4,0x5, 0xa,0xb,0x8,0x9, 0xe,0xf,0xc,0xd\n.Lrot24:\n.byte\t0x3,0x0,0x1,0x2, 0x7,0x4,0x5,0x6, 0xb,0x8,0x9,0xa, 0xf,0xc,0xd,0xe\n.Lsigma:\n.byte\t101,120,112,97,110,100,32,51,50,45,98,121,116,101,32,107,0\n.align\t64\n.Lzeroz:\n.long\t0,0,0,0, 1,0,0,0, 2,0,0,0, 3,0,0,0\n.Lfourz:\n.long\t4,0,0,0, 4,0,0,0, 4,0,0,0, 4,0,0,0\n.Lincz:\n.long\t0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15\n.Lsixteen:\n.long\t16,16,16,16,16,16,16,16,16,16,16,16,16,16,16,16\n.byte\t67,104,97,67,104,97,50,48,32,102,111,114,32,120,56,54,95,54,52,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0\n.text\t\n.globl\tChaCha20_ctr32_nohw\n.hidden ChaCha20_ctr32_nohw\n.type\tChaCha20_ctr32_nohw,@function\n.align\t64\nChaCha20_ctr32_nohw:\n.cfi_startproc\t\n_CET_ENDBR\n\tpushq\t%rbx\n.cfi_adjust_cfa_offset\t8\n.cfi_offset\trbx,-16\n\tpushq\t%rbp\n.cfi_adjust_cfa_offset\t8\n.cfi_offset\trbp,-24\n\tpushq\t%r12\n.cfi_adjust_cfa_offset\t8\n.cfi_offset\tr12,-32\n\tpushq\t%r13\n.cfi_adjust_cfa_offset\t8\n.cfi_offset\tr13,-40\n\tpushq\t%r14\n.cfi_adjust_cfa_offset\t8\n.cfi_offset\tr14,-48\n\tpushq\t%r15\n.cfi_adjust_cfa_offset\t8\n.cfi_offset\tr15,-56\n\tsubq\t$64+24,%rsp\n.cfi_adjust_cfa_offset\t88\n.Lctr32_body:\n\n\n\tmovdqu\t(%rcx),%xmm1\n\tmovdqu\t16(%rcx),%xmm2\n\tmovdqu\t(%r8),%xmm3\n\tmovdqa\t.Lone(%rip),%xmm4\n\n\n\tmovdqa\t%xmm1,16(%rsp)\n\tmovdqa\t%xmm2,32(%rsp)\n\tmovdqa\t%xmm3,48(%rsp)\n\tmovq\t%rdx,%rbp\n\tjmp\t.Loop_outer\n\n.align\t32\n.Loop_outer:\n\tmovl\t$0x61707865,%eax\n\tmovl\t$0x3320646e,%ebx\n\tmovl\t$0x79622d32,%ecx\n\tmovl\t$0x6b206574,%edx\n\tmovl\t16(%rsp),%r8d\n\tmovl\t20(%rsp),%r9d\n\tmovl\t24(%rsp),%r10d\n\tmovl\t28(%rsp),%r11d\n\tmovd\t%xmm3,%r12d\n\tmovl\t52(%rsp),%r13d\n\tmovl\t56(%rsp),%r14d\n\tmovl\t60(%rsp),%r15d\n\n\tmovq\t%rbp,64+0(%rsp)\n\tmovl\t$10,%ebp\n\tmovq\t%rsi,64+8(%rsp)\n.byte\t102,72,15,126,214\n\tmovq\t%rdi,64+16(%rsp)\n\tmovq\t%rsi,%rdi\n\tshrq\t$32,%rdi\n\tjmp\t.Loop\n\n.align\t32\n.Loop:\n\taddl\t%r8d,%eax\n\txorl\t%eax,%r12d\n\troll\t$16,%r12d\n\taddl\t%r9d,%ebx\n\txorl\t%ebx,%r13d\n\troll\t$16,%r13d\n\taddl\t%r12d,%esi\n\txorl\t%esi,%r8d\n\troll\t$12,%r8d\n\taddl\t%r13d,%edi\n\txorl\t%edi,%r9d\n\troll\t$12,%r9d\n\taddl\t%r8d,%eax\n\txorl\t%eax,%r12d\n\troll\t$8,%r12d\n\taddl\t%r9d,%ebx\n\txorl\t%ebx,%r13d\n\troll\t$8,%r13d\n\taddl\t%r12d,%esi\n\txorl\t%esi,%r8d\n\troll\t$7,%r8d\n\taddl\t%r13d,%edi\n\txorl\t%edi,%r9d\n\troll\t$7,%r9d\n\tmovl\t%esi,32(%rsp)\n\tmovl\t%edi,36(%rsp)\n\tmovl\t40(%rsp),%esi\n\tmovl\t44(%rsp),%edi\n\taddl\t%r10d,%ecx\n\txorl\t%ecx,%r14d\n\troll\t$16,%r14d\n\taddl\t%r11d,%edx\n\txorl\t%edx,%r15d\n\troll\t$16,%r15d\n\taddl\t%r14d,%esi\n\txorl\t%esi,%r10d\n\troll\t$12,%r10d\n\taddl\t%r15d,%edi\n\txorl\t%edi,%r11d\n\troll\t$12,%r11d\n\taddl\t%r10d,%ecx\n\txorl\t%ecx,%r14d\n\troll\t$8,%r14d\n\taddl\t%r11d,%edx\n\txorl\t%edx,%r15d\n\troll\t$8,%r15d\n\taddl\t%r14d,%esi\n\txorl\t%esi,%r10d\n\troll\t$7,%r10d\n\taddl\t%r15d,%edi\n\txorl\t%edi,%r11d\n\troll\t$7,%r11d\n\taddl\t%r9d,%eax\n\txorl\t%eax,%r15d\n\troll\t$16,%r15d\n\taddl\t%r10d,%ebx\n\txorl\t%ebx,%r12d\n\troll\t$16,%r12d\n\taddl\t%r15d,%esi\n\txorl\t%esi,%r9d\n\troll\t$12,%r9d\n\taddl\t%r12d,%edi\n\txorl\t%edi,%r10d\n\troll\t$12,%r10d\n\taddl\t%r9d,%eax\n\txorl\t%eax,%r15d\n\troll\t$8,%r15d\n\taddl\t%r10d,%ebx\n\txorl\t%ebx,%r12d\n\troll\t$8,%r12d\n\taddl\t%r15d,%esi\n\txorl\t%esi,%r9d\n\troll\t$7,%r9d\n\taddl\t%r12d,%edi\n\txorl\t%edi,%r10d\n\troll\t$7,%r10d\n\tmovl\t%esi,40(%rsp)\n\tmovl\t%edi,44(%rsp)\n\tmovl\t32(%rsp),%esi\n\tmovl\t36(%rsp),%edi\n\taddl\t%r11d,%ecx\n\txorl\t%ecx,%r13d\n\troll\t$16,%r13d\n\taddl\t%r8d,%edx\n\txorl\t%edx,%r14d\n\troll\t$16,%r14d\n\taddl\t%r13d,%esi\n\txorl\t%esi,%r11d\n\troll\t$12,%r11d\n\taddl\t%r14d,%edi\n\txorl\t%edi,%r8d\n\troll\t$12,%r8d\n\taddl\t%r11d,%ecx\n\txorl\t%ecx,%r13d\n\troll\t$8,%r13d\n\taddl\t%r8d,%edx\n\txorl\t%edx,%r14d\n\troll\t$8,%r14d\n\taddl\t%r13d,%esi\n\txorl\t%esi,%r11d\n\troll\t$7,%r11d\n\taddl\t%r14d,%edi\n\txorl\t%edi,%r8d\n\troll\t$7,%r8d\n\tdecl\t%ebp\n\tjnz\t.Loop\n\tmovl\t%edi,36(%rsp)\n\tmovl\t%esi,32(%rsp)\n\tmovq\t64(%rsp),%rbp\n\tmovdqa\t%xmm2,%xmm1\n\tmovq\t64+8(%rsp),%rsi\n\tpaddd\t%xmm4,%xmm3\n\tmovq\t64+16(%rsp),%rdi\n\n\taddl\t$0x61707865,%eax\n\taddl\t$0x3320646e,%ebx\n\taddl\t$0x79622d32,%ecx\n\taddl\t$0x6b206574,%edx\n\taddl\t16(%rsp),%r8d\n\taddl\t20(%rsp),%r9d\n\taddl\t24(%rsp),%r10d\n\taddl\t28(%rsp),%r11d\n\taddl\t48(%rsp),%r12d\n\taddl\t52(%rsp),%r13d\n\taddl\t56(%rsp),%r14d\n\taddl\t60(%rsp),%r15d\n\tpaddd\t32(%rsp),%xmm1\n\n\tcmpq\t$64,%rbp\n\tjb\t.Ltail\n\n\txorl\t0(%rsi),%eax\n\txorl\t4(%rsi),%ebx\n\txorl\t8(%rsi),%ecx\n\txorl\t12(%rsi),%edx\n\txorl\t16(%rsi),%r8d\n\txorl\t20(%rsi),%r9d\n\txorl\t24(%rsi),%r10d\n\txorl\t28(%rsi),%r11d\n\tmovdqu\t32(%rsi),%xmm0\n\txorl\t48(%rsi),%r12d\n\txorl\t52(%rsi),%r13d\n\txorl\t56(%rsi),%r14d\n\txorl\t60(%rsi),%r15d\n\tleaq\t64(%rsi),%rsi\n\tpxor\t%xmm1,%xmm0\n\n\tmovdqa\t%xmm2,32(%rsp)\n\tmovd\t%xmm3,48(%rsp)\n\n\tmovl\t%eax,0(%rdi)\n\tmovl\t%ebx,4(%rdi)\n\tmovl\t%ecx,8(%rdi)\n\tmovl\t%edx,12(%rdi)\n\tmovl\t%r8d,16(%rdi)\n\tmovl\t%r9d,20(%rdi)\n\tmovl\t%r10d,24(%rdi)\n\tmovl\t%r11d,28(%rdi)\n\tmovdqu\t%xmm0,32(%rdi)\n\tmovl\t%r12d,48(%rdi)\n\tmovl\t%r13d,52(%rdi)\n\tmovl\t%r14d,56(%rdi)\n\tmovl\t%r15d,60(%rdi)\n\tleaq\t64(%rdi),%rdi\n\n\tsubq\t$64,%rbp\n\tjnz\t.Loop_outer\n\n\tjmp\t.Ldone\n\n.align\t16\n.Ltail:\n\tmovl\t%eax,0(%rsp)\n\tmovl\t%ebx,4(%rsp)\n\txorq\t%rbx,%rbx\n\tmovl\t%ecx,8(%rsp)\n\tmovl\t%edx,12(%rsp)\n\tmovl\t%r8d,16(%rsp)\n\tmovl\t%r9d,20(%rsp)\n\tmovl\t%r10d,24(%rsp)\n\tmovl\t%r11d,28(%rsp)\n\tmovdqa\t%xmm1,32(%rsp)\n\tmovl\t%r12d,48(%rsp)\n\tmovl\t%r13d,52(%rsp)\n\tmovl\t%r14d,56(%rsp)\n\tmovl\t%r15d,60(%rsp)\n\n.Loop_tail:\n\tmovzbl\t(%rsi,%rbx,1),%eax\n\tmovzbl\t(%rsp,%rbx,1),%edx\n\tleaq\t1(%rbx),%rbx\n\txorl\t%edx,%eax\n\tmovb\t%al,-1(%rdi,%rbx,1)\n\tdecq\t%rbp\n\tjnz\t.Loop_tail\n\n.Ldone:\n\tleaq\t64+24+48(%rsp),%rsi\n\tmovq\t-48(%rsi),%r15\n.cfi_restore\tr15\n\tmovq\t-40(%rsi),%r14\n.cfi_restore\tr14\n\tmovq\t-32(%rsi),%r13\n.cfi_restore\tr13\n\tmovq\t-24(%rsi),%r12\n.cfi_restore\tr12\n\tmovq\t-16(%rsi),%rbp\n.cfi_restore\trbp\n\tmovq\t-8(%rsi),%rbx\n.cfi_restore\trbx\n\tleaq\t(%rsi),%rsp\n.cfi_adjust_cfa_offset\t-136\n.Lno_data:\n\tret\n.cfi_endproc\t\n.size\tChaCha20_ctr32_nohw,.-ChaCha20_ctr32_nohw\n.globl\tChaCha20_ctr32_ssse3\n.hidden ChaCha20_ctr32_ssse3\n.type\tChaCha20_ctr32_ssse3,@function\n.align\t32\nChaCha20_ctr32_ssse3:\n.cfi_startproc\t\n_CET_ENDBR\n\tmovq\t%rsp,%r9\n.cfi_def_cfa_register\tr9\n\tsubq\t$64+8,%rsp\n\tmovdqa\t.Lsigma(%rip),%xmm0\n\tmovdqu\t(%rcx),%xmm1\n\tmovdqu\t16(%rcx),%xmm2\n\tmovdqu\t(%r8),%xmm3\n\tmovdqa\t.Lrot16(%rip),%xmm6\n\tmovdqa\t.Lrot24(%rip),%xmm7\n\n\tmovdqa\t%xmm0,0(%rsp)\n\tmovdqa\t%xmm1,16(%rsp)\n\tmovdqa\t%xmm2,32(%rsp)\n\tmovdqa\t%xmm3,48(%rsp)\n\tmovq\t$10,%r8\n\tjmp\t.Loop_ssse3\n\n.align\t32\n.Loop_outer_ssse3:\n\tmovdqa\t.Lone(%rip),%xmm3\n\tmovdqa\t0(%rsp),%xmm0\n\tmovdqa\t16(%rsp),%xmm1\n\tmovdqa\t32(%rsp),%xmm2\n\tpaddd\t48(%rsp),%xmm3\n\tmovq\t$10,%r8\n\tmovdqa\t%xmm3,48(%rsp)\n\tjmp\t.Loop_ssse3\n\n.align\t32\n.Loop_ssse3:\n\tpaddd\t%xmm1,%xmm0\n\tpxor\t%xmm0,%xmm3\n.byte\t102,15,56,0,222\n\tpaddd\t%xmm3,%xmm2\n\tpxor\t%xmm2,%xmm1\n\tmovdqa\t%xmm1,%xmm4\n\tpsrld\t$20,%xmm1\n\tpslld\t$12,%xmm4\n\tpor\t%xmm4,%xmm1\n\tpaddd\t%xmm1,%xmm0\n\tpxor\t%xmm0,%xmm3\n.byte\t102,15,56,0,223\n\tpaddd\t%xmm3,%xmm2\n\tpxor\t%xmm2,%xmm1\n\tmovdqa\t%xmm1,%xmm4\n\tpsrld\t$25,%xmm1\n\tpslld\t$7,%xmm4\n\tpor\t%xmm4,%xmm1\n\tpshufd\t$78,%xmm2,%xmm2\n\tpshufd\t$57,%xmm1,%xmm1\n\tpshufd\t$147,%xmm3,%xmm3\n\tnop\n\tpaddd\t%xmm1,%xmm0\n\tpxor\t%xmm0,%xmm3\n.byte\t102,15,56,0,222\n\tpaddd\t%xmm3,%xmm2\n\tpxor\t%xmm2,%xmm1\n\tmovdqa\t%xmm1,%xmm4\n\tpsrld\t$20,%xmm1\n\tpslld\t$12,%xmm4\n\tpor\t%xmm4,%xmm1\n\tpaddd\t%xmm1,%xmm0\n\tpxor\t%xmm0,%xmm3\n.byte\t102,15,56,0,223\n\tpaddd\t%xmm3,%xmm2\n\tpxor\t%xmm2,%xmm1\n\tmovdqa\t%xmm1,%xmm4\n\tpsrld\t$25,%xmm1\n\tpslld\t$7,%xmm4\n\tpor\t%xmm4,%xmm1\n\tpshufd\t$78,%xmm2,%xmm2\n\tpshufd\t$147,%xmm1,%xmm1\n\tpshufd\t$57,%xmm3,%xmm3\n\tdecq\t%r8\n\tjnz\t.Loop_ssse3\n\tpaddd\t0(%rsp),%xmm0\n\tpaddd\t16(%rsp),%xmm1\n\tpaddd\t32(%rsp),%xmm2\n\tpaddd\t48(%rsp),%xmm3\n\n\tcmpq\t$64,%rdx\n\tjb\t.Ltail_ssse3\n\n\tmovdqu\t0(%rsi),%xmm4\n\tmovdqu\t16(%rsi),%xmm5\n\tpxor\t%xmm4,%xmm0\n\tmovdqu\t32(%rsi),%xmm4\n\tpxor\t%xmm5,%xmm1\n\tmovdqu\t48(%rsi),%xmm5\n\tleaq\t64(%rsi),%rsi\n\tpxor\t%xmm4,%xmm2\n\tpxor\t%xmm5,%xmm3\n\n\tmovdqu\t%xmm0,0(%rdi)\n\tmovdqu\t%xmm1,16(%rdi)\n\tmovdqu\t%xmm2,32(%rdi)\n\tmovdqu\t%xmm3,48(%rdi)\n\tleaq\t64(%rdi),%rdi\n\n\tsubq\t$64,%rdx\n\tjnz\t.Loop_outer_ssse3\n\n\tjmp\t.Ldone_ssse3\n\n.align\t16\n.Ltail_ssse3:\n\tmovdqa\t%xmm0,0(%rsp)\n\tmovdqa\t%xmm1,16(%rsp)\n\tmovdqa\t%xmm2,32(%rsp)\n\tmovdqa\t%xmm3,48(%rsp)\n\txorq\t%r8,%r8\n\n.Loop_tail_ssse3:\n\tmovzbl\t(%rsi,%r8,1),%eax\n\tmovzbl\t(%rsp,%r8,1),%ecx\n\tleaq\t1(%r8),%r8\n\txorl\t%ecx,%eax\n\tmovb\t%al,-1(%rdi,%r8,1)\n\tdecq\t%rdx\n\tjnz\t.Loop_tail_ssse3\n\n.Ldone_ssse3:\n\tleaq\t(%r9),%rsp\n.cfi_def_cfa_register\trsp\n.Lssse3_epilogue:\n\tret\n.cfi_endproc\t\n.size\tChaCha20_ctr32_ssse3,.-ChaCha20_ctr32_ssse3\n.globl\tChaCha20_ctr32_ssse3_4x\n.hidden ChaCha20_ctr32_ssse3_4x\n.type\tChaCha20_ctr32_ssse3_4x,@function\n.align\t32\nChaCha20_ctr32_ssse3_4x:\n.cfi_startproc\t\n_CET_ENDBR\n\tmovq\t%rsp,%r9\n.cfi_def_cfa_register\tr9\n\tsubq\t$0x140+8,%rsp\n\tmovdqa\t.Lsigma(%rip),%xmm11\n\tmovdqu\t(%rcx),%xmm15\n\tmovdqu\t16(%rcx),%xmm7\n\tmovdqu\t(%r8),%xmm3\n\tleaq\t256(%rsp),%rcx\n\tleaq\t.Lrot16(%rip),%r10\n\tleaq\t.Lrot24(%rip),%r11\n\n\tpshufd\t$0x00,%xmm11,%xmm8\n\tpshufd\t$0x55,%xmm11,%xmm9\n\tmovdqa\t%xmm8,64(%rsp)\n\tpshufd\t$0xaa,%xmm11,%xmm10\n\tmovdqa\t%xmm9,80(%rsp)\n\tpshufd\t$0xff,%xmm11,%xmm11\n\tmovdqa\t%xmm10,96(%rsp)\n\tmovdqa\t%xmm11,112(%rsp)\n\n\tpshufd\t$0x00,%xmm15,%xmm12\n\tpshufd\t$0x55,%xmm15,%xmm13\n\tmovdqa\t%xmm12,128-256(%rcx)\n\tpshufd\t$0xaa,%xmm15,%xmm14\n\tmovdqa\t%xmm13,144-256(%rcx)\n\tpshufd\t$0xff,%xmm15,%xmm15\n\tmovdqa\t%xmm14,160-256(%rcx)\n\tmovdqa\t%xmm15,176-256(%rcx)\n\n\tpshufd\t$0x00,%xmm7,%xmm4\n\tpshufd\t$0x55,%xmm7,%xmm5\n\tmovdqa\t%xmm4,192-256(%rcx)\n\tpshufd\t$0xaa,%xmm7,%xmm6\n\tmovdqa\t%xmm5,208-256(%rcx)\n\tpshufd\t$0xff,%xmm7,%xmm7\n\tmovdqa\t%xmm6,224-256(%rcx)\n\tmovdqa\t%xmm7,240-256(%rcx)\n\n\tpshufd\t$0x00,%xmm3,%xmm0\n\tpshufd\t$0x55,%xmm3,%xmm1\n\tpaddd\t.Linc(%rip),%xmm0\n\tpshufd\t$0xaa,%xmm3,%xmm2\n\tmovdqa\t%xmm1,272-256(%rcx)\n\tpshufd\t$0xff,%xmm3,%xmm3\n\tmovdqa\t%xmm2,288-256(%rcx)\n\tmovdqa\t%xmm3,304-256(%rcx)\n\n\tjmp\t.Loop_enter4x\n\n.align\t32\n.Loop_outer4x:\n\tmovdqa\t64(%rsp),%xmm8\n\tmovdqa\t80(%rsp),%xmm9\n\tmovdqa\t96(%rsp),%xmm10\n\tmovdqa\t112(%rsp),%xmm11\n\tmovdqa\t128-256(%rcx),%xmm12\n\tmovdqa\t144-256(%rcx),%xmm13\n\tmovdqa\t160-256(%rcx),%xmm14\n\tmovdqa\t176-256(%rcx),%xmm15\n\tmovdqa\t192-256(%rcx),%xmm4\n\tmovdqa\t208-256(%rcx),%xmm5\n\tmovdqa\t224-256(%rcx),%xmm6\n\tmovdqa\t240-256(%rcx),%xmm7\n\tmovdqa\t256-256(%rcx),%xmm0\n\tmovdqa\t272-256(%rcx),%xmm1\n\tmovdqa\t288-256(%rcx),%xmm2\n\tmovdqa\t304-256(%rcx),%xmm3\n\tpaddd\t.Lfour(%rip),%xmm0\n\n.Loop_enter4x:\n\tmovdqa\t%xmm6,32(%rsp)\n\tmovdqa\t%xmm7,48(%rsp)\n\tmovdqa\t(%r10),%xmm7\n\tmovl\t$10,%eax\n\tmovdqa\t%xmm0,256-256(%rcx)\n\tjmp\t.Loop4x\n\n.align\t32\n.Loop4x:\n\tpaddd\t%xmm12,%xmm8\n\tpaddd\t%xmm13,%xmm9\n\tpxor\t%xmm8,%xmm0\n\tpxor\t%xmm9,%xmm1\n.byte\t102,15,56,0,199\n.byte\t102,15,56,0,207\n\tpaddd\t%xmm0,%xmm4\n\tpaddd\t%xmm1,%xmm5\n\tpxor\t%xmm4,%xmm12\n\tpxor\t%xmm5,%xmm13\n\tmovdqa\t%xmm12,%xmm6\n\tpslld\t$12,%xmm12\n\tpsrld\t$20,%xmm6\n\tmovdqa\t%xmm13,%xmm7\n\tpslld\t$12,%xmm13\n\tpor\t%xmm6,%xmm12\n\tpsrld\t$20,%xmm7\n\tmovdqa\t(%r11),%xmm6\n\tpor\t%xmm7,%xmm13\n\tpaddd\t%xmm12,%xmm8\n\tpaddd\t%xmm13,%xmm9\n\tpxor\t%xmm8,%xmm0\n\tpxor\t%xmm9,%xmm1\n.byte\t102,15,56,0,198\n.byte\t102,15,56,0,206\n\tpaddd\t%xmm0,%xmm4\n\tpaddd\t%xmm1,%xmm5\n\tpxor\t%xmm4,%xmm12\n\tpxor\t%xmm5,%xmm13\n\tmovdqa\t%xmm12,%xmm7\n\tpslld\t$7,%xmm12\n\tpsrld\t$25,%xmm7\n\tmovdqa\t%xmm13,%xmm6\n\tpslld\t$7,%xmm13\n\tpor\t%xmm7,%xmm12\n\tpsrld\t$25,%xmm6\n\tmovdqa\t(%r10),%xmm7\n\tpor\t%xmm6,%xmm13\n\tmovdqa\t%xmm4,0(%rsp)\n\tmovdqa\t%xmm5,16(%rsp)\n\tmovdqa\t32(%rsp),%xmm4\n\tmovdqa\t48(%rsp),%xmm5\n\tpaddd\t%xmm14,%xmm10\n\tpaddd\t%xmm15,%xmm11\n\tpxor\t%xmm10,%xmm2\n\tpxor\t%xmm11,%xmm3\n.byte\t102,15,56,0,215\n.byte\t102,15,56,0,223\n\tpaddd\t%xmm2,%xmm4\n\tpaddd\t%xmm3,%xmm5\n\tpxor\t%xmm4,%xmm14\n\tpxor\t%xmm5,%xmm15\n\tmovdqa\t%xmm14,%xmm6\n\tpslld\t$12,%xmm14\n\tpsrld\t$20,%xmm6\n\tmovdqa\t%xmm15,%xmm7\n\tpslld\t$12,%xmm15\n\tpor\t%xmm6,%xmm14\n\tpsrld\t$20,%xmm7\n\tmovdqa\t(%r11),%xmm6\n\tpor\t%xmm7,%xmm15\n\tpaddd\t%xmm14,%xmm10\n\tpaddd\t%xmm15,%xmm11\n\tpxor\t%xmm10,%xmm2\n\tpxor\t%xmm11,%xmm3\n.byte\t102,15,56,0,214\n.byte\t102,15,56,0,222\n\tpaddd\t%xmm2,%xmm4\n\tpaddd\t%xmm3,%xmm5\n\tpxor\t%xmm4,%xmm14\n\tpxor\t%xmm5,%xmm15\n\tmovdqa\t%xmm14,%xmm7\n\tpslld\t$7,%xmm14\n\tpsrld\t$25,%xmm7\n\tmovdqa\t%xmm15,%xmm6\n\tpslld\t$7,%xmm15\n\tpor\t%xmm7,%xmm14\n\tpsrld\t$25,%xmm6\n\tmovdqa\t(%r10),%xmm7\n\tpor\t%xmm6,%xmm15\n\tpaddd\t%xmm13,%xmm8\n\tpaddd\t%xmm14,%xmm9\n\tpxor\t%xmm8,%xmm3\n\tpxor\t%xmm9,%xmm0\n.byte\t102,15,56,0,223\n.byte\t102,15,56,0,199\n\tpaddd\t%xmm3,%xmm4\n\tpaddd\t%xmm0,%xmm5\n\tpxor\t%xmm4,%xmm13\n\tpxor\t%xmm5,%xmm14\n\tmovdqa\t%xmm13,%xmm6\n\tpslld\t$12,%xmm13\n\tpsrld\t$20,%xmm6\n\tmovdqa\t%xmm14,%xmm7\n\tpslld\t$12,%xmm14\n\tpor\t%xmm6,%xmm13\n\tpsrld\t$20,%xmm7\n\tmovdqa\t(%r11),%xmm6\n\tpor\t%xmm7,%xmm14\n\tpaddd\t%xmm13,%xmm8\n\tpaddd\t%xmm14,%xmm9\n\tpxor\t%xmm8,%xmm3\n\tpxor\t%xmm9,%xmm0\n.byte\t102,15,56,0,222\n.byte\t102,15,56,0,198\n\tpaddd\t%xmm3,%xmm4\n\tpaddd\t%xmm0,%xmm5\n\tpxor\t%xmm4,%xmm13\n\tpxor\t%xmm5,%xmm14\n\tmovdqa\t%xmm13,%xmm7\n\tpslld\t$7,%xmm13\n\tpsrld\t$25,%xmm7\n\tmovdqa\t%xmm14,%xmm6\n\tpslld\t$7,%xmm14\n\tpor\t%xmm7,%xmm13\n\tpsrld\t$25,%xmm6\n\tmovdqa\t(%r10),%xmm7\n\tpor\t%xmm6,%xmm14\n\tmovdqa\t%xmm4,32(%rsp)\n\tmovdqa\t%xmm5,48(%rsp)\n\tmovdqa\t0(%rsp),%xmm4\n\tmovdqa\t16(%rsp),%xmm5\n\tpaddd\t%xmm15,%xmm10\n\tpaddd\t%xmm12,%xmm11\n\tpxor\t%xmm10,%xmm1\n\tpxor\t%xmm11,%xmm2\n.byte\t102,15,56,0,207\n.byte\t102,15,56,0,215\n\tpaddd\t%xmm1,%xmm4\n\tpaddd\t%xmm2,%xmm5\n\tpxor\t%xmm4,%xmm15\n\tpxor\t%xmm5,%xmm12\n\tmovdqa\t%xmm15,%xmm6\n\tpslld\t$12,%xmm15\n\tpsrld\t$20,%xmm6\n\tmovdqa\t%xmm12,%xmm7\n\tpslld\t$12,%xmm12\n\tpor\t%xmm6,%xmm15\n\tpsrld\t$20,%xmm7\n\tmovdqa\t(%r11),%xmm6\n\tpor\t%xmm7,%xmm12\n\tpaddd\t%xmm15,%xmm10\n\tpaddd\t%xmm12,%xmm11\n\tpxor\t%xmm10,%xmm1\n\tpxor\t%xmm11,%xmm2\n.byte\t102,15,56,0,206\n.byte\t102,15,56,0,214\n\tpaddd\t%xmm1,%xmm4\n\tpaddd\t%xmm2,%xmm5\n\tpxor\t%xmm4,%xmm15\n\tpxor\t%xmm5,%xmm12\n\tmovdqa\t%xmm15,%xmm7\n\tpslld\t$7,%xmm15\n\tpsrld\t$25,%xmm7\n\tmovdqa\t%xmm12,%xmm6\n\tpslld\t$7,%xmm12\n\tpor\t%xmm7,%xmm15\n\tpsrld\t$25,%xmm6\n\tmovdqa\t(%r10),%xmm7\n\tpor\t%xmm6,%xmm12\n\tdecl\t%eax\n\tjnz\t.Loop4x\n\n\tpaddd\t64(%rsp),%xmm8\n\tpaddd\t80(%rsp),%xmm9\n\tpaddd\t96(%rsp),%xmm10\n\tpaddd\t112(%rsp),%xmm11\n\n\tmovdqa\t%xmm8,%xmm6\n\tpunpckldq\t%xmm9,%xmm8\n\tmovdqa\t%xmm10,%xmm7\n\tpunpckldq\t%xmm11,%xmm10\n\tpunpckhdq\t%xmm9,%xmm6\n\tpunpckhdq\t%xmm11,%xmm7\n\tmovdqa\t%xmm8,%xmm9\n\tpunpcklqdq\t%xmm10,%xmm8\n\tmovdqa\t%xmm6,%xmm11\n\tpunpcklqdq\t%xmm7,%xmm6\n\tpunpckhqdq\t%xmm10,%xmm9\n\tpunpckhqdq\t%xmm7,%xmm11\n\tpaddd\t128-256(%rcx),%xmm12\n\tpaddd\t144-256(%rcx),%xmm13\n\tpaddd\t160-256(%rcx),%xmm14\n\tpaddd\t176-256(%rcx),%xmm15\n\n\tmovdqa\t%xmm8,0(%rsp)\n\tmovdqa\t%xmm9,16(%rsp)\n\tmovdqa\t32(%rsp),%xmm8\n\tmovdqa\t48(%rsp),%xmm9\n\n\tmovdqa\t%xmm12,%xmm10\n\tpunpckldq\t%xmm13,%xmm12\n\tmovdqa\t%xmm14,%xmm7\n\tpunpckldq\t%xmm15,%xmm14\n\tpunpckhdq\t%xmm13,%xmm10\n\tpunpckhdq\t%xmm15,%xmm7\n\tmovdqa\t%xmm12,%xmm13\n\tpunpcklqdq\t%xmm14,%xmm12\n\tmovdqa\t%xmm10,%xmm15\n\tpunpcklqdq\t%xmm7,%xmm10\n\tpunpckhqdq\t%xmm14,%xmm13\n\tpunpckhqdq\t%xmm7,%xmm15\n\tpaddd\t192-256(%rcx),%xmm4\n\tpaddd\t208-256(%rcx),%xmm5\n\tpaddd\t224-256(%rcx),%xmm8\n\tpaddd\t240-256(%rcx),%xmm9\n\n\tmovdqa\t%xmm6,32(%rsp)\n\tmovdqa\t%xmm11,48(%rsp)\n\n\tmovdqa\t%xmm4,%xmm14\n\tpunpckldq\t%xmm5,%xmm4\n\tmovdqa\t%xmm8,%xmm7\n\tpunpckldq\t%xmm9,%xmm8\n\tpunpckhdq\t%xmm5,%xmm14\n\tpunpckhdq\t%xmm9,%xmm7\n\tmovdqa\t%xmm4,%xmm5\n\tpunpcklqdq\t%xmm8,%xmm4\n\tmovdqa\t%xmm14,%xmm9\n\tpunpcklqdq\t%xmm7,%xmm14\n\tpunpckhqdq\t%xmm8,%xmm5\n\tpunpckhqdq\t%xmm7,%xmm9\n\tpaddd\t256-256(%rcx),%xmm0\n\tpaddd\t272-256(%rcx),%xmm1\n\tpaddd\t288-256(%rcx),%xmm2\n\tpaddd\t304-256(%rcx),%xmm3\n\n\tmovdqa\t%xmm0,%xmm8\n\tpunpckldq\t%xmm1,%xmm0\n\tmovdqa\t%xmm2,%xmm7\n\tpunpckldq\t%xmm3,%xmm2\n\tpunpckhdq\t%xmm1,%xmm8\n\tpunpckhdq\t%xmm3,%xmm7\n\tmovdqa\t%xmm0,%xmm1\n\tpunpcklqdq\t%xmm2,%xmm0\n\tmovdqa\t%xmm8,%xmm3\n\tpunpcklqdq\t%xmm7,%xmm8\n\tpunpckhqdq\t%xmm2,%xmm1\n\tpunpckhqdq\t%xmm7,%xmm3\n\tcmpq\t$256,%rdx\n\tjb\t.Ltail4x\n\n\tmovdqu\t0(%rsi),%xmm6\n\tmovdqu\t16(%rsi),%xmm11\n\tmovdqu\t32(%rsi),%xmm2\n\tmovdqu\t48(%rsi),%xmm7\n\tpxor\t0(%rsp),%xmm6\n\tpxor\t%xmm12,%xmm11\n\tpxor\t%xmm4,%xmm2\n\tpxor\t%xmm0,%xmm7\n\n\tmovdqu\t%xmm6,0(%rdi)\n\tmovdqu\t64(%rsi),%xmm6\n\tmovdqu\t%xmm11,16(%rdi)\n\tmovdqu\t80(%rsi),%xmm11\n\tmovdqu\t%xmm2,32(%rdi)\n\tmovdqu\t96(%rsi),%xmm2\n\tmovdqu\t%xmm7,48(%rdi)\n\tmovdqu\t112(%rsi),%xmm7\n\tleaq\t128(%rsi),%rsi\n\tpxor\t16(%rsp),%xmm6\n\tpxor\t%xmm13,%xmm11\n\tpxor\t%xmm5,%xmm2\n\tpxor\t%xmm1,%xmm7\n\n\tmovdqu\t%xmm6,64(%rdi)\n\tmovdqu\t0(%rsi),%xmm6\n\tmovdqu\t%xmm11,80(%rdi)\n\tmovdqu\t16(%rsi),%xmm11\n\tmovdqu\t%xmm2,96(%rdi)\n\tmovdqu\t32(%rsi),%xmm2\n\tmovdqu\t%xmm7,112(%rdi)\n\tleaq\t128(%rdi),%rdi\n\tmovdqu\t48(%rsi),%xmm7\n\tpxor\t32(%rsp),%xmm6\n\tpxor\t%xmm10,%xmm11\n\tpxor\t%xmm14,%xmm2\n\tpxor\t%xmm8,%xmm7\n\n\tmovdqu\t%xmm6,0(%rdi)\n\tmovdqu\t64(%rsi),%xmm6\n\tmovdqu\t%xmm11,16(%rdi)\n\tmovdqu\t80(%rsi),%xmm11\n\tmovdqu\t%xmm2,32(%rdi)\n\tmovdqu\t96(%rsi),%xmm2\n\tmovdqu\t%xmm7,48(%rdi)\n\tmovdqu\t112(%rsi),%xmm7\n\tleaq\t128(%rsi),%rsi\n\tpxor\t48(%rsp),%xmm6\n\tpxor\t%xmm15,%xmm11\n\tpxor\t%xmm9,%xmm2\n\tpxor\t%xmm3,%xmm7\n\tmovdqu\t%xmm6,64(%rdi)\n\tmovdqu\t%xmm11,80(%rdi)\n\tmovdqu\t%xmm2,96(%rdi)\n\tmovdqu\t%xmm7,112(%rdi)\n\tleaq\t128(%rdi),%rdi\n\n\tsubq\t$256,%rdx\n\tjnz\t.Loop_outer4x\n\n\tjmp\t.Ldone4x\n\n.Ltail4x:\n\tcmpq\t$192,%rdx\n\tjae\t.L192_or_more4x\n\tcmpq\t$128,%rdx\n\tjae\t.L128_or_more4x\n\tcmpq\t$64,%rdx\n\tjae\t.L64_or_more4x\n\n\n\txorq\t%r10,%r10\n\n\tmovdqa\t%xmm12,16(%rsp)\n\tmovdqa\t%xmm4,32(%rsp)\n\tmovdqa\t%xmm0,48(%rsp)\n\tjmp\t.Loop_tail4x\n\n.align\t32\n.L64_or_more4x:\n\tmovdqu\t0(%rsi),%xmm6\n\tmovdqu\t16(%rsi),%xmm11\n\tmovdqu\t32(%rsi),%xmm2\n\tmovdqu\t48(%rsi),%xmm7\n\tpxor\t0(%rsp),%xmm6\n\tpxor\t%xmm12,%xmm11\n\tpxor\t%xmm4,%xmm2\n\tpxor\t%xmm0,%xmm7\n\tmovdqu\t%xmm6,0(%rdi)\n\tmovdqu\t%xmm11,16(%rdi)\n\tmovdqu\t%xmm2,32(%rdi)\n\tmovdqu\t%xmm7,48(%rdi)\n\tje\t.Ldone4x\n\n\tmovdqa\t16(%rsp),%xmm6\n\tleaq\t64(%rsi),%rsi\n\txorq\t%r10,%r10\n\tmovdqa\t%xmm6,0(%rsp)\n\tmovdqa\t%xmm13,16(%rsp)\n\tleaq\t64(%rdi),%rdi\n\tmovdqa\t%xmm5,32(%rsp)\n\tsubq\t$64,%rdx\n\tmovdqa\t%xmm1,48(%rsp)\n\tjmp\t.Loop_tail4x\n\n.align\t32\n.L128_or_more4x:\n\tmovdqu\t0(%rsi),%xmm6\n\tmovdqu\t16(%rsi),%xmm11\n\tmovdqu\t32(%rsi),%xmm2\n\tmovdqu\t48(%rsi),%xmm7\n\tpxor\t0(%rsp),%xmm6\n\tpxor\t%xmm12,%xmm11\n\tpxor\t%xmm4,%xmm2\n\tpxor\t%xmm0,%xmm7\n\n\tmovdqu\t%xmm6,0(%rdi)\n\tmovdqu\t64(%rsi),%xmm6\n\tmovdqu\t%xmm11,16(%rdi)\n\tmovdqu\t80(%rsi),%xmm11\n\tmovdqu\t%xmm2,32(%rdi)\n\tmovdqu\t96(%rsi),%xmm2\n\tmovdqu\t%xmm7,48(%rdi)\n\tmovdqu\t112(%rsi),%xmm7\n\tpxor\t16(%rsp),%xmm6\n\tpxor\t%xmm13,%xmm11\n\tpxor\t%xmm5,%xmm2\n\tpxor\t%xmm1,%xmm7\n\tmovdqu\t%xmm6,64(%rdi)\n\tmovdqu\t%xmm11,80(%rdi)\n\tmovdqu\t%xmm2,96(%rdi)\n\tmovdqu\t%xmm7,112(%rdi)\n\tje\t.Ldone4x\n\n\tmovdqa\t32(%rsp),%xmm6\n\tleaq\t128(%rsi),%rsi\n\txorq\t%r10,%r10\n\tmovdqa\t%xmm6,0(%rsp)\n\tmovdqa\t%xmm10,16(%rsp)\n\tleaq\t128(%rdi),%rdi\n\tmovdqa\t%xmm14,32(%rsp)\n\tsubq\t$128,%rdx\n\tmovdqa\t%xmm8,48(%rsp)\n\tjmp\t.Loop_tail4x\n\n.align\t32\n.L192_or_more4x:\n\tmovdqu\t0(%rsi),%xmm6\n\tmovdqu\t16(%rsi),%xmm11\n\tmovdqu\t32(%rsi),%xmm2\n\tmovdqu\t48(%rsi),%xmm7\n\tpxor\t0(%rsp),%xmm6\n\tpxor\t%xmm12,%xmm11\n\tpxor\t%xmm4,%xmm2\n\tpxor\t%xmm0,%xmm7\n\n\tmovdqu\t%xmm6,0(%rdi)\n\tmovdqu\t64(%rsi),%xmm6\n\tmovdqu\t%xmm11,16(%rdi)\n\tmovdqu\t80(%rsi),%xmm11\n\tmovdqu\t%xmm2,32(%rdi)\n\tmovdqu\t96(%rsi),%xmm2\n\tmovdqu\t%xmm7,48(%rdi)\n\tmovdqu\t112(%rsi),%xmm7\n\tleaq\t128(%rsi),%rsi\n\tpxor\t16(%rsp),%xmm6\n\tpxor\t%xmm13,%xmm11\n\tpxor\t%xmm5,%xmm2\n\tpxor\t%xmm1,%xmm7\n\n\tmovdqu\t%xmm6,64(%rdi)\n\tmovdqu\t0(%rsi),%xmm6\n\tmovdqu\t%xmm11,80(%rdi)\n\tmovdqu\t16(%rsi),%xmm11\n\tmovdqu\t%xmm2,96(%rdi)\n\tmovdqu\t32(%rsi),%xmm2\n\tmovdqu\t%xmm7,112(%rdi)\n\tleaq\t128(%rdi),%rdi\n\tmovdqu\t48(%rsi),%xmm7\n\tpxor\t32(%rsp),%xmm6\n\tpxor\t%xmm10,%xmm11\n\tpxor\t%xmm14,%xmm2\n\tpxor\t%xmm8,%xmm7\n\tmovdqu\t%xmm6,0(%rdi)\n\tmovdqu\t%xmm11,16(%rdi)\n\tmovdqu\t%xmm2,32(%rdi)\n\tmovdqu\t%xmm7,48(%rdi)\n\tje\t.Ldone4x\n\n\tmovdqa\t48(%rsp),%xmm6\n\tleaq\t64(%rsi),%rsi\n\txorq\t%r10,%r10\n\tmovdqa\t%xmm6,0(%rsp)\n\tmovdqa\t%xmm15,16(%rsp)\n\tleaq\t64(%rdi),%rdi\n\tmovdqa\t%xmm9,32(%rsp)\n\tsubq\t$192,%rdx\n\tmovdqa\t%xmm3,48(%rsp)\n\n.Loop_tail4x:\n\tmovzbl\t(%rsi,%r10,1),%eax\n\tmovzbl\t(%rsp,%r10,1),%ecx\n\tleaq\t1(%r10),%r10\n\txorl\t%ecx,%eax\n\tmovb\t%al,-1(%rdi,%r10,1)\n\tdecq\t%rdx\n\tjnz\t.Loop_tail4x\n\n.Ldone4x:\n\tleaq\t(%r9),%rsp\n.cfi_def_cfa_register\trsp\n.L4x_epilogue:\n\tret\n.cfi_endproc\t\n.size\tChaCha20_ctr32_ssse3_4x,.-ChaCha20_ctr32_ssse3_4x\n.globl\tChaCha20_ctr32_avx2\n.hidden ChaCha20_ctr32_avx2\n.type\tChaCha20_ctr32_avx2,@function\n.align\t32\nChaCha20_ctr32_avx2:\n.cfi_startproc\t\n_CET_ENDBR\n\tmovq\t%rsp,%r9\n.cfi_def_cfa_register\tr9\n\tsubq\t$0x280+8,%rsp\n\tandq\t$-32,%rsp\n\tvzeroupper\n\n\n\n\n\n\n\n\n\n\n\tvbroadcasti128\t.Lsigma(%rip),%ymm11\n\tvbroadcasti128\t(%rcx),%ymm3\n\tvbroadcasti128\t16(%rcx),%ymm15\n\tvbroadcasti128\t(%r8),%ymm7\n\tleaq\t256(%rsp),%rcx\n\tleaq\t512(%rsp),%rax\n\tleaq\t.Lrot16(%rip),%r10\n\tleaq\t.Lrot24(%rip),%r11\n\n\tvpshufd\t$0x00,%ymm11,%ymm8\n\tvpshufd\t$0x55,%ymm11,%ymm9\n\tvmovdqa\t%ymm8,128-256(%rcx)\n\tvpshufd\t$0xaa,%ymm11,%ymm10\n\tvmovdqa\t%ymm9,160-256(%rcx)\n\tvpshufd\t$0xff,%ymm11,%ymm11\n\tvmovdqa\t%ymm10,192-256(%rcx)\n\tvmovdqa\t%ymm11,224-256(%rcx)\n\n\tvpshufd\t$0x00,%ymm3,%ymm0\n\tvpshufd\t$0x55,%ymm3,%ymm1\n\tvmovdqa\t%ymm0,256-256(%rcx)\n\tvpshufd\t$0xaa,%ymm3,%ymm2\n\tvmovdqa\t%ymm1,288-256(%rcx)\n\tvpshufd\t$0xff,%ymm3,%ymm3\n\tvmovdqa\t%ymm2,320-256(%rcx)\n\tvmovdqa\t%ymm3,352-256(%rcx)\n\n\tvpshufd\t$0x00,%ymm15,%ymm12\n\tvpshufd\t$0x55,%ymm15,%ymm13\n\tvmovdqa\t%ymm12,384-512(%rax)\n\tvpshufd\t$0xaa,%ymm15,%ymm14\n\tvmovdqa\t%ymm13,416-512(%rax)\n\tvpshufd\t$0xff,%ymm15,%ymm15\n\tvmovdqa\t%ymm14,448-512(%rax)\n\tvmovdqa\t%ymm15,480-512(%rax)\n\n\tvpshufd\t$0x00,%ymm7,%ymm4\n\tvpshufd\t$0x55,%ymm7,%ymm5\n\tvpaddd\t.Lincy(%rip),%ymm4,%ymm4\n\tvpshufd\t$0xaa,%ymm7,%ymm6\n\tvmovdqa\t%ymm5,544-512(%rax)\n\tvpshufd\t$0xff,%ymm7,%ymm7\n\tvmovdqa\t%ymm6,576-512(%rax)\n\tvmovdqa\t%ymm7,608-512(%rax)\n\n\tjmp\t.Loop_enter8x\n\n.align\t32\n.Loop_outer8x:\n\tvmovdqa\t128-256(%rcx),%ymm8\n\tvmovdqa\t160-256(%rcx),%ymm9\n\tvmovdqa\t192-256(%rcx),%ymm10\n\tvmovdqa\t224-256(%rcx),%ymm11\n\tvmovdqa\t256-256(%rcx),%ymm0\n\tvmovdqa\t288-256(%rcx),%ymm1\n\tvmovdqa\t320-256(%rcx),%ymm2\n\tvmovdqa\t352-256(%rcx),%ymm3\n\tvmovdqa\t384-512(%rax),%ymm12\n\tvmovdqa\t416-512(%rax),%ymm13\n\tvmovdqa\t448-512(%rax),%ymm14\n\tvmovdqa\t480-512(%rax),%ymm15\n\tvmovdqa\t512-512(%rax),%ymm4\n\tvmovdqa\t544-512(%rax),%ymm5\n\tvmovdqa\t576-512(%rax),%ymm6\n\tvmovdqa\t608-512(%rax),%ymm7\n\tvpaddd\t.Leight(%rip),%ymm4,%ymm4\n\n.Loop_enter8x:\n\tvmovdqa\t%ymm14,64(%rsp)\n\tvmovdqa\t%ymm15,96(%rsp)\n\tvbroadcasti128\t(%r10),%ymm15\n\tvmovdqa\t%ymm4,512-512(%rax)\n\tmovl\t$10,%eax\n\tjmp\t.Loop8x\n\n.align\t32\n.Loop8x:\n\tvpaddd\t%ymm0,%ymm8,%ymm8\n\tvpxor\t%ymm4,%ymm8,%ymm4\n\tvpshufb\t%ymm15,%ymm4,%ymm4\n\tvpaddd\t%ymm1,%ymm9,%ymm9\n\tvpxor\t%ymm5,%ymm9,%ymm5\n\tvpshufb\t%ymm15,%ymm5,%ymm5\n\tvpaddd\t%ymm4,%ymm12,%ymm12\n\tvpxor\t%ymm0,%ymm12,%ymm0\n\tvpslld\t$12,%ymm0,%ymm14\n\tvpsrld\t$20,%ymm0,%ymm0\n\tvpor\t%ymm0,%ymm14,%ymm0\n\tvbroadcasti128\t(%r11),%ymm14\n\tvpaddd\t%ymm5,%ymm13,%ymm13\n\tvpxor\t%ymm1,%ymm13,%ymm1\n\tvpslld\t$12,%ymm1,%ymm15\n\tvpsrld\t$20,%ymm1,%ymm1\n\tvpor\t%ymm1,%ymm15,%ymm1\n\tvpaddd\t%ymm0,%ymm8,%ymm8\n\tvpxor\t%ymm4,%ymm8,%ymm4\n\tvpshufb\t%ymm14,%ymm4,%ymm4\n\tvpaddd\t%ymm1,%ymm9,%ymm9\n\tvpxor\t%ymm5,%ymm9,%ymm5\n\tvpshufb\t%ymm14,%ymm5,%ymm5\n\tvpaddd\t%ymm4,%ymm12,%ymm12\n\tvpxor\t%ymm0,%ymm12,%ymm0\n\tvpslld\t$7,%ymm0,%ymm15\n\tvpsrld\t$25,%ymm0,%ymm0\n\tvpor\t%ymm0,%ymm15,%ymm0\n\tvbroadcasti128\t(%r10),%ymm15\n\tvpaddd\t%ymm5,%ymm13,%ymm13\n\tvpxor\t%ymm1,%ymm13,%ymm1\n\tvpslld\t$7,%ymm1,%ymm14\n\tvpsrld\t$25,%ymm1,%ymm1\n\tvpor\t%ymm1,%ymm14,%ymm1\n\tvmovdqa\t%ymm12,0(%rsp)\n\tvmovdqa\t%ymm13,32(%rsp)\n\tvmovdqa\t64(%rsp),%ymm12\n\tvmovdqa\t96(%rsp),%ymm13\n\tvpaddd\t%ymm2,%ymm10,%ymm10\n\tvpxor\t%ymm6,%ymm10,%ymm6\n\tvpshufb\t%ymm15,%ymm6,%ymm6\n\tvpaddd\t%ymm3,%ymm11,%ymm11\n\tvpxor\t%ymm7,%ymm11,%ymm7\n\tvpshufb\t%ymm15,%ymm7,%ymm7\n\tvpaddd\t%ymm6,%ymm12,%ymm12\n\tvpxor\t%ymm2,%ymm12,%ymm2\n\tvpslld\t$12,%ymm2,%ymm14\n\tvpsrld\t$20,%ymm2,%ymm2\n\tvpor\t%ymm2,%ymm14,%ymm2\n\tvbroadcasti128\t(%r11),%ymm14\n\tvpaddd\t%ymm7,%ymm13,%ymm13\n\tvpxor\t%ymm3,%ymm13,%ymm3\n\tvpslld\t$12,%ymm3,%ymm15\n\tvpsrld\t$20,%ymm3,%ymm3\n\tvpor\t%ymm3,%ymm15,%ymm3\n\tvpaddd\t%ymm2,%ymm10,%ymm10\n\tvpxor\t%ymm6,%ymm10,%ymm6\n\tvpshufb\t%ymm14,%ymm6,%ymm6\n\tvpaddd\t%ymm3,%ymm11,%ymm11\n\tvpxor\t%ymm7,%ymm11,%ymm7\n\tvpshufb\t%ymm14,%ymm7,%ymm7\n\tvpaddd\t%ymm6,%ymm12,%ymm12\n\tvpxor\t%ymm2,%ymm12,%ymm2\n\tvpslld\t$7,%ymm2,%ymm15\n\tvpsrld\t$25,%ymm2,%ymm2\n\tvpor\t%ymm2,%ymm15,%ymm2\n\tvbroadcasti128\t(%r10),%ymm15\n\tvpaddd\t%ymm7,%ymm13,%ymm13\n\tvpxor\t%ymm3,%ymm13,%ymm3\n\tvpslld\t$7,%ymm3,%ymm14\n\tvpsrld\t$25,%ymm3,%ymm3\n\tvpor\t%ymm3,%ymm14,%ymm3\n\tvpaddd\t%ymm1,%ymm8,%ymm8\n\tvpxor\t%ymm7,%ymm8,%ymm7\n\tvpshufb\t%ymm15,%ymm7,%ymm7\n\tvpaddd\t%ymm2,%ymm9,%ymm9\n\tvpxor\t%ymm4,%ymm9,%ymm4\n\tvpshufb\t%ymm15,%ymm4,%ymm4\n\tvpaddd\t%ymm7,%ymm12,%ymm12\n\tvpxor\t%ymm1,%ymm12,%ymm1\n\tvpslld\t$12,%ymm1,%ymm14\n\tvpsrld\t$20,%ymm1,%ymm1\n\tvpor\t%ymm1,%ymm14,%ymm1\n\tvbroadcasti128\t(%r11),%ymm14\n\tvpaddd\t%ymm4,%ymm13,%ymm13\n\tvpxor\t%ymm2,%ymm13,%ymm2\n\tvpslld\t$12,%ymm2,%ymm15\n\tvpsrld\t$20,%ymm2,%ymm2\n\tvpor\t%ymm2,%ymm15,%ymm2\n\tvpaddd\t%ymm1,%ymm8,%ymm8\n\tvpxor\t%ymm7,%ymm8,%ymm7\n\tvpshufb\t%ymm14,%ymm7,%ymm7\n\tvpaddd\t%ymm2,%ymm9,%ymm9\n\tvpxor\t%ymm4,%ymm9,%ymm4\n\tvpshufb\t%ymm14,%ymm4,%ymm4\n\tvpaddd\t%ymm7,%ymm12,%ymm12\n\tvpxor\t%ymm1,%ymm12,%ymm1\n\tvpslld\t$7,%ymm1,%ymm15\n\tvpsrld\t$25,%ymm1,%ymm1\n\tvpor\t%ymm1,%ymm15,%ymm1\n\tvbroadcasti128\t(%r10),%ymm15\n\tvpaddd\t%ymm4,%ymm13,%ymm13\n\tvpxor\t%ymm2,%ymm13,%ymm2\n\tvpslld\t$7,%ymm2,%ymm14\n\tvpsrld\t$25,%ymm2,%ymm2\n\tvpor\t%ymm2,%ymm14,%ymm2\n\tvmovdqa\t%ymm12,64(%rsp)\n\tvmovdqa\t%ymm13,96(%rsp)\n\tvmovdqa\t0(%rsp),%ymm12\n\tvmovdqa\t32(%rsp),%ymm13\n\tvpaddd\t%ymm3,%ymm10,%ymm10\n\tvpxor\t%ymm5,%ymm10,%ymm5\n\tvpshufb\t%ymm15,%ymm5,%ymm5\n\tvpaddd\t%ymm0,%ymm11,%ymm11\n\tvpxor\t%ymm6,%ymm11,%ymm6\n\tvpshufb\t%ymm15,%ymm6,%ymm6\n\tvpaddd\t%ymm5,%ymm12,%ymm12\n\tvpxor\t%ymm3,%ymm12,%ymm3\n\tvpslld\t$12,%ymm3,%ymm14\n\tvpsrld\t$20,%ymm3,%ymm3\n\tvpor\t%ymm3,%ymm14,%ymm3\n\tvbroadcasti128\t(%r11),%ymm14\n\tvpaddd\t%ymm6,%ymm13,%ymm13\n\tvpxor\t%ymm0,%ymm13,%ymm0\n\tvpslld\t$12,%ymm0,%ymm15\n\tvpsrld\t$20,%ymm0,%ymm0\n\tvpor\t%ymm0,%ymm15,%ymm0\n\tvpaddd\t%ymm3,%ymm10,%ymm10\n\tvpxor\t%ymm5,%ymm10,%ymm5\n\tvpshufb\t%ymm14,%ymm5,%ymm5\n\tvpaddd\t%ymm0,%ymm11,%ymm11\n\tvpxor\t%ymm6,%ymm11,%ymm6\n\tvpshufb\t%ymm14,%ymm6,%ymm6\n\tvpaddd\t%ymm5,%ymm12,%ymm12\n\tvpxor\t%ymm3,%ymm12,%ymm3\n\tvpslld\t$7,%ymm3,%ymm15\n\tvpsrld\t$25,%ymm3,%ymm3\n\tvpor\t%ymm3,%ymm15,%ymm3\n\tvbroadcasti128\t(%r10),%ymm15\n\tvpaddd\t%ymm6,%ymm13,%ymm13\n\tvpxor\t%ymm0,%ymm13,%ymm0\n\tvpslld\t$7,%ymm0,%ymm14\n\tvpsrld\t$25,%ymm0,%ymm0\n\tvpor\t%ymm0,%ymm14,%ymm0\n\tdecl\t%eax\n\tjnz\t.Loop8x\n\n\tleaq\t512(%rsp),%rax\n\tvpaddd\t128-256(%rcx),%ymm8,%ymm8\n\tvpaddd\t160-256(%rcx),%ymm9,%ymm9\n\tvpaddd\t192-256(%rcx),%ymm10,%ymm10\n\tvpaddd\t224-256(%rcx),%ymm11,%ymm11\n\n\tvpunpckldq\t%ymm9,%ymm8,%ymm14\n\tvpunpckldq\t%ymm11,%ymm10,%ymm15\n\tvpunpckhdq\t%ymm9,%ymm8,%ymm8\n\tvpunpckhdq\t%ymm11,%ymm10,%ymm10\n\tvpunpcklqdq\t%ymm15,%ymm14,%ymm9\n\tvpunpckhqdq\t%ymm15,%ymm14,%ymm14\n\tvpunpcklqdq\t%ymm10,%ymm8,%ymm11\n\tvpunpckhqdq\t%ymm10,%ymm8,%ymm8\n\tvpaddd\t256-256(%rcx),%ymm0,%ymm0\n\tvpaddd\t288-256(%rcx),%ymm1,%ymm1\n\tvpaddd\t320-256(%rcx),%ymm2,%ymm2\n\tvpaddd\t352-256(%rcx),%ymm3,%ymm3\n\n\tvpunpckldq\t%ymm1,%ymm0,%ymm10\n\tvpunpckldq\t%ymm3,%ymm2,%ymm15\n\tvpunpckhdq\t%ymm1,%ymm0,%ymm0\n\tvpunpckhdq\t%ymm3,%ymm2,%ymm2\n\tvpunpcklqdq\t%ymm15,%ymm10,%ymm1\n\tvpunpckhqdq\t%ymm15,%ymm10,%ymm10\n\tvpunpcklqdq\t%ymm2,%ymm0,%ymm3\n\tvpunpckhqdq\t%ymm2,%ymm0,%ymm0\n\tvperm2i128\t$0x20,%ymm1,%ymm9,%ymm15\n\tvperm2i128\t$0x31,%ymm1,%ymm9,%ymm1\n\tvperm2i128\t$0x20,%ymm10,%ymm14,%ymm9\n\tvperm2i128\t$0x31,%ymm10,%ymm14,%ymm10\n\tvperm2i128\t$0x20,%ymm3,%ymm11,%ymm14\n\tvperm2i128\t$0x31,%ymm3,%ymm11,%ymm3\n\tvperm2i128\t$0x20,%ymm0,%ymm8,%ymm11\n\tvperm2i128\t$0x31,%ymm0,%ymm8,%ymm0\n\tvmovdqa\t%ymm15,0(%rsp)\n\tvmovdqa\t%ymm9,32(%rsp)\n\tvmovdqa\t64(%rsp),%ymm15\n\tvmovdqa\t96(%rsp),%ymm9\n\n\tvpaddd\t384-512(%rax),%ymm12,%ymm12\n\tvpaddd\t416-512(%rax),%ymm13,%ymm13\n\tvpaddd\t448-512(%rax),%ymm15,%ymm15\n\tvpaddd\t480-512(%rax),%ymm9,%ymm9\n\n\tvpunpckldq\t%ymm13,%ymm12,%ymm2\n\tvpunpckldq\t%ymm9,%ymm15,%ymm8\n\tvpunpckhdq\t%ymm13,%ymm12,%ymm12\n\tvpunpckhdq\t%ymm9,%ymm15,%ymm15\n\tvpunpcklqdq\t%ymm8,%ymm2,%ymm13\n\tvpunpckhqdq\t%ymm8,%ymm2,%ymm2\n\tvpunpcklqdq\t%ymm15,%ymm12,%ymm9\n\tvpunpckhqdq\t%ymm15,%ymm12,%ymm12\n\tvpaddd\t512-512(%rax),%ymm4,%ymm4\n\tvpaddd\t544-512(%rax),%ymm5,%ymm5\n\tvpaddd\t576-512(%rax),%ymm6,%ymm6\n\tvpaddd\t608-512(%rax),%ymm7,%ymm7\n\n\tvpunpckldq\t%ymm5,%ymm4,%ymm15\n\tvpunpckldq\t%ymm7,%ymm6,%ymm8\n\tvpunpckhdq\t%ymm5,%ymm4,%ymm4\n\tvpunpckhdq\t%ymm7,%ymm6,%ymm6\n\tvpunpcklqdq\t%ymm8,%ymm15,%ymm5\n\tvpunpckhqdq\t%ymm8,%ymm15,%ymm15\n\tvpunpcklqdq\t%ymm6,%ymm4,%ymm7\n\tvpunpckhqdq\t%ymm6,%ymm4,%ymm4\n\tvperm2i128\t$0x20,%ymm5,%ymm13,%ymm8\n\tvperm2i128\t$0x31,%ymm5,%ymm13,%ymm5\n\tvperm2i128\t$0x20,%ymm15,%ymm2,%ymm13\n\tvperm2i128\t$0x31,%ymm15,%ymm2,%ymm15\n\tvperm2i128\t$0x20,%ymm7,%ymm9,%ymm2\n\tvperm2i128\t$0x31,%ymm7,%ymm9,%ymm7\n\tvperm2i128\t$0x20,%ymm4,%ymm12,%ymm9\n\tvperm2i128\t$0x31,%ymm4,%ymm12,%ymm4\n\tvmovdqa\t0(%rsp),%ymm6\n\tvmovdqa\t32(%rsp),%ymm12\n\n\tcmpq\t$512,%rdx\n\tjb\t.Ltail8x\n\n\tvpxor\t0(%rsi),%ymm6,%ymm6\n\tvpxor\t32(%rsi),%ymm8,%ymm8\n\tvpxor\t64(%rsi),%ymm1,%ymm1\n\tvpxor\t96(%rsi),%ymm5,%ymm5\n\tleaq\t128(%rsi),%rsi\n\tvmovdqu\t%ymm6,0(%rdi)\n\tvmovdqu\t%ymm8,32(%rdi)\n\tvmovdqu\t%ymm1,64(%rdi)\n\tvmovdqu\t%ymm5,96(%rdi)\n\tleaq\t128(%rdi),%rdi\n\n\tvpxor\t0(%rsi),%ymm12,%ymm12\n\tvpxor\t32(%rsi),%ymm13,%ymm13\n\tvpxor\t64(%rsi),%ymm10,%ymm10\n\tvpxor\t96(%rsi),%ymm15,%ymm15\n\tleaq\t128(%rsi),%rsi\n\tvmovdqu\t%ymm12,0(%rdi)\n\tvmovdqu\t%ymm13,32(%rdi)\n\tvmovdqu\t%ymm10,64(%rdi)\n\tvmovdqu\t%ymm15,96(%rdi)\n\tleaq\t128(%rdi),%rdi\n\n\tvpxor\t0(%rsi),%ymm14,%ymm14\n\tvpxor\t32(%rsi),%ymm2,%ymm2\n\tvpxor\t64(%rsi),%ymm3,%ymm3\n\tvpxor\t96(%rsi),%ymm7,%ymm7\n\tleaq\t128(%rsi),%rsi\n\tvmovdqu\t%ymm14,0(%rdi)\n\tvmovdqu\t%ymm2,32(%rdi)\n\tvmovdqu\t%ymm3,64(%rdi)\n\tvmovdqu\t%ymm7,96(%rdi)\n\tleaq\t128(%rdi),%rdi\n\n\tvpxor\t0(%rsi),%ymm11,%ymm11\n\tvpxor\t32(%rsi),%ymm9,%ymm9\n\tvpxor\t64(%rsi),%ymm0,%ymm0\n\tvpxor\t96(%rsi),%ymm4,%ymm4\n\tleaq\t128(%rsi),%rsi\n\tvmovdqu\t%ymm11,0(%rdi)\n\tvmovdqu\t%ymm9,32(%rdi)\n\tvmovdqu\t%ymm0,64(%rdi)\n\tvmovdqu\t%ymm4,96(%rdi)\n\tleaq\t128(%rdi),%rdi\n\n\tsubq\t$512,%rdx\n\tjnz\t.Loop_outer8x\n\n\tjmp\t.Ldone8x\n\n.Ltail8x:\n\tcmpq\t$448,%rdx\n\tjae\t.L448_or_more8x\n\tcmpq\t$384,%rdx\n\tjae\t.L384_or_more8x\n\tcmpq\t$320,%rdx\n\tjae\t.L320_or_more8x\n\tcmpq\t$256,%rdx\n\tjae\t.L256_or_more8x\n\tcmpq\t$192,%rdx\n\tjae\t.L192_or_more8x\n\tcmpq\t$128,%rdx\n\tjae\t.L128_or_more8x\n\tcmpq\t$64,%rdx\n\tjae\t.L64_or_more8x\n\n\txorq\t%r10,%r10\n\tvmovdqa\t%ymm6,0(%rsp)\n\tvmovdqa\t%ymm8,32(%rsp)\n\tjmp\t.Loop_tail8x\n\n.align\t32\n.L64_or_more8x:\n\tvpxor\t0(%rsi),%ymm6,%ymm6\n\tvpxor\t32(%rsi),%ymm8,%ymm8\n\tvmovdqu\t%ymm6,0(%rdi)\n\tvmovdqu\t%ymm8,32(%rdi)\n\tje\t.Ldone8x\n\n\tleaq\t64(%rsi),%rsi\n\txorq\t%r10,%r10\n\tvmovdqa\t%ymm1,0(%rsp)\n\tleaq\t64(%rdi),%rdi\n\tsubq\t$64,%rdx\n\tvmovdqa\t%ymm5,32(%rsp)\n\tjmp\t.Loop_tail8x\n\n.align\t32\n.L128_or_more8x:\n\tvpxor\t0(%rsi),%ymm6,%ymm6\n\tvpxor\t32(%rsi),%ymm8,%ymm8\n\tvpxor\t64(%rsi),%ymm1,%ymm1\n\tvpxor\t96(%rsi),%ymm5,%ymm5\n\tvmovdqu\t%ymm6,0(%rdi)\n\tvmovdqu\t%ymm8,32(%rdi)\n\tvmovdqu\t%ymm1,64(%rdi)\n\tvmovdqu\t%ymm5,96(%rdi)\n\tje\t.Ldone8x\n\n\tleaq\t128(%rsi),%rsi\n\txorq\t%r10,%r10\n\tvmovdqa\t%ymm12,0(%rsp)\n\tleaq\t128(%rdi),%rdi\n\tsubq\t$128,%rdx\n\tvmovdqa\t%ymm13,32(%rsp)\n\tjmp\t.Loop_tail8x\n\n.align\t32\n.L192_or_more8x:\n\tvpxor\t0(%rsi),%ymm6,%ymm6\n\tvpxor\t32(%rsi),%ymm8,%ymm8\n\tvpxor\t64(%rsi),%ymm1,%ymm1\n\tvpxor\t96(%rsi),%ymm5,%ymm5\n\tvpxor\t128(%rsi),%ymm12,%ymm12\n\tvpxor\t160(%rsi),%ymm13,%ymm13\n\tvmovdqu\t%ymm6,0(%rdi)\n\tvmovdqu\t%ymm8,32(%rdi)\n\tvmovdqu\t%ymm1,64(%rdi)\n\tvmovdqu\t%ymm5,96(%rdi)\n\tvmovdqu\t%ymm12,128(%rdi)\n\tvmovdqu\t%ymm13,160(%rdi)\n\tje\t.Ldone8x\n\n\tleaq\t192(%rsi),%rsi\n\txorq\t%r10,%r10\n\tvmovdqa\t%ymm10,0(%rsp)\n\tleaq\t192(%rdi),%rdi\n\tsubq\t$192,%rdx\n\tvmovdqa\t%ymm15,32(%rsp)\n\tjmp\t.Loop_tail8x\n\n.align\t32\n.L256_or_more8x:\n\tvpxor\t0(%rsi),%ymm6,%ymm6\n\tvpxor\t32(%rsi),%ymm8,%ymm8\n\tvpxor\t64(%rsi),%ymm1,%ymm1\n\tvpxor\t96(%rsi),%ymm5,%ymm5\n\tvpxor\t128(%rsi),%ymm12,%ymm12\n\tvpxor\t160(%rsi),%ymm13,%ymm13\n\tvpxor\t192(%rsi),%ymm10,%ymm10\n\tvpxor\t224(%rsi),%ymm15,%ymm15\n\tvmovdqu\t%ymm6,0(%rdi)\n\tvmovdqu\t%ymm8,32(%rdi)\n\tvmovdqu\t%ymm1,64(%rdi)\n\tvmovdqu\t%ymm5,96(%rdi)\n\tvmovdqu\t%ymm12,128(%rdi)\n\tvmovdqu\t%ymm13,160(%rdi)\n\tvmovdqu\t%ymm10,192(%rdi)\n\tvmovdqu\t%ymm15,224(%rdi)\n\tje\t.Ldone8x\n\n\tleaq\t256(%rsi),%rsi\n\txorq\t%r10,%r10\n\tvmovdqa\t%ymm14,0(%rsp)\n\tleaq\t256(%rdi),%rdi\n\tsubq\t$256,%rdx\n\tvmovdqa\t%ymm2,32(%rsp)\n\tjmp\t.Loop_tail8x\n\n.align\t32\n.L320_or_more8x:\n\tvpxor\t0(%rsi),%ymm6,%ymm6\n\tvpxor\t32(%rsi),%ymm8,%ymm8\n\tvpxor\t64(%rsi),%ymm1,%ymm1\n\tvpxor\t96(%rsi),%ymm5,%ymm5\n\tvpxor\t128(%rsi),%ymm12,%ymm12\n\tvpxor\t160(%rsi),%ymm13,%ymm13\n\tvpxor\t192(%rsi),%ymm10,%ymm10\n\tvpxor\t224(%rsi),%ymm15,%ymm15\n\tvpxor\t256(%rsi),%ymm14,%ymm14\n\tvpxor\t288(%rsi),%ymm2,%ymm2\n\tvmovdqu\t%ymm6,0(%rdi)\n\tvmovdqu\t%ymm8,32(%rdi)\n\tvmovdqu\t%ymm1,64(%rdi)\n\tvmovdqu\t%ymm5,96(%rdi)\n\tvmovdqu\t%ymm12,128(%rdi)\n\tvmovdqu\t%ymm13,160(%rdi)\n\tvmovdqu\t%ymm10,192(%rdi)\n\tvmovdqu\t%ymm15,224(%rdi)\n\tvmovdqu\t%ymm14,256(%rdi)\n\tvmovdqu\t%ymm2,288(%rdi)\n\tje\t.Ldone8x\n\n\tleaq\t320(%rsi),%rsi\n\txorq\t%r10,%r10\n\tvmovdqa\t%ymm3,0(%rsp)\n\tleaq\t320(%rdi),%rdi\n\tsubq\t$320,%rdx\n\tvmovdqa\t%ymm7,32(%rsp)\n\tjmp\t.Loop_tail8x\n\n.align\t32\n.L384_or_more8x:\n\tvpxor\t0(%rsi),%ymm6,%ymm6\n\tvpxor\t32(%rsi),%ymm8,%ymm8\n\tvpxor\t64(%rsi),%ymm1,%ymm1\n\tvpxor\t96(%rsi),%ymm5,%ymm5\n\tvpxor\t128(%rsi),%ymm12,%ymm12\n\tvpxor\t160(%rsi),%ymm13,%ymm13\n\tvpxor\t192(%rsi),%ymm10,%ymm10\n\tvpxor\t224(%rsi),%ymm15,%ymm15\n\tvpxor\t256(%rsi),%ymm14,%ymm14\n\tvpxor\t288(%rsi),%ymm2,%ymm2\n\tvpxor\t320(%rsi),%ymm3,%ymm3\n\tvpxor\t352(%rsi),%ymm7,%ymm7\n\tvmovdqu\t%ymm6,0(%rdi)\n\tvmovdqu\t%ymm8,32(%rdi)\n\tvmovdqu\t%ymm1,64(%rdi)\n\tvmovdqu\t%ymm5,96(%rdi)\n\tvmovdqu\t%ymm12,128(%rdi)\n\tvmovdqu\t%ymm13,160(%rdi)\n\tvmovdqu\t%ymm10,192(%rdi)\n\tvmovdqu\t%ymm15,224(%rdi)\n\tvmovdqu\t%ymm14,256(%rdi)\n\tvmovdqu\t%ymm2,288(%rdi)\n\tvmovdqu\t%ymm3,320(%rdi)\n\tvmovdqu\t%ymm7,352(%rdi)\n\tje\t.Ldone8x\n\n\tleaq\t384(%rsi),%rsi\n\txorq\t%r10,%r10\n\tvmovdqa\t%ymm11,0(%rsp)\n\tleaq\t384(%rdi),%rdi\n\tsubq\t$384,%rdx\n\tvmovdqa\t%ymm9,32(%rsp)\n\tjmp\t.Loop_tail8x\n\n.align\t32\n.L448_or_more8x:\n\tvpxor\t0(%rsi),%ymm6,%ymm6\n\tvpxor\t32(%rsi),%ymm8,%ymm8\n\tvpxor\t64(%rsi),%ymm1,%ymm1\n\tvpxor\t96(%rsi),%ymm5,%ymm5\n\tvpxor\t128(%rsi),%ymm12,%ymm12\n\tvpxor\t160(%rsi),%ymm13,%ymm13\n\tvpxor\t192(%rsi),%ymm10,%ymm10\n\tvpxor\t224(%rsi),%ymm15,%ymm15\n\tvpxor\t256(%rsi),%ymm14,%ymm14\n\tvpxor\t288(%rsi),%ymm2,%ymm2\n\tvpxor\t320(%rsi),%ymm3,%ymm3\n\tvpxor\t352(%rsi),%ymm7,%ymm7\n\tvpxor\t384(%rsi),%ymm11,%ymm11\n\tvpxor\t416(%rsi),%ymm9,%ymm9\n\tvmovdqu\t%ymm6,0(%rdi)\n\tvmovdqu\t%ymm8,32(%rdi)\n\tvmovdqu\t%ymm1,64(%rdi)\n\tvmovdqu\t%ymm5,96(%rdi)\n\tvmovdqu\t%ymm12,128(%rdi)\n\tvmovdqu\t%ymm13,160(%rdi)\n\tvmovdqu\t%ymm10,192(%rdi)\n\tvmovdqu\t%ymm15,224(%rdi)\n\tvmovdqu\t%ymm14,256(%rdi)\n\tvmovdqu\t%ymm2,288(%rdi)\n\tvmovdqu\t%ymm3,320(%rdi)\n\tvmovdqu\t%ymm7,352(%rdi)\n\tvmovdqu\t%ymm11,384(%rdi)\n\tvmovdqu\t%ymm9,416(%rdi)\n\tje\t.Ldone8x\n\n\tleaq\t448(%rsi),%rsi\n\txorq\t%r10,%r10\n\tvmovdqa\t%ymm0,0(%rsp)\n\tleaq\t448(%rdi),%rdi\n\tsubq\t$448,%rdx\n\tvmovdqa\t%ymm4,32(%rsp)\n\n.Loop_tail8x:\n\tmovzbl\t(%rsi,%r10,1),%eax\n\tmovzbl\t(%rsp,%r10,1),%ecx\n\tleaq\t1(%r10),%r10\n\txorl\t%ecx,%eax\n\tmovb\t%al,-1(%rdi,%r10,1)\n\tdecq\t%rdx\n\tjnz\t.Loop_tail8x\n\n.Ldone8x:\n\tvzeroall\n\tleaq\t(%r9),%rsp\n.cfi_def_cfa_register\trsp\n.L8x_epilogue:\n\tret\n.cfi_endproc\t\n.size\tChaCha20_ctr32_avx2,.-ChaCha20_ctr32_avx2\n#endif\n#if defined(__linux__) && defined(__ELF__)\n.section .note.GNU-stack,\"\",%progbits\n#endif\n\n" }, { "path": "Sources/CNIOBoringSSL/gen/crypto/chacha20_poly1305_armv8-apple.S", "content": "#define BORINGSSL_PREFIX CNIOBoringSSL\n// This file is generated from a similarly-named Perl script in the BoringSSL\n// source tree. Do not edit by hand.\n\n#include \n\n#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_AARCH64) && defined(__APPLE__)\n#include \n.section\t__TEXT,__const\n\n.align\t7\nLchacha20_consts:\n.byte\t'e','x','p','a','n','d',' ','3','2','-','b','y','t','e',' ','k'\nLinc:\n.long\t1,2,3,4\nLrol8:\n.byte\t3,0,1,2, 7,4,5,6, 11,8,9,10, 15,12,13,14\nLclamp:\n.quad\t0x0FFFFFFC0FFFFFFF, 0x0FFFFFFC0FFFFFFC\n\n.text\n\n\n.align\t6\nLpoly_hash_ad_internal:\n.cfi_startproc\n\tcbnz\tx4, Lpoly_hash_intro\n\tret\n\nLpoly_hash_intro:\n\tcmp\tx4, #16\n\tb.lt\tLpoly_hash_ad_tail\n\tldp\tx11, x12, [x3], 16\n\tadds\tx8, x8, x11\n\tadcs\tx9, x9, x12\n\tadc\tx10, x10, x15\n\tmul\tx11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0\n\tumulh\tx12, x8, x16\n\tmul\tx13, x9, x16\n\tumulh\tx14, x9, x16\n\tadds\tx12, x12, x13\n\tmul\tx13, x10, x16\n\tadc\tx13, x13, x14\n\tmul\tx14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0]\n\tumulh\tx8, x8, x17\n\tadds\tx12, x12, x14\n\tmul\tx14, x9, x17\n\tumulh\tx9, x9, x17\n\tadcs\tx14, x14, x8\n\tmul\tx10, x10, x17\n\tadc\tx10, x10, x9\n\tadds\tx13, x13, x14\n\tadc\tx14, x10, xzr\n\tand\tx10, x13, #3 // At this point acc2 is 2 bits at most (value of 3)\n\tand\tx8, x13, #-4\n\textr\tx13, x14, x13, #2\n\tadds\tx8, x8, x11\n\tlsr\tx11, x14, #2\n\tadc\tx9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits\n\tadds\tx8, x8, x13\n\tadcs\tx9, x9, x12\n\tadc\tx10, x10, xzr // At this point acc2 has the value of 4 at most\n\tsub\tx4, x4, #16\n\tb\tLpoly_hash_ad_internal\n\nLpoly_hash_ad_tail:\n\tcbz\tx4, Lpoly_hash_ad_ret\n\n\teor\tv20.16b, v20.16b, v20.16b // Use T0 to load the AAD\n\tsub\tx4, x4, #1\n\nLpoly_hash_tail_16_compose:\n\text\tv20.16b, v20.16b, v20.16b, #15\n\tldrb\tw11, [x3, x4]\n\tmov\tv20.b[0], w11\n\tsubs\tx4, x4, #1\n\tb.ge\tLpoly_hash_tail_16_compose\n\tmov\tx11, v20.d[0]\n\tmov\tx12, v20.d[1]\n\tadds\tx8, x8, x11\n\tadcs\tx9, x9, x12\n\tadc\tx10, x10, x15\n\tmul\tx11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0\n\tumulh\tx12, x8, x16\n\tmul\tx13, x9, x16\n\tumulh\tx14, x9, x16\n\tadds\tx12, x12, x13\n\tmul\tx13, x10, x16\n\tadc\tx13, x13, x14\n\tmul\tx14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0]\n\tumulh\tx8, x8, x17\n\tadds\tx12, x12, x14\n\tmul\tx14, x9, x17\n\tumulh\tx9, x9, x17\n\tadcs\tx14, x14, x8\n\tmul\tx10, x10, x17\n\tadc\tx10, x10, x9\n\tadds\tx13, x13, x14\n\tadc\tx14, x10, xzr\n\tand\tx10, x13, #3 // At this point acc2 is 2 bits at most (value of 3)\n\tand\tx8, x13, #-4\n\textr\tx13, x14, x13, #2\n\tadds\tx8, x8, x11\n\tlsr\tx11, x14, #2\n\tadc\tx9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits\n\tadds\tx8, x8, x13\n\tadcs\tx9, x9, x12\n\tadc\tx10, x10, xzr // At this point acc2 has the value of 4 at most\n\nLpoly_hash_ad_ret:\n\tret\n.cfi_endproc\n\n\n/////////////////////////////////\n//\n// void chacha20_poly1305_seal(uint8_t *pt, uint8_t *ct, size_t len_in, uint8_t *ad, size_t len_ad, union open_data *seal_data);\n//\n.globl\t_chacha20_poly1305_seal\n.private_extern\t_chacha20_poly1305_seal\n\n.align\t6\n_chacha20_poly1305_seal:\n\tAARCH64_SIGN_LINK_REGISTER\n.cfi_startproc\n\tstp\tx29, x30, [sp, #-80]!\n.cfi_def_cfa_offset\t80\n.cfi_offset\tw30, -72\n.cfi_offset\tw29, -80\n\tmov\tx29, sp\n // We probably could do .cfi_def_cfa w29, 80 at this point, but since\n // we don't actually use the frame pointer like that, it's probably not\n // worth bothering.\n\tstp\td8, d9, [sp, #16]\n\tstp\td10, d11, [sp, #32]\n\tstp\td12, d13, [sp, #48]\n\tstp\td14, d15, [sp, #64]\n.cfi_offset\tb15, -8\n.cfi_offset\tb14, -16\n.cfi_offset\tb13, -24\n.cfi_offset\tb12, -32\n.cfi_offset\tb11, -40\n.cfi_offset\tb10, -48\n.cfi_offset\tb9, -56\n.cfi_offset\tb8, -64\n\n\tadrp\tx11, Lchacha20_consts@PAGE\n\tadd\tx11, x11, Lchacha20_consts@PAGEOFF\n\n\tld1\t{v24.16b - v27.16b}, [x11] // Load the CONSTS, INC, ROL8 and CLAMP values\n\tld1\t{v28.16b - v30.16b}, [x5]\n\n\tmov\tx15, #1 // Prepare the Poly1305 state\n\tmov\tx8, #0\n\tmov\tx9, #0\n\tmov\tx10, #0\n\n\tldr\tx12, [x5, #56] // The total cipher text length includes extra_in_len\n\tadd\tx12, x12, x2\n\tmov\tv31.d[0], x4 // Store the input and aad lengths\n\tmov\tv31.d[1], x12\n\n\tcmp\tx2, #128\n\tb.le\tLseal_128 // Optimization for smaller buffers\n\n // Initially we prepare 5 ChaCha20 blocks. Four to encrypt up to 4 blocks (256 bytes) of plaintext,\n // and one for the Poly1305 R and S keys. The first four blocks (A0-A3..D0-D3) are computed vertically,\n // the fifth block (A4-D4) horizontally.\n\tld4r\t{v0.4s,v1.4s,v2.4s,v3.4s}, [x11]\n\tmov\tv4.16b, v24.16b\n\n\tld4r\t{v5.4s,v6.4s,v7.4s,v8.4s}, [x5], #16\n\tmov\tv9.16b, v28.16b\n\n\tld4r\t{v10.4s,v11.4s,v12.4s,v13.4s}, [x5], #16\n\tmov\tv14.16b, v29.16b\n\n\tld4r\t{v15.4s,v16.4s,v17.4s,v18.4s}, [x5]\n\tadd\tv15.4s, v15.4s, v25.4s\n\tmov\tv19.16b, v30.16b\n\n\tsub\tx5, x5, #32\n\n\tmov\tx6, #10\n\n.align\t5\nLseal_init_rounds:\n\tadd\tv0.4s, v0.4s, v5.4s\n\tadd\tv1.4s, v1.4s, v6.4s\n\tadd\tv2.4s, v2.4s, v7.4s\n\tadd\tv3.4s, v3.4s, v8.4s\n\tadd\tv4.4s, v4.4s, v9.4s\n\n\teor\tv15.16b, v15.16b, v0.16b\n\teor\tv16.16b, v16.16b, v1.16b\n\teor\tv17.16b, v17.16b, v2.16b\n\teor\tv18.16b, v18.16b, v3.16b\n\teor\tv19.16b, v19.16b, v4.16b\n\n\trev32\tv15.8h, v15.8h\n\trev32\tv16.8h, v16.8h\n\trev32\tv17.8h, v17.8h\n\trev32\tv18.8h, v18.8h\n\trev32\tv19.8h, v19.8h\n\n\tadd\tv10.4s, v10.4s, v15.4s\n\tadd\tv11.4s, v11.4s, v16.4s\n\tadd\tv12.4s, v12.4s, v17.4s\n\tadd\tv13.4s, v13.4s, v18.4s\n\tadd\tv14.4s, v14.4s, v19.4s\n\n\teor\tv5.16b, v5.16b, v10.16b\n\teor\tv6.16b, v6.16b, v11.16b\n\teor\tv7.16b, v7.16b, v12.16b\n\teor\tv8.16b, v8.16b, v13.16b\n\teor\tv9.16b, v9.16b, v14.16b\n\n\tushr\tv20.4s, v5.4s, #20\n\tsli\tv20.4s, v5.4s, #12\n\tushr\tv5.4s, v6.4s, #20\n\tsli\tv5.4s, v6.4s, #12\n\tushr\tv6.4s, v7.4s, #20\n\tsli\tv6.4s, v7.4s, #12\n\tushr\tv7.4s, v8.4s, #20\n\tsli\tv7.4s, v8.4s, #12\n\tushr\tv8.4s, v9.4s, #20\n\tsli\tv8.4s, v9.4s, #12\n\n\tadd\tv0.4s, v0.4s, v20.4s\n\tadd\tv1.4s, v1.4s, v5.4s\n\tadd\tv2.4s, v2.4s, v6.4s\n\tadd\tv3.4s, v3.4s, v7.4s\n\tadd\tv4.4s, v4.4s, v8.4s\n\n\teor\tv15.16b, v15.16b, v0.16b\n\teor\tv16.16b, v16.16b, v1.16b\n\teor\tv17.16b, v17.16b, v2.16b\n\teor\tv18.16b, v18.16b, v3.16b\n\teor\tv19.16b, v19.16b, v4.16b\n\n\ttbl\tv15.16b, {v15.16b}, v26.16b\n\ttbl\tv16.16b, {v16.16b}, v26.16b\n\ttbl\tv17.16b, {v17.16b}, v26.16b\n\ttbl\tv18.16b, {v18.16b}, v26.16b\n\ttbl\tv19.16b, {v19.16b}, v26.16b\n\n\tadd\tv10.4s, v10.4s, v15.4s\n\tadd\tv11.4s, v11.4s, v16.4s\n\tadd\tv12.4s, v12.4s, v17.4s\n\tadd\tv13.4s, v13.4s, v18.4s\n\tadd\tv14.4s, v14.4s, v19.4s\n\n\teor\tv20.16b, v20.16b, v10.16b\n\teor\tv5.16b, v5.16b, v11.16b\n\teor\tv6.16b, v6.16b, v12.16b\n\teor\tv7.16b, v7.16b, v13.16b\n\teor\tv8.16b, v8.16b, v14.16b\n\n\tushr\tv9.4s, v8.4s, #25\n\tsli\tv9.4s, v8.4s, #7\n\tushr\tv8.4s, v7.4s, #25\n\tsli\tv8.4s, v7.4s, #7\n\tushr\tv7.4s, v6.4s, #25\n\tsli\tv7.4s, v6.4s, #7\n\tushr\tv6.4s, v5.4s, #25\n\tsli\tv6.4s, v5.4s, #7\n\tushr\tv5.4s, v20.4s, #25\n\tsli\tv5.4s, v20.4s, #7\n\n\text\tv9.16b, v9.16b, v9.16b, #4\n\text\tv14.16b, v14.16b, v14.16b, #8\n\text\tv19.16b, v19.16b, v19.16b, #12\n\tadd\tv0.4s, v0.4s, v6.4s\n\tadd\tv1.4s, v1.4s, v7.4s\n\tadd\tv2.4s, v2.4s, v8.4s\n\tadd\tv3.4s, v3.4s, v5.4s\n\tadd\tv4.4s, v4.4s, v9.4s\n\n\teor\tv18.16b, v18.16b, v0.16b\n\teor\tv15.16b, v15.16b, v1.16b\n\teor\tv16.16b, v16.16b, v2.16b\n\teor\tv17.16b, v17.16b, v3.16b\n\teor\tv19.16b, v19.16b, v4.16b\n\n\trev32\tv18.8h, v18.8h\n\trev32\tv15.8h, v15.8h\n\trev32\tv16.8h, v16.8h\n\trev32\tv17.8h, v17.8h\n\trev32\tv19.8h, v19.8h\n\n\tadd\tv12.4s, v12.4s, v18.4s\n\tadd\tv13.4s, v13.4s, v15.4s\n\tadd\tv10.4s, v10.4s, v16.4s\n\tadd\tv11.4s, v11.4s, v17.4s\n\tadd\tv14.4s, v14.4s, v19.4s\n\n\teor\tv6.16b, v6.16b, v12.16b\n\teor\tv7.16b, v7.16b, v13.16b\n\teor\tv8.16b, v8.16b, v10.16b\n\teor\tv5.16b, v5.16b, v11.16b\n\teor\tv9.16b, v9.16b, v14.16b\n\n\tushr\tv20.4s, v6.4s, #20\n\tsli\tv20.4s, v6.4s, #12\n\tushr\tv6.4s, v7.4s, #20\n\tsli\tv6.4s, v7.4s, #12\n\tushr\tv7.4s, v8.4s, #20\n\tsli\tv7.4s, v8.4s, #12\n\tushr\tv8.4s, v5.4s, #20\n\tsli\tv8.4s, v5.4s, #12\n\tushr\tv5.4s, v9.4s, #20\n\tsli\tv5.4s, v9.4s, #12\n\n\tadd\tv0.4s, v0.4s, v20.4s\n\tadd\tv1.4s, v1.4s, v6.4s\n\tadd\tv2.4s, v2.4s, v7.4s\n\tadd\tv3.4s, v3.4s, v8.4s\n\tadd\tv4.4s, v4.4s, v5.4s\n\n\teor\tv18.16b, v18.16b, v0.16b\n\teor\tv15.16b, v15.16b, v1.16b\n\teor\tv16.16b, v16.16b, v2.16b\n\teor\tv17.16b, v17.16b, v3.16b\n\teor\tv19.16b, v19.16b, v4.16b\n\n\ttbl\tv18.16b, {v18.16b}, v26.16b\n\ttbl\tv15.16b, {v15.16b}, v26.16b\n\ttbl\tv16.16b, {v16.16b}, v26.16b\n\ttbl\tv17.16b, {v17.16b}, v26.16b\n\ttbl\tv19.16b, {v19.16b}, v26.16b\n\n\tadd\tv12.4s, v12.4s, v18.4s\n\tadd\tv13.4s, v13.4s, v15.4s\n\tadd\tv10.4s, v10.4s, v16.4s\n\tadd\tv11.4s, v11.4s, v17.4s\n\tadd\tv14.4s, v14.4s, v19.4s\n\n\teor\tv20.16b, v20.16b, v12.16b\n\teor\tv6.16b, v6.16b, v13.16b\n\teor\tv7.16b, v7.16b, v10.16b\n\teor\tv8.16b, v8.16b, v11.16b\n\teor\tv5.16b, v5.16b, v14.16b\n\n\tushr\tv9.4s, v5.4s, #25\n\tsli\tv9.4s, v5.4s, #7\n\tushr\tv5.4s, v8.4s, #25\n\tsli\tv5.4s, v8.4s, #7\n\tushr\tv8.4s, v7.4s, #25\n\tsli\tv8.4s, v7.4s, #7\n\tushr\tv7.4s, v6.4s, #25\n\tsli\tv7.4s, v6.4s, #7\n\tushr\tv6.4s, v20.4s, #25\n\tsli\tv6.4s, v20.4s, #7\n\n\text\tv9.16b, v9.16b, v9.16b, #12\n\text\tv14.16b, v14.16b, v14.16b, #8\n\text\tv19.16b, v19.16b, v19.16b, #4\n\tsubs\tx6, x6, #1\n\tb.hi\tLseal_init_rounds\n\n\tadd\tv15.4s, v15.4s, v25.4s\n\tmov\tx11, #4\n\tdup\tv20.4s, w11\n\tadd\tv25.4s, v25.4s, v20.4s\n\n\tzip1\tv20.4s, v0.4s, v1.4s\n\tzip2\tv21.4s, v0.4s, v1.4s\n\tzip1\tv22.4s, v2.4s, v3.4s\n\tzip2\tv23.4s, v2.4s, v3.4s\n\n\tzip1\tv0.2d, v20.2d, v22.2d\n\tzip2\tv1.2d, v20.2d, v22.2d\n\tzip1\tv2.2d, v21.2d, v23.2d\n\tzip2\tv3.2d, v21.2d, v23.2d\n\n\tzip1\tv20.4s, v5.4s, v6.4s\n\tzip2\tv21.4s, v5.4s, v6.4s\n\tzip1\tv22.4s, v7.4s, v8.4s\n\tzip2\tv23.4s, v7.4s, v8.4s\n\n\tzip1\tv5.2d, v20.2d, v22.2d\n\tzip2\tv6.2d, v20.2d, v22.2d\n\tzip1\tv7.2d, v21.2d, v23.2d\n\tzip2\tv8.2d, v21.2d, v23.2d\n\n\tzip1\tv20.4s, v10.4s, v11.4s\n\tzip2\tv21.4s, v10.4s, v11.4s\n\tzip1\tv22.4s, v12.4s, v13.4s\n\tzip2\tv23.4s, v12.4s, v13.4s\n\n\tzip1\tv10.2d, v20.2d, v22.2d\n\tzip2\tv11.2d, v20.2d, v22.2d\n\tzip1\tv12.2d, v21.2d, v23.2d\n\tzip2\tv13.2d, v21.2d, v23.2d\n\n\tzip1\tv20.4s, v15.4s, v16.4s\n\tzip2\tv21.4s, v15.4s, v16.4s\n\tzip1\tv22.4s, v17.4s, v18.4s\n\tzip2\tv23.4s, v17.4s, v18.4s\n\n\tzip1\tv15.2d, v20.2d, v22.2d\n\tzip2\tv16.2d, v20.2d, v22.2d\n\tzip1\tv17.2d, v21.2d, v23.2d\n\tzip2\tv18.2d, v21.2d, v23.2d\n\n\tadd\tv4.4s, v4.4s, v24.4s\n\tadd\tv9.4s, v9.4s, v28.4s\n\tand\tv4.16b, v4.16b, v27.16b\n\n\tadd\tv0.4s, v0.4s, v24.4s\n\tadd\tv5.4s, v5.4s, v28.4s\n\tadd\tv10.4s, v10.4s, v29.4s\n\tadd\tv15.4s, v15.4s, v30.4s\n\n\tadd\tv1.4s, v1.4s, v24.4s\n\tadd\tv6.4s, v6.4s, v28.4s\n\tadd\tv11.4s, v11.4s, v29.4s\n\tadd\tv16.4s, v16.4s, v30.4s\n\n\tadd\tv2.4s, v2.4s, v24.4s\n\tadd\tv7.4s, v7.4s, v28.4s\n\tadd\tv12.4s, v12.4s, v29.4s\n\tadd\tv17.4s, v17.4s, v30.4s\n\n\tadd\tv3.4s, v3.4s, v24.4s\n\tadd\tv8.4s, v8.4s, v28.4s\n\tadd\tv13.4s, v13.4s, v29.4s\n\tadd\tv18.4s, v18.4s, v30.4s\n\n\tmov\tx16, v4.d[0] // Move the R key to GPRs\n\tmov\tx17, v4.d[1]\n\tmov\tv27.16b, v9.16b // Store the S key\n\n\tbl\tLpoly_hash_ad_internal\n\n\tmov\tx3, x0\n\tcmp\tx2, #256\n\tb.le\tLseal_tail\n\n\tld1\t{v20.16b - v23.16b}, [x1], #64\n\teor\tv20.16b, v20.16b, v0.16b\n\teor\tv21.16b, v21.16b, v5.16b\n\teor\tv22.16b, v22.16b, v10.16b\n\teor\tv23.16b, v23.16b, v15.16b\n\tst1\t{v20.16b - v23.16b}, [x0], #64\n\n\tld1\t{v20.16b - v23.16b}, [x1], #64\n\teor\tv20.16b, v20.16b, v1.16b\n\teor\tv21.16b, v21.16b, v6.16b\n\teor\tv22.16b, v22.16b, v11.16b\n\teor\tv23.16b, v23.16b, v16.16b\n\tst1\t{v20.16b - v23.16b}, [x0], #64\n\n\tld1\t{v20.16b - v23.16b}, [x1], #64\n\teor\tv20.16b, v20.16b, v2.16b\n\teor\tv21.16b, v21.16b, v7.16b\n\teor\tv22.16b, v22.16b, v12.16b\n\teor\tv23.16b, v23.16b, v17.16b\n\tst1\t{v20.16b - v23.16b}, [x0], #64\n\n\tld1\t{v20.16b - v23.16b}, [x1], #64\n\teor\tv20.16b, v20.16b, v3.16b\n\teor\tv21.16b, v21.16b, v8.16b\n\teor\tv22.16b, v22.16b, v13.16b\n\teor\tv23.16b, v23.16b, v18.16b\n\tst1\t{v20.16b - v23.16b}, [x0], #64\n\n\tsub\tx2, x2, #256\n\n\tmov\tx6, #4 // In the first run of the loop we need to hash 256 bytes, therefore we hash one block for the first 4 rounds\n\tmov\tx7, #6 // and two blocks for the remaining 6, for a total of (1 * 4 + 2 * 6) * 16 = 256\n\nLseal_main_loop:\n\tadrp\tx11, Lchacha20_consts@PAGE\n\tadd\tx11, x11, Lchacha20_consts@PAGEOFF\n\n\tld4r\t{v0.4s,v1.4s,v2.4s,v3.4s}, [x11]\n\tmov\tv4.16b, v24.16b\n\n\tld4r\t{v5.4s,v6.4s,v7.4s,v8.4s}, [x5], #16\n\tmov\tv9.16b, v28.16b\n\n\tld4r\t{v10.4s,v11.4s,v12.4s,v13.4s}, [x5], #16\n\tmov\tv14.16b, v29.16b\n\n\tld4r\t{v15.4s,v16.4s,v17.4s,v18.4s}, [x5]\n\tadd\tv15.4s, v15.4s, v25.4s\n\tmov\tv19.16b, v30.16b\n\n\teor\tv20.16b, v20.16b, v20.16b //zero\n\tnot\tv21.16b, v20.16b // -1\n\tsub\tv21.4s, v25.4s, v21.4s // Add +1\n\text\tv20.16b, v21.16b, v20.16b, #12 // Get the last element (counter)\n\tadd\tv19.4s, v19.4s, v20.4s\n\n\tsub\tx5, x5, #32\n.align\t5\nLseal_main_loop_rounds:\n\tadd\tv0.4s, v0.4s, v5.4s\n\tadd\tv1.4s, v1.4s, v6.4s\n\tadd\tv2.4s, v2.4s, v7.4s\n\tadd\tv3.4s, v3.4s, v8.4s\n\tadd\tv4.4s, v4.4s, v9.4s\n\n\teor\tv15.16b, v15.16b, v0.16b\n\teor\tv16.16b, v16.16b, v1.16b\n\teor\tv17.16b, v17.16b, v2.16b\n\teor\tv18.16b, v18.16b, v3.16b\n\teor\tv19.16b, v19.16b, v4.16b\n\n\trev32\tv15.8h, v15.8h\n\trev32\tv16.8h, v16.8h\n\trev32\tv17.8h, v17.8h\n\trev32\tv18.8h, v18.8h\n\trev32\tv19.8h, v19.8h\n\n\tadd\tv10.4s, v10.4s, v15.4s\n\tadd\tv11.4s, v11.4s, v16.4s\n\tadd\tv12.4s, v12.4s, v17.4s\n\tadd\tv13.4s, v13.4s, v18.4s\n\tadd\tv14.4s, v14.4s, v19.4s\n\n\teor\tv5.16b, v5.16b, v10.16b\n\teor\tv6.16b, v6.16b, v11.16b\n\teor\tv7.16b, v7.16b, v12.16b\n\teor\tv8.16b, v8.16b, v13.16b\n\teor\tv9.16b, v9.16b, v14.16b\n\n\tushr\tv20.4s, v5.4s, #20\n\tsli\tv20.4s, v5.4s, #12\n\tushr\tv5.4s, v6.4s, #20\n\tsli\tv5.4s, v6.4s, #12\n\tushr\tv6.4s, v7.4s, #20\n\tsli\tv6.4s, v7.4s, #12\n\tushr\tv7.4s, v8.4s, #20\n\tsli\tv7.4s, v8.4s, #12\n\tushr\tv8.4s, v9.4s, #20\n\tsli\tv8.4s, v9.4s, #12\n\n\tadd\tv0.4s, v0.4s, v20.4s\n\tadd\tv1.4s, v1.4s, v5.4s\n\tadd\tv2.4s, v2.4s, v6.4s\n\tadd\tv3.4s, v3.4s, v7.4s\n\tadd\tv4.4s, v4.4s, v8.4s\n\n\teor\tv15.16b, v15.16b, v0.16b\n\teor\tv16.16b, v16.16b, v1.16b\n\teor\tv17.16b, v17.16b, v2.16b\n\teor\tv18.16b, v18.16b, v3.16b\n\teor\tv19.16b, v19.16b, v4.16b\n\n\ttbl\tv15.16b, {v15.16b}, v26.16b\n\ttbl\tv16.16b, {v16.16b}, v26.16b\n\ttbl\tv17.16b, {v17.16b}, v26.16b\n\ttbl\tv18.16b, {v18.16b}, v26.16b\n\ttbl\tv19.16b, {v19.16b}, v26.16b\n\n\tadd\tv10.4s, v10.4s, v15.4s\n\tadd\tv11.4s, v11.4s, v16.4s\n\tadd\tv12.4s, v12.4s, v17.4s\n\tadd\tv13.4s, v13.4s, v18.4s\n\tadd\tv14.4s, v14.4s, v19.4s\n\n\teor\tv20.16b, v20.16b, v10.16b\n\teor\tv5.16b, v5.16b, v11.16b\n\teor\tv6.16b, v6.16b, v12.16b\n\teor\tv7.16b, v7.16b, v13.16b\n\teor\tv8.16b, v8.16b, v14.16b\n\n\tushr\tv9.4s, v8.4s, #25\n\tsli\tv9.4s, v8.4s, #7\n\tushr\tv8.4s, v7.4s, #25\n\tsli\tv8.4s, v7.4s, #7\n\tushr\tv7.4s, v6.4s, #25\n\tsli\tv7.4s, v6.4s, #7\n\tushr\tv6.4s, v5.4s, #25\n\tsli\tv6.4s, v5.4s, #7\n\tushr\tv5.4s, v20.4s, #25\n\tsli\tv5.4s, v20.4s, #7\n\n\text\tv9.16b, v9.16b, v9.16b, #4\n\text\tv14.16b, v14.16b, v14.16b, #8\n\text\tv19.16b, v19.16b, v19.16b, #12\n\tldp\tx11, x12, [x3], 16\n\tadds\tx8, x8, x11\n\tadcs\tx9, x9, x12\n\tadc\tx10, x10, x15\n\tmul\tx11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0\n\tumulh\tx12, x8, x16\n\tmul\tx13, x9, x16\n\tumulh\tx14, x9, x16\n\tadds\tx12, x12, x13\n\tmul\tx13, x10, x16\n\tadc\tx13, x13, x14\n\tmul\tx14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0]\n\tumulh\tx8, x8, x17\n\tadds\tx12, x12, x14\n\tmul\tx14, x9, x17\n\tumulh\tx9, x9, x17\n\tadcs\tx14, x14, x8\n\tmul\tx10, x10, x17\n\tadc\tx10, x10, x9\n\tadds\tx13, x13, x14\n\tadc\tx14, x10, xzr\n\tand\tx10, x13, #3 // At this point acc2 is 2 bits at most (value of 3)\n\tand\tx8, x13, #-4\n\textr\tx13, x14, x13, #2\n\tadds\tx8, x8, x11\n\tlsr\tx11, x14, #2\n\tadc\tx9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits\n\tadds\tx8, x8, x13\n\tadcs\tx9, x9, x12\n\tadc\tx10, x10, xzr // At this point acc2 has the value of 4 at most\n\tadd\tv0.4s, v0.4s, v6.4s\n\tadd\tv1.4s, v1.4s, v7.4s\n\tadd\tv2.4s, v2.4s, v8.4s\n\tadd\tv3.4s, v3.4s, v5.4s\n\tadd\tv4.4s, v4.4s, v9.4s\n\n\teor\tv18.16b, v18.16b, v0.16b\n\teor\tv15.16b, v15.16b, v1.16b\n\teor\tv16.16b, v16.16b, v2.16b\n\teor\tv17.16b, v17.16b, v3.16b\n\teor\tv19.16b, v19.16b, v4.16b\n\n\trev32\tv18.8h, v18.8h\n\trev32\tv15.8h, v15.8h\n\trev32\tv16.8h, v16.8h\n\trev32\tv17.8h, v17.8h\n\trev32\tv19.8h, v19.8h\n\n\tadd\tv12.4s, v12.4s, v18.4s\n\tadd\tv13.4s, v13.4s, v15.4s\n\tadd\tv10.4s, v10.4s, v16.4s\n\tadd\tv11.4s, v11.4s, v17.4s\n\tadd\tv14.4s, v14.4s, v19.4s\n\n\teor\tv6.16b, v6.16b, v12.16b\n\teor\tv7.16b, v7.16b, v13.16b\n\teor\tv8.16b, v8.16b, v10.16b\n\teor\tv5.16b, v5.16b, v11.16b\n\teor\tv9.16b, v9.16b, v14.16b\n\n\tushr\tv20.4s, v6.4s, #20\n\tsli\tv20.4s, v6.4s, #12\n\tushr\tv6.4s, v7.4s, #20\n\tsli\tv6.4s, v7.4s, #12\n\tushr\tv7.4s, v8.4s, #20\n\tsli\tv7.4s, v8.4s, #12\n\tushr\tv8.4s, v5.4s, #20\n\tsli\tv8.4s, v5.4s, #12\n\tushr\tv5.4s, v9.4s, #20\n\tsli\tv5.4s, v9.4s, #12\n\n\tadd\tv0.4s, v0.4s, v20.4s\n\tadd\tv1.4s, v1.4s, v6.4s\n\tadd\tv2.4s, v2.4s, v7.4s\n\tadd\tv3.4s, v3.4s, v8.4s\n\tadd\tv4.4s, v4.4s, v5.4s\n\n\teor\tv18.16b, v18.16b, v0.16b\n\teor\tv15.16b, v15.16b, v1.16b\n\teor\tv16.16b, v16.16b, v2.16b\n\teor\tv17.16b, v17.16b, v3.16b\n\teor\tv19.16b, v19.16b, v4.16b\n\n\ttbl\tv18.16b, {v18.16b}, v26.16b\n\ttbl\tv15.16b, {v15.16b}, v26.16b\n\ttbl\tv16.16b, {v16.16b}, v26.16b\n\ttbl\tv17.16b, {v17.16b}, v26.16b\n\ttbl\tv19.16b, {v19.16b}, v26.16b\n\n\tadd\tv12.4s, v12.4s, v18.4s\n\tadd\tv13.4s, v13.4s, v15.4s\n\tadd\tv10.4s, v10.4s, v16.4s\n\tadd\tv11.4s, v11.4s, v17.4s\n\tadd\tv14.4s, v14.4s, v19.4s\n\n\teor\tv20.16b, v20.16b, v12.16b\n\teor\tv6.16b, v6.16b, v13.16b\n\teor\tv7.16b, v7.16b, v10.16b\n\teor\tv8.16b, v8.16b, v11.16b\n\teor\tv5.16b, v5.16b, v14.16b\n\n\tushr\tv9.4s, v5.4s, #25\n\tsli\tv9.4s, v5.4s, #7\n\tushr\tv5.4s, v8.4s, #25\n\tsli\tv5.4s, v8.4s, #7\n\tushr\tv8.4s, v7.4s, #25\n\tsli\tv8.4s, v7.4s, #7\n\tushr\tv7.4s, v6.4s, #25\n\tsli\tv7.4s, v6.4s, #7\n\tushr\tv6.4s, v20.4s, #25\n\tsli\tv6.4s, v20.4s, #7\n\n\text\tv9.16b, v9.16b, v9.16b, #12\n\text\tv14.16b, v14.16b, v14.16b, #8\n\text\tv19.16b, v19.16b, v19.16b, #4\n\tsubs\tx6, x6, #1\n\tb.ge\tLseal_main_loop_rounds\n\tldp\tx11, x12, [x3], 16\n\tadds\tx8, x8, x11\n\tadcs\tx9, x9, x12\n\tadc\tx10, x10, x15\n\tmul\tx11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0\n\tumulh\tx12, x8, x16\n\tmul\tx13, x9, x16\n\tumulh\tx14, x9, x16\n\tadds\tx12, x12, x13\n\tmul\tx13, x10, x16\n\tadc\tx13, x13, x14\n\tmul\tx14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0]\n\tumulh\tx8, x8, x17\n\tadds\tx12, x12, x14\n\tmul\tx14, x9, x17\n\tumulh\tx9, x9, x17\n\tadcs\tx14, x14, x8\n\tmul\tx10, x10, x17\n\tadc\tx10, x10, x9\n\tadds\tx13, x13, x14\n\tadc\tx14, x10, xzr\n\tand\tx10, x13, #3 // At this point acc2 is 2 bits at most (value of 3)\n\tand\tx8, x13, #-4\n\textr\tx13, x14, x13, #2\n\tadds\tx8, x8, x11\n\tlsr\tx11, x14, #2\n\tadc\tx9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits\n\tadds\tx8, x8, x13\n\tadcs\tx9, x9, x12\n\tadc\tx10, x10, xzr // At this point acc2 has the value of 4 at most\n\tsubs\tx7, x7, #1\n\tb.gt\tLseal_main_loop_rounds\n\n\teor\tv20.16b, v20.16b, v20.16b //zero\n\tnot\tv21.16b, v20.16b // -1\n\tsub\tv21.4s, v25.4s, v21.4s // Add +1\n\text\tv20.16b, v21.16b, v20.16b, #12 // Get the last element (counter)\n\tadd\tv19.4s, v19.4s, v20.4s\n\n\tadd\tv15.4s, v15.4s, v25.4s\n\tmov\tx11, #5\n\tdup\tv20.4s, w11\n\tadd\tv25.4s, v25.4s, v20.4s\n\n\tzip1\tv20.4s, v0.4s, v1.4s\n\tzip2\tv21.4s, v0.4s, v1.4s\n\tzip1\tv22.4s, v2.4s, v3.4s\n\tzip2\tv23.4s, v2.4s, v3.4s\n\n\tzip1\tv0.2d, v20.2d, v22.2d\n\tzip2\tv1.2d, v20.2d, v22.2d\n\tzip1\tv2.2d, v21.2d, v23.2d\n\tzip2\tv3.2d, v21.2d, v23.2d\n\n\tzip1\tv20.4s, v5.4s, v6.4s\n\tzip2\tv21.4s, v5.4s, v6.4s\n\tzip1\tv22.4s, v7.4s, v8.4s\n\tzip2\tv23.4s, v7.4s, v8.4s\n\n\tzip1\tv5.2d, v20.2d, v22.2d\n\tzip2\tv6.2d, v20.2d, v22.2d\n\tzip1\tv7.2d, v21.2d, v23.2d\n\tzip2\tv8.2d, v21.2d, v23.2d\n\n\tzip1\tv20.4s, v10.4s, v11.4s\n\tzip2\tv21.4s, v10.4s, v11.4s\n\tzip1\tv22.4s, v12.4s, v13.4s\n\tzip2\tv23.4s, v12.4s, v13.4s\n\n\tzip1\tv10.2d, v20.2d, v22.2d\n\tzip2\tv11.2d, v20.2d, v22.2d\n\tzip1\tv12.2d, v21.2d, v23.2d\n\tzip2\tv13.2d, v21.2d, v23.2d\n\n\tzip1\tv20.4s, v15.4s, v16.4s\n\tzip2\tv21.4s, v15.4s, v16.4s\n\tzip1\tv22.4s, v17.4s, v18.4s\n\tzip2\tv23.4s, v17.4s, v18.4s\n\n\tzip1\tv15.2d, v20.2d, v22.2d\n\tzip2\tv16.2d, v20.2d, v22.2d\n\tzip1\tv17.2d, v21.2d, v23.2d\n\tzip2\tv18.2d, v21.2d, v23.2d\n\n\tadd\tv0.4s, v0.4s, v24.4s\n\tadd\tv5.4s, v5.4s, v28.4s\n\tadd\tv10.4s, v10.4s, v29.4s\n\tadd\tv15.4s, v15.4s, v30.4s\n\n\tadd\tv1.4s, v1.4s, v24.4s\n\tadd\tv6.4s, v6.4s, v28.4s\n\tadd\tv11.4s, v11.4s, v29.4s\n\tadd\tv16.4s, v16.4s, v30.4s\n\n\tadd\tv2.4s, v2.4s, v24.4s\n\tadd\tv7.4s, v7.4s, v28.4s\n\tadd\tv12.4s, v12.4s, v29.4s\n\tadd\tv17.4s, v17.4s, v30.4s\n\n\tadd\tv3.4s, v3.4s, v24.4s\n\tadd\tv8.4s, v8.4s, v28.4s\n\tadd\tv13.4s, v13.4s, v29.4s\n\tadd\tv18.4s, v18.4s, v30.4s\n\n\tadd\tv4.4s, v4.4s, v24.4s\n\tadd\tv9.4s, v9.4s, v28.4s\n\tadd\tv14.4s, v14.4s, v29.4s\n\tadd\tv19.4s, v19.4s, v30.4s\n\n\tcmp\tx2, #320\n\tb.le\tLseal_tail\n\n\tld1\t{v20.16b - v23.16b}, [x1], #64\n\teor\tv20.16b, v20.16b, v0.16b\n\teor\tv21.16b, v21.16b, v5.16b\n\teor\tv22.16b, v22.16b, v10.16b\n\teor\tv23.16b, v23.16b, v15.16b\n\tst1\t{v20.16b - v23.16b}, [x0], #64\n\n\tld1\t{v20.16b - v23.16b}, [x1], #64\n\teor\tv20.16b, v20.16b, v1.16b\n\teor\tv21.16b, v21.16b, v6.16b\n\teor\tv22.16b, v22.16b, v11.16b\n\teor\tv23.16b, v23.16b, v16.16b\n\tst1\t{v20.16b - v23.16b}, [x0], #64\n\n\tld1\t{v20.16b - v23.16b}, [x1], #64\n\teor\tv20.16b, v20.16b, v2.16b\n\teor\tv21.16b, v21.16b, v7.16b\n\teor\tv22.16b, v22.16b, v12.16b\n\teor\tv23.16b, v23.16b, v17.16b\n\tst1\t{v20.16b - v23.16b}, [x0], #64\n\n\tld1\t{v20.16b - v23.16b}, [x1], #64\n\teor\tv20.16b, v20.16b, v3.16b\n\teor\tv21.16b, v21.16b, v8.16b\n\teor\tv22.16b, v22.16b, v13.16b\n\teor\tv23.16b, v23.16b, v18.16b\n\tst1\t{v20.16b - v23.16b}, [x0], #64\n\n\tld1\t{v20.16b - v23.16b}, [x1], #64\n\teor\tv20.16b, v20.16b, v4.16b\n\teor\tv21.16b, v21.16b, v9.16b\n\teor\tv22.16b, v22.16b, v14.16b\n\teor\tv23.16b, v23.16b, v19.16b\n\tst1\t{v20.16b - v23.16b}, [x0], #64\n\n\tsub\tx2, x2, #320\n\n\tmov\tx6, #0\n\tmov\tx7, #10 // For the remainder of the loop we always hash and encrypt 320 bytes per iteration\n\n\tb\tLseal_main_loop\n\nLseal_tail:\n // This part of the function handles the storage and authentication of the last [0,320) bytes\n // We assume A0-A4 ... D0-D4 hold at least inl (320 max) bytes of the stream data.\n\tcmp\tx2, #64\n\tb.lt\tLseal_tail_64\n\n // Store and authenticate 64B blocks per iteration\n\tld1\t{v20.16b - v23.16b}, [x1], #64\n\n\teor\tv20.16b, v20.16b, v0.16b\n\teor\tv21.16b, v21.16b, v5.16b\n\teor\tv22.16b, v22.16b, v10.16b\n\teor\tv23.16b, v23.16b, v15.16b\n\tmov\tx11, v20.d[0]\n\tmov\tx12, v20.d[1]\n\tadds\tx8, x8, x11\n\tadcs\tx9, x9, x12\n\tadc\tx10, x10, x15\n\tmul\tx11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0\n\tumulh\tx12, x8, x16\n\tmul\tx13, x9, x16\n\tumulh\tx14, x9, x16\n\tadds\tx12, x12, x13\n\tmul\tx13, x10, x16\n\tadc\tx13, x13, x14\n\tmul\tx14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0]\n\tumulh\tx8, x8, x17\n\tadds\tx12, x12, x14\n\tmul\tx14, x9, x17\n\tumulh\tx9, x9, x17\n\tadcs\tx14, x14, x8\n\tmul\tx10, x10, x17\n\tadc\tx10, x10, x9\n\tadds\tx13, x13, x14\n\tadc\tx14, x10, xzr\n\tand\tx10, x13, #3 // At this point acc2 is 2 bits at most (value of 3)\n\tand\tx8, x13, #-4\n\textr\tx13, x14, x13, #2\n\tadds\tx8, x8, x11\n\tlsr\tx11, x14, #2\n\tadc\tx9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits\n\tadds\tx8, x8, x13\n\tadcs\tx9, x9, x12\n\tadc\tx10, x10, xzr // At this point acc2 has the value of 4 at most\n\tmov\tx11, v21.d[0]\n\tmov\tx12, v21.d[1]\n\tadds\tx8, x8, x11\n\tadcs\tx9, x9, x12\n\tadc\tx10, x10, x15\n\tmul\tx11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0\n\tumulh\tx12, x8, x16\n\tmul\tx13, x9, x16\n\tumulh\tx14, x9, x16\n\tadds\tx12, x12, x13\n\tmul\tx13, x10, x16\n\tadc\tx13, x13, x14\n\tmul\tx14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0]\n\tumulh\tx8, x8, x17\n\tadds\tx12, x12, x14\n\tmul\tx14, x9, x17\n\tumulh\tx9, x9, x17\n\tadcs\tx14, x14, x8\n\tmul\tx10, x10, x17\n\tadc\tx10, x10, x9\n\tadds\tx13, x13, x14\n\tadc\tx14, x10, xzr\n\tand\tx10, x13, #3 // At this point acc2 is 2 bits at most (value of 3)\n\tand\tx8, x13, #-4\n\textr\tx13, x14, x13, #2\n\tadds\tx8, x8, x11\n\tlsr\tx11, x14, #2\n\tadc\tx9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits\n\tadds\tx8, x8, x13\n\tadcs\tx9, x9, x12\n\tadc\tx10, x10, xzr // At this point acc2 has the value of 4 at most\n\tmov\tx11, v22.d[0]\n\tmov\tx12, v22.d[1]\n\tadds\tx8, x8, x11\n\tadcs\tx9, x9, x12\n\tadc\tx10, x10, x15\n\tmul\tx11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0\n\tumulh\tx12, x8, x16\n\tmul\tx13, x9, x16\n\tumulh\tx14, x9, x16\n\tadds\tx12, x12, x13\n\tmul\tx13, x10, x16\n\tadc\tx13, x13, x14\n\tmul\tx14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0]\n\tumulh\tx8, x8, x17\n\tadds\tx12, x12, x14\n\tmul\tx14, x9, x17\n\tumulh\tx9, x9, x17\n\tadcs\tx14, x14, x8\n\tmul\tx10, x10, x17\n\tadc\tx10, x10, x9\n\tadds\tx13, x13, x14\n\tadc\tx14, x10, xzr\n\tand\tx10, x13, #3 // At this point acc2 is 2 bits at most (value of 3)\n\tand\tx8, x13, #-4\n\textr\tx13, x14, x13, #2\n\tadds\tx8, x8, x11\n\tlsr\tx11, x14, #2\n\tadc\tx9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits\n\tadds\tx8, x8, x13\n\tadcs\tx9, x9, x12\n\tadc\tx10, x10, xzr // At this point acc2 has the value of 4 at most\n\tmov\tx11, v23.d[0]\n\tmov\tx12, v23.d[1]\n\tadds\tx8, x8, x11\n\tadcs\tx9, x9, x12\n\tadc\tx10, x10, x15\n\tmul\tx11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0\n\tumulh\tx12, x8, x16\n\tmul\tx13, x9, x16\n\tumulh\tx14, x9, x16\n\tadds\tx12, x12, x13\n\tmul\tx13, x10, x16\n\tadc\tx13, x13, x14\n\tmul\tx14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0]\n\tumulh\tx8, x8, x17\n\tadds\tx12, x12, x14\n\tmul\tx14, x9, x17\n\tumulh\tx9, x9, x17\n\tadcs\tx14, x14, x8\n\tmul\tx10, x10, x17\n\tadc\tx10, x10, x9\n\tadds\tx13, x13, x14\n\tadc\tx14, x10, xzr\n\tand\tx10, x13, #3 // At this point acc2 is 2 bits at most (value of 3)\n\tand\tx8, x13, #-4\n\textr\tx13, x14, x13, #2\n\tadds\tx8, x8, x11\n\tlsr\tx11, x14, #2\n\tadc\tx9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits\n\tadds\tx8, x8, x13\n\tadcs\tx9, x9, x12\n\tadc\tx10, x10, xzr // At this point acc2 has the value of 4 at most\n\tst1\t{v20.16b - v23.16b}, [x0], #64\n\tsub\tx2, x2, #64\n\n // Shift the state left by 64 bytes for the next iteration of the loop\n\tmov\tv0.16b, v1.16b\n\tmov\tv5.16b, v6.16b\n\tmov\tv10.16b, v11.16b\n\tmov\tv15.16b, v16.16b\n\n\tmov\tv1.16b, v2.16b\n\tmov\tv6.16b, v7.16b\n\tmov\tv11.16b, v12.16b\n\tmov\tv16.16b, v17.16b\n\n\tmov\tv2.16b, v3.16b\n\tmov\tv7.16b, v8.16b\n\tmov\tv12.16b, v13.16b\n\tmov\tv17.16b, v18.16b\n\n\tmov\tv3.16b, v4.16b\n\tmov\tv8.16b, v9.16b\n\tmov\tv13.16b, v14.16b\n\tmov\tv18.16b, v19.16b\n\n\tb\tLseal_tail\n\nLseal_tail_64:\n\tldp\tx3, x4, [x5, #48] // extra_in_len and extra_in_ptr\n\n // Here we handle the last [0,64) bytes of plaintext\n\tcmp\tx2, #16\n\tb.lt\tLseal_tail_16\n // Each iteration encrypt and authenticate a 16B block\n\tld1\t{v20.16b}, [x1], #16\n\teor\tv20.16b, v20.16b, v0.16b\n\tmov\tx11, v20.d[0]\n\tmov\tx12, v20.d[1]\n\tadds\tx8, x8, x11\n\tadcs\tx9, x9, x12\n\tadc\tx10, x10, x15\n\tmul\tx11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0\n\tumulh\tx12, x8, x16\n\tmul\tx13, x9, x16\n\tumulh\tx14, x9, x16\n\tadds\tx12, x12, x13\n\tmul\tx13, x10, x16\n\tadc\tx13, x13, x14\n\tmul\tx14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0]\n\tumulh\tx8, x8, x17\n\tadds\tx12, x12, x14\n\tmul\tx14, x9, x17\n\tumulh\tx9, x9, x17\n\tadcs\tx14, x14, x8\n\tmul\tx10, x10, x17\n\tadc\tx10, x10, x9\n\tadds\tx13, x13, x14\n\tadc\tx14, x10, xzr\n\tand\tx10, x13, #3 // At this point acc2 is 2 bits at most (value of 3)\n\tand\tx8, x13, #-4\n\textr\tx13, x14, x13, #2\n\tadds\tx8, x8, x11\n\tlsr\tx11, x14, #2\n\tadc\tx9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits\n\tadds\tx8, x8, x13\n\tadcs\tx9, x9, x12\n\tadc\tx10, x10, xzr // At this point acc2 has the value of 4 at most\n\tst1\t{v20.16b}, [x0], #16\n\n\tsub\tx2, x2, #16\n\n // Shift the state left by 16 bytes for the next iteration of the loop\n\tmov\tv0.16b, v5.16b\n\tmov\tv5.16b, v10.16b\n\tmov\tv10.16b, v15.16b\n\n\tb\tLseal_tail_64\n\nLseal_tail_16:\n // Here we handle the last [0,16) bytes of ciphertext that require a padded block\n\tcbz\tx2, Lseal_hash_extra\n\n\teor\tv20.16b, v20.16b, v20.16b // Use T0 to load the plaintext/extra in\n\teor\tv21.16b, v21.16b, v21.16b // Use T1 to generate an AND mask that will only mask the ciphertext bytes\n\tnot\tv22.16b, v20.16b\n\n\tmov\tx6, x2\n\tadd\tx1, x1, x2\n\n\tcbz\tx4, Lseal_tail_16_compose // No extra data to pad with, zero padding\n\n\tmov\tx7, #16 // We need to load some extra_in first for padding\n\tsub\tx7, x7, x2\n\tcmp\tx4, x7\n\tcsel\tx7, x4, x7, lt // Load the minimum of extra_in_len and the amount needed to fill the register\n\tmov\tx12, x7\n\tadd\tx3, x3, x7\n\tsub\tx4, x4, x7\n\nLseal_tail16_compose_extra_in:\n\text\tv20.16b, v20.16b, v20.16b, #15\n\tldrb\tw11, [x3, #-1]!\n\tmov\tv20.b[0], w11\n\tsubs\tx7, x7, #1\n\tb.gt\tLseal_tail16_compose_extra_in\n\n\tadd\tx3, x3, x12\n\nLseal_tail_16_compose:\n\text\tv20.16b, v20.16b, v20.16b, #15\n\tldrb\tw11, [x1, #-1]!\n\tmov\tv20.b[0], w11\n\text\tv21.16b, v22.16b, v21.16b, #15\n\tsubs\tx2, x2, #1\n\tb.gt\tLseal_tail_16_compose\n\n\tand\tv0.16b, v0.16b, v21.16b\n\teor\tv20.16b, v20.16b, v0.16b\n\tmov\tv21.16b, v20.16b\n\nLseal_tail_16_store:\n\tumov\tw11, v20.b[0]\n\tstrb\tw11, [x0], #1\n\text\tv20.16b, v20.16b, v20.16b, #1\n\tsubs\tx6, x6, #1\n\tb.gt\tLseal_tail_16_store\n\n // Hash in the final ct block concatenated with extra_in\n\tmov\tx11, v21.d[0]\n\tmov\tx12, v21.d[1]\n\tadds\tx8, x8, x11\n\tadcs\tx9, x9, x12\n\tadc\tx10, x10, x15\n\tmul\tx11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0\n\tumulh\tx12, x8, x16\n\tmul\tx13, x9, x16\n\tumulh\tx14, x9, x16\n\tadds\tx12, x12, x13\n\tmul\tx13, x10, x16\n\tadc\tx13, x13, x14\n\tmul\tx14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0]\n\tumulh\tx8, x8, x17\n\tadds\tx12, x12, x14\n\tmul\tx14, x9, x17\n\tumulh\tx9, x9, x17\n\tadcs\tx14, x14, x8\n\tmul\tx10, x10, x17\n\tadc\tx10, x10, x9\n\tadds\tx13, x13, x14\n\tadc\tx14, x10, xzr\n\tand\tx10, x13, #3 // At this point acc2 is 2 bits at most (value of 3)\n\tand\tx8, x13, #-4\n\textr\tx13, x14, x13, #2\n\tadds\tx8, x8, x11\n\tlsr\tx11, x14, #2\n\tadc\tx9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits\n\tadds\tx8, x8, x13\n\tadcs\tx9, x9, x12\n\tadc\tx10, x10, xzr // At this point acc2 has the value of 4 at most\n\nLseal_hash_extra:\n\tcbz\tx4, Lseal_finalize\n\nLseal_hash_extra_loop:\n\tcmp\tx4, #16\n\tb.lt\tLseal_hash_extra_tail\n\tld1\t{v20.16b}, [x3], #16\n\tmov\tx11, v20.d[0]\n\tmov\tx12, v20.d[1]\n\tadds\tx8, x8, x11\n\tadcs\tx9, x9, x12\n\tadc\tx10, x10, x15\n\tmul\tx11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0\n\tumulh\tx12, x8, x16\n\tmul\tx13, x9, x16\n\tumulh\tx14, x9, x16\n\tadds\tx12, x12, x13\n\tmul\tx13, x10, x16\n\tadc\tx13, x13, x14\n\tmul\tx14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0]\n\tumulh\tx8, x8, x17\n\tadds\tx12, x12, x14\n\tmul\tx14, x9, x17\n\tumulh\tx9, x9, x17\n\tadcs\tx14, x14, x8\n\tmul\tx10, x10, x17\n\tadc\tx10, x10, x9\n\tadds\tx13, x13, x14\n\tadc\tx14, x10, xzr\n\tand\tx10, x13, #3 // At this point acc2 is 2 bits at most (value of 3)\n\tand\tx8, x13, #-4\n\textr\tx13, x14, x13, #2\n\tadds\tx8, x8, x11\n\tlsr\tx11, x14, #2\n\tadc\tx9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits\n\tadds\tx8, x8, x13\n\tadcs\tx9, x9, x12\n\tadc\tx10, x10, xzr // At this point acc2 has the value of 4 at most\n\tsub\tx4, x4, #16\n\tb\tLseal_hash_extra_loop\n\nLseal_hash_extra_tail:\n\tcbz\tx4, Lseal_finalize\n\teor\tv20.16b, v20.16b, v20.16b // Use T0 to load the remaining extra ciphertext\n\tadd\tx3, x3, x4\n\nLseal_hash_extra_load:\n\text\tv20.16b, v20.16b, v20.16b, #15\n\tldrb\tw11, [x3, #-1]!\n\tmov\tv20.b[0], w11\n\tsubs\tx4, x4, #1\n\tb.gt\tLseal_hash_extra_load\n\n // Hash in the final padded extra_in blcok\n\tmov\tx11, v20.d[0]\n\tmov\tx12, v20.d[1]\n\tadds\tx8, x8, x11\n\tadcs\tx9, x9, x12\n\tadc\tx10, x10, x15\n\tmul\tx11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0\n\tumulh\tx12, x8, x16\n\tmul\tx13, x9, x16\n\tumulh\tx14, x9, x16\n\tadds\tx12, x12, x13\n\tmul\tx13, x10, x16\n\tadc\tx13, x13, x14\n\tmul\tx14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0]\n\tumulh\tx8, x8, x17\n\tadds\tx12, x12, x14\n\tmul\tx14, x9, x17\n\tumulh\tx9, x9, x17\n\tadcs\tx14, x14, x8\n\tmul\tx10, x10, x17\n\tadc\tx10, x10, x9\n\tadds\tx13, x13, x14\n\tadc\tx14, x10, xzr\n\tand\tx10, x13, #3 // At this point acc2 is 2 bits at most (value of 3)\n\tand\tx8, x13, #-4\n\textr\tx13, x14, x13, #2\n\tadds\tx8, x8, x11\n\tlsr\tx11, x14, #2\n\tadc\tx9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits\n\tadds\tx8, x8, x13\n\tadcs\tx9, x9, x12\n\tadc\tx10, x10, xzr // At this point acc2 has the value of 4 at most\n\nLseal_finalize:\n\tmov\tx11, v31.d[0]\n\tmov\tx12, v31.d[1]\n\tadds\tx8, x8, x11\n\tadcs\tx9, x9, x12\n\tadc\tx10, x10, x15\n\tmul\tx11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0\n\tumulh\tx12, x8, x16\n\tmul\tx13, x9, x16\n\tumulh\tx14, x9, x16\n\tadds\tx12, x12, x13\n\tmul\tx13, x10, x16\n\tadc\tx13, x13, x14\n\tmul\tx14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0]\n\tumulh\tx8, x8, x17\n\tadds\tx12, x12, x14\n\tmul\tx14, x9, x17\n\tumulh\tx9, x9, x17\n\tadcs\tx14, x14, x8\n\tmul\tx10, x10, x17\n\tadc\tx10, x10, x9\n\tadds\tx13, x13, x14\n\tadc\tx14, x10, xzr\n\tand\tx10, x13, #3 // At this point acc2 is 2 bits at most (value of 3)\n\tand\tx8, x13, #-4\n\textr\tx13, x14, x13, #2\n\tadds\tx8, x8, x11\n\tlsr\tx11, x14, #2\n\tadc\tx9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits\n\tadds\tx8, x8, x13\n\tadcs\tx9, x9, x12\n\tadc\tx10, x10, xzr // At this point acc2 has the value of 4 at most\n // Final reduction step\n\tsub\tx12, xzr, x15\n\torr\tx13, xzr, #3\n\tsubs\tx11, x8, #-5\n\tsbcs\tx12, x9, x12\n\tsbcs\tx13, x10, x13\n\tcsel\tx8, x11, x8, cs\n\tcsel\tx9, x12, x9, cs\n\tcsel\tx10, x13, x10, cs\n\tmov\tx11, v27.d[0]\n\tmov\tx12, v27.d[1]\n\tadds\tx8, x8, x11\n\tadcs\tx9, x9, x12\n\tadc\tx10, x10, x15\n\n\tstp\tx8, x9, [x5]\n\n\tldp\td8, d9, [sp, #16]\n\tldp\td10, d11, [sp, #32]\n\tldp\td12, d13, [sp, #48]\n\tldp\td14, d15, [sp, #64]\n.cfi_restore\tb15\n.cfi_restore\tb14\n.cfi_restore\tb13\n.cfi_restore\tb12\n.cfi_restore\tb11\n.cfi_restore\tb10\n.cfi_restore\tb9\n.cfi_restore\tb8\n\tldp\tx29, x30, [sp], 80\n.cfi_restore\tw29\n.cfi_restore\tw30\n.cfi_def_cfa_offset\t0\n\tAARCH64_VALIDATE_LINK_REGISTER\n\tret\n\nLseal_128:\n // On some architectures preparing 5 blocks for small buffers is wasteful\n\teor\tv25.16b, v25.16b, v25.16b\n\tmov\tx11, #1\n\tmov\tv25.s[0], w11\n\tmov\tv0.16b, v24.16b\n\tmov\tv1.16b, v24.16b\n\tmov\tv2.16b, v24.16b\n\tmov\tv5.16b, v28.16b\n\tmov\tv6.16b, v28.16b\n\tmov\tv7.16b, v28.16b\n\tmov\tv10.16b, v29.16b\n\tmov\tv11.16b, v29.16b\n\tmov\tv12.16b, v29.16b\n\tmov\tv17.16b, v30.16b\n\tadd\tv15.4s, v17.4s, v25.4s\n\tadd\tv16.4s, v15.4s, v25.4s\n\n\tmov\tx6, #10\n\nLseal_128_rounds:\n\tadd\tv0.4s, v0.4s, v5.4s\n\tadd\tv1.4s, v1.4s, v6.4s\n\tadd\tv2.4s, v2.4s, v7.4s\n\teor\tv15.16b, v15.16b, v0.16b\n\teor\tv16.16b, v16.16b, v1.16b\n\teor\tv17.16b, v17.16b, v2.16b\n\trev32\tv15.8h, v15.8h\n\trev32\tv16.8h, v16.8h\n\trev32\tv17.8h, v17.8h\n\n\tadd\tv10.4s, v10.4s, v15.4s\n\tadd\tv11.4s, v11.4s, v16.4s\n\tadd\tv12.4s, v12.4s, v17.4s\n\teor\tv5.16b, v5.16b, v10.16b\n\teor\tv6.16b, v6.16b, v11.16b\n\teor\tv7.16b, v7.16b, v12.16b\n\tushr\tv20.4s, v5.4s, #20\n\tsli\tv20.4s, v5.4s, #12\n\tushr\tv5.4s, v6.4s, #20\n\tsli\tv5.4s, v6.4s, #12\n\tushr\tv6.4s, v7.4s, #20\n\tsli\tv6.4s, v7.4s, #12\n\n\tadd\tv0.4s, v0.4s, v20.4s\n\tadd\tv1.4s, v1.4s, v5.4s\n\tadd\tv2.4s, v2.4s, v6.4s\n\teor\tv15.16b, v15.16b, v0.16b\n\teor\tv16.16b, v16.16b, v1.16b\n\teor\tv17.16b, v17.16b, v2.16b\n\ttbl\tv15.16b, {v15.16b}, v26.16b\n\ttbl\tv16.16b, {v16.16b}, v26.16b\n\ttbl\tv17.16b, {v17.16b}, v26.16b\n\n\tadd\tv10.4s, v10.4s, v15.4s\n\tadd\tv11.4s, v11.4s, v16.4s\n\tadd\tv12.4s, v12.4s, v17.4s\n\teor\tv20.16b, v20.16b, v10.16b\n\teor\tv5.16b, v5.16b, v11.16b\n\teor\tv6.16b, v6.16b, v12.16b\n\tushr\tv7.4s, v6.4s, #25\n\tsli\tv7.4s, v6.4s, #7\n\tushr\tv6.4s, v5.4s, #25\n\tsli\tv6.4s, v5.4s, #7\n\tushr\tv5.4s, v20.4s, #25\n\tsli\tv5.4s, v20.4s, #7\n\n\text\tv5.16b, v5.16b, v5.16b, #4\n\text\tv6.16b, v6.16b, v6.16b, #4\n\text\tv7.16b, v7.16b, v7.16b, #4\n\n\text\tv10.16b, v10.16b, v10.16b, #8\n\text\tv11.16b, v11.16b, v11.16b, #8\n\text\tv12.16b, v12.16b, v12.16b, #8\n\n\text\tv15.16b, v15.16b, v15.16b, #12\n\text\tv16.16b, v16.16b, v16.16b, #12\n\text\tv17.16b, v17.16b, v17.16b, #12\n\tadd\tv0.4s, v0.4s, v5.4s\n\tadd\tv1.4s, v1.4s, v6.4s\n\tadd\tv2.4s, v2.4s, v7.4s\n\teor\tv15.16b, v15.16b, v0.16b\n\teor\tv16.16b, v16.16b, v1.16b\n\teor\tv17.16b, v17.16b, v2.16b\n\trev32\tv15.8h, v15.8h\n\trev32\tv16.8h, v16.8h\n\trev32\tv17.8h, v17.8h\n\n\tadd\tv10.4s, v10.4s, v15.4s\n\tadd\tv11.4s, v11.4s, v16.4s\n\tadd\tv12.4s, v12.4s, v17.4s\n\teor\tv5.16b, v5.16b, v10.16b\n\teor\tv6.16b, v6.16b, v11.16b\n\teor\tv7.16b, v7.16b, v12.16b\n\tushr\tv20.4s, v5.4s, #20\n\tsli\tv20.4s, v5.4s, #12\n\tushr\tv5.4s, v6.4s, #20\n\tsli\tv5.4s, v6.4s, #12\n\tushr\tv6.4s, v7.4s, #20\n\tsli\tv6.4s, v7.4s, #12\n\n\tadd\tv0.4s, v0.4s, v20.4s\n\tadd\tv1.4s, v1.4s, v5.4s\n\tadd\tv2.4s, v2.4s, v6.4s\n\teor\tv15.16b, v15.16b, v0.16b\n\teor\tv16.16b, v16.16b, v1.16b\n\teor\tv17.16b, v17.16b, v2.16b\n\ttbl\tv15.16b, {v15.16b}, v26.16b\n\ttbl\tv16.16b, {v16.16b}, v26.16b\n\ttbl\tv17.16b, {v17.16b}, v26.16b\n\n\tadd\tv10.4s, v10.4s, v15.4s\n\tadd\tv11.4s, v11.4s, v16.4s\n\tadd\tv12.4s, v12.4s, v17.4s\n\teor\tv20.16b, v20.16b, v10.16b\n\teor\tv5.16b, v5.16b, v11.16b\n\teor\tv6.16b, v6.16b, v12.16b\n\tushr\tv7.4s, v6.4s, #25\n\tsli\tv7.4s, v6.4s, #7\n\tushr\tv6.4s, v5.4s, #25\n\tsli\tv6.4s, v5.4s, #7\n\tushr\tv5.4s, v20.4s, #25\n\tsli\tv5.4s, v20.4s, #7\n\n\text\tv5.16b, v5.16b, v5.16b, #12\n\text\tv6.16b, v6.16b, v6.16b, #12\n\text\tv7.16b, v7.16b, v7.16b, #12\n\n\text\tv10.16b, v10.16b, v10.16b, #8\n\text\tv11.16b, v11.16b, v11.16b, #8\n\text\tv12.16b, v12.16b, v12.16b, #8\n\n\text\tv15.16b, v15.16b, v15.16b, #4\n\text\tv16.16b, v16.16b, v16.16b, #4\n\text\tv17.16b, v17.16b, v17.16b, #4\n\tsubs\tx6, x6, #1\n\tb.hi\tLseal_128_rounds\n\n\tadd\tv0.4s, v0.4s, v24.4s\n\tadd\tv1.4s, v1.4s, v24.4s\n\tadd\tv2.4s, v2.4s, v24.4s\n\n\tadd\tv5.4s, v5.4s, v28.4s\n\tadd\tv6.4s, v6.4s, v28.4s\n\tadd\tv7.4s, v7.4s, v28.4s\n\n // Only the first 32 bytes of the third block (counter = 0) are needed,\n // so skip updating v12 and v17.\n\tadd\tv10.4s, v10.4s, v29.4s\n\tadd\tv11.4s, v11.4s, v29.4s\n\n\tadd\tv30.4s, v30.4s, v25.4s\n\tadd\tv15.4s, v15.4s, v30.4s\n\tadd\tv30.4s, v30.4s, v25.4s\n\tadd\tv16.4s, v16.4s, v30.4s\n\n\tand\tv2.16b, v2.16b, v27.16b\n\tmov\tx16, v2.d[0] // Move the R key to GPRs\n\tmov\tx17, v2.d[1]\n\tmov\tv27.16b, v7.16b // Store the S key\n\n\tbl\tLpoly_hash_ad_internal\n\tb\tLseal_tail\n.cfi_endproc\n\n\n/////////////////////////////////\n//\n// void chacha20_poly1305_open(uint8_t *pt, uint8_t *ct, size_t len_in, uint8_t *ad, size_t len_ad, union open_data *aead_data);\n//\n.globl\t_chacha20_poly1305_open\n.private_extern\t_chacha20_poly1305_open\n\n.align\t6\n_chacha20_poly1305_open:\n\tAARCH64_SIGN_LINK_REGISTER\n.cfi_startproc\n\tstp\tx29, x30, [sp, #-80]!\n.cfi_def_cfa_offset\t80\n.cfi_offset\tw30, -72\n.cfi_offset\tw29, -80\n\tmov\tx29, sp\n // We probably could do .cfi_def_cfa w29, 80 at this point, but since\n // we don't actually use the frame pointer like that, it's probably not\n // worth bothering.\n\tstp\td8, d9, [sp, #16]\n\tstp\td10, d11, [sp, #32]\n\tstp\td12, d13, [sp, #48]\n\tstp\td14, d15, [sp, #64]\n.cfi_offset\tb15, -8\n.cfi_offset\tb14, -16\n.cfi_offset\tb13, -24\n.cfi_offset\tb12, -32\n.cfi_offset\tb11, -40\n.cfi_offset\tb10, -48\n.cfi_offset\tb9, -56\n.cfi_offset\tb8, -64\n\n\tadrp\tx11, Lchacha20_consts@PAGE\n\tadd\tx11, x11, Lchacha20_consts@PAGEOFF\n\n\tld1\t{v24.16b - v27.16b}, [x11] // Load the CONSTS, INC, ROL8 and CLAMP values\n\tld1\t{v28.16b - v30.16b}, [x5]\n\n\tmov\tx15, #1 // Prepare the Poly1305 state\n\tmov\tx8, #0\n\tmov\tx9, #0\n\tmov\tx10, #0\n\n\tmov\tv31.d[0], x4 // Store the input and aad lengths\n\tmov\tv31.d[1], x2\n\n\tcmp\tx2, #128\n\tb.le\tLopen_128 // Optimization for smaller buffers\n\n // Initially we prepare a single ChaCha20 block for the Poly1305 R and S keys\n\tmov\tv0.16b, v24.16b\n\tmov\tv5.16b, v28.16b\n\tmov\tv10.16b, v29.16b\n\tmov\tv15.16b, v30.16b\n\n\tmov\tx6, #10\n\n.align\t5\nLopen_init_rounds:\n\tadd\tv0.4s, v0.4s, v5.4s\n\teor\tv15.16b, v15.16b, v0.16b\n\trev32\tv15.8h, v15.8h\n\n\tadd\tv10.4s, v10.4s, v15.4s\n\teor\tv5.16b, v5.16b, v10.16b\n\tushr\tv20.4s, v5.4s, #20\n\tsli\tv20.4s, v5.4s, #12\n\tadd\tv0.4s, v0.4s, v20.4s\n\teor\tv15.16b, v15.16b, v0.16b\n\ttbl\tv15.16b, {v15.16b}, v26.16b\n\n\tadd\tv10.4s, v10.4s, v15.4s\n\teor\tv20.16b, v20.16b, v10.16b\n\tushr\tv5.4s, v20.4s, #25\n\tsli\tv5.4s, v20.4s, #7\n\text\tv5.16b, v5.16b, v5.16b, #4\n\text\tv10.16b, v10.16b, v10.16b, #8\n\text\tv15.16b, v15.16b, v15.16b, #12\n\tadd\tv0.4s, v0.4s, v5.4s\n\teor\tv15.16b, v15.16b, v0.16b\n\trev32\tv15.8h, v15.8h\n\n\tadd\tv10.4s, v10.4s, v15.4s\n\teor\tv5.16b, v5.16b, v10.16b\n\tushr\tv20.4s, v5.4s, #20\n\tsli\tv20.4s, v5.4s, #12\n\tadd\tv0.4s, v0.4s, v20.4s\n\teor\tv15.16b, v15.16b, v0.16b\n\ttbl\tv15.16b, {v15.16b}, v26.16b\n\n\tadd\tv10.4s, v10.4s, v15.4s\n\teor\tv20.16b, v20.16b, v10.16b\n\tushr\tv5.4s, v20.4s, #25\n\tsli\tv5.4s, v20.4s, #7\n\text\tv5.16b, v5.16b, v5.16b, #12\n\text\tv10.16b, v10.16b, v10.16b, #8\n\text\tv15.16b, v15.16b, v15.16b, #4\n\tsubs\tx6, x6, #1\n\tb.hi\tLopen_init_rounds\n\n\tadd\tv0.4s, v0.4s, v24.4s\n\tadd\tv5.4s, v5.4s, v28.4s\n\n\tand\tv0.16b, v0.16b, v27.16b\n\tmov\tx16, v0.d[0] // Move the R key to GPRs\n\tmov\tx17, v0.d[1]\n\tmov\tv27.16b, v5.16b // Store the S key\n\n\tbl\tLpoly_hash_ad_internal\n\nLopen_ad_done:\n\tmov\tx3, x1\n\n// Each iteration of the loop hash 320 bytes, and prepare stream for 320 bytes\nLopen_main_loop:\n\n\tcmp\tx2, #192\n\tb.lt\tLopen_tail\n\n\tadrp\tx11, Lchacha20_consts@PAGE\n\tadd\tx11, x11, Lchacha20_consts@PAGEOFF\n\n\tld4r\t{v0.4s,v1.4s,v2.4s,v3.4s}, [x11]\n\tmov\tv4.16b, v24.16b\n\n\tld4r\t{v5.4s,v6.4s,v7.4s,v8.4s}, [x5], #16\n\tmov\tv9.16b, v28.16b\n\n\tld4r\t{v10.4s,v11.4s,v12.4s,v13.4s}, [x5], #16\n\tmov\tv14.16b, v29.16b\n\n\tld4r\t{v15.4s,v16.4s,v17.4s,v18.4s}, [x5]\n\tsub\tx5, x5, #32\n\tadd\tv15.4s, v15.4s, v25.4s\n\tmov\tv19.16b, v30.16b\n\n\teor\tv20.16b, v20.16b, v20.16b //zero\n\tnot\tv21.16b, v20.16b // -1\n\tsub\tv21.4s, v25.4s, v21.4s // Add +1\n\text\tv20.16b, v21.16b, v20.16b, #12 // Get the last element (counter)\n\tadd\tv19.4s, v19.4s, v20.4s\n\n\tlsr\tx4, x2, #4 // How many whole blocks we have to hash, will always be at least 12\n\tsub\tx4, x4, #10\n\n\tmov\tx7, #10\n\tsubs\tx6, x7, x4\n\tsubs\tx6, x7, x4 // itr1 can be negative if we have more than 320 bytes to hash\n\tcsel\tx7, x7, x4, le // if itr1 is zero or less, itr2 should be 10 to indicate all 10 rounds are full\n\n\tcbz\tx7, Lopen_main_loop_rounds_short\n\n.align\t5\nLopen_main_loop_rounds:\n\tldp\tx11, x12, [x3], 16\n\tadds\tx8, x8, x11\n\tadcs\tx9, x9, x12\n\tadc\tx10, x10, x15\n\tmul\tx11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0\n\tumulh\tx12, x8, x16\n\tmul\tx13, x9, x16\n\tumulh\tx14, x9, x16\n\tadds\tx12, x12, x13\n\tmul\tx13, x10, x16\n\tadc\tx13, x13, x14\n\tmul\tx14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0]\n\tumulh\tx8, x8, x17\n\tadds\tx12, x12, x14\n\tmul\tx14, x9, x17\n\tumulh\tx9, x9, x17\n\tadcs\tx14, x14, x8\n\tmul\tx10, x10, x17\n\tadc\tx10, x10, x9\n\tadds\tx13, x13, x14\n\tadc\tx14, x10, xzr\n\tand\tx10, x13, #3 // At this point acc2 is 2 bits at most (value of 3)\n\tand\tx8, x13, #-4\n\textr\tx13, x14, x13, #2\n\tadds\tx8, x8, x11\n\tlsr\tx11, x14, #2\n\tadc\tx9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits\n\tadds\tx8, x8, x13\n\tadcs\tx9, x9, x12\n\tadc\tx10, x10, xzr // At this point acc2 has the value of 4 at most\nLopen_main_loop_rounds_short:\n\tadd\tv0.4s, v0.4s, v5.4s\n\tadd\tv1.4s, v1.4s, v6.4s\n\tadd\tv2.4s, v2.4s, v7.4s\n\tadd\tv3.4s, v3.4s, v8.4s\n\tadd\tv4.4s, v4.4s, v9.4s\n\n\teor\tv15.16b, v15.16b, v0.16b\n\teor\tv16.16b, v16.16b, v1.16b\n\teor\tv17.16b, v17.16b, v2.16b\n\teor\tv18.16b, v18.16b, v3.16b\n\teor\tv19.16b, v19.16b, v4.16b\n\n\trev32\tv15.8h, v15.8h\n\trev32\tv16.8h, v16.8h\n\trev32\tv17.8h, v17.8h\n\trev32\tv18.8h, v18.8h\n\trev32\tv19.8h, v19.8h\n\n\tadd\tv10.4s, v10.4s, v15.4s\n\tadd\tv11.4s, v11.4s, v16.4s\n\tadd\tv12.4s, v12.4s, v17.4s\n\tadd\tv13.4s, v13.4s, v18.4s\n\tadd\tv14.4s, v14.4s, v19.4s\n\n\teor\tv5.16b, v5.16b, v10.16b\n\teor\tv6.16b, v6.16b, v11.16b\n\teor\tv7.16b, v7.16b, v12.16b\n\teor\tv8.16b, v8.16b, v13.16b\n\teor\tv9.16b, v9.16b, v14.16b\n\n\tushr\tv20.4s, v5.4s, #20\n\tsli\tv20.4s, v5.4s, #12\n\tushr\tv5.4s, v6.4s, #20\n\tsli\tv5.4s, v6.4s, #12\n\tushr\tv6.4s, v7.4s, #20\n\tsli\tv6.4s, v7.4s, #12\n\tushr\tv7.4s, v8.4s, #20\n\tsli\tv7.4s, v8.4s, #12\n\tushr\tv8.4s, v9.4s, #20\n\tsli\tv8.4s, v9.4s, #12\n\n\tadd\tv0.4s, v0.4s, v20.4s\n\tadd\tv1.4s, v1.4s, v5.4s\n\tadd\tv2.4s, v2.4s, v6.4s\n\tadd\tv3.4s, v3.4s, v7.4s\n\tadd\tv4.4s, v4.4s, v8.4s\n\n\teor\tv15.16b, v15.16b, v0.16b\n\teor\tv16.16b, v16.16b, v1.16b\n\teor\tv17.16b, v17.16b, v2.16b\n\teor\tv18.16b, v18.16b, v3.16b\n\teor\tv19.16b, v19.16b, v4.16b\n\n\ttbl\tv15.16b, {v15.16b}, v26.16b\n\ttbl\tv16.16b, {v16.16b}, v26.16b\n\ttbl\tv17.16b, {v17.16b}, v26.16b\n\ttbl\tv18.16b, {v18.16b}, v26.16b\n\ttbl\tv19.16b, {v19.16b}, v26.16b\n\n\tadd\tv10.4s, v10.4s, v15.4s\n\tadd\tv11.4s, v11.4s, v16.4s\n\tadd\tv12.4s, v12.4s, v17.4s\n\tadd\tv13.4s, v13.4s, v18.4s\n\tadd\tv14.4s, v14.4s, v19.4s\n\n\teor\tv20.16b, v20.16b, v10.16b\n\teor\tv5.16b, v5.16b, v11.16b\n\teor\tv6.16b, v6.16b, v12.16b\n\teor\tv7.16b, v7.16b, v13.16b\n\teor\tv8.16b, v8.16b, v14.16b\n\n\tushr\tv9.4s, v8.4s, #25\n\tsli\tv9.4s, v8.4s, #7\n\tushr\tv8.4s, v7.4s, #25\n\tsli\tv8.4s, v7.4s, #7\n\tushr\tv7.4s, v6.4s, #25\n\tsli\tv7.4s, v6.4s, #7\n\tushr\tv6.4s, v5.4s, #25\n\tsli\tv6.4s, v5.4s, #7\n\tushr\tv5.4s, v20.4s, #25\n\tsli\tv5.4s, v20.4s, #7\n\n\text\tv9.16b, v9.16b, v9.16b, #4\n\text\tv14.16b, v14.16b, v14.16b, #8\n\text\tv19.16b, v19.16b, v19.16b, #12\n\tldp\tx11, x12, [x3], 16\n\tadds\tx8, x8, x11\n\tadcs\tx9, x9, x12\n\tadc\tx10, x10, x15\n\tmul\tx11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0\n\tumulh\tx12, x8, x16\n\tmul\tx13, x9, x16\n\tumulh\tx14, x9, x16\n\tadds\tx12, x12, x13\n\tmul\tx13, x10, x16\n\tadc\tx13, x13, x14\n\tmul\tx14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0]\n\tumulh\tx8, x8, x17\n\tadds\tx12, x12, x14\n\tmul\tx14, x9, x17\n\tumulh\tx9, x9, x17\n\tadcs\tx14, x14, x8\n\tmul\tx10, x10, x17\n\tadc\tx10, x10, x9\n\tadds\tx13, x13, x14\n\tadc\tx14, x10, xzr\n\tand\tx10, x13, #3 // At this point acc2 is 2 bits at most (value of 3)\n\tand\tx8, x13, #-4\n\textr\tx13, x14, x13, #2\n\tadds\tx8, x8, x11\n\tlsr\tx11, x14, #2\n\tadc\tx9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits\n\tadds\tx8, x8, x13\n\tadcs\tx9, x9, x12\n\tadc\tx10, x10, xzr // At this point acc2 has the value of 4 at most\n\tadd\tv0.4s, v0.4s, v6.4s\n\tadd\tv1.4s, v1.4s, v7.4s\n\tadd\tv2.4s, v2.4s, v8.4s\n\tadd\tv3.4s, v3.4s, v5.4s\n\tadd\tv4.4s, v4.4s, v9.4s\n\n\teor\tv18.16b, v18.16b, v0.16b\n\teor\tv15.16b, v15.16b, v1.16b\n\teor\tv16.16b, v16.16b, v2.16b\n\teor\tv17.16b, v17.16b, v3.16b\n\teor\tv19.16b, v19.16b, v4.16b\n\n\trev32\tv18.8h, v18.8h\n\trev32\tv15.8h, v15.8h\n\trev32\tv16.8h, v16.8h\n\trev32\tv17.8h, v17.8h\n\trev32\tv19.8h, v19.8h\n\n\tadd\tv12.4s, v12.4s, v18.4s\n\tadd\tv13.4s, v13.4s, v15.4s\n\tadd\tv10.4s, v10.4s, v16.4s\n\tadd\tv11.4s, v11.4s, v17.4s\n\tadd\tv14.4s, v14.4s, v19.4s\n\n\teor\tv6.16b, v6.16b, v12.16b\n\teor\tv7.16b, v7.16b, v13.16b\n\teor\tv8.16b, v8.16b, v10.16b\n\teor\tv5.16b, v5.16b, v11.16b\n\teor\tv9.16b, v9.16b, v14.16b\n\n\tushr\tv20.4s, v6.4s, #20\n\tsli\tv20.4s, v6.4s, #12\n\tushr\tv6.4s, v7.4s, #20\n\tsli\tv6.4s, v7.4s, #12\n\tushr\tv7.4s, v8.4s, #20\n\tsli\tv7.4s, v8.4s, #12\n\tushr\tv8.4s, v5.4s, #20\n\tsli\tv8.4s, v5.4s, #12\n\tushr\tv5.4s, v9.4s, #20\n\tsli\tv5.4s, v9.4s, #12\n\n\tadd\tv0.4s, v0.4s, v20.4s\n\tadd\tv1.4s, v1.4s, v6.4s\n\tadd\tv2.4s, v2.4s, v7.4s\n\tadd\tv3.4s, v3.4s, v8.4s\n\tadd\tv4.4s, v4.4s, v5.4s\n\n\teor\tv18.16b, v18.16b, v0.16b\n\teor\tv15.16b, v15.16b, v1.16b\n\teor\tv16.16b, v16.16b, v2.16b\n\teor\tv17.16b, v17.16b, v3.16b\n\teor\tv19.16b, v19.16b, v4.16b\n\n\ttbl\tv18.16b, {v18.16b}, v26.16b\n\ttbl\tv15.16b, {v15.16b}, v26.16b\n\ttbl\tv16.16b, {v16.16b}, v26.16b\n\ttbl\tv17.16b, {v17.16b}, v26.16b\n\ttbl\tv19.16b, {v19.16b}, v26.16b\n\n\tadd\tv12.4s, v12.4s, v18.4s\n\tadd\tv13.4s, v13.4s, v15.4s\n\tadd\tv10.4s, v10.4s, v16.4s\n\tadd\tv11.4s, v11.4s, v17.4s\n\tadd\tv14.4s, v14.4s, v19.4s\n\n\teor\tv20.16b, v20.16b, v12.16b\n\teor\tv6.16b, v6.16b, v13.16b\n\teor\tv7.16b, v7.16b, v10.16b\n\teor\tv8.16b, v8.16b, v11.16b\n\teor\tv5.16b, v5.16b, v14.16b\n\n\tushr\tv9.4s, v5.4s, #25\n\tsli\tv9.4s, v5.4s, #7\n\tushr\tv5.4s, v8.4s, #25\n\tsli\tv5.4s, v8.4s, #7\n\tushr\tv8.4s, v7.4s, #25\n\tsli\tv8.4s, v7.4s, #7\n\tushr\tv7.4s, v6.4s, #25\n\tsli\tv7.4s, v6.4s, #7\n\tushr\tv6.4s, v20.4s, #25\n\tsli\tv6.4s, v20.4s, #7\n\n\text\tv9.16b, v9.16b, v9.16b, #12\n\text\tv14.16b, v14.16b, v14.16b, #8\n\text\tv19.16b, v19.16b, v19.16b, #4\n\tsubs\tx7, x7, #1\n\tb.gt\tLopen_main_loop_rounds\n\tsubs\tx6, x6, #1\n\tb.ge\tLopen_main_loop_rounds_short\n\n\teor\tv20.16b, v20.16b, v20.16b //zero\n\tnot\tv21.16b, v20.16b // -1\n\tsub\tv21.4s, v25.4s, v21.4s // Add +1\n\text\tv20.16b, v21.16b, v20.16b, #12 // Get the last element (counter)\n\tadd\tv19.4s, v19.4s, v20.4s\n\n\tadd\tv15.4s, v15.4s, v25.4s\n\tmov\tx11, #5\n\tdup\tv20.4s, w11\n\tadd\tv25.4s, v25.4s, v20.4s\n\n\tzip1\tv20.4s, v0.4s, v1.4s\n\tzip2\tv21.4s, v0.4s, v1.4s\n\tzip1\tv22.4s, v2.4s, v3.4s\n\tzip2\tv23.4s, v2.4s, v3.4s\n\n\tzip1\tv0.2d, v20.2d, v22.2d\n\tzip2\tv1.2d, v20.2d, v22.2d\n\tzip1\tv2.2d, v21.2d, v23.2d\n\tzip2\tv3.2d, v21.2d, v23.2d\n\n\tzip1\tv20.4s, v5.4s, v6.4s\n\tzip2\tv21.4s, v5.4s, v6.4s\n\tzip1\tv22.4s, v7.4s, v8.4s\n\tzip2\tv23.4s, v7.4s, v8.4s\n\n\tzip1\tv5.2d, v20.2d, v22.2d\n\tzip2\tv6.2d, v20.2d, v22.2d\n\tzip1\tv7.2d, v21.2d, v23.2d\n\tzip2\tv8.2d, v21.2d, v23.2d\n\n\tzip1\tv20.4s, v10.4s, v11.4s\n\tzip2\tv21.4s, v10.4s, v11.4s\n\tzip1\tv22.4s, v12.4s, v13.4s\n\tzip2\tv23.4s, v12.4s, v13.4s\n\n\tzip1\tv10.2d, v20.2d, v22.2d\n\tzip2\tv11.2d, v20.2d, v22.2d\n\tzip1\tv12.2d, v21.2d, v23.2d\n\tzip2\tv13.2d, v21.2d, v23.2d\n\n\tzip1\tv20.4s, v15.4s, v16.4s\n\tzip2\tv21.4s, v15.4s, v16.4s\n\tzip1\tv22.4s, v17.4s, v18.4s\n\tzip2\tv23.4s, v17.4s, v18.4s\n\n\tzip1\tv15.2d, v20.2d, v22.2d\n\tzip2\tv16.2d, v20.2d, v22.2d\n\tzip1\tv17.2d, v21.2d, v23.2d\n\tzip2\tv18.2d, v21.2d, v23.2d\n\n\tadd\tv0.4s, v0.4s, v24.4s\n\tadd\tv5.4s, v5.4s, v28.4s\n\tadd\tv10.4s, v10.4s, v29.4s\n\tadd\tv15.4s, v15.4s, v30.4s\n\n\tadd\tv1.4s, v1.4s, v24.4s\n\tadd\tv6.4s, v6.4s, v28.4s\n\tadd\tv11.4s, v11.4s, v29.4s\n\tadd\tv16.4s, v16.4s, v30.4s\n\n\tadd\tv2.4s, v2.4s, v24.4s\n\tadd\tv7.4s, v7.4s, v28.4s\n\tadd\tv12.4s, v12.4s, v29.4s\n\tadd\tv17.4s, v17.4s, v30.4s\n\n\tadd\tv3.4s, v3.4s, v24.4s\n\tadd\tv8.4s, v8.4s, v28.4s\n\tadd\tv13.4s, v13.4s, v29.4s\n\tadd\tv18.4s, v18.4s, v30.4s\n\n\tadd\tv4.4s, v4.4s, v24.4s\n\tadd\tv9.4s, v9.4s, v28.4s\n\tadd\tv14.4s, v14.4s, v29.4s\n\tadd\tv19.4s, v19.4s, v30.4s\n\n // We can always safely store 192 bytes\n\tld1\t{v20.16b - v23.16b}, [x1], #64\n\teor\tv20.16b, v20.16b, v0.16b\n\teor\tv21.16b, v21.16b, v5.16b\n\teor\tv22.16b, v22.16b, v10.16b\n\teor\tv23.16b, v23.16b, v15.16b\n\tst1\t{v20.16b - v23.16b}, [x0], #64\n\n\tld1\t{v20.16b - v23.16b}, [x1], #64\n\teor\tv20.16b, v20.16b, v1.16b\n\teor\tv21.16b, v21.16b, v6.16b\n\teor\tv22.16b, v22.16b, v11.16b\n\teor\tv23.16b, v23.16b, v16.16b\n\tst1\t{v20.16b - v23.16b}, [x0], #64\n\n\tld1\t{v20.16b - v23.16b}, [x1], #64\n\teor\tv20.16b, v20.16b, v2.16b\n\teor\tv21.16b, v21.16b, v7.16b\n\teor\tv22.16b, v22.16b, v12.16b\n\teor\tv23.16b, v23.16b, v17.16b\n\tst1\t{v20.16b - v23.16b}, [x0], #64\n\n\tsub\tx2, x2, #192\n\n\tmov\tv0.16b, v3.16b\n\tmov\tv5.16b, v8.16b\n\tmov\tv10.16b, v13.16b\n\tmov\tv15.16b, v18.16b\n\n\tcmp\tx2, #64\n\tb.lt\tLopen_tail_64_store\n\n\tld1\t{v20.16b - v23.16b}, [x1], #64\n\teor\tv20.16b, v20.16b, v3.16b\n\teor\tv21.16b, v21.16b, v8.16b\n\teor\tv22.16b, v22.16b, v13.16b\n\teor\tv23.16b, v23.16b, v18.16b\n\tst1\t{v20.16b - v23.16b}, [x0], #64\n\n\tsub\tx2, x2, #64\n\n\tmov\tv0.16b, v4.16b\n\tmov\tv5.16b, v9.16b\n\tmov\tv10.16b, v14.16b\n\tmov\tv15.16b, v19.16b\n\n\tcmp\tx2, #64\n\tb.lt\tLopen_tail_64_store\n\n\tld1\t{v20.16b - v23.16b}, [x1], #64\n\teor\tv20.16b, v20.16b, v4.16b\n\teor\tv21.16b, v21.16b, v9.16b\n\teor\tv22.16b, v22.16b, v14.16b\n\teor\tv23.16b, v23.16b, v19.16b\n\tst1\t{v20.16b - v23.16b}, [x0], #64\n\n\tsub\tx2, x2, #64\n\tb\tLopen_main_loop\n\nLopen_tail:\n\n\tcbz\tx2, Lopen_finalize\n\n\tlsr\tx4, x2, #4 // How many whole blocks we have to hash\n\n\tcmp\tx2, #64\n\tb.le\tLopen_tail_64\n\tcmp\tx2, #128\n\tb.le\tLopen_tail_128\n\nLopen_tail_192:\n // We need three more blocks\n\tmov\tv0.16b, v24.16b\n\tmov\tv1.16b, v24.16b\n\tmov\tv2.16b, v24.16b\n\tmov\tv5.16b, v28.16b\n\tmov\tv6.16b, v28.16b\n\tmov\tv7.16b, v28.16b\n\tmov\tv10.16b, v29.16b\n\tmov\tv11.16b, v29.16b\n\tmov\tv12.16b, v29.16b\n\tmov\tv15.16b, v30.16b\n\tmov\tv16.16b, v30.16b\n\tmov\tv17.16b, v30.16b\n\teor\tv23.16b, v23.16b, v23.16b\n\teor\tv21.16b, v21.16b, v21.16b\n\tins\tv23.s[0], v25.s[0]\n\tins\tv21.d[0], x15\n\n\tadd\tv22.4s, v23.4s, v21.4s\n\tadd\tv21.4s, v22.4s, v21.4s\n\n\tadd\tv15.4s, v15.4s, v21.4s\n\tadd\tv16.4s, v16.4s, v23.4s\n\tadd\tv17.4s, v17.4s, v22.4s\n\n\tmov\tx7, #10\n\tsubs\tx6, x7, x4 // itr1 can be negative if we have more than 160 bytes to hash\n\tcsel\tx7, x7, x4, le // if itr1 is zero or less, itr2 should be 10 to indicate all 10 rounds are hashing\n\tsub\tx4, x4, x7\n\n\tcbz\tx7, Lopen_tail_192_rounds_no_hash\n\nLopen_tail_192_rounds:\n\tldp\tx11, x12, [x3], 16\n\tadds\tx8, x8, x11\n\tadcs\tx9, x9, x12\n\tadc\tx10, x10, x15\n\tmul\tx11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0\n\tumulh\tx12, x8, x16\n\tmul\tx13, x9, x16\n\tumulh\tx14, x9, x16\n\tadds\tx12, x12, x13\n\tmul\tx13, x10, x16\n\tadc\tx13, x13, x14\n\tmul\tx14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0]\n\tumulh\tx8, x8, x17\n\tadds\tx12, x12, x14\n\tmul\tx14, x9, x17\n\tumulh\tx9, x9, x17\n\tadcs\tx14, x14, x8\n\tmul\tx10, x10, x17\n\tadc\tx10, x10, x9\n\tadds\tx13, x13, x14\n\tadc\tx14, x10, xzr\n\tand\tx10, x13, #3 // At this point acc2 is 2 bits at most (value of 3)\n\tand\tx8, x13, #-4\n\textr\tx13, x14, x13, #2\n\tadds\tx8, x8, x11\n\tlsr\tx11, x14, #2\n\tadc\tx9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits\n\tadds\tx8, x8, x13\n\tadcs\tx9, x9, x12\n\tadc\tx10, x10, xzr // At this point acc2 has the value of 4 at most\nLopen_tail_192_rounds_no_hash:\n\tadd\tv0.4s, v0.4s, v5.4s\n\tadd\tv1.4s, v1.4s, v6.4s\n\tadd\tv2.4s, v2.4s, v7.4s\n\teor\tv15.16b, v15.16b, v0.16b\n\teor\tv16.16b, v16.16b, v1.16b\n\teor\tv17.16b, v17.16b, v2.16b\n\trev32\tv15.8h, v15.8h\n\trev32\tv16.8h, v16.8h\n\trev32\tv17.8h, v17.8h\n\n\tadd\tv10.4s, v10.4s, v15.4s\n\tadd\tv11.4s, v11.4s, v16.4s\n\tadd\tv12.4s, v12.4s, v17.4s\n\teor\tv5.16b, v5.16b, v10.16b\n\teor\tv6.16b, v6.16b, v11.16b\n\teor\tv7.16b, v7.16b, v12.16b\n\tushr\tv20.4s, v5.4s, #20\n\tsli\tv20.4s, v5.4s, #12\n\tushr\tv5.4s, v6.4s, #20\n\tsli\tv5.4s, v6.4s, #12\n\tushr\tv6.4s, v7.4s, #20\n\tsli\tv6.4s, v7.4s, #12\n\n\tadd\tv0.4s, v0.4s, v20.4s\n\tadd\tv1.4s, v1.4s, v5.4s\n\tadd\tv2.4s, v2.4s, v6.4s\n\teor\tv15.16b, v15.16b, v0.16b\n\teor\tv16.16b, v16.16b, v1.16b\n\teor\tv17.16b, v17.16b, v2.16b\n\ttbl\tv15.16b, {v15.16b}, v26.16b\n\ttbl\tv16.16b, {v16.16b}, v26.16b\n\ttbl\tv17.16b, {v17.16b}, v26.16b\n\n\tadd\tv10.4s, v10.4s, v15.4s\n\tadd\tv11.4s, v11.4s, v16.4s\n\tadd\tv12.4s, v12.4s, v17.4s\n\teor\tv20.16b, v20.16b, v10.16b\n\teor\tv5.16b, v5.16b, v11.16b\n\teor\tv6.16b, v6.16b, v12.16b\n\tushr\tv7.4s, v6.4s, #25\n\tsli\tv7.4s, v6.4s, #7\n\tushr\tv6.4s, v5.4s, #25\n\tsli\tv6.4s, v5.4s, #7\n\tushr\tv5.4s, v20.4s, #25\n\tsli\tv5.4s, v20.4s, #7\n\n\text\tv5.16b, v5.16b, v5.16b, #4\n\text\tv6.16b, v6.16b, v6.16b, #4\n\text\tv7.16b, v7.16b, v7.16b, #4\n\n\text\tv10.16b, v10.16b, v10.16b, #8\n\text\tv11.16b, v11.16b, v11.16b, #8\n\text\tv12.16b, v12.16b, v12.16b, #8\n\n\text\tv15.16b, v15.16b, v15.16b, #12\n\text\tv16.16b, v16.16b, v16.16b, #12\n\text\tv17.16b, v17.16b, v17.16b, #12\n\tadd\tv0.4s, v0.4s, v5.4s\n\tadd\tv1.4s, v1.4s, v6.4s\n\tadd\tv2.4s, v2.4s, v7.4s\n\teor\tv15.16b, v15.16b, v0.16b\n\teor\tv16.16b, v16.16b, v1.16b\n\teor\tv17.16b, v17.16b, v2.16b\n\trev32\tv15.8h, v15.8h\n\trev32\tv16.8h, v16.8h\n\trev32\tv17.8h, v17.8h\n\n\tadd\tv10.4s, v10.4s, v15.4s\n\tadd\tv11.4s, v11.4s, v16.4s\n\tadd\tv12.4s, v12.4s, v17.4s\n\teor\tv5.16b, v5.16b, v10.16b\n\teor\tv6.16b, v6.16b, v11.16b\n\teor\tv7.16b, v7.16b, v12.16b\n\tushr\tv20.4s, v5.4s, #20\n\tsli\tv20.4s, v5.4s, #12\n\tushr\tv5.4s, v6.4s, #20\n\tsli\tv5.4s, v6.4s, #12\n\tushr\tv6.4s, v7.4s, #20\n\tsli\tv6.4s, v7.4s, #12\n\n\tadd\tv0.4s, v0.4s, v20.4s\n\tadd\tv1.4s, v1.4s, v5.4s\n\tadd\tv2.4s, v2.4s, v6.4s\n\teor\tv15.16b, v15.16b, v0.16b\n\teor\tv16.16b, v16.16b, v1.16b\n\teor\tv17.16b, v17.16b, v2.16b\n\ttbl\tv15.16b, {v15.16b}, v26.16b\n\ttbl\tv16.16b, {v16.16b}, v26.16b\n\ttbl\tv17.16b, {v17.16b}, v26.16b\n\n\tadd\tv10.4s, v10.4s, v15.4s\n\tadd\tv11.4s, v11.4s, v16.4s\n\tadd\tv12.4s, v12.4s, v17.4s\n\teor\tv20.16b, v20.16b, v10.16b\n\teor\tv5.16b, v5.16b, v11.16b\n\teor\tv6.16b, v6.16b, v12.16b\n\tushr\tv7.4s, v6.4s, #25\n\tsli\tv7.4s, v6.4s, #7\n\tushr\tv6.4s, v5.4s, #25\n\tsli\tv6.4s, v5.4s, #7\n\tushr\tv5.4s, v20.4s, #25\n\tsli\tv5.4s, v20.4s, #7\n\n\text\tv5.16b, v5.16b, v5.16b, #12\n\text\tv6.16b, v6.16b, v6.16b, #12\n\text\tv7.16b, v7.16b, v7.16b, #12\n\n\text\tv10.16b, v10.16b, v10.16b, #8\n\text\tv11.16b, v11.16b, v11.16b, #8\n\text\tv12.16b, v12.16b, v12.16b, #8\n\n\text\tv15.16b, v15.16b, v15.16b, #4\n\text\tv16.16b, v16.16b, v16.16b, #4\n\text\tv17.16b, v17.16b, v17.16b, #4\n\tsubs\tx7, x7, #1\n\tb.gt\tLopen_tail_192_rounds\n\tsubs\tx6, x6, #1\n\tb.ge\tLopen_tail_192_rounds_no_hash\n\n // We hashed 160 bytes at most, may still have 32 bytes left\nLopen_tail_192_hash:\n\tcbz\tx4, Lopen_tail_192_hash_done\n\tldp\tx11, x12, [x3], 16\n\tadds\tx8, x8, x11\n\tadcs\tx9, x9, x12\n\tadc\tx10, x10, x15\n\tmul\tx11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0\n\tumulh\tx12, x8, x16\n\tmul\tx13, x9, x16\n\tumulh\tx14, x9, x16\n\tadds\tx12, x12, x13\n\tmul\tx13, x10, x16\n\tadc\tx13, x13, x14\n\tmul\tx14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0]\n\tumulh\tx8, x8, x17\n\tadds\tx12, x12, x14\n\tmul\tx14, x9, x17\n\tumulh\tx9, x9, x17\n\tadcs\tx14, x14, x8\n\tmul\tx10, x10, x17\n\tadc\tx10, x10, x9\n\tadds\tx13, x13, x14\n\tadc\tx14, x10, xzr\n\tand\tx10, x13, #3 // At this point acc2 is 2 bits at most (value of 3)\n\tand\tx8, x13, #-4\n\textr\tx13, x14, x13, #2\n\tadds\tx8, x8, x11\n\tlsr\tx11, x14, #2\n\tadc\tx9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits\n\tadds\tx8, x8, x13\n\tadcs\tx9, x9, x12\n\tadc\tx10, x10, xzr // At this point acc2 has the value of 4 at most\n\tsub\tx4, x4, #1\n\tb\tLopen_tail_192_hash\n\nLopen_tail_192_hash_done:\n\n\tadd\tv0.4s, v0.4s, v24.4s\n\tadd\tv1.4s, v1.4s, v24.4s\n\tadd\tv2.4s, v2.4s, v24.4s\n\tadd\tv5.4s, v5.4s, v28.4s\n\tadd\tv6.4s, v6.4s, v28.4s\n\tadd\tv7.4s, v7.4s, v28.4s\n\tadd\tv10.4s, v10.4s, v29.4s\n\tadd\tv11.4s, v11.4s, v29.4s\n\tadd\tv12.4s, v12.4s, v29.4s\n\tadd\tv15.4s, v15.4s, v30.4s\n\tadd\tv16.4s, v16.4s, v30.4s\n\tadd\tv17.4s, v17.4s, v30.4s\n\n\tadd\tv15.4s, v15.4s, v21.4s\n\tadd\tv16.4s, v16.4s, v23.4s\n\tadd\tv17.4s, v17.4s, v22.4s\n\n\tld1\t{v20.16b - v23.16b}, [x1], #64\n\n\teor\tv20.16b, v20.16b, v1.16b\n\teor\tv21.16b, v21.16b, v6.16b\n\teor\tv22.16b, v22.16b, v11.16b\n\teor\tv23.16b, v23.16b, v16.16b\n\n\tst1\t{v20.16b - v23.16b}, [x0], #64\n\n\tld1\t{v20.16b - v23.16b}, [x1], #64\n\n\teor\tv20.16b, v20.16b, v2.16b\n\teor\tv21.16b, v21.16b, v7.16b\n\teor\tv22.16b, v22.16b, v12.16b\n\teor\tv23.16b, v23.16b, v17.16b\n\n\tst1\t{v20.16b - v23.16b}, [x0], #64\n\n\tsub\tx2, x2, #128\n\tb\tLopen_tail_64_store\n\nLopen_tail_128:\n // We need two more blocks\n\tmov\tv0.16b, v24.16b\n\tmov\tv1.16b, v24.16b\n\tmov\tv5.16b, v28.16b\n\tmov\tv6.16b, v28.16b\n\tmov\tv10.16b, v29.16b\n\tmov\tv11.16b, v29.16b\n\tmov\tv15.16b, v30.16b\n\tmov\tv16.16b, v30.16b\n\teor\tv23.16b, v23.16b, v23.16b\n\teor\tv22.16b, v22.16b, v22.16b\n\tins\tv23.s[0], v25.s[0]\n\tins\tv22.d[0], x15\n\tadd\tv22.4s, v22.4s, v23.4s\n\n\tadd\tv15.4s, v15.4s, v22.4s\n\tadd\tv16.4s, v16.4s, v23.4s\n\n\tmov\tx6, #10\n\tsub\tx6, x6, x4\n\nLopen_tail_128_rounds:\n\tadd\tv0.4s, v0.4s, v5.4s\n\teor\tv15.16b, v15.16b, v0.16b\n\trev32\tv15.8h, v15.8h\n\n\tadd\tv10.4s, v10.4s, v15.4s\n\teor\tv5.16b, v5.16b, v10.16b\n\tushr\tv20.4s, v5.4s, #20\n\tsli\tv20.4s, v5.4s, #12\n\tadd\tv0.4s, v0.4s, v20.4s\n\teor\tv15.16b, v15.16b, v0.16b\n\ttbl\tv15.16b, {v15.16b}, v26.16b\n\n\tadd\tv10.4s, v10.4s, v15.4s\n\teor\tv20.16b, v20.16b, v10.16b\n\tushr\tv5.4s, v20.4s, #25\n\tsli\tv5.4s, v20.4s, #7\n\text\tv5.16b, v5.16b, v5.16b, #4\n\text\tv10.16b, v10.16b, v10.16b, #8\n\text\tv15.16b, v15.16b, v15.16b, #12\n\tadd\tv1.4s, v1.4s, v6.4s\n\teor\tv16.16b, v16.16b, v1.16b\n\trev32\tv16.8h, v16.8h\n\n\tadd\tv11.4s, v11.4s, v16.4s\n\teor\tv6.16b, v6.16b, v11.16b\n\tushr\tv20.4s, v6.4s, #20\n\tsli\tv20.4s, v6.4s, #12\n\tadd\tv1.4s, v1.4s, v20.4s\n\teor\tv16.16b, v16.16b, v1.16b\n\ttbl\tv16.16b, {v16.16b}, v26.16b\n\n\tadd\tv11.4s, v11.4s, v16.4s\n\teor\tv20.16b, v20.16b, v11.16b\n\tushr\tv6.4s, v20.4s, #25\n\tsli\tv6.4s, v20.4s, #7\n\text\tv6.16b, v6.16b, v6.16b, #4\n\text\tv11.16b, v11.16b, v11.16b, #8\n\text\tv16.16b, v16.16b, v16.16b, #12\n\tadd\tv0.4s, v0.4s, v5.4s\n\teor\tv15.16b, v15.16b, v0.16b\n\trev32\tv15.8h, v15.8h\n\n\tadd\tv10.4s, v10.4s, v15.4s\n\teor\tv5.16b, v5.16b, v10.16b\n\tushr\tv20.4s, v5.4s, #20\n\tsli\tv20.4s, v5.4s, #12\n\tadd\tv0.4s, v0.4s, v20.4s\n\teor\tv15.16b, v15.16b, v0.16b\n\ttbl\tv15.16b, {v15.16b}, v26.16b\n\n\tadd\tv10.4s, v10.4s, v15.4s\n\teor\tv20.16b, v20.16b, v10.16b\n\tushr\tv5.4s, v20.4s, #25\n\tsli\tv5.4s, v20.4s, #7\n\text\tv5.16b, v5.16b, v5.16b, #12\n\text\tv10.16b, v10.16b, v10.16b, #8\n\text\tv15.16b, v15.16b, v15.16b, #4\n\tadd\tv1.4s, v1.4s, v6.4s\n\teor\tv16.16b, v16.16b, v1.16b\n\trev32\tv16.8h, v16.8h\n\n\tadd\tv11.4s, v11.4s, v16.4s\n\teor\tv6.16b, v6.16b, v11.16b\n\tushr\tv20.4s, v6.4s, #20\n\tsli\tv20.4s, v6.4s, #12\n\tadd\tv1.4s, v1.4s, v20.4s\n\teor\tv16.16b, v16.16b, v1.16b\n\ttbl\tv16.16b, {v16.16b}, v26.16b\n\n\tadd\tv11.4s, v11.4s, v16.4s\n\teor\tv20.16b, v20.16b, v11.16b\n\tushr\tv6.4s, v20.4s, #25\n\tsli\tv6.4s, v20.4s, #7\n\text\tv6.16b, v6.16b, v6.16b, #12\n\text\tv11.16b, v11.16b, v11.16b, #8\n\text\tv16.16b, v16.16b, v16.16b, #4\n\tsubs\tx6, x6, #1\n\tb.gt\tLopen_tail_128_rounds\n\tcbz\tx4, Lopen_tail_128_rounds_done\n\tsubs\tx4, x4, #1\n\tldp\tx11, x12, [x3], 16\n\tadds\tx8, x8, x11\n\tadcs\tx9, x9, x12\n\tadc\tx10, x10, x15\n\tmul\tx11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0\n\tumulh\tx12, x8, x16\n\tmul\tx13, x9, x16\n\tumulh\tx14, x9, x16\n\tadds\tx12, x12, x13\n\tmul\tx13, x10, x16\n\tadc\tx13, x13, x14\n\tmul\tx14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0]\n\tumulh\tx8, x8, x17\n\tadds\tx12, x12, x14\n\tmul\tx14, x9, x17\n\tumulh\tx9, x9, x17\n\tadcs\tx14, x14, x8\n\tmul\tx10, x10, x17\n\tadc\tx10, x10, x9\n\tadds\tx13, x13, x14\n\tadc\tx14, x10, xzr\n\tand\tx10, x13, #3 // At this point acc2 is 2 bits at most (value of 3)\n\tand\tx8, x13, #-4\n\textr\tx13, x14, x13, #2\n\tadds\tx8, x8, x11\n\tlsr\tx11, x14, #2\n\tadc\tx9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits\n\tadds\tx8, x8, x13\n\tadcs\tx9, x9, x12\n\tadc\tx10, x10, xzr // At this point acc2 has the value of 4 at most\n\tb\tLopen_tail_128_rounds\n\nLopen_tail_128_rounds_done:\n\tadd\tv0.4s, v0.4s, v24.4s\n\tadd\tv1.4s, v1.4s, v24.4s\n\tadd\tv5.4s, v5.4s, v28.4s\n\tadd\tv6.4s, v6.4s, v28.4s\n\tadd\tv10.4s, v10.4s, v29.4s\n\tadd\tv11.4s, v11.4s, v29.4s\n\tadd\tv15.4s, v15.4s, v30.4s\n\tadd\tv16.4s, v16.4s, v30.4s\n\tadd\tv15.4s, v15.4s, v22.4s\n\tadd\tv16.4s, v16.4s, v23.4s\n\n\tld1\t{v20.16b - v23.16b}, [x1], #64\n\n\teor\tv20.16b, v20.16b, v1.16b\n\teor\tv21.16b, v21.16b, v6.16b\n\teor\tv22.16b, v22.16b, v11.16b\n\teor\tv23.16b, v23.16b, v16.16b\n\n\tst1\t{v20.16b - v23.16b}, [x0], #64\n\tsub\tx2, x2, #64\n\n\tb\tLopen_tail_64_store\n\nLopen_tail_64:\n // We just need a single block\n\tmov\tv0.16b, v24.16b\n\tmov\tv5.16b, v28.16b\n\tmov\tv10.16b, v29.16b\n\tmov\tv15.16b, v30.16b\n\teor\tv23.16b, v23.16b, v23.16b\n\tins\tv23.s[0], v25.s[0]\n\tadd\tv15.4s, v15.4s, v23.4s\n\n\tmov\tx6, #10\n\tsub\tx6, x6, x4\n\nLopen_tail_64_rounds:\n\tadd\tv0.4s, v0.4s, v5.4s\n\teor\tv15.16b, v15.16b, v0.16b\n\trev32\tv15.8h, v15.8h\n\n\tadd\tv10.4s, v10.4s, v15.4s\n\teor\tv5.16b, v5.16b, v10.16b\n\tushr\tv20.4s, v5.4s, #20\n\tsli\tv20.4s, v5.4s, #12\n\tadd\tv0.4s, v0.4s, v20.4s\n\teor\tv15.16b, v15.16b, v0.16b\n\ttbl\tv15.16b, {v15.16b}, v26.16b\n\n\tadd\tv10.4s, v10.4s, v15.4s\n\teor\tv20.16b, v20.16b, v10.16b\n\tushr\tv5.4s, v20.4s, #25\n\tsli\tv5.4s, v20.4s, #7\n\text\tv5.16b, v5.16b, v5.16b, #4\n\text\tv10.16b, v10.16b, v10.16b, #8\n\text\tv15.16b, v15.16b, v15.16b, #12\n\tadd\tv0.4s, v0.4s, v5.4s\n\teor\tv15.16b, v15.16b, v0.16b\n\trev32\tv15.8h, v15.8h\n\n\tadd\tv10.4s, v10.4s, v15.4s\n\teor\tv5.16b, v5.16b, v10.16b\n\tushr\tv20.4s, v5.4s, #20\n\tsli\tv20.4s, v5.4s, #12\n\tadd\tv0.4s, v0.4s, v20.4s\n\teor\tv15.16b, v15.16b, v0.16b\n\ttbl\tv15.16b, {v15.16b}, v26.16b\n\n\tadd\tv10.4s, v10.4s, v15.4s\n\teor\tv20.16b, v20.16b, v10.16b\n\tushr\tv5.4s, v20.4s, #25\n\tsli\tv5.4s, v20.4s, #7\n\text\tv5.16b, v5.16b, v5.16b, #12\n\text\tv10.16b, v10.16b, v10.16b, #8\n\text\tv15.16b, v15.16b, v15.16b, #4\n\tsubs\tx6, x6, #1\n\tb.gt\tLopen_tail_64_rounds\n\tcbz\tx4, Lopen_tail_64_rounds_done\n\tsubs\tx4, x4, #1\n\tldp\tx11, x12, [x3], 16\n\tadds\tx8, x8, x11\n\tadcs\tx9, x9, x12\n\tadc\tx10, x10, x15\n\tmul\tx11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0\n\tumulh\tx12, x8, x16\n\tmul\tx13, x9, x16\n\tumulh\tx14, x9, x16\n\tadds\tx12, x12, x13\n\tmul\tx13, x10, x16\n\tadc\tx13, x13, x14\n\tmul\tx14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0]\n\tumulh\tx8, x8, x17\n\tadds\tx12, x12, x14\n\tmul\tx14, x9, x17\n\tumulh\tx9, x9, x17\n\tadcs\tx14, x14, x8\n\tmul\tx10, x10, x17\n\tadc\tx10, x10, x9\n\tadds\tx13, x13, x14\n\tadc\tx14, x10, xzr\n\tand\tx10, x13, #3 // At this point acc2 is 2 bits at most (value of 3)\n\tand\tx8, x13, #-4\n\textr\tx13, x14, x13, #2\n\tadds\tx8, x8, x11\n\tlsr\tx11, x14, #2\n\tadc\tx9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits\n\tadds\tx8, x8, x13\n\tadcs\tx9, x9, x12\n\tadc\tx10, x10, xzr // At this point acc2 has the value of 4 at most\n\tb\tLopen_tail_64_rounds\n\nLopen_tail_64_rounds_done:\n\tadd\tv0.4s, v0.4s, v24.4s\n\tadd\tv5.4s, v5.4s, v28.4s\n\tadd\tv10.4s, v10.4s, v29.4s\n\tadd\tv15.4s, v15.4s, v30.4s\n\tadd\tv15.4s, v15.4s, v23.4s\n\nLopen_tail_64_store:\n\tcmp\tx2, #16\n\tb.lt\tLopen_tail_16\n\n\tld1\t{v20.16b}, [x1], #16\n\teor\tv20.16b, v20.16b, v0.16b\n\tst1\t{v20.16b}, [x0], #16\n\tmov\tv0.16b, v5.16b\n\tmov\tv5.16b, v10.16b\n\tmov\tv10.16b, v15.16b\n\tsub\tx2, x2, #16\n\tb\tLopen_tail_64_store\n\nLopen_tail_16:\n // Here we handle the last [0,16) bytes that require a padded block\n\tcbz\tx2, Lopen_finalize\n\n\teor\tv20.16b, v20.16b, v20.16b // Use T0 to load the ciphertext\n\teor\tv21.16b, v21.16b, v21.16b // Use T1 to generate an AND mask\n\tnot\tv22.16b, v20.16b\n\n\tadd\tx7, x1, x2\n\tmov\tx6, x2\n\nLopen_tail_16_compose:\n\text\tv20.16b, v20.16b, v20.16b, #15\n\tldrb\tw11, [x7, #-1]!\n\tmov\tv20.b[0], w11\n\text\tv21.16b, v22.16b, v21.16b, #15\n\tsubs\tx2, x2, #1\n\tb.gt\tLopen_tail_16_compose\n\n\tand\tv20.16b, v20.16b, v21.16b\n // Hash in the final padded block\n\tmov\tx11, v20.d[0]\n\tmov\tx12, v20.d[1]\n\tadds\tx8, x8, x11\n\tadcs\tx9, x9, x12\n\tadc\tx10, x10, x15\n\tmul\tx11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0\n\tumulh\tx12, x8, x16\n\tmul\tx13, x9, x16\n\tumulh\tx14, x9, x16\n\tadds\tx12, x12, x13\n\tmul\tx13, x10, x16\n\tadc\tx13, x13, x14\n\tmul\tx14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0]\n\tumulh\tx8, x8, x17\n\tadds\tx12, x12, x14\n\tmul\tx14, x9, x17\n\tumulh\tx9, x9, x17\n\tadcs\tx14, x14, x8\n\tmul\tx10, x10, x17\n\tadc\tx10, x10, x9\n\tadds\tx13, x13, x14\n\tadc\tx14, x10, xzr\n\tand\tx10, x13, #3 // At this point acc2 is 2 bits at most (value of 3)\n\tand\tx8, x13, #-4\n\textr\tx13, x14, x13, #2\n\tadds\tx8, x8, x11\n\tlsr\tx11, x14, #2\n\tadc\tx9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits\n\tadds\tx8, x8, x13\n\tadcs\tx9, x9, x12\n\tadc\tx10, x10, xzr // At this point acc2 has the value of 4 at most\n\teor\tv20.16b, v20.16b, v0.16b\n\nLopen_tail_16_store:\n\tumov\tw11, v20.b[0]\n\tstrb\tw11, [x0], #1\n\text\tv20.16b, v20.16b, v20.16b, #1\n\tsubs\tx6, x6, #1\n\tb.gt\tLopen_tail_16_store\n\nLopen_finalize:\n\tmov\tx11, v31.d[0]\n\tmov\tx12, v31.d[1]\n\tadds\tx8, x8, x11\n\tadcs\tx9, x9, x12\n\tadc\tx10, x10, x15\n\tmul\tx11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0\n\tumulh\tx12, x8, x16\n\tmul\tx13, x9, x16\n\tumulh\tx14, x9, x16\n\tadds\tx12, x12, x13\n\tmul\tx13, x10, x16\n\tadc\tx13, x13, x14\n\tmul\tx14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0]\n\tumulh\tx8, x8, x17\n\tadds\tx12, x12, x14\n\tmul\tx14, x9, x17\n\tumulh\tx9, x9, x17\n\tadcs\tx14, x14, x8\n\tmul\tx10, x10, x17\n\tadc\tx10, x10, x9\n\tadds\tx13, x13, x14\n\tadc\tx14, x10, xzr\n\tand\tx10, x13, #3 // At this point acc2 is 2 bits at most (value of 3)\n\tand\tx8, x13, #-4\n\textr\tx13, x14, x13, #2\n\tadds\tx8, x8, x11\n\tlsr\tx11, x14, #2\n\tadc\tx9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits\n\tadds\tx8, x8, x13\n\tadcs\tx9, x9, x12\n\tadc\tx10, x10, xzr // At this point acc2 has the value of 4 at most\n // Final reduction step\n\tsub\tx12, xzr, x15\n\torr\tx13, xzr, #3\n\tsubs\tx11, x8, #-5\n\tsbcs\tx12, x9, x12\n\tsbcs\tx13, x10, x13\n\tcsel\tx8, x11, x8, cs\n\tcsel\tx9, x12, x9, cs\n\tcsel\tx10, x13, x10, cs\n\tmov\tx11, v27.d[0]\n\tmov\tx12, v27.d[1]\n\tadds\tx8, x8, x11\n\tadcs\tx9, x9, x12\n\tadc\tx10, x10, x15\n\n\tstp\tx8, x9, [x5]\n\n\tldp\td8, d9, [sp, #16]\n\tldp\td10, d11, [sp, #32]\n\tldp\td12, d13, [sp, #48]\n\tldp\td14, d15, [sp, #64]\n.cfi_restore\tb15\n.cfi_restore\tb14\n.cfi_restore\tb13\n.cfi_restore\tb12\n.cfi_restore\tb11\n.cfi_restore\tb10\n.cfi_restore\tb9\n.cfi_restore\tb8\n\tldp\tx29, x30, [sp], 80\n.cfi_restore\tw29\n.cfi_restore\tw30\n.cfi_def_cfa_offset\t0\n\tAARCH64_VALIDATE_LINK_REGISTER\n\tret\n\nLopen_128:\n // On some architectures preparing 5 blocks for small buffers is wasteful\n\teor\tv25.16b, v25.16b, v25.16b\n\tmov\tx11, #1\n\tmov\tv25.s[0], w11\n\tmov\tv0.16b, v24.16b\n\tmov\tv1.16b, v24.16b\n\tmov\tv2.16b, v24.16b\n\tmov\tv5.16b, v28.16b\n\tmov\tv6.16b, v28.16b\n\tmov\tv7.16b, v28.16b\n\tmov\tv10.16b, v29.16b\n\tmov\tv11.16b, v29.16b\n\tmov\tv12.16b, v29.16b\n\tmov\tv17.16b, v30.16b\n\tadd\tv15.4s, v17.4s, v25.4s\n\tadd\tv16.4s, v15.4s, v25.4s\n\n\tmov\tx6, #10\n\nLopen_128_rounds:\n\tadd\tv0.4s, v0.4s, v5.4s\n\tadd\tv1.4s, v1.4s, v6.4s\n\tadd\tv2.4s, v2.4s, v7.4s\n\teor\tv15.16b, v15.16b, v0.16b\n\teor\tv16.16b, v16.16b, v1.16b\n\teor\tv17.16b, v17.16b, v2.16b\n\trev32\tv15.8h, v15.8h\n\trev32\tv16.8h, v16.8h\n\trev32\tv17.8h, v17.8h\n\n\tadd\tv10.4s, v10.4s, v15.4s\n\tadd\tv11.4s, v11.4s, v16.4s\n\tadd\tv12.4s, v12.4s, v17.4s\n\teor\tv5.16b, v5.16b, v10.16b\n\teor\tv6.16b, v6.16b, v11.16b\n\teor\tv7.16b, v7.16b, v12.16b\n\tushr\tv20.4s, v5.4s, #20\n\tsli\tv20.4s, v5.4s, #12\n\tushr\tv5.4s, v6.4s, #20\n\tsli\tv5.4s, v6.4s, #12\n\tushr\tv6.4s, v7.4s, #20\n\tsli\tv6.4s, v7.4s, #12\n\n\tadd\tv0.4s, v0.4s, v20.4s\n\tadd\tv1.4s, v1.4s, v5.4s\n\tadd\tv2.4s, v2.4s, v6.4s\n\teor\tv15.16b, v15.16b, v0.16b\n\teor\tv16.16b, v16.16b, v1.16b\n\teor\tv17.16b, v17.16b, v2.16b\n\ttbl\tv15.16b, {v15.16b}, v26.16b\n\ttbl\tv16.16b, {v16.16b}, v26.16b\n\ttbl\tv17.16b, {v17.16b}, v26.16b\n\n\tadd\tv10.4s, v10.4s, v15.4s\n\tadd\tv11.4s, v11.4s, v16.4s\n\tadd\tv12.4s, v12.4s, v17.4s\n\teor\tv20.16b, v20.16b, v10.16b\n\teor\tv5.16b, v5.16b, v11.16b\n\teor\tv6.16b, v6.16b, v12.16b\n\tushr\tv7.4s, v6.4s, #25\n\tsli\tv7.4s, v6.4s, #7\n\tushr\tv6.4s, v5.4s, #25\n\tsli\tv6.4s, v5.4s, #7\n\tushr\tv5.4s, v20.4s, #25\n\tsli\tv5.4s, v20.4s, #7\n\n\text\tv5.16b, v5.16b, v5.16b, #4\n\text\tv6.16b, v6.16b, v6.16b, #4\n\text\tv7.16b, v7.16b, v7.16b, #4\n\n\text\tv10.16b, v10.16b, v10.16b, #8\n\text\tv11.16b, v11.16b, v11.16b, #8\n\text\tv12.16b, v12.16b, v12.16b, #8\n\n\text\tv15.16b, v15.16b, v15.16b, #12\n\text\tv16.16b, v16.16b, v16.16b, #12\n\text\tv17.16b, v17.16b, v17.16b, #12\n\tadd\tv0.4s, v0.4s, v5.4s\n\tadd\tv1.4s, v1.4s, v6.4s\n\tadd\tv2.4s, v2.4s, v7.4s\n\teor\tv15.16b, v15.16b, v0.16b\n\teor\tv16.16b, v16.16b, v1.16b\n\teor\tv17.16b, v17.16b, v2.16b\n\trev32\tv15.8h, v15.8h\n\trev32\tv16.8h, v16.8h\n\trev32\tv17.8h, v17.8h\n\n\tadd\tv10.4s, v10.4s, v15.4s\n\tadd\tv11.4s, v11.4s, v16.4s\n\tadd\tv12.4s, v12.4s, v17.4s\n\teor\tv5.16b, v5.16b, v10.16b\n\teor\tv6.16b, v6.16b, v11.16b\n\teor\tv7.16b, v7.16b, v12.16b\n\tushr\tv20.4s, v5.4s, #20\n\tsli\tv20.4s, v5.4s, #12\n\tushr\tv5.4s, v6.4s, #20\n\tsli\tv5.4s, v6.4s, #12\n\tushr\tv6.4s, v7.4s, #20\n\tsli\tv6.4s, v7.4s, #12\n\n\tadd\tv0.4s, v0.4s, v20.4s\n\tadd\tv1.4s, v1.4s, v5.4s\n\tadd\tv2.4s, v2.4s, v6.4s\n\teor\tv15.16b, v15.16b, v0.16b\n\teor\tv16.16b, v16.16b, v1.16b\n\teor\tv17.16b, v17.16b, v2.16b\n\ttbl\tv15.16b, {v15.16b}, v26.16b\n\ttbl\tv16.16b, {v16.16b}, v26.16b\n\ttbl\tv17.16b, {v17.16b}, v26.16b\n\n\tadd\tv10.4s, v10.4s, v15.4s\n\tadd\tv11.4s, v11.4s, v16.4s\n\tadd\tv12.4s, v12.4s, v17.4s\n\teor\tv20.16b, v20.16b, v10.16b\n\teor\tv5.16b, v5.16b, v11.16b\n\teor\tv6.16b, v6.16b, v12.16b\n\tushr\tv7.4s, v6.4s, #25\n\tsli\tv7.4s, v6.4s, #7\n\tushr\tv6.4s, v5.4s, #25\n\tsli\tv6.4s, v5.4s, #7\n\tushr\tv5.4s, v20.4s, #25\n\tsli\tv5.4s, v20.4s, #7\n\n\text\tv5.16b, v5.16b, v5.16b, #12\n\text\tv6.16b, v6.16b, v6.16b, #12\n\text\tv7.16b, v7.16b, v7.16b, #12\n\n\text\tv10.16b, v10.16b, v10.16b, #8\n\text\tv11.16b, v11.16b, v11.16b, #8\n\text\tv12.16b, v12.16b, v12.16b, #8\n\n\text\tv15.16b, v15.16b, v15.16b, #4\n\text\tv16.16b, v16.16b, v16.16b, #4\n\text\tv17.16b, v17.16b, v17.16b, #4\n\tsubs\tx6, x6, #1\n\tb.hi\tLopen_128_rounds\n\n\tadd\tv0.4s, v0.4s, v24.4s\n\tadd\tv1.4s, v1.4s, v24.4s\n\tadd\tv2.4s, v2.4s, v24.4s\n\n\tadd\tv5.4s, v5.4s, v28.4s\n\tadd\tv6.4s, v6.4s, v28.4s\n\tadd\tv7.4s, v7.4s, v28.4s\n\n\tadd\tv10.4s, v10.4s, v29.4s\n\tadd\tv11.4s, v11.4s, v29.4s\n\n\tadd\tv30.4s, v30.4s, v25.4s\n\tadd\tv15.4s, v15.4s, v30.4s\n\tadd\tv30.4s, v30.4s, v25.4s\n\tadd\tv16.4s, v16.4s, v30.4s\n\n\tand\tv2.16b, v2.16b, v27.16b\n\tmov\tx16, v2.d[0] // Move the R key to GPRs\n\tmov\tx17, v2.d[1]\n\tmov\tv27.16b, v7.16b // Store the S key\n\n\tbl\tLpoly_hash_ad_internal\n\nLopen_128_store:\n\tcmp\tx2, #64\n\tb.lt\tLopen_128_store_64\n\n\tld1\t{v20.16b - v23.16b}, [x1], #64\n\n\tmov\tx11, v20.d[0]\n\tmov\tx12, v20.d[1]\n\tadds\tx8, x8, x11\n\tadcs\tx9, x9, x12\n\tadc\tx10, x10, x15\n\tmul\tx11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0\n\tumulh\tx12, x8, x16\n\tmul\tx13, x9, x16\n\tumulh\tx14, x9, x16\n\tadds\tx12, x12, x13\n\tmul\tx13, x10, x16\n\tadc\tx13, x13, x14\n\tmul\tx14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0]\n\tumulh\tx8, x8, x17\n\tadds\tx12, x12, x14\n\tmul\tx14, x9, x17\n\tumulh\tx9, x9, x17\n\tadcs\tx14, x14, x8\n\tmul\tx10, x10, x17\n\tadc\tx10, x10, x9\n\tadds\tx13, x13, x14\n\tadc\tx14, x10, xzr\n\tand\tx10, x13, #3 // At this point acc2 is 2 bits at most (value of 3)\n\tand\tx8, x13, #-4\n\textr\tx13, x14, x13, #2\n\tadds\tx8, x8, x11\n\tlsr\tx11, x14, #2\n\tadc\tx9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits\n\tadds\tx8, x8, x13\n\tadcs\tx9, x9, x12\n\tadc\tx10, x10, xzr // At this point acc2 has the value of 4 at most\n\tmov\tx11, v21.d[0]\n\tmov\tx12, v21.d[1]\n\tadds\tx8, x8, x11\n\tadcs\tx9, x9, x12\n\tadc\tx10, x10, x15\n\tmul\tx11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0\n\tumulh\tx12, x8, x16\n\tmul\tx13, x9, x16\n\tumulh\tx14, x9, x16\n\tadds\tx12, x12, x13\n\tmul\tx13, x10, x16\n\tadc\tx13, x13, x14\n\tmul\tx14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0]\n\tumulh\tx8, x8, x17\n\tadds\tx12, x12, x14\n\tmul\tx14, x9, x17\n\tumulh\tx9, x9, x17\n\tadcs\tx14, x14, x8\n\tmul\tx10, x10, x17\n\tadc\tx10, x10, x9\n\tadds\tx13, x13, x14\n\tadc\tx14, x10, xzr\n\tand\tx10, x13, #3 // At this point acc2 is 2 bits at most (value of 3)\n\tand\tx8, x13, #-4\n\textr\tx13, x14, x13, #2\n\tadds\tx8, x8, x11\n\tlsr\tx11, x14, #2\n\tadc\tx9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits\n\tadds\tx8, x8, x13\n\tadcs\tx9, x9, x12\n\tadc\tx10, x10, xzr // At this point acc2 has the value of 4 at most\n\tmov\tx11, v22.d[0]\n\tmov\tx12, v22.d[1]\n\tadds\tx8, x8, x11\n\tadcs\tx9, x9, x12\n\tadc\tx10, x10, x15\n\tmul\tx11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0\n\tumulh\tx12, x8, x16\n\tmul\tx13, x9, x16\n\tumulh\tx14, x9, x16\n\tadds\tx12, x12, x13\n\tmul\tx13, x10, x16\n\tadc\tx13, x13, x14\n\tmul\tx14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0]\n\tumulh\tx8, x8, x17\n\tadds\tx12, x12, x14\n\tmul\tx14, x9, x17\n\tumulh\tx9, x9, x17\n\tadcs\tx14, x14, x8\n\tmul\tx10, x10, x17\n\tadc\tx10, x10, x9\n\tadds\tx13, x13, x14\n\tadc\tx14, x10, xzr\n\tand\tx10, x13, #3 // At this point acc2 is 2 bits at most (value of 3)\n\tand\tx8, x13, #-4\n\textr\tx13, x14, x13, #2\n\tadds\tx8, x8, x11\n\tlsr\tx11, x14, #2\n\tadc\tx9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits\n\tadds\tx8, x8, x13\n\tadcs\tx9, x9, x12\n\tadc\tx10, x10, xzr // At this point acc2 has the value of 4 at most\n\tmov\tx11, v23.d[0]\n\tmov\tx12, v23.d[1]\n\tadds\tx8, x8, x11\n\tadcs\tx9, x9, x12\n\tadc\tx10, x10, x15\n\tmul\tx11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0\n\tumulh\tx12, x8, x16\n\tmul\tx13, x9, x16\n\tumulh\tx14, x9, x16\n\tadds\tx12, x12, x13\n\tmul\tx13, x10, x16\n\tadc\tx13, x13, x14\n\tmul\tx14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0]\n\tumulh\tx8, x8, x17\n\tadds\tx12, x12, x14\n\tmul\tx14, x9, x17\n\tumulh\tx9, x9, x17\n\tadcs\tx14, x14, x8\n\tmul\tx10, x10, x17\n\tadc\tx10, x10, x9\n\tadds\tx13, x13, x14\n\tadc\tx14, x10, xzr\n\tand\tx10, x13, #3 // At this point acc2 is 2 bits at most (value of 3)\n\tand\tx8, x13, #-4\n\textr\tx13, x14, x13, #2\n\tadds\tx8, x8, x11\n\tlsr\tx11, x14, #2\n\tadc\tx9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits\n\tadds\tx8, x8, x13\n\tadcs\tx9, x9, x12\n\tadc\tx10, x10, xzr // At this point acc2 has the value of 4 at most\n\n\teor\tv20.16b, v20.16b, v0.16b\n\teor\tv21.16b, v21.16b, v5.16b\n\teor\tv22.16b, v22.16b, v10.16b\n\teor\tv23.16b, v23.16b, v15.16b\n\n\tst1\t{v20.16b - v23.16b}, [x0], #64\n\n\tsub\tx2, x2, #64\n\n\tmov\tv0.16b, v1.16b\n\tmov\tv5.16b, v6.16b\n\tmov\tv10.16b, v11.16b\n\tmov\tv15.16b, v16.16b\n\nLopen_128_store_64:\n\n\tlsr\tx4, x2, #4\n\tmov\tx3, x1\n\nLopen_128_hash_64:\n\tcbz\tx4, Lopen_tail_64_store\n\tldp\tx11, x12, [x3], 16\n\tadds\tx8, x8, x11\n\tadcs\tx9, x9, x12\n\tadc\tx10, x10, x15\n\tmul\tx11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0\n\tumulh\tx12, x8, x16\n\tmul\tx13, x9, x16\n\tumulh\tx14, x9, x16\n\tadds\tx12, x12, x13\n\tmul\tx13, x10, x16\n\tadc\tx13, x13, x14\n\tmul\tx14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0]\n\tumulh\tx8, x8, x17\n\tadds\tx12, x12, x14\n\tmul\tx14, x9, x17\n\tumulh\tx9, x9, x17\n\tadcs\tx14, x14, x8\n\tmul\tx10, x10, x17\n\tadc\tx10, x10, x9\n\tadds\tx13, x13, x14\n\tadc\tx14, x10, xzr\n\tand\tx10, x13, #3 // At this point acc2 is 2 bits at most (value of 3)\n\tand\tx8, x13, #-4\n\textr\tx13, x14, x13, #2\n\tadds\tx8, x8, x11\n\tlsr\tx11, x14, #2\n\tadc\tx9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits\n\tadds\tx8, x8, x13\n\tadcs\tx9, x9, x12\n\tadc\tx10, x10, xzr // At this point acc2 has the value of 4 at most\n\tsub\tx4, x4, #1\n\tb\tLopen_128_hash_64\n.cfi_endproc\n\n#endif // !OPENSSL_NO_ASM && defined(OPENSSL_AARCH64) && defined(__APPLE__)\n#if defined(__linux__) && defined(__ELF__)\n.section .note.GNU-stack,\"\",%progbits\n#endif\n\n" }, { "path": "Sources/CNIOBoringSSL/gen/crypto/chacha20_poly1305_armv8-linux.S", "content": "#define BORINGSSL_PREFIX CNIOBoringSSL\n// This file is generated from a similarly-named Perl script in the BoringSSL\n// source tree. Do not edit by hand.\n\n#include \n\n#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_AARCH64) && defined(__ELF__)\n#include \n.section\t.rodata\n\n.align\t7\n.Lchacha20_consts:\n.byte\t'e','x','p','a','n','d',' ','3','2','-','b','y','t','e',' ','k'\n.Linc:\n.long\t1,2,3,4\n.Lrol8:\n.byte\t3,0,1,2, 7,4,5,6, 11,8,9,10, 15,12,13,14\n.Lclamp:\n.quad\t0x0FFFFFFC0FFFFFFF, 0x0FFFFFFC0FFFFFFC\n\n.text\n\n.type\t.Lpoly_hash_ad_internal,%function\n.align\t6\n.Lpoly_hash_ad_internal:\n.cfi_startproc\n\tcbnz\tx4, .Lpoly_hash_intro\n\tret\n\n.Lpoly_hash_intro:\n\tcmp\tx4, #16\n\tb.lt\t.Lpoly_hash_ad_tail\n\tldp\tx11, x12, [x3], 16\n\tadds\tx8, x8, x11\n\tadcs\tx9, x9, x12\n\tadc\tx10, x10, x15\n\tmul\tx11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0\n\tumulh\tx12, x8, x16\n\tmul\tx13, x9, x16\n\tumulh\tx14, x9, x16\n\tadds\tx12, x12, x13\n\tmul\tx13, x10, x16\n\tadc\tx13, x13, x14\n\tmul\tx14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0]\n\tumulh\tx8, x8, x17\n\tadds\tx12, x12, x14\n\tmul\tx14, x9, x17\n\tumulh\tx9, x9, x17\n\tadcs\tx14, x14, x8\n\tmul\tx10, x10, x17\n\tadc\tx10, x10, x9\n\tadds\tx13, x13, x14\n\tadc\tx14, x10, xzr\n\tand\tx10, x13, #3 // At this point acc2 is 2 bits at most (value of 3)\n\tand\tx8, x13, #-4\n\textr\tx13, x14, x13, #2\n\tadds\tx8, x8, x11\n\tlsr\tx11, x14, #2\n\tadc\tx9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits\n\tadds\tx8, x8, x13\n\tadcs\tx9, x9, x12\n\tadc\tx10, x10, xzr // At this point acc2 has the value of 4 at most\n\tsub\tx4, x4, #16\n\tb\t.Lpoly_hash_ad_internal\n\n.Lpoly_hash_ad_tail:\n\tcbz\tx4, .Lpoly_hash_ad_ret\n\n\teor\tv20.16b, v20.16b, v20.16b // Use T0 to load the AAD\n\tsub\tx4, x4, #1\n\n.Lpoly_hash_tail_16_compose:\n\text\tv20.16b, v20.16b, v20.16b, #15\n\tldrb\tw11, [x3, x4]\n\tmov\tv20.b[0], w11\n\tsubs\tx4, x4, #1\n\tb.ge\t.Lpoly_hash_tail_16_compose\n\tmov\tx11, v20.d[0]\n\tmov\tx12, v20.d[1]\n\tadds\tx8, x8, x11\n\tadcs\tx9, x9, x12\n\tadc\tx10, x10, x15\n\tmul\tx11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0\n\tumulh\tx12, x8, x16\n\tmul\tx13, x9, x16\n\tumulh\tx14, x9, x16\n\tadds\tx12, x12, x13\n\tmul\tx13, x10, x16\n\tadc\tx13, x13, x14\n\tmul\tx14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0]\n\tumulh\tx8, x8, x17\n\tadds\tx12, x12, x14\n\tmul\tx14, x9, x17\n\tumulh\tx9, x9, x17\n\tadcs\tx14, x14, x8\n\tmul\tx10, x10, x17\n\tadc\tx10, x10, x9\n\tadds\tx13, x13, x14\n\tadc\tx14, x10, xzr\n\tand\tx10, x13, #3 // At this point acc2 is 2 bits at most (value of 3)\n\tand\tx8, x13, #-4\n\textr\tx13, x14, x13, #2\n\tadds\tx8, x8, x11\n\tlsr\tx11, x14, #2\n\tadc\tx9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits\n\tadds\tx8, x8, x13\n\tadcs\tx9, x9, x12\n\tadc\tx10, x10, xzr // At this point acc2 has the value of 4 at most\n\n.Lpoly_hash_ad_ret:\n\tret\n.cfi_endproc\n.size\t.Lpoly_hash_ad_internal, .-.Lpoly_hash_ad_internal\n\n/////////////////////////////////\n//\n// void chacha20_poly1305_seal(uint8_t *pt, uint8_t *ct, size_t len_in, uint8_t *ad, size_t len_ad, union open_data *seal_data);\n//\n.globl\tchacha20_poly1305_seal\n.hidden\tchacha20_poly1305_seal\n.type\tchacha20_poly1305_seal,%function\n.align\t6\nchacha20_poly1305_seal:\n\tAARCH64_SIGN_LINK_REGISTER\n.cfi_startproc\n\tstp\tx29, x30, [sp, #-80]!\n.cfi_def_cfa_offset\t80\n.cfi_offset\tw30, -72\n.cfi_offset\tw29, -80\n\tmov\tx29, sp\n // We probably could do .cfi_def_cfa w29, 80 at this point, but since\n // we don't actually use the frame pointer like that, it's probably not\n // worth bothering.\n\tstp\td8, d9, [sp, #16]\n\tstp\td10, d11, [sp, #32]\n\tstp\td12, d13, [sp, #48]\n\tstp\td14, d15, [sp, #64]\n.cfi_offset\tb15, -8\n.cfi_offset\tb14, -16\n.cfi_offset\tb13, -24\n.cfi_offset\tb12, -32\n.cfi_offset\tb11, -40\n.cfi_offset\tb10, -48\n.cfi_offset\tb9, -56\n.cfi_offset\tb8, -64\n\n\tadrp\tx11, .Lchacha20_consts\n\tadd\tx11, x11, :lo12:.Lchacha20_consts\n\n\tld1\t{v24.16b - v27.16b}, [x11] // .Load the CONSTS, INC, ROL8 and CLAMP values\n\tld1\t{v28.16b - v30.16b}, [x5]\n\n\tmov\tx15, #1 // Prepare the Poly1305 state\n\tmov\tx8, #0\n\tmov\tx9, #0\n\tmov\tx10, #0\n\n\tldr\tx12, [x5, #56] // The total cipher text length includes extra_in_len\n\tadd\tx12, x12, x2\n\tmov\tv31.d[0], x4 // Store the input and aad lengths\n\tmov\tv31.d[1], x12\n\n\tcmp\tx2, #128\n\tb.le\t.Lseal_128 // Optimization for smaller buffers\n\n // Initially we prepare 5 ChaCha20 blocks. Four to encrypt up to 4 blocks (256 bytes) of plaintext,\n // and one for the Poly1305 R and S keys. The first four blocks (A0-A3..D0-D3) are computed vertically,\n // the fifth block (A4-D4) horizontally.\n\tld4r\t{v0.4s,v1.4s,v2.4s,v3.4s}, [x11]\n\tmov\tv4.16b, v24.16b\n\n\tld4r\t{v5.4s,v6.4s,v7.4s,v8.4s}, [x5], #16\n\tmov\tv9.16b, v28.16b\n\n\tld4r\t{v10.4s,v11.4s,v12.4s,v13.4s}, [x5], #16\n\tmov\tv14.16b, v29.16b\n\n\tld4r\t{v15.4s,v16.4s,v17.4s,v18.4s}, [x5]\n\tadd\tv15.4s, v15.4s, v25.4s\n\tmov\tv19.16b, v30.16b\n\n\tsub\tx5, x5, #32\n\n\tmov\tx6, #10\n\n.align\t5\n.Lseal_init_rounds:\n\tadd\tv0.4s, v0.4s, v5.4s\n\tadd\tv1.4s, v1.4s, v6.4s\n\tadd\tv2.4s, v2.4s, v7.4s\n\tadd\tv3.4s, v3.4s, v8.4s\n\tadd\tv4.4s, v4.4s, v9.4s\n\n\teor\tv15.16b, v15.16b, v0.16b\n\teor\tv16.16b, v16.16b, v1.16b\n\teor\tv17.16b, v17.16b, v2.16b\n\teor\tv18.16b, v18.16b, v3.16b\n\teor\tv19.16b, v19.16b, v4.16b\n\n\trev32\tv15.8h, v15.8h\n\trev32\tv16.8h, v16.8h\n\trev32\tv17.8h, v17.8h\n\trev32\tv18.8h, v18.8h\n\trev32\tv19.8h, v19.8h\n\n\tadd\tv10.4s, v10.4s, v15.4s\n\tadd\tv11.4s, v11.4s, v16.4s\n\tadd\tv12.4s, v12.4s, v17.4s\n\tadd\tv13.4s, v13.4s, v18.4s\n\tadd\tv14.4s, v14.4s, v19.4s\n\n\teor\tv5.16b, v5.16b, v10.16b\n\teor\tv6.16b, v6.16b, v11.16b\n\teor\tv7.16b, v7.16b, v12.16b\n\teor\tv8.16b, v8.16b, v13.16b\n\teor\tv9.16b, v9.16b, v14.16b\n\n\tushr\tv20.4s, v5.4s, #20\n\tsli\tv20.4s, v5.4s, #12\n\tushr\tv5.4s, v6.4s, #20\n\tsli\tv5.4s, v6.4s, #12\n\tushr\tv6.4s, v7.4s, #20\n\tsli\tv6.4s, v7.4s, #12\n\tushr\tv7.4s, v8.4s, #20\n\tsli\tv7.4s, v8.4s, #12\n\tushr\tv8.4s, v9.4s, #20\n\tsli\tv8.4s, v9.4s, #12\n\n\tadd\tv0.4s, v0.4s, v20.4s\n\tadd\tv1.4s, v1.4s, v5.4s\n\tadd\tv2.4s, v2.4s, v6.4s\n\tadd\tv3.4s, v3.4s, v7.4s\n\tadd\tv4.4s, v4.4s, v8.4s\n\n\teor\tv15.16b, v15.16b, v0.16b\n\teor\tv16.16b, v16.16b, v1.16b\n\teor\tv17.16b, v17.16b, v2.16b\n\teor\tv18.16b, v18.16b, v3.16b\n\teor\tv19.16b, v19.16b, v4.16b\n\n\ttbl\tv15.16b, {v15.16b}, v26.16b\n\ttbl\tv16.16b, {v16.16b}, v26.16b\n\ttbl\tv17.16b, {v17.16b}, v26.16b\n\ttbl\tv18.16b, {v18.16b}, v26.16b\n\ttbl\tv19.16b, {v19.16b}, v26.16b\n\n\tadd\tv10.4s, v10.4s, v15.4s\n\tadd\tv11.4s, v11.4s, v16.4s\n\tadd\tv12.4s, v12.4s, v17.4s\n\tadd\tv13.4s, v13.4s, v18.4s\n\tadd\tv14.4s, v14.4s, v19.4s\n\n\teor\tv20.16b, v20.16b, v10.16b\n\teor\tv5.16b, v5.16b, v11.16b\n\teor\tv6.16b, v6.16b, v12.16b\n\teor\tv7.16b, v7.16b, v13.16b\n\teor\tv8.16b, v8.16b, v14.16b\n\n\tushr\tv9.4s, v8.4s, #25\n\tsli\tv9.4s, v8.4s, #7\n\tushr\tv8.4s, v7.4s, #25\n\tsli\tv8.4s, v7.4s, #7\n\tushr\tv7.4s, v6.4s, #25\n\tsli\tv7.4s, v6.4s, #7\n\tushr\tv6.4s, v5.4s, #25\n\tsli\tv6.4s, v5.4s, #7\n\tushr\tv5.4s, v20.4s, #25\n\tsli\tv5.4s, v20.4s, #7\n\n\text\tv9.16b, v9.16b, v9.16b, #4\n\text\tv14.16b, v14.16b, v14.16b, #8\n\text\tv19.16b, v19.16b, v19.16b, #12\n\tadd\tv0.4s, v0.4s, v6.4s\n\tadd\tv1.4s, v1.4s, v7.4s\n\tadd\tv2.4s, v2.4s, v8.4s\n\tadd\tv3.4s, v3.4s, v5.4s\n\tadd\tv4.4s, v4.4s, v9.4s\n\n\teor\tv18.16b, v18.16b, v0.16b\n\teor\tv15.16b, v15.16b, v1.16b\n\teor\tv16.16b, v16.16b, v2.16b\n\teor\tv17.16b, v17.16b, v3.16b\n\teor\tv19.16b, v19.16b, v4.16b\n\n\trev32\tv18.8h, v18.8h\n\trev32\tv15.8h, v15.8h\n\trev32\tv16.8h, v16.8h\n\trev32\tv17.8h, v17.8h\n\trev32\tv19.8h, v19.8h\n\n\tadd\tv12.4s, v12.4s, v18.4s\n\tadd\tv13.4s, v13.4s, v15.4s\n\tadd\tv10.4s, v10.4s, v16.4s\n\tadd\tv11.4s, v11.4s, v17.4s\n\tadd\tv14.4s, v14.4s, v19.4s\n\n\teor\tv6.16b, v6.16b, v12.16b\n\teor\tv7.16b, v7.16b, v13.16b\n\teor\tv8.16b, v8.16b, v10.16b\n\teor\tv5.16b, v5.16b, v11.16b\n\teor\tv9.16b, v9.16b, v14.16b\n\n\tushr\tv20.4s, v6.4s, #20\n\tsli\tv20.4s, v6.4s, #12\n\tushr\tv6.4s, v7.4s, #20\n\tsli\tv6.4s, v7.4s, #12\n\tushr\tv7.4s, v8.4s, #20\n\tsli\tv7.4s, v8.4s, #12\n\tushr\tv8.4s, v5.4s, #20\n\tsli\tv8.4s, v5.4s, #12\n\tushr\tv5.4s, v9.4s, #20\n\tsli\tv5.4s, v9.4s, #12\n\n\tadd\tv0.4s, v0.4s, v20.4s\n\tadd\tv1.4s, v1.4s, v6.4s\n\tadd\tv2.4s, v2.4s, v7.4s\n\tadd\tv3.4s, v3.4s, v8.4s\n\tadd\tv4.4s, v4.4s, v5.4s\n\n\teor\tv18.16b, v18.16b, v0.16b\n\teor\tv15.16b, v15.16b, v1.16b\n\teor\tv16.16b, v16.16b, v2.16b\n\teor\tv17.16b, v17.16b, v3.16b\n\teor\tv19.16b, v19.16b, v4.16b\n\n\ttbl\tv18.16b, {v18.16b}, v26.16b\n\ttbl\tv15.16b, {v15.16b}, v26.16b\n\ttbl\tv16.16b, {v16.16b}, v26.16b\n\ttbl\tv17.16b, {v17.16b}, v26.16b\n\ttbl\tv19.16b, {v19.16b}, v26.16b\n\n\tadd\tv12.4s, v12.4s, v18.4s\n\tadd\tv13.4s, v13.4s, v15.4s\n\tadd\tv10.4s, v10.4s, v16.4s\n\tadd\tv11.4s, v11.4s, v17.4s\n\tadd\tv14.4s, v14.4s, v19.4s\n\n\teor\tv20.16b, v20.16b, v12.16b\n\teor\tv6.16b, v6.16b, v13.16b\n\teor\tv7.16b, v7.16b, v10.16b\n\teor\tv8.16b, v8.16b, v11.16b\n\teor\tv5.16b, v5.16b, v14.16b\n\n\tushr\tv9.4s, v5.4s, #25\n\tsli\tv9.4s, v5.4s, #7\n\tushr\tv5.4s, v8.4s, #25\n\tsli\tv5.4s, v8.4s, #7\n\tushr\tv8.4s, v7.4s, #25\n\tsli\tv8.4s, v7.4s, #7\n\tushr\tv7.4s, v6.4s, #25\n\tsli\tv7.4s, v6.4s, #7\n\tushr\tv6.4s, v20.4s, #25\n\tsli\tv6.4s, v20.4s, #7\n\n\text\tv9.16b, v9.16b, v9.16b, #12\n\text\tv14.16b, v14.16b, v14.16b, #8\n\text\tv19.16b, v19.16b, v19.16b, #4\n\tsubs\tx6, x6, #1\n\tb.hi\t.Lseal_init_rounds\n\n\tadd\tv15.4s, v15.4s, v25.4s\n\tmov\tx11, #4\n\tdup\tv20.4s, w11\n\tadd\tv25.4s, v25.4s, v20.4s\n\n\tzip1\tv20.4s, v0.4s, v1.4s\n\tzip2\tv21.4s, v0.4s, v1.4s\n\tzip1\tv22.4s, v2.4s, v3.4s\n\tzip2\tv23.4s, v2.4s, v3.4s\n\n\tzip1\tv0.2d, v20.2d, v22.2d\n\tzip2\tv1.2d, v20.2d, v22.2d\n\tzip1\tv2.2d, v21.2d, v23.2d\n\tzip2\tv3.2d, v21.2d, v23.2d\n\n\tzip1\tv20.4s, v5.4s, v6.4s\n\tzip2\tv21.4s, v5.4s, v6.4s\n\tzip1\tv22.4s, v7.4s, v8.4s\n\tzip2\tv23.4s, v7.4s, v8.4s\n\n\tzip1\tv5.2d, v20.2d, v22.2d\n\tzip2\tv6.2d, v20.2d, v22.2d\n\tzip1\tv7.2d, v21.2d, v23.2d\n\tzip2\tv8.2d, v21.2d, v23.2d\n\n\tzip1\tv20.4s, v10.4s, v11.4s\n\tzip2\tv21.4s, v10.4s, v11.4s\n\tzip1\tv22.4s, v12.4s, v13.4s\n\tzip2\tv23.4s, v12.4s, v13.4s\n\n\tzip1\tv10.2d, v20.2d, v22.2d\n\tzip2\tv11.2d, v20.2d, v22.2d\n\tzip1\tv12.2d, v21.2d, v23.2d\n\tzip2\tv13.2d, v21.2d, v23.2d\n\n\tzip1\tv20.4s, v15.4s, v16.4s\n\tzip2\tv21.4s, v15.4s, v16.4s\n\tzip1\tv22.4s, v17.4s, v18.4s\n\tzip2\tv23.4s, v17.4s, v18.4s\n\n\tzip1\tv15.2d, v20.2d, v22.2d\n\tzip2\tv16.2d, v20.2d, v22.2d\n\tzip1\tv17.2d, v21.2d, v23.2d\n\tzip2\tv18.2d, v21.2d, v23.2d\n\n\tadd\tv4.4s, v4.4s, v24.4s\n\tadd\tv9.4s, v9.4s, v28.4s\n\tand\tv4.16b, v4.16b, v27.16b\n\n\tadd\tv0.4s, v0.4s, v24.4s\n\tadd\tv5.4s, v5.4s, v28.4s\n\tadd\tv10.4s, v10.4s, v29.4s\n\tadd\tv15.4s, v15.4s, v30.4s\n\n\tadd\tv1.4s, v1.4s, v24.4s\n\tadd\tv6.4s, v6.4s, v28.4s\n\tadd\tv11.4s, v11.4s, v29.4s\n\tadd\tv16.4s, v16.4s, v30.4s\n\n\tadd\tv2.4s, v2.4s, v24.4s\n\tadd\tv7.4s, v7.4s, v28.4s\n\tadd\tv12.4s, v12.4s, v29.4s\n\tadd\tv17.4s, v17.4s, v30.4s\n\n\tadd\tv3.4s, v3.4s, v24.4s\n\tadd\tv8.4s, v8.4s, v28.4s\n\tadd\tv13.4s, v13.4s, v29.4s\n\tadd\tv18.4s, v18.4s, v30.4s\n\n\tmov\tx16, v4.d[0] // Move the R key to GPRs\n\tmov\tx17, v4.d[1]\n\tmov\tv27.16b, v9.16b // Store the S key\n\n\tbl\t.Lpoly_hash_ad_internal\n\n\tmov\tx3, x0\n\tcmp\tx2, #256\n\tb.le\t.Lseal_tail\n\n\tld1\t{v20.16b - v23.16b}, [x1], #64\n\teor\tv20.16b, v20.16b, v0.16b\n\teor\tv21.16b, v21.16b, v5.16b\n\teor\tv22.16b, v22.16b, v10.16b\n\teor\tv23.16b, v23.16b, v15.16b\n\tst1\t{v20.16b - v23.16b}, [x0], #64\n\n\tld1\t{v20.16b - v23.16b}, [x1], #64\n\teor\tv20.16b, v20.16b, v1.16b\n\teor\tv21.16b, v21.16b, v6.16b\n\teor\tv22.16b, v22.16b, v11.16b\n\teor\tv23.16b, v23.16b, v16.16b\n\tst1\t{v20.16b - v23.16b}, [x0], #64\n\n\tld1\t{v20.16b - v23.16b}, [x1], #64\n\teor\tv20.16b, v20.16b, v2.16b\n\teor\tv21.16b, v21.16b, v7.16b\n\teor\tv22.16b, v22.16b, v12.16b\n\teor\tv23.16b, v23.16b, v17.16b\n\tst1\t{v20.16b - v23.16b}, [x0], #64\n\n\tld1\t{v20.16b - v23.16b}, [x1], #64\n\teor\tv20.16b, v20.16b, v3.16b\n\teor\tv21.16b, v21.16b, v8.16b\n\teor\tv22.16b, v22.16b, v13.16b\n\teor\tv23.16b, v23.16b, v18.16b\n\tst1\t{v20.16b - v23.16b}, [x0], #64\n\n\tsub\tx2, x2, #256\n\n\tmov\tx6, #4 // In the first run of the loop we need to hash 256 bytes, therefore we hash one block for the first 4 rounds\n\tmov\tx7, #6 // and two blocks for the remaining 6, for a total of (1 * 4 + 2 * 6) * 16 = 256\n\n.Lseal_main_loop:\n\tadrp\tx11, .Lchacha20_consts\n\tadd\tx11, x11, :lo12:.Lchacha20_consts\n\n\tld4r\t{v0.4s,v1.4s,v2.4s,v3.4s}, [x11]\n\tmov\tv4.16b, v24.16b\n\n\tld4r\t{v5.4s,v6.4s,v7.4s,v8.4s}, [x5], #16\n\tmov\tv9.16b, v28.16b\n\n\tld4r\t{v10.4s,v11.4s,v12.4s,v13.4s}, [x5], #16\n\tmov\tv14.16b, v29.16b\n\n\tld4r\t{v15.4s,v16.4s,v17.4s,v18.4s}, [x5]\n\tadd\tv15.4s, v15.4s, v25.4s\n\tmov\tv19.16b, v30.16b\n\n\teor\tv20.16b, v20.16b, v20.16b //zero\n\tnot\tv21.16b, v20.16b // -1\n\tsub\tv21.4s, v25.4s, v21.4s // Add +1\n\text\tv20.16b, v21.16b, v20.16b, #12 // Get the last element (counter)\n\tadd\tv19.4s, v19.4s, v20.4s\n\n\tsub\tx5, x5, #32\n.align\t5\n.Lseal_main_loop_rounds:\n\tadd\tv0.4s, v0.4s, v5.4s\n\tadd\tv1.4s, v1.4s, v6.4s\n\tadd\tv2.4s, v2.4s, v7.4s\n\tadd\tv3.4s, v3.4s, v8.4s\n\tadd\tv4.4s, v4.4s, v9.4s\n\n\teor\tv15.16b, v15.16b, v0.16b\n\teor\tv16.16b, v16.16b, v1.16b\n\teor\tv17.16b, v17.16b, v2.16b\n\teor\tv18.16b, v18.16b, v3.16b\n\teor\tv19.16b, v19.16b, v4.16b\n\n\trev32\tv15.8h, v15.8h\n\trev32\tv16.8h, v16.8h\n\trev32\tv17.8h, v17.8h\n\trev32\tv18.8h, v18.8h\n\trev32\tv19.8h, v19.8h\n\n\tadd\tv10.4s, v10.4s, v15.4s\n\tadd\tv11.4s, v11.4s, v16.4s\n\tadd\tv12.4s, v12.4s, v17.4s\n\tadd\tv13.4s, v13.4s, v18.4s\n\tadd\tv14.4s, v14.4s, v19.4s\n\n\teor\tv5.16b, v5.16b, v10.16b\n\teor\tv6.16b, v6.16b, v11.16b\n\teor\tv7.16b, v7.16b, v12.16b\n\teor\tv8.16b, v8.16b, v13.16b\n\teor\tv9.16b, v9.16b, v14.16b\n\n\tushr\tv20.4s, v5.4s, #20\n\tsli\tv20.4s, v5.4s, #12\n\tushr\tv5.4s, v6.4s, #20\n\tsli\tv5.4s, v6.4s, #12\n\tushr\tv6.4s, v7.4s, #20\n\tsli\tv6.4s, v7.4s, #12\n\tushr\tv7.4s, v8.4s, #20\n\tsli\tv7.4s, v8.4s, #12\n\tushr\tv8.4s, v9.4s, #20\n\tsli\tv8.4s, v9.4s, #12\n\n\tadd\tv0.4s, v0.4s, v20.4s\n\tadd\tv1.4s, v1.4s, v5.4s\n\tadd\tv2.4s, v2.4s, v6.4s\n\tadd\tv3.4s, v3.4s, v7.4s\n\tadd\tv4.4s, v4.4s, v8.4s\n\n\teor\tv15.16b, v15.16b, v0.16b\n\teor\tv16.16b, v16.16b, v1.16b\n\teor\tv17.16b, v17.16b, v2.16b\n\teor\tv18.16b, v18.16b, v3.16b\n\teor\tv19.16b, v19.16b, v4.16b\n\n\ttbl\tv15.16b, {v15.16b}, v26.16b\n\ttbl\tv16.16b, {v16.16b}, v26.16b\n\ttbl\tv17.16b, {v17.16b}, v26.16b\n\ttbl\tv18.16b, {v18.16b}, v26.16b\n\ttbl\tv19.16b, {v19.16b}, v26.16b\n\n\tadd\tv10.4s, v10.4s, v15.4s\n\tadd\tv11.4s, v11.4s, v16.4s\n\tadd\tv12.4s, v12.4s, v17.4s\n\tadd\tv13.4s, v13.4s, v18.4s\n\tadd\tv14.4s, v14.4s, v19.4s\n\n\teor\tv20.16b, v20.16b, v10.16b\n\teor\tv5.16b, v5.16b, v11.16b\n\teor\tv6.16b, v6.16b, v12.16b\n\teor\tv7.16b, v7.16b, v13.16b\n\teor\tv8.16b, v8.16b, v14.16b\n\n\tushr\tv9.4s, v8.4s, #25\n\tsli\tv9.4s, v8.4s, #7\n\tushr\tv8.4s, v7.4s, #25\n\tsli\tv8.4s, v7.4s, #7\n\tushr\tv7.4s, v6.4s, #25\n\tsli\tv7.4s, v6.4s, #7\n\tushr\tv6.4s, v5.4s, #25\n\tsli\tv6.4s, v5.4s, #7\n\tushr\tv5.4s, v20.4s, #25\n\tsli\tv5.4s, v20.4s, #7\n\n\text\tv9.16b, v9.16b, v9.16b, #4\n\text\tv14.16b, v14.16b, v14.16b, #8\n\text\tv19.16b, v19.16b, v19.16b, #12\n\tldp\tx11, x12, [x3], 16\n\tadds\tx8, x8, x11\n\tadcs\tx9, x9, x12\n\tadc\tx10, x10, x15\n\tmul\tx11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0\n\tumulh\tx12, x8, x16\n\tmul\tx13, x9, x16\n\tumulh\tx14, x9, x16\n\tadds\tx12, x12, x13\n\tmul\tx13, x10, x16\n\tadc\tx13, x13, x14\n\tmul\tx14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0]\n\tumulh\tx8, x8, x17\n\tadds\tx12, x12, x14\n\tmul\tx14, x9, x17\n\tumulh\tx9, x9, x17\n\tadcs\tx14, x14, x8\n\tmul\tx10, x10, x17\n\tadc\tx10, x10, x9\n\tadds\tx13, x13, x14\n\tadc\tx14, x10, xzr\n\tand\tx10, x13, #3 // At this point acc2 is 2 bits at most (value of 3)\n\tand\tx8, x13, #-4\n\textr\tx13, x14, x13, #2\n\tadds\tx8, x8, x11\n\tlsr\tx11, x14, #2\n\tadc\tx9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits\n\tadds\tx8, x8, x13\n\tadcs\tx9, x9, x12\n\tadc\tx10, x10, xzr // At this point acc2 has the value of 4 at most\n\tadd\tv0.4s, v0.4s, v6.4s\n\tadd\tv1.4s, v1.4s, v7.4s\n\tadd\tv2.4s, v2.4s, v8.4s\n\tadd\tv3.4s, v3.4s, v5.4s\n\tadd\tv4.4s, v4.4s, v9.4s\n\n\teor\tv18.16b, v18.16b, v0.16b\n\teor\tv15.16b, v15.16b, v1.16b\n\teor\tv16.16b, v16.16b, v2.16b\n\teor\tv17.16b, v17.16b, v3.16b\n\teor\tv19.16b, v19.16b, v4.16b\n\n\trev32\tv18.8h, v18.8h\n\trev32\tv15.8h, v15.8h\n\trev32\tv16.8h, v16.8h\n\trev32\tv17.8h, v17.8h\n\trev32\tv19.8h, v19.8h\n\n\tadd\tv12.4s, v12.4s, v18.4s\n\tadd\tv13.4s, v13.4s, v15.4s\n\tadd\tv10.4s, v10.4s, v16.4s\n\tadd\tv11.4s, v11.4s, v17.4s\n\tadd\tv14.4s, v14.4s, v19.4s\n\n\teor\tv6.16b, v6.16b, v12.16b\n\teor\tv7.16b, v7.16b, v13.16b\n\teor\tv8.16b, v8.16b, v10.16b\n\teor\tv5.16b, v5.16b, v11.16b\n\teor\tv9.16b, v9.16b, v14.16b\n\n\tushr\tv20.4s, v6.4s, #20\n\tsli\tv20.4s, v6.4s, #12\n\tushr\tv6.4s, v7.4s, #20\n\tsli\tv6.4s, v7.4s, #12\n\tushr\tv7.4s, v8.4s, #20\n\tsli\tv7.4s, v8.4s, #12\n\tushr\tv8.4s, v5.4s, #20\n\tsli\tv8.4s, v5.4s, #12\n\tushr\tv5.4s, v9.4s, #20\n\tsli\tv5.4s, v9.4s, #12\n\n\tadd\tv0.4s, v0.4s, v20.4s\n\tadd\tv1.4s, v1.4s, v6.4s\n\tadd\tv2.4s, v2.4s, v7.4s\n\tadd\tv3.4s, v3.4s, v8.4s\n\tadd\tv4.4s, v4.4s, v5.4s\n\n\teor\tv18.16b, v18.16b, v0.16b\n\teor\tv15.16b, v15.16b, v1.16b\n\teor\tv16.16b, v16.16b, v2.16b\n\teor\tv17.16b, v17.16b, v3.16b\n\teor\tv19.16b, v19.16b, v4.16b\n\n\ttbl\tv18.16b, {v18.16b}, v26.16b\n\ttbl\tv15.16b, {v15.16b}, v26.16b\n\ttbl\tv16.16b, {v16.16b}, v26.16b\n\ttbl\tv17.16b, {v17.16b}, v26.16b\n\ttbl\tv19.16b, {v19.16b}, v26.16b\n\n\tadd\tv12.4s, v12.4s, v18.4s\n\tadd\tv13.4s, v13.4s, v15.4s\n\tadd\tv10.4s, v10.4s, v16.4s\n\tadd\tv11.4s, v11.4s, v17.4s\n\tadd\tv14.4s, v14.4s, v19.4s\n\n\teor\tv20.16b, v20.16b, v12.16b\n\teor\tv6.16b, v6.16b, v13.16b\n\teor\tv7.16b, v7.16b, v10.16b\n\teor\tv8.16b, v8.16b, v11.16b\n\teor\tv5.16b, v5.16b, v14.16b\n\n\tushr\tv9.4s, v5.4s, #25\n\tsli\tv9.4s, v5.4s, #7\n\tushr\tv5.4s, v8.4s, #25\n\tsli\tv5.4s, v8.4s, #7\n\tushr\tv8.4s, v7.4s, #25\n\tsli\tv8.4s, v7.4s, #7\n\tushr\tv7.4s, v6.4s, #25\n\tsli\tv7.4s, v6.4s, #7\n\tushr\tv6.4s, v20.4s, #25\n\tsli\tv6.4s, v20.4s, #7\n\n\text\tv9.16b, v9.16b, v9.16b, #12\n\text\tv14.16b, v14.16b, v14.16b, #8\n\text\tv19.16b, v19.16b, v19.16b, #4\n\tsubs\tx6, x6, #1\n\tb.ge\t.Lseal_main_loop_rounds\n\tldp\tx11, x12, [x3], 16\n\tadds\tx8, x8, x11\n\tadcs\tx9, x9, x12\n\tadc\tx10, x10, x15\n\tmul\tx11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0\n\tumulh\tx12, x8, x16\n\tmul\tx13, x9, x16\n\tumulh\tx14, x9, x16\n\tadds\tx12, x12, x13\n\tmul\tx13, x10, x16\n\tadc\tx13, x13, x14\n\tmul\tx14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0]\n\tumulh\tx8, x8, x17\n\tadds\tx12, x12, x14\n\tmul\tx14, x9, x17\n\tumulh\tx9, x9, x17\n\tadcs\tx14, x14, x8\n\tmul\tx10, x10, x17\n\tadc\tx10, x10, x9\n\tadds\tx13, x13, x14\n\tadc\tx14, x10, xzr\n\tand\tx10, x13, #3 // At this point acc2 is 2 bits at most (value of 3)\n\tand\tx8, x13, #-4\n\textr\tx13, x14, x13, #2\n\tadds\tx8, x8, x11\n\tlsr\tx11, x14, #2\n\tadc\tx9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits\n\tadds\tx8, x8, x13\n\tadcs\tx9, x9, x12\n\tadc\tx10, x10, xzr // At this point acc2 has the value of 4 at most\n\tsubs\tx7, x7, #1\n\tb.gt\t.Lseal_main_loop_rounds\n\n\teor\tv20.16b, v20.16b, v20.16b //zero\n\tnot\tv21.16b, v20.16b // -1\n\tsub\tv21.4s, v25.4s, v21.4s // Add +1\n\text\tv20.16b, v21.16b, v20.16b, #12 // Get the last element (counter)\n\tadd\tv19.4s, v19.4s, v20.4s\n\n\tadd\tv15.4s, v15.4s, v25.4s\n\tmov\tx11, #5\n\tdup\tv20.4s, w11\n\tadd\tv25.4s, v25.4s, v20.4s\n\n\tzip1\tv20.4s, v0.4s, v1.4s\n\tzip2\tv21.4s, v0.4s, v1.4s\n\tzip1\tv22.4s, v2.4s, v3.4s\n\tzip2\tv23.4s, v2.4s, v3.4s\n\n\tzip1\tv0.2d, v20.2d, v22.2d\n\tzip2\tv1.2d, v20.2d, v22.2d\n\tzip1\tv2.2d, v21.2d, v23.2d\n\tzip2\tv3.2d, v21.2d, v23.2d\n\n\tzip1\tv20.4s, v5.4s, v6.4s\n\tzip2\tv21.4s, v5.4s, v6.4s\n\tzip1\tv22.4s, v7.4s, v8.4s\n\tzip2\tv23.4s, v7.4s, v8.4s\n\n\tzip1\tv5.2d, v20.2d, v22.2d\n\tzip2\tv6.2d, v20.2d, v22.2d\n\tzip1\tv7.2d, v21.2d, v23.2d\n\tzip2\tv8.2d, v21.2d, v23.2d\n\n\tzip1\tv20.4s, v10.4s, v11.4s\n\tzip2\tv21.4s, v10.4s, v11.4s\n\tzip1\tv22.4s, v12.4s, v13.4s\n\tzip2\tv23.4s, v12.4s, v13.4s\n\n\tzip1\tv10.2d, v20.2d, v22.2d\n\tzip2\tv11.2d, v20.2d, v22.2d\n\tzip1\tv12.2d, v21.2d, v23.2d\n\tzip2\tv13.2d, v21.2d, v23.2d\n\n\tzip1\tv20.4s, v15.4s, v16.4s\n\tzip2\tv21.4s, v15.4s, v16.4s\n\tzip1\tv22.4s, v17.4s, v18.4s\n\tzip2\tv23.4s, v17.4s, v18.4s\n\n\tzip1\tv15.2d, v20.2d, v22.2d\n\tzip2\tv16.2d, v20.2d, v22.2d\n\tzip1\tv17.2d, v21.2d, v23.2d\n\tzip2\tv18.2d, v21.2d, v23.2d\n\n\tadd\tv0.4s, v0.4s, v24.4s\n\tadd\tv5.4s, v5.4s, v28.4s\n\tadd\tv10.4s, v10.4s, v29.4s\n\tadd\tv15.4s, v15.4s, v30.4s\n\n\tadd\tv1.4s, v1.4s, v24.4s\n\tadd\tv6.4s, v6.4s, v28.4s\n\tadd\tv11.4s, v11.4s, v29.4s\n\tadd\tv16.4s, v16.4s, v30.4s\n\n\tadd\tv2.4s, v2.4s, v24.4s\n\tadd\tv7.4s, v7.4s, v28.4s\n\tadd\tv12.4s, v12.4s, v29.4s\n\tadd\tv17.4s, v17.4s, v30.4s\n\n\tadd\tv3.4s, v3.4s, v24.4s\n\tadd\tv8.4s, v8.4s, v28.4s\n\tadd\tv13.4s, v13.4s, v29.4s\n\tadd\tv18.4s, v18.4s, v30.4s\n\n\tadd\tv4.4s, v4.4s, v24.4s\n\tadd\tv9.4s, v9.4s, v28.4s\n\tadd\tv14.4s, v14.4s, v29.4s\n\tadd\tv19.4s, v19.4s, v30.4s\n\n\tcmp\tx2, #320\n\tb.le\t.Lseal_tail\n\n\tld1\t{v20.16b - v23.16b}, [x1], #64\n\teor\tv20.16b, v20.16b, v0.16b\n\teor\tv21.16b, v21.16b, v5.16b\n\teor\tv22.16b, v22.16b, v10.16b\n\teor\tv23.16b, v23.16b, v15.16b\n\tst1\t{v20.16b - v23.16b}, [x0], #64\n\n\tld1\t{v20.16b - v23.16b}, [x1], #64\n\teor\tv20.16b, v20.16b, v1.16b\n\teor\tv21.16b, v21.16b, v6.16b\n\teor\tv22.16b, v22.16b, v11.16b\n\teor\tv23.16b, v23.16b, v16.16b\n\tst1\t{v20.16b - v23.16b}, [x0], #64\n\n\tld1\t{v20.16b - v23.16b}, [x1], #64\n\teor\tv20.16b, v20.16b, v2.16b\n\teor\tv21.16b, v21.16b, v7.16b\n\teor\tv22.16b, v22.16b, v12.16b\n\teor\tv23.16b, v23.16b, v17.16b\n\tst1\t{v20.16b - v23.16b}, [x0], #64\n\n\tld1\t{v20.16b - v23.16b}, [x1], #64\n\teor\tv20.16b, v20.16b, v3.16b\n\teor\tv21.16b, v21.16b, v8.16b\n\teor\tv22.16b, v22.16b, v13.16b\n\teor\tv23.16b, v23.16b, v18.16b\n\tst1\t{v20.16b - v23.16b}, [x0], #64\n\n\tld1\t{v20.16b - v23.16b}, [x1], #64\n\teor\tv20.16b, v20.16b, v4.16b\n\teor\tv21.16b, v21.16b, v9.16b\n\teor\tv22.16b, v22.16b, v14.16b\n\teor\tv23.16b, v23.16b, v19.16b\n\tst1\t{v20.16b - v23.16b}, [x0], #64\n\n\tsub\tx2, x2, #320\n\n\tmov\tx6, #0\n\tmov\tx7, #10 // For the remainder of the loop we always hash and encrypt 320 bytes per iteration\n\n\tb\t.Lseal_main_loop\n\n.Lseal_tail:\n // This part of the function handles the storage and authentication of the last [0,320) bytes\n // We assume A0-A4 ... D0-D4 hold at least inl (320 max) bytes of the stream data.\n\tcmp\tx2, #64\n\tb.lt\t.Lseal_tail_64\n\n // Store and authenticate 64B blocks per iteration\n\tld1\t{v20.16b - v23.16b}, [x1], #64\n\n\teor\tv20.16b, v20.16b, v0.16b\n\teor\tv21.16b, v21.16b, v5.16b\n\teor\tv22.16b, v22.16b, v10.16b\n\teor\tv23.16b, v23.16b, v15.16b\n\tmov\tx11, v20.d[0]\n\tmov\tx12, v20.d[1]\n\tadds\tx8, x8, x11\n\tadcs\tx9, x9, x12\n\tadc\tx10, x10, x15\n\tmul\tx11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0\n\tumulh\tx12, x8, x16\n\tmul\tx13, x9, x16\n\tumulh\tx14, x9, x16\n\tadds\tx12, x12, x13\n\tmul\tx13, x10, x16\n\tadc\tx13, x13, x14\n\tmul\tx14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0]\n\tumulh\tx8, x8, x17\n\tadds\tx12, x12, x14\n\tmul\tx14, x9, x17\n\tumulh\tx9, x9, x17\n\tadcs\tx14, x14, x8\n\tmul\tx10, x10, x17\n\tadc\tx10, x10, x9\n\tadds\tx13, x13, x14\n\tadc\tx14, x10, xzr\n\tand\tx10, x13, #3 // At this point acc2 is 2 bits at most (value of 3)\n\tand\tx8, x13, #-4\n\textr\tx13, x14, x13, #2\n\tadds\tx8, x8, x11\n\tlsr\tx11, x14, #2\n\tadc\tx9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits\n\tadds\tx8, x8, x13\n\tadcs\tx9, x9, x12\n\tadc\tx10, x10, xzr // At this point acc2 has the value of 4 at most\n\tmov\tx11, v21.d[0]\n\tmov\tx12, v21.d[1]\n\tadds\tx8, x8, x11\n\tadcs\tx9, x9, x12\n\tadc\tx10, x10, x15\n\tmul\tx11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0\n\tumulh\tx12, x8, x16\n\tmul\tx13, x9, x16\n\tumulh\tx14, x9, x16\n\tadds\tx12, x12, x13\n\tmul\tx13, x10, x16\n\tadc\tx13, x13, x14\n\tmul\tx14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0]\n\tumulh\tx8, x8, x17\n\tadds\tx12, x12, x14\n\tmul\tx14, x9, x17\n\tumulh\tx9, x9, x17\n\tadcs\tx14, x14, x8\n\tmul\tx10, x10, x17\n\tadc\tx10, x10, x9\n\tadds\tx13, x13, x14\n\tadc\tx14, x10, xzr\n\tand\tx10, x13, #3 // At this point acc2 is 2 bits at most (value of 3)\n\tand\tx8, x13, #-4\n\textr\tx13, x14, x13, #2\n\tadds\tx8, x8, x11\n\tlsr\tx11, x14, #2\n\tadc\tx9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits\n\tadds\tx8, x8, x13\n\tadcs\tx9, x9, x12\n\tadc\tx10, x10, xzr // At this point acc2 has the value of 4 at most\n\tmov\tx11, v22.d[0]\n\tmov\tx12, v22.d[1]\n\tadds\tx8, x8, x11\n\tadcs\tx9, x9, x12\n\tadc\tx10, x10, x15\n\tmul\tx11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0\n\tumulh\tx12, x8, x16\n\tmul\tx13, x9, x16\n\tumulh\tx14, x9, x16\n\tadds\tx12, x12, x13\n\tmul\tx13, x10, x16\n\tadc\tx13, x13, x14\n\tmul\tx14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0]\n\tumulh\tx8, x8, x17\n\tadds\tx12, x12, x14\n\tmul\tx14, x9, x17\n\tumulh\tx9, x9, x17\n\tadcs\tx14, x14, x8\n\tmul\tx10, x10, x17\n\tadc\tx10, x10, x9\n\tadds\tx13, x13, x14\n\tadc\tx14, x10, xzr\n\tand\tx10, x13, #3 // At this point acc2 is 2 bits at most (value of 3)\n\tand\tx8, x13, #-4\n\textr\tx13, x14, x13, #2\n\tadds\tx8, x8, x11\n\tlsr\tx11, x14, #2\n\tadc\tx9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits\n\tadds\tx8, x8, x13\n\tadcs\tx9, x9, x12\n\tadc\tx10, x10, xzr // At this point acc2 has the value of 4 at most\n\tmov\tx11, v23.d[0]\n\tmov\tx12, v23.d[1]\n\tadds\tx8, x8, x11\n\tadcs\tx9, x9, x12\n\tadc\tx10, x10, x15\n\tmul\tx11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0\n\tumulh\tx12, x8, x16\n\tmul\tx13, x9, x16\n\tumulh\tx14, x9, x16\n\tadds\tx12, x12, x13\n\tmul\tx13, x10, x16\n\tadc\tx13, x13, x14\n\tmul\tx14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0]\n\tumulh\tx8, x8, x17\n\tadds\tx12, x12, x14\n\tmul\tx14, x9, x17\n\tumulh\tx9, x9, x17\n\tadcs\tx14, x14, x8\n\tmul\tx10, x10, x17\n\tadc\tx10, x10, x9\n\tadds\tx13, x13, x14\n\tadc\tx14, x10, xzr\n\tand\tx10, x13, #3 // At this point acc2 is 2 bits at most (value of 3)\n\tand\tx8, x13, #-4\n\textr\tx13, x14, x13, #2\n\tadds\tx8, x8, x11\n\tlsr\tx11, x14, #2\n\tadc\tx9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits\n\tadds\tx8, x8, x13\n\tadcs\tx9, x9, x12\n\tadc\tx10, x10, xzr // At this point acc2 has the value of 4 at most\n\tst1\t{v20.16b - v23.16b}, [x0], #64\n\tsub\tx2, x2, #64\n\n // Shift the state left by 64 bytes for the next iteration of the loop\n\tmov\tv0.16b, v1.16b\n\tmov\tv5.16b, v6.16b\n\tmov\tv10.16b, v11.16b\n\tmov\tv15.16b, v16.16b\n\n\tmov\tv1.16b, v2.16b\n\tmov\tv6.16b, v7.16b\n\tmov\tv11.16b, v12.16b\n\tmov\tv16.16b, v17.16b\n\n\tmov\tv2.16b, v3.16b\n\tmov\tv7.16b, v8.16b\n\tmov\tv12.16b, v13.16b\n\tmov\tv17.16b, v18.16b\n\n\tmov\tv3.16b, v4.16b\n\tmov\tv8.16b, v9.16b\n\tmov\tv13.16b, v14.16b\n\tmov\tv18.16b, v19.16b\n\n\tb\t.Lseal_tail\n\n.Lseal_tail_64:\n\tldp\tx3, x4, [x5, #48] // extra_in_len and extra_in_ptr\n\n // Here we handle the last [0,64) bytes of plaintext\n\tcmp\tx2, #16\n\tb.lt\t.Lseal_tail_16\n // Each iteration encrypt and authenticate a 16B block\n\tld1\t{v20.16b}, [x1], #16\n\teor\tv20.16b, v20.16b, v0.16b\n\tmov\tx11, v20.d[0]\n\tmov\tx12, v20.d[1]\n\tadds\tx8, x8, x11\n\tadcs\tx9, x9, x12\n\tadc\tx10, x10, x15\n\tmul\tx11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0\n\tumulh\tx12, x8, x16\n\tmul\tx13, x9, x16\n\tumulh\tx14, x9, x16\n\tadds\tx12, x12, x13\n\tmul\tx13, x10, x16\n\tadc\tx13, x13, x14\n\tmul\tx14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0]\n\tumulh\tx8, x8, x17\n\tadds\tx12, x12, x14\n\tmul\tx14, x9, x17\n\tumulh\tx9, x9, x17\n\tadcs\tx14, x14, x8\n\tmul\tx10, x10, x17\n\tadc\tx10, x10, x9\n\tadds\tx13, x13, x14\n\tadc\tx14, x10, xzr\n\tand\tx10, x13, #3 // At this point acc2 is 2 bits at most (value of 3)\n\tand\tx8, x13, #-4\n\textr\tx13, x14, x13, #2\n\tadds\tx8, x8, x11\n\tlsr\tx11, x14, #2\n\tadc\tx9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits\n\tadds\tx8, x8, x13\n\tadcs\tx9, x9, x12\n\tadc\tx10, x10, xzr // At this point acc2 has the value of 4 at most\n\tst1\t{v20.16b}, [x0], #16\n\n\tsub\tx2, x2, #16\n\n // Shift the state left by 16 bytes for the next iteration of the loop\n\tmov\tv0.16b, v5.16b\n\tmov\tv5.16b, v10.16b\n\tmov\tv10.16b, v15.16b\n\n\tb\t.Lseal_tail_64\n\n.Lseal_tail_16:\n // Here we handle the last [0,16) bytes of ciphertext that require a padded block\n\tcbz\tx2, .Lseal_hash_extra\n\n\teor\tv20.16b, v20.16b, v20.16b // Use T0 to load the plaintext/extra in\n\teor\tv21.16b, v21.16b, v21.16b // Use T1 to generate an AND mask that will only mask the ciphertext bytes\n\tnot\tv22.16b, v20.16b\n\n\tmov\tx6, x2\n\tadd\tx1, x1, x2\n\n\tcbz\tx4, .Lseal_tail_16_compose // No extra data to pad with, zero padding\n\n\tmov\tx7, #16 // We need to load some extra_in first for padding\n\tsub\tx7, x7, x2\n\tcmp\tx4, x7\n\tcsel\tx7, x4, x7, lt // .Load the minimum of extra_in_len and the amount needed to fill the register\n\tmov\tx12, x7\n\tadd\tx3, x3, x7\n\tsub\tx4, x4, x7\n\n.Lseal_tail16_compose_extra_in:\n\text\tv20.16b, v20.16b, v20.16b, #15\n\tldrb\tw11, [x3, #-1]!\n\tmov\tv20.b[0], w11\n\tsubs\tx7, x7, #1\n\tb.gt\t.Lseal_tail16_compose_extra_in\n\n\tadd\tx3, x3, x12\n\n.Lseal_tail_16_compose:\n\text\tv20.16b, v20.16b, v20.16b, #15\n\tldrb\tw11, [x1, #-1]!\n\tmov\tv20.b[0], w11\n\text\tv21.16b, v22.16b, v21.16b, #15\n\tsubs\tx2, x2, #1\n\tb.gt\t.Lseal_tail_16_compose\n\n\tand\tv0.16b, v0.16b, v21.16b\n\teor\tv20.16b, v20.16b, v0.16b\n\tmov\tv21.16b, v20.16b\n\n.Lseal_tail_16_store:\n\tumov\tw11, v20.b[0]\n\tstrb\tw11, [x0], #1\n\text\tv20.16b, v20.16b, v20.16b, #1\n\tsubs\tx6, x6, #1\n\tb.gt\t.Lseal_tail_16_store\n\n // Hash in the final ct block concatenated with extra_in\n\tmov\tx11, v21.d[0]\n\tmov\tx12, v21.d[1]\n\tadds\tx8, x8, x11\n\tadcs\tx9, x9, x12\n\tadc\tx10, x10, x15\n\tmul\tx11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0\n\tumulh\tx12, x8, x16\n\tmul\tx13, x9, x16\n\tumulh\tx14, x9, x16\n\tadds\tx12, x12, x13\n\tmul\tx13, x10, x16\n\tadc\tx13, x13, x14\n\tmul\tx14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0]\n\tumulh\tx8, x8, x17\n\tadds\tx12, x12, x14\n\tmul\tx14, x9, x17\n\tumulh\tx9, x9, x17\n\tadcs\tx14, x14, x8\n\tmul\tx10, x10, x17\n\tadc\tx10, x10, x9\n\tadds\tx13, x13, x14\n\tadc\tx14, x10, xzr\n\tand\tx10, x13, #3 // At this point acc2 is 2 bits at most (value of 3)\n\tand\tx8, x13, #-4\n\textr\tx13, x14, x13, #2\n\tadds\tx8, x8, x11\n\tlsr\tx11, x14, #2\n\tadc\tx9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits\n\tadds\tx8, x8, x13\n\tadcs\tx9, x9, x12\n\tadc\tx10, x10, xzr // At this point acc2 has the value of 4 at most\n\n.Lseal_hash_extra:\n\tcbz\tx4, .Lseal_finalize\n\n.Lseal_hash_extra_loop:\n\tcmp\tx4, #16\n\tb.lt\t.Lseal_hash_extra_tail\n\tld1\t{v20.16b}, [x3], #16\n\tmov\tx11, v20.d[0]\n\tmov\tx12, v20.d[1]\n\tadds\tx8, x8, x11\n\tadcs\tx9, x9, x12\n\tadc\tx10, x10, x15\n\tmul\tx11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0\n\tumulh\tx12, x8, x16\n\tmul\tx13, x9, x16\n\tumulh\tx14, x9, x16\n\tadds\tx12, x12, x13\n\tmul\tx13, x10, x16\n\tadc\tx13, x13, x14\n\tmul\tx14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0]\n\tumulh\tx8, x8, x17\n\tadds\tx12, x12, x14\n\tmul\tx14, x9, x17\n\tumulh\tx9, x9, x17\n\tadcs\tx14, x14, x8\n\tmul\tx10, x10, x17\n\tadc\tx10, x10, x9\n\tadds\tx13, x13, x14\n\tadc\tx14, x10, xzr\n\tand\tx10, x13, #3 // At this point acc2 is 2 bits at most (value of 3)\n\tand\tx8, x13, #-4\n\textr\tx13, x14, x13, #2\n\tadds\tx8, x8, x11\n\tlsr\tx11, x14, #2\n\tadc\tx9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits\n\tadds\tx8, x8, x13\n\tadcs\tx9, x9, x12\n\tadc\tx10, x10, xzr // At this point acc2 has the value of 4 at most\n\tsub\tx4, x4, #16\n\tb\t.Lseal_hash_extra_loop\n\n.Lseal_hash_extra_tail:\n\tcbz\tx4, .Lseal_finalize\n\teor\tv20.16b, v20.16b, v20.16b // Use T0 to load the remaining extra ciphertext\n\tadd\tx3, x3, x4\n\n.Lseal_hash_extra_load:\n\text\tv20.16b, v20.16b, v20.16b, #15\n\tldrb\tw11, [x3, #-1]!\n\tmov\tv20.b[0], w11\n\tsubs\tx4, x4, #1\n\tb.gt\t.Lseal_hash_extra_load\n\n // Hash in the final padded extra_in blcok\n\tmov\tx11, v20.d[0]\n\tmov\tx12, v20.d[1]\n\tadds\tx8, x8, x11\n\tadcs\tx9, x9, x12\n\tadc\tx10, x10, x15\n\tmul\tx11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0\n\tumulh\tx12, x8, x16\n\tmul\tx13, x9, x16\n\tumulh\tx14, x9, x16\n\tadds\tx12, x12, x13\n\tmul\tx13, x10, x16\n\tadc\tx13, x13, x14\n\tmul\tx14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0]\n\tumulh\tx8, x8, x17\n\tadds\tx12, x12, x14\n\tmul\tx14, x9, x17\n\tumulh\tx9, x9, x17\n\tadcs\tx14, x14, x8\n\tmul\tx10, x10, x17\n\tadc\tx10, x10, x9\n\tadds\tx13, x13, x14\n\tadc\tx14, x10, xzr\n\tand\tx10, x13, #3 // At this point acc2 is 2 bits at most (value of 3)\n\tand\tx8, x13, #-4\n\textr\tx13, x14, x13, #2\n\tadds\tx8, x8, x11\n\tlsr\tx11, x14, #2\n\tadc\tx9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits\n\tadds\tx8, x8, x13\n\tadcs\tx9, x9, x12\n\tadc\tx10, x10, xzr // At this point acc2 has the value of 4 at most\n\n.Lseal_finalize:\n\tmov\tx11, v31.d[0]\n\tmov\tx12, v31.d[1]\n\tadds\tx8, x8, x11\n\tadcs\tx9, x9, x12\n\tadc\tx10, x10, x15\n\tmul\tx11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0\n\tumulh\tx12, x8, x16\n\tmul\tx13, x9, x16\n\tumulh\tx14, x9, x16\n\tadds\tx12, x12, x13\n\tmul\tx13, x10, x16\n\tadc\tx13, x13, x14\n\tmul\tx14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0]\n\tumulh\tx8, x8, x17\n\tadds\tx12, x12, x14\n\tmul\tx14, x9, x17\n\tumulh\tx9, x9, x17\n\tadcs\tx14, x14, x8\n\tmul\tx10, x10, x17\n\tadc\tx10, x10, x9\n\tadds\tx13, x13, x14\n\tadc\tx14, x10, xzr\n\tand\tx10, x13, #3 // At this point acc2 is 2 bits at most (value of 3)\n\tand\tx8, x13, #-4\n\textr\tx13, x14, x13, #2\n\tadds\tx8, x8, x11\n\tlsr\tx11, x14, #2\n\tadc\tx9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits\n\tadds\tx8, x8, x13\n\tadcs\tx9, x9, x12\n\tadc\tx10, x10, xzr // At this point acc2 has the value of 4 at most\n // Final reduction step\n\tsub\tx12, xzr, x15\n\torr\tx13, xzr, #3\n\tsubs\tx11, x8, #-5\n\tsbcs\tx12, x9, x12\n\tsbcs\tx13, x10, x13\n\tcsel\tx8, x11, x8, cs\n\tcsel\tx9, x12, x9, cs\n\tcsel\tx10, x13, x10, cs\n\tmov\tx11, v27.d[0]\n\tmov\tx12, v27.d[1]\n\tadds\tx8, x8, x11\n\tadcs\tx9, x9, x12\n\tadc\tx10, x10, x15\n\n\tstp\tx8, x9, [x5]\n\n\tldp\td8, d9, [sp, #16]\n\tldp\td10, d11, [sp, #32]\n\tldp\td12, d13, [sp, #48]\n\tldp\td14, d15, [sp, #64]\n.cfi_restore\tb15\n.cfi_restore\tb14\n.cfi_restore\tb13\n.cfi_restore\tb12\n.cfi_restore\tb11\n.cfi_restore\tb10\n.cfi_restore\tb9\n.cfi_restore\tb8\n\tldp\tx29, x30, [sp], 80\n.cfi_restore\tw29\n.cfi_restore\tw30\n.cfi_def_cfa_offset\t0\n\tAARCH64_VALIDATE_LINK_REGISTER\n\tret\n\n.Lseal_128:\n // On some architectures preparing 5 blocks for small buffers is wasteful\n\teor\tv25.16b, v25.16b, v25.16b\n\tmov\tx11, #1\n\tmov\tv25.s[0], w11\n\tmov\tv0.16b, v24.16b\n\tmov\tv1.16b, v24.16b\n\tmov\tv2.16b, v24.16b\n\tmov\tv5.16b, v28.16b\n\tmov\tv6.16b, v28.16b\n\tmov\tv7.16b, v28.16b\n\tmov\tv10.16b, v29.16b\n\tmov\tv11.16b, v29.16b\n\tmov\tv12.16b, v29.16b\n\tmov\tv17.16b, v30.16b\n\tadd\tv15.4s, v17.4s, v25.4s\n\tadd\tv16.4s, v15.4s, v25.4s\n\n\tmov\tx6, #10\n\n.Lseal_128_rounds:\n\tadd\tv0.4s, v0.4s, v5.4s\n\tadd\tv1.4s, v1.4s, v6.4s\n\tadd\tv2.4s, v2.4s, v7.4s\n\teor\tv15.16b, v15.16b, v0.16b\n\teor\tv16.16b, v16.16b, v1.16b\n\teor\tv17.16b, v17.16b, v2.16b\n\trev32\tv15.8h, v15.8h\n\trev32\tv16.8h, v16.8h\n\trev32\tv17.8h, v17.8h\n\n\tadd\tv10.4s, v10.4s, v15.4s\n\tadd\tv11.4s, v11.4s, v16.4s\n\tadd\tv12.4s, v12.4s, v17.4s\n\teor\tv5.16b, v5.16b, v10.16b\n\teor\tv6.16b, v6.16b, v11.16b\n\teor\tv7.16b, v7.16b, v12.16b\n\tushr\tv20.4s, v5.4s, #20\n\tsli\tv20.4s, v5.4s, #12\n\tushr\tv5.4s, v6.4s, #20\n\tsli\tv5.4s, v6.4s, #12\n\tushr\tv6.4s, v7.4s, #20\n\tsli\tv6.4s, v7.4s, #12\n\n\tadd\tv0.4s, v0.4s, v20.4s\n\tadd\tv1.4s, v1.4s, v5.4s\n\tadd\tv2.4s, v2.4s, v6.4s\n\teor\tv15.16b, v15.16b, v0.16b\n\teor\tv16.16b, v16.16b, v1.16b\n\teor\tv17.16b, v17.16b, v2.16b\n\ttbl\tv15.16b, {v15.16b}, v26.16b\n\ttbl\tv16.16b, {v16.16b}, v26.16b\n\ttbl\tv17.16b, {v17.16b}, v26.16b\n\n\tadd\tv10.4s, v10.4s, v15.4s\n\tadd\tv11.4s, v11.4s, v16.4s\n\tadd\tv12.4s, v12.4s, v17.4s\n\teor\tv20.16b, v20.16b, v10.16b\n\teor\tv5.16b, v5.16b, v11.16b\n\teor\tv6.16b, v6.16b, v12.16b\n\tushr\tv7.4s, v6.4s, #25\n\tsli\tv7.4s, v6.4s, #7\n\tushr\tv6.4s, v5.4s, #25\n\tsli\tv6.4s, v5.4s, #7\n\tushr\tv5.4s, v20.4s, #25\n\tsli\tv5.4s, v20.4s, #7\n\n\text\tv5.16b, v5.16b, v5.16b, #4\n\text\tv6.16b, v6.16b, v6.16b, #4\n\text\tv7.16b, v7.16b, v7.16b, #4\n\n\text\tv10.16b, v10.16b, v10.16b, #8\n\text\tv11.16b, v11.16b, v11.16b, #8\n\text\tv12.16b, v12.16b, v12.16b, #8\n\n\text\tv15.16b, v15.16b, v15.16b, #12\n\text\tv16.16b, v16.16b, v16.16b, #12\n\text\tv17.16b, v17.16b, v17.16b, #12\n\tadd\tv0.4s, v0.4s, v5.4s\n\tadd\tv1.4s, v1.4s, v6.4s\n\tadd\tv2.4s, v2.4s, v7.4s\n\teor\tv15.16b, v15.16b, v0.16b\n\teor\tv16.16b, v16.16b, v1.16b\n\teor\tv17.16b, v17.16b, v2.16b\n\trev32\tv15.8h, v15.8h\n\trev32\tv16.8h, v16.8h\n\trev32\tv17.8h, v17.8h\n\n\tadd\tv10.4s, v10.4s, v15.4s\n\tadd\tv11.4s, v11.4s, v16.4s\n\tadd\tv12.4s, v12.4s, v17.4s\n\teor\tv5.16b, v5.16b, v10.16b\n\teor\tv6.16b, v6.16b, v11.16b\n\teor\tv7.16b, v7.16b, v12.16b\n\tushr\tv20.4s, v5.4s, #20\n\tsli\tv20.4s, v5.4s, #12\n\tushr\tv5.4s, v6.4s, #20\n\tsli\tv5.4s, v6.4s, #12\n\tushr\tv6.4s, v7.4s, #20\n\tsli\tv6.4s, v7.4s, #12\n\n\tadd\tv0.4s, v0.4s, v20.4s\n\tadd\tv1.4s, v1.4s, v5.4s\n\tadd\tv2.4s, v2.4s, v6.4s\n\teor\tv15.16b, v15.16b, v0.16b\n\teor\tv16.16b, v16.16b, v1.16b\n\teor\tv17.16b, v17.16b, v2.16b\n\ttbl\tv15.16b, {v15.16b}, v26.16b\n\ttbl\tv16.16b, {v16.16b}, v26.16b\n\ttbl\tv17.16b, {v17.16b}, v26.16b\n\n\tadd\tv10.4s, v10.4s, v15.4s\n\tadd\tv11.4s, v11.4s, v16.4s\n\tadd\tv12.4s, v12.4s, v17.4s\n\teor\tv20.16b, v20.16b, v10.16b\n\teor\tv5.16b, v5.16b, v11.16b\n\teor\tv6.16b, v6.16b, v12.16b\n\tushr\tv7.4s, v6.4s, #25\n\tsli\tv7.4s, v6.4s, #7\n\tushr\tv6.4s, v5.4s, #25\n\tsli\tv6.4s, v5.4s, #7\n\tushr\tv5.4s, v20.4s, #25\n\tsli\tv5.4s, v20.4s, #7\n\n\text\tv5.16b, v5.16b, v5.16b, #12\n\text\tv6.16b, v6.16b, v6.16b, #12\n\text\tv7.16b, v7.16b, v7.16b, #12\n\n\text\tv10.16b, v10.16b, v10.16b, #8\n\text\tv11.16b, v11.16b, v11.16b, #8\n\text\tv12.16b, v12.16b, v12.16b, #8\n\n\text\tv15.16b, v15.16b, v15.16b, #4\n\text\tv16.16b, v16.16b, v16.16b, #4\n\text\tv17.16b, v17.16b, v17.16b, #4\n\tsubs\tx6, x6, #1\n\tb.hi\t.Lseal_128_rounds\n\n\tadd\tv0.4s, v0.4s, v24.4s\n\tadd\tv1.4s, v1.4s, v24.4s\n\tadd\tv2.4s, v2.4s, v24.4s\n\n\tadd\tv5.4s, v5.4s, v28.4s\n\tadd\tv6.4s, v6.4s, v28.4s\n\tadd\tv7.4s, v7.4s, v28.4s\n\n // Only the first 32 bytes of the third block (counter = 0) are needed,\n // so skip updating v12 and v17.\n\tadd\tv10.4s, v10.4s, v29.4s\n\tadd\tv11.4s, v11.4s, v29.4s\n\n\tadd\tv30.4s, v30.4s, v25.4s\n\tadd\tv15.4s, v15.4s, v30.4s\n\tadd\tv30.4s, v30.4s, v25.4s\n\tadd\tv16.4s, v16.4s, v30.4s\n\n\tand\tv2.16b, v2.16b, v27.16b\n\tmov\tx16, v2.d[0] // Move the R key to GPRs\n\tmov\tx17, v2.d[1]\n\tmov\tv27.16b, v7.16b // Store the S key\n\n\tbl\t.Lpoly_hash_ad_internal\n\tb\t.Lseal_tail\n.cfi_endproc\n.size\tchacha20_poly1305_seal,.-chacha20_poly1305_seal\n\n/////////////////////////////////\n//\n// void chacha20_poly1305_open(uint8_t *pt, uint8_t *ct, size_t len_in, uint8_t *ad, size_t len_ad, union open_data *aead_data);\n//\n.globl\tchacha20_poly1305_open\n.hidden\tchacha20_poly1305_open\n.type\tchacha20_poly1305_open,%function\n.align\t6\nchacha20_poly1305_open:\n\tAARCH64_SIGN_LINK_REGISTER\n.cfi_startproc\n\tstp\tx29, x30, [sp, #-80]!\n.cfi_def_cfa_offset\t80\n.cfi_offset\tw30, -72\n.cfi_offset\tw29, -80\n\tmov\tx29, sp\n // We probably could do .cfi_def_cfa w29, 80 at this point, but since\n // we don't actually use the frame pointer like that, it's probably not\n // worth bothering.\n\tstp\td8, d9, [sp, #16]\n\tstp\td10, d11, [sp, #32]\n\tstp\td12, d13, [sp, #48]\n\tstp\td14, d15, [sp, #64]\n.cfi_offset\tb15, -8\n.cfi_offset\tb14, -16\n.cfi_offset\tb13, -24\n.cfi_offset\tb12, -32\n.cfi_offset\tb11, -40\n.cfi_offset\tb10, -48\n.cfi_offset\tb9, -56\n.cfi_offset\tb8, -64\n\n\tadrp\tx11, .Lchacha20_consts\n\tadd\tx11, x11, :lo12:.Lchacha20_consts\n\n\tld1\t{v24.16b - v27.16b}, [x11] // .Load the CONSTS, INC, ROL8 and CLAMP values\n\tld1\t{v28.16b - v30.16b}, [x5]\n\n\tmov\tx15, #1 // Prepare the Poly1305 state\n\tmov\tx8, #0\n\tmov\tx9, #0\n\tmov\tx10, #0\n\n\tmov\tv31.d[0], x4 // Store the input and aad lengths\n\tmov\tv31.d[1], x2\n\n\tcmp\tx2, #128\n\tb.le\t.Lopen_128 // Optimization for smaller buffers\n\n // Initially we prepare a single ChaCha20 block for the Poly1305 R and S keys\n\tmov\tv0.16b, v24.16b\n\tmov\tv5.16b, v28.16b\n\tmov\tv10.16b, v29.16b\n\tmov\tv15.16b, v30.16b\n\n\tmov\tx6, #10\n\n.align\t5\n.Lopen_init_rounds:\n\tadd\tv0.4s, v0.4s, v5.4s\n\teor\tv15.16b, v15.16b, v0.16b\n\trev32\tv15.8h, v15.8h\n\n\tadd\tv10.4s, v10.4s, v15.4s\n\teor\tv5.16b, v5.16b, v10.16b\n\tushr\tv20.4s, v5.4s, #20\n\tsli\tv20.4s, v5.4s, #12\n\tadd\tv0.4s, v0.4s, v20.4s\n\teor\tv15.16b, v15.16b, v0.16b\n\ttbl\tv15.16b, {v15.16b}, v26.16b\n\n\tadd\tv10.4s, v10.4s, v15.4s\n\teor\tv20.16b, v20.16b, v10.16b\n\tushr\tv5.4s, v20.4s, #25\n\tsli\tv5.4s, v20.4s, #7\n\text\tv5.16b, v5.16b, v5.16b, #4\n\text\tv10.16b, v10.16b, v10.16b, #8\n\text\tv15.16b, v15.16b, v15.16b, #12\n\tadd\tv0.4s, v0.4s, v5.4s\n\teor\tv15.16b, v15.16b, v0.16b\n\trev32\tv15.8h, v15.8h\n\n\tadd\tv10.4s, v10.4s, v15.4s\n\teor\tv5.16b, v5.16b, v10.16b\n\tushr\tv20.4s, v5.4s, #20\n\tsli\tv20.4s, v5.4s, #12\n\tadd\tv0.4s, v0.4s, v20.4s\n\teor\tv15.16b, v15.16b, v0.16b\n\ttbl\tv15.16b, {v15.16b}, v26.16b\n\n\tadd\tv10.4s, v10.4s, v15.4s\n\teor\tv20.16b, v20.16b, v10.16b\n\tushr\tv5.4s, v20.4s, #25\n\tsli\tv5.4s, v20.4s, #7\n\text\tv5.16b, v5.16b, v5.16b, #12\n\text\tv10.16b, v10.16b, v10.16b, #8\n\text\tv15.16b, v15.16b, v15.16b, #4\n\tsubs\tx6, x6, #1\n\tb.hi\t.Lopen_init_rounds\n\n\tadd\tv0.4s, v0.4s, v24.4s\n\tadd\tv5.4s, v5.4s, v28.4s\n\n\tand\tv0.16b, v0.16b, v27.16b\n\tmov\tx16, v0.d[0] // Move the R key to GPRs\n\tmov\tx17, v0.d[1]\n\tmov\tv27.16b, v5.16b // Store the S key\n\n\tbl\t.Lpoly_hash_ad_internal\n\n.Lopen_ad_done:\n\tmov\tx3, x1\n\n// Each iteration of the loop hash 320 bytes, and prepare stream for 320 bytes\n.Lopen_main_loop:\n\n\tcmp\tx2, #192\n\tb.lt\t.Lopen_tail\n\n\tadrp\tx11, .Lchacha20_consts\n\tadd\tx11, x11, :lo12:.Lchacha20_consts\n\n\tld4r\t{v0.4s,v1.4s,v2.4s,v3.4s}, [x11]\n\tmov\tv4.16b, v24.16b\n\n\tld4r\t{v5.4s,v6.4s,v7.4s,v8.4s}, [x5], #16\n\tmov\tv9.16b, v28.16b\n\n\tld4r\t{v10.4s,v11.4s,v12.4s,v13.4s}, [x5], #16\n\tmov\tv14.16b, v29.16b\n\n\tld4r\t{v15.4s,v16.4s,v17.4s,v18.4s}, [x5]\n\tsub\tx5, x5, #32\n\tadd\tv15.4s, v15.4s, v25.4s\n\tmov\tv19.16b, v30.16b\n\n\teor\tv20.16b, v20.16b, v20.16b //zero\n\tnot\tv21.16b, v20.16b // -1\n\tsub\tv21.4s, v25.4s, v21.4s // Add +1\n\text\tv20.16b, v21.16b, v20.16b, #12 // Get the last element (counter)\n\tadd\tv19.4s, v19.4s, v20.4s\n\n\tlsr\tx4, x2, #4 // How many whole blocks we have to hash, will always be at least 12\n\tsub\tx4, x4, #10\n\n\tmov\tx7, #10\n\tsubs\tx6, x7, x4\n\tsubs\tx6, x7, x4 // itr1 can be negative if we have more than 320 bytes to hash\n\tcsel\tx7, x7, x4, le // if itr1 is zero or less, itr2 should be 10 to indicate all 10 rounds are full\n\n\tcbz\tx7, .Lopen_main_loop_rounds_short\n\n.align\t5\n.Lopen_main_loop_rounds:\n\tldp\tx11, x12, [x3], 16\n\tadds\tx8, x8, x11\n\tadcs\tx9, x9, x12\n\tadc\tx10, x10, x15\n\tmul\tx11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0\n\tumulh\tx12, x8, x16\n\tmul\tx13, x9, x16\n\tumulh\tx14, x9, x16\n\tadds\tx12, x12, x13\n\tmul\tx13, x10, x16\n\tadc\tx13, x13, x14\n\tmul\tx14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0]\n\tumulh\tx8, x8, x17\n\tadds\tx12, x12, x14\n\tmul\tx14, x9, x17\n\tumulh\tx9, x9, x17\n\tadcs\tx14, x14, x8\n\tmul\tx10, x10, x17\n\tadc\tx10, x10, x9\n\tadds\tx13, x13, x14\n\tadc\tx14, x10, xzr\n\tand\tx10, x13, #3 // At this point acc2 is 2 bits at most (value of 3)\n\tand\tx8, x13, #-4\n\textr\tx13, x14, x13, #2\n\tadds\tx8, x8, x11\n\tlsr\tx11, x14, #2\n\tadc\tx9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits\n\tadds\tx8, x8, x13\n\tadcs\tx9, x9, x12\n\tadc\tx10, x10, xzr // At this point acc2 has the value of 4 at most\n.Lopen_main_loop_rounds_short:\n\tadd\tv0.4s, v0.4s, v5.4s\n\tadd\tv1.4s, v1.4s, v6.4s\n\tadd\tv2.4s, v2.4s, v7.4s\n\tadd\tv3.4s, v3.4s, v8.4s\n\tadd\tv4.4s, v4.4s, v9.4s\n\n\teor\tv15.16b, v15.16b, v0.16b\n\teor\tv16.16b, v16.16b, v1.16b\n\teor\tv17.16b, v17.16b, v2.16b\n\teor\tv18.16b, v18.16b, v3.16b\n\teor\tv19.16b, v19.16b, v4.16b\n\n\trev32\tv15.8h, v15.8h\n\trev32\tv16.8h, v16.8h\n\trev32\tv17.8h, v17.8h\n\trev32\tv18.8h, v18.8h\n\trev32\tv19.8h, v19.8h\n\n\tadd\tv10.4s, v10.4s, v15.4s\n\tadd\tv11.4s, v11.4s, v16.4s\n\tadd\tv12.4s, v12.4s, v17.4s\n\tadd\tv13.4s, v13.4s, v18.4s\n\tadd\tv14.4s, v14.4s, v19.4s\n\n\teor\tv5.16b, v5.16b, v10.16b\n\teor\tv6.16b, v6.16b, v11.16b\n\teor\tv7.16b, v7.16b, v12.16b\n\teor\tv8.16b, v8.16b, v13.16b\n\teor\tv9.16b, v9.16b, v14.16b\n\n\tushr\tv20.4s, v5.4s, #20\n\tsli\tv20.4s, v5.4s, #12\n\tushr\tv5.4s, v6.4s, #20\n\tsli\tv5.4s, v6.4s, #12\n\tushr\tv6.4s, v7.4s, #20\n\tsli\tv6.4s, v7.4s, #12\n\tushr\tv7.4s, v8.4s, #20\n\tsli\tv7.4s, v8.4s, #12\n\tushr\tv8.4s, v9.4s, #20\n\tsli\tv8.4s, v9.4s, #12\n\n\tadd\tv0.4s, v0.4s, v20.4s\n\tadd\tv1.4s, v1.4s, v5.4s\n\tadd\tv2.4s, v2.4s, v6.4s\n\tadd\tv3.4s, v3.4s, v7.4s\n\tadd\tv4.4s, v4.4s, v8.4s\n\n\teor\tv15.16b, v15.16b, v0.16b\n\teor\tv16.16b, v16.16b, v1.16b\n\teor\tv17.16b, v17.16b, v2.16b\n\teor\tv18.16b, v18.16b, v3.16b\n\teor\tv19.16b, v19.16b, v4.16b\n\n\ttbl\tv15.16b, {v15.16b}, v26.16b\n\ttbl\tv16.16b, {v16.16b}, v26.16b\n\ttbl\tv17.16b, {v17.16b}, v26.16b\n\ttbl\tv18.16b, {v18.16b}, v26.16b\n\ttbl\tv19.16b, {v19.16b}, v26.16b\n\n\tadd\tv10.4s, v10.4s, v15.4s\n\tadd\tv11.4s, v11.4s, v16.4s\n\tadd\tv12.4s, v12.4s, v17.4s\n\tadd\tv13.4s, v13.4s, v18.4s\n\tadd\tv14.4s, v14.4s, v19.4s\n\n\teor\tv20.16b, v20.16b, v10.16b\n\teor\tv5.16b, v5.16b, v11.16b\n\teor\tv6.16b, v6.16b, v12.16b\n\teor\tv7.16b, v7.16b, v13.16b\n\teor\tv8.16b, v8.16b, v14.16b\n\n\tushr\tv9.4s, v8.4s, #25\n\tsli\tv9.4s, v8.4s, #7\n\tushr\tv8.4s, v7.4s, #25\n\tsli\tv8.4s, v7.4s, #7\n\tushr\tv7.4s, v6.4s, #25\n\tsli\tv7.4s, v6.4s, #7\n\tushr\tv6.4s, v5.4s, #25\n\tsli\tv6.4s, v5.4s, #7\n\tushr\tv5.4s, v20.4s, #25\n\tsli\tv5.4s, v20.4s, #7\n\n\text\tv9.16b, v9.16b, v9.16b, #4\n\text\tv14.16b, v14.16b, v14.16b, #8\n\text\tv19.16b, v19.16b, v19.16b, #12\n\tldp\tx11, x12, [x3], 16\n\tadds\tx8, x8, x11\n\tadcs\tx9, x9, x12\n\tadc\tx10, x10, x15\n\tmul\tx11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0\n\tumulh\tx12, x8, x16\n\tmul\tx13, x9, x16\n\tumulh\tx14, x9, x16\n\tadds\tx12, x12, x13\n\tmul\tx13, x10, x16\n\tadc\tx13, x13, x14\n\tmul\tx14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0]\n\tumulh\tx8, x8, x17\n\tadds\tx12, x12, x14\n\tmul\tx14, x9, x17\n\tumulh\tx9, x9, x17\n\tadcs\tx14, x14, x8\n\tmul\tx10, x10, x17\n\tadc\tx10, x10, x9\n\tadds\tx13, x13, x14\n\tadc\tx14, x10, xzr\n\tand\tx10, x13, #3 // At this point acc2 is 2 bits at most (value of 3)\n\tand\tx8, x13, #-4\n\textr\tx13, x14, x13, #2\n\tadds\tx8, x8, x11\n\tlsr\tx11, x14, #2\n\tadc\tx9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits\n\tadds\tx8, x8, x13\n\tadcs\tx9, x9, x12\n\tadc\tx10, x10, xzr // At this point acc2 has the value of 4 at most\n\tadd\tv0.4s, v0.4s, v6.4s\n\tadd\tv1.4s, v1.4s, v7.4s\n\tadd\tv2.4s, v2.4s, v8.4s\n\tadd\tv3.4s, v3.4s, v5.4s\n\tadd\tv4.4s, v4.4s, v9.4s\n\n\teor\tv18.16b, v18.16b, v0.16b\n\teor\tv15.16b, v15.16b, v1.16b\n\teor\tv16.16b, v16.16b, v2.16b\n\teor\tv17.16b, v17.16b, v3.16b\n\teor\tv19.16b, v19.16b, v4.16b\n\n\trev32\tv18.8h, v18.8h\n\trev32\tv15.8h, v15.8h\n\trev32\tv16.8h, v16.8h\n\trev32\tv17.8h, v17.8h\n\trev32\tv19.8h, v19.8h\n\n\tadd\tv12.4s, v12.4s, v18.4s\n\tadd\tv13.4s, v13.4s, v15.4s\n\tadd\tv10.4s, v10.4s, v16.4s\n\tadd\tv11.4s, v11.4s, v17.4s\n\tadd\tv14.4s, v14.4s, v19.4s\n\n\teor\tv6.16b, v6.16b, v12.16b\n\teor\tv7.16b, v7.16b, v13.16b\n\teor\tv8.16b, v8.16b, v10.16b\n\teor\tv5.16b, v5.16b, v11.16b\n\teor\tv9.16b, v9.16b, v14.16b\n\n\tushr\tv20.4s, v6.4s, #20\n\tsli\tv20.4s, v6.4s, #12\n\tushr\tv6.4s, v7.4s, #20\n\tsli\tv6.4s, v7.4s, #12\n\tushr\tv7.4s, v8.4s, #20\n\tsli\tv7.4s, v8.4s, #12\n\tushr\tv8.4s, v5.4s, #20\n\tsli\tv8.4s, v5.4s, #12\n\tushr\tv5.4s, v9.4s, #20\n\tsli\tv5.4s, v9.4s, #12\n\n\tadd\tv0.4s, v0.4s, v20.4s\n\tadd\tv1.4s, v1.4s, v6.4s\n\tadd\tv2.4s, v2.4s, v7.4s\n\tadd\tv3.4s, v3.4s, v8.4s\n\tadd\tv4.4s, v4.4s, v5.4s\n\n\teor\tv18.16b, v18.16b, v0.16b\n\teor\tv15.16b, v15.16b, v1.16b\n\teor\tv16.16b, v16.16b, v2.16b\n\teor\tv17.16b, v17.16b, v3.16b\n\teor\tv19.16b, v19.16b, v4.16b\n\n\ttbl\tv18.16b, {v18.16b}, v26.16b\n\ttbl\tv15.16b, {v15.16b}, v26.16b\n\ttbl\tv16.16b, {v16.16b}, v26.16b\n\ttbl\tv17.16b, {v17.16b}, v26.16b\n\ttbl\tv19.16b, {v19.16b}, v26.16b\n\n\tadd\tv12.4s, v12.4s, v18.4s\n\tadd\tv13.4s, v13.4s, v15.4s\n\tadd\tv10.4s, v10.4s, v16.4s\n\tadd\tv11.4s, v11.4s, v17.4s\n\tadd\tv14.4s, v14.4s, v19.4s\n\n\teor\tv20.16b, v20.16b, v12.16b\n\teor\tv6.16b, v6.16b, v13.16b\n\teor\tv7.16b, v7.16b, v10.16b\n\teor\tv8.16b, v8.16b, v11.16b\n\teor\tv5.16b, v5.16b, v14.16b\n\n\tushr\tv9.4s, v5.4s, #25\n\tsli\tv9.4s, v5.4s, #7\n\tushr\tv5.4s, v8.4s, #25\n\tsli\tv5.4s, v8.4s, #7\n\tushr\tv8.4s, v7.4s, #25\n\tsli\tv8.4s, v7.4s, #7\n\tushr\tv7.4s, v6.4s, #25\n\tsli\tv7.4s, v6.4s, #7\n\tushr\tv6.4s, v20.4s, #25\n\tsli\tv6.4s, v20.4s, #7\n\n\text\tv9.16b, v9.16b, v9.16b, #12\n\text\tv14.16b, v14.16b, v14.16b, #8\n\text\tv19.16b, v19.16b, v19.16b, #4\n\tsubs\tx7, x7, #1\n\tb.gt\t.Lopen_main_loop_rounds\n\tsubs\tx6, x6, #1\n\tb.ge\t.Lopen_main_loop_rounds_short\n\n\teor\tv20.16b, v20.16b, v20.16b //zero\n\tnot\tv21.16b, v20.16b // -1\n\tsub\tv21.4s, v25.4s, v21.4s // Add +1\n\text\tv20.16b, v21.16b, v20.16b, #12 // Get the last element (counter)\n\tadd\tv19.4s, v19.4s, v20.4s\n\n\tadd\tv15.4s, v15.4s, v25.4s\n\tmov\tx11, #5\n\tdup\tv20.4s, w11\n\tadd\tv25.4s, v25.4s, v20.4s\n\n\tzip1\tv20.4s, v0.4s, v1.4s\n\tzip2\tv21.4s, v0.4s, v1.4s\n\tzip1\tv22.4s, v2.4s, v3.4s\n\tzip2\tv23.4s, v2.4s, v3.4s\n\n\tzip1\tv0.2d, v20.2d, v22.2d\n\tzip2\tv1.2d, v20.2d, v22.2d\n\tzip1\tv2.2d, v21.2d, v23.2d\n\tzip2\tv3.2d, v21.2d, v23.2d\n\n\tzip1\tv20.4s, v5.4s, v6.4s\n\tzip2\tv21.4s, v5.4s, v6.4s\n\tzip1\tv22.4s, v7.4s, v8.4s\n\tzip2\tv23.4s, v7.4s, v8.4s\n\n\tzip1\tv5.2d, v20.2d, v22.2d\n\tzip2\tv6.2d, v20.2d, v22.2d\n\tzip1\tv7.2d, v21.2d, v23.2d\n\tzip2\tv8.2d, v21.2d, v23.2d\n\n\tzip1\tv20.4s, v10.4s, v11.4s\n\tzip2\tv21.4s, v10.4s, v11.4s\n\tzip1\tv22.4s, v12.4s, v13.4s\n\tzip2\tv23.4s, v12.4s, v13.4s\n\n\tzip1\tv10.2d, v20.2d, v22.2d\n\tzip2\tv11.2d, v20.2d, v22.2d\n\tzip1\tv12.2d, v21.2d, v23.2d\n\tzip2\tv13.2d, v21.2d, v23.2d\n\n\tzip1\tv20.4s, v15.4s, v16.4s\n\tzip2\tv21.4s, v15.4s, v16.4s\n\tzip1\tv22.4s, v17.4s, v18.4s\n\tzip2\tv23.4s, v17.4s, v18.4s\n\n\tzip1\tv15.2d, v20.2d, v22.2d\n\tzip2\tv16.2d, v20.2d, v22.2d\n\tzip1\tv17.2d, v21.2d, v23.2d\n\tzip2\tv18.2d, v21.2d, v23.2d\n\n\tadd\tv0.4s, v0.4s, v24.4s\n\tadd\tv5.4s, v5.4s, v28.4s\n\tadd\tv10.4s, v10.4s, v29.4s\n\tadd\tv15.4s, v15.4s, v30.4s\n\n\tadd\tv1.4s, v1.4s, v24.4s\n\tadd\tv6.4s, v6.4s, v28.4s\n\tadd\tv11.4s, v11.4s, v29.4s\n\tadd\tv16.4s, v16.4s, v30.4s\n\n\tadd\tv2.4s, v2.4s, v24.4s\n\tadd\tv7.4s, v7.4s, v28.4s\n\tadd\tv12.4s, v12.4s, v29.4s\n\tadd\tv17.4s, v17.4s, v30.4s\n\n\tadd\tv3.4s, v3.4s, v24.4s\n\tadd\tv8.4s, v8.4s, v28.4s\n\tadd\tv13.4s, v13.4s, v29.4s\n\tadd\tv18.4s, v18.4s, v30.4s\n\n\tadd\tv4.4s, v4.4s, v24.4s\n\tadd\tv9.4s, v9.4s, v28.4s\n\tadd\tv14.4s, v14.4s, v29.4s\n\tadd\tv19.4s, v19.4s, v30.4s\n\n // We can always safely store 192 bytes\n\tld1\t{v20.16b - v23.16b}, [x1], #64\n\teor\tv20.16b, v20.16b, v0.16b\n\teor\tv21.16b, v21.16b, v5.16b\n\teor\tv22.16b, v22.16b, v10.16b\n\teor\tv23.16b, v23.16b, v15.16b\n\tst1\t{v20.16b - v23.16b}, [x0], #64\n\n\tld1\t{v20.16b - v23.16b}, [x1], #64\n\teor\tv20.16b, v20.16b, v1.16b\n\teor\tv21.16b, v21.16b, v6.16b\n\teor\tv22.16b, v22.16b, v11.16b\n\teor\tv23.16b, v23.16b, v16.16b\n\tst1\t{v20.16b - v23.16b}, [x0], #64\n\n\tld1\t{v20.16b - v23.16b}, [x1], #64\n\teor\tv20.16b, v20.16b, v2.16b\n\teor\tv21.16b, v21.16b, v7.16b\n\teor\tv22.16b, v22.16b, v12.16b\n\teor\tv23.16b, v23.16b, v17.16b\n\tst1\t{v20.16b - v23.16b}, [x0], #64\n\n\tsub\tx2, x2, #192\n\n\tmov\tv0.16b, v3.16b\n\tmov\tv5.16b, v8.16b\n\tmov\tv10.16b, v13.16b\n\tmov\tv15.16b, v18.16b\n\n\tcmp\tx2, #64\n\tb.lt\t.Lopen_tail_64_store\n\n\tld1\t{v20.16b - v23.16b}, [x1], #64\n\teor\tv20.16b, v20.16b, v3.16b\n\teor\tv21.16b, v21.16b, v8.16b\n\teor\tv22.16b, v22.16b, v13.16b\n\teor\tv23.16b, v23.16b, v18.16b\n\tst1\t{v20.16b - v23.16b}, [x0], #64\n\n\tsub\tx2, x2, #64\n\n\tmov\tv0.16b, v4.16b\n\tmov\tv5.16b, v9.16b\n\tmov\tv10.16b, v14.16b\n\tmov\tv15.16b, v19.16b\n\n\tcmp\tx2, #64\n\tb.lt\t.Lopen_tail_64_store\n\n\tld1\t{v20.16b - v23.16b}, [x1], #64\n\teor\tv20.16b, v20.16b, v4.16b\n\teor\tv21.16b, v21.16b, v9.16b\n\teor\tv22.16b, v22.16b, v14.16b\n\teor\tv23.16b, v23.16b, v19.16b\n\tst1\t{v20.16b - v23.16b}, [x0], #64\n\n\tsub\tx2, x2, #64\n\tb\t.Lopen_main_loop\n\n.Lopen_tail:\n\n\tcbz\tx2, .Lopen_finalize\n\n\tlsr\tx4, x2, #4 // How many whole blocks we have to hash\n\n\tcmp\tx2, #64\n\tb.le\t.Lopen_tail_64\n\tcmp\tx2, #128\n\tb.le\t.Lopen_tail_128\n\n.Lopen_tail_192:\n // We need three more blocks\n\tmov\tv0.16b, v24.16b\n\tmov\tv1.16b, v24.16b\n\tmov\tv2.16b, v24.16b\n\tmov\tv5.16b, v28.16b\n\tmov\tv6.16b, v28.16b\n\tmov\tv7.16b, v28.16b\n\tmov\tv10.16b, v29.16b\n\tmov\tv11.16b, v29.16b\n\tmov\tv12.16b, v29.16b\n\tmov\tv15.16b, v30.16b\n\tmov\tv16.16b, v30.16b\n\tmov\tv17.16b, v30.16b\n\teor\tv23.16b, v23.16b, v23.16b\n\teor\tv21.16b, v21.16b, v21.16b\n\tins\tv23.s[0], v25.s[0]\n\tins\tv21.d[0], x15\n\n\tadd\tv22.4s, v23.4s, v21.4s\n\tadd\tv21.4s, v22.4s, v21.4s\n\n\tadd\tv15.4s, v15.4s, v21.4s\n\tadd\tv16.4s, v16.4s, v23.4s\n\tadd\tv17.4s, v17.4s, v22.4s\n\n\tmov\tx7, #10\n\tsubs\tx6, x7, x4 // itr1 can be negative if we have more than 160 bytes to hash\n\tcsel\tx7, x7, x4, le // if itr1 is zero or less, itr2 should be 10 to indicate all 10 rounds are hashing\n\tsub\tx4, x4, x7\n\n\tcbz\tx7, .Lopen_tail_192_rounds_no_hash\n\n.Lopen_tail_192_rounds:\n\tldp\tx11, x12, [x3], 16\n\tadds\tx8, x8, x11\n\tadcs\tx9, x9, x12\n\tadc\tx10, x10, x15\n\tmul\tx11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0\n\tumulh\tx12, x8, x16\n\tmul\tx13, x9, x16\n\tumulh\tx14, x9, x16\n\tadds\tx12, x12, x13\n\tmul\tx13, x10, x16\n\tadc\tx13, x13, x14\n\tmul\tx14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0]\n\tumulh\tx8, x8, x17\n\tadds\tx12, x12, x14\n\tmul\tx14, x9, x17\n\tumulh\tx9, x9, x17\n\tadcs\tx14, x14, x8\n\tmul\tx10, x10, x17\n\tadc\tx10, x10, x9\n\tadds\tx13, x13, x14\n\tadc\tx14, x10, xzr\n\tand\tx10, x13, #3 // At this point acc2 is 2 bits at most (value of 3)\n\tand\tx8, x13, #-4\n\textr\tx13, x14, x13, #2\n\tadds\tx8, x8, x11\n\tlsr\tx11, x14, #2\n\tadc\tx9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits\n\tadds\tx8, x8, x13\n\tadcs\tx9, x9, x12\n\tadc\tx10, x10, xzr // At this point acc2 has the value of 4 at most\n.Lopen_tail_192_rounds_no_hash:\n\tadd\tv0.4s, v0.4s, v5.4s\n\tadd\tv1.4s, v1.4s, v6.4s\n\tadd\tv2.4s, v2.4s, v7.4s\n\teor\tv15.16b, v15.16b, v0.16b\n\teor\tv16.16b, v16.16b, v1.16b\n\teor\tv17.16b, v17.16b, v2.16b\n\trev32\tv15.8h, v15.8h\n\trev32\tv16.8h, v16.8h\n\trev32\tv17.8h, v17.8h\n\n\tadd\tv10.4s, v10.4s, v15.4s\n\tadd\tv11.4s, v11.4s, v16.4s\n\tadd\tv12.4s, v12.4s, v17.4s\n\teor\tv5.16b, v5.16b, v10.16b\n\teor\tv6.16b, v6.16b, v11.16b\n\teor\tv7.16b, v7.16b, v12.16b\n\tushr\tv20.4s, v5.4s, #20\n\tsli\tv20.4s, v5.4s, #12\n\tushr\tv5.4s, v6.4s, #20\n\tsli\tv5.4s, v6.4s, #12\n\tushr\tv6.4s, v7.4s, #20\n\tsli\tv6.4s, v7.4s, #12\n\n\tadd\tv0.4s, v0.4s, v20.4s\n\tadd\tv1.4s, v1.4s, v5.4s\n\tadd\tv2.4s, v2.4s, v6.4s\n\teor\tv15.16b, v15.16b, v0.16b\n\teor\tv16.16b, v16.16b, v1.16b\n\teor\tv17.16b, v17.16b, v2.16b\n\ttbl\tv15.16b, {v15.16b}, v26.16b\n\ttbl\tv16.16b, {v16.16b}, v26.16b\n\ttbl\tv17.16b, {v17.16b}, v26.16b\n\n\tadd\tv10.4s, v10.4s, v15.4s\n\tadd\tv11.4s, v11.4s, v16.4s\n\tadd\tv12.4s, v12.4s, v17.4s\n\teor\tv20.16b, v20.16b, v10.16b\n\teor\tv5.16b, v5.16b, v11.16b\n\teor\tv6.16b, v6.16b, v12.16b\n\tushr\tv7.4s, v6.4s, #25\n\tsli\tv7.4s, v6.4s, #7\n\tushr\tv6.4s, v5.4s, #25\n\tsli\tv6.4s, v5.4s, #7\n\tushr\tv5.4s, v20.4s, #25\n\tsli\tv5.4s, v20.4s, #7\n\n\text\tv5.16b, v5.16b, v5.16b, #4\n\text\tv6.16b, v6.16b, v6.16b, #4\n\text\tv7.16b, v7.16b, v7.16b, #4\n\n\text\tv10.16b, v10.16b, v10.16b, #8\n\text\tv11.16b, v11.16b, v11.16b, #8\n\text\tv12.16b, v12.16b, v12.16b, #8\n\n\text\tv15.16b, v15.16b, v15.16b, #12\n\text\tv16.16b, v16.16b, v16.16b, #12\n\text\tv17.16b, v17.16b, v17.16b, #12\n\tadd\tv0.4s, v0.4s, v5.4s\n\tadd\tv1.4s, v1.4s, v6.4s\n\tadd\tv2.4s, v2.4s, v7.4s\n\teor\tv15.16b, v15.16b, v0.16b\n\teor\tv16.16b, v16.16b, v1.16b\n\teor\tv17.16b, v17.16b, v2.16b\n\trev32\tv15.8h, v15.8h\n\trev32\tv16.8h, v16.8h\n\trev32\tv17.8h, v17.8h\n\n\tadd\tv10.4s, v10.4s, v15.4s\n\tadd\tv11.4s, v11.4s, v16.4s\n\tadd\tv12.4s, v12.4s, v17.4s\n\teor\tv5.16b, v5.16b, v10.16b\n\teor\tv6.16b, v6.16b, v11.16b\n\teor\tv7.16b, v7.16b, v12.16b\n\tushr\tv20.4s, v5.4s, #20\n\tsli\tv20.4s, v5.4s, #12\n\tushr\tv5.4s, v6.4s, #20\n\tsli\tv5.4s, v6.4s, #12\n\tushr\tv6.4s, v7.4s, #20\n\tsli\tv6.4s, v7.4s, #12\n\n\tadd\tv0.4s, v0.4s, v20.4s\n\tadd\tv1.4s, v1.4s, v5.4s\n\tadd\tv2.4s, v2.4s, v6.4s\n\teor\tv15.16b, v15.16b, v0.16b\n\teor\tv16.16b, v16.16b, v1.16b\n\teor\tv17.16b, v17.16b, v2.16b\n\ttbl\tv15.16b, {v15.16b}, v26.16b\n\ttbl\tv16.16b, {v16.16b}, v26.16b\n\ttbl\tv17.16b, {v17.16b}, v26.16b\n\n\tadd\tv10.4s, v10.4s, v15.4s\n\tadd\tv11.4s, v11.4s, v16.4s\n\tadd\tv12.4s, v12.4s, v17.4s\n\teor\tv20.16b, v20.16b, v10.16b\n\teor\tv5.16b, v5.16b, v11.16b\n\teor\tv6.16b, v6.16b, v12.16b\n\tushr\tv7.4s, v6.4s, #25\n\tsli\tv7.4s, v6.4s, #7\n\tushr\tv6.4s, v5.4s, #25\n\tsli\tv6.4s, v5.4s, #7\n\tushr\tv5.4s, v20.4s, #25\n\tsli\tv5.4s, v20.4s, #7\n\n\text\tv5.16b, v5.16b, v5.16b, #12\n\text\tv6.16b, v6.16b, v6.16b, #12\n\text\tv7.16b, v7.16b, v7.16b, #12\n\n\text\tv10.16b, v10.16b, v10.16b, #8\n\text\tv11.16b, v11.16b, v11.16b, #8\n\text\tv12.16b, v12.16b, v12.16b, #8\n\n\text\tv15.16b, v15.16b, v15.16b, #4\n\text\tv16.16b, v16.16b, v16.16b, #4\n\text\tv17.16b, v17.16b, v17.16b, #4\n\tsubs\tx7, x7, #1\n\tb.gt\t.Lopen_tail_192_rounds\n\tsubs\tx6, x6, #1\n\tb.ge\t.Lopen_tail_192_rounds_no_hash\n\n // We hashed 160 bytes at most, may still have 32 bytes left\n.Lopen_tail_192_hash:\n\tcbz\tx4, .Lopen_tail_192_hash_done\n\tldp\tx11, x12, [x3], 16\n\tadds\tx8, x8, x11\n\tadcs\tx9, x9, x12\n\tadc\tx10, x10, x15\n\tmul\tx11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0\n\tumulh\tx12, x8, x16\n\tmul\tx13, x9, x16\n\tumulh\tx14, x9, x16\n\tadds\tx12, x12, x13\n\tmul\tx13, x10, x16\n\tadc\tx13, x13, x14\n\tmul\tx14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0]\n\tumulh\tx8, x8, x17\n\tadds\tx12, x12, x14\n\tmul\tx14, x9, x17\n\tumulh\tx9, x9, x17\n\tadcs\tx14, x14, x8\n\tmul\tx10, x10, x17\n\tadc\tx10, x10, x9\n\tadds\tx13, x13, x14\n\tadc\tx14, x10, xzr\n\tand\tx10, x13, #3 // At this point acc2 is 2 bits at most (value of 3)\n\tand\tx8, x13, #-4\n\textr\tx13, x14, x13, #2\n\tadds\tx8, x8, x11\n\tlsr\tx11, x14, #2\n\tadc\tx9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits\n\tadds\tx8, x8, x13\n\tadcs\tx9, x9, x12\n\tadc\tx10, x10, xzr // At this point acc2 has the value of 4 at most\n\tsub\tx4, x4, #1\n\tb\t.Lopen_tail_192_hash\n\n.Lopen_tail_192_hash_done:\n\n\tadd\tv0.4s, v0.4s, v24.4s\n\tadd\tv1.4s, v1.4s, v24.4s\n\tadd\tv2.4s, v2.4s, v24.4s\n\tadd\tv5.4s, v5.4s, v28.4s\n\tadd\tv6.4s, v6.4s, v28.4s\n\tadd\tv7.4s, v7.4s, v28.4s\n\tadd\tv10.4s, v10.4s, v29.4s\n\tadd\tv11.4s, v11.4s, v29.4s\n\tadd\tv12.4s, v12.4s, v29.4s\n\tadd\tv15.4s, v15.4s, v30.4s\n\tadd\tv16.4s, v16.4s, v30.4s\n\tadd\tv17.4s, v17.4s, v30.4s\n\n\tadd\tv15.4s, v15.4s, v21.4s\n\tadd\tv16.4s, v16.4s, v23.4s\n\tadd\tv17.4s, v17.4s, v22.4s\n\n\tld1\t{v20.16b - v23.16b}, [x1], #64\n\n\teor\tv20.16b, v20.16b, v1.16b\n\teor\tv21.16b, v21.16b, v6.16b\n\teor\tv22.16b, v22.16b, v11.16b\n\teor\tv23.16b, v23.16b, v16.16b\n\n\tst1\t{v20.16b - v23.16b}, [x0], #64\n\n\tld1\t{v20.16b - v23.16b}, [x1], #64\n\n\teor\tv20.16b, v20.16b, v2.16b\n\teor\tv21.16b, v21.16b, v7.16b\n\teor\tv22.16b, v22.16b, v12.16b\n\teor\tv23.16b, v23.16b, v17.16b\n\n\tst1\t{v20.16b - v23.16b}, [x0], #64\n\n\tsub\tx2, x2, #128\n\tb\t.Lopen_tail_64_store\n\n.Lopen_tail_128:\n // We need two more blocks\n\tmov\tv0.16b, v24.16b\n\tmov\tv1.16b, v24.16b\n\tmov\tv5.16b, v28.16b\n\tmov\tv6.16b, v28.16b\n\tmov\tv10.16b, v29.16b\n\tmov\tv11.16b, v29.16b\n\tmov\tv15.16b, v30.16b\n\tmov\tv16.16b, v30.16b\n\teor\tv23.16b, v23.16b, v23.16b\n\teor\tv22.16b, v22.16b, v22.16b\n\tins\tv23.s[0], v25.s[0]\n\tins\tv22.d[0], x15\n\tadd\tv22.4s, v22.4s, v23.4s\n\n\tadd\tv15.4s, v15.4s, v22.4s\n\tadd\tv16.4s, v16.4s, v23.4s\n\n\tmov\tx6, #10\n\tsub\tx6, x6, x4\n\n.Lopen_tail_128_rounds:\n\tadd\tv0.4s, v0.4s, v5.4s\n\teor\tv15.16b, v15.16b, v0.16b\n\trev32\tv15.8h, v15.8h\n\n\tadd\tv10.4s, v10.4s, v15.4s\n\teor\tv5.16b, v5.16b, v10.16b\n\tushr\tv20.4s, v5.4s, #20\n\tsli\tv20.4s, v5.4s, #12\n\tadd\tv0.4s, v0.4s, v20.4s\n\teor\tv15.16b, v15.16b, v0.16b\n\ttbl\tv15.16b, {v15.16b}, v26.16b\n\n\tadd\tv10.4s, v10.4s, v15.4s\n\teor\tv20.16b, v20.16b, v10.16b\n\tushr\tv5.4s, v20.4s, #25\n\tsli\tv5.4s, v20.4s, #7\n\text\tv5.16b, v5.16b, v5.16b, #4\n\text\tv10.16b, v10.16b, v10.16b, #8\n\text\tv15.16b, v15.16b, v15.16b, #12\n\tadd\tv1.4s, v1.4s, v6.4s\n\teor\tv16.16b, v16.16b, v1.16b\n\trev32\tv16.8h, v16.8h\n\n\tadd\tv11.4s, v11.4s, v16.4s\n\teor\tv6.16b, v6.16b, v11.16b\n\tushr\tv20.4s, v6.4s, #20\n\tsli\tv20.4s, v6.4s, #12\n\tadd\tv1.4s, v1.4s, v20.4s\n\teor\tv16.16b, v16.16b, v1.16b\n\ttbl\tv16.16b, {v16.16b}, v26.16b\n\n\tadd\tv11.4s, v11.4s, v16.4s\n\teor\tv20.16b, v20.16b, v11.16b\n\tushr\tv6.4s, v20.4s, #25\n\tsli\tv6.4s, v20.4s, #7\n\text\tv6.16b, v6.16b, v6.16b, #4\n\text\tv11.16b, v11.16b, v11.16b, #8\n\text\tv16.16b, v16.16b, v16.16b, #12\n\tadd\tv0.4s, v0.4s, v5.4s\n\teor\tv15.16b, v15.16b, v0.16b\n\trev32\tv15.8h, v15.8h\n\n\tadd\tv10.4s, v10.4s, v15.4s\n\teor\tv5.16b, v5.16b, v10.16b\n\tushr\tv20.4s, v5.4s, #20\n\tsli\tv20.4s, v5.4s, #12\n\tadd\tv0.4s, v0.4s, v20.4s\n\teor\tv15.16b, v15.16b, v0.16b\n\ttbl\tv15.16b, {v15.16b}, v26.16b\n\n\tadd\tv10.4s, v10.4s, v15.4s\n\teor\tv20.16b, v20.16b, v10.16b\n\tushr\tv5.4s, v20.4s, #25\n\tsli\tv5.4s, v20.4s, #7\n\text\tv5.16b, v5.16b, v5.16b, #12\n\text\tv10.16b, v10.16b, v10.16b, #8\n\text\tv15.16b, v15.16b, v15.16b, #4\n\tadd\tv1.4s, v1.4s, v6.4s\n\teor\tv16.16b, v16.16b, v1.16b\n\trev32\tv16.8h, v16.8h\n\n\tadd\tv11.4s, v11.4s, v16.4s\n\teor\tv6.16b, v6.16b, v11.16b\n\tushr\tv20.4s, v6.4s, #20\n\tsli\tv20.4s, v6.4s, #12\n\tadd\tv1.4s, v1.4s, v20.4s\n\teor\tv16.16b, v16.16b, v1.16b\n\ttbl\tv16.16b, {v16.16b}, v26.16b\n\n\tadd\tv11.4s, v11.4s, v16.4s\n\teor\tv20.16b, v20.16b, v11.16b\n\tushr\tv6.4s, v20.4s, #25\n\tsli\tv6.4s, v20.4s, #7\n\text\tv6.16b, v6.16b, v6.16b, #12\n\text\tv11.16b, v11.16b, v11.16b, #8\n\text\tv16.16b, v16.16b, v16.16b, #4\n\tsubs\tx6, x6, #1\n\tb.gt\t.Lopen_tail_128_rounds\n\tcbz\tx4, .Lopen_tail_128_rounds_done\n\tsubs\tx4, x4, #1\n\tldp\tx11, x12, [x3], 16\n\tadds\tx8, x8, x11\n\tadcs\tx9, x9, x12\n\tadc\tx10, x10, x15\n\tmul\tx11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0\n\tumulh\tx12, x8, x16\n\tmul\tx13, x9, x16\n\tumulh\tx14, x9, x16\n\tadds\tx12, x12, x13\n\tmul\tx13, x10, x16\n\tadc\tx13, x13, x14\n\tmul\tx14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0]\n\tumulh\tx8, x8, x17\n\tadds\tx12, x12, x14\n\tmul\tx14, x9, x17\n\tumulh\tx9, x9, x17\n\tadcs\tx14, x14, x8\n\tmul\tx10, x10, x17\n\tadc\tx10, x10, x9\n\tadds\tx13, x13, x14\n\tadc\tx14, x10, xzr\n\tand\tx10, x13, #3 // At this point acc2 is 2 bits at most (value of 3)\n\tand\tx8, x13, #-4\n\textr\tx13, x14, x13, #2\n\tadds\tx8, x8, x11\n\tlsr\tx11, x14, #2\n\tadc\tx9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits\n\tadds\tx8, x8, x13\n\tadcs\tx9, x9, x12\n\tadc\tx10, x10, xzr // At this point acc2 has the value of 4 at most\n\tb\t.Lopen_tail_128_rounds\n\n.Lopen_tail_128_rounds_done:\n\tadd\tv0.4s, v0.4s, v24.4s\n\tadd\tv1.4s, v1.4s, v24.4s\n\tadd\tv5.4s, v5.4s, v28.4s\n\tadd\tv6.4s, v6.4s, v28.4s\n\tadd\tv10.4s, v10.4s, v29.4s\n\tadd\tv11.4s, v11.4s, v29.4s\n\tadd\tv15.4s, v15.4s, v30.4s\n\tadd\tv16.4s, v16.4s, v30.4s\n\tadd\tv15.4s, v15.4s, v22.4s\n\tadd\tv16.4s, v16.4s, v23.4s\n\n\tld1\t{v20.16b - v23.16b}, [x1], #64\n\n\teor\tv20.16b, v20.16b, v1.16b\n\teor\tv21.16b, v21.16b, v6.16b\n\teor\tv22.16b, v22.16b, v11.16b\n\teor\tv23.16b, v23.16b, v16.16b\n\n\tst1\t{v20.16b - v23.16b}, [x0], #64\n\tsub\tx2, x2, #64\n\n\tb\t.Lopen_tail_64_store\n\n.Lopen_tail_64:\n // We just need a single block\n\tmov\tv0.16b, v24.16b\n\tmov\tv5.16b, v28.16b\n\tmov\tv10.16b, v29.16b\n\tmov\tv15.16b, v30.16b\n\teor\tv23.16b, v23.16b, v23.16b\n\tins\tv23.s[0], v25.s[0]\n\tadd\tv15.4s, v15.4s, v23.4s\n\n\tmov\tx6, #10\n\tsub\tx6, x6, x4\n\n.Lopen_tail_64_rounds:\n\tadd\tv0.4s, v0.4s, v5.4s\n\teor\tv15.16b, v15.16b, v0.16b\n\trev32\tv15.8h, v15.8h\n\n\tadd\tv10.4s, v10.4s, v15.4s\n\teor\tv5.16b, v5.16b, v10.16b\n\tushr\tv20.4s, v5.4s, #20\n\tsli\tv20.4s, v5.4s, #12\n\tadd\tv0.4s, v0.4s, v20.4s\n\teor\tv15.16b, v15.16b, v0.16b\n\ttbl\tv15.16b, {v15.16b}, v26.16b\n\n\tadd\tv10.4s, v10.4s, v15.4s\n\teor\tv20.16b, v20.16b, v10.16b\n\tushr\tv5.4s, v20.4s, #25\n\tsli\tv5.4s, v20.4s, #7\n\text\tv5.16b, v5.16b, v5.16b, #4\n\text\tv10.16b, v10.16b, v10.16b, #8\n\text\tv15.16b, v15.16b, v15.16b, #12\n\tadd\tv0.4s, v0.4s, v5.4s\n\teor\tv15.16b, v15.16b, v0.16b\n\trev32\tv15.8h, v15.8h\n\n\tadd\tv10.4s, v10.4s, v15.4s\n\teor\tv5.16b, v5.16b, v10.16b\n\tushr\tv20.4s, v5.4s, #20\n\tsli\tv20.4s, v5.4s, #12\n\tadd\tv0.4s, v0.4s, v20.4s\n\teor\tv15.16b, v15.16b, v0.16b\n\ttbl\tv15.16b, {v15.16b}, v26.16b\n\n\tadd\tv10.4s, v10.4s, v15.4s\n\teor\tv20.16b, v20.16b, v10.16b\n\tushr\tv5.4s, v20.4s, #25\n\tsli\tv5.4s, v20.4s, #7\n\text\tv5.16b, v5.16b, v5.16b, #12\n\text\tv10.16b, v10.16b, v10.16b, #8\n\text\tv15.16b, v15.16b, v15.16b, #4\n\tsubs\tx6, x6, #1\n\tb.gt\t.Lopen_tail_64_rounds\n\tcbz\tx4, .Lopen_tail_64_rounds_done\n\tsubs\tx4, x4, #1\n\tldp\tx11, x12, [x3], 16\n\tadds\tx8, x8, x11\n\tadcs\tx9, x9, x12\n\tadc\tx10, x10, x15\n\tmul\tx11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0\n\tumulh\tx12, x8, x16\n\tmul\tx13, x9, x16\n\tumulh\tx14, x9, x16\n\tadds\tx12, x12, x13\n\tmul\tx13, x10, x16\n\tadc\tx13, x13, x14\n\tmul\tx14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0]\n\tumulh\tx8, x8, x17\n\tadds\tx12, x12, x14\n\tmul\tx14, x9, x17\n\tumulh\tx9, x9, x17\n\tadcs\tx14, x14, x8\n\tmul\tx10, x10, x17\n\tadc\tx10, x10, x9\n\tadds\tx13, x13, x14\n\tadc\tx14, x10, xzr\n\tand\tx10, x13, #3 // At this point acc2 is 2 bits at most (value of 3)\n\tand\tx8, x13, #-4\n\textr\tx13, x14, x13, #2\n\tadds\tx8, x8, x11\n\tlsr\tx11, x14, #2\n\tadc\tx9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits\n\tadds\tx8, x8, x13\n\tadcs\tx9, x9, x12\n\tadc\tx10, x10, xzr // At this point acc2 has the value of 4 at most\n\tb\t.Lopen_tail_64_rounds\n\n.Lopen_tail_64_rounds_done:\n\tadd\tv0.4s, v0.4s, v24.4s\n\tadd\tv5.4s, v5.4s, v28.4s\n\tadd\tv10.4s, v10.4s, v29.4s\n\tadd\tv15.4s, v15.4s, v30.4s\n\tadd\tv15.4s, v15.4s, v23.4s\n\n.Lopen_tail_64_store:\n\tcmp\tx2, #16\n\tb.lt\t.Lopen_tail_16\n\n\tld1\t{v20.16b}, [x1], #16\n\teor\tv20.16b, v20.16b, v0.16b\n\tst1\t{v20.16b}, [x0], #16\n\tmov\tv0.16b, v5.16b\n\tmov\tv5.16b, v10.16b\n\tmov\tv10.16b, v15.16b\n\tsub\tx2, x2, #16\n\tb\t.Lopen_tail_64_store\n\n.Lopen_tail_16:\n // Here we handle the last [0,16) bytes that require a padded block\n\tcbz\tx2, .Lopen_finalize\n\n\teor\tv20.16b, v20.16b, v20.16b // Use T0 to load the ciphertext\n\teor\tv21.16b, v21.16b, v21.16b // Use T1 to generate an AND mask\n\tnot\tv22.16b, v20.16b\n\n\tadd\tx7, x1, x2\n\tmov\tx6, x2\n\n.Lopen_tail_16_compose:\n\text\tv20.16b, v20.16b, v20.16b, #15\n\tldrb\tw11, [x7, #-1]!\n\tmov\tv20.b[0], w11\n\text\tv21.16b, v22.16b, v21.16b, #15\n\tsubs\tx2, x2, #1\n\tb.gt\t.Lopen_tail_16_compose\n\n\tand\tv20.16b, v20.16b, v21.16b\n // Hash in the final padded block\n\tmov\tx11, v20.d[0]\n\tmov\tx12, v20.d[1]\n\tadds\tx8, x8, x11\n\tadcs\tx9, x9, x12\n\tadc\tx10, x10, x15\n\tmul\tx11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0\n\tumulh\tx12, x8, x16\n\tmul\tx13, x9, x16\n\tumulh\tx14, x9, x16\n\tadds\tx12, x12, x13\n\tmul\tx13, x10, x16\n\tadc\tx13, x13, x14\n\tmul\tx14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0]\n\tumulh\tx8, x8, x17\n\tadds\tx12, x12, x14\n\tmul\tx14, x9, x17\n\tumulh\tx9, x9, x17\n\tadcs\tx14, x14, x8\n\tmul\tx10, x10, x17\n\tadc\tx10, x10, x9\n\tadds\tx13, x13, x14\n\tadc\tx14, x10, xzr\n\tand\tx10, x13, #3 // At this point acc2 is 2 bits at most (value of 3)\n\tand\tx8, x13, #-4\n\textr\tx13, x14, x13, #2\n\tadds\tx8, x8, x11\n\tlsr\tx11, x14, #2\n\tadc\tx9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits\n\tadds\tx8, x8, x13\n\tadcs\tx9, x9, x12\n\tadc\tx10, x10, xzr // At this point acc2 has the value of 4 at most\n\teor\tv20.16b, v20.16b, v0.16b\n\n.Lopen_tail_16_store:\n\tumov\tw11, v20.b[0]\n\tstrb\tw11, [x0], #1\n\text\tv20.16b, v20.16b, v20.16b, #1\n\tsubs\tx6, x6, #1\n\tb.gt\t.Lopen_tail_16_store\n\n.Lopen_finalize:\n\tmov\tx11, v31.d[0]\n\tmov\tx12, v31.d[1]\n\tadds\tx8, x8, x11\n\tadcs\tx9, x9, x12\n\tadc\tx10, x10, x15\n\tmul\tx11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0\n\tumulh\tx12, x8, x16\n\tmul\tx13, x9, x16\n\tumulh\tx14, x9, x16\n\tadds\tx12, x12, x13\n\tmul\tx13, x10, x16\n\tadc\tx13, x13, x14\n\tmul\tx14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0]\n\tumulh\tx8, x8, x17\n\tadds\tx12, x12, x14\n\tmul\tx14, x9, x17\n\tumulh\tx9, x9, x17\n\tadcs\tx14, x14, x8\n\tmul\tx10, x10, x17\n\tadc\tx10, x10, x9\n\tadds\tx13, x13, x14\n\tadc\tx14, x10, xzr\n\tand\tx10, x13, #3 // At this point acc2 is 2 bits at most (value of 3)\n\tand\tx8, x13, #-4\n\textr\tx13, x14, x13, #2\n\tadds\tx8, x8, x11\n\tlsr\tx11, x14, #2\n\tadc\tx9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits\n\tadds\tx8, x8, x13\n\tadcs\tx9, x9, x12\n\tadc\tx10, x10, xzr // At this point acc2 has the value of 4 at most\n // Final reduction step\n\tsub\tx12, xzr, x15\n\torr\tx13, xzr, #3\n\tsubs\tx11, x8, #-5\n\tsbcs\tx12, x9, x12\n\tsbcs\tx13, x10, x13\n\tcsel\tx8, x11, x8, cs\n\tcsel\tx9, x12, x9, cs\n\tcsel\tx10, x13, x10, cs\n\tmov\tx11, v27.d[0]\n\tmov\tx12, v27.d[1]\n\tadds\tx8, x8, x11\n\tadcs\tx9, x9, x12\n\tadc\tx10, x10, x15\n\n\tstp\tx8, x9, [x5]\n\n\tldp\td8, d9, [sp, #16]\n\tldp\td10, d11, [sp, #32]\n\tldp\td12, d13, [sp, #48]\n\tldp\td14, d15, [sp, #64]\n.cfi_restore\tb15\n.cfi_restore\tb14\n.cfi_restore\tb13\n.cfi_restore\tb12\n.cfi_restore\tb11\n.cfi_restore\tb10\n.cfi_restore\tb9\n.cfi_restore\tb8\n\tldp\tx29, x30, [sp], 80\n.cfi_restore\tw29\n.cfi_restore\tw30\n.cfi_def_cfa_offset\t0\n\tAARCH64_VALIDATE_LINK_REGISTER\n\tret\n\n.Lopen_128:\n // On some architectures preparing 5 blocks for small buffers is wasteful\n\teor\tv25.16b, v25.16b, v25.16b\n\tmov\tx11, #1\n\tmov\tv25.s[0], w11\n\tmov\tv0.16b, v24.16b\n\tmov\tv1.16b, v24.16b\n\tmov\tv2.16b, v24.16b\n\tmov\tv5.16b, v28.16b\n\tmov\tv6.16b, v28.16b\n\tmov\tv7.16b, v28.16b\n\tmov\tv10.16b, v29.16b\n\tmov\tv11.16b, v29.16b\n\tmov\tv12.16b, v29.16b\n\tmov\tv17.16b, v30.16b\n\tadd\tv15.4s, v17.4s, v25.4s\n\tadd\tv16.4s, v15.4s, v25.4s\n\n\tmov\tx6, #10\n\n.Lopen_128_rounds:\n\tadd\tv0.4s, v0.4s, v5.4s\n\tadd\tv1.4s, v1.4s, v6.4s\n\tadd\tv2.4s, v2.4s, v7.4s\n\teor\tv15.16b, v15.16b, v0.16b\n\teor\tv16.16b, v16.16b, v1.16b\n\teor\tv17.16b, v17.16b, v2.16b\n\trev32\tv15.8h, v15.8h\n\trev32\tv16.8h, v16.8h\n\trev32\tv17.8h, v17.8h\n\n\tadd\tv10.4s, v10.4s, v15.4s\n\tadd\tv11.4s, v11.4s, v16.4s\n\tadd\tv12.4s, v12.4s, v17.4s\n\teor\tv5.16b, v5.16b, v10.16b\n\teor\tv6.16b, v6.16b, v11.16b\n\teor\tv7.16b, v7.16b, v12.16b\n\tushr\tv20.4s, v5.4s, #20\n\tsli\tv20.4s, v5.4s, #12\n\tushr\tv5.4s, v6.4s, #20\n\tsli\tv5.4s, v6.4s, #12\n\tushr\tv6.4s, v7.4s, #20\n\tsli\tv6.4s, v7.4s, #12\n\n\tadd\tv0.4s, v0.4s, v20.4s\n\tadd\tv1.4s, v1.4s, v5.4s\n\tadd\tv2.4s, v2.4s, v6.4s\n\teor\tv15.16b, v15.16b, v0.16b\n\teor\tv16.16b, v16.16b, v1.16b\n\teor\tv17.16b, v17.16b, v2.16b\n\ttbl\tv15.16b, {v15.16b}, v26.16b\n\ttbl\tv16.16b, {v16.16b}, v26.16b\n\ttbl\tv17.16b, {v17.16b}, v26.16b\n\n\tadd\tv10.4s, v10.4s, v15.4s\n\tadd\tv11.4s, v11.4s, v16.4s\n\tadd\tv12.4s, v12.4s, v17.4s\n\teor\tv20.16b, v20.16b, v10.16b\n\teor\tv5.16b, v5.16b, v11.16b\n\teor\tv6.16b, v6.16b, v12.16b\n\tushr\tv7.4s, v6.4s, #25\n\tsli\tv7.4s, v6.4s, #7\n\tushr\tv6.4s, v5.4s, #25\n\tsli\tv6.4s, v5.4s, #7\n\tushr\tv5.4s, v20.4s, #25\n\tsli\tv5.4s, v20.4s, #7\n\n\text\tv5.16b, v5.16b, v5.16b, #4\n\text\tv6.16b, v6.16b, v6.16b, #4\n\text\tv7.16b, v7.16b, v7.16b, #4\n\n\text\tv10.16b, v10.16b, v10.16b, #8\n\text\tv11.16b, v11.16b, v11.16b, #8\n\text\tv12.16b, v12.16b, v12.16b, #8\n\n\text\tv15.16b, v15.16b, v15.16b, #12\n\text\tv16.16b, v16.16b, v16.16b, #12\n\text\tv17.16b, v17.16b, v17.16b, #12\n\tadd\tv0.4s, v0.4s, v5.4s\n\tadd\tv1.4s, v1.4s, v6.4s\n\tadd\tv2.4s, v2.4s, v7.4s\n\teor\tv15.16b, v15.16b, v0.16b\n\teor\tv16.16b, v16.16b, v1.16b\n\teor\tv17.16b, v17.16b, v2.16b\n\trev32\tv15.8h, v15.8h\n\trev32\tv16.8h, v16.8h\n\trev32\tv17.8h, v17.8h\n\n\tadd\tv10.4s, v10.4s, v15.4s\n\tadd\tv11.4s, v11.4s, v16.4s\n\tadd\tv12.4s, v12.4s, v17.4s\n\teor\tv5.16b, v5.16b, v10.16b\n\teor\tv6.16b, v6.16b, v11.16b\n\teor\tv7.16b, v7.16b, v12.16b\n\tushr\tv20.4s, v5.4s, #20\n\tsli\tv20.4s, v5.4s, #12\n\tushr\tv5.4s, v6.4s, #20\n\tsli\tv5.4s, v6.4s, #12\n\tushr\tv6.4s, v7.4s, #20\n\tsli\tv6.4s, v7.4s, #12\n\n\tadd\tv0.4s, v0.4s, v20.4s\n\tadd\tv1.4s, v1.4s, v5.4s\n\tadd\tv2.4s, v2.4s, v6.4s\n\teor\tv15.16b, v15.16b, v0.16b\n\teor\tv16.16b, v16.16b, v1.16b\n\teor\tv17.16b, v17.16b, v2.16b\n\ttbl\tv15.16b, {v15.16b}, v26.16b\n\ttbl\tv16.16b, {v16.16b}, v26.16b\n\ttbl\tv17.16b, {v17.16b}, v26.16b\n\n\tadd\tv10.4s, v10.4s, v15.4s\n\tadd\tv11.4s, v11.4s, v16.4s\n\tadd\tv12.4s, v12.4s, v17.4s\n\teor\tv20.16b, v20.16b, v10.16b\n\teor\tv5.16b, v5.16b, v11.16b\n\teor\tv6.16b, v6.16b, v12.16b\n\tushr\tv7.4s, v6.4s, #25\n\tsli\tv7.4s, v6.4s, #7\n\tushr\tv6.4s, v5.4s, #25\n\tsli\tv6.4s, v5.4s, #7\n\tushr\tv5.4s, v20.4s, #25\n\tsli\tv5.4s, v20.4s, #7\n\n\text\tv5.16b, v5.16b, v5.16b, #12\n\text\tv6.16b, v6.16b, v6.16b, #12\n\text\tv7.16b, v7.16b, v7.16b, #12\n\n\text\tv10.16b, v10.16b, v10.16b, #8\n\text\tv11.16b, v11.16b, v11.16b, #8\n\text\tv12.16b, v12.16b, v12.16b, #8\n\n\text\tv15.16b, v15.16b, v15.16b, #4\n\text\tv16.16b, v16.16b, v16.16b, #4\n\text\tv17.16b, v17.16b, v17.16b, #4\n\tsubs\tx6, x6, #1\n\tb.hi\t.Lopen_128_rounds\n\n\tadd\tv0.4s, v0.4s, v24.4s\n\tadd\tv1.4s, v1.4s, v24.4s\n\tadd\tv2.4s, v2.4s, v24.4s\n\n\tadd\tv5.4s, v5.4s, v28.4s\n\tadd\tv6.4s, v6.4s, v28.4s\n\tadd\tv7.4s, v7.4s, v28.4s\n\n\tadd\tv10.4s, v10.4s, v29.4s\n\tadd\tv11.4s, v11.4s, v29.4s\n\n\tadd\tv30.4s, v30.4s, v25.4s\n\tadd\tv15.4s, v15.4s, v30.4s\n\tadd\tv30.4s, v30.4s, v25.4s\n\tadd\tv16.4s, v16.4s, v30.4s\n\n\tand\tv2.16b, v2.16b, v27.16b\n\tmov\tx16, v2.d[0] // Move the R key to GPRs\n\tmov\tx17, v2.d[1]\n\tmov\tv27.16b, v7.16b // Store the S key\n\n\tbl\t.Lpoly_hash_ad_internal\n\n.Lopen_128_store:\n\tcmp\tx2, #64\n\tb.lt\t.Lopen_128_store_64\n\n\tld1\t{v20.16b - v23.16b}, [x1], #64\n\n\tmov\tx11, v20.d[0]\n\tmov\tx12, v20.d[1]\n\tadds\tx8, x8, x11\n\tadcs\tx9, x9, x12\n\tadc\tx10, x10, x15\n\tmul\tx11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0\n\tumulh\tx12, x8, x16\n\tmul\tx13, x9, x16\n\tumulh\tx14, x9, x16\n\tadds\tx12, x12, x13\n\tmul\tx13, x10, x16\n\tadc\tx13, x13, x14\n\tmul\tx14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0]\n\tumulh\tx8, x8, x17\n\tadds\tx12, x12, x14\n\tmul\tx14, x9, x17\n\tumulh\tx9, x9, x17\n\tadcs\tx14, x14, x8\n\tmul\tx10, x10, x17\n\tadc\tx10, x10, x9\n\tadds\tx13, x13, x14\n\tadc\tx14, x10, xzr\n\tand\tx10, x13, #3 // At this point acc2 is 2 bits at most (value of 3)\n\tand\tx8, x13, #-4\n\textr\tx13, x14, x13, #2\n\tadds\tx8, x8, x11\n\tlsr\tx11, x14, #2\n\tadc\tx9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits\n\tadds\tx8, x8, x13\n\tadcs\tx9, x9, x12\n\tadc\tx10, x10, xzr // At this point acc2 has the value of 4 at most\n\tmov\tx11, v21.d[0]\n\tmov\tx12, v21.d[1]\n\tadds\tx8, x8, x11\n\tadcs\tx9, x9, x12\n\tadc\tx10, x10, x15\n\tmul\tx11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0\n\tumulh\tx12, x8, x16\n\tmul\tx13, x9, x16\n\tumulh\tx14, x9, x16\n\tadds\tx12, x12, x13\n\tmul\tx13, x10, x16\n\tadc\tx13, x13, x14\n\tmul\tx14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0]\n\tumulh\tx8, x8, x17\n\tadds\tx12, x12, x14\n\tmul\tx14, x9, x17\n\tumulh\tx9, x9, x17\n\tadcs\tx14, x14, x8\n\tmul\tx10, x10, x17\n\tadc\tx10, x10, x9\n\tadds\tx13, x13, x14\n\tadc\tx14, x10, xzr\n\tand\tx10, x13, #3 // At this point acc2 is 2 bits at most (value of 3)\n\tand\tx8, x13, #-4\n\textr\tx13, x14, x13, #2\n\tadds\tx8, x8, x11\n\tlsr\tx11, x14, #2\n\tadc\tx9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits\n\tadds\tx8, x8, x13\n\tadcs\tx9, x9, x12\n\tadc\tx10, x10, xzr // At this point acc2 has the value of 4 at most\n\tmov\tx11, v22.d[0]\n\tmov\tx12, v22.d[1]\n\tadds\tx8, x8, x11\n\tadcs\tx9, x9, x12\n\tadc\tx10, x10, x15\n\tmul\tx11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0\n\tumulh\tx12, x8, x16\n\tmul\tx13, x9, x16\n\tumulh\tx14, x9, x16\n\tadds\tx12, x12, x13\n\tmul\tx13, x10, x16\n\tadc\tx13, x13, x14\n\tmul\tx14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0]\n\tumulh\tx8, x8, x17\n\tadds\tx12, x12, x14\n\tmul\tx14, x9, x17\n\tumulh\tx9, x9, x17\n\tadcs\tx14, x14, x8\n\tmul\tx10, x10, x17\n\tadc\tx10, x10, x9\n\tadds\tx13, x13, x14\n\tadc\tx14, x10, xzr\n\tand\tx10, x13, #3 // At this point acc2 is 2 bits at most (value of 3)\n\tand\tx8, x13, #-4\n\textr\tx13, x14, x13, #2\n\tadds\tx8, x8, x11\n\tlsr\tx11, x14, #2\n\tadc\tx9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits\n\tadds\tx8, x8, x13\n\tadcs\tx9, x9, x12\n\tadc\tx10, x10, xzr // At this point acc2 has the value of 4 at most\n\tmov\tx11, v23.d[0]\n\tmov\tx12, v23.d[1]\n\tadds\tx8, x8, x11\n\tadcs\tx9, x9, x12\n\tadc\tx10, x10, x15\n\tmul\tx11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0\n\tumulh\tx12, x8, x16\n\tmul\tx13, x9, x16\n\tumulh\tx14, x9, x16\n\tadds\tx12, x12, x13\n\tmul\tx13, x10, x16\n\tadc\tx13, x13, x14\n\tmul\tx14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0]\n\tumulh\tx8, x8, x17\n\tadds\tx12, x12, x14\n\tmul\tx14, x9, x17\n\tumulh\tx9, x9, x17\n\tadcs\tx14, x14, x8\n\tmul\tx10, x10, x17\n\tadc\tx10, x10, x9\n\tadds\tx13, x13, x14\n\tadc\tx14, x10, xzr\n\tand\tx10, x13, #3 // At this point acc2 is 2 bits at most (value of 3)\n\tand\tx8, x13, #-4\n\textr\tx13, x14, x13, #2\n\tadds\tx8, x8, x11\n\tlsr\tx11, x14, #2\n\tadc\tx9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits\n\tadds\tx8, x8, x13\n\tadcs\tx9, x9, x12\n\tadc\tx10, x10, xzr // At this point acc2 has the value of 4 at most\n\n\teor\tv20.16b, v20.16b, v0.16b\n\teor\tv21.16b, v21.16b, v5.16b\n\teor\tv22.16b, v22.16b, v10.16b\n\teor\tv23.16b, v23.16b, v15.16b\n\n\tst1\t{v20.16b - v23.16b}, [x0], #64\n\n\tsub\tx2, x2, #64\n\n\tmov\tv0.16b, v1.16b\n\tmov\tv5.16b, v6.16b\n\tmov\tv10.16b, v11.16b\n\tmov\tv15.16b, v16.16b\n\n.Lopen_128_store_64:\n\n\tlsr\tx4, x2, #4\n\tmov\tx3, x1\n\n.Lopen_128_hash_64:\n\tcbz\tx4, .Lopen_tail_64_store\n\tldp\tx11, x12, [x3], 16\n\tadds\tx8, x8, x11\n\tadcs\tx9, x9, x12\n\tadc\tx10, x10, x15\n\tmul\tx11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0\n\tumulh\tx12, x8, x16\n\tmul\tx13, x9, x16\n\tumulh\tx14, x9, x16\n\tadds\tx12, x12, x13\n\tmul\tx13, x10, x16\n\tadc\tx13, x13, x14\n\tmul\tx14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0]\n\tumulh\tx8, x8, x17\n\tadds\tx12, x12, x14\n\tmul\tx14, x9, x17\n\tumulh\tx9, x9, x17\n\tadcs\tx14, x14, x8\n\tmul\tx10, x10, x17\n\tadc\tx10, x10, x9\n\tadds\tx13, x13, x14\n\tadc\tx14, x10, xzr\n\tand\tx10, x13, #3 // At this point acc2 is 2 bits at most (value of 3)\n\tand\tx8, x13, #-4\n\textr\tx13, x14, x13, #2\n\tadds\tx8, x8, x11\n\tlsr\tx11, x14, #2\n\tadc\tx9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits\n\tadds\tx8, x8, x13\n\tadcs\tx9, x9, x12\n\tadc\tx10, x10, xzr // At this point acc2 has the value of 4 at most\n\tsub\tx4, x4, #1\n\tb\t.Lopen_128_hash_64\n.cfi_endproc\n.size\tchacha20_poly1305_open,.-chacha20_poly1305_open\n#endif // !OPENSSL_NO_ASM && defined(OPENSSL_AARCH64) && defined(__ELF__)\n#if defined(__linux__) && defined(__ELF__)\n.section .note.GNU-stack,\"\",%progbits\n#endif\n\n" }, { "path": "Sources/CNIOBoringSSL/gen/crypto/chacha20_poly1305_armv8-win.S", "content": "#define BORINGSSL_PREFIX CNIOBoringSSL\n// This file is generated from a similarly-named Perl script in the BoringSSL\n// source tree. Do not edit by hand.\n\n#include \n\n#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_AARCH64) && defined(_WIN32)\n#include \n.section\t.rodata\n\n.align\t7\nLchacha20_consts:\n.byte\t'e','x','p','a','n','d',' ','3','2','-','b','y','t','e',' ','k'\nLinc:\n.long\t1,2,3,4\nLrol8:\n.byte\t3,0,1,2, 7,4,5,6, 11,8,9,10, 15,12,13,14\nLclamp:\n.quad\t0x0FFFFFFC0FFFFFFF, 0x0FFFFFFC0FFFFFFC\n\n.text\n\n.def Lpoly_hash_ad_internal\n .type 32\n.endef\n.align\t6\nLpoly_hash_ad_internal:\n.cfi_startproc\n\tcbnz\tx4, Lpoly_hash_intro\n\tret\n\nLpoly_hash_intro:\n\tcmp\tx4, #16\n\tb.lt\tLpoly_hash_ad_tail\n\tldp\tx11, x12, [x3], 16\n\tadds\tx8, x8, x11\n\tadcs\tx9, x9, x12\n\tadc\tx10, x10, x15\n\tmul\tx11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0\n\tumulh\tx12, x8, x16\n\tmul\tx13, x9, x16\n\tumulh\tx14, x9, x16\n\tadds\tx12, x12, x13\n\tmul\tx13, x10, x16\n\tadc\tx13, x13, x14\n\tmul\tx14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0]\n\tumulh\tx8, x8, x17\n\tadds\tx12, x12, x14\n\tmul\tx14, x9, x17\n\tumulh\tx9, x9, x17\n\tadcs\tx14, x14, x8\n\tmul\tx10, x10, x17\n\tadc\tx10, x10, x9\n\tadds\tx13, x13, x14\n\tadc\tx14, x10, xzr\n\tand\tx10, x13, #3 // At this point acc2 is 2 bits at most (value of 3)\n\tand\tx8, x13, #-4\n\textr\tx13, x14, x13, #2\n\tadds\tx8, x8, x11\n\tlsr\tx11, x14, #2\n\tadc\tx9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits\n\tadds\tx8, x8, x13\n\tadcs\tx9, x9, x12\n\tadc\tx10, x10, xzr // At this point acc2 has the value of 4 at most\n\tsub\tx4, x4, #16\n\tb\tLpoly_hash_ad_internal\n\nLpoly_hash_ad_tail:\n\tcbz\tx4, Lpoly_hash_ad_ret\n\n\teor\tv20.16b, v20.16b, v20.16b // Use T0 to load the AAD\n\tsub\tx4, x4, #1\n\nLpoly_hash_tail_16_compose:\n\text\tv20.16b, v20.16b, v20.16b, #15\n\tldrb\tw11, [x3, x4]\n\tmov\tv20.b[0], w11\n\tsubs\tx4, x4, #1\n\tb.ge\tLpoly_hash_tail_16_compose\n\tmov\tx11, v20.d[0]\n\tmov\tx12, v20.d[1]\n\tadds\tx8, x8, x11\n\tadcs\tx9, x9, x12\n\tadc\tx10, x10, x15\n\tmul\tx11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0\n\tumulh\tx12, x8, x16\n\tmul\tx13, x9, x16\n\tumulh\tx14, x9, x16\n\tadds\tx12, x12, x13\n\tmul\tx13, x10, x16\n\tadc\tx13, x13, x14\n\tmul\tx14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0]\n\tumulh\tx8, x8, x17\n\tadds\tx12, x12, x14\n\tmul\tx14, x9, x17\n\tumulh\tx9, x9, x17\n\tadcs\tx14, x14, x8\n\tmul\tx10, x10, x17\n\tadc\tx10, x10, x9\n\tadds\tx13, x13, x14\n\tadc\tx14, x10, xzr\n\tand\tx10, x13, #3 // At this point acc2 is 2 bits at most (value of 3)\n\tand\tx8, x13, #-4\n\textr\tx13, x14, x13, #2\n\tadds\tx8, x8, x11\n\tlsr\tx11, x14, #2\n\tadc\tx9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits\n\tadds\tx8, x8, x13\n\tadcs\tx9, x9, x12\n\tadc\tx10, x10, xzr // At this point acc2 has the value of 4 at most\n\nLpoly_hash_ad_ret:\n\tret\n.cfi_endproc\n\n\n/////////////////////////////////\n//\n// void chacha20_poly1305_seal(uint8_t *pt, uint8_t *ct, size_t len_in, uint8_t *ad, size_t len_ad, union open_data *seal_data);\n//\n.globl\tchacha20_poly1305_seal\n\n.def chacha20_poly1305_seal\n .type 32\n.endef\n.align\t6\nchacha20_poly1305_seal:\n\tAARCH64_SIGN_LINK_REGISTER\n.cfi_startproc\n\tstp\tx29, x30, [sp, #-80]!\n.cfi_def_cfa_offset\t80\n.cfi_offset\tw30, -72\n.cfi_offset\tw29, -80\n\tmov\tx29, sp\n // We probably could do .cfi_def_cfa w29, 80 at this point, but since\n // we don't actually use the frame pointer like that, it's probably not\n // worth bothering.\n\tstp\td8, d9, [sp, #16]\n\tstp\td10, d11, [sp, #32]\n\tstp\td12, d13, [sp, #48]\n\tstp\td14, d15, [sp, #64]\n.cfi_offset\tb15, -8\n.cfi_offset\tb14, -16\n.cfi_offset\tb13, -24\n.cfi_offset\tb12, -32\n.cfi_offset\tb11, -40\n.cfi_offset\tb10, -48\n.cfi_offset\tb9, -56\n.cfi_offset\tb8, -64\n\n\tadrp\tx11, Lchacha20_consts\n\tadd\tx11, x11, :lo12:Lchacha20_consts\n\n\tld1\t{v24.16b - v27.16b}, [x11] // Load the CONSTS, INC, ROL8 and CLAMP values\n\tld1\t{v28.16b - v30.16b}, [x5]\n\n\tmov\tx15, #1 // Prepare the Poly1305 state\n\tmov\tx8, #0\n\tmov\tx9, #0\n\tmov\tx10, #0\n\n\tldr\tx12, [x5, #56] // The total cipher text length includes extra_in_len\n\tadd\tx12, x12, x2\n\tmov\tv31.d[0], x4 // Store the input and aad lengths\n\tmov\tv31.d[1], x12\n\n\tcmp\tx2, #128\n\tb.le\tLseal_128 // Optimization for smaller buffers\n\n // Initially we prepare 5 ChaCha20 blocks. Four to encrypt up to 4 blocks (256 bytes) of plaintext,\n // and one for the Poly1305 R and S keys. The first four blocks (A0-A3..D0-D3) are computed vertically,\n // the fifth block (A4-D4) horizontally.\n\tld4r\t{v0.4s,v1.4s,v2.4s,v3.4s}, [x11]\n\tmov\tv4.16b, v24.16b\n\n\tld4r\t{v5.4s,v6.4s,v7.4s,v8.4s}, [x5], #16\n\tmov\tv9.16b, v28.16b\n\n\tld4r\t{v10.4s,v11.4s,v12.4s,v13.4s}, [x5], #16\n\tmov\tv14.16b, v29.16b\n\n\tld4r\t{v15.4s,v16.4s,v17.4s,v18.4s}, [x5]\n\tadd\tv15.4s, v15.4s, v25.4s\n\tmov\tv19.16b, v30.16b\n\n\tsub\tx5, x5, #32\n\n\tmov\tx6, #10\n\n.align\t5\nLseal_init_rounds:\n\tadd\tv0.4s, v0.4s, v5.4s\n\tadd\tv1.4s, v1.4s, v6.4s\n\tadd\tv2.4s, v2.4s, v7.4s\n\tadd\tv3.4s, v3.4s, v8.4s\n\tadd\tv4.4s, v4.4s, v9.4s\n\n\teor\tv15.16b, v15.16b, v0.16b\n\teor\tv16.16b, v16.16b, v1.16b\n\teor\tv17.16b, v17.16b, v2.16b\n\teor\tv18.16b, v18.16b, v3.16b\n\teor\tv19.16b, v19.16b, v4.16b\n\n\trev32\tv15.8h, v15.8h\n\trev32\tv16.8h, v16.8h\n\trev32\tv17.8h, v17.8h\n\trev32\tv18.8h, v18.8h\n\trev32\tv19.8h, v19.8h\n\n\tadd\tv10.4s, v10.4s, v15.4s\n\tadd\tv11.4s, v11.4s, v16.4s\n\tadd\tv12.4s, v12.4s, v17.4s\n\tadd\tv13.4s, v13.4s, v18.4s\n\tadd\tv14.4s, v14.4s, v19.4s\n\n\teor\tv5.16b, v5.16b, v10.16b\n\teor\tv6.16b, v6.16b, v11.16b\n\teor\tv7.16b, v7.16b, v12.16b\n\teor\tv8.16b, v8.16b, v13.16b\n\teor\tv9.16b, v9.16b, v14.16b\n\n\tushr\tv20.4s, v5.4s, #20\n\tsli\tv20.4s, v5.4s, #12\n\tushr\tv5.4s, v6.4s, #20\n\tsli\tv5.4s, v6.4s, #12\n\tushr\tv6.4s, v7.4s, #20\n\tsli\tv6.4s, v7.4s, #12\n\tushr\tv7.4s, v8.4s, #20\n\tsli\tv7.4s, v8.4s, #12\n\tushr\tv8.4s, v9.4s, #20\n\tsli\tv8.4s, v9.4s, #12\n\n\tadd\tv0.4s, v0.4s, v20.4s\n\tadd\tv1.4s, v1.4s, v5.4s\n\tadd\tv2.4s, v2.4s, v6.4s\n\tadd\tv3.4s, v3.4s, v7.4s\n\tadd\tv4.4s, v4.4s, v8.4s\n\n\teor\tv15.16b, v15.16b, v0.16b\n\teor\tv16.16b, v16.16b, v1.16b\n\teor\tv17.16b, v17.16b, v2.16b\n\teor\tv18.16b, v18.16b, v3.16b\n\teor\tv19.16b, v19.16b, v4.16b\n\n\ttbl\tv15.16b, {v15.16b}, v26.16b\n\ttbl\tv16.16b, {v16.16b}, v26.16b\n\ttbl\tv17.16b, {v17.16b}, v26.16b\n\ttbl\tv18.16b, {v18.16b}, v26.16b\n\ttbl\tv19.16b, {v19.16b}, v26.16b\n\n\tadd\tv10.4s, v10.4s, v15.4s\n\tadd\tv11.4s, v11.4s, v16.4s\n\tadd\tv12.4s, v12.4s, v17.4s\n\tadd\tv13.4s, v13.4s, v18.4s\n\tadd\tv14.4s, v14.4s, v19.4s\n\n\teor\tv20.16b, v20.16b, v10.16b\n\teor\tv5.16b, v5.16b, v11.16b\n\teor\tv6.16b, v6.16b, v12.16b\n\teor\tv7.16b, v7.16b, v13.16b\n\teor\tv8.16b, v8.16b, v14.16b\n\n\tushr\tv9.4s, v8.4s, #25\n\tsli\tv9.4s, v8.4s, #7\n\tushr\tv8.4s, v7.4s, #25\n\tsli\tv8.4s, v7.4s, #7\n\tushr\tv7.4s, v6.4s, #25\n\tsli\tv7.4s, v6.4s, #7\n\tushr\tv6.4s, v5.4s, #25\n\tsli\tv6.4s, v5.4s, #7\n\tushr\tv5.4s, v20.4s, #25\n\tsli\tv5.4s, v20.4s, #7\n\n\text\tv9.16b, v9.16b, v9.16b, #4\n\text\tv14.16b, v14.16b, v14.16b, #8\n\text\tv19.16b, v19.16b, v19.16b, #12\n\tadd\tv0.4s, v0.4s, v6.4s\n\tadd\tv1.4s, v1.4s, v7.4s\n\tadd\tv2.4s, v2.4s, v8.4s\n\tadd\tv3.4s, v3.4s, v5.4s\n\tadd\tv4.4s, v4.4s, v9.4s\n\n\teor\tv18.16b, v18.16b, v0.16b\n\teor\tv15.16b, v15.16b, v1.16b\n\teor\tv16.16b, v16.16b, v2.16b\n\teor\tv17.16b, v17.16b, v3.16b\n\teor\tv19.16b, v19.16b, v4.16b\n\n\trev32\tv18.8h, v18.8h\n\trev32\tv15.8h, v15.8h\n\trev32\tv16.8h, v16.8h\n\trev32\tv17.8h, v17.8h\n\trev32\tv19.8h, v19.8h\n\n\tadd\tv12.4s, v12.4s, v18.4s\n\tadd\tv13.4s, v13.4s, v15.4s\n\tadd\tv10.4s, v10.4s, v16.4s\n\tadd\tv11.4s, v11.4s, v17.4s\n\tadd\tv14.4s, v14.4s, v19.4s\n\n\teor\tv6.16b, v6.16b, v12.16b\n\teor\tv7.16b, v7.16b, v13.16b\n\teor\tv8.16b, v8.16b, v10.16b\n\teor\tv5.16b, v5.16b, v11.16b\n\teor\tv9.16b, v9.16b, v14.16b\n\n\tushr\tv20.4s, v6.4s, #20\n\tsli\tv20.4s, v6.4s, #12\n\tushr\tv6.4s, v7.4s, #20\n\tsli\tv6.4s, v7.4s, #12\n\tushr\tv7.4s, v8.4s, #20\n\tsli\tv7.4s, v8.4s, #12\n\tushr\tv8.4s, v5.4s, #20\n\tsli\tv8.4s, v5.4s, #12\n\tushr\tv5.4s, v9.4s, #20\n\tsli\tv5.4s, v9.4s, #12\n\n\tadd\tv0.4s, v0.4s, v20.4s\n\tadd\tv1.4s, v1.4s, v6.4s\n\tadd\tv2.4s, v2.4s, v7.4s\n\tadd\tv3.4s, v3.4s, v8.4s\n\tadd\tv4.4s, v4.4s, v5.4s\n\n\teor\tv18.16b, v18.16b, v0.16b\n\teor\tv15.16b, v15.16b, v1.16b\n\teor\tv16.16b, v16.16b, v2.16b\n\teor\tv17.16b, v17.16b, v3.16b\n\teor\tv19.16b, v19.16b, v4.16b\n\n\ttbl\tv18.16b, {v18.16b}, v26.16b\n\ttbl\tv15.16b, {v15.16b}, v26.16b\n\ttbl\tv16.16b, {v16.16b}, v26.16b\n\ttbl\tv17.16b, {v17.16b}, v26.16b\n\ttbl\tv19.16b, {v19.16b}, v26.16b\n\n\tadd\tv12.4s, v12.4s, v18.4s\n\tadd\tv13.4s, v13.4s, v15.4s\n\tadd\tv10.4s, v10.4s, v16.4s\n\tadd\tv11.4s, v11.4s, v17.4s\n\tadd\tv14.4s, v14.4s, v19.4s\n\n\teor\tv20.16b, v20.16b, v12.16b\n\teor\tv6.16b, v6.16b, v13.16b\n\teor\tv7.16b, v7.16b, v10.16b\n\teor\tv8.16b, v8.16b, v11.16b\n\teor\tv5.16b, v5.16b, v14.16b\n\n\tushr\tv9.4s, v5.4s, #25\n\tsli\tv9.4s, v5.4s, #7\n\tushr\tv5.4s, v8.4s, #25\n\tsli\tv5.4s, v8.4s, #7\n\tushr\tv8.4s, v7.4s, #25\n\tsli\tv8.4s, v7.4s, #7\n\tushr\tv7.4s, v6.4s, #25\n\tsli\tv7.4s, v6.4s, #7\n\tushr\tv6.4s, v20.4s, #25\n\tsli\tv6.4s, v20.4s, #7\n\n\text\tv9.16b, v9.16b, v9.16b, #12\n\text\tv14.16b, v14.16b, v14.16b, #8\n\text\tv19.16b, v19.16b, v19.16b, #4\n\tsubs\tx6, x6, #1\n\tb.hi\tLseal_init_rounds\n\n\tadd\tv15.4s, v15.4s, v25.4s\n\tmov\tx11, #4\n\tdup\tv20.4s, w11\n\tadd\tv25.4s, v25.4s, v20.4s\n\n\tzip1\tv20.4s, v0.4s, v1.4s\n\tzip2\tv21.4s, v0.4s, v1.4s\n\tzip1\tv22.4s, v2.4s, v3.4s\n\tzip2\tv23.4s, v2.4s, v3.4s\n\n\tzip1\tv0.2d, v20.2d, v22.2d\n\tzip2\tv1.2d, v20.2d, v22.2d\n\tzip1\tv2.2d, v21.2d, v23.2d\n\tzip2\tv3.2d, v21.2d, v23.2d\n\n\tzip1\tv20.4s, v5.4s, v6.4s\n\tzip2\tv21.4s, v5.4s, v6.4s\n\tzip1\tv22.4s, v7.4s, v8.4s\n\tzip2\tv23.4s, v7.4s, v8.4s\n\n\tzip1\tv5.2d, v20.2d, v22.2d\n\tzip2\tv6.2d, v20.2d, v22.2d\n\tzip1\tv7.2d, v21.2d, v23.2d\n\tzip2\tv8.2d, v21.2d, v23.2d\n\n\tzip1\tv20.4s, v10.4s, v11.4s\n\tzip2\tv21.4s, v10.4s, v11.4s\n\tzip1\tv22.4s, v12.4s, v13.4s\n\tzip2\tv23.4s, v12.4s, v13.4s\n\n\tzip1\tv10.2d, v20.2d, v22.2d\n\tzip2\tv11.2d, v20.2d, v22.2d\n\tzip1\tv12.2d, v21.2d, v23.2d\n\tzip2\tv13.2d, v21.2d, v23.2d\n\n\tzip1\tv20.4s, v15.4s, v16.4s\n\tzip2\tv21.4s, v15.4s, v16.4s\n\tzip1\tv22.4s, v17.4s, v18.4s\n\tzip2\tv23.4s, v17.4s, v18.4s\n\n\tzip1\tv15.2d, v20.2d, v22.2d\n\tzip2\tv16.2d, v20.2d, v22.2d\n\tzip1\tv17.2d, v21.2d, v23.2d\n\tzip2\tv18.2d, v21.2d, v23.2d\n\n\tadd\tv4.4s, v4.4s, v24.4s\n\tadd\tv9.4s, v9.4s, v28.4s\n\tand\tv4.16b, v4.16b, v27.16b\n\n\tadd\tv0.4s, v0.4s, v24.4s\n\tadd\tv5.4s, v5.4s, v28.4s\n\tadd\tv10.4s, v10.4s, v29.4s\n\tadd\tv15.4s, v15.4s, v30.4s\n\n\tadd\tv1.4s, v1.4s, v24.4s\n\tadd\tv6.4s, v6.4s, v28.4s\n\tadd\tv11.4s, v11.4s, v29.4s\n\tadd\tv16.4s, v16.4s, v30.4s\n\n\tadd\tv2.4s, v2.4s, v24.4s\n\tadd\tv7.4s, v7.4s, v28.4s\n\tadd\tv12.4s, v12.4s, v29.4s\n\tadd\tv17.4s, v17.4s, v30.4s\n\n\tadd\tv3.4s, v3.4s, v24.4s\n\tadd\tv8.4s, v8.4s, v28.4s\n\tadd\tv13.4s, v13.4s, v29.4s\n\tadd\tv18.4s, v18.4s, v30.4s\n\n\tmov\tx16, v4.d[0] // Move the R key to GPRs\n\tmov\tx17, v4.d[1]\n\tmov\tv27.16b, v9.16b // Store the S key\n\n\tbl\tLpoly_hash_ad_internal\n\n\tmov\tx3, x0\n\tcmp\tx2, #256\n\tb.le\tLseal_tail\n\n\tld1\t{v20.16b - v23.16b}, [x1], #64\n\teor\tv20.16b, v20.16b, v0.16b\n\teor\tv21.16b, v21.16b, v5.16b\n\teor\tv22.16b, v22.16b, v10.16b\n\teor\tv23.16b, v23.16b, v15.16b\n\tst1\t{v20.16b - v23.16b}, [x0], #64\n\n\tld1\t{v20.16b - v23.16b}, [x1], #64\n\teor\tv20.16b, v20.16b, v1.16b\n\teor\tv21.16b, v21.16b, v6.16b\n\teor\tv22.16b, v22.16b, v11.16b\n\teor\tv23.16b, v23.16b, v16.16b\n\tst1\t{v20.16b - v23.16b}, [x0], #64\n\n\tld1\t{v20.16b - v23.16b}, [x1], #64\n\teor\tv20.16b, v20.16b, v2.16b\n\teor\tv21.16b, v21.16b, v7.16b\n\teor\tv22.16b, v22.16b, v12.16b\n\teor\tv23.16b, v23.16b, v17.16b\n\tst1\t{v20.16b - v23.16b}, [x0], #64\n\n\tld1\t{v20.16b - v23.16b}, [x1], #64\n\teor\tv20.16b, v20.16b, v3.16b\n\teor\tv21.16b, v21.16b, v8.16b\n\teor\tv22.16b, v22.16b, v13.16b\n\teor\tv23.16b, v23.16b, v18.16b\n\tst1\t{v20.16b - v23.16b}, [x0], #64\n\n\tsub\tx2, x2, #256\n\n\tmov\tx6, #4 // In the first run of the loop we need to hash 256 bytes, therefore we hash one block for the first 4 rounds\n\tmov\tx7, #6 // and two blocks for the remaining 6, for a total of (1 * 4 + 2 * 6) * 16 = 256\n\nLseal_main_loop:\n\tadrp\tx11, Lchacha20_consts\n\tadd\tx11, x11, :lo12:Lchacha20_consts\n\n\tld4r\t{v0.4s,v1.4s,v2.4s,v3.4s}, [x11]\n\tmov\tv4.16b, v24.16b\n\n\tld4r\t{v5.4s,v6.4s,v7.4s,v8.4s}, [x5], #16\n\tmov\tv9.16b, v28.16b\n\n\tld4r\t{v10.4s,v11.4s,v12.4s,v13.4s}, [x5], #16\n\tmov\tv14.16b, v29.16b\n\n\tld4r\t{v15.4s,v16.4s,v17.4s,v18.4s}, [x5]\n\tadd\tv15.4s, v15.4s, v25.4s\n\tmov\tv19.16b, v30.16b\n\n\teor\tv20.16b, v20.16b, v20.16b //zero\n\tnot\tv21.16b, v20.16b // -1\n\tsub\tv21.4s, v25.4s, v21.4s // Add +1\n\text\tv20.16b, v21.16b, v20.16b, #12 // Get the last element (counter)\n\tadd\tv19.4s, v19.4s, v20.4s\n\n\tsub\tx5, x5, #32\n.align\t5\nLseal_main_loop_rounds:\n\tadd\tv0.4s, v0.4s, v5.4s\n\tadd\tv1.4s, v1.4s, v6.4s\n\tadd\tv2.4s, v2.4s, v7.4s\n\tadd\tv3.4s, v3.4s, v8.4s\n\tadd\tv4.4s, v4.4s, v9.4s\n\n\teor\tv15.16b, v15.16b, v0.16b\n\teor\tv16.16b, v16.16b, v1.16b\n\teor\tv17.16b, v17.16b, v2.16b\n\teor\tv18.16b, v18.16b, v3.16b\n\teor\tv19.16b, v19.16b, v4.16b\n\n\trev32\tv15.8h, v15.8h\n\trev32\tv16.8h, v16.8h\n\trev32\tv17.8h, v17.8h\n\trev32\tv18.8h, v18.8h\n\trev32\tv19.8h, v19.8h\n\n\tadd\tv10.4s, v10.4s, v15.4s\n\tadd\tv11.4s, v11.4s, v16.4s\n\tadd\tv12.4s, v12.4s, v17.4s\n\tadd\tv13.4s, v13.4s, v18.4s\n\tadd\tv14.4s, v14.4s, v19.4s\n\n\teor\tv5.16b, v5.16b, v10.16b\n\teor\tv6.16b, v6.16b, v11.16b\n\teor\tv7.16b, v7.16b, v12.16b\n\teor\tv8.16b, v8.16b, v13.16b\n\teor\tv9.16b, v9.16b, v14.16b\n\n\tushr\tv20.4s, v5.4s, #20\n\tsli\tv20.4s, v5.4s, #12\n\tushr\tv5.4s, v6.4s, #20\n\tsli\tv5.4s, v6.4s, #12\n\tushr\tv6.4s, v7.4s, #20\n\tsli\tv6.4s, v7.4s, #12\n\tushr\tv7.4s, v8.4s, #20\n\tsli\tv7.4s, v8.4s, #12\n\tushr\tv8.4s, v9.4s, #20\n\tsli\tv8.4s, v9.4s, #12\n\n\tadd\tv0.4s, v0.4s, v20.4s\n\tadd\tv1.4s, v1.4s, v5.4s\n\tadd\tv2.4s, v2.4s, v6.4s\n\tadd\tv3.4s, v3.4s, v7.4s\n\tadd\tv4.4s, v4.4s, v8.4s\n\n\teor\tv15.16b, v15.16b, v0.16b\n\teor\tv16.16b, v16.16b, v1.16b\n\teor\tv17.16b, v17.16b, v2.16b\n\teor\tv18.16b, v18.16b, v3.16b\n\teor\tv19.16b, v19.16b, v4.16b\n\n\ttbl\tv15.16b, {v15.16b}, v26.16b\n\ttbl\tv16.16b, {v16.16b}, v26.16b\n\ttbl\tv17.16b, {v17.16b}, v26.16b\n\ttbl\tv18.16b, {v18.16b}, v26.16b\n\ttbl\tv19.16b, {v19.16b}, v26.16b\n\n\tadd\tv10.4s, v10.4s, v15.4s\n\tadd\tv11.4s, v11.4s, v16.4s\n\tadd\tv12.4s, v12.4s, v17.4s\n\tadd\tv13.4s, v13.4s, v18.4s\n\tadd\tv14.4s, v14.4s, v19.4s\n\n\teor\tv20.16b, v20.16b, v10.16b\n\teor\tv5.16b, v5.16b, v11.16b\n\teor\tv6.16b, v6.16b, v12.16b\n\teor\tv7.16b, v7.16b, v13.16b\n\teor\tv8.16b, v8.16b, v14.16b\n\n\tushr\tv9.4s, v8.4s, #25\n\tsli\tv9.4s, v8.4s, #7\n\tushr\tv8.4s, v7.4s, #25\n\tsli\tv8.4s, v7.4s, #7\n\tushr\tv7.4s, v6.4s, #25\n\tsli\tv7.4s, v6.4s, #7\n\tushr\tv6.4s, v5.4s, #25\n\tsli\tv6.4s, v5.4s, #7\n\tushr\tv5.4s, v20.4s, #25\n\tsli\tv5.4s, v20.4s, #7\n\n\text\tv9.16b, v9.16b, v9.16b, #4\n\text\tv14.16b, v14.16b, v14.16b, #8\n\text\tv19.16b, v19.16b, v19.16b, #12\n\tldp\tx11, x12, [x3], 16\n\tadds\tx8, x8, x11\n\tadcs\tx9, x9, x12\n\tadc\tx10, x10, x15\n\tmul\tx11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0\n\tumulh\tx12, x8, x16\n\tmul\tx13, x9, x16\n\tumulh\tx14, x9, x16\n\tadds\tx12, x12, x13\n\tmul\tx13, x10, x16\n\tadc\tx13, x13, x14\n\tmul\tx14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0]\n\tumulh\tx8, x8, x17\n\tadds\tx12, x12, x14\n\tmul\tx14, x9, x17\n\tumulh\tx9, x9, x17\n\tadcs\tx14, x14, x8\n\tmul\tx10, x10, x17\n\tadc\tx10, x10, x9\n\tadds\tx13, x13, x14\n\tadc\tx14, x10, xzr\n\tand\tx10, x13, #3 // At this point acc2 is 2 bits at most (value of 3)\n\tand\tx8, x13, #-4\n\textr\tx13, x14, x13, #2\n\tadds\tx8, x8, x11\n\tlsr\tx11, x14, #2\n\tadc\tx9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits\n\tadds\tx8, x8, x13\n\tadcs\tx9, x9, x12\n\tadc\tx10, x10, xzr // At this point acc2 has the value of 4 at most\n\tadd\tv0.4s, v0.4s, v6.4s\n\tadd\tv1.4s, v1.4s, v7.4s\n\tadd\tv2.4s, v2.4s, v8.4s\n\tadd\tv3.4s, v3.4s, v5.4s\n\tadd\tv4.4s, v4.4s, v9.4s\n\n\teor\tv18.16b, v18.16b, v0.16b\n\teor\tv15.16b, v15.16b, v1.16b\n\teor\tv16.16b, v16.16b, v2.16b\n\teor\tv17.16b, v17.16b, v3.16b\n\teor\tv19.16b, v19.16b, v4.16b\n\n\trev32\tv18.8h, v18.8h\n\trev32\tv15.8h, v15.8h\n\trev32\tv16.8h, v16.8h\n\trev32\tv17.8h, v17.8h\n\trev32\tv19.8h, v19.8h\n\n\tadd\tv12.4s, v12.4s, v18.4s\n\tadd\tv13.4s, v13.4s, v15.4s\n\tadd\tv10.4s, v10.4s, v16.4s\n\tadd\tv11.4s, v11.4s, v17.4s\n\tadd\tv14.4s, v14.4s, v19.4s\n\n\teor\tv6.16b, v6.16b, v12.16b\n\teor\tv7.16b, v7.16b, v13.16b\n\teor\tv8.16b, v8.16b, v10.16b\n\teor\tv5.16b, v5.16b, v11.16b\n\teor\tv9.16b, v9.16b, v14.16b\n\n\tushr\tv20.4s, v6.4s, #20\n\tsli\tv20.4s, v6.4s, #12\n\tushr\tv6.4s, v7.4s, #20\n\tsli\tv6.4s, v7.4s, #12\n\tushr\tv7.4s, v8.4s, #20\n\tsli\tv7.4s, v8.4s, #12\n\tushr\tv8.4s, v5.4s, #20\n\tsli\tv8.4s, v5.4s, #12\n\tushr\tv5.4s, v9.4s, #20\n\tsli\tv5.4s, v9.4s, #12\n\n\tadd\tv0.4s, v0.4s, v20.4s\n\tadd\tv1.4s, v1.4s, v6.4s\n\tadd\tv2.4s, v2.4s, v7.4s\n\tadd\tv3.4s, v3.4s, v8.4s\n\tadd\tv4.4s, v4.4s, v5.4s\n\n\teor\tv18.16b, v18.16b, v0.16b\n\teor\tv15.16b, v15.16b, v1.16b\n\teor\tv16.16b, v16.16b, v2.16b\n\teor\tv17.16b, v17.16b, v3.16b\n\teor\tv19.16b, v19.16b, v4.16b\n\n\ttbl\tv18.16b, {v18.16b}, v26.16b\n\ttbl\tv15.16b, {v15.16b}, v26.16b\n\ttbl\tv16.16b, {v16.16b}, v26.16b\n\ttbl\tv17.16b, {v17.16b}, v26.16b\n\ttbl\tv19.16b, {v19.16b}, v26.16b\n\n\tadd\tv12.4s, v12.4s, v18.4s\n\tadd\tv13.4s, v13.4s, v15.4s\n\tadd\tv10.4s, v10.4s, v16.4s\n\tadd\tv11.4s, v11.4s, v17.4s\n\tadd\tv14.4s, v14.4s, v19.4s\n\n\teor\tv20.16b, v20.16b, v12.16b\n\teor\tv6.16b, v6.16b, v13.16b\n\teor\tv7.16b, v7.16b, v10.16b\n\teor\tv8.16b, v8.16b, v11.16b\n\teor\tv5.16b, v5.16b, v14.16b\n\n\tushr\tv9.4s, v5.4s, #25\n\tsli\tv9.4s, v5.4s, #7\n\tushr\tv5.4s, v8.4s, #25\n\tsli\tv5.4s, v8.4s, #7\n\tushr\tv8.4s, v7.4s, #25\n\tsli\tv8.4s, v7.4s, #7\n\tushr\tv7.4s, v6.4s, #25\n\tsli\tv7.4s, v6.4s, #7\n\tushr\tv6.4s, v20.4s, #25\n\tsli\tv6.4s, v20.4s, #7\n\n\text\tv9.16b, v9.16b, v9.16b, #12\n\text\tv14.16b, v14.16b, v14.16b, #8\n\text\tv19.16b, v19.16b, v19.16b, #4\n\tsubs\tx6, x6, #1\n\tb.ge\tLseal_main_loop_rounds\n\tldp\tx11, x12, [x3], 16\n\tadds\tx8, x8, x11\n\tadcs\tx9, x9, x12\n\tadc\tx10, x10, x15\n\tmul\tx11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0\n\tumulh\tx12, x8, x16\n\tmul\tx13, x9, x16\n\tumulh\tx14, x9, x16\n\tadds\tx12, x12, x13\n\tmul\tx13, x10, x16\n\tadc\tx13, x13, x14\n\tmul\tx14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0]\n\tumulh\tx8, x8, x17\n\tadds\tx12, x12, x14\n\tmul\tx14, x9, x17\n\tumulh\tx9, x9, x17\n\tadcs\tx14, x14, x8\n\tmul\tx10, x10, x17\n\tadc\tx10, x10, x9\n\tadds\tx13, x13, x14\n\tadc\tx14, x10, xzr\n\tand\tx10, x13, #3 // At this point acc2 is 2 bits at most (value of 3)\n\tand\tx8, x13, #-4\n\textr\tx13, x14, x13, #2\n\tadds\tx8, x8, x11\n\tlsr\tx11, x14, #2\n\tadc\tx9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits\n\tadds\tx8, x8, x13\n\tadcs\tx9, x9, x12\n\tadc\tx10, x10, xzr // At this point acc2 has the value of 4 at most\n\tsubs\tx7, x7, #1\n\tb.gt\tLseal_main_loop_rounds\n\n\teor\tv20.16b, v20.16b, v20.16b //zero\n\tnot\tv21.16b, v20.16b // -1\n\tsub\tv21.4s, v25.4s, v21.4s // Add +1\n\text\tv20.16b, v21.16b, v20.16b, #12 // Get the last element (counter)\n\tadd\tv19.4s, v19.4s, v20.4s\n\n\tadd\tv15.4s, v15.4s, v25.4s\n\tmov\tx11, #5\n\tdup\tv20.4s, w11\n\tadd\tv25.4s, v25.4s, v20.4s\n\n\tzip1\tv20.4s, v0.4s, v1.4s\n\tzip2\tv21.4s, v0.4s, v1.4s\n\tzip1\tv22.4s, v2.4s, v3.4s\n\tzip2\tv23.4s, v2.4s, v3.4s\n\n\tzip1\tv0.2d, v20.2d, v22.2d\n\tzip2\tv1.2d, v20.2d, v22.2d\n\tzip1\tv2.2d, v21.2d, v23.2d\n\tzip2\tv3.2d, v21.2d, v23.2d\n\n\tzip1\tv20.4s, v5.4s, v6.4s\n\tzip2\tv21.4s, v5.4s, v6.4s\n\tzip1\tv22.4s, v7.4s, v8.4s\n\tzip2\tv23.4s, v7.4s, v8.4s\n\n\tzip1\tv5.2d, v20.2d, v22.2d\n\tzip2\tv6.2d, v20.2d, v22.2d\n\tzip1\tv7.2d, v21.2d, v23.2d\n\tzip2\tv8.2d, v21.2d, v23.2d\n\n\tzip1\tv20.4s, v10.4s, v11.4s\n\tzip2\tv21.4s, v10.4s, v11.4s\n\tzip1\tv22.4s, v12.4s, v13.4s\n\tzip2\tv23.4s, v12.4s, v13.4s\n\n\tzip1\tv10.2d, v20.2d, v22.2d\n\tzip2\tv11.2d, v20.2d, v22.2d\n\tzip1\tv12.2d, v21.2d, v23.2d\n\tzip2\tv13.2d, v21.2d, v23.2d\n\n\tzip1\tv20.4s, v15.4s, v16.4s\n\tzip2\tv21.4s, v15.4s, v16.4s\n\tzip1\tv22.4s, v17.4s, v18.4s\n\tzip2\tv23.4s, v17.4s, v18.4s\n\n\tzip1\tv15.2d, v20.2d, v22.2d\n\tzip2\tv16.2d, v20.2d, v22.2d\n\tzip1\tv17.2d, v21.2d, v23.2d\n\tzip2\tv18.2d, v21.2d, v23.2d\n\n\tadd\tv0.4s, v0.4s, v24.4s\n\tadd\tv5.4s, v5.4s, v28.4s\n\tadd\tv10.4s, v10.4s, v29.4s\n\tadd\tv15.4s, v15.4s, v30.4s\n\n\tadd\tv1.4s, v1.4s, v24.4s\n\tadd\tv6.4s, v6.4s, v28.4s\n\tadd\tv11.4s, v11.4s, v29.4s\n\tadd\tv16.4s, v16.4s, v30.4s\n\n\tadd\tv2.4s, v2.4s, v24.4s\n\tadd\tv7.4s, v7.4s, v28.4s\n\tadd\tv12.4s, v12.4s, v29.4s\n\tadd\tv17.4s, v17.4s, v30.4s\n\n\tadd\tv3.4s, v3.4s, v24.4s\n\tadd\tv8.4s, v8.4s, v28.4s\n\tadd\tv13.4s, v13.4s, v29.4s\n\tadd\tv18.4s, v18.4s, v30.4s\n\n\tadd\tv4.4s, v4.4s, v24.4s\n\tadd\tv9.4s, v9.4s, v28.4s\n\tadd\tv14.4s, v14.4s, v29.4s\n\tadd\tv19.4s, v19.4s, v30.4s\n\n\tcmp\tx2, #320\n\tb.le\tLseal_tail\n\n\tld1\t{v20.16b - v23.16b}, [x1], #64\n\teor\tv20.16b, v20.16b, v0.16b\n\teor\tv21.16b, v21.16b, v5.16b\n\teor\tv22.16b, v22.16b, v10.16b\n\teor\tv23.16b, v23.16b, v15.16b\n\tst1\t{v20.16b - v23.16b}, [x0], #64\n\n\tld1\t{v20.16b - v23.16b}, [x1], #64\n\teor\tv20.16b, v20.16b, v1.16b\n\teor\tv21.16b, v21.16b, v6.16b\n\teor\tv22.16b, v22.16b, v11.16b\n\teor\tv23.16b, v23.16b, v16.16b\n\tst1\t{v20.16b - v23.16b}, [x0], #64\n\n\tld1\t{v20.16b - v23.16b}, [x1], #64\n\teor\tv20.16b, v20.16b, v2.16b\n\teor\tv21.16b, v21.16b, v7.16b\n\teor\tv22.16b, v22.16b, v12.16b\n\teor\tv23.16b, v23.16b, v17.16b\n\tst1\t{v20.16b - v23.16b}, [x0], #64\n\n\tld1\t{v20.16b - v23.16b}, [x1], #64\n\teor\tv20.16b, v20.16b, v3.16b\n\teor\tv21.16b, v21.16b, v8.16b\n\teor\tv22.16b, v22.16b, v13.16b\n\teor\tv23.16b, v23.16b, v18.16b\n\tst1\t{v20.16b - v23.16b}, [x0], #64\n\n\tld1\t{v20.16b - v23.16b}, [x1], #64\n\teor\tv20.16b, v20.16b, v4.16b\n\teor\tv21.16b, v21.16b, v9.16b\n\teor\tv22.16b, v22.16b, v14.16b\n\teor\tv23.16b, v23.16b, v19.16b\n\tst1\t{v20.16b - v23.16b}, [x0], #64\n\n\tsub\tx2, x2, #320\n\n\tmov\tx6, #0\n\tmov\tx7, #10 // For the remainder of the loop we always hash and encrypt 320 bytes per iteration\n\n\tb\tLseal_main_loop\n\nLseal_tail:\n // This part of the function handles the storage and authentication of the last [0,320) bytes\n // We assume A0-A4 ... D0-D4 hold at least inl (320 max) bytes of the stream data.\n\tcmp\tx2, #64\n\tb.lt\tLseal_tail_64\n\n // Store and authenticate 64B blocks per iteration\n\tld1\t{v20.16b - v23.16b}, [x1], #64\n\n\teor\tv20.16b, v20.16b, v0.16b\n\teor\tv21.16b, v21.16b, v5.16b\n\teor\tv22.16b, v22.16b, v10.16b\n\teor\tv23.16b, v23.16b, v15.16b\n\tmov\tx11, v20.d[0]\n\tmov\tx12, v20.d[1]\n\tadds\tx8, x8, x11\n\tadcs\tx9, x9, x12\n\tadc\tx10, x10, x15\n\tmul\tx11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0\n\tumulh\tx12, x8, x16\n\tmul\tx13, x9, x16\n\tumulh\tx14, x9, x16\n\tadds\tx12, x12, x13\n\tmul\tx13, x10, x16\n\tadc\tx13, x13, x14\n\tmul\tx14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0]\n\tumulh\tx8, x8, x17\n\tadds\tx12, x12, x14\n\tmul\tx14, x9, x17\n\tumulh\tx9, x9, x17\n\tadcs\tx14, x14, x8\n\tmul\tx10, x10, x17\n\tadc\tx10, x10, x9\n\tadds\tx13, x13, x14\n\tadc\tx14, x10, xzr\n\tand\tx10, x13, #3 // At this point acc2 is 2 bits at most (value of 3)\n\tand\tx8, x13, #-4\n\textr\tx13, x14, x13, #2\n\tadds\tx8, x8, x11\n\tlsr\tx11, x14, #2\n\tadc\tx9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits\n\tadds\tx8, x8, x13\n\tadcs\tx9, x9, x12\n\tadc\tx10, x10, xzr // At this point acc2 has the value of 4 at most\n\tmov\tx11, v21.d[0]\n\tmov\tx12, v21.d[1]\n\tadds\tx8, x8, x11\n\tadcs\tx9, x9, x12\n\tadc\tx10, x10, x15\n\tmul\tx11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0\n\tumulh\tx12, x8, x16\n\tmul\tx13, x9, x16\n\tumulh\tx14, x9, x16\n\tadds\tx12, x12, x13\n\tmul\tx13, x10, x16\n\tadc\tx13, x13, x14\n\tmul\tx14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0]\n\tumulh\tx8, x8, x17\n\tadds\tx12, x12, x14\n\tmul\tx14, x9, x17\n\tumulh\tx9, x9, x17\n\tadcs\tx14, x14, x8\n\tmul\tx10, x10, x17\n\tadc\tx10, x10, x9\n\tadds\tx13, x13, x14\n\tadc\tx14, x10, xzr\n\tand\tx10, x13, #3 // At this point acc2 is 2 bits at most (value of 3)\n\tand\tx8, x13, #-4\n\textr\tx13, x14, x13, #2\n\tadds\tx8, x8, x11\n\tlsr\tx11, x14, #2\n\tadc\tx9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits\n\tadds\tx8, x8, x13\n\tadcs\tx9, x9, x12\n\tadc\tx10, x10, xzr // At this point acc2 has the value of 4 at most\n\tmov\tx11, v22.d[0]\n\tmov\tx12, v22.d[1]\n\tadds\tx8, x8, x11\n\tadcs\tx9, x9, x12\n\tadc\tx10, x10, x15\n\tmul\tx11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0\n\tumulh\tx12, x8, x16\n\tmul\tx13, x9, x16\n\tumulh\tx14, x9, x16\n\tadds\tx12, x12, x13\n\tmul\tx13, x10, x16\n\tadc\tx13, x13, x14\n\tmul\tx14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0]\n\tumulh\tx8, x8, x17\n\tadds\tx12, x12, x14\n\tmul\tx14, x9, x17\n\tumulh\tx9, x9, x17\n\tadcs\tx14, x14, x8\n\tmul\tx10, x10, x17\n\tadc\tx10, x10, x9\n\tadds\tx13, x13, x14\n\tadc\tx14, x10, xzr\n\tand\tx10, x13, #3 // At this point acc2 is 2 bits at most (value of 3)\n\tand\tx8, x13, #-4\n\textr\tx13, x14, x13, #2\n\tadds\tx8, x8, x11\n\tlsr\tx11, x14, #2\n\tadc\tx9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits\n\tadds\tx8, x8, x13\n\tadcs\tx9, x9, x12\n\tadc\tx10, x10, xzr // At this point acc2 has the value of 4 at most\n\tmov\tx11, v23.d[0]\n\tmov\tx12, v23.d[1]\n\tadds\tx8, x8, x11\n\tadcs\tx9, x9, x12\n\tadc\tx10, x10, x15\n\tmul\tx11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0\n\tumulh\tx12, x8, x16\n\tmul\tx13, x9, x16\n\tumulh\tx14, x9, x16\n\tadds\tx12, x12, x13\n\tmul\tx13, x10, x16\n\tadc\tx13, x13, x14\n\tmul\tx14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0]\n\tumulh\tx8, x8, x17\n\tadds\tx12, x12, x14\n\tmul\tx14, x9, x17\n\tumulh\tx9, x9, x17\n\tadcs\tx14, x14, x8\n\tmul\tx10, x10, x17\n\tadc\tx10, x10, x9\n\tadds\tx13, x13, x14\n\tadc\tx14, x10, xzr\n\tand\tx10, x13, #3 // At this point acc2 is 2 bits at most (value of 3)\n\tand\tx8, x13, #-4\n\textr\tx13, x14, x13, #2\n\tadds\tx8, x8, x11\n\tlsr\tx11, x14, #2\n\tadc\tx9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits\n\tadds\tx8, x8, x13\n\tadcs\tx9, x9, x12\n\tadc\tx10, x10, xzr // At this point acc2 has the value of 4 at most\n\tst1\t{v20.16b - v23.16b}, [x0], #64\n\tsub\tx2, x2, #64\n\n // Shift the state left by 64 bytes for the next iteration of the loop\n\tmov\tv0.16b, v1.16b\n\tmov\tv5.16b, v6.16b\n\tmov\tv10.16b, v11.16b\n\tmov\tv15.16b, v16.16b\n\n\tmov\tv1.16b, v2.16b\n\tmov\tv6.16b, v7.16b\n\tmov\tv11.16b, v12.16b\n\tmov\tv16.16b, v17.16b\n\n\tmov\tv2.16b, v3.16b\n\tmov\tv7.16b, v8.16b\n\tmov\tv12.16b, v13.16b\n\tmov\tv17.16b, v18.16b\n\n\tmov\tv3.16b, v4.16b\n\tmov\tv8.16b, v9.16b\n\tmov\tv13.16b, v14.16b\n\tmov\tv18.16b, v19.16b\n\n\tb\tLseal_tail\n\nLseal_tail_64:\n\tldp\tx3, x4, [x5, #48] // extra_in_len and extra_in_ptr\n\n // Here we handle the last [0,64) bytes of plaintext\n\tcmp\tx2, #16\n\tb.lt\tLseal_tail_16\n // Each iteration encrypt and authenticate a 16B block\n\tld1\t{v20.16b}, [x1], #16\n\teor\tv20.16b, v20.16b, v0.16b\n\tmov\tx11, v20.d[0]\n\tmov\tx12, v20.d[1]\n\tadds\tx8, x8, x11\n\tadcs\tx9, x9, x12\n\tadc\tx10, x10, x15\n\tmul\tx11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0\n\tumulh\tx12, x8, x16\n\tmul\tx13, x9, x16\n\tumulh\tx14, x9, x16\n\tadds\tx12, x12, x13\n\tmul\tx13, x10, x16\n\tadc\tx13, x13, x14\n\tmul\tx14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0]\n\tumulh\tx8, x8, x17\n\tadds\tx12, x12, x14\n\tmul\tx14, x9, x17\n\tumulh\tx9, x9, x17\n\tadcs\tx14, x14, x8\n\tmul\tx10, x10, x17\n\tadc\tx10, x10, x9\n\tadds\tx13, x13, x14\n\tadc\tx14, x10, xzr\n\tand\tx10, x13, #3 // At this point acc2 is 2 bits at most (value of 3)\n\tand\tx8, x13, #-4\n\textr\tx13, x14, x13, #2\n\tadds\tx8, x8, x11\n\tlsr\tx11, x14, #2\n\tadc\tx9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits\n\tadds\tx8, x8, x13\n\tadcs\tx9, x9, x12\n\tadc\tx10, x10, xzr // At this point acc2 has the value of 4 at most\n\tst1\t{v20.16b}, [x0], #16\n\n\tsub\tx2, x2, #16\n\n // Shift the state left by 16 bytes for the next iteration of the loop\n\tmov\tv0.16b, v5.16b\n\tmov\tv5.16b, v10.16b\n\tmov\tv10.16b, v15.16b\n\n\tb\tLseal_tail_64\n\nLseal_tail_16:\n // Here we handle the last [0,16) bytes of ciphertext that require a padded block\n\tcbz\tx2, Lseal_hash_extra\n\n\teor\tv20.16b, v20.16b, v20.16b // Use T0 to load the plaintext/extra in\n\teor\tv21.16b, v21.16b, v21.16b // Use T1 to generate an AND mask that will only mask the ciphertext bytes\n\tnot\tv22.16b, v20.16b\n\n\tmov\tx6, x2\n\tadd\tx1, x1, x2\n\n\tcbz\tx4, Lseal_tail_16_compose // No extra data to pad with, zero padding\n\n\tmov\tx7, #16 // We need to load some extra_in first for padding\n\tsub\tx7, x7, x2\n\tcmp\tx4, x7\n\tcsel\tx7, x4, x7, lt // Load the minimum of extra_in_len and the amount needed to fill the register\n\tmov\tx12, x7\n\tadd\tx3, x3, x7\n\tsub\tx4, x4, x7\n\nLseal_tail16_compose_extra_in:\n\text\tv20.16b, v20.16b, v20.16b, #15\n\tldrb\tw11, [x3, #-1]!\n\tmov\tv20.b[0], w11\n\tsubs\tx7, x7, #1\n\tb.gt\tLseal_tail16_compose_extra_in\n\n\tadd\tx3, x3, x12\n\nLseal_tail_16_compose:\n\text\tv20.16b, v20.16b, v20.16b, #15\n\tldrb\tw11, [x1, #-1]!\n\tmov\tv20.b[0], w11\n\text\tv21.16b, v22.16b, v21.16b, #15\n\tsubs\tx2, x2, #1\n\tb.gt\tLseal_tail_16_compose\n\n\tand\tv0.16b, v0.16b, v21.16b\n\teor\tv20.16b, v20.16b, v0.16b\n\tmov\tv21.16b, v20.16b\n\nLseal_tail_16_store:\n\tumov\tw11, v20.b[0]\n\tstrb\tw11, [x0], #1\n\text\tv20.16b, v20.16b, v20.16b, #1\n\tsubs\tx6, x6, #1\n\tb.gt\tLseal_tail_16_store\n\n // Hash in the final ct block concatenated with extra_in\n\tmov\tx11, v21.d[0]\n\tmov\tx12, v21.d[1]\n\tadds\tx8, x8, x11\n\tadcs\tx9, x9, x12\n\tadc\tx10, x10, x15\n\tmul\tx11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0\n\tumulh\tx12, x8, x16\n\tmul\tx13, x9, x16\n\tumulh\tx14, x9, x16\n\tadds\tx12, x12, x13\n\tmul\tx13, x10, x16\n\tadc\tx13, x13, x14\n\tmul\tx14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0]\n\tumulh\tx8, x8, x17\n\tadds\tx12, x12, x14\n\tmul\tx14, x9, x17\n\tumulh\tx9, x9, x17\n\tadcs\tx14, x14, x8\n\tmul\tx10, x10, x17\n\tadc\tx10, x10, x9\n\tadds\tx13, x13, x14\n\tadc\tx14, x10, xzr\n\tand\tx10, x13, #3 // At this point acc2 is 2 bits at most (value of 3)\n\tand\tx8, x13, #-4\n\textr\tx13, x14, x13, #2\n\tadds\tx8, x8, x11\n\tlsr\tx11, x14, #2\n\tadc\tx9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits\n\tadds\tx8, x8, x13\n\tadcs\tx9, x9, x12\n\tadc\tx10, x10, xzr // At this point acc2 has the value of 4 at most\n\nLseal_hash_extra:\n\tcbz\tx4, Lseal_finalize\n\nLseal_hash_extra_loop:\n\tcmp\tx4, #16\n\tb.lt\tLseal_hash_extra_tail\n\tld1\t{v20.16b}, [x3], #16\n\tmov\tx11, v20.d[0]\n\tmov\tx12, v20.d[1]\n\tadds\tx8, x8, x11\n\tadcs\tx9, x9, x12\n\tadc\tx10, x10, x15\n\tmul\tx11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0\n\tumulh\tx12, x8, x16\n\tmul\tx13, x9, x16\n\tumulh\tx14, x9, x16\n\tadds\tx12, x12, x13\n\tmul\tx13, x10, x16\n\tadc\tx13, x13, x14\n\tmul\tx14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0]\n\tumulh\tx8, x8, x17\n\tadds\tx12, x12, x14\n\tmul\tx14, x9, x17\n\tumulh\tx9, x9, x17\n\tadcs\tx14, x14, x8\n\tmul\tx10, x10, x17\n\tadc\tx10, x10, x9\n\tadds\tx13, x13, x14\n\tadc\tx14, x10, xzr\n\tand\tx10, x13, #3 // At this point acc2 is 2 bits at most (value of 3)\n\tand\tx8, x13, #-4\n\textr\tx13, x14, x13, #2\n\tadds\tx8, x8, x11\n\tlsr\tx11, x14, #2\n\tadc\tx9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits\n\tadds\tx8, x8, x13\n\tadcs\tx9, x9, x12\n\tadc\tx10, x10, xzr // At this point acc2 has the value of 4 at most\n\tsub\tx4, x4, #16\n\tb\tLseal_hash_extra_loop\n\nLseal_hash_extra_tail:\n\tcbz\tx4, Lseal_finalize\n\teor\tv20.16b, v20.16b, v20.16b // Use T0 to load the remaining extra ciphertext\n\tadd\tx3, x3, x4\n\nLseal_hash_extra_load:\n\text\tv20.16b, v20.16b, v20.16b, #15\n\tldrb\tw11, [x3, #-1]!\n\tmov\tv20.b[0], w11\n\tsubs\tx4, x4, #1\n\tb.gt\tLseal_hash_extra_load\n\n // Hash in the final padded extra_in blcok\n\tmov\tx11, v20.d[0]\n\tmov\tx12, v20.d[1]\n\tadds\tx8, x8, x11\n\tadcs\tx9, x9, x12\n\tadc\tx10, x10, x15\n\tmul\tx11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0\n\tumulh\tx12, x8, x16\n\tmul\tx13, x9, x16\n\tumulh\tx14, x9, x16\n\tadds\tx12, x12, x13\n\tmul\tx13, x10, x16\n\tadc\tx13, x13, x14\n\tmul\tx14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0]\n\tumulh\tx8, x8, x17\n\tadds\tx12, x12, x14\n\tmul\tx14, x9, x17\n\tumulh\tx9, x9, x17\n\tadcs\tx14, x14, x8\n\tmul\tx10, x10, x17\n\tadc\tx10, x10, x9\n\tadds\tx13, x13, x14\n\tadc\tx14, x10, xzr\n\tand\tx10, x13, #3 // At this point acc2 is 2 bits at most (value of 3)\n\tand\tx8, x13, #-4\n\textr\tx13, x14, x13, #2\n\tadds\tx8, x8, x11\n\tlsr\tx11, x14, #2\n\tadc\tx9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits\n\tadds\tx8, x8, x13\n\tadcs\tx9, x9, x12\n\tadc\tx10, x10, xzr // At this point acc2 has the value of 4 at most\n\nLseal_finalize:\n\tmov\tx11, v31.d[0]\n\tmov\tx12, v31.d[1]\n\tadds\tx8, x8, x11\n\tadcs\tx9, x9, x12\n\tadc\tx10, x10, x15\n\tmul\tx11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0\n\tumulh\tx12, x8, x16\n\tmul\tx13, x9, x16\n\tumulh\tx14, x9, x16\n\tadds\tx12, x12, x13\n\tmul\tx13, x10, x16\n\tadc\tx13, x13, x14\n\tmul\tx14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0]\n\tumulh\tx8, x8, x17\n\tadds\tx12, x12, x14\n\tmul\tx14, x9, x17\n\tumulh\tx9, x9, x17\n\tadcs\tx14, x14, x8\n\tmul\tx10, x10, x17\n\tadc\tx10, x10, x9\n\tadds\tx13, x13, x14\n\tadc\tx14, x10, xzr\n\tand\tx10, x13, #3 // At this point acc2 is 2 bits at most (value of 3)\n\tand\tx8, x13, #-4\n\textr\tx13, x14, x13, #2\n\tadds\tx8, x8, x11\n\tlsr\tx11, x14, #2\n\tadc\tx9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits\n\tadds\tx8, x8, x13\n\tadcs\tx9, x9, x12\n\tadc\tx10, x10, xzr // At this point acc2 has the value of 4 at most\n // Final reduction step\n\tsub\tx12, xzr, x15\n\torr\tx13, xzr, #3\n\tsubs\tx11, x8, #-5\n\tsbcs\tx12, x9, x12\n\tsbcs\tx13, x10, x13\n\tcsel\tx8, x11, x8, cs\n\tcsel\tx9, x12, x9, cs\n\tcsel\tx10, x13, x10, cs\n\tmov\tx11, v27.d[0]\n\tmov\tx12, v27.d[1]\n\tadds\tx8, x8, x11\n\tadcs\tx9, x9, x12\n\tadc\tx10, x10, x15\n\n\tstp\tx8, x9, [x5]\n\n\tldp\td8, d9, [sp, #16]\n\tldp\td10, d11, [sp, #32]\n\tldp\td12, d13, [sp, #48]\n\tldp\td14, d15, [sp, #64]\n.cfi_restore\tb15\n.cfi_restore\tb14\n.cfi_restore\tb13\n.cfi_restore\tb12\n.cfi_restore\tb11\n.cfi_restore\tb10\n.cfi_restore\tb9\n.cfi_restore\tb8\n\tldp\tx29, x30, [sp], 80\n.cfi_restore\tw29\n.cfi_restore\tw30\n.cfi_def_cfa_offset\t0\n\tAARCH64_VALIDATE_LINK_REGISTER\n\tret\n\nLseal_128:\n // On some architectures preparing 5 blocks for small buffers is wasteful\n\teor\tv25.16b, v25.16b, v25.16b\n\tmov\tx11, #1\n\tmov\tv25.s[0], w11\n\tmov\tv0.16b, v24.16b\n\tmov\tv1.16b, v24.16b\n\tmov\tv2.16b, v24.16b\n\tmov\tv5.16b, v28.16b\n\tmov\tv6.16b, v28.16b\n\tmov\tv7.16b, v28.16b\n\tmov\tv10.16b, v29.16b\n\tmov\tv11.16b, v29.16b\n\tmov\tv12.16b, v29.16b\n\tmov\tv17.16b, v30.16b\n\tadd\tv15.4s, v17.4s, v25.4s\n\tadd\tv16.4s, v15.4s, v25.4s\n\n\tmov\tx6, #10\n\nLseal_128_rounds:\n\tadd\tv0.4s, v0.4s, v5.4s\n\tadd\tv1.4s, v1.4s, v6.4s\n\tadd\tv2.4s, v2.4s, v7.4s\n\teor\tv15.16b, v15.16b, v0.16b\n\teor\tv16.16b, v16.16b, v1.16b\n\teor\tv17.16b, v17.16b, v2.16b\n\trev32\tv15.8h, v15.8h\n\trev32\tv16.8h, v16.8h\n\trev32\tv17.8h, v17.8h\n\n\tadd\tv10.4s, v10.4s, v15.4s\n\tadd\tv11.4s, v11.4s, v16.4s\n\tadd\tv12.4s, v12.4s, v17.4s\n\teor\tv5.16b, v5.16b, v10.16b\n\teor\tv6.16b, v6.16b, v11.16b\n\teor\tv7.16b, v7.16b, v12.16b\n\tushr\tv20.4s, v5.4s, #20\n\tsli\tv20.4s, v5.4s, #12\n\tushr\tv5.4s, v6.4s, #20\n\tsli\tv5.4s, v6.4s, #12\n\tushr\tv6.4s, v7.4s, #20\n\tsli\tv6.4s, v7.4s, #12\n\n\tadd\tv0.4s, v0.4s, v20.4s\n\tadd\tv1.4s, v1.4s, v5.4s\n\tadd\tv2.4s, v2.4s, v6.4s\n\teor\tv15.16b, v15.16b, v0.16b\n\teor\tv16.16b, v16.16b, v1.16b\n\teor\tv17.16b, v17.16b, v2.16b\n\ttbl\tv15.16b, {v15.16b}, v26.16b\n\ttbl\tv16.16b, {v16.16b}, v26.16b\n\ttbl\tv17.16b, {v17.16b}, v26.16b\n\n\tadd\tv10.4s, v10.4s, v15.4s\n\tadd\tv11.4s, v11.4s, v16.4s\n\tadd\tv12.4s, v12.4s, v17.4s\n\teor\tv20.16b, v20.16b, v10.16b\n\teor\tv5.16b, v5.16b, v11.16b\n\teor\tv6.16b, v6.16b, v12.16b\n\tushr\tv7.4s, v6.4s, #25\n\tsli\tv7.4s, v6.4s, #7\n\tushr\tv6.4s, v5.4s, #25\n\tsli\tv6.4s, v5.4s, #7\n\tushr\tv5.4s, v20.4s, #25\n\tsli\tv5.4s, v20.4s, #7\n\n\text\tv5.16b, v5.16b, v5.16b, #4\n\text\tv6.16b, v6.16b, v6.16b, #4\n\text\tv7.16b, v7.16b, v7.16b, #4\n\n\text\tv10.16b, v10.16b, v10.16b, #8\n\text\tv11.16b, v11.16b, v11.16b, #8\n\text\tv12.16b, v12.16b, v12.16b, #8\n\n\text\tv15.16b, v15.16b, v15.16b, #12\n\text\tv16.16b, v16.16b, v16.16b, #12\n\text\tv17.16b, v17.16b, v17.16b, #12\n\tadd\tv0.4s, v0.4s, v5.4s\n\tadd\tv1.4s, v1.4s, v6.4s\n\tadd\tv2.4s, v2.4s, v7.4s\n\teor\tv15.16b, v15.16b, v0.16b\n\teor\tv16.16b, v16.16b, v1.16b\n\teor\tv17.16b, v17.16b, v2.16b\n\trev32\tv15.8h, v15.8h\n\trev32\tv16.8h, v16.8h\n\trev32\tv17.8h, v17.8h\n\n\tadd\tv10.4s, v10.4s, v15.4s\n\tadd\tv11.4s, v11.4s, v16.4s\n\tadd\tv12.4s, v12.4s, v17.4s\n\teor\tv5.16b, v5.16b, v10.16b\n\teor\tv6.16b, v6.16b, v11.16b\n\teor\tv7.16b, v7.16b, v12.16b\n\tushr\tv20.4s, v5.4s, #20\n\tsli\tv20.4s, v5.4s, #12\n\tushr\tv5.4s, v6.4s, #20\n\tsli\tv5.4s, v6.4s, #12\n\tushr\tv6.4s, v7.4s, #20\n\tsli\tv6.4s, v7.4s, #12\n\n\tadd\tv0.4s, v0.4s, v20.4s\n\tadd\tv1.4s, v1.4s, v5.4s\n\tadd\tv2.4s, v2.4s, v6.4s\n\teor\tv15.16b, v15.16b, v0.16b\n\teor\tv16.16b, v16.16b, v1.16b\n\teor\tv17.16b, v17.16b, v2.16b\n\ttbl\tv15.16b, {v15.16b}, v26.16b\n\ttbl\tv16.16b, {v16.16b}, v26.16b\n\ttbl\tv17.16b, {v17.16b}, v26.16b\n\n\tadd\tv10.4s, v10.4s, v15.4s\n\tadd\tv11.4s, v11.4s, v16.4s\n\tadd\tv12.4s, v12.4s, v17.4s\n\teor\tv20.16b, v20.16b, v10.16b\n\teor\tv5.16b, v5.16b, v11.16b\n\teor\tv6.16b, v6.16b, v12.16b\n\tushr\tv7.4s, v6.4s, #25\n\tsli\tv7.4s, v6.4s, #7\n\tushr\tv6.4s, v5.4s, #25\n\tsli\tv6.4s, v5.4s, #7\n\tushr\tv5.4s, v20.4s, #25\n\tsli\tv5.4s, v20.4s, #7\n\n\text\tv5.16b, v5.16b, v5.16b, #12\n\text\tv6.16b, v6.16b, v6.16b, #12\n\text\tv7.16b, v7.16b, v7.16b, #12\n\n\text\tv10.16b, v10.16b, v10.16b, #8\n\text\tv11.16b, v11.16b, v11.16b, #8\n\text\tv12.16b, v12.16b, v12.16b, #8\n\n\text\tv15.16b, v15.16b, v15.16b, #4\n\text\tv16.16b, v16.16b, v16.16b, #4\n\text\tv17.16b, v17.16b, v17.16b, #4\n\tsubs\tx6, x6, #1\n\tb.hi\tLseal_128_rounds\n\n\tadd\tv0.4s, v0.4s, v24.4s\n\tadd\tv1.4s, v1.4s, v24.4s\n\tadd\tv2.4s, v2.4s, v24.4s\n\n\tadd\tv5.4s, v5.4s, v28.4s\n\tadd\tv6.4s, v6.4s, v28.4s\n\tadd\tv7.4s, v7.4s, v28.4s\n\n // Only the first 32 bytes of the third block (counter = 0) are needed,\n // so skip updating v12 and v17.\n\tadd\tv10.4s, v10.4s, v29.4s\n\tadd\tv11.4s, v11.4s, v29.4s\n\n\tadd\tv30.4s, v30.4s, v25.4s\n\tadd\tv15.4s, v15.4s, v30.4s\n\tadd\tv30.4s, v30.4s, v25.4s\n\tadd\tv16.4s, v16.4s, v30.4s\n\n\tand\tv2.16b, v2.16b, v27.16b\n\tmov\tx16, v2.d[0] // Move the R key to GPRs\n\tmov\tx17, v2.d[1]\n\tmov\tv27.16b, v7.16b // Store the S key\n\n\tbl\tLpoly_hash_ad_internal\n\tb\tLseal_tail\n.cfi_endproc\n\n\n/////////////////////////////////\n//\n// void chacha20_poly1305_open(uint8_t *pt, uint8_t *ct, size_t len_in, uint8_t *ad, size_t len_ad, union open_data *aead_data);\n//\n.globl\tchacha20_poly1305_open\n\n.def chacha20_poly1305_open\n .type 32\n.endef\n.align\t6\nchacha20_poly1305_open:\n\tAARCH64_SIGN_LINK_REGISTER\n.cfi_startproc\n\tstp\tx29, x30, [sp, #-80]!\n.cfi_def_cfa_offset\t80\n.cfi_offset\tw30, -72\n.cfi_offset\tw29, -80\n\tmov\tx29, sp\n // We probably could do .cfi_def_cfa w29, 80 at this point, but since\n // we don't actually use the frame pointer like that, it's probably not\n // worth bothering.\n\tstp\td8, d9, [sp, #16]\n\tstp\td10, d11, [sp, #32]\n\tstp\td12, d13, [sp, #48]\n\tstp\td14, d15, [sp, #64]\n.cfi_offset\tb15, -8\n.cfi_offset\tb14, -16\n.cfi_offset\tb13, -24\n.cfi_offset\tb12, -32\n.cfi_offset\tb11, -40\n.cfi_offset\tb10, -48\n.cfi_offset\tb9, -56\n.cfi_offset\tb8, -64\n\n\tadrp\tx11, Lchacha20_consts\n\tadd\tx11, x11, :lo12:Lchacha20_consts\n\n\tld1\t{v24.16b - v27.16b}, [x11] // Load the CONSTS, INC, ROL8 and CLAMP values\n\tld1\t{v28.16b - v30.16b}, [x5]\n\n\tmov\tx15, #1 // Prepare the Poly1305 state\n\tmov\tx8, #0\n\tmov\tx9, #0\n\tmov\tx10, #0\n\n\tmov\tv31.d[0], x4 // Store the input and aad lengths\n\tmov\tv31.d[1], x2\n\n\tcmp\tx2, #128\n\tb.le\tLopen_128 // Optimization for smaller buffers\n\n // Initially we prepare a single ChaCha20 block for the Poly1305 R and S keys\n\tmov\tv0.16b, v24.16b\n\tmov\tv5.16b, v28.16b\n\tmov\tv10.16b, v29.16b\n\tmov\tv15.16b, v30.16b\n\n\tmov\tx6, #10\n\n.align\t5\nLopen_init_rounds:\n\tadd\tv0.4s, v0.4s, v5.4s\n\teor\tv15.16b, v15.16b, v0.16b\n\trev32\tv15.8h, v15.8h\n\n\tadd\tv10.4s, v10.4s, v15.4s\n\teor\tv5.16b, v5.16b, v10.16b\n\tushr\tv20.4s, v5.4s, #20\n\tsli\tv20.4s, v5.4s, #12\n\tadd\tv0.4s, v0.4s, v20.4s\n\teor\tv15.16b, v15.16b, v0.16b\n\ttbl\tv15.16b, {v15.16b}, v26.16b\n\n\tadd\tv10.4s, v10.4s, v15.4s\n\teor\tv20.16b, v20.16b, v10.16b\n\tushr\tv5.4s, v20.4s, #25\n\tsli\tv5.4s, v20.4s, #7\n\text\tv5.16b, v5.16b, v5.16b, #4\n\text\tv10.16b, v10.16b, v10.16b, #8\n\text\tv15.16b, v15.16b, v15.16b, #12\n\tadd\tv0.4s, v0.4s, v5.4s\n\teor\tv15.16b, v15.16b, v0.16b\n\trev32\tv15.8h, v15.8h\n\n\tadd\tv10.4s, v10.4s, v15.4s\n\teor\tv5.16b, v5.16b, v10.16b\n\tushr\tv20.4s, v5.4s, #20\n\tsli\tv20.4s, v5.4s, #12\n\tadd\tv0.4s, v0.4s, v20.4s\n\teor\tv15.16b, v15.16b, v0.16b\n\ttbl\tv15.16b, {v15.16b}, v26.16b\n\n\tadd\tv10.4s, v10.4s, v15.4s\n\teor\tv20.16b, v20.16b, v10.16b\n\tushr\tv5.4s, v20.4s, #25\n\tsli\tv5.4s, v20.4s, #7\n\text\tv5.16b, v5.16b, v5.16b, #12\n\text\tv10.16b, v10.16b, v10.16b, #8\n\text\tv15.16b, v15.16b, v15.16b, #4\n\tsubs\tx6, x6, #1\n\tb.hi\tLopen_init_rounds\n\n\tadd\tv0.4s, v0.4s, v24.4s\n\tadd\tv5.4s, v5.4s, v28.4s\n\n\tand\tv0.16b, v0.16b, v27.16b\n\tmov\tx16, v0.d[0] // Move the R key to GPRs\n\tmov\tx17, v0.d[1]\n\tmov\tv27.16b, v5.16b // Store the S key\n\n\tbl\tLpoly_hash_ad_internal\n\nLopen_ad_done:\n\tmov\tx3, x1\n\n// Each iteration of the loop hash 320 bytes, and prepare stream for 320 bytes\nLopen_main_loop:\n\n\tcmp\tx2, #192\n\tb.lt\tLopen_tail\n\n\tadrp\tx11, Lchacha20_consts\n\tadd\tx11, x11, :lo12:Lchacha20_consts\n\n\tld4r\t{v0.4s,v1.4s,v2.4s,v3.4s}, [x11]\n\tmov\tv4.16b, v24.16b\n\n\tld4r\t{v5.4s,v6.4s,v7.4s,v8.4s}, [x5], #16\n\tmov\tv9.16b, v28.16b\n\n\tld4r\t{v10.4s,v11.4s,v12.4s,v13.4s}, [x5], #16\n\tmov\tv14.16b, v29.16b\n\n\tld4r\t{v15.4s,v16.4s,v17.4s,v18.4s}, [x5]\n\tsub\tx5, x5, #32\n\tadd\tv15.4s, v15.4s, v25.4s\n\tmov\tv19.16b, v30.16b\n\n\teor\tv20.16b, v20.16b, v20.16b //zero\n\tnot\tv21.16b, v20.16b // -1\n\tsub\tv21.4s, v25.4s, v21.4s // Add +1\n\text\tv20.16b, v21.16b, v20.16b, #12 // Get the last element (counter)\n\tadd\tv19.4s, v19.4s, v20.4s\n\n\tlsr\tx4, x2, #4 // How many whole blocks we have to hash, will always be at least 12\n\tsub\tx4, x4, #10\n\n\tmov\tx7, #10\n\tsubs\tx6, x7, x4\n\tsubs\tx6, x7, x4 // itr1 can be negative if we have more than 320 bytes to hash\n\tcsel\tx7, x7, x4, le // if itr1 is zero or less, itr2 should be 10 to indicate all 10 rounds are full\n\n\tcbz\tx7, Lopen_main_loop_rounds_short\n\n.align\t5\nLopen_main_loop_rounds:\n\tldp\tx11, x12, [x3], 16\n\tadds\tx8, x8, x11\n\tadcs\tx9, x9, x12\n\tadc\tx10, x10, x15\n\tmul\tx11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0\n\tumulh\tx12, x8, x16\n\tmul\tx13, x9, x16\n\tumulh\tx14, x9, x16\n\tadds\tx12, x12, x13\n\tmul\tx13, x10, x16\n\tadc\tx13, x13, x14\n\tmul\tx14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0]\n\tumulh\tx8, x8, x17\n\tadds\tx12, x12, x14\n\tmul\tx14, x9, x17\n\tumulh\tx9, x9, x17\n\tadcs\tx14, x14, x8\n\tmul\tx10, x10, x17\n\tadc\tx10, x10, x9\n\tadds\tx13, x13, x14\n\tadc\tx14, x10, xzr\n\tand\tx10, x13, #3 // At this point acc2 is 2 bits at most (value of 3)\n\tand\tx8, x13, #-4\n\textr\tx13, x14, x13, #2\n\tadds\tx8, x8, x11\n\tlsr\tx11, x14, #2\n\tadc\tx9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits\n\tadds\tx8, x8, x13\n\tadcs\tx9, x9, x12\n\tadc\tx10, x10, xzr // At this point acc2 has the value of 4 at most\nLopen_main_loop_rounds_short:\n\tadd\tv0.4s, v0.4s, v5.4s\n\tadd\tv1.4s, v1.4s, v6.4s\n\tadd\tv2.4s, v2.4s, v7.4s\n\tadd\tv3.4s, v3.4s, v8.4s\n\tadd\tv4.4s, v4.4s, v9.4s\n\n\teor\tv15.16b, v15.16b, v0.16b\n\teor\tv16.16b, v16.16b, v1.16b\n\teor\tv17.16b, v17.16b, v2.16b\n\teor\tv18.16b, v18.16b, v3.16b\n\teor\tv19.16b, v19.16b, v4.16b\n\n\trev32\tv15.8h, v15.8h\n\trev32\tv16.8h, v16.8h\n\trev32\tv17.8h, v17.8h\n\trev32\tv18.8h, v18.8h\n\trev32\tv19.8h, v19.8h\n\n\tadd\tv10.4s, v10.4s, v15.4s\n\tadd\tv11.4s, v11.4s, v16.4s\n\tadd\tv12.4s, v12.4s, v17.4s\n\tadd\tv13.4s, v13.4s, v18.4s\n\tadd\tv14.4s, v14.4s, v19.4s\n\n\teor\tv5.16b, v5.16b, v10.16b\n\teor\tv6.16b, v6.16b, v11.16b\n\teor\tv7.16b, v7.16b, v12.16b\n\teor\tv8.16b, v8.16b, v13.16b\n\teor\tv9.16b, v9.16b, v14.16b\n\n\tushr\tv20.4s, v5.4s, #20\n\tsli\tv20.4s, v5.4s, #12\n\tushr\tv5.4s, v6.4s, #20\n\tsli\tv5.4s, v6.4s, #12\n\tushr\tv6.4s, v7.4s, #20\n\tsli\tv6.4s, v7.4s, #12\n\tushr\tv7.4s, v8.4s, #20\n\tsli\tv7.4s, v8.4s, #12\n\tushr\tv8.4s, v9.4s, #20\n\tsli\tv8.4s, v9.4s, #12\n\n\tadd\tv0.4s, v0.4s, v20.4s\n\tadd\tv1.4s, v1.4s, v5.4s\n\tadd\tv2.4s, v2.4s, v6.4s\n\tadd\tv3.4s, v3.4s, v7.4s\n\tadd\tv4.4s, v4.4s, v8.4s\n\n\teor\tv15.16b, v15.16b, v0.16b\n\teor\tv16.16b, v16.16b, v1.16b\n\teor\tv17.16b, v17.16b, v2.16b\n\teor\tv18.16b, v18.16b, v3.16b\n\teor\tv19.16b, v19.16b, v4.16b\n\n\ttbl\tv15.16b, {v15.16b}, v26.16b\n\ttbl\tv16.16b, {v16.16b}, v26.16b\n\ttbl\tv17.16b, {v17.16b}, v26.16b\n\ttbl\tv18.16b, {v18.16b}, v26.16b\n\ttbl\tv19.16b, {v19.16b}, v26.16b\n\n\tadd\tv10.4s, v10.4s, v15.4s\n\tadd\tv11.4s, v11.4s, v16.4s\n\tadd\tv12.4s, v12.4s, v17.4s\n\tadd\tv13.4s, v13.4s, v18.4s\n\tadd\tv14.4s, v14.4s, v19.4s\n\n\teor\tv20.16b, v20.16b, v10.16b\n\teor\tv5.16b, v5.16b, v11.16b\n\teor\tv6.16b, v6.16b, v12.16b\n\teor\tv7.16b, v7.16b, v13.16b\n\teor\tv8.16b, v8.16b, v14.16b\n\n\tushr\tv9.4s, v8.4s, #25\n\tsli\tv9.4s, v8.4s, #7\n\tushr\tv8.4s, v7.4s, #25\n\tsli\tv8.4s, v7.4s, #7\n\tushr\tv7.4s, v6.4s, #25\n\tsli\tv7.4s, v6.4s, #7\n\tushr\tv6.4s, v5.4s, #25\n\tsli\tv6.4s, v5.4s, #7\n\tushr\tv5.4s, v20.4s, #25\n\tsli\tv5.4s, v20.4s, #7\n\n\text\tv9.16b, v9.16b, v9.16b, #4\n\text\tv14.16b, v14.16b, v14.16b, #8\n\text\tv19.16b, v19.16b, v19.16b, #12\n\tldp\tx11, x12, [x3], 16\n\tadds\tx8, x8, x11\n\tadcs\tx9, x9, x12\n\tadc\tx10, x10, x15\n\tmul\tx11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0\n\tumulh\tx12, x8, x16\n\tmul\tx13, x9, x16\n\tumulh\tx14, x9, x16\n\tadds\tx12, x12, x13\n\tmul\tx13, x10, x16\n\tadc\tx13, x13, x14\n\tmul\tx14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0]\n\tumulh\tx8, x8, x17\n\tadds\tx12, x12, x14\n\tmul\tx14, x9, x17\n\tumulh\tx9, x9, x17\n\tadcs\tx14, x14, x8\n\tmul\tx10, x10, x17\n\tadc\tx10, x10, x9\n\tadds\tx13, x13, x14\n\tadc\tx14, x10, xzr\n\tand\tx10, x13, #3 // At this point acc2 is 2 bits at most (value of 3)\n\tand\tx8, x13, #-4\n\textr\tx13, x14, x13, #2\n\tadds\tx8, x8, x11\n\tlsr\tx11, x14, #2\n\tadc\tx9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits\n\tadds\tx8, x8, x13\n\tadcs\tx9, x9, x12\n\tadc\tx10, x10, xzr // At this point acc2 has the value of 4 at most\n\tadd\tv0.4s, v0.4s, v6.4s\n\tadd\tv1.4s, v1.4s, v7.4s\n\tadd\tv2.4s, v2.4s, v8.4s\n\tadd\tv3.4s, v3.4s, v5.4s\n\tadd\tv4.4s, v4.4s, v9.4s\n\n\teor\tv18.16b, v18.16b, v0.16b\n\teor\tv15.16b, v15.16b, v1.16b\n\teor\tv16.16b, v16.16b, v2.16b\n\teor\tv17.16b, v17.16b, v3.16b\n\teor\tv19.16b, v19.16b, v4.16b\n\n\trev32\tv18.8h, v18.8h\n\trev32\tv15.8h, v15.8h\n\trev32\tv16.8h, v16.8h\n\trev32\tv17.8h, v17.8h\n\trev32\tv19.8h, v19.8h\n\n\tadd\tv12.4s, v12.4s, v18.4s\n\tadd\tv13.4s, v13.4s, v15.4s\n\tadd\tv10.4s, v10.4s, v16.4s\n\tadd\tv11.4s, v11.4s, v17.4s\n\tadd\tv14.4s, v14.4s, v19.4s\n\n\teor\tv6.16b, v6.16b, v12.16b\n\teor\tv7.16b, v7.16b, v13.16b\n\teor\tv8.16b, v8.16b, v10.16b\n\teor\tv5.16b, v5.16b, v11.16b\n\teor\tv9.16b, v9.16b, v14.16b\n\n\tushr\tv20.4s, v6.4s, #20\n\tsli\tv20.4s, v6.4s, #12\n\tushr\tv6.4s, v7.4s, #20\n\tsli\tv6.4s, v7.4s, #12\n\tushr\tv7.4s, v8.4s, #20\n\tsli\tv7.4s, v8.4s, #12\n\tushr\tv8.4s, v5.4s, #20\n\tsli\tv8.4s, v5.4s, #12\n\tushr\tv5.4s, v9.4s, #20\n\tsli\tv5.4s, v9.4s, #12\n\n\tadd\tv0.4s, v0.4s, v20.4s\n\tadd\tv1.4s, v1.4s, v6.4s\n\tadd\tv2.4s, v2.4s, v7.4s\n\tadd\tv3.4s, v3.4s, v8.4s\n\tadd\tv4.4s, v4.4s, v5.4s\n\n\teor\tv18.16b, v18.16b, v0.16b\n\teor\tv15.16b, v15.16b, v1.16b\n\teor\tv16.16b, v16.16b, v2.16b\n\teor\tv17.16b, v17.16b, v3.16b\n\teor\tv19.16b, v19.16b, v4.16b\n\n\ttbl\tv18.16b, {v18.16b}, v26.16b\n\ttbl\tv15.16b, {v15.16b}, v26.16b\n\ttbl\tv16.16b, {v16.16b}, v26.16b\n\ttbl\tv17.16b, {v17.16b}, v26.16b\n\ttbl\tv19.16b, {v19.16b}, v26.16b\n\n\tadd\tv12.4s, v12.4s, v18.4s\n\tadd\tv13.4s, v13.4s, v15.4s\n\tadd\tv10.4s, v10.4s, v16.4s\n\tadd\tv11.4s, v11.4s, v17.4s\n\tadd\tv14.4s, v14.4s, v19.4s\n\n\teor\tv20.16b, v20.16b, v12.16b\n\teor\tv6.16b, v6.16b, v13.16b\n\teor\tv7.16b, v7.16b, v10.16b\n\teor\tv8.16b, v8.16b, v11.16b\n\teor\tv5.16b, v5.16b, v14.16b\n\n\tushr\tv9.4s, v5.4s, #25\n\tsli\tv9.4s, v5.4s, #7\n\tushr\tv5.4s, v8.4s, #25\n\tsli\tv5.4s, v8.4s, #7\n\tushr\tv8.4s, v7.4s, #25\n\tsli\tv8.4s, v7.4s, #7\n\tushr\tv7.4s, v6.4s, #25\n\tsli\tv7.4s, v6.4s, #7\n\tushr\tv6.4s, v20.4s, #25\n\tsli\tv6.4s, v20.4s, #7\n\n\text\tv9.16b, v9.16b, v9.16b, #12\n\text\tv14.16b, v14.16b, v14.16b, #8\n\text\tv19.16b, v19.16b, v19.16b, #4\n\tsubs\tx7, x7, #1\n\tb.gt\tLopen_main_loop_rounds\n\tsubs\tx6, x6, #1\n\tb.ge\tLopen_main_loop_rounds_short\n\n\teor\tv20.16b, v20.16b, v20.16b //zero\n\tnot\tv21.16b, v20.16b // -1\n\tsub\tv21.4s, v25.4s, v21.4s // Add +1\n\text\tv20.16b, v21.16b, v20.16b, #12 // Get the last element (counter)\n\tadd\tv19.4s, v19.4s, v20.4s\n\n\tadd\tv15.4s, v15.4s, v25.4s\n\tmov\tx11, #5\n\tdup\tv20.4s, w11\n\tadd\tv25.4s, v25.4s, v20.4s\n\n\tzip1\tv20.4s, v0.4s, v1.4s\n\tzip2\tv21.4s, v0.4s, v1.4s\n\tzip1\tv22.4s, v2.4s, v3.4s\n\tzip2\tv23.4s, v2.4s, v3.4s\n\n\tzip1\tv0.2d, v20.2d, v22.2d\n\tzip2\tv1.2d, v20.2d, v22.2d\n\tzip1\tv2.2d, v21.2d, v23.2d\n\tzip2\tv3.2d, v21.2d, v23.2d\n\n\tzip1\tv20.4s, v5.4s, v6.4s\n\tzip2\tv21.4s, v5.4s, v6.4s\n\tzip1\tv22.4s, v7.4s, v8.4s\n\tzip2\tv23.4s, v7.4s, v8.4s\n\n\tzip1\tv5.2d, v20.2d, v22.2d\n\tzip2\tv6.2d, v20.2d, v22.2d\n\tzip1\tv7.2d, v21.2d, v23.2d\n\tzip2\tv8.2d, v21.2d, v23.2d\n\n\tzip1\tv20.4s, v10.4s, v11.4s\n\tzip2\tv21.4s, v10.4s, v11.4s\n\tzip1\tv22.4s, v12.4s, v13.4s\n\tzip2\tv23.4s, v12.4s, v13.4s\n\n\tzip1\tv10.2d, v20.2d, v22.2d\n\tzip2\tv11.2d, v20.2d, v22.2d\n\tzip1\tv12.2d, v21.2d, v23.2d\n\tzip2\tv13.2d, v21.2d, v23.2d\n\n\tzip1\tv20.4s, v15.4s, v16.4s\n\tzip2\tv21.4s, v15.4s, v16.4s\n\tzip1\tv22.4s, v17.4s, v18.4s\n\tzip2\tv23.4s, v17.4s, v18.4s\n\n\tzip1\tv15.2d, v20.2d, v22.2d\n\tzip2\tv16.2d, v20.2d, v22.2d\n\tzip1\tv17.2d, v21.2d, v23.2d\n\tzip2\tv18.2d, v21.2d, v23.2d\n\n\tadd\tv0.4s, v0.4s, v24.4s\n\tadd\tv5.4s, v5.4s, v28.4s\n\tadd\tv10.4s, v10.4s, v29.4s\n\tadd\tv15.4s, v15.4s, v30.4s\n\n\tadd\tv1.4s, v1.4s, v24.4s\n\tadd\tv6.4s, v6.4s, v28.4s\n\tadd\tv11.4s, v11.4s, v29.4s\n\tadd\tv16.4s, v16.4s, v30.4s\n\n\tadd\tv2.4s, v2.4s, v24.4s\n\tadd\tv7.4s, v7.4s, v28.4s\n\tadd\tv12.4s, v12.4s, v29.4s\n\tadd\tv17.4s, v17.4s, v30.4s\n\n\tadd\tv3.4s, v3.4s, v24.4s\n\tadd\tv8.4s, v8.4s, v28.4s\n\tadd\tv13.4s, v13.4s, v29.4s\n\tadd\tv18.4s, v18.4s, v30.4s\n\n\tadd\tv4.4s, v4.4s, v24.4s\n\tadd\tv9.4s, v9.4s, v28.4s\n\tadd\tv14.4s, v14.4s, v29.4s\n\tadd\tv19.4s, v19.4s, v30.4s\n\n // We can always safely store 192 bytes\n\tld1\t{v20.16b - v23.16b}, [x1], #64\n\teor\tv20.16b, v20.16b, v0.16b\n\teor\tv21.16b, v21.16b, v5.16b\n\teor\tv22.16b, v22.16b, v10.16b\n\teor\tv23.16b, v23.16b, v15.16b\n\tst1\t{v20.16b - v23.16b}, [x0], #64\n\n\tld1\t{v20.16b - v23.16b}, [x1], #64\n\teor\tv20.16b, v20.16b, v1.16b\n\teor\tv21.16b, v21.16b, v6.16b\n\teor\tv22.16b, v22.16b, v11.16b\n\teor\tv23.16b, v23.16b, v16.16b\n\tst1\t{v20.16b - v23.16b}, [x0], #64\n\n\tld1\t{v20.16b - v23.16b}, [x1], #64\n\teor\tv20.16b, v20.16b, v2.16b\n\teor\tv21.16b, v21.16b, v7.16b\n\teor\tv22.16b, v22.16b, v12.16b\n\teor\tv23.16b, v23.16b, v17.16b\n\tst1\t{v20.16b - v23.16b}, [x0], #64\n\n\tsub\tx2, x2, #192\n\n\tmov\tv0.16b, v3.16b\n\tmov\tv5.16b, v8.16b\n\tmov\tv10.16b, v13.16b\n\tmov\tv15.16b, v18.16b\n\n\tcmp\tx2, #64\n\tb.lt\tLopen_tail_64_store\n\n\tld1\t{v20.16b - v23.16b}, [x1], #64\n\teor\tv20.16b, v20.16b, v3.16b\n\teor\tv21.16b, v21.16b, v8.16b\n\teor\tv22.16b, v22.16b, v13.16b\n\teor\tv23.16b, v23.16b, v18.16b\n\tst1\t{v20.16b - v23.16b}, [x0], #64\n\n\tsub\tx2, x2, #64\n\n\tmov\tv0.16b, v4.16b\n\tmov\tv5.16b, v9.16b\n\tmov\tv10.16b, v14.16b\n\tmov\tv15.16b, v19.16b\n\n\tcmp\tx2, #64\n\tb.lt\tLopen_tail_64_store\n\n\tld1\t{v20.16b - v23.16b}, [x1], #64\n\teor\tv20.16b, v20.16b, v4.16b\n\teor\tv21.16b, v21.16b, v9.16b\n\teor\tv22.16b, v22.16b, v14.16b\n\teor\tv23.16b, v23.16b, v19.16b\n\tst1\t{v20.16b - v23.16b}, [x0], #64\n\n\tsub\tx2, x2, #64\n\tb\tLopen_main_loop\n\nLopen_tail:\n\n\tcbz\tx2, Lopen_finalize\n\n\tlsr\tx4, x2, #4 // How many whole blocks we have to hash\n\n\tcmp\tx2, #64\n\tb.le\tLopen_tail_64\n\tcmp\tx2, #128\n\tb.le\tLopen_tail_128\n\nLopen_tail_192:\n // We need three more blocks\n\tmov\tv0.16b, v24.16b\n\tmov\tv1.16b, v24.16b\n\tmov\tv2.16b, v24.16b\n\tmov\tv5.16b, v28.16b\n\tmov\tv6.16b, v28.16b\n\tmov\tv7.16b, v28.16b\n\tmov\tv10.16b, v29.16b\n\tmov\tv11.16b, v29.16b\n\tmov\tv12.16b, v29.16b\n\tmov\tv15.16b, v30.16b\n\tmov\tv16.16b, v30.16b\n\tmov\tv17.16b, v30.16b\n\teor\tv23.16b, v23.16b, v23.16b\n\teor\tv21.16b, v21.16b, v21.16b\n\tins\tv23.s[0], v25.s[0]\n\tins\tv21.d[0], x15\n\n\tadd\tv22.4s, v23.4s, v21.4s\n\tadd\tv21.4s, v22.4s, v21.4s\n\n\tadd\tv15.4s, v15.4s, v21.4s\n\tadd\tv16.4s, v16.4s, v23.4s\n\tadd\tv17.4s, v17.4s, v22.4s\n\n\tmov\tx7, #10\n\tsubs\tx6, x7, x4 // itr1 can be negative if we have more than 160 bytes to hash\n\tcsel\tx7, x7, x4, le // if itr1 is zero or less, itr2 should be 10 to indicate all 10 rounds are hashing\n\tsub\tx4, x4, x7\n\n\tcbz\tx7, Lopen_tail_192_rounds_no_hash\n\nLopen_tail_192_rounds:\n\tldp\tx11, x12, [x3], 16\n\tadds\tx8, x8, x11\n\tadcs\tx9, x9, x12\n\tadc\tx10, x10, x15\n\tmul\tx11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0\n\tumulh\tx12, x8, x16\n\tmul\tx13, x9, x16\n\tumulh\tx14, x9, x16\n\tadds\tx12, x12, x13\n\tmul\tx13, x10, x16\n\tadc\tx13, x13, x14\n\tmul\tx14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0]\n\tumulh\tx8, x8, x17\n\tadds\tx12, x12, x14\n\tmul\tx14, x9, x17\n\tumulh\tx9, x9, x17\n\tadcs\tx14, x14, x8\n\tmul\tx10, x10, x17\n\tadc\tx10, x10, x9\n\tadds\tx13, x13, x14\n\tadc\tx14, x10, xzr\n\tand\tx10, x13, #3 // At this point acc2 is 2 bits at most (value of 3)\n\tand\tx8, x13, #-4\n\textr\tx13, x14, x13, #2\n\tadds\tx8, x8, x11\n\tlsr\tx11, x14, #2\n\tadc\tx9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits\n\tadds\tx8, x8, x13\n\tadcs\tx9, x9, x12\n\tadc\tx10, x10, xzr // At this point acc2 has the value of 4 at most\nLopen_tail_192_rounds_no_hash:\n\tadd\tv0.4s, v0.4s, v5.4s\n\tadd\tv1.4s, v1.4s, v6.4s\n\tadd\tv2.4s, v2.4s, v7.4s\n\teor\tv15.16b, v15.16b, v0.16b\n\teor\tv16.16b, v16.16b, v1.16b\n\teor\tv17.16b, v17.16b, v2.16b\n\trev32\tv15.8h, v15.8h\n\trev32\tv16.8h, v16.8h\n\trev32\tv17.8h, v17.8h\n\n\tadd\tv10.4s, v10.4s, v15.4s\n\tadd\tv11.4s, v11.4s, v16.4s\n\tadd\tv12.4s, v12.4s, v17.4s\n\teor\tv5.16b, v5.16b, v10.16b\n\teor\tv6.16b, v6.16b, v11.16b\n\teor\tv7.16b, v7.16b, v12.16b\n\tushr\tv20.4s, v5.4s, #20\n\tsli\tv20.4s, v5.4s, #12\n\tushr\tv5.4s, v6.4s, #20\n\tsli\tv5.4s, v6.4s, #12\n\tushr\tv6.4s, v7.4s, #20\n\tsli\tv6.4s, v7.4s, #12\n\n\tadd\tv0.4s, v0.4s, v20.4s\n\tadd\tv1.4s, v1.4s, v5.4s\n\tadd\tv2.4s, v2.4s, v6.4s\n\teor\tv15.16b, v15.16b, v0.16b\n\teor\tv16.16b, v16.16b, v1.16b\n\teor\tv17.16b, v17.16b, v2.16b\n\ttbl\tv15.16b, {v15.16b}, v26.16b\n\ttbl\tv16.16b, {v16.16b}, v26.16b\n\ttbl\tv17.16b, {v17.16b}, v26.16b\n\n\tadd\tv10.4s, v10.4s, v15.4s\n\tadd\tv11.4s, v11.4s, v16.4s\n\tadd\tv12.4s, v12.4s, v17.4s\n\teor\tv20.16b, v20.16b, v10.16b\n\teor\tv5.16b, v5.16b, v11.16b\n\teor\tv6.16b, v6.16b, v12.16b\n\tushr\tv7.4s, v6.4s, #25\n\tsli\tv7.4s, v6.4s, #7\n\tushr\tv6.4s, v5.4s, #25\n\tsli\tv6.4s, v5.4s, #7\n\tushr\tv5.4s, v20.4s, #25\n\tsli\tv5.4s, v20.4s, #7\n\n\text\tv5.16b, v5.16b, v5.16b, #4\n\text\tv6.16b, v6.16b, v6.16b, #4\n\text\tv7.16b, v7.16b, v7.16b, #4\n\n\text\tv10.16b, v10.16b, v10.16b, #8\n\text\tv11.16b, v11.16b, v11.16b, #8\n\text\tv12.16b, v12.16b, v12.16b, #8\n\n\text\tv15.16b, v15.16b, v15.16b, #12\n\text\tv16.16b, v16.16b, v16.16b, #12\n\text\tv17.16b, v17.16b, v17.16b, #12\n\tadd\tv0.4s, v0.4s, v5.4s\n\tadd\tv1.4s, v1.4s, v6.4s\n\tadd\tv2.4s, v2.4s, v7.4s\n\teor\tv15.16b, v15.16b, v0.16b\n\teor\tv16.16b, v16.16b, v1.16b\n\teor\tv17.16b, v17.16b, v2.16b\n\trev32\tv15.8h, v15.8h\n\trev32\tv16.8h, v16.8h\n\trev32\tv17.8h, v17.8h\n\n\tadd\tv10.4s, v10.4s, v15.4s\n\tadd\tv11.4s, v11.4s, v16.4s\n\tadd\tv12.4s, v12.4s, v17.4s\n\teor\tv5.16b, v5.16b, v10.16b\n\teor\tv6.16b, v6.16b, v11.16b\n\teor\tv7.16b, v7.16b, v12.16b\n\tushr\tv20.4s, v5.4s, #20\n\tsli\tv20.4s, v5.4s, #12\n\tushr\tv5.4s, v6.4s, #20\n\tsli\tv5.4s, v6.4s, #12\n\tushr\tv6.4s, v7.4s, #20\n\tsli\tv6.4s, v7.4s, #12\n\n\tadd\tv0.4s, v0.4s, v20.4s\n\tadd\tv1.4s, v1.4s, v5.4s\n\tadd\tv2.4s, v2.4s, v6.4s\n\teor\tv15.16b, v15.16b, v0.16b\n\teor\tv16.16b, v16.16b, v1.16b\n\teor\tv17.16b, v17.16b, v2.16b\n\ttbl\tv15.16b, {v15.16b}, v26.16b\n\ttbl\tv16.16b, {v16.16b}, v26.16b\n\ttbl\tv17.16b, {v17.16b}, v26.16b\n\n\tadd\tv10.4s, v10.4s, v15.4s\n\tadd\tv11.4s, v11.4s, v16.4s\n\tadd\tv12.4s, v12.4s, v17.4s\n\teor\tv20.16b, v20.16b, v10.16b\n\teor\tv5.16b, v5.16b, v11.16b\n\teor\tv6.16b, v6.16b, v12.16b\n\tushr\tv7.4s, v6.4s, #25\n\tsli\tv7.4s, v6.4s, #7\n\tushr\tv6.4s, v5.4s, #25\n\tsli\tv6.4s, v5.4s, #7\n\tushr\tv5.4s, v20.4s, #25\n\tsli\tv5.4s, v20.4s, #7\n\n\text\tv5.16b, v5.16b, v5.16b, #12\n\text\tv6.16b, v6.16b, v6.16b, #12\n\text\tv7.16b, v7.16b, v7.16b, #12\n\n\text\tv10.16b, v10.16b, v10.16b, #8\n\text\tv11.16b, v11.16b, v11.16b, #8\n\text\tv12.16b, v12.16b, v12.16b, #8\n\n\text\tv15.16b, v15.16b, v15.16b, #4\n\text\tv16.16b, v16.16b, v16.16b, #4\n\text\tv17.16b, v17.16b, v17.16b, #4\n\tsubs\tx7, x7, #1\n\tb.gt\tLopen_tail_192_rounds\n\tsubs\tx6, x6, #1\n\tb.ge\tLopen_tail_192_rounds_no_hash\n\n // We hashed 160 bytes at most, may still have 32 bytes left\nLopen_tail_192_hash:\n\tcbz\tx4, Lopen_tail_192_hash_done\n\tldp\tx11, x12, [x3], 16\n\tadds\tx8, x8, x11\n\tadcs\tx9, x9, x12\n\tadc\tx10, x10, x15\n\tmul\tx11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0\n\tumulh\tx12, x8, x16\n\tmul\tx13, x9, x16\n\tumulh\tx14, x9, x16\n\tadds\tx12, x12, x13\n\tmul\tx13, x10, x16\n\tadc\tx13, x13, x14\n\tmul\tx14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0]\n\tumulh\tx8, x8, x17\n\tadds\tx12, x12, x14\n\tmul\tx14, x9, x17\n\tumulh\tx9, x9, x17\n\tadcs\tx14, x14, x8\n\tmul\tx10, x10, x17\n\tadc\tx10, x10, x9\n\tadds\tx13, x13, x14\n\tadc\tx14, x10, xzr\n\tand\tx10, x13, #3 // At this point acc2 is 2 bits at most (value of 3)\n\tand\tx8, x13, #-4\n\textr\tx13, x14, x13, #2\n\tadds\tx8, x8, x11\n\tlsr\tx11, x14, #2\n\tadc\tx9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits\n\tadds\tx8, x8, x13\n\tadcs\tx9, x9, x12\n\tadc\tx10, x10, xzr // At this point acc2 has the value of 4 at most\n\tsub\tx4, x4, #1\n\tb\tLopen_tail_192_hash\n\nLopen_tail_192_hash_done:\n\n\tadd\tv0.4s, v0.4s, v24.4s\n\tadd\tv1.4s, v1.4s, v24.4s\n\tadd\tv2.4s, v2.4s, v24.4s\n\tadd\tv5.4s, v5.4s, v28.4s\n\tadd\tv6.4s, v6.4s, v28.4s\n\tadd\tv7.4s, v7.4s, v28.4s\n\tadd\tv10.4s, v10.4s, v29.4s\n\tadd\tv11.4s, v11.4s, v29.4s\n\tadd\tv12.4s, v12.4s, v29.4s\n\tadd\tv15.4s, v15.4s, v30.4s\n\tadd\tv16.4s, v16.4s, v30.4s\n\tadd\tv17.4s, v17.4s, v30.4s\n\n\tadd\tv15.4s, v15.4s, v21.4s\n\tadd\tv16.4s, v16.4s, v23.4s\n\tadd\tv17.4s, v17.4s, v22.4s\n\n\tld1\t{v20.16b - v23.16b}, [x1], #64\n\n\teor\tv20.16b, v20.16b, v1.16b\n\teor\tv21.16b, v21.16b, v6.16b\n\teor\tv22.16b, v22.16b, v11.16b\n\teor\tv23.16b, v23.16b, v16.16b\n\n\tst1\t{v20.16b - v23.16b}, [x0], #64\n\n\tld1\t{v20.16b - v23.16b}, [x1], #64\n\n\teor\tv20.16b, v20.16b, v2.16b\n\teor\tv21.16b, v21.16b, v7.16b\n\teor\tv22.16b, v22.16b, v12.16b\n\teor\tv23.16b, v23.16b, v17.16b\n\n\tst1\t{v20.16b - v23.16b}, [x0], #64\n\n\tsub\tx2, x2, #128\n\tb\tLopen_tail_64_store\n\nLopen_tail_128:\n // We need two more blocks\n\tmov\tv0.16b, v24.16b\n\tmov\tv1.16b, v24.16b\n\tmov\tv5.16b, v28.16b\n\tmov\tv6.16b, v28.16b\n\tmov\tv10.16b, v29.16b\n\tmov\tv11.16b, v29.16b\n\tmov\tv15.16b, v30.16b\n\tmov\tv16.16b, v30.16b\n\teor\tv23.16b, v23.16b, v23.16b\n\teor\tv22.16b, v22.16b, v22.16b\n\tins\tv23.s[0], v25.s[0]\n\tins\tv22.d[0], x15\n\tadd\tv22.4s, v22.4s, v23.4s\n\n\tadd\tv15.4s, v15.4s, v22.4s\n\tadd\tv16.4s, v16.4s, v23.4s\n\n\tmov\tx6, #10\n\tsub\tx6, x6, x4\n\nLopen_tail_128_rounds:\n\tadd\tv0.4s, v0.4s, v5.4s\n\teor\tv15.16b, v15.16b, v0.16b\n\trev32\tv15.8h, v15.8h\n\n\tadd\tv10.4s, v10.4s, v15.4s\n\teor\tv5.16b, v5.16b, v10.16b\n\tushr\tv20.4s, v5.4s, #20\n\tsli\tv20.4s, v5.4s, #12\n\tadd\tv0.4s, v0.4s, v20.4s\n\teor\tv15.16b, v15.16b, v0.16b\n\ttbl\tv15.16b, {v15.16b}, v26.16b\n\n\tadd\tv10.4s, v10.4s, v15.4s\n\teor\tv20.16b, v20.16b, v10.16b\n\tushr\tv5.4s, v20.4s, #25\n\tsli\tv5.4s, v20.4s, #7\n\text\tv5.16b, v5.16b, v5.16b, #4\n\text\tv10.16b, v10.16b, v10.16b, #8\n\text\tv15.16b, v15.16b, v15.16b, #12\n\tadd\tv1.4s, v1.4s, v6.4s\n\teor\tv16.16b, v16.16b, v1.16b\n\trev32\tv16.8h, v16.8h\n\n\tadd\tv11.4s, v11.4s, v16.4s\n\teor\tv6.16b, v6.16b, v11.16b\n\tushr\tv20.4s, v6.4s, #20\n\tsli\tv20.4s, v6.4s, #12\n\tadd\tv1.4s, v1.4s, v20.4s\n\teor\tv16.16b, v16.16b, v1.16b\n\ttbl\tv16.16b, {v16.16b}, v26.16b\n\n\tadd\tv11.4s, v11.4s, v16.4s\n\teor\tv20.16b, v20.16b, v11.16b\n\tushr\tv6.4s, v20.4s, #25\n\tsli\tv6.4s, v20.4s, #7\n\text\tv6.16b, v6.16b, v6.16b, #4\n\text\tv11.16b, v11.16b, v11.16b, #8\n\text\tv16.16b, v16.16b, v16.16b, #12\n\tadd\tv0.4s, v0.4s, v5.4s\n\teor\tv15.16b, v15.16b, v0.16b\n\trev32\tv15.8h, v15.8h\n\n\tadd\tv10.4s, v10.4s, v15.4s\n\teor\tv5.16b, v5.16b, v10.16b\n\tushr\tv20.4s, v5.4s, #20\n\tsli\tv20.4s, v5.4s, #12\n\tadd\tv0.4s, v0.4s, v20.4s\n\teor\tv15.16b, v15.16b, v0.16b\n\ttbl\tv15.16b, {v15.16b}, v26.16b\n\n\tadd\tv10.4s, v10.4s, v15.4s\n\teor\tv20.16b, v20.16b, v10.16b\n\tushr\tv5.4s, v20.4s, #25\n\tsli\tv5.4s, v20.4s, #7\n\text\tv5.16b, v5.16b, v5.16b, #12\n\text\tv10.16b, v10.16b, v10.16b, #8\n\text\tv15.16b, v15.16b, v15.16b, #4\n\tadd\tv1.4s, v1.4s, v6.4s\n\teor\tv16.16b, v16.16b, v1.16b\n\trev32\tv16.8h, v16.8h\n\n\tadd\tv11.4s, v11.4s, v16.4s\n\teor\tv6.16b, v6.16b, v11.16b\n\tushr\tv20.4s, v6.4s, #20\n\tsli\tv20.4s, v6.4s, #12\n\tadd\tv1.4s, v1.4s, v20.4s\n\teor\tv16.16b, v16.16b, v1.16b\n\ttbl\tv16.16b, {v16.16b}, v26.16b\n\n\tadd\tv11.4s, v11.4s, v16.4s\n\teor\tv20.16b, v20.16b, v11.16b\n\tushr\tv6.4s, v20.4s, #25\n\tsli\tv6.4s, v20.4s, #7\n\text\tv6.16b, v6.16b, v6.16b, #12\n\text\tv11.16b, v11.16b, v11.16b, #8\n\text\tv16.16b, v16.16b, v16.16b, #4\n\tsubs\tx6, x6, #1\n\tb.gt\tLopen_tail_128_rounds\n\tcbz\tx4, Lopen_tail_128_rounds_done\n\tsubs\tx4, x4, #1\n\tldp\tx11, x12, [x3], 16\n\tadds\tx8, x8, x11\n\tadcs\tx9, x9, x12\n\tadc\tx10, x10, x15\n\tmul\tx11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0\n\tumulh\tx12, x8, x16\n\tmul\tx13, x9, x16\n\tumulh\tx14, x9, x16\n\tadds\tx12, x12, x13\n\tmul\tx13, x10, x16\n\tadc\tx13, x13, x14\n\tmul\tx14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0]\n\tumulh\tx8, x8, x17\n\tadds\tx12, x12, x14\n\tmul\tx14, x9, x17\n\tumulh\tx9, x9, x17\n\tadcs\tx14, x14, x8\n\tmul\tx10, x10, x17\n\tadc\tx10, x10, x9\n\tadds\tx13, x13, x14\n\tadc\tx14, x10, xzr\n\tand\tx10, x13, #3 // At this point acc2 is 2 bits at most (value of 3)\n\tand\tx8, x13, #-4\n\textr\tx13, x14, x13, #2\n\tadds\tx8, x8, x11\n\tlsr\tx11, x14, #2\n\tadc\tx9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits\n\tadds\tx8, x8, x13\n\tadcs\tx9, x9, x12\n\tadc\tx10, x10, xzr // At this point acc2 has the value of 4 at most\n\tb\tLopen_tail_128_rounds\n\nLopen_tail_128_rounds_done:\n\tadd\tv0.4s, v0.4s, v24.4s\n\tadd\tv1.4s, v1.4s, v24.4s\n\tadd\tv5.4s, v5.4s, v28.4s\n\tadd\tv6.4s, v6.4s, v28.4s\n\tadd\tv10.4s, v10.4s, v29.4s\n\tadd\tv11.4s, v11.4s, v29.4s\n\tadd\tv15.4s, v15.4s, v30.4s\n\tadd\tv16.4s, v16.4s, v30.4s\n\tadd\tv15.4s, v15.4s, v22.4s\n\tadd\tv16.4s, v16.4s, v23.4s\n\n\tld1\t{v20.16b - v23.16b}, [x1], #64\n\n\teor\tv20.16b, v20.16b, v1.16b\n\teor\tv21.16b, v21.16b, v6.16b\n\teor\tv22.16b, v22.16b, v11.16b\n\teor\tv23.16b, v23.16b, v16.16b\n\n\tst1\t{v20.16b - v23.16b}, [x0], #64\n\tsub\tx2, x2, #64\n\n\tb\tLopen_tail_64_store\n\nLopen_tail_64:\n // We just need a single block\n\tmov\tv0.16b, v24.16b\n\tmov\tv5.16b, v28.16b\n\tmov\tv10.16b, v29.16b\n\tmov\tv15.16b, v30.16b\n\teor\tv23.16b, v23.16b, v23.16b\n\tins\tv23.s[0], v25.s[0]\n\tadd\tv15.4s, v15.4s, v23.4s\n\n\tmov\tx6, #10\n\tsub\tx6, x6, x4\n\nLopen_tail_64_rounds:\n\tadd\tv0.4s, v0.4s, v5.4s\n\teor\tv15.16b, v15.16b, v0.16b\n\trev32\tv15.8h, v15.8h\n\n\tadd\tv10.4s, v10.4s, v15.4s\n\teor\tv5.16b, v5.16b, v10.16b\n\tushr\tv20.4s, v5.4s, #20\n\tsli\tv20.4s, v5.4s, #12\n\tadd\tv0.4s, v0.4s, v20.4s\n\teor\tv15.16b, v15.16b, v0.16b\n\ttbl\tv15.16b, {v15.16b}, v26.16b\n\n\tadd\tv10.4s, v10.4s, v15.4s\n\teor\tv20.16b, v20.16b, v10.16b\n\tushr\tv5.4s, v20.4s, #25\n\tsli\tv5.4s, v20.4s, #7\n\text\tv5.16b, v5.16b, v5.16b, #4\n\text\tv10.16b, v10.16b, v10.16b, #8\n\text\tv15.16b, v15.16b, v15.16b, #12\n\tadd\tv0.4s, v0.4s, v5.4s\n\teor\tv15.16b, v15.16b, v0.16b\n\trev32\tv15.8h, v15.8h\n\n\tadd\tv10.4s, v10.4s, v15.4s\n\teor\tv5.16b, v5.16b, v10.16b\n\tushr\tv20.4s, v5.4s, #20\n\tsli\tv20.4s, v5.4s, #12\n\tadd\tv0.4s, v0.4s, v20.4s\n\teor\tv15.16b, v15.16b, v0.16b\n\ttbl\tv15.16b, {v15.16b}, v26.16b\n\n\tadd\tv10.4s, v10.4s, v15.4s\n\teor\tv20.16b, v20.16b, v10.16b\n\tushr\tv5.4s, v20.4s, #25\n\tsli\tv5.4s, v20.4s, #7\n\text\tv5.16b, v5.16b, v5.16b, #12\n\text\tv10.16b, v10.16b, v10.16b, #8\n\text\tv15.16b, v15.16b, v15.16b, #4\n\tsubs\tx6, x6, #1\n\tb.gt\tLopen_tail_64_rounds\n\tcbz\tx4, Lopen_tail_64_rounds_done\n\tsubs\tx4, x4, #1\n\tldp\tx11, x12, [x3], 16\n\tadds\tx8, x8, x11\n\tadcs\tx9, x9, x12\n\tadc\tx10, x10, x15\n\tmul\tx11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0\n\tumulh\tx12, x8, x16\n\tmul\tx13, x9, x16\n\tumulh\tx14, x9, x16\n\tadds\tx12, x12, x13\n\tmul\tx13, x10, x16\n\tadc\tx13, x13, x14\n\tmul\tx14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0]\n\tumulh\tx8, x8, x17\n\tadds\tx12, x12, x14\n\tmul\tx14, x9, x17\n\tumulh\tx9, x9, x17\n\tadcs\tx14, x14, x8\n\tmul\tx10, x10, x17\n\tadc\tx10, x10, x9\n\tadds\tx13, x13, x14\n\tadc\tx14, x10, xzr\n\tand\tx10, x13, #3 // At this point acc2 is 2 bits at most (value of 3)\n\tand\tx8, x13, #-4\n\textr\tx13, x14, x13, #2\n\tadds\tx8, x8, x11\n\tlsr\tx11, x14, #2\n\tadc\tx9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits\n\tadds\tx8, x8, x13\n\tadcs\tx9, x9, x12\n\tadc\tx10, x10, xzr // At this point acc2 has the value of 4 at most\n\tb\tLopen_tail_64_rounds\n\nLopen_tail_64_rounds_done:\n\tadd\tv0.4s, v0.4s, v24.4s\n\tadd\tv5.4s, v5.4s, v28.4s\n\tadd\tv10.4s, v10.4s, v29.4s\n\tadd\tv15.4s, v15.4s, v30.4s\n\tadd\tv15.4s, v15.4s, v23.4s\n\nLopen_tail_64_store:\n\tcmp\tx2, #16\n\tb.lt\tLopen_tail_16\n\n\tld1\t{v20.16b}, [x1], #16\n\teor\tv20.16b, v20.16b, v0.16b\n\tst1\t{v20.16b}, [x0], #16\n\tmov\tv0.16b, v5.16b\n\tmov\tv5.16b, v10.16b\n\tmov\tv10.16b, v15.16b\n\tsub\tx2, x2, #16\n\tb\tLopen_tail_64_store\n\nLopen_tail_16:\n // Here we handle the last [0,16) bytes that require a padded block\n\tcbz\tx2, Lopen_finalize\n\n\teor\tv20.16b, v20.16b, v20.16b // Use T0 to load the ciphertext\n\teor\tv21.16b, v21.16b, v21.16b // Use T1 to generate an AND mask\n\tnot\tv22.16b, v20.16b\n\n\tadd\tx7, x1, x2\n\tmov\tx6, x2\n\nLopen_tail_16_compose:\n\text\tv20.16b, v20.16b, v20.16b, #15\n\tldrb\tw11, [x7, #-1]!\n\tmov\tv20.b[0], w11\n\text\tv21.16b, v22.16b, v21.16b, #15\n\tsubs\tx2, x2, #1\n\tb.gt\tLopen_tail_16_compose\n\n\tand\tv20.16b, v20.16b, v21.16b\n // Hash in the final padded block\n\tmov\tx11, v20.d[0]\n\tmov\tx12, v20.d[1]\n\tadds\tx8, x8, x11\n\tadcs\tx9, x9, x12\n\tadc\tx10, x10, x15\n\tmul\tx11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0\n\tumulh\tx12, x8, x16\n\tmul\tx13, x9, x16\n\tumulh\tx14, x9, x16\n\tadds\tx12, x12, x13\n\tmul\tx13, x10, x16\n\tadc\tx13, x13, x14\n\tmul\tx14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0]\n\tumulh\tx8, x8, x17\n\tadds\tx12, x12, x14\n\tmul\tx14, x9, x17\n\tumulh\tx9, x9, x17\n\tadcs\tx14, x14, x8\n\tmul\tx10, x10, x17\n\tadc\tx10, x10, x9\n\tadds\tx13, x13, x14\n\tadc\tx14, x10, xzr\n\tand\tx10, x13, #3 // At this point acc2 is 2 bits at most (value of 3)\n\tand\tx8, x13, #-4\n\textr\tx13, x14, x13, #2\n\tadds\tx8, x8, x11\n\tlsr\tx11, x14, #2\n\tadc\tx9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits\n\tadds\tx8, x8, x13\n\tadcs\tx9, x9, x12\n\tadc\tx10, x10, xzr // At this point acc2 has the value of 4 at most\n\teor\tv20.16b, v20.16b, v0.16b\n\nLopen_tail_16_store:\n\tumov\tw11, v20.b[0]\n\tstrb\tw11, [x0], #1\n\text\tv20.16b, v20.16b, v20.16b, #1\n\tsubs\tx6, x6, #1\n\tb.gt\tLopen_tail_16_store\n\nLopen_finalize:\n\tmov\tx11, v31.d[0]\n\tmov\tx12, v31.d[1]\n\tadds\tx8, x8, x11\n\tadcs\tx9, x9, x12\n\tadc\tx10, x10, x15\n\tmul\tx11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0\n\tumulh\tx12, x8, x16\n\tmul\tx13, x9, x16\n\tumulh\tx14, x9, x16\n\tadds\tx12, x12, x13\n\tmul\tx13, x10, x16\n\tadc\tx13, x13, x14\n\tmul\tx14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0]\n\tumulh\tx8, x8, x17\n\tadds\tx12, x12, x14\n\tmul\tx14, x9, x17\n\tumulh\tx9, x9, x17\n\tadcs\tx14, x14, x8\n\tmul\tx10, x10, x17\n\tadc\tx10, x10, x9\n\tadds\tx13, x13, x14\n\tadc\tx14, x10, xzr\n\tand\tx10, x13, #3 // At this point acc2 is 2 bits at most (value of 3)\n\tand\tx8, x13, #-4\n\textr\tx13, x14, x13, #2\n\tadds\tx8, x8, x11\n\tlsr\tx11, x14, #2\n\tadc\tx9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits\n\tadds\tx8, x8, x13\n\tadcs\tx9, x9, x12\n\tadc\tx10, x10, xzr // At this point acc2 has the value of 4 at most\n // Final reduction step\n\tsub\tx12, xzr, x15\n\torr\tx13, xzr, #3\n\tsubs\tx11, x8, #-5\n\tsbcs\tx12, x9, x12\n\tsbcs\tx13, x10, x13\n\tcsel\tx8, x11, x8, cs\n\tcsel\tx9, x12, x9, cs\n\tcsel\tx10, x13, x10, cs\n\tmov\tx11, v27.d[0]\n\tmov\tx12, v27.d[1]\n\tadds\tx8, x8, x11\n\tadcs\tx9, x9, x12\n\tadc\tx10, x10, x15\n\n\tstp\tx8, x9, [x5]\n\n\tldp\td8, d9, [sp, #16]\n\tldp\td10, d11, [sp, #32]\n\tldp\td12, d13, [sp, #48]\n\tldp\td14, d15, [sp, #64]\n.cfi_restore\tb15\n.cfi_restore\tb14\n.cfi_restore\tb13\n.cfi_restore\tb12\n.cfi_restore\tb11\n.cfi_restore\tb10\n.cfi_restore\tb9\n.cfi_restore\tb8\n\tldp\tx29, x30, [sp], 80\n.cfi_restore\tw29\n.cfi_restore\tw30\n.cfi_def_cfa_offset\t0\n\tAARCH64_VALIDATE_LINK_REGISTER\n\tret\n\nLopen_128:\n // On some architectures preparing 5 blocks for small buffers is wasteful\n\teor\tv25.16b, v25.16b, v25.16b\n\tmov\tx11, #1\n\tmov\tv25.s[0], w11\n\tmov\tv0.16b, v24.16b\n\tmov\tv1.16b, v24.16b\n\tmov\tv2.16b, v24.16b\n\tmov\tv5.16b, v28.16b\n\tmov\tv6.16b, v28.16b\n\tmov\tv7.16b, v28.16b\n\tmov\tv10.16b, v29.16b\n\tmov\tv11.16b, v29.16b\n\tmov\tv12.16b, v29.16b\n\tmov\tv17.16b, v30.16b\n\tadd\tv15.4s, v17.4s, v25.4s\n\tadd\tv16.4s, v15.4s, v25.4s\n\n\tmov\tx6, #10\n\nLopen_128_rounds:\n\tadd\tv0.4s, v0.4s, v5.4s\n\tadd\tv1.4s, v1.4s, v6.4s\n\tadd\tv2.4s, v2.4s, v7.4s\n\teor\tv15.16b, v15.16b, v0.16b\n\teor\tv16.16b, v16.16b, v1.16b\n\teor\tv17.16b, v17.16b, v2.16b\n\trev32\tv15.8h, v15.8h\n\trev32\tv16.8h, v16.8h\n\trev32\tv17.8h, v17.8h\n\n\tadd\tv10.4s, v10.4s, v15.4s\n\tadd\tv11.4s, v11.4s, v16.4s\n\tadd\tv12.4s, v12.4s, v17.4s\n\teor\tv5.16b, v5.16b, v10.16b\n\teor\tv6.16b, v6.16b, v11.16b\n\teor\tv7.16b, v7.16b, v12.16b\n\tushr\tv20.4s, v5.4s, #20\n\tsli\tv20.4s, v5.4s, #12\n\tushr\tv5.4s, v6.4s, #20\n\tsli\tv5.4s, v6.4s, #12\n\tushr\tv6.4s, v7.4s, #20\n\tsli\tv6.4s, v7.4s, #12\n\n\tadd\tv0.4s, v0.4s, v20.4s\n\tadd\tv1.4s, v1.4s, v5.4s\n\tadd\tv2.4s, v2.4s, v6.4s\n\teor\tv15.16b, v15.16b, v0.16b\n\teor\tv16.16b, v16.16b, v1.16b\n\teor\tv17.16b, v17.16b, v2.16b\n\ttbl\tv15.16b, {v15.16b}, v26.16b\n\ttbl\tv16.16b, {v16.16b}, v26.16b\n\ttbl\tv17.16b, {v17.16b}, v26.16b\n\n\tadd\tv10.4s, v10.4s, v15.4s\n\tadd\tv11.4s, v11.4s, v16.4s\n\tadd\tv12.4s, v12.4s, v17.4s\n\teor\tv20.16b, v20.16b, v10.16b\n\teor\tv5.16b, v5.16b, v11.16b\n\teor\tv6.16b, v6.16b, v12.16b\n\tushr\tv7.4s, v6.4s, #25\n\tsli\tv7.4s, v6.4s, #7\n\tushr\tv6.4s, v5.4s, #25\n\tsli\tv6.4s, v5.4s, #7\n\tushr\tv5.4s, v20.4s, #25\n\tsli\tv5.4s, v20.4s, #7\n\n\text\tv5.16b, v5.16b, v5.16b, #4\n\text\tv6.16b, v6.16b, v6.16b, #4\n\text\tv7.16b, v7.16b, v7.16b, #4\n\n\text\tv10.16b, v10.16b, v10.16b, #8\n\text\tv11.16b, v11.16b, v11.16b, #8\n\text\tv12.16b, v12.16b, v12.16b, #8\n\n\text\tv15.16b, v15.16b, v15.16b, #12\n\text\tv16.16b, v16.16b, v16.16b, #12\n\text\tv17.16b, v17.16b, v17.16b, #12\n\tadd\tv0.4s, v0.4s, v5.4s\n\tadd\tv1.4s, v1.4s, v6.4s\n\tadd\tv2.4s, v2.4s, v7.4s\n\teor\tv15.16b, v15.16b, v0.16b\n\teor\tv16.16b, v16.16b, v1.16b\n\teor\tv17.16b, v17.16b, v2.16b\n\trev32\tv15.8h, v15.8h\n\trev32\tv16.8h, v16.8h\n\trev32\tv17.8h, v17.8h\n\n\tadd\tv10.4s, v10.4s, v15.4s\n\tadd\tv11.4s, v11.4s, v16.4s\n\tadd\tv12.4s, v12.4s, v17.4s\n\teor\tv5.16b, v5.16b, v10.16b\n\teor\tv6.16b, v6.16b, v11.16b\n\teor\tv7.16b, v7.16b, v12.16b\n\tushr\tv20.4s, v5.4s, #20\n\tsli\tv20.4s, v5.4s, #12\n\tushr\tv5.4s, v6.4s, #20\n\tsli\tv5.4s, v6.4s, #12\n\tushr\tv6.4s, v7.4s, #20\n\tsli\tv6.4s, v7.4s, #12\n\n\tadd\tv0.4s, v0.4s, v20.4s\n\tadd\tv1.4s, v1.4s, v5.4s\n\tadd\tv2.4s, v2.4s, v6.4s\n\teor\tv15.16b, v15.16b, v0.16b\n\teor\tv16.16b, v16.16b, v1.16b\n\teor\tv17.16b, v17.16b, v2.16b\n\ttbl\tv15.16b, {v15.16b}, v26.16b\n\ttbl\tv16.16b, {v16.16b}, v26.16b\n\ttbl\tv17.16b, {v17.16b}, v26.16b\n\n\tadd\tv10.4s, v10.4s, v15.4s\n\tadd\tv11.4s, v11.4s, v16.4s\n\tadd\tv12.4s, v12.4s, v17.4s\n\teor\tv20.16b, v20.16b, v10.16b\n\teor\tv5.16b, v5.16b, v11.16b\n\teor\tv6.16b, v6.16b, v12.16b\n\tushr\tv7.4s, v6.4s, #25\n\tsli\tv7.4s, v6.4s, #7\n\tushr\tv6.4s, v5.4s, #25\n\tsli\tv6.4s, v5.4s, #7\n\tushr\tv5.4s, v20.4s, #25\n\tsli\tv5.4s, v20.4s, #7\n\n\text\tv5.16b, v5.16b, v5.16b, #12\n\text\tv6.16b, v6.16b, v6.16b, #12\n\text\tv7.16b, v7.16b, v7.16b, #12\n\n\text\tv10.16b, v10.16b, v10.16b, #8\n\text\tv11.16b, v11.16b, v11.16b, #8\n\text\tv12.16b, v12.16b, v12.16b, #8\n\n\text\tv15.16b, v15.16b, v15.16b, #4\n\text\tv16.16b, v16.16b, v16.16b, #4\n\text\tv17.16b, v17.16b, v17.16b, #4\n\tsubs\tx6, x6, #1\n\tb.hi\tLopen_128_rounds\n\n\tadd\tv0.4s, v0.4s, v24.4s\n\tadd\tv1.4s, v1.4s, v24.4s\n\tadd\tv2.4s, v2.4s, v24.4s\n\n\tadd\tv5.4s, v5.4s, v28.4s\n\tadd\tv6.4s, v6.4s, v28.4s\n\tadd\tv7.4s, v7.4s, v28.4s\n\n\tadd\tv10.4s, v10.4s, v29.4s\n\tadd\tv11.4s, v11.4s, v29.4s\n\n\tadd\tv30.4s, v30.4s, v25.4s\n\tadd\tv15.4s, v15.4s, v30.4s\n\tadd\tv30.4s, v30.4s, v25.4s\n\tadd\tv16.4s, v16.4s, v30.4s\n\n\tand\tv2.16b, v2.16b, v27.16b\n\tmov\tx16, v2.d[0] // Move the R key to GPRs\n\tmov\tx17, v2.d[1]\n\tmov\tv27.16b, v7.16b // Store the S key\n\n\tbl\tLpoly_hash_ad_internal\n\nLopen_128_store:\n\tcmp\tx2, #64\n\tb.lt\tLopen_128_store_64\n\n\tld1\t{v20.16b - v23.16b}, [x1], #64\n\n\tmov\tx11, v20.d[0]\n\tmov\tx12, v20.d[1]\n\tadds\tx8, x8, x11\n\tadcs\tx9, x9, x12\n\tadc\tx10, x10, x15\n\tmul\tx11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0\n\tumulh\tx12, x8, x16\n\tmul\tx13, x9, x16\n\tumulh\tx14, x9, x16\n\tadds\tx12, x12, x13\n\tmul\tx13, x10, x16\n\tadc\tx13, x13, x14\n\tmul\tx14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0]\n\tumulh\tx8, x8, x17\n\tadds\tx12, x12, x14\n\tmul\tx14, x9, x17\n\tumulh\tx9, x9, x17\n\tadcs\tx14, x14, x8\n\tmul\tx10, x10, x17\n\tadc\tx10, x10, x9\n\tadds\tx13, x13, x14\n\tadc\tx14, x10, xzr\n\tand\tx10, x13, #3 // At this point acc2 is 2 bits at most (value of 3)\n\tand\tx8, x13, #-4\n\textr\tx13, x14, x13, #2\n\tadds\tx8, x8, x11\n\tlsr\tx11, x14, #2\n\tadc\tx9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits\n\tadds\tx8, x8, x13\n\tadcs\tx9, x9, x12\n\tadc\tx10, x10, xzr // At this point acc2 has the value of 4 at most\n\tmov\tx11, v21.d[0]\n\tmov\tx12, v21.d[1]\n\tadds\tx8, x8, x11\n\tadcs\tx9, x9, x12\n\tadc\tx10, x10, x15\n\tmul\tx11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0\n\tumulh\tx12, x8, x16\n\tmul\tx13, x9, x16\n\tumulh\tx14, x9, x16\n\tadds\tx12, x12, x13\n\tmul\tx13, x10, x16\n\tadc\tx13, x13, x14\n\tmul\tx14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0]\n\tumulh\tx8, x8, x17\n\tadds\tx12, x12, x14\n\tmul\tx14, x9, x17\n\tumulh\tx9, x9, x17\n\tadcs\tx14, x14, x8\n\tmul\tx10, x10, x17\n\tadc\tx10, x10, x9\n\tadds\tx13, x13, x14\n\tadc\tx14, x10, xzr\n\tand\tx10, x13, #3 // At this point acc2 is 2 bits at most (value of 3)\n\tand\tx8, x13, #-4\n\textr\tx13, x14, x13, #2\n\tadds\tx8, x8, x11\n\tlsr\tx11, x14, #2\n\tadc\tx9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits\n\tadds\tx8, x8, x13\n\tadcs\tx9, x9, x12\n\tadc\tx10, x10, xzr // At this point acc2 has the value of 4 at most\n\tmov\tx11, v22.d[0]\n\tmov\tx12, v22.d[1]\n\tadds\tx8, x8, x11\n\tadcs\tx9, x9, x12\n\tadc\tx10, x10, x15\n\tmul\tx11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0\n\tumulh\tx12, x8, x16\n\tmul\tx13, x9, x16\n\tumulh\tx14, x9, x16\n\tadds\tx12, x12, x13\n\tmul\tx13, x10, x16\n\tadc\tx13, x13, x14\n\tmul\tx14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0]\n\tumulh\tx8, x8, x17\n\tadds\tx12, x12, x14\n\tmul\tx14, x9, x17\n\tumulh\tx9, x9, x17\n\tadcs\tx14, x14, x8\n\tmul\tx10, x10, x17\n\tadc\tx10, x10, x9\n\tadds\tx13, x13, x14\n\tadc\tx14, x10, xzr\n\tand\tx10, x13, #3 // At this point acc2 is 2 bits at most (value of 3)\n\tand\tx8, x13, #-4\n\textr\tx13, x14, x13, #2\n\tadds\tx8, x8, x11\n\tlsr\tx11, x14, #2\n\tadc\tx9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits\n\tadds\tx8, x8, x13\n\tadcs\tx9, x9, x12\n\tadc\tx10, x10, xzr // At this point acc2 has the value of 4 at most\n\tmov\tx11, v23.d[0]\n\tmov\tx12, v23.d[1]\n\tadds\tx8, x8, x11\n\tadcs\tx9, x9, x12\n\tadc\tx10, x10, x15\n\tmul\tx11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0\n\tumulh\tx12, x8, x16\n\tmul\tx13, x9, x16\n\tumulh\tx14, x9, x16\n\tadds\tx12, x12, x13\n\tmul\tx13, x10, x16\n\tadc\tx13, x13, x14\n\tmul\tx14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0]\n\tumulh\tx8, x8, x17\n\tadds\tx12, x12, x14\n\tmul\tx14, x9, x17\n\tumulh\tx9, x9, x17\n\tadcs\tx14, x14, x8\n\tmul\tx10, x10, x17\n\tadc\tx10, x10, x9\n\tadds\tx13, x13, x14\n\tadc\tx14, x10, xzr\n\tand\tx10, x13, #3 // At this point acc2 is 2 bits at most (value of 3)\n\tand\tx8, x13, #-4\n\textr\tx13, x14, x13, #2\n\tadds\tx8, x8, x11\n\tlsr\tx11, x14, #2\n\tadc\tx9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits\n\tadds\tx8, x8, x13\n\tadcs\tx9, x9, x12\n\tadc\tx10, x10, xzr // At this point acc2 has the value of 4 at most\n\n\teor\tv20.16b, v20.16b, v0.16b\n\teor\tv21.16b, v21.16b, v5.16b\n\teor\tv22.16b, v22.16b, v10.16b\n\teor\tv23.16b, v23.16b, v15.16b\n\n\tst1\t{v20.16b - v23.16b}, [x0], #64\n\n\tsub\tx2, x2, #64\n\n\tmov\tv0.16b, v1.16b\n\tmov\tv5.16b, v6.16b\n\tmov\tv10.16b, v11.16b\n\tmov\tv15.16b, v16.16b\n\nLopen_128_store_64:\n\n\tlsr\tx4, x2, #4\n\tmov\tx3, x1\n\nLopen_128_hash_64:\n\tcbz\tx4, Lopen_tail_64_store\n\tldp\tx11, x12, [x3], 16\n\tadds\tx8, x8, x11\n\tadcs\tx9, x9, x12\n\tadc\tx10, x10, x15\n\tmul\tx11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0\n\tumulh\tx12, x8, x16\n\tmul\tx13, x9, x16\n\tumulh\tx14, x9, x16\n\tadds\tx12, x12, x13\n\tmul\tx13, x10, x16\n\tadc\tx13, x13, x14\n\tmul\tx14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0]\n\tumulh\tx8, x8, x17\n\tadds\tx12, x12, x14\n\tmul\tx14, x9, x17\n\tumulh\tx9, x9, x17\n\tadcs\tx14, x14, x8\n\tmul\tx10, x10, x17\n\tadc\tx10, x10, x9\n\tadds\tx13, x13, x14\n\tadc\tx14, x10, xzr\n\tand\tx10, x13, #3 // At this point acc2 is 2 bits at most (value of 3)\n\tand\tx8, x13, #-4\n\textr\tx13, x14, x13, #2\n\tadds\tx8, x8, x11\n\tlsr\tx11, x14, #2\n\tadc\tx9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits\n\tadds\tx8, x8, x13\n\tadcs\tx9, x9, x12\n\tadc\tx10, x10, xzr // At this point acc2 has the value of 4 at most\n\tsub\tx4, x4, #1\n\tb\tLopen_128_hash_64\n.cfi_endproc\n\n#endif // !OPENSSL_NO_ASM && defined(OPENSSL_AARCH64) && defined(_WIN32)\n#if defined(__linux__) && defined(__ELF__)\n.section .note.GNU-stack,\"\",%progbits\n#endif\n\n" }, { "path": "Sources/CNIOBoringSSL/gen/crypto/chacha20_poly1305_x86_64-apple.S", "content": "#define BORINGSSL_PREFIX CNIOBoringSSL\n// This file is generated from a similarly-named Perl script in the BoringSSL\n// source tree. Do not edit by hand.\n\n#include \n\n#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86_64) && defined(__APPLE__)\n.section\t__DATA,__const\n.p2align\t6\nchacha20_poly1305_constants:\nL$chacha20_consts:\n.byte\t'e','x','p','a','n','d',' ','3','2','-','b','y','t','e',' ','k'\n.byte\t'e','x','p','a','n','d',' ','3','2','-','b','y','t','e',' ','k'\nL$rol8:\n.byte\t3,0,1,2, 7,4,5,6, 11,8,9,10, 15,12,13,14\n.byte\t3,0,1,2, 7,4,5,6, 11,8,9,10, 15,12,13,14\nL$rol16:\n.byte\t2,3,0,1, 6,7,4,5, 10,11,8,9, 14,15,12,13\n.byte\t2,3,0,1, 6,7,4,5, 10,11,8,9, 14,15,12,13\nL$avx2_init:\n.long\t0,0,0,0\nL$sse_inc:\n.long\t1,0,0,0\nL$avx2_inc:\n.long\t2,0,0,0,2,0,0,0\nL$clamp:\n.quad\t0x0FFFFFFC0FFFFFFF, 0x0FFFFFFC0FFFFFFC\n.quad\t0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF\n.p2align\t4\nL$and_masks:\n.byte\t0xff,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00\n.byte\t0xff,0xff,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00\n.byte\t0xff,0xff,0xff,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00\n.byte\t0xff,0xff,0xff,0xff,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00\n.byte\t0xff,0xff,0xff,0xff,0xff,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00\n.byte\t0xff,0xff,0xff,0xff,0xff,0xff,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00\n.byte\t0xff,0xff,0xff,0xff,0xff,0xff,0xff,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00\n.byte\t0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00\n.byte\t0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0x00,0x00,0x00,0x00,0x00,0x00,0x00\n.byte\t0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0x00,0x00,0x00,0x00,0x00,0x00\n.byte\t0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0x00,0x00,0x00,0x00,0x00\n.byte\t0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0x00,0x00,0x00,0x00\n.byte\t0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0x00,0x00,0x00\n.byte\t0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0x00,0x00\n.byte\t0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0x00\n.byte\t0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff\n.text\t\n\n\n.p2align\t6\npoly_hash_ad_internal:\n\n\n\txorq\t%r10,%r10\n\txorq\t%r11,%r11\n\txorq\t%r12,%r12\n\tcmpq\t$13,%r8\n\tjne\tL$hash_ad_loop\nL$poly_fast_tls_ad:\n\n\tmovq\t(%rcx),%r10\n\tmovq\t5(%rcx),%r11\n\tshrq\t$24,%r11\n\tmovq\t$1,%r12\n\tmovq\t0+0+0(%rbp),%rax\n\tmovq\t%rax,%r15\n\tmulq\t%r10\n\tmovq\t%rax,%r13\n\tmovq\t%rdx,%r14\n\tmovq\t0+0+0(%rbp),%rax\n\tmulq\t%r11\n\timulq\t%r12,%r15\n\taddq\t%rax,%r14\n\tadcq\t%rdx,%r15\n\tmovq\t8+0+0(%rbp),%rax\n\tmovq\t%rax,%r9\n\tmulq\t%r10\n\taddq\t%rax,%r14\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r10\n\tmovq\t8+0+0(%rbp),%rax\n\tmulq\t%r11\n\taddq\t%rax,%r15\n\tadcq\t$0,%rdx\n\timulq\t%r12,%r9\n\taddq\t%r10,%r15\n\tadcq\t%rdx,%r9\n\tmovq\t%r13,%r10\n\tmovq\t%r14,%r11\n\tmovq\t%r15,%r12\n\tandq\t$3,%r12\n\tmovq\t%r15,%r13\n\tandq\t$-4,%r13\n\tmovq\t%r9,%r14\n\tshrdq\t$2,%r9,%r15\n\tshrq\t$2,%r9\n\taddq\t%r13,%r15\n\tadcq\t%r14,%r9\n\taddq\t%r15,%r10\n\tadcq\t%r9,%r11\n\tadcq\t$0,%r12\n\n\tret\nL$hash_ad_loop:\n\n\tcmpq\t$16,%r8\n\tjb\tL$hash_ad_tail\n\taddq\t0+0(%rcx),%r10\n\tadcq\t8+0(%rcx),%r11\n\tadcq\t$1,%r12\n\tmovq\t0+0+0(%rbp),%rax\n\tmovq\t%rax,%r15\n\tmulq\t%r10\n\tmovq\t%rax,%r13\n\tmovq\t%rdx,%r14\n\tmovq\t0+0+0(%rbp),%rax\n\tmulq\t%r11\n\timulq\t%r12,%r15\n\taddq\t%rax,%r14\n\tadcq\t%rdx,%r15\n\tmovq\t8+0+0(%rbp),%rax\n\tmovq\t%rax,%r9\n\tmulq\t%r10\n\taddq\t%rax,%r14\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r10\n\tmovq\t8+0+0(%rbp),%rax\n\tmulq\t%r11\n\taddq\t%rax,%r15\n\tadcq\t$0,%rdx\n\timulq\t%r12,%r9\n\taddq\t%r10,%r15\n\tadcq\t%rdx,%r9\n\tmovq\t%r13,%r10\n\tmovq\t%r14,%r11\n\tmovq\t%r15,%r12\n\tandq\t$3,%r12\n\tmovq\t%r15,%r13\n\tandq\t$-4,%r13\n\tmovq\t%r9,%r14\n\tshrdq\t$2,%r9,%r15\n\tshrq\t$2,%r9\n\taddq\t%r13,%r15\n\tadcq\t%r14,%r9\n\taddq\t%r15,%r10\n\tadcq\t%r9,%r11\n\tadcq\t$0,%r12\n\n\tleaq\t16(%rcx),%rcx\n\tsubq\t$16,%r8\n\tjmp\tL$hash_ad_loop\nL$hash_ad_tail:\n\tcmpq\t$0,%r8\n\tje\tL$hash_ad_done\n\n\txorq\t%r13,%r13\n\txorq\t%r14,%r14\n\txorq\t%r15,%r15\n\taddq\t%r8,%rcx\nL$hash_ad_tail_loop:\n\tshldq\t$8,%r13,%r14\n\tshlq\t$8,%r13\n\tmovzbq\t-1(%rcx),%r15\n\txorq\t%r15,%r13\n\tdecq\t%rcx\n\tdecq\t%r8\n\tjne\tL$hash_ad_tail_loop\n\n\taddq\t%r13,%r10\n\tadcq\t%r14,%r11\n\tadcq\t$1,%r12\n\tmovq\t0+0+0(%rbp),%rax\n\tmovq\t%rax,%r15\n\tmulq\t%r10\n\tmovq\t%rax,%r13\n\tmovq\t%rdx,%r14\n\tmovq\t0+0+0(%rbp),%rax\n\tmulq\t%r11\n\timulq\t%r12,%r15\n\taddq\t%rax,%r14\n\tadcq\t%rdx,%r15\n\tmovq\t8+0+0(%rbp),%rax\n\tmovq\t%rax,%r9\n\tmulq\t%r10\n\taddq\t%rax,%r14\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r10\n\tmovq\t8+0+0(%rbp),%rax\n\tmulq\t%r11\n\taddq\t%rax,%r15\n\tadcq\t$0,%rdx\n\timulq\t%r12,%r9\n\taddq\t%r10,%r15\n\tadcq\t%rdx,%r9\n\tmovq\t%r13,%r10\n\tmovq\t%r14,%r11\n\tmovq\t%r15,%r12\n\tandq\t$3,%r12\n\tmovq\t%r15,%r13\n\tandq\t$-4,%r13\n\tmovq\t%r9,%r14\n\tshrdq\t$2,%r9,%r15\n\tshrq\t$2,%r9\n\taddq\t%r13,%r15\n\tadcq\t%r14,%r9\n\taddq\t%r15,%r10\n\tadcq\t%r9,%r11\n\tadcq\t$0,%r12\n\n\nL$hash_ad_done:\n\tret\n\n\n\n.globl\t_chacha20_poly1305_open_nohw\n.private_extern _chacha20_poly1305_open_nohw\n\n.p2align\t6\n_chacha20_poly1305_open_nohw:\n\n_CET_ENDBR\n\tpushq\t%rbp\n\n\tpushq\t%rbx\n\n\tpushq\t%r12\n\n\tpushq\t%r13\n\n\tpushq\t%r14\n\n\tpushq\t%r15\n\n\n\n\tpushq\t%r9\n\n\tsubq\t$288 + 0 + 32,%rsp\n\n\n\tleaq\t32(%rsp),%rbp\n\tandq\t$-32,%rbp\n\n\tmovq\t%rdx,%rbx\n\tmovq\t%r8,0+0+32(%rbp)\n\tmovq\t%rbx,8+0+32(%rbp)\n\n\tcmpq\t$128,%rbx\n\tjbe\tL$open_sse_128\n\n\tmovdqa\tL$chacha20_consts(%rip),%xmm0\n\tmovdqu\t0(%r9),%xmm4\n\tmovdqu\t16(%r9),%xmm8\n\tmovdqu\t32(%r9),%xmm12\n\n\tmovdqa\t%xmm12,%xmm7\n\n\tmovdqa\t%xmm4,0+48(%rbp)\n\tmovdqa\t%xmm8,0+64(%rbp)\n\tmovdqa\t%xmm12,0+96(%rbp)\n\tmovq\t$10,%r10\nL$open_sse_init_rounds:\n\tpaddd\t%xmm4,%xmm0\n\tpxor\t%xmm0,%xmm12\n\tpshufb\tL$rol16(%rip),%xmm12\n\tpaddd\t%xmm12,%xmm8\n\tpxor\t%xmm8,%xmm4\n\tmovdqa\t%xmm4,%xmm3\n\tpslld\t$12,%xmm3\n\tpsrld\t$20,%xmm4\n\tpxor\t%xmm3,%xmm4\n\tpaddd\t%xmm4,%xmm0\n\tpxor\t%xmm0,%xmm12\n\tpshufb\tL$rol8(%rip),%xmm12\n\tpaddd\t%xmm12,%xmm8\n\tpxor\t%xmm8,%xmm4\n\tmovdqa\t%xmm4,%xmm3\n\tpslld\t$7,%xmm3\n\tpsrld\t$25,%xmm4\n\tpxor\t%xmm3,%xmm4\n.byte\t102,15,58,15,228,4\n.byte\t102,69,15,58,15,192,8\n.byte\t102,69,15,58,15,228,12\n\tpaddd\t%xmm4,%xmm0\n\tpxor\t%xmm0,%xmm12\n\tpshufb\tL$rol16(%rip),%xmm12\n\tpaddd\t%xmm12,%xmm8\n\tpxor\t%xmm8,%xmm4\n\tmovdqa\t%xmm4,%xmm3\n\tpslld\t$12,%xmm3\n\tpsrld\t$20,%xmm4\n\tpxor\t%xmm3,%xmm4\n\tpaddd\t%xmm4,%xmm0\n\tpxor\t%xmm0,%xmm12\n\tpshufb\tL$rol8(%rip),%xmm12\n\tpaddd\t%xmm12,%xmm8\n\tpxor\t%xmm8,%xmm4\n\tmovdqa\t%xmm4,%xmm3\n\tpslld\t$7,%xmm3\n\tpsrld\t$25,%xmm4\n\tpxor\t%xmm3,%xmm4\n.byte\t102,15,58,15,228,12\n.byte\t102,69,15,58,15,192,8\n.byte\t102,69,15,58,15,228,4\n\n\tdecq\t%r10\n\tjne\tL$open_sse_init_rounds\n\n\tpaddd\tL$chacha20_consts(%rip),%xmm0\n\tpaddd\t0+48(%rbp),%xmm4\n\n\tpand\tL$clamp(%rip),%xmm0\n\tmovdqa\t%xmm0,0+0(%rbp)\n\tmovdqa\t%xmm4,0+16(%rbp)\n\n\tmovq\t%r8,%r8\n\tcall\tpoly_hash_ad_internal\nL$open_sse_main_loop:\n\tcmpq\t$256,%rbx\n\tjb\tL$open_sse_tail\n\n\tmovdqa\tL$chacha20_consts(%rip),%xmm0\n\tmovdqa\t0+48(%rbp),%xmm4\n\tmovdqa\t0+64(%rbp),%xmm8\n\tmovdqa\t%xmm0,%xmm1\n\tmovdqa\t%xmm4,%xmm5\n\tmovdqa\t%xmm8,%xmm9\n\tmovdqa\t%xmm0,%xmm2\n\tmovdqa\t%xmm4,%xmm6\n\tmovdqa\t%xmm8,%xmm10\n\tmovdqa\t%xmm0,%xmm3\n\tmovdqa\t%xmm4,%xmm7\n\tmovdqa\t%xmm8,%xmm11\n\tmovdqa\t0+96(%rbp),%xmm15\n\tpaddd\tL$sse_inc(%rip),%xmm15\n\tmovdqa\t%xmm15,%xmm14\n\tpaddd\tL$sse_inc(%rip),%xmm14\n\tmovdqa\t%xmm14,%xmm13\n\tpaddd\tL$sse_inc(%rip),%xmm13\n\tmovdqa\t%xmm13,%xmm12\n\tpaddd\tL$sse_inc(%rip),%xmm12\n\tmovdqa\t%xmm12,0+96(%rbp)\n\tmovdqa\t%xmm13,0+112(%rbp)\n\tmovdqa\t%xmm14,0+128(%rbp)\n\tmovdqa\t%xmm15,0+144(%rbp)\n\n\n\n\tmovq\t$4,%rcx\n\tmovq\t%rsi,%r8\nL$open_sse_main_loop_rounds:\n\tmovdqa\t%xmm8,0+80(%rbp)\n\tmovdqa\tL$rol16(%rip),%xmm8\n\tpaddd\t%xmm7,%xmm3\n\tpaddd\t%xmm6,%xmm2\n\tpaddd\t%xmm5,%xmm1\n\tpaddd\t%xmm4,%xmm0\n\tpxor\t%xmm3,%xmm15\n\tpxor\t%xmm2,%xmm14\n\tpxor\t%xmm1,%xmm13\n\tpxor\t%xmm0,%xmm12\n.byte\t102,69,15,56,0,248\n.byte\t102,69,15,56,0,240\n.byte\t102,69,15,56,0,232\n.byte\t102,69,15,56,0,224\n\tmovdqa\t0+80(%rbp),%xmm8\n\tpaddd\t%xmm15,%xmm11\n\tpaddd\t%xmm14,%xmm10\n\tpaddd\t%xmm13,%xmm9\n\tpaddd\t%xmm12,%xmm8\n\tpxor\t%xmm11,%xmm7\n\taddq\t0+0(%r8),%r10\n\tadcq\t8+0(%r8),%r11\n\tadcq\t$1,%r12\n\n\tleaq\t16(%r8),%r8\n\tpxor\t%xmm10,%xmm6\n\tpxor\t%xmm9,%xmm5\n\tpxor\t%xmm8,%xmm4\n\tmovdqa\t%xmm8,0+80(%rbp)\n\tmovdqa\t%xmm7,%xmm8\n\tpsrld\t$20,%xmm8\n\tpslld\t$32-20,%xmm7\n\tpxor\t%xmm8,%xmm7\n\tmovdqa\t%xmm6,%xmm8\n\tpsrld\t$20,%xmm8\n\tpslld\t$32-20,%xmm6\n\tpxor\t%xmm8,%xmm6\n\tmovdqa\t%xmm5,%xmm8\n\tpsrld\t$20,%xmm8\n\tpslld\t$32-20,%xmm5\n\tpxor\t%xmm8,%xmm5\n\tmovdqa\t%xmm4,%xmm8\n\tpsrld\t$20,%xmm8\n\tpslld\t$32-20,%xmm4\n\tpxor\t%xmm8,%xmm4\n\tmovq\t0+0+0(%rbp),%rax\n\tmovq\t%rax,%r15\n\tmulq\t%r10\n\tmovq\t%rax,%r13\n\tmovq\t%rdx,%r14\n\tmovq\t0+0+0(%rbp),%rax\n\tmulq\t%r11\n\timulq\t%r12,%r15\n\taddq\t%rax,%r14\n\tadcq\t%rdx,%r15\n\tmovdqa\tL$rol8(%rip),%xmm8\n\tpaddd\t%xmm7,%xmm3\n\tpaddd\t%xmm6,%xmm2\n\tpaddd\t%xmm5,%xmm1\n\tpaddd\t%xmm4,%xmm0\n\tpxor\t%xmm3,%xmm15\n\tpxor\t%xmm2,%xmm14\n\tpxor\t%xmm1,%xmm13\n\tpxor\t%xmm0,%xmm12\n.byte\t102,69,15,56,0,248\n.byte\t102,69,15,56,0,240\n.byte\t102,69,15,56,0,232\n.byte\t102,69,15,56,0,224\n\tmovdqa\t0+80(%rbp),%xmm8\n\tpaddd\t%xmm15,%xmm11\n\tpaddd\t%xmm14,%xmm10\n\tpaddd\t%xmm13,%xmm9\n\tpaddd\t%xmm12,%xmm8\n\tpxor\t%xmm11,%xmm7\n\tpxor\t%xmm10,%xmm6\n\tmovq\t8+0+0(%rbp),%rax\n\tmovq\t%rax,%r9\n\tmulq\t%r10\n\taddq\t%rax,%r14\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r10\n\tmovq\t8+0+0(%rbp),%rax\n\tmulq\t%r11\n\taddq\t%rax,%r15\n\tadcq\t$0,%rdx\n\tpxor\t%xmm9,%xmm5\n\tpxor\t%xmm8,%xmm4\n\tmovdqa\t%xmm8,0+80(%rbp)\n\tmovdqa\t%xmm7,%xmm8\n\tpsrld\t$25,%xmm8\n\tpslld\t$32-25,%xmm7\n\tpxor\t%xmm8,%xmm7\n\tmovdqa\t%xmm6,%xmm8\n\tpsrld\t$25,%xmm8\n\tpslld\t$32-25,%xmm6\n\tpxor\t%xmm8,%xmm6\n\tmovdqa\t%xmm5,%xmm8\n\tpsrld\t$25,%xmm8\n\tpslld\t$32-25,%xmm5\n\tpxor\t%xmm8,%xmm5\n\tmovdqa\t%xmm4,%xmm8\n\tpsrld\t$25,%xmm8\n\tpslld\t$32-25,%xmm4\n\tpxor\t%xmm8,%xmm4\n\tmovdqa\t0+80(%rbp),%xmm8\n\timulq\t%r12,%r9\n\taddq\t%r10,%r15\n\tadcq\t%rdx,%r9\n.byte\t102,15,58,15,255,4\n.byte\t102,69,15,58,15,219,8\n.byte\t102,69,15,58,15,255,12\n.byte\t102,15,58,15,246,4\n.byte\t102,69,15,58,15,210,8\n.byte\t102,69,15,58,15,246,12\n.byte\t102,15,58,15,237,4\n.byte\t102,69,15,58,15,201,8\n.byte\t102,69,15,58,15,237,12\n.byte\t102,15,58,15,228,4\n.byte\t102,69,15,58,15,192,8\n.byte\t102,69,15,58,15,228,12\n\tmovdqa\t%xmm8,0+80(%rbp)\n\tmovdqa\tL$rol16(%rip),%xmm8\n\tpaddd\t%xmm7,%xmm3\n\tpaddd\t%xmm6,%xmm2\n\tpaddd\t%xmm5,%xmm1\n\tpaddd\t%xmm4,%xmm0\n\tpxor\t%xmm3,%xmm15\n\tpxor\t%xmm2,%xmm14\n\tmovq\t%r13,%r10\n\tmovq\t%r14,%r11\n\tmovq\t%r15,%r12\n\tandq\t$3,%r12\n\tmovq\t%r15,%r13\n\tandq\t$-4,%r13\n\tmovq\t%r9,%r14\n\tshrdq\t$2,%r9,%r15\n\tshrq\t$2,%r9\n\taddq\t%r13,%r15\n\tadcq\t%r14,%r9\n\taddq\t%r15,%r10\n\tadcq\t%r9,%r11\n\tadcq\t$0,%r12\n\tpxor\t%xmm1,%xmm13\n\tpxor\t%xmm0,%xmm12\n.byte\t102,69,15,56,0,248\n.byte\t102,69,15,56,0,240\n.byte\t102,69,15,56,0,232\n.byte\t102,69,15,56,0,224\n\tmovdqa\t0+80(%rbp),%xmm8\n\tpaddd\t%xmm15,%xmm11\n\tpaddd\t%xmm14,%xmm10\n\tpaddd\t%xmm13,%xmm9\n\tpaddd\t%xmm12,%xmm8\n\tpxor\t%xmm11,%xmm7\n\tpxor\t%xmm10,%xmm6\n\tpxor\t%xmm9,%xmm5\n\tpxor\t%xmm8,%xmm4\n\tmovdqa\t%xmm8,0+80(%rbp)\n\tmovdqa\t%xmm7,%xmm8\n\tpsrld\t$20,%xmm8\n\tpslld\t$32-20,%xmm7\n\tpxor\t%xmm8,%xmm7\n\tmovdqa\t%xmm6,%xmm8\n\tpsrld\t$20,%xmm8\n\tpslld\t$32-20,%xmm6\n\tpxor\t%xmm8,%xmm6\n\tmovdqa\t%xmm5,%xmm8\n\tpsrld\t$20,%xmm8\n\tpslld\t$32-20,%xmm5\n\tpxor\t%xmm8,%xmm5\n\tmovdqa\t%xmm4,%xmm8\n\tpsrld\t$20,%xmm8\n\tpslld\t$32-20,%xmm4\n\tpxor\t%xmm8,%xmm4\n\tmovdqa\tL$rol8(%rip),%xmm8\n\tpaddd\t%xmm7,%xmm3\n\tpaddd\t%xmm6,%xmm2\n\tpaddd\t%xmm5,%xmm1\n\tpaddd\t%xmm4,%xmm0\n\tpxor\t%xmm3,%xmm15\n\tpxor\t%xmm2,%xmm14\n\tpxor\t%xmm1,%xmm13\n\tpxor\t%xmm0,%xmm12\n.byte\t102,69,15,56,0,248\n.byte\t102,69,15,56,0,240\n.byte\t102,69,15,56,0,232\n.byte\t102,69,15,56,0,224\n\tmovdqa\t0+80(%rbp),%xmm8\n\tpaddd\t%xmm15,%xmm11\n\tpaddd\t%xmm14,%xmm10\n\tpaddd\t%xmm13,%xmm9\n\tpaddd\t%xmm12,%xmm8\n\tpxor\t%xmm11,%xmm7\n\tpxor\t%xmm10,%xmm6\n\tpxor\t%xmm9,%xmm5\n\tpxor\t%xmm8,%xmm4\n\tmovdqa\t%xmm8,0+80(%rbp)\n\tmovdqa\t%xmm7,%xmm8\n\tpsrld\t$25,%xmm8\n\tpslld\t$32-25,%xmm7\n\tpxor\t%xmm8,%xmm7\n\tmovdqa\t%xmm6,%xmm8\n\tpsrld\t$25,%xmm8\n\tpslld\t$32-25,%xmm6\n\tpxor\t%xmm8,%xmm6\n\tmovdqa\t%xmm5,%xmm8\n\tpsrld\t$25,%xmm8\n\tpslld\t$32-25,%xmm5\n\tpxor\t%xmm8,%xmm5\n\tmovdqa\t%xmm4,%xmm8\n\tpsrld\t$25,%xmm8\n\tpslld\t$32-25,%xmm4\n\tpxor\t%xmm8,%xmm4\n\tmovdqa\t0+80(%rbp),%xmm8\n.byte\t102,15,58,15,255,12\n.byte\t102,69,15,58,15,219,8\n.byte\t102,69,15,58,15,255,4\n.byte\t102,15,58,15,246,12\n.byte\t102,69,15,58,15,210,8\n.byte\t102,69,15,58,15,246,4\n.byte\t102,15,58,15,237,12\n.byte\t102,69,15,58,15,201,8\n.byte\t102,69,15,58,15,237,4\n.byte\t102,15,58,15,228,12\n.byte\t102,69,15,58,15,192,8\n.byte\t102,69,15,58,15,228,4\n\n\tdecq\t%rcx\n\tjge\tL$open_sse_main_loop_rounds\n\taddq\t0+0(%r8),%r10\n\tadcq\t8+0(%r8),%r11\n\tadcq\t$1,%r12\n\tmovq\t0+0+0(%rbp),%rax\n\tmovq\t%rax,%r15\n\tmulq\t%r10\n\tmovq\t%rax,%r13\n\tmovq\t%rdx,%r14\n\tmovq\t0+0+0(%rbp),%rax\n\tmulq\t%r11\n\timulq\t%r12,%r15\n\taddq\t%rax,%r14\n\tadcq\t%rdx,%r15\n\tmovq\t8+0+0(%rbp),%rax\n\tmovq\t%rax,%r9\n\tmulq\t%r10\n\taddq\t%rax,%r14\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r10\n\tmovq\t8+0+0(%rbp),%rax\n\tmulq\t%r11\n\taddq\t%rax,%r15\n\tadcq\t$0,%rdx\n\timulq\t%r12,%r9\n\taddq\t%r10,%r15\n\tadcq\t%rdx,%r9\n\tmovq\t%r13,%r10\n\tmovq\t%r14,%r11\n\tmovq\t%r15,%r12\n\tandq\t$3,%r12\n\tmovq\t%r15,%r13\n\tandq\t$-4,%r13\n\tmovq\t%r9,%r14\n\tshrdq\t$2,%r9,%r15\n\tshrq\t$2,%r9\n\taddq\t%r13,%r15\n\tadcq\t%r14,%r9\n\taddq\t%r15,%r10\n\tadcq\t%r9,%r11\n\tadcq\t$0,%r12\n\n\tleaq\t16(%r8),%r8\n\tcmpq\t$-6,%rcx\n\tjg\tL$open_sse_main_loop_rounds\n\tpaddd\tL$chacha20_consts(%rip),%xmm3\n\tpaddd\t0+48(%rbp),%xmm7\n\tpaddd\t0+64(%rbp),%xmm11\n\tpaddd\t0+144(%rbp),%xmm15\n\tpaddd\tL$chacha20_consts(%rip),%xmm2\n\tpaddd\t0+48(%rbp),%xmm6\n\tpaddd\t0+64(%rbp),%xmm10\n\tpaddd\t0+128(%rbp),%xmm14\n\tpaddd\tL$chacha20_consts(%rip),%xmm1\n\tpaddd\t0+48(%rbp),%xmm5\n\tpaddd\t0+64(%rbp),%xmm9\n\tpaddd\t0+112(%rbp),%xmm13\n\tpaddd\tL$chacha20_consts(%rip),%xmm0\n\tpaddd\t0+48(%rbp),%xmm4\n\tpaddd\t0+64(%rbp),%xmm8\n\tpaddd\t0+96(%rbp),%xmm12\n\tmovdqa\t%xmm12,0+80(%rbp)\n\tmovdqu\t0 + 0(%rsi),%xmm12\n\tpxor\t%xmm3,%xmm12\n\tmovdqu\t%xmm12,0 + 0(%rdi)\n\tmovdqu\t16 + 0(%rsi),%xmm12\n\tpxor\t%xmm7,%xmm12\n\tmovdqu\t%xmm12,16 + 0(%rdi)\n\tmovdqu\t32 + 0(%rsi),%xmm12\n\tpxor\t%xmm11,%xmm12\n\tmovdqu\t%xmm12,32 + 0(%rdi)\n\tmovdqu\t48 + 0(%rsi),%xmm12\n\tpxor\t%xmm15,%xmm12\n\tmovdqu\t%xmm12,48 + 0(%rdi)\n\tmovdqu\t0 + 64(%rsi),%xmm3\n\tmovdqu\t16 + 64(%rsi),%xmm7\n\tmovdqu\t32 + 64(%rsi),%xmm11\n\tmovdqu\t48 + 64(%rsi),%xmm15\n\tpxor\t%xmm3,%xmm2\n\tpxor\t%xmm7,%xmm6\n\tpxor\t%xmm11,%xmm10\n\tpxor\t%xmm14,%xmm15\n\tmovdqu\t%xmm2,0 + 64(%rdi)\n\tmovdqu\t%xmm6,16 + 64(%rdi)\n\tmovdqu\t%xmm10,32 + 64(%rdi)\n\tmovdqu\t%xmm15,48 + 64(%rdi)\n\tmovdqu\t0 + 128(%rsi),%xmm3\n\tmovdqu\t16 + 128(%rsi),%xmm7\n\tmovdqu\t32 + 128(%rsi),%xmm11\n\tmovdqu\t48 + 128(%rsi),%xmm15\n\tpxor\t%xmm3,%xmm1\n\tpxor\t%xmm7,%xmm5\n\tpxor\t%xmm11,%xmm9\n\tpxor\t%xmm13,%xmm15\n\tmovdqu\t%xmm1,0 + 128(%rdi)\n\tmovdqu\t%xmm5,16 + 128(%rdi)\n\tmovdqu\t%xmm9,32 + 128(%rdi)\n\tmovdqu\t%xmm15,48 + 128(%rdi)\n\tmovdqu\t0 + 192(%rsi),%xmm3\n\tmovdqu\t16 + 192(%rsi),%xmm7\n\tmovdqu\t32 + 192(%rsi),%xmm11\n\tmovdqu\t48 + 192(%rsi),%xmm15\n\tpxor\t%xmm3,%xmm0\n\tpxor\t%xmm7,%xmm4\n\tpxor\t%xmm11,%xmm8\n\tpxor\t0+80(%rbp),%xmm15\n\tmovdqu\t%xmm0,0 + 192(%rdi)\n\tmovdqu\t%xmm4,16 + 192(%rdi)\n\tmovdqu\t%xmm8,32 + 192(%rdi)\n\tmovdqu\t%xmm15,48 + 192(%rdi)\n\n\tleaq\t256(%rsi),%rsi\n\tleaq\t256(%rdi),%rdi\n\tsubq\t$256,%rbx\n\tjmp\tL$open_sse_main_loop\nL$open_sse_tail:\n\n\ttestq\t%rbx,%rbx\n\tjz\tL$open_sse_finalize\n\tcmpq\t$192,%rbx\n\tja\tL$open_sse_tail_256\n\tcmpq\t$128,%rbx\n\tja\tL$open_sse_tail_192\n\tcmpq\t$64,%rbx\n\tja\tL$open_sse_tail_128\n\tmovdqa\tL$chacha20_consts(%rip),%xmm0\n\tmovdqa\t0+48(%rbp),%xmm4\n\tmovdqa\t0+64(%rbp),%xmm8\n\tmovdqa\t0+96(%rbp),%xmm12\n\tpaddd\tL$sse_inc(%rip),%xmm12\n\tmovdqa\t%xmm12,0+96(%rbp)\n\n\txorq\t%r8,%r8\n\tmovq\t%rbx,%rcx\n\tcmpq\t$16,%rcx\n\tjb\tL$open_sse_tail_64_rounds\nL$open_sse_tail_64_rounds_and_x1hash:\n\taddq\t0+0(%rsi,%r8,1),%r10\n\tadcq\t8+0(%rsi,%r8,1),%r11\n\tadcq\t$1,%r12\n\tmovq\t0+0+0(%rbp),%rax\n\tmovq\t%rax,%r15\n\tmulq\t%r10\n\tmovq\t%rax,%r13\n\tmovq\t%rdx,%r14\n\tmovq\t0+0+0(%rbp),%rax\n\tmulq\t%r11\n\timulq\t%r12,%r15\n\taddq\t%rax,%r14\n\tadcq\t%rdx,%r15\n\tmovq\t8+0+0(%rbp),%rax\n\tmovq\t%rax,%r9\n\tmulq\t%r10\n\taddq\t%rax,%r14\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r10\n\tmovq\t8+0+0(%rbp),%rax\n\tmulq\t%r11\n\taddq\t%rax,%r15\n\tadcq\t$0,%rdx\n\timulq\t%r12,%r9\n\taddq\t%r10,%r15\n\tadcq\t%rdx,%r9\n\tmovq\t%r13,%r10\n\tmovq\t%r14,%r11\n\tmovq\t%r15,%r12\n\tandq\t$3,%r12\n\tmovq\t%r15,%r13\n\tandq\t$-4,%r13\n\tmovq\t%r9,%r14\n\tshrdq\t$2,%r9,%r15\n\tshrq\t$2,%r9\n\taddq\t%r13,%r15\n\tadcq\t%r14,%r9\n\taddq\t%r15,%r10\n\tadcq\t%r9,%r11\n\tadcq\t$0,%r12\n\n\tsubq\t$16,%rcx\nL$open_sse_tail_64_rounds:\n\taddq\t$16,%r8\n\tpaddd\t%xmm4,%xmm0\n\tpxor\t%xmm0,%xmm12\n\tpshufb\tL$rol16(%rip),%xmm12\n\tpaddd\t%xmm12,%xmm8\n\tpxor\t%xmm8,%xmm4\n\tmovdqa\t%xmm4,%xmm3\n\tpslld\t$12,%xmm3\n\tpsrld\t$20,%xmm4\n\tpxor\t%xmm3,%xmm4\n\tpaddd\t%xmm4,%xmm0\n\tpxor\t%xmm0,%xmm12\n\tpshufb\tL$rol8(%rip),%xmm12\n\tpaddd\t%xmm12,%xmm8\n\tpxor\t%xmm8,%xmm4\n\tmovdqa\t%xmm4,%xmm3\n\tpslld\t$7,%xmm3\n\tpsrld\t$25,%xmm4\n\tpxor\t%xmm3,%xmm4\n.byte\t102,15,58,15,228,4\n.byte\t102,69,15,58,15,192,8\n.byte\t102,69,15,58,15,228,12\n\tpaddd\t%xmm4,%xmm0\n\tpxor\t%xmm0,%xmm12\n\tpshufb\tL$rol16(%rip),%xmm12\n\tpaddd\t%xmm12,%xmm8\n\tpxor\t%xmm8,%xmm4\n\tmovdqa\t%xmm4,%xmm3\n\tpslld\t$12,%xmm3\n\tpsrld\t$20,%xmm4\n\tpxor\t%xmm3,%xmm4\n\tpaddd\t%xmm4,%xmm0\n\tpxor\t%xmm0,%xmm12\n\tpshufb\tL$rol8(%rip),%xmm12\n\tpaddd\t%xmm12,%xmm8\n\tpxor\t%xmm8,%xmm4\n\tmovdqa\t%xmm4,%xmm3\n\tpslld\t$7,%xmm3\n\tpsrld\t$25,%xmm4\n\tpxor\t%xmm3,%xmm4\n.byte\t102,15,58,15,228,12\n.byte\t102,69,15,58,15,192,8\n.byte\t102,69,15,58,15,228,4\n\n\tcmpq\t$16,%rcx\n\tjae\tL$open_sse_tail_64_rounds_and_x1hash\n\tcmpq\t$160,%r8\n\tjne\tL$open_sse_tail_64_rounds\n\tpaddd\tL$chacha20_consts(%rip),%xmm0\n\tpaddd\t0+48(%rbp),%xmm4\n\tpaddd\t0+64(%rbp),%xmm8\n\tpaddd\t0+96(%rbp),%xmm12\n\n\tjmp\tL$open_sse_tail_64_dec_loop\n\nL$open_sse_tail_128:\n\tmovdqa\tL$chacha20_consts(%rip),%xmm0\n\tmovdqa\t0+48(%rbp),%xmm4\n\tmovdqa\t0+64(%rbp),%xmm8\n\tmovdqa\t%xmm0,%xmm1\n\tmovdqa\t%xmm4,%xmm5\n\tmovdqa\t%xmm8,%xmm9\n\tmovdqa\t0+96(%rbp),%xmm13\n\tpaddd\tL$sse_inc(%rip),%xmm13\n\tmovdqa\t%xmm13,%xmm12\n\tpaddd\tL$sse_inc(%rip),%xmm12\n\tmovdqa\t%xmm12,0+96(%rbp)\n\tmovdqa\t%xmm13,0+112(%rbp)\n\n\tmovq\t%rbx,%rcx\n\tandq\t$-16,%rcx\n\txorq\t%r8,%r8\nL$open_sse_tail_128_rounds_and_x1hash:\n\taddq\t0+0(%rsi,%r8,1),%r10\n\tadcq\t8+0(%rsi,%r8,1),%r11\n\tadcq\t$1,%r12\n\tmovq\t0+0+0(%rbp),%rax\n\tmovq\t%rax,%r15\n\tmulq\t%r10\n\tmovq\t%rax,%r13\n\tmovq\t%rdx,%r14\n\tmovq\t0+0+0(%rbp),%rax\n\tmulq\t%r11\n\timulq\t%r12,%r15\n\taddq\t%rax,%r14\n\tadcq\t%rdx,%r15\n\tmovq\t8+0+0(%rbp),%rax\n\tmovq\t%rax,%r9\n\tmulq\t%r10\n\taddq\t%rax,%r14\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r10\n\tmovq\t8+0+0(%rbp),%rax\n\tmulq\t%r11\n\taddq\t%rax,%r15\n\tadcq\t$0,%rdx\n\timulq\t%r12,%r9\n\taddq\t%r10,%r15\n\tadcq\t%rdx,%r9\n\tmovq\t%r13,%r10\n\tmovq\t%r14,%r11\n\tmovq\t%r15,%r12\n\tandq\t$3,%r12\n\tmovq\t%r15,%r13\n\tandq\t$-4,%r13\n\tmovq\t%r9,%r14\n\tshrdq\t$2,%r9,%r15\n\tshrq\t$2,%r9\n\taddq\t%r13,%r15\n\tadcq\t%r14,%r9\n\taddq\t%r15,%r10\n\tadcq\t%r9,%r11\n\tadcq\t$0,%r12\n\nL$open_sse_tail_128_rounds:\n\taddq\t$16,%r8\n\tpaddd\t%xmm4,%xmm0\n\tpxor\t%xmm0,%xmm12\n\tpshufb\tL$rol16(%rip),%xmm12\n\tpaddd\t%xmm12,%xmm8\n\tpxor\t%xmm8,%xmm4\n\tmovdqa\t%xmm4,%xmm3\n\tpslld\t$12,%xmm3\n\tpsrld\t$20,%xmm4\n\tpxor\t%xmm3,%xmm4\n\tpaddd\t%xmm4,%xmm0\n\tpxor\t%xmm0,%xmm12\n\tpshufb\tL$rol8(%rip),%xmm12\n\tpaddd\t%xmm12,%xmm8\n\tpxor\t%xmm8,%xmm4\n\tmovdqa\t%xmm4,%xmm3\n\tpslld\t$7,%xmm3\n\tpsrld\t$25,%xmm4\n\tpxor\t%xmm3,%xmm4\n.byte\t102,15,58,15,228,4\n.byte\t102,69,15,58,15,192,8\n.byte\t102,69,15,58,15,228,12\n\tpaddd\t%xmm5,%xmm1\n\tpxor\t%xmm1,%xmm13\n\tpshufb\tL$rol16(%rip),%xmm13\n\tpaddd\t%xmm13,%xmm9\n\tpxor\t%xmm9,%xmm5\n\tmovdqa\t%xmm5,%xmm3\n\tpslld\t$12,%xmm3\n\tpsrld\t$20,%xmm5\n\tpxor\t%xmm3,%xmm5\n\tpaddd\t%xmm5,%xmm1\n\tpxor\t%xmm1,%xmm13\n\tpshufb\tL$rol8(%rip),%xmm13\n\tpaddd\t%xmm13,%xmm9\n\tpxor\t%xmm9,%xmm5\n\tmovdqa\t%xmm5,%xmm3\n\tpslld\t$7,%xmm3\n\tpsrld\t$25,%xmm5\n\tpxor\t%xmm3,%xmm5\n.byte\t102,15,58,15,237,4\n.byte\t102,69,15,58,15,201,8\n.byte\t102,69,15,58,15,237,12\n\tpaddd\t%xmm4,%xmm0\n\tpxor\t%xmm0,%xmm12\n\tpshufb\tL$rol16(%rip),%xmm12\n\tpaddd\t%xmm12,%xmm8\n\tpxor\t%xmm8,%xmm4\n\tmovdqa\t%xmm4,%xmm3\n\tpslld\t$12,%xmm3\n\tpsrld\t$20,%xmm4\n\tpxor\t%xmm3,%xmm4\n\tpaddd\t%xmm4,%xmm0\n\tpxor\t%xmm0,%xmm12\n\tpshufb\tL$rol8(%rip),%xmm12\n\tpaddd\t%xmm12,%xmm8\n\tpxor\t%xmm8,%xmm4\n\tmovdqa\t%xmm4,%xmm3\n\tpslld\t$7,%xmm3\n\tpsrld\t$25,%xmm4\n\tpxor\t%xmm3,%xmm4\n.byte\t102,15,58,15,228,12\n.byte\t102,69,15,58,15,192,8\n.byte\t102,69,15,58,15,228,4\n\tpaddd\t%xmm5,%xmm1\n\tpxor\t%xmm1,%xmm13\n\tpshufb\tL$rol16(%rip),%xmm13\n\tpaddd\t%xmm13,%xmm9\n\tpxor\t%xmm9,%xmm5\n\tmovdqa\t%xmm5,%xmm3\n\tpslld\t$12,%xmm3\n\tpsrld\t$20,%xmm5\n\tpxor\t%xmm3,%xmm5\n\tpaddd\t%xmm5,%xmm1\n\tpxor\t%xmm1,%xmm13\n\tpshufb\tL$rol8(%rip),%xmm13\n\tpaddd\t%xmm13,%xmm9\n\tpxor\t%xmm9,%xmm5\n\tmovdqa\t%xmm5,%xmm3\n\tpslld\t$7,%xmm3\n\tpsrld\t$25,%xmm5\n\tpxor\t%xmm3,%xmm5\n.byte\t102,15,58,15,237,12\n.byte\t102,69,15,58,15,201,8\n.byte\t102,69,15,58,15,237,4\n\n\tcmpq\t%rcx,%r8\n\tjb\tL$open_sse_tail_128_rounds_and_x1hash\n\tcmpq\t$160,%r8\n\tjne\tL$open_sse_tail_128_rounds\n\tpaddd\tL$chacha20_consts(%rip),%xmm1\n\tpaddd\t0+48(%rbp),%xmm5\n\tpaddd\t0+64(%rbp),%xmm9\n\tpaddd\t0+112(%rbp),%xmm13\n\tpaddd\tL$chacha20_consts(%rip),%xmm0\n\tpaddd\t0+48(%rbp),%xmm4\n\tpaddd\t0+64(%rbp),%xmm8\n\tpaddd\t0+96(%rbp),%xmm12\n\tmovdqu\t0 + 0(%rsi),%xmm3\n\tmovdqu\t16 + 0(%rsi),%xmm7\n\tmovdqu\t32 + 0(%rsi),%xmm11\n\tmovdqu\t48 + 0(%rsi),%xmm15\n\tpxor\t%xmm3,%xmm1\n\tpxor\t%xmm7,%xmm5\n\tpxor\t%xmm11,%xmm9\n\tpxor\t%xmm13,%xmm15\n\tmovdqu\t%xmm1,0 + 0(%rdi)\n\tmovdqu\t%xmm5,16 + 0(%rdi)\n\tmovdqu\t%xmm9,32 + 0(%rdi)\n\tmovdqu\t%xmm15,48 + 0(%rdi)\n\n\tsubq\t$64,%rbx\n\tleaq\t64(%rsi),%rsi\n\tleaq\t64(%rdi),%rdi\n\tjmp\tL$open_sse_tail_64_dec_loop\n\nL$open_sse_tail_192:\n\tmovdqa\tL$chacha20_consts(%rip),%xmm0\n\tmovdqa\t0+48(%rbp),%xmm4\n\tmovdqa\t0+64(%rbp),%xmm8\n\tmovdqa\t%xmm0,%xmm1\n\tmovdqa\t%xmm4,%xmm5\n\tmovdqa\t%xmm8,%xmm9\n\tmovdqa\t%xmm0,%xmm2\n\tmovdqa\t%xmm4,%xmm6\n\tmovdqa\t%xmm8,%xmm10\n\tmovdqa\t0+96(%rbp),%xmm14\n\tpaddd\tL$sse_inc(%rip),%xmm14\n\tmovdqa\t%xmm14,%xmm13\n\tpaddd\tL$sse_inc(%rip),%xmm13\n\tmovdqa\t%xmm13,%xmm12\n\tpaddd\tL$sse_inc(%rip),%xmm12\n\tmovdqa\t%xmm12,0+96(%rbp)\n\tmovdqa\t%xmm13,0+112(%rbp)\n\tmovdqa\t%xmm14,0+128(%rbp)\n\n\tmovq\t%rbx,%rcx\n\tmovq\t$160,%r8\n\tcmpq\t$160,%rcx\n\tcmovgq\t%r8,%rcx\n\tandq\t$-16,%rcx\n\txorq\t%r8,%r8\nL$open_sse_tail_192_rounds_and_x1hash:\n\taddq\t0+0(%rsi,%r8,1),%r10\n\tadcq\t8+0(%rsi,%r8,1),%r11\n\tadcq\t$1,%r12\n\tmovq\t0+0+0(%rbp),%rax\n\tmovq\t%rax,%r15\n\tmulq\t%r10\n\tmovq\t%rax,%r13\n\tmovq\t%rdx,%r14\n\tmovq\t0+0+0(%rbp),%rax\n\tmulq\t%r11\n\timulq\t%r12,%r15\n\taddq\t%rax,%r14\n\tadcq\t%rdx,%r15\n\tmovq\t8+0+0(%rbp),%rax\n\tmovq\t%rax,%r9\n\tmulq\t%r10\n\taddq\t%rax,%r14\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r10\n\tmovq\t8+0+0(%rbp),%rax\n\tmulq\t%r11\n\taddq\t%rax,%r15\n\tadcq\t$0,%rdx\n\timulq\t%r12,%r9\n\taddq\t%r10,%r15\n\tadcq\t%rdx,%r9\n\tmovq\t%r13,%r10\n\tmovq\t%r14,%r11\n\tmovq\t%r15,%r12\n\tandq\t$3,%r12\n\tmovq\t%r15,%r13\n\tandq\t$-4,%r13\n\tmovq\t%r9,%r14\n\tshrdq\t$2,%r9,%r15\n\tshrq\t$2,%r9\n\taddq\t%r13,%r15\n\tadcq\t%r14,%r9\n\taddq\t%r15,%r10\n\tadcq\t%r9,%r11\n\tadcq\t$0,%r12\n\nL$open_sse_tail_192_rounds:\n\taddq\t$16,%r8\n\tpaddd\t%xmm4,%xmm0\n\tpxor\t%xmm0,%xmm12\n\tpshufb\tL$rol16(%rip),%xmm12\n\tpaddd\t%xmm12,%xmm8\n\tpxor\t%xmm8,%xmm4\n\tmovdqa\t%xmm4,%xmm3\n\tpslld\t$12,%xmm3\n\tpsrld\t$20,%xmm4\n\tpxor\t%xmm3,%xmm4\n\tpaddd\t%xmm4,%xmm0\n\tpxor\t%xmm0,%xmm12\n\tpshufb\tL$rol8(%rip),%xmm12\n\tpaddd\t%xmm12,%xmm8\n\tpxor\t%xmm8,%xmm4\n\tmovdqa\t%xmm4,%xmm3\n\tpslld\t$7,%xmm3\n\tpsrld\t$25,%xmm4\n\tpxor\t%xmm3,%xmm4\n.byte\t102,15,58,15,228,4\n.byte\t102,69,15,58,15,192,8\n.byte\t102,69,15,58,15,228,12\n\tpaddd\t%xmm5,%xmm1\n\tpxor\t%xmm1,%xmm13\n\tpshufb\tL$rol16(%rip),%xmm13\n\tpaddd\t%xmm13,%xmm9\n\tpxor\t%xmm9,%xmm5\n\tmovdqa\t%xmm5,%xmm3\n\tpslld\t$12,%xmm3\n\tpsrld\t$20,%xmm5\n\tpxor\t%xmm3,%xmm5\n\tpaddd\t%xmm5,%xmm1\n\tpxor\t%xmm1,%xmm13\n\tpshufb\tL$rol8(%rip),%xmm13\n\tpaddd\t%xmm13,%xmm9\n\tpxor\t%xmm9,%xmm5\n\tmovdqa\t%xmm5,%xmm3\n\tpslld\t$7,%xmm3\n\tpsrld\t$25,%xmm5\n\tpxor\t%xmm3,%xmm5\n.byte\t102,15,58,15,237,4\n.byte\t102,69,15,58,15,201,8\n.byte\t102,69,15,58,15,237,12\n\tpaddd\t%xmm6,%xmm2\n\tpxor\t%xmm2,%xmm14\n\tpshufb\tL$rol16(%rip),%xmm14\n\tpaddd\t%xmm14,%xmm10\n\tpxor\t%xmm10,%xmm6\n\tmovdqa\t%xmm6,%xmm3\n\tpslld\t$12,%xmm3\n\tpsrld\t$20,%xmm6\n\tpxor\t%xmm3,%xmm6\n\tpaddd\t%xmm6,%xmm2\n\tpxor\t%xmm2,%xmm14\n\tpshufb\tL$rol8(%rip),%xmm14\n\tpaddd\t%xmm14,%xmm10\n\tpxor\t%xmm10,%xmm6\n\tmovdqa\t%xmm6,%xmm3\n\tpslld\t$7,%xmm3\n\tpsrld\t$25,%xmm6\n\tpxor\t%xmm3,%xmm6\n.byte\t102,15,58,15,246,4\n.byte\t102,69,15,58,15,210,8\n.byte\t102,69,15,58,15,246,12\n\tpaddd\t%xmm4,%xmm0\n\tpxor\t%xmm0,%xmm12\n\tpshufb\tL$rol16(%rip),%xmm12\n\tpaddd\t%xmm12,%xmm8\n\tpxor\t%xmm8,%xmm4\n\tmovdqa\t%xmm4,%xmm3\n\tpslld\t$12,%xmm3\n\tpsrld\t$20,%xmm4\n\tpxor\t%xmm3,%xmm4\n\tpaddd\t%xmm4,%xmm0\n\tpxor\t%xmm0,%xmm12\n\tpshufb\tL$rol8(%rip),%xmm12\n\tpaddd\t%xmm12,%xmm8\n\tpxor\t%xmm8,%xmm4\n\tmovdqa\t%xmm4,%xmm3\n\tpslld\t$7,%xmm3\n\tpsrld\t$25,%xmm4\n\tpxor\t%xmm3,%xmm4\n.byte\t102,15,58,15,228,12\n.byte\t102,69,15,58,15,192,8\n.byte\t102,69,15,58,15,228,4\n\tpaddd\t%xmm5,%xmm1\n\tpxor\t%xmm1,%xmm13\n\tpshufb\tL$rol16(%rip),%xmm13\n\tpaddd\t%xmm13,%xmm9\n\tpxor\t%xmm9,%xmm5\n\tmovdqa\t%xmm5,%xmm3\n\tpslld\t$12,%xmm3\n\tpsrld\t$20,%xmm5\n\tpxor\t%xmm3,%xmm5\n\tpaddd\t%xmm5,%xmm1\n\tpxor\t%xmm1,%xmm13\n\tpshufb\tL$rol8(%rip),%xmm13\n\tpaddd\t%xmm13,%xmm9\n\tpxor\t%xmm9,%xmm5\n\tmovdqa\t%xmm5,%xmm3\n\tpslld\t$7,%xmm3\n\tpsrld\t$25,%xmm5\n\tpxor\t%xmm3,%xmm5\n.byte\t102,15,58,15,237,12\n.byte\t102,69,15,58,15,201,8\n.byte\t102,69,15,58,15,237,4\n\tpaddd\t%xmm6,%xmm2\n\tpxor\t%xmm2,%xmm14\n\tpshufb\tL$rol16(%rip),%xmm14\n\tpaddd\t%xmm14,%xmm10\n\tpxor\t%xmm10,%xmm6\n\tmovdqa\t%xmm6,%xmm3\n\tpslld\t$12,%xmm3\n\tpsrld\t$20,%xmm6\n\tpxor\t%xmm3,%xmm6\n\tpaddd\t%xmm6,%xmm2\n\tpxor\t%xmm2,%xmm14\n\tpshufb\tL$rol8(%rip),%xmm14\n\tpaddd\t%xmm14,%xmm10\n\tpxor\t%xmm10,%xmm6\n\tmovdqa\t%xmm6,%xmm3\n\tpslld\t$7,%xmm3\n\tpsrld\t$25,%xmm6\n\tpxor\t%xmm3,%xmm6\n.byte\t102,15,58,15,246,12\n.byte\t102,69,15,58,15,210,8\n.byte\t102,69,15,58,15,246,4\n\n\tcmpq\t%rcx,%r8\n\tjb\tL$open_sse_tail_192_rounds_and_x1hash\n\tcmpq\t$160,%r8\n\tjne\tL$open_sse_tail_192_rounds\n\tcmpq\t$176,%rbx\n\tjb\tL$open_sse_tail_192_finish\n\taddq\t0+160(%rsi),%r10\n\tadcq\t8+160(%rsi),%r11\n\tadcq\t$1,%r12\n\tmovq\t0+0+0(%rbp),%rax\n\tmovq\t%rax,%r15\n\tmulq\t%r10\n\tmovq\t%rax,%r13\n\tmovq\t%rdx,%r14\n\tmovq\t0+0+0(%rbp),%rax\n\tmulq\t%r11\n\timulq\t%r12,%r15\n\taddq\t%rax,%r14\n\tadcq\t%rdx,%r15\n\tmovq\t8+0+0(%rbp),%rax\n\tmovq\t%rax,%r9\n\tmulq\t%r10\n\taddq\t%rax,%r14\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r10\n\tmovq\t8+0+0(%rbp),%rax\n\tmulq\t%r11\n\taddq\t%rax,%r15\n\tadcq\t$0,%rdx\n\timulq\t%r12,%r9\n\taddq\t%r10,%r15\n\tadcq\t%rdx,%r9\n\tmovq\t%r13,%r10\n\tmovq\t%r14,%r11\n\tmovq\t%r15,%r12\n\tandq\t$3,%r12\n\tmovq\t%r15,%r13\n\tandq\t$-4,%r13\n\tmovq\t%r9,%r14\n\tshrdq\t$2,%r9,%r15\n\tshrq\t$2,%r9\n\taddq\t%r13,%r15\n\tadcq\t%r14,%r9\n\taddq\t%r15,%r10\n\tadcq\t%r9,%r11\n\tadcq\t$0,%r12\n\n\tcmpq\t$192,%rbx\n\tjb\tL$open_sse_tail_192_finish\n\taddq\t0+176(%rsi),%r10\n\tadcq\t8+176(%rsi),%r11\n\tadcq\t$1,%r12\n\tmovq\t0+0+0(%rbp),%rax\n\tmovq\t%rax,%r15\n\tmulq\t%r10\n\tmovq\t%rax,%r13\n\tmovq\t%rdx,%r14\n\tmovq\t0+0+0(%rbp),%rax\n\tmulq\t%r11\n\timulq\t%r12,%r15\n\taddq\t%rax,%r14\n\tadcq\t%rdx,%r15\n\tmovq\t8+0+0(%rbp),%rax\n\tmovq\t%rax,%r9\n\tmulq\t%r10\n\taddq\t%rax,%r14\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r10\n\tmovq\t8+0+0(%rbp),%rax\n\tmulq\t%r11\n\taddq\t%rax,%r15\n\tadcq\t$0,%rdx\n\timulq\t%r12,%r9\n\taddq\t%r10,%r15\n\tadcq\t%rdx,%r9\n\tmovq\t%r13,%r10\n\tmovq\t%r14,%r11\n\tmovq\t%r15,%r12\n\tandq\t$3,%r12\n\tmovq\t%r15,%r13\n\tandq\t$-4,%r13\n\tmovq\t%r9,%r14\n\tshrdq\t$2,%r9,%r15\n\tshrq\t$2,%r9\n\taddq\t%r13,%r15\n\tadcq\t%r14,%r9\n\taddq\t%r15,%r10\n\tadcq\t%r9,%r11\n\tadcq\t$0,%r12\n\nL$open_sse_tail_192_finish:\n\tpaddd\tL$chacha20_consts(%rip),%xmm2\n\tpaddd\t0+48(%rbp),%xmm6\n\tpaddd\t0+64(%rbp),%xmm10\n\tpaddd\t0+128(%rbp),%xmm14\n\tpaddd\tL$chacha20_consts(%rip),%xmm1\n\tpaddd\t0+48(%rbp),%xmm5\n\tpaddd\t0+64(%rbp),%xmm9\n\tpaddd\t0+112(%rbp),%xmm13\n\tpaddd\tL$chacha20_consts(%rip),%xmm0\n\tpaddd\t0+48(%rbp),%xmm4\n\tpaddd\t0+64(%rbp),%xmm8\n\tpaddd\t0+96(%rbp),%xmm12\n\tmovdqu\t0 + 0(%rsi),%xmm3\n\tmovdqu\t16 + 0(%rsi),%xmm7\n\tmovdqu\t32 + 0(%rsi),%xmm11\n\tmovdqu\t48 + 0(%rsi),%xmm15\n\tpxor\t%xmm3,%xmm2\n\tpxor\t%xmm7,%xmm6\n\tpxor\t%xmm11,%xmm10\n\tpxor\t%xmm14,%xmm15\n\tmovdqu\t%xmm2,0 + 0(%rdi)\n\tmovdqu\t%xmm6,16 + 0(%rdi)\n\tmovdqu\t%xmm10,32 + 0(%rdi)\n\tmovdqu\t%xmm15,48 + 0(%rdi)\n\tmovdqu\t0 + 64(%rsi),%xmm3\n\tmovdqu\t16 + 64(%rsi),%xmm7\n\tmovdqu\t32 + 64(%rsi),%xmm11\n\tmovdqu\t48 + 64(%rsi),%xmm15\n\tpxor\t%xmm3,%xmm1\n\tpxor\t%xmm7,%xmm5\n\tpxor\t%xmm11,%xmm9\n\tpxor\t%xmm13,%xmm15\n\tmovdqu\t%xmm1,0 + 64(%rdi)\n\tmovdqu\t%xmm5,16 + 64(%rdi)\n\tmovdqu\t%xmm9,32 + 64(%rdi)\n\tmovdqu\t%xmm15,48 + 64(%rdi)\n\n\tsubq\t$128,%rbx\n\tleaq\t128(%rsi),%rsi\n\tleaq\t128(%rdi),%rdi\n\tjmp\tL$open_sse_tail_64_dec_loop\n\nL$open_sse_tail_256:\n\tmovdqa\tL$chacha20_consts(%rip),%xmm0\n\tmovdqa\t0+48(%rbp),%xmm4\n\tmovdqa\t0+64(%rbp),%xmm8\n\tmovdqa\t%xmm0,%xmm1\n\tmovdqa\t%xmm4,%xmm5\n\tmovdqa\t%xmm8,%xmm9\n\tmovdqa\t%xmm0,%xmm2\n\tmovdqa\t%xmm4,%xmm6\n\tmovdqa\t%xmm8,%xmm10\n\tmovdqa\t%xmm0,%xmm3\n\tmovdqa\t%xmm4,%xmm7\n\tmovdqa\t%xmm8,%xmm11\n\tmovdqa\t0+96(%rbp),%xmm15\n\tpaddd\tL$sse_inc(%rip),%xmm15\n\tmovdqa\t%xmm15,%xmm14\n\tpaddd\tL$sse_inc(%rip),%xmm14\n\tmovdqa\t%xmm14,%xmm13\n\tpaddd\tL$sse_inc(%rip),%xmm13\n\tmovdqa\t%xmm13,%xmm12\n\tpaddd\tL$sse_inc(%rip),%xmm12\n\tmovdqa\t%xmm12,0+96(%rbp)\n\tmovdqa\t%xmm13,0+112(%rbp)\n\tmovdqa\t%xmm14,0+128(%rbp)\n\tmovdqa\t%xmm15,0+144(%rbp)\n\n\txorq\t%r8,%r8\nL$open_sse_tail_256_rounds_and_x1hash:\n\taddq\t0+0(%rsi,%r8,1),%r10\n\tadcq\t8+0(%rsi,%r8,1),%r11\n\tadcq\t$1,%r12\n\tmovdqa\t%xmm11,0+80(%rbp)\n\tpaddd\t%xmm4,%xmm0\n\tpxor\t%xmm0,%xmm12\n\tpshufb\tL$rol16(%rip),%xmm12\n\tpaddd\t%xmm12,%xmm8\n\tpxor\t%xmm8,%xmm4\n\tmovdqa\t%xmm4,%xmm11\n\tpslld\t$12,%xmm11\n\tpsrld\t$20,%xmm4\n\tpxor\t%xmm11,%xmm4\n\tpaddd\t%xmm4,%xmm0\n\tpxor\t%xmm0,%xmm12\n\tpshufb\tL$rol8(%rip),%xmm12\n\tpaddd\t%xmm12,%xmm8\n\tpxor\t%xmm8,%xmm4\n\tmovdqa\t%xmm4,%xmm11\n\tpslld\t$7,%xmm11\n\tpsrld\t$25,%xmm4\n\tpxor\t%xmm11,%xmm4\n.byte\t102,15,58,15,228,4\n.byte\t102,69,15,58,15,192,8\n.byte\t102,69,15,58,15,228,12\n\tpaddd\t%xmm5,%xmm1\n\tpxor\t%xmm1,%xmm13\n\tpshufb\tL$rol16(%rip),%xmm13\n\tpaddd\t%xmm13,%xmm9\n\tpxor\t%xmm9,%xmm5\n\tmovdqa\t%xmm5,%xmm11\n\tpslld\t$12,%xmm11\n\tpsrld\t$20,%xmm5\n\tpxor\t%xmm11,%xmm5\n\tpaddd\t%xmm5,%xmm1\n\tpxor\t%xmm1,%xmm13\n\tpshufb\tL$rol8(%rip),%xmm13\n\tpaddd\t%xmm13,%xmm9\n\tpxor\t%xmm9,%xmm5\n\tmovdqa\t%xmm5,%xmm11\n\tpslld\t$7,%xmm11\n\tpsrld\t$25,%xmm5\n\tpxor\t%xmm11,%xmm5\n.byte\t102,15,58,15,237,4\n.byte\t102,69,15,58,15,201,8\n.byte\t102,69,15,58,15,237,12\n\tpaddd\t%xmm6,%xmm2\n\tpxor\t%xmm2,%xmm14\n\tpshufb\tL$rol16(%rip),%xmm14\n\tpaddd\t%xmm14,%xmm10\n\tpxor\t%xmm10,%xmm6\n\tmovdqa\t%xmm6,%xmm11\n\tpslld\t$12,%xmm11\n\tpsrld\t$20,%xmm6\n\tpxor\t%xmm11,%xmm6\n\tpaddd\t%xmm6,%xmm2\n\tpxor\t%xmm2,%xmm14\n\tpshufb\tL$rol8(%rip),%xmm14\n\tpaddd\t%xmm14,%xmm10\n\tpxor\t%xmm10,%xmm6\n\tmovdqa\t%xmm6,%xmm11\n\tpslld\t$7,%xmm11\n\tpsrld\t$25,%xmm6\n\tpxor\t%xmm11,%xmm6\n.byte\t102,15,58,15,246,4\n.byte\t102,69,15,58,15,210,8\n.byte\t102,69,15,58,15,246,12\n\tmovdqa\t0+80(%rbp),%xmm11\n\tmovq\t0+0+0(%rbp),%rax\n\tmovq\t%rax,%r15\n\tmulq\t%r10\n\tmovq\t%rax,%r13\n\tmovq\t%rdx,%r14\n\tmovq\t0+0+0(%rbp),%rax\n\tmulq\t%r11\n\timulq\t%r12,%r15\n\taddq\t%rax,%r14\n\tadcq\t%rdx,%r15\n\tmovdqa\t%xmm9,0+80(%rbp)\n\tpaddd\t%xmm7,%xmm3\n\tpxor\t%xmm3,%xmm15\n\tpshufb\tL$rol16(%rip),%xmm15\n\tpaddd\t%xmm15,%xmm11\n\tpxor\t%xmm11,%xmm7\n\tmovdqa\t%xmm7,%xmm9\n\tpslld\t$12,%xmm9\n\tpsrld\t$20,%xmm7\n\tpxor\t%xmm9,%xmm7\n\tpaddd\t%xmm7,%xmm3\n\tpxor\t%xmm3,%xmm15\n\tpshufb\tL$rol8(%rip),%xmm15\n\tpaddd\t%xmm15,%xmm11\n\tpxor\t%xmm11,%xmm7\n\tmovdqa\t%xmm7,%xmm9\n\tpslld\t$7,%xmm9\n\tpsrld\t$25,%xmm7\n\tpxor\t%xmm9,%xmm7\n.byte\t102,15,58,15,255,4\n.byte\t102,69,15,58,15,219,8\n.byte\t102,69,15,58,15,255,12\n\tmovdqa\t0+80(%rbp),%xmm9\n\tmovq\t8+0+0(%rbp),%rax\n\tmovq\t%rax,%r9\n\tmulq\t%r10\n\taddq\t%rax,%r14\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r10\n\tmovq\t8+0+0(%rbp),%rax\n\tmulq\t%r11\n\taddq\t%rax,%r15\n\tadcq\t$0,%rdx\n\tmovdqa\t%xmm11,0+80(%rbp)\n\tpaddd\t%xmm4,%xmm0\n\tpxor\t%xmm0,%xmm12\n\tpshufb\tL$rol16(%rip),%xmm12\n\tpaddd\t%xmm12,%xmm8\n\tpxor\t%xmm8,%xmm4\n\tmovdqa\t%xmm4,%xmm11\n\tpslld\t$12,%xmm11\n\tpsrld\t$20,%xmm4\n\tpxor\t%xmm11,%xmm4\n\tpaddd\t%xmm4,%xmm0\n\tpxor\t%xmm0,%xmm12\n\tpshufb\tL$rol8(%rip),%xmm12\n\tpaddd\t%xmm12,%xmm8\n\tpxor\t%xmm8,%xmm4\n\tmovdqa\t%xmm4,%xmm11\n\tpslld\t$7,%xmm11\n\tpsrld\t$25,%xmm4\n\tpxor\t%xmm11,%xmm4\n.byte\t102,15,58,15,228,12\n.byte\t102,69,15,58,15,192,8\n.byte\t102,69,15,58,15,228,4\n\tpaddd\t%xmm5,%xmm1\n\tpxor\t%xmm1,%xmm13\n\tpshufb\tL$rol16(%rip),%xmm13\n\tpaddd\t%xmm13,%xmm9\n\tpxor\t%xmm9,%xmm5\n\tmovdqa\t%xmm5,%xmm11\n\tpslld\t$12,%xmm11\n\tpsrld\t$20,%xmm5\n\tpxor\t%xmm11,%xmm5\n\tpaddd\t%xmm5,%xmm1\n\tpxor\t%xmm1,%xmm13\n\tpshufb\tL$rol8(%rip),%xmm13\n\tpaddd\t%xmm13,%xmm9\n\tpxor\t%xmm9,%xmm5\n\tmovdqa\t%xmm5,%xmm11\n\tpslld\t$7,%xmm11\n\tpsrld\t$25,%xmm5\n\tpxor\t%xmm11,%xmm5\n.byte\t102,15,58,15,237,12\n.byte\t102,69,15,58,15,201,8\n.byte\t102,69,15,58,15,237,4\n\timulq\t%r12,%r9\n\taddq\t%r10,%r15\n\tadcq\t%rdx,%r9\n\tpaddd\t%xmm6,%xmm2\n\tpxor\t%xmm2,%xmm14\n\tpshufb\tL$rol16(%rip),%xmm14\n\tpaddd\t%xmm14,%xmm10\n\tpxor\t%xmm10,%xmm6\n\tmovdqa\t%xmm6,%xmm11\n\tpslld\t$12,%xmm11\n\tpsrld\t$20,%xmm6\n\tpxor\t%xmm11,%xmm6\n\tpaddd\t%xmm6,%xmm2\n\tpxor\t%xmm2,%xmm14\n\tpshufb\tL$rol8(%rip),%xmm14\n\tpaddd\t%xmm14,%xmm10\n\tpxor\t%xmm10,%xmm6\n\tmovdqa\t%xmm6,%xmm11\n\tpslld\t$7,%xmm11\n\tpsrld\t$25,%xmm6\n\tpxor\t%xmm11,%xmm6\n.byte\t102,15,58,15,246,12\n.byte\t102,69,15,58,15,210,8\n.byte\t102,69,15,58,15,246,4\n\tmovdqa\t0+80(%rbp),%xmm11\n\tmovq\t%r13,%r10\n\tmovq\t%r14,%r11\n\tmovq\t%r15,%r12\n\tandq\t$3,%r12\n\tmovq\t%r15,%r13\n\tandq\t$-4,%r13\n\tmovq\t%r9,%r14\n\tshrdq\t$2,%r9,%r15\n\tshrq\t$2,%r9\n\taddq\t%r13,%r15\n\tadcq\t%r14,%r9\n\taddq\t%r15,%r10\n\tadcq\t%r9,%r11\n\tadcq\t$0,%r12\n\tmovdqa\t%xmm9,0+80(%rbp)\n\tpaddd\t%xmm7,%xmm3\n\tpxor\t%xmm3,%xmm15\n\tpshufb\tL$rol16(%rip),%xmm15\n\tpaddd\t%xmm15,%xmm11\n\tpxor\t%xmm11,%xmm7\n\tmovdqa\t%xmm7,%xmm9\n\tpslld\t$12,%xmm9\n\tpsrld\t$20,%xmm7\n\tpxor\t%xmm9,%xmm7\n\tpaddd\t%xmm7,%xmm3\n\tpxor\t%xmm3,%xmm15\n\tpshufb\tL$rol8(%rip),%xmm15\n\tpaddd\t%xmm15,%xmm11\n\tpxor\t%xmm11,%xmm7\n\tmovdqa\t%xmm7,%xmm9\n\tpslld\t$7,%xmm9\n\tpsrld\t$25,%xmm7\n\tpxor\t%xmm9,%xmm7\n.byte\t102,15,58,15,255,12\n.byte\t102,69,15,58,15,219,8\n.byte\t102,69,15,58,15,255,4\n\tmovdqa\t0+80(%rbp),%xmm9\n\n\taddq\t$16,%r8\n\tcmpq\t$160,%r8\n\tjb\tL$open_sse_tail_256_rounds_and_x1hash\n\n\tmovq\t%rbx,%rcx\n\tandq\t$-16,%rcx\nL$open_sse_tail_256_hash:\n\taddq\t0+0(%rsi,%r8,1),%r10\n\tadcq\t8+0(%rsi,%r8,1),%r11\n\tadcq\t$1,%r12\n\tmovq\t0+0+0(%rbp),%rax\n\tmovq\t%rax,%r15\n\tmulq\t%r10\n\tmovq\t%rax,%r13\n\tmovq\t%rdx,%r14\n\tmovq\t0+0+0(%rbp),%rax\n\tmulq\t%r11\n\timulq\t%r12,%r15\n\taddq\t%rax,%r14\n\tadcq\t%rdx,%r15\n\tmovq\t8+0+0(%rbp),%rax\n\tmovq\t%rax,%r9\n\tmulq\t%r10\n\taddq\t%rax,%r14\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r10\n\tmovq\t8+0+0(%rbp),%rax\n\tmulq\t%r11\n\taddq\t%rax,%r15\n\tadcq\t$0,%rdx\n\timulq\t%r12,%r9\n\taddq\t%r10,%r15\n\tadcq\t%rdx,%r9\n\tmovq\t%r13,%r10\n\tmovq\t%r14,%r11\n\tmovq\t%r15,%r12\n\tandq\t$3,%r12\n\tmovq\t%r15,%r13\n\tandq\t$-4,%r13\n\tmovq\t%r9,%r14\n\tshrdq\t$2,%r9,%r15\n\tshrq\t$2,%r9\n\taddq\t%r13,%r15\n\tadcq\t%r14,%r9\n\taddq\t%r15,%r10\n\tadcq\t%r9,%r11\n\tadcq\t$0,%r12\n\n\taddq\t$16,%r8\n\tcmpq\t%rcx,%r8\n\tjb\tL$open_sse_tail_256_hash\n\tpaddd\tL$chacha20_consts(%rip),%xmm3\n\tpaddd\t0+48(%rbp),%xmm7\n\tpaddd\t0+64(%rbp),%xmm11\n\tpaddd\t0+144(%rbp),%xmm15\n\tpaddd\tL$chacha20_consts(%rip),%xmm2\n\tpaddd\t0+48(%rbp),%xmm6\n\tpaddd\t0+64(%rbp),%xmm10\n\tpaddd\t0+128(%rbp),%xmm14\n\tpaddd\tL$chacha20_consts(%rip),%xmm1\n\tpaddd\t0+48(%rbp),%xmm5\n\tpaddd\t0+64(%rbp),%xmm9\n\tpaddd\t0+112(%rbp),%xmm13\n\tpaddd\tL$chacha20_consts(%rip),%xmm0\n\tpaddd\t0+48(%rbp),%xmm4\n\tpaddd\t0+64(%rbp),%xmm8\n\tpaddd\t0+96(%rbp),%xmm12\n\tmovdqa\t%xmm12,0+80(%rbp)\n\tmovdqu\t0 + 0(%rsi),%xmm12\n\tpxor\t%xmm3,%xmm12\n\tmovdqu\t%xmm12,0 + 0(%rdi)\n\tmovdqu\t16 + 0(%rsi),%xmm12\n\tpxor\t%xmm7,%xmm12\n\tmovdqu\t%xmm12,16 + 0(%rdi)\n\tmovdqu\t32 + 0(%rsi),%xmm12\n\tpxor\t%xmm11,%xmm12\n\tmovdqu\t%xmm12,32 + 0(%rdi)\n\tmovdqu\t48 + 0(%rsi),%xmm12\n\tpxor\t%xmm15,%xmm12\n\tmovdqu\t%xmm12,48 + 0(%rdi)\n\tmovdqu\t0 + 64(%rsi),%xmm3\n\tmovdqu\t16 + 64(%rsi),%xmm7\n\tmovdqu\t32 + 64(%rsi),%xmm11\n\tmovdqu\t48 + 64(%rsi),%xmm15\n\tpxor\t%xmm3,%xmm2\n\tpxor\t%xmm7,%xmm6\n\tpxor\t%xmm11,%xmm10\n\tpxor\t%xmm14,%xmm15\n\tmovdqu\t%xmm2,0 + 64(%rdi)\n\tmovdqu\t%xmm6,16 + 64(%rdi)\n\tmovdqu\t%xmm10,32 + 64(%rdi)\n\tmovdqu\t%xmm15,48 + 64(%rdi)\n\tmovdqu\t0 + 128(%rsi),%xmm3\n\tmovdqu\t16 + 128(%rsi),%xmm7\n\tmovdqu\t32 + 128(%rsi),%xmm11\n\tmovdqu\t48 + 128(%rsi),%xmm15\n\tpxor\t%xmm3,%xmm1\n\tpxor\t%xmm7,%xmm5\n\tpxor\t%xmm11,%xmm9\n\tpxor\t%xmm13,%xmm15\n\tmovdqu\t%xmm1,0 + 128(%rdi)\n\tmovdqu\t%xmm5,16 + 128(%rdi)\n\tmovdqu\t%xmm9,32 + 128(%rdi)\n\tmovdqu\t%xmm15,48 + 128(%rdi)\n\n\tmovdqa\t0+80(%rbp),%xmm12\n\tsubq\t$192,%rbx\n\tleaq\t192(%rsi),%rsi\n\tleaq\t192(%rdi),%rdi\n\n\nL$open_sse_tail_64_dec_loop:\n\tcmpq\t$16,%rbx\n\tjb\tL$open_sse_tail_16_init\n\tsubq\t$16,%rbx\n\tmovdqu\t(%rsi),%xmm3\n\tpxor\t%xmm3,%xmm0\n\tmovdqu\t%xmm0,(%rdi)\n\tleaq\t16(%rsi),%rsi\n\tleaq\t16(%rdi),%rdi\n\tmovdqa\t%xmm4,%xmm0\n\tmovdqa\t%xmm8,%xmm4\n\tmovdqa\t%xmm12,%xmm8\n\tjmp\tL$open_sse_tail_64_dec_loop\nL$open_sse_tail_16_init:\n\tmovdqa\t%xmm0,%xmm1\n\n\nL$open_sse_tail_16:\n\ttestq\t%rbx,%rbx\n\tjz\tL$open_sse_finalize\n\n\n\n\tpxor\t%xmm3,%xmm3\n\tleaq\t-1(%rsi,%rbx,1),%rsi\n\tmovq\t%rbx,%r8\nL$open_sse_tail_16_compose:\n\tpslldq\t$1,%xmm3\n\tpinsrb\t$0,(%rsi),%xmm3\n\tsubq\t$1,%rsi\n\tsubq\t$1,%r8\n\tjnz\tL$open_sse_tail_16_compose\n\n.byte\t102,73,15,126,221\n\tpextrq\t$1,%xmm3,%r14\n\n\tpxor\t%xmm1,%xmm3\n\n\nL$open_sse_tail_16_extract:\n\tpextrb\t$0,%xmm3,(%rdi)\n\tpsrldq\t$1,%xmm3\n\taddq\t$1,%rdi\n\tsubq\t$1,%rbx\n\tjne\tL$open_sse_tail_16_extract\n\n\taddq\t%r13,%r10\n\tadcq\t%r14,%r11\n\tadcq\t$1,%r12\n\tmovq\t0+0+0(%rbp),%rax\n\tmovq\t%rax,%r15\n\tmulq\t%r10\n\tmovq\t%rax,%r13\n\tmovq\t%rdx,%r14\n\tmovq\t0+0+0(%rbp),%rax\n\tmulq\t%r11\n\timulq\t%r12,%r15\n\taddq\t%rax,%r14\n\tadcq\t%rdx,%r15\n\tmovq\t8+0+0(%rbp),%rax\n\tmovq\t%rax,%r9\n\tmulq\t%r10\n\taddq\t%rax,%r14\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r10\n\tmovq\t8+0+0(%rbp),%rax\n\tmulq\t%r11\n\taddq\t%rax,%r15\n\tadcq\t$0,%rdx\n\timulq\t%r12,%r9\n\taddq\t%r10,%r15\n\tadcq\t%rdx,%r9\n\tmovq\t%r13,%r10\n\tmovq\t%r14,%r11\n\tmovq\t%r15,%r12\n\tandq\t$3,%r12\n\tmovq\t%r15,%r13\n\tandq\t$-4,%r13\n\tmovq\t%r9,%r14\n\tshrdq\t$2,%r9,%r15\n\tshrq\t$2,%r9\n\taddq\t%r13,%r15\n\tadcq\t%r14,%r9\n\taddq\t%r15,%r10\n\tadcq\t%r9,%r11\n\tadcq\t$0,%r12\n\n\nL$open_sse_finalize:\n\taddq\t0+0+32(%rbp),%r10\n\tadcq\t8+0+32(%rbp),%r11\n\tadcq\t$1,%r12\n\tmovq\t0+0+0(%rbp),%rax\n\tmovq\t%rax,%r15\n\tmulq\t%r10\n\tmovq\t%rax,%r13\n\tmovq\t%rdx,%r14\n\tmovq\t0+0+0(%rbp),%rax\n\tmulq\t%r11\n\timulq\t%r12,%r15\n\taddq\t%rax,%r14\n\tadcq\t%rdx,%r15\n\tmovq\t8+0+0(%rbp),%rax\n\tmovq\t%rax,%r9\n\tmulq\t%r10\n\taddq\t%rax,%r14\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r10\n\tmovq\t8+0+0(%rbp),%rax\n\tmulq\t%r11\n\taddq\t%rax,%r15\n\tadcq\t$0,%rdx\n\timulq\t%r12,%r9\n\taddq\t%r10,%r15\n\tadcq\t%rdx,%r9\n\tmovq\t%r13,%r10\n\tmovq\t%r14,%r11\n\tmovq\t%r15,%r12\n\tandq\t$3,%r12\n\tmovq\t%r15,%r13\n\tandq\t$-4,%r13\n\tmovq\t%r9,%r14\n\tshrdq\t$2,%r9,%r15\n\tshrq\t$2,%r9\n\taddq\t%r13,%r15\n\tadcq\t%r14,%r9\n\taddq\t%r15,%r10\n\tadcq\t%r9,%r11\n\tadcq\t$0,%r12\n\n\n\tmovq\t%r10,%r13\n\tmovq\t%r11,%r14\n\tmovq\t%r12,%r15\n\tsubq\t$-5,%r10\n\tsbbq\t$-1,%r11\n\tsbbq\t$3,%r12\n\tcmovcq\t%r13,%r10\n\tcmovcq\t%r14,%r11\n\tcmovcq\t%r15,%r12\n\n\taddq\t0+0+16(%rbp),%r10\n\tadcq\t8+0+16(%rbp),%r11\n\n\n\taddq\t$288 + 0 + 32,%rsp\n\n\n\tpopq\t%r9\n\n\tmovq\t%r10,(%r9)\n\tmovq\t%r11,8(%r9)\n\tpopq\t%r15\n\n\tpopq\t%r14\n\n\tpopq\t%r13\n\n\tpopq\t%r12\n\n\tpopq\t%rbx\n\n\tpopq\t%rbp\n\n\tret\n\nL$open_sse_128:\n\n\tmovdqu\tL$chacha20_consts(%rip),%xmm0\n\tmovdqa\t%xmm0,%xmm1\n\tmovdqa\t%xmm0,%xmm2\n\tmovdqu\t0(%r9),%xmm4\n\tmovdqa\t%xmm4,%xmm5\n\tmovdqa\t%xmm4,%xmm6\n\tmovdqu\t16(%r9),%xmm8\n\tmovdqa\t%xmm8,%xmm9\n\tmovdqa\t%xmm8,%xmm10\n\tmovdqu\t32(%r9),%xmm12\n\tmovdqa\t%xmm12,%xmm13\n\tpaddd\tL$sse_inc(%rip),%xmm13\n\tmovdqa\t%xmm13,%xmm14\n\tpaddd\tL$sse_inc(%rip),%xmm14\n\tmovdqa\t%xmm4,%xmm7\n\tmovdqa\t%xmm8,%xmm11\n\tmovdqa\t%xmm13,%xmm15\n\tmovq\t$10,%r10\n\nL$open_sse_128_rounds:\n\tpaddd\t%xmm4,%xmm0\n\tpxor\t%xmm0,%xmm12\n\tpshufb\tL$rol16(%rip),%xmm12\n\tpaddd\t%xmm12,%xmm8\n\tpxor\t%xmm8,%xmm4\n\tmovdqa\t%xmm4,%xmm3\n\tpslld\t$12,%xmm3\n\tpsrld\t$20,%xmm4\n\tpxor\t%xmm3,%xmm4\n\tpaddd\t%xmm4,%xmm0\n\tpxor\t%xmm0,%xmm12\n\tpshufb\tL$rol8(%rip),%xmm12\n\tpaddd\t%xmm12,%xmm8\n\tpxor\t%xmm8,%xmm4\n\tmovdqa\t%xmm4,%xmm3\n\tpslld\t$7,%xmm3\n\tpsrld\t$25,%xmm4\n\tpxor\t%xmm3,%xmm4\n.byte\t102,15,58,15,228,4\n.byte\t102,69,15,58,15,192,8\n.byte\t102,69,15,58,15,228,12\n\tpaddd\t%xmm5,%xmm1\n\tpxor\t%xmm1,%xmm13\n\tpshufb\tL$rol16(%rip),%xmm13\n\tpaddd\t%xmm13,%xmm9\n\tpxor\t%xmm9,%xmm5\n\tmovdqa\t%xmm5,%xmm3\n\tpslld\t$12,%xmm3\n\tpsrld\t$20,%xmm5\n\tpxor\t%xmm3,%xmm5\n\tpaddd\t%xmm5,%xmm1\n\tpxor\t%xmm1,%xmm13\n\tpshufb\tL$rol8(%rip),%xmm13\n\tpaddd\t%xmm13,%xmm9\n\tpxor\t%xmm9,%xmm5\n\tmovdqa\t%xmm5,%xmm3\n\tpslld\t$7,%xmm3\n\tpsrld\t$25,%xmm5\n\tpxor\t%xmm3,%xmm5\n.byte\t102,15,58,15,237,4\n.byte\t102,69,15,58,15,201,8\n.byte\t102,69,15,58,15,237,12\n\tpaddd\t%xmm6,%xmm2\n\tpxor\t%xmm2,%xmm14\n\tpshufb\tL$rol16(%rip),%xmm14\n\tpaddd\t%xmm14,%xmm10\n\tpxor\t%xmm10,%xmm6\n\tmovdqa\t%xmm6,%xmm3\n\tpslld\t$12,%xmm3\n\tpsrld\t$20,%xmm6\n\tpxor\t%xmm3,%xmm6\n\tpaddd\t%xmm6,%xmm2\n\tpxor\t%xmm2,%xmm14\n\tpshufb\tL$rol8(%rip),%xmm14\n\tpaddd\t%xmm14,%xmm10\n\tpxor\t%xmm10,%xmm6\n\tmovdqa\t%xmm6,%xmm3\n\tpslld\t$7,%xmm3\n\tpsrld\t$25,%xmm6\n\tpxor\t%xmm3,%xmm6\n.byte\t102,15,58,15,246,4\n.byte\t102,69,15,58,15,210,8\n.byte\t102,69,15,58,15,246,12\n\tpaddd\t%xmm4,%xmm0\n\tpxor\t%xmm0,%xmm12\n\tpshufb\tL$rol16(%rip),%xmm12\n\tpaddd\t%xmm12,%xmm8\n\tpxor\t%xmm8,%xmm4\n\tmovdqa\t%xmm4,%xmm3\n\tpslld\t$12,%xmm3\n\tpsrld\t$20,%xmm4\n\tpxor\t%xmm3,%xmm4\n\tpaddd\t%xmm4,%xmm0\n\tpxor\t%xmm0,%xmm12\n\tpshufb\tL$rol8(%rip),%xmm12\n\tpaddd\t%xmm12,%xmm8\n\tpxor\t%xmm8,%xmm4\n\tmovdqa\t%xmm4,%xmm3\n\tpslld\t$7,%xmm3\n\tpsrld\t$25,%xmm4\n\tpxor\t%xmm3,%xmm4\n.byte\t102,15,58,15,228,12\n.byte\t102,69,15,58,15,192,8\n.byte\t102,69,15,58,15,228,4\n\tpaddd\t%xmm5,%xmm1\n\tpxor\t%xmm1,%xmm13\n\tpshufb\tL$rol16(%rip),%xmm13\n\tpaddd\t%xmm13,%xmm9\n\tpxor\t%xmm9,%xmm5\n\tmovdqa\t%xmm5,%xmm3\n\tpslld\t$12,%xmm3\n\tpsrld\t$20,%xmm5\n\tpxor\t%xmm3,%xmm5\n\tpaddd\t%xmm5,%xmm1\n\tpxor\t%xmm1,%xmm13\n\tpshufb\tL$rol8(%rip),%xmm13\n\tpaddd\t%xmm13,%xmm9\n\tpxor\t%xmm9,%xmm5\n\tmovdqa\t%xmm5,%xmm3\n\tpslld\t$7,%xmm3\n\tpsrld\t$25,%xmm5\n\tpxor\t%xmm3,%xmm5\n.byte\t102,15,58,15,237,12\n.byte\t102,69,15,58,15,201,8\n.byte\t102,69,15,58,15,237,4\n\tpaddd\t%xmm6,%xmm2\n\tpxor\t%xmm2,%xmm14\n\tpshufb\tL$rol16(%rip),%xmm14\n\tpaddd\t%xmm14,%xmm10\n\tpxor\t%xmm10,%xmm6\n\tmovdqa\t%xmm6,%xmm3\n\tpslld\t$12,%xmm3\n\tpsrld\t$20,%xmm6\n\tpxor\t%xmm3,%xmm6\n\tpaddd\t%xmm6,%xmm2\n\tpxor\t%xmm2,%xmm14\n\tpshufb\tL$rol8(%rip),%xmm14\n\tpaddd\t%xmm14,%xmm10\n\tpxor\t%xmm10,%xmm6\n\tmovdqa\t%xmm6,%xmm3\n\tpslld\t$7,%xmm3\n\tpsrld\t$25,%xmm6\n\tpxor\t%xmm3,%xmm6\n.byte\t102,15,58,15,246,12\n.byte\t102,69,15,58,15,210,8\n.byte\t102,69,15,58,15,246,4\n\n\tdecq\t%r10\n\tjnz\tL$open_sse_128_rounds\n\tpaddd\tL$chacha20_consts(%rip),%xmm0\n\tpaddd\tL$chacha20_consts(%rip),%xmm1\n\tpaddd\tL$chacha20_consts(%rip),%xmm2\n\tpaddd\t%xmm7,%xmm4\n\tpaddd\t%xmm7,%xmm5\n\tpaddd\t%xmm7,%xmm6\n\tpaddd\t%xmm11,%xmm9\n\tpaddd\t%xmm11,%xmm10\n\tpaddd\t%xmm15,%xmm13\n\tpaddd\tL$sse_inc(%rip),%xmm15\n\tpaddd\t%xmm15,%xmm14\n\n\tpand\tL$clamp(%rip),%xmm0\n\tmovdqa\t%xmm0,0+0(%rbp)\n\tmovdqa\t%xmm4,0+16(%rbp)\n\n\tmovq\t%r8,%r8\n\tcall\tpoly_hash_ad_internal\nL$open_sse_128_xor_hash:\n\tcmpq\t$16,%rbx\n\tjb\tL$open_sse_tail_16\n\tsubq\t$16,%rbx\n\taddq\t0+0(%rsi),%r10\n\tadcq\t8+0(%rsi),%r11\n\tadcq\t$1,%r12\n\n\n\tmovdqu\t0(%rsi),%xmm3\n\tpxor\t%xmm3,%xmm1\n\tmovdqu\t%xmm1,0(%rdi)\n\tleaq\t16(%rsi),%rsi\n\tleaq\t16(%rdi),%rdi\n\tmovq\t0+0+0(%rbp),%rax\n\tmovq\t%rax,%r15\n\tmulq\t%r10\n\tmovq\t%rax,%r13\n\tmovq\t%rdx,%r14\n\tmovq\t0+0+0(%rbp),%rax\n\tmulq\t%r11\n\timulq\t%r12,%r15\n\taddq\t%rax,%r14\n\tadcq\t%rdx,%r15\n\tmovq\t8+0+0(%rbp),%rax\n\tmovq\t%rax,%r9\n\tmulq\t%r10\n\taddq\t%rax,%r14\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r10\n\tmovq\t8+0+0(%rbp),%rax\n\tmulq\t%r11\n\taddq\t%rax,%r15\n\tadcq\t$0,%rdx\n\timulq\t%r12,%r9\n\taddq\t%r10,%r15\n\tadcq\t%rdx,%r9\n\tmovq\t%r13,%r10\n\tmovq\t%r14,%r11\n\tmovq\t%r15,%r12\n\tandq\t$3,%r12\n\tmovq\t%r15,%r13\n\tandq\t$-4,%r13\n\tmovq\t%r9,%r14\n\tshrdq\t$2,%r9,%r15\n\tshrq\t$2,%r9\n\taddq\t%r13,%r15\n\tadcq\t%r14,%r9\n\taddq\t%r15,%r10\n\tadcq\t%r9,%r11\n\tadcq\t$0,%r12\n\n\n\tmovdqa\t%xmm5,%xmm1\n\tmovdqa\t%xmm9,%xmm5\n\tmovdqa\t%xmm13,%xmm9\n\tmovdqa\t%xmm2,%xmm13\n\tmovdqa\t%xmm6,%xmm2\n\tmovdqa\t%xmm10,%xmm6\n\tmovdqa\t%xmm14,%xmm10\n\tjmp\tL$open_sse_128_xor_hash\n\n\n\n\n\n\n\n\n\n.globl\t_chacha20_poly1305_seal_nohw\n.private_extern _chacha20_poly1305_seal_nohw\n\n.p2align\t6\n_chacha20_poly1305_seal_nohw:\n\n_CET_ENDBR\n\tpushq\t%rbp\n\n\tpushq\t%rbx\n\n\tpushq\t%r12\n\n\tpushq\t%r13\n\n\tpushq\t%r14\n\n\tpushq\t%r15\n\n\n\n\tpushq\t%r9\n\n\tsubq\t$288 + 0 + 32,%rsp\n\n\tleaq\t32(%rsp),%rbp\n\tandq\t$-32,%rbp\n\n\tmovq\t56(%r9),%rbx\n\taddq\t%rdx,%rbx\n\tmovq\t%r8,0+0+32(%rbp)\n\tmovq\t%rbx,8+0+32(%rbp)\n\tmovq\t%rdx,%rbx\n\n\tcmpq\t$128,%rbx\n\tjbe\tL$seal_sse_128\n\n\tmovdqa\tL$chacha20_consts(%rip),%xmm0\n\tmovdqu\t0(%r9),%xmm4\n\tmovdqu\t16(%r9),%xmm8\n\tmovdqu\t32(%r9),%xmm12\n\n\tmovdqa\t%xmm0,%xmm1\n\tmovdqa\t%xmm0,%xmm2\n\tmovdqa\t%xmm0,%xmm3\n\tmovdqa\t%xmm4,%xmm5\n\tmovdqa\t%xmm4,%xmm6\n\tmovdqa\t%xmm4,%xmm7\n\tmovdqa\t%xmm8,%xmm9\n\tmovdqa\t%xmm8,%xmm10\n\tmovdqa\t%xmm8,%xmm11\n\tmovdqa\t%xmm12,%xmm15\n\tpaddd\tL$sse_inc(%rip),%xmm12\n\tmovdqa\t%xmm12,%xmm14\n\tpaddd\tL$sse_inc(%rip),%xmm12\n\tmovdqa\t%xmm12,%xmm13\n\tpaddd\tL$sse_inc(%rip),%xmm12\n\n\tmovdqa\t%xmm4,0+48(%rbp)\n\tmovdqa\t%xmm8,0+64(%rbp)\n\tmovdqa\t%xmm12,0+96(%rbp)\n\tmovdqa\t%xmm13,0+112(%rbp)\n\tmovdqa\t%xmm14,0+128(%rbp)\n\tmovdqa\t%xmm15,0+144(%rbp)\n\tmovq\t$10,%r10\nL$seal_sse_init_rounds:\n\tmovdqa\t%xmm8,0+80(%rbp)\n\tmovdqa\tL$rol16(%rip),%xmm8\n\tpaddd\t%xmm7,%xmm3\n\tpaddd\t%xmm6,%xmm2\n\tpaddd\t%xmm5,%xmm1\n\tpaddd\t%xmm4,%xmm0\n\tpxor\t%xmm3,%xmm15\n\tpxor\t%xmm2,%xmm14\n\tpxor\t%xmm1,%xmm13\n\tpxor\t%xmm0,%xmm12\n.byte\t102,69,15,56,0,248\n.byte\t102,69,15,56,0,240\n.byte\t102,69,15,56,0,232\n.byte\t102,69,15,56,0,224\n\tmovdqa\t0+80(%rbp),%xmm8\n\tpaddd\t%xmm15,%xmm11\n\tpaddd\t%xmm14,%xmm10\n\tpaddd\t%xmm13,%xmm9\n\tpaddd\t%xmm12,%xmm8\n\tpxor\t%xmm11,%xmm7\n\tpxor\t%xmm10,%xmm6\n\tpxor\t%xmm9,%xmm5\n\tpxor\t%xmm8,%xmm4\n\tmovdqa\t%xmm8,0+80(%rbp)\n\tmovdqa\t%xmm7,%xmm8\n\tpsrld\t$20,%xmm8\n\tpslld\t$32-20,%xmm7\n\tpxor\t%xmm8,%xmm7\n\tmovdqa\t%xmm6,%xmm8\n\tpsrld\t$20,%xmm8\n\tpslld\t$32-20,%xmm6\n\tpxor\t%xmm8,%xmm6\n\tmovdqa\t%xmm5,%xmm8\n\tpsrld\t$20,%xmm8\n\tpslld\t$32-20,%xmm5\n\tpxor\t%xmm8,%xmm5\n\tmovdqa\t%xmm4,%xmm8\n\tpsrld\t$20,%xmm8\n\tpslld\t$32-20,%xmm4\n\tpxor\t%xmm8,%xmm4\n\tmovdqa\tL$rol8(%rip),%xmm8\n\tpaddd\t%xmm7,%xmm3\n\tpaddd\t%xmm6,%xmm2\n\tpaddd\t%xmm5,%xmm1\n\tpaddd\t%xmm4,%xmm0\n\tpxor\t%xmm3,%xmm15\n\tpxor\t%xmm2,%xmm14\n\tpxor\t%xmm1,%xmm13\n\tpxor\t%xmm0,%xmm12\n.byte\t102,69,15,56,0,248\n.byte\t102,69,15,56,0,240\n.byte\t102,69,15,56,0,232\n.byte\t102,69,15,56,0,224\n\tmovdqa\t0+80(%rbp),%xmm8\n\tpaddd\t%xmm15,%xmm11\n\tpaddd\t%xmm14,%xmm10\n\tpaddd\t%xmm13,%xmm9\n\tpaddd\t%xmm12,%xmm8\n\tpxor\t%xmm11,%xmm7\n\tpxor\t%xmm10,%xmm6\n\tpxor\t%xmm9,%xmm5\n\tpxor\t%xmm8,%xmm4\n\tmovdqa\t%xmm8,0+80(%rbp)\n\tmovdqa\t%xmm7,%xmm8\n\tpsrld\t$25,%xmm8\n\tpslld\t$32-25,%xmm7\n\tpxor\t%xmm8,%xmm7\n\tmovdqa\t%xmm6,%xmm8\n\tpsrld\t$25,%xmm8\n\tpslld\t$32-25,%xmm6\n\tpxor\t%xmm8,%xmm6\n\tmovdqa\t%xmm5,%xmm8\n\tpsrld\t$25,%xmm8\n\tpslld\t$32-25,%xmm5\n\tpxor\t%xmm8,%xmm5\n\tmovdqa\t%xmm4,%xmm8\n\tpsrld\t$25,%xmm8\n\tpslld\t$32-25,%xmm4\n\tpxor\t%xmm8,%xmm4\n\tmovdqa\t0+80(%rbp),%xmm8\n.byte\t102,15,58,15,255,4\n.byte\t102,69,15,58,15,219,8\n.byte\t102,69,15,58,15,255,12\n.byte\t102,15,58,15,246,4\n.byte\t102,69,15,58,15,210,8\n.byte\t102,69,15,58,15,246,12\n.byte\t102,15,58,15,237,4\n.byte\t102,69,15,58,15,201,8\n.byte\t102,69,15,58,15,237,12\n.byte\t102,15,58,15,228,4\n.byte\t102,69,15,58,15,192,8\n.byte\t102,69,15,58,15,228,12\n\tmovdqa\t%xmm8,0+80(%rbp)\n\tmovdqa\tL$rol16(%rip),%xmm8\n\tpaddd\t%xmm7,%xmm3\n\tpaddd\t%xmm6,%xmm2\n\tpaddd\t%xmm5,%xmm1\n\tpaddd\t%xmm4,%xmm0\n\tpxor\t%xmm3,%xmm15\n\tpxor\t%xmm2,%xmm14\n\tpxor\t%xmm1,%xmm13\n\tpxor\t%xmm0,%xmm12\n.byte\t102,69,15,56,0,248\n.byte\t102,69,15,56,0,240\n.byte\t102,69,15,56,0,232\n.byte\t102,69,15,56,0,224\n\tmovdqa\t0+80(%rbp),%xmm8\n\tpaddd\t%xmm15,%xmm11\n\tpaddd\t%xmm14,%xmm10\n\tpaddd\t%xmm13,%xmm9\n\tpaddd\t%xmm12,%xmm8\n\tpxor\t%xmm11,%xmm7\n\tpxor\t%xmm10,%xmm6\n\tpxor\t%xmm9,%xmm5\n\tpxor\t%xmm8,%xmm4\n\tmovdqa\t%xmm8,0+80(%rbp)\n\tmovdqa\t%xmm7,%xmm8\n\tpsrld\t$20,%xmm8\n\tpslld\t$32-20,%xmm7\n\tpxor\t%xmm8,%xmm7\n\tmovdqa\t%xmm6,%xmm8\n\tpsrld\t$20,%xmm8\n\tpslld\t$32-20,%xmm6\n\tpxor\t%xmm8,%xmm6\n\tmovdqa\t%xmm5,%xmm8\n\tpsrld\t$20,%xmm8\n\tpslld\t$32-20,%xmm5\n\tpxor\t%xmm8,%xmm5\n\tmovdqa\t%xmm4,%xmm8\n\tpsrld\t$20,%xmm8\n\tpslld\t$32-20,%xmm4\n\tpxor\t%xmm8,%xmm4\n\tmovdqa\tL$rol8(%rip),%xmm8\n\tpaddd\t%xmm7,%xmm3\n\tpaddd\t%xmm6,%xmm2\n\tpaddd\t%xmm5,%xmm1\n\tpaddd\t%xmm4,%xmm0\n\tpxor\t%xmm3,%xmm15\n\tpxor\t%xmm2,%xmm14\n\tpxor\t%xmm1,%xmm13\n\tpxor\t%xmm0,%xmm12\n.byte\t102,69,15,56,0,248\n.byte\t102,69,15,56,0,240\n.byte\t102,69,15,56,0,232\n.byte\t102,69,15,56,0,224\n\tmovdqa\t0+80(%rbp),%xmm8\n\tpaddd\t%xmm15,%xmm11\n\tpaddd\t%xmm14,%xmm10\n\tpaddd\t%xmm13,%xmm9\n\tpaddd\t%xmm12,%xmm8\n\tpxor\t%xmm11,%xmm7\n\tpxor\t%xmm10,%xmm6\n\tpxor\t%xmm9,%xmm5\n\tpxor\t%xmm8,%xmm4\n\tmovdqa\t%xmm8,0+80(%rbp)\n\tmovdqa\t%xmm7,%xmm8\n\tpsrld\t$25,%xmm8\n\tpslld\t$32-25,%xmm7\n\tpxor\t%xmm8,%xmm7\n\tmovdqa\t%xmm6,%xmm8\n\tpsrld\t$25,%xmm8\n\tpslld\t$32-25,%xmm6\n\tpxor\t%xmm8,%xmm6\n\tmovdqa\t%xmm5,%xmm8\n\tpsrld\t$25,%xmm8\n\tpslld\t$32-25,%xmm5\n\tpxor\t%xmm8,%xmm5\n\tmovdqa\t%xmm4,%xmm8\n\tpsrld\t$25,%xmm8\n\tpslld\t$32-25,%xmm4\n\tpxor\t%xmm8,%xmm4\n\tmovdqa\t0+80(%rbp),%xmm8\n.byte\t102,15,58,15,255,12\n.byte\t102,69,15,58,15,219,8\n.byte\t102,69,15,58,15,255,4\n.byte\t102,15,58,15,246,12\n.byte\t102,69,15,58,15,210,8\n.byte\t102,69,15,58,15,246,4\n.byte\t102,15,58,15,237,12\n.byte\t102,69,15,58,15,201,8\n.byte\t102,69,15,58,15,237,4\n.byte\t102,15,58,15,228,12\n.byte\t102,69,15,58,15,192,8\n.byte\t102,69,15,58,15,228,4\n\n\tdecq\t%r10\n\tjnz\tL$seal_sse_init_rounds\n\tpaddd\tL$chacha20_consts(%rip),%xmm3\n\tpaddd\t0+48(%rbp),%xmm7\n\tpaddd\t0+64(%rbp),%xmm11\n\tpaddd\t0+144(%rbp),%xmm15\n\tpaddd\tL$chacha20_consts(%rip),%xmm2\n\tpaddd\t0+48(%rbp),%xmm6\n\tpaddd\t0+64(%rbp),%xmm10\n\tpaddd\t0+128(%rbp),%xmm14\n\tpaddd\tL$chacha20_consts(%rip),%xmm1\n\tpaddd\t0+48(%rbp),%xmm5\n\tpaddd\t0+64(%rbp),%xmm9\n\tpaddd\t0+112(%rbp),%xmm13\n\tpaddd\tL$chacha20_consts(%rip),%xmm0\n\tpaddd\t0+48(%rbp),%xmm4\n\tpaddd\t0+64(%rbp),%xmm8\n\tpaddd\t0+96(%rbp),%xmm12\n\n\n\tpand\tL$clamp(%rip),%xmm3\n\tmovdqa\t%xmm3,0+0(%rbp)\n\tmovdqa\t%xmm7,0+16(%rbp)\n\n\tmovq\t%r8,%r8\n\tcall\tpoly_hash_ad_internal\n\tmovdqu\t0 + 0(%rsi),%xmm3\n\tmovdqu\t16 + 0(%rsi),%xmm7\n\tmovdqu\t32 + 0(%rsi),%xmm11\n\tmovdqu\t48 + 0(%rsi),%xmm15\n\tpxor\t%xmm3,%xmm2\n\tpxor\t%xmm7,%xmm6\n\tpxor\t%xmm11,%xmm10\n\tpxor\t%xmm14,%xmm15\n\tmovdqu\t%xmm2,0 + 0(%rdi)\n\tmovdqu\t%xmm6,16 + 0(%rdi)\n\tmovdqu\t%xmm10,32 + 0(%rdi)\n\tmovdqu\t%xmm15,48 + 0(%rdi)\n\tmovdqu\t0 + 64(%rsi),%xmm3\n\tmovdqu\t16 + 64(%rsi),%xmm7\n\tmovdqu\t32 + 64(%rsi),%xmm11\n\tmovdqu\t48 + 64(%rsi),%xmm15\n\tpxor\t%xmm3,%xmm1\n\tpxor\t%xmm7,%xmm5\n\tpxor\t%xmm11,%xmm9\n\tpxor\t%xmm13,%xmm15\n\tmovdqu\t%xmm1,0 + 64(%rdi)\n\tmovdqu\t%xmm5,16 + 64(%rdi)\n\tmovdqu\t%xmm9,32 + 64(%rdi)\n\tmovdqu\t%xmm15,48 + 64(%rdi)\n\n\tcmpq\t$192,%rbx\n\tja\tL$seal_sse_main_init\n\tmovq\t$128,%rcx\n\tsubq\t$128,%rbx\n\tleaq\t128(%rsi),%rsi\n\tjmp\tL$seal_sse_128_tail_hash\nL$seal_sse_main_init:\n\tmovdqu\t0 + 128(%rsi),%xmm3\n\tmovdqu\t16 + 128(%rsi),%xmm7\n\tmovdqu\t32 + 128(%rsi),%xmm11\n\tmovdqu\t48 + 128(%rsi),%xmm15\n\tpxor\t%xmm3,%xmm0\n\tpxor\t%xmm7,%xmm4\n\tpxor\t%xmm11,%xmm8\n\tpxor\t%xmm12,%xmm15\n\tmovdqu\t%xmm0,0 + 128(%rdi)\n\tmovdqu\t%xmm4,16 + 128(%rdi)\n\tmovdqu\t%xmm8,32 + 128(%rdi)\n\tmovdqu\t%xmm15,48 + 128(%rdi)\n\n\tmovq\t$192,%rcx\n\tsubq\t$192,%rbx\n\tleaq\t192(%rsi),%rsi\n\tmovq\t$2,%rcx\n\tmovq\t$8,%r8\n\tcmpq\t$64,%rbx\n\tjbe\tL$seal_sse_tail_64\n\tcmpq\t$128,%rbx\n\tjbe\tL$seal_sse_tail_128\n\tcmpq\t$192,%rbx\n\tjbe\tL$seal_sse_tail_192\n\nL$seal_sse_main_loop:\n\tmovdqa\tL$chacha20_consts(%rip),%xmm0\n\tmovdqa\t0+48(%rbp),%xmm4\n\tmovdqa\t0+64(%rbp),%xmm8\n\tmovdqa\t%xmm0,%xmm1\n\tmovdqa\t%xmm4,%xmm5\n\tmovdqa\t%xmm8,%xmm9\n\tmovdqa\t%xmm0,%xmm2\n\tmovdqa\t%xmm4,%xmm6\n\tmovdqa\t%xmm8,%xmm10\n\tmovdqa\t%xmm0,%xmm3\n\tmovdqa\t%xmm4,%xmm7\n\tmovdqa\t%xmm8,%xmm11\n\tmovdqa\t0+96(%rbp),%xmm15\n\tpaddd\tL$sse_inc(%rip),%xmm15\n\tmovdqa\t%xmm15,%xmm14\n\tpaddd\tL$sse_inc(%rip),%xmm14\n\tmovdqa\t%xmm14,%xmm13\n\tpaddd\tL$sse_inc(%rip),%xmm13\n\tmovdqa\t%xmm13,%xmm12\n\tpaddd\tL$sse_inc(%rip),%xmm12\n\tmovdqa\t%xmm12,0+96(%rbp)\n\tmovdqa\t%xmm13,0+112(%rbp)\n\tmovdqa\t%xmm14,0+128(%rbp)\n\tmovdqa\t%xmm15,0+144(%rbp)\n\n.p2align\t5\nL$seal_sse_main_rounds:\n\tmovdqa\t%xmm8,0+80(%rbp)\n\tmovdqa\tL$rol16(%rip),%xmm8\n\tpaddd\t%xmm7,%xmm3\n\tpaddd\t%xmm6,%xmm2\n\tpaddd\t%xmm5,%xmm1\n\tpaddd\t%xmm4,%xmm0\n\tpxor\t%xmm3,%xmm15\n\tpxor\t%xmm2,%xmm14\n\tpxor\t%xmm1,%xmm13\n\tpxor\t%xmm0,%xmm12\n.byte\t102,69,15,56,0,248\n.byte\t102,69,15,56,0,240\n.byte\t102,69,15,56,0,232\n.byte\t102,69,15,56,0,224\n\tmovdqa\t0+80(%rbp),%xmm8\n\tpaddd\t%xmm15,%xmm11\n\tpaddd\t%xmm14,%xmm10\n\tpaddd\t%xmm13,%xmm9\n\tpaddd\t%xmm12,%xmm8\n\tpxor\t%xmm11,%xmm7\n\taddq\t0+0(%rdi),%r10\n\tadcq\t8+0(%rdi),%r11\n\tadcq\t$1,%r12\n\tpxor\t%xmm10,%xmm6\n\tpxor\t%xmm9,%xmm5\n\tpxor\t%xmm8,%xmm4\n\tmovdqa\t%xmm8,0+80(%rbp)\n\tmovdqa\t%xmm7,%xmm8\n\tpsrld\t$20,%xmm8\n\tpslld\t$32-20,%xmm7\n\tpxor\t%xmm8,%xmm7\n\tmovdqa\t%xmm6,%xmm8\n\tpsrld\t$20,%xmm8\n\tpslld\t$32-20,%xmm6\n\tpxor\t%xmm8,%xmm6\n\tmovdqa\t%xmm5,%xmm8\n\tpsrld\t$20,%xmm8\n\tpslld\t$32-20,%xmm5\n\tpxor\t%xmm8,%xmm5\n\tmovdqa\t%xmm4,%xmm8\n\tpsrld\t$20,%xmm8\n\tpslld\t$32-20,%xmm4\n\tpxor\t%xmm8,%xmm4\n\tmovq\t0+0+0(%rbp),%rax\n\tmovq\t%rax,%r15\n\tmulq\t%r10\n\tmovq\t%rax,%r13\n\tmovq\t%rdx,%r14\n\tmovq\t0+0+0(%rbp),%rax\n\tmulq\t%r11\n\timulq\t%r12,%r15\n\taddq\t%rax,%r14\n\tadcq\t%rdx,%r15\n\tmovdqa\tL$rol8(%rip),%xmm8\n\tpaddd\t%xmm7,%xmm3\n\tpaddd\t%xmm6,%xmm2\n\tpaddd\t%xmm5,%xmm1\n\tpaddd\t%xmm4,%xmm0\n\tpxor\t%xmm3,%xmm15\n\tpxor\t%xmm2,%xmm14\n\tpxor\t%xmm1,%xmm13\n\tpxor\t%xmm0,%xmm12\n.byte\t102,69,15,56,0,248\n.byte\t102,69,15,56,0,240\n.byte\t102,69,15,56,0,232\n.byte\t102,69,15,56,0,224\n\tmovdqa\t0+80(%rbp),%xmm8\n\tpaddd\t%xmm15,%xmm11\n\tpaddd\t%xmm14,%xmm10\n\tpaddd\t%xmm13,%xmm9\n\tpaddd\t%xmm12,%xmm8\n\tpxor\t%xmm11,%xmm7\n\tpxor\t%xmm10,%xmm6\n\tmovq\t8+0+0(%rbp),%rax\n\tmovq\t%rax,%r9\n\tmulq\t%r10\n\taddq\t%rax,%r14\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r10\n\tmovq\t8+0+0(%rbp),%rax\n\tmulq\t%r11\n\taddq\t%rax,%r15\n\tadcq\t$0,%rdx\n\tpxor\t%xmm9,%xmm5\n\tpxor\t%xmm8,%xmm4\n\tmovdqa\t%xmm8,0+80(%rbp)\n\tmovdqa\t%xmm7,%xmm8\n\tpsrld\t$25,%xmm8\n\tpslld\t$32-25,%xmm7\n\tpxor\t%xmm8,%xmm7\n\tmovdqa\t%xmm6,%xmm8\n\tpsrld\t$25,%xmm8\n\tpslld\t$32-25,%xmm6\n\tpxor\t%xmm8,%xmm6\n\tmovdqa\t%xmm5,%xmm8\n\tpsrld\t$25,%xmm8\n\tpslld\t$32-25,%xmm5\n\tpxor\t%xmm8,%xmm5\n\tmovdqa\t%xmm4,%xmm8\n\tpsrld\t$25,%xmm8\n\tpslld\t$32-25,%xmm4\n\tpxor\t%xmm8,%xmm4\n\tmovdqa\t0+80(%rbp),%xmm8\n\timulq\t%r12,%r9\n\taddq\t%r10,%r15\n\tadcq\t%rdx,%r9\n.byte\t102,15,58,15,255,4\n.byte\t102,69,15,58,15,219,8\n.byte\t102,69,15,58,15,255,12\n.byte\t102,15,58,15,246,4\n.byte\t102,69,15,58,15,210,8\n.byte\t102,69,15,58,15,246,12\n.byte\t102,15,58,15,237,4\n.byte\t102,69,15,58,15,201,8\n.byte\t102,69,15,58,15,237,12\n.byte\t102,15,58,15,228,4\n.byte\t102,69,15,58,15,192,8\n.byte\t102,69,15,58,15,228,12\n\tmovdqa\t%xmm8,0+80(%rbp)\n\tmovdqa\tL$rol16(%rip),%xmm8\n\tpaddd\t%xmm7,%xmm3\n\tpaddd\t%xmm6,%xmm2\n\tpaddd\t%xmm5,%xmm1\n\tpaddd\t%xmm4,%xmm0\n\tpxor\t%xmm3,%xmm15\n\tpxor\t%xmm2,%xmm14\n\tmovq\t%r13,%r10\n\tmovq\t%r14,%r11\n\tmovq\t%r15,%r12\n\tandq\t$3,%r12\n\tmovq\t%r15,%r13\n\tandq\t$-4,%r13\n\tmovq\t%r9,%r14\n\tshrdq\t$2,%r9,%r15\n\tshrq\t$2,%r9\n\taddq\t%r13,%r15\n\tadcq\t%r14,%r9\n\taddq\t%r15,%r10\n\tadcq\t%r9,%r11\n\tadcq\t$0,%r12\n\tpxor\t%xmm1,%xmm13\n\tpxor\t%xmm0,%xmm12\n.byte\t102,69,15,56,0,248\n.byte\t102,69,15,56,0,240\n.byte\t102,69,15,56,0,232\n.byte\t102,69,15,56,0,224\n\tmovdqa\t0+80(%rbp),%xmm8\n\tpaddd\t%xmm15,%xmm11\n\tpaddd\t%xmm14,%xmm10\n\tpaddd\t%xmm13,%xmm9\n\tpaddd\t%xmm12,%xmm8\n\tpxor\t%xmm11,%xmm7\n\tpxor\t%xmm10,%xmm6\n\tpxor\t%xmm9,%xmm5\n\tpxor\t%xmm8,%xmm4\n\tmovdqa\t%xmm8,0+80(%rbp)\n\tmovdqa\t%xmm7,%xmm8\n\tpsrld\t$20,%xmm8\n\tpslld\t$32-20,%xmm7\n\tpxor\t%xmm8,%xmm7\n\tmovdqa\t%xmm6,%xmm8\n\tpsrld\t$20,%xmm8\n\tpslld\t$32-20,%xmm6\n\tpxor\t%xmm8,%xmm6\n\tmovdqa\t%xmm5,%xmm8\n\tpsrld\t$20,%xmm8\n\tpslld\t$32-20,%xmm5\n\tpxor\t%xmm8,%xmm5\n\tmovdqa\t%xmm4,%xmm8\n\tpsrld\t$20,%xmm8\n\tpslld\t$32-20,%xmm4\n\tpxor\t%xmm8,%xmm4\n\tmovdqa\tL$rol8(%rip),%xmm8\n\tpaddd\t%xmm7,%xmm3\n\tpaddd\t%xmm6,%xmm2\n\tpaddd\t%xmm5,%xmm1\n\tpaddd\t%xmm4,%xmm0\n\tpxor\t%xmm3,%xmm15\n\tpxor\t%xmm2,%xmm14\n\tpxor\t%xmm1,%xmm13\n\tpxor\t%xmm0,%xmm12\n.byte\t102,69,15,56,0,248\n.byte\t102,69,15,56,0,240\n.byte\t102,69,15,56,0,232\n.byte\t102,69,15,56,0,224\n\tmovdqa\t0+80(%rbp),%xmm8\n\tpaddd\t%xmm15,%xmm11\n\tpaddd\t%xmm14,%xmm10\n\tpaddd\t%xmm13,%xmm9\n\tpaddd\t%xmm12,%xmm8\n\tpxor\t%xmm11,%xmm7\n\tpxor\t%xmm10,%xmm6\n\tpxor\t%xmm9,%xmm5\n\tpxor\t%xmm8,%xmm4\n\tmovdqa\t%xmm8,0+80(%rbp)\n\tmovdqa\t%xmm7,%xmm8\n\tpsrld\t$25,%xmm8\n\tpslld\t$32-25,%xmm7\n\tpxor\t%xmm8,%xmm7\n\tmovdqa\t%xmm6,%xmm8\n\tpsrld\t$25,%xmm8\n\tpslld\t$32-25,%xmm6\n\tpxor\t%xmm8,%xmm6\n\tmovdqa\t%xmm5,%xmm8\n\tpsrld\t$25,%xmm8\n\tpslld\t$32-25,%xmm5\n\tpxor\t%xmm8,%xmm5\n\tmovdqa\t%xmm4,%xmm8\n\tpsrld\t$25,%xmm8\n\tpslld\t$32-25,%xmm4\n\tpxor\t%xmm8,%xmm4\n\tmovdqa\t0+80(%rbp),%xmm8\n.byte\t102,15,58,15,255,12\n.byte\t102,69,15,58,15,219,8\n.byte\t102,69,15,58,15,255,4\n.byte\t102,15,58,15,246,12\n.byte\t102,69,15,58,15,210,8\n.byte\t102,69,15,58,15,246,4\n.byte\t102,15,58,15,237,12\n.byte\t102,69,15,58,15,201,8\n.byte\t102,69,15,58,15,237,4\n.byte\t102,15,58,15,228,12\n.byte\t102,69,15,58,15,192,8\n.byte\t102,69,15,58,15,228,4\n\n\tleaq\t16(%rdi),%rdi\n\tdecq\t%r8\n\tjge\tL$seal_sse_main_rounds\n\taddq\t0+0(%rdi),%r10\n\tadcq\t8+0(%rdi),%r11\n\tadcq\t$1,%r12\n\tmovq\t0+0+0(%rbp),%rax\n\tmovq\t%rax,%r15\n\tmulq\t%r10\n\tmovq\t%rax,%r13\n\tmovq\t%rdx,%r14\n\tmovq\t0+0+0(%rbp),%rax\n\tmulq\t%r11\n\timulq\t%r12,%r15\n\taddq\t%rax,%r14\n\tadcq\t%rdx,%r15\n\tmovq\t8+0+0(%rbp),%rax\n\tmovq\t%rax,%r9\n\tmulq\t%r10\n\taddq\t%rax,%r14\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r10\n\tmovq\t8+0+0(%rbp),%rax\n\tmulq\t%r11\n\taddq\t%rax,%r15\n\tadcq\t$0,%rdx\n\timulq\t%r12,%r9\n\taddq\t%r10,%r15\n\tadcq\t%rdx,%r9\n\tmovq\t%r13,%r10\n\tmovq\t%r14,%r11\n\tmovq\t%r15,%r12\n\tandq\t$3,%r12\n\tmovq\t%r15,%r13\n\tandq\t$-4,%r13\n\tmovq\t%r9,%r14\n\tshrdq\t$2,%r9,%r15\n\tshrq\t$2,%r9\n\taddq\t%r13,%r15\n\tadcq\t%r14,%r9\n\taddq\t%r15,%r10\n\tadcq\t%r9,%r11\n\tadcq\t$0,%r12\n\n\tleaq\t16(%rdi),%rdi\n\tdecq\t%rcx\n\tjg\tL$seal_sse_main_rounds\n\tpaddd\tL$chacha20_consts(%rip),%xmm3\n\tpaddd\t0+48(%rbp),%xmm7\n\tpaddd\t0+64(%rbp),%xmm11\n\tpaddd\t0+144(%rbp),%xmm15\n\tpaddd\tL$chacha20_consts(%rip),%xmm2\n\tpaddd\t0+48(%rbp),%xmm6\n\tpaddd\t0+64(%rbp),%xmm10\n\tpaddd\t0+128(%rbp),%xmm14\n\tpaddd\tL$chacha20_consts(%rip),%xmm1\n\tpaddd\t0+48(%rbp),%xmm5\n\tpaddd\t0+64(%rbp),%xmm9\n\tpaddd\t0+112(%rbp),%xmm13\n\tpaddd\tL$chacha20_consts(%rip),%xmm0\n\tpaddd\t0+48(%rbp),%xmm4\n\tpaddd\t0+64(%rbp),%xmm8\n\tpaddd\t0+96(%rbp),%xmm12\n\n\tmovdqa\t%xmm14,0+80(%rbp)\n\tmovdqa\t%xmm14,0+80(%rbp)\n\tmovdqu\t0 + 0(%rsi),%xmm14\n\tpxor\t%xmm3,%xmm14\n\tmovdqu\t%xmm14,0 + 0(%rdi)\n\tmovdqu\t16 + 0(%rsi),%xmm14\n\tpxor\t%xmm7,%xmm14\n\tmovdqu\t%xmm14,16 + 0(%rdi)\n\tmovdqu\t32 + 0(%rsi),%xmm14\n\tpxor\t%xmm11,%xmm14\n\tmovdqu\t%xmm14,32 + 0(%rdi)\n\tmovdqu\t48 + 0(%rsi),%xmm14\n\tpxor\t%xmm15,%xmm14\n\tmovdqu\t%xmm14,48 + 0(%rdi)\n\n\tmovdqa\t0+80(%rbp),%xmm14\n\tmovdqu\t0 + 64(%rsi),%xmm3\n\tmovdqu\t16 + 64(%rsi),%xmm7\n\tmovdqu\t32 + 64(%rsi),%xmm11\n\tmovdqu\t48 + 64(%rsi),%xmm15\n\tpxor\t%xmm3,%xmm2\n\tpxor\t%xmm7,%xmm6\n\tpxor\t%xmm11,%xmm10\n\tpxor\t%xmm14,%xmm15\n\tmovdqu\t%xmm2,0 + 64(%rdi)\n\tmovdqu\t%xmm6,16 + 64(%rdi)\n\tmovdqu\t%xmm10,32 + 64(%rdi)\n\tmovdqu\t%xmm15,48 + 64(%rdi)\n\tmovdqu\t0 + 128(%rsi),%xmm3\n\tmovdqu\t16 + 128(%rsi),%xmm7\n\tmovdqu\t32 + 128(%rsi),%xmm11\n\tmovdqu\t48 + 128(%rsi),%xmm15\n\tpxor\t%xmm3,%xmm1\n\tpxor\t%xmm7,%xmm5\n\tpxor\t%xmm11,%xmm9\n\tpxor\t%xmm13,%xmm15\n\tmovdqu\t%xmm1,0 + 128(%rdi)\n\tmovdqu\t%xmm5,16 + 128(%rdi)\n\tmovdqu\t%xmm9,32 + 128(%rdi)\n\tmovdqu\t%xmm15,48 + 128(%rdi)\n\n\tcmpq\t$256,%rbx\n\tja\tL$seal_sse_main_loop_xor\n\n\tmovq\t$192,%rcx\n\tsubq\t$192,%rbx\n\tleaq\t192(%rsi),%rsi\n\tjmp\tL$seal_sse_128_tail_hash\nL$seal_sse_main_loop_xor:\n\tmovdqu\t0 + 192(%rsi),%xmm3\n\tmovdqu\t16 + 192(%rsi),%xmm7\n\tmovdqu\t32 + 192(%rsi),%xmm11\n\tmovdqu\t48 + 192(%rsi),%xmm15\n\tpxor\t%xmm3,%xmm0\n\tpxor\t%xmm7,%xmm4\n\tpxor\t%xmm11,%xmm8\n\tpxor\t%xmm12,%xmm15\n\tmovdqu\t%xmm0,0 + 192(%rdi)\n\tmovdqu\t%xmm4,16 + 192(%rdi)\n\tmovdqu\t%xmm8,32 + 192(%rdi)\n\tmovdqu\t%xmm15,48 + 192(%rdi)\n\n\tleaq\t256(%rsi),%rsi\n\tsubq\t$256,%rbx\n\tmovq\t$6,%rcx\n\tmovq\t$4,%r8\n\tcmpq\t$192,%rbx\n\tjg\tL$seal_sse_main_loop\n\tmovq\t%rbx,%rcx\n\ttestq\t%rbx,%rbx\n\tje\tL$seal_sse_128_tail_hash\n\tmovq\t$6,%rcx\n\tcmpq\t$128,%rbx\n\tja\tL$seal_sse_tail_192\n\tcmpq\t$64,%rbx\n\tja\tL$seal_sse_tail_128\n\nL$seal_sse_tail_64:\n\tmovdqa\tL$chacha20_consts(%rip),%xmm0\n\tmovdqa\t0+48(%rbp),%xmm4\n\tmovdqa\t0+64(%rbp),%xmm8\n\tmovdqa\t0+96(%rbp),%xmm12\n\tpaddd\tL$sse_inc(%rip),%xmm12\n\tmovdqa\t%xmm12,0+96(%rbp)\n\nL$seal_sse_tail_64_rounds_and_x2hash:\n\taddq\t0+0(%rdi),%r10\n\tadcq\t8+0(%rdi),%r11\n\tadcq\t$1,%r12\n\tmovq\t0+0+0(%rbp),%rax\n\tmovq\t%rax,%r15\n\tmulq\t%r10\n\tmovq\t%rax,%r13\n\tmovq\t%rdx,%r14\n\tmovq\t0+0+0(%rbp),%rax\n\tmulq\t%r11\n\timulq\t%r12,%r15\n\taddq\t%rax,%r14\n\tadcq\t%rdx,%r15\n\tmovq\t8+0+0(%rbp),%rax\n\tmovq\t%rax,%r9\n\tmulq\t%r10\n\taddq\t%rax,%r14\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r10\n\tmovq\t8+0+0(%rbp),%rax\n\tmulq\t%r11\n\taddq\t%rax,%r15\n\tadcq\t$0,%rdx\n\timulq\t%r12,%r9\n\taddq\t%r10,%r15\n\tadcq\t%rdx,%r9\n\tmovq\t%r13,%r10\n\tmovq\t%r14,%r11\n\tmovq\t%r15,%r12\n\tandq\t$3,%r12\n\tmovq\t%r15,%r13\n\tandq\t$-4,%r13\n\tmovq\t%r9,%r14\n\tshrdq\t$2,%r9,%r15\n\tshrq\t$2,%r9\n\taddq\t%r13,%r15\n\tadcq\t%r14,%r9\n\taddq\t%r15,%r10\n\tadcq\t%r9,%r11\n\tadcq\t$0,%r12\n\n\tleaq\t16(%rdi),%rdi\nL$seal_sse_tail_64_rounds_and_x1hash:\n\tpaddd\t%xmm4,%xmm0\n\tpxor\t%xmm0,%xmm12\n\tpshufb\tL$rol16(%rip),%xmm12\n\tpaddd\t%xmm12,%xmm8\n\tpxor\t%xmm8,%xmm4\n\tmovdqa\t%xmm4,%xmm3\n\tpslld\t$12,%xmm3\n\tpsrld\t$20,%xmm4\n\tpxor\t%xmm3,%xmm4\n\tpaddd\t%xmm4,%xmm0\n\tpxor\t%xmm0,%xmm12\n\tpshufb\tL$rol8(%rip),%xmm12\n\tpaddd\t%xmm12,%xmm8\n\tpxor\t%xmm8,%xmm4\n\tmovdqa\t%xmm4,%xmm3\n\tpslld\t$7,%xmm3\n\tpsrld\t$25,%xmm4\n\tpxor\t%xmm3,%xmm4\n.byte\t102,15,58,15,228,4\n.byte\t102,69,15,58,15,192,8\n.byte\t102,69,15,58,15,228,12\n\tpaddd\t%xmm4,%xmm0\n\tpxor\t%xmm0,%xmm12\n\tpshufb\tL$rol16(%rip),%xmm12\n\tpaddd\t%xmm12,%xmm8\n\tpxor\t%xmm8,%xmm4\n\tmovdqa\t%xmm4,%xmm3\n\tpslld\t$12,%xmm3\n\tpsrld\t$20,%xmm4\n\tpxor\t%xmm3,%xmm4\n\tpaddd\t%xmm4,%xmm0\n\tpxor\t%xmm0,%xmm12\n\tpshufb\tL$rol8(%rip),%xmm12\n\tpaddd\t%xmm12,%xmm8\n\tpxor\t%xmm8,%xmm4\n\tmovdqa\t%xmm4,%xmm3\n\tpslld\t$7,%xmm3\n\tpsrld\t$25,%xmm4\n\tpxor\t%xmm3,%xmm4\n.byte\t102,15,58,15,228,12\n.byte\t102,69,15,58,15,192,8\n.byte\t102,69,15,58,15,228,4\n\taddq\t0+0(%rdi),%r10\n\tadcq\t8+0(%rdi),%r11\n\tadcq\t$1,%r12\n\tmovq\t0+0+0(%rbp),%rax\n\tmovq\t%rax,%r15\n\tmulq\t%r10\n\tmovq\t%rax,%r13\n\tmovq\t%rdx,%r14\n\tmovq\t0+0+0(%rbp),%rax\n\tmulq\t%r11\n\timulq\t%r12,%r15\n\taddq\t%rax,%r14\n\tadcq\t%rdx,%r15\n\tmovq\t8+0+0(%rbp),%rax\n\tmovq\t%rax,%r9\n\tmulq\t%r10\n\taddq\t%rax,%r14\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r10\n\tmovq\t8+0+0(%rbp),%rax\n\tmulq\t%r11\n\taddq\t%rax,%r15\n\tadcq\t$0,%rdx\n\timulq\t%r12,%r9\n\taddq\t%r10,%r15\n\tadcq\t%rdx,%r9\n\tmovq\t%r13,%r10\n\tmovq\t%r14,%r11\n\tmovq\t%r15,%r12\n\tandq\t$3,%r12\n\tmovq\t%r15,%r13\n\tandq\t$-4,%r13\n\tmovq\t%r9,%r14\n\tshrdq\t$2,%r9,%r15\n\tshrq\t$2,%r9\n\taddq\t%r13,%r15\n\tadcq\t%r14,%r9\n\taddq\t%r15,%r10\n\tadcq\t%r9,%r11\n\tadcq\t$0,%r12\n\n\tleaq\t16(%rdi),%rdi\n\tdecq\t%rcx\n\tjg\tL$seal_sse_tail_64_rounds_and_x2hash\n\tdecq\t%r8\n\tjge\tL$seal_sse_tail_64_rounds_and_x1hash\n\tpaddd\tL$chacha20_consts(%rip),%xmm0\n\tpaddd\t0+48(%rbp),%xmm4\n\tpaddd\t0+64(%rbp),%xmm8\n\tpaddd\t0+96(%rbp),%xmm12\n\n\tjmp\tL$seal_sse_128_tail_xor\n\nL$seal_sse_tail_128:\n\tmovdqa\tL$chacha20_consts(%rip),%xmm0\n\tmovdqa\t0+48(%rbp),%xmm4\n\tmovdqa\t0+64(%rbp),%xmm8\n\tmovdqa\t%xmm0,%xmm1\n\tmovdqa\t%xmm4,%xmm5\n\tmovdqa\t%xmm8,%xmm9\n\tmovdqa\t0+96(%rbp),%xmm13\n\tpaddd\tL$sse_inc(%rip),%xmm13\n\tmovdqa\t%xmm13,%xmm12\n\tpaddd\tL$sse_inc(%rip),%xmm12\n\tmovdqa\t%xmm12,0+96(%rbp)\n\tmovdqa\t%xmm13,0+112(%rbp)\n\nL$seal_sse_tail_128_rounds_and_x2hash:\n\taddq\t0+0(%rdi),%r10\n\tadcq\t8+0(%rdi),%r11\n\tadcq\t$1,%r12\n\tmovq\t0+0+0(%rbp),%rax\n\tmovq\t%rax,%r15\n\tmulq\t%r10\n\tmovq\t%rax,%r13\n\tmovq\t%rdx,%r14\n\tmovq\t0+0+0(%rbp),%rax\n\tmulq\t%r11\n\timulq\t%r12,%r15\n\taddq\t%rax,%r14\n\tadcq\t%rdx,%r15\n\tmovq\t8+0+0(%rbp),%rax\n\tmovq\t%rax,%r9\n\tmulq\t%r10\n\taddq\t%rax,%r14\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r10\n\tmovq\t8+0+0(%rbp),%rax\n\tmulq\t%r11\n\taddq\t%rax,%r15\n\tadcq\t$0,%rdx\n\timulq\t%r12,%r9\n\taddq\t%r10,%r15\n\tadcq\t%rdx,%r9\n\tmovq\t%r13,%r10\n\tmovq\t%r14,%r11\n\tmovq\t%r15,%r12\n\tandq\t$3,%r12\n\tmovq\t%r15,%r13\n\tandq\t$-4,%r13\n\tmovq\t%r9,%r14\n\tshrdq\t$2,%r9,%r15\n\tshrq\t$2,%r9\n\taddq\t%r13,%r15\n\tadcq\t%r14,%r9\n\taddq\t%r15,%r10\n\tadcq\t%r9,%r11\n\tadcq\t$0,%r12\n\n\tleaq\t16(%rdi),%rdi\nL$seal_sse_tail_128_rounds_and_x1hash:\n\tpaddd\t%xmm4,%xmm0\n\tpxor\t%xmm0,%xmm12\n\tpshufb\tL$rol16(%rip),%xmm12\n\tpaddd\t%xmm12,%xmm8\n\tpxor\t%xmm8,%xmm4\n\tmovdqa\t%xmm4,%xmm3\n\tpslld\t$12,%xmm3\n\tpsrld\t$20,%xmm4\n\tpxor\t%xmm3,%xmm4\n\tpaddd\t%xmm4,%xmm0\n\tpxor\t%xmm0,%xmm12\n\tpshufb\tL$rol8(%rip),%xmm12\n\tpaddd\t%xmm12,%xmm8\n\tpxor\t%xmm8,%xmm4\n\tmovdqa\t%xmm4,%xmm3\n\tpslld\t$7,%xmm3\n\tpsrld\t$25,%xmm4\n\tpxor\t%xmm3,%xmm4\n.byte\t102,15,58,15,228,4\n.byte\t102,69,15,58,15,192,8\n.byte\t102,69,15,58,15,228,12\n\tpaddd\t%xmm5,%xmm1\n\tpxor\t%xmm1,%xmm13\n\tpshufb\tL$rol16(%rip),%xmm13\n\tpaddd\t%xmm13,%xmm9\n\tpxor\t%xmm9,%xmm5\n\tmovdqa\t%xmm5,%xmm3\n\tpslld\t$12,%xmm3\n\tpsrld\t$20,%xmm5\n\tpxor\t%xmm3,%xmm5\n\tpaddd\t%xmm5,%xmm1\n\tpxor\t%xmm1,%xmm13\n\tpshufb\tL$rol8(%rip),%xmm13\n\tpaddd\t%xmm13,%xmm9\n\tpxor\t%xmm9,%xmm5\n\tmovdqa\t%xmm5,%xmm3\n\tpslld\t$7,%xmm3\n\tpsrld\t$25,%xmm5\n\tpxor\t%xmm3,%xmm5\n.byte\t102,15,58,15,237,4\n.byte\t102,69,15,58,15,201,8\n.byte\t102,69,15,58,15,237,12\n\taddq\t0+0(%rdi),%r10\n\tadcq\t8+0(%rdi),%r11\n\tadcq\t$1,%r12\n\tmovq\t0+0+0(%rbp),%rax\n\tmovq\t%rax,%r15\n\tmulq\t%r10\n\tmovq\t%rax,%r13\n\tmovq\t%rdx,%r14\n\tmovq\t0+0+0(%rbp),%rax\n\tmulq\t%r11\n\timulq\t%r12,%r15\n\taddq\t%rax,%r14\n\tadcq\t%rdx,%r15\n\tmovq\t8+0+0(%rbp),%rax\n\tmovq\t%rax,%r9\n\tmulq\t%r10\n\taddq\t%rax,%r14\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r10\n\tmovq\t8+0+0(%rbp),%rax\n\tmulq\t%r11\n\taddq\t%rax,%r15\n\tadcq\t$0,%rdx\n\timulq\t%r12,%r9\n\taddq\t%r10,%r15\n\tadcq\t%rdx,%r9\n\tmovq\t%r13,%r10\n\tmovq\t%r14,%r11\n\tmovq\t%r15,%r12\n\tandq\t$3,%r12\n\tmovq\t%r15,%r13\n\tandq\t$-4,%r13\n\tmovq\t%r9,%r14\n\tshrdq\t$2,%r9,%r15\n\tshrq\t$2,%r9\n\taddq\t%r13,%r15\n\tadcq\t%r14,%r9\n\taddq\t%r15,%r10\n\tadcq\t%r9,%r11\n\tadcq\t$0,%r12\n\tpaddd\t%xmm4,%xmm0\n\tpxor\t%xmm0,%xmm12\n\tpshufb\tL$rol16(%rip),%xmm12\n\tpaddd\t%xmm12,%xmm8\n\tpxor\t%xmm8,%xmm4\n\tmovdqa\t%xmm4,%xmm3\n\tpslld\t$12,%xmm3\n\tpsrld\t$20,%xmm4\n\tpxor\t%xmm3,%xmm4\n\tpaddd\t%xmm4,%xmm0\n\tpxor\t%xmm0,%xmm12\n\tpshufb\tL$rol8(%rip),%xmm12\n\tpaddd\t%xmm12,%xmm8\n\tpxor\t%xmm8,%xmm4\n\tmovdqa\t%xmm4,%xmm3\n\tpslld\t$7,%xmm3\n\tpsrld\t$25,%xmm4\n\tpxor\t%xmm3,%xmm4\n.byte\t102,15,58,15,228,12\n.byte\t102,69,15,58,15,192,8\n.byte\t102,69,15,58,15,228,4\n\tpaddd\t%xmm5,%xmm1\n\tpxor\t%xmm1,%xmm13\n\tpshufb\tL$rol16(%rip),%xmm13\n\tpaddd\t%xmm13,%xmm9\n\tpxor\t%xmm9,%xmm5\n\tmovdqa\t%xmm5,%xmm3\n\tpslld\t$12,%xmm3\n\tpsrld\t$20,%xmm5\n\tpxor\t%xmm3,%xmm5\n\tpaddd\t%xmm5,%xmm1\n\tpxor\t%xmm1,%xmm13\n\tpshufb\tL$rol8(%rip),%xmm13\n\tpaddd\t%xmm13,%xmm9\n\tpxor\t%xmm9,%xmm5\n\tmovdqa\t%xmm5,%xmm3\n\tpslld\t$7,%xmm3\n\tpsrld\t$25,%xmm5\n\tpxor\t%xmm3,%xmm5\n.byte\t102,15,58,15,237,12\n.byte\t102,69,15,58,15,201,8\n.byte\t102,69,15,58,15,237,4\n\n\tleaq\t16(%rdi),%rdi\n\tdecq\t%rcx\n\tjg\tL$seal_sse_tail_128_rounds_and_x2hash\n\tdecq\t%r8\n\tjge\tL$seal_sse_tail_128_rounds_and_x1hash\n\tpaddd\tL$chacha20_consts(%rip),%xmm1\n\tpaddd\t0+48(%rbp),%xmm5\n\tpaddd\t0+64(%rbp),%xmm9\n\tpaddd\t0+112(%rbp),%xmm13\n\tpaddd\tL$chacha20_consts(%rip),%xmm0\n\tpaddd\t0+48(%rbp),%xmm4\n\tpaddd\t0+64(%rbp),%xmm8\n\tpaddd\t0+96(%rbp),%xmm12\n\tmovdqu\t0 + 0(%rsi),%xmm3\n\tmovdqu\t16 + 0(%rsi),%xmm7\n\tmovdqu\t32 + 0(%rsi),%xmm11\n\tmovdqu\t48 + 0(%rsi),%xmm15\n\tpxor\t%xmm3,%xmm1\n\tpxor\t%xmm7,%xmm5\n\tpxor\t%xmm11,%xmm9\n\tpxor\t%xmm13,%xmm15\n\tmovdqu\t%xmm1,0 + 0(%rdi)\n\tmovdqu\t%xmm5,16 + 0(%rdi)\n\tmovdqu\t%xmm9,32 + 0(%rdi)\n\tmovdqu\t%xmm15,48 + 0(%rdi)\n\n\tmovq\t$64,%rcx\n\tsubq\t$64,%rbx\n\tleaq\t64(%rsi),%rsi\n\tjmp\tL$seal_sse_128_tail_hash\n\nL$seal_sse_tail_192:\n\tmovdqa\tL$chacha20_consts(%rip),%xmm0\n\tmovdqa\t0+48(%rbp),%xmm4\n\tmovdqa\t0+64(%rbp),%xmm8\n\tmovdqa\t%xmm0,%xmm1\n\tmovdqa\t%xmm4,%xmm5\n\tmovdqa\t%xmm8,%xmm9\n\tmovdqa\t%xmm0,%xmm2\n\tmovdqa\t%xmm4,%xmm6\n\tmovdqa\t%xmm8,%xmm10\n\tmovdqa\t0+96(%rbp),%xmm14\n\tpaddd\tL$sse_inc(%rip),%xmm14\n\tmovdqa\t%xmm14,%xmm13\n\tpaddd\tL$sse_inc(%rip),%xmm13\n\tmovdqa\t%xmm13,%xmm12\n\tpaddd\tL$sse_inc(%rip),%xmm12\n\tmovdqa\t%xmm12,0+96(%rbp)\n\tmovdqa\t%xmm13,0+112(%rbp)\n\tmovdqa\t%xmm14,0+128(%rbp)\n\nL$seal_sse_tail_192_rounds_and_x2hash:\n\taddq\t0+0(%rdi),%r10\n\tadcq\t8+0(%rdi),%r11\n\tadcq\t$1,%r12\n\tmovq\t0+0+0(%rbp),%rax\n\tmovq\t%rax,%r15\n\tmulq\t%r10\n\tmovq\t%rax,%r13\n\tmovq\t%rdx,%r14\n\tmovq\t0+0+0(%rbp),%rax\n\tmulq\t%r11\n\timulq\t%r12,%r15\n\taddq\t%rax,%r14\n\tadcq\t%rdx,%r15\n\tmovq\t8+0+0(%rbp),%rax\n\tmovq\t%rax,%r9\n\tmulq\t%r10\n\taddq\t%rax,%r14\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r10\n\tmovq\t8+0+0(%rbp),%rax\n\tmulq\t%r11\n\taddq\t%rax,%r15\n\tadcq\t$0,%rdx\n\timulq\t%r12,%r9\n\taddq\t%r10,%r15\n\tadcq\t%rdx,%r9\n\tmovq\t%r13,%r10\n\tmovq\t%r14,%r11\n\tmovq\t%r15,%r12\n\tandq\t$3,%r12\n\tmovq\t%r15,%r13\n\tandq\t$-4,%r13\n\tmovq\t%r9,%r14\n\tshrdq\t$2,%r9,%r15\n\tshrq\t$2,%r9\n\taddq\t%r13,%r15\n\tadcq\t%r14,%r9\n\taddq\t%r15,%r10\n\tadcq\t%r9,%r11\n\tadcq\t$0,%r12\n\n\tleaq\t16(%rdi),%rdi\nL$seal_sse_tail_192_rounds_and_x1hash:\n\tpaddd\t%xmm4,%xmm0\n\tpxor\t%xmm0,%xmm12\n\tpshufb\tL$rol16(%rip),%xmm12\n\tpaddd\t%xmm12,%xmm8\n\tpxor\t%xmm8,%xmm4\n\tmovdqa\t%xmm4,%xmm3\n\tpslld\t$12,%xmm3\n\tpsrld\t$20,%xmm4\n\tpxor\t%xmm3,%xmm4\n\tpaddd\t%xmm4,%xmm0\n\tpxor\t%xmm0,%xmm12\n\tpshufb\tL$rol8(%rip),%xmm12\n\tpaddd\t%xmm12,%xmm8\n\tpxor\t%xmm8,%xmm4\n\tmovdqa\t%xmm4,%xmm3\n\tpslld\t$7,%xmm3\n\tpsrld\t$25,%xmm4\n\tpxor\t%xmm3,%xmm4\n.byte\t102,15,58,15,228,4\n.byte\t102,69,15,58,15,192,8\n.byte\t102,69,15,58,15,228,12\n\tpaddd\t%xmm5,%xmm1\n\tpxor\t%xmm1,%xmm13\n\tpshufb\tL$rol16(%rip),%xmm13\n\tpaddd\t%xmm13,%xmm9\n\tpxor\t%xmm9,%xmm5\n\tmovdqa\t%xmm5,%xmm3\n\tpslld\t$12,%xmm3\n\tpsrld\t$20,%xmm5\n\tpxor\t%xmm3,%xmm5\n\tpaddd\t%xmm5,%xmm1\n\tpxor\t%xmm1,%xmm13\n\tpshufb\tL$rol8(%rip),%xmm13\n\tpaddd\t%xmm13,%xmm9\n\tpxor\t%xmm9,%xmm5\n\tmovdqa\t%xmm5,%xmm3\n\tpslld\t$7,%xmm3\n\tpsrld\t$25,%xmm5\n\tpxor\t%xmm3,%xmm5\n.byte\t102,15,58,15,237,4\n.byte\t102,69,15,58,15,201,8\n.byte\t102,69,15,58,15,237,12\n\tpaddd\t%xmm6,%xmm2\n\tpxor\t%xmm2,%xmm14\n\tpshufb\tL$rol16(%rip),%xmm14\n\tpaddd\t%xmm14,%xmm10\n\tpxor\t%xmm10,%xmm6\n\tmovdqa\t%xmm6,%xmm3\n\tpslld\t$12,%xmm3\n\tpsrld\t$20,%xmm6\n\tpxor\t%xmm3,%xmm6\n\tpaddd\t%xmm6,%xmm2\n\tpxor\t%xmm2,%xmm14\n\tpshufb\tL$rol8(%rip),%xmm14\n\tpaddd\t%xmm14,%xmm10\n\tpxor\t%xmm10,%xmm6\n\tmovdqa\t%xmm6,%xmm3\n\tpslld\t$7,%xmm3\n\tpsrld\t$25,%xmm6\n\tpxor\t%xmm3,%xmm6\n.byte\t102,15,58,15,246,4\n.byte\t102,69,15,58,15,210,8\n.byte\t102,69,15,58,15,246,12\n\taddq\t0+0(%rdi),%r10\n\tadcq\t8+0(%rdi),%r11\n\tadcq\t$1,%r12\n\tmovq\t0+0+0(%rbp),%rax\n\tmovq\t%rax,%r15\n\tmulq\t%r10\n\tmovq\t%rax,%r13\n\tmovq\t%rdx,%r14\n\tmovq\t0+0+0(%rbp),%rax\n\tmulq\t%r11\n\timulq\t%r12,%r15\n\taddq\t%rax,%r14\n\tadcq\t%rdx,%r15\n\tmovq\t8+0+0(%rbp),%rax\n\tmovq\t%rax,%r9\n\tmulq\t%r10\n\taddq\t%rax,%r14\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r10\n\tmovq\t8+0+0(%rbp),%rax\n\tmulq\t%r11\n\taddq\t%rax,%r15\n\tadcq\t$0,%rdx\n\timulq\t%r12,%r9\n\taddq\t%r10,%r15\n\tadcq\t%rdx,%r9\n\tmovq\t%r13,%r10\n\tmovq\t%r14,%r11\n\tmovq\t%r15,%r12\n\tandq\t$3,%r12\n\tmovq\t%r15,%r13\n\tandq\t$-4,%r13\n\tmovq\t%r9,%r14\n\tshrdq\t$2,%r9,%r15\n\tshrq\t$2,%r9\n\taddq\t%r13,%r15\n\tadcq\t%r14,%r9\n\taddq\t%r15,%r10\n\tadcq\t%r9,%r11\n\tadcq\t$0,%r12\n\tpaddd\t%xmm4,%xmm0\n\tpxor\t%xmm0,%xmm12\n\tpshufb\tL$rol16(%rip),%xmm12\n\tpaddd\t%xmm12,%xmm8\n\tpxor\t%xmm8,%xmm4\n\tmovdqa\t%xmm4,%xmm3\n\tpslld\t$12,%xmm3\n\tpsrld\t$20,%xmm4\n\tpxor\t%xmm3,%xmm4\n\tpaddd\t%xmm4,%xmm0\n\tpxor\t%xmm0,%xmm12\n\tpshufb\tL$rol8(%rip),%xmm12\n\tpaddd\t%xmm12,%xmm8\n\tpxor\t%xmm8,%xmm4\n\tmovdqa\t%xmm4,%xmm3\n\tpslld\t$7,%xmm3\n\tpsrld\t$25,%xmm4\n\tpxor\t%xmm3,%xmm4\n.byte\t102,15,58,15,228,12\n.byte\t102,69,15,58,15,192,8\n.byte\t102,69,15,58,15,228,4\n\tpaddd\t%xmm5,%xmm1\n\tpxor\t%xmm1,%xmm13\n\tpshufb\tL$rol16(%rip),%xmm13\n\tpaddd\t%xmm13,%xmm9\n\tpxor\t%xmm9,%xmm5\n\tmovdqa\t%xmm5,%xmm3\n\tpslld\t$12,%xmm3\n\tpsrld\t$20,%xmm5\n\tpxor\t%xmm3,%xmm5\n\tpaddd\t%xmm5,%xmm1\n\tpxor\t%xmm1,%xmm13\n\tpshufb\tL$rol8(%rip),%xmm13\n\tpaddd\t%xmm13,%xmm9\n\tpxor\t%xmm9,%xmm5\n\tmovdqa\t%xmm5,%xmm3\n\tpslld\t$7,%xmm3\n\tpsrld\t$25,%xmm5\n\tpxor\t%xmm3,%xmm5\n.byte\t102,15,58,15,237,12\n.byte\t102,69,15,58,15,201,8\n.byte\t102,69,15,58,15,237,4\n\tpaddd\t%xmm6,%xmm2\n\tpxor\t%xmm2,%xmm14\n\tpshufb\tL$rol16(%rip),%xmm14\n\tpaddd\t%xmm14,%xmm10\n\tpxor\t%xmm10,%xmm6\n\tmovdqa\t%xmm6,%xmm3\n\tpslld\t$12,%xmm3\n\tpsrld\t$20,%xmm6\n\tpxor\t%xmm3,%xmm6\n\tpaddd\t%xmm6,%xmm2\n\tpxor\t%xmm2,%xmm14\n\tpshufb\tL$rol8(%rip),%xmm14\n\tpaddd\t%xmm14,%xmm10\n\tpxor\t%xmm10,%xmm6\n\tmovdqa\t%xmm6,%xmm3\n\tpslld\t$7,%xmm3\n\tpsrld\t$25,%xmm6\n\tpxor\t%xmm3,%xmm6\n.byte\t102,15,58,15,246,12\n.byte\t102,69,15,58,15,210,8\n.byte\t102,69,15,58,15,246,4\n\n\tleaq\t16(%rdi),%rdi\n\tdecq\t%rcx\n\tjg\tL$seal_sse_tail_192_rounds_and_x2hash\n\tdecq\t%r8\n\tjge\tL$seal_sse_tail_192_rounds_and_x1hash\n\tpaddd\tL$chacha20_consts(%rip),%xmm2\n\tpaddd\t0+48(%rbp),%xmm6\n\tpaddd\t0+64(%rbp),%xmm10\n\tpaddd\t0+128(%rbp),%xmm14\n\tpaddd\tL$chacha20_consts(%rip),%xmm1\n\tpaddd\t0+48(%rbp),%xmm5\n\tpaddd\t0+64(%rbp),%xmm9\n\tpaddd\t0+112(%rbp),%xmm13\n\tpaddd\tL$chacha20_consts(%rip),%xmm0\n\tpaddd\t0+48(%rbp),%xmm4\n\tpaddd\t0+64(%rbp),%xmm8\n\tpaddd\t0+96(%rbp),%xmm12\n\tmovdqu\t0 + 0(%rsi),%xmm3\n\tmovdqu\t16 + 0(%rsi),%xmm7\n\tmovdqu\t32 + 0(%rsi),%xmm11\n\tmovdqu\t48 + 0(%rsi),%xmm15\n\tpxor\t%xmm3,%xmm2\n\tpxor\t%xmm7,%xmm6\n\tpxor\t%xmm11,%xmm10\n\tpxor\t%xmm14,%xmm15\n\tmovdqu\t%xmm2,0 + 0(%rdi)\n\tmovdqu\t%xmm6,16 + 0(%rdi)\n\tmovdqu\t%xmm10,32 + 0(%rdi)\n\tmovdqu\t%xmm15,48 + 0(%rdi)\n\tmovdqu\t0 + 64(%rsi),%xmm3\n\tmovdqu\t16 + 64(%rsi),%xmm7\n\tmovdqu\t32 + 64(%rsi),%xmm11\n\tmovdqu\t48 + 64(%rsi),%xmm15\n\tpxor\t%xmm3,%xmm1\n\tpxor\t%xmm7,%xmm5\n\tpxor\t%xmm11,%xmm9\n\tpxor\t%xmm13,%xmm15\n\tmovdqu\t%xmm1,0 + 64(%rdi)\n\tmovdqu\t%xmm5,16 + 64(%rdi)\n\tmovdqu\t%xmm9,32 + 64(%rdi)\n\tmovdqu\t%xmm15,48 + 64(%rdi)\n\n\tmovq\t$128,%rcx\n\tsubq\t$128,%rbx\n\tleaq\t128(%rsi),%rsi\n\nL$seal_sse_128_tail_hash:\n\tcmpq\t$16,%rcx\n\tjb\tL$seal_sse_128_tail_xor\n\taddq\t0+0(%rdi),%r10\n\tadcq\t8+0(%rdi),%r11\n\tadcq\t$1,%r12\n\tmovq\t0+0+0(%rbp),%rax\n\tmovq\t%rax,%r15\n\tmulq\t%r10\n\tmovq\t%rax,%r13\n\tmovq\t%rdx,%r14\n\tmovq\t0+0+0(%rbp),%rax\n\tmulq\t%r11\n\timulq\t%r12,%r15\n\taddq\t%rax,%r14\n\tadcq\t%rdx,%r15\n\tmovq\t8+0+0(%rbp),%rax\n\tmovq\t%rax,%r9\n\tmulq\t%r10\n\taddq\t%rax,%r14\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r10\n\tmovq\t8+0+0(%rbp),%rax\n\tmulq\t%r11\n\taddq\t%rax,%r15\n\tadcq\t$0,%rdx\n\timulq\t%r12,%r9\n\taddq\t%r10,%r15\n\tadcq\t%rdx,%r9\n\tmovq\t%r13,%r10\n\tmovq\t%r14,%r11\n\tmovq\t%r15,%r12\n\tandq\t$3,%r12\n\tmovq\t%r15,%r13\n\tandq\t$-4,%r13\n\tmovq\t%r9,%r14\n\tshrdq\t$2,%r9,%r15\n\tshrq\t$2,%r9\n\taddq\t%r13,%r15\n\tadcq\t%r14,%r9\n\taddq\t%r15,%r10\n\tadcq\t%r9,%r11\n\tadcq\t$0,%r12\n\n\tsubq\t$16,%rcx\n\tleaq\t16(%rdi),%rdi\n\tjmp\tL$seal_sse_128_tail_hash\n\nL$seal_sse_128_tail_xor:\n\tcmpq\t$16,%rbx\n\tjb\tL$seal_sse_tail_16\n\tsubq\t$16,%rbx\n\n\tmovdqu\t0(%rsi),%xmm3\n\tpxor\t%xmm3,%xmm0\n\tmovdqu\t%xmm0,0(%rdi)\n\n\taddq\t0(%rdi),%r10\n\tadcq\t8(%rdi),%r11\n\tadcq\t$1,%r12\n\tleaq\t16(%rsi),%rsi\n\tleaq\t16(%rdi),%rdi\n\tmovq\t0+0+0(%rbp),%rax\n\tmovq\t%rax,%r15\n\tmulq\t%r10\n\tmovq\t%rax,%r13\n\tmovq\t%rdx,%r14\n\tmovq\t0+0+0(%rbp),%rax\n\tmulq\t%r11\n\timulq\t%r12,%r15\n\taddq\t%rax,%r14\n\tadcq\t%rdx,%r15\n\tmovq\t8+0+0(%rbp),%rax\n\tmovq\t%rax,%r9\n\tmulq\t%r10\n\taddq\t%rax,%r14\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r10\n\tmovq\t8+0+0(%rbp),%rax\n\tmulq\t%r11\n\taddq\t%rax,%r15\n\tadcq\t$0,%rdx\n\timulq\t%r12,%r9\n\taddq\t%r10,%r15\n\tadcq\t%rdx,%r9\n\tmovq\t%r13,%r10\n\tmovq\t%r14,%r11\n\tmovq\t%r15,%r12\n\tandq\t$3,%r12\n\tmovq\t%r15,%r13\n\tandq\t$-4,%r13\n\tmovq\t%r9,%r14\n\tshrdq\t$2,%r9,%r15\n\tshrq\t$2,%r9\n\taddq\t%r13,%r15\n\tadcq\t%r14,%r9\n\taddq\t%r15,%r10\n\tadcq\t%r9,%r11\n\tadcq\t$0,%r12\n\n\n\tmovdqa\t%xmm4,%xmm0\n\tmovdqa\t%xmm8,%xmm4\n\tmovdqa\t%xmm12,%xmm8\n\tmovdqa\t%xmm1,%xmm12\n\tmovdqa\t%xmm5,%xmm1\n\tmovdqa\t%xmm9,%xmm5\n\tmovdqa\t%xmm13,%xmm9\n\tjmp\tL$seal_sse_128_tail_xor\n\nL$seal_sse_tail_16:\n\ttestq\t%rbx,%rbx\n\tjz\tL$process_blocks_of_extra_in\n\n\tmovq\t%rbx,%r8\n\tmovq\t%rbx,%rcx\n\tleaq\t-1(%rsi,%rbx,1),%rsi\n\tpxor\t%xmm15,%xmm15\nL$seal_sse_tail_16_compose:\n\tpslldq\t$1,%xmm15\n\tpinsrb\t$0,(%rsi),%xmm15\n\tleaq\t-1(%rsi),%rsi\n\tdecq\t%rcx\n\tjne\tL$seal_sse_tail_16_compose\n\n\n\tpxor\t%xmm0,%xmm15\n\n\n\tmovq\t%rbx,%rcx\n\tmovdqu\t%xmm15,%xmm0\nL$seal_sse_tail_16_extract:\n\tpextrb\t$0,%xmm0,(%rdi)\n\tpsrldq\t$1,%xmm0\n\taddq\t$1,%rdi\n\tsubq\t$1,%rcx\n\tjnz\tL$seal_sse_tail_16_extract\n\n\n\n\n\n\n\n\n\tmovq\t288 + 0 + 32(%rsp),%r9\n\tmovq\t56(%r9),%r14\n\tmovq\t48(%r9),%r13\n\ttestq\t%r14,%r14\n\tjz\tL$process_partial_block\n\n\tmovq\t$16,%r15\n\tsubq\t%rbx,%r15\n\tcmpq\t%r15,%r14\n\n\tjge\tL$load_extra_in\n\tmovq\t%r14,%r15\n\nL$load_extra_in:\n\n\n\tleaq\t-1(%r13,%r15,1),%rsi\n\n\n\taddq\t%r15,%r13\n\tsubq\t%r15,%r14\n\tmovq\t%r13,48(%r9)\n\tmovq\t%r14,56(%r9)\n\n\n\n\taddq\t%r15,%r8\n\n\n\tpxor\t%xmm11,%xmm11\nL$load_extra_load_loop:\n\tpslldq\t$1,%xmm11\n\tpinsrb\t$0,(%rsi),%xmm11\n\tleaq\t-1(%rsi),%rsi\n\tsubq\t$1,%r15\n\tjnz\tL$load_extra_load_loop\n\n\n\n\n\tmovq\t%rbx,%r15\n\nL$load_extra_shift_loop:\n\tpslldq\t$1,%xmm11\n\tsubq\t$1,%r15\n\tjnz\tL$load_extra_shift_loop\n\n\n\n\n\tleaq\tL$and_masks(%rip),%r15\n\tshlq\t$4,%rbx\n\tpand\t-16(%r15,%rbx,1),%xmm15\n\n\n\tpor\t%xmm11,%xmm15\n\n\n\n.byte\t102,77,15,126,253\n\tpextrq\t$1,%xmm15,%r14\n\taddq\t%r13,%r10\n\tadcq\t%r14,%r11\n\tadcq\t$1,%r12\n\tmovq\t0+0+0(%rbp),%rax\n\tmovq\t%rax,%r15\n\tmulq\t%r10\n\tmovq\t%rax,%r13\n\tmovq\t%rdx,%r14\n\tmovq\t0+0+0(%rbp),%rax\n\tmulq\t%r11\n\timulq\t%r12,%r15\n\taddq\t%rax,%r14\n\tadcq\t%rdx,%r15\n\tmovq\t8+0+0(%rbp),%rax\n\tmovq\t%rax,%r9\n\tmulq\t%r10\n\taddq\t%rax,%r14\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r10\n\tmovq\t8+0+0(%rbp),%rax\n\tmulq\t%r11\n\taddq\t%rax,%r15\n\tadcq\t$0,%rdx\n\timulq\t%r12,%r9\n\taddq\t%r10,%r15\n\tadcq\t%rdx,%r9\n\tmovq\t%r13,%r10\n\tmovq\t%r14,%r11\n\tmovq\t%r15,%r12\n\tandq\t$3,%r12\n\tmovq\t%r15,%r13\n\tandq\t$-4,%r13\n\tmovq\t%r9,%r14\n\tshrdq\t$2,%r9,%r15\n\tshrq\t$2,%r9\n\taddq\t%r13,%r15\n\tadcq\t%r14,%r9\n\taddq\t%r15,%r10\n\tadcq\t%r9,%r11\n\tadcq\t$0,%r12\n\n\nL$process_blocks_of_extra_in:\n\n\tmovq\t288+32+0 (%rsp),%r9\n\tmovq\t48(%r9),%rsi\n\tmovq\t56(%r9),%r8\n\tmovq\t%r8,%rcx\n\tshrq\t$4,%r8\n\nL$process_extra_hash_loop:\n\tjz\tprocess_extra_in_trailer\n\taddq\t0+0(%rsi),%r10\n\tadcq\t8+0(%rsi),%r11\n\tadcq\t$1,%r12\n\tmovq\t0+0+0(%rbp),%rax\n\tmovq\t%rax,%r15\n\tmulq\t%r10\n\tmovq\t%rax,%r13\n\tmovq\t%rdx,%r14\n\tmovq\t0+0+0(%rbp),%rax\n\tmulq\t%r11\n\timulq\t%r12,%r15\n\taddq\t%rax,%r14\n\tadcq\t%rdx,%r15\n\tmovq\t8+0+0(%rbp),%rax\n\tmovq\t%rax,%r9\n\tmulq\t%r10\n\taddq\t%rax,%r14\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r10\n\tmovq\t8+0+0(%rbp),%rax\n\tmulq\t%r11\n\taddq\t%rax,%r15\n\tadcq\t$0,%rdx\n\timulq\t%r12,%r9\n\taddq\t%r10,%r15\n\tadcq\t%rdx,%r9\n\tmovq\t%r13,%r10\n\tmovq\t%r14,%r11\n\tmovq\t%r15,%r12\n\tandq\t$3,%r12\n\tmovq\t%r15,%r13\n\tandq\t$-4,%r13\n\tmovq\t%r9,%r14\n\tshrdq\t$2,%r9,%r15\n\tshrq\t$2,%r9\n\taddq\t%r13,%r15\n\tadcq\t%r14,%r9\n\taddq\t%r15,%r10\n\tadcq\t%r9,%r11\n\tadcq\t$0,%r12\n\n\tleaq\t16(%rsi),%rsi\n\tsubq\t$1,%r8\n\tjmp\tL$process_extra_hash_loop\nprocess_extra_in_trailer:\n\tandq\t$15,%rcx\n\tmovq\t%rcx,%rbx\n\tjz\tL$do_length_block\n\tleaq\t-1(%rsi,%rcx,1),%rsi\n\nL$process_extra_in_trailer_load:\n\tpslldq\t$1,%xmm15\n\tpinsrb\t$0,(%rsi),%xmm15\n\tleaq\t-1(%rsi),%rsi\n\tsubq\t$1,%rcx\n\tjnz\tL$process_extra_in_trailer_load\n\nL$process_partial_block:\n\n\tleaq\tL$and_masks(%rip),%r15\n\tshlq\t$4,%rbx\n\tpand\t-16(%r15,%rbx,1),%xmm15\n.byte\t102,77,15,126,253\n\tpextrq\t$1,%xmm15,%r14\n\taddq\t%r13,%r10\n\tadcq\t%r14,%r11\n\tadcq\t$1,%r12\n\tmovq\t0+0+0(%rbp),%rax\n\tmovq\t%rax,%r15\n\tmulq\t%r10\n\tmovq\t%rax,%r13\n\tmovq\t%rdx,%r14\n\tmovq\t0+0+0(%rbp),%rax\n\tmulq\t%r11\n\timulq\t%r12,%r15\n\taddq\t%rax,%r14\n\tadcq\t%rdx,%r15\n\tmovq\t8+0+0(%rbp),%rax\n\tmovq\t%rax,%r9\n\tmulq\t%r10\n\taddq\t%rax,%r14\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r10\n\tmovq\t8+0+0(%rbp),%rax\n\tmulq\t%r11\n\taddq\t%rax,%r15\n\tadcq\t$0,%rdx\n\timulq\t%r12,%r9\n\taddq\t%r10,%r15\n\tadcq\t%rdx,%r9\n\tmovq\t%r13,%r10\n\tmovq\t%r14,%r11\n\tmovq\t%r15,%r12\n\tandq\t$3,%r12\n\tmovq\t%r15,%r13\n\tandq\t$-4,%r13\n\tmovq\t%r9,%r14\n\tshrdq\t$2,%r9,%r15\n\tshrq\t$2,%r9\n\taddq\t%r13,%r15\n\tadcq\t%r14,%r9\n\taddq\t%r15,%r10\n\tadcq\t%r9,%r11\n\tadcq\t$0,%r12\n\n\nL$do_length_block:\n\taddq\t0+0+32(%rbp),%r10\n\tadcq\t8+0+32(%rbp),%r11\n\tadcq\t$1,%r12\n\tmovq\t0+0+0(%rbp),%rax\n\tmovq\t%rax,%r15\n\tmulq\t%r10\n\tmovq\t%rax,%r13\n\tmovq\t%rdx,%r14\n\tmovq\t0+0+0(%rbp),%rax\n\tmulq\t%r11\n\timulq\t%r12,%r15\n\taddq\t%rax,%r14\n\tadcq\t%rdx,%r15\n\tmovq\t8+0+0(%rbp),%rax\n\tmovq\t%rax,%r9\n\tmulq\t%r10\n\taddq\t%rax,%r14\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r10\n\tmovq\t8+0+0(%rbp),%rax\n\tmulq\t%r11\n\taddq\t%rax,%r15\n\tadcq\t$0,%rdx\n\timulq\t%r12,%r9\n\taddq\t%r10,%r15\n\tadcq\t%rdx,%r9\n\tmovq\t%r13,%r10\n\tmovq\t%r14,%r11\n\tmovq\t%r15,%r12\n\tandq\t$3,%r12\n\tmovq\t%r15,%r13\n\tandq\t$-4,%r13\n\tmovq\t%r9,%r14\n\tshrdq\t$2,%r9,%r15\n\tshrq\t$2,%r9\n\taddq\t%r13,%r15\n\tadcq\t%r14,%r9\n\taddq\t%r15,%r10\n\tadcq\t%r9,%r11\n\tadcq\t$0,%r12\n\n\n\tmovq\t%r10,%r13\n\tmovq\t%r11,%r14\n\tmovq\t%r12,%r15\n\tsubq\t$-5,%r10\n\tsbbq\t$-1,%r11\n\tsbbq\t$3,%r12\n\tcmovcq\t%r13,%r10\n\tcmovcq\t%r14,%r11\n\tcmovcq\t%r15,%r12\n\n\taddq\t0+0+16(%rbp),%r10\n\tadcq\t8+0+16(%rbp),%r11\n\n\n\taddq\t$288 + 0 + 32,%rsp\n\n\n\tpopq\t%r9\n\n\tmovq\t%r10,(%r9)\n\tmovq\t%r11,8(%r9)\n\tpopq\t%r15\n\n\tpopq\t%r14\n\n\tpopq\t%r13\n\n\tpopq\t%r12\n\n\tpopq\t%rbx\n\n\tpopq\t%rbp\n\n\tret\n\nL$seal_sse_128:\n\n\tmovdqu\tL$chacha20_consts(%rip),%xmm0\n\tmovdqa\t%xmm0,%xmm1\n\tmovdqa\t%xmm0,%xmm2\n\tmovdqu\t0(%r9),%xmm4\n\tmovdqa\t%xmm4,%xmm5\n\tmovdqa\t%xmm4,%xmm6\n\tmovdqu\t16(%r9),%xmm8\n\tmovdqa\t%xmm8,%xmm9\n\tmovdqa\t%xmm8,%xmm10\n\tmovdqu\t32(%r9),%xmm14\n\tmovdqa\t%xmm14,%xmm12\n\tpaddd\tL$sse_inc(%rip),%xmm12\n\tmovdqa\t%xmm12,%xmm13\n\tpaddd\tL$sse_inc(%rip),%xmm13\n\tmovdqa\t%xmm4,%xmm7\n\tmovdqa\t%xmm8,%xmm11\n\tmovdqa\t%xmm12,%xmm15\n\tmovq\t$10,%r10\n\nL$seal_sse_128_rounds:\n\tpaddd\t%xmm4,%xmm0\n\tpxor\t%xmm0,%xmm12\n\tpshufb\tL$rol16(%rip),%xmm12\n\tpaddd\t%xmm12,%xmm8\n\tpxor\t%xmm8,%xmm4\n\tmovdqa\t%xmm4,%xmm3\n\tpslld\t$12,%xmm3\n\tpsrld\t$20,%xmm4\n\tpxor\t%xmm3,%xmm4\n\tpaddd\t%xmm4,%xmm0\n\tpxor\t%xmm0,%xmm12\n\tpshufb\tL$rol8(%rip),%xmm12\n\tpaddd\t%xmm12,%xmm8\n\tpxor\t%xmm8,%xmm4\n\tmovdqa\t%xmm4,%xmm3\n\tpslld\t$7,%xmm3\n\tpsrld\t$25,%xmm4\n\tpxor\t%xmm3,%xmm4\n.byte\t102,15,58,15,228,4\n.byte\t102,69,15,58,15,192,8\n.byte\t102,69,15,58,15,228,12\n\tpaddd\t%xmm5,%xmm1\n\tpxor\t%xmm1,%xmm13\n\tpshufb\tL$rol16(%rip),%xmm13\n\tpaddd\t%xmm13,%xmm9\n\tpxor\t%xmm9,%xmm5\n\tmovdqa\t%xmm5,%xmm3\n\tpslld\t$12,%xmm3\n\tpsrld\t$20,%xmm5\n\tpxor\t%xmm3,%xmm5\n\tpaddd\t%xmm5,%xmm1\n\tpxor\t%xmm1,%xmm13\n\tpshufb\tL$rol8(%rip),%xmm13\n\tpaddd\t%xmm13,%xmm9\n\tpxor\t%xmm9,%xmm5\n\tmovdqa\t%xmm5,%xmm3\n\tpslld\t$7,%xmm3\n\tpsrld\t$25,%xmm5\n\tpxor\t%xmm3,%xmm5\n.byte\t102,15,58,15,237,4\n.byte\t102,69,15,58,15,201,8\n.byte\t102,69,15,58,15,237,12\n\tpaddd\t%xmm6,%xmm2\n\tpxor\t%xmm2,%xmm14\n\tpshufb\tL$rol16(%rip),%xmm14\n\tpaddd\t%xmm14,%xmm10\n\tpxor\t%xmm10,%xmm6\n\tmovdqa\t%xmm6,%xmm3\n\tpslld\t$12,%xmm3\n\tpsrld\t$20,%xmm6\n\tpxor\t%xmm3,%xmm6\n\tpaddd\t%xmm6,%xmm2\n\tpxor\t%xmm2,%xmm14\n\tpshufb\tL$rol8(%rip),%xmm14\n\tpaddd\t%xmm14,%xmm10\n\tpxor\t%xmm10,%xmm6\n\tmovdqa\t%xmm6,%xmm3\n\tpslld\t$7,%xmm3\n\tpsrld\t$25,%xmm6\n\tpxor\t%xmm3,%xmm6\n.byte\t102,15,58,15,246,4\n.byte\t102,69,15,58,15,210,8\n.byte\t102,69,15,58,15,246,12\n\tpaddd\t%xmm4,%xmm0\n\tpxor\t%xmm0,%xmm12\n\tpshufb\tL$rol16(%rip),%xmm12\n\tpaddd\t%xmm12,%xmm8\n\tpxor\t%xmm8,%xmm4\n\tmovdqa\t%xmm4,%xmm3\n\tpslld\t$12,%xmm3\n\tpsrld\t$20,%xmm4\n\tpxor\t%xmm3,%xmm4\n\tpaddd\t%xmm4,%xmm0\n\tpxor\t%xmm0,%xmm12\n\tpshufb\tL$rol8(%rip),%xmm12\n\tpaddd\t%xmm12,%xmm8\n\tpxor\t%xmm8,%xmm4\n\tmovdqa\t%xmm4,%xmm3\n\tpslld\t$7,%xmm3\n\tpsrld\t$25,%xmm4\n\tpxor\t%xmm3,%xmm4\n.byte\t102,15,58,15,228,12\n.byte\t102,69,15,58,15,192,8\n.byte\t102,69,15,58,15,228,4\n\tpaddd\t%xmm5,%xmm1\n\tpxor\t%xmm1,%xmm13\n\tpshufb\tL$rol16(%rip),%xmm13\n\tpaddd\t%xmm13,%xmm9\n\tpxor\t%xmm9,%xmm5\n\tmovdqa\t%xmm5,%xmm3\n\tpslld\t$12,%xmm3\n\tpsrld\t$20,%xmm5\n\tpxor\t%xmm3,%xmm5\n\tpaddd\t%xmm5,%xmm1\n\tpxor\t%xmm1,%xmm13\n\tpshufb\tL$rol8(%rip),%xmm13\n\tpaddd\t%xmm13,%xmm9\n\tpxor\t%xmm9,%xmm5\n\tmovdqa\t%xmm5,%xmm3\n\tpslld\t$7,%xmm3\n\tpsrld\t$25,%xmm5\n\tpxor\t%xmm3,%xmm5\n.byte\t102,15,58,15,237,12\n.byte\t102,69,15,58,15,201,8\n.byte\t102,69,15,58,15,237,4\n\tpaddd\t%xmm6,%xmm2\n\tpxor\t%xmm2,%xmm14\n\tpshufb\tL$rol16(%rip),%xmm14\n\tpaddd\t%xmm14,%xmm10\n\tpxor\t%xmm10,%xmm6\n\tmovdqa\t%xmm6,%xmm3\n\tpslld\t$12,%xmm3\n\tpsrld\t$20,%xmm6\n\tpxor\t%xmm3,%xmm6\n\tpaddd\t%xmm6,%xmm2\n\tpxor\t%xmm2,%xmm14\n\tpshufb\tL$rol8(%rip),%xmm14\n\tpaddd\t%xmm14,%xmm10\n\tpxor\t%xmm10,%xmm6\n\tmovdqa\t%xmm6,%xmm3\n\tpslld\t$7,%xmm3\n\tpsrld\t$25,%xmm6\n\tpxor\t%xmm3,%xmm6\n.byte\t102,15,58,15,246,12\n.byte\t102,69,15,58,15,210,8\n.byte\t102,69,15,58,15,246,4\n\n\tdecq\t%r10\n\tjnz\tL$seal_sse_128_rounds\n\tpaddd\tL$chacha20_consts(%rip),%xmm0\n\tpaddd\tL$chacha20_consts(%rip),%xmm1\n\tpaddd\tL$chacha20_consts(%rip),%xmm2\n\tpaddd\t%xmm7,%xmm4\n\tpaddd\t%xmm7,%xmm5\n\tpaddd\t%xmm7,%xmm6\n\tpaddd\t%xmm11,%xmm8\n\tpaddd\t%xmm11,%xmm9\n\tpaddd\t%xmm15,%xmm12\n\tpaddd\tL$sse_inc(%rip),%xmm15\n\tpaddd\t%xmm15,%xmm13\n\n\tpand\tL$clamp(%rip),%xmm2\n\tmovdqa\t%xmm2,0+0(%rbp)\n\tmovdqa\t%xmm6,0+16(%rbp)\n\n\tmovq\t%r8,%r8\n\tcall\tpoly_hash_ad_internal\n\tjmp\tL$seal_sse_128_tail_xor\n\n\n\n\n.globl\t_chacha20_poly1305_open_avx2\n.private_extern _chacha20_poly1305_open_avx2\n\n.p2align\t6\n_chacha20_poly1305_open_avx2:\n\n_CET_ENDBR\n\tpushq\t%rbp\n\n\tpushq\t%rbx\n\n\tpushq\t%r12\n\n\tpushq\t%r13\n\n\tpushq\t%r14\n\n\tpushq\t%r15\n\n\n\n\tpushq\t%r9\n\n\tsubq\t$288 + 0 + 32,%rsp\n\n\n\tleaq\t32(%rsp),%rbp\n\tandq\t$-32,%rbp\n\n\tmovq\t%rdx,%rbx\n\tmovq\t%r8,0+0+32(%rbp)\n\tmovq\t%rbx,8+0+32(%rbp)\n\n\tvzeroupper\n\tvmovdqa\tL$chacha20_consts(%rip),%ymm0\n\tvbroadcasti128\t0(%r9),%ymm4\n\tvbroadcasti128\t16(%r9),%ymm8\n\tvbroadcasti128\t32(%r9),%ymm12\n\tvpaddd\tL$avx2_init(%rip),%ymm12,%ymm12\n\tcmpq\t$192,%rbx\n\tjbe\tL$open_avx2_192\n\tcmpq\t$320,%rbx\n\tjbe\tL$open_avx2_320\n\n\tvmovdqa\t%ymm4,0+64(%rbp)\n\tvmovdqa\t%ymm8,0+96(%rbp)\n\tvmovdqa\t%ymm12,0+160(%rbp)\n\tmovq\t$10,%r10\nL$open_avx2_init_rounds:\n\tvpaddd\t%ymm4,%ymm0,%ymm0\n\tvpxor\t%ymm0,%ymm12,%ymm12\n\tvpshufb\tL$rol16(%rip),%ymm12,%ymm12\n\tvpaddd\t%ymm12,%ymm8,%ymm8\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvpsrld\t$20,%ymm4,%ymm3\n\tvpslld\t$12,%ymm4,%ymm4\n\tvpxor\t%ymm3,%ymm4,%ymm4\n\tvpaddd\t%ymm4,%ymm0,%ymm0\n\tvpxor\t%ymm0,%ymm12,%ymm12\n\tvpshufb\tL$rol8(%rip),%ymm12,%ymm12\n\tvpaddd\t%ymm12,%ymm8,%ymm8\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvpslld\t$7,%ymm4,%ymm3\n\tvpsrld\t$25,%ymm4,%ymm4\n\tvpxor\t%ymm3,%ymm4,%ymm4\n\tvpalignr\t$12,%ymm12,%ymm12,%ymm12\n\tvpalignr\t$8,%ymm8,%ymm8,%ymm8\n\tvpalignr\t$4,%ymm4,%ymm4,%ymm4\n\tvpaddd\t%ymm4,%ymm0,%ymm0\n\tvpxor\t%ymm0,%ymm12,%ymm12\n\tvpshufb\tL$rol16(%rip),%ymm12,%ymm12\n\tvpaddd\t%ymm12,%ymm8,%ymm8\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvpsrld\t$20,%ymm4,%ymm3\n\tvpslld\t$12,%ymm4,%ymm4\n\tvpxor\t%ymm3,%ymm4,%ymm4\n\tvpaddd\t%ymm4,%ymm0,%ymm0\n\tvpxor\t%ymm0,%ymm12,%ymm12\n\tvpshufb\tL$rol8(%rip),%ymm12,%ymm12\n\tvpaddd\t%ymm12,%ymm8,%ymm8\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvpslld\t$7,%ymm4,%ymm3\n\tvpsrld\t$25,%ymm4,%ymm4\n\tvpxor\t%ymm3,%ymm4,%ymm4\n\tvpalignr\t$4,%ymm12,%ymm12,%ymm12\n\tvpalignr\t$8,%ymm8,%ymm8,%ymm8\n\tvpalignr\t$12,%ymm4,%ymm4,%ymm4\n\n\tdecq\t%r10\n\tjne\tL$open_avx2_init_rounds\n\tvpaddd\tL$chacha20_consts(%rip),%ymm0,%ymm0\n\tvpaddd\t0+64(%rbp),%ymm4,%ymm4\n\tvpaddd\t0+96(%rbp),%ymm8,%ymm8\n\tvpaddd\t0+160(%rbp),%ymm12,%ymm12\n\n\tvperm2i128\t$0x02,%ymm0,%ymm4,%ymm3\n\n\tvpand\tL$clamp(%rip),%ymm3,%ymm3\n\tvmovdqa\t%ymm3,0+0(%rbp)\n\n\tvperm2i128\t$0x13,%ymm0,%ymm4,%ymm0\n\tvperm2i128\t$0x13,%ymm8,%ymm12,%ymm4\n\n\tmovq\t%r8,%r8\n\tcall\tpoly_hash_ad_internal\n\n\txorq\t%rcx,%rcx\nL$open_avx2_init_hash:\n\taddq\t0+0(%rsi,%rcx,1),%r10\n\tadcq\t8+0(%rsi,%rcx,1),%r11\n\tadcq\t$1,%r12\n\tmovq\t0+0+0(%rbp),%rax\n\tmovq\t%rax,%r15\n\tmulq\t%r10\n\tmovq\t%rax,%r13\n\tmovq\t%rdx,%r14\n\tmovq\t0+0+0(%rbp),%rax\n\tmulq\t%r11\n\timulq\t%r12,%r15\n\taddq\t%rax,%r14\n\tadcq\t%rdx,%r15\n\tmovq\t8+0+0(%rbp),%rax\n\tmovq\t%rax,%r9\n\tmulq\t%r10\n\taddq\t%rax,%r14\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r10\n\tmovq\t8+0+0(%rbp),%rax\n\tmulq\t%r11\n\taddq\t%rax,%r15\n\tadcq\t$0,%rdx\n\timulq\t%r12,%r9\n\taddq\t%r10,%r15\n\tadcq\t%rdx,%r9\n\tmovq\t%r13,%r10\n\tmovq\t%r14,%r11\n\tmovq\t%r15,%r12\n\tandq\t$3,%r12\n\tmovq\t%r15,%r13\n\tandq\t$-4,%r13\n\tmovq\t%r9,%r14\n\tshrdq\t$2,%r9,%r15\n\tshrq\t$2,%r9\n\taddq\t%r13,%r15\n\tadcq\t%r14,%r9\n\taddq\t%r15,%r10\n\tadcq\t%r9,%r11\n\tadcq\t$0,%r12\n\n\taddq\t$16,%rcx\n\tcmpq\t$64,%rcx\n\tjne\tL$open_avx2_init_hash\n\n\tvpxor\t0(%rsi),%ymm0,%ymm0\n\tvpxor\t32(%rsi),%ymm4,%ymm4\n\n\tvmovdqu\t%ymm0,0(%rdi)\n\tvmovdqu\t%ymm4,32(%rdi)\n\tleaq\t64(%rsi),%rsi\n\tleaq\t64(%rdi),%rdi\n\tsubq\t$64,%rbx\nL$open_avx2_main_loop:\n\n\tcmpq\t$512,%rbx\n\tjb\tL$open_avx2_main_loop_done\n\tvmovdqa\tL$chacha20_consts(%rip),%ymm0\n\tvmovdqa\t0+64(%rbp),%ymm4\n\tvmovdqa\t0+96(%rbp),%ymm8\n\tvmovdqa\t%ymm0,%ymm1\n\tvmovdqa\t%ymm4,%ymm5\n\tvmovdqa\t%ymm8,%ymm9\n\tvmovdqa\t%ymm0,%ymm2\n\tvmovdqa\t%ymm4,%ymm6\n\tvmovdqa\t%ymm8,%ymm10\n\tvmovdqa\t%ymm0,%ymm3\n\tvmovdqa\t%ymm4,%ymm7\n\tvmovdqa\t%ymm8,%ymm11\n\tvmovdqa\tL$avx2_inc(%rip),%ymm12\n\tvpaddd\t0+160(%rbp),%ymm12,%ymm15\n\tvpaddd\t%ymm15,%ymm12,%ymm14\n\tvpaddd\t%ymm14,%ymm12,%ymm13\n\tvpaddd\t%ymm13,%ymm12,%ymm12\n\tvmovdqa\t%ymm15,0+256(%rbp)\n\tvmovdqa\t%ymm14,0+224(%rbp)\n\tvmovdqa\t%ymm13,0+192(%rbp)\n\tvmovdqa\t%ymm12,0+160(%rbp)\n\n\txorq\t%rcx,%rcx\nL$open_avx2_main_loop_rounds:\n\taddq\t0+0(%rsi,%rcx,1),%r10\n\tadcq\t8+0(%rsi,%rcx,1),%r11\n\tadcq\t$1,%r12\n\tvmovdqa\t%ymm8,0+128(%rbp)\n\tvmovdqa\tL$rol16(%rip),%ymm8\n\tvpaddd\t%ymm7,%ymm3,%ymm3\n\tvpaddd\t%ymm6,%ymm2,%ymm2\n\tvpaddd\t%ymm5,%ymm1,%ymm1\n\tvpaddd\t%ymm4,%ymm0,%ymm0\n\tvpxor\t%ymm3,%ymm15,%ymm15\n\tvpxor\t%ymm2,%ymm14,%ymm14\n\tvpxor\t%ymm1,%ymm13,%ymm13\n\tvpxor\t%ymm0,%ymm12,%ymm12\n\tmovq\t0+0+0(%rbp),%rdx\n\tmovq\t%rdx,%r15\n\tmulxq\t%r10,%r13,%r14\n\tmulxq\t%r11,%rax,%rdx\n\timulq\t%r12,%r15\n\taddq\t%rax,%r14\n\tadcq\t%rdx,%r15\n\tvpshufb\t%ymm8,%ymm15,%ymm15\n\tvpshufb\t%ymm8,%ymm14,%ymm14\n\tvpshufb\t%ymm8,%ymm13,%ymm13\n\tvpshufb\t%ymm8,%ymm12,%ymm12\n\tvpaddd\t%ymm15,%ymm11,%ymm11\n\tvpaddd\t%ymm14,%ymm10,%ymm10\n\tvpaddd\t%ymm13,%ymm9,%ymm9\n\tvpaddd\t0+128(%rbp),%ymm12,%ymm8\n\tvpxor\t%ymm11,%ymm7,%ymm7\n\tmovq\t8+0+0(%rbp),%rdx\n\tmulxq\t%r10,%r10,%rax\n\taddq\t%r10,%r14\n\tmulxq\t%r11,%r11,%r9\n\tadcq\t%r11,%r15\n\tadcq\t$0,%r9\n\timulq\t%r12,%rdx\n\tvpxor\t%ymm10,%ymm6,%ymm6\n\tvpxor\t%ymm9,%ymm5,%ymm5\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvmovdqa\t%ymm8,0+128(%rbp)\n\tvpsrld\t$20,%ymm7,%ymm8\n\tvpslld\t$32-20,%ymm7,%ymm7\n\tvpxor\t%ymm8,%ymm7,%ymm7\n\tvpsrld\t$20,%ymm6,%ymm8\n\tvpslld\t$32-20,%ymm6,%ymm6\n\tvpxor\t%ymm8,%ymm6,%ymm6\n\tvpsrld\t$20,%ymm5,%ymm8\n\tvpslld\t$32-20,%ymm5,%ymm5\n\taddq\t%rax,%r15\n\tadcq\t%rdx,%r9\n\tvpxor\t%ymm8,%ymm5,%ymm5\n\tvpsrld\t$20,%ymm4,%ymm8\n\tvpslld\t$32-20,%ymm4,%ymm4\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvmovdqa\tL$rol8(%rip),%ymm8\n\tvpaddd\t%ymm7,%ymm3,%ymm3\n\tvpaddd\t%ymm6,%ymm2,%ymm2\n\tvpaddd\t%ymm5,%ymm1,%ymm1\n\tvpaddd\t%ymm4,%ymm0,%ymm0\n\tvpxor\t%ymm3,%ymm15,%ymm15\n\tmovq\t%r13,%r10\n\tmovq\t%r14,%r11\n\tmovq\t%r15,%r12\n\tandq\t$3,%r12\n\tmovq\t%r15,%r13\n\tandq\t$-4,%r13\n\tmovq\t%r9,%r14\n\tshrdq\t$2,%r9,%r15\n\tshrq\t$2,%r9\n\taddq\t%r13,%r15\n\tadcq\t%r14,%r9\n\taddq\t%r15,%r10\n\tadcq\t%r9,%r11\n\tadcq\t$0,%r12\n\tvpxor\t%ymm2,%ymm14,%ymm14\n\tvpxor\t%ymm1,%ymm13,%ymm13\n\tvpxor\t%ymm0,%ymm12,%ymm12\n\tvpshufb\t%ymm8,%ymm15,%ymm15\n\tvpshufb\t%ymm8,%ymm14,%ymm14\n\tvpshufb\t%ymm8,%ymm13,%ymm13\n\tvpshufb\t%ymm8,%ymm12,%ymm12\n\tvpaddd\t%ymm15,%ymm11,%ymm11\n\tvpaddd\t%ymm14,%ymm10,%ymm10\n\taddq\t0+16(%rsi,%rcx,1),%r10\n\tadcq\t8+16(%rsi,%rcx,1),%r11\n\tadcq\t$1,%r12\n\tvpaddd\t%ymm13,%ymm9,%ymm9\n\tvpaddd\t0+128(%rbp),%ymm12,%ymm8\n\tvpxor\t%ymm11,%ymm7,%ymm7\n\tvpxor\t%ymm10,%ymm6,%ymm6\n\tvpxor\t%ymm9,%ymm5,%ymm5\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvmovdqa\t%ymm8,0+128(%rbp)\n\tvpsrld\t$25,%ymm7,%ymm8\n\tmovq\t0+0+0(%rbp),%rdx\n\tmovq\t%rdx,%r15\n\tmulxq\t%r10,%r13,%r14\n\tmulxq\t%r11,%rax,%rdx\n\timulq\t%r12,%r15\n\taddq\t%rax,%r14\n\tadcq\t%rdx,%r15\n\tvpslld\t$32-25,%ymm7,%ymm7\n\tvpxor\t%ymm8,%ymm7,%ymm7\n\tvpsrld\t$25,%ymm6,%ymm8\n\tvpslld\t$32-25,%ymm6,%ymm6\n\tvpxor\t%ymm8,%ymm6,%ymm6\n\tvpsrld\t$25,%ymm5,%ymm8\n\tvpslld\t$32-25,%ymm5,%ymm5\n\tvpxor\t%ymm8,%ymm5,%ymm5\n\tvpsrld\t$25,%ymm4,%ymm8\n\tvpslld\t$32-25,%ymm4,%ymm4\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvmovdqa\t0+128(%rbp),%ymm8\n\tvpalignr\t$4,%ymm7,%ymm7,%ymm7\n\tvpalignr\t$8,%ymm11,%ymm11,%ymm11\n\tvpalignr\t$12,%ymm15,%ymm15,%ymm15\n\tvpalignr\t$4,%ymm6,%ymm6,%ymm6\n\tvpalignr\t$8,%ymm10,%ymm10,%ymm10\n\tvpalignr\t$12,%ymm14,%ymm14,%ymm14\n\tmovq\t8+0+0(%rbp),%rdx\n\tmulxq\t%r10,%r10,%rax\n\taddq\t%r10,%r14\n\tmulxq\t%r11,%r11,%r9\n\tadcq\t%r11,%r15\n\tadcq\t$0,%r9\n\timulq\t%r12,%rdx\n\tvpalignr\t$4,%ymm5,%ymm5,%ymm5\n\tvpalignr\t$8,%ymm9,%ymm9,%ymm9\n\tvpalignr\t$12,%ymm13,%ymm13,%ymm13\n\tvpalignr\t$4,%ymm4,%ymm4,%ymm4\n\tvpalignr\t$8,%ymm8,%ymm8,%ymm8\n\tvpalignr\t$12,%ymm12,%ymm12,%ymm12\n\tvmovdqa\t%ymm8,0+128(%rbp)\n\tvmovdqa\tL$rol16(%rip),%ymm8\n\tvpaddd\t%ymm7,%ymm3,%ymm3\n\tvpaddd\t%ymm6,%ymm2,%ymm2\n\tvpaddd\t%ymm5,%ymm1,%ymm1\n\tvpaddd\t%ymm4,%ymm0,%ymm0\n\tvpxor\t%ymm3,%ymm15,%ymm15\n\tvpxor\t%ymm2,%ymm14,%ymm14\n\tvpxor\t%ymm1,%ymm13,%ymm13\n\tvpxor\t%ymm0,%ymm12,%ymm12\n\tvpshufb\t%ymm8,%ymm15,%ymm15\n\tvpshufb\t%ymm8,%ymm14,%ymm14\n\taddq\t%rax,%r15\n\tadcq\t%rdx,%r9\n\tvpshufb\t%ymm8,%ymm13,%ymm13\n\tvpshufb\t%ymm8,%ymm12,%ymm12\n\tvpaddd\t%ymm15,%ymm11,%ymm11\n\tvpaddd\t%ymm14,%ymm10,%ymm10\n\tvpaddd\t%ymm13,%ymm9,%ymm9\n\tvpaddd\t0+128(%rbp),%ymm12,%ymm8\n\tvpxor\t%ymm11,%ymm7,%ymm7\n\tvpxor\t%ymm10,%ymm6,%ymm6\n\tvpxor\t%ymm9,%ymm5,%ymm5\n\tmovq\t%r13,%r10\n\tmovq\t%r14,%r11\n\tmovq\t%r15,%r12\n\tandq\t$3,%r12\n\tmovq\t%r15,%r13\n\tandq\t$-4,%r13\n\tmovq\t%r9,%r14\n\tshrdq\t$2,%r9,%r15\n\tshrq\t$2,%r9\n\taddq\t%r13,%r15\n\tadcq\t%r14,%r9\n\taddq\t%r15,%r10\n\tadcq\t%r9,%r11\n\tadcq\t$0,%r12\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvmovdqa\t%ymm8,0+128(%rbp)\n\tvpsrld\t$20,%ymm7,%ymm8\n\tvpslld\t$32-20,%ymm7,%ymm7\n\tvpxor\t%ymm8,%ymm7,%ymm7\n\tvpsrld\t$20,%ymm6,%ymm8\n\tvpslld\t$32-20,%ymm6,%ymm6\n\tvpxor\t%ymm8,%ymm6,%ymm6\n\taddq\t0+32(%rsi,%rcx,1),%r10\n\tadcq\t8+32(%rsi,%rcx,1),%r11\n\tadcq\t$1,%r12\n\n\tleaq\t48(%rcx),%rcx\n\tvpsrld\t$20,%ymm5,%ymm8\n\tvpslld\t$32-20,%ymm5,%ymm5\n\tvpxor\t%ymm8,%ymm5,%ymm5\n\tvpsrld\t$20,%ymm4,%ymm8\n\tvpslld\t$32-20,%ymm4,%ymm4\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvmovdqa\tL$rol8(%rip),%ymm8\n\tvpaddd\t%ymm7,%ymm3,%ymm3\n\tvpaddd\t%ymm6,%ymm2,%ymm2\n\tvpaddd\t%ymm5,%ymm1,%ymm1\n\tvpaddd\t%ymm4,%ymm0,%ymm0\n\tvpxor\t%ymm3,%ymm15,%ymm15\n\tvpxor\t%ymm2,%ymm14,%ymm14\n\tvpxor\t%ymm1,%ymm13,%ymm13\n\tvpxor\t%ymm0,%ymm12,%ymm12\n\tvpshufb\t%ymm8,%ymm15,%ymm15\n\tvpshufb\t%ymm8,%ymm14,%ymm14\n\tvpshufb\t%ymm8,%ymm13,%ymm13\n\tmovq\t0+0+0(%rbp),%rdx\n\tmovq\t%rdx,%r15\n\tmulxq\t%r10,%r13,%r14\n\tmulxq\t%r11,%rax,%rdx\n\timulq\t%r12,%r15\n\taddq\t%rax,%r14\n\tadcq\t%rdx,%r15\n\tvpshufb\t%ymm8,%ymm12,%ymm12\n\tvpaddd\t%ymm15,%ymm11,%ymm11\n\tvpaddd\t%ymm14,%ymm10,%ymm10\n\tvpaddd\t%ymm13,%ymm9,%ymm9\n\tvpaddd\t0+128(%rbp),%ymm12,%ymm8\n\tvpxor\t%ymm11,%ymm7,%ymm7\n\tvpxor\t%ymm10,%ymm6,%ymm6\n\tvpxor\t%ymm9,%ymm5,%ymm5\n\tmovq\t8+0+0(%rbp),%rdx\n\tmulxq\t%r10,%r10,%rax\n\taddq\t%r10,%r14\n\tmulxq\t%r11,%r11,%r9\n\tadcq\t%r11,%r15\n\tadcq\t$0,%r9\n\timulq\t%r12,%rdx\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvmovdqa\t%ymm8,0+128(%rbp)\n\tvpsrld\t$25,%ymm7,%ymm8\n\tvpslld\t$32-25,%ymm7,%ymm7\n\tvpxor\t%ymm8,%ymm7,%ymm7\n\tvpsrld\t$25,%ymm6,%ymm8\n\tvpslld\t$32-25,%ymm6,%ymm6\n\tvpxor\t%ymm8,%ymm6,%ymm6\n\taddq\t%rax,%r15\n\tadcq\t%rdx,%r9\n\tvpsrld\t$25,%ymm5,%ymm8\n\tvpslld\t$32-25,%ymm5,%ymm5\n\tvpxor\t%ymm8,%ymm5,%ymm5\n\tvpsrld\t$25,%ymm4,%ymm8\n\tvpslld\t$32-25,%ymm4,%ymm4\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvmovdqa\t0+128(%rbp),%ymm8\n\tvpalignr\t$12,%ymm7,%ymm7,%ymm7\n\tvpalignr\t$8,%ymm11,%ymm11,%ymm11\n\tvpalignr\t$4,%ymm15,%ymm15,%ymm15\n\tvpalignr\t$12,%ymm6,%ymm6,%ymm6\n\tvpalignr\t$8,%ymm10,%ymm10,%ymm10\n\tvpalignr\t$4,%ymm14,%ymm14,%ymm14\n\tvpalignr\t$12,%ymm5,%ymm5,%ymm5\n\tvpalignr\t$8,%ymm9,%ymm9,%ymm9\n\tvpalignr\t$4,%ymm13,%ymm13,%ymm13\n\tvpalignr\t$12,%ymm4,%ymm4,%ymm4\n\tvpalignr\t$8,%ymm8,%ymm8,%ymm8\n\tmovq\t%r13,%r10\n\tmovq\t%r14,%r11\n\tmovq\t%r15,%r12\n\tandq\t$3,%r12\n\tmovq\t%r15,%r13\n\tandq\t$-4,%r13\n\tmovq\t%r9,%r14\n\tshrdq\t$2,%r9,%r15\n\tshrq\t$2,%r9\n\taddq\t%r13,%r15\n\tadcq\t%r14,%r9\n\taddq\t%r15,%r10\n\tadcq\t%r9,%r11\n\tadcq\t$0,%r12\n\tvpalignr\t$4,%ymm12,%ymm12,%ymm12\n\n\tcmpq\t$60*8,%rcx\n\tjne\tL$open_avx2_main_loop_rounds\n\tvpaddd\tL$chacha20_consts(%rip),%ymm3,%ymm3\n\tvpaddd\t0+64(%rbp),%ymm7,%ymm7\n\tvpaddd\t0+96(%rbp),%ymm11,%ymm11\n\tvpaddd\t0+256(%rbp),%ymm15,%ymm15\n\tvpaddd\tL$chacha20_consts(%rip),%ymm2,%ymm2\n\tvpaddd\t0+64(%rbp),%ymm6,%ymm6\n\tvpaddd\t0+96(%rbp),%ymm10,%ymm10\n\tvpaddd\t0+224(%rbp),%ymm14,%ymm14\n\tvpaddd\tL$chacha20_consts(%rip),%ymm1,%ymm1\n\tvpaddd\t0+64(%rbp),%ymm5,%ymm5\n\tvpaddd\t0+96(%rbp),%ymm9,%ymm9\n\tvpaddd\t0+192(%rbp),%ymm13,%ymm13\n\tvpaddd\tL$chacha20_consts(%rip),%ymm0,%ymm0\n\tvpaddd\t0+64(%rbp),%ymm4,%ymm4\n\tvpaddd\t0+96(%rbp),%ymm8,%ymm8\n\tvpaddd\t0+160(%rbp),%ymm12,%ymm12\n\n\tvmovdqa\t%ymm0,0+128(%rbp)\n\taddq\t0+60*8(%rsi),%r10\n\tadcq\t8+60*8(%rsi),%r11\n\tadcq\t$1,%r12\n\tvperm2i128\t$0x02,%ymm3,%ymm7,%ymm0\n\tvperm2i128\t$0x13,%ymm3,%ymm7,%ymm7\n\tvperm2i128\t$0x02,%ymm11,%ymm15,%ymm3\n\tvperm2i128\t$0x13,%ymm11,%ymm15,%ymm11\n\tvpxor\t0+0(%rsi),%ymm0,%ymm0\n\tvpxor\t32+0(%rsi),%ymm3,%ymm3\n\tvpxor\t64+0(%rsi),%ymm7,%ymm7\n\tvpxor\t96+0(%rsi),%ymm11,%ymm11\n\tvmovdqu\t%ymm0,0+0(%rdi)\n\tvmovdqu\t%ymm3,32+0(%rdi)\n\tvmovdqu\t%ymm7,64+0(%rdi)\n\tvmovdqu\t%ymm11,96+0(%rdi)\n\n\tvmovdqa\t0+128(%rbp),%ymm0\n\tmovq\t0+0+0(%rbp),%rax\n\tmovq\t%rax,%r15\n\tmulq\t%r10\n\tmovq\t%rax,%r13\n\tmovq\t%rdx,%r14\n\tmovq\t0+0+0(%rbp),%rax\n\tmulq\t%r11\n\timulq\t%r12,%r15\n\taddq\t%rax,%r14\n\tadcq\t%rdx,%r15\n\tmovq\t8+0+0(%rbp),%rax\n\tmovq\t%rax,%r9\n\tmulq\t%r10\n\taddq\t%rax,%r14\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r10\n\tmovq\t8+0+0(%rbp),%rax\n\tmulq\t%r11\n\taddq\t%rax,%r15\n\tadcq\t$0,%rdx\n\timulq\t%r12,%r9\n\taddq\t%r10,%r15\n\tadcq\t%rdx,%r9\n\tmovq\t%r13,%r10\n\tmovq\t%r14,%r11\n\tmovq\t%r15,%r12\n\tandq\t$3,%r12\n\tmovq\t%r15,%r13\n\tandq\t$-4,%r13\n\tmovq\t%r9,%r14\n\tshrdq\t$2,%r9,%r15\n\tshrq\t$2,%r9\n\taddq\t%r13,%r15\n\tadcq\t%r14,%r9\n\taddq\t%r15,%r10\n\tadcq\t%r9,%r11\n\tadcq\t$0,%r12\n\tvperm2i128\t$0x02,%ymm2,%ymm6,%ymm3\n\tvperm2i128\t$0x13,%ymm2,%ymm6,%ymm6\n\tvperm2i128\t$0x02,%ymm10,%ymm14,%ymm2\n\tvperm2i128\t$0x13,%ymm10,%ymm14,%ymm10\n\tvpxor\t0+128(%rsi),%ymm3,%ymm3\n\tvpxor\t32+128(%rsi),%ymm2,%ymm2\n\tvpxor\t64+128(%rsi),%ymm6,%ymm6\n\tvpxor\t96+128(%rsi),%ymm10,%ymm10\n\tvmovdqu\t%ymm3,0+128(%rdi)\n\tvmovdqu\t%ymm2,32+128(%rdi)\n\tvmovdqu\t%ymm6,64+128(%rdi)\n\tvmovdqu\t%ymm10,96+128(%rdi)\n\taddq\t0+60*8+16(%rsi),%r10\n\tadcq\t8+60*8+16(%rsi),%r11\n\tadcq\t$1,%r12\n\tvperm2i128\t$0x02,%ymm1,%ymm5,%ymm3\n\tvperm2i128\t$0x13,%ymm1,%ymm5,%ymm5\n\tvperm2i128\t$0x02,%ymm9,%ymm13,%ymm1\n\tvperm2i128\t$0x13,%ymm9,%ymm13,%ymm9\n\tvpxor\t0+256(%rsi),%ymm3,%ymm3\n\tvpxor\t32+256(%rsi),%ymm1,%ymm1\n\tvpxor\t64+256(%rsi),%ymm5,%ymm5\n\tvpxor\t96+256(%rsi),%ymm9,%ymm9\n\tvmovdqu\t%ymm3,0+256(%rdi)\n\tvmovdqu\t%ymm1,32+256(%rdi)\n\tvmovdqu\t%ymm5,64+256(%rdi)\n\tvmovdqu\t%ymm9,96+256(%rdi)\n\tmovq\t0+0+0(%rbp),%rax\n\tmovq\t%rax,%r15\n\tmulq\t%r10\n\tmovq\t%rax,%r13\n\tmovq\t%rdx,%r14\n\tmovq\t0+0+0(%rbp),%rax\n\tmulq\t%r11\n\timulq\t%r12,%r15\n\taddq\t%rax,%r14\n\tadcq\t%rdx,%r15\n\tmovq\t8+0+0(%rbp),%rax\n\tmovq\t%rax,%r9\n\tmulq\t%r10\n\taddq\t%rax,%r14\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r10\n\tmovq\t8+0+0(%rbp),%rax\n\tmulq\t%r11\n\taddq\t%rax,%r15\n\tadcq\t$0,%rdx\n\timulq\t%r12,%r9\n\taddq\t%r10,%r15\n\tadcq\t%rdx,%r9\n\tmovq\t%r13,%r10\n\tmovq\t%r14,%r11\n\tmovq\t%r15,%r12\n\tandq\t$3,%r12\n\tmovq\t%r15,%r13\n\tandq\t$-4,%r13\n\tmovq\t%r9,%r14\n\tshrdq\t$2,%r9,%r15\n\tshrq\t$2,%r9\n\taddq\t%r13,%r15\n\tadcq\t%r14,%r9\n\taddq\t%r15,%r10\n\tadcq\t%r9,%r11\n\tadcq\t$0,%r12\n\tvperm2i128\t$0x02,%ymm0,%ymm4,%ymm3\n\tvperm2i128\t$0x13,%ymm0,%ymm4,%ymm4\n\tvperm2i128\t$0x02,%ymm8,%ymm12,%ymm0\n\tvperm2i128\t$0x13,%ymm8,%ymm12,%ymm8\n\tvpxor\t0+384(%rsi),%ymm3,%ymm3\n\tvpxor\t32+384(%rsi),%ymm0,%ymm0\n\tvpxor\t64+384(%rsi),%ymm4,%ymm4\n\tvpxor\t96+384(%rsi),%ymm8,%ymm8\n\tvmovdqu\t%ymm3,0+384(%rdi)\n\tvmovdqu\t%ymm0,32+384(%rdi)\n\tvmovdqu\t%ymm4,64+384(%rdi)\n\tvmovdqu\t%ymm8,96+384(%rdi)\n\n\tleaq\t512(%rsi),%rsi\n\tleaq\t512(%rdi),%rdi\n\tsubq\t$512,%rbx\n\tjmp\tL$open_avx2_main_loop\nL$open_avx2_main_loop_done:\n\ttestq\t%rbx,%rbx\n\tvzeroupper\n\tje\tL$open_sse_finalize\n\n\tcmpq\t$384,%rbx\n\tja\tL$open_avx2_tail_512\n\tcmpq\t$256,%rbx\n\tja\tL$open_avx2_tail_384\n\tcmpq\t$128,%rbx\n\tja\tL$open_avx2_tail_256\n\tvmovdqa\tL$chacha20_consts(%rip),%ymm0\n\tvmovdqa\t0+64(%rbp),%ymm4\n\tvmovdqa\t0+96(%rbp),%ymm8\n\tvmovdqa\tL$avx2_inc(%rip),%ymm12\n\tvpaddd\t0+160(%rbp),%ymm12,%ymm12\n\tvmovdqa\t%ymm12,0+160(%rbp)\n\n\txorq\t%r8,%r8\n\tmovq\t%rbx,%rcx\n\tandq\t$-16,%rcx\n\ttestq\t%rcx,%rcx\n\tje\tL$open_avx2_tail_128_rounds\nL$open_avx2_tail_128_rounds_and_x1hash:\n\taddq\t0+0(%rsi,%r8,1),%r10\n\tadcq\t8+0(%rsi,%r8,1),%r11\n\tadcq\t$1,%r12\n\tmovq\t0+0+0(%rbp),%rax\n\tmovq\t%rax,%r15\n\tmulq\t%r10\n\tmovq\t%rax,%r13\n\tmovq\t%rdx,%r14\n\tmovq\t0+0+0(%rbp),%rax\n\tmulq\t%r11\n\timulq\t%r12,%r15\n\taddq\t%rax,%r14\n\tadcq\t%rdx,%r15\n\tmovq\t8+0+0(%rbp),%rax\n\tmovq\t%rax,%r9\n\tmulq\t%r10\n\taddq\t%rax,%r14\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r10\n\tmovq\t8+0+0(%rbp),%rax\n\tmulq\t%r11\n\taddq\t%rax,%r15\n\tadcq\t$0,%rdx\n\timulq\t%r12,%r9\n\taddq\t%r10,%r15\n\tadcq\t%rdx,%r9\n\tmovq\t%r13,%r10\n\tmovq\t%r14,%r11\n\tmovq\t%r15,%r12\n\tandq\t$3,%r12\n\tmovq\t%r15,%r13\n\tandq\t$-4,%r13\n\tmovq\t%r9,%r14\n\tshrdq\t$2,%r9,%r15\n\tshrq\t$2,%r9\n\taddq\t%r13,%r15\n\tadcq\t%r14,%r9\n\taddq\t%r15,%r10\n\tadcq\t%r9,%r11\n\tadcq\t$0,%r12\n\nL$open_avx2_tail_128_rounds:\n\taddq\t$16,%r8\n\tvpaddd\t%ymm4,%ymm0,%ymm0\n\tvpxor\t%ymm0,%ymm12,%ymm12\n\tvpshufb\tL$rol16(%rip),%ymm12,%ymm12\n\tvpaddd\t%ymm12,%ymm8,%ymm8\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvpsrld\t$20,%ymm4,%ymm3\n\tvpslld\t$12,%ymm4,%ymm4\n\tvpxor\t%ymm3,%ymm4,%ymm4\n\tvpaddd\t%ymm4,%ymm0,%ymm0\n\tvpxor\t%ymm0,%ymm12,%ymm12\n\tvpshufb\tL$rol8(%rip),%ymm12,%ymm12\n\tvpaddd\t%ymm12,%ymm8,%ymm8\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvpslld\t$7,%ymm4,%ymm3\n\tvpsrld\t$25,%ymm4,%ymm4\n\tvpxor\t%ymm3,%ymm4,%ymm4\n\tvpalignr\t$12,%ymm12,%ymm12,%ymm12\n\tvpalignr\t$8,%ymm8,%ymm8,%ymm8\n\tvpalignr\t$4,%ymm4,%ymm4,%ymm4\n\tvpaddd\t%ymm4,%ymm0,%ymm0\n\tvpxor\t%ymm0,%ymm12,%ymm12\n\tvpshufb\tL$rol16(%rip),%ymm12,%ymm12\n\tvpaddd\t%ymm12,%ymm8,%ymm8\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvpsrld\t$20,%ymm4,%ymm3\n\tvpslld\t$12,%ymm4,%ymm4\n\tvpxor\t%ymm3,%ymm4,%ymm4\n\tvpaddd\t%ymm4,%ymm0,%ymm0\n\tvpxor\t%ymm0,%ymm12,%ymm12\n\tvpshufb\tL$rol8(%rip),%ymm12,%ymm12\n\tvpaddd\t%ymm12,%ymm8,%ymm8\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvpslld\t$7,%ymm4,%ymm3\n\tvpsrld\t$25,%ymm4,%ymm4\n\tvpxor\t%ymm3,%ymm4,%ymm4\n\tvpalignr\t$4,%ymm12,%ymm12,%ymm12\n\tvpalignr\t$8,%ymm8,%ymm8,%ymm8\n\tvpalignr\t$12,%ymm4,%ymm4,%ymm4\n\n\tcmpq\t%rcx,%r8\n\tjb\tL$open_avx2_tail_128_rounds_and_x1hash\n\tcmpq\t$160,%r8\n\tjne\tL$open_avx2_tail_128_rounds\n\tvpaddd\tL$chacha20_consts(%rip),%ymm0,%ymm0\n\tvpaddd\t0+64(%rbp),%ymm4,%ymm4\n\tvpaddd\t0+96(%rbp),%ymm8,%ymm8\n\tvpaddd\t0+160(%rbp),%ymm12,%ymm12\n\tvperm2i128\t$0x13,%ymm0,%ymm4,%ymm3\n\tvperm2i128\t$0x02,%ymm0,%ymm4,%ymm0\n\tvperm2i128\t$0x02,%ymm8,%ymm12,%ymm4\n\tvperm2i128\t$0x13,%ymm8,%ymm12,%ymm12\n\tvmovdqa\t%ymm3,%ymm8\n\n\tjmp\tL$open_avx2_tail_128_xor\n\nL$open_avx2_tail_256:\n\tvmovdqa\tL$chacha20_consts(%rip),%ymm0\n\tvmovdqa\t0+64(%rbp),%ymm4\n\tvmovdqa\t0+96(%rbp),%ymm8\n\tvmovdqa\t%ymm0,%ymm1\n\tvmovdqa\t%ymm4,%ymm5\n\tvmovdqa\t%ymm8,%ymm9\n\tvmovdqa\tL$avx2_inc(%rip),%ymm12\n\tvpaddd\t0+160(%rbp),%ymm12,%ymm13\n\tvpaddd\t%ymm13,%ymm12,%ymm12\n\tvmovdqa\t%ymm12,0+160(%rbp)\n\tvmovdqa\t%ymm13,0+192(%rbp)\n\n\tmovq\t%rbx,0+128(%rbp)\n\tmovq\t%rbx,%rcx\n\tsubq\t$128,%rcx\n\tshrq\t$4,%rcx\n\tmovq\t$10,%r8\n\tcmpq\t$10,%rcx\n\tcmovgq\t%r8,%rcx\n\tmovq\t%rsi,%rbx\n\txorq\t%r8,%r8\nL$open_avx2_tail_256_rounds_and_x1hash:\n\taddq\t0+0(%rbx),%r10\n\tadcq\t8+0(%rbx),%r11\n\tadcq\t$1,%r12\n\tmovq\t0+0+0(%rbp),%rdx\n\tmovq\t%rdx,%r15\n\tmulxq\t%r10,%r13,%r14\n\tmulxq\t%r11,%rax,%rdx\n\timulq\t%r12,%r15\n\taddq\t%rax,%r14\n\tadcq\t%rdx,%r15\n\tmovq\t8+0+0(%rbp),%rdx\n\tmulxq\t%r10,%r10,%rax\n\taddq\t%r10,%r14\n\tmulxq\t%r11,%r11,%r9\n\tadcq\t%r11,%r15\n\tadcq\t$0,%r9\n\timulq\t%r12,%rdx\n\taddq\t%rax,%r15\n\tadcq\t%rdx,%r9\n\tmovq\t%r13,%r10\n\tmovq\t%r14,%r11\n\tmovq\t%r15,%r12\n\tandq\t$3,%r12\n\tmovq\t%r15,%r13\n\tandq\t$-4,%r13\n\tmovq\t%r9,%r14\n\tshrdq\t$2,%r9,%r15\n\tshrq\t$2,%r9\n\taddq\t%r13,%r15\n\tadcq\t%r14,%r9\n\taddq\t%r15,%r10\n\tadcq\t%r9,%r11\n\tadcq\t$0,%r12\n\n\tleaq\t16(%rbx),%rbx\nL$open_avx2_tail_256_rounds:\n\tvpaddd\t%ymm4,%ymm0,%ymm0\n\tvpxor\t%ymm0,%ymm12,%ymm12\n\tvpshufb\tL$rol16(%rip),%ymm12,%ymm12\n\tvpaddd\t%ymm12,%ymm8,%ymm8\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvpsrld\t$20,%ymm4,%ymm3\n\tvpslld\t$12,%ymm4,%ymm4\n\tvpxor\t%ymm3,%ymm4,%ymm4\n\tvpaddd\t%ymm4,%ymm0,%ymm0\n\tvpxor\t%ymm0,%ymm12,%ymm12\n\tvpshufb\tL$rol8(%rip),%ymm12,%ymm12\n\tvpaddd\t%ymm12,%ymm8,%ymm8\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvpslld\t$7,%ymm4,%ymm3\n\tvpsrld\t$25,%ymm4,%ymm4\n\tvpxor\t%ymm3,%ymm4,%ymm4\n\tvpalignr\t$12,%ymm12,%ymm12,%ymm12\n\tvpalignr\t$8,%ymm8,%ymm8,%ymm8\n\tvpalignr\t$4,%ymm4,%ymm4,%ymm4\n\tvpaddd\t%ymm5,%ymm1,%ymm1\n\tvpxor\t%ymm1,%ymm13,%ymm13\n\tvpshufb\tL$rol16(%rip),%ymm13,%ymm13\n\tvpaddd\t%ymm13,%ymm9,%ymm9\n\tvpxor\t%ymm9,%ymm5,%ymm5\n\tvpsrld\t$20,%ymm5,%ymm3\n\tvpslld\t$12,%ymm5,%ymm5\n\tvpxor\t%ymm3,%ymm5,%ymm5\n\tvpaddd\t%ymm5,%ymm1,%ymm1\n\tvpxor\t%ymm1,%ymm13,%ymm13\n\tvpshufb\tL$rol8(%rip),%ymm13,%ymm13\n\tvpaddd\t%ymm13,%ymm9,%ymm9\n\tvpxor\t%ymm9,%ymm5,%ymm5\n\tvpslld\t$7,%ymm5,%ymm3\n\tvpsrld\t$25,%ymm5,%ymm5\n\tvpxor\t%ymm3,%ymm5,%ymm5\n\tvpalignr\t$12,%ymm13,%ymm13,%ymm13\n\tvpalignr\t$8,%ymm9,%ymm9,%ymm9\n\tvpalignr\t$4,%ymm5,%ymm5,%ymm5\n\n\tincq\t%r8\n\tvpaddd\t%ymm4,%ymm0,%ymm0\n\tvpxor\t%ymm0,%ymm12,%ymm12\n\tvpshufb\tL$rol16(%rip),%ymm12,%ymm12\n\tvpaddd\t%ymm12,%ymm8,%ymm8\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvpsrld\t$20,%ymm4,%ymm3\n\tvpslld\t$12,%ymm4,%ymm4\n\tvpxor\t%ymm3,%ymm4,%ymm4\n\tvpaddd\t%ymm4,%ymm0,%ymm0\n\tvpxor\t%ymm0,%ymm12,%ymm12\n\tvpshufb\tL$rol8(%rip),%ymm12,%ymm12\n\tvpaddd\t%ymm12,%ymm8,%ymm8\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvpslld\t$7,%ymm4,%ymm3\n\tvpsrld\t$25,%ymm4,%ymm4\n\tvpxor\t%ymm3,%ymm4,%ymm4\n\tvpalignr\t$4,%ymm12,%ymm12,%ymm12\n\tvpalignr\t$8,%ymm8,%ymm8,%ymm8\n\tvpalignr\t$12,%ymm4,%ymm4,%ymm4\n\tvpaddd\t%ymm5,%ymm1,%ymm1\n\tvpxor\t%ymm1,%ymm13,%ymm13\n\tvpshufb\tL$rol16(%rip),%ymm13,%ymm13\n\tvpaddd\t%ymm13,%ymm9,%ymm9\n\tvpxor\t%ymm9,%ymm5,%ymm5\n\tvpsrld\t$20,%ymm5,%ymm3\n\tvpslld\t$12,%ymm5,%ymm5\n\tvpxor\t%ymm3,%ymm5,%ymm5\n\tvpaddd\t%ymm5,%ymm1,%ymm1\n\tvpxor\t%ymm1,%ymm13,%ymm13\n\tvpshufb\tL$rol8(%rip),%ymm13,%ymm13\n\tvpaddd\t%ymm13,%ymm9,%ymm9\n\tvpxor\t%ymm9,%ymm5,%ymm5\n\tvpslld\t$7,%ymm5,%ymm3\n\tvpsrld\t$25,%ymm5,%ymm5\n\tvpxor\t%ymm3,%ymm5,%ymm5\n\tvpalignr\t$4,%ymm13,%ymm13,%ymm13\n\tvpalignr\t$8,%ymm9,%ymm9,%ymm9\n\tvpalignr\t$12,%ymm5,%ymm5,%ymm5\n\tvpaddd\t%ymm6,%ymm2,%ymm2\n\tvpxor\t%ymm2,%ymm14,%ymm14\n\tvpshufb\tL$rol16(%rip),%ymm14,%ymm14\n\tvpaddd\t%ymm14,%ymm10,%ymm10\n\tvpxor\t%ymm10,%ymm6,%ymm6\n\tvpsrld\t$20,%ymm6,%ymm3\n\tvpslld\t$12,%ymm6,%ymm6\n\tvpxor\t%ymm3,%ymm6,%ymm6\n\tvpaddd\t%ymm6,%ymm2,%ymm2\n\tvpxor\t%ymm2,%ymm14,%ymm14\n\tvpshufb\tL$rol8(%rip),%ymm14,%ymm14\n\tvpaddd\t%ymm14,%ymm10,%ymm10\n\tvpxor\t%ymm10,%ymm6,%ymm6\n\tvpslld\t$7,%ymm6,%ymm3\n\tvpsrld\t$25,%ymm6,%ymm6\n\tvpxor\t%ymm3,%ymm6,%ymm6\n\tvpalignr\t$4,%ymm14,%ymm14,%ymm14\n\tvpalignr\t$8,%ymm10,%ymm10,%ymm10\n\tvpalignr\t$12,%ymm6,%ymm6,%ymm6\n\n\tcmpq\t%rcx,%r8\n\tjb\tL$open_avx2_tail_256_rounds_and_x1hash\n\tcmpq\t$10,%r8\n\tjne\tL$open_avx2_tail_256_rounds\n\tmovq\t%rbx,%r8\n\tsubq\t%rsi,%rbx\n\tmovq\t%rbx,%rcx\n\tmovq\t0+128(%rbp),%rbx\nL$open_avx2_tail_256_hash:\n\taddq\t$16,%rcx\n\tcmpq\t%rbx,%rcx\n\tjg\tL$open_avx2_tail_256_done\n\taddq\t0+0(%r8),%r10\n\tadcq\t8+0(%r8),%r11\n\tadcq\t$1,%r12\n\tmovq\t0+0+0(%rbp),%rdx\n\tmovq\t%rdx,%r15\n\tmulxq\t%r10,%r13,%r14\n\tmulxq\t%r11,%rax,%rdx\n\timulq\t%r12,%r15\n\taddq\t%rax,%r14\n\tadcq\t%rdx,%r15\n\tmovq\t8+0+0(%rbp),%rdx\n\tmulxq\t%r10,%r10,%rax\n\taddq\t%r10,%r14\n\tmulxq\t%r11,%r11,%r9\n\tadcq\t%r11,%r15\n\tadcq\t$0,%r9\n\timulq\t%r12,%rdx\n\taddq\t%rax,%r15\n\tadcq\t%rdx,%r9\n\tmovq\t%r13,%r10\n\tmovq\t%r14,%r11\n\tmovq\t%r15,%r12\n\tandq\t$3,%r12\n\tmovq\t%r15,%r13\n\tandq\t$-4,%r13\n\tmovq\t%r9,%r14\n\tshrdq\t$2,%r9,%r15\n\tshrq\t$2,%r9\n\taddq\t%r13,%r15\n\tadcq\t%r14,%r9\n\taddq\t%r15,%r10\n\tadcq\t%r9,%r11\n\tadcq\t$0,%r12\n\n\tleaq\t16(%r8),%r8\n\tjmp\tL$open_avx2_tail_256_hash\nL$open_avx2_tail_256_done:\n\tvpaddd\tL$chacha20_consts(%rip),%ymm1,%ymm1\n\tvpaddd\t0+64(%rbp),%ymm5,%ymm5\n\tvpaddd\t0+96(%rbp),%ymm9,%ymm9\n\tvpaddd\t0+192(%rbp),%ymm13,%ymm13\n\tvpaddd\tL$chacha20_consts(%rip),%ymm0,%ymm0\n\tvpaddd\t0+64(%rbp),%ymm4,%ymm4\n\tvpaddd\t0+96(%rbp),%ymm8,%ymm8\n\tvpaddd\t0+160(%rbp),%ymm12,%ymm12\n\tvperm2i128\t$0x02,%ymm1,%ymm5,%ymm3\n\tvperm2i128\t$0x13,%ymm1,%ymm5,%ymm5\n\tvperm2i128\t$0x02,%ymm9,%ymm13,%ymm1\n\tvperm2i128\t$0x13,%ymm9,%ymm13,%ymm9\n\tvpxor\t0+0(%rsi),%ymm3,%ymm3\n\tvpxor\t32+0(%rsi),%ymm1,%ymm1\n\tvpxor\t64+0(%rsi),%ymm5,%ymm5\n\tvpxor\t96+0(%rsi),%ymm9,%ymm9\n\tvmovdqu\t%ymm3,0+0(%rdi)\n\tvmovdqu\t%ymm1,32+0(%rdi)\n\tvmovdqu\t%ymm5,64+0(%rdi)\n\tvmovdqu\t%ymm9,96+0(%rdi)\n\tvperm2i128\t$0x13,%ymm0,%ymm4,%ymm3\n\tvperm2i128\t$0x02,%ymm0,%ymm4,%ymm0\n\tvperm2i128\t$0x02,%ymm8,%ymm12,%ymm4\n\tvperm2i128\t$0x13,%ymm8,%ymm12,%ymm12\n\tvmovdqa\t%ymm3,%ymm8\n\n\tleaq\t128(%rsi),%rsi\n\tleaq\t128(%rdi),%rdi\n\tsubq\t$128,%rbx\n\tjmp\tL$open_avx2_tail_128_xor\n\nL$open_avx2_tail_384:\n\tvmovdqa\tL$chacha20_consts(%rip),%ymm0\n\tvmovdqa\t0+64(%rbp),%ymm4\n\tvmovdqa\t0+96(%rbp),%ymm8\n\tvmovdqa\t%ymm0,%ymm1\n\tvmovdqa\t%ymm4,%ymm5\n\tvmovdqa\t%ymm8,%ymm9\n\tvmovdqa\t%ymm0,%ymm2\n\tvmovdqa\t%ymm4,%ymm6\n\tvmovdqa\t%ymm8,%ymm10\n\tvmovdqa\tL$avx2_inc(%rip),%ymm12\n\tvpaddd\t0+160(%rbp),%ymm12,%ymm14\n\tvpaddd\t%ymm14,%ymm12,%ymm13\n\tvpaddd\t%ymm13,%ymm12,%ymm12\n\tvmovdqa\t%ymm12,0+160(%rbp)\n\tvmovdqa\t%ymm13,0+192(%rbp)\n\tvmovdqa\t%ymm14,0+224(%rbp)\n\n\tmovq\t%rbx,0+128(%rbp)\n\tmovq\t%rbx,%rcx\n\tsubq\t$256,%rcx\n\tshrq\t$4,%rcx\n\taddq\t$6,%rcx\n\tmovq\t$10,%r8\n\tcmpq\t$10,%rcx\n\tcmovgq\t%r8,%rcx\n\tmovq\t%rsi,%rbx\n\txorq\t%r8,%r8\nL$open_avx2_tail_384_rounds_and_x2hash:\n\taddq\t0+0(%rbx),%r10\n\tadcq\t8+0(%rbx),%r11\n\tadcq\t$1,%r12\n\tmovq\t0+0+0(%rbp),%rdx\n\tmovq\t%rdx,%r15\n\tmulxq\t%r10,%r13,%r14\n\tmulxq\t%r11,%rax,%rdx\n\timulq\t%r12,%r15\n\taddq\t%rax,%r14\n\tadcq\t%rdx,%r15\n\tmovq\t8+0+0(%rbp),%rdx\n\tmulxq\t%r10,%r10,%rax\n\taddq\t%r10,%r14\n\tmulxq\t%r11,%r11,%r9\n\tadcq\t%r11,%r15\n\tadcq\t$0,%r9\n\timulq\t%r12,%rdx\n\taddq\t%rax,%r15\n\tadcq\t%rdx,%r9\n\tmovq\t%r13,%r10\n\tmovq\t%r14,%r11\n\tmovq\t%r15,%r12\n\tandq\t$3,%r12\n\tmovq\t%r15,%r13\n\tandq\t$-4,%r13\n\tmovq\t%r9,%r14\n\tshrdq\t$2,%r9,%r15\n\tshrq\t$2,%r9\n\taddq\t%r13,%r15\n\tadcq\t%r14,%r9\n\taddq\t%r15,%r10\n\tadcq\t%r9,%r11\n\tadcq\t$0,%r12\n\n\tleaq\t16(%rbx),%rbx\nL$open_avx2_tail_384_rounds_and_x1hash:\n\tvpaddd\t%ymm6,%ymm2,%ymm2\n\tvpxor\t%ymm2,%ymm14,%ymm14\n\tvpshufb\tL$rol16(%rip),%ymm14,%ymm14\n\tvpaddd\t%ymm14,%ymm10,%ymm10\n\tvpxor\t%ymm10,%ymm6,%ymm6\n\tvpsrld\t$20,%ymm6,%ymm3\n\tvpslld\t$12,%ymm6,%ymm6\n\tvpxor\t%ymm3,%ymm6,%ymm6\n\tvpaddd\t%ymm6,%ymm2,%ymm2\n\tvpxor\t%ymm2,%ymm14,%ymm14\n\tvpshufb\tL$rol8(%rip),%ymm14,%ymm14\n\tvpaddd\t%ymm14,%ymm10,%ymm10\n\tvpxor\t%ymm10,%ymm6,%ymm6\n\tvpslld\t$7,%ymm6,%ymm3\n\tvpsrld\t$25,%ymm6,%ymm6\n\tvpxor\t%ymm3,%ymm6,%ymm6\n\tvpalignr\t$12,%ymm14,%ymm14,%ymm14\n\tvpalignr\t$8,%ymm10,%ymm10,%ymm10\n\tvpalignr\t$4,%ymm6,%ymm6,%ymm6\n\tvpaddd\t%ymm5,%ymm1,%ymm1\n\tvpxor\t%ymm1,%ymm13,%ymm13\n\tvpshufb\tL$rol16(%rip),%ymm13,%ymm13\n\tvpaddd\t%ymm13,%ymm9,%ymm9\n\tvpxor\t%ymm9,%ymm5,%ymm5\n\tvpsrld\t$20,%ymm5,%ymm3\n\tvpslld\t$12,%ymm5,%ymm5\n\tvpxor\t%ymm3,%ymm5,%ymm5\n\tvpaddd\t%ymm5,%ymm1,%ymm1\n\tvpxor\t%ymm1,%ymm13,%ymm13\n\tvpshufb\tL$rol8(%rip),%ymm13,%ymm13\n\tvpaddd\t%ymm13,%ymm9,%ymm9\n\tvpxor\t%ymm9,%ymm5,%ymm5\n\tvpslld\t$7,%ymm5,%ymm3\n\tvpsrld\t$25,%ymm5,%ymm5\n\tvpxor\t%ymm3,%ymm5,%ymm5\n\tvpalignr\t$12,%ymm13,%ymm13,%ymm13\n\tvpalignr\t$8,%ymm9,%ymm9,%ymm9\n\tvpalignr\t$4,%ymm5,%ymm5,%ymm5\n\tvpaddd\t%ymm4,%ymm0,%ymm0\n\tvpxor\t%ymm0,%ymm12,%ymm12\n\tvpshufb\tL$rol16(%rip),%ymm12,%ymm12\n\tvpaddd\t%ymm12,%ymm8,%ymm8\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvpsrld\t$20,%ymm4,%ymm3\n\tvpslld\t$12,%ymm4,%ymm4\n\tvpxor\t%ymm3,%ymm4,%ymm4\n\tvpaddd\t%ymm4,%ymm0,%ymm0\n\tvpxor\t%ymm0,%ymm12,%ymm12\n\tvpshufb\tL$rol8(%rip),%ymm12,%ymm12\n\tvpaddd\t%ymm12,%ymm8,%ymm8\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvpslld\t$7,%ymm4,%ymm3\n\tvpsrld\t$25,%ymm4,%ymm4\n\tvpxor\t%ymm3,%ymm4,%ymm4\n\tvpalignr\t$12,%ymm12,%ymm12,%ymm12\n\tvpalignr\t$8,%ymm8,%ymm8,%ymm8\n\tvpalignr\t$4,%ymm4,%ymm4,%ymm4\n\taddq\t0+0(%rbx),%r10\n\tadcq\t8+0(%rbx),%r11\n\tadcq\t$1,%r12\n\tmovq\t0+0+0(%rbp),%rax\n\tmovq\t%rax,%r15\n\tmulq\t%r10\n\tmovq\t%rax,%r13\n\tmovq\t%rdx,%r14\n\tmovq\t0+0+0(%rbp),%rax\n\tmulq\t%r11\n\timulq\t%r12,%r15\n\taddq\t%rax,%r14\n\tadcq\t%rdx,%r15\n\tmovq\t8+0+0(%rbp),%rax\n\tmovq\t%rax,%r9\n\tmulq\t%r10\n\taddq\t%rax,%r14\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r10\n\tmovq\t8+0+0(%rbp),%rax\n\tmulq\t%r11\n\taddq\t%rax,%r15\n\tadcq\t$0,%rdx\n\timulq\t%r12,%r9\n\taddq\t%r10,%r15\n\tadcq\t%rdx,%r9\n\tmovq\t%r13,%r10\n\tmovq\t%r14,%r11\n\tmovq\t%r15,%r12\n\tandq\t$3,%r12\n\tmovq\t%r15,%r13\n\tandq\t$-4,%r13\n\tmovq\t%r9,%r14\n\tshrdq\t$2,%r9,%r15\n\tshrq\t$2,%r9\n\taddq\t%r13,%r15\n\tadcq\t%r14,%r9\n\taddq\t%r15,%r10\n\tadcq\t%r9,%r11\n\tadcq\t$0,%r12\n\n\tleaq\t16(%rbx),%rbx\n\tincq\t%r8\n\tvpaddd\t%ymm6,%ymm2,%ymm2\n\tvpxor\t%ymm2,%ymm14,%ymm14\n\tvpshufb\tL$rol16(%rip),%ymm14,%ymm14\n\tvpaddd\t%ymm14,%ymm10,%ymm10\n\tvpxor\t%ymm10,%ymm6,%ymm6\n\tvpsrld\t$20,%ymm6,%ymm3\n\tvpslld\t$12,%ymm6,%ymm6\n\tvpxor\t%ymm3,%ymm6,%ymm6\n\tvpaddd\t%ymm6,%ymm2,%ymm2\n\tvpxor\t%ymm2,%ymm14,%ymm14\n\tvpshufb\tL$rol8(%rip),%ymm14,%ymm14\n\tvpaddd\t%ymm14,%ymm10,%ymm10\n\tvpxor\t%ymm10,%ymm6,%ymm6\n\tvpslld\t$7,%ymm6,%ymm3\n\tvpsrld\t$25,%ymm6,%ymm6\n\tvpxor\t%ymm3,%ymm6,%ymm6\n\tvpalignr\t$4,%ymm14,%ymm14,%ymm14\n\tvpalignr\t$8,%ymm10,%ymm10,%ymm10\n\tvpalignr\t$12,%ymm6,%ymm6,%ymm6\n\tvpaddd\t%ymm5,%ymm1,%ymm1\n\tvpxor\t%ymm1,%ymm13,%ymm13\n\tvpshufb\tL$rol16(%rip),%ymm13,%ymm13\n\tvpaddd\t%ymm13,%ymm9,%ymm9\n\tvpxor\t%ymm9,%ymm5,%ymm5\n\tvpsrld\t$20,%ymm5,%ymm3\n\tvpslld\t$12,%ymm5,%ymm5\n\tvpxor\t%ymm3,%ymm5,%ymm5\n\tvpaddd\t%ymm5,%ymm1,%ymm1\n\tvpxor\t%ymm1,%ymm13,%ymm13\n\tvpshufb\tL$rol8(%rip),%ymm13,%ymm13\n\tvpaddd\t%ymm13,%ymm9,%ymm9\n\tvpxor\t%ymm9,%ymm5,%ymm5\n\tvpslld\t$7,%ymm5,%ymm3\n\tvpsrld\t$25,%ymm5,%ymm5\n\tvpxor\t%ymm3,%ymm5,%ymm5\n\tvpalignr\t$4,%ymm13,%ymm13,%ymm13\n\tvpalignr\t$8,%ymm9,%ymm9,%ymm9\n\tvpalignr\t$12,%ymm5,%ymm5,%ymm5\n\tvpaddd\t%ymm4,%ymm0,%ymm0\n\tvpxor\t%ymm0,%ymm12,%ymm12\n\tvpshufb\tL$rol16(%rip),%ymm12,%ymm12\n\tvpaddd\t%ymm12,%ymm8,%ymm8\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvpsrld\t$20,%ymm4,%ymm3\n\tvpslld\t$12,%ymm4,%ymm4\n\tvpxor\t%ymm3,%ymm4,%ymm4\n\tvpaddd\t%ymm4,%ymm0,%ymm0\n\tvpxor\t%ymm0,%ymm12,%ymm12\n\tvpshufb\tL$rol8(%rip),%ymm12,%ymm12\n\tvpaddd\t%ymm12,%ymm8,%ymm8\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvpslld\t$7,%ymm4,%ymm3\n\tvpsrld\t$25,%ymm4,%ymm4\n\tvpxor\t%ymm3,%ymm4,%ymm4\n\tvpalignr\t$4,%ymm12,%ymm12,%ymm12\n\tvpalignr\t$8,%ymm8,%ymm8,%ymm8\n\tvpalignr\t$12,%ymm4,%ymm4,%ymm4\n\n\tcmpq\t%rcx,%r8\n\tjb\tL$open_avx2_tail_384_rounds_and_x2hash\n\tcmpq\t$10,%r8\n\tjne\tL$open_avx2_tail_384_rounds_and_x1hash\n\tmovq\t%rbx,%r8\n\tsubq\t%rsi,%rbx\n\tmovq\t%rbx,%rcx\n\tmovq\t0+128(%rbp),%rbx\nL$open_avx2_384_tail_hash:\n\taddq\t$16,%rcx\n\tcmpq\t%rbx,%rcx\n\tjg\tL$open_avx2_384_tail_done\n\taddq\t0+0(%r8),%r10\n\tadcq\t8+0(%r8),%r11\n\tadcq\t$1,%r12\n\tmovq\t0+0+0(%rbp),%rdx\n\tmovq\t%rdx,%r15\n\tmulxq\t%r10,%r13,%r14\n\tmulxq\t%r11,%rax,%rdx\n\timulq\t%r12,%r15\n\taddq\t%rax,%r14\n\tadcq\t%rdx,%r15\n\tmovq\t8+0+0(%rbp),%rdx\n\tmulxq\t%r10,%r10,%rax\n\taddq\t%r10,%r14\n\tmulxq\t%r11,%r11,%r9\n\tadcq\t%r11,%r15\n\tadcq\t$0,%r9\n\timulq\t%r12,%rdx\n\taddq\t%rax,%r15\n\tadcq\t%rdx,%r9\n\tmovq\t%r13,%r10\n\tmovq\t%r14,%r11\n\tmovq\t%r15,%r12\n\tandq\t$3,%r12\n\tmovq\t%r15,%r13\n\tandq\t$-4,%r13\n\tmovq\t%r9,%r14\n\tshrdq\t$2,%r9,%r15\n\tshrq\t$2,%r9\n\taddq\t%r13,%r15\n\tadcq\t%r14,%r9\n\taddq\t%r15,%r10\n\tadcq\t%r9,%r11\n\tadcq\t$0,%r12\n\n\tleaq\t16(%r8),%r8\n\tjmp\tL$open_avx2_384_tail_hash\nL$open_avx2_384_tail_done:\n\tvpaddd\tL$chacha20_consts(%rip),%ymm2,%ymm2\n\tvpaddd\t0+64(%rbp),%ymm6,%ymm6\n\tvpaddd\t0+96(%rbp),%ymm10,%ymm10\n\tvpaddd\t0+224(%rbp),%ymm14,%ymm14\n\tvpaddd\tL$chacha20_consts(%rip),%ymm1,%ymm1\n\tvpaddd\t0+64(%rbp),%ymm5,%ymm5\n\tvpaddd\t0+96(%rbp),%ymm9,%ymm9\n\tvpaddd\t0+192(%rbp),%ymm13,%ymm13\n\tvpaddd\tL$chacha20_consts(%rip),%ymm0,%ymm0\n\tvpaddd\t0+64(%rbp),%ymm4,%ymm4\n\tvpaddd\t0+96(%rbp),%ymm8,%ymm8\n\tvpaddd\t0+160(%rbp),%ymm12,%ymm12\n\tvperm2i128\t$0x02,%ymm2,%ymm6,%ymm3\n\tvperm2i128\t$0x13,%ymm2,%ymm6,%ymm6\n\tvperm2i128\t$0x02,%ymm10,%ymm14,%ymm2\n\tvperm2i128\t$0x13,%ymm10,%ymm14,%ymm10\n\tvpxor\t0+0(%rsi),%ymm3,%ymm3\n\tvpxor\t32+0(%rsi),%ymm2,%ymm2\n\tvpxor\t64+0(%rsi),%ymm6,%ymm6\n\tvpxor\t96+0(%rsi),%ymm10,%ymm10\n\tvmovdqu\t%ymm3,0+0(%rdi)\n\tvmovdqu\t%ymm2,32+0(%rdi)\n\tvmovdqu\t%ymm6,64+0(%rdi)\n\tvmovdqu\t%ymm10,96+0(%rdi)\n\tvperm2i128\t$0x02,%ymm1,%ymm5,%ymm3\n\tvperm2i128\t$0x13,%ymm1,%ymm5,%ymm5\n\tvperm2i128\t$0x02,%ymm9,%ymm13,%ymm1\n\tvperm2i128\t$0x13,%ymm9,%ymm13,%ymm9\n\tvpxor\t0+128(%rsi),%ymm3,%ymm3\n\tvpxor\t32+128(%rsi),%ymm1,%ymm1\n\tvpxor\t64+128(%rsi),%ymm5,%ymm5\n\tvpxor\t96+128(%rsi),%ymm9,%ymm9\n\tvmovdqu\t%ymm3,0+128(%rdi)\n\tvmovdqu\t%ymm1,32+128(%rdi)\n\tvmovdqu\t%ymm5,64+128(%rdi)\n\tvmovdqu\t%ymm9,96+128(%rdi)\n\tvperm2i128\t$0x13,%ymm0,%ymm4,%ymm3\n\tvperm2i128\t$0x02,%ymm0,%ymm4,%ymm0\n\tvperm2i128\t$0x02,%ymm8,%ymm12,%ymm4\n\tvperm2i128\t$0x13,%ymm8,%ymm12,%ymm12\n\tvmovdqa\t%ymm3,%ymm8\n\n\tleaq\t256(%rsi),%rsi\n\tleaq\t256(%rdi),%rdi\n\tsubq\t$256,%rbx\n\tjmp\tL$open_avx2_tail_128_xor\n\nL$open_avx2_tail_512:\n\tvmovdqa\tL$chacha20_consts(%rip),%ymm0\n\tvmovdqa\t0+64(%rbp),%ymm4\n\tvmovdqa\t0+96(%rbp),%ymm8\n\tvmovdqa\t%ymm0,%ymm1\n\tvmovdqa\t%ymm4,%ymm5\n\tvmovdqa\t%ymm8,%ymm9\n\tvmovdqa\t%ymm0,%ymm2\n\tvmovdqa\t%ymm4,%ymm6\n\tvmovdqa\t%ymm8,%ymm10\n\tvmovdqa\t%ymm0,%ymm3\n\tvmovdqa\t%ymm4,%ymm7\n\tvmovdqa\t%ymm8,%ymm11\n\tvmovdqa\tL$avx2_inc(%rip),%ymm12\n\tvpaddd\t0+160(%rbp),%ymm12,%ymm15\n\tvpaddd\t%ymm15,%ymm12,%ymm14\n\tvpaddd\t%ymm14,%ymm12,%ymm13\n\tvpaddd\t%ymm13,%ymm12,%ymm12\n\tvmovdqa\t%ymm15,0+256(%rbp)\n\tvmovdqa\t%ymm14,0+224(%rbp)\n\tvmovdqa\t%ymm13,0+192(%rbp)\n\tvmovdqa\t%ymm12,0+160(%rbp)\n\n\txorq\t%rcx,%rcx\n\tmovq\t%rsi,%r8\nL$open_avx2_tail_512_rounds_and_x2hash:\n\taddq\t0+0(%r8),%r10\n\tadcq\t8+0(%r8),%r11\n\tadcq\t$1,%r12\n\tmovq\t0+0+0(%rbp),%rax\n\tmovq\t%rax,%r15\n\tmulq\t%r10\n\tmovq\t%rax,%r13\n\tmovq\t%rdx,%r14\n\tmovq\t0+0+0(%rbp),%rax\n\tmulq\t%r11\n\timulq\t%r12,%r15\n\taddq\t%rax,%r14\n\tadcq\t%rdx,%r15\n\tmovq\t8+0+0(%rbp),%rax\n\tmovq\t%rax,%r9\n\tmulq\t%r10\n\taddq\t%rax,%r14\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r10\n\tmovq\t8+0+0(%rbp),%rax\n\tmulq\t%r11\n\taddq\t%rax,%r15\n\tadcq\t$0,%rdx\n\timulq\t%r12,%r9\n\taddq\t%r10,%r15\n\tadcq\t%rdx,%r9\n\tmovq\t%r13,%r10\n\tmovq\t%r14,%r11\n\tmovq\t%r15,%r12\n\tandq\t$3,%r12\n\tmovq\t%r15,%r13\n\tandq\t$-4,%r13\n\tmovq\t%r9,%r14\n\tshrdq\t$2,%r9,%r15\n\tshrq\t$2,%r9\n\taddq\t%r13,%r15\n\tadcq\t%r14,%r9\n\taddq\t%r15,%r10\n\tadcq\t%r9,%r11\n\tadcq\t$0,%r12\n\n\tleaq\t16(%r8),%r8\nL$open_avx2_tail_512_rounds_and_x1hash:\n\tvmovdqa\t%ymm8,0+128(%rbp)\n\tvmovdqa\tL$rol16(%rip),%ymm8\n\tvpaddd\t%ymm7,%ymm3,%ymm3\n\tvpaddd\t%ymm6,%ymm2,%ymm2\n\tvpaddd\t%ymm5,%ymm1,%ymm1\n\tvpaddd\t%ymm4,%ymm0,%ymm0\n\tvpxor\t%ymm3,%ymm15,%ymm15\n\tvpxor\t%ymm2,%ymm14,%ymm14\n\tvpxor\t%ymm1,%ymm13,%ymm13\n\tvpxor\t%ymm0,%ymm12,%ymm12\n\tvpshufb\t%ymm8,%ymm15,%ymm15\n\tvpshufb\t%ymm8,%ymm14,%ymm14\n\tvpshufb\t%ymm8,%ymm13,%ymm13\n\tvpshufb\t%ymm8,%ymm12,%ymm12\n\tvpaddd\t%ymm15,%ymm11,%ymm11\n\tvpaddd\t%ymm14,%ymm10,%ymm10\n\tvpaddd\t%ymm13,%ymm9,%ymm9\n\tvpaddd\t0+128(%rbp),%ymm12,%ymm8\n\tvpxor\t%ymm11,%ymm7,%ymm7\n\tvpxor\t%ymm10,%ymm6,%ymm6\n\tvpxor\t%ymm9,%ymm5,%ymm5\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvmovdqa\t%ymm8,0+128(%rbp)\n\tvpsrld\t$20,%ymm7,%ymm8\n\tvpslld\t$32-20,%ymm7,%ymm7\n\tvpxor\t%ymm8,%ymm7,%ymm7\n\tvpsrld\t$20,%ymm6,%ymm8\n\tvpslld\t$32-20,%ymm6,%ymm6\n\tvpxor\t%ymm8,%ymm6,%ymm6\n\tvpsrld\t$20,%ymm5,%ymm8\n\tvpslld\t$32-20,%ymm5,%ymm5\n\tvpxor\t%ymm8,%ymm5,%ymm5\n\tvpsrld\t$20,%ymm4,%ymm8\n\tvpslld\t$32-20,%ymm4,%ymm4\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvmovdqa\tL$rol8(%rip),%ymm8\n\tvpaddd\t%ymm7,%ymm3,%ymm3\n\taddq\t0+0(%r8),%r10\n\tadcq\t8+0(%r8),%r11\n\tadcq\t$1,%r12\n\tmovq\t0+0+0(%rbp),%rdx\n\tmovq\t%rdx,%r15\n\tmulxq\t%r10,%r13,%r14\n\tmulxq\t%r11,%rax,%rdx\n\timulq\t%r12,%r15\n\taddq\t%rax,%r14\n\tadcq\t%rdx,%r15\n\tmovq\t8+0+0(%rbp),%rdx\n\tmulxq\t%r10,%r10,%rax\n\taddq\t%r10,%r14\n\tmulxq\t%r11,%r11,%r9\n\tadcq\t%r11,%r15\n\tadcq\t$0,%r9\n\timulq\t%r12,%rdx\n\taddq\t%rax,%r15\n\tadcq\t%rdx,%r9\n\tmovq\t%r13,%r10\n\tmovq\t%r14,%r11\n\tmovq\t%r15,%r12\n\tandq\t$3,%r12\n\tmovq\t%r15,%r13\n\tandq\t$-4,%r13\n\tmovq\t%r9,%r14\n\tshrdq\t$2,%r9,%r15\n\tshrq\t$2,%r9\n\taddq\t%r13,%r15\n\tadcq\t%r14,%r9\n\taddq\t%r15,%r10\n\tadcq\t%r9,%r11\n\tadcq\t$0,%r12\n\tvpaddd\t%ymm6,%ymm2,%ymm2\n\tvpaddd\t%ymm5,%ymm1,%ymm1\n\tvpaddd\t%ymm4,%ymm0,%ymm0\n\tvpxor\t%ymm3,%ymm15,%ymm15\n\tvpxor\t%ymm2,%ymm14,%ymm14\n\tvpxor\t%ymm1,%ymm13,%ymm13\n\tvpxor\t%ymm0,%ymm12,%ymm12\n\tvpshufb\t%ymm8,%ymm15,%ymm15\n\tvpshufb\t%ymm8,%ymm14,%ymm14\n\tvpshufb\t%ymm8,%ymm13,%ymm13\n\tvpshufb\t%ymm8,%ymm12,%ymm12\n\tvpaddd\t%ymm15,%ymm11,%ymm11\n\tvpaddd\t%ymm14,%ymm10,%ymm10\n\tvpaddd\t%ymm13,%ymm9,%ymm9\n\tvpaddd\t0+128(%rbp),%ymm12,%ymm8\n\tvpxor\t%ymm11,%ymm7,%ymm7\n\tvpxor\t%ymm10,%ymm6,%ymm6\n\tvpxor\t%ymm9,%ymm5,%ymm5\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvmovdqa\t%ymm8,0+128(%rbp)\n\tvpsrld\t$25,%ymm7,%ymm8\n\tvpslld\t$32-25,%ymm7,%ymm7\n\tvpxor\t%ymm8,%ymm7,%ymm7\n\tvpsrld\t$25,%ymm6,%ymm8\n\tvpslld\t$32-25,%ymm6,%ymm6\n\tvpxor\t%ymm8,%ymm6,%ymm6\n\tvpsrld\t$25,%ymm5,%ymm8\n\tvpslld\t$32-25,%ymm5,%ymm5\n\tvpxor\t%ymm8,%ymm5,%ymm5\n\tvpsrld\t$25,%ymm4,%ymm8\n\tvpslld\t$32-25,%ymm4,%ymm4\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvmovdqa\t0+128(%rbp),%ymm8\n\tvpalignr\t$4,%ymm7,%ymm7,%ymm7\n\tvpalignr\t$8,%ymm11,%ymm11,%ymm11\n\tvpalignr\t$12,%ymm15,%ymm15,%ymm15\n\tvpalignr\t$4,%ymm6,%ymm6,%ymm6\n\tvpalignr\t$8,%ymm10,%ymm10,%ymm10\n\tvpalignr\t$12,%ymm14,%ymm14,%ymm14\n\tvpalignr\t$4,%ymm5,%ymm5,%ymm5\n\tvpalignr\t$8,%ymm9,%ymm9,%ymm9\n\tvpalignr\t$12,%ymm13,%ymm13,%ymm13\n\tvpalignr\t$4,%ymm4,%ymm4,%ymm4\n\tvpalignr\t$8,%ymm8,%ymm8,%ymm8\n\tvpalignr\t$12,%ymm12,%ymm12,%ymm12\n\tvmovdqa\t%ymm8,0+128(%rbp)\n\tvmovdqa\tL$rol16(%rip),%ymm8\n\tvpaddd\t%ymm7,%ymm3,%ymm3\n\taddq\t0+16(%r8),%r10\n\tadcq\t8+16(%r8),%r11\n\tadcq\t$1,%r12\n\tmovq\t0+0+0(%rbp),%rdx\n\tmovq\t%rdx,%r15\n\tmulxq\t%r10,%r13,%r14\n\tmulxq\t%r11,%rax,%rdx\n\timulq\t%r12,%r15\n\taddq\t%rax,%r14\n\tadcq\t%rdx,%r15\n\tmovq\t8+0+0(%rbp),%rdx\n\tmulxq\t%r10,%r10,%rax\n\taddq\t%r10,%r14\n\tmulxq\t%r11,%r11,%r9\n\tadcq\t%r11,%r15\n\tadcq\t$0,%r9\n\timulq\t%r12,%rdx\n\taddq\t%rax,%r15\n\tadcq\t%rdx,%r9\n\tmovq\t%r13,%r10\n\tmovq\t%r14,%r11\n\tmovq\t%r15,%r12\n\tandq\t$3,%r12\n\tmovq\t%r15,%r13\n\tandq\t$-4,%r13\n\tmovq\t%r9,%r14\n\tshrdq\t$2,%r9,%r15\n\tshrq\t$2,%r9\n\taddq\t%r13,%r15\n\tadcq\t%r14,%r9\n\taddq\t%r15,%r10\n\tadcq\t%r9,%r11\n\tadcq\t$0,%r12\n\n\tleaq\t32(%r8),%r8\n\tvpaddd\t%ymm6,%ymm2,%ymm2\n\tvpaddd\t%ymm5,%ymm1,%ymm1\n\tvpaddd\t%ymm4,%ymm0,%ymm0\n\tvpxor\t%ymm3,%ymm15,%ymm15\n\tvpxor\t%ymm2,%ymm14,%ymm14\n\tvpxor\t%ymm1,%ymm13,%ymm13\n\tvpxor\t%ymm0,%ymm12,%ymm12\n\tvpshufb\t%ymm8,%ymm15,%ymm15\n\tvpshufb\t%ymm8,%ymm14,%ymm14\n\tvpshufb\t%ymm8,%ymm13,%ymm13\n\tvpshufb\t%ymm8,%ymm12,%ymm12\n\tvpaddd\t%ymm15,%ymm11,%ymm11\n\tvpaddd\t%ymm14,%ymm10,%ymm10\n\tvpaddd\t%ymm13,%ymm9,%ymm9\n\tvpaddd\t0+128(%rbp),%ymm12,%ymm8\n\tvpxor\t%ymm11,%ymm7,%ymm7\n\tvpxor\t%ymm10,%ymm6,%ymm6\n\tvpxor\t%ymm9,%ymm5,%ymm5\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvmovdqa\t%ymm8,0+128(%rbp)\n\tvpsrld\t$20,%ymm7,%ymm8\n\tvpslld\t$32-20,%ymm7,%ymm7\n\tvpxor\t%ymm8,%ymm7,%ymm7\n\tvpsrld\t$20,%ymm6,%ymm8\n\tvpslld\t$32-20,%ymm6,%ymm6\n\tvpxor\t%ymm8,%ymm6,%ymm6\n\tvpsrld\t$20,%ymm5,%ymm8\n\tvpslld\t$32-20,%ymm5,%ymm5\n\tvpxor\t%ymm8,%ymm5,%ymm5\n\tvpsrld\t$20,%ymm4,%ymm8\n\tvpslld\t$32-20,%ymm4,%ymm4\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvmovdqa\tL$rol8(%rip),%ymm8\n\tvpaddd\t%ymm7,%ymm3,%ymm3\n\tvpaddd\t%ymm6,%ymm2,%ymm2\n\tvpaddd\t%ymm5,%ymm1,%ymm1\n\tvpaddd\t%ymm4,%ymm0,%ymm0\n\tvpxor\t%ymm3,%ymm15,%ymm15\n\tvpxor\t%ymm2,%ymm14,%ymm14\n\tvpxor\t%ymm1,%ymm13,%ymm13\n\tvpxor\t%ymm0,%ymm12,%ymm12\n\tvpshufb\t%ymm8,%ymm15,%ymm15\n\tvpshufb\t%ymm8,%ymm14,%ymm14\n\tvpshufb\t%ymm8,%ymm13,%ymm13\n\tvpshufb\t%ymm8,%ymm12,%ymm12\n\tvpaddd\t%ymm15,%ymm11,%ymm11\n\tvpaddd\t%ymm14,%ymm10,%ymm10\n\tvpaddd\t%ymm13,%ymm9,%ymm9\n\tvpaddd\t0+128(%rbp),%ymm12,%ymm8\n\tvpxor\t%ymm11,%ymm7,%ymm7\n\tvpxor\t%ymm10,%ymm6,%ymm6\n\tvpxor\t%ymm9,%ymm5,%ymm5\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvmovdqa\t%ymm8,0+128(%rbp)\n\tvpsrld\t$25,%ymm7,%ymm8\n\tvpslld\t$32-25,%ymm7,%ymm7\n\tvpxor\t%ymm8,%ymm7,%ymm7\n\tvpsrld\t$25,%ymm6,%ymm8\n\tvpslld\t$32-25,%ymm6,%ymm6\n\tvpxor\t%ymm8,%ymm6,%ymm6\n\tvpsrld\t$25,%ymm5,%ymm8\n\tvpslld\t$32-25,%ymm5,%ymm5\n\tvpxor\t%ymm8,%ymm5,%ymm5\n\tvpsrld\t$25,%ymm4,%ymm8\n\tvpslld\t$32-25,%ymm4,%ymm4\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvmovdqa\t0+128(%rbp),%ymm8\n\tvpalignr\t$12,%ymm7,%ymm7,%ymm7\n\tvpalignr\t$8,%ymm11,%ymm11,%ymm11\n\tvpalignr\t$4,%ymm15,%ymm15,%ymm15\n\tvpalignr\t$12,%ymm6,%ymm6,%ymm6\n\tvpalignr\t$8,%ymm10,%ymm10,%ymm10\n\tvpalignr\t$4,%ymm14,%ymm14,%ymm14\n\tvpalignr\t$12,%ymm5,%ymm5,%ymm5\n\tvpalignr\t$8,%ymm9,%ymm9,%ymm9\n\tvpalignr\t$4,%ymm13,%ymm13,%ymm13\n\tvpalignr\t$12,%ymm4,%ymm4,%ymm4\n\tvpalignr\t$8,%ymm8,%ymm8,%ymm8\n\tvpalignr\t$4,%ymm12,%ymm12,%ymm12\n\n\tincq\t%rcx\n\tcmpq\t$4,%rcx\n\tjl\tL$open_avx2_tail_512_rounds_and_x2hash\n\tcmpq\t$10,%rcx\n\tjne\tL$open_avx2_tail_512_rounds_and_x1hash\n\tmovq\t%rbx,%rcx\n\tsubq\t$384,%rcx\n\tandq\t$-16,%rcx\nL$open_avx2_tail_512_hash:\n\ttestq\t%rcx,%rcx\n\tje\tL$open_avx2_tail_512_done\n\taddq\t0+0(%r8),%r10\n\tadcq\t8+0(%r8),%r11\n\tadcq\t$1,%r12\n\tmovq\t0+0+0(%rbp),%rdx\n\tmovq\t%rdx,%r15\n\tmulxq\t%r10,%r13,%r14\n\tmulxq\t%r11,%rax,%rdx\n\timulq\t%r12,%r15\n\taddq\t%rax,%r14\n\tadcq\t%rdx,%r15\n\tmovq\t8+0+0(%rbp),%rdx\n\tmulxq\t%r10,%r10,%rax\n\taddq\t%r10,%r14\n\tmulxq\t%r11,%r11,%r9\n\tadcq\t%r11,%r15\n\tadcq\t$0,%r9\n\timulq\t%r12,%rdx\n\taddq\t%rax,%r15\n\tadcq\t%rdx,%r9\n\tmovq\t%r13,%r10\n\tmovq\t%r14,%r11\n\tmovq\t%r15,%r12\n\tandq\t$3,%r12\n\tmovq\t%r15,%r13\n\tandq\t$-4,%r13\n\tmovq\t%r9,%r14\n\tshrdq\t$2,%r9,%r15\n\tshrq\t$2,%r9\n\taddq\t%r13,%r15\n\tadcq\t%r14,%r9\n\taddq\t%r15,%r10\n\tadcq\t%r9,%r11\n\tadcq\t$0,%r12\n\n\tleaq\t16(%r8),%r8\n\tsubq\t$16,%rcx\n\tjmp\tL$open_avx2_tail_512_hash\nL$open_avx2_tail_512_done:\n\tvpaddd\tL$chacha20_consts(%rip),%ymm3,%ymm3\n\tvpaddd\t0+64(%rbp),%ymm7,%ymm7\n\tvpaddd\t0+96(%rbp),%ymm11,%ymm11\n\tvpaddd\t0+256(%rbp),%ymm15,%ymm15\n\tvpaddd\tL$chacha20_consts(%rip),%ymm2,%ymm2\n\tvpaddd\t0+64(%rbp),%ymm6,%ymm6\n\tvpaddd\t0+96(%rbp),%ymm10,%ymm10\n\tvpaddd\t0+224(%rbp),%ymm14,%ymm14\n\tvpaddd\tL$chacha20_consts(%rip),%ymm1,%ymm1\n\tvpaddd\t0+64(%rbp),%ymm5,%ymm5\n\tvpaddd\t0+96(%rbp),%ymm9,%ymm9\n\tvpaddd\t0+192(%rbp),%ymm13,%ymm13\n\tvpaddd\tL$chacha20_consts(%rip),%ymm0,%ymm0\n\tvpaddd\t0+64(%rbp),%ymm4,%ymm4\n\tvpaddd\t0+96(%rbp),%ymm8,%ymm8\n\tvpaddd\t0+160(%rbp),%ymm12,%ymm12\n\n\tvmovdqa\t%ymm0,0+128(%rbp)\n\tvperm2i128\t$0x02,%ymm3,%ymm7,%ymm0\n\tvperm2i128\t$0x13,%ymm3,%ymm7,%ymm7\n\tvperm2i128\t$0x02,%ymm11,%ymm15,%ymm3\n\tvperm2i128\t$0x13,%ymm11,%ymm15,%ymm11\n\tvpxor\t0+0(%rsi),%ymm0,%ymm0\n\tvpxor\t32+0(%rsi),%ymm3,%ymm3\n\tvpxor\t64+0(%rsi),%ymm7,%ymm7\n\tvpxor\t96+0(%rsi),%ymm11,%ymm11\n\tvmovdqu\t%ymm0,0+0(%rdi)\n\tvmovdqu\t%ymm3,32+0(%rdi)\n\tvmovdqu\t%ymm7,64+0(%rdi)\n\tvmovdqu\t%ymm11,96+0(%rdi)\n\n\tvmovdqa\t0+128(%rbp),%ymm0\n\tvperm2i128\t$0x02,%ymm2,%ymm6,%ymm3\n\tvperm2i128\t$0x13,%ymm2,%ymm6,%ymm6\n\tvperm2i128\t$0x02,%ymm10,%ymm14,%ymm2\n\tvperm2i128\t$0x13,%ymm10,%ymm14,%ymm10\n\tvpxor\t0+128(%rsi),%ymm3,%ymm3\n\tvpxor\t32+128(%rsi),%ymm2,%ymm2\n\tvpxor\t64+128(%rsi),%ymm6,%ymm6\n\tvpxor\t96+128(%rsi),%ymm10,%ymm10\n\tvmovdqu\t%ymm3,0+128(%rdi)\n\tvmovdqu\t%ymm2,32+128(%rdi)\n\tvmovdqu\t%ymm6,64+128(%rdi)\n\tvmovdqu\t%ymm10,96+128(%rdi)\n\tvperm2i128\t$0x02,%ymm1,%ymm5,%ymm3\n\tvperm2i128\t$0x13,%ymm1,%ymm5,%ymm5\n\tvperm2i128\t$0x02,%ymm9,%ymm13,%ymm1\n\tvperm2i128\t$0x13,%ymm9,%ymm13,%ymm9\n\tvpxor\t0+256(%rsi),%ymm3,%ymm3\n\tvpxor\t32+256(%rsi),%ymm1,%ymm1\n\tvpxor\t64+256(%rsi),%ymm5,%ymm5\n\tvpxor\t96+256(%rsi),%ymm9,%ymm9\n\tvmovdqu\t%ymm3,0+256(%rdi)\n\tvmovdqu\t%ymm1,32+256(%rdi)\n\tvmovdqu\t%ymm5,64+256(%rdi)\n\tvmovdqu\t%ymm9,96+256(%rdi)\n\tvperm2i128\t$0x13,%ymm0,%ymm4,%ymm3\n\tvperm2i128\t$0x02,%ymm0,%ymm4,%ymm0\n\tvperm2i128\t$0x02,%ymm8,%ymm12,%ymm4\n\tvperm2i128\t$0x13,%ymm8,%ymm12,%ymm12\n\tvmovdqa\t%ymm3,%ymm8\n\n\tleaq\t384(%rsi),%rsi\n\tleaq\t384(%rdi),%rdi\n\tsubq\t$384,%rbx\nL$open_avx2_tail_128_xor:\n\tcmpq\t$32,%rbx\n\tjb\tL$open_avx2_tail_32_xor\n\tsubq\t$32,%rbx\n\tvpxor\t(%rsi),%ymm0,%ymm0\n\tvmovdqu\t%ymm0,(%rdi)\n\tleaq\t32(%rsi),%rsi\n\tleaq\t32(%rdi),%rdi\n\tvmovdqa\t%ymm4,%ymm0\n\tvmovdqa\t%ymm8,%ymm4\n\tvmovdqa\t%ymm12,%ymm8\n\tjmp\tL$open_avx2_tail_128_xor\nL$open_avx2_tail_32_xor:\n\tcmpq\t$16,%rbx\n\tvmovdqa\t%xmm0,%xmm1\n\tjb\tL$open_avx2_exit\n\tsubq\t$16,%rbx\n\n\tvpxor\t(%rsi),%xmm0,%xmm1\n\tvmovdqu\t%xmm1,(%rdi)\n\tleaq\t16(%rsi),%rsi\n\tleaq\t16(%rdi),%rdi\n\tvperm2i128\t$0x11,%ymm0,%ymm0,%ymm0\n\tvmovdqa\t%xmm0,%xmm1\nL$open_avx2_exit:\n\tvzeroupper\n\tjmp\tL$open_sse_tail_16\n\nL$open_avx2_192:\n\tvmovdqa\t%ymm0,%ymm1\n\tvmovdqa\t%ymm0,%ymm2\n\tvmovdqa\t%ymm4,%ymm5\n\tvmovdqa\t%ymm4,%ymm6\n\tvmovdqa\t%ymm8,%ymm9\n\tvmovdqa\t%ymm8,%ymm10\n\tvpaddd\tL$avx2_inc(%rip),%ymm12,%ymm13\n\tvmovdqa\t%ymm12,%ymm11\n\tvmovdqa\t%ymm13,%ymm15\n\tmovq\t$10,%r10\nL$open_avx2_192_rounds:\n\tvpaddd\t%ymm4,%ymm0,%ymm0\n\tvpxor\t%ymm0,%ymm12,%ymm12\n\tvpshufb\tL$rol16(%rip),%ymm12,%ymm12\n\tvpaddd\t%ymm12,%ymm8,%ymm8\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvpsrld\t$20,%ymm4,%ymm3\n\tvpslld\t$12,%ymm4,%ymm4\n\tvpxor\t%ymm3,%ymm4,%ymm4\n\tvpaddd\t%ymm4,%ymm0,%ymm0\n\tvpxor\t%ymm0,%ymm12,%ymm12\n\tvpshufb\tL$rol8(%rip),%ymm12,%ymm12\n\tvpaddd\t%ymm12,%ymm8,%ymm8\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvpslld\t$7,%ymm4,%ymm3\n\tvpsrld\t$25,%ymm4,%ymm4\n\tvpxor\t%ymm3,%ymm4,%ymm4\n\tvpalignr\t$12,%ymm12,%ymm12,%ymm12\n\tvpalignr\t$8,%ymm8,%ymm8,%ymm8\n\tvpalignr\t$4,%ymm4,%ymm4,%ymm4\n\tvpaddd\t%ymm5,%ymm1,%ymm1\n\tvpxor\t%ymm1,%ymm13,%ymm13\n\tvpshufb\tL$rol16(%rip),%ymm13,%ymm13\n\tvpaddd\t%ymm13,%ymm9,%ymm9\n\tvpxor\t%ymm9,%ymm5,%ymm5\n\tvpsrld\t$20,%ymm5,%ymm3\n\tvpslld\t$12,%ymm5,%ymm5\n\tvpxor\t%ymm3,%ymm5,%ymm5\n\tvpaddd\t%ymm5,%ymm1,%ymm1\n\tvpxor\t%ymm1,%ymm13,%ymm13\n\tvpshufb\tL$rol8(%rip),%ymm13,%ymm13\n\tvpaddd\t%ymm13,%ymm9,%ymm9\n\tvpxor\t%ymm9,%ymm5,%ymm5\n\tvpslld\t$7,%ymm5,%ymm3\n\tvpsrld\t$25,%ymm5,%ymm5\n\tvpxor\t%ymm3,%ymm5,%ymm5\n\tvpalignr\t$12,%ymm13,%ymm13,%ymm13\n\tvpalignr\t$8,%ymm9,%ymm9,%ymm9\n\tvpalignr\t$4,%ymm5,%ymm5,%ymm5\n\tvpaddd\t%ymm4,%ymm0,%ymm0\n\tvpxor\t%ymm0,%ymm12,%ymm12\n\tvpshufb\tL$rol16(%rip),%ymm12,%ymm12\n\tvpaddd\t%ymm12,%ymm8,%ymm8\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvpsrld\t$20,%ymm4,%ymm3\n\tvpslld\t$12,%ymm4,%ymm4\n\tvpxor\t%ymm3,%ymm4,%ymm4\n\tvpaddd\t%ymm4,%ymm0,%ymm0\n\tvpxor\t%ymm0,%ymm12,%ymm12\n\tvpshufb\tL$rol8(%rip),%ymm12,%ymm12\n\tvpaddd\t%ymm12,%ymm8,%ymm8\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvpslld\t$7,%ymm4,%ymm3\n\tvpsrld\t$25,%ymm4,%ymm4\n\tvpxor\t%ymm3,%ymm4,%ymm4\n\tvpalignr\t$4,%ymm12,%ymm12,%ymm12\n\tvpalignr\t$8,%ymm8,%ymm8,%ymm8\n\tvpalignr\t$12,%ymm4,%ymm4,%ymm4\n\tvpaddd\t%ymm5,%ymm1,%ymm1\n\tvpxor\t%ymm1,%ymm13,%ymm13\n\tvpshufb\tL$rol16(%rip),%ymm13,%ymm13\n\tvpaddd\t%ymm13,%ymm9,%ymm9\n\tvpxor\t%ymm9,%ymm5,%ymm5\n\tvpsrld\t$20,%ymm5,%ymm3\n\tvpslld\t$12,%ymm5,%ymm5\n\tvpxor\t%ymm3,%ymm5,%ymm5\n\tvpaddd\t%ymm5,%ymm1,%ymm1\n\tvpxor\t%ymm1,%ymm13,%ymm13\n\tvpshufb\tL$rol8(%rip),%ymm13,%ymm13\n\tvpaddd\t%ymm13,%ymm9,%ymm9\n\tvpxor\t%ymm9,%ymm5,%ymm5\n\tvpslld\t$7,%ymm5,%ymm3\n\tvpsrld\t$25,%ymm5,%ymm5\n\tvpxor\t%ymm3,%ymm5,%ymm5\n\tvpalignr\t$4,%ymm13,%ymm13,%ymm13\n\tvpalignr\t$8,%ymm9,%ymm9,%ymm9\n\tvpalignr\t$12,%ymm5,%ymm5,%ymm5\n\n\tdecq\t%r10\n\tjne\tL$open_avx2_192_rounds\n\tvpaddd\t%ymm2,%ymm0,%ymm0\n\tvpaddd\t%ymm2,%ymm1,%ymm1\n\tvpaddd\t%ymm6,%ymm4,%ymm4\n\tvpaddd\t%ymm6,%ymm5,%ymm5\n\tvpaddd\t%ymm10,%ymm8,%ymm8\n\tvpaddd\t%ymm10,%ymm9,%ymm9\n\tvpaddd\t%ymm11,%ymm12,%ymm12\n\tvpaddd\t%ymm15,%ymm13,%ymm13\n\tvperm2i128\t$0x02,%ymm0,%ymm4,%ymm3\n\n\tvpand\tL$clamp(%rip),%ymm3,%ymm3\n\tvmovdqa\t%ymm3,0+0(%rbp)\n\n\tvperm2i128\t$0x13,%ymm0,%ymm4,%ymm0\n\tvperm2i128\t$0x13,%ymm8,%ymm12,%ymm4\n\tvperm2i128\t$0x02,%ymm1,%ymm5,%ymm8\n\tvperm2i128\t$0x02,%ymm9,%ymm13,%ymm12\n\tvperm2i128\t$0x13,%ymm1,%ymm5,%ymm1\n\tvperm2i128\t$0x13,%ymm9,%ymm13,%ymm5\nL$open_avx2_short:\n\tmovq\t%r8,%r8\n\tcall\tpoly_hash_ad_internal\nL$open_avx2_short_hash_and_xor_loop:\n\tcmpq\t$32,%rbx\n\tjb\tL$open_avx2_short_tail_32\n\tsubq\t$32,%rbx\n\taddq\t0+0(%rsi),%r10\n\tadcq\t8+0(%rsi),%r11\n\tadcq\t$1,%r12\n\tmovq\t0+0+0(%rbp),%rax\n\tmovq\t%rax,%r15\n\tmulq\t%r10\n\tmovq\t%rax,%r13\n\tmovq\t%rdx,%r14\n\tmovq\t0+0+0(%rbp),%rax\n\tmulq\t%r11\n\timulq\t%r12,%r15\n\taddq\t%rax,%r14\n\tadcq\t%rdx,%r15\n\tmovq\t8+0+0(%rbp),%rax\n\tmovq\t%rax,%r9\n\tmulq\t%r10\n\taddq\t%rax,%r14\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r10\n\tmovq\t8+0+0(%rbp),%rax\n\tmulq\t%r11\n\taddq\t%rax,%r15\n\tadcq\t$0,%rdx\n\timulq\t%r12,%r9\n\taddq\t%r10,%r15\n\tadcq\t%rdx,%r9\n\tmovq\t%r13,%r10\n\tmovq\t%r14,%r11\n\tmovq\t%r15,%r12\n\tandq\t$3,%r12\n\tmovq\t%r15,%r13\n\tandq\t$-4,%r13\n\tmovq\t%r9,%r14\n\tshrdq\t$2,%r9,%r15\n\tshrq\t$2,%r9\n\taddq\t%r13,%r15\n\tadcq\t%r14,%r9\n\taddq\t%r15,%r10\n\tadcq\t%r9,%r11\n\tadcq\t$0,%r12\n\taddq\t0+16(%rsi),%r10\n\tadcq\t8+16(%rsi),%r11\n\tadcq\t$1,%r12\n\tmovq\t0+0+0(%rbp),%rax\n\tmovq\t%rax,%r15\n\tmulq\t%r10\n\tmovq\t%rax,%r13\n\tmovq\t%rdx,%r14\n\tmovq\t0+0+0(%rbp),%rax\n\tmulq\t%r11\n\timulq\t%r12,%r15\n\taddq\t%rax,%r14\n\tadcq\t%rdx,%r15\n\tmovq\t8+0+0(%rbp),%rax\n\tmovq\t%rax,%r9\n\tmulq\t%r10\n\taddq\t%rax,%r14\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r10\n\tmovq\t8+0+0(%rbp),%rax\n\tmulq\t%r11\n\taddq\t%rax,%r15\n\tadcq\t$0,%rdx\n\timulq\t%r12,%r9\n\taddq\t%r10,%r15\n\tadcq\t%rdx,%r9\n\tmovq\t%r13,%r10\n\tmovq\t%r14,%r11\n\tmovq\t%r15,%r12\n\tandq\t$3,%r12\n\tmovq\t%r15,%r13\n\tandq\t$-4,%r13\n\tmovq\t%r9,%r14\n\tshrdq\t$2,%r9,%r15\n\tshrq\t$2,%r9\n\taddq\t%r13,%r15\n\tadcq\t%r14,%r9\n\taddq\t%r15,%r10\n\tadcq\t%r9,%r11\n\tadcq\t$0,%r12\n\n\n\tvpxor\t(%rsi),%ymm0,%ymm0\n\tvmovdqu\t%ymm0,(%rdi)\n\tleaq\t32(%rsi),%rsi\n\tleaq\t32(%rdi),%rdi\n\n\tvmovdqa\t%ymm4,%ymm0\n\tvmovdqa\t%ymm8,%ymm4\n\tvmovdqa\t%ymm12,%ymm8\n\tvmovdqa\t%ymm1,%ymm12\n\tvmovdqa\t%ymm5,%ymm1\n\tvmovdqa\t%ymm9,%ymm5\n\tvmovdqa\t%ymm13,%ymm9\n\tvmovdqa\t%ymm2,%ymm13\n\tvmovdqa\t%ymm6,%ymm2\n\tjmp\tL$open_avx2_short_hash_and_xor_loop\nL$open_avx2_short_tail_32:\n\tcmpq\t$16,%rbx\n\tvmovdqa\t%xmm0,%xmm1\n\tjb\tL$open_avx2_short_tail_32_exit\n\tsubq\t$16,%rbx\n\taddq\t0+0(%rsi),%r10\n\tadcq\t8+0(%rsi),%r11\n\tadcq\t$1,%r12\n\tmovq\t0+0+0(%rbp),%rax\n\tmovq\t%rax,%r15\n\tmulq\t%r10\n\tmovq\t%rax,%r13\n\tmovq\t%rdx,%r14\n\tmovq\t0+0+0(%rbp),%rax\n\tmulq\t%r11\n\timulq\t%r12,%r15\n\taddq\t%rax,%r14\n\tadcq\t%rdx,%r15\n\tmovq\t8+0+0(%rbp),%rax\n\tmovq\t%rax,%r9\n\tmulq\t%r10\n\taddq\t%rax,%r14\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r10\n\tmovq\t8+0+0(%rbp),%rax\n\tmulq\t%r11\n\taddq\t%rax,%r15\n\tadcq\t$0,%rdx\n\timulq\t%r12,%r9\n\taddq\t%r10,%r15\n\tadcq\t%rdx,%r9\n\tmovq\t%r13,%r10\n\tmovq\t%r14,%r11\n\tmovq\t%r15,%r12\n\tandq\t$3,%r12\n\tmovq\t%r15,%r13\n\tandq\t$-4,%r13\n\tmovq\t%r9,%r14\n\tshrdq\t$2,%r9,%r15\n\tshrq\t$2,%r9\n\taddq\t%r13,%r15\n\tadcq\t%r14,%r9\n\taddq\t%r15,%r10\n\tadcq\t%r9,%r11\n\tadcq\t$0,%r12\n\n\tvpxor\t(%rsi),%xmm0,%xmm3\n\tvmovdqu\t%xmm3,(%rdi)\n\tleaq\t16(%rsi),%rsi\n\tleaq\t16(%rdi),%rdi\n\tvextracti128\t$1,%ymm0,%xmm1\nL$open_avx2_short_tail_32_exit:\n\tvzeroupper\n\tjmp\tL$open_sse_tail_16\n\nL$open_avx2_320:\n\tvmovdqa\t%ymm0,%ymm1\n\tvmovdqa\t%ymm0,%ymm2\n\tvmovdqa\t%ymm4,%ymm5\n\tvmovdqa\t%ymm4,%ymm6\n\tvmovdqa\t%ymm8,%ymm9\n\tvmovdqa\t%ymm8,%ymm10\n\tvpaddd\tL$avx2_inc(%rip),%ymm12,%ymm13\n\tvpaddd\tL$avx2_inc(%rip),%ymm13,%ymm14\n\tvmovdqa\t%ymm4,%ymm7\n\tvmovdqa\t%ymm8,%ymm11\n\tvmovdqa\t%ymm12,0+160(%rbp)\n\tvmovdqa\t%ymm13,0+192(%rbp)\n\tvmovdqa\t%ymm14,0+224(%rbp)\n\tmovq\t$10,%r10\nL$open_avx2_320_rounds:\n\tvpaddd\t%ymm4,%ymm0,%ymm0\n\tvpxor\t%ymm0,%ymm12,%ymm12\n\tvpshufb\tL$rol16(%rip),%ymm12,%ymm12\n\tvpaddd\t%ymm12,%ymm8,%ymm8\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvpsrld\t$20,%ymm4,%ymm3\n\tvpslld\t$12,%ymm4,%ymm4\n\tvpxor\t%ymm3,%ymm4,%ymm4\n\tvpaddd\t%ymm4,%ymm0,%ymm0\n\tvpxor\t%ymm0,%ymm12,%ymm12\n\tvpshufb\tL$rol8(%rip),%ymm12,%ymm12\n\tvpaddd\t%ymm12,%ymm8,%ymm8\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvpslld\t$7,%ymm4,%ymm3\n\tvpsrld\t$25,%ymm4,%ymm4\n\tvpxor\t%ymm3,%ymm4,%ymm4\n\tvpalignr\t$12,%ymm12,%ymm12,%ymm12\n\tvpalignr\t$8,%ymm8,%ymm8,%ymm8\n\tvpalignr\t$4,%ymm4,%ymm4,%ymm4\n\tvpaddd\t%ymm5,%ymm1,%ymm1\n\tvpxor\t%ymm1,%ymm13,%ymm13\n\tvpshufb\tL$rol16(%rip),%ymm13,%ymm13\n\tvpaddd\t%ymm13,%ymm9,%ymm9\n\tvpxor\t%ymm9,%ymm5,%ymm5\n\tvpsrld\t$20,%ymm5,%ymm3\n\tvpslld\t$12,%ymm5,%ymm5\n\tvpxor\t%ymm3,%ymm5,%ymm5\n\tvpaddd\t%ymm5,%ymm1,%ymm1\n\tvpxor\t%ymm1,%ymm13,%ymm13\n\tvpshufb\tL$rol8(%rip),%ymm13,%ymm13\n\tvpaddd\t%ymm13,%ymm9,%ymm9\n\tvpxor\t%ymm9,%ymm5,%ymm5\n\tvpslld\t$7,%ymm5,%ymm3\n\tvpsrld\t$25,%ymm5,%ymm5\n\tvpxor\t%ymm3,%ymm5,%ymm5\n\tvpalignr\t$12,%ymm13,%ymm13,%ymm13\n\tvpalignr\t$8,%ymm9,%ymm9,%ymm9\n\tvpalignr\t$4,%ymm5,%ymm5,%ymm5\n\tvpaddd\t%ymm6,%ymm2,%ymm2\n\tvpxor\t%ymm2,%ymm14,%ymm14\n\tvpshufb\tL$rol16(%rip),%ymm14,%ymm14\n\tvpaddd\t%ymm14,%ymm10,%ymm10\n\tvpxor\t%ymm10,%ymm6,%ymm6\n\tvpsrld\t$20,%ymm6,%ymm3\n\tvpslld\t$12,%ymm6,%ymm6\n\tvpxor\t%ymm3,%ymm6,%ymm6\n\tvpaddd\t%ymm6,%ymm2,%ymm2\n\tvpxor\t%ymm2,%ymm14,%ymm14\n\tvpshufb\tL$rol8(%rip),%ymm14,%ymm14\n\tvpaddd\t%ymm14,%ymm10,%ymm10\n\tvpxor\t%ymm10,%ymm6,%ymm6\n\tvpslld\t$7,%ymm6,%ymm3\n\tvpsrld\t$25,%ymm6,%ymm6\n\tvpxor\t%ymm3,%ymm6,%ymm6\n\tvpalignr\t$12,%ymm14,%ymm14,%ymm14\n\tvpalignr\t$8,%ymm10,%ymm10,%ymm10\n\tvpalignr\t$4,%ymm6,%ymm6,%ymm6\n\tvpaddd\t%ymm4,%ymm0,%ymm0\n\tvpxor\t%ymm0,%ymm12,%ymm12\n\tvpshufb\tL$rol16(%rip),%ymm12,%ymm12\n\tvpaddd\t%ymm12,%ymm8,%ymm8\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvpsrld\t$20,%ymm4,%ymm3\n\tvpslld\t$12,%ymm4,%ymm4\n\tvpxor\t%ymm3,%ymm4,%ymm4\n\tvpaddd\t%ymm4,%ymm0,%ymm0\n\tvpxor\t%ymm0,%ymm12,%ymm12\n\tvpshufb\tL$rol8(%rip),%ymm12,%ymm12\n\tvpaddd\t%ymm12,%ymm8,%ymm8\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvpslld\t$7,%ymm4,%ymm3\n\tvpsrld\t$25,%ymm4,%ymm4\n\tvpxor\t%ymm3,%ymm4,%ymm4\n\tvpalignr\t$4,%ymm12,%ymm12,%ymm12\n\tvpalignr\t$8,%ymm8,%ymm8,%ymm8\n\tvpalignr\t$12,%ymm4,%ymm4,%ymm4\n\tvpaddd\t%ymm5,%ymm1,%ymm1\n\tvpxor\t%ymm1,%ymm13,%ymm13\n\tvpshufb\tL$rol16(%rip),%ymm13,%ymm13\n\tvpaddd\t%ymm13,%ymm9,%ymm9\n\tvpxor\t%ymm9,%ymm5,%ymm5\n\tvpsrld\t$20,%ymm5,%ymm3\n\tvpslld\t$12,%ymm5,%ymm5\n\tvpxor\t%ymm3,%ymm5,%ymm5\n\tvpaddd\t%ymm5,%ymm1,%ymm1\n\tvpxor\t%ymm1,%ymm13,%ymm13\n\tvpshufb\tL$rol8(%rip),%ymm13,%ymm13\n\tvpaddd\t%ymm13,%ymm9,%ymm9\n\tvpxor\t%ymm9,%ymm5,%ymm5\n\tvpslld\t$7,%ymm5,%ymm3\n\tvpsrld\t$25,%ymm5,%ymm5\n\tvpxor\t%ymm3,%ymm5,%ymm5\n\tvpalignr\t$4,%ymm13,%ymm13,%ymm13\n\tvpalignr\t$8,%ymm9,%ymm9,%ymm9\n\tvpalignr\t$12,%ymm5,%ymm5,%ymm5\n\tvpaddd\t%ymm6,%ymm2,%ymm2\n\tvpxor\t%ymm2,%ymm14,%ymm14\n\tvpshufb\tL$rol16(%rip),%ymm14,%ymm14\n\tvpaddd\t%ymm14,%ymm10,%ymm10\n\tvpxor\t%ymm10,%ymm6,%ymm6\n\tvpsrld\t$20,%ymm6,%ymm3\n\tvpslld\t$12,%ymm6,%ymm6\n\tvpxor\t%ymm3,%ymm6,%ymm6\n\tvpaddd\t%ymm6,%ymm2,%ymm2\n\tvpxor\t%ymm2,%ymm14,%ymm14\n\tvpshufb\tL$rol8(%rip),%ymm14,%ymm14\n\tvpaddd\t%ymm14,%ymm10,%ymm10\n\tvpxor\t%ymm10,%ymm6,%ymm6\n\tvpslld\t$7,%ymm6,%ymm3\n\tvpsrld\t$25,%ymm6,%ymm6\n\tvpxor\t%ymm3,%ymm6,%ymm6\n\tvpalignr\t$4,%ymm14,%ymm14,%ymm14\n\tvpalignr\t$8,%ymm10,%ymm10,%ymm10\n\tvpalignr\t$12,%ymm6,%ymm6,%ymm6\n\n\tdecq\t%r10\n\tjne\tL$open_avx2_320_rounds\n\tvpaddd\tL$chacha20_consts(%rip),%ymm0,%ymm0\n\tvpaddd\tL$chacha20_consts(%rip),%ymm1,%ymm1\n\tvpaddd\tL$chacha20_consts(%rip),%ymm2,%ymm2\n\tvpaddd\t%ymm7,%ymm4,%ymm4\n\tvpaddd\t%ymm7,%ymm5,%ymm5\n\tvpaddd\t%ymm7,%ymm6,%ymm6\n\tvpaddd\t%ymm11,%ymm8,%ymm8\n\tvpaddd\t%ymm11,%ymm9,%ymm9\n\tvpaddd\t%ymm11,%ymm10,%ymm10\n\tvpaddd\t0+160(%rbp),%ymm12,%ymm12\n\tvpaddd\t0+192(%rbp),%ymm13,%ymm13\n\tvpaddd\t0+224(%rbp),%ymm14,%ymm14\n\tvperm2i128\t$0x02,%ymm0,%ymm4,%ymm3\n\n\tvpand\tL$clamp(%rip),%ymm3,%ymm3\n\tvmovdqa\t%ymm3,0+0(%rbp)\n\n\tvperm2i128\t$0x13,%ymm0,%ymm4,%ymm0\n\tvperm2i128\t$0x13,%ymm8,%ymm12,%ymm4\n\tvperm2i128\t$0x02,%ymm1,%ymm5,%ymm8\n\tvperm2i128\t$0x02,%ymm9,%ymm13,%ymm12\n\tvperm2i128\t$0x13,%ymm1,%ymm5,%ymm1\n\tvperm2i128\t$0x13,%ymm9,%ymm13,%ymm5\n\tvperm2i128\t$0x02,%ymm2,%ymm6,%ymm9\n\tvperm2i128\t$0x02,%ymm10,%ymm14,%ymm13\n\tvperm2i128\t$0x13,%ymm2,%ymm6,%ymm2\n\tvperm2i128\t$0x13,%ymm10,%ymm14,%ymm6\n\tjmp\tL$open_avx2_short\n\n\n\n\n.globl\t_chacha20_poly1305_seal_avx2\n.private_extern _chacha20_poly1305_seal_avx2\n\n.p2align\t6\n_chacha20_poly1305_seal_avx2:\n\n_CET_ENDBR\n\tpushq\t%rbp\n\n\tpushq\t%rbx\n\n\tpushq\t%r12\n\n\tpushq\t%r13\n\n\tpushq\t%r14\n\n\tpushq\t%r15\n\n\n\n\tpushq\t%r9\n\n\tsubq\t$288 + 0 + 32,%rsp\n\n\tleaq\t32(%rsp),%rbp\n\tandq\t$-32,%rbp\n\n\tmovq\t56(%r9),%rbx\n\taddq\t%rdx,%rbx\n\tmovq\t%r8,0+0+32(%rbp)\n\tmovq\t%rbx,8+0+32(%rbp)\n\tmovq\t%rdx,%rbx\n\n\tvzeroupper\n\tvmovdqa\tL$chacha20_consts(%rip),%ymm0\n\tvbroadcasti128\t0(%r9),%ymm4\n\tvbroadcasti128\t16(%r9),%ymm8\n\tvbroadcasti128\t32(%r9),%ymm12\n\tvpaddd\tL$avx2_init(%rip),%ymm12,%ymm12\n\tcmpq\t$192,%rbx\n\tjbe\tL$seal_avx2_192\n\tcmpq\t$320,%rbx\n\tjbe\tL$seal_avx2_320\n\tvmovdqa\t%ymm0,%ymm1\n\tvmovdqa\t%ymm0,%ymm2\n\tvmovdqa\t%ymm0,%ymm3\n\tvmovdqa\t%ymm4,%ymm5\n\tvmovdqa\t%ymm4,%ymm6\n\tvmovdqa\t%ymm4,%ymm7\n\tvmovdqa\t%ymm4,0+64(%rbp)\n\tvmovdqa\t%ymm8,%ymm9\n\tvmovdqa\t%ymm8,%ymm10\n\tvmovdqa\t%ymm8,%ymm11\n\tvmovdqa\t%ymm8,0+96(%rbp)\n\tvmovdqa\t%ymm12,%ymm15\n\tvpaddd\tL$avx2_inc(%rip),%ymm15,%ymm14\n\tvpaddd\tL$avx2_inc(%rip),%ymm14,%ymm13\n\tvpaddd\tL$avx2_inc(%rip),%ymm13,%ymm12\n\tvmovdqa\t%ymm12,0+160(%rbp)\n\tvmovdqa\t%ymm13,0+192(%rbp)\n\tvmovdqa\t%ymm14,0+224(%rbp)\n\tvmovdqa\t%ymm15,0+256(%rbp)\n\tmovq\t$10,%r10\nL$seal_avx2_init_rounds:\n\tvmovdqa\t%ymm8,0+128(%rbp)\n\tvmovdqa\tL$rol16(%rip),%ymm8\n\tvpaddd\t%ymm7,%ymm3,%ymm3\n\tvpaddd\t%ymm6,%ymm2,%ymm2\n\tvpaddd\t%ymm5,%ymm1,%ymm1\n\tvpaddd\t%ymm4,%ymm0,%ymm0\n\tvpxor\t%ymm3,%ymm15,%ymm15\n\tvpxor\t%ymm2,%ymm14,%ymm14\n\tvpxor\t%ymm1,%ymm13,%ymm13\n\tvpxor\t%ymm0,%ymm12,%ymm12\n\tvpshufb\t%ymm8,%ymm15,%ymm15\n\tvpshufb\t%ymm8,%ymm14,%ymm14\n\tvpshufb\t%ymm8,%ymm13,%ymm13\n\tvpshufb\t%ymm8,%ymm12,%ymm12\n\tvpaddd\t%ymm15,%ymm11,%ymm11\n\tvpaddd\t%ymm14,%ymm10,%ymm10\n\tvpaddd\t%ymm13,%ymm9,%ymm9\n\tvpaddd\t0+128(%rbp),%ymm12,%ymm8\n\tvpxor\t%ymm11,%ymm7,%ymm7\n\tvpxor\t%ymm10,%ymm6,%ymm6\n\tvpxor\t%ymm9,%ymm5,%ymm5\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvmovdqa\t%ymm8,0+128(%rbp)\n\tvpsrld\t$20,%ymm7,%ymm8\n\tvpslld\t$32-20,%ymm7,%ymm7\n\tvpxor\t%ymm8,%ymm7,%ymm7\n\tvpsrld\t$20,%ymm6,%ymm8\n\tvpslld\t$32-20,%ymm6,%ymm6\n\tvpxor\t%ymm8,%ymm6,%ymm6\n\tvpsrld\t$20,%ymm5,%ymm8\n\tvpslld\t$32-20,%ymm5,%ymm5\n\tvpxor\t%ymm8,%ymm5,%ymm5\n\tvpsrld\t$20,%ymm4,%ymm8\n\tvpslld\t$32-20,%ymm4,%ymm4\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvmovdqa\tL$rol8(%rip),%ymm8\n\tvpaddd\t%ymm7,%ymm3,%ymm3\n\tvpaddd\t%ymm6,%ymm2,%ymm2\n\tvpaddd\t%ymm5,%ymm1,%ymm1\n\tvpaddd\t%ymm4,%ymm0,%ymm0\n\tvpxor\t%ymm3,%ymm15,%ymm15\n\tvpxor\t%ymm2,%ymm14,%ymm14\n\tvpxor\t%ymm1,%ymm13,%ymm13\n\tvpxor\t%ymm0,%ymm12,%ymm12\n\tvpshufb\t%ymm8,%ymm15,%ymm15\n\tvpshufb\t%ymm8,%ymm14,%ymm14\n\tvpshufb\t%ymm8,%ymm13,%ymm13\n\tvpshufb\t%ymm8,%ymm12,%ymm12\n\tvpaddd\t%ymm15,%ymm11,%ymm11\n\tvpaddd\t%ymm14,%ymm10,%ymm10\n\tvpaddd\t%ymm13,%ymm9,%ymm9\n\tvpaddd\t0+128(%rbp),%ymm12,%ymm8\n\tvpxor\t%ymm11,%ymm7,%ymm7\n\tvpxor\t%ymm10,%ymm6,%ymm6\n\tvpxor\t%ymm9,%ymm5,%ymm5\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvmovdqa\t%ymm8,0+128(%rbp)\n\tvpsrld\t$25,%ymm7,%ymm8\n\tvpslld\t$32-25,%ymm7,%ymm7\n\tvpxor\t%ymm8,%ymm7,%ymm7\n\tvpsrld\t$25,%ymm6,%ymm8\n\tvpslld\t$32-25,%ymm6,%ymm6\n\tvpxor\t%ymm8,%ymm6,%ymm6\n\tvpsrld\t$25,%ymm5,%ymm8\n\tvpslld\t$32-25,%ymm5,%ymm5\n\tvpxor\t%ymm8,%ymm5,%ymm5\n\tvpsrld\t$25,%ymm4,%ymm8\n\tvpslld\t$32-25,%ymm4,%ymm4\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvmovdqa\t0+128(%rbp),%ymm8\n\tvpalignr\t$4,%ymm7,%ymm7,%ymm7\n\tvpalignr\t$8,%ymm11,%ymm11,%ymm11\n\tvpalignr\t$12,%ymm15,%ymm15,%ymm15\n\tvpalignr\t$4,%ymm6,%ymm6,%ymm6\n\tvpalignr\t$8,%ymm10,%ymm10,%ymm10\n\tvpalignr\t$12,%ymm14,%ymm14,%ymm14\n\tvpalignr\t$4,%ymm5,%ymm5,%ymm5\n\tvpalignr\t$8,%ymm9,%ymm9,%ymm9\n\tvpalignr\t$12,%ymm13,%ymm13,%ymm13\n\tvpalignr\t$4,%ymm4,%ymm4,%ymm4\n\tvpalignr\t$8,%ymm8,%ymm8,%ymm8\n\tvpalignr\t$12,%ymm12,%ymm12,%ymm12\n\tvmovdqa\t%ymm8,0+128(%rbp)\n\tvmovdqa\tL$rol16(%rip),%ymm8\n\tvpaddd\t%ymm7,%ymm3,%ymm3\n\tvpaddd\t%ymm6,%ymm2,%ymm2\n\tvpaddd\t%ymm5,%ymm1,%ymm1\n\tvpaddd\t%ymm4,%ymm0,%ymm0\n\tvpxor\t%ymm3,%ymm15,%ymm15\n\tvpxor\t%ymm2,%ymm14,%ymm14\n\tvpxor\t%ymm1,%ymm13,%ymm13\n\tvpxor\t%ymm0,%ymm12,%ymm12\n\tvpshufb\t%ymm8,%ymm15,%ymm15\n\tvpshufb\t%ymm8,%ymm14,%ymm14\n\tvpshufb\t%ymm8,%ymm13,%ymm13\n\tvpshufb\t%ymm8,%ymm12,%ymm12\n\tvpaddd\t%ymm15,%ymm11,%ymm11\n\tvpaddd\t%ymm14,%ymm10,%ymm10\n\tvpaddd\t%ymm13,%ymm9,%ymm9\n\tvpaddd\t0+128(%rbp),%ymm12,%ymm8\n\tvpxor\t%ymm11,%ymm7,%ymm7\n\tvpxor\t%ymm10,%ymm6,%ymm6\n\tvpxor\t%ymm9,%ymm5,%ymm5\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvmovdqa\t%ymm8,0+128(%rbp)\n\tvpsrld\t$20,%ymm7,%ymm8\n\tvpslld\t$32-20,%ymm7,%ymm7\n\tvpxor\t%ymm8,%ymm7,%ymm7\n\tvpsrld\t$20,%ymm6,%ymm8\n\tvpslld\t$32-20,%ymm6,%ymm6\n\tvpxor\t%ymm8,%ymm6,%ymm6\n\tvpsrld\t$20,%ymm5,%ymm8\n\tvpslld\t$32-20,%ymm5,%ymm5\n\tvpxor\t%ymm8,%ymm5,%ymm5\n\tvpsrld\t$20,%ymm4,%ymm8\n\tvpslld\t$32-20,%ymm4,%ymm4\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvmovdqa\tL$rol8(%rip),%ymm8\n\tvpaddd\t%ymm7,%ymm3,%ymm3\n\tvpaddd\t%ymm6,%ymm2,%ymm2\n\tvpaddd\t%ymm5,%ymm1,%ymm1\n\tvpaddd\t%ymm4,%ymm0,%ymm0\n\tvpxor\t%ymm3,%ymm15,%ymm15\n\tvpxor\t%ymm2,%ymm14,%ymm14\n\tvpxor\t%ymm1,%ymm13,%ymm13\n\tvpxor\t%ymm0,%ymm12,%ymm12\n\tvpshufb\t%ymm8,%ymm15,%ymm15\n\tvpshufb\t%ymm8,%ymm14,%ymm14\n\tvpshufb\t%ymm8,%ymm13,%ymm13\n\tvpshufb\t%ymm8,%ymm12,%ymm12\n\tvpaddd\t%ymm15,%ymm11,%ymm11\n\tvpaddd\t%ymm14,%ymm10,%ymm10\n\tvpaddd\t%ymm13,%ymm9,%ymm9\n\tvpaddd\t0+128(%rbp),%ymm12,%ymm8\n\tvpxor\t%ymm11,%ymm7,%ymm7\n\tvpxor\t%ymm10,%ymm6,%ymm6\n\tvpxor\t%ymm9,%ymm5,%ymm5\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvmovdqa\t%ymm8,0+128(%rbp)\n\tvpsrld\t$25,%ymm7,%ymm8\n\tvpslld\t$32-25,%ymm7,%ymm7\n\tvpxor\t%ymm8,%ymm7,%ymm7\n\tvpsrld\t$25,%ymm6,%ymm8\n\tvpslld\t$32-25,%ymm6,%ymm6\n\tvpxor\t%ymm8,%ymm6,%ymm6\n\tvpsrld\t$25,%ymm5,%ymm8\n\tvpslld\t$32-25,%ymm5,%ymm5\n\tvpxor\t%ymm8,%ymm5,%ymm5\n\tvpsrld\t$25,%ymm4,%ymm8\n\tvpslld\t$32-25,%ymm4,%ymm4\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvmovdqa\t0+128(%rbp),%ymm8\n\tvpalignr\t$12,%ymm7,%ymm7,%ymm7\n\tvpalignr\t$8,%ymm11,%ymm11,%ymm11\n\tvpalignr\t$4,%ymm15,%ymm15,%ymm15\n\tvpalignr\t$12,%ymm6,%ymm6,%ymm6\n\tvpalignr\t$8,%ymm10,%ymm10,%ymm10\n\tvpalignr\t$4,%ymm14,%ymm14,%ymm14\n\tvpalignr\t$12,%ymm5,%ymm5,%ymm5\n\tvpalignr\t$8,%ymm9,%ymm9,%ymm9\n\tvpalignr\t$4,%ymm13,%ymm13,%ymm13\n\tvpalignr\t$12,%ymm4,%ymm4,%ymm4\n\tvpalignr\t$8,%ymm8,%ymm8,%ymm8\n\tvpalignr\t$4,%ymm12,%ymm12,%ymm12\n\n\tdecq\t%r10\n\tjnz\tL$seal_avx2_init_rounds\n\tvpaddd\tL$chacha20_consts(%rip),%ymm3,%ymm3\n\tvpaddd\t0+64(%rbp),%ymm7,%ymm7\n\tvpaddd\t0+96(%rbp),%ymm11,%ymm11\n\tvpaddd\t0+256(%rbp),%ymm15,%ymm15\n\tvpaddd\tL$chacha20_consts(%rip),%ymm2,%ymm2\n\tvpaddd\t0+64(%rbp),%ymm6,%ymm6\n\tvpaddd\t0+96(%rbp),%ymm10,%ymm10\n\tvpaddd\t0+224(%rbp),%ymm14,%ymm14\n\tvpaddd\tL$chacha20_consts(%rip),%ymm1,%ymm1\n\tvpaddd\t0+64(%rbp),%ymm5,%ymm5\n\tvpaddd\t0+96(%rbp),%ymm9,%ymm9\n\tvpaddd\t0+192(%rbp),%ymm13,%ymm13\n\tvpaddd\tL$chacha20_consts(%rip),%ymm0,%ymm0\n\tvpaddd\t0+64(%rbp),%ymm4,%ymm4\n\tvpaddd\t0+96(%rbp),%ymm8,%ymm8\n\tvpaddd\t0+160(%rbp),%ymm12,%ymm12\n\n\tvperm2i128\t$0x13,%ymm11,%ymm15,%ymm11\n\tvperm2i128\t$0x02,%ymm3,%ymm7,%ymm15\n\tvperm2i128\t$0x13,%ymm3,%ymm7,%ymm3\n\tvpand\tL$clamp(%rip),%ymm15,%ymm15\n\tvmovdqa\t%ymm15,0+0(%rbp)\n\tmovq\t%r8,%r8\n\tcall\tpoly_hash_ad_internal\n\n\tvpxor\t0(%rsi),%ymm3,%ymm3\n\tvpxor\t32(%rsi),%ymm11,%ymm11\n\tvmovdqu\t%ymm3,0(%rdi)\n\tvmovdqu\t%ymm11,32(%rdi)\n\tvperm2i128\t$0x02,%ymm2,%ymm6,%ymm15\n\tvperm2i128\t$0x13,%ymm2,%ymm6,%ymm6\n\tvperm2i128\t$0x02,%ymm10,%ymm14,%ymm2\n\tvperm2i128\t$0x13,%ymm10,%ymm14,%ymm10\n\tvpxor\t0+64(%rsi),%ymm15,%ymm15\n\tvpxor\t32+64(%rsi),%ymm2,%ymm2\n\tvpxor\t64+64(%rsi),%ymm6,%ymm6\n\tvpxor\t96+64(%rsi),%ymm10,%ymm10\n\tvmovdqu\t%ymm15,0+64(%rdi)\n\tvmovdqu\t%ymm2,32+64(%rdi)\n\tvmovdqu\t%ymm6,64+64(%rdi)\n\tvmovdqu\t%ymm10,96+64(%rdi)\n\tvperm2i128\t$0x02,%ymm1,%ymm5,%ymm15\n\tvperm2i128\t$0x13,%ymm1,%ymm5,%ymm5\n\tvperm2i128\t$0x02,%ymm9,%ymm13,%ymm1\n\tvperm2i128\t$0x13,%ymm9,%ymm13,%ymm9\n\tvpxor\t0+192(%rsi),%ymm15,%ymm15\n\tvpxor\t32+192(%rsi),%ymm1,%ymm1\n\tvpxor\t64+192(%rsi),%ymm5,%ymm5\n\tvpxor\t96+192(%rsi),%ymm9,%ymm9\n\tvmovdqu\t%ymm15,0+192(%rdi)\n\tvmovdqu\t%ymm1,32+192(%rdi)\n\tvmovdqu\t%ymm5,64+192(%rdi)\n\tvmovdqu\t%ymm9,96+192(%rdi)\n\tvperm2i128\t$0x13,%ymm0,%ymm4,%ymm15\n\tvperm2i128\t$0x02,%ymm0,%ymm4,%ymm0\n\tvperm2i128\t$0x02,%ymm8,%ymm12,%ymm4\n\tvperm2i128\t$0x13,%ymm8,%ymm12,%ymm12\n\tvmovdqa\t%ymm15,%ymm8\n\n\tleaq\t320(%rsi),%rsi\n\tsubq\t$320,%rbx\n\tmovq\t$320,%rcx\n\tcmpq\t$128,%rbx\n\tjbe\tL$seal_avx2_short_hash_remainder\n\tvpxor\t0(%rsi),%ymm0,%ymm0\n\tvpxor\t32(%rsi),%ymm4,%ymm4\n\tvpxor\t64(%rsi),%ymm8,%ymm8\n\tvpxor\t96(%rsi),%ymm12,%ymm12\n\tvmovdqu\t%ymm0,320(%rdi)\n\tvmovdqu\t%ymm4,352(%rdi)\n\tvmovdqu\t%ymm8,384(%rdi)\n\tvmovdqu\t%ymm12,416(%rdi)\n\tleaq\t128(%rsi),%rsi\n\tsubq\t$128,%rbx\n\tmovq\t$8,%rcx\n\tmovq\t$2,%r8\n\tcmpq\t$128,%rbx\n\tjbe\tL$seal_avx2_tail_128\n\tcmpq\t$256,%rbx\n\tjbe\tL$seal_avx2_tail_256\n\tcmpq\t$384,%rbx\n\tjbe\tL$seal_avx2_tail_384\n\tcmpq\t$512,%rbx\n\tjbe\tL$seal_avx2_tail_512\n\tvmovdqa\tL$chacha20_consts(%rip),%ymm0\n\tvmovdqa\t0+64(%rbp),%ymm4\n\tvmovdqa\t0+96(%rbp),%ymm8\n\tvmovdqa\t%ymm0,%ymm1\n\tvmovdqa\t%ymm4,%ymm5\n\tvmovdqa\t%ymm8,%ymm9\n\tvmovdqa\t%ymm0,%ymm2\n\tvmovdqa\t%ymm4,%ymm6\n\tvmovdqa\t%ymm8,%ymm10\n\tvmovdqa\t%ymm0,%ymm3\n\tvmovdqa\t%ymm4,%ymm7\n\tvmovdqa\t%ymm8,%ymm11\n\tvmovdqa\tL$avx2_inc(%rip),%ymm12\n\tvpaddd\t0+160(%rbp),%ymm12,%ymm15\n\tvpaddd\t%ymm15,%ymm12,%ymm14\n\tvpaddd\t%ymm14,%ymm12,%ymm13\n\tvpaddd\t%ymm13,%ymm12,%ymm12\n\tvmovdqa\t%ymm15,0+256(%rbp)\n\tvmovdqa\t%ymm14,0+224(%rbp)\n\tvmovdqa\t%ymm13,0+192(%rbp)\n\tvmovdqa\t%ymm12,0+160(%rbp)\n\tvmovdqa\t%ymm8,0+128(%rbp)\n\tvmovdqa\tL$rol16(%rip),%ymm8\n\tvpaddd\t%ymm7,%ymm3,%ymm3\n\tvpaddd\t%ymm6,%ymm2,%ymm2\n\tvpaddd\t%ymm5,%ymm1,%ymm1\n\tvpaddd\t%ymm4,%ymm0,%ymm0\n\tvpxor\t%ymm3,%ymm15,%ymm15\n\tvpxor\t%ymm2,%ymm14,%ymm14\n\tvpxor\t%ymm1,%ymm13,%ymm13\n\tvpxor\t%ymm0,%ymm12,%ymm12\n\tvpshufb\t%ymm8,%ymm15,%ymm15\n\tvpshufb\t%ymm8,%ymm14,%ymm14\n\tvpshufb\t%ymm8,%ymm13,%ymm13\n\tvpshufb\t%ymm8,%ymm12,%ymm12\n\tvpaddd\t%ymm15,%ymm11,%ymm11\n\tvpaddd\t%ymm14,%ymm10,%ymm10\n\tvpaddd\t%ymm13,%ymm9,%ymm9\n\tvpaddd\t0+128(%rbp),%ymm12,%ymm8\n\tvpxor\t%ymm11,%ymm7,%ymm7\n\tvpxor\t%ymm10,%ymm6,%ymm6\n\tvpxor\t%ymm9,%ymm5,%ymm5\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvmovdqa\t%ymm8,0+128(%rbp)\n\tvpsrld\t$20,%ymm7,%ymm8\n\tvpslld\t$32-20,%ymm7,%ymm7\n\tvpxor\t%ymm8,%ymm7,%ymm7\n\tvpsrld\t$20,%ymm6,%ymm8\n\tvpslld\t$32-20,%ymm6,%ymm6\n\tvpxor\t%ymm8,%ymm6,%ymm6\n\tvpsrld\t$20,%ymm5,%ymm8\n\tvpslld\t$32-20,%ymm5,%ymm5\n\tvpxor\t%ymm8,%ymm5,%ymm5\n\tvpsrld\t$20,%ymm4,%ymm8\n\tvpslld\t$32-20,%ymm4,%ymm4\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvmovdqa\tL$rol8(%rip),%ymm8\n\tvpaddd\t%ymm7,%ymm3,%ymm3\n\tvpaddd\t%ymm6,%ymm2,%ymm2\n\tvpaddd\t%ymm5,%ymm1,%ymm1\n\tvpaddd\t%ymm4,%ymm0,%ymm0\n\tvpxor\t%ymm3,%ymm15,%ymm15\n\tvpxor\t%ymm2,%ymm14,%ymm14\n\tvpxor\t%ymm1,%ymm13,%ymm13\n\tvpxor\t%ymm0,%ymm12,%ymm12\n\tvpshufb\t%ymm8,%ymm15,%ymm15\n\tvpshufb\t%ymm8,%ymm14,%ymm14\n\tvpshufb\t%ymm8,%ymm13,%ymm13\n\tvpshufb\t%ymm8,%ymm12,%ymm12\n\tvpaddd\t%ymm15,%ymm11,%ymm11\n\tvpaddd\t%ymm14,%ymm10,%ymm10\n\tvpaddd\t%ymm13,%ymm9,%ymm9\n\tvpaddd\t0+128(%rbp),%ymm12,%ymm8\n\tvpxor\t%ymm11,%ymm7,%ymm7\n\tvpxor\t%ymm10,%ymm6,%ymm6\n\tvpxor\t%ymm9,%ymm5,%ymm5\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvmovdqa\t%ymm8,0+128(%rbp)\n\tvpsrld\t$25,%ymm7,%ymm8\n\tvpslld\t$32-25,%ymm7,%ymm7\n\tvpxor\t%ymm8,%ymm7,%ymm7\n\tvpsrld\t$25,%ymm6,%ymm8\n\tvpslld\t$32-25,%ymm6,%ymm6\n\tvpxor\t%ymm8,%ymm6,%ymm6\n\tvpsrld\t$25,%ymm5,%ymm8\n\tvpslld\t$32-25,%ymm5,%ymm5\n\tvpxor\t%ymm8,%ymm5,%ymm5\n\tvpsrld\t$25,%ymm4,%ymm8\n\tvpslld\t$32-25,%ymm4,%ymm4\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvmovdqa\t0+128(%rbp),%ymm8\n\tvpalignr\t$4,%ymm7,%ymm7,%ymm7\n\tvpalignr\t$8,%ymm11,%ymm11,%ymm11\n\tvpalignr\t$12,%ymm15,%ymm15,%ymm15\n\tvpalignr\t$4,%ymm6,%ymm6,%ymm6\n\tvpalignr\t$8,%ymm10,%ymm10,%ymm10\n\tvpalignr\t$12,%ymm14,%ymm14,%ymm14\n\tvpalignr\t$4,%ymm5,%ymm5,%ymm5\n\tvpalignr\t$8,%ymm9,%ymm9,%ymm9\n\tvpalignr\t$12,%ymm13,%ymm13,%ymm13\n\tvpalignr\t$4,%ymm4,%ymm4,%ymm4\n\tvpalignr\t$8,%ymm8,%ymm8,%ymm8\n\tvpalignr\t$12,%ymm12,%ymm12,%ymm12\n\tvmovdqa\t%ymm8,0+128(%rbp)\n\tvmovdqa\tL$rol16(%rip),%ymm8\n\tvpaddd\t%ymm7,%ymm3,%ymm3\n\tvpaddd\t%ymm6,%ymm2,%ymm2\n\tvpaddd\t%ymm5,%ymm1,%ymm1\n\tvpaddd\t%ymm4,%ymm0,%ymm0\n\tvpxor\t%ymm3,%ymm15,%ymm15\n\tvpxor\t%ymm2,%ymm14,%ymm14\n\tvpxor\t%ymm1,%ymm13,%ymm13\n\tvpxor\t%ymm0,%ymm12,%ymm12\n\tvpshufb\t%ymm8,%ymm15,%ymm15\n\tvpshufb\t%ymm8,%ymm14,%ymm14\n\tvpshufb\t%ymm8,%ymm13,%ymm13\n\tvpshufb\t%ymm8,%ymm12,%ymm12\n\tvpaddd\t%ymm15,%ymm11,%ymm11\n\tvpaddd\t%ymm14,%ymm10,%ymm10\n\tvpaddd\t%ymm13,%ymm9,%ymm9\n\tvpaddd\t0+128(%rbp),%ymm12,%ymm8\n\tvpxor\t%ymm11,%ymm7,%ymm7\n\tvpxor\t%ymm10,%ymm6,%ymm6\n\tvpxor\t%ymm9,%ymm5,%ymm5\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvmovdqa\t%ymm8,0+128(%rbp)\n\tvpsrld\t$20,%ymm7,%ymm8\n\tvpslld\t$32-20,%ymm7,%ymm7\n\tvpxor\t%ymm8,%ymm7,%ymm7\n\tvpsrld\t$20,%ymm6,%ymm8\n\tvpslld\t$32-20,%ymm6,%ymm6\n\tvpxor\t%ymm8,%ymm6,%ymm6\n\tvpsrld\t$20,%ymm5,%ymm8\n\tvpslld\t$32-20,%ymm5,%ymm5\n\tvpxor\t%ymm8,%ymm5,%ymm5\n\tvpsrld\t$20,%ymm4,%ymm8\n\tvpslld\t$32-20,%ymm4,%ymm4\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvmovdqa\tL$rol8(%rip),%ymm8\n\tvpaddd\t%ymm7,%ymm3,%ymm3\n\tvpaddd\t%ymm6,%ymm2,%ymm2\n\tvpaddd\t%ymm5,%ymm1,%ymm1\n\tvpaddd\t%ymm4,%ymm0,%ymm0\n\tvpxor\t%ymm3,%ymm15,%ymm15\n\tvpxor\t%ymm2,%ymm14,%ymm14\n\tvpxor\t%ymm1,%ymm13,%ymm13\n\tvpxor\t%ymm0,%ymm12,%ymm12\n\tvpshufb\t%ymm8,%ymm15,%ymm15\n\tvpshufb\t%ymm8,%ymm14,%ymm14\n\tvpshufb\t%ymm8,%ymm13,%ymm13\n\tvpshufb\t%ymm8,%ymm12,%ymm12\n\tvpaddd\t%ymm15,%ymm11,%ymm11\n\tvpaddd\t%ymm14,%ymm10,%ymm10\n\tvpaddd\t%ymm13,%ymm9,%ymm9\n\tvpaddd\t0+128(%rbp),%ymm12,%ymm8\n\tvpxor\t%ymm11,%ymm7,%ymm7\n\tvpxor\t%ymm10,%ymm6,%ymm6\n\tvpxor\t%ymm9,%ymm5,%ymm5\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvmovdqa\t%ymm8,0+128(%rbp)\n\tvpsrld\t$25,%ymm7,%ymm8\n\tvpslld\t$32-25,%ymm7,%ymm7\n\tvpxor\t%ymm8,%ymm7,%ymm7\n\tvpsrld\t$25,%ymm6,%ymm8\n\tvpslld\t$32-25,%ymm6,%ymm6\n\tvpxor\t%ymm8,%ymm6,%ymm6\n\tvpsrld\t$25,%ymm5,%ymm8\n\tvpslld\t$32-25,%ymm5,%ymm5\n\tvpxor\t%ymm8,%ymm5,%ymm5\n\tvpsrld\t$25,%ymm4,%ymm8\n\tvpslld\t$32-25,%ymm4,%ymm4\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvmovdqa\t0+128(%rbp),%ymm8\n\tvpalignr\t$12,%ymm7,%ymm7,%ymm7\n\tvpalignr\t$8,%ymm11,%ymm11,%ymm11\n\tvpalignr\t$4,%ymm15,%ymm15,%ymm15\n\tvpalignr\t$12,%ymm6,%ymm6,%ymm6\n\tvpalignr\t$8,%ymm10,%ymm10,%ymm10\n\tvpalignr\t$4,%ymm14,%ymm14,%ymm14\n\tvpalignr\t$12,%ymm5,%ymm5,%ymm5\n\tvpalignr\t$8,%ymm9,%ymm9,%ymm9\n\tvpalignr\t$4,%ymm13,%ymm13,%ymm13\n\tvpalignr\t$12,%ymm4,%ymm4,%ymm4\n\tvpalignr\t$8,%ymm8,%ymm8,%ymm8\n\tvpalignr\t$4,%ymm12,%ymm12,%ymm12\n\tvmovdqa\t%ymm8,0+128(%rbp)\n\tvmovdqa\tL$rol16(%rip),%ymm8\n\tvpaddd\t%ymm7,%ymm3,%ymm3\n\tvpaddd\t%ymm6,%ymm2,%ymm2\n\tvpaddd\t%ymm5,%ymm1,%ymm1\n\tvpaddd\t%ymm4,%ymm0,%ymm0\n\tvpxor\t%ymm3,%ymm15,%ymm15\n\tvpxor\t%ymm2,%ymm14,%ymm14\n\tvpxor\t%ymm1,%ymm13,%ymm13\n\tvpxor\t%ymm0,%ymm12,%ymm12\n\tvpshufb\t%ymm8,%ymm15,%ymm15\n\tvpshufb\t%ymm8,%ymm14,%ymm14\n\tvpshufb\t%ymm8,%ymm13,%ymm13\n\tvpshufb\t%ymm8,%ymm12,%ymm12\n\tvpaddd\t%ymm15,%ymm11,%ymm11\n\tvpaddd\t%ymm14,%ymm10,%ymm10\n\tvpaddd\t%ymm13,%ymm9,%ymm9\n\tvpaddd\t0+128(%rbp),%ymm12,%ymm8\n\tvpxor\t%ymm11,%ymm7,%ymm7\n\tvpxor\t%ymm10,%ymm6,%ymm6\n\tvpxor\t%ymm9,%ymm5,%ymm5\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvmovdqa\t%ymm8,0+128(%rbp)\n\tvpsrld\t$20,%ymm7,%ymm8\n\tvpslld\t$32-20,%ymm7,%ymm7\n\tvpxor\t%ymm8,%ymm7,%ymm7\n\tvpsrld\t$20,%ymm6,%ymm8\n\tvpslld\t$32-20,%ymm6,%ymm6\n\tvpxor\t%ymm8,%ymm6,%ymm6\n\tvpsrld\t$20,%ymm5,%ymm8\n\tvpslld\t$32-20,%ymm5,%ymm5\n\tvpxor\t%ymm8,%ymm5,%ymm5\n\tvpsrld\t$20,%ymm4,%ymm8\n\tvpslld\t$32-20,%ymm4,%ymm4\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvmovdqa\tL$rol8(%rip),%ymm8\n\tvpaddd\t%ymm7,%ymm3,%ymm3\n\tvpaddd\t%ymm6,%ymm2,%ymm2\n\tvpaddd\t%ymm5,%ymm1,%ymm1\n\tvpaddd\t%ymm4,%ymm0,%ymm0\n\tvpxor\t%ymm3,%ymm15,%ymm15\n\n\tsubq\t$16,%rdi\n\tmovq\t$9,%rcx\n\tjmp\tL$seal_avx2_main_loop_rounds_entry\n.p2align\t5\nL$seal_avx2_main_loop:\n\tvmovdqa\tL$chacha20_consts(%rip),%ymm0\n\tvmovdqa\t0+64(%rbp),%ymm4\n\tvmovdqa\t0+96(%rbp),%ymm8\n\tvmovdqa\t%ymm0,%ymm1\n\tvmovdqa\t%ymm4,%ymm5\n\tvmovdqa\t%ymm8,%ymm9\n\tvmovdqa\t%ymm0,%ymm2\n\tvmovdqa\t%ymm4,%ymm6\n\tvmovdqa\t%ymm8,%ymm10\n\tvmovdqa\t%ymm0,%ymm3\n\tvmovdqa\t%ymm4,%ymm7\n\tvmovdqa\t%ymm8,%ymm11\n\tvmovdqa\tL$avx2_inc(%rip),%ymm12\n\tvpaddd\t0+160(%rbp),%ymm12,%ymm15\n\tvpaddd\t%ymm15,%ymm12,%ymm14\n\tvpaddd\t%ymm14,%ymm12,%ymm13\n\tvpaddd\t%ymm13,%ymm12,%ymm12\n\tvmovdqa\t%ymm15,0+256(%rbp)\n\tvmovdqa\t%ymm14,0+224(%rbp)\n\tvmovdqa\t%ymm13,0+192(%rbp)\n\tvmovdqa\t%ymm12,0+160(%rbp)\n\n\tmovq\t$10,%rcx\n.p2align\t5\nL$seal_avx2_main_loop_rounds:\n\taddq\t0+0(%rdi),%r10\n\tadcq\t8+0(%rdi),%r11\n\tadcq\t$1,%r12\n\tvmovdqa\t%ymm8,0+128(%rbp)\n\tvmovdqa\tL$rol16(%rip),%ymm8\n\tvpaddd\t%ymm7,%ymm3,%ymm3\n\tvpaddd\t%ymm6,%ymm2,%ymm2\n\tvpaddd\t%ymm5,%ymm1,%ymm1\n\tvpaddd\t%ymm4,%ymm0,%ymm0\n\tvpxor\t%ymm3,%ymm15,%ymm15\n\tvpxor\t%ymm2,%ymm14,%ymm14\n\tvpxor\t%ymm1,%ymm13,%ymm13\n\tvpxor\t%ymm0,%ymm12,%ymm12\n\tmovq\t0+0+0(%rbp),%rdx\n\tmovq\t%rdx,%r15\n\tmulxq\t%r10,%r13,%r14\n\tmulxq\t%r11,%rax,%rdx\n\timulq\t%r12,%r15\n\taddq\t%rax,%r14\n\tadcq\t%rdx,%r15\n\tvpshufb\t%ymm8,%ymm15,%ymm15\n\tvpshufb\t%ymm8,%ymm14,%ymm14\n\tvpshufb\t%ymm8,%ymm13,%ymm13\n\tvpshufb\t%ymm8,%ymm12,%ymm12\n\tvpaddd\t%ymm15,%ymm11,%ymm11\n\tvpaddd\t%ymm14,%ymm10,%ymm10\n\tvpaddd\t%ymm13,%ymm9,%ymm9\n\tvpaddd\t0+128(%rbp),%ymm12,%ymm8\n\tvpxor\t%ymm11,%ymm7,%ymm7\n\tmovq\t8+0+0(%rbp),%rdx\n\tmulxq\t%r10,%r10,%rax\n\taddq\t%r10,%r14\n\tmulxq\t%r11,%r11,%r9\n\tadcq\t%r11,%r15\n\tadcq\t$0,%r9\n\timulq\t%r12,%rdx\n\tvpxor\t%ymm10,%ymm6,%ymm6\n\tvpxor\t%ymm9,%ymm5,%ymm5\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvmovdqa\t%ymm8,0+128(%rbp)\n\tvpsrld\t$20,%ymm7,%ymm8\n\tvpslld\t$32-20,%ymm7,%ymm7\n\tvpxor\t%ymm8,%ymm7,%ymm7\n\tvpsrld\t$20,%ymm6,%ymm8\n\tvpslld\t$32-20,%ymm6,%ymm6\n\tvpxor\t%ymm8,%ymm6,%ymm6\n\tvpsrld\t$20,%ymm5,%ymm8\n\tvpslld\t$32-20,%ymm5,%ymm5\n\taddq\t%rax,%r15\n\tadcq\t%rdx,%r9\n\tvpxor\t%ymm8,%ymm5,%ymm5\n\tvpsrld\t$20,%ymm4,%ymm8\n\tvpslld\t$32-20,%ymm4,%ymm4\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvmovdqa\tL$rol8(%rip),%ymm8\n\tvpaddd\t%ymm7,%ymm3,%ymm3\n\tvpaddd\t%ymm6,%ymm2,%ymm2\n\tvpaddd\t%ymm5,%ymm1,%ymm1\n\tvpaddd\t%ymm4,%ymm0,%ymm0\n\tvpxor\t%ymm3,%ymm15,%ymm15\n\tmovq\t%r13,%r10\n\tmovq\t%r14,%r11\n\tmovq\t%r15,%r12\n\tandq\t$3,%r12\n\tmovq\t%r15,%r13\n\tandq\t$-4,%r13\n\tmovq\t%r9,%r14\n\tshrdq\t$2,%r9,%r15\n\tshrq\t$2,%r9\n\taddq\t%r13,%r15\n\tadcq\t%r14,%r9\n\taddq\t%r15,%r10\n\tadcq\t%r9,%r11\n\tadcq\t$0,%r12\n\nL$seal_avx2_main_loop_rounds_entry:\n\tvpxor\t%ymm2,%ymm14,%ymm14\n\tvpxor\t%ymm1,%ymm13,%ymm13\n\tvpxor\t%ymm0,%ymm12,%ymm12\n\tvpshufb\t%ymm8,%ymm15,%ymm15\n\tvpshufb\t%ymm8,%ymm14,%ymm14\n\tvpshufb\t%ymm8,%ymm13,%ymm13\n\tvpshufb\t%ymm8,%ymm12,%ymm12\n\tvpaddd\t%ymm15,%ymm11,%ymm11\n\tvpaddd\t%ymm14,%ymm10,%ymm10\n\taddq\t0+16(%rdi),%r10\n\tadcq\t8+16(%rdi),%r11\n\tadcq\t$1,%r12\n\tvpaddd\t%ymm13,%ymm9,%ymm9\n\tvpaddd\t0+128(%rbp),%ymm12,%ymm8\n\tvpxor\t%ymm11,%ymm7,%ymm7\n\tvpxor\t%ymm10,%ymm6,%ymm6\n\tvpxor\t%ymm9,%ymm5,%ymm5\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvmovdqa\t%ymm8,0+128(%rbp)\n\tvpsrld\t$25,%ymm7,%ymm8\n\tmovq\t0+0+0(%rbp),%rdx\n\tmovq\t%rdx,%r15\n\tmulxq\t%r10,%r13,%r14\n\tmulxq\t%r11,%rax,%rdx\n\timulq\t%r12,%r15\n\taddq\t%rax,%r14\n\tadcq\t%rdx,%r15\n\tvpslld\t$32-25,%ymm7,%ymm7\n\tvpxor\t%ymm8,%ymm7,%ymm7\n\tvpsrld\t$25,%ymm6,%ymm8\n\tvpslld\t$32-25,%ymm6,%ymm6\n\tvpxor\t%ymm8,%ymm6,%ymm6\n\tvpsrld\t$25,%ymm5,%ymm8\n\tvpslld\t$32-25,%ymm5,%ymm5\n\tvpxor\t%ymm8,%ymm5,%ymm5\n\tvpsrld\t$25,%ymm4,%ymm8\n\tvpslld\t$32-25,%ymm4,%ymm4\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvmovdqa\t0+128(%rbp),%ymm8\n\tvpalignr\t$4,%ymm7,%ymm7,%ymm7\n\tvpalignr\t$8,%ymm11,%ymm11,%ymm11\n\tvpalignr\t$12,%ymm15,%ymm15,%ymm15\n\tvpalignr\t$4,%ymm6,%ymm6,%ymm6\n\tvpalignr\t$8,%ymm10,%ymm10,%ymm10\n\tvpalignr\t$12,%ymm14,%ymm14,%ymm14\n\tmovq\t8+0+0(%rbp),%rdx\n\tmulxq\t%r10,%r10,%rax\n\taddq\t%r10,%r14\n\tmulxq\t%r11,%r11,%r9\n\tadcq\t%r11,%r15\n\tadcq\t$0,%r9\n\timulq\t%r12,%rdx\n\tvpalignr\t$4,%ymm5,%ymm5,%ymm5\n\tvpalignr\t$8,%ymm9,%ymm9,%ymm9\n\tvpalignr\t$12,%ymm13,%ymm13,%ymm13\n\tvpalignr\t$4,%ymm4,%ymm4,%ymm4\n\tvpalignr\t$8,%ymm8,%ymm8,%ymm8\n\tvpalignr\t$12,%ymm12,%ymm12,%ymm12\n\tvmovdqa\t%ymm8,0+128(%rbp)\n\tvmovdqa\tL$rol16(%rip),%ymm8\n\tvpaddd\t%ymm7,%ymm3,%ymm3\n\tvpaddd\t%ymm6,%ymm2,%ymm2\n\tvpaddd\t%ymm5,%ymm1,%ymm1\n\tvpaddd\t%ymm4,%ymm0,%ymm0\n\tvpxor\t%ymm3,%ymm15,%ymm15\n\tvpxor\t%ymm2,%ymm14,%ymm14\n\tvpxor\t%ymm1,%ymm13,%ymm13\n\tvpxor\t%ymm0,%ymm12,%ymm12\n\tvpshufb\t%ymm8,%ymm15,%ymm15\n\tvpshufb\t%ymm8,%ymm14,%ymm14\n\taddq\t%rax,%r15\n\tadcq\t%rdx,%r9\n\tvpshufb\t%ymm8,%ymm13,%ymm13\n\tvpshufb\t%ymm8,%ymm12,%ymm12\n\tvpaddd\t%ymm15,%ymm11,%ymm11\n\tvpaddd\t%ymm14,%ymm10,%ymm10\n\tvpaddd\t%ymm13,%ymm9,%ymm9\n\tvpaddd\t0+128(%rbp),%ymm12,%ymm8\n\tvpxor\t%ymm11,%ymm7,%ymm7\n\tvpxor\t%ymm10,%ymm6,%ymm6\n\tvpxor\t%ymm9,%ymm5,%ymm5\n\tmovq\t%r13,%r10\n\tmovq\t%r14,%r11\n\tmovq\t%r15,%r12\n\tandq\t$3,%r12\n\tmovq\t%r15,%r13\n\tandq\t$-4,%r13\n\tmovq\t%r9,%r14\n\tshrdq\t$2,%r9,%r15\n\tshrq\t$2,%r9\n\taddq\t%r13,%r15\n\tadcq\t%r14,%r9\n\taddq\t%r15,%r10\n\tadcq\t%r9,%r11\n\tadcq\t$0,%r12\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvmovdqa\t%ymm8,0+128(%rbp)\n\tvpsrld\t$20,%ymm7,%ymm8\n\tvpslld\t$32-20,%ymm7,%ymm7\n\tvpxor\t%ymm8,%ymm7,%ymm7\n\tvpsrld\t$20,%ymm6,%ymm8\n\tvpslld\t$32-20,%ymm6,%ymm6\n\tvpxor\t%ymm8,%ymm6,%ymm6\n\taddq\t0+32(%rdi),%r10\n\tadcq\t8+32(%rdi),%r11\n\tadcq\t$1,%r12\n\n\tleaq\t48(%rdi),%rdi\n\tvpsrld\t$20,%ymm5,%ymm8\n\tvpslld\t$32-20,%ymm5,%ymm5\n\tvpxor\t%ymm8,%ymm5,%ymm5\n\tvpsrld\t$20,%ymm4,%ymm8\n\tvpslld\t$32-20,%ymm4,%ymm4\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvmovdqa\tL$rol8(%rip),%ymm8\n\tvpaddd\t%ymm7,%ymm3,%ymm3\n\tvpaddd\t%ymm6,%ymm2,%ymm2\n\tvpaddd\t%ymm5,%ymm1,%ymm1\n\tvpaddd\t%ymm4,%ymm0,%ymm0\n\tvpxor\t%ymm3,%ymm15,%ymm15\n\tvpxor\t%ymm2,%ymm14,%ymm14\n\tvpxor\t%ymm1,%ymm13,%ymm13\n\tvpxor\t%ymm0,%ymm12,%ymm12\n\tvpshufb\t%ymm8,%ymm15,%ymm15\n\tvpshufb\t%ymm8,%ymm14,%ymm14\n\tvpshufb\t%ymm8,%ymm13,%ymm13\n\tmovq\t0+0+0(%rbp),%rdx\n\tmovq\t%rdx,%r15\n\tmulxq\t%r10,%r13,%r14\n\tmulxq\t%r11,%rax,%rdx\n\timulq\t%r12,%r15\n\taddq\t%rax,%r14\n\tadcq\t%rdx,%r15\n\tvpshufb\t%ymm8,%ymm12,%ymm12\n\tvpaddd\t%ymm15,%ymm11,%ymm11\n\tvpaddd\t%ymm14,%ymm10,%ymm10\n\tvpaddd\t%ymm13,%ymm9,%ymm9\n\tvpaddd\t0+128(%rbp),%ymm12,%ymm8\n\tvpxor\t%ymm11,%ymm7,%ymm7\n\tvpxor\t%ymm10,%ymm6,%ymm6\n\tvpxor\t%ymm9,%ymm5,%ymm5\n\tmovq\t8+0+0(%rbp),%rdx\n\tmulxq\t%r10,%r10,%rax\n\taddq\t%r10,%r14\n\tmulxq\t%r11,%r11,%r9\n\tadcq\t%r11,%r15\n\tadcq\t$0,%r9\n\timulq\t%r12,%rdx\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvmovdqa\t%ymm8,0+128(%rbp)\n\tvpsrld\t$25,%ymm7,%ymm8\n\tvpslld\t$32-25,%ymm7,%ymm7\n\tvpxor\t%ymm8,%ymm7,%ymm7\n\tvpsrld\t$25,%ymm6,%ymm8\n\tvpslld\t$32-25,%ymm6,%ymm6\n\tvpxor\t%ymm8,%ymm6,%ymm6\n\taddq\t%rax,%r15\n\tadcq\t%rdx,%r9\n\tvpsrld\t$25,%ymm5,%ymm8\n\tvpslld\t$32-25,%ymm5,%ymm5\n\tvpxor\t%ymm8,%ymm5,%ymm5\n\tvpsrld\t$25,%ymm4,%ymm8\n\tvpslld\t$32-25,%ymm4,%ymm4\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvmovdqa\t0+128(%rbp),%ymm8\n\tvpalignr\t$12,%ymm7,%ymm7,%ymm7\n\tvpalignr\t$8,%ymm11,%ymm11,%ymm11\n\tvpalignr\t$4,%ymm15,%ymm15,%ymm15\n\tvpalignr\t$12,%ymm6,%ymm6,%ymm6\n\tvpalignr\t$8,%ymm10,%ymm10,%ymm10\n\tvpalignr\t$4,%ymm14,%ymm14,%ymm14\n\tvpalignr\t$12,%ymm5,%ymm5,%ymm5\n\tvpalignr\t$8,%ymm9,%ymm9,%ymm9\n\tvpalignr\t$4,%ymm13,%ymm13,%ymm13\n\tvpalignr\t$12,%ymm4,%ymm4,%ymm4\n\tvpalignr\t$8,%ymm8,%ymm8,%ymm8\n\tmovq\t%r13,%r10\n\tmovq\t%r14,%r11\n\tmovq\t%r15,%r12\n\tandq\t$3,%r12\n\tmovq\t%r15,%r13\n\tandq\t$-4,%r13\n\tmovq\t%r9,%r14\n\tshrdq\t$2,%r9,%r15\n\tshrq\t$2,%r9\n\taddq\t%r13,%r15\n\tadcq\t%r14,%r9\n\taddq\t%r15,%r10\n\tadcq\t%r9,%r11\n\tadcq\t$0,%r12\n\tvpalignr\t$4,%ymm12,%ymm12,%ymm12\n\n\tdecq\t%rcx\n\tjne\tL$seal_avx2_main_loop_rounds\n\tvpaddd\tL$chacha20_consts(%rip),%ymm3,%ymm3\n\tvpaddd\t0+64(%rbp),%ymm7,%ymm7\n\tvpaddd\t0+96(%rbp),%ymm11,%ymm11\n\tvpaddd\t0+256(%rbp),%ymm15,%ymm15\n\tvpaddd\tL$chacha20_consts(%rip),%ymm2,%ymm2\n\tvpaddd\t0+64(%rbp),%ymm6,%ymm6\n\tvpaddd\t0+96(%rbp),%ymm10,%ymm10\n\tvpaddd\t0+224(%rbp),%ymm14,%ymm14\n\tvpaddd\tL$chacha20_consts(%rip),%ymm1,%ymm1\n\tvpaddd\t0+64(%rbp),%ymm5,%ymm5\n\tvpaddd\t0+96(%rbp),%ymm9,%ymm9\n\tvpaddd\t0+192(%rbp),%ymm13,%ymm13\n\tvpaddd\tL$chacha20_consts(%rip),%ymm0,%ymm0\n\tvpaddd\t0+64(%rbp),%ymm4,%ymm4\n\tvpaddd\t0+96(%rbp),%ymm8,%ymm8\n\tvpaddd\t0+160(%rbp),%ymm12,%ymm12\n\n\tvmovdqa\t%ymm0,0+128(%rbp)\n\taddq\t0+0(%rdi),%r10\n\tadcq\t8+0(%rdi),%r11\n\tadcq\t$1,%r12\n\tmovq\t0+0+0(%rbp),%rdx\n\tmovq\t%rdx,%r15\n\tmulxq\t%r10,%r13,%r14\n\tmulxq\t%r11,%rax,%rdx\n\timulq\t%r12,%r15\n\taddq\t%rax,%r14\n\tadcq\t%rdx,%r15\n\tmovq\t8+0+0(%rbp),%rdx\n\tmulxq\t%r10,%r10,%rax\n\taddq\t%r10,%r14\n\tmulxq\t%r11,%r11,%r9\n\tadcq\t%r11,%r15\n\tadcq\t$0,%r9\n\timulq\t%r12,%rdx\n\taddq\t%rax,%r15\n\tadcq\t%rdx,%r9\n\tmovq\t%r13,%r10\n\tmovq\t%r14,%r11\n\tmovq\t%r15,%r12\n\tandq\t$3,%r12\n\tmovq\t%r15,%r13\n\tandq\t$-4,%r13\n\tmovq\t%r9,%r14\n\tshrdq\t$2,%r9,%r15\n\tshrq\t$2,%r9\n\taddq\t%r13,%r15\n\tadcq\t%r14,%r9\n\taddq\t%r15,%r10\n\tadcq\t%r9,%r11\n\tadcq\t$0,%r12\n\taddq\t0+16(%rdi),%r10\n\tadcq\t8+16(%rdi),%r11\n\tadcq\t$1,%r12\n\tmovq\t0+0+0(%rbp),%rdx\n\tmovq\t%rdx,%r15\n\tmulxq\t%r10,%r13,%r14\n\tmulxq\t%r11,%rax,%rdx\n\timulq\t%r12,%r15\n\taddq\t%rax,%r14\n\tadcq\t%rdx,%r15\n\tmovq\t8+0+0(%rbp),%rdx\n\tmulxq\t%r10,%r10,%rax\n\taddq\t%r10,%r14\n\tmulxq\t%r11,%r11,%r9\n\tadcq\t%r11,%r15\n\tadcq\t$0,%r9\n\timulq\t%r12,%rdx\n\taddq\t%rax,%r15\n\tadcq\t%rdx,%r9\n\tmovq\t%r13,%r10\n\tmovq\t%r14,%r11\n\tmovq\t%r15,%r12\n\tandq\t$3,%r12\n\tmovq\t%r15,%r13\n\tandq\t$-4,%r13\n\tmovq\t%r9,%r14\n\tshrdq\t$2,%r9,%r15\n\tshrq\t$2,%r9\n\taddq\t%r13,%r15\n\tadcq\t%r14,%r9\n\taddq\t%r15,%r10\n\tadcq\t%r9,%r11\n\tadcq\t$0,%r12\n\n\tleaq\t32(%rdi),%rdi\n\tvperm2i128\t$0x02,%ymm3,%ymm7,%ymm0\n\tvperm2i128\t$0x13,%ymm3,%ymm7,%ymm7\n\tvperm2i128\t$0x02,%ymm11,%ymm15,%ymm3\n\tvperm2i128\t$0x13,%ymm11,%ymm15,%ymm11\n\tvpxor\t0+0(%rsi),%ymm0,%ymm0\n\tvpxor\t32+0(%rsi),%ymm3,%ymm3\n\tvpxor\t64+0(%rsi),%ymm7,%ymm7\n\tvpxor\t96+0(%rsi),%ymm11,%ymm11\n\tvmovdqu\t%ymm0,0+0(%rdi)\n\tvmovdqu\t%ymm3,32+0(%rdi)\n\tvmovdqu\t%ymm7,64+0(%rdi)\n\tvmovdqu\t%ymm11,96+0(%rdi)\n\n\tvmovdqa\t0+128(%rbp),%ymm0\n\tvperm2i128\t$0x02,%ymm2,%ymm6,%ymm3\n\tvperm2i128\t$0x13,%ymm2,%ymm6,%ymm6\n\tvperm2i128\t$0x02,%ymm10,%ymm14,%ymm2\n\tvperm2i128\t$0x13,%ymm10,%ymm14,%ymm10\n\tvpxor\t0+128(%rsi),%ymm3,%ymm3\n\tvpxor\t32+128(%rsi),%ymm2,%ymm2\n\tvpxor\t64+128(%rsi),%ymm6,%ymm6\n\tvpxor\t96+128(%rsi),%ymm10,%ymm10\n\tvmovdqu\t%ymm3,0+128(%rdi)\n\tvmovdqu\t%ymm2,32+128(%rdi)\n\tvmovdqu\t%ymm6,64+128(%rdi)\n\tvmovdqu\t%ymm10,96+128(%rdi)\n\tvperm2i128\t$0x02,%ymm1,%ymm5,%ymm3\n\tvperm2i128\t$0x13,%ymm1,%ymm5,%ymm5\n\tvperm2i128\t$0x02,%ymm9,%ymm13,%ymm1\n\tvperm2i128\t$0x13,%ymm9,%ymm13,%ymm9\n\tvpxor\t0+256(%rsi),%ymm3,%ymm3\n\tvpxor\t32+256(%rsi),%ymm1,%ymm1\n\tvpxor\t64+256(%rsi),%ymm5,%ymm5\n\tvpxor\t96+256(%rsi),%ymm9,%ymm9\n\tvmovdqu\t%ymm3,0+256(%rdi)\n\tvmovdqu\t%ymm1,32+256(%rdi)\n\tvmovdqu\t%ymm5,64+256(%rdi)\n\tvmovdqu\t%ymm9,96+256(%rdi)\n\tvperm2i128\t$0x02,%ymm0,%ymm4,%ymm3\n\tvperm2i128\t$0x13,%ymm0,%ymm4,%ymm4\n\tvperm2i128\t$0x02,%ymm8,%ymm12,%ymm0\n\tvperm2i128\t$0x13,%ymm8,%ymm12,%ymm8\n\tvpxor\t0+384(%rsi),%ymm3,%ymm3\n\tvpxor\t32+384(%rsi),%ymm0,%ymm0\n\tvpxor\t64+384(%rsi),%ymm4,%ymm4\n\tvpxor\t96+384(%rsi),%ymm8,%ymm8\n\tvmovdqu\t%ymm3,0+384(%rdi)\n\tvmovdqu\t%ymm0,32+384(%rdi)\n\tvmovdqu\t%ymm4,64+384(%rdi)\n\tvmovdqu\t%ymm8,96+384(%rdi)\n\n\tleaq\t512(%rsi),%rsi\n\tsubq\t$512,%rbx\n\tcmpq\t$512,%rbx\n\tjg\tL$seal_avx2_main_loop\n\n\taddq\t0+0(%rdi),%r10\n\tadcq\t8+0(%rdi),%r11\n\tadcq\t$1,%r12\n\tmovq\t0+0+0(%rbp),%rdx\n\tmovq\t%rdx,%r15\n\tmulxq\t%r10,%r13,%r14\n\tmulxq\t%r11,%rax,%rdx\n\timulq\t%r12,%r15\n\taddq\t%rax,%r14\n\tadcq\t%rdx,%r15\n\tmovq\t8+0+0(%rbp),%rdx\n\tmulxq\t%r10,%r10,%rax\n\taddq\t%r10,%r14\n\tmulxq\t%r11,%r11,%r9\n\tadcq\t%r11,%r15\n\tadcq\t$0,%r9\n\timulq\t%r12,%rdx\n\taddq\t%rax,%r15\n\tadcq\t%rdx,%r9\n\tmovq\t%r13,%r10\n\tmovq\t%r14,%r11\n\tmovq\t%r15,%r12\n\tandq\t$3,%r12\n\tmovq\t%r15,%r13\n\tandq\t$-4,%r13\n\tmovq\t%r9,%r14\n\tshrdq\t$2,%r9,%r15\n\tshrq\t$2,%r9\n\taddq\t%r13,%r15\n\tadcq\t%r14,%r9\n\taddq\t%r15,%r10\n\tadcq\t%r9,%r11\n\tadcq\t$0,%r12\n\taddq\t0+16(%rdi),%r10\n\tadcq\t8+16(%rdi),%r11\n\tadcq\t$1,%r12\n\tmovq\t0+0+0(%rbp),%rdx\n\tmovq\t%rdx,%r15\n\tmulxq\t%r10,%r13,%r14\n\tmulxq\t%r11,%rax,%rdx\n\timulq\t%r12,%r15\n\taddq\t%rax,%r14\n\tadcq\t%rdx,%r15\n\tmovq\t8+0+0(%rbp),%rdx\n\tmulxq\t%r10,%r10,%rax\n\taddq\t%r10,%r14\n\tmulxq\t%r11,%r11,%r9\n\tadcq\t%r11,%r15\n\tadcq\t$0,%r9\n\timulq\t%r12,%rdx\n\taddq\t%rax,%r15\n\tadcq\t%rdx,%r9\n\tmovq\t%r13,%r10\n\tmovq\t%r14,%r11\n\tmovq\t%r15,%r12\n\tandq\t$3,%r12\n\tmovq\t%r15,%r13\n\tandq\t$-4,%r13\n\tmovq\t%r9,%r14\n\tshrdq\t$2,%r9,%r15\n\tshrq\t$2,%r9\n\taddq\t%r13,%r15\n\tadcq\t%r14,%r9\n\taddq\t%r15,%r10\n\tadcq\t%r9,%r11\n\tadcq\t$0,%r12\n\n\tleaq\t32(%rdi),%rdi\n\tmovq\t$10,%rcx\n\txorq\t%r8,%r8\n\n\tcmpq\t$384,%rbx\n\tja\tL$seal_avx2_tail_512\n\tcmpq\t$256,%rbx\n\tja\tL$seal_avx2_tail_384\n\tcmpq\t$128,%rbx\n\tja\tL$seal_avx2_tail_256\n\nL$seal_avx2_tail_128:\n\tvmovdqa\tL$chacha20_consts(%rip),%ymm0\n\tvmovdqa\t0+64(%rbp),%ymm4\n\tvmovdqa\t0+96(%rbp),%ymm8\n\tvmovdqa\tL$avx2_inc(%rip),%ymm12\n\tvpaddd\t0+160(%rbp),%ymm12,%ymm12\n\tvmovdqa\t%ymm12,0+160(%rbp)\n\nL$seal_avx2_tail_128_rounds_and_3xhash:\n\taddq\t0+0(%rdi),%r10\n\tadcq\t8+0(%rdi),%r11\n\tadcq\t$1,%r12\n\tmovq\t0+0+0(%rbp),%rdx\n\tmovq\t%rdx,%r15\n\tmulxq\t%r10,%r13,%r14\n\tmulxq\t%r11,%rax,%rdx\n\timulq\t%r12,%r15\n\taddq\t%rax,%r14\n\tadcq\t%rdx,%r15\n\tmovq\t8+0+0(%rbp),%rdx\n\tmulxq\t%r10,%r10,%rax\n\taddq\t%r10,%r14\n\tmulxq\t%r11,%r11,%r9\n\tadcq\t%r11,%r15\n\tadcq\t$0,%r9\n\timulq\t%r12,%rdx\n\taddq\t%rax,%r15\n\tadcq\t%rdx,%r9\n\tmovq\t%r13,%r10\n\tmovq\t%r14,%r11\n\tmovq\t%r15,%r12\n\tandq\t$3,%r12\n\tmovq\t%r15,%r13\n\tandq\t$-4,%r13\n\tmovq\t%r9,%r14\n\tshrdq\t$2,%r9,%r15\n\tshrq\t$2,%r9\n\taddq\t%r13,%r15\n\tadcq\t%r14,%r9\n\taddq\t%r15,%r10\n\tadcq\t%r9,%r11\n\tadcq\t$0,%r12\n\n\tleaq\t16(%rdi),%rdi\nL$seal_avx2_tail_128_rounds_and_2xhash:\n\tvpaddd\t%ymm4,%ymm0,%ymm0\n\tvpxor\t%ymm0,%ymm12,%ymm12\n\tvpshufb\tL$rol16(%rip),%ymm12,%ymm12\n\tvpaddd\t%ymm12,%ymm8,%ymm8\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvpsrld\t$20,%ymm4,%ymm3\n\tvpslld\t$12,%ymm4,%ymm4\n\tvpxor\t%ymm3,%ymm4,%ymm4\n\tvpaddd\t%ymm4,%ymm0,%ymm0\n\tvpxor\t%ymm0,%ymm12,%ymm12\n\tvpshufb\tL$rol8(%rip),%ymm12,%ymm12\n\tvpaddd\t%ymm12,%ymm8,%ymm8\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvpslld\t$7,%ymm4,%ymm3\n\tvpsrld\t$25,%ymm4,%ymm4\n\tvpxor\t%ymm3,%ymm4,%ymm4\n\tvpalignr\t$12,%ymm12,%ymm12,%ymm12\n\tvpalignr\t$8,%ymm8,%ymm8,%ymm8\n\tvpalignr\t$4,%ymm4,%ymm4,%ymm4\n\taddq\t0+0(%rdi),%r10\n\tadcq\t8+0(%rdi),%r11\n\tadcq\t$1,%r12\n\tmovq\t0+0+0(%rbp),%rdx\n\tmovq\t%rdx,%r15\n\tmulxq\t%r10,%r13,%r14\n\tmulxq\t%r11,%rax,%rdx\n\timulq\t%r12,%r15\n\taddq\t%rax,%r14\n\tadcq\t%rdx,%r15\n\tmovq\t8+0+0(%rbp),%rdx\n\tmulxq\t%r10,%r10,%rax\n\taddq\t%r10,%r14\n\tmulxq\t%r11,%r11,%r9\n\tadcq\t%r11,%r15\n\tadcq\t$0,%r9\n\timulq\t%r12,%rdx\n\taddq\t%rax,%r15\n\tadcq\t%rdx,%r9\n\tmovq\t%r13,%r10\n\tmovq\t%r14,%r11\n\tmovq\t%r15,%r12\n\tandq\t$3,%r12\n\tmovq\t%r15,%r13\n\tandq\t$-4,%r13\n\tmovq\t%r9,%r14\n\tshrdq\t$2,%r9,%r15\n\tshrq\t$2,%r9\n\taddq\t%r13,%r15\n\tadcq\t%r14,%r9\n\taddq\t%r15,%r10\n\tadcq\t%r9,%r11\n\tadcq\t$0,%r12\n\tvpaddd\t%ymm4,%ymm0,%ymm0\n\tvpxor\t%ymm0,%ymm12,%ymm12\n\tvpshufb\tL$rol16(%rip),%ymm12,%ymm12\n\tvpaddd\t%ymm12,%ymm8,%ymm8\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvpsrld\t$20,%ymm4,%ymm3\n\tvpslld\t$12,%ymm4,%ymm4\n\tvpxor\t%ymm3,%ymm4,%ymm4\n\tvpaddd\t%ymm4,%ymm0,%ymm0\n\tvpxor\t%ymm0,%ymm12,%ymm12\n\tvpshufb\tL$rol8(%rip),%ymm12,%ymm12\n\tvpaddd\t%ymm12,%ymm8,%ymm8\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvpslld\t$7,%ymm4,%ymm3\n\tvpsrld\t$25,%ymm4,%ymm4\n\tvpxor\t%ymm3,%ymm4,%ymm4\n\tvpalignr\t$4,%ymm12,%ymm12,%ymm12\n\tvpalignr\t$8,%ymm8,%ymm8,%ymm8\n\tvpalignr\t$12,%ymm4,%ymm4,%ymm4\n\taddq\t0+16(%rdi),%r10\n\tadcq\t8+16(%rdi),%r11\n\tadcq\t$1,%r12\n\tmovq\t0+0+0(%rbp),%rdx\n\tmovq\t%rdx,%r15\n\tmulxq\t%r10,%r13,%r14\n\tmulxq\t%r11,%rax,%rdx\n\timulq\t%r12,%r15\n\taddq\t%rax,%r14\n\tadcq\t%rdx,%r15\n\tmovq\t8+0+0(%rbp),%rdx\n\tmulxq\t%r10,%r10,%rax\n\taddq\t%r10,%r14\n\tmulxq\t%r11,%r11,%r9\n\tadcq\t%r11,%r15\n\tadcq\t$0,%r9\n\timulq\t%r12,%rdx\n\taddq\t%rax,%r15\n\tadcq\t%rdx,%r9\n\tmovq\t%r13,%r10\n\tmovq\t%r14,%r11\n\tmovq\t%r15,%r12\n\tandq\t$3,%r12\n\tmovq\t%r15,%r13\n\tandq\t$-4,%r13\n\tmovq\t%r9,%r14\n\tshrdq\t$2,%r9,%r15\n\tshrq\t$2,%r9\n\taddq\t%r13,%r15\n\tadcq\t%r14,%r9\n\taddq\t%r15,%r10\n\tadcq\t%r9,%r11\n\tadcq\t$0,%r12\n\n\tleaq\t32(%rdi),%rdi\n\tdecq\t%rcx\n\tjg\tL$seal_avx2_tail_128_rounds_and_3xhash\n\tdecq\t%r8\n\tjge\tL$seal_avx2_tail_128_rounds_and_2xhash\n\tvpaddd\tL$chacha20_consts(%rip),%ymm0,%ymm0\n\tvpaddd\t0+64(%rbp),%ymm4,%ymm4\n\tvpaddd\t0+96(%rbp),%ymm8,%ymm8\n\tvpaddd\t0+160(%rbp),%ymm12,%ymm12\n\tvperm2i128\t$0x13,%ymm0,%ymm4,%ymm3\n\tvperm2i128\t$0x02,%ymm0,%ymm4,%ymm0\n\tvperm2i128\t$0x02,%ymm8,%ymm12,%ymm4\n\tvperm2i128\t$0x13,%ymm8,%ymm12,%ymm12\n\tvmovdqa\t%ymm3,%ymm8\n\n\tjmp\tL$seal_avx2_short_loop\n\nL$seal_avx2_tail_256:\n\tvmovdqa\tL$chacha20_consts(%rip),%ymm0\n\tvmovdqa\t0+64(%rbp),%ymm4\n\tvmovdqa\t0+96(%rbp),%ymm8\n\tvmovdqa\t%ymm0,%ymm1\n\tvmovdqa\t%ymm4,%ymm5\n\tvmovdqa\t%ymm8,%ymm9\n\tvmovdqa\tL$avx2_inc(%rip),%ymm12\n\tvpaddd\t0+160(%rbp),%ymm12,%ymm13\n\tvpaddd\t%ymm13,%ymm12,%ymm12\n\tvmovdqa\t%ymm12,0+160(%rbp)\n\tvmovdqa\t%ymm13,0+192(%rbp)\n\nL$seal_avx2_tail_256_rounds_and_3xhash:\n\taddq\t0+0(%rdi),%r10\n\tadcq\t8+0(%rdi),%r11\n\tadcq\t$1,%r12\n\tmovq\t0+0+0(%rbp),%rax\n\tmovq\t%rax,%r15\n\tmulq\t%r10\n\tmovq\t%rax,%r13\n\tmovq\t%rdx,%r14\n\tmovq\t0+0+0(%rbp),%rax\n\tmulq\t%r11\n\timulq\t%r12,%r15\n\taddq\t%rax,%r14\n\tadcq\t%rdx,%r15\n\tmovq\t8+0+0(%rbp),%rax\n\tmovq\t%rax,%r9\n\tmulq\t%r10\n\taddq\t%rax,%r14\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r10\n\tmovq\t8+0+0(%rbp),%rax\n\tmulq\t%r11\n\taddq\t%rax,%r15\n\tadcq\t$0,%rdx\n\timulq\t%r12,%r9\n\taddq\t%r10,%r15\n\tadcq\t%rdx,%r9\n\tmovq\t%r13,%r10\n\tmovq\t%r14,%r11\n\tmovq\t%r15,%r12\n\tandq\t$3,%r12\n\tmovq\t%r15,%r13\n\tandq\t$-4,%r13\n\tmovq\t%r9,%r14\n\tshrdq\t$2,%r9,%r15\n\tshrq\t$2,%r9\n\taddq\t%r13,%r15\n\tadcq\t%r14,%r9\n\taddq\t%r15,%r10\n\tadcq\t%r9,%r11\n\tadcq\t$0,%r12\n\n\tleaq\t16(%rdi),%rdi\nL$seal_avx2_tail_256_rounds_and_2xhash:\n\tvpaddd\t%ymm4,%ymm0,%ymm0\n\tvpxor\t%ymm0,%ymm12,%ymm12\n\tvpshufb\tL$rol16(%rip),%ymm12,%ymm12\n\tvpaddd\t%ymm12,%ymm8,%ymm8\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvpsrld\t$20,%ymm4,%ymm3\n\tvpslld\t$12,%ymm4,%ymm4\n\tvpxor\t%ymm3,%ymm4,%ymm4\n\tvpaddd\t%ymm4,%ymm0,%ymm0\n\tvpxor\t%ymm0,%ymm12,%ymm12\n\tvpshufb\tL$rol8(%rip),%ymm12,%ymm12\n\tvpaddd\t%ymm12,%ymm8,%ymm8\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvpslld\t$7,%ymm4,%ymm3\n\tvpsrld\t$25,%ymm4,%ymm4\n\tvpxor\t%ymm3,%ymm4,%ymm4\n\tvpalignr\t$12,%ymm12,%ymm12,%ymm12\n\tvpalignr\t$8,%ymm8,%ymm8,%ymm8\n\tvpalignr\t$4,%ymm4,%ymm4,%ymm4\n\tvpaddd\t%ymm5,%ymm1,%ymm1\n\tvpxor\t%ymm1,%ymm13,%ymm13\n\tvpshufb\tL$rol16(%rip),%ymm13,%ymm13\n\tvpaddd\t%ymm13,%ymm9,%ymm9\n\tvpxor\t%ymm9,%ymm5,%ymm5\n\tvpsrld\t$20,%ymm5,%ymm3\n\tvpslld\t$12,%ymm5,%ymm5\n\tvpxor\t%ymm3,%ymm5,%ymm5\n\tvpaddd\t%ymm5,%ymm1,%ymm1\n\tvpxor\t%ymm1,%ymm13,%ymm13\n\tvpshufb\tL$rol8(%rip),%ymm13,%ymm13\n\tvpaddd\t%ymm13,%ymm9,%ymm9\n\tvpxor\t%ymm9,%ymm5,%ymm5\n\tvpslld\t$7,%ymm5,%ymm3\n\tvpsrld\t$25,%ymm5,%ymm5\n\tvpxor\t%ymm3,%ymm5,%ymm5\n\tvpalignr\t$12,%ymm13,%ymm13,%ymm13\n\tvpalignr\t$8,%ymm9,%ymm9,%ymm9\n\tvpalignr\t$4,%ymm5,%ymm5,%ymm5\n\taddq\t0+0(%rdi),%r10\n\tadcq\t8+0(%rdi),%r11\n\tadcq\t$1,%r12\n\tmovq\t0+0+0(%rbp),%rax\n\tmovq\t%rax,%r15\n\tmulq\t%r10\n\tmovq\t%rax,%r13\n\tmovq\t%rdx,%r14\n\tmovq\t0+0+0(%rbp),%rax\n\tmulq\t%r11\n\timulq\t%r12,%r15\n\taddq\t%rax,%r14\n\tadcq\t%rdx,%r15\n\tmovq\t8+0+0(%rbp),%rax\n\tmovq\t%rax,%r9\n\tmulq\t%r10\n\taddq\t%rax,%r14\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r10\n\tmovq\t8+0+0(%rbp),%rax\n\tmulq\t%r11\n\taddq\t%rax,%r15\n\tadcq\t$0,%rdx\n\timulq\t%r12,%r9\n\taddq\t%r10,%r15\n\tadcq\t%rdx,%r9\n\tmovq\t%r13,%r10\n\tmovq\t%r14,%r11\n\tmovq\t%r15,%r12\n\tandq\t$3,%r12\n\tmovq\t%r15,%r13\n\tandq\t$-4,%r13\n\tmovq\t%r9,%r14\n\tshrdq\t$2,%r9,%r15\n\tshrq\t$2,%r9\n\taddq\t%r13,%r15\n\tadcq\t%r14,%r9\n\taddq\t%r15,%r10\n\tadcq\t%r9,%r11\n\tadcq\t$0,%r12\n\tvpaddd\t%ymm4,%ymm0,%ymm0\n\tvpxor\t%ymm0,%ymm12,%ymm12\n\tvpshufb\tL$rol16(%rip),%ymm12,%ymm12\n\tvpaddd\t%ymm12,%ymm8,%ymm8\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvpsrld\t$20,%ymm4,%ymm3\n\tvpslld\t$12,%ymm4,%ymm4\n\tvpxor\t%ymm3,%ymm4,%ymm4\n\tvpaddd\t%ymm4,%ymm0,%ymm0\n\tvpxor\t%ymm0,%ymm12,%ymm12\n\tvpshufb\tL$rol8(%rip),%ymm12,%ymm12\n\tvpaddd\t%ymm12,%ymm8,%ymm8\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvpslld\t$7,%ymm4,%ymm3\n\tvpsrld\t$25,%ymm4,%ymm4\n\tvpxor\t%ymm3,%ymm4,%ymm4\n\tvpalignr\t$4,%ymm12,%ymm12,%ymm12\n\tvpalignr\t$8,%ymm8,%ymm8,%ymm8\n\tvpalignr\t$12,%ymm4,%ymm4,%ymm4\n\tvpaddd\t%ymm5,%ymm1,%ymm1\n\tvpxor\t%ymm1,%ymm13,%ymm13\n\tvpshufb\tL$rol16(%rip),%ymm13,%ymm13\n\tvpaddd\t%ymm13,%ymm9,%ymm9\n\tvpxor\t%ymm9,%ymm5,%ymm5\n\tvpsrld\t$20,%ymm5,%ymm3\n\tvpslld\t$12,%ymm5,%ymm5\n\tvpxor\t%ymm3,%ymm5,%ymm5\n\tvpaddd\t%ymm5,%ymm1,%ymm1\n\tvpxor\t%ymm1,%ymm13,%ymm13\n\tvpshufb\tL$rol8(%rip),%ymm13,%ymm13\n\tvpaddd\t%ymm13,%ymm9,%ymm9\n\tvpxor\t%ymm9,%ymm5,%ymm5\n\tvpslld\t$7,%ymm5,%ymm3\n\tvpsrld\t$25,%ymm5,%ymm5\n\tvpxor\t%ymm3,%ymm5,%ymm5\n\tvpalignr\t$4,%ymm13,%ymm13,%ymm13\n\tvpalignr\t$8,%ymm9,%ymm9,%ymm9\n\tvpalignr\t$12,%ymm5,%ymm5,%ymm5\n\taddq\t0+16(%rdi),%r10\n\tadcq\t8+16(%rdi),%r11\n\tadcq\t$1,%r12\n\tmovq\t0+0+0(%rbp),%rax\n\tmovq\t%rax,%r15\n\tmulq\t%r10\n\tmovq\t%rax,%r13\n\tmovq\t%rdx,%r14\n\tmovq\t0+0+0(%rbp),%rax\n\tmulq\t%r11\n\timulq\t%r12,%r15\n\taddq\t%rax,%r14\n\tadcq\t%rdx,%r15\n\tmovq\t8+0+0(%rbp),%rax\n\tmovq\t%rax,%r9\n\tmulq\t%r10\n\taddq\t%rax,%r14\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r10\n\tmovq\t8+0+0(%rbp),%rax\n\tmulq\t%r11\n\taddq\t%rax,%r15\n\tadcq\t$0,%rdx\n\timulq\t%r12,%r9\n\taddq\t%r10,%r15\n\tadcq\t%rdx,%r9\n\tmovq\t%r13,%r10\n\tmovq\t%r14,%r11\n\tmovq\t%r15,%r12\n\tandq\t$3,%r12\n\tmovq\t%r15,%r13\n\tandq\t$-4,%r13\n\tmovq\t%r9,%r14\n\tshrdq\t$2,%r9,%r15\n\tshrq\t$2,%r9\n\taddq\t%r13,%r15\n\tadcq\t%r14,%r9\n\taddq\t%r15,%r10\n\tadcq\t%r9,%r11\n\tadcq\t$0,%r12\n\n\tleaq\t32(%rdi),%rdi\n\tdecq\t%rcx\n\tjg\tL$seal_avx2_tail_256_rounds_and_3xhash\n\tdecq\t%r8\n\tjge\tL$seal_avx2_tail_256_rounds_and_2xhash\n\tvpaddd\tL$chacha20_consts(%rip),%ymm1,%ymm1\n\tvpaddd\t0+64(%rbp),%ymm5,%ymm5\n\tvpaddd\t0+96(%rbp),%ymm9,%ymm9\n\tvpaddd\t0+192(%rbp),%ymm13,%ymm13\n\tvpaddd\tL$chacha20_consts(%rip),%ymm0,%ymm0\n\tvpaddd\t0+64(%rbp),%ymm4,%ymm4\n\tvpaddd\t0+96(%rbp),%ymm8,%ymm8\n\tvpaddd\t0+160(%rbp),%ymm12,%ymm12\n\tvperm2i128\t$0x02,%ymm1,%ymm5,%ymm3\n\tvperm2i128\t$0x13,%ymm1,%ymm5,%ymm5\n\tvperm2i128\t$0x02,%ymm9,%ymm13,%ymm1\n\tvperm2i128\t$0x13,%ymm9,%ymm13,%ymm9\n\tvpxor\t0+0(%rsi),%ymm3,%ymm3\n\tvpxor\t32+0(%rsi),%ymm1,%ymm1\n\tvpxor\t64+0(%rsi),%ymm5,%ymm5\n\tvpxor\t96+0(%rsi),%ymm9,%ymm9\n\tvmovdqu\t%ymm3,0+0(%rdi)\n\tvmovdqu\t%ymm1,32+0(%rdi)\n\tvmovdqu\t%ymm5,64+0(%rdi)\n\tvmovdqu\t%ymm9,96+0(%rdi)\n\tvperm2i128\t$0x13,%ymm0,%ymm4,%ymm3\n\tvperm2i128\t$0x02,%ymm0,%ymm4,%ymm0\n\tvperm2i128\t$0x02,%ymm8,%ymm12,%ymm4\n\tvperm2i128\t$0x13,%ymm8,%ymm12,%ymm12\n\tvmovdqa\t%ymm3,%ymm8\n\n\tmovq\t$128,%rcx\n\tleaq\t128(%rsi),%rsi\n\tsubq\t$128,%rbx\n\tjmp\tL$seal_avx2_short_hash_remainder\n\nL$seal_avx2_tail_384:\n\tvmovdqa\tL$chacha20_consts(%rip),%ymm0\n\tvmovdqa\t0+64(%rbp),%ymm4\n\tvmovdqa\t0+96(%rbp),%ymm8\n\tvmovdqa\t%ymm0,%ymm1\n\tvmovdqa\t%ymm4,%ymm5\n\tvmovdqa\t%ymm8,%ymm9\n\tvmovdqa\t%ymm0,%ymm2\n\tvmovdqa\t%ymm4,%ymm6\n\tvmovdqa\t%ymm8,%ymm10\n\tvmovdqa\tL$avx2_inc(%rip),%ymm12\n\tvpaddd\t0+160(%rbp),%ymm12,%ymm14\n\tvpaddd\t%ymm14,%ymm12,%ymm13\n\tvpaddd\t%ymm13,%ymm12,%ymm12\n\tvmovdqa\t%ymm12,0+160(%rbp)\n\tvmovdqa\t%ymm13,0+192(%rbp)\n\tvmovdqa\t%ymm14,0+224(%rbp)\n\nL$seal_avx2_tail_384_rounds_and_3xhash:\n\taddq\t0+0(%rdi),%r10\n\tadcq\t8+0(%rdi),%r11\n\tadcq\t$1,%r12\n\tmovq\t0+0+0(%rbp),%rax\n\tmovq\t%rax,%r15\n\tmulq\t%r10\n\tmovq\t%rax,%r13\n\tmovq\t%rdx,%r14\n\tmovq\t0+0+0(%rbp),%rax\n\tmulq\t%r11\n\timulq\t%r12,%r15\n\taddq\t%rax,%r14\n\tadcq\t%rdx,%r15\n\tmovq\t8+0+0(%rbp),%rax\n\tmovq\t%rax,%r9\n\tmulq\t%r10\n\taddq\t%rax,%r14\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r10\n\tmovq\t8+0+0(%rbp),%rax\n\tmulq\t%r11\n\taddq\t%rax,%r15\n\tadcq\t$0,%rdx\n\timulq\t%r12,%r9\n\taddq\t%r10,%r15\n\tadcq\t%rdx,%r9\n\tmovq\t%r13,%r10\n\tmovq\t%r14,%r11\n\tmovq\t%r15,%r12\n\tandq\t$3,%r12\n\tmovq\t%r15,%r13\n\tandq\t$-4,%r13\n\tmovq\t%r9,%r14\n\tshrdq\t$2,%r9,%r15\n\tshrq\t$2,%r9\n\taddq\t%r13,%r15\n\tadcq\t%r14,%r9\n\taddq\t%r15,%r10\n\tadcq\t%r9,%r11\n\tadcq\t$0,%r12\n\n\tleaq\t16(%rdi),%rdi\nL$seal_avx2_tail_384_rounds_and_2xhash:\n\tvpaddd\t%ymm4,%ymm0,%ymm0\n\tvpxor\t%ymm0,%ymm12,%ymm12\n\tvpshufb\tL$rol16(%rip),%ymm12,%ymm12\n\tvpaddd\t%ymm12,%ymm8,%ymm8\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvpsrld\t$20,%ymm4,%ymm3\n\tvpslld\t$12,%ymm4,%ymm4\n\tvpxor\t%ymm3,%ymm4,%ymm4\n\tvpaddd\t%ymm4,%ymm0,%ymm0\n\tvpxor\t%ymm0,%ymm12,%ymm12\n\tvpshufb\tL$rol8(%rip),%ymm12,%ymm12\n\tvpaddd\t%ymm12,%ymm8,%ymm8\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvpslld\t$7,%ymm4,%ymm3\n\tvpsrld\t$25,%ymm4,%ymm4\n\tvpxor\t%ymm3,%ymm4,%ymm4\n\tvpalignr\t$12,%ymm12,%ymm12,%ymm12\n\tvpalignr\t$8,%ymm8,%ymm8,%ymm8\n\tvpalignr\t$4,%ymm4,%ymm4,%ymm4\n\tvpaddd\t%ymm5,%ymm1,%ymm1\n\tvpxor\t%ymm1,%ymm13,%ymm13\n\tvpshufb\tL$rol16(%rip),%ymm13,%ymm13\n\tvpaddd\t%ymm13,%ymm9,%ymm9\n\tvpxor\t%ymm9,%ymm5,%ymm5\n\tvpsrld\t$20,%ymm5,%ymm3\n\tvpslld\t$12,%ymm5,%ymm5\n\tvpxor\t%ymm3,%ymm5,%ymm5\n\tvpaddd\t%ymm5,%ymm1,%ymm1\n\tvpxor\t%ymm1,%ymm13,%ymm13\n\tvpshufb\tL$rol8(%rip),%ymm13,%ymm13\n\tvpaddd\t%ymm13,%ymm9,%ymm9\n\tvpxor\t%ymm9,%ymm5,%ymm5\n\tvpslld\t$7,%ymm5,%ymm3\n\tvpsrld\t$25,%ymm5,%ymm5\n\tvpxor\t%ymm3,%ymm5,%ymm5\n\tvpalignr\t$12,%ymm13,%ymm13,%ymm13\n\tvpalignr\t$8,%ymm9,%ymm9,%ymm9\n\tvpalignr\t$4,%ymm5,%ymm5,%ymm5\n\taddq\t0+0(%rdi),%r10\n\tadcq\t8+0(%rdi),%r11\n\tadcq\t$1,%r12\n\tmovq\t0+0+0(%rbp),%rax\n\tmovq\t%rax,%r15\n\tmulq\t%r10\n\tmovq\t%rax,%r13\n\tmovq\t%rdx,%r14\n\tmovq\t0+0+0(%rbp),%rax\n\tmulq\t%r11\n\timulq\t%r12,%r15\n\taddq\t%rax,%r14\n\tadcq\t%rdx,%r15\n\tmovq\t8+0+0(%rbp),%rax\n\tmovq\t%rax,%r9\n\tmulq\t%r10\n\taddq\t%rax,%r14\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r10\n\tmovq\t8+0+0(%rbp),%rax\n\tmulq\t%r11\n\taddq\t%rax,%r15\n\tadcq\t$0,%rdx\n\timulq\t%r12,%r9\n\taddq\t%r10,%r15\n\tadcq\t%rdx,%r9\n\tmovq\t%r13,%r10\n\tmovq\t%r14,%r11\n\tmovq\t%r15,%r12\n\tandq\t$3,%r12\n\tmovq\t%r15,%r13\n\tandq\t$-4,%r13\n\tmovq\t%r9,%r14\n\tshrdq\t$2,%r9,%r15\n\tshrq\t$2,%r9\n\taddq\t%r13,%r15\n\tadcq\t%r14,%r9\n\taddq\t%r15,%r10\n\tadcq\t%r9,%r11\n\tadcq\t$0,%r12\n\tvpaddd\t%ymm6,%ymm2,%ymm2\n\tvpxor\t%ymm2,%ymm14,%ymm14\n\tvpshufb\tL$rol16(%rip),%ymm14,%ymm14\n\tvpaddd\t%ymm14,%ymm10,%ymm10\n\tvpxor\t%ymm10,%ymm6,%ymm6\n\tvpsrld\t$20,%ymm6,%ymm3\n\tvpslld\t$12,%ymm6,%ymm6\n\tvpxor\t%ymm3,%ymm6,%ymm6\n\tvpaddd\t%ymm6,%ymm2,%ymm2\n\tvpxor\t%ymm2,%ymm14,%ymm14\n\tvpshufb\tL$rol8(%rip),%ymm14,%ymm14\n\tvpaddd\t%ymm14,%ymm10,%ymm10\n\tvpxor\t%ymm10,%ymm6,%ymm6\n\tvpslld\t$7,%ymm6,%ymm3\n\tvpsrld\t$25,%ymm6,%ymm6\n\tvpxor\t%ymm3,%ymm6,%ymm6\n\tvpalignr\t$12,%ymm14,%ymm14,%ymm14\n\tvpalignr\t$8,%ymm10,%ymm10,%ymm10\n\tvpalignr\t$4,%ymm6,%ymm6,%ymm6\n\tvpaddd\t%ymm4,%ymm0,%ymm0\n\tvpxor\t%ymm0,%ymm12,%ymm12\n\tvpshufb\tL$rol16(%rip),%ymm12,%ymm12\n\tvpaddd\t%ymm12,%ymm8,%ymm8\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvpsrld\t$20,%ymm4,%ymm3\n\tvpslld\t$12,%ymm4,%ymm4\n\tvpxor\t%ymm3,%ymm4,%ymm4\n\tvpaddd\t%ymm4,%ymm0,%ymm0\n\tvpxor\t%ymm0,%ymm12,%ymm12\n\tvpshufb\tL$rol8(%rip),%ymm12,%ymm12\n\tvpaddd\t%ymm12,%ymm8,%ymm8\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvpslld\t$7,%ymm4,%ymm3\n\tvpsrld\t$25,%ymm4,%ymm4\n\tvpxor\t%ymm3,%ymm4,%ymm4\n\tvpalignr\t$4,%ymm12,%ymm12,%ymm12\n\tvpalignr\t$8,%ymm8,%ymm8,%ymm8\n\tvpalignr\t$12,%ymm4,%ymm4,%ymm4\n\taddq\t0+16(%rdi),%r10\n\tadcq\t8+16(%rdi),%r11\n\tadcq\t$1,%r12\n\tmovq\t0+0+0(%rbp),%rax\n\tmovq\t%rax,%r15\n\tmulq\t%r10\n\tmovq\t%rax,%r13\n\tmovq\t%rdx,%r14\n\tmovq\t0+0+0(%rbp),%rax\n\tmulq\t%r11\n\timulq\t%r12,%r15\n\taddq\t%rax,%r14\n\tadcq\t%rdx,%r15\n\tmovq\t8+0+0(%rbp),%rax\n\tmovq\t%rax,%r9\n\tmulq\t%r10\n\taddq\t%rax,%r14\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r10\n\tmovq\t8+0+0(%rbp),%rax\n\tmulq\t%r11\n\taddq\t%rax,%r15\n\tadcq\t$0,%rdx\n\timulq\t%r12,%r9\n\taddq\t%r10,%r15\n\tadcq\t%rdx,%r9\n\tmovq\t%r13,%r10\n\tmovq\t%r14,%r11\n\tmovq\t%r15,%r12\n\tandq\t$3,%r12\n\tmovq\t%r15,%r13\n\tandq\t$-4,%r13\n\tmovq\t%r9,%r14\n\tshrdq\t$2,%r9,%r15\n\tshrq\t$2,%r9\n\taddq\t%r13,%r15\n\tadcq\t%r14,%r9\n\taddq\t%r15,%r10\n\tadcq\t%r9,%r11\n\tadcq\t$0,%r12\n\tvpaddd\t%ymm5,%ymm1,%ymm1\n\tvpxor\t%ymm1,%ymm13,%ymm13\n\tvpshufb\tL$rol16(%rip),%ymm13,%ymm13\n\tvpaddd\t%ymm13,%ymm9,%ymm9\n\tvpxor\t%ymm9,%ymm5,%ymm5\n\tvpsrld\t$20,%ymm5,%ymm3\n\tvpslld\t$12,%ymm5,%ymm5\n\tvpxor\t%ymm3,%ymm5,%ymm5\n\tvpaddd\t%ymm5,%ymm1,%ymm1\n\tvpxor\t%ymm1,%ymm13,%ymm13\n\tvpshufb\tL$rol8(%rip),%ymm13,%ymm13\n\tvpaddd\t%ymm13,%ymm9,%ymm9\n\tvpxor\t%ymm9,%ymm5,%ymm5\n\tvpslld\t$7,%ymm5,%ymm3\n\tvpsrld\t$25,%ymm5,%ymm5\n\tvpxor\t%ymm3,%ymm5,%ymm5\n\tvpalignr\t$4,%ymm13,%ymm13,%ymm13\n\tvpalignr\t$8,%ymm9,%ymm9,%ymm9\n\tvpalignr\t$12,%ymm5,%ymm5,%ymm5\n\tvpaddd\t%ymm6,%ymm2,%ymm2\n\tvpxor\t%ymm2,%ymm14,%ymm14\n\tvpshufb\tL$rol16(%rip),%ymm14,%ymm14\n\tvpaddd\t%ymm14,%ymm10,%ymm10\n\tvpxor\t%ymm10,%ymm6,%ymm6\n\tvpsrld\t$20,%ymm6,%ymm3\n\tvpslld\t$12,%ymm6,%ymm6\n\tvpxor\t%ymm3,%ymm6,%ymm6\n\tvpaddd\t%ymm6,%ymm2,%ymm2\n\tvpxor\t%ymm2,%ymm14,%ymm14\n\tvpshufb\tL$rol8(%rip),%ymm14,%ymm14\n\tvpaddd\t%ymm14,%ymm10,%ymm10\n\tvpxor\t%ymm10,%ymm6,%ymm6\n\tvpslld\t$7,%ymm6,%ymm3\n\tvpsrld\t$25,%ymm6,%ymm6\n\tvpxor\t%ymm3,%ymm6,%ymm6\n\tvpalignr\t$4,%ymm14,%ymm14,%ymm14\n\tvpalignr\t$8,%ymm10,%ymm10,%ymm10\n\tvpalignr\t$12,%ymm6,%ymm6,%ymm6\n\n\tleaq\t32(%rdi),%rdi\n\tdecq\t%rcx\n\tjg\tL$seal_avx2_tail_384_rounds_and_3xhash\n\tdecq\t%r8\n\tjge\tL$seal_avx2_tail_384_rounds_and_2xhash\n\tvpaddd\tL$chacha20_consts(%rip),%ymm2,%ymm2\n\tvpaddd\t0+64(%rbp),%ymm6,%ymm6\n\tvpaddd\t0+96(%rbp),%ymm10,%ymm10\n\tvpaddd\t0+224(%rbp),%ymm14,%ymm14\n\tvpaddd\tL$chacha20_consts(%rip),%ymm1,%ymm1\n\tvpaddd\t0+64(%rbp),%ymm5,%ymm5\n\tvpaddd\t0+96(%rbp),%ymm9,%ymm9\n\tvpaddd\t0+192(%rbp),%ymm13,%ymm13\n\tvpaddd\tL$chacha20_consts(%rip),%ymm0,%ymm0\n\tvpaddd\t0+64(%rbp),%ymm4,%ymm4\n\tvpaddd\t0+96(%rbp),%ymm8,%ymm8\n\tvpaddd\t0+160(%rbp),%ymm12,%ymm12\n\tvperm2i128\t$0x02,%ymm2,%ymm6,%ymm3\n\tvperm2i128\t$0x13,%ymm2,%ymm6,%ymm6\n\tvperm2i128\t$0x02,%ymm10,%ymm14,%ymm2\n\tvperm2i128\t$0x13,%ymm10,%ymm14,%ymm10\n\tvpxor\t0+0(%rsi),%ymm3,%ymm3\n\tvpxor\t32+0(%rsi),%ymm2,%ymm2\n\tvpxor\t64+0(%rsi),%ymm6,%ymm6\n\tvpxor\t96+0(%rsi),%ymm10,%ymm10\n\tvmovdqu\t%ymm3,0+0(%rdi)\n\tvmovdqu\t%ymm2,32+0(%rdi)\n\tvmovdqu\t%ymm6,64+0(%rdi)\n\tvmovdqu\t%ymm10,96+0(%rdi)\n\tvperm2i128\t$0x02,%ymm1,%ymm5,%ymm3\n\tvperm2i128\t$0x13,%ymm1,%ymm5,%ymm5\n\tvperm2i128\t$0x02,%ymm9,%ymm13,%ymm1\n\tvperm2i128\t$0x13,%ymm9,%ymm13,%ymm9\n\tvpxor\t0+128(%rsi),%ymm3,%ymm3\n\tvpxor\t32+128(%rsi),%ymm1,%ymm1\n\tvpxor\t64+128(%rsi),%ymm5,%ymm5\n\tvpxor\t96+128(%rsi),%ymm9,%ymm9\n\tvmovdqu\t%ymm3,0+128(%rdi)\n\tvmovdqu\t%ymm1,32+128(%rdi)\n\tvmovdqu\t%ymm5,64+128(%rdi)\n\tvmovdqu\t%ymm9,96+128(%rdi)\n\tvperm2i128\t$0x13,%ymm0,%ymm4,%ymm3\n\tvperm2i128\t$0x02,%ymm0,%ymm4,%ymm0\n\tvperm2i128\t$0x02,%ymm8,%ymm12,%ymm4\n\tvperm2i128\t$0x13,%ymm8,%ymm12,%ymm12\n\tvmovdqa\t%ymm3,%ymm8\n\n\tmovq\t$256,%rcx\n\tleaq\t256(%rsi),%rsi\n\tsubq\t$256,%rbx\n\tjmp\tL$seal_avx2_short_hash_remainder\n\nL$seal_avx2_tail_512:\n\tvmovdqa\tL$chacha20_consts(%rip),%ymm0\n\tvmovdqa\t0+64(%rbp),%ymm4\n\tvmovdqa\t0+96(%rbp),%ymm8\n\tvmovdqa\t%ymm0,%ymm1\n\tvmovdqa\t%ymm4,%ymm5\n\tvmovdqa\t%ymm8,%ymm9\n\tvmovdqa\t%ymm0,%ymm2\n\tvmovdqa\t%ymm4,%ymm6\n\tvmovdqa\t%ymm8,%ymm10\n\tvmovdqa\t%ymm0,%ymm3\n\tvmovdqa\t%ymm4,%ymm7\n\tvmovdqa\t%ymm8,%ymm11\n\tvmovdqa\tL$avx2_inc(%rip),%ymm12\n\tvpaddd\t0+160(%rbp),%ymm12,%ymm15\n\tvpaddd\t%ymm15,%ymm12,%ymm14\n\tvpaddd\t%ymm14,%ymm12,%ymm13\n\tvpaddd\t%ymm13,%ymm12,%ymm12\n\tvmovdqa\t%ymm15,0+256(%rbp)\n\tvmovdqa\t%ymm14,0+224(%rbp)\n\tvmovdqa\t%ymm13,0+192(%rbp)\n\tvmovdqa\t%ymm12,0+160(%rbp)\n\nL$seal_avx2_tail_512_rounds_and_3xhash:\n\taddq\t0+0(%rdi),%r10\n\tadcq\t8+0(%rdi),%r11\n\tadcq\t$1,%r12\n\tmovq\t0+0+0(%rbp),%rdx\n\tmovq\t%rdx,%r15\n\tmulxq\t%r10,%r13,%r14\n\tmulxq\t%r11,%rax,%rdx\n\timulq\t%r12,%r15\n\taddq\t%rax,%r14\n\tadcq\t%rdx,%r15\n\tmovq\t8+0+0(%rbp),%rdx\n\tmulxq\t%r10,%r10,%rax\n\taddq\t%r10,%r14\n\tmulxq\t%r11,%r11,%r9\n\tadcq\t%r11,%r15\n\tadcq\t$0,%r9\n\timulq\t%r12,%rdx\n\taddq\t%rax,%r15\n\tadcq\t%rdx,%r9\n\tmovq\t%r13,%r10\n\tmovq\t%r14,%r11\n\tmovq\t%r15,%r12\n\tandq\t$3,%r12\n\tmovq\t%r15,%r13\n\tandq\t$-4,%r13\n\tmovq\t%r9,%r14\n\tshrdq\t$2,%r9,%r15\n\tshrq\t$2,%r9\n\taddq\t%r13,%r15\n\tadcq\t%r14,%r9\n\taddq\t%r15,%r10\n\tadcq\t%r9,%r11\n\tadcq\t$0,%r12\n\n\tleaq\t16(%rdi),%rdi\nL$seal_avx2_tail_512_rounds_and_2xhash:\n\tvmovdqa\t%ymm8,0+128(%rbp)\n\tvmovdqa\tL$rol16(%rip),%ymm8\n\tvpaddd\t%ymm7,%ymm3,%ymm3\n\tvpaddd\t%ymm6,%ymm2,%ymm2\n\tvpaddd\t%ymm5,%ymm1,%ymm1\n\tvpaddd\t%ymm4,%ymm0,%ymm0\n\tvpxor\t%ymm3,%ymm15,%ymm15\n\tvpxor\t%ymm2,%ymm14,%ymm14\n\tvpxor\t%ymm1,%ymm13,%ymm13\n\tvpxor\t%ymm0,%ymm12,%ymm12\n\tvpshufb\t%ymm8,%ymm15,%ymm15\n\tvpshufb\t%ymm8,%ymm14,%ymm14\n\tvpshufb\t%ymm8,%ymm13,%ymm13\n\tvpshufb\t%ymm8,%ymm12,%ymm12\n\tvpaddd\t%ymm15,%ymm11,%ymm11\n\tvpaddd\t%ymm14,%ymm10,%ymm10\n\tvpaddd\t%ymm13,%ymm9,%ymm9\n\tvpaddd\t0+128(%rbp),%ymm12,%ymm8\n\tvpxor\t%ymm11,%ymm7,%ymm7\n\tvpxor\t%ymm10,%ymm6,%ymm6\n\taddq\t0+0(%rdi),%r10\n\tadcq\t8+0(%rdi),%r11\n\tadcq\t$1,%r12\n\tvpxor\t%ymm9,%ymm5,%ymm5\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvmovdqa\t%ymm8,0+128(%rbp)\n\tvpsrld\t$20,%ymm7,%ymm8\n\tvpslld\t$32-20,%ymm7,%ymm7\n\tvpxor\t%ymm8,%ymm7,%ymm7\n\tvpsrld\t$20,%ymm6,%ymm8\n\tvpslld\t$32-20,%ymm6,%ymm6\n\tvpxor\t%ymm8,%ymm6,%ymm6\n\tvpsrld\t$20,%ymm5,%ymm8\n\tvpslld\t$32-20,%ymm5,%ymm5\n\tvpxor\t%ymm8,%ymm5,%ymm5\n\tvpsrld\t$20,%ymm4,%ymm8\n\tvpslld\t$32-20,%ymm4,%ymm4\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvmovdqa\tL$rol8(%rip),%ymm8\n\tvpaddd\t%ymm7,%ymm3,%ymm3\n\tvpaddd\t%ymm6,%ymm2,%ymm2\n\tvpaddd\t%ymm5,%ymm1,%ymm1\n\tvpaddd\t%ymm4,%ymm0,%ymm0\n\tmovq\t0+0+0(%rbp),%rdx\n\tmovq\t%rdx,%r15\n\tmulxq\t%r10,%r13,%r14\n\tmulxq\t%r11,%rax,%rdx\n\timulq\t%r12,%r15\n\taddq\t%rax,%r14\n\tadcq\t%rdx,%r15\n\tvpxor\t%ymm3,%ymm15,%ymm15\n\tvpxor\t%ymm2,%ymm14,%ymm14\n\tvpxor\t%ymm1,%ymm13,%ymm13\n\tvpxor\t%ymm0,%ymm12,%ymm12\n\tvpshufb\t%ymm8,%ymm15,%ymm15\n\tvpshufb\t%ymm8,%ymm14,%ymm14\n\tvpshufb\t%ymm8,%ymm13,%ymm13\n\tvpshufb\t%ymm8,%ymm12,%ymm12\n\tvpaddd\t%ymm15,%ymm11,%ymm11\n\tvpaddd\t%ymm14,%ymm10,%ymm10\n\tvpaddd\t%ymm13,%ymm9,%ymm9\n\tvpaddd\t0+128(%rbp),%ymm12,%ymm8\n\tvpxor\t%ymm11,%ymm7,%ymm7\n\tvpxor\t%ymm10,%ymm6,%ymm6\n\tvpxor\t%ymm9,%ymm5,%ymm5\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvmovdqa\t%ymm8,0+128(%rbp)\n\tvpsrld\t$25,%ymm7,%ymm8\n\tvpslld\t$32-25,%ymm7,%ymm7\n\tvpxor\t%ymm8,%ymm7,%ymm7\n\tmovq\t8+0+0(%rbp),%rdx\n\tmulxq\t%r10,%r10,%rax\n\taddq\t%r10,%r14\n\tmulxq\t%r11,%r11,%r9\n\tadcq\t%r11,%r15\n\tadcq\t$0,%r9\n\timulq\t%r12,%rdx\n\tvpsrld\t$25,%ymm6,%ymm8\n\tvpslld\t$32-25,%ymm6,%ymm6\n\tvpxor\t%ymm8,%ymm6,%ymm6\n\tvpsrld\t$25,%ymm5,%ymm8\n\tvpslld\t$32-25,%ymm5,%ymm5\n\tvpxor\t%ymm8,%ymm5,%ymm5\n\tvpsrld\t$25,%ymm4,%ymm8\n\tvpslld\t$32-25,%ymm4,%ymm4\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvmovdqa\t0+128(%rbp),%ymm8\n\tvpalignr\t$4,%ymm7,%ymm7,%ymm7\n\tvpalignr\t$8,%ymm11,%ymm11,%ymm11\n\tvpalignr\t$12,%ymm15,%ymm15,%ymm15\n\tvpalignr\t$4,%ymm6,%ymm6,%ymm6\n\tvpalignr\t$8,%ymm10,%ymm10,%ymm10\n\tvpalignr\t$12,%ymm14,%ymm14,%ymm14\n\tvpalignr\t$4,%ymm5,%ymm5,%ymm5\n\tvpalignr\t$8,%ymm9,%ymm9,%ymm9\n\tvpalignr\t$12,%ymm13,%ymm13,%ymm13\n\tvpalignr\t$4,%ymm4,%ymm4,%ymm4\n\taddq\t%rax,%r15\n\tadcq\t%rdx,%r9\n\tvpalignr\t$8,%ymm8,%ymm8,%ymm8\n\tvpalignr\t$12,%ymm12,%ymm12,%ymm12\n\tvmovdqa\t%ymm8,0+128(%rbp)\n\tvmovdqa\tL$rol16(%rip),%ymm8\n\tvpaddd\t%ymm7,%ymm3,%ymm3\n\tvpaddd\t%ymm6,%ymm2,%ymm2\n\tvpaddd\t%ymm5,%ymm1,%ymm1\n\tvpaddd\t%ymm4,%ymm0,%ymm0\n\tvpxor\t%ymm3,%ymm15,%ymm15\n\tvpxor\t%ymm2,%ymm14,%ymm14\n\tvpxor\t%ymm1,%ymm13,%ymm13\n\tvpxor\t%ymm0,%ymm12,%ymm12\n\tvpshufb\t%ymm8,%ymm15,%ymm15\n\tvpshufb\t%ymm8,%ymm14,%ymm14\n\tvpshufb\t%ymm8,%ymm13,%ymm13\n\tvpshufb\t%ymm8,%ymm12,%ymm12\n\tvpaddd\t%ymm15,%ymm11,%ymm11\n\tvpaddd\t%ymm14,%ymm10,%ymm10\n\tvpaddd\t%ymm13,%ymm9,%ymm9\n\tvpaddd\t0+128(%rbp),%ymm12,%ymm8\n\tmovq\t%r13,%r10\n\tmovq\t%r14,%r11\n\tmovq\t%r15,%r12\n\tandq\t$3,%r12\n\tmovq\t%r15,%r13\n\tandq\t$-4,%r13\n\tmovq\t%r9,%r14\n\tshrdq\t$2,%r9,%r15\n\tshrq\t$2,%r9\n\taddq\t%r13,%r15\n\tadcq\t%r14,%r9\n\taddq\t%r15,%r10\n\tadcq\t%r9,%r11\n\tadcq\t$0,%r12\n\tvpxor\t%ymm11,%ymm7,%ymm7\n\tvpxor\t%ymm10,%ymm6,%ymm6\n\tvpxor\t%ymm9,%ymm5,%ymm5\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvmovdqa\t%ymm8,0+128(%rbp)\n\tvpsrld\t$20,%ymm7,%ymm8\n\tvpslld\t$32-20,%ymm7,%ymm7\n\tvpxor\t%ymm8,%ymm7,%ymm7\n\tvpsrld\t$20,%ymm6,%ymm8\n\tvpslld\t$32-20,%ymm6,%ymm6\n\tvpxor\t%ymm8,%ymm6,%ymm6\n\tvpsrld\t$20,%ymm5,%ymm8\n\tvpslld\t$32-20,%ymm5,%ymm5\n\tvpxor\t%ymm8,%ymm5,%ymm5\n\tvpsrld\t$20,%ymm4,%ymm8\n\tvpslld\t$32-20,%ymm4,%ymm4\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvmovdqa\tL$rol8(%rip),%ymm8\n\tvpaddd\t%ymm7,%ymm3,%ymm3\n\tvpaddd\t%ymm6,%ymm2,%ymm2\n\taddq\t0+16(%rdi),%r10\n\tadcq\t8+16(%rdi),%r11\n\tadcq\t$1,%r12\n\tvpaddd\t%ymm5,%ymm1,%ymm1\n\tvpaddd\t%ymm4,%ymm0,%ymm0\n\tvpxor\t%ymm3,%ymm15,%ymm15\n\tvpxor\t%ymm2,%ymm14,%ymm14\n\tvpxor\t%ymm1,%ymm13,%ymm13\n\tvpxor\t%ymm0,%ymm12,%ymm12\n\tvpshufb\t%ymm8,%ymm15,%ymm15\n\tvpshufb\t%ymm8,%ymm14,%ymm14\n\tvpshufb\t%ymm8,%ymm13,%ymm13\n\tvpshufb\t%ymm8,%ymm12,%ymm12\n\tvpaddd\t%ymm15,%ymm11,%ymm11\n\tvpaddd\t%ymm14,%ymm10,%ymm10\n\tvpaddd\t%ymm13,%ymm9,%ymm9\n\tvpaddd\t0+128(%rbp),%ymm12,%ymm8\n\tvpxor\t%ymm11,%ymm7,%ymm7\n\tvpxor\t%ymm10,%ymm6,%ymm6\n\tvpxor\t%ymm9,%ymm5,%ymm5\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvmovdqa\t%ymm8,0+128(%rbp)\n\tvpsrld\t$25,%ymm7,%ymm8\n\tmovq\t0+0+0(%rbp),%rdx\n\tmovq\t%rdx,%r15\n\tmulxq\t%r10,%r13,%r14\n\tmulxq\t%r11,%rax,%rdx\n\timulq\t%r12,%r15\n\taddq\t%rax,%r14\n\tadcq\t%rdx,%r15\n\tvpslld\t$32-25,%ymm7,%ymm7\n\tvpxor\t%ymm8,%ymm7,%ymm7\n\tvpsrld\t$25,%ymm6,%ymm8\n\tvpslld\t$32-25,%ymm6,%ymm6\n\tvpxor\t%ymm8,%ymm6,%ymm6\n\tvpsrld\t$25,%ymm5,%ymm8\n\tvpslld\t$32-25,%ymm5,%ymm5\n\tvpxor\t%ymm8,%ymm5,%ymm5\n\tvpsrld\t$25,%ymm4,%ymm8\n\tvpslld\t$32-25,%ymm4,%ymm4\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvmovdqa\t0+128(%rbp),%ymm8\n\tvpalignr\t$12,%ymm7,%ymm7,%ymm7\n\tvpalignr\t$8,%ymm11,%ymm11,%ymm11\n\tvpalignr\t$4,%ymm15,%ymm15,%ymm15\n\tvpalignr\t$12,%ymm6,%ymm6,%ymm6\n\tvpalignr\t$8,%ymm10,%ymm10,%ymm10\n\tvpalignr\t$4,%ymm14,%ymm14,%ymm14\n\tvpalignr\t$12,%ymm5,%ymm5,%ymm5\n\tvpalignr\t$8,%ymm9,%ymm9,%ymm9\n\tmovq\t8+0+0(%rbp),%rdx\n\tmulxq\t%r10,%r10,%rax\n\taddq\t%r10,%r14\n\tmulxq\t%r11,%r11,%r9\n\tadcq\t%r11,%r15\n\tadcq\t$0,%r9\n\timulq\t%r12,%rdx\n\tvpalignr\t$4,%ymm13,%ymm13,%ymm13\n\tvpalignr\t$12,%ymm4,%ymm4,%ymm4\n\tvpalignr\t$8,%ymm8,%ymm8,%ymm8\n\tvpalignr\t$4,%ymm12,%ymm12,%ymm12\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\taddq\t%rax,%r15\n\tadcq\t%rdx,%r9\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\tmovq\t%r13,%r10\n\tmovq\t%r14,%r11\n\tmovq\t%r15,%r12\n\tandq\t$3,%r12\n\tmovq\t%r15,%r13\n\tandq\t$-4,%r13\n\tmovq\t%r9,%r14\n\tshrdq\t$2,%r9,%r15\n\tshrq\t$2,%r9\n\taddq\t%r13,%r15\n\tadcq\t%r14,%r9\n\taddq\t%r15,%r10\n\tadcq\t%r9,%r11\n\tadcq\t$0,%r12\n\n\tleaq\t32(%rdi),%rdi\n\tdecq\t%rcx\n\tjg\tL$seal_avx2_tail_512_rounds_and_3xhash\n\tdecq\t%r8\n\tjge\tL$seal_avx2_tail_512_rounds_and_2xhash\n\tvpaddd\tL$chacha20_consts(%rip),%ymm3,%ymm3\n\tvpaddd\t0+64(%rbp),%ymm7,%ymm7\n\tvpaddd\t0+96(%rbp),%ymm11,%ymm11\n\tvpaddd\t0+256(%rbp),%ymm15,%ymm15\n\tvpaddd\tL$chacha20_consts(%rip),%ymm2,%ymm2\n\tvpaddd\t0+64(%rbp),%ymm6,%ymm6\n\tvpaddd\t0+96(%rbp),%ymm10,%ymm10\n\tvpaddd\t0+224(%rbp),%ymm14,%ymm14\n\tvpaddd\tL$chacha20_consts(%rip),%ymm1,%ymm1\n\tvpaddd\t0+64(%rbp),%ymm5,%ymm5\n\tvpaddd\t0+96(%rbp),%ymm9,%ymm9\n\tvpaddd\t0+192(%rbp),%ymm13,%ymm13\n\tvpaddd\tL$chacha20_consts(%rip),%ymm0,%ymm0\n\tvpaddd\t0+64(%rbp),%ymm4,%ymm4\n\tvpaddd\t0+96(%rbp),%ymm8,%ymm8\n\tvpaddd\t0+160(%rbp),%ymm12,%ymm12\n\n\tvmovdqa\t%ymm0,0+128(%rbp)\n\tvperm2i128\t$0x02,%ymm3,%ymm7,%ymm0\n\tvperm2i128\t$0x13,%ymm3,%ymm7,%ymm7\n\tvperm2i128\t$0x02,%ymm11,%ymm15,%ymm3\n\tvperm2i128\t$0x13,%ymm11,%ymm15,%ymm11\n\tvpxor\t0+0(%rsi),%ymm0,%ymm0\n\tvpxor\t32+0(%rsi),%ymm3,%ymm3\n\tvpxor\t64+0(%rsi),%ymm7,%ymm7\n\tvpxor\t96+0(%rsi),%ymm11,%ymm11\n\tvmovdqu\t%ymm0,0+0(%rdi)\n\tvmovdqu\t%ymm3,32+0(%rdi)\n\tvmovdqu\t%ymm7,64+0(%rdi)\n\tvmovdqu\t%ymm11,96+0(%rdi)\n\n\tvmovdqa\t0+128(%rbp),%ymm0\n\tvperm2i128\t$0x02,%ymm2,%ymm6,%ymm3\n\tvperm2i128\t$0x13,%ymm2,%ymm6,%ymm6\n\tvperm2i128\t$0x02,%ymm10,%ymm14,%ymm2\n\tvperm2i128\t$0x13,%ymm10,%ymm14,%ymm10\n\tvpxor\t0+128(%rsi),%ymm3,%ymm3\n\tvpxor\t32+128(%rsi),%ymm2,%ymm2\n\tvpxor\t64+128(%rsi),%ymm6,%ymm6\n\tvpxor\t96+128(%rsi),%ymm10,%ymm10\n\tvmovdqu\t%ymm3,0+128(%rdi)\n\tvmovdqu\t%ymm2,32+128(%rdi)\n\tvmovdqu\t%ymm6,64+128(%rdi)\n\tvmovdqu\t%ymm10,96+128(%rdi)\n\tvperm2i128\t$0x02,%ymm1,%ymm5,%ymm3\n\tvperm2i128\t$0x13,%ymm1,%ymm5,%ymm5\n\tvperm2i128\t$0x02,%ymm9,%ymm13,%ymm1\n\tvperm2i128\t$0x13,%ymm9,%ymm13,%ymm9\n\tvpxor\t0+256(%rsi),%ymm3,%ymm3\n\tvpxor\t32+256(%rsi),%ymm1,%ymm1\n\tvpxor\t64+256(%rsi),%ymm5,%ymm5\n\tvpxor\t96+256(%rsi),%ymm9,%ymm9\n\tvmovdqu\t%ymm3,0+256(%rdi)\n\tvmovdqu\t%ymm1,32+256(%rdi)\n\tvmovdqu\t%ymm5,64+256(%rdi)\n\tvmovdqu\t%ymm9,96+256(%rdi)\n\tvperm2i128\t$0x13,%ymm0,%ymm4,%ymm3\n\tvperm2i128\t$0x02,%ymm0,%ymm4,%ymm0\n\tvperm2i128\t$0x02,%ymm8,%ymm12,%ymm4\n\tvperm2i128\t$0x13,%ymm8,%ymm12,%ymm12\n\tvmovdqa\t%ymm3,%ymm8\n\n\tmovq\t$384,%rcx\n\tleaq\t384(%rsi),%rsi\n\tsubq\t$384,%rbx\n\tjmp\tL$seal_avx2_short_hash_remainder\n\nL$seal_avx2_320:\n\tvmovdqa\t%ymm0,%ymm1\n\tvmovdqa\t%ymm0,%ymm2\n\tvmovdqa\t%ymm4,%ymm5\n\tvmovdqa\t%ymm4,%ymm6\n\tvmovdqa\t%ymm8,%ymm9\n\tvmovdqa\t%ymm8,%ymm10\n\tvpaddd\tL$avx2_inc(%rip),%ymm12,%ymm13\n\tvpaddd\tL$avx2_inc(%rip),%ymm13,%ymm14\n\tvmovdqa\t%ymm4,%ymm7\n\tvmovdqa\t%ymm8,%ymm11\n\tvmovdqa\t%ymm12,0+160(%rbp)\n\tvmovdqa\t%ymm13,0+192(%rbp)\n\tvmovdqa\t%ymm14,0+224(%rbp)\n\tmovq\t$10,%r10\nL$seal_avx2_320_rounds:\n\tvpaddd\t%ymm4,%ymm0,%ymm0\n\tvpxor\t%ymm0,%ymm12,%ymm12\n\tvpshufb\tL$rol16(%rip),%ymm12,%ymm12\n\tvpaddd\t%ymm12,%ymm8,%ymm8\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvpsrld\t$20,%ymm4,%ymm3\n\tvpslld\t$12,%ymm4,%ymm4\n\tvpxor\t%ymm3,%ymm4,%ymm4\n\tvpaddd\t%ymm4,%ymm0,%ymm0\n\tvpxor\t%ymm0,%ymm12,%ymm12\n\tvpshufb\tL$rol8(%rip),%ymm12,%ymm12\n\tvpaddd\t%ymm12,%ymm8,%ymm8\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvpslld\t$7,%ymm4,%ymm3\n\tvpsrld\t$25,%ymm4,%ymm4\n\tvpxor\t%ymm3,%ymm4,%ymm4\n\tvpalignr\t$12,%ymm12,%ymm12,%ymm12\n\tvpalignr\t$8,%ymm8,%ymm8,%ymm8\n\tvpalignr\t$4,%ymm4,%ymm4,%ymm4\n\tvpaddd\t%ymm5,%ymm1,%ymm1\n\tvpxor\t%ymm1,%ymm13,%ymm13\n\tvpshufb\tL$rol16(%rip),%ymm13,%ymm13\n\tvpaddd\t%ymm13,%ymm9,%ymm9\n\tvpxor\t%ymm9,%ymm5,%ymm5\n\tvpsrld\t$20,%ymm5,%ymm3\n\tvpslld\t$12,%ymm5,%ymm5\n\tvpxor\t%ymm3,%ymm5,%ymm5\n\tvpaddd\t%ymm5,%ymm1,%ymm1\n\tvpxor\t%ymm1,%ymm13,%ymm13\n\tvpshufb\tL$rol8(%rip),%ymm13,%ymm13\n\tvpaddd\t%ymm13,%ymm9,%ymm9\n\tvpxor\t%ymm9,%ymm5,%ymm5\n\tvpslld\t$7,%ymm5,%ymm3\n\tvpsrld\t$25,%ymm5,%ymm5\n\tvpxor\t%ymm3,%ymm5,%ymm5\n\tvpalignr\t$12,%ymm13,%ymm13,%ymm13\n\tvpalignr\t$8,%ymm9,%ymm9,%ymm9\n\tvpalignr\t$4,%ymm5,%ymm5,%ymm5\n\tvpaddd\t%ymm6,%ymm2,%ymm2\n\tvpxor\t%ymm2,%ymm14,%ymm14\n\tvpshufb\tL$rol16(%rip),%ymm14,%ymm14\n\tvpaddd\t%ymm14,%ymm10,%ymm10\n\tvpxor\t%ymm10,%ymm6,%ymm6\n\tvpsrld\t$20,%ymm6,%ymm3\n\tvpslld\t$12,%ymm6,%ymm6\n\tvpxor\t%ymm3,%ymm6,%ymm6\n\tvpaddd\t%ymm6,%ymm2,%ymm2\n\tvpxor\t%ymm2,%ymm14,%ymm14\n\tvpshufb\tL$rol8(%rip),%ymm14,%ymm14\n\tvpaddd\t%ymm14,%ymm10,%ymm10\n\tvpxor\t%ymm10,%ymm6,%ymm6\n\tvpslld\t$7,%ymm6,%ymm3\n\tvpsrld\t$25,%ymm6,%ymm6\n\tvpxor\t%ymm3,%ymm6,%ymm6\n\tvpalignr\t$12,%ymm14,%ymm14,%ymm14\n\tvpalignr\t$8,%ymm10,%ymm10,%ymm10\n\tvpalignr\t$4,%ymm6,%ymm6,%ymm6\n\tvpaddd\t%ymm4,%ymm0,%ymm0\n\tvpxor\t%ymm0,%ymm12,%ymm12\n\tvpshufb\tL$rol16(%rip),%ymm12,%ymm12\n\tvpaddd\t%ymm12,%ymm8,%ymm8\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvpsrld\t$20,%ymm4,%ymm3\n\tvpslld\t$12,%ymm4,%ymm4\n\tvpxor\t%ymm3,%ymm4,%ymm4\n\tvpaddd\t%ymm4,%ymm0,%ymm0\n\tvpxor\t%ymm0,%ymm12,%ymm12\n\tvpshufb\tL$rol8(%rip),%ymm12,%ymm12\n\tvpaddd\t%ymm12,%ymm8,%ymm8\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvpslld\t$7,%ymm4,%ymm3\n\tvpsrld\t$25,%ymm4,%ymm4\n\tvpxor\t%ymm3,%ymm4,%ymm4\n\tvpalignr\t$4,%ymm12,%ymm12,%ymm12\n\tvpalignr\t$8,%ymm8,%ymm8,%ymm8\n\tvpalignr\t$12,%ymm4,%ymm4,%ymm4\n\tvpaddd\t%ymm5,%ymm1,%ymm1\n\tvpxor\t%ymm1,%ymm13,%ymm13\n\tvpshufb\tL$rol16(%rip),%ymm13,%ymm13\n\tvpaddd\t%ymm13,%ymm9,%ymm9\n\tvpxor\t%ymm9,%ymm5,%ymm5\n\tvpsrld\t$20,%ymm5,%ymm3\n\tvpslld\t$12,%ymm5,%ymm5\n\tvpxor\t%ymm3,%ymm5,%ymm5\n\tvpaddd\t%ymm5,%ymm1,%ymm1\n\tvpxor\t%ymm1,%ymm13,%ymm13\n\tvpshufb\tL$rol8(%rip),%ymm13,%ymm13\n\tvpaddd\t%ymm13,%ymm9,%ymm9\n\tvpxor\t%ymm9,%ymm5,%ymm5\n\tvpslld\t$7,%ymm5,%ymm3\n\tvpsrld\t$25,%ymm5,%ymm5\n\tvpxor\t%ymm3,%ymm5,%ymm5\n\tvpalignr\t$4,%ymm13,%ymm13,%ymm13\n\tvpalignr\t$8,%ymm9,%ymm9,%ymm9\n\tvpalignr\t$12,%ymm5,%ymm5,%ymm5\n\tvpaddd\t%ymm6,%ymm2,%ymm2\n\tvpxor\t%ymm2,%ymm14,%ymm14\n\tvpshufb\tL$rol16(%rip),%ymm14,%ymm14\n\tvpaddd\t%ymm14,%ymm10,%ymm10\n\tvpxor\t%ymm10,%ymm6,%ymm6\n\tvpsrld\t$20,%ymm6,%ymm3\n\tvpslld\t$12,%ymm6,%ymm6\n\tvpxor\t%ymm3,%ymm6,%ymm6\n\tvpaddd\t%ymm6,%ymm2,%ymm2\n\tvpxor\t%ymm2,%ymm14,%ymm14\n\tvpshufb\tL$rol8(%rip),%ymm14,%ymm14\n\tvpaddd\t%ymm14,%ymm10,%ymm10\n\tvpxor\t%ymm10,%ymm6,%ymm6\n\tvpslld\t$7,%ymm6,%ymm3\n\tvpsrld\t$25,%ymm6,%ymm6\n\tvpxor\t%ymm3,%ymm6,%ymm6\n\tvpalignr\t$4,%ymm14,%ymm14,%ymm14\n\tvpalignr\t$8,%ymm10,%ymm10,%ymm10\n\tvpalignr\t$12,%ymm6,%ymm6,%ymm6\n\n\tdecq\t%r10\n\tjne\tL$seal_avx2_320_rounds\n\tvpaddd\tL$chacha20_consts(%rip),%ymm0,%ymm0\n\tvpaddd\tL$chacha20_consts(%rip),%ymm1,%ymm1\n\tvpaddd\tL$chacha20_consts(%rip),%ymm2,%ymm2\n\tvpaddd\t%ymm7,%ymm4,%ymm4\n\tvpaddd\t%ymm7,%ymm5,%ymm5\n\tvpaddd\t%ymm7,%ymm6,%ymm6\n\tvpaddd\t%ymm11,%ymm8,%ymm8\n\tvpaddd\t%ymm11,%ymm9,%ymm9\n\tvpaddd\t%ymm11,%ymm10,%ymm10\n\tvpaddd\t0+160(%rbp),%ymm12,%ymm12\n\tvpaddd\t0+192(%rbp),%ymm13,%ymm13\n\tvpaddd\t0+224(%rbp),%ymm14,%ymm14\n\tvperm2i128\t$0x02,%ymm0,%ymm4,%ymm3\n\n\tvpand\tL$clamp(%rip),%ymm3,%ymm3\n\tvmovdqa\t%ymm3,0+0(%rbp)\n\n\tvperm2i128\t$0x13,%ymm0,%ymm4,%ymm0\n\tvperm2i128\t$0x13,%ymm8,%ymm12,%ymm4\n\tvperm2i128\t$0x02,%ymm1,%ymm5,%ymm8\n\tvperm2i128\t$0x02,%ymm9,%ymm13,%ymm12\n\tvperm2i128\t$0x13,%ymm1,%ymm5,%ymm1\n\tvperm2i128\t$0x13,%ymm9,%ymm13,%ymm5\n\tvperm2i128\t$0x02,%ymm2,%ymm6,%ymm9\n\tvperm2i128\t$0x02,%ymm10,%ymm14,%ymm13\n\tvperm2i128\t$0x13,%ymm2,%ymm6,%ymm2\n\tvperm2i128\t$0x13,%ymm10,%ymm14,%ymm6\n\tjmp\tL$seal_avx2_short\n\nL$seal_avx2_192:\n\tvmovdqa\t%ymm0,%ymm1\n\tvmovdqa\t%ymm0,%ymm2\n\tvmovdqa\t%ymm4,%ymm5\n\tvmovdqa\t%ymm4,%ymm6\n\tvmovdqa\t%ymm8,%ymm9\n\tvmovdqa\t%ymm8,%ymm10\n\tvpaddd\tL$avx2_inc(%rip),%ymm12,%ymm13\n\tvmovdqa\t%ymm12,%ymm11\n\tvmovdqa\t%ymm13,%ymm15\n\tmovq\t$10,%r10\nL$seal_avx2_192_rounds:\n\tvpaddd\t%ymm4,%ymm0,%ymm0\n\tvpxor\t%ymm0,%ymm12,%ymm12\n\tvpshufb\tL$rol16(%rip),%ymm12,%ymm12\n\tvpaddd\t%ymm12,%ymm8,%ymm8\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvpsrld\t$20,%ymm4,%ymm3\n\tvpslld\t$12,%ymm4,%ymm4\n\tvpxor\t%ymm3,%ymm4,%ymm4\n\tvpaddd\t%ymm4,%ymm0,%ymm0\n\tvpxor\t%ymm0,%ymm12,%ymm12\n\tvpshufb\tL$rol8(%rip),%ymm12,%ymm12\n\tvpaddd\t%ymm12,%ymm8,%ymm8\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvpslld\t$7,%ymm4,%ymm3\n\tvpsrld\t$25,%ymm4,%ymm4\n\tvpxor\t%ymm3,%ymm4,%ymm4\n\tvpalignr\t$12,%ymm12,%ymm12,%ymm12\n\tvpalignr\t$8,%ymm8,%ymm8,%ymm8\n\tvpalignr\t$4,%ymm4,%ymm4,%ymm4\n\tvpaddd\t%ymm5,%ymm1,%ymm1\n\tvpxor\t%ymm1,%ymm13,%ymm13\n\tvpshufb\tL$rol16(%rip),%ymm13,%ymm13\n\tvpaddd\t%ymm13,%ymm9,%ymm9\n\tvpxor\t%ymm9,%ymm5,%ymm5\n\tvpsrld\t$20,%ymm5,%ymm3\n\tvpslld\t$12,%ymm5,%ymm5\n\tvpxor\t%ymm3,%ymm5,%ymm5\n\tvpaddd\t%ymm5,%ymm1,%ymm1\n\tvpxor\t%ymm1,%ymm13,%ymm13\n\tvpshufb\tL$rol8(%rip),%ymm13,%ymm13\n\tvpaddd\t%ymm13,%ymm9,%ymm9\n\tvpxor\t%ymm9,%ymm5,%ymm5\n\tvpslld\t$7,%ymm5,%ymm3\n\tvpsrld\t$25,%ymm5,%ymm5\n\tvpxor\t%ymm3,%ymm5,%ymm5\n\tvpalignr\t$12,%ymm13,%ymm13,%ymm13\n\tvpalignr\t$8,%ymm9,%ymm9,%ymm9\n\tvpalignr\t$4,%ymm5,%ymm5,%ymm5\n\tvpaddd\t%ymm4,%ymm0,%ymm0\n\tvpxor\t%ymm0,%ymm12,%ymm12\n\tvpshufb\tL$rol16(%rip),%ymm12,%ymm12\n\tvpaddd\t%ymm12,%ymm8,%ymm8\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvpsrld\t$20,%ymm4,%ymm3\n\tvpslld\t$12,%ymm4,%ymm4\n\tvpxor\t%ymm3,%ymm4,%ymm4\n\tvpaddd\t%ymm4,%ymm0,%ymm0\n\tvpxor\t%ymm0,%ymm12,%ymm12\n\tvpshufb\tL$rol8(%rip),%ymm12,%ymm12\n\tvpaddd\t%ymm12,%ymm8,%ymm8\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvpslld\t$7,%ymm4,%ymm3\n\tvpsrld\t$25,%ymm4,%ymm4\n\tvpxor\t%ymm3,%ymm4,%ymm4\n\tvpalignr\t$4,%ymm12,%ymm12,%ymm12\n\tvpalignr\t$8,%ymm8,%ymm8,%ymm8\n\tvpalignr\t$12,%ymm4,%ymm4,%ymm4\n\tvpaddd\t%ymm5,%ymm1,%ymm1\n\tvpxor\t%ymm1,%ymm13,%ymm13\n\tvpshufb\tL$rol16(%rip),%ymm13,%ymm13\n\tvpaddd\t%ymm13,%ymm9,%ymm9\n\tvpxor\t%ymm9,%ymm5,%ymm5\n\tvpsrld\t$20,%ymm5,%ymm3\n\tvpslld\t$12,%ymm5,%ymm5\n\tvpxor\t%ymm3,%ymm5,%ymm5\n\tvpaddd\t%ymm5,%ymm1,%ymm1\n\tvpxor\t%ymm1,%ymm13,%ymm13\n\tvpshufb\tL$rol8(%rip),%ymm13,%ymm13\n\tvpaddd\t%ymm13,%ymm9,%ymm9\n\tvpxor\t%ymm9,%ymm5,%ymm5\n\tvpslld\t$7,%ymm5,%ymm3\n\tvpsrld\t$25,%ymm5,%ymm5\n\tvpxor\t%ymm3,%ymm5,%ymm5\n\tvpalignr\t$4,%ymm13,%ymm13,%ymm13\n\tvpalignr\t$8,%ymm9,%ymm9,%ymm9\n\tvpalignr\t$12,%ymm5,%ymm5,%ymm5\n\n\tdecq\t%r10\n\tjne\tL$seal_avx2_192_rounds\n\tvpaddd\t%ymm2,%ymm0,%ymm0\n\tvpaddd\t%ymm2,%ymm1,%ymm1\n\tvpaddd\t%ymm6,%ymm4,%ymm4\n\tvpaddd\t%ymm6,%ymm5,%ymm5\n\tvpaddd\t%ymm10,%ymm8,%ymm8\n\tvpaddd\t%ymm10,%ymm9,%ymm9\n\tvpaddd\t%ymm11,%ymm12,%ymm12\n\tvpaddd\t%ymm15,%ymm13,%ymm13\n\tvperm2i128\t$0x02,%ymm0,%ymm4,%ymm3\n\n\tvpand\tL$clamp(%rip),%ymm3,%ymm3\n\tvmovdqa\t%ymm3,0+0(%rbp)\n\n\tvperm2i128\t$0x13,%ymm0,%ymm4,%ymm0\n\tvperm2i128\t$0x13,%ymm8,%ymm12,%ymm4\n\tvperm2i128\t$0x02,%ymm1,%ymm5,%ymm8\n\tvperm2i128\t$0x02,%ymm9,%ymm13,%ymm12\n\tvperm2i128\t$0x13,%ymm1,%ymm5,%ymm1\n\tvperm2i128\t$0x13,%ymm9,%ymm13,%ymm5\nL$seal_avx2_short:\n\tmovq\t%r8,%r8\n\tcall\tpoly_hash_ad_internal\n\txorq\t%rcx,%rcx\nL$seal_avx2_short_hash_remainder:\n\tcmpq\t$16,%rcx\n\tjb\tL$seal_avx2_short_loop\n\taddq\t0+0(%rdi),%r10\n\tadcq\t8+0(%rdi),%r11\n\tadcq\t$1,%r12\n\tmovq\t0+0+0(%rbp),%rax\n\tmovq\t%rax,%r15\n\tmulq\t%r10\n\tmovq\t%rax,%r13\n\tmovq\t%rdx,%r14\n\tmovq\t0+0+0(%rbp),%rax\n\tmulq\t%r11\n\timulq\t%r12,%r15\n\taddq\t%rax,%r14\n\tadcq\t%rdx,%r15\n\tmovq\t8+0+0(%rbp),%rax\n\tmovq\t%rax,%r9\n\tmulq\t%r10\n\taddq\t%rax,%r14\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r10\n\tmovq\t8+0+0(%rbp),%rax\n\tmulq\t%r11\n\taddq\t%rax,%r15\n\tadcq\t$0,%rdx\n\timulq\t%r12,%r9\n\taddq\t%r10,%r15\n\tadcq\t%rdx,%r9\n\tmovq\t%r13,%r10\n\tmovq\t%r14,%r11\n\tmovq\t%r15,%r12\n\tandq\t$3,%r12\n\tmovq\t%r15,%r13\n\tandq\t$-4,%r13\n\tmovq\t%r9,%r14\n\tshrdq\t$2,%r9,%r15\n\tshrq\t$2,%r9\n\taddq\t%r13,%r15\n\tadcq\t%r14,%r9\n\taddq\t%r15,%r10\n\tadcq\t%r9,%r11\n\tadcq\t$0,%r12\n\n\tsubq\t$16,%rcx\n\taddq\t$16,%rdi\n\tjmp\tL$seal_avx2_short_hash_remainder\nL$seal_avx2_short_loop:\n\tcmpq\t$32,%rbx\n\tjb\tL$seal_avx2_short_tail\n\tsubq\t$32,%rbx\n\n\tvpxor\t(%rsi),%ymm0,%ymm0\n\tvmovdqu\t%ymm0,(%rdi)\n\tleaq\t32(%rsi),%rsi\n\n\taddq\t0+0(%rdi),%r10\n\tadcq\t8+0(%rdi),%r11\n\tadcq\t$1,%r12\n\tmovq\t0+0+0(%rbp),%rax\n\tmovq\t%rax,%r15\n\tmulq\t%r10\n\tmovq\t%rax,%r13\n\tmovq\t%rdx,%r14\n\tmovq\t0+0+0(%rbp),%rax\n\tmulq\t%r11\n\timulq\t%r12,%r15\n\taddq\t%rax,%r14\n\tadcq\t%rdx,%r15\n\tmovq\t8+0+0(%rbp),%rax\n\tmovq\t%rax,%r9\n\tmulq\t%r10\n\taddq\t%rax,%r14\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r10\n\tmovq\t8+0+0(%rbp),%rax\n\tmulq\t%r11\n\taddq\t%rax,%r15\n\tadcq\t$0,%rdx\n\timulq\t%r12,%r9\n\taddq\t%r10,%r15\n\tadcq\t%rdx,%r9\n\tmovq\t%r13,%r10\n\tmovq\t%r14,%r11\n\tmovq\t%r15,%r12\n\tandq\t$3,%r12\n\tmovq\t%r15,%r13\n\tandq\t$-4,%r13\n\tmovq\t%r9,%r14\n\tshrdq\t$2,%r9,%r15\n\tshrq\t$2,%r9\n\taddq\t%r13,%r15\n\tadcq\t%r14,%r9\n\taddq\t%r15,%r10\n\tadcq\t%r9,%r11\n\tadcq\t$0,%r12\n\taddq\t0+16(%rdi),%r10\n\tadcq\t8+16(%rdi),%r11\n\tadcq\t$1,%r12\n\tmovq\t0+0+0(%rbp),%rax\n\tmovq\t%rax,%r15\n\tmulq\t%r10\n\tmovq\t%rax,%r13\n\tmovq\t%rdx,%r14\n\tmovq\t0+0+0(%rbp),%rax\n\tmulq\t%r11\n\timulq\t%r12,%r15\n\taddq\t%rax,%r14\n\tadcq\t%rdx,%r15\n\tmovq\t8+0+0(%rbp),%rax\n\tmovq\t%rax,%r9\n\tmulq\t%r10\n\taddq\t%rax,%r14\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r10\n\tmovq\t8+0+0(%rbp),%rax\n\tmulq\t%r11\n\taddq\t%rax,%r15\n\tadcq\t$0,%rdx\n\timulq\t%r12,%r9\n\taddq\t%r10,%r15\n\tadcq\t%rdx,%r9\n\tmovq\t%r13,%r10\n\tmovq\t%r14,%r11\n\tmovq\t%r15,%r12\n\tandq\t$3,%r12\n\tmovq\t%r15,%r13\n\tandq\t$-4,%r13\n\tmovq\t%r9,%r14\n\tshrdq\t$2,%r9,%r15\n\tshrq\t$2,%r9\n\taddq\t%r13,%r15\n\tadcq\t%r14,%r9\n\taddq\t%r15,%r10\n\tadcq\t%r9,%r11\n\tadcq\t$0,%r12\n\n\tleaq\t32(%rdi),%rdi\n\n\tvmovdqa\t%ymm4,%ymm0\n\tvmovdqa\t%ymm8,%ymm4\n\tvmovdqa\t%ymm12,%ymm8\n\tvmovdqa\t%ymm1,%ymm12\n\tvmovdqa\t%ymm5,%ymm1\n\tvmovdqa\t%ymm9,%ymm5\n\tvmovdqa\t%ymm13,%ymm9\n\tvmovdqa\t%ymm2,%ymm13\n\tvmovdqa\t%ymm6,%ymm2\n\tjmp\tL$seal_avx2_short_loop\nL$seal_avx2_short_tail:\n\tcmpq\t$16,%rbx\n\tjb\tL$seal_avx2_exit\n\tsubq\t$16,%rbx\n\tvpxor\t(%rsi),%xmm0,%xmm3\n\tvmovdqu\t%xmm3,(%rdi)\n\tleaq\t16(%rsi),%rsi\n\taddq\t0+0(%rdi),%r10\n\tadcq\t8+0(%rdi),%r11\n\tadcq\t$1,%r12\n\tmovq\t0+0+0(%rbp),%rax\n\tmovq\t%rax,%r15\n\tmulq\t%r10\n\tmovq\t%rax,%r13\n\tmovq\t%rdx,%r14\n\tmovq\t0+0+0(%rbp),%rax\n\tmulq\t%r11\n\timulq\t%r12,%r15\n\taddq\t%rax,%r14\n\tadcq\t%rdx,%r15\n\tmovq\t8+0+0(%rbp),%rax\n\tmovq\t%rax,%r9\n\tmulq\t%r10\n\taddq\t%rax,%r14\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r10\n\tmovq\t8+0+0(%rbp),%rax\n\tmulq\t%r11\n\taddq\t%rax,%r15\n\tadcq\t$0,%rdx\n\timulq\t%r12,%r9\n\taddq\t%r10,%r15\n\tadcq\t%rdx,%r9\n\tmovq\t%r13,%r10\n\tmovq\t%r14,%r11\n\tmovq\t%r15,%r12\n\tandq\t$3,%r12\n\tmovq\t%r15,%r13\n\tandq\t$-4,%r13\n\tmovq\t%r9,%r14\n\tshrdq\t$2,%r9,%r15\n\tshrq\t$2,%r9\n\taddq\t%r13,%r15\n\tadcq\t%r14,%r9\n\taddq\t%r15,%r10\n\tadcq\t%r9,%r11\n\tadcq\t$0,%r12\n\n\tleaq\t16(%rdi),%rdi\n\tvextracti128\t$1,%ymm0,%xmm0\nL$seal_avx2_exit:\n\tvzeroupper\n\tjmp\tL$seal_sse_tail_16\n\n\n#endif\n#if defined(__linux__) && defined(__ELF__)\n.section .note.GNU-stack,\"\",%progbits\n#endif\n\n" }, { "path": "Sources/CNIOBoringSSL/gen/crypto/chacha20_poly1305_x86_64-linux.S", "content": "#define BORINGSSL_PREFIX CNIOBoringSSL\n// This file is generated from a similarly-named Perl script in the BoringSSL\n// source tree. Do not edit by hand.\n\n#include \n\n#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86_64) && defined(__ELF__)\n.section\t.rodata\n.align\t64\nchacha20_poly1305_constants:\n.Lchacha20_consts:\n.byte\t'e','x','p','a','n','d',' ','3','2','-','b','y','t','e',' ','k'\n.byte\t'e','x','p','a','n','d',' ','3','2','-','b','y','t','e',' ','k'\n.Lrol8:\n.byte\t3,0,1,2, 7,4,5,6, 11,8,9,10, 15,12,13,14\n.byte\t3,0,1,2, 7,4,5,6, 11,8,9,10, 15,12,13,14\n.Lrol16:\n.byte\t2,3,0,1, 6,7,4,5, 10,11,8,9, 14,15,12,13\n.byte\t2,3,0,1, 6,7,4,5, 10,11,8,9, 14,15,12,13\n.Lavx2_init:\n.long\t0,0,0,0\n.Lsse_inc:\n.long\t1,0,0,0\n.Lavx2_inc:\n.long\t2,0,0,0,2,0,0,0\n.Lclamp:\n.quad\t0x0FFFFFFC0FFFFFFF, 0x0FFFFFFC0FFFFFFC\n.quad\t0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF\n.align\t16\n.Land_masks:\n.byte\t0xff,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00\n.byte\t0xff,0xff,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00\n.byte\t0xff,0xff,0xff,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00\n.byte\t0xff,0xff,0xff,0xff,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00\n.byte\t0xff,0xff,0xff,0xff,0xff,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00\n.byte\t0xff,0xff,0xff,0xff,0xff,0xff,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00\n.byte\t0xff,0xff,0xff,0xff,0xff,0xff,0xff,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00\n.byte\t0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00\n.byte\t0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0x00,0x00,0x00,0x00,0x00,0x00,0x00\n.byte\t0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0x00,0x00,0x00,0x00,0x00,0x00\n.byte\t0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0x00,0x00,0x00,0x00,0x00\n.byte\t0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0x00,0x00,0x00,0x00\n.byte\t0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0x00,0x00,0x00\n.byte\t0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0x00,0x00\n.byte\t0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0x00\n.byte\t0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff\n.text\t\n\n.type\tpoly_hash_ad_internal,@function\n.align\t64\npoly_hash_ad_internal:\n.cfi_startproc\t\n.cfi_def_cfa\trsp, 8\n\txorq\t%r10,%r10\n\txorq\t%r11,%r11\n\txorq\t%r12,%r12\n\tcmpq\t$13,%r8\n\tjne\t.Lhash_ad_loop\n.Lpoly_fast_tls_ad:\n\n\tmovq\t(%rcx),%r10\n\tmovq\t5(%rcx),%r11\n\tshrq\t$24,%r11\n\tmovq\t$1,%r12\n\tmovq\t0+0+0(%rbp),%rax\n\tmovq\t%rax,%r15\n\tmulq\t%r10\n\tmovq\t%rax,%r13\n\tmovq\t%rdx,%r14\n\tmovq\t0+0+0(%rbp),%rax\n\tmulq\t%r11\n\timulq\t%r12,%r15\n\taddq\t%rax,%r14\n\tadcq\t%rdx,%r15\n\tmovq\t8+0+0(%rbp),%rax\n\tmovq\t%rax,%r9\n\tmulq\t%r10\n\taddq\t%rax,%r14\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r10\n\tmovq\t8+0+0(%rbp),%rax\n\tmulq\t%r11\n\taddq\t%rax,%r15\n\tadcq\t$0,%rdx\n\timulq\t%r12,%r9\n\taddq\t%r10,%r15\n\tadcq\t%rdx,%r9\n\tmovq\t%r13,%r10\n\tmovq\t%r14,%r11\n\tmovq\t%r15,%r12\n\tandq\t$3,%r12\n\tmovq\t%r15,%r13\n\tandq\t$-4,%r13\n\tmovq\t%r9,%r14\n\tshrdq\t$2,%r9,%r15\n\tshrq\t$2,%r9\n\taddq\t%r13,%r15\n\tadcq\t%r14,%r9\n\taddq\t%r15,%r10\n\tadcq\t%r9,%r11\n\tadcq\t$0,%r12\n\n\tret\n.Lhash_ad_loop:\n\n\tcmpq\t$16,%r8\n\tjb\t.Lhash_ad_tail\n\taddq\t0+0(%rcx),%r10\n\tadcq\t8+0(%rcx),%r11\n\tadcq\t$1,%r12\n\tmovq\t0+0+0(%rbp),%rax\n\tmovq\t%rax,%r15\n\tmulq\t%r10\n\tmovq\t%rax,%r13\n\tmovq\t%rdx,%r14\n\tmovq\t0+0+0(%rbp),%rax\n\tmulq\t%r11\n\timulq\t%r12,%r15\n\taddq\t%rax,%r14\n\tadcq\t%rdx,%r15\n\tmovq\t8+0+0(%rbp),%rax\n\tmovq\t%rax,%r9\n\tmulq\t%r10\n\taddq\t%rax,%r14\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r10\n\tmovq\t8+0+0(%rbp),%rax\n\tmulq\t%r11\n\taddq\t%rax,%r15\n\tadcq\t$0,%rdx\n\timulq\t%r12,%r9\n\taddq\t%r10,%r15\n\tadcq\t%rdx,%r9\n\tmovq\t%r13,%r10\n\tmovq\t%r14,%r11\n\tmovq\t%r15,%r12\n\tandq\t$3,%r12\n\tmovq\t%r15,%r13\n\tandq\t$-4,%r13\n\tmovq\t%r9,%r14\n\tshrdq\t$2,%r9,%r15\n\tshrq\t$2,%r9\n\taddq\t%r13,%r15\n\tadcq\t%r14,%r9\n\taddq\t%r15,%r10\n\tadcq\t%r9,%r11\n\tadcq\t$0,%r12\n\n\tleaq\t16(%rcx),%rcx\n\tsubq\t$16,%r8\n\tjmp\t.Lhash_ad_loop\n.Lhash_ad_tail:\n\tcmpq\t$0,%r8\n\tje\t.Lhash_ad_done\n\n\txorq\t%r13,%r13\n\txorq\t%r14,%r14\n\txorq\t%r15,%r15\n\taddq\t%r8,%rcx\n.Lhash_ad_tail_loop:\n\tshldq\t$8,%r13,%r14\n\tshlq\t$8,%r13\n\tmovzbq\t-1(%rcx),%r15\n\txorq\t%r15,%r13\n\tdecq\t%rcx\n\tdecq\t%r8\n\tjne\t.Lhash_ad_tail_loop\n\n\taddq\t%r13,%r10\n\tadcq\t%r14,%r11\n\tadcq\t$1,%r12\n\tmovq\t0+0+0(%rbp),%rax\n\tmovq\t%rax,%r15\n\tmulq\t%r10\n\tmovq\t%rax,%r13\n\tmovq\t%rdx,%r14\n\tmovq\t0+0+0(%rbp),%rax\n\tmulq\t%r11\n\timulq\t%r12,%r15\n\taddq\t%rax,%r14\n\tadcq\t%rdx,%r15\n\tmovq\t8+0+0(%rbp),%rax\n\tmovq\t%rax,%r9\n\tmulq\t%r10\n\taddq\t%rax,%r14\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r10\n\tmovq\t8+0+0(%rbp),%rax\n\tmulq\t%r11\n\taddq\t%rax,%r15\n\tadcq\t$0,%rdx\n\timulq\t%r12,%r9\n\taddq\t%r10,%r15\n\tadcq\t%rdx,%r9\n\tmovq\t%r13,%r10\n\tmovq\t%r14,%r11\n\tmovq\t%r15,%r12\n\tandq\t$3,%r12\n\tmovq\t%r15,%r13\n\tandq\t$-4,%r13\n\tmovq\t%r9,%r14\n\tshrdq\t$2,%r9,%r15\n\tshrq\t$2,%r9\n\taddq\t%r13,%r15\n\tadcq\t%r14,%r9\n\taddq\t%r15,%r10\n\tadcq\t%r9,%r11\n\tadcq\t$0,%r12\n\n\n.Lhash_ad_done:\n\tret\n.cfi_endproc\t\n.size\tpoly_hash_ad_internal, .-poly_hash_ad_internal\n\n.globl\tchacha20_poly1305_open_nohw\n.hidden chacha20_poly1305_open_nohw\n.type\tchacha20_poly1305_open_nohw,@function\n.align\t64\nchacha20_poly1305_open_nohw:\n.cfi_startproc\t\n_CET_ENDBR\n\tpushq\t%rbp\n.cfi_adjust_cfa_offset\t8\n.cfi_offset\t%rbp,-16\n\tpushq\t%rbx\n.cfi_adjust_cfa_offset\t8\n.cfi_offset\t%rbx,-24\n\tpushq\t%r12\n.cfi_adjust_cfa_offset\t8\n.cfi_offset\t%r12,-32\n\tpushq\t%r13\n.cfi_adjust_cfa_offset\t8\n.cfi_offset\t%r13,-40\n\tpushq\t%r14\n.cfi_adjust_cfa_offset\t8\n.cfi_offset\t%r14,-48\n\tpushq\t%r15\n.cfi_adjust_cfa_offset\t8\n.cfi_offset\t%r15,-56\n\n\n\tpushq\t%r9\n.cfi_adjust_cfa_offset\t8\n.cfi_offset\t%r9,-64\n\tsubq\t$288 + 0 + 32,%rsp\n.cfi_adjust_cfa_offset\t288 + 32\n\n\tleaq\t32(%rsp),%rbp\n\tandq\t$-32,%rbp\n\n\tmovq\t%rdx,%rbx\n\tmovq\t%r8,0+0+32(%rbp)\n\tmovq\t%rbx,8+0+32(%rbp)\n\n\tcmpq\t$128,%rbx\n\tjbe\t.Lopen_sse_128\n\n\tmovdqa\t.Lchacha20_consts(%rip),%xmm0\n\tmovdqu\t0(%r9),%xmm4\n\tmovdqu\t16(%r9),%xmm8\n\tmovdqu\t32(%r9),%xmm12\n\n\tmovdqa\t%xmm12,%xmm7\n\n\tmovdqa\t%xmm4,0+48(%rbp)\n\tmovdqa\t%xmm8,0+64(%rbp)\n\tmovdqa\t%xmm12,0+96(%rbp)\n\tmovq\t$10,%r10\n.Lopen_sse_init_rounds:\n\tpaddd\t%xmm4,%xmm0\n\tpxor\t%xmm0,%xmm12\n\tpshufb\t.Lrol16(%rip),%xmm12\n\tpaddd\t%xmm12,%xmm8\n\tpxor\t%xmm8,%xmm4\n\tmovdqa\t%xmm4,%xmm3\n\tpslld\t$12,%xmm3\n\tpsrld\t$20,%xmm4\n\tpxor\t%xmm3,%xmm4\n\tpaddd\t%xmm4,%xmm0\n\tpxor\t%xmm0,%xmm12\n\tpshufb\t.Lrol8(%rip),%xmm12\n\tpaddd\t%xmm12,%xmm8\n\tpxor\t%xmm8,%xmm4\n\tmovdqa\t%xmm4,%xmm3\n\tpslld\t$7,%xmm3\n\tpsrld\t$25,%xmm4\n\tpxor\t%xmm3,%xmm4\n.byte\t102,15,58,15,228,4\n.byte\t102,69,15,58,15,192,8\n.byte\t102,69,15,58,15,228,12\n\tpaddd\t%xmm4,%xmm0\n\tpxor\t%xmm0,%xmm12\n\tpshufb\t.Lrol16(%rip),%xmm12\n\tpaddd\t%xmm12,%xmm8\n\tpxor\t%xmm8,%xmm4\n\tmovdqa\t%xmm4,%xmm3\n\tpslld\t$12,%xmm3\n\tpsrld\t$20,%xmm4\n\tpxor\t%xmm3,%xmm4\n\tpaddd\t%xmm4,%xmm0\n\tpxor\t%xmm0,%xmm12\n\tpshufb\t.Lrol8(%rip),%xmm12\n\tpaddd\t%xmm12,%xmm8\n\tpxor\t%xmm8,%xmm4\n\tmovdqa\t%xmm4,%xmm3\n\tpslld\t$7,%xmm3\n\tpsrld\t$25,%xmm4\n\tpxor\t%xmm3,%xmm4\n.byte\t102,15,58,15,228,12\n.byte\t102,69,15,58,15,192,8\n.byte\t102,69,15,58,15,228,4\n\n\tdecq\t%r10\n\tjne\t.Lopen_sse_init_rounds\n\n\tpaddd\t.Lchacha20_consts(%rip),%xmm0\n\tpaddd\t0+48(%rbp),%xmm4\n\n\tpand\t.Lclamp(%rip),%xmm0\n\tmovdqa\t%xmm0,0+0(%rbp)\n\tmovdqa\t%xmm4,0+16(%rbp)\n\n\tmovq\t%r8,%r8\n\tcall\tpoly_hash_ad_internal\n.Lopen_sse_main_loop:\n\tcmpq\t$256,%rbx\n\tjb\t.Lopen_sse_tail\n\n\tmovdqa\t.Lchacha20_consts(%rip),%xmm0\n\tmovdqa\t0+48(%rbp),%xmm4\n\tmovdqa\t0+64(%rbp),%xmm8\n\tmovdqa\t%xmm0,%xmm1\n\tmovdqa\t%xmm4,%xmm5\n\tmovdqa\t%xmm8,%xmm9\n\tmovdqa\t%xmm0,%xmm2\n\tmovdqa\t%xmm4,%xmm6\n\tmovdqa\t%xmm8,%xmm10\n\tmovdqa\t%xmm0,%xmm3\n\tmovdqa\t%xmm4,%xmm7\n\tmovdqa\t%xmm8,%xmm11\n\tmovdqa\t0+96(%rbp),%xmm15\n\tpaddd\t.Lsse_inc(%rip),%xmm15\n\tmovdqa\t%xmm15,%xmm14\n\tpaddd\t.Lsse_inc(%rip),%xmm14\n\tmovdqa\t%xmm14,%xmm13\n\tpaddd\t.Lsse_inc(%rip),%xmm13\n\tmovdqa\t%xmm13,%xmm12\n\tpaddd\t.Lsse_inc(%rip),%xmm12\n\tmovdqa\t%xmm12,0+96(%rbp)\n\tmovdqa\t%xmm13,0+112(%rbp)\n\tmovdqa\t%xmm14,0+128(%rbp)\n\tmovdqa\t%xmm15,0+144(%rbp)\n\n\n\n\tmovq\t$4,%rcx\n\tmovq\t%rsi,%r8\n.Lopen_sse_main_loop_rounds:\n\tmovdqa\t%xmm8,0+80(%rbp)\n\tmovdqa\t.Lrol16(%rip),%xmm8\n\tpaddd\t%xmm7,%xmm3\n\tpaddd\t%xmm6,%xmm2\n\tpaddd\t%xmm5,%xmm1\n\tpaddd\t%xmm4,%xmm0\n\tpxor\t%xmm3,%xmm15\n\tpxor\t%xmm2,%xmm14\n\tpxor\t%xmm1,%xmm13\n\tpxor\t%xmm0,%xmm12\n.byte\t102,69,15,56,0,248\n.byte\t102,69,15,56,0,240\n.byte\t102,69,15,56,0,232\n.byte\t102,69,15,56,0,224\n\tmovdqa\t0+80(%rbp),%xmm8\n\tpaddd\t%xmm15,%xmm11\n\tpaddd\t%xmm14,%xmm10\n\tpaddd\t%xmm13,%xmm9\n\tpaddd\t%xmm12,%xmm8\n\tpxor\t%xmm11,%xmm7\n\taddq\t0+0(%r8),%r10\n\tadcq\t8+0(%r8),%r11\n\tadcq\t$1,%r12\n\n\tleaq\t16(%r8),%r8\n\tpxor\t%xmm10,%xmm6\n\tpxor\t%xmm9,%xmm5\n\tpxor\t%xmm8,%xmm4\n\tmovdqa\t%xmm8,0+80(%rbp)\n\tmovdqa\t%xmm7,%xmm8\n\tpsrld\t$20,%xmm8\n\tpslld\t$32-20,%xmm7\n\tpxor\t%xmm8,%xmm7\n\tmovdqa\t%xmm6,%xmm8\n\tpsrld\t$20,%xmm8\n\tpslld\t$32-20,%xmm6\n\tpxor\t%xmm8,%xmm6\n\tmovdqa\t%xmm5,%xmm8\n\tpsrld\t$20,%xmm8\n\tpslld\t$32-20,%xmm5\n\tpxor\t%xmm8,%xmm5\n\tmovdqa\t%xmm4,%xmm8\n\tpsrld\t$20,%xmm8\n\tpslld\t$32-20,%xmm4\n\tpxor\t%xmm8,%xmm4\n\tmovq\t0+0+0(%rbp),%rax\n\tmovq\t%rax,%r15\n\tmulq\t%r10\n\tmovq\t%rax,%r13\n\tmovq\t%rdx,%r14\n\tmovq\t0+0+0(%rbp),%rax\n\tmulq\t%r11\n\timulq\t%r12,%r15\n\taddq\t%rax,%r14\n\tadcq\t%rdx,%r15\n\tmovdqa\t.Lrol8(%rip),%xmm8\n\tpaddd\t%xmm7,%xmm3\n\tpaddd\t%xmm6,%xmm2\n\tpaddd\t%xmm5,%xmm1\n\tpaddd\t%xmm4,%xmm0\n\tpxor\t%xmm3,%xmm15\n\tpxor\t%xmm2,%xmm14\n\tpxor\t%xmm1,%xmm13\n\tpxor\t%xmm0,%xmm12\n.byte\t102,69,15,56,0,248\n.byte\t102,69,15,56,0,240\n.byte\t102,69,15,56,0,232\n.byte\t102,69,15,56,0,224\n\tmovdqa\t0+80(%rbp),%xmm8\n\tpaddd\t%xmm15,%xmm11\n\tpaddd\t%xmm14,%xmm10\n\tpaddd\t%xmm13,%xmm9\n\tpaddd\t%xmm12,%xmm8\n\tpxor\t%xmm11,%xmm7\n\tpxor\t%xmm10,%xmm6\n\tmovq\t8+0+0(%rbp),%rax\n\tmovq\t%rax,%r9\n\tmulq\t%r10\n\taddq\t%rax,%r14\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r10\n\tmovq\t8+0+0(%rbp),%rax\n\tmulq\t%r11\n\taddq\t%rax,%r15\n\tadcq\t$0,%rdx\n\tpxor\t%xmm9,%xmm5\n\tpxor\t%xmm8,%xmm4\n\tmovdqa\t%xmm8,0+80(%rbp)\n\tmovdqa\t%xmm7,%xmm8\n\tpsrld\t$25,%xmm8\n\tpslld\t$32-25,%xmm7\n\tpxor\t%xmm8,%xmm7\n\tmovdqa\t%xmm6,%xmm8\n\tpsrld\t$25,%xmm8\n\tpslld\t$32-25,%xmm6\n\tpxor\t%xmm8,%xmm6\n\tmovdqa\t%xmm5,%xmm8\n\tpsrld\t$25,%xmm8\n\tpslld\t$32-25,%xmm5\n\tpxor\t%xmm8,%xmm5\n\tmovdqa\t%xmm4,%xmm8\n\tpsrld\t$25,%xmm8\n\tpslld\t$32-25,%xmm4\n\tpxor\t%xmm8,%xmm4\n\tmovdqa\t0+80(%rbp),%xmm8\n\timulq\t%r12,%r9\n\taddq\t%r10,%r15\n\tadcq\t%rdx,%r9\n.byte\t102,15,58,15,255,4\n.byte\t102,69,15,58,15,219,8\n.byte\t102,69,15,58,15,255,12\n.byte\t102,15,58,15,246,4\n.byte\t102,69,15,58,15,210,8\n.byte\t102,69,15,58,15,246,12\n.byte\t102,15,58,15,237,4\n.byte\t102,69,15,58,15,201,8\n.byte\t102,69,15,58,15,237,12\n.byte\t102,15,58,15,228,4\n.byte\t102,69,15,58,15,192,8\n.byte\t102,69,15,58,15,228,12\n\tmovdqa\t%xmm8,0+80(%rbp)\n\tmovdqa\t.Lrol16(%rip),%xmm8\n\tpaddd\t%xmm7,%xmm3\n\tpaddd\t%xmm6,%xmm2\n\tpaddd\t%xmm5,%xmm1\n\tpaddd\t%xmm4,%xmm0\n\tpxor\t%xmm3,%xmm15\n\tpxor\t%xmm2,%xmm14\n\tmovq\t%r13,%r10\n\tmovq\t%r14,%r11\n\tmovq\t%r15,%r12\n\tandq\t$3,%r12\n\tmovq\t%r15,%r13\n\tandq\t$-4,%r13\n\tmovq\t%r9,%r14\n\tshrdq\t$2,%r9,%r15\n\tshrq\t$2,%r9\n\taddq\t%r13,%r15\n\tadcq\t%r14,%r9\n\taddq\t%r15,%r10\n\tadcq\t%r9,%r11\n\tadcq\t$0,%r12\n\tpxor\t%xmm1,%xmm13\n\tpxor\t%xmm0,%xmm12\n.byte\t102,69,15,56,0,248\n.byte\t102,69,15,56,0,240\n.byte\t102,69,15,56,0,232\n.byte\t102,69,15,56,0,224\n\tmovdqa\t0+80(%rbp),%xmm8\n\tpaddd\t%xmm15,%xmm11\n\tpaddd\t%xmm14,%xmm10\n\tpaddd\t%xmm13,%xmm9\n\tpaddd\t%xmm12,%xmm8\n\tpxor\t%xmm11,%xmm7\n\tpxor\t%xmm10,%xmm6\n\tpxor\t%xmm9,%xmm5\n\tpxor\t%xmm8,%xmm4\n\tmovdqa\t%xmm8,0+80(%rbp)\n\tmovdqa\t%xmm7,%xmm8\n\tpsrld\t$20,%xmm8\n\tpslld\t$32-20,%xmm7\n\tpxor\t%xmm8,%xmm7\n\tmovdqa\t%xmm6,%xmm8\n\tpsrld\t$20,%xmm8\n\tpslld\t$32-20,%xmm6\n\tpxor\t%xmm8,%xmm6\n\tmovdqa\t%xmm5,%xmm8\n\tpsrld\t$20,%xmm8\n\tpslld\t$32-20,%xmm5\n\tpxor\t%xmm8,%xmm5\n\tmovdqa\t%xmm4,%xmm8\n\tpsrld\t$20,%xmm8\n\tpslld\t$32-20,%xmm4\n\tpxor\t%xmm8,%xmm4\n\tmovdqa\t.Lrol8(%rip),%xmm8\n\tpaddd\t%xmm7,%xmm3\n\tpaddd\t%xmm6,%xmm2\n\tpaddd\t%xmm5,%xmm1\n\tpaddd\t%xmm4,%xmm0\n\tpxor\t%xmm3,%xmm15\n\tpxor\t%xmm2,%xmm14\n\tpxor\t%xmm1,%xmm13\n\tpxor\t%xmm0,%xmm12\n.byte\t102,69,15,56,0,248\n.byte\t102,69,15,56,0,240\n.byte\t102,69,15,56,0,232\n.byte\t102,69,15,56,0,224\n\tmovdqa\t0+80(%rbp),%xmm8\n\tpaddd\t%xmm15,%xmm11\n\tpaddd\t%xmm14,%xmm10\n\tpaddd\t%xmm13,%xmm9\n\tpaddd\t%xmm12,%xmm8\n\tpxor\t%xmm11,%xmm7\n\tpxor\t%xmm10,%xmm6\n\tpxor\t%xmm9,%xmm5\n\tpxor\t%xmm8,%xmm4\n\tmovdqa\t%xmm8,0+80(%rbp)\n\tmovdqa\t%xmm7,%xmm8\n\tpsrld\t$25,%xmm8\n\tpslld\t$32-25,%xmm7\n\tpxor\t%xmm8,%xmm7\n\tmovdqa\t%xmm6,%xmm8\n\tpsrld\t$25,%xmm8\n\tpslld\t$32-25,%xmm6\n\tpxor\t%xmm8,%xmm6\n\tmovdqa\t%xmm5,%xmm8\n\tpsrld\t$25,%xmm8\n\tpslld\t$32-25,%xmm5\n\tpxor\t%xmm8,%xmm5\n\tmovdqa\t%xmm4,%xmm8\n\tpsrld\t$25,%xmm8\n\tpslld\t$32-25,%xmm4\n\tpxor\t%xmm8,%xmm4\n\tmovdqa\t0+80(%rbp),%xmm8\n.byte\t102,15,58,15,255,12\n.byte\t102,69,15,58,15,219,8\n.byte\t102,69,15,58,15,255,4\n.byte\t102,15,58,15,246,12\n.byte\t102,69,15,58,15,210,8\n.byte\t102,69,15,58,15,246,4\n.byte\t102,15,58,15,237,12\n.byte\t102,69,15,58,15,201,8\n.byte\t102,69,15,58,15,237,4\n.byte\t102,15,58,15,228,12\n.byte\t102,69,15,58,15,192,8\n.byte\t102,69,15,58,15,228,4\n\n\tdecq\t%rcx\n\tjge\t.Lopen_sse_main_loop_rounds\n\taddq\t0+0(%r8),%r10\n\tadcq\t8+0(%r8),%r11\n\tadcq\t$1,%r12\n\tmovq\t0+0+0(%rbp),%rax\n\tmovq\t%rax,%r15\n\tmulq\t%r10\n\tmovq\t%rax,%r13\n\tmovq\t%rdx,%r14\n\tmovq\t0+0+0(%rbp),%rax\n\tmulq\t%r11\n\timulq\t%r12,%r15\n\taddq\t%rax,%r14\n\tadcq\t%rdx,%r15\n\tmovq\t8+0+0(%rbp),%rax\n\tmovq\t%rax,%r9\n\tmulq\t%r10\n\taddq\t%rax,%r14\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r10\n\tmovq\t8+0+0(%rbp),%rax\n\tmulq\t%r11\n\taddq\t%rax,%r15\n\tadcq\t$0,%rdx\n\timulq\t%r12,%r9\n\taddq\t%r10,%r15\n\tadcq\t%rdx,%r9\n\tmovq\t%r13,%r10\n\tmovq\t%r14,%r11\n\tmovq\t%r15,%r12\n\tandq\t$3,%r12\n\tmovq\t%r15,%r13\n\tandq\t$-4,%r13\n\tmovq\t%r9,%r14\n\tshrdq\t$2,%r9,%r15\n\tshrq\t$2,%r9\n\taddq\t%r13,%r15\n\tadcq\t%r14,%r9\n\taddq\t%r15,%r10\n\tadcq\t%r9,%r11\n\tadcq\t$0,%r12\n\n\tleaq\t16(%r8),%r8\n\tcmpq\t$-6,%rcx\n\tjg\t.Lopen_sse_main_loop_rounds\n\tpaddd\t.Lchacha20_consts(%rip),%xmm3\n\tpaddd\t0+48(%rbp),%xmm7\n\tpaddd\t0+64(%rbp),%xmm11\n\tpaddd\t0+144(%rbp),%xmm15\n\tpaddd\t.Lchacha20_consts(%rip),%xmm2\n\tpaddd\t0+48(%rbp),%xmm6\n\tpaddd\t0+64(%rbp),%xmm10\n\tpaddd\t0+128(%rbp),%xmm14\n\tpaddd\t.Lchacha20_consts(%rip),%xmm1\n\tpaddd\t0+48(%rbp),%xmm5\n\tpaddd\t0+64(%rbp),%xmm9\n\tpaddd\t0+112(%rbp),%xmm13\n\tpaddd\t.Lchacha20_consts(%rip),%xmm0\n\tpaddd\t0+48(%rbp),%xmm4\n\tpaddd\t0+64(%rbp),%xmm8\n\tpaddd\t0+96(%rbp),%xmm12\n\tmovdqa\t%xmm12,0+80(%rbp)\n\tmovdqu\t0 + 0(%rsi),%xmm12\n\tpxor\t%xmm3,%xmm12\n\tmovdqu\t%xmm12,0 + 0(%rdi)\n\tmovdqu\t16 + 0(%rsi),%xmm12\n\tpxor\t%xmm7,%xmm12\n\tmovdqu\t%xmm12,16 + 0(%rdi)\n\tmovdqu\t32 + 0(%rsi),%xmm12\n\tpxor\t%xmm11,%xmm12\n\tmovdqu\t%xmm12,32 + 0(%rdi)\n\tmovdqu\t48 + 0(%rsi),%xmm12\n\tpxor\t%xmm15,%xmm12\n\tmovdqu\t%xmm12,48 + 0(%rdi)\n\tmovdqu\t0 + 64(%rsi),%xmm3\n\tmovdqu\t16 + 64(%rsi),%xmm7\n\tmovdqu\t32 + 64(%rsi),%xmm11\n\tmovdqu\t48 + 64(%rsi),%xmm15\n\tpxor\t%xmm3,%xmm2\n\tpxor\t%xmm7,%xmm6\n\tpxor\t%xmm11,%xmm10\n\tpxor\t%xmm14,%xmm15\n\tmovdqu\t%xmm2,0 + 64(%rdi)\n\tmovdqu\t%xmm6,16 + 64(%rdi)\n\tmovdqu\t%xmm10,32 + 64(%rdi)\n\tmovdqu\t%xmm15,48 + 64(%rdi)\n\tmovdqu\t0 + 128(%rsi),%xmm3\n\tmovdqu\t16 + 128(%rsi),%xmm7\n\tmovdqu\t32 + 128(%rsi),%xmm11\n\tmovdqu\t48 + 128(%rsi),%xmm15\n\tpxor\t%xmm3,%xmm1\n\tpxor\t%xmm7,%xmm5\n\tpxor\t%xmm11,%xmm9\n\tpxor\t%xmm13,%xmm15\n\tmovdqu\t%xmm1,0 + 128(%rdi)\n\tmovdqu\t%xmm5,16 + 128(%rdi)\n\tmovdqu\t%xmm9,32 + 128(%rdi)\n\tmovdqu\t%xmm15,48 + 128(%rdi)\n\tmovdqu\t0 + 192(%rsi),%xmm3\n\tmovdqu\t16 + 192(%rsi),%xmm7\n\tmovdqu\t32 + 192(%rsi),%xmm11\n\tmovdqu\t48 + 192(%rsi),%xmm15\n\tpxor\t%xmm3,%xmm0\n\tpxor\t%xmm7,%xmm4\n\tpxor\t%xmm11,%xmm8\n\tpxor\t0+80(%rbp),%xmm15\n\tmovdqu\t%xmm0,0 + 192(%rdi)\n\tmovdqu\t%xmm4,16 + 192(%rdi)\n\tmovdqu\t%xmm8,32 + 192(%rdi)\n\tmovdqu\t%xmm15,48 + 192(%rdi)\n\n\tleaq\t256(%rsi),%rsi\n\tleaq\t256(%rdi),%rdi\n\tsubq\t$256,%rbx\n\tjmp\t.Lopen_sse_main_loop\n.Lopen_sse_tail:\n\n\ttestq\t%rbx,%rbx\n\tjz\t.Lopen_sse_finalize\n\tcmpq\t$192,%rbx\n\tja\t.Lopen_sse_tail_256\n\tcmpq\t$128,%rbx\n\tja\t.Lopen_sse_tail_192\n\tcmpq\t$64,%rbx\n\tja\t.Lopen_sse_tail_128\n\tmovdqa\t.Lchacha20_consts(%rip),%xmm0\n\tmovdqa\t0+48(%rbp),%xmm4\n\tmovdqa\t0+64(%rbp),%xmm8\n\tmovdqa\t0+96(%rbp),%xmm12\n\tpaddd\t.Lsse_inc(%rip),%xmm12\n\tmovdqa\t%xmm12,0+96(%rbp)\n\n\txorq\t%r8,%r8\n\tmovq\t%rbx,%rcx\n\tcmpq\t$16,%rcx\n\tjb\t.Lopen_sse_tail_64_rounds\n.Lopen_sse_tail_64_rounds_and_x1hash:\n\taddq\t0+0(%rsi,%r8,1),%r10\n\tadcq\t8+0(%rsi,%r8,1),%r11\n\tadcq\t$1,%r12\n\tmovq\t0+0+0(%rbp),%rax\n\tmovq\t%rax,%r15\n\tmulq\t%r10\n\tmovq\t%rax,%r13\n\tmovq\t%rdx,%r14\n\tmovq\t0+0+0(%rbp),%rax\n\tmulq\t%r11\n\timulq\t%r12,%r15\n\taddq\t%rax,%r14\n\tadcq\t%rdx,%r15\n\tmovq\t8+0+0(%rbp),%rax\n\tmovq\t%rax,%r9\n\tmulq\t%r10\n\taddq\t%rax,%r14\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r10\n\tmovq\t8+0+0(%rbp),%rax\n\tmulq\t%r11\n\taddq\t%rax,%r15\n\tadcq\t$0,%rdx\n\timulq\t%r12,%r9\n\taddq\t%r10,%r15\n\tadcq\t%rdx,%r9\n\tmovq\t%r13,%r10\n\tmovq\t%r14,%r11\n\tmovq\t%r15,%r12\n\tandq\t$3,%r12\n\tmovq\t%r15,%r13\n\tandq\t$-4,%r13\n\tmovq\t%r9,%r14\n\tshrdq\t$2,%r9,%r15\n\tshrq\t$2,%r9\n\taddq\t%r13,%r15\n\tadcq\t%r14,%r9\n\taddq\t%r15,%r10\n\tadcq\t%r9,%r11\n\tadcq\t$0,%r12\n\n\tsubq\t$16,%rcx\n.Lopen_sse_tail_64_rounds:\n\taddq\t$16,%r8\n\tpaddd\t%xmm4,%xmm0\n\tpxor\t%xmm0,%xmm12\n\tpshufb\t.Lrol16(%rip),%xmm12\n\tpaddd\t%xmm12,%xmm8\n\tpxor\t%xmm8,%xmm4\n\tmovdqa\t%xmm4,%xmm3\n\tpslld\t$12,%xmm3\n\tpsrld\t$20,%xmm4\n\tpxor\t%xmm3,%xmm4\n\tpaddd\t%xmm4,%xmm0\n\tpxor\t%xmm0,%xmm12\n\tpshufb\t.Lrol8(%rip),%xmm12\n\tpaddd\t%xmm12,%xmm8\n\tpxor\t%xmm8,%xmm4\n\tmovdqa\t%xmm4,%xmm3\n\tpslld\t$7,%xmm3\n\tpsrld\t$25,%xmm4\n\tpxor\t%xmm3,%xmm4\n.byte\t102,15,58,15,228,4\n.byte\t102,69,15,58,15,192,8\n.byte\t102,69,15,58,15,228,12\n\tpaddd\t%xmm4,%xmm0\n\tpxor\t%xmm0,%xmm12\n\tpshufb\t.Lrol16(%rip),%xmm12\n\tpaddd\t%xmm12,%xmm8\n\tpxor\t%xmm8,%xmm4\n\tmovdqa\t%xmm4,%xmm3\n\tpslld\t$12,%xmm3\n\tpsrld\t$20,%xmm4\n\tpxor\t%xmm3,%xmm4\n\tpaddd\t%xmm4,%xmm0\n\tpxor\t%xmm0,%xmm12\n\tpshufb\t.Lrol8(%rip),%xmm12\n\tpaddd\t%xmm12,%xmm8\n\tpxor\t%xmm8,%xmm4\n\tmovdqa\t%xmm4,%xmm3\n\tpslld\t$7,%xmm3\n\tpsrld\t$25,%xmm4\n\tpxor\t%xmm3,%xmm4\n.byte\t102,15,58,15,228,12\n.byte\t102,69,15,58,15,192,8\n.byte\t102,69,15,58,15,228,4\n\n\tcmpq\t$16,%rcx\n\tjae\t.Lopen_sse_tail_64_rounds_and_x1hash\n\tcmpq\t$160,%r8\n\tjne\t.Lopen_sse_tail_64_rounds\n\tpaddd\t.Lchacha20_consts(%rip),%xmm0\n\tpaddd\t0+48(%rbp),%xmm4\n\tpaddd\t0+64(%rbp),%xmm8\n\tpaddd\t0+96(%rbp),%xmm12\n\n\tjmp\t.Lopen_sse_tail_64_dec_loop\n\n.Lopen_sse_tail_128:\n\tmovdqa\t.Lchacha20_consts(%rip),%xmm0\n\tmovdqa\t0+48(%rbp),%xmm4\n\tmovdqa\t0+64(%rbp),%xmm8\n\tmovdqa\t%xmm0,%xmm1\n\tmovdqa\t%xmm4,%xmm5\n\tmovdqa\t%xmm8,%xmm9\n\tmovdqa\t0+96(%rbp),%xmm13\n\tpaddd\t.Lsse_inc(%rip),%xmm13\n\tmovdqa\t%xmm13,%xmm12\n\tpaddd\t.Lsse_inc(%rip),%xmm12\n\tmovdqa\t%xmm12,0+96(%rbp)\n\tmovdqa\t%xmm13,0+112(%rbp)\n\n\tmovq\t%rbx,%rcx\n\tandq\t$-16,%rcx\n\txorq\t%r8,%r8\n.Lopen_sse_tail_128_rounds_and_x1hash:\n\taddq\t0+0(%rsi,%r8,1),%r10\n\tadcq\t8+0(%rsi,%r8,1),%r11\n\tadcq\t$1,%r12\n\tmovq\t0+0+0(%rbp),%rax\n\tmovq\t%rax,%r15\n\tmulq\t%r10\n\tmovq\t%rax,%r13\n\tmovq\t%rdx,%r14\n\tmovq\t0+0+0(%rbp),%rax\n\tmulq\t%r11\n\timulq\t%r12,%r15\n\taddq\t%rax,%r14\n\tadcq\t%rdx,%r15\n\tmovq\t8+0+0(%rbp),%rax\n\tmovq\t%rax,%r9\n\tmulq\t%r10\n\taddq\t%rax,%r14\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r10\n\tmovq\t8+0+0(%rbp),%rax\n\tmulq\t%r11\n\taddq\t%rax,%r15\n\tadcq\t$0,%rdx\n\timulq\t%r12,%r9\n\taddq\t%r10,%r15\n\tadcq\t%rdx,%r9\n\tmovq\t%r13,%r10\n\tmovq\t%r14,%r11\n\tmovq\t%r15,%r12\n\tandq\t$3,%r12\n\tmovq\t%r15,%r13\n\tandq\t$-4,%r13\n\tmovq\t%r9,%r14\n\tshrdq\t$2,%r9,%r15\n\tshrq\t$2,%r9\n\taddq\t%r13,%r15\n\tadcq\t%r14,%r9\n\taddq\t%r15,%r10\n\tadcq\t%r9,%r11\n\tadcq\t$0,%r12\n\n.Lopen_sse_tail_128_rounds:\n\taddq\t$16,%r8\n\tpaddd\t%xmm4,%xmm0\n\tpxor\t%xmm0,%xmm12\n\tpshufb\t.Lrol16(%rip),%xmm12\n\tpaddd\t%xmm12,%xmm8\n\tpxor\t%xmm8,%xmm4\n\tmovdqa\t%xmm4,%xmm3\n\tpslld\t$12,%xmm3\n\tpsrld\t$20,%xmm4\n\tpxor\t%xmm3,%xmm4\n\tpaddd\t%xmm4,%xmm0\n\tpxor\t%xmm0,%xmm12\n\tpshufb\t.Lrol8(%rip),%xmm12\n\tpaddd\t%xmm12,%xmm8\n\tpxor\t%xmm8,%xmm4\n\tmovdqa\t%xmm4,%xmm3\n\tpslld\t$7,%xmm3\n\tpsrld\t$25,%xmm4\n\tpxor\t%xmm3,%xmm4\n.byte\t102,15,58,15,228,4\n.byte\t102,69,15,58,15,192,8\n.byte\t102,69,15,58,15,228,12\n\tpaddd\t%xmm5,%xmm1\n\tpxor\t%xmm1,%xmm13\n\tpshufb\t.Lrol16(%rip),%xmm13\n\tpaddd\t%xmm13,%xmm9\n\tpxor\t%xmm9,%xmm5\n\tmovdqa\t%xmm5,%xmm3\n\tpslld\t$12,%xmm3\n\tpsrld\t$20,%xmm5\n\tpxor\t%xmm3,%xmm5\n\tpaddd\t%xmm5,%xmm1\n\tpxor\t%xmm1,%xmm13\n\tpshufb\t.Lrol8(%rip),%xmm13\n\tpaddd\t%xmm13,%xmm9\n\tpxor\t%xmm9,%xmm5\n\tmovdqa\t%xmm5,%xmm3\n\tpslld\t$7,%xmm3\n\tpsrld\t$25,%xmm5\n\tpxor\t%xmm3,%xmm5\n.byte\t102,15,58,15,237,4\n.byte\t102,69,15,58,15,201,8\n.byte\t102,69,15,58,15,237,12\n\tpaddd\t%xmm4,%xmm0\n\tpxor\t%xmm0,%xmm12\n\tpshufb\t.Lrol16(%rip),%xmm12\n\tpaddd\t%xmm12,%xmm8\n\tpxor\t%xmm8,%xmm4\n\tmovdqa\t%xmm4,%xmm3\n\tpslld\t$12,%xmm3\n\tpsrld\t$20,%xmm4\n\tpxor\t%xmm3,%xmm4\n\tpaddd\t%xmm4,%xmm0\n\tpxor\t%xmm0,%xmm12\n\tpshufb\t.Lrol8(%rip),%xmm12\n\tpaddd\t%xmm12,%xmm8\n\tpxor\t%xmm8,%xmm4\n\tmovdqa\t%xmm4,%xmm3\n\tpslld\t$7,%xmm3\n\tpsrld\t$25,%xmm4\n\tpxor\t%xmm3,%xmm4\n.byte\t102,15,58,15,228,12\n.byte\t102,69,15,58,15,192,8\n.byte\t102,69,15,58,15,228,4\n\tpaddd\t%xmm5,%xmm1\n\tpxor\t%xmm1,%xmm13\n\tpshufb\t.Lrol16(%rip),%xmm13\n\tpaddd\t%xmm13,%xmm9\n\tpxor\t%xmm9,%xmm5\n\tmovdqa\t%xmm5,%xmm3\n\tpslld\t$12,%xmm3\n\tpsrld\t$20,%xmm5\n\tpxor\t%xmm3,%xmm5\n\tpaddd\t%xmm5,%xmm1\n\tpxor\t%xmm1,%xmm13\n\tpshufb\t.Lrol8(%rip),%xmm13\n\tpaddd\t%xmm13,%xmm9\n\tpxor\t%xmm9,%xmm5\n\tmovdqa\t%xmm5,%xmm3\n\tpslld\t$7,%xmm3\n\tpsrld\t$25,%xmm5\n\tpxor\t%xmm3,%xmm5\n.byte\t102,15,58,15,237,12\n.byte\t102,69,15,58,15,201,8\n.byte\t102,69,15,58,15,237,4\n\n\tcmpq\t%rcx,%r8\n\tjb\t.Lopen_sse_tail_128_rounds_and_x1hash\n\tcmpq\t$160,%r8\n\tjne\t.Lopen_sse_tail_128_rounds\n\tpaddd\t.Lchacha20_consts(%rip),%xmm1\n\tpaddd\t0+48(%rbp),%xmm5\n\tpaddd\t0+64(%rbp),%xmm9\n\tpaddd\t0+112(%rbp),%xmm13\n\tpaddd\t.Lchacha20_consts(%rip),%xmm0\n\tpaddd\t0+48(%rbp),%xmm4\n\tpaddd\t0+64(%rbp),%xmm8\n\tpaddd\t0+96(%rbp),%xmm12\n\tmovdqu\t0 + 0(%rsi),%xmm3\n\tmovdqu\t16 + 0(%rsi),%xmm7\n\tmovdqu\t32 + 0(%rsi),%xmm11\n\tmovdqu\t48 + 0(%rsi),%xmm15\n\tpxor\t%xmm3,%xmm1\n\tpxor\t%xmm7,%xmm5\n\tpxor\t%xmm11,%xmm9\n\tpxor\t%xmm13,%xmm15\n\tmovdqu\t%xmm1,0 + 0(%rdi)\n\tmovdqu\t%xmm5,16 + 0(%rdi)\n\tmovdqu\t%xmm9,32 + 0(%rdi)\n\tmovdqu\t%xmm15,48 + 0(%rdi)\n\n\tsubq\t$64,%rbx\n\tleaq\t64(%rsi),%rsi\n\tleaq\t64(%rdi),%rdi\n\tjmp\t.Lopen_sse_tail_64_dec_loop\n\n.Lopen_sse_tail_192:\n\tmovdqa\t.Lchacha20_consts(%rip),%xmm0\n\tmovdqa\t0+48(%rbp),%xmm4\n\tmovdqa\t0+64(%rbp),%xmm8\n\tmovdqa\t%xmm0,%xmm1\n\tmovdqa\t%xmm4,%xmm5\n\tmovdqa\t%xmm8,%xmm9\n\tmovdqa\t%xmm0,%xmm2\n\tmovdqa\t%xmm4,%xmm6\n\tmovdqa\t%xmm8,%xmm10\n\tmovdqa\t0+96(%rbp),%xmm14\n\tpaddd\t.Lsse_inc(%rip),%xmm14\n\tmovdqa\t%xmm14,%xmm13\n\tpaddd\t.Lsse_inc(%rip),%xmm13\n\tmovdqa\t%xmm13,%xmm12\n\tpaddd\t.Lsse_inc(%rip),%xmm12\n\tmovdqa\t%xmm12,0+96(%rbp)\n\tmovdqa\t%xmm13,0+112(%rbp)\n\tmovdqa\t%xmm14,0+128(%rbp)\n\n\tmovq\t%rbx,%rcx\n\tmovq\t$160,%r8\n\tcmpq\t$160,%rcx\n\tcmovgq\t%r8,%rcx\n\tandq\t$-16,%rcx\n\txorq\t%r8,%r8\n.Lopen_sse_tail_192_rounds_and_x1hash:\n\taddq\t0+0(%rsi,%r8,1),%r10\n\tadcq\t8+0(%rsi,%r8,1),%r11\n\tadcq\t$1,%r12\n\tmovq\t0+0+0(%rbp),%rax\n\tmovq\t%rax,%r15\n\tmulq\t%r10\n\tmovq\t%rax,%r13\n\tmovq\t%rdx,%r14\n\tmovq\t0+0+0(%rbp),%rax\n\tmulq\t%r11\n\timulq\t%r12,%r15\n\taddq\t%rax,%r14\n\tadcq\t%rdx,%r15\n\tmovq\t8+0+0(%rbp),%rax\n\tmovq\t%rax,%r9\n\tmulq\t%r10\n\taddq\t%rax,%r14\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r10\n\tmovq\t8+0+0(%rbp),%rax\n\tmulq\t%r11\n\taddq\t%rax,%r15\n\tadcq\t$0,%rdx\n\timulq\t%r12,%r9\n\taddq\t%r10,%r15\n\tadcq\t%rdx,%r9\n\tmovq\t%r13,%r10\n\tmovq\t%r14,%r11\n\tmovq\t%r15,%r12\n\tandq\t$3,%r12\n\tmovq\t%r15,%r13\n\tandq\t$-4,%r13\n\tmovq\t%r9,%r14\n\tshrdq\t$2,%r9,%r15\n\tshrq\t$2,%r9\n\taddq\t%r13,%r15\n\tadcq\t%r14,%r9\n\taddq\t%r15,%r10\n\tadcq\t%r9,%r11\n\tadcq\t$0,%r12\n\n.Lopen_sse_tail_192_rounds:\n\taddq\t$16,%r8\n\tpaddd\t%xmm4,%xmm0\n\tpxor\t%xmm0,%xmm12\n\tpshufb\t.Lrol16(%rip),%xmm12\n\tpaddd\t%xmm12,%xmm8\n\tpxor\t%xmm8,%xmm4\n\tmovdqa\t%xmm4,%xmm3\n\tpslld\t$12,%xmm3\n\tpsrld\t$20,%xmm4\n\tpxor\t%xmm3,%xmm4\n\tpaddd\t%xmm4,%xmm0\n\tpxor\t%xmm0,%xmm12\n\tpshufb\t.Lrol8(%rip),%xmm12\n\tpaddd\t%xmm12,%xmm8\n\tpxor\t%xmm8,%xmm4\n\tmovdqa\t%xmm4,%xmm3\n\tpslld\t$7,%xmm3\n\tpsrld\t$25,%xmm4\n\tpxor\t%xmm3,%xmm4\n.byte\t102,15,58,15,228,4\n.byte\t102,69,15,58,15,192,8\n.byte\t102,69,15,58,15,228,12\n\tpaddd\t%xmm5,%xmm1\n\tpxor\t%xmm1,%xmm13\n\tpshufb\t.Lrol16(%rip),%xmm13\n\tpaddd\t%xmm13,%xmm9\n\tpxor\t%xmm9,%xmm5\n\tmovdqa\t%xmm5,%xmm3\n\tpslld\t$12,%xmm3\n\tpsrld\t$20,%xmm5\n\tpxor\t%xmm3,%xmm5\n\tpaddd\t%xmm5,%xmm1\n\tpxor\t%xmm1,%xmm13\n\tpshufb\t.Lrol8(%rip),%xmm13\n\tpaddd\t%xmm13,%xmm9\n\tpxor\t%xmm9,%xmm5\n\tmovdqa\t%xmm5,%xmm3\n\tpslld\t$7,%xmm3\n\tpsrld\t$25,%xmm5\n\tpxor\t%xmm3,%xmm5\n.byte\t102,15,58,15,237,4\n.byte\t102,69,15,58,15,201,8\n.byte\t102,69,15,58,15,237,12\n\tpaddd\t%xmm6,%xmm2\n\tpxor\t%xmm2,%xmm14\n\tpshufb\t.Lrol16(%rip),%xmm14\n\tpaddd\t%xmm14,%xmm10\n\tpxor\t%xmm10,%xmm6\n\tmovdqa\t%xmm6,%xmm3\n\tpslld\t$12,%xmm3\n\tpsrld\t$20,%xmm6\n\tpxor\t%xmm3,%xmm6\n\tpaddd\t%xmm6,%xmm2\n\tpxor\t%xmm2,%xmm14\n\tpshufb\t.Lrol8(%rip),%xmm14\n\tpaddd\t%xmm14,%xmm10\n\tpxor\t%xmm10,%xmm6\n\tmovdqa\t%xmm6,%xmm3\n\tpslld\t$7,%xmm3\n\tpsrld\t$25,%xmm6\n\tpxor\t%xmm3,%xmm6\n.byte\t102,15,58,15,246,4\n.byte\t102,69,15,58,15,210,8\n.byte\t102,69,15,58,15,246,12\n\tpaddd\t%xmm4,%xmm0\n\tpxor\t%xmm0,%xmm12\n\tpshufb\t.Lrol16(%rip),%xmm12\n\tpaddd\t%xmm12,%xmm8\n\tpxor\t%xmm8,%xmm4\n\tmovdqa\t%xmm4,%xmm3\n\tpslld\t$12,%xmm3\n\tpsrld\t$20,%xmm4\n\tpxor\t%xmm3,%xmm4\n\tpaddd\t%xmm4,%xmm0\n\tpxor\t%xmm0,%xmm12\n\tpshufb\t.Lrol8(%rip),%xmm12\n\tpaddd\t%xmm12,%xmm8\n\tpxor\t%xmm8,%xmm4\n\tmovdqa\t%xmm4,%xmm3\n\tpslld\t$7,%xmm3\n\tpsrld\t$25,%xmm4\n\tpxor\t%xmm3,%xmm4\n.byte\t102,15,58,15,228,12\n.byte\t102,69,15,58,15,192,8\n.byte\t102,69,15,58,15,228,4\n\tpaddd\t%xmm5,%xmm1\n\tpxor\t%xmm1,%xmm13\n\tpshufb\t.Lrol16(%rip),%xmm13\n\tpaddd\t%xmm13,%xmm9\n\tpxor\t%xmm9,%xmm5\n\tmovdqa\t%xmm5,%xmm3\n\tpslld\t$12,%xmm3\n\tpsrld\t$20,%xmm5\n\tpxor\t%xmm3,%xmm5\n\tpaddd\t%xmm5,%xmm1\n\tpxor\t%xmm1,%xmm13\n\tpshufb\t.Lrol8(%rip),%xmm13\n\tpaddd\t%xmm13,%xmm9\n\tpxor\t%xmm9,%xmm5\n\tmovdqa\t%xmm5,%xmm3\n\tpslld\t$7,%xmm3\n\tpsrld\t$25,%xmm5\n\tpxor\t%xmm3,%xmm5\n.byte\t102,15,58,15,237,12\n.byte\t102,69,15,58,15,201,8\n.byte\t102,69,15,58,15,237,4\n\tpaddd\t%xmm6,%xmm2\n\tpxor\t%xmm2,%xmm14\n\tpshufb\t.Lrol16(%rip),%xmm14\n\tpaddd\t%xmm14,%xmm10\n\tpxor\t%xmm10,%xmm6\n\tmovdqa\t%xmm6,%xmm3\n\tpslld\t$12,%xmm3\n\tpsrld\t$20,%xmm6\n\tpxor\t%xmm3,%xmm6\n\tpaddd\t%xmm6,%xmm2\n\tpxor\t%xmm2,%xmm14\n\tpshufb\t.Lrol8(%rip),%xmm14\n\tpaddd\t%xmm14,%xmm10\n\tpxor\t%xmm10,%xmm6\n\tmovdqa\t%xmm6,%xmm3\n\tpslld\t$7,%xmm3\n\tpsrld\t$25,%xmm6\n\tpxor\t%xmm3,%xmm6\n.byte\t102,15,58,15,246,12\n.byte\t102,69,15,58,15,210,8\n.byte\t102,69,15,58,15,246,4\n\n\tcmpq\t%rcx,%r8\n\tjb\t.Lopen_sse_tail_192_rounds_and_x1hash\n\tcmpq\t$160,%r8\n\tjne\t.Lopen_sse_tail_192_rounds\n\tcmpq\t$176,%rbx\n\tjb\t.Lopen_sse_tail_192_finish\n\taddq\t0+160(%rsi),%r10\n\tadcq\t8+160(%rsi),%r11\n\tadcq\t$1,%r12\n\tmovq\t0+0+0(%rbp),%rax\n\tmovq\t%rax,%r15\n\tmulq\t%r10\n\tmovq\t%rax,%r13\n\tmovq\t%rdx,%r14\n\tmovq\t0+0+0(%rbp),%rax\n\tmulq\t%r11\n\timulq\t%r12,%r15\n\taddq\t%rax,%r14\n\tadcq\t%rdx,%r15\n\tmovq\t8+0+0(%rbp),%rax\n\tmovq\t%rax,%r9\n\tmulq\t%r10\n\taddq\t%rax,%r14\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r10\n\tmovq\t8+0+0(%rbp),%rax\n\tmulq\t%r11\n\taddq\t%rax,%r15\n\tadcq\t$0,%rdx\n\timulq\t%r12,%r9\n\taddq\t%r10,%r15\n\tadcq\t%rdx,%r9\n\tmovq\t%r13,%r10\n\tmovq\t%r14,%r11\n\tmovq\t%r15,%r12\n\tandq\t$3,%r12\n\tmovq\t%r15,%r13\n\tandq\t$-4,%r13\n\tmovq\t%r9,%r14\n\tshrdq\t$2,%r9,%r15\n\tshrq\t$2,%r9\n\taddq\t%r13,%r15\n\tadcq\t%r14,%r9\n\taddq\t%r15,%r10\n\tadcq\t%r9,%r11\n\tadcq\t$0,%r12\n\n\tcmpq\t$192,%rbx\n\tjb\t.Lopen_sse_tail_192_finish\n\taddq\t0+176(%rsi),%r10\n\tadcq\t8+176(%rsi),%r11\n\tadcq\t$1,%r12\n\tmovq\t0+0+0(%rbp),%rax\n\tmovq\t%rax,%r15\n\tmulq\t%r10\n\tmovq\t%rax,%r13\n\tmovq\t%rdx,%r14\n\tmovq\t0+0+0(%rbp),%rax\n\tmulq\t%r11\n\timulq\t%r12,%r15\n\taddq\t%rax,%r14\n\tadcq\t%rdx,%r15\n\tmovq\t8+0+0(%rbp),%rax\n\tmovq\t%rax,%r9\n\tmulq\t%r10\n\taddq\t%rax,%r14\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r10\n\tmovq\t8+0+0(%rbp),%rax\n\tmulq\t%r11\n\taddq\t%rax,%r15\n\tadcq\t$0,%rdx\n\timulq\t%r12,%r9\n\taddq\t%r10,%r15\n\tadcq\t%rdx,%r9\n\tmovq\t%r13,%r10\n\tmovq\t%r14,%r11\n\tmovq\t%r15,%r12\n\tandq\t$3,%r12\n\tmovq\t%r15,%r13\n\tandq\t$-4,%r13\n\tmovq\t%r9,%r14\n\tshrdq\t$2,%r9,%r15\n\tshrq\t$2,%r9\n\taddq\t%r13,%r15\n\tadcq\t%r14,%r9\n\taddq\t%r15,%r10\n\tadcq\t%r9,%r11\n\tadcq\t$0,%r12\n\n.Lopen_sse_tail_192_finish:\n\tpaddd\t.Lchacha20_consts(%rip),%xmm2\n\tpaddd\t0+48(%rbp),%xmm6\n\tpaddd\t0+64(%rbp),%xmm10\n\tpaddd\t0+128(%rbp),%xmm14\n\tpaddd\t.Lchacha20_consts(%rip),%xmm1\n\tpaddd\t0+48(%rbp),%xmm5\n\tpaddd\t0+64(%rbp),%xmm9\n\tpaddd\t0+112(%rbp),%xmm13\n\tpaddd\t.Lchacha20_consts(%rip),%xmm0\n\tpaddd\t0+48(%rbp),%xmm4\n\tpaddd\t0+64(%rbp),%xmm8\n\tpaddd\t0+96(%rbp),%xmm12\n\tmovdqu\t0 + 0(%rsi),%xmm3\n\tmovdqu\t16 + 0(%rsi),%xmm7\n\tmovdqu\t32 + 0(%rsi),%xmm11\n\tmovdqu\t48 + 0(%rsi),%xmm15\n\tpxor\t%xmm3,%xmm2\n\tpxor\t%xmm7,%xmm6\n\tpxor\t%xmm11,%xmm10\n\tpxor\t%xmm14,%xmm15\n\tmovdqu\t%xmm2,0 + 0(%rdi)\n\tmovdqu\t%xmm6,16 + 0(%rdi)\n\tmovdqu\t%xmm10,32 + 0(%rdi)\n\tmovdqu\t%xmm15,48 + 0(%rdi)\n\tmovdqu\t0 + 64(%rsi),%xmm3\n\tmovdqu\t16 + 64(%rsi),%xmm7\n\tmovdqu\t32 + 64(%rsi),%xmm11\n\tmovdqu\t48 + 64(%rsi),%xmm15\n\tpxor\t%xmm3,%xmm1\n\tpxor\t%xmm7,%xmm5\n\tpxor\t%xmm11,%xmm9\n\tpxor\t%xmm13,%xmm15\n\tmovdqu\t%xmm1,0 + 64(%rdi)\n\tmovdqu\t%xmm5,16 + 64(%rdi)\n\tmovdqu\t%xmm9,32 + 64(%rdi)\n\tmovdqu\t%xmm15,48 + 64(%rdi)\n\n\tsubq\t$128,%rbx\n\tleaq\t128(%rsi),%rsi\n\tleaq\t128(%rdi),%rdi\n\tjmp\t.Lopen_sse_tail_64_dec_loop\n\n.Lopen_sse_tail_256:\n\tmovdqa\t.Lchacha20_consts(%rip),%xmm0\n\tmovdqa\t0+48(%rbp),%xmm4\n\tmovdqa\t0+64(%rbp),%xmm8\n\tmovdqa\t%xmm0,%xmm1\n\tmovdqa\t%xmm4,%xmm5\n\tmovdqa\t%xmm8,%xmm9\n\tmovdqa\t%xmm0,%xmm2\n\tmovdqa\t%xmm4,%xmm6\n\tmovdqa\t%xmm8,%xmm10\n\tmovdqa\t%xmm0,%xmm3\n\tmovdqa\t%xmm4,%xmm7\n\tmovdqa\t%xmm8,%xmm11\n\tmovdqa\t0+96(%rbp),%xmm15\n\tpaddd\t.Lsse_inc(%rip),%xmm15\n\tmovdqa\t%xmm15,%xmm14\n\tpaddd\t.Lsse_inc(%rip),%xmm14\n\tmovdqa\t%xmm14,%xmm13\n\tpaddd\t.Lsse_inc(%rip),%xmm13\n\tmovdqa\t%xmm13,%xmm12\n\tpaddd\t.Lsse_inc(%rip),%xmm12\n\tmovdqa\t%xmm12,0+96(%rbp)\n\tmovdqa\t%xmm13,0+112(%rbp)\n\tmovdqa\t%xmm14,0+128(%rbp)\n\tmovdqa\t%xmm15,0+144(%rbp)\n\n\txorq\t%r8,%r8\n.Lopen_sse_tail_256_rounds_and_x1hash:\n\taddq\t0+0(%rsi,%r8,1),%r10\n\tadcq\t8+0(%rsi,%r8,1),%r11\n\tadcq\t$1,%r12\n\tmovdqa\t%xmm11,0+80(%rbp)\n\tpaddd\t%xmm4,%xmm0\n\tpxor\t%xmm0,%xmm12\n\tpshufb\t.Lrol16(%rip),%xmm12\n\tpaddd\t%xmm12,%xmm8\n\tpxor\t%xmm8,%xmm4\n\tmovdqa\t%xmm4,%xmm11\n\tpslld\t$12,%xmm11\n\tpsrld\t$20,%xmm4\n\tpxor\t%xmm11,%xmm4\n\tpaddd\t%xmm4,%xmm0\n\tpxor\t%xmm0,%xmm12\n\tpshufb\t.Lrol8(%rip),%xmm12\n\tpaddd\t%xmm12,%xmm8\n\tpxor\t%xmm8,%xmm4\n\tmovdqa\t%xmm4,%xmm11\n\tpslld\t$7,%xmm11\n\tpsrld\t$25,%xmm4\n\tpxor\t%xmm11,%xmm4\n.byte\t102,15,58,15,228,4\n.byte\t102,69,15,58,15,192,8\n.byte\t102,69,15,58,15,228,12\n\tpaddd\t%xmm5,%xmm1\n\tpxor\t%xmm1,%xmm13\n\tpshufb\t.Lrol16(%rip),%xmm13\n\tpaddd\t%xmm13,%xmm9\n\tpxor\t%xmm9,%xmm5\n\tmovdqa\t%xmm5,%xmm11\n\tpslld\t$12,%xmm11\n\tpsrld\t$20,%xmm5\n\tpxor\t%xmm11,%xmm5\n\tpaddd\t%xmm5,%xmm1\n\tpxor\t%xmm1,%xmm13\n\tpshufb\t.Lrol8(%rip),%xmm13\n\tpaddd\t%xmm13,%xmm9\n\tpxor\t%xmm9,%xmm5\n\tmovdqa\t%xmm5,%xmm11\n\tpslld\t$7,%xmm11\n\tpsrld\t$25,%xmm5\n\tpxor\t%xmm11,%xmm5\n.byte\t102,15,58,15,237,4\n.byte\t102,69,15,58,15,201,8\n.byte\t102,69,15,58,15,237,12\n\tpaddd\t%xmm6,%xmm2\n\tpxor\t%xmm2,%xmm14\n\tpshufb\t.Lrol16(%rip),%xmm14\n\tpaddd\t%xmm14,%xmm10\n\tpxor\t%xmm10,%xmm6\n\tmovdqa\t%xmm6,%xmm11\n\tpslld\t$12,%xmm11\n\tpsrld\t$20,%xmm6\n\tpxor\t%xmm11,%xmm6\n\tpaddd\t%xmm6,%xmm2\n\tpxor\t%xmm2,%xmm14\n\tpshufb\t.Lrol8(%rip),%xmm14\n\tpaddd\t%xmm14,%xmm10\n\tpxor\t%xmm10,%xmm6\n\tmovdqa\t%xmm6,%xmm11\n\tpslld\t$7,%xmm11\n\tpsrld\t$25,%xmm6\n\tpxor\t%xmm11,%xmm6\n.byte\t102,15,58,15,246,4\n.byte\t102,69,15,58,15,210,8\n.byte\t102,69,15,58,15,246,12\n\tmovdqa\t0+80(%rbp),%xmm11\n\tmovq\t0+0+0(%rbp),%rax\n\tmovq\t%rax,%r15\n\tmulq\t%r10\n\tmovq\t%rax,%r13\n\tmovq\t%rdx,%r14\n\tmovq\t0+0+0(%rbp),%rax\n\tmulq\t%r11\n\timulq\t%r12,%r15\n\taddq\t%rax,%r14\n\tadcq\t%rdx,%r15\n\tmovdqa\t%xmm9,0+80(%rbp)\n\tpaddd\t%xmm7,%xmm3\n\tpxor\t%xmm3,%xmm15\n\tpshufb\t.Lrol16(%rip),%xmm15\n\tpaddd\t%xmm15,%xmm11\n\tpxor\t%xmm11,%xmm7\n\tmovdqa\t%xmm7,%xmm9\n\tpslld\t$12,%xmm9\n\tpsrld\t$20,%xmm7\n\tpxor\t%xmm9,%xmm7\n\tpaddd\t%xmm7,%xmm3\n\tpxor\t%xmm3,%xmm15\n\tpshufb\t.Lrol8(%rip),%xmm15\n\tpaddd\t%xmm15,%xmm11\n\tpxor\t%xmm11,%xmm7\n\tmovdqa\t%xmm7,%xmm9\n\tpslld\t$7,%xmm9\n\tpsrld\t$25,%xmm7\n\tpxor\t%xmm9,%xmm7\n.byte\t102,15,58,15,255,4\n.byte\t102,69,15,58,15,219,8\n.byte\t102,69,15,58,15,255,12\n\tmovdqa\t0+80(%rbp),%xmm9\n\tmovq\t8+0+0(%rbp),%rax\n\tmovq\t%rax,%r9\n\tmulq\t%r10\n\taddq\t%rax,%r14\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r10\n\tmovq\t8+0+0(%rbp),%rax\n\tmulq\t%r11\n\taddq\t%rax,%r15\n\tadcq\t$0,%rdx\n\tmovdqa\t%xmm11,0+80(%rbp)\n\tpaddd\t%xmm4,%xmm0\n\tpxor\t%xmm0,%xmm12\n\tpshufb\t.Lrol16(%rip),%xmm12\n\tpaddd\t%xmm12,%xmm8\n\tpxor\t%xmm8,%xmm4\n\tmovdqa\t%xmm4,%xmm11\n\tpslld\t$12,%xmm11\n\tpsrld\t$20,%xmm4\n\tpxor\t%xmm11,%xmm4\n\tpaddd\t%xmm4,%xmm0\n\tpxor\t%xmm0,%xmm12\n\tpshufb\t.Lrol8(%rip),%xmm12\n\tpaddd\t%xmm12,%xmm8\n\tpxor\t%xmm8,%xmm4\n\tmovdqa\t%xmm4,%xmm11\n\tpslld\t$7,%xmm11\n\tpsrld\t$25,%xmm4\n\tpxor\t%xmm11,%xmm4\n.byte\t102,15,58,15,228,12\n.byte\t102,69,15,58,15,192,8\n.byte\t102,69,15,58,15,228,4\n\tpaddd\t%xmm5,%xmm1\n\tpxor\t%xmm1,%xmm13\n\tpshufb\t.Lrol16(%rip),%xmm13\n\tpaddd\t%xmm13,%xmm9\n\tpxor\t%xmm9,%xmm5\n\tmovdqa\t%xmm5,%xmm11\n\tpslld\t$12,%xmm11\n\tpsrld\t$20,%xmm5\n\tpxor\t%xmm11,%xmm5\n\tpaddd\t%xmm5,%xmm1\n\tpxor\t%xmm1,%xmm13\n\tpshufb\t.Lrol8(%rip),%xmm13\n\tpaddd\t%xmm13,%xmm9\n\tpxor\t%xmm9,%xmm5\n\tmovdqa\t%xmm5,%xmm11\n\tpslld\t$7,%xmm11\n\tpsrld\t$25,%xmm5\n\tpxor\t%xmm11,%xmm5\n.byte\t102,15,58,15,237,12\n.byte\t102,69,15,58,15,201,8\n.byte\t102,69,15,58,15,237,4\n\timulq\t%r12,%r9\n\taddq\t%r10,%r15\n\tadcq\t%rdx,%r9\n\tpaddd\t%xmm6,%xmm2\n\tpxor\t%xmm2,%xmm14\n\tpshufb\t.Lrol16(%rip),%xmm14\n\tpaddd\t%xmm14,%xmm10\n\tpxor\t%xmm10,%xmm6\n\tmovdqa\t%xmm6,%xmm11\n\tpslld\t$12,%xmm11\n\tpsrld\t$20,%xmm6\n\tpxor\t%xmm11,%xmm6\n\tpaddd\t%xmm6,%xmm2\n\tpxor\t%xmm2,%xmm14\n\tpshufb\t.Lrol8(%rip),%xmm14\n\tpaddd\t%xmm14,%xmm10\n\tpxor\t%xmm10,%xmm6\n\tmovdqa\t%xmm6,%xmm11\n\tpslld\t$7,%xmm11\n\tpsrld\t$25,%xmm6\n\tpxor\t%xmm11,%xmm6\n.byte\t102,15,58,15,246,12\n.byte\t102,69,15,58,15,210,8\n.byte\t102,69,15,58,15,246,4\n\tmovdqa\t0+80(%rbp),%xmm11\n\tmovq\t%r13,%r10\n\tmovq\t%r14,%r11\n\tmovq\t%r15,%r12\n\tandq\t$3,%r12\n\tmovq\t%r15,%r13\n\tandq\t$-4,%r13\n\tmovq\t%r9,%r14\n\tshrdq\t$2,%r9,%r15\n\tshrq\t$2,%r9\n\taddq\t%r13,%r15\n\tadcq\t%r14,%r9\n\taddq\t%r15,%r10\n\tadcq\t%r9,%r11\n\tadcq\t$0,%r12\n\tmovdqa\t%xmm9,0+80(%rbp)\n\tpaddd\t%xmm7,%xmm3\n\tpxor\t%xmm3,%xmm15\n\tpshufb\t.Lrol16(%rip),%xmm15\n\tpaddd\t%xmm15,%xmm11\n\tpxor\t%xmm11,%xmm7\n\tmovdqa\t%xmm7,%xmm9\n\tpslld\t$12,%xmm9\n\tpsrld\t$20,%xmm7\n\tpxor\t%xmm9,%xmm7\n\tpaddd\t%xmm7,%xmm3\n\tpxor\t%xmm3,%xmm15\n\tpshufb\t.Lrol8(%rip),%xmm15\n\tpaddd\t%xmm15,%xmm11\n\tpxor\t%xmm11,%xmm7\n\tmovdqa\t%xmm7,%xmm9\n\tpslld\t$7,%xmm9\n\tpsrld\t$25,%xmm7\n\tpxor\t%xmm9,%xmm7\n.byte\t102,15,58,15,255,12\n.byte\t102,69,15,58,15,219,8\n.byte\t102,69,15,58,15,255,4\n\tmovdqa\t0+80(%rbp),%xmm9\n\n\taddq\t$16,%r8\n\tcmpq\t$160,%r8\n\tjb\t.Lopen_sse_tail_256_rounds_and_x1hash\n\n\tmovq\t%rbx,%rcx\n\tandq\t$-16,%rcx\n.Lopen_sse_tail_256_hash:\n\taddq\t0+0(%rsi,%r8,1),%r10\n\tadcq\t8+0(%rsi,%r8,1),%r11\n\tadcq\t$1,%r12\n\tmovq\t0+0+0(%rbp),%rax\n\tmovq\t%rax,%r15\n\tmulq\t%r10\n\tmovq\t%rax,%r13\n\tmovq\t%rdx,%r14\n\tmovq\t0+0+0(%rbp),%rax\n\tmulq\t%r11\n\timulq\t%r12,%r15\n\taddq\t%rax,%r14\n\tadcq\t%rdx,%r15\n\tmovq\t8+0+0(%rbp),%rax\n\tmovq\t%rax,%r9\n\tmulq\t%r10\n\taddq\t%rax,%r14\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r10\n\tmovq\t8+0+0(%rbp),%rax\n\tmulq\t%r11\n\taddq\t%rax,%r15\n\tadcq\t$0,%rdx\n\timulq\t%r12,%r9\n\taddq\t%r10,%r15\n\tadcq\t%rdx,%r9\n\tmovq\t%r13,%r10\n\tmovq\t%r14,%r11\n\tmovq\t%r15,%r12\n\tandq\t$3,%r12\n\tmovq\t%r15,%r13\n\tandq\t$-4,%r13\n\tmovq\t%r9,%r14\n\tshrdq\t$2,%r9,%r15\n\tshrq\t$2,%r9\n\taddq\t%r13,%r15\n\tadcq\t%r14,%r9\n\taddq\t%r15,%r10\n\tadcq\t%r9,%r11\n\tadcq\t$0,%r12\n\n\taddq\t$16,%r8\n\tcmpq\t%rcx,%r8\n\tjb\t.Lopen_sse_tail_256_hash\n\tpaddd\t.Lchacha20_consts(%rip),%xmm3\n\tpaddd\t0+48(%rbp),%xmm7\n\tpaddd\t0+64(%rbp),%xmm11\n\tpaddd\t0+144(%rbp),%xmm15\n\tpaddd\t.Lchacha20_consts(%rip),%xmm2\n\tpaddd\t0+48(%rbp),%xmm6\n\tpaddd\t0+64(%rbp),%xmm10\n\tpaddd\t0+128(%rbp),%xmm14\n\tpaddd\t.Lchacha20_consts(%rip),%xmm1\n\tpaddd\t0+48(%rbp),%xmm5\n\tpaddd\t0+64(%rbp),%xmm9\n\tpaddd\t0+112(%rbp),%xmm13\n\tpaddd\t.Lchacha20_consts(%rip),%xmm0\n\tpaddd\t0+48(%rbp),%xmm4\n\tpaddd\t0+64(%rbp),%xmm8\n\tpaddd\t0+96(%rbp),%xmm12\n\tmovdqa\t%xmm12,0+80(%rbp)\n\tmovdqu\t0 + 0(%rsi),%xmm12\n\tpxor\t%xmm3,%xmm12\n\tmovdqu\t%xmm12,0 + 0(%rdi)\n\tmovdqu\t16 + 0(%rsi),%xmm12\n\tpxor\t%xmm7,%xmm12\n\tmovdqu\t%xmm12,16 + 0(%rdi)\n\tmovdqu\t32 + 0(%rsi),%xmm12\n\tpxor\t%xmm11,%xmm12\n\tmovdqu\t%xmm12,32 + 0(%rdi)\n\tmovdqu\t48 + 0(%rsi),%xmm12\n\tpxor\t%xmm15,%xmm12\n\tmovdqu\t%xmm12,48 + 0(%rdi)\n\tmovdqu\t0 + 64(%rsi),%xmm3\n\tmovdqu\t16 + 64(%rsi),%xmm7\n\tmovdqu\t32 + 64(%rsi),%xmm11\n\tmovdqu\t48 + 64(%rsi),%xmm15\n\tpxor\t%xmm3,%xmm2\n\tpxor\t%xmm7,%xmm6\n\tpxor\t%xmm11,%xmm10\n\tpxor\t%xmm14,%xmm15\n\tmovdqu\t%xmm2,0 + 64(%rdi)\n\tmovdqu\t%xmm6,16 + 64(%rdi)\n\tmovdqu\t%xmm10,32 + 64(%rdi)\n\tmovdqu\t%xmm15,48 + 64(%rdi)\n\tmovdqu\t0 + 128(%rsi),%xmm3\n\tmovdqu\t16 + 128(%rsi),%xmm7\n\tmovdqu\t32 + 128(%rsi),%xmm11\n\tmovdqu\t48 + 128(%rsi),%xmm15\n\tpxor\t%xmm3,%xmm1\n\tpxor\t%xmm7,%xmm5\n\tpxor\t%xmm11,%xmm9\n\tpxor\t%xmm13,%xmm15\n\tmovdqu\t%xmm1,0 + 128(%rdi)\n\tmovdqu\t%xmm5,16 + 128(%rdi)\n\tmovdqu\t%xmm9,32 + 128(%rdi)\n\tmovdqu\t%xmm15,48 + 128(%rdi)\n\n\tmovdqa\t0+80(%rbp),%xmm12\n\tsubq\t$192,%rbx\n\tleaq\t192(%rsi),%rsi\n\tleaq\t192(%rdi),%rdi\n\n\n.Lopen_sse_tail_64_dec_loop:\n\tcmpq\t$16,%rbx\n\tjb\t.Lopen_sse_tail_16_init\n\tsubq\t$16,%rbx\n\tmovdqu\t(%rsi),%xmm3\n\tpxor\t%xmm3,%xmm0\n\tmovdqu\t%xmm0,(%rdi)\n\tleaq\t16(%rsi),%rsi\n\tleaq\t16(%rdi),%rdi\n\tmovdqa\t%xmm4,%xmm0\n\tmovdqa\t%xmm8,%xmm4\n\tmovdqa\t%xmm12,%xmm8\n\tjmp\t.Lopen_sse_tail_64_dec_loop\n.Lopen_sse_tail_16_init:\n\tmovdqa\t%xmm0,%xmm1\n\n\n.Lopen_sse_tail_16:\n\ttestq\t%rbx,%rbx\n\tjz\t.Lopen_sse_finalize\n\n\n\n\tpxor\t%xmm3,%xmm3\n\tleaq\t-1(%rsi,%rbx,1),%rsi\n\tmovq\t%rbx,%r8\n.Lopen_sse_tail_16_compose:\n\tpslldq\t$1,%xmm3\n\tpinsrb\t$0,(%rsi),%xmm3\n\tsubq\t$1,%rsi\n\tsubq\t$1,%r8\n\tjnz\t.Lopen_sse_tail_16_compose\n\n.byte\t102,73,15,126,221\n\tpextrq\t$1,%xmm3,%r14\n\n\tpxor\t%xmm1,%xmm3\n\n\n.Lopen_sse_tail_16_extract:\n\tpextrb\t$0,%xmm3,(%rdi)\n\tpsrldq\t$1,%xmm3\n\taddq\t$1,%rdi\n\tsubq\t$1,%rbx\n\tjne\t.Lopen_sse_tail_16_extract\n\n\taddq\t%r13,%r10\n\tadcq\t%r14,%r11\n\tadcq\t$1,%r12\n\tmovq\t0+0+0(%rbp),%rax\n\tmovq\t%rax,%r15\n\tmulq\t%r10\n\tmovq\t%rax,%r13\n\tmovq\t%rdx,%r14\n\tmovq\t0+0+0(%rbp),%rax\n\tmulq\t%r11\n\timulq\t%r12,%r15\n\taddq\t%rax,%r14\n\tadcq\t%rdx,%r15\n\tmovq\t8+0+0(%rbp),%rax\n\tmovq\t%rax,%r9\n\tmulq\t%r10\n\taddq\t%rax,%r14\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r10\n\tmovq\t8+0+0(%rbp),%rax\n\tmulq\t%r11\n\taddq\t%rax,%r15\n\tadcq\t$0,%rdx\n\timulq\t%r12,%r9\n\taddq\t%r10,%r15\n\tadcq\t%rdx,%r9\n\tmovq\t%r13,%r10\n\tmovq\t%r14,%r11\n\tmovq\t%r15,%r12\n\tandq\t$3,%r12\n\tmovq\t%r15,%r13\n\tandq\t$-4,%r13\n\tmovq\t%r9,%r14\n\tshrdq\t$2,%r9,%r15\n\tshrq\t$2,%r9\n\taddq\t%r13,%r15\n\tadcq\t%r14,%r9\n\taddq\t%r15,%r10\n\tadcq\t%r9,%r11\n\tadcq\t$0,%r12\n\n\n.Lopen_sse_finalize:\n\taddq\t0+0+32(%rbp),%r10\n\tadcq\t8+0+32(%rbp),%r11\n\tadcq\t$1,%r12\n\tmovq\t0+0+0(%rbp),%rax\n\tmovq\t%rax,%r15\n\tmulq\t%r10\n\tmovq\t%rax,%r13\n\tmovq\t%rdx,%r14\n\tmovq\t0+0+0(%rbp),%rax\n\tmulq\t%r11\n\timulq\t%r12,%r15\n\taddq\t%rax,%r14\n\tadcq\t%rdx,%r15\n\tmovq\t8+0+0(%rbp),%rax\n\tmovq\t%rax,%r9\n\tmulq\t%r10\n\taddq\t%rax,%r14\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r10\n\tmovq\t8+0+0(%rbp),%rax\n\tmulq\t%r11\n\taddq\t%rax,%r15\n\tadcq\t$0,%rdx\n\timulq\t%r12,%r9\n\taddq\t%r10,%r15\n\tadcq\t%rdx,%r9\n\tmovq\t%r13,%r10\n\tmovq\t%r14,%r11\n\tmovq\t%r15,%r12\n\tandq\t$3,%r12\n\tmovq\t%r15,%r13\n\tandq\t$-4,%r13\n\tmovq\t%r9,%r14\n\tshrdq\t$2,%r9,%r15\n\tshrq\t$2,%r9\n\taddq\t%r13,%r15\n\tadcq\t%r14,%r9\n\taddq\t%r15,%r10\n\tadcq\t%r9,%r11\n\tadcq\t$0,%r12\n\n\n\tmovq\t%r10,%r13\n\tmovq\t%r11,%r14\n\tmovq\t%r12,%r15\n\tsubq\t$-5,%r10\n\tsbbq\t$-1,%r11\n\tsbbq\t$3,%r12\n\tcmovcq\t%r13,%r10\n\tcmovcq\t%r14,%r11\n\tcmovcq\t%r15,%r12\n\n\taddq\t0+0+16(%rbp),%r10\n\tadcq\t8+0+16(%rbp),%r11\n\n.cfi_remember_state\t\n\taddq\t$288 + 0 + 32,%rsp\n.cfi_adjust_cfa_offset\t-(288 + 32)\n\n\tpopq\t%r9\n.cfi_adjust_cfa_offset\t-8\n.cfi_restore\t%r9\n\tmovq\t%r10,(%r9)\n\tmovq\t%r11,8(%r9)\n\tpopq\t%r15\n.cfi_adjust_cfa_offset\t-8\n.cfi_restore\t%r15\n\tpopq\t%r14\n.cfi_adjust_cfa_offset\t-8\n.cfi_restore\t%r14\n\tpopq\t%r13\n.cfi_adjust_cfa_offset\t-8\n.cfi_restore\t%r13\n\tpopq\t%r12\n.cfi_adjust_cfa_offset\t-8\n.cfi_restore\t%r12\n\tpopq\t%rbx\n.cfi_adjust_cfa_offset\t-8\n.cfi_restore\t%rbx\n\tpopq\t%rbp\n.cfi_adjust_cfa_offset\t-8\n.cfi_restore\t%rbp\n\tret\n\n.Lopen_sse_128:\n.cfi_restore_state\t\n\tmovdqu\t.Lchacha20_consts(%rip),%xmm0\n\tmovdqa\t%xmm0,%xmm1\n\tmovdqa\t%xmm0,%xmm2\n\tmovdqu\t0(%r9),%xmm4\n\tmovdqa\t%xmm4,%xmm5\n\tmovdqa\t%xmm4,%xmm6\n\tmovdqu\t16(%r9),%xmm8\n\tmovdqa\t%xmm8,%xmm9\n\tmovdqa\t%xmm8,%xmm10\n\tmovdqu\t32(%r9),%xmm12\n\tmovdqa\t%xmm12,%xmm13\n\tpaddd\t.Lsse_inc(%rip),%xmm13\n\tmovdqa\t%xmm13,%xmm14\n\tpaddd\t.Lsse_inc(%rip),%xmm14\n\tmovdqa\t%xmm4,%xmm7\n\tmovdqa\t%xmm8,%xmm11\n\tmovdqa\t%xmm13,%xmm15\n\tmovq\t$10,%r10\n\n.Lopen_sse_128_rounds:\n\tpaddd\t%xmm4,%xmm0\n\tpxor\t%xmm0,%xmm12\n\tpshufb\t.Lrol16(%rip),%xmm12\n\tpaddd\t%xmm12,%xmm8\n\tpxor\t%xmm8,%xmm4\n\tmovdqa\t%xmm4,%xmm3\n\tpslld\t$12,%xmm3\n\tpsrld\t$20,%xmm4\n\tpxor\t%xmm3,%xmm4\n\tpaddd\t%xmm4,%xmm0\n\tpxor\t%xmm0,%xmm12\n\tpshufb\t.Lrol8(%rip),%xmm12\n\tpaddd\t%xmm12,%xmm8\n\tpxor\t%xmm8,%xmm4\n\tmovdqa\t%xmm4,%xmm3\n\tpslld\t$7,%xmm3\n\tpsrld\t$25,%xmm4\n\tpxor\t%xmm3,%xmm4\n.byte\t102,15,58,15,228,4\n.byte\t102,69,15,58,15,192,8\n.byte\t102,69,15,58,15,228,12\n\tpaddd\t%xmm5,%xmm1\n\tpxor\t%xmm1,%xmm13\n\tpshufb\t.Lrol16(%rip),%xmm13\n\tpaddd\t%xmm13,%xmm9\n\tpxor\t%xmm9,%xmm5\n\tmovdqa\t%xmm5,%xmm3\n\tpslld\t$12,%xmm3\n\tpsrld\t$20,%xmm5\n\tpxor\t%xmm3,%xmm5\n\tpaddd\t%xmm5,%xmm1\n\tpxor\t%xmm1,%xmm13\n\tpshufb\t.Lrol8(%rip),%xmm13\n\tpaddd\t%xmm13,%xmm9\n\tpxor\t%xmm9,%xmm5\n\tmovdqa\t%xmm5,%xmm3\n\tpslld\t$7,%xmm3\n\tpsrld\t$25,%xmm5\n\tpxor\t%xmm3,%xmm5\n.byte\t102,15,58,15,237,4\n.byte\t102,69,15,58,15,201,8\n.byte\t102,69,15,58,15,237,12\n\tpaddd\t%xmm6,%xmm2\n\tpxor\t%xmm2,%xmm14\n\tpshufb\t.Lrol16(%rip),%xmm14\n\tpaddd\t%xmm14,%xmm10\n\tpxor\t%xmm10,%xmm6\n\tmovdqa\t%xmm6,%xmm3\n\tpslld\t$12,%xmm3\n\tpsrld\t$20,%xmm6\n\tpxor\t%xmm3,%xmm6\n\tpaddd\t%xmm6,%xmm2\n\tpxor\t%xmm2,%xmm14\n\tpshufb\t.Lrol8(%rip),%xmm14\n\tpaddd\t%xmm14,%xmm10\n\tpxor\t%xmm10,%xmm6\n\tmovdqa\t%xmm6,%xmm3\n\tpslld\t$7,%xmm3\n\tpsrld\t$25,%xmm6\n\tpxor\t%xmm3,%xmm6\n.byte\t102,15,58,15,246,4\n.byte\t102,69,15,58,15,210,8\n.byte\t102,69,15,58,15,246,12\n\tpaddd\t%xmm4,%xmm0\n\tpxor\t%xmm0,%xmm12\n\tpshufb\t.Lrol16(%rip),%xmm12\n\tpaddd\t%xmm12,%xmm8\n\tpxor\t%xmm8,%xmm4\n\tmovdqa\t%xmm4,%xmm3\n\tpslld\t$12,%xmm3\n\tpsrld\t$20,%xmm4\n\tpxor\t%xmm3,%xmm4\n\tpaddd\t%xmm4,%xmm0\n\tpxor\t%xmm0,%xmm12\n\tpshufb\t.Lrol8(%rip),%xmm12\n\tpaddd\t%xmm12,%xmm8\n\tpxor\t%xmm8,%xmm4\n\tmovdqa\t%xmm4,%xmm3\n\tpslld\t$7,%xmm3\n\tpsrld\t$25,%xmm4\n\tpxor\t%xmm3,%xmm4\n.byte\t102,15,58,15,228,12\n.byte\t102,69,15,58,15,192,8\n.byte\t102,69,15,58,15,228,4\n\tpaddd\t%xmm5,%xmm1\n\tpxor\t%xmm1,%xmm13\n\tpshufb\t.Lrol16(%rip),%xmm13\n\tpaddd\t%xmm13,%xmm9\n\tpxor\t%xmm9,%xmm5\n\tmovdqa\t%xmm5,%xmm3\n\tpslld\t$12,%xmm3\n\tpsrld\t$20,%xmm5\n\tpxor\t%xmm3,%xmm5\n\tpaddd\t%xmm5,%xmm1\n\tpxor\t%xmm1,%xmm13\n\tpshufb\t.Lrol8(%rip),%xmm13\n\tpaddd\t%xmm13,%xmm9\n\tpxor\t%xmm9,%xmm5\n\tmovdqa\t%xmm5,%xmm3\n\tpslld\t$7,%xmm3\n\tpsrld\t$25,%xmm5\n\tpxor\t%xmm3,%xmm5\n.byte\t102,15,58,15,237,12\n.byte\t102,69,15,58,15,201,8\n.byte\t102,69,15,58,15,237,4\n\tpaddd\t%xmm6,%xmm2\n\tpxor\t%xmm2,%xmm14\n\tpshufb\t.Lrol16(%rip),%xmm14\n\tpaddd\t%xmm14,%xmm10\n\tpxor\t%xmm10,%xmm6\n\tmovdqa\t%xmm6,%xmm3\n\tpslld\t$12,%xmm3\n\tpsrld\t$20,%xmm6\n\tpxor\t%xmm3,%xmm6\n\tpaddd\t%xmm6,%xmm2\n\tpxor\t%xmm2,%xmm14\n\tpshufb\t.Lrol8(%rip),%xmm14\n\tpaddd\t%xmm14,%xmm10\n\tpxor\t%xmm10,%xmm6\n\tmovdqa\t%xmm6,%xmm3\n\tpslld\t$7,%xmm3\n\tpsrld\t$25,%xmm6\n\tpxor\t%xmm3,%xmm6\n.byte\t102,15,58,15,246,12\n.byte\t102,69,15,58,15,210,8\n.byte\t102,69,15,58,15,246,4\n\n\tdecq\t%r10\n\tjnz\t.Lopen_sse_128_rounds\n\tpaddd\t.Lchacha20_consts(%rip),%xmm0\n\tpaddd\t.Lchacha20_consts(%rip),%xmm1\n\tpaddd\t.Lchacha20_consts(%rip),%xmm2\n\tpaddd\t%xmm7,%xmm4\n\tpaddd\t%xmm7,%xmm5\n\tpaddd\t%xmm7,%xmm6\n\tpaddd\t%xmm11,%xmm9\n\tpaddd\t%xmm11,%xmm10\n\tpaddd\t%xmm15,%xmm13\n\tpaddd\t.Lsse_inc(%rip),%xmm15\n\tpaddd\t%xmm15,%xmm14\n\n\tpand\t.Lclamp(%rip),%xmm0\n\tmovdqa\t%xmm0,0+0(%rbp)\n\tmovdqa\t%xmm4,0+16(%rbp)\n\n\tmovq\t%r8,%r8\n\tcall\tpoly_hash_ad_internal\n.Lopen_sse_128_xor_hash:\n\tcmpq\t$16,%rbx\n\tjb\t.Lopen_sse_tail_16\n\tsubq\t$16,%rbx\n\taddq\t0+0(%rsi),%r10\n\tadcq\t8+0(%rsi),%r11\n\tadcq\t$1,%r12\n\n\n\tmovdqu\t0(%rsi),%xmm3\n\tpxor\t%xmm3,%xmm1\n\tmovdqu\t%xmm1,0(%rdi)\n\tleaq\t16(%rsi),%rsi\n\tleaq\t16(%rdi),%rdi\n\tmovq\t0+0+0(%rbp),%rax\n\tmovq\t%rax,%r15\n\tmulq\t%r10\n\tmovq\t%rax,%r13\n\tmovq\t%rdx,%r14\n\tmovq\t0+0+0(%rbp),%rax\n\tmulq\t%r11\n\timulq\t%r12,%r15\n\taddq\t%rax,%r14\n\tadcq\t%rdx,%r15\n\tmovq\t8+0+0(%rbp),%rax\n\tmovq\t%rax,%r9\n\tmulq\t%r10\n\taddq\t%rax,%r14\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r10\n\tmovq\t8+0+0(%rbp),%rax\n\tmulq\t%r11\n\taddq\t%rax,%r15\n\tadcq\t$0,%rdx\n\timulq\t%r12,%r9\n\taddq\t%r10,%r15\n\tadcq\t%rdx,%r9\n\tmovq\t%r13,%r10\n\tmovq\t%r14,%r11\n\tmovq\t%r15,%r12\n\tandq\t$3,%r12\n\tmovq\t%r15,%r13\n\tandq\t$-4,%r13\n\tmovq\t%r9,%r14\n\tshrdq\t$2,%r9,%r15\n\tshrq\t$2,%r9\n\taddq\t%r13,%r15\n\tadcq\t%r14,%r9\n\taddq\t%r15,%r10\n\tadcq\t%r9,%r11\n\tadcq\t$0,%r12\n\n\n\tmovdqa\t%xmm5,%xmm1\n\tmovdqa\t%xmm9,%xmm5\n\tmovdqa\t%xmm13,%xmm9\n\tmovdqa\t%xmm2,%xmm13\n\tmovdqa\t%xmm6,%xmm2\n\tmovdqa\t%xmm10,%xmm6\n\tmovdqa\t%xmm14,%xmm10\n\tjmp\t.Lopen_sse_128_xor_hash\n.size\tchacha20_poly1305_open_nohw, .-chacha20_poly1305_open_nohw\n.cfi_endproc\t\n\n\n\n\n\n\n\n.globl\tchacha20_poly1305_seal_nohw\n.hidden chacha20_poly1305_seal_nohw\n.type\tchacha20_poly1305_seal_nohw,@function\n.align\t64\nchacha20_poly1305_seal_nohw:\n.cfi_startproc\t\n_CET_ENDBR\n\tpushq\t%rbp\n.cfi_adjust_cfa_offset\t8\n.cfi_offset\t%rbp,-16\n\tpushq\t%rbx\n.cfi_adjust_cfa_offset\t8\n.cfi_offset\t%rbx,-24\n\tpushq\t%r12\n.cfi_adjust_cfa_offset\t8\n.cfi_offset\t%r12,-32\n\tpushq\t%r13\n.cfi_adjust_cfa_offset\t8\n.cfi_offset\t%r13,-40\n\tpushq\t%r14\n.cfi_adjust_cfa_offset\t8\n.cfi_offset\t%r14,-48\n\tpushq\t%r15\n.cfi_adjust_cfa_offset\t8\n.cfi_offset\t%r15,-56\n\n\n\tpushq\t%r9\n.cfi_adjust_cfa_offset\t8\n.cfi_offset\t%r9,-64\n\tsubq\t$288 + 0 + 32,%rsp\n.cfi_adjust_cfa_offset\t288 + 32\n\tleaq\t32(%rsp),%rbp\n\tandq\t$-32,%rbp\n\n\tmovq\t56(%r9),%rbx\n\taddq\t%rdx,%rbx\n\tmovq\t%r8,0+0+32(%rbp)\n\tmovq\t%rbx,8+0+32(%rbp)\n\tmovq\t%rdx,%rbx\n\n\tcmpq\t$128,%rbx\n\tjbe\t.Lseal_sse_128\n\n\tmovdqa\t.Lchacha20_consts(%rip),%xmm0\n\tmovdqu\t0(%r9),%xmm4\n\tmovdqu\t16(%r9),%xmm8\n\tmovdqu\t32(%r9),%xmm12\n\n\tmovdqa\t%xmm0,%xmm1\n\tmovdqa\t%xmm0,%xmm2\n\tmovdqa\t%xmm0,%xmm3\n\tmovdqa\t%xmm4,%xmm5\n\tmovdqa\t%xmm4,%xmm6\n\tmovdqa\t%xmm4,%xmm7\n\tmovdqa\t%xmm8,%xmm9\n\tmovdqa\t%xmm8,%xmm10\n\tmovdqa\t%xmm8,%xmm11\n\tmovdqa\t%xmm12,%xmm15\n\tpaddd\t.Lsse_inc(%rip),%xmm12\n\tmovdqa\t%xmm12,%xmm14\n\tpaddd\t.Lsse_inc(%rip),%xmm12\n\tmovdqa\t%xmm12,%xmm13\n\tpaddd\t.Lsse_inc(%rip),%xmm12\n\n\tmovdqa\t%xmm4,0+48(%rbp)\n\tmovdqa\t%xmm8,0+64(%rbp)\n\tmovdqa\t%xmm12,0+96(%rbp)\n\tmovdqa\t%xmm13,0+112(%rbp)\n\tmovdqa\t%xmm14,0+128(%rbp)\n\tmovdqa\t%xmm15,0+144(%rbp)\n\tmovq\t$10,%r10\n.Lseal_sse_init_rounds:\n\tmovdqa\t%xmm8,0+80(%rbp)\n\tmovdqa\t.Lrol16(%rip),%xmm8\n\tpaddd\t%xmm7,%xmm3\n\tpaddd\t%xmm6,%xmm2\n\tpaddd\t%xmm5,%xmm1\n\tpaddd\t%xmm4,%xmm0\n\tpxor\t%xmm3,%xmm15\n\tpxor\t%xmm2,%xmm14\n\tpxor\t%xmm1,%xmm13\n\tpxor\t%xmm0,%xmm12\n.byte\t102,69,15,56,0,248\n.byte\t102,69,15,56,0,240\n.byte\t102,69,15,56,0,232\n.byte\t102,69,15,56,0,224\n\tmovdqa\t0+80(%rbp),%xmm8\n\tpaddd\t%xmm15,%xmm11\n\tpaddd\t%xmm14,%xmm10\n\tpaddd\t%xmm13,%xmm9\n\tpaddd\t%xmm12,%xmm8\n\tpxor\t%xmm11,%xmm7\n\tpxor\t%xmm10,%xmm6\n\tpxor\t%xmm9,%xmm5\n\tpxor\t%xmm8,%xmm4\n\tmovdqa\t%xmm8,0+80(%rbp)\n\tmovdqa\t%xmm7,%xmm8\n\tpsrld\t$20,%xmm8\n\tpslld\t$32-20,%xmm7\n\tpxor\t%xmm8,%xmm7\n\tmovdqa\t%xmm6,%xmm8\n\tpsrld\t$20,%xmm8\n\tpslld\t$32-20,%xmm6\n\tpxor\t%xmm8,%xmm6\n\tmovdqa\t%xmm5,%xmm8\n\tpsrld\t$20,%xmm8\n\tpslld\t$32-20,%xmm5\n\tpxor\t%xmm8,%xmm5\n\tmovdqa\t%xmm4,%xmm8\n\tpsrld\t$20,%xmm8\n\tpslld\t$32-20,%xmm4\n\tpxor\t%xmm8,%xmm4\n\tmovdqa\t.Lrol8(%rip),%xmm8\n\tpaddd\t%xmm7,%xmm3\n\tpaddd\t%xmm6,%xmm2\n\tpaddd\t%xmm5,%xmm1\n\tpaddd\t%xmm4,%xmm0\n\tpxor\t%xmm3,%xmm15\n\tpxor\t%xmm2,%xmm14\n\tpxor\t%xmm1,%xmm13\n\tpxor\t%xmm0,%xmm12\n.byte\t102,69,15,56,0,248\n.byte\t102,69,15,56,0,240\n.byte\t102,69,15,56,0,232\n.byte\t102,69,15,56,0,224\n\tmovdqa\t0+80(%rbp),%xmm8\n\tpaddd\t%xmm15,%xmm11\n\tpaddd\t%xmm14,%xmm10\n\tpaddd\t%xmm13,%xmm9\n\tpaddd\t%xmm12,%xmm8\n\tpxor\t%xmm11,%xmm7\n\tpxor\t%xmm10,%xmm6\n\tpxor\t%xmm9,%xmm5\n\tpxor\t%xmm8,%xmm4\n\tmovdqa\t%xmm8,0+80(%rbp)\n\tmovdqa\t%xmm7,%xmm8\n\tpsrld\t$25,%xmm8\n\tpslld\t$32-25,%xmm7\n\tpxor\t%xmm8,%xmm7\n\tmovdqa\t%xmm6,%xmm8\n\tpsrld\t$25,%xmm8\n\tpslld\t$32-25,%xmm6\n\tpxor\t%xmm8,%xmm6\n\tmovdqa\t%xmm5,%xmm8\n\tpsrld\t$25,%xmm8\n\tpslld\t$32-25,%xmm5\n\tpxor\t%xmm8,%xmm5\n\tmovdqa\t%xmm4,%xmm8\n\tpsrld\t$25,%xmm8\n\tpslld\t$32-25,%xmm4\n\tpxor\t%xmm8,%xmm4\n\tmovdqa\t0+80(%rbp),%xmm8\n.byte\t102,15,58,15,255,4\n.byte\t102,69,15,58,15,219,8\n.byte\t102,69,15,58,15,255,12\n.byte\t102,15,58,15,246,4\n.byte\t102,69,15,58,15,210,8\n.byte\t102,69,15,58,15,246,12\n.byte\t102,15,58,15,237,4\n.byte\t102,69,15,58,15,201,8\n.byte\t102,69,15,58,15,237,12\n.byte\t102,15,58,15,228,4\n.byte\t102,69,15,58,15,192,8\n.byte\t102,69,15,58,15,228,12\n\tmovdqa\t%xmm8,0+80(%rbp)\n\tmovdqa\t.Lrol16(%rip),%xmm8\n\tpaddd\t%xmm7,%xmm3\n\tpaddd\t%xmm6,%xmm2\n\tpaddd\t%xmm5,%xmm1\n\tpaddd\t%xmm4,%xmm0\n\tpxor\t%xmm3,%xmm15\n\tpxor\t%xmm2,%xmm14\n\tpxor\t%xmm1,%xmm13\n\tpxor\t%xmm0,%xmm12\n.byte\t102,69,15,56,0,248\n.byte\t102,69,15,56,0,240\n.byte\t102,69,15,56,0,232\n.byte\t102,69,15,56,0,224\n\tmovdqa\t0+80(%rbp),%xmm8\n\tpaddd\t%xmm15,%xmm11\n\tpaddd\t%xmm14,%xmm10\n\tpaddd\t%xmm13,%xmm9\n\tpaddd\t%xmm12,%xmm8\n\tpxor\t%xmm11,%xmm7\n\tpxor\t%xmm10,%xmm6\n\tpxor\t%xmm9,%xmm5\n\tpxor\t%xmm8,%xmm4\n\tmovdqa\t%xmm8,0+80(%rbp)\n\tmovdqa\t%xmm7,%xmm8\n\tpsrld\t$20,%xmm8\n\tpslld\t$32-20,%xmm7\n\tpxor\t%xmm8,%xmm7\n\tmovdqa\t%xmm6,%xmm8\n\tpsrld\t$20,%xmm8\n\tpslld\t$32-20,%xmm6\n\tpxor\t%xmm8,%xmm6\n\tmovdqa\t%xmm5,%xmm8\n\tpsrld\t$20,%xmm8\n\tpslld\t$32-20,%xmm5\n\tpxor\t%xmm8,%xmm5\n\tmovdqa\t%xmm4,%xmm8\n\tpsrld\t$20,%xmm8\n\tpslld\t$32-20,%xmm4\n\tpxor\t%xmm8,%xmm4\n\tmovdqa\t.Lrol8(%rip),%xmm8\n\tpaddd\t%xmm7,%xmm3\n\tpaddd\t%xmm6,%xmm2\n\tpaddd\t%xmm5,%xmm1\n\tpaddd\t%xmm4,%xmm0\n\tpxor\t%xmm3,%xmm15\n\tpxor\t%xmm2,%xmm14\n\tpxor\t%xmm1,%xmm13\n\tpxor\t%xmm0,%xmm12\n.byte\t102,69,15,56,0,248\n.byte\t102,69,15,56,0,240\n.byte\t102,69,15,56,0,232\n.byte\t102,69,15,56,0,224\n\tmovdqa\t0+80(%rbp),%xmm8\n\tpaddd\t%xmm15,%xmm11\n\tpaddd\t%xmm14,%xmm10\n\tpaddd\t%xmm13,%xmm9\n\tpaddd\t%xmm12,%xmm8\n\tpxor\t%xmm11,%xmm7\n\tpxor\t%xmm10,%xmm6\n\tpxor\t%xmm9,%xmm5\n\tpxor\t%xmm8,%xmm4\n\tmovdqa\t%xmm8,0+80(%rbp)\n\tmovdqa\t%xmm7,%xmm8\n\tpsrld\t$25,%xmm8\n\tpslld\t$32-25,%xmm7\n\tpxor\t%xmm8,%xmm7\n\tmovdqa\t%xmm6,%xmm8\n\tpsrld\t$25,%xmm8\n\tpslld\t$32-25,%xmm6\n\tpxor\t%xmm8,%xmm6\n\tmovdqa\t%xmm5,%xmm8\n\tpsrld\t$25,%xmm8\n\tpslld\t$32-25,%xmm5\n\tpxor\t%xmm8,%xmm5\n\tmovdqa\t%xmm4,%xmm8\n\tpsrld\t$25,%xmm8\n\tpslld\t$32-25,%xmm4\n\tpxor\t%xmm8,%xmm4\n\tmovdqa\t0+80(%rbp),%xmm8\n.byte\t102,15,58,15,255,12\n.byte\t102,69,15,58,15,219,8\n.byte\t102,69,15,58,15,255,4\n.byte\t102,15,58,15,246,12\n.byte\t102,69,15,58,15,210,8\n.byte\t102,69,15,58,15,246,4\n.byte\t102,15,58,15,237,12\n.byte\t102,69,15,58,15,201,8\n.byte\t102,69,15,58,15,237,4\n.byte\t102,15,58,15,228,12\n.byte\t102,69,15,58,15,192,8\n.byte\t102,69,15,58,15,228,4\n\n\tdecq\t%r10\n\tjnz\t.Lseal_sse_init_rounds\n\tpaddd\t.Lchacha20_consts(%rip),%xmm3\n\tpaddd\t0+48(%rbp),%xmm7\n\tpaddd\t0+64(%rbp),%xmm11\n\tpaddd\t0+144(%rbp),%xmm15\n\tpaddd\t.Lchacha20_consts(%rip),%xmm2\n\tpaddd\t0+48(%rbp),%xmm6\n\tpaddd\t0+64(%rbp),%xmm10\n\tpaddd\t0+128(%rbp),%xmm14\n\tpaddd\t.Lchacha20_consts(%rip),%xmm1\n\tpaddd\t0+48(%rbp),%xmm5\n\tpaddd\t0+64(%rbp),%xmm9\n\tpaddd\t0+112(%rbp),%xmm13\n\tpaddd\t.Lchacha20_consts(%rip),%xmm0\n\tpaddd\t0+48(%rbp),%xmm4\n\tpaddd\t0+64(%rbp),%xmm8\n\tpaddd\t0+96(%rbp),%xmm12\n\n\n\tpand\t.Lclamp(%rip),%xmm3\n\tmovdqa\t%xmm3,0+0(%rbp)\n\tmovdqa\t%xmm7,0+16(%rbp)\n\n\tmovq\t%r8,%r8\n\tcall\tpoly_hash_ad_internal\n\tmovdqu\t0 + 0(%rsi),%xmm3\n\tmovdqu\t16 + 0(%rsi),%xmm7\n\tmovdqu\t32 + 0(%rsi),%xmm11\n\tmovdqu\t48 + 0(%rsi),%xmm15\n\tpxor\t%xmm3,%xmm2\n\tpxor\t%xmm7,%xmm6\n\tpxor\t%xmm11,%xmm10\n\tpxor\t%xmm14,%xmm15\n\tmovdqu\t%xmm2,0 + 0(%rdi)\n\tmovdqu\t%xmm6,16 + 0(%rdi)\n\tmovdqu\t%xmm10,32 + 0(%rdi)\n\tmovdqu\t%xmm15,48 + 0(%rdi)\n\tmovdqu\t0 + 64(%rsi),%xmm3\n\tmovdqu\t16 + 64(%rsi),%xmm7\n\tmovdqu\t32 + 64(%rsi),%xmm11\n\tmovdqu\t48 + 64(%rsi),%xmm15\n\tpxor\t%xmm3,%xmm1\n\tpxor\t%xmm7,%xmm5\n\tpxor\t%xmm11,%xmm9\n\tpxor\t%xmm13,%xmm15\n\tmovdqu\t%xmm1,0 + 64(%rdi)\n\tmovdqu\t%xmm5,16 + 64(%rdi)\n\tmovdqu\t%xmm9,32 + 64(%rdi)\n\tmovdqu\t%xmm15,48 + 64(%rdi)\n\n\tcmpq\t$192,%rbx\n\tja\t.Lseal_sse_main_init\n\tmovq\t$128,%rcx\n\tsubq\t$128,%rbx\n\tleaq\t128(%rsi),%rsi\n\tjmp\t.Lseal_sse_128_tail_hash\n.Lseal_sse_main_init:\n\tmovdqu\t0 + 128(%rsi),%xmm3\n\tmovdqu\t16 + 128(%rsi),%xmm7\n\tmovdqu\t32 + 128(%rsi),%xmm11\n\tmovdqu\t48 + 128(%rsi),%xmm15\n\tpxor\t%xmm3,%xmm0\n\tpxor\t%xmm7,%xmm4\n\tpxor\t%xmm11,%xmm8\n\tpxor\t%xmm12,%xmm15\n\tmovdqu\t%xmm0,0 + 128(%rdi)\n\tmovdqu\t%xmm4,16 + 128(%rdi)\n\tmovdqu\t%xmm8,32 + 128(%rdi)\n\tmovdqu\t%xmm15,48 + 128(%rdi)\n\n\tmovq\t$192,%rcx\n\tsubq\t$192,%rbx\n\tleaq\t192(%rsi),%rsi\n\tmovq\t$2,%rcx\n\tmovq\t$8,%r8\n\tcmpq\t$64,%rbx\n\tjbe\t.Lseal_sse_tail_64\n\tcmpq\t$128,%rbx\n\tjbe\t.Lseal_sse_tail_128\n\tcmpq\t$192,%rbx\n\tjbe\t.Lseal_sse_tail_192\n\n.Lseal_sse_main_loop:\n\tmovdqa\t.Lchacha20_consts(%rip),%xmm0\n\tmovdqa\t0+48(%rbp),%xmm4\n\tmovdqa\t0+64(%rbp),%xmm8\n\tmovdqa\t%xmm0,%xmm1\n\tmovdqa\t%xmm4,%xmm5\n\tmovdqa\t%xmm8,%xmm9\n\tmovdqa\t%xmm0,%xmm2\n\tmovdqa\t%xmm4,%xmm6\n\tmovdqa\t%xmm8,%xmm10\n\tmovdqa\t%xmm0,%xmm3\n\tmovdqa\t%xmm4,%xmm7\n\tmovdqa\t%xmm8,%xmm11\n\tmovdqa\t0+96(%rbp),%xmm15\n\tpaddd\t.Lsse_inc(%rip),%xmm15\n\tmovdqa\t%xmm15,%xmm14\n\tpaddd\t.Lsse_inc(%rip),%xmm14\n\tmovdqa\t%xmm14,%xmm13\n\tpaddd\t.Lsse_inc(%rip),%xmm13\n\tmovdqa\t%xmm13,%xmm12\n\tpaddd\t.Lsse_inc(%rip),%xmm12\n\tmovdqa\t%xmm12,0+96(%rbp)\n\tmovdqa\t%xmm13,0+112(%rbp)\n\tmovdqa\t%xmm14,0+128(%rbp)\n\tmovdqa\t%xmm15,0+144(%rbp)\n\n.align\t32\n.Lseal_sse_main_rounds:\n\tmovdqa\t%xmm8,0+80(%rbp)\n\tmovdqa\t.Lrol16(%rip),%xmm8\n\tpaddd\t%xmm7,%xmm3\n\tpaddd\t%xmm6,%xmm2\n\tpaddd\t%xmm5,%xmm1\n\tpaddd\t%xmm4,%xmm0\n\tpxor\t%xmm3,%xmm15\n\tpxor\t%xmm2,%xmm14\n\tpxor\t%xmm1,%xmm13\n\tpxor\t%xmm0,%xmm12\n.byte\t102,69,15,56,0,248\n.byte\t102,69,15,56,0,240\n.byte\t102,69,15,56,0,232\n.byte\t102,69,15,56,0,224\n\tmovdqa\t0+80(%rbp),%xmm8\n\tpaddd\t%xmm15,%xmm11\n\tpaddd\t%xmm14,%xmm10\n\tpaddd\t%xmm13,%xmm9\n\tpaddd\t%xmm12,%xmm8\n\tpxor\t%xmm11,%xmm7\n\taddq\t0+0(%rdi),%r10\n\tadcq\t8+0(%rdi),%r11\n\tadcq\t$1,%r12\n\tpxor\t%xmm10,%xmm6\n\tpxor\t%xmm9,%xmm5\n\tpxor\t%xmm8,%xmm4\n\tmovdqa\t%xmm8,0+80(%rbp)\n\tmovdqa\t%xmm7,%xmm8\n\tpsrld\t$20,%xmm8\n\tpslld\t$32-20,%xmm7\n\tpxor\t%xmm8,%xmm7\n\tmovdqa\t%xmm6,%xmm8\n\tpsrld\t$20,%xmm8\n\tpslld\t$32-20,%xmm6\n\tpxor\t%xmm8,%xmm6\n\tmovdqa\t%xmm5,%xmm8\n\tpsrld\t$20,%xmm8\n\tpslld\t$32-20,%xmm5\n\tpxor\t%xmm8,%xmm5\n\tmovdqa\t%xmm4,%xmm8\n\tpsrld\t$20,%xmm8\n\tpslld\t$32-20,%xmm4\n\tpxor\t%xmm8,%xmm4\n\tmovq\t0+0+0(%rbp),%rax\n\tmovq\t%rax,%r15\n\tmulq\t%r10\n\tmovq\t%rax,%r13\n\tmovq\t%rdx,%r14\n\tmovq\t0+0+0(%rbp),%rax\n\tmulq\t%r11\n\timulq\t%r12,%r15\n\taddq\t%rax,%r14\n\tadcq\t%rdx,%r15\n\tmovdqa\t.Lrol8(%rip),%xmm8\n\tpaddd\t%xmm7,%xmm3\n\tpaddd\t%xmm6,%xmm2\n\tpaddd\t%xmm5,%xmm1\n\tpaddd\t%xmm4,%xmm0\n\tpxor\t%xmm3,%xmm15\n\tpxor\t%xmm2,%xmm14\n\tpxor\t%xmm1,%xmm13\n\tpxor\t%xmm0,%xmm12\n.byte\t102,69,15,56,0,248\n.byte\t102,69,15,56,0,240\n.byte\t102,69,15,56,0,232\n.byte\t102,69,15,56,0,224\n\tmovdqa\t0+80(%rbp),%xmm8\n\tpaddd\t%xmm15,%xmm11\n\tpaddd\t%xmm14,%xmm10\n\tpaddd\t%xmm13,%xmm9\n\tpaddd\t%xmm12,%xmm8\n\tpxor\t%xmm11,%xmm7\n\tpxor\t%xmm10,%xmm6\n\tmovq\t8+0+0(%rbp),%rax\n\tmovq\t%rax,%r9\n\tmulq\t%r10\n\taddq\t%rax,%r14\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r10\n\tmovq\t8+0+0(%rbp),%rax\n\tmulq\t%r11\n\taddq\t%rax,%r15\n\tadcq\t$0,%rdx\n\tpxor\t%xmm9,%xmm5\n\tpxor\t%xmm8,%xmm4\n\tmovdqa\t%xmm8,0+80(%rbp)\n\tmovdqa\t%xmm7,%xmm8\n\tpsrld\t$25,%xmm8\n\tpslld\t$32-25,%xmm7\n\tpxor\t%xmm8,%xmm7\n\tmovdqa\t%xmm6,%xmm8\n\tpsrld\t$25,%xmm8\n\tpslld\t$32-25,%xmm6\n\tpxor\t%xmm8,%xmm6\n\tmovdqa\t%xmm5,%xmm8\n\tpsrld\t$25,%xmm8\n\tpslld\t$32-25,%xmm5\n\tpxor\t%xmm8,%xmm5\n\tmovdqa\t%xmm4,%xmm8\n\tpsrld\t$25,%xmm8\n\tpslld\t$32-25,%xmm4\n\tpxor\t%xmm8,%xmm4\n\tmovdqa\t0+80(%rbp),%xmm8\n\timulq\t%r12,%r9\n\taddq\t%r10,%r15\n\tadcq\t%rdx,%r9\n.byte\t102,15,58,15,255,4\n.byte\t102,69,15,58,15,219,8\n.byte\t102,69,15,58,15,255,12\n.byte\t102,15,58,15,246,4\n.byte\t102,69,15,58,15,210,8\n.byte\t102,69,15,58,15,246,12\n.byte\t102,15,58,15,237,4\n.byte\t102,69,15,58,15,201,8\n.byte\t102,69,15,58,15,237,12\n.byte\t102,15,58,15,228,4\n.byte\t102,69,15,58,15,192,8\n.byte\t102,69,15,58,15,228,12\n\tmovdqa\t%xmm8,0+80(%rbp)\n\tmovdqa\t.Lrol16(%rip),%xmm8\n\tpaddd\t%xmm7,%xmm3\n\tpaddd\t%xmm6,%xmm2\n\tpaddd\t%xmm5,%xmm1\n\tpaddd\t%xmm4,%xmm0\n\tpxor\t%xmm3,%xmm15\n\tpxor\t%xmm2,%xmm14\n\tmovq\t%r13,%r10\n\tmovq\t%r14,%r11\n\tmovq\t%r15,%r12\n\tandq\t$3,%r12\n\tmovq\t%r15,%r13\n\tandq\t$-4,%r13\n\tmovq\t%r9,%r14\n\tshrdq\t$2,%r9,%r15\n\tshrq\t$2,%r9\n\taddq\t%r13,%r15\n\tadcq\t%r14,%r9\n\taddq\t%r15,%r10\n\tadcq\t%r9,%r11\n\tadcq\t$0,%r12\n\tpxor\t%xmm1,%xmm13\n\tpxor\t%xmm0,%xmm12\n.byte\t102,69,15,56,0,248\n.byte\t102,69,15,56,0,240\n.byte\t102,69,15,56,0,232\n.byte\t102,69,15,56,0,224\n\tmovdqa\t0+80(%rbp),%xmm8\n\tpaddd\t%xmm15,%xmm11\n\tpaddd\t%xmm14,%xmm10\n\tpaddd\t%xmm13,%xmm9\n\tpaddd\t%xmm12,%xmm8\n\tpxor\t%xmm11,%xmm7\n\tpxor\t%xmm10,%xmm6\n\tpxor\t%xmm9,%xmm5\n\tpxor\t%xmm8,%xmm4\n\tmovdqa\t%xmm8,0+80(%rbp)\n\tmovdqa\t%xmm7,%xmm8\n\tpsrld\t$20,%xmm8\n\tpslld\t$32-20,%xmm7\n\tpxor\t%xmm8,%xmm7\n\tmovdqa\t%xmm6,%xmm8\n\tpsrld\t$20,%xmm8\n\tpslld\t$32-20,%xmm6\n\tpxor\t%xmm8,%xmm6\n\tmovdqa\t%xmm5,%xmm8\n\tpsrld\t$20,%xmm8\n\tpslld\t$32-20,%xmm5\n\tpxor\t%xmm8,%xmm5\n\tmovdqa\t%xmm4,%xmm8\n\tpsrld\t$20,%xmm8\n\tpslld\t$32-20,%xmm4\n\tpxor\t%xmm8,%xmm4\n\tmovdqa\t.Lrol8(%rip),%xmm8\n\tpaddd\t%xmm7,%xmm3\n\tpaddd\t%xmm6,%xmm2\n\tpaddd\t%xmm5,%xmm1\n\tpaddd\t%xmm4,%xmm0\n\tpxor\t%xmm3,%xmm15\n\tpxor\t%xmm2,%xmm14\n\tpxor\t%xmm1,%xmm13\n\tpxor\t%xmm0,%xmm12\n.byte\t102,69,15,56,0,248\n.byte\t102,69,15,56,0,240\n.byte\t102,69,15,56,0,232\n.byte\t102,69,15,56,0,224\n\tmovdqa\t0+80(%rbp),%xmm8\n\tpaddd\t%xmm15,%xmm11\n\tpaddd\t%xmm14,%xmm10\n\tpaddd\t%xmm13,%xmm9\n\tpaddd\t%xmm12,%xmm8\n\tpxor\t%xmm11,%xmm7\n\tpxor\t%xmm10,%xmm6\n\tpxor\t%xmm9,%xmm5\n\tpxor\t%xmm8,%xmm4\n\tmovdqa\t%xmm8,0+80(%rbp)\n\tmovdqa\t%xmm7,%xmm8\n\tpsrld\t$25,%xmm8\n\tpslld\t$32-25,%xmm7\n\tpxor\t%xmm8,%xmm7\n\tmovdqa\t%xmm6,%xmm8\n\tpsrld\t$25,%xmm8\n\tpslld\t$32-25,%xmm6\n\tpxor\t%xmm8,%xmm6\n\tmovdqa\t%xmm5,%xmm8\n\tpsrld\t$25,%xmm8\n\tpslld\t$32-25,%xmm5\n\tpxor\t%xmm8,%xmm5\n\tmovdqa\t%xmm4,%xmm8\n\tpsrld\t$25,%xmm8\n\tpslld\t$32-25,%xmm4\n\tpxor\t%xmm8,%xmm4\n\tmovdqa\t0+80(%rbp),%xmm8\n.byte\t102,15,58,15,255,12\n.byte\t102,69,15,58,15,219,8\n.byte\t102,69,15,58,15,255,4\n.byte\t102,15,58,15,246,12\n.byte\t102,69,15,58,15,210,8\n.byte\t102,69,15,58,15,246,4\n.byte\t102,15,58,15,237,12\n.byte\t102,69,15,58,15,201,8\n.byte\t102,69,15,58,15,237,4\n.byte\t102,15,58,15,228,12\n.byte\t102,69,15,58,15,192,8\n.byte\t102,69,15,58,15,228,4\n\n\tleaq\t16(%rdi),%rdi\n\tdecq\t%r8\n\tjge\t.Lseal_sse_main_rounds\n\taddq\t0+0(%rdi),%r10\n\tadcq\t8+0(%rdi),%r11\n\tadcq\t$1,%r12\n\tmovq\t0+0+0(%rbp),%rax\n\tmovq\t%rax,%r15\n\tmulq\t%r10\n\tmovq\t%rax,%r13\n\tmovq\t%rdx,%r14\n\tmovq\t0+0+0(%rbp),%rax\n\tmulq\t%r11\n\timulq\t%r12,%r15\n\taddq\t%rax,%r14\n\tadcq\t%rdx,%r15\n\tmovq\t8+0+0(%rbp),%rax\n\tmovq\t%rax,%r9\n\tmulq\t%r10\n\taddq\t%rax,%r14\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r10\n\tmovq\t8+0+0(%rbp),%rax\n\tmulq\t%r11\n\taddq\t%rax,%r15\n\tadcq\t$0,%rdx\n\timulq\t%r12,%r9\n\taddq\t%r10,%r15\n\tadcq\t%rdx,%r9\n\tmovq\t%r13,%r10\n\tmovq\t%r14,%r11\n\tmovq\t%r15,%r12\n\tandq\t$3,%r12\n\tmovq\t%r15,%r13\n\tandq\t$-4,%r13\n\tmovq\t%r9,%r14\n\tshrdq\t$2,%r9,%r15\n\tshrq\t$2,%r9\n\taddq\t%r13,%r15\n\tadcq\t%r14,%r9\n\taddq\t%r15,%r10\n\tadcq\t%r9,%r11\n\tadcq\t$0,%r12\n\n\tleaq\t16(%rdi),%rdi\n\tdecq\t%rcx\n\tjg\t.Lseal_sse_main_rounds\n\tpaddd\t.Lchacha20_consts(%rip),%xmm3\n\tpaddd\t0+48(%rbp),%xmm7\n\tpaddd\t0+64(%rbp),%xmm11\n\tpaddd\t0+144(%rbp),%xmm15\n\tpaddd\t.Lchacha20_consts(%rip),%xmm2\n\tpaddd\t0+48(%rbp),%xmm6\n\tpaddd\t0+64(%rbp),%xmm10\n\tpaddd\t0+128(%rbp),%xmm14\n\tpaddd\t.Lchacha20_consts(%rip),%xmm1\n\tpaddd\t0+48(%rbp),%xmm5\n\tpaddd\t0+64(%rbp),%xmm9\n\tpaddd\t0+112(%rbp),%xmm13\n\tpaddd\t.Lchacha20_consts(%rip),%xmm0\n\tpaddd\t0+48(%rbp),%xmm4\n\tpaddd\t0+64(%rbp),%xmm8\n\tpaddd\t0+96(%rbp),%xmm12\n\n\tmovdqa\t%xmm14,0+80(%rbp)\n\tmovdqa\t%xmm14,0+80(%rbp)\n\tmovdqu\t0 + 0(%rsi),%xmm14\n\tpxor\t%xmm3,%xmm14\n\tmovdqu\t%xmm14,0 + 0(%rdi)\n\tmovdqu\t16 + 0(%rsi),%xmm14\n\tpxor\t%xmm7,%xmm14\n\tmovdqu\t%xmm14,16 + 0(%rdi)\n\tmovdqu\t32 + 0(%rsi),%xmm14\n\tpxor\t%xmm11,%xmm14\n\tmovdqu\t%xmm14,32 + 0(%rdi)\n\tmovdqu\t48 + 0(%rsi),%xmm14\n\tpxor\t%xmm15,%xmm14\n\tmovdqu\t%xmm14,48 + 0(%rdi)\n\n\tmovdqa\t0+80(%rbp),%xmm14\n\tmovdqu\t0 + 64(%rsi),%xmm3\n\tmovdqu\t16 + 64(%rsi),%xmm7\n\tmovdqu\t32 + 64(%rsi),%xmm11\n\tmovdqu\t48 + 64(%rsi),%xmm15\n\tpxor\t%xmm3,%xmm2\n\tpxor\t%xmm7,%xmm6\n\tpxor\t%xmm11,%xmm10\n\tpxor\t%xmm14,%xmm15\n\tmovdqu\t%xmm2,0 + 64(%rdi)\n\tmovdqu\t%xmm6,16 + 64(%rdi)\n\tmovdqu\t%xmm10,32 + 64(%rdi)\n\tmovdqu\t%xmm15,48 + 64(%rdi)\n\tmovdqu\t0 + 128(%rsi),%xmm3\n\tmovdqu\t16 + 128(%rsi),%xmm7\n\tmovdqu\t32 + 128(%rsi),%xmm11\n\tmovdqu\t48 + 128(%rsi),%xmm15\n\tpxor\t%xmm3,%xmm1\n\tpxor\t%xmm7,%xmm5\n\tpxor\t%xmm11,%xmm9\n\tpxor\t%xmm13,%xmm15\n\tmovdqu\t%xmm1,0 + 128(%rdi)\n\tmovdqu\t%xmm5,16 + 128(%rdi)\n\tmovdqu\t%xmm9,32 + 128(%rdi)\n\tmovdqu\t%xmm15,48 + 128(%rdi)\n\n\tcmpq\t$256,%rbx\n\tja\t.Lseal_sse_main_loop_xor\n\n\tmovq\t$192,%rcx\n\tsubq\t$192,%rbx\n\tleaq\t192(%rsi),%rsi\n\tjmp\t.Lseal_sse_128_tail_hash\n.Lseal_sse_main_loop_xor:\n\tmovdqu\t0 + 192(%rsi),%xmm3\n\tmovdqu\t16 + 192(%rsi),%xmm7\n\tmovdqu\t32 + 192(%rsi),%xmm11\n\tmovdqu\t48 + 192(%rsi),%xmm15\n\tpxor\t%xmm3,%xmm0\n\tpxor\t%xmm7,%xmm4\n\tpxor\t%xmm11,%xmm8\n\tpxor\t%xmm12,%xmm15\n\tmovdqu\t%xmm0,0 + 192(%rdi)\n\tmovdqu\t%xmm4,16 + 192(%rdi)\n\tmovdqu\t%xmm8,32 + 192(%rdi)\n\tmovdqu\t%xmm15,48 + 192(%rdi)\n\n\tleaq\t256(%rsi),%rsi\n\tsubq\t$256,%rbx\n\tmovq\t$6,%rcx\n\tmovq\t$4,%r8\n\tcmpq\t$192,%rbx\n\tjg\t.Lseal_sse_main_loop\n\tmovq\t%rbx,%rcx\n\ttestq\t%rbx,%rbx\n\tje\t.Lseal_sse_128_tail_hash\n\tmovq\t$6,%rcx\n\tcmpq\t$128,%rbx\n\tja\t.Lseal_sse_tail_192\n\tcmpq\t$64,%rbx\n\tja\t.Lseal_sse_tail_128\n\n.Lseal_sse_tail_64:\n\tmovdqa\t.Lchacha20_consts(%rip),%xmm0\n\tmovdqa\t0+48(%rbp),%xmm4\n\tmovdqa\t0+64(%rbp),%xmm8\n\tmovdqa\t0+96(%rbp),%xmm12\n\tpaddd\t.Lsse_inc(%rip),%xmm12\n\tmovdqa\t%xmm12,0+96(%rbp)\n\n.Lseal_sse_tail_64_rounds_and_x2hash:\n\taddq\t0+0(%rdi),%r10\n\tadcq\t8+0(%rdi),%r11\n\tadcq\t$1,%r12\n\tmovq\t0+0+0(%rbp),%rax\n\tmovq\t%rax,%r15\n\tmulq\t%r10\n\tmovq\t%rax,%r13\n\tmovq\t%rdx,%r14\n\tmovq\t0+0+0(%rbp),%rax\n\tmulq\t%r11\n\timulq\t%r12,%r15\n\taddq\t%rax,%r14\n\tadcq\t%rdx,%r15\n\tmovq\t8+0+0(%rbp),%rax\n\tmovq\t%rax,%r9\n\tmulq\t%r10\n\taddq\t%rax,%r14\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r10\n\tmovq\t8+0+0(%rbp),%rax\n\tmulq\t%r11\n\taddq\t%rax,%r15\n\tadcq\t$0,%rdx\n\timulq\t%r12,%r9\n\taddq\t%r10,%r15\n\tadcq\t%rdx,%r9\n\tmovq\t%r13,%r10\n\tmovq\t%r14,%r11\n\tmovq\t%r15,%r12\n\tandq\t$3,%r12\n\tmovq\t%r15,%r13\n\tandq\t$-4,%r13\n\tmovq\t%r9,%r14\n\tshrdq\t$2,%r9,%r15\n\tshrq\t$2,%r9\n\taddq\t%r13,%r15\n\tadcq\t%r14,%r9\n\taddq\t%r15,%r10\n\tadcq\t%r9,%r11\n\tadcq\t$0,%r12\n\n\tleaq\t16(%rdi),%rdi\n.Lseal_sse_tail_64_rounds_and_x1hash:\n\tpaddd\t%xmm4,%xmm0\n\tpxor\t%xmm0,%xmm12\n\tpshufb\t.Lrol16(%rip),%xmm12\n\tpaddd\t%xmm12,%xmm8\n\tpxor\t%xmm8,%xmm4\n\tmovdqa\t%xmm4,%xmm3\n\tpslld\t$12,%xmm3\n\tpsrld\t$20,%xmm4\n\tpxor\t%xmm3,%xmm4\n\tpaddd\t%xmm4,%xmm0\n\tpxor\t%xmm0,%xmm12\n\tpshufb\t.Lrol8(%rip),%xmm12\n\tpaddd\t%xmm12,%xmm8\n\tpxor\t%xmm8,%xmm4\n\tmovdqa\t%xmm4,%xmm3\n\tpslld\t$7,%xmm3\n\tpsrld\t$25,%xmm4\n\tpxor\t%xmm3,%xmm4\n.byte\t102,15,58,15,228,4\n.byte\t102,69,15,58,15,192,8\n.byte\t102,69,15,58,15,228,12\n\tpaddd\t%xmm4,%xmm0\n\tpxor\t%xmm0,%xmm12\n\tpshufb\t.Lrol16(%rip),%xmm12\n\tpaddd\t%xmm12,%xmm8\n\tpxor\t%xmm8,%xmm4\n\tmovdqa\t%xmm4,%xmm3\n\tpslld\t$12,%xmm3\n\tpsrld\t$20,%xmm4\n\tpxor\t%xmm3,%xmm4\n\tpaddd\t%xmm4,%xmm0\n\tpxor\t%xmm0,%xmm12\n\tpshufb\t.Lrol8(%rip),%xmm12\n\tpaddd\t%xmm12,%xmm8\n\tpxor\t%xmm8,%xmm4\n\tmovdqa\t%xmm4,%xmm3\n\tpslld\t$7,%xmm3\n\tpsrld\t$25,%xmm4\n\tpxor\t%xmm3,%xmm4\n.byte\t102,15,58,15,228,12\n.byte\t102,69,15,58,15,192,8\n.byte\t102,69,15,58,15,228,4\n\taddq\t0+0(%rdi),%r10\n\tadcq\t8+0(%rdi),%r11\n\tadcq\t$1,%r12\n\tmovq\t0+0+0(%rbp),%rax\n\tmovq\t%rax,%r15\n\tmulq\t%r10\n\tmovq\t%rax,%r13\n\tmovq\t%rdx,%r14\n\tmovq\t0+0+0(%rbp),%rax\n\tmulq\t%r11\n\timulq\t%r12,%r15\n\taddq\t%rax,%r14\n\tadcq\t%rdx,%r15\n\tmovq\t8+0+0(%rbp),%rax\n\tmovq\t%rax,%r9\n\tmulq\t%r10\n\taddq\t%rax,%r14\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r10\n\tmovq\t8+0+0(%rbp),%rax\n\tmulq\t%r11\n\taddq\t%rax,%r15\n\tadcq\t$0,%rdx\n\timulq\t%r12,%r9\n\taddq\t%r10,%r15\n\tadcq\t%rdx,%r9\n\tmovq\t%r13,%r10\n\tmovq\t%r14,%r11\n\tmovq\t%r15,%r12\n\tandq\t$3,%r12\n\tmovq\t%r15,%r13\n\tandq\t$-4,%r13\n\tmovq\t%r9,%r14\n\tshrdq\t$2,%r9,%r15\n\tshrq\t$2,%r9\n\taddq\t%r13,%r15\n\tadcq\t%r14,%r9\n\taddq\t%r15,%r10\n\tadcq\t%r9,%r11\n\tadcq\t$0,%r12\n\n\tleaq\t16(%rdi),%rdi\n\tdecq\t%rcx\n\tjg\t.Lseal_sse_tail_64_rounds_and_x2hash\n\tdecq\t%r8\n\tjge\t.Lseal_sse_tail_64_rounds_and_x1hash\n\tpaddd\t.Lchacha20_consts(%rip),%xmm0\n\tpaddd\t0+48(%rbp),%xmm4\n\tpaddd\t0+64(%rbp),%xmm8\n\tpaddd\t0+96(%rbp),%xmm12\n\n\tjmp\t.Lseal_sse_128_tail_xor\n\n.Lseal_sse_tail_128:\n\tmovdqa\t.Lchacha20_consts(%rip),%xmm0\n\tmovdqa\t0+48(%rbp),%xmm4\n\tmovdqa\t0+64(%rbp),%xmm8\n\tmovdqa\t%xmm0,%xmm1\n\tmovdqa\t%xmm4,%xmm5\n\tmovdqa\t%xmm8,%xmm9\n\tmovdqa\t0+96(%rbp),%xmm13\n\tpaddd\t.Lsse_inc(%rip),%xmm13\n\tmovdqa\t%xmm13,%xmm12\n\tpaddd\t.Lsse_inc(%rip),%xmm12\n\tmovdqa\t%xmm12,0+96(%rbp)\n\tmovdqa\t%xmm13,0+112(%rbp)\n\n.Lseal_sse_tail_128_rounds_and_x2hash:\n\taddq\t0+0(%rdi),%r10\n\tadcq\t8+0(%rdi),%r11\n\tadcq\t$1,%r12\n\tmovq\t0+0+0(%rbp),%rax\n\tmovq\t%rax,%r15\n\tmulq\t%r10\n\tmovq\t%rax,%r13\n\tmovq\t%rdx,%r14\n\tmovq\t0+0+0(%rbp),%rax\n\tmulq\t%r11\n\timulq\t%r12,%r15\n\taddq\t%rax,%r14\n\tadcq\t%rdx,%r15\n\tmovq\t8+0+0(%rbp),%rax\n\tmovq\t%rax,%r9\n\tmulq\t%r10\n\taddq\t%rax,%r14\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r10\n\tmovq\t8+0+0(%rbp),%rax\n\tmulq\t%r11\n\taddq\t%rax,%r15\n\tadcq\t$0,%rdx\n\timulq\t%r12,%r9\n\taddq\t%r10,%r15\n\tadcq\t%rdx,%r9\n\tmovq\t%r13,%r10\n\tmovq\t%r14,%r11\n\tmovq\t%r15,%r12\n\tandq\t$3,%r12\n\tmovq\t%r15,%r13\n\tandq\t$-4,%r13\n\tmovq\t%r9,%r14\n\tshrdq\t$2,%r9,%r15\n\tshrq\t$2,%r9\n\taddq\t%r13,%r15\n\tadcq\t%r14,%r9\n\taddq\t%r15,%r10\n\tadcq\t%r9,%r11\n\tadcq\t$0,%r12\n\n\tleaq\t16(%rdi),%rdi\n.Lseal_sse_tail_128_rounds_and_x1hash:\n\tpaddd\t%xmm4,%xmm0\n\tpxor\t%xmm0,%xmm12\n\tpshufb\t.Lrol16(%rip),%xmm12\n\tpaddd\t%xmm12,%xmm8\n\tpxor\t%xmm8,%xmm4\n\tmovdqa\t%xmm4,%xmm3\n\tpslld\t$12,%xmm3\n\tpsrld\t$20,%xmm4\n\tpxor\t%xmm3,%xmm4\n\tpaddd\t%xmm4,%xmm0\n\tpxor\t%xmm0,%xmm12\n\tpshufb\t.Lrol8(%rip),%xmm12\n\tpaddd\t%xmm12,%xmm8\n\tpxor\t%xmm8,%xmm4\n\tmovdqa\t%xmm4,%xmm3\n\tpslld\t$7,%xmm3\n\tpsrld\t$25,%xmm4\n\tpxor\t%xmm3,%xmm4\n.byte\t102,15,58,15,228,4\n.byte\t102,69,15,58,15,192,8\n.byte\t102,69,15,58,15,228,12\n\tpaddd\t%xmm5,%xmm1\n\tpxor\t%xmm1,%xmm13\n\tpshufb\t.Lrol16(%rip),%xmm13\n\tpaddd\t%xmm13,%xmm9\n\tpxor\t%xmm9,%xmm5\n\tmovdqa\t%xmm5,%xmm3\n\tpslld\t$12,%xmm3\n\tpsrld\t$20,%xmm5\n\tpxor\t%xmm3,%xmm5\n\tpaddd\t%xmm5,%xmm1\n\tpxor\t%xmm1,%xmm13\n\tpshufb\t.Lrol8(%rip),%xmm13\n\tpaddd\t%xmm13,%xmm9\n\tpxor\t%xmm9,%xmm5\n\tmovdqa\t%xmm5,%xmm3\n\tpslld\t$7,%xmm3\n\tpsrld\t$25,%xmm5\n\tpxor\t%xmm3,%xmm5\n.byte\t102,15,58,15,237,4\n.byte\t102,69,15,58,15,201,8\n.byte\t102,69,15,58,15,237,12\n\taddq\t0+0(%rdi),%r10\n\tadcq\t8+0(%rdi),%r11\n\tadcq\t$1,%r12\n\tmovq\t0+0+0(%rbp),%rax\n\tmovq\t%rax,%r15\n\tmulq\t%r10\n\tmovq\t%rax,%r13\n\tmovq\t%rdx,%r14\n\tmovq\t0+0+0(%rbp),%rax\n\tmulq\t%r11\n\timulq\t%r12,%r15\n\taddq\t%rax,%r14\n\tadcq\t%rdx,%r15\n\tmovq\t8+0+0(%rbp),%rax\n\tmovq\t%rax,%r9\n\tmulq\t%r10\n\taddq\t%rax,%r14\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r10\n\tmovq\t8+0+0(%rbp),%rax\n\tmulq\t%r11\n\taddq\t%rax,%r15\n\tadcq\t$0,%rdx\n\timulq\t%r12,%r9\n\taddq\t%r10,%r15\n\tadcq\t%rdx,%r9\n\tmovq\t%r13,%r10\n\tmovq\t%r14,%r11\n\tmovq\t%r15,%r12\n\tandq\t$3,%r12\n\tmovq\t%r15,%r13\n\tandq\t$-4,%r13\n\tmovq\t%r9,%r14\n\tshrdq\t$2,%r9,%r15\n\tshrq\t$2,%r9\n\taddq\t%r13,%r15\n\tadcq\t%r14,%r9\n\taddq\t%r15,%r10\n\tadcq\t%r9,%r11\n\tadcq\t$0,%r12\n\tpaddd\t%xmm4,%xmm0\n\tpxor\t%xmm0,%xmm12\n\tpshufb\t.Lrol16(%rip),%xmm12\n\tpaddd\t%xmm12,%xmm8\n\tpxor\t%xmm8,%xmm4\n\tmovdqa\t%xmm4,%xmm3\n\tpslld\t$12,%xmm3\n\tpsrld\t$20,%xmm4\n\tpxor\t%xmm3,%xmm4\n\tpaddd\t%xmm4,%xmm0\n\tpxor\t%xmm0,%xmm12\n\tpshufb\t.Lrol8(%rip),%xmm12\n\tpaddd\t%xmm12,%xmm8\n\tpxor\t%xmm8,%xmm4\n\tmovdqa\t%xmm4,%xmm3\n\tpslld\t$7,%xmm3\n\tpsrld\t$25,%xmm4\n\tpxor\t%xmm3,%xmm4\n.byte\t102,15,58,15,228,12\n.byte\t102,69,15,58,15,192,8\n.byte\t102,69,15,58,15,228,4\n\tpaddd\t%xmm5,%xmm1\n\tpxor\t%xmm1,%xmm13\n\tpshufb\t.Lrol16(%rip),%xmm13\n\tpaddd\t%xmm13,%xmm9\n\tpxor\t%xmm9,%xmm5\n\tmovdqa\t%xmm5,%xmm3\n\tpslld\t$12,%xmm3\n\tpsrld\t$20,%xmm5\n\tpxor\t%xmm3,%xmm5\n\tpaddd\t%xmm5,%xmm1\n\tpxor\t%xmm1,%xmm13\n\tpshufb\t.Lrol8(%rip),%xmm13\n\tpaddd\t%xmm13,%xmm9\n\tpxor\t%xmm9,%xmm5\n\tmovdqa\t%xmm5,%xmm3\n\tpslld\t$7,%xmm3\n\tpsrld\t$25,%xmm5\n\tpxor\t%xmm3,%xmm5\n.byte\t102,15,58,15,237,12\n.byte\t102,69,15,58,15,201,8\n.byte\t102,69,15,58,15,237,4\n\n\tleaq\t16(%rdi),%rdi\n\tdecq\t%rcx\n\tjg\t.Lseal_sse_tail_128_rounds_and_x2hash\n\tdecq\t%r8\n\tjge\t.Lseal_sse_tail_128_rounds_and_x1hash\n\tpaddd\t.Lchacha20_consts(%rip),%xmm1\n\tpaddd\t0+48(%rbp),%xmm5\n\tpaddd\t0+64(%rbp),%xmm9\n\tpaddd\t0+112(%rbp),%xmm13\n\tpaddd\t.Lchacha20_consts(%rip),%xmm0\n\tpaddd\t0+48(%rbp),%xmm4\n\tpaddd\t0+64(%rbp),%xmm8\n\tpaddd\t0+96(%rbp),%xmm12\n\tmovdqu\t0 + 0(%rsi),%xmm3\n\tmovdqu\t16 + 0(%rsi),%xmm7\n\tmovdqu\t32 + 0(%rsi),%xmm11\n\tmovdqu\t48 + 0(%rsi),%xmm15\n\tpxor\t%xmm3,%xmm1\n\tpxor\t%xmm7,%xmm5\n\tpxor\t%xmm11,%xmm9\n\tpxor\t%xmm13,%xmm15\n\tmovdqu\t%xmm1,0 + 0(%rdi)\n\tmovdqu\t%xmm5,16 + 0(%rdi)\n\tmovdqu\t%xmm9,32 + 0(%rdi)\n\tmovdqu\t%xmm15,48 + 0(%rdi)\n\n\tmovq\t$64,%rcx\n\tsubq\t$64,%rbx\n\tleaq\t64(%rsi),%rsi\n\tjmp\t.Lseal_sse_128_tail_hash\n\n.Lseal_sse_tail_192:\n\tmovdqa\t.Lchacha20_consts(%rip),%xmm0\n\tmovdqa\t0+48(%rbp),%xmm4\n\tmovdqa\t0+64(%rbp),%xmm8\n\tmovdqa\t%xmm0,%xmm1\n\tmovdqa\t%xmm4,%xmm5\n\tmovdqa\t%xmm8,%xmm9\n\tmovdqa\t%xmm0,%xmm2\n\tmovdqa\t%xmm4,%xmm6\n\tmovdqa\t%xmm8,%xmm10\n\tmovdqa\t0+96(%rbp),%xmm14\n\tpaddd\t.Lsse_inc(%rip),%xmm14\n\tmovdqa\t%xmm14,%xmm13\n\tpaddd\t.Lsse_inc(%rip),%xmm13\n\tmovdqa\t%xmm13,%xmm12\n\tpaddd\t.Lsse_inc(%rip),%xmm12\n\tmovdqa\t%xmm12,0+96(%rbp)\n\tmovdqa\t%xmm13,0+112(%rbp)\n\tmovdqa\t%xmm14,0+128(%rbp)\n\n.Lseal_sse_tail_192_rounds_and_x2hash:\n\taddq\t0+0(%rdi),%r10\n\tadcq\t8+0(%rdi),%r11\n\tadcq\t$1,%r12\n\tmovq\t0+0+0(%rbp),%rax\n\tmovq\t%rax,%r15\n\tmulq\t%r10\n\tmovq\t%rax,%r13\n\tmovq\t%rdx,%r14\n\tmovq\t0+0+0(%rbp),%rax\n\tmulq\t%r11\n\timulq\t%r12,%r15\n\taddq\t%rax,%r14\n\tadcq\t%rdx,%r15\n\tmovq\t8+0+0(%rbp),%rax\n\tmovq\t%rax,%r9\n\tmulq\t%r10\n\taddq\t%rax,%r14\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r10\n\tmovq\t8+0+0(%rbp),%rax\n\tmulq\t%r11\n\taddq\t%rax,%r15\n\tadcq\t$0,%rdx\n\timulq\t%r12,%r9\n\taddq\t%r10,%r15\n\tadcq\t%rdx,%r9\n\tmovq\t%r13,%r10\n\tmovq\t%r14,%r11\n\tmovq\t%r15,%r12\n\tandq\t$3,%r12\n\tmovq\t%r15,%r13\n\tandq\t$-4,%r13\n\tmovq\t%r9,%r14\n\tshrdq\t$2,%r9,%r15\n\tshrq\t$2,%r9\n\taddq\t%r13,%r15\n\tadcq\t%r14,%r9\n\taddq\t%r15,%r10\n\tadcq\t%r9,%r11\n\tadcq\t$0,%r12\n\n\tleaq\t16(%rdi),%rdi\n.Lseal_sse_tail_192_rounds_and_x1hash:\n\tpaddd\t%xmm4,%xmm0\n\tpxor\t%xmm0,%xmm12\n\tpshufb\t.Lrol16(%rip),%xmm12\n\tpaddd\t%xmm12,%xmm8\n\tpxor\t%xmm8,%xmm4\n\tmovdqa\t%xmm4,%xmm3\n\tpslld\t$12,%xmm3\n\tpsrld\t$20,%xmm4\n\tpxor\t%xmm3,%xmm4\n\tpaddd\t%xmm4,%xmm0\n\tpxor\t%xmm0,%xmm12\n\tpshufb\t.Lrol8(%rip),%xmm12\n\tpaddd\t%xmm12,%xmm8\n\tpxor\t%xmm8,%xmm4\n\tmovdqa\t%xmm4,%xmm3\n\tpslld\t$7,%xmm3\n\tpsrld\t$25,%xmm4\n\tpxor\t%xmm3,%xmm4\n.byte\t102,15,58,15,228,4\n.byte\t102,69,15,58,15,192,8\n.byte\t102,69,15,58,15,228,12\n\tpaddd\t%xmm5,%xmm1\n\tpxor\t%xmm1,%xmm13\n\tpshufb\t.Lrol16(%rip),%xmm13\n\tpaddd\t%xmm13,%xmm9\n\tpxor\t%xmm9,%xmm5\n\tmovdqa\t%xmm5,%xmm3\n\tpslld\t$12,%xmm3\n\tpsrld\t$20,%xmm5\n\tpxor\t%xmm3,%xmm5\n\tpaddd\t%xmm5,%xmm1\n\tpxor\t%xmm1,%xmm13\n\tpshufb\t.Lrol8(%rip),%xmm13\n\tpaddd\t%xmm13,%xmm9\n\tpxor\t%xmm9,%xmm5\n\tmovdqa\t%xmm5,%xmm3\n\tpslld\t$7,%xmm3\n\tpsrld\t$25,%xmm5\n\tpxor\t%xmm3,%xmm5\n.byte\t102,15,58,15,237,4\n.byte\t102,69,15,58,15,201,8\n.byte\t102,69,15,58,15,237,12\n\tpaddd\t%xmm6,%xmm2\n\tpxor\t%xmm2,%xmm14\n\tpshufb\t.Lrol16(%rip),%xmm14\n\tpaddd\t%xmm14,%xmm10\n\tpxor\t%xmm10,%xmm6\n\tmovdqa\t%xmm6,%xmm3\n\tpslld\t$12,%xmm3\n\tpsrld\t$20,%xmm6\n\tpxor\t%xmm3,%xmm6\n\tpaddd\t%xmm6,%xmm2\n\tpxor\t%xmm2,%xmm14\n\tpshufb\t.Lrol8(%rip),%xmm14\n\tpaddd\t%xmm14,%xmm10\n\tpxor\t%xmm10,%xmm6\n\tmovdqa\t%xmm6,%xmm3\n\tpslld\t$7,%xmm3\n\tpsrld\t$25,%xmm6\n\tpxor\t%xmm3,%xmm6\n.byte\t102,15,58,15,246,4\n.byte\t102,69,15,58,15,210,8\n.byte\t102,69,15,58,15,246,12\n\taddq\t0+0(%rdi),%r10\n\tadcq\t8+0(%rdi),%r11\n\tadcq\t$1,%r12\n\tmovq\t0+0+0(%rbp),%rax\n\tmovq\t%rax,%r15\n\tmulq\t%r10\n\tmovq\t%rax,%r13\n\tmovq\t%rdx,%r14\n\tmovq\t0+0+0(%rbp),%rax\n\tmulq\t%r11\n\timulq\t%r12,%r15\n\taddq\t%rax,%r14\n\tadcq\t%rdx,%r15\n\tmovq\t8+0+0(%rbp),%rax\n\tmovq\t%rax,%r9\n\tmulq\t%r10\n\taddq\t%rax,%r14\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r10\n\tmovq\t8+0+0(%rbp),%rax\n\tmulq\t%r11\n\taddq\t%rax,%r15\n\tadcq\t$0,%rdx\n\timulq\t%r12,%r9\n\taddq\t%r10,%r15\n\tadcq\t%rdx,%r9\n\tmovq\t%r13,%r10\n\tmovq\t%r14,%r11\n\tmovq\t%r15,%r12\n\tandq\t$3,%r12\n\tmovq\t%r15,%r13\n\tandq\t$-4,%r13\n\tmovq\t%r9,%r14\n\tshrdq\t$2,%r9,%r15\n\tshrq\t$2,%r9\n\taddq\t%r13,%r15\n\tadcq\t%r14,%r9\n\taddq\t%r15,%r10\n\tadcq\t%r9,%r11\n\tadcq\t$0,%r12\n\tpaddd\t%xmm4,%xmm0\n\tpxor\t%xmm0,%xmm12\n\tpshufb\t.Lrol16(%rip),%xmm12\n\tpaddd\t%xmm12,%xmm8\n\tpxor\t%xmm8,%xmm4\n\tmovdqa\t%xmm4,%xmm3\n\tpslld\t$12,%xmm3\n\tpsrld\t$20,%xmm4\n\tpxor\t%xmm3,%xmm4\n\tpaddd\t%xmm4,%xmm0\n\tpxor\t%xmm0,%xmm12\n\tpshufb\t.Lrol8(%rip),%xmm12\n\tpaddd\t%xmm12,%xmm8\n\tpxor\t%xmm8,%xmm4\n\tmovdqa\t%xmm4,%xmm3\n\tpslld\t$7,%xmm3\n\tpsrld\t$25,%xmm4\n\tpxor\t%xmm3,%xmm4\n.byte\t102,15,58,15,228,12\n.byte\t102,69,15,58,15,192,8\n.byte\t102,69,15,58,15,228,4\n\tpaddd\t%xmm5,%xmm1\n\tpxor\t%xmm1,%xmm13\n\tpshufb\t.Lrol16(%rip),%xmm13\n\tpaddd\t%xmm13,%xmm9\n\tpxor\t%xmm9,%xmm5\n\tmovdqa\t%xmm5,%xmm3\n\tpslld\t$12,%xmm3\n\tpsrld\t$20,%xmm5\n\tpxor\t%xmm3,%xmm5\n\tpaddd\t%xmm5,%xmm1\n\tpxor\t%xmm1,%xmm13\n\tpshufb\t.Lrol8(%rip),%xmm13\n\tpaddd\t%xmm13,%xmm9\n\tpxor\t%xmm9,%xmm5\n\tmovdqa\t%xmm5,%xmm3\n\tpslld\t$7,%xmm3\n\tpsrld\t$25,%xmm5\n\tpxor\t%xmm3,%xmm5\n.byte\t102,15,58,15,237,12\n.byte\t102,69,15,58,15,201,8\n.byte\t102,69,15,58,15,237,4\n\tpaddd\t%xmm6,%xmm2\n\tpxor\t%xmm2,%xmm14\n\tpshufb\t.Lrol16(%rip),%xmm14\n\tpaddd\t%xmm14,%xmm10\n\tpxor\t%xmm10,%xmm6\n\tmovdqa\t%xmm6,%xmm3\n\tpslld\t$12,%xmm3\n\tpsrld\t$20,%xmm6\n\tpxor\t%xmm3,%xmm6\n\tpaddd\t%xmm6,%xmm2\n\tpxor\t%xmm2,%xmm14\n\tpshufb\t.Lrol8(%rip),%xmm14\n\tpaddd\t%xmm14,%xmm10\n\tpxor\t%xmm10,%xmm6\n\tmovdqa\t%xmm6,%xmm3\n\tpslld\t$7,%xmm3\n\tpsrld\t$25,%xmm6\n\tpxor\t%xmm3,%xmm6\n.byte\t102,15,58,15,246,12\n.byte\t102,69,15,58,15,210,8\n.byte\t102,69,15,58,15,246,4\n\n\tleaq\t16(%rdi),%rdi\n\tdecq\t%rcx\n\tjg\t.Lseal_sse_tail_192_rounds_and_x2hash\n\tdecq\t%r8\n\tjge\t.Lseal_sse_tail_192_rounds_and_x1hash\n\tpaddd\t.Lchacha20_consts(%rip),%xmm2\n\tpaddd\t0+48(%rbp),%xmm6\n\tpaddd\t0+64(%rbp),%xmm10\n\tpaddd\t0+128(%rbp),%xmm14\n\tpaddd\t.Lchacha20_consts(%rip),%xmm1\n\tpaddd\t0+48(%rbp),%xmm5\n\tpaddd\t0+64(%rbp),%xmm9\n\tpaddd\t0+112(%rbp),%xmm13\n\tpaddd\t.Lchacha20_consts(%rip),%xmm0\n\tpaddd\t0+48(%rbp),%xmm4\n\tpaddd\t0+64(%rbp),%xmm8\n\tpaddd\t0+96(%rbp),%xmm12\n\tmovdqu\t0 + 0(%rsi),%xmm3\n\tmovdqu\t16 + 0(%rsi),%xmm7\n\tmovdqu\t32 + 0(%rsi),%xmm11\n\tmovdqu\t48 + 0(%rsi),%xmm15\n\tpxor\t%xmm3,%xmm2\n\tpxor\t%xmm7,%xmm6\n\tpxor\t%xmm11,%xmm10\n\tpxor\t%xmm14,%xmm15\n\tmovdqu\t%xmm2,0 + 0(%rdi)\n\tmovdqu\t%xmm6,16 + 0(%rdi)\n\tmovdqu\t%xmm10,32 + 0(%rdi)\n\tmovdqu\t%xmm15,48 + 0(%rdi)\n\tmovdqu\t0 + 64(%rsi),%xmm3\n\tmovdqu\t16 + 64(%rsi),%xmm7\n\tmovdqu\t32 + 64(%rsi),%xmm11\n\tmovdqu\t48 + 64(%rsi),%xmm15\n\tpxor\t%xmm3,%xmm1\n\tpxor\t%xmm7,%xmm5\n\tpxor\t%xmm11,%xmm9\n\tpxor\t%xmm13,%xmm15\n\tmovdqu\t%xmm1,0 + 64(%rdi)\n\tmovdqu\t%xmm5,16 + 64(%rdi)\n\tmovdqu\t%xmm9,32 + 64(%rdi)\n\tmovdqu\t%xmm15,48 + 64(%rdi)\n\n\tmovq\t$128,%rcx\n\tsubq\t$128,%rbx\n\tleaq\t128(%rsi),%rsi\n\n.Lseal_sse_128_tail_hash:\n\tcmpq\t$16,%rcx\n\tjb\t.Lseal_sse_128_tail_xor\n\taddq\t0+0(%rdi),%r10\n\tadcq\t8+0(%rdi),%r11\n\tadcq\t$1,%r12\n\tmovq\t0+0+0(%rbp),%rax\n\tmovq\t%rax,%r15\n\tmulq\t%r10\n\tmovq\t%rax,%r13\n\tmovq\t%rdx,%r14\n\tmovq\t0+0+0(%rbp),%rax\n\tmulq\t%r11\n\timulq\t%r12,%r15\n\taddq\t%rax,%r14\n\tadcq\t%rdx,%r15\n\tmovq\t8+0+0(%rbp),%rax\n\tmovq\t%rax,%r9\n\tmulq\t%r10\n\taddq\t%rax,%r14\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r10\n\tmovq\t8+0+0(%rbp),%rax\n\tmulq\t%r11\n\taddq\t%rax,%r15\n\tadcq\t$0,%rdx\n\timulq\t%r12,%r9\n\taddq\t%r10,%r15\n\tadcq\t%rdx,%r9\n\tmovq\t%r13,%r10\n\tmovq\t%r14,%r11\n\tmovq\t%r15,%r12\n\tandq\t$3,%r12\n\tmovq\t%r15,%r13\n\tandq\t$-4,%r13\n\tmovq\t%r9,%r14\n\tshrdq\t$2,%r9,%r15\n\tshrq\t$2,%r9\n\taddq\t%r13,%r15\n\tadcq\t%r14,%r9\n\taddq\t%r15,%r10\n\tadcq\t%r9,%r11\n\tadcq\t$0,%r12\n\n\tsubq\t$16,%rcx\n\tleaq\t16(%rdi),%rdi\n\tjmp\t.Lseal_sse_128_tail_hash\n\n.Lseal_sse_128_tail_xor:\n\tcmpq\t$16,%rbx\n\tjb\t.Lseal_sse_tail_16\n\tsubq\t$16,%rbx\n\n\tmovdqu\t0(%rsi),%xmm3\n\tpxor\t%xmm3,%xmm0\n\tmovdqu\t%xmm0,0(%rdi)\n\n\taddq\t0(%rdi),%r10\n\tadcq\t8(%rdi),%r11\n\tadcq\t$1,%r12\n\tleaq\t16(%rsi),%rsi\n\tleaq\t16(%rdi),%rdi\n\tmovq\t0+0+0(%rbp),%rax\n\tmovq\t%rax,%r15\n\tmulq\t%r10\n\tmovq\t%rax,%r13\n\tmovq\t%rdx,%r14\n\tmovq\t0+0+0(%rbp),%rax\n\tmulq\t%r11\n\timulq\t%r12,%r15\n\taddq\t%rax,%r14\n\tadcq\t%rdx,%r15\n\tmovq\t8+0+0(%rbp),%rax\n\tmovq\t%rax,%r9\n\tmulq\t%r10\n\taddq\t%rax,%r14\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r10\n\tmovq\t8+0+0(%rbp),%rax\n\tmulq\t%r11\n\taddq\t%rax,%r15\n\tadcq\t$0,%rdx\n\timulq\t%r12,%r9\n\taddq\t%r10,%r15\n\tadcq\t%rdx,%r9\n\tmovq\t%r13,%r10\n\tmovq\t%r14,%r11\n\tmovq\t%r15,%r12\n\tandq\t$3,%r12\n\tmovq\t%r15,%r13\n\tandq\t$-4,%r13\n\tmovq\t%r9,%r14\n\tshrdq\t$2,%r9,%r15\n\tshrq\t$2,%r9\n\taddq\t%r13,%r15\n\tadcq\t%r14,%r9\n\taddq\t%r15,%r10\n\tadcq\t%r9,%r11\n\tadcq\t$0,%r12\n\n\n\tmovdqa\t%xmm4,%xmm0\n\tmovdqa\t%xmm8,%xmm4\n\tmovdqa\t%xmm12,%xmm8\n\tmovdqa\t%xmm1,%xmm12\n\tmovdqa\t%xmm5,%xmm1\n\tmovdqa\t%xmm9,%xmm5\n\tmovdqa\t%xmm13,%xmm9\n\tjmp\t.Lseal_sse_128_tail_xor\n\n.Lseal_sse_tail_16:\n\ttestq\t%rbx,%rbx\n\tjz\t.Lprocess_blocks_of_extra_in\n\n\tmovq\t%rbx,%r8\n\tmovq\t%rbx,%rcx\n\tleaq\t-1(%rsi,%rbx,1),%rsi\n\tpxor\t%xmm15,%xmm15\n.Lseal_sse_tail_16_compose:\n\tpslldq\t$1,%xmm15\n\tpinsrb\t$0,(%rsi),%xmm15\n\tleaq\t-1(%rsi),%rsi\n\tdecq\t%rcx\n\tjne\t.Lseal_sse_tail_16_compose\n\n\n\tpxor\t%xmm0,%xmm15\n\n\n\tmovq\t%rbx,%rcx\n\tmovdqu\t%xmm15,%xmm0\n.Lseal_sse_tail_16_extract:\n\tpextrb\t$0,%xmm0,(%rdi)\n\tpsrldq\t$1,%xmm0\n\taddq\t$1,%rdi\n\tsubq\t$1,%rcx\n\tjnz\t.Lseal_sse_tail_16_extract\n\n\n\n\n\n\n\n\n\tmovq\t288 + 0 + 32(%rsp),%r9\n\tmovq\t56(%r9),%r14\n\tmovq\t48(%r9),%r13\n\ttestq\t%r14,%r14\n\tjz\t.Lprocess_partial_block\n\n\tmovq\t$16,%r15\n\tsubq\t%rbx,%r15\n\tcmpq\t%r15,%r14\n\n\tjge\t.Lload_extra_in\n\tmovq\t%r14,%r15\n\n.Lload_extra_in:\n\n\n\tleaq\t-1(%r13,%r15,1),%rsi\n\n\n\taddq\t%r15,%r13\n\tsubq\t%r15,%r14\n\tmovq\t%r13,48(%r9)\n\tmovq\t%r14,56(%r9)\n\n\n\n\taddq\t%r15,%r8\n\n\n\tpxor\t%xmm11,%xmm11\n.Lload_extra_load_loop:\n\tpslldq\t$1,%xmm11\n\tpinsrb\t$0,(%rsi),%xmm11\n\tleaq\t-1(%rsi),%rsi\n\tsubq\t$1,%r15\n\tjnz\t.Lload_extra_load_loop\n\n\n\n\n\tmovq\t%rbx,%r15\n\n.Lload_extra_shift_loop:\n\tpslldq\t$1,%xmm11\n\tsubq\t$1,%r15\n\tjnz\t.Lload_extra_shift_loop\n\n\n\n\n\tleaq\t.Land_masks(%rip),%r15\n\tshlq\t$4,%rbx\n\tpand\t-16(%r15,%rbx,1),%xmm15\n\n\n\tpor\t%xmm11,%xmm15\n\n\n\n.byte\t102,77,15,126,253\n\tpextrq\t$1,%xmm15,%r14\n\taddq\t%r13,%r10\n\tadcq\t%r14,%r11\n\tadcq\t$1,%r12\n\tmovq\t0+0+0(%rbp),%rax\n\tmovq\t%rax,%r15\n\tmulq\t%r10\n\tmovq\t%rax,%r13\n\tmovq\t%rdx,%r14\n\tmovq\t0+0+0(%rbp),%rax\n\tmulq\t%r11\n\timulq\t%r12,%r15\n\taddq\t%rax,%r14\n\tadcq\t%rdx,%r15\n\tmovq\t8+0+0(%rbp),%rax\n\tmovq\t%rax,%r9\n\tmulq\t%r10\n\taddq\t%rax,%r14\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r10\n\tmovq\t8+0+0(%rbp),%rax\n\tmulq\t%r11\n\taddq\t%rax,%r15\n\tadcq\t$0,%rdx\n\timulq\t%r12,%r9\n\taddq\t%r10,%r15\n\tadcq\t%rdx,%r9\n\tmovq\t%r13,%r10\n\tmovq\t%r14,%r11\n\tmovq\t%r15,%r12\n\tandq\t$3,%r12\n\tmovq\t%r15,%r13\n\tandq\t$-4,%r13\n\tmovq\t%r9,%r14\n\tshrdq\t$2,%r9,%r15\n\tshrq\t$2,%r9\n\taddq\t%r13,%r15\n\tadcq\t%r14,%r9\n\taddq\t%r15,%r10\n\tadcq\t%r9,%r11\n\tadcq\t$0,%r12\n\n\n.Lprocess_blocks_of_extra_in:\n\n\tmovq\t288+32+0 (%rsp),%r9\n\tmovq\t48(%r9),%rsi\n\tmovq\t56(%r9),%r8\n\tmovq\t%r8,%rcx\n\tshrq\t$4,%r8\n\n.Lprocess_extra_hash_loop:\n\tjz\tprocess_extra_in_trailer\n\taddq\t0+0(%rsi),%r10\n\tadcq\t8+0(%rsi),%r11\n\tadcq\t$1,%r12\n\tmovq\t0+0+0(%rbp),%rax\n\tmovq\t%rax,%r15\n\tmulq\t%r10\n\tmovq\t%rax,%r13\n\tmovq\t%rdx,%r14\n\tmovq\t0+0+0(%rbp),%rax\n\tmulq\t%r11\n\timulq\t%r12,%r15\n\taddq\t%rax,%r14\n\tadcq\t%rdx,%r15\n\tmovq\t8+0+0(%rbp),%rax\n\tmovq\t%rax,%r9\n\tmulq\t%r10\n\taddq\t%rax,%r14\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r10\n\tmovq\t8+0+0(%rbp),%rax\n\tmulq\t%r11\n\taddq\t%rax,%r15\n\tadcq\t$0,%rdx\n\timulq\t%r12,%r9\n\taddq\t%r10,%r15\n\tadcq\t%rdx,%r9\n\tmovq\t%r13,%r10\n\tmovq\t%r14,%r11\n\tmovq\t%r15,%r12\n\tandq\t$3,%r12\n\tmovq\t%r15,%r13\n\tandq\t$-4,%r13\n\tmovq\t%r9,%r14\n\tshrdq\t$2,%r9,%r15\n\tshrq\t$2,%r9\n\taddq\t%r13,%r15\n\tadcq\t%r14,%r9\n\taddq\t%r15,%r10\n\tadcq\t%r9,%r11\n\tadcq\t$0,%r12\n\n\tleaq\t16(%rsi),%rsi\n\tsubq\t$1,%r8\n\tjmp\t.Lprocess_extra_hash_loop\nprocess_extra_in_trailer:\n\tandq\t$15,%rcx\n\tmovq\t%rcx,%rbx\n\tjz\t.Ldo_length_block\n\tleaq\t-1(%rsi,%rcx,1),%rsi\n\n.Lprocess_extra_in_trailer_load:\n\tpslldq\t$1,%xmm15\n\tpinsrb\t$0,(%rsi),%xmm15\n\tleaq\t-1(%rsi),%rsi\n\tsubq\t$1,%rcx\n\tjnz\t.Lprocess_extra_in_trailer_load\n\n.Lprocess_partial_block:\n\n\tleaq\t.Land_masks(%rip),%r15\n\tshlq\t$4,%rbx\n\tpand\t-16(%r15,%rbx,1),%xmm15\n.byte\t102,77,15,126,253\n\tpextrq\t$1,%xmm15,%r14\n\taddq\t%r13,%r10\n\tadcq\t%r14,%r11\n\tadcq\t$1,%r12\n\tmovq\t0+0+0(%rbp),%rax\n\tmovq\t%rax,%r15\n\tmulq\t%r10\n\tmovq\t%rax,%r13\n\tmovq\t%rdx,%r14\n\tmovq\t0+0+0(%rbp),%rax\n\tmulq\t%r11\n\timulq\t%r12,%r15\n\taddq\t%rax,%r14\n\tadcq\t%rdx,%r15\n\tmovq\t8+0+0(%rbp),%rax\n\tmovq\t%rax,%r9\n\tmulq\t%r10\n\taddq\t%rax,%r14\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r10\n\tmovq\t8+0+0(%rbp),%rax\n\tmulq\t%r11\n\taddq\t%rax,%r15\n\tadcq\t$0,%rdx\n\timulq\t%r12,%r9\n\taddq\t%r10,%r15\n\tadcq\t%rdx,%r9\n\tmovq\t%r13,%r10\n\tmovq\t%r14,%r11\n\tmovq\t%r15,%r12\n\tandq\t$3,%r12\n\tmovq\t%r15,%r13\n\tandq\t$-4,%r13\n\tmovq\t%r9,%r14\n\tshrdq\t$2,%r9,%r15\n\tshrq\t$2,%r9\n\taddq\t%r13,%r15\n\tadcq\t%r14,%r9\n\taddq\t%r15,%r10\n\tadcq\t%r9,%r11\n\tadcq\t$0,%r12\n\n\n.Ldo_length_block:\n\taddq\t0+0+32(%rbp),%r10\n\tadcq\t8+0+32(%rbp),%r11\n\tadcq\t$1,%r12\n\tmovq\t0+0+0(%rbp),%rax\n\tmovq\t%rax,%r15\n\tmulq\t%r10\n\tmovq\t%rax,%r13\n\tmovq\t%rdx,%r14\n\tmovq\t0+0+0(%rbp),%rax\n\tmulq\t%r11\n\timulq\t%r12,%r15\n\taddq\t%rax,%r14\n\tadcq\t%rdx,%r15\n\tmovq\t8+0+0(%rbp),%rax\n\tmovq\t%rax,%r9\n\tmulq\t%r10\n\taddq\t%rax,%r14\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r10\n\tmovq\t8+0+0(%rbp),%rax\n\tmulq\t%r11\n\taddq\t%rax,%r15\n\tadcq\t$0,%rdx\n\timulq\t%r12,%r9\n\taddq\t%r10,%r15\n\tadcq\t%rdx,%r9\n\tmovq\t%r13,%r10\n\tmovq\t%r14,%r11\n\tmovq\t%r15,%r12\n\tandq\t$3,%r12\n\tmovq\t%r15,%r13\n\tandq\t$-4,%r13\n\tmovq\t%r9,%r14\n\tshrdq\t$2,%r9,%r15\n\tshrq\t$2,%r9\n\taddq\t%r13,%r15\n\tadcq\t%r14,%r9\n\taddq\t%r15,%r10\n\tadcq\t%r9,%r11\n\tadcq\t$0,%r12\n\n\n\tmovq\t%r10,%r13\n\tmovq\t%r11,%r14\n\tmovq\t%r12,%r15\n\tsubq\t$-5,%r10\n\tsbbq\t$-1,%r11\n\tsbbq\t$3,%r12\n\tcmovcq\t%r13,%r10\n\tcmovcq\t%r14,%r11\n\tcmovcq\t%r15,%r12\n\n\taddq\t0+0+16(%rbp),%r10\n\tadcq\t8+0+16(%rbp),%r11\n\n.cfi_remember_state\t\n\taddq\t$288 + 0 + 32,%rsp\n.cfi_adjust_cfa_offset\t-(288 + 32)\n\n\tpopq\t%r9\n.cfi_adjust_cfa_offset\t-8\n.cfi_restore\t%r9\n\tmovq\t%r10,(%r9)\n\tmovq\t%r11,8(%r9)\n\tpopq\t%r15\n.cfi_adjust_cfa_offset\t-8\n.cfi_restore\t%r15\n\tpopq\t%r14\n.cfi_adjust_cfa_offset\t-8\n.cfi_restore\t%r14\n\tpopq\t%r13\n.cfi_adjust_cfa_offset\t-8\n.cfi_restore\t%r13\n\tpopq\t%r12\n.cfi_adjust_cfa_offset\t-8\n.cfi_restore\t%r12\n\tpopq\t%rbx\n.cfi_adjust_cfa_offset\t-8\n.cfi_restore\t%rbx\n\tpopq\t%rbp\n.cfi_adjust_cfa_offset\t-8\n.cfi_restore\t%rbp\n\tret\n\n.Lseal_sse_128:\n.cfi_restore_state\t\n\tmovdqu\t.Lchacha20_consts(%rip),%xmm0\n\tmovdqa\t%xmm0,%xmm1\n\tmovdqa\t%xmm0,%xmm2\n\tmovdqu\t0(%r9),%xmm4\n\tmovdqa\t%xmm4,%xmm5\n\tmovdqa\t%xmm4,%xmm6\n\tmovdqu\t16(%r9),%xmm8\n\tmovdqa\t%xmm8,%xmm9\n\tmovdqa\t%xmm8,%xmm10\n\tmovdqu\t32(%r9),%xmm14\n\tmovdqa\t%xmm14,%xmm12\n\tpaddd\t.Lsse_inc(%rip),%xmm12\n\tmovdqa\t%xmm12,%xmm13\n\tpaddd\t.Lsse_inc(%rip),%xmm13\n\tmovdqa\t%xmm4,%xmm7\n\tmovdqa\t%xmm8,%xmm11\n\tmovdqa\t%xmm12,%xmm15\n\tmovq\t$10,%r10\n\n.Lseal_sse_128_rounds:\n\tpaddd\t%xmm4,%xmm0\n\tpxor\t%xmm0,%xmm12\n\tpshufb\t.Lrol16(%rip),%xmm12\n\tpaddd\t%xmm12,%xmm8\n\tpxor\t%xmm8,%xmm4\n\tmovdqa\t%xmm4,%xmm3\n\tpslld\t$12,%xmm3\n\tpsrld\t$20,%xmm4\n\tpxor\t%xmm3,%xmm4\n\tpaddd\t%xmm4,%xmm0\n\tpxor\t%xmm0,%xmm12\n\tpshufb\t.Lrol8(%rip),%xmm12\n\tpaddd\t%xmm12,%xmm8\n\tpxor\t%xmm8,%xmm4\n\tmovdqa\t%xmm4,%xmm3\n\tpslld\t$7,%xmm3\n\tpsrld\t$25,%xmm4\n\tpxor\t%xmm3,%xmm4\n.byte\t102,15,58,15,228,4\n.byte\t102,69,15,58,15,192,8\n.byte\t102,69,15,58,15,228,12\n\tpaddd\t%xmm5,%xmm1\n\tpxor\t%xmm1,%xmm13\n\tpshufb\t.Lrol16(%rip),%xmm13\n\tpaddd\t%xmm13,%xmm9\n\tpxor\t%xmm9,%xmm5\n\tmovdqa\t%xmm5,%xmm3\n\tpslld\t$12,%xmm3\n\tpsrld\t$20,%xmm5\n\tpxor\t%xmm3,%xmm5\n\tpaddd\t%xmm5,%xmm1\n\tpxor\t%xmm1,%xmm13\n\tpshufb\t.Lrol8(%rip),%xmm13\n\tpaddd\t%xmm13,%xmm9\n\tpxor\t%xmm9,%xmm5\n\tmovdqa\t%xmm5,%xmm3\n\tpslld\t$7,%xmm3\n\tpsrld\t$25,%xmm5\n\tpxor\t%xmm3,%xmm5\n.byte\t102,15,58,15,237,4\n.byte\t102,69,15,58,15,201,8\n.byte\t102,69,15,58,15,237,12\n\tpaddd\t%xmm6,%xmm2\n\tpxor\t%xmm2,%xmm14\n\tpshufb\t.Lrol16(%rip),%xmm14\n\tpaddd\t%xmm14,%xmm10\n\tpxor\t%xmm10,%xmm6\n\tmovdqa\t%xmm6,%xmm3\n\tpslld\t$12,%xmm3\n\tpsrld\t$20,%xmm6\n\tpxor\t%xmm3,%xmm6\n\tpaddd\t%xmm6,%xmm2\n\tpxor\t%xmm2,%xmm14\n\tpshufb\t.Lrol8(%rip),%xmm14\n\tpaddd\t%xmm14,%xmm10\n\tpxor\t%xmm10,%xmm6\n\tmovdqa\t%xmm6,%xmm3\n\tpslld\t$7,%xmm3\n\tpsrld\t$25,%xmm6\n\tpxor\t%xmm3,%xmm6\n.byte\t102,15,58,15,246,4\n.byte\t102,69,15,58,15,210,8\n.byte\t102,69,15,58,15,246,12\n\tpaddd\t%xmm4,%xmm0\n\tpxor\t%xmm0,%xmm12\n\tpshufb\t.Lrol16(%rip),%xmm12\n\tpaddd\t%xmm12,%xmm8\n\tpxor\t%xmm8,%xmm4\n\tmovdqa\t%xmm4,%xmm3\n\tpslld\t$12,%xmm3\n\tpsrld\t$20,%xmm4\n\tpxor\t%xmm3,%xmm4\n\tpaddd\t%xmm4,%xmm0\n\tpxor\t%xmm0,%xmm12\n\tpshufb\t.Lrol8(%rip),%xmm12\n\tpaddd\t%xmm12,%xmm8\n\tpxor\t%xmm8,%xmm4\n\tmovdqa\t%xmm4,%xmm3\n\tpslld\t$7,%xmm3\n\tpsrld\t$25,%xmm4\n\tpxor\t%xmm3,%xmm4\n.byte\t102,15,58,15,228,12\n.byte\t102,69,15,58,15,192,8\n.byte\t102,69,15,58,15,228,4\n\tpaddd\t%xmm5,%xmm1\n\tpxor\t%xmm1,%xmm13\n\tpshufb\t.Lrol16(%rip),%xmm13\n\tpaddd\t%xmm13,%xmm9\n\tpxor\t%xmm9,%xmm5\n\tmovdqa\t%xmm5,%xmm3\n\tpslld\t$12,%xmm3\n\tpsrld\t$20,%xmm5\n\tpxor\t%xmm3,%xmm5\n\tpaddd\t%xmm5,%xmm1\n\tpxor\t%xmm1,%xmm13\n\tpshufb\t.Lrol8(%rip),%xmm13\n\tpaddd\t%xmm13,%xmm9\n\tpxor\t%xmm9,%xmm5\n\tmovdqa\t%xmm5,%xmm3\n\tpslld\t$7,%xmm3\n\tpsrld\t$25,%xmm5\n\tpxor\t%xmm3,%xmm5\n.byte\t102,15,58,15,237,12\n.byte\t102,69,15,58,15,201,8\n.byte\t102,69,15,58,15,237,4\n\tpaddd\t%xmm6,%xmm2\n\tpxor\t%xmm2,%xmm14\n\tpshufb\t.Lrol16(%rip),%xmm14\n\tpaddd\t%xmm14,%xmm10\n\tpxor\t%xmm10,%xmm6\n\tmovdqa\t%xmm6,%xmm3\n\tpslld\t$12,%xmm3\n\tpsrld\t$20,%xmm6\n\tpxor\t%xmm3,%xmm6\n\tpaddd\t%xmm6,%xmm2\n\tpxor\t%xmm2,%xmm14\n\tpshufb\t.Lrol8(%rip),%xmm14\n\tpaddd\t%xmm14,%xmm10\n\tpxor\t%xmm10,%xmm6\n\tmovdqa\t%xmm6,%xmm3\n\tpslld\t$7,%xmm3\n\tpsrld\t$25,%xmm6\n\tpxor\t%xmm3,%xmm6\n.byte\t102,15,58,15,246,12\n.byte\t102,69,15,58,15,210,8\n.byte\t102,69,15,58,15,246,4\n\n\tdecq\t%r10\n\tjnz\t.Lseal_sse_128_rounds\n\tpaddd\t.Lchacha20_consts(%rip),%xmm0\n\tpaddd\t.Lchacha20_consts(%rip),%xmm1\n\tpaddd\t.Lchacha20_consts(%rip),%xmm2\n\tpaddd\t%xmm7,%xmm4\n\tpaddd\t%xmm7,%xmm5\n\tpaddd\t%xmm7,%xmm6\n\tpaddd\t%xmm11,%xmm8\n\tpaddd\t%xmm11,%xmm9\n\tpaddd\t%xmm15,%xmm12\n\tpaddd\t.Lsse_inc(%rip),%xmm15\n\tpaddd\t%xmm15,%xmm13\n\n\tpand\t.Lclamp(%rip),%xmm2\n\tmovdqa\t%xmm2,0+0(%rbp)\n\tmovdqa\t%xmm6,0+16(%rbp)\n\n\tmovq\t%r8,%r8\n\tcall\tpoly_hash_ad_internal\n\tjmp\t.Lseal_sse_128_tail_xor\n.size\tchacha20_poly1305_seal_nohw, .-chacha20_poly1305_seal_nohw\n.cfi_endproc\t\n\n\n.globl\tchacha20_poly1305_open_avx2\n.hidden chacha20_poly1305_open_avx2\n.type\tchacha20_poly1305_open_avx2,@function\n.align\t64\nchacha20_poly1305_open_avx2:\n.cfi_startproc\t\n_CET_ENDBR\n\tpushq\t%rbp\n.cfi_adjust_cfa_offset\t8\n.cfi_offset\t%rbp,-16\n\tpushq\t%rbx\n.cfi_adjust_cfa_offset\t8\n.cfi_offset\t%rbx,-24\n\tpushq\t%r12\n.cfi_adjust_cfa_offset\t8\n.cfi_offset\t%r12,-32\n\tpushq\t%r13\n.cfi_adjust_cfa_offset\t8\n.cfi_offset\t%r13,-40\n\tpushq\t%r14\n.cfi_adjust_cfa_offset\t8\n.cfi_offset\t%r14,-48\n\tpushq\t%r15\n.cfi_adjust_cfa_offset\t8\n.cfi_offset\t%r15,-56\n\n\n\tpushq\t%r9\n.cfi_adjust_cfa_offset\t8\n.cfi_offset\t%r9,-64\n\tsubq\t$288 + 0 + 32,%rsp\n.cfi_adjust_cfa_offset\t288 + 32\n\n\tleaq\t32(%rsp),%rbp\n\tandq\t$-32,%rbp\n\n\tmovq\t%rdx,%rbx\n\tmovq\t%r8,0+0+32(%rbp)\n\tmovq\t%rbx,8+0+32(%rbp)\n\n\tvzeroupper\n\tvmovdqa\t.Lchacha20_consts(%rip),%ymm0\n\tvbroadcasti128\t0(%r9),%ymm4\n\tvbroadcasti128\t16(%r9),%ymm8\n\tvbroadcasti128\t32(%r9),%ymm12\n\tvpaddd\t.Lavx2_init(%rip),%ymm12,%ymm12\n\tcmpq\t$192,%rbx\n\tjbe\t.Lopen_avx2_192\n\tcmpq\t$320,%rbx\n\tjbe\t.Lopen_avx2_320\n\n\tvmovdqa\t%ymm4,0+64(%rbp)\n\tvmovdqa\t%ymm8,0+96(%rbp)\n\tvmovdqa\t%ymm12,0+160(%rbp)\n\tmovq\t$10,%r10\n.Lopen_avx2_init_rounds:\n\tvpaddd\t%ymm4,%ymm0,%ymm0\n\tvpxor\t%ymm0,%ymm12,%ymm12\n\tvpshufb\t.Lrol16(%rip),%ymm12,%ymm12\n\tvpaddd\t%ymm12,%ymm8,%ymm8\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvpsrld\t$20,%ymm4,%ymm3\n\tvpslld\t$12,%ymm4,%ymm4\n\tvpxor\t%ymm3,%ymm4,%ymm4\n\tvpaddd\t%ymm4,%ymm0,%ymm0\n\tvpxor\t%ymm0,%ymm12,%ymm12\n\tvpshufb\t.Lrol8(%rip),%ymm12,%ymm12\n\tvpaddd\t%ymm12,%ymm8,%ymm8\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvpslld\t$7,%ymm4,%ymm3\n\tvpsrld\t$25,%ymm4,%ymm4\n\tvpxor\t%ymm3,%ymm4,%ymm4\n\tvpalignr\t$12,%ymm12,%ymm12,%ymm12\n\tvpalignr\t$8,%ymm8,%ymm8,%ymm8\n\tvpalignr\t$4,%ymm4,%ymm4,%ymm4\n\tvpaddd\t%ymm4,%ymm0,%ymm0\n\tvpxor\t%ymm0,%ymm12,%ymm12\n\tvpshufb\t.Lrol16(%rip),%ymm12,%ymm12\n\tvpaddd\t%ymm12,%ymm8,%ymm8\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvpsrld\t$20,%ymm4,%ymm3\n\tvpslld\t$12,%ymm4,%ymm4\n\tvpxor\t%ymm3,%ymm4,%ymm4\n\tvpaddd\t%ymm4,%ymm0,%ymm0\n\tvpxor\t%ymm0,%ymm12,%ymm12\n\tvpshufb\t.Lrol8(%rip),%ymm12,%ymm12\n\tvpaddd\t%ymm12,%ymm8,%ymm8\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvpslld\t$7,%ymm4,%ymm3\n\tvpsrld\t$25,%ymm4,%ymm4\n\tvpxor\t%ymm3,%ymm4,%ymm4\n\tvpalignr\t$4,%ymm12,%ymm12,%ymm12\n\tvpalignr\t$8,%ymm8,%ymm8,%ymm8\n\tvpalignr\t$12,%ymm4,%ymm4,%ymm4\n\n\tdecq\t%r10\n\tjne\t.Lopen_avx2_init_rounds\n\tvpaddd\t.Lchacha20_consts(%rip),%ymm0,%ymm0\n\tvpaddd\t0+64(%rbp),%ymm4,%ymm4\n\tvpaddd\t0+96(%rbp),%ymm8,%ymm8\n\tvpaddd\t0+160(%rbp),%ymm12,%ymm12\n\n\tvperm2i128\t$0x02,%ymm0,%ymm4,%ymm3\n\n\tvpand\t.Lclamp(%rip),%ymm3,%ymm3\n\tvmovdqa\t%ymm3,0+0(%rbp)\n\n\tvperm2i128\t$0x13,%ymm0,%ymm4,%ymm0\n\tvperm2i128\t$0x13,%ymm8,%ymm12,%ymm4\n\n\tmovq\t%r8,%r8\n\tcall\tpoly_hash_ad_internal\n\n\txorq\t%rcx,%rcx\n.Lopen_avx2_init_hash:\n\taddq\t0+0(%rsi,%rcx,1),%r10\n\tadcq\t8+0(%rsi,%rcx,1),%r11\n\tadcq\t$1,%r12\n\tmovq\t0+0+0(%rbp),%rax\n\tmovq\t%rax,%r15\n\tmulq\t%r10\n\tmovq\t%rax,%r13\n\tmovq\t%rdx,%r14\n\tmovq\t0+0+0(%rbp),%rax\n\tmulq\t%r11\n\timulq\t%r12,%r15\n\taddq\t%rax,%r14\n\tadcq\t%rdx,%r15\n\tmovq\t8+0+0(%rbp),%rax\n\tmovq\t%rax,%r9\n\tmulq\t%r10\n\taddq\t%rax,%r14\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r10\n\tmovq\t8+0+0(%rbp),%rax\n\tmulq\t%r11\n\taddq\t%rax,%r15\n\tadcq\t$0,%rdx\n\timulq\t%r12,%r9\n\taddq\t%r10,%r15\n\tadcq\t%rdx,%r9\n\tmovq\t%r13,%r10\n\tmovq\t%r14,%r11\n\tmovq\t%r15,%r12\n\tandq\t$3,%r12\n\tmovq\t%r15,%r13\n\tandq\t$-4,%r13\n\tmovq\t%r9,%r14\n\tshrdq\t$2,%r9,%r15\n\tshrq\t$2,%r9\n\taddq\t%r13,%r15\n\tadcq\t%r14,%r9\n\taddq\t%r15,%r10\n\tadcq\t%r9,%r11\n\tadcq\t$0,%r12\n\n\taddq\t$16,%rcx\n\tcmpq\t$64,%rcx\n\tjne\t.Lopen_avx2_init_hash\n\n\tvpxor\t0(%rsi),%ymm0,%ymm0\n\tvpxor\t32(%rsi),%ymm4,%ymm4\n\n\tvmovdqu\t%ymm0,0(%rdi)\n\tvmovdqu\t%ymm4,32(%rdi)\n\tleaq\t64(%rsi),%rsi\n\tleaq\t64(%rdi),%rdi\n\tsubq\t$64,%rbx\n.Lopen_avx2_main_loop:\n\n\tcmpq\t$512,%rbx\n\tjb\t.Lopen_avx2_main_loop_done\n\tvmovdqa\t.Lchacha20_consts(%rip),%ymm0\n\tvmovdqa\t0+64(%rbp),%ymm4\n\tvmovdqa\t0+96(%rbp),%ymm8\n\tvmovdqa\t%ymm0,%ymm1\n\tvmovdqa\t%ymm4,%ymm5\n\tvmovdqa\t%ymm8,%ymm9\n\tvmovdqa\t%ymm0,%ymm2\n\tvmovdqa\t%ymm4,%ymm6\n\tvmovdqa\t%ymm8,%ymm10\n\tvmovdqa\t%ymm0,%ymm3\n\tvmovdqa\t%ymm4,%ymm7\n\tvmovdqa\t%ymm8,%ymm11\n\tvmovdqa\t.Lavx2_inc(%rip),%ymm12\n\tvpaddd\t0+160(%rbp),%ymm12,%ymm15\n\tvpaddd\t%ymm15,%ymm12,%ymm14\n\tvpaddd\t%ymm14,%ymm12,%ymm13\n\tvpaddd\t%ymm13,%ymm12,%ymm12\n\tvmovdqa\t%ymm15,0+256(%rbp)\n\tvmovdqa\t%ymm14,0+224(%rbp)\n\tvmovdqa\t%ymm13,0+192(%rbp)\n\tvmovdqa\t%ymm12,0+160(%rbp)\n\n\txorq\t%rcx,%rcx\n.Lopen_avx2_main_loop_rounds:\n\taddq\t0+0(%rsi,%rcx,1),%r10\n\tadcq\t8+0(%rsi,%rcx,1),%r11\n\tadcq\t$1,%r12\n\tvmovdqa\t%ymm8,0+128(%rbp)\n\tvmovdqa\t.Lrol16(%rip),%ymm8\n\tvpaddd\t%ymm7,%ymm3,%ymm3\n\tvpaddd\t%ymm6,%ymm2,%ymm2\n\tvpaddd\t%ymm5,%ymm1,%ymm1\n\tvpaddd\t%ymm4,%ymm0,%ymm0\n\tvpxor\t%ymm3,%ymm15,%ymm15\n\tvpxor\t%ymm2,%ymm14,%ymm14\n\tvpxor\t%ymm1,%ymm13,%ymm13\n\tvpxor\t%ymm0,%ymm12,%ymm12\n\tmovq\t0+0+0(%rbp),%rdx\n\tmovq\t%rdx,%r15\n\tmulxq\t%r10,%r13,%r14\n\tmulxq\t%r11,%rax,%rdx\n\timulq\t%r12,%r15\n\taddq\t%rax,%r14\n\tadcq\t%rdx,%r15\n\tvpshufb\t%ymm8,%ymm15,%ymm15\n\tvpshufb\t%ymm8,%ymm14,%ymm14\n\tvpshufb\t%ymm8,%ymm13,%ymm13\n\tvpshufb\t%ymm8,%ymm12,%ymm12\n\tvpaddd\t%ymm15,%ymm11,%ymm11\n\tvpaddd\t%ymm14,%ymm10,%ymm10\n\tvpaddd\t%ymm13,%ymm9,%ymm9\n\tvpaddd\t0+128(%rbp),%ymm12,%ymm8\n\tvpxor\t%ymm11,%ymm7,%ymm7\n\tmovq\t8+0+0(%rbp),%rdx\n\tmulxq\t%r10,%r10,%rax\n\taddq\t%r10,%r14\n\tmulxq\t%r11,%r11,%r9\n\tadcq\t%r11,%r15\n\tadcq\t$0,%r9\n\timulq\t%r12,%rdx\n\tvpxor\t%ymm10,%ymm6,%ymm6\n\tvpxor\t%ymm9,%ymm5,%ymm5\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvmovdqa\t%ymm8,0+128(%rbp)\n\tvpsrld\t$20,%ymm7,%ymm8\n\tvpslld\t$32-20,%ymm7,%ymm7\n\tvpxor\t%ymm8,%ymm7,%ymm7\n\tvpsrld\t$20,%ymm6,%ymm8\n\tvpslld\t$32-20,%ymm6,%ymm6\n\tvpxor\t%ymm8,%ymm6,%ymm6\n\tvpsrld\t$20,%ymm5,%ymm8\n\tvpslld\t$32-20,%ymm5,%ymm5\n\taddq\t%rax,%r15\n\tadcq\t%rdx,%r9\n\tvpxor\t%ymm8,%ymm5,%ymm5\n\tvpsrld\t$20,%ymm4,%ymm8\n\tvpslld\t$32-20,%ymm4,%ymm4\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvmovdqa\t.Lrol8(%rip),%ymm8\n\tvpaddd\t%ymm7,%ymm3,%ymm3\n\tvpaddd\t%ymm6,%ymm2,%ymm2\n\tvpaddd\t%ymm5,%ymm1,%ymm1\n\tvpaddd\t%ymm4,%ymm0,%ymm0\n\tvpxor\t%ymm3,%ymm15,%ymm15\n\tmovq\t%r13,%r10\n\tmovq\t%r14,%r11\n\tmovq\t%r15,%r12\n\tandq\t$3,%r12\n\tmovq\t%r15,%r13\n\tandq\t$-4,%r13\n\tmovq\t%r9,%r14\n\tshrdq\t$2,%r9,%r15\n\tshrq\t$2,%r9\n\taddq\t%r13,%r15\n\tadcq\t%r14,%r9\n\taddq\t%r15,%r10\n\tadcq\t%r9,%r11\n\tadcq\t$0,%r12\n\tvpxor\t%ymm2,%ymm14,%ymm14\n\tvpxor\t%ymm1,%ymm13,%ymm13\n\tvpxor\t%ymm0,%ymm12,%ymm12\n\tvpshufb\t%ymm8,%ymm15,%ymm15\n\tvpshufb\t%ymm8,%ymm14,%ymm14\n\tvpshufb\t%ymm8,%ymm13,%ymm13\n\tvpshufb\t%ymm8,%ymm12,%ymm12\n\tvpaddd\t%ymm15,%ymm11,%ymm11\n\tvpaddd\t%ymm14,%ymm10,%ymm10\n\taddq\t0+16(%rsi,%rcx,1),%r10\n\tadcq\t8+16(%rsi,%rcx,1),%r11\n\tadcq\t$1,%r12\n\tvpaddd\t%ymm13,%ymm9,%ymm9\n\tvpaddd\t0+128(%rbp),%ymm12,%ymm8\n\tvpxor\t%ymm11,%ymm7,%ymm7\n\tvpxor\t%ymm10,%ymm6,%ymm6\n\tvpxor\t%ymm9,%ymm5,%ymm5\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvmovdqa\t%ymm8,0+128(%rbp)\n\tvpsrld\t$25,%ymm7,%ymm8\n\tmovq\t0+0+0(%rbp),%rdx\n\tmovq\t%rdx,%r15\n\tmulxq\t%r10,%r13,%r14\n\tmulxq\t%r11,%rax,%rdx\n\timulq\t%r12,%r15\n\taddq\t%rax,%r14\n\tadcq\t%rdx,%r15\n\tvpslld\t$32-25,%ymm7,%ymm7\n\tvpxor\t%ymm8,%ymm7,%ymm7\n\tvpsrld\t$25,%ymm6,%ymm8\n\tvpslld\t$32-25,%ymm6,%ymm6\n\tvpxor\t%ymm8,%ymm6,%ymm6\n\tvpsrld\t$25,%ymm5,%ymm8\n\tvpslld\t$32-25,%ymm5,%ymm5\n\tvpxor\t%ymm8,%ymm5,%ymm5\n\tvpsrld\t$25,%ymm4,%ymm8\n\tvpslld\t$32-25,%ymm4,%ymm4\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvmovdqa\t0+128(%rbp),%ymm8\n\tvpalignr\t$4,%ymm7,%ymm7,%ymm7\n\tvpalignr\t$8,%ymm11,%ymm11,%ymm11\n\tvpalignr\t$12,%ymm15,%ymm15,%ymm15\n\tvpalignr\t$4,%ymm6,%ymm6,%ymm6\n\tvpalignr\t$8,%ymm10,%ymm10,%ymm10\n\tvpalignr\t$12,%ymm14,%ymm14,%ymm14\n\tmovq\t8+0+0(%rbp),%rdx\n\tmulxq\t%r10,%r10,%rax\n\taddq\t%r10,%r14\n\tmulxq\t%r11,%r11,%r9\n\tadcq\t%r11,%r15\n\tadcq\t$0,%r9\n\timulq\t%r12,%rdx\n\tvpalignr\t$4,%ymm5,%ymm5,%ymm5\n\tvpalignr\t$8,%ymm9,%ymm9,%ymm9\n\tvpalignr\t$12,%ymm13,%ymm13,%ymm13\n\tvpalignr\t$4,%ymm4,%ymm4,%ymm4\n\tvpalignr\t$8,%ymm8,%ymm8,%ymm8\n\tvpalignr\t$12,%ymm12,%ymm12,%ymm12\n\tvmovdqa\t%ymm8,0+128(%rbp)\n\tvmovdqa\t.Lrol16(%rip),%ymm8\n\tvpaddd\t%ymm7,%ymm3,%ymm3\n\tvpaddd\t%ymm6,%ymm2,%ymm2\n\tvpaddd\t%ymm5,%ymm1,%ymm1\n\tvpaddd\t%ymm4,%ymm0,%ymm0\n\tvpxor\t%ymm3,%ymm15,%ymm15\n\tvpxor\t%ymm2,%ymm14,%ymm14\n\tvpxor\t%ymm1,%ymm13,%ymm13\n\tvpxor\t%ymm0,%ymm12,%ymm12\n\tvpshufb\t%ymm8,%ymm15,%ymm15\n\tvpshufb\t%ymm8,%ymm14,%ymm14\n\taddq\t%rax,%r15\n\tadcq\t%rdx,%r9\n\tvpshufb\t%ymm8,%ymm13,%ymm13\n\tvpshufb\t%ymm8,%ymm12,%ymm12\n\tvpaddd\t%ymm15,%ymm11,%ymm11\n\tvpaddd\t%ymm14,%ymm10,%ymm10\n\tvpaddd\t%ymm13,%ymm9,%ymm9\n\tvpaddd\t0+128(%rbp),%ymm12,%ymm8\n\tvpxor\t%ymm11,%ymm7,%ymm7\n\tvpxor\t%ymm10,%ymm6,%ymm6\n\tvpxor\t%ymm9,%ymm5,%ymm5\n\tmovq\t%r13,%r10\n\tmovq\t%r14,%r11\n\tmovq\t%r15,%r12\n\tandq\t$3,%r12\n\tmovq\t%r15,%r13\n\tandq\t$-4,%r13\n\tmovq\t%r9,%r14\n\tshrdq\t$2,%r9,%r15\n\tshrq\t$2,%r9\n\taddq\t%r13,%r15\n\tadcq\t%r14,%r9\n\taddq\t%r15,%r10\n\tadcq\t%r9,%r11\n\tadcq\t$0,%r12\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvmovdqa\t%ymm8,0+128(%rbp)\n\tvpsrld\t$20,%ymm7,%ymm8\n\tvpslld\t$32-20,%ymm7,%ymm7\n\tvpxor\t%ymm8,%ymm7,%ymm7\n\tvpsrld\t$20,%ymm6,%ymm8\n\tvpslld\t$32-20,%ymm6,%ymm6\n\tvpxor\t%ymm8,%ymm6,%ymm6\n\taddq\t0+32(%rsi,%rcx,1),%r10\n\tadcq\t8+32(%rsi,%rcx,1),%r11\n\tadcq\t$1,%r12\n\n\tleaq\t48(%rcx),%rcx\n\tvpsrld\t$20,%ymm5,%ymm8\n\tvpslld\t$32-20,%ymm5,%ymm5\n\tvpxor\t%ymm8,%ymm5,%ymm5\n\tvpsrld\t$20,%ymm4,%ymm8\n\tvpslld\t$32-20,%ymm4,%ymm4\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvmovdqa\t.Lrol8(%rip),%ymm8\n\tvpaddd\t%ymm7,%ymm3,%ymm3\n\tvpaddd\t%ymm6,%ymm2,%ymm2\n\tvpaddd\t%ymm5,%ymm1,%ymm1\n\tvpaddd\t%ymm4,%ymm0,%ymm0\n\tvpxor\t%ymm3,%ymm15,%ymm15\n\tvpxor\t%ymm2,%ymm14,%ymm14\n\tvpxor\t%ymm1,%ymm13,%ymm13\n\tvpxor\t%ymm0,%ymm12,%ymm12\n\tvpshufb\t%ymm8,%ymm15,%ymm15\n\tvpshufb\t%ymm8,%ymm14,%ymm14\n\tvpshufb\t%ymm8,%ymm13,%ymm13\n\tmovq\t0+0+0(%rbp),%rdx\n\tmovq\t%rdx,%r15\n\tmulxq\t%r10,%r13,%r14\n\tmulxq\t%r11,%rax,%rdx\n\timulq\t%r12,%r15\n\taddq\t%rax,%r14\n\tadcq\t%rdx,%r15\n\tvpshufb\t%ymm8,%ymm12,%ymm12\n\tvpaddd\t%ymm15,%ymm11,%ymm11\n\tvpaddd\t%ymm14,%ymm10,%ymm10\n\tvpaddd\t%ymm13,%ymm9,%ymm9\n\tvpaddd\t0+128(%rbp),%ymm12,%ymm8\n\tvpxor\t%ymm11,%ymm7,%ymm7\n\tvpxor\t%ymm10,%ymm6,%ymm6\n\tvpxor\t%ymm9,%ymm5,%ymm5\n\tmovq\t8+0+0(%rbp),%rdx\n\tmulxq\t%r10,%r10,%rax\n\taddq\t%r10,%r14\n\tmulxq\t%r11,%r11,%r9\n\tadcq\t%r11,%r15\n\tadcq\t$0,%r9\n\timulq\t%r12,%rdx\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvmovdqa\t%ymm8,0+128(%rbp)\n\tvpsrld\t$25,%ymm7,%ymm8\n\tvpslld\t$32-25,%ymm7,%ymm7\n\tvpxor\t%ymm8,%ymm7,%ymm7\n\tvpsrld\t$25,%ymm6,%ymm8\n\tvpslld\t$32-25,%ymm6,%ymm6\n\tvpxor\t%ymm8,%ymm6,%ymm6\n\taddq\t%rax,%r15\n\tadcq\t%rdx,%r9\n\tvpsrld\t$25,%ymm5,%ymm8\n\tvpslld\t$32-25,%ymm5,%ymm5\n\tvpxor\t%ymm8,%ymm5,%ymm5\n\tvpsrld\t$25,%ymm4,%ymm8\n\tvpslld\t$32-25,%ymm4,%ymm4\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvmovdqa\t0+128(%rbp),%ymm8\n\tvpalignr\t$12,%ymm7,%ymm7,%ymm7\n\tvpalignr\t$8,%ymm11,%ymm11,%ymm11\n\tvpalignr\t$4,%ymm15,%ymm15,%ymm15\n\tvpalignr\t$12,%ymm6,%ymm6,%ymm6\n\tvpalignr\t$8,%ymm10,%ymm10,%ymm10\n\tvpalignr\t$4,%ymm14,%ymm14,%ymm14\n\tvpalignr\t$12,%ymm5,%ymm5,%ymm5\n\tvpalignr\t$8,%ymm9,%ymm9,%ymm9\n\tvpalignr\t$4,%ymm13,%ymm13,%ymm13\n\tvpalignr\t$12,%ymm4,%ymm4,%ymm4\n\tvpalignr\t$8,%ymm8,%ymm8,%ymm8\n\tmovq\t%r13,%r10\n\tmovq\t%r14,%r11\n\tmovq\t%r15,%r12\n\tandq\t$3,%r12\n\tmovq\t%r15,%r13\n\tandq\t$-4,%r13\n\tmovq\t%r9,%r14\n\tshrdq\t$2,%r9,%r15\n\tshrq\t$2,%r9\n\taddq\t%r13,%r15\n\tadcq\t%r14,%r9\n\taddq\t%r15,%r10\n\tadcq\t%r9,%r11\n\tadcq\t$0,%r12\n\tvpalignr\t$4,%ymm12,%ymm12,%ymm12\n\n\tcmpq\t$60*8,%rcx\n\tjne\t.Lopen_avx2_main_loop_rounds\n\tvpaddd\t.Lchacha20_consts(%rip),%ymm3,%ymm3\n\tvpaddd\t0+64(%rbp),%ymm7,%ymm7\n\tvpaddd\t0+96(%rbp),%ymm11,%ymm11\n\tvpaddd\t0+256(%rbp),%ymm15,%ymm15\n\tvpaddd\t.Lchacha20_consts(%rip),%ymm2,%ymm2\n\tvpaddd\t0+64(%rbp),%ymm6,%ymm6\n\tvpaddd\t0+96(%rbp),%ymm10,%ymm10\n\tvpaddd\t0+224(%rbp),%ymm14,%ymm14\n\tvpaddd\t.Lchacha20_consts(%rip),%ymm1,%ymm1\n\tvpaddd\t0+64(%rbp),%ymm5,%ymm5\n\tvpaddd\t0+96(%rbp),%ymm9,%ymm9\n\tvpaddd\t0+192(%rbp),%ymm13,%ymm13\n\tvpaddd\t.Lchacha20_consts(%rip),%ymm0,%ymm0\n\tvpaddd\t0+64(%rbp),%ymm4,%ymm4\n\tvpaddd\t0+96(%rbp),%ymm8,%ymm8\n\tvpaddd\t0+160(%rbp),%ymm12,%ymm12\n\n\tvmovdqa\t%ymm0,0+128(%rbp)\n\taddq\t0+60*8(%rsi),%r10\n\tadcq\t8+60*8(%rsi),%r11\n\tadcq\t$1,%r12\n\tvperm2i128\t$0x02,%ymm3,%ymm7,%ymm0\n\tvperm2i128\t$0x13,%ymm3,%ymm7,%ymm7\n\tvperm2i128\t$0x02,%ymm11,%ymm15,%ymm3\n\tvperm2i128\t$0x13,%ymm11,%ymm15,%ymm11\n\tvpxor\t0+0(%rsi),%ymm0,%ymm0\n\tvpxor\t32+0(%rsi),%ymm3,%ymm3\n\tvpxor\t64+0(%rsi),%ymm7,%ymm7\n\tvpxor\t96+0(%rsi),%ymm11,%ymm11\n\tvmovdqu\t%ymm0,0+0(%rdi)\n\tvmovdqu\t%ymm3,32+0(%rdi)\n\tvmovdqu\t%ymm7,64+0(%rdi)\n\tvmovdqu\t%ymm11,96+0(%rdi)\n\n\tvmovdqa\t0+128(%rbp),%ymm0\n\tmovq\t0+0+0(%rbp),%rax\n\tmovq\t%rax,%r15\n\tmulq\t%r10\n\tmovq\t%rax,%r13\n\tmovq\t%rdx,%r14\n\tmovq\t0+0+0(%rbp),%rax\n\tmulq\t%r11\n\timulq\t%r12,%r15\n\taddq\t%rax,%r14\n\tadcq\t%rdx,%r15\n\tmovq\t8+0+0(%rbp),%rax\n\tmovq\t%rax,%r9\n\tmulq\t%r10\n\taddq\t%rax,%r14\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r10\n\tmovq\t8+0+0(%rbp),%rax\n\tmulq\t%r11\n\taddq\t%rax,%r15\n\tadcq\t$0,%rdx\n\timulq\t%r12,%r9\n\taddq\t%r10,%r15\n\tadcq\t%rdx,%r9\n\tmovq\t%r13,%r10\n\tmovq\t%r14,%r11\n\tmovq\t%r15,%r12\n\tandq\t$3,%r12\n\tmovq\t%r15,%r13\n\tandq\t$-4,%r13\n\tmovq\t%r9,%r14\n\tshrdq\t$2,%r9,%r15\n\tshrq\t$2,%r9\n\taddq\t%r13,%r15\n\tadcq\t%r14,%r9\n\taddq\t%r15,%r10\n\tadcq\t%r9,%r11\n\tadcq\t$0,%r12\n\tvperm2i128\t$0x02,%ymm2,%ymm6,%ymm3\n\tvperm2i128\t$0x13,%ymm2,%ymm6,%ymm6\n\tvperm2i128\t$0x02,%ymm10,%ymm14,%ymm2\n\tvperm2i128\t$0x13,%ymm10,%ymm14,%ymm10\n\tvpxor\t0+128(%rsi),%ymm3,%ymm3\n\tvpxor\t32+128(%rsi),%ymm2,%ymm2\n\tvpxor\t64+128(%rsi),%ymm6,%ymm6\n\tvpxor\t96+128(%rsi),%ymm10,%ymm10\n\tvmovdqu\t%ymm3,0+128(%rdi)\n\tvmovdqu\t%ymm2,32+128(%rdi)\n\tvmovdqu\t%ymm6,64+128(%rdi)\n\tvmovdqu\t%ymm10,96+128(%rdi)\n\taddq\t0+60*8+16(%rsi),%r10\n\tadcq\t8+60*8+16(%rsi),%r11\n\tadcq\t$1,%r12\n\tvperm2i128\t$0x02,%ymm1,%ymm5,%ymm3\n\tvperm2i128\t$0x13,%ymm1,%ymm5,%ymm5\n\tvperm2i128\t$0x02,%ymm9,%ymm13,%ymm1\n\tvperm2i128\t$0x13,%ymm9,%ymm13,%ymm9\n\tvpxor\t0+256(%rsi),%ymm3,%ymm3\n\tvpxor\t32+256(%rsi),%ymm1,%ymm1\n\tvpxor\t64+256(%rsi),%ymm5,%ymm5\n\tvpxor\t96+256(%rsi),%ymm9,%ymm9\n\tvmovdqu\t%ymm3,0+256(%rdi)\n\tvmovdqu\t%ymm1,32+256(%rdi)\n\tvmovdqu\t%ymm5,64+256(%rdi)\n\tvmovdqu\t%ymm9,96+256(%rdi)\n\tmovq\t0+0+0(%rbp),%rax\n\tmovq\t%rax,%r15\n\tmulq\t%r10\n\tmovq\t%rax,%r13\n\tmovq\t%rdx,%r14\n\tmovq\t0+0+0(%rbp),%rax\n\tmulq\t%r11\n\timulq\t%r12,%r15\n\taddq\t%rax,%r14\n\tadcq\t%rdx,%r15\n\tmovq\t8+0+0(%rbp),%rax\n\tmovq\t%rax,%r9\n\tmulq\t%r10\n\taddq\t%rax,%r14\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r10\n\tmovq\t8+0+0(%rbp),%rax\n\tmulq\t%r11\n\taddq\t%rax,%r15\n\tadcq\t$0,%rdx\n\timulq\t%r12,%r9\n\taddq\t%r10,%r15\n\tadcq\t%rdx,%r9\n\tmovq\t%r13,%r10\n\tmovq\t%r14,%r11\n\tmovq\t%r15,%r12\n\tandq\t$3,%r12\n\tmovq\t%r15,%r13\n\tandq\t$-4,%r13\n\tmovq\t%r9,%r14\n\tshrdq\t$2,%r9,%r15\n\tshrq\t$2,%r9\n\taddq\t%r13,%r15\n\tadcq\t%r14,%r9\n\taddq\t%r15,%r10\n\tadcq\t%r9,%r11\n\tadcq\t$0,%r12\n\tvperm2i128\t$0x02,%ymm0,%ymm4,%ymm3\n\tvperm2i128\t$0x13,%ymm0,%ymm4,%ymm4\n\tvperm2i128\t$0x02,%ymm8,%ymm12,%ymm0\n\tvperm2i128\t$0x13,%ymm8,%ymm12,%ymm8\n\tvpxor\t0+384(%rsi),%ymm3,%ymm3\n\tvpxor\t32+384(%rsi),%ymm0,%ymm0\n\tvpxor\t64+384(%rsi),%ymm4,%ymm4\n\tvpxor\t96+384(%rsi),%ymm8,%ymm8\n\tvmovdqu\t%ymm3,0+384(%rdi)\n\tvmovdqu\t%ymm0,32+384(%rdi)\n\tvmovdqu\t%ymm4,64+384(%rdi)\n\tvmovdqu\t%ymm8,96+384(%rdi)\n\n\tleaq\t512(%rsi),%rsi\n\tleaq\t512(%rdi),%rdi\n\tsubq\t$512,%rbx\n\tjmp\t.Lopen_avx2_main_loop\n.Lopen_avx2_main_loop_done:\n\ttestq\t%rbx,%rbx\n\tvzeroupper\n\tje\t.Lopen_sse_finalize\n\n\tcmpq\t$384,%rbx\n\tja\t.Lopen_avx2_tail_512\n\tcmpq\t$256,%rbx\n\tja\t.Lopen_avx2_tail_384\n\tcmpq\t$128,%rbx\n\tja\t.Lopen_avx2_tail_256\n\tvmovdqa\t.Lchacha20_consts(%rip),%ymm0\n\tvmovdqa\t0+64(%rbp),%ymm4\n\tvmovdqa\t0+96(%rbp),%ymm8\n\tvmovdqa\t.Lavx2_inc(%rip),%ymm12\n\tvpaddd\t0+160(%rbp),%ymm12,%ymm12\n\tvmovdqa\t%ymm12,0+160(%rbp)\n\n\txorq\t%r8,%r8\n\tmovq\t%rbx,%rcx\n\tandq\t$-16,%rcx\n\ttestq\t%rcx,%rcx\n\tje\t.Lopen_avx2_tail_128_rounds\n.Lopen_avx2_tail_128_rounds_and_x1hash:\n\taddq\t0+0(%rsi,%r8,1),%r10\n\tadcq\t8+0(%rsi,%r8,1),%r11\n\tadcq\t$1,%r12\n\tmovq\t0+0+0(%rbp),%rax\n\tmovq\t%rax,%r15\n\tmulq\t%r10\n\tmovq\t%rax,%r13\n\tmovq\t%rdx,%r14\n\tmovq\t0+0+0(%rbp),%rax\n\tmulq\t%r11\n\timulq\t%r12,%r15\n\taddq\t%rax,%r14\n\tadcq\t%rdx,%r15\n\tmovq\t8+0+0(%rbp),%rax\n\tmovq\t%rax,%r9\n\tmulq\t%r10\n\taddq\t%rax,%r14\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r10\n\tmovq\t8+0+0(%rbp),%rax\n\tmulq\t%r11\n\taddq\t%rax,%r15\n\tadcq\t$0,%rdx\n\timulq\t%r12,%r9\n\taddq\t%r10,%r15\n\tadcq\t%rdx,%r9\n\tmovq\t%r13,%r10\n\tmovq\t%r14,%r11\n\tmovq\t%r15,%r12\n\tandq\t$3,%r12\n\tmovq\t%r15,%r13\n\tandq\t$-4,%r13\n\tmovq\t%r9,%r14\n\tshrdq\t$2,%r9,%r15\n\tshrq\t$2,%r9\n\taddq\t%r13,%r15\n\tadcq\t%r14,%r9\n\taddq\t%r15,%r10\n\tadcq\t%r9,%r11\n\tadcq\t$0,%r12\n\n.Lopen_avx2_tail_128_rounds:\n\taddq\t$16,%r8\n\tvpaddd\t%ymm4,%ymm0,%ymm0\n\tvpxor\t%ymm0,%ymm12,%ymm12\n\tvpshufb\t.Lrol16(%rip),%ymm12,%ymm12\n\tvpaddd\t%ymm12,%ymm8,%ymm8\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvpsrld\t$20,%ymm4,%ymm3\n\tvpslld\t$12,%ymm4,%ymm4\n\tvpxor\t%ymm3,%ymm4,%ymm4\n\tvpaddd\t%ymm4,%ymm0,%ymm0\n\tvpxor\t%ymm0,%ymm12,%ymm12\n\tvpshufb\t.Lrol8(%rip),%ymm12,%ymm12\n\tvpaddd\t%ymm12,%ymm8,%ymm8\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvpslld\t$7,%ymm4,%ymm3\n\tvpsrld\t$25,%ymm4,%ymm4\n\tvpxor\t%ymm3,%ymm4,%ymm4\n\tvpalignr\t$12,%ymm12,%ymm12,%ymm12\n\tvpalignr\t$8,%ymm8,%ymm8,%ymm8\n\tvpalignr\t$4,%ymm4,%ymm4,%ymm4\n\tvpaddd\t%ymm4,%ymm0,%ymm0\n\tvpxor\t%ymm0,%ymm12,%ymm12\n\tvpshufb\t.Lrol16(%rip),%ymm12,%ymm12\n\tvpaddd\t%ymm12,%ymm8,%ymm8\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvpsrld\t$20,%ymm4,%ymm3\n\tvpslld\t$12,%ymm4,%ymm4\n\tvpxor\t%ymm3,%ymm4,%ymm4\n\tvpaddd\t%ymm4,%ymm0,%ymm0\n\tvpxor\t%ymm0,%ymm12,%ymm12\n\tvpshufb\t.Lrol8(%rip),%ymm12,%ymm12\n\tvpaddd\t%ymm12,%ymm8,%ymm8\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvpslld\t$7,%ymm4,%ymm3\n\tvpsrld\t$25,%ymm4,%ymm4\n\tvpxor\t%ymm3,%ymm4,%ymm4\n\tvpalignr\t$4,%ymm12,%ymm12,%ymm12\n\tvpalignr\t$8,%ymm8,%ymm8,%ymm8\n\tvpalignr\t$12,%ymm4,%ymm4,%ymm4\n\n\tcmpq\t%rcx,%r8\n\tjb\t.Lopen_avx2_tail_128_rounds_and_x1hash\n\tcmpq\t$160,%r8\n\tjne\t.Lopen_avx2_tail_128_rounds\n\tvpaddd\t.Lchacha20_consts(%rip),%ymm0,%ymm0\n\tvpaddd\t0+64(%rbp),%ymm4,%ymm4\n\tvpaddd\t0+96(%rbp),%ymm8,%ymm8\n\tvpaddd\t0+160(%rbp),%ymm12,%ymm12\n\tvperm2i128\t$0x13,%ymm0,%ymm4,%ymm3\n\tvperm2i128\t$0x02,%ymm0,%ymm4,%ymm0\n\tvperm2i128\t$0x02,%ymm8,%ymm12,%ymm4\n\tvperm2i128\t$0x13,%ymm8,%ymm12,%ymm12\n\tvmovdqa\t%ymm3,%ymm8\n\n\tjmp\t.Lopen_avx2_tail_128_xor\n\n.Lopen_avx2_tail_256:\n\tvmovdqa\t.Lchacha20_consts(%rip),%ymm0\n\tvmovdqa\t0+64(%rbp),%ymm4\n\tvmovdqa\t0+96(%rbp),%ymm8\n\tvmovdqa\t%ymm0,%ymm1\n\tvmovdqa\t%ymm4,%ymm5\n\tvmovdqa\t%ymm8,%ymm9\n\tvmovdqa\t.Lavx2_inc(%rip),%ymm12\n\tvpaddd\t0+160(%rbp),%ymm12,%ymm13\n\tvpaddd\t%ymm13,%ymm12,%ymm12\n\tvmovdqa\t%ymm12,0+160(%rbp)\n\tvmovdqa\t%ymm13,0+192(%rbp)\n\n\tmovq\t%rbx,0+128(%rbp)\n\tmovq\t%rbx,%rcx\n\tsubq\t$128,%rcx\n\tshrq\t$4,%rcx\n\tmovq\t$10,%r8\n\tcmpq\t$10,%rcx\n\tcmovgq\t%r8,%rcx\n\tmovq\t%rsi,%rbx\n\txorq\t%r8,%r8\n.Lopen_avx2_tail_256_rounds_and_x1hash:\n\taddq\t0+0(%rbx),%r10\n\tadcq\t8+0(%rbx),%r11\n\tadcq\t$1,%r12\n\tmovq\t0+0+0(%rbp),%rdx\n\tmovq\t%rdx,%r15\n\tmulxq\t%r10,%r13,%r14\n\tmulxq\t%r11,%rax,%rdx\n\timulq\t%r12,%r15\n\taddq\t%rax,%r14\n\tadcq\t%rdx,%r15\n\tmovq\t8+0+0(%rbp),%rdx\n\tmulxq\t%r10,%r10,%rax\n\taddq\t%r10,%r14\n\tmulxq\t%r11,%r11,%r9\n\tadcq\t%r11,%r15\n\tadcq\t$0,%r9\n\timulq\t%r12,%rdx\n\taddq\t%rax,%r15\n\tadcq\t%rdx,%r9\n\tmovq\t%r13,%r10\n\tmovq\t%r14,%r11\n\tmovq\t%r15,%r12\n\tandq\t$3,%r12\n\tmovq\t%r15,%r13\n\tandq\t$-4,%r13\n\tmovq\t%r9,%r14\n\tshrdq\t$2,%r9,%r15\n\tshrq\t$2,%r9\n\taddq\t%r13,%r15\n\tadcq\t%r14,%r9\n\taddq\t%r15,%r10\n\tadcq\t%r9,%r11\n\tadcq\t$0,%r12\n\n\tleaq\t16(%rbx),%rbx\n.Lopen_avx2_tail_256_rounds:\n\tvpaddd\t%ymm4,%ymm0,%ymm0\n\tvpxor\t%ymm0,%ymm12,%ymm12\n\tvpshufb\t.Lrol16(%rip),%ymm12,%ymm12\n\tvpaddd\t%ymm12,%ymm8,%ymm8\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvpsrld\t$20,%ymm4,%ymm3\n\tvpslld\t$12,%ymm4,%ymm4\n\tvpxor\t%ymm3,%ymm4,%ymm4\n\tvpaddd\t%ymm4,%ymm0,%ymm0\n\tvpxor\t%ymm0,%ymm12,%ymm12\n\tvpshufb\t.Lrol8(%rip),%ymm12,%ymm12\n\tvpaddd\t%ymm12,%ymm8,%ymm8\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvpslld\t$7,%ymm4,%ymm3\n\tvpsrld\t$25,%ymm4,%ymm4\n\tvpxor\t%ymm3,%ymm4,%ymm4\n\tvpalignr\t$12,%ymm12,%ymm12,%ymm12\n\tvpalignr\t$8,%ymm8,%ymm8,%ymm8\n\tvpalignr\t$4,%ymm4,%ymm4,%ymm4\n\tvpaddd\t%ymm5,%ymm1,%ymm1\n\tvpxor\t%ymm1,%ymm13,%ymm13\n\tvpshufb\t.Lrol16(%rip),%ymm13,%ymm13\n\tvpaddd\t%ymm13,%ymm9,%ymm9\n\tvpxor\t%ymm9,%ymm5,%ymm5\n\tvpsrld\t$20,%ymm5,%ymm3\n\tvpslld\t$12,%ymm5,%ymm5\n\tvpxor\t%ymm3,%ymm5,%ymm5\n\tvpaddd\t%ymm5,%ymm1,%ymm1\n\tvpxor\t%ymm1,%ymm13,%ymm13\n\tvpshufb\t.Lrol8(%rip),%ymm13,%ymm13\n\tvpaddd\t%ymm13,%ymm9,%ymm9\n\tvpxor\t%ymm9,%ymm5,%ymm5\n\tvpslld\t$7,%ymm5,%ymm3\n\tvpsrld\t$25,%ymm5,%ymm5\n\tvpxor\t%ymm3,%ymm5,%ymm5\n\tvpalignr\t$12,%ymm13,%ymm13,%ymm13\n\tvpalignr\t$8,%ymm9,%ymm9,%ymm9\n\tvpalignr\t$4,%ymm5,%ymm5,%ymm5\n\n\tincq\t%r8\n\tvpaddd\t%ymm4,%ymm0,%ymm0\n\tvpxor\t%ymm0,%ymm12,%ymm12\n\tvpshufb\t.Lrol16(%rip),%ymm12,%ymm12\n\tvpaddd\t%ymm12,%ymm8,%ymm8\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvpsrld\t$20,%ymm4,%ymm3\n\tvpslld\t$12,%ymm4,%ymm4\n\tvpxor\t%ymm3,%ymm4,%ymm4\n\tvpaddd\t%ymm4,%ymm0,%ymm0\n\tvpxor\t%ymm0,%ymm12,%ymm12\n\tvpshufb\t.Lrol8(%rip),%ymm12,%ymm12\n\tvpaddd\t%ymm12,%ymm8,%ymm8\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvpslld\t$7,%ymm4,%ymm3\n\tvpsrld\t$25,%ymm4,%ymm4\n\tvpxor\t%ymm3,%ymm4,%ymm4\n\tvpalignr\t$4,%ymm12,%ymm12,%ymm12\n\tvpalignr\t$8,%ymm8,%ymm8,%ymm8\n\tvpalignr\t$12,%ymm4,%ymm4,%ymm4\n\tvpaddd\t%ymm5,%ymm1,%ymm1\n\tvpxor\t%ymm1,%ymm13,%ymm13\n\tvpshufb\t.Lrol16(%rip),%ymm13,%ymm13\n\tvpaddd\t%ymm13,%ymm9,%ymm9\n\tvpxor\t%ymm9,%ymm5,%ymm5\n\tvpsrld\t$20,%ymm5,%ymm3\n\tvpslld\t$12,%ymm5,%ymm5\n\tvpxor\t%ymm3,%ymm5,%ymm5\n\tvpaddd\t%ymm5,%ymm1,%ymm1\n\tvpxor\t%ymm1,%ymm13,%ymm13\n\tvpshufb\t.Lrol8(%rip),%ymm13,%ymm13\n\tvpaddd\t%ymm13,%ymm9,%ymm9\n\tvpxor\t%ymm9,%ymm5,%ymm5\n\tvpslld\t$7,%ymm5,%ymm3\n\tvpsrld\t$25,%ymm5,%ymm5\n\tvpxor\t%ymm3,%ymm5,%ymm5\n\tvpalignr\t$4,%ymm13,%ymm13,%ymm13\n\tvpalignr\t$8,%ymm9,%ymm9,%ymm9\n\tvpalignr\t$12,%ymm5,%ymm5,%ymm5\n\tvpaddd\t%ymm6,%ymm2,%ymm2\n\tvpxor\t%ymm2,%ymm14,%ymm14\n\tvpshufb\t.Lrol16(%rip),%ymm14,%ymm14\n\tvpaddd\t%ymm14,%ymm10,%ymm10\n\tvpxor\t%ymm10,%ymm6,%ymm6\n\tvpsrld\t$20,%ymm6,%ymm3\n\tvpslld\t$12,%ymm6,%ymm6\n\tvpxor\t%ymm3,%ymm6,%ymm6\n\tvpaddd\t%ymm6,%ymm2,%ymm2\n\tvpxor\t%ymm2,%ymm14,%ymm14\n\tvpshufb\t.Lrol8(%rip),%ymm14,%ymm14\n\tvpaddd\t%ymm14,%ymm10,%ymm10\n\tvpxor\t%ymm10,%ymm6,%ymm6\n\tvpslld\t$7,%ymm6,%ymm3\n\tvpsrld\t$25,%ymm6,%ymm6\n\tvpxor\t%ymm3,%ymm6,%ymm6\n\tvpalignr\t$4,%ymm14,%ymm14,%ymm14\n\tvpalignr\t$8,%ymm10,%ymm10,%ymm10\n\tvpalignr\t$12,%ymm6,%ymm6,%ymm6\n\n\tcmpq\t%rcx,%r8\n\tjb\t.Lopen_avx2_tail_256_rounds_and_x1hash\n\tcmpq\t$10,%r8\n\tjne\t.Lopen_avx2_tail_256_rounds\n\tmovq\t%rbx,%r8\n\tsubq\t%rsi,%rbx\n\tmovq\t%rbx,%rcx\n\tmovq\t0+128(%rbp),%rbx\n.Lopen_avx2_tail_256_hash:\n\taddq\t$16,%rcx\n\tcmpq\t%rbx,%rcx\n\tjg\t.Lopen_avx2_tail_256_done\n\taddq\t0+0(%r8),%r10\n\tadcq\t8+0(%r8),%r11\n\tadcq\t$1,%r12\n\tmovq\t0+0+0(%rbp),%rdx\n\tmovq\t%rdx,%r15\n\tmulxq\t%r10,%r13,%r14\n\tmulxq\t%r11,%rax,%rdx\n\timulq\t%r12,%r15\n\taddq\t%rax,%r14\n\tadcq\t%rdx,%r15\n\tmovq\t8+0+0(%rbp),%rdx\n\tmulxq\t%r10,%r10,%rax\n\taddq\t%r10,%r14\n\tmulxq\t%r11,%r11,%r9\n\tadcq\t%r11,%r15\n\tadcq\t$0,%r9\n\timulq\t%r12,%rdx\n\taddq\t%rax,%r15\n\tadcq\t%rdx,%r9\n\tmovq\t%r13,%r10\n\tmovq\t%r14,%r11\n\tmovq\t%r15,%r12\n\tandq\t$3,%r12\n\tmovq\t%r15,%r13\n\tandq\t$-4,%r13\n\tmovq\t%r9,%r14\n\tshrdq\t$2,%r9,%r15\n\tshrq\t$2,%r9\n\taddq\t%r13,%r15\n\tadcq\t%r14,%r9\n\taddq\t%r15,%r10\n\tadcq\t%r9,%r11\n\tadcq\t$0,%r12\n\n\tleaq\t16(%r8),%r8\n\tjmp\t.Lopen_avx2_tail_256_hash\n.Lopen_avx2_tail_256_done:\n\tvpaddd\t.Lchacha20_consts(%rip),%ymm1,%ymm1\n\tvpaddd\t0+64(%rbp),%ymm5,%ymm5\n\tvpaddd\t0+96(%rbp),%ymm9,%ymm9\n\tvpaddd\t0+192(%rbp),%ymm13,%ymm13\n\tvpaddd\t.Lchacha20_consts(%rip),%ymm0,%ymm0\n\tvpaddd\t0+64(%rbp),%ymm4,%ymm4\n\tvpaddd\t0+96(%rbp),%ymm8,%ymm8\n\tvpaddd\t0+160(%rbp),%ymm12,%ymm12\n\tvperm2i128\t$0x02,%ymm1,%ymm5,%ymm3\n\tvperm2i128\t$0x13,%ymm1,%ymm5,%ymm5\n\tvperm2i128\t$0x02,%ymm9,%ymm13,%ymm1\n\tvperm2i128\t$0x13,%ymm9,%ymm13,%ymm9\n\tvpxor\t0+0(%rsi),%ymm3,%ymm3\n\tvpxor\t32+0(%rsi),%ymm1,%ymm1\n\tvpxor\t64+0(%rsi),%ymm5,%ymm5\n\tvpxor\t96+0(%rsi),%ymm9,%ymm9\n\tvmovdqu\t%ymm3,0+0(%rdi)\n\tvmovdqu\t%ymm1,32+0(%rdi)\n\tvmovdqu\t%ymm5,64+0(%rdi)\n\tvmovdqu\t%ymm9,96+0(%rdi)\n\tvperm2i128\t$0x13,%ymm0,%ymm4,%ymm3\n\tvperm2i128\t$0x02,%ymm0,%ymm4,%ymm0\n\tvperm2i128\t$0x02,%ymm8,%ymm12,%ymm4\n\tvperm2i128\t$0x13,%ymm8,%ymm12,%ymm12\n\tvmovdqa\t%ymm3,%ymm8\n\n\tleaq\t128(%rsi),%rsi\n\tleaq\t128(%rdi),%rdi\n\tsubq\t$128,%rbx\n\tjmp\t.Lopen_avx2_tail_128_xor\n\n.Lopen_avx2_tail_384:\n\tvmovdqa\t.Lchacha20_consts(%rip),%ymm0\n\tvmovdqa\t0+64(%rbp),%ymm4\n\tvmovdqa\t0+96(%rbp),%ymm8\n\tvmovdqa\t%ymm0,%ymm1\n\tvmovdqa\t%ymm4,%ymm5\n\tvmovdqa\t%ymm8,%ymm9\n\tvmovdqa\t%ymm0,%ymm2\n\tvmovdqa\t%ymm4,%ymm6\n\tvmovdqa\t%ymm8,%ymm10\n\tvmovdqa\t.Lavx2_inc(%rip),%ymm12\n\tvpaddd\t0+160(%rbp),%ymm12,%ymm14\n\tvpaddd\t%ymm14,%ymm12,%ymm13\n\tvpaddd\t%ymm13,%ymm12,%ymm12\n\tvmovdqa\t%ymm12,0+160(%rbp)\n\tvmovdqa\t%ymm13,0+192(%rbp)\n\tvmovdqa\t%ymm14,0+224(%rbp)\n\n\tmovq\t%rbx,0+128(%rbp)\n\tmovq\t%rbx,%rcx\n\tsubq\t$256,%rcx\n\tshrq\t$4,%rcx\n\taddq\t$6,%rcx\n\tmovq\t$10,%r8\n\tcmpq\t$10,%rcx\n\tcmovgq\t%r8,%rcx\n\tmovq\t%rsi,%rbx\n\txorq\t%r8,%r8\n.Lopen_avx2_tail_384_rounds_and_x2hash:\n\taddq\t0+0(%rbx),%r10\n\tadcq\t8+0(%rbx),%r11\n\tadcq\t$1,%r12\n\tmovq\t0+0+0(%rbp),%rdx\n\tmovq\t%rdx,%r15\n\tmulxq\t%r10,%r13,%r14\n\tmulxq\t%r11,%rax,%rdx\n\timulq\t%r12,%r15\n\taddq\t%rax,%r14\n\tadcq\t%rdx,%r15\n\tmovq\t8+0+0(%rbp),%rdx\n\tmulxq\t%r10,%r10,%rax\n\taddq\t%r10,%r14\n\tmulxq\t%r11,%r11,%r9\n\tadcq\t%r11,%r15\n\tadcq\t$0,%r9\n\timulq\t%r12,%rdx\n\taddq\t%rax,%r15\n\tadcq\t%rdx,%r9\n\tmovq\t%r13,%r10\n\tmovq\t%r14,%r11\n\tmovq\t%r15,%r12\n\tandq\t$3,%r12\n\tmovq\t%r15,%r13\n\tandq\t$-4,%r13\n\tmovq\t%r9,%r14\n\tshrdq\t$2,%r9,%r15\n\tshrq\t$2,%r9\n\taddq\t%r13,%r15\n\tadcq\t%r14,%r9\n\taddq\t%r15,%r10\n\tadcq\t%r9,%r11\n\tadcq\t$0,%r12\n\n\tleaq\t16(%rbx),%rbx\n.Lopen_avx2_tail_384_rounds_and_x1hash:\n\tvpaddd\t%ymm6,%ymm2,%ymm2\n\tvpxor\t%ymm2,%ymm14,%ymm14\n\tvpshufb\t.Lrol16(%rip),%ymm14,%ymm14\n\tvpaddd\t%ymm14,%ymm10,%ymm10\n\tvpxor\t%ymm10,%ymm6,%ymm6\n\tvpsrld\t$20,%ymm6,%ymm3\n\tvpslld\t$12,%ymm6,%ymm6\n\tvpxor\t%ymm3,%ymm6,%ymm6\n\tvpaddd\t%ymm6,%ymm2,%ymm2\n\tvpxor\t%ymm2,%ymm14,%ymm14\n\tvpshufb\t.Lrol8(%rip),%ymm14,%ymm14\n\tvpaddd\t%ymm14,%ymm10,%ymm10\n\tvpxor\t%ymm10,%ymm6,%ymm6\n\tvpslld\t$7,%ymm6,%ymm3\n\tvpsrld\t$25,%ymm6,%ymm6\n\tvpxor\t%ymm3,%ymm6,%ymm6\n\tvpalignr\t$12,%ymm14,%ymm14,%ymm14\n\tvpalignr\t$8,%ymm10,%ymm10,%ymm10\n\tvpalignr\t$4,%ymm6,%ymm6,%ymm6\n\tvpaddd\t%ymm5,%ymm1,%ymm1\n\tvpxor\t%ymm1,%ymm13,%ymm13\n\tvpshufb\t.Lrol16(%rip),%ymm13,%ymm13\n\tvpaddd\t%ymm13,%ymm9,%ymm9\n\tvpxor\t%ymm9,%ymm5,%ymm5\n\tvpsrld\t$20,%ymm5,%ymm3\n\tvpslld\t$12,%ymm5,%ymm5\n\tvpxor\t%ymm3,%ymm5,%ymm5\n\tvpaddd\t%ymm5,%ymm1,%ymm1\n\tvpxor\t%ymm1,%ymm13,%ymm13\n\tvpshufb\t.Lrol8(%rip),%ymm13,%ymm13\n\tvpaddd\t%ymm13,%ymm9,%ymm9\n\tvpxor\t%ymm9,%ymm5,%ymm5\n\tvpslld\t$7,%ymm5,%ymm3\n\tvpsrld\t$25,%ymm5,%ymm5\n\tvpxor\t%ymm3,%ymm5,%ymm5\n\tvpalignr\t$12,%ymm13,%ymm13,%ymm13\n\tvpalignr\t$8,%ymm9,%ymm9,%ymm9\n\tvpalignr\t$4,%ymm5,%ymm5,%ymm5\n\tvpaddd\t%ymm4,%ymm0,%ymm0\n\tvpxor\t%ymm0,%ymm12,%ymm12\n\tvpshufb\t.Lrol16(%rip),%ymm12,%ymm12\n\tvpaddd\t%ymm12,%ymm8,%ymm8\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvpsrld\t$20,%ymm4,%ymm3\n\tvpslld\t$12,%ymm4,%ymm4\n\tvpxor\t%ymm3,%ymm4,%ymm4\n\tvpaddd\t%ymm4,%ymm0,%ymm0\n\tvpxor\t%ymm0,%ymm12,%ymm12\n\tvpshufb\t.Lrol8(%rip),%ymm12,%ymm12\n\tvpaddd\t%ymm12,%ymm8,%ymm8\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvpslld\t$7,%ymm4,%ymm3\n\tvpsrld\t$25,%ymm4,%ymm4\n\tvpxor\t%ymm3,%ymm4,%ymm4\n\tvpalignr\t$12,%ymm12,%ymm12,%ymm12\n\tvpalignr\t$8,%ymm8,%ymm8,%ymm8\n\tvpalignr\t$4,%ymm4,%ymm4,%ymm4\n\taddq\t0+0(%rbx),%r10\n\tadcq\t8+0(%rbx),%r11\n\tadcq\t$1,%r12\n\tmovq\t0+0+0(%rbp),%rax\n\tmovq\t%rax,%r15\n\tmulq\t%r10\n\tmovq\t%rax,%r13\n\tmovq\t%rdx,%r14\n\tmovq\t0+0+0(%rbp),%rax\n\tmulq\t%r11\n\timulq\t%r12,%r15\n\taddq\t%rax,%r14\n\tadcq\t%rdx,%r15\n\tmovq\t8+0+0(%rbp),%rax\n\tmovq\t%rax,%r9\n\tmulq\t%r10\n\taddq\t%rax,%r14\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r10\n\tmovq\t8+0+0(%rbp),%rax\n\tmulq\t%r11\n\taddq\t%rax,%r15\n\tadcq\t$0,%rdx\n\timulq\t%r12,%r9\n\taddq\t%r10,%r15\n\tadcq\t%rdx,%r9\n\tmovq\t%r13,%r10\n\tmovq\t%r14,%r11\n\tmovq\t%r15,%r12\n\tandq\t$3,%r12\n\tmovq\t%r15,%r13\n\tandq\t$-4,%r13\n\tmovq\t%r9,%r14\n\tshrdq\t$2,%r9,%r15\n\tshrq\t$2,%r9\n\taddq\t%r13,%r15\n\tadcq\t%r14,%r9\n\taddq\t%r15,%r10\n\tadcq\t%r9,%r11\n\tadcq\t$0,%r12\n\n\tleaq\t16(%rbx),%rbx\n\tincq\t%r8\n\tvpaddd\t%ymm6,%ymm2,%ymm2\n\tvpxor\t%ymm2,%ymm14,%ymm14\n\tvpshufb\t.Lrol16(%rip),%ymm14,%ymm14\n\tvpaddd\t%ymm14,%ymm10,%ymm10\n\tvpxor\t%ymm10,%ymm6,%ymm6\n\tvpsrld\t$20,%ymm6,%ymm3\n\tvpslld\t$12,%ymm6,%ymm6\n\tvpxor\t%ymm3,%ymm6,%ymm6\n\tvpaddd\t%ymm6,%ymm2,%ymm2\n\tvpxor\t%ymm2,%ymm14,%ymm14\n\tvpshufb\t.Lrol8(%rip),%ymm14,%ymm14\n\tvpaddd\t%ymm14,%ymm10,%ymm10\n\tvpxor\t%ymm10,%ymm6,%ymm6\n\tvpslld\t$7,%ymm6,%ymm3\n\tvpsrld\t$25,%ymm6,%ymm6\n\tvpxor\t%ymm3,%ymm6,%ymm6\n\tvpalignr\t$4,%ymm14,%ymm14,%ymm14\n\tvpalignr\t$8,%ymm10,%ymm10,%ymm10\n\tvpalignr\t$12,%ymm6,%ymm6,%ymm6\n\tvpaddd\t%ymm5,%ymm1,%ymm1\n\tvpxor\t%ymm1,%ymm13,%ymm13\n\tvpshufb\t.Lrol16(%rip),%ymm13,%ymm13\n\tvpaddd\t%ymm13,%ymm9,%ymm9\n\tvpxor\t%ymm9,%ymm5,%ymm5\n\tvpsrld\t$20,%ymm5,%ymm3\n\tvpslld\t$12,%ymm5,%ymm5\n\tvpxor\t%ymm3,%ymm5,%ymm5\n\tvpaddd\t%ymm5,%ymm1,%ymm1\n\tvpxor\t%ymm1,%ymm13,%ymm13\n\tvpshufb\t.Lrol8(%rip),%ymm13,%ymm13\n\tvpaddd\t%ymm13,%ymm9,%ymm9\n\tvpxor\t%ymm9,%ymm5,%ymm5\n\tvpslld\t$7,%ymm5,%ymm3\n\tvpsrld\t$25,%ymm5,%ymm5\n\tvpxor\t%ymm3,%ymm5,%ymm5\n\tvpalignr\t$4,%ymm13,%ymm13,%ymm13\n\tvpalignr\t$8,%ymm9,%ymm9,%ymm9\n\tvpalignr\t$12,%ymm5,%ymm5,%ymm5\n\tvpaddd\t%ymm4,%ymm0,%ymm0\n\tvpxor\t%ymm0,%ymm12,%ymm12\n\tvpshufb\t.Lrol16(%rip),%ymm12,%ymm12\n\tvpaddd\t%ymm12,%ymm8,%ymm8\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvpsrld\t$20,%ymm4,%ymm3\n\tvpslld\t$12,%ymm4,%ymm4\n\tvpxor\t%ymm3,%ymm4,%ymm4\n\tvpaddd\t%ymm4,%ymm0,%ymm0\n\tvpxor\t%ymm0,%ymm12,%ymm12\n\tvpshufb\t.Lrol8(%rip),%ymm12,%ymm12\n\tvpaddd\t%ymm12,%ymm8,%ymm8\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvpslld\t$7,%ymm4,%ymm3\n\tvpsrld\t$25,%ymm4,%ymm4\n\tvpxor\t%ymm3,%ymm4,%ymm4\n\tvpalignr\t$4,%ymm12,%ymm12,%ymm12\n\tvpalignr\t$8,%ymm8,%ymm8,%ymm8\n\tvpalignr\t$12,%ymm4,%ymm4,%ymm4\n\n\tcmpq\t%rcx,%r8\n\tjb\t.Lopen_avx2_tail_384_rounds_and_x2hash\n\tcmpq\t$10,%r8\n\tjne\t.Lopen_avx2_tail_384_rounds_and_x1hash\n\tmovq\t%rbx,%r8\n\tsubq\t%rsi,%rbx\n\tmovq\t%rbx,%rcx\n\tmovq\t0+128(%rbp),%rbx\n.Lopen_avx2_384_tail_hash:\n\taddq\t$16,%rcx\n\tcmpq\t%rbx,%rcx\n\tjg\t.Lopen_avx2_384_tail_done\n\taddq\t0+0(%r8),%r10\n\tadcq\t8+0(%r8),%r11\n\tadcq\t$1,%r12\n\tmovq\t0+0+0(%rbp),%rdx\n\tmovq\t%rdx,%r15\n\tmulxq\t%r10,%r13,%r14\n\tmulxq\t%r11,%rax,%rdx\n\timulq\t%r12,%r15\n\taddq\t%rax,%r14\n\tadcq\t%rdx,%r15\n\tmovq\t8+0+0(%rbp),%rdx\n\tmulxq\t%r10,%r10,%rax\n\taddq\t%r10,%r14\n\tmulxq\t%r11,%r11,%r9\n\tadcq\t%r11,%r15\n\tadcq\t$0,%r9\n\timulq\t%r12,%rdx\n\taddq\t%rax,%r15\n\tadcq\t%rdx,%r9\n\tmovq\t%r13,%r10\n\tmovq\t%r14,%r11\n\tmovq\t%r15,%r12\n\tandq\t$3,%r12\n\tmovq\t%r15,%r13\n\tandq\t$-4,%r13\n\tmovq\t%r9,%r14\n\tshrdq\t$2,%r9,%r15\n\tshrq\t$2,%r9\n\taddq\t%r13,%r15\n\tadcq\t%r14,%r9\n\taddq\t%r15,%r10\n\tadcq\t%r9,%r11\n\tadcq\t$0,%r12\n\n\tleaq\t16(%r8),%r8\n\tjmp\t.Lopen_avx2_384_tail_hash\n.Lopen_avx2_384_tail_done:\n\tvpaddd\t.Lchacha20_consts(%rip),%ymm2,%ymm2\n\tvpaddd\t0+64(%rbp),%ymm6,%ymm6\n\tvpaddd\t0+96(%rbp),%ymm10,%ymm10\n\tvpaddd\t0+224(%rbp),%ymm14,%ymm14\n\tvpaddd\t.Lchacha20_consts(%rip),%ymm1,%ymm1\n\tvpaddd\t0+64(%rbp),%ymm5,%ymm5\n\tvpaddd\t0+96(%rbp),%ymm9,%ymm9\n\tvpaddd\t0+192(%rbp),%ymm13,%ymm13\n\tvpaddd\t.Lchacha20_consts(%rip),%ymm0,%ymm0\n\tvpaddd\t0+64(%rbp),%ymm4,%ymm4\n\tvpaddd\t0+96(%rbp),%ymm8,%ymm8\n\tvpaddd\t0+160(%rbp),%ymm12,%ymm12\n\tvperm2i128\t$0x02,%ymm2,%ymm6,%ymm3\n\tvperm2i128\t$0x13,%ymm2,%ymm6,%ymm6\n\tvperm2i128\t$0x02,%ymm10,%ymm14,%ymm2\n\tvperm2i128\t$0x13,%ymm10,%ymm14,%ymm10\n\tvpxor\t0+0(%rsi),%ymm3,%ymm3\n\tvpxor\t32+0(%rsi),%ymm2,%ymm2\n\tvpxor\t64+0(%rsi),%ymm6,%ymm6\n\tvpxor\t96+0(%rsi),%ymm10,%ymm10\n\tvmovdqu\t%ymm3,0+0(%rdi)\n\tvmovdqu\t%ymm2,32+0(%rdi)\n\tvmovdqu\t%ymm6,64+0(%rdi)\n\tvmovdqu\t%ymm10,96+0(%rdi)\n\tvperm2i128\t$0x02,%ymm1,%ymm5,%ymm3\n\tvperm2i128\t$0x13,%ymm1,%ymm5,%ymm5\n\tvperm2i128\t$0x02,%ymm9,%ymm13,%ymm1\n\tvperm2i128\t$0x13,%ymm9,%ymm13,%ymm9\n\tvpxor\t0+128(%rsi),%ymm3,%ymm3\n\tvpxor\t32+128(%rsi),%ymm1,%ymm1\n\tvpxor\t64+128(%rsi),%ymm5,%ymm5\n\tvpxor\t96+128(%rsi),%ymm9,%ymm9\n\tvmovdqu\t%ymm3,0+128(%rdi)\n\tvmovdqu\t%ymm1,32+128(%rdi)\n\tvmovdqu\t%ymm5,64+128(%rdi)\n\tvmovdqu\t%ymm9,96+128(%rdi)\n\tvperm2i128\t$0x13,%ymm0,%ymm4,%ymm3\n\tvperm2i128\t$0x02,%ymm0,%ymm4,%ymm0\n\tvperm2i128\t$0x02,%ymm8,%ymm12,%ymm4\n\tvperm2i128\t$0x13,%ymm8,%ymm12,%ymm12\n\tvmovdqa\t%ymm3,%ymm8\n\n\tleaq\t256(%rsi),%rsi\n\tleaq\t256(%rdi),%rdi\n\tsubq\t$256,%rbx\n\tjmp\t.Lopen_avx2_tail_128_xor\n\n.Lopen_avx2_tail_512:\n\tvmovdqa\t.Lchacha20_consts(%rip),%ymm0\n\tvmovdqa\t0+64(%rbp),%ymm4\n\tvmovdqa\t0+96(%rbp),%ymm8\n\tvmovdqa\t%ymm0,%ymm1\n\tvmovdqa\t%ymm4,%ymm5\n\tvmovdqa\t%ymm8,%ymm9\n\tvmovdqa\t%ymm0,%ymm2\n\tvmovdqa\t%ymm4,%ymm6\n\tvmovdqa\t%ymm8,%ymm10\n\tvmovdqa\t%ymm0,%ymm3\n\tvmovdqa\t%ymm4,%ymm7\n\tvmovdqa\t%ymm8,%ymm11\n\tvmovdqa\t.Lavx2_inc(%rip),%ymm12\n\tvpaddd\t0+160(%rbp),%ymm12,%ymm15\n\tvpaddd\t%ymm15,%ymm12,%ymm14\n\tvpaddd\t%ymm14,%ymm12,%ymm13\n\tvpaddd\t%ymm13,%ymm12,%ymm12\n\tvmovdqa\t%ymm15,0+256(%rbp)\n\tvmovdqa\t%ymm14,0+224(%rbp)\n\tvmovdqa\t%ymm13,0+192(%rbp)\n\tvmovdqa\t%ymm12,0+160(%rbp)\n\n\txorq\t%rcx,%rcx\n\tmovq\t%rsi,%r8\n.Lopen_avx2_tail_512_rounds_and_x2hash:\n\taddq\t0+0(%r8),%r10\n\tadcq\t8+0(%r8),%r11\n\tadcq\t$1,%r12\n\tmovq\t0+0+0(%rbp),%rax\n\tmovq\t%rax,%r15\n\tmulq\t%r10\n\tmovq\t%rax,%r13\n\tmovq\t%rdx,%r14\n\tmovq\t0+0+0(%rbp),%rax\n\tmulq\t%r11\n\timulq\t%r12,%r15\n\taddq\t%rax,%r14\n\tadcq\t%rdx,%r15\n\tmovq\t8+0+0(%rbp),%rax\n\tmovq\t%rax,%r9\n\tmulq\t%r10\n\taddq\t%rax,%r14\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r10\n\tmovq\t8+0+0(%rbp),%rax\n\tmulq\t%r11\n\taddq\t%rax,%r15\n\tadcq\t$0,%rdx\n\timulq\t%r12,%r9\n\taddq\t%r10,%r15\n\tadcq\t%rdx,%r9\n\tmovq\t%r13,%r10\n\tmovq\t%r14,%r11\n\tmovq\t%r15,%r12\n\tandq\t$3,%r12\n\tmovq\t%r15,%r13\n\tandq\t$-4,%r13\n\tmovq\t%r9,%r14\n\tshrdq\t$2,%r9,%r15\n\tshrq\t$2,%r9\n\taddq\t%r13,%r15\n\tadcq\t%r14,%r9\n\taddq\t%r15,%r10\n\tadcq\t%r9,%r11\n\tadcq\t$0,%r12\n\n\tleaq\t16(%r8),%r8\n.Lopen_avx2_tail_512_rounds_and_x1hash:\n\tvmovdqa\t%ymm8,0+128(%rbp)\n\tvmovdqa\t.Lrol16(%rip),%ymm8\n\tvpaddd\t%ymm7,%ymm3,%ymm3\n\tvpaddd\t%ymm6,%ymm2,%ymm2\n\tvpaddd\t%ymm5,%ymm1,%ymm1\n\tvpaddd\t%ymm4,%ymm0,%ymm0\n\tvpxor\t%ymm3,%ymm15,%ymm15\n\tvpxor\t%ymm2,%ymm14,%ymm14\n\tvpxor\t%ymm1,%ymm13,%ymm13\n\tvpxor\t%ymm0,%ymm12,%ymm12\n\tvpshufb\t%ymm8,%ymm15,%ymm15\n\tvpshufb\t%ymm8,%ymm14,%ymm14\n\tvpshufb\t%ymm8,%ymm13,%ymm13\n\tvpshufb\t%ymm8,%ymm12,%ymm12\n\tvpaddd\t%ymm15,%ymm11,%ymm11\n\tvpaddd\t%ymm14,%ymm10,%ymm10\n\tvpaddd\t%ymm13,%ymm9,%ymm9\n\tvpaddd\t0+128(%rbp),%ymm12,%ymm8\n\tvpxor\t%ymm11,%ymm7,%ymm7\n\tvpxor\t%ymm10,%ymm6,%ymm6\n\tvpxor\t%ymm9,%ymm5,%ymm5\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvmovdqa\t%ymm8,0+128(%rbp)\n\tvpsrld\t$20,%ymm7,%ymm8\n\tvpslld\t$32-20,%ymm7,%ymm7\n\tvpxor\t%ymm8,%ymm7,%ymm7\n\tvpsrld\t$20,%ymm6,%ymm8\n\tvpslld\t$32-20,%ymm6,%ymm6\n\tvpxor\t%ymm8,%ymm6,%ymm6\n\tvpsrld\t$20,%ymm5,%ymm8\n\tvpslld\t$32-20,%ymm5,%ymm5\n\tvpxor\t%ymm8,%ymm5,%ymm5\n\tvpsrld\t$20,%ymm4,%ymm8\n\tvpslld\t$32-20,%ymm4,%ymm4\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvmovdqa\t.Lrol8(%rip),%ymm8\n\tvpaddd\t%ymm7,%ymm3,%ymm3\n\taddq\t0+0(%r8),%r10\n\tadcq\t8+0(%r8),%r11\n\tadcq\t$1,%r12\n\tmovq\t0+0+0(%rbp),%rdx\n\tmovq\t%rdx,%r15\n\tmulxq\t%r10,%r13,%r14\n\tmulxq\t%r11,%rax,%rdx\n\timulq\t%r12,%r15\n\taddq\t%rax,%r14\n\tadcq\t%rdx,%r15\n\tmovq\t8+0+0(%rbp),%rdx\n\tmulxq\t%r10,%r10,%rax\n\taddq\t%r10,%r14\n\tmulxq\t%r11,%r11,%r9\n\tadcq\t%r11,%r15\n\tadcq\t$0,%r9\n\timulq\t%r12,%rdx\n\taddq\t%rax,%r15\n\tadcq\t%rdx,%r9\n\tmovq\t%r13,%r10\n\tmovq\t%r14,%r11\n\tmovq\t%r15,%r12\n\tandq\t$3,%r12\n\tmovq\t%r15,%r13\n\tandq\t$-4,%r13\n\tmovq\t%r9,%r14\n\tshrdq\t$2,%r9,%r15\n\tshrq\t$2,%r9\n\taddq\t%r13,%r15\n\tadcq\t%r14,%r9\n\taddq\t%r15,%r10\n\tadcq\t%r9,%r11\n\tadcq\t$0,%r12\n\tvpaddd\t%ymm6,%ymm2,%ymm2\n\tvpaddd\t%ymm5,%ymm1,%ymm1\n\tvpaddd\t%ymm4,%ymm0,%ymm0\n\tvpxor\t%ymm3,%ymm15,%ymm15\n\tvpxor\t%ymm2,%ymm14,%ymm14\n\tvpxor\t%ymm1,%ymm13,%ymm13\n\tvpxor\t%ymm0,%ymm12,%ymm12\n\tvpshufb\t%ymm8,%ymm15,%ymm15\n\tvpshufb\t%ymm8,%ymm14,%ymm14\n\tvpshufb\t%ymm8,%ymm13,%ymm13\n\tvpshufb\t%ymm8,%ymm12,%ymm12\n\tvpaddd\t%ymm15,%ymm11,%ymm11\n\tvpaddd\t%ymm14,%ymm10,%ymm10\n\tvpaddd\t%ymm13,%ymm9,%ymm9\n\tvpaddd\t0+128(%rbp),%ymm12,%ymm8\n\tvpxor\t%ymm11,%ymm7,%ymm7\n\tvpxor\t%ymm10,%ymm6,%ymm6\n\tvpxor\t%ymm9,%ymm5,%ymm5\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvmovdqa\t%ymm8,0+128(%rbp)\n\tvpsrld\t$25,%ymm7,%ymm8\n\tvpslld\t$32-25,%ymm7,%ymm7\n\tvpxor\t%ymm8,%ymm7,%ymm7\n\tvpsrld\t$25,%ymm6,%ymm8\n\tvpslld\t$32-25,%ymm6,%ymm6\n\tvpxor\t%ymm8,%ymm6,%ymm6\n\tvpsrld\t$25,%ymm5,%ymm8\n\tvpslld\t$32-25,%ymm5,%ymm5\n\tvpxor\t%ymm8,%ymm5,%ymm5\n\tvpsrld\t$25,%ymm4,%ymm8\n\tvpslld\t$32-25,%ymm4,%ymm4\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvmovdqa\t0+128(%rbp),%ymm8\n\tvpalignr\t$4,%ymm7,%ymm7,%ymm7\n\tvpalignr\t$8,%ymm11,%ymm11,%ymm11\n\tvpalignr\t$12,%ymm15,%ymm15,%ymm15\n\tvpalignr\t$4,%ymm6,%ymm6,%ymm6\n\tvpalignr\t$8,%ymm10,%ymm10,%ymm10\n\tvpalignr\t$12,%ymm14,%ymm14,%ymm14\n\tvpalignr\t$4,%ymm5,%ymm5,%ymm5\n\tvpalignr\t$8,%ymm9,%ymm9,%ymm9\n\tvpalignr\t$12,%ymm13,%ymm13,%ymm13\n\tvpalignr\t$4,%ymm4,%ymm4,%ymm4\n\tvpalignr\t$8,%ymm8,%ymm8,%ymm8\n\tvpalignr\t$12,%ymm12,%ymm12,%ymm12\n\tvmovdqa\t%ymm8,0+128(%rbp)\n\tvmovdqa\t.Lrol16(%rip),%ymm8\n\tvpaddd\t%ymm7,%ymm3,%ymm3\n\taddq\t0+16(%r8),%r10\n\tadcq\t8+16(%r8),%r11\n\tadcq\t$1,%r12\n\tmovq\t0+0+0(%rbp),%rdx\n\tmovq\t%rdx,%r15\n\tmulxq\t%r10,%r13,%r14\n\tmulxq\t%r11,%rax,%rdx\n\timulq\t%r12,%r15\n\taddq\t%rax,%r14\n\tadcq\t%rdx,%r15\n\tmovq\t8+0+0(%rbp),%rdx\n\tmulxq\t%r10,%r10,%rax\n\taddq\t%r10,%r14\n\tmulxq\t%r11,%r11,%r9\n\tadcq\t%r11,%r15\n\tadcq\t$0,%r9\n\timulq\t%r12,%rdx\n\taddq\t%rax,%r15\n\tadcq\t%rdx,%r9\n\tmovq\t%r13,%r10\n\tmovq\t%r14,%r11\n\tmovq\t%r15,%r12\n\tandq\t$3,%r12\n\tmovq\t%r15,%r13\n\tandq\t$-4,%r13\n\tmovq\t%r9,%r14\n\tshrdq\t$2,%r9,%r15\n\tshrq\t$2,%r9\n\taddq\t%r13,%r15\n\tadcq\t%r14,%r9\n\taddq\t%r15,%r10\n\tadcq\t%r9,%r11\n\tadcq\t$0,%r12\n\n\tleaq\t32(%r8),%r8\n\tvpaddd\t%ymm6,%ymm2,%ymm2\n\tvpaddd\t%ymm5,%ymm1,%ymm1\n\tvpaddd\t%ymm4,%ymm0,%ymm0\n\tvpxor\t%ymm3,%ymm15,%ymm15\n\tvpxor\t%ymm2,%ymm14,%ymm14\n\tvpxor\t%ymm1,%ymm13,%ymm13\n\tvpxor\t%ymm0,%ymm12,%ymm12\n\tvpshufb\t%ymm8,%ymm15,%ymm15\n\tvpshufb\t%ymm8,%ymm14,%ymm14\n\tvpshufb\t%ymm8,%ymm13,%ymm13\n\tvpshufb\t%ymm8,%ymm12,%ymm12\n\tvpaddd\t%ymm15,%ymm11,%ymm11\n\tvpaddd\t%ymm14,%ymm10,%ymm10\n\tvpaddd\t%ymm13,%ymm9,%ymm9\n\tvpaddd\t0+128(%rbp),%ymm12,%ymm8\n\tvpxor\t%ymm11,%ymm7,%ymm7\n\tvpxor\t%ymm10,%ymm6,%ymm6\n\tvpxor\t%ymm9,%ymm5,%ymm5\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvmovdqa\t%ymm8,0+128(%rbp)\n\tvpsrld\t$20,%ymm7,%ymm8\n\tvpslld\t$32-20,%ymm7,%ymm7\n\tvpxor\t%ymm8,%ymm7,%ymm7\n\tvpsrld\t$20,%ymm6,%ymm8\n\tvpslld\t$32-20,%ymm6,%ymm6\n\tvpxor\t%ymm8,%ymm6,%ymm6\n\tvpsrld\t$20,%ymm5,%ymm8\n\tvpslld\t$32-20,%ymm5,%ymm5\n\tvpxor\t%ymm8,%ymm5,%ymm5\n\tvpsrld\t$20,%ymm4,%ymm8\n\tvpslld\t$32-20,%ymm4,%ymm4\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvmovdqa\t.Lrol8(%rip),%ymm8\n\tvpaddd\t%ymm7,%ymm3,%ymm3\n\tvpaddd\t%ymm6,%ymm2,%ymm2\n\tvpaddd\t%ymm5,%ymm1,%ymm1\n\tvpaddd\t%ymm4,%ymm0,%ymm0\n\tvpxor\t%ymm3,%ymm15,%ymm15\n\tvpxor\t%ymm2,%ymm14,%ymm14\n\tvpxor\t%ymm1,%ymm13,%ymm13\n\tvpxor\t%ymm0,%ymm12,%ymm12\n\tvpshufb\t%ymm8,%ymm15,%ymm15\n\tvpshufb\t%ymm8,%ymm14,%ymm14\n\tvpshufb\t%ymm8,%ymm13,%ymm13\n\tvpshufb\t%ymm8,%ymm12,%ymm12\n\tvpaddd\t%ymm15,%ymm11,%ymm11\n\tvpaddd\t%ymm14,%ymm10,%ymm10\n\tvpaddd\t%ymm13,%ymm9,%ymm9\n\tvpaddd\t0+128(%rbp),%ymm12,%ymm8\n\tvpxor\t%ymm11,%ymm7,%ymm7\n\tvpxor\t%ymm10,%ymm6,%ymm6\n\tvpxor\t%ymm9,%ymm5,%ymm5\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvmovdqa\t%ymm8,0+128(%rbp)\n\tvpsrld\t$25,%ymm7,%ymm8\n\tvpslld\t$32-25,%ymm7,%ymm7\n\tvpxor\t%ymm8,%ymm7,%ymm7\n\tvpsrld\t$25,%ymm6,%ymm8\n\tvpslld\t$32-25,%ymm6,%ymm6\n\tvpxor\t%ymm8,%ymm6,%ymm6\n\tvpsrld\t$25,%ymm5,%ymm8\n\tvpslld\t$32-25,%ymm5,%ymm5\n\tvpxor\t%ymm8,%ymm5,%ymm5\n\tvpsrld\t$25,%ymm4,%ymm8\n\tvpslld\t$32-25,%ymm4,%ymm4\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvmovdqa\t0+128(%rbp),%ymm8\n\tvpalignr\t$12,%ymm7,%ymm7,%ymm7\n\tvpalignr\t$8,%ymm11,%ymm11,%ymm11\n\tvpalignr\t$4,%ymm15,%ymm15,%ymm15\n\tvpalignr\t$12,%ymm6,%ymm6,%ymm6\n\tvpalignr\t$8,%ymm10,%ymm10,%ymm10\n\tvpalignr\t$4,%ymm14,%ymm14,%ymm14\n\tvpalignr\t$12,%ymm5,%ymm5,%ymm5\n\tvpalignr\t$8,%ymm9,%ymm9,%ymm9\n\tvpalignr\t$4,%ymm13,%ymm13,%ymm13\n\tvpalignr\t$12,%ymm4,%ymm4,%ymm4\n\tvpalignr\t$8,%ymm8,%ymm8,%ymm8\n\tvpalignr\t$4,%ymm12,%ymm12,%ymm12\n\n\tincq\t%rcx\n\tcmpq\t$4,%rcx\n\tjl\t.Lopen_avx2_tail_512_rounds_and_x2hash\n\tcmpq\t$10,%rcx\n\tjne\t.Lopen_avx2_tail_512_rounds_and_x1hash\n\tmovq\t%rbx,%rcx\n\tsubq\t$384,%rcx\n\tandq\t$-16,%rcx\n.Lopen_avx2_tail_512_hash:\n\ttestq\t%rcx,%rcx\n\tje\t.Lopen_avx2_tail_512_done\n\taddq\t0+0(%r8),%r10\n\tadcq\t8+0(%r8),%r11\n\tadcq\t$1,%r12\n\tmovq\t0+0+0(%rbp),%rdx\n\tmovq\t%rdx,%r15\n\tmulxq\t%r10,%r13,%r14\n\tmulxq\t%r11,%rax,%rdx\n\timulq\t%r12,%r15\n\taddq\t%rax,%r14\n\tadcq\t%rdx,%r15\n\tmovq\t8+0+0(%rbp),%rdx\n\tmulxq\t%r10,%r10,%rax\n\taddq\t%r10,%r14\n\tmulxq\t%r11,%r11,%r9\n\tadcq\t%r11,%r15\n\tadcq\t$0,%r9\n\timulq\t%r12,%rdx\n\taddq\t%rax,%r15\n\tadcq\t%rdx,%r9\n\tmovq\t%r13,%r10\n\tmovq\t%r14,%r11\n\tmovq\t%r15,%r12\n\tandq\t$3,%r12\n\tmovq\t%r15,%r13\n\tandq\t$-4,%r13\n\tmovq\t%r9,%r14\n\tshrdq\t$2,%r9,%r15\n\tshrq\t$2,%r9\n\taddq\t%r13,%r15\n\tadcq\t%r14,%r9\n\taddq\t%r15,%r10\n\tadcq\t%r9,%r11\n\tadcq\t$0,%r12\n\n\tleaq\t16(%r8),%r8\n\tsubq\t$16,%rcx\n\tjmp\t.Lopen_avx2_tail_512_hash\n.Lopen_avx2_tail_512_done:\n\tvpaddd\t.Lchacha20_consts(%rip),%ymm3,%ymm3\n\tvpaddd\t0+64(%rbp),%ymm7,%ymm7\n\tvpaddd\t0+96(%rbp),%ymm11,%ymm11\n\tvpaddd\t0+256(%rbp),%ymm15,%ymm15\n\tvpaddd\t.Lchacha20_consts(%rip),%ymm2,%ymm2\n\tvpaddd\t0+64(%rbp),%ymm6,%ymm6\n\tvpaddd\t0+96(%rbp),%ymm10,%ymm10\n\tvpaddd\t0+224(%rbp),%ymm14,%ymm14\n\tvpaddd\t.Lchacha20_consts(%rip),%ymm1,%ymm1\n\tvpaddd\t0+64(%rbp),%ymm5,%ymm5\n\tvpaddd\t0+96(%rbp),%ymm9,%ymm9\n\tvpaddd\t0+192(%rbp),%ymm13,%ymm13\n\tvpaddd\t.Lchacha20_consts(%rip),%ymm0,%ymm0\n\tvpaddd\t0+64(%rbp),%ymm4,%ymm4\n\tvpaddd\t0+96(%rbp),%ymm8,%ymm8\n\tvpaddd\t0+160(%rbp),%ymm12,%ymm12\n\n\tvmovdqa\t%ymm0,0+128(%rbp)\n\tvperm2i128\t$0x02,%ymm3,%ymm7,%ymm0\n\tvperm2i128\t$0x13,%ymm3,%ymm7,%ymm7\n\tvperm2i128\t$0x02,%ymm11,%ymm15,%ymm3\n\tvperm2i128\t$0x13,%ymm11,%ymm15,%ymm11\n\tvpxor\t0+0(%rsi),%ymm0,%ymm0\n\tvpxor\t32+0(%rsi),%ymm3,%ymm3\n\tvpxor\t64+0(%rsi),%ymm7,%ymm7\n\tvpxor\t96+0(%rsi),%ymm11,%ymm11\n\tvmovdqu\t%ymm0,0+0(%rdi)\n\tvmovdqu\t%ymm3,32+0(%rdi)\n\tvmovdqu\t%ymm7,64+0(%rdi)\n\tvmovdqu\t%ymm11,96+0(%rdi)\n\n\tvmovdqa\t0+128(%rbp),%ymm0\n\tvperm2i128\t$0x02,%ymm2,%ymm6,%ymm3\n\tvperm2i128\t$0x13,%ymm2,%ymm6,%ymm6\n\tvperm2i128\t$0x02,%ymm10,%ymm14,%ymm2\n\tvperm2i128\t$0x13,%ymm10,%ymm14,%ymm10\n\tvpxor\t0+128(%rsi),%ymm3,%ymm3\n\tvpxor\t32+128(%rsi),%ymm2,%ymm2\n\tvpxor\t64+128(%rsi),%ymm6,%ymm6\n\tvpxor\t96+128(%rsi),%ymm10,%ymm10\n\tvmovdqu\t%ymm3,0+128(%rdi)\n\tvmovdqu\t%ymm2,32+128(%rdi)\n\tvmovdqu\t%ymm6,64+128(%rdi)\n\tvmovdqu\t%ymm10,96+128(%rdi)\n\tvperm2i128\t$0x02,%ymm1,%ymm5,%ymm3\n\tvperm2i128\t$0x13,%ymm1,%ymm5,%ymm5\n\tvperm2i128\t$0x02,%ymm9,%ymm13,%ymm1\n\tvperm2i128\t$0x13,%ymm9,%ymm13,%ymm9\n\tvpxor\t0+256(%rsi),%ymm3,%ymm3\n\tvpxor\t32+256(%rsi),%ymm1,%ymm1\n\tvpxor\t64+256(%rsi),%ymm5,%ymm5\n\tvpxor\t96+256(%rsi),%ymm9,%ymm9\n\tvmovdqu\t%ymm3,0+256(%rdi)\n\tvmovdqu\t%ymm1,32+256(%rdi)\n\tvmovdqu\t%ymm5,64+256(%rdi)\n\tvmovdqu\t%ymm9,96+256(%rdi)\n\tvperm2i128\t$0x13,%ymm0,%ymm4,%ymm3\n\tvperm2i128\t$0x02,%ymm0,%ymm4,%ymm0\n\tvperm2i128\t$0x02,%ymm8,%ymm12,%ymm4\n\tvperm2i128\t$0x13,%ymm8,%ymm12,%ymm12\n\tvmovdqa\t%ymm3,%ymm8\n\n\tleaq\t384(%rsi),%rsi\n\tleaq\t384(%rdi),%rdi\n\tsubq\t$384,%rbx\n.Lopen_avx2_tail_128_xor:\n\tcmpq\t$32,%rbx\n\tjb\t.Lopen_avx2_tail_32_xor\n\tsubq\t$32,%rbx\n\tvpxor\t(%rsi),%ymm0,%ymm0\n\tvmovdqu\t%ymm0,(%rdi)\n\tleaq\t32(%rsi),%rsi\n\tleaq\t32(%rdi),%rdi\n\tvmovdqa\t%ymm4,%ymm0\n\tvmovdqa\t%ymm8,%ymm4\n\tvmovdqa\t%ymm12,%ymm8\n\tjmp\t.Lopen_avx2_tail_128_xor\n.Lopen_avx2_tail_32_xor:\n\tcmpq\t$16,%rbx\n\tvmovdqa\t%xmm0,%xmm1\n\tjb\t.Lopen_avx2_exit\n\tsubq\t$16,%rbx\n\n\tvpxor\t(%rsi),%xmm0,%xmm1\n\tvmovdqu\t%xmm1,(%rdi)\n\tleaq\t16(%rsi),%rsi\n\tleaq\t16(%rdi),%rdi\n\tvperm2i128\t$0x11,%ymm0,%ymm0,%ymm0\n\tvmovdqa\t%xmm0,%xmm1\n.Lopen_avx2_exit:\n\tvzeroupper\n\tjmp\t.Lopen_sse_tail_16\n\n.Lopen_avx2_192:\n\tvmovdqa\t%ymm0,%ymm1\n\tvmovdqa\t%ymm0,%ymm2\n\tvmovdqa\t%ymm4,%ymm5\n\tvmovdqa\t%ymm4,%ymm6\n\tvmovdqa\t%ymm8,%ymm9\n\tvmovdqa\t%ymm8,%ymm10\n\tvpaddd\t.Lavx2_inc(%rip),%ymm12,%ymm13\n\tvmovdqa\t%ymm12,%ymm11\n\tvmovdqa\t%ymm13,%ymm15\n\tmovq\t$10,%r10\n.Lopen_avx2_192_rounds:\n\tvpaddd\t%ymm4,%ymm0,%ymm0\n\tvpxor\t%ymm0,%ymm12,%ymm12\n\tvpshufb\t.Lrol16(%rip),%ymm12,%ymm12\n\tvpaddd\t%ymm12,%ymm8,%ymm8\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvpsrld\t$20,%ymm4,%ymm3\n\tvpslld\t$12,%ymm4,%ymm4\n\tvpxor\t%ymm3,%ymm4,%ymm4\n\tvpaddd\t%ymm4,%ymm0,%ymm0\n\tvpxor\t%ymm0,%ymm12,%ymm12\n\tvpshufb\t.Lrol8(%rip),%ymm12,%ymm12\n\tvpaddd\t%ymm12,%ymm8,%ymm8\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvpslld\t$7,%ymm4,%ymm3\n\tvpsrld\t$25,%ymm4,%ymm4\n\tvpxor\t%ymm3,%ymm4,%ymm4\n\tvpalignr\t$12,%ymm12,%ymm12,%ymm12\n\tvpalignr\t$8,%ymm8,%ymm8,%ymm8\n\tvpalignr\t$4,%ymm4,%ymm4,%ymm4\n\tvpaddd\t%ymm5,%ymm1,%ymm1\n\tvpxor\t%ymm1,%ymm13,%ymm13\n\tvpshufb\t.Lrol16(%rip),%ymm13,%ymm13\n\tvpaddd\t%ymm13,%ymm9,%ymm9\n\tvpxor\t%ymm9,%ymm5,%ymm5\n\tvpsrld\t$20,%ymm5,%ymm3\n\tvpslld\t$12,%ymm5,%ymm5\n\tvpxor\t%ymm3,%ymm5,%ymm5\n\tvpaddd\t%ymm5,%ymm1,%ymm1\n\tvpxor\t%ymm1,%ymm13,%ymm13\n\tvpshufb\t.Lrol8(%rip),%ymm13,%ymm13\n\tvpaddd\t%ymm13,%ymm9,%ymm9\n\tvpxor\t%ymm9,%ymm5,%ymm5\n\tvpslld\t$7,%ymm5,%ymm3\n\tvpsrld\t$25,%ymm5,%ymm5\n\tvpxor\t%ymm3,%ymm5,%ymm5\n\tvpalignr\t$12,%ymm13,%ymm13,%ymm13\n\tvpalignr\t$8,%ymm9,%ymm9,%ymm9\n\tvpalignr\t$4,%ymm5,%ymm5,%ymm5\n\tvpaddd\t%ymm4,%ymm0,%ymm0\n\tvpxor\t%ymm0,%ymm12,%ymm12\n\tvpshufb\t.Lrol16(%rip),%ymm12,%ymm12\n\tvpaddd\t%ymm12,%ymm8,%ymm8\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvpsrld\t$20,%ymm4,%ymm3\n\tvpslld\t$12,%ymm4,%ymm4\n\tvpxor\t%ymm3,%ymm4,%ymm4\n\tvpaddd\t%ymm4,%ymm0,%ymm0\n\tvpxor\t%ymm0,%ymm12,%ymm12\n\tvpshufb\t.Lrol8(%rip),%ymm12,%ymm12\n\tvpaddd\t%ymm12,%ymm8,%ymm8\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvpslld\t$7,%ymm4,%ymm3\n\tvpsrld\t$25,%ymm4,%ymm4\n\tvpxor\t%ymm3,%ymm4,%ymm4\n\tvpalignr\t$4,%ymm12,%ymm12,%ymm12\n\tvpalignr\t$8,%ymm8,%ymm8,%ymm8\n\tvpalignr\t$12,%ymm4,%ymm4,%ymm4\n\tvpaddd\t%ymm5,%ymm1,%ymm1\n\tvpxor\t%ymm1,%ymm13,%ymm13\n\tvpshufb\t.Lrol16(%rip),%ymm13,%ymm13\n\tvpaddd\t%ymm13,%ymm9,%ymm9\n\tvpxor\t%ymm9,%ymm5,%ymm5\n\tvpsrld\t$20,%ymm5,%ymm3\n\tvpslld\t$12,%ymm5,%ymm5\n\tvpxor\t%ymm3,%ymm5,%ymm5\n\tvpaddd\t%ymm5,%ymm1,%ymm1\n\tvpxor\t%ymm1,%ymm13,%ymm13\n\tvpshufb\t.Lrol8(%rip),%ymm13,%ymm13\n\tvpaddd\t%ymm13,%ymm9,%ymm9\n\tvpxor\t%ymm9,%ymm5,%ymm5\n\tvpslld\t$7,%ymm5,%ymm3\n\tvpsrld\t$25,%ymm5,%ymm5\n\tvpxor\t%ymm3,%ymm5,%ymm5\n\tvpalignr\t$4,%ymm13,%ymm13,%ymm13\n\tvpalignr\t$8,%ymm9,%ymm9,%ymm9\n\tvpalignr\t$12,%ymm5,%ymm5,%ymm5\n\n\tdecq\t%r10\n\tjne\t.Lopen_avx2_192_rounds\n\tvpaddd\t%ymm2,%ymm0,%ymm0\n\tvpaddd\t%ymm2,%ymm1,%ymm1\n\tvpaddd\t%ymm6,%ymm4,%ymm4\n\tvpaddd\t%ymm6,%ymm5,%ymm5\n\tvpaddd\t%ymm10,%ymm8,%ymm8\n\tvpaddd\t%ymm10,%ymm9,%ymm9\n\tvpaddd\t%ymm11,%ymm12,%ymm12\n\tvpaddd\t%ymm15,%ymm13,%ymm13\n\tvperm2i128\t$0x02,%ymm0,%ymm4,%ymm3\n\n\tvpand\t.Lclamp(%rip),%ymm3,%ymm3\n\tvmovdqa\t%ymm3,0+0(%rbp)\n\n\tvperm2i128\t$0x13,%ymm0,%ymm4,%ymm0\n\tvperm2i128\t$0x13,%ymm8,%ymm12,%ymm4\n\tvperm2i128\t$0x02,%ymm1,%ymm5,%ymm8\n\tvperm2i128\t$0x02,%ymm9,%ymm13,%ymm12\n\tvperm2i128\t$0x13,%ymm1,%ymm5,%ymm1\n\tvperm2i128\t$0x13,%ymm9,%ymm13,%ymm5\n.Lopen_avx2_short:\n\tmovq\t%r8,%r8\n\tcall\tpoly_hash_ad_internal\n.Lopen_avx2_short_hash_and_xor_loop:\n\tcmpq\t$32,%rbx\n\tjb\t.Lopen_avx2_short_tail_32\n\tsubq\t$32,%rbx\n\taddq\t0+0(%rsi),%r10\n\tadcq\t8+0(%rsi),%r11\n\tadcq\t$1,%r12\n\tmovq\t0+0+0(%rbp),%rax\n\tmovq\t%rax,%r15\n\tmulq\t%r10\n\tmovq\t%rax,%r13\n\tmovq\t%rdx,%r14\n\tmovq\t0+0+0(%rbp),%rax\n\tmulq\t%r11\n\timulq\t%r12,%r15\n\taddq\t%rax,%r14\n\tadcq\t%rdx,%r15\n\tmovq\t8+0+0(%rbp),%rax\n\tmovq\t%rax,%r9\n\tmulq\t%r10\n\taddq\t%rax,%r14\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r10\n\tmovq\t8+0+0(%rbp),%rax\n\tmulq\t%r11\n\taddq\t%rax,%r15\n\tadcq\t$0,%rdx\n\timulq\t%r12,%r9\n\taddq\t%r10,%r15\n\tadcq\t%rdx,%r9\n\tmovq\t%r13,%r10\n\tmovq\t%r14,%r11\n\tmovq\t%r15,%r12\n\tandq\t$3,%r12\n\tmovq\t%r15,%r13\n\tandq\t$-4,%r13\n\tmovq\t%r9,%r14\n\tshrdq\t$2,%r9,%r15\n\tshrq\t$2,%r9\n\taddq\t%r13,%r15\n\tadcq\t%r14,%r9\n\taddq\t%r15,%r10\n\tadcq\t%r9,%r11\n\tadcq\t$0,%r12\n\taddq\t0+16(%rsi),%r10\n\tadcq\t8+16(%rsi),%r11\n\tadcq\t$1,%r12\n\tmovq\t0+0+0(%rbp),%rax\n\tmovq\t%rax,%r15\n\tmulq\t%r10\n\tmovq\t%rax,%r13\n\tmovq\t%rdx,%r14\n\tmovq\t0+0+0(%rbp),%rax\n\tmulq\t%r11\n\timulq\t%r12,%r15\n\taddq\t%rax,%r14\n\tadcq\t%rdx,%r15\n\tmovq\t8+0+0(%rbp),%rax\n\tmovq\t%rax,%r9\n\tmulq\t%r10\n\taddq\t%rax,%r14\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r10\n\tmovq\t8+0+0(%rbp),%rax\n\tmulq\t%r11\n\taddq\t%rax,%r15\n\tadcq\t$0,%rdx\n\timulq\t%r12,%r9\n\taddq\t%r10,%r15\n\tadcq\t%rdx,%r9\n\tmovq\t%r13,%r10\n\tmovq\t%r14,%r11\n\tmovq\t%r15,%r12\n\tandq\t$3,%r12\n\tmovq\t%r15,%r13\n\tandq\t$-4,%r13\n\tmovq\t%r9,%r14\n\tshrdq\t$2,%r9,%r15\n\tshrq\t$2,%r9\n\taddq\t%r13,%r15\n\tadcq\t%r14,%r9\n\taddq\t%r15,%r10\n\tadcq\t%r9,%r11\n\tadcq\t$0,%r12\n\n\n\tvpxor\t(%rsi),%ymm0,%ymm0\n\tvmovdqu\t%ymm0,(%rdi)\n\tleaq\t32(%rsi),%rsi\n\tleaq\t32(%rdi),%rdi\n\n\tvmovdqa\t%ymm4,%ymm0\n\tvmovdqa\t%ymm8,%ymm4\n\tvmovdqa\t%ymm12,%ymm8\n\tvmovdqa\t%ymm1,%ymm12\n\tvmovdqa\t%ymm5,%ymm1\n\tvmovdqa\t%ymm9,%ymm5\n\tvmovdqa\t%ymm13,%ymm9\n\tvmovdqa\t%ymm2,%ymm13\n\tvmovdqa\t%ymm6,%ymm2\n\tjmp\t.Lopen_avx2_short_hash_and_xor_loop\n.Lopen_avx2_short_tail_32:\n\tcmpq\t$16,%rbx\n\tvmovdqa\t%xmm0,%xmm1\n\tjb\t.Lopen_avx2_short_tail_32_exit\n\tsubq\t$16,%rbx\n\taddq\t0+0(%rsi),%r10\n\tadcq\t8+0(%rsi),%r11\n\tadcq\t$1,%r12\n\tmovq\t0+0+0(%rbp),%rax\n\tmovq\t%rax,%r15\n\tmulq\t%r10\n\tmovq\t%rax,%r13\n\tmovq\t%rdx,%r14\n\tmovq\t0+0+0(%rbp),%rax\n\tmulq\t%r11\n\timulq\t%r12,%r15\n\taddq\t%rax,%r14\n\tadcq\t%rdx,%r15\n\tmovq\t8+0+0(%rbp),%rax\n\tmovq\t%rax,%r9\n\tmulq\t%r10\n\taddq\t%rax,%r14\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r10\n\tmovq\t8+0+0(%rbp),%rax\n\tmulq\t%r11\n\taddq\t%rax,%r15\n\tadcq\t$0,%rdx\n\timulq\t%r12,%r9\n\taddq\t%r10,%r15\n\tadcq\t%rdx,%r9\n\tmovq\t%r13,%r10\n\tmovq\t%r14,%r11\n\tmovq\t%r15,%r12\n\tandq\t$3,%r12\n\tmovq\t%r15,%r13\n\tandq\t$-4,%r13\n\tmovq\t%r9,%r14\n\tshrdq\t$2,%r9,%r15\n\tshrq\t$2,%r9\n\taddq\t%r13,%r15\n\tadcq\t%r14,%r9\n\taddq\t%r15,%r10\n\tadcq\t%r9,%r11\n\tadcq\t$0,%r12\n\n\tvpxor\t(%rsi),%xmm0,%xmm3\n\tvmovdqu\t%xmm3,(%rdi)\n\tleaq\t16(%rsi),%rsi\n\tleaq\t16(%rdi),%rdi\n\tvextracti128\t$1,%ymm0,%xmm1\n.Lopen_avx2_short_tail_32_exit:\n\tvzeroupper\n\tjmp\t.Lopen_sse_tail_16\n\n.Lopen_avx2_320:\n\tvmovdqa\t%ymm0,%ymm1\n\tvmovdqa\t%ymm0,%ymm2\n\tvmovdqa\t%ymm4,%ymm5\n\tvmovdqa\t%ymm4,%ymm6\n\tvmovdqa\t%ymm8,%ymm9\n\tvmovdqa\t%ymm8,%ymm10\n\tvpaddd\t.Lavx2_inc(%rip),%ymm12,%ymm13\n\tvpaddd\t.Lavx2_inc(%rip),%ymm13,%ymm14\n\tvmovdqa\t%ymm4,%ymm7\n\tvmovdqa\t%ymm8,%ymm11\n\tvmovdqa\t%ymm12,0+160(%rbp)\n\tvmovdqa\t%ymm13,0+192(%rbp)\n\tvmovdqa\t%ymm14,0+224(%rbp)\n\tmovq\t$10,%r10\n.Lopen_avx2_320_rounds:\n\tvpaddd\t%ymm4,%ymm0,%ymm0\n\tvpxor\t%ymm0,%ymm12,%ymm12\n\tvpshufb\t.Lrol16(%rip),%ymm12,%ymm12\n\tvpaddd\t%ymm12,%ymm8,%ymm8\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvpsrld\t$20,%ymm4,%ymm3\n\tvpslld\t$12,%ymm4,%ymm4\n\tvpxor\t%ymm3,%ymm4,%ymm4\n\tvpaddd\t%ymm4,%ymm0,%ymm0\n\tvpxor\t%ymm0,%ymm12,%ymm12\n\tvpshufb\t.Lrol8(%rip),%ymm12,%ymm12\n\tvpaddd\t%ymm12,%ymm8,%ymm8\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvpslld\t$7,%ymm4,%ymm3\n\tvpsrld\t$25,%ymm4,%ymm4\n\tvpxor\t%ymm3,%ymm4,%ymm4\n\tvpalignr\t$12,%ymm12,%ymm12,%ymm12\n\tvpalignr\t$8,%ymm8,%ymm8,%ymm8\n\tvpalignr\t$4,%ymm4,%ymm4,%ymm4\n\tvpaddd\t%ymm5,%ymm1,%ymm1\n\tvpxor\t%ymm1,%ymm13,%ymm13\n\tvpshufb\t.Lrol16(%rip),%ymm13,%ymm13\n\tvpaddd\t%ymm13,%ymm9,%ymm9\n\tvpxor\t%ymm9,%ymm5,%ymm5\n\tvpsrld\t$20,%ymm5,%ymm3\n\tvpslld\t$12,%ymm5,%ymm5\n\tvpxor\t%ymm3,%ymm5,%ymm5\n\tvpaddd\t%ymm5,%ymm1,%ymm1\n\tvpxor\t%ymm1,%ymm13,%ymm13\n\tvpshufb\t.Lrol8(%rip),%ymm13,%ymm13\n\tvpaddd\t%ymm13,%ymm9,%ymm9\n\tvpxor\t%ymm9,%ymm5,%ymm5\n\tvpslld\t$7,%ymm5,%ymm3\n\tvpsrld\t$25,%ymm5,%ymm5\n\tvpxor\t%ymm3,%ymm5,%ymm5\n\tvpalignr\t$12,%ymm13,%ymm13,%ymm13\n\tvpalignr\t$8,%ymm9,%ymm9,%ymm9\n\tvpalignr\t$4,%ymm5,%ymm5,%ymm5\n\tvpaddd\t%ymm6,%ymm2,%ymm2\n\tvpxor\t%ymm2,%ymm14,%ymm14\n\tvpshufb\t.Lrol16(%rip),%ymm14,%ymm14\n\tvpaddd\t%ymm14,%ymm10,%ymm10\n\tvpxor\t%ymm10,%ymm6,%ymm6\n\tvpsrld\t$20,%ymm6,%ymm3\n\tvpslld\t$12,%ymm6,%ymm6\n\tvpxor\t%ymm3,%ymm6,%ymm6\n\tvpaddd\t%ymm6,%ymm2,%ymm2\n\tvpxor\t%ymm2,%ymm14,%ymm14\n\tvpshufb\t.Lrol8(%rip),%ymm14,%ymm14\n\tvpaddd\t%ymm14,%ymm10,%ymm10\n\tvpxor\t%ymm10,%ymm6,%ymm6\n\tvpslld\t$7,%ymm6,%ymm3\n\tvpsrld\t$25,%ymm6,%ymm6\n\tvpxor\t%ymm3,%ymm6,%ymm6\n\tvpalignr\t$12,%ymm14,%ymm14,%ymm14\n\tvpalignr\t$8,%ymm10,%ymm10,%ymm10\n\tvpalignr\t$4,%ymm6,%ymm6,%ymm6\n\tvpaddd\t%ymm4,%ymm0,%ymm0\n\tvpxor\t%ymm0,%ymm12,%ymm12\n\tvpshufb\t.Lrol16(%rip),%ymm12,%ymm12\n\tvpaddd\t%ymm12,%ymm8,%ymm8\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvpsrld\t$20,%ymm4,%ymm3\n\tvpslld\t$12,%ymm4,%ymm4\n\tvpxor\t%ymm3,%ymm4,%ymm4\n\tvpaddd\t%ymm4,%ymm0,%ymm0\n\tvpxor\t%ymm0,%ymm12,%ymm12\n\tvpshufb\t.Lrol8(%rip),%ymm12,%ymm12\n\tvpaddd\t%ymm12,%ymm8,%ymm8\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvpslld\t$7,%ymm4,%ymm3\n\tvpsrld\t$25,%ymm4,%ymm4\n\tvpxor\t%ymm3,%ymm4,%ymm4\n\tvpalignr\t$4,%ymm12,%ymm12,%ymm12\n\tvpalignr\t$8,%ymm8,%ymm8,%ymm8\n\tvpalignr\t$12,%ymm4,%ymm4,%ymm4\n\tvpaddd\t%ymm5,%ymm1,%ymm1\n\tvpxor\t%ymm1,%ymm13,%ymm13\n\tvpshufb\t.Lrol16(%rip),%ymm13,%ymm13\n\tvpaddd\t%ymm13,%ymm9,%ymm9\n\tvpxor\t%ymm9,%ymm5,%ymm5\n\tvpsrld\t$20,%ymm5,%ymm3\n\tvpslld\t$12,%ymm5,%ymm5\n\tvpxor\t%ymm3,%ymm5,%ymm5\n\tvpaddd\t%ymm5,%ymm1,%ymm1\n\tvpxor\t%ymm1,%ymm13,%ymm13\n\tvpshufb\t.Lrol8(%rip),%ymm13,%ymm13\n\tvpaddd\t%ymm13,%ymm9,%ymm9\n\tvpxor\t%ymm9,%ymm5,%ymm5\n\tvpslld\t$7,%ymm5,%ymm3\n\tvpsrld\t$25,%ymm5,%ymm5\n\tvpxor\t%ymm3,%ymm5,%ymm5\n\tvpalignr\t$4,%ymm13,%ymm13,%ymm13\n\tvpalignr\t$8,%ymm9,%ymm9,%ymm9\n\tvpalignr\t$12,%ymm5,%ymm5,%ymm5\n\tvpaddd\t%ymm6,%ymm2,%ymm2\n\tvpxor\t%ymm2,%ymm14,%ymm14\n\tvpshufb\t.Lrol16(%rip),%ymm14,%ymm14\n\tvpaddd\t%ymm14,%ymm10,%ymm10\n\tvpxor\t%ymm10,%ymm6,%ymm6\n\tvpsrld\t$20,%ymm6,%ymm3\n\tvpslld\t$12,%ymm6,%ymm6\n\tvpxor\t%ymm3,%ymm6,%ymm6\n\tvpaddd\t%ymm6,%ymm2,%ymm2\n\tvpxor\t%ymm2,%ymm14,%ymm14\n\tvpshufb\t.Lrol8(%rip),%ymm14,%ymm14\n\tvpaddd\t%ymm14,%ymm10,%ymm10\n\tvpxor\t%ymm10,%ymm6,%ymm6\n\tvpslld\t$7,%ymm6,%ymm3\n\tvpsrld\t$25,%ymm6,%ymm6\n\tvpxor\t%ymm3,%ymm6,%ymm6\n\tvpalignr\t$4,%ymm14,%ymm14,%ymm14\n\tvpalignr\t$8,%ymm10,%ymm10,%ymm10\n\tvpalignr\t$12,%ymm6,%ymm6,%ymm6\n\n\tdecq\t%r10\n\tjne\t.Lopen_avx2_320_rounds\n\tvpaddd\t.Lchacha20_consts(%rip),%ymm0,%ymm0\n\tvpaddd\t.Lchacha20_consts(%rip),%ymm1,%ymm1\n\tvpaddd\t.Lchacha20_consts(%rip),%ymm2,%ymm2\n\tvpaddd\t%ymm7,%ymm4,%ymm4\n\tvpaddd\t%ymm7,%ymm5,%ymm5\n\tvpaddd\t%ymm7,%ymm6,%ymm6\n\tvpaddd\t%ymm11,%ymm8,%ymm8\n\tvpaddd\t%ymm11,%ymm9,%ymm9\n\tvpaddd\t%ymm11,%ymm10,%ymm10\n\tvpaddd\t0+160(%rbp),%ymm12,%ymm12\n\tvpaddd\t0+192(%rbp),%ymm13,%ymm13\n\tvpaddd\t0+224(%rbp),%ymm14,%ymm14\n\tvperm2i128\t$0x02,%ymm0,%ymm4,%ymm3\n\n\tvpand\t.Lclamp(%rip),%ymm3,%ymm3\n\tvmovdqa\t%ymm3,0+0(%rbp)\n\n\tvperm2i128\t$0x13,%ymm0,%ymm4,%ymm0\n\tvperm2i128\t$0x13,%ymm8,%ymm12,%ymm4\n\tvperm2i128\t$0x02,%ymm1,%ymm5,%ymm8\n\tvperm2i128\t$0x02,%ymm9,%ymm13,%ymm12\n\tvperm2i128\t$0x13,%ymm1,%ymm5,%ymm1\n\tvperm2i128\t$0x13,%ymm9,%ymm13,%ymm5\n\tvperm2i128\t$0x02,%ymm2,%ymm6,%ymm9\n\tvperm2i128\t$0x02,%ymm10,%ymm14,%ymm13\n\tvperm2i128\t$0x13,%ymm2,%ymm6,%ymm2\n\tvperm2i128\t$0x13,%ymm10,%ymm14,%ymm6\n\tjmp\t.Lopen_avx2_short\n.size\tchacha20_poly1305_open_avx2, .-chacha20_poly1305_open_avx2\n.cfi_endproc\t\n\n\n.globl\tchacha20_poly1305_seal_avx2\n.hidden chacha20_poly1305_seal_avx2\n.type\tchacha20_poly1305_seal_avx2,@function\n.align\t64\nchacha20_poly1305_seal_avx2:\n.cfi_startproc\t\n_CET_ENDBR\n\tpushq\t%rbp\n.cfi_adjust_cfa_offset\t8\n.cfi_offset\t%rbp,-16\n\tpushq\t%rbx\n.cfi_adjust_cfa_offset\t8\n.cfi_offset\t%rbx,-24\n\tpushq\t%r12\n.cfi_adjust_cfa_offset\t8\n.cfi_offset\t%r12,-32\n\tpushq\t%r13\n.cfi_adjust_cfa_offset\t8\n.cfi_offset\t%r13,-40\n\tpushq\t%r14\n.cfi_adjust_cfa_offset\t8\n.cfi_offset\t%r14,-48\n\tpushq\t%r15\n.cfi_adjust_cfa_offset\t8\n.cfi_offset\t%r15,-56\n\n\n\tpushq\t%r9\n.cfi_adjust_cfa_offset\t8\n.cfi_offset\t%r9,-64\n\tsubq\t$288 + 0 + 32,%rsp\n.cfi_adjust_cfa_offset\t288 + 32\n\tleaq\t32(%rsp),%rbp\n\tandq\t$-32,%rbp\n\n\tmovq\t56(%r9),%rbx\n\taddq\t%rdx,%rbx\n\tmovq\t%r8,0+0+32(%rbp)\n\tmovq\t%rbx,8+0+32(%rbp)\n\tmovq\t%rdx,%rbx\n\n\tvzeroupper\n\tvmovdqa\t.Lchacha20_consts(%rip),%ymm0\n\tvbroadcasti128\t0(%r9),%ymm4\n\tvbroadcasti128\t16(%r9),%ymm8\n\tvbroadcasti128\t32(%r9),%ymm12\n\tvpaddd\t.Lavx2_init(%rip),%ymm12,%ymm12\n\tcmpq\t$192,%rbx\n\tjbe\t.Lseal_avx2_192\n\tcmpq\t$320,%rbx\n\tjbe\t.Lseal_avx2_320\n\tvmovdqa\t%ymm0,%ymm1\n\tvmovdqa\t%ymm0,%ymm2\n\tvmovdqa\t%ymm0,%ymm3\n\tvmovdqa\t%ymm4,%ymm5\n\tvmovdqa\t%ymm4,%ymm6\n\tvmovdqa\t%ymm4,%ymm7\n\tvmovdqa\t%ymm4,0+64(%rbp)\n\tvmovdqa\t%ymm8,%ymm9\n\tvmovdqa\t%ymm8,%ymm10\n\tvmovdqa\t%ymm8,%ymm11\n\tvmovdqa\t%ymm8,0+96(%rbp)\n\tvmovdqa\t%ymm12,%ymm15\n\tvpaddd\t.Lavx2_inc(%rip),%ymm15,%ymm14\n\tvpaddd\t.Lavx2_inc(%rip),%ymm14,%ymm13\n\tvpaddd\t.Lavx2_inc(%rip),%ymm13,%ymm12\n\tvmovdqa\t%ymm12,0+160(%rbp)\n\tvmovdqa\t%ymm13,0+192(%rbp)\n\tvmovdqa\t%ymm14,0+224(%rbp)\n\tvmovdqa\t%ymm15,0+256(%rbp)\n\tmovq\t$10,%r10\n.Lseal_avx2_init_rounds:\n\tvmovdqa\t%ymm8,0+128(%rbp)\n\tvmovdqa\t.Lrol16(%rip),%ymm8\n\tvpaddd\t%ymm7,%ymm3,%ymm3\n\tvpaddd\t%ymm6,%ymm2,%ymm2\n\tvpaddd\t%ymm5,%ymm1,%ymm1\n\tvpaddd\t%ymm4,%ymm0,%ymm0\n\tvpxor\t%ymm3,%ymm15,%ymm15\n\tvpxor\t%ymm2,%ymm14,%ymm14\n\tvpxor\t%ymm1,%ymm13,%ymm13\n\tvpxor\t%ymm0,%ymm12,%ymm12\n\tvpshufb\t%ymm8,%ymm15,%ymm15\n\tvpshufb\t%ymm8,%ymm14,%ymm14\n\tvpshufb\t%ymm8,%ymm13,%ymm13\n\tvpshufb\t%ymm8,%ymm12,%ymm12\n\tvpaddd\t%ymm15,%ymm11,%ymm11\n\tvpaddd\t%ymm14,%ymm10,%ymm10\n\tvpaddd\t%ymm13,%ymm9,%ymm9\n\tvpaddd\t0+128(%rbp),%ymm12,%ymm8\n\tvpxor\t%ymm11,%ymm7,%ymm7\n\tvpxor\t%ymm10,%ymm6,%ymm6\n\tvpxor\t%ymm9,%ymm5,%ymm5\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvmovdqa\t%ymm8,0+128(%rbp)\n\tvpsrld\t$20,%ymm7,%ymm8\n\tvpslld\t$32-20,%ymm7,%ymm7\n\tvpxor\t%ymm8,%ymm7,%ymm7\n\tvpsrld\t$20,%ymm6,%ymm8\n\tvpslld\t$32-20,%ymm6,%ymm6\n\tvpxor\t%ymm8,%ymm6,%ymm6\n\tvpsrld\t$20,%ymm5,%ymm8\n\tvpslld\t$32-20,%ymm5,%ymm5\n\tvpxor\t%ymm8,%ymm5,%ymm5\n\tvpsrld\t$20,%ymm4,%ymm8\n\tvpslld\t$32-20,%ymm4,%ymm4\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvmovdqa\t.Lrol8(%rip),%ymm8\n\tvpaddd\t%ymm7,%ymm3,%ymm3\n\tvpaddd\t%ymm6,%ymm2,%ymm2\n\tvpaddd\t%ymm5,%ymm1,%ymm1\n\tvpaddd\t%ymm4,%ymm0,%ymm0\n\tvpxor\t%ymm3,%ymm15,%ymm15\n\tvpxor\t%ymm2,%ymm14,%ymm14\n\tvpxor\t%ymm1,%ymm13,%ymm13\n\tvpxor\t%ymm0,%ymm12,%ymm12\n\tvpshufb\t%ymm8,%ymm15,%ymm15\n\tvpshufb\t%ymm8,%ymm14,%ymm14\n\tvpshufb\t%ymm8,%ymm13,%ymm13\n\tvpshufb\t%ymm8,%ymm12,%ymm12\n\tvpaddd\t%ymm15,%ymm11,%ymm11\n\tvpaddd\t%ymm14,%ymm10,%ymm10\n\tvpaddd\t%ymm13,%ymm9,%ymm9\n\tvpaddd\t0+128(%rbp),%ymm12,%ymm8\n\tvpxor\t%ymm11,%ymm7,%ymm7\n\tvpxor\t%ymm10,%ymm6,%ymm6\n\tvpxor\t%ymm9,%ymm5,%ymm5\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvmovdqa\t%ymm8,0+128(%rbp)\n\tvpsrld\t$25,%ymm7,%ymm8\n\tvpslld\t$32-25,%ymm7,%ymm7\n\tvpxor\t%ymm8,%ymm7,%ymm7\n\tvpsrld\t$25,%ymm6,%ymm8\n\tvpslld\t$32-25,%ymm6,%ymm6\n\tvpxor\t%ymm8,%ymm6,%ymm6\n\tvpsrld\t$25,%ymm5,%ymm8\n\tvpslld\t$32-25,%ymm5,%ymm5\n\tvpxor\t%ymm8,%ymm5,%ymm5\n\tvpsrld\t$25,%ymm4,%ymm8\n\tvpslld\t$32-25,%ymm4,%ymm4\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvmovdqa\t0+128(%rbp),%ymm8\n\tvpalignr\t$4,%ymm7,%ymm7,%ymm7\n\tvpalignr\t$8,%ymm11,%ymm11,%ymm11\n\tvpalignr\t$12,%ymm15,%ymm15,%ymm15\n\tvpalignr\t$4,%ymm6,%ymm6,%ymm6\n\tvpalignr\t$8,%ymm10,%ymm10,%ymm10\n\tvpalignr\t$12,%ymm14,%ymm14,%ymm14\n\tvpalignr\t$4,%ymm5,%ymm5,%ymm5\n\tvpalignr\t$8,%ymm9,%ymm9,%ymm9\n\tvpalignr\t$12,%ymm13,%ymm13,%ymm13\n\tvpalignr\t$4,%ymm4,%ymm4,%ymm4\n\tvpalignr\t$8,%ymm8,%ymm8,%ymm8\n\tvpalignr\t$12,%ymm12,%ymm12,%ymm12\n\tvmovdqa\t%ymm8,0+128(%rbp)\n\tvmovdqa\t.Lrol16(%rip),%ymm8\n\tvpaddd\t%ymm7,%ymm3,%ymm3\n\tvpaddd\t%ymm6,%ymm2,%ymm2\n\tvpaddd\t%ymm5,%ymm1,%ymm1\n\tvpaddd\t%ymm4,%ymm0,%ymm0\n\tvpxor\t%ymm3,%ymm15,%ymm15\n\tvpxor\t%ymm2,%ymm14,%ymm14\n\tvpxor\t%ymm1,%ymm13,%ymm13\n\tvpxor\t%ymm0,%ymm12,%ymm12\n\tvpshufb\t%ymm8,%ymm15,%ymm15\n\tvpshufb\t%ymm8,%ymm14,%ymm14\n\tvpshufb\t%ymm8,%ymm13,%ymm13\n\tvpshufb\t%ymm8,%ymm12,%ymm12\n\tvpaddd\t%ymm15,%ymm11,%ymm11\n\tvpaddd\t%ymm14,%ymm10,%ymm10\n\tvpaddd\t%ymm13,%ymm9,%ymm9\n\tvpaddd\t0+128(%rbp),%ymm12,%ymm8\n\tvpxor\t%ymm11,%ymm7,%ymm7\n\tvpxor\t%ymm10,%ymm6,%ymm6\n\tvpxor\t%ymm9,%ymm5,%ymm5\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvmovdqa\t%ymm8,0+128(%rbp)\n\tvpsrld\t$20,%ymm7,%ymm8\n\tvpslld\t$32-20,%ymm7,%ymm7\n\tvpxor\t%ymm8,%ymm7,%ymm7\n\tvpsrld\t$20,%ymm6,%ymm8\n\tvpslld\t$32-20,%ymm6,%ymm6\n\tvpxor\t%ymm8,%ymm6,%ymm6\n\tvpsrld\t$20,%ymm5,%ymm8\n\tvpslld\t$32-20,%ymm5,%ymm5\n\tvpxor\t%ymm8,%ymm5,%ymm5\n\tvpsrld\t$20,%ymm4,%ymm8\n\tvpslld\t$32-20,%ymm4,%ymm4\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvmovdqa\t.Lrol8(%rip),%ymm8\n\tvpaddd\t%ymm7,%ymm3,%ymm3\n\tvpaddd\t%ymm6,%ymm2,%ymm2\n\tvpaddd\t%ymm5,%ymm1,%ymm1\n\tvpaddd\t%ymm4,%ymm0,%ymm0\n\tvpxor\t%ymm3,%ymm15,%ymm15\n\tvpxor\t%ymm2,%ymm14,%ymm14\n\tvpxor\t%ymm1,%ymm13,%ymm13\n\tvpxor\t%ymm0,%ymm12,%ymm12\n\tvpshufb\t%ymm8,%ymm15,%ymm15\n\tvpshufb\t%ymm8,%ymm14,%ymm14\n\tvpshufb\t%ymm8,%ymm13,%ymm13\n\tvpshufb\t%ymm8,%ymm12,%ymm12\n\tvpaddd\t%ymm15,%ymm11,%ymm11\n\tvpaddd\t%ymm14,%ymm10,%ymm10\n\tvpaddd\t%ymm13,%ymm9,%ymm9\n\tvpaddd\t0+128(%rbp),%ymm12,%ymm8\n\tvpxor\t%ymm11,%ymm7,%ymm7\n\tvpxor\t%ymm10,%ymm6,%ymm6\n\tvpxor\t%ymm9,%ymm5,%ymm5\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvmovdqa\t%ymm8,0+128(%rbp)\n\tvpsrld\t$25,%ymm7,%ymm8\n\tvpslld\t$32-25,%ymm7,%ymm7\n\tvpxor\t%ymm8,%ymm7,%ymm7\n\tvpsrld\t$25,%ymm6,%ymm8\n\tvpslld\t$32-25,%ymm6,%ymm6\n\tvpxor\t%ymm8,%ymm6,%ymm6\n\tvpsrld\t$25,%ymm5,%ymm8\n\tvpslld\t$32-25,%ymm5,%ymm5\n\tvpxor\t%ymm8,%ymm5,%ymm5\n\tvpsrld\t$25,%ymm4,%ymm8\n\tvpslld\t$32-25,%ymm4,%ymm4\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvmovdqa\t0+128(%rbp),%ymm8\n\tvpalignr\t$12,%ymm7,%ymm7,%ymm7\n\tvpalignr\t$8,%ymm11,%ymm11,%ymm11\n\tvpalignr\t$4,%ymm15,%ymm15,%ymm15\n\tvpalignr\t$12,%ymm6,%ymm6,%ymm6\n\tvpalignr\t$8,%ymm10,%ymm10,%ymm10\n\tvpalignr\t$4,%ymm14,%ymm14,%ymm14\n\tvpalignr\t$12,%ymm5,%ymm5,%ymm5\n\tvpalignr\t$8,%ymm9,%ymm9,%ymm9\n\tvpalignr\t$4,%ymm13,%ymm13,%ymm13\n\tvpalignr\t$12,%ymm4,%ymm4,%ymm4\n\tvpalignr\t$8,%ymm8,%ymm8,%ymm8\n\tvpalignr\t$4,%ymm12,%ymm12,%ymm12\n\n\tdecq\t%r10\n\tjnz\t.Lseal_avx2_init_rounds\n\tvpaddd\t.Lchacha20_consts(%rip),%ymm3,%ymm3\n\tvpaddd\t0+64(%rbp),%ymm7,%ymm7\n\tvpaddd\t0+96(%rbp),%ymm11,%ymm11\n\tvpaddd\t0+256(%rbp),%ymm15,%ymm15\n\tvpaddd\t.Lchacha20_consts(%rip),%ymm2,%ymm2\n\tvpaddd\t0+64(%rbp),%ymm6,%ymm6\n\tvpaddd\t0+96(%rbp),%ymm10,%ymm10\n\tvpaddd\t0+224(%rbp),%ymm14,%ymm14\n\tvpaddd\t.Lchacha20_consts(%rip),%ymm1,%ymm1\n\tvpaddd\t0+64(%rbp),%ymm5,%ymm5\n\tvpaddd\t0+96(%rbp),%ymm9,%ymm9\n\tvpaddd\t0+192(%rbp),%ymm13,%ymm13\n\tvpaddd\t.Lchacha20_consts(%rip),%ymm0,%ymm0\n\tvpaddd\t0+64(%rbp),%ymm4,%ymm4\n\tvpaddd\t0+96(%rbp),%ymm8,%ymm8\n\tvpaddd\t0+160(%rbp),%ymm12,%ymm12\n\n\tvperm2i128\t$0x13,%ymm11,%ymm15,%ymm11\n\tvperm2i128\t$0x02,%ymm3,%ymm7,%ymm15\n\tvperm2i128\t$0x13,%ymm3,%ymm7,%ymm3\n\tvpand\t.Lclamp(%rip),%ymm15,%ymm15\n\tvmovdqa\t%ymm15,0+0(%rbp)\n\tmovq\t%r8,%r8\n\tcall\tpoly_hash_ad_internal\n\n\tvpxor\t0(%rsi),%ymm3,%ymm3\n\tvpxor\t32(%rsi),%ymm11,%ymm11\n\tvmovdqu\t%ymm3,0(%rdi)\n\tvmovdqu\t%ymm11,32(%rdi)\n\tvperm2i128\t$0x02,%ymm2,%ymm6,%ymm15\n\tvperm2i128\t$0x13,%ymm2,%ymm6,%ymm6\n\tvperm2i128\t$0x02,%ymm10,%ymm14,%ymm2\n\tvperm2i128\t$0x13,%ymm10,%ymm14,%ymm10\n\tvpxor\t0+64(%rsi),%ymm15,%ymm15\n\tvpxor\t32+64(%rsi),%ymm2,%ymm2\n\tvpxor\t64+64(%rsi),%ymm6,%ymm6\n\tvpxor\t96+64(%rsi),%ymm10,%ymm10\n\tvmovdqu\t%ymm15,0+64(%rdi)\n\tvmovdqu\t%ymm2,32+64(%rdi)\n\tvmovdqu\t%ymm6,64+64(%rdi)\n\tvmovdqu\t%ymm10,96+64(%rdi)\n\tvperm2i128\t$0x02,%ymm1,%ymm5,%ymm15\n\tvperm2i128\t$0x13,%ymm1,%ymm5,%ymm5\n\tvperm2i128\t$0x02,%ymm9,%ymm13,%ymm1\n\tvperm2i128\t$0x13,%ymm9,%ymm13,%ymm9\n\tvpxor\t0+192(%rsi),%ymm15,%ymm15\n\tvpxor\t32+192(%rsi),%ymm1,%ymm1\n\tvpxor\t64+192(%rsi),%ymm5,%ymm5\n\tvpxor\t96+192(%rsi),%ymm9,%ymm9\n\tvmovdqu\t%ymm15,0+192(%rdi)\n\tvmovdqu\t%ymm1,32+192(%rdi)\n\tvmovdqu\t%ymm5,64+192(%rdi)\n\tvmovdqu\t%ymm9,96+192(%rdi)\n\tvperm2i128\t$0x13,%ymm0,%ymm4,%ymm15\n\tvperm2i128\t$0x02,%ymm0,%ymm4,%ymm0\n\tvperm2i128\t$0x02,%ymm8,%ymm12,%ymm4\n\tvperm2i128\t$0x13,%ymm8,%ymm12,%ymm12\n\tvmovdqa\t%ymm15,%ymm8\n\n\tleaq\t320(%rsi),%rsi\n\tsubq\t$320,%rbx\n\tmovq\t$320,%rcx\n\tcmpq\t$128,%rbx\n\tjbe\t.Lseal_avx2_short_hash_remainder\n\tvpxor\t0(%rsi),%ymm0,%ymm0\n\tvpxor\t32(%rsi),%ymm4,%ymm4\n\tvpxor\t64(%rsi),%ymm8,%ymm8\n\tvpxor\t96(%rsi),%ymm12,%ymm12\n\tvmovdqu\t%ymm0,320(%rdi)\n\tvmovdqu\t%ymm4,352(%rdi)\n\tvmovdqu\t%ymm8,384(%rdi)\n\tvmovdqu\t%ymm12,416(%rdi)\n\tleaq\t128(%rsi),%rsi\n\tsubq\t$128,%rbx\n\tmovq\t$8,%rcx\n\tmovq\t$2,%r8\n\tcmpq\t$128,%rbx\n\tjbe\t.Lseal_avx2_tail_128\n\tcmpq\t$256,%rbx\n\tjbe\t.Lseal_avx2_tail_256\n\tcmpq\t$384,%rbx\n\tjbe\t.Lseal_avx2_tail_384\n\tcmpq\t$512,%rbx\n\tjbe\t.Lseal_avx2_tail_512\n\tvmovdqa\t.Lchacha20_consts(%rip),%ymm0\n\tvmovdqa\t0+64(%rbp),%ymm4\n\tvmovdqa\t0+96(%rbp),%ymm8\n\tvmovdqa\t%ymm0,%ymm1\n\tvmovdqa\t%ymm4,%ymm5\n\tvmovdqa\t%ymm8,%ymm9\n\tvmovdqa\t%ymm0,%ymm2\n\tvmovdqa\t%ymm4,%ymm6\n\tvmovdqa\t%ymm8,%ymm10\n\tvmovdqa\t%ymm0,%ymm3\n\tvmovdqa\t%ymm4,%ymm7\n\tvmovdqa\t%ymm8,%ymm11\n\tvmovdqa\t.Lavx2_inc(%rip),%ymm12\n\tvpaddd\t0+160(%rbp),%ymm12,%ymm15\n\tvpaddd\t%ymm15,%ymm12,%ymm14\n\tvpaddd\t%ymm14,%ymm12,%ymm13\n\tvpaddd\t%ymm13,%ymm12,%ymm12\n\tvmovdqa\t%ymm15,0+256(%rbp)\n\tvmovdqa\t%ymm14,0+224(%rbp)\n\tvmovdqa\t%ymm13,0+192(%rbp)\n\tvmovdqa\t%ymm12,0+160(%rbp)\n\tvmovdqa\t%ymm8,0+128(%rbp)\n\tvmovdqa\t.Lrol16(%rip),%ymm8\n\tvpaddd\t%ymm7,%ymm3,%ymm3\n\tvpaddd\t%ymm6,%ymm2,%ymm2\n\tvpaddd\t%ymm5,%ymm1,%ymm1\n\tvpaddd\t%ymm4,%ymm0,%ymm0\n\tvpxor\t%ymm3,%ymm15,%ymm15\n\tvpxor\t%ymm2,%ymm14,%ymm14\n\tvpxor\t%ymm1,%ymm13,%ymm13\n\tvpxor\t%ymm0,%ymm12,%ymm12\n\tvpshufb\t%ymm8,%ymm15,%ymm15\n\tvpshufb\t%ymm8,%ymm14,%ymm14\n\tvpshufb\t%ymm8,%ymm13,%ymm13\n\tvpshufb\t%ymm8,%ymm12,%ymm12\n\tvpaddd\t%ymm15,%ymm11,%ymm11\n\tvpaddd\t%ymm14,%ymm10,%ymm10\n\tvpaddd\t%ymm13,%ymm9,%ymm9\n\tvpaddd\t0+128(%rbp),%ymm12,%ymm8\n\tvpxor\t%ymm11,%ymm7,%ymm7\n\tvpxor\t%ymm10,%ymm6,%ymm6\n\tvpxor\t%ymm9,%ymm5,%ymm5\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvmovdqa\t%ymm8,0+128(%rbp)\n\tvpsrld\t$20,%ymm7,%ymm8\n\tvpslld\t$32-20,%ymm7,%ymm7\n\tvpxor\t%ymm8,%ymm7,%ymm7\n\tvpsrld\t$20,%ymm6,%ymm8\n\tvpslld\t$32-20,%ymm6,%ymm6\n\tvpxor\t%ymm8,%ymm6,%ymm6\n\tvpsrld\t$20,%ymm5,%ymm8\n\tvpslld\t$32-20,%ymm5,%ymm5\n\tvpxor\t%ymm8,%ymm5,%ymm5\n\tvpsrld\t$20,%ymm4,%ymm8\n\tvpslld\t$32-20,%ymm4,%ymm4\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvmovdqa\t.Lrol8(%rip),%ymm8\n\tvpaddd\t%ymm7,%ymm3,%ymm3\n\tvpaddd\t%ymm6,%ymm2,%ymm2\n\tvpaddd\t%ymm5,%ymm1,%ymm1\n\tvpaddd\t%ymm4,%ymm0,%ymm0\n\tvpxor\t%ymm3,%ymm15,%ymm15\n\tvpxor\t%ymm2,%ymm14,%ymm14\n\tvpxor\t%ymm1,%ymm13,%ymm13\n\tvpxor\t%ymm0,%ymm12,%ymm12\n\tvpshufb\t%ymm8,%ymm15,%ymm15\n\tvpshufb\t%ymm8,%ymm14,%ymm14\n\tvpshufb\t%ymm8,%ymm13,%ymm13\n\tvpshufb\t%ymm8,%ymm12,%ymm12\n\tvpaddd\t%ymm15,%ymm11,%ymm11\n\tvpaddd\t%ymm14,%ymm10,%ymm10\n\tvpaddd\t%ymm13,%ymm9,%ymm9\n\tvpaddd\t0+128(%rbp),%ymm12,%ymm8\n\tvpxor\t%ymm11,%ymm7,%ymm7\n\tvpxor\t%ymm10,%ymm6,%ymm6\n\tvpxor\t%ymm9,%ymm5,%ymm5\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvmovdqa\t%ymm8,0+128(%rbp)\n\tvpsrld\t$25,%ymm7,%ymm8\n\tvpslld\t$32-25,%ymm7,%ymm7\n\tvpxor\t%ymm8,%ymm7,%ymm7\n\tvpsrld\t$25,%ymm6,%ymm8\n\tvpslld\t$32-25,%ymm6,%ymm6\n\tvpxor\t%ymm8,%ymm6,%ymm6\n\tvpsrld\t$25,%ymm5,%ymm8\n\tvpslld\t$32-25,%ymm5,%ymm5\n\tvpxor\t%ymm8,%ymm5,%ymm5\n\tvpsrld\t$25,%ymm4,%ymm8\n\tvpslld\t$32-25,%ymm4,%ymm4\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvmovdqa\t0+128(%rbp),%ymm8\n\tvpalignr\t$4,%ymm7,%ymm7,%ymm7\n\tvpalignr\t$8,%ymm11,%ymm11,%ymm11\n\tvpalignr\t$12,%ymm15,%ymm15,%ymm15\n\tvpalignr\t$4,%ymm6,%ymm6,%ymm6\n\tvpalignr\t$8,%ymm10,%ymm10,%ymm10\n\tvpalignr\t$12,%ymm14,%ymm14,%ymm14\n\tvpalignr\t$4,%ymm5,%ymm5,%ymm5\n\tvpalignr\t$8,%ymm9,%ymm9,%ymm9\n\tvpalignr\t$12,%ymm13,%ymm13,%ymm13\n\tvpalignr\t$4,%ymm4,%ymm4,%ymm4\n\tvpalignr\t$8,%ymm8,%ymm8,%ymm8\n\tvpalignr\t$12,%ymm12,%ymm12,%ymm12\n\tvmovdqa\t%ymm8,0+128(%rbp)\n\tvmovdqa\t.Lrol16(%rip),%ymm8\n\tvpaddd\t%ymm7,%ymm3,%ymm3\n\tvpaddd\t%ymm6,%ymm2,%ymm2\n\tvpaddd\t%ymm5,%ymm1,%ymm1\n\tvpaddd\t%ymm4,%ymm0,%ymm0\n\tvpxor\t%ymm3,%ymm15,%ymm15\n\tvpxor\t%ymm2,%ymm14,%ymm14\n\tvpxor\t%ymm1,%ymm13,%ymm13\n\tvpxor\t%ymm0,%ymm12,%ymm12\n\tvpshufb\t%ymm8,%ymm15,%ymm15\n\tvpshufb\t%ymm8,%ymm14,%ymm14\n\tvpshufb\t%ymm8,%ymm13,%ymm13\n\tvpshufb\t%ymm8,%ymm12,%ymm12\n\tvpaddd\t%ymm15,%ymm11,%ymm11\n\tvpaddd\t%ymm14,%ymm10,%ymm10\n\tvpaddd\t%ymm13,%ymm9,%ymm9\n\tvpaddd\t0+128(%rbp),%ymm12,%ymm8\n\tvpxor\t%ymm11,%ymm7,%ymm7\n\tvpxor\t%ymm10,%ymm6,%ymm6\n\tvpxor\t%ymm9,%ymm5,%ymm5\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvmovdqa\t%ymm8,0+128(%rbp)\n\tvpsrld\t$20,%ymm7,%ymm8\n\tvpslld\t$32-20,%ymm7,%ymm7\n\tvpxor\t%ymm8,%ymm7,%ymm7\n\tvpsrld\t$20,%ymm6,%ymm8\n\tvpslld\t$32-20,%ymm6,%ymm6\n\tvpxor\t%ymm8,%ymm6,%ymm6\n\tvpsrld\t$20,%ymm5,%ymm8\n\tvpslld\t$32-20,%ymm5,%ymm5\n\tvpxor\t%ymm8,%ymm5,%ymm5\n\tvpsrld\t$20,%ymm4,%ymm8\n\tvpslld\t$32-20,%ymm4,%ymm4\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvmovdqa\t.Lrol8(%rip),%ymm8\n\tvpaddd\t%ymm7,%ymm3,%ymm3\n\tvpaddd\t%ymm6,%ymm2,%ymm2\n\tvpaddd\t%ymm5,%ymm1,%ymm1\n\tvpaddd\t%ymm4,%ymm0,%ymm0\n\tvpxor\t%ymm3,%ymm15,%ymm15\n\tvpxor\t%ymm2,%ymm14,%ymm14\n\tvpxor\t%ymm1,%ymm13,%ymm13\n\tvpxor\t%ymm0,%ymm12,%ymm12\n\tvpshufb\t%ymm8,%ymm15,%ymm15\n\tvpshufb\t%ymm8,%ymm14,%ymm14\n\tvpshufb\t%ymm8,%ymm13,%ymm13\n\tvpshufb\t%ymm8,%ymm12,%ymm12\n\tvpaddd\t%ymm15,%ymm11,%ymm11\n\tvpaddd\t%ymm14,%ymm10,%ymm10\n\tvpaddd\t%ymm13,%ymm9,%ymm9\n\tvpaddd\t0+128(%rbp),%ymm12,%ymm8\n\tvpxor\t%ymm11,%ymm7,%ymm7\n\tvpxor\t%ymm10,%ymm6,%ymm6\n\tvpxor\t%ymm9,%ymm5,%ymm5\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvmovdqa\t%ymm8,0+128(%rbp)\n\tvpsrld\t$25,%ymm7,%ymm8\n\tvpslld\t$32-25,%ymm7,%ymm7\n\tvpxor\t%ymm8,%ymm7,%ymm7\n\tvpsrld\t$25,%ymm6,%ymm8\n\tvpslld\t$32-25,%ymm6,%ymm6\n\tvpxor\t%ymm8,%ymm6,%ymm6\n\tvpsrld\t$25,%ymm5,%ymm8\n\tvpslld\t$32-25,%ymm5,%ymm5\n\tvpxor\t%ymm8,%ymm5,%ymm5\n\tvpsrld\t$25,%ymm4,%ymm8\n\tvpslld\t$32-25,%ymm4,%ymm4\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvmovdqa\t0+128(%rbp),%ymm8\n\tvpalignr\t$12,%ymm7,%ymm7,%ymm7\n\tvpalignr\t$8,%ymm11,%ymm11,%ymm11\n\tvpalignr\t$4,%ymm15,%ymm15,%ymm15\n\tvpalignr\t$12,%ymm6,%ymm6,%ymm6\n\tvpalignr\t$8,%ymm10,%ymm10,%ymm10\n\tvpalignr\t$4,%ymm14,%ymm14,%ymm14\n\tvpalignr\t$12,%ymm5,%ymm5,%ymm5\n\tvpalignr\t$8,%ymm9,%ymm9,%ymm9\n\tvpalignr\t$4,%ymm13,%ymm13,%ymm13\n\tvpalignr\t$12,%ymm4,%ymm4,%ymm4\n\tvpalignr\t$8,%ymm8,%ymm8,%ymm8\n\tvpalignr\t$4,%ymm12,%ymm12,%ymm12\n\tvmovdqa\t%ymm8,0+128(%rbp)\n\tvmovdqa\t.Lrol16(%rip),%ymm8\n\tvpaddd\t%ymm7,%ymm3,%ymm3\n\tvpaddd\t%ymm6,%ymm2,%ymm2\n\tvpaddd\t%ymm5,%ymm1,%ymm1\n\tvpaddd\t%ymm4,%ymm0,%ymm0\n\tvpxor\t%ymm3,%ymm15,%ymm15\n\tvpxor\t%ymm2,%ymm14,%ymm14\n\tvpxor\t%ymm1,%ymm13,%ymm13\n\tvpxor\t%ymm0,%ymm12,%ymm12\n\tvpshufb\t%ymm8,%ymm15,%ymm15\n\tvpshufb\t%ymm8,%ymm14,%ymm14\n\tvpshufb\t%ymm8,%ymm13,%ymm13\n\tvpshufb\t%ymm8,%ymm12,%ymm12\n\tvpaddd\t%ymm15,%ymm11,%ymm11\n\tvpaddd\t%ymm14,%ymm10,%ymm10\n\tvpaddd\t%ymm13,%ymm9,%ymm9\n\tvpaddd\t0+128(%rbp),%ymm12,%ymm8\n\tvpxor\t%ymm11,%ymm7,%ymm7\n\tvpxor\t%ymm10,%ymm6,%ymm6\n\tvpxor\t%ymm9,%ymm5,%ymm5\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvmovdqa\t%ymm8,0+128(%rbp)\n\tvpsrld\t$20,%ymm7,%ymm8\n\tvpslld\t$32-20,%ymm7,%ymm7\n\tvpxor\t%ymm8,%ymm7,%ymm7\n\tvpsrld\t$20,%ymm6,%ymm8\n\tvpslld\t$32-20,%ymm6,%ymm6\n\tvpxor\t%ymm8,%ymm6,%ymm6\n\tvpsrld\t$20,%ymm5,%ymm8\n\tvpslld\t$32-20,%ymm5,%ymm5\n\tvpxor\t%ymm8,%ymm5,%ymm5\n\tvpsrld\t$20,%ymm4,%ymm8\n\tvpslld\t$32-20,%ymm4,%ymm4\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvmovdqa\t.Lrol8(%rip),%ymm8\n\tvpaddd\t%ymm7,%ymm3,%ymm3\n\tvpaddd\t%ymm6,%ymm2,%ymm2\n\tvpaddd\t%ymm5,%ymm1,%ymm1\n\tvpaddd\t%ymm4,%ymm0,%ymm0\n\tvpxor\t%ymm3,%ymm15,%ymm15\n\n\tsubq\t$16,%rdi\n\tmovq\t$9,%rcx\n\tjmp\t.Lseal_avx2_main_loop_rounds_entry\n.align\t32\n.Lseal_avx2_main_loop:\n\tvmovdqa\t.Lchacha20_consts(%rip),%ymm0\n\tvmovdqa\t0+64(%rbp),%ymm4\n\tvmovdqa\t0+96(%rbp),%ymm8\n\tvmovdqa\t%ymm0,%ymm1\n\tvmovdqa\t%ymm4,%ymm5\n\tvmovdqa\t%ymm8,%ymm9\n\tvmovdqa\t%ymm0,%ymm2\n\tvmovdqa\t%ymm4,%ymm6\n\tvmovdqa\t%ymm8,%ymm10\n\tvmovdqa\t%ymm0,%ymm3\n\tvmovdqa\t%ymm4,%ymm7\n\tvmovdqa\t%ymm8,%ymm11\n\tvmovdqa\t.Lavx2_inc(%rip),%ymm12\n\tvpaddd\t0+160(%rbp),%ymm12,%ymm15\n\tvpaddd\t%ymm15,%ymm12,%ymm14\n\tvpaddd\t%ymm14,%ymm12,%ymm13\n\tvpaddd\t%ymm13,%ymm12,%ymm12\n\tvmovdqa\t%ymm15,0+256(%rbp)\n\tvmovdqa\t%ymm14,0+224(%rbp)\n\tvmovdqa\t%ymm13,0+192(%rbp)\n\tvmovdqa\t%ymm12,0+160(%rbp)\n\n\tmovq\t$10,%rcx\n.align\t32\n.Lseal_avx2_main_loop_rounds:\n\taddq\t0+0(%rdi),%r10\n\tadcq\t8+0(%rdi),%r11\n\tadcq\t$1,%r12\n\tvmovdqa\t%ymm8,0+128(%rbp)\n\tvmovdqa\t.Lrol16(%rip),%ymm8\n\tvpaddd\t%ymm7,%ymm3,%ymm3\n\tvpaddd\t%ymm6,%ymm2,%ymm2\n\tvpaddd\t%ymm5,%ymm1,%ymm1\n\tvpaddd\t%ymm4,%ymm0,%ymm0\n\tvpxor\t%ymm3,%ymm15,%ymm15\n\tvpxor\t%ymm2,%ymm14,%ymm14\n\tvpxor\t%ymm1,%ymm13,%ymm13\n\tvpxor\t%ymm0,%ymm12,%ymm12\n\tmovq\t0+0+0(%rbp),%rdx\n\tmovq\t%rdx,%r15\n\tmulxq\t%r10,%r13,%r14\n\tmulxq\t%r11,%rax,%rdx\n\timulq\t%r12,%r15\n\taddq\t%rax,%r14\n\tadcq\t%rdx,%r15\n\tvpshufb\t%ymm8,%ymm15,%ymm15\n\tvpshufb\t%ymm8,%ymm14,%ymm14\n\tvpshufb\t%ymm8,%ymm13,%ymm13\n\tvpshufb\t%ymm8,%ymm12,%ymm12\n\tvpaddd\t%ymm15,%ymm11,%ymm11\n\tvpaddd\t%ymm14,%ymm10,%ymm10\n\tvpaddd\t%ymm13,%ymm9,%ymm9\n\tvpaddd\t0+128(%rbp),%ymm12,%ymm8\n\tvpxor\t%ymm11,%ymm7,%ymm7\n\tmovq\t8+0+0(%rbp),%rdx\n\tmulxq\t%r10,%r10,%rax\n\taddq\t%r10,%r14\n\tmulxq\t%r11,%r11,%r9\n\tadcq\t%r11,%r15\n\tadcq\t$0,%r9\n\timulq\t%r12,%rdx\n\tvpxor\t%ymm10,%ymm6,%ymm6\n\tvpxor\t%ymm9,%ymm5,%ymm5\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvmovdqa\t%ymm8,0+128(%rbp)\n\tvpsrld\t$20,%ymm7,%ymm8\n\tvpslld\t$32-20,%ymm7,%ymm7\n\tvpxor\t%ymm8,%ymm7,%ymm7\n\tvpsrld\t$20,%ymm6,%ymm8\n\tvpslld\t$32-20,%ymm6,%ymm6\n\tvpxor\t%ymm8,%ymm6,%ymm6\n\tvpsrld\t$20,%ymm5,%ymm8\n\tvpslld\t$32-20,%ymm5,%ymm5\n\taddq\t%rax,%r15\n\tadcq\t%rdx,%r9\n\tvpxor\t%ymm8,%ymm5,%ymm5\n\tvpsrld\t$20,%ymm4,%ymm8\n\tvpslld\t$32-20,%ymm4,%ymm4\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvmovdqa\t.Lrol8(%rip),%ymm8\n\tvpaddd\t%ymm7,%ymm3,%ymm3\n\tvpaddd\t%ymm6,%ymm2,%ymm2\n\tvpaddd\t%ymm5,%ymm1,%ymm1\n\tvpaddd\t%ymm4,%ymm0,%ymm0\n\tvpxor\t%ymm3,%ymm15,%ymm15\n\tmovq\t%r13,%r10\n\tmovq\t%r14,%r11\n\tmovq\t%r15,%r12\n\tandq\t$3,%r12\n\tmovq\t%r15,%r13\n\tandq\t$-4,%r13\n\tmovq\t%r9,%r14\n\tshrdq\t$2,%r9,%r15\n\tshrq\t$2,%r9\n\taddq\t%r13,%r15\n\tadcq\t%r14,%r9\n\taddq\t%r15,%r10\n\tadcq\t%r9,%r11\n\tadcq\t$0,%r12\n\n.Lseal_avx2_main_loop_rounds_entry:\n\tvpxor\t%ymm2,%ymm14,%ymm14\n\tvpxor\t%ymm1,%ymm13,%ymm13\n\tvpxor\t%ymm0,%ymm12,%ymm12\n\tvpshufb\t%ymm8,%ymm15,%ymm15\n\tvpshufb\t%ymm8,%ymm14,%ymm14\n\tvpshufb\t%ymm8,%ymm13,%ymm13\n\tvpshufb\t%ymm8,%ymm12,%ymm12\n\tvpaddd\t%ymm15,%ymm11,%ymm11\n\tvpaddd\t%ymm14,%ymm10,%ymm10\n\taddq\t0+16(%rdi),%r10\n\tadcq\t8+16(%rdi),%r11\n\tadcq\t$1,%r12\n\tvpaddd\t%ymm13,%ymm9,%ymm9\n\tvpaddd\t0+128(%rbp),%ymm12,%ymm8\n\tvpxor\t%ymm11,%ymm7,%ymm7\n\tvpxor\t%ymm10,%ymm6,%ymm6\n\tvpxor\t%ymm9,%ymm5,%ymm5\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvmovdqa\t%ymm8,0+128(%rbp)\n\tvpsrld\t$25,%ymm7,%ymm8\n\tmovq\t0+0+0(%rbp),%rdx\n\tmovq\t%rdx,%r15\n\tmulxq\t%r10,%r13,%r14\n\tmulxq\t%r11,%rax,%rdx\n\timulq\t%r12,%r15\n\taddq\t%rax,%r14\n\tadcq\t%rdx,%r15\n\tvpslld\t$32-25,%ymm7,%ymm7\n\tvpxor\t%ymm8,%ymm7,%ymm7\n\tvpsrld\t$25,%ymm6,%ymm8\n\tvpslld\t$32-25,%ymm6,%ymm6\n\tvpxor\t%ymm8,%ymm6,%ymm6\n\tvpsrld\t$25,%ymm5,%ymm8\n\tvpslld\t$32-25,%ymm5,%ymm5\n\tvpxor\t%ymm8,%ymm5,%ymm5\n\tvpsrld\t$25,%ymm4,%ymm8\n\tvpslld\t$32-25,%ymm4,%ymm4\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvmovdqa\t0+128(%rbp),%ymm8\n\tvpalignr\t$4,%ymm7,%ymm7,%ymm7\n\tvpalignr\t$8,%ymm11,%ymm11,%ymm11\n\tvpalignr\t$12,%ymm15,%ymm15,%ymm15\n\tvpalignr\t$4,%ymm6,%ymm6,%ymm6\n\tvpalignr\t$8,%ymm10,%ymm10,%ymm10\n\tvpalignr\t$12,%ymm14,%ymm14,%ymm14\n\tmovq\t8+0+0(%rbp),%rdx\n\tmulxq\t%r10,%r10,%rax\n\taddq\t%r10,%r14\n\tmulxq\t%r11,%r11,%r9\n\tadcq\t%r11,%r15\n\tadcq\t$0,%r9\n\timulq\t%r12,%rdx\n\tvpalignr\t$4,%ymm5,%ymm5,%ymm5\n\tvpalignr\t$8,%ymm9,%ymm9,%ymm9\n\tvpalignr\t$12,%ymm13,%ymm13,%ymm13\n\tvpalignr\t$4,%ymm4,%ymm4,%ymm4\n\tvpalignr\t$8,%ymm8,%ymm8,%ymm8\n\tvpalignr\t$12,%ymm12,%ymm12,%ymm12\n\tvmovdqa\t%ymm8,0+128(%rbp)\n\tvmovdqa\t.Lrol16(%rip),%ymm8\n\tvpaddd\t%ymm7,%ymm3,%ymm3\n\tvpaddd\t%ymm6,%ymm2,%ymm2\n\tvpaddd\t%ymm5,%ymm1,%ymm1\n\tvpaddd\t%ymm4,%ymm0,%ymm0\n\tvpxor\t%ymm3,%ymm15,%ymm15\n\tvpxor\t%ymm2,%ymm14,%ymm14\n\tvpxor\t%ymm1,%ymm13,%ymm13\n\tvpxor\t%ymm0,%ymm12,%ymm12\n\tvpshufb\t%ymm8,%ymm15,%ymm15\n\tvpshufb\t%ymm8,%ymm14,%ymm14\n\taddq\t%rax,%r15\n\tadcq\t%rdx,%r9\n\tvpshufb\t%ymm8,%ymm13,%ymm13\n\tvpshufb\t%ymm8,%ymm12,%ymm12\n\tvpaddd\t%ymm15,%ymm11,%ymm11\n\tvpaddd\t%ymm14,%ymm10,%ymm10\n\tvpaddd\t%ymm13,%ymm9,%ymm9\n\tvpaddd\t0+128(%rbp),%ymm12,%ymm8\n\tvpxor\t%ymm11,%ymm7,%ymm7\n\tvpxor\t%ymm10,%ymm6,%ymm6\n\tvpxor\t%ymm9,%ymm5,%ymm5\n\tmovq\t%r13,%r10\n\tmovq\t%r14,%r11\n\tmovq\t%r15,%r12\n\tandq\t$3,%r12\n\tmovq\t%r15,%r13\n\tandq\t$-4,%r13\n\tmovq\t%r9,%r14\n\tshrdq\t$2,%r9,%r15\n\tshrq\t$2,%r9\n\taddq\t%r13,%r15\n\tadcq\t%r14,%r9\n\taddq\t%r15,%r10\n\tadcq\t%r9,%r11\n\tadcq\t$0,%r12\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvmovdqa\t%ymm8,0+128(%rbp)\n\tvpsrld\t$20,%ymm7,%ymm8\n\tvpslld\t$32-20,%ymm7,%ymm7\n\tvpxor\t%ymm8,%ymm7,%ymm7\n\tvpsrld\t$20,%ymm6,%ymm8\n\tvpslld\t$32-20,%ymm6,%ymm6\n\tvpxor\t%ymm8,%ymm6,%ymm6\n\taddq\t0+32(%rdi),%r10\n\tadcq\t8+32(%rdi),%r11\n\tadcq\t$1,%r12\n\n\tleaq\t48(%rdi),%rdi\n\tvpsrld\t$20,%ymm5,%ymm8\n\tvpslld\t$32-20,%ymm5,%ymm5\n\tvpxor\t%ymm8,%ymm5,%ymm5\n\tvpsrld\t$20,%ymm4,%ymm8\n\tvpslld\t$32-20,%ymm4,%ymm4\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvmovdqa\t.Lrol8(%rip),%ymm8\n\tvpaddd\t%ymm7,%ymm3,%ymm3\n\tvpaddd\t%ymm6,%ymm2,%ymm2\n\tvpaddd\t%ymm5,%ymm1,%ymm1\n\tvpaddd\t%ymm4,%ymm0,%ymm0\n\tvpxor\t%ymm3,%ymm15,%ymm15\n\tvpxor\t%ymm2,%ymm14,%ymm14\n\tvpxor\t%ymm1,%ymm13,%ymm13\n\tvpxor\t%ymm0,%ymm12,%ymm12\n\tvpshufb\t%ymm8,%ymm15,%ymm15\n\tvpshufb\t%ymm8,%ymm14,%ymm14\n\tvpshufb\t%ymm8,%ymm13,%ymm13\n\tmovq\t0+0+0(%rbp),%rdx\n\tmovq\t%rdx,%r15\n\tmulxq\t%r10,%r13,%r14\n\tmulxq\t%r11,%rax,%rdx\n\timulq\t%r12,%r15\n\taddq\t%rax,%r14\n\tadcq\t%rdx,%r15\n\tvpshufb\t%ymm8,%ymm12,%ymm12\n\tvpaddd\t%ymm15,%ymm11,%ymm11\n\tvpaddd\t%ymm14,%ymm10,%ymm10\n\tvpaddd\t%ymm13,%ymm9,%ymm9\n\tvpaddd\t0+128(%rbp),%ymm12,%ymm8\n\tvpxor\t%ymm11,%ymm7,%ymm7\n\tvpxor\t%ymm10,%ymm6,%ymm6\n\tvpxor\t%ymm9,%ymm5,%ymm5\n\tmovq\t8+0+0(%rbp),%rdx\n\tmulxq\t%r10,%r10,%rax\n\taddq\t%r10,%r14\n\tmulxq\t%r11,%r11,%r9\n\tadcq\t%r11,%r15\n\tadcq\t$0,%r9\n\timulq\t%r12,%rdx\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvmovdqa\t%ymm8,0+128(%rbp)\n\tvpsrld\t$25,%ymm7,%ymm8\n\tvpslld\t$32-25,%ymm7,%ymm7\n\tvpxor\t%ymm8,%ymm7,%ymm7\n\tvpsrld\t$25,%ymm6,%ymm8\n\tvpslld\t$32-25,%ymm6,%ymm6\n\tvpxor\t%ymm8,%ymm6,%ymm6\n\taddq\t%rax,%r15\n\tadcq\t%rdx,%r9\n\tvpsrld\t$25,%ymm5,%ymm8\n\tvpslld\t$32-25,%ymm5,%ymm5\n\tvpxor\t%ymm8,%ymm5,%ymm5\n\tvpsrld\t$25,%ymm4,%ymm8\n\tvpslld\t$32-25,%ymm4,%ymm4\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvmovdqa\t0+128(%rbp),%ymm8\n\tvpalignr\t$12,%ymm7,%ymm7,%ymm7\n\tvpalignr\t$8,%ymm11,%ymm11,%ymm11\n\tvpalignr\t$4,%ymm15,%ymm15,%ymm15\n\tvpalignr\t$12,%ymm6,%ymm6,%ymm6\n\tvpalignr\t$8,%ymm10,%ymm10,%ymm10\n\tvpalignr\t$4,%ymm14,%ymm14,%ymm14\n\tvpalignr\t$12,%ymm5,%ymm5,%ymm5\n\tvpalignr\t$8,%ymm9,%ymm9,%ymm9\n\tvpalignr\t$4,%ymm13,%ymm13,%ymm13\n\tvpalignr\t$12,%ymm4,%ymm4,%ymm4\n\tvpalignr\t$8,%ymm8,%ymm8,%ymm8\n\tmovq\t%r13,%r10\n\tmovq\t%r14,%r11\n\tmovq\t%r15,%r12\n\tandq\t$3,%r12\n\tmovq\t%r15,%r13\n\tandq\t$-4,%r13\n\tmovq\t%r9,%r14\n\tshrdq\t$2,%r9,%r15\n\tshrq\t$2,%r9\n\taddq\t%r13,%r15\n\tadcq\t%r14,%r9\n\taddq\t%r15,%r10\n\tadcq\t%r9,%r11\n\tadcq\t$0,%r12\n\tvpalignr\t$4,%ymm12,%ymm12,%ymm12\n\n\tdecq\t%rcx\n\tjne\t.Lseal_avx2_main_loop_rounds\n\tvpaddd\t.Lchacha20_consts(%rip),%ymm3,%ymm3\n\tvpaddd\t0+64(%rbp),%ymm7,%ymm7\n\tvpaddd\t0+96(%rbp),%ymm11,%ymm11\n\tvpaddd\t0+256(%rbp),%ymm15,%ymm15\n\tvpaddd\t.Lchacha20_consts(%rip),%ymm2,%ymm2\n\tvpaddd\t0+64(%rbp),%ymm6,%ymm6\n\tvpaddd\t0+96(%rbp),%ymm10,%ymm10\n\tvpaddd\t0+224(%rbp),%ymm14,%ymm14\n\tvpaddd\t.Lchacha20_consts(%rip),%ymm1,%ymm1\n\tvpaddd\t0+64(%rbp),%ymm5,%ymm5\n\tvpaddd\t0+96(%rbp),%ymm9,%ymm9\n\tvpaddd\t0+192(%rbp),%ymm13,%ymm13\n\tvpaddd\t.Lchacha20_consts(%rip),%ymm0,%ymm0\n\tvpaddd\t0+64(%rbp),%ymm4,%ymm4\n\tvpaddd\t0+96(%rbp),%ymm8,%ymm8\n\tvpaddd\t0+160(%rbp),%ymm12,%ymm12\n\n\tvmovdqa\t%ymm0,0+128(%rbp)\n\taddq\t0+0(%rdi),%r10\n\tadcq\t8+0(%rdi),%r11\n\tadcq\t$1,%r12\n\tmovq\t0+0+0(%rbp),%rdx\n\tmovq\t%rdx,%r15\n\tmulxq\t%r10,%r13,%r14\n\tmulxq\t%r11,%rax,%rdx\n\timulq\t%r12,%r15\n\taddq\t%rax,%r14\n\tadcq\t%rdx,%r15\n\tmovq\t8+0+0(%rbp),%rdx\n\tmulxq\t%r10,%r10,%rax\n\taddq\t%r10,%r14\n\tmulxq\t%r11,%r11,%r9\n\tadcq\t%r11,%r15\n\tadcq\t$0,%r9\n\timulq\t%r12,%rdx\n\taddq\t%rax,%r15\n\tadcq\t%rdx,%r9\n\tmovq\t%r13,%r10\n\tmovq\t%r14,%r11\n\tmovq\t%r15,%r12\n\tandq\t$3,%r12\n\tmovq\t%r15,%r13\n\tandq\t$-4,%r13\n\tmovq\t%r9,%r14\n\tshrdq\t$2,%r9,%r15\n\tshrq\t$2,%r9\n\taddq\t%r13,%r15\n\tadcq\t%r14,%r9\n\taddq\t%r15,%r10\n\tadcq\t%r9,%r11\n\tadcq\t$0,%r12\n\taddq\t0+16(%rdi),%r10\n\tadcq\t8+16(%rdi),%r11\n\tadcq\t$1,%r12\n\tmovq\t0+0+0(%rbp),%rdx\n\tmovq\t%rdx,%r15\n\tmulxq\t%r10,%r13,%r14\n\tmulxq\t%r11,%rax,%rdx\n\timulq\t%r12,%r15\n\taddq\t%rax,%r14\n\tadcq\t%rdx,%r15\n\tmovq\t8+0+0(%rbp),%rdx\n\tmulxq\t%r10,%r10,%rax\n\taddq\t%r10,%r14\n\tmulxq\t%r11,%r11,%r9\n\tadcq\t%r11,%r15\n\tadcq\t$0,%r9\n\timulq\t%r12,%rdx\n\taddq\t%rax,%r15\n\tadcq\t%rdx,%r9\n\tmovq\t%r13,%r10\n\tmovq\t%r14,%r11\n\tmovq\t%r15,%r12\n\tandq\t$3,%r12\n\tmovq\t%r15,%r13\n\tandq\t$-4,%r13\n\tmovq\t%r9,%r14\n\tshrdq\t$2,%r9,%r15\n\tshrq\t$2,%r9\n\taddq\t%r13,%r15\n\tadcq\t%r14,%r9\n\taddq\t%r15,%r10\n\tadcq\t%r9,%r11\n\tadcq\t$0,%r12\n\n\tleaq\t32(%rdi),%rdi\n\tvperm2i128\t$0x02,%ymm3,%ymm7,%ymm0\n\tvperm2i128\t$0x13,%ymm3,%ymm7,%ymm7\n\tvperm2i128\t$0x02,%ymm11,%ymm15,%ymm3\n\tvperm2i128\t$0x13,%ymm11,%ymm15,%ymm11\n\tvpxor\t0+0(%rsi),%ymm0,%ymm0\n\tvpxor\t32+0(%rsi),%ymm3,%ymm3\n\tvpxor\t64+0(%rsi),%ymm7,%ymm7\n\tvpxor\t96+0(%rsi),%ymm11,%ymm11\n\tvmovdqu\t%ymm0,0+0(%rdi)\n\tvmovdqu\t%ymm3,32+0(%rdi)\n\tvmovdqu\t%ymm7,64+0(%rdi)\n\tvmovdqu\t%ymm11,96+0(%rdi)\n\n\tvmovdqa\t0+128(%rbp),%ymm0\n\tvperm2i128\t$0x02,%ymm2,%ymm6,%ymm3\n\tvperm2i128\t$0x13,%ymm2,%ymm6,%ymm6\n\tvperm2i128\t$0x02,%ymm10,%ymm14,%ymm2\n\tvperm2i128\t$0x13,%ymm10,%ymm14,%ymm10\n\tvpxor\t0+128(%rsi),%ymm3,%ymm3\n\tvpxor\t32+128(%rsi),%ymm2,%ymm2\n\tvpxor\t64+128(%rsi),%ymm6,%ymm6\n\tvpxor\t96+128(%rsi),%ymm10,%ymm10\n\tvmovdqu\t%ymm3,0+128(%rdi)\n\tvmovdqu\t%ymm2,32+128(%rdi)\n\tvmovdqu\t%ymm6,64+128(%rdi)\n\tvmovdqu\t%ymm10,96+128(%rdi)\n\tvperm2i128\t$0x02,%ymm1,%ymm5,%ymm3\n\tvperm2i128\t$0x13,%ymm1,%ymm5,%ymm5\n\tvperm2i128\t$0x02,%ymm9,%ymm13,%ymm1\n\tvperm2i128\t$0x13,%ymm9,%ymm13,%ymm9\n\tvpxor\t0+256(%rsi),%ymm3,%ymm3\n\tvpxor\t32+256(%rsi),%ymm1,%ymm1\n\tvpxor\t64+256(%rsi),%ymm5,%ymm5\n\tvpxor\t96+256(%rsi),%ymm9,%ymm9\n\tvmovdqu\t%ymm3,0+256(%rdi)\n\tvmovdqu\t%ymm1,32+256(%rdi)\n\tvmovdqu\t%ymm5,64+256(%rdi)\n\tvmovdqu\t%ymm9,96+256(%rdi)\n\tvperm2i128\t$0x02,%ymm0,%ymm4,%ymm3\n\tvperm2i128\t$0x13,%ymm0,%ymm4,%ymm4\n\tvperm2i128\t$0x02,%ymm8,%ymm12,%ymm0\n\tvperm2i128\t$0x13,%ymm8,%ymm12,%ymm8\n\tvpxor\t0+384(%rsi),%ymm3,%ymm3\n\tvpxor\t32+384(%rsi),%ymm0,%ymm0\n\tvpxor\t64+384(%rsi),%ymm4,%ymm4\n\tvpxor\t96+384(%rsi),%ymm8,%ymm8\n\tvmovdqu\t%ymm3,0+384(%rdi)\n\tvmovdqu\t%ymm0,32+384(%rdi)\n\tvmovdqu\t%ymm4,64+384(%rdi)\n\tvmovdqu\t%ymm8,96+384(%rdi)\n\n\tleaq\t512(%rsi),%rsi\n\tsubq\t$512,%rbx\n\tcmpq\t$512,%rbx\n\tjg\t.Lseal_avx2_main_loop\n\n\taddq\t0+0(%rdi),%r10\n\tadcq\t8+0(%rdi),%r11\n\tadcq\t$1,%r12\n\tmovq\t0+0+0(%rbp),%rdx\n\tmovq\t%rdx,%r15\n\tmulxq\t%r10,%r13,%r14\n\tmulxq\t%r11,%rax,%rdx\n\timulq\t%r12,%r15\n\taddq\t%rax,%r14\n\tadcq\t%rdx,%r15\n\tmovq\t8+0+0(%rbp),%rdx\n\tmulxq\t%r10,%r10,%rax\n\taddq\t%r10,%r14\n\tmulxq\t%r11,%r11,%r9\n\tadcq\t%r11,%r15\n\tadcq\t$0,%r9\n\timulq\t%r12,%rdx\n\taddq\t%rax,%r15\n\tadcq\t%rdx,%r9\n\tmovq\t%r13,%r10\n\tmovq\t%r14,%r11\n\tmovq\t%r15,%r12\n\tandq\t$3,%r12\n\tmovq\t%r15,%r13\n\tandq\t$-4,%r13\n\tmovq\t%r9,%r14\n\tshrdq\t$2,%r9,%r15\n\tshrq\t$2,%r9\n\taddq\t%r13,%r15\n\tadcq\t%r14,%r9\n\taddq\t%r15,%r10\n\tadcq\t%r9,%r11\n\tadcq\t$0,%r12\n\taddq\t0+16(%rdi),%r10\n\tadcq\t8+16(%rdi),%r11\n\tadcq\t$1,%r12\n\tmovq\t0+0+0(%rbp),%rdx\n\tmovq\t%rdx,%r15\n\tmulxq\t%r10,%r13,%r14\n\tmulxq\t%r11,%rax,%rdx\n\timulq\t%r12,%r15\n\taddq\t%rax,%r14\n\tadcq\t%rdx,%r15\n\tmovq\t8+0+0(%rbp),%rdx\n\tmulxq\t%r10,%r10,%rax\n\taddq\t%r10,%r14\n\tmulxq\t%r11,%r11,%r9\n\tadcq\t%r11,%r15\n\tadcq\t$0,%r9\n\timulq\t%r12,%rdx\n\taddq\t%rax,%r15\n\tadcq\t%rdx,%r9\n\tmovq\t%r13,%r10\n\tmovq\t%r14,%r11\n\tmovq\t%r15,%r12\n\tandq\t$3,%r12\n\tmovq\t%r15,%r13\n\tandq\t$-4,%r13\n\tmovq\t%r9,%r14\n\tshrdq\t$2,%r9,%r15\n\tshrq\t$2,%r9\n\taddq\t%r13,%r15\n\tadcq\t%r14,%r9\n\taddq\t%r15,%r10\n\tadcq\t%r9,%r11\n\tadcq\t$0,%r12\n\n\tleaq\t32(%rdi),%rdi\n\tmovq\t$10,%rcx\n\txorq\t%r8,%r8\n\n\tcmpq\t$384,%rbx\n\tja\t.Lseal_avx2_tail_512\n\tcmpq\t$256,%rbx\n\tja\t.Lseal_avx2_tail_384\n\tcmpq\t$128,%rbx\n\tja\t.Lseal_avx2_tail_256\n\n.Lseal_avx2_tail_128:\n\tvmovdqa\t.Lchacha20_consts(%rip),%ymm0\n\tvmovdqa\t0+64(%rbp),%ymm4\n\tvmovdqa\t0+96(%rbp),%ymm8\n\tvmovdqa\t.Lavx2_inc(%rip),%ymm12\n\tvpaddd\t0+160(%rbp),%ymm12,%ymm12\n\tvmovdqa\t%ymm12,0+160(%rbp)\n\n.Lseal_avx2_tail_128_rounds_and_3xhash:\n\taddq\t0+0(%rdi),%r10\n\tadcq\t8+0(%rdi),%r11\n\tadcq\t$1,%r12\n\tmovq\t0+0+0(%rbp),%rdx\n\tmovq\t%rdx,%r15\n\tmulxq\t%r10,%r13,%r14\n\tmulxq\t%r11,%rax,%rdx\n\timulq\t%r12,%r15\n\taddq\t%rax,%r14\n\tadcq\t%rdx,%r15\n\tmovq\t8+0+0(%rbp),%rdx\n\tmulxq\t%r10,%r10,%rax\n\taddq\t%r10,%r14\n\tmulxq\t%r11,%r11,%r9\n\tadcq\t%r11,%r15\n\tadcq\t$0,%r9\n\timulq\t%r12,%rdx\n\taddq\t%rax,%r15\n\tadcq\t%rdx,%r9\n\tmovq\t%r13,%r10\n\tmovq\t%r14,%r11\n\tmovq\t%r15,%r12\n\tandq\t$3,%r12\n\tmovq\t%r15,%r13\n\tandq\t$-4,%r13\n\tmovq\t%r9,%r14\n\tshrdq\t$2,%r9,%r15\n\tshrq\t$2,%r9\n\taddq\t%r13,%r15\n\tadcq\t%r14,%r9\n\taddq\t%r15,%r10\n\tadcq\t%r9,%r11\n\tadcq\t$0,%r12\n\n\tleaq\t16(%rdi),%rdi\n.Lseal_avx2_tail_128_rounds_and_2xhash:\n\tvpaddd\t%ymm4,%ymm0,%ymm0\n\tvpxor\t%ymm0,%ymm12,%ymm12\n\tvpshufb\t.Lrol16(%rip),%ymm12,%ymm12\n\tvpaddd\t%ymm12,%ymm8,%ymm8\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvpsrld\t$20,%ymm4,%ymm3\n\tvpslld\t$12,%ymm4,%ymm4\n\tvpxor\t%ymm3,%ymm4,%ymm4\n\tvpaddd\t%ymm4,%ymm0,%ymm0\n\tvpxor\t%ymm0,%ymm12,%ymm12\n\tvpshufb\t.Lrol8(%rip),%ymm12,%ymm12\n\tvpaddd\t%ymm12,%ymm8,%ymm8\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvpslld\t$7,%ymm4,%ymm3\n\tvpsrld\t$25,%ymm4,%ymm4\n\tvpxor\t%ymm3,%ymm4,%ymm4\n\tvpalignr\t$12,%ymm12,%ymm12,%ymm12\n\tvpalignr\t$8,%ymm8,%ymm8,%ymm8\n\tvpalignr\t$4,%ymm4,%ymm4,%ymm4\n\taddq\t0+0(%rdi),%r10\n\tadcq\t8+0(%rdi),%r11\n\tadcq\t$1,%r12\n\tmovq\t0+0+0(%rbp),%rdx\n\tmovq\t%rdx,%r15\n\tmulxq\t%r10,%r13,%r14\n\tmulxq\t%r11,%rax,%rdx\n\timulq\t%r12,%r15\n\taddq\t%rax,%r14\n\tadcq\t%rdx,%r15\n\tmovq\t8+0+0(%rbp),%rdx\n\tmulxq\t%r10,%r10,%rax\n\taddq\t%r10,%r14\n\tmulxq\t%r11,%r11,%r9\n\tadcq\t%r11,%r15\n\tadcq\t$0,%r9\n\timulq\t%r12,%rdx\n\taddq\t%rax,%r15\n\tadcq\t%rdx,%r9\n\tmovq\t%r13,%r10\n\tmovq\t%r14,%r11\n\tmovq\t%r15,%r12\n\tandq\t$3,%r12\n\tmovq\t%r15,%r13\n\tandq\t$-4,%r13\n\tmovq\t%r9,%r14\n\tshrdq\t$2,%r9,%r15\n\tshrq\t$2,%r9\n\taddq\t%r13,%r15\n\tadcq\t%r14,%r9\n\taddq\t%r15,%r10\n\tadcq\t%r9,%r11\n\tadcq\t$0,%r12\n\tvpaddd\t%ymm4,%ymm0,%ymm0\n\tvpxor\t%ymm0,%ymm12,%ymm12\n\tvpshufb\t.Lrol16(%rip),%ymm12,%ymm12\n\tvpaddd\t%ymm12,%ymm8,%ymm8\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvpsrld\t$20,%ymm4,%ymm3\n\tvpslld\t$12,%ymm4,%ymm4\n\tvpxor\t%ymm3,%ymm4,%ymm4\n\tvpaddd\t%ymm4,%ymm0,%ymm0\n\tvpxor\t%ymm0,%ymm12,%ymm12\n\tvpshufb\t.Lrol8(%rip),%ymm12,%ymm12\n\tvpaddd\t%ymm12,%ymm8,%ymm8\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvpslld\t$7,%ymm4,%ymm3\n\tvpsrld\t$25,%ymm4,%ymm4\n\tvpxor\t%ymm3,%ymm4,%ymm4\n\tvpalignr\t$4,%ymm12,%ymm12,%ymm12\n\tvpalignr\t$8,%ymm8,%ymm8,%ymm8\n\tvpalignr\t$12,%ymm4,%ymm4,%ymm4\n\taddq\t0+16(%rdi),%r10\n\tadcq\t8+16(%rdi),%r11\n\tadcq\t$1,%r12\n\tmovq\t0+0+0(%rbp),%rdx\n\tmovq\t%rdx,%r15\n\tmulxq\t%r10,%r13,%r14\n\tmulxq\t%r11,%rax,%rdx\n\timulq\t%r12,%r15\n\taddq\t%rax,%r14\n\tadcq\t%rdx,%r15\n\tmovq\t8+0+0(%rbp),%rdx\n\tmulxq\t%r10,%r10,%rax\n\taddq\t%r10,%r14\n\tmulxq\t%r11,%r11,%r9\n\tadcq\t%r11,%r15\n\tadcq\t$0,%r9\n\timulq\t%r12,%rdx\n\taddq\t%rax,%r15\n\tadcq\t%rdx,%r9\n\tmovq\t%r13,%r10\n\tmovq\t%r14,%r11\n\tmovq\t%r15,%r12\n\tandq\t$3,%r12\n\tmovq\t%r15,%r13\n\tandq\t$-4,%r13\n\tmovq\t%r9,%r14\n\tshrdq\t$2,%r9,%r15\n\tshrq\t$2,%r9\n\taddq\t%r13,%r15\n\tadcq\t%r14,%r9\n\taddq\t%r15,%r10\n\tadcq\t%r9,%r11\n\tadcq\t$0,%r12\n\n\tleaq\t32(%rdi),%rdi\n\tdecq\t%rcx\n\tjg\t.Lseal_avx2_tail_128_rounds_and_3xhash\n\tdecq\t%r8\n\tjge\t.Lseal_avx2_tail_128_rounds_and_2xhash\n\tvpaddd\t.Lchacha20_consts(%rip),%ymm0,%ymm0\n\tvpaddd\t0+64(%rbp),%ymm4,%ymm4\n\tvpaddd\t0+96(%rbp),%ymm8,%ymm8\n\tvpaddd\t0+160(%rbp),%ymm12,%ymm12\n\tvperm2i128\t$0x13,%ymm0,%ymm4,%ymm3\n\tvperm2i128\t$0x02,%ymm0,%ymm4,%ymm0\n\tvperm2i128\t$0x02,%ymm8,%ymm12,%ymm4\n\tvperm2i128\t$0x13,%ymm8,%ymm12,%ymm12\n\tvmovdqa\t%ymm3,%ymm8\n\n\tjmp\t.Lseal_avx2_short_loop\n\n.Lseal_avx2_tail_256:\n\tvmovdqa\t.Lchacha20_consts(%rip),%ymm0\n\tvmovdqa\t0+64(%rbp),%ymm4\n\tvmovdqa\t0+96(%rbp),%ymm8\n\tvmovdqa\t%ymm0,%ymm1\n\tvmovdqa\t%ymm4,%ymm5\n\tvmovdqa\t%ymm8,%ymm9\n\tvmovdqa\t.Lavx2_inc(%rip),%ymm12\n\tvpaddd\t0+160(%rbp),%ymm12,%ymm13\n\tvpaddd\t%ymm13,%ymm12,%ymm12\n\tvmovdqa\t%ymm12,0+160(%rbp)\n\tvmovdqa\t%ymm13,0+192(%rbp)\n\n.Lseal_avx2_tail_256_rounds_and_3xhash:\n\taddq\t0+0(%rdi),%r10\n\tadcq\t8+0(%rdi),%r11\n\tadcq\t$1,%r12\n\tmovq\t0+0+0(%rbp),%rax\n\tmovq\t%rax,%r15\n\tmulq\t%r10\n\tmovq\t%rax,%r13\n\tmovq\t%rdx,%r14\n\tmovq\t0+0+0(%rbp),%rax\n\tmulq\t%r11\n\timulq\t%r12,%r15\n\taddq\t%rax,%r14\n\tadcq\t%rdx,%r15\n\tmovq\t8+0+0(%rbp),%rax\n\tmovq\t%rax,%r9\n\tmulq\t%r10\n\taddq\t%rax,%r14\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r10\n\tmovq\t8+0+0(%rbp),%rax\n\tmulq\t%r11\n\taddq\t%rax,%r15\n\tadcq\t$0,%rdx\n\timulq\t%r12,%r9\n\taddq\t%r10,%r15\n\tadcq\t%rdx,%r9\n\tmovq\t%r13,%r10\n\tmovq\t%r14,%r11\n\tmovq\t%r15,%r12\n\tandq\t$3,%r12\n\tmovq\t%r15,%r13\n\tandq\t$-4,%r13\n\tmovq\t%r9,%r14\n\tshrdq\t$2,%r9,%r15\n\tshrq\t$2,%r9\n\taddq\t%r13,%r15\n\tadcq\t%r14,%r9\n\taddq\t%r15,%r10\n\tadcq\t%r9,%r11\n\tadcq\t$0,%r12\n\n\tleaq\t16(%rdi),%rdi\n.Lseal_avx2_tail_256_rounds_and_2xhash:\n\tvpaddd\t%ymm4,%ymm0,%ymm0\n\tvpxor\t%ymm0,%ymm12,%ymm12\n\tvpshufb\t.Lrol16(%rip),%ymm12,%ymm12\n\tvpaddd\t%ymm12,%ymm8,%ymm8\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvpsrld\t$20,%ymm4,%ymm3\n\tvpslld\t$12,%ymm4,%ymm4\n\tvpxor\t%ymm3,%ymm4,%ymm4\n\tvpaddd\t%ymm4,%ymm0,%ymm0\n\tvpxor\t%ymm0,%ymm12,%ymm12\n\tvpshufb\t.Lrol8(%rip),%ymm12,%ymm12\n\tvpaddd\t%ymm12,%ymm8,%ymm8\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvpslld\t$7,%ymm4,%ymm3\n\tvpsrld\t$25,%ymm4,%ymm4\n\tvpxor\t%ymm3,%ymm4,%ymm4\n\tvpalignr\t$12,%ymm12,%ymm12,%ymm12\n\tvpalignr\t$8,%ymm8,%ymm8,%ymm8\n\tvpalignr\t$4,%ymm4,%ymm4,%ymm4\n\tvpaddd\t%ymm5,%ymm1,%ymm1\n\tvpxor\t%ymm1,%ymm13,%ymm13\n\tvpshufb\t.Lrol16(%rip),%ymm13,%ymm13\n\tvpaddd\t%ymm13,%ymm9,%ymm9\n\tvpxor\t%ymm9,%ymm5,%ymm5\n\tvpsrld\t$20,%ymm5,%ymm3\n\tvpslld\t$12,%ymm5,%ymm5\n\tvpxor\t%ymm3,%ymm5,%ymm5\n\tvpaddd\t%ymm5,%ymm1,%ymm1\n\tvpxor\t%ymm1,%ymm13,%ymm13\n\tvpshufb\t.Lrol8(%rip),%ymm13,%ymm13\n\tvpaddd\t%ymm13,%ymm9,%ymm9\n\tvpxor\t%ymm9,%ymm5,%ymm5\n\tvpslld\t$7,%ymm5,%ymm3\n\tvpsrld\t$25,%ymm5,%ymm5\n\tvpxor\t%ymm3,%ymm5,%ymm5\n\tvpalignr\t$12,%ymm13,%ymm13,%ymm13\n\tvpalignr\t$8,%ymm9,%ymm9,%ymm9\n\tvpalignr\t$4,%ymm5,%ymm5,%ymm5\n\taddq\t0+0(%rdi),%r10\n\tadcq\t8+0(%rdi),%r11\n\tadcq\t$1,%r12\n\tmovq\t0+0+0(%rbp),%rax\n\tmovq\t%rax,%r15\n\tmulq\t%r10\n\tmovq\t%rax,%r13\n\tmovq\t%rdx,%r14\n\tmovq\t0+0+0(%rbp),%rax\n\tmulq\t%r11\n\timulq\t%r12,%r15\n\taddq\t%rax,%r14\n\tadcq\t%rdx,%r15\n\tmovq\t8+0+0(%rbp),%rax\n\tmovq\t%rax,%r9\n\tmulq\t%r10\n\taddq\t%rax,%r14\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r10\n\tmovq\t8+0+0(%rbp),%rax\n\tmulq\t%r11\n\taddq\t%rax,%r15\n\tadcq\t$0,%rdx\n\timulq\t%r12,%r9\n\taddq\t%r10,%r15\n\tadcq\t%rdx,%r9\n\tmovq\t%r13,%r10\n\tmovq\t%r14,%r11\n\tmovq\t%r15,%r12\n\tandq\t$3,%r12\n\tmovq\t%r15,%r13\n\tandq\t$-4,%r13\n\tmovq\t%r9,%r14\n\tshrdq\t$2,%r9,%r15\n\tshrq\t$2,%r9\n\taddq\t%r13,%r15\n\tadcq\t%r14,%r9\n\taddq\t%r15,%r10\n\tadcq\t%r9,%r11\n\tadcq\t$0,%r12\n\tvpaddd\t%ymm4,%ymm0,%ymm0\n\tvpxor\t%ymm0,%ymm12,%ymm12\n\tvpshufb\t.Lrol16(%rip),%ymm12,%ymm12\n\tvpaddd\t%ymm12,%ymm8,%ymm8\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvpsrld\t$20,%ymm4,%ymm3\n\tvpslld\t$12,%ymm4,%ymm4\n\tvpxor\t%ymm3,%ymm4,%ymm4\n\tvpaddd\t%ymm4,%ymm0,%ymm0\n\tvpxor\t%ymm0,%ymm12,%ymm12\n\tvpshufb\t.Lrol8(%rip),%ymm12,%ymm12\n\tvpaddd\t%ymm12,%ymm8,%ymm8\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvpslld\t$7,%ymm4,%ymm3\n\tvpsrld\t$25,%ymm4,%ymm4\n\tvpxor\t%ymm3,%ymm4,%ymm4\n\tvpalignr\t$4,%ymm12,%ymm12,%ymm12\n\tvpalignr\t$8,%ymm8,%ymm8,%ymm8\n\tvpalignr\t$12,%ymm4,%ymm4,%ymm4\n\tvpaddd\t%ymm5,%ymm1,%ymm1\n\tvpxor\t%ymm1,%ymm13,%ymm13\n\tvpshufb\t.Lrol16(%rip),%ymm13,%ymm13\n\tvpaddd\t%ymm13,%ymm9,%ymm9\n\tvpxor\t%ymm9,%ymm5,%ymm5\n\tvpsrld\t$20,%ymm5,%ymm3\n\tvpslld\t$12,%ymm5,%ymm5\n\tvpxor\t%ymm3,%ymm5,%ymm5\n\tvpaddd\t%ymm5,%ymm1,%ymm1\n\tvpxor\t%ymm1,%ymm13,%ymm13\n\tvpshufb\t.Lrol8(%rip),%ymm13,%ymm13\n\tvpaddd\t%ymm13,%ymm9,%ymm9\n\tvpxor\t%ymm9,%ymm5,%ymm5\n\tvpslld\t$7,%ymm5,%ymm3\n\tvpsrld\t$25,%ymm5,%ymm5\n\tvpxor\t%ymm3,%ymm5,%ymm5\n\tvpalignr\t$4,%ymm13,%ymm13,%ymm13\n\tvpalignr\t$8,%ymm9,%ymm9,%ymm9\n\tvpalignr\t$12,%ymm5,%ymm5,%ymm5\n\taddq\t0+16(%rdi),%r10\n\tadcq\t8+16(%rdi),%r11\n\tadcq\t$1,%r12\n\tmovq\t0+0+0(%rbp),%rax\n\tmovq\t%rax,%r15\n\tmulq\t%r10\n\tmovq\t%rax,%r13\n\tmovq\t%rdx,%r14\n\tmovq\t0+0+0(%rbp),%rax\n\tmulq\t%r11\n\timulq\t%r12,%r15\n\taddq\t%rax,%r14\n\tadcq\t%rdx,%r15\n\tmovq\t8+0+0(%rbp),%rax\n\tmovq\t%rax,%r9\n\tmulq\t%r10\n\taddq\t%rax,%r14\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r10\n\tmovq\t8+0+0(%rbp),%rax\n\tmulq\t%r11\n\taddq\t%rax,%r15\n\tadcq\t$0,%rdx\n\timulq\t%r12,%r9\n\taddq\t%r10,%r15\n\tadcq\t%rdx,%r9\n\tmovq\t%r13,%r10\n\tmovq\t%r14,%r11\n\tmovq\t%r15,%r12\n\tandq\t$3,%r12\n\tmovq\t%r15,%r13\n\tandq\t$-4,%r13\n\tmovq\t%r9,%r14\n\tshrdq\t$2,%r9,%r15\n\tshrq\t$2,%r9\n\taddq\t%r13,%r15\n\tadcq\t%r14,%r9\n\taddq\t%r15,%r10\n\tadcq\t%r9,%r11\n\tadcq\t$0,%r12\n\n\tleaq\t32(%rdi),%rdi\n\tdecq\t%rcx\n\tjg\t.Lseal_avx2_tail_256_rounds_and_3xhash\n\tdecq\t%r8\n\tjge\t.Lseal_avx2_tail_256_rounds_and_2xhash\n\tvpaddd\t.Lchacha20_consts(%rip),%ymm1,%ymm1\n\tvpaddd\t0+64(%rbp),%ymm5,%ymm5\n\tvpaddd\t0+96(%rbp),%ymm9,%ymm9\n\tvpaddd\t0+192(%rbp),%ymm13,%ymm13\n\tvpaddd\t.Lchacha20_consts(%rip),%ymm0,%ymm0\n\tvpaddd\t0+64(%rbp),%ymm4,%ymm4\n\tvpaddd\t0+96(%rbp),%ymm8,%ymm8\n\tvpaddd\t0+160(%rbp),%ymm12,%ymm12\n\tvperm2i128\t$0x02,%ymm1,%ymm5,%ymm3\n\tvperm2i128\t$0x13,%ymm1,%ymm5,%ymm5\n\tvperm2i128\t$0x02,%ymm9,%ymm13,%ymm1\n\tvperm2i128\t$0x13,%ymm9,%ymm13,%ymm9\n\tvpxor\t0+0(%rsi),%ymm3,%ymm3\n\tvpxor\t32+0(%rsi),%ymm1,%ymm1\n\tvpxor\t64+0(%rsi),%ymm5,%ymm5\n\tvpxor\t96+0(%rsi),%ymm9,%ymm9\n\tvmovdqu\t%ymm3,0+0(%rdi)\n\tvmovdqu\t%ymm1,32+0(%rdi)\n\tvmovdqu\t%ymm5,64+0(%rdi)\n\tvmovdqu\t%ymm9,96+0(%rdi)\n\tvperm2i128\t$0x13,%ymm0,%ymm4,%ymm3\n\tvperm2i128\t$0x02,%ymm0,%ymm4,%ymm0\n\tvperm2i128\t$0x02,%ymm8,%ymm12,%ymm4\n\tvperm2i128\t$0x13,%ymm8,%ymm12,%ymm12\n\tvmovdqa\t%ymm3,%ymm8\n\n\tmovq\t$128,%rcx\n\tleaq\t128(%rsi),%rsi\n\tsubq\t$128,%rbx\n\tjmp\t.Lseal_avx2_short_hash_remainder\n\n.Lseal_avx2_tail_384:\n\tvmovdqa\t.Lchacha20_consts(%rip),%ymm0\n\tvmovdqa\t0+64(%rbp),%ymm4\n\tvmovdqa\t0+96(%rbp),%ymm8\n\tvmovdqa\t%ymm0,%ymm1\n\tvmovdqa\t%ymm4,%ymm5\n\tvmovdqa\t%ymm8,%ymm9\n\tvmovdqa\t%ymm0,%ymm2\n\tvmovdqa\t%ymm4,%ymm6\n\tvmovdqa\t%ymm8,%ymm10\n\tvmovdqa\t.Lavx2_inc(%rip),%ymm12\n\tvpaddd\t0+160(%rbp),%ymm12,%ymm14\n\tvpaddd\t%ymm14,%ymm12,%ymm13\n\tvpaddd\t%ymm13,%ymm12,%ymm12\n\tvmovdqa\t%ymm12,0+160(%rbp)\n\tvmovdqa\t%ymm13,0+192(%rbp)\n\tvmovdqa\t%ymm14,0+224(%rbp)\n\n.Lseal_avx2_tail_384_rounds_and_3xhash:\n\taddq\t0+0(%rdi),%r10\n\tadcq\t8+0(%rdi),%r11\n\tadcq\t$1,%r12\n\tmovq\t0+0+0(%rbp),%rax\n\tmovq\t%rax,%r15\n\tmulq\t%r10\n\tmovq\t%rax,%r13\n\tmovq\t%rdx,%r14\n\tmovq\t0+0+0(%rbp),%rax\n\tmulq\t%r11\n\timulq\t%r12,%r15\n\taddq\t%rax,%r14\n\tadcq\t%rdx,%r15\n\tmovq\t8+0+0(%rbp),%rax\n\tmovq\t%rax,%r9\n\tmulq\t%r10\n\taddq\t%rax,%r14\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r10\n\tmovq\t8+0+0(%rbp),%rax\n\tmulq\t%r11\n\taddq\t%rax,%r15\n\tadcq\t$0,%rdx\n\timulq\t%r12,%r9\n\taddq\t%r10,%r15\n\tadcq\t%rdx,%r9\n\tmovq\t%r13,%r10\n\tmovq\t%r14,%r11\n\tmovq\t%r15,%r12\n\tandq\t$3,%r12\n\tmovq\t%r15,%r13\n\tandq\t$-4,%r13\n\tmovq\t%r9,%r14\n\tshrdq\t$2,%r9,%r15\n\tshrq\t$2,%r9\n\taddq\t%r13,%r15\n\tadcq\t%r14,%r9\n\taddq\t%r15,%r10\n\tadcq\t%r9,%r11\n\tadcq\t$0,%r12\n\n\tleaq\t16(%rdi),%rdi\n.Lseal_avx2_tail_384_rounds_and_2xhash:\n\tvpaddd\t%ymm4,%ymm0,%ymm0\n\tvpxor\t%ymm0,%ymm12,%ymm12\n\tvpshufb\t.Lrol16(%rip),%ymm12,%ymm12\n\tvpaddd\t%ymm12,%ymm8,%ymm8\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvpsrld\t$20,%ymm4,%ymm3\n\tvpslld\t$12,%ymm4,%ymm4\n\tvpxor\t%ymm3,%ymm4,%ymm4\n\tvpaddd\t%ymm4,%ymm0,%ymm0\n\tvpxor\t%ymm0,%ymm12,%ymm12\n\tvpshufb\t.Lrol8(%rip),%ymm12,%ymm12\n\tvpaddd\t%ymm12,%ymm8,%ymm8\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvpslld\t$7,%ymm4,%ymm3\n\tvpsrld\t$25,%ymm4,%ymm4\n\tvpxor\t%ymm3,%ymm4,%ymm4\n\tvpalignr\t$12,%ymm12,%ymm12,%ymm12\n\tvpalignr\t$8,%ymm8,%ymm8,%ymm8\n\tvpalignr\t$4,%ymm4,%ymm4,%ymm4\n\tvpaddd\t%ymm5,%ymm1,%ymm1\n\tvpxor\t%ymm1,%ymm13,%ymm13\n\tvpshufb\t.Lrol16(%rip),%ymm13,%ymm13\n\tvpaddd\t%ymm13,%ymm9,%ymm9\n\tvpxor\t%ymm9,%ymm5,%ymm5\n\tvpsrld\t$20,%ymm5,%ymm3\n\tvpslld\t$12,%ymm5,%ymm5\n\tvpxor\t%ymm3,%ymm5,%ymm5\n\tvpaddd\t%ymm5,%ymm1,%ymm1\n\tvpxor\t%ymm1,%ymm13,%ymm13\n\tvpshufb\t.Lrol8(%rip),%ymm13,%ymm13\n\tvpaddd\t%ymm13,%ymm9,%ymm9\n\tvpxor\t%ymm9,%ymm5,%ymm5\n\tvpslld\t$7,%ymm5,%ymm3\n\tvpsrld\t$25,%ymm5,%ymm5\n\tvpxor\t%ymm3,%ymm5,%ymm5\n\tvpalignr\t$12,%ymm13,%ymm13,%ymm13\n\tvpalignr\t$8,%ymm9,%ymm9,%ymm9\n\tvpalignr\t$4,%ymm5,%ymm5,%ymm5\n\taddq\t0+0(%rdi),%r10\n\tadcq\t8+0(%rdi),%r11\n\tadcq\t$1,%r12\n\tmovq\t0+0+0(%rbp),%rax\n\tmovq\t%rax,%r15\n\tmulq\t%r10\n\tmovq\t%rax,%r13\n\tmovq\t%rdx,%r14\n\tmovq\t0+0+0(%rbp),%rax\n\tmulq\t%r11\n\timulq\t%r12,%r15\n\taddq\t%rax,%r14\n\tadcq\t%rdx,%r15\n\tmovq\t8+0+0(%rbp),%rax\n\tmovq\t%rax,%r9\n\tmulq\t%r10\n\taddq\t%rax,%r14\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r10\n\tmovq\t8+0+0(%rbp),%rax\n\tmulq\t%r11\n\taddq\t%rax,%r15\n\tadcq\t$0,%rdx\n\timulq\t%r12,%r9\n\taddq\t%r10,%r15\n\tadcq\t%rdx,%r9\n\tmovq\t%r13,%r10\n\tmovq\t%r14,%r11\n\tmovq\t%r15,%r12\n\tandq\t$3,%r12\n\tmovq\t%r15,%r13\n\tandq\t$-4,%r13\n\tmovq\t%r9,%r14\n\tshrdq\t$2,%r9,%r15\n\tshrq\t$2,%r9\n\taddq\t%r13,%r15\n\tadcq\t%r14,%r9\n\taddq\t%r15,%r10\n\tadcq\t%r9,%r11\n\tadcq\t$0,%r12\n\tvpaddd\t%ymm6,%ymm2,%ymm2\n\tvpxor\t%ymm2,%ymm14,%ymm14\n\tvpshufb\t.Lrol16(%rip),%ymm14,%ymm14\n\tvpaddd\t%ymm14,%ymm10,%ymm10\n\tvpxor\t%ymm10,%ymm6,%ymm6\n\tvpsrld\t$20,%ymm6,%ymm3\n\tvpslld\t$12,%ymm6,%ymm6\n\tvpxor\t%ymm3,%ymm6,%ymm6\n\tvpaddd\t%ymm6,%ymm2,%ymm2\n\tvpxor\t%ymm2,%ymm14,%ymm14\n\tvpshufb\t.Lrol8(%rip),%ymm14,%ymm14\n\tvpaddd\t%ymm14,%ymm10,%ymm10\n\tvpxor\t%ymm10,%ymm6,%ymm6\n\tvpslld\t$7,%ymm6,%ymm3\n\tvpsrld\t$25,%ymm6,%ymm6\n\tvpxor\t%ymm3,%ymm6,%ymm6\n\tvpalignr\t$12,%ymm14,%ymm14,%ymm14\n\tvpalignr\t$8,%ymm10,%ymm10,%ymm10\n\tvpalignr\t$4,%ymm6,%ymm6,%ymm6\n\tvpaddd\t%ymm4,%ymm0,%ymm0\n\tvpxor\t%ymm0,%ymm12,%ymm12\n\tvpshufb\t.Lrol16(%rip),%ymm12,%ymm12\n\tvpaddd\t%ymm12,%ymm8,%ymm8\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvpsrld\t$20,%ymm4,%ymm3\n\tvpslld\t$12,%ymm4,%ymm4\n\tvpxor\t%ymm3,%ymm4,%ymm4\n\tvpaddd\t%ymm4,%ymm0,%ymm0\n\tvpxor\t%ymm0,%ymm12,%ymm12\n\tvpshufb\t.Lrol8(%rip),%ymm12,%ymm12\n\tvpaddd\t%ymm12,%ymm8,%ymm8\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvpslld\t$7,%ymm4,%ymm3\n\tvpsrld\t$25,%ymm4,%ymm4\n\tvpxor\t%ymm3,%ymm4,%ymm4\n\tvpalignr\t$4,%ymm12,%ymm12,%ymm12\n\tvpalignr\t$8,%ymm8,%ymm8,%ymm8\n\tvpalignr\t$12,%ymm4,%ymm4,%ymm4\n\taddq\t0+16(%rdi),%r10\n\tadcq\t8+16(%rdi),%r11\n\tadcq\t$1,%r12\n\tmovq\t0+0+0(%rbp),%rax\n\tmovq\t%rax,%r15\n\tmulq\t%r10\n\tmovq\t%rax,%r13\n\tmovq\t%rdx,%r14\n\tmovq\t0+0+0(%rbp),%rax\n\tmulq\t%r11\n\timulq\t%r12,%r15\n\taddq\t%rax,%r14\n\tadcq\t%rdx,%r15\n\tmovq\t8+0+0(%rbp),%rax\n\tmovq\t%rax,%r9\n\tmulq\t%r10\n\taddq\t%rax,%r14\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r10\n\tmovq\t8+0+0(%rbp),%rax\n\tmulq\t%r11\n\taddq\t%rax,%r15\n\tadcq\t$0,%rdx\n\timulq\t%r12,%r9\n\taddq\t%r10,%r15\n\tadcq\t%rdx,%r9\n\tmovq\t%r13,%r10\n\tmovq\t%r14,%r11\n\tmovq\t%r15,%r12\n\tandq\t$3,%r12\n\tmovq\t%r15,%r13\n\tandq\t$-4,%r13\n\tmovq\t%r9,%r14\n\tshrdq\t$2,%r9,%r15\n\tshrq\t$2,%r9\n\taddq\t%r13,%r15\n\tadcq\t%r14,%r9\n\taddq\t%r15,%r10\n\tadcq\t%r9,%r11\n\tadcq\t$0,%r12\n\tvpaddd\t%ymm5,%ymm1,%ymm1\n\tvpxor\t%ymm1,%ymm13,%ymm13\n\tvpshufb\t.Lrol16(%rip),%ymm13,%ymm13\n\tvpaddd\t%ymm13,%ymm9,%ymm9\n\tvpxor\t%ymm9,%ymm5,%ymm5\n\tvpsrld\t$20,%ymm5,%ymm3\n\tvpslld\t$12,%ymm5,%ymm5\n\tvpxor\t%ymm3,%ymm5,%ymm5\n\tvpaddd\t%ymm5,%ymm1,%ymm1\n\tvpxor\t%ymm1,%ymm13,%ymm13\n\tvpshufb\t.Lrol8(%rip),%ymm13,%ymm13\n\tvpaddd\t%ymm13,%ymm9,%ymm9\n\tvpxor\t%ymm9,%ymm5,%ymm5\n\tvpslld\t$7,%ymm5,%ymm3\n\tvpsrld\t$25,%ymm5,%ymm5\n\tvpxor\t%ymm3,%ymm5,%ymm5\n\tvpalignr\t$4,%ymm13,%ymm13,%ymm13\n\tvpalignr\t$8,%ymm9,%ymm9,%ymm9\n\tvpalignr\t$12,%ymm5,%ymm5,%ymm5\n\tvpaddd\t%ymm6,%ymm2,%ymm2\n\tvpxor\t%ymm2,%ymm14,%ymm14\n\tvpshufb\t.Lrol16(%rip),%ymm14,%ymm14\n\tvpaddd\t%ymm14,%ymm10,%ymm10\n\tvpxor\t%ymm10,%ymm6,%ymm6\n\tvpsrld\t$20,%ymm6,%ymm3\n\tvpslld\t$12,%ymm6,%ymm6\n\tvpxor\t%ymm3,%ymm6,%ymm6\n\tvpaddd\t%ymm6,%ymm2,%ymm2\n\tvpxor\t%ymm2,%ymm14,%ymm14\n\tvpshufb\t.Lrol8(%rip),%ymm14,%ymm14\n\tvpaddd\t%ymm14,%ymm10,%ymm10\n\tvpxor\t%ymm10,%ymm6,%ymm6\n\tvpslld\t$7,%ymm6,%ymm3\n\tvpsrld\t$25,%ymm6,%ymm6\n\tvpxor\t%ymm3,%ymm6,%ymm6\n\tvpalignr\t$4,%ymm14,%ymm14,%ymm14\n\tvpalignr\t$8,%ymm10,%ymm10,%ymm10\n\tvpalignr\t$12,%ymm6,%ymm6,%ymm6\n\n\tleaq\t32(%rdi),%rdi\n\tdecq\t%rcx\n\tjg\t.Lseal_avx2_tail_384_rounds_and_3xhash\n\tdecq\t%r8\n\tjge\t.Lseal_avx2_tail_384_rounds_and_2xhash\n\tvpaddd\t.Lchacha20_consts(%rip),%ymm2,%ymm2\n\tvpaddd\t0+64(%rbp),%ymm6,%ymm6\n\tvpaddd\t0+96(%rbp),%ymm10,%ymm10\n\tvpaddd\t0+224(%rbp),%ymm14,%ymm14\n\tvpaddd\t.Lchacha20_consts(%rip),%ymm1,%ymm1\n\tvpaddd\t0+64(%rbp),%ymm5,%ymm5\n\tvpaddd\t0+96(%rbp),%ymm9,%ymm9\n\tvpaddd\t0+192(%rbp),%ymm13,%ymm13\n\tvpaddd\t.Lchacha20_consts(%rip),%ymm0,%ymm0\n\tvpaddd\t0+64(%rbp),%ymm4,%ymm4\n\tvpaddd\t0+96(%rbp),%ymm8,%ymm8\n\tvpaddd\t0+160(%rbp),%ymm12,%ymm12\n\tvperm2i128\t$0x02,%ymm2,%ymm6,%ymm3\n\tvperm2i128\t$0x13,%ymm2,%ymm6,%ymm6\n\tvperm2i128\t$0x02,%ymm10,%ymm14,%ymm2\n\tvperm2i128\t$0x13,%ymm10,%ymm14,%ymm10\n\tvpxor\t0+0(%rsi),%ymm3,%ymm3\n\tvpxor\t32+0(%rsi),%ymm2,%ymm2\n\tvpxor\t64+0(%rsi),%ymm6,%ymm6\n\tvpxor\t96+0(%rsi),%ymm10,%ymm10\n\tvmovdqu\t%ymm3,0+0(%rdi)\n\tvmovdqu\t%ymm2,32+0(%rdi)\n\tvmovdqu\t%ymm6,64+0(%rdi)\n\tvmovdqu\t%ymm10,96+0(%rdi)\n\tvperm2i128\t$0x02,%ymm1,%ymm5,%ymm3\n\tvperm2i128\t$0x13,%ymm1,%ymm5,%ymm5\n\tvperm2i128\t$0x02,%ymm9,%ymm13,%ymm1\n\tvperm2i128\t$0x13,%ymm9,%ymm13,%ymm9\n\tvpxor\t0+128(%rsi),%ymm3,%ymm3\n\tvpxor\t32+128(%rsi),%ymm1,%ymm1\n\tvpxor\t64+128(%rsi),%ymm5,%ymm5\n\tvpxor\t96+128(%rsi),%ymm9,%ymm9\n\tvmovdqu\t%ymm3,0+128(%rdi)\n\tvmovdqu\t%ymm1,32+128(%rdi)\n\tvmovdqu\t%ymm5,64+128(%rdi)\n\tvmovdqu\t%ymm9,96+128(%rdi)\n\tvperm2i128\t$0x13,%ymm0,%ymm4,%ymm3\n\tvperm2i128\t$0x02,%ymm0,%ymm4,%ymm0\n\tvperm2i128\t$0x02,%ymm8,%ymm12,%ymm4\n\tvperm2i128\t$0x13,%ymm8,%ymm12,%ymm12\n\tvmovdqa\t%ymm3,%ymm8\n\n\tmovq\t$256,%rcx\n\tleaq\t256(%rsi),%rsi\n\tsubq\t$256,%rbx\n\tjmp\t.Lseal_avx2_short_hash_remainder\n\n.Lseal_avx2_tail_512:\n\tvmovdqa\t.Lchacha20_consts(%rip),%ymm0\n\tvmovdqa\t0+64(%rbp),%ymm4\n\tvmovdqa\t0+96(%rbp),%ymm8\n\tvmovdqa\t%ymm0,%ymm1\n\tvmovdqa\t%ymm4,%ymm5\n\tvmovdqa\t%ymm8,%ymm9\n\tvmovdqa\t%ymm0,%ymm2\n\tvmovdqa\t%ymm4,%ymm6\n\tvmovdqa\t%ymm8,%ymm10\n\tvmovdqa\t%ymm0,%ymm3\n\tvmovdqa\t%ymm4,%ymm7\n\tvmovdqa\t%ymm8,%ymm11\n\tvmovdqa\t.Lavx2_inc(%rip),%ymm12\n\tvpaddd\t0+160(%rbp),%ymm12,%ymm15\n\tvpaddd\t%ymm15,%ymm12,%ymm14\n\tvpaddd\t%ymm14,%ymm12,%ymm13\n\tvpaddd\t%ymm13,%ymm12,%ymm12\n\tvmovdqa\t%ymm15,0+256(%rbp)\n\tvmovdqa\t%ymm14,0+224(%rbp)\n\tvmovdqa\t%ymm13,0+192(%rbp)\n\tvmovdqa\t%ymm12,0+160(%rbp)\n\n.Lseal_avx2_tail_512_rounds_and_3xhash:\n\taddq\t0+0(%rdi),%r10\n\tadcq\t8+0(%rdi),%r11\n\tadcq\t$1,%r12\n\tmovq\t0+0+0(%rbp),%rdx\n\tmovq\t%rdx,%r15\n\tmulxq\t%r10,%r13,%r14\n\tmulxq\t%r11,%rax,%rdx\n\timulq\t%r12,%r15\n\taddq\t%rax,%r14\n\tadcq\t%rdx,%r15\n\tmovq\t8+0+0(%rbp),%rdx\n\tmulxq\t%r10,%r10,%rax\n\taddq\t%r10,%r14\n\tmulxq\t%r11,%r11,%r9\n\tadcq\t%r11,%r15\n\tadcq\t$0,%r9\n\timulq\t%r12,%rdx\n\taddq\t%rax,%r15\n\tadcq\t%rdx,%r9\n\tmovq\t%r13,%r10\n\tmovq\t%r14,%r11\n\tmovq\t%r15,%r12\n\tandq\t$3,%r12\n\tmovq\t%r15,%r13\n\tandq\t$-4,%r13\n\tmovq\t%r9,%r14\n\tshrdq\t$2,%r9,%r15\n\tshrq\t$2,%r9\n\taddq\t%r13,%r15\n\tadcq\t%r14,%r9\n\taddq\t%r15,%r10\n\tadcq\t%r9,%r11\n\tadcq\t$0,%r12\n\n\tleaq\t16(%rdi),%rdi\n.Lseal_avx2_tail_512_rounds_and_2xhash:\n\tvmovdqa\t%ymm8,0+128(%rbp)\n\tvmovdqa\t.Lrol16(%rip),%ymm8\n\tvpaddd\t%ymm7,%ymm3,%ymm3\n\tvpaddd\t%ymm6,%ymm2,%ymm2\n\tvpaddd\t%ymm5,%ymm1,%ymm1\n\tvpaddd\t%ymm4,%ymm0,%ymm0\n\tvpxor\t%ymm3,%ymm15,%ymm15\n\tvpxor\t%ymm2,%ymm14,%ymm14\n\tvpxor\t%ymm1,%ymm13,%ymm13\n\tvpxor\t%ymm0,%ymm12,%ymm12\n\tvpshufb\t%ymm8,%ymm15,%ymm15\n\tvpshufb\t%ymm8,%ymm14,%ymm14\n\tvpshufb\t%ymm8,%ymm13,%ymm13\n\tvpshufb\t%ymm8,%ymm12,%ymm12\n\tvpaddd\t%ymm15,%ymm11,%ymm11\n\tvpaddd\t%ymm14,%ymm10,%ymm10\n\tvpaddd\t%ymm13,%ymm9,%ymm9\n\tvpaddd\t0+128(%rbp),%ymm12,%ymm8\n\tvpxor\t%ymm11,%ymm7,%ymm7\n\tvpxor\t%ymm10,%ymm6,%ymm6\n\taddq\t0+0(%rdi),%r10\n\tadcq\t8+0(%rdi),%r11\n\tadcq\t$1,%r12\n\tvpxor\t%ymm9,%ymm5,%ymm5\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvmovdqa\t%ymm8,0+128(%rbp)\n\tvpsrld\t$20,%ymm7,%ymm8\n\tvpslld\t$32-20,%ymm7,%ymm7\n\tvpxor\t%ymm8,%ymm7,%ymm7\n\tvpsrld\t$20,%ymm6,%ymm8\n\tvpslld\t$32-20,%ymm6,%ymm6\n\tvpxor\t%ymm8,%ymm6,%ymm6\n\tvpsrld\t$20,%ymm5,%ymm8\n\tvpslld\t$32-20,%ymm5,%ymm5\n\tvpxor\t%ymm8,%ymm5,%ymm5\n\tvpsrld\t$20,%ymm4,%ymm8\n\tvpslld\t$32-20,%ymm4,%ymm4\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvmovdqa\t.Lrol8(%rip),%ymm8\n\tvpaddd\t%ymm7,%ymm3,%ymm3\n\tvpaddd\t%ymm6,%ymm2,%ymm2\n\tvpaddd\t%ymm5,%ymm1,%ymm1\n\tvpaddd\t%ymm4,%ymm0,%ymm0\n\tmovq\t0+0+0(%rbp),%rdx\n\tmovq\t%rdx,%r15\n\tmulxq\t%r10,%r13,%r14\n\tmulxq\t%r11,%rax,%rdx\n\timulq\t%r12,%r15\n\taddq\t%rax,%r14\n\tadcq\t%rdx,%r15\n\tvpxor\t%ymm3,%ymm15,%ymm15\n\tvpxor\t%ymm2,%ymm14,%ymm14\n\tvpxor\t%ymm1,%ymm13,%ymm13\n\tvpxor\t%ymm0,%ymm12,%ymm12\n\tvpshufb\t%ymm8,%ymm15,%ymm15\n\tvpshufb\t%ymm8,%ymm14,%ymm14\n\tvpshufb\t%ymm8,%ymm13,%ymm13\n\tvpshufb\t%ymm8,%ymm12,%ymm12\n\tvpaddd\t%ymm15,%ymm11,%ymm11\n\tvpaddd\t%ymm14,%ymm10,%ymm10\n\tvpaddd\t%ymm13,%ymm9,%ymm9\n\tvpaddd\t0+128(%rbp),%ymm12,%ymm8\n\tvpxor\t%ymm11,%ymm7,%ymm7\n\tvpxor\t%ymm10,%ymm6,%ymm6\n\tvpxor\t%ymm9,%ymm5,%ymm5\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvmovdqa\t%ymm8,0+128(%rbp)\n\tvpsrld\t$25,%ymm7,%ymm8\n\tvpslld\t$32-25,%ymm7,%ymm7\n\tvpxor\t%ymm8,%ymm7,%ymm7\n\tmovq\t8+0+0(%rbp),%rdx\n\tmulxq\t%r10,%r10,%rax\n\taddq\t%r10,%r14\n\tmulxq\t%r11,%r11,%r9\n\tadcq\t%r11,%r15\n\tadcq\t$0,%r9\n\timulq\t%r12,%rdx\n\tvpsrld\t$25,%ymm6,%ymm8\n\tvpslld\t$32-25,%ymm6,%ymm6\n\tvpxor\t%ymm8,%ymm6,%ymm6\n\tvpsrld\t$25,%ymm5,%ymm8\n\tvpslld\t$32-25,%ymm5,%ymm5\n\tvpxor\t%ymm8,%ymm5,%ymm5\n\tvpsrld\t$25,%ymm4,%ymm8\n\tvpslld\t$32-25,%ymm4,%ymm4\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvmovdqa\t0+128(%rbp),%ymm8\n\tvpalignr\t$4,%ymm7,%ymm7,%ymm7\n\tvpalignr\t$8,%ymm11,%ymm11,%ymm11\n\tvpalignr\t$12,%ymm15,%ymm15,%ymm15\n\tvpalignr\t$4,%ymm6,%ymm6,%ymm6\n\tvpalignr\t$8,%ymm10,%ymm10,%ymm10\n\tvpalignr\t$12,%ymm14,%ymm14,%ymm14\n\tvpalignr\t$4,%ymm5,%ymm5,%ymm5\n\tvpalignr\t$8,%ymm9,%ymm9,%ymm9\n\tvpalignr\t$12,%ymm13,%ymm13,%ymm13\n\tvpalignr\t$4,%ymm4,%ymm4,%ymm4\n\taddq\t%rax,%r15\n\tadcq\t%rdx,%r9\n\tvpalignr\t$8,%ymm8,%ymm8,%ymm8\n\tvpalignr\t$12,%ymm12,%ymm12,%ymm12\n\tvmovdqa\t%ymm8,0+128(%rbp)\n\tvmovdqa\t.Lrol16(%rip),%ymm8\n\tvpaddd\t%ymm7,%ymm3,%ymm3\n\tvpaddd\t%ymm6,%ymm2,%ymm2\n\tvpaddd\t%ymm5,%ymm1,%ymm1\n\tvpaddd\t%ymm4,%ymm0,%ymm0\n\tvpxor\t%ymm3,%ymm15,%ymm15\n\tvpxor\t%ymm2,%ymm14,%ymm14\n\tvpxor\t%ymm1,%ymm13,%ymm13\n\tvpxor\t%ymm0,%ymm12,%ymm12\n\tvpshufb\t%ymm8,%ymm15,%ymm15\n\tvpshufb\t%ymm8,%ymm14,%ymm14\n\tvpshufb\t%ymm8,%ymm13,%ymm13\n\tvpshufb\t%ymm8,%ymm12,%ymm12\n\tvpaddd\t%ymm15,%ymm11,%ymm11\n\tvpaddd\t%ymm14,%ymm10,%ymm10\n\tvpaddd\t%ymm13,%ymm9,%ymm9\n\tvpaddd\t0+128(%rbp),%ymm12,%ymm8\n\tmovq\t%r13,%r10\n\tmovq\t%r14,%r11\n\tmovq\t%r15,%r12\n\tandq\t$3,%r12\n\tmovq\t%r15,%r13\n\tandq\t$-4,%r13\n\tmovq\t%r9,%r14\n\tshrdq\t$2,%r9,%r15\n\tshrq\t$2,%r9\n\taddq\t%r13,%r15\n\tadcq\t%r14,%r9\n\taddq\t%r15,%r10\n\tadcq\t%r9,%r11\n\tadcq\t$0,%r12\n\tvpxor\t%ymm11,%ymm7,%ymm7\n\tvpxor\t%ymm10,%ymm6,%ymm6\n\tvpxor\t%ymm9,%ymm5,%ymm5\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvmovdqa\t%ymm8,0+128(%rbp)\n\tvpsrld\t$20,%ymm7,%ymm8\n\tvpslld\t$32-20,%ymm7,%ymm7\n\tvpxor\t%ymm8,%ymm7,%ymm7\n\tvpsrld\t$20,%ymm6,%ymm8\n\tvpslld\t$32-20,%ymm6,%ymm6\n\tvpxor\t%ymm8,%ymm6,%ymm6\n\tvpsrld\t$20,%ymm5,%ymm8\n\tvpslld\t$32-20,%ymm5,%ymm5\n\tvpxor\t%ymm8,%ymm5,%ymm5\n\tvpsrld\t$20,%ymm4,%ymm8\n\tvpslld\t$32-20,%ymm4,%ymm4\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvmovdqa\t.Lrol8(%rip),%ymm8\n\tvpaddd\t%ymm7,%ymm3,%ymm3\n\tvpaddd\t%ymm6,%ymm2,%ymm2\n\taddq\t0+16(%rdi),%r10\n\tadcq\t8+16(%rdi),%r11\n\tadcq\t$1,%r12\n\tvpaddd\t%ymm5,%ymm1,%ymm1\n\tvpaddd\t%ymm4,%ymm0,%ymm0\n\tvpxor\t%ymm3,%ymm15,%ymm15\n\tvpxor\t%ymm2,%ymm14,%ymm14\n\tvpxor\t%ymm1,%ymm13,%ymm13\n\tvpxor\t%ymm0,%ymm12,%ymm12\n\tvpshufb\t%ymm8,%ymm15,%ymm15\n\tvpshufb\t%ymm8,%ymm14,%ymm14\n\tvpshufb\t%ymm8,%ymm13,%ymm13\n\tvpshufb\t%ymm8,%ymm12,%ymm12\n\tvpaddd\t%ymm15,%ymm11,%ymm11\n\tvpaddd\t%ymm14,%ymm10,%ymm10\n\tvpaddd\t%ymm13,%ymm9,%ymm9\n\tvpaddd\t0+128(%rbp),%ymm12,%ymm8\n\tvpxor\t%ymm11,%ymm7,%ymm7\n\tvpxor\t%ymm10,%ymm6,%ymm6\n\tvpxor\t%ymm9,%ymm5,%ymm5\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvmovdqa\t%ymm8,0+128(%rbp)\n\tvpsrld\t$25,%ymm7,%ymm8\n\tmovq\t0+0+0(%rbp),%rdx\n\tmovq\t%rdx,%r15\n\tmulxq\t%r10,%r13,%r14\n\tmulxq\t%r11,%rax,%rdx\n\timulq\t%r12,%r15\n\taddq\t%rax,%r14\n\tadcq\t%rdx,%r15\n\tvpslld\t$32-25,%ymm7,%ymm7\n\tvpxor\t%ymm8,%ymm7,%ymm7\n\tvpsrld\t$25,%ymm6,%ymm8\n\tvpslld\t$32-25,%ymm6,%ymm6\n\tvpxor\t%ymm8,%ymm6,%ymm6\n\tvpsrld\t$25,%ymm5,%ymm8\n\tvpslld\t$32-25,%ymm5,%ymm5\n\tvpxor\t%ymm8,%ymm5,%ymm5\n\tvpsrld\t$25,%ymm4,%ymm8\n\tvpslld\t$32-25,%ymm4,%ymm4\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvmovdqa\t0+128(%rbp),%ymm8\n\tvpalignr\t$12,%ymm7,%ymm7,%ymm7\n\tvpalignr\t$8,%ymm11,%ymm11,%ymm11\n\tvpalignr\t$4,%ymm15,%ymm15,%ymm15\n\tvpalignr\t$12,%ymm6,%ymm6,%ymm6\n\tvpalignr\t$8,%ymm10,%ymm10,%ymm10\n\tvpalignr\t$4,%ymm14,%ymm14,%ymm14\n\tvpalignr\t$12,%ymm5,%ymm5,%ymm5\n\tvpalignr\t$8,%ymm9,%ymm9,%ymm9\n\tmovq\t8+0+0(%rbp),%rdx\n\tmulxq\t%r10,%r10,%rax\n\taddq\t%r10,%r14\n\tmulxq\t%r11,%r11,%r9\n\tadcq\t%r11,%r15\n\tadcq\t$0,%r9\n\timulq\t%r12,%rdx\n\tvpalignr\t$4,%ymm13,%ymm13,%ymm13\n\tvpalignr\t$12,%ymm4,%ymm4,%ymm4\n\tvpalignr\t$8,%ymm8,%ymm8,%ymm8\n\tvpalignr\t$4,%ymm12,%ymm12,%ymm12\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\taddq\t%rax,%r15\n\tadcq\t%rdx,%r9\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\tmovq\t%r13,%r10\n\tmovq\t%r14,%r11\n\tmovq\t%r15,%r12\n\tandq\t$3,%r12\n\tmovq\t%r15,%r13\n\tandq\t$-4,%r13\n\tmovq\t%r9,%r14\n\tshrdq\t$2,%r9,%r15\n\tshrq\t$2,%r9\n\taddq\t%r13,%r15\n\tadcq\t%r14,%r9\n\taddq\t%r15,%r10\n\tadcq\t%r9,%r11\n\tadcq\t$0,%r12\n\n\tleaq\t32(%rdi),%rdi\n\tdecq\t%rcx\n\tjg\t.Lseal_avx2_tail_512_rounds_and_3xhash\n\tdecq\t%r8\n\tjge\t.Lseal_avx2_tail_512_rounds_and_2xhash\n\tvpaddd\t.Lchacha20_consts(%rip),%ymm3,%ymm3\n\tvpaddd\t0+64(%rbp),%ymm7,%ymm7\n\tvpaddd\t0+96(%rbp),%ymm11,%ymm11\n\tvpaddd\t0+256(%rbp),%ymm15,%ymm15\n\tvpaddd\t.Lchacha20_consts(%rip),%ymm2,%ymm2\n\tvpaddd\t0+64(%rbp),%ymm6,%ymm6\n\tvpaddd\t0+96(%rbp),%ymm10,%ymm10\n\tvpaddd\t0+224(%rbp),%ymm14,%ymm14\n\tvpaddd\t.Lchacha20_consts(%rip),%ymm1,%ymm1\n\tvpaddd\t0+64(%rbp),%ymm5,%ymm5\n\tvpaddd\t0+96(%rbp),%ymm9,%ymm9\n\tvpaddd\t0+192(%rbp),%ymm13,%ymm13\n\tvpaddd\t.Lchacha20_consts(%rip),%ymm0,%ymm0\n\tvpaddd\t0+64(%rbp),%ymm4,%ymm4\n\tvpaddd\t0+96(%rbp),%ymm8,%ymm8\n\tvpaddd\t0+160(%rbp),%ymm12,%ymm12\n\n\tvmovdqa\t%ymm0,0+128(%rbp)\n\tvperm2i128\t$0x02,%ymm3,%ymm7,%ymm0\n\tvperm2i128\t$0x13,%ymm3,%ymm7,%ymm7\n\tvperm2i128\t$0x02,%ymm11,%ymm15,%ymm3\n\tvperm2i128\t$0x13,%ymm11,%ymm15,%ymm11\n\tvpxor\t0+0(%rsi),%ymm0,%ymm0\n\tvpxor\t32+0(%rsi),%ymm3,%ymm3\n\tvpxor\t64+0(%rsi),%ymm7,%ymm7\n\tvpxor\t96+0(%rsi),%ymm11,%ymm11\n\tvmovdqu\t%ymm0,0+0(%rdi)\n\tvmovdqu\t%ymm3,32+0(%rdi)\n\tvmovdqu\t%ymm7,64+0(%rdi)\n\tvmovdqu\t%ymm11,96+0(%rdi)\n\n\tvmovdqa\t0+128(%rbp),%ymm0\n\tvperm2i128\t$0x02,%ymm2,%ymm6,%ymm3\n\tvperm2i128\t$0x13,%ymm2,%ymm6,%ymm6\n\tvperm2i128\t$0x02,%ymm10,%ymm14,%ymm2\n\tvperm2i128\t$0x13,%ymm10,%ymm14,%ymm10\n\tvpxor\t0+128(%rsi),%ymm3,%ymm3\n\tvpxor\t32+128(%rsi),%ymm2,%ymm2\n\tvpxor\t64+128(%rsi),%ymm6,%ymm6\n\tvpxor\t96+128(%rsi),%ymm10,%ymm10\n\tvmovdqu\t%ymm3,0+128(%rdi)\n\tvmovdqu\t%ymm2,32+128(%rdi)\n\tvmovdqu\t%ymm6,64+128(%rdi)\n\tvmovdqu\t%ymm10,96+128(%rdi)\n\tvperm2i128\t$0x02,%ymm1,%ymm5,%ymm3\n\tvperm2i128\t$0x13,%ymm1,%ymm5,%ymm5\n\tvperm2i128\t$0x02,%ymm9,%ymm13,%ymm1\n\tvperm2i128\t$0x13,%ymm9,%ymm13,%ymm9\n\tvpxor\t0+256(%rsi),%ymm3,%ymm3\n\tvpxor\t32+256(%rsi),%ymm1,%ymm1\n\tvpxor\t64+256(%rsi),%ymm5,%ymm5\n\tvpxor\t96+256(%rsi),%ymm9,%ymm9\n\tvmovdqu\t%ymm3,0+256(%rdi)\n\tvmovdqu\t%ymm1,32+256(%rdi)\n\tvmovdqu\t%ymm5,64+256(%rdi)\n\tvmovdqu\t%ymm9,96+256(%rdi)\n\tvperm2i128\t$0x13,%ymm0,%ymm4,%ymm3\n\tvperm2i128\t$0x02,%ymm0,%ymm4,%ymm0\n\tvperm2i128\t$0x02,%ymm8,%ymm12,%ymm4\n\tvperm2i128\t$0x13,%ymm8,%ymm12,%ymm12\n\tvmovdqa\t%ymm3,%ymm8\n\n\tmovq\t$384,%rcx\n\tleaq\t384(%rsi),%rsi\n\tsubq\t$384,%rbx\n\tjmp\t.Lseal_avx2_short_hash_remainder\n\n.Lseal_avx2_320:\n\tvmovdqa\t%ymm0,%ymm1\n\tvmovdqa\t%ymm0,%ymm2\n\tvmovdqa\t%ymm4,%ymm5\n\tvmovdqa\t%ymm4,%ymm6\n\tvmovdqa\t%ymm8,%ymm9\n\tvmovdqa\t%ymm8,%ymm10\n\tvpaddd\t.Lavx2_inc(%rip),%ymm12,%ymm13\n\tvpaddd\t.Lavx2_inc(%rip),%ymm13,%ymm14\n\tvmovdqa\t%ymm4,%ymm7\n\tvmovdqa\t%ymm8,%ymm11\n\tvmovdqa\t%ymm12,0+160(%rbp)\n\tvmovdqa\t%ymm13,0+192(%rbp)\n\tvmovdqa\t%ymm14,0+224(%rbp)\n\tmovq\t$10,%r10\n.Lseal_avx2_320_rounds:\n\tvpaddd\t%ymm4,%ymm0,%ymm0\n\tvpxor\t%ymm0,%ymm12,%ymm12\n\tvpshufb\t.Lrol16(%rip),%ymm12,%ymm12\n\tvpaddd\t%ymm12,%ymm8,%ymm8\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvpsrld\t$20,%ymm4,%ymm3\n\tvpslld\t$12,%ymm4,%ymm4\n\tvpxor\t%ymm3,%ymm4,%ymm4\n\tvpaddd\t%ymm4,%ymm0,%ymm0\n\tvpxor\t%ymm0,%ymm12,%ymm12\n\tvpshufb\t.Lrol8(%rip),%ymm12,%ymm12\n\tvpaddd\t%ymm12,%ymm8,%ymm8\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvpslld\t$7,%ymm4,%ymm3\n\tvpsrld\t$25,%ymm4,%ymm4\n\tvpxor\t%ymm3,%ymm4,%ymm4\n\tvpalignr\t$12,%ymm12,%ymm12,%ymm12\n\tvpalignr\t$8,%ymm8,%ymm8,%ymm8\n\tvpalignr\t$4,%ymm4,%ymm4,%ymm4\n\tvpaddd\t%ymm5,%ymm1,%ymm1\n\tvpxor\t%ymm1,%ymm13,%ymm13\n\tvpshufb\t.Lrol16(%rip),%ymm13,%ymm13\n\tvpaddd\t%ymm13,%ymm9,%ymm9\n\tvpxor\t%ymm9,%ymm5,%ymm5\n\tvpsrld\t$20,%ymm5,%ymm3\n\tvpslld\t$12,%ymm5,%ymm5\n\tvpxor\t%ymm3,%ymm5,%ymm5\n\tvpaddd\t%ymm5,%ymm1,%ymm1\n\tvpxor\t%ymm1,%ymm13,%ymm13\n\tvpshufb\t.Lrol8(%rip),%ymm13,%ymm13\n\tvpaddd\t%ymm13,%ymm9,%ymm9\n\tvpxor\t%ymm9,%ymm5,%ymm5\n\tvpslld\t$7,%ymm5,%ymm3\n\tvpsrld\t$25,%ymm5,%ymm5\n\tvpxor\t%ymm3,%ymm5,%ymm5\n\tvpalignr\t$12,%ymm13,%ymm13,%ymm13\n\tvpalignr\t$8,%ymm9,%ymm9,%ymm9\n\tvpalignr\t$4,%ymm5,%ymm5,%ymm5\n\tvpaddd\t%ymm6,%ymm2,%ymm2\n\tvpxor\t%ymm2,%ymm14,%ymm14\n\tvpshufb\t.Lrol16(%rip),%ymm14,%ymm14\n\tvpaddd\t%ymm14,%ymm10,%ymm10\n\tvpxor\t%ymm10,%ymm6,%ymm6\n\tvpsrld\t$20,%ymm6,%ymm3\n\tvpslld\t$12,%ymm6,%ymm6\n\tvpxor\t%ymm3,%ymm6,%ymm6\n\tvpaddd\t%ymm6,%ymm2,%ymm2\n\tvpxor\t%ymm2,%ymm14,%ymm14\n\tvpshufb\t.Lrol8(%rip),%ymm14,%ymm14\n\tvpaddd\t%ymm14,%ymm10,%ymm10\n\tvpxor\t%ymm10,%ymm6,%ymm6\n\tvpslld\t$7,%ymm6,%ymm3\n\tvpsrld\t$25,%ymm6,%ymm6\n\tvpxor\t%ymm3,%ymm6,%ymm6\n\tvpalignr\t$12,%ymm14,%ymm14,%ymm14\n\tvpalignr\t$8,%ymm10,%ymm10,%ymm10\n\tvpalignr\t$4,%ymm6,%ymm6,%ymm6\n\tvpaddd\t%ymm4,%ymm0,%ymm0\n\tvpxor\t%ymm0,%ymm12,%ymm12\n\tvpshufb\t.Lrol16(%rip),%ymm12,%ymm12\n\tvpaddd\t%ymm12,%ymm8,%ymm8\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvpsrld\t$20,%ymm4,%ymm3\n\tvpslld\t$12,%ymm4,%ymm4\n\tvpxor\t%ymm3,%ymm4,%ymm4\n\tvpaddd\t%ymm4,%ymm0,%ymm0\n\tvpxor\t%ymm0,%ymm12,%ymm12\n\tvpshufb\t.Lrol8(%rip),%ymm12,%ymm12\n\tvpaddd\t%ymm12,%ymm8,%ymm8\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvpslld\t$7,%ymm4,%ymm3\n\tvpsrld\t$25,%ymm4,%ymm4\n\tvpxor\t%ymm3,%ymm4,%ymm4\n\tvpalignr\t$4,%ymm12,%ymm12,%ymm12\n\tvpalignr\t$8,%ymm8,%ymm8,%ymm8\n\tvpalignr\t$12,%ymm4,%ymm4,%ymm4\n\tvpaddd\t%ymm5,%ymm1,%ymm1\n\tvpxor\t%ymm1,%ymm13,%ymm13\n\tvpshufb\t.Lrol16(%rip),%ymm13,%ymm13\n\tvpaddd\t%ymm13,%ymm9,%ymm9\n\tvpxor\t%ymm9,%ymm5,%ymm5\n\tvpsrld\t$20,%ymm5,%ymm3\n\tvpslld\t$12,%ymm5,%ymm5\n\tvpxor\t%ymm3,%ymm5,%ymm5\n\tvpaddd\t%ymm5,%ymm1,%ymm1\n\tvpxor\t%ymm1,%ymm13,%ymm13\n\tvpshufb\t.Lrol8(%rip),%ymm13,%ymm13\n\tvpaddd\t%ymm13,%ymm9,%ymm9\n\tvpxor\t%ymm9,%ymm5,%ymm5\n\tvpslld\t$7,%ymm5,%ymm3\n\tvpsrld\t$25,%ymm5,%ymm5\n\tvpxor\t%ymm3,%ymm5,%ymm5\n\tvpalignr\t$4,%ymm13,%ymm13,%ymm13\n\tvpalignr\t$8,%ymm9,%ymm9,%ymm9\n\tvpalignr\t$12,%ymm5,%ymm5,%ymm5\n\tvpaddd\t%ymm6,%ymm2,%ymm2\n\tvpxor\t%ymm2,%ymm14,%ymm14\n\tvpshufb\t.Lrol16(%rip),%ymm14,%ymm14\n\tvpaddd\t%ymm14,%ymm10,%ymm10\n\tvpxor\t%ymm10,%ymm6,%ymm6\n\tvpsrld\t$20,%ymm6,%ymm3\n\tvpslld\t$12,%ymm6,%ymm6\n\tvpxor\t%ymm3,%ymm6,%ymm6\n\tvpaddd\t%ymm6,%ymm2,%ymm2\n\tvpxor\t%ymm2,%ymm14,%ymm14\n\tvpshufb\t.Lrol8(%rip),%ymm14,%ymm14\n\tvpaddd\t%ymm14,%ymm10,%ymm10\n\tvpxor\t%ymm10,%ymm6,%ymm6\n\tvpslld\t$7,%ymm6,%ymm3\n\tvpsrld\t$25,%ymm6,%ymm6\n\tvpxor\t%ymm3,%ymm6,%ymm6\n\tvpalignr\t$4,%ymm14,%ymm14,%ymm14\n\tvpalignr\t$8,%ymm10,%ymm10,%ymm10\n\tvpalignr\t$12,%ymm6,%ymm6,%ymm6\n\n\tdecq\t%r10\n\tjne\t.Lseal_avx2_320_rounds\n\tvpaddd\t.Lchacha20_consts(%rip),%ymm0,%ymm0\n\tvpaddd\t.Lchacha20_consts(%rip),%ymm1,%ymm1\n\tvpaddd\t.Lchacha20_consts(%rip),%ymm2,%ymm2\n\tvpaddd\t%ymm7,%ymm4,%ymm4\n\tvpaddd\t%ymm7,%ymm5,%ymm5\n\tvpaddd\t%ymm7,%ymm6,%ymm6\n\tvpaddd\t%ymm11,%ymm8,%ymm8\n\tvpaddd\t%ymm11,%ymm9,%ymm9\n\tvpaddd\t%ymm11,%ymm10,%ymm10\n\tvpaddd\t0+160(%rbp),%ymm12,%ymm12\n\tvpaddd\t0+192(%rbp),%ymm13,%ymm13\n\tvpaddd\t0+224(%rbp),%ymm14,%ymm14\n\tvperm2i128\t$0x02,%ymm0,%ymm4,%ymm3\n\n\tvpand\t.Lclamp(%rip),%ymm3,%ymm3\n\tvmovdqa\t%ymm3,0+0(%rbp)\n\n\tvperm2i128\t$0x13,%ymm0,%ymm4,%ymm0\n\tvperm2i128\t$0x13,%ymm8,%ymm12,%ymm4\n\tvperm2i128\t$0x02,%ymm1,%ymm5,%ymm8\n\tvperm2i128\t$0x02,%ymm9,%ymm13,%ymm12\n\tvperm2i128\t$0x13,%ymm1,%ymm5,%ymm1\n\tvperm2i128\t$0x13,%ymm9,%ymm13,%ymm5\n\tvperm2i128\t$0x02,%ymm2,%ymm6,%ymm9\n\tvperm2i128\t$0x02,%ymm10,%ymm14,%ymm13\n\tvperm2i128\t$0x13,%ymm2,%ymm6,%ymm2\n\tvperm2i128\t$0x13,%ymm10,%ymm14,%ymm6\n\tjmp\t.Lseal_avx2_short\n\n.Lseal_avx2_192:\n\tvmovdqa\t%ymm0,%ymm1\n\tvmovdqa\t%ymm0,%ymm2\n\tvmovdqa\t%ymm4,%ymm5\n\tvmovdqa\t%ymm4,%ymm6\n\tvmovdqa\t%ymm8,%ymm9\n\tvmovdqa\t%ymm8,%ymm10\n\tvpaddd\t.Lavx2_inc(%rip),%ymm12,%ymm13\n\tvmovdqa\t%ymm12,%ymm11\n\tvmovdqa\t%ymm13,%ymm15\n\tmovq\t$10,%r10\n.Lseal_avx2_192_rounds:\n\tvpaddd\t%ymm4,%ymm0,%ymm0\n\tvpxor\t%ymm0,%ymm12,%ymm12\n\tvpshufb\t.Lrol16(%rip),%ymm12,%ymm12\n\tvpaddd\t%ymm12,%ymm8,%ymm8\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvpsrld\t$20,%ymm4,%ymm3\n\tvpslld\t$12,%ymm4,%ymm4\n\tvpxor\t%ymm3,%ymm4,%ymm4\n\tvpaddd\t%ymm4,%ymm0,%ymm0\n\tvpxor\t%ymm0,%ymm12,%ymm12\n\tvpshufb\t.Lrol8(%rip),%ymm12,%ymm12\n\tvpaddd\t%ymm12,%ymm8,%ymm8\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvpslld\t$7,%ymm4,%ymm3\n\tvpsrld\t$25,%ymm4,%ymm4\n\tvpxor\t%ymm3,%ymm4,%ymm4\n\tvpalignr\t$12,%ymm12,%ymm12,%ymm12\n\tvpalignr\t$8,%ymm8,%ymm8,%ymm8\n\tvpalignr\t$4,%ymm4,%ymm4,%ymm4\n\tvpaddd\t%ymm5,%ymm1,%ymm1\n\tvpxor\t%ymm1,%ymm13,%ymm13\n\tvpshufb\t.Lrol16(%rip),%ymm13,%ymm13\n\tvpaddd\t%ymm13,%ymm9,%ymm9\n\tvpxor\t%ymm9,%ymm5,%ymm5\n\tvpsrld\t$20,%ymm5,%ymm3\n\tvpslld\t$12,%ymm5,%ymm5\n\tvpxor\t%ymm3,%ymm5,%ymm5\n\tvpaddd\t%ymm5,%ymm1,%ymm1\n\tvpxor\t%ymm1,%ymm13,%ymm13\n\tvpshufb\t.Lrol8(%rip),%ymm13,%ymm13\n\tvpaddd\t%ymm13,%ymm9,%ymm9\n\tvpxor\t%ymm9,%ymm5,%ymm5\n\tvpslld\t$7,%ymm5,%ymm3\n\tvpsrld\t$25,%ymm5,%ymm5\n\tvpxor\t%ymm3,%ymm5,%ymm5\n\tvpalignr\t$12,%ymm13,%ymm13,%ymm13\n\tvpalignr\t$8,%ymm9,%ymm9,%ymm9\n\tvpalignr\t$4,%ymm5,%ymm5,%ymm5\n\tvpaddd\t%ymm4,%ymm0,%ymm0\n\tvpxor\t%ymm0,%ymm12,%ymm12\n\tvpshufb\t.Lrol16(%rip),%ymm12,%ymm12\n\tvpaddd\t%ymm12,%ymm8,%ymm8\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvpsrld\t$20,%ymm4,%ymm3\n\tvpslld\t$12,%ymm4,%ymm4\n\tvpxor\t%ymm3,%ymm4,%ymm4\n\tvpaddd\t%ymm4,%ymm0,%ymm0\n\tvpxor\t%ymm0,%ymm12,%ymm12\n\tvpshufb\t.Lrol8(%rip),%ymm12,%ymm12\n\tvpaddd\t%ymm12,%ymm8,%ymm8\n\tvpxor\t%ymm8,%ymm4,%ymm4\n\tvpslld\t$7,%ymm4,%ymm3\n\tvpsrld\t$25,%ymm4,%ymm4\n\tvpxor\t%ymm3,%ymm4,%ymm4\n\tvpalignr\t$4,%ymm12,%ymm12,%ymm12\n\tvpalignr\t$8,%ymm8,%ymm8,%ymm8\n\tvpalignr\t$12,%ymm4,%ymm4,%ymm4\n\tvpaddd\t%ymm5,%ymm1,%ymm1\n\tvpxor\t%ymm1,%ymm13,%ymm13\n\tvpshufb\t.Lrol16(%rip),%ymm13,%ymm13\n\tvpaddd\t%ymm13,%ymm9,%ymm9\n\tvpxor\t%ymm9,%ymm5,%ymm5\n\tvpsrld\t$20,%ymm5,%ymm3\n\tvpslld\t$12,%ymm5,%ymm5\n\tvpxor\t%ymm3,%ymm5,%ymm5\n\tvpaddd\t%ymm5,%ymm1,%ymm1\n\tvpxor\t%ymm1,%ymm13,%ymm13\n\tvpshufb\t.Lrol8(%rip),%ymm13,%ymm13\n\tvpaddd\t%ymm13,%ymm9,%ymm9\n\tvpxor\t%ymm9,%ymm5,%ymm5\n\tvpslld\t$7,%ymm5,%ymm3\n\tvpsrld\t$25,%ymm5,%ymm5\n\tvpxor\t%ymm3,%ymm5,%ymm5\n\tvpalignr\t$4,%ymm13,%ymm13,%ymm13\n\tvpalignr\t$8,%ymm9,%ymm9,%ymm9\n\tvpalignr\t$12,%ymm5,%ymm5,%ymm5\n\n\tdecq\t%r10\n\tjne\t.Lseal_avx2_192_rounds\n\tvpaddd\t%ymm2,%ymm0,%ymm0\n\tvpaddd\t%ymm2,%ymm1,%ymm1\n\tvpaddd\t%ymm6,%ymm4,%ymm4\n\tvpaddd\t%ymm6,%ymm5,%ymm5\n\tvpaddd\t%ymm10,%ymm8,%ymm8\n\tvpaddd\t%ymm10,%ymm9,%ymm9\n\tvpaddd\t%ymm11,%ymm12,%ymm12\n\tvpaddd\t%ymm15,%ymm13,%ymm13\n\tvperm2i128\t$0x02,%ymm0,%ymm4,%ymm3\n\n\tvpand\t.Lclamp(%rip),%ymm3,%ymm3\n\tvmovdqa\t%ymm3,0+0(%rbp)\n\n\tvperm2i128\t$0x13,%ymm0,%ymm4,%ymm0\n\tvperm2i128\t$0x13,%ymm8,%ymm12,%ymm4\n\tvperm2i128\t$0x02,%ymm1,%ymm5,%ymm8\n\tvperm2i128\t$0x02,%ymm9,%ymm13,%ymm12\n\tvperm2i128\t$0x13,%ymm1,%ymm5,%ymm1\n\tvperm2i128\t$0x13,%ymm9,%ymm13,%ymm5\n.Lseal_avx2_short:\n\tmovq\t%r8,%r8\n\tcall\tpoly_hash_ad_internal\n\txorq\t%rcx,%rcx\n.Lseal_avx2_short_hash_remainder:\n\tcmpq\t$16,%rcx\n\tjb\t.Lseal_avx2_short_loop\n\taddq\t0+0(%rdi),%r10\n\tadcq\t8+0(%rdi),%r11\n\tadcq\t$1,%r12\n\tmovq\t0+0+0(%rbp),%rax\n\tmovq\t%rax,%r15\n\tmulq\t%r10\n\tmovq\t%rax,%r13\n\tmovq\t%rdx,%r14\n\tmovq\t0+0+0(%rbp),%rax\n\tmulq\t%r11\n\timulq\t%r12,%r15\n\taddq\t%rax,%r14\n\tadcq\t%rdx,%r15\n\tmovq\t8+0+0(%rbp),%rax\n\tmovq\t%rax,%r9\n\tmulq\t%r10\n\taddq\t%rax,%r14\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r10\n\tmovq\t8+0+0(%rbp),%rax\n\tmulq\t%r11\n\taddq\t%rax,%r15\n\tadcq\t$0,%rdx\n\timulq\t%r12,%r9\n\taddq\t%r10,%r15\n\tadcq\t%rdx,%r9\n\tmovq\t%r13,%r10\n\tmovq\t%r14,%r11\n\tmovq\t%r15,%r12\n\tandq\t$3,%r12\n\tmovq\t%r15,%r13\n\tandq\t$-4,%r13\n\tmovq\t%r9,%r14\n\tshrdq\t$2,%r9,%r15\n\tshrq\t$2,%r9\n\taddq\t%r13,%r15\n\tadcq\t%r14,%r9\n\taddq\t%r15,%r10\n\tadcq\t%r9,%r11\n\tadcq\t$0,%r12\n\n\tsubq\t$16,%rcx\n\taddq\t$16,%rdi\n\tjmp\t.Lseal_avx2_short_hash_remainder\n.Lseal_avx2_short_loop:\n\tcmpq\t$32,%rbx\n\tjb\t.Lseal_avx2_short_tail\n\tsubq\t$32,%rbx\n\n\tvpxor\t(%rsi),%ymm0,%ymm0\n\tvmovdqu\t%ymm0,(%rdi)\n\tleaq\t32(%rsi),%rsi\n\n\taddq\t0+0(%rdi),%r10\n\tadcq\t8+0(%rdi),%r11\n\tadcq\t$1,%r12\n\tmovq\t0+0+0(%rbp),%rax\n\tmovq\t%rax,%r15\n\tmulq\t%r10\n\tmovq\t%rax,%r13\n\tmovq\t%rdx,%r14\n\tmovq\t0+0+0(%rbp),%rax\n\tmulq\t%r11\n\timulq\t%r12,%r15\n\taddq\t%rax,%r14\n\tadcq\t%rdx,%r15\n\tmovq\t8+0+0(%rbp),%rax\n\tmovq\t%rax,%r9\n\tmulq\t%r10\n\taddq\t%rax,%r14\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r10\n\tmovq\t8+0+0(%rbp),%rax\n\tmulq\t%r11\n\taddq\t%rax,%r15\n\tadcq\t$0,%rdx\n\timulq\t%r12,%r9\n\taddq\t%r10,%r15\n\tadcq\t%rdx,%r9\n\tmovq\t%r13,%r10\n\tmovq\t%r14,%r11\n\tmovq\t%r15,%r12\n\tandq\t$3,%r12\n\tmovq\t%r15,%r13\n\tandq\t$-4,%r13\n\tmovq\t%r9,%r14\n\tshrdq\t$2,%r9,%r15\n\tshrq\t$2,%r9\n\taddq\t%r13,%r15\n\tadcq\t%r14,%r9\n\taddq\t%r15,%r10\n\tadcq\t%r9,%r11\n\tadcq\t$0,%r12\n\taddq\t0+16(%rdi),%r10\n\tadcq\t8+16(%rdi),%r11\n\tadcq\t$1,%r12\n\tmovq\t0+0+0(%rbp),%rax\n\tmovq\t%rax,%r15\n\tmulq\t%r10\n\tmovq\t%rax,%r13\n\tmovq\t%rdx,%r14\n\tmovq\t0+0+0(%rbp),%rax\n\tmulq\t%r11\n\timulq\t%r12,%r15\n\taddq\t%rax,%r14\n\tadcq\t%rdx,%r15\n\tmovq\t8+0+0(%rbp),%rax\n\tmovq\t%rax,%r9\n\tmulq\t%r10\n\taddq\t%rax,%r14\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r10\n\tmovq\t8+0+0(%rbp),%rax\n\tmulq\t%r11\n\taddq\t%rax,%r15\n\tadcq\t$0,%rdx\n\timulq\t%r12,%r9\n\taddq\t%r10,%r15\n\tadcq\t%rdx,%r9\n\tmovq\t%r13,%r10\n\tmovq\t%r14,%r11\n\tmovq\t%r15,%r12\n\tandq\t$3,%r12\n\tmovq\t%r15,%r13\n\tandq\t$-4,%r13\n\tmovq\t%r9,%r14\n\tshrdq\t$2,%r9,%r15\n\tshrq\t$2,%r9\n\taddq\t%r13,%r15\n\tadcq\t%r14,%r9\n\taddq\t%r15,%r10\n\tadcq\t%r9,%r11\n\tadcq\t$0,%r12\n\n\tleaq\t32(%rdi),%rdi\n\n\tvmovdqa\t%ymm4,%ymm0\n\tvmovdqa\t%ymm8,%ymm4\n\tvmovdqa\t%ymm12,%ymm8\n\tvmovdqa\t%ymm1,%ymm12\n\tvmovdqa\t%ymm5,%ymm1\n\tvmovdqa\t%ymm9,%ymm5\n\tvmovdqa\t%ymm13,%ymm9\n\tvmovdqa\t%ymm2,%ymm13\n\tvmovdqa\t%ymm6,%ymm2\n\tjmp\t.Lseal_avx2_short_loop\n.Lseal_avx2_short_tail:\n\tcmpq\t$16,%rbx\n\tjb\t.Lseal_avx2_exit\n\tsubq\t$16,%rbx\n\tvpxor\t(%rsi),%xmm0,%xmm3\n\tvmovdqu\t%xmm3,(%rdi)\n\tleaq\t16(%rsi),%rsi\n\taddq\t0+0(%rdi),%r10\n\tadcq\t8+0(%rdi),%r11\n\tadcq\t$1,%r12\n\tmovq\t0+0+0(%rbp),%rax\n\tmovq\t%rax,%r15\n\tmulq\t%r10\n\tmovq\t%rax,%r13\n\tmovq\t%rdx,%r14\n\tmovq\t0+0+0(%rbp),%rax\n\tmulq\t%r11\n\timulq\t%r12,%r15\n\taddq\t%rax,%r14\n\tadcq\t%rdx,%r15\n\tmovq\t8+0+0(%rbp),%rax\n\tmovq\t%rax,%r9\n\tmulq\t%r10\n\taddq\t%rax,%r14\n\tadcq\t$0,%rdx\n\tmovq\t%rdx,%r10\n\tmovq\t8+0+0(%rbp),%rax\n\tmulq\t%r11\n\taddq\t%rax,%r15\n\tadcq\t$0,%rdx\n\timulq\t%r12,%r9\n\taddq\t%r10,%r15\n\tadcq\t%rdx,%r9\n\tmovq\t%r13,%r10\n\tmovq\t%r14,%r11\n\tmovq\t%r15,%r12\n\tandq\t$3,%r12\n\tmovq\t%r15,%r13\n\tandq\t$-4,%r13\n\tmovq\t%r9,%r14\n\tshrdq\t$2,%r9,%r15\n\tshrq\t$2,%r9\n\taddq\t%r13,%r15\n\tadcq\t%r14,%r9\n\taddq\t%r15,%r10\n\tadcq\t%r9,%r11\n\tadcq\t$0,%r12\n\n\tleaq\t16(%rdi),%rdi\n\tvextracti128\t$1,%ymm0,%xmm0\n.Lseal_avx2_exit:\n\tvzeroupper\n\tjmp\t.Lseal_sse_tail_16\n.cfi_endproc\t\n.size\tchacha20_poly1305_seal_avx2, .-chacha20_poly1305_seal_avx2\n#endif\n#if defined(__linux__) && defined(__ELF__)\n.section .note.GNU-stack,\"\",%progbits\n#endif\n\n" }, { "path": "Sources/CNIOBoringSSL/gen/crypto/err_data.cc", "content": "/* Copyright 2015 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n /* This file was generated by go run ./util/pregenerate. */\n\n#include \n#include \n\n#include \n\nstatic_assert(ERR_LIB_NONE == 1, \"library value changed\");\nstatic_assert(ERR_LIB_SYS == 2, \"library value changed\");\nstatic_assert(ERR_LIB_BN == 3, \"library value changed\");\nstatic_assert(ERR_LIB_RSA == 4, \"library value changed\");\nstatic_assert(ERR_LIB_DH == 5, \"library value changed\");\nstatic_assert(ERR_LIB_EVP == 6, \"library value changed\");\nstatic_assert(ERR_LIB_BUF == 7, \"library value changed\");\nstatic_assert(ERR_LIB_OBJ == 8, \"library value changed\");\nstatic_assert(ERR_LIB_PEM == 9, \"library value changed\");\nstatic_assert(ERR_LIB_DSA == 10, \"library value changed\");\nstatic_assert(ERR_LIB_X509 == 11, \"library value changed\");\nstatic_assert(ERR_LIB_ASN1 == 12, \"library value changed\");\nstatic_assert(ERR_LIB_CONF == 13, \"library value changed\");\nstatic_assert(ERR_LIB_CRYPTO == 14, \"library value changed\");\nstatic_assert(ERR_LIB_EC == 15, \"library value changed\");\nstatic_assert(ERR_LIB_SSL == 16, \"library value changed\");\nstatic_assert(ERR_LIB_BIO == 17, \"library value changed\");\nstatic_assert(ERR_LIB_PKCS7 == 18, \"library value changed\");\nstatic_assert(ERR_LIB_PKCS8 == 19, \"library value changed\");\nstatic_assert(ERR_LIB_X509V3 == 20, \"library value changed\");\nstatic_assert(ERR_LIB_RAND == 21, \"library value changed\");\nstatic_assert(ERR_LIB_ENGINE == 22, \"library value changed\");\nstatic_assert(ERR_LIB_OCSP == 23, \"library value changed\");\nstatic_assert(ERR_LIB_UI == 24, \"library value changed\");\nstatic_assert(ERR_LIB_COMP == 25, \"library value changed\");\nstatic_assert(ERR_LIB_ECDSA == 26, \"library value changed\");\nstatic_assert(ERR_LIB_ECDH == 27, \"library value changed\");\nstatic_assert(ERR_LIB_HMAC == 28, \"library value changed\");\nstatic_assert(ERR_LIB_DIGEST == 29, \"library value changed\");\nstatic_assert(ERR_LIB_CIPHER == 30, \"library value changed\");\nstatic_assert(ERR_LIB_HKDF == 31, \"library value changed\");\nstatic_assert(ERR_LIB_TRUST_TOKEN == 32, \"library value changed\");\nstatic_assert(ERR_LIB_USER == 33, \"library value changed\");\nstatic_assert(ERR_NUM_LIBS == 34, \"number of libraries changed\");\n\nextern const uint32_t kOpenSSLReasonValues[];\nconst uint32_t kOpenSSLReasonValues[] = {\n 0xc320885,\n 0xc32889f,\n 0xc3308ae,\n 0xc3388be,\n 0xc3408cd,\n 0xc3488e6,\n 0xc3508f2,\n 0xc35890f,\n 0xc36092f,\n 0xc36893d,\n 0xc37094d,\n 0xc37895a,\n 0xc38096a,\n 0xc388975,\n 0xc39098b,\n 0xc39899a,\n 0xc3a09ae,\n 0xc3a8892,\n 0xc3b00f7,\n 0xc3b8921,\n 0x10320892,\n 0x10329672,\n 0x1033167e,\n 0x10339697,\n 0x103416aa,\n 0x10348f93,\n 0x10350cdf,\n 0x103596bd,\n 0x103616e7,\n 0x103696fa,\n 0x10371719,\n 0x10379732,\n 0x10381747,\n 0x10389765,\n 0x10391774,\n 0x10399790,\n 0x103a17ab,\n 0x103a97ba,\n 0x103b17d6,\n 0x103b97f1,\n 0x103c1817,\n 0x103c80f7,\n 0x103d1828,\n 0x103d983c,\n 0x103e185b,\n 0x103e986a,\n 0x103f1881,\n 0x103f9894,\n 0x10400ca3,\n 0x104098a7,\n 0x104118c5,\n 0x104198d8,\n 0x104218f2,\n 0x10429902,\n 0x10431916,\n 0x1043992c,\n 0x10441944,\n 0x10449959,\n 0x1045196d,\n 0x1045997f,\n 0x10460635,\n 0x1046899a,\n 0x10471994,\n 0x104799ab,\n 0x104819c0,\n 0x104899ce,\n 0x10490edf,\n 0x10499808,\n 0x104a16d2,\n 0x14320c73,\n 0x14328c94,\n 0x14330ca3,\n 0x14338cb5,\n 0x143400b9,\n 0x143480f7,\n 0x14350c81,\n 0x18320090,\n 0x18328fe9,\n 0x183300b9,\n 0x18338fff,\n 0x18341013,\n 0x183480f7,\n 0x18351032,\n 0x1835904a,\n 0x18361072,\n 0x18369086,\n 0x183710be,\n 0x183790d4,\n 0x183810e8,\n 0x183890f8,\n 0x18390ac0,\n 0x18399108,\n 0x183a112e,\n 0x183a9154,\n 0x183b0ceb,\n 0x183b91a3,\n 0x183c11b5,\n 0x183c91c0,\n 0x183d11d0,\n 0x183d91e1,\n 0x183e11f2,\n 0x183e9204,\n 0x183f122d,\n 0x183f9246,\n 0x1840125e,\n 0x1840870d,\n 0x18411177,\n 0x18419142,\n 0x18421161,\n 0x18428c81,\n 0x1843111d,\n 0x18439189,\n 0x18441028,\n 0x184490aa,\n 0x1845105f,\n 0x20321298,\n 0x20329285,\n 0x243212a4,\n 0x243289e0,\n 0x243312b6,\n 0x243392c3,\n 0x243412d0,\n 0x243492e2,\n 0x243512f1,\n 0x2435930e,\n 0x2436131b,\n 0x24369329,\n 0x24371337,\n 0x24379345,\n 0x2438134e,\n 0x2438935b,\n 0x2439136e,\n 0x24399385,\n 0x28320cd3,\n 0x28328ceb,\n 0x28330ca3,\n 0x28338cfe,\n 0x28340cdf,\n 0x283480b9,\n 0x283500f7,\n 0x28358c81,\n 0x2836099a,\n 0x2c323305,\n 0x2c3293a3,\n 0x2c333313,\n 0x2c33b325,\n 0x2c343339,\n 0x2c34b34b,\n 0x2c353366,\n 0x2c35b378,\n 0x2c3633a8,\n 0x2c36833a,\n 0x2c3733b5,\n 0x2c37b3e1,\n 0x2c38341f,\n 0x2c38b436,\n 0x2c393454,\n 0x2c39b464,\n 0x2c3a3476,\n 0x2c3ab48a,\n 0x2c3b349b,\n 0x2c3bb4ba,\n 0x2c3c13b5,\n 0x2c3c93cb,\n 0x2c3d34ff,\n 0x2c3d93e4,\n 0x2c3e3529,\n 0x2c3eb537,\n 0x2c3f354f,\n 0x2c3fb567,\n 0x2c403591,\n 0x2c409298,\n 0x2c4135a2,\n 0x2c41b5b5,\n 0x2c42125e,\n 0x2c42b5c6,\n 0x2c43076d,\n 0x2c43b4ac,\n 0x2c4433f4,\n 0x2c44b574,\n 0x2c45338b,\n 0x2c45b3c7,\n 0x2c463444,\n 0x2c46b4ce,\n 0x2c4734e3,\n 0x2c47b51c,\n 0x2c483406,\n 0x30320000,\n 0x30328015,\n 0x3033001f,\n 0x30338038,\n 0x30340057,\n 0x30348071,\n 0x30350078,\n 0x30358090,\n 0x303600a1,\n 0x303680b9,\n 0x303700c6,\n 0x303780d5,\n 0x303800f7,\n 0x30388104,\n 0x30390117,\n 0x30398132,\n 0x303a0147,\n 0x303a815b,\n 0x303b016f,\n 0x303b8180,\n 0x303c0199,\n 0x303c81b6,\n 0x303d01c4,\n 0x303d81d8,\n 0x303e01e8,\n 0x303e8201,\n 0x303f0211,\n 0x303f8224,\n 0x30400233,\n 0x3040823f,\n 0x30410254,\n 0x30418264,\n 0x3042027b,\n 0x30428288,\n 0x3043029b,\n 0x304382aa,\n 0x304402bf,\n 0x304482e0,\n 0x304502f3,\n 0x30458306,\n 0x3046031f,\n 0x3046833a,\n 0x30470372,\n 0x30478384,\n 0x304803a2,\n 0x304883b3,\n 0x304903c2,\n 0x304983da,\n 0x304a03ec,\n 0x304a8400,\n 0x304b0418,\n 0x304b842b,\n 0x304c0436,\n 0x304c8447,\n 0x304d0453,\n 0x304d8469,\n 0x304e0477,\n 0x304e848d,\n 0x304f049f,\n 0x304f84b1,\n 0x305004d4,\n 0x305084e7,\n 0x305104f8,\n 0x30518508,\n 0x30520520,\n 0x30528535,\n 0x3053054d,\n 0x30538561,\n 0x30540579,\n 0x30548592,\n 0x305505ab,\n 0x305585c8,\n 0x305605d3,\n 0x305685eb,\n 0x305705fb,\n 0x3057860c,\n 0x3058061f,\n 0x30588635,\n 0x3059063e,\n 0x30598653,\n 0x305a0666,\n 0x305a8675,\n 0x305b0695,\n 0x305b86a4,\n 0x305c06c5,\n 0x305c86e1,\n 0x305d06ed,\n 0x305d870d,\n 0x305e0729,\n 0x305e874d,\n 0x305f0763,\n 0x305f876d,\n 0x306004c4,\n 0x3060804a,\n 0x30610357,\n 0x3061873a,\n 0x30620392,\n 0x34320bb0,\n 0x34328bc4,\n 0x34330be1,\n 0x34338bf4,\n 0x34340c03,\n 0x34348c5d,\n 0x34350c41,\n 0x34358c20,\n 0x3c320090,\n 0x3c328d28,\n 0x3c330d41,\n 0x3c338d5c,\n 0x3c340d79,\n 0x3c348da3,\n 0x3c350dbe,\n 0x3c358de4,\n 0x3c360dfd,\n 0x3c368e15,\n 0x3c370e26,\n 0x3c378e34,\n 0x3c380e41,\n 0x3c388e55,\n 0x3c390ceb,\n 0x3c398e78,\n 0x3c3a0e8c,\n 0x3c3a895a,\n 0x3c3b0e9c,\n 0x3c3b8eb7,\n 0x3c3c0ec9,\n 0x3c3c8efc,\n 0x3c3d0f06,\n 0x3c3d8f1a,\n 0x3c3e0f28,\n 0x3c3e8f4d,\n 0x3c3f0d14,\n 0x3c3f8f36,\n 0x3c4000b9,\n 0x3c4080f7,\n 0x3c410d94,\n 0x3c418dd3,\n 0x3c420edf,\n 0x3c428e69,\n 0x40321a3a,\n 0x40329a50,\n 0x40331a7e,\n 0x40339a88,\n 0x40341a9f,\n 0x40349abd,\n 0x40351acd,\n 0x40359adf,\n 0x40361aec,\n 0x40369af8,\n 0x40371b0d,\n 0x40379b1f,\n 0x40381b2a,\n 0x40389b3c,\n 0x40390f93,\n 0x40399b4c,\n 0x403a1b5f,\n 0x403a9b80,\n 0x403b1b91,\n 0x403b9ba1,\n 0x403c0071,\n 0x403c8090,\n 0x403d1c02,\n 0x403d9c18,\n 0x403e1c27,\n 0x403e9c5f,\n 0x403f1c79,\n 0x403f9ca1,\n 0x40401cb6,\n 0x40409cca,\n 0x40411d05,\n 0x40419d20,\n 0x40421d39,\n 0x40429d4c,\n 0x40431d60,\n 0x40439d8e,\n 0x40441da5,\n 0x404480b9,\n 0x40451dba,\n 0x40459dcc,\n 0x40461df0,\n 0x40469e10,\n 0x40471e1e,\n 0x40479e45,\n 0x40481eb6,\n 0x40489f70,\n 0x40491f87,\n 0x40499fa1,\n 0x404a1fb8,\n 0x404a9fd6,\n 0x404b1fee,\n 0x404ba01b,\n 0x404c2031,\n 0x404ca043,\n 0x404d2064,\n 0x404da09d,\n 0x404e20b1,\n 0x404ea0be,\n 0x404f216f,\n 0x404fa1e5,\n 0x40502254,\n 0x4050a268,\n 0x4051229b,\n 0x405222ab,\n 0x4052a2cf,\n 0x405322e7,\n 0x4053a2fa,\n 0x4054230f,\n 0x4054a332,\n 0x4055235d,\n 0x4055a39a,\n 0x405623bf,\n 0x4056a3d8,\n 0x405723f0,\n 0x4057a403,\n 0x40582418,\n 0x4058a43f,\n 0x4059246e,\n 0x4059a4ae,\n 0x405aa4c2,\n 0x405b24da,\n 0x405ba4eb,\n 0x405c24fe,\n 0x405ca53d,\n 0x405d254a,\n 0x405da56f,\n 0x405e25ad,\n 0x405e8afe,\n 0x405f25ce,\n 0x405fa5db,\n 0x406025e9,\n 0x4060a60b,\n 0x4061266c,\n 0x4061a6a4,\n 0x406226bb,\n 0x4062a6cc,\n 0x40632719,\n 0x4063a72e,\n 0x40642745,\n 0x4064a771,\n 0x4065278c,\n 0x4065a7a3,\n 0x406627bb,\n 0x4066a7e5,\n 0x40672810,\n 0x4067a855,\n 0x4068289d,\n 0x4068a8be,\n 0x406928f0,\n 0x4069a91e,\n 0x406a293f,\n 0x406aa95f,\n 0x406b2ae7,\n 0x406bab0a,\n 0x406c2b20,\n 0x406cae2a,\n 0x406d2e59,\n 0x406dae81,\n 0x406e2eaf,\n 0x406eaefc,\n 0x406f2f55,\n 0x406faf8d,\n 0x40702fa0,\n 0x4070afbd,\n 0x4071084d,\n 0x4071afcf,\n 0x40722fe2,\n 0x4072b018,\n 0x40733030,\n 0x407395cd,\n 0x40743044,\n 0x4074b05e,\n 0x4075306f,\n 0x4075b083,\n 0x40763091,\n 0x4076935b,\n 0x407730b6,\n 0x4077b0f6,\n 0x40783111,\n 0x4078b14a,\n 0x40793161,\n 0x4079b177,\n 0x407a31a3,\n 0x407ab1b6,\n 0x407b31cb,\n 0x407bb1dd,\n 0x407c320e,\n 0x407cb217,\n 0x407d28d9,\n 0x407da20d,\n 0x407e3126,\n 0x407ea44f,\n 0x407f1e32,\n 0x407fa005,\n 0x4080217f,\n 0x40809e5a,\n 0x408122bd,\n 0x4081a10c,\n 0x40822e9a,\n 0x40829bad,\n 0x4083242a,\n 0x4083a756,\n 0x40841e6e,\n 0x4084a487,\n 0x4085250f,\n 0x4085a633,\n 0x4086258f,\n 0x4086a227,\n 0x40872ee0,\n 0x4087a681,\n 0x40881beb,\n 0x4088a868,\n 0x40891c3a,\n 0x40899bc7,\n 0x408a2b58,\n 0x408a99e5,\n 0x408b31f2,\n 0x408baf6a,\n 0x408c251f,\n 0x408d1f56,\n 0x408d9ea0,\n 0x408e2086,\n 0x408ea37a,\n 0x408f287c,\n 0x408fa64f,\n 0x40902831,\n 0x4090a561,\n 0x40912b40,\n 0x40919a1d,\n 0x40921c87,\n 0x4092af1b,\n 0x40932ffb,\n 0x4093a238,\n 0x40941e82,\n 0x4094ab71,\n 0x409526dd,\n 0x4095b183,\n 0x40962ec7,\n 0x4096a198,\n 0x40972283,\n 0x4097a0d5,\n 0x40981ce7,\n 0x4098a6f1,\n 0x40992f37,\n 0x4099a3a7,\n 0x409a2340,\n 0x409a9a01,\n 0x409b1edc,\n 0x409b9f07,\n 0x409c30d8,\n 0x409c9f2f,\n 0x409d2154,\n 0x409da122,\n 0x409e1d78,\n 0x409ea1cd,\n 0x409f21b5,\n 0x409f9ecf,\n 0x40a021f5,\n 0x40a0a0ef,\n 0x40a1213d,\n 0x40a1a49b,\n 0x41f42a12,\n 0x41f92aa4,\n 0x41fe2997,\n 0x41feac4d,\n 0x41ff2d7b,\n 0x42032a2b,\n 0x42082a4d,\n 0x4208aa89,\n 0x4209297b,\n 0x4209aac3,\n 0x420a29d2,\n 0x420aa9b2,\n 0x420b29f2,\n 0x420baa6b,\n 0x420c2d97,\n 0x420cab81,\n 0x420d2c34,\n 0x420dac6b,\n 0x42122c9e,\n 0x42172d5e,\n 0x4217ace0,\n 0x421c2d02,\n 0x421f2cbd,\n 0x42212e0f,\n 0x42262d41,\n 0x422b2ded,\n 0x422bac0f,\n 0x422c2dcf,\n 0x422cabc2,\n 0x422d2b9b,\n 0x422dadae,\n 0x422e2bee,\n 0x42302d1d,\n 0x4230ac85,\n 0x44320778,\n 0x44328787,\n 0x44330793,\n 0x443387a1,\n 0x443407b4,\n 0x443487c5,\n 0x443507cc,\n 0x443587d6,\n 0x443607e9,\n 0x443687ff,\n 0x44370811,\n 0x4437881e,\n 0x4438082d,\n 0x44388835,\n 0x4439084d,\n 0x4439885b,\n 0x443a086e,\n 0x483213a3,\n 0x483293b5,\n 0x483313cb,\n 0x483393e4,\n 0x4c321421,\n 0x4c329431,\n 0x4c331444,\n 0x4c339464,\n 0x4c3400b9,\n 0x4c3480f7,\n 0x4c351470,\n 0x4c35947e,\n 0x4c36149a,\n 0x4c3694c0,\n 0x4c3714cf,\n 0x4c3794dd,\n 0x4c3814f2,\n 0x4c3894fe,\n 0x4c39151e,\n 0x4c399548,\n 0x4c3a1561,\n 0x4c3a957a,\n 0x4c3b0635,\n 0x4c3b9593,\n 0x4c3c15a5,\n 0x4c3c95b4,\n 0x4c3d15cd,\n 0x4c3d8cc6,\n 0x4c3e163a,\n 0x4c3e95dc,\n 0x4c3f165c,\n 0x4c3f935b,\n 0x4c4015f2,\n 0x4c40940d,\n 0x4c41162a,\n 0x4c4194ad,\n 0x4c421616,\n 0x4c4293f5,\n 0x503235d8,\n 0x5032b5e7,\n 0x503335f2,\n 0x5033b602,\n 0x5034361b,\n 0x5034b635,\n 0x50353643,\n 0x5035b659,\n 0x5036366b,\n 0x5036b681,\n 0x5037369a,\n 0x5037b6ad,\n 0x503836c5,\n 0x5038b6d6,\n 0x503936eb,\n 0x5039b6ff,\n 0x503a371f,\n 0x503ab735,\n 0x503b374d,\n 0x503bb75f,\n 0x503c377b,\n 0x503cb792,\n 0x503d37ab,\n 0x503db7c1,\n 0x503e37ce,\n 0x503eb7e4,\n 0x503f37f6,\n 0x503f83b3,\n 0x50403809,\n 0x5040b819,\n 0x50413833,\n 0x5041b842,\n 0x5042385c,\n 0x5042b879,\n 0x50433889,\n 0x5043b899,\n 0x504438b6,\n 0x50448469,\n 0x504538ca,\n 0x5045b8e8,\n 0x504638fb,\n 0x5046b911,\n 0x50473923,\n 0x5047b938,\n 0x5048395e,\n 0x5048b96c,\n 0x5049397f,\n 0x5049b994,\n 0x504a39aa,\n 0x504ab9ba,\n 0x504b39da,\n 0x504bb9ed,\n 0x504c3a10,\n 0x504cba3e,\n 0x504d3a6b,\n 0x504dba88,\n 0x504e3aa3,\n 0x504ebabf,\n 0x504f3ad1,\n 0x504fbae8,\n 0x50503af7,\n 0x50508729,\n 0x50513b0a,\n 0x5051b8a8,\n 0x50523a50,\n 0x58320fd1,\n 0x68320f93,\n 0x68328ceb,\n 0x68330cfe,\n 0x68338fa1,\n 0x68340fb1,\n 0x683480f7,\n 0x6835099a,\n 0x6c320f59,\n 0x6c328cb5,\n 0x6c330f64,\n 0x6c338f7d,\n 0x74320a66,\n 0x743280b9,\n 0x74330cc6,\n 0x783209cb,\n 0x783289e0,\n 0x783309ec,\n 0x78338090,\n 0x783409fb,\n 0x78348a10,\n 0x78350a2f,\n 0x78358a51,\n 0x78360a66,\n 0x78368a7c,\n 0x78370a8c,\n 0x78378aad,\n 0x78380ac0,\n 0x78388ad2,\n 0x78390adf,\n 0x78398afe,\n 0x783a0b13,\n 0x783a8b21,\n 0x783b0b2b,\n 0x783b8b3f,\n 0x783c0b56,\n 0x783c8b6b,\n 0x783d0b82,\n 0x783d8b97,\n 0x783e0aed,\n 0x783e8a9f,\n 0x7c321274,\n 0x803214c0,\n 0x80328090,\n 0x803332d4,\n 0x803380b9,\n 0x803432e3,\n 0x8034b24b,\n 0x80353269,\n 0x8035b2f7,\n 0x803632ab,\n 0x8036b25a,\n 0x8037329d,\n 0x8037b238,\n 0x803832be,\n 0x8038b27a,\n 0x8039328f,\n};\n\nextern const size_t kOpenSSLReasonValuesLen;\nconst size_t kOpenSSLReasonValuesLen = sizeof(kOpenSSLReasonValues) / sizeof(kOpenSSLReasonValues[0]);\n\nextern const char kOpenSSLReasonStringData[];\nconst char kOpenSSLReasonStringData[] =\n \"ASN1_LENGTH_MISMATCH\\0\"\n \"AUX_ERROR\\0\"\n \"BAD_GET_ASN1_OBJECT_CALL\\0\"\n \"BAD_OBJECT_HEADER\\0\"\n \"BAD_TEMPLATE\\0\"\n \"BMPSTRING_IS_WRONG_LENGTH\\0\"\n \"BN_LIB\\0\"\n \"BOOLEAN_IS_WRONG_LENGTH\\0\"\n \"BUFFER_TOO_SMALL\\0\"\n \"CONTEXT_NOT_INITIALISED\\0\"\n \"DECODE_ERROR\\0\"\n \"DEPTH_EXCEEDED\\0\"\n \"DIGEST_AND_KEY_TYPE_NOT_SUPPORTED\\0\"\n \"ENCODE_ERROR\\0\"\n \"ERROR_GETTING_TIME\\0\"\n \"EXPECTING_AN_ASN1_SEQUENCE\\0\"\n \"EXPECTING_AN_INTEGER\\0\"\n \"EXPECTING_AN_OBJECT\\0\"\n \"EXPECTING_A_BOOLEAN\\0\"\n \"EXPECTING_A_TIME\\0\"\n \"EXPLICIT_LENGTH_MISMATCH\\0\"\n \"EXPLICIT_TAG_NOT_CONSTRUCTED\\0\"\n \"FIELD_MISSING\\0\"\n \"FIRST_NUM_TOO_LARGE\\0\"\n \"HEADER_TOO_LONG\\0\"\n \"ILLEGAL_BITSTRING_FORMAT\\0\"\n \"ILLEGAL_BOOLEAN\\0\"\n \"ILLEGAL_CHARACTERS\\0\"\n \"ILLEGAL_FORMAT\\0\"\n \"ILLEGAL_HEX\\0\"\n \"ILLEGAL_IMPLICIT_TAG\\0\"\n \"ILLEGAL_INTEGER\\0\"\n \"ILLEGAL_NESTED_TAGGING\\0\"\n \"ILLEGAL_NULL\\0\"\n \"ILLEGAL_NULL_VALUE\\0\"\n \"ILLEGAL_OBJECT\\0\"\n \"ILLEGAL_OPTIONAL_ANY\\0\"\n \"ILLEGAL_OPTIONS_ON_ITEM_TEMPLATE\\0\"\n \"ILLEGAL_TAGGED_ANY\\0\"\n \"ILLEGAL_TIME_VALUE\\0\"\n \"INTEGER_NOT_ASCII_FORMAT\\0\"\n \"INTEGER_TOO_LARGE_FOR_LONG\\0\"\n \"INVALID_BIT_STRING_BITS_LEFT\\0\"\n \"INVALID_BIT_STRING_PADDING\\0\"\n \"INVALID_BMPSTRING\\0\"\n \"INVALID_DIGIT\\0\"\n \"INVALID_INTEGER\\0\"\n \"INVALID_MODIFIER\\0\"\n \"INVALID_NUMBER\\0\"\n \"INVALID_OBJECT_ENCODING\\0\"\n \"INVALID_SEPARATOR\\0\"\n \"INVALID_TIME_FORMAT\\0\"\n \"INVALID_UNIVERSALSTRING\\0\"\n \"INVALID_UTF8STRING\\0\"\n \"LIST_ERROR\\0\"\n \"MISSING_ASN1_EOS\\0\"\n \"MISSING_EOC\\0\"\n \"MISSING_SECOND_NUMBER\\0\"\n \"MISSING_VALUE\\0\"\n \"MSTRING_NOT_UNIVERSAL\\0\"\n \"MSTRING_WRONG_TAG\\0\"\n \"NESTED_ASN1_ERROR\\0\"\n \"NESTED_ASN1_STRING\\0\"\n \"NESTED_TOO_DEEP\\0\"\n \"NON_HEX_CHARACTERS\\0\"\n \"NOT_ASCII_FORMAT\\0\"\n \"NOT_ENOUGH_DATA\\0\"\n \"NO_MATCHING_CHOICE_TYPE\\0\"\n \"NULL_IS_WRONG_LENGTH\\0\"\n \"OBJECT_NOT_ASCII_FORMAT\\0\"\n \"ODD_NUMBER_OF_CHARS\\0\"\n \"SECOND_NUMBER_TOO_LARGE\\0\"\n \"SEQUENCE_LENGTH_MISMATCH\\0\"\n \"SEQUENCE_NOT_CONSTRUCTED\\0\"\n \"SEQUENCE_OR_SET_NEEDS_CONFIG\\0\"\n \"SHORT_LINE\\0\"\n \"STREAMING_NOT_SUPPORTED\\0\"\n \"STRING_TOO_LONG\\0\"\n \"STRING_TOO_SHORT\\0\"\n \"TAG_VALUE_TOO_HIGH\\0\"\n \"TIME_NOT_ASCII_FORMAT\\0\"\n \"TOO_LONG\\0\"\n \"TYPE_NOT_CONSTRUCTED\\0\"\n \"TYPE_NOT_PRIMITIVE\\0\"\n \"UNEXPECTED_EOC\\0\"\n \"UNIVERSALSTRING_IS_WRONG_LENGTH\\0\"\n \"UNKNOWN_FORMAT\\0\"\n \"UNKNOWN_MESSAGE_DIGEST_ALGORITHM\\0\"\n \"UNKNOWN_SIGNATURE_ALGORITHM\\0\"\n \"UNKNOWN_TAG\\0\"\n \"UNSUPPORTED_ANY_DEFINED_BY_TYPE\\0\"\n \"UNSUPPORTED_PUBLIC_KEY_TYPE\\0\"\n \"UNSUPPORTED_TYPE\\0\"\n \"WRONG_INTEGER_TYPE\\0\"\n \"WRONG_PUBLIC_KEY_TYPE\\0\"\n \"WRONG_TAG\\0\"\n \"WRONG_TYPE\\0\"\n \"BAD_FOPEN_MODE\\0\"\n \"BROKEN_PIPE\\0\"\n \"CONNECT_ERROR\\0\"\n \"ERROR_SETTING_NBIO\\0\"\n \"INVALID_ARGUMENT\\0\"\n \"IN_USE\\0\"\n \"KEEPALIVE\\0\"\n \"NBIO_CONNECT_ERROR\\0\"\n \"NO_HOSTNAME_SPECIFIED\\0\"\n \"NO_PORT_SPECIFIED\\0\"\n \"NO_SUCH_FILE\\0\"\n \"NULL_PARAMETER\\0\"\n \"SYS_LIB\\0\"\n \"UNABLE_TO_CREATE_SOCKET\\0\"\n \"UNINITIALIZED\\0\"\n \"UNSUPPORTED_METHOD\\0\"\n \"WRITE_TO_READ_ONLY_BIO\\0\"\n \"ARG2_LT_ARG3\\0\"\n \"BAD_ENCODING\\0\"\n \"BAD_RECIPROCAL\\0\"\n \"BIGNUM_TOO_LONG\\0\"\n \"BITS_TOO_SMALL\\0\"\n \"CALLED_WITH_EVEN_MODULUS\\0\"\n \"DIV_BY_ZERO\\0\"\n \"EXPAND_ON_STATIC_BIGNUM_DATA\\0\"\n \"INPUT_NOT_REDUCED\\0\"\n \"INVALID_INPUT\\0\"\n \"INVALID_RANGE\\0\"\n \"NEGATIVE_NUMBER\\0\"\n \"NOT_A_SQUARE\\0\"\n \"NOT_INITIALIZED\\0\"\n \"NO_INVERSE\\0\"\n \"PRIVATE_KEY_TOO_LARGE\\0\"\n \"P_IS_NOT_PRIME\\0\"\n \"TOO_MANY_ITERATIONS\\0\"\n \"TOO_MANY_TEMPORARY_VARIABLES\\0\"\n \"AES_KEY_SETUP_FAILED\\0\"\n \"BAD_DECRYPT\\0\"\n \"BAD_KEY_LENGTH\\0\"\n \"CTRL_NOT_IMPLEMENTED\\0\"\n \"CTRL_OPERATION_NOT_IMPLEMENTED\\0\"\n \"DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH\\0\"\n \"INITIALIZATION_ERROR\\0\"\n \"INPUT_NOT_INITIALIZED\\0\"\n \"INVALID_AD_SIZE\\0\"\n \"INVALID_KEY_LENGTH\\0\"\n \"INVALID_NONCE\\0\"\n \"INVALID_NONCE_SIZE\\0\"\n \"INVALID_OPERATION\\0\"\n \"IV_TOO_LARGE\\0\"\n \"NO_CIPHER_SET\\0\"\n \"NO_DIRECTION_SET\\0\"\n \"OUTPUT_ALIASES_INPUT\\0\"\n \"TAG_TOO_LARGE\\0\"\n \"TOO_LARGE\\0\"\n \"UNSUPPORTED_AD_SIZE\\0\"\n \"UNSUPPORTED_INPUT_SIZE\\0\"\n \"UNSUPPORTED_KEY_SIZE\\0\"\n \"UNSUPPORTED_NONCE_SIZE\\0\"\n \"UNSUPPORTED_TAG_SIZE\\0\"\n \"WRONG_FINAL_BLOCK_LENGTH\\0\"\n \"LIST_CANNOT_BE_NULL\\0\"\n \"MISSING_CLOSE_SQUARE_BRACKET\\0\"\n \"MISSING_EQUAL_SIGN\\0\"\n \"NO_CLOSE_BRACE\\0\"\n \"UNABLE_TO_CREATE_NEW_SECTION\\0\"\n \"VARIABLE_EXPANSION_NOT_SUPPORTED\\0\"\n \"VARIABLE_EXPANSION_TOO_LONG\\0\"\n \"VARIABLE_HAS_NO_VALUE\\0\"\n \"BAD_GENERATOR\\0\"\n \"INVALID_PARAMETERS\\0\"\n \"INVALID_PUBKEY\\0\"\n \"MODULUS_TOO_LARGE\\0\"\n \"NO_PRIVATE_VALUE\\0\"\n \"UNKNOWN_HASH\\0\"\n \"BAD_Q_VALUE\\0\"\n \"BAD_VERSION\\0\"\n \"MISSING_PARAMETERS\\0\"\n \"NEED_NEW_SETUP_VALUES\\0\"\n \"BIGNUM_OUT_OF_RANGE\\0\"\n \"COORDINATES_OUT_OF_RANGE\\0\"\n \"D2I_ECPKPARAMETERS_FAILURE\\0\"\n \"EC_GROUP_NEW_BY_NAME_FAILURE\\0\"\n \"GROUP2PKPARAMETERS_FAILURE\\0\"\n \"GROUP_MISMATCH\\0\"\n \"I2D_ECPKPARAMETERS_FAILURE\\0\"\n \"INCOMPATIBLE_OBJECTS\\0\"\n \"INVALID_COFACTOR\\0\"\n \"INVALID_COMPRESSED_POINT\\0\"\n \"INVALID_COMPRESSION_BIT\\0\"\n \"INVALID_ENCODING\\0\"\n \"INVALID_FIELD\\0\"\n \"INVALID_FORM\\0\"\n \"INVALID_GROUP_ORDER\\0\"\n \"INVALID_PRIVATE_KEY\\0\"\n \"INVALID_SCALAR\\0\"\n \"MISSING_PRIVATE_KEY\\0\"\n \"NON_NAMED_CURVE\\0\"\n \"PKPARAMETERS2GROUP_FAILURE\\0\"\n \"POINT_AT_INFINITY\\0\"\n \"POINT_IS_NOT_ON_CURVE\\0\"\n \"PUBLIC_KEY_VALIDATION_FAILED\\0\"\n \"SLOT_FULL\\0\"\n \"UNDEFINED_GENERATOR\\0\"\n \"UNKNOWN_GROUP\\0\"\n \"UNKNOWN_ORDER\\0\"\n \"WRONG_CURVE_PARAMETERS\\0\"\n \"WRONG_ORDER\\0\"\n \"KDF_FAILED\\0\"\n \"POINT_ARITHMETIC_FAILURE\\0\"\n \"UNKNOWN_DIGEST_LENGTH\\0\"\n \"BAD_SIGNATURE\\0\"\n \"NOT_IMPLEMENTED\\0\"\n \"RANDOM_NUMBER_GENERATION_FAILED\\0\"\n \"OPERATION_NOT_SUPPORTED\\0\"\n \"COMMAND_NOT_SUPPORTED\\0\"\n \"DIFFERENT_KEY_TYPES\\0\"\n \"DIFFERENT_PARAMETERS\\0\"\n \"EMPTY_PSK\\0\"\n \"EXPECTING_AN_EC_KEY_KEY\\0\"\n \"EXPECTING_AN_RSA_KEY\\0\"\n \"EXPECTING_A_DH_KEY\\0\"\n \"EXPECTING_A_DSA_KEY\\0\"\n \"ILLEGAL_OR_UNSUPPORTED_PADDING_MODE\\0\"\n \"INVALID_BUFFER_SIZE\\0\"\n \"INVALID_DIGEST_LENGTH\\0\"\n \"INVALID_DIGEST_TYPE\\0\"\n \"INVALID_KEYBITS\\0\"\n \"INVALID_MGF1_MD\\0\"\n \"INVALID_PADDING_MODE\\0\"\n \"INVALID_PEER_KEY\\0\"\n \"INVALID_PSS_SALTLEN\\0\"\n \"INVALID_SIGNATURE\\0\"\n \"KEYS_NOT_SET\\0\"\n \"MEMORY_LIMIT_EXCEEDED\\0\"\n \"NOT_A_PRIVATE_KEY\\0\"\n \"NOT_XOF_OR_INVALID_LENGTH\\0\"\n \"NO_DEFAULT_DIGEST\\0\"\n \"NO_KEY_SET\\0\"\n \"NO_MDC2_SUPPORT\\0\"\n \"NO_NID_FOR_CURVE\\0\"\n \"NO_OPERATION_SET\\0\"\n \"NO_PARAMETERS_SET\\0\"\n \"OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE\\0\"\n \"OPERATON_NOT_INITIALIZED\\0\"\n \"UNKNOWN_PUBLIC_KEY_TYPE\\0\"\n \"UNSUPPORTED_ALGORITHM\\0\"\n \"OUTPUT_TOO_LARGE\\0\"\n \"INVALID_OID_STRING\\0\"\n \"UNKNOWN_NID\\0\"\n \"BAD_BASE64_DECODE\\0\"\n \"BAD_END_LINE\\0\"\n \"BAD_IV_CHARS\\0\"\n \"BAD_PASSWORD_READ\\0\"\n \"CIPHER_IS_NULL\\0\"\n \"ERROR_CONVERTING_PRIVATE_KEY\\0\"\n \"NOT_DEK_INFO\\0\"\n \"NOT_ENCRYPTED\\0\"\n \"NOT_PROC_TYPE\\0\"\n \"NO_START_LINE\\0\"\n \"READ_KEY\\0\"\n \"SHORT_HEADER\\0\"\n \"UNSUPPORTED_CIPHER\\0\"\n \"UNSUPPORTED_ENCRYPTION\\0\"\n \"UNSUPPORTED_PROC_TYPE_VERSION\\0\"\n \"BAD_PKCS7_VERSION\\0\"\n \"NOT_PKCS7_SIGNED_DATA\\0\"\n \"NO_CERTIFICATES_INCLUDED\\0\"\n \"NO_CRLS_INCLUDED\\0\"\n \"AMBIGUOUS_FRIENDLY_NAME\\0\"\n \"BAD_ITERATION_COUNT\\0\"\n \"BAD_PKCS12_DATA\\0\"\n \"BAD_PKCS12_VERSION\\0\"\n \"CIPHER_HAS_NO_OBJECT_IDENTIFIER\\0\"\n \"CRYPT_ERROR\\0\"\n \"ENCRYPT_ERROR\\0\"\n \"ERROR_SETTING_CIPHER_PARAMS\\0\"\n \"INCORRECT_PASSWORD\\0\"\n \"INVALID_CHARACTERS\\0\"\n \"KEYGEN_FAILURE\\0\"\n \"KEY_GEN_ERROR\\0\"\n \"METHOD_NOT_SUPPORTED\\0\"\n \"MISSING_MAC\\0\"\n \"MULTIPLE_PRIVATE_KEYS_IN_PKCS12\\0\"\n \"PKCS12_PUBLIC_KEY_INTEGRITY_NOT_SUPPORTED\\0\"\n \"PKCS12_TOO_DEEPLY_NESTED\\0\"\n \"PRIVATE_KEY_DECODE_ERROR\\0\"\n \"PRIVATE_KEY_ENCODE_ERROR\\0\"\n \"UNKNOWN_ALGORITHM\\0\"\n \"UNKNOWN_CIPHER\\0\"\n \"UNKNOWN_CIPHER_ALGORITHM\\0\"\n \"UNKNOWN_DIGEST\\0\"\n \"UNSUPPORTED_KEYLENGTH\\0\"\n \"UNSUPPORTED_KEY_DERIVATION_FUNCTION\\0\"\n \"UNSUPPORTED_OPTIONS\\0\"\n \"UNSUPPORTED_PRF\\0\"\n \"UNSUPPORTED_PRIVATE_KEY_ALGORITHM\\0\"\n \"UNSUPPORTED_SALT_TYPE\\0\"\n \"BAD_E_VALUE\\0\"\n \"BAD_FIXED_HEADER_DECRYPT\\0\"\n \"BAD_PAD_BYTE_COUNT\\0\"\n \"BAD_RSA_PARAMETERS\\0\"\n \"BLOCK_TYPE_IS_NOT_01\\0\"\n \"BLOCK_TYPE_IS_NOT_02\\0\"\n \"BN_NOT_INITIALIZED\\0\"\n \"CANNOT_RECOVER_MULTI_PRIME_KEY\\0\"\n \"CRT_PARAMS_ALREADY_GIVEN\\0\"\n \"CRT_VALUES_INCORRECT\\0\"\n \"DATA_LEN_NOT_EQUAL_TO_MOD_LEN\\0\"\n \"DATA_TOO_LARGE\\0\"\n \"DATA_TOO_LARGE_FOR_KEY_SIZE\\0\"\n \"DATA_TOO_LARGE_FOR_MODULUS\\0\"\n \"DATA_TOO_SMALL\\0\"\n \"DATA_TOO_SMALL_FOR_KEY_SIZE\\0\"\n \"DIGEST_TOO_BIG_FOR_RSA_KEY\\0\"\n \"D_E_NOT_CONGRUENT_TO_1\\0\"\n \"D_OUT_OF_RANGE\\0\"\n \"EMPTY_PUBLIC_KEY\\0\"\n \"FIRST_OCTET_INVALID\\0\"\n \"INCONSISTENT_SET_OF_CRT_VALUES\\0\"\n \"INTERNAL_ERROR\\0\"\n \"INVALID_MESSAGE_LENGTH\\0\"\n \"KEY_SIZE_TOO_SMALL\\0\"\n \"LAST_OCTET_INVALID\\0\"\n \"MUST_HAVE_AT_LEAST_TWO_PRIMES\\0\"\n \"NO_PUBLIC_EXPONENT\\0\"\n \"NULL_BEFORE_BLOCK_MISSING\\0\"\n \"N_NOT_EQUAL_P_Q\\0\"\n \"OAEP_DECODING_ERROR\\0\"\n \"ONLY_ONE_OF_P_Q_GIVEN\\0\"\n \"OUTPUT_BUFFER_TOO_SMALL\\0\"\n \"PADDING_CHECK_FAILED\\0\"\n \"PKCS_DECODING_ERROR\\0\"\n \"SLEN_CHECK_FAILED\\0\"\n \"SLEN_RECOVERY_FAILED\\0\"\n \"UNKNOWN_ALGORITHM_TYPE\\0\"\n \"UNKNOWN_PADDING_TYPE\\0\"\n \"VALUE_MISSING\\0\"\n \"WRONG_SIGNATURE_LENGTH\\0\"\n \"ALPN_MISMATCH_ON_EARLY_DATA\\0\"\n \"ALPS_MISMATCH_ON_EARLY_DATA\\0\"\n \"APPLICATION_DATA_ON_SHUTDOWN\\0\"\n \"APP_DATA_IN_HANDSHAKE\\0\"\n \"ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT\\0\"\n \"BAD_ALERT\\0\"\n \"BAD_CHANGE_CIPHER_SPEC\\0\"\n \"BAD_DATA_RETURNED_BY_CALLBACK\\0\"\n \"BAD_DH_P_LENGTH\\0\"\n \"BAD_DIGEST_LENGTH\\0\"\n \"BAD_ECC_CERT\\0\"\n \"BAD_ECPOINT\\0\"\n \"BAD_HANDSHAKE_RECORD\\0\"\n \"BAD_HELLO_REQUEST\\0\"\n \"BAD_LENGTH\\0\"\n \"BAD_PACKET_LENGTH\\0\"\n \"BAD_RSA_ENCRYPT\\0\"\n \"BAD_SRTP_MKI_VALUE\\0\"\n \"BAD_SRTP_PROTECTION_PROFILE_LIST\\0\"\n \"BAD_SSL_FILETYPE\\0\"\n \"BAD_WRITE_RETRY\\0\"\n \"BIO_NOT_SET\\0\"\n \"BLOCK_CIPHER_PAD_IS_WRONG\\0\"\n \"CANNOT_HAVE_BOTH_PRIVKEY_AND_METHOD\\0\"\n \"CANNOT_PARSE_LEAF_CERT\\0\"\n \"CA_DN_LENGTH_MISMATCH\\0\"\n \"CA_DN_TOO_LONG\\0\"\n \"CCS_RECEIVED_EARLY\\0\"\n \"CERTIFICATE_AND_PRIVATE_KEY_MISMATCH\\0\"\n \"CERTIFICATE_VERIFY_FAILED\\0\"\n \"CERT_CB_ERROR\\0\"\n \"CERT_DECOMPRESSION_FAILED\\0\"\n \"CERT_LENGTH_MISMATCH\\0\"\n \"CHANNEL_ID_NOT_P256\\0\"\n \"CHANNEL_ID_SIGNATURE_INVALID\\0\"\n \"CIPHER_MISMATCH_ON_EARLY_DATA\\0\"\n \"CIPHER_OR_HASH_UNAVAILABLE\\0\"\n \"CLIENTHELLO_PARSE_FAILED\\0\"\n \"CLIENTHELLO_TLSEXT\\0\"\n \"CONNECTION_REJECTED\\0\"\n \"CONNECTION_TYPE_NOT_SET\\0\"\n \"COULD_NOT_PARSE_HINTS\\0\"\n \"CUSTOM_EXTENSION_ERROR\\0\"\n \"DATA_LENGTH_TOO_LONG\\0\"\n \"DECRYPTION_FAILED\\0\"\n \"DECRYPTION_FAILED_OR_BAD_RECORD_MAC\\0\"\n \"DH_PUBLIC_VALUE_LENGTH_IS_WRONG\\0\"\n \"DH_P_TOO_LONG\\0\"\n \"DIGEST_CHECK_FAILED\\0\"\n \"DOWNGRADE_DETECTED\\0\"\n \"DTLS_MESSAGE_TOO_BIG\\0\"\n \"DUPLICATE_EXTENSION\\0\"\n \"DUPLICATE_KEY_SHARE\\0\"\n \"DUPLICATE_SIGNATURE_ALGORITHM\\0\"\n \"EARLY_DATA_NOT_IN_USE\\0\"\n \"ECC_CERT_NOT_FOR_SIGNING\\0\"\n \"ECH_REJECTED\\0\"\n \"ECH_SERVER_CONFIG_AND_PRIVATE_KEY_MISMATCH\\0\"\n \"ECH_SERVER_CONFIG_UNSUPPORTED_EXTENSION\\0\"\n \"ECH_SERVER_WOULD_HAVE_NO_RETRY_CONFIGS\\0\"\n \"EMPTY_HELLO_RETRY_REQUEST\\0\"\n \"EMS_STATE_INCONSISTENT\\0\"\n \"ENCRYPTED_LENGTH_TOO_LONG\\0\"\n \"ERROR_ADDING_EXTENSION\\0\"\n \"ERROR_IN_RECEIVED_CIPHER_LIST\\0\"\n \"ERROR_PARSING_EXTENSION\\0\"\n \"EXCESSIVE_MESSAGE_SIZE\\0\"\n \"EXCESS_HANDSHAKE_DATA\\0\"\n \"EXTRA_DATA_IN_MESSAGE\\0\"\n \"FRAGMENT_MISMATCH\\0\"\n \"GOT_NEXT_PROTO_WITHOUT_EXTENSION\\0\"\n \"HANDSHAKE_FAILURE_ON_CLIENT_HELLO\\0\"\n \"HANDSHAKE_NOT_COMPLETE\\0\"\n \"HTTPS_PROXY_REQUEST\\0\"\n \"HTTP_REQUEST\\0\"\n \"INAPPROPRIATE_FALLBACK\\0\"\n \"INCONSISTENT_CLIENT_HELLO\\0\"\n \"INCONSISTENT_ECH_NEGOTIATION\\0\"\n \"INVALID_ALPN_PROTOCOL\\0\"\n \"INVALID_ALPN_PROTOCOL_LIST\\0\"\n \"INVALID_ALPS_CODEPOINT\\0\"\n \"INVALID_CLIENT_HELLO_INNER\\0\"\n \"INVALID_COMMAND\\0\"\n \"INVALID_COMPRESSION_LIST\\0\"\n \"INVALID_DELEGATED_CREDENTIAL\\0\"\n \"INVALID_ECH_CONFIG_LIST\\0\"\n \"INVALID_ECH_PUBLIC_NAME\\0\"\n \"INVALID_MESSAGE\\0\"\n \"INVALID_OUTER_EXTENSION\\0\"\n \"INVALID_OUTER_RECORD_TYPE\\0\"\n \"INVALID_SCT_LIST\\0\"\n \"INVALID_SIGNATURE_ALGORITHM\\0\"\n \"INVALID_SSL_SESSION\\0\"\n \"INVALID_TICKET_KEYS_LENGTH\\0\"\n \"KEY_USAGE_BIT_INCORRECT\\0\"\n \"LENGTH_MISMATCH\\0\"\n \"MISSING_EXTENSION\\0\"\n \"MISSING_KEY_SHARE\\0\"\n \"MISSING_RSA_CERTIFICATE\\0\"\n \"MISSING_TMP_DH_KEY\\0\"\n \"MISSING_TMP_ECDH_KEY\\0\"\n \"MIXED_SPECIAL_OPERATOR_WITH_GROUPS\\0\"\n \"MTU_TOO_SMALL\\0\"\n \"NEGOTIATED_ALPS_WITHOUT_ALPN\\0\"\n \"NEGOTIATED_BOTH_NPN_AND_ALPN\\0\"\n \"NEGOTIATED_TB_WITHOUT_EMS_OR_RI\\0\"\n \"NESTED_GROUP\\0\"\n \"NO_APPLICATION_PROTOCOL\\0\"\n \"NO_CERTIFICATES_RETURNED\\0\"\n \"NO_CERTIFICATE_ASSIGNED\\0\"\n \"NO_CERTIFICATE_SET\\0\"\n \"NO_CIPHERS_AVAILABLE\\0\"\n \"NO_CIPHERS_PASSED\\0\"\n \"NO_CIPHERS_SPECIFIED\\0\"\n \"NO_CIPHER_MATCH\\0\"\n \"NO_COMMON_SIGNATURE_ALGORITHMS\\0\"\n \"NO_COMPRESSION_SPECIFIED\\0\"\n \"NO_GROUPS_SPECIFIED\\0\"\n \"NO_MATCHING_ISSUER\\0\"\n \"NO_METHOD_SPECIFIED\\0\"\n \"NO_PRIVATE_KEY_ASSIGNED\\0\"\n \"NO_RENEGOTIATION\\0\"\n \"NO_REQUIRED_DIGEST\\0\"\n \"NO_SHARED_CIPHER\\0\"\n \"NO_SHARED_GROUP\\0\"\n \"NO_SUPPORTED_VERSIONS_ENABLED\\0\"\n \"NULL_SSL_CTX\\0\"\n \"NULL_SSL_METHOD_PASSED\\0\"\n \"OCSP_CB_ERROR\\0\"\n \"OLD_SESSION_CIPHER_NOT_RETURNED\\0\"\n \"OLD_SESSION_PRF_HASH_MISMATCH\\0\"\n \"OLD_SESSION_VERSION_NOT_RETURNED\\0\"\n \"PARSE_TLSEXT\\0\"\n \"PATH_TOO_LONG\\0\"\n \"PEER_DID_NOT_RETURN_A_CERTIFICATE\\0\"\n \"PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE\\0\"\n \"PRE_SHARED_KEY_MUST_BE_LAST\\0\"\n \"PRIVATE_KEY_OPERATION_FAILED\\0\"\n \"PROTOCOL_IS_SHUTDOWN\\0\"\n \"PSK_IDENTITY_BINDER_COUNT_MISMATCH\\0\"\n \"PSK_IDENTITY_NOT_FOUND\\0\"\n \"PSK_NO_CLIENT_CB\\0\"\n \"PSK_NO_SERVER_CB\\0\"\n \"QUIC_INTERNAL_ERROR\\0\"\n \"QUIC_TRANSPORT_PARAMETERS_MISCONFIGURED\\0\"\n \"READ_TIMEOUT_EXPIRED\\0\"\n \"RECORD_LENGTH_MISMATCH\\0\"\n \"RECORD_TOO_LARGE\\0\"\n \"RENEGOTIATION_EMS_MISMATCH\\0\"\n \"RENEGOTIATION_ENCODING_ERR\\0\"\n \"RENEGOTIATION_MISMATCH\\0\"\n \"REQUIRED_CIPHER_MISSING\\0\"\n \"RESUMED_EMS_SESSION_WITHOUT_EMS_EXTENSION\\0\"\n \"RESUMED_NON_EMS_SESSION_WITH_EMS_EXTENSION\\0\"\n \"SCSV_RECEIVED_WHEN_RENEGOTIATING\\0\"\n \"SECOND_SERVERHELLO_VERSION_MISMATCH\\0\"\n \"SERVERHELLO_TLSEXT\\0\"\n \"SERVER_CERT_CHANGED\\0\"\n \"SERVER_ECHOED_INVALID_SESSION_ID\\0\"\n \"SESSION_ID_CONTEXT_UNINITIALIZED\\0\"\n \"SESSION_MAY_NOT_BE_CREATED\\0\"\n \"SHUTDOWN_WHILE_IN_INIT\\0\"\n \"SIGNATURE_ALGORITHMS_EXTENSION_SENT_BY_SERVER\\0\"\n \"SRTP_COULD_NOT_ALLOCATE_PROFILES\\0\"\n \"SRTP_UNKNOWN_PROTECTION_PROFILE\\0\"\n \"SSL3_EXT_INVALID_SERVERNAME\\0\"\n \"SSLV3_ALERT_BAD_CERTIFICATE\\0\"\n \"SSLV3_ALERT_BAD_RECORD_MAC\\0\"\n \"SSLV3_ALERT_CERTIFICATE_EXPIRED\\0\"\n \"SSLV3_ALERT_CERTIFICATE_REVOKED\\0\"\n \"SSLV3_ALERT_CERTIFICATE_UNKNOWN\\0\"\n \"SSLV3_ALERT_CLOSE_NOTIFY\\0\"\n \"SSLV3_ALERT_DECOMPRESSION_FAILURE\\0\"\n \"SSLV3_ALERT_HANDSHAKE_FAILURE\\0\"\n \"SSLV3_ALERT_ILLEGAL_PARAMETER\\0\"\n \"SSLV3_ALERT_NO_CERTIFICATE\\0\"\n \"SSLV3_ALERT_UNEXPECTED_MESSAGE\\0\"\n \"SSLV3_ALERT_UNSUPPORTED_CERTIFICATE\\0\"\n \"SSL_CTX_HAS_NO_DEFAULT_SSL_VERSION\\0\"\n \"SSL_HANDSHAKE_FAILURE\\0\"\n \"SSL_SESSION_ID_CONTEXT_TOO_LONG\\0\"\n \"SSL_SESSION_ID_TOO_LONG\\0\"\n \"TICKET_ENCRYPTION_FAILED\\0\"\n \"TLS13_DOWNGRADE\\0\"\n \"TLSV1_ALERT_ACCESS_DENIED\\0\"\n \"TLSV1_ALERT_BAD_CERTIFICATE_HASH_VALUE\\0\"\n \"TLSV1_ALERT_BAD_CERTIFICATE_STATUS_RESPONSE\\0\"\n \"TLSV1_ALERT_CERTIFICATE_REQUIRED\\0\"\n \"TLSV1_ALERT_CERTIFICATE_UNOBTAINABLE\\0\"\n \"TLSV1_ALERT_DECODE_ERROR\\0\"\n \"TLSV1_ALERT_DECRYPTION_FAILED\\0\"\n \"TLSV1_ALERT_DECRYPT_ERROR\\0\"\n \"TLSV1_ALERT_ECH_REQUIRED\\0\"\n \"TLSV1_ALERT_EXPORT_RESTRICTION\\0\"\n \"TLSV1_ALERT_INAPPROPRIATE_FALLBACK\\0\"\n \"TLSV1_ALERT_INSUFFICIENT_SECURITY\\0\"\n \"TLSV1_ALERT_INTERNAL_ERROR\\0\"\n \"TLSV1_ALERT_NO_APPLICATION_PROTOCOL\\0\"\n \"TLSV1_ALERT_NO_RENEGOTIATION\\0\"\n \"TLSV1_ALERT_PROTOCOL_VERSION\\0\"\n \"TLSV1_ALERT_RECORD_OVERFLOW\\0\"\n \"TLSV1_ALERT_UNKNOWN_CA\\0\"\n \"TLSV1_ALERT_UNKNOWN_PSK_IDENTITY\\0\"\n \"TLSV1_ALERT_UNRECOGNIZED_NAME\\0\"\n \"TLSV1_ALERT_UNSUPPORTED_EXTENSION\\0\"\n \"TLSV1_ALERT_USER_CANCELLED\\0\"\n \"TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST\\0\"\n \"TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG\\0\"\n \"TOO_MANY_EMPTY_FRAGMENTS\\0\"\n \"TOO_MANY_KEY_UPDATES\\0\"\n \"TOO_MANY_WARNING_ALERTS\\0\"\n \"TOO_MUCH_READ_EARLY_DATA\\0\"\n \"TOO_MUCH_SKIPPED_EARLY_DATA\\0\"\n \"UNABLE_TO_FIND_ECDH_PARAMETERS\\0\"\n \"UNCOMPRESSED_CERT_TOO_LARGE\\0\"\n \"UNEXPECTED_COMPATIBILITY_MODE\\0\"\n \"UNEXPECTED_EXTENSION\\0\"\n \"UNEXPECTED_EXTENSION_ON_EARLY_DATA\\0\"\n \"UNEXPECTED_MESSAGE\\0\"\n \"UNEXPECTED_OPERATOR_IN_GROUP\\0\"\n \"UNEXPECTED_RECORD\\0\"\n \"UNKNOWN_ALERT_TYPE\\0\"\n \"UNKNOWN_CERTIFICATE_TYPE\\0\"\n \"UNKNOWN_CERT_COMPRESSION_ALG\\0\"\n \"UNKNOWN_CIPHER_RETURNED\\0\"\n \"UNKNOWN_CIPHER_TYPE\\0\"\n \"UNKNOWN_KEY_EXCHANGE_TYPE\\0\"\n \"UNKNOWN_PROTOCOL\\0\"\n \"UNKNOWN_SSL_VERSION\\0\"\n \"UNKNOWN_STATE\\0\"\n \"UNSAFE_LEGACY_RENEGOTIATION_DISABLED\\0\"\n \"UNSUPPORTED_COMPRESSION_ALGORITHM\\0\"\n \"UNSUPPORTED_ECH_SERVER_CONFIG\\0\"\n \"UNSUPPORTED_ELLIPTIC_CURVE\\0\"\n \"UNSUPPORTED_PROTOCOL\\0\"\n \"UNSUPPORTED_PROTOCOL_FOR_CUSTOM_KEY\\0\"\n \"WRONG_CERTIFICATE_TYPE\\0\"\n \"WRONG_CIPHER_RETURNED\\0\"\n \"WRONG_CURVE\\0\"\n \"WRONG_ENCRYPTION_LEVEL_RECEIVED\\0\"\n \"WRONG_MESSAGE_TYPE\\0\"\n \"WRONG_SIGNATURE_TYPE\\0\"\n \"WRONG_SSL_VERSION\\0\"\n \"WRONG_VERSION_NUMBER\\0\"\n \"WRONG_VERSION_ON_EARLY_DATA\\0\"\n \"X509_LIB\\0\"\n \"X509_VERIFICATION_SETUP_PROBLEMS\\0\"\n \"BAD_VALIDITY_CHECK\\0\"\n \"DECODE_FAILURE\\0\"\n \"INVALID_KEY_ID\\0\"\n \"INVALID_METADATA\\0\"\n \"INVALID_METADATA_KEY\\0\"\n \"INVALID_PROOF\\0\"\n \"INVALID_TOKEN\\0\"\n \"NO_KEYS_CONFIGURED\\0\"\n \"NO_SRR_KEY_CONFIGURED\\0\"\n \"OVER_BATCHSIZE\\0\"\n \"SRR_SIGNATURE_ERROR\\0\"\n \"TOO_MANY_KEYS\\0\"\n \"AKID_MISMATCH\\0\"\n \"BAD_X509_FILETYPE\\0\"\n \"BASE64_DECODE_ERROR\\0\"\n \"CANT_CHECK_DH_KEY\\0\"\n \"CERT_ALREADY_IN_HASH_TABLE\\0\"\n \"CRL_ALREADY_DELTA\\0\"\n \"CRL_VERIFY_FAILURE\\0\"\n \"DELTA_CRL_WITHOUT_CRL_NUMBER\\0\"\n \"IDP_MISMATCH\\0\"\n \"INVALID_DIRECTORY\\0\"\n \"INVALID_FIELD_FOR_VERSION\\0\"\n \"INVALID_FIELD_NAME\\0\"\n \"INVALID_PARAMETER\\0\"\n \"INVALID_POLICY_EXTENSION\\0\"\n \"INVALID_PSS_PARAMETERS\\0\"\n \"INVALID_TRUST\\0\"\n \"INVALID_VERSION\\0\"\n \"ISSUER_MISMATCH\\0\"\n \"KEY_TYPE_MISMATCH\\0\"\n \"KEY_VALUES_MISMATCH\\0\"\n \"LOADING_CERT_DIR\\0\"\n \"LOADING_DEFAULTS\\0\"\n \"NAME_TOO_LONG\\0\"\n \"NEWER_CRL_NOT_NEWER\\0\"\n \"NO_CERTIFICATE_FOUND\\0\"\n \"NO_CERTIFICATE_OR_CRL_FOUND\\0\"\n \"NO_CERT_SET_FOR_US_TO_VERIFY\\0\"\n \"NO_CRL_FOUND\\0\"\n \"NO_CRL_NUMBER\\0\"\n \"PUBLIC_KEY_DECODE_ERROR\\0\"\n \"PUBLIC_KEY_ENCODE_ERROR\\0\"\n \"SHOULD_RETRY\\0\"\n \"SIGNATURE_ALGORITHM_MISMATCH\\0\"\n \"UNKNOWN_KEY_TYPE\\0\"\n \"UNKNOWN_PURPOSE_ID\\0\"\n \"UNKNOWN_TRUST_ID\\0\"\n \"WRONG_LOOKUP_TYPE\\0\"\n \"BAD_IP_ADDRESS\\0\"\n \"BAD_OBJECT\\0\"\n \"BN_DEC2BN_ERROR\\0\"\n \"BN_TO_ASN1_INTEGER_ERROR\\0\"\n \"CANNOT_FIND_FREE_FUNCTION\\0\"\n \"DIRNAME_ERROR\\0\"\n \"DISTPOINT_ALREADY_SET\\0\"\n \"DUPLICATE_ZONE_ID\\0\"\n \"ERROR_CONVERTING_ZONE\\0\"\n \"ERROR_CREATING_EXTENSION\\0\"\n \"ERROR_IN_EXTENSION\\0\"\n \"EXPECTED_A_SECTION_NAME\\0\"\n \"EXTENSION_EXISTS\\0\"\n \"EXTENSION_NAME_ERROR\\0\"\n \"EXTENSION_NOT_FOUND\\0\"\n \"EXTENSION_SETTING_NOT_SUPPORTED\\0\"\n \"EXTENSION_VALUE_ERROR\\0\"\n \"ILLEGAL_EMPTY_EXTENSION\\0\"\n \"ILLEGAL_HEX_DIGIT\\0\"\n \"INCORRECT_POLICY_SYNTAX_TAG\\0\"\n \"INVALID_BOOLEAN_STRING\\0\"\n \"INVALID_EXTENSION_STRING\\0\"\n \"INVALID_MULTIPLE_RDNS\\0\"\n \"INVALID_NAME\\0\"\n \"INVALID_NULL_ARGUMENT\\0\"\n \"INVALID_NULL_NAME\\0\"\n \"INVALID_NULL_VALUE\\0\"\n \"INVALID_NUMBERS\\0\"\n \"INVALID_OBJECT_IDENTIFIER\\0\"\n \"INVALID_OPTION\\0\"\n \"INVALID_POLICY_IDENTIFIER\\0\"\n \"INVALID_PROXY_POLICY_SETTING\\0\"\n \"INVALID_PURPOSE\\0\"\n \"INVALID_SECTION\\0\"\n \"INVALID_SYNTAX\\0\"\n \"INVALID_VALUE\\0\"\n \"ISSUER_DECODE_ERROR\\0\"\n \"NEED_ORGANIZATION_AND_NUMBERS\\0\"\n \"NO_CONFIG_DATABASE\\0\"\n \"NO_ISSUER_CERTIFICATE\\0\"\n \"NO_ISSUER_DETAILS\\0\"\n \"NO_POLICY_IDENTIFIER\\0\"\n \"NO_PROXY_CERT_POLICY_LANGUAGE_DEFINED\\0\"\n \"NO_PUBLIC_KEY\\0\"\n \"NO_SUBJECT_DETAILS\\0\"\n \"ODD_NUMBER_OF_DIGITS\\0\"\n \"OPERATION_NOT_DEFINED\\0\"\n \"OTHERNAME_ERROR\\0\"\n \"POLICY_LANGUAGE_ALREADY_DEFINED\\0\"\n \"POLICY_PATH_LENGTH\\0\"\n \"POLICY_PATH_LENGTH_ALREADY_DEFINED\\0\"\n \"POLICY_WHEN_PROXY_LANGUAGE_REQUIRES_NO_POLICY\\0\"\n \"SECTION_NOT_FOUND\\0\"\n \"TRAILING_DATA_IN_EXTENSION\\0\"\n \"UNABLE_TO_GET_ISSUER_DETAILS\\0\"\n \"UNABLE_TO_GET_ISSUER_KEYID\\0\"\n \"UNKNOWN_BIT_STRING_ARGUMENT\\0\"\n \"UNKNOWN_EXTENSION\\0\"\n \"UNKNOWN_EXTENSION_NAME\\0\"\n \"UNKNOWN_OPTION\\0\"\n \"UNSUPPORTED_OPTION\\0\"\n \"USER_TOO_LONG\\0\"\n \"\";\n\n" }, { "path": "Sources/CNIOBoringSSL/gen/crypto/md5-586-apple.S", "content": "#define BORINGSSL_PREFIX CNIOBoringSSL\n// This file is generated from a similarly-named Perl script in the BoringSSL\n// source tree. Do not edit by hand.\n\n#include \n\n#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86) && defined(__APPLE__)\n.text\n.globl\t_md5_block_asm_data_order\n.private_extern\t_md5_block_asm_data_order\n.align\t4\n_md5_block_asm_data_order:\nL_md5_block_asm_data_order_begin:\n\tpushl\t%esi\n\tpushl\t%edi\n\tmovl\t12(%esp),%edi\n\tmovl\t16(%esp),%esi\n\tmovl\t20(%esp),%ecx\n\tpushl\t%ebp\n\tshll\t$6,%ecx\n\tpushl\t%ebx\n\taddl\t%esi,%ecx\n\tsubl\t$64,%ecx\n\tmovl\t(%edi),%eax\n\tpushl\t%ecx\n\tmovl\t4(%edi),%ebx\n\tmovl\t8(%edi),%ecx\n\tmovl\t12(%edi),%edx\nL000start:\n\n\t# R0 section \n\tmovl\t%ecx,%edi\n\tmovl\t(%esi),%ebp\n\t# R0 0 \n\txorl\t%edx,%edi\n\tandl\t%ebx,%edi\n\tleal\t3614090360(%eax,%ebp,1),%eax\n\txorl\t%edx,%edi\n\taddl\t%edi,%eax\n\tmovl\t%ebx,%edi\n\troll\t$7,%eax\n\tmovl\t4(%esi),%ebp\n\taddl\t%ebx,%eax\n\t# R0 1 \n\txorl\t%ecx,%edi\n\tandl\t%eax,%edi\n\tleal\t3905402710(%edx,%ebp,1),%edx\n\txorl\t%ecx,%edi\n\taddl\t%edi,%edx\n\tmovl\t%eax,%edi\n\troll\t$12,%edx\n\tmovl\t8(%esi),%ebp\n\taddl\t%eax,%edx\n\t# R0 2 \n\txorl\t%ebx,%edi\n\tandl\t%edx,%edi\n\tleal\t606105819(%ecx,%ebp,1),%ecx\n\txorl\t%ebx,%edi\n\taddl\t%edi,%ecx\n\tmovl\t%edx,%edi\n\troll\t$17,%ecx\n\tmovl\t12(%esi),%ebp\n\taddl\t%edx,%ecx\n\t# R0 3 \n\txorl\t%eax,%edi\n\tandl\t%ecx,%edi\n\tleal\t3250441966(%ebx,%ebp,1),%ebx\n\txorl\t%eax,%edi\n\taddl\t%edi,%ebx\n\tmovl\t%ecx,%edi\n\troll\t$22,%ebx\n\tmovl\t16(%esi),%ebp\n\taddl\t%ecx,%ebx\n\t# R0 4 \n\txorl\t%edx,%edi\n\tandl\t%ebx,%edi\n\tleal\t4118548399(%eax,%ebp,1),%eax\n\txorl\t%edx,%edi\n\taddl\t%edi,%eax\n\tmovl\t%ebx,%edi\n\troll\t$7,%eax\n\tmovl\t20(%esi),%ebp\n\taddl\t%ebx,%eax\n\t# R0 5 \n\txorl\t%ecx,%edi\n\tandl\t%eax,%edi\n\tleal\t1200080426(%edx,%ebp,1),%edx\n\txorl\t%ecx,%edi\n\taddl\t%edi,%edx\n\tmovl\t%eax,%edi\n\troll\t$12,%edx\n\tmovl\t24(%esi),%ebp\n\taddl\t%eax,%edx\n\t# R0 6 \n\txorl\t%ebx,%edi\n\tandl\t%edx,%edi\n\tleal\t2821735955(%ecx,%ebp,1),%ecx\n\txorl\t%ebx,%edi\n\taddl\t%edi,%ecx\n\tmovl\t%edx,%edi\n\troll\t$17,%ecx\n\tmovl\t28(%esi),%ebp\n\taddl\t%edx,%ecx\n\t# R0 7 \n\txorl\t%eax,%edi\n\tandl\t%ecx,%edi\n\tleal\t4249261313(%ebx,%ebp,1),%ebx\n\txorl\t%eax,%edi\n\taddl\t%edi,%ebx\n\tmovl\t%ecx,%edi\n\troll\t$22,%ebx\n\tmovl\t32(%esi),%ebp\n\taddl\t%ecx,%ebx\n\t# R0 8 \n\txorl\t%edx,%edi\n\tandl\t%ebx,%edi\n\tleal\t1770035416(%eax,%ebp,1),%eax\n\txorl\t%edx,%edi\n\taddl\t%edi,%eax\n\tmovl\t%ebx,%edi\n\troll\t$7,%eax\n\tmovl\t36(%esi),%ebp\n\taddl\t%ebx,%eax\n\t# R0 9 \n\txorl\t%ecx,%edi\n\tandl\t%eax,%edi\n\tleal\t2336552879(%edx,%ebp,1),%edx\n\txorl\t%ecx,%edi\n\taddl\t%edi,%edx\n\tmovl\t%eax,%edi\n\troll\t$12,%edx\n\tmovl\t40(%esi),%ebp\n\taddl\t%eax,%edx\n\t# R0 10 \n\txorl\t%ebx,%edi\n\tandl\t%edx,%edi\n\tleal\t4294925233(%ecx,%ebp,1),%ecx\n\txorl\t%ebx,%edi\n\taddl\t%edi,%ecx\n\tmovl\t%edx,%edi\n\troll\t$17,%ecx\n\tmovl\t44(%esi),%ebp\n\taddl\t%edx,%ecx\n\t# R0 11 \n\txorl\t%eax,%edi\n\tandl\t%ecx,%edi\n\tleal\t2304563134(%ebx,%ebp,1),%ebx\n\txorl\t%eax,%edi\n\taddl\t%edi,%ebx\n\tmovl\t%ecx,%edi\n\troll\t$22,%ebx\n\tmovl\t48(%esi),%ebp\n\taddl\t%ecx,%ebx\n\t# R0 12 \n\txorl\t%edx,%edi\n\tandl\t%ebx,%edi\n\tleal\t1804603682(%eax,%ebp,1),%eax\n\txorl\t%edx,%edi\n\taddl\t%edi,%eax\n\tmovl\t%ebx,%edi\n\troll\t$7,%eax\n\tmovl\t52(%esi),%ebp\n\taddl\t%ebx,%eax\n\t# R0 13 \n\txorl\t%ecx,%edi\n\tandl\t%eax,%edi\n\tleal\t4254626195(%edx,%ebp,1),%edx\n\txorl\t%ecx,%edi\n\taddl\t%edi,%edx\n\tmovl\t%eax,%edi\n\troll\t$12,%edx\n\tmovl\t56(%esi),%ebp\n\taddl\t%eax,%edx\n\t# R0 14 \n\txorl\t%ebx,%edi\n\tandl\t%edx,%edi\n\tleal\t2792965006(%ecx,%ebp,1),%ecx\n\txorl\t%ebx,%edi\n\taddl\t%edi,%ecx\n\tmovl\t%edx,%edi\n\troll\t$17,%ecx\n\tmovl\t60(%esi),%ebp\n\taddl\t%edx,%ecx\n\t# R0 15 \n\txorl\t%eax,%edi\n\tandl\t%ecx,%edi\n\tleal\t1236535329(%ebx,%ebp,1),%ebx\n\txorl\t%eax,%edi\n\taddl\t%edi,%ebx\n\tmovl\t%ecx,%edi\n\troll\t$22,%ebx\n\tmovl\t4(%esi),%ebp\n\taddl\t%ecx,%ebx\n\n\t# R1 section \n\t# R1 16 \n\tleal\t4129170786(%eax,%ebp,1),%eax\n\txorl\t%ebx,%edi\n\tandl\t%edx,%edi\n\tmovl\t24(%esi),%ebp\n\txorl\t%ecx,%edi\n\taddl\t%edi,%eax\n\tmovl\t%ebx,%edi\n\troll\t$5,%eax\n\taddl\t%ebx,%eax\n\t# R1 17 \n\tleal\t3225465664(%edx,%ebp,1),%edx\n\txorl\t%eax,%edi\n\tandl\t%ecx,%edi\n\tmovl\t44(%esi),%ebp\n\txorl\t%ebx,%edi\n\taddl\t%edi,%edx\n\tmovl\t%eax,%edi\n\troll\t$9,%edx\n\taddl\t%eax,%edx\n\t# R1 18 \n\tleal\t643717713(%ecx,%ebp,1),%ecx\n\txorl\t%edx,%edi\n\tandl\t%ebx,%edi\n\tmovl\t(%esi),%ebp\n\txorl\t%eax,%edi\n\taddl\t%edi,%ecx\n\tmovl\t%edx,%edi\n\troll\t$14,%ecx\n\taddl\t%edx,%ecx\n\t# R1 19 \n\tleal\t3921069994(%ebx,%ebp,1),%ebx\n\txorl\t%ecx,%edi\n\tandl\t%eax,%edi\n\tmovl\t20(%esi),%ebp\n\txorl\t%edx,%edi\n\taddl\t%edi,%ebx\n\tmovl\t%ecx,%edi\n\troll\t$20,%ebx\n\taddl\t%ecx,%ebx\n\t# R1 20 \n\tleal\t3593408605(%eax,%ebp,1),%eax\n\txorl\t%ebx,%edi\n\tandl\t%edx,%edi\n\tmovl\t40(%esi),%ebp\n\txorl\t%ecx,%edi\n\taddl\t%edi,%eax\n\tmovl\t%ebx,%edi\n\troll\t$5,%eax\n\taddl\t%ebx,%eax\n\t# R1 21 \n\tleal\t38016083(%edx,%ebp,1),%edx\n\txorl\t%eax,%edi\n\tandl\t%ecx,%edi\n\tmovl\t60(%esi),%ebp\n\txorl\t%ebx,%edi\n\taddl\t%edi,%edx\n\tmovl\t%eax,%edi\n\troll\t$9,%edx\n\taddl\t%eax,%edx\n\t# R1 22 \n\tleal\t3634488961(%ecx,%ebp,1),%ecx\n\txorl\t%edx,%edi\n\tandl\t%ebx,%edi\n\tmovl\t16(%esi),%ebp\n\txorl\t%eax,%edi\n\taddl\t%edi,%ecx\n\tmovl\t%edx,%edi\n\troll\t$14,%ecx\n\taddl\t%edx,%ecx\n\t# R1 23 \n\tleal\t3889429448(%ebx,%ebp,1),%ebx\n\txorl\t%ecx,%edi\n\tandl\t%eax,%edi\n\tmovl\t36(%esi),%ebp\n\txorl\t%edx,%edi\n\taddl\t%edi,%ebx\n\tmovl\t%ecx,%edi\n\troll\t$20,%ebx\n\taddl\t%ecx,%ebx\n\t# R1 24 \n\tleal\t568446438(%eax,%ebp,1),%eax\n\txorl\t%ebx,%edi\n\tandl\t%edx,%edi\n\tmovl\t56(%esi),%ebp\n\txorl\t%ecx,%edi\n\taddl\t%edi,%eax\n\tmovl\t%ebx,%edi\n\troll\t$5,%eax\n\taddl\t%ebx,%eax\n\t# R1 25 \n\tleal\t3275163606(%edx,%ebp,1),%edx\n\txorl\t%eax,%edi\n\tandl\t%ecx,%edi\n\tmovl\t12(%esi),%ebp\n\txorl\t%ebx,%edi\n\taddl\t%edi,%edx\n\tmovl\t%eax,%edi\n\troll\t$9,%edx\n\taddl\t%eax,%edx\n\t# R1 26 \n\tleal\t4107603335(%ecx,%ebp,1),%ecx\n\txorl\t%edx,%edi\n\tandl\t%ebx,%edi\n\tmovl\t32(%esi),%ebp\n\txorl\t%eax,%edi\n\taddl\t%edi,%ecx\n\tmovl\t%edx,%edi\n\troll\t$14,%ecx\n\taddl\t%edx,%ecx\n\t# R1 27 \n\tleal\t1163531501(%ebx,%ebp,1),%ebx\n\txorl\t%ecx,%edi\n\tandl\t%eax,%edi\n\tmovl\t52(%esi),%ebp\n\txorl\t%edx,%edi\n\taddl\t%edi,%ebx\n\tmovl\t%ecx,%edi\n\troll\t$20,%ebx\n\taddl\t%ecx,%ebx\n\t# R1 28 \n\tleal\t2850285829(%eax,%ebp,1),%eax\n\txorl\t%ebx,%edi\n\tandl\t%edx,%edi\n\tmovl\t8(%esi),%ebp\n\txorl\t%ecx,%edi\n\taddl\t%edi,%eax\n\tmovl\t%ebx,%edi\n\troll\t$5,%eax\n\taddl\t%ebx,%eax\n\t# R1 29 \n\tleal\t4243563512(%edx,%ebp,1),%edx\n\txorl\t%eax,%edi\n\tandl\t%ecx,%edi\n\tmovl\t28(%esi),%ebp\n\txorl\t%ebx,%edi\n\taddl\t%edi,%edx\n\tmovl\t%eax,%edi\n\troll\t$9,%edx\n\taddl\t%eax,%edx\n\t# R1 30 \n\tleal\t1735328473(%ecx,%ebp,1),%ecx\n\txorl\t%edx,%edi\n\tandl\t%ebx,%edi\n\tmovl\t48(%esi),%ebp\n\txorl\t%eax,%edi\n\taddl\t%edi,%ecx\n\tmovl\t%edx,%edi\n\troll\t$14,%ecx\n\taddl\t%edx,%ecx\n\t# R1 31 \n\tleal\t2368359562(%ebx,%ebp,1),%ebx\n\txorl\t%ecx,%edi\n\tandl\t%eax,%edi\n\tmovl\t20(%esi),%ebp\n\txorl\t%edx,%edi\n\taddl\t%edi,%ebx\n\tmovl\t%ecx,%edi\n\troll\t$20,%ebx\n\taddl\t%ecx,%ebx\n\n\t# R2 section \n\t# R2 32 \n\txorl\t%edx,%edi\n\txorl\t%ebx,%edi\n\tleal\t4294588738(%eax,%ebp,1),%eax\n\taddl\t%edi,%eax\n\troll\t$4,%eax\n\tmovl\t32(%esi),%ebp\n\tmovl\t%ebx,%edi\n\t# R2 33 \n\tleal\t2272392833(%edx,%ebp,1),%edx\n\taddl\t%ebx,%eax\n\txorl\t%ecx,%edi\n\txorl\t%eax,%edi\n\tmovl\t44(%esi),%ebp\n\taddl\t%edi,%edx\n\tmovl\t%eax,%edi\n\troll\t$11,%edx\n\taddl\t%eax,%edx\n\t# R2 34 \n\txorl\t%ebx,%edi\n\txorl\t%edx,%edi\n\tleal\t1839030562(%ecx,%ebp,1),%ecx\n\taddl\t%edi,%ecx\n\troll\t$16,%ecx\n\tmovl\t56(%esi),%ebp\n\tmovl\t%edx,%edi\n\t# R2 35 \n\tleal\t4259657740(%ebx,%ebp,1),%ebx\n\taddl\t%edx,%ecx\n\txorl\t%eax,%edi\n\txorl\t%ecx,%edi\n\tmovl\t4(%esi),%ebp\n\taddl\t%edi,%ebx\n\tmovl\t%ecx,%edi\n\troll\t$23,%ebx\n\taddl\t%ecx,%ebx\n\t# R2 36 \n\txorl\t%edx,%edi\n\txorl\t%ebx,%edi\n\tleal\t2763975236(%eax,%ebp,1),%eax\n\taddl\t%edi,%eax\n\troll\t$4,%eax\n\tmovl\t16(%esi),%ebp\n\tmovl\t%ebx,%edi\n\t# R2 37 \n\tleal\t1272893353(%edx,%ebp,1),%edx\n\taddl\t%ebx,%eax\n\txorl\t%ecx,%edi\n\txorl\t%eax,%edi\n\tmovl\t28(%esi),%ebp\n\taddl\t%edi,%edx\n\tmovl\t%eax,%edi\n\troll\t$11,%edx\n\taddl\t%eax,%edx\n\t# R2 38 \n\txorl\t%ebx,%edi\n\txorl\t%edx,%edi\n\tleal\t4139469664(%ecx,%ebp,1),%ecx\n\taddl\t%edi,%ecx\n\troll\t$16,%ecx\n\tmovl\t40(%esi),%ebp\n\tmovl\t%edx,%edi\n\t# R2 39 \n\tleal\t3200236656(%ebx,%ebp,1),%ebx\n\taddl\t%edx,%ecx\n\txorl\t%eax,%edi\n\txorl\t%ecx,%edi\n\tmovl\t52(%esi),%ebp\n\taddl\t%edi,%ebx\n\tmovl\t%ecx,%edi\n\troll\t$23,%ebx\n\taddl\t%ecx,%ebx\n\t# R2 40 \n\txorl\t%edx,%edi\n\txorl\t%ebx,%edi\n\tleal\t681279174(%eax,%ebp,1),%eax\n\taddl\t%edi,%eax\n\troll\t$4,%eax\n\tmovl\t(%esi),%ebp\n\tmovl\t%ebx,%edi\n\t# R2 41 \n\tleal\t3936430074(%edx,%ebp,1),%edx\n\taddl\t%ebx,%eax\n\txorl\t%ecx,%edi\n\txorl\t%eax,%edi\n\tmovl\t12(%esi),%ebp\n\taddl\t%edi,%edx\n\tmovl\t%eax,%edi\n\troll\t$11,%edx\n\taddl\t%eax,%edx\n\t# R2 42 \n\txorl\t%ebx,%edi\n\txorl\t%edx,%edi\n\tleal\t3572445317(%ecx,%ebp,1),%ecx\n\taddl\t%edi,%ecx\n\troll\t$16,%ecx\n\tmovl\t24(%esi),%ebp\n\tmovl\t%edx,%edi\n\t# R2 43 \n\tleal\t76029189(%ebx,%ebp,1),%ebx\n\taddl\t%edx,%ecx\n\txorl\t%eax,%edi\n\txorl\t%ecx,%edi\n\tmovl\t36(%esi),%ebp\n\taddl\t%edi,%ebx\n\tmovl\t%ecx,%edi\n\troll\t$23,%ebx\n\taddl\t%ecx,%ebx\n\t# R2 44 \n\txorl\t%edx,%edi\n\txorl\t%ebx,%edi\n\tleal\t3654602809(%eax,%ebp,1),%eax\n\taddl\t%edi,%eax\n\troll\t$4,%eax\n\tmovl\t48(%esi),%ebp\n\tmovl\t%ebx,%edi\n\t# R2 45 \n\tleal\t3873151461(%edx,%ebp,1),%edx\n\taddl\t%ebx,%eax\n\txorl\t%ecx,%edi\n\txorl\t%eax,%edi\n\tmovl\t60(%esi),%ebp\n\taddl\t%edi,%edx\n\tmovl\t%eax,%edi\n\troll\t$11,%edx\n\taddl\t%eax,%edx\n\t# R2 46 \n\txorl\t%ebx,%edi\n\txorl\t%edx,%edi\n\tleal\t530742520(%ecx,%ebp,1),%ecx\n\taddl\t%edi,%ecx\n\troll\t$16,%ecx\n\tmovl\t8(%esi),%ebp\n\tmovl\t%edx,%edi\n\t# R2 47 \n\tleal\t3299628645(%ebx,%ebp,1),%ebx\n\taddl\t%edx,%ecx\n\txorl\t%eax,%edi\n\txorl\t%ecx,%edi\n\tmovl\t(%esi),%ebp\n\taddl\t%edi,%ebx\n\tmovl\t$-1,%edi\n\troll\t$23,%ebx\n\taddl\t%ecx,%ebx\n\n\t# R3 section \n\t# R3 48 \n\txorl\t%edx,%edi\n\torl\t%ebx,%edi\n\tleal\t4096336452(%eax,%ebp,1),%eax\n\txorl\t%ecx,%edi\n\tmovl\t28(%esi),%ebp\n\taddl\t%edi,%eax\n\tmovl\t$-1,%edi\n\troll\t$6,%eax\n\txorl\t%ecx,%edi\n\taddl\t%ebx,%eax\n\t# R3 49 \n\torl\t%eax,%edi\n\tleal\t1126891415(%edx,%ebp,1),%edx\n\txorl\t%ebx,%edi\n\tmovl\t56(%esi),%ebp\n\taddl\t%edi,%edx\n\tmovl\t$-1,%edi\n\troll\t$10,%edx\n\txorl\t%ebx,%edi\n\taddl\t%eax,%edx\n\t# R3 50 \n\torl\t%edx,%edi\n\tleal\t2878612391(%ecx,%ebp,1),%ecx\n\txorl\t%eax,%edi\n\tmovl\t20(%esi),%ebp\n\taddl\t%edi,%ecx\n\tmovl\t$-1,%edi\n\troll\t$15,%ecx\n\txorl\t%eax,%edi\n\taddl\t%edx,%ecx\n\t# R3 51 \n\torl\t%ecx,%edi\n\tleal\t4237533241(%ebx,%ebp,1),%ebx\n\txorl\t%edx,%edi\n\tmovl\t48(%esi),%ebp\n\taddl\t%edi,%ebx\n\tmovl\t$-1,%edi\n\troll\t$21,%ebx\n\txorl\t%edx,%edi\n\taddl\t%ecx,%ebx\n\t# R3 52 \n\torl\t%ebx,%edi\n\tleal\t1700485571(%eax,%ebp,1),%eax\n\txorl\t%ecx,%edi\n\tmovl\t12(%esi),%ebp\n\taddl\t%edi,%eax\n\tmovl\t$-1,%edi\n\troll\t$6,%eax\n\txorl\t%ecx,%edi\n\taddl\t%ebx,%eax\n\t# R3 53 \n\torl\t%eax,%edi\n\tleal\t2399980690(%edx,%ebp,1),%edx\n\txorl\t%ebx,%edi\n\tmovl\t40(%esi),%ebp\n\taddl\t%edi,%edx\n\tmovl\t$-1,%edi\n\troll\t$10,%edx\n\txorl\t%ebx,%edi\n\taddl\t%eax,%edx\n\t# R3 54 \n\torl\t%edx,%edi\n\tleal\t4293915773(%ecx,%ebp,1),%ecx\n\txorl\t%eax,%edi\n\tmovl\t4(%esi),%ebp\n\taddl\t%edi,%ecx\n\tmovl\t$-1,%edi\n\troll\t$15,%ecx\n\txorl\t%eax,%edi\n\taddl\t%edx,%ecx\n\t# R3 55 \n\torl\t%ecx,%edi\n\tleal\t2240044497(%ebx,%ebp,1),%ebx\n\txorl\t%edx,%edi\n\tmovl\t32(%esi),%ebp\n\taddl\t%edi,%ebx\n\tmovl\t$-1,%edi\n\troll\t$21,%ebx\n\txorl\t%edx,%edi\n\taddl\t%ecx,%ebx\n\t# R3 56 \n\torl\t%ebx,%edi\n\tleal\t1873313359(%eax,%ebp,1),%eax\n\txorl\t%ecx,%edi\n\tmovl\t60(%esi),%ebp\n\taddl\t%edi,%eax\n\tmovl\t$-1,%edi\n\troll\t$6,%eax\n\txorl\t%ecx,%edi\n\taddl\t%ebx,%eax\n\t# R3 57 \n\torl\t%eax,%edi\n\tleal\t4264355552(%edx,%ebp,1),%edx\n\txorl\t%ebx,%edi\n\tmovl\t24(%esi),%ebp\n\taddl\t%edi,%edx\n\tmovl\t$-1,%edi\n\troll\t$10,%edx\n\txorl\t%ebx,%edi\n\taddl\t%eax,%edx\n\t# R3 58 \n\torl\t%edx,%edi\n\tleal\t2734768916(%ecx,%ebp,1),%ecx\n\txorl\t%eax,%edi\n\tmovl\t52(%esi),%ebp\n\taddl\t%edi,%ecx\n\tmovl\t$-1,%edi\n\troll\t$15,%ecx\n\txorl\t%eax,%edi\n\taddl\t%edx,%ecx\n\t# R3 59 \n\torl\t%ecx,%edi\n\tleal\t1309151649(%ebx,%ebp,1),%ebx\n\txorl\t%edx,%edi\n\tmovl\t16(%esi),%ebp\n\taddl\t%edi,%ebx\n\tmovl\t$-1,%edi\n\troll\t$21,%ebx\n\txorl\t%edx,%edi\n\taddl\t%ecx,%ebx\n\t# R3 60 \n\torl\t%ebx,%edi\n\tleal\t4149444226(%eax,%ebp,1),%eax\n\txorl\t%ecx,%edi\n\tmovl\t44(%esi),%ebp\n\taddl\t%edi,%eax\n\tmovl\t$-1,%edi\n\troll\t$6,%eax\n\txorl\t%ecx,%edi\n\taddl\t%ebx,%eax\n\t# R3 61 \n\torl\t%eax,%edi\n\tleal\t3174756917(%edx,%ebp,1),%edx\n\txorl\t%ebx,%edi\n\tmovl\t8(%esi),%ebp\n\taddl\t%edi,%edx\n\tmovl\t$-1,%edi\n\troll\t$10,%edx\n\txorl\t%ebx,%edi\n\taddl\t%eax,%edx\n\t# R3 62 \n\torl\t%edx,%edi\n\tleal\t718787259(%ecx,%ebp,1),%ecx\n\txorl\t%eax,%edi\n\tmovl\t36(%esi),%ebp\n\taddl\t%edi,%ecx\n\tmovl\t$-1,%edi\n\troll\t$15,%ecx\n\txorl\t%eax,%edi\n\taddl\t%edx,%ecx\n\t# R3 63 \n\torl\t%ecx,%edi\n\tleal\t3951481745(%ebx,%ebp,1),%ebx\n\txorl\t%edx,%edi\n\tmovl\t24(%esp),%ebp\n\taddl\t%edi,%ebx\n\taddl\t$64,%esi\n\troll\t$21,%ebx\n\tmovl\t(%ebp),%edi\n\taddl\t%ecx,%ebx\n\taddl\t%edi,%eax\n\tmovl\t4(%ebp),%edi\n\taddl\t%edi,%ebx\n\tmovl\t8(%ebp),%edi\n\taddl\t%edi,%ecx\n\tmovl\t12(%ebp),%edi\n\taddl\t%edi,%edx\n\tmovl\t%eax,(%ebp)\n\tmovl\t%ebx,4(%ebp)\n\tmovl\t(%esp),%edi\n\tmovl\t%ecx,8(%ebp)\n\tmovl\t%edx,12(%ebp)\n\tcmpl\t%esi,%edi\n\tjae\tL000start\n\tpopl\t%eax\n\tpopl\t%ebx\n\tpopl\t%ebp\n\tpopl\t%edi\n\tpopl\t%esi\n\tret\n#endif // !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86) && defined(__APPLE__)\n#if defined(__linux__) && defined(__ELF__)\n.section .note.GNU-stack,\"\",%progbits\n#endif\n\n" }, { "path": "Sources/CNIOBoringSSL/gen/crypto/md5-586-linux.S", "content": "#define BORINGSSL_PREFIX CNIOBoringSSL\n// This file is generated from a similarly-named Perl script in the BoringSSL\n// source tree. Do not edit by hand.\n\n#include \n\n#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86) && defined(__ELF__)\n.text\n.globl\tmd5_block_asm_data_order\n.hidden\tmd5_block_asm_data_order\n.type\tmd5_block_asm_data_order,@function\n.align\t16\nmd5_block_asm_data_order:\n.L_md5_block_asm_data_order_begin:\n\tpushl\t%esi\n\tpushl\t%edi\n\tmovl\t12(%esp),%edi\n\tmovl\t16(%esp),%esi\n\tmovl\t20(%esp),%ecx\n\tpushl\t%ebp\n\tshll\t$6,%ecx\n\tpushl\t%ebx\n\taddl\t%esi,%ecx\n\tsubl\t$64,%ecx\n\tmovl\t(%edi),%eax\n\tpushl\t%ecx\n\tmovl\t4(%edi),%ebx\n\tmovl\t8(%edi),%ecx\n\tmovl\t12(%edi),%edx\n.L000start:\n\n\n\tmovl\t%ecx,%edi\n\tmovl\t(%esi),%ebp\n\n\txorl\t%edx,%edi\n\tandl\t%ebx,%edi\n\tleal\t3614090360(%eax,%ebp,1),%eax\n\txorl\t%edx,%edi\n\taddl\t%edi,%eax\n\tmovl\t%ebx,%edi\n\troll\t$7,%eax\n\tmovl\t4(%esi),%ebp\n\taddl\t%ebx,%eax\n\n\txorl\t%ecx,%edi\n\tandl\t%eax,%edi\n\tleal\t3905402710(%edx,%ebp,1),%edx\n\txorl\t%ecx,%edi\n\taddl\t%edi,%edx\n\tmovl\t%eax,%edi\n\troll\t$12,%edx\n\tmovl\t8(%esi),%ebp\n\taddl\t%eax,%edx\n\n\txorl\t%ebx,%edi\n\tandl\t%edx,%edi\n\tleal\t606105819(%ecx,%ebp,1),%ecx\n\txorl\t%ebx,%edi\n\taddl\t%edi,%ecx\n\tmovl\t%edx,%edi\n\troll\t$17,%ecx\n\tmovl\t12(%esi),%ebp\n\taddl\t%edx,%ecx\n\n\txorl\t%eax,%edi\n\tandl\t%ecx,%edi\n\tleal\t3250441966(%ebx,%ebp,1),%ebx\n\txorl\t%eax,%edi\n\taddl\t%edi,%ebx\n\tmovl\t%ecx,%edi\n\troll\t$22,%ebx\n\tmovl\t16(%esi),%ebp\n\taddl\t%ecx,%ebx\n\n\txorl\t%edx,%edi\n\tandl\t%ebx,%edi\n\tleal\t4118548399(%eax,%ebp,1),%eax\n\txorl\t%edx,%edi\n\taddl\t%edi,%eax\n\tmovl\t%ebx,%edi\n\troll\t$7,%eax\n\tmovl\t20(%esi),%ebp\n\taddl\t%ebx,%eax\n\n\txorl\t%ecx,%edi\n\tandl\t%eax,%edi\n\tleal\t1200080426(%edx,%ebp,1),%edx\n\txorl\t%ecx,%edi\n\taddl\t%edi,%edx\n\tmovl\t%eax,%edi\n\troll\t$12,%edx\n\tmovl\t24(%esi),%ebp\n\taddl\t%eax,%edx\n\n\txorl\t%ebx,%edi\n\tandl\t%edx,%edi\n\tleal\t2821735955(%ecx,%ebp,1),%ecx\n\txorl\t%ebx,%edi\n\taddl\t%edi,%ecx\n\tmovl\t%edx,%edi\n\troll\t$17,%ecx\n\tmovl\t28(%esi),%ebp\n\taddl\t%edx,%ecx\n\n\txorl\t%eax,%edi\n\tandl\t%ecx,%edi\n\tleal\t4249261313(%ebx,%ebp,1),%ebx\n\txorl\t%eax,%edi\n\taddl\t%edi,%ebx\n\tmovl\t%ecx,%edi\n\troll\t$22,%ebx\n\tmovl\t32(%esi),%ebp\n\taddl\t%ecx,%ebx\n\n\txorl\t%edx,%edi\n\tandl\t%ebx,%edi\n\tleal\t1770035416(%eax,%ebp,1),%eax\n\txorl\t%edx,%edi\n\taddl\t%edi,%eax\n\tmovl\t%ebx,%edi\n\troll\t$7,%eax\n\tmovl\t36(%esi),%ebp\n\taddl\t%ebx,%eax\n\n\txorl\t%ecx,%edi\n\tandl\t%eax,%edi\n\tleal\t2336552879(%edx,%ebp,1),%edx\n\txorl\t%ecx,%edi\n\taddl\t%edi,%edx\n\tmovl\t%eax,%edi\n\troll\t$12,%edx\n\tmovl\t40(%esi),%ebp\n\taddl\t%eax,%edx\n\n\txorl\t%ebx,%edi\n\tandl\t%edx,%edi\n\tleal\t4294925233(%ecx,%ebp,1),%ecx\n\txorl\t%ebx,%edi\n\taddl\t%edi,%ecx\n\tmovl\t%edx,%edi\n\troll\t$17,%ecx\n\tmovl\t44(%esi),%ebp\n\taddl\t%edx,%ecx\n\n\txorl\t%eax,%edi\n\tandl\t%ecx,%edi\n\tleal\t2304563134(%ebx,%ebp,1),%ebx\n\txorl\t%eax,%edi\n\taddl\t%edi,%ebx\n\tmovl\t%ecx,%edi\n\troll\t$22,%ebx\n\tmovl\t48(%esi),%ebp\n\taddl\t%ecx,%ebx\n\n\txorl\t%edx,%edi\n\tandl\t%ebx,%edi\n\tleal\t1804603682(%eax,%ebp,1),%eax\n\txorl\t%edx,%edi\n\taddl\t%edi,%eax\n\tmovl\t%ebx,%edi\n\troll\t$7,%eax\n\tmovl\t52(%esi),%ebp\n\taddl\t%ebx,%eax\n\n\txorl\t%ecx,%edi\n\tandl\t%eax,%edi\n\tleal\t4254626195(%edx,%ebp,1),%edx\n\txorl\t%ecx,%edi\n\taddl\t%edi,%edx\n\tmovl\t%eax,%edi\n\troll\t$12,%edx\n\tmovl\t56(%esi),%ebp\n\taddl\t%eax,%edx\n\n\txorl\t%ebx,%edi\n\tandl\t%edx,%edi\n\tleal\t2792965006(%ecx,%ebp,1),%ecx\n\txorl\t%ebx,%edi\n\taddl\t%edi,%ecx\n\tmovl\t%edx,%edi\n\troll\t$17,%ecx\n\tmovl\t60(%esi),%ebp\n\taddl\t%edx,%ecx\n\n\txorl\t%eax,%edi\n\tandl\t%ecx,%edi\n\tleal\t1236535329(%ebx,%ebp,1),%ebx\n\txorl\t%eax,%edi\n\taddl\t%edi,%ebx\n\tmovl\t%ecx,%edi\n\troll\t$22,%ebx\n\tmovl\t4(%esi),%ebp\n\taddl\t%ecx,%ebx\n\n\n\n\tleal\t4129170786(%eax,%ebp,1),%eax\n\txorl\t%ebx,%edi\n\tandl\t%edx,%edi\n\tmovl\t24(%esi),%ebp\n\txorl\t%ecx,%edi\n\taddl\t%edi,%eax\n\tmovl\t%ebx,%edi\n\troll\t$5,%eax\n\taddl\t%ebx,%eax\n\n\tleal\t3225465664(%edx,%ebp,1),%edx\n\txorl\t%eax,%edi\n\tandl\t%ecx,%edi\n\tmovl\t44(%esi),%ebp\n\txorl\t%ebx,%edi\n\taddl\t%edi,%edx\n\tmovl\t%eax,%edi\n\troll\t$9,%edx\n\taddl\t%eax,%edx\n\n\tleal\t643717713(%ecx,%ebp,1),%ecx\n\txorl\t%edx,%edi\n\tandl\t%ebx,%edi\n\tmovl\t(%esi),%ebp\n\txorl\t%eax,%edi\n\taddl\t%edi,%ecx\n\tmovl\t%edx,%edi\n\troll\t$14,%ecx\n\taddl\t%edx,%ecx\n\n\tleal\t3921069994(%ebx,%ebp,1),%ebx\n\txorl\t%ecx,%edi\n\tandl\t%eax,%edi\n\tmovl\t20(%esi),%ebp\n\txorl\t%edx,%edi\n\taddl\t%edi,%ebx\n\tmovl\t%ecx,%edi\n\troll\t$20,%ebx\n\taddl\t%ecx,%ebx\n\n\tleal\t3593408605(%eax,%ebp,1),%eax\n\txorl\t%ebx,%edi\n\tandl\t%edx,%edi\n\tmovl\t40(%esi),%ebp\n\txorl\t%ecx,%edi\n\taddl\t%edi,%eax\n\tmovl\t%ebx,%edi\n\troll\t$5,%eax\n\taddl\t%ebx,%eax\n\n\tleal\t38016083(%edx,%ebp,1),%edx\n\txorl\t%eax,%edi\n\tandl\t%ecx,%edi\n\tmovl\t60(%esi),%ebp\n\txorl\t%ebx,%edi\n\taddl\t%edi,%edx\n\tmovl\t%eax,%edi\n\troll\t$9,%edx\n\taddl\t%eax,%edx\n\n\tleal\t3634488961(%ecx,%ebp,1),%ecx\n\txorl\t%edx,%edi\n\tandl\t%ebx,%edi\n\tmovl\t16(%esi),%ebp\n\txorl\t%eax,%edi\n\taddl\t%edi,%ecx\n\tmovl\t%edx,%edi\n\troll\t$14,%ecx\n\taddl\t%edx,%ecx\n\n\tleal\t3889429448(%ebx,%ebp,1),%ebx\n\txorl\t%ecx,%edi\n\tandl\t%eax,%edi\n\tmovl\t36(%esi),%ebp\n\txorl\t%edx,%edi\n\taddl\t%edi,%ebx\n\tmovl\t%ecx,%edi\n\troll\t$20,%ebx\n\taddl\t%ecx,%ebx\n\n\tleal\t568446438(%eax,%ebp,1),%eax\n\txorl\t%ebx,%edi\n\tandl\t%edx,%edi\n\tmovl\t56(%esi),%ebp\n\txorl\t%ecx,%edi\n\taddl\t%edi,%eax\n\tmovl\t%ebx,%edi\n\troll\t$5,%eax\n\taddl\t%ebx,%eax\n\n\tleal\t3275163606(%edx,%ebp,1),%edx\n\txorl\t%eax,%edi\n\tandl\t%ecx,%edi\n\tmovl\t12(%esi),%ebp\n\txorl\t%ebx,%edi\n\taddl\t%edi,%edx\n\tmovl\t%eax,%edi\n\troll\t$9,%edx\n\taddl\t%eax,%edx\n\n\tleal\t4107603335(%ecx,%ebp,1),%ecx\n\txorl\t%edx,%edi\n\tandl\t%ebx,%edi\n\tmovl\t32(%esi),%ebp\n\txorl\t%eax,%edi\n\taddl\t%edi,%ecx\n\tmovl\t%edx,%edi\n\troll\t$14,%ecx\n\taddl\t%edx,%ecx\n\n\tleal\t1163531501(%ebx,%ebp,1),%ebx\n\txorl\t%ecx,%edi\n\tandl\t%eax,%edi\n\tmovl\t52(%esi),%ebp\n\txorl\t%edx,%edi\n\taddl\t%edi,%ebx\n\tmovl\t%ecx,%edi\n\troll\t$20,%ebx\n\taddl\t%ecx,%ebx\n\n\tleal\t2850285829(%eax,%ebp,1),%eax\n\txorl\t%ebx,%edi\n\tandl\t%edx,%edi\n\tmovl\t8(%esi),%ebp\n\txorl\t%ecx,%edi\n\taddl\t%edi,%eax\n\tmovl\t%ebx,%edi\n\troll\t$5,%eax\n\taddl\t%ebx,%eax\n\n\tleal\t4243563512(%edx,%ebp,1),%edx\n\txorl\t%eax,%edi\n\tandl\t%ecx,%edi\n\tmovl\t28(%esi),%ebp\n\txorl\t%ebx,%edi\n\taddl\t%edi,%edx\n\tmovl\t%eax,%edi\n\troll\t$9,%edx\n\taddl\t%eax,%edx\n\n\tleal\t1735328473(%ecx,%ebp,1),%ecx\n\txorl\t%edx,%edi\n\tandl\t%ebx,%edi\n\tmovl\t48(%esi),%ebp\n\txorl\t%eax,%edi\n\taddl\t%edi,%ecx\n\tmovl\t%edx,%edi\n\troll\t$14,%ecx\n\taddl\t%edx,%ecx\n\n\tleal\t2368359562(%ebx,%ebp,1),%ebx\n\txorl\t%ecx,%edi\n\tandl\t%eax,%edi\n\tmovl\t20(%esi),%ebp\n\txorl\t%edx,%edi\n\taddl\t%edi,%ebx\n\tmovl\t%ecx,%edi\n\troll\t$20,%ebx\n\taddl\t%ecx,%ebx\n\n\n\n\txorl\t%edx,%edi\n\txorl\t%ebx,%edi\n\tleal\t4294588738(%eax,%ebp,1),%eax\n\taddl\t%edi,%eax\n\troll\t$4,%eax\n\tmovl\t32(%esi),%ebp\n\tmovl\t%ebx,%edi\n\n\tleal\t2272392833(%edx,%ebp,1),%edx\n\taddl\t%ebx,%eax\n\txorl\t%ecx,%edi\n\txorl\t%eax,%edi\n\tmovl\t44(%esi),%ebp\n\taddl\t%edi,%edx\n\tmovl\t%eax,%edi\n\troll\t$11,%edx\n\taddl\t%eax,%edx\n\n\txorl\t%ebx,%edi\n\txorl\t%edx,%edi\n\tleal\t1839030562(%ecx,%ebp,1),%ecx\n\taddl\t%edi,%ecx\n\troll\t$16,%ecx\n\tmovl\t56(%esi),%ebp\n\tmovl\t%edx,%edi\n\n\tleal\t4259657740(%ebx,%ebp,1),%ebx\n\taddl\t%edx,%ecx\n\txorl\t%eax,%edi\n\txorl\t%ecx,%edi\n\tmovl\t4(%esi),%ebp\n\taddl\t%edi,%ebx\n\tmovl\t%ecx,%edi\n\troll\t$23,%ebx\n\taddl\t%ecx,%ebx\n\n\txorl\t%edx,%edi\n\txorl\t%ebx,%edi\n\tleal\t2763975236(%eax,%ebp,1),%eax\n\taddl\t%edi,%eax\n\troll\t$4,%eax\n\tmovl\t16(%esi),%ebp\n\tmovl\t%ebx,%edi\n\n\tleal\t1272893353(%edx,%ebp,1),%edx\n\taddl\t%ebx,%eax\n\txorl\t%ecx,%edi\n\txorl\t%eax,%edi\n\tmovl\t28(%esi),%ebp\n\taddl\t%edi,%edx\n\tmovl\t%eax,%edi\n\troll\t$11,%edx\n\taddl\t%eax,%edx\n\n\txorl\t%ebx,%edi\n\txorl\t%edx,%edi\n\tleal\t4139469664(%ecx,%ebp,1),%ecx\n\taddl\t%edi,%ecx\n\troll\t$16,%ecx\n\tmovl\t40(%esi),%ebp\n\tmovl\t%edx,%edi\n\n\tleal\t3200236656(%ebx,%ebp,1),%ebx\n\taddl\t%edx,%ecx\n\txorl\t%eax,%edi\n\txorl\t%ecx,%edi\n\tmovl\t52(%esi),%ebp\n\taddl\t%edi,%ebx\n\tmovl\t%ecx,%edi\n\troll\t$23,%ebx\n\taddl\t%ecx,%ebx\n\n\txorl\t%edx,%edi\n\txorl\t%ebx,%edi\n\tleal\t681279174(%eax,%ebp,1),%eax\n\taddl\t%edi,%eax\n\troll\t$4,%eax\n\tmovl\t(%esi),%ebp\n\tmovl\t%ebx,%edi\n\n\tleal\t3936430074(%edx,%ebp,1),%edx\n\taddl\t%ebx,%eax\n\txorl\t%ecx,%edi\n\txorl\t%eax,%edi\n\tmovl\t12(%esi),%ebp\n\taddl\t%edi,%edx\n\tmovl\t%eax,%edi\n\troll\t$11,%edx\n\taddl\t%eax,%edx\n\n\txorl\t%ebx,%edi\n\txorl\t%edx,%edi\n\tleal\t3572445317(%ecx,%ebp,1),%ecx\n\taddl\t%edi,%ecx\n\troll\t$16,%ecx\n\tmovl\t24(%esi),%ebp\n\tmovl\t%edx,%edi\n\n\tleal\t76029189(%ebx,%ebp,1),%ebx\n\taddl\t%edx,%ecx\n\txorl\t%eax,%edi\n\txorl\t%ecx,%edi\n\tmovl\t36(%esi),%ebp\n\taddl\t%edi,%ebx\n\tmovl\t%ecx,%edi\n\troll\t$23,%ebx\n\taddl\t%ecx,%ebx\n\n\txorl\t%edx,%edi\n\txorl\t%ebx,%edi\n\tleal\t3654602809(%eax,%ebp,1),%eax\n\taddl\t%edi,%eax\n\troll\t$4,%eax\n\tmovl\t48(%esi),%ebp\n\tmovl\t%ebx,%edi\n\n\tleal\t3873151461(%edx,%ebp,1),%edx\n\taddl\t%ebx,%eax\n\txorl\t%ecx,%edi\n\txorl\t%eax,%edi\n\tmovl\t60(%esi),%ebp\n\taddl\t%edi,%edx\n\tmovl\t%eax,%edi\n\troll\t$11,%edx\n\taddl\t%eax,%edx\n\n\txorl\t%ebx,%edi\n\txorl\t%edx,%edi\n\tleal\t530742520(%ecx,%ebp,1),%ecx\n\taddl\t%edi,%ecx\n\troll\t$16,%ecx\n\tmovl\t8(%esi),%ebp\n\tmovl\t%edx,%edi\n\n\tleal\t3299628645(%ebx,%ebp,1),%ebx\n\taddl\t%edx,%ecx\n\txorl\t%eax,%edi\n\txorl\t%ecx,%edi\n\tmovl\t(%esi),%ebp\n\taddl\t%edi,%ebx\n\tmovl\t$-1,%edi\n\troll\t$23,%ebx\n\taddl\t%ecx,%ebx\n\n\n\n\txorl\t%edx,%edi\n\torl\t%ebx,%edi\n\tleal\t4096336452(%eax,%ebp,1),%eax\n\txorl\t%ecx,%edi\n\tmovl\t28(%esi),%ebp\n\taddl\t%edi,%eax\n\tmovl\t$-1,%edi\n\troll\t$6,%eax\n\txorl\t%ecx,%edi\n\taddl\t%ebx,%eax\n\n\torl\t%eax,%edi\n\tleal\t1126891415(%edx,%ebp,1),%edx\n\txorl\t%ebx,%edi\n\tmovl\t56(%esi),%ebp\n\taddl\t%edi,%edx\n\tmovl\t$-1,%edi\n\troll\t$10,%edx\n\txorl\t%ebx,%edi\n\taddl\t%eax,%edx\n\n\torl\t%edx,%edi\n\tleal\t2878612391(%ecx,%ebp,1),%ecx\n\txorl\t%eax,%edi\n\tmovl\t20(%esi),%ebp\n\taddl\t%edi,%ecx\n\tmovl\t$-1,%edi\n\troll\t$15,%ecx\n\txorl\t%eax,%edi\n\taddl\t%edx,%ecx\n\n\torl\t%ecx,%edi\n\tleal\t4237533241(%ebx,%ebp,1),%ebx\n\txorl\t%edx,%edi\n\tmovl\t48(%esi),%ebp\n\taddl\t%edi,%ebx\n\tmovl\t$-1,%edi\n\troll\t$21,%ebx\n\txorl\t%edx,%edi\n\taddl\t%ecx,%ebx\n\n\torl\t%ebx,%edi\n\tleal\t1700485571(%eax,%ebp,1),%eax\n\txorl\t%ecx,%edi\n\tmovl\t12(%esi),%ebp\n\taddl\t%edi,%eax\n\tmovl\t$-1,%edi\n\troll\t$6,%eax\n\txorl\t%ecx,%edi\n\taddl\t%ebx,%eax\n\n\torl\t%eax,%edi\n\tleal\t2399980690(%edx,%ebp,1),%edx\n\txorl\t%ebx,%edi\n\tmovl\t40(%esi),%ebp\n\taddl\t%edi,%edx\n\tmovl\t$-1,%edi\n\troll\t$10,%edx\n\txorl\t%ebx,%edi\n\taddl\t%eax,%edx\n\n\torl\t%edx,%edi\n\tleal\t4293915773(%ecx,%ebp,1),%ecx\n\txorl\t%eax,%edi\n\tmovl\t4(%esi),%ebp\n\taddl\t%edi,%ecx\n\tmovl\t$-1,%edi\n\troll\t$15,%ecx\n\txorl\t%eax,%edi\n\taddl\t%edx,%ecx\n\n\torl\t%ecx,%edi\n\tleal\t2240044497(%ebx,%ebp,1),%ebx\n\txorl\t%edx,%edi\n\tmovl\t32(%esi),%ebp\n\taddl\t%edi,%ebx\n\tmovl\t$-1,%edi\n\troll\t$21,%ebx\n\txorl\t%edx,%edi\n\taddl\t%ecx,%ebx\n\n\torl\t%ebx,%edi\n\tleal\t1873313359(%eax,%ebp,1),%eax\n\txorl\t%ecx,%edi\n\tmovl\t60(%esi),%ebp\n\taddl\t%edi,%eax\n\tmovl\t$-1,%edi\n\troll\t$6,%eax\n\txorl\t%ecx,%edi\n\taddl\t%ebx,%eax\n\n\torl\t%eax,%edi\n\tleal\t4264355552(%edx,%ebp,1),%edx\n\txorl\t%ebx,%edi\n\tmovl\t24(%esi),%ebp\n\taddl\t%edi,%edx\n\tmovl\t$-1,%edi\n\troll\t$10,%edx\n\txorl\t%ebx,%edi\n\taddl\t%eax,%edx\n\n\torl\t%edx,%edi\n\tleal\t2734768916(%ecx,%ebp,1),%ecx\n\txorl\t%eax,%edi\n\tmovl\t52(%esi),%ebp\n\taddl\t%edi,%ecx\n\tmovl\t$-1,%edi\n\troll\t$15,%ecx\n\txorl\t%eax,%edi\n\taddl\t%edx,%ecx\n\n\torl\t%ecx,%edi\n\tleal\t1309151649(%ebx,%ebp,1),%ebx\n\txorl\t%edx,%edi\n\tmovl\t16(%esi),%ebp\n\taddl\t%edi,%ebx\n\tmovl\t$-1,%edi\n\troll\t$21,%ebx\n\txorl\t%edx,%edi\n\taddl\t%ecx,%ebx\n\n\torl\t%ebx,%edi\n\tleal\t4149444226(%eax,%ebp,1),%eax\n\txorl\t%ecx,%edi\n\tmovl\t44(%esi),%ebp\n\taddl\t%edi,%eax\n\tmovl\t$-1,%edi\n\troll\t$6,%eax\n\txorl\t%ecx,%edi\n\taddl\t%ebx,%eax\n\n\torl\t%eax,%edi\n\tleal\t3174756917(%edx,%ebp,1),%edx\n\txorl\t%ebx,%edi\n\tmovl\t8(%esi),%ebp\n\taddl\t%edi,%edx\n\tmovl\t$-1,%edi\n\troll\t$10,%edx\n\txorl\t%ebx,%edi\n\taddl\t%eax,%edx\n\n\torl\t%edx,%edi\n\tleal\t718787259(%ecx,%ebp,1),%ecx\n\txorl\t%eax,%edi\n\tmovl\t36(%esi),%ebp\n\taddl\t%edi,%ecx\n\tmovl\t$-1,%edi\n\troll\t$15,%ecx\n\txorl\t%eax,%edi\n\taddl\t%edx,%ecx\n\n\torl\t%ecx,%edi\n\tleal\t3951481745(%ebx,%ebp,1),%ebx\n\txorl\t%edx,%edi\n\tmovl\t24(%esp),%ebp\n\taddl\t%edi,%ebx\n\taddl\t$64,%esi\n\troll\t$21,%ebx\n\tmovl\t(%ebp),%edi\n\taddl\t%ecx,%ebx\n\taddl\t%edi,%eax\n\tmovl\t4(%ebp),%edi\n\taddl\t%edi,%ebx\n\tmovl\t8(%ebp),%edi\n\taddl\t%edi,%ecx\n\tmovl\t12(%ebp),%edi\n\taddl\t%edi,%edx\n\tmovl\t%eax,(%ebp)\n\tmovl\t%ebx,4(%ebp)\n\tmovl\t(%esp),%edi\n\tmovl\t%ecx,8(%ebp)\n\tmovl\t%edx,12(%ebp)\n\tcmpl\t%esi,%edi\n\tjae\t.L000start\n\tpopl\t%eax\n\tpopl\t%ebx\n\tpopl\t%ebp\n\tpopl\t%edi\n\tpopl\t%esi\n\tret\n.size\tmd5_block_asm_data_order,.-.L_md5_block_asm_data_order_begin\n#endif // !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86) && defined(__ELF__)\n#if defined(__linux__) && defined(__ELF__)\n.section .note.GNU-stack,\"\",%progbits\n#endif\n\n" }, { "path": "Sources/CNIOBoringSSL/gen/crypto/md5-x86_64-apple.S", "content": "#define BORINGSSL_PREFIX CNIOBoringSSL\n// This file is generated from a similarly-named Perl script in the BoringSSL\n// source tree. Do not edit by hand.\n\n#include \n\n#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86_64) && defined(__APPLE__)\n.text\t\n.p2align\t4\n\n.globl\t_md5_block_asm_data_order\n.private_extern _md5_block_asm_data_order\n\n_md5_block_asm_data_order:\n\n_CET_ENDBR\n\tpushq\t%rbp\n\n\tpushq\t%rbx\n\n\tpushq\t%r12\n\n\tpushq\t%r14\n\n\tpushq\t%r15\n\nL$prologue:\n\n\n\n\n\tmovq\t%rdi,%rbp\n\tshlq\t$6,%rdx\n\tleaq\t(%rsi,%rdx,1),%rdi\n\tmovl\t0(%rbp),%eax\n\tmovl\t4(%rbp),%ebx\n\tmovl\t8(%rbp),%ecx\n\tmovl\t12(%rbp),%edx\n\n\n\n\n\n\n\n\tcmpq\t%rdi,%rsi\n\tje\tL$end\n\n\nL$loop:\n\tmovl\t%eax,%r8d\n\tmovl\t%ebx,%r9d\n\tmovl\t%ecx,%r14d\n\tmovl\t%edx,%r15d\n\tmovl\t0(%rsi),%r10d\n\tmovl\t%edx,%r11d\n\txorl\t%ecx,%r11d\n\tleal\t-680876936(%rax,%r10,1),%eax\n\tandl\t%ebx,%r11d\n\txorl\t%edx,%r11d\n\tmovl\t4(%rsi),%r10d\n\taddl\t%r11d,%eax\n\troll\t$7,%eax\n\tmovl\t%ecx,%r11d\n\taddl\t%ebx,%eax\n\txorl\t%ebx,%r11d\n\tleal\t-389564586(%rdx,%r10,1),%edx\n\tandl\t%eax,%r11d\n\txorl\t%ecx,%r11d\n\tmovl\t8(%rsi),%r10d\n\taddl\t%r11d,%edx\n\troll\t$12,%edx\n\tmovl\t%ebx,%r11d\n\taddl\t%eax,%edx\n\txorl\t%eax,%r11d\n\tleal\t606105819(%rcx,%r10,1),%ecx\n\tandl\t%edx,%r11d\n\txorl\t%ebx,%r11d\n\tmovl\t12(%rsi),%r10d\n\taddl\t%r11d,%ecx\n\troll\t$17,%ecx\n\tmovl\t%eax,%r11d\n\taddl\t%edx,%ecx\n\txorl\t%edx,%r11d\n\tleal\t-1044525330(%rbx,%r10,1),%ebx\n\tandl\t%ecx,%r11d\n\txorl\t%eax,%r11d\n\tmovl\t16(%rsi),%r10d\n\taddl\t%r11d,%ebx\n\troll\t$22,%ebx\n\tmovl\t%edx,%r11d\n\taddl\t%ecx,%ebx\n\txorl\t%ecx,%r11d\n\tleal\t-176418897(%rax,%r10,1),%eax\n\tandl\t%ebx,%r11d\n\txorl\t%edx,%r11d\n\tmovl\t20(%rsi),%r10d\n\taddl\t%r11d,%eax\n\troll\t$7,%eax\n\tmovl\t%ecx,%r11d\n\taddl\t%ebx,%eax\n\txorl\t%ebx,%r11d\n\tleal\t1200080426(%rdx,%r10,1),%edx\n\tandl\t%eax,%r11d\n\txorl\t%ecx,%r11d\n\tmovl\t24(%rsi),%r10d\n\taddl\t%r11d,%edx\n\troll\t$12,%edx\n\tmovl\t%ebx,%r11d\n\taddl\t%eax,%edx\n\txorl\t%eax,%r11d\n\tleal\t-1473231341(%rcx,%r10,1),%ecx\n\tandl\t%edx,%r11d\n\txorl\t%ebx,%r11d\n\tmovl\t28(%rsi),%r10d\n\taddl\t%r11d,%ecx\n\troll\t$17,%ecx\n\tmovl\t%eax,%r11d\n\taddl\t%edx,%ecx\n\txorl\t%edx,%r11d\n\tleal\t-45705983(%rbx,%r10,1),%ebx\n\tandl\t%ecx,%r11d\n\txorl\t%eax,%r11d\n\tmovl\t32(%rsi),%r10d\n\taddl\t%r11d,%ebx\n\troll\t$22,%ebx\n\tmovl\t%edx,%r11d\n\taddl\t%ecx,%ebx\n\txorl\t%ecx,%r11d\n\tleal\t1770035416(%rax,%r10,1),%eax\n\tandl\t%ebx,%r11d\n\txorl\t%edx,%r11d\n\tmovl\t36(%rsi),%r10d\n\taddl\t%r11d,%eax\n\troll\t$7,%eax\n\tmovl\t%ecx,%r11d\n\taddl\t%ebx,%eax\n\txorl\t%ebx,%r11d\n\tleal\t-1958414417(%rdx,%r10,1),%edx\n\tandl\t%eax,%r11d\n\txorl\t%ecx,%r11d\n\tmovl\t40(%rsi),%r10d\n\taddl\t%r11d,%edx\n\troll\t$12,%edx\n\tmovl\t%ebx,%r11d\n\taddl\t%eax,%edx\n\txorl\t%eax,%r11d\n\tleal\t-42063(%rcx,%r10,1),%ecx\n\tandl\t%edx,%r11d\n\txorl\t%ebx,%r11d\n\tmovl\t44(%rsi),%r10d\n\taddl\t%r11d,%ecx\n\troll\t$17,%ecx\n\tmovl\t%eax,%r11d\n\taddl\t%edx,%ecx\n\txorl\t%edx,%r11d\n\tleal\t-1990404162(%rbx,%r10,1),%ebx\n\tandl\t%ecx,%r11d\n\txorl\t%eax,%r11d\n\tmovl\t48(%rsi),%r10d\n\taddl\t%r11d,%ebx\n\troll\t$22,%ebx\n\tmovl\t%edx,%r11d\n\taddl\t%ecx,%ebx\n\txorl\t%ecx,%r11d\n\tleal\t1804603682(%rax,%r10,1),%eax\n\tandl\t%ebx,%r11d\n\txorl\t%edx,%r11d\n\tmovl\t52(%rsi),%r10d\n\taddl\t%r11d,%eax\n\troll\t$7,%eax\n\tmovl\t%ecx,%r11d\n\taddl\t%ebx,%eax\n\txorl\t%ebx,%r11d\n\tleal\t-40341101(%rdx,%r10,1),%edx\n\tandl\t%eax,%r11d\n\txorl\t%ecx,%r11d\n\tmovl\t56(%rsi),%r10d\n\taddl\t%r11d,%edx\n\troll\t$12,%edx\n\tmovl\t%ebx,%r11d\n\taddl\t%eax,%edx\n\txorl\t%eax,%r11d\n\tleal\t-1502002290(%rcx,%r10,1),%ecx\n\tandl\t%edx,%r11d\n\txorl\t%ebx,%r11d\n\tmovl\t60(%rsi),%r10d\n\taddl\t%r11d,%ecx\n\troll\t$17,%ecx\n\tmovl\t%eax,%r11d\n\taddl\t%edx,%ecx\n\txorl\t%edx,%r11d\n\tleal\t1236535329(%rbx,%r10,1),%ebx\n\tandl\t%ecx,%r11d\n\txorl\t%eax,%r11d\n\tmovl\t0(%rsi),%r10d\n\taddl\t%r11d,%ebx\n\troll\t$22,%ebx\n\tmovl\t%edx,%r11d\n\taddl\t%ecx,%ebx\n\tmovl\t4(%rsi),%r10d\n\tmovl\t%edx,%r11d\n\tmovl\t%edx,%r12d\n\tnotl\t%r11d\n\tleal\t-165796510(%rax,%r10,1),%eax\n\tandl\t%ebx,%r12d\n\tandl\t%ecx,%r11d\n\tmovl\t24(%rsi),%r10d\n\torl\t%r11d,%r12d\n\tmovl\t%ecx,%r11d\n\taddl\t%r12d,%eax\n\tmovl\t%ecx,%r12d\n\troll\t$5,%eax\n\taddl\t%ebx,%eax\n\tnotl\t%r11d\n\tleal\t-1069501632(%rdx,%r10,1),%edx\n\tandl\t%eax,%r12d\n\tandl\t%ebx,%r11d\n\tmovl\t44(%rsi),%r10d\n\torl\t%r11d,%r12d\n\tmovl\t%ebx,%r11d\n\taddl\t%r12d,%edx\n\tmovl\t%ebx,%r12d\n\troll\t$9,%edx\n\taddl\t%eax,%edx\n\tnotl\t%r11d\n\tleal\t643717713(%rcx,%r10,1),%ecx\n\tandl\t%edx,%r12d\n\tandl\t%eax,%r11d\n\tmovl\t0(%rsi),%r10d\n\torl\t%r11d,%r12d\n\tmovl\t%eax,%r11d\n\taddl\t%r12d,%ecx\n\tmovl\t%eax,%r12d\n\troll\t$14,%ecx\n\taddl\t%edx,%ecx\n\tnotl\t%r11d\n\tleal\t-373897302(%rbx,%r10,1),%ebx\n\tandl\t%ecx,%r12d\n\tandl\t%edx,%r11d\n\tmovl\t20(%rsi),%r10d\n\torl\t%r11d,%r12d\n\tmovl\t%edx,%r11d\n\taddl\t%r12d,%ebx\n\tmovl\t%edx,%r12d\n\troll\t$20,%ebx\n\taddl\t%ecx,%ebx\n\tnotl\t%r11d\n\tleal\t-701558691(%rax,%r10,1),%eax\n\tandl\t%ebx,%r12d\n\tandl\t%ecx,%r11d\n\tmovl\t40(%rsi),%r10d\n\torl\t%r11d,%r12d\n\tmovl\t%ecx,%r11d\n\taddl\t%r12d,%eax\n\tmovl\t%ecx,%r12d\n\troll\t$5,%eax\n\taddl\t%ebx,%eax\n\tnotl\t%r11d\n\tleal\t38016083(%rdx,%r10,1),%edx\n\tandl\t%eax,%r12d\n\tandl\t%ebx,%r11d\n\tmovl\t60(%rsi),%r10d\n\torl\t%r11d,%r12d\n\tmovl\t%ebx,%r11d\n\taddl\t%r12d,%edx\n\tmovl\t%ebx,%r12d\n\troll\t$9,%edx\n\taddl\t%eax,%edx\n\tnotl\t%r11d\n\tleal\t-660478335(%rcx,%r10,1),%ecx\n\tandl\t%edx,%r12d\n\tandl\t%eax,%r11d\n\tmovl\t16(%rsi),%r10d\n\torl\t%r11d,%r12d\n\tmovl\t%eax,%r11d\n\taddl\t%r12d,%ecx\n\tmovl\t%eax,%r12d\n\troll\t$14,%ecx\n\taddl\t%edx,%ecx\n\tnotl\t%r11d\n\tleal\t-405537848(%rbx,%r10,1),%ebx\n\tandl\t%ecx,%r12d\n\tandl\t%edx,%r11d\n\tmovl\t36(%rsi),%r10d\n\torl\t%r11d,%r12d\n\tmovl\t%edx,%r11d\n\taddl\t%r12d,%ebx\n\tmovl\t%edx,%r12d\n\troll\t$20,%ebx\n\taddl\t%ecx,%ebx\n\tnotl\t%r11d\n\tleal\t568446438(%rax,%r10,1),%eax\n\tandl\t%ebx,%r12d\n\tandl\t%ecx,%r11d\n\tmovl\t56(%rsi),%r10d\n\torl\t%r11d,%r12d\n\tmovl\t%ecx,%r11d\n\taddl\t%r12d,%eax\n\tmovl\t%ecx,%r12d\n\troll\t$5,%eax\n\taddl\t%ebx,%eax\n\tnotl\t%r11d\n\tleal\t-1019803690(%rdx,%r10,1),%edx\n\tandl\t%eax,%r12d\n\tandl\t%ebx,%r11d\n\tmovl\t12(%rsi),%r10d\n\torl\t%r11d,%r12d\n\tmovl\t%ebx,%r11d\n\taddl\t%r12d,%edx\n\tmovl\t%ebx,%r12d\n\troll\t$9,%edx\n\taddl\t%eax,%edx\n\tnotl\t%r11d\n\tleal\t-187363961(%rcx,%r10,1),%ecx\n\tandl\t%edx,%r12d\n\tandl\t%eax,%r11d\n\tmovl\t32(%rsi),%r10d\n\torl\t%r11d,%r12d\n\tmovl\t%eax,%r11d\n\taddl\t%r12d,%ecx\n\tmovl\t%eax,%r12d\n\troll\t$14,%ecx\n\taddl\t%edx,%ecx\n\tnotl\t%r11d\n\tleal\t1163531501(%rbx,%r10,1),%ebx\n\tandl\t%ecx,%r12d\n\tandl\t%edx,%r11d\n\tmovl\t52(%rsi),%r10d\n\torl\t%r11d,%r12d\n\tmovl\t%edx,%r11d\n\taddl\t%r12d,%ebx\n\tmovl\t%edx,%r12d\n\troll\t$20,%ebx\n\taddl\t%ecx,%ebx\n\tnotl\t%r11d\n\tleal\t-1444681467(%rax,%r10,1),%eax\n\tandl\t%ebx,%r12d\n\tandl\t%ecx,%r11d\n\tmovl\t8(%rsi),%r10d\n\torl\t%r11d,%r12d\n\tmovl\t%ecx,%r11d\n\taddl\t%r12d,%eax\n\tmovl\t%ecx,%r12d\n\troll\t$5,%eax\n\taddl\t%ebx,%eax\n\tnotl\t%r11d\n\tleal\t-51403784(%rdx,%r10,1),%edx\n\tandl\t%eax,%r12d\n\tandl\t%ebx,%r11d\n\tmovl\t28(%rsi),%r10d\n\torl\t%r11d,%r12d\n\tmovl\t%ebx,%r11d\n\taddl\t%r12d,%edx\n\tmovl\t%ebx,%r12d\n\troll\t$9,%edx\n\taddl\t%eax,%edx\n\tnotl\t%r11d\n\tleal\t1735328473(%rcx,%r10,1),%ecx\n\tandl\t%edx,%r12d\n\tandl\t%eax,%r11d\n\tmovl\t48(%rsi),%r10d\n\torl\t%r11d,%r12d\n\tmovl\t%eax,%r11d\n\taddl\t%r12d,%ecx\n\tmovl\t%eax,%r12d\n\troll\t$14,%ecx\n\taddl\t%edx,%ecx\n\tnotl\t%r11d\n\tleal\t-1926607734(%rbx,%r10,1),%ebx\n\tandl\t%ecx,%r12d\n\tandl\t%edx,%r11d\n\tmovl\t0(%rsi),%r10d\n\torl\t%r11d,%r12d\n\tmovl\t%edx,%r11d\n\taddl\t%r12d,%ebx\n\tmovl\t%edx,%r12d\n\troll\t$20,%ebx\n\taddl\t%ecx,%ebx\n\tmovl\t20(%rsi),%r10d\n\tmovl\t%ecx,%r11d\n\tleal\t-378558(%rax,%r10,1),%eax\n\tmovl\t32(%rsi),%r10d\n\txorl\t%edx,%r11d\n\txorl\t%ebx,%r11d\n\taddl\t%r11d,%eax\n\troll\t$4,%eax\n\tmovl\t%ebx,%r11d\n\taddl\t%ebx,%eax\n\tleal\t-2022574463(%rdx,%r10,1),%edx\n\tmovl\t44(%rsi),%r10d\n\txorl\t%ecx,%r11d\n\txorl\t%eax,%r11d\n\taddl\t%r11d,%edx\n\troll\t$11,%edx\n\tmovl\t%eax,%r11d\n\taddl\t%eax,%edx\n\tleal\t1839030562(%rcx,%r10,1),%ecx\n\tmovl\t56(%rsi),%r10d\n\txorl\t%ebx,%r11d\n\txorl\t%edx,%r11d\n\taddl\t%r11d,%ecx\n\troll\t$16,%ecx\n\tmovl\t%edx,%r11d\n\taddl\t%edx,%ecx\n\tleal\t-35309556(%rbx,%r10,1),%ebx\n\tmovl\t4(%rsi),%r10d\n\txorl\t%eax,%r11d\n\txorl\t%ecx,%r11d\n\taddl\t%r11d,%ebx\n\troll\t$23,%ebx\n\tmovl\t%ecx,%r11d\n\taddl\t%ecx,%ebx\n\tleal\t-1530992060(%rax,%r10,1),%eax\n\tmovl\t16(%rsi),%r10d\n\txorl\t%edx,%r11d\n\txorl\t%ebx,%r11d\n\taddl\t%r11d,%eax\n\troll\t$4,%eax\n\tmovl\t%ebx,%r11d\n\taddl\t%ebx,%eax\n\tleal\t1272893353(%rdx,%r10,1),%edx\n\tmovl\t28(%rsi),%r10d\n\txorl\t%ecx,%r11d\n\txorl\t%eax,%r11d\n\taddl\t%r11d,%edx\n\troll\t$11,%edx\n\tmovl\t%eax,%r11d\n\taddl\t%eax,%edx\n\tleal\t-155497632(%rcx,%r10,1),%ecx\n\tmovl\t40(%rsi),%r10d\n\txorl\t%ebx,%r11d\n\txorl\t%edx,%r11d\n\taddl\t%r11d,%ecx\n\troll\t$16,%ecx\n\tmovl\t%edx,%r11d\n\taddl\t%edx,%ecx\n\tleal\t-1094730640(%rbx,%r10,1),%ebx\n\tmovl\t52(%rsi),%r10d\n\txorl\t%eax,%r11d\n\txorl\t%ecx,%r11d\n\taddl\t%r11d,%ebx\n\troll\t$23,%ebx\n\tmovl\t%ecx,%r11d\n\taddl\t%ecx,%ebx\n\tleal\t681279174(%rax,%r10,1),%eax\n\tmovl\t0(%rsi),%r10d\n\txorl\t%edx,%r11d\n\txorl\t%ebx,%r11d\n\taddl\t%r11d,%eax\n\troll\t$4,%eax\n\tmovl\t%ebx,%r11d\n\taddl\t%ebx,%eax\n\tleal\t-358537222(%rdx,%r10,1),%edx\n\tmovl\t12(%rsi),%r10d\n\txorl\t%ecx,%r11d\n\txorl\t%eax,%r11d\n\taddl\t%r11d,%edx\n\troll\t$11,%edx\n\tmovl\t%eax,%r11d\n\taddl\t%eax,%edx\n\tleal\t-722521979(%rcx,%r10,1),%ecx\n\tmovl\t24(%rsi),%r10d\n\txorl\t%ebx,%r11d\n\txorl\t%edx,%r11d\n\taddl\t%r11d,%ecx\n\troll\t$16,%ecx\n\tmovl\t%edx,%r11d\n\taddl\t%edx,%ecx\n\tleal\t76029189(%rbx,%r10,1),%ebx\n\tmovl\t36(%rsi),%r10d\n\txorl\t%eax,%r11d\n\txorl\t%ecx,%r11d\n\taddl\t%r11d,%ebx\n\troll\t$23,%ebx\n\tmovl\t%ecx,%r11d\n\taddl\t%ecx,%ebx\n\tleal\t-640364487(%rax,%r10,1),%eax\n\tmovl\t48(%rsi),%r10d\n\txorl\t%edx,%r11d\n\txorl\t%ebx,%r11d\n\taddl\t%r11d,%eax\n\troll\t$4,%eax\n\tmovl\t%ebx,%r11d\n\taddl\t%ebx,%eax\n\tleal\t-421815835(%rdx,%r10,1),%edx\n\tmovl\t60(%rsi),%r10d\n\txorl\t%ecx,%r11d\n\txorl\t%eax,%r11d\n\taddl\t%r11d,%edx\n\troll\t$11,%edx\n\tmovl\t%eax,%r11d\n\taddl\t%eax,%edx\n\tleal\t530742520(%rcx,%r10,1),%ecx\n\tmovl\t8(%rsi),%r10d\n\txorl\t%ebx,%r11d\n\txorl\t%edx,%r11d\n\taddl\t%r11d,%ecx\n\troll\t$16,%ecx\n\tmovl\t%edx,%r11d\n\taddl\t%edx,%ecx\n\tleal\t-995338651(%rbx,%r10,1),%ebx\n\tmovl\t0(%rsi),%r10d\n\txorl\t%eax,%r11d\n\txorl\t%ecx,%r11d\n\taddl\t%r11d,%ebx\n\troll\t$23,%ebx\n\tmovl\t%ecx,%r11d\n\taddl\t%ecx,%ebx\n\tmovl\t0(%rsi),%r10d\n\tmovl\t$0xffffffff,%r11d\n\txorl\t%edx,%r11d\n\tleal\t-198630844(%rax,%r10,1),%eax\n\torl\t%ebx,%r11d\n\txorl\t%ecx,%r11d\n\taddl\t%r11d,%eax\n\tmovl\t28(%rsi),%r10d\n\tmovl\t$0xffffffff,%r11d\n\troll\t$6,%eax\n\txorl\t%ecx,%r11d\n\taddl\t%ebx,%eax\n\tleal\t1126891415(%rdx,%r10,1),%edx\n\torl\t%eax,%r11d\n\txorl\t%ebx,%r11d\n\taddl\t%r11d,%edx\n\tmovl\t56(%rsi),%r10d\n\tmovl\t$0xffffffff,%r11d\n\troll\t$10,%edx\n\txorl\t%ebx,%r11d\n\taddl\t%eax,%edx\n\tleal\t-1416354905(%rcx,%r10,1),%ecx\n\torl\t%edx,%r11d\n\txorl\t%eax,%r11d\n\taddl\t%r11d,%ecx\n\tmovl\t20(%rsi),%r10d\n\tmovl\t$0xffffffff,%r11d\n\troll\t$15,%ecx\n\txorl\t%eax,%r11d\n\taddl\t%edx,%ecx\n\tleal\t-57434055(%rbx,%r10,1),%ebx\n\torl\t%ecx,%r11d\n\txorl\t%edx,%r11d\n\taddl\t%r11d,%ebx\n\tmovl\t48(%rsi),%r10d\n\tmovl\t$0xffffffff,%r11d\n\troll\t$21,%ebx\n\txorl\t%edx,%r11d\n\taddl\t%ecx,%ebx\n\tleal\t1700485571(%rax,%r10,1),%eax\n\torl\t%ebx,%r11d\n\txorl\t%ecx,%r11d\n\taddl\t%r11d,%eax\n\tmovl\t12(%rsi),%r10d\n\tmovl\t$0xffffffff,%r11d\n\troll\t$6,%eax\n\txorl\t%ecx,%r11d\n\taddl\t%ebx,%eax\n\tleal\t-1894986606(%rdx,%r10,1),%edx\n\torl\t%eax,%r11d\n\txorl\t%ebx,%r11d\n\taddl\t%r11d,%edx\n\tmovl\t40(%rsi),%r10d\n\tmovl\t$0xffffffff,%r11d\n\troll\t$10,%edx\n\txorl\t%ebx,%r11d\n\taddl\t%eax,%edx\n\tleal\t-1051523(%rcx,%r10,1),%ecx\n\torl\t%edx,%r11d\n\txorl\t%eax,%r11d\n\taddl\t%r11d,%ecx\n\tmovl\t4(%rsi),%r10d\n\tmovl\t$0xffffffff,%r11d\n\troll\t$15,%ecx\n\txorl\t%eax,%r11d\n\taddl\t%edx,%ecx\n\tleal\t-2054922799(%rbx,%r10,1),%ebx\n\torl\t%ecx,%r11d\n\txorl\t%edx,%r11d\n\taddl\t%r11d,%ebx\n\tmovl\t32(%rsi),%r10d\n\tmovl\t$0xffffffff,%r11d\n\troll\t$21,%ebx\n\txorl\t%edx,%r11d\n\taddl\t%ecx,%ebx\n\tleal\t1873313359(%rax,%r10,1),%eax\n\torl\t%ebx,%r11d\n\txorl\t%ecx,%r11d\n\taddl\t%r11d,%eax\n\tmovl\t60(%rsi),%r10d\n\tmovl\t$0xffffffff,%r11d\n\troll\t$6,%eax\n\txorl\t%ecx,%r11d\n\taddl\t%ebx,%eax\n\tleal\t-30611744(%rdx,%r10,1),%edx\n\torl\t%eax,%r11d\n\txorl\t%ebx,%r11d\n\taddl\t%r11d,%edx\n\tmovl\t24(%rsi),%r10d\n\tmovl\t$0xffffffff,%r11d\n\troll\t$10,%edx\n\txorl\t%ebx,%r11d\n\taddl\t%eax,%edx\n\tleal\t-1560198380(%rcx,%r10,1),%ecx\n\torl\t%edx,%r11d\n\txorl\t%eax,%r11d\n\taddl\t%r11d,%ecx\n\tmovl\t52(%rsi),%r10d\n\tmovl\t$0xffffffff,%r11d\n\troll\t$15,%ecx\n\txorl\t%eax,%r11d\n\taddl\t%edx,%ecx\n\tleal\t1309151649(%rbx,%r10,1),%ebx\n\torl\t%ecx,%r11d\n\txorl\t%edx,%r11d\n\taddl\t%r11d,%ebx\n\tmovl\t16(%rsi),%r10d\n\tmovl\t$0xffffffff,%r11d\n\troll\t$21,%ebx\n\txorl\t%edx,%r11d\n\taddl\t%ecx,%ebx\n\tleal\t-145523070(%rax,%r10,1),%eax\n\torl\t%ebx,%r11d\n\txorl\t%ecx,%r11d\n\taddl\t%r11d,%eax\n\tmovl\t44(%rsi),%r10d\n\tmovl\t$0xffffffff,%r11d\n\troll\t$6,%eax\n\txorl\t%ecx,%r11d\n\taddl\t%ebx,%eax\n\tleal\t-1120210379(%rdx,%r10,1),%edx\n\torl\t%eax,%r11d\n\txorl\t%ebx,%r11d\n\taddl\t%r11d,%edx\n\tmovl\t8(%rsi),%r10d\n\tmovl\t$0xffffffff,%r11d\n\troll\t$10,%edx\n\txorl\t%ebx,%r11d\n\taddl\t%eax,%edx\n\tleal\t718787259(%rcx,%r10,1),%ecx\n\torl\t%edx,%r11d\n\txorl\t%eax,%r11d\n\taddl\t%r11d,%ecx\n\tmovl\t36(%rsi),%r10d\n\tmovl\t$0xffffffff,%r11d\n\troll\t$15,%ecx\n\txorl\t%eax,%r11d\n\taddl\t%edx,%ecx\n\tleal\t-343485551(%rbx,%r10,1),%ebx\n\torl\t%ecx,%r11d\n\txorl\t%edx,%r11d\n\taddl\t%r11d,%ebx\n\tmovl\t0(%rsi),%r10d\n\tmovl\t$0xffffffff,%r11d\n\troll\t$21,%ebx\n\txorl\t%edx,%r11d\n\taddl\t%ecx,%ebx\n\n\taddl\t%r8d,%eax\n\taddl\t%r9d,%ebx\n\taddl\t%r14d,%ecx\n\taddl\t%r15d,%edx\n\n\n\taddq\t$64,%rsi\n\tcmpq\t%rdi,%rsi\n\tjb\tL$loop\n\n\nL$end:\n\tmovl\t%eax,0(%rbp)\n\tmovl\t%ebx,4(%rbp)\n\tmovl\t%ecx,8(%rbp)\n\tmovl\t%edx,12(%rbp)\n\n\tmovq\t(%rsp),%r15\n\n\tmovq\t8(%rsp),%r14\n\n\tmovq\t16(%rsp),%r12\n\n\tmovq\t24(%rsp),%rbx\n\n\tmovq\t32(%rsp),%rbp\n\n\taddq\t$40,%rsp\n\nL$epilogue:\n\tret\n\n\n#endif\n#if defined(__linux__) && defined(__ELF__)\n.section .note.GNU-stack,\"\",%progbits\n#endif\n\n" }, { "path": "Sources/CNIOBoringSSL/gen/crypto/md5-x86_64-linux.S", "content": "#define BORINGSSL_PREFIX CNIOBoringSSL\n// This file is generated from a similarly-named Perl script in the BoringSSL\n// source tree. Do not edit by hand.\n\n#include \n\n#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86_64) && defined(__ELF__)\n.text\t\n.align\t16\n\n.globl\tmd5_block_asm_data_order\n.hidden md5_block_asm_data_order\n.type\tmd5_block_asm_data_order,@function\nmd5_block_asm_data_order:\n.cfi_startproc\t\n_CET_ENDBR\n\tpushq\t%rbp\n.cfi_adjust_cfa_offset\t8\n.cfi_offset\trbp,-16\n\tpushq\t%rbx\n.cfi_adjust_cfa_offset\t8\n.cfi_offset\trbx,-24\n\tpushq\t%r12\n.cfi_adjust_cfa_offset\t8\n.cfi_offset\tr12,-32\n\tpushq\t%r14\n.cfi_adjust_cfa_offset\t8\n.cfi_offset\tr14,-40\n\tpushq\t%r15\n.cfi_adjust_cfa_offset\t8\n.cfi_offset\tr15,-48\n.Lprologue:\n\n\n\n\n\tmovq\t%rdi,%rbp\n\tshlq\t$6,%rdx\n\tleaq\t(%rsi,%rdx,1),%rdi\n\tmovl\t0(%rbp),%eax\n\tmovl\t4(%rbp),%ebx\n\tmovl\t8(%rbp),%ecx\n\tmovl\t12(%rbp),%edx\n\n\n\n\n\n\n\n\tcmpq\t%rdi,%rsi\n\tje\t.Lend\n\n\n.Lloop:\n\tmovl\t%eax,%r8d\n\tmovl\t%ebx,%r9d\n\tmovl\t%ecx,%r14d\n\tmovl\t%edx,%r15d\n\tmovl\t0(%rsi),%r10d\n\tmovl\t%edx,%r11d\n\txorl\t%ecx,%r11d\n\tleal\t-680876936(%rax,%r10,1),%eax\n\tandl\t%ebx,%r11d\n\txorl\t%edx,%r11d\n\tmovl\t4(%rsi),%r10d\n\taddl\t%r11d,%eax\n\troll\t$7,%eax\n\tmovl\t%ecx,%r11d\n\taddl\t%ebx,%eax\n\txorl\t%ebx,%r11d\n\tleal\t-389564586(%rdx,%r10,1),%edx\n\tandl\t%eax,%r11d\n\txorl\t%ecx,%r11d\n\tmovl\t8(%rsi),%r10d\n\taddl\t%r11d,%edx\n\troll\t$12,%edx\n\tmovl\t%ebx,%r11d\n\taddl\t%eax,%edx\n\txorl\t%eax,%r11d\n\tleal\t606105819(%rcx,%r10,1),%ecx\n\tandl\t%edx,%r11d\n\txorl\t%ebx,%r11d\n\tmovl\t12(%rsi),%r10d\n\taddl\t%r11d,%ecx\n\troll\t$17,%ecx\n\tmovl\t%eax,%r11d\n\taddl\t%edx,%ecx\n\txorl\t%edx,%r11d\n\tleal\t-1044525330(%rbx,%r10,1),%ebx\n\tandl\t%ecx,%r11d\n\txorl\t%eax,%r11d\n\tmovl\t16(%rsi),%r10d\n\taddl\t%r11d,%ebx\n\troll\t$22,%ebx\n\tmovl\t%edx,%r11d\n\taddl\t%ecx,%ebx\n\txorl\t%ecx,%r11d\n\tleal\t-176418897(%rax,%r10,1),%eax\n\tandl\t%ebx,%r11d\n\txorl\t%edx,%r11d\n\tmovl\t20(%rsi),%r10d\n\taddl\t%r11d,%eax\n\troll\t$7,%eax\n\tmovl\t%ecx,%r11d\n\taddl\t%ebx,%eax\n\txorl\t%ebx,%r11d\n\tleal\t1200080426(%rdx,%r10,1),%edx\n\tandl\t%eax,%r11d\n\txorl\t%ecx,%r11d\n\tmovl\t24(%rsi),%r10d\n\taddl\t%r11d,%edx\n\troll\t$12,%edx\n\tmovl\t%ebx,%r11d\n\taddl\t%eax,%edx\n\txorl\t%eax,%r11d\n\tleal\t-1473231341(%rcx,%r10,1),%ecx\n\tandl\t%edx,%r11d\n\txorl\t%ebx,%r11d\n\tmovl\t28(%rsi),%r10d\n\taddl\t%r11d,%ecx\n\troll\t$17,%ecx\n\tmovl\t%eax,%r11d\n\taddl\t%edx,%ecx\n\txorl\t%edx,%r11d\n\tleal\t-45705983(%rbx,%r10,1),%ebx\n\tandl\t%ecx,%r11d\n\txorl\t%eax,%r11d\n\tmovl\t32(%rsi),%r10d\n\taddl\t%r11d,%ebx\n\troll\t$22,%ebx\n\tmovl\t%edx,%r11d\n\taddl\t%ecx,%ebx\n\txorl\t%ecx,%r11d\n\tleal\t1770035416(%rax,%r10,1),%eax\n\tandl\t%ebx,%r11d\n\txorl\t%edx,%r11d\n\tmovl\t36(%rsi),%r10d\n\taddl\t%r11d,%eax\n\troll\t$7,%eax\n\tmovl\t%ecx,%r11d\n\taddl\t%ebx,%eax\n\txorl\t%ebx,%r11d\n\tleal\t-1958414417(%rdx,%r10,1),%edx\n\tandl\t%eax,%r11d\n\txorl\t%ecx,%r11d\n\tmovl\t40(%rsi),%r10d\n\taddl\t%r11d,%edx\n\troll\t$12,%edx\n\tmovl\t%ebx,%r11d\n\taddl\t%eax,%edx\n\txorl\t%eax,%r11d\n\tleal\t-42063(%rcx,%r10,1),%ecx\n\tandl\t%edx,%r11d\n\txorl\t%ebx,%r11d\n\tmovl\t44(%rsi),%r10d\n\taddl\t%r11d,%ecx\n\troll\t$17,%ecx\n\tmovl\t%eax,%r11d\n\taddl\t%edx,%ecx\n\txorl\t%edx,%r11d\n\tleal\t-1990404162(%rbx,%r10,1),%ebx\n\tandl\t%ecx,%r11d\n\txorl\t%eax,%r11d\n\tmovl\t48(%rsi),%r10d\n\taddl\t%r11d,%ebx\n\troll\t$22,%ebx\n\tmovl\t%edx,%r11d\n\taddl\t%ecx,%ebx\n\txorl\t%ecx,%r11d\n\tleal\t1804603682(%rax,%r10,1),%eax\n\tandl\t%ebx,%r11d\n\txorl\t%edx,%r11d\n\tmovl\t52(%rsi),%r10d\n\taddl\t%r11d,%eax\n\troll\t$7,%eax\n\tmovl\t%ecx,%r11d\n\taddl\t%ebx,%eax\n\txorl\t%ebx,%r11d\n\tleal\t-40341101(%rdx,%r10,1),%edx\n\tandl\t%eax,%r11d\n\txorl\t%ecx,%r11d\n\tmovl\t56(%rsi),%r10d\n\taddl\t%r11d,%edx\n\troll\t$12,%edx\n\tmovl\t%ebx,%r11d\n\taddl\t%eax,%edx\n\txorl\t%eax,%r11d\n\tleal\t-1502002290(%rcx,%r10,1),%ecx\n\tandl\t%edx,%r11d\n\txorl\t%ebx,%r11d\n\tmovl\t60(%rsi),%r10d\n\taddl\t%r11d,%ecx\n\troll\t$17,%ecx\n\tmovl\t%eax,%r11d\n\taddl\t%edx,%ecx\n\txorl\t%edx,%r11d\n\tleal\t1236535329(%rbx,%r10,1),%ebx\n\tandl\t%ecx,%r11d\n\txorl\t%eax,%r11d\n\tmovl\t0(%rsi),%r10d\n\taddl\t%r11d,%ebx\n\troll\t$22,%ebx\n\tmovl\t%edx,%r11d\n\taddl\t%ecx,%ebx\n\tmovl\t4(%rsi),%r10d\n\tmovl\t%edx,%r11d\n\tmovl\t%edx,%r12d\n\tnotl\t%r11d\n\tleal\t-165796510(%rax,%r10,1),%eax\n\tandl\t%ebx,%r12d\n\tandl\t%ecx,%r11d\n\tmovl\t24(%rsi),%r10d\n\torl\t%r11d,%r12d\n\tmovl\t%ecx,%r11d\n\taddl\t%r12d,%eax\n\tmovl\t%ecx,%r12d\n\troll\t$5,%eax\n\taddl\t%ebx,%eax\n\tnotl\t%r11d\n\tleal\t-1069501632(%rdx,%r10,1),%edx\n\tandl\t%eax,%r12d\n\tandl\t%ebx,%r11d\n\tmovl\t44(%rsi),%r10d\n\torl\t%r11d,%r12d\n\tmovl\t%ebx,%r11d\n\taddl\t%r12d,%edx\n\tmovl\t%ebx,%r12d\n\troll\t$9,%edx\n\taddl\t%eax,%edx\n\tnotl\t%r11d\n\tleal\t643717713(%rcx,%r10,1),%ecx\n\tandl\t%edx,%r12d\n\tandl\t%eax,%r11d\n\tmovl\t0(%rsi),%r10d\n\torl\t%r11d,%r12d\n\tmovl\t%eax,%r11d\n\taddl\t%r12d,%ecx\n\tmovl\t%eax,%r12d\n\troll\t$14,%ecx\n\taddl\t%edx,%ecx\n\tnotl\t%r11d\n\tleal\t-373897302(%rbx,%r10,1),%ebx\n\tandl\t%ecx,%r12d\n\tandl\t%edx,%r11d\n\tmovl\t20(%rsi),%r10d\n\torl\t%r11d,%r12d\n\tmovl\t%edx,%r11d\n\taddl\t%r12d,%ebx\n\tmovl\t%edx,%r12d\n\troll\t$20,%ebx\n\taddl\t%ecx,%ebx\n\tnotl\t%r11d\n\tleal\t-701558691(%rax,%r10,1),%eax\n\tandl\t%ebx,%r12d\n\tandl\t%ecx,%r11d\n\tmovl\t40(%rsi),%r10d\n\torl\t%r11d,%r12d\n\tmovl\t%ecx,%r11d\n\taddl\t%r12d,%eax\n\tmovl\t%ecx,%r12d\n\troll\t$5,%eax\n\taddl\t%ebx,%eax\n\tnotl\t%r11d\n\tleal\t38016083(%rdx,%r10,1),%edx\n\tandl\t%eax,%r12d\n\tandl\t%ebx,%r11d\n\tmovl\t60(%rsi),%r10d\n\torl\t%r11d,%r12d\n\tmovl\t%ebx,%r11d\n\taddl\t%r12d,%edx\n\tmovl\t%ebx,%r12d\n\troll\t$9,%edx\n\taddl\t%eax,%edx\n\tnotl\t%r11d\n\tleal\t-660478335(%rcx,%r10,1),%ecx\n\tandl\t%edx,%r12d\n\tandl\t%eax,%r11d\n\tmovl\t16(%rsi),%r10d\n\torl\t%r11d,%r12d\n\tmovl\t%eax,%r11d\n\taddl\t%r12d,%ecx\n\tmovl\t%eax,%r12d\n\troll\t$14,%ecx\n\taddl\t%edx,%ecx\n\tnotl\t%r11d\n\tleal\t-405537848(%rbx,%r10,1),%ebx\n\tandl\t%ecx,%r12d\n\tandl\t%edx,%r11d\n\tmovl\t36(%rsi),%r10d\n\torl\t%r11d,%r12d\n\tmovl\t%edx,%r11d\n\taddl\t%r12d,%ebx\n\tmovl\t%edx,%r12d\n\troll\t$20,%ebx\n\taddl\t%ecx,%ebx\n\tnotl\t%r11d\n\tleal\t568446438(%rax,%r10,1),%eax\n\tandl\t%ebx,%r12d\n\tandl\t%ecx,%r11d\n\tmovl\t56(%rsi),%r10d\n\torl\t%r11d,%r12d\n\tmovl\t%ecx,%r11d\n\taddl\t%r12d,%eax\n\tmovl\t%ecx,%r12d\n\troll\t$5,%eax\n\taddl\t%ebx,%eax\n\tnotl\t%r11d\n\tleal\t-1019803690(%rdx,%r10,1),%edx\n\tandl\t%eax,%r12d\n\tandl\t%ebx,%r11d\n\tmovl\t12(%rsi),%r10d\n\torl\t%r11d,%r12d\n\tmovl\t%ebx,%r11d\n\taddl\t%r12d,%edx\n\tmovl\t%ebx,%r12d\n\troll\t$9,%edx\n\taddl\t%eax,%edx\n\tnotl\t%r11d\n\tleal\t-187363961(%rcx,%r10,1),%ecx\n\tandl\t%edx,%r12d\n\tandl\t%eax,%r11d\n\tmovl\t32(%rsi),%r10d\n\torl\t%r11d,%r12d\n\tmovl\t%eax,%r11d\n\taddl\t%r12d,%ecx\n\tmovl\t%eax,%r12d\n\troll\t$14,%ecx\n\taddl\t%edx,%ecx\n\tnotl\t%r11d\n\tleal\t1163531501(%rbx,%r10,1),%ebx\n\tandl\t%ecx,%r12d\n\tandl\t%edx,%r11d\n\tmovl\t52(%rsi),%r10d\n\torl\t%r11d,%r12d\n\tmovl\t%edx,%r11d\n\taddl\t%r12d,%ebx\n\tmovl\t%edx,%r12d\n\troll\t$20,%ebx\n\taddl\t%ecx,%ebx\n\tnotl\t%r11d\n\tleal\t-1444681467(%rax,%r10,1),%eax\n\tandl\t%ebx,%r12d\n\tandl\t%ecx,%r11d\n\tmovl\t8(%rsi),%r10d\n\torl\t%r11d,%r12d\n\tmovl\t%ecx,%r11d\n\taddl\t%r12d,%eax\n\tmovl\t%ecx,%r12d\n\troll\t$5,%eax\n\taddl\t%ebx,%eax\n\tnotl\t%r11d\n\tleal\t-51403784(%rdx,%r10,1),%edx\n\tandl\t%eax,%r12d\n\tandl\t%ebx,%r11d\n\tmovl\t28(%rsi),%r10d\n\torl\t%r11d,%r12d\n\tmovl\t%ebx,%r11d\n\taddl\t%r12d,%edx\n\tmovl\t%ebx,%r12d\n\troll\t$9,%edx\n\taddl\t%eax,%edx\n\tnotl\t%r11d\n\tleal\t1735328473(%rcx,%r10,1),%ecx\n\tandl\t%edx,%r12d\n\tandl\t%eax,%r11d\n\tmovl\t48(%rsi),%r10d\n\torl\t%r11d,%r12d\n\tmovl\t%eax,%r11d\n\taddl\t%r12d,%ecx\n\tmovl\t%eax,%r12d\n\troll\t$14,%ecx\n\taddl\t%edx,%ecx\n\tnotl\t%r11d\n\tleal\t-1926607734(%rbx,%r10,1),%ebx\n\tandl\t%ecx,%r12d\n\tandl\t%edx,%r11d\n\tmovl\t0(%rsi),%r10d\n\torl\t%r11d,%r12d\n\tmovl\t%edx,%r11d\n\taddl\t%r12d,%ebx\n\tmovl\t%edx,%r12d\n\troll\t$20,%ebx\n\taddl\t%ecx,%ebx\n\tmovl\t20(%rsi),%r10d\n\tmovl\t%ecx,%r11d\n\tleal\t-378558(%rax,%r10,1),%eax\n\tmovl\t32(%rsi),%r10d\n\txorl\t%edx,%r11d\n\txorl\t%ebx,%r11d\n\taddl\t%r11d,%eax\n\troll\t$4,%eax\n\tmovl\t%ebx,%r11d\n\taddl\t%ebx,%eax\n\tleal\t-2022574463(%rdx,%r10,1),%edx\n\tmovl\t44(%rsi),%r10d\n\txorl\t%ecx,%r11d\n\txorl\t%eax,%r11d\n\taddl\t%r11d,%edx\n\troll\t$11,%edx\n\tmovl\t%eax,%r11d\n\taddl\t%eax,%edx\n\tleal\t1839030562(%rcx,%r10,1),%ecx\n\tmovl\t56(%rsi),%r10d\n\txorl\t%ebx,%r11d\n\txorl\t%edx,%r11d\n\taddl\t%r11d,%ecx\n\troll\t$16,%ecx\n\tmovl\t%edx,%r11d\n\taddl\t%edx,%ecx\n\tleal\t-35309556(%rbx,%r10,1),%ebx\n\tmovl\t4(%rsi),%r10d\n\txorl\t%eax,%r11d\n\txorl\t%ecx,%r11d\n\taddl\t%r11d,%ebx\n\troll\t$23,%ebx\n\tmovl\t%ecx,%r11d\n\taddl\t%ecx,%ebx\n\tleal\t-1530992060(%rax,%r10,1),%eax\n\tmovl\t16(%rsi),%r10d\n\txorl\t%edx,%r11d\n\txorl\t%ebx,%r11d\n\taddl\t%r11d,%eax\n\troll\t$4,%eax\n\tmovl\t%ebx,%r11d\n\taddl\t%ebx,%eax\n\tleal\t1272893353(%rdx,%r10,1),%edx\n\tmovl\t28(%rsi),%r10d\n\txorl\t%ecx,%r11d\n\txorl\t%eax,%r11d\n\taddl\t%r11d,%edx\n\troll\t$11,%edx\n\tmovl\t%eax,%r11d\n\taddl\t%eax,%edx\n\tleal\t-155497632(%rcx,%r10,1),%ecx\n\tmovl\t40(%rsi),%r10d\n\txorl\t%ebx,%r11d\n\txorl\t%edx,%r11d\n\taddl\t%r11d,%ecx\n\troll\t$16,%ecx\n\tmovl\t%edx,%r11d\n\taddl\t%edx,%ecx\n\tleal\t-1094730640(%rbx,%r10,1),%ebx\n\tmovl\t52(%rsi),%r10d\n\txorl\t%eax,%r11d\n\txorl\t%ecx,%r11d\n\taddl\t%r11d,%ebx\n\troll\t$23,%ebx\n\tmovl\t%ecx,%r11d\n\taddl\t%ecx,%ebx\n\tleal\t681279174(%rax,%r10,1),%eax\n\tmovl\t0(%rsi),%r10d\n\txorl\t%edx,%r11d\n\txorl\t%ebx,%r11d\n\taddl\t%r11d,%eax\n\troll\t$4,%eax\n\tmovl\t%ebx,%r11d\n\taddl\t%ebx,%eax\n\tleal\t-358537222(%rdx,%r10,1),%edx\n\tmovl\t12(%rsi),%r10d\n\txorl\t%ecx,%r11d\n\txorl\t%eax,%r11d\n\taddl\t%r11d,%edx\n\troll\t$11,%edx\n\tmovl\t%eax,%r11d\n\taddl\t%eax,%edx\n\tleal\t-722521979(%rcx,%r10,1),%ecx\n\tmovl\t24(%rsi),%r10d\n\txorl\t%ebx,%r11d\n\txorl\t%edx,%r11d\n\taddl\t%r11d,%ecx\n\troll\t$16,%ecx\n\tmovl\t%edx,%r11d\n\taddl\t%edx,%ecx\n\tleal\t76029189(%rbx,%r10,1),%ebx\n\tmovl\t36(%rsi),%r10d\n\txorl\t%eax,%r11d\n\txorl\t%ecx,%r11d\n\taddl\t%r11d,%ebx\n\troll\t$23,%ebx\n\tmovl\t%ecx,%r11d\n\taddl\t%ecx,%ebx\n\tleal\t-640364487(%rax,%r10,1),%eax\n\tmovl\t48(%rsi),%r10d\n\txorl\t%edx,%r11d\n\txorl\t%ebx,%r11d\n\taddl\t%r11d,%eax\n\troll\t$4,%eax\n\tmovl\t%ebx,%r11d\n\taddl\t%ebx,%eax\n\tleal\t-421815835(%rdx,%r10,1),%edx\n\tmovl\t60(%rsi),%r10d\n\txorl\t%ecx,%r11d\n\txorl\t%eax,%r11d\n\taddl\t%r11d,%edx\n\troll\t$11,%edx\n\tmovl\t%eax,%r11d\n\taddl\t%eax,%edx\n\tleal\t530742520(%rcx,%r10,1),%ecx\n\tmovl\t8(%rsi),%r10d\n\txorl\t%ebx,%r11d\n\txorl\t%edx,%r11d\n\taddl\t%r11d,%ecx\n\troll\t$16,%ecx\n\tmovl\t%edx,%r11d\n\taddl\t%edx,%ecx\n\tleal\t-995338651(%rbx,%r10,1),%ebx\n\tmovl\t0(%rsi),%r10d\n\txorl\t%eax,%r11d\n\txorl\t%ecx,%r11d\n\taddl\t%r11d,%ebx\n\troll\t$23,%ebx\n\tmovl\t%ecx,%r11d\n\taddl\t%ecx,%ebx\n\tmovl\t0(%rsi),%r10d\n\tmovl\t$0xffffffff,%r11d\n\txorl\t%edx,%r11d\n\tleal\t-198630844(%rax,%r10,1),%eax\n\torl\t%ebx,%r11d\n\txorl\t%ecx,%r11d\n\taddl\t%r11d,%eax\n\tmovl\t28(%rsi),%r10d\n\tmovl\t$0xffffffff,%r11d\n\troll\t$6,%eax\n\txorl\t%ecx,%r11d\n\taddl\t%ebx,%eax\n\tleal\t1126891415(%rdx,%r10,1),%edx\n\torl\t%eax,%r11d\n\txorl\t%ebx,%r11d\n\taddl\t%r11d,%edx\n\tmovl\t56(%rsi),%r10d\n\tmovl\t$0xffffffff,%r11d\n\troll\t$10,%edx\n\txorl\t%ebx,%r11d\n\taddl\t%eax,%edx\n\tleal\t-1416354905(%rcx,%r10,1),%ecx\n\torl\t%edx,%r11d\n\txorl\t%eax,%r11d\n\taddl\t%r11d,%ecx\n\tmovl\t20(%rsi),%r10d\n\tmovl\t$0xffffffff,%r11d\n\troll\t$15,%ecx\n\txorl\t%eax,%r11d\n\taddl\t%edx,%ecx\n\tleal\t-57434055(%rbx,%r10,1),%ebx\n\torl\t%ecx,%r11d\n\txorl\t%edx,%r11d\n\taddl\t%r11d,%ebx\n\tmovl\t48(%rsi),%r10d\n\tmovl\t$0xffffffff,%r11d\n\troll\t$21,%ebx\n\txorl\t%edx,%r11d\n\taddl\t%ecx,%ebx\n\tleal\t1700485571(%rax,%r10,1),%eax\n\torl\t%ebx,%r11d\n\txorl\t%ecx,%r11d\n\taddl\t%r11d,%eax\n\tmovl\t12(%rsi),%r10d\n\tmovl\t$0xffffffff,%r11d\n\troll\t$6,%eax\n\txorl\t%ecx,%r11d\n\taddl\t%ebx,%eax\n\tleal\t-1894986606(%rdx,%r10,1),%edx\n\torl\t%eax,%r11d\n\txorl\t%ebx,%r11d\n\taddl\t%r11d,%edx\n\tmovl\t40(%rsi),%r10d\n\tmovl\t$0xffffffff,%r11d\n\troll\t$10,%edx\n\txorl\t%ebx,%r11d\n\taddl\t%eax,%edx\n\tleal\t-1051523(%rcx,%r10,1),%ecx\n\torl\t%edx,%r11d\n\txorl\t%eax,%r11d\n\taddl\t%r11d,%ecx\n\tmovl\t4(%rsi),%r10d\n\tmovl\t$0xffffffff,%r11d\n\troll\t$15,%ecx\n\txorl\t%eax,%r11d\n\taddl\t%edx,%ecx\n\tleal\t-2054922799(%rbx,%r10,1),%ebx\n\torl\t%ecx,%r11d\n\txorl\t%edx,%r11d\n\taddl\t%r11d,%ebx\n\tmovl\t32(%rsi),%r10d\n\tmovl\t$0xffffffff,%r11d\n\troll\t$21,%ebx\n\txorl\t%edx,%r11d\n\taddl\t%ecx,%ebx\n\tleal\t1873313359(%rax,%r10,1),%eax\n\torl\t%ebx,%r11d\n\txorl\t%ecx,%r11d\n\taddl\t%r11d,%eax\n\tmovl\t60(%rsi),%r10d\n\tmovl\t$0xffffffff,%r11d\n\troll\t$6,%eax\n\txorl\t%ecx,%r11d\n\taddl\t%ebx,%eax\n\tleal\t-30611744(%rdx,%r10,1),%edx\n\torl\t%eax,%r11d\n\txorl\t%ebx,%r11d\n\taddl\t%r11d,%edx\n\tmovl\t24(%rsi),%r10d\n\tmovl\t$0xffffffff,%r11d\n\troll\t$10,%edx\n\txorl\t%ebx,%r11d\n\taddl\t%eax,%edx\n\tleal\t-1560198380(%rcx,%r10,1),%ecx\n\torl\t%edx,%r11d\n\txorl\t%eax,%r11d\n\taddl\t%r11d,%ecx\n\tmovl\t52(%rsi),%r10d\n\tmovl\t$0xffffffff,%r11d\n\troll\t$15,%ecx\n\txorl\t%eax,%r11d\n\taddl\t%edx,%ecx\n\tleal\t1309151649(%rbx,%r10,1),%ebx\n\torl\t%ecx,%r11d\n\txorl\t%edx,%r11d\n\taddl\t%r11d,%ebx\n\tmovl\t16(%rsi),%r10d\n\tmovl\t$0xffffffff,%r11d\n\troll\t$21,%ebx\n\txorl\t%edx,%r11d\n\taddl\t%ecx,%ebx\n\tleal\t-145523070(%rax,%r10,1),%eax\n\torl\t%ebx,%r11d\n\txorl\t%ecx,%r11d\n\taddl\t%r11d,%eax\n\tmovl\t44(%rsi),%r10d\n\tmovl\t$0xffffffff,%r11d\n\troll\t$6,%eax\n\txorl\t%ecx,%r11d\n\taddl\t%ebx,%eax\n\tleal\t-1120210379(%rdx,%r10,1),%edx\n\torl\t%eax,%r11d\n\txorl\t%ebx,%r11d\n\taddl\t%r11d,%edx\n\tmovl\t8(%rsi),%r10d\n\tmovl\t$0xffffffff,%r11d\n\troll\t$10,%edx\n\txorl\t%ebx,%r11d\n\taddl\t%eax,%edx\n\tleal\t718787259(%rcx,%r10,1),%ecx\n\torl\t%edx,%r11d\n\txorl\t%eax,%r11d\n\taddl\t%r11d,%ecx\n\tmovl\t36(%rsi),%r10d\n\tmovl\t$0xffffffff,%r11d\n\troll\t$15,%ecx\n\txorl\t%eax,%r11d\n\taddl\t%edx,%ecx\n\tleal\t-343485551(%rbx,%r10,1),%ebx\n\torl\t%ecx,%r11d\n\txorl\t%edx,%r11d\n\taddl\t%r11d,%ebx\n\tmovl\t0(%rsi),%r10d\n\tmovl\t$0xffffffff,%r11d\n\troll\t$21,%ebx\n\txorl\t%edx,%r11d\n\taddl\t%ecx,%ebx\n\n\taddl\t%r8d,%eax\n\taddl\t%r9d,%ebx\n\taddl\t%r14d,%ecx\n\taddl\t%r15d,%edx\n\n\n\taddq\t$64,%rsi\n\tcmpq\t%rdi,%rsi\n\tjb\t.Lloop\n\n\n.Lend:\n\tmovl\t%eax,0(%rbp)\n\tmovl\t%ebx,4(%rbp)\n\tmovl\t%ecx,8(%rbp)\n\tmovl\t%edx,12(%rbp)\n\n\tmovq\t(%rsp),%r15\n.cfi_restore\tr15\n\tmovq\t8(%rsp),%r14\n.cfi_restore\tr14\n\tmovq\t16(%rsp),%r12\n.cfi_restore\tr12\n\tmovq\t24(%rsp),%rbx\n.cfi_restore\trbx\n\tmovq\t32(%rsp),%rbp\n.cfi_restore\trbp\n\taddq\t$40,%rsp\n.cfi_adjust_cfa_offset\t-40\n.Lepilogue:\n\tret\n.cfi_endproc\t\n.size\tmd5_block_asm_data_order,.-md5_block_asm_data_order\n#endif\n#if defined(__linux__) && defined(__ELF__)\n.section .note.GNU-stack,\"\",%progbits\n#endif\n\n" }, { "path": "Sources/CNIOBoringSSL/hash.txt", "content": "This directory is derived from BoringSSL cloned from https://boringssl.googlesource.com/boringssl at revision 817ab07ebb53da35afea409ab9328f578492832d\n" }, { "path": "Sources/CNIOBoringSSL/include/CNIOBoringSSL.h", "content": "//===----------------------------------------------------------------------===//\n//\n// This source file is part of the SwiftNIO open source project\n//\n// Copyright (c) 2019 Apple Inc. and the SwiftNIO project authors\n// Licensed under Apache License v2.0\n//\n// See LICENSE.txt for license information\n// See CONTRIBUTORS.txt for the list of SwiftNIO project authors\n//\n// SPDX-License-Identifier: Apache-2.0\n//\n//===----------------------------------------------------------------------===//\n#ifndef C_NIO_BORINGSSL_H\n#define C_NIO_BORINGSSL_H\n\n#include \"CNIOBoringSSL_aead.h\"\n#include \"CNIOBoringSSL_aes.h\"\n#include \"CNIOBoringSSL_arm_arch.h\"\n#include \"CNIOBoringSSL_asm_base.h\"\n#include \"CNIOBoringSSL_asn1_mac.h\"\n#include \"CNIOBoringSSL_asn1t.h\"\n#include \"CNIOBoringSSL_base.h\"\n#include \"CNIOBoringSSL_bio.h\"\n#include \"CNIOBoringSSL_blake2.h\"\n#include \"CNIOBoringSSL_blowfish.h\"\n#include \"CNIOBoringSSL_bn.h\"\n#include \"CNIOBoringSSL_boringssl_prefix_symbols.h\"\n#include \"CNIOBoringSSL_boringssl_prefix_symbols_asm.h\"\n#include \"CNIOBoringSSL_cast.h\"\n#include \"CNIOBoringSSL_chacha.h\"\n#include \"CNIOBoringSSL_ctrdrbg.h\"\n#include \"CNIOBoringSSL_cmac.h\"\n#include \"CNIOBoringSSL_conf.h\"\n#include \"CNIOBoringSSL_cpu.h\"\n#include \"CNIOBoringSSL_curve25519.h\"\n#include \"CNIOBoringSSL_des.h\"\n#include \"CNIOBoringSSL_dtls1.h\"\n#include \"CNIOBoringSSL_e_os2.h\"\n#include \"CNIOBoringSSL_ec.h\"\n#include \"CNIOBoringSSL_ec_key.h\"\n#include \"CNIOBoringSSL_ecdsa.h\"\n#include \"CNIOBoringSSL_err.h\"\n#include \"CNIOBoringSSL_evp.h\"\n#include \"CNIOBoringSSL_hkdf.h\"\n#include \"CNIOBoringSSL_hmac.h\"\n#include \"CNIOBoringSSL_hpke.h\"\n#include \"CNIOBoringSSL_hrss.h\"\n#include \"CNIOBoringSSL_kdf.h\"\n#include \"CNIOBoringSSL_md4.h\"\n#include \"CNIOBoringSSL_md5.h\"\n#include \"CNIOBoringSSL_mldsa.h\"\n#include \"CNIOBoringSSL_mlkem.h\"\n#include \"CNIOBoringSSL_obj_mac.h\"\n#include \"CNIOBoringSSL_objects.h\"\n#include \"CNIOBoringSSL_opensslv.h\"\n#include \"CNIOBoringSSL_ossl_typ.h\"\n#include \"CNIOBoringSSL_pkcs12.h\"\n#include \"CNIOBoringSSL_poly1305.h\"\n#include \"CNIOBoringSSL_rand.h\"\n#include \"CNIOBoringSSL_rc4.h\"\n#include \"CNIOBoringSSL_ripemd.h\"\n#include \"CNIOBoringSSL_rsa.h\"\n#include \"CNIOBoringSSL_safestack.h\"\n#include \"CNIOBoringSSL_service_indicator.h\"\n#include \"CNIOBoringSSL_sha.h\"\n#include \"CNIOBoringSSL_siphash.h\"\n#include \"CNIOBoringSSL_slhdsa.h\"\n#include \"CNIOBoringSSL_srtp.h\"\n#include \"CNIOBoringSSL_ssl.h\"\n#include \"CNIOBoringSSL_time.h\"\n#include \"CNIOBoringSSL_trust_token.h\"\n#include \"CNIOBoringSSL_type_check.h\"\n#include \"CNIOBoringSSL_x509_vfy.h\"\n#include \"CNIOBoringSSL_x509v3.h\"\n#include \"experimental/CNIOBoringSSL_kyber.h\"\n\n#endif // C_NIO_BORINGSSL_H\n" }, { "path": "Sources/CNIOBoringSSL/include/CNIOBoringSSL_aead.h", "content": "/* Copyright 2014 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n#ifndef OPENSSL_HEADER_AEAD_H\n#define OPENSSL_HEADER_AEAD_H\n\n#include \"CNIOBoringSSL_base.h\"\n\n#if defined(__cplusplus)\nextern \"C\" {\n#endif\n\n\n// Authenticated Encryption with Additional Data.\n//\n// AEAD couples confidentiality and integrity in a single primitive. AEAD\n// algorithms take a key and then can seal and open individual messages. Each\n// message has a unique, per-message nonce and, optionally, additional data\n// which is authenticated but not included in the ciphertext.\n//\n// The |EVP_AEAD_CTX_init| function initialises an |EVP_AEAD_CTX| structure and\n// performs any precomputation needed to use |aead| with |key|. The length of\n// the key, |key_len|, is given in bytes.\n//\n// The |tag_len| argument contains the length of the tags, in bytes, and allows\n// for the processing of truncated authenticators. A zero value indicates that\n// the default tag length should be used and this is defined as\n// |EVP_AEAD_DEFAULT_TAG_LENGTH| in order to make the code clear. Using\n// truncated tags increases an attacker's chance of creating a valid forgery.\n// Be aware that the attacker's chance may increase more than exponentially as\n// would naively be expected.\n//\n// When no longer needed, the initialised |EVP_AEAD_CTX| structure must be\n// passed to |EVP_AEAD_CTX_cleanup|, which will deallocate any memory used.\n//\n// With an |EVP_AEAD_CTX| in hand, one can seal and open messages. These\n// operations are intended to meet the standard notions of privacy and\n// authenticity for authenticated encryption. For formal definitions see\n// Bellare and Namprempre, \"Authenticated encryption: relations among notions\n// and analysis of the generic composition paradigm,\" Lecture Notes in Computer\n// Science B<1976> (2000), 531–545,\n// http://www-cse.ucsd.edu/~mihir/papers/oem.html.\n//\n// When sealing messages, a nonce must be given. The length of the nonce is\n// fixed by the AEAD in use and is returned by |EVP_AEAD_nonce_length|. *The\n// nonce must be unique for all messages with the same key*. This is critically\n// important - nonce reuse may completely undermine the security of the AEAD.\n// Nonces may be predictable and public, so long as they are unique. Uniqueness\n// may be achieved with a simple counter or, if large enough, may be generated\n// randomly. The nonce must be passed into the \"open\" operation by the receiver\n// so must either be implicit (e.g. a counter), or must be transmitted along\n// with the sealed message.\n//\n// The \"seal\" and \"open\" operations are atomic - an entire message must be\n// encrypted or decrypted in a single call. Large messages may have to be split\n// up in order to accommodate this. When doing so, be mindful of the need not to\n// repeat nonces and the possibility that an attacker could duplicate, reorder\n// or drop message chunks. For example, using a single key for a given (large)\n// message and sealing chunks with nonces counting from zero would be secure as\n// long as the number of chunks was securely transmitted. (Otherwise an\n// attacker could truncate the message by dropping chunks from the end.)\n//\n// The number of chunks could be transmitted by prefixing it to the plaintext,\n// for example. This also assumes that no other message would ever use the same\n// key otherwise the rule that nonces must be unique for a given key would be\n// violated.\n//\n// The \"seal\" and \"open\" operations also permit additional data to be\n// authenticated via the |ad| parameter. This data is not included in the\n// ciphertext and must be identical for both the \"seal\" and \"open\" call. This\n// permits implicit context to be authenticated but may be empty if not needed.\n//\n// The \"seal\" and \"open\" operations may work in-place if the |out| and |in|\n// arguments are equal. Otherwise, if |out| and |in| alias, input data may be\n// overwritten before it is read. This situation will cause an error.\n//\n// The \"seal\" and \"open\" operations return one on success and zero on error.\n\n\n// AEAD algorithms.\n\n// EVP_aead_aes_128_gcm is AES-128 in Galois Counter Mode.\n//\n// Note: AES-GCM should only be used with 12-byte (96-bit) nonces. Although it\n// is specified to take a variable-length nonce, nonces with other lengths are\n// effectively randomized, which means one must consider collisions. Unless\n// implementing an existing protocol which has already specified incorrect\n// parameters, only use 12-byte nonces.\nOPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_128_gcm(void);\n\n// EVP_aead_aes_192_gcm is AES-192 in Galois Counter Mode.\n//\n// WARNING: AES-192 is superfluous and shouldn't exist. NIST should never have\n// defined it. Use only when interop with another system requires it, never\n// de novo.\n//\n// Note: AES-GCM should only be used with 12-byte (96-bit) nonces. Although it\n// is specified to take a variable-length nonce, nonces with other lengths are\n// effectively randomized, which means one must consider collisions. Unless\n// implementing an existing protocol which has already specified incorrect\n// parameters, only use 12-byte nonces.\nOPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_192_gcm(void);\n\n// EVP_aead_aes_256_gcm is AES-256 in Galois Counter Mode.\n//\n// Note: AES-GCM should only be used with 12-byte (96-bit) nonces. Although it\n// is specified to take a variable-length nonce, nonces with other lengths are\n// effectively randomized, which means one must consider collisions. Unless\n// implementing an existing protocol which has already specified incorrect\n// parameters, only use 12-byte nonces.\nOPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_256_gcm(void);\n\n// EVP_aead_chacha20_poly1305 is the AEAD built from ChaCha20 and\n// Poly1305 as described in RFC 8439.\nOPENSSL_EXPORT const EVP_AEAD *EVP_aead_chacha20_poly1305(void);\n\n// EVP_aead_xchacha20_poly1305 is ChaCha20-Poly1305 with an extended nonce that\n// makes random generation of nonces safe.\nOPENSSL_EXPORT const EVP_AEAD *EVP_aead_xchacha20_poly1305(void);\n\n// EVP_aead_aes_128_ctr_hmac_sha256 is AES-128 in CTR mode with HMAC-SHA256 for\n// authentication. The nonce is 12 bytes; the bottom 32-bits are used as the\n// block counter, thus the maximum plaintext size is 64GB.\nOPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_128_ctr_hmac_sha256(void);\n\n// EVP_aead_aes_256_ctr_hmac_sha256 is AES-256 in CTR mode with HMAC-SHA256 for\n// authentication. See |EVP_aead_aes_128_ctr_hmac_sha256| for details.\nOPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_256_ctr_hmac_sha256(void);\n\n// EVP_aead_aes_128_gcm_siv is AES-128 in GCM-SIV mode. See RFC 8452.\nOPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_128_gcm_siv(void);\n\n// EVP_aead_aes_256_gcm_siv is AES-256 in GCM-SIV mode. See RFC 8452.\nOPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_256_gcm_siv(void);\n\n// EVP_aead_aes_128_gcm_randnonce is AES-128 in Galois Counter Mode with\n// internal nonce generation. The 12-byte nonce is appended to the tag\n// and is generated internally. The \"tag\", for the purpurses of the API, is thus\n// 12 bytes larger. The nonce parameter when using this AEAD must be\n// zero-length. Since the nonce is random, a single key should not be used for\n// more than 2^32 seal operations.\n//\n// Warning: this is for use for FIPS compliance only. It is probably not\n// suitable for other uses. Using standard AES-GCM AEADs allows one to achieve\n// the same effect, but gives more control over nonce storage.\nOPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_128_gcm_randnonce(void);\n\n// EVP_aead_aes_256_gcm_randnonce is AES-256 in Galois Counter Mode with\n// internal nonce generation. The 12-byte nonce is appended to the tag\n// and is generated internally. The \"tag\", for the purpurses of the API, is thus\n// 12 bytes larger. The nonce parameter when using this AEAD must be\n// zero-length. Since the nonce is random, a single key should not be used for\n// more than 2^32 seal operations.\n//\n// Warning: this is for use for FIPS compliance only. It is probably not\n// suitable for other uses. Using standard AES-GCM AEADs allows one to achieve\n// the same effect, but gives more control over nonce storage.\nOPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_256_gcm_randnonce(void);\n\n// EVP_aead_aes_128_ccm_bluetooth is AES-128-CCM with M=4 and L=2 (4-byte tags\n// and 13-byte nonces), as decribed in the Bluetooth Core Specification v5.0,\n// Volume 6, Part E, Section 1.\nOPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_128_ccm_bluetooth(void);\n\n// EVP_aead_aes_128_ccm_bluetooth_8 is AES-128-CCM with M=8 and L=2 (8-byte tags\n// and 13-byte nonces), as used in the Bluetooth Mesh Networking Specification\n// v1.0.\nOPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_128_ccm_bluetooth_8(void);\n\n// EVP_aead_aes_128_ccm_matter is AES-128-CCM with M=16 and L=2 (16-byte tags\n// and 13-byte nonces), as used in the Matter specification.\nOPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_128_ccm_matter(void);\n\n// EVP_has_aes_hardware returns one if we enable hardware support for fast and\n// constant-time AES-GCM.\nOPENSSL_EXPORT int EVP_has_aes_hardware(void);\n\n\n// Utility functions.\n\n// EVP_AEAD_key_length returns the length, in bytes, of the keys used by\n// |aead|.\nOPENSSL_EXPORT size_t EVP_AEAD_key_length(const EVP_AEAD *aead);\n\n// EVP_AEAD_nonce_length returns the length, in bytes, of the per-message nonce\n// for |aead|.\nOPENSSL_EXPORT size_t EVP_AEAD_nonce_length(const EVP_AEAD *aead);\n\n// EVP_AEAD_max_overhead returns the maximum number of additional bytes added\n// by the act of sealing data with |aead|.\nOPENSSL_EXPORT size_t EVP_AEAD_max_overhead(const EVP_AEAD *aead);\n\n// EVP_AEAD_max_tag_len returns the maximum tag length when using |aead|. This\n// is the largest value that can be passed as |tag_len| to\n// |EVP_AEAD_CTX_init|.\nOPENSSL_EXPORT size_t EVP_AEAD_max_tag_len(const EVP_AEAD *aead);\n\n\n// AEAD operations.\n\nunion evp_aead_ctx_st_state {\n uint8_t opaque[564];\n uint64_t alignment;\n};\n\n// An evp_aead_ctx_st (typedefed as |EVP_AEAD_CTX| in base.h) represents an AEAD\n// algorithm configured with a specific key and message-independent IV.\nstruct evp_aead_ctx_st {\n const EVP_AEAD *aead;\n union evp_aead_ctx_st_state state;\n // tag_len may contain the actual length of the authentication tag if it is\n // known at initialization time.\n uint8_t tag_len;\n};\n\n// EVP_AEAD_MAX_KEY_LENGTH contains the maximum key length used by\n// any AEAD defined in this header.\n#define EVP_AEAD_MAX_KEY_LENGTH 80\n\n// EVP_AEAD_MAX_NONCE_LENGTH contains the maximum nonce length used by\n// any AEAD defined in this header.\n#define EVP_AEAD_MAX_NONCE_LENGTH 24\n\n// EVP_AEAD_MAX_OVERHEAD contains the maximum overhead used by any AEAD\n// defined in this header.\n#define EVP_AEAD_MAX_OVERHEAD 64\n\n// EVP_AEAD_DEFAULT_TAG_LENGTH is a magic value that can be passed to\n// EVP_AEAD_CTX_init to indicate that the default tag length for an AEAD should\n// be used.\n#define EVP_AEAD_DEFAULT_TAG_LENGTH 0\n\n// EVP_AEAD_CTX_zero sets an uninitialized |ctx| to the zero state. It must be\n// initialized with |EVP_AEAD_CTX_init| before use. It is safe, but not\n// necessary, to call |EVP_AEAD_CTX_cleanup| in this state. This may be used for\n// more uniform cleanup of |EVP_AEAD_CTX|.\nOPENSSL_EXPORT void EVP_AEAD_CTX_zero(EVP_AEAD_CTX *ctx);\n\n// EVP_AEAD_CTX_new allocates an |EVP_AEAD_CTX|, calls |EVP_AEAD_CTX_init| and\n// returns the |EVP_AEAD_CTX|, or NULL on error.\nOPENSSL_EXPORT EVP_AEAD_CTX *EVP_AEAD_CTX_new(const EVP_AEAD *aead,\n const uint8_t *key,\n size_t key_len, size_t tag_len);\n\n// EVP_AEAD_CTX_free calls |EVP_AEAD_CTX_cleanup| and |OPENSSL_free| on\n// |ctx|.\nOPENSSL_EXPORT void EVP_AEAD_CTX_free(EVP_AEAD_CTX *ctx);\n\n// EVP_AEAD_CTX_init initializes |ctx| for the given AEAD algorithm. The |impl|\n// argument is ignored and should be NULL. Authentication tags may be truncated\n// by passing a size as |tag_len|. A |tag_len| of zero indicates the default\n// tag length and this is defined as EVP_AEAD_DEFAULT_TAG_LENGTH for\n// readability.\n//\n// Returns 1 on success. Otherwise returns 0 and pushes to the error stack. In\n// the error case, you do not need to call |EVP_AEAD_CTX_cleanup|, but it's\n// harmless to do so.\nOPENSSL_EXPORT int EVP_AEAD_CTX_init(EVP_AEAD_CTX *ctx, const EVP_AEAD *aead,\n const uint8_t *key, size_t key_len,\n size_t tag_len, ENGINE *impl);\n\n// EVP_AEAD_CTX_cleanup frees any data allocated by |ctx|. It is a no-op to\n// call |EVP_AEAD_CTX_cleanup| on a |EVP_AEAD_CTX| that has been |memset| to\n// all zeros.\nOPENSSL_EXPORT void EVP_AEAD_CTX_cleanup(EVP_AEAD_CTX *ctx);\n\n// EVP_AEAD_CTX_seal encrypts and authenticates |in_len| bytes from |in| and\n// authenticates |ad_len| bytes from |ad| and writes the result to |out|. It\n// returns one on success and zero otherwise.\n//\n// This function may be called concurrently with itself or any other seal/open\n// function on the same |EVP_AEAD_CTX|.\n//\n// At most |max_out_len| bytes are written to |out| and, in order to ensure\n// success, |max_out_len| should be |in_len| plus the result of\n// |EVP_AEAD_max_overhead|. On successful return, |*out_len| is set to the\n// actual number of bytes written.\n//\n// The length of |nonce|, |nonce_len|, must be equal to the result of\n// |EVP_AEAD_nonce_length| for this AEAD.\n//\n// |EVP_AEAD_CTX_seal| never results in a partial output. If |max_out_len| is\n// insufficient, zero will be returned. If any error occurs, |out| will be\n// filled with zero bytes and |*out_len| set to zero.\n//\n// If |in| and |out| alias then |out| must be == |in|.\nOPENSSL_EXPORT int EVP_AEAD_CTX_seal(const EVP_AEAD_CTX *ctx, uint8_t *out,\n size_t *out_len, size_t max_out_len,\n const uint8_t *nonce, size_t nonce_len,\n const uint8_t *in, size_t in_len,\n const uint8_t *ad, size_t ad_len);\n\n// EVP_AEAD_CTX_open authenticates |in_len| bytes from |in| and |ad_len| bytes\n// from |ad| and decrypts at most |in_len| bytes into |out|. It returns one on\n// success and zero otherwise.\n//\n// This function may be called concurrently with itself or any other seal/open\n// function on the same |EVP_AEAD_CTX|.\n//\n// At most |in_len| bytes are written to |out|. In order to ensure success,\n// |max_out_len| should be at least |in_len|. On successful return, |*out_len|\n// is set to the the actual number of bytes written.\n//\n// The length of |nonce|, |nonce_len|, must be equal to the result of\n// |EVP_AEAD_nonce_length| for this AEAD.\n//\n// |EVP_AEAD_CTX_open| never results in a partial output. If |max_out_len| is\n// insufficient, zero will be returned. If any error occurs, |out| will be\n// filled with zero bytes and |*out_len| set to zero.\n//\n// If |in| and |out| alias then |out| must be == |in|.\nOPENSSL_EXPORT int EVP_AEAD_CTX_open(const EVP_AEAD_CTX *ctx, uint8_t *out,\n size_t *out_len, size_t max_out_len,\n const uint8_t *nonce, size_t nonce_len,\n const uint8_t *in, size_t in_len,\n const uint8_t *ad, size_t ad_len);\n\n// EVP_AEAD_CTX_seal_scatter encrypts and authenticates |in_len| bytes from |in|\n// and authenticates |ad_len| bytes from |ad|. It writes |in_len| bytes of\n// ciphertext to |out| and the authentication tag to |out_tag|. It returns one\n// on success and zero otherwise.\n//\n// This function may be called concurrently with itself or any other seal/open\n// function on the same |EVP_AEAD_CTX|.\n//\n// Exactly |in_len| bytes are written to |out|, and up to\n// |EVP_AEAD_max_overhead+extra_in_len| bytes to |out_tag|. On successful\n// return, |*out_tag_len| is set to the actual number of bytes written to\n// |out_tag|.\n//\n// |extra_in| may point to an additional plaintext input buffer if the cipher\n// supports it. If present, |extra_in_len| additional bytes of plaintext are\n// encrypted and authenticated, and the ciphertext is written (before the tag)\n// to |out_tag|. |max_out_tag_len| must be sized to allow for the additional\n// |extra_in_len| bytes.\n//\n// The length of |nonce|, |nonce_len|, must be equal to the result of\n// |EVP_AEAD_nonce_length| for this AEAD.\n//\n// |EVP_AEAD_CTX_seal_scatter| never results in a partial output. If\n// |max_out_tag_len| is insufficient, zero will be returned. If any error\n// occurs, |out| and |out_tag| will be filled with zero bytes and |*out_tag_len|\n// set to zero.\n//\n// If |in| and |out| alias then |out| must be == |in|. |out_tag| may not alias\n// any other argument.\nOPENSSL_EXPORT int EVP_AEAD_CTX_seal_scatter(\n const EVP_AEAD_CTX *ctx, uint8_t *out,\n uint8_t *out_tag, size_t *out_tag_len, size_t max_out_tag_len,\n const uint8_t *nonce, size_t nonce_len,\n const uint8_t *in, size_t in_len,\n const uint8_t *extra_in, size_t extra_in_len,\n const uint8_t *ad, size_t ad_len);\n\n// EVP_AEAD_CTX_open_gather decrypts and authenticates |in_len| bytes from |in|\n// and authenticates |ad_len| bytes from |ad| using |in_tag_len| bytes of\n// authentication tag from |in_tag|. If successful, it writes |in_len| bytes of\n// plaintext to |out|. It returns one on success and zero otherwise.\n//\n// This function may be called concurrently with itself or any other seal/open\n// function on the same |EVP_AEAD_CTX|.\n//\n// The length of |nonce|, |nonce_len|, must be equal to the result of\n// |EVP_AEAD_nonce_length| for this AEAD.\n//\n// |EVP_AEAD_CTX_open_gather| never results in a partial output. If any error\n// occurs, |out| will be filled with zero bytes.\n//\n// If |in| and |out| alias then |out| must be == |in|.\nOPENSSL_EXPORT int EVP_AEAD_CTX_open_gather(\n const EVP_AEAD_CTX *ctx, uint8_t *out, const uint8_t *nonce,\n size_t nonce_len, const uint8_t *in, size_t in_len, const uint8_t *in_tag,\n size_t in_tag_len, const uint8_t *ad, size_t ad_len);\n\n// EVP_AEAD_CTX_aead returns the underlying AEAD for |ctx|, or NULL if one has\n// not been set.\nOPENSSL_EXPORT const EVP_AEAD *EVP_AEAD_CTX_aead(const EVP_AEAD_CTX *ctx);\n\n\n// TLS-specific AEAD algorithms.\n//\n// These AEAD primitives do not meet the definition of generic AEADs. They are\n// all specific to TLS and should not be used outside of that context. They must\n// be initialized with |EVP_AEAD_CTX_init_with_direction|, are stateful, and may\n// not be used concurrently. Any nonces are used as IVs, so they must be\n// unpredictable. They only accept an |ad| parameter of length 11 (the standard\n// TLS one with length omitted).\n\nOPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_128_cbc_sha1_tls(void);\nOPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_128_cbc_sha1_tls_implicit_iv(void);\n\nOPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_128_cbc_sha256_tls(void);\n\nOPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_256_cbc_sha1_tls(void);\nOPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_256_cbc_sha1_tls_implicit_iv(void);\n\nOPENSSL_EXPORT const EVP_AEAD *EVP_aead_des_ede3_cbc_sha1_tls(void);\nOPENSSL_EXPORT const EVP_AEAD *EVP_aead_des_ede3_cbc_sha1_tls_implicit_iv(void);\n\n// EVP_aead_aes_128_gcm_tls12 is AES-128 in Galois Counter Mode using the TLS\n// 1.2 nonce construction.\nOPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_128_gcm_tls12(void);\n\n// EVP_aead_aes_256_gcm_tls12 is AES-256 in Galois Counter Mode using the TLS\n// 1.2 nonce construction.\nOPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_256_gcm_tls12(void);\n\n// EVP_aead_aes_128_gcm_tls13 is AES-128 in Galois Counter Mode using the TLS\n// 1.3 nonce construction.\nOPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_128_gcm_tls13(void);\n\n// EVP_aead_aes_256_gcm_tls13 is AES-256 in Galois Counter Mode using the TLS\n// 1.3 nonce construction.\nOPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_256_gcm_tls13(void);\n\n\n// Obscure functions.\n\n// evp_aead_direction_t denotes the direction of an AEAD operation.\nenum evp_aead_direction_t {\n evp_aead_open,\n evp_aead_seal,\n};\n\n// EVP_AEAD_CTX_init_with_direction calls |EVP_AEAD_CTX_init| for normal\n// AEADs. For TLS-specific and SSL3-specific AEADs, it initializes |ctx| for a\n// given direction.\nOPENSSL_EXPORT int EVP_AEAD_CTX_init_with_direction(\n EVP_AEAD_CTX *ctx, const EVP_AEAD *aead, const uint8_t *key, size_t key_len,\n size_t tag_len, enum evp_aead_direction_t dir);\n\n// EVP_AEAD_CTX_get_iv sets |*out_len| to the length of the IV for |ctx| and\n// sets |*out_iv| to point to that many bytes of the current IV. This is only\n// meaningful for AEADs with implicit IVs (i.e. CBC mode in TLS 1.0).\n//\n// It returns one on success or zero on error.\nOPENSSL_EXPORT int EVP_AEAD_CTX_get_iv(const EVP_AEAD_CTX *ctx,\n const uint8_t **out_iv, size_t *out_len);\n\n// EVP_AEAD_CTX_tag_len computes the exact byte length of the tag written by\n// |EVP_AEAD_CTX_seal_scatter| and writes it to |*out_tag_len|. It returns one\n// on success or zero on error. |in_len| and |extra_in_len| must equal the\n// arguments of the same names passed to |EVP_AEAD_CTX_seal_scatter|.\nOPENSSL_EXPORT int EVP_AEAD_CTX_tag_len(const EVP_AEAD_CTX *ctx,\n size_t *out_tag_len,\n const size_t in_len,\n const size_t extra_in_len);\n\n\n#if defined(__cplusplus)\n} // extern C\n\n#if !defined(BORINGSSL_NO_CXX)\nextern \"C++\" {\n\nBSSL_NAMESPACE_BEGIN\n\nusing ScopedEVP_AEAD_CTX =\n internal::StackAllocated;\n\nBORINGSSL_MAKE_DELETER(EVP_AEAD_CTX, EVP_AEAD_CTX_free)\n\nBSSL_NAMESPACE_END\n\n} // extern C++\n#endif\n\n#endif\n\n#endif // OPENSSL_HEADER_AEAD_H\n" }, { "path": "Sources/CNIOBoringSSL/include/CNIOBoringSSL_aes.h", "content": "/*\n * Copyright 2002-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#ifndef OPENSSL_HEADER_AES_H\n#define OPENSSL_HEADER_AES_H\n\n#include \"CNIOBoringSSL_base.h\"\n\n#if defined(__cplusplus)\nextern \"C\" {\n#endif\n\n\n// Raw AES functions.\n\n\n#define AES_ENCRYPT 1\n#define AES_DECRYPT 0\n\n// AES_MAXNR is the maximum number of AES rounds.\n#define AES_MAXNR 14\n\n#define AES_BLOCK_SIZE 16\n\n// aes_key_st should be an opaque type, but EVP requires that the size be\n// known.\nstruct aes_key_st {\n uint32_t rd_key[4 * (AES_MAXNR + 1)];\n unsigned rounds;\n};\ntypedef struct aes_key_st AES_KEY;\n\n// AES_set_encrypt_key configures |aeskey| to encrypt with the |bits|-bit key,\n// |key|. |key| must point to |bits|/8 bytes. It returns zero on success and a\n// negative number if |bits| is an invalid AES key size.\n//\n// WARNING: this function breaks the usual return value convention.\nOPENSSL_EXPORT int AES_set_encrypt_key(const uint8_t *key, unsigned bits,\n AES_KEY *aeskey);\n\n// AES_set_decrypt_key configures |aeskey| to decrypt with the |bits|-bit key,\n// |key|. |key| must point to |bits|/8 bytes. It returns zero on success and a\n// negative number if |bits| is an invalid AES key size.\n//\n// WARNING: this function breaks the usual return value convention.\nOPENSSL_EXPORT int AES_set_decrypt_key(const uint8_t *key, unsigned bits,\n AES_KEY *aeskey);\n\n// AES_encrypt encrypts a single block from |in| to |out| with |key|. The |in|\n// and |out| pointers may overlap.\nOPENSSL_EXPORT void AES_encrypt(const uint8_t *in, uint8_t *out,\n const AES_KEY *key);\n\n// AES_decrypt decrypts a single block from |in| to |out| with |key|. The |in|\n// and |out| pointers may overlap.\nOPENSSL_EXPORT void AES_decrypt(const uint8_t *in, uint8_t *out,\n const AES_KEY *key);\n\n\n// Block cipher modes.\n\n// AES_ctr128_encrypt encrypts (or decrypts, it's the same in CTR mode) |len|\n// bytes from |in| to |out|. The |num| parameter must be set to zero on the\n// first call and |ivec| will be incremented. This function may be called\n// in-place with |in| equal to |out|, but otherwise the buffers may not\n// partially overlap. A partial overlap may overwrite input data before it is\n// read.\nOPENSSL_EXPORT void AES_ctr128_encrypt(const uint8_t *in, uint8_t *out,\n size_t len, const AES_KEY *key,\n uint8_t ivec[AES_BLOCK_SIZE],\n uint8_t ecount_buf[AES_BLOCK_SIZE],\n unsigned int *num);\n\n// AES_ecb_encrypt encrypts (or decrypts, if |enc| == |AES_DECRYPT|) a single,\n// 16 byte block from |in| to |out|. This function may be called in-place with\n// |in| equal to |out|, but otherwise the buffers may not partially overlap. A\n// partial overlap may overwrite input data before it is read.\nOPENSSL_EXPORT void AES_ecb_encrypt(const uint8_t *in, uint8_t *out,\n const AES_KEY *key, const int enc);\n\n// AES_cbc_encrypt encrypts (or decrypts, if |enc| == |AES_DECRYPT|) |len|\n// bytes from |in| to |out|. The length must be a multiple of the block size.\n// This function may be called in-place with |in| equal to |out|, but otherwise\n// the buffers may not partially overlap. A partial overlap may overwrite input\n// data before it is read.\nOPENSSL_EXPORT void AES_cbc_encrypt(const uint8_t *in, uint8_t *out, size_t len,\n const AES_KEY *key, uint8_t *ivec,\n const int enc);\n\n// AES_ofb128_encrypt encrypts (or decrypts, it's the same in OFB mode) |len|\n// bytes from |in| to |out|. The |num| parameter must be set to zero on the\n// first call. This function may be called in-place with |in| equal to |out|,\n// but otherwise the buffers may not partially overlap. A partial overlap may\n// overwrite input data before it is read.\nOPENSSL_EXPORT void AES_ofb128_encrypt(const uint8_t *in, uint8_t *out,\n size_t len, const AES_KEY *key,\n uint8_t *ivec, int *num);\n\n// AES_cfb128_encrypt encrypts (or decrypts, if |enc| == |AES_DECRYPT|) |len|\n// bytes from |in| to |out|. The |num| parameter must be set to zero on the\n// first call. This function may be called in-place with |in| equal to |out|,\n// but otherwise the buffers may not partially overlap. A partial overlap may\n// overwrite input data before it is read.\nOPENSSL_EXPORT void AES_cfb128_encrypt(const uint8_t *in, uint8_t *out,\n size_t len, const AES_KEY *key,\n uint8_t *ivec, int *num, int enc);\n\n\n// AES key wrap.\n//\n// These functions implement AES Key Wrap mode, as defined in RFC 3394. They\n// should never be used except to interoperate with existing systems that use\n// this mode.\n\n// AES_wrap_key performs AES key wrap on |in| which must be a multiple of 8\n// bytes. |iv| must point to an 8 byte value or be NULL to use the default IV.\n// |key| must have been configured for encryption. On success, it writes\n// |in_len| + 8 bytes to |out| and returns |in_len| + 8. Otherwise, it returns\n// -1.\nOPENSSL_EXPORT int AES_wrap_key(const AES_KEY *key, const uint8_t *iv,\n uint8_t *out, const uint8_t *in, size_t in_len);\n\n// AES_unwrap_key performs AES key unwrap on |in| which must be a multiple of 8\n// bytes. |iv| must point to an 8 byte value or be NULL to use the default IV.\n// |key| must have been configured for decryption. On success, it writes\n// |in_len| - 8 bytes to |out| and returns |in_len| - 8. Otherwise, it returns\n// -1.\nOPENSSL_EXPORT int AES_unwrap_key(const AES_KEY *key, const uint8_t *iv,\n uint8_t *out, const uint8_t *in,\n size_t in_len);\n\n\n// AES key wrap with padding.\n//\n// These functions implement AES Key Wrap with Padding mode, as defined in RFC\n// 5649. They should never be used except to interoperate with existing systems\n// that use this mode.\n\n// AES_wrap_key_padded performs a padded AES key wrap on |in| which must be\n// between 1 and 2^32-1 bytes. |key| must have been configured for encryption.\n// On success it writes at most |max_out| bytes of ciphertext to |out|, sets\n// |*out_len| to the number of bytes written, and returns one. On failure it\n// returns zero. To ensure success, set |max_out| to at least |in_len| + 15.\nOPENSSL_EXPORT int AES_wrap_key_padded(const AES_KEY *key, uint8_t *out,\n size_t *out_len, size_t max_out,\n const uint8_t *in, size_t in_len);\n\n// AES_unwrap_key_padded performs a padded AES key unwrap on |in| which must be\n// a multiple of 8 bytes. |key| must have been configured for decryption. On\n// success it writes at most |max_out| bytes to |out|, sets |*out_len| to the\n// number of bytes written, and returns one. On failure it returns zero. Setting\n// |max_out| to |in_len| is a sensible estimate.\nOPENSSL_EXPORT int AES_unwrap_key_padded(const AES_KEY *key, uint8_t *out,\n size_t *out_len, size_t max_out,\n const uint8_t *in, size_t in_len);\n\n\n#if defined(__cplusplus)\n} // extern C\n#endif\n\n#endif // OPENSSL_HEADER_AES_H\n" }, { "path": "Sources/CNIOBoringSSL/include/CNIOBoringSSL_arm_arch.h", "content": "/*\n * Copyright 2011-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#ifndef OPENSSL_HEADER_ARM_ARCH_H\n#define OPENSSL_HEADER_ARM_ARCH_H\n\n#include \"CNIOBoringSSL_target.h\"\n\n// arm_arch.h contains symbols used by ARM assembly, and the C code that calls\n// it. It is included as a public header to simplify the build, but is not\n// intended for external use.\n\n#if defined(OPENSSL_ARM) || defined(OPENSSL_AARCH64)\n\n// ARMV7_NEON is true when a NEON unit is present in the current CPU.\n#define ARMV7_NEON (1 << 0)\n\n// ARMV8_AES indicates support for hardware AES instructions.\n#define ARMV8_AES (1 << 2)\n\n// ARMV8_SHA1 indicates support for hardware SHA-1 instructions.\n#define ARMV8_SHA1 (1 << 3)\n\n// ARMV8_SHA256 indicates support for hardware SHA-256 instructions.\n#define ARMV8_SHA256 (1 << 4)\n\n// ARMV8_PMULL indicates support for carryless multiplication.\n#define ARMV8_PMULL (1 << 5)\n\n// ARMV8_SHA512 indicates support for hardware SHA-512 instructions.\n#define ARMV8_SHA512 (1 << 6)\n\n#endif // ARM || AARCH64\n\n#endif // OPENSSL_HEADER_ARM_ARCH_H\n" }, { "path": "Sources/CNIOBoringSSL/include/CNIOBoringSSL_asm_base.h", "content": "/* Copyright 2023 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n#ifndef OPENSSL_HEADER_ASM_BASE_H\n#define OPENSSL_HEADER_ASM_BASE_H\n\n#include \"CNIOBoringSSL_target.h\"\n\n\n// This header contains symbols and common sections used by assembly files. It\n// is included as a public header to simplify the build, but is not intended for\n// external use.\n//\n// Every assembly file must include this header. Some linker features require\n// all object files to be tagged with some section metadata. This header file,\n// when included in assembly, adds that metadata. It also makes defines like\n// |OPENSSL_X86_64| available and includes the prefixing macros.\n//\n// Including this header in an assembly file imples:\n//\n// - The file does not require an executable stack.\n//\n// - The file, on aarch64, uses the macros defined below to be compatible with\n// BTI and PAC.\n//\n// - The file, on x86_64, requires the program to be compatible with Intel IBT\n// and SHSTK\n\n#if defined(__ASSEMBLER__)\n\n#if defined(BORINGSSL_PREFIX)\n#include \"CNIOBoringSSL_boringssl_prefix_symbols_asm.h\"\n#endif\n\n#if defined(__ELF__)\n// Every ELF object file, even empty ones, should disable executable stacks. See\n// https://www.airs.com/blog/archives/518.\n.pushsection .note.GNU-stack, \"\", %progbits\n.popsection\n#endif\n\n#if defined(__CET__) && defined(OPENSSL_X86_64)\n// Clang and GCC define __CET__ and provide when they support Intel's\n// Indirect Branch Tracking.\n// https://lpc.events/event/7/contributions/729/attachments/496/903/CET-LPC-2020.pdf\n//\n// cet.h defines _CET_ENDBR which is used to mark function entry points for IBT.\n// and adds the assembly marker. The value of _CET_ENDBR is made dependant on if\n// '-fcf-protection' is passed to the compiler. _CET_ENDBR is only required when\n// the function is the target of an indirect jump, but BoringSSL chooses to mark\n// all assembly entry points because it is easier, and allows BoringSSL's ABI\n// tester to call the assembly entry points via an indirect jump.\n#include \n#else\n#define _CET_ENDBR\n#endif\n\n#if defined(OPENSSL_ARM) || defined(OPENSSL_AARCH64)\n\n// We require the ARM assembler provide |__ARM_ARCH| from Arm C Language\n// Extensions (ACLE). This is supported in GCC 4.8+ and Clang 3.2+. MSVC does\n// not implement ACLE, but we require Clang's assembler on Windows.\n#if !defined(__ARM_ARCH)\n#error \"ARM assembler must define __ARM_ARCH\"\n#endif\n\n// Even when building for 32-bit ARM, support for aarch64 crypto instructions\n// will be included.\n//\n// TODO(davidben): Remove this and the corresponding ifdefs? This is only\n// defined because some OpenSSL assembly files would allow disabling the NEON\n// code entirely. I think we'd prefer to do that by lifting the dispatch to C\n// anyway.\n#define __ARM_MAX_ARCH__ 8\n\n// Support macros for\n// - Armv8.3-A Pointer Authentication and\n// - Armv8.5-A Branch Target Identification\n// features which require emitting a .note.gnu.property section with the\n// appropriate architecture-dependent feature bits set.\n//\n// |AARCH64_SIGN_LINK_REGISTER| and |AARCH64_VALIDATE_LINK_REGISTER| expand to\n// PACIxSP and AUTIxSP, respectively. |AARCH64_SIGN_LINK_REGISTER| should be\n// used immediately before saving the LR register (x30) to the stack.\n// |AARCH64_VALIDATE_LINK_REGISTER| should be used immediately after restoring\n// it. Note |AARCH64_SIGN_LINK_REGISTER|'s modifications to LR must be undone\n// with |AARCH64_VALIDATE_LINK_REGISTER| before RET. The SP register must also\n// have the same value at the two points. For example:\n//\n// .global f\n// f:\n// AARCH64_SIGN_LINK_REGISTER\n// stp x29, x30, [sp, #-96]!\n// mov x29, sp\n// ...\n// ldp x29, x30, [sp], #96\n// AARCH64_VALIDATE_LINK_REGISTER\n// ret\n//\n// |AARCH64_VALID_CALL_TARGET| expands to BTI 'c'. Either it, or\n// |AARCH64_SIGN_LINK_REGISTER|, must be used at every point that may be an\n// indirect call target. In particular, all symbols exported from a file must\n// begin with one of these macros. For example, a leaf function that does not\n// save LR can instead use |AARCH64_VALID_CALL_TARGET|:\n//\n// .globl return_zero\n// return_zero:\n// AARCH64_VALID_CALL_TARGET\n// mov x0, #0\n// ret\n//\n// A non-leaf function which does not immediately save LR may need both macros\n// because |AARCH64_SIGN_LINK_REGISTER| appears late. For example, the function\n// may jump to an alternate implementation before setting up the stack:\n//\n// .globl with_early_jump\n// with_early_jump:\n// AARCH64_VALID_CALL_TARGET\n// cmp x0, #128\n// b.lt .Lwith_early_jump_128\n// AARCH64_SIGN_LINK_REGISTER\n// stp x29, x30, [sp, #-96]!\n// mov x29, sp\n// ...\n// ldp x29, x30, [sp], #96\n// AARCH64_VALIDATE_LINK_REGISTER\n// ret\n//\n// .Lwith_early_jump_128:\n// ...\n// ret\n//\n// These annotations are only required with indirect calls. Private symbols that\n// are only the target of direct calls do not require annotations. Also note\n// that |AARCH64_VALID_CALL_TARGET| is only valid for indirect calls (BLR), not\n// indirect jumps (BR). Indirect jumps in assembly are currently not supported\n// and would require a macro for BTI 'j'.\n//\n// Although not necessary, it is safe to use these macros in 32-bit ARM\n// assembly. This may be used to simplify dual 32-bit and 64-bit files.\n//\n// References:\n// - \"ELF for the Arm® 64-bit Architecture\"\n// https://github.com/ARM-software/abi-aa/blob/main/aaelf64/aaelf64.rst\n// - \"Providing protection for complex software\"\n// https://developer.arm.com/architectures/learn-the-architecture/providing-protection-for-complex-software\n\n#if defined(__ARM_FEATURE_BTI_DEFAULT) && __ARM_FEATURE_BTI_DEFAULT == 1\n#define GNU_PROPERTY_AARCH64_BTI (1 << 0) // Has Branch Target Identification\n#define AARCH64_VALID_CALL_TARGET hint #34 // BTI 'c'\n#else\n#define GNU_PROPERTY_AARCH64_BTI 0 // No Branch Target Identification\n#define AARCH64_VALID_CALL_TARGET\n#endif\n\n#if defined(__ARM_FEATURE_PAC_DEFAULT) && \\\n (__ARM_FEATURE_PAC_DEFAULT & 1) == 1 // Signed with A-key\n#define GNU_PROPERTY_AARCH64_POINTER_AUTH \\\n (1 << 1) // Has Pointer Authentication\n#define AARCH64_SIGN_LINK_REGISTER hint #25 // PACIASP\n#define AARCH64_VALIDATE_LINK_REGISTER hint #29 // AUTIASP\n#elif defined(__ARM_FEATURE_PAC_DEFAULT) && \\\n (__ARM_FEATURE_PAC_DEFAULT & 2) == 2 // Signed with B-key\n#define GNU_PROPERTY_AARCH64_POINTER_AUTH \\\n (1 << 1) // Has Pointer Authentication\n#define AARCH64_SIGN_LINK_REGISTER hint #27 // PACIBSP\n#define AARCH64_VALIDATE_LINK_REGISTER hint #31 // AUTIBSP\n#else\n#define GNU_PROPERTY_AARCH64_POINTER_AUTH 0 // No Pointer Authentication\n#if GNU_PROPERTY_AARCH64_BTI != 0\n#define AARCH64_SIGN_LINK_REGISTER AARCH64_VALID_CALL_TARGET\n#else\n#define AARCH64_SIGN_LINK_REGISTER\n#endif\n#define AARCH64_VALIDATE_LINK_REGISTER\n#endif\n\n#if GNU_PROPERTY_AARCH64_POINTER_AUTH != 0 || GNU_PROPERTY_AARCH64_BTI != 0\n.pushsection .note.gnu.property, \"a\";\n.balign 8;\n.long 4;\n.long 0x10;\n.long 0x5;\n.asciz \"GNU\";\n.long 0xc0000000; /* GNU_PROPERTY_AARCH64_FEATURE_1_AND */\n.long 4;\n.long (GNU_PROPERTY_AARCH64_POINTER_AUTH | GNU_PROPERTY_AARCH64_BTI);\n.long 0;\n.popsection;\n#endif\n#endif // ARM || AARCH64\n\n#endif // __ASSEMBLER__\n\n#endif // OPENSSL_HEADER_ASM_BASE_H\n" }, { "path": "Sources/CNIOBoringSSL/include/CNIOBoringSSL_asn1.h", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#ifndef OPENSSL_HEADER_ASN1_H\n#define OPENSSL_HEADER_ASN1_H\n\n#include \"CNIOBoringSSL_base.h\"\n\n#include \n\n#include \"CNIOBoringSSL_bio.h\"\n#include \"CNIOBoringSSL_bn.h\"\n#include \"CNIOBoringSSL_stack.h\"\n\n#if defined(__cplusplus)\nextern \"C\" {\n#endif\n\n\n// Legacy ASN.1 library.\n//\n// This header is part of OpenSSL's ASN.1 implementation. It is retained for\n// compatibility but should not be used by new code. The functions are difficult\n// to use correctly, and have buggy or non-standard behaviors. They are thus\n// particularly prone to behavior changes and API removals, as BoringSSL\n// iterates on these issues.\n//\n// Use the new |CBS| and |CBB| library in instead.\n\n\n// Tag constants.\n//\n// These constants are used in various APIs to specify ASN.1 types and tag\n// components. See the specific API's documentation for details on which values\n// are used and how.\n\n// The following constants are tag classes.\n#define V_ASN1_UNIVERSAL 0x00\n#define V_ASN1_APPLICATION 0x40\n#define V_ASN1_CONTEXT_SPECIFIC 0x80\n#define V_ASN1_PRIVATE 0xc0\n\n// V_ASN1_CONSTRUCTED indicates an element is constructed, rather than\n// primitive.\n#define V_ASN1_CONSTRUCTED 0x20\n\n// V_ASN1_PRIMITIVE_TAG is the highest tag number which can be encoded in a\n// single byte. Note this is unrelated to whether an element is constructed or\n// primitive.\n//\n// TODO(davidben): Make this private.\n#define V_ASN1_PRIMITIVE_TAG 0x1f\n\n// V_ASN1_MAX_UNIVERSAL is the highest supported universal tag number. It is\n// necessary to avoid ambiguity with |V_ASN1_NEG| and |MBSTRING_FLAG|.\n//\n// TODO(davidben): Make this private.\n#define V_ASN1_MAX_UNIVERSAL 0xff\n\n// V_ASN1_UNDEF is used in some APIs to indicate an ASN.1 element is omitted.\n#define V_ASN1_UNDEF (-1)\n\n// V_ASN1_OTHER is used in |ASN1_TYPE| to indicate a non-universal ASN.1 type.\n#define V_ASN1_OTHER (-3)\n\n// V_ASN1_ANY is used by the ASN.1 templates to indicate an ANY type.\n#define V_ASN1_ANY (-4)\n\n// The following constants are tag numbers for universal types.\n#define V_ASN1_EOC 0\n#define V_ASN1_BOOLEAN 1\n#define V_ASN1_INTEGER 2\n#define V_ASN1_BIT_STRING 3\n#define V_ASN1_OCTET_STRING 4\n#define V_ASN1_NULL 5\n#define V_ASN1_OBJECT 6\n#define V_ASN1_OBJECT_DESCRIPTOR 7\n#define V_ASN1_EXTERNAL 8\n#define V_ASN1_REAL 9\n#define V_ASN1_ENUMERATED 10\n#define V_ASN1_UTF8STRING 12\n#define V_ASN1_SEQUENCE 16\n#define V_ASN1_SET 17\n#define V_ASN1_NUMERICSTRING 18\n#define V_ASN1_PRINTABLESTRING 19\n#define V_ASN1_T61STRING 20\n#define V_ASN1_TELETEXSTRING 20\n#define V_ASN1_VIDEOTEXSTRING 21\n#define V_ASN1_IA5STRING 22\n#define V_ASN1_UTCTIME 23\n#define V_ASN1_GENERALIZEDTIME 24\n#define V_ASN1_GRAPHICSTRING 25\n#define V_ASN1_ISO64STRING 26\n#define V_ASN1_VISIBLESTRING 26\n#define V_ASN1_GENERALSTRING 27\n#define V_ASN1_UNIVERSALSTRING 28\n#define V_ASN1_BMPSTRING 30\n\n// The following constants are used for |ASN1_STRING| values that represent\n// negative INTEGER and ENUMERATED values. See |ASN1_STRING| for more details.\n#define V_ASN1_NEG 0x100\n#define V_ASN1_NEG_INTEGER (V_ASN1_INTEGER | V_ASN1_NEG)\n#define V_ASN1_NEG_ENUMERATED (V_ASN1_ENUMERATED | V_ASN1_NEG)\n\n// The following constants are bitmask representations of ASN.1 types.\n#define B_ASN1_NUMERICSTRING 0x0001\n#define B_ASN1_PRINTABLESTRING 0x0002\n#define B_ASN1_T61STRING 0x0004\n#define B_ASN1_TELETEXSTRING 0x0004\n#define B_ASN1_VIDEOTEXSTRING 0x0008\n#define B_ASN1_IA5STRING 0x0010\n#define B_ASN1_GRAPHICSTRING 0x0020\n#define B_ASN1_ISO64STRING 0x0040\n#define B_ASN1_VISIBLESTRING 0x0040\n#define B_ASN1_GENERALSTRING 0x0080\n#define B_ASN1_UNIVERSALSTRING 0x0100\n#define B_ASN1_OCTET_STRING 0x0200\n#define B_ASN1_BIT_STRING 0x0400\n#define B_ASN1_BMPSTRING 0x0800\n#define B_ASN1_UNKNOWN 0x1000\n#define B_ASN1_UTF8STRING 0x2000\n#define B_ASN1_UTCTIME 0x4000\n#define B_ASN1_GENERALIZEDTIME 0x8000\n#define B_ASN1_SEQUENCE 0x10000\n\n// ASN1_tag2bit converts |tag| from the tag number of a universal type to a\n// corresponding |B_ASN1_*| constant, |B_ASN1_UNKNOWN|, or zero. If the\n// |B_ASN1_*| constant above is defined, it will map the corresponding\n// |V_ASN1_*| constant to it. Otherwise, whether it returns |B_ASN1_UNKNOWN| or\n// zero is ill-defined and callers should not rely on it.\n//\n// TODO(https://crbug.com/boringssl/412): Figure out what |B_ASN1_UNNOWN| vs\n// zero is meant to be. The main impact is what values go in |B_ASN1_PRINTABLE|.\n// To that end, we must return zero on types that can't go in |ASN1_STRING|.\nOPENSSL_EXPORT unsigned long ASN1_tag2bit(int tag);\n\n// ASN1_tag2str returns a string representation of |tag|, interpret as a tag\n// number for a universal type, or |V_ASN1_NEG_*|.\nOPENSSL_EXPORT const char *ASN1_tag2str(int tag);\n\n\n// API conventions.\n//\n// The following sample functions document the calling conventions used by\n// legacy ASN.1 APIs.\n\n#if 0 // Sample functions\n\n// d2i_SAMPLE parses a structure from up to |len| bytes at |*inp|. On success,\n// it advances |*inp| by the number of bytes read and returns a newly-allocated\n// |SAMPLE| object containing the parsed structure. If |out| is non-NULL, it\n// additionally frees the previous value at |*out| and updates |*out| to the\n// result. If parsing or allocating the result fails, it returns NULL.\n//\n// This function does not reject trailing data in the input. This allows the\n// caller to parse a sequence of concatenated structures. Callers parsing only\n// one structure should check for trailing data by comparing the updated |*inp|\n// with the end of the input.\n//\n// Note: If |out| and |*out| are both non-NULL, the object at |*out| is not\n// updated in-place. Instead, it is freed, and the pointer is updated to the\n// new object. This differs from OpenSSL. Callers are recommended to set |out|\n// to NULL and instead use the return value.\nSAMPLE *d2i_SAMPLE(SAMPLE **out, const uint8_t **inp, long len);\n\n// i2d_SAMPLE marshals |in|. On error, it returns a negative value. On success,\n// it returns the length of the result and outputs it via |outp| as follows:\n//\n// If |outp| is NULL, the function writes nothing. This mode can be used to size\n// buffers.\n//\n// If |outp| is non-NULL but |*outp| is NULL, the function sets |*outp| to a\n// newly-allocated buffer containing the result. The caller is responsible for\n// releasing |*outp| with |OPENSSL_free|. This mode is recommended for most\n// callers.\n//\n// If |outp| and |*outp| are non-NULL, the function writes the result to\n// |*outp|, which must have enough space available, and advances |*outp| just\n// past the output.\n//\n// WARNING: In the third mode, the function does not internally check output\n// bounds. Failing to correctly size the buffer will result in a potentially\n// exploitable memory error.\nint i2d_SAMPLE(const SAMPLE *in, uint8_t **outp);\n\n#endif // Sample functions\n\n// The following typedefs are sometimes used for pointers to functions like\n// |d2i_SAMPLE| and |i2d_SAMPLE|. Note, however, that these act on |void*|.\n// Calling a function with a different pointer type is undefined in C, so this\n// is only valid with a wrapper.\ntypedef void *d2i_of_void(void **, const unsigned char **, long);\ntypedef int i2d_of_void(const void *, unsigned char **);\n\n\n// ASN.1 types.\n//\n// An |ASN1_ITEM| represents an ASN.1 type and allows working with ASN.1 types\n// generically.\n//\n// |ASN1_ITEM|s use a different namespace from C types and are accessed via\n// |ASN1_ITEM_*| macros. So, for example, |ASN1_OCTET_STRING| is both a C type\n// and the name of an |ASN1_ITEM|, referenced as\n// |ASN1_ITEM_rptr(ASN1_OCTET_STRING)|.\n//\n// Each |ASN1_ITEM| has a corresponding C type, typically with the same name,\n// which represents values in the ASN.1 type. This type is either a pointer type\n// or |ASN1_BOOLEAN|. When it is a pointer, NULL pointers represent omitted\n// values. For example, an OCTET STRING value is declared with the C type\n// |ASN1_OCTET_STRING*| and uses the |ASN1_ITEM| named |ASN1_OCTET_STRING|. An\n// OPTIONAL OCTET STRING uses the same C type and represents an omitted value\n// with a NULL pointer. |ASN1_BOOLEAN| is described in a later section.\n\n// DECLARE_ASN1_ITEM declares an |ASN1_ITEM| with name |name|. The |ASN1_ITEM|\n// may be referenced with |ASN1_ITEM_rptr|. Uses of this macro should document\n// the corresponding ASN.1 and C types.\n#define DECLARE_ASN1_ITEM(name) extern OPENSSL_EXPORT const ASN1_ITEM name##_it;\n\n// ASN1_ITEM_rptr returns the |const ASN1_ITEM *| named |name|.\n#define ASN1_ITEM_rptr(name) (&(name##_it))\n\n// ASN1_ITEM_EXP is an abstraction for referencing an |ASN1_ITEM| in a\n// constant-initialized structure, such as a method table. It exists because, on\n// some OpenSSL platforms, |ASN1_ITEM| references are indirected through\n// functions. Structures reference the |ASN1_ITEM| by declaring a field like\n// |ASN1_ITEM_EXP *item| and initializing it with |ASN1_ITEM_ref|.\ntypedef const ASN1_ITEM ASN1_ITEM_EXP;\n\n// ASN1_ITEM_ref returns an |ASN1_ITEM_EXP*| for the |ASN1_ITEM| named |name|.\n#define ASN1_ITEM_ref(name) (&(name##_it))\n\n// ASN1_ITEM_ptr converts |iptr|, which must be an |ASN1_ITEM_EXP*| to a\n// |const ASN1_ITEM*|.\n#define ASN1_ITEM_ptr(iptr) (iptr)\n\n// ASN1_VALUE_st (aka |ASN1_VALUE|) is an opaque type used as a placeholder for\n// the C type corresponding to an |ASN1_ITEM|.\ntypedef struct ASN1_VALUE_st ASN1_VALUE;\n\n// ASN1_item_new allocates a new value of the C type corresponding to |it|, or\n// NULL on error. On success, the caller must release the value with\n// |ASN1_item_free|, or the corresponding C type's free function, when done. The\n// new value will initialize fields of the value to some default state, such as\n// an empty string. Note, however, that this default state sometimes omits\n// required values, such as with CHOICE types.\n//\n// This function may not be used with |ASN1_ITEM|s whose C type is\n// |ASN1_BOOLEAN|.\n//\n// WARNING: Casting the result of this function to the wrong type is a\n// potentially exploitable memory error. Callers must ensure the value is used\n// consistently with |it|. Prefer using type-specific functions such as\n// |ASN1_OCTET_STRING_new|.\nOPENSSL_EXPORT ASN1_VALUE *ASN1_item_new(const ASN1_ITEM *it);\n\n// ASN1_item_free releases memory associated with |val|, which must be an object\n// of the C type corresponding to |it|.\n//\n// This function may not be used with |ASN1_ITEM|s whose C type is\n// |ASN1_BOOLEAN|.\n//\n// WARNING: Passing a pointer of the wrong type into this function is a\n// potentially exploitable memory error. Callers must ensure |val| is consistent\n// with |it|. Prefer using type-specific functions such as\n// |ASN1_OCTET_STRING_free|.\nOPENSSL_EXPORT void ASN1_item_free(ASN1_VALUE *val, const ASN1_ITEM *it);\n\n// ASN1_item_d2i parses the ASN.1 type |it| from up to |len| bytes at |*inp|.\n// It behaves like |d2i_SAMPLE|, except that |out| and the return value are cast\n// to |ASN1_VALUE| pointers.\n//\n// TODO(https://crbug.com/boringssl/444): C strict aliasing forbids type-punning\n// |T*| and |ASN1_VALUE*| the way this function signature does. When that bug is\n// resolved, we will need to pick which type |*out| is (probably |T*|). Do not\n// use a non-NULL |out| to avoid ending up on the wrong side of this question.\n//\n// This function may not be used with |ASN1_ITEM|s whose C type is\n// |ASN1_BOOLEAN|.\n//\n// WARNING: Casting the result of this function to the wrong type, or passing a\n// pointer of the wrong type into this function, are potentially exploitable\n// memory errors. Callers must ensure |out| is consistent with |it|. Prefer\n// using type-specific functions such as |d2i_ASN1_OCTET_STRING|.\nOPENSSL_EXPORT ASN1_VALUE *ASN1_item_d2i(ASN1_VALUE **out,\n const unsigned char **inp, long len,\n const ASN1_ITEM *it);\n\n// ASN1_item_i2d marshals |val| as the ASN.1 type associated with |it|, as\n// described in |i2d_SAMPLE|.\n//\n// This function may not be used with |ASN1_ITEM|s whose C type is\n// |ASN1_BOOLEAN|.\n//\n// WARNING: Passing a pointer of the wrong type into this function is a\n// potentially exploitable memory error. Callers must ensure |val| is consistent\n// with |it|. Prefer using type-specific functions such as\n// |i2d_ASN1_OCTET_STRING|.\nOPENSSL_EXPORT int ASN1_item_i2d(ASN1_VALUE *val, unsigned char **outp,\n const ASN1_ITEM *it);\n\n// ASN1_item_dup returns a newly-allocated copy of |x|, or NULL on error. |x|\n// must be an object of |it|'s C type.\n//\n// This function may not be used with |ASN1_ITEM|s whose C type is\n// |ASN1_BOOLEAN|.\n//\n// WARNING: Casting the result of this function to the wrong type, or passing a\n// pointer of the wrong type into this function, are potentially exploitable\n// memory errors. Prefer using type-specific functions such as\n// |ASN1_STRING_dup|.\nOPENSSL_EXPORT void *ASN1_item_dup(const ASN1_ITEM *it, void *x);\n\n// The following functions behave like |ASN1_item_d2i| but read from |in|\n// instead. |out| is the same parameter as in |ASN1_item_d2i|, but written with\n// |void*| instead. The return values similarly match.\n//\n// These functions may not be used with |ASN1_ITEM|s whose C type is\n// |ASN1_BOOLEAN|.\n//\n// WARNING: These functions do not bound how much data is read from |in|.\n// Parsing an untrusted input could consume unbounded memory.\nOPENSSL_EXPORT void *ASN1_item_d2i_fp(const ASN1_ITEM *it, FILE *in, void *out);\nOPENSSL_EXPORT void *ASN1_item_d2i_bio(const ASN1_ITEM *it, BIO *in, void *out);\n\n// The following functions behave like |ASN1_item_i2d| but write to |out|\n// instead. |in| is the same parameter as in |ASN1_item_i2d|, but written with\n// |void*| instead.\n//\n// These functions may not be used with |ASN1_ITEM|s whose C type is\n// |ASN1_BOOLEAN|.\nOPENSSL_EXPORT int ASN1_item_i2d_fp(const ASN1_ITEM *it, FILE *out, void *in);\nOPENSSL_EXPORT int ASN1_item_i2d_bio(const ASN1_ITEM *it, BIO *out, void *in);\n\n// ASN1_item_unpack parses |oct|'s contents as |it|'s ASN.1 type. It returns a\n// newly-allocated instance of |it|'s C type on success, or NULL on error.\n//\n// This function may not be used with |ASN1_ITEM|s whose C type is\n// |ASN1_BOOLEAN|.\n//\n// WARNING: Casting the result of this function to the wrong type is a\n// potentially exploitable memory error. Callers must ensure the value is used\n// consistently with |it|.\nOPENSSL_EXPORT void *ASN1_item_unpack(const ASN1_STRING *oct,\n const ASN1_ITEM *it);\n\n// ASN1_item_pack marshals |obj| as |it|'s ASN.1 type. If |out| is NULL, it\n// returns a newly-allocated |ASN1_STRING| with the result, or NULL on error.\n// If |out| is non-NULL, but |*out| is NULL, it does the same but additionally\n// sets |*out| to the result. If both |out| and |*out| are non-NULL, it writes\n// the result to |*out| and returns |*out| on success or NULL on error.\n//\n// This function may not be used with |ASN1_ITEM|s whose C type is\n// |ASN1_BOOLEAN|.\n//\n// WARNING: Passing a pointer of the wrong type into this function is a\n// potentially exploitable memory error. Callers must ensure |val| is consistent\n// with |it|.\nOPENSSL_EXPORT ASN1_STRING *ASN1_item_pack(void *obj, const ASN1_ITEM *it,\n ASN1_STRING **out);\n\n\n// Booleans.\n//\n// This library represents ASN.1 BOOLEAN values with |ASN1_BOOLEAN|, which is an\n// integer type. FALSE is zero, TRUE is 0xff, and an omitted OPTIONAL BOOLEAN is\n// -1.\n\n// ASN1_BOOLEAN_FALSE is FALSE as an |ASN1_BOOLEAN|.\n#define ASN1_BOOLEAN_FALSE 0\n\n// ASN1_BOOLEAN_TRUE is TRUE as an |ASN1_BOOLEAN|. Some code incorrectly uses\n// 1, so prefer |b != ASN1_BOOLEAN_FALSE| over |b == ASN1_BOOLEAN_TRUE|.\n#define ASN1_BOOLEAN_TRUE 0xff\n\n// ASN1_BOOLEAN_NONE, in contexts where the |ASN1_BOOLEAN| represents an\n// OPTIONAL BOOLEAN, is an omitted value. Using this value in other contexts is\n// undefined and may be misinterpreted as TRUE.\n#define ASN1_BOOLEAN_NONE (-1)\n\n// d2i_ASN1_BOOLEAN parses a DER-encoded ASN.1 BOOLEAN from up to |len| bytes at\n// |*inp|. On success, it advances |*inp| by the number of bytes read and\n// returns the result. If |out| is non-NULL, it additionally writes the result\n// to |*out|. On error, it returns |ASN1_BOOLEAN_NONE|.\n//\n// This function does not reject trailing data in the input. This allows the\n// caller to parse a sequence of concatenated structures. Callers parsing only\n// one structure should check for trailing data by comparing the updated |*inp|\n// with the end of the input.\n//\n// WARNING: This function's is slightly different from other |d2i_*| functions\n// because |ASN1_BOOLEAN| is not a pointer type.\nOPENSSL_EXPORT ASN1_BOOLEAN d2i_ASN1_BOOLEAN(ASN1_BOOLEAN *out,\n const unsigned char **inp,\n long len);\n\n// i2d_ASN1_BOOLEAN marshals |a| as a DER-encoded ASN.1 BOOLEAN, as described in\n// |i2d_SAMPLE|.\nOPENSSL_EXPORT int i2d_ASN1_BOOLEAN(ASN1_BOOLEAN a, unsigned char **outp);\n\n// The following |ASN1_ITEM|s have ASN.1 type BOOLEAN and C type |ASN1_BOOLEAN|.\n// |ASN1_TBOOLEAN| and |ASN1_FBOOLEAN| must be marked OPTIONAL. When omitted,\n// they are parsed as TRUE and FALSE, respectively, rather than\n// |ASN1_BOOLEAN_NONE|.\nDECLARE_ASN1_ITEM(ASN1_BOOLEAN)\nDECLARE_ASN1_ITEM(ASN1_TBOOLEAN)\nDECLARE_ASN1_ITEM(ASN1_FBOOLEAN)\n\n\n// Strings.\n//\n// ASN.1 contains a myriad of string types, as well as types that contain data\n// that may be encoded into a string. This library uses a single type,\n// |ASN1_STRING|, to represent most values.\n\n// An asn1_string_st (aka |ASN1_STRING|) represents a value of a string-like\n// ASN.1 type. It contains a |type| field, and a byte string |data| field with a\n// type-specific representation. This type-specific representation does not\n// always correspond to the DER encoding of the type.\n//\n// If |type| is one of |V_ASN1_OCTET_STRING|, |V_ASN1_UTF8STRING|,\n// |V_ASN1_NUMERICSTRING|, |V_ASN1_PRINTABLESTRING|, |V_ASN1_T61STRING|,\n// |V_ASN1_VIDEOTEXSTRING|, |V_ASN1_IA5STRING|, |V_ASN1_GRAPHICSTRING|,\n// |V_ASN1_ISO64STRING|, |V_ASN1_VISIBLESTRING|, |V_ASN1_GENERALSTRING|,\n// |V_ASN1_UNIVERSALSTRING|, or |V_ASN1_BMPSTRING|, the object represents an\n// ASN.1 string type. The data contains the byte representation of the\n// string.\n//\n// If |type| is |V_ASN1_BIT_STRING|, the object represents a BIT STRING value.\n// See bit string documentation below for the data and flags.\n//\n// If |type| is one of |V_ASN1_INTEGER|, |V_ASN1_NEG_INTEGER|,\n// |V_ASN1_ENUMERATED|, or |V_ASN1_NEG_ENUMERATED|, the object represents an\n// INTEGER or ENUMERATED value. See integer documentation below for details.\n//\n// If |type| is |V_ASN1_GENERALIZEDTIME| or |V_ASN1_UTCTIME|, the object\n// represents a GeneralizedTime or UTCTime value, respectively. The data\n// contains the DER encoding of the value. For example, the UNIX epoch would be\n// \"19700101000000Z\" for a GeneralizedTime and \"700101000000Z\" for a UTCTime.\n//\n// If |type| is |V_ASN1_SEQUENCE|, |V_ASN1_SET|, or |V_ASN1_OTHER|, the object\n// represents a SEQUENCE, SET, or arbitrary ASN.1 value, respectively. Unlike\n// the above cases, the data contains the DER encoding of the entire structure,\n// including the header. If the value is explicitly or implicitly tagged, this\n// too will be reflected in the data field. As this case handles unknown types,\n// the contents are not checked when parsing or serializing.\n//\n// Other values of |type| do not represent a valid ASN.1 value, though\n// default-constructed objects may set |type| to -1. Such objects cannot be\n// serialized.\n//\n// |ASN1_STRING| additionally has the following typedefs: |ASN1_BIT_STRING|,\n// |ASN1_BMPSTRING|, |ASN1_ENUMERATED|, |ASN1_GENERALIZEDTIME|,\n// |ASN1_GENERALSTRING|, |ASN1_IA5STRING|, |ASN1_INTEGER|, |ASN1_OCTET_STRING|,\n// |ASN1_PRINTABLESTRING|, |ASN1_T61STRING|, |ASN1_TIME|,\n// |ASN1_UNIVERSALSTRING|, |ASN1_UTCTIME|, |ASN1_UTF8STRING|, and\n// |ASN1_VISIBLESTRING|. Other than |ASN1_TIME|, these correspond to universal\n// ASN.1 types. |ASN1_TIME| represents a CHOICE of UTCTime and GeneralizedTime,\n// with a cutoff of 2049, as used in Section 4.1.2.5 of RFC 5280.\n//\n// For clarity, callers are encouraged to use the appropriate typedef when\n// available. They are the same type as |ASN1_STRING|, so a caller may freely\n// pass them into functions expecting |ASN1_STRING|, such as\n// |ASN1_STRING_length|.\n//\n// If a function returns an |ASN1_STRING| where the typedef or ASN.1 structure\n// implies constraints on |type|, callers may assume that |type| is correct.\n// However, if a function takes an |ASN1_STRING| as input, callers must ensure\n// |type| matches. These invariants are not captured by the C type system and\n// may not be checked at runtime. For example, callers may assume the output of\n// |X509_get0_serialNumber| has type |V_ASN1_INTEGER| or |V_ASN1_NEG_INTEGER|.\n// Callers must not pass a string of type |V_ASN1_OCTET_STRING| to\n// |X509_set_serialNumber|. Doing so may break invariants on the |X509| object\n// and break the |X509_get0_serialNumber| invariant.\n//\n// TODO(https://crbug.com/boringssl/445): This is very unfriendly. Getting the\n// type field wrong should not cause memory errors, but it may do strange\n// things. We should add runtime checks to anything that consumes |ASN1_STRING|s\n// from the caller.\nstruct asn1_string_st {\n int length;\n int type;\n unsigned char *data;\n long flags;\n};\n\n// ASN1_STRING_FLAG_BITS_LEFT indicates, in a BIT STRING |ASN1_STRING|, that\n// flags & 0x7 contains the number of padding bits added to the BIT STRING\n// value. When not set, all trailing zero bits in the last byte are implicitly\n// treated as padding. This behavior is deprecated and should not be used.\n#define ASN1_STRING_FLAG_BITS_LEFT 0x08\n\n// ASN1_STRING_type_new returns a newly-allocated empty |ASN1_STRING| object of\n// type |type|, or NULL on error.\nOPENSSL_EXPORT ASN1_STRING *ASN1_STRING_type_new(int type);\n\n// ASN1_STRING_new returns a newly-allocated empty |ASN1_STRING| object with an\n// arbitrary type. Prefer one of the type-specific constructors, such as\n// |ASN1_OCTET_STRING_new|, or |ASN1_STRING_type_new|.\nOPENSSL_EXPORT ASN1_STRING *ASN1_STRING_new(void);\n\n// ASN1_STRING_free releases memory associated with |str|.\nOPENSSL_EXPORT void ASN1_STRING_free(ASN1_STRING *str);\n\n// ASN1_STRING_copy sets |dst| to a copy of |str|. It returns one on success and\n// zero on error.\nOPENSSL_EXPORT int ASN1_STRING_copy(ASN1_STRING *dst, const ASN1_STRING *str);\n\n// ASN1_STRING_dup returns a newly-allocated copy of |str|, or NULL on error.\nOPENSSL_EXPORT ASN1_STRING *ASN1_STRING_dup(const ASN1_STRING *str);\n\n// ASN1_STRING_type returns the type of |str|. This value will be one of the\n// |V_ASN1_*| constants.\nOPENSSL_EXPORT int ASN1_STRING_type(const ASN1_STRING *str);\n\n// ASN1_STRING_get0_data returns a pointer to |str|'s contents. Callers should\n// use |ASN1_STRING_length| to determine the length of the string. The string\n// may have embedded NUL bytes and may not be NUL-terminated.\n//\n// The contents of an |ASN1_STRING| encode the value in some type-specific\n// representation that does not always correspond to the DER encoding of the\n// type. See the documentation for |ASN1_STRING| for details.\nOPENSSL_EXPORT const unsigned char *ASN1_STRING_get0_data(\n const ASN1_STRING *str);\n\n// ASN1_STRING_data returns a mutable pointer to |str|'s contents. Callers\n// should use |ASN1_STRING_length| to determine the length of the string. The\n// string may have embedded NUL bytes and may not be NUL-terminated.\n//\n// The contents of an |ASN1_STRING| encode the value in some type-specific\n// representation that does not always correspond to the DER encoding of the\n// type. See the documentation for |ASN1_STRING| for details.\n//\n// Prefer |ASN1_STRING_get0_data|.\nOPENSSL_EXPORT unsigned char *ASN1_STRING_data(ASN1_STRING *str);\n\n// ASN1_STRING_length returns the length of |str|, in bytes.\n//\n// The contents of an |ASN1_STRING| encode the value in some type-specific\n// representation that does not always correspond to the DER encoding of the\n// type. See the documentation for |ASN1_STRING| for details.\nOPENSSL_EXPORT int ASN1_STRING_length(const ASN1_STRING *str);\n\n// ASN1_STRING_cmp compares |a| and |b|'s type and contents. It returns an\n// integer equal to, less than, or greater than zero if |a| is equal to, less\n// than, or greater than |b|, respectively. This function compares by length,\n// then data, then type. Note the data compared is the |ASN1_STRING| internal\n// representation and the type order is arbitrary. While this comparison is\n// suitable for sorting, callers should not rely on the exact order when |a|\n// and |b| are different types.\n//\n// Note that, if |a| and |b| are INTEGERs, this comparison does not order the\n// values numerically. For a numerical comparison, use |ASN1_INTEGER_cmp|.\nOPENSSL_EXPORT int ASN1_STRING_cmp(const ASN1_STRING *a, const ASN1_STRING *b);\n\n// ASN1_STRING_set sets the contents of |str| to a copy of |len| bytes from\n// |data|. It returns one on success and zero on error. If |data| is NULL, it\n// updates the length and allocates the buffer as needed, but does not\n// initialize the contents.\nOPENSSL_EXPORT int ASN1_STRING_set(ASN1_STRING *str, const void *data,\n ossl_ssize_t len);\n\n// ASN1_STRING_set0 sets the contents of |str| to |len| bytes from |data|. It\n// takes ownership of |data|, which must have been allocated with\n// |OPENSSL_malloc|.\nOPENSSL_EXPORT void ASN1_STRING_set0(ASN1_STRING *str, void *data, int len);\n\n// The following functions call |ASN1_STRING_type_new| with the corresponding\n// |V_ASN1_*| constant.\nOPENSSL_EXPORT ASN1_BMPSTRING *ASN1_BMPSTRING_new(void);\nOPENSSL_EXPORT ASN1_GENERALSTRING *ASN1_GENERALSTRING_new(void);\nOPENSSL_EXPORT ASN1_IA5STRING *ASN1_IA5STRING_new(void);\nOPENSSL_EXPORT ASN1_OCTET_STRING *ASN1_OCTET_STRING_new(void);\nOPENSSL_EXPORT ASN1_PRINTABLESTRING *ASN1_PRINTABLESTRING_new(void);\nOPENSSL_EXPORT ASN1_T61STRING *ASN1_T61STRING_new(void);\nOPENSSL_EXPORT ASN1_UNIVERSALSTRING *ASN1_UNIVERSALSTRING_new(void);\nOPENSSL_EXPORT ASN1_UTF8STRING *ASN1_UTF8STRING_new(void);\nOPENSSL_EXPORT ASN1_VISIBLESTRING *ASN1_VISIBLESTRING_new(void);\n\n// The following functions call |ASN1_STRING_free|.\nOPENSSL_EXPORT void ASN1_BMPSTRING_free(ASN1_BMPSTRING *str);\nOPENSSL_EXPORT void ASN1_GENERALSTRING_free(ASN1_GENERALSTRING *str);\nOPENSSL_EXPORT void ASN1_IA5STRING_free(ASN1_IA5STRING *str);\nOPENSSL_EXPORT void ASN1_OCTET_STRING_free(ASN1_OCTET_STRING *str);\nOPENSSL_EXPORT void ASN1_PRINTABLESTRING_free(ASN1_PRINTABLESTRING *str);\nOPENSSL_EXPORT void ASN1_T61STRING_free(ASN1_T61STRING *str);\nOPENSSL_EXPORT void ASN1_UNIVERSALSTRING_free(ASN1_UNIVERSALSTRING *str);\nOPENSSL_EXPORT void ASN1_UTF8STRING_free(ASN1_UTF8STRING *str);\nOPENSSL_EXPORT void ASN1_VISIBLESTRING_free(ASN1_VISIBLESTRING *str);\n\n// The following functions parse up to |len| bytes from |*inp| as a\n// DER-encoded ASN.1 value of the corresponding type, as described in\n// |d2i_SAMPLE|.\nOPENSSL_EXPORT ASN1_BMPSTRING *d2i_ASN1_BMPSTRING(ASN1_BMPSTRING **out,\n const uint8_t **inp,\n long len);\nOPENSSL_EXPORT ASN1_GENERALSTRING *d2i_ASN1_GENERALSTRING(\n ASN1_GENERALSTRING **out, const uint8_t **inp, long len);\nOPENSSL_EXPORT ASN1_IA5STRING *d2i_ASN1_IA5STRING(ASN1_IA5STRING **out,\n const uint8_t **inp,\n long len);\nOPENSSL_EXPORT ASN1_OCTET_STRING *d2i_ASN1_OCTET_STRING(ASN1_OCTET_STRING **out,\n const uint8_t **inp,\n long len);\nOPENSSL_EXPORT ASN1_PRINTABLESTRING *d2i_ASN1_PRINTABLESTRING(\n ASN1_PRINTABLESTRING **out, const uint8_t **inp, long len);\nOPENSSL_EXPORT ASN1_T61STRING *d2i_ASN1_T61STRING(ASN1_T61STRING **out,\n const uint8_t **inp,\n long len);\nOPENSSL_EXPORT ASN1_UNIVERSALSTRING *d2i_ASN1_UNIVERSALSTRING(\n ASN1_UNIVERSALSTRING **out, const uint8_t **inp, long len);\nOPENSSL_EXPORT ASN1_UTF8STRING *d2i_ASN1_UTF8STRING(ASN1_UTF8STRING **out,\n const uint8_t **inp,\n long len);\nOPENSSL_EXPORT ASN1_VISIBLESTRING *d2i_ASN1_VISIBLESTRING(\n ASN1_VISIBLESTRING **out, const uint8_t **inp, long len);\n\n// The following functions marshal |in| as a DER-encoded ASN.1 value of the\n// corresponding type, as described in |i2d_SAMPLE|.\nOPENSSL_EXPORT int i2d_ASN1_BMPSTRING(const ASN1_BMPSTRING *in, uint8_t **outp);\nOPENSSL_EXPORT int i2d_ASN1_GENERALSTRING(const ASN1_GENERALSTRING *in,\n uint8_t **outp);\nOPENSSL_EXPORT int i2d_ASN1_IA5STRING(const ASN1_IA5STRING *in, uint8_t **outp);\nOPENSSL_EXPORT int i2d_ASN1_OCTET_STRING(const ASN1_OCTET_STRING *in,\n uint8_t **outp);\nOPENSSL_EXPORT int i2d_ASN1_PRINTABLESTRING(const ASN1_PRINTABLESTRING *in,\n uint8_t **outp);\nOPENSSL_EXPORT int i2d_ASN1_T61STRING(const ASN1_T61STRING *in, uint8_t **outp);\nOPENSSL_EXPORT int i2d_ASN1_UNIVERSALSTRING(const ASN1_UNIVERSALSTRING *in,\n uint8_t **outp);\nOPENSSL_EXPORT int i2d_ASN1_UTF8STRING(const ASN1_UTF8STRING *in,\n uint8_t **outp);\nOPENSSL_EXPORT int i2d_ASN1_VISIBLESTRING(const ASN1_VISIBLESTRING *in,\n uint8_t **outp);\n\n// The following |ASN1_ITEM|s have the ASN.1 type referred to in their name and\n// C type |ASN1_STRING*|. The C type may also be written as the corresponding\n// typedef.\nDECLARE_ASN1_ITEM(ASN1_BMPSTRING)\nDECLARE_ASN1_ITEM(ASN1_GENERALSTRING)\nDECLARE_ASN1_ITEM(ASN1_IA5STRING)\nDECLARE_ASN1_ITEM(ASN1_OCTET_STRING)\nDECLARE_ASN1_ITEM(ASN1_PRINTABLESTRING)\nDECLARE_ASN1_ITEM(ASN1_T61STRING)\nDECLARE_ASN1_ITEM(ASN1_UNIVERSALSTRING)\nDECLARE_ASN1_ITEM(ASN1_UTF8STRING)\nDECLARE_ASN1_ITEM(ASN1_VISIBLESTRING)\n\n// ASN1_OCTET_STRING_dup calls |ASN1_STRING_dup|.\nOPENSSL_EXPORT ASN1_OCTET_STRING *ASN1_OCTET_STRING_dup(\n const ASN1_OCTET_STRING *a);\n\n// ASN1_OCTET_STRING_cmp calls |ASN1_STRING_cmp|.\nOPENSSL_EXPORT int ASN1_OCTET_STRING_cmp(const ASN1_OCTET_STRING *a,\n const ASN1_OCTET_STRING *b);\n\n// ASN1_OCTET_STRING_set calls |ASN1_STRING_set|.\nOPENSSL_EXPORT int ASN1_OCTET_STRING_set(ASN1_OCTET_STRING *str,\n const unsigned char *data, int len);\n\n// ASN1_STRING_to_UTF8 converts |in| to UTF-8. On success, sets |*out| to a\n// newly-allocated buffer containing the resulting string and returns the length\n// of the string. The caller must call |OPENSSL_free| to release |*out| when\n// done. On error, it returns a negative number.\nOPENSSL_EXPORT int ASN1_STRING_to_UTF8(unsigned char **out,\n const ASN1_STRING *in);\n\n// The following formats define encodings for use with functions like\n// |ASN1_mbstring_copy|. Note |MBSTRING_ASC| refers to Latin-1, not ASCII.\n#define MBSTRING_FLAG 0x1000\n#define MBSTRING_UTF8 (MBSTRING_FLAG)\n#define MBSTRING_ASC (MBSTRING_FLAG | 1)\n#define MBSTRING_BMP (MBSTRING_FLAG | 2)\n#define MBSTRING_UNIV (MBSTRING_FLAG | 4)\n\n// DIRSTRING_TYPE contains the valid string types in an X.509 DirectoryString.\n#define DIRSTRING_TYPE \\\n (B_ASN1_PRINTABLESTRING | B_ASN1_T61STRING | B_ASN1_BMPSTRING | \\\n B_ASN1_UTF8STRING)\n\n// PKCS9STRING_TYPE contains the valid string types in a PKCS9String.\n#define PKCS9STRING_TYPE (DIRSTRING_TYPE | B_ASN1_IA5STRING)\n\n// ASN1_mbstring_copy converts |len| bytes from |in| to an ASN.1 string. If\n// |len| is -1, |in| must be NUL-terminated and the length is determined by\n// |strlen|. |in| is decoded according to |inform|, which must be one of\n// |MBSTRING_*|. |mask| determines the set of valid output types and is a\n// bitmask containing a subset of |B_ASN1_PRINTABLESTRING|, |B_ASN1_IA5STRING|,\n// |B_ASN1_T61STRING|, |B_ASN1_BMPSTRING|, |B_ASN1_UNIVERSALSTRING|, and\n// |B_ASN1_UTF8STRING|, in that preference order. This function chooses the\n// first output type in |mask| which can represent |in|. It interprets T61String\n// as Latin-1, rather than T.61.\n//\n// If |mask| is zero, |DIRSTRING_TYPE| is used by default.\n//\n// On success, this function returns the |V_ASN1_*| constant corresponding to\n// the selected output type and, if |out| and |*out| are both non-NULL, updates\n// the object at |*out| with the result. If |out| is non-NULL and |*out| is\n// NULL, it instead sets |*out| to a newly-allocated |ASN1_STRING| containing\n// the result. If |out| is NULL, it returns the selected output type without\n// constructing an |ASN1_STRING|. On error, this function returns -1.\nOPENSSL_EXPORT int ASN1_mbstring_copy(ASN1_STRING **out, const uint8_t *in,\n ossl_ssize_t len, int inform,\n unsigned long mask);\n\n// ASN1_mbstring_ncopy behaves like |ASN1_mbstring_copy| but returns an error if\n// the input is less than |minsize| or greater than |maxsize| codepoints long. A\n// |maxsize| value of zero is ignored. Note the sizes are measured in\n// codepoints, not output bytes.\nOPENSSL_EXPORT int ASN1_mbstring_ncopy(ASN1_STRING **out, const uint8_t *in,\n ossl_ssize_t len, int inform,\n unsigned long mask, ossl_ssize_t minsize,\n ossl_ssize_t maxsize);\n\n// ASN1_STRING_set_by_NID behaves like |ASN1_mbstring_ncopy|, but determines\n// |mask|, |minsize|, and |maxsize| based on |nid|. When |nid| is a recognized\n// X.509 attribute type, it will pick a suitable ASN.1 string type and bounds.\n// For most attribute types, it preferentially chooses UTF8String. If |nid| is\n// unrecognized, it uses UTF8String by default.\n//\n// Slightly unlike |ASN1_mbstring_ncopy|, this function interprets |out| and\n// returns its result as follows: If |out| is NULL, it returns a newly-allocated\n// |ASN1_STRING| containing the result. If |out| is non-NULL and\n// |*out| is NULL, it additionally sets |*out| to the result. If both |out| and\n// |*out| are non-NULL, it instead updates the object at |*out| and returns\n// |*out|. In all cases, it returns NULL on error.\n//\n// This function supports the following NIDs: |NID_countryName|,\n// |NID_dnQualifier|, |NID_domainComponent|, |NID_friendlyName|,\n// |NID_givenName|, |NID_initials|, |NID_localityName|, |NID_ms_csp_name|,\n// |NID_name|, |NID_organizationalUnitName|, |NID_organizationName|,\n// |NID_pkcs9_challengePassword|, |NID_pkcs9_emailAddress|,\n// |NID_pkcs9_unstructuredAddress|, |NID_pkcs9_unstructuredName|,\n// |NID_serialNumber|, |NID_stateOrProvinceName|, and |NID_surname|. Additional\n// NIDs may be registered with |ASN1_STRING_set_by_NID|, but it is recommended\n// to call |ASN1_mbstring_ncopy| directly instead.\nOPENSSL_EXPORT ASN1_STRING *ASN1_STRING_set_by_NID(ASN1_STRING **out,\n const unsigned char *in,\n ossl_ssize_t len, int inform,\n int nid);\n\n// STABLE_NO_MASK causes |ASN1_STRING_TABLE_add| to allow types other than\n// UTF8String.\n#define STABLE_NO_MASK 0x02\n\n// ASN1_STRING_TABLE_add registers the corresponding parameters with |nid|, for\n// use with |ASN1_STRING_set_by_NID|. It returns one on success and zero on\n// error. It is an error to call this function if |nid| is a built-in NID, or\n// was already registered by a previous call.\n//\n// WARNING: This function affects global state in the library. If two libraries\n// in the same address space register information for the same OID, one call\n// will fail. Prefer directly passing the desired parametrs to\n// |ASN1_mbstring_copy| or |ASN1_mbstring_ncopy| instead.\nOPENSSL_EXPORT int ASN1_STRING_TABLE_add(int nid, long minsize, long maxsize,\n unsigned long mask,\n unsigned long flags);\n\n\n// Multi-strings.\n//\n// A multi-string, or \"MSTRING\", is an |ASN1_STRING| that represents a CHOICE of\n// several string or string-like types, such as X.509's DirectoryString. The\n// |ASN1_STRING|'s type field determines which type is used.\n//\n// Multi-string types are associated with a bitmask, using the |B_ASN1_*|\n// constants, which defines which types are valid.\n\n// B_ASN1_DIRECTORYSTRING is a bitmask of types allowed in an X.509\n// DirectoryString (RFC 5280).\n#define B_ASN1_DIRECTORYSTRING \\\n (B_ASN1_PRINTABLESTRING | B_ASN1_TELETEXSTRING | B_ASN1_BMPSTRING | \\\n B_ASN1_UNIVERSALSTRING | B_ASN1_UTF8STRING)\n\n// DIRECTORYSTRING_new returns a newly-allocated |ASN1_STRING| with type -1, or\n// NULL on error. The resulting |ASN1_STRING| is not a valid X.509\n// DirectoryString until initialized with a value.\nOPENSSL_EXPORT ASN1_STRING *DIRECTORYSTRING_new(void);\n\n// DIRECTORYSTRING_free calls |ASN1_STRING_free|.\nOPENSSL_EXPORT void DIRECTORYSTRING_free(ASN1_STRING *str);\n\n// d2i_DIRECTORYSTRING parses up to |len| bytes from |*inp| as a DER-encoded\n// X.509 DirectoryString (RFC 5280), as described in |d2i_SAMPLE|.\n//\n// TODO(https://crbug.com/boringssl/354): This function currently also accepts\n// BER, but this will be removed in the future.\n//\n// TODO(https://crbug.com/boringssl/449): DirectoryString's non-empty string\n// requirement is not currently enforced.\nOPENSSL_EXPORT ASN1_STRING *d2i_DIRECTORYSTRING(ASN1_STRING **out,\n const uint8_t **inp, long len);\n\n// i2d_DIRECTORYSTRING marshals |in| as a DER-encoded X.509 DirectoryString (RFC\n// 5280), as described in |i2d_SAMPLE|.\nOPENSSL_EXPORT int i2d_DIRECTORYSTRING(const ASN1_STRING *in, uint8_t **outp);\n\n// DIRECTORYSTRING is an |ASN1_ITEM| whose ASN.1 type is X.509 DirectoryString\n// (RFC 5280) and C type is |ASN1_STRING*|.\nDECLARE_ASN1_ITEM(DIRECTORYSTRING)\n\n// B_ASN1_DISPLAYTEXT is a bitmask of types allowed in an X.509 DisplayText (RFC\n// 5280).\n#define B_ASN1_DISPLAYTEXT \\\n (B_ASN1_IA5STRING | B_ASN1_VISIBLESTRING | B_ASN1_BMPSTRING | \\\n B_ASN1_UTF8STRING)\n\n// DISPLAYTEXT_new returns a newly-allocated |ASN1_STRING| with type -1, or NULL\n// on error. The resulting |ASN1_STRING| is not a valid X.509 DisplayText until\n// initialized with a value.\nOPENSSL_EXPORT ASN1_STRING *DISPLAYTEXT_new(void);\n\n// DISPLAYTEXT_free calls |ASN1_STRING_free|.\nOPENSSL_EXPORT void DISPLAYTEXT_free(ASN1_STRING *str);\n\n// d2i_DISPLAYTEXT parses up to |len| bytes from |*inp| as a DER-encoded X.509\n// DisplayText (RFC 5280), as described in |d2i_SAMPLE|.\n//\n// TODO(https://crbug.com/boringssl/354): This function currently also accepts\n// BER, but this will be removed in the future.\n//\n// TODO(https://crbug.com/boringssl/449): DisplayText's size limits are not\n// currently enforced.\nOPENSSL_EXPORT ASN1_STRING *d2i_DISPLAYTEXT(ASN1_STRING **out,\n const uint8_t **inp, long len);\n\n// i2d_DISPLAYTEXT marshals |in| as a DER-encoded X.509 DisplayText (RFC 5280),\n// as described in |i2d_SAMPLE|.\nOPENSSL_EXPORT int i2d_DISPLAYTEXT(const ASN1_STRING *in, uint8_t **outp);\n\n// DISPLAYTEXT is an |ASN1_ITEM| whose ASN.1 type is X.509 DisplayText (RFC\n// 5280) and C type is |ASN1_STRING*|.\nDECLARE_ASN1_ITEM(DISPLAYTEXT)\n\n\n// Bit strings.\n//\n// An ASN.1 BIT STRING type represents a string of bits. The string may not\n// necessarily be a whole number of bytes. BIT STRINGs occur in ASN.1 structures\n// in several forms:\n//\n// Some BIT STRINGs represent a bitmask of named bits, such as the X.509 key\n// usage extension in RFC 5280, section 4.2.1.3. For such bit strings, DER\n// imposes an additional restriction that trailing zero bits are removed. Some\n// functions like |ASN1_BIT_STRING_set_bit| help in maintaining this.\n//\n// Other BIT STRINGs are arbitrary strings of bits used as identifiers and do\n// not have this constraint, such as the X.509 issuerUniqueID field.\n//\n// Finally, some structures use BIT STRINGs as a container for byte strings. For\n// example, the signatureValue field in X.509 and the subjectPublicKey field in\n// SubjectPublicKeyInfo are defined as BIT STRINGs with a value specific to the\n// AlgorithmIdentifier. While some unknown algorithm could choose to store\n// arbitrary bit strings, all supported algorithms use a byte string, with bit\n// order matching the DER encoding. Callers interpreting a BIT STRING as a byte\n// string should use |ASN1_BIT_STRING_num_bytes| instead of |ASN1_STRING_length|\n// and reject bit strings that are not a whole number of bytes.\n//\n// This library represents BIT STRINGs as |ASN1_STRING|s with type\n// |V_ASN1_BIT_STRING|. The data contains the encoded form of the BIT STRING,\n// including any padding bits added to round to a whole number of bytes, but\n// excluding the leading byte containing the number of padding bits. If\n// |ASN1_STRING_FLAG_BITS_LEFT| is set, the bottom three bits contains the\n// number of padding bits. For example, DER encodes the BIT STRING {1, 0} as\n// {0x06, 0x80 = 0b10_000000}. The |ASN1_STRING| representation has data of\n// {0x80} and flags of ASN1_STRING_FLAG_BITS_LEFT | 6. If\n// |ASN1_STRING_FLAG_BITS_LEFT| is unset, trailing zero bits are implicitly\n// removed. Callers should not rely this representation when constructing bit\n// strings. The padding bits in the |ASN1_STRING| data must be zero.\n\n// ASN1_BIT_STRING_new calls |ASN1_STRING_type_new| with |V_ASN1_BIT_STRING|.\nOPENSSL_EXPORT ASN1_BIT_STRING *ASN1_BIT_STRING_new(void);\n\n// ASN1_BIT_STRING_free calls |ASN1_STRING_free|.\nOPENSSL_EXPORT void ASN1_BIT_STRING_free(ASN1_BIT_STRING *str);\n\n// d2i_ASN1_BIT_STRING parses up to |len| bytes from |*inp| as a DER-encoded\n// ASN.1 BIT STRING, as described in |d2i_SAMPLE|.\nOPENSSL_EXPORT ASN1_BIT_STRING *d2i_ASN1_BIT_STRING(ASN1_BIT_STRING **out,\n const uint8_t **inp,\n long len);\n\n// i2d_ASN1_BIT_STRING marshals |in| as a DER-encoded ASN.1 BIT STRING, as\n// described in |i2d_SAMPLE|.\nOPENSSL_EXPORT int i2d_ASN1_BIT_STRING(const ASN1_BIT_STRING *in,\n uint8_t **outp);\n\n// c2i_ASN1_BIT_STRING decodes |len| bytes from |*inp| as the contents of a\n// DER-encoded BIT STRING, excluding the tag and length. It behaves like\n// |d2i_SAMPLE| except, on success, it always consumes all |len| bytes.\nOPENSSL_EXPORT ASN1_BIT_STRING *c2i_ASN1_BIT_STRING(ASN1_BIT_STRING **out,\n const uint8_t **inp,\n long len);\n\n// i2c_ASN1_BIT_STRING encodes |in| as the contents of a DER-encoded BIT STRING,\n// excluding the tag and length. If |outp| is non-NULL, it writes the result to\n// |*outp|, advances |*outp| just past the output, and returns the number of\n// bytes written. |*outp| must have space available for the result. If |outp| is\n// NULL, it returns the number of bytes without writing anything. On error, it\n// returns a value <= 0.\n//\n// Note this function differs slightly from |i2d_SAMPLE|. If |outp| is non-NULL\n// and |*outp| is NULL, it does not allocate a new buffer.\n//\n// TODO(davidben): This function currently returns zero on error instead of -1,\n// but it is also mostly infallible. I've currently documented <= 0 to suggest\n// callers work with both.\nOPENSSL_EXPORT int i2c_ASN1_BIT_STRING(const ASN1_BIT_STRING *in,\n uint8_t **outp);\n\n// ASN1_BIT_STRING is an |ASN1_ITEM| with ASN.1 type BIT STRING and C type\n// |ASN1_BIT_STRING*|.\nDECLARE_ASN1_ITEM(ASN1_BIT_STRING)\n\n// ASN1_BIT_STRING_num_bytes computes the length of |str| in bytes. If |str|'s\n// bit length is a multiple of 8, it sets |*out| to the byte length and returns\n// one. Otherwise, it returns zero.\n//\n// This function may be used with |ASN1_STRING_get0_data| to interpret |str| as\n// a byte string.\nOPENSSL_EXPORT int ASN1_BIT_STRING_num_bytes(const ASN1_BIT_STRING *str,\n size_t *out);\n\n// ASN1_BIT_STRING_set calls |ASN1_STRING_set|. It leaves flags unchanged, so\n// the caller must set the number of unused bits.\n//\n// TODO(davidben): Maybe it should? Wrapping a byte string in a bit string is a\n// common use case.\nOPENSSL_EXPORT int ASN1_BIT_STRING_set(ASN1_BIT_STRING *str,\n const unsigned char *d,\n ossl_ssize_t length);\n\n// ASN1_BIT_STRING_set_bit sets bit |n| of |str| to one if |value| is non-zero\n// and zero if |value| is zero, resizing |str| as needed. It then truncates\n// trailing zeros in |str| to align with the DER represention for a bit string\n// with named bits. It returns one on success and zero on error. |n| is indexed\n// beginning from zero.\nOPENSSL_EXPORT int ASN1_BIT_STRING_set_bit(ASN1_BIT_STRING *str, int n,\n int value);\n\n// ASN1_BIT_STRING_get_bit returns one if bit |n| of |a| is in bounds and set,\n// and zero otherwise. |n| is indexed beginning from zero.\nOPENSSL_EXPORT int ASN1_BIT_STRING_get_bit(const ASN1_BIT_STRING *str, int n);\n\n// ASN1_BIT_STRING_check returns one if |str| only contains bits that are set in\n// the |flags_len| bytes pointed by |flags|. Otherwise it returns zero. Bits in\n// |flags| are arranged according to the DER representation, so bit 0\n// corresponds to the MSB of |flags[0]|.\nOPENSSL_EXPORT int ASN1_BIT_STRING_check(const ASN1_BIT_STRING *str,\n const unsigned char *flags,\n int flags_len);\n\n\n// Integers and enumerated values.\n//\n// INTEGER and ENUMERATED values are represented as |ASN1_STRING|s where the\n// data contains the big-endian encoding of the absolute value of the integer.\n// The sign bit is encoded in the type: non-negative values have a type of\n// |V_ASN1_INTEGER| or |V_ASN1_ENUMERATED|, while negative values have a type of\n// |V_ASN1_NEG_INTEGER| or |V_ASN1_NEG_ENUMERATED|. Note this differs from DER's\n// two's complement representation.\n//\n// The data in the |ASN1_STRING| may not have leading zeros. Note this means\n// zero is represented as the empty string. Parsing functions will never return\n// invalid representations. If an invalid input is constructed, the marshaling\n// functions will skip leading zeros, however other functions, such as\n// |ASN1_INTEGER_cmp| or |ASN1_INTEGER_get|, may not return the correct result.\n\nDEFINE_STACK_OF(ASN1_INTEGER)\n\n// ASN1_INTEGER_new calls |ASN1_STRING_type_new| with |V_ASN1_INTEGER|. The\n// resulting object has value zero.\nOPENSSL_EXPORT ASN1_INTEGER *ASN1_INTEGER_new(void);\n\n// ASN1_INTEGER_free calls |ASN1_STRING_free|.\nOPENSSL_EXPORT void ASN1_INTEGER_free(ASN1_INTEGER *str);\n\n// ASN1_INTEGER_dup calls |ASN1_STRING_dup|.\nOPENSSL_EXPORT ASN1_INTEGER *ASN1_INTEGER_dup(const ASN1_INTEGER *x);\n\n// d2i_ASN1_INTEGER parses up to |len| bytes from |*inp| as a DER-encoded\n// ASN.1 INTEGER, as described in |d2i_SAMPLE|.\nOPENSSL_EXPORT ASN1_INTEGER *d2i_ASN1_INTEGER(ASN1_INTEGER **out,\n const uint8_t **inp, long len);\n\n// i2d_ASN1_INTEGER marshals |in| as a DER-encoded ASN.1 INTEGER, as\n// described in |i2d_SAMPLE|.\nOPENSSL_EXPORT int i2d_ASN1_INTEGER(const ASN1_INTEGER *in, uint8_t **outp);\n\n// c2i_ASN1_INTEGER decodes |len| bytes from |*inp| as the contents of a\n// DER-encoded INTEGER, excluding the tag and length. It behaves like\n// |d2i_SAMPLE| except, on success, it always consumes all |len| bytes.\nOPENSSL_EXPORT ASN1_INTEGER *c2i_ASN1_INTEGER(ASN1_INTEGER **in,\n const uint8_t **outp, long len);\n\n// i2c_ASN1_INTEGER encodes |in| as the contents of a DER-encoded INTEGER,\n// excluding the tag and length. If |outp| is non-NULL, it writes the result to\n// |*outp|, advances |*outp| just past the output, and returns the number of\n// bytes written. |*outp| must have space available for the result. If |outp| is\n// NULL, it returns the number of bytes without writing anything. On error, it\n// returns a value <= 0.\n//\n// Note this function differs slightly from |i2d_SAMPLE|. If |outp| is non-NULL\n// and |*outp| is NULL, it does not allocate a new buffer.\n//\n// TODO(davidben): This function currently returns zero on error instead of -1,\n// but it is also mostly infallible. I've currently documented <= 0 to suggest\n// callers work with both.\nOPENSSL_EXPORT int i2c_ASN1_INTEGER(const ASN1_INTEGER *in, uint8_t **outp);\n\n// ASN1_INTEGER is an |ASN1_ITEM| with ASN.1 type INTEGER and C type\n// |ASN1_INTEGER*|.\nDECLARE_ASN1_ITEM(ASN1_INTEGER)\n\n// ASN1_INTEGER_set_uint64 sets |a| to an INTEGER with value |v|. It returns one\n// on success and zero on error.\nOPENSSL_EXPORT int ASN1_INTEGER_set_uint64(ASN1_INTEGER *out, uint64_t v);\n\n// ASN1_INTEGER_set_int64 sets |a| to an INTEGER with value |v|. It returns one\n// on success and zero on error.\nOPENSSL_EXPORT int ASN1_INTEGER_set_int64(ASN1_INTEGER *out, int64_t v);\n\n// ASN1_INTEGER_get_uint64 converts |a| to a |uint64_t|. On success, it returns\n// one and sets |*out| to the result. If |a| did not fit or has the wrong type,\n// it returns zero.\nOPENSSL_EXPORT int ASN1_INTEGER_get_uint64(uint64_t *out,\n const ASN1_INTEGER *a);\n\n// ASN1_INTEGER_get_int64 converts |a| to a |int64_t|. On success, it returns\n// one and sets |*out| to the result. If |a| did not fit or has the wrong type,\n// it returns zero.\nOPENSSL_EXPORT int ASN1_INTEGER_get_int64(int64_t *out, const ASN1_INTEGER *a);\n\n// BN_to_ASN1_INTEGER sets |ai| to an INTEGER with value |bn| and returns |ai|\n// on success or NULL or error. If |ai| is NULL, it returns a newly-allocated\n// |ASN1_INTEGER| on success instead, which the caller must release with\n// |ASN1_INTEGER_free|.\nOPENSSL_EXPORT ASN1_INTEGER *BN_to_ASN1_INTEGER(const BIGNUM *bn,\n ASN1_INTEGER *ai);\n\n// ASN1_INTEGER_to_BN sets |bn| to the value of |ai| and returns |bn| on success\n// or NULL or error. If |bn| is NULL, it returns a newly-allocated |BIGNUM| on\n// success instead, which the caller must release with |BN_free|.\nOPENSSL_EXPORT BIGNUM *ASN1_INTEGER_to_BN(const ASN1_INTEGER *ai, BIGNUM *bn);\n\n// ASN1_INTEGER_cmp compares the values of |x| and |y|. It returns an integer\n// equal to, less than, or greater than zero if |x| is equal to, less than, or\n// greater than |y|, respectively.\nOPENSSL_EXPORT int ASN1_INTEGER_cmp(const ASN1_INTEGER *x,\n const ASN1_INTEGER *y);\n\n// ASN1_ENUMERATED_new calls |ASN1_STRING_type_new| with |V_ASN1_ENUMERATED|.\n// The resulting object has value zero.\nOPENSSL_EXPORT ASN1_ENUMERATED *ASN1_ENUMERATED_new(void);\n\n// ASN1_ENUMERATED_free calls |ASN1_STRING_free|.\nOPENSSL_EXPORT void ASN1_ENUMERATED_free(ASN1_ENUMERATED *str);\n\n// d2i_ASN1_ENUMERATED parses up to |len| bytes from |*inp| as a DER-encoded\n// ASN.1 ENUMERATED, as described in |d2i_SAMPLE|.\nOPENSSL_EXPORT ASN1_ENUMERATED *d2i_ASN1_ENUMERATED(ASN1_ENUMERATED **out,\n const uint8_t **inp,\n long len);\n\n// i2d_ASN1_ENUMERATED marshals |in| as a DER-encoded ASN.1 ENUMERATED, as\n// described in |i2d_SAMPLE|.\nOPENSSL_EXPORT int i2d_ASN1_ENUMERATED(const ASN1_ENUMERATED *in,\n uint8_t **outp);\n\n// ASN1_ENUMERATED is an |ASN1_ITEM| with ASN.1 type ENUMERATED and C type\n// |ASN1_ENUMERATED*|.\nDECLARE_ASN1_ITEM(ASN1_ENUMERATED)\n\n// ASN1_ENUMERATED_set_uint64 sets |a| to an ENUMERATED with value |v|. It\n// returns one on success and zero on error.\nOPENSSL_EXPORT int ASN1_ENUMERATED_set_uint64(ASN1_ENUMERATED *out, uint64_t v);\n\n// ASN1_ENUMERATED_set_int64 sets |a| to an ENUMERATED with value |v|. It\n// returns one on success and zero on error.\nOPENSSL_EXPORT int ASN1_ENUMERATED_set_int64(ASN1_ENUMERATED *out, int64_t v);\n\n// ASN1_ENUMERATED_get_uint64 converts |a| to a |uint64_t|. On success, it\n// returns one and sets |*out| to the result. If |a| did not fit or has the\n// wrong type, it returns zero.\nOPENSSL_EXPORT int ASN1_ENUMERATED_get_uint64(uint64_t *out,\n const ASN1_ENUMERATED *a);\n\n// ASN1_ENUMERATED_get_int64 converts |a| to a |int64_t|. On success, it\n// returns one and sets |*out| to the result. If |a| did not fit or has the\n// wrong type, it returns zero.\nOPENSSL_EXPORT int ASN1_ENUMERATED_get_int64(int64_t *out,\n const ASN1_ENUMERATED *a);\n\n// BN_to_ASN1_ENUMERATED sets |ai| to an ENUMERATED with value |bn| and returns\n// |ai| on success or NULL or error. If |ai| is NULL, it returns a\n// newly-allocated |ASN1_ENUMERATED| on success instead, which the caller must\n// release with |ASN1_ENUMERATED_free|.\nOPENSSL_EXPORT ASN1_ENUMERATED *BN_to_ASN1_ENUMERATED(const BIGNUM *bn,\n ASN1_ENUMERATED *ai);\n\n// ASN1_ENUMERATED_to_BN sets |bn| to the value of |ai| and returns |bn| on\n// success or NULL or error. If |bn| is NULL, it returns a newly-allocated\n// |BIGNUM| on success instead, which the caller must release with |BN_free|.\nOPENSSL_EXPORT BIGNUM *ASN1_ENUMERATED_to_BN(const ASN1_ENUMERATED *ai,\n BIGNUM *bn);\n\n\n// Time.\n//\n// GeneralizedTime and UTCTime values are represented as |ASN1_STRING|s. The\n// type field is |V_ASN1_GENERALIZEDTIME| or |V_ASN1_UTCTIME|, respectively. The\n// data field contains the DER encoding of the value. For example, the UNIX\n// epoch would be \"19700101000000Z\" for a GeneralizedTime and \"700101000000Z\"\n// for a UTCTime.\n//\n// ASN.1 does not define how to interpret UTCTime's two-digit year. RFC 5280\n// defines it as a range from 1950 to 2049 for X.509. The library uses the\n// RFC 5280 interpretation. It does not currently enforce the restrictions from\n// BER, and the additional restrictions from RFC 5280, but future versions may.\n// Callers should not rely on fractional seconds and non-UTC time zones.\n//\n// The |ASN1_TIME| typedef is a multi-string representing the X.509 Time type,\n// which is a CHOICE of GeneralizedTime and UTCTime, using UTCTime when the\n// value is in range.\n\n// ASN1_UTCTIME_new calls |ASN1_STRING_type_new| with |V_ASN1_UTCTIME|. The\n// resulting object contains empty contents and must be initialized to be a\n// valid UTCTime.\nOPENSSL_EXPORT ASN1_UTCTIME *ASN1_UTCTIME_new(void);\n\n// ASN1_UTCTIME_free calls |ASN1_STRING_free|.\nOPENSSL_EXPORT void ASN1_UTCTIME_free(ASN1_UTCTIME *str);\n\n// d2i_ASN1_UTCTIME parses up to |len| bytes from |*inp| as a DER-encoded\n// ASN.1 UTCTime, as described in |d2i_SAMPLE|.\n//\n// TODO(https://crbug.com/boringssl/354): This function currently also accepts\n// BER, but this will be removed in the future.\nOPENSSL_EXPORT ASN1_UTCTIME *d2i_ASN1_UTCTIME(ASN1_UTCTIME **out,\n const uint8_t **inp, long len);\n\n// i2d_ASN1_UTCTIME marshals |in| as a DER-encoded ASN.1 UTCTime, as\n// described in |i2d_SAMPLE|.\nOPENSSL_EXPORT int i2d_ASN1_UTCTIME(const ASN1_UTCTIME *in, uint8_t **outp);\n\n// ASN1_UTCTIME is an |ASN1_ITEM| with ASN.1 type UTCTime and C type\n// |ASN1_UTCTIME*|.\nDECLARE_ASN1_ITEM(ASN1_UTCTIME)\n\n// ASN1_UTCTIME_check returns one if |a| is a valid UTCTime and zero otherwise.\nOPENSSL_EXPORT int ASN1_UTCTIME_check(const ASN1_UTCTIME *a);\n\n// ASN1_UTCTIME_set represents |posix_time| as a UTCTime and writes the result\n// to |s|. It returns |s| on success and NULL on error. If |s| is NULL, it\n// returns a newly-allocated |ASN1_UTCTIME| instead.\n//\n// Note this function may fail if the time is out of range for UTCTime.\nOPENSSL_EXPORT ASN1_UTCTIME *ASN1_UTCTIME_set(ASN1_UTCTIME *s,\n int64_t posix_time);\n\n// ASN1_UTCTIME_adj adds |offset_day| days and |offset_sec| seconds to\n// |posix_time| and writes the result to |s| as a UTCTime. It returns |s| on\n// success and NULL on error. If |s| is NULL, it returns a newly-allocated\n// |ASN1_UTCTIME| instead.\n//\n// Note this function may fail if the time overflows or is out of range for\n// UTCTime.\nOPENSSL_EXPORT ASN1_UTCTIME *ASN1_UTCTIME_adj(ASN1_UTCTIME *s,\n int64_t posix_time,\n int offset_day, long offset_sec);\n\n// ASN1_UTCTIME_set_string sets |s| to a UTCTime whose contents are a copy of\n// |str|. It returns one on success and zero on error or if |str| is not a valid\n// UTCTime.\n//\n// If |s| is NULL, this function validates |str| without copying it.\nOPENSSL_EXPORT int ASN1_UTCTIME_set_string(ASN1_UTCTIME *s, const char *str);\n\n// ASN1_GENERALIZEDTIME_new calls |ASN1_STRING_type_new| with\n// |V_ASN1_GENERALIZEDTIME|. The resulting object contains empty contents and\n// must be initialized to be a valid GeneralizedTime.\nOPENSSL_EXPORT ASN1_GENERALIZEDTIME *ASN1_GENERALIZEDTIME_new(void);\n\n// ASN1_GENERALIZEDTIME_free calls |ASN1_STRING_free|.\nOPENSSL_EXPORT void ASN1_GENERALIZEDTIME_free(ASN1_GENERALIZEDTIME *str);\n\n// d2i_ASN1_GENERALIZEDTIME parses up to |len| bytes from |*inp| as a\n// DER-encoded ASN.1 GeneralizedTime, as described in |d2i_SAMPLE|.\nOPENSSL_EXPORT ASN1_GENERALIZEDTIME *d2i_ASN1_GENERALIZEDTIME(\n ASN1_GENERALIZEDTIME **out, const uint8_t **inp, long len);\n\n// i2d_ASN1_GENERALIZEDTIME marshals |in| as a DER-encoded ASN.1\n// GeneralizedTime, as described in |i2d_SAMPLE|.\nOPENSSL_EXPORT int i2d_ASN1_GENERALIZEDTIME(const ASN1_GENERALIZEDTIME *in,\n uint8_t **outp);\n\n// ASN1_GENERALIZEDTIME is an |ASN1_ITEM| with ASN.1 type GeneralizedTime and C\n// type |ASN1_GENERALIZEDTIME*|.\nDECLARE_ASN1_ITEM(ASN1_GENERALIZEDTIME)\n\n// ASN1_GENERALIZEDTIME_check returns one if |a| is a valid GeneralizedTime and\n// zero otherwise.\nOPENSSL_EXPORT int ASN1_GENERALIZEDTIME_check(const ASN1_GENERALIZEDTIME *a);\n\n// ASN1_GENERALIZEDTIME_set represents |posix_time| as a GeneralizedTime and\n// writes the result to |s|. It returns |s| on success and NULL on error. If |s|\n// is NULL, it returns a newly-allocated |ASN1_GENERALIZEDTIME| instead.\n//\n// Note this function may fail if the time is out of range for GeneralizedTime.\nOPENSSL_EXPORT ASN1_GENERALIZEDTIME *ASN1_GENERALIZEDTIME_set(\n ASN1_GENERALIZEDTIME *s, int64_t posix_time);\n\n// ASN1_GENERALIZEDTIME_adj adds |offset_day| days and |offset_sec| seconds to\n// |posix_time| and writes the result to |s| as a GeneralizedTime. It returns\n// |s| on success and NULL on error. If |s| is NULL, it returns a\n// newly-allocated |ASN1_GENERALIZEDTIME| instead.\n//\n// Note this function may fail if the time overflows or is out of range for\n// GeneralizedTime.\nOPENSSL_EXPORT ASN1_GENERALIZEDTIME *ASN1_GENERALIZEDTIME_adj(\n ASN1_GENERALIZEDTIME *s, int64_t posix_time, int offset_day,\n long offset_sec);\n\n// ASN1_GENERALIZEDTIME_set_string sets |s| to a GeneralizedTime whose contents\n// are a copy of |str|. It returns one on success and zero on error or if |str|\n// is not a valid GeneralizedTime.\n//\n// If |s| is NULL, this function validates |str| without copying it.\nOPENSSL_EXPORT int ASN1_GENERALIZEDTIME_set_string(ASN1_GENERALIZEDTIME *s,\n const char *str);\n\n// B_ASN1_TIME is a bitmask of types allowed in an X.509 Time.\n#define B_ASN1_TIME (B_ASN1_UTCTIME | B_ASN1_GENERALIZEDTIME)\n\n// ASN1_TIME_new returns a newly-allocated |ASN1_TIME| with type -1, or NULL on\n// error. The resulting |ASN1_TIME| is not a valid X.509 Time until initialized\n// with a value.\nOPENSSL_EXPORT ASN1_TIME *ASN1_TIME_new(void);\n\n// ASN1_TIME_free releases memory associated with |str|.\nOPENSSL_EXPORT void ASN1_TIME_free(ASN1_TIME *str);\n\n// d2i_ASN1_TIME parses up to |len| bytes from |*inp| as a DER-encoded X.509\n// Time (RFC 5280), as described in |d2i_SAMPLE|.\n//\n// TODO(https://crbug.com/boringssl/354): This function currently also accepts\n// BER, but this will be removed in the future.\nOPENSSL_EXPORT ASN1_TIME *d2i_ASN1_TIME(ASN1_TIME **out, const uint8_t **inp,\n long len);\n\n// i2d_ASN1_TIME marshals |in| as a DER-encoded X.509 Time (RFC 5280), as\n// described in |i2d_SAMPLE|.\nOPENSSL_EXPORT int i2d_ASN1_TIME(const ASN1_TIME *in, uint8_t **outp);\n\n// ASN1_TIME is an |ASN1_ITEM| whose ASN.1 type is X.509 Time (RFC 5280) and C\n// type is |ASN1_TIME*|.\nDECLARE_ASN1_ITEM(ASN1_TIME)\n\n// ASN1_TIME_diff computes |to| - |from|. On success, it sets |*out_days| to the\n// difference in days, rounded towards zero, sets |*out_seconds| to the\n// remainder, and returns one. On error, it returns zero.\n//\n// If |from| is before |to|, both outputs will be <= 0, with at least one\n// negative. If |from| is after |to|, both will be >= 0, with at least one\n// positive. If they are equal, ignoring fractional seconds, both will be zero.\n//\n// Note this function may fail on overflow, or if |from| or |to| cannot be\n// decoded.\nOPENSSL_EXPORT int ASN1_TIME_diff(int *out_days, int *out_seconds,\n const ASN1_TIME *from, const ASN1_TIME *to);\n\n// ASN1_TIME_set_posix represents |posix_time| as a GeneralizedTime or UTCTime\n// and writes the result to |s|. As in RFC 5280, section 4.1.2.5, it uses\n// UTCTime when the time fits and GeneralizedTime otherwise. It returns |s| on\n// success and NULL on error. If |s| is NULL, it returns a newly-allocated\n// |ASN1_TIME| instead.\n//\n// Note this function may fail if the time is out of range for GeneralizedTime.\nOPENSSL_EXPORT ASN1_TIME *ASN1_TIME_set_posix(ASN1_TIME *s, int64_t posix_time);\n\n// ASN1_TIME_set is exactly the same as |ASN1_TIME_set_posix| but with a\n// time_t as input for compatibility.\nOPENSSL_EXPORT ASN1_TIME *ASN1_TIME_set(ASN1_TIME *s, time_t time);\n\n// ASN1_TIME_adj adds |offset_day| days and |offset_sec| seconds to\n// |posix_time| and writes the result to |s|. As in RFC 5280, section 4.1.2.5,\n// it uses UTCTime when the time fits and GeneralizedTime otherwise. It returns\n// |s| on success and NULL on error. If |s| is NULL, it returns a\n// newly-allocated |ASN1_GENERALIZEDTIME| instead.\n//\n// Note this function may fail if the time overflows or is out of range for\n// GeneralizedTime.\nOPENSSL_EXPORT ASN1_TIME *ASN1_TIME_adj(ASN1_TIME *s, int64_t posix_time,\n int offset_day, long offset_sec);\n\n// ASN1_TIME_check returns one if |t| is a valid UTCTime or GeneralizedTime, and\n// zero otherwise. |t|'s type determines which check is performed. This\n// function does not enforce that UTCTime was used when possible.\nOPENSSL_EXPORT int ASN1_TIME_check(const ASN1_TIME *t);\n\n// ASN1_TIME_to_generalizedtime converts |t| to a GeneralizedTime. If |out| is\n// NULL, it returns a newly-allocated |ASN1_GENERALIZEDTIME| on success, or NULL\n// on error. If |out| is non-NULL and |*out| is NULL, it additionally sets\n// |*out| to the result. If |out| and |*out| are non-NULL, it instead updates\n// the object pointed by |*out| and returns |*out| on success or NULL on error.\nOPENSSL_EXPORT ASN1_GENERALIZEDTIME *ASN1_TIME_to_generalizedtime(\n const ASN1_TIME *t, ASN1_GENERALIZEDTIME **out);\n\n// ASN1_TIME_set_string behaves like |ASN1_UTCTIME_set_string| if |str| is a\n// valid UTCTime, and |ASN1_GENERALIZEDTIME_set_string| if |str| is a valid\n// GeneralizedTime. If |str| is neither, it returns zero.\nOPENSSL_EXPORT int ASN1_TIME_set_string(ASN1_TIME *s, const char *str);\n\n// ASN1_TIME_set_string_X509 behaves like |ASN1_TIME_set_string| except it\n// additionally converts GeneralizedTime to UTCTime if it is in the range where\n// UTCTime is used. See RFC 5280, section 4.1.2.5.\nOPENSSL_EXPORT int ASN1_TIME_set_string_X509(ASN1_TIME *s, const char *str);\n\n// ASN1_TIME_to_time_t converts |t| to a time_t value in |out|. On\n// success, one is returned. On failure, zero is returned. This function\n// will fail if the time can not be represented in a time_t.\nOPENSSL_EXPORT int ASN1_TIME_to_time_t(const ASN1_TIME *t, time_t *out);\n\n// ASN1_TIME_to_posix converts |t| to a POSIX time value in |out|. On\n// success, one is returned. On failure, zero is returned.\nOPENSSL_EXPORT int ASN1_TIME_to_posix(const ASN1_TIME *t, int64_t *out);\n\n// ASN1_TIME_to_posix_nonstandard converts |t| to a POSIX time value in\n// |out|. It is exactly the same as |ASN1_TIME_to_posix| but allows for\n// non-standard four-digit timezone offsets on UTC times. On success, one is\n// returned. On failure, zero is returned. |ASN1_TIME_to_posix| should normally\n// be used instead of this function.\nOPENSSL_EXPORT int ASN1_TIME_to_posix_nonstandard(\n const ASN1_TIME *t, int64_t *out);\n\n// TODO(davidben): Expand and document function prototypes generated in macros.\n\n\n// NULL values.\n//\n// This library represents the ASN.1 NULL value by a non-NULL pointer to the\n// opaque type |ASN1_NULL|. An omitted OPTIONAL ASN.1 NULL value is a NULL\n// pointer. Unlike other pointer types, it is not necessary to free |ASN1_NULL|\n// pointers, but it is safe to do so.\n\n// ASN1_NULL_new returns an opaque, non-NULL pointer. It is safe to call\n// |ASN1_NULL_free| on the result, but not necessary.\nOPENSSL_EXPORT ASN1_NULL *ASN1_NULL_new(void);\n\n// ASN1_NULL_free does nothing.\nOPENSSL_EXPORT void ASN1_NULL_free(ASN1_NULL *null);\n\n// d2i_ASN1_NULL parses a DER-encoded ASN.1 NULL value from up to |len| bytes\n// at |*inp|, as described in |d2i_SAMPLE|.\nOPENSSL_EXPORT ASN1_NULL *d2i_ASN1_NULL(ASN1_NULL **out, const uint8_t **inp,\n long len);\n\n// i2d_ASN1_NULL marshals |in| as a DER-encoded ASN.1 NULL value, as described\n// in |i2d_SAMPLE|.\nOPENSSL_EXPORT int i2d_ASN1_NULL(const ASN1_NULL *in, uint8_t **outp);\n\n// ASN1_NULL is an |ASN1_ITEM| with ASN.1 type NULL and C type |ASN1_NULL*|.\nDECLARE_ASN1_ITEM(ASN1_NULL)\n\n\n// Object identifiers.\n//\n// An |ASN1_OBJECT| represents a ASN.1 OBJECT IDENTIFIER. See also obj.h for\n// additional functions relating to |ASN1_OBJECT|.\n//\n// TODO(davidben): What's the relationship between asn1.h and obj.h? Most of\n// obj.h deals with the large NID table, but then functions like |OBJ_get0_data|\n// or |OBJ_dup| are general |ASN1_OBJECT| functions.\n\nDEFINE_STACK_OF(ASN1_OBJECT)\n\n// ASN1_OBJECT_create returns a newly-allocated |ASN1_OBJECT| with |len| bytes\n// from |data| as the encoded OID, or NULL on error. |data| should contain the\n// DER-encoded identifier, excluding the tag and length.\n//\n// |nid| should be |NID_undef|. Passing a NID value that does not match |data|\n// will cause some functions to misbehave. |sn| and |ln| should be NULL. If\n// non-NULL, they are stored as short and long names, respectively, but these\n// values have no effect for |ASN1_OBJECT|s created through this function.\n//\n// TODO(davidben): Should we just ignore all those parameters? NIDs and names\n// are only relevant for |ASN1_OBJECT|s in the obj.h table.\nOPENSSL_EXPORT ASN1_OBJECT *ASN1_OBJECT_create(int nid, const uint8_t *data,\n size_t len, const char *sn,\n const char *ln);\n\n// ASN1_OBJECT_free releases memory associated with |a|. If |a| is a static\n// |ASN1_OBJECT|, returned from |OBJ_nid2obj|, this function does nothing.\nOPENSSL_EXPORT void ASN1_OBJECT_free(ASN1_OBJECT *a);\n\n// d2i_ASN1_OBJECT parses a DER-encoded ASN.1 OBJECT IDENTIFIER from up to |len|\n// bytes at |*inp|, as described in |d2i_SAMPLE|.\nOPENSSL_EXPORT ASN1_OBJECT *d2i_ASN1_OBJECT(ASN1_OBJECT **out,\n const uint8_t **inp, long len);\n\n// i2d_ASN1_OBJECT marshals |in| as a DER-encoded ASN.1 OBJECT IDENTIFIER, as\n// described in |i2d_SAMPLE|.\nOPENSSL_EXPORT int i2d_ASN1_OBJECT(const ASN1_OBJECT *in, uint8_t **outp);\n\n// c2i_ASN1_OBJECT decodes |len| bytes from |*inp| as the contents of a\n// DER-encoded OBJECT IDENTIFIER, excluding the tag and length. It behaves like\n// |d2i_SAMPLE| except, on success, it always consumes all |len| bytes.\nOPENSSL_EXPORT ASN1_OBJECT *c2i_ASN1_OBJECT(ASN1_OBJECT **out,\n const uint8_t **inp, long len);\n\n// ASN1_OBJECT is an |ASN1_ITEM| with ASN.1 type OBJECT IDENTIFIER and C type\n// |ASN1_OBJECT*|.\nDECLARE_ASN1_ITEM(ASN1_OBJECT)\n\n\n// Arbitrary elements.\n\n// An asn1_type_st (aka |ASN1_TYPE|) represents an arbitrary ASN.1 element,\n// typically used for ANY types. It contains a |type| field and a |value| union\n// dependent on |type|.\n//\n// WARNING: This struct has a complex representation. Callers must not construct\n// |ASN1_TYPE| values manually. Use |ASN1_TYPE_set| and |ASN1_TYPE_set1|\n// instead. Additionally, callers performing non-trivial operations on this type\n// are encouraged to use |CBS| and |CBB| from , and\n// convert to or from |ASN1_TYPE| with |d2i_ASN1_TYPE| or |i2d_ASN1_TYPE|.\n//\n// The |type| field corresponds to the tag of the ASN.1 element being\n// represented:\n//\n// If |type| is a |V_ASN1_*| constant for an ASN.1 string-like type, as defined\n// by |ASN1_STRING|, the tag matches the constant. |value| contains an\n// |ASN1_STRING| pointer (equivalently, one of the more specific typedefs). See\n// |ASN1_STRING| for details on the representation. Unlike |ASN1_STRING|,\n// |ASN1_TYPE| does not use the |V_ASN1_NEG| flag for negative INTEGER and\n// ENUMERATE values. For a negative value, the |ASN1_TYPE|'s |type| will be\n// |V_ASN1_INTEGER| or |V_ASN1_ENUMERATED|, but |value| will an |ASN1_STRING|\n// whose |type| is |V_ASN1_NEG_INTEGER| or |V_ASN1_NEG_ENUMERATED|.\n//\n// If |type| is |V_ASN1_OBJECT|, the tag is OBJECT IDENTIFIER and |value|\n// contains an |ASN1_OBJECT| pointer.\n//\n// If |type| is |V_ASN1_NULL|, the tag is NULL. |value| contains a NULL pointer.\n//\n// If |type| is |V_ASN1_BOOLEAN|, the tag is BOOLEAN. |value| contains an\n// |ASN1_BOOLEAN|.\n//\n// If |type| is |V_ASN1_SEQUENCE|, |V_ASN1_SET|, or |V_ASN1_OTHER|, the tag is\n// SEQUENCE, SET, or some arbitrary tag, respectively. |value| uses the\n// corresponding |ASN1_STRING| representation. Although any type may be\n// represented in |V_ASN1_OTHER|, the parser will always return the more\n// specific encoding when available.\n//\n// Other values of |type| do not represent a valid ASN.1 value, though\n// default-constructed objects may set |type| to -1. Such objects cannot be\n// serialized.\nstruct asn1_type_st {\n int type;\n union {\n char *ptr;\n ASN1_BOOLEAN boolean;\n ASN1_STRING *asn1_string;\n ASN1_OBJECT *object;\n ASN1_INTEGER *integer;\n ASN1_ENUMERATED *enumerated;\n ASN1_BIT_STRING *bit_string;\n ASN1_OCTET_STRING *octet_string;\n ASN1_PRINTABLESTRING *printablestring;\n ASN1_T61STRING *t61string;\n ASN1_IA5STRING *ia5string;\n ASN1_GENERALSTRING *generalstring;\n ASN1_BMPSTRING *bmpstring;\n ASN1_UNIVERSALSTRING *universalstring;\n ASN1_UTCTIME *utctime;\n ASN1_GENERALIZEDTIME *generalizedtime;\n ASN1_VISIBLESTRING *visiblestring;\n ASN1_UTF8STRING *utf8string;\n // set and sequence are left complete and still contain the entire element.\n ASN1_STRING *set;\n ASN1_STRING *sequence;\n ASN1_VALUE *asn1_value;\n } value;\n};\n\nDEFINE_STACK_OF(ASN1_TYPE)\n\n// ASN1_TYPE_new returns a newly-allocated |ASN1_TYPE|, or NULL on allocation\n// failure. The resulting object has type -1 and must be initialized to be\n// a valid ANY value.\nOPENSSL_EXPORT ASN1_TYPE *ASN1_TYPE_new(void);\n\n// ASN1_TYPE_free releases memory associated with |a|.\nOPENSSL_EXPORT void ASN1_TYPE_free(ASN1_TYPE *a);\n\n// d2i_ASN1_TYPE parses up to |len| bytes from |*inp| as an ASN.1 value of any\n// type, as described in |d2i_SAMPLE|. Note this function only validates\n// primitive, universal types supported by this library. Values of type\n// |V_ASN1_SEQUENCE|, |V_ASN1_SET|, |V_ASN1_OTHER|, or an unsupported primitive\n// type must be validated by the caller when interpreting.\n//\n// TODO(https://crbug.com/boringssl/354): This function currently also accepts\n// BER, but this will be removed in the future.\nOPENSSL_EXPORT ASN1_TYPE *d2i_ASN1_TYPE(ASN1_TYPE **out, const uint8_t **inp,\n long len);\n\n// i2d_ASN1_TYPE marshals |in| as DER, as described in |i2d_SAMPLE|.\nOPENSSL_EXPORT int i2d_ASN1_TYPE(const ASN1_TYPE *in, uint8_t **outp);\n\n// ASN1_ANY is an |ASN1_ITEM| with ASN.1 type ANY and C type |ASN1_TYPE*|. Note\n// the |ASN1_ITEM| name and C type do not match.\nDECLARE_ASN1_ITEM(ASN1_ANY)\n\n// ASN1_TYPE_get returns the type of |a|, which will be one of the |V_ASN1_*|\n// constants, or zero if |a| is not fully initialized.\nOPENSSL_EXPORT int ASN1_TYPE_get(const ASN1_TYPE *a);\n\n// ASN1_TYPE_set sets |a| to an |ASN1_TYPE| of type |type| and value |value|,\n// releasing the previous contents of |a|.\n//\n// If |type| is |V_ASN1_BOOLEAN|, |a| is set to FALSE if |value| is NULL and\n// TRUE otherwise. If setting |a| to TRUE, |value| may be an invalid pointer,\n// such as (void*)1.\n//\n// If |type| is |V_ASN1_NULL|, |value| must be NULL.\n//\n// For other values of |type|, this function takes ownership of |value|, which\n// must point to an object of the corresponding type. See |ASN1_TYPE| for\n// details.\nOPENSSL_EXPORT void ASN1_TYPE_set(ASN1_TYPE *a, int type, void *value);\n\n// ASN1_TYPE_set1 behaves like |ASN1_TYPE_set| except it does not take ownership\n// of |value|. It returns one on success and zero on error.\nOPENSSL_EXPORT int ASN1_TYPE_set1(ASN1_TYPE *a, int type, const void *value);\n\n// ASN1_TYPE_cmp returns zero if |a| and |b| are equal and some non-zero value\n// otherwise. Note this function can only be used for equality checks, not an\n// ordering.\nOPENSSL_EXPORT int ASN1_TYPE_cmp(const ASN1_TYPE *a, const ASN1_TYPE *b);\n\ntypedef STACK_OF(ASN1_TYPE) ASN1_SEQUENCE_ANY;\n\n// d2i_ASN1_SEQUENCE_ANY parses up to |len| bytes from |*inp| as a DER-encoded\n// ASN.1 SEQUENCE OF ANY structure, as described in |d2i_SAMPLE|. The resulting\n// |ASN1_SEQUENCE_ANY| owns its contents and thus must be released with\n// |sk_ASN1_TYPE_pop_free| and |ASN1_TYPE_free|, not |sk_ASN1_TYPE_free|.\n//\n// TODO(https://crbug.com/boringssl/354): This function currently also accepts\n// BER, but this will be removed in the future.\nOPENSSL_EXPORT ASN1_SEQUENCE_ANY *d2i_ASN1_SEQUENCE_ANY(ASN1_SEQUENCE_ANY **out,\n const uint8_t **inp,\n long len);\n\n// i2d_ASN1_SEQUENCE_ANY marshals |in| as a DER-encoded SEQUENCE OF ANY\n// structure, as described in |i2d_SAMPLE|.\nOPENSSL_EXPORT int i2d_ASN1_SEQUENCE_ANY(const ASN1_SEQUENCE_ANY *in,\n uint8_t **outp);\n\n// d2i_ASN1_SET_ANY parses up to |len| bytes from |*inp| as a DER-encoded ASN.1\n// SET OF ANY structure, as described in |d2i_SAMPLE|. The resulting\n// |ASN1_SEQUENCE_ANY| owns its contents and thus must be released with\n// |sk_ASN1_TYPE_pop_free| and |ASN1_TYPE_free|, not |sk_ASN1_TYPE_free|.\n//\n// TODO(https://crbug.com/boringssl/354): This function currently also accepts\n// BER, but this will be removed in the future.\nOPENSSL_EXPORT ASN1_SEQUENCE_ANY *d2i_ASN1_SET_ANY(ASN1_SEQUENCE_ANY **out,\n const uint8_t **inp,\n long len);\n\n// i2d_ASN1_SET_ANY marshals |in| as a DER-encoded SET OF ANY structure, as\n// described in |i2d_SAMPLE|.\nOPENSSL_EXPORT int i2d_ASN1_SET_ANY(const ASN1_SEQUENCE_ANY *in,\n uint8_t **outp);\n\n\n// Human-readable output.\n//\n// The following functions output types in some human-readable format. These\n// functions may be used for debugging and logging. However, the output should\n// not be consumed programmatically. They may be ambiguous or lose information.\n\n// ASN1_UTCTIME_print writes a human-readable representation of |a| to |out|. It\n// returns one on success and zero on error.\nOPENSSL_EXPORT int ASN1_UTCTIME_print(BIO *out, const ASN1_UTCTIME *a);\n\n// ASN1_GENERALIZEDTIME_print writes a human-readable representation of |a| to\n// |out|. It returns one on success and zero on error.\nOPENSSL_EXPORT int ASN1_GENERALIZEDTIME_print(BIO *out,\n const ASN1_GENERALIZEDTIME *a);\n\n// ASN1_TIME_print writes a human-readable representation of |a| to |out|. It\n// returns one on success and zero on error.\nOPENSSL_EXPORT int ASN1_TIME_print(BIO *out, const ASN1_TIME *a);\n\n// ASN1_STRING_print writes a human-readable representation of |str| to |out|.\n// It returns one on success and zero on error. Unprintable characters are\n// replaced with '.'.\nOPENSSL_EXPORT int ASN1_STRING_print(BIO *out, const ASN1_STRING *str);\n\n// The following flags must not collide with |XN_FLAG_*|.\n\n// ASN1_STRFLGS_ESC_2253 causes characters to be escaped as in RFC 2253, section\n// 2.4.\n#define ASN1_STRFLGS_ESC_2253 1ul\n\n// ASN1_STRFLGS_ESC_CTRL causes all control characters to be escaped.\n#define ASN1_STRFLGS_ESC_CTRL 2ul\n\n// ASN1_STRFLGS_ESC_MSB causes all characters above 127 to be escaped.\n#define ASN1_STRFLGS_ESC_MSB 4ul\n\n// ASN1_STRFLGS_ESC_QUOTE causes the string to be surrounded by quotes, rather\n// than using backslashes, when characters are escaped. Fewer characters will\n// require escapes in this case.\n#define ASN1_STRFLGS_ESC_QUOTE 8ul\n\n// ASN1_STRFLGS_UTF8_CONVERT causes the string to be encoded as UTF-8, with each\n// byte in the UTF-8 encoding treated as an individual character for purposes of\n// escape sequences. If not set, each Unicode codepoint in the string is treated\n// as a character, with wide characters escaped as \"\\Uxxxx\" or \"\\Wxxxxxxxx\".\n// Note this can be ambiguous if |ASN1_STRFLGS_ESC_*| are all unset. In that\n// case, backslashes are not escaped, but wide characters are.\n#define ASN1_STRFLGS_UTF8_CONVERT 0x10ul\n\n// ASN1_STRFLGS_IGNORE_TYPE causes the string type to be ignored. The\n// |ASN1_STRING| in-memory representation will be printed directly.\n#define ASN1_STRFLGS_IGNORE_TYPE 0x20ul\n\n// ASN1_STRFLGS_SHOW_TYPE causes the string type to be included in the output.\n#define ASN1_STRFLGS_SHOW_TYPE 0x40ul\n\n// ASN1_STRFLGS_DUMP_ALL causes all strings to be printed as a hexdump, using\n// RFC 2253 hexstring notation, such as \"#0123456789ABCDEF\".\n#define ASN1_STRFLGS_DUMP_ALL 0x80ul\n\n// ASN1_STRFLGS_DUMP_UNKNOWN behaves like |ASN1_STRFLGS_DUMP_ALL| but only\n// applies to values of unknown type. If unset, unknown values will print\n// their contents as single-byte characters with escape sequences.\n#define ASN1_STRFLGS_DUMP_UNKNOWN 0x100ul\n\n// ASN1_STRFLGS_DUMP_DER causes hexdumped strings (as determined by\n// |ASN1_STRFLGS_DUMP_ALL| or |ASN1_STRFLGS_DUMP_UNKNOWN|) to print the entire\n// DER element as in RFC 2253, rather than only the contents of the\n// |ASN1_STRING|.\n#define ASN1_STRFLGS_DUMP_DER 0x200ul\n\n// ASN1_STRFLGS_RFC2253 causes the string to be escaped as in RFC 2253,\n// additionally escaping control characters.\n#define ASN1_STRFLGS_RFC2253 \\\n (ASN1_STRFLGS_ESC_2253 | ASN1_STRFLGS_ESC_CTRL | ASN1_STRFLGS_ESC_MSB | \\\n ASN1_STRFLGS_UTF8_CONVERT | ASN1_STRFLGS_DUMP_UNKNOWN | \\\n ASN1_STRFLGS_DUMP_DER)\n\n// ASN1_STRING_print_ex writes a human-readable representation of |str| to\n// |out|. It returns the number of bytes written on success and -1 on error. If\n// |out| is NULL, it returns the number of bytes it would have written, without\n// writing anything.\n//\n// The |flags| should be a combination of combination of |ASN1_STRFLGS_*|\n// constants. See the documentation for each flag for how it controls the\n// output. If unsure, use |ASN1_STRFLGS_RFC2253|.\nOPENSSL_EXPORT int ASN1_STRING_print_ex(BIO *out, const ASN1_STRING *str,\n unsigned long flags);\n\n// ASN1_STRING_print_ex_fp behaves like |ASN1_STRING_print_ex| but writes to a\n// |FILE| rather than a |BIO|.\nOPENSSL_EXPORT int ASN1_STRING_print_ex_fp(FILE *fp, const ASN1_STRING *str,\n unsigned long flags);\n\n// i2a_ASN1_INTEGER writes a human-readable representation of |a| to |bp|. It\n// returns the number of bytes written on success, or a negative number on\n// error. On error, this function may have written a partial output to |bp|.\nOPENSSL_EXPORT int i2a_ASN1_INTEGER(BIO *bp, const ASN1_INTEGER *a);\n\n// i2a_ASN1_ENUMERATED writes a human-readable representation of |a| to |bp|. It\n// returns the number of bytes written on success, or a negative number on\n// error. On error, this function may have written a partial output to |bp|.\nOPENSSL_EXPORT int i2a_ASN1_ENUMERATED(BIO *bp, const ASN1_ENUMERATED *a);\n\n// i2a_ASN1_OBJECT writes a human-readable representation of |a| to |bp|. It\n// returns the number of bytes written on success, or a negative number on\n// error. On error, this function may have written a partial output to |bp|.\nOPENSSL_EXPORT int i2a_ASN1_OBJECT(BIO *bp, const ASN1_OBJECT *a);\n\n// i2a_ASN1_STRING writes a text representation of |a|'s contents to |bp|. It\n// returns the number of bytes written on success, or a negative number on\n// error. On error, this function may have written a partial output to |bp|.\n// |type| is ignored.\n//\n// This function does not decode |a| into a Unicode string. It only hex-encodes\n// the internal representation of |a|. This is suitable for printing an OCTET\n// STRING, but may not be human-readable for any other string type.\nOPENSSL_EXPORT int i2a_ASN1_STRING(BIO *bp, const ASN1_STRING *a, int type);\n\n// i2t_ASN1_OBJECT calls |OBJ_obj2txt| with |always_return_oid| set to zero.\nOPENSSL_EXPORT int i2t_ASN1_OBJECT(char *buf, int buf_len,\n const ASN1_OBJECT *a);\n\n\n// Low-level encoding functions.\n\n// ASN1_get_object parses a BER element from up to |max_len| bytes at |*inp|. It\n// returns |V_ASN1_CONSTRUCTED| if it successfully parsed a constructed element,\n// zero if it successfully parsed a primitive element, and 0x80 on error. On\n// success, it additionally advances |*inp| to the element body, sets\n// |*out_length|, |*out_tag|, and |*out_class| to the element's length, tag\n// number, and tag class, respectively,\n//\n// Unlike OpenSSL, this function only supports DER. Indefinite and non-minimal\n// lengths are rejected.\n//\n// This function is difficult to use correctly. Use |CBS_get_asn1| and related\n// functions from bytestring.h.\nOPENSSL_EXPORT int ASN1_get_object(const unsigned char **inp, long *out_length,\n int *out_tag, int *out_class, long max_len);\n\n// ASN1_put_object writes the header for a DER or BER element to |*outp| and\n// advances |*outp| by the number of bytes written. The caller is responsible\n// for ensuring |*outp| has enough space for the output. The header describes an\n// element with length |length|, tag number |tag|, and class |xclass|. |xclass|\n// should be one of the |V_ASN1_*| tag class constants. The element is primitive\n// if |constructed| is zero and constructed if it is one or two. If\n// |constructed| is two, |length| is ignored and the element uses\n// indefinite-length encoding.\n//\n// Use |CBB_add_asn1| instead.\nOPENSSL_EXPORT void ASN1_put_object(unsigned char **outp, int constructed,\n int length, int tag, int xclass);\n\n// ASN1_put_eoc writes two zero bytes to |*outp|, advances |*outp| to point past\n// those bytes, and returns two.\n//\n// Use definite-length encoding instead.\nOPENSSL_EXPORT int ASN1_put_eoc(unsigned char **outp);\n\n// ASN1_object_size returns the number of bytes needed to encode a DER or BER\n// value with length |length| and tag number |tag|, or -1 on error. |tag| should\n// not include the constructed bit or tag class. If |constructed| is zero or\n// one, the result uses a definite-length encoding with minimally-encoded\n// length, as in DER. If |constructed| is two, the result uses BER\n// indefinite-length encoding.\n//\n// Use |CBB_add_asn1| instead.\nOPENSSL_EXPORT int ASN1_object_size(int constructed, int length, int tag);\n\n\n// Function declaration macros.\n//\n// The following macros declare functions for ASN.1 types. Prefer writing the\n// prototypes directly. Particularly when |type|, |itname|, or |name| differ,\n// the macros can be difficult to understand.\n\n#define DECLARE_ASN1_FUNCTIONS(type) DECLARE_ASN1_FUNCTIONS_name(type, type)\n\n#define DECLARE_ASN1_ALLOC_FUNCTIONS(type) \\\n DECLARE_ASN1_ALLOC_FUNCTIONS_name(type, type)\n\n#define DECLARE_ASN1_FUNCTIONS_name(type, name) \\\n DECLARE_ASN1_ALLOC_FUNCTIONS_name(type, name) \\\n DECLARE_ASN1_ENCODE_FUNCTIONS(type, name, name)\n\n#define DECLARE_ASN1_FUNCTIONS_fname(type, itname, name) \\\n DECLARE_ASN1_ALLOC_FUNCTIONS_name(type, name) \\\n DECLARE_ASN1_ENCODE_FUNCTIONS(type, itname, name)\n\n#define DECLARE_ASN1_ENCODE_FUNCTIONS(type, itname, name) \\\n OPENSSL_EXPORT type *d2i_##name(type **a, const unsigned char **in, \\\n long len); \\\n OPENSSL_EXPORT int i2d_##name(type *a, unsigned char **out); \\\n DECLARE_ASN1_ITEM(itname)\n\n#define DECLARE_ASN1_ENCODE_FUNCTIONS_const(type, name) \\\n OPENSSL_EXPORT type *d2i_##name(type **a, const unsigned char **in, \\\n long len); \\\n OPENSSL_EXPORT int i2d_##name(const type *a, unsigned char **out); \\\n DECLARE_ASN1_ITEM(name)\n\n#define DECLARE_ASN1_FUNCTIONS_const(name) \\\n DECLARE_ASN1_ALLOC_FUNCTIONS(name) \\\n DECLARE_ASN1_ENCODE_FUNCTIONS_const(name, name)\n\n#define DECLARE_ASN1_ALLOC_FUNCTIONS_name(type, name) \\\n OPENSSL_EXPORT type *name##_new(void); \\\n OPENSSL_EXPORT void name##_free(type *a);\n\n\n// Deprecated functions.\n\n// ASN1_STRING_set_default_mask does nothing.\nOPENSSL_EXPORT void ASN1_STRING_set_default_mask(unsigned long mask);\n\n// ASN1_STRING_set_default_mask_asc returns one.\nOPENSSL_EXPORT int ASN1_STRING_set_default_mask_asc(const char *p);\n\n// ASN1_STRING_get_default_mask returns |B_ASN1_UTF8STRING|.\nOPENSSL_EXPORT unsigned long ASN1_STRING_get_default_mask(void);\n\n// ASN1_STRING_TABLE_cleanup does nothing.\nOPENSSL_EXPORT void ASN1_STRING_TABLE_cleanup(void);\n\n// M_ASN1_* are legacy aliases for various |ASN1_STRING| functions. Use the\n// functions themselves.\n#define M_ASN1_STRING_length(x) ASN1_STRING_length(x)\n#define M_ASN1_STRING_type(x) ASN1_STRING_type(x)\n#define M_ASN1_STRING_data(x) ASN1_STRING_data(x)\n#define M_ASN1_BIT_STRING_new() ASN1_BIT_STRING_new()\n#define M_ASN1_BIT_STRING_free(a) ASN1_BIT_STRING_free(a)\n#define M_ASN1_BIT_STRING_dup(a) ASN1_STRING_dup(a)\n#define M_ASN1_BIT_STRING_cmp(a, b) ASN1_STRING_cmp(a, b)\n#define M_ASN1_BIT_STRING_set(a, b, c) ASN1_BIT_STRING_set(a, b, c)\n#define M_ASN1_INTEGER_new() ASN1_INTEGER_new()\n#define M_ASN1_INTEGER_free(a) ASN1_INTEGER_free(a)\n#define M_ASN1_INTEGER_dup(a) ASN1_INTEGER_dup(a)\n#define M_ASN1_INTEGER_cmp(a, b) ASN1_INTEGER_cmp(a, b)\n#define M_ASN1_ENUMERATED_new() ASN1_ENUMERATED_new()\n#define M_ASN1_ENUMERATED_free(a) ASN1_ENUMERATED_free(a)\n#define M_ASN1_ENUMERATED_dup(a) ASN1_STRING_dup(a)\n#define M_ASN1_ENUMERATED_cmp(a, b) ASN1_STRING_cmp(a, b)\n#define M_ASN1_OCTET_STRING_new() ASN1_OCTET_STRING_new()\n#define M_ASN1_OCTET_STRING_free(a) ASN1_OCTET_STRING_free()\n#define M_ASN1_OCTET_STRING_dup(a) ASN1_OCTET_STRING_dup(a)\n#define M_ASN1_OCTET_STRING_cmp(a, b) ASN1_OCTET_STRING_cmp(a, b)\n#define M_ASN1_OCTET_STRING_set(a, b, c) ASN1_OCTET_STRING_set(a, b, c)\n#define M_ASN1_OCTET_STRING_print(a, b) ASN1_STRING_print(a, b)\n#define M_ASN1_PRINTABLESTRING_new() ASN1_PRINTABLESTRING_new()\n#define M_ASN1_PRINTABLESTRING_free(a) ASN1_PRINTABLESTRING_free(a)\n#define M_ASN1_IA5STRING_new() ASN1_IA5STRING_new()\n#define M_ASN1_IA5STRING_free(a) ASN1_IA5STRING_free(a)\n#define M_ASN1_IA5STRING_dup(a) ASN1_STRING_dup(a)\n#define M_ASN1_UTCTIME_new() ASN1_UTCTIME_new()\n#define M_ASN1_UTCTIME_free(a) ASN1_UTCTIME_free(a)\n#define M_ASN1_UTCTIME_dup(a) ASN1_STRING_dup(a)\n#define M_ASN1_T61STRING_new() ASN1_T61STRING_new()\n#define M_ASN1_T61STRING_free(a) ASN1_T61STRING_free(a)\n#define M_ASN1_GENERALIZEDTIME_new() ASN1_GENERALIZEDTIME_new()\n#define M_ASN1_GENERALIZEDTIME_free(a) ASN1_GENERALIZEDTIME_free(a)\n#define M_ASN1_GENERALIZEDTIME_dup(a) ASN1_STRING_dup(a)\n#define M_ASN1_GENERALSTRING_new() ASN1_GENERALSTRING_new()\n#define M_ASN1_GENERALSTRING_free(a) ASN1_GENERALSTRING_free(a)\n#define M_ASN1_UNIVERSALSTRING_new() ASN1_UNIVERSALSTRING_new()\n#define M_ASN1_UNIVERSALSTRING_free(a) ASN1_UNIVERSALSTRING_free(a)\n#define M_ASN1_BMPSTRING_new() ASN1_BMPSTRING_new()\n#define M_ASN1_BMPSTRING_free(a) ASN1_BMPSTRING_free(a)\n#define M_ASN1_VISIBLESTRING_new() ASN1_VISIBLESTRING_new()\n#define M_ASN1_VISIBLESTRING_free(a) ASN1_VISIBLESTRING_free(a)\n#define M_ASN1_UTF8STRING_new() ASN1_UTF8STRING_new()\n#define M_ASN1_UTF8STRING_free(a) ASN1_UTF8STRING_free(a)\n\n// B_ASN1_PRINTABLE is a bitmask for an ad-hoc subset of string-like types. Note\n// the presence of |B_ASN1_UNKNOWN| means it includes types which |ASN1_tag2bit|\n// maps to |B_ASN1_UNKNOWN|.\n//\n// Do not use this. Despite the name, it has no connection to PrintableString or\n// printable characters. See https://crbug.com/boringssl/412.\n#define B_ASN1_PRINTABLE \\\n (B_ASN1_NUMERICSTRING | B_ASN1_PRINTABLESTRING | B_ASN1_T61STRING | \\\n B_ASN1_IA5STRING | B_ASN1_BIT_STRING | B_ASN1_UNIVERSALSTRING | \\\n B_ASN1_BMPSTRING | B_ASN1_UTF8STRING | B_ASN1_SEQUENCE | B_ASN1_UNKNOWN)\n\n// ASN1_PRINTABLE_new returns a newly-allocated |ASN1_STRING| with type -1, or\n// NULL on error. The resulting |ASN1_STRING| is not a valid ASN.1 value until\n// initialized with a value.\nOPENSSL_EXPORT ASN1_STRING *ASN1_PRINTABLE_new(void);\n\n// ASN1_PRINTABLE_free calls |ASN1_STRING_free|.\nOPENSSL_EXPORT void ASN1_PRINTABLE_free(ASN1_STRING *str);\n\n// d2i_ASN1_PRINTABLE parses up to |len| bytes from |*inp| as a DER-encoded\n// CHOICE of an ad-hoc subset of string-like types, as described in\n// |d2i_SAMPLE|.\n//\n// Do not use this. Despite, the name it has no connection to PrintableString or\n// printable characters. See https://crbug.com/boringssl/412.\n//\n// TODO(https://crbug.com/boringssl/354): This function currently also accepts\n// BER, but this will be removed in the future.\nOPENSSL_EXPORT ASN1_STRING *d2i_ASN1_PRINTABLE(ASN1_STRING **out,\n const uint8_t **inp, long len);\n\n// i2d_ASN1_PRINTABLE marshals |in| as DER, as described in |i2d_SAMPLE|.\n//\n// Do not use this. Despite the name, it has no connection to PrintableString or\n// printable characters. See https://crbug.com/boringssl/412.\nOPENSSL_EXPORT int i2d_ASN1_PRINTABLE(const ASN1_STRING *in, uint8_t **outp);\n\n// ASN1_PRINTABLE is an |ASN1_ITEM| whose ASN.1 type is a CHOICE of an ad-hoc\n// subset of string-like types, and whose C type is |ASN1_STRING*|.\n//\n// Do not use this. Despite the name, it has no connection to PrintableString or\n// printable characters. See https://crbug.com/boringssl/412.\nDECLARE_ASN1_ITEM(ASN1_PRINTABLE)\n\n// ASN1_INTEGER_set sets |a| to an INTEGER with value |v|. It returns one on\n// success and zero on error.\n//\n// Use |ASN1_INTEGER_set_uint64| and |ASN1_INTEGER_set_int64| instead.\nOPENSSL_EXPORT int ASN1_INTEGER_set(ASN1_INTEGER *a, long v);\n\n// ASN1_ENUMERATED_set sets |a| to an ENUMERATED with value |v|. It returns one\n// on success and zero on error.\n//\n// Use |ASN1_ENUMERATED_set_uint64| and |ASN1_ENUMERATED_set_int64| instead.\nOPENSSL_EXPORT int ASN1_ENUMERATED_set(ASN1_ENUMERATED *a, long v);\n\n// ASN1_INTEGER_get returns the value of |a| as a |long|, or -1 if |a| is out of\n// range or the wrong type.\n//\n// WARNING: This function's return value cannot distinguish errors from -1.\n// Use |ASN1_INTEGER_get_uint64| and |ASN1_INTEGER_get_int64| instead.\nOPENSSL_EXPORT long ASN1_INTEGER_get(const ASN1_INTEGER *a);\n\n// ASN1_ENUMERATED_get returns the value of |a| as a |long|, or -1 if |a| is out\n// of range or the wrong type.\n//\n// WARNING: This function's return value cannot distinguish errors from -1.\n// Use |ASN1_ENUMERATED_get_uint64| and |ASN1_ENUMERATED_get_int64| instead.\nOPENSSL_EXPORT long ASN1_ENUMERATED_get(const ASN1_ENUMERATED *a);\n\n\n#if defined(__cplusplus)\n} // extern C\n\nextern \"C++\" {\n\nBSSL_NAMESPACE_BEGIN\n\nBORINGSSL_MAKE_DELETER(ASN1_OBJECT, ASN1_OBJECT_free)\nBORINGSSL_MAKE_DELETER(ASN1_STRING, ASN1_STRING_free)\nBORINGSSL_MAKE_DELETER(ASN1_TYPE, ASN1_TYPE_free)\n\nBSSL_NAMESPACE_END\n\n} // extern C++\n\n#endif\n\n#define ASN1_R_ASN1_LENGTH_MISMATCH 100\n#define ASN1_R_AUX_ERROR 101\n#define ASN1_R_BAD_GET_ASN1_OBJECT_CALL 102\n#define ASN1_R_BAD_OBJECT_HEADER 103\n#define ASN1_R_BMPSTRING_IS_WRONG_LENGTH 104\n#define ASN1_R_BN_LIB 105\n#define ASN1_R_BOOLEAN_IS_WRONG_LENGTH 106\n#define ASN1_R_BUFFER_TOO_SMALL 107\n#define ASN1_R_CONTEXT_NOT_INITIALISED 108\n#define ASN1_R_DECODE_ERROR 109\n#define ASN1_R_DEPTH_EXCEEDED 110\n#define ASN1_R_DIGEST_AND_KEY_TYPE_NOT_SUPPORTED 111\n#define ASN1_R_ENCODE_ERROR 112\n#define ASN1_R_ERROR_GETTING_TIME 113\n#define ASN1_R_EXPECTING_AN_ASN1_SEQUENCE 114\n#define ASN1_R_EXPECTING_AN_INTEGER 115\n#define ASN1_R_EXPECTING_AN_OBJECT 116\n#define ASN1_R_EXPECTING_A_BOOLEAN 117\n#define ASN1_R_EXPECTING_A_TIME 118\n#define ASN1_R_EXPLICIT_LENGTH_MISMATCH 119\n#define ASN1_R_EXPLICIT_TAG_NOT_CONSTRUCTED 120\n#define ASN1_R_FIELD_MISSING 121\n#define ASN1_R_FIRST_NUM_TOO_LARGE 122\n#define ASN1_R_HEADER_TOO_LONG 123\n#define ASN1_R_ILLEGAL_BITSTRING_FORMAT 124\n#define ASN1_R_ILLEGAL_BOOLEAN 125\n#define ASN1_R_ILLEGAL_CHARACTERS 126\n#define ASN1_R_ILLEGAL_FORMAT 127\n#define ASN1_R_ILLEGAL_HEX 128\n#define ASN1_R_ILLEGAL_IMPLICIT_TAG 129\n#define ASN1_R_ILLEGAL_INTEGER 130\n#define ASN1_R_ILLEGAL_NESTED_TAGGING 131\n#define ASN1_R_ILLEGAL_NULL 132\n#define ASN1_R_ILLEGAL_NULL_VALUE 133\n#define ASN1_R_ILLEGAL_OBJECT 134\n#define ASN1_R_ILLEGAL_OPTIONAL_ANY 135\n#define ASN1_R_ILLEGAL_OPTIONS_ON_ITEM_TEMPLATE 136\n#define ASN1_R_ILLEGAL_TAGGED_ANY 137\n#define ASN1_R_ILLEGAL_TIME_VALUE 138\n#define ASN1_R_INTEGER_NOT_ASCII_FORMAT 139\n#define ASN1_R_INTEGER_TOO_LARGE_FOR_LONG 140\n#define ASN1_R_INVALID_BIT_STRING_BITS_LEFT 141\n#define ASN1_R_INVALID_BMPSTRING 142\n#define ASN1_R_INVALID_DIGIT 143\n#define ASN1_R_INVALID_MODIFIER 144\n#define ASN1_R_INVALID_NUMBER 145\n#define ASN1_R_INVALID_OBJECT_ENCODING 146\n#define ASN1_R_INVALID_SEPARATOR 147\n#define ASN1_R_INVALID_TIME_FORMAT 148\n#define ASN1_R_INVALID_UNIVERSALSTRING 149\n#define ASN1_R_INVALID_UTF8STRING 150\n#define ASN1_R_LIST_ERROR 151\n#define ASN1_R_MISSING_ASN1_EOS 152\n#define ASN1_R_MISSING_EOC 153\n#define ASN1_R_MISSING_SECOND_NUMBER 154\n#define ASN1_R_MISSING_VALUE 155\n#define ASN1_R_MSTRING_NOT_UNIVERSAL 156\n#define ASN1_R_MSTRING_WRONG_TAG 157\n#define ASN1_R_NESTED_ASN1_ERROR 158\n#define ASN1_R_NESTED_ASN1_STRING 159\n#define ASN1_R_NON_HEX_CHARACTERS 160\n#define ASN1_R_NOT_ASCII_FORMAT 161\n#define ASN1_R_NOT_ENOUGH_DATA 162\n#define ASN1_R_NO_MATCHING_CHOICE_TYPE 163\n#define ASN1_R_NULL_IS_WRONG_LENGTH 164\n#define ASN1_R_OBJECT_NOT_ASCII_FORMAT 165\n#define ASN1_R_ODD_NUMBER_OF_CHARS 166\n#define ASN1_R_SECOND_NUMBER_TOO_LARGE 167\n#define ASN1_R_SEQUENCE_LENGTH_MISMATCH 168\n#define ASN1_R_SEQUENCE_NOT_CONSTRUCTED 169\n#define ASN1_R_SEQUENCE_OR_SET_NEEDS_CONFIG 170\n#define ASN1_R_SHORT_LINE 171\n#define ASN1_R_STREAMING_NOT_SUPPORTED 172\n#define ASN1_R_STRING_TOO_LONG 173\n#define ASN1_R_STRING_TOO_SHORT 174\n#define ASN1_R_TAG_VALUE_TOO_HIGH 175\n#define ASN1_R_TIME_NOT_ASCII_FORMAT 176\n#define ASN1_R_TOO_LONG 177\n#define ASN1_R_TYPE_NOT_CONSTRUCTED 178\n#define ASN1_R_TYPE_NOT_PRIMITIVE 179\n#define ASN1_R_UNEXPECTED_EOC 180\n#define ASN1_R_UNIVERSALSTRING_IS_WRONG_LENGTH 181\n#define ASN1_R_UNKNOWN_FORMAT 182\n#define ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM 183\n#define ASN1_R_UNKNOWN_SIGNATURE_ALGORITHM 184\n#define ASN1_R_UNKNOWN_TAG 185\n#define ASN1_R_UNSUPPORTED_ANY_DEFINED_BY_TYPE 186\n#define ASN1_R_UNSUPPORTED_PUBLIC_KEY_TYPE 187\n#define ASN1_R_UNSUPPORTED_TYPE 188\n#define ASN1_R_WRONG_PUBLIC_KEY_TYPE 189\n#define ASN1_R_WRONG_TAG 190\n#define ASN1_R_WRONG_TYPE 191\n#define ASN1_R_NESTED_TOO_DEEP 192\n#define ASN1_R_BAD_TEMPLATE 193\n#define ASN1_R_INVALID_BIT_STRING_PADDING 194\n#define ASN1_R_WRONG_INTEGER_TYPE 195\n#define ASN1_R_INVALID_INTEGER 196\n\n#endif // OPENSSL_HEADER_ASN1_H\n" }, { "path": "Sources/CNIOBoringSSL/include/CNIOBoringSSL_asn1_mac.h", "content": "/* Copyright 2016 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n/* This header is provided in order to make compiling against code that expects\n OpenSSL easier. */\n\n#include \"CNIOBoringSSL_asn1.h\"\n" }, { "path": "Sources/CNIOBoringSSL/include/CNIOBoringSSL_asn1t.h", "content": "/*\n * Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#ifndef OPENSSL_HEADER_ASN1T_H\n#define OPENSSL_HEADER_ASN1T_H\n\n#include \"CNIOBoringSSL_asn1.h\"\n#include \"CNIOBoringSSL_base.h\"\n\n#if defined(__cplusplus)\nextern \"C\" {\n#endif\n\n\n/* Legacy ASN.1 library template definitions.\n *\n * This header is used to define new types in OpenSSL's ASN.1 implementation. It\n * is deprecated and will be unexported from the library. Use the new |CBS| and\n * |CBB| library in instead. */\n\n\ntypedef struct ASN1_TEMPLATE_st ASN1_TEMPLATE;\ntypedef struct ASN1_TLC_st ASN1_TLC;\n\n/* Macro to obtain ASN1_ADB pointer from a type (only used internally) */\n#define ASN1_ADB_ptr(iptr) ((const ASN1_ADB *)(iptr))\n\n\n/* Macros for start and end of ASN1_ITEM definition */\n\n#define ASN1_ITEM_start(itname) const ASN1_ITEM itname##_it = {\n#define ASN1_ITEM_end(itname) \\\n } \\\n ;\n\n/* Macros to aid ASN1 template writing */\n\n#define ASN1_ITEM_TEMPLATE(tname) static const ASN1_TEMPLATE tname##_item_tt\n\n#define ASN1_ITEM_TEMPLATE_END(tname) \\\n ; \\\n ASN1_ITEM_start(tname) ASN1_ITYPE_PRIMITIVE, -1, &tname##_item_tt, 0, NULL, \\\n 0, #tname ASN1_ITEM_end(tname)\n\n\n/* This is a ASN1 type which just embeds a template */\n\n/* This pair helps declare a SEQUENCE. We can do:\n *\n * \tASN1_SEQUENCE(stname) = {\n * \t\t... SEQUENCE components ...\n * \t} ASN1_SEQUENCE_END(stname)\n *\n * \tThis will produce an ASN1_ITEM called stname_it\n *\tfor a structure called stname.\n *\n * \tIf you want the same structure but a different\n *\tname then use:\n *\n * \tASN1_SEQUENCE(itname) = {\n * \t\t... SEQUENCE components ...\n * \t} ASN1_SEQUENCE_END_name(stname, itname)\n *\n *\tThis will create an item called itname_it using\n *\ta structure called stname.\n */\n\n#define ASN1_SEQUENCE(tname) static const ASN1_TEMPLATE tname##_seq_tt[]\n\n#define ASN1_SEQUENCE_END(stname) ASN1_SEQUENCE_END_name(stname, stname)\n\n#define ASN1_SEQUENCE_END_name(stname, tname) \\\n ; \\\n ASN1_ITEM_start(tname) ASN1_ITYPE_SEQUENCE, V_ASN1_SEQUENCE, tname##_seq_tt, \\\n sizeof(tname##_seq_tt) / sizeof(ASN1_TEMPLATE), NULL, sizeof(stname), \\\n #stname ASN1_ITEM_end(tname)\n\n#define ASN1_SEQUENCE_cb(tname, cb) \\\n static const ASN1_AUX tname##_aux = {NULL, 0, 0, cb, 0}; \\\n ASN1_SEQUENCE(tname)\n\n#define ASN1_SEQUENCE_ref(tname, cb) \\\n static const ASN1_AUX tname##_aux = {NULL, ASN1_AFLG_REFCOUNT, \\\n offsetof(tname, references), cb, 0}; \\\n ASN1_SEQUENCE(tname)\n\n#define ASN1_SEQUENCE_enc(tname, enc, cb) \\\n static const ASN1_AUX tname##_aux = {NULL, ASN1_AFLG_ENCODING, 0, cb, \\\n offsetof(tname, enc)}; \\\n ASN1_SEQUENCE(tname)\n\n#define ASN1_SEQUENCE_END_enc(stname, tname) \\\n ASN1_SEQUENCE_END_ref(stname, tname)\n\n#define ASN1_SEQUENCE_END_cb(stname, tname) ASN1_SEQUENCE_END_ref(stname, tname)\n\n#define ASN1_SEQUENCE_END_ref(stname, tname) \\\n ; \\\n ASN1_ITEM_start(tname) ASN1_ITYPE_SEQUENCE, V_ASN1_SEQUENCE, tname##_seq_tt, \\\n sizeof(tname##_seq_tt) / sizeof(ASN1_TEMPLATE), &tname##_aux, \\\n sizeof(stname), #stname ASN1_ITEM_end(tname)\n\n\n/* This pair helps declare a CHOICE type. We can do:\n *\n * \tASN1_CHOICE(chname) = {\n * \t\t... CHOICE options ...\n * \tASN1_CHOICE_END(chname)\n *\n * \tThis will produce an ASN1_ITEM called chname_it\n *\tfor a structure called chname. The structure\n *\tdefinition must look like this:\n *\ttypedef struct {\n *\t\tint type;\n *\t\tunion {\n *\t\t\tASN1_SOMETHING *opt1;\n *\t\t\tASN1_SOMEOTHER *opt2;\n *\t\t} value;\n *\t} chname;\n *\n *\tthe name of the selector must be 'type'.\n * \tto use an alternative selector name use the\n * ASN1_CHOICE_END_selector() version.\n */\n\n#define ASN1_CHOICE(tname) static const ASN1_TEMPLATE tname##_ch_tt[]\n\n#define ASN1_CHOICE_cb(tname, cb) \\\n static const ASN1_AUX tname##_aux = {NULL, 0, 0, cb, 0}; \\\n ASN1_CHOICE(tname)\n\n#define ASN1_CHOICE_END(stname) ASN1_CHOICE_END_name(stname, stname)\n\n#define ASN1_CHOICE_END_name(stname, tname) \\\n ASN1_CHOICE_END_selector(stname, tname, type)\n\n#define ASN1_CHOICE_END_selector(stname, tname, selname) \\\n ; \\\n ASN1_ITEM_start(tname) ASN1_ITYPE_CHOICE, offsetof(stname, selname), \\\n tname##_ch_tt, sizeof(tname##_ch_tt) / sizeof(ASN1_TEMPLATE), NULL, \\\n sizeof(stname), #stname ASN1_ITEM_end(tname)\n\n#define ASN1_CHOICE_END_cb(stname, tname, selname) \\\n ; \\\n ASN1_ITEM_start(tname) ASN1_ITYPE_CHOICE, offsetof(stname, selname), \\\n tname##_ch_tt, sizeof(tname##_ch_tt) / sizeof(ASN1_TEMPLATE), \\\n &tname##_aux, sizeof(stname), #stname ASN1_ITEM_end(tname)\n\n/* This helps with the template wrapper form of ASN1_ITEM */\n\n#define ASN1_EX_TEMPLATE_TYPE(flags, tag, name, type) \\\n { (flags), (tag), 0, #name, ASN1_ITEM_ref(type) }\n\n/* These help with SEQUENCE or CHOICE components */\n\n/* used to declare other types */\n\n#define ASN1_EX_TYPE(flags, tag, stname, field, type) \\\n { (flags), (tag), offsetof(stname, field), #field, ASN1_ITEM_ref(type) }\n\n/* implicit and explicit helper macros */\n\n#define ASN1_IMP_EX(stname, field, type, tag, ex) \\\n ASN1_EX_TYPE(ASN1_TFLG_IMPLICIT | ex, tag, stname, field, type)\n\n#define ASN1_EXP_EX(stname, field, type, tag, ex) \\\n ASN1_EX_TYPE(ASN1_TFLG_EXPLICIT | ex, tag, stname, field, type)\n\n/* Any defined by macros: the field used is in the table itself */\n\n#define ASN1_ADB_OBJECT(tblname) \\\n { ASN1_TFLG_ADB_OID, -1, 0, #tblname, (const ASN1_ITEM *)&(tblname##_adb) }\n/* Plain simple type */\n#define ASN1_SIMPLE(stname, field, type) ASN1_EX_TYPE(0, 0, stname, field, type)\n\n/* OPTIONAL simple type */\n#define ASN1_OPT(stname, field, type) \\\n ASN1_EX_TYPE(ASN1_TFLG_OPTIONAL, 0, stname, field, type)\n\n/* IMPLICIT tagged simple type */\n#define ASN1_IMP(stname, field, type, tag) \\\n ASN1_IMP_EX(stname, field, type, tag, 0)\n\n/* IMPLICIT tagged OPTIONAL simple type */\n#define ASN1_IMP_OPT(stname, field, type, tag) \\\n ASN1_IMP_EX(stname, field, type, tag, ASN1_TFLG_OPTIONAL)\n\n/* Same as above but EXPLICIT */\n\n#define ASN1_EXP(stname, field, type, tag) \\\n ASN1_EXP_EX(stname, field, type, tag, 0)\n#define ASN1_EXP_OPT(stname, field, type, tag) \\\n ASN1_EXP_EX(stname, field, type, tag, ASN1_TFLG_OPTIONAL)\n\n/* SEQUENCE OF type */\n#define ASN1_SEQUENCE_OF(stname, field, type) \\\n ASN1_EX_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, stname, field, type)\n\n/* OPTIONAL SEQUENCE OF */\n#define ASN1_SEQUENCE_OF_OPT(stname, field, type) \\\n ASN1_EX_TYPE(ASN1_TFLG_SEQUENCE_OF | ASN1_TFLG_OPTIONAL, 0, stname, field, \\\n type)\n\n/* Same as above but for SET OF */\n\n#define ASN1_SET_OF(stname, field, type) \\\n ASN1_EX_TYPE(ASN1_TFLG_SET_OF, 0, stname, field, type)\n\n#define ASN1_SET_OF_OPT(stname, field, type) \\\n ASN1_EX_TYPE(ASN1_TFLG_SET_OF | ASN1_TFLG_OPTIONAL, 0, stname, field, type)\n\n/* Finally compound types of SEQUENCE, SET, IMPLICIT, EXPLICIT and OPTIONAL */\n\n#define ASN1_IMP_SET_OF(stname, field, type, tag) \\\n ASN1_IMP_EX(stname, field, type, tag, ASN1_TFLG_SET_OF)\n\n#define ASN1_EXP_SET_OF(stname, field, type, tag) \\\n ASN1_EXP_EX(stname, field, type, tag, ASN1_TFLG_SET_OF)\n\n#define ASN1_IMP_SET_OF_OPT(stname, field, type, tag) \\\n ASN1_IMP_EX(stname, field, type, tag, ASN1_TFLG_SET_OF | ASN1_TFLG_OPTIONAL)\n\n#define ASN1_EXP_SET_OF_OPT(stname, field, type, tag) \\\n ASN1_EXP_EX(stname, field, type, tag, ASN1_TFLG_SET_OF | ASN1_TFLG_OPTIONAL)\n\n#define ASN1_IMP_SEQUENCE_OF(stname, field, type, tag) \\\n ASN1_IMP_EX(stname, field, type, tag, ASN1_TFLG_SEQUENCE_OF)\n\n#define ASN1_IMP_SEQUENCE_OF_OPT(stname, field, type, tag) \\\n ASN1_IMP_EX(stname, field, type, tag, \\\n ASN1_TFLG_SEQUENCE_OF | ASN1_TFLG_OPTIONAL)\n\n#define ASN1_EXP_SEQUENCE_OF(stname, field, type, tag) \\\n ASN1_EXP_EX(stname, field, type, tag, ASN1_TFLG_SEQUENCE_OF)\n\n#define ASN1_EXP_SEQUENCE_OF_OPT(stname, field, type, tag) \\\n ASN1_EXP_EX(stname, field, type, tag, \\\n ASN1_TFLG_SEQUENCE_OF | ASN1_TFLG_OPTIONAL)\n\n/* Macros for the ASN1_ADB structure */\n\n#define ASN1_ADB(name) static const ASN1_ADB_TABLE name##_adbtbl[]\n\n#define ASN1_ADB_END(name, flags, field, app_table, def, none) \\\n ; \\\n static const ASN1_ADB name##_adb = { \\\n flags, \\\n offsetof(name, field), \\\n app_table, \\\n name##_adbtbl, \\\n sizeof(name##_adbtbl) / sizeof(ASN1_ADB_TABLE), \\\n def, \\\n none}\n\n#define ADB_ENTRY(val, template) \\\n { val, template }\n\n#define ASN1_ADB_TEMPLATE(name) static const ASN1_TEMPLATE name##_tt\n\n/* This is the ASN1 template structure that defines\n * a wrapper round the actual type. It determines the\n * actual position of the field in the value structure,\n * various flags such as OPTIONAL and the field name.\n */\n\nstruct ASN1_TEMPLATE_st {\n uint32_t flags; /* Various flags */\n int tag; /* tag, not used if no tagging */\n unsigned long offset; /* Offset of this field in structure */\n const char *field_name; /* Field name */\n ASN1_ITEM_EXP *item; /* Relevant ASN1_ITEM or ASN1_ADB */\n};\n\n/* Macro to extract ASN1_ITEM and ASN1_ADB pointer from ASN1_TEMPLATE */\n\n#define ASN1_TEMPLATE_item(t) (t->item_ptr)\n#define ASN1_TEMPLATE_adb(t) (t->item_ptr)\n\ntypedef struct ASN1_ADB_TABLE_st ASN1_ADB_TABLE;\ntypedef struct ASN1_ADB_st ASN1_ADB;\n\ntypedef struct asn1_must_be_null_st ASN1_MUST_BE_NULL;\n\nstruct ASN1_ADB_st {\n uint32_t flags; /* Various flags */\n unsigned long offset; /* Offset of selector field */\n ASN1_MUST_BE_NULL *unused;\n const ASN1_ADB_TABLE *tbl; /* Table of possible types */\n long tblcount; /* Number of entries in tbl */\n const ASN1_TEMPLATE *default_tt; /* Type to use if no match */\n const ASN1_TEMPLATE *null_tt; /* Type to use if selector is NULL */\n};\n\nstruct ASN1_ADB_TABLE_st {\n int value; /* NID for an object */\n const ASN1_TEMPLATE tt; /* item for this value */\n};\n\n/* template flags */\n\n/* Field is optional */\n#define ASN1_TFLG_OPTIONAL (0x1)\n\n/* Field is a SET OF */\n#define ASN1_TFLG_SET_OF (0x1 << 1)\n\n/* Field is a SEQUENCE OF */\n#define ASN1_TFLG_SEQUENCE_OF (0x2 << 1)\n\n/* Mask for SET OF or SEQUENCE OF */\n#define ASN1_TFLG_SK_MASK (0x3 << 1)\n\n/* These flags mean the tag should be taken from the\n * tag field. If EXPLICIT then the underlying type\n * is used for the inner tag.\n */\n\n/* IMPLICIT tagging */\n#define ASN1_TFLG_IMPTAG (0x1 << 3)\n\n\n/* EXPLICIT tagging, inner tag from underlying type */\n#define ASN1_TFLG_EXPTAG (0x2 << 3)\n\n#define ASN1_TFLG_TAG_MASK (0x3 << 3)\n\n/* context specific IMPLICIT */\n#define ASN1_TFLG_IMPLICIT ASN1_TFLG_IMPTAG | ASN1_TFLG_CONTEXT\n\n/* context specific EXPLICIT */\n#define ASN1_TFLG_EXPLICIT ASN1_TFLG_EXPTAG | ASN1_TFLG_CONTEXT\n\n/* If tagging is in force these determine the\n * type of tag to use. Otherwise the tag is\n * determined by the underlying type. These\n * values reflect the actual octet format.\n */\n\n/* Universal tag */\n#define ASN1_TFLG_UNIVERSAL (0x0 << 6)\n/* Application tag */\n#define ASN1_TFLG_APPLICATION (0x1 << 6)\n/* Context specific tag */\n#define ASN1_TFLG_CONTEXT (0x2 << 6)\n/* Private tag */\n#define ASN1_TFLG_PRIVATE (0x3 << 6)\n\n#define ASN1_TFLG_TAG_CLASS (0x3 << 6)\n\n/* These are for ANY DEFINED BY type. In this case\n * the 'item' field points to an ASN1_ADB structure\n * which contains a table of values to decode the\n * relevant type\n */\n\n#define ASN1_TFLG_ADB_MASK (0x3 << 8)\n\n#define ASN1_TFLG_ADB_OID (0x1 << 8)\n\n/* This is the actual ASN1 item itself */\n\nstruct ASN1_ITEM_st {\n char itype; /* The item type, primitive, SEQUENCE, CHOICE or extern */\n int utype; /* underlying type */\n const ASN1_TEMPLATE\n *templates; /* If SEQUENCE or CHOICE this contains the contents */\n long tcount; /* Number of templates if SEQUENCE or CHOICE */\n const void *funcs; /* functions that handle this type */\n long size; /* Structure size (usually)*/\n const char *sname; /* Structure name */\n};\n\n/* These are values for the itype field and\n * determine how the type is interpreted.\n *\n * For PRIMITIVE types the underlying type\n * determines the behaviour if items is NULL.\n *\n * Otherwise templates must contain a single\n * template and the type is treated in the\n * same way as the type specified in the template.\n *\n * For SEQUENCE types the templates field points\n * to the members, the size field is the\n * structure size.\n *\n * For CHOICE types the templates field points\n * to each possible member (typically a union)\n * and the 'size' field is the offset of the\n * selector.\n *\n * The 'funcs' field is used for application\n * specific functions.\n *\n * The EXTERN type uses a new style d2i/i2d.\n * The new style should be used where possible\n * because it avoids things like the d2i IMPLICIT\n * hack.\n *\n * MSTRING is a multiple string type, it is used\n * for a CHOICE of character strings where the\n * actual strings all occupy an ASN1_STRING\n * structure. In this case the 'utype' field\n * has a special meaning, it is used as a mask\n * of acceptable types using the B_ASN1 constants.\n *\n */\n\n#define ASN1_ITYPE_PRIMITIVE 0x0\n\n#define ASN1_ITYPE_SEQUENCE 0x1\n\n#define ASN1_ITYPE_CHOICE 0x2\n\n#define ASN1_ITYPE_EXTERN 0x4\n\n#define ASN1_ITYPE_MSTRING 0x5\n\n/* Deprecated tag and length cache */\nstruct ASN1_TLC_st;\n\n/* This is the ASN1_AUX structure: it handles various\n * miscellaneous requirements. For example the use of\n * reference counts and an informational callback.\n *\n * The \"informational callback\" is called at various\n * points during the ASN1 encoding and decoding. It can\n * be used to provide minor customisation of the structures\n * used. This is most useful where the supplied routines\n * *almost* do the right thing but need some extra help\n * at a few points. If the callback returns zero then\n * it is assumed a fatal error has occurred and the\n * main operation should be abandoned.\n *\n * If major changes in the default behaviour are required\n * then an external type is more appropriate.\n */\n\ntypedef int ASN1_aux_cb(int operation, ASN1_VALUE **in, const ASN1_ITEM *it,\n void *exarg);\n\ntypedef struct ASN1_AUX_st {\n void *app_data;\n uint32_t flags;\n int ref_offset; /* Offset of reference value */\n ASN1_aux_cb *asn1_cb;\n int enc_offset; /* Offset of ASN1_ENCODING structure */\n} ASN1_AUX;\n\n/* Flags in ASN1_AUX */\n\n/* Use a reference count */\n#define ASN1_AFLG_REFCOUNT 1\n/* Save the encoding of structure (useful for signatures) */\n#define ASN1_AFLG_ENCODING 2\n\n/* operation values for asn1_cb */\n\n#define ASN1_OP_NEW_PRE 0\n#define ASN1_OP_NEW_POST 1\n#define ASN1_OP_FREE_PRE 2\n#define ASN1_OP_FREE_POST 3\n#define ASN1_OP_D2I_PRE 4\n#define ASN1_OP_D2I_POST 5\n/* ASN1_OP_I2D_PRE and ASN1_OP_I2D_POST are not supported. We leave the\n * constants undefined so code relying on them does not accidentally compile. */\n#define ASN1_OP_PRINT_PRE 8\n#define ASN1_OP_PRINT_POST 9\n#define ASN1_OP_STREAM_PRE 10\n#define ASN1_OP_STREAM_POST 11\n#define ASN1_OP_DETACHED_PRE 12\n#define ASN1_OP_DETACHED_POST 13\n\n/* Macro to implement a primitive type */\n#define IMPLEMENT_ASN1_TYPE(stname) IMPLEMENT_ASN1_TYPE_ex(stname, stname, 0)\n#define IMPLEMENT_ASN1_TYPE_ex(itname, vname, ex) \\\n ASN1_ITEM_start(itname) ASN1_ITYPE_PRIMITIVE, V_##vname, NULL, 0, NULL, ex, \\\n #itname ASN1_ITEM_end(itname)\n\n/* Macro to implement a multi string type */\n#define IMPLEMENT_ASN1_MSTRING(itname, mask) \\\n ASN1_ITEM_start(itname) ASN1_ITYPE_MSTRING, mask, NULL, 0, NULL, \\\n sizeof(ASN1_STRING), #itname ASN1_ITEM_end(itname)\n\n#define IMPLEMENT_EXTERN_ASN1(sname, tag, fptrs) \\\n ASN1_ITEM_start(sname) ASN1_ITYPE_EXTERN, tag, NULL, 0, &fptrs, 0, \\\n #sname ASN1_ITEM_end(sname)\n\n/* Macro to implement standard functions in terms of ASN1_ITEM structures */\n\n#define IMPLEMENT_ASN1_FUNCTIONS(stname) \\\n IMPLEMENT_ASN1_FUNCTIONS_fname(stname, stname, stname)\n\n#define IMPLEMENT_ASN1_FUNCTIONS_name(stname, itname) \\\n IMPLEMENT_ASN1_FUNCTIONS_fname(stname, itname, itname)\n\n#define IMPLEMENT_ASN1_FUNCTIONS_ENCODE_name(stname, itname) \\\n IMPLEMENT_ASN1_FUNCTIONS_ENCODE_fname(stname, itname, itname)\n\n#define IMPLEMENT_STATIC_ASN1_ALLOC_FUNCTIONS(stname) \\\n IMPLEMENT_ASN1_ALLOC_FUNCTIONS_pfname(static, stname, stname, stname)\n\n#define IMPLEMENT_ASN1_ALLOC_FUNCTIONS(stname) \\\n IMPLEMENT_ASN1_ALLOC_FUNCTIONS_fname(stname, stname, stname)\n\n#define IMPLEMENT_ASN1_ALLOC_FUNCTIONS_pfname(pre, stname, itname, fname) \\\n pre stname *fname##_new(void) { \\\n return (stname *)ASN1_item_new(ASN1_ITEM_rptr(itname)); \\\n } \\\n pre void fname##_free(stname *a) { \\\n ASN1_item_free((ASN1_VALUE *)a, ASN1_ITEM_rptr(itname)); \\\n }\n\n#define IMPLEMENT_ASN1_ALLOC_FUNCTIONS_fname(stname, itname, fname) \\\n stname *fname##_new(void) { \\\n return (stname *)ASN1_item_new(ASN1_ITEM_rptr(itname)); \\\n } \\\n void fname##_free(stname *a) { \\\n ASN1_item_free((ASN1_VALUE *)a, ASN1_ITEM_rptr(itname)); \\\n }\n\n#define IMPLEMENT_ASN1_FUNCTIONS_fname(stname, itname, fname) \\\n IMPLEMENT_ASN1_ENCODE_FUNCTIONS_fname(stname, itname, fname) \\\n IMPLEMENT_ASN1_ALLOC_FUNCTIONS_fname(stname, itname, fname)\n\n#define IMPLEMENT_ASN1_ENCODE_FUNCTIONS_fname(stname, itname, fname) \\\n stname *d2i_##fname(stname **a, const unsigned char **in, long len) { \\\n return (stname *)ASN1_item_d2i((ASN1_VALUE **)a, in, len, \\\n ASN1_ITEM_rptr(itname)); \\\n } \\\n int i2d_##fname(stname *a, unsigned char **out) { \\\n return ASN1_item_i2d((ASN1_VALUE *)a, out, ASN1_ITEM_rptr(itname)); \\\n }\n\n/* This includes evil casts to remove const: they will go away when full\n * ASN1 constification is done.\n */\n#define IMPLEMENT_ASN1_ENCODE_FUNCTIONS_const_fname(stname, itname, fname) \\\n stname *d2i_##fname(stname **a, const unsigned char **in, long len) { \\\n return (stname *)ASN1_item_d2i((ASN1_VALUE **)a, in, len, \\\n ASN1_ITEM_rptr(itname)); \\\n } \\\n int i2d_##fname(const stname *a, unsigned char **out) { \\\n return ASN1_item_i2d((ASN1_VALUE *)a, out, ASN1_ITEM_rptr(itname)); \\\n }\n\n#define IMPLEMENT_ASN1_DUP_FUNCTION(stname) \\\n stname *stname##_dup(stname *x) { \\\n return (stname *)ASN1_item_dup(ASN1_ITEM_rptr(stname), x); \\\n }\n\n#define IMPLEMENT_ASN1_DUP_FUNCTION_const(stname) \\\n stname *stname##_dup(const stname *x) { \\\n return (stname *)ASN1_item_dup(ASN1_ITEM_rptr(stname), (void *)x); \\\n }\n\n#define IMPLEMENT_ASN1_FUNCTIONS_const(name) \\\n IMPLEMENT_ASN1_FUNCTIONS_const_fname(name, name, name)\n\n#define IMPLEMENT_ASN1_FUNCTIONS_const_fname(stname, itname, fname) \\\n IMPLEMENT_ASN1_ENCODE_FUNCTIONS_const_fname(stname, itname, fname) \\\n IMPLEMENT_ASN1_ALLOC_FUNCTIONS_fname(stname, itname, fname)\n\n/* external definitions for primitive types */\n\nDECLARE_ASN1_ITEM(ASN1_SEQUENCE)\n\nDEFINE_STACK_OF(ASN1_VALUE)\n\n\n#if defined(__cplusplus)\n} // extern \"C\"\n#endif\n\n#endif // OPENSSL_HEADER_ASN1T_H\n" }, { "path": "Sources/CNIOBoringSSL/include/CNIOBoringSSL_base.h", "content": "/*\n * Copyright 2001-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#ifndef OPENSSL_HEADER_BASE_H\n#define OPENSSL_HEADER_BASE_H\n\n#define BORINGSSL_PREFIX CNIOBoringSSL\n\n\n// This file should be the first included by all BoringSSL headers.\n\n#include \n#include \n#include \n#include \n\n#if defined(__MINGW32__)\n// stdio.h is needed on MinGW for __MINGW_PRINTF_FORMAT.\n#include \n#endif\n\n#if defined(__APPLE__)\n#include \n#endif\n\n// Include a BoringSSL-only header so consumers including this header without\n// setting up include paths do not accidentally pick up the system\n// opensslconf.h.\n#include \"CNIOBoringSSL_is_boringssl.h\"\n#include \"CNIOBoringSSL_opensslconf.h\"\n#include \"CNIOBoringSSL_target.h\" // IWYU pragma: export\n\n#if defined(BORINGSSL_PREFIX)\n#include \"CNIOBoringSSL_boringssl_prefix_symbols.h\"\n#endif\n\n#if defined(__cplusplus)\nextern \"C\" {\n#endif\n\n\n#if defined(__APPLE__)\n// Note |TARGET_OS_MAC| is set for all Apple OS variants. |TARGET_OS_OSX|\n// targets macOS specifically.\n#if defined(TARGET_OS_OSX) && TARGET_OS_OSX\n#define OPENSSL_MACOS\n#endif\n#if defined(TARGET_OS_IPHONE) && TARGET_OS_IPHONE\n#define OPENSSL_IOS\n#endif\n#endif\n\n#define OPENSSL_IS_BORINGSSL\n#define OPENSSL_VERSION_NUMBER 0x1010107f\n#define SSLEAY_VERSION_NUMBER OPENSSL_VERSION_NUMBER\n\n// BORINGSSL_API_VERSION is a positive integer that increments as BoringSSL\n// changes over time. The value itself is not meaningful. It will be incremented\n// whenever is convenient to coordinate an API change with consumers. This will\n// not denote any special point in development.\n//\n// A consumer may use this symbol in the preprocessor to temporarily build\n// against multiple revisions of BoringSSL at the same time. It is not\n// recommended to do so for longer than is necessary.\n#define BORINGSSL_API_VERSION 34\n\n#if defined(BORINGSSL_SHARED_LIBRARY)\n\n#if defined(OPENSSL_WINDOWS)\n\n#if defined(BORINGSSL_IMPLEMENTATION)\n#define OPENSSL_EXPORT __declspec(dllexport)\n#else\n#define OPENSSL_EXPORT __declspec(dllimport)\n#endif\n\n#else // defined(OPENSSL_WINDOWS)\n\n#if defined(BORINGSSL_IMPLEMENTATION)\n#define OPENSSL_EXPORT __attribute__((visibility(\"default\")))\n#else\n#define OPENSSL_EXPORT\n#endif\n\n#endif // defined(OPENSSL_WINDOWS)\n\n#else // defined(BORINGSSL_SHARED_LIBRARY)\n\n#define OPENSSL_EXPORT\n\n#endif // defined(BORINGSSL_SHARED_LIBRARY)\n\n#if defined(_MSC_VER)\n\n// OPENSSL_DEPRECATED is used to mark a function as deprecated. Use\n// of any functions so marked in caller code will produce a warning.\n// OPENSSL_BEGIN_ALLOW_DEPRECATED and OPENSSL_END_ALLOW_DEPRECATED\n// can be used to suppress the warning in regions of caller code.\n#define OPENSSL_DEPRECATED __declspec(deprecated)\n#define OPENSSL_BEGIN_ALLOW_DEPRECATED \\\n __pragma(warning(push)) __pragma(warning(disable : 4996))\n#define OPENSSL_END_ALLOW_DEPRECATED __pragma(warning(pop))\n\n#elif defined(__GNUC__) || defined(__clang__)\n\n#define OPENSSL_DEPRECATED __attribute__((__deprecated__))\n#define OPENSSL_BEGIN_ALLOW_DEPRECATED \\\n _Pragma(\"GCC diagnostic push\") \\\n _Pragma(\"GCC diagnostic ignored \\\"-Wdeprecated-declarations\\\"\")\n#define OPENSSL_END_ALLOW_DEPRECATED _Pragma(\"GCC diagnostic pop\")\n\n#else\n\n#define OPENSSL_DEPRECATED\n#define OPENSSL_BEGIN_ALLOW_DEPRECATED\n#define OPENSSL_END_ALLOW_DEPRECATED\n\n#endif\n\n\n#if defined(__GNUC__) || defined(__clang__)\n// MinGW has two different printf implementations. Ensure the format macro\n// matches the selected implementation. See\n// https://sourceforge.net/p/mingw-w64/wiki2/gnu%20printf/.\n#if defined(__MINGW_PRINTF_FORMAT)\n#define OPENSSL_PRINTF_FORMAT_FUNC(string_index, first_to_check) \\\n __attribute__(( \\\n __format__(__MINGW_PRINTF_FORMAT, string_index, first_to_check)))\n#else\n#define OPENSSL_PRINTF_FORMAT_FUNC(string_index, first_to_check) \\\n __attribute__((__format__(__printf__, string_index, first_to_check)))\n#endif\n#else\n#define OPENSSL_PRINTF_FORMAT_FUNC(string_index, first_to_check)\n#endif\n\n// OPENSSL_CLANG_PRAGMA emits a pragma on clang and nothing on other compilers.\n#if defined(__clang__)\n#define OPENSSL_CLANG_PRAGMA(arg) _Pragma(arg)\n#else\n#define OPENSSL_CLANG_PRAGMA(arg)\n#endif\n\n// OPENSSL_MSVC_PRAGMA emits a pragma on MSVC and nothing on other compilers.\n#if defined(_MSC_VER)\n#define OPENSSL_MSVC_PRAGMA(arg) __pragma(arg)\n#else\n#define OPENSSL_MSVC_PRAGMA(arg)\n#endif\n\n#if defined(__GNUC__) || defined(__clang__)\n#define OPENSSL_UNUSED __attribute__((unused))\n#elif defined(_MSC_VER)\n// __pragma wants to be on a separate line. The following is what it takes to\n// stop clang-format from messing with that.\n// clang-format off\n#define OPENSSL_UNUSED __pragma(warning(suppress : 4505)) \\\n/* */\n// clang-format on\n#else\n#define OPENSSL_UNUSED\n#endif\n\n// C and C++ handle inline functions differently. In C++, an inline function is\n// defined in just the header file, potentially emitted in multiple compilation\n// units (in cases the compiler did not inline), but each copy must be identical\n// to satsify ODR. In C, a non-static inline must be manually emitted in exactly\n// one compilation unit with a separate extern inline declaration.\n//\n// In both languages, exported inline functions referencing file-local symbols\n// are problematic. C forbids this altogether (though GCC and Clang seem not to\n// enforce it). It works in C++, but ODR requires the definitions be identical,\n// including all names in the definitions resolving to the \"same entity\". In\n// practice, this is unlikely to be a problem, but an inline function that\n// returns a pointer to a file-local symbol\n// could compile oddly.\n//\n// Historically, we used static inline in headers. However, to satisfy ODR, use\n// plain inline in C++, to allow inline consumer functions to call our header\n// functions. Plain inline would also work better with C99 inline, but that is\n// not used much in practice, extern inline is tedious, and there are conflicts\n// with the old gnu89 model:\n// https://stackoverflow.com/questions/216510/extern-inline\n#if defined(__cplusplus)\n#define OPENSSL_INLINE inline\n#else\n// Add OPENSSL_UNUSED so that, should an inline function be emitted via macro\n// (e.g. a |STACK_OF(T)| implementation) in a source file without tripping\n// clang's -Wunused-function.\n#define OPENSSL_INLINE static inline OPENSSL_UNUSED\n#endif\n\n#if defined(__cplusplus)\n// enums can be predeclared, but only in C++ and only if given an explicit type.\n// C doesn't support setting an explicit type for enums thus a #define is used\n// to do this only for C++. However, the ABI type between C and C++ need to have\n// equal sizes, which is confirmed in a unittest.\n#define BORINGSSL_ENUM_INT : int\nenum ssl_early_data_reason_t BORINGSSL_ENUM_INT;\nenum ssl_encryption_level_t BORINGSSL_ENUM_INT;\nenum ssl_private_key_result_t BORINGSSL_ENUM_INT;\nenum ssl_renegotiate_mode_t BORINGSSL_ENUM_INT;\nenum ssl_select_cert_result_t BORINGSSL_ENUM_INT;\nenum ssl_select_cert_result_t BORINGSSL_ENUM_INT;\nenum ssl_ticket_aead_result_t BORINGSSL_ENUM_INT;\nenum ssl_verify_result_t BORINGSSL_ENUM_INT;\n#else\n#define BORINGSSL_ENUM_INT\n#endif\n\n// ossl_ssize_t is a signed type which is large enough to fit the size of any\n// valid memory allocation. We prefer using |size_t|, but sometimes we need a\n// signed type for OpenSSL API compatibility. This type can be used in such\n// cases to avoid overflow.\n//\n// Not all |size_t| values fit in |ossl_ssize_t|, but all |size_t| values that\n// are sizes of or indices into C objects, can be converted without overflow.\ntypedef ptrdiff_t ossl_ssize_t;\n\n// CBS_ASN1_TAG is the type used by |CBS| and |CBB| for ASN.1 tags. See that\n// header for details. This type is defined in base.h as a forward declaration.\ntypedef uint32_t CBS_ASN1_TAG;\n\n// CRYPTO_THREADID is a dummy value.\ntypedef int CRYPTO_THREADID;\n\n// An |ASN1_NULL| is an opaque type. asn1.h represents the ASN.1 NULL value as\n// an opaque, non-NULL |ASN1_NULL*| pointer.\ntypedef struct asn1_null_st ASN1_NULL;\n\ntypedef int ASN1_BOOLEAN;\ntypedef struct ASN1_ITEM_st ASN1_ITEM;\ntypedef struct asn1_object_st ASN1_OBJECT;\ntypedef struct asn1_pctx_st ASN1_PCTX;\ntypedef struct asn1_string_st ASN1_BIT_STRING;\ntypedef struct asn1_string_st ASN1_BMPSTRING;\ntypedef struct asn1_string_st ASN1_ENUMERATED;\ntypedef struct asn1_string_st ASN1_GENERALIZEDTIME;\ntypedef struct asn1_string_st ASN1_GENERALSTRING;\ntypedef struct asn1_string_st ASN1_IA5STRING;\ntypedef struct asn1_string_st ASN1_INTEGER;\ntypedef struct asn1_string_st ASN1_OCTET_STRING;\ntypedef struct asn1_string_st ASN1_PRINTABLESTRING;\ntypedef struct asn1_string_st ASN1_STRING;\ntypedef struct asn1_string_st ASN1_T61STRING;\ntypedef struct asn1_string_st ASN1_TIME;\ntypedef struct asn1_string_st ASN1_UNIVERSALSTRING;\ntypedef struct asn1_string_st ASN1_UTCTIME;\ntypedef struct asn1_string_st ASN1_UTF8STRING;\ntypedef struct asn1_string_st ASN1_VISIBLESTRING;\ntypedef struct asn1_type_st ASN1_TYPE;\ntypedef struct AUTHORITY_KEYID_st AUTHORITY_KEYID;\ntypedef struct BASIC_CONSTRAINTS_st BASIC_CONSTRAINTS;\ntypedef struct DIST_POINT_st DIST_POINT;\ntypedef struct DSA_SIG_st DSA_SIG;\ntypedef struct GENERAL_NAME_st GENERAL_NAME;\ntypedef struct ISSUING_DIST_POINT_st ISSUING_DIST_POINT;\ntypedef struct NAME_CONSTRAINTS_st NAME_CONSTRAINTS;\ntypedef struct Netscape_spkac_st NETSCAPE_SPKAC;\ntypedef struct Netscape_spki_st NETSCAPE_SPKI;\ntypedef struct RIPEMD160state_st RIPEMD160_CTX;\ntypedef struct X509_VERIFY_PARAM_st X509_VERIFY_PARAM;\ntypedef struct X509_algor_st X509_ALGOR;\ntypedef struct X509_crl_st X509_CRL;\ntypedef struct X509_extension_st X509_EXTENSION;\ntypedef struct X509_info_st X509_INFO;\ntypedef struct X509_name_entry_st X509_NAME_ENTRY;\ntypedef struct X509_name_st X509_NAME;\ntypedef struct X509_pubkey_st X509_PUBKEY;\ntypedef struct X509_req_st X509_REQ;\ntypedef struct X509_sig_st X509_SIG;\ntypedef struct bignum_ctx BN_CTX;\ntypedef struct bignum_st BIGNUM;\ntypedef struct bio_method_st BIO_METHOD;\ntypedef struct bio_st BIO;\ntypedef struct blake2b_state_st BLAKE2B_CTX;\ntypedef struct bn_gencb_st BN_GENCB;\ntypedef struct bn_mont_ctx_st BN_MONT_CTX;\ntypedef struct buf_mem_st BUF_MEM;\ntypedef struct cbb_st CBB;\ntypedef struct cbs_st CBS;\ntypedef struct cmac_ctx_st CMAC_CTX;\ntypedef struct conf_st CONF;\ntypedef struct conf_value_st CONF_VALUE;\ntypedef struct crypto_buffer_pool_st CRYPTO_BUFFER_POOL;\ntypedef struct crypto_buffer_st CRYPTO_BUFFER;\ntypedef struct ctr_drbg_state_st CTR_DRBG_STATE;\ntypedef struct dh_st DH;\ntypedef struct dsa_st DSA;\ntypedef struct ec_group_st EC_GROUP;\ntypedef struct ec_key_st EC_KEY;\ntypedef struct ec_point_st EC_POINT;\ntypedef struct ecdsa_method_st ECDSA_METHOD;\ntypedef struct ecdsa_sig_st ECDSA_SIG;\ntypedef struct engine_st ENGINE;\ntypedef struct env_md_ctx_st EVP_MD_CTX;\ntypedef struct env_md_st EVP_MD;\ntypedef struct evp_aead_st EVP_AEAD;\ntypedef struct evp_aead_ctx_st EVP_AEAD_CTX;\ntypedef struct evp_cipher_ctx_st EVP_CIPHER_CTX;\ntypedef struct evp_cipher_st EVP_CIPHER;\ntypedef struct evp_encode_ctx_st EVP_ENCODE_CTX;\ntypedef struct evp_hpke_aead_st EVP_HPKE_AEAD;\ntypedef struct evp_hpke_ctx_st EVP_HPKE_CTX;\ntypedef struct evp_hpke_kdf_st EVP_HPKE_KDF;\ntypedef struct evp_hpke_kem_st EVP_HPKE_KEM;\ntypedef struct evp_hpke_key_st EVP_HPKE_KEY;\ntypedef struct evp_pkey_ctx_st EVP_PKEY_CTX;\ntypedef struct evp_pkey_st EVP_PKEY;\ntypedef struct hmac_ctx_st HMAC_CTX;\ntypedef struct md4_state_st MD4_CTX;\ntypedef struct md5_state_st MD5_CTX;\ntypedef struct ossl_init_settings_st OPENSSL_INIT_SETTINGS;\ntypedef struct pkcs12_st PKCS12;\ntypedef struct pkcs8_priv_key_info_st PKCS8_PRIV_KEY_INFO;\ntypedef struct private_key_st X509_PKEY;\ntypedef struct rand_meth_st RAND_METHOD;\ntypedef struct rc4_key_st RC4_KEY;\ntypedef struct rsa_meth_st RSA_METHOD;\ntypedef struct rsa_pss_params_st RSA_PSS_PARAMS;\ntypedef struct rsa_st RSA;\ntypedef struct sha256_state_st SHA256_CTX;\ntypedef struct sha512_state_st SHA512_CTX;\ntypedef struct sha_state_st SHA_CTX;\ntypedef struct spake2_ctx_st SPAKE2_CTX;\ntypedef struct srtp_protection_profile_st SRTP_PROTECTION_PROFILE;\ntypedef struct ssl_cipher_st SSL_CIPHER;\ntypedef struct ssl_credential_st SSL_CREDENTIAL;\ntypedef struct ssl_ctx_st SSL_CTX;\ntypedef struct ssl_early_callback_ctx SSL_CLIENT_HELLO;\ntypedef struct ssl_ech_keys_st SSL_ECH_KEYS;\ntypedef struct ssl_method_st SSL_METHOD;\ntypedef struct ssl_private_key_method_st SSL_PRIVATE_KEY_METHOD;\ntypedef struct ssl_quic_method_st SSL_QUIC_METHOD;\ntypedef struct ssl_session_st SSL_SESSION;\ntypedef struct ssl_st SSL;\ntypedef struct ssl_ticket_aead_method_st SSL_TICKET_AEAD_METHOD;\ntypedef struct st_ERR_FNS ERR_FNS;\ntypedef struct trust_token_st TRUST_TOKEN;\ntypedef struct trust_token_client_st TRUST_TOKEN_CLIENT;\ntypedef struct trust_token_issuer_st TRUST_TOKEN_ISSUER;\ntypedef struct trust_token_method_st TRUST_TOKEN_METHOD;\ntypedef struct v3_ext_ctx X509V3_CTX;\ntypedef struct v3_ext_method X509V3_EXT_METHOD;\ntypedef struct x509_attributes_st X509_ATTRIBUTE;\ntypedef struct x509_lookup_st X509_LOOKUP;\ntypedef struct x509_lookup_method_st X509_LOOKUP_METHOD;\ntypedef struct x509_object_st X509_OBJECT;\ntypedef struct x509_purpose_st X509_PURPOSE;\ntypedef struct x509_revoked_st X509_REVOKED;\ntypedef struct x509_st X509;\ntypedef struct x509_store_ctx_st X509_STORE_CTX;\ntypedef struct x509_store_st X509_STORE;\n\ntypedef void *OPENSSL_BLOCK;\n\n// BSSL_CHECK aborts if |condition| is not true.\n#define BSSL_CHECK(condition) \\\n do { \\\n if (!(condition)) { \\\n abort(); \\\n } \\\n } while (0);\n\n#if defined(__cplusplus)\n} // extern C\n#elif !defined(BORINGSSL_NO_CXX)\n#define BORINGSSL_NO_CXX\n#endif\n\n#if defined(BORINGSSL_PREFIX)\n#define BSSL_NAMESPACE_BEGIN \\\n namespace bssl { \\\n inline namespace BORINGSSL_PREFIX {\n#define BSSL_NAMESPACE_END \\\n } \\\n }\n#else\n#define BSSL_NAMESPACE_BEGIN namespace bssl {\n#define BSSL_NAMESPACE_END }\n#endif\n\n// MSVC doesn't set __cplusplus to 201103 to indicate C++11 support (see\n// https://connect.microsoft.com/VisualStudio/feedback/details/763051/a-value-of-predefined-macro-cplusplus-is-still-199711l)\n// so MSVC is just assumed to support C++11.\n#if !defined(BORINGSSL_NO_CXX) && __cplusplus < 201103L && !defined(_MSC_VER)\n#define BORINGSSL_NO_CXX\n#endif\n\n#if !defined(BORINGSSL_NO_CXX)\n\nextern \"C++\" {\n\n#include \n\n// STLPort, used by some Android consumers, not have std::unique_ptr.\n#if defined(_STLPORT_VERSION)\n#define BORINGSSL_NO_CXX\n#endif\n\n} // extern C++\n#endif // !BORINGSSL_NO_CXX\n\n#if defined(BORINGSSL_NO_CXX)\n\n#define BORINGSSL_MAKE_DELETER(type, deleter)\n#define BORINGSSL_MAKE_UP_REF(type, up_ref_func)\n\n#else\n\nextern \"C++\" {\n\nBSSL_NAMESPACE_BEGIN\n\nnamespace internal {\n\n// The Enable parameter is ignored and only exists so specializations can use\n// SFINAE.\ntemplate \nstruct DeleterImpl {};\n\nstruct Deleter {\n template \n void operator()(T *ptr) {\n // Rather than specialize Deleter for each type, we specialize\n // DeleterImpl. This allows bssl::UniquePtr to be used while only\n // including base.h as long as the destructor is not emitted. This matches\n // std::unique_ptr's behavior on forward-declared types.\n //\n // DeleterImpl itself is specialized in the corresponding module's header\n // and must be included to release an object. If not included, the compiler\n // will error that DeleterImpl does not have a method Free.\n DeleterImpl::Free(ptr);\n }\n};\n\ntemplate \nclass StackAllocated {\n public:\n StackAllocated() { init(&ctx_); }\n ~StackAllocated() { cleanup(&ctx_); }\n\n StackAllocated(const StackAllocated &) = delete;\n StackAllocated &operator=(const StackAllocated &) = delete;\n\n T *get() { return &ctx_; }\n const T *get() const { return &ctx_; }\n\n T *operator->() { return &ctx_; }\n const T *operator->() const { return &ctx_; }\n\n void Reset() {\n cleanup(&ctx_);\n init(&ctx_);\n }\n\n private:\n T ctx_;\n};\n\ntemplate \nclass StackAllocatedMovable {\n public:\n StackAllocatedMovable() { init(&ctx_); }\n ~StackAllocatedMovable() { cleanup(&ctx_); }\n\n StackAllocatedMovable(StackAllocatedMovable &&other) {\n init(&ctx_);\n move(&ctx_, &other.ctx_);\n }\n StackAllocatedMovable &operator=(StackAllocatedMovable &&other) {\n move(&ctx_, &other.ctx_);\n return *this;\n }\n\n T *get() { return &ctx_; }\n const T *get() const { return &ctx_; }\n\n T *operator->() { return &ctx_; }\n const T *operator->() const { return &ctx_; }\n\n void Reset() {\n cleanup(&ctx_);\n init(&ctx_);\n }\n\n private:\n T ctx_;\n};\n\n} // namespace internal\n\n#define BORINGSSL_MAKE_DELETER(type, deleter) \\\n namespace internal { \\\n template <> \\\n struct DeleterImpl { \\\n static void Free(type *ptr) { deleter(ptr); } \\\n }; \\\n }\n\n// Holds ownership of heap-allocated BoringSSL structures. Sample usage:\n// bssl::UniquePtr rsa(RSA_new());\n// bssl::UniquePtr bio(BIO_new(BIO_s_mem()));\ntemplate \nusing UniquePtr = std::unique_ptr;\n\n#define BORINGSSL_MAKE_UP_REF(type, up_ref_func) \\\n inline UniquePtr UpRef(type *v) { \\\n if (v != nullptr) { \\\n up_ref_func(v); \\\n } \\\n return UniquePtr(v); \\\n } \\\n \\\n inline UniquePtr UpRef(const UniquePtr &ptr) { \\\n return UpRef(ptr.get()); \\\n }\n\nBSSL_NAMESPACE_END\n\n} // extern C++\n\n#endif // !BORINGSSL_NO_CXX\n\n#endif // OPENSSL_HEADER_BASE_H\n" }, { "path": "Sources/CNIOBoringSSL/include/CNIOBoringSSL_base64.h", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#ifndef OPENSSL_HEADER_BASE64_H\n#define OPENSSL_HEADER_BASE64_H\n\n#include \"CNIOBoringSSL_base.h\"\n\n#if defined(__cplusplus)\nextern \"C\" {\n#endif\n\n\n// base64 functions.\n//\n// For historical reasons, these functions have the EVP_ prefix but just do\n// base64 encoding and decoding. Note that BoringSSL is a cryptography library,\n// so these functions are implemented with side channel protections, at a\n// performance cost. For other base64 uses, use a general-purpose base64\n// implementation.\n\n\n// Encoding\n\n// EVP_EncodeBlock encodes |src_len| bytes from |src| and writes the\n// result to |dst| with a trailing NUL. It returns the number of bytes\n// written, not including this trailing NUL.\nOPENSSL_EXPORT size_t EVP_EncodeBlock(uint8_t *dst, const uint8_t *src,\n size_t src_len);\n\n// EVP_EncodedLength sets |*out_len| to the number of bytes that will be needed\n// to call |EVP_EncodeBlock| on an input of length |len|. This includes the\n// final NUL that |EVP_EncodeBlock| writes. It returns one on success or zero\n// on error.\nOPENSSL_EXPORT int EVP_EncodedLength(size_t *out_len, size_t len);\n\n\n// Decoding\n\n// EVP_DecodedLength sets |*out_len| to the maximum number of bytes that will\n// be needed to call |EVP_DecodeBase64| on an input of length |len|. It returns\n// one on success or zero if |len| is not a valid length for a base64-encoded\n// string.\nOPENSSL_EXPORT int EVP_DecodedLength(size_t *out_len, size_t len);\n\n// EVP_DecodeBase64 decodes |in_len| bytes from base64 and writes\n// |*out_len| bytes to |out|. |max_out| is the size of the output\n// buffer. If it is not enough for the maximum output size, the\n// operation fails. It returns one on success or zero on error.\nOPENSSL_EXPORT int EVP_DecodeBase64(uint8_t *out, size_t *out_len,\n size_t max_out, const uint8_t *in,\n size_t in_len);\n\n\n// Deprecated functions.\n//\n// OpenSSL provides a streaming base64 implementation, however its behavior is\n// very specific to PEM. It is also very lenient of invalid input. Use of any of\n// these functions is thus deprecated.\n\n// EVP_ENCODE_CTX_new returns a newly-allocated |EVP_ENCODE_CTX| or NULL on\n// error. The caller must release the result with |EVP_ENCODE_CTX_free| when\n// done.\nOPENSSL_EXPORT EVP_ENCODE_CTX *EVP_ENCODE_CTX_new(void);\n\n// EVP_ENCODE_CTX_free releases memory associated with |ctx|.\nOPENSSL_EXPORT void EVP_ENCODE_CTX_free(EVP_ENCODE_CTX *ctx);\n\n// EVP_EncodeInit initialises |*ctx|, which is typically stack\n// allocated, for an encoding operation.\n//\n// NOTE: The encoding operation breaks its output with newlines every\n// 64 characters of output (48 characters of input). Use\n// EVP_EncodeBlock to encode raw base64.\nOPENSSL_EXPORT void EVP_EncodeInit(EVP_ENCODE_CTX *ctx);\n\n// EVP_EncodeUpdate encodes |in_len| bytes from |in| and writes an encoded\n// version of them to |out| and sets |*out_len| to the number of bytes written.\n// Some state may be contained in |ctx| so |EVP_EncodeFinal| must be used to\n// flush it before using the encoded data.\nOPENSSL_EXPORT void EVP_EncodeUpdate(EVP_ENCODE_CTX *ctx, uint8_t *out,\n int *out_len, const uint8_t *in,\n size_t in_len);\n\n// EVP_EncodeFinal flushes any remaining output bytes from |ctx| to |out| and\n// sets |*out_len| to the number of bytes written.\nOPENSSL_EXPORT void EVP_EncodeFinal(EVP_ENCODE_CTX *ctx, uint8_t *out,\n int *out_len);\n\n// EVP_DecodeInit initialises |*ctx|, which is typically stack allocated, for\n// a decoding operation.\n//\n// TODO(davidben): This isn't a straight-up base64 decode either. Document\n// and/or fix exactly what's going on here; maximum line length and such.\nOPENSSL_EXPORT void EVP_DecodeInit(EVP_ENCODE_CTX *ctx);\n\n// EVP_DecodeUpdate decodes |in_len| bytes from |in| and writes the decoded\n// data to |out| and sets |*out_len| to the number of bytes written. Some state\n// may be contained in |ctx| so |EVP_DecodeFinal| must be used to flush it\n// before using the encoded data.\n//\n// It returns -1 on error, one if a full line of input was processed and zero\n// if the line was short (i.e. it was the last line).\nOPENSSL_EXPORT int EVP_DecodeUpdate(EVP_ENCODE_CTX *ctx, uint8_t *out,\n int *out_len, const uint8_t *in,\n size_t in_len);\n\n// EVP_DecodeFinal flushes any remaining output bytes from |ctx| to |out| and\n// sets |*out_len| to the number of bytes written. It returns one on success\n// and minus one on error.\nOPENSSL_EXPORT int EVP_DecodeFinal(EVP_ENCODE_CTX *ctx, uint8_t *out,\n int *out_len);\n\n// EVP_DecodeBlock encodes |src_len| bytes from |src| and writes the result to\n// |dst|. It returns the number of bytes written or -1 on error.\n//\n// WARNING: EVP_DecodeBlock's return value does not take padding into\n// account. It also strips leading whitespace and trailing\n// whitespace and minuses.\nOPENSSL_EXPORT int EVP_DecodeBlock(uint8_t *dst, const uint8_t *src,\n size_t src_len);\n\n\nstruct evp_encode_ctx_st {\n // data_used indicates the number of bytes of |data| that are valid. When\n // encoding, |data| will be filled and encoded as a lump. When decoding, only\n // the first four bytes of |data| will be used.\n unsigned data_used;\n uint8_t data[48];\n\n // eof_seen indicates that the end of the base64 data has been seen when\n // decoding. Only whitespace can follow.\n char eof_seen;\n\n // error_encountered indicates that invalid base64 data was found. This will\n // cause all future calls to fail.\n char error_encountered;\n};\n\n\n#if defined(__cplusplus)\n} // extern C\n#endif\n\n#endif // OPENSSL_HEADER_BASE64_H\n" }, { "path": "Sources/CNIOBoringSSL/include/CNIOBoringSSL_bcm_public.h", "content": "/* Copyright 2024 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n#ifndef OPENSSL_HEADER_BCM_PUBLIC_H_\n#define OPENSSL_HEADER_BCM_PUBLIC_H_\n\n#include \"CNIOBoringSSL_base.h\"\n\n#if defined(__cplusplus)\nextern \"C\" {\n#endif\n\n// Public types referenced by BoringCrypto\n//\n// This header contains public types referenced by BCM. Such types are difficult\n// to hide from the libcrypto interface, so we treat them as part of BCM.\n\n// BCM_SHA_CBLOCK is the block size of SHA-1.\n#define BCM_SHA_CBLOCK 64\n\n// SHA_CTX\nstruct sha_state_st {\n#if defined(__cplusplus) || defined(OPENSSL_WINDOWS)\n uint32_t h[5];\n#else\n // wpa_supplicant accesses |h0|..|h4| so we must support those names for\n // compatibility with it until it can be updated. Anonymous unions are only\n // standard in C11, so disable this workaround in C++.\n union {\n uint32_t h[5];\n struct {\n uint32_t h0;\n uint32_t h1;\n uint32_t h2;\n uint32_t h3;\n uint32_t h4;\n };\n };\n#endif\n uint32_t Nl, Nh;\n uint8_t data[BCM_SHA_CBLOCK];\n unsigned num;\n};\n\n// SHA256_CBLOCK is the block size of SHA-256.\n#define BCM_SHA256_CBLOCK 64\n\n// SHA256_CTX\nstruct sha256_state_st {\n uint32_t h[8];\n uint32_t Nl, Nh;\n uint8_t data[BCM_SHA256_CBLOCK];\n unsigned num, md_len;\n};\n\n// BCM_SHA512_CBLOCK is the block size of SHA-512.\n#define BCM_SHA512_CBLOCK 128\n\nstruct sha512_state_st {\n uint64_t h[8];\n uint64_t Nl, Nh;\n uint8_t p[BCM_SHA512_CBLOCK];\n unsigned num, md_len;\n};\n\n\n#if defined(__cplusplus)\n} // extern C\n#endif\n\n#endif // OPENSSL_HEADER_BCM_PUBLIC_H_\n" }, { "path": "Sources/CNIOBoringSSL/include/CNIOBoringSSL_bio.h", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#ifndef OPENSSL_HEADER_BIO_H\n#define OPENSSL_HEADER_BIO_H\n\n#include \"CNIOBoringSSL_base.h\"\n\n#include // For FILE\n\n#include \"CNIOBoringSSL_buffer.h\"\n#include \"CNIOBoringSSL_err.h\" // for ERR_print_errors_fp\n#include \"CNIOBoringSSL_ex_data.h\"\n#include \"CNIOBoringSSL_stack.h\"\n#include \"CNIOBoringSSL_thread.h\"\n\n#if defined(__cplusplus)\nextern \"C\" {\n#endif\n\n\n// BIO abstracts over a file-descriptor like interface.\n\n\n// Allocation and freeing.\n\nDEFINE_STACK_OF(BIO)\n\n// BIO_new creates a new BIO with the given method and a reference count of one.\n// It returns the fresh |BIO|, or NULL on error.\nOPENSSL_EXPORT BIO *BIO_new(const BIO_METHOD *method);\n\n// BIO_free decrements the reference count of |bio|. If the reference count\n// drops to zero, it calls the destroy callback, if present, on the method and\n// frees |bio| itself. It then repeats that for the next BIO in the chain, if\n// any.\n//\n// It returns one on success or zero otherwise.\nOPENSSL_EXPORT int BIO_free(BIO *bio);\n\n// BIO_vfree performs the same actions as |BIO_free|, but has a void return\n// value. This is provided for API-compat.\n//\n// TODO(fork): remove.\nOPENSSL_EXPORT void BIO_vfree(BIO *bio);\n\n// BIO_up_ref increments the reference count of |bio| and returns one.\nOPENSSL_EXPORT int BIO_up_ref(BIO *bio);\n\n\n// Basic I/O.\n\n// BIO_read attempts to read |len| bytes into |data|. It returns the number of\n// bytes read, zero on EOF, or a negative number on error.\nOPENSSL_EXPORT int BIO_read(BIO *bio, void *data, int len);\n\n// BIO_gets reads a line from |bio| and writes at most |size| bytes into |buf|.\n// It returns the number of bytes read or a negative number on error. This\n// function's output always includes a trailing NUL byte, so it will read at\n// most |size - 1| bytes.\n//\n// If the function read a complete line, the output will include the newline\n// character, '\\n'. If no newline was found before |size - 1| bytes or EOF, it\n// outputs the bytes which were available.\nOPENSSL_EXPORT int BIO_gets(BIO *bio, char *buf, int size);\n\n// BIO_write writes |len| bytes from |data| to |bio|. It returns the number of\n// bytes written or a negative number on error.\nOPENSSL_EXPORT int BIO_write(BIO *bio, const void *data, int len);\n\n// BIO_write_all writes |len| bytes from |data| to |bio|, looping as necessary.\n// It returns one if all bytes were successfully written and zero on error.\nOPENSSL_EXPORT int BIO_write_all(BIO *bio, const void *data, size_t len);\n\n// BIO_puts writes a NUL terminated string from |buf| to |bio|. It returns the\n// number of bytes written or a negative number on error.\nOPENSSL_EXPORT int BIO_puts(BIO *bio, const char *buf);\n\n// BIO_flush flushes any buffered output. It returns one on success and zero\n// otherwise.\nOPENSSL_EXPORT int BIO_flush(BIO *bio);\n\n\n// Low-level control functions.\n//\n// These are generic functions for sending control requests to a BIO. In\n// general one should use the wrapper functions like |BIO_get_close|.\n\n// BIO_ctrl sends the control request |cmd| to |bio|. The |cmd| argument should\n// be one of the |BIO_C_*| values.\nOPENSSL_EXPORT long BIO_ctrl(BIO *bio, int cmd, long larg, void *parg);\n\n// BIO_ptr_ctrl acts like |BIO_ctrl| but passes the address of a |void*|\n// pointer as |parg| and returns the value that is written to it, or NULL if\n// the control request returns <= 0.\nOPENSSL_EXPORT char *BIO_ptr_ctrl(BIO *bp, int cmd, long larg);\n\n// BIO_int_ctrl acts like |BIO_ctrl| but passes the address of a copy of |iarg|\n// as |parg|.\nOPENSSL_EXPORT long BIO_int_ctrl(BIO *bp, int cmd, long larg, int iarg);\n\n// BIO_reset resets |bio| to its initial state, the precise meaning of which\n// depends on the concrete type of |bio|. It returns one on success and zero\n// otherwise.\nOPENSSL_EXPORT int BIO_reset(BIO *bio);\n\n// BIO_eof returns non-zero when |bio| has reached end-of-file. The precise\n// meaning of which depends on the concrete type of |bio|. Note that in the\n// case of BIO_pair this always returns non-zero.\nOPENSSL_EXPORT int BIO_eof(BIO *bio);\n\n// BIO_set_flags ORs |flags| with |bio->flags|.\nOPENSSL_EXPORT void BIO_set_flags(BIO *bio, int flags);\n\n// BIO_test_flags returns |bio->flags| AND |flags|.\nOPENSSL_EXPORT int BIO_test_flags(const BIO *bio, int flags);\n\n// BIO_should_read returns non-zero if |bio| encountered a temporary error\n// while reading (i.e. EAGAIN), indicating that the caller should retry the\n// read.\nOPENSSL_EXPORT int BIO_should_read(const BIO *bio);\n\n// BIO_should_write returns non-zero if |bio| encountered a temporary error\n// while writing (i.e. EAGAIN), indicating that the caller should retry the\n// write.\nOPENSSL_EXPORT int BIO_should_write(const BIO *bio);\n\n// BIO_should_retry returns non-zero if the reason that caused a failed I/O\n// operation is temporary and thus the operation should be retried. Otherwise,\n// it was a permanent error and it returns zero.\nOPENSSL_EXPORT int BIO_should_retry(const BIO *bio);\n\n// BIO_should_io_special returns non-zero if |bio| encountered a temporary\n// error while performing a special I/O operation, indicating that the caller\n// should retry. The operation that caused the error is returned by\n// |BIO_get_retry_reason|.\nOPENSSL_EXPORT int BIO_should_io_special(const BIO *bio);\n\n// BIO_RR_CONNECT indicates that a connect would have blocked\n#define BIO_RR_CONNECT 0x02\n\n// BIO_RR_ACCEPT indicates that an accept would have blocked\n#define BIO_RR_ACCEPT 0x03\n\n// BIO_get_retry_reason returns the special I/O operation that needs to be\n// retried. The return value is one of the |BIO_RR_*| values.\nOPENSSL_EXPORT int BIO_get_retry_reason(const BIO *bio);\n\n// BIO_set_retry_reason sets the special I/O operation that needs to be retried\n// to |reason|, which should be one of the |BIO_RR_*| values.\nOPENSSL_EXPORT void BIO_set_retry_reason(BIO *bio, int reason);\n\n// BIO_clear_flags ANDs |bio->flags| with the bitwise-complement of |flags|.\nOPENSSL_EXPORT void BIO_clear_flags(BIO *bio, int flags);\n\n// BIO_set_retry_read sets the |BIO_FLAGS_READ| and |BIO_FLAGS_SHOULD_RETRY|\n// flags on |bio|.\nOPENSSL_EXPORT void BIO_set_retry_read(BIO *bio);\n\n// BIO_set_retry_write sets the |BIO_FLAGS_WRITE| and |BIO_FLAGS_SHOULD_RETRY|\n// flags on |bio|.\nOPENSSL_EXPORT void BIO_set_retry_write(BIO *bio);\n\n// BIO_get_retry_flags gets the |BIO_FLAGS_READ|, |BIO_FLAGS_WRITE|,\n// |BIO_FLAGS_IO_SPECIAL| and |BIO_FLAGS_SHOULD_RETRY| flags from |bio|.\nOPENSSL_EXPORT int BIO_get_retry_flags(BIO *bio);\n\n// BIO_clear_retry_flags clears the |BIO_FLAGS_READ|, |BIO_FLAGS_WRITE|,\n// |BIO_FLAGS_IO_SPECIAL| and |BIO_FLAGS_SHOULD_RETRY| flags from |bio|.\nOPENSSL_EXPORT void BIO_clear_retry_flags(BIO *bio);\n\n// BIO_method_type returns the type of |bio|, which is one of the |BIO_TYPE_*|\n// values.\nOPENSSL_EXPORT int BIO_method_type(const BIO *bio);\n\n// These are passed to the BIO callback\n#define BIO_CB_FREE 0x01\n#define BIO_CB_READ 0x02\n#define BIO_CB_WRITE 0x03\n#define BIO_CB_PUTS 0x04\n#define BIO_CB_GETS 0x05\n#define BIO_CB_CTRL 0x06\n\n// The callback is called before and after the underling operation,\n// The BIO_CB_RETURN flag indicates if it is after the call\n#define BIO_CB_RETURN 0x80\n\n// bio_info_cb is the type of a callback function that can be called for most\n// BIO operations. The |event| argument is one of |BIO_CB_*| and can be ORed\n// with |BIO_CB_RETURN| if the callback is being made after the operation in\n// question. In that case, |return_value| will contain the return value from\n// the operation.\ntypedef long (*bio_info_cb)(BIO *bio, int event, const char *parg, int cmd,\n long larg, long return_value);\n\n// BIO_callback_ctrl allows the callback function to be manipulated. The |cmd|\n// arg will generally be |BIO_CTRL_SET_CALLBACK| but arbitrary command values\n// can be interpreted by the |BIO|.\nOPENSSL_EXPORT long BIO_callback_ctrl(BIO *bio, int cmd, bio_info_cb fp);\n\n// BIO_pending returns the number of bytes pending to be read.\nOPENSSL_EXPORT size_t BIO_pending(const BIO *bio);\n\n// BIO_ctrl_pending calls |BIO_pending| and exists only for compatibility with\n// OpenSSL.\nOPENSSL_EXPORT size_t BIO_ctrl_pending(const BIO *bio);\n\n// BIO_wpending returns the number of bytes pending to be written.\nOPENSSL_EXPORT size_t BIO_wpending(const BIO *bio);\n\n// BIO_set_close sets the close flag for |bio|. The meaning of which depends on\n// the type of |bio| but, for example, a memory BIO interprets the close flag\n// as meaning that it owns its buffer. It returns one on success and zero\n// otherwise.\nOPENSSL_EXPORT int BIO_set_close(BIO *bio, int close_flag);\n\n// BIO_number_read returns the number of bytes that have been read from\n// |bio|.\nOPENSSL_EXPORT uint64_t BIO_number_read(const BIO *bio);\n\n// BIO_number_written returns the number of bytes that have been written to\n// |bio|.\nOPENSSL_EXPORT uint64_t BIO_number_written(const BIO *bio);\n\n\n// Managing chains of BIOs.\n//\n// BIOs can be put into chains where the output of one is used as the input of\n// the next etc. The most common case is a buffering BIO, which accepts and\n// buffers writes until flushed into the next BIO in the chain.\n\n// BIO_push adds |appended_bio| to the end of the chain with |bio| at the head.\n// It returns |bio|. Note that |appended_bio| may be the head of a chain itself\n// and thus this function can be used to join two chains.\n//\n// BIO_push takes ownership of the caller's reference to |appended_bio|.\nOPENSSL_EXPORT BIO *BIO_push(BIO *bio, BIO *appended_bio);\n\n// BIO_pop removes |bio| from the head of a chain and returns the next BIO in\n// the chain, or NULL if there is no next BIO.\n//\n// The caller takes ownership of the chain's reference to |bio|.\nOPENSSL_EXPORT BIO *BIO_pop(BIO *bio);\n\n// BIO_next returns the next BIO in the chain after |bio|, or NULL if there is\n// no such BIO.\nOPENSSL_EXPORT BIO *BIO_next(BIO *bio);\n\n// BIO_free_all calls |BIO_free|.\n//\n// TODO(fork): update callers and remove.\nOPENSSL_EXPORT void BIO_free_all(BIO *bio);\n\n// BIO_find_type walks a chain of BIOs and returns the first that matches\n// |type|, which is one of the |BIO_TYPE_*| values.\nOPENSSL_EXPORT BIO *BIO_find_type(BIO *bio, int type);\n\n// BIO_copy_next_retry sets the retry flags and |retry_reason| of |bio| from\n// the next BIO in the chain.\nOPENSSL_EXPORT void BIO_copy_next_retry(BIO *bio);\n\n\n// Printf functions.\n\n// BIO_printf behaves like |printf| but outputs to |bio| rather than a |FILE|.\n// It returns the number of bytes written or a negative number on error.\nOPENSSL_EXPORT int BIO_printf(BIO *bio, const char *format, ...)\n OPENSSL_PRINTF_FORMAT_FUNC(2, 3);\n\n\n// Utility functions.\n\n// BIO_indent prints min(|indent|, |max_indent|) spaces. It returns one on\n// success and zero otherwise.\nOPENSSL_EXPORT int BIO_indent(BIO *bio, unsigned indent, unsigned max_indent);\n\n// BIO_hexdump writes a hex dump of |data| to |bio|. Each line will be indented\n// by |indent| spaces. It returns one on success and zero otherwise.\nOPENSSL_EXPORT int BIO_hexdump(BIO *bio, const uint8_t *data, size_t len,\n unsigned indent);\n\n// ERR_print_errors prints the current contents of the error stack to |bio|\n// using human readable strings where possible.\nOPENSSL_EXPORT void ERR_print_errors(BIO *bio);\n\n// BIO_read_asn1 reads a single ASN.1 object from |bio|. If successful it sets\n// |*out| to be an allocated buffer (that should be freed with |OPENSSL_free|),\n// |*out_size| to the length, in bytes, of that buffer and returns one.\n// Otherwise it returns zero.\n//\n// If the length of the object is greater than |max_len| or 2^32 then the\n// function will fail. Long-form tags are not supported. If the length of the\n// object is indefinite the full contents of |bio| are read, unless it would be\n// greater than |max_len|, in which case the function fails.\n//\n// If the function fails then some unknown amount of data may have been read\n// from |bio|.\nOPENSSL_EXPORT int BIO_read_asn1(BIO *bio, uint8_t **out, size_t *out_len,\n size_t max_len);\n\n\n// Memory BIOs.\n//\n// Memory BIOs can be used as a read-only source (with |BIO_new_mem_buf|) or a\n// writable sink (with |BIO_new|, |BIO_s_mem| and |BIO_mem_contents|). Data\n// written to a writable, memory BIO can be recalled by reading from it.\n//\n// Calling |BIO_reset| on a read-only BIO resets it to the original contents.\n// On a writable BIO, it clears any data.\n//\n// If the close flag is set to |BIO_NOCLOSE| (not the default) then the\n// underlying |BUF_MEM| will not be freed when the |BIO| is freed.\n//\n// Memory BIOs support |BIO_gets| and |BIO_puts|.\n//\n// |BIO_ctrl_pending| returns the number of bytes currently stored.\n\n// BIO_NOCLOSE and |BIO_CLOSE| can be used as symbolic arguments when a \"close\n// flag\" is passed to a BIO function.\n#define BIO_NOCLOSE 0\n#define BIO_CLOSE 1\n\n// BIO_s_mem returns a |BIO_METHOD| that uses a in-memory buffer.\nOPENSSL_EXPORT const BIO_METHOD *BIO_s_mem(void);\n\n// BIO_new_mem_buf creates read-only BIO that reads from |len| bytes at |buf|.\n// It returns the BIO or NULL on error. This function does not copy or take\n// ownership of |buf|. The caller must ensure the memory pointed to by |buf|\n// outlives the |BIO|.\n//\n// If |len| is negative, then |buf| is treated as a NUL-terminated string, but\n// don't depend on this in new code.\nOPENSSL_EXPORT BIO *BIO_new_mem_buf(const void *buf, ossl_ssize_t len);\n\n// BIO_mem_contents sets |*out_contents| to point to the current contents of\n// |bio| and |*out_len| to contain the length of that data. It returns one on\n// success and zero otherwise.\nOPENSSL_EXPORT int BIO_mem_contents(const BIO *bio,\n const uint8_t **out_contents,\n size_t *out_len);\n\n// BIO_get_mem_data sets |*contents| to point to the current contents of |bio|\n// and returns the length of the data.\n//\n// WARNING: don't use this, use |BIO_mem_contents|. A return value of zero from\n// this function can mean either that it failed or that the memory buffer is\n// empty.\nOPENSSL_EXPORT long BIO_get_mem_data(BIO *bio, char **contents);\n\n// BIO_get_mem_ptr sets |*out| to a BUF_MEM containing the current contents of\n// |bio|. It returns one on success or zero on error.\nOPENSSL_EXPORT int BIO_get_mem_ptr(BIO *bio, BUF_MEM **out);\n\n// BIO_set_mem_buf sets |b| as the contents of |bio|. If |take_ownership| is\n// non-zero, then |b| will be freed when |bio| is closed. Returns one on\n// success or zero otherwise.\nOPENSSL_EXPORT int BIO_set_mem_buf(BIO *bio, BUF_MEM *b, int take_ownership);\n\n// BIO_set_mem_eof_return sets the value that will be returned from reading\n// |bio| when empty. If |eof_value| is zero then an empty memory BIO will\n// return EOF (that is it will return zero and |BIO_should_retry| will be\n// false). If |eof_value| is non zero then it will return |eof_value| when it\n// is empty and it will set the read retry flag (that is |BIO_read_retry| is\n// true). To avoid ambiguity with a normal positive return value, |eof_value|\n// should be set to a negative value, typically -1.\n//\n// For a read-only BIO, the default is zero (EOF). For a writable BIO, the\n// default is -1 so that additional data can be written once exhausted.\nOPENSSL_EXPORT int BIO_set_mem_eof_return(BIO *bio, int eof_value);\n\n\n// File descriptor BIOs.\n//\n// File descriptor BIOs are wrappers around the system's |read| and |write|\n// functions. If the close flag is set then then |close| is called on the\n// underlying file descriptor when the BIO is freed.\n//\n// |BIO_reset| attempts to seek the file pointer to the start of file using\n// |lseek|.\n\n#if !defined(OPENSSL_NO_POSIX_IO)\n// BIO_s_fd returns a |BIO_METHOD| for file descriptor fds.\nOPENSSL_EXPORT const BIO_METHOD *BIO_s_fd(void);\n\n// BIO_new_fd creates a new file descriptor BIO wrapping |fd|. If |close_flag|\n// is non-zero, then |fd| will be closed when the BIO is.\nOPENSSL_EXPORT BIO *BIO_new_fd(int fd, int close_flag);\n#endif\n\n// BIO_set_fd sets the file descriptor of |bio| to |fd|. If |close_flag| is\n// non-zero then |fd| will be closed when |bio| is. It returns one on success\n// or zero on error.\n//\n// This function may also be used with socket BIOs (see |BIO_s_socket| and\n// |BIO_new_socket|).\nOPENSSL_EXPORT int BIO_set_fd(BIO *bio, int fd, int close_flag);\n\n// BIO_get_fd returns the file descriptor currently in use by |bio| or -1 if\n// |bio| does not wrap a file descriptor. If there is a file descriptor and\n// |out_fd| is not NULL, it also sets |*out_fd| to the file descriptor.\n//\n// This function may also be used with socket BIOs (see |BIO_s_socket| and\n// |BIO_new_socket|).\nOPENSSL_EXPORT int BIO_get_fd(BIO *bio, int *out_fd);\n\n\n// File BIOs.\n//\n// File BIOs are wrappers around a C |FILE| object.\n//\n// |BIO_flush| on a file BIO calls |fflush| on the wrapped stream.\n//\n// |BIO_reset| attempts to seek the file pointer to the start of file using\n// |fseek|.\n//\n// Setting the close flag causes |fclose| to be called on the stream when the\n// BIO is freed.\n\n// BIO_s_file returns a BIO_METHOD that wraps a |FILE|.\nOPENSSL_EXPORT const BIO_METHOD *BIO_s_file(void);\n\n// BIO_new_file creates a file BIO by opening |filename| with the given mode.\n// See the |fopen| manual page for details of the mode argument. On Windows,\n// files may be opened in either binary or text mode so, as in |fopen|, callers\n// must specify the desired option in |mode|.\nOPENSSL_EXPORT BIO *BIO_new_file(const char *filename, const char *mode);\n\n// BIO_FP_TEXT indicates the |FILE| should be switched to text mode on Windows.\n// It has no effect on non-Windows platforms.\n#define BIO_FP_TEXT 0x10\n\n// BIO_new_fp creates a new file BIO that wraps |file|. If |flags| contains\n// |BIO_CLOSE|, then |fclose| will be called on |file| when the BIO is closed.\n//\n// On Windows, if |flags| contains |BIO_FP_TEXT|, this function will\n// additionally switch |file| to text mode. This is not recommended, but may be\n// required for OpenSSL compatibility. If |file| was not already in text mode,\n// mode changes can cause unflushed data in |file| to be written in unexpected\n// ways. See |_setmode| in Windows documentation for details.\n//\n// Unlike OpenSSL, if |flags| does not contain |BIO_FP_TEXT|, the translation\n// mode of |file| is left as-is. In OpenSSL, |file| will be set to binary, with\n// the same pitfalls as above. BoringSSL does not do this so that wrapping a\n// |FILE| in a |BIO| will not inadvertently change its state.\n//\n// To avoid these pitfalls, callers should set the desired translation mode when\n// opening the file. If targeting just BoringSSL, this is sufficient. If\n// targeting both OpenSSL and BoringSSL, callers should set |BIO_FP_TEXT| to\n// match the desired state of the file.\nOPENSSL_EXPORT BIO *BIO_new_fp(FILE *file, int flags);\n\n// BIO_get_fp sets |*out_file| to the current |FILE| for |bio|. It returns one\n// on success and zero otherwise.\nOPENSSL_EXPORT int BIO_get_fp(BIO *bio, FILE **out_file);\n\n// BIO_set_fp sets the |FILE| for |bio|. If |flags| contains |BIO_CLOSE| then\n// |fclose| will be called on |file| when |bio| is closed. It returns one on\n// success and zero otherwise.\n//\n// On Windows, if |flags| contains |BIO_FP_TEXT|, this function will\n// additionally switch |file| to text mode. This is not recommended, but may be\n// required for OpenSSL compatibility. If |file| was not already in text mode,\n// mode changes can cause unflushed data in |file| to be written in unexpected\n// ways. See |_setmode| in Windows documentation for details.\n//\n// Unlike OpenSSL, if |flags| does not contain |BIO_FP_TEXT|, the translation\n// mode of |file| is left as-is. In OpenSSL, |file| will be set to binary, with\n// the same pitfalls as above. BoringSSL does not do this so that wrapping a\n// |FILE| in a |BIO| will not inadvertently change its state.\n//\n// To avoid these pitfalls, callers should set the desired translation mode when\n// opening the file. If targeting just BoringSSL, this is sufficient. If\n// targeting both OpenSSL and BoringSSL, callers should set |BIO_FP_TEXT| to\n// match the desired state of the file.\nOPENSSL_EXPORT int BIO_set_fp(BIO *bio, FILE *file, int flags);\n\n// BIO_read_filename opens |filename| for reading and sets the result as the\n// |FILE| for |bio|. It returns one on success and zero otherwise. The |FILE|\n// will be closed when |bio| is freed. On Windows, the file is opened in binary\n// mode.\nOPENSSL_EXPORT int BIO_read_filename(BIO *bio, const char *filename);\n\n// BIO_write_filename opens |filename| for writing and sets the result as the\n// |FILE| for |bio|. It returns one on success and zero otherwise. The |FILE|\n// will be closed when |bio| is freed. On Windows, the file is opened in binary\n// mode.\nOPENSSL_EXPORT int BIO_write_filename(BIO *bio, const char *filename);\n\n// BIO_append_filename opens |filename| for appending and sets the result as\n// the |FILE| for |bio|. It returns one on success and zero otherwise. The\n// |FILE| will be closed when |bio| is freed. On Windows, the file is opened in\n// binary mode.\nOPENSSL_EXPORT int BIO_append_filename(BIO *bio, const char *filename);\n\n// BIO_rw_filename opens |filename| for reading and writing and sets the result\n// as the |FILE| for |bio|. It returns one on success and zero otherwise. The\n// |FILE| will be closed when |bio| is freed. On Windows, the file is opened in\n// binary mode.\nOPENSSL_EXPORT int BIO_rw_filename(BIO *bio, const char *filename);\n\n// BIO_tell returns the file offset of |bio|, or a negative number on error or\n// if |bio| does not support the operation.\n//\n// TODO(https://crbug.com/boringssl/465): On platforms where |long| is 32-bit,\n// this function cannot report 64-bit offsets.\nOPENSSL_EXPORT long BIO_tell(BIO *bio);\n\n// BIO_seek sets the file offset of |bio| to |offset|. It returns a non-negative\n// number on success and a negative number on error. If |bio| is a file\n// descriptor |BIO|, it returns the resulting file offset on success. If |bio|\n// is a file |BIO|, it returns zero on success.\n//\n// WARNING: This function's return value conventions differs from most functions\n// in this library.\n//\n// TODO(https://crbug.com/boringssl/465): On platforms where |long| is 32-bit,\n// this function cannot handle 64-bit offsets.\nOPENSSL_EXPORT long BIO_seek(BIO *bio, long offset);\n\n\n// Socket BIOs.\n//\n// Socket BIOs behave like file descriptor BIOs but, on Windows systems, wrap\n// the system's |recv| and |send| functions instead of |read| and |write|. On\n// Windows, file descriptors are provided by C runtime and are not\n// interchangeable with sockets.\n//\n// Socket BIOs may be used with |BIO_set_fd| and |BIO_get_fd|.\n//\n// TODO(davidben): Add separate APIs and fix the internals to use |SOCKET|s\n// around rather than rely on int casts.\n\n#if !defined(OPENSSL_NO_SOCK)\nOPENSSL_EXPORT const BIO_METHOD *BIO_s_socket(void);\n\n// BIO_new_socket allocates and initialises a fresh BIO which will read and\n// write to the socket |fd|. If |close_flag| is |BIO_CLOSE| then closing the\n// BIO will close |fd|. It returns the fresh |BIO| or NULL on error.\nOPENSSL_EXPORT BIO *BIO_new_socket(int fd, int close_flag);\n#endif // !OPENSSL_NO_SOCK\n\n\n// Connect BIOs.\n//\n// A connection BIO creates a network connection and transfers data over the\n// resulting socket.\n\n#if !defined(OPENSSL_NO_SOCK)\nOPENSSL_EXPORT const BIO_METHOD *BIO_s_connect(void);\n\n// BIO_new_connect returns a BIO that connects to the given hostname and port.\n// The |host_and_optional_port| argument should be of the form\n// \"www.example.com\" or \"www.example.com:443\". If the port is omitted, it must\n// be provided with |BIO_set_conn_port|.\n//\n// It returns the new BIO on success, or NULL on error.\nOPENSSL_EXPORT BIO *BIO_new_connect(const char *host_and_optional_port);\n\n// BIO_set_conn_hostname sets |host_and_optional_port| as the hostname and\n// optional port that |bio| will connect to. If the port is omitted, it must be\n// provided with |BIO_set_conn_port|.\n//\n// It returns one on success and zero otherwise.\nOPENSSL_EXPORT int BIO_set_conn_hostname(BIO *bio,\n const char *host_and_optional_port);\n\n// BIO_set_conn_port sets |port_str| as the port or service name that |bio|\n// will connect to. It returns one on success and zero otherwise.\nOPENSSL_EXPORT int BIO_set_conn_port(BIO *bio, const char *port_str);\n\n// BIO_set_conn_int_port sets |*port| as the port that |bio| will connect to.\n// It returns one on success and zero otherwise.\nOPENSSL_EXPORT int BIO_set_conn_int_port(BIO *bio, const int *port);\n\n// BIO_set_nbio sets whether |bio| will use non-blocking I/O operations. It\n// returns one on success and zero otherwise. This only works for connect BIOs\n// and must be called before |bio| is connected to take effect.\n//\n// For socket and fd BIOs, callers must configure blocking vs. non-blocking I/O\n// using the underlying platform APIs.\nOPENSSL_EXPORT int BIO_set_nbio(BIO *bio, int on);\n\n// BIO_do_connect connects |bio| if it has not been connected yet. It returns\n// one on success and <= 0 otherwise.\nOPENSSL_EXPORT int BIO_do_connect(BIO *bio);\n#endif // !OPENSSL_NO_SOCK\n\n\n// Datagram BIOs.\n//\n// TODO(fork): not implemented.\n\n#define BIO_CTRL_DGRAM_QUERY_MTU 40 // as kernel for current MTU\n\n#define BIO_CTRL_DGRAM_SET_MTU 42 /* set cached value for MTU. want to use\n this if asking the kernel fails */\n\n#define BIO_CTRL_DGRAM_MTU_EXCEEDED 43 /* check whether the MTU was exceed in\n the previous write operation. */\n\n// BIO_CTRL_DGRAM_SET_NEXT_TIMEOUT is unsupported as it is unused by consumers\n// and depends on |timeval|, which is not 2038-clean on all platforms.\n\n#define BIO_CTRL_DGRAM_GET_PEER 46\n\n#define BIO_CTRL_DGRAM_GET_FALLBACK_MTU 47\n\n\n// BIO Pairs.\n//\n// BIO pairs provide a \"loopback\" like system: a pair of BIOs where data\n// written to one can be read from the other and vice versa.\n\n// BIO_new_bio_pair sets |*out1| and |*out2| to two freshly created BIOs where\n// data written to one can be read from the other and vice versa. The\n// |writebuf1| argument gives the size of the buffer used in |*out1| and\n// |writebuf2| for |*out2|. It returns one on success and zero on error.\nOPENSSL_EXPORT int BIO_new_bio_pair(BIO **out1, size_t writebuf1, BIO **out2,\n size_t writebuf2);\n\n// BIO_ctrl_get_read_request returns the number of bytes that the other side of\n// |bio| tried (unsuccessfully) to read.\nOPENSSL_EXPORT size_t BIO_ctrl_get_read_request(BIO *bio);\n\n// BIO_ctrl_get_write_guarantee returns the number of bytes that |bio| (which\n// must have been returned by |BIO_new_bio_pair|) will accept on the next\n// |BIO_write| call.\nOPENSSL_EXPORT size_t BIO_ctrl_get_write_guarantee(BIO *bio);\n\n// BIO_shutdown_wr marks |bio| as closed, from the point of view of the other\n// side of the pair. Future |BIO_write| calls on |bio| will fail. It returns\n// one on success and zero otherwise.\nOPENSSL_EXPORT int BIO_shutdown_wr(BIO *bio);\n\n\n// Custom BIOs.\n//\n// Consumers can create custom |BIO|s by filling in a |BIO_METHOD| and using\n// low-level control functions to set state.\n\n// BIO_get_new_index returns a new \"type\" value for a custom |BIO|.\nOPENSSL_EXPORT int BIO_get_new_index(void);\n\n// BIO_meth_new returns a newly-allocated |BIO_METHOD| or NULL on allocation\n// error. The |type| specifies the type that will be returned by\n// |BIO_method_type|. If this is unnecessary, this value may be zero. The |name|\n// parameter is vestigial and may be NULL.\n//\n// Use the |BIO_meth_set_*| functions below to initialize the |BIO_METHOD|. The\n// function implementations may use |BIO_set_data| and |BIO_get_data| to add\n// method-specific state to associated |BIO|s. Additionally, |BIO_set_init| must\n// be called after an associated |BIO| is fully initialized. State set via\n// |BIO_set_data| may be released by configuring a destructor with\n// |BIO_meth_set_destroy|.\nOPENSSL_EXPORT BIO_METHOD *BIO_meth_new(int type, const char *name);\n\n// BIO_meth_free releases memory associated with |method|.\nOPENSSL_EXPORT void BIO_meth_free(BIO_METHOD *method);\n\n// BIO_meth_set_create sets a function to be called on |BIO_new| for |method|\n// and returns one. The function should return one on success and zero on\n// error.\nOPENSSL_EXPORT int BIO_meth_set_create(BIO_METHOD *method,\n int (*create_func)(BIO *));\n\n// BIO_meth_set_destroy sets a function to release data associated with a |BIO|\n// and returns one. The function's return value is ignored.\nOPENSSL_EXPORT int BIO_meth_set_destroy(BIO_METHOD *method,\n int (*destroy_func)(BIO *));\n\n// BIO_meth_set_write sets the implementation of |BIO_write| for |method| and\n// returns one. |BIO_METHOD|s which implement |BIO_write| should also implement\n// |BIO_CTRL_FLUSH|. (See |BIO_meth_set_ctrl|.)\nOPENSSL_EXPORT int BIO_meth_set_write(BIO_METHOD *method,\n int (*write_func)(BIO *, const char *,\n int));\n\n// BIO_meth_set_read sets the implementation of |BIO_read| for |method| and\n// returns one.\nOPENSSL_EXPORT int BIO_meth_set_read(BIO_METHOD *method,\n int (*read_func)(BIO *, char *, int));\n\n// BIO_meth_set_gets sets the implementation of |BIO_gets| for |method| and\n// returns one.\nOPENSSL_EXPORT int BIO_meth_set_gets(BIO_METHOD *method,\n int (*gets_func)(BIO *, char *, int));\n\n// BIO_meth_set_ctrl sets the implementation of |BIO_ctrl| for |method| and\n// returns one.\nOPENSSL_EXPORT int BIO_meth_set_ctrl(BIO_METHOD *method,\n long (*ctrl_func)(BIO *, int, long,\n void *));\n\n// BIO_set_data sets custom data on |bio|. It may be retried with\n// |BIO_get_data|.\n//\n// This function should only be called by the implementation of a custom |BIO|.\n// In particular, the data pointer of a built-in |BIO| is private to the\n// library. For other uses, see |BIO_set_ex_data| and |BIO_set_app_data|.\nOPENSSL_EXPORT void BIO_set_data(BIO *bio, void *ptr);\n\n// BIO_get_data returns custom data on |bio| set by |BIO_get_data|.\n//\n// This function should only be called by the implementation of a custom |BIO|.\n// In particular, the data pointer of a built-in |BIO| is private to the\n// library. For other uses, see |BIO_get_ex_data| and |BIO_get_app_data|.\nOPENSSL_EXPORT void *BIO_get_data(BIO *bio);\n\n// BIO_set_init sets whether |bio| has been fully initialized. Until fully\n// initialized, |BIO_read| and |BIO_write| will fail.\nOPENSSL_EXPORT void BIO_set_init(BIO *bio, int init);\n\n// BIO_get_init returns whether |bio| has been fully initialized.\nOPENSSL_EXPORT int BIO_get_init(BIO *bio);\n\n// These are values of the |cmd| argument to |BIO_ctrl|.\n\n// BIO_CTRL_RESET implements |BIO_reset|. The arguments are unused.\n#define BIO_CTRL_RESET 1\n\n// BIO_CTRL_EOF implements |BIO_eof|. The arguments are unused.\n#define BIO_CTRL_EOF 2\n\n// BIO_CTRL_INFO is a legacy command that returns information specific to the\n// type of |BIO|. It is not safe to call generically and should not be\n// implemented in new |BIO| types.\n#define BIO_CTRL_INFO 3\n\n// BIO_CTRL_GET_CLOSE returns the close flag set by |BIO_CTRL_SET_CLOSE|. The\n// arguments are unused.\n#define BIO_CTRL_GET_CLOSE 8\n\n// BIO_CTRL_SET_CLOSE implements |BIO_set_close|. The |larg| argument is the\n// close flag.\n#define BIO_CTRL_SET_CLOSE 9\n\n// BIO_CTRL_PENDING implements |BIO_pending|. The arguments are unused.\n#define BIO_CTRL_PENDING 10\n\n// BIO_CTRL_FLUSH implements |BIO_flush|. The arguments are unused.\n#define BIO_CTRL_FLUSH 11\n\n// BIO_CTRL_WPENDING implements |BIO_wpending|. The arguments are unused.\n#define BIO_CTRL_WPENDING 13\n\n// BIO_CTRL_SET_CALLBACK sets an informational callback of type\n// int cb(BIO *bio, int state, int ret)\n#define BIO_CTRL_SET_CALLBACK 14\n\n// BIO_CTRL_GET_CALLBACK returns the callback set by |BIO_CTRL_SET_CALLBACK|.\n#define BIO_CTRL_GET_CALLBACK 15\n\n// The following are never used, but are defined to aid porting existing code.\n#define BIO_CTRL_SET 4\n#define BIO_CTRL_GET 5\n#define BIO_CTRL_PUSH 6\n#define BIO_CTRL_POP 7\n#define BIO_CTRL_DUP 12\n#define BIO_CTRL_SET_FILENAME 30\n\n\n// ex_data functions.\n//\n// See |ex_data.h| for details.\n\nOPENSSL_EXPORT int BIO_get_ex_new_index(long argl, void *argp,\n CRYPTO_EX_unused *unused,\n CRYPTO_EX_dup *dup_unused,\n CRYPTO_EX_free *free_func);\nOPENSSL_EXPORT int BIO_set_ex_data(BIO *bio, int idx, void *arg);\nOPENSSL_EXPORT void *BIO_get_ex_data(const BIO *bio, int idx);\n\n#define BIO_set_app_data(bio, arg) (BIO_set_ex_data(bio, 0, (char *)(arg)))\n#define BIO_get_app_data(bio) (BIO_get_ex_data(bio, 0))\n\n\n// Deprecated functions.\n\n// BIO_f_base64 returns a filter |BIO| that base64-encodes data written into\n// it, and decodes data read from it. |BIO_gets| is not supported. Call\n// |BIO_flush| when done writing, to signal that no more data are to be\n// encoded. The flag |BIO_FLAGS_BASE64_NO_NL| may be set to encode all the data\n// on one line.\n//\n// Use |EVP_EncodeBlock| and |EVP_DecodeBase64| instead.\nOPENSSL_EXPORT const BIO_METHOD *BIO_f_base64(void);\n\nOPENSSL_EXPORT void BIO_set_retry_special(BIO *bio);\n\n// BIO_set_write_buffer_size returns zero.\nOPENSSL_EXPORT int BIO_set_write_buffer_size(BIO *bio, int buffer_size);\n\n// BIO_set_shutdown sets a method-specific \"shutdown\" bit on |bio|.\nOPENSSL_EXPORT void BIO_set_shutdown(BIO *bio, int shutdown);\n\n// BIO_get_shutdown returns the method-specific \"shutdown\" bit.\nOPENSSL_EXPORT int BIO_get_shutdown(BIO *bio);\n\n// BIO_meth_set_puts returns one. |BIO_puts| is implemented with |BIO_write| in\n// BoringSSL.\nOPENSSL_EXPORT int BIO_meth_set_puts(BIO_METHOD *method,\n int (*puts)(BIO *, const char *));\n\n\n// Private functions\n\n#define BIO_FLAGS_READ 0x01\n#define BIO_FLAGS_WRITE 0x02\n#define BIO_FLAGS_IO_SPECIAL 0x04\n#define BIO_FLAGS_RWS (BIO_FLAGS_READ | BIO_FLAGS_WRITE | BIO_FLAGS_IO_SPECIAL)\n#define BIO_FLAGS_SHOULD_RETRY 0x08\n#define BIO_FLAGS_BASE64_NO_NL 0x100\n// BIO_FLAGS_MEM_RDONLY is used with memory BIOs. It means we shouldn't free up\n// or change the data in any way.\n#define BIO_FLAGS_MEM_RDONLY 0x200\n\n// BIO_TYPE_DESCRIPTOR denotes that the |BIO| responds to the |BIO_C_SET_FD|\n// (|BIO_set_fd|) and |BIO_C_GET_FD| (|BIO_get_fd|) control hooks.\n#define BIO_TYPE_DESCRIPTOR 0x0100 // socket, fd, connect or accept\n#define BIO_TYPE_FILTER 0x0200\n#define BIO_TYPE_SOURCE_SINK 0x0400\n\n// These are the 'types' of BIOs\n#define BIO_TYPE_NONE 0\n#define BIO_TYPE_MEM (1 | BIO_TYPE_SOURCE_SINK)\n#define BIO_TYPE_FILE (2 | BIO_TYPE_SOURCE_SINK)\n#define BIO_TYPE_FD (4 | BIO_TYPE_SOURCE_SINK | BIO_TYPE_DESCRIPTOR)\n#define BIO_TYPE_SOCKET (5 | BIO_TYPE_SOURCE_SINK | BIO_TYPE_DESCRIPTOR)\n#define BIO_TYPE_NULL (6 | BIO_TYPE_SOURCE_SINK)\n#define BIO_TYPE_SSL (7 | BIO_TYPE_FILTER)\n#define BIO_TYPE_MD (8 | BIO_TYPE_FILTER)\n#define BIO_TYPE_BUFFER (9 | BIO_TYPE_FILTER)\n#define BIO_TYPE_CIPHER (10 | BIO_TYPE_FILTER)\n#define BIO_TYPE_BASE64 (11 | BIO_TYPE_FILTER)\n#define BIO_TYPE_CONNECT (12 | BIO_TYPE_SOURCE_SINK | BIO_TYPE_DESCRIPTOR)\n#define BIO_TYPE_ACCEPT (13 | BIO_TYPE_SOURCE_SINK | BIO_TYPE_DESCRIPTOR)\n#define BIO_TYPE_PROXY_CLIENT (14 | BIO_TYPE_FILTER)\n#define BIO_TYPE_PROXY_SERVER (15 | BIO_TYPE_FILTER)\n#define BIO_TYPE_NBIO_TEST (16 | BIO_TYPE_FILTER)\n#define BIO_TYPE_NULL_FILTER (17 | BIO_TYPE_FILTER)\n#define BIO_TYPE_BER (18 | BIO_TYPE_FILTER) // BER -> bin filter\n#define BIO_TYPE_BIO (19 | BIO_TYPE_SOURCE_SINK) // (half a) BIO pair\n#define BIO_TYPE_LINEBUFFER (20 | BIO_TYPE_FILTER)\n#define BIO_TYPE_DGRAM (21 | BIO_TYPE_SOURCE_SINK | BIO_TYPE_DESCRIPTOR)\n#define BIO_TYPE_ASN1 (22 | BIO_TYPE_FILTER)\n#define BIO_TYPE_COMP (23 | BIO_TYPE_FILTER)\n\n// BIO_TYPE_START is the first user-allocated |BIO| type. No pre-defined type,\n// flag bits aside, may exceed this value.\n#define BIO_TYPE_START 128\n\nstruct bio_method_st {\n int type;\n const char *name;\n int (*bwrite)(BIO *, const char *, int);\n int (*bread)(BIO *, char *, int);\n // TODO(fork): remove bputs.\n int (*bputs)(BIO *, const char *);\n int (*bgets)(BIO *, char *, int);\n long (*ctrl)(BIO *, int, long, void *);\n int (*create)(BIO *);\n int (*destroy)(BIO *);\n long (*callback_ctrl)(BIO *, int, bio_info_cb);\n};\n\nstruct bio_st {\n const BIO_METHOD *method;\n CRYPTO_EX_DATA ex_data;\n\n // init is non-zero if this |BIO| has been initialised.\n int init;\n // shutdown is often used by specific |BIO_METHOD|s to determine whether\n // they own some underlying resource. This flag can often by controlled by\n // |BIO_set_close|. For example, whether an fd BIO closes the underlying fd\n // when it, itself, is closed.\n int shutdown;\n int flags;\n int retry_reason;\n // num is a BIO-specific value. For example, in fd BIOs it's used to store a\n // file descriptor.\n int num;\n CRYPTO_refcount_t references;\n void *ptr;\n // next_bio points to the next |BIO| in a chain. This |BIO| owns a reference\n // to |next_bio|.\n BIO *next_bio; // used by filter BIOs\n uint64_t num_read, num_write;\n};\n\n#define BIO_C_SET_CONNECT 100\n#define BIO_C_DO_STATE_MACHINE 101\n#define BIO_C_SET_NBIO 102\n#define BIO_C_SET_PROXY_PARAM 103\n#define BIO_C_SET_FD 104\n#define BIO_C_GET_FD 105\n#define BIO_C_SET_FILE_PTR 106\n#define BIO_C_GET_FILE_PTR 107\n#define BIO_C_SET_FILENAME 108\n#define BIO_C_SET_SSL 109\n#define BIO_C_SET_MD 111\n#define BIO_C_GET_MD 112\n#define BIO_C_GET_CIPHER_STATUS 113\n#define BIO_C_SET_BUF_MEM 114\n#define BIO_C_GET_BUF_MEM_PTR 115\n#define BIO_C_GET_BUFF_NUM_LINES 116\n#define BIO_C_SET_BUFF_SIZE 117\n#define BIO_C_SET_ACCEPT 118\n#define BIO_C_SSL_MODE 119\n#define BIO_C_GET_MD_CTX 120\n#define BIO_C_GET_PROXY_PARAM 121\n#define BIO_C_SET_BUFF_READ_DATA 122 // data to read first\n#define BIO_C_GET_ACCEPT 124\n#define BIO_C_FILE_SEEK 128\n#define BIO_C_GET_CIPHER_CTX 129\n#define BIO_C_SET_BUF_MEM_EOF_RETURN 130 // return end of input value\n#define BIO_C_SET_BIND_MODE 131\n#define BIO_C_GET_BIND_MODE 132\n#define BIO_C_FILE_TELL 133\n#define BIO_C_GET_SOCKS 134\n#define BIO_C_SET_SOCKS 135\n\n#define BIO_C_SET_WRITE_BUF_SIZE 136 // for BIO_s_bio\n#define BIO_C_GET_WRITE_BUF_SIZE 137\n#define BIO_C_GET_WRITE_GUARANTEE 140\n#define BIO_C_GET_READ_REQUEST 141\n#define BIO_C_SHUTDOWN_WR 142\n#define BIO_C_NREAD0 143\n#define BIO_C_NREAD 144\n#define BIO_C_NWRITE0 145\n#define BIO_C_NWRITE 146\n#define BIO_C_RESET_READ_REQUEST 147\n#define BIO_C_SET_MD_CTX 148\n\n#define BIO_C_SET_PREFIX 149\n#define BIO_C_GET_PREFIX 150\n#define BIO_C_SET_SUFFIX 151\n#define BIO_C_GET_SUFFIX 152\n\n#define BIO_C_SET_EX_ARG 153\n#define BIO_C_GET_EX_ARG 154\n\n\n#if defined(__cplusplus)\n} // extern C\n\nextern \"C++\" {\n\nBSSL_NAMESPACE_BEGIN\n\nBORINGSSL_MAKE_DELETER(BIO, BIO_free)\nBORINGSSL_MAKE_UP_REF(BIO, BIO_up_ref)\nBORINGSSL_MAKE_DELETER(BIO_METHOD, BIO_meth_free)\n\nBSSL_NAMESPACE_END\n\n} // extern C++\n\n#endif\n\n#define BIO_R_BAD_FOPEN_MODE 100\n#define BIO_R_BROKEN_PIPE 101\n#define BIO_R_CONNECT_ERROR 102\n#define BIO_R_ERROR_SETTING_NBIO 103\n#define BIO_R_INVALID_ARGUMENT 104\n#define BIO_R_IN_USE 105\n#define BIO_R_KEEPALIVE 106\n#define BIO_R_NBIO_CONNECT_ERROR 107\n#define BIO_R_NO_HOSTNAME_SPECIFIED 108\n#define BIO_R_NO_PORT_SPECIFIED 109\n#define BIO_R_NO_SUCH_FILE 110\n#define BIO_R_NULL_PARAMETER 111\n#define BIO_R_SYS_LIB 112\n#define BIO_R_UNABLE_TO_CREATE_SOCKET 113\n#define BIO_R_UNINITIALIZED 114\n#define BIO_R_UNSUPPORTED_METHOD 115\n#define BIO_R_WRITE_TO_READ_ONLY_BIO 116\n\n#endif // OPENSSL_HEADER_BIO_H\n" }, { "path": "Sources/CNIOBoringSSL/include/CNIOBoringSSL_blake2.h", "content": "/* Copyright 2021 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n#ifndef OPENSSL_HEADER_BLAKE2_H\n#define OPENSSL_HEADER_BLAKE2_H\n\n#include \"CNIOBoringSSL_base.h\"\n\n#if defined(__cplusplus)\nextern \"C\" {\n#endif\n\n\n#define BLAKE2B256_DIGEST_LENGTH (256 / 8)\n#define BLAKE2B_CBLOCK 128\n\nstruct blake2b_state_st {\n uint64_t h[8];\n uint64_t t_low, t_high;\n uint8_t block[BLAKE2B_CBLOCK];\n size_t block_used;\n};\n\n// BLAKE2B256_Init initialises |b2b| to perform a BLAKE2b-256 hash. There are no\n// pointers inside |b2b| thus release of |b2b| is purely managed by the caller.\nOPENSSL_EXPORT void BLAKE2B256_Init(BLAKE2B_CTX *b2b);\n\n// BLAKE2B256_Update appends |len| bytes from |data| to the digest being\n// calculated by |b2b|.\nOPENSSL_EXPORT void BLAKE2B256_Update(BLAKE2B_CTX *b2b, const void *data,\n size_t len);\n\n// BLAKE2B256_Final completes the digest calculated by |b2b| and writes\n// |BLAKE2B256_DIGEST_LENGTH| bytes to |out|.\nOPENSSL_EXPORT void BLAKE2B256_Final(uint8_t out[BLAKE2B256_DIGEST_LENGTH],\n BLAKE2B_CTX *b2b);\n\n// BLAKE2B256 writes the BLAKE2b-256 digset of |len| bytes from |data| to\n// |out|.\nOPENSSL_EXPORT void BLAKE2B256(const uint8_t *data, size_t len,\n uint8_t out[BLAKE2B256_DIGEST_LENGTH]);\n\n\n#if defined(__cplusplus)\n} // extern C\n#endif\n\n#endif // OPENSSL_HEADER_BLAKE2_H\n" }, { "path": "Sources/CNIOBoringSSL/include/CNIOBoringSSL_blowfish.h", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#ifndef OPENSSL_HEADER_BLOWFISH_H\n#define OPENSSL_HEADER_BLOWFISH_H\n\n#include \"CNIOBoringSSL_base.h\"\n\n#ifdef __cplusplus\nextern \"C\" {\n#endif\n\n\n#define BF_ENCRYPT 1\n#define BF_DECRYPT 0\n\n#define BF_ROUNDS 16\n#define BF_BLOCK 8\n\ntypedef struct bf_key_st {\n uint32_t P[BF_ROUNDS + 2];\n uint32_t S[4 * 256];\n} BF_KEY;\n\nOPENSSL_EXPORT void BF_set_key(BF_KEY *key, size_t len, const uint8_t *data);\nOPENSSL_EXPORT void BF_encrypt(uint32_t *data, const BF_KEY *key);\nOPENSSL_EXPORT void BF_decrypt(uint32_t *data, const BF_KEY *key);\n\nOPENSSL_EXPORT void BF_ecb_encrypt(const uint8_t *in, uint8_t *out,\n const BF_KEY *key, int enc);\nOPENSSL_EXPORT void BF_cbc_encrypt(const uint8_t *in, uint8_t *out,\n size_t length, const BF_KEY *schedule,\n uint8_t *ivec, int enc);\n\n\n#ifdef __cplusplus\n}\n#endif\n\n#endif // OPENSSL_HEADER_BLOWFISH_H\n" }, { "path": "Sources/CNIOBoringSSL/include/CNIOBoringSSL_bn.h", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#ifndef OPENSSL_HEADER_BN_H\n#define OPENSSL_HEADER_BN_H\n\n#include \"CNIOBoringSSL_base.h\"\n#include \"CNIOBoringSSL_thread.h\"\n\n#include \n#include // for FILE*\n\n#if defined(__cplusplus)\nextern \"C\" {\n#endif\n\n\n// BN provides support for working with arbitrary sized integers. For example,\n// although the largest integer supported by the compiler might be 64 bits, BN\n// will allow you to work with much larger numbers.\n//\n// This library is developed for use inside BoringSSL, and uses implementation\n// strategies that may not be ideal for other applications. Non-cryptographic\n// uses should use a more general-purpose integer library, especially if\n// performance-sensitive.\n//\n// Many functions in BN scale quadratically or higher in the bit length of their\n// input. Callers at this layer are assumed to have capped input sizes within\n// their performance tolerances.\n\n\n// BN_ULONG is the native word size when working with big integers.\n//\n// Note: on some platforms, inttypes.h does not define print format macros in\n// C++ unless |__STDC_FORMAT_MACROS| defined. This is due to text in C99 which\n// was never adopted in any C++ standard and explicitly overruled in C++11. As\n// this is a public header, bn.h does not define |__STDC_FORMAT_MACROS| itself.\n// Projects which use |BN_*_FMT*| with outdated C headers may need to define it\n// externally.\n#if defined(OPENSSL_64_BIT)\ntypedef uint64_t BN_ULONG;\n#define BN_BITS2 64\n#define BN_DEC_FMT1 \"%\" PRIu64\n#define BN_HEX_FMT1 \"%\" PRIx64\n#define BN_HEX_FMT2 \"%016\" PRIx64\n#elif defined(OPENSSL_32_BIT)\ntypedef uint32_t BN_ULONG;\n#define BN_BITS2 32\n#define BN_DEC_FMT1 \"%\" PRIu32\n#define BN_HEX_FMT1 \"%\" PRIx32\n#define BN_HEX_FMT2 \"%08\" PRIx32\n#else\n#error \"Must define either OPENSSL_32_BIT or OPENSSL_64_BIT\"\n#endif\n\n\n// Allocation and freeing.\n\n// BN_new creates a new, allocated BIGNUM and initialises it.\nOPENSSL_EXPORT BIGNUM *BN_new(void);\n\n// BN_init initialises a stack allocated |BIGNUM|.\nOPENSSL_EXPORT void BN_init(BIGNUM *bn);\n\n// BN_free frees the data referenced by |bn| and, if |bn| was originally\n// allocated on the heap, frees |bn| also.\nOPENSSL_EXPORT void BN_free(BIGNUM *bn);\n\n// BN_clear_free erases and frees the data referenced by |bn| and, if |bn| was\n// originally allocated on the heap, frees |bn| also.\nOPENSSL_EXPORT void BN_clear_free(BIGNUM *bn);\n\n// BN_dup allocates a new BIGNUM and sets it equal to |src|. It returns the\n// allocated BIGNUM on success or NULL otherwise.\nOPENSSL_EXPORT BIGNUM *BN_dup(const BIGNUM *src);\n\n// BN_copy sets |dest| equal to |src| and returns |dest| or NULL on allocation\n// failure.\nOPENSSL_EXPORT BIGNUM *BN_copy(BIGNUM *dest, const BIGNUM *src);\n\n// BN_clear sets |bn| to zero and erases the old data.\nOPENSSL_EXPORT void BN_clear(BIGNUM *bn);\n\n// BN_value_one returns a static BIGNUM with value 1.\nOPENSSL_EXPORT const BIGNUM *BN_value_one(void);\n\n\n// Basic functions.\n\n// BN_num_bits returns the minimum number of bits needed to represent the\n// absolute value of |bn|.\nOPENSSL_EXPORT unsigned BN_num_bits(const BIGNUM *bn);\n\n// BN_num_bytes returns the minimum number of bytes needed to represent the\n// absolute value of |bn|.\n//\n// While |size_t| is the preferred type for byte counts, callers can assume that\n// |BIGNUM|s are bounded such that this value, and its corresponding bit count,\n// will always fit in |int|.\nOPENSSL_EXPORT unsigned BN_num_bytes(const BIGNUM *bn);\n\n// BN_zero sets |bn| to zero.\nOPENSSL_EXPORT void BN_zero(BIGNUM *bn);\n\n// BN_one sets |bn| to one. It returns one on success or zero on allocation\n// failure.\nOPENSSL_EXPORT int BN_one(BIGNUM *bn);\n\n// BN_set_word sets |bn| to |value|. It returns one on success or zero on\n// allocation failure.\nOPENSSL_EXPORT int BN_set_word(BIGNUM *bn, BN_ULONG value);\n\n// BN_set_u64 sets |bn| to |value|. It returns one on success or zero on\n// allocation failure.\nOPENSSL_EXPORT int BN_set_u64(BIGNUM *bn, uint64_t value);\n\n// BN_set_negative sets the sign of |bn|.\nOPENSSL_EXPORT void BN_set_negative(BIGNUM *bn, int sign);\n\n// BN_is_negative returns one if |bn| is negative and zero otherwise.\nOPENSSL_EXPORT int BN_is_negative(const BIGNUM *bn);\n\n\n// Conversion functions.\n\n// BN_bin2bn sets |*ret| to the value of |len| bytes from |in|, interpreted as\n// a big-endian number, and returns |ret|. If |ret| is NULL then a fresh\n// |BIGNUM| is allocated and returned. It returns NULL on allocation\n// failure.\nOPENSSL_EXPORT BIGNUM *BN_bin2bn(const uint8_t *in, size_t len, BIGNUM *ret);\n\n// BN_bn2bin serialises the absolute value of |in| to |out| as a big-endian\n// integer, which must have |BN_num_bytes| of space available. It returns the\n// number of bytes written. Note this function leaks the magnitude of |in|. If\n// |in| is secret, use |BN_bn2bin_padded| instead.\nOPENSSL_EXPORT size_t BN_bn2bin(const BIGNUM *in, uint8_t *out);\n\n// BN_lebin2bn sets |*ret| to the value of |len| bytes from |in|, interpreted as\n// a little-endian number, and returns |ret|. If |ret| is NULL then a fresh\n// |BIGNUM| is allocated and returned. It returns NULL on allocation\n// failure.\nOPENSSL_EXPORT BIGNUM *BN_lebin2bn(const uint8_t *in, size_t len, BIGNUM *ret);\n\n// BN_bn2le_padded serialises the absolute value of |in| to |out| as a\n// little-endian integer, which must have |len| of space available, padding\n// out the remainder of out with zeros. If |len| is smaller than |BN_num_bytes|,\n// the function fails and returns 0. Otherwise, it returns 1.\nOPENSSL_EXPORT int BN_bn2le_padded(uint8_t *out, size_t len, const BIGNUM *in);\n\n// BN_bn2bin_padded serialises the absolute value of |in| to |out| as a\n// big-endian integer. The integer is padded with leading zeros up to size\n// |len|. If |len| is smaller than |BN_num_bytes|, the function fails and\n// returns 0. Otherwise, it returns 1.\nOPENSSL_EXPORT int BN_bn2bin_padded(uint8_t *out, size_t len, const BIGNUM *in);\n\n// BN_bn2cbb_padded behaves like |BN_bn2bin_padded| but writes to a |CBB|.\nOPENSSL_EXPORT int BN_bn2cbb_padded(CBB *out, size_t len, const BIGNUM *in);\n\n// BN_bn2hex returns an allocated string that contains a NUL-terminated, hex\n// representation of |bn|. If |bn| is negative, the first char in the resulting\n// string will be '-'. Returns NULL on allocation failure.\nOPENSSL_EXPORT char *BN_bn2hex(const BIGNUM *bn);\n\n// BN_hex2bn parses the leading hex number from |in|, which may be proceeded by\n// a '-' to indicate a negative number and may contain trailing, non-hex data.\n// If |outp| is not NULL, it constructs a BIGNUM equal to the hex number and\n// stores it in |*outp|. If |*outp| is NULL then it allocates a new BIGNUM and\n// updates |*outp|. It returns the number of bytes of |in| processed or zero on\n// error.\nOPENSSL_EXPORT int BN_hex2bn(BIGNUM **outp, const char *in);\n\n// BN_bn2dec returns an allocated string that contains a NUL-terminated,\n// decimal representation of |bn|. If |bn| is negative, the first char in the\n// resulting string will be '-'. Returns NULL on allocation failure.\n//\n// Converting an arbitrarily large integer to decimal is quadratic in the bit\n// length of |a|. This function assumes the caller has capped the input within\n// performance tolerances.\nOPENSSL_EXPORT char *BN_bn2dec(const BIGNUM *a);\n\n// BN_dec2bn parses the leading decimal number from |in|, which may be\n// proceeded by a '-' to indicate a negative number and may contain trailing,\n// non-decimal data. If |outp| is not NULL, it constructs a BIGNUM equal to the\n// decimal number and stores it in |*outp|. If |*outp| is NULL then it\n// allocates a new BIGNUM and updates |*outp|. It returns the number of bytes\n// of |in| processed or zero on error.\n//\n// Converting an arbitrarily large integer to decimal is quadratic in the bit\n// length of |a|. This function assumes the caller has capped the input within\n// performance tolerances.\nOPENSSL_EXPORT int BN_dec2bn(BIGNUM **outp, const char *in);\n\n// BN_asc2bn acts like |BN_dec2bn| or |BN_hex2bn| depending on whether |in|\n// begins with \"0X\" or \"0x\" (indicating hex) or not (indicating decimal). A\n// leading '-' is still permitted and comes before the optional 0X/0x. It\n// returns one on success or zero on error.\nOPENSSL_EXPORT int BN_asc2bn(BIGNUM **outp, const char *in);\n\n// BN_print writes a hex encoding of |a| to |bio|. It returns one on success\n// and zero on error.\nOPENSSL_EXPORT int BN_print(BIO *bio, const BIGNUM *a);\n\n// BN_print_fp acts like |BIO_print|, but wraps |fp| in a |BIO| first.\nOPENSSL_EXPORT int BN_print_fp(FILE *fp, const BIGNUM *a);\n\n// BN_get_word returns the absolute value of |bn| as a single word. If |bn| is\n// too large to be represented as a single word, the maximum possible value\n// will be returned.\nOPENSSL_EXPORT BN_ULONG BN_get_word(const BIGNUM *bn);\n\n// BN_get_u64 sets |*out| to the absolute value of |bn| as a |uint64_t| and\n// returns one. If |bn| is too large to be represented as a |uint64_t|, it\n// returns zero.\nOPENSSL_EXPORT int BN_get_u64(const BIGNUM *bn, uint64_t *out);\n\n\n// ASN.1 functions.\n\n// BN_parse_asn1_unsigned parses a non-negative DER INTEGER from |cbs| writes\n// the result to |ret|. It returns one on success and zero on failure.\nOPENSSL_EXPORT int BN_parse_asn1_unsigned(CBS *cbs, BIGNUM *ret);\n\n// BN_marshal_asn1 marshals |bn| as a non-negative DER INTEGER and appends the\n// result to |cbb|. It returns one on success and zero on failure.\nOPENSSL_EXPORT int BN_marshal_asn1(CBB *cbb, const BIGNUM *bn);\n\n\n// BIGNUM pools.\n//\n// Certain BIGNUM operations need to use many temporary variables and\n// allocating and freeing them can be quite slow. Thus such operations typically\n// take a |BN_CTX| parameter, which contains a pool of |BIGNUMs|. The |ctx|\n// argument to a public function may be NULL, in which case a local |BN_CTX|\n// will be created just for the lifetime of that call.\n//\n// A function must call |BN_CTX_start| first. Then, |BN_CTX_get| may be called\n// repeatedly to obtain temporary |BIGNUM|s. All |BN_CTX_get| calls must be made\n// before calling any other functions that use the |ctx| as an argument.\n//\n// Finally, |BN_CTX_end| must be called before returning from the function.\n// When |BN_CTX_end| is called, the |BIGNUM| pointers obtained from\n// |BN_CTX_get| become invalid.\n\n// BN_CTX_new returns a new, empty BN_CTX or NULL on allocation failure.\nOPENSSL_EXPORT BN_CTX *BN_CTX_new(void);\n\n// BN_CTX_free frees all BIGNUMs contained in |ctx| and then frees |ctx|\n// itself.\nOPENSSL_EXPORT void BN_CTX_free(BN_CTX *ctx);\n\n// BN_CTX_start \"pushes\" a new entry onto the |ctx| stack and allows future\n// calls to |BN_CTX_get|.\nOPENSSL_EXPORT void BN_CTX_start(BN_CTX *ctx);\n\n// BN_CTX_get returns a new |BIGNUM|, or NULL on allocation failure. Once\n// |BN_CTX_get| has returned NULL, all future calls will also return NULL until\n// |BN_CTX_end| is called.\nOPENSSL_EXPORT BIGNUM *BN_CTX_get(BN_CTX *ctx);\n\n// BN_CTX_end invalidates all |BIGNUM|s returned from |BN_CTX_get| since the\n// matching |BN_CTX_start| call.\nOPENSSL_EXPORT void BN_CTX_end(BN_CTX *ctx);\n\n\n// Simple arithmetic\n\n// BN_add sets |r| = |a| + |b|, where |r| may be the same pointer as either |a|\n// or |b|. It returns one on success and zero on allocation failure.\nOPENSSL_EXPORT int BN_add(BIGNUM *r, const BIGNUM *a, const BIGNUM *b);\n\n// BN_uadd sets |r| = |a| + |b|, considering only the absolute values of |a| and\n// |b|. |r| may be the same pointer as either |a| or |b|. It returns one on\n// success and zero on allocation failure.\nOPENSSL_EXPORT int BN_uadd(BIGNUM *r, const BIGNUM *a, const BIGNUM *b);\n\n// BN_add_word adds |w| to |a|. It returns one on success and zero otherwise.\nOPENSSL_EXPORT int BN_add_word(BIGNUM *a, BN_ULONG w);\n\n// BN_sub sets |r| = |a| - |b|, where |r| may be the same pointer as either |a|\n// or |b|. It returns one on success and zero on allocation failure.\nOPENSSL_EXPORT int BN_sub(BIGNUM *r, const BIGNUM *a, const BIGNUM *b);\n\n// BN_usub sets |r| = |a| - |b|, considering only the absolute values of |a| and\n// |b|. The result must be non-negative, i.e. |b| <= |a|. |r| may be the same\n// pointer as either |a| or |b|. It returns one on success and zero on error.\nOPENSSL_EXPORT int BN_usub(BIGNUM *r, const BIGNUM *a, const BIGNUM *b);\n\n// BN_sub_word subtracts |w| from |a|. It returns one on success and zero on\n// allocation failure.\nOPENSSL_EXPORT int BN_sub_word(BIGNUM *a, BN_ULONG w);\n\n// BN_mul sets |r| = |a| * |b|, where |r| may be the same pointer as |a| or\n// |b|. Returns one on success and zero otherwise.\nOPENSSL_EXPORT int BN_mul(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,\n BN_CTX *ctx);\n\n// BN_mul_word sets |bn| = |bn| * |w|. It returns one on success or zero on\n// allocation failure.\nOPENSSL_EXPORT int BN_mul_word(BIGNUM *bn, BN_ULONG w);\n\n// BN_sqr sets |r| = |a|^2 (i.e. squares), where |r| may be the same pointer as\n// |a|. Returns one on success and zero otherwise. This is more efficient than\n// BN_mul(r, a, a, ctx).\nOPENSSL_EXPORT int BN_sqr(BIGNUM *r, const BIGNUM *a, BN_CTX *ctx);\n\n// BN_div divides |numerator| by |divisor| and places the result in |quotient|\n// and the remainder in |rem|. Either of |quotient| or |rem| may be NULL, in\n// which case the respective value is not returned. It returns one on success or\n// zero on error. It is an error condition if |divisor| is zero.\n//\n// The outputs will be such that |quotient| * |divisor| + |rem| = |numerator|,\n// with the quotient rounded towards zero. Thus, if |numerator| is negative,\n// |rem| will be zero or negative. If |divisor| is negative, the sign of\n// |quotient| will be flipped to compensate but otherwise rounding will be as if\n// |divisor| were its absolute value.\nOPENSSL_EXPORT int BN_div(BIGNUM *quotient, BIGNUM *rem,\n const BIGNUM *numerator, const BIGNUM *divisor,\n BN_CTX *ctx);\n\n// BN_div_word sets |numerator| = |numerator|/|divisor| and returns the\n// remainder or (BN_ULONG)-1 on error.\nOPENSSL_EXPORT BN_ULONG BN_div_word(BIGNUM *numerator, BN_ULONG divisor);\n\n// BN_sqrt sets |*out_sqrt| (which may be the same |BIGNUM| as |in|) to the\n// square root of |in|, using |ctx|. It returns one on success or zero on\n// error. Negative numbers and non-square numbers will result in an error with\n// appropriate errors on the error queue.\nOPENSSL_EXPORT int BN_sqrt(BIGNUM *out_sqrt, const BIGNUM *in, BN_CTX *ctx);\n\n\n// Comparison functions\n\n// BN_cmp returns a value less than, equal to or greater than zero if |a| is\n// less than, equal to or greater than |b|, respectively.\nOPENSSL_EXPORT int BN_cmp(const BIGNUM *a, const BIGNUM *b);\n\n// BN_cmp_word is like |BN_cmp| except it takes its second argument as a\n// |BN_ULONG| instead of a |BIGNUM|.\nOPENSSL_EXPORT int BN_cmp_word(const BIGNUM *a, BN_ULONG b);\n\n// BN_ucmp returns a value less than, equal to or greater than zero if the\n// absolute value of |a| is less than, equal to or greater than the absolute\n// value of |b|, respectively.\nOPENSSL_EXPORT int BN_ucmp(const BIGNUM *a, const BIGNUM *b);\n\n// BN_equal_consttime returns one if |a| is equal to |b|, and zero otherwise.\n// It takes an amount of time dependent on the sizes of |a| and |b|, but\n// independent of the contents (including the signs) of |a| and |b|.\nOPENSSL_EXPORT int BN_equal_consttime(const BIGNUM *a, const BIGNUM *b);\n\n// BN_abs_is_word returns one if the absolute value of |bn| equals |w| and zero\n// otherwise.\nOPENSSL_EXPORT int BN_abs_is_word(const BIGNUM *bn, BN_ULONG w);\n\n// BN_is_zero returns one if |bn| is zero and zero otherwise.\nOPENSSL_EXPORT int BN_is_zero(const BIGNUM *bn);\n\n// BN_is_one returns one if |bn| equals one and zero otherwise.\nOPENSSL_EXPORT int BN_is_one(const BIGNUM *bn);\n\n// BN_is_word returns one if |bn| is exactly |w| and zero otherwise.\nOPENSSL_EXPORT int BN_is_word(const BIGNUM *bn, BN_ULONG w);\n\n// BN_is_odd returns one if |bn| is odd and zero otherwise.\nOPENSSL_EXPORT int BN_is_odd(const BIGNUM *bn);\n\n// BN_is_pow2 returns 1 if |a| is a power of two, and 0 otherwise.\nOPENSSL_EXPORT int BN_is_pow2(const BIGNUM *a);\n\n\n// Bitwise operations.\n\n// BN_lshift sets |r| equal to |a| << n. The |a| and |r| arguments may be the\n// same |BIGNUM|. It returns one on success and zero on allocation failure.\nOPENSSL_EXPORT int BN_lshift(BIGNUM *r, const BIGNUM *a, int n);\n\n// BN_lshift1 sets |r| equal to |a| << 1, where |r| and |a| may be the same\n// pointer. It returns one on success and zero on allocation failure.\nOPENSSL_EXPORT int BN_lshift1(BIGNUM *r, const BIGNUM *a);\n\n// BN_rshift sets |r| equal to |a| >> n, where |r| and |a| may be the same\n// pointer. It returns one on success and zero on allocation failure.\nOPENSSL_EXPORT int BN_rshift(BIGNUM *r, const BIGNUM *a, int n);\n\n// BN_rshift1 sets |r| equal to |a| >> 1, where |r| and |a| may be the same\n// pointer. It returns one on success and zero on allocation failure.\nOPENSSL_EXPORT int BN_rshift1(BIGNUM *r, const BIGNUM *a);\n\n// BN_set_bit sets the |n|th, least-significant bit in |a|. For example, if |a|\n// is 2 then setting bit zero will make it 3. It returns one on success or zero\n// on allocation failure.\nOPENSSL_EXPORT int BN_set_bit(BIGNUM *a, int n);\n\n// BN_clear_bit clears the |n|th, least-significant bit in |a|. For example, if\n// |a| is 3, clearing bit zero will make it two. It returns one on success or\n// zero on allocation failure.\nOPENSSL_EXPORT int BN_clear_bit(BIGNUM *a, int n);\n\n// BN_is_bit_set returns one if the |n|th least-significant bit in |a| exists\n// and is set. Otherwise, it returns zero.\nOPENSSL_EXPORT int BN_is_bit_set(const BIGNUM *a, int n);\n\n// BN_mask_bits truncates |a| so that it is only |n| bits long. It returns one\n// on success or zero if |n| is negative.\n//\n// This differs from OpenSSL which additionally returns zero if |a|'s word\n// length is less than or equal to |n|, rounded down to a number of words. Note\n// word size is platform-dependent, so this behavior is also difficult to rely\n// on in OpenSSL and not very useful.\nOPENSSL_EXPORT int BN_mask_bits(BIGNUM *a, int n);\n\n// BN_count_low_zero_bits returns the number of low-order zero bits in |bn|, or\n// the number of factors of two which divide it. It returns zero if |bn| is\n// zero.\nOPENSSL_EXPORT int BN_count_low_zero_bits(const BIGNUM *bn);\n\n\n// Modulo arithmetic.\n\n// BN_mod_word returns |a| mod |w| or (BN_ULONG)-1 on error.\nOPENSSL_EXPORT BN_ULONG BN_mod_word(const BIGNUM *a, BN_ULONG w);\n\n// BN_mod_pow2 sets |r| = |a| mod 2^|e|. It returns 1 on success and\n// 0 on error.\nOPENSSL_EXPORT int BN_mod_pow2(BIGNUM *r, const BIGNUM *a, size_t e);\n\n// BN_nnmod_pow2 sets |r| = |a| mod 2^|e| where |r| is always positive.\n// It returns 1 on success and 0 on error.\nOPENSSL_EXPORT int BN_nnmod_pow2(BIGNUM *r, const BIGNUM *a, size_t e);\n\n// BN_mod is a helper macro that calls |BN_div| and discards the quotient.\n#define BN_mod(rem, numerator, divisor, ctx) \\\n BN_div(NULL, (rem), (numerator), (divisor), (ctx))\n\n// BN_nnmod is a non-negative modulo function. It acts like |BN_mod|, but 0 <=\n// |rem| < |divisor| is always true. It returns one on success and zero on\n// error.\nOPENSSL_EXPORT int BN_nnmod(BIGNUM *rem, const BIGNUM *numerator,\n const BIGNUM *divisor, BN_CTX *ctx);\n\n// BN_mod_add sets |r| = |a| + |b| mod |m|. It returns one on success and zero\n// on error.\nOPENSSL_EXPORT int BN_mod_add(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,\n const BIGNUM *m, BN_CTX *ctx);\n\n// BN_mod_add_quick acts like |BN_mod_add| but requires that |a| and |b| be\n// non-negative and less than |m|.\nOPENSSL_EXPORT int BN_mod_add_quick(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,\n const BIGNUM *m);\n\n// BN_mod_sub sets |r| = |a| - |b| mod |m|. It returns one on success and zero\n// on error.\nOPENSSL_EXPORT int BN_mod_sub(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,\n const BIGNUM *m, BN_CTX *ctx);\n\n// BN_mod_sub_quick acts like |BN_mod_sub| but requires that |a| and |b| be\n// non-negative and less than |m|.\nOPENSSL_EXPORT int BN_mod_sub_quick(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,\n const BIGNUM *m);\n\n// BN_mod_mul sets |r| = |a|*|b| mod |m|. It returns one on success and zero\n// on error.\nOPENSSL_EXPORT int BN_mod_mul(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,\n const BIGNUM *m, BN_CTX *ctx);\n\n// BN_mod_sqr sets |r| = |a|^2 mod |m|. It returns one on success and zero\n// on error.\nOPENSSL_EXPORT int BN_mod_sqr(BIGNUM *r, const BIGNUM *a, const BIGNUM *m,\n BN_CTX *ctx);\n\n// BN_mod_lshift sets |r| = (|a| << n) mod |m|, where |r| and |a| may be the\n// same pointer. It returns one on success and zero on error.\nOPENSSL_EXPORT int BN_mod_lshift(BIGNUM *r, const BIGNUM *a, int n,\n const BIGNUM *m, BN_CTX *ctx);\n\n// BN_mod_lshift_quick acts like |BN_mod_lshift| but requires that |a| be\n// non-negative and less than |m|.\nOPENSSL_EXPORT int BN_mod_lshift_quick(BIGNUM *r, const BIGNUM *a, int n,\n const BIGNUM *m);\n\n// BN_mod_lshift1 sets |r| = (|a| << 1) mod |m|, where |r| and |a| may be the\n// same pointer. It returns one on success and zero on error.\nOPENSSL_EXPORT int BN_mod_lshift1(BIGNUM *r, const BIGNUM *a, const BIGNUM *m,\n BN_CTX *ctx);\n\n// BN_mod_lshift1_quick acts like |BN_mod_lshift1| but requires that |a| be\n// non-negative and less than |m|.\nOPENSSL_EXPORT int BN_mod_lshift1_quick(BIGNUM *r, const BIGNUM *a,\n const BIGNUM *m);\n\n// BN_mod_sqrt returns a newly-allocated |BIGNUM|, r, such that\n// r^2 == a (mod p). It returns NULL on error or if |a| is not a square mod |p|.\n// In the latter case, it will add |BN_R_NOT_A_SQUARE| to the error queue.\n// If |a| is a square and |p| > 2, there are two possible square roots. This\n// function may return either and may even select one non-deterministically.\n//\n// This function only works if |p| is a prime. If |p| is composite, it may fail\n// or return an arbitrary value. Callers should not pass attacker-controlled\n// values of |p|.\nOPENSSL_EXPORT BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p,\n BN_CTX *ctx);\n\n\n// Random and prime number generation.\n\n// The following are values for the |top| parameter of |BN_rand|.\n#define BN_RAND_TOP_ANY (-1)\n#define BN_RAND_TOP_ONE 0\n#define BN_RAND_TOP_TWO 1\n\n// The following are values for the |bottom| parameter of |BN_rand|.\n#define BN_RAND_BOTTOM_ANY 0\n#define BN_RAND_BOTTOM_ODD 1\n\n// BN_rand sets |rnd| to a random number of length |bits|. It returns one on\n// success and zero otherwise.\n//\n// |top| must be one of the |BN_RAND_TOP_*| values. If |BN_RAND_TOP_ONE|, the\n// most-significant bit, if any, will be set. If |BN_RAND_TOP_TWO|, the two\n// most significant bits, if any, will be set. If |BN_RAND_TOP_ANY|, no extra\n// action will be taken and |BN_num_bits(rnd)| may not equal |bits| if the most\n// significant bits randomly ended up as zeros.\n//\n// |bottom| must be one of the |BN_RAND_BOTTOM_*| values. If\n// |BN_RAND_BOTTOM_ODD|, the least-significant bit, if any, will be set. If\n// |BN_RAND_BOTTOM_ANY|, no extra action will be taken.\nOPENSSL_EXPORT int BN_rand(BIGNUM *rnd, int bits, int top, int bottom);\n\n// BN_pseudo_rand is an alias for |BN_rand|.\nOPENSSL_EXPORT int BN_pseudo_rand(BIGNUM *rnd, int bits, int top, int bottom);\n\n// BN_rand_range is equivalent to |BN_rand_range_ex| with |min_inclusive| set\n// to zero and |max_exclusive| set to |range|.\nOPENSSL_EXPORT int BN_rand_range(BIGNUM *rnd, const BIGNUM *range);\n\n// BN_rand_range_ex sets |rnd| to a random value in\n// [min_inclusive..max_exclusive). It returns one on success and zero\n// otherwise.\nOPENSSL_EXPORT int BN_rand_range_ex(BIGNUM *r, BN_ULONG min_inclusive,\n const BIGNUM *max_exclusive);\n\n// BN_pseudo_rand_range is an alias for BN_rand_range.\nOPENSSL_EXPORT int BN_pseudo_rand_range(BIGNUM *rnd, const BIGNUM *range);\n\n#define BN_GENCB_GENERATED 0\n#define BN_GENCB_PRIME_TEST 1\n\n// bn_gencb_st, or |BN_GENCB|, holds a callback function that is used by\n// generation functions that can take a very long time to complete. Use\n// |BN_GENCB_set| to initialise a |BN_GENCB| structure.\n//\n// The callback receives the address of that |BN_GENCB| structure as its last\n// argument and the user is free to put an arbitrary pointer in |arg|. The other\n// arguments are set as follows:\n// - event=BN_GENCB_GENERATED, n=i: after generating the i'th possible prime\n// number.\n// - event=BN_GENCB_PRIME_TEST, n=-1: when finished trial division primality\n// checks.\n// - event=BN_GENCB_PRIME_TEST, n=i: when the i'th primality test has finished.\n//\n// The callback can return zero to abort the generation progress or one to\n// allow it to continue.\n//\n// When other code needs to call a BN generation function it will often take a\n// BN_GENCB argument and may call the function with other argument values.\nstruct bn_gencb_st {\n void *arg; // callback-specific data\n int (*callback)(int event, int n, struct bn_gencb_st *);\n};\n\n// BN_GENCB_new returns a newly-allocated |BN_GENCB| object, or NULL on\n// allocation failure. The result must be released with |BN_GENCB_free| when\n// done.\nOPENSSL_EXPORT BN_GENCB *BN_GENCB_new(void);\n\n// BN_GENCB_free releases memory associated with |callback|.\nOPENSSL_EXPORT void BN_GENCB_free(BN_GENCB *callback);\n\n// BN_GENCB_set configures |callback| to call |f| and sets |callout->arg| to\n// |arg|.\nOPENSSL_EXPORT void BN_GENCB_set(BN_GENCB *callback,\n int (*f)(int event, int n, BN_GENCB *),\n void *arg);\n\n// BN_GENCB_call calls |callback|, if not NULL, and returns the return value of\n// the callback, or 1 if |callback| is NULL.\nOPENSSL_EXPORT int BN_GENCB_call(BN_GENCB *callback, int event, int n);\n\n// BN_GENCB_get_arg returns |callback->arg|.\nOPENSSL_EXPORT void *BN_GENCB_get_arg(const BN_GENCB *callback);\n\n// BN_generate_prime_ex sets |ret| to a prime number of |bits| length. If safe\n// is non-zero then the prime will be such that (ret-1)/2 is also a prime.\n// (This is needed for Diffie-Hellman groups to ensure that the only subgroups\n// are of size 2 and (p-1)/2.).\n//\n// If |add| is not NULL, the prime will fulfill the condition |ret| % |add| ==\n// |rem| in order to suit a given generator. (If |rem| is NULL then |ret| %\n// |add| == 1.)\n//\n// If |cb| is not NULL, it will be called during processing to give an\n// indication of progress. See the comments for |BN_GENCB|. It returns one on\n// success and zero otherwise.\nOPENSSL_EXPORT int BN_generate_prime_ex(BIGNUM *ret, int bits, int safe,\n const BIGNUM *add, const BIGNUM *rem,\n BN_GENCB *cb);\n\n// BN_prime_checks_for_validation can be used as the |checks| argument to the\n// primarily testing functions when validating an externally-supplied candidate\n// prime. It gives a false positive rate of at most 2^{-128}. (The worst case\n// false positive rate for a single iteration is 1/4 per\n// https://eprint.iacr.org/2018/749. (1/4)^64 = 2^{-128}.)\n#define BN_prime_checks_for_validation 64\n\n// BN_prime_checks_for_generation can be used as the |checks| argument to the\n// primality testing functions when generating random primes. It gives a false\n// positive rate at most the security level of the corresponding RSA key size.\n//\n// Note this value only performs enough checks if the candidate prime was\n// selected randomly. If validating an externally-supplied candidate, especially\n// one that may be selected adversarially, use |BN_prime_checks_for_validation|\n// instead.\n#define BN_prime_checks_for_generation 0\n\n// bn_primality_result_t enumerates the outcomes of primality-testing.\nenum bn_primality_result_t {\n bn_probably_prime,\n bn_composite,\n bn_non_prime_power_composite,\n};\n\n// BN_enhanced_miller_rabin_primality_test tests whether |w| is probably a prime\n// number using the Enhanced Miller-Rabin Test (FIPS 186-4 C.3.2) with\n// |checks| iterations and returns the result in |out_result|. Enhanced\n// Miller-Rabin tests primality for odd integers greater than 3, returning\n// |bn_probably_prime| if the number is probably prime,\n// |bn_non_prime_power_composite| if the number is a composite that is not the\n// power of a single prime, and |bn_composite| otherwise. It returns one on\n// success and zero on failure. If |cb| is not NULL, then it is called during\n// each iteration of the primality test.\n//\n// See |BN_prime_checks_for_validation| and |BN_prime_checks_for_generation| for\n// recommended values of |checks|.\nOPENSSL_EXPORT int BN_enhanced_miller_rabin_primality_test(\n enum bn_primality_result_t *out_result, const BIGNUM *w, int checks,\n BN_CTX *ctx, BN_GENCB *cb);\n\n// BN_primality_test sets |*is_probably_prime| to one if |candidate| is\n// probably a prime number by the Miller-Rabin test or zero if it's certainly\n// not.\n//\n// If |do_trial_division| is non-zero then |candidate| will be tested against a\n// list of small primes before Miller-Rabin tests. The probability of this\n// function returning a false positive is at most 2^{2*checks}. See\n// |BN_prime_checks_for_validation| and |BN_prime_checks_for_generation| for\n// recommended values of |checks|.\n//\n// If |cb| is not NULL then it is called during the checking process. See the\n// comment above |BN_GENCB|.\n//\n// The function returns one on success and zero on error.\nOPENSSL_EXPORT int BN_primality_test(int *is_probably_prime,\n const BIGNUM *candidate, int checks,\n BN_CTX *ctx, int do_trial_division,\n BN_GENCB *cb);\n\n// BN_is_prime_fasttest_ex returns one if |candidate| is probably a prime\n// number by the Miller-Rabin test, zero if it's certainly not and -1 on error.\n//\n// If |do_trial_division| is non-zero then |candidate| will be tested against a\n// list of small primes before Miller-Rabin tests. The probability of this\n// function returning one when |candidate| is composite is at most 2^{2*checks}.\n// See |BN_prime_checks_for_validation| and |BN_prime_checks_for_generation| for\n// recommended values of |checks|.\n//\n// If |cb| is not NULL then it is called during the checking process. See the\n// comment above |BN_GENCB|.\n//\n// WARNING: deprecated. Use |BN_primality_test|.\nOPENSSL_EXPORT int BN_is_prime_fasttest_ex(const BIGNUM *candidate, int checks,\n BN_CTX *ctx, int do_trial_division,\n BN_GENCB *cb);\n\n// BN_is_prime_ex acts the same as |BN_is_prime_fasttest_ex| with\n// |do_trial_division| set to zero.\n//\n// WARNING: deprecated: Use |BN_primality_test|.\nOPENSSL_EXPORT int BN_is_prime_ex(const BIGNUM *candidate, int checks,\n BN_CTX *ctx, BN_GENCB *cb);\n\n\n// Number theory functions\n\n// BN_gcd sets |r| = gcd(|a|, |b|). It returns one on success and zero\n// otherwise.\nOPENSSL_EXPORT int BN_gcd(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,\n BN_CTX *ctx);\n\n// BN_mod_inverse sets |out| equal to |a|^-1, mod |n|. If |out| is NULL, a\n// fresh BIGNUM is allocated. It returns the result or NULL on error.\n//\n// If |n| is even then the operation is performed using an algorithm that avoids\n// some branches but which isn't constant-time. This function shouldn't be used\n// for secret values; use |BN_mod_inverse_blinded| instead. Or, if |n| is\n// guaranteed to be prime, use\n// |BN_mod_exp_mont_consttime(out, a, m_minus_2, m, ctx, m_mont)|, taking\n// advantage of Fermat's Little Theorem.\nOPENSSL_EXPORT BIGNUM *BN_mod_inverse(BIGNUM *out, const BIGNUM *a,\n const BIGNUM *n, BN_CTX *ctx);\n\n// BN_mod_inverse_blinded sets |out| equal to |a|^-1, mod |n|, where |n| is the\n// Montgomery modulus for |mont|. |a| must be non-negative and must be less\n// than |n|. |n| must be greater than 1. |a| is blinded (masked by a random\n// value) to protect it against side-channel attacks. On failure, if the failure\n// was caused by |a| having no inverse mod |n| then |*out_no_inverse| will be\n// set to one; otherwise it will be set to zero.\n//\n// Note this function may incorrectly report |a| has no inverse if the random\n// blinding value has no inverse. It should only be used when |n| has few\n// non-invertible elements, such as an RSA modulus.\nOPENSSL_EXPORT int BN_mod_inverse_blinded(BIGNUM *out, int *out_no_inverse,\n const BIGNUM *a,\n const BN_MONT_CTX *mont, BN_CTX *ctx);\n\n// BN_mod_inverse_odd sets |out| equal to |a|^-1, mod |n|. |a| must be\n// non-negative and must be less than |n|. |n| must be odd. This function\n// shouldn't be used for secret values; use |BN_mod_inverse_blinded| instead.\n// Or, if |n| is guaranteed to be prime, use\n// |BN_mod_exp_mont_consttime(out, a, m_minus_2, m, ctx, m_mont)|, taking\n// advantage of Fermat's Little Theorem. It returns one on success or zero on\n// failure. On failure, if the failure was caused by |a| having no inverse mod\n// |n| then |*out_no_inverse| will be set to one; otherwise it will be set to\n// zero.\nint BN_mod_inverse_odd(BIGNUM *out, int *out_no_inverse, const BIGNUM *a,\n const BIGNUM *n, BN_CTX *ctx);\n\n\n// Montgomery arithmetic.\n\n// BN_MONT_CTX contains the precomputed values needed to work in a specific\n// Montgomery domain.\n\n// BN_MONT_CTX_new_for_modulus returns a fresh |BN_MONT_CTX| given the modulus,\n// |mod| or NULL on error. Note this function assumes |mod| is public.\nOPENSSL_EXPORT BN_MONT_CTX *BN_MONT_CTX_new_for_modulus(const BIGNUM *mod,\n BN_CTX *ctx);\n\n// BN_MONT_CTX_new_consttime behaves like |BN_MONT_CTX_new_for_modulus| but\n// treats |mod| as secret.\nOPENSSL_EXPORT BN_MONT_CTX *BN_MONT_CTX_new_consttime(const BIGNUM *mod,\n BN_CTX *ctx);\n\n// BN_MONT_CTX_free frees memory associated with |mont|.\nOPENSSL_EXPORT void BN_MONT_CTX_free(BN_MONT_CTX *mont);\n\n// BN_MONT_CTX_copy sets |to| equal to |from|. It returns |to| on success or\n// NULL on error.\nOPENSSL_EXPORT BN_MONT_CTX *BN_MONT_CTX_copy(BN_MONT_CTX *to,\n const BN_MONT_CTX *from);\n\n// BN_to_montgomery sets |ret| equal to |a| in the Montgomery domain. |a| is\n// assumed to be in the range [0, n), where |n| is the Montgomery modulus. It\n// returns one on success or zero on error.\nOPENSSL_EXPORT int BN_to_montgomery(BIGNUM *ret, const BIGNUM *a,\n const BN_MONT_CTX *mont, BN_CTX *ctx);\n\n// BN_from_montgomery sets |ret| equal to |a| * R^-1, i.e. translates values out\n// of the Montgomery domain. |a| is assumed to be in the range [0, n*R), where\n// |n| is the Montgomery modulus. Note n < R, so inputs in the range [0, n*n)\n// are valid. This function returns one on success or zero on error.\nOPENSSL_EXPORT int BN_from_montgomery(BIGNUM *ret, const BIGNUM *a,\n const BN_MONT_CTX *mont, BN_CTX *ctx);\n\n// BN_mod_mul_montgomery set |r| equal to |a| * |b|, in the Montgomery domain.\n// Both |a| and |b| must already be in the Montgomery domain (by\n// |BN_to_montgomery|). In particular, |a| and |b| are assumed to be in the\n// range [0, n), where |n| is the Montgomery modulus. It returns one on success\n// or zero on error.\nOPENSSL_EXPORT int BN_mod_mul_montgomery(BIGNUM *r, const BIGNUM *a,\n const BIGNUM *b,\n const BN_MONT_CTX *mont, BN_CTX *ctx);\n\n\n// Exponentiation.\n\n// BN_exp sets |r| equal to |a|^{|p|}. It does so with a square-and-multiply\n// algorithm that leaks side-channel information. It returns one on success or\n// zero otherwise.\nOPENSSL_EXPORT int BN_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,\n BN_CTX *ctx);\n\n// BN_mod_exp sets |r| equal to |a|^{|p|} mod |m|. It does so with the best\n// algorithm for the values provided. It returns one on success or zero\n// otherwise. The |BN_mod_exp_mont_consttime| variant must be used if the\n// exponent is secret.\nOPENSSL_EXPORT int BN_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,\n const BIGNUM *m, BN_CTX *ctx);\n\n// BN_mod_exp_mont behaves like |BN_mod_exp| but treats |a| as secret and\n// requires 0 <= |a| < |m|.\nOPENSSL_EXPORT int BN_mod_exp_mont(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,\n const BIGNUM *m, BN_CTX *ctx,\n const BN_MONT_CTX *mont);\n\n// BN_mod_exp_mont_consttime behaves like |BN_mod_exp| but treats |a|, |p|, and\n// |m| as secret and requires 0 <= |a| < |m|.\nOPENSSL_EXPORT int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a,\n const BIGNUM *p, const BIGNUM *m,\n BN_CTX *ctx,\n const BN_MONT_CTX *mont);\n\n\n// Deprecated functions\n\n// BN_bn2mpi serialises the value of |in| to |out|, using a format that consists\n// of the number's length in bytes represented as a 4-byte big-endian number,\n// and the number itself in big-endian format, where the most significant bit\n// signals a negative number. (The representation of numbers with the MSB set is\n// prefixed with null byte). |out| must have sufficient space available; to\n// find the needed amount of space, call the function with |out| set to NULL.\nOPENSSL_EXPORT size_t BN_bn2mpi(const BIGNUM *in, uint8_t *out);\n\n// BN_mpi2bn parses |len| bytes from |in| and returns the resulting value. The\n// bytes at |in| are expected to be in the format emitted by |BN_bn2mpi|.\n//\n// If |out| is NULL then a fresh |BIGNUM| is allocated and returned, otherwise\n// |out| is reused and returned. On error, NULL is returned and the error queue\n// is updated.\nOPENSSL_EXPORT BIGNUM *BN_mpi2bn(const uint8_t *in, size_t len, BIGNUM *out);\n\n// BN_mod_exp_mont_word is like |BN_mod_exp_mont| except that the base |a| is\n// given as a |BN_ULONG| instead of a |BIGNUM *|. It returns one on success\n// or zero otherwise.\nOPENSSL_EXPORT int BN_mod_exp_mont_word(BIGNUM *r, BN_ULONG a, const BIGNUM *p,\n const BIGNUM *m, BN_CTX *ctx,\n const BN_MONT_CTX *mont);\n\n// BN_mod_exp2_mont calculates (a1^p1) * (a2^p2) mod m. It returns 1 on success\n// or zero otherwise.\nOPENSSL_EXPORT int BN_mod_exp2_mont(BIGNUM *r, const BIGNUM *a1,\n const BIGNUM *p1, const BIGNUM *a2,\n const BIGNUM *p2, const BIGNUM *m,\n BN_CTX *ctx, const BN_MONT_CTX *mont);\n\n// BN_MONT_CTX_new returns a fresh |BN_MONT_CTX| or NULL on allocation failure.\n// Use |BN_MONT_CTX_new_for_modulus| instead.\nOPENSSL_EXPORT BN_MONT_CTX *BN_MONT_CTX_new(void);\n\n// BN_MONT_CTX_set sets up a Montgomery context given the modulus, |mod|. It\n// returns one on success and zero on error. Use |BN_MONT_CTX_new_for_modulus|\n// instead.\nOPENSSL_EXPORT int BN_MONT_CTX_set(BN_MONT_CTX *mont, const BIGNUM *mod,\n BN_CTX *ctx);\n\n// BN_bn2binpad behaves like |BN_bn2bin_padded|, but it returns |len| on success\n// and -1 on error.\n//\n// Use |BN_bn2bin_padded| instead. It is |size_t|-clean.\nOPENSSL_EXPORT int BN_bn2binpad(const BIGNUM *in, uint8_t *out, int len);\n\n// BN_bn2lebinpad behaves like |BN_bn2le_padded|, but it returns |len| on\n// success and -1 on error.\n//\n// Use |BN_bn2le_padded| instead. It is |size_t|-clean.\nOPENSSL_EXPORT int BN_bn2lebinpad(const BIGNUM *in, uint8_t *out, int len);\n\n// BN_prime_checks is a deprecated alias for |BN_prime_checks_for_validation|.\n// Use |BN_prime_checks_for_generation| or |BN_prime_checks_for_validation|\n// instead. (This defaults to the |_for_validation| value in order to be\n// conservative.)\n#define BN_prime_checks BN_prime_checks_for_validation\n\n// BN_secure_new calls |BN_new|.\nOPENSSL_EXPORT BIGNUM *BN_secure_new(void);\n\n// BN_le2bn calls |BN_lebin2bn|.\nOPENSSL_EXPORT BIGNUM *BN_le2bn(const uint8_t *in, size_t len, BIGNUM *ret);\n\n\n// Private functions\n\nstruct bignum_st {\n // d is a pointer to an array of |width| |BN_BITS2|-bit chunks in\n // little-endian order. This stores the absolute value of the number.\n BN_ULONG *d;\n // width is the number of elements of |d| which are valid. This value is not\n // necessarily minimal; the most-significant words of |d| may be zero.\n // |width| determines a potentially loose upper-bound on the absolute value\n // of the |BIGNUM|.\n //\n // Functions taking |BIGNUM| inputs must compute the same answer for all\n // possible widths. |bn_minimal_width|, |bn_set_minimal_width|, and other\n // helpers may be used to recover the minimal width, provided it is not\n // secret. If it is secret, use a different algorithm. Functions may output\n // minimal or non-minimal |BIGNUM|s depending on secrecy requirements, but\n // those which cause widths to unboundedly grow beyond the minimal value\n // should be documented such.\n //\n // Note this is different from historical |BIGNUM| semantics.\n int width;\n // dmax is number of elements of |d| which are allocated.\n int dmax;\n // neg is one if the number if negative and zero otherwise.\n int neg;\n // flags is a bitmask of |BN_FLG_*| values\n int flags;\n};\n\nstruct bn_mont_ctx_st {\n // RR is R^2, reduced modulo |N|. It is used to convert to Montgomery form. It\n // is guaranteed to have the same width as |N|.\n BIGNUM RR;\n // N is the modulus. It is always stored in minimal form, so |N.width|\n // determines R.\n BIGNUM N;\n BN_ULONG n0[2]; // least significant words of (R*Ri-1)/N\n};\n\nOPENSSL_EXPORT unsigned BN_num_bits_word(BN_ULONG l);\n\n#define BN_FLG_MALLOCED 0x01\n#define BN_FLG_STATIC_DATA 0x02\n// |BN_FLG_CONSTTIME| has been removed and intentionally omitted so code relying\n// on it will not compile. Consumers outside BoringSSL should use the\n// higher-level cryptographic algorithms exposed by other modules. Consumers\n// within the library should call the appropriate timing-sensitive algorithm\n// directly.\n\n\n#if defined(__cplusplus)\n} // extern C\n\n#if !defined(BORINGSSL_NO_CXX)\nextern \"C++\" {\n\nBSSL_NAMESPACE_BEGIN\n\nBORINGSSL_MAKE_DELETER(BIGNUM, BN_free)\nBORINGSSL_MAKE_DELETER(BN_CTX, BN_CTX_free)\nBORINGSSL_MAKE_DELETER(BN_MONT_CTX, BN_MONT_CTX_free)\n\nclass BN_CTXScope {\n public:\n BN_CTXScope(BN_CTX *ctx) : ctx_(ctx) { BN_CTX_start(ctx_); }\n ~BN_CTXScope() { BN_CTX_end(ctx_); }\n\n private:\n BN_CTX *ctx_;\n\n BN_CTXScope(BN_CTXScope &) = delete;\n BN_CTXScope &operator=(BN_CTXScope &) = delete;\n};\n\nBSSL_NAMESPACE_END\n\n} // extern C++\n#endif\n\n#endif\n\n#define BN_R_ARG2_LT_ARG3 100\n#define BN_R_BAD_RECIPROCAL 101\n#define BN_R_BIGNUM_TOO_LONG 102\n#define BN_R_BITS_TOO_SMALL 103\n#define BN_R_CALLED_WITH_EVEN_MODULUS 104\n#define BN_R_DIV_BY_ZERO 105\n#define BN_R_EXPAND_ON_STATIC_BIGNUM_DATA 106\n#define BN_R_INPUT_NOT_REDUCED 107\n#define BN_R_INVALID_RANGE 108\n#define BN_R_NEGATIVE_NUMBER 109\n#define BN_R_NOT_A_SQUARE 110\n#define BN_R_NOT_INITIALIZED 111\n#define BN_R_NO_INVERSE 112\n#define BN_R_PRIVATE_KEY_TOO_LARGE 113\n#define BN_R_P_IS_NOT_PRIME 114\n#define BN_R_TOO_MANY_ITERATIONS 115\n#define BN_R_TOO_MANY_TEMPORARY_VARIABLES 116\n#define BN_R_BAD_ENCODING 117\n#define BN_R_ENCODE_ERROR 118\n#define BN_R_INVALID_INPUT 119\n\n#endif // OPENSSL_HEADER_BN_H\n" }, { "path": "Sources/CNIOBoringSSL/include/CNIOBoringSSL_boringssl_prefix_symbols.h", "content": "// Copyright 2018 The BoringSSL Authors\n//\n// Permission to use, copy, modify, and/or distribute this software for any\n// purpose with or without fee is hereby granted, provided that the above\n// copyright notice and this permission notice appear in all copies.\n//\n// THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n// WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n// MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n// SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n// WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n// OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n// CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.\n\n// BORINGSSL_ADD_PREFIX pastes two identifiers into one. It performs one\n// iteration of macro expansion on its arguments before pasting.\n#define BORINGSSL_ADD_PREFIX(a, b) BORINGSSL_ADD_PREFIX_INNER(a, b)\n#define BORINGSSL_ADD_PREFIX_INNER(a, b) a ## _ ## b\n\n#define ACCESS_DESCRIPTION_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ACCESS_DESCRIPTION_free)\n#define ACCESS_DESCRIPTION_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ACCESS_DESCRIPTION_new)\n#define AES_CMAC BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, AES_CMAC)\n#define AES_cbc_encrypt BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, AES_cbc_encrypt)\n#define AES_cfb128_encrypt BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, AES_cfb128_encrypt)\n#define AES_ctr128_encrypt BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, AES_ctr128_encrypt)\n#define AES_decrypt BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, AES_decrypt)\n#define AES_ecb_encrypt BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, AES_ecb_encrypt)\n#define AES_encrypt BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, AES_encrypt)\n#define AES_ofb128_encrypt BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, AES_ofb128_encrypt)\n#define AES_set_decrypt_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, AES_set_decrypt_key)\n#define AES_set_encrypt_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, AES_set_encrypt_key)\n#define AES_unwrap_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, AES_unwrap_key)\n#define AES_unwrap_key_padded BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, AES_unwrap_key_padded)\n#define AES_wrap_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, AES_wrap_key)\n#define AES_wrap_key_padded BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, AES_wrap_key_padded)\n#define ASN1_ANY_it BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_ANY_it)\n#define ASN1_BIT_STRING_check BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_BIT_STRING_check)\n#define ASN1_BIT_STRING_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_BIT_STRING_free)\n#define ASN1_BIT_STRING_get_bit BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_BIT_STRING_get_bit)\n#define ASN1_BIT_STRING_it BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_BIT_STRING_it)\n#define ASN1_BIT_STRING_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_BIT_STRING_new)\n#define ASN1_BIT_STRING_num_bytes BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_BIT_STRING_num_bytes)\n#define ASN1_BIT_STRING_set BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_BIT_STRING_set)\n#define ASN1_BIT_STRING_set_bit BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_BIT_STRING_set_bit)\n#define ASN1_BMPSTRING_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_BMPSTRING_free)\n#define ASN1_BMPSTRING_it BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_BMPSTRING_it)\n#define ASN1_BMPSTRING_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_BMPSTRING_new)\n#define ASN1_BOOLEAN_it BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_BOOLEAN_it)\n#define ASN1_ENUMERATED_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_ENUMERATED_free)\n#define ASN1_ENUMERATED_get BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_ENUMERATED_get)\n#define ASN1_ENUMERATED_get_int64 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_ENUMERATED_get_int64)\n#define ASN1_ENUMERATED_get_uint64 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_ENUMERATED_get_uint64)\n#define ASN1_ENUMERATED_it BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_ENUMERATED_it)\n#define ASN1_ENUMERATED_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_ENUMERATED_new)\n#define ASN1_ENUMERATED_set BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_ENUMERATED_set)\n#define ASN1_ENUMERATED_set_int64 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_ENUMERATED_set_int64)\n#define ASN1_ENUMERATED_set_uint64 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_ENUMERATED_set_uint64)\n#define ASN1_ENUMERATED_to_BN BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_ENUMERATED_to_BN)\n#define ASN1_FBOOLEAN_it BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_FBOOLEAN_it)\n#define ASN1_GENERALIZEDTIME_adj BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_GENERALIZEDTIME_adj)\n#define ASN1_GENERALIZEDTIME_check BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_GENERALIZEDTIME_check)\n#define ASN1_GENERALIZEDTIME_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_GENERALIZEDTIME_free)\n#define ASN1_GENERALIZEDTIME_it BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_GENERALIZEDTIME_it)\n#define ASN1_GENERALIZEDTIME_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_GENERALIZEDTIME_new)\n#define ASN1_GENERALIZEDTIME_print BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_GENERALIZEDTIME_print)\n#define ASN1_GENERALIZEDTIME_set BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_GENERALIZEDTIME_set)\n#define ASN1_GENERALIZEDTIME_set_string BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_GENERALIZEDTIME_set_string)\n#define ASN1_GENERALSTRING_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_GENERALSTRING_free)\n#define ASN1_GENERALSTRING_it BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_GENERALSTRING_it)\n#define ASN1_GENERALSTRING_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_GENERALSTRING_new)\n#define ASN1_IA5STRING_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_IA5STRING_free)\n#define ASN1_IA5STRING_it BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_IA5STRING_it)\n#define ASN1_IA5STRING_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_IA5STRING_new)\n#define ASN1_INTEGER_cmp BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_INTEGER_cmp)\n#define ASN1_INTEGER_dup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_INTEGER_dup)\n#define ASN1_INTEGER_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_INTEGER_free)\n#define ASN1_INTEGER_get BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_INTEGER_get)\n#define ASN1_INTEGER_get_int64 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_INTEGER_get_int64)\n#define ASN1_INTEGER_get_uint64 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_INTEGER_get_uint64)\n#define ASN1_INTEGER_it BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_INTEGER_it)\n#define ASN1_INTEGER_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_INTEGER_new)\n#define ASN1_INTEGER_set BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_INTEGER_set)\n#define ASN1_INTEGER_set_int64 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_INTEGER_set_int64)\n#define ASN1_INTEGER_set_uint64 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_INTEGER_set_uint64)\n#define ASN1_INTEGER_to_BN BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_INTEGER_to_BN)\n#define ASN1_NULL_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_NULL_free)\n#define ASN1_NULL_it BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_NULL_it)\n#define ASN1_NULL_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_NULL_new)\n#define ASN1_OBJECT_create BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_OBJECT_create)\n#define ASN1_OBJECT_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_OBJECT_free)\n#define ASN1_OBJECT_it BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_OBJECT_it)\n#define ASN1_OBJECT_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_OBJECT_new)\n#define ASN1_OCTET_STRING_cmp BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_OCTET_STRING_cmp)\n#define ASN1_OCTET_STRING_dup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_OCTET_STRING_dup)\n#define ASN1_OCTET_STRING_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_OCTET_STRING_free)\n#define ASN1_OCTET_STRING_it BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_OCTET_STRING_it)\n#define ASN1_OCTET_STRING_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_OCTET_STRING_new)\n#define ASN1_OCTET_STRING_set BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_OCTET_STRING_set)\n#define ASN1_PRINTABLESTRING_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_PRINTABLESTRING_free)\n#define ASN1_PRINTABLESTRING_it BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_PRINTABLESTRING_it)\n#define ASN1_PRINTABLESTRING_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_PRINTABLESTRING_new)\n#define ASN1_PRINTABLE_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_PRINTABLE_free)\n#define ASN1_PRINTABLE_it BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_PRINTABLE_it)\n#define ASN1_PRINTABLE_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_PRINTABLE_new)\n#define ASN1_SEQUENCE_it BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_SEQUENCE_it)\n#define ASN1_STRING_TABLE_add BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_STRING_TABLE_add)\n#define ASN1_STRING_TABLE_cleanup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_STRING_TABLE_cleanup)\n#define ASN1_STRING_cmp BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_STRING_cmp)\n#define ASN1_STRING_copy BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_STRING_copy)\n#define ASN1_STRING_data BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_STRING_data)\n#define ASN1_STRING_dup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_STRING_dup)\n#define ASN1_STRING_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_STRING_free)\n#define ASN1_STRING_get0_data BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_STRING_get0_data)\n#define ASN1_STRING_get_default_mask BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_STRING_get_default_mask)\n#define ASN1_STRING_length BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_STRING_length)\n#define ASN1_STRING_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_STRING_new)\n#define ASN1_STRING_print BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_STRING_print)\n#define ASN1_STRING_print_ex BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_STRING_print_ex)\n#define ASN1_STRING_print_ex_fp BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_STRING_print_ex_fp)\n#define ASN1_STRING_set BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_STRING_set)\n#define ASN1_STRING_set0 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_STRING_set0)\n#define ASN1_STRING_set_by_NID BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_STRING_set_by_NID)\n#define ASN1_STRING_set_default_mask BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_STRING_set_default_mask)\n#define ASN1_STRING_set_default_mask_asc BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_STRING_set_default_mask_asc)\n#define ASN1_STRING_to_UTF8 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_STRING_to_UTF8)\n#define ASN1_STRING_type BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_STRING_type)\n#define ASN1_STRING_type_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_STRING_type_new)\n#define ASN1_T61STRING_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_T61STRING_free)\n#define ASN1_T61STRING_it BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_T61STRING_it)\n#define ASN1_T61STRING_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_T61STRING_new)\n#define ASN1_TBOOLEAN_it BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_TBOOLEAN_it)\n#define ASN1_TIME_adj BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_TIME_adj)\n#define ASN1_TIME_check BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_TIME_check)\n#define ASN1_TIME_diff BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_TIME_diff)\n#define ASN1_TIME_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_TIME_free)\n#define ASN1_TIME_it BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_TIME_it)\n#define ASN1_TIME_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_TIME_new)\n#define ASN1_TIME_print BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_TIME_print)\n#define ASN1_TIME_set BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_TIME_set)\n#define ASN1_TIME_set_posix BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_TIME_set_posix)\n#define ASN1_TIME_set_string BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_TIME_set_string)\n#define ASN1_TIME_set_string_X509 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_TIME_set_string_X509)\n#define ASN1_TIME_to_generalizedtime BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_TIME_to_generalizedtime)\n#define ASN1_TIME_to_posix BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_TIME_to_posix)\n#define ASN1_TIME_to_posix_nonstandard BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_TIME_to_posix_nonstandard)\n#define ASN1_TIME_to_time_t BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_TIME_to_time_t)\n#define ASN1_TYPE_cmp BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_TYPE_cmp)\n#define ASN1_TYPE_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_TYPE_free)\n#define ASN1_TYPE_get BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_TYPE_get)\n#define ASN1_TYPE_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_TYPE_new)\n#define ASN1_TYPE_set BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_TYPE_set)\n#define ASN1_TYPE_set1 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_TYPE_set1)\n#define ASN1_UNIVERSALSTRING_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_UNIVERSALSTRING_free)\n#define ASN1_UNIVERSALSTRING_it BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_UNIVERSALSTRING_it)\n#define ASN1_UNIVERSALSTRING_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_UNIVERSALSTRING_new)\n#define ASN1_UTCTIME_adj BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_UTCTIME_adj)\n#define ASN1_UTCTIME_check BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_UTCTIME_check)\n#define ASN1_UTCTIME_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_UTCTIME_free)\n#define ASN1_UTCTIME_it BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_UTCTIME_it)\n#define ASN1_UTCTIME_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_UTCTIME_new)\n#define ASN1_UTCTIME_print BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_UTCTIME_print)\n#define ASN1_UTCTIME_set BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_UTCTIME_set)\n#define ASN1_UTCTIME_set_string BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_UTCTIME_set_string)\n#define ASN1_UTF8STRING_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_UTF8STRING_free)\n#define ASN1_UTF8STRING_it BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_UTF8STRING_it)\n#define ASN1_UTF8STRING_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_UTF8STRING_new)\n#define ASN1_VISIBLESTRING_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_VISIBLESTRING_free)\n#define ASN1_VISIBLESTRING_it BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_VISIBLESTRING_it)\n#define ASN1_VISIBLESTRING_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_VISIBLESTRING_new)\n#define ASN1_digest BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_digest)\n#define ASN1_generate_v3 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_generate_v3)\n#define ASN1_get_object BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_get_object)\n#define ASN1_item_d2i BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_item_d2i)\n#define ASN1_item_d2i_bio BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_item_d2i_bio)\n#define ASN1_item_d2i_fp BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_item_d2i_fp)\n#define ASN1_item_digest BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_item_digest)\n#define ASN1_item_dup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_item_dup)\n#define ASN1_item_ex_d2i BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_item_ex_d2i)\n#define ASN1_item_ex_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_item_ex_free)\n#define ASN1_item_ex_i2d BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_item_ex_i2d)\n#define ASN1_item_ex_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_item_ex_new)\n#define ASN1_item_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_item_free)\n#define ASN1_item_i2d BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_item_i2d)\n#define ASN1_item_i2d_bio BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_item_i2d_bio)\n#define ASN1_item_i2d_fp BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_item_i2d_fp)\n#define ASN1_item_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_item_new)\n#define ASN1_item_pack BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_item_pack)\n#define ASN1_item_sign BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_item_sign)\n#define ASN1_item_sign_ctx BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_item_sign_ctx)\n#define ASN1_item_unpack BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_item_unpack)\n#define ASN1_item_verify BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_item_verify)\n#define ASN1_mbstring_copy BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_mbstring_copy)\n#define ASN1_mbstring_ncopy BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_mbstring_ncopy)\n#define ASN1_object_size BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_object_size)\n#define ASN1_primitive_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_primitive_free)\n#define ASN1_put_eoc BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_put_eoc)\n#define ASN1_put_object BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_put_object)\n#define ASN1_tag2bit BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_tag2bit)\n#define ASN1_tag2str BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_tag2str)\n#define ASN1_template_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_template_free)\n#define AUTHORITY_INFO_ACCESS_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, AUTHORITY_INFO_ACCESS_free)\n#define AUTHORITY_INFO_ACCESS_it BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, AUTHORITY_INFO_ACCESS_it)\n#define AUTHORITY_INFO_ACCESS_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, AUTHORITY_INFO_ACCESS_new)\n#define AUTHORITY_KEYID_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, AUTHORITY_KEYID_free)\n#define AUTHORITY_KEYID_it BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, AUTHORITY_KEYID_it)\n#define AUTHORITY_KEYID_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, AUTHORITY_KEYID_new)\n#define BASIC_CONSTRAINTS_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BASIC_CONSTRAINTS_free)\n#define BASIC_CONSTRAINTS_it BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BASIC_CONSTRAINTS_it)\n#define BASIC_CONSTRAINTS_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BASIC_CONSTRAINTS_new)\n#define BCM_fips_186_2_prf BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BCM_fips_186_2_prf)\n#define BCM_mldsa65_generate_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BCM_mldsa65_generate_key)\n#define BCM_mldsa65_generate_key_external_entropy BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BCM_mldsa65_generate_key_external_entropy)\n#define BCM_mldsa65_marshal_private_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BCM_mldsa65_marshal_private_key)\n#define BCM_mldsa65_marshal_public_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BCM_mldsa65_marshal_public_key)\n#define BCM_mldsa65_parse_private_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BCM_mldsa65_parse_private_key)\n#define BCM_mldsa65_parse_public_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BCM_mldsa65_parse_public_key)\n#define BCM_mldsa65_private_key_from_seed BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BCM_mldsa65_private_key_from_seed)\n#define BCM_mldsa65_public_from_private BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BCM_mldsa65_public_from_private)\n#define BCM_mldsa65_sign BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BCM_mldsa65_sign)\n#define BCM_mldsa65_sign_internal BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BCM_mldsa65_sign_internal)\n#define BCM_mldsa65_verify BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BCM_mldsa65_verify)\n#define BCM_mldsa65_verify_internal BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BCM_mldsa65_verify_internal)\n#define BCM_mldsa87_generate_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BCM_mldsa87_generate_key)\n#define BCM_mldsa87_generate_key_external_entropy BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BCM_mldsa87_generate_key_external_entropy)\n#define BCM_mldsa87_marshal_private_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BCM_mldsa87_marshal_private_key)\n#define BCM_mldsa87_marshal_public_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BCM_mldsa87_marshal_public_key)\n#define BCM_mldsa87_parse_private_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BCM_mldsa87_parse_private_key)\n#define BCM_mldsa87_parse_public_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BCM_mldsa87_parse_public_key)\n#define BCM_mldsa87_private_key_from_seed BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BCM_mldsa87_private_key_from_seed)\n#define BCM_mldsa87_public_from_private BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BCM_mldsa87_public_from_private)\n#define BCM_mldsa87_sign BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BCM_mldsa87_sign)\n#define BCM_mldsa87_sign_internal BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BCM_mldsa87_sign_internal)\n#define BCM_mldsa87_verify BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BCM_mldsa87_verify)\n#define BCM_mldsa87_verify_internal BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BCM_mldsa87_verify_internal)\n#define BCM_mlkem1024_decap BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BCM_mlkem1024_decap)\n#define BCM_mlkem1024_encap BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BCM_mlkem1024_encap)\n#define BCM_mlkem1024_encap_external_entropy BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BCM_mlkem1024_encap_external_entropy)\n#define BCM_mlkem1024_generate_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BCM_mlkem1024_generate_key)\n#define BCM_mlkem1024_generate_key_external_seed BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BCM_mlkem1024_generate_key_external_seed)\n#define BCM_mlkem1024_marshal_private_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BCM_mlkem1024_marshal_private_key)\n#define BCM_mlkem1024_marshal_public_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BCM_mlkem1024_marshal_public_key)\n#define BCM_mlkem1024_parse_private_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BCM_mlkem1024_parse_private_key)\n#define BCM_mlkem1024_parse_public_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BCM_mlkem1024_parse_public_key)\n#define BCM_mlkem1024_private_key_from_seed BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BCM_mlkem1024_private_key_from_seed)\n#define BCM_mlkem1024_public_from_private BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BCM_mlkem1024_public_from_private)\n#define BCM_mlkem768_decap BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BCM_mlkem768_decap)\n#define BCM_mlkem768_encap BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BCM_mlkem768_encap)\n#define BCM_mlkem768_encap_external_entropy BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BCM_mlkem768_encap_external_entropy)\n#define BCM_mlkem768_generate_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BCM_mlkem768_generate_key)\n#define BCM_mlkem768_generate_key_external_seed BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BCM_mlkem768_generate_key_external_seed)\n#define BCM_mlkem768_marshal_private_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BCM_mlkem768_marshal_private_key)\n#define BCM_mlkem768_marshal_public_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BCM_mlkem768_marshal_public_key)\n#define BCM_mlkem768_parse_private_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BCM_mlkem768_parse_private_key)\n#define BCM_mlkem768_parse_public_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BCM_mlkem768_parse_public_key)\n#define BCM_mlkem768_private_key_from_seed BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BCM_mlkem768_private_key_from_seed)\n#define BCM_mlkem768_public_from_private BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BCM_mlkem768_public_from_private)\n#define BCM_rand_bytes BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BCM_rand_bytes)\n#define BCM_rand_bytes_hwrng BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BCM_rand_bytes_hwrng)\n#define BCM_rand_bytes_with_additional_data BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BCM_rand_bytes_with_additional_data)\n#define BCM_sha1_final BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BCM_sha1_final)\n#define BCM_sha1_init BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BCM_sha1_init)\n#define BCM_sha1_transform BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BCM_sha1_transform)\n#define BCM_sha1_update BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BCM_sha1_update)\n#define BCM_sha224_final BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BCM_sha224_final)\n#define BCM_sha224_init BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BCM_sha224_init)\n#define BCM_sha224_update BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BCM_sha224_update)\n#define BCM_sha256_final BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BCM_sha256_final)\n#define BCM_sha256_init BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BCM_sha256_init)\n#define BCM_sha256_transform BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BCM_sha256_transform)\n#define BCM_sha256_transform_blocks BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BCM_sha256_transform_blocks)\n#define BCM_sha256_update BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BCM_sha256_update)\n#define BCM_sha384_final BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BCM_sha384_final)\n#define BCM_sha384_init BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BCM_sha384_init)\n#define BCM_sha384_update BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BCM_sha384_update)\n#define BCM_sha512_256_final BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BCM_sha512_256_final)\n#define BCM_sha512_256_init BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BCM_sha512_256_init)\n#define BCM_sha512_256_update BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BCM_sha512_256_update)\n#define BCM_sha512_final BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BCM_sha512_final)\n#define BCM_sha512_init BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BCM_sha512_init)\n#define BCM_sha512_transform BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BCM_sha512_transform)\n#define BCM_sha512_update BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BCM_sha512_update)\n#define BCM_slhdsa_sha2_128s_generate_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BCM_slhdsa_sha2_128s_generate_key)\n#define BCM_slhdsa_sha2_128s_generate_key_from_seed BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BCM_slhdsa_sha2_128s_generate_key_from_seed)\n#define BCM_slhdsa_sha2_128s_prehash_sign BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BCM_slhdsa_sha2_128s_prehash_sign)\n#define BCM_slhdsa_sha2_128s_prehash_verify BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BCM_slhdsa_sha2_128s_prehash_verify)\n#define BCM_slhdsa_sha2_128s_public_from_private BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BCM_slhdsa_sha2_128s_public_from_private)\n#define BCM_slhdsa_sha2_128s_sign BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BCM_slhdsa_sha2_128s_sign)\n#define BCM_slhdsa_sha2_128s_sign_internal BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BCM_slhdsa_sha2_128s_sign_internal)\n#define BCM_slhdsa_sha2_128s_verify BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BCM_slhdsa_sha2_128s_verify)\n#define BCM_slhdsa_sha2_128s_verify_internal BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BCM_slhdsa_sha2_128s_verify_internal)\n#define BIO_append_filename BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BIO_append_filename)\n#define BIO_callback_ctrl BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BIO_callback_ctrl)\n#define BIO_clear_flags BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BIO_clear_flags)\n#define BIO_clear_retry_flags BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BIO_clear_retry_flags)\n#define BIO_copy_next_retry BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BIO_copy_next_retry)\n#define BIO_ctrl BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BIO_ctrl)\n#define BIO_ctrl_get_read_request BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BIO_ctrl_get_read_request)\n#define BIO_ctrl_get_write_guarantee BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BIO_ctrl_get_write_guarantee)\n#define BIO_ctrl_pending BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BIO_ctrl_pending)\n#define BIO_do_connect BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BIO_do_connect)\n#define BIO_eof BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BIO_eof)\n#define BIO_f_ssl BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BIO_f_ssl)\n#define BIO_find_type BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BIO_find_type)\n#define BIO_flush BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BIO_flush)\n#define BIO_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BIO_free)\n#define BIO_free_all BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BIO_free_all)\n#define BIO_get_data BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BIO_get_data)\n#define BIO_get_ex_data BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BIO_get_ex_data)\n#define BIO_get_ex_new_index BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BIO_get_ex_new_index)\n#define BIO_get_fd BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BIO_get_fd)\n#define BIO_get_fp BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BIO_get_fp)\n#define BIO_get_init BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BIO_get_init)\n#define BIO_get_mem_data BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BIO_get_mem_data)\n#define BIO_get_mem_ptr BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BIO_get_mem_ptr)\n#define BIO_get_new_index BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BIO_get_new_index)\n#define BIO_get_retry_flags BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BIO_get_retry_flags)\n#define BIO_get_retry_reason BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BIO_get_retry_reason)\n#define BIO_get_shutdown BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BIO_get_shutdown)\n#define BIO_gets BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BIO_gets)\n#define BIO_hexdump BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BIO_hexdump)\n#define BIO_indent BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BIO_indent)\n#define BIO_int_ctrl BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BIO_int_ctrl)\n#define BIO_mem_contents BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BIO_mem_contents)\n#define BIO_meth_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BIO_meth_free)\n#define BIO_meth_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BIO_meth_new)\n#define BIO_meth_set_create BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BIO_meth_set_create)\n#define BIO_meth_set_ctrl BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BIO_meth_set_ctrl)\n#define BIO_meth_set_destroy BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BIO_meth_set_destroy)\n#define BIO_meth_set_gets BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BIO_meth_set_gets)\n#define BIO_meth_set_puts BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BIO_meth_set_puts)\n#define BIO_meth_set_read BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BIO_meth_set_read)\n#define BIO_meth_set_write BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BIO_meth_set_write)\n#define BIO_method_type BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BIO_method_type)\n#define BIO_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BIO_new)\n#define BIO_new_bio_pair BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BIO_new_bio_pair)\n#define BIO_new_connect BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BIO_new_connect)\n#define BIO_new_fd BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BIO_new_fd)\n#define BIO_new_file BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BIO_new_file)\n#define BIO_new_fp BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BIO_new_fp)\n#define BIO_new_mem_buf BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BIO_new_mem_buf)\n#define BIO_new_socket BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BIO_new_socket)\n#define BIO_next BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BIO_next)\n#define BIO_number_read BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BIO_number_read)\n#define BIO_number_written BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BIO_number_written)\n#define BIO_pending BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BIO_pending)\n#define BIO_pop BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BIO_pop)\n#define BIO_printf BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BIO_printf)\n#define BIO_ptr_ctrl BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BIO_ptr_ctrl)\n#define BIO_push BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BIO_push)\n#define BIO_puts BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BIO_puts)\n#define BIO_read BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BIO_read)\n#define BIO_read_asn1 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BIO_read_asn1)\n#define BIO_read_filename BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BIO_read_filename)\n#define BIO_reset BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BIO_reset)\n#define BIO_rw_filename BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BIO_rw_filename)\n#define BIO_s_connect BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BIO_s_connect)\n#define BIO_s_fd BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BIO_s_fd)\n#define BIO_s_file BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BIO_s_file)\n#define BIO_s_mem BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BIO_s_mem)\n#define BIO_s_socket BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BIO_s_socket)\n#define BIO_seek BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BIO_seek)\n#define BIO_set_close BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BIO_set_close)\n#define BIO_set_conn_hostname BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BIO_set_conn_hostname)\n#define BIO_set_conn_int_port BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BIO_set_conn_int_port)\n#define BIO_set_conn_port BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BIO_set_conn_port)\n#define BIO_set_data BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BIO_set_data)\n#define BIO_set_ex_data BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BIO_set_ex_data)\n#define BIO_set_fd BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BIO_set_fd)\n#define BIO_set_flags BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BIO_set_flags)\n#define BIO_set_fp BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BIO_set_fp)\n#define BIO_set_init BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BIO_set_init)\n#define BIO_set_mem_buf BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BIO_set_mem_buf)\n#define BIO_set_mem_eof_return BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BIO_set_mem_eof_return)\n#define BIO_set_nbio BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BIO_set_nbio)\n#define BIO_set_retry_read BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BIO_set_retry_read)\n#define BIO_set_retry_reason BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BIO_set_retry_reason)\n#define BIO_set_retry_special BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BIO_set_retry_special)\n#define BIO_set_retry_write BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BIO_set_retry_write)\n#define BIO_set_shutdown BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BIO_set_shutdown)\n#define BIO_set_ssl BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BIO_set_ssl)\n#define BIO_set_write_buffer_size BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BIO_set_write_buffer_size)\n#define BIO_should_io_special BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BIO_should_io_special)\n#define BIO_should_read BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BIO_should_read)\n#define BIO_should_retry BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BIO_should_retry)\n#define BIO_should_write BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BIO_should_write)\n#define BIO_shutdown_wr BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BIO_shutdown_wr)\n#define BIO_snprintf BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BIO_snprintf)\n#define BIO_tell BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BIO_tell)\n#define BIO_test_flags BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BIO_test_flags)\n#define BIO_up_ref BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BIO_up_ref)\n#define BIO_vfree BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BIO_vfree)\n#define BIO_vsnprintf BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BIO_vsnprintf)\n#define BIO_wpending BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BIO_wpending)\n#define BIO_write BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BIO_write)\n#define BIO_write_all BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BIO_write_all)\n#define BIO_write_filename BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BIO_write_filename)\n#define BLAKE2B256 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BLAKE2B256)\n#define BLAKE2B256_Final BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BLAKE2B256_Final)\n#define BLAKE2B256_Init BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BLAKE2B256_Init)\n#define BLAKE2B256_Update BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BLAKE2B256_Update)\n#define BN_BLINDING_convert BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BN_BLINDING_convert)\n#define BN_BLINDING_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BN_BLINDING_free)\n#define BN_BLINDING_invalidate BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BN_BLINDING_invalidate)\n#define BN_BLINDING_invert BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BN_BLINDING_invert)\n#define BN_BLINDING_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BN_BLINDING_new)\n#define BN_CTX_end BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BN_CTX_end)\n#define BN_CTX_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BN_CTX_free)\n#define BN_CTX_get BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BN_CTX_get)\n#define BN_CTX_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BN_CTX_new)\n#define BN_CTX_start BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BN_CTX_start)\n#define BN_GENCB_call BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BN_GENCB_call)\n#define BN_GENCB_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BN_GENCB_free)\n#define BN_GENCB_get_arg BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BN_GENCB_get_arg)\n#define BN_GENCB_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BN_GENCB_new)\n#define BN_GENCB_set BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BN_GENCB_set)\n#define BN_MONT_CTX_copy BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BN_MONT_CTX_copy)\n#define BN_MONT_CTX_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BN_MONT_CTX_free)\n#define BN_MONT_CTX_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BN_MONT_CTX_new)\n#define BN_MONT_CTX_new_consttime BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BN_MONT_CTX_new_consttime)\n#define BN_MONT_CTX_new_for_modulus BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BN_MONT_CTX_new_for_modulus)\n#define BN_MONT_CTX_set BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BN_MONT_CTX_set)\n#define BN_MONT_CTX_set_locked BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BN_MONT_CTX_set_locked)\n#define BN_abs_is_word BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BN_abs_is_word)\n#define BN_add BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BN_add)\n#define BN_add_word BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BN_add_word)\n#define BN_asc2bn BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BN_asc2bn)\n#define BN_bin2bn BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BN_bin2bn)\n#define BN_bn2bin BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BN_bn2bin)\n#define BN_bn2bin_padded BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BN_bn2bin_padded)\n#define BN_bn2binpad BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BN_bn2binpad)\n#define BN_bn2cbb_padded BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BN_bn2cbb_padded)\n#define BN_bn2dec BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BN_bn2dec)\n#define BN_bn2hex BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BN_bn2hex)\n#define BN_bn2le_padded BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BN_bn2le_padded)\n#define BN_bn2lebinpad BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BN_bn2lebinpad)\n#define BN_bn2mpi BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BN_bn2mpi)\n#define BN_clear BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BN_clear)\n#define BN_clear_bit BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BN_clear_bit)\n#define BN_clear_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BN_clear_free)\n#define BN_cmp BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BN_cmp)\n#define BN_cmp_word BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BN_cmp_word)\n#define BN_copy BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BN_copy)\n#define BN_count_low_zero_bits BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BN_count_low_zero_bits)\n#define BN_dec2bn BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BN_dec2bn)\n#define BN_div BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BN_div)\n#define BN_div_word BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BN_div_word)\n#define BN_dup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BN_dup)\n#define BN_enhanced_miller_rabin_primality_test BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BN_enhanced_miller_rabin_primality_test)\n#define BN_equal_consttime BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BN_equal_consttime)\n#define BN_exp BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BN_exp)\n#define BN_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BN_free)\n#define BN_from_montgomery BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BN_from_montgomery)\n#define BN_gcd BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BN_gcd)\n#define BN_generate_prime_ex BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BN_generate_prime_ex)\n#define BN_get_rfc3526_prime_1536 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BN_get_rfc3526_prime_1536)\n#define BN_get_rfc3526_prime_2048 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BN_get_rfc3526_prime_2048)\n#define BN_get_rfc3526_prime_3072 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BN_get_rfc3526_prime_3072)\n#define BN_get_rfc3526_prime_4096 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BN_get_rfc3526_prime_4096)\n#define BN_get_rfc3526_prime_6144 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BN_get_rfc3526_prime_6144)\n#define BN_get_rfc3526_prime_8192 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BN_get_rfc3526_prime_8192)\n#define BN_get_u64 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BN_get_u64)\n#define BN_get_word BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BN_get_word)\n#define BN_hex2bn BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BN_hex2bn)\n#define BN_init BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BN_init)\n#define BN_is_bit_set BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BN_is_bit_set)\n#define BN_is_negative BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BN_is_negative)\n#define BN_is_odd BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BN_is_odd)\n#define BN_is_one BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BN_is_one)\n#define BN_is_pow2 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BN_is_pow2)\n#define BN_is_prime_ex BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BN_is_prime_ex)\n#define BN_is_prime_fasttest_ex BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BN_is_prime_fasttest_ex)\n#define BN_is_word BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BN_is_word)\n#define BN_is_zero BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BN_is_zero)\n#define BN_le2bn BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BN_le2bn)\n#define BN_lebin2bn BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BN_lebin2bn)\n#define BN_lshift BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BN_lshift)\n#define BN_lshift1 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BN_lshift1)\n#define BN_marshal_asn1 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BN_marshal_asn1)\n#define BN_mask_bits BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BN_mask_bits)\n#define BN_mod_add BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BN_mod_add)\n#define BN_mod_add_quick BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BN_mod_add_quick)\n#define BN_mod_exp BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BN_mod_exp)\n#define BN_mod_exp2_mont BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BN_mod_exp2_mont)\n#define BN_mod_exp_mont BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BN_mod_exp_mont)\n#define BN_mod_exp_mont_consttime BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BN_mod_exp_mont_consttime)\n#define BN_mod_exp_mont_word BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BN_mod_exp_mont_word)\n#define BN_mod_inverse BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BN_mod_inverse)\n#define BN_mod_inverse_blinded BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BN_mod_inverse_blinded)\n#define BN_mod_inverse_odd BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BN_mod_inverse_odd)\n#define BN_mod_lshift BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BN_mod_lshift)\n#define BN_mod_lshift1 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BN_mod_lshift1)\n#define BN_mod_lshift1_quick BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BN_mod_lshift1_quick)\n#define BN_mod_lshift_quick BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BN_mod_lshift_quick)\n#define BN_mod_mul BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BN_mod_mul)\n#define BN_mod_mul_montgomery BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BN_mod_mul_montgomery)\n#define BN_mod_pow2 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BN_mod_pow2)\n#define BN_mod_sqr BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BN_mod_sqr)\n#define BN_mod_sqrt BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BN_mod_sqrt)\n#define BN_mod_sub BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BN_mod_sub)\n#define BN_mod_sub_quick BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BN_mod_sub_quick)\n#define BN_mod_word BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BN_mod_word)\n#define BN_mpi2bn BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BN_mpi2bn)\n#define BN_mul BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BN_mul)\n#define BN_mul_word BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BN_mul_word)\n#define BN_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BN_new)\n#define BN_nnmod BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BN_nnmod)\n#define BN_nnmod_pow2 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BN_nnmod_pow2)\n#define BN_num_bits BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BN_num_bits)\n#define BN_num_bits_word BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BN_num_bits_word)\n#define BN_num_bytes BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BN_num_bytes)\n#define BN_one BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BN_one)\n#define BN_parse_asn1_unsigned BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BN_parse_asn1_unsigned)\n#define BN_primality_test BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BN_primality_test)\n#define BN_print BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BN_print)\n#define BN_print_fp BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BN_print_fp)\n#define BN_pseudo_rand BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BN_pseudo_rand)\n#define BN_pseudo_rand_range BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BN_pseudo_rand_range)\n#define BN_rand BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BN_rand)\n#define BN_rand_range BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BN_rand_range)\n#define BN_rand_range_ex BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BN_rand_range_ex)\n#define BN_rshift BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BN_rshift)\n#define BN_rshift1 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BN_rshift1)\n#define BN_secure_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BN_secure_new)\n#define BN_set_bit BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BN_set_bit)\n#define BN_set_negative BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BN_set_negative)\n#define BN_set_u64 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BN_set_u64)\n#define BN_set_word BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BN_set_word)\n#define BN_sqr BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BN_sqr)\n#define BN_sqrt BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BN_sqrt)\n#define BN_sub BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BN_sub)\n#define BN_sub_word BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BN_sub_word)\n#define BN_to_ASN1_ENUMERATED BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BN_to_ASN1_ENUMERATED)\n#define BN_to_ASN1_INTEGER BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BN_to_ASN1_INTEGER)\n#define BN_to_montgomery BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BN_to_montgomery)\n#define BN_uadd BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BN_uadd)\n#define BN_ucmp BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BN_ucmp)\n#define BN_usub BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BN_usub)\n#define BN_value_one BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BN_value_one)\n#define BN_zero BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BN_zero)\n#define BORINGSSL_keccak BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BORINGSSL_keccak)\n#define BORINGSSL_keccak_absorb BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BORINGSSL_keccak_absorb)\n#define BORINGSSL_keccak_init BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BORINGSSL_keccak_init)\n#define BORINGSSL_keccak_squeeze BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BORINGSSL_keccak_squeeze)\n#define BORINGSSL_self_test BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BORINGSSL_self_test)\n#define BUF_MEM_append BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BUF_MEM_append)\n#define BUF_MEM_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BUF_MEM_free)\n#define BUF_MEM_grow BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BUF_MEM_grow)\n#define BUF_MEM_grow_clean BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BUF_MEM_grow_clean)\n#define BUF_MEM_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BUF_MEM_new)\n#define BUF_MEM_reserve BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BUF_MEM_reserve)\n#define BUF_memdup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BUF_memdup)\n#define BUF_strdup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BUF_strdup)\n#define BUF_strlcat BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BUF_strlcat)\n#define BUF_strlcpy BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BUF_strlcpy)\n#define BUF_strndup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BUF_strndup)\n#define BUF_strnlen BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BUF_strnlen)\n#define CBB_add_asn1 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CBB_add_asn1)\n#define CBB_add_asn1_bool BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CBB_add_asn1_bool)\n#define CBB_add_asn1_int64 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CBB_add_asn1_int64)\n#define CBB_add_asn1_int64_with_tag BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CBB_add_asn1_int64_with_tag)\n#define CBB_add_asn1_octet_string BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CBB_add_asn1_octet_string)\n#define CBB_add_asn1_oid_from_text BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CBB_add_asn1_oid_from_text)\n#define CBB_add_asn1_uint64 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CBB_add_asn1_uint64)\n#define CBB_add_asn1_uint64_with_tag BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CBB_add_asn1_uint64_with_tag)\n#define CBB_add_bytes BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CBB_add_bytes)\n#define CBB_add_latin1 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CBB_add_latin1)\n#define CBB_add_space BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CBB_add_space)\n#define CBB_add_u16 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CBB_add_u16)\n#define CBB_add_u16_length_prefixed BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CBB_add_u16_length_prefixed)\n#define CBB_add_u16le BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CBB_add_u16le)\n#define CBB_add_u24 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CBB_add_u24)\n#define CBB_add_u24_length_prefixed BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CBB_add_u24_length_prefixed)\n#define CBB_add_u32 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CBB_add_u32)\n#define CBB_add_u32le BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CBB_add_u32le)\n#define CBB_add_u64 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CBB_add_u64)\n#define CBB_add_u64le BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CBB_add_u64le)\n#define CBB_add_u8 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CBB_add_u8)\n#define CBB_add_u8_length_prefixed BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CBB_add_u8_length_prefixed)\n#define CBB_add_ucs2_be BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CBB_add_ucs2_be)\n#define CBB_add_utf32_be BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CBB_add_utf32_be)\n#define CBB_add_utf8 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CBB_add_utf8)\n#define CBB_add_zeros BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CBB_add_zeros)\n#define CBB_cleanup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CBB_cleanup)\n#define CBB_data BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CBB_data)\n#define CBB_did_write BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CBB_did_write)\n#define CBB_discard_child BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CBB_discard_child)\n#define CBB_finish BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CBB_finish)\n#define CBB_finish_i2d BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CBB_finish_i2d)\n#define CBB_flush BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CBB_flush)\n#define CBB_flush_asn1_set_of BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CBB_flush_asn1_set_of)\n#define CBB_get_utf8_len BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CBB_get_utf8_len)\n#define CBB_init BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CBB_init)\n#define CBB_init_fixed BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CBB_init_fixed)\n#define CBB_len BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CBB_len)\n#define CBB_reserve BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CBB_reserve)\n#define CBB_zero BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CBB_zero)\n#define CBS_asn1_ber_to_der BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CBS_asn1_ber_to_der)\n#define CBS_asn1_bitstring_has_bit BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CBS_asn1_bitstring_has_bit)\n#define CBS_asn1_oid_to_text BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CBS_asn1_oid_to_text)\n#define CBS_contains_zero_byte BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CBS_contains_zero_byte)\n#define CBS_copy_bytes BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CBS_copy_bytes)\n#define CBS_data BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CBS_data)\n#define CBS_get_any_asn1 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CBS_get_any_asn1)\n#define CBS_get_any_asn1_element BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CBS_get_any_asn1_element)\n#define CBS_get_any_ber_asn1_element BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CBS_get_any_ber_asn1_element)\n#define CBS_get_asn1 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CBS_get_asn1)\n#define CBS_get_asn1_bool BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CBS_get_asn1_bool)\n#define CBS_get_asn1_element BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CBS_get_asn1_element)\n#define CBS_get_asn1_implicit_string BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CBS_get_asn1_implicit_string)\n#define CBS_get_asn1_int64 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CBS_get_asn1_int64)\n#define CBS_get_asn1_uint64 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CBS_get_asn1_uint64)\n#define CBS_get_bytes BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CBS_get_bytes)\n#define CBS_get_last_u8 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CBS_get_last_u8)\n#define CBS_get_latin1 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CBS_get_latin1)\n#define CBS_get_optional_asn1 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CBS_get_optional_asn1)\n#define CBS_get_optional_asn1_bool BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CBS_get_optional_asn1_bool)\n#define CBS_get_optional_asn1_octet_string BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CBS_get_optional_asn1_octet_string)\n#define CBS_get_optional_asn1_uint64 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CBS_get_optional_asn1_uint64)\n#define CBS_get_u16 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CBS_get_u16)\n#define CBS_get_u16_length_prefixed BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CBS_get_u16_length_prefixed)\n#define CBS_get_u16le BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CBS_get_u16le)\n#define CBS_get_u24 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CBS_get_u24)\n#define CBS_get_u24_length_prefixed BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CBS_get_u24_length_prefixed)\n#define CBS_get_u32 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CBS_get_u32)\n#define CBS_get_u32le BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CBS_get_u32le)\n#define CBS_get_u64 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CBS_get_u64)\n#define CBS_get_u64_decimal BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CBS_get_u64_decimal)\n#define CBS_get_u64le BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CBS_get_u64le)\n#define CBS_get_u8 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CBS_get_u8)\n#define CBS_get_u8_length_prefixed BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CBS_get_u8_length_prefixed)\n#define CBS_get_ucs2_be BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CBS_get_ucs2_be)\n#define CBS_get_until_first BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CBS_get_until_first)\n#define CBS_get_utf32_be BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CBS_get_utf32_be)\n#define CBS_get_utf8 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CBS_get_utf8)\n#define CBS_init BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CBS_init)\n#define CBS_is_unsigned_asn1_integer BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CBS_is_unsigned_asn1_integer)\n#define CBS_is_valid_asn1_bitstring BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CBS_is_valid_asn1_bitstring)\n#define CBS_is_valid_asn1_integer BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CBS_is_valid_asn1_integer)\n#define CBS_is_valid_asn1_oid BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CBS_is_valid_asn1_oid)\n#define CBS_len BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CBS_len)\n#define CBS_mem_equal BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CBS_mem_equal)\n#define CBS_parse_generalized_time BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CBS_parse_generalized_time)\n#define CBS_parse_utc_time BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CBS_parse_utc_time)\n#define CBS_peek_asn1_tag BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CBS_peek_asn1_tag)\n#define CBS_skip BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CBS_skip)\n#define CBS_stow BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CBS_stow)\n#define CBS_strdup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CBS_strdup)\n#define CERTIFICATEPOLICIES_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CERTIFICATEPOLICIES_free)\n#define CERTIFICATEPOLICIES_it BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CERTIFICATEPOLICIES_it)\n#define CERTIFICATEPOLICIES_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CERTIFICATEPOLICIES_new)\n#define CMAC_CTX_copy BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CMAC_CTX_copy)\n#define CMAC_CTX_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CMAC_CTX_free)\n#define CMAC_CTX_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CMAC_CTX_new)\n#define CMAC_Final BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CMAC_Final)\n#define CMAC_Init BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CMAC_Init)\n#define CMAC_Reset BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CMAC_Reset)\n#define CMAC_Update BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CMAC_Update)\n#define CONF_VALUE_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CONF_VALUE_new)\n#define CONF_modules_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CONF_modules_free)\n#define CONF_modules_load_file BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CONF_modules_load_file)\n#define CONF_parse_list BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CONF_parse_list)\n#define CRL_DIST_POINTS_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRL_DIST_POINTS_free)\n#define CRL_DIST_POINTS_it BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRL_DIST_POINTS_it)\n#define CRL_DIST_POINTS_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRL_DIST_POINTS_new)\n#define CRYPTO_BUFFER_POOL_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_BUFFER_POOL_free)\n#define CRYPTO_BUFFER_POOL_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_BUFFER_POOL_new)\n#define CRYPTO_BUFFER_alloc BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_BUFFER_alloc)\n#define CRYPTO_BUFFER_data BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_BUFFER_data)\n#define CRYPTO_BUFFER_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_BUFFER_free)\n#define CRYPTO_BUFFER_init_CBS BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_BUFFER_init_CBS)\n#define CRYPTO_BUFFER_len BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_BUFFER_len)\n#define CRYPTO_BUFFER_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_BUFFER_new)\n#define CRYPTO_BUFFER_new_from_CBS BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_BUFFER_new_from_CBS)\n#define CRYPTO_BUFFER_new_from_static_data_unsafe BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_BUFFER_new_from_static_data_unsafe)\n#define CRYPTO_BUFFER_up_ref BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_BUFFER_up_ref)\n#define CRYPTO_MUTEX_cleanup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_MUTEX_cleanup)\n#define CRYPTO_MUTEX_init BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_MUTEX_init)\n#define CRYPTO_MUTEX_lock_read BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_MUTEX_lock_read)\n#define CRYPTO_MUTEX_lock_write BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_MUTEX_lock_write)\n#define CRYPTO_MUTEX_unlock_read BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_MUTEX_unlock_read)\n#define CRYPTO_MUTEX_unlock_write BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_MUTEX_unlock_write)\n#define CRYPTO_POLYVAL_finish BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_POLYVAL_finish)\n#define CRYPTO_POLYVAL_init BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_POLYVAL_init)\n#define CRYPTO_POLYVAL_update_blocks BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_POLYVAL_update_blocks)\n#define CRYPTO_THREADID_current BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_THREADID_current)\n#define CRYPTO_THREADID_set_callback BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_THREADID_set_callback)\n#define CRYPTO_THREADID_set_numeric BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_THREADID_set_numeric)\n#define CRYPTO_THREADID_set_pointer BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_THREADID_set_pointer)\n#define CRYPTO_atomic_compare_exchange_weak_u32 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_atomic_compare_exchange_weak_u32)\n#define CRYPTO_atomic_load_u32 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_atomic_load_u32)\n#define CRYPTO_atomic_store_u32 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_atomic_store_u32)\n#define CRYPTO_cbc128_decrypt BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_cbc128_decrypt)\n#define CRYPTO_cbc128_encrypt BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_cbc128_encrypt)\n#define CRYPTO_cfb128_1_encrypt BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_cfb128_1_encrypt)\n#define CRYPTO_cfb128_8_encrypt BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_cfb128_8_encrypt)\n#define CRYPTO_cfb128_encrypt BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_cfb128_encrypt)\n#define CRYPTO_chacha_20 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_chacha_20)\n#define CRYPTO_cleanup_all_ex_data BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_cleanup_all_ex_data)\n#define CRYPTO_cpu_avoid_zmm_registers BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_cpu_avoid_zmm_registers)\n#define CRYPTO_cpu_perf_is_like_silvermont BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_cpu_perf_is_like_silvermont)\n#define CRYPTO_ctr128_encrypt_ctr32 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_ctr128_encrypt_ctr32)\n#define CRYPTO_fips_186_2_prf BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_fips_186_2_prf)\n#define CRYPTO_fork_detect_force_madv_wipeonfork_for_testing BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_fork_detect_force_madv_wipeonfork_for_testing)\n#define CRYPTO_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_free)\n#define CRYPTO_free_ex_data BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_free_ex_data)\n#define CRYPTO_gcm128_aad BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_gcm128_aad)\n#define CRYPTO_gcm128_decrypt BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_gcm128_decrypt)\n#define CRYPTO_gcm128_encrypt BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_gcm128_encrypt)\n#define CRYPTO_gcm128_finish BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_gcm128_finish)\n#define CRYPTO_gcm128_init_aes_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_gcm128_init_aes_key)\n#define CRYPTO_gcm128_init_ctx BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_gcm128_init_ctx)\n#define CRYPTO_gcm128_tag BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_gcm128_tag)\n#define CRYPTO_get_dynlock_create_callback BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_get_dynlock_create_callback)\n#define CRYPTO_get_dynlock_destroy_callback BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_get_dynlock_destroy_callback)\n#define CRYPTO_get_dynlock_lock_callback BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_get_dynlock_lock_callback)\n#define CRYPTO_get_ex_data BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_get_ex_data)\n#define CRYPTO_get_ex_new_index_ex BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_get_ex_new_index_ex)\n#define CRYPTO_get_fork_generation BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_get_fork_generation)\n#define CRYPTO_get_lock_name BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_get_lock_name)\n#define CRYPTO_get_locking_callback BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_get_locking_callback)\n#define CRYPTO_get_stderr BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_get_stderr)\n#define CRYPTO_get_thread_local BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_get_thread_local)\n#define CRYPTO_ghash_init BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_ghash_init)\n#define CRYPTO_has_asm BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_has_asm)\n#define CRYPTO_hchacha20 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_hchacha20)\n#define CRYPTO_init_sysrand BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_init_sysrand)\n#define CRYPTO_is_ADX_capable BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_is_ADX_capable)\n#define CRYPTO_is_AESNI_capable BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_is_AESNI_capable)\n#define CRYPTO_is_ARMv8_AES_capable BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_is_ARMv8_AES_capable)\n#define CRYPTO_is_ARMv8_PMULL_capable BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_is_ARMv8_PMULL_capable)\n#define CRYPTO_is_ARMv8_SHA1_capable BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_is_ARMv8_SHA1_capable)\n#define CRYPTO_is_ARMv8_SHA256_capable BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_is_ARMv8_SHA256_capable)\n#define CRYPTO_is_ARMv8_SHA512_capable BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_is_ARMv8_SHA512_capable)\n#define CRYPTO_is_AVX2_capable BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_is_AVX2_capable)\n#define CRYPTO_is_AVX512BW_capable BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_is_AVX512BW_capable)\n#define CRYPTO_is_AVX512VL_capable BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_is_AVX512VL_capable)\n#define CRYPTO_is_AVX_capable BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_is_AVX_capable)\n#define CRYPTO_is_BMI1_capable BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_is_BMI1_capable)\n#define CRYPTO_is_BMI2_capable BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_is_BMI2_capable)\n#define CRYPTO_is_FXSR_capable BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_is_FXSR_capable)\n#define CRYPTO_is_MOVBE_capable BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_is_MOVBE_capable)\n#define CRYPTO_is_NEON_capable BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_is_NEON_capable)\n#define CRYPTO_is_PCLMUL_capable BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_is_PCLMUL_capable)\n#define CRYPTO_is_RDRAND_capable BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_is_RDRAND_capable)\n#define CRYPTO_is_SSE4_1_capable BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_is_SSE4_1_capable)\n#define CRYPTO_is_SSSE3_capable BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_is_SSSE3_capable)\n#define CRYPTO_is_VAES_capable BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_is_VAES_capable)\n#define CRYPTO_is_VPCLMULQDQ_capable BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_is_VPCLMULQDQ_capable)\n#define CRYPTO_is_confidential_build BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_is_confidential_build)\n#define CRYPTO_is_intel_cpu BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_is_intel_cpu)\n#define CRYPTO_is_x86_SHA_capable BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_is_x86_SHA_capable)\n#define CRYPTO_library_init BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_library_init)\n#define CRYPTO_malloc BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_malloc)\n#define CRYPTO_malloc_init BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_malloc_init)\n#define CRYPTO_memcmp BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_memcmp)\n#define CRYPTO_new_ex_data BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_new_ex_data)\n#define CRYPTO_num_locks BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_num_locks)\n#define CRYPTO_ofb128_encrypt BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_ofb128_encrypt)\n#define CRYPTO_once BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_once)\n#define CRYPTO_poly1305_finish BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_poly1305_finish)\n#define CRYPTO_poly1305_init BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_poly1305_init)\n#define CRYPTO_poly1305_update BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_poly1305_update)\n#define CRYPTO_pre_sandbox_init BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_pre_sandbox_init)\n#define CRYPTO_rdrand BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_rdrand)\n#define CRYPTO_rdrand_multiple8_buf BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_rdrand_multiple8_buf)\n#define CRYPTO_realloc BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_realloc)\n#define CRYPTO_refcount_dec_and_test_zero BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_refcount_dec_and_test_zero)\n#define CRYPTO_refcount_inc BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_refcount_inc)\n#define CRYPTO_secure_malloc_init BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_secure_malloc_init)\n#define CRYPTO_secure_malloc_initialized BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_secure_malloc_initialized)\n#define CRYPTO_secure_used BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_secure_used)\n#define CRYPTO_set_add_lock_callback BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_set_add_lock_callback)\n#define CRYPTO_set_dynlock_create_callback BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_set_dynlock_create_callback)\n#define CRYPTO_set_dynlock_destroy_callback BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_set_dynlock_destroy_callback)\n#define CRYPTO_set_dynlock_lock_callback BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_set_dynlock_lock_callback)\n#define CRYPTO_set_ex_data BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_set_ex_data)\n#define CRYPTO_set_id_callback BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_set_id_callback)\n#define CRYPTO_set_locking_callback BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_set_locking_callback)\n#define CRYPTO_set_thread_local BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_set_thread_local)\n#define CRYPTO_sysrand BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_sysrand)\n#define CRYPTO_sysrand_for_seed BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_sysrand_for_seed)\n#define CRYPTO_sysrand_if_available BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_sysrand_if_available)\n#define CRYPTO_tls13_hkdf_expand_label BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_tls13_hkdf_expand_label)\n#define CRYPTO_tls1_prf BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_tls1_prf)\n#define CRYPTO_xor16 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_xor16)\n#define CTR_DRBG_clear BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CTR_DRBG_clear)\n#define CTR_DRBG_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CTR_DRBG_free)\n#define CTR_DRBG_generate BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CTR_DRBG_generate)\n#define CTR_DRBG_init BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CTR_DRBG_init)\n#define CTR_DRBG_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CTR_DRBG_new)\n#define CTR_DRBG_reseed BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CTR_DRBG_reseed)\n#define ChaCha20_ctr32_avx2 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ChaCha20_ctr32_avx2)\n#define ChaCha20_ctr32_avx2_capable BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ChaCha20_ctr32_avx2_capable)\n#define ChaCha20_ctr32_neon BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ChaCha20_ctr32_neon)\n#define ChaCha20_ctr32_neon_capable BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ChaCha20_ctr32_neon_capable)\n#define ChaCha20_ctr32_nohw BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ChaCha20_ctr32_nohw)\n#define ChaCha20_ctr32_ssse3 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ChaCha20_ctr32_ssse3)\n#define ChaCha20_ctr32_ssse3_4x BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ChaCha20_ctr32_ssse3_4x)\n#define ChaCha20_ctr32_ssse3_4x_capable BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ChaCha20_ctr32_ssse3_4x_capable)\n#define ChaCha20_ctr32_ssse3_capable BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ChaCha20_ctr32_ssse3_capable)\n#define DES_decrypt3 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, DES_decrypt3)\n#define DES_ecb3_encrypt BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, DES_ecb3_encrypt)\n#define DES_ecb3_encrypt_ex BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, DES_ecb3_encrypt_ex)\n#define DES_ecb_encrypt BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, DES_ecb_encrypt)\n#define DES_ecb_encrypt_ex BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, DES_ecb_encrypt_ex)\n#define DES_ede2_cbc_encrypt BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, DES_ede2_cbc_encrypt)\n#define DES_ede3_cbc_encrypt BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, DES_ede3_cbc_encrypt)\n#define DES_ede3_cbc_encrypt_ex BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, DES_ede3_cbc_encrypt_ex)\n#define DES_encrypt3 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, DES_encrypt3)\n#define DES_ncbc_encrypt BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, DES_ncbc_encrypt)\n#define DES_ncbc_encrypt_ex BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, DES_ncbc_encrypt_ex)\n#define DES_set_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, DES_set_key)\n#define DES_set_key_ex BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, DES_set_key_ex)\n#define DES_set_key_unchecked BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, DES_set_key_unchecked)\n#define DES_set_odd_parity BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, DES_set_odd_parity)\n#define DH_bits BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, DH_bits)\n#define DH_check BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, DH_check)\n#define DH_check_pub_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, DH_check_pub_key)\n#define DH_compute_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, DH_compute_key)\n#define DH_compute_key_hashed BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, DH_compute_key_hashed)\n#define DH_compute_key_padded BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, DH_compute_key_padded)\n#define DH_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, DH_free)\n#define DH_generate_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, DH_generate_key)\n#define DH_generate_parameters_ex BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, DH_generate_parameters_ex)\n#define DH_get0_g BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, DH_get0_g)\n#define DH_get0_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, DH_get0_key)\n#define DH_get0_p BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, DH_get0_p)\n#define DH_get0_pqg BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, DH_get0_pqg)\n#define DH_get0_priv_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, DH_get0_priv_key)\n#define DH_get0_pub_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, DH_get0_pub_key)\n#define DH_get0_q BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, DH_get0_q)\n#define DH_get_rfc7919_2048 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, DH_get_rfc7919_2048)\n#define DH_marshal_parameters BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, DH_marshal_parameters)\n#define DH_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, DH_new)\n#define DH_num_bits BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, DH_num_bits)\n#define DH_parse_parameters BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, DH_parse_parameters)\n#define DH_set0_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, DH_set0_key)\n#define DH_set0_pqg BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, DH_set0_pqg)\n#define DH_set_length BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, DH_set_length)\n#define DH_size BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, DH_size)\n#define DH_up_ref BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, DH_up_ref)\n#define DHparams_dup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, DHparams_dup)\n#define DIRECTORYSTRING_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, DIRECTORYSTRING_free)\n#define DIRECTORYSTRING_it BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, DIRECTORYSTRING_it)\n#define DIRECTORYSTRING_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, DIRECTORYSTRING_new)\n#define DISPLAYTEXT_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, DISPLAYTEXT_free)\n#define DISPLAYTEXT_it BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, DISPLAYTEXT_it)\n#define DISPLAYTEXT_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, DISPLAYTEXT_new)\n#define DIST_POINT_NAME_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, DIST_POINT_NAME_free)\n#define DIST_POINT_NAME_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, DIST_POINT_NAME_new)\n#define DIST_POINT_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, DIST_POINT_free)\n#define DIST_POINT_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, DIST_POINT_new)\n#define DIST_POINT_set_dpname BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, DIST_POINT_set_dpname)\n#define DSA_SIG_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, DSA_SIG_free)\n#define DSA_SIG_get0 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, DSA_SIG_get0)\n#define DSA_SIG_marshal BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, DSA_SIG_marshal)\n#define DSA_SIG_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, DSA_SIG_new)\n#define DSA_SIG_parse BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, DSA_SIG_parse)\n#define DSA_SIG_set0 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, DSA_SIG_set0)\n#define DSA_bits BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, DSA_bits)\n#define DSA_check_signature BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, DSA_check_signature)\n#define DSA_do_check_signature BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, DSA_do_check_signature)\n#define DSA_do_sign BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, DSA_do_sign)\n#define DSA_do_verify BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, DSA_do_verify)\n#define DSA_dup_DH BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, DSA_dup_DH)\n#define DSA_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, DSA_free)\n#define DSA_generate_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, DSA_generate_key)\n#define DSA_generate_parameters_ex BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, DSA_generate_parameters_ex)\n#define DSA_get0_g BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, DSA_get0_g)\n#define DSA_get0_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, DSA_get0_key)\n#define DSA_get0_p BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, DSA_get0_p)\n#define DSA_get0_pqg BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, DSA_get0_pqg)\n#define DSA_get0_priv_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, DSA_get0_priv_key)\n#define DSA_get0_pub_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, DSA_get0_pub_key)\n#define DSA_get0_q BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, DSA_get0_q)\n#define DSA_get_ex_data BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, DSA_get_ex_data)\n#define DSA_get_ex_new_index BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, DSA_get_ex_new_index)\n#define DSA_marshal_parameters BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, DSA_marshal_parameters)\n#define DSA_marshal_private_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, DSA_marshal_private_key)\n#define DSA_marshal_public_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, DSA_marshal_public_key)\n#define DSA_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, DSA_new)\n#define DSA_parse_parameters BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, DSA_parse_parameters)\n#define DSA_parse_private_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, DSA_parse_private_key)\n#define DSA_parse_public_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, DSA_parse_public_key)\n#define DSA_set0_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, DSA_set0_key)\n#define DSA_set0_pqg BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, DSA_set0_pqg)\n#define DSA_set_ex_data BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, DSA_set_ex_data)\n#define DSA_sign BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, DSA_sign)\n#define DSA_size BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, DSA_size)\n#define DSA_up_ref BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, DSA_up_ref)\n#define DSA_verify BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, DSA_verify)\n#define DSAparams_dup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, DSAparams_dup)\n#define DTLS_client_method BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, DTLS_client_method)\n#define DTLS_method BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, DTLS_method)\n#define DTLS_server_method BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, DTLS_server_method)\n#define DTLS_with_buffers_method BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, DTLS_with_buffers_method)\n#define DTLSv1_2_client_method BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, DTLSv1_2_client_method)\n#define DTLSv1_2_method BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, DTLSv1_2_method)\n#define DTLSv1_2_server_method BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, DTLSv1_2_server_method)\n#define DTLSv1_client_method BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, DTLSv1_client_method)\n#define DTLSv1_get_timeout BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, DTLSv1_get_timeout)\n#define DTLSv1_handle_timeout BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, DTLSv1_handle_timeout)\n#define DTLSv1_method BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, DTLSv1_method)\n#define DTLSv1_server_method BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, DTLSv1_server_method)\n#define DTLSv1_set_initial_timeout_duration BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, DTLSv1_set_initial_timeout_duration)\n#define ECDH_compute_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ECDH_compute_key)\n#define ECDH_compute_key_fips BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ECDH_compute_key_fips)\n#define ECDSA_SIG_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ECDSA_SIG_free)\n#define ECDSA_SIG_from_bytes BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ECDSA_SIG_from_bytes)\n#define ECDSA_SIG_get0 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ECDSA_SIG_get0)\n#define ECDSA_SIG_get0_r BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ECDSA_SIG_get0_r)\n#define ECDSA_SIG_get0_s BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ECDSA_SIG_get0_s)\n#define ECDSA_SIG_marshal BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ECDSA_SIG_marshal)\n#define ECDSA_SIG_max_len BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ECDSA_SIG_max_len)\n#define ECDSA_SIG_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ECDSA_SIG_new)\n#define ECDSA_SIG_parse BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ECDSA_SIG_parse)\n#define ECDSA_SIG_set0 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ECDSA_SIG_set0)\n#define ECDSA_SIG_to_bytes BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ECDSA_SIG_to_bytes)\n#define ECDSA_do_sign BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ECDSA_do_sign)\n#define ECDSA_do_verify BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ECDSA_do_verify)\n#define ECDSA_sign BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ECDSA_sign)\n#define ECDSA_sign_with_nonce_and_leak_private_key_for_testing BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ECDSA_sign_with_nonce_and_leak_private_key_for_testing)\n#define ECDSA_size BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ECDSA_size)\n#define ECDSA_verify BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ECDSA_verify)\n#define EC_GFp_mont_method BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EC_GFp_mont_method)\n#define EC_GFp_nistp224_method BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EC_GFp_nistp224_method)\n#define EC_GFp_nistp256_method BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EC_GFp_nistp256_method)\n#define EC_GFp_nistz256_method BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EC_GFp_nistz256_method)\n#define EC_GROUP_cmp BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EC_GROUP_cmp)\n#define EC_GROUP_dup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EC_GROUP_dup)\n#define EC_GROUP_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EC_GROUP_free)\n#define EC_GROUP_get0_generator BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EC_GROUP_get0_generator)\n#define EC_GROUP_get0_order BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EC_GROUP_get0_order)\n#define EC_GROUP_get_asn1_flag BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EC_GROUP_get_asn1_flag)\n#define EC_GROUP_get_cofactor BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EC_GROUP_get_cofactor)\n#define EC_GROUP_get_curve_GFp BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EC_GROUP_get_curve_GFp)\n#define EC_GROUP_get_curve_name BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EC_GROUP_get_curve_name)\n#define EC_GROUP_get_degree BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EC_GROUP_get_degree)\n#define EC_GROUP_get_order BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EC_GROUP_get_order)\n#define EC_GROUP_method_of BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EC_GROUP_method_of)\n#define EC_GROUP_new_by_curve_name BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EC_GROUP_new_by_curve_name)\n#define EC_GROUP_new_curve_GFp BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EC_GROUP_new_curve_GFp)\n#define EC_GROUP_order_bits BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EC_GROUP_order_bits)\n#define EC_GROUP_set_asn1_flag BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EC_GROUP_set_asn1_flag)\n#define EC_GROUP_set_generator BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EC_GROUP_set_generator)\n#define EC_GROUP_set_point_conversion_form BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EC_GROUP_set_point_conversion_form)\n#define EC_KEY_check_fips BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EC_KEY_check_fips)\n#define EC_KEY_check_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EC_KEY_check_key)\n#define EC_KEY_derive_from_secret BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EC_KEY_derive_from_secret)\n#define EC_KEY_dup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EC_KEY_dup)\n#define EC_KEY_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EC_KEY_free)\n#define EC_KEY_generate_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EC_KEY_generate_key)\n#define EC_KEY_generate_key_fips BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EC_KEY_generate_key_fips)\n#define EC_KEY_get0_group BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EC_KEY_get0_group)\n#define EC_KEY_get0_private_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EC_KEY_get0_private_key)\n#define EC_KEY_get0_public_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EC_KEY_get0_public_key)\n#define EC_KEY_get_conv_form BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EC_KEY_get_conv_form)\n#define EC_KEY_get_enc_flags BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EC_KEY_get_enc_flags)\n#define EC_KEY_get_ex_data BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EC_KEY_get_ex_data)\n#define EC_KEY_get_ex_new_index BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EC_KEY_get_ex_new_index)\n#define EC_KEY_is_opaque BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EC_KEY_is_opaque)\n#define EC_KEY_key2buf BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EC_KEY_key2buf)\n#define EC_KEY_marshal_curve_name BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EC_KEY_marshal_curve_name)\n#define EC_KEY_marshal_private_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EC_KEY_marshal_private_key)\n#define EC_KEY_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EC_KEY_new)\n#define EC_KEY_new_by_curve_name BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EC_KEY_new_by_curve_name)\n#define EC_KEY_new_method BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EC_KEY_new_method)\n#define EC_KEY_oct2key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EC_KEY_oct2key)\n#define EC_KEY_oct2priv BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EC_KEY_oct2priv)\n#define EC_KEY_parse_curve_name BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EC_KEY_parse_curve_name)\n#define EC_KEY_parse_parameters BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EC_KEY_parse_parameters)\n#define EC_KEY_parse_private_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EC_KEY_parse_private_key)\n#define EC_KEY_priv2buf BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EC_KEY_priv2buf)\n#define EC_KEY_priv2oct BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EC_KEY_priv2oct)\n#define EC_KEY_set_asn1_flag BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EC_KEY_set_asn1_flag)\n#define EC_KEY_set_conv_form BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EC_KEY_set_conv_form)\n#define EC_KEY_set_enc_flags BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EC_KEY_set_enc_flags)\n#define EC_KEY_set_ex_data BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EC_KEY_set_ex_data)\n#define EC_KEY_set_group BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EC_KEY_set_group)\n#define EC_KEY_set_private_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EC_KEY_set_private_key)\n#define EC_KEY_set_public_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EC_KEY_set_public_key)\n#define EC_KEY_set_public_key_affine_coordinates BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EC_KEY_set_public_key_affine_coordinates)\n#define EC_KEY_up_ref BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EC_KEY_up_ref)\n#define EC_METHOD_get_field_type BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EC_METHOD_get_field_type)\n#define EC_POINT_add BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EC_POINT_add)\n#define EC_POINT_clear_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EC_POINT_clear_free)\n#define EC_POINT_cmp BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EC_POINT_cmp)\n#define EC_POINT_copy BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EC_POINT_copy)\n#define EC_POINT_dbl BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EC_POINT_dbl)\n#define EC_POINT_dup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EC_POINT_dup)\n#define EC_POINT_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EC_POINT_free)\n#define EC_POINT_get_affine_coordinates BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EC_POINT_get_affine_coordinates)\n#define EC_POINT_get_affine_coordinates_GFp BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EC_POINT_get_affine_coordinates_GFp)\n#define EC_POINT_invert BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EC_POINT_invert)\n#define EC_POINT_is_at_infinity BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EC_POINT_is_at_infinity)\n#define EC_POINT_is_on_curve BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EC_POINT_is_on_curve)\n#define EC_POINT_mul BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EC_POINT_mul)\n#define EC_POINT_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EC_POINT_new)\n#define EC_POINT_oct2point BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EC_POINT_oct2point)\n#define EC_POINT_point2buf BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EC_POINT_point2buf)\n#define EC_POINT_point2cbb BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EC_POINT_point2cbb)\n#define EC_POINT_point2oct BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EC_POINT_point2oct)\n#define EC_POINT_set_affine_coordinates BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EC_POINT_set_affine_coordinates)\n#define EC_POINT_set_affine_coordinates_GFp BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EC_POINT_set_affine_coordinates_GFp)\n#define EC_POINT_set_compressed_coordinates_GFp BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EC_POINT_set_compressed_coordinates_GFp)\n#define EC_POINT_set_to_infinity BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EC_POINT_set_to_infinity)\n#define EC_curve_nid2nist BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EC_curve_nid2nist)\n#define EC_curve_nist2nid BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EC_curve_nist2nid)\n#define EC_get_builtin_curves BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EC_get_builtin_curves)\n#define EC_group_p224 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EC_group_p224)\n#define EC_group_p256 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EC_group_p256)\n#define EC_group_p384 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EC_group_p384)\n#define EC_group_p521 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EC_group_p521)\n#define EC_hash_to_curve_p256_xmd_sha256_sswu BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EC_hash_to_curve_p256_xmd_sha256_sswu)\n#define EC_hash_to_curve_p384_xmd_sha384_sswu BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EC_hash_to_curve_p384_xmd_sha384_sswu)\n#define ED25519_keypair BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ED25519_keypair)\n#define ED25519_keypair_from_seed BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ED25519_keypair_from_seed)\n#define ED25519_sign BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ED25519_sign)\n#define ED25519_verify BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ED25519_verify)\n#define EDIPARTYNAME_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EDIPARTYNAME_free)\n#define EDIPARTYNAME_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EDIPARTYNAME_new)\n#define ENGINE_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ENGINE_free)\n#define ENGINE_get_ECDSA_method BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ENGINE_get_ECDSA_method)\n#define ENGINE_get_RSA_method BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ENGINE_get_RSA_method)\n#define ENGINE_load_builtin_engines BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ENGINE_load_builtin_engines)\n#define ENGINE_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ENGINE_new)\n#define ENGINE_register_all_complete BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ENGINE_register_all_complete)\n#define ENGINE_set_ECDSA_method BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ENGINE_set_ECDSA_method)\n#define ENGINE_set_RSA_method BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ENGINE_set_RSA_method)\n#define ERR_GET_LIB BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ERR_GET_LIB)\n#define ERR_GET_REASON BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ERR_GET_REASON)\n#define ERR_SAVE_STATE_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ERR_SAVE_STATE_free)\n#define ERR_add_error_data BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ERR_add_error_data)\n#define ERR_add_error_dataf BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ERR_add_error_dataf)\n#define ERR_clear_error BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ERR_clear_error)\n#define ERR_clear_system_error BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ERR_clear_system_error)\n#define ERR_error_string BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ERR_error_string)\n#define ERR_error_string_n BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ERR_error_string_n)\n#define ERR_free_strings BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ERR_free_strings)\n#define ERR_func_error_string BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ERR_func_error_string)\n#define ERR_get_error BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ERR_get_error)\n#define ERR_get_error_line BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ERR_get_error_line)\n#define ERR_get_error_line_data BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ERR_get_error_line_data)\n#define ERR_get_next_error_library BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ERR_get_next_error_library)\n#define ERR_lib_error_string BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ERR_lib_error_string)\n#define ERR_lib_symbol_name BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ERR_lib_symbol_name)\n#define ERR_load_BIO_strings BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ERR_load_BIO_strings)\n#define ERR_load_ERR_strings BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ERR_load_ERR_strings)\n#define ERR_load_RAND_strings BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ERR_load_RAND_strings)\n#define ERR_load_SSL_strings BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ERR_load_SSL_strings)\n#define ERR_load_crypto_strings BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ERR_load_crypto_strings)\n#define ERR_peek_error BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ERR_peek_error)\n#define ERR_peek_error_line BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ERR_peek_error_line)\n#define ERR_peek_error_line_data BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ERR_peek_error_line_data)\n#define ERR_peek_last_error BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ERR_peek_last_error)\n#define ERR_peek_last_error_line BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ERR_peek_last_error_line)\n#define ERR_peek_last_error_line_data BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ERR_peek_last_error_line_data)\n#define ERR_pop_to_mark BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ERR_pop_to_mark)\n#define ERR_print_errors BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ERR_print_errors)\n#define ERR_print_errors_cb BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ERR_print_errors_cb)\n#define ERR_print_errors_fp BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ERR_print_errors_fp)\n#define ERR_put_error BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ERR_put_error)\n#define ERR_reason_error_string BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ERR_reason_error_string)\n#define ERR_reason_symbol_name BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ERR_reason_symbol_name)\n#define ERR_remove_state BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ERR_remove_state)\n#define ERR_remove_thread_state BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ERR_remove_thread_state)\n#define ERR_restore_state BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ERR_restore_state)\n#define ERR_save_state BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ERR_save_state)\n#define ERR_set_error_data BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ERR_set_error_data)\n#define ERR_set_mark BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ERR_set_mark)\n#define EVP_AEAD_CTX_aead BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_AEAD_CTX_aead)\n#define EVP_AEAD_CTX_cleanup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_AEAD_CTX_cleanup)\n#define EVP_AEAD_CTX_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_AEAD_CTX_free)\n#define EVP_AEAD_CTX_get_iv BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_AEAD_CTX_get_iv)\n#define EVP_AEAD_CTX_init BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_AEAD_CTX_init)\n#define EVP_AEAD_CTX_init_with_direction BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_AEAD_CTX_init_with_direction)\n#define EVP_AEAD_CTX_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_AEAD_CTX_new)\n#define EVP_AEAD_CTX_open BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_AEAD_CTX_open)\n#define EVP_AEAD_CTX_open_gather BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_AEAD_CTX_open_gather)\n#define EVP_AEAD_CTX_seal BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_AEAD_CTX_seal)\n#define EVP_AEAD_CTX_seal_scatter BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_AEAD_CTX_seal_scatter)\n#define EVP_AEAD_CTX_tag_len BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_AEAD_CTX_tag_len)\n#define EVP_AEAD_CTX_zero BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_AEAD_CTX_zero)\n#define EVP_AEAD_key_length BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_AEAD_key_length)\n#define EVP_AEAD_max_overhead BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_AEAD_max_overhead)\n#define EVP_AEAD_max_tag_len BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_AEAD_max_tag_len)\n#define EVP_AEAD_nonce_length BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_AEAD_nonce_length)\n#define EVP_BytesToKey BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_BytesToKey)\n#define EVP_CIPHER_CTX_block_size BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_CIPHER_CTX_block_size)\n#define EVP_CIPHER_CTX_cipher BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_CIPHER_CTX_cipher)\n#define EVP_CIPHER_CTX_cleanup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_CIPHER_CTX_cleanup)\n#define EVP_CIPHER_CTX_copy BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_CIPHER_CTX_copy)\n#define EVP_CIPHER_CTX_ctrl BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_CIPHER_CTX_ctrl)\n#define EVP_CIPHER_CTX_encrypting BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_CIPHER_CTX_encrypting)\n#define EVP_CIPHER_CTX_flags BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_CIPHER_CTX_flags)\n#define EVP_CIPHER_CTX_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_CIPHER_CTX_free)\n#define EVP_CIPHER_CTX_get_app_data BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_CIPHER_CTX_get_app_data)\n#define EVP_CIPHER_CTX_init BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_CIPHER_CTX_init)\n#define EVP_CIPHER_CTX_iv_length BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_CIPHER_CTX_iv_length)\n#define EVP_CIPHER_CTX_key_length BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_CIPHER_CTX_key_length)\n#define EVP_CIPHER_CTX_mode BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_CIPHER_CTX_mode)\n#define EVP_CIPHER_CTX_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_CIPHER_CTX_new)\n#define EVP_CIPHER_CTX_nid BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_CIPHER_CTX_nid)\n#define EVP_CIPHER_CTX_reset BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_CIPHER_CTX_reset)\n#define EVP_CIPHER_CTX_set_app_data BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_CIPHER_CTX_set_app_data)\n#define EVP_CIPHER_CTX_set_flags BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_CIPHER_CTX_set_flags)\n#define EVP_CIPHER_CTX_set_key_length BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_CIPHER_CTX_set_key_length)\n#define EVP_CIPHER_CTX_set_padding BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_CIPHER_CTX_set_padding)\n#define EVP_CIPHER_block_size BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_CIPHER_block_size)\n#define EVP_CIPHER_flags BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_CIPHER_flags)\n#define EVP_CIPHER_iv_length BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_CIPHER_iv_length)\n#define EVP_CIPHER_key_length BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_CIPHER_key_length)\n#define EVP_CIPHER_mode BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_CIPHER_mode)\n#define EVP_CIPHER_nid BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_CIPHER_nid)\n#define EVP_Cipher BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_Cipher)\n#define EVP_CipherFinal BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_CipherFinal)\n#define EVP_CipherFinal_ex BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_CipherFinal_ex)\n#define EVP_CipherInit BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_CipherInit)\n#define EVP_CipherInit_ex BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_CipherInit_ex)\n#define EVP_CipherUpdate BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_CipherUpdate)\n#define EVP_DecodeBase64 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_DecodeBase64)\n#define EVP_DecodeBlock BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_DecodeBlock)\n#define EVP_DecodeFinal BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_DecodeFinal)\n#define EVP_DecodeInit BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_DecodeInit)\n#define EVP_DecodeUpdate BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_DecodeUpdate)\n#define EVP_DecodedLength BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_DecodedLength)\n#define EVP_DecryptFinal BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_DecryptFinal)\n#define EVP_DecryptFinal_ex BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_DecryptFinal_ex)\n#define EVP_DecryptInit BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_DecryptInit)\n#define EVP_DecryptInit_ex BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_DecryptInit_ex)\n#define EVP_DecryptUpdate BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_DecryptUpdate)\n#define EVP_Digest BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_Digest)\n#define EVP_DigestFinal BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_DigestFinal)\n#define EVP_DigestFinalXOF BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_DigestFinalXOF)\n#define EVP_DigestFinal_ex BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_DigestFinal_ex)\n#define EVP_DigestInit BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_DigestInit)\n#define EVP_DigestInit_ex BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_DigestInit_ex)\n#define EVP_DigestSign BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_DigestSign)\n#define EVP_DigestSignFinal BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_DigestSignFinal)\n#define EVP_DigestSignInit BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_DigestSignInit)\n#define EVP_DigestSignUpdate BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_DigestSignUpdate)\n#define EVP_DigestUpdate BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_DigestUpdate)\n#define EVP_DigestVerify BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_DigestVerify)\n#define EVP_DigestVerifyFinal BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_DigestVerifyFinal)\n#define EVP_DigestVerifyInit BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_DigestVerifyInit)\n#define EVP_DigestVerifyUpdate BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_DigestVerifyUpdate)\n#define EVP_ENCODE_CTX_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_ENCODE_CTX_free)\n#define EVP_ENCODE_CTX_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_ENCODE_CTX_new)\n#define EVP_EncodeBlock BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_EncodeBlock)\n#define EVP_EncodeFinal BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_EncodeFinal)\n#define EVP_EncodeInit BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_EncodeInit)\n#define EVP_EncodeUpdate BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_EncodeUpdate)\n#define EVP_EncodedLength BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_EncodedLength)\n#define EVP_EncryptFinal BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_EncryptFinal)\n#define EVP_EncryptFinal_ex BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_EncryptFinal_ex)\n#define EVP_EncryptInit BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_EncryptInit)\n#define EVP_EncryptInit_ex BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_EncryptInit_ex)\n#define EVP_EncryptUpdate BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_EncryptUpdate)\n#define EVP_HPKE_AEAD_aead BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_HPKE_AEAD_aead)\n#define EVP_HPKE_AEAD_id BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_HPKE_AEAD_id)\n#define EVP_HPKE_CTX_aead BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_HPKE_CTX_aead)\n#define EVP_HPKE_CTX_cleanup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_HPKE_CTX_cleanup)\n#define EVP_HPKE_CTX_export BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_HPKE_CTX_export)\n#define EVP_HPKE_CTX_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_HPKE_CTX_free)\n#define EVP_HPKE_CTX_kdf BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_HPKE_CTX_kdf)\n#define EVP_HPKE_CTX_kem BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_HPKE_CTX_kem)\n#define EVP_HPKE_CTX_max_overhead BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_HPKE_CTX_max_overhead)\n#define EVP_HPKE_CTX_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_HPKE_CTX_new)\n#define EVP_HPKE_CTX_open BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_HPKE_CTX_open)\n#define EVP_HPKE_CTX_seal BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_HPKE_CTX_seal)\n#define EVP_HPKE_CTX_setup_auth_recipient BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_HPKE_CTX_setup_auth_recipient)\n#define EVP_HPKE_CTX_setup_auth_sender BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_HPKE_CTX_setup_auth_sender)\n#define EVP_HPKE_CTX_setup_auth_sender_with_seed_for_testing BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_HPKE_CTX_setup_auth_sender_with_seed_for_testing)\n#define EVP_HPKE_CTX_setup_recipient BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_HPKE_CTX_setup_recipient)\n#define EVP_HPKE_CTX_setup_sender BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_HPKE_CTX_setup_sender)\n#define EVP_HPKE_CTX_setup_sender_with_seed_for_testing BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_HPKE_CTX_setup_sender_with_seed_for_testing)\n#define EVP_HPKE_CTX_zero BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_HPKE_CTX_zero)\n#define EVP_HPKE_KDF_hkdf_md BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_HPKE_KDF_hkdf_md)\n#define EVP_HPKE_KDF_id BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_HPKE_KDF_id)\n#define EVP_HPKE_KEM_enc_len BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_HPKE_KEM_enc_len)\n#define EVP_HPKE_KEM_id BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_HPKE_KEM_id)\n#define EVP_HPKE_KEM_private_key_len BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_HPKE_KEM_private_key_len)\n#define EVP_HPKE_KEM_public_key_len BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_HPKE_KEM_public_key_len)\n#define EVP_HPKE_KEY_cleanup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_HPKE_KEY_cleanup)\n#define EVP_HPKE_KEY_copy BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_HPKE_KEY_copy)\n#define EVP_HPKE_KEY_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_HPKE_KEY_free)\n#define EVP_HPKE_KEY_generate BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_HPKE_KEY_generate)\n#define EVP_HPKE_KEY_init BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_HPKE_KEY_init)\n#define EVP_HPKE_KEY_kem BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_HPKE_KEY_kem)\n#define EVP_HPKE_KEY_move BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_HPKE_KEY_move)\n#define EVP_HPKE_KEY_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_HPKE_KEY_new)\n#define EVP_HPKE_KEY_private_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_HPKE_KEY_private_key)\n#define EVP_HPKE_KEY_public_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_HPKE_KEY_public_key)\n#define EVP_HPKE_KEY_zero BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_HPKE_KEY_zero)\n#define EVP_MD_CTX_block_size BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_MD_CTX_block_size)\n#define EVP_MD_CTX_cleanse BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_MD_CTX_cleanse)\n#define EVP_MD_CTX_cleanup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_MD_CTX_cleanup)\n#define EVP_MD_CTX_copy BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_MD_CTX_copy)\n#define EVP_MD_CTX_copy_ex BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_MD_CTX_copy_ex)\n#define EVP_MD_CTX_create BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_MD_CTX_create)\n#define EVP_MD_CTX_destroy BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_MD_CTX_destroy)\n#define EVP_MD_CTX_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_MD_CTX_free)\n#define EVP_MD_CTX_get0_md BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_MD_CTX_get0_md)\n#define EVP_MD_CTX_init BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_MD_CTX_init)\n#define EVP_MD_CTX_md BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_MD_CTX_md)\n#define EVP_MD_CTX_move BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_MD_CTX_move)\n#define EVP_MD_CTX_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_MD_CTX_new)\n#define EVP_MD_CTX_reset BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_MD_CTX_reset)\n#define EVP_MD_CTX_set_flags BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_MD_CTX_set_flags)\n#define EVP_MD_CTX_size BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_MD_CTX_size)\n#define EVP_MD_CTX_type BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_MD_CTX_type)\n#define EVP_MD_block_size BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_MD_block_size)\n#define EVP_MD_flags BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_MD_flags)\n#define EVP_MD_meth_get_flags BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_MD_meth_get_flags)\n#define EVP_MD_nid BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_MD_nid)\n#define EVP_MD_size BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_MD_size)\n#define EVP_MD_type BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_MD_type)\n#define EVP_PBE_scrypt BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_PBE_scrypt)\n#define EVP_PKCS82PKEY BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_PKCS82PKEY)\n#define EVP_PKEY2PKCS8 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_PKEY2PKCS8)\n#define EVP_PKEY_CTX_add1_hkdf_info BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_PKEY_CTX_add1_hkdf_info)\n#define EVP_PKEY_CTX_ctrl BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_PKEY_CTX_ctrl)\n#define EVP_PKEY_CTX_dup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_PKEY_CTX_dup)\n#define EVP_PKEY_CTX_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_PKEY_CTX_free)\n#define EVP_PKEY_CTX_get0_pkey BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_PKEY_CTX_get0_pkey)\n#define EVP_PKEY_CTX_get0_rsa_oaep_label BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_PKEY_CTX_get0_rsa_oaep_label)\n#define EVP_PKEY_CTX_get_rsa_mgf1_md BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_PKEY_CTX_get_rsa_mgf1_md)\n#define EVP_PKEY_CTX_get_rsa_oaep_md BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_PKEY_CTX_get_rsa_oaep_md)\n#define EVP_PKEY_CTX_get_rsa_padding BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_PKEY_CTX_get_rsa_padding)\n#define EVP_PKEY_CTX_get_rsa_pss_saltlen BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_PKEY_CTX_get_rsa_pss_saltlen)\n#define EVP_PKEY_CTX_get_signature_md BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_PKEY_CTX_get_signature_md)\n#define EVP_PKEY_CTX_hkdf_mode BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_PKEY_CTX_hkdf_mode)\n#define EVP_PKEY_CTX_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_PKEY_CTX_new)\n#define EVP_PKEY_CTX_new_id BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_PKEY_CTX_new_id)\n#define EVP_PKEY_CTX_set0_rsa_oaep_label BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_PKEY_CTX_set0_rsa_oaep_label)\n#define EVP_PKEY_CTX_set1_hkdf_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_PKEY_CTX_set1_hkdf_key)\n#define EVP_PKEY_CTX_set1_hkdf_salt BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_PKEY_CTX_set1_hkdf_salt)\n#define EVP_PKEY_CTX_set_dh_pad BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_PKEY_CTX_set_dh_pad)\n#define EVP_PKEY_CTX_set_dsa_paramgen_bits BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_PKEY_CTX_set_dsa_paramgen_bits)\n#define EVP_PKEY_CTX_set_dsa_paramgen_q_bits BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_PKEY_CTX_set_dsa_paramgen_q_bits)\n#define EVP_PKEY_CTX_set_ec_param_enc BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_PKEY_CTX_set_ec_param_enc)\n#define EVP_PKEY_CTX_set_ec_paramgen_curve_nid BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_PKEY_CTX_set_ec_paramgen_curve_nid)\n#define EVP_PKEY_CTX_set_hkdf_md BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_PKEY_CTX_set_hkdf_md)\n#define EVP_PKEY_CTX_set_rsa_keygen_bits BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_PKEY_CTX_set_rsa_keygen_bits)\n#define EVP_PKEY_CTX_set_rsa_keygen_pubexp BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_PKEY_CTX_set_rsa_keygen_pubexp)\n#define EVP_PKEY_CTX_set_rsa_mgf1_md BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_PKEY_CTX_set_rsa_mgf1_md)\n#define EVP_PKEY_CTX_set_rsa_oaep_md BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_PKEY_CTX_set_rsa_oaep_md)\n#define EVP_PKEY_CTX_set_rsa_padding BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_PKEY_CTX_set_rsa_padding)\n#define EVP_PKEY_CTX_set_rsa_pss_keygen_md BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_PKEY_CTX_set_rsa_pss_keygen_md)\n#define EVP_PKEY_CTX_set_rsa_pss_keygen_mgf1_md BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_PKEY_CTX_set_rsa_pss_keygen_mgf1_md)\n#define EVP_PKEY_CTX_set_rsa_pss_keygen_saltlen BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_PKEY_CTX_set_rsa_pss_keygen_saltlen)\n#define EVP_PKEY_CTX_set_rsa_pss_saltlen BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_PKEY_CTX_set_rsa_pss_saltlen)\n#define EVP_PKEY_CTX_set_signature_md BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_PKEY_CTX_set_signature_md)\n#define EVP_PKEY_assign BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_PKEY_assign)\n#define EVP_PKEY_assign_DH BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_PKEY_assign_DH)\n#define EVP_PKEY_assign_DSA BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_PKEY_assign_DSA)\n#define EVP_PKEY_assign_EC_KEY BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_PKEY_assign_EC_KEY)\n#define EVP_PKEY_assign_RSA BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_PKEY_assign_RSA)\n#define EVP_PKEY_base_id BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_PKEY_base_id)\n#define EVP_PKEY_bits BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_PKEY_bits)\n#define EVP_PKEY_cmp BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_PKEY_cmp)\n#define EVP_PKEY_cmp_parameters BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_PKEY_cmp_parameters)\n#define EVP_PKEY_copy_parameters BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_PKEY_copy_parameters)\n#define EVP_PKEY_decrypt BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_PKEY_decrypt)\n#define EVP_PKEY_decrypt_init BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_PKEY_decrypt_init)\n#define EVP_PKEY_derive BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_PKEY_derive)\n#define EVP_PKEY_derive_init BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_PKEY_derive_init)\n#define EVP_PKEY_derive_set_peer BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_PKEY_derive_set_peer)\n#define EVP_PKEY_encrypt BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_PKEY_encrypt)\n#define EVP_PKEY_encrypt_init BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_PKEY_encrypt_init)\n#define EVP_PKEY_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_PKEY_free)\n#define EVP_PKEY_get0 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_PKEY_get0)\n#define EVP_PKEY_get0_DH BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_PKEY_get0_DH)\n#define EVP_PKEY_get0_DSA BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_PKEY_get0_DSA)\n#define EVP_PKEY_get0_EC_KEY BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_PKEY_get0_EC_KEY)\n#define EVP_PKEY_get0_RSA BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_PKEY_get0_RSA)\n#define EVP_PKEY_get1_DH BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_PKEY_get1_DH)\n#define EVP_PKEY_get1_DSA BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_PKEY_get1_DSA)\n#define EVP_PKEY_get1_EC_KEY BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_PKEY_get1_EC_KEY)\n#define EVP_PKEY_get1_RSA BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_PKEY_get1_RSA)\n#define EVP_PKEY_get1_tls_encodedpoint BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_PKEY_get1_tls_encodedpoint)\n#define EVP_PKEY_get_raw_private_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_PKEY_get_raw_private_key)\n#define EVP_PKEY_get_raw_public_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_PKEY_get_raw_public_key)\n#define EVP_PKEY_id BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_PKEY_id)\n#define EVP_PKEY_is_opaque BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_PKEY_is_opaque)\n#define EVP_PKEY_keygen BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_PKEY_keygen)\n#define EVP_PKEY_keygen_init BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_PKEY_keygen_init)\n#define EVP_PKEY_missing_parameters BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_PKEY_missing_parameters)\n#define EVP_PKEY_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_PKEY_new)\n#define EVP_PKEY_new_raw_private_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_PKEY_new_raw_private_key)\n#define EVP_PKEY_new_raw_public_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_PKEY_new_raw_public_key)\n#define EVP_PKEY_paramgen BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_PKEY_paramgen)\n#define EVP_PKEY_paramgen_init BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_PKEY_paramgen_init)\n#define EVP_PKEY_print_params BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_PKEY_print_params)\n#define EVP_PKEY_print_private BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_PKEY_print_private)\n#define EVP_PKEY_print_public BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_PKEY_print_public)\n#define EVP_PKEY_set1_DH BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_PKEY_set1_DH)\n#define EVP_PKEY_set1_DSA BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_PKEY_set1_DSA)\n#define EVP_PKEY_set1_EC_KEY BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_PKEY_set1_EC_KEY)\n#define EVP_PKEY_set1_RSA BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_PKEY_set1_RSA)\n#define EVP_PKEY_set1_tls_encodedpoint BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_PKEY_set1_tls_encodedpoint)\n#define EVP_PKEY_set_type BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_PKEY_set_type)\n#define EVP_PKEY_sign BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_PKEY_sign)\n#define EVP_PKEY_sign_init BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_PKEY_sign_init)\n#define EVP_PKEY_size BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_PKEY_size)\n#define EVP_PKEY_type BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_PKEY_type)\n#define EVP_PKEY_up_ref BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_PKEY_up_ref)\n#define EVP_PKEY_verify BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_PKEY_verify)\n#define EVP_PKEY_verify_init BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_PKEY_verify_init)\n#define EVP_PKEY_verify_recover BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_PKEY_verify_recover)\n#define EVP_PKEY_verify_recover_init BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_PKEY_verify_recover_init)\n#define EVP_SignFinal BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_SignFinal)\n#define EVP_SignInit BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_SignInit)\n#define EVP_SignInit_ex BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_SignInit_ex)\n#define EVP_SignUpdate BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_SignUpdate)\n#define EVP_VerifyFinal BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_VerifyFinal)\n#define EVP_VerifyInit BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_VerifyInit)\n#define EVP_VerifyInit_ex BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_VerifyInit_ex)\n#define EVP_VerifyUpdate BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_VerifyUpdate)\n#define EVP_add_cipher_alias BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_add_cipher_alias)\n#define EVP_add_digest BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_add_digest)\n#define EVP_aead_aes_128_cbc_sha1_tls BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_aead_aes_128_cbc_sha1_tls)\n#define EVP_aead_aes_128_cbc_sha1_tls_implicit_iv BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_aead_aes_128_cbc_sha1_tls_implicit_iv)\n#define EVP_aead_aes_128_cbc_sha256_tls BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_aead_aes_128_cbc_sha256_tls)\n#define EVP_aead_aes_128_ccm_bluetooth BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_aead_aes_128_ccm_bluetooth)\n#define EVP_aead_aes_128_ccm_bluetooth_8 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_aead_aes_128_ccm_bluetooth_8)\n#define EVP_aead_aes_128_ccm_matter BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_aead_aes_128_ccm_matter)\n#define EVP_aead_aes_128_ctr_hmac_sha256 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_aead_aes_128_ctr_hmac_sha256)\n#define EVP_aead_aes_128_gcm BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_aead_aes_128_gcm)\n#define EVP_aead_aes_128_gcm_randnonce BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_aead_aes_128_gcm_randnonce)\n#define EVP_aead_aes_128_gcm_siv BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_aead_aes_128_gcm_siv)\n#define EVP_aead_aes_128_gcm_tls12 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_aead_aes_128_gcm_tls12)\n#define EVP_aead_aes_128_gcm_tls13 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_aead_aes_128_gcm_tls13)\n#define EVP_aead_aes_192_gcm BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_aead_aes_192_gcm)\n#define EVP_aead_aes_256_cbc_sha1_tls BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_aead_aes_256_cbc_sha1_tls)\n#define EVP_aead_aes_256_cbc_sha1_tls_implicit_iv BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_aead_aes_256_cbc_sha1_tls_implicit_iv)\n#define EVP_aead_aes_256_ctr_hmac_sha256 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_aead_aes_256_ctr_hmac_sha256)\n#define EVP_aead_aes_256_gcm BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_aead_aes_256_gcm)\n#define EVP_aead_aes_256_gcm_randnonce BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_aead_aes_256_gcm_randnonce)\n#define EVP_aead_aes_256_gcm_siv BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_aead_aes_256_gcm_siv)\n#define EVP_aead_aes_256_gcm_tls12 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_aead_aes_256_gcm_tls12)\n#define EVP_aead_aes_256_gcm_tls13 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_aead_aes_256_gcm_tls13)\n#define EVP_aead_chacha20_poly1305 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_aead_chacha20_poly1305)\n#define EVP_aead_des_ede3_cbc_sha1_tls BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_aead_des_ede3_cbc_sha1_tls)\n#define EVP_aead_des_ede3_cbc_sha1_tls_implicit_iv BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_aead_des_ede3_cbc_sha1_tls_implicit_iv)\n#define EVP_aead_xchacha20_poly1305 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_aead_xchacha20_poly1305)\n#define EVP_aes_128_cbc BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_aes_128_cbc)\n#define EVP_aes_128_ctr BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_aes_128_ctr)\n#define EVP_aes_128_ecb BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_aes_128_ecb)\n#define EVP_aes_128_gcm BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_aes_128_gcm)\n#define EVP_aes_128_ofb BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_aes_128_ofb)\n#define EVP_aes_192_cbc BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_aes_192_cbc)\n#define EVP_aes_192_ctr BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_aes_192_ctr)\n#define EVP_aes_192_ecb BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_aes_192_ecb)\n#define EVP_aes_192_gcm BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_aes_192_gcm)\n#define EVP_aes_192_ofb BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_aes_192_ofb)\n#define EVP_aes_256_cbc BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_aes_256_cbc)\n#define EVP_aes_256_ctr BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_aes_256_ctr)\n#define EVP_aes_256_ecb BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_aes_256_ecb)\n#define EVP_aes_256_gcm BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_aes_256_gcm)\n#define EVP_aes_256_ofb BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_aes_256_ofb)\n#define EVP_blake2b256 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_blake2b256)\n#define EVP_cleanup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_cleanup)\n#define EVP_des_cbc BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_des_cbc)\n#define EVP_des_ecb BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_des_ecb)\n#define EVP_des_ede BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_des_ede)\n#define EVP_des_ede3 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_des_ede3)\n#define EVP_des_ede3_cbc BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_des_ede3_cbc)\n#define EVP_des_ede3_ecb BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_des_ede3_ecb)\n#define EVP_des_ede_cbc BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_des_ede_cbc)\n#define EVP_enc_null BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_enc_null)\n#define EVP_get_cipherbyname BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_get_cipherbyname)\n#define EVP_get_cipherbynid BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_get_cipherbynid)\n#define EVP_get_digestbyname BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_get_digestbyname)\n#define EVP_get_digestbynid BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_get_digestbynid)\n#define EVP_get_digestbyobj BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_get_digestbyobj)\n#define EVP_has_aes_hardware BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_has_aes_hardware)\n#define EVP_hpke_aes_128_gcm BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_hpke_aes_128_gcm)\n#define EVP_hpke_aes_256_gcm BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_hpke_aes_256_gcm)\n#define EVP_hpke_chacha20_poly1305 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_hpke_chacha20_poly1305)\n#define EVP_hpke_hkdf_sha256 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_hpke_hkdf_sha256)\n#define EVP_hpke_p256_hkdf_sha256 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_hpke_p256_hkdf_sha256)\n#define EVP_hpke_x25519_hkdf_sha256 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_hpke_x25519_hkdf_sha256)\n#define EVP_marshal_digest_algorithm BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_marshal_digest_algorithm)\n#define EVP_marshal_private_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_marshal_private_key)\n#define EVP_marshal_public_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_marshal_public_key)\n#define EVP_md4 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_md4)\n#define EVP_md5 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_md5)\n#define EVP_md5_sha1 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_md5_sha1)\n#define EVP_parse_digest_algorithm BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_parse_digest_algorithm)\n#define EVP_parse_private_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_parse_private_key)\n#define EVP_parse_public_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_parse_public_key)\n#define EVP_rc2_40_cbc BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_rc2_40_cbc)\n#define EVP_rc2_cbc BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_rc2_cbc)\n#define EVP_rc4 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_rc4)\n#define EVP_sha1 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_sha1)\n#define EVP_sha1_final_with_secret_suffix BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_sha1_final_with_secret_suffix)\n#define EVP_sha224 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_sha224)\n#define EVP_sha256 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_sha256)\n#define EVP_sha256_final_with_secret_suffix BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_sha256_final_with_secret_suffix)\n#define EVP_sha384 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_sha384)\n#define EVP_sha512 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_sha512)\n#define EVP_sha512_256 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_sha512_256)\n#define EVP_tls_cbc_copy_mac BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_tls_cbc_copy_mac)\n#define EVP_tls_cbc_digest_record BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_tls_cbc_digest_record)\n#define EVP_tls_cbc_record_digest_supported BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_tls_cbc_record_digest_supported)\n#define EVP_tls_cbc_remove_padding BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_tls_cbc_remove_padding)\n#define EXTENDED_KEY_USAGE_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EXTENDED_KEY_USAGE_free)\n#define EXTENDED_KEY_USAGE_it BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EXTENDED_KEY_USAGE_it)\n#define EXTENDED_KEY_USAGE_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EXTENDED_KEY_USAGE_new)\n#define FIPS_mode BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, FIPS_mode)\n#define FIPS_mode_set BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, FIPS_mode_set)\n#define FIPS_module_name BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, FIPS_module_name)\n#define FIPS_query_algorithm_status BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, FIPS_query_algorithm_status)\n#define FIPS_read_counter BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, FIPS_read_counter)\n#define FIPS_service_indicator_after_call BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, FIPS_service_indicator_after_call)\n#define FIPS_service_indicator_before_call BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, FIPS_service_indicator_before_call)\n#define FIPS_version BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, FIPS_version)\n#define GENERAL_NAMES_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, GENERAL_NAMES_free)\n#define GENERAL_NAMES_it BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, GENERAL_NAMES_it)\n#define GENERAL_NAMES_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, GENERAL_NAMES_new)\n#define GENERAL_NAME_cmp BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, GENERAL_NAME_cmp)\n#define GENERAL_NAME_dup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, GENERAL_NAME_dup)\n#define GENERAL_NAME_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, GENERAL_NAME_free)\n#define GENERAL_NAME_get0_otherName BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, GENERAL_NAME_get0_otherName)\n#define GENERAL_NAME_get0_value BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, GENERAL_NAME_get0_value)\n#define GENERAL_NAME_it BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, GENERAL_NAME_it)\n#define GENERAL_NAME_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, GENERAL_NAME_new)\n#define GENERAL_NAME_print BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, GENERAL_NAME_print)\n#define GENERAL_NAME_set0_othername BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, GENERAL_NAME_set0_othername)\n#define GENERAL_NAME_set0_value BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, GENERAL_NAME_set0_value)\n#define GENERAL_SUBTREE_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, GENERAL_SUBTREE_free)\n#define GENERAL_SUBTREE_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, GENERAL_SUBTREE_new)\n#define HKDF BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, HKDF)\n#define HKDF_expand BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, HKDF_expand)\n#define HKDF_extract BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, HKDF_extract)\n#define HMAC BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, HMAC)\n#define HMAC_CTX_cleanse BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, HMAC_CTX_cleanse)\n#define HMAC_CTX_cleanup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, HMAC_CTX_cleanup)\n#define HMAC_CTX_copy BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, HMAC_CTX_copy)\n#define HMAC_CTX_copy_ex BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, HMAC_CTX_copy_ex)\n#define HMAC_CTX_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, HMAC_CTX_free)\n#define HMAC_CTX_get_md BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, HMAC_CTX_get_md)\n#define HMAC_CTX_init BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, HMAC_CTX_init)\n#define HMAC_CTX_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, HMAC_CTX_new)\n#define HMAC_CTX_reset BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, HMAC_CTX_reset)\n#define HMAC_Final BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, HMAC_Final)\n#define HMAC_Init BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, HMAC_Init)\n#define HMAC_Init_ex BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, HMAC_Init_ex)\n#define HMAC_Update BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, HMAC_Update)\n#define HMAC_size BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, HMAC_size)\n#define HRSS_decap BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, HRSS_decap)\n#define HRSS_encap BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, HRSS_encap)\n#define HRSS_generate_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, HRSS_generate_key)\n#define HRSS_marshal_public_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, HRSS_marshal_public_key)\n#define HRSS_parse_public_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, HRSS_parse_public_key)\n#define HRSS_poly3_invert BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, HRSS_poly3_invert)\n#define HRSS_poly3_mul BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, HRSS_poly3_mul)\n#define ISSUING_DIST_POINT_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ISSUING_DIST_POINT_free)\n#define ISSUING_DIST_POINT_it BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ISSUING_DIST_POINT_it)\n#define ISSUING_DIST_POINT_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ISSUING_DIST_POINT_new)\n#define KYBER_decap BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, KYBER_decap)\n#define KYBER_encap BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, KYBER_encap)\n#define KYBER_encap_external_entropy BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, KYBER_encap_external_entropy)\n#define KYBER_generate_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, KYBER_generate_key)\n#define KYBER_generate_key_external_entropy BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, KYBER_generate_key_external_entropy)\n#define KYBER_marshal_private_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, KYBER_marshal_private_key)\n#define KYBER_marshal_public_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, KYBER_marshal_public_key)\n#define KYBER_parse_private_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, KYBER_parse_private_key)\n#define KYBER_parse_public_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, KYBER_parse_public_key)\n#define KYBER_public_from_private BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, KYBER_public_from_private)\n#define MD4 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, MD4)\n#define MD4_Final BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, MD4_Final)\n#define MD4_Init BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, MD4_Init)\n#define MD4_Transform BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, MD4_Transform)\n#define MD4_Update BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, MD4_Update)\n#define MD5 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, MD5)\n#define MD5_Final BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, MD5_Final)\n#define MD5_Init BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, MD5_Init)\n#define MD5_Transform BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, MD5_Transform)\n#define MD5_Update BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, MD5_Update)\n#define METHOD_ref BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, METHOD_ref)\n#define METHOD_unref BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, METHOD_unref)\n#define MLDSA65_generate_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, MLDSA65_generate_key)\n#define MLDSA65_marshal_public_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, MLDSA65_marshal_public_key)\n#define MLDSA65_parse_public_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, MLDSA65_parse_public_key)\n#define MLDSA65_private_key_from_seed BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, MLDSA65_private_key_from_seed)\n#define MLDSA65_public_from_private BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, MLDSA65_public_from_private)\n#define MLDSA65_sign BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, MLDSA65_sign)\n#define MLDSA65_verify BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, MLDSA65_verify)\n#define MLKEM1024_decap BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, MLKEM1024_decap)\n#define MLKEM1024_encap BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, MLKEM1024_encap)\n#define MLKEM1024_generate_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, MLKEM1024_generate_key)\n#define MLKEM1024_marshal_public_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, MLKEM1024_marshal_public_key)\n#define MLKEM1024_parse_public_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, MLKEM1024_parse_public_key)\n#define MLKEM1024_private_key_from_seed BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, MLKEM1024_private_key_from_seed)\n#define MLKEM1024_public_from_private BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, MLKEM1024_public_from_private)\n#define MLKEM768_decap BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, MLKEM768_decap)\n#define MLKEM768_encap BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, MLKEM768_encap)\n#define MLKEM768_generate_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, MLKEM768_generate_key)\n#define MLKEM768_marshal_public_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, MLKEM768_marshal_public_key)\n#define MLKEM768_parse_public_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, MLKEM768_parse_public_key)\n#define MLKEM768_private_key_from_seed BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, MLKEM768_private_key_from_seed)\n#define MLKEM768_public_from_private BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, MLKEM768_public_from_private)\n#define NAME_CONSTRAINTS_check BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, NAME_CONSTRAINTS_check)\n#define NAME_CONSTRAINTS_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, NAME_CONSTRAINTS_free)\n#define NAME_CONSTRAINTS_it BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, NAME_CONSTRAINTS_it)\n#define NAME_CONSTRAINTS_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, NAME_CONSTRAINTS_new)\n#define NCONF_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, NCONF_free)\n#define NCONF_get_section BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, NCONF_get_section)\n#define NCONF_get_string BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, NCONF_get_string)\n#define NCONF_load BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, NCONF_load)\n#define NCONF_load_bio BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, NCONF_load_bio)\n#define NCONF_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, NCONF_new)\n#define NETSCAPE_SPKAC_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, NETSCAPE_SPKAC_free)\n#define NETSCAPE_SPKAC_it BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, NETSCAPE_SPKAC_it)\n#define NETSCAPE_SPKAC_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, NETSCAPE_SPKAC_new)\n#define NETSCAPE_SPKI_b64_decode BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, NETSCAPE_SPKI_b64_decode)\n#define NETSCAPE_SPKI_b64_encode BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, NETSCAPE_SPKI_b64_encode)\n#define NETSCAPE_SPKI_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, NETSCAPE_SPKI_free)\n#define NETSCAPE_SPKI_get_pubkey BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, NETSCAPE_SPKI_get_pubkey)\n#define NETSCAPE_SPKI_it BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, NETSCAPE_SPKI_it)\n#define NETSCAPE_SPKI_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, NETSCAPE_SPKI_new)\n#define NETSCAPE_SPKI_set_pubkey BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, NETSCAPE_SPKI_set_pubkey)\n#define NETSCAPE_SPKI_sign BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, NETSCAPE_SPKI_sign)\n#define NETSCAPE_SPKI_verify BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, NETSCAPE_SPKI_verify)\n#define NOTICEREF_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, NOTICEREF_free)\n#define NOTICEREF_it BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, NOTICEREF_it)\n#define NOTICEREF_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, NOTICEREF_new)\n#define OBJ_cbs2nid BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OBJ_cbs2nid)\n#define OBJ_cleanup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OBJ_cleanup)\n#define OBJ_cmp BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OBJ_cmp)\n#define OBJ_create BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OBJ_create)\n#define OBJ_dup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OBJ_dup)\n#define OBJ_find_sigid_algs BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OBJ_find_sigid_algs)\n#define OBJ_find_sigid_by_algs BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OBJ_find_sigid_by_algs)\n#define OBJ_get0_data BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OBJ_get0_data)\n#define OBJ_get_undef BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OBJ_get_undef)\n#define OBJ_length BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OBJ_length)\n#define OBJ_ln2nid BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OBJ_ln2nid)\n#define OBJ_nid2cbb BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OBJ_nid2cbb)\n#define OBJ_nid2ln BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OBJ_nid2ln)\n#define OBJ_nid2obj BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OBJ_nid2obj)\n#define OBJ_nid2sn BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OBJ_nid2sn)\n#define OBJ_obj2nid BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OBJ_obj2nid)\n#define OBJ_obj2txt BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OBJ_obj2txt)\n#define OBJ_sn2nid BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OBJ_sn2nid)\n#define OBJ_txt2nid BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OBJ_txt2nid)\n#define OBJ_txt2obj BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OBJ_txt2obj)\n#define OPENSSL_add_all_algorithms_conf BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OPENSSL_add_all_algorithms_conf)\n#define OPENSSL_armcap_P BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OPENSSL_armcap_P)\n#define OPENSSL_asprintf BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OPENSSL_asprintf)\n#define OPENSSL_calloc BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OPENSSL_calloc)\n#define OPENSSL_cleanse BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OPENSSL_cleanse)\n#define OPENSSL_cleanup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OPENSSL_cleanup)\n#define OPENSSL_clear_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OPENSSL_clear_free)\n#define OPENSSL_config BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OPENSSL_config)\n#define OPENSSL_cpuid_setup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OPENSSL_cpuid_setup)\n#define OPENSSL_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OPENSSL_free)\n#define OPENSSL_fromxdigit BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OPENSSL_fromxdigit)\n#define OPENSSL_get_armcap BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OPENSSL_get_armcap)\n#define OPENSSL_get_armcap_pointer_for_test BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OPENSSL_get_armcap_pointer_for_test)\n#define OPENSSL_get_ia32cap BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OPENSSL_get_ia32cap)\n#define OPENSSL_gmtime BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OPENSSL_gmtime)\n#define OPENSSL_gmtime_adj BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OPENSSL_gmtime_adj)\n#define OPENSSL_gmtime_diff BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OPENSSL_gmtime_diff)\n#define OPENSSL_hash32 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OPENSSL_hash32)\n#define OPENSSL_ia32cap_P BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OPENSSL_ia32cap_P)\n#define OPENSSL_init_cpuid BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OPENSSL_init_cpuid)\n#define OPENSSL_init_crypto BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OPENSSL_init_crypto)\n#define OPENSSL_init_ssl BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OPENSSL_init_ssl)\n#define OPENSSL_isalnum BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OPENSSL_isalnum)\n#define OPENSSL_isalpha BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OPENSSL_isalpha)\n#define OPENSSL_isdigit BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OPENSSL_isdigit)\n#define OPENSSL_isspace BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OPENSSL_isspace)\n#define OPENSSL_isxdigit BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OPENSSL_isxdigit)\n#define OPENSSL_lh_delete BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OPENSSL_lh_delete)\n#define OPENSSL_lh_doall_arg BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OPENSSL_lh_doall_arg)\n#define OPENSSL_lh_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OPENSSL_lh_free)\n#define OPENSSL_lh_insert BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OPENSSL_lh_insert)\n#define OPENSSL_lh_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OPENSSL_lh_new)\n#define OPENSSL_lh_num_items BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OPENSSL_lh_num_items)\n#define OPENSSL_lh_retrieve BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OPENSSL_lh_retrieve)\n#define OPENSSL_lh_retrieve_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OPENSSL_lh_retrieve_key)\n#define OPENSSL_load_builtin_modules BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OPENSSL_load_builtin_modules)\n#define OPENSSL_malloc BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OPENSSL_malloc)\n#define OPENSSL_malloc_init BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OPENSSL_malloc_init)\n#define OPENSSL_memdup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OPENSSL_memdup)\n#define OPENSSL_no_config BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OPENSSL_no_config)\n#define OPENSSL_posix_to_tm BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OPENSSL_posix_to_tm)\n#define OPENSSL_realloc BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OPENSSL_realloc)\n#define OPENSSL_secure_clear_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OPENSSL_secure_clear_free)\n#define OPENSSL_secure_malloc BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OPENSSL_secure_malloc)\n#define OPENSSL_sk_deep_copy BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OPENSSL_sk_deep_copy)\n#define OPENSSL_sk_delete BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OPENSSL_sk_delete)\n#define OPENSSL_sk_delete_if BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OPENSSL_sk_delete_if)\n#define OPENSSL_sk_delete_ptr BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OPENSSL_sk_delete_ptr)\n#define OPENSSL_sk_dup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OPENSSL_sk_dup)\n#define OPENSSL_sk_find BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OPENSSL_sk_find)\n#define OPENSSL_sk_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OPENSSL_sk_free)\n#define OPENSSL_sk_insert BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OPENSSL_sk_insert)\n#define OPENSSL_sk_is_sorted BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OPENSSL_sk_is_sorted)\n#define OPENSSL_sk_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OPENSSL_sk_new)\n#define OPENSSL_sk_new_null BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OPENSSL_sk_new_null)\n#define OPENSSL_sk_num BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OPENSSL_sk_num)\n#define OPENSSL_sk_pop BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OPENSSL_sk_pop)\n#define OPENSSL_sk_pop_free_ex BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OPENSSL_sk_pop_free_ex)\n#define OPENSSL_sk_push BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OPENSSL_sk_push)\n#define OPENSSL_sk_set BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OPENSSL_sk_set)\n#define OPENSSL_sk_set_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OPENSSL_sk_set_cmp_func)\n#define OPENSSL_sk_shift BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OPENSSL_sk_shift)\n#define OPENSSL_sk_sort BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OPENSSL_sk_sort)\n#define OPENSSL_sk_value BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OPENSSL_sk_value)\n#define OPENSSL_sk_zero BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OPENSSL_sk_zero)\n#define OPENSSL_strcasecmp BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OPENSSL_strcasecmp)\n#define OPENSSL_strdup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OPENSSL_strdup)\n#define OPENSSL_strhash BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OPENSSL_strhash)\n#define OPENSSL_strlcat BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OPENSSL_strlcat)\n#define OPENSSL_strlcpy BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OPENSSL_strlcpy)\n#define OPENSSL_strncasecmp BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OPENSSL_strncasecmp)\n#define OPENSSL_strndup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OPENSSL_strndup)\n#define OPENSSL_strnlen BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OPENSSL_strnlen)\n#define OPENSSL_timegm BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OPENSSL_timegm)\n#define OPENSSL_tm_to_posix BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OPENSSL_tm_to_posix)\n#define OPENSSL_tolower BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OPENSSL_tolower)\n#define OPENSSL_vasprintf BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OPENSSL_vasprintf)\n#define OPENSSL_vasprintf_internal BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OPENSSL_vasprintf_internal)\n#define OPENSSL_zalloc BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OPENSSL_zalloc)\n#define OTHERNAME_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OTHERNAME_free)\n#define OTHERNAME_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OTHERNAME_new)\n#define OpenSSL_add_all_algorithms BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OpenSSL_add_all_algorithms)\n#define OpenSSL_add_all_ciphers BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OpenSSL_add_all_ciphers)\n#define OpenSSL_add_all_digests BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OpenSSL_add_all_digests)\n#define OpenSSL_version BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OpenSSL_version)\n#define OpenSSL_version_num BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OpenSSL_version_num)\n#define PEM_ASN1_read BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, PEM_ASN1_read)\n#define PEM_ASN1_read_bio BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, PEM_ASN1_read_bio)\n#define PEM_ASN1_write BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, PEM_ASN1_write)\n#define PEM_ASN1_write_bio BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, PEM_ASN1_write_bio)\n#define PEM_X509_INFO_read BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, PEM_X509_INFO_read)\n#define PEM_X509_INFO_read_bio BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, PEM_X509_INFO_read_bio)\n#define PEM_bytes_read_bio BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, PEM_bytes_read_bio)\n#define PEM_def_callback BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, PEM_def_callback)\n#define PEM_do_header BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, PEM_do_header)\n#define PEM_get_EVP_CIPHER_INFO BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, PEM_get_EVP_CIPHER_INFO)\n#define PEM_read BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, PEM_read)\n#define PEM_read_DHparams BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, PEM_read_DHparams)\n#define PEM_read_DSAPrivateKey BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, PEM_read_DSAPrivateKey)\n#define PEM_read_DSA_PUBKEY BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, PEM_read_DSA_PUBKEY)\n#define PEM_read_DSAparams BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, PEM_read_DSAparams)\n#define PEM_read_ECPrivateKey BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, PEM_read_ECPrivateKey)\n#define PEM_read_EC_PUBKEY BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, PEM_read_EC_PUBKEY)\n#define PEM_read_PKCS7 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, PEM_read_PKCS7)\n#define PEM_read_PKCS8 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, PEM_read_PKCS8)\n#define PEM_read_PKCS8_PRIV_KEY_INFO BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, PEM_read_PKCS8_PRIV_KEY_INFO)\n#define PEM_read_PUBKEY BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, PEM_read_PUBKEY)\n#define PEM_read_PrivateKey BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, PEM_read_PrivateKey)\n#define PEM_read_RSAPrivateKey BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, PEM_read_RSAPrivateKey)\n#define PEM_read_RSAPublicKey BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, PEM_read_RSAPublicKey)\n#define PEM_read_RSA_PUBKEY BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, PEM_read_RSA_PUBKEY)\n#define PEM_read_SSL_SESSION BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, PEM_read_SSL_SESSION)\n#define PEM_read_X509 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, PEM_read_X509)\n#define PEM_read_X509_AUX BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, PEM_read_X509_AUX)\n#define PEM_read_X509_CRL BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, PEM_read_X509_CRL)\n#define PEM_read_X509_REQ BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, PEM_read_X509_REQ)\n#define PEM_read_bio BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, PEM_read_bio)\n#define PEM_read_bio_DHparams BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, PEM_read_bio_DHparams)\n#define PEM_read_bio_DSAPrivateKey BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, PEM_read_bio_DSAPrivateKey)\n#define PEM_read_bio_DSA_PUBKEY BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, PEM_read_bio_DSA_PUBKEY)\n#define PEM_read_bio_DSAparams BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, PEM_read_bio_DSAparams)\n#define PEM_read_bio_ECPrivateKey BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, PEM_read_bio_ECPrivateKey)\n#define PEM_read_bio_EC_PUBKEY BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, PEM_read_bio_EC_PUBKEY)\n#define PEM_read_bio_PKCS7 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, PEM_read_bio_PKCS7)\n#define PEM_read_bio_PKCS8 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, PEM_read_bio_PKCS8)\n#define PEM_read_bio_PKCS8_PRIV_KEY_INFO BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, PEM_read_bio_PKCS8_PRIV_KEY_INFO)\n#define PEM_read_bio_PUBKEY BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, PEM_read_bio_PUBKEY)\n#define PEM_read_bio_PrivateKey BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, PEM_read_bio_PrivateKey)\n#define PEM_read_bio_RSAPrivateKey BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, PEM_read_bio_RSAPrivateKey)\n#define PEM_read_bio_RSAPublicKey BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, PEM_read_bio_RSAPublicKey)\n#define PEM_read_bio_RSA_PUBKEY BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, PEM_read_bio_RSA_PUBKEY)\n#define PEM_read_bio_SSL_SESSION BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, PEM_read_bio_SSL_SESSION)\n#define PEM_read_bio_X509 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, PEM_read_bio_X509)\n#define PEM_read_bio_X509_AUX BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, PEM_read_bio_X509_AUX)\n#define PEM_read_bio_X509_CRL BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, PEM_read_bio_X509_CRL)\n#define PEM_read_bio_X509_REQ BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, PEM_read_bio_X509_REQ)\n#define PEM_write BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, PEM_write)\n#define PEM_write_DHparams BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, PEM_write_DHparams)\n#define PEM_write_DSAPrivateKey BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, PEM_write_DSAPrivateKey)\n#define PEM_write_DSA_PUBKEY BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, PEM_write_DSA_PUBKEY)\n#define PEM_write_DSAparams BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, PEM_write_DSAparams)\n#define PEM_write_ECPrivateKey BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, PEM_write_ECPrivateKey)\n#define PEM_write_EC_PUBKEY BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, PEM_write_EC_PUBKEY)\n#define PEM_write_PKCS7 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, PEM_write_PKCS7)\n#define PEM_write_PKCS8 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, PEM_write_PKCS8)\n#define PEM_write_PKCS8PrivateKey BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, PEM_write_PKCS8PrivateKey)\n#define PEM_write_PKCS8PrivateKey_nid BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, PEM_write_PKCS8PrivateKey_nid)\n#define PEM_write_PKCS8_PRIV_KEY_INFO BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, PEM_write_PKCS8_PRIV_KEY_INFO)\n#define PEM_write_PUBKEY BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, PEM_write_PUBKEY)\n#define PEM_write_PrivateKey BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, PEM_write_PrivateKey)\n#define PEM_write_RSAPrivateKey BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, PEM_write_RSAPrivateKey)\n#define PEM_write_RSAPublicKey BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, PEM_write_RSAPublicKey)\n#define PEM_write_RSA_PUBKEY BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, PEM_write_RSA_PUBKEY)\n#define PEM_write_SSL_SESSION BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, PEM_write_SSL_SESSION)\n#define PEM_write_X509 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, PEM_write_X509)\n#define PEM_write_X509_AUX BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, PEM_write_X509_AUX)\n#define PEM_write_X509_CRL BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, PEM_write_X509_CRL)\n#define PEM_write_X509_REQ BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, PEM_write_X509_REQ)\n#define PEM_write_X509_REQ_NEW BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, PEM_write_X509_REQ_NEW)\n#define PEM_write_bio BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, PEM_write_bio)\n#define PEM_write_bio_DHparams BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, PEM_write_bio_DHparams)\n#define PEM_write_bio_DSAPrivateKey BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, PEM_write_bio_DSAPrivateKey)\n#define PEM_write_bio_DSA_PUBKEY BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, PEM_write_bio_DSA_PUBKEY)\n#define PEM_write_bio_DSAparams BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, PEM_write_bio_DSAparams)\n#define PEM_write_bio_ECPrivateKey BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, PEM_write_bio_ECPrivateKey)\n#define PEM_write_bio_EC_PUBKEY BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, PEM_write_bio_EC_PUBKEY)\n#define PEM_write_bio_PKCS7 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, PEM_write_bio_PKCS7)\n#define PEM_write_bio_PKCS8 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, PEM_write_bio_PKCS8)\n#define PEM_write_bio_PKCS8PrivateKey BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, PEM_write_bio_PKCS8PrivateKey)\n#define PEM_write_bio_PKCS8PrivateKey_nid BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, PEM_write_bio_PKCS8PrivateKey_nid)\n#define PEM_write_bio_PKCS8_PRIV_KEY_INFO BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, PEM_write_bio_PKCS8_PRIV_KEY_INFO)\n#define PEM_write_bio_PUBKEY BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, PEM_write_bio_PUBKEY)\n#define PEM_write_bio_PrivateKey BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, PEM_write_bio_PrivateKey)\n#define PEM_write_bio_RSAPrivateKey BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, PEM_write_bio_RSAPrivateKey)\n#define PEM_write_bio_RSAPublicKey BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, PEM_write_bio_RSAPublicKey)\n#define PEM_write_bio_RSA_PUBKEY BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, PEM_write_bio_RSA_PUBKEY)\n#define PEM_write_bio_SSL_SESSION BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, PEM_write_bio_SSL_SESSION)\n#define PEM_write_bio_X509 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, PEM_write_bio_X509)\n#define PEM_write_bio_X509_AUX BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, PEM_write_bio_X509_AUX)\n#define PEM_write_bio_X509_CRL BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, PEM_write_bio_X509_CRL)\n#define PEM_write_bio_X509_REQ BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, PEM_write_bio_X509_REQ)\n#define PEM_write_bio_X509_REQ_NEW BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, PEM_write_bio_X509_REQ_NEW)\n#define PKCS12_PBE_add BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, PKCS12_PBE_add)\n#define PKCS12_create BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, PKCS12_create)\n#define PKCS12_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, PKCS12_free)\n#define PKCS12_get_key_and_certs BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, PKCS12_get_key_and_certs)\n#define PKCS12_parse BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, PKCS12_parse)\n#define PKCS12_verify_mac BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, PKCS12_verify_mac)\n#define PKCS1_MGF1 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, PKCS1_MGF1)\n#define PKCS5_PBKDF2_HMAC BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, PKCS5_PBKDF2_HMAC)\n#define PKCS5_PBKDF2_HMAC_SHA1 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, PKCS5_PBKDF2_HMAC_SHA1)\n#define PKCS5_pbe2_decrypt_init BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, PKCS5_pbe2_decrypt_init)\n#define PKCS5_pbe2_encrypt_init BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, PKCS5_pbe2_encrypt_init)\n#define PKCS7_bundle_CRLs BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, PKCS7_bundle_CRLs)\n#define PKCS7_bundle_certificates BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, PKCS7_bundle_certificates)\n#define PKCS7_bundle_raw_certificates BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, PKCS7_bundle_raw_certificates)\n#define PKCS7_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, PKCS7_free)\n#define PKCS7_get_CRLs BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, PKCS7_get_CRLs)\n#define PKCS7_get_PEM_CRLs BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, PKCS7_get_PEM_CRLs)\n#define PKCS7_get_PEM_certificates BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, PKCS7_get_PEM_certificates)\n#define PKCS7_get_certificates BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, PKCS7_get_certificates)\n#define PKCS7_get_raw_certificates BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, PKCS7_get_raw_certificates)\n#define PKCS7_sign BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, PKCS7_sign)\n#define PKCS7_type_is_data BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, PKCS7_type_is_data)\n#define PKCS7_type_is_digest BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, PKCS7_type_is_digest)\n#define PKCS7_type_is_encrypted BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, PKCS7_type_is_encrypted)\n#define PKCS7_type_is_enveloped BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, PKCS7_type_is_enveloped)\n#define PKCS7_type_is_signed BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, PKCS7_type_is_signed)\n#define PKCS7_type_is_signedAndEnveloped BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, PKCS7_type_is_signedAndEnveloped)\n#define PKCS8_PRIV_KEY_INFO_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, PKCS8_PRIV_KEY_INFO_free)\n#define PKCS8_PRIV_KEY_INFO_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, PKCS8_PRIV_KEY_INFO_new)\n#define PKCS8_decrypt BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, PKCS8_decrypt)\n#define PKCS8_encrypt BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, PKCS8_encrypt)\n#define PKCS8_marshal_encrypted_private_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, PKCS8_marshal_encrypted_private_key)\n#define PKCS8_parse_encrypted_private_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, PKCS8_parse_encrypted_private_key)\n#define POLICYINFO_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, POLICYINFO_free)\n#define POLICYINFO_it BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, POLICYINFO_it)\n#define POLICYINFO_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, POLICYINFO_new)\n#define POLICYQUALINFO_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, POLICYQUALINFO_free)\n#define POLICYQUALINFO_it BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, POLICYQUALINFO_it)\n#define POLICYQUALINFO_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, POLICYQUALINFO_new)\n#define POLICY_CONSTRAINTS_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, POLICY_CONSTRAINTS_free)\n#define POLICY_CONSTRAINTS_it BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, POLICY_CONSTRAINTS_it)\n#define POLICY_CONSTRAINTS_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, POLICY_CONSTRAINTS_new)\n#define POLICY_MAPPINGS_it BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, POLICY_MAPPINGS_it)\n#define POLICY_MAPPING_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, POLICY_MAPPING_free)\n#define POLICY_MAPPING_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, POLICY_MAPPING_new)\n#define RAND_OpenSSL BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, RAND_OpenSSL)\n#define RAND_SSLeay BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, RAND_SSLeay)\n#define RAND_add BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, RAND_add)\n#define RAND_bytes BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, RAND_bytes)\n#define RAND_cleanup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, RAND_cleanup)\n#define RAND_disable_fork_unsafe_buffering BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, RAND_disable_fork_unsafe_buffering)\n#define RAND_egd BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, RAND_egd)\n#define RAND_enable_fork_unsafe_buffering BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, RAND_enable_fork_unsafe_buffering)\n#define RAND_file_name BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, RAND_file_name)\n#define RAND_get_rand_method BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, RAND_get_rand_method)\n#define RAND_get_system_entropy_for_custom_prng BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, RAND_get_system_entropy_for_custom_prng)\n#define RAND_load_file BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, RAND_load_file)\n#define RAND_poll BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, RAND_poll)\n#define RAND_pseudo_bytes BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, RAND_pseudo_bytes)\n#define RAND_seed BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, RAND_seed)\n#define RAND_set_rand_method BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, RAND_set_rand_method)\n#define RAND_status BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, RAND_status)\n#define RC4 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, RC4)\n#define RC4_set_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, RC4_set_key)\n#define RSAPrivateKey_dup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, RSAPrivateKey_dup)\n#define RSAPublicKey_dup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, RSAPublicKey_dup)\n#define RSAZ_1024_mod_exp_avx2 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, RSAZ_1024_mod_exp_avx2)\n#define RSA_PSS_PARAMS_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, RSA_PSS_PARAMS_free)\n#define RSA_PSS_PARAMS_it BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, RSA_PSS_PARAMS_it)\n#define RSA_PSS_PARAMS_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, RSA_PSS_PARAMS_new)\n#define RSA_add_pkcs1_prefix BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, RSA_add_pkcs1_prefix)\n#define RSA_bits BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, RSA_bits)\n#define RSA_blinding_off BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, RSA_blinding_off)\n#define RSA_blinding_on BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, RSA_blinding_on)\n#define RSA_check_fips BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, RSA_check_fips)\n#define RSA_check_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, RSA_check_key)\n#define RSA_decrypt BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, RSA_decrypt)\n#define RSA_default_method BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, RSA_default_method)\n#define RSA_encrypt BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, RSA_encrypt)\n#define RSA_flags BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, RSA_flags)\n#define RSA_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, RSA_free)\n#define RSA_generate_key_ex BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, RSA_generate_key_ex)\n#define RSA_generate_key_fips BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, RSA_generate_key_fips)\n#define RSA_get0_crt_params BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, RSA_get0_crt_params)\n#define RSA_get0_d BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, RSA_get0_d)\n#define RSA_get0_dmp1 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, RSA_get0_dmp1)\n#define RSA_get0_dmq1 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, RSA_get0_dmq1)\n#define RSA_get0_e BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, RSA_get0_e)\n#define RSA_get0_factors BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, RSA_get0_factors)\n#define RSA_get0_iqmp BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, RSA_get0_iqmp)\n#define RSA_get0_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, RSA_get0_key)\n#define RSA_get0_n BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, RSA_get0_n)\n#define RSA_get0_p BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, RSA_get0_p)\n#define RSA_get0_pss_params BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, RSA_get0_pss_params)\n#define RSA_get0_q BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, RSA_get0_q)\n#define RSA_get_ex_data BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, RSA_get_ex_data)\n#define RSA_get_ex_new_index BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, RSA_get_ex_new_index)\n#define RSA_is_opaque BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, RSA_is_opaque)\n#define RSA_marshal_private_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, RSA_marshal_private_key)\n#define RSA_marshal_public_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, RSA_marshal_public_key)\n#define RSA_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, RSA_new)\n#define RSA_new_method BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, RSA_new_method)\n#define RSA_new_method_no_e BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, RSA_new_method_no_e)\n#define RSA_new_private_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, RSA_new_private_key)\n#define RSA_new_private_key_large_e BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, RSA_new_private_key_large_e)\n#define RSA_new_private_key_no_crt BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, RSA_new_private_key_no_crt)\n#define RSA_new_private_key_no_e BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, RSA_new_private_key_no_e)\n#define RSA_new_public_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, RSA_new_public_key)\n#define RSA_new_public_key_large_e BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, RSA_new_public_key_large_e)\n#define RSA_padding_add_PKCS1_OAEP_mgf1 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, RSA_padding_add_PKCS1_OAEP_mgf1)\n#define RSA_padding_add_PKCS1_PSS_mgf1 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, RSA_padding_add_PKCS1_PSS_mgf1)\n#define RSA_padding_add_PKCS1_type_1 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, RSA_padding_add_PKCS1_type_1)\n#define RSA_padding_add_none BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, RSA_padding_add_none)\n#define RSA_padding_check_PKCS1_OAEP_mgf1 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, RSA_padding_check_PKCS1_OAEP_mgf1)\n#define RSA_padding_check_PKCS1_type_1 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, RSA_padding_check_PKCS1_type_1)\n#define RSA_parse_private_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, RSA_parse_private_key)\n#define RSA_parse_public_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, RSA_parse_public_key)\n#define RSA_print BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, RSA_print)\n#define RSA_private_decrypt BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, RSA_private_decrypt)\n#define RSA_private_encrypt BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, RSA_private_encrypt)\n#define RSA_private_key_from_bytes BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, RSA_private_key_from_bytes)\n#define RSA_private_key_to_bytes BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, RSA_private_key_to_bytes)\n#define RSA_public_decrypt BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, RSA_public_decrypt)\n#define RSA_public_encrypt BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, RSA_public_encrypt)\n#define RSA_public_key_from_bytes BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, RSA_public_key_from_bytes)\n#define RSA_public_key_to_bytes BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, RSA_public_key_to_bytes)\n#define RSA_set0_crt_params BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, RSA_set0_crt_params)\n#define RSA_set0_factors BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, RSA_set0_factors)\n#define RSA_set0_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, RSA_set0_key)\n#define RSA_set_ex_data BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, RSA_set_ex_data)\n#define RSA_sign BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, RSA_sign)\n#define RSA_sign_pss_mgf1 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, RSA_sign_pss_mgf1)\n#define RSA_sign_raw BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, RSA_sign_raw)\n#define RSA_size BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, RSA_size)\n#define RSA_test_flags BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, RSA_test_flags)\n#define RSA_up_ref BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, RSA_up_ref)\n#define RSA_verify BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, RSA_verify)\n#define RSA_verify_PKCS1_PSS_mgf1 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, RSA_verify_PKCS1_PSS_mgf1)\n#define RSA_verify_pss_mgf1 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, RSA_verify_pss_mgf1)\n#define RSA_verify_raw BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, RSA_verify_raw)\n#define SHA1 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SHA1)\n#define SHA1_Final BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SHA1_Final)\n#define SHA1_Init BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SHA1_Init)\n#define SHA1_Transform BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SHA1_Transform)\n#define SHA1_Update BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SHA1_Update)\n#define SHA224 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SHA224)\n#define SHA224_Final BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SHA224_Final)\n#define SHA224_Init BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SHA224_Init)\n#define SHA224_Update BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SHA224_Update)\n#define SHA256 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SHA256)\n#define SHA256_Final BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SHA256_Final)\n#define SHA256_Init BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SHA256_Init)\n#define SHA256_Transform BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SHA256_Transform)\n#define SHA256_TransformBlocks BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SHA256_TransformBlocks)\n#define SHA256_Update BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SHA256_Update)\n#define SHA384 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SHA384)\n#define SHA384_Final BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SHA384_Final)\n#define SHA384_Init BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SHA384_Init)\n#define SHA384_Update BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SHA384_Update)\n#define SHA512 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SHA512)\n#define SHA512_256 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SHA512_256)\n#define SHA512_256_Final BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SHA512_256_Final)\n#define SHA512_256_Init BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SHA512_256_Init)\n#define SHA512_256_Update BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SHA512_256_Update)\n#define SHA512_Final BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SHA512_Final)\n#define SHA512_Init BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SHA512_Init)\n#define SHA512_Transform BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SHA512_Transform)\n#define SHA512_Update BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SHA512_Update)\n#define SIPHASH_24 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SIPHASH_24)\n#define SLHDSA_SHA2_128S_generate_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SLHDSA_SHA2_128S_generate_key)\n#define SLHDSA_SHA2_128S_prehash_sign BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SLHDSA_SHA2_128S_prehash_sign)\n#define SLHDSA_SHA2_128S_prehash_verify BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SLHDSA_SHA2_128S_prehash_verify)\n#define SLHDSA_SHA2_128S_prehash_warning_nonstandard_sign BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SLHDSA_SHA2_128S_prehash_warning_nonstandard_sign)\n#define SLHDSA_SHA2_128S_prehash_warning_nonstandard_verify BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SLHDSA_SHA2_128S_prehash_warning_nonstandard_verify)\n#define SLHDSA_SHA2_128S_public_from_private BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SLHDSA_SHA2_128S_public_from_private)\n#define SLHDSA_SHA2_128S_sign BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SLHDSA_SHA2_128S_sign)\n#define SLHDSA_SHA2_128S_verify BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SLHDSA_SHA2_128S_verify)\n#define SPAKE2_CTX_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SPAKE2_CTX_free)\n#define SPAKE2_CTX_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SPAKE2_CTX_new)\n#define SPAKE2_generate_msg BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SPAKE2_generate_msg)\n#define SPAKE2_process_msg BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SPAKE2_process_msg)\n#define SSL_CIPHER_description BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CIPHER_description)\n#define SSL_CIPHER_get_auth_nid BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CIPHER_get_auth_nid)\n#define SSL_CIPHER_get_bits BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CIPHER_get_bits)\n#define SSL_CIPHER_get_cipher_nid BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CIPHER_get_cipher_nid)\n#define SSL_CIPHER_get_digest_nid BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CIPHER_get_digest_nid)\n#define SSL_CIPHER_get_handshake_digest BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CIPHER_get_handshake_digest)\n#define SSL_CIPHER_get_id BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CIPHER_get_id)\n#define SSL_CIPHER_get_kx_name BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CIPHER_get_kx_name)\n#define SSL_CIPHER_get_kx_nid BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CIPHER_get_kx_nid)\n#define SSL_CIPHER_get_max_version BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CIPHER_get_max_version)\n#define SSL_CIPHER_get_min_version BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CIPHER_get_min_version)\n#define SSL_CIPHER_get_name BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CIPHER_get_name)\n#define SSL_CIPHER_get_prf_nid BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CIPHER_get_prf_nid)\n#define SSL_CIPHER_get_protocol_id BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CIPHER_get_protocol_id)\n#define SSL_CIPHER_get_version BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CIPHER_get_version)\n#define SSL_CIPHER_is_aead BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CIPHER_is_aead)\n#define SSL_CIPHER_is_block_cipher BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CIPHER_is_block_cipher)\n#define SSL_CIPHER_standard_name BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CIPHER_standard_name)\n#define SSL_COMP_add_compression_method BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_COMP_add_compression_method)\n#define SSL_COMP_free_compression_methods BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_COMP_free_compression_methods)\n#define SSL_COMP_get0_name BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_COMP_get0_name)\n#define SSL_COMP_get_compression_methods BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_COMP_get_compression_methods)\n#define SSL_COMP_get_id BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_COMP_get_id)\n#define SSL_COMP_get_name BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_COMP_get_name)\n#define SSL_CREDENTIAL_clear_must_match_issuer BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CREDENTIAL_clear_must_match_issuer)\n#define SSL_CREDENTIAL_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CREDENTIAL_free)\n#define SSL_CREDENTIAL_get_ex_data BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CREDENTIAL_get_ex_data)\n#define SSL_CREDENTIAL_get_ex_new_index BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CREDENTIAL_get_ex_new_index)\n#define SSL_CREDENTIAL_must_match_issuer BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CREDENTIAL_must_match_issuer)\n#define SSL_CREDENTIAL_new_delegated BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CREDENTIAL_new_delegated)\n#define SSL_CREDENTIAL_new_x509 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CREDENTIAL_new_x509)\n#define SSL_CREDENTIAL_set1_cert_chain BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CREDENTIAL_set1_cert_chain)\n#define SSL_CREDENTIAL_set1_delegated_credential BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CREDENTIAL_set1_delegated_credential)\n#define SSL_CREDENTIAL_set1_ocsp_response BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CREDENTIAL_set1_ocsp_response)\n#define SSL_CREDENTIAL_set1_private_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CREDENTIAL_set1_private_key)\n#define SSL_CREDENTIAL_set1_signed_cert_timestamp_list BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CREDENTIAL_set1_signed_cert_timestamp_list)\n#define SSL_CREDENTIAL_set1_signing_algorithm_prefs BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CREDENTIAL_set1_signing_algorithm_prefs)\n#define SSL_CREDENTIAL_set_ex_data BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CREDENTIAL_set_ex_data)\n#define SSL_CREDENTIAL_set_must_match_issuer BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CREDENTIAL_set_must_match_issuer)\n#define SSL_CREDENTIAL_set_private_key_method BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CREDENTIAL_set_private_key_method)\n#define SSL_CREDENTIAL_up_ref BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CREDENTIAL_up_ref)\n#define SSL_CTX_add0_chain_cert BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_add0_chain_cert)\n#define SSL_CTX_add1_chain_cert BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_add1_chain_cert)\n#define SSL_CTX_add1_credential BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_add1_credential)\n#define SSL_CTX_add_cert_compression_alg BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_add_cert_compression_alg)\n#define SSL_CTX_add_client_CA BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_add_client_CA)\n#define SSL_CTX_add_extra_chain_cert BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_add_extra_chain_cert)\n#define SSL_CTX_add_session BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_add_session)\n#define SSL_CTX_check_private_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_check_private_key)\n#define SSL_CTX_cipher_in_group BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_cipher_in_group)\n#define SSL_CTX_clear_chain_certs BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_clear_chain_certs)\n#define SSL_CTX_clear_extra_chain_certs BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_clear_extra_chain_certs)\n#define SSL_CTX_clear_mode BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_clear_mode)\n#define SSL_CTX_clear_options BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_clear_options)\n#define SSL_CTX_enable_ocsp_stapling BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_enable_ocsp_stapling)\n#define SSL_CTX_enable_signed_cert_timestamps BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_enable_signed_cert_timestamps)\n#define SSL_CTX_enable_tls_channel_id BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_enable_tls_channel_id)\n#define SSL_CTX_flush_sessions BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_flush_sessions)\n#define SSL_CTX_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_free)\n#define SSL_CTX_get0_certificate BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_get0_certificate)\n#define SSL_CTX_get0_chain BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_get0_chain)\n#define SSL_CTX_get0_chain_certs BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_get0_chain_certs)\n#define SSL_CTX_get0_param BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_get0_param)\n#define SSL_CTX_get0_privatekey BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_get0_privatekey)\n#define SSL_CTX_get_cert_store BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_get_cert_store)\n#define SSL_CTX_get_ciphers BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_get_ciphers)\n#define SSL_CTX_get_client_CA_list BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_get_client_CA_list)\n#define SSL_CTX_get_compliance_policy BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_get_compliance_policy)\n#define SSL_CTX_get_default_passwd_cb BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_get_default_passwd_cb)\n#define SSL_CTX_get_default_passwd_cb_userdata BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_get_default_passwd_cb_userdata)\n#define SSL_CTX_get_ex_data BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_get_ex_data)\n#define SSL_CTX_get_ex_new_index BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_get_ex_new_index)\n#define SSL_CTX_get_extra_chain_certs BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_get_extra_chain_certs)\n#define SSL_CTX_get_info_callback BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_get_info_callback)\n#define SSL_CTX_get_keylog_callback BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_get_keylog_callback)\n#define SSL_CTX_get_max_cert_list BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_get_max_cert_list)\n#define SSL_CTX_get_max_proto_version BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_get_max_proto_version)\n#define SSL_CTX_get_min_proto_version BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_get_min_proto_version)\n#define SSL_CTX_get_mode BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_get_mode)\n#define SSL_CTX_get_num_tickets BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_get_num_tickets)\n#define SSL_CTX_get_options BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_get_options)\n#define SSL_CTX_get_quiet_shutdown BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_get_quiet_shutdown)\n#define SSL_CTX_get_read_ahead BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_get_read_ahead)\n#define SSL_CTX_get_session_cache_mode BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_get_session_cache_mode)\n#define SSL_CTX_get_timeout BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_get_timeout)\n#define SSL_CTX_get_tlsext_ticket_keys BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_get_tlsext_ticket_keys)\n#define SSL_CTX_get_verify_callback BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_get_verify_callback)\n#define SSL_CTX_get_verify_depth BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_get_verify_depth)\n#define SSL_CTX_get_verify_mode BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_get_verify_mode)\n#define SSL_CTX_load_verify_locations BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_load_verify_locations)\n#define SSL_CTX_need_tmp_RSA BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_need_tmp_RSA)\n#define SSL_CTX_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_new)\n#define SSL_CTX_remove_session BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_remove_session)\n#define SSL_CTX_sess_accept BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_sess_accept)\n#define SSL_CTX_sess_accept_good BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_sess_accept_good)\n#define SSL_CTX_sess_accept_renegotiate BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_sess_accept_renegotiate)\n#define SSL_CTX_sess_cache_full BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_sess_cache_full)\n#define SSL_CTX_sess_cb_hits BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_sess_cb_hits)\n#define SSL_CTX_sess_connect BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_sess_connect)\n#define SSL_CTX_sess_connect_good BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_sess_connect_good)\n#define SSL_CTX_sess_connect_renegotiate BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_sess_connect_renegotiate)\n#define SSL_CTX_sess_get_cache_size BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_sess_get_cache_size)\n#define SSL_CTX_sess_get_get_cb BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_sess_get_get_cb)\n#define SSL_CTX_sess_get_new_cb BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_sess_get_new_cb)\n#define SSL_CTX_sess_get_remove_cb BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_sess_get_remove_cb)\n#define SSL_CTX_sess_hits BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_sess_hits)\n#define SSL_CTX_sess_misses BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_sess_misses)\n#define SSL_CTX_sess_number BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_sess_number)\n#define SSL_CTX_sess_set_cache_size BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_sess_set_cache_size)\n#define SSL_CTX_sess_set_get_cb BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_sess_set_get_cb)\n#define SSL_CTX_sess_set_new_cb BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_sess_set_new_cb)\n#define SSL_CTX_sess_set_remove_cb BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_sess_set_remove_cb)\n#define SSL_CTX_sess_timeouts BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_sess_timeouts)\n#define SSL_CTX_set0_buffer_pool BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_set0_buffer_pool)\n#define SSL_CTX_set0_chain BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_set0_chain)\n#define SSL_CTX_set0_client_CAs BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_set0_client_CAs)\n#define SSL_CTX_set0_verify_cert_store BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_set0_verify_cert_store)\n#define SSL_CTX_set1_chain BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_set1_chain)\n#define SSL_CTX_set1_curves BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_set1_curves)\n#define SSL_CTX_set1_curves_list BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_set1_curves_list)\n#define SSL_CTX_set1_ech_keys BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_set1_ech_keys)\n#define SSL_CTX_set1_group_ids BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_set1_group_ids)\n#define SSL_CTX_set1_groups BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_set1_groups)\n#define SSL_CTX_set1_groups_list BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_set1_groups_list)\n#define SSL_CTX_set1_param BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_set1_param)\n#define SSL_CTX_set1_sigalgs BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_set1_sigalgs)\n#define SSL_CTX_set1_sigalgs_list BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_set1_sigalgs_list)\n#define SSL_CTX_set1_tls_channel_id BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_set1_tls_channel_id)\n#define SSL_CTX_set1_verify_cert_store BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_set1_verify_cert_store)\n#define SSL_CTX_set_allow_unknown_alpn_protos BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_set_allow_unknown_alpn_protos)\n#define SSL_CTX_set_alpn_protos BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_set_alpn_protos)\n#define SSL_CTX_set_alpn_select_cb BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_set_alpn_select_cb)\n#define SSL_CTX_set_cert_cb BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_set_cert_cb)\n#define SSL_CTX_set_cert_store BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_set_cert_store)\n#define SSL_CTX_set_cert_verify_callback BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_set_cert_verify_callback)\n#define SSL_CTX_set_chain_and_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_set_chain_and_key)\n#define SSL_CTX_set_cipher_list BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_set_cipher_list)\n#define SSL_CTX_set_client_CA_list BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_set_client_CA_list)\n#define SSL_CTX_set_client_cert_cb BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_set_client_cert_cb)\n#define SSL_CTX_set_compliance_policy BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_set_compliance_policy)\n#define SSL_CTX_set_current_time_cb BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_set_current_time_cb)\n#define SSL_CTX_set_custom_verify BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_set_custom_verify)\n#define SSL_CTX_set_default_passwd_cb BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_set_default_passwd_cb)\n#define SSL_CTX_set_default_passwd_cb_userdata BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_set_default_passwd_cb_userdata)\n#define SSL_CTX_set_default_verify_paths BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_set_default_verify_paths)\n#define SSL_CTX_set_dos_protection_cb BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_set_dos_protection_cb)\n#define SSL_CTX_set_early_data_enabled BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_set_early_data_enabled)\n#define SSL_CTX_set_ex_data BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_set_ex_data)\n#define SSL_CTX_set_false_start_allowed_without_alpn BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_set_false_start_allowed_without_alpn)\n#define SSL_CTX_set_grease_enabled BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_set_grease_enabled)\n#define SSL_CTX_set_info_callback BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_set_info_callback)\n#define SSL_CTX_set_keylog_callback BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_set_keylog_callback)\n#define SSL_CTX_set_max_cert_list BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_set_max_cert_list)\n#define SSL_CTX_set_max_proto_version BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_set_max_proto_version)\n#define SSL_CTX_set_max_send_fragment BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_set_max_send_fragment)\n#define SSL_CTX_set_min_proto_version BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_set_min_proto_version)\n#define SSL_CTX_set_mode BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_set_mode)\n#define SSL_CTX_set_msg_callback BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_set_msg_callback)\n#define SSL_CTX_set_msg_callback_arg BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_set_msg_callback_arg)\n#define SSL_CTX_set_next_proto_select_cb BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_set_next_proto_select_cb)\n#define SSL_CTX_set_next_protos_advertised_cb BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_set_next_protos_advertised_cb)\n#define SSL_CTX_set_num_tickets BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_set_num_tickets)\n#define SSL_CTX_set_ocsp_response BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_set_ocsp_response)\n#define SSL_CTX_set_options BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_set_options)\n#define SSL_CTX_set_permute_extensions BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_set_permute_extensions)\n#define SSL_CTX_set_private_key_method BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_set_private_key_method)\n#define SSL_CTX_set_psk_client_callback BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_set_psk_client_callback)\n#define SSL_CTX_set_psk_server_callback BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_set_psk_server_callback)\n#define SSL_CTX_set_purpose BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_set_purpose)\n#define SSL_CTX_set_quic_method BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_set_quic_method)\n#define SSL_CTX_set_quiet_shutdown BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_set_quiet_shutdown)\n#define SSL_CTX_set_read_ahead BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_set_read_ahead)\n#define SSL_CTX_set_record_protocol_version BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_set_record_protocol_version)\n#define SSL_CTX_set_retain_only_sha256_of_client_certs BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_set_retain_only_sha256_of_client_certs)\n#define SSL_CTX_set_reverify_on_resume BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_set_reverify_on_resume)\n#define SSL_CTX_set_select_certificate_cb BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_set_select_certificate_cb)\n#define SSL_CTX_set_session_cache_mode BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_set_session_cache_mode)\n#define SSL_CTX_set_session_id_context BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_set_session_id_context)\n#define SSL_CTX_set_session_psk_dhe_timeout BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_set_session_psk_dhe_timeout)\n#define SSL_CTX_set_signed_cert_timestamp_list BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_set_signed_cert_timestamp_list)\n#define SSL_CTX_set_signing_algorithm_prefs BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_set_signing_algorithm_prefs)\n#define SSL_CTX_set_srtp_profiles BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_set_srtp_profiles)\n#define SSL_CTX_set_strict_cipher_list BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_set_strict_cipher_list)\n#define SSL_CTX_set_ticket_aead_method BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_set_ticket_aead_method)\n#define SSL_CTX_set_timeout BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_set_timeout)\n#define SSL_CTX_set_tls_channel_id_enabled BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_set_tls_channel_id_enabled)\n#define SSL_CTX_set_tlsext_servername_arg BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_set_tlsext_servername_arg)\n#define SSL_CTX_set_tlsext_servername_callback BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_set_tlsext_servername_callback)\n#define SSL_CTX_set_tlsext_status_arg BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_set_tlsext_status_arg)\n#define SSL_CTX_set_tlsext_status_cb BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_set_tlsext_status_cb)\n#define SSL_CTX_set_tlsext_ticket_key_cb BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_set_tlsext_ticket_key_cb)\n#define SSL_CTX_set_tlsext_ticket_keys BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_set_tlsext_ticket_keys)\n#define SSL_CTX_set_tlsext_use_srtp BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_set_tlsext_use_srtp)\n#define SSL_CTX_set_tmp_dh BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_set_tmp_dh)\n#define SSL_CTX_set_tmp_dh_callback BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_set_tmp_dh_callback)\n#define SSL_CTX_set_tmp_ecdh BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_set_tmp_ecdh)\n#define SSL_CTX_set_tmp_rsa BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_set_tmp_rsa)\n#define SSL_CTX_set_tmp_rsa_callback BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_set_tmp_rsa_callback)\n#define SSL_CTX_set_trust BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_set_trust)\n#define SSL_CTX_set_verify BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_set_verify)\n#define SSL_CTX_set_verify_algorithm_prefs BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_set_verify_algorithm_prefs)\n#define SSL_CTX_set_verify_depth BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_set_verify_depth)\n#define SSL_CTX_up_ref BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_up_ref)\n#define SSL_CTX_use_PrivateKey BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_use_PrivateKey)\n#define SSL_CTX_use_PrivateKey_ASN1 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_use_PrivateKey_ASN1)\n#define SSL_CTX_use_PrivateKey_file BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_use_PrivateKey_file)\n#define SSL_CTX_use_RSAPrivateKey BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_use_RSAPrivateKey)\n#define SSL_CTX_use_RSAPrivateKey_ASN1 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_use_RSAPrivateKey_ASN1)\n#define SSL_CTX_use_RSAPrivateKey_file BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_use_RSAPrivateKey_file)\n#define SSL_CTX_use_certificate BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_use_certificate)\n#define SSL_CTX_use_certificate_ASN1 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_use_certificate_ASN1)\n#define SSL_CTX_use_certificate_chain_file BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_use_certificate_chain_file)\n#define SSL_CTX_use_certificate_file BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_use_certificate_file)\n#define SSL_CTX_use_psk_identity_hint BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_use_psk_identity_hint)\n#define SSL_ECH_KEYS_add BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_ECH_KEYS_add)\n#define SSL_ECH_KEYS_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_ECH_KEYS_free)\n#define SSL_ECH_KEYS_has_duplicate_config_id BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_ECH_KEYS_has_duplicate_config_id)\n#define SSL_ECH_KEYS_marshal_retry_configs BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_ECH_KEYS_marshal_retry_configs)\n#define SSL_ECH_KEYS_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_ECH_KEYS_new)\n#define SSL_ECH_KEYS_up_ref BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_ECH_KEYS_up_ref)\n#define SSL_SESSION_copy_without_early_data BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_SESSION_copy_without_early_data)\n#define SSL_SESSION_early_data_capable BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_SESSION_early_data_capable)\n#define SSL_SESSION_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_SESSION_free)\n#define SSL_SESSION_from_bytes BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_SESSION_from_bytes)\n#define SSL_SESSION_get0_cipher BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_SESSION_get0_cipher)\n#define SSL_SESSION_get0_id_context BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_SESSION_get0_id_context)\n#define SSL_SESSION_get0_ocsp_response BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_SESSION_get0_ocsp_response)\n#define SSL_SESSION_get0_peer BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_SESSION_get0_peer)\n#define SSL_SESSION_get0_peer_certificates BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_SESSION_get0_peer_certificates)\n#define SSL_SESSION_get0_peer_sha256 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_SESSION_get0_peer_sha256)\n#define SSL_SESSION_get0_signed_cert_timestamp_list BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_SESSION_get0_signed_cert_timestamp_list)\n#define SSL_SESSION_get0_ticket BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_SESSION_get0_ticket)\n#define SSL_SESSION_get_ex_data BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_SESSION_get_ex_data)\n#define SSL_SESSION_get_ex_new_index BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_SESSION_get_ex_new_index)\n#define SSL_SESSION_get_id BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_SESSION_get_id)\n#define SSL_SESSION_get_master_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_SESSION_get_master_key)\n#define SSL_SESSION_get_protocol_version BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_SESSION_get_protocol_version)\n#define SSL_SESSION_get_ticket_lifetime_hint BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_SESSION_get_ticket_lifetime_hint)\n#define SSL_SESSION_get_time BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_SESSION_get_time)\n#define SSL_SESSION_get_timeout BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_SESSION_get_timeout)\n#define SSL_SESSION_get_version BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_SESSION_get_version)\n#define SSL_SESSION_has_peer_sha256 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_SESSION_has_peer_sha256)\n#define SSL_SESSION_has_ticket BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_SESSION_has_ticket)\n#define SSL_SESSION_is_resumable BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_SESSION_is_resumable)\n#define SSL_SESSION_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_SESSION_new)\n#define SSL_SESSION_set1_id BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_SESSION_set1_id)\n#define SSL_SESSION_set1_id_context BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_SESSION_set1_id_context)\n#define SSL_SESSION_set_ex_data BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_SESSION_set_ex_data)\n#define SSL_SESSION_set_protocol_version BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_SESSION_set_protocol_version)\n#define SSL_SESSION_set_ticket BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_SESSION_set_ticket)\n#define SSL_SESSION_set_time BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_SESSION_set_time)\n#define SSL_SESSION_set_timeout BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_SESSION_set_timeout)\n#define SSL_SESSION_should_be_single_use BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_SESSION_should_be_single_use)\n#define SSL_SESSION_to_bytes BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_SESSION_to_bytes)\n#define SSL_SESSION_to_bytes_for_ticket BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_SESSION_to_bytes_for_ticket)\n#define SSL_SESSION_up_ref BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_SESSION_up_ref)\n#define SSL_accept BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_accept)\n#define SSL_add0_chain_cert BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_add0_chain_cert)\n#define SSL_add1_chain_cert BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_add1_chain_cert)\n#define SSL_add1_credential BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_add1_credential)\n#define SSL_add_application_settings BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_add_application_settings)\n#define SSL_add_bio_cert_subjects_to_stack BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_add_bio_cert_subjects_to_stack)\n#define SSL_add_client_CA BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_add_client_CA)\n#define SSL_add_file_cert_subjects_to_stack BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_add_file_cert_subjects_to_stack)\n#define SSL_alert_desc_string BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_alert_desc_string)\n#define SSL_alert_desc_string_long BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_alert_desc_string_long)\n#define SSL_alert_from_verify_result BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_alert_from_verify_result)\n#define SSL_alert_type_string BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_alert_type_string)\n#define SSL_alert_type_string_long BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_alert_type_string_long)\n#define SSL_cache_hit BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_cache_hit)\n#define SSL_can_release_private_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_can_release_private_key)\n#define SSL_certs_clear BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_certs_clear)\n#define SSL_check_private_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_check_private_key)\n#define SSL_clear BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_clear)\n#define SSL_clear_chain_certs BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_clear_chain_certs)\n#define SSL_clear_mode BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_clear_mode)\n#define SSL_clear_options BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_clear_options)\n#define SSL_connect BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_connect)\n#define SSL_cutthrough_complete BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_cutthrough_complete)\n#define SSL_do_handshake BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_do_handshake)\n#define SSL_dup_CA_list BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_dup_CA_list)\n#define SSL_early_callback_ctx_extension_get BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_early_callback_ctx_extension_get)\n#define SSL_early_data_accepted BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_early_data_accepted)\n#define SSL_early_data_reason_string BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_early_data_reason_string)\n#define SSL_ech_accepted BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_ech_accepted)\n#define SSL_enable_ocsp_stapling BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_enable_ocsp_stapling)\n#define SSL_enable_signed_cert_timestamps BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_enable_signed_cert_timestamps)\n#define SSL_enable_tls_channel_id BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_enable_tls_channel_id)\n#define SSL_error_description BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_error_description)\n#define SSL_export_keying_material BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_export_keying_material)\n#define SSL_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_free)\n#define SSL_generate_key_block BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_generate_key_block)\n#define SSL_get0_alpn_selected BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_get0_alpn_selected)\n#define SSL_get0_certificate_types BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_get0_certificate_types)\n#define SSL_get0_chain BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_get0_chain)\n#define SSL_get0_chain_certs BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_get0_chain_certs)\n#define SSL_get0_ech_name_override BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_get0_ech_name_override)\n#define SSL_get0_ech_retry_configs BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_get0_ech_retry_configs)\n#define SSL_get0_next_proto_negotiated BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_get0_next_proto_negotiated)\n#define SSL_get0_ocsp_response BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_get0_ocsp_response)\n#define SSL_get0_param BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_get0_param)\n#define SSL_get0_peer_application_settings BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_get0_peer_application_settings)\n#define SSL_get0_peer_certificates BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_get0_peer_certificates)\n#define SSL_get0_peer_delegation_algorithms BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_get0_peer_delegation_algorithms)\n#define SSL_get0_peer_verify_algorithms BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_get0_peer_verify_algorithms)\n#define SSL_get0_selected_credential BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_get0_selected_credential)\n#define SSL_get0_server_requested_CAs BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_get0_server_requested_CAs)\n#define SSL_get0_session_id_context BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_get0_session_id_context)\n#define SSL_get0_signed_cert_timestamp_list BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_get0_signed_cert_timestamp_list)\n#define SSL_get1_session BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_get1_session)\n#define SSL_get_SSL_CTX BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_get_SSL_CTX)\n#define SSL_get_all_cipher_names BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_get_all_cipher_names)\n#define SSL_get_all_curve_names BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_get_all_curve_names)\n#define SSL_get_all_group_names BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_get_all_group_names)\n#define SSL_get_all_signature_algorithm_names BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_get_all_signature_algorithm_names)\n#define SSL_get_all_standard_cipher_names BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_get_all_standard_cipher_names)\n#define SSL_get_all_version_names BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_get_all_version_names)\n#define SSL_get_certificate BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_get_certificate)\n#define SSL_get_cipher_by_value BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_get_cipher_by_value)\n#define SSL_get_cipher_list BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_get_cipher_list)\n#define SSL_get_ciphers BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_get_ciphers)\n#define SSL_get_client_CA_list BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_get_client_CA_list)\n#define SSL_get_client_random BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_get_client_random)\n#define SSL_get_compliance_policy BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_get_compliance_policy)\n#define SSL_get_current_cipher BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_get_current_cipher)\n#define SSL_get_current_compression BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_get_current_compression)\n#define SSL_get_current_expansion BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_get_current_expansion)\n#define SSL_get_curve_id BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_get_curve_id)\n#define SSL_get_curve_name BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_get_curve_name)\n#define SSL_get_default_timeout BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_get_default_timeout)\n#define SSL_get_early_data_reason BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_get_early_data_reason)\n#define SSL_get_error BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_get_error)\n#define SSL_get_ex_data BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_get_ex_data)\n#define SSL_get_ex_data_X509_STORE_CTX_idx BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_get_ex_data_X509_STORE_CTX_idx)\n#define SSL_get_ex_new_index BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_get_ex_new_index)\n#define SSL_get_extms_support BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_get_extms_support)\n#define SSL_get_fd BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_get_fd)\n#define SSL_get_finished BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_get_finished)\n#define SSL_get_group_id BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_get_group_id)\n#define SSL_get_group_name BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_get_group_name)\n#define SSL_get_info_callback BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_get_info_callback)\n#define SSL_get_ivs BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_get_ivs)\n#define SSL_get_key_block_len BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_get_key_block_len)\n#define SSL_get_max_cert_list BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_get_max_cert_list)\n#define SSL_get_max_proto_version BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_get_max_proto_version)\n#define SSL_get_min_proto_version BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_get_min_proto_version)\n#define SSL_get_mode BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_get_mode)\n#define SSL_get_negotiated_group BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_get_negotiated_group)\n#define SSL_get_options BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_get_options)\n#define SSL_get_peer_cert_chain BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_get_peer_cert_chain)\n#define SSL_get_peer_certificate BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_get_peer_certificate)\n#define SSL_get_peer_finished BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_get_peer_finished)\n#define SSL_get_peer_full_cert_chain BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_get_peer_full_cert_chain)\n#define SSL_get_peer_quic_transport_params BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_get_peer_quic_transport_params)\n#define SSL_get_peer_signature_algorithm BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_get_peer_signature_algorithm)\n#define SSL_get_pending_cipher BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_get_pending_cipher)\n#define SSL_get_privatekey BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_get_privatekey)\n#define SSL_get_psk_identity BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_get_psk_identity)\n#define SSL_get_psk_identity_hint BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_get_psk_identity_hint)\n#define SSL_get_quiet_shutdown BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_get_quiet_shutdown)\n#define SSL_get_rbio BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_get_rbio)\n#define SSL_get_read_ahead BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_get_read_ahead)\n#define SSL_get_read_sequence BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_get_read_sequence)\n#define SSL_get_rfd BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_get_rfd)\n#define SSL_get_secure_renegotiation_support BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_get_secure_renegotiation_support)\n#define SSL_get_selected_srtp_profile BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_get_selected_srtp_profile)\n#define SSL_get_server_random BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_get_server_random)\n#define SSL_get_server_tmp_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_get_server_tmp_key)\n#define SSL_get_servername BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_get_servername)\n#define SSL_get_servername_type BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_get_servername_type)\n#define SSL_get_session BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_get_session)\n#define SSL_get_shared_ciphers BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_get_shared_ciphers)\n#define SSL_get_shared_sigalgs BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_get_shared_sigalgs)\n#define SSL_get_shutdown BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_get_shutdown)\n#define SSL_get_signature_algorithm_digest BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_get_signature_algorithm_digest)\n#define SSL_get_signature_algorithm_key_type BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_get_signature_algorithm_key_type)\n#define SSL_get_signature_algorithm_name BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_get_signature_algorithm_name)\n#define SSL_get_srtp_profiles BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_get_srtp_profiles)\n#define SSL_get_ticket_age_skew BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_get_ticket_age_skew)\n#define SSL_get_tls_channel_id BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_get_tls_channel_id)\n#define SSL_get_tls_unique BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_get_tls_unique)\n#define SSL_get_tlsext_status_ocsp_resp BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_get_tlsext_status_ocsp_resp)\n#define SSL_get_tlsext_status_type BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_get_tlsext_status_type)\n#define SSL_get_verify_callback BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_get_verify_callback)\n#define SSL_get_verify_depth BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_get_verify_depth)\n#define SSL_get_verify_mode BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_get_verify_mode)\n#define SSL_get_verify_result BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_get_verify_result)\n#define SSL_get_version BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_get_version)\n#define SSL_get_wbio BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_get_wbio)\n#define SSL_get_wfd BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_get_wfd)\n#define SSL_get_write_sequence BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_get_write_sequence)\n#define SSL_has_application_settings BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_has_application_settings)\n#define SSL_has_pending BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_has_pending)\n#define SSL_in_early_data BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_in_early_data)\n#define SSL_in_false_start BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_in_false_start)\n#define SSL_in_init BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_in_init)\n#define SSL_is_dtls BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_is_dtls)\n#define SSL_is_init_finished BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_is_init_finished)\n#define SSL_is_quic BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_is_quic)\n#define SSL_is_server BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_is_server)\n#define SSL_is_signature_algorithm_rsa_pss BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_is_signature_algorithm_rsa_pss)\n#define SSL_key_update BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_key_update)\n#define SSL_library_init BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_library_init)\n#define SSL_load_client_CA_file BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_load_client_CA_file)\n#define SSL_load_error_strings BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_load_error_strings)\n#define SSL_magic_pending_session_ptr BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_magic_pending_session_ptr)\n#define SSL_marshal_ech_config BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_marshal_ech_config)\n#define SSL_max_seal_overhead BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_max_seal_overhead)\n#define SSL_need_tmp_RSA BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_need_tmp_RSA)\n#define SSL_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_new)\n#define SSL_num_renegotiations BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_num_renegotiations)\n#define SSL_peek BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_peek)\n#define SSL_pending BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_pending)\n#define SSL_process_quic_post_handshake BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_process_quic_post_handshake)\n#define SSL_process_tls13_new_session_ticket BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_process_tls13_new_session_ticket)\n#define SSL_provide_quic_data BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_provide_quic_data)\n#define SSL_quic_max_handshake_flight_len BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_quic_max_handshake_flight_len)\n#define SSL_quic_read_level BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_quic_read_level)\n#define SSL_quic_write_level BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_quic_write_level)\n#define SSL_read BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_read)\n#define SSL_renegotiate BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_renegotiate)\n#define SSL_renegotiate_pending BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_renegotiate_pending)\n#define SSL_request_handshake_hints BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_request_handshake_hints)\n#define SSL_reset_early_data_reject BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_reset_early_data_reject)\n#define SSL_select_next_proto BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_select_next_proto)\n#define SSL_send_fatal_alert BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_send_fatal_alert)\n#define SSL_serialize_capabilities BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_serialize_capabilities)\n#define SSL_serialize_handshake_hints BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_serialize_handshake_hints)\n#define SSL_session_reused BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_session_reused)\n#define SSL_set0_CA_names BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_set0_CA_names)\n#define SSL_set0_chain BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_set0_chain)\n#define SSL_set0_client_CAs BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_set0_client_CAs)\n#define SSL_set0_rbio BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_set0_rbio)\n#define SSL_set0_verify_cert_store BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_set0_verify_cert_store)\n#define SSL_set0_wbio BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_set0_wbio)\n#define SSL_set1_chain BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_set1_chain)\n#define SSL_set1_curves BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_set1_curves)\n#define SSL_set1_curves_list BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_set1_curves_list)\n#define SSL_set1_ech_config_list BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_set1_ech_config_list)\n#define SSL_set1_group_ids BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_set1_group_ids)\n#define SSL_set1_groups BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_set1_groups)\n#define SSL_set1_groups_list BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_set1_groups_list)\n#define SSL_set1_host BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_set1_host)\n#define SSL_set1_param BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_set1_param)\n#define SSL_set1_sigalgs BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_set1_sigalgs)\n#define SSL_set1_sigalgs_list BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_set1_sigalgs_list)\n#define SSL_set1_tls_channel_id BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_set1_tls_channel_id)\n#define SSL_set1_verify_cert_store BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_set1_verify_cert_store)\n#define SSL_set_SSL_CTX BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_set_SSL_CTX)\n#define SSL_set_accept_state BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_set_accept_state)\n#define SSL_set_alpn_protos BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_set_alpn_protos)\n#define SSL_set_alps_use_new_codepoint BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_set_alps_use_new_codepoint)\n#define SSL_set_bio BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_set_bio)\n#define SSL_set_cert_cb BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_set_cert_cb)\n#define SSL_set_chain_and_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_set_chain_and_key)\n#define SSL_set_check_client_certificate_type BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_set_check_client_certificate_type)\n#define SSL_set_check_ecdsa_curve BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_set_check_ecdsa_curve)\n#define SSL_set_cipher_list BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_set_cipher_list)\n#define SSL_set_client_CA_list BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_set_client_CA_list)\n#define SSL_set_compliance_policy BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_set_compliance_policy)\n#define SSL_set_connect_state BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_set_connect_state)\n#define SSL_set_custom_verify BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_set_custom_verify)\n#define SSL_set_early_data_enabled BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_set_early_data_enabled)\n#define SSL_set_enable_ech_grease BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_set_enable_ech_grease)\n#define SSL_set_enforce_rsa_key_usage BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_set_enforce_rsa_key_usage)\n#define SSL_set_ex_data BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_set_ex_data)\n#define SSL_set_fd BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_set_fd)\n#define SSL_set_handshake_hints BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_set_handshake_hints)\n#define SSL_set_hostflags BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_set_hostflags)\n#define SSL_set_info_callback BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_set_info_callback)\n#define SSL_set_jdk11_workaround BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_set_jdk11_workaround)\n#define SSL_set_max_cert_list BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_set_max_cert_list)\n#define SSL_set_max_proto_version BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_set_max_proto_version)\n#define SSL_set_max_send_fragment BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_set_max_send_fragment)\n#define SSL_set_min_proto_version BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_set_min_proto_version)\n#define SSL_set_mode BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_set_mode)\n#define SSL_set_msg_callback BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_set_msg_callback)\n#define SSL_set_msg_callback_arg BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_set_msg_callback_arg)\n#define SSL_set_mtu BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_set_mtu)\n#define SSL_set_ocsp_response BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_set_ocsp_response)\n#define SSL_set_options BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_set_options)\n#define SSL_set_permute_extensions BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_set_permute_extensions)\n#define SSL_set_private_key_method BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_set_private_key_method)\n#define SSL_set_psk_client_callback BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_set_psk_client_callback)\n#define SSL_set_psk_server_callback BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_set_psk_server_callback)\n#define SSL_set_purpose BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_set_purpose)\n#define SSL_set_quic_early_data_context BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_set_quic_early_data_context)\n#define SSL_set_quic_method BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_set_quic_method)\n#define SSL_set_quic_transport_params BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_set_quic_transport_params)\n#define SSL_set_quic_use_legacy_codepoint BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_set_quic_use_legacy_codepoint)\n#define SSL_set_quiet_shutdown BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_set_quiet_shutdown)\n#define SSL_set_read_ahead BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_set_read_ahead)\n#define SSL_set_renegotiate_mode BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_set_renegotiate_mode)\n#define SSL_set_retain_only_sha256_of_client_certs BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_set_retain_only_sha256_of_client_certs)\n#define SSL_set_rfd BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_set_rfd)\n#define SSL_set_session BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_set_session)\n#define SSL_set_session_id_context BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_set_session_id_context)\n#define SSL_set_shed_handshake_config BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_set_shed_handshake_config)\n#define SSL_set_shutdown BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_set_shutdown)\n#define SSL_set_signed_cert_timestamp_list BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_set_signed_cert_timestamp_list)\n#define SSL_set_signing_algorithm_prefs BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_set_signing_algorithm_prefs)\n#define SSL_set_srtp_profiles BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_set_srtp_profiles)\n#define SSL_set_state BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_set_state)\n#define SSL_set_strict_cipher_list BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_set_strict_cipher_list)\n#define SSL_set_tls_channel_id_enabled BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_set_tls_channel_id_enabled)\n#define SSL_set_tlsext_host_name BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_set_tlsext_host_name)\n#define SSL_set_tlsext_status_ocsp_resp BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_set_tlsext_status_ocsp_resp)\n#define SSL_set_tlsext_status_type BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_set_tlsext_status_type)\n#define SSL_set_tlsext_use_srtp BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_set_tlsext_use_srtp)\n#define SSL_set_tmp_dh BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_set_tmp_dh)\n#define SSL_set_tmp_dh_callback BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_set_tmp_dh_callback)\n#define SSL_set_tmp_ecdh BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_set_tmp_ecdh)\n#define SSL_set_tmp_rsa BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_set_tmp_rsa)\n#define SSL_set_tmp_rsa_callback BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_set_tmp_rsa_callback)\n#define SSL_set_trust BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_set_trust)\n#define SSL_set_verify BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_set_verify)\n#define SSL_set_verify_algorithm_prefs BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_set_verify_algorithm_prefs)\n#define SSL_set_verify_depth BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_set_verify_depth)\n#define SSL_set_wfd BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_set_wfd)\n#define SSL_shutdown BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_shutdown)\n#define SSL_state BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_state)\n#define SSL_state_string BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_state_string)\n#define SSL_state_string_long BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_state_string_long)\n#define SSL_total_renegotiations BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_total_renegotiations)\n#define SSL_use_PrivateKey BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_use_PrivateKey)\n#define SSL_use_PrivateKey_ASN1 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_use_PrivateKey_ASN1)\n#define SSL_use_PrivateKey_file BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_use_PrivateKey_file)\n#define SSL_use_RSAPrivateKey BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_use_RSAPrivateKey)\n#define SSL_use_RSAPrivateKey_ASN1 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_use_RSAPrivateKey_ASN1)\n#define SSL_use_RSAPrivateKey_file BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_use_RSAPrivateKey_file)\n#define SSL_use_certificate BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_use_certificate)\n#define SSL_use_certificate_ASN1 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_use_certificate_ASN1)\n#define SSL_use_certificate_file BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_use_certificate_file)\n#define SSL_use_psk_identity_hint BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_use_psk_identity_hint)\n#define SSL_used_hello_retry_request BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_used_hello_retry_request)\n#define SSL_version BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_version)\n#define SSL_want BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_want)\n#define SSL_was_key_usage_invalid BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_was_key_usage_invalid)\n#define SSL_write BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_write)\n#define SSLeay BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSLeay)\n#define SSLeay_version BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSLeay_version)\n#define SSLv23_client_method BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSLv23_client_method)\n#define SSLv23_method BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSLv23_method)\n#define SSLv23_server_method BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSLv23_server_method)\n#define TLS_client_method BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, TLS_client_method)\n#define TLS_method BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, TLS_method)\n#define TLS_server_method BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, TLS_server_method)\n#define TLS_with_buffers_method BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, TLS_with_buffers_method)\n#define TLSv1_1_client_method BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, TLSv1_1_client_method)\n#define TLSv1_1_method BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, TLSv1_1_method)\n#define TLSv1_1_server_method BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, TLSv1_1_server_method)\n#define TLSv1_2_client_method BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, TLSv1_2_client_method)\n#define TLSv1_2_method BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, TLSv1_2_method)\n#define TLSv1_2_server_method BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, TLSv1_2_server_method)\n#define TLSv1_client_method BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, TLSv1_client_method)\n#define TLSv1_method BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, TLSv1_method)\n#define TLSv1_server_method BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, TLSv1_server_method)\n#define TRUST_TOKEN_CLIENT_add_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, TRUST_TOKEN_CLIENT_add_key)\n#define TRUST_TOKEN_CLIENT_begin_issuance BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, TRUST_TOKEN_CLIENT_begin_issuance)\n#define TRUST_TOKEN_CLIENT_begin_issuance_over_message BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, TRUST_TOKEN_CLIENT_begin_issuance_over_message)\n#define TRUST_TOKEN_CLIENT_begin_redemption BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, TRUST_TOKEN_CLIENT_begin_redemption)\n#define TRUST_TOKEN_CLIENT_finish_issuance BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, TRUST_TOKEN_CLIENT_finish_issuance)\n#define TRUST_TOKEN_CLIENT_finish_redemption BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, TRUST_TOKEN_CLIENT_finish_redemption)\n#define TRUST_TOKEN_CLIENT_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, TRUST_TOKEN_CLIENT_free)\n#define TRUST_TOKEN_CLIENT_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, TRUST_TOKEN_CLIENT_new)\n#define TRUST_TOKEN_CLIENT_set_srr_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, TRUST_TOKEN_CLIENT_set_srr_key)\n#define TRUST_TOKEN_ISSUER_add_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, TRUST_TOKEN_ISSUER_add_key)\n#define TRUST_TOKEN_ISSUER_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, TRUST_TOKEN_ISSUER_free)\n#define TRUST_TOKEN_ISSUER_issue BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, TRUST_TOKEN_ISSUER_issue)\n#define TRUST_TOKEN_ISSUER_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, TRUST_TOKEN_ISSUER_new)\n#define TRUST_TOKEN_ISSUER_redeem BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, TRUST_TOKEN_ISSUER_redeem)\n#define TRUST_TOKEN_ISSUER_redeem_over_message BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, TRUST_TOKEN_ISSUER_redeem_over_message)\n#define TRUST_TOKEN_ISSUER_set_metadata_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, TRUST_TOKEN_ISSUER_set_metadata_key)\n#define TRUST_TOKEN_ISSUER_set_srr_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, TRUST_TOKEN_ISSUER_set_srr_key)\n#define TRUST_TOKEN_PRETOKEN_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, TRUST_TOKEN_PRETOKEN_free)\n#define TRUST_TOKEN_decode_private_metadata BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, TRUST_TOKEN_decode_private_metadata)\n#define TRUST_TOKEN_derive_key_from_secret BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, TRUST_TOKEN_derive_key_from_secret)\n#define TRUST_TOKEN_experiment_v1 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, TRUST_TOKEN_experiment_v1)\n#define TRUST_TOKEN_experiment_v2_pmb BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, TRUST_TOKEN_experiment_v2_pmb)\n#define TRUST_TOKEN_experiment_v2_voprf BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, TRUST_TOKEN_experiment_v2_voprf)\n#define TRUST_TOKEN_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, TRUST_TOKEN_free)\n#define TRUST_TOKEN_generate_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, TRUST_TOKEN_generate_key)\n#define TRUST_TOKEN_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, TRUST_TOKEN_new)\n#define TRUST_TOKEN_pst_v1_pmb BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, TRUST_TOKEN_pst_v1_pmb)\n#define TRUST_TOKEN_pst_v1_voprf BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, TRUST_TOKEN_pst_v1_voprf)\n#define USERNOTICE_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, USERNOTICE_free)\n#define USERNOTICE_it BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, USERNOTICE_it)\n#define USERNOTICE_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, USERNOTICE_new)\n#define X25519 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X25519)\n#define X25519_keypair BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X25519_keypair)\n#define X25519_public_from_private BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X25519_public_from_private)\n#define X509V3_EXT_CRL_add_nconf BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509V3_EXT_CRL_add_nconf)\n#define X509V3_EXT_REQ_add_nconf BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509V3_EXT_REQ_add_nconf)\n#define X509V3_EXT_add BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509V3_EXT_add)\n#define X509V3_EXT_add_alias BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509V3_EXT_add_alias)\n#define X509V3_EXT_add_nconf BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509V3_EXT_add_nconf)\n#define X509V3_EXT_add_nconf_sk BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509V3_EXT_add_nconf_sk)\n#define X509V3_EXT_d2i BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509V3_EXT_d2i)\n#define X509V3_EXT_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509V3_EXT_free)\n#define X509V3_EXT_get BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509V3_EXT_get)\n#define X509V3_EXT_get_nid BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509V3_EXT_get_nid)\n#define X509V3_EXT_i2d BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509V3_EXT_i2d)\n#define X509V3_EXT_nconf BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509V3_EXT_nconf)\n#define X509V3_EXT_nconf_nid BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509V3_EXT_nconf_nid)\n#define X509V3_EXT_print BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509V3_EXT_print)\n#define X509V3_EXT_print_fp BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509V3_EXT_print_fp)\n#define X509V3_NAME_from_section BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509V3_NAME_from_section)\n#define X509V3_add1_i2d BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509V3_add1_i2d)\n#define X509V3_add_standard_extensions BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509V3_add_standard_extensions)\n#define X509V3_add_value BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509V3_add_value)\n#define X509V3_add_value_bool BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509V3_add_value_bool)\n#define X509V3_add_value_int BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509V3_add_value_int)\n#define X509V3_bool_from_string BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509V3_bool_from_string)\n#define X509V3_conf_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509V3_conf_free)\n#define X509V3_extensions_print BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509V3_extensions_print)\n#define X509V3_get_d2i BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509V3_get_d2i)\n#define X509V3_get_section BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509V3_get_section)\n#define X509V3_get_value_bool BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509V3_get_value_bool)\n#define X509V3_get_value_int BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509V3_get_value_int)\n#define X509V3_parse_list BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509V3_parse_list)\n#define X509V3_set_ctx BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509V3_set_ctx)\n#define X509V3_set_nconf BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509V3_set_nconf)\n#define X509_ALGOR_cmp BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_ALGOR_cmp)\n#define X509_ALGOR_dup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_ALGOR_dup)\n#define X509_ALGOR_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_ALGOR_free)\n#define X509_ALGOR_get0 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_ALGOR_get0)\n#define X509_ALGOR_it BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_ALGOR_it)\n#define X509_ALGOR_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_ALGOR_new)\n#define X509_ALGOR_set0 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_ALGOR_set0)\n#define X509_ALGOR_set_md BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_ALGOR_set_md)\n#define X509_ATTRIBUTE_count BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_ATTRIBUTE_count)\n#define X509_ATTRIBUTE_create BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_ATTRIBUTE_create)\n#define X509_ATTRIBUTE_create_by_NID BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_ATTRIBUTE_create_by_NID)\n#define X509_ATTRIBUTE_create_by_OBJ BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_ATTRIBUTE_create_by_OBJ)\n#define X509_ATTRIBUTE_create_by_txt BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_ATTRIBUTE_create_by_txt)\n#define X509_ATTRIBUTE_dup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_ATTRIBUTE_dup)\n#define X509_ATTRIBUTE_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_ATTRIBUTE_free)\n#define X509_ATTRIBUTE_get0_data BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_ATTRIBUTE_get0_data)\n#define X509_ATTRIBUTE_get0_object BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_ATTRIBUTE_get0_object)\n#define X509_ATTRIBUTE_get0_type BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_ATTRIBUTE_get0_type)\n#define X509_ATTRIBUTE_it BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_ATTRIBUTE_it)\n#define X509_ATTRIBUTE_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_ATTRIBUTE_new)\n#define X509_ATTRIBUTE_set1_data BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_ATTRIBUTE_set1_data)\n#define X509_ATTRIBUTE_set1_object BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_ATTRIBUTE_set1_object)\n#define X509_CERT_AUX_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_CERT_AUX_free)\n#define X509_CERT_AUX_it BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_CERT_AUX_it)\n#define X509_CERT_AUX_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_CERT_AUX_new)\n#define X509_CERT_AUX_print BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_CERT_AUX_print)\n#define X509_CINF_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_CINF_free)\n#define X509_CINF_it BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_CINF_it)\n#define X509_CINF_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_CINF_new)\n#define X509_CRL_INFO_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_CRL_INFO_free)\n#define X509_CRL_INFO_it BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_CRL_INFO_it)\n#define X509_CRL_INFO_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_CRL_INFO_new)\n#define X509_CRL_add0_revoked BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_CRL_add0_revoked)\n#define X509_CRL_add1_ext_i2d BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_CRL_add1_ext_i2d)\n#define X509_CRL_add_ext BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_CRL_add_ext)\n#define X509_CRL_cmp BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_CRL_cmp)\n#define X509_CRL_delete_ext BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_CRL_delete_ext)\n#define X509_CRL_digest BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_CRL_digest)\n#define X509_CRL_dup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_CRL_dup)\n#define X509_CRL_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_CRL_free)\n#define X509_CRL_get0_by_cert BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_CRL_get0_by_cert)\n#define X509_CRL_get0_by_serial BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_CRL_get0_by_serial)\n#define X509_CRL_get0_extensions BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_CRL_get0_extensions)\n#define X509_CRL_get0_lastUpdate BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_CRL_get0_lastUpdate)\n#define X509_CRL_get0_nextUpdate BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_CRL_get0_nextUpdate)\n#define X509_CRL_get0_signature BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_CRL_get0_signature)\n#define X509_CRL_get_REVOKED BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_CRL_get_REVOKED)\n#define X509_CRL_get_ext BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_CRL_get_ext)\n#define X509_CRL_get_ext_by_NID BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_CRL_get_ext_by_NID)\n#define X509_CRL_get_ext_by_OBJ BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_CRL_get_ext_by_OBJ)\n#define X509_CRL_get_ext_by_critical BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_CRL_get_ext_by_critical)\n#define X509_CRL_get_ext_count BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_CRL_get_ext_count)\n#define X509_CRL_get_ext_d2i BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_CRL_get_ext_d2i)\n#define X509_CRL_get_issuer BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_CRL_get_issuer)\n#define X509_CRL_get_lastUpdate BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_CRL_get_lastUpdate)\n#define X509_CRL_get_nextUpdate BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_CRL_get_nextUpdate)\n#define X509_CRL_get_signature_nid BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_CRL_get_signature_nid)\n#define X509_CRL_get_version BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_CRL_get_version)\n#define X509_CRL_it BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_CRL_it)\n#define X509_CRL_match BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_CRL_match)\n#define X509_CRL_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_CRL_new)\n#define X509_CRL_print BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_CRL_print)\n#define X509_CRL_print_fp BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_CRL_print_fp)\n#define X509_CRL_set1_lastUpdate BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_CRL_set1_lastUpdate)\n#define X509_CRL_set1_nextUpdate BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_CRL_set1_nextUpdate)\n#define X509_CRL_set1_signature_algo BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_CRL_set1_signature_algo)\n#define X509_CRL_set1_signature_value BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_CRL_set1_signature_value)\n#define X509_CRL_set_issuer_name BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_CRL_set_issuer_name)\n#define X509_CRL_set_version BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_CRL_set_version)\n#define X509_CRL_sign BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_CRL_sign)\n#define X509_CRL_sign_ctx BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_CRL_sign_ctx)\n#define X509_CRL_sort BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_CRL_sort)\n#define X509_CRL_up_ref BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_CRL_up_ref)\n#define X509_CRL_verify BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_CRL_verify)\n#define X509_EXTENSIONS_it BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_EXTENSIONS_it)\n#define X509_EXTENSION_create_by_NID BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_EXTENSION_create_by_NID)\n#define X509_EXTENSION_create_by_OBJ BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_EXTENSION_create_by_OBJ)\n#define X509_EXTENSION_dup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_EXTENSION_dup)\n#define X509_EXTENSION_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_EXTENSION_free)\n#define X509_EXTENSION_get_critical BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_EXTENSION_get_critical)\n#define X509_EXTENSION_get_data BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_EXTENSION_get_data)\n#define X509_EXTENSION_get_object BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_EXTENSION_get_object)\n#define X509_EXTENSION_it BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_EXTENSION_it)\n#define X509_EXTENSION_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_EXTENSION_new)\n#define X509_EXTENSION_set_critical BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_EXTENSION_set_critical)\n#define X509_EXTENSION_set_data BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_EXTENSION_set_data)\n#define X509_EXTENSION_set_object BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_EXTENSION_set_object)\n#define X509_INFO_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_INFO_free)\n#define X509_LOOKUP_add_dir BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_LOOKUP_add_dir)\n#define X509_LOOKUP_ctrl BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_LOOKUP_ctrl)\n#define X509_LOOKUP_file BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_LOOKUP_file)\n#define X509_LOOKUP_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_LOOKUP_free)\n#define X509_LOOKUP_hash_dir BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_LOOKUP_hash_dir)\n#define X509_LOOKUP_load_file BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_LOOKUP_load_file)\n#define X509_NAME_ENTRY_create_by_NID BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_NAME_ENTRY_create_by_NID)\n#define X509_NAME_ENTRY_create_by_OBJ BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_NAME_ENTRY_create_by_OBJ)\n#define X509_NAME_ENTRY_create_by_txt BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_NAME_ENTRY_create_by_txt)\n#define X509_NAME_ENTRY_dup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_NAME_ENTRY_dup)\n#define X509_NAME_ENTRY_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_NAME_ENTRY_free)\n#define X509_NAME_ENTRY_get_data BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_NAME_ENTRY_get_data)\n#define X509_NAME_ENTRY_get_object BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_NAME_ENTRY_get_object)\n#define X509_NAME_ENTRY_it BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_NAME_ENTRY_it)\n#define X509_NAME_ENTRY_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_NAME_ENTRY_new)\n#define X509_NAME_ENTRY_set BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_NAME_ENTRY_set)\n#define X509_NAME_ENTRY_set_data BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_NAME_ENTRY_set_data)\n#define X509_NAME_ENTRY_set_object BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_NAME_ENTRY_set_object)\n#define X509_NAME_add_entry BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_NAME_add_entry)\n#define X509_NAME_add_entry_by_NID BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_NAME_add_entry_by_NID)\n#define X509_NAME_add_entry_by_OBJ BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_NAME_add_entry_by_OBJ)\n#define X509_NAME_add_entry_by_txt BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_NAME_add_entry_by_txt)\n#define X509_NAME_cmp BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_NAME_cmp)\n#define X509_NAME_delete_entry BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_NAME_delete_entry)\n#define X509_NAME_digest BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_NAME_digest)\n#define X509_NAME_dup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_NAME_dup)\n#define X509_NAME_entry_count BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_NAME_entry_count)\n#define X509_NAME_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_NAME_free)\n#define X509_NAME_get0_der BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_NAME_get0_der)\n#define X509_NAME_get_entry BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_NAME_get_entry)\n#define X509_NAME_get_index_by_NID BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_NAME_get_index_by_NID)\n#define X509_NAME_get_index_by_OBJ BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_NAME_get_index_by_OBJ)\n#define X509_NAME_get_text_by_NID BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_NAME_get_text_by_NID)\n#define X509_NAME_get_text_by_OBJ BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_NAME_get_text_by_OBJ)\n#define X509_NAME_hash BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_NAME_hash)\n#define X509_NAME_hash_old BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_NAME_hash_old)\n#define X509_NAME_it BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_NAME_it)\n#define X509_NAME_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_NAME_new)\n#define X509_NAME_oneline BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_NAME_oneline)\n#define X509_NAME_print BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_NAME_print)\n#define X509_NAME_print_ex BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_NAME_print_ex)\n#define X509_NAME_print_ex_fp BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_NAME_print_ex_fp)\n#define X509_NAME_set BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_NAME_set)\n#define X509_OBJECT_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_OBJECT_free)\n#define X509_OBJECT_free_contents BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_OBJECT_free_contents)\n#define X509_OBJECT_get0_X509 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_OBJECT_get0_X509)\n#define X509_OBJECT_get_type BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_OBJECT_get_type)\n#define X509_OBJECT_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_OBJECT_new)\n#define X509_PUBKEY_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_PUBKEY_free)\n#define X509_PUBKEY_get BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_PUBKEY_get)\n#define X509_PUBKEY_get0 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_PUBKEY_get0)\n#define X509_PUBKEY_get0_param BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_PUBKEY_get0_param)\n#define X509_PUBKEY_get0_public_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_PUBKEY_get0_public_key)\n#define X509_PUBKEY_it BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_PUBKEY_it)\n#define X509_PUBKEY_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_PUBKEY_new)\n#define X509_PUBKEY_set BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_PUBKEY_set)\n#define X509_PUBKEY_set0_param BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_PUBKEY_set0_param)\n#define X509_PURPOSE_get0 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_PURPOSE_get0)\n#define X509_PURPOSE_get_by_sname BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_PURPOSE_get_by_sname)\n#define X509_PURPOSE_get_id BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_PURPOSE_get_id)\n#define X509_PURPOSE_get_trust BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_PURPOSE_get_trust)\n#define X509_REQ_INFO_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_REQ_INFO_free)\n#define X509_REQ_INFO_it BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_REQ_INFO_it)\n#define X509_REQ_INFO_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_REQ_INFO_new)\n#define X509_REQ_add1_attr BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_REQ_add1_attr)\n#define X509_REQ_add1_attr_by_NID BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_REQ_add1_attr_by_NID)\n#define X509_REQ_add1_attr_by_OBJ BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_REQ_add1_attr_by_OBJ)\n#define X509_REQ_add1_attr_by_txt BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_REQ_add1_attr_by_txt)\n#define X509_REQ_add_extensions BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_REQ_add_extensions)\n#define X509_REQ_add_extensions_nid BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_REQ_add_extensions_nid)\n#define X509_REQ_check_private_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_REQ_check_private_key)\n#define X509_REQ_delete_attr BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_REQ_delete_attr)\n#define X509_REQ_digest BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_REQ_digest)\n#define X509_REQ_dup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_REQ_dup)\n#define X509_REQ_extension_nid BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_REQ_extension_nid)\n#define X509_REQ_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_REQ_free)\n#define X509_REQ_get0_pubkey BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_REQ_get0_pubkey)\n#define X509_REQ_get0_signature BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_REQ_get0_signature)\n#define X509_REQ_get1_email BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_REQ_get1_email)\n#define X509_REQ_get_attr BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_REQ_get_attr)\n#define X509_REQ_get_attr_by_NID BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_REQ_get_attr_by_NID)\n#define X509_REQ_get_attr_by_OBJ BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_REQ_get_attr_by_OBJ)\n#define X509_REQ_get_attr_count BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_REQ_get_attr_count)\n#define X509_REQ_get_extensions BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_REQ_get_extensions)\n#define X509_REQ_get_pubkey BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_REQ_get_pubkey)\n#define X509_REQ_get_signature_nid BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_REQ_get_signature_nid)\n#define X509_REQ_get_subject_name BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_REQ_get_subject_name)\n#define X509_REQ_get_version BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_REQ_get_version)\n#define X509_REQ_it BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_REQ_it)\n#define X509_REQ_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_REQ_new)\n#define X509_REQ_print BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_REQ_print)\n#define X509_REQ_print_ex BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_REQ_print_ex)\n#define X509_REQ_print_fp BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_REQ_print_fp)\n#define X509_REQ_set1_signature_algo BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_REQ_set1_signature_algo)\n#define X509_REQ_set1_signature_value BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_REQ_set1_signature_value)\n#define X509_REQ_set_pubkey BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_REQ_set_pubkey)\n#define X509_REQ_set_subject_name BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_REQ_set_subject_name)\n#define X509_REQ_set_version BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_REQ_set_version)\n#define X509_REQ_sign BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_REQ_sign)\n#define X509_REQ_sign_ctx BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_REQ_sign_ctx)\n#define X509_REQ_verify BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_REQ_verify)\n#define X509_REVOKED_add1_ext_i2d BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_REVOKED_add1_ext_i2d)\n#define X509_REVOKED_add_ext BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_REVOKED_add_ext)\n#define X509_REVOKED_delete_ext BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_REVOKED_delete_ext)\n#define X509_REVOKED_dup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_REVOKED_dup)\n#define X509_REVOKED_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_REVOKED_free)\n#define X509_REVOKED_get0_extensions BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_REVOKED_get0_extensions)\n#define X509_REVOKED_get0_revocationDate BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_REVOKED_get0_revocationDate)\n#define X509_REVOKED_get0_serialNumber BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_REVOKED_get0_serialNumber)\n#define X509_REVOKED_get_ext BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_REVOKED_get_ext)\n#define X509_REVOKED_get_ext_by_NID BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_REVOKED_get_ext_by_NID)\n#define X509_REVOKED_get_ext_by_OBJ BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_REVOKED_get_ext_by_OBJ)\n#define X509_REVOKED_get_ext_by_critical BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_REVOKED_get_ext_by_critical)\n#define X509_REVOKED_get_ext_count BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_REVOKED_get_ext_count)\n#define X509_REVOKED_get_ext_d2i BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_REVOKED_get_ext_d2i)\n#define X509_REVOKED_it BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_REVOKED_it)\n#define X509_REVOKED_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_REVOKED_new)\n#define X509_REVOKED_set_revocationDate BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_REVOKED_set_revocationDate)\n#define X509_REVOKED_set_serialNumber BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_REVOKED_set_serialNumber)\n#define X509_SIG_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_SIG_free)\n#define X509_SIG_get0 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_SIG_get0)\n#define X509_SIG_getm BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_SIG_getm)\n#define X509_SIG_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_SIG_new)\n#define X509_STORE_CTX_cleanup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_CTX_cleanup)\n#define X509_STORE_CTX_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_CTX_free)\n#define X509_STORE_CTX_get0_cert BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_CTX_get0_cert)\n#define X509_STORE_CTX_get0_chain BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_CTX_get0_chain)\n#define X509_STORE_CTX_get0_current_crl BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_CTX_get0_current_crl)\n#define X509_STORE_CTX_get0_param BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_CTX_get0_param)\n#define X509_STORE_CTX_get0_parent_ctx BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_CTX_get0_parent_ctx)\n#define X509_STORE_CTX_get0_store BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_CTX_get0_store)\n#define X509_STORE_CTX_get0_untrusted BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_CTX_get0_untrusted)\n#define X509_STORE_CTX_get1_certs BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_CTX_get1_certs)\n#define X509_STORE_CTX_get1_chain BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_CTX_get1_chain)\n#define X509_STORE_CTX_get1_crls BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_CTX_get1_crls)\n#define X509_STORE_CTX_get1_issuer BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_CTX_get1_issuer)\n#define X509_STORE_CTX_get_by_subject BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_CTX_get_by_subject)\n#define X509_STORE_CTX_get_chain BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_CTX_get_chain)\n#define X509_STORE_CTX_get_current_cert BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_CTX_get_current_cert)\n#define X509_STORE_CTX_get_error BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_CTX_get_error)\n#define X509_STORE_CTX_get_error_depth BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_CTX_get_error_depth)\n#define X509_STORE_CTX_get_ex_data BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_CTX_get_ex_data)\n#define X509_STORE_CTX_get_ex_new_index BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_CTX_get_ex_new_index)\n#define X509_STORE_CTX_init BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_CTX_init)\n#define X509_STORE_CTX_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_CTX_new)\n#define X509_STORE_CTX_set0_crls BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_CTX_set0_crls)\n#define X509_STORE_CTX_set0_param BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_CTX_set0_param)\n#define X509_STORE_CTX_set0_trusted_stack BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_CTX_set0_trusted_stack)\n#define X509_STORE_CTX_set_chain BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_CTX_set_chain)\n#define X509_STORE_CTX_set_default BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_CTX_set_default)\n#define X509_STORE_CTX_set_depth BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_CTX_set_depth)\n#define X509_STORE_CTX_set_error BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_CTX_set_error)\n#define X509_STORE_CTX_set_ex_data BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_CTX_set_ex_data)\n#define X509_STORE_CTX_set_flags BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_CTX_set_flags)\n#define X509_STORE_CTX_set_purpose BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_CTX_set_purpose)\n#define X509_STORE_CTX_set_time BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_CTX_set_time)\n#define X509_STORE_CTX_set_time_posix BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_CTX_set_time_posix)\n#define X509_STORE_CTX_set_trust BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_CTX_set_trust)\n#define X509_STORE_CTX_set_verify_cb BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_CTX_set_verify_cb)\n#define X509_STORE_CTX_trusted_stack BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_CTX_trusted_stack)\n#define X509_STORE_add_cert BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_add_cert)\n#define X509_STORE_add_crl BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_add_crl)\n#define X509_STORE_add_lookup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_add_lookup)\n#define X509_STORE_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_free)\n#define X509_STORE_get0_objects BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_get0_objects)\n#define X509_STORE_get0_param BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_get0_param)\n#define X509_STORE_get1_objects BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_get1_objects)\n#define X509_STORE_load_locations BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_load_locations)\n#define X509_STORE_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_new)\n#define X509_STORE_set1_param BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_set1_param)\n#define X509_STORE_set_default_paths BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_set_default_paths)\n#define X509_STORE_set_depth BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_set_depth)\n#define X509_STORE_set_flags BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_set_flags)\n#define X509_STORE_set_purpose BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_set_purpose)\n#define X509_STORE_set_trust BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_set_trust)\n#define X509_STORE_set_verify_cb BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_set_verify_cb)\n#define X509_STORE_up_ref BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_up_ref)\n#define X509_VAL_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_VAL_free)\n#define X509_VAL_it BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_VAL_it)\n#define X509_VAL_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_VAL_new)\n#define X509_VERIFY_PARAM_add0_policy BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_VERIFY_PARAM_add0_policy)\n#define X509_VERIFY_PARAM_add1_host BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_VERIFY_PARAM_add1_host)\n#define X509_VERIFY_PARAM_clear_flags BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_VERIFY_PARAM_clear_flags)\n#define X509_VERIFY_PARAM_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_VERIFY_PARAM_free)\n#define X509_VERIFY_PARAM_get_depth BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_VERIFY_PARAM_get_depth)\n#define X509_VERIFY_PARAM_get_flags BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_VERIFY_PARAM_get_flags)\n#define X509_VERIFY_PARAM_inherit BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_VERIFY_PARAM_inherit)\n#define X509_VERIFY_PARAM_lookup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_VERIFY_PARAM_lookup)\n#define X509_VERIFY_PARAM_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_VERIFY_PARAM_new)\n#define X509_VERIFY_PARAM_set1 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_VERIFY_PARAM_set1)\n#define X509_VERIFY_PARAM_set1_email BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_VERIFY_PARAM_set1_email)\n#define X509_VERIFY_PARAM_set1_host BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_VERIFY_PARAM_set1_host)\n#define X509_VERIFY_PARAM_set1_ip BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_VERIFY_PARAM_set1_ip)\n#define X509_VERIFY_PARAM_set1_ip_asc BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_VERIFY_PARAM_set1_ip_asc)\n#define X509_VERIFY_PARAM_set1_policies BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_VERIFY_PARAM_set1_policies)\n#define X509_VERIFY_PARAM_set_depth BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_VERIFY_PARAM_set_depth)\n#define X509_VERIFY_PARAM_set_flags BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_VERIFY_PARAM_set_flags)\n#define X509_VERIFY_PARAM_set_hostflags BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_VERIFY_PARAM_set_hostflags)\n#define X509_VERIFY_PARAM_set_purpose BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_VERIFY_PARAM_set_purpose)\n#define X509_VERIFY_PARAM_set_time BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_VERIFY_PARAM_set_time)\n#define X509_VERIFY_PARAM_set_time_posix BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_VERIFY_PARAM_set_time_posix)\n#define X509_VERIFY_PARAM_set_trust BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_VERIFY_PARAM_set_trust)\n#define X509_add1_ext_i2d BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_add1_ext_i2d)\n#define X509_add1_reject_object BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_add1_reject_object)\n#define X509_add1_trust_object BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_add1_trust_object)\n#define X509_add_ext BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_add_ext)\n#define X509_alias_get0 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_alias_get0)\n#define X509_alias_set1 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_alias_set1)\n#define X509_chain_up_ref BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_chain_up_ref)\n#define X509_check_akid BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_check_akid)\n#define X509_check_ca BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_check_ca)\n#define X509_check_email BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_check_email)\n#define X509_check_host BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_check_host)\n#define X509_check_ip BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_check_ip)\n#define X509_check_ip_asc BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_check_ip_asc)\n#define X509_check_issued BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_check_issued)\n#define X509_check_private_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_check_private_key)\n#define X509_check_purpose BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_check_purpose)\n#define X509_check_trust BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_check_trust)\n#define X509_cmp BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_cmp)\n#define X509_cmp_current_time BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_cmp_current_time)\n#define X509_cmp_time BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_cmp_time)\n#define X509_cmp_time_posix BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_cmp_time_posix)\n#define X509_delete_ext BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_delete_ext)\n#define X509_digest BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_digest)\n#define X509_dup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_dup)\n#define X509_email_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_email_free)\n#define X509_find_by_issuer_and_serial BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_find_by_issuer_and_serial)\n#define X509_find_by_subject BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_find_by_subject)\n#define X509_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_free)\n#define X509_get0_authority_issuer BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_get0_authority_issuer)\n#define X509_get0_authority_key_id BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_get0_authority_key_id)\n#define X509_get0_authority_serial BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_get0_authority_serial)\n#define X509_get0_extensions BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_get0_extensions)\n#define X509_get0_notAfter BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_get0_notAfter)\n#define X509_get0_notBefore BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_get0_notBefore)\n#define X509_get0_pubkey BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_get0_pubkey)\n#define X509_get0_pubkey_bitstr BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_get0_pubkey_bitstr)\n#define X509_get0_serialNumber BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_get0_serialNumber)\n#define X509_get0_signature BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_get0_signature)\n#define X509_get0_subject_key_id BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_get0_subject_key_id)\n#define X509_get0_tbs_sigalg BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_get0_tbs_sigalg)\n#define X509_get0_uids BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_get0_uids)\n#define X509_get1_email BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_get1_email)\n#define X509_get1_ocsp BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_get1_ocsp)\n#define X509_get_X509_PUBKEY BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_get_X509_PUBKEY)\n#define X509_get_default_cert_area BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_get_default_cert_area)\n#define X509_get_default_cert_dir BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_get_default_cert_dir)\n#define X509_get_default_cert_dir_env BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_get_default_cert_dir_env)\n#define X509_get_default_cert_file BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_get_default_cert_file)\n#define X509_get_default_cert_file_env BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_get_default_cert_file_env)\n#define X509_get_default_private_dir BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_get_default_private_dir)\n#define X509_get_ex_data BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_get_ex_data)\n#define X509_get_ex_new_index BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_get_ex_new_index)\n#define X509_get_ext BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_get_ext)\n#define X509_get_ext_by_NID BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_get_ext_by_NID)\n#define X509_get_ext_by_OBJ BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_get_ext_by_OBJ)\n#define X509_get_ext_by_critical BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_get_ext_by_critical)\n#define X509_get_ext_count BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_get_ext_count)\n#define X509_get_ext_d2i BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_get_ext_d2i)\n#define X509_get_extended_key_usage BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_get_extended_key_usage)\n#define X509_get_extension_flags BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_get_extension_flags)\n#define X509_get_issuer_name BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_get_issuer_name)\n#define X509_get_key_usage BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_get_key_usage)\n#define X509_get_notAfter BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_get_notAfter)\n#define X509_get_notBefore BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_get_notBefore)\n#define X509_get_pathlen BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_get_pathlen)\n#define X509_get_pubkey BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_get_pubkey)\n#define X509_get_serialNumber BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_get_serialNumber)\n#define X509_get_signature_nid BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_get_signature_nid)\n#define X509_get_subject_name BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_get_subject_name)\n#define X509_get_version BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_get_version)\n#define X509_getm_notAfter BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_getm_notAfter)\n#define X509_getm_notBefore BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_getm_notBefore)\n#define X509_gmtime_adj BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_gmtime_adj)\n#define X509_is_valid_trust_id BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_is_valid_trust_id)\n#define X509_issuer_name_cmp BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_issuer_name_cmp)\n#define X509_issuer_name_hash BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_issuer_name_hash)\n#define X509_issuer_name_hash_old BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_issuer_name_hash_old)\n#define X509_it BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_it)\n#define X509_keyid_get0 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_keyid_get0)\n#define X509_keyid_set1 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_keyid_set1)\n#define X509_load_cert_crl_file BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_load_cert_crl_file)\n#define X509_load_cert_file BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_load_cert_file)\n#define X509_load_crl_file BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_load_crl_file)\n#define X509_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_new)\n#define X509_parse_from_buffer BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_parse_from_buffer)\n#define X509_policy_check BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_policy_check)\n#define X509_print BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_print)\n#define X509_print_ex BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_print_ex)\n#define X509_print_ex_fp BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_print_ex_fp)\n#define X509_print_fp BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_print_fp)\n#define X509_pubkey_digest BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_pubkey_digest)\n#define X509_reject_clear BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_reject_clear)\n#define X509_set1_notAfter BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_set1_notAfter)\n#define X509_set1_notBefore BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_set1_notBefore)\n#define X509_set1_signature_algo BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_set1_signature_algo)\n#define X509_set1_signature_value BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_set1_signature_value)\n#define X509_set_ex_data BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_set_ex_data)\n#define X509_set_issuer_name BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_set_issuer_name)\n#define X509_set_notAfter BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_set_notAfter)\n#define X509_set_notBefore BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_set_notBefore)\n#define X509_set_pubkey BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_set_pubkey)\n#define X509_set_serialNumber BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_set_serialNumber)\n#define X509_set_subject_name BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_set_subject_name)\n#define X509_set_version BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_set_version)\n#define X509_sign BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_sign)\n#define X509_sign_ctx BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_sign_ctx)\n#define X509_signature_dump BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_signature_dump)\n#define X509_signature_print BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_signature_print)\n#define X509_subject_name_cmp BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_subject_name_cmp)\n#define X509_subject_name_hash BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_subject_name_hash)\n#define X509_subject_name_hash_old BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_subject_name_hash_old)\n#define X509_supported_extension BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_supported_extension)\n#define X509_time_adj BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_time_adj)\n#define X509_time_adj_ex BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_time_adj_ex)\n#define X509_trust_clear BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_trust_clear)\n#define X509_up_ref BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_up_ref)\n#define X509_verify BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_verify)\n#define X509_verify_cert BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_verify_cert)\n#define X509_verify_cert_error_string BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_verify_cert_error_string)\n#define X509v3_add_ext BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509v3_add_ext)\n#define X509v3_delete_ext BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509v3_delete_ext)\n#define X509v3_get_ext BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509v3_get_ext)\n#define X509v3_get_ext_by_NID BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509v3_get_ext_by_NID)\n#define X509v3_get_ext_by_OBJ BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509v3_get_ext_by_OBJ)\n#define X509v3_get_ext_by_critical BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509v3_get_ext_by_critical)\n#define X509v3_get_ext_count BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509v3_get_ext_count)\n#define __clang_call_terminate BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, __clang_call_terminate)\n#define a2i_IPADDRESS BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, a2i_IPADDRESS)\n#define a2i_IPADDRESS_NC BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, a2i_IPADDRESS_NC)\n#define aes128gcmsiv_aes_ks BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, aes128gcmsiv_aes_ks)\n#define aes128gcmsiv_aes_ks_enc_x1 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, aes128gcmsiv_aes_ks_enc_x1)\n#define aes128gcmsiv_dec BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, aes128gcmsiv_dec)\n#define aes128gcmsiv_ecb_enc_block BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, aes128gcmsiv_ecb_enc_block)\n#define aes128gcmsiv_enc_msg_x4 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, aes128gcmsiv_enc_msg_x4)\n#define aes128gcmsiv_enc_msg_x8 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, aes128gcmsiv_enc_msg_x8)\n#define aes128gcmsiv_kdf BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, aes128gcmsiv_kdf)\n#define aes256gcmsiv_aes_ks BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, aes256gcmsiv_aes_ks)\n#define aes256gcmsiv_aes_ks_enc_x1 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, aes256gcmsiv_aes_ks_enc_x1)\n#define aes256gcmsiv_dec BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, aes256gcmsiv_dec)\n#define aes256gcmsiv_ecb_enc_block BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, aes256gcmsiv_ecb_enc_block)\n#define aes256gcmsiv_enc_msg_x4 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, aes256gcmsiv_enc_msg_x4)\n#define aes256gcmsiv_enc_msg_x8 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, aes256gcmsiv_enc_msg_x8)\n#define aes256gcmsiv_kdf BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, aes256gcmsiv_kdf)\n#define aes_ctr_set_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, aes_ctr_set_key)\n#define aes_gcm_dec_kernel BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, aes_gcm_dec_kernel)\n#define aes_gcm_dec_update_vaes_avx10_512 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, aes_gcm_dec_update_vaes_avx10_512)\n#define aes_gcm_dec_update_vaes_avx2 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, aes_gcm_dec_update_vaes_avx2)\n#define aes_gcm_enc_kernel BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, aes_gcm_enc_kernel)\n#define aes_gcm_enc_update_vaes_avx10_512 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, aes_gcm_enc_update_vaes_avx10_512)\n#define aes_gcm_enc_update_vaes_avx2 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, aes_gcm_enc_update_vaes_avx2)\n#define aes_hw_cbc_encrypt BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, aes_hw_cbc_encrypt)\n#define aes_hw_ctr32_encrypt_blocks BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, aes_hw_ctr32_encrypt_blocks)\n#define aes_hw_decrypt BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, aes_hw_decrypt)\n#define aes_hw_ecb_encrypt BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, aes_hw_ecb_encrypt)\n#define aes_hw_encrypt BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, aes_hw_encrypt)\n#define aes_hw_encrypt_key_to_decrypt_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, aes_hw_encrypt_key_to_decrypt_key)\n#define aes_hw_set_decrypt_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, aes_hw_set_decrypt_key)\n#define aes_hw_set_encrypt_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, aes_hw_set_encrypt_key)\n#define aes_hw_set_encrypt_key_alt BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, aes_hw_set_encrypt_key_alt)\n#define aes_hw_set_encrypt_key_alt_preferred BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, aes_hw_set_encrypt_key_alt_preferred)\n#define aes_hw_set_encrypt_key_base BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, aes_hw_set_encrypt_key_base)\n#define aes_nohw_cbc_encrypt BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, aes_nohw_cbc_encrypt)\n#define aes_nohw_ctr32_encrypt_blocks BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, aes_nohw_ctr32_encrypt_blocks)\n#define aes_nohw_decrypt BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, aes_nohw_decrypt)\n#define aes_nohw_encrypt BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, aes_nohw_encrypt)\n#define aes_nohw_set_decrypt_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, aes_nohw_set_decrypt_key)\n#define aes_nohw_set_encrypt_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, aes_nohw_set_encrypt_key)\n#define aesgcmsiv_htable6_init BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, aesgcmsiv_htable6_init)\n#define aesgcmsiv_htable_init BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, aesgcmsiv_htable_init)\n#define aesgcmsiv_htable_polyval BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, aesgcmsiv_htable_polyval)\n#define aesgcmsiv_polyval_horner BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, aesgcmsiv_polyval_horner)\n#define aesni_gcm_decrypt BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, aesni_gcm_decrypt)\n#define aesni_gcm_encrypt BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, aesni_gcm_encrypt)\n#define asn1_bit_string_length BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, asn1_bit_string_length)\n#define asn1_do_adb BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, asn1_do_adb)\n#define asn1_enc_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, asn1_enc_free)\n#define asn1_enc_init BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, asn1_enc_init)\n#define asn1_enc_restore BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, asn1_enc_restore)\n#define asn1_enc_save BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, asn1_enc_save)\n#define asn1_encoding_clear BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, asn1_encoding_clear)\n#define asn1_generalizedtime_to_tm BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, asn1_generalizedtime_to_tm)\n#define asn1_get_choice_selector BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, asn1_get_choice_selector)\n#define asn1_get_field_ptr BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, asn1_get_field_ptr)\n#define asn1_get_string_table_for_testing BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, asn1_get_string_table_for_testing)\n#define asn1_is_printable BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, asn1_is_printable)\n#define asn1_refcount_dec_and_test_zero BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, asn1_refcount_dec_and_test_zero)\n#define asn1_refcount_set_one BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, asn1_refcount_set_one)\n#define asn1_set_choice_selector BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, asn1_set_choice_selector)\n#define asn1_type_cleanup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, asn1_type_cleanup)\n#define asn1_type_set0_string BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, asn1_type_set0_string)\n#define asn1_type_value_as_pointer BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, asn1_type_value_as_pointer)\n#define asn1_utctime_to_tm BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, asn1_utctime_to_tm)\n#define bcm_as_approved_status BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bcm_as_approved_status)\n#define bcm_success BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bcm_success)\n#define beeu_mod_inverse_vartime BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, beeu_mod_inverse_vartime)\n#define bio_clear_socket_error BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bio_clear_socket_error)\n#define bio_errno_should_retry BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bio_errno_should_retry)\n#define bio_ip_and_port_to_socket_and_addr BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bio_ip_and_port_to_socket_and_addr)\n#define bio_sock_error BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bio_sock_error)\n#define bio_socket_nbio BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bio_socket_nbio)\n#define bio_socket_should_retry BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bio_socket_should_retry)\n#define bn_abs_sub_consttime BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_abs_sub_consttime)\n#define bn_add_words BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_add_words)\n#define bn_assert_fits_in_bytes BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_assert_fits_in_bytes)\n#define bn_big_endian_to_words BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_big_endian_to_words)\n#define bn_copy_words BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_copy_words)\n#define bn_declassify BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_declassify)\n#define bn_div_consttime BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_div_consttime)\n#define bn_expand BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_expand)\n#define bn_fits_in_words BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_fits_in_words)\n#define bn_from_montgomery_small BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_from_montgomery_small)\n#define bn_gather5 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_gather5)\n#define bn_in_range_words BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_in_range_words)\n#define bn_is_bit_set_words BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_is_bit_set_words)\n#define bn_is_relatively_prime BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_is_relatively_prime)\n#define bn_jacobi BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_jacobi)\n#define bn_lcm_consttime BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_lcm_consttime)\n#define bn_less_than_montgomery_R BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_less_than_montgomery_R)\n#define bn_less_than_words BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_less_than_words)\n#define bn_miller_rabin_init BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_miller_rabin_init)\n#define bn_miller_rabin_iteration BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_miller_rabin_iteration)\n#define bn_minimal_width BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_minimal_width)\n#define bn_mod_add_consttime BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_mod_add_consttime)\n#define bn_mod_add_words BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_mod_add_words)\n#define bn_mod_exp_mont_small BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_mod_exp_mont_small)\n#define bn_mod_inverse0_prime_mont_small BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_mod_inverse0_prime_mont_small)\n#define bn_mod_inverse_consttime BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_mod_inverse_consttime)\n#define bn_mod_inverse_prime BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_mod_inverse_prime)\n#define bn_mod_inverse_secret_prime BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_mod_inverse_secret_prime)\n#define bn_mod_lshift1_consttime BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_mod_lshift1_consttime)\n#define bn_mod_lshift_consttime BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_mod_lshift_consttime)\n#define bn_mod_mul_montgomery_small BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_mod_mul_montgomery_small)\n#define bn_mod_sub_consttime BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_mod_sub_consttime)\n#define bn_mod_sub_words BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_mod_sub_words)\n#define bn_mod_u16_consttime BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_mod_u16_consttime)\n#define bn_mont_ctx_cleanup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_mont_ctx_cleanup)\n#define bn_mont_ctx_init BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_mont_ctx_init)\n#define bn_mont_ctx_set_RR_consttime BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_mont_ctx_set_RR_consttime)\n#define bn_mont_n0 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_mont_n0)\n#define bn_mul4x_mont BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_mul4x_mont)\n#define bn_mul4x_mont_capable BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_mul4x_mont_capable)\n#define bn_mul4x_mont_gather5 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_mul4x_mont_gather5)\n#define bn_mul4x_mont_gather5_capable BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_mul4x_mont_gather5_capable)\n#define bn_mul_add_words BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_mul_add_words)\n#define bn_mul_comba4 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_mul_comba4)\n#define bn_mul_comba8 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_mul_comba8)\n#define bn_mul_consttime BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_mul_consttime)\n#define bn_mul_mont BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_mul_mont)\n#define bn_mul_mont_gather5_nohw BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_mul_mont_gather5_nohw)\n#define bn_mul_mont_nohw BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_mul_mont_nohw)\n#define bn_mul_small BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_mul_small)\n#define bn_mul_words BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_mul_words)\n#define bn_mulx4x_mont BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_mulx4x_mont)\n#define bn_mulx4x_mont_capable BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_mulx4x_mont_capable)\n#define bn_mulx4x_mont_gather5 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_mulx4x_mont_gather5)\n#define bn_mulx4x_mont_gather5_capable BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_mulx4x_mont_gather5_capable)\n#define bn_mulx_adx_capable BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_mulx_adx_capable)\n#define bn_odd_number_is_obviously_composite BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_odd_number_is_obviously_composite)\n#define bn_one_to_montgomery BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_one_to_montgomery)\n#define bn_power5_capable BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_power5_capable)\n#define bn_power5_nohw BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_power5_nohw)\n#define bn_powerx5 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_powerx5)\n#define bn_powerx5_capable BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_powerx5_capable)\n#define bn_rand_range_words BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_rand_range_words)\n#define bn_rand_secret_range BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_rand_secret_range)\n#define bn_reduce_once BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_reduce_once)\n#define bn_reduce_once_in_place BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_reduce_once_in_place)\n#define bn_resize_words BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_resize_words)\n#define bn_rshift1_words BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_rshift1_words)\n#define bn_rshift_secret_shift BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_rshift_secret_shift)\n#define bn_rshift_words BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_rshift_words)\n#define bn_scatter5 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_scatter5)\n#define bn_secret BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_secret)\n#define bn_select_words BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_select_words)\n#define bn_set_minimal_width BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_set_minimal_width)\n#define bn_set_static_words BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_set_static_words)\n#define bn_set_words BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_set_words)\n#define bn_sqr8x_internal BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_sqr8x_internal)\n#define bn_sqr8x_mont BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_sqr8x_mont)\n#define bn_sqr8x_mont_capable BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_sqr8x_mont_capable)\n#define bn_sqr_comba4 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_sqr_comba4)\n#define bn_sqr_comba8 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_sqr_comba8)\n#define bn_sqr_consttime BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_sqr_consttime)\n#define bn_sqr_small BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_sqr_small)\n#define bn_sqr_words BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_sqr_words)\n#define bn_sqrx8x_internal BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_sqrx8x_internal)\n#define bn_sub_words BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_sub_words)\n#define bn_to_montgomery_small BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_to_montgomery_small)\n#define bn_uadd_consttime BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_uadd_consttime)\n#define bn_usub_consttime BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_usub_consttime)\n#define bn_wexpand BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_wexpand)\n#define bn_words_to_big_endian BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_words_to_big_endian)\n#define boringssl_ensure_ecc_self_test BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, boringssl_ensure_ecc_self_test)\n#define boringssl_ensure_ffdh_self_test BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, boringssl_ensure_ffdh_self_test)\n#define boringssl_ensure_rsa_self_test BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, boringssl_ensure_rsa_self_test)\n#define boringssl_fips_break_test BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, boringssl_fips_break_test)\n#define boringssl_fips_inc_counter BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, boringssl_fips_inc_counter)\n#define boringssl_self_test_hmac_sha256 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, boringssl_self_test_hmac_sha256)\n#define boringssl_self_test_sha256 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, boringssl_self_test_sha256)\n#define boringssl_self_test_sha512 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, boringssl_self_test_sha512)\n#define bsaes_capable BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bsaes_capable)\n#define bsaes_cbc_encrypt BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bsaes_cbc_encrypt)\n#define c2i_ASN1_BIT_STRING BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, c2i_ASN1_BIT_STRING)\n#define c2i_ASN1_INTEGER BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, c2i_ASN1_INTEGER)\n#define c2i_ASN1_OBJECT BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, c2i_ASN1_OBJECT)\n#define chacha20_poly1305_asm_capable BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, chacha20_poly1305_asm_capable)\n#define chacha20_poly1305_open BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, chacha20_poly1305_open)\n#define chacha20_poly1305_open_avx2 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, chacha20_poly1305_open_avx2)\n#define chacha20_poly1305_open_nohw BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, chacha20_poly1305_open_nohw)\n#define chacha20_poly1305_seal BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, chacha20_poly1305_seal)\n#define chacha20_poly1305_seal_avx2 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, chacha20_poly1305_seal_avx2)\n#define chacha20_poly1305_seal_nohw BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, chacha20_poly1305_seal_nohw)\n#define crypto_gcm_clmul_enabled BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, crypto_gcm_clmul_enabled)\n#define d2i_ASN1_BIT_STRING BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_ASN1_BIT_STRING)\n#define d2i_ASN1_BMPSTRING BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_ASN1_BMPSTRING)\n#define d2i_ASN1_BOOLEAN BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_ASN1_BOOLEAN)\n#define d2i_ASN1_ENUMERATED BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_ASN1_ENUMERATED)\n#define d2i_ASN1_GENERALIZEDTIME BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_ASN1_GENERALIZEDTIME)\n#define d2i_ASN1_GENERALSTRING BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_ASN1_GENERALSTRING)\n#define d2i_ASN1_IA5STRING BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_ASN1_IA5STRING)\n#define d2i_ASN1_INTEGER BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_ASN1_INTEGER)\n#define d2i_ASN1_NULL BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_ASN1_NULL)\n#define d2i_ASN1_OBJECT BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_ASN1_OBJECT)\n#define d2i_ASN1_OCTET_STRING BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_ASN1_OCTET_STRING)\n#define d2i_ASN1_PRINTABLE BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_ASN1_PRINTABLE)\n#define d2i_ASN1_PRINTABLESTRING BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_ASN1_PRINTABLESTRING)\n#define d2i_ASN1_SEQUENCE_ANY BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_ASN1_SEQUENCE_ANY)\n#define d2i_ASN1_SET_ANY BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_ASN1_SET_ANY)\n#define d2i_ASN1_T61STRING BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_ASN1_T61STRING)\n#define d2i_ASN1_TIME BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_ASN1_TIME)\n#define d2i_ASN1_TYPE BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_ASN1_TYPE)\n#define d2i_ASN1_UNIVERSALSTRING BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_ASN1_UNIVERSALSTRING)\n#define d2i_ASN1_UTCTIME BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_ASN1_UTCTIME)\n#define d2i_ASN1_UTF8STRING BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_ASN1_UTF8STRING)\n#define d2i_ASN1_VISIBLESTRING BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_ASN1_VISIBLESTRING)\n#define d2i_AUTHORITY_INFO_ACCESS BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_AUTHORITY_INFO_ACCESS)\n#define d2i_AUTHORITY_KEYID BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_AUTHORITY_KEYID)\n#define d2i_AutoPrivateKey BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_AutoPrivateKey)\n#define d2i_BASIC_CONSTRAINTS BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_BASIC_CONSTRAINTS)\n#define d2i_CERTIFICATEPOLICIES BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_CERTIFICATEPOLICIES)\n#define d2i_CRL_DIST_POINTS BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_CRL_DIST_POINTS)\n#define d2i_DHparams BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_DHparams)\n#define d2i_DHparams_bio BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_DHparams_bio)\n#define d2i_DIRECTORYSTRING BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_DIRECTORYSTRING)\n#define d2i_DISPLAYTEXT BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_DISPLAYTEXT)\n#define d2i_DSAPrivateKey BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_DSAPrivateKey)\n#define d2i_DSAPrivateKey_bio BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_DSAPrivateKey_bio)\n#define d2i_DSAPrivateKey_fp BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_DSAPrivateKey_fp)\n#define d2i_DSAPublicKey BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_DSAPublicKey)\n#define d2i_DSA_PUBKEY BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_DSA_PUBKEY)\n#define d2i_DSA_PUBKEY_bio BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_DSA_PUBKEY_bio)\n#define d2i_DSA_PUBKEY_fp BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_DSA_PUBKEY_fp)\n#define d2i_DSA_SIG BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_DSA_SIG)\n#define d2i_DSAparams BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_DSAparams)\n#define d2i_ECDSA_SIG BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_ECDSA_SIG)\n#define d2i_ECPKParameters BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_ECPKParameters)\n#define d2i_ECParameters BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_ECParameters)\n#define d2i_ECPrivateKey BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_ECPrivateKey)\n#define d2i_ECPrivateKey_bio BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_ECPrivateKey_bio)\n#define d2i_ECPrivateKey_fp BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_ECPrivateKey_fp)\n#define d2i_EC_PUBKEY BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_EC_PUBKEY)\n#define d2i_EC_PUBKEY_bio BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_EC_PUBKEY_bio)\n#define d2i_EC_PUBKEY_fp BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_EC_PUBKEY_fp)\n#define d2i_EXTENDED_KEY_USAGE BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_EXTENDED_KEY_USAGE)\n#define d2i_GENERAL_NAME BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_GENERAL_NAME)\n#define d2i_GENERAL_NAMES BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_GENERAL_NAMES)\n#define d2i_ISSUING_DIST_POINT BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_ISSUING_DIST_POINT)\n#define d2i_NETSCAPE_SPKAC BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_NETSCAPE_SPKAC)\n#define d2i_NETSCAPE_SPKI BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_NETSCAPE_SPKI)\n#define d2i_PKCS12 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_PKCS12)\n#define d2i_PKCS12_bio BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_PKCS12_bio)\n#define d2i_PKCS12_fp BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_PKCS12_fp)\n#define d2i_PKCS7 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_PKCS7)\n#define d2i_PKCS7_bio BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_PKCS7_bio)\n#define d2i_PKCS8PrivateKey_bio BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_PKCS8PrivateKey_bio)\n#define d2i_PKCS8PrivateKey_fp BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_PKCS8PrivateKey_fp)\n#define d2i_PKCS8_PRIV_KEY_INFO BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_PKCS8_PRIV_KEY_INFO)\n#define d2i_PKCS8_PRIV_KEY_INFO_bio BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_PKCS8_PRIV_KEY_INFO_bio)\n#define d2i_PKCS8_PRIV_KEY_INFO_fp BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_PKCS8_PRIV_KEY_INFO_fp)\n#define d2i_PKCS8_bio BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_PKCS8_bio)\n#define d2i_PKCS8_fp BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_PKCS8_fp)\n#define d2i_PUBKEY BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_PUBKEY)\n#define d2i_PUBKEY_bio BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_PUBKEY_bio)\n#define d2i_PUBKEY_fp BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_PUBKEY_fp)\n#define d2i_PrivateKey BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_PrivateKey)\n#define d2i_PrivateKey_bio BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_PrivateKey_bio)\n#define d2i_PrivateKey_fp BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_PrivateKey_fp)\n#define d2i_PublicKey BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_PublicKey)\n#define d2i_RSAPrivateKey BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_RSAPrivateKey)\n#define d2i_RSAPrivateKey_bio BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_RSAPrivateKey_bio)\n#define d2i_RSAPrivateKey_fp BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_RSAPrivateKey_fp)\n#define d2i_RSAPublicKey BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_RSAPublicKey)\n#define d2i_RSAPublicKey_bio BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_RSAPublicKey_bio)\n#define d2i_RSAPublicKey_fp BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_RSAPublicKey_fp)\n#define d2i_RSA_PSS_PARAMS BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_RSA_PSS_PARAMS)\n#define d2i_RSA_PUBKEY BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_RSA_PUBKEY)\n#define d2i_RSA_PUBKEY_bio BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_RSA_PUBKEY_bio)\n#define d2i_RSA_PUBKEY_fp BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_RSA_PUBKEY_fp)\n#define d2i_SSL_SESSION BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_SSL_SESSION)\n#define d2i_SSL_SESSION_bio BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_SSL_SESSION_bio)\n#define d2i_X509 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_X509)\n#define d2i_X509_ALGOR BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_X509_ALGOR)\n#define d2i_X509_ATTRIBUTE BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_X509_ATTRIBUTE)\n#define d2i_X509_AUX BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_X509_AUX)\n#define d2i_X509_CERT_AUX BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_X509_CERT_AUX)\n#define d2i_X509_CINF BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_X509_CINF)\n#define d2i_X509_CRL BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_X509_CRL)\n#define d2i_X509_CRL_INFO BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_X509_CRL_INFO)\n#define d2i_X509_CRL_bio BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_X509_CRL_bio)\n#define d2i_X509_CRL_fp BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_X509_CRL_fp)\n#define d2i_X509_EXTENSION BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_X509_EXTENSION)\n#define d2i_X509_EXTENSIONS BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_X509_EXTENSIONS)\n#define d2i_X509_NAME BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_X509_NAME)\n#define d2i_X509_PUBKEY BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_X509_PUBKEY)\n#define d2i_X509_REQ BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_X509_REQ)\n#define d2i_X509_REQ_INFO BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_X509_REQ_INFO)\n#define d2i_X509_REQ_bio BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_X509_REQ_bio)\n#define d2i_X509_REQ_fp BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_X509_REQ_fp)\n#define d2i_X509_REVOKED BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_X509_REVOKED)\n#define d2i_X509_SIG BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_X509_SIG)\n#define d2i_X509_VAL BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_X509_VAL)\n#define d2i_X509_bio BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_X509_bio)\n#define d2i_X509_fp BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_X509_fp)\n#define dh_asn1_meth BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, dh_asn1_meth)\n#define dh_check_params_fast BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, dh_check_params_fast)\n#define dh_compute_key_padded_no_self_test BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, dh_compute_key_padded_no_self_test)\n#define dh_pkey_meth BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, dh_pkey_meth)\n#define dsa_asn1_meth BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, dsa_asn1_meth)\n#define dsa_check_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, dsa_check_key)\n#define ec_GFp_mont_add BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ec_GFp_mont_add)\n#define ec_GFp_mont_dbl BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ec_GFp_mont_dbl)\n#define ec_GFp_mont_felem_exp BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ec_GFp_mont_felem_exp)\n#define ec_GFp_mont_felem_from_bytes BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ec_GFp_mont_felem_from_bytes)\n#define ec_GFp_mont_felem_mul BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ec_GFp_mont_felem_mul)\n#define ec_GFp_mont_felem_reduce BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ec_GFp_mont_felem_reduce)\n#define ec_GFp_mont_felem_sqr BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ec_GFp_mont_felem_sqr)\n#define ec_GFp_mont_felem_to_bytes BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ec_GFp_mont_felem_to_bytes)\n#define ec_GFp_mont_init_precomp BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ec_GFp_mont_init_precomp)\n#define ec_GFp_mont_mul BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ec_GFp_mont_mul)\n#define ec_GFp_mont_mul_base BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ec_GFp_mont_mul_base)\n#define ec_GFp_mont_mul_batch BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ec_GFp_mont_mul_batch)\n#define ec_GFp_mont_mul_precomp BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ec_GFp_mont_mul_precomp)\n#define ec_GFp_mont_mul_public_batch BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ec_GFp_mont_mul_public_batch)\n#define ec_GFp_nistp_recode_scalar_bits BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ec_GFp_nistp_recode_scalar_bits)\n#define ec_GFp_simple_cmp_x_coordinate BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ec_GFp_simple_cmp_x_coordinate)\n#define ec_GFp_simple_felem_from_bytes BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ec_GFp_simple_felem_from_bytes)\n#define ec_GFp_simple_felem_to_bytes BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ec_GFp_simple_felem_to_bytes)\n#define ec_GFp_simple_group_get_curve BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ec_GFp_simple_group_get_curve)\n#define ec_GFp_simple_group_set_curve BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ec_GFp_simple_group_set_curve)\n#define ec_GFp_simple_invert BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ec_GFp_simple_invert)\n#define ec_GFp_simple_is_at_infinity BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ec_GFp_simple_is_at_infinity)\n#define ec_GFp_simple_is_on_curve BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ec_GFp_simple_is_on_curve)\n#define ec_GFp_simple_point_copy BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ec_GFp_simple_point_copy)\n#define ec_GFp_simple_point_init BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ec_GFp_simple_point_init)\n#define ec_GFp_simple_point_set_to_infinity BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ec_GFp_simple_point_set_to_infinity)\n#define ec_GFp_simple_points_equal BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ec_GFp_simple_points_equal)\n#define ec_affine_jacobian_equal BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ec_affine_jacobian_equal)\n#define ec_affine_select BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ec_affine_select)\n#define ec_affine_to_jacobian BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ec_affine_to_jacobian)\n#define ec_asn1_meth BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ec_asn1_meth)\n#define ec_bignum_to_felem BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ec_bignum_to_felem)\n#define ec_bignum_to_scalar BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ec_bignum_to_scalar)\n#define ec_cmp_x_coordinate BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ec_cmp_x_coordinate)\n#define ec_compute_wNAF BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ec_compute_wNAF)\n#define ec_felem_add BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ec_felem_add)\n#define ec_felem_equal BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ec_felem_equal)\n#define ec_felem_from_bytes BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ec_felem_from_bytes)\n#define ec_felem_neg BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ec_felem_neg)\n#define ec_felem_non_zero_mask BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ec_felem_non_zero_mask)\n#define ec_felem_one BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ec_felem_one)\n#define ec_felem_select BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ec_felem_select)\n#define ec_felem_sub BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ec_felem_sub)\n#define ec_felem_to_bignum BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ec_felem_to_bignum)\n#define ec_felem_to_bytes BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ec_felem_to_bytes)\n#define ec_get_x_coordinate_as_bytes BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ec_get_x_coordinate_as_bytes)\n#define ec_get_x_coordinate_as_scalar BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ec_get_x_coordinate_as_scalar)\n#define ec_hash_to_curve_p256_xmd_sha256_sswu BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ec_hash_to_curve_p256_xmd_sha256_sswu)\n#define ec_hash_to_curve_p384_xmd_sha384_sswu BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ec_hash_to_curve_p384_xmd_sha384_sswu)\n#define ec_hash_to_curve_p384_xmd_sha512_sswu_draft07 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ec_hash_to_curve_p384_xmd_sha512_sswu_draft07)\n#define ec_hash_to_scalar_p384_xmd_sha384 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ec_hash_to_scalar_p384_xmd_sha384)\n#define ec_hash_to_scalar_p384_xmd_sha512_draft07 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ec_hash_to_scalar_p384_xmd_sha512_draft07)\n#define ec_init_precomp BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ec_init_precomp)\n#define ec_jacobian_to_affine BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ec_jacobian_to_affine)\n#define ec_jacobian_to_affine_batch BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ec_jacobian_to_affine_batch)\n#define ec_pkey_meth BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ec_pkey_meth)\n#define ec_point_byte_len BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ec_point_byte_len)\n#define ec_point_from_uncompressed BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ec_point_from_uncompressed)\n#define ec_point_mul_no_self_test BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ec_point_mul_no_self_test)\n#define ec_point_mul_scalar BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ec_point_mul_scalar)\n#define ec_point_mul_scalar_base BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ec_point_mul_scalar_base)\n#define ec_point_mul_scalar_batch BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ec_point_mul_scalar_batch)\n#define ec_point_mul_scalar_precomp BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ec_point_mul_scalar_precomp)\n#define ec_point_mul_scalar_public BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ec_point_mul_scalar_public)\n#define ec_point_mul_scalar_public_batch BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ec_point_mul_scalar_public_batch)\n#define ec_point_select BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ec_point_select)\n#define ec_point_set_affine_coordinates BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ec_point_set_affine_coordinates)\n#define ec_point_to_bytes BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ec_point_to_bytes)\n#define ec_precomp_select BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ec_precomp_select)\n#define ec_random_nonzero_scalar BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ec_random_nonzero_scalar)\n#define ec_random_scalar BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ec_random_scalar)\n#define ec_scalar_add BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ec_scalar_add)\n#define ec_scalar_equal_vartime BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ec_scalar_equal_vartime)\n#define ec_scalar_from_bytes BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ec_scalar_from_bytes)\n#define ec_scalar_from_montgomery BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ec_scalar_from_montgomery)\n#define ec_scalar_inv0_montgomery BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ec_scalar_inv0_montgomery)\n#define ec_scalar_is_zero BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ec_scalar_is_zero)\n#define ec_scalar_mul_montgomery BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ec_scalar_mul_montgomery)\n#define ec_scalar_neg BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ec_scalar_neg)\n#define ec_scalar_reduce BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ec_scalar_reduce)\n#define ec_scalar_select BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ec_scalar_select)\n#define ec_scalar_sub BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ec_scalar_sub)\n#define ec_scalar_to_bytes BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ec_scalar_to_bytes)\n#define ec_scalar_to_montgomery BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ec_scalar_to_montgomery)\n#define ec_scalar_to_montgomery_inv_vartime BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ec_scalar_to_montgomery_inv_vartime)\n#define ec_set_to_safe_point BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ec_set_to_safe_point)\n#define ec_simple_scalar_inv0_montgomery BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ec_simple_scalar_inv0_montgomery)\n#define ec_simple_scalar_to_montgomery_inv_vartime BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ec_simple_scalar_to_montgomery_inv_vartime)\n#define ecdsa_sign_fixed BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ecdsa_sign_fixed)\n#define ecdsa_sign_fixed_with_nonce_for_known_answer_test BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ecdsa_sign_fixed_with_nonce_for_known_answer_test)\n#define ecdsa_verify_fixed BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ecdsa_verify_fixed)\n#define ecdsa_verify_fixed_no_self_test BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ecdsa_verify_fixed_no_self_test)\n#define ecp_nistz256_div_by_2 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ecp_nistz256_div_by_2)\n#define ecp_nistz256_mul_by_2 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ecp_nistz256_mul_by_2)\n#define ecp_nistz256_mul_by_3 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ecp_nistz256_mul_by_3)\n#define ecp_nistz256_mul_mont BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ecp_nistz256_mul_mont)\n#define ecp_nistz256_mul_mont_adx BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ecp_nistz256_mul_mont_adx)\n#define ecp_nistz256_mul_mont_nohw BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ecp_nistz256_mul_mont_nohw)\n#define ecp_nistz256_neg BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ecp_nistz256_neg)\n#define ecp_nistz256_ord_mul_mont BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ecp_nistz256_ord_mul_mont)\n#define ecp_nistz256_ord_mul_mont_adx BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ecp_nistz256_ord_mul_mont_adx)\n#define ecp_nistz256_ord_mul_mont_nohw BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ecp_nistz256_ord_mul_mont_nohw)\n#define ecp_nistz256_ord_sqr_mont BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ecp_nistz256_ord_sqr_mont)\n#define ecp_nistz256_ord_sqr_mont_adx BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ecp_nistz256_ord_sqr_mont_adx)\n#define ecp_nistz256_ord_sqr_mont_nohw BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ecp_nistz256_ord_sqr_mont_nohw)\n#define ecp_nistz256_point_add BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ecp_nistz256_point_add)\n#define ecp_nistz256_point_add_adx BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ecp_nistz256_point_add_adx)\n#define ecp_nistz256_point_add_affine BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ecp_nistz256_point_add_affine)\n#define ecp_nistz256_point_add_affine_adx BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ecp_nistz256_point_add_affine_adx)\n#define ecp_nistz256_point_add_affine_nohw BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ecp_nistz256_point_add_affine_nohw)\n#define ecp_nistz256_point_add_nohw BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ecp_nistz256_point_add_nohw)\n#define ecp_nistz256_point_double BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ecp_nistz256_point_double)\n#define ecp_nistz256_point_double_adx BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ecp_nistz256_point_double_adx)\n#define ecp_nistz256_point_double_nohw BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ecp_nistz256_point_double_nohw)\n#define ecp_nistz256_select_w5 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ecp_nistz256_select_w5)\n#define ecp_nistz256_select_w5_avx2 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ecp_nistz256_select_w5_avx2)\n#define ecp_nistz256_select_w5_nohw BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ecp_nistz256_select_w5_nohw)\n#define ecp_nistz256_select_w7 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ecp_nistz256_select_w7)\n#define ecp_nistz256_select_w7_avx2 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ecp_nistz256_select_w7_avx2)\n#define ecp_nistz256_select_w7_nohw BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ecp_nistz256_select_w7_nohw)\n#define ecp_nistz256_sqr_mont BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ecp_nistz256_sqr_mont)\n#define ecp_nistz256_sqr_mont_adx BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ecp_nistz256_sqr_mont_adx)\n#define ecp_nistz256_sqr_mont_nohw BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ecp_nistz256_sqr_mont_nohw)\n#define ecp_nistz256_sub BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ecp_nistz256_sub)\n#define ed25519_asn1_meth BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ed25519_asn1_meth)\n#define ed25519_pkey_meth BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ed25519_pkey_meth)\n#define evp_pkey_set_method BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, evp_pkey_set_method)\n#define fiat_curve25519_adx_mul BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, fiat_curve25519_adx_mul)\n#define fiat_curve25519_adx_square BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, fiat_curve25519_adx_square)\n#define fiat_p256_adx_mul BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, fiat_p256_adx_mul)\n#define fiat_p256_adx_sqr BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, fiat_p256_adx_sqr)\n#define gcm_ghash_avx BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, gcm_ghash_avx)\n#define gcm_ghash_clmul BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, gcm_ghash_clmul)\n#define gcm_ghash_neon BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, gcm_ghash_neon)\n#define gcm_ghash_nohw BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, gcm_ghash_nohw)\n#define gcm_ghash_ssse3 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, gcm_ghash_ssse3)\n#define gcm_ghash_v8 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, gcm_ghash_v8)\n#define gcm_ghash_vpclmulqdq_avx10_512 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, gcm_ghash_vpclmulqdq_avx10_512)\n#define gcm_ghash_vpclmulqdq_avx2 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, gcm_ghash_vpclmulqdq_avx2)\n#define gcm_gmult_avx BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, gcm_gmult_avx)\n#define gcm_gmult_clmul BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, gcm_gmult_clmul)\n#define gcm_gmult_neon BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, gcm_gmult_neon)\n#define gcm_gmult_nohw BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, gcm_gmult_nohw)\n#define gcm_gmult_ssse3 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, gcm_gmult_ssse3)\n#define gcm_gmult_v8 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, gcm_gmult_v8)\n#define gcm_gmult_vpclmulqdq_avx10 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, gcm_gmult_vpclmulqdq_avx10)\n#define gcm_gmult_vpclmulqdq_avx2 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, gcm_gmult_vpclmulqdq_avx2)\n#define gcm_init_avx BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, gcm_init_avx)\n#define gcm_init_clmul BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, gcm_init_clmul)\n#define gcm_init_neon BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, gcm_init_neon)\n#define gcm_init_nohw BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, gcm_init_nohw)\n#define gcm_init_ssse3 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, gcm_init_ssse3)\n#define gcm_init_v8 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, gcm_init_v8)\n#define gcm_init_vpclmulqdq_avx10_512 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, gcm_init_vpclmulqdq_avx10_512)\n#define gcm_init_vpclmulqdq_avx2 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, gcm_init_vpclmulqdq_avx2)\n#define gcm_neon_capable BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, gcm_neon_capable)\n#define gcm_pmull_capable BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, gcm_pmull_capable)\n#define have_fast_rdrand BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, have_fast_rdrand)\n#define have_rdrand BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, have_rdrand)\n#define hkdf_pkey_meth BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, hkdf_pkey_meth)\n#define hwaes_capable BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, hwaes_capable)\n#define i2a_ASN1_ENUMERATED BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2a_ASN1_ENUMERATED)\n#define i2a_ASN1_INTEGER BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2a_ASN1_INTEGER)\n#define i2a_ASN1_OBJECT BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2a_ASN1_OBJECT)\n#define i2a_ASN1_STRING BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2a_ASN1_STRING)\n#define i2c_ASN1_BIT_STRING BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2c_ASN1_BIT_STRING)\n#define i2c_ASN1_INTEGER BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2c_ASN1_INTEGER)\n#define i2d_ASN1_BIT_STRING BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_ASN1_BIT_STRING)\n#define i2d_ASN1_BMPSTRING BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_ASN1_BMPSTRING)\n#define i2d_ASN1_BOOLEAN BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_ASN1_BOOLEAN)\n#define i2d_ASN1_ENUMERATED BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_ASN1_ENUMERATED)\n#define i2d_ASN1_GENERALIZEDTIME BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_ASN1_GENERALIZEDTIME)\n#define i2d_ASN1_GENERALSTRING BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_ASN1_GENERALSTRING)\n#define i2d_ASN1_IA5STRING BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_ASN1_IA5STRING)\n#define i2d_ASN1_INTEGER BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_ASN1_INTEGER)\n#define i2d_ASN1_NULL BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_ASN1_NULL)\n#define i2d_ASN1_OBJECT BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_ASN1_OBJECT)\n#define i2d_ASN1_OCTET_STRING BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_ASN1_OCTET_STRING)\n#define i2d_ASN1_PRINTABLE BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_ASN1_PRINTABLE)\n#define i2d_ASN1_PRINTABLESTRING BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_ASN1_PRINTABLESTRING)\n#define i2d_ASN1_SEQUENCE_ANY BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_ASN1_SEQUENCE_ANY)\n#define i2d_ASN1_SET_ANY BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_ASN1_SET_ANY)\n#define i2d_ASN1_T61STRING BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_ASN1_T61STRING)\n#define i2d_ASN1_TIME BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_ASN1_TIME)\n#define i2d_ASN1_TYPE BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_ASN1_TYPE)\n#define i2d_ASN1_UNIVERSALSTRING BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_ASN1_UNIVERSALSTRING)\n#define i2d_ASN1_UTCTIME BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_ASN1_UTCTIME)\n#define i2d_ASN1_UTF8STRING BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_ASN1_UTF8STRING)\n#define i2d_ASN1_VISIBLESTRING BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_ASN1_VISIBLESTRING)\n#define i2d_AUTHORITY_INFO_ACCESS BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_AUTHORITY_INFO_ACCESS)\n#define i2d_AUTHORITY_KEYID BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_AUTHORITY_KEYID)\n#define i2d_BASIC_CONSTRAINTS BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_BASIC_CONSTRAINTS)\n#define i2d_CERTIFICATEPOLICIES BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_CERTIFICATEPOLICIES)\n#define i2d_CRL_DIST_POINTS BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_CRL_DIST_POINTS)\n#define i2d_DHparams BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_DHparams)\n#define i2d_DHparams_bio BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_DHparams_bio)\n#define i2d_DIRECTORYSTRING BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_DIRECTORYSTRING)\n#define i2d_DISPLAYTEXT BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_DISPLAYTEXT)\n#define i2d_DSAPrivateKey BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_DSAPrivateKey)\n#define i2d_DSAPrivateKey_bio BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_DSAPrivateKey_bio)\n#define i2d_DSAPrivateKey_fp BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_DSAPrivateKey_fp)\n#define i2d_DSAPublicKey BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_DSAPublicKey)\n#define i2d_DSA_PUBKEY BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_DSA_PUBKEY)\n#define i2d_DSA_PUBKEY_bio BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_DSA_PUBKEY_bio)\n#define i2d_DSA_PUBKEY_fp BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_DSA_PUBKEY_fp)\n#define i2d_DSA_SIG BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_DSA_SIG)\n#define i2d_DSAparams BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_DSAparams)\n#define i2d_ECDSA_SIG BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_ECDSA_SIG)\n#define i2d_ECPKParameters BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_ECPKParameters)\n#define i2d_ECParameters BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_ECParameters)\n#define i2d_ECPrivateKey BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_ECPrivateKey)\n#define i2d_ECPrivateKey_bio BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_ECPrivateKey_bio)\n#define i2d_ECPrivateKey_fp BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_ECPrivateKey_fp)\n#define i2d_EC_PUBKEY BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_EC_PUBKEY)\n#define i2d_EC_PUBKEY_bio BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_EC_PUBKEY_bio)\n#define i2d_EC_PUBKEY_fp BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_EC_PUBKEY_fp)\n#define i2d_EXTENDED_KEY_USAGE BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_EXTENDED_KEY_USAGE)\n#define i2d_GENERAL_NAME BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_GENERAL_NAME)\n#define i2d_GENERAL_NAMES BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_GENERAL_NAMES)\n#define i2d_ISSUING_DIST_POINT BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_ISSUING_DIST_POINT)\n#define i2d_NETSCAPE_SPKAC BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_NETSCAPE_SPKAC)\n#define i2d_NETSCAPE_SPKI BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_NETSCAPE_SPKI)\n#define i2d_PKCS12 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_PKCS12)\n#define i2d_PKCS12_bio BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_PKCS12_bio)\n#define i2d_PKCS12_fp BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_PKCS12_fp)\n#define i2d_PKCS7 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_PKCS7)\n#define i2d_PKCS7_bio BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_PKCS7_bio)\n#define i2d_PKCS8PrivateKeyInfo_bio BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_PKCS8PrivateKeyInfo_bio)\n#define i2d_PKCS8PrivateKeyInfo_fp BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_PKCS8PrivateKeyInfo_fp)\n#define i2d_PKCS8PrivateKey_bio BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_PKCS8PrivateKey_bio)\n#define i2d_PKCS8PrivateKey_fp BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_PKCS8PrivateKey_fp)\n#define i2d_PKCS8PrivateKey_nid_bio BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_PKCS8PrivateKey_nid_bio)\n#define i2d_PKCS8PrivateKey_nid_fp BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_PKCS8PrivateKey_nid_fp)\n#define i2d_PKCS8_PRIV_KEY_INFO BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_PKCS8_PRIV_KEY_INFO)\n#define i2d_PKCS8_PRIV_KEY_INFO_bio BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_PKCS8_PRIV_KEY_INFO_bio)\n#define i2d_PKCS8_PRIV_KEY_INFO_fp BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_PKCS8_PRIV_KEY_INFO_fp)\n#define i2d_PKCS8_bio BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_PKCS8_bio)\n#define i2d_PKCS8_fp BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_PKCS8_fp)\n#define i2d_PUBKEY BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_PUBKEY)\n#define i2d_PUBKEY_bio BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_PUBKEY_bio)\n#define i2d_PUBKEY_fp BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_PUBKEY_fp)\n#define i2d_PrivateKey BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_PrivateKey)\n#define i2d_PrivateKey_bio BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_PrivateKey_bio)\n#define i2d_PrivateKey_fp BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_PrivateKey_fp)\n#define i2d_PublicKey BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_PublicKey)\n#define i2d_RSAPrivateKey BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_RSAPrivateKey)\n#define i2d_RSAPrivateKey_bio BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_RSAPrivateKey_bio)\n#define i2d_RSAPrivateKey_fp BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_RSAPrivateKey_fp)\n#define i2d_RSAPublicKey BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_RSAPublicKey)\n#define i2d_RSAPublicKey_bio BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_RSAPublicKey_bio)\n#define i2d_RSAPublicKey_fp BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_RSAPublicKey_fp)\n#define i2d_RSA_PSS_PARAMS BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_RSA_PSS_PARAMS)\n#define i2d_RSA_PUBKEY BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_RSA_PUBKEY)\n#define i2d_RSA_PUBKEY_bio BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_RSA_PUBKEY_bio)\n#define i2d_RSA_PUBKEY_fp BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_RSA_PUBKEY_fp)\n#define i2d_SSL_SESSION BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_SSL_SESSION)\n#define i2d_SSL_SESSION_bio BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_SSL_SESSION_bio)\n#define i2d_X509 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_X509)\n#define i2d_X509_ALGOR BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_X509_ALGOR)\n#define i2d_X509_ATTRIBUTE BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_X509_ATTRIBUTE)\n#define i2d_X509_AUX BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_X509_AUX)\n#define i2d_X509_CERT_AUX BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_X509_CERT_AUX)\n#define i2d_X509_CINF BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_X509_CINF)\n#define i2d_X509_CRL BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_X509_CRL)\n#define i2d_X509_CRL_INFO BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_X509_CRL_INFO)\n#define i2d_X509_CRL_bio BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_X509_CRL_bio)\n#define i2d_X509_CRL_fp BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_X509_CRL_fp)\n#define i2d_X509_CRL_tbs BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_X509_CRL_tbs)\n#define i2d_X509_EXTENSION BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_X509_EXTENSION)\n#define i2d_X509_EXTENSIONS BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_X509_EXTENSIONS)\n#define i2d_X509_NAME BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_X509_NAME)\n#define i2d_X509_PUBKEY BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_X509_PUBKEY)\n#define i2d_X509_REQ BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_X509_REQ)\n#define i2d_X509_REQ_INFO BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_X509_REQ_INFO)\n#define i2d_X509_REQ_bio BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_X509_REQ_bio)\n#define i2d_X509_REQ_fp BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_X509_REQ_fp)\n#define i2d_X509_REVOKED BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_X509_REVOKED)\n#define i2d_X509_SIG BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_X509_SIG)\n#define i2d_X509_VAL BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_X509_VAL)\n#define i2d_X509_bio BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_X509_bio)\n#define i2d_X509_fp BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_X509_fp)\n#define i2d_X509_tbs BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_X509_tbs)\n#define i2d_re_X509_CRL_tbs BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_re_X509_CRL_tbs)\n#define i2d_re_X509_REQ_tbs BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_re_X509_REQ_tbs)\n#define i2d_re_X509_tbs BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_re_X509_tbs)\n#define i2o_ECPublicKey BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2o_ECPublicKey)\n#define i2s_ASN1_ENUMERATED BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2s_ASN1_ENUMERATED)\n#define i2s_ASN1_INTEGER BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2s_ASN1_INTEGER)\n#define i2s_ASN1_OCTET_STRING BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2s_ASN1_OCTET_STRING)\n#define i2t_ASN1_OBJECT BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2t_ASN1_OBJECT)\n#define i2v_GENERAL_NAME BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2v_GENERAL_NAME)\n#define i2v_GENERAL_NAMES BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2v_GENERAL_NAMES)\n#define k25519Precomp BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, k25519Precomp)\n#define kBoringSSLRSASqrtTwo BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, kBoringSSLRSASqrtTwo)\n#define kBoringSSLRSASqrtTwoLen BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, kBoringSSLRSASqrtTwoLen)\n#define kOpenSSLReasonStringData BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, kOpenSSLReasonStringData)\n#define kOpenSSLReasonValues BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, kOpenSSLReasonValues)\n#define kOpenSSLReasonValuesLen BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, kOpenSSLReasonValuesLen)\n#define lh_CONF_SECTION_call_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_CONF_SECTION_call_cmp_func)\n#define lh_CONF_SECTION_call_doall_arg BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_CONF_SECTION_call_doall_arg)\n#define lh_CONF_SECTION_call_hash_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_CONF_SECTION_call_hash_func)\n#define lh_CONF_SECTION_doall_arg BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_CONF_SECTION_doall_arg)\n#define lh_CONF_SECTION_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_CONF_SECTION_free)\n#define lh_CONF_SECTION_insert BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_CONF_SECTION_insert)\n#define lh_CONF_SECTION_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_CONF_SECTION_new)\n#define lh_CONF_SECTION_retrieve BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_CONF_SECTION_retrieve)\n#define lh_CONF_VALUE_call_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_CONF_VALUE_call_cmp_func)\n#define lh_CONF_VALUE_call_doall_arg BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_CONF_VALUE_call_doall_arg)\n#define lh_CONF_VALUE_call_hash_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_CONF_VALUE_call_hash_func)\n#define lh_CONF_VALUE_doall_arg BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_CONF_VALUE_doall_arg)\n#define lh_CONF_VALUE_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_CONF_VALUE_free)\n#define lh_CONF_VALUE_insert BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_CONF_VALUE_insert)\n#define lh_CONF_VALUE_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_CONF_VALUE_new)\n#define lh_CONF_VALUE_retrieve BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_CONF_VALUE_retrieve)\n#define lh_CRYPTO_BUFFER_call_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_CRYPTO_BUFFER_call_cmp_func)\n#define lh_CRYPTO_BUFFER_call_hash_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_CRYPTO_BUFFER_call_hash_func)\n#define lh_CRYPTO_BUFFER_delete BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_CRYPTO_BUFFER_delete)\n#define lh_CRYPTO_BUFFER_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_CRYPTO_BUFFER_free)\n#define lh_CRYPTO_BUFFER_insert BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_CRYPTO_BUFFER_insert)\n#define lh_CRYPTO_BUFFER_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_CRYPTO_BUFFER_new)\n#define lh_CRYPTO_BUFFER_num_items BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_CRYPTO_BUFFER_num_items)\n#define lh_CRYPTO_BUFFER_retrieve BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_CRYPTO_BUFFER_retrieve)\n#define md5_block_asm_data_order BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, md5_block_asm_data_order)\n#define o2i_ECPublicKey BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, o2i_ECPublicKey)\n#define pkcs12_iterations_acceptable BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, pkcs12_iterations_acceptable)\n#define pkcs12_key_gen BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, pkcs12_key_gen)\n#define pkcs12_pbe_encrypt_init BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, pkcs12_pbe_encrypt_init)\n#define pkcs7_add_signed_data BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, pkcs7_add_signed_data)\n#define pkcs7_parse_header BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, pkcs7_parse_header)\n#define pkcs8_pbe_decrypt BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, pkcs8_pbe_decrypt)\n#define pmbtoken_exp1_blind BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, pmbtoken_exp1_blind)\n#define pmbtoken_exp1_client_key_from_bytes BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, pmbtoken_exp1_client_key_from_bytes)\n#define pmbtoken_exp1_derive_key_from_secret BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, pmbtoken_exp1_derive_key_from_secret)\n#define pmbtoken_exp1_generate_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, pmbtoken_exp1_generate_key)\n#define pmbtoken_exp1_get_h_for_testing BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, pmbtoken_exp1_get_h_for_testing)\n#define pmbtoken_exp1_issuer_key_from_bytes BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, pmbtoken_exp1_issuer_key_from_bytes)\n#define pmbtoken_exp1_read BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, pmbtoken_exp1_read)\n#define pmbtoken_exp1_sign BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, pmbtoken_exp1_sign)\n#define pmbtoken_exp1_unblind BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, pmbtoken_exp1_unblind)\n#define pmbtoken_exp2_blind BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, pmbtoken_exp2_blind)\n#define pmbtoken_exp2_client_key_from_bytes BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, pmbtoken_exp2_client_key_from_bytes)\n#define pmbtoken_exp2_derive_key_from_secret BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, pmbtoken_exp2_derive_key_from_secret)\n#define pmbtoken_exp2_generate_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, pmbtoken_exp2_generate_key)\n#define pmbtoken_exp2_get_h_for_testing BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, pmbtoken_exp2_get_h_for_testing)\n#define pmbtoken_exp2_issuer_key_from_bytes BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, pmbtoken_exp2_issuer_key_from_bytes)\n#define pmbtoken_exp2_read BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, pmbtoken_exp2_read)\n#define pmbtoken_exp2_sign BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, pmbtoken_exp2_sign)\n#define pmbtoken_exp2_unblind BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, pmbtoken_exp2_unblind)\n#define pmbtoken_pst1_blind BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, pmbtoken_pst1_blind)\n#define pmbtoken_pst1_client_key_from_bytes BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, pmbtoken_pst1_client_key_from_bytes)\n#define pmbtoken_pst1_derive_key_from_secret BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, pmbtoken_pst1_derive_key_from_secret)\n#define pmbtoken_pst1_generate_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, pmbtoken_pst1_generate_key)\n#define pmbtoken_pst1_get_h_for_testing BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, pmbtoken_pst1_get_h_for_testing)\n#define pmbtoken_pst1_issuer_key_from_bytes BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, pmbtoken_pst1_issuer_key_from_bytes)\n#define pmbtoken_pst1_read BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, pmbtoken_pst1_read)\n#define pmbtoken_pst1_sign BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, pmbtoken_pst1_sign)\n#define pmbtoken_pst1_unblind BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, pmbtoken_pst1_unblind)\n#define poly_Rq_mul BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, poly_Rq_mul)\n#define rand_fork_unsafe_buffering_enabled BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, rand_fork_unsafe_buffering_enabled)\n#define rsa_asn1_meth BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, rsa_asn1_meth)\n#define rsa_check_public_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, rsa_check_public_key)\n#define rsa_default_private_transform BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, rsa_default_private_transform)\n#define rsa_default_sign_raw BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, rsa_default_sign_raw)\n#define rsa_invalidate_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, rsa_invalidate_key)\n#define rsa_pkey_meth BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, rsa_pkey_meth)\n#define rsa_private_transform BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, rsa_private_transform)\n#define rsa_private_transform_no_self_test BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, rsa_private_transform_no_self_test)\n#define rsa_sign_no_self_test BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, rsa_sign_no_self_test)\n#define rsa_verify_no_self_test BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, rsa_verify_no_self_test)\n#define rsa_verify_raw_no_self_test BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, rsa_verify_raw_no_self_test)\n#define rsaz_1024_gather5_avx2 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, rsaz_1024_gather5_avx2)\n#define rsaz_1024_mul_avx2 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, rsaz_1024_mul_avx2)\n#define rsaz_1024_norm2red_avx2 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, rsaz_1024_norm2red_avx2)\n#define rsaz_1024_red2norm_avx2 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, rsaz_1024_red2norm_avx2)\n#define rsaz_1024_scatter5_avx2 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, rsaz_1024_scatter5_avx2)\n#define rsaz_1024_sqr_avx2 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, rsaz_1024_sqr_avx2)\n#define rsaz_avx2_preferred BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, rsaz_avx2_preferred)\n#define s2i_ASN1_INTEGER BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, s2i_ASN1_INTEGER)\n#define s2i_ASN1_OCTET_STRING BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, s2i_ASN1_OCTET_STRING)\n#define sha1_avx2_capable BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sha1_avx2_capable)\n#define sha1_avx_capable BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sha1_avx_capable)\n#define sha1_block_data_order_avx BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sha1_block_data_order_avx)\n#define sha1_block_data_order_avx2 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sha1_block_data_order_avx2)\n#define sha1_block_data_order_hw BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sha1_block_data_order_hw)\n#define sha1_block_data_order_nohw BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sha1_block_data_order_nohw)\n#define sha1_block_data_order_ssse3 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sha1_block_data_order_ssse3)\n#define sha1_hw_capable BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sha1_hw_capable)\n#define sha1_ssse3_capable BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sha1_ssse3_capable)\n#define sha256_avx_capable BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sha256_avx_capable)\n#define sha256_block_data_order_avx BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sha256_block_data_order_avx)\n#define sha256_block_data_order_hw BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sha256_block_data_order_hw)\n#define sha256_block_data_order_nohw BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sha256_block_data_order_nohw)\n#define sha256_block_data_order_ssse3 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sha256_block_data_order_ssse3)\n#define sha256_hw_capable BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sha256_hw_capable)\n#define sha256_ssse3_capable BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sha256_ssse3_capable)\n#define sha512_avx_capable BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sha512_avx_capable)\n#define sha512_block_data_order_avx BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sha512_block_data_order_avx)\n#define sha512_block_data_order_hw BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sha512_block_data_order_hw)\n#define sha512_block_data_order_nohw BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sha512_block_data_order_nohw)\n#define sha512_hw_capable BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sha512_hw_capable)\n#define sk_ACCESS_DESCRIPTION_call_free_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ACCESS_DESCRIPTION_call_free_func)\n#define sk_ACCESS_DESCRIPTION_new_null BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ACCESS_DESCRIPTION_new_null)\n#define sk_ACCESS_DESCRIPTION_num BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ACCESS_DESCRIPTION_num)\n#define sk_ACCESS_DESCRIPTION_pop_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ACCESS_DESCRIPTION_pop_free)\n#define sk_ACCESS_DESCRIPTION_push BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ACCESS_DESCRIPTION_push)\n#define sk_ACCESS_DESCRIPTION_value BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ACCESS_DESCRIPTION_value)\n#define sk_ASN1_INTEGER_num BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_INTEGER_num)\n#define sk_ASN1_INTEGER_push BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_INTEGER_push)\n#define sk_ASN1_INTEGER_value BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_INTEGER_value)\n#define sk_ASN1_OBJECT_call_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_OBJECT_call_cmp_func)\n#define sk_ASN1_OBJECT_call_copy_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_OBJECT_call_copy_func)\n#define sk_ASN1_OBJECT_call_free_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_OBJECT_call_free_func)\n#define sk_ASN1_OBJECT_deep_copy BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_OBJECT_deep_copy)\n#define sk_ASN1_OBJECT_dup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_OBJECT_dup)\n#define sk_ASN1_OBJECT_find BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_OBJECT_find)\n#define sk_ASN1_OBJECT_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_OBJECT_free)\n#define sk_ASN1_OBJECT_is_sorted BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_OBJECT_is_sorted)\n#define sk_ASN1_OBJECT_new_null BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_OBJECT_new_null)\n#define sk_ASN1_OBJECT_num BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_OBJECT_num)\n#define sk_ASN1_OBJECT_pop_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_OBJECT_pop_free)\n#define sk_ASN1_OBJECT_push BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_OBJECT_push)\n#define sk_ASN1_OBJECT_set_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_OBJECT_set_cmp_func)\n#define sk_ASN1_OBJECT_sort BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_OBJECT_sort)\n#define sk_ASN1_OBJECT_value BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_OBJECT_value)\n#define sk_ASN1_TYPE_num BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_TYPE_num)\n#define sk_ASN1_TYPE_push BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_TYPE_push)\n#define sk_ASN1_TYPE_value BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_TYPE_value)\n#define sk_ASN1_VALUE_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_VALUE_free)\n#define sk_ASN1_VALUE_new_null BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_VALUE_new_null)\n#define sk_ASN1_VALUE_num BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_VALUE_num)\n#define sk_ASN1_VALUE_pop BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_VALUE_pop)\n#define sk_ASN1_VALUE_push BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_VALUE_push)\n#define sk_ASN1_VALUE_value BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_VALUE_value)\n#define sk_CONF_VALUE_call_free_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_CONF_VALUE_call_free_func)\n#define sk_CONF_VALUE_delete_ptr BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_CONF_VALUE_delete_ptr)\n#define sk_CONF_VALUE_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_CONF_VALUE_free)\n#define sk_CONF_VALUE_new_null BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_CONF_VALUE_new_null)\n#define sk_CONF_VALUE_num BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_CONF_VALUE_num)\n#define sk_CONF_VALUE_pop BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_CONF_VALUE_pop)\n#define sk_CONF_VALUE_pop_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_CONF_VALUE_pop_free)\n#define sk_CONF_VALUE_push BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_CONF_VALUE_push)\n#define sk_CONF_VALUE_value BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_CONF_VALUE_value)\n#define sk_CRYPTO_BUFFER_call_copy_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_CRYPTO_BUFFER_call_copy_func)\n#define sk_CRYPTO_BUFFER_call_free_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_CRYPTO_BUFFER_call_free_func)\n#define sk_CRYPTO_BUFFER_deep_copy BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_CRYPTO_BUFFER_deep_copy)\n#define sk_CRYPTO_BUFFER_new_null BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_CRYPTO_BUFFER_new_null)\n#define sk_CRYPTO_BUFFER_num BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_CRYPTO_BUFFER_num)\n#define sk_CRYPTO_BUFFER_pop BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_CRYPTO_BUFFER_pop)\n#define sk_CRYPTO_BUFFER_pop_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_CRYPTO_BUFFER_pop_free)\n#define sk_CRYPTO_BUFFER_push BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_CRYPTO_BUFFER_push)\n#define sk_CRYPTO_BUFFER_set BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_CRYPTO_BUFFER_set)\n#define sk_CRYPTO_BUFFER_value BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_CRYPTO_BUFFER_value)\n#define sk_DIST_POINT_call_free_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_DIST_POINT_call_free_func)\n#define sk_DIST_POINT_new_null BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_DIST_POINT_new_null)\n#define sk_DIST_POINT_num BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_DIST_POINT_num)\n#define sk_DIST_POINT_pop_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_DIST_POINT_pop_free)\n#define sk_DIST_POINT_push BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_DIST_POINT_push)\n#define sk_DIST_POINT_value BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_DIST_POINT_value)\n#define sk_GENERAL_NAME_call_free_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_NAME_call_free_func)\n#define sk_GENERAL_NAME_new_null BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_NAME_new_null)\n#define sk_GENERAL_NAME_num BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_NAME_num)\n#define sk_GENERAL_NAME_pop_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_NAME_pop_free)\n#define sk_GENERAL_NAME_push BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_NAME_push)\n#define sk_GENERAL_NAME_set BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_NAME_set)\n#define sk_GENERAL_NAME_value BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_NAME_value)\n#define sk_GENERAL_SUBTREE_new_null BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_SUBTREE_new_null)\n#define sk_GENERAL_SUBTREE_num BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_SUBTREE_num)\n#define sk_GENERAL_SUBTREE_push BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_SUBTREE_push)\n#define sk_GENERAL_SUBTREE_value BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_SUBTREE_value)\n#define sk_OPENSSL_STRING_call_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_OPENSSL_STRING_call_cmp_func)\n#define sk_OPENSSL_STRING_call_copy_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_OPENSSL_STRING_call_copy_func)\n#define sk_OPENSSL_STRING_call_free_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_OPENSSL_STRING_call_free_func)\n#define sk_OPENSSL_STRING_deep_copy BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_OPENSSL_STRING_deep_copy)\n#define sk_OPENSSL_STRING_find BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_OPENSSL_STRING_find)\n#define sk_OPENSSL_STRING_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_OPENSSL_STRING_free)\n#define sk_OPENSSL_STRING_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_OPENSSL_STRING_new)\n#define sk_OPENSSL_STRING_new_null BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_OPENSSL_STRING_new_null)\n#define sk_OPENSSL_STRING_num BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_OPENSSL_STRING_num)\n#define sk_OPENSSL_STRING_pop_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_OPENSSL_STRING_pop_free)\n#define sk_OPENSSL_STRING_push BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_OPENSSL_STRING_push)\n#define sk_OPENSSL_STRING_sort BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_OPENSSL_STRING_sort)\n#define sk_OPENSSL_STRING_value BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_OPENSSL_STRING_value)\n#define sk_POLICYINFO_call_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICYINFO_call_cmp_func)\n#define sk_POLICYINFO_call_free_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICYINFO_call_free_func)\n#define sk_POLICYINFO_find BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICYINFO_find)\n#define sk_POLICYINFO_is_sorted BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICYINFO_is_sorted)\n#define sk_POLICYINFO_new_null BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICYINFO_new_null)\n#define sk_POLICYINFO_num BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICYINFO_num)\n#define sk_POLICYINFO_pop_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICYINFO_pop_free)\n#define sk_POLICYINFO_push BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICYINFO_push)\n#define sk_POLICYINFO_set_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICYINFO_set_cmp_func)\n#define sk_POLICYINFO_sort BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICYINFO_sort)\n#define sk_POLICYINFO_value BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICYINFO_value)\n#define sk_POLICYQUALINFO_new_null BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICYQUALINFO_new_null)\n#define sk_POLICYQUALINFO_num BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICYQUALINFO_num)\n#define sk_POLICYQUALINFO_push BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICYQUALINFO_push)\n#define sk_POLICYQUALINFO_value BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICYQUALINFO_value)\n#define sk_POLICY_MAPPING_call_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICY_MAPPING_call_cmp_func)\n#define sk_POLICY_MAPPING_call_free_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICY_MAPPING_call_free_func)\n#define sk_POLICY_MAPPING_find BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICY_MAPPING_find)\n#define sk_POLICY_MAPPING_is_sorted BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICY_MAPPING_is_sorted)\n#define sk_POLICY_MAPPING_new_null BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICY_MAPPING_new_null)\n#define sk_POLICY_MAPPING_num BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICY_MAPPING_num)\n#define sk_POLICY_MAPPING_pop_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICY_MAPPING_pop_free)\n#define sk_POLICY_MAPPING_push BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICY_MAPPING_push)\n#define sk_POLICY_MAPPING_set_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICY_MAPPING_set_cmp_func)\n#define sk_POLICY_MAPPING_sort BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICY_MAPPING_sort)\n#define sk_POLICY_MAPPING_value BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICY_MAPPING_value)\n#define sk_SRTP_PROTECTION_PROFILE_new_null BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_SRTP_PROTECTION_PROFILE_new_null)\n#define sk_SRTP_PROTECTION_PROFILE_num BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_SRTP_PROTECTION_PROFILE_num)\n#define sk_SRTP_PROTECTION_PROFILE_push BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_SRTP_PROTECTION_PROFILE_push)\n#define sk_SSL_CIPHER_call_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_SSL_CIPHER_call_cmp_func)\n#define sk_SSL_CIPHER_delete BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_SSL_CIPHER_delete)\n#define sk_SSL_CIPHER_dup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_SSL_CIPHER_dup)\n#define sk_SSL_CIPHER_find BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_SSL_CIPHER_find)\n#define sk_SSL_CIPHER_new_null BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_SSL_CIPHER_new_null)\n#define sk_SSL_CIPHER_num BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_SSL_CIPHER_num)\n#define sk_SSL_CIPHER_push BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_SSL_CIPHER_push)\n#define sk_SSL_CIPHER_value BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_SSL_CIPHER_value)\n#define sk_TRUST_TOKEN_PRETOKEN_call_free_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_TRUST_TOKEN_PRETOKEN_call_free_func)\n#define sk_TRUST_TOKEN_PRETOKEN_new_null BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_TRUST_TOKEN_PRETOKEN_new_null)\n#define sk_TRUST_TOKEN_PRETOKEN_num BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_TRUST_TOKEN_PRETOKEN_num)\n#define sk_TRUST_TOKEN_PRETOKEN_pop_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_TRUST_TOKEN_PRETOKEN_pop_free)\n#define sk_TRUST_TOKEN_PRETOKEN_push BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_TRUST_TOKEN_PRETOKEN_push)\n#define sk_TRUST_TOKEN_PRETOKEN_value BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_TRUST_TOKEN_PRETOKEN_value)\n#define sk_TRUST_TOKEN_call_free_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_TRUST_TOKEN_call_free_func)\n#define sk_TRUST_TOKEN_new_null BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_TRUST_TOKEN_new_null)\n#define sk_TRUST_TOKEN_pop_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_TRUST_TOKEN_pop_free)\n#define sk_TRUST_TOKEN_push BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_TRUST_TOKEN_push)\n#define sk_X509_ATTRIBUTE_delete BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_ATTRIBUTE_delete)\n#define sk_X509_ATTRIBUTE_new_null BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_ATTRIBUTE_new_null)\n#define sk_X509_ATTRIBUTE_num BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_ATTRIBUTE_num)\n#define sk_X509_ATTRIBUTE_push BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_ATTRIBUTE_push)\n#define sk_X509_ATTRIBUTE_value BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_ATTRIBUTE_value)\n#define sk_X509_CRL_call_free_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_CRL_call_free_func)\n#define sk_X509_CRL_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_CRL_free)\n#define sk_X509_CRL_new_null BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_CRL_new_null)\n#define sk_X509_CRL_num BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_CRL_num)\n#define sk_X509_CRL_pop BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_CRL_pop)\n#define sk_X509_CRL_pop_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_CRL_pop_free)\n#define sk_X509_CRL_push BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_CRL_push)\n#define sk_X509_CRL_value BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_CRL_value)\n#define sk_X509_EXTENSION_call_free_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_EXTENSION_call_free_func)\n#define sk_X509_EXTENSION_delete BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_EXTENSION_delete)\n#define sk_X509_EXTENSION_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_EXTENSION_free)\n#define sk_X509_EXTENSION_insert BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_EXTENSION_insert)\n#define sk_X509_EXTENSION_new_null BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_EXTENSION_new_null)\n#define sk_X509_EXTENSION_num BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_EXTENSION_num)\n#define sk_X509_EXTENSION_pop_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_EXTENSION_pop_free)\n#define sk_X509_EXTENSION_push BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_EXTENSION_push)\n#define sk_X509_EXTENSION_set BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_EXTENSION_set)\n#define sk_X509_EXTENSION_value BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_EXTENSION_value)\n#define sk_X509_INFO_call_free_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_INFO_call_free_func)\n#define sk_X509_INFO_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_INFO_free)\n#define sk_X509_INFO_new_null BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_INFO_new_null)\n#define sk_X509_INFO_num BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_INFO_num)\n#define sk_X509_INFO_pop BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_INFO_pop)\n#define sk_X509_INFO_pop_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_INFO_pop_free)\n#define sk_X509_INFO_push BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_INFO_push)\n#define sk_X509_INFO_value BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_INFO_value)\n#define sk_X509_LOOKUP_call_free_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_LOOKUP_call_free_func)\n#define sk_X509_LOOKUP_new_null BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_LOOKUP_new_null)\n#define sk_X509_LOOKUP_num BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_LOOKUP_num)\n#define sk_X509_LOOKUP_pop_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_LOOKUP_pop_free)\n#define sk_X509_LOOKUP_push BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_LOOKUP_push)\n#define sk_X509_LOOKUP_value BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_LOOKUP_value)\n#define sk_X509_NAME_ENTRY_call_free_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_NAME_ENTRY_call_free_func)\n#define sk_X509_NAME_ENTRY_delete BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_NAME_ENTRY_delete)\n#define sk_X509_NAME_ENTRY_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_NAME_ENTRY_free)\n#define sk_X509_NAME_ENTRY_insert BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_NAME_ENTRY_insert)\n#define sk_X509_NAME_ENTRY_new_null BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_NAME_ENTRY_new_null)\n#define sk_X509_NAME_ENTRY_num BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_NAME_ENTRY_num)\n#define sk_X509_NAME_ENTRY_pop_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_NAME_ENTRY_pop_free)\n#define sk_X509_NAME_ENTRY_push BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_NAME_ENTRY_push)\n#define sk_X509_NAME_ENTRY_set BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_NAME_ENTRY_set)\n#define sk_X509_NAME_ENTRY_value BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_NAME_ENTRY_value)\n#define sk_X509_NAME_call_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_NAME_call_cmp_func)\n#define sk_X509_NAME_call_copy_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_NAME_call_copy_func)\n#define sk_X509_NAME_call_free_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_NAME_call_free_func)\n#define sk_X509_NAME_deep_copy BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_NAME_deep_copy)\n#define sk_X509_NAME_find BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_NAME_find)\n#define sk_X509_NAME_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_NAME_new)\n#define sk_X509_NAME_new_null BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_NAME_new_null)\n#define sk_X509_NAME_num BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_NAME_num)\n#define sk_X509_NAME_pop_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_NAME_pop_free)\n#define sk_X509_NAME_set BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_NAME_set)\n#define sk_X509_NAME_set_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_NAME_set_cmp_func)\n#define sk_X509_NAME_sort BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_NAME_sort)\n#define sk_X509_NAME_value BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_NAME_value)\n#define sk_X509_OBJECT_call_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_OBJECT_call_cmp_func)\n#define sk_X509_OBJECT_call_copy_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_OBJECT_call_copy_func)\n#define sk_X509_OBJECT_call_free_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_OBJECT_call_free_func)\n#define sk_X509_OBJECT_deep_copy BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_OBJECT_deep_copy)\n#define sk_X509_OBJECT_find BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_OBJECT_find)\n#define sk_X509_OBJECT_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_OBJECT_new)\n#define sk_X509_OBJECT_num BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_OBJECT_num)\n#define sk_X509_OBJECT_pop_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_OBJECT_pop_free)\n#define sk_X509_OBJECT_push BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_OBJECT_push)\n#define sk_X509_OBJECT_sort BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_OBJECT_sort)\n#define sk_X509_OBJECT_value BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_OBJECT_value)\n#define sk_X509_REVOKED_call_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_REVOKED_call_cmp_func)\n#define sk_X509_REVOKED_find BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_REVOKED_find)\n#define sk_X509_REVOKED_is_sorted BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_REVOKED_is_sorted)\n#define sk_X509_REVOKED_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_REVOKED_new)\n#define sk_X509_REVOKED_num BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_REVOKED_num)\n#define sk_X509_REVOKED_push BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_REVOKED_push)\n#define sk_X509_REVOKED_set_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_REVOKED_set_cmp_func)\n#define sk_X509_REVOKED_sort BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_REVOKED_sort)\n#define sk_X509_REVOKED_value BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_REVOKED_value)\n#define sk_X509_call_free_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_call_free_func)\n#define sk_X509_delete BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_delete)\n#define sk_X509_delete_ptr BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_delete_ptr)\n#define sk_X509_dup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_dup)\n#define sk_X509_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_free)\n#define sk_X509_new_null BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_new_null)\n#define sk_X509_num BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_num)\n#define sk_X509_pop BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_pop)\n#define sk_X509_pop_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_pop_free)\n#define sk_X509_push BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_push)\n#define sk_X509_set BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_set)\n#define sk_X509_shift BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_shift)\n#define sk_X509_value BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_value)\n#define sk_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_free)\n#define sk_new_null BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_new_null)\n#define sk_num BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_num)\n#define sk_pop BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_pop)\n#define sk_pop_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_pop_free)\n#define sk_pop_free_ex BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_pop_free_ex)\n#define sk_push BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_push)\n#define sk_value BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_value)\n#define sk_void_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_void_free)\n#define sk_void_new_null BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_void_new_null)\n#define sk_void_num BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_void_num)\n#define sk_void_push BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_void_push)\n#define sk_void_set BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_void_set)\n#define sk_void_value BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_void_value)\n#define slhdsa_copy_keypair_addr BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, slhdsa_copy_keypair_addr)\n#define slhdsa_fors_pk_from_sig BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, slhdsa_fors_pk_from_sig)\n#define slhdsa_fors_sign BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, slhdsa_fors_sign)\n#define slhdsa_fors_sk_gen BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, slhdsa_fors_sk_gen)\n#define slhdsa_fors_treehash BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, slhdsa_fors_treehash)\n#define slhdsa_get_tree_index BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, slhdsa_get_tree_index)\n#define slhdsa_ht_sign BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, slhdsa_ht_sign)\n#define slhdsa_ht_verify BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, slhdsa_ht_verify)\n#define slhdsa_set_chain_addr BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, slhdsa_set_chain_addr)\n#define slhdsa_set_hash_addr BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, slhdsa_set_hash_addr)\n#define slhdsa_set_keypair_addr BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, slhdsa_set_keypair_addr)\n#define slhdsa_set_layer_addr BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, slhdsa_set_layer_addr)\n#define slhdsa_set_tree_addr BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, slhdsa_set_tree_addr)\n#define slhdsa_set_tree_height BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, slhdsa_set_tree_height)\n#define slhdsa_set_tree_index BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, slhdsa_set_tree_index)\n#define slhdsa_set_type BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, slhdsa_set_type)\n#define slhdsa_thash_f BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, slhdsa_thash_f)\n#define slhdsa_thash_h BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, slhdsa_thash_h)\n#define slhdsa_thash_hmsg BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, slhdsa_thash_hmsg)\n#define slhdsa_thash_prf BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, slhdsa_thash_prf)\n#define slhdsa_thash_prfmsg BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, slhdsa_thash_prfmsg)\n#define slhdsa_thash_tk BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, slhdsa_thash_tk)\n#define slhdsa_thash_tl BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, slhdsa_thash_tl)\n#define slhdsa_treehash BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, slhdsa_treehash)\n#define slhdsa_wots_pk_from_sig BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, slhdsa_wots_pk_from_sig)\n#define slhdsa_wots_pk_gen BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, slhdsa_wots_pk_gen)\n#define slhdsa_wots_sign BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, slhdsa_wots_sign)\n#define slhdsa_xmss_pk_from_sig BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, slhdsa_xmss_pk_from_sig)\n#define slhdsa_xmss_sign BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, slhdsa_xmss_sign)\n#define v2i_GENERAL_NAME BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, v2i_GENERAL_NAME)\n#define v2i_GENERAL_NAMES BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, v2i_GENERAL_NAMES)\n#define v2i_GENERAL_NAME_ex BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, v2i_GENERAL_NAME_ex)\n#define v3_akey_id BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, v3_akey_id)\n#define v3_alt BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, v3_alt)\n#define v3_bcons BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, v3_bcons)\n#define v3_cpols BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, v3_cpols)\n#define v3_crl_invdate BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, v3_crl_invdate)\n#define v3_crl_num BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, v3_crl_num)\n#define v3_crl_reason BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, v3_crl_reason)\n#define v3_crld BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, v3_crld)\n#define v3_delta_crl BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, v3_delta_crl)\n#define v3_ext_ku BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, v3_ext_ku)\n#define v3_freshest_crl BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, v3_freshest_crl)\n#define v3_idp BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, v3_idp)\n#define v3_info BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, v3_info)\n#define v3_inhibit_anyp BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, v3_inhibit_anyp)\n#define v3_key_usage BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, v3_key_usage)\n#define v3_name_constraints BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, v3_name_constraints)\n#define v3_ns_ia5_list BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, v3_ns_ia5_list)\n#define v3_nscert BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, v3_nscert)\n#define v3_ocsp_accresp BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, v3_ocsp_accresp)\n#define v3_ocsp_nocheck BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, v3_ocsp_nocheck)\n#define v3_policy_constraints BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, v3_policy_constraints)\n#define v3_policy_mappings BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, v3_policy_mappings)\n#define v3_sinfo BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, v3_sinfo)\n#define v3_skey_id BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, v3_skey_id)\n#define voprf_exp2_blind BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, voprf_exp2_blind)\n#define voprf_exp2_client_key_from_bytes BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, voprf_exp2_client_key_from_bytes)\n#define voprf_exp2_derive_key_from_secret BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, voprf_exp2_derive_key_from_secret)\n#define voprf_exp2_generate_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, voprf_exp2_generate_key)\n#define voprf_exp2_issuer_key_from_bytes BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, voprf_exp2_issuer_key_from_bytes)\n#define voprf_exp2_read BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, voprf_exp2_read)\n#define voprf_exp2_sign BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, voprf_exp2_sign)\n#define voprf_exp2_unblind BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, voprf_exp2_unblind)\n#define voprf_pst1_blind BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, voprf_pst1_blind)\n#define voprf_pst1_client_key_from_bytes BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, voprf_pst1_client_key_from_bytes)\n#define voprf_pst1_derive_key_from_secret BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, voprf_pst1_derive_key_from_secret)\n#define voprf_pst1_generate_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, voprf_pst1_generate_key)\n#define voprf_pst1_issuer_key_from_bytes BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, voprf_pst1_issuer_key_from_bytes)\n#define voprf_pst1_read BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, voprf_pst1_read)\n#define voprf_pst1_sign BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, voprf_pst1_sign)\n#define voprf_pst1_sign_with_proof_scalar_for_testing BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, voprf_pst1_sign_with_proof_scalar_for_testing)\n#define voprf_pst1_unblind BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, voprf_pst1_unblind)\n#define vpaes_capable BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, vpaes_capable)\n#define vpaes_cbc_encrypt BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, vpaes_cbc_encrypt)\n#define vpaes_ctr32_encrypt_blocks BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, vpaes_ctr32_encrypt_blocks)\n#define vpaes_decrypt BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, vpaes_decrypt)\n#define vpaes_decrypt_key_to_bsaes BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, vpaes_decrypt_key_to_bsaes)\n#define vpaes_encrypt BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, vpaes_encrypt)\n#define vpaes_set_decrypt_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, vpaes_set_decrypt_key)\n#define vpaes_set_encrypt_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, vpaes_set_encrypt_key)\n#define x25519_asn1_meth BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, x25519_asn1_meth)\n#define x25519_ge_add BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, x25519_ge_add)\n#define x25519_ge_frombytes_vartime BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, x25519_ge_frombytes_vartime)\n#define x25519_ge_p1p1_to_p2 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, x25519_ge_p1p1_to_p2)\n#define x25519_ge_p1p1_to_p3 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, x25519_ge_p1p1_to_p3)\n#define x25519_ge_p3_to_cached BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, x25519_ge_p3_to_cached)\n#define x25519_ge_scalarmult BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, x25519_ge_scalarmult)\n#define x25519_ge_scalarmult_base BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, x25519_ge_scalarmult_base)\n#define x25519_ge_scalarmult_base_adx BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, x25519_ge_scalarmult_base_adx)\n#define x25519_ge_scalarmult_small_precomp BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, x25519_ge_scalarmult_small_precomp)\n#define x25519_ge_sub BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, x25519_ge_sub)\n#define x25519_ge_tobytes BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, x25519_ge_tobytes)\n#define x25519_pkey_meth BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, x25519_pkey_meth)\n#define x25519_sc_reduce BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, x25519_sc_reduce)\n#define x25519_scalar_mult_adx BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, x25519_scalar_mult_adx)\n#define x509V3_add_value_asn1_string BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, x509V3_add_value_asn1_string)\n#define x509_check_issued_with_callback BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, x509_check_issued_with_callback)\n#define x509_digest_sign_algorithm BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, x509_digest_sign_algorithm)\n#define x509_digest_verify_init BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, x509_digest_verify_init)\n#define x509_print_rsa_pss_params BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, x509_print_rsa_pss_params)\n#define x509_rsa_ctx_to_pss BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, x509_rsa_ctx_to_pss)\n#define x509_rsa_pss_to_ctx BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, x509_rsa_pss_to_ctx)\n#define x509v3_a2i_ipadd BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, x509v3_a2i_ipadd)\n#define x509v3_bytes_to_hex BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, x509v3_bytes_to_hex)\n#define x509v3_cache_extensions BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, x509v3_cache_extensions)\n#define x509v3_conf_name_matches BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, x509v3_conf_name_matches)\n#define x509v3_hex_to_bytes BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, x509v3_hex_to_bytes)\n#define x509v3_looks_like_dns_name BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, x509v3_looks_like_dns_name)\n#define sk_TRUST_TOKEN_PRETOKEN_call_free_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_TRUST_TOKEN_PRETOKEN_call_free_func)\n#define sk_TRUST_TOKEN_PRETOKEN_call_copy_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_TRUST_TOKEN_PRETOKEN_call_copy_func)\n#define sk_TRUST_TOKEN_PRETOKEN_call_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_TRUST_TOKEN_PRETOKEN_call_cmp_func)\n#define sk_TRUST_TOKEN_PRETOKEN_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_TRUST_TOKEN_PRETOKEN_new)\n#define sk_TRUST_TOKEN_PRETOKEN_new_null BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_TRUST_TOKEN_PRETOKEN_new_null)\n#define sk_TRUST_TOKEN_PRETOKEN_num BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_TRUST_TOKEN_PRETOKEN_num)\n#define sk_TRUST_TOKEN_PRETOKEN_zero BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_TRUST_TOKEN_PRETOKEN_zero)\n#define sk_TRUST_TOKEN_PRETOKEN_value BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_TRUST_TOKEN_PRETOKEN_value)\n#define sk_TRUST_TOKEN_PRETOKEN_set BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_TRUST_TOKEN_PRETOKEN_set)\n#define sk_TRUST_TOKEN_PRETOKEN_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_TRUST_TOKEN_PRETOKEN_free)\n#define sk_TRUST_TOKEN_PRETOKEN_pop_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_TRUST_TOKEN_PRETOKEN_pop_free)\n#define sk_TRUST_TOKEN_PRETOKEN_insert BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_TRUST_TOKEN_PRETOKEN_insert)\n#define sk_TRUST_TOKEN_PRETOKEN_delete BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_TRUST_TOKEN_PRETOKEN_delete)\n#define sk_TRUST_TOKEN_PRETOKEN_delete_ptr BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_TRUST_TOKEN_PRETOKEN_delete_ptr)\n#define sk_TRUST_TOKEN_PRETOKEN_find BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_TRUST_TOKEN_PRETOKEN_find)\n#define sk_TRUST_TOKEN_PRETOKEN_shift BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_TRUST_TOKEN_PRETOKEN_shift)\n#define sk_TRUST_TOKEN_PRETOKEN_push BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_TRUST_TOKEN_PRETOKEN_push)\n#define sk_TRUST_TOKEN_PRETOKEN_pop BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_TRUST_TOKEN_PRETOKEN_pop)\n#define sk_TRUST_TOKEN_PRETOKEN_dup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_TRUST_TOKEN_PRETOKEN_dup)\n#define sk_TRUST_TOKEN_PRETOKEN_sort BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_TRUST_TOKEN_PRETOKEN_sort)\n#define sk_TRUST_TOKEN_PRETOKEN_is_sorted BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_TRUST_TOKEN_PRETOKEN_is_sorted)\n#define sk_TRUST_TOKEN_PRETOKEN_set_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_TRUST_TOKEN_PRETOKEN_set_cmp_func)\n#define sk_TRUST_TOKEN_PRETOKEN_deep_copy BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_TRUST_TOKEN_PRETOKEN_deep_copy)\n#define sk_BIGNUM_call_free_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_BIGNUM_call_free_func)\n#define sk_BIGNUM_call_copy_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_BIGNUM_call_copy_func)\n#define sk_BIGNUM_call_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_BIGNUM_call_cmp_func)\n#define sk_BIGNUM_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_BIGNUM_new)\n#define sk_BIGNUM_new_null BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_BIGNUM_new_null)\n#define sk_BIGNUM_num BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_BIGNUM_num)\n#define sk_BIGNUM_zero BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_BIGNUM_zero)\n#define sk_BIGNUM_value BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_BIGNUM_value)\n#define sk_BIGNUM_set BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_BIGNUM_set)\n#define sk_BIGNUM_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_BIGNUM_free)\n#define sk_BIGNUM_pop_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_BIGNUM_pop_free)\n#define sk_BIGNUM_insert BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_BIGNUM_insert)\n#define sk_BIGNUM_delete BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_BIGNUM_delete)\n#define sk_BIGNUM_delete_ptr BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_BIGNUM_delete_ptr)\n#define sk_BIGNUM_find BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_BIGNUM_find)\n#define sk_BIGNUM_shift BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_BIGNUM_shift)\n#define sk_BIGNUM_push BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_BIGNUM_push)\n#define sk_BIGNUM_pop BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_BIGNUM_pop)\n#define sk_BIGNUM_dup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_BIGNUM_dup)\n#define sk_BIGNUM_sort BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_BIGNUM_sort)\n#define sk_BIGNUM_is_sorted BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_BIGNUM_is_sorted)\n#define sk_BIGNUM_set_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_BIGNUM_set_cmp_func)\n#define sk_BIGNUM_deep_copy BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_BIGNUM_deep_copy)\n#define sk_X509_LOOKUP_call_free_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_LOOKUP_call_free_func)\n#define sk_X509_LOOKUP_call_copy_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_LOOKUP_call_copy_func)\n#define sk_X509_LOOKUP_call_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_LOOKUP_call_cmp_func)\n#define sk_X509_LOOKUP_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_LOOKUP_new)\n#define sk_X509_LOOKUP_new_null BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_LOOKUP_new_null)\n#define sk_X509_LOOKUP_num BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_LOOKUP_num)\n#define sk_X509_LOOKUP_zero BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_LOOKUP_zero)\n#define sk_X509_LOOKUP_value BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_LOOKUP_value)\n#define sk_X509_LOOKUP_set BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_LOOKUP_set)\n#define sk_X509_LOOKUP_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_LOOKUP_free)\n#define sk_X509_LOOKUP_pop_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_LOOKUP_pop_free)\n#define sk_X509_LOOKUP_insert BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_LOOKUP_insert)\n#define sk_X509_LOOKUP_delete BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_LOOKUP_delete)\n#define sk_X509_LOOKUP_delete_ptr BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_LOOKUP_delete_ptr)\n#define sk_X509_LOOKUP_find BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_LOOKUP_find)\n#define sk_X509_LOOKUP_shift BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_LOOKUP_shift)\n#define sk_X509_LOOKUP_push BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_LOOKUP_push)\n#define sk_X509_LOOKUP_pop BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_LOOKUP_pop)\n#define sk_X509_LOOKUP_dup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_LOOKUP_dup)\n#define sk_X509_LOOKUP_sort BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_LOOKUP_sort)\n#define sk_X509_LOOKUP_is_sorted BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_LOOKUP_is_sorted)\n#define sk_X509_LOOKUP_set_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_LOOKUP_set_cmp_func)\n#define sk_X509_LOOKUP_deep_copy BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_LOOKUP_deep_copy)\n#define sk_BY_DIR_HASH_call_free_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_BY_DIR_HASH_call_free_func)\n#define sk_BY_DIR_HASH_call_copy_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_BY_DIR_HASH_call_copy_func)\n#define sk_BY_DIR_HASH_call_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_BY_DIR_HASH_call_cmp_func)\n#define sk_BY_DIR_HASH_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_BY_DIR_HASH_new)\n#define sk_BY_DIR_HASH_new_null BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_BY_DIR_HASH_new_null)\n#define sk_BY_DIR_HASH_num BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_BY_DIR_HASH_num)\n#define sk_BY_DIR_HASH_zero BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_BY_DIR_HASH_zero)\n#define sk_BY_DIR_HASH_value BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_BY_DIR_HASH_value)\n#define sk_BY_DIR_HASH_set BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_BY_DIR_HASH_set)\n#define sk_BY_DIR_HASH_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_BY_DIR_HASH_free)\n#define sk_BY_DIR_HASH_pop_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_BY_DIR_HASH_pop_free)\n#define sk_BY_DIR_HASH_insert BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_BY_DIR_HASH_insert)\n#define sk_BY_DIR_HASH_delete BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_BY_DIR_HASH_delete)\n#define sk_BY_DIR_HASH_delete_ptr BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_BY_DIR_HASH_delete_ptr)\n#define sk_BY_DIR_HASH_find BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_BY_DIR_HASH_find)\n#define sk_BY_DIR_HASH_shift BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_BY_DIR_HASH_shift)\n#define sk_BY_DIR_HASH_push BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_BY_DIR_HASH_push)\n#define sk_BY_DIR_HASH_pop BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_BY_DIR_HASH_pop)\n#define sk_BY_DIR_HASH_dup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_BY_DIR_HASH_dup)\n#define sk_BY_DIR_HASH_sort BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_BY_DIR_HASH_sort)\n#define sk_BY_DIR_HASH_is_sorted BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_BY_DIR_HASH_is_sorted)\n#define sk_BY_DIR_HASH_set_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_BY_DIR_HASH_set_cmp_func)\n#define sk_BY_DIR_HASH_deep_copy BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_BY_DIR_HASH_deep_copy)\n#define sk_BY_DIR_ENTRY_call_free_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_BY_DIR_ENTRY_call_free_func)\n#define sk_BY_DIR_ENTRY_call_copy_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_BY_DIR_ENTRY_call_copy_func)\n#define sk_BY_DIR_ENTRY_call_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_BY_DIR_ENTRY_call_cmp_func)\n#define sk_BY_DIR_ENTRY_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_BY_DIR_ENTRY_new)\n#define sk_BY_DIR_ENTRY_new_null BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_BY_DIR_ENTRY_new_null)\n#define sk_BY_DIR_ENTRY_num BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_BY_DIR_ENTRY_num)\n#define sk_BY_DIR_ENTRY_zero BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_BY_DIR_ENTRY_zero)\n#define sk_BY_DIR_ENTRY_value BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_BY_DIR_ENTRY_value)\n#define sk_BY_DIR_ENTRY_set BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_BY_DIR_ENTRY_set)\n#define sk_BY_DIR_ENTRY_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_BY_DIR_ENTRY_free)\n#define sk_BY_DIR_ENTRY_pop_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_BY_DIR_ENTRY_pop_free)\n#define sk_BY_DIR_ENTRY_insert BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_BY_DIR_ENTRY_insert)\n#define sk_BY_DIR_ENTRY_delete BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_BY_DIR_ENTRY_delete)\n#define sk_BY_DIR_ENTRY_delete_ptr BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_BY_DIR_ENTRY_delete_ptr)\n#define sk_BY_DIR_ENTRY_find BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_BY_DIR_ENTRY_find)\n#define sk_BY_DIR_ENTRY_shift BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_BY_DIR_ENTRY_shift)\n#define sk_BY_DIR_ENTRY_push BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_BY_DIR_ENTRY_push)\n#define sk_BY_DIR_ENTRY_pop BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_BY_DIR_ENTRY_pop)\n#define sk_BY_DIR_ENTRY_dup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_BY_DIR_ENTRY_dup)\n#define sk_BY_DIR_ENTRY_sort BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_BY_DIR_ENTRY_sort)\n#define sk_BY_DIR_ENTRY_is_sorted BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_BY_DIR_ENTRY_is_sorted)\n#define sk_BY_DIR_ENTRY_set_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_BY_DIR_ENTRY_set_cmp_func)\n#define sk_BY_DIR_ENTRY_deep_copy BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_BY_DIR_ENTRY_deep_copy)\n#define sk_X509V3_EXT_METHOD_call_free_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509V3_EXT_METHOD_call_free_func)\n#define sk_X509V3_EXT_METHOD_call_copy_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509V3_EXT_METHOD_call_copy_func)\n#define sk_X509V3_EXT_METHOD_call_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509V3_EXT_METHOD_call_cmp_func)\n#define sk_X509V3_EXT_METHOD_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509V3_EXT_METHOD_new)\n#define sk_X509V3_EXT_METHOD_new_null BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509V3_EXT_METHOD_new_null)\n#define sk_X509V3_EXT_METHOD_num BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509V3_EXT_METHOD_num)\n#define sk_X509V3_EXT_METHOD_zero BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509V3_EXT_METHOD_zero)\n#define sk_X509V3_EXT_METHOD_value BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509V3_EXT_METHOD_value)\n#define sk_X509V3_EXT_METHOD_set BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509V3_EXT_METHOD_set)\n#define sk_X509V3_EXT_METHOD_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509V3_EXT_METHOD_free)\n#define sk_X509V3_EXT_METHOD_pop_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509V3_EXT_METHOD_pop_free)\n#define sk_X509V3_EXT_METHOD_insert BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509V3_EXT_METHOD_insert)\n#define sk_X509V3_EXT_METHOD_delete BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509V3_EXT_METHOD_delete)\n#define sk_X509V3_EXT_METHOD_delete_ptr BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509V3_EXT_METHOD_delete_ptr)\n#define sk_X509V3_EXT_METHOD_find BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509V3_EXT_METHOD_find)\n#define sk_X509V3_EXT_METHOD_shift BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509V3_EXT_METHOD_shift)\n#define sk_X509V3_EXT_METHOD_push BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509V3_EXT_METHOD_push)\n#define sk_X509V3_EXT_METHOD_pop BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509V3_EXT_METHOD_pop)\n#define sk_X509V3_EXT_METHOD_dup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509V3_EXT_METHOD_dup)\n#define sk_X509V3_EXT_METHOD_sort BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509V3_EXT_METHOD_sort)\n#define sk_X509V3_EXT_METHOD_is_sorted BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509V3_EXT_METHOD_is_sorted)\n#define sk_X509V3_EXT_METHOD_set_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509V3_EXT_METHOD_set_cmp_func)\n#define sk_X509V3_EXT_METHOD_deep_copy BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509V3_EXT_METHOD_deep_copy)\n#define sk_X509_POLICY_NODE_call_free_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_POLICY_NODE_call_free_func)\n#define sk_X509_POLICY_NODE_call_copy_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_POLICY_NODE_call_copy_func)\n#define sk_X509_POLICY_NODE_call_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_POLICY_NODE_call_cmp_func)\n#define sk_X509_POLICY_NODE_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_POLICY_NODE_new)\n#define sk_X509_POLICY_NODE_new_null BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_POLICY_NODE_new_null)\n#define sk_X509_POLICY_NODE_num BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_POLICY_NODE_num)\n#define sk_X509_POLICY_NODE_zero BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_POLICY_NODE_zero)\n#define sk_X509_POLICY_NODE_value BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_POLICY_NODE_value)\n#define sk_X509_POLICY_NODE_set BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_POLICY_NODE_set)\n#define sk_X509_POLICY_NODE_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_POLICY_NODE_free)\n#define sk_X509_POLICY_NODE_pop_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_POLICY_NODE_pop_free)\n#define sk_X509_POLICY_NODE_insert BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_POLICY_NODE_insert)\n#define sk_X509_POLICY_NODE_delete BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_POLICY_NODE_delete)\n#define sk_X509_POLICY_NODE_delete_ptr BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_POLICY_NODE_delete_ptr)\n#define sk_X509_POLICY_NODE_find BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_POLICY_NODE_find)\n#define sk_X509_POLICY_NODE_shift BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_POLICY_NODE_shift)\n#define sk_X509_POLICY_NODE_push BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_POLICY_NODE_push)\n#define sk_X509_POLICY_NODE_pop BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_POLICY_NODE_pop)\n#define sk_X509_POLICY_NODE_dup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_POLICY_NODE_dup)\n#define sk_X509_POLICY_NODE_sort BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_POLICY_NODE_sort)\n#define sk_X509_POLICY_NODE_is_sorted BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_POLICY_NODE_is_sorted)\n#define sk_X509_POLICY_NODE_set_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_POLICY_NODE_set_cmp_func)\n#define sk_X509_POLICY_NODE_deep_copy BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_POLICY_NODE_deep_copy)\n#define sk_X509_POLICY_LEVEL_call_free_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_POLICY_LEVEL_call_free_func)\n#define sk_X509_POLICY_LEVEL_call_copy_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_POLICY_LEVEL_call_copy_func)\n#define sk_X509_POLICY_LEVEL_call_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_POLICY_LEVEL_call_cmp_func)\n#define sk_X509_POLICY_LEVEL_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_POLICY_LEVEL_new)\n#define sk_X509_POLICY_LEVEL_new_null BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_POLICY_LEVEL_new_null)\n#define sk_X509_POLICY_LEVEL_num BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_POLICY_LEVEL_num)\n#define sk_X509_POLICY_LEVEL_zero BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_POLICY_LEVEL_zero)\n#define sk_X509_POLICY_LEVEL_value BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_POLICY_LEVEL_value)\n#define sk_X509_POLICY_LEVEL_set BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_POLICY_LEVEL_set)\n#define sk_X509_POLICY_LEVEL_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_POLICY_LEVEL_free)\n#define sk_X509_POLICY_LEVEL_pop_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_POLICY_LEVEL_pop_free)\n#define sk_X509_POLICY_LEVEL_insert BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_POLICY_LEVEL_insert)\n#define sk_X509_POLICY_LEVEL_delete BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_POLICY_LEVEL_delete)\n#define sk_X509_POLICY_LEVEL_delete_ptr BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_POLICY_LEVEL_delete_ptr)\n#define sk_X509_POLICY_LEVEL_find BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_POLICY_LEVEL_find)\n#define sk_X509_POLICY_LEVEL_shift BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_POLICY_LEVEL_shift)\n#define sk_X509_POLICY_LEVEL_push BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_POLICY_LEVEL_push)\n#define sk_X509_POLICY_LEVEL_pop BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_POLICY_LEVEL_pop)\n#define sk_X509_POLICY_LEVEL_dup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_POLICY_LEVEL_dup)\n#define sk_X509_POLICY_LEVEL_sort BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_POLICY_LEVEL_sort)\n#define sk_X509_POLICY_LEVEL_is_sorted BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_POLICY_LEVEL_is_sorted)\n#define sk_X509_POLICY_LEVEL_set_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_POLICY_LEVEL_set_cmp_func)\n#define sk_X509_POLICY_LEVEL_deep_copy BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_POLICY_LEVEL_deep_copy)\n#define sk_STACK_OF_X509_NAME_ENTRY_call_free_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_STACK_OF_X509_NAME_ENTRY_call_free_func)\n#define sk_STACK_OF_X509_NAME_ENTRY_call_copy_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_STACK_OF_X509_NAME_ENTRY_call_copy_func)\n#define sk_STACK_OF_X509_NAME_ENTRY_call_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_STACK_OF_X509_NAME_ENTRY_call_cmp_func)\n#define sk_STACK_OF_X509_NAME_ENTRY_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_STACK_OF_X509_NAME_ENTRY_new)\n#define sk_STACK_OF_X509_NAME_ENTRY_new_null BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_STACK_OF_X509_NAME_ENTRY_new_null)\n#define sk_STACK_OF_X509_NAME_ENTRY_num BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_STACK_OF_X509_NAME_ENTRY_num)\n#define sk_STACK_OF_X509_NAME_ENTRY_zero BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_STACK_OF_X509_NAME_ENTRY_zero)\n#define sk_STACK_OF_X509_NAME_ENTRY_value BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_STACK_OF_X509_NAME_ENTRY_value)\n#define sk_STACK_OF_X509_NAME_ENTRY_set BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_STACK_OF_X509_NAME_ENTRY_set)\n#define sk_STACK_OF_X509_NAME_ENTRY_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_STACK_OF_X509_NAME_ENTRY_free)\n#define sk_STACK_OF_X509_NAME_ENTRY_pop_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_STACK_OF_X509_NAME_ENTRY_pop_free)\n#define sk_STACK_OF_X509_NAME_ENTRY_insert BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_STACK_OF_X509_NAME_ENTRY_insert)\n#define sk_STACK_OF_X509_NAME_ENTRY_delete BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_STACK_OF_X509_NAME_ENTRY_delete)\n#define sk_STACK_OF_X509_NAME_ENTRY_delete_ptr BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_STACK_OF_X509_NAME_ENTRY_delete_ptr)\n#define sk_STACK_OF_X509_NAME_ENTRY_find BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_STACK_OF_X509_NAME_ENTRY_find)\n#define sk_STACK_OF_X509_NAME_ENTRY_shift BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_STACK_OF_X509_NAME_ENTRY_shift)\n#define sk_STACK_OF_X509_NAME_ENTRY_push BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_STACK_OF_X509_NAME_ENTRY_push)\n#define sk_STACK_OF_X509_NAME_ENTRY_pop BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_STACK_OF_X509_NAME_ENTRY_pop)\n#define sk_STACK_OF_X509_NAME_ENTRY_dup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_STACK_OF_X509_NAME_ENTRY_dup)\n#define sk_STACK_OF_X509_NAME_ENTRY_sort BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_STACK_OF_X509_NAME_ENTRY_sort)\n#define sk_STACK_OF_X509_NAME_ENTRY_is_sorted BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_STACK_OF_X509_NAME_ENTRY_is_sorted)\n#define sk_STACK_OF_X509_NAME_ENTRY_set_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_STACK_OF_X509_NAME_ENTRY_set_cmp_func)\n#define sk_STACK_OF_X509_NAME_ENTRY_deep_copy BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_STACK_OF_X509_NAME_ENTRY_deep_copy)\n#define sk_CRYPTO_EX_DATA_FUNCS_call_free_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_CRYPTO_EX_DATA_FUNCS_call_free_func)\n#define sk_CRYPTO_EX_DATA_FUNCS_call_copy_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_CRYPTO_EX_DATA_FUNCS_call_copy_func)\n#define sk_CRYPTO_EX_DATA_FUNCS_call_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_CRYPTO_EX_DATA_FUNCS_call_cmp_func)\n#define sk_CRYPTO_EX_DATA_FUNCS_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_CRYPTO_EX_DATA_FUNCS_new)\n#define sk_CRYPTO_EX_DATA_FUNCS_new_null BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_CRYPTO_EX_DATA_FUNCS_new_null)\n#define sk_CRYPTO_EX_DATA_FUNCS_num BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_CRYPTO_EX_DATA_FUNCS_num)\n#define sk_CRYPTO_EX_DATA_FUNCS_zero BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_CRYPTO_EX_DATA_FUNCS_zero)\n#define sk_CRYPTO_EX_DATA_FUNCS_value BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_CRYPTO_EX_DATA_FUNCS_value)\n#define sk_CRYPTO_EX_DATA_FUNCS_set BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_CRYPTO_EX_DATA_FUNCS_set)\n#define sk_CRYPTO_EX_DATA_FUNCS_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_CRYPTO_EX_DATA_FUNCS_free)\n#define sk_CRYPTO_EX_DATA_FUNCS_pop_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_CRYPTO_EX_DATA_FUNCS_pop_free)\n#define sk_CRYPTO_EX_DATA_FUNCS_insert BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_CRYPTO_EX_DATA_FUNCS_insert)\n#define sk_CRYPTO_EX_DATA_FUNCS_delete BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_CRYPTO_EX_DATA_FUNCS_delete)\n#define sk_CRYPTO_EX_DATA_FUNCS_delete_ptr BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_CRYPTO_EX_DATA_FUNCS_delete_ptr)\n#define sk_CRYPTO_EX_DATA_FUNCS_find BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_CRYPTO_EX_DATA_FUNCS_find)\n#define sk_CRYPTO_EX_DATA_FUNCS_shift BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_CRYPTO_EX_DATA_FUNCS_shift)\n#define sk_CRYPTO_EX_DATA_FUNCS_push BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_CRYPTO_EX_DATA_FUNCS_push)\n#define sk_CRYPTO_EX_DATA_FUNCS_pop BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_CRYPTO_EX_DATA_FUNCS_pop)\n#define sk_CRYPTO_EX_DATA_FUNCS_dup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_CRYPTO_EX_DATA_FUNCS_dup)\n#define sk_CRYPTO_EX_DATA_FUNCS_sort BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_CRYPTO_EX_DATA_FUNCS_sort)\n#define sk_CRYPTO_EX_DATA_FUNCS_is_sorted BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_CRYPTO_EX_DATA_FUNCS_is_sorted)\n#define sk_CRYPTO_EX_DATA_FUNCS_set_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_CRYPTO_EX_DATA_FUNCS_set_cmp_func)\n#define sk_CRYPTO_EX_DATA_FUNCS_deep_copy BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_CRYPTO_EX_DATA_FUNCS_deep_copy)\n#define sk_X509_call_free_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_call_free_func)\n#define sk_X509_call_copy_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_call_copy_func)\n#define sk_X509_call_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_call_cmp_func)\n#define sk_X509_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_new)\n#define sk_X509_new_null BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_new_null)\n#define sk_X509_num BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_num)\n#define sk_X509_zero BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_zero)\n#define sk_X509_value BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_value)\n#define sk_X509_set BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_set)\n#define sk_X509_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_free)\n#define sk_X509_pop_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_pop_free)\n#define sk_X509_insert BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_insert)\n#define sk_X509_delete BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_delete)\n#define sk_X509_delete_ptr BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_delete_ptr)\n#define sk_X509_find BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_find)\n#define sk_X509_shift BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_shift)\n#define sk_X509_push BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_push)\n#define sk_X509_pop BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_pop)\n#define sk_X509_dup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_dup)\n#define sk_X509_sort BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_sort)\n#define sk_X509_is_sorted BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_is_sorted)\n#define sk_X509_set_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_set_cmp_func)\n#define sk_X509_deep_copy BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_deep_copy)\n#define sk_GENERAL_NAME_call_free_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_NAME_call_free_func)\n#define sk_GENERAL_NAME_call_copy_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_NAME_call_copy_func)\n#define sk_GENERAL_NAME_call_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_NAME_call_cmp_func)\n#define sk_GENERAL_NAME_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_NAME_new)\n#define sk_GENERAL_NAME_new_null BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_NAME_new_null)\n#define sk_GENERAL_NAME_num BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_NAME_num)\n#define sk_GENERAL_NAME_zero BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_NAME_zero)\n#define sk_GENERAL_NAME_value BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_NAME_value)\n#define sk_GENERAL_NAME_set BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_NAME_set)\n#define sk_GENERAL_NAME_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_NAME_free)\n#define sk_GENERAL_NAME_pop_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_NAME_pop_free)\n#define sk_GENERAL_NAME_insert BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_NAME_insert)\n#define sk_GENERAL_NAME_delete BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_NAME_delete)\n#define sk_GENERAL_NAME_delete_ptr BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_NAME_delete_ptr)\n#define sk_GENERAL_NAME_find BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_NAME_find)\n#define sk_GENERAL_NAME_shift BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_NAME_shift)\n#define sk_GENERAL_NAME_push BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_NAME_push)\n#define sk_GENERAL_NAME_pop BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_NAME_pop)\n#define sk_GENERAL_NAME_dup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_NAME_dup)\n#define sk_GENERAL_NAME_sort BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_NAME_sort)\n#define sk_GENERAL_NAME_is_sorted BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_NAME_is_sorted)\n#define sk_GENERAL_NAME_set_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_NAME_set_cmp_func)\n#define sk_GENERAL_NAME_deep_copy BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_NAME_deep_copy)\n#define sk_X509_CRL_call_free_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_CRL_call_free_func)\n#define sk_X509_CRL_call_copy_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_CRL_call_copy_func)\n#define sk_X509_CRL_call_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_CRL_call_cmp_func)\n#define sk_X509_CRL_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_CRL_new)\n#define sk_X509_CRL_new_null BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_CRL_new_null)\n#define sk_X509_CRL_num BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_CRL_num)\n#define sk_X509_CRL_zero BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_CRL_zero)\n#define sk_X509_CRL_value BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_CRL_value)\n#define sk_X509_CRL_set BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_CRL_set)\n#define sk_X509_CRL_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_CRL_free)\n#define sk_X509_CRL_pop_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_CRL_pop_free)\n#define sk_X509_CRL_insert BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_CRL_insert)\n#define sk_X509_CRL_delete BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_CRL_delete)\n#define sk_X509_CRL_delete_ptr BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_CRL_delete_ptr)\n#define sk_X509_CRL_find BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_CRL_find)\n#define sk_X509_CRL_shift BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_CRL_shift)\n#define sk_X509_CRL_push BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_CRL_push)\n#define sk_X509_CRL_pop BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_CRL_pop)\n#define sk_X509_CRL_dup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_CRL_dup)\n#define sk_X509_CRL_sort BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_CRL_sort)\n#define sk_X509_CRL_is_sorted BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_CRL_is_sorted)\n#define sk_X509_CRL_set_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_CRL_set_cmp_func)\n#define sk_X509_CRL_deep_copy BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_CRL_deep_copy)\n#define sk_X509_REVOKED_call_free_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_REVOKED_call_free_func)\n#define sk_X509_REVOKED_call_copy_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_REVOKED_call_copy_func)\n#define sk_X509_REVOKED_call_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_REVOKED_call_cmp_func)\n#define sk_X509_REVOKED_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_REVOKED_new)\n#define sk_X509_REVOKED_new_null BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_REVOKED_new_null)\n#define sk_X509_REVOKED_num BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_REVOKED_num)\n#define sk_X509_REVOKED_zero BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_REVOKED_zero)\n#define sk_X509_REVOKED_value BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_REVOKED_value)\n#define sk_X509_REVOKED_set BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_REVOKED_set)\n#define sk_X509_REVOKED_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_REVOKED_free)\n#define sk_X509_REVOKED_pop_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_REVOKED_pop_free)\n#define sk_X509_REVOKED_insert BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_REVOKED_insert)\n#define sk_X509_REVOKED_delete BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_REVOKED_delete)\n#define sk_X509_REVOKED_delete_ptr BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_REVOKED_delete_ptr)\n#define sk_X509_REVOKED_find BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_REVOKED_find)\n#define sk_X509_REVOKED_shift BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_REVOKED_shift)\n#define sk_X509_REVOKED_push BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_REVOKED_push)\n#define sk_X509_REVOKED_pop BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_REVOKED_pop)\n#define sk_X509_REVOKED_dup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_REVOKED_dup)\n#define sk_X509_REVOKED_sort BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_REVOKED_sort)\n#define sk_X509_REVOKED_is_sorted BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_REVOKED_is_sorted)\n#define sk_X509_REVOKED_set_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_REVOKED_set_cmp_func)\n#define sk_X509_REVOKED_deep_copy BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_REVOKED_deep_copy)\n#define sk_X509_NAME_ENTRY_call_free_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_NAME_ENTRY_call_free_func)\n#define sk_X509_NAME_ENTRY_call_copy_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_NAME_ENTRY_call_copy_func)\n#define sk_X509_NAME_ENTRY_call_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_NAME_ENTRY_call_cmp_func)\n#define sk_X509_NAME_ENTRY_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_NAME_ENTRY_new)\n#define sk_X509_NAME_ENTRY_new_null BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_NAME_ENTRY_new_null)\n#define sk_X509_NAME_ENTRY_num BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_NAME_ENTRY_num)\n#define sk_X509_NAME_ENTRY_zero BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_NAME_ENTRY_zero)\n#define sk_X509_NAME_ENTRY_value BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_NAME_ENTRY_value)\n#define sk_X509_NAME_ENTRY_set BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_NAME_ENTRY_set)\n#define sk_X509_NAME_ENTRY_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_NAME_ENTRY_free)\n#define sk_X509_NAME_ENTRY_pop_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_NAME_ENTRY_pop_free)\n#define sk_X509_NAME_ENTRY_insert BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_NAME_ENTRY_insert)\n#define sk_X509_NAME_ENTRY_delete BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_NAME_ENTRY_delete)\n#define sk_X509_NAME_ENTRY_delete_ptr BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_NAME_ENTRY_delete_ptr)\n#define sk_X509_NAME_ENTRY_find BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_NAME_ENTRY_find)\n#define sk_X509_NAME_ENTRY_shift BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_NAME_ENTRY_shift)\n#define sk_X509_NAME_ENTRY_push BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_NAME_ENTRY_push)\n#define sk_X509_NAME_ENTRY_pop BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_NAME_ENTRY_pop)\n#define sk_X509_NAME_ENTRY_dup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_NAME_ENTRY_dup)\n#define sk_X509_NAME_ENTRY_sort BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_NAME_ENTRY_sort)\n#define sk_X509_NAME_ENTRY_is_sorted BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_NAME_ENTRY_is_sorted)\n#define sk_X509_NAME_ENTRY_set_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_NAME_ENTRY_set_cmp_func)\n#define sk_X509_NAME_ENTRY_deep_copy BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_NAME_ENTRY_deep_copy)\n#define sk_X509_NAME_call_free_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_NAME_call_free_func)\n#define sk_X509_NAME_call_copy_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_NAME_call_copy_func)\n#define sk_X509_NAME_call_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_NAME_call_cmp_func)\n#define sk_X509_NAME_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_NAME_new)\n#define sk_X509_NAME_new_null BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_NAME_new_null)\n#define sk_X509_NAME_num BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_NAME_num)\n#define sk_X509_NAME_zero BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_NAME_zero)\n#define sk_X509_NAME_value BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_NAME_value)\n#define sk_X509_NAME_set BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_NAME_set)\n#define sk_X509_NAME_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_NAME_free)\n#define sk_X509_NAME_pop_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_NAME_pop_free)\n#define sk_X509_NAME_insert BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_NAME_insert)\n#define sk_X509_NAME_delete BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_NAME_delete)\n#define sk_X509_NAME_delete_ptr BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_NAME_delete_ptr)\n#define sk_X509_NAME_find BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_NAME_find)\n#define sk_X509_NAME_shift BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_NAME_shift)\n#define sk_X509_NAME_push BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_NAME_push)\n#define sk_X509_NAME_pop BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_NAME_pop)\n#define sk_X509_NAME_dup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_NAME_dup)\n#define sk_X509_NAME_sort BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_NAME_sort)\n#define sk_X509_NAME_is_sorted BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_NAME_is_sorted)\n#define sk_X509_NAME_set_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_NAME_set_cmp_func)\n#define sk_X509_NAME_deep_copy BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_NAME_deep_copy)\n#define sk_X509_EXTENSION_call_free_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_EXTENSION_call_free_func)\n#define sk_X509_EXTENSION_call_copy_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_EXTENSION_call_copy_func)\n#define sk_X509_EXTENSION_call_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_EXTENSION_call_cmp_func)\n#define sk_X509_EXTENSION_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_EXTENSION_new)\n#define sk_X509_EXTENSION_new_null BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_EXTENSION_new_null)\n#define sk_X509_EXTENSION_num BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_EXTENSION_num)\n#define sk_X509_EXTENSION_zero BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_EXTENSION_zero)\n#define sk_X509_EXTENSION_value BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_EXTENSION_value)\n#define sk_X509_EXTENSION_set BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_EXTENSION_set)\n#define sk_X509_EXTENSION_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_EXTENSION_free)\n#define sk_X509_EXTENSION_pop_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_EXTENSION_pop_free)\n#define sk_X509_EXTENSION_insert BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_EXTENSION_insert)\n#define sk_X509_EXTENSION_delete BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_EXTENSION_delete)\n#define sk_X509_EXTENSION_delete_ptr BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_EXTENSION_delete_ptr)\n#define sk_X509_EXTENSION_find BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_EXTENSION_find)\n#define sk_X509_EXTENSION_shift BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_EXTENSION_shift)\n#define sk_X509_EXTENSION_push BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_EXTENSION_push)\n#define sk_X509_EXTENSION_pop BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_EXTENSION_pop)\n#define sk_X509_EXTENSION_dup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_EXTENSION_dup)\n#define sk_X509_EXTENSION_sort BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_EXTENSION_sort)\n#define sk_X509_EXTENSION_is_sorted BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_EXTENSION_is_sorted)\n#define sk_X509_EXTENSION_set_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_EXTENSION_set_cmp_func)\n#define sk_X509_EXTENSION_deep_copy BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_EXTENSION_deep_copy)\n#define sk_GENERAL_SUBTREE_call_free_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_SUBTREE_call_free_func)\n#define sk_GENERAL_SUBTREE_call_copy_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_SUBTREE_call_copy_func)\n#define sk_GENERAL_SUBTREE_call_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_SUBTREE_call_cmp_func)\n#define sk_GENERAL_SUBTREE_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_SUBTREE_new)\n#define sk_GENERAL_SUBTREE_new_null BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_SUBTREE_new_null)\n#define sk_GENERAL_SUBTREE_num BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_SUBTREE_num)\n#define sk_GENERAL_SUBTREE_zero BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_SUBTREE_zero)\n#define sk_GENERAL_SUBTREE_value BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_SUBTREE_value)\n#define sk_GENERAL_SUBTREE_set BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_SUBTREE_set)\n#define sk_GENERAL_SUBTREE_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_SUBTREE_free)\n#define sk_GENERAL_SUBTREE_pop_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_SUBTREE_pop_free)\n#define sk_GENERAL_SUBTREE_insert BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_SUBTREE_insert)\n#define sk_GENERAL_SUBTREE_delete BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_SUBTREE_delete)\n#define sk_GENERAL_SUBTREE_delete_ptr BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_SUBTREE_delete_ptr)\n#define sk_GENERAL_SUBTREE_find BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_SUBTREE_find)\n#define sk_GENERAL_SUBTREE_shift BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_SUBTREE_shift)\n#define sk_GENERAL_SUBTREE_push BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_SUBTREE_push)\n#define sk_GENERAL_SUBTREE_pop BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_SUBTREE_pop)\n#define sk_GENERAL_SUBTREE_dup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_SUBTREE_dup)\n#define sk_GENERAL_SUBTREE_sort BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_SUBTREE_sort)\n#define sk_GENERAL_SUBTREE_is_sorted BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_SUBTREE_is_sorted)\n#define sk_GENERAL_SUBTREE_set_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_SUBTREE_set_cmp_func)\n#define sk_GENERAL_SUBTREE_deep_copy BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_SUBTREE_deep_copy)\n#define sk_ACCESS_DESCRIPTION_call_free_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ACCESS_DESCRIPTION_call_free_func)\n#define sk_ACCESS_DESCRIPTION_call_copy_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ACCESS_DESCRIPTION_call_copy_func)\n#define sk_ACCESS_DESCRIPTION_call_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ACCESS_DESCRIPTION_call_cmp_func)\n#define sk_ACCESS_DESCRIPTION_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ACCESS_DESCRIPTION_new)\n#define sk_ACCESS_DESCRIPTION_new_null BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ACCESS_DESCRIPTION_new_null)\n#define sk_ACCESS_DESCRIPTION_num BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ACCESS_DESCRIPTION_num)\n#define sk_ACCESS_DESCRIPTION_zero BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ACCESS_DESCRIPTION_zero)\n#define sk_ACCESS_DESCRIPTION_value BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ACCESS_DESCRIPTION_value)\n#define sk_ACCESS_DESCRIPTION_set BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ACCESS_DESCRIPTION_set)\n#define sk_ACCESS_DESCRIPTION_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ACCESS_DESCRIPTION_free)\n#define sk_ACCESS_DESCRIPTION_pop_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ACCESS_DESCRIPTION_pop_free)\n#define sk_ACCESS_DESCRIPTION_insert BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ACCESS_DESCRIPTION_insert)\n#define sk_ACCESS_DESCRIPTION_delete BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ACCESS_DESCRIPTION_delete)\n#define sk_ACCESS_DESCRIPTION_delete_ptr BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ACCESS_DESCRIPTION_delete_ptr)\n#define sk_ACCESS_DESCRIPTION_find BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ACCESS_DESCRIPTION_find)\n#define sk_ACCESS_DESCRIPTION_shift BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ACCESS_DESCRIPTION_shift)\n#define sk_ACCESS_DESCRIPTION_push BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ACCESS_DESCRIPTION_push)\n#define sk_ACCESS_DESCRIPTION_pop BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ACCESS_DESCRIPTION_pop)\n#define sk_ACCESS_DESCRIPTION_dup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ACCESS_DESCRIPTION_dup)\n#define sk_ACCESS_DESCRIPTION_sort BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ACCESS_DESCRIPTION_sort)\n#define sk_ACCESS_DESCRIPTION_is_sorted BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ACCESS_DESCRIPTION_is_sorted)\n#define sk_ACCESS_DESCRIPTION_set_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ACCESS_DESCRIPTION_set_cmp_func)\n#define sk_ACCESS_DESCRIPTION_deep_copy BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ACCESS_DESCRIPTION_deep_copy)\n#define sk_DIST_POINT_call_free_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_DIST_POINT_call_free_func)\n#define sk_DIST_POINT_call_copy_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_DIST_POINT_call_copy_func)\n#define sk_DIST_POINT_call_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_DIST_POINT_call_cmp_func)\n#define sk_DIST_POINT_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_DIST_POINT_new)\n#define sk_DIST_POINT_new_null BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_DIST_POINT_new_null)\n#define sk_DIST_POINT_num BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_DIST_POINT_num)\n#define sk_DIST_POINT_zero BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_DIST_POINT_zero)\n#define sk_DIST_POINT_value BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_DIST_POINT_value)\n#define sk_DIST_POINT_set BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_DIST_POINT_set)\n#define sk_DIST_POINT_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_DIST_POINT_free)\n#define sk_DIST_POINT_pop_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_DIST_POINT_pop_free)\n#define sk_DIST_POINT_insert BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_DIST_POINT_insert)\n#define sk_DIST_POINT_delete BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_DIST_POINT_delete)\n#define sk_DIST_POINT_delete_ptr BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_DIST_POINT_delete_ptr)\n#define sk_DIST_POINT_find BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_DIST_POINT_find)\n#define sk_DIST_POINT_shift BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_DIST_POINT_shift)\n#define sk_DIST_POINT_push BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_DIST_POINT_push)\n#define sk_DIST_POINT_pop BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_DIST_POINT_pop)\n#define sk_DIST_POINT_dup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_DIST_POINT_dup)\n#define sk_DIST_POINT_sort BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_DIST_POINT_sort)\n#define sk_DIST_POINT_is_sorted BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_DIST_POINT_is_sorted)\n#define sk_DIST_POINT_set_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_DIST_POINT_set_cmp_func)\n#define sk_DIST_POINT_deep_copy BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_DIST_POINT_deep_copy)\n#define sk_POLICYQUALINFO_call_free_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICYQUALINFO_call_free_func)\n#define sk_POLICYQUALINFO_call_copy_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICYQUALINFO_call_copy_func)\n#define sk_POLICYQUALINFO_call_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICYQUALINFO_call_cmp_func)\n#define sk_POLICYQUALINFO_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICYQUALINFO_new)\n#define sk_POLICYQUALINFO_new_null BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICYQUALINFO_new_null)\n#define sk_POLICYQUALINFO_num BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICYQUALINFO_num)\n#define sk_POLICYQUALINFO_zero BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICYQUALINFO_zero)\n#define sk_POLICYQUALINFO_value BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICYQUALINFO_value)\n#define sk_POLICYQUALINFO_set BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICYQUALINFO_set)\n#define sk_POLICYQUALINFO_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICYQUALINFO_free)\n#define sk_POLICYQUALINFO_pop_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICYQUALINFO_pop_free)\n#define sk_POLICYQUALINFO_insert BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICYQUALINFO_insert)\n#define sk_POLICYQUALINFO_delete BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICYQUALINFO_delete)\n#define sk_POLICYQUALINFO_delete_ptr BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICYQUALINFO_delete_ptr)\n#define sk_POLICYQUALINFO_find BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICYQUALINFO_find)\n#define sk_POLICYQUALINFO_shift BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICYQUALINFO_shift)\n#define sk_POLICYQUALINFO_push BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICYQUALINFO_push)\n#define sk_POLICYQUALINFO_pop BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICYQUALINFO_pop)\n#define sk_POLICYQUALINFO_dup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICYQUALINFO_dup)\n#define sk_POLICYQUALINFO_sort BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICYQUALINFO_sort)\n#define sk_POLICYQUALINFO_is_sorted BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICYQUALINFO_is_sorted)\n#define sk_POLICYQUALINFO_set_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICYQUALINFO_set_cmp_func)\n#define sk_POLICYQUALINFO_deep_copy BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICYQUALINFO_deep_copy)\n#define sk_POLICYINFO_call_free_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICYINFO_call_free_func)\n#define sk_POLICYINFO_call_copy_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICYINFO_call_copy_func)\n#define sk_POLICYINFO_call_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICYINFO_call_cmp_func)\n#define sk_POLICYINFO_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICYINFO_new)\n#define sk_POLICYINFO_new_null BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICYINFO_new_null)\n#define sk_POLICYINFO_num BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICYINFO_num)\n#define sk_POLICYINFO_zero BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICYINFO_zero)\n#define sk_POLICYINFO_value BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICYINFO_value)\n#define sk_POLICYINFO_set BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICYINFO_set)\n#define sk_POLICYINFO_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICYINFO_free)\n#define sk_POLICYINFO_pop_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICYINFO_pop_free)\n#define sk_POLICYINFO_insert BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICYINFO_insert)\n#define sk_POLICYINFO_delete BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICYINFO_delete)\n#define sk_POLICYINFO_delete_ptr BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICYINFO_delete_ptr)\n#define sk_POLICYINFO_find BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICYINFO_find)\n#define sk_POLICYINFO_shift BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICYINFO_shift)\n#define sk_POLICYINFO_push BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICYINFO_push)\n#define sk_POLICYINFO_pop BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICYINFO_pop)\n#define sk_POLICYINFO_dup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICYINFO_dup)\n#define sk_POLICYINFO_sort BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICYINFO_sort)\n#define sk_POLICYINFO_is_sorted BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICYINFO_is_sorted)\n#define sk_POLICYINFO_set_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICYINFO_set_cmp_func)\n#define sk_POLICYINFO_deep_copy BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICYINFO_deep_copy)\n#define sk_POLICY_MAPPING_call_free_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICY_MAPPING_call_free_func)\n#define sk_POLICY_MAPPING_call_copy_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICY_MAPPING_call_copy_func)\n#define sk_POLICY_MAPPING_call_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICY_MAPPING_call_cmp_func)\n#define sk_POLICY_MAPPING_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICY_MAPPING_new)\n#define sk_POLICY_MAPPING_new_null BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICY_MAPPING_new_null)\n#define sk_POLICY_MAPPING_num BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICY_MAPPING_num)\n#define sk_POLICY_MAPPING_zero BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICY_MAPPING_zero)\n#define sk_POLICY_MAPPING_value BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICY_MAPPING_value)\n#define sk_POLICY_MAPPING_set BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICY_MAPPING_set)\n#define sk_POLICY_MAPPING_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICY_MAPPING_free)\n#define sk_POLICY_MAPPING_pop_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICY_MAPPING_pop_free)\n#define sk_POLICY_MAPPING_insert BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICY_MAPPING_insert)\n#define sk_POLICY_MAPPING_delete BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICY_MAPPING_delete)\n#define sk_POLICY_MAPPING_delete_ptr BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICY_MAPPING_delete_ptr)\n#define sk_POLICY_MAPPING_find BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICY_MAPPING_find)\n#define sk_POLICY_MAPPING_shift BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICY_MAPPING_shift)\n#define sk_POLICY_MAPPING_push BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICY_MAPPING_push)\n#define sk_POLICY_MAPPING_pop BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICY_MAPPING_pop)\n#define sk_POLICY_MAPPING_dup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICY_MAPPING_dup)\n#define sk_POLICY_MAPPING_sort BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICY_MAPPING_sort)\n#define sk_POLICY_MAPPING_is_sorted BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICY_MAPPING_is_sorted)\n#define sk_POLICY_MAPPING_set_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICY_MAPPING_set_cmp_func)\n#define sk_POLICY_MAPPING_deep_copy BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICY_MAPPING_deep_copy)\n#define sk_X509_ALGOR_call_free_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_ALGOR_call_free_func)\n#define sk_X509_ALGOR_call_copy_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_ALGOR_call_copy_func)\n#define sk_X509_ALGOR_call_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_ALGOR_call_cmp_func)\n#define sk_X509_ALGOR_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_ALGOR_new)\n#define sk_X509_ALGOR_new_null BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_ALGOR_new_null)\n#define sk_X509_ALGOR_num BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_ALGOR_num)\n#define sk_X509_ALGOR_zero BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_ALGOR_zero)\n#define sk_X509_ALGOR_value BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_ALGOR_value)\n#define sk_X509_ALGOR_set BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_ALGOR_set)\n#define sk_X509_ALGOR_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_ALGOR_free)\n#define sk_X509_ALGOR_pop_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_ALGOR_pop_free)\n#define sk_X509_ALGOR_insert BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_ALGOR_insert)\n#define sk_X509_ALGOR_delete BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_ALGOR_delete)\n#define sk_X509_ALGOR_delete_ptr BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_ALGOR_delete_ptr)\n#define sk_X509_ALGOR_find BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_ALGOR_find)\n#define sk_X509_ALGOR_shift BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_ALGOR_shift)\n#define sk_X509_ALGOR_push BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_ALGOR_push)\n#define sk_X509_ALGOR_pop BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_ALGOR_pop)\n#define sk_X509_ALGOR_dup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_ALGOR_dup)\n#define sk_X509_ALGOR_sort BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_ALGOR_sort)\n#define sk_X509_ALGOR_is_sorted BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_ALGOR_is_sorted)\n#define sk_X509_ALGOR_set_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_ALGOR_set_cmp_func)\n#define sk_X509_ALGOR_deep_copy BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_ALGOR_deep_copy)\n#define sk_X509_ATTRIBUTE_call_free_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_ATTRIBUTE_call_free_func)\n#define sk_X509_ATTRIBUTE_call_copy_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_ATTRIBUTE_call_copy_func)\n#define sk_X509_ATTRIBUTE_call_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_ATTRIBUTE_call_cmp_func)\n#define sk_X509_ATTRIBUTE_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_ATTRIBUTE_new)\n#define sk_X509_ATTRIBUTE_new_null BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_ATTRIBUTE_new_null)\n#define sk_X509_ATTRIBUTE_num BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_ATTRIBUTE_num)\n#define sk_X509_ATTRIBUTE_zero BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_ATTRIBUTE_zero)\n#define sk_X509_ATTRIBUTE_value BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_ATTRIBUTE_value)\n#define sk_X509_ATTRIBUTE_set BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_ATTRIBUTE_set)\n#define sk_X509_ATTRIBUTE_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_ATTRIBUTE_free)\n#define sk_X509_ATTRIBUTE_pop_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_ATTRIBUTE_pop_free)\n#define sk_X509_ATTRIBUTE_insert BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_ATTRIBUTE_insert)\n#define sk_X509_ATTRIBUTE_delete BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_ATTRIBUTE_delete)\n#define sk_X509_ATTRIBUTE_delete_ptr BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_ATTRIBUTE_delete_ptr)\n#define sk_X509_ATTRIBUTE_find BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_ATTRIBUTE_find)\n#define sk_X509_ATTRIBUTE_shift BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_ATTRIBUTE_shift)\n#define sk_X509_ATTRIBUTE_push BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_ATTRIBUTE_push)\n#define sk_X509_ATTRIBUTE_pop BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_ATTRIBUTE_pop)\n#define sk_X509_ATTRIBUTE_dup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_ATTRIBUTE_dup)\n#define sk_X509_ATTRIBUTE_sort BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_ATTRIBUTE_sort)\n#define sk_X509_ATTRIBUTE_is_sorted BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_ATTRIBUTE_is_sorted)\n#define sk_X509_ATTRIBUTE_set_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_ATTRIBUTE_set_cmp_func)\n#define sk_X509_ATTRIBUTE_deep_copy BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_ATTRIBUTE_deep_copy)\n#define sk_X509_OBJECT_call_free_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_OBJECT_call_free_func)\n#define sk_X509_OBJECT_call_copy_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_OBJECT_call_copy_func)\n#define sk_X509_OBJECT_call_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_OBJECT_call_cmp_func)\n#define sk_X509_OBJECT_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_OBJECT_new)\n#define sk_X509_OBJECT_new_null BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_OBJECT_new_null)\n#define sk_X509_OBJECT_num BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_OBJECT_num)\n#define sk_X509_OBJECT_zero BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_OBJECT_zero)\n#define sk_X509_OBJECT_value BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_OBJECT_value)\n#define sk_X509_OBJECT_set BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_OBJECT_set)\n#define sk_X509_OBJECT_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_OBJECT_free)\n#define sk_X509_OBJECT_pop_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_OBJECT_pop_free)\n#define sk_X509_OBJECT_insert BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_OBJECT_insert)\n#define sk_X509_OBJECT_delete BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_OBJECT_delete)\n#define sk_X509_OBJECT_delete_ptr BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_OBJECT_delete_ptr)\n#define sk_X509_OBJECT_find BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_OBJECT_find)\n#define sk_X509_OBJECT_shift BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_OBJECT_shift)\n#define sk_X509_OBJECT_push BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_OBJECT_push)\n#define sk_X509_OBJECT_pop BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_OBJECT_pop)\n#define sk_X509_OBJECT_dup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_OBJECT_dup)\n#define sk_X509_OBJECT_sort BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_OBJECT_sort)\n#define sk_X509_OBJECT_is_sorted BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_OBJECT_is_sorted)\n#define sk_X509_OBJECT_set_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_OBJECT_set_cmp_func)\n#define sk_X509_OBJECT_deep_copy BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_OBJECT_deep_copy)\n#define sk_X509_INFO_call_free_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_INFO_call_free_func)\n#define sk_X509_INFO_call_copy_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_INFO_call_copy_func)\n#define sk_X509_INFO_call_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_INFO_call_cmp_func)\n#define sk_X509_INFO_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_INFO_new)\n#define sk_X509_INFO_new_null BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_INFO_new_null)\n#define sk_X509_INFO_num BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_INFO_num)\n#define sk_X509_INFO_zero BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_INFO_zero)\n#define sk_X509_INFO_value BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_INFO_value)\n#define sk_X509_INFO_set BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_INFO_set)\n#define sk_X509_INFO_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_INFO_free)\n#define sk_X509_INFO_pop_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_INFO_pop_free)\n#define sk_X509_INFO_insert BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_INFO_insert)\n#define sk_X509_INFO_delete BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_INFO_delete)\n#define sk_X509_INFO_delete_ptr BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_INFO_delete_ptr)\n#define sk_X509_INFO_find BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_INFO_find)\n#define sk_X509_INFO_shift BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_INFO_shift)\n#define sk_X509_INFO_push BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_INFO_push)\n#define sk_X509_INFO_pop BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_INFO_pop)\n#define sk_X509_INFO_dup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_INFO_dup)\n#define sk_X509_INFO_sort BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_INFO_sort)\n#define sk_X509_INFO_is_sorted BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_INFO_is_sorted)\n#define sk_X509_INFO_set_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_INFO_set_cmp_func)\n#define sk_X509_INFO_deep_copy BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_INFO_deep_copy)\n#define sk_CRYPTO_BUFFER_call_free_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_CRYPTO_BUFFER_call_free_func)\n#define sk_CRYPTO_BUFFER_call_copy_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_CRYPTO_BUFFER_call_copy_func)\n#define sk_CRYPTO_BUFFER_call_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_CRYPTO_BUFFER_call_cmp_func)\n#define sk_CRYPTO_BUFFER_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_CRYPTO_BUFFER_new)\n#define sk_CRYPTO_BUFFER_new_null BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_CRYPTO_BUFFER_new_null)\n#define sk_CRYPTO_BUFFER_num BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_CRYPTO_BUFFER_num)\n#define sk_CRYPTO_BUFFER_zero BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_CRYPTO_BUFFER_zero)\n#define sk_CRYPTO_BUFFER_value BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_CRYPTO_BUFFER_value)\n#define sk_CRYPTO_BUFFER_set BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_CRYPTO_BUFFER_set)\n#define sk_CRYPTO_BUFFER_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_CRYPTO_BUFFER_free)\n#define sk_CRYPTO_BUFFER_pop_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_CRYPTO_BUFFER_pop_free)\n#define sk_CRYPTO_BUFFER_insert BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_CRYPTO_BUFFER_insert)\n#define sk_CRYPTO_BUFFER_delete BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_CRYPTO_BUFFER_delete)\n#define sk_CRYPTO_BUFFER_delete_ptr BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_CRYPTO_BUFFER_delete_ptr)\n#define sk_CRYPTO_BUFFER_find BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_CRYPTO_BUFFER_find)\n#define sk_CRYPTO_BUFFER_shift BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_CRYPTO_BUFFER_shift)\n#define sk_CRYPTO_BUFFER_push BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_CRYPTO_BUFFER_push)\n#define sk_CRYPTO_BUFFER_pop BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_CRYPTO_BUFFER_pop)\n#define sk_CRYPTO_BUFFER_dup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_CRYPTO_BUFFER_dup)\n#define sk_CRYPTO_BUFFER_sort BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_CRYPTO_BUFFER_sort)\n#define sk_CRYPTO_BUFFER_is_sorted BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_CRYPTO_BUFFER_is_sorted)\n#define sk_CRYPTO_BUFFER_set_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_CRYPTO_BUFFER_set_cmp_func)\n#define sk_CRYPTO_BUFFER_deep_copy BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_CRYPTO_BUFFER_deep_copy)\n#define sk_ASN1_INTEGER_call_free_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_INTEGER_call_free_func)\n#define sk_ASN1_INTEGER_call_copy_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_INTEGER_call_copy_func)\n#define sk_ASN1_INTEGER_call_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_INTEGER_call_cmp_func)\n#define sk_ASN1_INTEGER_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_INTEGER_new)\n#define sk_ASN1_INTEGER_new_null BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_INTEGER_new_null)\n#define sk_ASN1_INTEGER_num BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_INTEGER_num)\n#define sk_ASN1_INTEGER_zero BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_INTEGER_zero)\n#define sk_ASN1_INTEGER_value BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_INTEGER_value)\n#define sk_ASN1_INTEGER_set BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_INTEGER_set)\n#define sk_ASN1_INTEGER_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_INTEGER_free)\n#define sk_ASN1_INTEGER_pop_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_INTEGER_pop_free)\n#define sk_ASN1_INTEGER_insert BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_INTEGER_insert)\n#define sk_ASN1_INTEGER_delete BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_INTEGER_delete)\n#define sk_ASN1_INTEGER_delete_ptr BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_INTEGER_delete_ptr)\n#define sk_ASN1_INTEGER_find BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_INTEGER_find)\n#define sk_ASN1_INTEGER_shift BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_INTEGER_shift)\n#define sk_ASN1_INTEGER_push BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_INTEGER_push)\n#define sk_ASN1_INTEGER_pop BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_INTEGER_pop)\n#define sk_ASN1_INTEGER_dup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_INTEGER_dup)\n#define sk_ASN1_INTEGER_sort BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_INTEGER_sort)\n#define sk_ASN1_INTEGER_is_sorted BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_INTEGER_is_sorted)\n#define sk_ASN1_INTEGER_set_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_INTEGER_set_cmp_func)\n#define sk_ASN1_INTEGER_deep_copy BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_INTEGER_deep_copy)\n#define sk_ASN1_OBJECT_call_free_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_OBJECT_call_free_func)\n#define sk_ASN1_OBJECT_call_copy_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_OBJECT_call_copy_func)\n#define sk_ASN1_OBJECT_call_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_OBJECT_call_cmp_func)\n#define sk_ASN1_OBJECT_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_OBJECT_new)\n#define sk_ASN1_OBJECT_new_null BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_OBJECT_new_null)\n#define sk_ASN1_OBJECT_num BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_OBJECT_num)\n#define sk_ASN1_OBJECT_zero BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_OBJECT_zero)\n#define sk_ASN1_OBJECT_value BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_OBJECT_value)\n#define sk_ASN1_OBJECT_set BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_OBJECT_set)\n#define sk_ASN1_OBJECT_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_OBJECT_free)\n#define sk_ASN1_OBJECT_pop_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_OBJECT_pop_free)\n#define sk_ASN1_OBJECT_insert BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_OBJECT_insert)\n#define sk_ASN1_OBJECT_delete BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_OBJECT_delete)\n#define sk_ASN1_OBJECT_delete_ptr BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_OBJECT_delete_ptr)\n#define sk_ASN1_OBJECT_find BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_OBJECT_find)\n#define sk_ASN1_OBJECT_shift BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_OBJECT_shift)\n#define sk_ASN1_OBJECT_push BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_OBJECT_push)\n#define sk_ASN1_OBJECT_pop BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_OBJECT_pop)\n#define sk_ASN1_OBJECT_dup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_OBJECT_dup)\n#define sk_ASN1_OBJECT_sort BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_OBJECT_sort)\n#define sk_ASN1_OBJECT_is_sorted BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_OBJECT_is_sorted)\n#define sk_ASN1_OBJECT_set_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_OBJECT_set_cmp_func)\n#define sk_ASN1_OBJECT_deep_copy BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_OBJECT_deep_copy)\n#define sk_ASN1_TYPE_call_free_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_TYPE_call_free_func)\n#define sk_ASN1_TYPE_call_copy_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_TYPE_call_copy_func)\n#define sk_ASN1_TYPE_call_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_TYPE_call_cmp_func)\n#define sk_ASN1_TYPE_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_TYPE_new)\n#define sk_ASN1_TYPE_new_null BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_TYPE_new_null)\n#define sk_ASN1_TYPE_num BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_TYPE_num)\n#define sk_ASN1_TYPE_zero BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_TYPE_zero)\n#define sk_ASN1_TYPE_value BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_TYPE_value)\n#define sk_ASN1_TYPE_set BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_TYPE_set)\n#define sk_ASN1_TYPE_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_TYPE_free)\n#define sk_ASN1_TYPE_pop_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_TYPE_pop_free)\n#define sk_ASN1_TYPE_insert BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_TYPE_insert)\n#define sk_ASN1_TYPE_delete BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_TYPE_delete)\n#define sk_ASN1_TYPE_delete_ptr BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_TYPE_delete_ptr)\n#define sk_ASN1_TYPE_find BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_TYPE_find)\n#define sk_ASN1_TYPE_shift BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_TYPE_shift)\n#define sk_ASN1_TYPE_push BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_TYPE_push)\n#define sk_ASN1_TYPE_pop BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_TYPE_pop)\n#define sk_ASN1_TYPE_dup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_TYPE_dup)\n#define sk_ASN1_TYPE_sort BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_TYPE_sort)\n#define sk_ASN1_TYPE_is_sorted BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_TYPE_is_sorted)\n#define sk_ASN1_TYPE_set_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_TYPE_set_cmp_func)\n#define sk_ASN1_TYPE_deep_copy BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_TYPE_deep_copy)\n#define sk_BIO_call_free_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_BIO_call_free_func)\n#define sk_BIO_call_copy_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_BIO_call_copy_func)\n#define sk_BIO_call_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_BIO_call_cmp_func)\n#define sk_BIO_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_BIO_new)\n#define sk_BIO_new_null BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_BIO_new_null)\n#define sk_BIO_num BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_BIO_num)\n#define sk_BIO_zero BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_BIO_zero)\n#define sk_BIO_value BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_BIO_value)\n#define sk_BIO_set BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_BIO_set)\n#define sk_BIO_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_BIO_free)\n#define sk_BIO_pop_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_BIO_pop_free)\n#define sk_BIO_insert BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_BIO_insert)\n#define sk_BIO_delete BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_BIO_delete)\n#define sk_BIO_delete_ptr BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_BIO_delete_ptr)\n#define sk_BIO_find BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_BIO_find)\n#define sk_BIO_shift BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_BIO_shift)\n#define sk_BIO_push BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_BIO_push)\n#define sk_BIO_pop BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_BIO_pop)\n#define sk_BIO_dup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_BIO_dup)\n#define sk_BIO_sort BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_BIO_sort)\n#define sk_BIO_is_sorted BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_BIO_is_sorted)\n#define sk_BIO_set_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_BIO_set_cmp_func)\n#define sk_BIO_deep_copy BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_BIO_deep_copy)\n#define sk_CONF_VALUE_call_free_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_CONF_VALUE_call_free_func)\n#define sk_CONF_VALUE_call_copy_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_CONF_VALUE_call_copy_func)\n#define sk_CONF_VALUE_call_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_CONF_VALUE_call_cmp_func)\n#define sk_CONF_VALUE_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_CONF_VALUE_new)\n#define sk_CONF_VALUE_new_null BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_CONF_VALUE_new_null)\n#define sk_CONF_VALUE_num BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_CONF_VALUE_num)\n#define sk_CONF_VALUE_zero BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_CONF_VALUE_zero)\n#define sk_CONF_VALUE_value BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_CONF_VALUE_value)\n#define sk_CONF_VALUE_set BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_CONF_VALUE_set)\n#define sk_CONF_VALUE_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_CONF_VALUE_free)\n#define sk_CONF_VALUE_pop_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_CONF_VALUE_pop_free)\n#define sk_CONF_VALUE_insert BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_CONF_VALUE_insert)\n#define sk_CONF_VALUE_delete BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_CONF_VALUE_delete)\n#define sk_CONF_VALUE_delete_ptr BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_CONF_VALUE_delete_ptr)\n#define sk_CONF_VALUE_find BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_CONF_VALUE_find)\n#define sk_CONF_VALUE_shift BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_CONF_VALUE_shift)\n#define sk_CONF_VALUE_push BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_CONF_VALUE_push)\n#define sk_CONF_VALUE_pop BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_CONF_VALUE_pop)\n#define sk_CONF_VALUE_dup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_CONF_VALUE_dup)\n#define sk_CONF_VALUE_sort BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_CONF_VALUE_sort)\n#define sk_CONF_VALUE_is_sorted BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_CONF_VALUE_is_sorted)\n#define sk_CONF_VALUE_set_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_CONF_VALUE_set_cmp_func)\n#define sk_CONF_VALUE_deep_copy BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_CONF_VALUE_deep_copy)\n#define sk_SSL_COMP_call_free_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_SSL_COMP_call_free_func)\n#define sk_SSL_COMP_call_copy_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_SSL_COMP_call_copy_func)\n#define sk_SSL_COMP_call_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_SSL_COMP_call_cmp_func)\n#define sk_SSL_COMP_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_SSL_COMP_new)\n#define sk_SSL_COMP_new_null BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_SSL_COMP_new_null)\n#define sk_SSL_COMP_num BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_SSL_COMP_num)\n#define sk_SSL_COMP_zero BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_SSL_COMP_zero)\n#define sk_SSL_COMP_value BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_SSL_COMP_value)\n#define sk_SSL_COMP_set BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_SSL_COMP_set)\n#define sk_SSL_COMP_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_SSL_COMP_free)\n#define sk_SSL_COMP_pop_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_SSL_COMP_pop_free)\n#define sk_SSL_COMP_insert BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_SSL_COMP_insert)\n#define sk_SSL_COMP_delete BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_SSL_COMP_delete)\n#define sk_SSL_COMP_delete_ptr BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_SSL_COMP_delete_ptr)\n#define sk_SSL_COMP_find BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_SSL_COMP_find)\n#define sk_SSL_COMP_shift BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_SSL_COMP_shift)\n#define sk_SSL_COMP_push BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_SSL_COMP_push)\n#define sk_SSL_COMP_pop BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_SSL_COMP_pop)\n#define sk_SSL_COMP_dup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_SSL_COMP_dup)\n#define sk_SSL_COMP_sort BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_SSL_COMP_sort)\n#define sk_SSL_COMP_is_sorted BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_SSL_COMP_is_sorted)\n#define sk_SSL_COMP_set_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_SSL_COMP_set_cmp_func)\n#define sk_SSL_COMP_deep_copy BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_SSL_COMP_deep_copy)\n#define sk_void_call_free_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_void_call_free_func)\n#define sk_void_call_copy_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_void_call_copy_func)\n#define sk_void_call_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_void_call_cmp_func)\n#define sk_void_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_void_new)\n#define sk_void_new_null BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_void_new_null)\n#define sk_void_num BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_void_num)\n#define sk_void_zero BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_void_zero)\n#define sk_void_value BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_void_value)\n#define sk_void_set BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_void_set)\n#define sk_void_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_void_free)\n#define sk_void_pop_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_void_pop_free)\n#define sk_void_insert BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_void_insert)\n#define sk_void_delete BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_void_delete)\n#define sk_void_delete_ptr BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_void_delete_ptr)\n#define sk_void_find BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_void_find)\n#define sk_void_shift BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_void_shift)\n#define sk_void_push BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_void_push)\n#define sk_void_pop BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_void_pop)\n#define sk_void_dup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_void_dup)\n#define sk_void_sort BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_void_sort)\n#define sk_void_is_sorted BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_void_is_sorted)\n#define sk_void_set_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_void_set_cmp_func)\n#define sk_void_deep_copy BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_void_deep_copy)\n#define sk_OPENSSL_STRING_call_free_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_OPENSSL_STRING_call_free_func)\n#define sk_OPENSSL_STRING_call_copy_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_OPENSSL_STRING_call_copy_func)\n#define sk_OPENSSL_STRING_call_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_OPENSSL_STRING_call_cmp_func)\n#define sk_OPENSSL_STRING_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_OPENSSL_STRING_new)\n#define sk_OPENSSL_STRING_new_null BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_OPENSSL_STRING_new_null)\n#define sk_OPENSSL_STRING_num BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_OPENSSL_STRING_num)\n#define sk_OPENSSL_STRING_zero BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_OPENSSL_STRING_zero)\n#define sk_OPENSSL_STRING_value BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_OPENSSL_STRING_value)\n#define sk_OPENSSL_STRING_set BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_OPENSSL_STRING_set)\n#define sk_OPENSSL_STRING_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_OPENSSL_STRING_free)\n#define sk_OPENSSL_STRING_pop_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_OPENSSL_STRING_pop_free)\n#define sk_OPENSSL_STRING_insert BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_OPENSSL_STRING_insert)\n#define sk_OPENSSL_STRING_delete BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_OPENSSL_STRING_delete)\n#define sk_OPENSSL_STRING_delete_ptr BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_OPENSSL_STRING_delete_ptr)\n#define sk_OPENSSL_STRING_find BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_OPENSSL_STRING_find)\n#define sk_OPENSSL_STRING_shift BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_OPENSSL_STRING_shift)\n#define sk_OPENSSL_STRING_push BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_OPENSSL_STRING_push)\n#define sk_OPENSSL_STRING_pop BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_OPENSSL_STRING_pop)\n#define sk_OPENSSL_STRING_dup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_OPENSSL_STRING_dup)\n#define sk_OPENSSL_STRING_sort BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_OPENSSL_STRING_sort)\n#define sk_OPENSSL_STRING_is_sorted BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_OPENSSL_STRING_is_sorted)\n#define sk_OPENSSL_STRING_set_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_OPENSSL_STRING_set_cmp_func)\n#define sk_OPENSSL_STRING_deep_copy BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_OPENSSL_STRING_deep_copy)\n#define sk_TRUST_TOKEN_call_free_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_TRUST_TOKEN_call_free_func)\n#define sk_TRUST_TOKEN_call_copy_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_TRUST_TOKEN_call_copy_func)\n#define sk_TRUST_TOKEN_call_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_TRUST_TOKEN_call_cmp_func)\n#define sk_TRUST_TOKEN_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_TRUST_TOKEN_new)\n#define sk_TRUST_TOKEN_new_null BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_TRUST_TOKEN_new_null)\n#define sk_TRUST_TOKEN_num BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_TRUST_TOKEN_num)\n#define sk_TRUST_TOKEN_zero BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_TRUST_TOKEN_zero)\n#define sk_TRUST_TOKEN_value BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_TRUST_TOKEN_value)\n#define sk_TRUST_TOKEN_set BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_TRUST_TOKEN_set)\n#define sk_TRUST_TOKEN_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_TRUST_TOKEN_free)\n#define sk_TRUST_TOKEN_pop_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_TRUST_TOKEN_pop_free)\n#define sk_TRUST_TOKEN_insert BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_TRUST_TOKEN_insert)\n#define sk_TRUST_TOKEN_delete BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_TRUST_TOKEN_delete)\n#define sk_TRUST_TOKEN_delete_ptr BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_TRUST_TOKEN_delete_ptr)\n#define sk_TRUST_TOKEN_find BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_TRUST_TOKEN_find)\n#define sk_TRUST_TOKEN_shift BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_TRUST_TOKEN_shift)\n#define sk_TRUST_TOKEN_push BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_TRUST_TOKEN_push)\n#define sk_TRUST_TOKEN_pop BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_TRUST_TOKEN_pop)\n#define sk_TRUST_TOKEN_dup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_TRUST_TOKEN_dup)\n#define sk_TRUST_TOKEN_sort BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_TRUST_TOKEN_sort)\n#define sk_TRUST_TOKEN_is_sorted BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_TRUST_TOKEN_is_sorted)\n#define sk_TRUST_TOKEN_set_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_TRUST_TOKEN_set_cmp_func)\n#define sk_TRUST_TOKEN_deep_copy BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_TRUST_TOKEN_deep_copy)\n#define sk_ASN1_VALUE_call_free_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_VALUE_call_free_func)\n#define sk_ASN1_VALUE_call_copy_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_VALUE_call_copy_func)\n#define sk_ASN1_VALUE_call_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_VALUE_call_cmp_func)\n#define sk_ASN1_VALUE_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_VALUE_new)\n#define sk_ASN1_VALUE_new_null BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_VALUE_new_null)\n#define sk_ASN1_VALUE_num BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_VALUE_num)\n#define sk_ASN1_VALUE_zero BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_VALUE_zero)\n#define sk_ASN1_VALUE_value BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_VALUE_value)\n#define sk_ASN1_VALUE_set BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_VALUE_set)\n#define sk_ASN1_VALUE_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_VALUE_free)\n#define sk_ASN1_VALUE_pop_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_VALUE_pop_free)\n#define sk_ASN1_VALUE_insert BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_VALUE_insert)\n#define sk_ASN1_VALUE_delete BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_VALUE_delete)\n#define sk_ASN1_VALUE_delete_ptr BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_VALUE_delete_ptr)\n#define sk_ASN1_VALUE_find BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_VALUE_find)\n#define sk_ASN1_VALUE_shift BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_VALUE_shift)\n#define sk_ASN1_VALUE_push BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_VALUE_push)\n#define sk_ASN1_VALUE_pop BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_VALUE_pop)\n#define sk_ASN1_VALUE_dup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_VALUE_dup)\n#define sk_ASN1_VALUE_sort BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_VALUE_sort)\n#define sk_ASN1_VALUE_is_sorted BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_VALUE_is_sorted)\n#define sk_ASN1_VALUE_set_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_VALUE_set_cmp_func)\n#define sk_ASN1_VALUE_deep_copy BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_VALUE_deep_copy)\n#define lh_ASN1_STRING_TABLE_call_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_ASN1_STRING_TABLE_call_cmp_func)\n#define lh_ASN1_STRING_TABLE_call_hash_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_ASN1_STRING_TABLE_call_hash_func)\n#define lh_ASN1_STRING_TABLE_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_ASN1_STRING_TABLE_new)\n#define lh_ASN1_STRING_TABLE_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_ASN1_STRING_TABLE_free)\n#define lh_ASN1_STRING_TABLE_num_items BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_ASN1_STRING_TABLE_num_items)\n#define lh_ASN1_STRING_TABLE_retrieve BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_ASN1_STRING_TABLE_retrieve)\n#define lh_ASN1_STRING_TABLE_call_cmp_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_ASN1_STRING_TABLE_call_cmp_key)\n#define lh_ASN1_STRING_TABLE_retrieve_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_ASN1_STRING_TABLE_retrieve_key)\n#define lh_ASN1_STRING_TABLE_insert BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_ASN1_STRING_TABLE_insert)\n#define lh_ASN1_STRING_TABLE_delete BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_ASN1_STRING_TABLE_delete)\n#define lh_ASN1_STRING_TABLE_call_doall BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_ASN1_STRING_TABLE_call_doall)\n#define lh_ASN1_STRING_TABLE_call_doall_arg BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_ASN1_STRING_TABLE_call_doall_arg)\n#define lh_ASN1_STRING_TABLE_doall BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_ASN1_STRING_TABLE_doall)\n#define lh_ASN1_STRING_TABLE_doall_arg BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_ASN1_STRING_TABLE_doall_arg)\n#define lh_ASN1_OBJECT_call_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_ASN1_OBJECT_call_cmp_func)\n#define lh_ASN1_OBJECT_call_hash_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_ASN1_OBJECT_call_hash_func)\n#define lh_ASN1_OBJECT_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_ASN1_OBJECT_new)\n#define lh_ASN1_OBJECT_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_ASN1_OBJECT_free)\n#define lh_ASN1_OBJECT_num_items BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_ASN1_OBJECT_num_items)\n#define lh_ASN1_OBJECT_retrieve BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_ASN1_OBJECT_retrieve)\n#define lh_ASN1_OBJECT_call_cmp_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_ASN1_OBJECT_call_cmp_key)\n#define lh_ASN1_OBJECT_retrieve_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_ASN1_OBJECT_retrieve_key)\n#define lh_ASN1_OBJECT_insert BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_ASN1_OBJECT_insert)\n#define lh_ASN1_OBJECT_delete BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_ASN1_OBJECT_delete)\n#define lh_ASN1_OBJECT_call_doall BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_ASN1_OBJECT_call_doall)\n#define lh_ASN1_OBJECT_call_doall_arg BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_ASN1_OBJECT_call_doall_arg)\n#define lh_ASN1_OBJECT_doall BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_ASN1_OBJECT_doall)\n#define lh_ASN1_OBJECT_doall_arg BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_ASN1_OBJECT_doall_arg)\n#define lh_CONF_SECTION_call_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_CONF_SECTION_call_cmp_func)\n#define lh_CONF_SECTION_call_hash_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_CONF_SECTION_call_hash_func)\n#define lh_CONF_SECTION_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_CONF_SECTION_new)\n#define lh_CONF_SECTION_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_CONF_SECTION_free)\n#define lh_CONF_SECTION_num_items BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_CONF_SECTION_num_items)\n#define lh_CONF_SECTION_retrieve BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_CONF_SECTION_retrieve)\n#define lh_CONF_SECTION_call_cmp_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_CONF_SECTION_call_cmp_key)\n#define lh_CONF_SECTION_retrieve_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_CONF_SECTION_retrieve_key)\n#define lh_CONF_SECTION_insert BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_CONF_SECTION_insert)\n#define lh_CONF_SECTION_delete BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_CONF_SECTION_delete)\n#define lh_CONF_SECTION_call_doall BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_CONF_SECTION_call_doall)\n#define lh_CONF_SECTION_call_doall_arg BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_CONF_SECTION_call_doall_arg)\n#define lh_CONF_SECTION_doall BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_CONF_SECTION_doall)\n#define lh_CONF_SECTION_doall_arg BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_CONF_SECTION_doall_arg)\n#define lh_CONF_VALUE_call_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_CONF_VALUE_call_cmp_func)\n#define lh_CONF_VALUE_call_hash_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_CONF_VALUE_call_hash_func)\n#define lh_CONF_VALUE_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_CONF_VALUE_new)\n#define lh_CONF_VALUE_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_CONF_VALUE_free)\n#define lh_CONF_VALUE_num_items BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_CONF_VALUE_num_items)\n#define lh_CONF_VALUE_retrieve BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_CONF_VALUE_retrieve)\n#define lh_CONF_VALUE_call_cmp_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_CONF_VALUE_call_cmp_key)\n#define lh_CONF_VALUE_retrieve_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_CONF_VALUE_retrieve_key)\n#define lh_CONF_VALUE_insert BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_CONF_VALUE_insert)\n#define lh_CONF_VALUE_delete BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_CONF_VALUE_delete)\n#define lh_CONF_VALUE_call_doall BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_CONF_VALUE_call_doall)\n#define lh_CONF_VALUE_call_doall_arg BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_CONF_VALUE_call_doall_arg)\n#define lh_CONF_VALUE_doall BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_CONF_VALUE_doall)\n#define lh_CONF_VALUE_doall_arg BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_CONF_VALUE_doall_arg)\n#define lh_CRYPTO_BUFFER_call_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_CRYPTO_BUFFER_call_cmp_func)\n#define lh_CRYPTO_BUFFER_call_hash_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_CRYPTO_BUFFER_call_hash_func)\n#define lh_CRYPTO_BUFFER_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_CRYPTO_BUFFER_new)\n#define lh_CRYPTO_BUFFER_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_CRYPTO_BUFFER_free)\n#define lh_CRYPTO_BUFFER_num_items BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_CRYPTO_BUFFER_num_items)\n#define lh_CRYPTO_BUFFER_retrieve BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_CRYPTO_BUFFER_retrieve)\n#define lh_CRYPTO_BUFFER_call_cmp_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_CRYPTO_BUFFER_call_cmp_key)\n#define lh_CRYPTO_BUFFER_retrieve_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_CRYPTO_BUFFER_retrieve_key)\n#define lh_CRYPTO_BUFFER_insert BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_CRYPTO_BUFFER_insert)\n#define lh_CRYPTO_BUFFER_delete BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_CRYPTO_BUFFER_delete)\n#define lh_CRYPTO_BUFFER_call_doall BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_CRYPTO_BUFFER_call_doall)\n#define lh_CRYPTO_BUFFER_call_doall_arg BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_CRYPTO_BUFFER_call_doall_arg)\n#define lh_CRYPTO_BUFFER_doall BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_CRYPTO_BUFFER_doall)\n#define lh_CRYPTO_BUFFER_doall_arg BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_CRYPTO_BUFFER_doall_arg)\n#define lh_SSL_SESSION_call_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_SSL_SESSION_call_cmp_func)\n#define lh_SSL_SESSION_call_hash_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_SSL_SESSION_call_hash_func)\n#define lh_SSL_SESSION_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_SSL_SESSION_new)\n#define lh_SSL_SESSION_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_SSL_SESSION_free)\n#define lh_SSL_SESSION_num_items BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_SSL_SESSION_num_items)\n#define lh_SSL_SESSION_retrieve BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_SSL_SESSION_retrieve)\n#define lh_SSL_SESSION_call_cmp_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_SSL_SESSION_call_cmp_key)\n#define lh_SSL_SESSION_retrieve_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_SSL_SESSION_retrieve_key)\n#define lh_SSL_SESSION_insert BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_SSL_SESSION_insert)\n#define lh_SSL_SESSION_delete BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_SSL_SESSION_delete)\n#define lh_SSL_SESSION_call_doall BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_SSL_SESSION_call_doall)\n#define lh_SSL_SESSION_call_doall_arg BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_SSL_SESSION_call_doall_arg)\n#define lh_SSL_SESSION_doall BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_SSL_SESSION_doall)\n#define lh_SSL_SESSION_doall_arg BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_SSL_SESSION_doall_arg)\n#define ssl_credential_st BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ssl_credential_st)\n#define ssl_ctx_st BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ssl_ctx_st)\n#define ssl_ech_keys_st BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ssl_ech_keys_st)\n#define ssl_session_st BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ssl_session_st)\n#define ssl_st BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ssl_st)\n" }, { "path": "Sources/CNIOBoringSSL/include/CNIOBoringSSL_boringssl_prefix_symbols_asm.h", "content": "// Copyright 2018 The BoringSSL Authors\n//\n// Permission to use, copy, modify, and/or distribute this software for any\n// purpose with or without fee is hereby granted, provided that the above\n// copyright notice and this permission notice appear in all copies.\n//\n// THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n// WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n// MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n// SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n// WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n// OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n// CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.\n\n#if !defined(__APPLE__)\n#include \"CNIOBoringSSL_boringssl_prefix_symbols.h\"\n#else\n// On iOS and macOS, we need to treat assembly symbols differently from other\n// symbols. The linker expects symbols to be prefixed with an underscore.\n// Perlasm thus generates symbol with this underscore applied. Our macros must,\n// in turn, incorporate it.\n#define BORINGSSL_ADD_PREFIX_MAC_ASM(a, b) BORINGSSL_ADD_PREFIX_INNER_MAC_ASM(a, b)\n#define BORINGSSL_ADD_PREFIX_INNER_MAC_ASM(a, b) _ ## a ## _ ## b\n\n#define _ACCESS_DESCRIPTION_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ACCESS_DESCRIPTION_free)\n#define _ACCESS_DESCRIPTION_new BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ACCESS_DESCRIPTION_new)\n#define _AES_CMAC BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, AES_CMAC)\n#define _AES_cbc_encrypt BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, AES_cbc_encrypt)\n#define _AES_cfb128_encrypt BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, AES_cfb128_encrypt)\n#define _AES_ctr128_encrypt BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, AES_ctr128_encrypt)\n#define _AES_decrypt BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, AES_decrypt)\n#define _AES_ecb_encrypt BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, AES_ecb_encrypt)\n#define _AES_encrypt BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, AES_encrypt)\n#define _AES_ofb128_encrypt BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, AES_ofb128_encrypt)\n#define _AES_set_decrypt_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, AES_set_decrypt_key)\n#define _AES_set_encrypt_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, AES_set_encrypt_key)\n#define _AES_unwrap_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, AES_unwrap_key)\n#define _AES_unwrap_key_padded BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, AES_unwrap_key_padded)\n#define _AES_wrap_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, AES_wrap_key)\n#define _AES_wrap_key_padded BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, AES_wrap_key_padded)\n#define _ASN1_ANY_it BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_ANY_it)\n#define _ASN1_BIT_STRING_check BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_BIT_STRING_check)\n#define _ASN1_BIT_STRING_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_BIT_STRING_free)\n#define _ASN1_BIT_STRING_get_bit BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_BIT_STRING_get_bit)\n#define _ASN1_BIT_STRING_it BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_BIT_STRING_it)\n#define _ASN1_BIT_STRING_new BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_BIT_STRING_new)\n#define _ASN1_BIT_STRING_num_bytes BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_BIT_STRING_num_bytes)\n#define _ASN1_BIT_STRING_set BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_BIT_STRING_set)\n#define _ASN1_BIT_STRING_set_bit BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_BIT_STRING_set_bit)\n#define _ASN1_BMPSTRING_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_BMPSTRING_free)\n#define _ASN1_BMPSTRING_it BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_BMPSTRING_it)\n#define _ASN1_BMPSTRING_new BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_BMPSTRING_new)\n#define _ASN1_BOOLEAN_it BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_BOOLEAN_it)\n#define _ASN1_ENUMERATED_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_ENUMERATED_free)\n#define _ASN1_ENUMERATED_get BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_ENUMERATED_get)\n#define _ASN1_ENUMERATED_get_int64 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_ENUMERATED_get_int64)\n#define _ASN1_ENUMERATED_get_uint64 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_ENUMERATED_get_uint64)\n#define _ASN1_ENUMERATED_it BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_ENUMERATED_it)\n#define _ASN1_ENUMERATED_new BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_ENUMERATED_new)\n#define _ASN1_ENUMERATED_set BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_ENUMERATED_set)\n#define _ASN1_ENUMERATED_set_int64 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_ENUMERATED_set_int64)\n#define _ASN1_ENUMERATED_set_uint64 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_ENUMERATED_set_uint64)\n#define _ASN1_ENUMERATED_to_BN BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_ENUMERATED_to_BN)\n#define _ASN1_FBOOLEAN_it BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_FBOOLEAN_it)\n#define _ASN1_GENERALIZEDTIME_adj BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_GENERALIZEDTIME_adj)\n#define _ASN1_GENERALIZEDTIME_check BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_GENERALIZEDTIME_check)\n#define _ASN1_GENERALIZEDTIME_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_GENERALIZEDTIME_free)\n#define _ASN1_GENERALIZEDTIME_it BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_GENERALIZEDTIME_it)\n#define _ASN1_GENERALIZEDTIME_new BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_GENERALIZEDTIME_new)\n#define _ASN1_GENERALIZEDTIME_print BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_GENERALIZEDTIME_print)\n#define _ASN1_GENERALIZEDTIME_set BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_GENERALIZEDTIME_set)\n#define _ASN1_GENERALIZEDTIME_set_string BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_GENERALIZEDTIME_set_string)\n#define _ASN1_GENERALSTRING_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_GENERALSTRING_free)\n#define _ASN1_GENERALSTRING_it BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_GENERALSTRING_it)\n#define _ASN1_GENERALSTRING_new BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_GENERALSTRING_new)\n#define _ASN1_IA5STRING_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_IA5STRING_free)\n#define _ASN1_IA5STRING_it BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_IA5STRING_it)\n#define _ASN1_IA5STRING_new BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_IA5STRING_new)\n#define _ASN1_INTEGER_cmp BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_INTEGER_cmp)\n#define _ASN1_INTEGER_dup BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_INTEGER_dup)\n#define _ASN1_INTEGER_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_INTEGER_free)\n#define _ASN1_INTEGER_get BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_INTEGER_get)\n#define _ASN1_INTEGER_get_int64 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_INTEGER_get_int64)\n#define _ASN1_INTEGER_get_uint64 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_INTEGER_get_uint64)\n#define _ASN1_INTEGER_it BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_INTEGER_it)\n#define _ASN1_INTEGER_new BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_INTEGER_new)\n#define _ASN1_INTEGER_set BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_INTEGER_set)\n#define _ASN1_INTEGER_set_int64 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_INTEGER_set_int64)\n#define _ASN1_INTEGER_set_uint64 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_INTEGER_set_uint64)\n#define _ASN1_INTEGER_to_BN BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_INTEGER_to_BN)\n#define _ASN1_NULL_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_NULL_free)\n#define _ASN1_NULL_it BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_NULL_it)\n#define _ASN1_NULL_new BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_NULL_new)\n#define _ASN1_OBJECT_create BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_OBJECT_create)\n#define _ASN1_OBJECT_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_OBJECT_free)\n#define _ASN1_OBJECT_it BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_OBJECT_it)\n#define _ASN1_OBJECT_new BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_OBJECT_new)\n#define _ASN1_OCTET_STRING_cmp BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_OCTET_STRING_cmp)\n#define _ASN1_OCTET_STRING_dup BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_OCTET_STRING_dup)\n#define _ASN1_OCTET_STRING_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_OCTET_STRING_free)\n#define _ASN1_OCTET_STRING_it BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_OCTET_STRING_it)\n#define _ASN1_OCTET_STRING_new BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_OCTET_STRING_new)\n#define _ASN1_OCTET_STRING_set BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_OCTET_STRING_set)\n#define _ASN1_PRINTABLESTRING_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_PRINTABLESTRING_free)\n#define _ASN1_PRINTABLESTRING_it BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_PRINTABLESTRING_it)\n#define _ASN1_PRINTABLESTRING_new BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_PRINTABLESTRING_new)\n#define _ASN1_PRINTABLE_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_PRINTABLE_free)\n#define _ASN1_PRINTABLE_it BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_PRINTABLE_it)\n#define _ASN1_PRINTABLE_new BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_PRINTABLE_new)\n#define _ASN1_SEQUENCE_it BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_SEQUENCE_it)\n#define _ASN1_STRING_TABLE_add BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_STRING_TABLE_add)\n#define _ASN1_STRING_TABLE_cleanup BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_STRING_TABLE_cleanup)\n#define _ASN1_STRING_cmp BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_STRING_cmp)\n#define _ASN1_STRING_copy BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_STRING_copy)\n#define _ASN1_STRING_data BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_STRING_data)\n#define _ASN1_STRING_dup BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_STRING_dup)\n#define _ASN1_STRING_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_STRING_free)\n#define _ASN1_STRING_get0_data BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_STRING_get0_data)\n#define _ASN1_STRING_get_default_mask BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_STRING_get_default_mask)\n#define _ASN1_STRING_length BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_STRING_length)\n#define _ASN1_STRING_new BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_STRING_new)\n#define _ASN1_STRING_print BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_STRING_print)\n#define _ASN1_STRING_print_ex BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_STRING_print_ex)\n#define _ASN1_STRING_print_ex_fp BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_STRING_print_ex_fp)\n#define _ASN1_STRING_set BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_STRING_set)\n#define _ASN1_STRING_set0 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_STRING_set0)\n#define _ASN1_STRING_set_by_NID BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_STRING_set_by_NID)\n#define _ASN1_STRING_set_default_mask BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_STRING_set_default_mask)\n#define _ASN1_STRING_set_default_mask_asc BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_STRING_set_default_mask_asc)\n#define _ASN1_STRING_to_UTF8 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_STRING_to_UTF8)\n#define _ASN1_STRING_type BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_STRING_type)\n#define _ASN1_STRING_type_new BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_STRING_type_new)\n#define _ASN1_T61STRING_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_T61STRING_free)\n#define _ASN1_T61STRING_it BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_T61STRING_it)\n#define _ASN1_T61STRING_new BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_T61STRING_new)\n#define _ASN1_TBOOLEAN_it BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_TBOOLEAN_it)\n#define _ASN1_TIME_adj BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_TIME_adj)\n#define _ASN1_TIME_check BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_TIME_check)\n#define _ASN1_TIME_diff BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_TIME_diff)\n#define _ASN1_TIME_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_TIME_free)\n#define _ASN1_TIME_it BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_TIME_it)\n#define _ASN1_TIME_new BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_TIME_new)\n#define _ASN1_TIME_print BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_TIME_print)\n#define _ASN1_TIME_set BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_TIME_set)\n#define _ASN1_TIME_set_posix BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_TIME_set_posix)\n#define _ASN1_TIME_set_string BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_TIME_set_string)\n#define _ASN1_TIME_set_string_X509 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_TIME_set_string_X509)\n#define _ASN1_TIME_to_generalizedtime BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_TIME_to_generalizedtime)\n#define _ASN1_TIME_to_posix BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_TIME_to_posix)\n#define _ASN1_TIME_to_posix_nonstandard BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_TIME_to_posix_nonstandard)\n#define _ASN1_TIME_to_time_t BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_TIME_to_time_t)\n#define _ASN1_TYPE_cmp BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_TYPE_cmp)\n#define _ASN1_TYPE_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_TYPE_free)\n#define _ASN1_TYPE_get BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_TYPE_get)\n#define _ASN1_TYPE_new BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_TYPE_new)\n#define _ASN1_TYPE_set BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_TYPE_set)\n#define _ASN1_TYPE_set1 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_TYPE_set1)\n#define _ASN1_UNIVERSALSTRING_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_UNIVERSALSTRING_free)\n#define _ASN1_UNIVERSALSTRING_it BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_UNIVERSALSTRING_it)\n#define _ASN1_UNIVERSALSTRING_new BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_UNIVERSALSTRING_new)\n#define _ASN1_UTCTIME_adj BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_UTCTIME_adj)\n#define _ASN1_UTCTIME_check BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_UTCTIME_check)\n#define _ASN1_UTCTIME_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_UTCTIME_free)\n#define _ASN1_UTCTIME_it BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_UTCTIME_it)\n#define _ASN1_UTCTIME_new BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_UTCTIME_new)\n#define _ASN1_UTCTIME_print BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_UTCTIME_print)\n#define _ASN1_UTCTIME_set BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_UTCTIME_set)\n#define _ASN1_UTCTIME_set_string BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_UTCTIME_set_string)\n#define _ASN1_UTF8STRING_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_UTF8STRING_free)\n#define _ASN1_UTF8STRING_it BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_UTF8STRING_it)\n#define _ASN1_UTF8STRING_new BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_UTF8STRING_new)\n#define _ASN1_VISIBLESTRING_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_VISIBLESTRING_free)\n#define _ASN1_VISIBLESTRING_it BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_VISIBLESTRING_it)\n#define _ASN1_VISIBLESTRING_new BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_VISIBLESTRING_new)\n#define _ASN1_digest BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_digest)\n#define _ASN1_generate_v3 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_generate_v3)\n#define _ASN1_get_object BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_get_object)\n#define _ASN1_item_d2i BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_item_d2i)\n#define _ASN1_item_d2i_bio BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_item_d2i_bio)\n#define _ASN1_item_d2i_fp BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_item_d2i_fp)\n#define _ASN1_item_digest BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_item_digest)\n#define _ASN1_item_dup BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_item_dup)\n#define _ASN1_item_ex_d2i BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_item_ex_d2i)\n#define _ASN1_item_ex_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_item_ex_free)\n#define _ASN1_item_ex_i2d BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_item_ex_i2d)\n#define _ASN1_item_ex_new BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_item_ex_new)\n#define _ASN1_item_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_item_free)\n#define _ASN1_item_i2d BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_item_i2d)\n#define _ASN1_item_i2d_bio BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_item_i2d_bio)\n#define _ASN1_item_i2d_fp BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_item_i2d_fp)\n#define _ASN1_item_new BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_item_new)\n#define _ASN1_item_pack BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_item_pack)\n#define _ASN1_item_sign BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_item_sign)\n#define _ASN1_item_sign_ctx BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_item_sign_ctx)\n#define _ASN1_item_unpack BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_item_unpack)\n#define _ASN1_item_verify BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_item_verify)\n#define _ASN1_mbstring_copy BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_mbstring_copy)\n#define _ASN1_mbstring_ncopy BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_mbstring_ncopy)\n#define _ASN1_object_size BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_object_size)\n#define _ASN1_primitive_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_primitive_free)\n#define _ASN1_put_eoc BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_put_eoc)\n#define _ASN1_put_object BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_put_object)\n#define _ASN1_tag2bit BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_tag2bit)\n#define _ASN1_tag2str BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_tag2str)\n#define _ASN1_template_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_template_free)\n#define _AUTHORITY_INFO_ACCESS_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, AUTHORITY_INFO_ACCESS_free)\n#define _AUTHORITY_INFO_ACCESS_it BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, AUTHORITY_INFO_ACCESS_it)\n#define _AUTHORITY_INFO_ACCESS_new BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, AUTHORITY_INFO_ACCESS_new)\n#define _AUTHORITY_KEYID_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, AUTHORITY_KEYID_free)\n#define _AUTHORITY_KEYID_it BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, AUTHORITY_KEYID_it)\n#define _AUTHORITY_KEYID_new BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, AUTHORITY_KEYID_new)\n#define _BASIC_CONSTRAINTS_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BASIC_CONSTRAINTS_free)\n#define _BASIC_CONSTRAINTS_it BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BASIC_CONSTRAINTS_it)\n#define _BASIC_CONSTRAINTS_new BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BASIC_CONSTRAINTS_new)\n#define _BCM_fips_186_2_prf BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BCM_fips_186_2_prf)\n#define _BCM_mldsa65_generate_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BCM_mldsa65_generate_key)\n#define _BCM_mldsa65_generate_key_external_entropy BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BCM_mldsa65_generate_key_external_entropy)\n#define _BCM_mldsa65_marshal_private_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BCM_mldsa65_marshal_private_key)\n#define _BCM_mldsa65_marshal_public_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BCM_mldsa65_marshal_public_key)\n#define _BCM_mldsa65_parse_private_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BCM_mldsa65_parse_private_key)\n#define _BCM_mldsa65_parse_public_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BCM_mldsa65_parse_public_key)\n#define _BCM_mldsa65_private_key_from_seed BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BCM_mldsa65_private_key_from_seed)\n#define _BCM_mldsa65_public_from_private BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BCM_mldsa65_public_from_private)\n#define _BCM_mldsa65_sign BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BCM_mldsa65_sign)\n#define _BCM_mldsa65_sign_internal BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BCM_mldsa65_sign_internal)\n#define _BCM_mldsa65_verify BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BCM_mldsa65_verify)\n#define _BCM_mldsa65_verify_internal BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BCM_mldsa65_verify_internal)\n#define _BCM_mldsa87_generate_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BCM_mldsa87_generate_key)\n#define _BCM_mldsa87_generate_key_external_entropy BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BCM_mldsa87_generate_key_external_entropy)\n#define _BCM_mldsa87_marshal_private_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BCM_mldsa87_marshal_private_key)\n#define _BCM_mldsa87_marshal_public_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BCM_mldsa87_marshal_public_key)\n#define _BCM_mldsa87_parse_private_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BCM_mldsa87_parse_private_key)\n#define _BCM_mldsa87_parse_public_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BCM_mldsa87_parse_public_key)\n#define _BCM_mldsa87_private_key_from_seed BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BCM_mldsa87_private_key_from_seed)\n#define _BCM_mldsa87_public_from_private BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BCM_mldsa87_public_from_private)\n#define _BCM_mldsa87_sign BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BCM_mldsa87_sign)\n#define _BCM_mldsa87_sign_internal BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BCM_mldsa87_sign_internal)\n#define _BCM_mldsa87_verify BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BCM_mldsa87_verify)\n#define _BCM_mldsa87_verify_internal BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BCM_mldsa87_verify_internal)\n#define _BCM_mlkem1024_decap BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BCM_mlkem1024_decap)\n#define _BCM_mlkem1024_encap BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BCM_mlkem1024_encap)\n#define _BCM_mlkem1024_encap_external_entropy BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BCM_mlkem1024_encap_external_entropy)\n#define _BCM_mlkem1024_generate_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BCM_mlkem1024_generate_key)\n#define _BCM_mlkem1024_generate_key_external_seed BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BCM_mlkem1024_generate_key_external_seed)\n#define _BCM_mlkem1024_marshal_private_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BCM_mlkem1024_marshal_private_key)\n#define _BCM_mlkem1024_marshal_public_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BCM_mlkem1024_marshal_public_key)\n#define _BCM_mlkem1024_parse_private_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BCM_mlkem1024_parse_private_key)\n#define _BCM_mlkem1024_parse_public_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BCM_mlkem1024_parse_public_key)\n#define _BCM_mlkem1024_private_key_from_seed BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BCM_mlkem1024_private_key_from_seed)\n#define _BCM_mlkem1024_public_from_private BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BCM_mlkem1024_public_from_private)\n#define _BCM_mlkem768_decap BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BCM_mlkem768_decap)\n#define _BCM_mlkem768_encap BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BCM_mlkem768_encap)\n#define _BCM_mlkem768_encap_external_entropy BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BCM_mlkem768_encap_external_entropy)\n#define _BCM_mlkem768_generate_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BCM_mlkem768_generate_key)\n#define _BCM_mlkem768_generate_key_external_seed BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BCM_mlkem768_generate_key_external_seed)\n#define _BCM_mlkem768_marshal_private_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BCM_mlkem768_marshal_private_key)\n#define _BCM_mlkem768_marshal_public_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BCM_mlkem768_marshal_public_key)\n#define _BCM_mlkem768_parse_private_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BCM_mlkem768_parse_private_key)\n#define _BCM_mlkem768_parse_public_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BCM_mlkem768_parse_public_key)\n#define _BCM_mlkem768_private_key_from_seed BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BCM_mlkem768_private_key_from_seed)\n#define _BCM_mlkem768_public_from_private BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BCM_mlkem768_public_from_private)\n#define _BCM_rand_bytes BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BCM_rand_bytes)\n#define _BCM_rand_bytes_hwrng BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BCM_rand_bytes_hwrng)\n#define _BCM_rand_bytes_with_additional_data BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BCM_rand_bytes_with_additional_data)\n#define _BCM_sha1_final BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BCM_sha1_final)\n#define _BCM_sha1_init BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BCM_sha1_init)\n#define _BCM_sha1_transform BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BCM_sha1_transform)\n#define _BCM_sha1_update BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BCM_sha1_update)\n#define _BCM_sha224_final BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BCM_sha224_final)\n#define _BCM_sha224_init BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BCM_sha224_init)\n#define _BCM_sha224_update BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BCM_sha224_update)\n#define _BCM_sha256_final BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BCM_sha256_final)\n#define _BCM_sha256_init BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BCM_sha256_init)\n#define _BCM_sha256_transform BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BCM_sha256_transform)\n#define _BCM_sha256_transform_blocks BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BCM_sha256_transform_blocks)\n#define _BCM_sha256_update BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BCM_sha256_update)\n#define _BCM_sha384_final BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BCM_sha384_final)\n#define _BCM_sha384_init BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BCM_sha384_init)\n#define _BCM_sha384_update BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BCM_sha384_update)\n#define _BCM_sha512_256_final BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BCM_sha512_256_final)\n#define _BCM_sha512_256_init BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BCM_sha512_256_init)\n#define _BCM_sha512_256_update BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BCM_sha512_256_update)\n#define _BCM_sha512_final BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BCM_sha512_final)\n#define _BCM_sha512_init BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BCM_sha512_init)\n#define _BCM_sha512_transform BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BCM_sha512_transform)\n#define _BCM_sha512_update BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BCM_sha512_update)\n#define _BCM_slhdsa_sha2_128s_generate_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BCM_slhdsa_sha2_128s_generate_key)\n#define _BCM_slhdsa_sha2_128s_generate_key_from_seed BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BCM_slhdsa_sha2_128s_generate_key_from_seed)\n#define _BCM_slhdsa_sha2_128s_prehash_sign BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BCM_slhdsa_sha2_128s_prehash_sign)\n#define _BCM_slhdsa_sha2_128s_prehash_verify BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BCM_slhdsa_sha2_128s_prehash_verify)\n#define _BCM_slhdsa_sha2_128s_public_from_private BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BCM_slhdsa_sha2_128s_public_from_private)\n#define _BCM_slhdsa_sha2_128s_sign BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BCM_slhdsa_sha2_128s_sign)\n#define _BCM_slhdsa_sha2_128s_sign_internal BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BCM_slhdsa_sha2_128s_sign_internal)\n#define _BCM_slhdsa_sha2_128s_verify BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BCM_slhdsa_sha2_128s_verify)\n#define _BCM_slhdsa_sha2_128s_verify_internal BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BCM_slhdsa_sha2_128s_verify_internal)\n#define _BIO_append_filename BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BIO_append_filename)\n#define _BIO_callback_ctrl BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BIO_callback_ctrl)\n#define _BIO_clear_flags BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BIO_clear_flags)\n#define _BIO_clear_retry_flags BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BIO_clear_retry_flags)\n#define _BIO_copy_next_retry BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BIO_copy_next_retry)\n#define _BIO_ctrl BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BIO_ctrl)\n#define _BIO_ctrl_get_read_request BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BIO_ctrl_get_read_request)\n#define _BIO_ctrl_get_write_guarantee BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BIO_ctrl_get_write_guarantee)\n#define _BIO_ctrl_pending BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BIO_ctrl_pending)\n#define _BIO_do_connect BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BIO_do_connect)\n#define _BIO_eof BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BIO_eof)\n#define _BIO_f_ssl BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BIO_f_ssl)\n#define _BIO_find_type BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BIO_find_type)\n#define _BIO_flush BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BIO_flush)\n#define _BIO_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BIO_free)\n#define _BIO_free_all BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BIO_free_all)\n#define _BIO_get_data BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BIO_get_data)\n#define _BIO_get_ex_data BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BIO_get_ex_data)\n#define _BIO_get_ex_new_index BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BIO_get_ex_new_index)\n#define _BIO_get_fd BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BIO_get_fd)\n#define _BIO_get_fp BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BIO_get_fp)\n#define _BIO_get_init BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BIO_get_init)\n#define _BIO_get_mem_data BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BIO_get_mem_data)\n#define _BIO_get_mem_ptr BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BIO_get_mem_ptr)\n#define _BIO_get_new_index BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BIO_get_new_index)\n#define _BIO_get_retry_flags BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BIO_get_retry_flags)\n#define _BIO_get_retry_reason BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BIO_get_retry_reason)\n#define _BIO_get_shutdown BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BIO_get_shutdown)\n#define _BIO_gets BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BIO_gets)\n#define _BIO_hexdump BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BIO_hexdump)\n#define _BIO_indent BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BIO_indent)\n#define _BIO_int_ctrl BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BIO_int_ctrl)\n#define _BIO_mem_contents BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BIO_mem_contents)\n#define _BIO_meth_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BIO_meth_free)\n#define _BIO_meth_new BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BIO_meth_new)\n#define _BIO_meth_set_create BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BIO_meth_set_create)\n#define _BIO_meth_set_ctrl BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BIO_meth_set_ctrl)\n#define _BIO_meth_set_destroy BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BIO_meth_set_destroy)\n#define _BIO_meth_set_gets BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BIO_meth_set_gets)\n#define _BIO_meth_set_puts BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BIO_meth_set_puts)\n#define _BIO_meth_set_read BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BIO_meth_set_read)\n#define _BIO_meth_set_write BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BIO_meth_set_write)\n#define _BIO_method_type BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BIO_method_type)\n#define _BIO_new BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BIO_new)\n#define _BIO_new_bio_pair BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BIO_new_bio_pair)\n#define _BIO_new_connect BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BIO_new_connect)\n#define _BIO_new_fd BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BIO_new_fd)\n#define _BIO_new_file BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BIO_new_file)\n#define _BIO_new_fp BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BIO_new_fp)\n#define _BIO_new_mem_buf BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BIO_new_mem_buf)\n#define _BIO_new_socket BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BIO_new_socket)\n#define _BIO_next BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BIO_next)\n#define _BIO_number_read BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BIO_number_read)\n#define _BIO_number_written BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BIO_number_written)\n#define _BIO_pending BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BIO_pending)\n#define _BIO_pop BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BIO_pop)\n#define _BIO_printf BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BIO_printf)\n#define _BIO_ptr_ctrl BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BIO_ptr_ctrl)\n#define _BIO_push BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BIO_push)\n#define _BIO_puts BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BIO_puts)\n#define _BIO_read BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BIO_read)\n#define _BIO_read_asn1 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BIO_read_asn1)\n#define _BIO_read_filename BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BIO_read_filename)\n#define _BIO_reset BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BIO_reset)\n#define _BIO_rw_filename BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BIO_rw_filename)\n#define _BIO_s_connect BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BIO_s_connect)\n#define _BIO_s_fd BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BIO_s_fd)\n#define _BIO_s_file BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BIO_s_file)\n#define _BIO_s_mem BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BIO_s_mem)\n#define _BIO_s_socket BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BIO_s_socket)\n#define _BIO_seek BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BIO_seek)\n#define _BIO_set_close BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BIO_set_close)\n#define _BIO_set_conn_hostname BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BIO_set_conn_hostname)\n#define _BIO_set_conn_int_port BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BIO_set_conn_int_port)\n#define _BIO_set_conn_port BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BIO_set_conn_port)\n#define _BIO_set_data BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BIO_set_data)\n#define _BIO_set_ex_data BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BIO_set_ex_data)\n#define _BIO_set_fd BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BIO_set_fd)\n#define _BIO_set_flags BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BIO_set_flags)\n#define _BIO_set_fp BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BIO_set_fp)\n#define _BIO_set_init BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BIO_set_init)\n#define _BIO_set_mem_buf BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BIO_set_mem_buf)\n#define _BIO_set_mem_eof_return BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BIO_set_mem_eof_return)\n#define _BIO_set_nbio BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BIO_set_nbio)\n#define _BIO_set_retry_read BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BIO_set_retry_read)\n#define _BIO_set_retry_reason BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BIO_set_retry_reason)\n#define _BIO_set_retry_special BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BIO_set_retry_special)\n#define _BIO_set_retry_write BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BIO_set_retry_write)\n#define _BIO_set_shutdown BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BIO_set_shutdown)\n#define _BIO_set_ssl BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BIO_set_ssl)\n#define _BIO_set_write_buffer_size BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BIO_set_write_buffer_size)\n#define _BIO_should_io_special BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BIO_should_io_special)\n#define _BIO_should_read BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BIO_should_read)\n#define _BIO_should_retry BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BIO_should_retry)\n#define _BIO_should_write BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BIO_should_write)\n#define _BIO_shutdown_wr BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BIO_shutdown_wr)\n#define _BIO_snprintf BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BIO_snprintf)\n#define _BIO_tell BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BIO_tell)\n#define _BIO_test_flags BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BIO_test_flags)\n#define _BIO_up_ref BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BIO_up_ref)\n#define _BIO_vfree BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BIO_vfree)\n#define _BIO_vsnprintf BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BIO_vsnprintf)\n#define _BIO_wpending BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BIO_wpending)\n#define _BIO_write BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BIO_write)\n#define _BIO_write_all BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BIO_write_all)\n#define _BIO_write_filename BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BIO_write_filename)\n#define _BLAKE2B256 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BLAKE2B256)\n#define _BLAKE2B256_Final BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BLAKE2B256_Final)\n#define _BLAKE2B256_Init BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BLAKE2B256_Init)\n#define _BLAKE2B256_Update BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BLAKE2B256_Update)\n#define _BN_BLINDING_convert BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BN_BLINDING_convert)\n#define _BN_BLINDING_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BN_BLINDING_free)\n#define _BN_BLINDING_invalidate BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BN_BLINDING_invalidate)\n#define _BN_BLINDING_invert BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BN_BLINDING_invert)\n#define _BN_BLINDING_new BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BN_BLINDING_new)\n#define _BN_CTX_end BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BN_CTX_end)\n#define _BN_CTX_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BN_CTX_free)\n#define _BN_CTX_get BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BN_CTX_get)\n#define _BN_CTX_new BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BN_CTX_new)\n#define _BN_CTX_start BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BN_CTX_start)\n#define _BN_GENCB_call BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BN_GENCB_call)\n#define _BN_GENCB_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BN_GENCB_free)\n#define _BN_GENCB_get_arg BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BN_GENCB_get_arg)\n#define _BN_GENCB_new BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BN_GENCB_new)\n#define _BN_GENCB_set BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BN_GENCB_set)\n#define _BN_MONT_CTX_copy BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BN_MONT_CTX_copy)\n#define _BN_MONT_CTX_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BN_MONT_CTX_free)\n#define _BN_MONT_CTX_new BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BN_MONT_CTX_new)\n#define _BN_MONT_CTX_new_consttime BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BN_MONT_CTX_new_consttime)\n#define _BN_MONT_CTX_new_for_modulus BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BN_MONT_CTX_new_for_modulus)\n#define _BN_MONT_CTX_set BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BN_MONT_CTX_set)\n#define _BN_MONT_CTX_set_locked BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BN_MONT_CTX_set_locked)\n#define _BN_abs_is_word BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BN_abs_is_word)\n#define _BN_add BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BN_add)\n#define _BN_add_word BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BN_add_word)\n#define _BN_asc2bn BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BN_asc2bn)\n#define _BN_bin2bn BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BN_bin2bn)\n#define _BN_bn2bin BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BN_bn2bin)\n#define _BN_bn2bin_padded BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BN_bn2bin_padded)\n#define _BN_bn2binpad BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BN_bn2binpad)\n#define _BN_bn2cbb_padded BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BN_bn2cbb_padded)\n#define _BN_bn2dec BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BN_bn2dec)\n#define _BN_bn2hex BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BN_bn2hex)\n#define _BN_bn2le_padded BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BN_bn2le_padded)\n#define _BN_bn2lebinpad BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BN_bn2lebinpad)\n#define _BN_bn2mpi BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BN_bn2mpi)\n#define _BN_clear BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BN_clear)\n#define _BN_clear_bit BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BN_clear_bit)\n#define _BN_clear_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BN_clear_free)\n#define _BN_cmp BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BN_cmp)\n#define _BN_cmp_word BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BN_cmp_word)\n#define _BN_copy BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BN_copy)\n#define _BN_count_low_zero_bits BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BN_count_low_zero_bits)\n#define _BN_dec2bn BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BN_dec2bn)\n#define _BN_div BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BN_div)\n#define _BN_div_word BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BN_div_word)\n#define _BN_dup BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BN_dup)\n#define _BN_enhanced_miller_rabin_primality_test BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BN_enhanced_miller_rabin_primality_test)\n#define _BN_equal_consttime BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BN_equal_consttime)\n#define _BN_exp BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BN_exp)\n#define _BN_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BN_free)\n#define _BN_from_montgomery BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BN_from_montgomery)\n#define _BN_gcd BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BN_gcd)\n#define _BN_generate_prime_ex BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BN_generate_prime_ex)\n#define _BN_get_rfc3526_prime_1536 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BN_get_rfc3526_prime_1536)\n#define _BN_get_rfc3526_prime_2048 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BN_get_rfc3526_prime_2048)\n#define _BN_get_rfc3526_prime_3072 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BN_get_rfc3526_prime_3072)\n#define _BN_get_rfc3526_prime_4096 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BN_get_rfc3526_prime_4096)\n#define _BN_get_rfc3526_prime_6144 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BN_get_rfc3526_prime_6144)\n#define _BN_get_rfc3526_prime_8192 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BN_get_rfc3526_prime_8192)\n#define _BN_get_u64 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BN_get_u64)\n#define _BN_get_word BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BN_get_word)\n#define _BN_hex2bn BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BN_hex2bn)\n#define _BN_init BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BN_init)\n#define _BN_is_bit_set BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BN_is_bit_set)\n#define _BN_is_negative BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BN_is_negative)\n#define _BN_is_odd BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BN_is_odd)\n#define _BN_is_one BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BN_is_one)\n#define _BN_is_pow2 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BN_is_pow2)\n#define _BN_is_prime_ex BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BN_is_prime_ex)\n#define _BN_is_prime_fasttest_ex BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BN_is_prime_fasttest_ex)\n#define _BN_is_word BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BN_is_word)\n#define _BN_is_zero BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BN_is_zero)\n#define _BN_le2bn BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BN_le2bn)\n#define _BN_lebin2bn BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BN_lebin2bn)\n#define _BN_lshift BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BN_lshift)\n#define _BN_lshift1 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BN_lshift1)\n#define _BN_marshal_asn1 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BN_marshal_asn1)\n#define _BN_mask_bits BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BN_mask_bits)\n#define _BN_mod_add BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BN_mod_add)\n#define _BN_mod_add_quick BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BN_mod_add_quick)\n#define _BN_mod_exp BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BN_mod_exp)\n#define _BN_mod_exp2_mont BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BN_mod_exp2_mont)\n#define _BN_mod_exp_mont BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BN_mod_exp_mont)\n#define _BN_mod_exp_mont_consttime BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BN_mod_exp_mont_consttime)\n#define _BN_mod_exp_mont_word BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BN_mod_exp_mont_word)\n#define _BN_mod_inverse BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BN_mod_inverse)\n#define _BN_mod_inverse_blinded BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BN_mod_inverse_blinded)\n#define _BN_mod_inverse_odd BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BN_mod_inverse_odd)\n#define _BN_mod_lshift BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BN_mod_lshift)\n#define _BN_mod_lshift1 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BN_mod_lshift1)\n#define _BN_mod_lshift1_quick BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BN_mod_lshift1_quick)\n#define _BN_mod_lshift_quick BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BN_mod_lshift_quick)\n#define _BN_mod_mul BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BN_mod_mul)\n#define _BN_mod_mul_montgomery BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BN_mod_mul_montgomery)\n#define _BN_mod_pow2 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BN_mod_pow2)\n#define _BN_mod_sqr BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BN_mod_sqr)\n#define _BN_mod_sqrt BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BN_mod_sqrt)\n#define _BN_mod_sub BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BN_mod_sub)\n#define _BN_mod_sub_quick BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BN_mod_sub_quick)\n#define _BN_mod_word BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BN_mod_word)\n#define _BN_mpi2bn BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BN_mpi2bn)\n#define _BN_mul BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BN_mul)\n#define _BN_mul_word BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BN_mul_word)\n#define _BN_new BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BN_new)\n#define _BN_nnmod BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BN_nnmod)\n#define _BN_nnmod_pow2 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BN_nnmod_pow2)\n#define _BN_num_bits BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BN_num_bits)\n#define _BN_num_bits_word BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BN_num_bits_word)\n#define _BN_num_bytes BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BN_num_bytes)\n#define _BN_one BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BN_one)\n#define _BN_parse_asn1_unsigned BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BN_parse_asn1_unsigned)\n#define _BN_primality_test BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BN_primality_test)\n#define _BN_print BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BN_print)\n#define _BN_print_fp BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BN_print_fp)\n#define _BN_pseudo_rand BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BN_pseudo_rand)\n#define _BN_pseudo_rand_range BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BN_pseudo_rand_range)\n#define _BN_rand BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BN_rand)\n#define _BN_rand_range BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BN_rand_range)\n#define _BN_rand_range_ex BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BN_rand_range_ex)\n#define _BN_rshift BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BN_rshift)\n#define _BN_rshift1 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BN_rshift1)\n#define _BN_secure_new BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BN_secure_new)\n#define _BN_set_bit BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BN_set_bit)\n#define _BN_set_negative BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BN_set_negative)\n#define _BN_set_u64 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BN_set_u64)\n#define _BN_set_word BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BN_set_word)\n#define _BN_sqr BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BN_sqr)\n#define _BN_sqrt BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BN_sqrt)\n#define _BN_sub BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BN_sub)\n#define _BN_sub_word BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BN_sub_word)\n#define _BN_to_ASN1_ENUMERATED BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BN_to_ASN1_ENUMERATED)\n#define _BN_to_ASN1_INTEGER BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BN_to_ASN1_INTEGER)\n#define _BN_to_montgomery BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BN_to_montgomery)\n#define _BN_uadd BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BN_uadd)\n#define _BN_ucmp BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BN_ucmp)\n#define _BN_usub BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BN_usub)\n#define _BN_value_one BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BN_value_one)\n#define _BN_zero BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BN_zero)\n#define _BORINGSSL_keccak BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BORINGSSL_keccak)\n#define _BORINGSSL_keccak_absorb BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BORINGSSL_keccak_absorb)\n#define _BORINGSSL_keccak_init BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BORINGSSL_keccak_init)\n#define _BORINGSSL_keccak_squeeze BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BORINGSSL_keccak_squeeze)\n#define _BORINGSSL_self_test BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BORINGSSL_self_test)\n#define _BUF_MEM_append BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BUF_MEM_append)\n#define _BUF_MEM_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BUF_MEM_free)\n#define _BUF_MEM_grow BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BUF_MEM_grow)\n#define _BUF_MEM_grow_clean BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BUF_MEM_grow_clean)\n#define _BUF_MEM_new BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BUF_MEM_new)\n#define _BUF_MEM_reserve BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BUF_MEM_reserve)\n#define _BUF_memdup BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BUF_memdup)\n#define _BUF_strdup BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BUF_strdup)\n#define _BUF_strlcat BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BUF_strlcat)\n#define _BUF_strlcpy BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BUF_strlcpy)\n#define _BUF_strndup BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BUF_strndup)\n#define _BUF_strnlen BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BUF_strnlen)\n#define _CBB_add_asn1 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CBB_add_asn1)\n#define _CBB_add_asn1_bool BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CBB_add_asn1_bool)\n#define _CBB_add_asn1_int64 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CBB_add_asn1_int64)\n#define _CBB_add_asn1_int64_with_tag BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CBB_add_asn1_int64_with_tag)\n#define _CBB_add_asn1_octet_string BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CBB_add_asn1_octet_string)\n#define _CBB_add_asn1_oid_from_text BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CBB_add_asn1_oid_from_text)\n#define _CBB_add_asn1_uint64 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CBB_add_asn1_uint64)\n#define _CBB_add_asn1_uint64_with_tag BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CBB_add_asn1_uint64_with_tag)\n#define _CBB_add_bytes BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CBB_add_bytes)\n#define _CBB_add_latin1 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CBB_add_latin1)\n#define _CBB_add_space BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CBB_add_space)\n#define _CBB_add_u16 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CBB_add_u16)\n#define _CBB_add_u16_length_prefixed BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CBB_add_u16_length_prefixed)\n#define _CBB_add_u16le BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CBB_add_u16le)\n#define _CBB_add_u24 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CBB_add_u24)\n#define _CBB_add_u24_length_prefixed BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CBB_add_u24_length_prefixed)\n#define _CBB_add_u32 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CBB_add_u32)\n#define _CBB_add_u32le BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CBB_add_u32le)\n#define _CBB_add_u64 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CBB_add_u64)\n#define _CBB_add_u64le BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CBB_add_u64le)\n#define _CBB_add_u8 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CBB_add_u8)\n#define _CBB_add_u8_length_prefixed BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CBB_add_u8_length_prefixed)\n#define _CBB_add_ucs2_be BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CBB_add_ucs2_be)\n#define _CBB_add_utf32_be BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CBB_add_utf32_be)\n#define _CBB_add_utf8 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CBB_add_utf8)\n#define _CBB_add_zeros BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CBB_add_zeros)\n#define _CBB_cleanup BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CBB_cleanup)\n#define _CBB_data BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CBB_data)\n#define _CBB_did_write BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CBB_did_write)\n#define _CBB_discard_child BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CBB_discard_child)\n#define _CBB_finish BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CBB_finish)\n#define _CBB_finish_i2d BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CBB_finish_i2d)\n#define _CBB_flush BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CBB_flush)\n#define _CBB_flush_asn1_set_of BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CBB_flush_asn1_set_of)\n#define _CBB_get_utf8_len BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CBB_get_utf8_len)\n#define _CBB_init BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CBB_init)\n#define _CBB_init_fixed BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CBB_init_fixed)\n#define _CBB_len BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CBB_len)\n#define _CBB_reserve BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CBB_reserve)\n#define _CBB_zero BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CBB_zero)\n#define _CBS_asn1_ber_to_der BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CBS_asn1_ber_to_der)\n#define _CBS_asn1_bitstring_has_bit BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CBS_asn1_bitstring_has_bit)\n#define _CBS_asn1_oid_to_text BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CBS_asn1_oid_to_text)\n#define _CBS_contains_zero_byte BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CBS_contains_zero_byte)\n#define _CBS_copy_bytes BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CBS_copy_bytes)\n#define _CBS_data BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CBS_data)\n#define _CBS_get_any_asn1 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CBS_get_any_asn1)\n#define _CBS_get_any_asn1_element BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CBS_get_any_asn1_element)\n#define _CBS_get_any_ber_asn1_element BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CBS_get_any_ber_asn1_element)\n#define _CBS_get_asn1 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CBS_get_asn1)\n#define _CBS_get_asn1_bool BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CBS_get_asn1_bool)\n#define _CBS_get_asn1_element BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CBS_get_asn1_element)\n#define _CBS_get_asn1_implicit_string BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CBS_get_asn1_implicit_string)\n#define _CBS_get_asn1_int64 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CBS_get_asn1_int64)\n#define _CBS_get_asn1_uint64 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CBS_get_asn1_uint64)\n#define _CBS_get_bytes BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CBS_get_bytes)\n#define _CBS_get_last_u8 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CBS_get_last_u8)\n#define _CBS_get_latin1 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CBS_get_latin1)\n#define _CBS_get_optional_asn1 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CBS_get_optional_asn1)\n#define _CBS_get_optional_asn1_bool BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CBS_get_optional_asn1_bool)\n#define _CBS_get_optional_asn1_octet_string BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CBS_get_optional_asn1_octet_string)\n#define _CBS_get_optional_asn1_uint64 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CBS_get_optional_asn1_uint64)\n#define _CBS_get_u16 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CBS_get_u16)\n#define _CBS_get_u16_length_prefixed BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CBS_get_u16_length_prefixed)\n#define _CBS_get_u16le BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CBS_get_u16le)\n#define _CBS_get_u24 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CBS_get_u24)\n#define _CBS_get_u24_length_prefixed BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CBS_get_u24_length_prefixed)\n#define _CBS_get_u32 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CBS_get_u32)\n#define _CBS_get_u32le BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CBS_get_u32le)\n#define _CBS_get_u64 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CBS_get_u64)\n#define _CBS_get_u64_decimal BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CBS_get_u64_decimal)\n#define _CBS_get_u64le BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CBS_get_u64le)\n#define _CBS_get_u8 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CBS_get_u8)\n#define _CBS_get_u8_length_prefixed BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CBS_get_u8_length_prefixed)\n#define _CBS_get_ucs2_be BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CBS_get_ucs2_be)\n#define _CBS_get_until_first BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CBS_get_until_first)\n#define _CBS_get_utf32_be BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CBS_get_utf32_be)\n#define _CBS_get_utf8 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CBS_get_utf8)\n#define _CBS_init BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CBS_init)\n#define _CBS_is_unsigned_asn1_integer BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CBS_is_unsigned_asn1_integer)\n#define _CBS_is_valid_asn1_bitstring BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CBS_is_valid_asn1_bitstring)\n#define _CBS_is_valid_asn1_integer BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CBS_is_valid_asn1_integer)\n#define _CBS_is_valid_asn1_oid BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CBS_is_valid_asn1_oid)\n#define _CBS_len BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CBS_len)\n#define _CBS_mem_equal BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CBS_mem_equal)\n#define _CBS_parse_generalized_time BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CBS_parse_generalized_time)\n#define _CBS_parse_utc_time BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CBS_parse_utc_time)\n#define _CBS_peek_asn1_tag BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CBS_peek_asn1_tag)\n#define _CBS_skip BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CBS_skip)\n#define _CBS_stow BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CBS_stow)\n#define _CBS_strdup BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CBS_strdup)\n#define _CERTIFICATEPOLICIES_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CERTIFICATEPOLICIES_free)\n#define _CERTIFICATEPOLICIES_it BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CERTIFICATEPOLICIES_it)\n#define _CERTIFICATEPOLICIES_new BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CERTIFICATEPOLICIES_new)\n#define _CMAC_CTX_copy BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CMAC_CTX_copy)\n#define _CMAC_CTX_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CMAC_CTX_free)\n#define _CMAC_CTX_new BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CMAC_CTX_new)\n#define _CMAC_Final BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CMAC_Final)\n#define _CMAC_Init BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CMAC_Init)\n#define _CMAC_Reset BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CMAC_Reset)\n#define _CMAC_Update BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CMAC_Update)\n#define _CONF_VALUE_new BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CONF_VALUE_new)\n#define _CONF_modules_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CONF_modules_free)\n#define _CONF_modules_load_file BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CONF_modules_load_file)\n#define _CONF_parse_list BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CONF_parse_list)\n#define _CRL_DIST_POINTS_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRL_DIST_POINTS_free)\n#define _CRL_DIST_POINTS_it BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRL_DIST_POINTS_it)\n#define _CRL_DIST_POINTS_new BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRL_DIST_POINTS_new)\n#define _CRYPTO_BUFFER_POOL_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_BUFFER_POOL_free)\n#define _CRYPTO_BUFFER_POOL_new BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_BUFFER_POOL_new)\n#define _CRYPTO_BUFFER_alloc BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_BUFFER_alloc)\n#define _CRYPTO_BUFFER_data BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_BUFFER_data)\n#define _CRYPTO_BUFFER_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_BUFFER_free)\n#define _CRYPTO_BUFFER_init_CBS BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_BUFFER_init_CBS)\n#define _CRYPTO_BUFFER_len BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_BUFFER_len)\n#define _CRYPTO_BUFFER_new BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_BUFFER_new)\n#define _CRYPTO_BUFFER_new_from_CBS BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_BUFFER_new_from_CBS)\n#define _CRYPTO_BUFFER_new_from_static_data_unsafe BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_BUFFER_new_from_static_data_unsafe)\n#define _CRYPTO_BUFFER_up_ref BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_BUFFER_up_ref)\n#define _CRYPTO_MUTEX_cleanup BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_MUTEX_cleanup)\n#define _CRYPTO_MUTEX_init BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_MUTEX_init)\n#define _CRYPTO_MUTEX_lock_read BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_MUTEX_lock_read)\n#define _CRYPTO_MUTEX_lock_write BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_MUTEX_lock_write)\n#define _CRYPTO_MUTEX_unlock_read BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_MUTEX_unlock_read)\n#define _CRYPTO_MUTEX_unlock_write BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_MUTEX_unlock_write)\n#define _CRYPTO_POLYVAL_finish BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_POLYVAL_finish)\n#define _CRYPTO_POLYVAL_init BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_POLYVAL_init)\n#define _CRYPTO_POLYVAL_update_blocks BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_POLYVAL_update_blocks)\n#define _CRYPTO_THREADID_current BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_THREADID_current)\n#define _CRYPTO_THREADID_set_callback BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_THREADID_set_callback)\n#define _CRYPTO_THREADID_set_numeric BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_THREADID_set_numeric)\n#define _CRYPTO_THREADID_set_pointer BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_THREADID_set_pointer)\n#define _CRYPTO_atomic_compare_exchange_weak_u32 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_atomic_compare_exchange_weak_u32)\n#define _CRYPTO_atomic_load_u32 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_atomic_load_u32)\n#define _CRYPTO_atomic_store_u32 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_atomic_store_u32)\n#define _CRYPTO_cbc128_decrypt BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_cbc128_decrypt)\n#define _CRYPTO_cbc128_encrypt BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_cbc128_encrypt)\n#define _CRYPTO_cfb128_1_encrypt BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_cfb128_1_encrypt)\n#define _CRYPTO_cfb128_8_encrypt BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_cfb128_8_encrypt)\n#define _CRYPTO_cfb128_encrypt BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_cfb128_encrypt)\n#define _CRYPTO_chacha_20 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_chacha_20)\n#define _CRYPTO_cleanup_all_ex_data BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_cleanup_all_ex_data)\n#define _CRYPTO_cpu_avoid_zmm_registers BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_cpu_avoid_zmm_registers)\n#define _CRYPTO_cpu_perf_is_like_silvermont BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_cpu_perf_is_like_silvermont)\n#define _CRYPTO_ctr128_encrypt_ctr32 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_ctr128_encrypt_ctr32)\n#define _CRYPTO_fips_186_2_prf BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_fips_186_2_prf)\n#define _CRYPTO_fork_detect_force_madv_wipeonfork_for_testing BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_fork_detect_force_madv_wipeonfork_for_testing)\n#define _CRYPTO_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_free)\n#define _CRYPTO_free_ex_data BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_free_ex_data)\n#define _CRYPTO_gcm128_aad BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_gcm128_aad)\n#define _CRYPTO_gcm128_decrypt BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_gcm128_decrypt)\n#define _CRYPTO_gcm128_encrypt BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_gcm128_encrypt)\n#define _CRYPTO_gcm128_finish BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_gcm128_finish)\n#define _CRYPTO_gcm128_init_aes_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_gcm128_init_aes_key)\n#define _CRYPTO_gcm128_init_ctx BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_gcm128_init_ctx)\n#define _CRYPTO_gcm128_tag BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_gcm128_tag)\n#define _CRYPTO_get_dynlock_create_callback BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_get_dynlock_create_callback)\n#define _CRYPTO_get_dynlock_destroy_callback BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_get_dynlock_destroy_callback)\n#define _CRYPTO_get_dynlock_lock_callback BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_get_dynlock_lock_callback)\n#define _CRYPTO_get_ex_data BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_get_ex_data)\n#define _CRYPTO_get_ex_new_index_ex BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_get_ex_new_index_ex)\n#define _CRYPTO_get_fork_generation BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_get_fork_generation)\n#define _CRYPTO_get_lock_name BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_get_lock_name)\n#define _CRYPTO_get_locking_callback BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_get_locking_callback)\n#define _CRYPTO_get_stderr BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_get_stderr)\n#define _CRYPTO_get_thread_local BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_get_thread_local)\n#define _CRYPTO_ghash_init BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_ghash_init)\n#define _CRYPTO_has_asm BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_has_asm)\n#define _CRYPTO_hchacha20 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_hchacha20)\n#define _CRYPTO_init_sysrand BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_init_sysrand)\n#define _CRYPTO_is_ADX_capable BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_is_ADX_capable)\n#define _CRYPTO_is_AESNI_capable BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_is_AESNI_capable)\n#define _CRYPTO_is_ARMv8_AES_capable BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_is_ARMv8_AES_capable)\n#define _CRYPTO_is_ARMv8_PMULL_capable BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_is_ARMv8_PMULL_capable)\n#define _CRYPTO_is_ARMv8_SHA1_capable BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_is_ARMv8_SHA1_capable)\n#define _CRYPTO_is_ARMv8_SHA256_capable BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_is_ARMv8_SHA256_capable)\n#define _CRYPTO_is_ARMv8_SHA512_capable BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_is_ARMv8_SHA512_capable)\n#define _CRYPTO_is_AVX2_capable BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_is_AVX2_capable)\n#define _CRYPTO_is_AVX512BW_capable BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_is_AVX512BW_capable)\n#define _CRYPTO_is_AVX512VL_capable BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_is_AVX512VL_capable)\n#define _CRYPTO_is_AVX_capable BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_is_AVX_capable)\n#define _CRYPTO_is_BMI1_capable BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_is_BMI1_capable)\n#define _CRYPTO_is_BMI2_capable BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_is_BMI2_capable)\n#define _CRYPTO_is_FXSR_capable BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_is_FXSR_capable)\n#define _CRYPTO_is_MOVBE_capable BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_is_MOVBE_capable)\n#define _CRYPTO_is_NEON_capable BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_is_NEON_capable)\n#define _CRYPTO_is_PCLMUL_capable BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_is_PCLMUL_capable)\n#define _CRYPTO_is_RDRAND_capable BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_is_RDRAND_capable)\n#define _CRYPTO_is_SSE4_1_capable BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_is_SSE4_1_capable)\n#define _CRYPTO_is_SSSE3_capable BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_is_SSSE3_capable)\n#define _CRYPTO_is_VAES_capable BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_is_VAES_capable)\n#define _CRYPTO_is_VPCLMULQDQ_capable BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_is_VPCLMULQDQ_capable)\n#define _CRYPTO_is_confidential_build BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_is_confidential_build)\n#define _CRYPTO_is_intel_cpu BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_is_intel_cpu)\n#define _CRYPTO_is_x86_SHA_capable BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_is_x86_SHA_capable)\n#define _CRYPTO_library_init BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_library_init)\n#define _CRYPTO_malloc BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_malloc)\n#define _CRYPTO_malloc_init BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_malloc_init)\n#define _CRYPTO_memcmp BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_memcmp)\n#define _CRYPTO_new_ex_data BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_new_ex_data)\n#define _CRYPTO_num_locks BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_num_locks)\n#define _CRYPTO_ofb128_encrypt BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_ofb128_encrypt)\n#define _CRYPTO_once BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_once)\n#define _CRYPTO_poly1305_finish BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_poly1305_finish)\n#define _CRYPTO_poly1305_init BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_poly1305_init)\n#define _CRYPTO_poly1305_update BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_poly1305_update)\n#define _CRYPTO_pre_sandbox_init BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_pre_sandbox_init)\n#define _CRYPTO_rdrand BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_rdrand)\n#define _CRYPTO_rdrand_multiple8_buf BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_rdrand_multiple8_buf)\n#define _CRYPTO_realloc BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_realloc)\n#define _CRYPTO_refcount_dec_and_test_zero BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_refcount_dec_and_test_zero)\n#define _CRYPTO_refcount_inc BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_refcount_inc)\n#define _CRYPTO_secure_malloc_init BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_secure_malloc_init)\n#define _CRYPTO_secure_malloc_initialized BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_secure_malloc_initialized)\n#define _CRYPTO_secure_used BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_secure_used)\n#define _CRYPTO_set_add_lock_callback BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_set_add_lock_callback)\n#define _CRYPTO_set_dynlock_create_callback BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_set_dynlock_create_callback)\n#define _CRYPTO_set_dynlock_destroy_callback BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_set_dynlock_destroy_callback)\n#define _CRYPTO_set_dynlock_lock_callback BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_set_dynlock_lock_callback)\n#define _CRYPTO_set_ex_data BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_set_ex_data)\n#define _CRYPTO_set_id_callback BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_set_id_callback)\n#define _CRYPTO_set_locking_callback BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_set_locking_callback)\n#define _CRYPTO_set_thread_local BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_set_thread_local)\n#define _CRYPTO_sysrand BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_sysrand)\n#define _CRYPTO_sysrand_for_seed BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_sysrand_for_seed)\n#define _CRYPTO_sysrand_if_available BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_sysrand_if_available)\n#define _CRYPTO_tls13_hkdf_expand_label BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_tls13_hkdf_expand_label)\n#define _CRYPTO_tls1_prf BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_tls1_prf)\n#define _CRYPTO_xor16 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_xor16)\n#define _CTR_DRBG_clear BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CTR_DRBG_clear)\n#define _CTR_DRBG_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CTR_DRBG_free)\n#define _CTR_DRBG_generate BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CTR_DRBG_generate)\n#define _CTR_DRBG_init BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CTR_DRBG_init)\n#define _CTR_DRBG_new BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CTR_DRBG_new)\n#define _CTR_DRBG_reseed BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CTR_DRBG_reseed)\n#define _ChaCha20_ctr32_avx2 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ChaCha20_ctr32_avx2)\n#define _ChaCha20_ctr32_avx2_capable BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ChaCha20_ctr32_avx2_capable)\n#define _ChaCha20_ctr32_neon BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ChaCha20_ctr32_neon)\n#define _ChaCha20_ctr32_neon_capable BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ChaCha20_ctr32_neon_capable)\n#define _ChaCha20_ctr32_nohw BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ChaCha20_ctr32_nohw)\n#define _ChaCha20_ctr32_ssse3 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ChaCha20_ctr32_ssse3)\n#define _ChaCha20_ctr32_ssse3_4x BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ChaCha20_ctr32_ssse3_4x)\n#define _ChaCha20_ctr32_ssse3_4x_capable BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ChaCha20_ctr32_ssse3_4x_capable)\n#define _ChaCha20_ctr32_ssse3_capable BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ChaCha20_ctr32_ssse3_capable)\n#define _DES_decrypt3 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, DES_decrypt3)\n#define _DES_ecb3_encrypt BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, DES_ecb3_encrypt)\n#define _DES_ecb3_encrypt_ex BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, DES_ecb3_encrypt_ex)\n#define _DES_ecb_encrypt BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, DES_ecb_encrypt)\n#define _DES_ecb_encrypt_ex BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, DES_ecb_encrypt_ex)\n#define _DES_ede2_cbc_encrypt BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, DES_ede2_cbc_encrypt)\n#define _DES_ede3_cbc_encrypt BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, DES_ede3_cbc_encrypt)\n#define _DES_ede3_cbc_encrypt_ex BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, DES_ede3_cbc_encrypt_ex)\n#define _DES_encrypt3 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, DES_encrypt3)\n#define _DES_ncbc_encrypt BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, DES_ncbc_encrypt)\n#define _DES_ncbc_encrypt_ex BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, DES_ncbc_encrypt_ex)\n#define _DES_set_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, DES_set_key)\n#define _DES_set_key_ex BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, DES_set_key_ex)\n#define _DES_set_key_unchecked BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, DES_set_key_unchecked)\n#define _DES_set_odd_parity BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, DES_set_odd_parity)\n#define _DH_bits BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, DH_bits)\n#define _DH_check BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, DH_check)\n#define _DH_check_pub_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, DH_check_pub_key)\n#define _DH_compute_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, DH_compute_key)\n#define _DH_compute_key_hashed BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, DH_compute_key_hashed)\n#define _DH_compute_key_padded BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, DH_compute_key_padded)\n#define _DH_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, DH_free)\n#define _DH_generate_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, DH_generate_key)\n#define _DH_generate_parameters_ex BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, DH_generate_parameters_ex)\n#define _DH_get0_g BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, DH_get0_g)\n#define _DH_get0_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, DH_get0_key)\n#define _DH_get0_p BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, DH_get0_p)\n#define _DH_get0_pqg BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, DH_get0_pqg)\n#define _DH_get0_priv_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, DH_get0_priv_key)\n#define _DH_get0_pub_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, DH_get0_pub_key)\n#define _DH_get0_q BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, DH_get0_q)\n#define _DH_get_rfc7919_2048 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, DH_get_rfc7919_2048)\n#define _DH_marshal_parameters BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, DH_marshal_parameters)\n#define _DH_new BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, DH_new)\n#define _DH_num_bits BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, DH_num_bits)\n#define _DH_parse_parameters BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, DH_parse_parameters)\n#define _DH_set0_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, DH_set0_key)\n#define _DH_set0_pqg BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, DH_set0_pqg)\n#define _DH_set_length BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, DH_set_length)\n#define _DH_size BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, DH_size)\n#define _DH_up_ref BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, DH_up_ref)\n#define _DHparams_dup BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, DHparams_dup)\n#define _DIRECTORYSTRING_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, DIRECTORYSTRING_free)\n#define _DIRECTORYSTRING_it BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, DIRECTORYSTRING_it)\n#define _DIRECTORYSTRING_new BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, DIRECTORYSTRING_new)\n#define _DISPLAYTEXT_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, DISPLAYTEXT_free)\n#define _DISPLAYTEXT_it BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, DISPLAYTEXT_it)\n#define _DISPLAYTEXT_new BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, DISPLAYTEXT_new)\n#define _DIST_POINT_NAME_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, DIST_POINT_NAME_free)\n#define _DIST_POINT_NAME_new BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, DIST_POINT_NAME_new)\n#define _DIST_POINT_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, DIST_POINT_free)\n#define _DIST_POINT_new BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, DIST_POINT_new)\n#define _DIST_POINT_set_dpname BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, DIST_POINT_set_dpname)\n#define _DSA_SIG_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, DSA_SIG_free)\n#define _DSA_SIG_get0 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, DSA_SIG_get0)\n#define _DSA_SIG_marshal BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, DSA_SIG_marshal)\n#define _DSA_SIG_new BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, DSA_SIG_new)\n#define _DSA_SIG_parse BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, DSA_SIG_parse)\n#define _DSA_SIG_set0 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, DSA_SIG_set0)\n#define _DSA_bits BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, DSA_bits)\n#define _DSA_check_signature BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, DSA_check_signature)\n#define _DSA_do_check_signature BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, DSA_do_check_signature)\n#define _DSA_do_sign BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, DSA_do_sign)\n#define _DSA_do_verify BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, DSA_do_verify)\n#define _DSA_dup_DH BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, DSA_dup_DH)\n#define _DSA_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, DSA_free)\n#define _DSA_generate_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, DSA_generate_key)\n#define _DSA_generate_parameters_ex BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, DSA_generate_parameters_ex)\n#define _DSA_get0_g BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, DSA_get0_g)\n#define _DSA_get0_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, DSA_get0_key)\n#define _DSA_get0_p BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, DSA_get0_p)\n#define _DSA_get0_pqg BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, DSA_get0_pqg)\n#define _DSA_get0_priv_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, DSA_get0_priv_key)\n#define _DSA_get0_pub_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, DSA_get0_pub_key)\n#define _DSA_get0_q BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, DSA_get0_q)\n#define _DSA_get_ex_data BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, DSA_get_ex_data)\n#define _DSA_get_ex_new_index BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, DSA_get_ex_new_index)\n#define _DSA_marshal_parameters BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, DSA_marshal_parameters)\n#define _DSA_marshal_private_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, DSA_marshal_private_key)\n#define _DSA_marshal_public_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, DSA_marshal_public_key)\n#define _DSA_new BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, DSA_new)\n#define _DSA_parse_parameters BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, DSA_parse_parameters)\n#define _DSA_parse_private_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, DSA_parse_private_key)\n#define _DSA_parse_public_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, DSA_parse_public_key)\n#define _DSA_set0_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, DSA_set0_key)\n#define _DSA_set0_pqg BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, DSA_set0_pqg)\n#define _DSA_set_ex_data BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, DSA_set_ex_data)\n#define _DSA_sign BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, DSA_sign)\n#define _DSA_size BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, DSA_size)\n#define _DSA_up_ref BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, DSA_up_ref)\n#define _DSA_verify BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, DSA_verify)\n#define _DSAparams_dup BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, DSAparams_dup)\n#define _DTLS_client_method BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, DTLS_client_method)\n#define _DTLS_method BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, DTLS_method)\n#define _DTLS_server_method BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, DTLS_server_method)\n#define _DTLS_with_buffers_method BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, DTLS_with_buffers_method)\n#define _DTLSv1_2_client_method BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, DTLSv1_2_client_method)\n#define _DTLSv1_2_method BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, DTLSv1_2_method)\n#define _DTLSv1_2_server_method BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, DTLSv1_2_server_method)\n#define _DTLSv1_client_method BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, DTLSv1_client_method)\n#define _DTLSv1_get_timeout BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, DTLSv1_get_timeout)\n#define _DTLSv1_handle_timeout BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, DTLSv1_handle_timeout)\n#define _DTLSv1_method BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, DTLSv1_method)\n#define _DTLSv1_server_method BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, DTLSv1_server_method)\n#define _DTLSv1_set_initial_timeout_duration BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, DTLSv1_set_initial_timeout_duration)\n#define _ECDH_compute_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ECDH_compute_key)\n#define _ECDH_compute_key_fips BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ECDH_compute_key_fips)\n#define _ECDSA_SIG_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ECDSA_SIG_free)\n#define _ECDSA_SIG_from_bytes BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ECDSA_SIG_from_bytes)\n#define _ECDSA_SIG_get0 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ECDSA_SIG_get0)\n#define _ECDSA_SIG_get0_r BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ECDSA_SIG_get0_r)\n#define _ECDSA_SIG_get0_s BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ECDSA_SIG_get0_s)\n#define _ECDSA_SIG_marshal BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ECDSA_SIG_marshal)\n#define _ECDSA_SIG_max_len BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ECDSA_SIG_max_len)\n#define _ECDSA_SIG_new BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ECDSA_SIG_new)\n#define _ECDSA_SIG_parse BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ECDSA_SIG_parse)\n#define _ECDSA_SIG_set0 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ECDSA_SIG_set0)\n#define _ECDSA_SIG_to_bytes BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ECDSA_SIG_to_bytes)\n#define _ECDSA_do_sign BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ECDSA_do_sign)\n#define _ECDSA_do_verify BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ECDSA_do_verify)\n#define _ECDSA_sign BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ECDSA_sign)\n#define _ECDSA_sign_with_nonce_and_leak_private_key_for_testing BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ECDSA_sign_with_nonce_and_leak_private_key_for_testing)\n#define _ECDSA_size BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ECDSA_size)\n#define _ECDSA_verify BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ECDSA_verify)\n#define _EC_GFp_mont_method BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EC_GFp_mont_method)\n#define _EC_GFp_nistp224_method BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EC_GFp_nistp224_method)\n#define _EC_GFp_nistp256_method BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EC_GFp_nistp256_method)\n#define _EC_GFp_nistz256_method BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EC_GFp_nistz256_method)\n#define _EC_GROUP_cmp BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EC_GROUP_cmp)\n#define _EC_GROUP_dup BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EC_GROUP_dup)\n#define _EC_GROUP_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EC_GROUP_free)\n#define _EC_GROUP_get0_generator BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EC_GROUP_get0_generator)\n#define _EC_GROUP_get0_order BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EC_GROUP_get0_order)\n#define _EC_GROUP_get_asn1_flag BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EC_GROUP_get_asn1_flag)\n#define _EC_GROUP_get_cofactor BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EC_GROUP_get_cofactor)\n#define _EC_GROUP_get_curve_GFp BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EC_GROUP_get_curve_GFp)\n#define _EC_GROUP_get_curve_name BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EC_GROUP_get_curve_name)\n#define _EC_GROUP_get_degree BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EC_GROUP_get_degree)\n#define _EC_GROUP_get_order BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EC_GROUP_get_order)\n#define _EC_GROUP_method_of BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EC_GROUP_method_of)\n#define _EC_GROUP_new_by_curve_name BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EC_GROUP_new_by_curve_name)\n#define _EC_GROUP_new_curve_GFp BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EC_GROUP_new_curve_GFp)\n#define _EC_GROUP_order_bits BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EC_GROUP_order_bits)\n#define _EC_GROUP_set_asn1_flag BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EC_GROUP_set_asn1_flag)\n#define _EC_GROUP_set_generator BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EC_GROUP_set_generator)\n#define _EC_GROUP_set_point_conversion_form BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EC_GROUP_set_point_conversion_form)\n#define _EC_KEY_check_fips BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EC_KEY_check_fips)\n#define _EC_KEY_check_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EC_KEY_check_key)\n#define _EC_KEY_derive_from_secret BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EC_KEY_derive_from_secret)\n#define _EC_KEY_dup BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EC_KEY_dup)\n#define _EC_KEY_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EC_KEY_free)\n#define _EC_KEY_generate_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EC_KEY_generate_key)\n#define _EC_KEY_generate_key_fips BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EC_KEY_generate_key_fips)\n#define _EC_KEY_get0_group BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EC_KEY_get0_group)\n#define _EC_KEY_get0_private_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EC_KEY_get0_private_key)\n#define _EC_KEY_get0_public_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EC_KEY_get0_public_key)\n#define _EC_KEY_get_conv_form BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EC_KEY_get_conv_form)\n#define _EC_KEY_get_enc_flags BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EC_KEY_get_enc_flags)\n#define _EC_KEY_get_ex_data BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EC_KEY_get_ex_data)\n#define _EC_KEY_get_ex_new_index BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EC_KEY_get_ex_new_index)\n#define _EC_KEY_is_opaque BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EC_KEY_is_opaque)\n#define _EC_KEY_key2buf BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EC_KEY_key2buf)\n#define _EC_KEY_marshal_curve_name BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EC_KEY_marshal_curve_name)\n#define _EC_KEY_marshal_private_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EC_KEY_marshal_private_key)\n#define _EC_KEY_new BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EC_KEY_new)\n#define _EC_KEY_new_by_curve_name BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EC_KEY_new_by_curve_name)\n#define _EC_KEY_new_method BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EC_KEY_new_method)\n#define _EC_KEY_oct2key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EC_KEY_oct2key)\n#define _EC_KEY_oct2priv BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EC_KEY_oct2priv)\n#define _EC_KEY_parse_curve_name BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EC_KEY_parse_curve_name)\n#define _EC_KEY_parse_parameters BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EC_KEY_parse_parameters)\n#define _EC_KEY_parse_private_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EC_KEY_parse_private_key)\n#define _EC_KEY_priv2buf BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EC_KEY_priv2buf)\n#define _EC_KEY_priv2oct BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EC_KEY_priv2oct)\n#define _EC_KEY_set_asn1_flag BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EC_KEY_set_asn1_flag)\n#define _EC_KEY_set_conv_form BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EC_KEY_set_conv_form)\n#define _EC_KEY_set_enc_flags BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EC_KEY_set_enc_flags)\n#define _EC_KEY_set_ex_data BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EC_KEY_set_ex_data)\n#define _EC_KEY_set_group BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EC_KEY_set_group)\n#define _EC_KEY_set_private_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EC_KEY_set_private_key)\n#define _EC_KEY_set_public_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EC_KEY_set_public_key)\n#define _EC_KEY_set_public_key_affine_coordinates BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EC_KEY_set_public_key_affine_coordinates)\n#define _EC_KEY_up_ref BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EC_KEY_up_ref)\n#define _EC_METHOD_get_field_type BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EC_METHOD_get_field_type)\n#define _EC_POINT_add BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EC_POINT_add)\n#define _EC_POINT_clear_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EC_POINT_clear_free)\n#define _EC_POINT_cmp BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EC_POINT_cmp)\n#define _EC_POINT_copy BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EC_POINT_copy)\n#define _EC_POINT_dbl BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EC_POINT_dbl)\n#define _EC_POINT_dup BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EC_POINT_dup)\n#define _EC_POINT_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EC_POINT_free)\n#define _EC_POINT_get_affine_coordinates BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EC_POINT_get_affine_coordinates)\n#define _EC_POINT_get_affine_coordinates_GFp BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EC_POINT_get_affine_coordinates_GFp)\n#define _EC_POINT_invert BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EC_POINT_invert)\n#define _EC_POINT_is_at_infinity BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EC_POINT_is_at_infinity)\n#define _EC_POINT_is_on_curve BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EC_POINT_is_on_curve)\n#define _EC_POINT_mul BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EC_POINT_mul)\n#define _EC_POINT_new BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EC_POINT_new)\n#define _EC_POINT_oct2point BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EC_POINT_oct2point)\n#define _EC_POINT_point2buf BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EC_POINT_point2buf)\n#define _EC_POINT_point2cbb BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EC_POINT_point2cbb)\n#define _EC_POINT_point2oct BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EC_POINT_point2oct)\n#define _EC_POINT_set_affine_coordinates BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EC_POINT_set_affine_coordinates)\n#define _EC_POINT_set_affine_coordinates_GFp BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EC_POINT_set_affine_coordinates_GFp)\n#define _EC_POINT_set_compressed_coordinates_GFp BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EC_POINT_set_compressed_coordinates_GFp)\n#define _EC_POINT_set_to_infinity BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EC_POINT_set_to_infinity)\n#define _EC_curve_nid2nist BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EC_curve_nid2nist)\n#define _EC_curve_nist2nid BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EC_curve_nist2nid)\n#define _EC_get_builtin_curves BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EC_get_builtin_curves)\n#define _EC_group_p224 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EC_group_p224)\n#define _EC_group_p256 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EC_group_p256)\n#define _EC_group_p384 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EC_group_p384)\n#define _EC_group_p521 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EC_group_p521)\n#define _EC_hash_to_curve_p256_xmd_sha256_sswu BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EC_hash_to_curve_p256_xmd_sha256_sswu)\n#define _EC_hash_to_curve_p384_xmd_sha384_sswu BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EC_hash_to_curve_p384_xmd_sha384_sswu)\n#define _ED25519_keypair BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ED25519_keypair)\n#define _ED25519_keypair_from_seed BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ED25519_keypair_from_seed)\n#define _ED25519_sign BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ED25519_sign)\n#define _ED25519_verify BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ED25519_verify)\n#define _EDIPARTYNAME_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EDIPARTYNAME_free)\n#define _EDIPARTYNAME_new BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EDIPARTYNAME_new)\n#define _ENGINE_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ENGINE_free)\n#define _ENGINE_get_ECDSA_method BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ENGINE_get_ECDSA_method)\n#define _ENGINE_get_RSA_method BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ENGINE_get_RSA_method)\n#define _ENGINE_load_builtin_engines BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ENGINE_load_builtin_engines)\n#define _ENGINE_new BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ENGINE_new)\n#define _ENGINE_register_all_complete BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ENGINE_register_all_complete)\n#define _ENGINE_set_ECDSA_method BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ENGINE_set_ECDSA_method)\n#define _ENGINE_set_RSA_method BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ENGINE_set_RSA_method)\n#define _ERR_GET_LIB BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ERR_GET_LIB)\n#define _ERR_GET_REASON BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ERR_GET_REASON)\n#define _ERR_SAVE_STATE_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ERR_SAVE_STATE_free)\n#define _ERR_add_error_data BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ERR_add_error_data)\n#define _ERR_add_error_dataf BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ERR_add_error_dataf)\n#define _ERR_clear_error BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ERR_clear_error)\n#define _ERR_clear_system_error BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ERR_clear_system_error)\n#define _ERR_error_string BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ERR_error_string)\n#define _ERR_error_string_n BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ERR_error_string_n)\n#define _ERR_free_strings BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ERR_free_strings)\n#define _ERR_func_error_string BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ERR_func_error_string)\n#define _ERR_get_error BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ERR_get_error)\n#define _ERR_get_error_line BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ERR_get_error_line)\n#define _ERR_get_error_line_data BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ERR_get_error_line_data)\n#define _ERR_get_next_error_library BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ERR_get_next_error_library)\n#define _ERR_lib_error_string BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ERR_lib_error_string)\n#define _ERR_lib_symbol_name BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ERR_lib_symbol_name)\n#define _ERR_load_BIO_strings BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ERR_load_BIO_strings)\n#define _ERR_load_ERR_strings BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ERR_load_ERR_strings)\n#define _ERR_load_RAND_strings BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ERR_load_RAND_strings)\n#define _ERR_load_SSL_strings BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ERR_load_SSL_strings)\n#define _ERR_load_crypto_strings BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ERR_load_crypto_strings)\n#define _ERR_peek_error BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ERR_peek_error)\n#define _ERR_peek_error_line BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ERR_peek_error_line)\n#define _ERR_peek_error_line_data BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ERR_peek_error_line_data)\n#define _ERR_peek_last_error BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ERR_peek_last_error)\n#define _ERR_peek_last_error_line BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ERR_peek_last_error_line)\n#define _ERR_peek_last_error_line_data BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ERR_peek_last_error_line_data)\n#define _ERR_pop_to_mark BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ERR_pop_to_mark)\n#define _ERR_print_errors BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ERR_print_errors)\n#define _ERR_print_errors_cb BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ERR_print_errors_cb)\n#define _ERR_print_errors_fp BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ERR_print_errors_fp)\n#define _ERR_put_error BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ERR_put_error)\n#define _ERR_reason_error_string BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ERR_reason_error_string)\n#define _ERR_reason_symbol_name BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ERR_reason_symbol_name)\n#define _ERR_remove_state BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ERR_remove_state)\n#define _ERR_remove_thread_state BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ERR_remove_thread_state)\n#define _ERR_restore_state BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ERR_restore_state)\n#define _ERR_save_state BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ERR_save_state)\n#define _ERR_set_error_data BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ERR_set_error_data)\n#define _ERR_set_mark BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ERR_set_mark)\n#define _EVP_AEAD_CTX_aead BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_AEAD_CTX_aead)\n#define _EVP_AEAD_CTX_cleanup BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_AEAD_CTX_cleanup)\n#define _EVP_AEAD_CTX_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_AEAD_CTX_free)\n#define _EVP_AEAD_CTX_get_iv BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_AEAD_CTX_get_iv)\n#define _EVP_AEAD_CTX_init BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_AEAD_CTX_init)\n#define _EVP_AEAD_CTX_init_with_direction BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_AEAD_CTX_init_with_direction)\n#define _EVP_AEAD_CTX_new BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_AEAD_CTX_new)\n#define _EVP_AEAD_CTX_open BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_AEAD_CTX_open)\n#define _EVP_AEAD_CTX_open_gather BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_AEAD_CTX_open_gather)\n#define _EVP_AEAD_CTX_seal BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_AEAD_CTX_seal)\n#define _EVP_AEAD_CTX_seal_scatter BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_AEAD_CTX_seal_scatter)\n#define _EVP_AEAD_CTX_tag_len BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_AEAD_CTX_tag_len)\n#define _EVP_AEAD_CTX_zero BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_AEAD_CTX_zero)\n#define _EVP_AEAD_key_length BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_AEAD_key_length)\n#define _EVP_AEAD_max_overhead BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_AEAD_max_overhead)\n#define _EVP_AEAD_max_tag_len BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_AEAD_max_tag_len)\n#define _EVP_AEAD_nonce_length BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_AEAD_nonce_length)\n#define _EVP_BytesToKey BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_BytesToKey)\n#define _EVP_CIPHER_CTX_block_size BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_CIPHER_CTX_block_size)\n#define _EVP_CIPHER_CTX_cipher BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_CIPHER_CTX_cipher)\n#define _EVP_CIPHER_CTX_cleanup BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_CIPHER_CTX_cleanup)\n#define _EVP_CIPHER_CTX_copy BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_CIPHER_CTX_copy)\n#define _EVP_CIPHER_CTX_ctrl BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_CIPHER_CTX_ctrl)\n#define _EVP_CIPHER_CTX_encrypting BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_CIPHER_CTX_encrypting)\n#define _EVP_CIPHER_CTX_flags BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_CIPHER_CTX_flags)\n#define _EVP_CIPHER_CTX_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_CIPHER_CTX_free)\n#define _EVP_CIPHER_CTX_get_app_data BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_CIPHER_CTX_get_app_data)\n#define _EVP_CIPHER_CTX_init BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_CIPHER_CTX_init)\n#define _EVP_CIPHER_CTX_iv_length BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_CIPHER_CTX_iv_length)\n#define _EVP_CIPHER_CTX_key_length BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_CIPHER_CTX_key_length)\n#define _EVP_CIPHER_CTX_mode BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_CIPHER_CTX_mode)\n#define _EVP_CIPHER_CTX_new BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_CIPHER_CTX_new)\n#define _EVP_CIPHER_CTX_nid BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_CIPHER_CTX_nid)\n#define _EVP_CIPHER_CTX_reset BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_CIPHER_CTX_reset)\n#define _EVP_CIPHER_CTX_set_app_data BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_CIPHER_CTX_set_app_data)\n#define _EVP_CIPHER_CTX_set_flags BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_CIPHER_CTX_set_flags)\n#define _EVP_CIPHER_CTX_set_key_length BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_CIPHER_CTX_set_key_length)\n#define _EVP_CIPHER_CTX_set_padding BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_CIPHER_CTX_set_padding)\n#define _EVP_CIPHER_block_size BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_CIPHER_block_size)\n#define _EVP_CIPHER_flags BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_CIPHER_flags)\n#define _EVP_CIPHER_iv_length BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_CIPHER_iv_length)\n#define _EVP_CIPHER_key_length BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_CIPHER_key_length)\n#define _EVP_CIPHER_mode BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_CIPHER_mode)\n#define _EVP_CIPHER_nid BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_CIPHER_nid)\n#define _EVP_Cipher BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_Cipher)\n#define _EVP_CipherFinal BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_CipherFinal)\n#define _EVP_CipherFinal_ex BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_CipherFinal_ex)\n#define _EVP_CipherInit BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_CipherInit)\n#define _EVP_CipherInit_ex BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_CipherInit_ex)\n#define _EVP_CipherUpdate BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_CipherUpdate)\n#define _EVP_DecodeBase64 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_DecodeBase64)\n#define _EVP_DecodeBlock BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_DecodeBlock)\n#define _EVP_DecodeFinal BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_DecodeFinal)\n#define _EVP_DecodeInit BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_DecodeInit)\n#define _EVP_DecodeUpdate BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_DecodeUpdate)\n#define _EVP_DecodedLength BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_DecodedLength)\n#define _EVP_DecryptFinal BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_DecryptFinal)\n#define _EVP_DecryptFinal_ex BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_DecryptFinal_ex)\n#define _EVP_DecryptInit BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_DecryptInit)\n#define _EVP_DecryptInit_ex BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_DecryptInit_ex)\n#define _EVP_DecryptUpdate BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_DecryptUpdate)\n#define _EVP_Digest BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_Digest)\n#define _EVP_DigestFinal BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_DigestFinal)\n#define _EVP_DigestFinalXOF BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_DigestFinalXOF)\n#define _EVP_DigestFinal_ex BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_DigestFinal_ex)\n#define _EVP_DigestInit BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_DigestInit)\n#define _EVP_DigestInit_ex BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_DigestInit_ex)\n#define _EVP_DigestSign BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_DigestSign)\n#define _EVP_DigestSignFinal BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_DigestSignFinal)\n#define _EVP_DigestSignInit BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_DigestSignInit)\n#define _EVP_DigestSignUpdate BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_DigestSignUpdate)\n#define _EVP_DigestUpdate BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_DigestUpdate)\n#define _EVP_DigestVerify BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_DigestVerify)\n#define _EVP_DigestVerifyFinal BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_DigestVerifyFinal)\n#define _EVP_DigestVerifyInit BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_DigestVerifyInit)\n#define _EVP_DigestVerifyUpdate BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_DigestVerifyUpdate)\n#define _EVP_ENCODE_CTX_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_ENCODE_CTX_free)\n#define _EVP_ENCODE_CTX_new BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_ENCODE_CTX_new)\n#define _EVP_EncodeBlock BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_EncodeBlock)\n#define _EVP_EncodeFinal BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_EncodeFinal)\n#define _EVP_EncodeInit BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_EncodeInit)\n#define _EVP_EncodeUpdate BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_EncodeUpdate)\n#define _EVP_EncodedLength BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_EncodedLength)\n#define _EVP_EncryptFinal BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_EncryptFinal)\n#define _EVP_EncryptFinal_ex BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_EncryptFinal_ex)\n#define _EVP_EncryptInit BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_EncryptInit)\n#define _EVP_EncryptInit_ex BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_EncryptInit_ex)\n#define _EVP_EncryptUpdate BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_EncryptUpdate)\n#define _EVP_HPKE_AEAD_aead BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_HPKE_AEAD_aead)\n#define _EVP_HPKE_AEAD_id BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_HPKE_AEAD_id)\n#define _EVP_HPKE_CTX_aead BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_HPKE_CTX_aead)\n#define _EVP_HPKE_CTX_cleanup BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_HPKE_CTX_cleanup)\n#define _EVP_HPKE_CTX_export BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_HPKE_CTX_export)\n#define _EVP_HPKE_CTX_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_HPKE_CTX_free)\n#define _EVP_HPKE_CTX_kdf BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_HPKE_CTX_kdf)\n#define _EVP_HPKE_CTX_kem BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_HPKE_CTX_kem)\n#define _EVP_HPKE_CTX_max_overhead BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_HPKE_CTX_max_overhead)\n#define _EVP_HPKE_CTX_new BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_HPKE_CTX_new)\n#define _EVP_HPKE_CTX_open BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_HPKE_CTX_open)\n#define _EVP_HPKE_CTX_seal BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_HPKE_CTX_seal)\n#define _EVP_HPKE_CTX_setup_auth_recipient BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_HPKE_CTX_setup_auth_recipient)\n#define _EVP_HPKE_CTX_setup_auth_sender BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_HPKE_CTX_setup_auth_sender)\n#define _EVP_HPKE_CTX_setup_auth_sender_with_seed_for_testing BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_HPKE_CTX_setup_auth_sender_with_seed_for_testing)\n#define _EVP_HPKE_CTX_setup_recipient BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_HPKE_CTX_setup_recipient)\n#define _EVP_HPKE_CTX_setup_sender BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_HPKE_CTX_setup_sender)\n#define _EVP_HPKE_CTX_setup_sender_with_seed_for_testing BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_HPKE_CTX_setup_sender_with_seed_for_testing)\n#define _EVP_HPKE_CTX_zero BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_HPKE_CTX_zero)\n#define _EVP_HPKE_KDF_hkdf_md BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_HPKE_KDF_hkdf_md)\n#define _EVP_HPKE_KDF_id BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_HPKE_KDF_id)\n#define _EVP_HPKE_KEM_enc_len BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_HPKE_KEM_enc_len)\n#define _EVP_HPKE_KEM_id BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_HPKE_KEM_id)\n#define _EVP_HPKE_KEM_private_key_len BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_HPKE_KEM_private_key_len)\n#define _EVP_HPKE_KEM_public_key_len BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_HPKE_KEM_public_key_len)\n#define _EVP_HPKE_KEY_cleanup BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_HPKE_KEY_cleanup)\n#define _EVP_HPKE_KEY_copy BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_HPKE_KEY_copy)\n#define _EVP_HPKE_KEY_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_HPKE_KEY_free)\n#define _EVP_HPKE_KEY_generate BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_HPKE_KEY_generate)\n#define _EVP_HPKE_KEY_init BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_HPKE_KEY_init)\n#define _EVP_HPKE_KEY_kem BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_HPKE_KEY_kem)\n#define _EVP_HPKE_KEY_move BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_HPKE_KEY_move)\n#define _EVP_HPKE_KEY_new BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_HPKE_KEY_new)\n#define _EVP_HPKE_KEY_private_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_HPKE_KEY_private_key)\n#define _EVP_HPKE_KEY_public_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_HPKE_KEY_public_key)\n#define _EVP_HPKE_KEY_zero BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_HPKE_KEY_zero)\n#define _EVP_MD_CTX_block_size BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_MD_CTX_block_size)\n#define _EVP_MD_CTX_cleanse BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_MD_CTX_cleanse)\n#define _EVP_MD_CTX_cleanup BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_MD_CTX_cleanup)\n#define _EVP_MD_CTX_copy BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_MD_CTX_copy)\n#define _EVP_MD_CTX_copy_ex BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_MD_CTX_copy_ex)\n#define _EVP_MD_CTX_create BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_MD_CTX_create)\n#define _EVP_MD_CTX_destroy BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_MD_CTX_destroy)\n#define _EVP_MD_CTX_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_MD_CTX_free)\n#define _EVP_MD_CTX_get0_md BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_MD_CTX_get0_md)\n#define _EVP_MD_CTX_init BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_MD_CTX_init)\n#define _EVP_MD_CTX_md BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_MD_CTX_md)\n#define _EVP_MD_CTX_move BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_MD_CTX_move)\n#define _EVP_MD_CTX_new BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_MD_CTX_new)\n#define _EVP_MD_CTX_reset BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_MD_CTX_reset)\n#define _EVP_MD_CTX_set_flags BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_MD_CTX_set_flags)\n#define _EVP_MD_CTX_size BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_MD_CTX_size)\n#define _EVP_MD_CTX_type BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_MD_CTX_type)\n#define _EVP_MD_block_size BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_MD_block_size)\n#define _EVP_MD_flags BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_MD_flags)\n#define _EVP_MD_meth_get_flags BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_MD_meth_get_flags)\n#define _EVP_MD_nid BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_MD_nid)\n#define _EVP_MD_size BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_MD_size)\n#define _EVP_MD_type BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_MD_type)\n#define _EVP_PBE_scrypt BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_PBE_scrypt)\n#define _EVP_PKCS82PKEY BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_PKCS82PKEY)\n#define _EVP_PKEY2PKCS8 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_PKEY2PKCS8)\n#define _EVP_PKEY_CTX_add1_hkdf_info BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_PKEY_CTX_add1_hkdf_info)\n#define _EVP_PKEY_CTX_ctrl BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_PKEY_CTX_ctrl)\n#define _EVP_PKEY_CTX_dup BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_PKEY_CTX_dup)\n#define _EVP_PKEY_CTX_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_PKEY_CTX_free)\n#define _EVP_PKEY_CTX_get0_pkey BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_PKEY_CTX_get0_pkey)\n#define _EVP_PKEY_CTX_get0_rsa_oaep_label BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_PKEY_CTX_get0_rsa_oaep_label)\n#define _EVP_PKEY_CTX_get_rsa_mgf1_md BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_PKEY_CTX_get_rsa_mgf1_md)\n#define _EVP_PKEY_CTX_get_rsa_oaep_md BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_PKEY_CTX_get_rsa_oaep_md)\n#define _EVP_PKEY_CTX_get_rsa_padding BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_PKEY_CTX_get_rsa_padding)\n#define _EVP_PKEY_CTX_get_rsa_pss_saltlen BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_PKEY_CTX_get_rsa_pss_saltlen)\n#define _EVP_PKEY_CTX_get_signature_md BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_PKEY_CTX_get_signature_md)\n#define _EVP_PKEY_CTX_hkdf_mode BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_PKEY_CTX_hkdf_mode)\n#define _EVP_PKEY_CTX_new BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_PKEY_CTX_new)\n#define _EVP_PKEY_CTX_new_id BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_PKEY_CTX_new_id)\n#define _EVP_PKEY_CTX_set0_rsa_oaep_label BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_PKEY_CTX_set0_rsa_oaep_label)\n#define _EVP_PKEY_CTX_set1_hkdf_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_PKEY_CTX_set1_hkdf_key)\n#define _EVP_PKEY_CTX_set1_hkdf_salt BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_PKEY_CTX_set1_hkdf_salt)\n#define _EVP_PKEY_CTX_set_dh_pad BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_PKEY_CTX_set_dh_pad)\n#define _EVP_PKEY_CTX_set_dsa_paramgen_bits BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_PKEY_CTX_set_dsa_paramgen_bits)\n#define _EVP_PKEY_CTX_set_dsa_paramgen_q_bits BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_PKEY_CTX_set_dsa_paramgen_q_bits)\n#define _EVP_PKEY_CTX_set_ec_param_enc BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_PKEY_CTX_set_ec_param_enc)\n#define _EVP_PKEY_CTX_set_ec_paramgen_curve_nid BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_PKEY_CTX_set_ec_paramgen_curve_nid)\n#define _EVP_PKEY_CTX_set_hkdf_md BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_PKEY_CTX_set_hkdf_md)\n#define _EVP_PKEY_CTX_set_rsa_keygen_bits BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_PKEY_CTX_set_rsa_keygen_bits)\n#define _EVP_PKEY_CTX_set_rsa_keygen_pubexp BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_PKEY_CTX_set_rsa_keygen_pubexp)\n#define _EVP_PKEY_CTX_set_rsa_mgf1_md BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_PKEY_CTX_set_rsa_mgf1_md)\n#define _EVP_PKEY_CTX_set_rsa_oaep_md BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_PKEY_CTX_set_rsa_oaep_md)\n#define _EVP_PKEY_CTX_set_rsa_padding BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_PKEY_CTX_set_rsa_padding)\n#define _EVP_PKEY_CTX_set_rsa_pss_keygen_md BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_PKEY_CTX_set_rsa_pss_keygen_md)\n#define _EVP_PKEY_CTX_set_rsa_pss_keygen_mgf1_md BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_PKEY_CTX_set_rsa_pss_keygen_mgf1_md)\n#define _EVP_PKEY_CTX_set_rsa_pss_keygen_saltlen BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_PKEY_CTX_set_rsa_pss_keygen_saltlen)\n#define _EVP_PKEY_CTX_set_rsa_pss_saltlen BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_PKEY_CTX_set_rsa_pss_saltlen)\n#define _EVP_PKEY_CTX_set_signature_md BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_PKEY_CTX_set_signature_md)\n#define _EVP_PKEY_assign BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_PKEY_assign)\n#define _EVP_PKEY_assign_DH BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_PKEY_assign_DH)\n#define _EVP_PKEY_assign_DSA BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_PKEY_assign_DSA)\n#define _EVP_PKEY_assign_EC_KEY BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_PKEY_assign_EC_KEY)\n#define _EVP_PKEY_assign_RSA BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_PKEY_assign_RSA)\n#define _EVP_PKEY_base_id BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_PKEY_base_id)\n#define _EVP_PKEY_bits BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_PKEY_bits)\n#define _EVP_PKEY_cmp BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_PKEY_cmp)\n#define _EVP_PKEY_cmp_parameters BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_PKEY_cmp_parameters)\n#define _EVP_PKEY_copy_parameters BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_PKEY_copy_parameters)\n#define _EVP_PKEY_decrypt BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_PKEY_decrypt)\n#define _EVP_PKEY_decrypt_init BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_PKEY_decrypt_init)\n#define _EVP_PKEY_derive BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_PKEY_derive)\n#define _EVP_PKEY_derive_init BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_PKEY_derive_init)\n#define _EVP_PKEY_derive_set_peer BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_PKEY_derive_set_peer)\n#define _EVP_PKEY_encrypt BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_PKEY_encrypt)\n#define _EVP_PKEY_encrypt_init BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_PKEY_encrypt_init)\n#define _EVP_PKEY_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_PKEY_free)\n#define _EVP_PKEY_get0 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_PKEY_get0)\n#define _EVP_PKEY_get0_DH BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_PKEY_get0_DH)\n#define _EVP_PKEY_get0_DSA BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_PKEY_get0_DSA)\n#define _EVP_PKEY_get0_EC_KEY BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_PKEY_get0_EC_KEY)\n#define _EVP_PKEY_get0_RSA BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_PKEY_get0_RSA)\n#define _EVP_PKEY_get1_DH BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_PKEY_get1_DH)\n#define _EVP_PKEY_get1_DSA BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_PKEY_get1_DSA)\n#define _EVP_PKEY_get1_EC_KEY BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_PKEY_get1_EC_KEY)\n#define _EVP_PKEY_get1_RSA BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_PKEY_get1_RSA)\n#define _EVP_PKEY_get1_tls_encodedpoint BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_PKEY_get1_tls_encodedpoint)\n#define _EVP_PKEY_get_raw_private_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_PKEY_get_raw_private_key)\n#define _EVP_PKEY_get_raw_public_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_PKEY_get_raw_public_key)\n#define _EVP_PKEY_id BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_PKEY_id)\n#define _EVP_PKEY_is_opaque BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_PKEY_is_opaque)\n#define _EVP_PKEY_keygen BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_PKEY_keygen)\n#define _EVP_PKEY_keygen_init BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_PKEY_keygen_init)\n#define _EVP_PKEY_missing_parameters BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_PKEY_missing_parameters)\n#define _EVP_PKEY_new BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_PKEY_new)\n#define _EVP_PKEY_new_raw_private_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_PKEY_new_raw_private_key)\n#define _EVP_PKEY_new_raw_public_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_PKEY_new_raw_public_key)\n#define _EVP_PKEY_paramgen BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_PKEY_paramgen)\n#define _EVP_PKEY_paramgen_init BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_PKEY_paramgen_init)\n#define _EVP_PKEY_print_params BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_PKEY_print_params)\n#define _EVP_PKEY_print_private BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_PKEY_print_private)\n#define _EVP_PKEY_print_public BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_PKEY_print_public)\n#define _EVP_PKEY_set1_DH BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_PKEY_set1_DH)\n#define _EVP_PKEY_set1_DSA BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_PKEY_set1_DSA)\n#define _EVP_PKEY_set1_EC_KEY BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_PKEY_set1_EC_KEY)\n#define _EVP_PKEY_set1_RSA BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_PKEY_set1_RSA)\n#define _EVP_PKEY_set1_tls_encodedpoint BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_PKEY_set1_tls_encodedpoint)\n#define _EVP_PKEY_set_type BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_PKEY_set_type)\n#define _EVP_PKEY_sign BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_PKEY_sign)\n#define _EVP_PKEY_sign_init BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_PKEY_sign_init)\n#define _EVP_PKEY_size BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_PKEY_size)\n#define _EVP_PKEY_type BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_PKEY_type)\n#define _EVP_PKEY_up_ref BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_PKEY_up_ref)\n#define _EVP_PKEY_verify BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_PKEY_verify)\n#define _EVP_PKEY_verify_init BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_PKEY_verify_init)\n#define _EVP_PKEY_verify_recover BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_PKEY_verify_recover)\n#define _EVP_PKEY_verify_recover_init BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_PKEY_verify_recover_init)\n#define _EVP_SignFinal BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_SignFinal)\n#define _EVP_SignInit BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_SignInit)\n#define _EVP_SignInit_ex BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_SignInit_ex)\n#define _EVP_SignUpdate BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_SignUpdate)\n#define _EVP_VerifyFinal BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_VerifyFinal)\n#define _EVP_VerifyInit BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_VerifyInit)\n#define _EVP_VerifyInit_ex BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_VerifyInit_ex)\n#define _EVP_VerifyUpdate BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_VerifyUpdate)\n#define _EVP_add_cipher_alias BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_add_cipher_alias)\n#define _EVP_add_digest BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_add_digest)\n#define _EVP_aead_aes_128_cbc_sha1_tls BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_aead_aes_128_cbc_sha1_tls)\n#define _EVP_aead_aes_128_cbc_sha1_tls_implicit_iv BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_aead_aes_128_cbc_sha1_tls_implicit_iv)\n#define _EVP_aead_aes_128_cbc_sha256_tls BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_aead_aes_128_cbc_sha256_tls)\n#define _EVP_aead_aes_128_ccm_bluetooth BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_aead_aes_128_ccm_bluetooth)\n#define _EVP_aead_aes_128_ccm_bluetooth_8 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_aead_aes_128_ccm_bluetooth_8)\n#define _EVP_aead_aes_128_ccm_matter BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_aead_aes_128_ccm_matter)\n#define _EVP_aead_aes_128_ctr_hmac_sha256 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_aead_aes_128_ctr_hmac_sha256)\n#define _EVP_aead_aes_128_gcm BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_aead_aes_128_gcm)\n#define _EVP_aead_aes_128_gcm_randnonce BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_aead_aes_128_gcm_randnonce)\n#define _EVP_aead_aes_128_gcm_siv BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_aead_aes_128_gcm_siv)\n#define _EVP_aead_aes_128_gcm_tls12 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_aead_aes_128_gcm_tls12)\n#define _EVP_aead_aes_128_gcm_tls13 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_aead_aes_128_gcm_tls13)\n#define _EVP_aead_aes_192_gcm BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_aead_aes_192_gcm)\n#define _EVP_aead_aes_256_cbc_sha1_tls BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_aead_aes_256_cbc_sha1_tls)\n#define _EVP_aead_aes_256_cbc_sha1_tls_implicit_iv BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_aead_aes_256_cbc_sha1_tls_implicit_iv)\n#define _EVP_aead_aes_256_ctr_hmac_sha256 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_aead_aes_256_ctr_hmac_sha256)\n#define _EVP_aead_aes_256_gcm BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_aead_aes_256_gcm)\n#define _EVP_aead_aes_256_gcm_randnonce BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_aead_aes_256_gcm_randnonce)\n#define _EVP_aead_aes_256_gcm_siv BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_aead_aes_256_gcm_siv)\n#define _EVP_aead_aes_256_gcm_tls12 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_aead_aes_256_gcm_tls12)\n#define _EVP_aead_aes_256_gcm_tls13 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_aead_aes_256_gcm_tls13)\n#define _EVP_aead_chacha20_poly1305 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_aead_chacha20_poly1305)\n#define _EVP_aead_des_ede3_cbc_sha1_tls BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_aead_des_ede3_cbc_sha1_tls)\n#define _EVP_aead_des_ede3_cbc_sha1_tls_implicit_iv BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_aead_des_ede3_cbc_sha1_tls_implicit_iv)\n#define _EVP_aead_xchacha20_poly1305 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_aead_xchacha20_poly1305)\n#define _EVP_aes_128_cbc BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_aes_128_cbc)\n#define _EVP_aes_128_ctr BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_aes_128_ctr)\n#define _EVP_aes_128_ecb BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_aes_128_ecb)\n#define _EVP_aes_128_gcm BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_aes_128_gcm)\n#define _EVP_aes_128_ofb BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_aes_128_ofb)\n#define _EVP_aes_192_cbc BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_aes_192_cbc)\n#define _EVP_aes_192_ctr BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_aes_192_ctr)\n#define _EVP_aes_192_ecb BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_aes_192_ecb)\n#define _EVP_aes_192_gcm BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_aes_192_gcm)\n#define _EVP_aes_192_ofb BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_aes_192_ofb)\n#define _EVP_aes_256_cbc BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_aes_256_cbc)\n#define _EVP_aes_256_ctr BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_aes_256_ctr)\n#define _EVP_aes_256_ecb BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_aes_256_ecb)\n#define _EVP_aes_256_gcm BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_aes_256_gcm)\n#define _EVP_aes_256_ofb BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_aes_256_ofb)\n#define _EVP_blake2b256 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_blake2b256)\n#define _EVP_cleanup BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_cleanup)\n#define _EVP_des_cbc BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_des_cbc)\n#define _EVP_des_ecb BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_des_ecb)\n#define _EVP_des_ede BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_des_ede)\n#define _EVP_des_ede3 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_des_ede3)\n#define _EVP_des_ede3_cbc BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_des_ede3_cbc)\n#define _EVP_des_ede3_ecb BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_des_ede3_ecb)\n#define _EVP_des_ede_cbc BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_des_ede_cbc)\n#define _EVP_enc_null BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_enc_null)\n#define _EVP_get_cipherbyname BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_get_cipherbyname)\n#define _EVP_get_cipherbynid BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_get_cipherbynid)\n#define _EVP_get_digestbyname BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_get_digestbyname)\n#define _EVP_get_digestbynid BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_get_digestbynid)\n#define _EVP_get_digestbyobj BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_get_digestbyobj)\n#define _EVP_has_aes_hardware BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_has_aes_hardware)\n#define _EVP_hpke_aes_128_gcm BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_hpke_aes_128_gcm)\n#define _EVP_hpke_aes_256_gcm BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_hpke_aes_256_gcm)\n#define _EVP_hpke_chacha20_poly1305 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_hpke_chacha20_poly1305)\n#define _EVP_hpke_hkdf_sha256 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_hpke_hkdf_sha256)\n#define _EVP_hpke_p256_hkdf_sha256 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_hpke_p256_hkdf_sha256)\n#define _EVP_hpke_x25519_hkdf_sha256 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_hpke_x25519_hkdf_sha256)\n#define _EVP_marshal_digest_algorithm BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_marshal_digest_algorithm)\n#define _EVP_marshal_private_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_marshal_private_key)\n#define _EVP_marshal_public_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_marshal_public_key)\n#define _EVP_md4 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_md4)\n#define _EVP_md5 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_md5)\n#define _EVP_md5_sha1 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_md5_sha1)\n#define _EVP_parse_digest_algorithm BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_parse_digest_algorithm)\n#define _EVP_parse_private_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_parse_private_key)\n#define _EVP_parse_public_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_parse_public_key)\n#define _EVP_rc2_40_cbc BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_rc2_40_cbc)\n#define _EVP_rc2_cbc BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_rc2_cbc)\n#define _EVP_rc4 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_rc4)\n#define _EVP_sha1 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_sha1)\n#define _EVP_sha1_final_with_secret_suffix BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_sha1_final_with_secret_suffix)\n#define _EVP_sha224 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_sha224)\n#define _EVP_sha256 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_sha256)\n#define _EVP_sha256_final_with_secret_suffix BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_sha256_final_with_secret_suffix)\n#define _EVP_sha384 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_sha384)\n#define _EVP_sha512 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_sha512)\n#define _EVP_sha512_256 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_sha512_256)\n#define _EVP_tls_cbc_copy_mac BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_tls_cbc_copy_mac)\n#define _EVP_tls_cbc_digest_record BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_tls_cbc_digest_record)\n#define _EVP_tls_cbc_record_digest_supported BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_tls_cbc_record_digest_supported)\n#define _EVP_tls_cbc_remove_padding BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_tls_cbc_remove_padding)\n#define _EXTENDED_KEY_USAGE_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EXTENDED_KEY_USAGE_free)\n#define _EXTENDED_KEY_USAGE_it BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EXTENDED_KEY_USAGE_it)\n#define _EXTENDED_KEY_USAGE_new BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EXTENDED_KEY_USAGE_new)\n#define _FIPS_mode BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, FIPS_mode)\n#define _FIPS_mode_set BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, FIPS_mode_set)\n#define _FIPS_module_name BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, FIPS_module_name)\n#define _FIPS_query_algorithm_status BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, FIPS_query_algorithm_status)\n#define _FIPS_read_counter BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, FIPS_read_counter)\n#define _FIPS_service_indicator_after_call BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, FIPS_service_indicator_after_call)\n#define _FIPS_service_indicator_before_call BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, FIPS_service_indicator_before_call)\n#define _FIPS_version BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, FIPS_version)\n#define _GENERAL_NAMES_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, GENERAL_NAMES_free)\n#define _GENERAL_NAMES_it BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, GENERAL_NAMES_it)\n#define _GENERAL_NAMES_new BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, GENERAL_NAMES_new)\n#define _GENERAL_NAME_cmp BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, GENERAL_NAME_cmp)\n#define _GENERAL_NAME_dup BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, GENERAL_NAME_dup)\n#define _GENERAL_NAME_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, GENERAL_NAME_free)\n#define _GENERAL_NAME_get0_otherName BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, GENERAL_NAME_get0_otherName)\n#define _GENERAL_NAME_get0_value BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, GENERAL_NAME_get0_value)\n#define _GENERAL_NAME_it BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, GENERAL_NAME_it)\n#define _GENERAL_NAME_new BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, GENERAL_NAME_new)\n#define _GENERAL_NAME_print BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, GENERAL_NAME_print)\n#define _GENERAL_NAME_set0_othername BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, GENERAL_NAME_set0_othername)\n#define _GENERAL_NAME_set0_value BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, GENERAL_NAME_set0_value)\n#define _GENERAL_SUBTREE_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, GENERAL_SUBTREE_free)\n#define _GENERAL_SUBTREE_new BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, GENERAL_SUBTREE_new)\n#define _HKDF BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, HKDF)\n#define _HKDF_expand BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, HKDF_expand)\n#define _HKDF_extract BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, HKDF_extract)\n#define _HMAC BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, HMAC)\n#define _HMAC_CTX_cleanse BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, HMAC_CTX_cleanse)\n#define _HMAC_CTX_cleanup BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, HMAC_CTX_cleanup)\n#define _HMAC_CTX_copy BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, HMAC_CTX_copy)\n#define _HMAC_CTX_copy_ex BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, HMAC_CTX_copy_ex)\n#define _HMAC_CTX_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, HMAC_CTX_free)\n#define _HMAC_CTX_get_md BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, HMAC_CTX_get_md)\n#define _HMAC_CTX_init BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, HMAC_CTX_init)\n#define _HMAC_CTX_new BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, HMAC_CTX_new)\n#define _HMAC_CTX_reset BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, HMAC_CTX_reset)\n#define _HMAC_Final BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, HMAC_Final)\n#define _HMAC_Init BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, HMAC_Init)\n#define _HMAC_Init_ex BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, HMAC_Init_ex)\n#define _HMAC_Update BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, HMAC_Update)\n#define _HMAC_size BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, HMAC_size)\n#define _HRSS_decap BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, HRSS_decap)\n#define _HRSS_encap BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, HRSS_encap)\n#define _HRSS_generate_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, HRSS_generate_key)\n#define _HRSS_marshal_public_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, HRSS_marshal_public_key)\n#define _HRSS_parse_public_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, HRSS_parse_public_key)\n#define _HRSS_poly3_invert BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, HRSS_poly3_invert)\n#define _HRSS_poly3_mul BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, HRSS_poly3_mul)\n#define _ISSUING_DIST_POINT_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ISSUING_DIST_POINT_free)\n#define _ISSUING_DIST_POINT_it BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ISSUING_DIST_POINT_it)\n#define _ISSUING_DIST_POINT_new BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ISSUING_DIST_POINT_new)\n#define _KYBER_decap BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, KYBER_decap)\n#define _KYBER_encap BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, KYBER_encap)\n#define _KYBER_encap_external_entropy BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, KYBER_encap_external_entropy)\n#define _KYBER_generate_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, KYBER_generate_key)\n#define _KYBER_generate_key_external_entropy BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, KYBER_generate_key_external_entropy)\n#define _KYBER_marshal_private_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, KYBER_marshal_private_key)\n#define _KYBER_marshal_public_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, KYBER_marshal_public_key)\n#define _KYBER_parse_private_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, KYBER_parse_private_key)\n#define _KYBER_parse_public_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, KYBER_parse_public_key)\n#define _KYBER_public_from_private BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, KYBER_public_from_private)\n#define _MD4 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, MD4)\n#define _MD4_Final BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, MD4_Final)\n#define _MD4_Init BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, MD4_Init)\n#define _MD4_Transform BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, MD4_Transform)\n#define _MD4_Update BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, MD4_Update)\n#define _MD5 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, MD5)\n#define _MD5_Final BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, MD5_Final)\n#define _MD5_Init BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, MD5_Init)\n#define _MD5_Transform BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, MD5_Transform)\n#define _MD5_Update BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, MD5_Update)\n#define _METHOD_ref BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, METHOD_ref)\n#define _METHOD_unref BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, METHOD_unref)\n#define _MLDSA65_generate_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, MLDSA65_generate_key)\n#define _MLDSA65_marshal_public_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, MLDSA65_marshal_public_key)\n#define _MLDSA65_parse_public_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, MLDSA65_parse_public_key)\n#define _MLDSA65_private_key_from_seed BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, MLDSA65_private_key_from_seed)\n#define _MLDSA65_public_from_private BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, MLDSA65_public_from_private)\n#define _MLDSA65_sign BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, MLDSA65_sign)\n#define _MLDSA65_verify BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, MLDSA65_verify)\n#define _MLKEM1024_decap BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, MLKEM1024_decap)\n#define _MLKEM1024_encap BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, MLKEM1024_encap)\n#define _MLKEM1024_generate_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, MLKEM1024_generate_key)\n#define _MLKEM1024_marshal_public_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, MLKEM1024_marshal_public_key)\n#define _MLKEM1024_parse_public_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, MLKEM1024_parse_public_key)\n#define _MLKEM1024_private_key_from_seed BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, MLKEM1024_private_key_from_seed)\n#define _MLKEM1024_public_from_private BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, MLKEM1024_public_from_private)\n#define _MLKEM768_decap BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, MLKEM768_decap)\n#define _MLKEM768_encap BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, MLKEM768_encap)\n#define _MLKEM768_generate_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, MLKEM768_generate_key)\n#define _MLKEM768_marshal_public_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, MLKEM768_marshal_public_key)\n#define _MLKEM768_parse_public_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, MLKEM768_parse_public_key)\n#define _MLKEM768_private_key_from_seed BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, MLKEM768_private_key_from_seed)\n#define _MLKEM768_public_from_private BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, MLKEM768_public_from_private)\n#define _NAME_CONSTRAINTS_check BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, NAME_CONSTRAINTS_check)\n#define _NAME_CONSTRAINTS_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, NAME_CONSTRAINTS_free)\n#define _NAME_CONSTRAINTS_it BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, NAME_CONSTRAINTS_it)\n#define _NAME_CONSTRAINTS_new BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, NAME_CONSTRAINTS_new)\n#define _NCONF_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, NCONF_free)\n#define _NCONF_get_section BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, NCONF_get_section)\n#define _NCONF_get_string BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, NCONF_get_string)\n#define _NCONF_load BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, NCONF_load)\n#define _NCONF_load_bio BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, NCONF_load_bio)\n#define _NCONF_new BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, NCONF_new)\n#define _NETSCAPE_SPKAC_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, NETSCAPE_SPKAC_free)\n#define _NETSCAPE_SPKAC_it BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, NETSCAPE_SPKAC_it)\n#define _NETSCAPE_SPKAC_new BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, NETSCAPE_SPKAC_new)\n#define _NETSCAPE_SPKI_b64_decode BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, NETSCAPE_SPKI_b64_decode)\n#define _NETSCAPE_SPKI_b64_encode BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, NETSCAPE_SPKI_b64_encode)\n#define _NETSCAPE_SPKI_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, NETSCAPE_SPKI_free)\n#define _NETSCAPE_SPKI_get_pubkey BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, NETSCAPE_SPKI_get_pubkey)\n#define _NETSCAPE_SPKI_it BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, NETSCAPE_SPKI_it)\n#define _NETSCAPE_SPKI_new BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, NETSCAPE_SPKI_new)\n#define _NETSCAPE_SPKI_set_pubkey BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, NETSCAPE_SPKI_set_pubkey)\n#define _NETSCAPE_SPKI_sign BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, NETSCAPE_SPKI_sign)\n#define _NETSCAPE_SPKI_verify BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, NETSCAPE_SPKI_verify)\n#define _NOTICEREF_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, NOTICEREF_free)\n#define _NOTICEREF_it BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, NOTICEREF_it)\n#define _NOTICEREF_new BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, NOTICEREF_new)\n#define _OBJ_cbs2nid BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OBJ_cbs2nid)\n#define _OBJ_cleanup BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OBJ_cleanup)\n#define _OBJ_cmp BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OBJ_cmp)\n#define _OBJ_create BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OBJ_create)\n#define _OBJ_dup BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OBJ_dup)\n#define _OBJ_find_sigid_algs BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OBJ_find_sigid_algs)\n#define _OBJ_find_sigid_by_algs BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OBJ_find_sigid_by_algs)\n#define _OBJ_get0_data BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OBJ_get0_data)\n#define _OBJ_get_undef BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OBJ_get_undef)\n#define _OBJ_length BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OBJ_length)\n#define _OBJ_ln2nid BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OBJ_ln2nid)\n#define _OBJ_nid2cbb BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OBJ_nid2cbb)\n#define _OBJ_nid2ln BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OBJ_nid2ln)\n#define _OBJ_nid2obj BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OBJ_nid2obj)\n#define _OBJ_nid2sn BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OBJ_nid2sn)\n#define _OBJ_obj2nid BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OBJ_obj2nid)\n#define _OBJ_obj2txt BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OBJ_obj2txt)\n#define _OBJ_sn2nid BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OBJ_sn2nid)\n#define _OBJ_txt2nid BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OBJ_txt2nid)\n#define _OBJ_txt2obj BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OBJ_txt2obj)\n#define _OPENSSL_add_all_algorithms_conf BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OPENSSL_add_all_algorithms_conf)\n#define _OPENSSL_armcap_P BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OPENSSL_armcap_P)\n#define _OPENSSL_asprintf BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OPENSSL_asprintf)\n#define _OPENSSL_calloc BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OPENSSL_calloc)\n#define _OPENSSL_cleanse BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OPENSSL_cleanse)\n#define _OPENSSL_cleanup BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OPENSSL_cleanup)\n#define _OPENSSL_clear_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OPENSSL_clear_free)\n#define _OPENSSL_config BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OPENSSL_config)\n#define _OPENSSL_cpuid_setup BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OPENSSL_cpuid_setup)\n#define _OPENSSL_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OPENSSL_free)\n#define _OPENSSL_fromxdigit BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OPENSSL_fromxdigit)\n#define _OPENSSL_get_armcap BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OPENSSL_get_armcap)\n#define _OPENSSL_get_armcap_pointer_for_test BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OPENSSL_get_armcap_pointer_for_test)\n#define _OPENSSL_get_ia32cap BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OPENSSL_get_ia32cap)\n#define _OPENSSL_gmtime BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OPENSSL_gmtime)\n#define _OPENSSL_gmtime_adj BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OPENSSL_gmtime_adj)\n#define _OPENSSL_gmtime_diff BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OPENSSL_gmtime_diff)\n#define _OPENSSL_hash32 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OPENSSL_hash32)\n#define _OPENSSL_ia32cap_P BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OPENSSL_ia32cap_P)\n#define _OPENSSL_init_cpuid BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OPENSSL_init_cpuid)\n#define _OPENSSL_init_crypto BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OPENSSL_init_crypto)\n#define _OPENSSL_init_ssl BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OPENSSL_init_ssl)\n#define _OPENSSL_isalnum BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OPENSSL_isalnum)\n#define _OPENSSL_isalpha BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OPENSSL_isalpha)\n#define _OPENSSL_isdigit BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OPENSSL_isdigit)\n#define _OPENSSL_isspace BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OPENSSL_isspace)\n#define _OPENSSL_isxdigit BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OPENSSL_isxdigit)\n#define _OPENSSL_lh_delete BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OPENSSL_lh_delete)\n#define _OPENSSL_lh_doall_arg BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OPENSSL_lh_doall_arg)\n#define _OPENSSL_lh_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OPENSSL_lh_free)\n#define _OPENSSL_lh_insert BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OPENSSL_lh_insert)\n#define _OPENSSL_lh_new BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OPENSSL_lh_new)\n#define _OPENSSL_lh_num_items BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OPENSSL_lh_num_items)\n#define _OPENSSL_lh_retrieve BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OPENSSL_lh_retrieve)\n#define _OPENSSL_lh_retrieve_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OPENSSL_lh_retrieve_key)\n#define _OPENSSL_load_builtin_modules BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OPENSSL_load_builtin_modules)\n#define _OPENSSL_malloc BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OPENSSL_malloc)\n#define _OPENSSL_malloc_init BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OPENSSL_malloc_init)\n#define _OPENSSL_memdup BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OPENSSL_memdup)\n#define _OPENSSL_no_config BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OPENSSL_no_config)\n#define _OPENSSL_posix_to_tm BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OPENSSL_posix_to_tm)\n#define _OPENSSL_realloc BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OPENSSL_realloc)\n#define _OPENSSL_secure_clear_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OPENSSL_secure_clear_free)\n#define _OPENSSL_secure_malloc BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OPENSSL_secure_malloc)\n#define _OPENSSL_sk_deep_copy BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OPENSSL_sk_deep_copy)\n#define _OPENSSL_sk_delete BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OPENSSL_sk_delete)\n#define _OPENSSL_sk_delete_if BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OPENSSL_sk_delete_if)\n#define _OPENSSL_sk_delete_ptr BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OPENSSL_sk_delete_ptr)\n#define _OPENSSL_sk_dup BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OPENSSL_sk_dup)\n#define _OPENSSL_sk_find BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OPENSSL_sk_find)\n#define _OPENSSL_sk_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OPENSSL_sk_free)\n#define _OPENSSL_sk_insert BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OPENSSL_sk_insert)\n#define _OPENSSL_sk_is_sorted BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OPENSSL_sk_is_sorted)\n#define _OPENSSL_sk_new BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OPENSSL_sk_new)\n#define _OPENSSL_sk_new_null BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OPENSSL_sk_new_null)\n#define _OPENSSL_sk_num BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OPENSSL_sk_num)\n#define _OPENSSL_sk_pop BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OPENSSL_sk_pop)\n#define _OPENSSL_sk_pop_free_ex BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OPENSSL_sk_pop_free_ex)\n#define _OPENSSL_sk_push BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OPENSSL_sk_push)\n#define _OPENSSL_sk_set BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OPENSSL_sk_set)\n#define _OPENSSL_sk_set_cmp_func BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OPENSSL_sk_set_cmp_func)\n#define _OPENSSL_sk_shift BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OPENSSL_sk_shift)\n#define _OPENSSL_sk_sort BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OPENSSL_sk_sort)\n#define _OPENSSL_sk_value BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OPENSSL_sk_value)\n#define _OPENSSL_sk_zero BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OPENSSL_sk_zero)\n#define _OPENSSL_strcasecmp BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OPENSSL_strcasecmp)\n#define _OPENSSL_strdup BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OPENSSL_strdup)\n#define _OPENSSL_strhash BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OPENSSL_strhash)\n#define _OPENSSL_strlcat BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OPENSSL_strlcat)\n#define _OPENSSL_strlcpy BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OPENSSL_strlcpy)\n#define _OPENSSL_strncasecmp BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OPENSSL_strncasecmp)\n#define _OPENSSL_strndup BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OPENSSL_strndup)\n#define _OPENSSL_strnlen BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OPENSSL_strnlen)\n#define _OPENSSL_timegm BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OPENSSL_timegm)\n#define _OPENSSL_tm_to_posix BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OPENSSL_tm_to_posix)\n#define _OPENSSL_tolower BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OPENSSL_tolower)\n#define _OPENSSL_vasprintf BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OPENSSL_vasprintf)\n#define _OPENSSL_vasprintf_internal BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OPENSSL_vasprintf_internal)\n#define _OPENSSL_zalloc BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OPENSSL_zalloc)\n#define _OTHERNAME_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OTHERNAME_free)\n#define _OTHERNAME_new BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OTHERNAME_new)\n#define _OpenSSL_add_all_algorithms BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OpenSSL_add_all_algorithms)\n#define _OpenSSL_add_all_ciphers BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OpenSSL_add_all_ciphers)\n#define _OpenSSL_add_all_digests BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OpenSSL_add_all_digests)\n#define _OpenSSL_version BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OpenSSL_version)\n#define _OpenSSL_version_num BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OpenSSL_version_num)\n#define _PEM_ASN1_read BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, PEM_ASN1_read)\n#define _PEM_ASN1_read_bio BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, PEM_ASN1_read_bio)\n#define _PEM_ASN1_write BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, PEM_ASN1_write)\n#define _PEM_ASN1_write_bio BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, PEM_ASN1_write_bio)\n#define _PEM_X509_INFO_read BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, PEM_X509_INFO_read)\n#define _PEM_X509_INFO_read_bio BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, PEM_X509_INFO_read_bio)\n#define _PEM_bytes_read_bio BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, PEM_bytes_read_bio)\n#define _PEM_def_callback BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, PEM_def_callback)\n#define _PEM_do_header BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, PEM_do_header)\n#define _PEM_get_EVP_CIPHER_INFO BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, PEM_get_EVP_CIPHER_INFO)\n#define _PEM_read BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, PEM_read)\n#define _PEM_read_DHparams BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, PEM_read_DHparams)\n#define _PEM_read_DSAPrivateKey BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, PEM_read_DSAPrivateKey)\n#define _PEM_read_DSA_PUBKEY BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, PEM_read_DSA_PUBKEY)\n#define _PEM_read_DSAparams BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, PEM_read_DSAparams)\n#define _PEM_read_ECPrivateKey BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, PEM_read_ECPrivateKey)\n#define _PEM_read_EC_PUBKEY BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, PEM_read_EC_PUBKEY)\n#define _PEM_read_PKCS7 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, PEM_read_PKCS7)\n#define _PEM_read_PKCS8 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, PEM_read_PKCS8)\n#define _PEM_read_PKCS8_PRIV_KEY_INFO BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, PEM_read_PKCS8_PRIV_KEY_INFO)\n#define _PEM_read_PUBKEY BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, PEM_read_PUBKEY)\n#define _PEM_read_PrivateKey BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, PEM_read_PrivateKey)\n#define _PEM_read_RSAPrivateKey BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, PEM_read_RSAPrivateKey)\n#define _PEM_read_RSAPublicKey BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, PEM_read_RSAPublicKey)\n#define _PEM_read_RSA_PUBKEY BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, PEM_read_RSA_PUBKEY)\n#define _PEM_read_SSL_SESSION BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, PEM_read_SSL_SESSION)\n#define _PEM_read_X509 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, PEM_read_X509)\n#define _PEM_read_X509_AUX BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, PEM_read_X509_AUX)\n#define _PEM_read_X509_CRL BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, PEM_read_X509_CRL)\n#define _PEM_read_X509_REQ BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, PEM_read_X509_REQ)\n#define _PEM_read_bio BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, PEM_read_bio)\n#define _PEM_read_bio_DHparams BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, PEM_read_bio_DHparams)\n#define _PEM_read_bio_DSAPrivateKey BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, PEM_read_bio_DSAPrivateKey)\n#define _PEM_read_bio_DSA_PUBKEY BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, PEM_read_bio_DSA_PUBKEY)\n#define _PEM_read_bio_DSAparams BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, PEM_read_bio_DSAparams)\n#define _PEM_read_bio_ECPrivateKey BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, PEM_read_bio_ECPrivateKey)\n#define _PEM_read_bio_EC_PUBKEY BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, PEM_read_bio_EC_PUBKEY)\n#define _PEM_read_bio_PKCS7 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, PEM_read_bio_PKCS7)\n#define _PEM_read_bio_PKCS8 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, PEM_read_bio_PKCS8)\n#define _PEM_read_bio_PKCS8_PRIV_KEY_INFO BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, PEM_read_bio_PKCS8_PRIV_KEY_INFO)\n#define _PEM_read_bio_PUBKEY BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, PEM_read_bio_PUBKEY)\n#define _PEM_read_bio_PrivateKey BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, PEM_read_bio_PrivateKey)\n#define _PEM_read_bio_RSAPrivateKey BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, PEM_read_bio_RSAPrivateKey)\n#define _PEM_read_bio_RSAPublicKey BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, PEM_read_bio_RSAPublicKey)\n#define _PEM_read_bio_RSA_PUBKEY BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, PEM_read_bio_RSA_PUBKEY)\n#define _PEM_read_bio_SSL_SESSION BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, PEM_read_bio_SSL_SESSION)\n#define _PEM_read_bio_X509 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, PEM_read_bio_X509)\n#define _PEM_read_bio_X509_AUX BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, PEM_read_bio_X509_AUX)\n#define _PEM_read_bio_X509_CRL BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, PEM_read_bio_X509_CRL)\n#define _PEM_read_bio_X509_REQ BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, PEM_read_bio_X509_REQ)\n#define _PEM_write BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, PEM_write)\n#define _PEM_write_DHparams BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, PEM_write_DHparams)\n#define _PEM_write_DSAPrivateKey BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, PEM_write_DSAPrivateKey)\n#define _PEM_write_DSA_PUBKEY BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, PEM_write_DSA_PUBKEY)\n#define _PEM_write_DSAparams BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, PEM_write_DSAparams)\n#define _PEM_write_ECPrivateKey BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, PEM_write_ECPrivateKey)\n#define _PEM_write_EC_PUBKEY BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, PEM_write_EC_PUBKEY)\n#define _PEM_write_PKCS7 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, PEM_write_PKCS7)\n#define _PEM_write_PKCS8 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, PEM_write_PKCS8)\n#define _PEM_write_PKCS8PrivateKey BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, PEM_write_PKCS8PrivateKey)\n#define _PEM_write_PKCS8PrivateKey_nid BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, PEM_write_PKCS8PrivateKey_nid)\n#define _PEM_write_PKCS8_PRIV_KEY_INFO BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, PEM_write_PKCS8_PRIV_KEY_INFO)\n#define _PEM_write_PUBKEY BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, PEM_write_PUBKEY)\n#define _PEM_write_PrivateKey BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, PEM_write_PrivateKey)\n#define _PEM_write_RSAPrivateKey BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, PEM_write_RSAPrivateKey)\n#define _PEM_write_RSAPublicKey BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, PEM_write_RSAPublicKey)\n#define _PEM_write_RSA_PUBKEY BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, PEM_write_RSA_PUBKEY)\n#define _PEM_write_SSL_SESSION BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, PEM_write_SSL_SESSION)\n#define _PEM_write_X509 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, PEM_write_X509)\n#define _PEM_write_X509_AUX BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, PEM_write_X509_AUX)\n#define _PEM_write_X509_CRL BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, PEM_write_X509_CRL)\n#define _PEM_write_X509_REQ BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, PEM_write_X509_REQ)\n#define _PEM_write_X509_REQ_NEW BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, PEM_write_X509_REQ_NEW)\n#define _PEM_write_bio BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, PEM_write_bio)\n#define _PEM_write_bio_DHparams BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, PEM_write_bio_DHparams)\n#define _PEM_write_bio_DSAPrivateKey BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, PEM_write_bio_DSAPrivateKey)\n#define _PEM_write_bio_DSA_PUBKEY BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, PEM_write_bio_DSA_PUBKEY)\n#define _PEM_write_bio_DSAparams BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, PEM_write_bio_DSAparams)\n#define _PEM_write_bio_ECPrivateKey BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, PEM_write_bio_ECPrivateKey)\n#define _PEM_write_bio_EC_PUBKEY BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, PEM_write_bio_EC_PUBKEY)\n#define _PEM_write_bio_PKCS7 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, PEM_write_bio_PKCS7)\n#define _PEM_write_bio_PKCS8 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, PEM_write_bio_PKCS8)\n#define _PEM_write_bio_PKCS8PrivateKey BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, PEM_write_bio_PKCS8PrivateKey)\n#define _PEM_write_bio_PKCS8PrivateKey_nid BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, PEM_write_bio_PKCS8PrivateKey_nid)\n#define _PEM_write_bio_PKCS8_PRIV_KEY_INFO BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, PEM_write_bio_PKCS8_PRIV_KEY_INFO)\n#define _PEM_write_bio_PUBKEY BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, PEM_write_bio_PUBKEY)\n#define _PEM_write_bio_PrivateKey BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, PEM_write_bio_PrivateKey)\n#define _PEM_write_bio_RSAPrivateKey BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, PEM_write_bio_RSAPrivateKey)\n#define _PEM_write_bio_RSAPublicKey BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, PEM_write_bio_RSAPublicKey)\n#define _PEM_write_bio_RSA_PUBKEY BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, PEM_write_bio_RSA_PUBKEY)\n#define _PEM_write_bio_SSL_SESSION BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, PEM_write_bio_SSL_SESSION)\n#define _PEM_write_bio_X509 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, PEM_write_bio_X509)\n#define _PEM_write_bio_X509_AUX BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, PEM_write_bio_X509_AUX)\n#define _PEM_write_bio_X509_CRL BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, PEM_write_bio_X509_CRL)\n#define _PEM_write_bio_X509_REQ BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, PEM_write_bio_X509_REQ)\n#define _PEM_write_bio_X509_REQ_NEW BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, PEM_write_bio_X509_REQ_NEW)\n#define _PKCS12_PBE_add BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, PKCS12_PBE_add)\n#define _PKCS12_create BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, PKCS12_create)\n#define _PKCS12_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, PKCS12_free)\n#define _PKCS12_get_key_and_certs BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, PKCS12_get_key_and_certs)\n#define _PKCS12_parse BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, PKCS12_parse)\n#define _PKCS12_verify_mac BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, PKCS12_verify_mac)\n#define _PKCS1_MGF1 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, PKCS1_MGF1)\n#define _PKCS5_PBKDF2_HMAC BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, PKCS5_PBKDF2_HMAC)\n#define _PKCS5_PBKDF2_HMAC_SHA1 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, PKCS5_PBKDF2_HMAC_SHA1)\n#define _PKCS5_pbe2_decrypt_init BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, PKCS5_pbe2_decrypt_init)\n#define _PKCS5_pbe2_encrypt_init BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, PKCS5_pbe2_encrypt_init)\n#define _PKCS7_bundle_CRLs BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, PKCS7_bundle_CRLs)\n#define _PKCS7_bundle_certificates BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, PKCS7_bundle_certificates)\n#define _PKCS7_bundle_raw_certificates BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, PKCS7_bundle_raw_certificates)\n#define _PKCS7_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, PKCS7_free)\n#define _PKCS7_get_CRLs BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, PKCS7_get_CRLs)\n#define _PKCS7_get_PEM_CRLs BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, PKCS7_get_PEM_CRLs)\n#define _PKCS7_get_PEM_certificates BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, PKCS7_get_PEM_certificates)\n#define _PKCS7_get_certificates BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, PKCS7_get_certificates)\n#define _PKCS7_get_raw_certificates BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, PKCS7_get_raw_certificates)\n#define _PKCS7_sign BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, PKCS7_sign)\n#define _PKCS7_type_is_data BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, PKCS7_type_is_data)\n#define _PKCS7_type_is_digest BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, PKCS7_type_is_digest)\n#define _PKCS7_type_is_encrypted BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, PKCS7_type_is_encrypted)\n#define _PKCS7_type_is_enveloped BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, PKCS7_type_is_enveloped)\n#define _PKCS7_type_is_signed BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, PKCS7_type_is_signed)\n#define _PKCS7_type_is_signedAndEnveloped BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, PKCS7_type_is_signedAndEnveloped)\n#define _PKCS8_PRIV_KEY_INFO_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, PKCS8_PRIV_KEY_INFO_free)\n#define _PKCS8_PRIV_KEY_INFO_new BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, PKCS8_PRIV_KEY_INFO_new)\n#define _PKCS8_decrypt BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, PKCS8_decrypt)\n#define _PKCS8_encrypt BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, PKCS8_encrypt)\n#define _PKCS8_marshal_encrypted_private_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, PKCS8_marshal_encrypted_private_key)\n#define _PKCS8_parse_encrypted_private_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, PKCS8_parse_encrypted_private_key)\n#define _POLICYINFO_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, POLICYINFO_free)\n#define _POLICYINFO_it BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, POLICYINFO_it)\n#define _POLICYINFO_new BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, POLICYINFO_new)\n#define _POLICYQUALINFO_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, POLICYQUALINFO_free)\n#define _POLICYQUALINFO_it BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, POLICYQUALINFO_it)\n#define _POLICYQUALINFO_new BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, POLICYQUALINFO_new)\n#define _POLICY_CONSTRAINTS_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, POLICY_CONSTRAINTS_free)\n#define _POLICY_CONSTRAINTS_it BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, POLICY_CONSTRAINTS_it)\n#define _POLICY_CONSTRAINTS_new BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, POLICY_CONSTRAINTS_new)\n#define _POLICY_MAPPINGS_it BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, POLICY_MAPPINGS_it)\n#define _POLICY_MAPPING_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, POLICY_MAPPING_free)\n#define _POLICY_MAPPING_new BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, POLICY_MAPPING_new)\n#define _RAND_OpenSSL BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, RAND_OpenSSL)\n#define _RAND_SSLeay BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, RAND_SSLeay)\n#define _RAND_add BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, RAND_add)\n#define _RAND_bytes BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, RAND_bytes)\n#define _RAND_cleanup BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, RAND_cleanup)\n#define _RAND_disable_fork_unsafe_buffering BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, RAND_disable_fork_unsafe_buffering)\n#define _RAND_egd BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, RAND_egd)\n#define _RAND_enable_fork_unsafe_buffering BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, RAND_enable_fork_unsafe_buffering)\n#define _RAND_file_name BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, RAND_file_name)\n#define _RAND_get_rand_method BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, RAND_get_rand_method)\n#define _RAND_get_system_entropy_for_custom_prng BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, RAND_get_system_entropy_for_custom_prng)\n#define _RAND_load_file BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, RAND_load_file)\n#define _RAND_poll BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, RAND_poll)\n#define _RAND_pseudo_bytes BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, RAND_pseudo_bytes)\n#define _RAND_seed BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, RAND_seed)\n#define _RAND_set_rand_method BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, RAND_set_rand_method)\n#define _RAND_status BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, RAND_status)\n#define _RC4 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, RC4)\n#define _RC4_set_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, RC4_set_key)\n#define _RSAPrivateKey_dup BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, RSAPrivateKey_dup)\n#define _RSAPublicKey_dup BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, RSAPublicKey_dup)\n#define _RSAZ_1024_mod_exp_avx2 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, RSAZ_1024_mod_exp_avx2)\n#define _RSA_PSS_PARAMS_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, RSA_PSS_PARAMS_free)\n#define _RSA_PSS_PARAMS_it BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, RSA_PSS_PARAMS_it)\n#define _RSA_PSS_PARAMS_new BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, RSA_PSS_PARAMS_new)\n#define _RSA_add_pkcs1_prefix BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, RSA_add_pkcs1_prefix)\n#define _RSA_bits BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, RSA_bits)\n#define _RSA_blinding_off BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, RSA_blinding_off)\n#define _RSA_blinding_on BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, RSA_blinding_on)\n#define _RSA_check_fips BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, RSA_check_fips)\n#define _RSA_check_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, RSA_check_key)\n#define _RSA_decrypt BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, RSA_decrypt)\n#define _RSA_default_method BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, RSA_default_method)\n#define _RSA_encrypt BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, RSA_encrypt)\n#define _RSA_flags BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, RSA_flags)\n#define _RSA_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, RSA_free)\n#define _RSA_generate_key_ex BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, RSA_generate_key_ex)\n#define _RSA_generate_key_fips BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, RSA_generate_key_fips)\n#define _RSA_get0_crt_params BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, RSA_get0_crt_params)\n#define _RSA_get0_d BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, RSA_get0_d)\n#define _RSA_get0_dmp1 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, RSA_get0_dmp1)\n#define _RSA_get0_dmq1 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, RSA_get0_dmq1)\n#define _RSA_get0_e BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, RSA_get0_e)\n#define _RSA_get0_factors BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, RSA_get0_factors)\n#define _RSA_get0_iqmp BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, RSA_get0_iqmp)\n#define _RSA_get0_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, RSA_get0_key)\n#define _RSA_get0_n BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, RSA_get0_n)\n#define _RSA_get0_p BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, RSA_get0_p)\n#define _RSA_get0_pss_params BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, RSA_get0_pss_params)\n#define _RSA_get0_q BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, RSA_get0_q)\n#define _RSA_get_ex_data BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, RSA_get_ex_data)\n#define _RSA_get_ex_new_index BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, RSA_get_ex_new_index)\n#define _RSA_is_opaque BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, RSA_is_opaque)\n#define _RSA_marshal_private_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, RSA_marshal_private_key)\n#define _RSA_marshal_public_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, RSA_marshal_public_key)\n#define _RSA_new BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, RSA_new)\n#define _RSA_new_method BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, RSA_new_method)\n#define _RSA_new_method_no_e BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, RSA_new_method_no_e)\n#define _RSA_new_private_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, RSA_new_private_key)\n#define _RSA_new_private_key_large_e BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, RSA_new_private_key_large_e)\n#define _RSA_new_private_key_no_crt BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, RSA_new_private_key_no_crt)\n#define _RSA_new_private_key_no_e BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, RSA_new_private_key_no_e)\n#define _RSA_new_public_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, RSA_new_public_key)\n#define _RSA_new_public_key_large_e BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, RSA_new_public_key_large_e)\n#define _RSA_padding_add_PKCS1_OAEP_mgf1 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, RSA_padding_add_PKCS1_OAEP_mgf1)\n#define _RSA_padding_add_PKCS1_PSS_mgf1 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, RSA_padding_add_PKCS1_PSS_mgf1)\n#define _RSA_padding_add_PKCS1_type_1 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, RSA_padding_add_PKCS1_type_1)\n#define _RSA_padding_add_none BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, RSA_padding_add_none)\n#define _RSA_padding_check_PKCS1_OAEP_mgf1 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, RSA_padding_check_PKCS1_OAEP_mgf1)\n#define _RSA_padding_check_PKCS1_type_1 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, RSA_padding_check_PKCS1_type_1)\n#define _RSA_parse_private_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, RSA_parse_private_key)\n#define _RSA_parse_public_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, RSA_parse_public_key)\n#define _RSA_print BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, RSA_print)\n#define _RSA_private_decrypt BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, RSA_private_decrypt)\n#define _RSA_private_encrypt BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, RSA_private_encrypt)\n#define _RSA_private_key_from_bytes BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, RSA_private_key_from_bytes)\n#define _RSA_private_key_to_bytes BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, RSA_private_key_to_bytes)\n#define _RSA_public_decrypt BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, RSA_public_decrypt)\n#define _RSA_public_encrypt BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, RSA_public_encrypt)\n#define _RSA_public_key_from_bytes BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, RSA_public_key_from_bytes)\n#define _RSA_public_key_to_bytes BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, RSA_public_key_to_bytes)\n#define _RSA_set0_crt_params BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, RSA_set0_crt_params)\n#define _RSA_set0_factors BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, RSA_set0_factors)\n#define _RSA_set0_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, RSA_set0_key)\n#define _RSA_set_ex_data BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, RSA_set_ex_data)\n#define _RSA_sign BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, RSA_sign)\n#define _RSA_sign_pss_mgf1 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, RSA_sign_pss_mgf1)\n#define _RSA_sign_raw BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, RSA_sign_raw)\n#define _RSA_size BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, RSA_size)\n#define _RSA_test_flags BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, RSA_test_flags)\n#define _RSA_up_ref BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, RSA_up_ref)\n#define _RSA_verify BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, RSA_verify)\n#define _RSA_verify_PKCS1_PSS_mgf1 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, RSA_verify_PKCS1_PSS_mgf1)\n#define _RSA_verify_pss_mgf1 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, RSA_verify_pss_mgf1)\n#define _RSA_verify_raw BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, RSA_verify_raw)\n#define _SHA1 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SHA1)\n#define _SHA1_Final BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SHA1_Final)\n#define _SHA1_Init BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SHA1_Init)\n#define _SHA1_Transform BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SHA1_Transform)\n#define _SHA1_Update BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SHA1_Update)\n#define _SHA224 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SHA224)\n#define _SHA224_Final BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SHA224_Final)\n#define _SHA224_Init BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SHA224_Init)\n#define _SHA224_Update BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SHA224_Update)\n#define _SHA256 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SHA256)\n#define _SHA256_Final BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SHA256_Final)\n#define _SHA256_Init BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SHA256_Init)\n#define _SHA256_Transform BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SHA256_Transform)\n#define _SHA256_TransformBlocks BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SHA256_TransformBlocks)\n#define _SHA256_Update BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SHA256_Update)\n#define _SHA384 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SHA384)\n#define _SHA384_Final BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SHA384_Final)\n#define _SHA384_Init BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SHA384_Init)\n#define _SHA384_Update BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SHA384_Update)\n#define _SHA512 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SHA512)\n#define _SHA512_256 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SHA512_256)\n#define _SHA512_256_Final BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SHA512_256_Final)\n#define _SHA512_256_Init BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SHA512_256_Init)\n#define _SHA512_256_Update BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SHA512_256_Update)\n#define _SHA512_Final BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SHA512_Final)\n#define _SHA512_Init BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SHA512_Init)\n#define _SHA512_Transform BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SHA512_Transform)\n#define _SHA512_Update BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SHA512_Update)\n#define _SIPHASH_24 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SIPHASH_24)\n#define _SLHDSA_SHA2_128S_generate_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SLHDSA_SHA2_128S_generate_key)\n#define _SLHDSA_SHA2_128S_prehash_sign BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SLHDSA_SHA2_128S_prehash_sign)\n#define _SLHDSA_SHA2_128S_prehash_verify BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SLHDSA_SHA2_128S_prehash_verify)\n#define _SLHDSA_SHA2_128S_prehash_warning_nonstandard_sign BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SLHDSA_SHA2_128S_prehash_warning_nonstandard_sign)\n#define _SLHDSA_SHA2_128S_prehash_warning_nonstandard_verify BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SLHDSA_SHA2_128S_prehash_warning_nonstandard_verify)\n#define _SLHDSA_SHA2_128S_public_from_private BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SLHDSA_SHA2_128S_public_from_private)\n#define _SLHDSA_SHA2_128S_sign BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SLHDSA_SHA2_128S_sign)\n#define _SLHDSA_SHA2_128S_verify BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SLHDSA_SHA2_128S_verify)\n#define _SPAKE2_CTX_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SPAKE2_CTX_free)\n#define _SPAKE2_CTX_new BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SPAKE2_CTX_new)\n#define _SPAKE2_generate_msg BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SPAKE2_generate_msg)\n#define _SPAKE2_process_msg BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SPAKE2_process_msg)\n#define _SSL_CIPHER_description BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CIPHER_description)\n#define _SSL_CIPHER_get_auth_nid BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CIPHER_get_auth_nid)\n#define _SSL_CIPHER_get_bits BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CIPHER_get_bits)\n#define _SSL_CIPHER_get_cipher_nid BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CIPHER_get_cipher_nid)\n#define _SSL_CIPHER_get_digest_nid BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CIPHER_get_digest_nid)\n#define _SSL_CIPHER_get_handshake_digest BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CIPHER_get_handshake_digest)\n#define _SSL_CIPHER_get_id BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CIPHER_get_id)\n#define _SSL_CIPHER_get_kx_name BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CIPHER_get_kx_name)\n#define _SSL_CIPHER_get_kx_nid BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CIPHER_get_kx_nid)\n#define _SSL_CIPHER_get_max_version BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CIPHER_get_max_version)\n#define _SSL_CIPHER_get_min_version BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CIPHER_get_min_version)\n#define _SSL_CIPHER_get_name BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CIPHER_get_name)\n#define _SSL_CIPHER_get_prf_nid BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CIPHER_get_prf_nid)\n#define _SSL_CIPHER_get_protocol_id BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CIPHER_get_protocol_id)\n#define _SSL_CIPHER_get_version BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CIPHER_get_version)\n#define _SSL_CIPHER_is_aead BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CIPHER_is_aead)\n#define _SSL_CIPHER_is_block_cipher BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CIPHER_is_block_cipher)\n#define _SSL_CIPHER_standard_name BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CIPHER_standard_name)\n#define _SSL_COMP_add_compression_method BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_COMP_add_compression_method)\n#define _SSL_COMP_free_compression_methods BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_COMP_free_compression_methods)\n#define _SSL_COMP_get0_name BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_COMP_get0_name)\n#define _SSL_COMP_get_compression_methods BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_COMP_get_compression_methods)\n#define _SSL_COMP_get_id BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_COMP_get_id)\n#define _SSL_COMP_get_name BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_COMP_get_name)\n#define _SSL_CREDENTIAL_clear_must_match_issuer BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CREDENTIAL_clear_must_match_issuer)\n#define _SSL_CREDENTIAL_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CREDENTIAL_free)\n#define _SSL_CREDENTIAL_get_ex_data BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CREDENTIAL_get_ex_data)\n#define _SSL_CREDENTIAL_get_ex_new_index BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CREDENTIAL_get_ex_new_index)\n#define _SSL_CREDENTIAL_must_match_issuer BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CREDENTIAL_must_match_issuer)\n#define _SSL_CREDENTIAL_new_delegated BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CREDENTIAL_new_delegated)\n#define _SSL_CREDENTIAL_new_x509 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CREDENTIAL_new_x509)\n#define _SSL_CREDENTIAL_set1_cert_chain BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CREDENTIAL_set1_cert_chain)\n#define _SSL_CREDENTIAL_set1_delegated_credential BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CREDENTIAL_set1_delegated_credential)\n#define _SSL_CREDENTIAL_set1_ocsp_response BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CREDENTIAL_set1_ocsp_response)\n#define _SSL_CREDENTIAL_set1_private_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CREDENTIAL_set1_private_key)\n#define _SSL_CREDENTIAL_set1_signed_cert_timestamp_list BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CREDENTIAL_set1_signed_cert_timestamp_list)\n#define _SSL_CREDENTIAL_set1_signing_algorithm_prefs BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CREDENTIAL_set1_signing_algorithm_prefs)\n#define _SSL_CREDENTIAL_set_ex_data BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CREDENTIAL_set_ex_data)\n#define _SSL_CREDENTIAL_set_must_match_issuer BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CREDENTIAL_set_must_match_issuer)\n#define _SSL_CREDENTIAL_set_private_key_method BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CREDENTIAL_set_private_key_method)\n#define _SSL_CREDENTIAL_up_ref BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CREDENTIAL_up_ref)\n#define _SSL_CTX_add0_chain_cert BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_add0_chain_cert)\n#define _SSL_CTX_add1_chain_cert BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_add1_chain_cert)\n#define _SSL_CTX_add1_credential BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_add1_credential)\n#define _SSL_CTX_add_cert_compression_alg BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_add_cert_compression_alg)\n#define _SSL_CTX_add_client_CA BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_add_client_CA)\n#define _SSL_CTX_add_extra_chain_cert BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_add_extra_chain_cert)\n#define _SSL_CTX_add_session BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_add_session)\n#define _SSL_CTX_check_private_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_check_private_key)\n#define _SSL_CTX_cipher_in_group BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_cipher_in_group)\n#define _SSL_CTX_clear_chain_certs BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_clear_chain_certs)\n#define _SSL_CTX_clear_extra_chain_certs BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_clear_extra_chain_certs)\n#define _SSL_CTX_clear_mode BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_clear_mode)\n#define _SSL_CTX_clear_options BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_clear_options)\n#define _SSL_CTX_enable_ocsp_stapling BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_enable_ocsp_stapling)\n#define _SSL_CTX_enable_signed_cert_timestamps BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_enable_signed_cert_timestamps)\n#define _SSL_CTX_enable_tls_channel_id BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_enable_tls_channel_id)\n#define _SSL_CTX_flush_sessions BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_flush_sessions)\n#define _SSL_CTX_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_free)\n#define _SSL_CTX_get0_certificate BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_get0_certificate)\n#define _SSL_CTX_get0_chain BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_get0_chain)\n#define _SSL_CTX_get0_chain_certs BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_get0_chain_certs)\n#define _SSL_CTX_get0_param BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_get0_param)\n#define _SSL_CTX_get0_privatekey BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_get0_privatekey)\n#define _SSL_CTX_get_cert_store BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_get_cert_store)\n#define _SSL_CTX_get_ciphers BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_get_ciphers)\n#define _SSL_CTX_get_client_CA_list BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_get_client_CA_list)\n#define _SSL_CTX_get_compliance_policy BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_get_compliance_policy)\n#define _SSL_CTX_get_default_passwd_cb BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_get_default_passwd_cb)\n#define _SSL_CTX_get_default_passwd_cb_userdata BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_get_default_passwd_cb_userdata)\n#define _SSL_CTX_get_ex_data BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_get_ex_data)\n#define _SSL_CTX_get_ex_new_index BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_get_ex_new_index)\n#define _SSL_CTX_get_extra_chain_certs BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_get_extra_chain_certs)\n#define _SSL_CTX_get_info_callback BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_get_info_callback)\n#define _SSL_CTX_get_keylog_callback BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_get_keylog_callback)\n#define _SSL_CTX_get_max_cert_list BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_get_max_cert_list)\n#define _SSL_CTX_get_max_proto_version BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_get_max_proto_version)\n#define _SSL_CTX_get_min_proto_version BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_get_min_proto_version)\n#define _SSL_CTX_get_mode BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_get_mode)\n#define _SSL_CTX_get_num_tickets BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_get_num_tickets)\n#define _SSL_CTX_get_options BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_get_options)\n#define _SSL_CTX_get_quiet_shutdown BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_get_quiet_shutdown)\n#define _SSL_CTX_get_read_ahead BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_get_read_ahead)\n#define _SSL_CTX_get_session_cache_mode BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_get_session_cache_mode)\n#define _SSL_CTX_get_timeout BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_get_timeout)\n#define _SSL_CTX_get_tlsext_ticket_keys BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_get_tlsext_ticket_keys)\n#define _SSL_CTX_get_verify_callback BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_get_verify_callback)\n#define _SSL_CTX_get_verify_depth BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_get_verify_depth)\n#define _SSL_CTX_get_verify_mode BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_get_verify_mode)\n#define _SSL_CTX_load_verify_locations BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_load_verify_locations)\n#define _SSL_CTX_need_tmp_RSA BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_need_tmp_RSA)\n#define _SSL_CTX_new BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_new)\n#define _SSL_CTX_remove_session BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_remove_session)\n#define _SSL_CTX_sess_accept BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_sess_accept)\n#define _SSL_CTX_sess_accept_good BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_sess_accept_good)\n#define _SSL_CTX_sess_accept_renegotiate BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_sess_accept_renegotiate)\n#define _SSL_CTX_sess_cache_full BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_sess_cache_full)\n#define _SSL_CTX_sess_cb_hits BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_sess_cb_hits)\n#define _SSL_CTX_sess_connect BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_sess_connect)\n#define _SSL_CTX_sess_connect_good BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_sess_connect_good)\n#define _SSL_CTX_sess_connect_renegotiate BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_sess_connect_renegotiate)\n#define _SSL_CTX_sess_get_cache_size BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_sess_get_cache_size)\n#define _SSL_CTX_sess_get_get_cb BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_sess_get_get_cb)\n#define _SSL_CTX_sess_get_new_cb BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_sess_get_new_cb)\n#define _SSL_CTX_sess_get_remove_cb BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_sess_get_remove_cb)\n#define _SSL_CTX_sess_hits BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_sess_hits)\n#define _SSL_CTX_sess_misses BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_sess_misses)\n#define _SSL_CTX_sess_number BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_sess_number)\n#define _SSL_CTX_sess_set_cache_size BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_sess_set_cache_size)\n#define _SSL_CTX_sess_set_get_cb BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_sess_set_get_cb)\n#define _SSL_CTX_sess_set_new_cb BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_sess_set_new_cb)\n#define _SSL_CTX_sess_set_remove_cb BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_sess_set_remove_cb)\n#define _SSL_CTX_sess_timeouts BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_sess_timeouts)\n#define _SSL_CTX_set0_buffer_pool BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_set0_buffer_pool)\n#define _SSL_CTX_set0_chain BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_set0_chain)\n#define _SSL_CTX_set0_client_CAs BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_set0_client_CAs)\n#define _SSL_CTX_set0_verify_cert_store BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_set0_verify_cert_store)\n#define _SSL_CTX_set1_chain BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_set1_chain)\n#define _SSL_CTX_set1_curves BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_set1_curves)\n#define _SSL_CTX_set1_curves_list BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_set1_curves_list)\n#define _SSL_CTX_set1_ech_keys BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_set1_ech_keys)\n#define _SSL_CTX_set1_group_ids BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_set1_group_ids)\n#define _SSL_CTX_set1_groups BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_set1_groups)\n#define _SSL_CTX_set1_groups_list BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_set1_groups_list)\n#define _SSL_CTX_set1_param BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_set1_param)\n#define _SSL_CTX_set1_sigalgs BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_set1_sigalgs)\n#define _SSL_CTX_set1_sigalgs_list BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_set1_sigalgs_list)\n#define _SSL_CTX_set1_tls_channel_id BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_set1_tls_channel_id)\n#define _SSL_CTX_set1_verify_cert_store BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_set1_verify_cert_store)\n#define _SSL_CTX_set_allow_unknown_alpn_protos BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_set_allow_unknown_alpn_protos)\n#define _SSL_CTX_set_alpn_protos BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_set_alpn_protos)\n#define _SSL_CTX_set_alpn_select_cb BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_set_alpn_select_cb)\n#define _SSL_CTX_set_cert_cb BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_set_cert_cb)\n#define _SSL_CTX_set_cert_store BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_set_cert_store)\n#define _SSL_CTX_set_cert_verify_callback BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_set_cert_verify_callback)\n#define _SSL_CTX_set_chain_and_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_set_chain_and_key)\n#define _SSL_CTX_set_cipher_list BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_set_cipher_list)\n#define _SSL_CTX_set_client_CA_list BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_set_client_CA_list)\n#define _SSL_CTX_set_client_cert_cb BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_set_client_cert_cb)\n#define _SSL_CTX_set_compliance_policy BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_set_compliance_policy)\n#define _SSL_CTX_set_current_time_cb BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_set_current_time_cb)\n#define _SSL_CTX_set_custom_verify BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_set_custom_verify)\n#define _SSL_CTX_set_default_passwd_cb BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_set_default_passwd_cb)\n#define _SSL_CTX_set_default_passwd_cb_userdata BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_set_default_passwd_cb_userdata)\n#define _SSL_CTX_set_default_verify_paths BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_set_default_verify_paths)\n#define _SSL_CTX_set_dos_protection_cb BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_set_dos_protection_cb)\n#define _SSL_CTX_set_early_data_enabled BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_set_early_data_enabled)\n#define _SSL_CTX_set_ex_data BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_set_ex_data)\n#define _SSL_CTX_set_false_start_allowed_without_alpn BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_set_false_start_allowed_without_alpn)\n#define _SSL_CTX_set_grease_enabled BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_set_grease_enabled)\n#define _SSL_CTX_set_info_callback BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_set_info_callback)\n#define _SSL_CTX_set_keylog_callback BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_set_keylog_callback)\n#define _SSL_CTX_set_max_cert_list BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_set_max_cert_list)\n#define _SSL_CTX_set_max_proto_version BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_set_max_proto_version)\n#define _SSL_CTX_set_max_send_fragment BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_set_max_send_fragment)\n#define _SSL_CTX_set_min_proto_version BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_set_min_proto_version)\n#define _SSL_CTX_set_mode BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_set_mode)\n#define _SSL_CTX_set_msg_callback BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_set_msg_callback)\n#define _SSL_CTX_set_msg_callback_arg BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_set_msg_callback_arg)\n#define _SSL_CTX_set_next_proto_select_cb BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_set_next_proto_select_cb)\n#define _SSL_CTX_set_next_protos_advertised_cb BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_set_next_protos_advertised_cb)\n#define _SSL_CTX_set_num_tickets BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_set_num_tickets)\n#define _SSL_CTX_set_ocsp_response BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_set_ocsp_response)\n#define _SSL_CTX_set_options BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_set_options)\n#define _SSL_CTX_set_permute_extensions BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_set_permute_extensions)\n#define _SSL_CTX_set_private_key_method BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_set_private_key_method)\n#define _SSL_CTX_set_psk_client_callback BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_set_psk_client_callback)\n#define _SSL_CTX_set_psk_server_callback BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_set_psk_server_callback)\n#define _SSL_CTX_set_purpose BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_set_purpose)\n#define _SSL_CTX_set_quic_method BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_set_quic_method)\n#define _SSL_CTX_set_quiet_shutdown BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_set_quiet_shutdown)\n#define _SSL_CTX_set_read_ahead BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_set_read_ahead)\n#define _SSL_CTX_set_record_protocol_version BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_set_record_protocol_version)\n#define _SSL_CTX_set_retain_only_sha256_of_client_certs BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_set_retain_only_sha256_of_client_certs)\n#define _SSL_CTX_set_reverify_on_resume BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_set_reverify_on_resume)\n#define _SSL_CTX_set_select_certificate_cb BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_set_select_certificate_cb)\n#define _SSL_CTX_set_session_cache_mode BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_set_session_cache_mode)\n#define _SSL_CTX_set_session_id_context BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_set_session_id_context)\n#define _SSL_CTX_set_session_psk_dhe_timeout BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_set_session_psk_dhe_timeout)\n#define _SSL_CTX_set_signed_cert_timestamp_list BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_set_signed_cert_timestamp_list)\n#define _SSL_CTX_set_signing_algorithm_prefs BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_set_signing_algorithm_prefs)\n#define _SSL_CTX_set_srtp_profiles BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_set_srtp_profiles)\n#define _SSL_CTX_set_strict_cipher_list BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_set_strict_cipher_list)\n#define _SSL_CTX_set_ticket_aead_method BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_set_ticket_aead_method)\n#define _SSL_CTX_set_timeout BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_set_timeout)\n#define _SSL_CTX_set_tls_channel_id_enabled BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_set_tls_channel_id_enabled)\n#define _SSL_CTX_set_tlsext_servername_arg BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_set_tlsext_servername_arg)\n#define _SSL_CTX_set_tlsext_servername_callback BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_set_tlsext_servername_callback)\n#define _SSL_CTX_set_tlsext_status_arg BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_set_tlsext_status_arg)\n#define _SSL_CTX_set_tlsext_status_cb BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_set_tlsext_status_cb)\n#define _SSL_CTX_set_tlsext_ticket_key_cb BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_set_tlsext_ticket_key_cb)\n#define _SSL_CTX_set_tlsext_ticket_keys BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_set_tlsext_ticket_keys)\n#define _SSL_CTX_set_tlsext_use_srtp BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_set_tlsext_use_srtp)\n#define _SSL_CTX_set_tmp_dh BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_set_tmp_dh)\n#define _SSL_CTX_set_tmp_dh_callback BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_set_tmp_dh_callback)\n#define _SSL_CTX_set_tmp_ecdh BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_set_tmp_ecdh)\n#define _SSL_CTX_set_tmp_rsa BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_set_tmp_rsa)\n#define _SSL_CTX_set_tmp_rsa_callback BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_set_tmp_rsa_callback)\n#define _SSL_CTX_set_trust BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_set_trust)\n#define _SSL_CTX_set_verify BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_set_verify)\n#define _SSL_CTX_set_verify_algorithm_prefs BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_set_verify_algorithm_prefs)\n#define _SSL_CTX_set_verify_depth BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_set_verify_depth)\n#define _SSL_CTX_up_ref BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_up_ref)\n#define _SSL_CTX_use_PrivateKey BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_use_PrivateKey)\n#define _SSL_CTX_use_PrivateKey_ASN1 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_use_PrivateKey_ASN1)\n#define _SSL_CTX_use_PrivateKey_file BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_use_PrivateKey_file)\n#define _SSL_CTX_use_RSAPrivateKey BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_use_RSAPrivateKey)\n#define _SSL_CTX_use_RSAPrivateKey_ASN1 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_use_RSAPrivateKey_ASN1)\n#define _SSL_CTX_use_RSAPrivateKey_file BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_use_RSAPrivateKey_file)\n#define _SSL_CTX_use_certificate BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_use_certificate)\n#define _SSL_CTX_use_certificate_ASN1 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_use_certificate_ASN1)\n#define _SSL_CTX_use_certificate_chain_file BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_use_certificate_chain_file)\n#define _SSL_CTX_use_certificate_file BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_use_certificate_file)\n#define _SSL_CTX_use_psk_identity_hint BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_use_psk_identity_hint)\n#define _SSL_ECH_KEYS_add BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_ECH_KEYS_add)\n#define _SSL_ECH_KEYS_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_ECH_KEYS_free)\n#define _SSL_ECH_KEYS_has_duplicate_config_id BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_ECH_KEYS_has_duplicate_config_id)\n#define _SSL_ECH_KEYS_marshal_retry_configs BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_ECH_KEYS_marshal_retry_configs)\n#define _SSL_ECH_KEYS_new BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_ECH_KEYS_new)\n#define _SSL_ECH_KEYS_up_ref BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_ECH_KEYS_up_ref)\n#define _SSL_SESSION_copy_without_early_data BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_SESSION_copy_without_early_data)\n#define _SSL_SESSION_early_data_capable BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_SESSION_early_data_capable)\n#define _SSL_SESSION_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_SESSION_free)\n#define _SSL_SESSION_from_bytes BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_SESSION_from_bytes)\n#define _SSL_SESSION_get0_cipher BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_SESSION_get0_cipher)\n#define _SSL_SESSION_get0_id_context BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_SESSION_get0_id_context)\n#define _SSL_SESSION_get0_ocsp_response BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_SESSION_get0_ocsp_response)\n#define _SSL_SESSION_get0_peer BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_SESSION_get0_peer)\n#define _SSL_SESSION_get0_peer_certificates BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_SESSION_get0_peer_certificates)\n#define _SSL_SESSION_get0_peer_sha256 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_SESSION_get0_peer_sha256)\n#define _SSL_SESSION_get0_signed_cert_timestamp_list BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_SESSION_get0_signed_cert_timestamp_list)\n#define _SSL_SESSION_get0_ticket BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_SESSION_get0_ticket)\n#define _SSL_SESSION_get_ex_data BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_SESSION_get_ex_data)\n#define _SSL_SESSION_get_ex_new_index BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_SESSION_get_ex_new_index)\n#define _SSL_SESSION_get_id BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_SESSION_get_id)\n#define _SSL_SESSION_get_master_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_SESSION_get_master_key)\n#define _SSL_SESSION_get_protocol_version BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_SESSION_get_protocol_version)\n#define _SSL_SESSION_get_ticket_lifetime_hint BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_SESSION_get_ticket_lifetime_hint)\n#define _SSL_SESSION_get_time BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_SESSION_get_time)\n#define _SSL_SESSION_get_timeout BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_SESSION_get_timeout)\n#define _SSL_SESSION_get_version BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_SESSION_get_version)\n#define _SSL_SESSION_has_peer_sha256 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_SESSION_has_peer_sha256)\n#define _SSL_SESSION_has_ticket BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_SESSION_has_ticket)\n#define _SSL_SESSION_is_resumable BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_SESSION_is_resumable)\n#define _SSL_SESSION_new BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_SESSION_new)\n#define _SSL_SESSION_set1_id BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_SESSION_set1_id)\n#define _SSL_SESSION_set1_id_context BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_SESSION_set1_id_context)\n#define _SSL_SESSION_set_ex_data BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_SESSION_set_ex_data)\n#define _SSL_SESSION_set_protocol_version BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_SESSION_set_protocol_version)\n#define _SSL_SESSION_set_ticket BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_SESSION_set_ticket)\n#define _SSL_SESSION_set_time BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_SESSION_set_time)\n#define _SSL_SESSION_set_timeout BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_SESSION_set_timeout)\n#define _SSL_SESSION_should_be_single_use BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_SESSION_should_be_single_use)\n#define _SSL_SESSION_to_bytes BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_SESSION_to_bytes)\n#define _SSL_SESSION_to_bytes_for_ticket BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_SESSION_to_bytes_for_ticket)\n#define _SSL_SESSION_up_ref BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_SESSION_up_ref)\n#define _SSL_accept BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_accept)\n#define _SSL_add0_chain_cert BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_add0_chain_cert)\n#define _SSL_add1_chain_cert BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_add1_chain_cert)\n#define _SSL_add1_credential BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_add1_credential)\n#define _SSL_add_application_settings BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_add_application_settings)\n#define _SSL_add_bio_cert_subjects_to_stack BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_add_bio_cert_subjects_to_stack)\n#define _SSL_add_client_CA BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_add_client_CA)\n#define _SSL_add_file_cert_subjects_to_stack BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_add_file_cert_subjects_to_stack)\n#define _SSL_alert_desc_string BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_alert_desc_string)\n#define _SSL_alert_desc_string_long BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_alert_desc_string_long)\n#define _SSL_alert_from_verify_result BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_alert_from_verify_result)\n#define _SSL_alert_type_string BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_alert_type_string)\n#define _SSL_alert_type_string_long BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_alert_type_string_long)\n#define _SSL_cache_hit BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_cache_hit)\n#define _SSL_can_release_private_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_can_release_private_key)\n#define _SSL_certs_clear BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_certs_clear)\n#define _SSL_check_private_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_check_private_key)\n#define _SSL_clear BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_clear)\n#define _SSL_clear_chain_certs BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_clear_chain_certs)\n#define _SSL_clear_mode BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_clear_mode)\n#define _SSL_clear_options BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_clear_options)\n#define _SSL_connect BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_connect)\n#define _SSL_cutthrough_complete BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_cutthrough_complete)\n#define _SSL_do_handshake BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_do_handshake)\n#define _SSL_dup_CA_list BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_dup_CA_list)\n#define _SSL_early_callback_ctx_extension_get BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_early_callback_ctx_extension_get)\n#define _SSL_early_data_accepted BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_early_data_accepted)\n#define _SSL_early_data_reason_string BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_early_data_reason_string)\n#define _SSL_ech_accepted BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_ech_accepted)\n#define _SSL_enable_ocsp_stapling BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_enable_ocsp_stapling)\n#define _SSL_enable_signed_cert_timestamps BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_enable_signed_cert_timestamps)\n#define _SSL_enable_tls_channel_id BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_enable_tls_channel_id)\n#define _SSL_error_description BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_error_description)\n#define _SSL_export_keying_material BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_export_keying_material)\n#define _SSL_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_free)\n#define _SSL_generate_key_block BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_generate_key_block)\n#define _SSL_get0_alpn_selected BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_get0_alpn_selected)\n#define _SSL_get0_certificate_types BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_get0_certificate_types)\n#define _SSL_get0_chain BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_get0_chain)\n#define _SSL_get0_chain_certs BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_get0_chain_certs)\n#define _SSL_get0_ech_name_override BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_get0_ech_name_override)\n#define _SSL_get0_ech_retry_configs BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_get0_ech_retry_configs)\n#define _SSL_get0_next_proto_negotiated BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_get0_next_proto_negotiated)\n#define _SSL_get0_ocsp_response BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_get0_ocsp_response)\n#define _SSL_get0_param BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_get0_param)\n#define _SSL_get0_peer_application_settings BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_get0_peer_application_settings)\n#define _SSL_get0_peer_certificates BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_get0_peer_certificates)\n#define _SSL_get0_peer_delegation_algorithms BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_get0_peer_delegation_algorithms)\n#define _SSL_get0_peer_verify_algorithms BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_get0_peer_verify_algorithms)\n#define _SSL_get0_selected_credential BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_get0_selected_credential)\n#define _SSL_get0_server_requested_CAs BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_get0_server_requested_CAs)\n#define _SSL_get0_session_id_context BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_get0_session_id_context)\n#define _SSL_get0_signed_cert_timestamp_list BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_get0_signed_cert_timestamp_list)\n#define _SSL_get1_session BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_get1_session)\n#define _SSL_get_SSL_CTX BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_get_SSL_CTX)\n#define _SSL_get_all_cipher_names BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_get_all_cipher_names)\n#define _SSL_get_all_curve_names BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_get_all_curve_names)\n#define _SSL_get_all_group_names BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_get_all_group_names)\n#define _SSL_get_all_signature_algorithm_names BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_get_all_signature_algorithm_names)\n#define _SSL_get_all_standard_cipher_names BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_get_all_standard_cipher_names)\n#define _SSL_get_all_version_names BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_get_all_version_names)\n#define _SSL_get_certificate BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_get_certificate)\n#define _SSL_get_cipher_by_value BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_get_cipher_by_value)\n#define _SSL_get_cipher_list BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_get_cipher_list)\n#define _SSL_get_ciphers BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_get_ciphers)\n#define _SSL_get_client_CA_list BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_get_client_CA_list)\n#define _SSL_get_client_random BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_get_client_random)\n#define _SSL_get_compliance_policy BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_get_compliance_policy)\n#define _SSL_get_current_cipher BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_get_current_cipher)\n#define _SSL_get_current_compression BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_get_current_compression)\n#define _SSL_get_current_expansion BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_get_current_expansion)\n#define _SSL_get_curve_id BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_get_curve_id)\n#define _SSL_get_curve_name BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_get_curve_name)\n#define _SSL_get_default_timeout BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_get_default_timeout)\n#define _SSL_get_early_data_reason BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_get_early_data_reason)\n#define _SSL_get_error BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_get_error)\n#define _SSL_get_ex_data BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_get_ex_data)\n#define _SSL_get_ex_data_X509_STORE_CTX_idx BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_get_ex_data_X509_STORE_CTX_idx)\n#define _SSL_get_ex_new_index BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_get_ex_new_index)\n#define _SSL_get_extms_support BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_get_extms_support)\n#define _SSL_get_fd BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_get_fd)\n#define _SSL_get_finished BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_get_finished)\n#define _SSL_get_group_id BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_get_group_id)\n#define _SSL_get_group_name BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_get_group_name)\n#define _SSL_get_info_callback BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_get_info_callback)\n#define _SSL_get_ivs BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_get_ivs)\n#define _SSL_get_key_block_len BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_get_key_block_len)\n#define _SSL_get_max_cert_list BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_get_max_cert_list)\n#define _SSL_get_max_proto_version BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_get_max_proto_version)\n#define _SSL_get_min_proto_version BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_get_min_proto_version)\n#define _SSL_get_mode BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_get_mode)\n#define _SSL_get_negotiated_group BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_get_negotiated_group)\n#define _SSL_get_options BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_get_options)\n#define _SSL_get_peer_cert_chain BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_get_peer_cert_chain)\n#define _SSL_get_peer_certificate BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_get_peer_certificate)\n#define _SSL_get_peer_finished BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_get_peer_finished)\n#define _SSL_get_peer_full_cert_chain BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_get_peer_full_cert_chain)\n#define _SSL_get_peer_quic_transport_params BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_get_peer_quic_transport_params)\n#define _SSL_get_peer_signature_algorithm BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_get_peer_signature_algorithm)\n#define _SSL_get_pending_cipher BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_get_pending_cipher)\n#define _SSL_get_privatekey BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_get_privatekey)\n#define _SSL_get_psk_identity BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_get_psk_identity)\n#define _SSL_get_psk_identity_hint BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_get_psk_identity_hint)\n#define _SSL_get_quiet_shutdown BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_get_quiet_shutdown)\n#define _SSL_get_rbio BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_get_rbio)\n#define _SSL_get_read_ahead BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_get_read_ahead)\n#define _SSL_get_read_sequence BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_get_read_sequence)\n#define _SSL_get_rfd BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_get_rfd)\n#define _SSL_get_secure_renegotiation_support BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_get_secure_renegotiation_support)\n#define _SSL_get_selected_srtp_profile BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_get_selected_srtp_profile)\n#define _SSL_get_server_random BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_get_server_random)\n#define _SSL_get_server_tmp_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_get_server_tmp_key)\n#define _SSL_get_servername BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_get_servername)\n#define _SSL_get_servername_type BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_get_servername_type)\n#define _SSL_get_session BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_get_session)\n#define _SSL_get_shared_ciphers BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_get_shared_ciphers)\n#define _SSL_get_shared_sigalgs BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_get_shared_sigalgs)\n#define _SSL_get_shutdown BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_get_shutdown)\n#define _SSL_get_signature_algorithm_digest BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_get_signature_algorithm_digest)\n#define _SSL_get_signature_algorithm_key_type BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_get_signature_algorithm_key_type)\n#define _SSL_get_signature_algorithm_name BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_get_signature_algorithm_name)\n#define _SSL_get_srtp_profiles BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_get_srtp_profiles)\n#define _SSL_get_ticket_age_skew BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_get_ticket_age_skew)\n#define _SSL_get_tls_channel_id BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_get_tls_channel_id)\n#define _SSL_get_tls_unique BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_get_tls_unique)\n#define _SSL_get_tlsext_status_ocsp_resp BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_get_tlsext_status_ocsp_resp)\n#define _SSL_get_tlsext_status_type BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_get_tlsext_status_type)\n#define _SSL_get_verify_callback BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_get_verify_callback)\n#define _SSL_get_verify_depth BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_get_verify_depth)\n#define _SSL_get_verify_mode BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_get_verify_mode)\n#define _SSL_get_verify_result BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_get_verify_result)\n#define _SSL_get_version BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_get_version)\n#define _SSL_get_wbio BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_get_wbio)\n#define _SSL_get_wfd BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_get_wfd)\n#define _SSL_get_write_sequence BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_get_write_sequence)\n#define _SSL_has_application_settings BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_has_application_settings)\n#define _SSL_has_pending BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_has_pending)\n#define _SSL_in_early_data BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_in_early_data)\n#define _SSL_in_false_start BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_in_false_start)\n#define _SSL_in_init BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_in_init)\n#define _SSL_is_dtls BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_is_dtls)\n#define _SSL_is_init_finished BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_is_init_finished)\n#define _SSL_is_quic BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_is_quic)\n#define _SSL_is_server BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_is_server)\n#define _SSL_is_signature_algorithm_rsa_pss BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_is_signature_algorithm_rsa_pss)\n#define _SSL_key_update BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_key_update)\n#define _SSL_library_init BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_library_init)\n#define _SSL_load_client_CA_file BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_load_client_CA_file)\n#define _SSL_load_error_strings BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_load_error_strings)\n#define _SSL_magic_pending_session_ptr BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_magic_pending_session_ptr)\n#define _SSL_marshal_ech_config BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_marshal_ech_config)\n#define _SSL_max_seal_overhead BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_max_seal_overhead)\n#define _SSL_need_tmp_RSA BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_need_tmp_RSA)\n#define _SSL_new BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_new)\n#define _SSL_num_renegotiations BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_num_renegotiations)\n#define _SSL_peek BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_peek)\n#define _SSL_pending BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_pending)\n#define _SSL_process_quic_post_handshake BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_process_quic_post_handshake)\n#define _SSL_process_tls13_new_session_ticket BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_process_tls13_new_session_ticket)\n#define _SSL_provide_quic_data BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_provide_quic_data)\n#define _SSL_quic_max_handshake_flight_len BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_quic_max_handshake_flight_len)\n#define _SSL_quic_read_level BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_quic_read_level)\n#define _SSL_quic_write_level BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_quic_write_level)\n#define _SSL_read BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_read)\n#define _SSL_renegotiate BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_renegotiate)\n#define _SSL_renegotiate_pending BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_renegotiate_pending)\n#define _SSL_request_handshake_hints BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_request_handshake_hints)\n#define _SSL_reset_early_data_reject BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_reset_early_data_reject)\n#define _SSL_select_next_proto BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_select_next_proto)\n#define _SSL_send_fatal_alert BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_send_fatal_alert)\n#define _SSL_serialize_capabilities BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_serialize_capabilities)\n#define _SSL_serialize_handshake_hints BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_serialize_handshake_hints)\n#define _SSL_session_reused BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_session_reused)\n#define _SSL_set0_CA_names BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_set0_CA_names)\n#define _SSL_set0_chain BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_set0_chain)\n#define _SSL_set0_client_CAs BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_set0_client_CAs)\n#define _SSL_set0_rbio BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_set0_rbio)\n#define _SSL_set0_verify_cert_store BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_set0_verify_cert_store)\n#define _SSL_set0_wbio BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_set0_wbio)\n#define _SSL_set1_chain BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_set1_chain)\n#define _SSL_set1_curves BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_set1_curves)\n#define _SSL_set1_curves_list BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_set1_curves_list)\n#define _SSL_set1_ech_config_list BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_set1_ech_config_list)\n#define _SSL_set1_group_ids BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_set1_group_ids)\n#define _SSL_set1_groups BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_set1_groups)\n#define _SSL_set1_groups_list BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_set1_groups_list)\n#define _SSL_set1_host BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_set1_host)\n#define _SSL_set1_param BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_set1_param)\n#define _SSL_set1_sigalgs BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_set1_sigalgs)\n#define _SSL_set1_sigalgs_list BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_set1_sigalgs_list)\n#define _SSL_set1_tls_channel_id BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_set1_tls_channel_id)\n#define _SSL_set1_verify_cert_store BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_set1_verify_cert_store)\n#define _SSL_set_SSL_CTX BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_set_SSL_CTX)\n#define _SSL_set_accept_state BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_set_accept_state)\n#define _SSL_set_alpn_protos BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_set_alpn_protos)\n#define _SSL_set_alps_use_new_codepoint BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_set_alps_use_new_codepoint)\n#define _SSL_set_bio BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_set_bio)\n#define _SSL_set_cert_cb BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_set_cert_cb)\n#define _SSL_set_chain_and_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_set_chain_and_key)\n#define _SSL_set_check_client_certificate_type BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_set_check_client_certificate_type)\n#define _SSL_set_check_ecdsa_curve BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_set_check_ecdsa_curve)\n#define _SSL_set_cipher_list BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_set_cipher_list)\n#define _SSL_set_client_CA_list BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_set_client_CA_list)\n#define _SSL_set_compliance_policy BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_set_compliance_policy)\n#define _SSL_set_connect_state BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_set_connect_state)\n#define _SSL_set_custom_verify BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_set_custom_verify)\n#define _SSL_set_early_data_enabled BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_set_early_data_enabled)\n#define _SSL_set_enable_ech_grease BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_set_enable_ech_grease)\n#define _SSL_set_enforce_rsa_key_usage BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_set_enforce_rsa_key_usage)\n#define _SSL_set_ex_data BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_set_ex_data)\n#define _SSL_set_fd BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_set_fd)\n#define _SSL_set_handshake_hints BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_set_handshake_hints)\n#define _SSL_set_hostflags BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_set_hostflags)\n#define _SSL_set_info_callback BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_set_info_callback)\n#define _SSL_set_jdk11_workaround BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_set_jdk11_workaround)\n#define _SSL_set_max_cert_list BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_set_max_cert_list)\n#define _SSL_set_max_proto_version BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_set_max_proto_version)\n#define _SSL_set_max_send_fragment BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_set_max_send_fragment)\n#define _SSL_set_min_proto_version BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_set_min_proto_version)\n#define _SSL_set_mode BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_set_mode)\n#define _SSL_set_msg_callback BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_set_msg_callback)\n#define _SSL_set_msg_callback_arg BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_set_msg_callback_arg)\n#define _SSL_set_mtu BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_set_mtu)\n#define _SSL_set_ocsp_response BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_set_ocsp_response)\n#define _SSL_set_options BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_set_options)\n#define _SSL_set_permute_extensions BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_set_permute_extensions)\n#define _SSL_set_private_key_method BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_set_private_key_method)\n#define _SSL_set_psk_client_callback BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_set_psk_client_callback)\n#define _SSL_set_psk_server_callback BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_set_psk_server_callback)\n#define _SSL_set_purpose BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_set_purpose)\n#define _SSL_set_quic_early_data_context BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_set_quic_early_data_context)\n#define _SSL_set_quic_method BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_set_quic_method)\n#define _SSL_set_quic_transport_params BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_set_quic_transport_params)\n#define _SSL_set_quic_use_legacy_codepoint BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_set_quic_use_legacy_codepoint)\n#define _SSL_set_quiet_shutdown BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_set_quiet_shutdown)\n#define _SSL_set_read_ahead BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_set_read_ahead)\n#define _SSL_set_renegotiate_mode BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_set_renegotiate_mode)\n#define _SSL_set_retain_only_sha256_of_client_certs BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_set_retain_only_sha256_of_client_certs)\n#define _SSL_set_rfd BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_set_rfd)\n#define _SSL_set_session BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_set_session)\n#define _SSL_set_session_id_context BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_set_session_id_context)\n#define _SSL_set_shed_handshake_config BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_set_shed_handshake_config)\n#define _SSL_set_shutdown BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_set_shutdown)\n#define _SSL_set_signed_cert_timestamp_list BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_set_signed_cert_timestamp_list)\n#define _SSL_set_signing_algorithm_prefs BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_set_signing_algorithm_prefs)\n#define _SSL_set_srtp_profiles BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_set_srtp_profiles)\n#define _SSL_set_state BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_set_state)\n#define _SSL_set_strict_cipher_list BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_set_strict_cipher_list)\n#define _SSL_set_tls_channel_id_enabled BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_set_tls_channel_id_enabled)\n#define _SSL_set_tlsext_host_name BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_set_tlsext_host_name)\n#define _SSL_set_tlsext_status_ocsp_resp BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_set_tlsext_status_ocsp_resp)\n#define _SSL_set_tlsext_status_type BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_set_tlsext_status_type)\n#define _SSL_set_tlsext_use_srtp BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_set_tlsext_use_srtp)\n#define _SSL_set_tmp_dh BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_set_tmp_dh)\n#define _SSL_set_tmp_dh_callback BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_set_tmp_dh_callback)\n#define _SSL_set_tmp_ecdh BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_set_tmp_ecdh)\n#define _SSL_set_tmp_rsa BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_set_tmp_rsa)\n#define _SSL_set_tmp_rsa_callback BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_set_tmp_rsa_callback)\n#define _SSL_set_trust BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_set_trust)\n#define _SSL_set_verify BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_set_verify)\n#define _SSL_set_verify_algorithm_prefs BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_set_verify_algorithm_prefs)\n#define _SSL_set_verify_depth BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_set_verify_depth)\n#define _SSL_set_wfd BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_set_wfd)\n#define _SSL_shutdown BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_shutdown)\n#define _SSL_state BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_state)\n#define _SSL_state_string BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_state_string)\n#define _SSL_state_string_long BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_state_string_long)\n#define _SSL_total_renegotiations BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_total_renegotiations)\n#define _SSL_use_PrivateKey BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_use_PrivateKey)\n#define _SSL_use_PrivateKey_ASN1 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_use_PrivateKey_ASN1)\n#define _SSL_use_PrivateKey_file BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_use_PrivateKey_file)\n#define _SSL_use_RSAPrivateKey BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_use_RSAPrivateKey)\n#define _SSL_use_RSAPrivateKey_ASN1 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_use_RSAPrivateKey_ASN1)\n#define _SSL_use_RSAPrivateKey_file BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_use_RSAPrivateKey_file)\n#define _SSL_use_certificate BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_use_certificate)\n#define _SSL_use_certificate_ASN1 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_use_certificate_ASN1)\n#define _SSL_use_certificate_file BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_use_certificate_file)\n#define _SSL_use_psk_identity_hint BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_use_psk_identity_hint)\n#define _SSL_used_hello_retry_request BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_used_hello_retry_request)\n#define _SSL_version BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_version)\n#define _SSL_want BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_want)\n#define _SSL_was_key_usage_invalid BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_was_key_usage_invalid)\n#define _SSL_write BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_write)\n#define _SSLeay BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSLeay)\n#define _SSLeay_version BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSLeay_version)\n#define _SSLv23_client_method BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSLv23_client_method)\n#define _SSLv23_method BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSLv23_method)\n#define _SSLv23_server_method BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSLv23_server_method)\n#define _TLS_client_method BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, TLS_client_method)\n#define _TLS_method BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, TLS_method)\n#define _TLS_server_method BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, TLS_server_method)\n#define _TLS_with_buffers_method BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, TLS_with_buffers_method)\n#define _TLSv1_1_client_method BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, TLSv1_1_client_method)\n#define _TLSv1_1_method BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, TLSv1_1_method)\n#define _TLSv1_1_server_method BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, TLSv1_1_server_method)\n#define _TLSv1_2_client_method BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, TLSv1_2_client_method)\n#define _TLSv1_2_method BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, TLSv1_2_method)\n#define _TLSv1_2_server_method BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, TLSv1_2_server_method)\n#define _TLSv1_client_method BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, TLSv1_client_method)\n#define _TLSv1_method BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, TLSv1_method)\n#define _TLSv1_server_method BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, TLSv1_server_method)\n#define _TRUST_TOKEN_CLIENT_add_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, TRUST_TOKEN_CLIENT_add_key)\n#define _TRUST_TOKEN_CLIENT_begin_issuance BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, TRUST_TOKEN_CLIENT_begin_issuance)\n#define _TRUST_TOKEN_CLIENT_begin_issuance_over_message BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, TRUST_TOKEN_CLIENT_begin_issuance_over_message)\n#define _TRUST_TOKEN_CLIENT_begin_redemption BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, TRUST_TOKEN_CLIENT_begin_redemption)\n#define _TRUST_TOKEN_CLIENT_finish_issuance BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, TRUST_TOKEN_CLIENT_finish_issuance)\n#define _TRUST_TOKEN_CLIENT_finish_redemption BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, TRUST_TOKEN_CLIENT_finish_redemption)\n#define _TRUST_TOKEN_CLIENT_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, TRUST_TOKEN_CLIENT_free)\n#define _TRUST_TOKEN_CLIENT_new BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, TRUST_TOKEN_CLIENT_new)\n#define _TRUST_TOKEN_CLIENT_set_srr_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, TRUST_TOKEN_CLIENT_set_srr_key)\n#define _TRUST_TOKEN_ISSUER_add_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, TRUST_TOKEN_ISSUER_add_key)\n#define _TRUST_TOKEN_ISSUER_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, TRUST_TOKEN_ISSUER_free)\n#define _TRUST_TOKEN_ISSUER_issue BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, TRUST_TOKEN_ISSUER_issue)\n#define _TRUST_TOKEN_ISSUER_new BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, TRUST_TOKEN_ISSUER_new)\n#define _TRUST_TOKEN_ISSUER_redeem BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, TRUST_TOKEN_ISSUER_redeem)\n#define _TRUST_TOKEN_ISSUER_redeem_over_message BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, TRUST_TOKEN_ISSUER_redeem_over_message)\n#define _TRUST_TOKEN_ISSUER_set_metadata_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, TRUST_TOKEN_ISSUER_set_metadata_key)\n#define _TRUST_TOKEN_ISSUER_set_srr_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, TRUST_TOKEN_ISSUER_set_srr_key)\n#define _TRUST_TOKEN_PRETOKEN_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, TRUST_TOKEN_PRETOKEN_free)\n#define _TRUST_TOKEN_decode_private_metadata BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, TRUST_TOKEN_decode_private_metadata)\n#define _TRUST_TOKEN_derive_key_from_secret BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, TRUST_TOKEN_derive_key_from_secret)\n#define _TRUST_TOKEN_experiment_v1 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, TRUST_TOKEN_experiment_v1)\n#define _TRUST_TOKEN_experiment_v2_pmb BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, TRUST_TOKEN_experiment_v2_pmb)\n#define _TRUST_TOKEN_experiment_v2_voprf BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, TRUST_TOKEN_experiment_v2_voprf)\n#define _TRUST_TOKEN_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, TRUST_TOKEN_free)\n#define _TRUST_TOKEN_generate_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, TRUST_TOKEN_generate_key)\n#define _TRUST_TOKEN_new BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, TRUST_TOKEN_new)\n#define _TRUST_TOKEN_pst_v1_pmb BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, TRUST_TOKEN_pst_v1_pmb)\n#define _TRUST_TOKEN_pst_v1_voprf BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, TRUST_TOKEN_pst_v1_voprf)\n#define _USERNOTICE_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, USERNOTICE_free)\n#define _USERNOTICE_it BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, USERNOTICE_it)\n#define _USERNOTICE_new BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, USERNOTICE_new)\n#define _X25519 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X25519)\n#define _X25519_keypair BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X25519_keypair)\n#define _X25519_public_from_private BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X25519_public_from_private)\n#define _X509V3_EXT_CRL_add_nconf BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509V3_EXT_CRL_add_nconf)\n#define _X509V3_EXT_REQ_add_nconf BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509V3_EXT_REQ_add_nconf)\n#define _X509V3_EXT_add BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509V3_EXT_add)\n#define _X509V3_EXT_add_alias BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509V3_EXT_add_alias)\n#define _X509V3_EXT_add_nconf BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509V3_EXT_add_nconf)\n#define _X509V3_EXT_add_nconf_sk BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509V3_EXT_add_nconf_sk)\n#define _X509V3_EXT_d2i BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509V3_EXT_d2i)\n#define _X509V3_EXT_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509V3_EXT_free)\n#define _X509V3_EXT_get BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509V3_EXT_get)\n#define _X509V3_EXT_get_nid BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509V3_EXT_get_nid)\n#define _X509V3_EXT_i2d BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509V3_EXT_i2d)\n#define _X509V3_EXT_nconf BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509V3_EXT_nconf)\n#define _X509V3_EXT_nconf_nid BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509V3_EXT_nconf_nid)\n#define _X509V3_EXT_print BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509V3_EXT_print)\n#define _X509V3_EXT_print_fp BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509V3_EXT_print_fp)\n#define _X509V3_NAME_from_section BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509V3_NAME_from_section)\n#define _X509V3_add1_i2d BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509V3_add1_i2d)\n#define _X509V3_add_standard_extensions BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509V3_add_standard_extensions)\n#define _X509V3_add_value BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509V3_add_value)\n#define _X509V3_add_value_bool BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509V3_add_value_bool)\n#define _X509V3_add_value_int BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509V3_add_value_int)\n#define _X509V3_bool_from_string BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509V3_bool_from_string)\n#define _X509V3_conf_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509V3_conf_free)\n#define _X509V3_extensions_print BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509V3_extensions_print)\n#define _X509V3_get_d2i BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509V3_get_d2i)\n#define _X509V3_get_section BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509V3_get_section)\n#define _X509V3_get_value_bool BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509V3_get_value_bool)\n#define _X509V3_get_value_int BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509V3_get_value_int)\n#define _X509V3_parse_list BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509V3_parse_list)\n#define _X509V3_set_ctx BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509V3_set_ctx)\n#define _X509V3_set_nconf BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509V3_set_nconf)\n#define _X509_ALGOR_cmp BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_ALGOR_cmp)\n#define _X509_ALGOR_dup BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_ALGOR_dup)\n#define _X509_ALGOR_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_ALGOR_free)\n#define _X509_ALGOR_get0 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_ALGOR_get0)\n#define _X509_ALGOR_it BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_ALGOR_it)\n#define _X509_ALGOR_new BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_ALGOR_new)\n#define _X509_ALGOR_set0 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_ALGOR_set0)\n#define _X509_ALGOR_set_md BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_ALGOR_set_md)\n#define _X509_ATTRIBUTE_count BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_ATTRIBUTE_count)\n#define _X509_ATTRIBUTE_create BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_ATTRIBUTE_create)\n#define _X509_ATTRIBUTE_create_by_NID BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_ATTRIBUTE_create_by_NID)\n#define _X509_ATTRIBUTE_create_by_OBJ BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_ATTRIBUTE_create_by_OBJ)\n#define _X509_ATTRIBUTE_create_by_txt BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_ATTRIBUTE_create_by_txt)\n#define _X509_ATTRIBUTE_dup BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_ATTRIBUTE_dup)\n#define _X509_ATTRIBUTE_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_ATTRIBUTE_free)\n#define _X509_ATTRIBUTE_get0_data BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_ATTRIBUTE_get0_data)\n#define _X509_ATTRIBUTE_get0_object BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_ATTRIBUTE_get0_object)\n#define _X509_ATTRIBUTE_get0_type BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_ATTRIBUTE_get0_type)\n#define _X509_ATTRIBUTE_it BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_ATTRIBUTE_it)\n#define _X509_ATTRIBUTE_new BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_ATTRIBUTE_new)\n#define _X509_ATTRIBUTE_set1_data BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_ATTRIBUTE_set1_data)\n#define _X509_ATTRIBUTE_set1_object BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_ATTRIBUTE_set1_object)\n#define _X509_CERT_AUX_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_CERT_AUX_free)\n#define _X509_CERT_AUX_it BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_CERT_AUX_it)\n#define _X509_CERT_AUX_new BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_CERT_AUX_new)\n#define _X509_CERT_AUX_print BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_CERT_AUX_print)\n#define _X509_CINF_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_CINF_free)\n#define _X509_CINF_it BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_CINF_it)\n#define _X509_CINF_new BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_CINF_new)\n#define _X509_CRL_INFO_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_CRL_INFO_free)\n#define _X509_CRL_INFO_it BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_CRL_INFO_it)\n#define _X509_CRL_INFO_new BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_CRL_INFO_new)\n#define _X509_CRL_add0_revoked BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_CRL_add0_revoked)\n#define _X509_CRL_add1_ext_i2d BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_CRL_add1_ext_i2d)\n#define _X509_CRL_add_ext BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_CRL_add_ext)\n#define _X509_CRL_cmp BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_CRL_cmp)\n#define _X509_CRL_delete_ext BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_CRL_delete_ext)\n#define _X509_CRL_digest BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_CRL_digest)\n#define _X509_CRL_dup BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_CRL_dup)\n#define _X509_CRL_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_CRL_free)\n#define _X509_CRL_get0_by_cert BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_CRL_get0_by_cert)\n#define _X509_CRL_get0_by_serial BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_CRL_get0_by_serial)\n#define _X509_CRL_get0_extensions BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_CRL_get0_extensions)\n#define _X509_CRL_get0_lastUpdate BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_CRL_get0_lastUpdate)\n#define _X509_CRL_get0_nextUpdate BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_CRL_get0_nextUpdate)\n#define _X509_CRL_get0_signature BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_CRL_get0_signature)\n#define _X509_CRL_get_REVOKED BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_CRL_get_REVOKED)\n#define _X509_CRL_get_ext BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_CRL_get_ext)\n#define _X509_CRL_get_ext_by_NID BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_CRL_get_ext_by_NID)\n#define _X509_CRL_get_ext_by_OBJ BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_CRL_get_ext_by_OBJ)\n#define _X509_CRL_get_ext_by_critical BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_CRL_get_ext_by_critical)\n#define _X509_CRL_get_ext_count BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_CRL_get_ext_count)\n#define _X509_CRL_get_ext_d2i BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_CRL_get_ext_d2i)\n#define _X509_CRL_get_issuer BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_CRL_get_issuer)\n#define _X509_CRL_get_lastUpdate BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_CRL_get_lastUpdate)\n#define _X509_CRL_get_nextUpdate BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_CRL_get_nextUpdate)\n#define _X509_CRL_get_signature_nid BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_CRL_get_signature_nid)\n#define _X509_CRL_get_version BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_CRL_get_version)\n#define _X509_CRL_it BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_CRL_it)\n#define _X509_CRL_match BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_CRL_match)\n#define _X509_CRL_new BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_CRL_new)\n#define _X509_CRL_print BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_CRL_print)\n#define _X509_CRL_print_fp BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_CRL_print_fp)\n#define _X509_CRL_set1_lastUpdate BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_CRL_set1_lastUpdate)\n#define _X509_CRL_set1_nextUpdate BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_CRL_set1_nextUpdate)\n#define _X509_CRL_set1_signature_algo BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_CRL_set1_signature_algo)\n#define _X509_CRL_set1_signature_value BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_CRL_set1_signature_value)\n#define _X509_CRL_set_issuer_name BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_CRL_set_issuer_name)\n#define _X509_CRL_set_version BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_CRL_set_version)\n#define _X509_CRL_sign BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_CRL_sign)\n#define _X509_CRL_sign_ctx BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_CRL_sign_ctx)\n#define _X509_CRL_sort BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_CRL_sort)\n#define _X509_CRL_up_ref BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_CRL_up_ref)\n#define _X509_CRL_verify BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_CRL_verify)\n#define _X509_EXTENSIONS_it BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_EXTENSIONS_it)\n#define _X509_EXTENSION_create_by_NID BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_EXTENSION_create_by_NID)\n#define _X509_EXTENSION_create_by_OBJ BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_EXTENSION_create_by_OBJ)\n#define _X509_EXTENSION_dup BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_EXTENSION_dup)\n#define _X509_EXTENSION_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_EXTENSION_free)\n#define _X509_EXTENSION_get_critical BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_EXTENSION_get_critical)\n#define _X509_EXTENSION_get_data BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_EXTENSION_get_data)\n#define _X509_EXTENSION_get_object BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_EXTENSION_get_object)\n#define _X509_EXTENSION_it BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_EXTENSION_it)\n#define _X509_EXTENSION_new BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_EXTENSION_new)\n#define _X509_EXTENSION_set_critical BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_EXTENSION_set_critical)\n#define _X509_EXTENSION_set_data BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_EXTENSION_set_data)\n#define _X509_EXTENSION_set_object BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_EXTENSION_set_object)\n#define _X509_INFO_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_INFO_free)\n#define _X509_LOOKUP_add_dir BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_LOOKUP_add_dir)\n#define _X509_LOOKUP_ctrl BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_LOOKUP_ctrl)\n#define _X509_LOOKUP_file BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_LOOKUP_file)\n#define _X509_LOOKUP_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_LOOKUP_free)\n#define _X509_LOOKUP_hash_dir BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_LOOKUP_hash_dir)\n#define _X509_LOOKUP_load_file BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_LOOKUP_load_file)\n#define _X509_NAME_ENTRY_create_by_NID BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_NAME_ENTRY_create_by_NID)\n#define _X509_NAME_ENTRY_create_by_OBJ BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_NAME_ENTRY_create_by_OBJ)\n#define _X509_NAME_ENTRY_create_by_txt BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_NAME_ENTRY_create_by_txt)\n#define _X509_NAME_ENTRY_dup BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_NAME_ENTRY_dup)\n#define _X509_NAME_ENTRY_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_NAME_ENTRY_free)\n#define _X509_NAME_ENTRY_get_data BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_NAME_ENTRY_get_data)\n#define _X509_NAME_ENTRY_get_object BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_NAME_ENTRY_get_object)\n#define _X509_NAME_ENTRY_it BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_NAME_ENTRY_it)\n#define _X509_NAME_ENTRY_new BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_NAME_ENTRY_new)\n#define _X509_NAME_ENTRY_set BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_NAME_ENTRY_set)\n#define _X509_NAME_ENTRY_set_data BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_NAME_ENTRY_set_data)\n#define _X509_NAME_ENTRY_set_object BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_NAME_ENTRY_set_object)\n#define _X509_NAME_add_entry BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_NAME_add_entry)\n#define _X509_NAME_add_entry_by_NID BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_NAME_add_entry_by_NID)\n#define _X509_NAME_add_entry_by_OBJ BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_NAME_add_entry_by_OBJ)\n#define _X509_NAME_add_entry_by_txt BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_NAME_add_entry_by_txt)\n#define _X509_NAME_cmp BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_NAME_cmp)\n#define _X509_NAME_delete_entry BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_NAME_delete_entry)\n#define _X509_NAME_digest BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_NAME_digest)\n#define _X509_NAME_dup BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_NAME_dup)\n#define _X509_NAME_entry_count BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_NAME_entry_count)\n#define _X509_NAME_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_NAME_free)\n#define _X509_NAME_get0_der BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_NAME_get0_der)\n#define _X509_NAME_get_entry BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_NAME_get_entry)\n#define _X509_NAME_get_index_by_NID BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_NAME_get_index_by_NID)\n#define _X509_NAME_get_index_by_OBJ BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_NAME_get_index_by_OBJ)\n#define _X509_NAME_get_text_by_NID BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_NAME_get_text_by_NID)\n#define _X509_NAME_get_text_by_OBJ BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_NAME_get_text_by_OBJ)\n#define _X509_NAME_hash BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_NAME_hash)\n#define _X509_NAME_hash_old BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_NAME_hash_old)\n#define _X509_NAME_it BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_NAME_it)\n#define _X509_NAME_new BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_NAME_new)\n#define _X509_NAME_oneline BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_NAME_oneline)\n#define _X509_NAME_print BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_NAME_print)\n#define _X509_NAME_print_ex BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_NAME_print_ex)\n#define _X509_NAME_print_ex_fp BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_NAME_print_ex_fp)\n#define _X509_NAME_set BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_NAME_set)\n#define _X509_OBJECT_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_OBJECT_free)\n#define _X509_OBJECT_free_contents BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_OBJECT_free_contents)\n#define _X509_OBJECT_get0_X509 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_OBJECT_get0_X509)\n#define _X509_OBJECT_get_type BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_OBJECT_get_type)\n#define _X509_OBJECT_new BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_OBJECT_new)\n#define _X509_PUBKEY_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_PUBKEY_free)\n#define _X509_PUBKEY_get BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_PUBKEY_get)\n#define _X509_PUBKEY_get0 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_PUBKEY_get0)\n#define _X509_PUBKEY_get0_param BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_PUBKEY_get0_param)\n#define _X509_PUBKEY_get0_public_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_PUBKEY_get0_public_key)\n#define _X509_PUBKEY_it BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_PUBKEY_it)\n#define _X509_PUBKEY_new BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_PUBKEY_new)\n#define _X509_PUBKEY_set BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_PUBKEY_set)\n#define _X509_PUBKEY_set0_param BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_PUBKEY_set0_param)\n#define _X509_PURPOSE_get0 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_PURPOSE_get0)\n#define _X509_PURPOSE_get_by_sname BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_PURPOSE_get_by_sname)\n#define _X509_PURPOSE_get_id BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_PURPOSE_get_id)\n#define _X509_PURPOSE_get_trust BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_PURPOSE_get_trust)\n#define _X509_REQ_INFO_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_REQ_INFO_free)\n#define _X509_REQ_INFO_it BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_REQ_INFO_it)\n#define _X509_REQ_INFO_new BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_REQ_INFO_new)\n#define _X509_REQ_add1_attr BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_REQ_add1_attr)\n#define _X509_REQ_add1_attr_by_NID BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_REQ_add1_attr_by_NID)\n#define _X509_REQ_add1_attr_by_OBJ BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_REQ_add1_attr_by_OBJ)\n#define _X509_REQ_add1_attr_by_txt BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_REQ_add1_attr_by_txt)\n#define _X509_REQ_add_extensions BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_REQ_add_extensions)\n#define _X509_REQ_add_extensions_nid BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_REQ_add_extensions_nid)\n#define _X509_REQ_check_private_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_REQ_check_private_key)\n#define _X509_REQ_delete_attr BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_REQ_delete_attr)\n#define _X509_REQ_digest BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_REQ_digest)\n#define _X509_REQ_dup BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_REQ_dup)\n#define _X509_REQ_extension_nid BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_REQ_extension_nid)\n#define _X509_REQ_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_REQ_free)\n#define _X509_REQ_get0_pubkey BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_REQ_get0_pubkey)\n#define _X509_REQ_get0_signature BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_REQ_get0_signature)\n#define _X509_REQ_get1_email BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_REQ_get1_email)\n#define _X509_REQ_get_attr BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_REQ_get_attr)\n#define _X509_REQ_get_attr_by_NID BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_REQ_get_attr_by_NID)\n#define _X509_REQ_get_attr_by_OBJ BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_REQ_get_attr_by_OBJ)\n#define _X509_REQ_get_attr_count BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_REQ_get_attr_count)\n#define _X509_REQ_get_extensions BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_REQ_get_extensions)\n#define _X509_REQ_get_pubkey BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_REQ_get_pubkey)\n#define _X509_REQ_get_signature_nid BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_REQ_get_signature_nid)\n#define _X509_REQ_get_subject_name BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_REQ_get_subject_name)\n#define _X509_REQ_get_version BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_REQ_get_version)\n#define _X509_REQ_it BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_REQ_it)\n#define _X509_REQ_new BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_REQ_new)\n#define _X509_REQ_print BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_REQ_print)\n#define _X509_REQ_print_ex BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_REQ_print_ex)\n#define _X509_REQ_print_fp BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_REQ_print_fp)\n#define _X509_REQ_set1_signature_algo BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_REQ_set1_signature_algo)\n#define _X509_REQ_set1_signature_value BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_REQ_set1_signature_value)\n#define _X509_REQ_set_pubkey BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_REQ_set_pubkey)\n#define _X509_REQ_set_subject_name BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_REQ_set_subject_name)\n#define _X509_REQ_set_version BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_REQ_set_version)\n#define _X509_REQ_sign BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_REQ_sign)\n#define _X509_REQ_sign_ctx BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_REQ_sign_ctx)\n#define _X509_REQ_verify BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_REQ_verify)\n#define _X509_REVOKED_add1_ext_i2d BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_REVOKED_add1_ext_i2d)\n#define _X509_REVOKED_add_ext BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_REVOKED_add_ext)\n#define _X509_REVOKED_delete_ext BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_REVOKED_delete_ext)\n#define _X509_REVOKED_dup BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_REVOKED_dup)\n#define _X509_REVOKED_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_REVOKED_free)\n#define _X509_REVOKED_get0_extensions BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_REVOKED_get0_extensions)\n#define _X509_REVOKED_get0_revocationDate BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_REVOKED_get0_revocationDate)\n#define _X509_REVOKED_get0_serialNumber BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_REVOKED_get0_serialNumber)\n#define _X509_REVOKED_get_ext BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_REVOKED_get_ext)\n#define _X509_REVOKED_get_ext_by_NID BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_REVOKED_get_ext_by_NID)\n#define _X509_REVOKED_get_ext_by_OBJ BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_REVOKED_get_ext_by_OBJ)\n#define _X509_REVOKED_get_ext_by_critical BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_REVOKED_get_ext_by_critical)\n#define _X509_REVOKED_get_ext_count BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_REVOKED_get_ext_count)\n#define _X509_REVOKED_get_ext_d2i BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_REVOKED_get_ext_d2i)\n#define _X509_REVOKED_it BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_REVOKED_it)\n#define _X509_REVOKED_new BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_REVOKED_new)\n#define _X509_REVOKED_set_revocationDate BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_REVOKED_set_revocationDate)\n#define _X509_REVOKED_set_serialNumber BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_REVOKED_set_serialNumber)\n#define _X509_SIG_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_SIG_free)\n#define _X509_SIG_get0 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_SIG_get0)\n#define _X509_SIG_getm BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_SIG_getm)\n#define _X509_SIG_new BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_SIG_new)\n#define _X509_STORE_CTX_cleanup BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_CTX_cleanup)\n#define _X509_STORE_CTX_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_CTX_free)\n#define _X509_STORE_CTX_get0_cert BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_CTX_get0_cert)\n#define _X509_STORE_CTX_get0_chain BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_CTX_get0_chain)\n#define _X509_STORE_CTX_get0_current_crl BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_CTX_get0_current_crl)\n#define _X509_STORE_CTX_get0_param BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_CTX_get0_param)\n#define _X509_STORE_CTX_get0_parent_ctx BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_CTX_get0_parent_ctx)\n#define _X509_STORE_CTX_get0_store BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_CTX_get0_store)\n#define _X509_STORE_CTX_get0_untrusted BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_CTX_get0_untrusted)\n#define _X509_STORE_CTX_get1_certs BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_CTX_get1_certs)\n#define _X509_STORE_CTX_get1_chain BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_CTX_get1_chain)\n#define _X509_STORE_CTX_get1_crls BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_CTX_get1_crls)\n#define _X509_STORE_CTX_get1_issuer BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_CTX_get1_issuer)\n#define _X509_STORE_CTX_get_by_subject BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_CTX_get_by_subject)\n#define _X509_STORE_CTX_get_chain BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_CTX_get_chain)\n#define _X509_STORE_CTX_get_current_cert BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_CTX_get_current_cert)\n#define _X509_STORE_CTX_get_error BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_CTX_get_error)\n#define _X509_STORE_CTX_get_error_depth BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_CTX_get_error_depth)\n#define _X509_STORE_CTX_get_ex_data BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_CTX_get_ex_data)\n#define _X509_STORE_CTX_get_ex_new_index BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_CTX_get_ex_new_index)\n#define _X509_STORE_CTX_init BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_CTX_init)\n#define _X509_STORE_CTX_new BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_CTX_new)\n#define _X509_STORE_CTX_set0_crls BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_CTX_set0_crls)\n#define _X509_STORE_CTX_set0_param BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_CTX_set0_param)\n#define _X509_STORE_CTX_set0_trusted_stack BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_CTX_set0_trusted_stack)\n#define _X509_STORE_CTX_set_chain BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_CTX_set_chain)\n#define _X509_STORE_CTX_set_default BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_CTX_set_default)\n#define _X509_STORE_CTX_set_depth BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_CTX_set_depth)\n#define _X509_STORE_CTX_set_error BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_CTX_set_error)\n#define _X509_STORE_CTX_set_ex_data BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_CTX_set_ex_data)\n#define _X509_STORE_CTX_set_flags BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_CTX_set_flags)\n#define _X509_STORE_CTX_set_purpose BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_CTX_set_purpose)\n#define _X509_STORE_CTX_set_time BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_CTX_set_time)\n#define _X509_STORE_CTX_set_time_posix BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_CTX_set_time_posix)\n#define _X509_STORE_CTX_set_trust BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_CTX_set_trust)\n#define _X509_STORE_CTX_set_verify_cb BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_CTX_set_verify_cb)\n#define _X509_STORE_CTX_trusted_stack BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_CTX_trusted_stack)\n#define _X509_STORE_add_cert BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_add_cert)\n#define _X509_STORE_add_crl BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_add_crl)\n#define _X509_STORE_add_lookup BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_add_lookup)\n#define _X509_STORE_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_free)\n#define _X509_STORE_get0_objects BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_get0_objects)\n#define _X509_STORE_get0_param BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_get0_param)\n#define _X509_STORE_get1_objects BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_get1_objects)\n#define _X509_STORE_load_locations BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_load_locations)\n#define _X509_STORE_new BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_new)\n#define _X509_STORE_set1_param BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_set1_param)\n#define _X509_STORE_set_default_paths BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_set_default_paths)\n#define _X509_STORE_set_depth BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_set_depth)\n#define _X509_STORE_set_flags BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_set_flags)\n#define _X509_STORE_set_purpose BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_set_purpose)\n#define _X509_STORE_set_trust BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_set_trust)\n#define _X509_STORE_set_verify_cb BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_set_verify_cb)\n#define _X509_STORE_up_ref BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_up_ref)\n#define _X509_VAL_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_VAL_free)\n#define _X509_VAL_it BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_VAL_it)\n#define _X509_VAL_new BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_VAL_new)\n#define _X509_VERIFY_PARAM_add0_policy BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_VERIFY_PARAM_add0_policy)\n#define _X509_VERIFY_PARAM_add1_host BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_VERIFY_PARAM_add1_host)\n#define _X509_VERIFY_PARAM_clear_flags BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_VERIFY_PARAM_clear_flags)\n#define _X509_VERIFY_PARAM_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_VERIFY_PARAM_free)\n#define _X509_VERIFY_PARAM_get_depth BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_VERIFY_PARAM_get_depth)\n#define _X509_VERIFY_PARAM_get_flags BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_VERIFY_PARAM_get_flags)\n#define _X509_VERIFY_PARAM_inherit BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_VERIFY_PARAM_inherit)\n#define _X509_VERIFY_PARAM_lookup BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_VERIFY_PARAM_lookup)\n#define _X509_VERIFY_PARAM_new BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_VERIFY_PARAM_new)\n#define _X509_VERIFY_PARAM_set1 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_VERIFY_PARAM_set1)\n#define _X509_VERIFY_PARAM_set1_email BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_VERIFY_PARAM_set1_email)\n#define _X509_VERIFY_PARAM_set1_host BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_VERIFY_PARAM_set1_host)\n#define _X509_VERIFY_PARAM_set1_ip BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_VERIFY_PARAM_set1_ip)\n#define _X509_VERIFY_PARAM_set1_ip_asc BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_VERIFY_PARAM_set1_ip_asc)\n#define _X509_VERIFY_PARAM_set1_policies BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_VERIFY_PARAM_set1_policies)\n#define _X509_VERIFY_PARAM_set_depth BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_VERIFY_PARAM_set_depth)\n#define _X509_VERIFY_PARAM_set_flags BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_VERIFY_PARAM_set_flags)\n#define _X509_VERIFY_PARAM_set_hostflags BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_VERIFY_PARAM_set_hostflags)\n#define _X509_VERIFY_PARAM_set_purpose BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_VERIFY_PARAM_set_purpose)\n#define _X509_VERIFY_PARAM_set_time BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_VERIFY_PARAM_set_time)\n#define _X509_VERIFY_PARAM_set_time_posix BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_VERIFY_PARAM_set_time_posix)\n#define _X509_VERIFY_PARAM_set_trust BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_VERIFY_PARAM_set_trust)\n#define _X509_add1_ext_i2d BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_add1_ext_i2d)\n#define _X509_add1_reject_object BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_add1_reject_object)\n#define _X509_add1_trust_object BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_add1_trust_object)\n#define _X509_add_ext BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_add_ext)\n#define _X509_alias_get0 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_alias_get0)\n#define _X509_alias_set1 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_alias_set1)\n#define _X509_chain_up_ref BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_chain_up_ref)\n#define _X509_check_akid BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_check_akid)\n#define _X509_check_ca BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_check_ca)\n#define _X509_check_email BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_check_email)\n#define _X509_check_host BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_check_host)\n#define _X509_check_ip BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_check_ip)\n#define _X509_check_ip_asc BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_check_ip_asc)\n#define _X509_check_issued BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_check_issued)\n#define _X509_check_private_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_check_private_key)\n#define _X509_check_purpose BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_check_purpose)\n#define _X509_check_trust BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_check_trust)\n#define _X509_cmp BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_cmp)\n#define _X509_cmp_current_time BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_cmp_current_time)\n#define _X509_cmp_time BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_cmp_time)\n#define _X509_cmp_time_posix BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_cmp_time_posix)\n#define _X509_delete_ext BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_delete_ext)\n#define _X509_digest BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_digest)\n#define _X509_dup BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_dup)\n#define _X509_email_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_email_free)\n#define _X509_find_by_issuer_and_serial BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_find_by_issuer_and_serial)\n#define _X509_find_by_subject BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_find_by_subject)\n#define _X509_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_free)\n#define _X509_get0_authority_issuer BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_get0_authority_issuer)\n#define _X509_get0_authority_key_id BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_get0_authority_key_id)\n#define _X509_get0_authority_serial BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_get0_authority_serial)\n#define _X509_get0_extensions BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_get0_extensions)\n#define _X509_get0_notAfter BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_get0_notAfter)\n#define _X509_get0_notBefore BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_get0_notBefore)\n#define _X509_get0_pubkey BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_get0_pubkey)\n#define _X509_get0_pubkey_bitstr BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_get0_pubkey_bitstr)\n#define _X509_get0_serialNumber BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_get0_serialNumber)\n#define _X509_get0_signature BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_get0_signature)\n#define _X509_get0_subject_key_id BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_get0_subject_key_id)\n#define _X509_get0_tbs_sigalg BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_get0_tbs_sigalg)\n#define _X509_get0_uids BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_get0_uids)\n#define _X509_get1_email BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_get1_email)\n#define _X509_get1_ocsp BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_get1_ocsp)\n#define _X509_get_X509_PUBKEY BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_get_X509_PUBKEY)\n#define _X509_get_default_cert_area BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_get_default_cert_area)\n#define _X509_get_default_cert_dir BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_get_default_cert_dir)\n#define _X509_get_default_cert_dir_env BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_get_default_cert_dir_env)\n#define _X509_get_default_cert_file BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_get_default_cert_file)\n#define _X509_get_default_cert_file_env BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_get_default_cert_file_env)\n#define _X509_get_default_private_dir BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_get_default_private_dir)\n#define _X509_get_ex_data BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_get_ex_data)\n#define _X509_get_ex_new_index BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_get_ex_new_index)\n#define _X509_get_ext BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_get_ext)\n#define _X509_get_ext_by_NID BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_get_ext_by_NID)\n#define _X509_get_ext_by_OBJ BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_get_ext_by_OBJ)\n#define _X509_get_ext_by_critical BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_get_ext_by_critical)\n#define _X509_get_ext_count BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_get_ext_count)\n#define _X509_get_ext_d2i BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_get_ext_d2i)\n#define _X509_get_extended_key_usage BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_get_extended_key_usage)\n#define _X509_get_extension_flags BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_get_extension_flags)\n#define _X509_get_issuer_name BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_get_issuer_name)\n#define _X509_get_key_usage BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_get_key_usage)\n#define _X509_get_notAfter BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_get_notAfter)\n#define _X509_get_notBefore BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_get_notBefore)\n#define _X509_get_pathlen BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_get_pathlen)\n#define _X509_get_pubkey BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_get_pubkey)\n#define _X509_get_serialNumber BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_get_serialNumber)\n#define _X509_get_signature_nid BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_get_signature_nid)\n#define _X509_get_subject_name BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_get_subject_name)\n#define _X509_get_version BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_get_version)\n#define _X509_getm_notAfter BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_getm_notAfter)\n#define _X509_getm_notBefore BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_getm_notBefore)\n#define _X509_gmtime_adj BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_gmtime_adj)\n#define _X509_is_valid_trust_id BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_is_valid_trust_id)\n#define _X509_issuer_name_cmp BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_issuer_name_cmp)\n#define _X509_issuer_name_hash BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_issuer_name_hash)\n#define _X509_issuer_name_hash_old BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_issuer_name_hash_old)\n#define _X509_it BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_it)\n#define _X509_keyid_get0 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_keyid_get0)\n#define _X509_keyid_set1 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_keyid_set1)\n#define _X509_load_cert_crl_file BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_load_cert_crl_file)\n#define _X509_load_cert_file BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_load_cert_file)\n#define _X509_load_crl_file BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_load_crl_file)\n#define _X509_new BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_new)\n#define _X509_parse_from_buffer BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_parse_from_buffer)\n#define _X509_policy_check BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_policy_check)\n#define _X509_print BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_print)\n#define _X509_print_ex BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_print_ex)\n#define _X509_print_ex_fp BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_print_ex_fp)\n#define _X509_print_fp BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_print_fp)\n#define _X509_pubkey_digest BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_pubkey_digest)\n#define _X509_reject_clear BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_reject_clear)\n#define _X509_set1_notAfter BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_set1_notAfter)\n#define _X509_set1_notBefore BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_set1_notBefore)\n#define _X509_set1_signature_algo BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_set1_signature_algo)\n#define _X509_set1_signature_value BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_set1_signature_value)\n#define _X509_set_ex_data BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_set_ex_data)\n#define _X509_set_issuer_name BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_set_issuer_name)\n#define _X509_set_notAfter BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_set_notAfter)\n#define _X509_set_notBefore BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_set_notBefore)\n#define _X509_set_pubkey BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_set_pubkey)\n#define _X509_set_serialNumber BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_set_serialNumber)\n#define _X509_set_subject_name BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_set_subject_name)\n#define _X509_set_version BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_set_version)\n#define _X509_sign BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_sign)\n#define _X509_sign_ctx BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_sign_ctx)\n#define _X509_signature_dump BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_signature_dump)\n#define _X509_signature_print BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_signature_print)\n#define _X509_subject_name_cmp BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_subject_name_cmp)\n#define _X509_subject_name_hash BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_subject_name_hash)\n#define _X509_subject_name_hash_old BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_subject_name_hash_old)\n#define _X509_supported_extension BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_supported_extension)\n#define _X509_time_adj BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_time_adj)\n#define _X509_time_adj_ex BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_time_adj_ex)\n#define _X509_trust_clear BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_trust_clear)\n#define _X509_up_ref BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_up_ref)\n#define _X509_verify BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_verify)\n#define _X509_verify_cert BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_verify_cert)\n#define _X509_verify_cert_error_string BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_verify_cert_error_string)\n#define _X509v3_add_ext BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509v3_add_ext)\n#define _X509v3_delete_ext BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509v3_delete_ext)\n#define _X509v3_get_ext BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509v3_get_ext)\n#define _X509v3_get_ext_by_NID BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509v3_get_ext_by_NID)\n#define _X509v3_get_ext_by_OBJ BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509v3_get_ext_by_OBJ)\n#define _X509v3_get_ext_by_critical BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509v3_get_ext_by_critical)\n#define _X509v3_get_ext_count BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509v3_get_ext_count)\n#define ___clang_call_terminate BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, __clang_call_terminate)\n#define _a2i_IPADDRESS BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, a2i_IPADDRESS)\n#define _a2i_IPADDRESS_NC BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, a2i_IPADDRESS_NC)\n#define _aes128gcmsiv_aes_ks BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, aes128gcmsiv_aes_ks)\n#define _aes128gcmsiv_aes_ks_enc_x1 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, aes128gcmsiv_aes_ks_enc_x1)\n#define _aes128gcmsiv_dec BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, aes128gcmsiv_dec)\n#define _aes128gcmsiv_ecb_enc_block BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, aes128gcmsiv_ecb_enc_block)\n#define _aes128gcmsiv_enc_msg_x4 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, aes128gcmsiv_enc_msg_x4)\n#define _aes128gcmsiv_enc_msg_x8 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, aes128gcmsiv_enc_msg_x8)\n#define _aes128gcmsiv_kdf BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, aes128gcmsiv_kdf)\n#define _aes256gcmsiv_aes_ks BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, aes256gcmsiv_aes_ks)\n#define _aes256gcmsiv_aes_ks_enc_x1 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, aes256gcmsiv_aes_ks_enc_x1)\n#define _aes256gcmsiv_dec BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, aes256gcmsiv_dec)\n#define _aes256gcmsiv_ecb_enc_block BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, aes256gcmsiv_ecb_enc_block)\n#define _aes256gcmsiv_enc_msg_x4 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, aes256gcmsiv_enc_msg_x4)\n#define _aes256gcmsiv_enc_msg_x8 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, aes256gcmsiv_enc_msg_x8)\n#define _aes256gcmsiv_kdf BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, aes256gcmsiv_kdf)\n#define _aes_ctr_set_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, aes_ctr_set_key)\n#define _aes_gcm_dec_kernel BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, aes_gcm_dec_kernel)\n#define _aes_gcm_dec_update_vaes_avx10_512 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, aes_gcm_dec_update_vaes_avx10_512)\n#define _aes_gcm_dec_update_vaes_avx2 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, aes_gcm_dec_update_vaes_avx2)\n#define _aes_gcm_enc_kernel BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, aes_gcm_enc_kernel)\n#define _aes_gcm_enc_update_vaes_avx10_512 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, aes_gcm_enc_update_vaes_avx10_512)\n#define _aes_gcm_enc_update_vaes_avx2 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, aes_gcm_enc_update_vaes_avx2)\n#define _aes_hw_cbc_encrypt BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, aes_hw_cbc_encrypt)\n#define _aes_hw_ctr32_encrypt_blocks BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, aes_hw_ctr32_encrypt_blocks)\n#define _aes_hw_decrypt BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, aes_hw_decrypt)\n#define _aes_hw_ecb_encrypt BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, aes_hw_ecb_encrypt)\n#define _aes_hw_encrypt BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, aes_hw_encrypt)\n#define _aes_hw_encrypt_key_to_decrypt_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, aes_hw_encrypt_key_to_decrypt_key)\n#define _aes_hw_set_decrypt_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, aes_hw_set_decrypt_key)\n#define _aes_hw_set_encrypt_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, aes_hw_set_encrypt_key)\n#define _aes_hw_set_encrypt_key_alt BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, aes_hw_set_encrypt_key_alt)\n#define _aes_hw_set_encrypt_key_alt_preferred BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, aes_hw_set_encrypt_key_alt_preferred)\n#define _aes_hw_set_encrypt_key_base BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, aes_hw_set_encrypt_key_base)\n#define _aes_nohw_cbc_encrypt BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, aes_nohw_cbc_encrypt)\n#define _aes_nohw_ctr32_encrypt_blocks BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, aes_nohw_ctr32_encrypt_blocks)\n#define _aes_nohw_decrypt BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, aes_nohw_decrypt)\n#define _aes_nohw_encrypt BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, aes_nohw_encrypt)\n#define _aes_nohw_set_decrypt_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, aes_nohw_set_decrypt_key)\n#define _aes_nohw_set_encrypt_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, aes_nohw_set_encrypt_key)\n#define _aesgcmsiv_htable6_init BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, aesgcmsiv_htable6_init)\n#define _aesgcmsiv_htable_init BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, aesgcmsiv_htable_init)\n#define _aesgcmsiv_htable_polyval BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, aesgcmsiv_htable_polyval)\n#define _aesgcmsiv_polyval_horner BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, aesgcmsiv_polyval_horner)\n#define _aesni_gcm_decrypt BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, aesni_gcm_decrypt)\n#define _aesni_gcm_encrypt BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, aesni_gcm_encrypt)\n#define _asn1_bit_string_length BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, asn1_bit_string_length)\n#define _asn1_do_adb BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, asn1_do_adb)\n#define _asn1_enc_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, asn1_enc_free)\n#define _asn1_enc_init BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, asn1_enc_init)\n#define _asn1_enc_restore BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, asn1_enc_restore)\n#define _asn1_enc_save BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, asn1_enc_save)\n#define _asn1_encoding_clear BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, asn1_encoding_clear)\n#define _asn1_generalizedtime_to_tm BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, asn1_generalizedtime_to_tm)\n#define _asn1_get_choice_selector BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, asn1_get_choice_selector)\n#define _asn1_get_field_ptr BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, asn1_get_field_ptr)\n#define _asn1_get_string_table_for_testing BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, asn1_get_string_table_for_testing)\n#define _asn1_is_printable BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, asn1_is_printable)\n#define _asn1_refcount_dec_and_test_zero BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, asn1_refcount_dec_and_test_zero)\n#define _asn1_refcount_set_one BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, asn1_refcount_set_one)\n#define _asn1_set_choice_selector BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, asn1_set_choice_selector)\n#define _asn1_type_cleanup BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, asn1_type_cleanup)\n#define _asn1_type_set0_string BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, asn1_type_set0_string)\n#define _asn1_type_value_as_pointer BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, asn1_type_value_as_pointer)\n#define _asn1_utctime_to_tm BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, asn1_utctime_to_tm)\n#define _bcm_as_approved_status BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bcm_as_approved_status)\n#define _bcm_success BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bcm_success)\n#define _beeu_mod_inverse_vartime BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, beeu_mod_inverse_vartime)\n#define _bio_clear_socket_error BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bio_clear_socket_error)\n#define _bio_errno_should_retry BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bio_errno_should_retry)\n#define _bio_ip_and_port_to_socket_and_addr BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bio_ip_and_port_to_socket_and_addr)\n#define _bio_sock_error BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bio_sock_error)\n#define _bio_socket_nbio BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bio_socket_nbio)\n#define _bio_socket_should_retry BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bio_socket_should_retry)\n#define _bn_abs_sub_consttime BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_abs_sub_consttime)\n#define _bn_add_words BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_add_words)\n#define _bn_assert_fits_in_bytes BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_assert_fits_in_bytes)\n#define _bn_big_endian_to_words BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_big_endian_to_words)\n#define _bn_copy_words BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_copy_words)\n#define _bn_declassify BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_declassify)\n#define _bn_div_consttime BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_div_consttime)\n#define _bn_expand BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_expand)\n#define _bn_fits_in_words BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_fits_in_words)\n#define _bn_from_montgomery_small BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_from_montgomery_small)\n#define _bn_gather5 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_gather5)\n#define _bn_in_range_words BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_in_range_words)\n#define _bn_is_bit_set_words BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_is_bit_set_words)\n#define _bn_is_relatively_prime BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_is_relatively_prime)\n#define _bn_jacobi BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_jacobi)\n#define _bn_lcm_consttime BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_lcm_consttime)\n#define _bn_less_than_montgomery_R BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_less_than_montgomery_R)\n#define _bn_less_than_words BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_less_than_words)\n#define _bn_miller_rabin_init BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_miller_rabin_init)\n#define _bn_miller_rabin_iteration BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_miller_rabin_iteration)\n#define _bn_minimal_width BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_minimal_width)\n#define _bn_mod_add_consttime BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_mod_add_consttime)\n#define _bn_mod_add_words BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_mod_add_words)\n#define _bn_mod_exp_mont_small BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_mod_exp_mont_small)\n#define _bn_mod_inverse0_prime_mont_small BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_mod_inverse0_prime_mont_small)\n#define _bn_mod_inverse_consttime BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_mod_inverse_consttime)\n#define _bn_mod_inverse_prime BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_mod_inverse_prime)\n#define _bn_mod_inverse_secret_prime BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_mod_inverse_secret_prime)\n#define _bn_mod_lshift1_consttime BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_mod_lshift1_consttime)\n#define _bn_mod_lshift_consttime BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_mod_lshift_consttime)\n#define _bn_mod_mul_montgomery_small BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_mod_mul_montgomery_small)\n#define _bn_mod_sub_consttime BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_mod_sub_consttime)\n#define _bn_mod_sub_words BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_mod_sub_words)\n#define _bn_mod_u16_consttime BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_mod_u16_consttime)\n#define _bn_mont_ctx_cleanup BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_mont_ctx_cleanup)\n#define _bn_mont_ctx_init BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_mont_ctx_init)\n#define _bn_mont_ctx_set_RR_consttime BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_mont_ctx_set_RR_consttime)\n#define _bn_mont_n0 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_mont_n0)\n#define _bn_mul4x_mont BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_mul4x_mont)\n#define _bn_mul4x_mont_capable BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_mul4x_mont_capable)\n#define _bn_mul4x_mont_gather5 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_mul4x_mont_gather5)\n#define _bn_mul4x_mont_gather5_capable BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_mul4x_mont_gather5_capable)\n#define _bn_mul_add_words BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_mul_add_words)\n#define _bn_mul_comba4 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_mul_comba4)\n#define _bn_mul_comba8 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_mul_comba8)\n#define _bn_mul_consttime BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_mul_consttime)\n#define _bn_mul_mont BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_mul_mont)\n#define _bn_mul_mont_gather5_nohw BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_mul_mont_gather5_nohw)\n#define _bn_mul_mont_nohw BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_mul_mont_nohw)\n#define _bn_mul_small BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_mul_small)\n#define _bn_mul_words BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_mul_words)\n#define _bn_mulx4x_mont BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_mulx4x_mont)\n#define _bn_mulx4x_mont_capable BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_mulx4x_mont_capable)\n#define _bn_mulx4x_mont_gather5 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_mulx4x_mont_gather5)\n#define _bn_mulx4x_mont_gather5_capable BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_mulx4x_mont_gather5_capable)\n#define _bn_mulx_adx_capable BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_mulx_adx_capable)\n#define _bn_odd_number_is_obviously_composite BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_odd_number_is_obviously_composite)\n#define _bn_one_to_montgomery BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_one_to_montgomery)\n#define _bn_power5_capable BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_power5_capable)\n#define _bn_power5_nohw BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_power5_nohw)\n#define _bn_powerx5 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_powerx5)\n#define _bn_powerx5_capable BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_powerx5_capable)\n#define _bn_rand_range_words BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_rand_range_words)\n#define _bn_rand_secret_range BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_rand_secret_range)\n#define _bn_reduce_once BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_reduce_once)\n#define _bn_reduce_once_in_place BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_reduce_once_in_place)\n#define _bn_resize_words BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_resize_words)\n#define _bn_rshift1_words BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_rshift1_words)\n#define _bn_rshift_secret_shift BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_rshift_secret_shift)\n#define _bn_rshift_words BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_rshift_words)\n#define _bn_scatter5 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_scatter5)\n#define _bn_secret BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_secret)\n#define _bn_select_words BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_select_words)\n#define _bn_set_minimal_width BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_set_minimal_width)\n#define _bn_set_static_words BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_set_static_words)\n#define _bn_set_words BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_set_words)\n#define _bn_sqr8x_internal BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_sqr8x_internal)\n#define _bn_sqr8x_mont BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_sqr8x_mont)\n#define _bn_sqr8x_mont_capable BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_sqr8x_mont_capable)\n#define _bn_sqr_comba4 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_sqr_comba4)\n#define _bn_sqr_comba8 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_sqr_comba8)\n#define _bn_sqr_consttime BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_sqr_consttime)\n#define _bn_sqr_small BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_sqr_small)\n#define _bn_sqr_words BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_sqr_words)\n#define _bn_sqrx8x_internal BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_sqrx8x_internal)\n#define _bn_sub_words BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_sub_words)\n#define _bn_to_montgomery_small BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_to_montgomery_small)\n#define _bn_uadd_consttime BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_uadd_consttime)\n#define _bn_usub_consttime BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_usub_consttime)\n#define _bn_wexpand BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_wexpand)\n#define _bn_words_to_big_endian BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_words_to_big_endian)\n#define _boringssl_ensure_ecc_self_test BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, boringssl_ensure_ecc_self_test)\n#define _boringssl_ensure_ffdh_self_test BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, boringssl_ensure_ffdh_self_test)\n#define _boringssl_ensure_rsa_self_test BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, boringssl_ensure_rsa_self_test)\n#define _boringssl_fips_break_test BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, boringssl_fips_break_test)\n#define _boringssl_fips_inc_counter BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, boringssl_fips_inc_counter)\n#define _boringssl_self_test_hmac_sha256 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, boringssl_self_test_hmac_sha256)\n#define _boringssl_self_test_sha256 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, boringssl_self_test_sha256)\n#define _boringssl_self_test_sha512 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, boringssl_self_test_sha512)\n#define _bsaes_capable BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bsaes_capable)\n#define _bsaes_cbc_encrypt BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bsaes_cbc_encrypt)\n#define _c2i_ASN1_BIT_STRING BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, c2i_ASN1_BIT_STRING)\n#define _c2i_ASN1_INTEGER BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, c2i_ASN1_INTEGER)\n#define _c2i_ASN1_OBJECT BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, c2i_ASN1_OBJECT)\n#define _chacha20_poly1305_asm_capable BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, chacha20_poly1305_asm_capable)\n#define _chacha20_poly1305_open BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, chacha20_poly1305_open)\n#define _chacha20_poly1305_open_avx2 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, chacha20_poly1305_open_avx2)\n#define _chacha20_poly1305_open_nohw BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, chacha20_poly1305_open_nohw)\n#define _chacha20_poly1305_seal BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, chacha20_poly1305_seal)\n#define _chacha20_poly1305_seal_avx2 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, chacha20_poly1305_seal_avx2)\n#define _chacha20_poly1305_seal_nohw BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, chacha20_poly1305_seal_nohw)\n#define _crypto_gcm_clmul_enabled BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, crypto_gcm_clmul_enabled)\n#define _d2i_ASN1_BIT_STRING BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_ASN1_BIT_STRING)\n#define _d2i_ASN1_BMPSTRING BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_ASN1_BMPSTRING)\n#define _d2i_ASN1_BOOLEAN BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_ASN1_BOOLEAN)\n#define _d2i_ASN1_ENUMERATED BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_ASN1_ENUMERATED)\n#define _d2i_ASN1_GENERALIZEDTIME BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_ASN1_GENERALIZEDTIME)\n#define _d2i_ASN1_GENERALSTRING BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_ASN1_GENERALSTRING)\n#define _d2i_ASN1_IA5STRING BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_ASN1_IA5STRING)\n#define _d2i_ASN1_INTEGER BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_ASN1_INTEGER)\n#define _d2i_ASN1_NULL BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_ASN1_NULL)\n#define _d2i_ASN1_OBJECT BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_ASN1_OBJECT)\n#define _d2i_ASN1_OCTET_STRING BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_ASN1_OCTET_STRING)\n#define _d2i_ASN1_PRINTABLE BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_ASN1_PRINTABLE)\n#define _d2i_ASN1_PRINTABLESTRING BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_ASN1_PRINTABLESTRING)\n#define _d2i_ASN1_SEQUENCE_ANY BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_ASN1_SEQUENCE_ANY)\n#define _d2i_ASN1_SET_ANY BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_ASN1_SET_ANY)\n#define _d2i_ASN1_T61STRING BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_ASN1_T61STRING)\n#define _d2i_ASN1_TIME BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_ASN1_TIME)\n#define _d2i_ASN1_TYPE BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_ASN1_TYPE)\n#define _d2i_ASN1_UNIVERSALSTRING BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_ASN1_UNIVERSALSTRING)\n#define _d2i_ASN1_UTCTIME BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_ASN1_UTCTIME)\n#define _d2i_ASN1_UTF8STRING BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_ASN1_UTF8STRING)\n#define _d2i_ASN1_VISIBLESTRING BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_ASN1_VISIBLESTRING)\n#define _d2i_AUTHORITY_INFO_ACCESS BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_AUTHORITY_INFO_ACCESS)\n#define _d2i_AUTHORITY_KEYID BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_AUTHORITY_KEYID)\n#define _d2i_AutoPrivateKey BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_AutoPrivateKey)\n#define _d2i_BASIC_CONSTRAINTS BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_BASIC_CONSTRAINTS)\n#define _d2i_CERTIFICATEPOLICIES BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_CERTIFICATEPOLICIES)\n#define _d2i_CRL_DIST_POINTS BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_CRL_DIST_POINTS)\n#define _d2i_DHparams BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_DHparams)\n#define _d2i_DHparams_bio BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_DHparams_bio)\n#define _d2i_DIRECTORYSTRING BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_DIRECTORYSTRING)\n#define _d2i_DISPLAYTEXT BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_DISPLAYTEXT)\n#define _d2i_DSAPrivateKey BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_DSAPrivateKey)\n#define _d2i_DSAPrivateKey_bio BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_DSAPrivateKey_bio)\n#define _d2i_DSAPrivateKey_fp BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_DSAPrivateKey_fp)\n#define _d2i_DSAPublicKey BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_DSAPublicKey)\n#define _d2i_DSA_PUBKEY BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_DSA_PUBKEY)\n#define _d2i_DSA_PUBKEY_bio BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_DSA_PUBKEY_bio)\n#define _d2i_DSA_PUBKEY_fp BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_DSA_PUBKEY_fp)\n#define _d2i_DSA_SIG BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_DSA_SIG)\n#define _d2i_DSAparams BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_DSAparams)\n#define _d2i_ECDSA_SIG BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_ECDSA_SIG)\n#define _d2i_ECPKParameters BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_ECPKParameters)\n#define _d2i_ECParameters BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_ECParameters)\n#define _d2i_ECPrivateKey BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_ECPrivateKey)\n#define _d2i_ECPrivateKey_bio BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_ECPrivateKey_bio)\n#define _d2i_ECPrivateKey_fp BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_ECPrivateKey_fp)\n#define _d2i_EC_PUBKEY BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_EC_PUBKEY)\n#define _d2i_EC_PUBKEY_bio BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_EC_PUBKEY_bio)\n#define _d2i_EC_PUBKEY_fp BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_EC_PUBKEY_fp)\n#define _d2i_EXTENDED_KEY_USAGE BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_EXTENDED_KEY_USAGE)\n#define _d2i_GENERAL_NAME BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_GENERAL_NAME)\n#define _d2i_GENERAL_NAMES BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_GENERAL_NAMES)\n#define _d2i_ISSUING_DIST_POINT BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_ISSUING_DIST_POINT)\n#define _d2i_NETSCAPE_SPKAC BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_NETSCAPE_SPKAC)\n#define _d2i_NETSCAPE_SPKI BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_NETSCAPE_SPKI)\n#define _d2i_PKCS12 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_PKCS12)\n#define _d2i_PKCS12_bio BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_PKCS12_bio)\n#define _d2i_PKCS12_fp BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_PKCS12_fp)\n#define _d2i_PKCS7 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_PKCS7)\n#define _d2i_PKCS7_bio BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_PKCS7_bio)\n#define _d2i_PKCS8PrivateKey_bio BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_PKCS8PrivateKey_bio)\n#define _d2i_PKCS8PrivateKey_fp BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_PKCS8PrivateKey_fp)\n#define _d2i_PKCS8_PRIV_KEY_INFO BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_PKCS8_PRIV_KEY_INFO)\n#define _d2i_PKCS8_PRIV_KEY_INFO_bio BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_PKCS8_PRIV_KEY_INFO_bio)\n#define _d2i_PKCS8_PRIV_KEY_INFO_fp BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_PKCS8_PRIV_KEY_INFO_fp)\n#define _d2i_PKCS8_bio BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_PKCS8_bio)\n#define _d2i_PKCS8_fp BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_PKCS8_fp)\n#define _d2i_PUBKEY BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_PUBKEY)\n#define _d2i_PUBKEY_bio BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_PUBKEY_bio)\n#define _d2i_PUBKEY_fp BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_PUBKEY_fp)\n#define _d2i_PrivateKey BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_PrivateKey)\n#define _d2i_PrivateKey_bio BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_PrivateKey_bio)\n#define _d2i_PrivateKey_fp BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_PrivateKey_fp)\n#define _d2i_PublicKey BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_PublicKey)\n#define _d2i_RSAPrivateKey BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_RSAPrivateKey)\n#define _d2i_RSAPrivateKey_bio BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_RSAPrivateKey_bio)\n#define _d2i_RSAPrivateKey_fp BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_RSAPrivateKey_fp)\n#define _d2i_RSAPublicKey BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_RSAPublicKey)\n#define _d2i_RSAPublicKey_bio BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_RSAPublicKey_bio)\n#define _d2i_RSAPublicKey_fp BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_RSAPublicKey_fp)\n#define _d2i_RSA_PSS_PARAMS BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_RSA_PSS_PARAMS)\n#define _d2i_RSA_PUBKEY BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_RSA_PUBKEY)\n#define _d2i_RSA_PUBKEY_bio BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_RSA_PUBKEY_bio)\n#define _d2i_RSA_PUBKEY_fp BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_RSA_PUBKEY_fp)\n#define _d2i_SSL_SESSION BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_SSL_SESSION)\n#define _d2i_SSL_SESSION_bio BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_SSL_SESSION_bio)\n#define _d2i_X509 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_X509)\n#define _d2i_X509_ALGOR BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_X509_ALGOR)\n#define _d2i_X509_ATTRIBUTE BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_X509_ATTRIBUTE)\n#define _d2i_X509_AUX BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_X509_AUX)\n#define _d2i_X509_CERT_AUX BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_X509_CERT_AUX)\n#define _d2i_X509_CINF BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_X509_CINF)\n#define _d2i_X509_CRL BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_X509_CRL)\n#define _d2i_X509_CRL_INFO BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_X509_CRL_INFO)\n#define _d2i_X509_CRL_bio BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_X509_CRL_bio)\n#define _d2i_X509_CRL_fp BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_X509_CRL_fp)\n#define _d2i_X509_EXTENSION BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_X509_EXTENSION)\n#define _d2i_X509_EXTENSIONS BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_X509_EXTENSIONS)\n#define _d2i_X509_NAME BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_X509_NAME)\n#define _d2i_X509_PUBKEY BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_X509_PUBKEY)\n#define _d2i_X509_REQ BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_X509_REQ)\n#define _d2i_X509_REQ_INFO BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_X509_REQ_INFO)\n#define _d2i_X509_REQ_bio BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_X509_REQ_bio)\n#define _d2i_X509_REQ_fp BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_X509_REQ_fp)\n#define _d2i_X509_REVOKED BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_X509_REVOKED)\n#define _d2i_X509_SIG BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_X509_SIG)\n#define _d2i_X509_VAL BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_X509_VAL)\n#define _d2i_X509_bio BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_X509_bio)\n#define _d2i_X509_fp BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_X509_fp)\n#define _dh_asn1_meth BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, dh_asn1_meth)\n#define _dh_check_params_fast BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, dh_check_params_fast)\n#define _dh_compute_key_padded_no_self_test BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, dh_compute_key_padded_no_self_test)\n#define _dh_pkey_meth BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, dh_pkey_meth)\n#define _dsa_asn1_meth BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, dsa_asn1_meth)\n#define _dsa_check_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, dsa_check_key)\n#define _ec_GFp_mont_add BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ec_GFp_mont_add)\n#define _ec_GFp_mont_dbl BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ec_GFp_mont_dbl)\n#define _ec_GFp_mont_felem_exp BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ec_GFp_mont_felem_exp)\n#define _ec_GFp_mont_felem_from_bytes BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ec_GFp_mont_felem_from_bytes)\n#define _ec_GFp_mont_felem_mul BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ec_GFp_mont_felem_mul)\n#define _ec_GFp_mont_felem_reduce BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ec_GFp_mont_felem_reduce)\n#define _ec_GFp_mont_felem_sqr BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ec_GFp_mont_felem_sqr)\n#define _ec_GFp_mont_felem_to_bytes BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ec_GFp_mont_felem_to_bytes)\n#define _ec_GFp_mont_init_precomp BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ec_GFp_mont_init_precomp)\n#define _ec_GFp_mont_mul BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ec_GFp_mont_mul)\n#define _ec_GFp_mont_mul_base BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ec_GFp_mont_mul_base)\n#define _ec_GFp_mont_mul_batch BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ec_GFp_mont_mul_batch)\n#define _ec_GFp_mont_mul_precomp BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ec_GFp_mont_mul_precomp)\n#define _ec_GFp_mont_mul_public_batch BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ec_GFp_mont_mul_public_batch)\n#define _ec_GFp_nistp_recode_scalar_bits BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ec_GFp_nistp_recode_scalar_bits)\n#define _ec_GFp_simple_cmp_x_coordinate BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ec_GFp_simple_cmp_x_coordinate)\n#define _ec_GFp_simple_felem_from_bytes BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ec_GFp_simple_felem_from_bytes)\n#define _ec_GFp_simple_felem_to_bytes BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ec_GFp_simple_felem_to_bytes)\n#define _ec_GFp_simple_group_get_curve BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ec_GFp_simple_group_get_curve)\n#define _ec_GFp_simple_group_set_curve BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ec_GFp_simple_group_set_curve)\n#define _ec_GFp_simple_invert BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ec_GFp_simple_invert)\n#define _ec_GFp_simple_is_at_infinity BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ec_GFp_simple_is_at_infinity)\n#define _ec_GFp_simple_is_on_curve BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ec_GFp_simple_is_on_curve)\n#define _ec_GFp_simple_point_copy BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ec_GFp_simple_point_copy)\n#define _ec_GFp_simple_point_init BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ec_GFp_simple_point_init)\n#define _ec_GFp_simple_point_set_to_infinity BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ec_GFp_simple_point_set_to_infinity)\n#define _ec_GFp_simple_points_equal BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ec_GFp_simple_points_equal)\n#define _ec_affine_jacobian_equal BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ec_affine_jacobian_equal)\n#define _ec_affine_select BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ec_affine_select)\n#define _ec_affine_to_jacobian BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ec_affine_to_jacobian)\n#define _ec_asn1_meth BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ec_asn1_meth)\n#define _ec_bignum_to_felem BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ec_bignum_to_felem)\n#define _ec_bignum_to_scalar BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ec_bignum_to_scalar)\n#define _ec_cmp_x_coordinate BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ec_cmp_x_coordinate)\n#define _ec_compute_wNAF BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ec_compute_wNAF)\n#define _ec_felem_add BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ec_felem_add)\n#define _ec_felem_equal BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ec_felem_equal)\n#define _ec_felem_from_bytes BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ec_felem_from_bytes)\n#define _ec_felem_neg BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ec_felem_neg)\n#define _ec_felem_non_zero_mask BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ec_felem_non_zero_mask)\n#define _ec_felem_one BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ec_felem_one)\n#define _ec_felem_select BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ec_felem_select)\n#define _ec_felem_sub BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ec_felem_sub)\n#define _ec_felem_to_bignum BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ec_felem_to_bignum)\n#define _ec_felem_to_bytes BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ec_felem_to_bytes)\n#define _ec_get_x_coordinate_as_bytes BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ec_get_x_coordinate_as_bytes)\n#define _ec_get_x_coordinate_as_scalar BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ec_get_x_coordinate_as_scalar)\n#define _ec_hash_to_curve_p256_xmd_sha256_sswu BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ec_hash_to_curve_p256_xmd_sha256_sswu)\n#define _ec_hash_to_curve_p384_xmd_sha384_sswu BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ec_hash_to_curve_p384_xmd_sha384_sswu)\n#define _ec_hash_to_curve_p384_xmd_sha512_sswu_draft07 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ec_hash_to_curve_p384_xmd_sha512_sswu_draft07)\n#define _ec_hash_to_scalar_p384_xmd_sha384 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ec_hash_to_scalar_p384_xmd_sha384)\n#define _ec_hash_to_scalar_p384_xmd_sha512_draft07 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ec_hash_to_scalar_p384_xmd_sha512_draft07)\n#define _ec_init_precomp BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ec_init_precomp)\n#define _ec_jacobian_to_affine BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ec_jacobian_to_affine)\n#define _ec_jacobian_to_affine_batch BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ec_jacobian_to_affine_batch)\n#define _ec_pkey_meth BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ec_pkey_meth)\n#define _ec_point_byte_len BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ec_point_byte_len)\n#define _ec_point_from_uncompressed BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ec_point_from_uncompressed)\n#define _ec_point_mul_no_self_test BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ec_point_mul_no_self_test)\n#define _ec_point_mul_scalar BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ec_point_mul_scalar)\n#define _ec_point_mul_scalar_base BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ec_point_mul_scalar_base)\n#define _ec_point_mul_scalar_batch BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ec_point_mul_scalar_batch)\n#define _ec_point_mul_scalar_precomp BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ec_point_mul_scalar_precomp)\n#define _ec_point_mul_scalar_public BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ec_point_mul_scalar_public)\n#define _ec_point_mul_scalar_public_batch BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ec_point_mul_scalar_public_batch)\n#define _ec_point_select BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ec_point_select)\n#define _ec_point_set_affine_coordinates BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ec_point_set_affine_coordinates)\n#define _ec_point_to_bytes BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ec_point_to_bytes)\n#define _ec_precomp_select BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ec_precomp_select)\n#define _ec_random_nonzero_scalar BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ec_random_nonzero_scalar)\n#define _ec_random_scalar BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ec_random_scalar)\n#define _ec_scalar_add BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ec_scalar_add)\n#define _ec_scalar_equal_vartime BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ec_scalar_equal_vartime)\n#define _ec_scalar_from_bytes BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ec_scalar_from_bytes)\n#define _ec_scalar_from_montgomery BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ec_scalar_from_montgomery)\n#define _ec_scalar_inv0_montgomery BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ec_scalar_inv0_montgomery)\n#define _ec_scalar_is_zero BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ec_scalar_is_zero)\n#define _ec_scalar_mul_montgomery BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ec_scalar_mul_montgomery)\n#define _ec_scalar_neg BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ec_scalar_neg)\n#define _ec_scalar_reduce BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ec_scalar_reduce)\n#define _ec_scalar_select BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ec_scalar_select)\n#define _ec_scalar_sub BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ec_scalar_sub)\n#define _ec_scalar_to_bytes BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ec_scalar_to_bytes)\n#define _ec_scalar_to_montgomery BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ec_scalar_to_montgomery)\n#define _ec_scalar_to_montgomery_inv_vartime BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ec_scalar_to_montgomery_inv_vartime)\n#define _ec_set_to_safe_point BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ec_set_to_safe_point)\n#define _ec_simple_scalar_inv0_montgomery BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ec_simple_scalar_inv0_montgomery)\n#define _ec_simple_scalar_to_montgomery_inv_vartime BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ec_simple_scalar_to_montgomery_inv_vartime)\n#define _ecdsa_sign_fixed BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ecdsa_sign_fixed)\n#define _ecdsa_sign_fixed_with_nonce_for_known_answer_test BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ecdsa_sign_fixed_with_nonce_for_known_answer_test)\n#define _ecdsa_verify_fixed BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ecdsa_verify_fixed)\n#define _ecdsa_verify_fixed_no_self_test BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ecdsa_verify_fixed_no_self_test)\n#define _ecp_nistz256_div_by_2 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ecp_nistz256_div_by_2)\n#define _ecp_nistz256_mul_by_2 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ecp_nistz256_mul_by_2)\n#define _ecp_nistz256_mul_by_3 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ecp_nistz256_mul_by_3)\n#define _ecp_nistz256_mul_mont BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ecp_nistz256_mul_mont)\n#define _ecp_nistz256_mul_mont_adx BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ecp_nistz256_mul_mont_adx)\n#define _ecp_nistz256_mul_mont_nohw BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ecp_nistz256_mul_mont_nohw)\n#define _ecp_nistz256_neg BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ecp_nistz256_neg)\n#define _ecp_nistz256_ord_mul_mont BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ecp_nistz256_ord_mul_mont)\n#define _ecp_nistz256_ord_mul_mont_adx BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ecp_nistz256_ord_mul_mont_adx)\n#define _ecp_nistz256_ord_mul_mont_nohw BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ecp_nistz256_ord_mul_mont_nohw)\n#define _ecp_nistz256_ord_sqr_mont BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ecp_nistz256_ord_sqr_mont)\n#define _ecp_nistz256_ord_sqr_mont_adx BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ecp_nistz256_ord_sqr_mont_adx)\n#define _ecp_nistz256_ord_sqr_mont_nohw BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ecp_nistz256_ord_sqr_mont_nohw)\n#define _ecp_nistz256_point_add BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ecp_nistz256_point_add)\n#define _ecp_nistz256_point_add_adx BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ecp_nistz256_point_add_adx)\n#define _ecp_nistz256_point_add_affine BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ecp_nistz256_point_add_affine)\n#define _ecp_nistz256_point_add_affine_adx BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ecp_nistz256_point_add_affine_adx)\n#define _ecp_nistz256_point_add_affine_nohw BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ecp_nistz256_point_add_affine_nohw)\n#define _ecp_nistz256_point_add_nohw BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ecp_nistz256_point_add_nohw)\n#define _ecp_nistz256_point_double BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ecp_nistz256_point_double)\n#define _ecp_nistz256_point_double_adx BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ecp_nistz256_point_double_adx)\n#define _ecp_nistz256_point_double_nohw BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ecp_nistz256_point_double_nohw)\n#define _ecp_nistz256_select_w5 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ecp_nistz256_select_w5)\n#define _ecp_nistz256_select_w5_avx2 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ecp_nistz256_select_w5_avx2)\n#define _ecp_nistz256_select_w5_nohw BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ecp_nistz256_select_w5_nohw)\n#define _ecp_nistz256_select_w7 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ecp_nistz256_select_w7)\n#define _ecp_nistz256_select_w7_avx2 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ecp_nistz256_select_w7_avx2)\n#define _ecp_nistz256_select_w7_nohw BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ecp_nistz256_select_w7_nohw)\n#define _ecp_nistz256_sqr_mont BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ecp_nistz256_sqr_mont)\n#define _ecp_nistz256_sqr_mont_adx BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ecp_nistz256_sqr_mont_adx)\n#define _ecp_nistz256_sqr_mont_nohw BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ecp_nistz256_sqr_mont_nohw)\n#define _ecp_nistz256_sub BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ecp_nistz256_sub)\n#define _ed25519_asn1_meth BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ed25519_asn1_meth)\n#define _ed25519_pkey_meth BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ed25519_pkey_meth)\n#define _evp_pkey_set_method BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, evp_pkey_set_method)\n#define _fiat_curve25519_adx_mul BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, fiat_curve25519_adx_mul)\n#define _fiat_curve25519_adx_square BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, fiat_curve25519_adx_square)\n#define _fiat_p256_adx_mul BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, fiat_p256_adx_mul)\n#define _fiat_p256_adx_sqr BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, fiat_p256_adx_sqr)\n#define _gcm_ghash_avx BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, gcm_ghash_avx)\n#define _gcm_ghash_clmul BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, gcm_ghash_clmul)\n#define _gcm_ghash_neon BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, gcm_ghash_neon)\n#define _gcm_ghash_nohw BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, gcm_ghash_nohw)\n#define _gcm_ghash_ssse3 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, gcm_ghash_ssse3)\n#define _gcm_ghash_v8 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, gcm_ghash_v8)\n#define _gcm_ghash_vpclmulqdq_avx10_512 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, gcm_ghash_vpclmulqdq_avx10_512)\n#define _gcm_ghash_vpclmulqdq_avx2 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, gcm_ghash_vpclmulqdq_avx2)\n#define _gcm_gmult_avx BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, gcm_gmult_avx)\n#define _gcm_gmult_clmul BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, gcm_gmult_clmul)\n#define _gcm_gmult_neon BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, gcm_gmult_neon)\n#define _gcm_gmult_nohw BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, gcm_gmult_nohw)\n#define _gcm_gmult_ssse3 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, gcm_gmult_ssse3)\n#define _gcm_gmult_v8 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, gcm_gmult_v8)\n#define _gcm_gmult_vpclmulqdq_avx10 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, gcm_gmult_vpclmulqdq_avx10)\n#define _gcm_gmult_vpclmulqdq_avx2 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, gcm_gmult_vpclmulqdq_avx2)\n#define _gcm_init_avx BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, gcm_init_avx)\n#define _gcm_init_clmul BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, gcm_init_clmul)\n#define _gcm_init_neon BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, gcm_init_neon)\n#define _gcm_init_nohw BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, gcm_init_nohw)\n#define _gcm_init_ssse3 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, gcm_init_ssse3)\n#define _gcm_init_v8 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, gcm_init_v8)\n#define _gcm_init_vpclmulqdq_avx10_512 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, gcm_init_vpclmulqdq_avx10_512)\n#define _gcm_init_vpclmulqdq_avx2 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, gcm_init_vpclmulqdq_avx2)\n#define _gcm_neon_capable BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, gcm_neon_capable)\n#define _gcm_pmull_capable BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, gcm_pmull_capable)\n#define _have_fast_rdrand BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, have_fast_rdrand)\n#define _have_rdrand BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, have_rdrand)\n#define _hkdf_pkey_meth BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, hkdf_pkey_meth)\n#define _hwaes_capable BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, hwaes_capable)\n#define _i2a_ASN1_ENUMERATED BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2a_ASN1_ENUMERATED)\n#define _i2a_ASN1_INTEGER BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2a_ASN1_INTEGER)\n#define _i2a_ASN1_OBJECT BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2a_ASN1_OBJECT)\n#define _i2a_ASN1_STRING BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2a_ASN1_STRING)\n#define _i2c_ASN1_BIT_STRING BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2c_ASN1_BIT_STRING)\n#define _i2c_ASN1_INTEGER BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2c_ASN1_INTEGER)\n#define _i2d_ASN1_BIT_STRING BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_ASN1_BIT_STRING)\n#define _i2d_ASN1_BMPSTRING BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_ASN1_BMPSTRING)\n#define _i2d_ASN1_BOOLEAN BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_ASN1_BOOLEAN)\n#define _i2d_ASN1_ENUMERATED BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_ASN1_ENUMERATED)\n#define _i2d_ASN1_GENERALIZEDTIME BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_ASN1_GENERALIZEDTIME)\n#define _i2d_ASN1_GENERALSTRING BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_ASN1_GENERALSTRING)\n#define _i2d_ASN1_IA5STRING BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_ASN1_IA5STRING)\n#define _i2d_ASN1_INTEGER BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_ASN1_INTEGER)\n#define _i2d_ASN1_NULL BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_ASN1_NULL)\n#define _i2d_ASN1_OBJECT BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_ASN1_OBJECT)\n#define _i2d_ASN1_OCTET_STRING BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_ASN1_OCTET_STRING)\n#define _i2d_ASN1_PRINTABLE BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_ASN1_PRINTABLE)\n#define _i2d_ASN1_PRINTABLESTRING BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_ASN1_PRINTABLESTRING)\n#define _i2d_ASN1_SEQUENCE_ANY BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_ASN1_SEQUENCE_ANY)\n#define _i2d_ASN1_SET_ANY BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_ASN1_SET_ANY)\n#define _i2d_ASN1_T61STRING BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_ASN1_T61STRING)\n#define _i2d_ASN1_TIME BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_ASN1_TIME)\n#define _i2d_ASN1_TYPE BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_ASN1_TYPE)\n#define _i2d_ASN1_UNIVERSALSTRING BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_ASN1_UNIVERSALSTRING)\n#define _i2d_ASN1_UTCTIME BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_ASN1_UTCTIME)\n#define _i2d_ASN1_UTF8STRING BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_ASN1_UTF8STRING)\n#define _i2d_ASN1_VISIBLESTRING BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_ASN1_VISIBLESTRING)\n#define _i2d_AUTHORITY_INFO_ACCESS BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_AUTHORITY_INFO_ACCESS)\n#define _i2d_AUTHORITY_KEYID BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_AUTHORITY_KEYID)\n#define _i2d_BASIC_CONSTRAINTS BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_BASIC_CONSTRAINTS)\n#define _i2d_CERTIFICATEPOLICIES BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_CERTIFICATEPOLICIES)\n#define _i2d_CRL_DIST_POINTS BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_CRL_DIST_POINTS)\n#define _i2d_DHparams BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_DHparams)\n#define _i2d_DHparams_bio BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_DHparams_bio)\n#define _i2d_DIRECTORYSTRING BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_DIRECTORYSTRING)\n#define _i2d_DISPLAYTEXT BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_DISPLAYTEXT)\n#define _i2d_DSAPrivateKey BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_DSAPrivateKey)\n#define _i2d_DSAPrivateKey_bio BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_DSAPrivateKey_bio)\n#define _i2d_DSAPrivateKey_fp BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_DSAPrivateKey_fp)\n#define _i2d_DSAPublicKey BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_DSAPublicKey)\n#define _i2d_DSA_PUBKEY BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_DSA_PUBKEY)\n#define _i2d_DSA_PUBKEY_bio BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_DSA_PUBKEY_bio)\n#define _i2d_DSA_PUBKEY_fp BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_DSA_PUBKEY_fp)\n#define _i2d_DSA_SIG BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_DSA_SIG)\n#define _i2d_DSAparams BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_DSAparams)\n#define _i2d_ECDSA_SIG BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_ECDSA_SIG)\n#define _i2d_ECPKParameters BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_ECPKParameters)\n#define _i2d_ECParameters BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_ECParameters)\n#define _i2d_ECPrivateKey BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_ECPrivateKey)\n#define _i2d_ECPrivateKey_bio BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_ECPrivateKey_bio)\n#define _i2d_ECPrivateKey_fp BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_ECPrivateKey_fp)\n#define _i2d_EC_PUBKEY BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_EC_PUBKEY)\n#define _i2d_EC_PUBKEY_bio BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_EC_PUBKEY_bio)\n#define _i2d_EC_PUBKEY_fp BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_EC_PUBKEY_fp)\n#define _i2d_EXTENDED_KEY_USAGE BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_EXTENDED_KEY_USAGE)\n#define _i2d_GENERAL_NAME BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_GENERAL_NAME)\n#define _i2d_GENERAL_NAMES BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_GENERAL_NAMES)\n#define _i2d_ISSUING_DIST_POINT BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_ISSUING_DIST_POINT)\n#define _i2d_NETSCAPE_SPKAC BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_NETSCAPE_SPKAC)\n#define _i2d_NETSCAPE_SPKI BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_NETSCAPE_SPKI)\n#define _i2d_PKCS12 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_PKCS12)\n#define _i2d_PKCS12_bio BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_PKCS12_bio)\n#define _i2d_PKCS12_fp BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_PKCS12_fp)\n#define _i2d_PKCS7 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_PKCS7)\n#define _i2d_PKCS7_bio BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_PKCS7_bio)\n#define _i2d_PKCS8PrivateKeyInfo_bio BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_PKCS8PrivateKeyInfo_bio)\n#define _i2d_PKCS8PrivateKeyInfo_fp BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_PKCS8PrivateKeyInfo_fp)\n#define _i2d_PKCS8PrivateKey_bio BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_PKCS8PrivateKey_bio)\n#define _i2d_PKCS8PrivateKey_fp BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_PKCS8PrivateKey_fp)\n#define _i2d_PKCS8PrivateKey_nid_bio BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_PKCS8PrivateKey_nid_bio)\n#define _i2d_PKCS8PrivateKey_nid_fp BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_PKCS8PrivateKey_nid_fp)\n#define _i2d_PKCS8_PRIV_KEY_INFO BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_PKCS8_PRIV_KEY_INFO)\n#define _i2d_PKCS8_PRIV_KEY_INFO_bio BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_PKCS8_PRIV_KEY_INFO_bio)\n#define _i2d_PKCS8_PRIV_KEY_INFO_fp BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_PKCS8_PRIV_KEY_INFO_fp)\n#define _i2d_PKCS8_bio BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_PKCS8_bio)\n#define _i2d_PKCS8_fp BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_PKCS8_fp)\n#define _i2d_PUBKEY BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_PUBKEY)\n#define _i2d_PUBKEY_bio BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_PUBKEY_bio)\n#define _i2d_PUBKEY_fp BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_PUBKEY_fp)\n#define _i2d_PrivateKey BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_PrivateKey)\n#define _i2d_PrivateKey_bio BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_PrivateKey_bio)\n#define _i2d_PrivateKey_fp BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_PrivateKey_fp)\n#define _i2d_PublicKey BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_PublicKey)\n#define _i2d_RSAPrivateKey BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_RSAPrivateKey)\n#define _i2d_RSAPrivateKey_bio BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_RSAPrivateKey_bio)\n#define _i2d_RSAPrivateKey_fp BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_RSAPrivateKey_fp)\n#define _i2d_RSAPublicKey BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_RSAPublicKey)\n#define _i2d_RSAPublicKey_bio BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_RSAPublicKey_bio)\n#define _i2d_RSAPublicKey_fp BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_RSAPublicKey_fp)\n#define _i2d_RSA_PSS_PARAMS BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_RSA_PSS_PARAMS)\n#define _i2d_RSA_PUBKEY BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_RSA_PUBKEY)\n#define _i2d_RSA_PUBKEY_bio BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_RSA_PUBKEY_bio)\n#define _i2d_RSA_PUBKEY_fp BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_RSA_PUBKEY_fp)\n#define _i2d_SSL_SESSION BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_SSL_SESSION)\n#define _i2d_SSL_SESSION_bio BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_SSL_SESSION_bio)\n#define _i2d_X509 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_X509)\n#define _i2d_X509_ALGOR BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_X509_ALGOR)\n#define _i2d_X509_ATTRIBUTE BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_X509_ATTRIBUTE)\n#define _i2d_X509_AUX BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_X509_AUX)\n#define _i2d_X509_CERT_AUX BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_X509_CERT_AUX)\n#define _i2d_X509_CINF BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_X509_CINF)\n#define _i2d_X509_CRL BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_X509_CRL)\n#define _i2d_X509_CRL_INFO BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_X509_CRL_INFO)\n#define _i2d_X509_CRL_bio BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_X509_CRL_bio)\n#define _i2d_X509_CRL_fp BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_X509_CRL_fp)\n#define _i2d_X509_CRL_tbs BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_X509_CRL_tbs)\n#define _i2d_X509_EXTENSION BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_X509_EXTENSION)\n#define _i2d_X509_EXTENSIONS BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_X509_EXTENSIONS)\n#define _i2d_X509_NAME BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_X509_NAME)\n#define _i2d_X509_PUBKEY BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_X509_PUBKEY)\n#define _i2d_X509_REQ BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_X509_REQ)\n#define _i2d_X509_REQ_INFO BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_X509_REQ_INFO)\n#define _i2d_X509_REQ_bio BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_X509_REQ_bio)\n#define _i2d_X509_REQ_fp BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_X509_REQ_fp)\n#define _i2d_X509_REVOKED BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_X509_REVOKED)\n#define _i2d_X509_SIG BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_X509_SIG)\n#define _i2d_X509_VAL BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_X509_VAL)\n#define _i2d_X509_bio BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_X509_bio)\n#define _i2d_X509_fp BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_X509_fp)\n#define _i2d_X509_tbs BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_X509_tbs)\n#define _i2d_re_X509_CRL_tbs BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_re_X509_CRL_tbs)\n#define _i2d_re_X509_REQ_tbs BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_re_X509_REQ_tbs)\n#define _i2d_re_X509_tbs BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_re_X509_tbs)\n#define _i2o_ECPublicKey BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2o_ECPublicKey)\n#define _i2s_ASN1_ENUMERATED BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2s_ASN1_ENUMERATED)\n#define _i2s_ASN1_INTEGER BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2s_ASN1_INTEGER)\n#define _i2s_ASN1_OCTET_STRING BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2s_ASN1_OCTET_STRING)\n#define _i2t_ASN1_OBJECT BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2t_ASN1_OBJECT)\n#define _i2v_GENERAL_NAME BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2v_GENERAL_NAME)\n#define _i2v_GENERAL_NAMES BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2v_GENERAL_NAMES)\n#define _k25519Precomp BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, k25519Precomp)\n#define _kBoringSSLRSASqrtTwo BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, kBoringSSLRSASqrtTwo)\n#define _kBoringSSLRSASqrtTwoLen BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, kBoringSSLRSASqrtTwoLen)\n#define _kOpenSSLReasonStringData BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, kOpenSSLReasonStringData)\n#define _kOpenSSLReasonValues BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, kOpenSSLReasonValues)\n#define _kOpenSSLReasonValuesLen BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, kOpenSSLReasonValuesLen)\n#define _lh_CONF_SECTION_call_cmp_func BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, lh_CONF_SECTION_call_cmp_func)\n#define _lh_CONF_SECTION_call_doall_arg BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, lh_CONF_SECTION_call_doall_arg)\n#define _lh_CONF_SECTION_call_hash_func BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, lh_CONF_SECTION_call_hash_func)\n#define _lh_CONF_SECTION_doall_arg BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, lh_CONF_SECTION_doall_arg)\n#define _lh_CONF_SECTION_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, lh_CONF_SECTION_free)\n#define _lh_CONF_SECTION_insert BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, lh_CONF_SECTION_insert)\n#define _lh_CONF_SECTION_new BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, lh_CONF_SECTION_new)\n#define _lh_CONF_SECTION_retrieve BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, lh_CONF_SECTION_retrieve)\n#define _lh_CONF_VALUE_call_cmp_func BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, lh_CONF_VALUE_call_cmp_func)\n#define _lh_CONF_VALUE_call_doall_arg BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, lh_CONF_VALUE_call_doall_arg)\n#define _lh_CONF_VALUE_call_hash_func BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, lh_CONF_VALUE_call_hash_func)\n#define _lh_CONF_VALUE_doall_arg BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, lh_CONF_VALUE_doall_arg)\n#define _lh_CONF_VALUE_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, lh_CONF_VALUE_free)\n#define _lh_CONF_VALUE_insert BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, lh_CONF_VALUE_insert)\n#define _lh_CONF_VALUE_new BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, lh_CONF_VALUE_new)\n#define _lh_CONF_VALUE_retrieve BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, lh_CONF_VALUE_retrieve)\n#define _lh_CRYPTO_BUFFER_call_cmp_func BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, lh_CRYPTO_BUFFER_call_cmp_func)\n#define _lh_CRYPTO_BUFFER_call_hash_func BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, lh_CRYPTO_BUFFER_call_hash_func)\n#define _lh_CRYPTO_BUFFER_delete BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, lh_CRYPTO_BUFFER_delete)\n#define _lh_CRYPTO_BUFFER_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, lh_CRYPTO_BUFFER_free)\n#define _lh_CRYPTO_BUFFER_insert BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, lh_CRYPTO_BUFFER_insert)\n#define _lh_CRYPTO_BUFFER_new BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, lh_CRYPTO_BUFFER_new)\n#define _lh_CRYPTO_BUFFER_num_items BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, lh_CRYPTO_BUFFER_num_items)\n#define _lh_CRYPTO_BUFFER_retrieve BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, lh_CRYPTO_BUFFER_retrieve)\n#define _md5_block_asm_data_order BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, md5_block_asm_data_order)\n#define _o2i_ECPublicKey BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, o2i_ECPublicKey)\n#define _pkcs12_iterations_acceptable BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, pkcs12_iterations_acceptable)\n#define _pkcs12_key_gen BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, pkcs12_key_gen)\n#define _pkcs12_pbe_encrypt_init BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, pkcs12_pbe_encrypt_init)\n#define _pkcs7_add_signed_data BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, pkcs7_add_signed_data)\n#define _pkcs7_parse_header BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, pkcs7_parse_header)\n#define _pkcs8_pbe_decrypt BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, pkcs8_pbe_decrypt)\n#define _pmbtoken_exp1_blind BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, pmbtoken_exp1_blind)\n#define _pmbtoken_exp1_client_key_from_bytes BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, pmbtoken_exp1_client_key_from_bytes)\n#define _pmbtoken_exp1_derive_key_from_secret BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, pmbtoken_exp1_derive_key_from_secret)\n#define _pmbtoken_exp1_generate_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, pmbtoken_exp1_generate_key)\n#define _pmbtoken_exp1_get_h_for_testing BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, pmbtoken_exp1_get_h_for_testing)\n#define _pmbtoken_exp1_issuer_key_from_bytes BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, pmbtoken_exp1_issuer_key_from_bytes)\n#define _pmbtoken_exp1_read BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, pmbtoken_exp1_read)\n#define _pmbtoken_exp1_sign BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, pmbtoken_exp1_sign)\n#define _pmbtoken_exp1_unblind BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, pmbtoken_exp1_unblind)\n#define _pmbtoken_exp2_blind BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, pmbtoken_exp2_blind)\n#define _pmbtoken_exp2_client_key_from_bytes BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, pmbtoken_exp2_client_key_from_bytes)\n#define _pmbtoken_exp2_derive_key_from_secret BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, pmbtoken_exp2_derive_key_from_secret)\n#define _pmbtoken_exp2_generate_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, pmbtoken_exp2_generate_key)\n#define _pmbtoken_exp2_get_h_for_testing BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, pmbtoken_exp2_get_h_for_testing)\n#define _pmbtoken_exp2_issuer_key_from_bytes BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, pmbtoken_exp2_issuer_key_from_bytes)\n#define _pmbtoken_exp2_read BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, pmbtoken_exp2_read)\n#define _pmbtoken_exp2_sign BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, pmbtoken_exp2_sign)\n#define _pmbtoken_exp2_unblind BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, pmbtoken_exp2_unblind)\n#define _pmbtoken_pst1_blind BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, pmbtoken_pst1_blind)\n#define _pmbtoken_pst1_client_key_from_bytes BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, pmbtoken_pst1_client_key_from_bytes)\n#define _pmbtoken_pst1_derive_key_from_secret BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, pmbtoken_pst1_derive_key_from_secret)\n#define _pmbtoken_pst1_generate_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, pmbtoken_pst1_generate_key)\n#define _pmbtoken_pst1_get_h_for_testing BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, pmbtoken_pst1_get_h_for_testing)\n#define _pmbtoken_pst1_issuer_key_from_bytes BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, pmbtoken_pst1_issuer_key_from_bytes)\n#define _pmbtoken_pst1_read BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, pmbtoken_pst1_read)\n#define _pmbtoken_pst1_sign BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, pmbtoken_pst1_sign)\n#define _pmbtoken_pst1_unblind BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, pmbtoken_pst1_unblind)\n#define _poly_Rq_mul BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, poly_Rq_mul)\n#define _rand_fork_unsafe_buffering_enabled BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, rand_fork_unsafe_buffering_enabled)\n#define _rsa_asn1_meth BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, rsa_asn1_meth)\n#define _rsa_check_public_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, rsa_check_public_key)\n#define _rsa_default_private_transform BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, rsa_default_private_transform)\n#define _rsa_default_sign_raw BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, rsa_default_sign_raw)\n#define _rsa_invalidate_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, rsa_invalidate_key)\n#define _rsa_pkey_meth BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, rsa_pkey_meth)\n#define _rsa_private_transform BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, rsa_private_transform)\n#define _rsa_private_transform_no_self_test BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, rsa_private_transform_no_self_test)\n#define _rsa_sign_no_self_test BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, rsa_sign_no_self_test)\n#define _rsa_verify_no_self_test BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, rsa_verify_no_self_test)\n#define _rsa_verify_raw_no_self_test BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, rsa_verify_raw_no_self_test)\n#define _rsaz_1024_gather5_avx2 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, rsaz_1024_gather5_avx2)\n#define _rsaz_1024_mul_avx2 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, rsaz_1024_mul_avx2)\n#define _rsaz_1024_norm2red_avx2 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, rsaz_1024_norm2red_avx2)\n#define _rsaz_1024_red2norm_avx2 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, rsaz_1024_red2norm_avx2)\n#define _rsaz_1024_scatter5_avx2 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, rsaz_1024_scatter5_avx2)\n#define _rsaz_1024_sqr_avx2 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, rsaz_1024_sqr_avx2)\n#define _rsaz_avx2_preferred BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, rsaz_avx2_preferred)\n#define _s2i_ASN1_INTEGER BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, s2i_ASN1_INTEGER)\n#define _s2i_ASN1_OCTET_STRING BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, s2i_ASN1_OCTET_STRING)\n#define _sha1_avx2_capable BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sha1_avx2_capable)\n#define _sha1_avx_capable BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sha1_avx_capable)\n#define _sha1_block_data_order_avx BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sha1_block_data_order_avx)\n#define _sha1_block_data_order_avx2 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sha1_block_data_order_avx2)\n#define _sha1_block_data_order_hw BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sha1_block_data_order_hw)\n#define _sha1_block_data_order_nohw BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sha1_block_data_order_nohw)\n#define _sha1_block_data_order_ssse3 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sha1_block_data_order_ssse3)\n#define _sha1_hw_capable BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sha1_hw_capable)\n#define _sha1_ssse3_capable BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sha1_ssse3_capable)\n#define _sha256_avx_capable BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sha256_avx_capable)\n#define _sha256_block_data_order_avx BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sha256_block_data_order_avx)\n#define _sha256_block_data_order_hw BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sha256_block_data_order_hw)\n#define _sha256_block_data_order_nohw BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sha256_block_data_order_nohw)\n#define _sha256_block_data_order_ssse3 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sha256_block_data_order_ssse3)\n#define _sha256_hw_capable BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sha256_hw_capable)\n#define _sha256_ssse3_capable BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sha256_ssse3_capable)\n#define _sha512_avx_capable BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sha512_avx_capable)\n#define _sha512_block_data_order_avx BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sha512_block_data_order_avx)\n#define _sha512_block_data_order_hw BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sha512_block_data_order_hw)\n#define _sha512_block_data_order_nohw BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sha512_block_data_order_nohw)\n#define _sha512_hw_capable BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sha512_hw_capable)\n#define _sk_ACCESS_DESCRIPTION_call_free_func BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_ACCESS_DESCRIPTION_call_free_func)\n#define _sk_ACCESS_DESCRIPTION_new_null BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_ACCESS_DESCRIPTION_new_null)\n#define _sk_ACCESS_DESCRIPTION_num BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_ACCESS_DESCRIPTION_num)\n#define _sk_ACCESS_DESCRIPTION_pop_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_ACCESS_DESCRIPTION_pop_free)\n#define _sk_ACCESS_DESCRIPTION_push BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_ACCESS_DESCRIPTION_push)\n#define _sk_ACCESS_DESCRIPTION_value BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_ACCESS_DESCRIPTION_value)\n#define _sk_ASN1_INTEGER_num BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_ASN1_INTEGER_num)\n#define _sk_ASN1_INTEGER_push BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_ASN1_INTEGER_push)\n#define _sk_ASN1_INTEGER_value BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_ASN1_INTEGER_value)\n#define _sk_ASN1_OBJECT_call_cmp_func BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_ASN1_OBJECT_call_cmp_func)\n#define _sk_ASN1_OBJECT_call_copy_func BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_ASN1_OBJECT_call_copy_func)\n#define _sk_ASN1_OBJECT_call_free_func BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_ASN1_OBJECT_call_free_func)\n#define _sk_ASN1_OBJECT_deep_copy BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_ASN1_OBJECT_deep_copy)\n#define _sk_ASN1_OBJECT_dup BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_ASN1_OBJECT_dup)\n#define _sk_ASN1_OBJECT_find BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_ASN1_OBJECT_find)\n#define _sk_ASN1_OBJECT_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_ASN1_OBJECT_free)\n#define _sk_ASN1_OBJECT_is_sorted BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_ASN1_OBJECT_is_sorted)\n#define _sk_ASN1_OBJECT_new_null BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_ASN1_OBJECT_new_null)\n#define _sk_ASN1_OBJECT_num BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_ASN1_OBJECT_num)\n#define _sk_ASN1_OBJECT_pop_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_ASN1_OBJECT_pop_free)\n#define _sk_ASN1_OBJECT_push BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_ASN1_OBJECT_push)\n#define _sk_ASN1_OBJECT_set_cmp_func BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_ASN1_OBJECT_set_cmp_func)\n#define _sk_ASN1_OBJECT_sort BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_ASN1_OBJECT_sort)\n#define _sk_ASN1_OBJECT_value BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_ASN1_OBJECT_value)\n#define _sk_ASN1_TYPE_num BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_ASN1_TYPE_num)\n#define _sk_ASN1_TYPE_push BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_ASN1_TYPE_push)\n#define _sk_ASN1_TYPE_value BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_ASN1_TYPE_value)\n#define _sk_ASN1_VALUE_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_ASN1_VALUE_free)\n#define _sk_ASN1_VALUE_new_null BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_ASN1_VALUE_new_null)\n#define _sk_ASN1_VALUE_num BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_ASN1_VALUE_num)\n#define _sk_ASN1_VALUE_pop BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_ASN1_VALUE_pop)\n#define _sk_ASN1_VALUE_push BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_ASN1_VALUE_push)\n#define _sk_ASN1_VALUE_value BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_ASN1_VALUE_value)\n#define _sk_CONF_VALUE_call_free_func BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_CONF_VALUE_call_free_func)\n#define _sk_CONF_VALUE_delete_ptr BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_CONF_VALUE_delete_ptr)\n#define _sk_CONF_VALUE_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_CONF_VALUE_free)\n#define _sk_CONF_VALUE_new_null BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_CONF_VALUE_new_null)\n#define _sk_CONF_VALUE_num BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_CONF_VALUE_num)\n#define _sk_CONF_VALUE_pop BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_CONF_VALUE_pop)\n#define _sk_CONF_VALUE_pop_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_CONF_VALUE_pop_free)\n#define _sk_CONF_VALUE_push BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_CONF_VALUE_push)\n#define _sk_CONF_VALUE_value BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_CONF_VALUE_value)\n#define _sk_CRYPTO_BUFFER_call_copy_func BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_CRYPTO_BUFFER_call_copy_func)\n#define _sk_CRYPTO_BUFFER_call_free_func BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_CRYPTO_BUFFER_call_free_func)\n#define _sk_CRYPTO_BUFFER_deep_copy BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_CRYPTO_BUFFER_deep_copy)\n#define _sk_CRYPTO_BUFFER_new_null BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_CRYPTO_BUFFER_new_null)\n#define _sk_CRYPTO_BUFFER_num BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_CRYPTO_BUFFER_num)\n#define _sk_CRYPTO_BUFFER_pop BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_CRYPTO_BUFFER_pop)\n#define _sk_CRYPTO_BUFFER_pop_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_CRYPTO_BUFFER_pop_free)\n#define _sk_CRYPTO_BUFFER_push BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_CRYPTO_BUFFER_push)\n#define _sk_CRYPTO_BUFFER_set BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_CRYPTO_BUFFER_set)\n#define _sk_CRYPTO_BUFFER_value BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_CRYPTO_BUFFER_value)\n#define _sk_DIST_POINT_call_free_func BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_DIST_POINT_call_free_func)\n#define _sk_DIST_POINT_new_null BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_DIST_POINT_new_null)\n#define _sk_DIST_POINT_num BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_DIST_POINT_num)\n#define _sk_DIST_POINT_pop_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_DIST_POINT_pop_free)\n#define _sk_DIST_POINT_push BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_DIST_POINT_push)\n#define _sk_DIST_POINT_value BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_DIST_POINT_value)\n#define _sk_GENERAL_NAME_call_free_func BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_GENERAL_NAME_call_free_func)\n#define _sk_GENERAL_NAME_new_null BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_GENERAL_NAME_new_null)\n#define _sk_GENERAL_NAME_num BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_GENERAL_NAME_num)\n#define _sk_GENERAL_NAME_pop_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_GENERAL_NAME_pop_free)\n#define _sk_GENERAL_NAME_push BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_GENERAL_NAME_push)\n#define _sk_GENERAL_NAME_set BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_GENERAL_NAME_set)\n#define _sk_GENERAL_NAME_value BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_GENERAL_NAME_value)\n#define _sk_GENERAL_SUBTREE_new_null BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_GENERAL_SUBTREE_new_null)\n#define _sk_GENERAL_SUBTREE_num BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_GENERAL_SUBTREE_num)\n#define _sk_GENERAL_SUBTREE_push BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_GENERAL_SUBTREE_push)\n#define _sk_GENERAL_SUBTREE_value BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_GENERAL_SUBTREE_value)\n#define _sk_OPENSSL_STRING_call_cmp_func BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_OPENSSL_STRING_call_cmp_func)\n#define _sk_OPENSSL_STRING_call_copy_func BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_OPENSSL_STRING_call_copy_func)\n#define _sk_OPENSSL_STRING_call_free_func BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_OPENSSL_STRING_call_free_func)\n#define _sk_OPENSSL_STRING_deep_copy BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_OPENSSL_STRING_deep_copy)\n#define _sk_OPENSSL_STRING_find BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_OPENSSL_STRING_find)\n#define _sk_OPENSSL_STRING_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_OPENSSL_STRING_free)\n#define _sk_OPENSSL_STRING_new BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_OPENSSL_STRING_new)\n#define _sk_OPENSSL_STRING_new_null BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_OPENSSL_STRING_new_null)\n#define _sk_OPENSSL_STRING_num BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_OPENSSL_STRING_num)\n#define _sk_OPENSSL_STRING_pop_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_OPENSSL_STRING_pop_free)\n#define _sk_OPENSSL_STRING_push BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_OPENSSL_STRING_push)\n#define _sk_OPENSSL_STRING_sort BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_OPENSSL_STRING_sort)\n#define _sk_OPENSSL_STRING_value BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_OPENSSL_STRING_value)\n#define _sk_POLICYINFO_call_cmp_func BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_POLICYINFO_call_cmp_func)\n#define _sk_POLICYINFO_call_free_func BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_POLICYINFO_call_free_func)\n#define _sk_POLICYINFO_find BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_POLICYINFO_find)\n#define _sk_POLICYINFO_is_sorted BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_POLICYINFO_is_sorted)\n#define _sk_POLICYINFO_new_null BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_POLICYINFO_new_null)\n#define _sk_POLICYINFO_num BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_POLICYINFO_num)\n#define _sk_POLICYINFO_pop_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_POLICYINFO_pop_free)\n#define _sk_POLICYINFO_push BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_POLICYINFO_push)\n#define _sk_POLICYINFO_set_cmp_func BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_POLICYINFO_set_cmp_func)\n#define _sk_POLICYINFO_sort BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_POLICYINFO_sort)\n#define _sk_POLICYINFO_value BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_POLICYINFO_value)\n#define _sk_POLICYQUALINFO_new_null BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_POLICYQUALINFO_new_null)\n#define _sk_POLICYQUALINFO_num BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_POLICYQUALINFO_num)\n#define _sk_POLICYQUALINFO_push BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_POLICYQUALINFO_push)\n#define _sk_POLICYQUALINFO_value BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_POLICYQUALINFO_value)\n#define _sk_POLICY_MAPPING_call_cmp_func BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_POLICY_MAPPING_call_cmp_func)\n#define _sk_POLICY_MAPPING_call_free_func BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_POLICY_MAPPING_call_free_func)\n#define _sk_POLICY_MAPPING_find BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_POLICY_MAPPING_find)\n#define _sk_POLICY_MAPPING_is_sorted BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_POLICY_MAPPING_is_sorted)\n#define _sk_POLICY_MAPPING_new_null BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_POLICY_MAPPING_new_null)\n#define _sk_POLICY_MAPPING_num BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_POLICY_MAPPING_num)\n#define _sk_POLICY_MAPPING_pop_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_POLICY_MAPPING_pop_free)\n#define _sk_POLICY_MAPPING_push BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_POLICY_MAPPING_push)\n#define _sk_POLICY_MAPPING_set_cmp_func BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_POLICY_MAPPING_set_cmp_func)\n#define _sk_POLICY_MAPPING_sort BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_POLICY_MAPPING_sort)\n#define _sk_POLICY_MAPPING_value BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_POLICY_MAPPING_value)\n#define _sk_SRTP_PROTECTION_PROFILE_new_null BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_SRTP_PROTECTION_PROFILE_new_null)\n#define _sk_SRTP_PROTECTION_PROFILE_num BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_SRTP_PROTECTION_PROFILE_num)\n#define _sk_SRTP_PROTECTION_PROFILE_push BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_SRTP_PROTECTION_PROFILE_push)\n#define _sk_SSL_CIPHER_call_cmp_func BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_SSL_CIPHER_call_cmp_func)\n#define _sk_SSL_CIPHER_delete BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_SSL_CIPHER_delete)\n#define _sk_SSL_CIPHER_dup BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_SSL_CIPHER_dup)\n#define _sk_SSL_CIPHER_find BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_SSL_CIPHER_find)\n#define _sk_SSL_CIPHER_new_null BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_SSL_CIPHER_new_null)\n#define _sk_SSL_CIPHER_num BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_SSL_CIPHER_num)\n#define _sk_SSL_CIPHER_push BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_SSL_CIPHER_push)\n#define _sk_SSL_CIPHER_value BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_SSL_CIPHER_value)\n#define _sk_TRUST_TOKEN_PRETOKEN_call_free_func BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_TRUST_TOKEN_PRETOKEN_call_free_func)\n#define _sk_TRUST_TOKEN_PRETOKEN_new_null BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_TRUST_TOKEN_PRETOKEN_new_null)\n#define _sk_TRUST_TOKEN_PRETOKEN_num BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_TRUST_TOKEN_PRETOKEN_num)\n#define _sk_TRUST_TOKEN_PRETOKEN_pop_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_TRUST_TOKEN_PRETOKEN_pop_free)\n#define _sk_TRUST_TOKEN_PRETOKEN_push BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_TRUST_TOKEN_PRETOKEN_push)\n#define _sk_TRUST_TOKEN_PRETOKEN_value BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_TRUST_TOKEN_PRETOKEN_value)\n#define _sk_TRUST_TOKEN_call_free_func BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_TRUST_TOKEN_call_free_func)\n#define _sk_TRUST_TOKEN_new_null BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_TRUST_TOKEN_new_null)\n#define _sk_TRUST_TOKEN_pop_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_TRUST_TOKEN_pop_free)\n#define _sk_TRUST_TOKEN_push BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_TRUST_TOKEN_push)\n#define _sk_X509_ATTRIBUTE_delete BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_X509_ATTRIBUTE_delete)\n#define _sk_X509_ATTRIBUTE_new_null BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_X509_ATTRIBUTE_new_null)\n#define _sk_X509_ATTRIBUTE_num BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_X509_ATTRIBUTE_num)\n#define _sk_X509_ATTRIBUTE_push BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_X509_ATTRIBUTE_push)\n#define _sk_X509_ATTRIBUTE_value BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_X509_ATTRIBUTE_value)\n#define _sk_X509_CRL_call_free_func BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_X509_CRL_call_free_func)\n#define _sk_X509_CRL_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_X509_CRL_free)\n#define _sk_X509_CRL_new_null BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_X509_CRL_new_null)\n#define _sk_X509_CRL_num BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_X509_CRL_num)\n#define _sk_X509_CRL_pop BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_X509_CRL_pop)\n#define _sk_X509_CRL_pop_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_X509_CRL_pop_free)\n#define _sk_X509_CRL_push BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_X509_CRL_push)\n#define _sk_X509_CRL_value BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_X509_CRL_value)\n#define _sk_X509_EXTENSION_call_free_func BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_X509_EXTENSION_call_free_func)\n#define _sk_X509_EXTENSION_delete BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_X509_EXTENSION_delete)\n#define _sk_X509_EXTENSION_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_X509_EXTENSION_free)\n#define _sk_X509_EXTENSION_insert BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_X509_EXTENSION_insert)\n#define _sk_X509_EXTENSION_new_null BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_X509_EXTENSION_new_null)\n#define _sk_X509_EXTENSION_num BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_X509_EXTENSION_num)\n#define _sk_X509_EXTENSION_pop_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_X509_EXTENSION_pop_free)\n#define _sk_X509_EXTENSION_push BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_X509_EXTENSION_push)\n#define _sk_X509_EXTENSION_set BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_X509_EXTENSION_set)\n#define _sk_X509_EXTENSION_value BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_X509_EXTENSION_value)\n#define _sk_X509_INFO_call_free_func BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_X509_INFO_call_free_func)\n#define _sk_X509_INFO_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_X509_INFO_free)\n#define _sk_X509_INFO_new_null BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_X509_INFO_new_null)\n#define _sk_X509_INFO_num BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_X509_INFO_num)\n#define _sk_X509_INFO_pop BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_X509_INFO_pop)\n#define _sk_X509_INFO_pop_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_X509_INFO_pop_free)\n#define _sk_X509_INFO_push BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_X509_INFO_push)\n#define _sk_X509_INFO_value BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_X509_INFO_value)\n#define _sk_X509_LOOKUP_call_free_func BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_X509_LOOKUP_call_free_func)\n#define _sk_X509_LOOKUP_new_null BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_X509_LOOKUP_new_null)\n#define _sk_X509_LOOKUP_num BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_X509_LOOKUP_num)\n#define _sk_X509_LOOKUP_pop_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_X509_LOOKUP_pop_free)\n#define _sk_X509_LOOKUP_push BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_X509_LOOKUP_push)\n#define _sk_X509_LOOKUP_value BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_X509_LOOKUP_value)\n#define _sk_X509_NAME_ENTRY_call_free_func BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_X509_NAME_ENTRY_call_free_func)\n#define _sk_X509_NAME_ENTRY_delete BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_X509_NAME_ENTRY_delete)\n#define _sk_X509_NAME_ENTRY_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_X509_NAME_ENTRY_free)\n#define _sk_X509_NAME_ENTRY_insert BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_X509_NAME_ENTRY_insert)\n#define _sk_X509_NAME_ENTRY_new_null BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_X509_NAME_ENTRY_new_null)\n#define _sk_X509_NAME_ENTRY_num BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_X509_NAME_ENTRY_num)\n#define _sk_X509_NAME_ENTRY_pop_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_X509_NAME_ENTRY_pop_free)\n#define _sk_X509_NAME_ENTRY_push BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_X509_NAME_ENTRY_push)\n#define _sk_X509_NAME_ENTRY_set BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_X509_NAME_ENTRY_set)\n#define _sk_X509_NAME_ENTRY_value BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_X509_NAME_ENTRY_value)\n#define _sk_X509_NAME_call_cmp_func BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_X509_NAME_call_cmp_func)\n#define _sk_X509_NAME_call_copy_func BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_X509_NAME_call_copy_func)\n#define _sk_X509_NAME_call_free_func BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_X509_NAME_call_free_func)\n#define _sk_X509_NAME_deep_copy BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_X509_NAME_deep_copy)\n#define _sk_X509_NAME_find BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_X509_NAME_find)\n#define _sk_X509_NAME_new BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_X509_NAME_new)\n#define _sk_X509_NAME_new_null BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_X509_NAME_new_null)\n#define _sk_X509_NAME_num BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_X509_NAME_num)\n#define _sk_X509_NAME_pop_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_X509_NAME_pop_free)\n#define _sk_X509_NAME_set BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_X509_NAME_set)\n#define _sk_X509_NAME_set_cmp_func BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_X509_NAME_set_cmp_func)\n#define _sk_X509_NAME_sort BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_X509_NAME_sort)\n#define _sk_X509_NAME_value BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_X509_NAME_value)\n#define _sk_X509_OBJECT_call_cmp_func BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_X509_OBJECT_call_cmp_func)\n#define _sk_X509_OBJECT_call_copy_func BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_X509_OBJECT_call_copy_func)\n#define _sk_X509_OBJECT_call_free_func BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_X509_OBJECT_call_free_func)\n#define _sk_X509_OBJECT_deep_copy BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_X509_OBJECT_deep_copy)\n#define _sk_X509_OBJECT_find BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_X509_OBJECT_find)\n#define _sk_X509_OBJECT_new BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_X509_OBJECT_new)\n#define _sk_X509_OBJECT_num BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_X509_OBJECT_num)\n#define _sk_X509_OBJECT_pop_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_X509_OBJECT_pop_free)\n#define _sk_X509_OBJECT_push BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_X509_OBJECT_push)\n#define _sk_X509_OBJECT_sort BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_X509_OBJECT_sort)\n#define _sk_X509_OBJECT_value BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_X509_OBJECT_value)\n#define _sk_X509_REVOKED_call_cmp_func BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_X509_REVOKED_call_cmp_func)\n#define _sk_X509_REVOKED_find BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_X509_REVOKED_find)\n#define _sk_X509_REVOKED_is_sorted BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_X509_REVOKED_is_sorted)\n#define _sk_X509_REVOKED_new BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_X509_REVOKED_new)\n#define _sk_X509_REVOKED_num BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_X509_REVOKED_num)\n#define _sk_X509_REVOKED_push BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_X509_REVOKED_push)\n#define _sk_X509_REVOKED_set_cmp_func BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_X509_REVOKED_set_cmp_func)\n#define _sk_X509_REVOKED_sort BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_X509_REVOKED_sort)\n#define _sk_X509_REVOKED_value BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_X509_REVOKED_value)\n#define _sk_X509_call_free_func BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_X509_call_free_func)\n#define _sk_X509_delete BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_X509_delete)\n#define _sk_X509_delete_ptr BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_X509_delete_ptr)\n#define _sk_X509_dup BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_X509_dup)\n#define _sk_X509_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_X509_free)\n#define _sk_X509_new_null BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_X509_new_null)\n#define _sk_X509_num BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_X509_num)\n#define _sk_X509_pop BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_X509_pop)\n#define _sk_X509_pop_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_X509_pop_free)\n#define _sk_X509_push BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_X509_push)\n#define _sk_X509_set BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_X509_set)\n#define _sk_X509_shift BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_X509_shift)\n#define _sk_X509_value BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_X509_value)\n#define _sk_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_free)\n#define _sk_new_null BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_new_null)\n#define _sk_num BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_num)\n#define _sk_pop BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_pop)\n#define _sk_pop_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_pop_free)\n#define _sk_pop_free_ex BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_pop_free_ex)\n#define _sk_push BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_push)\n#define _sk_value BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_value)\n#define _sk_void_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_void_free)\n#define _sk_void_new_null BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_void_new_null)\n#define _sk_void_num BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_void_num)\n#define _sk_void_push BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_void_push)\n#define _sk_void_set BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_void_set)\n#define _sk_void_value BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_void_value)\n#define _slhdsa_copy_keypair_addr BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, slhdsa_copy_keypair_addr)\n#define _slhdsa_fors_pk_from_sig BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, slhdsa_fors_pk_from_sig)\n#define _slhdsa_fors_sign BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, slhdsa_fors_sign)\n#define _slhdsa_fors_sk_gen BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, slhdsa_fors_sk_gen)\n#define _slhdsa_fors_treehash BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, slhdsa_fors_treehash)\n#define _slhdsa_get_tree_index BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, slhdsa_get_tree_index)\n#define _slhdsa_ht_sign BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, slhdsa_ht_sign)\n#define _slhdsa_ht_verify BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, slhdsa_ht_verify)\n#define _slhdsa_set_chain_addr BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, slhdsa_set_chain_addr)\n#define _slhdsa_set_hash_addr BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, slhdsa_set_hash_addr)\n#define _slhdsa_set_keypair_addr BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, slhdsa_set_keypair_addr)\n#define _slhdsa_set_layer_addr BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, slhdsa_set_layer_addr)\n#define _slhdsa_set_tree_addr BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, slhdsa_set_tree_addr)\n#define _slhdsa_set_tree_height BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, slhdsa_set_tree_height)\n#define _slhdsa_set_tree_index BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, slhdsa_set_tree_index)\n#define _slhdsa_set_type BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, slhdsa_set_type)\n#define _slhdsa_thash_f BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, slhdsa_thash_f)\n#define _slhdsa_thash_h BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, slhdsa_thash_h)\n#define _slhdsa_thash_hmsg BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, slhdsa_thash_hmsg)\n#define _slhdsa_thash_prf BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, slhdsa_thash_prf)\n#define _slhdsa_thash_prfmsg BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, slhdsa_thash_prfmsg)\n#define _slhdsa_thash_tk BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, slhdsa_thash_tk)\n#define _slhdsa_thash_tl BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, slhdsa_thash_tl)\n#define _slhdsa_treehash BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, slhdsa_treehash)\n#define _slhdsa_wots_pk_from_sig BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, slhdsa_wots_pk_from_sig)\n#define _slhdsa_wots_pk_gen BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, slhdsa_wots_pk_gen)\n#define _slhdsa_wots_sign BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, slhdsa_wots_sign)\n#define _slhdsa_xmss_pk_from_sig BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, slhdsa_xmss_pk_from_sig)\n#define _slhdsa_xmss_sign BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, slhdsa_xmss_sign)\n#define _v2i_GENERAL_NAME BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, v2i_GENERAL_NAME)\n#define _v2i_GENERAL_NAMES BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, v2i_GENERAL_NAMES)\n#define _v2i_GENERAL_NAME_ex BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, v2i_GENERAL_NAME_ex)\n#define _v3_akey_id BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, v3_akey_id)\n#define _v3_alt BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, v3_alt)\n#define _v3_bcons BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, v3_bcons)\n#define _v3_cpols BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, v3_cpols)\n#define _v3_crl_invdate BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, v3_crl_invdate)\n#define _v3_crl_num BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, v3_crl_num)\n#define _v3_crl_reason BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, v3_crl_reason)\n#define _v3_crld BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, v3_crld)\n#define _v3_delta_crl BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, v3_delta_crl)\n#define _v3_ext_ku BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, v3_ext_ku)\n#define _v3_freshest_crl BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, v3_freshest_crl)\n#define _v3_idp BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, v3_idp)\n#define _v3_info BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, v3_info)\n#define _v3_inhibit_anyp BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, v3_inhibit_anyp)\n#define _v3_key_usage BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, v3_key_usage)\n#define _v3_name_constraints BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, v3_name_constraints)\n#define _v3_ns_ia5_list BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, v3_ns_ia5_list)\n#define _v3_nscert BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, v3_nscert)\n#define _v3_ocsp_accresp BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, v3_ocsp_accresp)\n#define _v3_ocsp_nocheck BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, v3_ocsp_nocheck)\n#define _v3_policy_constraints BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, v3_policy_constraints)\n#define _v3_policy_mappings BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, v3_policy_mappings)\n#define _v3_sinfo BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, v3_sinfo)\n#define _v3_skey_id BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, v3_skey_id)\n#define _voprf_exp2_blind BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, voprf_exp2_blind)\n#define _voprf_exp2_client_key_from_bytes BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, voprf_exp2_client_key_from_bytes)\n#define _voprf_exp2_derive_key_from_secret BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, voprf_exp2_derive_key_from_secret)\n#define _voprf_exp2_generate_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, voprf_exp2_generate_key)\n#define _voprf_exp2_issuer_key_from_bytes BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, voprf_exp2_issuer_key_from_bytes)\n#define _voprf_exp2_read BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, voprf_exp2_read)\n#define _voprf_exp2_sign BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, voprf_exp2_sign)\n#define _voprf_exp2_unblind BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, voprf_exp2_unblind)\n#define _voprf_pst1_blind BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, voprf_pst1_blind)\n#define _voprf_pst1_client_key_from_bytes BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, voprf_pst1_client_key_from_bytes)\n#define _voprf_pst1_derive_key_from_secret BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, voprf_pst1_derive_key_from_secret)\n#define _voprf_pst1_generate_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, voprf_pst1_generate_key)\n#define _voprf_pst1_issuer_key_from_bytes BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, voprf_pst1_issuer_key_from_bytes)\n#define _voprf_pst1_read BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, voprf_pst1_read)\n#define _voprf_pst1_sign BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, voprf_pst1_sign)\n#define _voprf_pst1_sign_with_proof_scalar_for_testing BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, voprf_pst1_sign_with_proof_scalar_for_testing)\n#define _voprf_pst1_unblind BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, voprf_pst1_unblind)\n#define _vpaes_capable BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, vpaes_capable)\n#define _vpaes_cbc_encrypt BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, vpaes_cbc_encrypt)\n#define _vpaes_ctr32_encrypt_blocks BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, vpaes_ctr32_encrypt_blocks)\n#define _vpaes_decrypt BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, vpaes_decrypt)\n#define _vpaes_decrypt_key_to_bsaes BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, vpaes_decrypt_key_to_bsaes)\n#define _vpaes_encrypt BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, vpaes_encrypt)\n#define _vpaes_set_decrypt_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, vpaes_set_decrypt_key)\n#define _vpaes_set_encrypt_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, vpaes_set_encrypt_key)\n#define _x25519_asn1_meth BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, x25519_asn1_meth)\n#define _x25519_ge_add BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, x25519_ge_add)\n#define _x25519_ge_frombytes_vartime BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, x25519_ge_frombytes_vartime)\n#define _x25519_ge_p1p1_to_p2 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, x25519_ge_p1p1_to_p2)\n#define _x25519_ge_p1p1_to_p3 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, x25519_ge_p1p1_to_p3)\n#define _x25519_ge_p3_to_cached BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, x25519_ge_p3_to_cached)\n#define _x25519_ge_scalarmult BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, x25519_ge_scalarmult)\n#define _x25519_ge_scalarmult_base BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, x25519_ge_scalarmult_base)\n#define _x25519_ge_scalarmult_base_adx BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, x25519_ge_scalarmult_base_adx)\n#define _x25519_ge_scalarmult_small_precomp BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, x25519_ge_scalarmult_small_precomp)\n#define _x25519_ge_sub BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, x25519_ge_sub)\n#define _x25519_ge_tobytes BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, x25519_ge_tobytes)\n#define _x25519_pkey_meth BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, x25519_pkey_meth)\n#define _x25519_sc_reduce BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, x25519_sc_reduce)\n#define _x25519_scalar_mult_adx BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, x25519_scalar_mult_adx)\n#define _x509V3_add_value_asn1_string BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, x509V3_add_value_asn1_string)\n#define _x509_check_issued_with_callback BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, x509_check_issued_with_callback)\n#define _x509_digest_sign_algorithm BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, x509_digest_sign_algorithm)\n#define _x509_digest_verify_init BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, x509_digest_verify_init)\n#define _x509_print_rsa_pss_params BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, x509_print_rsa_pss_params)\n#define _x509_rsa_ctx_to_pss BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, x509_rsa_ctx_to_pss)\n#define _x509_rsa_pss_to_ctx BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, x509_rsa_pss_to_ctx)\n#define _x509v3_a2i_ipadd BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, x509v3_a2i_ipadd)\n#define _x509v3_bytes_to_hex BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, x509v3_bytes_to_hex)\n#define _x509v3_cache_extensions BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, x509v3_cache_extensions)\n#define _x509v3_conf_name_matches BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, x509v3_conf_name_matches)\n#define _x509v3_hex_to_bytes BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, x509v3_hex_to_bytes)\n#define _x509v3_looks_like_dns_name BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, x509v3_looks_like_dns_name)\n#endif\n" }, { "path": "Sources/CNIOBoringSSL/include/CNIOBoringSSL_buf.h", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#ifndef OPENSSL_HEADER_BUFFER_H\n#define OPENSSL_HEADER_BUFFER_H\n\n#include \"CNIOBoringSSL_base.h\"\n\n#if defined(__cplusplus)\nextern \"C\" {\n#endif\n\n\n// Memory and string functions, see also mem.h.\n\n\n// buf_mem_st (aka |BUF_MEM|) is a generic buffer object used by OpenSSL.\nstruct buf_mem_st {\n size_t length; // current number of bytes\n char *data;\n size_t max; // size of buffer\n};\n\n// BUF_MEM_new creates a new BUF_MEM which has no allocated data buffer.\nOPENSSL_EXPORT BUF_MEM *BUF_MEM_new(void);\n\n// BUF_MEM_free frees |buf->data| if needed and then frees |buf| itself.\nOPENSSL_EXPORT void BUF_MEM_free(BUF_MEM *buf);\n\n// BUF_MEM_reserve ensures |buf| has capacity |cap| and allocates memory if\n// needed. It returns one on success and zero on error.\nOPENSSL_EXPORT int BUF_MEM_reserve(BUF_MEM *buf, size_t cap);\n\n// BUF_MEM_grow ensures that |buf| has length |len| and allocates memory if\n// needed. If the length of |buf| increased, the new bytes are filled with\n// zeros. It returns the length of |buf|, or zero if there's an error.\nOPENSSL_EXPORT size_t BUF_MEM_grow(BUF_MEM *buf, size_t len);\n\n// BUF_MEM_grow_clean calls |BUF_MEM_grow|. BoringSSL always zeros memory\n// allocated memory on free.\nOPENSSL_EXPORT size_t BUF_MEM_grow_clean(BUF_MEM *buf, size_t len);\n\n// BUF_MEM_append appends |in| to |buf|. It returns one on success and zero on\n// error.\nOPENSSL_EXPORT int BUF_MEM_append(BUF_MEM *buf, const void *in, size_t len);\n\n\n// Deprecated functions.\n\n// BUF_strdup calls |OPENSSL_strdup|.\nOPENSSL_EXPORT char *BUF_strdup(const char *str);\n\n// BUF_strnlen calls |OPENSSL_strnlen|.\nOPENSSL_EXPORT size_t BUF_strnlen(const char *str, size_t max_len);\n\n// BUF_strndup calls |OPENSSL_strndup|.\nOPENSSL_EXPORT char *BUF_strndup(const char *str, size_t size);\n\n// BUF_memdup calls |OPENSSL_memdup|.\nOPENSSL_EXPORT void *BUF_memdup(const void *data, size_t size);\n\n// BUF_strlcpy calls |OPENSSL_strlcpy|.\nOPENSSL_EXPORT size_t BUF_strlcpy(char *dst, const char *src, size_t dst_size);\n\n// BUF_strlcat calls |OPENSSL_strlcat|.\nOPENSSL_EXPORT size_t BUF_strlcat(char *dst, const char *src, size_t dst_size);\n\n\n#if defined(__cplusplus)\n} // extern C\n\nextern \"C++\" {\n\nBSSL_NAMESPACE_BEGIN\n\nBORINGSSL_MAKE_DELETER(BUF_MEM, BUF_MEM_free)\n\nBSSL_NAMESPACE_END\n\n} // extern C++\n\n#endif\n\n#endif // OPENSSL_HEADER_BUFFER_H\n" }, { "path": "Sources/CNIOBoringSSL/include/CNIOBoringSSL_buffer.h", "content": "/* Copyright 2015 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n/* This header is provided in order to make compiling against code that expects\n OpenSSL easier. */\n\n#include \"CNIOBoringSSL_buf.h\"\n" }, { "path": "Sources/CNIOBoringSSL/include/CNIOBoringSSL_bytestring.h", "content": "/* Copyright 2014 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n#ifndef OPENSSL_HEADER_BYTESTRING_H\n#define OPENSSL_HEADER_BYTESTRING_H\n\n#include \"CNIOBoringSSL_base.h\"\n\n#include \"CNIOBoringSSL_span.h\"\n#include \n\n#if defined(__cplusplus)\nextern \"C\" {\n#endif\n\n\n// Bytestrings are used for parsing and building TLS and ASN.1 messages.\n//\n// A \"CBS\" (CRYPTO ByteString) represents a string of bytes in memory and\n// provides utility functions for safely parsing length-prefixed structures\n// like TLS and ASN.1 from it.\n//\n// A \"CBB\" (CRYPTO ByteBuilder) is a memory buffer that grows as needed and\n// provides utility functions for building length-prefixed messages.\n\n\n// CRYPTO ByteString\n\nstruct cbs_st {\n const uint8_t *data;\n size_t len;\n\n#if !defined(BORINGSSL_NO_CXX)\n // Allow implicit conversions to and from bssl::Span.\n cbs_st(bssl::Span span)\n : data(span.data()), len(span.size()) {}\n operator bssl::Span() const { return bssl::Span(data, len); }\n\n // Defining any constructors requires we explicitly default the others.\n cbs_st() = default;\n cbs_st(const cbs_st &) = default;\n cbs_st &operator=(const cbs_st &) = default;\n#endif\n};\n\n// CBS_init sets |cbs| to point to |data|. It does not take ownership of\n// |data|.\nOPENSSL_INLINE void CBS_init(CBS *cbs, const uint8_t *data, size_t len) {\n cbs->data = data;\n cbs->len = len;\n}\n\n// CBS_skip advances |cbs| by |len| bytes. It returns one on success and zero\n// otherwise.\nOPENSSL_EXPORT int CBS_skip(CBS *cbs, size_t len);\n\n// CBS_data returns a pointer to the contents of |cbs|.\nOPENSSL_INLINE const uint8_t *CBS_data(const CBS *cbs) { return cbs->data; }\n\n// CBS_len returns the number of bytes remaining in |cbs|.\nOPENSSL_INLINE size_t CBS_len(const CBS *cbs) { return cbs->len; }\n\n// CBS_stow copies the current contents of |cbs| into |*out_ptr| and\n// |*out_len|. If |*out_ptr| is not NULL, the contents are freed with\n// OPENSSL_free. It returns one on success and zero on allocation failure. On\n// success, |*out_ptr| should be freed with OPENSSL_free. If |cbs| is empty,\n// |*out_ptr| will be NULL.\nOPENSSL_EXPORT int CBS_stow(const CBS *cbs, uint8_t **out_ptr, size_t *out_len);\n\n// CBS_strdup copies the current contents of |cbs| into |*out_ptr| as a\n// NUL-terminated C string. If |*out_ptr| is not NULL, the contents are freed\n// with OPENSSL_free. It returns one on success and zero on allocation\n// failure. On success, |*out_ptr| should be freed with OPENSSL_free.\n//\n// NOTE: If |cbs| contains NUL bytes, the string will be truncated. Call\n// |CBS_contains_zero_byte(cbs)| to check for NUL bytes.\nOPENSSL_EXPORT int CBS_strdup(const CBS *cbs, char **out_ptr);\n\n// CBS_contains_zero_byte returns one if the current contents of |cbs| contains\n// a NUL byte and zero otherwise.\nOPENSSL_EXPORT int CBS_contains_zero_byte(const CBS *cbs);\n\n// CBS_mem_equal compares the current contents of |cbs| with the |len| bytes\n// starting at |data|. If they're equal, it returns one, otherwise zero. If the\n// lengths match, it uses a constant-time comparison.\nOPENSSL_EXPORT int CBS_mem_equal(const CBS *cbs, const uint8_t *data,\n size_t len);\n\n// CBS_get_u8 sets |*out| to the next uint8_t from |cbs| and advances |cbs|. It\n// returns one on success and zero on error.\nOPENSSL_EXPORT int CBS_get_u8(CBS *cbs, uint8_t *out);\n\n// CBS_get_u16 sets |*out| to the next, big-endian uint16_t from |cbs| and\n// advances |cbs|. It returns one on success and zero on error.\nOPENSSL_EXPORT int CBS_get_u16(CBS *cbs, uint16_t *out);\n\n// CBS_get_u16le sets |*out| to the next, little-endian uint16_t from |cbs| and\n// advances |cbs|. It returns one on success and zero on error.\nOPENSSL_EXPORT int CBS_get_u16le(CBS *cbs, uint16_t *out);\n\n// CBS_get_u24 sets |*out| to the next, big-endian 24-bit value from |cbs| and\n// advances |cbs|. It returns one on success and zero on error.\nOPENSSL_EXPORT int CBS_get_u24(CBS *cbs, uint32_t *out);\n\n// CBS_get_u32 sets |*out| to the next, big-endian uint32_t value from |cbs|\n// and advances |cbs|. It returns one on success and zero on error.\nOPENSSL_EXPORT int CBS_get_u32(CBS *cbs, uint32_t *out);\n\n// CBS_get_u32le sets |*out| to the next, little-endian uint32_t value from\n// |cbs| and advances |cbs|. It returns one on success and zero on error.\nOPENSSL_EXPORT int CBS_get_u32le(CBS *cbs, uint32_t *out);\n\n// CBS_get_u64 sets |*out| to the next, big-endian uint64_t value from |cbs|\n// and advances |cbs|. It returns one on success and zero on error.\nOPENSSL_EXPORT int CBS_get_u64(CBS *cbs, uint64_t *out);\n\n// CBS_get_u64le sets |*out| to the next, little-endian uint64_t value from\n// |cbs| and advances |cbs|. It returns one on success and zero on error.\nOPENSSL_EXPORT int CBS_get_u64le(CBS *cbs, uint64_t *out);\n\n// CBS_get_last_u8 sets |*out| to the last uint8_t from |cbs| and shortens\n// |cbs|. It returns one on success and zero on error.\nOPENSSL_EXPORT int CBS_get_last_u8(CBS *cbs, uint8_t *out);\n\n// CBS_get_bytes sets |*out| to the next |len| bytes from |cbs| and advances\n// |cbs|. It returns one on success and zero on error.\nOPENSSL_EXPORT int CBS_get_bytes(CBS *cbs, CBS *out, size_t len);\n\n// CBS_copy_bytes copies the next |len| bytes from |cbs| to |out| and advances\n// |cbs|. It returns one on success and zero on error.\nOPENSSL_EXPORT int CBS_copy_bytes(CBS *cbs, uint8_t *out, size_t len);\n\n// CBS_get_u8_length_prefixed sets |*out| to the contents of an 8-bit,\n// length-prefixed value from |cbs| and advances |cbs| over it. It returns one\n// on success and zero on error.\nOPENSSL_EXPORT int CBS_get_u8_length_prefixed(CBS *cbs, CBS *out);\n\n// CBS_get_u16_length_prefixed sets |*out| to the contents of a 16-bit,\n// big-endian, length-prefixed value from |cbs| and advances |cbs| over it. It\n// returns one on success and zero on error.\nOPENSSL_EXPORT int CBS_get_u16_length_prefixed(CBS *cbs, CBS *out);\n\n// CBS_get_u24_length_prefixed sets |*out| to the contents of a 24-bit,\n// big-endian, length-prefixed value from |cbs| and advances |cbs| over it. It\n// returns one on success and zero on error.\nOPENSSL_EXPORT int CBS_get_u24_length_prefixed(CBS *cbs, CBS *out);\n\n// CBS_get_until_first finds the first instance of |c| in |cbs|. If found, it\n// sets |*out| to the text before the match, advances |cbs| over it, and returns\n// one. Otherwise, it returns zero and leaves |cbs| unmodified.\nOPENSSL_EXPORT int CBS_get_until_first(CBS *cbs, CBS *out, uint8_t c);\n\n// CBS_get_u64_decimal reads a decimal integer from |cbs| and writes it to\n// |*out|. It stops reading at the end of the string, or the first non-digit\n// character. It returns one on success and zero on error. This function behaves\n// analogously to |strtoul| except it does not accept empty inputs, leading\n// zeros, or negative values.\nOPENSSL_EXPORT int CBS_get_u64_decimal(CBS *cbs, uint64_t *out);\n\n\n// Parsing ASN.1\n//\n// |CBS| may be used to parse DER structures. Rather than using a schema\n// compiler, the following functions act on tag-length-value elements in the\n// serialization itself. Thus the caller is responsible for looping over a\n// SEQUENCE, branching on CHOICEs or OPTIONAL fields, checking for trailing\n// data, and handling explict vs. implicit tagging.\n//\n// Tags are represented as |CBS_ASN1_TAG| values in memory. The upper few bits\n// store the class and constructed bit, and the remaining bits store the tag\n// number. Note this differs from the DER serialization, to support tag numbers\n// beyond 31. Consumers must use the constants defined below to decompose or\n// assemble tags.\n//\n// This library treats an element's constructed bit as part of its tag. In DER,\n// the constructed bit is computable from the type. The constants for universal\n// types have the bit set. Callers must set it correctly for tagged types.\n// Explicitly-tagged types are always constructed, and implicitly-tagged types\n// inherit the underlying type's bit.\n\n// CBS_ASN1_TAG_SHIFT is how much the in-memory representation shifts the class\n// and constructed bits from the DER serialization.\n#define CBS_ASN1_TAG_SHIFT 24\n\n// CBS_ASN1_CONSTRUCTED may be ORed into a tag to set the constructed bit.\n#define CBS_ASN1_CONSTRUCTED (0x20u << CBS_ASN1_TAG_SHIFT)\n\n// The following values specify the tag class and may be ORed into a tag number\n// to produce the final tag. If none is used, the tag will be UNIVERSAL.\n#define CBS_ASN1_UNIVERSAL (0u << CBS_ASN1_TAG_SHIFT)\n#define CBS_ASN1_APPLICATION (0x40u << CBS_ASN1_TAG_SHIFT)\n#define CBS_ASN1_CONTEXT_SPECIFIC (0x80u << CBS_ASN1_TAG_SHIFT)\n#define CBS_ASN1_PRIVATE (0xc0u << CBS_ASN1_TAG_SHIFT)\n\n// CBS_ASN1_CLASS_MASK may be ANDed with a tag to query its class. This will\n// give one of the four values above.\n#define CBS_ASN1_CLASS_MASK (0xc0u << CBS_ASN1_TAG_SHIFT)\n\n// CBS_ASN1_TAG_NUMBER_MASK may be ANDed with a tag to query its number.\n#define CBS_ASN1_TAG_NUMBER_MASK ((1u << (5 + CBS_ASN1_TAG_SHIFT)) - 1)\n\n// The following values are constants for UNIVERSAL tags. Note these constants\n// include the constructed bit.\n#define CBS_ASN1_BOOLEAN 0x1u\n#define CBS_ASN1_INTEGER 0x2u\n#define CBS_ASN1_BITSTRING 0x3u\n#define CBS_ASN1_OCTETSTRING 0x4u\n#define CBS_ASN1_NULL 0x5u\n#define CBS_ASN1_OBJECT 0x6u\n#define CBS_ASN1_ENUMERATED 0xau\n#define CBS_ASN1_UTF8STRING 0xcu\n#define CBS_ASN1_SEQUENCE (0x10u | CBS_ASN1_CONSTRUCTED)\n#define CBS_ASN1_SET (0x11u | CBS_ASN1_CONSTRUCTED)\n#define CBS_ASN1_NUMERICSTRING 0x12u\n#define CBS_ASN1_PRINTABLESTRING 0x13u\n#define CBS_ASN1_T61STRING 0x14u\n#define CBS_ASN1_VIDEOTEXSTRING 0x15u\n#define CBS_ASN1_IA5STRING 0x16u\n#define CBS_ASN1_UTCTIME 0x17u\n#define CBS_ASN1_GENERALIZEDTIME 0x18u\n#define CBS_ASN1_GRAPHICSTRING 0x19u\n#define CBS_ASN1_VISIBLESTRING 0x1au\n#define CBS_ASN1_GENERALSTRING 0x1bu\n#define CBS_ASN1_UNIVERSALSTRING 0x1cu\n#define CBS_ASN1_BMPSTRING 0x1eu\n\n// CBS_get_asn1 sets |*out| to the contents of DER-encoded, ASN.1 element (not\n// including tag and length bytes) and advances |cbs| over it. The ASN.1\n// element must match |tag_value|. It returns one on success and zero\n// on error.\nOPENSSL_EXPORT int CBS_get_asn1(CBS *cbs, CBS *out, CBS_ASN1_TAG tag_value);\n\n// CBS_get_asn1_element acts like |CBS_get_asn1| but |out| will include the\n// ASN.1 header bytes too.\nOPENSSL_EXPORT int CBS_get_asn1_element(CBS *cbs, CBS *out,\n CBS_ASN1_TAG tag_value);\n\n// CBS_peek_asn1_tag looks ahead at the next ASN.1 tag and returns one\n// if the next ASN.1 element on |cbs| would have tag |tag_value|. If\n// |cbs| is empty or the tag does not match, it returns zero. Note: if\n// it returns one, CBS_get_asn1 may still fail if the rest of the\n// element is malformed.\nOPENSSL_EXPORT int CBS_peek_asn1_tag(const CBS *cbs, CBS_ASN1_TAG tag_value);\n\n// CBS_get_any_asn1 sets |*out| to contain the next ASN.1 element from |*cbs|\n// (not including tag and length bytes), sets |*out_tag| to the tag number, and\n// advances |*cbs|. It returns one on success and zero on error. Either of |out|\n// and |out_tag| may be NULL to ignore the value.\nOPENSSL_EXPORT int CBS_get_any_asn1(CBS *cbs, CBS *out,\n CBS_ASN1_TAG *out_tag);\n\n// CBS_get_any_asn1_element sets |*out| to contain the next ASN.1 element from\n// |*cbs| (including header bytes) and advances |*cbs|. It sets |*out_tag| to\n// the tag number and |*out_header_len| to the length of the ASN.1 header. Each\n// of |out|, |out_tag|, and |out_header_len| may be NULL to ignore the value.\nOPENSSL_EXPORT int CBS_get_any_asn1_element(CBS *cbs, CBS *out,\n CBS_ASN1_TAG *out_tag,\n size_t *out_header_len);\n\n// CBS_get_any_ber_asn1_element acts the same as |CBS_get_any_asn1_element| but\n// also allows indefinite-length elements to be returned and does not enforce\n// that lengths are minimal. It sets |*out_indefinite| to one if the length was\n// indefinite and zero otherwise. If indefinite, |*out_header_len| and\n// |CBS_len(out)| will be equal as only the header is returned (although this is\n// also true for empty elements so |*out_indefinite| should be checked). If\n// |out_ber_found| is not NULL then it is set to one if any case of invalid DER\n// but valid BER is found, and to zero otherwise.\n//\n// This function will not successfully parse an end-of-contents (EOC) as an\n// element. Callers parsing indefinite-length encoding must check for EOC\n// separately.\nOPENSSL_EXPORT int CBS_get_any_ber_asn1_element(CBS *cbs, CBS *out,\n CBS_ASN1_TAG *out_tag,\n size_t *out_header_len,\n int *out_ber_found,\n int *out_indefinite);\n\n// CBS_get_asn1_uint64 gets an ASN.1 INTEGER from |cbs| using |CBS_get_asn1|\n// and sets |*out| to its value. It returns one on success and zero on error,\n// where error includes the integer being negative, or too large to represent\n// in 64 bits.\nOPENSSL_EXPORT int CBS_get_asn1_uint64(CBS *cbs, uint64_t *out);\n\n// CBS_get_asn1_int64 gets an ASN.1 INTEGER from |cbs| using |CBS_get_asn1|\n// and sets |*out| to its value. It returns one on success and zero on error,\n// where error includes the integer being too large to represent in 64 bits.\nOPENSSL_EXPORT int CBS_get_asn1_int64(CBS *cbs, int64_t *out);\n\n// CBS_get_asn1_bool gets an ASN.1 BOOLEAN from |cbs| and sets |*out| to zero\n// or one based on its value. It returns one on success or zero on error.\nOPENSSL_EXPORT int CBS_get_asn1_bool(CBS *cbs, int *out);\n\n// CBS_get_optional_asn1 gets an optional explicitly-tagged element from |cbs|\n// tagged with |tag| and sets |*out| to its contents, or ignores it if |out| is\n// NULL. If present and if |out_present| is not NULL, it sets |*out_present| to\n// one, otherwise zero. It returns one on success, whether or not the element\n// was present, and zero on decode failure.\nOPENSSL_EXPORT int CBS_get_optional_asn1(CBS *cbs, CBS *out, int *out_present,\n CBS_ASN1_TAG tag);\n\n// CBS_get_optional_asn1_octet_string gets an optional\n// explicitly-tagged OCTET STRING from |cbs|. If present, it sets\n// |*out| to the string and |*out_present| to one. Otherwise, it sets\n// |*out| to empty and |*out_present| to zero. |out_present| may be\n// NULL. It returns one on success, whether or not the element was\n// present, and zero on decode failure.\nOPENSSL_EXPORT int CBS_get_optional_asn1_octet_string(CBS *cbs, CBS *out,\n int *out_present,\n CBS_ASN1_TAG tag);\n\n// CBS_get_optional_asn1_uint64 gets an optional explicitly-tagged\n// INTEGER from |cbs|. If present, it sets |*out| to the\n// value. Otherwise, it sets |*out| to |default_value|. It returns one\n// on success, whether or not the element was present, and zero on\n// decode failure.\nOPENSSL_EXPORT int CBS_get_optional_asn1_uint64(CBS *cbs, uint64_t *out,\n CBS_ASN1_TAG tag,\n uint64_t default_value);\n\n// CBS_get_optional_asn1_bool gets an optional, explicitly-tagged BOOLEAN from\n// |cbs|. If present, it sets |*out| to either zero or one, based on the\n// boolean. Otherwise, it sets |*out| to |default_value|. It returns one on\n// success, whether or not the element was present, and zero on decode\n// failure.\nOPENSSL_EXPORT int CBS_get_optional_asn1_bool(CBS *cbs, int *out,\n CBS_ASN1_TAG tag,\n int default_value);\n\n// CBS_is_valid_asn1_bitstring returns one if |cbs| is a valid ASN.1 BIT STRING\n// body and zero otherwise.\nOPENSSL_EXPORT int CBS_is_valid_asn1_bitstring(const CBS *cbs);\n\n// CBS_asn1_bitstring_has_bit returns one if |cbs| is a valid ASN.1 BIT STRING\n// body and the specified bit is present and set. Otherwise, it returns zero.\n// |bit| is indexed starting from zero.\nOPENSSL_EXPORT int CBS_asn1_bitstring_has_bit(const CBS *cbs, unsigned bit);\n\n// CBS_is_valid_asn1_integer returns one if |cbs| is a valid ASN.1 INTEGER,\n// body and zero otherwise. On success, if |out_is_negative| is non-NULL,\n// |*out_is_negative| will be set to one if |cbs| is negative and zero\n// otherwise.\nOPENSSL_EXPORT int CBS_is_valid_asn1_integer(const CBS *cbs,\n int *out_is_negative);\n\n// CBS_is_unsigned_asn1_integer returns one if |cbs| is a valid non-negative\n// ASN.1 INTEGER body and zero otherwise.\nOPENSSL_EXPORT int CBS_is_unsigned_asn1_integer(const CBS *cbs);\n\n// CBS_is_valid_asn1_oid returns one if |cbs| is a valid DER-encoded ASN.1\n// OBJECT IDENTIFIER contents (not including the element framing) and zero\n// otherwise. This function tolerates arbitrarily large OID components.\nOPENSSL_EXPORT int CBS_is_valid_asn1_oid(const CBS *cbs);\n\n// CBS_asn1_oid_to_text interprets |cbs| as DER-encoded ASN.1 OBJECT IDENTIFIER\n// contents (not including the element framing) and returns the ASCII\n// representation (e.g., \"1.2.840.113554.4.1.72585\") in a newly-allocated\n// string, or NULL on failure. The caller must release the result with\n// |OPENSSL_free|.\n//\n// This function may fail if |cbs| is an invalid OBJECT IDENTIFIER, or if any\n// OID components are too large.\nOPENSSL_EXPORT char *CBS_asn1_oid_to_text(const CBS *cbs);\n\n\n// CBS_parse_generalized_time returns one if |cbs| is a valid DER-encoded, ASN.1\n// GeneralizedTime body within the limitations imposed by RFC 5280, or zero\n// otherwise. If |allow_timezone_offset| is non-zero, four-digit timezone\n// offsets, which would not be allowed by DER, are permitted. On success, if\n// |out_tm| is non-NULL, |*out_tm| will be zeroed, and then set to the\n// corresponding time in UTC. This function does not compute |out_tm->tm_wday|\n// or |out_tm->tm_yday|.\nOPENSSL_EXPORT int CBS_parse_generalized_time(const CBS *cbs, struct tm *out_tm,\n int allow_timezone_offset);\n\n// CBS_parse_utc_time returns one if |cbs| is a valid DER-encoded, ASN.1\n// UTCTime body within the limitations imposed by RFC 5280, or zero otherwise.\n// If |allow_timezone_offset| is non-zero, four-digit timezone offsets, which\n// would not be allowed by DER, are permitted. On success, if |out_tm| is\n// non-NULL, |*out_tm| will be zeroed, and then set to the corresponding time\n// in UTC. This function does not compute |out_tm->tm_wday| or\n// |out_tm->tm_yday|.\nOPENSSL_EXPORT int CBS_parse_utc_time(const CBS *cbs, struct tm *out_tm,\n int allow_timezone_offset);\n\n// CRYPTO ByteBuilder.\n//\n// |CBB| objects allow one to build length-prefixed serialisations. A |CBB|\n// object is associated with a buffer and new buffers are created with\n// |CBB_init|. Several |CBB| objects can point at the same buffer when a\n// length-prefix is pending, however only a single |CBB| can be 'current' at\n// any one time. For example, if one calls |CBB_add_u8_length_prefixed| then\n// the new |CBB| points at the same buffer as the original. But if the original\n// |CBB| is used then the length prefix is written out and the new |CBB| must\n// not be used again.\n//\n// If one needs to force a length prefix to be written out because a |CBB| is\n// going out of scope, use |CBB_flush|. If an operation on a |CBB| fails, it is\n// in an undefined state and must not be used except to call |CBB_cleanup|.\n\nstruct cbb_buffer_st {\n uint8_t *buf;\n // len is the number of valid bytes in |buf|.\n size_t len;\n // cap is the size of |buf|.\n size_t cap;\n // can_resize is one iff |buf| is owned by this object. If not then |buf|\n // cannot be resized.\n unsigned can_resize : 1;\n // error is one if there was an error writing to this CBB. All future\n // operations will fail.\n unsigned error : 1;\n};\n\nstruct cbb_child_st {\n // base is a pointer to the buffer this |CBB| writes to.\n struct cbb_buffer_st *base;\n // offset is the number of bytes from the start of |base->buf| to this |CBB|'s\n // pending length prefix.\n size_t offset;\n // pending_len_len contains the number of bytes in this |CBB|'s pending\n // length-prefix, or zero if no length-prefix is pending.\n uint8_t pending_len_len;\n unsigned pending_is_asn1 : 1;\n};\n\nstruct cbb_st {\n // child points to a child CBB if a length-prefix is pending.\n CBB *child;\n // is_child is one if this is a child |CBB| and zero if it is a top-level\n // |CBB|. This determines which arm of the union is valid.\n char is_child;\n union {\n struct cbb_buffer_st base;\n struct cbb_child_st child;\n } u;\n};\n\n// CBB_zero sets an uninitialised |cbb| to the zero state. It must be\n// initialised with |CBB_init| or |CBB_init_fixed| before use, but it is safe to\n// call |CBB_cleanup| without a successful |CBB_init|. This may be used for more\n// uniform cleanup of a |CBB|.\nOPENSSL_EXPORT void CBB_zero(CBB *cbb);\n\n// CBB_init initialises |cbb| with |initial_capacity|. Since a |CBB| grows as\n// needed, the |initial_capacity| is just a hint. It returns one on success or\n// zero on allocation failure.\nOPENSSL_EXPORT int CBB_init(CBB *cbb, size_t initial_capacity);\n\n// CBB_init_fixed initialises |cbb| to write to |len| bytes at |buf|. Since\n// |buf| cannot grow, trying to write more than |len| bytes will cause CBB\n// functions to fail. This function is infallible and always returns one. It is\n// safe, but not necessary, to call |CBB_cleanup| on |cbb|.\nOPENSSL_EXPORT int CBB_init_fixed(CBB *cbb, uint8_t *buf, size_t len);\n\n// CBB_cleanup frees all resources owned by |cbb| and other |CBB| objects\n// writing to the same buffer. This should be used in an error case where a\n// serialisation is abandoned.\n//\n// This function can only be called on a \"top level\" |CBB|, i.e. one initialised\n// with |CBB_init| or |CBB_init_fixed|, or a |CBB| set to the zero state with\n// |CBB_zero|.\nOPENSSL_EXPORT void CBB_cleanup(CBB *cbb);\n\n// CBB_finish completes any pending length prefix and sets |*out_data| to a\n// malloced buffer and |*out_len| to the length of that buffer. The caller\n// takes ownership of the buffer and, unless the buffer was fixed with\n// |CBB_init_fixed|, must call |OPENSSL_free| when done.\n//\n// It can only be called on a \"top level\" |CBB|, i.e. one initialised with\n// |CBB_init| or |CBB_init_fixed|. It returns one on success and zero on\n// error.\nOPENSSL_EXPORT int CBB_finish(CBB *cbb, uint8_t **out_data, size_t *out_len);\n\n// CBB_flush causes any pending length prefixes to be written out and any child\n// |CBB| objects of |cbb| to be invalidated. This allows |cbb| to continue to be\n// used after the children go out of scope, e.g. when local |CBB| objects are\n// added as children to a |CBB| that persists after a function returns. This\n// function returns one on success or zero on error.\nOPENSSL_EXPORT int CBB_flush(CBB *cbb);\n\n// CBB_data returns a pointer to the bytes written to |cbb|. It does not flush\n// |cbb|. The pointer is valid until the next operation to |cbb|.\n//\n// To avoid unfinalized length prefixes, it is a fatal error to call this on a\n// CBB with any active children.\nOPENSSL_EXPORT const uint8_t *CBB_data(const CBB *cbb);\n\n// CBB_len returns the number of bytes written to |cbb|. It does not flush\n// |cbb|.\n//\n// To avoid unfinalized length prefixes, it is a fatal error to call this on a\n// CBB with any active children.\nOPENSSL_EXPORT size_t CBB_len(const CBB *cbb);\n\n// CBB_add_u8_length_prefixed sets |*out_contents| to a new child of |cbb|. The\n// data written to |*out_contents| will be prefixed in |cbb| with an 8-bit\n// length. It returns one on success or zero on error.\nOPENSSL_EXPORT int CBB_add_u8_length_prefixed(CBB *cbb, CBB *out_contents);\n\n// CBB_add_u16_length_prefixed sets |*out_contents| to a new child of |cbb|.\n// The data written to |*out_contents| will be prefixed in |cbb| with a 16-bit,\n// big-endian length. It returns one on success or zero on error.\nOPENSSL_EXPORT int CBB_add_u16_length_prefixed(CBB *cbb, CBB *out_contents);\n\n// CBB_add_u24_length_prefixed sets |*out_contents| to a new child of |cbb|.\n// The data written to |*out_contents| will be prefixed in |cbb| with a 24-bit,\n// big-endian length. It returns one on success or zero on error.\nOPENSSL_EXPORT int CBB_add_u24_length_prefixed(CBB *cbb, CBB *out_contents);\n\n// CBB_add_asn1 sets |*out_contents| to a |CBB| into which the contents of an\n// ASN.1 object can be written. The |tag| argument will be used as the tag for\n// the object. It returns one on success or zero on error.\nOPENSSL_EXPORT int CBB_add_asn1(CBB *cbb, CBB *out_contents, CBS_ASN1_TAG tag);\n\n// CBB_add_bytes appends |len| bytes from |data| to |cbb|. It returns one on\n// success and zero otherwise.\nOPENSSL_EXPORT int CBB_add_bytes(CBB *cbb, const uint8_t *data, size_t len);\n\n// CBB_add_zeros append |len| bytes with value zero to |cbb|. It returns one on\n// success and zero otherwise.\nOPENSSL_EXPORT int CBB_add_zeros(CBB *cbb, size_t len);\n\n// CBB_add_space appends |len| bytes to |cbb| and sets |*out_data| to point to\n// the beginning of that space. The caller must then write |len| bytes of\n// actual contents to |*out_data|. It returns one on success and zero\n// otherwise.\nOPENSSL_EXPORT int CBB_add_space(CBB *cbb, uint8_t **out_data, size_t len);\n\n// CBB_reserve ensures |cbb| has room for |len| additional bytes and sets\n// |*out_data| to point to the beginning of that space. It returns one on\n// success and zero otherwise. The caller may write up to |len| bytes to\n// |*out_data| and call |CBB_did_write| to complete the write. |*out_data| is\n// valid until the next operation on |cbb| or an ancestor |CBB|.\nOPENSSL_EXPORT int CBB_reserve(CBB *cbb, uint8_t **out_data, size_t len);\n\n// CBB_did_write advances |cbb| by |len| bytes, assuming the space has been\n// written to by the caller. It returns one on success and zero on error.\nOPENSSL_EXPORT int CBB_did_write(CBB *cbb, size_t len);\n\n// CBB_add_u8 appends an 8-bit number from |value| to |cbb|. It returns one on\n// success and zero otherwise.\nOPENSSL_EXPORT int CBB_add_u8(CBB *cbb, uint8_t value);\n\n// CBB_add_u16 appends a 16-bit, big-endian number from |value| to |cbb|. It\n// returns one on success and zero otherwise.\nOPENSSL_EXPORT int CBB_add_u16(CBB *cbb, uint16_t value);\n\n// CBB_add_u16le appends a 16-bit, little-endian number from |value| to |cbb|.\n// It returns one on success and zero otherwise.\nOPENSSL_EXPORT int CBB_add_u16le(CBB *cbb, uint16_t value);\n\n// CBB_add_u24 appends a 24-bit, big-endian number from |value| to |cbb|. It\n// returns one on success and zero otherwise.\nOPENSSL_EXPORT int CBB_add_u24(CBB *cbb, uint32_t value);\n\n// CBB_add_u32 appends a 32-bit, big-endian number from |value| to |cbb|. It\n// returns one on success and zero otherwise.\nOPENSSL_EXPORT int CBB_add_u32(CBB *cbb, uint32_t value);\n\n// CBB_add_u32le appends a 32-bit, little-endian number from |value| to |cbb|.\n// It returns one on success and zero otherwise.\nOPENSSL_EXPORT int CBB_add_u32le(CBB *cbb, uint32_t value);\n\n// CBB_add_u64 appends a 64-bit, big-endian number from |value| to |cbb|. It\n// returns one on success and zero otherwise.\nOPENSSL_EXPORT int CBB_add_u64(CBB *cbb, uint64_t value);\n\n// CBB_add_u64le appends a 64-bit, little-endian number from |value| to |cbb|.\n// It returns one on success and zero otherwise.\nOPENSSL_EXPORT int CBB_add_u64le(CBB *cbb, uint64_t value);\n\n// CBB_discard_child discards the current unflushed child of |cbb|. Neither the\n// child's contents nor the length prefix will be included in the output.\nOPENSSL_EXPORT void CBB_discard_child(CBB *cbb);\n\n// CBB_add_asn1_uint64 writes an ASN.1 INTEGER into |cbb| using |CBB_add_asn1|\n// and writes |value| in its contents. It returns one on success and zero on\n// error.\nOPENSSL_EXPORT int CBB_add_asn1_uint64(CBB *cbb, uint64_t value);\n\n// CBB_add_asn1_uint64_with_tag behaves like |CBB_add_asn1_uint64| but uses\n// |tag| as the tag instead of INTEGER. This is useful if the INTEGER type uses\n// implicit tagging.\nOPENSSL_EXPORT int CBB_add_asn1_uint64_with_tag(CBB *cbb, uint64_t value,\n CBS_ASN1_TAG tag);\n\n// CBB_add_asn1_int64 writes an ASN.1 INTEGER into |cbb| using |CBB_add_asn1|\n// and writes |value| in its contents. It returns one on success and zero on\n// error.\nOPENSSL_EXPORT int CBB_add_asn1_int64(CBB *cbb, int64_t value);\n\n// CBB_add_asn1_int64_with_tag behaves like |CBB_add_asn1_int64| but uses |tag|\n// as the tag instead of INTEGER. This is useful if the INTEGER type uses\n// implicit tagging.\nOPENSSL_EXPORT int CBB_add_asn1_int64_with_tag(CBB *cbb, int64_t value,\n CBS_ASN1_TAG tag);\n\n// CBB_add_asn1_octet_string writes an ASN.1 OCTET STRING into |cbb| with the\n// given contents. It returns one on success and zero on error.\nOPENSSL_EXPORT int CBB_add_asn1_octet_string(CBB *cbb, const uint8_t *data,\n size_t data_len);\n\n// CBB_add_asn1_bool writes an ASN.1 BOOLEAN into |cbb| which is true iff\n// |value| is non-zero. It returns one on success and zero on error.\nOPENSSL_EXPORT int CBB_add_asn1_bool(CBB *cbb, int value);\n\n// CBB_add_asn1_oid_from_text decodes |len| bytes from |text| as an ASCII OID\n// representation, e.g. \"1.2.840.113554.4.1.72585\", and writes the DER-encoded\n// contents to |cbb|. It returns one on success and zero on malloc failure or if\n// |text| was invalid. It does not include the OBJECT IDENTIFER framing, only\n// the element's contents.\n//\n// This function considers OID strings with components which do not fit in a\n// |uint64_t| to be invalid.\nOPENSSL_EXPORT int CBB_add_asn1_oid_from_text(CBB *cbb, const char *text,\n size_t len);\n\n// CBB_flush_asn1_set_of calls |CBB_flush| on |cbb| and then reorders the\n// contents for a DER-encoded ASN.1 SET OF type. It returns one on success and\n// zero on failure. DER canonicalizes SET OF contents by sorting\n// lexicographically by encoding. Call this function when encoding a SET OF\n// type in an order that is not already known to be canonical.\n//\n// Note a SET type has a slightly different ordering than a SET OF.\nOPENSSL_EXPORT int CBB_flush_asn1_set_of(CBB *cbb);\n\n\n// Unicode utilities.\n//\n// These functions consider noncharacters (see section 23.7 from Unicode 15.0.0)\n// to be invalid code points and will treat them as an error condition.\n\n// The following functions read one Unicode code point from |cbs| with the\n// corresponding encoding and store it in |*out|. They return one on success and\n// zero on error.\nOPENSSL_EXPORT int CBS_get_utf8(CBS *cbs, uint32_t *out);\nOPENSSL_EXPORT int CBS_get_latin1(CBS *cbs, uint32_t *out);\nOPENSSL_EXPORT int CBS_get_ucs2_be(CBS *cbs, uint32_t *out);\nOPENSSL_EXPORT int CBS_get_utf32_be(CBS *cbs, uint32_t *out);\n\n// CBB_get_utf8_len returns the number of bytes needed to represent |u| in\n// UTF-8.\nOPENSSL_EXPORT size_t CBB_get_utf8_len(uint32_t u);\n\n// The following functions encode |u| to |cbb| with the corresponding\n// encoding. They return one on success and zero on error. Error conditions\n// include |u| being an invalid code point, or |u| being unencodable in the\n// specified encoding.\nOPENSSL_EXPORT int CBB_add_utf8(CBB *cbb, uint32_t u);\nOPENSSL_EXPORT int CBB_add_latin1(CBB *cbb, uint32_t u);\nOPENSSL_EXPORT int CBB_add_ucs2_be(CBB *cbb, uint32_t u);\nOPENSSL_EXPORT int CBB_add_utf32_be(CBB *cbb, uint32_t u);\n\n\n#if defined(__cplusplus)\n} // extern C\n\n\n#if !defined(BORINGSSL_NO_CXX)\nextern \"C++\" {\n\nBSSL_NAMESPACE_BEGIN\n\nusing ScopedCBB = internal::StackAllocated;\n\nBSSL_NAMESPACE_END\n\n} // extern C++\n#endif\n\n#endif\n\n#endif // OPENSSL_HEADER_BYTESTRING_H\n" }, { "path": "Sources/CNIOBoringSSL/include/CNIOBoringSSL_cast.h", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#ifndef OPENSSL_HEADER_CAST_H\n#define OPENSSL_HEADER_CAST_H\n\n#include \"CNIOBoringSSL_base.h\"\n\n#ifdef __cplusplus\nextern \"C\" {\n#endif\n\n\n#define CAST_ENCRYPT 1\n#define CAST_DECRYPT 0\n\n#define CAST_BLOCK 8\n#define CAST_KEY_LENGTH 16\n\ntypedef struct cast_key_st {\n uint32_t data[32];\n int short_key; // Use reduced rounds for short key\n} CAST_KEY;\n\nOPENSSL_EXPORT void CAST_set_key(CAST_KEY *key, size_t len,\n const uint8_t *data);\nOPENSSL_EXPORT void CAST_ecb_encrypt(const uint8_t *in, uint8_t *out,\n const CAST_KEY *key, int enc);\nOPENSSL_EXPORT void CAST_encrypt(uint32_t *data, const CAST_KEY *key);\nOPENSSL_EXPORT void CAST_decrypt(uint32_t *data, const CAST_KEY *key);\nOPENSSL_EXPORT void CAST_cbc_encrypt(const uint8_t *in, uint8_t *out,\n size_t length, const CAST_KEY *ks,\n uint8_t *iv, int enc);\n\nOPENSSL_EXPORT void CAST_cfb64_encrypt(const uint8_t *in, uint8_t *out,\n size_t length, const CAST_KEY *schedule,\n uint8_t *ivec, int *num, int enc);\n\n#ifdef __cplusplus\n}\n#endif\n\n#endif // OPENSSL_HEADER_CAST_H\n" }, { "path": "Sources/CNIOBoringSSL/include/CNIOBoringSSL_chacha.h", "content": "/* Copyright 2014 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n#ifndef OPENSSL_HEADER_CHACHA_H\n#define OPENSSL_HEADER_CHACHA_H\n\n#include \"CNIOBoringSSL_base.h\"\n\n#if defined(__cplusplus)\nextern \"C\" {\n#endif\n\n// ChaCha20.\n//\n// ChaCha20 is a stream cipher. See https://tools.ietf.org/html/rfc8439.\n\n\n// CRYPTO_chacha_20 encrypts |in_len| bytes from |in| with the given key and\n// nonce and writes the result to |out|. If |in| and |out| alias, they must be\n// equal. The initial block counter is specified by |counter|.\n//\n// This function implements a 32-bit block counter as in RFC 8439. On overflow,\n// the counter wraps. Reusing a key, nonce, and block counter combination is not\n// secure, so wrapping is usually a bug in the caller. While it is possible to\n// wrap without reuse with a large initial block counter, this is not\n// recommended and may not be portable to other ChaCha20 implementations.\nOPENSSL_EXPORT void CRYPTO_chacha_20(uint8_t *out, const uint8_t *in,\n size_t in_len, const uint8_t key[32],\n const uint8_t nonce[12], uint32_t counter);\n\n\n#if defined(__cplusplus)\n} // extern C\n#endif\n\n#endif // OPENSSL_HEADER_CHACHA_H\n" }, { "path": "Sources/CNIOBoringSSL/include/CNIOBoringSSL_cipher.h", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#ifndef OPENSSL_HEADER_CIPHER_H\n#define OPENSSL_HEADER_CIPHER_H\n\n#include \"CNIOBoringSSL_base.h\"\n\n#if defined(__cplusplus)\nextern \"C\" {\n#endif\n\n\n// Ciphers.\n\n\n// Cipher primitives.\n//\n// The following functions return |EVP_CIPHER| objects that implement the named\n// cipher algorithm.\n\nOPENSSL_EXPORT const EVP_CIPHER *EVP_rc4(void);\n\nOPENSSL_EXPORT const EVP_CIPHER *EVP_des_cbc(void);\nOPENSSL_EXPORT const EVP_CIPHER *EVP_des_ecb(void);\nOPENSSL_EXPORT const EVP_CIPHER *EVP_des_ede(void);\nOPENSSL_EXPORT const EVP_CIPHER *EVP_des_ede3(void);\nOPENSSL_EXPORT const EVP_CIPHER *EVP_des_ede_cbc(void);\nOPENSSL_EXPORT const EVP_CIPHER *EVP_des_ede3_cbc(void);\n\nOPENSSL_EXPORT const EVP_CIPHER *EVP_aes_128_ecb(void);\nOPENSSL_EXPORT const EVP_CIPHER *EVP_aes_128_cbc(void);\nOPENSSL_EXPORT const EVP_CIPHER *EVP_aes_128_ctr(void);\nOPENSSL_EXPORT const EVP_CIPHER *EVP_aes_128_ofb(void);\n\nOPENSSL_EXPORT const EVP_CIPHER *EVP_aes_256_ecb(void);\nOPENSSL_EXPORT const EVP_CIPHER *EVP_aes_256_cbc(void);\nOPENSSL_EXPORT const EVP_CIPHER *EVP_aes_256_ctr(void);\nOPENSSL_EXPORT const EVP_CIPHER *EVP_aes_256_ofb(void);\nOPENSSL_EXPORT const EVP_CIPHER *EVP_aes_256_xts(void);\n\n// EVP_enc_null returns a 'cipher' that passes plaintext through as\n// ciphertext.\nOPENSSL_EXPORT const EVP_CIPHER *EVP_enc_null(void);\n\n// EVP_rc2_cbc returns a cipher that implements 128-bit RC2 in CBC mode.\nOPENSSL_EXPORT const EVP_CIPHER *EVP_rc2_cbc(void);\n\n// EVP_rc2_40_cbc returns a cipher that implements 40-bit RC2 in CBC mode. This\n// is obviously very, very weak and is included only in order to read PKCS#12\n// files, which often encrypt the certificate chain using this cipher. It is\n// deliberately not exported.\nconst EVP_CIPHER *EVP_rc2_40_cbc(void);\n\n// EVP_get_cipherbynid returns the cipher corresponding to the given NID, or\n// NULL if no such cipher is known. Note using this function links almost every\n// cipher implemented by BoringSSL into the binary, whether the caller uses them\n// or not. Size-conscious callers, such as client software, should not use this\n// function.\nOPENSSL_EXPORT const EVP_CIPHER *EVP_get_cipherbynid(int nid);\n\n\n// Cipher context allocation.\n//\n// An |EVP_CIPHER_CTX| represents the state of an encryption or decryption in\n// progress.\n\n// EVP_CIPHER_CTX_init initialises an, already allocated, |EVP_CIPHER_CTX|.\nOPENSSL_EXPORT void EVP_CIPHER_CTX_init(EVP_CIPHER_CTX *ctx);\n\n// EVP_CIPHER_CTX_new allocates a fresh |EVP_CIPHER_CTX|, calls\n// |EVP_CIPHER_CTX_init| and returns it, or NULL on allocation failure.\nOPENSSL_EXPORT EVP_CIPHER_CTX *EVP_CIPHER_CTX_new(void);\n\n// EVP_CIPHER_CTX_cleanup frees any memory referenced by |ctx|. It returns\n// one.\nOPENSSL_EXPORT int EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CTX *ctx);\n\n// EVP_CIPHER_CTX_free calls |EVP_CIPHER_CTX_cleanup| on |ctx| and then frees\n// |ctx| itself.\nOPENSSL_EXPORT void EVP_CIPHER_CTX_free(EVP_CIPHER_CTX *ctx);\n\n// EVP_CIPHER_CTX_copy sets |out| to be a duplicate of the current state of\n// |in|. The |out| argument must have been previously initialised.\nOPENSSL_EXPORT int EVP_CIPHER_CTX_copy(EVP_CIPHER_CTX *out,\n const EVP_CIPHER_CTX *in);\n\n// EVP_CIPHER_CTX_reset calls |EVP_CIPHER_CTX_cleanup| followed by\n// |EVP_CIPHER_CTX_init| and returns one.\nOPENSSL_EXPORT int EVP_CIPHER_CTX_reset(EVP_CIPHER_CTX *ctx);\n\n\n// Cipher context configuration.\n\n// EVP_CipherInit_ex configures |ctx| for a fresh encryption (or decryption, if\n// |enc| is zero) operation using |cipher|. If |ctx| has been previously\n// configured with a cipher then |cipher|, |key| and |iv| may be |NULL| and\n// |enc| may be -1 to reuse the previous values. The operation will use |key|\n// as the key and |iv| as the IV (if any). These should have the correct\n// lengths given by |EVP_CIPHER_key_length| and |EVP_CIPHER_iv_length|. It\n// returns one on success and zero on error.\nOPENSSL_EXPORT int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx,\n const EVP_CIPHER *cipher, ENGINE *engine,\n const uint8_t *key, const uint8_t *iv,\n int enc);\n\n// EVP_EncryptInit_ex calls |EVP_CipherInit_ex| with |enc| equal to one.\nOPENSSL_EXPORT int EVP_EncryptInit_ex(EVP_CIPHER_CTX *ctx,\n const EVP_CIPHER *cipher, ENGINE *impl,\n const uint8_t *key, const uint8_t *iv);\n\n// EVP_DecryptInit_ex calls |EVP_CipherInit_ex| with |enc| equal to zero.\nOPENSSL_EXPORT int EVP_DecryptInit_ex(EVP_CIPHER_CTX *ctx,\n const EVP_CIPHER *cipher, ENGINE *impl,\n const uint8_t *key, const uint8_t *iv);\n\n\n// Cipher operations.\n\n// EVP_EncryptUpdate encrypts |in_len| bytes from |in| to |out|. The number\n// of output bytes may be up to |in_len| plus the block length minus one and\n// |out| must have sufficient space. The number of bytes actually output is\n// written to |*out_len|. It returns one on success and zero otherwise.\n//\n// If |ctx| is an AEAD cipher, e.g. |EVP_aes_128_gcm|, and |out| is NULL, this\n// function instead adds |in_len| bytes from |in| to the AAD and sets |*out_len|\n// to |in_len|. The AAD must be fully specified in this way before this function\n// is used to encrypt plaintext.\nOPENSSL_EXPORT int EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, uint8_t *out,\n int *out_len, const uint8_t *in,\n int in_len);\n\n// EVP_EncryptFinal_ex writes at most a block of ciphertext to |out| and sets\n// |*out_len| to the number of bytes written. If padding is enabled (the\n// default) then standard padding is applied to create the final block. If\n// padding is disabled (with |EVP_CIPHER_CTX_set_padding|) then any partial\n// block remaining will cause an error. The function returns one on success and\n// zero otherwise.\nOPENSSL_EXPORT int EVP_EncryptFinal_ex(EVP_CIPHER_CTX *ctx, uint8_t *out,\n int *out_len);\n\n// EVP_DecryptUpdate decrypts |in_len| bytes from |in| to |out|. The number of\n// output bytes may be up to |in_len| plus the block length minus one and |out|\n// must have sufficient space. The number of bytes actually output is written\n// to |*out_len|. It returns one on success and zero otherwise.\n//\n// If |ctx| is an AEAD cipher, e.g. |EVP_aes_128_gcm|, and |out| is NULL, this\n// function instead adds |in_len| bytes from |in| to the AAD and sets |*out_len|\n// to |in_len|. The AAD must be fully specified in this way before this function\n// is used to decrypt ciphertext.\nOPENSSL_EXPORT int EVP_DecryptUpdate(EVP_CIPHER_CTX *ctx, uint8_t *out,\n int *out_len, const uint8_t *in,\n int in_len);\n\n// EVP_DecryptFinal_ex writes at most a block of ciphertext to |out| and sets\n// |*out_len| to the number of bytes written. If padding is enabled (the\n// default) then padding is removed from the final block.\n//\n// WARNING: it is unsafe to call this function with unauthenticated\n// ciphertext if padding is enabled.\nOPENSSL_EXPORT int EVP_DecryptFinal_ex(EVP_CIPHER_CTX *ctx, uint8_t *out,\n int *out_len);\n\n// EVP_CipherUpdate calls either |EVP_EncryptUpdate| or |EVP_DecryptUpdate|\n// depending on how |ctx| has been setup.\nOPENSSL_EXPORT int EVP_CipherUpdate(EVP_CIPHER_CTX *ctx, uint8_t *out,\n int *out_len, const uint8_t *in,\n int in_len);\n\n// EVP_CipherFinal_ex calls either |EVP_EncryptFinal_ex| or\n// |EVP_DecryptFinal_ex| depending on how |ctx| has been setup.\nOPENSSL_EXPORT int EVP_CipherFinal_ex(EVP_CIPHER_CTX *ctx, uint8_t *out,\n int *out_len);\n\n\n// Cipher context accessors.\n\n// EVP_CIPHER_CTX_cipher returns the |EVP_CIPHER| underlying |ctx|, or NULL if\n// none has been set.\nOPENSSL_EXPORT const EVP_CIPHER *EVP_CIPHER_CTX_cipher(\n const EVP_CIPHER_CTX *ctx);\n\n// EVP_CIPHER_CTX_nid returns a NID identifying the |EVP_CIPHER| underlying\n// |ctx| (e.g. |NID_aes_128_gcm|). It will crash if no cipher has been\n// configured.\nOPENSSL_EXPORT int EVP_CIPHER_CTX_nid(const EVP_CIPHER_CTX *ctx);\n\n// EVP_CIPHER_CTX_encrypting returns one if |ctx| is configured for encryption\n// and zero otherwise.\nOPENSSL_EXPORT int EVP_CIPHER_CTX_encrypting(const EVP_CIPHER_CTX *ctx);\n\n// EVP_CIPHER_CTX_block_size returns the block size, in bytes, of the cipher\n// underlying |ctx|, or one if the cipher is a stream cipher. It will crash if\n// no cipher has been configured.\nOPENSSL_EXPORT unsigned EVP_CIPHER_CTX_block_size(const EVP_CIPHER_CTX *ctx);\n\n// EVP_CIPHER_CTX_key_length returns the key size, in bytes, of the cipher\n// underlying |ctx| or zero if no cipher has been configured.\nOPENSSL_EXPORT unsigned EVP_CIPHER_CTX_key_length(const EVP_CIPHER_CTX *ctx);\n\n// EVP_CIPHER_CTX_iv_length returns the IV size, in bytes, of the cipher\n// underlying |ctx|. It will crash if no cipher has been configured.\nOPENSSL_EXPORT unsigned EVP_CIPHER_CTX_iv_length(const EVP_CIPHER_CTX *ctx);\n\n// EVP_CIPHER_CTX_get_app_data returns the opaque, application data pointer for\n// |ctx|, or NULL if none has been set.\nOPENSSL_EXPORT void *EVP_CIPHER_CTX_get_app_data(const EVP_CIPHER_CTX *ctx);\n\n// EVP_CIPHER_CTX_set_app_data sets the opaque, application data pointer for\n// |ctx| to |data|.\nOPENSSL_EXPORT void EVP_CIPHER_CTX_set_app_data(EVP_CIPHER_CTX *ctx,\n void *data);\n\n// EVP_CIPHER_CTX_flags returns a value which is the OR of zero or more\n// |EVP_CIPH_*| flags. It will crash if no cipher has been configured.\nOPENSSL_EXPORT uint32_t EVP_CIPHER_CTX_flags(const EVP_CIPHER_CTX *ctx);\n\n// EVP_CIPHER_CTX_mode returns one of the |EVP_CIPH_*| cipher mode values\n// enumerated below. It will crash if no cipher has been configured.\nOPENSSL_EXPORT uint32_t EVP_CIPHER_CTX_mode(const EVP_CIPHER_CTX *ctx);\n\n// EVP_CIPHER_CTX_ctrl is an |ioctl| like function. The |command| argument\n// should be one of the |EVP_CTRL_*| values. The |arg| and |ptr| arguments are\n// specific to the command in question.\nOPENSSL_EXPORT int EVP_CIPHER_CTX_ctrl(EVP_CIPHER_CTX *ctx, int command,\n int arg, void *ptr);\n\n// EVP_CIPHER_CTX_set_padding sets whether padding is enabled for |ctx| and\n// returns one. Pass a non-zero |pad| to enable padding (the default) or zero\n// to disable.\nOPENSSL_EXPORT int EVP_CIPHER_CTX_set_padding(EVP_CIPHER_CTX *ctx, int pad);\n\n// EVP_CIPHER_CTX_set_key_length sets the key length for |ctx|. This is only\n// valid for ciphers that can take a variable length key. It returns one on\n// success and zero on error.\nOPENSSL_EXPORT int EVP_CIPHER_CTX_set_key_length(EVP_CIPHER_CTX *ctx,\n unsigned key_len);\n\n\n// Cipher accessors.\n\n// EVP_CIPHER_nid returns a NID identifying |cipher|. (For example,\n// |NID_aes_128_gcm|.)\nOPENSSL_EXPORT int EVP_CIPHER_nid(const EVP_CIPHER *cipher);\n\n// EVP_CIPHER_block_size returns the block size, in bytes, for |cipher|, or one\n// if |cipher| is a stream cipher.\nOPENSSL_EXPORT unsigned EVP_CIPHER_block_size(const EVP_CIPHER *cipher);\n\n// EVP_CIPHER_key_length returns the key size, in bytes, for |cipher|. If\n// |cipher| can take a variable key length then this function returns the\n// default key length and |EVP_CIPHER_flags| will return a value with\n// |EVP_CIPH_VARIABLE_LENGTH| set.\nOPENSSL_EXPORT unsigned EVP_CIPHER_key_length(const EVP_CIPHER *cipher);\n\n// EVP_CIPHER_iv_length returns the IV size, in bytes, of |cipher|, or zero if\n// |cipher| doesn't take an IV.\nOPENSSL_EXPORT unsigned EVP_CIPHER_iv_length(const EVP_CIPHER *cipher);\n\n// EVP_CIPHER_flags returns a value which is the OR of zero or more\n// |EVP_CIPH_*| flags.\nOPENSSL_EXPORT uint32_t EVP_CIPHER_flags(const EVP_CIPHER *cipher);\n\n// EVP_CIPHER_mode returns one of the cipher mode values enumerated below.\nOPENSSL_EXPORT uint32_t EVP_CIPHER_mode(const EVP_CIPHER *cipher);\n\n\n// Key derivation.\n\n// EVP_BytesToKey generates a key and IV for the cipher |type| by iterating\n// |md| |count| times using |data| and an optional |salt|, writing the result to\n// |key| and |iv|. If not NULL, the |key| and |iv| buffers must have enough\n// space to hold a key and IV for |type|, as returned by |EVP_CIPHER_key_length|\n// and |EVP_CIPHER_iv_length|. This function returns the length of the key\n// (without the IV) on success or zero on error.\n//\n// If |salt| is NULL, the empty string is used as the salt. Salt lengths other\n// than 0 and 8 are not supported by this function. Either of |key| or |iv| may\n// be NULL to skip that output.\n//\n// When the total data derived is less than the size of |md|, this function\n// implements PBKDF1 from RFC 8018. Otherwise, it generalizes PBKDF1 by\n// computing prepending the previous output to |data| and re-running PBKDF1 for\n// further output.\n//\n// This function is provided for compatibility with legacy uses of PBKDF1. New\n// applications should use a more modern algorithm, such as |EVP_PBE_scrypt|.\nOPENSSL_EXPORT int EVP_BytesToKey(const EVP_CIPHER *type, const EVP_MD *md,\n const uint8_t salt[8], const uint8_t *data,\n size_t data_len, unsigned count, uint8_t *key,\n uint8_t *iv);\n\n\n// Cipher modes (for |EVP_CIPHER_mode|).\n\n#define EVP_CIPH_STREAM_CIPHER 0x0\n#define EVP_CIPH_ECB_MODE 0x1\n#define EVP_CIPH_CBC_MODE 0x2\n#define EVP_CIPH_CFB_MODE 0x3\n#define EVP_CIPH_OFB_MODE 0x4\n#define EVP_CIPH_CTR_MODE 0x5\n#define EVP_CIPH_GCM_MODE 0x6\n#define EVP_CIPH_XTS_MODE 0x7\n\n// The following values are never returned from |EVP_CIPHER_mode| and are\n// included only to make it easier to compile code with BoringSSL.\n#define EVP_CIPH_CCM_MODE 0x8\n#define EVP_CIPH_OCB_MODE 0x9\n#define EVP_CIPH_WRAP_MODE 0xa\n\n\n// Cipher flags (for |EVP_CIPHER_flags|).\n\n// EVP_CIPH_VARIABLE_LENGTH indicates that the cipher takes a variable length\n// key.\n#define EVP_CIPH_VARIABLE_LENGTH 0x40\n\n// EVP_CIPH_ALWAYS_CALL_INIT indicates that the |init| function for the cipher\n// should always be called when initialising a new operation, even if the key\n// is NULL to indicate that the same key is being used.\n#define EVP_CIPH_ALWAYS_CALL_INIT 0x80\n\n// EVP_CIPH_CUSTOM_IV indicates that the cipher manages the IV itself rather\n// than keeping it in the |iv| member of |EVP_CIPHER_CTX|.\n#define EVP_CIPH_CUSTOM_IV 0x100\n\n// EVP_CIPH_CTRL_INIT indicates that EVP_CTRL_INIT should be used when\n// initialising an |EVP_CIPHER_CTX|.\n#define EVP_CIPH_CTRL_INIT 0x200\n\n// EVP_CIPH_FLAG_CUSTOM_CIPHER indicates that the cipher manages blocking\n// itself. This causes EVP_(En|De)crypt_ex to be simple wrapper functions.\n#define EVP_CIPH_FLAG_CUSTOM_CIPHER 0x400\n\n// EVP_CIPH_FLAG_AEAD_CIPHER specifies that the cipher is an AEAD. This is an\n// older version of the proper AEAD interface. See aead.h for the current\n// one.\n#define EVP_CIPH_FLAG_AEAD_CIPHER 0x800\n\n// EVP_CIPH_CUSTOM_COPY indicates that the |ctrl| callback should be called\n// with |EVP_CTRL_COPY| at the end of normal |EVP_CIPHER_CTX_copy|\n// processing.\n#define EVP_CIPH_CUSTOM_COPY 0x1000\n\n// EVP_CIPH_FLAG_NON_FIPS_ALLOW is meaningless. In OpenSSL it permits non-FIPS\n// algorithms in FIPS mode. But BoringSSL FIPS mode doesn't prohibit algorithms\n// (it's up the the caller to use the FIPS module in a fashion compliant with\n// their needs). Thus this exists only to allow code to compile.\n#define EVP_CIPH_FLAG_NON_FIPS_ALLOW 0\n\n\n// Deprecated functions\n\n// EVP_CipherInit acts like EVP_CipherInit_ex except that |EVP_CIPHER_CTX_init|\n// is called on |cipher| first, if |cipher| is not NULL.\nOPENSSL_EXPORT int EVP_CipherInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,\n const uint8_t *key, const uint8_t *iv,\n int enc);\n\n// EVP_EncryptInit calls |EVP_CipherInit| with |enc| equal to one.\nOPENSSL_EXPORT int EVP_EncryptInit(EVP_CIPHER_CTX *ctx,\n const EVP_CIPHER *cipher, const uint8_t *key,\n const uint8_t *iv);\n\n// EVP_DecryptInit calls |EVP_CipherInit| with |enc| equal to zero.\nOPENSSL_EXPORT int EVP_DecryptInit(EVP_CIPHER_CTX *ctx,\n const EVP_CIPHER *cipher, const uint8_t *key,\n const uint8_t *iv);\n\n// EVP_CipherFinal calls |EVP_CipherFinal_ex|.\nOPENSSL_EXPORT int EVP_CipherFinal(EVP_CIPHER_CTX *ctx, uint8_t *out,\n int *out_len);\n\n// EVP_EncryptFinal calls |EVP_EncryptFinal_ex|.\nOPENSSL_EXPORT int EVP_EncryptFinal(EVP_CIPHER_CTX *ctx, uint8_t *out,\n int *out_len);\n\n// EVP_DecryptFinal calls |EVP_DecryptFinal_ex|.\nOPENSSL_EXPORT int EVP_DecryptFinal(EVP_CIPHER_CTX *ctx, uint8_t *out,\n int *out_len);\n\n// EVP_Cipher historically exposed an internal implementation detail of |ctx|\n// and should not be used. Use |EVP_CipherUpdate| and |EVP_CipherFinal_ex|\n// instead.\n//\n// If |ctx|'s cipher does not have the |EVP_CIPH_FLAG_CUSTOM_CIPHER| flag, it\n// encrypts or decrypts |in_len| bytes from |in| and writes the resulting\n// |in_len| bytes to |out|. It returns one on success and zero on error.\n// |in_len| must be a multiple of the cipher's block size, or the behavior is\n// undefined.\n//\n// TODO(davidben): Rather than being undefined (it'll often round the length up\n// and likely read past the buffer), just fail the operation.\n//\n// If |ctx|'s cipher has the |EVP_CIPH_FLAG_CUSTOM_CIPHER| flag, it runs in one\n// of two modes: If |in| is non-NULL, it behaves like |EVP_CipherUpdate|. If\n// |in| is NULL, it behaves like |EVP_CipherFinal_ex|. In both cases, it returns\n// |*out_len| on success and -1 on error.\n//\n// WARNING: The two possible calling conventions of this function signal errors\n// incompatibly. In the first, zero indicates an error. In the second, zero\n// indicates success with zero bytes of output.\nOPENSSL_EXPORT int EVP_Cipher(EVP_CIPHER_CTX *ctx, uint8_t *out,\n const uint8_t *in, size_t in_len);\n\n// EVP_add_cipher_alias does nothing and returns one.\nOPENSSL_EXPORT int EVP_add_cipher_alias(const char *a, const char *b);\n\n// EVP_get_cipherbyname returns an |EVP_CIPHER| given a human readable name in\n// |name|, or NULL if the name is unknown. Note using this function links almost\n// every cipher implemented by BoringSSL into the binary, not just the ones the\n// caller requests. Size-conscious callers, such as client software, should not\n// use this function.\nOPENSSL_EXPORT const EVP_CIPHER *EVP_get_cipherbyname(const char *name);\n\n// These AEADs are deprecated AES-GCM implementations that set\n// |EVP_CIPH_FLAG_CUSTOM_CIPHER|. Use |EVP_aead_aes_128_gcm| and\n// |EVP_aead_aes_256_gcm| instead.\n//\n// WARNING: Although these APIs allow streaming an individual AES-GCM operation,\n// this is not secure. Until calling |EVP_DecryptFinal_ex|, the tag has not yet\n// been checked and output released by |EVP_DecryptUpdate| is unauthenticated\n// and easily manipulated by attackers. Callers must buffer the output and may\n// not act on it until the entire operation is complete.\nOPENSSL_EXPORT const EVP_CIPHER *EVP_aes_128_gcm(void);\nOPENSSL_EXPORT const EVP_CIPHER *EVP_aes_256_gcm(void);\n\n// These are deprecated, 192-bit version of AES.\nOPENSSL_EXPORT const EVP_CIPHER *EVP_aes_192_ecb(void);\nOPENSSL_EXPORT const EVP_CIPHER *EVP_aes_192_cbc(void);\nOPENSSL_EXPORT const EVP_CIPHER *EVP_aes_192_ctr(void);\nOPENSSL_EXPORT const EVP_CIPHER *EVP_aes_192_gcm(void);\nOPENSSL_EXPORT const EVP_CIPHER *EVP_aes_192_ofb(void);\n\n// EVP_des_ede3_ecb is an alias for |EVP_des_ede3|. Use the former instead.\nOPENSSL_EXPORT const EVP_CIPHER *EVP_des_ede3_ecb(void);\n\n// EVP_aes_128_cfb128 is only available in decrepit.\nOPENSSL_EXPORT const EVP_CIPHER *EVP_aes_128_cfb128(void);\n\n// EVP_aes_128_cfb is an alias for |EVP_aes_128_cfb128| and is only available in\n// decrepit.\nOPENSSL_EXPORT const EVP_CIPHER *EVP_aes_128_cfb(void);\n\n// EVP_aes_192_cfb128 is only available in decrepit.\nOPENSSL_EXPORT const EVP_CIPHER *EVP_aes_192_cfb128(void);\n\n// EVP_aes_192_cfb is an alias for |EVP_aes_192_cfb128| and is only available in\n// decrepit.\nOPENSSL_EXPORT const EVP_CIPHER *EVP_aes_192_cfb(void);\n\n// EVP_aes_256_cfb128 is only available in decrepit.\nOPENSSL_EXPORT const EVP_CIPHER *EVP_aes_256_cfb128(void);\n\n// EVP_aes_256_cfb is an alias for |EVP_aes_256_cfb128| and is only available in\n// decrepit.\nOPENSSL_EXPORT const EVP_CIPHER *EVP_aes_256_cfb(void);\n\n// EVP_bf_ecb is Blowfish in ECB mode and is only available in decrepit.\nOPENSSL_EXPORT const EVP_CIPHER *EVP_bf_ecb(void);\n\n// EVP_bf_cbc is Blowfish in CBC mode and is only available in decrepit.\nOPENSSL_EXPORT const EVP_CIPHER *EVP_bf_cbc(void);\n\n// EVP_bf_cfb is Blowfish in 64-bit CFB mode and is only available in decrepit.\nOPENSSL_EXPORT const EVP_CIPHER *EVP_bf_cfb(void);\n\n// EVP_cast5_ecb is CAST5 in ECB mode and is only available in decrepit.\nOPENSSL_EXPORT const EVP_CIPHER *EVP_cast5_ecb(void);\n\n// EVP_cast5_cbc is CAST5 in CBC mode and is only available in decrepit.\nOPENSSL_EXPORT const EVP_CIPHER *EVP_cast5_cbc(void);\n\n// The following flags do nothing and are included only to make it easier to\n// compile code with BoringSSL.\n#define EVP_CIPHER_CTX_FLAG_WRAP_ALLOW 0\n\n// EVP_CIPHER_CTX_set_flags does nothing.\nOPENSSL_EXPORT void EVP_CIPHER_CTX_set_flags(const EVP_CIPHER_CTX *ctx,\n uint32_t flags);\n\n\n// Private functions.\n\n// EVP_CIPH_NO_PADDING disables padding in block ciphers.\n#define EVP_CIPH_NO_PADDING 0x800\n\n// The following are |EVP_CIPHER_CTX_ctrl| commands.\n#define EVP_CTRL_INIT 0x0\n#define EVP_CTRL_SET_KEY_LENGTH 0x1\n#define EVP_CTRL_GET_RC2_KEY_BITS 0x2\n#define EVP_CTRL_SET_RC2_KEY_BITS 0x3\n#define EVP_CTRL_GET_RC5_ROUNDS 0x4\n#define EVP_CTRL_SET_RC5_ROUNDS 0x5\n#define EVP_CTRL_RAND_KEY 0x6\n#define EVP_CTRL_PBE_PRF_NID 0x7\n#define EVP_CTRL_COPY 0x8\n#define EVP_CTRL_AEAD_SET_IVLEN 0x9\n#define EVP_CTRL_AEAD_GET_TAG 0x10\n#define EVP_CTRL_AEAD_SET_TAG 0x11\n#define EVP_CTRL_AEAD_SET_IV_FIXED 0x12\n#define EVP_CTRL_GCM_IV_GEN 0x13\n#define EVP_CTRL_AEAD_SET_MAC_KEY 0x17\n// EVP_CTRL_GCM_SET_IV_INV sets the GCM invocation field, decrypt only\n#define EVP_CTRL_GCM_SET_IV_INV 0x18\n#define EVP_CTRL_GET_IVLEN 0x19\n\n// The following constants are unused.\n#define EVP_GCM_TLS_FIXED_IV_LEN 4\n#define EVP_GCM_TLS_EXPLICIT_IV_LEN 8\n#define EVP_GCM_TLS_TAG_LEN 16\n\n// The following are legacy aliases for AEAD |EVP_CIPHER_CTX_ctrl| values.\n#define EVP_CTRL_GCM_SET_IVLEN EVP_CTRL_AEAD_SET_IVLEN\n#define EVP_CTRL_GCM_GET_TAG EVP_CTRL_AEAD_GET_TAG\n#define EVP_CTRL_GCM_SET_TAG EVP_CTRL_AEAD_SET_TAG\n#define EVP_CTRL_GCM_SET_IV_FIXED EVP_CTRL_AEAD_SET_IV_FIXED\n\n#define EVP_MAX_KEY_LENGTH 64\n#define EVP_MAX_IV_LENGTH 16\n#define EVP_MAX_BLOCK_LENGTH 32\n\nstruct evp_cipher_ctx_st {\n // cipher contains the underlying cipher for this context.\n const EVP_CIPHER *cipher;\n\n // app_data is a pointer to opaque, user data.\n void *app_data; // application stuff\n\n // cipher_data points to the |cipher| specific state.\n void *cipher_data;\n\n // key_len contains the length of the key, which may differ from\n // |cipher->key_len| if the cipher can take a variable key length.\n unsigned key_len;\n\n // encrypt is one if encrypting and zero if decrypting.\n int encrypt;\n\n // flags contains the OR of zero or more |EVP_CIPH_*| flags, above.\n uint32_t flags;\n\n // oiv contains the original IV value.\n uint8_t oiv[EVP_MAX_IV_LENGTH];\n\n // iv contains the current IV value, which may have been updated.\n uint8_t iv[EVP_MAX_IV_LENGTH];\n\n // buf contains a partial block which is used by, for example, CTR mode to\n // store unused keystream bytes.\n uint8_t buf[EVP_MAX_BLOCK_LENGTH];\n\n // buf_len contains the number of bytes of a partial block contained in\n // |buf|.\n int buf_len;\n\n // num contains the number of bytes of |iv| which are valid for modes that\n // manage partial blocks themselves.\n unsigned num;\n\n // final_used is non-zero if the |final| buffer contains plaintext.\n int final_used;\n\n uint8_t final[EVP_MAX_BLOCK_LENGTH]; // possible final block\n\n // Has this structure been rendered unusable by a failure.\n int poisoned;\n} /* EVP_CIPHER_CTX */;\n\ntypedef struct evp_cipher_info_st {\n const EVP_CIPHER *cipher;\n unsigned char iv[EVP_MAX_IV_LENGTH];\n} EVP_CIPHER_INFO;\n\n\n#if defined(__cplusplus)\n} // extern C\n\n#if !defined(BORINGSSL_NO_CXX)\nextern \"C++\" {\n\nBSSL_NAMESPACE_BEGIN\n\nBORINGSSL_MAKE_DELETER(EVP_CIPHER_CTX, EVP_CIPHER_CTX_free)\n\nusing ScopedEVP_CIPHER_CTX =\n internal::StackAllocated;\n\nBSSL_NAMESPACE_END\n\n} // extern C++\n#endif\n\n#endif\n\n#define CIPHER_R_AES_KEY_SETUP_FAILED 100\n#define CIPHER_R_BAD_DECRYPT 101\n#define CIPHER_R_BAD_KEY_LENGTH 102\n#define CIPHER_R_BUFFER_TOO_SMALL 103\n#define CIPHER_R_CTRL_NOT_IMPLEMENTED 104\n#define CIPHER_R_CTRL_OPERATION_NOT_IMPLEMENTED 105\n#define CIPHER_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH 106\n#define CIPHER_R_INITIALIZATION_ERROR 107\n#define CIPHER_R_INPUT_NOT_INITIALIZED 108\n#define CIPHER_R_INVALID_AD_SIZE 109\n#define CIPHER_R_INVALID_KEY_LENGTH 110\n#define CIPHER_R_INVALID_NONCE_SIZE 111\n#define CIPHER_R_INVALID_OPERATION 112\n#define CIPHER_R_IV_TOO_LARGE 113\n#define CIPHER_R_NO_CIPHER_SET 114\n#define CIPHER_R_OUTPUT_ALIASES_INPUT 115\n#define CIPHER_R_TAG_TOO_LARGE 116\n#define CIPHER_R_TOO_LARGE 117\n#define CIPHER_R_UNSUPPORTED_AD_SIZE 118\n#define CIPHER_R_UNSUPPORTED_INPUT_SIZE 119\n#define CIPHER_R_UNSUPPORTED_KEY_SIZE 120\n#define CIPHER_R_UNSUPPORTED_NONCE_SIZE 121\n#define CIPHER_R_UNSUPPORTED_TAG_SIZE 122\n#define CIPHER_R_WRONG_FINAL_BLOCK_LENGTH 123\n#define CIPHER_R_NO_DIRECTION_SET 124\n#define CIPHER_R_INVALID_NONCE 125\n\n#endif // OPENSSL_HEADER_CIPHER_H\n" }, { "path": "Sources/CNIOBoringSSL/include/CNIOBoringSSL_cmac.h", "content": "/* Copyright 2015 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n#ifndef OPENSSL_HEADER_CMAC_H\n#define OPENSSL_HEADER_CMAC_H\n\n#include \"CNIOBoringSSL_base.h\"\n\n#if defined(__cplusplus)\nextern \"C\" {\n#endif\n\n\n// CMAC.\n//\n// CMAC is a MAC based on AES-CBC and defined in\n// https://tools.ietf.org/html/rfc4493#section-2.3.\n\n\n// One-shot functions.\n\n// AES_CMAC calculates the 16-byte, CMAC authenticator of |in_len| bytes of\n// |in| and writes it to |out|. The |key_len| may be 16 or 32 bytes to select\n// between AES-128 and AES-256. It returns one on success or zero on error.\nOPENSSL_EXPORT int AES_CMAC(uint8_t out[16], const uint8_t *key, size_t key_len,\n const uint8_t *in, size_t in_len);\n\n\n// Incremental interface.\n\n// CMAC_CTX_new allocates a fresh |CMAC_CTX| and returns it, or NULL on\n// error.\nOPENSSL_EXPORT CMAC_CTX *CMAC_CTX_new(void);\n\n// CMAC_CTX_free frees a |CMAC_CTX|.\nOPENSSL_EXPORT void CMAC_CTX_free(CMAC_CTX *ctx);\n\n// CMAC_CTX_copy sets |out| to be a duplicate of the current state |in|. It\n// returns one on success and zero on error.\nOPENSSL_EXPORT int CMAC_CTX_copy(CMAC_CTX *out, const CMAC_CTX *in);\n\n// CMAC_Init configures |ctx| to use the given |key| and |cipher|. The CMAC RFC\n// only specifies the use of AES-128 thus |key_len| should be 16 and |cipher|\n// should be |EVP_aes_128_cbc()|. However, this implementation also supports\n// AES-256 by setting |key_len| to 32 and |cipher| to |EVP_aes_256_cbc()|. The\n// |engine| argument is ignored.\n//\n// It returns one on success or zero on error.\nOPENSSL_EXPORT int CMAC_Init(CMAC_CTX *ctx, const void *key, size_t key_len,\n const EVP_CIPHER *cipher, ENGINE *engine);\n\n\n// CMAC_Reset resets |ctx| so that a fresh message can be authenticated.\nOPENSSL_EXPORT int CMAC_Reset(CMAC_CTX *ctx);\n\n// CMAC_Update processes |in_len| bytes of message from |in|. It returns one on\n// success or zero on error.\nOPENSSL_EXPORT int CMAC_Update(CMAC_CTX *ctx, const uint8_t *in, size_t in_len);\n\n// CMAC_Final sets |*out_len| to 16 and, if |out| is not NULL, writes 16 bytes\n// of authenticator to it. It returns one on success or zero on error.\nOPENSSL_EXPORT int CMAC_Final(CMAC_CTX *ctx, uint8_t *out, size_t *out_len);\n\n\n#if defined(__cplusplus)\n} // extern C\n\nextern \"C++\" {\n\nBSSL_NAMESPACE_BEGIN\n\nBORINGSSL_MAKE_DELETER(CMAC_CTX, CMAC_CTX_free)\n\nBSSL_NAMESPACE_END\n\n} // extern C++\n\n#endif\n\n#endif // OPENSSL_HEADER_CMAC_H\n" }, { "path": "Sources/CNIOBoringSSL/include/CNIOBoringSSL_conf.h", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#ifndef OPENSSL_HEADER_CONF_H\n#define OPENSSL_HEADER_CONF_H\n\n#include \"CNIOBoringSSL_base.h\"\n\n#include \"CNIOBoringSSL_stack.h\"\n#include \"CNIOBoringSSL_lhash.h\"\n\n#if defined(__cplusplus)\nextern \"C\" {\n#endif\n\n\n// Config files.\n//\n// This library handles OpenSSL's config files, which look like:\n//\n// # Comment\n//\n// # This key is in the default section.\n// key=value\n//\n// [section_name]\n// key2=value2\n//\n// Config files are represented by a |CONF|. Use of this module is strongly\n// discouraged. It is a remnant of the OpenSSL command-line tool. Parsing an\n// untrusted input as a config file risks string injection and denial of service\n// vulnerabilities.\n\n\nstruct conf_value_st {\n char *section;\n char *name;\n char *value;\n};\n\nDEFINE_STACK_OF(CONF_VALUE)\nDECLARE_LHASH_OF(CONF_VALUE)\n\n\n// NCONF_new returns a fresh, empty |CONF|, or NULL on error. The |method|\n// argument must be NULL.\nOPENSSL_EXPORT CONF *NCONF_new(void *method);\n\n// NCONF_free frees all the data owned by |conf| and then |conf| itself.\nOPENSSL_EXPORT void NCONF_free(CONF *conf);\n\n// NCONF_load parses the file named |filename| and adds the values found to\n// |conf|. It returns one on success and zero on error. In the event of an\n// error, if |out_error_line| is not NULL, |*out_error_line| is set to the\n// number of the line that contained the error.\nOPENSSL_EXPORT int NCONF_load(CONF *conf, const char *filename,\n long *out_error_line);\n\n// NCONF_load_bio acts like |NCONF_load| but reads from |bio| rather than from\n// a named file.\nOPENSSL_EXPORT int NCONF_load_bio(CONF *conf, BIO *bio, long *out_error_line);\n\n// NCONF_get_section returns a stack of values for a given section in |conf|.\n// If |section| is NULL, the default section is returned. It returns NULL on\n// error.\nOPENSSL_EXPORT const STACK_OF(CONF_VALUE) *NCONF_get_section(\n const CONF *conf, const char *section);\n\n// NCONF_get_string returns the value of the key |name|, in section |section|.\n// The |section| argument may be NULL to indicate the default section. It\n// returns the value or NULL on error.\nOPENSSL_EXPORT const char *NCONF_get_string(const CONF *conf,\n const char *section,\n const char *name);\n\n\n// Deprecated functions\n\n// These defines do nothing but are provided to make old code easier to\n// compile.\n#define CONF_MFLAGS_DEFAULT_SECTION 0\n#define CONF_MFLAGS_IGNORE_MISSING_FILE 0\n\n// CONF_modules_load_file returns one. BoringSSL is defined to have no config\n// file options, thus loading from |filename| always succeeds by doing nothing.\nOPENSSL_EXPORT int CONF_modules_load_file(const char *filename,\n const char *appname,\n unsigned long flags);\n\n// CONF_modules_free does nothing.\nOPENSSL_EXPORT void CONF_modules_free(void);\n\n// OPENSSL_config does nothing.\nOPENSSL_EXPORT void OPENSSL_config(const char *config_name);\n\n// OPENSSL_no_config does nothing.\nOPENSSL_EXPORT void OPENSSL_no_config(void);\n\n\n#if defined(__cplusplus)\n} // extern C\n\nextern \"C++\" {\n\nBSSL_NAMESPACE_BEGIN\n\nBORINGSSL_MAKE_DELETER(CONF, NCONF_free)\n\nBSSL_NAMESPACE_END\n\n} // extern C++\n\n#endif\n\n#define CONF_R_LIST_CANNOT_BE_NULL 100\n#define CONF_R_MISSING_CLOSE_SQUARE_BRACKET 101\n#define CONF_R_MISSING_EQUAL_SIGN 102\n#define CONF_R_NO_CLOSE_BRACE 103\n#define CONF_R_UNABLE_TO_CREATE_NEW_SECTION 104\n#define CONF_R_VARIABLE_HAS_NO_VALUE 105\n#define CONF_R_VARIABLE_EXPANSION_TOO_LONG 106\n#define CONF_R_VARIABLE_EXPANSION_NOT_SUPPORTED 107\n\n#endif // OPENSSL_HEADER_THREAD_H\n" }, { "path": "Sources/CNIOBoringSSL/include/CNIOBoringSSL_cpu.h", "content": "/* Copyright 2014 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n// This header is provided for compatibility with older revisions of BoringSSL.\n// TODO(davidben): Remove this header.\n\n#include \"CNIOBoringSSL_crypto.h\"\n" }, { "path": "Sources/CNIOBoringSSL/include/CNIOBoringSSL_crypto.h", "content": "/* Copyright 2014 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n#ifndef OPENSSL_HEADER_CRYPTO_H\n#define OPENSSL_HEADER_CRYPTO_H\n\n#include \"CNIOBoringSSL_base.h\"\n#include \"CNIOBoringSSL_sha.h\"\n\n// Upstream OpenSSL defines |OPENSSL_malloc|, etc., in crypto.h rather than\n// mem.h.\n#include \"CNIOBoringSSL_mem.h\"\n\n// Upstream OpenSSL defines |CRYPTO_LOCK|, etc., in crypto.h rather than\n// thread.h.\n#include \"CNIOBoringSSL_thread.h\"\n\n\n#if defined(__cplusplus)\nextern \"C\" {\n#endif\n\n\n// crypto.h contains functions for library-wide initialization and properties.\n\n\n// CRYPTO_is_confidential_build returns one if the linked version of BoringSSL\n// has been built with the BORINGSSL_CONFIDENTIAL define and zero otherwise.\n//\n// This is used by some consumers to identify whether they are using an\n// internal version of BoringSSL.\nOPENSSL_EXPORT int CRYPTO_is_confidential_build(void);\n\n// CRYPTO_has_asm returns one unless BoringSSL was built with OPENSSL_NO_ASM,\n// in which case it returns zero.\nOPENSSL_EXPORT int CRYPTO_has_asm(void);\n\n// BORINGSSL_self_test triggers the FIPS KAT-based self tests. It returns one on\n// success and zero on error.\nOPENSSL_EXPORT int BORINGSSL_self_test(void);\n\n// BORINGSSL_integrity_test triggers the module's integrity test where the code\n// and data of the module is matched against a hash injected at build time. It\n// returns one on success or zero if there's a mismatch. This function only\n// exists if the module was built in FIPS mode without ASAN.\nOPENSSL_EXPORT int BORINGSSL_integrity_test(void);\n\n// CRYPTO_pre_sandbox_init initializes the crypto library, pre-acquiring some\n// unusual resources to aid running in sandboxed environments. It is safe to\n// call this function multiple times and concurrently from multiple threads.\n//\n// For more details on using BoringSSL in a sandboxed environment, see\n// SANDBOXING.md in the source tree.\nOPENSSL_EXPORT void CRYPTO_pre_sandbox_init(void);\n\n#if defined(OPENSSL_ARM) && defined(OPENSSL_LINUX) && \\\n !defined(OPENSSL_STATIC_ARMCAP)\n// CRYPTO_needs_hwcap2_workaround returns one if the ARMv8 AArch32 AT_HWCAP2\n// workaround was needed. See https://crbug.com/boringssl/46.\nOPENSSL_EXPORT int CRYPTO_needs_hwcap2_workaround(void);\n#endif // OPENSSL_ARM && OPENSSL_LINUX && !OPENSSL_STATIC_ARMCAP\n\n\n// FIPS monitoring\n\n// FIPS_mode returns zero unless BoringSSL is built with BORINGSSL_FIPS, in\n// which case it returns one.\nOPENSSL_EXPORT int FIPS_mode(void);\n\n// fips_counter_t denotes specific APIs/algorithms. A counter is maintained for\n// each in FIPS mode so that tests can be written to assert that the expected,\n// FIPS functions are being called by a certain peice of code.\nenum fips_counter_t {\n fips_counter_evp_aes_128_gcm = 0,\n fips_counter_evp_aes_256_gcm = 1,\n fips_counter_evp_aes_128_ctr = 2,\n fips_counter_evp_aes_256_ctr = 3,\n\n fips_counter_max = 3,\n};\n\n// FIPS_read_counter returns a counter of the number of times the specific\n// function denoted by |counter| has been used. This always returns zero unless\n// BoringSSL was built with BORINGSSL_FIPS_COUNTERS defined.\nOPENSSL_EXPORT size_t FIPS_read_counter(enum fips_counter_t counter);\n\n\n// Deprecated functions.\n\n// OPENSSL_VERSION_TEXT contains a string the identifies the version of\n// “OpenSSL”. node.js requires a version number in this text.\n#define OPENSSL_VERSION_TEXT \"OpenSSL 1.1.1 (compatible; BoringSSL)\"\n\n#define OPENSSL_VERSION 0\n#define OPENSSL_CFLAGS 1\n#define OPENSSL_BUILT_ON 2\n#define OPENSSL_PLATFORM 3\n#define OPENSSL_DIR 4\n\n// OpenSSL_version is a compatibility function that returns the string\n// \"BoringSSL\" if |which| is |OPENSSL_VERSION| and placeholder strings\n// otherwise.\nOPENSSL_EXPORT const char *OpenSSL_version(int which);\n\n#define SSLEAY_VERSION OPENSSL_VERSION\n#define SSLEAY_CFLAGS OPENSSL_CFLAGS\n#define SSLEAY_BUILT_ON OPENSSL_BUILT_ON\n#define SSLEAY_PLATFORM OPENSSL_PLATFORM\n#define SSLEAY_DIR OPENSSL_DIR\n\n// SSLeay_version calls |OpenSSL_version|.\nOPENSSL_EXPORT const char *SSLeay_version(int which);\n\n// SSLeay is a compatibility function that returns OPENSSL_VERSION_NUMBER from\n// base.h.\nOPENSSL_EXPORT unsigned long SSLeay(void);\n\n// OpenSSL_version_num is a compatibility function that returns\n// OPENSSL_VERSION_NUMBER from base.h.\nOPENSSL_EXPORT unsigned long OpenSSL_version_num(void);\n\n// CRYPTO_malloc_init returns one.\nOPENSSL_EXPORT int CRYPTO_malloc_init(void);\n\n// OPENSSL_malloc_init returns one.\nOPENSSL_EXPORT int OPENSSL_malloc_init(void);\n\n// ENGINE_load_builtin_engines does nothing.\nOPENSSL_EXPORT void ENGINE_load_builtin_engines(void);\n\n// ENGINE_register_all_complete returns one.\nOPENSSL_EXPORT int ENGINE_register_all_complete(void);\n\n// OPENSSL_load_builtin_modules does nothing.\nOPENSSL_EXPORT void OPENSSL_load_builtin_modules(void);\n\n// OPENSSL_INIT_* are options in OpenSSL to configure the library. In BoringSSL,\n// they do nothing.\n#define OPENSSL_INIT_NO_LOAD_CRYPTO_STRINGS 0\n#define OPENSSL_INIT_LOAD_CRYPTO_STRINGS 0\n#define OPENSSL_INIT_ADD_ALL_CIPHERS 0\n#define OPENSSL_INIT_ADD_ALL_DIGESTS 0\n#define OPENSSL_INIT_NO_ADD_ALL_CIPHERS 0\n#define OPENSSL_INIT_NO_ADD_ALL_DIGESTS 0\n#define OPENSSL_INIT_LOAD_CONFIG 0\n#define OPENSSL_INIT_NO_LOAD_CONFIG 0\n#define OPENSSL_INIT_NO_ATEXIT 0\n#define OPENSSL_INIT_ATFORK 0\n#define OPENSSL_INIT_ENGINE_RDRAND 0\n#define OPENSSL_INIT_ENGINE_DYNAMIC 0\n#define OPENSSL_INIT_ENGINE_OPENSSL 0\n#define OPENSSL_INIT_ENGINE_CRYPTODEV 0\n#define OPENSSL_INIT_ENGINE_CAPI 0\n#define OPENSSL_INIT_ENGINE_PADLOCK 0\n#define OPENSSL_INIT_ENGINE_AFALG 0\n#define OPENSSL_INIT_ENGINE_ALL_BUILTIN 0\n\n// OPENSSL_init_crypto returns one.\nOPENSSL_EXPORT int OPENSSL_init_crypto(uint64_t opts,\n const OPENSSL_INIT_SETTINGS *settings);\n\n// OPENSSL_cleanup does nothing.\nOPENSSL_EXPORT void OPENSSL_cleanup(void);\n\n// FIPS_mode_set returns one if |on| matches whether BoringSSL was built with\n// |BORINGSSL_FIPS| and zero otherwise.\nOPENSSL_EXPORT int FIPS_mode_set(int on);\n\n// FIPS_module_name returns the name of the FIPS module.\nOPENSSL_EXPORT const char *FIPS_module_name(void);\n\n// FIPS_module_hash returns the 32-byte hash of the FIPS module.\nOPENSSL_EXPORT const uint8_t *FIPS_module_hash(void);\n\n// FIPS_version returns the version of the FIPS module, or zero if the build\n// isn't exactly at a verified version. The version, expressed in base 10, will\n// be a date in the form yyyymmddXX where XX is often \"00\", but can be\n// incremented if multiple versions are defined on a single day.\n//\n// (This format exceeds a |uint32_t| in the year 4294.)\nOPENSSL_EXPORT uint32_t FIPS_version(void);\n\n// FIPS_query_algorithm_status returns one if |algorithm| is FIPS validated in\n// the current BoringSSL and zero otherwise.\nOPENSSL_EXPORT int FIPS_query_algorithm_status(const char *algorithm);\n\n#if defined(OPENSSL_ARM) && defined(OPENSSL_LINUX) && \\\n !defined(OPENSSL_STATIC_ARMCAP)\n// CRYPTO_has_broken_NEON returns zero.\nOPENSSL_EXPORT int CRYPTO_has_broken_NEON(void);\n#endif\n\n// CRYPTO_library_init does nothing. Historically, it was needed in some build\n// configurations to initialization the library. This is no longer necessary.\nOPENSSL_EXPORT void CRYPTO_library_init(void);\n\n\n#if defined(__cplusplus)\n} // extern C\n#endif\n\n#endif // OPENSSL_HEADER_CRYPTO_H\n" }, { "path": "Sources/CNIOBoringSSL/include/CNIOBoringSSL_ctrdrbg.h", "content": "/* Copyright 2022 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n#ifndef OPENSSL_HEADER_CTRDRBG_H\n#define OPENSSL_HEADER_CTRDRBG_H\n\n#include \"CNIOBoringSSL_base.h\"\n\n#if defined(__cplusplus)\nextern \"C\" {\n#endif\n\n\n// FIPS pseudo-random number generator.\n\n\n// CTR-DRBG state objects.\n//\n// CTR_DRBG_STATE contains the state of a FIPS AES-CTR-based pseudo-random\n// number generator. If BoringSSL was built in FIPS mode then this is a FIPS\n// Approved algorithm.\n\n// CTR_DRBG_ENTROPY_LEN is the number of bytes of input entropy. See SP\n// 800-90Ar1, table 3.\n#define CTR_DRBG_ENTROPY_LEN 48\n\n// CTR_DRBG_MAX_GENERATE_LENGTH is the maximum number of bytes that can be\n// generated in a single call to |CTR_DRBG_generate|.\n#define CTR_DRBG_MAX_GENERATE_LENGTH 65536\n\n// CTR_DRBG_new returns an initialized |CTR_DRBG_STATE|, or NULL if either\n// allocation failed or if |personalization_len| is invalid.\nOPENSSL_EXPORT CTR_DRBG_STATE *CTR_DRBG_new(\n const uint8_t entropy[CTR_DRBG_ENTROPY_LEN], const uint8_t *personalization,\n size_t personalization_len);\n\n// CTR_DRBG_free frees |state| if non-NULL, or else does nothing.\nOPENSSL_EXPORT void CTR_DRBG_free(CTR_DRBG_STATE* state);\n\n// CTR_DRBG_reseed reseeds |drbg| given |CTR_DRBG_ENTROPY_LEN| bytes of entropy\n// in |entropy| and, optionally, up to |CTR_DRBG_ENTROPY_LEN| bytes of\n// additional data. It returns one on success or zero on error.\nOPENSSL_EXPORT int CTR_DRBG_reseed(CTR_DRBG_STATE *drbg,\n const uint8_t entropy[CTR_DRBG_ENTROPY_LEN],\n const uint8_t *additional_data,\n size_t additional_data_len);\n\n// CTR_DRBG_generate processes to up |CTR_DRBG_ENTROPY_LEN| bytes of additional\n// data (if any) and then writes |out_len| random bytes to |out|, where\n// |out_len| <= |CTR_DRBG_MAX_GENERATE_LENGTH|. It returns one on success or\n// zero on error.\nOPENSSL_EXPORT int CTR_DRBG_generate(CTR_DRBG_STATE *drbg, uint8_t *out,\n size_t out_len,\n const uint8_t *additional_data,\n size_t additional_data_len);\n\n// CTR_DRBG_clear zeroises the state of |drbg|.\nOPENSSL_EXPORT void CTR_DRBG_clear(CTR_DRBG_STATE *drbg);\n\n\n#if defined(__cplusplus)\n} // extern C\n\nextern \"C++\" {\nBSSL_NAMESPACE_BEGIN\nBORINGSSL_MAKE_DELETER(CTR_DRBG_STATE, CTR_DRBG_free)\nBSSL_NAMESPACE_END\n} // extern C++\n#endif\n\n#endif // OPENSSL_HEADER_CTRDRBG_H\n" }, { "path": "Sources/CNIOBoringSSL/include/CNIOBoringSSL_curve25519.h", "content": "/* Copyright 2015 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n#ifndef OPENSSL_HEADER_CURVE25519_H\n#define OPENSSL_HEADER_CURVE25519_H\n\n#include \"CNIOBoringSSL_base.h\"\n\n#if defined(__cplusplus)\nextern \"C\" {\n#endif\n\n\n// Curve25519.\n//\n// Curve25519 is an elliptic curve. See https://tools.ietf.org/html/rfc7748.\n\n\n// X25519.\n//\n// X25519 is the Diffie-Hellman primitive built from curve25519. It is\n// sometimes referred to as “curve25519”, but “X25519” is a more precise name.\n// See http://cr.yp.to/ecdh.html and https://tools.ietf.org/html/rfc7748.\n\n#define X25519_PRIVATE_KEY_LEN 32\n#define X25519_PUBLIC_VALUE_LEN 32\n#define X25519_SHARED_KEY_LEN 32\n\n// X25519_keypair sets |out_public_value| and |out_private_key| to a freshly\n// generated, public–private key pair.\nOPENSSL_EXPORT void X25519_keypair(uint8_t out_public_value[32],\n uint8_t out_private_key[32]);\n\n// X25519 writes a shared key to |out_shared_key| that is calculated from the\n// given private key and the peer's public value. It returns one on success and\n// zero on error.\n//\n// Don't use the shared key directly, rather use a KDF and also include the two\n// public values as inputs.\nOPENSSL_EXPORT int X25519(uint8_t out_shared_key[32],\n const uint8_t private_key[32],\n const uint8_t peer_public_value[32]);\n\n// X25519_public_from_private calculates a Diffie-Hellman public value from the\n// given private key and writes it to |out_public_value|.\nOPENSSL_EXPORT void X25519_public_from_private(uint8_t out_public_value[32],\n const uint8_t private_key[32]);\n\n\n// Ed25519.\n//\n// Ed25519 is a signature scheme using a twisted-Edwards curve that is\n// birationally equivalent to curve25519.\n//\n// Note that, unlike RFC 8032's formulation, our private key representation\n// includes a public key suffix to make multiple key signing operations with the\n// same key more efficient. The RFC 8032 private key is referred to in this\n// implementation as the \"seed\" and is the first 32 bytes of our private key.\n\n#define ED25519_PRIVATE_KEY_LEN 64\n#define ED25519_PUBLIC_KEY_LEN 32\n#define ED25519_SIGNATURE_LEN 64\n\n// ED25519_keypair sets |out_public_key| and |out_private_key| to a freshly\n// generated, public–private key pair.\nOPENSSL_EXPORT void ED25519_keypair(uint8_t out_public_key[32],\n uint8_t out_private_key[64]);\n\n// ED25519_sign sets |out_sig| to be a signature of |message_len| bytes from\n// |message| using |private_key|. It returns one on success or zero on\n// allocation failure.\nOPENSSL_EXPORT int ED25519_sign(uint8_t out_sig[64], const uint8_t *message,\n size_t message_len,\n const uint8_t private_key[64]);\n\n// ED25519_verify returns one iff |signature| is a valid signature, by\n// |public_key| of |message_len| bytes from |message|. It returns zero\n// otherwise.\nOPENSSL_EXPORT int ED25519_verify(const uint8_t *message, size_t message_len,\n const uint8_t signature[64],\n const uint8_t public_key[32]);\n\n// ED25519_keypair_from_seed calculates a public and private key from an\n// Ed25519 “seed”. Seed values are not exposed by this API (although they\n// happen to be the first 32 bytes of a private key) so this function is for\n// interoperating with systems that may store just a seed instead of a full\n// private key.\nOPENSSL_EXPORT void ED25519_keypair_from_seed(uint8_t out_public_key[32],\n uint8_t out_private_key[64],\n const uint8_t seed[32]);\n\n\n// SPAKE2.\n//\n// SPAKE2 is a password-authenticated key-exchange. It allows two parties,\n// who share a low-entropy secret (i.e. password), to agree on a shared key.\n// An attacker can only make one guess of the password per execution of the\n// protocol.\n//\n// See https://tools.ietf.org/html/draft-irtf-cfrg-spake2-02.\n\n// spake2_role_t enumerates the different “roles” in SPAKE2. The protocol\n// requires that the symmetry of the two parties be broken so one participant\n// must be “Alice” and the other be “Bob”.\nenum spake2_role_t {\n spake2_role_alice,\n spake2_role_bob,\n};\n\n// SPAKE2_CTX_new creates a new |SPAKE2_CTX| (which can only be used for a\n// single execution of the protocol). SPAKE2 requires the symmetry of the two\n// parties to be broken which is indicated via |my_role| – each party must pass\n// a different value for this argument.\n//\n// The |my_name| and |their_name| arguments allow optional, opaque names to be\n// bound into the protocol. For example MAC addresses, hostnames, usernames\n// etc. These values are not exposed and can avoid context-confusion attacks\n// when a password is shared between several devices.\nOPENSSL_EXPORT SPAKE2_CTX *SPAKE2_CTX_new(\n enum spake2_role_t my_role,\n const uint8_t *my_name, size_t my_name_len,\n const uint8_t *their_name, size_t their_name_len);\n\n// SPAKE2_CTX_free frees |ctx| and all the resources that it has allocated.\nOPENSSL_EXPORT void SPAKE2_CTX_free(SPAKE2_CTX *ctx);\n\n// SPAKE2_MAX_MSG_SIZE is the maximum size of a SPAKE2 message.\n#define SPAKE2_MAX_MSG_SIZE 32\n\n// SPAKE2_generate_msg generates a SPAKE2 message given |password|, writes\n// it to |out| and sets |*out_len| to the number of bytes written.\n//\n// At most |max_out_len| bytes are written to |out| and, in order to ensure\n// success, |max_out_len| should be at least |SPAKE2_MAX_MSG_SIZE| bytes.\n//\n// This function can only be called once for a given |SPAKE2_CTX|.\n//\n// It returns one on success and zero on error.\nOPENSSL_EXPORT int SPAKE2_generate_msg(SPAKE2_CTX *ctx, uint8_t *out,\n size_t *out_len, size_t max_out_len,\n const uint8_t *password,\n size_t password_len);\n\n// SPAKE2_MAX_KEY_SIZE is the maximum amount of key material that SPAKE2 will\n// produce.\n#define SPAKE2_MAX_KEY_SIZE 64\n\n// SPAKE2_process_msg completes the SPAKE2 exchange given the peer's message in\n// |their_msg|, writes at most |max_out_key_len| bytes to |out_key| and sets\n// |*out_key_len| to the number of bytes written.\n//\n// The resulting keying material is suitable for:\n// - Using directly in a key-confirmation step: i.e. each side could\n// transmit a hash of their role, a channel-binding value and the key\n// material to prove to the other side that they know the shared key.\n// - Using as input keying material to HKDF to generate a variety of subkeys\n// for encryption etc.\n//\n// If |max_out_key_key| is smaller than the amount of key material generated\n// then the key is silently truncated. If you want to ensure that no truncation\n// occurs then |max_out_key| should be at least |SPAKE2_MAX_KEY_SIZE|.\n//\n// You must call |SPAKE2_generate_msg| on a given |SPAKE2_CTX| before calling\n// this function. On successful return, |ctx| is complete and calling\n// |SPAKE2_CTX_free| is the only acceptable operation on it.\n//\n// Returns one on success or zero on error.\nOPENSSL_EXPORT int SPAKE2_process_msg(SPAKE2_CTX *ctx, uint8_t *out_key,\n size_t *out_key_len,\n size_t max_out_key_len,\n const uint8_t *their_msg,\n size_t their_msg_len);\n\n\n#if defined(__cplusplus)\n} // extern C\n\nextern \"C++\" {\n\nBSSL_NAMESPACE_BEGIN\n\nBORINGSSL_MAKE_DELETER(SPAKE2_CTX, SPAKE2_CTX_free)\n\nBSSL_NAMESPACE_END\n\n} // extern C++\n\n#endif\n\n#endif // OPENSSL_HEADER_CURVE25519_H\n" }, { "path": "Sources/CNIOBoringSSL/include/CNIOBoringSSL_des.h", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#ifndef OPENSSL_HEADER_DES_H\n#define OPENSSL_HEADER_DES_H\n\n#include \"CNIOBoringSSL_base.h\"\n\n#if defined(__cplusplus)\nextern \"C\" {\n#endif\n\n\n// DES.\n//\n// This module is deprecated and retained for legacy reasons only. It is slow\n// and may leak key material with timing or cache side channels. Moreover,\n// single-keyed DES is broken and can be brute-forced in under a day.\n//\n// Use a modern cipher, such as AES-GCM or ChaCha20-Poly1305, instead.\n\n\ntypedef struct DES_cblock_st {\n uint8_t bytes[8];\n} DES_cblock;\n\ntypedef struct DES_ks {\n uint32_t subkeys[16][2];\n} DES_key_schedule;\n\n\n#define DES_KEY_SZ (sizeof(DES_cblock))\n#define DES_SCHEDULE_SZ (sizeof(DES_key_schedule))\n\n#define DES_ENCRYPT 1\n#define DES_DECRYPT 0\n\n#define DES_CBC_MODE 0\n#define DES_PCBC_MODE 1\n\n// DES_set_key performs a key schedule and initialises |schedule| with |key|.\nOPENSSL_EXPORT void DES_set_key(const DES_cblock *key,\n DES_key_schedule *schedule);\n\n// DES_set_odd_parity sets the parity bits (the least-significant bits in each\n// byte) of |key| given the other bits in each byte.\nOPENSSL_EXPORT void DES_set_odd_parity(DES_cblock *key);\n\n// DES_ecb_encrypt encrypts (or decrypts, if |is_encrypt| is |DES_DECRYPT|) a\n// single DES block (8 bytes) from in to out, using the key configured in\n// |schedule|.\nOPENSSL_EXPORT void DES_ecb_encrypt(const DES_cblock *in, DES_cblock *out,\n const DES_key_schedule *schedule,\n int is_encrypt);\n\n// DES_ncbc_encrypt encrypts (or decrypts, if |enc| is |DES_DECRYPT|) |len|\n// bytes from |in| to |out| with DES in CBC mode.\nOPENSSL_EXPORT void DES_ncbc_encrypt(const uint8_t *in, uint8_t *out,\n size_t len,\n const DES_key_schedule *schedule,\n DES_cblock *ivec, int enc);\n\n// DES_ecb3_encrypt encrypts (or decrypts, if |enc| is |DES_DECRYPT|) a single\n// block (8 bytes) of data from |input| to |output| using 3DES.\nOPENSSL_EXPORT void DES_ecb3_encrypt(const DES_cblock *input,\n DES_cblock *output,\n const DES_key_schedule *ks1,\n const DES_key_schedule *ks2,\n const DES_key_schedule *ks3,\n int enc);\n\n// DES_ede3_cbc_encrypt encrypts (or decrypts, if |enc| is |DES_DECRYPT|) |len|\n// bytes from |in| to |out| with 3DES in CBC mode. 3DES uses three keys, thus\n// the function takes three different |DES_key_schedule|s.\nOPENSSL_EXPORT void DES_ede3_cbc_encrypt(const uint8_t *in, uint8_t *out,\n size_t len,\n const DES_key_schedule *ks1,\n const DES_key_schedule *ks2,\n const DES_key_schedule *ks3,\n DES_cblock *ivec, int enc);\n\n// DES_ede2_cbc_encrypt encrypts (or decrypts, if |enc| is |DES_DECRYPT|) |len|\n// bytes from |in| to |out| with 3DES in CBC mode. With this keying option, the\n// first and third 3DES keys are identical. Thus, this function takes only two\n// different |DES_key_schedule|s.\nOPENSSL_EXPORT void DES_ede2_cbc_encrypt(const uint8_t *in, uint8_t *out,\n size_t len,\n const DES_key_schedule *ks1,\n const DES_key_schedule *ks2,\n DES_cblock *ivec, int enc);\n\n\n// Deprecated functions.\n\n// DES_set_key_unchecked calls |DES_set_key|.\nOPENSSL_EXPORT void DES_set_key_unchecked(const DES_cblock *key,\n DES_key_schedule *schedule);\n\nOPENSSL_EXPORT void DES_ede3_cfb64_encrypt(const uint8_t *in, uint8_t *out,\n long length, DES_key_schedule *ks1,\n DES_key_schedule *ks2,\n DES_key_schedule *ks3,\n DES_cblock *ivec, int *num, int enc);\n\nOPENSSL_EXPORT void DES_ede3_cfb_encrypt(const uint8_t *in, uint8_t *out,\n int numbits, long length,\n DES_key_schedule *ks1,\n DES_key_schedule *ks2,\n DES_key_schedule *ks3,\n DES_cblock *ivec, int enc);\n\n\n#if defined(__cplusplus)\n} // extern C\n#endif\n\n#endif // OPENSSL_HEADER_DES_H\n" }, { "path": "Sources/CNIOBoringSSL/include/CNIOBoringSSL_dh.h", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#ifndef OPENSSL_HEADER_DH_H\n#define OPENSSL_HEADER_DH_H\n\n#include \"CNIOBoringSSL_base.h\"\n\n#include \"CNIOBoringSSL_thread.h\"\n\n#if defined(__cplusplus)\nextern \"C\" {\n#endif\n\n\n// DH contains functions for performing Diffie-Hellman key agreement in\n// multiplicative groups.\n//\n// This module is deprecated and retained for legacy reasons only. It is not\n// considered a priority for performance or hardening work. Do not use it in\n// new code. Use X25519 or ECDH with P-256 instead.\n\n\n// Allocation and destruction.\n//\n// A |DH| object represents a Diffie-Hellman key or group parameters. A given\n// object may be used concurrently on multiple threads by non-mutating\n// functions, provided no other thread is concurrently calling a mutating\n// function. Unless otherwise documented, functions which take a |const| pointer\n// are non-mutating and functions which take a non-|const| pointer are mutating.\n\n// DH_new returns a new, empty DH object or NULL on error.\nOPENSSL_EXPORT DH *DH_new(void);\n\n// DH_free decrements the reference count of |dh| and frees it if the reference\n// count drops to zero.\nOPENSSL_EXPORT void DH_free(DH *dh);\n\n// DH_up_ref increments the reference count of |dh| and returns one. It does not\n// mutate |dh| for thread-safety purposes and may be used concurrently.\nOPENSSL_EXPORT int DH_up_ref(DH *dh);\n\n\n// Properties.\n\n// OPENSSL_DH_MAX_MODULUS_BITS is the maximum supported Diffie-Hellman group\n// modulus, in bits.\n#define OPENSSL_DH_MAX_MODULUS_BITS 10000\n\n// DH_bits returns the size of |dh|'s group modulus, in bits.\nOPENSSL_EXPORT unsigned DH_bits(const DH *dh);\n\n// DH_get0_pub_key returns |dh|'s public key.\nOPENSSL_EXPORT const BIGNUM *DH_get0_pub_key(const DH *dh);\n\n// DH_get0_priv_key returns |dh|'s private key, or NULL if |dh| is a public key.\nOPENSSL_EXPORT const BIGNUM *DH_get0_priv_key(const DH *dh);\n\n// DH_get0_p returns |dh|'s group modulus.\nOPENSSL_EXPORT const BIGNUM *DH_get0_p(const DH *dh);\n\n// DH_get0_q returns the size of |dh|'s subgroup, or NULL if it is unset.\nOPENSSL_EXPORT const BIGNUM *DH_get0_q(const DH *dh);\n\n// DH_get0_g returns |dh|'s group generator.\nOPENSSL_EXPORT const BIGNUM *DH_get0_g(const DH *dh);\n\n// DH_get0_key sets |*out_pub_key| and |*out_priv_key|, if non-NULL, to |dh|'s\n// public and private key, respectively. If |dh| is a public key, the private\n// key will be set to NULL.\nOPENSSL_EXPORT void DH_get0_key(const DH *dh, const BIGNUM **out_pub_key,\n const BIGNUM **out_priv_key);\n\n// DH_set0_key sets |dh|'s public and private key to the specified values. If\n// NULL, the field is left unchanged. On success, it takes ownership of each\n// argument and returns one. Otherwise, it returns zero.\nOPENSSL_EXPORT int DH_set0_key(DH *dh, BIGNUM *pub_key, BIGNUM *priv_key);\n\n// DH_get0_pqg sets |*out_p|, |*out_q|, and |*out_g|, if non-NULL, to |dh|'s p,\n// q, and g parameters, respectively.\nOPENSSL_EXPORT void DH_get0_pqg(const DH *dh, const BIGNUM **out_p,\n const BIGNUM **out_q, const BIGNUM **out_g);\n\n// DH_set0_pqg sets |dh|'s p, q, and g parameters to the specified values. If\n// NULL, the field is left unchanged. On success, it takes ownership of each\n// argument and returns one. Otherwise, it returns zero. |q| may be NULL, but\n// |p| and |g| must either be specified or already configured on |dh|.\nOPENSSL_EXPORT int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g);\n\n// DH_set_length sets the number of bits to use for the secret exponent when\n// calling |DH_generate_key| on |dh| and returns one. If unset,\n// |DH_generate_key| will use the bit length of p.\nOPENSSL_EXPORT int DH_set_length(DH *dh, unsigned priv_length);\n\n\n// Standard parameters.\n\n// DH_get_rfc7919_2048 returns the group `ffdhe2048` from\n// https://tools.ietf.org/html/rfc7919#appendix-A.1. It returns NULL if out\n// of memory.\nOPENSSL_EXPORT DH *DH_get_rfc7919_2048(void);\n\n// BN_get_rfc3526_prime_1536 sets |*ret| to the 1536-bit MODP group from RFC\n// 3526 and returns |ret|. If |ret| is NULL then a fresh |BIGNUM| is allocated\n// and returned. It returns NULL on allocation failure.\nOPENSSL_EXPORT BIGNUM *BN_get_rfc3526_prime_1536(BIGNUM *ret);\n\n// BN_get_rfc3526_prime_2048 sets |*ret| to the 2048-bit MODP group from RFC\n// 3526 and returns |ret|. If |ret| is NULL then a fresh |BIGNUM| is allocated\n// and returned. It returns NULL on allocation failure.\nOPENSSL_EXPORT BIGNUM *BN_get_rfc3526_prime_2048(BIGNUM *ret);\n\n// BN_get_rfc3526_prime_3072 sets |*ret| to the 3072-bit MODP group from RFC\n// 3526 and returns |ret|. If |ret| is NULL then a fresh |BIGNUM| is allocated\n// and returned. It returns NULL on allocation failure.\nOPENSSL_EXPORT BIGNUM *BN_get_rfc3526_prime_3072(BIGNUM *ret);\n\n// BN_get_rfc3526_prime_4096 sets |*ret| to the 4096-bit MODP group from RFC\n// 3526 and returns |ret|. If |ret| is NULL then a fresh |BIGNUM| is allocated\n// and returned. It returns NULL on allocation failure.\nOPENSSL_EXPORT BIGNUM *BN_get_rfc3526_prime_4096(BIGNUM *ret);\n\n// BN_get_rfc3526_prime_6144 sets |*ret| to the 6144-bit MODP group from RFC\n// 3526 and returns |ret|. If |ret| is NULL then a fresh |BIGNUM| is allocated\n// and returned. It returns NULL on allocation failure.\nOPENSSL_EXPORT BIGNUM *BN_get_rfc3526_prime_6144(BIGNUM *ret);\n\n// BN_get_rfc3526_prime_8192 sets |*ret| to the 8192-bit MODP group from RFC\n// 3526 and returns |ret|. If |ret| is NULL then a fresh |BIGNUM| is allocated\n// and returned. It returns NULL on allocation failure.\nOPENSSL_EXPORT BIGNUM *BN_get_rfc3526_prime_8192(BIGNUM *ret);\n\n\n// Parameter generation.\n\n#define DH_GENERATOR_2 2\n#define DH_GENERATOR_5 5\n\n// DH_generate_parameters_ex generates a suitable Diffie-Hellman group with a\n// prime that is |prime_bits| long and stores it in |dh|. The generator of the\n// group will be |generator|, which should be |DH_GENERATOR_2| unless there's a\n// good reason to use a different value. The |cb| argument contains a callback\n// function that will be called during the generation. See the documentation in\n// |bn.h| about this. In addition to the callback invocations from |BN|, |cb|\n// will also be called with |event| equal to three when the generation is\n// complete.\nOPENSSL_EXPORT int DH_generate_parameters_ex(DH *dh, int prime_bits,\n int generator, BN_GENCB *cb);\n\n\n// Diffie-Hellman operations.\n\n// DH_generate_key generates a new, random, private key and stores it in\n// |dh|, if |dh| does not already have a private key. Otherwise, it updates\n// |dh|'s public key to match the private key. It returns one on success and\n// zero on error.\nOPENSSL_EXPORT int DH_generate_key(DH *dh);\n\n// DH_compute_key_padded calculates the shared key between |dh| and |peers_key|\n// and writes it as a big-endian integer into |out|, padded up to |DH_size|\n// bytes. It returns the number of bytes written, which is always |DH_size|, or\n// a negative number on error. |out| must have |DH_size| bytes of space.\n//\n// WARNING: this differs from the usual BoringSSL return-value convention.\n//\n// Note this function differs from |DH_compute_key| in that it preserves leading\n// zeros in the secret. This function is the preferred variant. It matches PKCS\n// #3 and avoids some side channel attacks. However, the two functions are not\n// drop-in replacements for each other. Using a different variant than the\n// application expects will result in sporadic key mismatches.\n//\n// Callers that expect a fixed-width secret should use this function over\n// |DH_compute_key|. Callers that use either function should migrate to a modern\n// primitive such as X25519 or ECDH with P-256 instead.\n//\n// This function does not mutate |dh| for thread-safety purposes and may be used\n// concurrently.\nOPENSSL_EXPORT int DH_compute_key_padded(uint8_t *out, const BIGNUM *peers_key,\n DH *dh);\n\n// DH_compute_key_hashed calculates the shared key between |dh| and |peers_key|\n// and hashes it with the given |digest|. If the hash output is less than\n// |max_out_len| bytes then it writes the hash output to |out| and sets\n// |*out_len| to the number of bytes written. Otherwise it signals an error. It\n// returns one on success or zero on error.\n//\n// NOTE: this follows the usual BoringSSL return-value convention, but that's\n// different from |DH_compute_key| and |DH_compute_key_padded|.\n//\n// This function does not mutate |dh| for thread-safety purposes and may be used\n// concurrently.\nOPENSSL_EXPORT int DH_compute_key_hashed(DH *dh, uint8_t *out, size_t *out_len,\n size_t max_out_len,\n const BIGNUM *peers_key,\n const EVP_MD *digest);\n\n\n// Utility functions.\n\n// DH_size returns the number of bytes in the DH group's prime.\nOPENSSL_EXPORT int DH_size(const DH *dh);\n\n// DH_num_bits returns the minimum number of bits needed to represent the\n// absolute value of the DH group's prime.\nOPENSSL_EXPORT unsigned DH_num_bits(const DH *dh);\n\n#define DH_CHECK_P_NOT_PRIME 0x01\n#define DH_CHECK_P_NOT_SAFE_PRIME 0x02\n#define DH_CHECK_UNABLE_TO_CHECK_GENERATOR 0x04\n#define DH_CHECK_NOT_SUITABLE_GENERATOR 0x08\n#define DH_CHECK_Q_NOT_PRIME 0x10\n#define DH_CHECK_INVALID_Q_VALUE 0x20\n\n// These are compatibility defines.\n#define DH_NOT_SUITABLE_GENERATOR DH_CHECK_NOT_SUITABLE_GENERATOR\n#define DH_UNABLE_TO_CHECK_GENERATOR DH_CHECK_UNABLE_TO_CHECK_GENERATOR\n\n// DH_check checks the suitability of |dh| as a Diffie-Hellman group. and sets\n// |DH_CHECK_*| flags in |*out_flags| if it finds any errors. It returns one if\n// |*out_flags| was successfully set and zero on error.\n//\n// Note: these checks may be quite computationally expensive.\nOPENSSL_EXPORT int DH_check(const DH *dh, int *out_flags);\n\n#define DH_CHECK_PUBKEY_TOO_SMALL 0x1\n#define DH_CHECK_PUBKEY_TOO_LARGE 0x2\n#define DH_CHECK_PUBKEY_INVALID 0x4\n\n// DH_check_pub_key checks the suitability of |pub_key| as a public key for the\n// DH group in |dh| and sets |DH_CHECK_PUBKEY_*| flags in |*out_flags| if it\n// finds any errors. It returns one if |*out_flags| was successfully set and\n// zero on error.\nOPENSSL_EXPORT int DH_check_pub_key(const DH *dh, const BIGNUM *pub_key,\n int *out_flags);\n\n// DHparams_dup allocates a fresh |DH| and copies the parameters from |dh| into\n// it. It returns the new |DH| or NULL on error.\nOPENSSL_EXPORT DH *DHparams_dup(const DH *dh);\n\n\n// ASN.1 functions.\n\n// DH_parse_parameters decodes a DER-encoded DHParameter structure (PKCS #3)\n// from |cbs| and advances |cbs|. It returns a newly-allocated |DH| or NULL on\n// error.\nOPENSSL_EXPORT DH *DH_parse_parameters(CBS *cbs);\n\n// DH_marshal_parameters marshals |dh| as a DER-encoded DHParameter structure\n// (PKCS #3) and appends the result to |cbb|. It returns one on success and zero\n// on error.\nOPENSSL_EXPORT int DH_marshal_parameters(CBB *cbb, const DH *dh);\n\n\n// Deprecated functions.\n\n// DH_generate_parameters behaves like |DH_generate_parameters_ex|, which is\n// what you should use instead. It returns NULL on error, or a newly-allocated\n// |DH| on success. This function is provided for compatibility only.\nOPENSSL_EXPORT DH *DH_generate_parameters(int prime_len, int generator,\n void (*callback)(int, int, void *),\n void *cb_arg);\n\n// d2i_DHparams parses a DER-encoded DHParameter structure (PKCS #3) from |len|\n// bytes at |*inp|, as in |d2i_SAMPLE|.\n//\n// Use |DH_parse_parameters| instead.\nOPENSSL_EXPORT DH *d2i_DHparams(DH **ret, const unsigned char **inp, long len);\n\n// i2d_DHparams marshals |in| to a DER-encoded DHParameter structure (PKCS #3),\n// as described in |i2d_SAMPLE|.\n//\n// Use |DH_marshal_parameters| instead.\nOPENSSL_EXPORT int i2d_DHparams(const DH *in, unsigned char **outp);\n\n// DH_compute_key behaves like |DH_compute_key_padded| but, contrary to PKCS #3,\n// returns a variable-length shared key with leading zeros. It returns the\n// number of bytes written, or a negative number on error. |out| must have\n// |DH_size| bytes of space.\n//\n// WARNING: this differs from the usual BoringSSL return-value convention.\n//\n// Note this function's running time and memory access pattern leaks information\n// about the shared secret. Particularly if |dh| is reused, this may result in\n// side channel attacks such as https://raccoon-attack.com/.\n//\n// |DH_compute_key_padded| is the preferred variant and avoids the above\n// attacks. However, the two functions are not drop-in replacements for each\n// other. Using a different variant than the application expects will result in\n// sporadic key mismatches.\n//\n// Callers that expect a fixed-width secret should use |DH_compute_key_padded|\n// instead. Callers that use either function should migrate to a modern\n// primitive such as X25519 or ECDH with P-256 instead.\n//\n// This function does not mutate |dh| for thread-safety purposes and may be used\n// concurrently.\nOPENSSL_EXPORT int DH_compute_key(uint8_t *out, const BIGNUM *peers_key,\n DH *dh);\n\n\n#if defined(__cplusplus)\n} // extern C\n\nextern \"C++\" {\n\nBSSL_NAMESPACE_BEGIN\n\nBORINGSSL_MAKE_DELETER(DH, DH_free)\nBORINGSSL_MAKE_UP_REF(DH, DH_up_ref)\n\nBSSL_NAMESPACE_END\n\n} // extern C++\n\n#endif\n\n#define DH_R_BAD_GENERATOR 100\n#define DH_R_INVALID_PUBKEY 101\n#define DH_R_MODULUS_TOO_LARGE 102\n#define DH_R_NO_PRIVATE_VALUE 103\n#define DH_R_DECODE_ERROR 104\n#define DH_R_ENCODE_ERROR 105\n#define DH_R_INVALID_PARAMETERS 106\n\n#endif // OPENSSL_HEADER_DH_H\n" }, { "path": "Sources/CNIOBoringSSL/include/CNIOBoringSSL_digest.h", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#ifndef OPENSSL_HEADER_DIGEST_H\n#define OPENSSL_HEADER_DIGEST_H\n\n#include \"CNIOBoringSSL_base.h\"\n\n#if defined(__cplusplus)\nextern \"C\" {\n#endif\n\n\n// Digest functions.\n//\n// An EVP_MD abstracts the details of a specific hash function allowing code to\n// deal with the concept of a \"hash function\" without needing to know exactly\n// which hash function it is.\n\n\n// Hash algorithms.\n//\n// The following functions return |EVP_MD| objects that implement the named hash\n// function.\n\nOPENSSL_EXPORT const EVP_MD *EVP_md4(void);\nOPENSSL_EXPORT const EVP_MD *EVP_md5(void);\nOPENSSL_EXPORT const EVP_MD *EVP_sha1(void);\nOPENSSL_EXPORT const EVP_MD *EVP_sha224(void);\nOPENSSL_EXPORT const EVP_MD *EVP_sha256(void);\nOPENSSL_EXPORT const EVP_MD *EVP_sha384(void);\nOPENSSL_EXPORT const EVP_MD *EVP_sha512(void);\nOPENSSL_EXPORT const EVP_MD *EVP_sha512_256(void);\nOPENSSL_EXPORT const EVP_MD *EVP_blake2b256(void);\n\n// EVP_md5_sha1 is a TLS-specific |EVP_MD| which computes the concatenation of\n// MD5 and SHA-1, as used in TLS 1.1 and below.\nOPENSSL_EXPORT const EVP_MD *EVP_md5_sha1(void);\n\n// EVP_get_digestbynid returns an |EVP_MD| for the given NID, or NULL if no\n// such digest is known.\nOPENSSL_EXPORT const EVP_MD *EVP_get_digestbynid(int nid);\n\n// EVP_get_digestbyobj returns an |EVP_MD| for the given |ASN1_OBJECT|, or NULL\n// if no such digest is known.\nOPENSSL_EXPORT const EVP_MD *EVP_get_digestbyobj(const ASN1_OBJECT *obj);\n\n\n// Digest contexts.\n//\n// An EVP_MD_CTX represents the state of a specific digest operation in\n// progress.\n\n// EVP_MD_CTX_init initialises an, already allocated, |EVP_MD_CTX|. This is the\n// same as setting the structure to zero.\nOPENSSL_EXPORT void EVP_MD_CTX_init(EVP_MD_CTX *ctx);\n\n// EVP_MD_CTX_new allocates and initialises a fresh |EVP_MD_CTX| and returns\n// it, or NULL on allocation failure. The caller must use |EVP_MD_CTX_free| to\n// release the resulting object.\nOPENSSL_EXPORT EVP_MD_CTX *EVP_MD_CTX_new(void);\n\n// EVP_MD_CTX_cleanup frees any resources owned by |ctx| and resets it to a\n// freshly initialised state. It does not free |ctx| itself. It returns one.\nOPENSSL_EXPORT int EVP_MD_CTX_cleanup(EVP_MD_CTX *ctx);\n\n// EVP_MD_CTX_cleanse zeros the digest state in |ctx| and then performs the\n// actions of |EVP_MD_CTX_cleanup|. Note that some |EVP_MD_CTX| objects contain\n// more than just a digest (e.g. those resulting from |EVP_DigestSignInit|) but\n// this function does not zero out more than just the digest state even in that\n// case.\nOPENSSL_EXPORT void EVP_MD_CTX_cleanse(EVP_MD_CTX *ctx);\n\n// EVP_MD_CTX_free calls |EVP_MD_CTX_cleanup| and then frees |ctx| itself.\nOPENSSL_EXPORT void EVP_MD_CTX_free(EVP_MD_CTX *ctx);\n\n// EVP_MD_CTX_copy_ex sets |out|, which must already be initialised, to be a\n// copy of |in|. It returns one on success and zero on allocation failure.\nOPENSSL_EXPORT int EVP_MD_CTX_copy_ex(EVP_MD_CTX *out, const EVP_MD_CTX *in);\n\n// EVP_MD_CTX_move sets |out|, which must already be initialised, to the hash\n// state in |in|. |in| is mutated and left in an empty state.\nOPENSSL_EXPORT void EVP_MD_CTX_move(EVP_MD_CTX *out, EVP_MD_CTX *in);\n\n// EVP_MD_CTX_reset calls |EVP_MD_CTX_cleanup| followed by |EVP_MD_CTX_init|. It\n// returns one.\nOPENSSL_EXPORT int EVP_MD_CTX_reset(EVP_MD_CTX *ctx);\n\n\n// Digest operations.\n\n// EVP_DigestInit_ex configures |ctx|, which must already have been\n// initialised, for a fresh hashing operation using |type|. It returns one on\n// success and zero on allocation failure.\nOPENSSL_EXPORT int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type,\n ENGINE *engine);\n\n// EVP_DigestInit acts like |EVP_DigestInit_ex| except that |ctx| is\n// initialised before use.\nOPENSSL_EXPORT int EVP_DigestInit(EVP_MD_CTX *ctx, const EVP_MD *type);\n\n// EVP_DigestUpdate hashes |len| bytes from |data| into the hashing operation\n// in |ctx|. It returns one.\nOPENSSL_EXPORT int EVP_DigestUpdate(EVP_MD_CTX *ctx, const void *data,\n size_t len);\n\n// EVP_MAX_MD_SIZE is the largest digest size supported, in bytes.\n// Functions that output a digest generally require the buffer have\n// at least this much space.\n#define EVP_MAX_MD_SIZE 64 // SHA-512 is the longest so far.\n\n// EVP_MAX_MD_BLOCK_SIZE is the largest digest block size supported, in\n// bytes.\n#define EVP_MAX_MD_BLOCK_SIZE 128 // SHA-512 is the longest so far.\n\n// EVP_DigestFinal_ex finishes the digest in |ctx| and writes the output to\n// |md_out|. |EVP_MD_CTX_size| bytes are written, which is at most\n// |EVP_MAX_MD_SIZE|. If |out_size| is not NULL then |*out_size| is set to the\n// number of bytes written. It returns one. After this call, the hash cannot be\n// updated or finished again until |EVP_DigestInit_ex| is called to start\n// another hashing operation.\nOPENSSL_EXPORT int EVP_DigestFinal_ex(EVP_MD_CTX *ctx, uint8_t *md_out,\n unsigned int *out_size);\n\n// EVP_DigestFinal acts like |EVP_DigestFinal_ex| except that\n// |EVP_MD_CTX_cleanup| is called on |ctx| before returning.\nOPENSSL_EXPORT int EVP_DigestFinal(EVP_MD_CTX *ctx, uint8_t *md_out,\n unsigned int *out_size);\n\n// EVP_Digest performs a complete hashing operation in one call. It hashes |len|\n// bytes from |data| and writes the digest to |md_out|. |EVP_MD_CTX_size| bytes\n// are written, which is at most |EVP_MAX_MD_SIZE|. If |out_size| is not NULL\n// then |*out_size| is set to the number of bytes written. It returns one on\n// success and zero otherwise.\nOPENSSL_EXPORT int EVP_Digest(const void *data, size_t len, uint8_t *md_out,\n unsigned int *md_out_size, const EVP_MD *type,\n ENGINE *impl);\n\n\n// Digest function accessors.\n//\n// These functions allow code to learn details about an abstract hash\n// function.\n\n// EVP_MD_type returns a NID identifying |md|. (For example, |NID_sha256|.)\nOPENSSL_EXPORT int EVP_MD_type(const EVP_MD *md);\n\n// EVP_MD_flags returns the flags for |md|, which is a set of |EVP_MD_FLAG_*|\n// values, ORed together.\nOPENSSL_EXPORT uint32_t EVP_MD_flags(const EVP_MD *md);\n\n// EVP_MD_size returns the digest size of |md|, in bytes.\nOPENSSL_EXPORT size_t EVP_MD_size(const EVP_MD *md);\n\n// EVP_MD_block_size returns the native block-size of |md|, in bytes.\nOPENSSL_EXPORT size_t EVP_MD_block_size(const EVP_MD *md);\n\n// EVP_MD_FLAG_PKEY_DIGEST indicates that the digest function is used with a\n// specific public key in order to verify signatures. (For example,\n// EVP_dss1.)\n#define EVP_MD_FLAG_PKEY_DIGEST 1\n\n// EVP_MD_FLAG_DIGALGID_ABSENT indicates that the parameter type in an X.509\n// DigestAlgorithmIdentifier representing this digest function should be\n// undefined rather than NULL.\n#define EVP_MD_FLAG_DIGALGID_ABSENT 2\n\n// EVP_MD_FLAG_XOF indicates that the digest is an extensible-output function\n// (XOF). This flag is defined for compatibility and will never be set in any\n// |EVP_MD| in BoringSSL.\n#define EVP_MD_FLAG_XOF 4\n\n\n// Digest operation accessors.\n\n// EVP_MD_CTX_get0_md returns the underlying digest function, or NULL if one has\n// not been set.\nOPENSSL_EXPORT const EVP_MD *EVP_MD_CTX_get0_md(const EVP_MD_CTX *ctx);\n\n// EVP_MD_CTX_md returns the underlying digest function, or NULL if one has not\n// been set. (This is the same as |EVP_MD_CTX_get0_md| but OpenSSL has\n// deprecated this spelling.)\nOPENSSL_EXPORT const EVP_MD *EVP_MD_CTX_md(const EVP_MD_CTX *ctx);\n\n// EVP_MD_CTX_size returns the digest size of |ctx|, in bytes. It\n// will crash if a digest hasn't been set on |ctx|.\nOPENSSL_EXPORT size_t EVP_MD_CTX_size(const EVP_MD_CTX *ctx);\n\n// EVP_MD_CTX_block_size returns the block size of the digest function used by\n// |ctx|, in bytes. It will crash if a digest hasn't been set on |ctx|.\nOPENSSL_EXPORT size_t EVP_MD_CTX_block_size(const EVP_MD_CTX *ctx);\n\n// EVP_MD_CTX_type returns a NID describing the digest function used by |ctx|.\n// (For example, |NID_sha256|.) It will crash if a digest hasn't been set on\n// |ctx|.\nOPENSSL_EXPORT int EVP_MD_CTX_type(const EVP_MD_CTX *ctx);\n\n\n// ASN.1 functions.\n//\n// These functions allow code to parse and serialize AlgorithmIdentifiers for\n// hash functions.\n\n// EVP_parse_digest_algorithm parses an AlgorithmIdentifier structure containing\n// a hash function OID (for example, 2.16.840.1.101.3.4.2.1 is SHA-256) and\n// advances |cbs|. The parameters field may either be omitted or a NULL. It\n// returns the digest function or NULL on error.\nOPENSSL_EXPORT const EVP_MD *EVP_parse_digest_algorithm(CBS *cbs);\n\n// EVP_marshal_digest_algorithm marshals |md| as an AlgorithmIdentifier\n// structure and appends the result to |cbb|. It returns one on success and zero\n// on error.\nOPENSSL_EXPORT int EVP_marshal_digest_algorithm(CBB *cbb, const EVP_MD *md);\n\n\n// Deprecated functions.\n\n// EVP_MD_CTX_copy sets |out|, which must /not/ be initialised, to be a copy of\n// |in|. It returns one on success and zero on error.\nOPENSSL_EXPORT int EVP_MD_CTX_copy(EVP_MD_CTX *out, const EVP_MD_CTX *in);\n\n// EVP_add_digest does nothing and returns one. It exists only for\n// compatibility with OpenSSL.\nOPENSSL_EXPORT int EVP_add_digest(const EVP_MD *digest);\n\n// EVP_get_digestbyname returns an |EVP_MD| given a human readable name in\n// |name|, or NULL if the name is unknown.\nOPENSSL_EXPORT const EVP_MD *EVP_get_digestbyname(const char *);\n\n// EVP_dss1 returns the value of EVP_sha1(). This was provided by OpenSSL to\n// specifiy the original DSA signatures, which were fixed to use SHA-1. Note,\n// however, that attempting to sign or verify DSA signatures with the EVP\n// interface will always fail.\nOPENSSL_EXPORT const EVP_MD *EVP_dss1(void);\n\n// EVP_MD_CTX_create calls |EVP_MD_CTX_new|.\nOPENSSL_EXPORT EVP_MD_CTX *EVP_MD_CTX_create(void);\n\n// EVP_MD_CTX_destroy calls |EVP_MD_CTX_free|.\nOPENSSL_EXPORT void EVP_MD_CTX_destroy(EVP_MD_CTX *ctx);\n\n// EVP_DigestFinalXOF returns zero and adds an error to the error queue.\n// BoringSSL does not support any XOF digests.\nOPENSSL_EXPORT int EVP_DigestFinalXOF(EVP_MD_CTX *ctx, uint8_t *out,\n size_t len);\n\n// EVP_MD_meth_get_flags calls |EVP_MD_flags|.\nOPENSSL_EXPORT uint32_t EVP_MD_meth_get_flags(const EVP_MD *md);\n\n// EVP_MD_CTX_set_flags does nothing.\nOPENSSL_EXPORT void EVP_MD_CTX_set_flags(EVP_MD_CTX *ctx, int flags);\n\n// EVP_MD_CTX_FLAG_NON_FIPS_ALLOW is meaningless. In OpenSSL it permits non-FIPS\n// algorithms in FIPS mode. But BoringSSL FIPS mode doesn't prohibit algorithms\n// (it's up the the caller to use the FIPS module in a fashion compliant with\n// their needs). Thus this exists only to allow code to compile.\n#define EVP_MD_CTX_FLAG_NON_FIPS_ALLOW 0\n\n// EVP_MD_nid calls |EVP_MD_type|.\nOPENSSL_EXPORT int EVP_MD_nid(const EVP_MD *md);\n\n\nstruct evp_md_pctx_ops;\n\nstruct env_md_ctx_st {\n // digest is the underlying digest function, or NULL if not set.\n const EVP_MD *digest;\n // md_data points to a block of memory that contains the hash-specific\n // context.\n void *md_data;\n\n // pctx is an opaque (at this layer) pointer to additional context that\n // EVP_PKEY functions may store in this object.\n EVP_PKEY_CTX *pctx;\n\n // pctx_ops, if not NULL, points to a vtable that contains functions to\n // manipulate |pctx|.\n const struct evp_md_pctx_ops *pctx_ops;\n} /* EVP_MD_CTX */;\n\n\n#if defined(__cplusplus)\n} // extern C\n\n#if !defined(BORINGSSL_NO_CXX)\nextern \"C++\" {\n\nBSSL_NAMESPACE_BEGIN\n\nBORINGSSL_MAKE_DELETER(EVP_MD_CTX, EVP_MD_CTX_free)\n\nusing ScopedEVP_MD_CTX =\n internal::StackAllocatedMovable;\n\nBSSL_NAMESPACE_END\n\n} // extern C++\n#endif\n\n#endif\n\n#define DIGEST_R_INPUT_NOT_INITIALIZED 100\n#define DIGEST_R_DECODE_ERROR 101\n#define DIGEST_R_UNKNOWN_HASH 102\n\n#endif // OPENSSL_HEADER_DIGEST_H\n" }, { "path": "Sources/CNIOBoringSSL/include/CNIOBoringSSL_dsa.h", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#ifndef OPENSSL_HEADER_DSA_H\n#define OPENSSL_HEADER_DSA_H\n\n#include \"CNIOBoringSSL_base.h\"\n\n#include \"CNIOBoringSSL_ex_data.h\"\n\n#if defined(__cplusplus)\nextern \"C\" {\n#endif\n\n\n// DSA contains functions for signing and verifying with the Digital Signature\n// Algorithm.\n//\n// This module is deprecated and retained for legacy reasons only. It is not\n// considered a priority for performance or hardening work. Do not use it in\n// new code. Use Ed25519, ECDSA with P-256, or RSA instead.\n\n\n// Allocation and destruction.\n//\n// A |DSA| object represents a DSA key or group parameters. A given object may\n// be used concurrently on multiple threads by non-mutating functions, provided\n// no other thread is concurrently calling a mutating function. Unless otherwise\n// documented, functions which take a |const| pointer are non-mutating and\n// functions which take a non-|const| pointer are mutating.\n\n// DSA_new returns a new, empty DSA object or NULL on error.\nOPENSSL_EXPORT DSA *DSA_new(void);\n\n// DSA_free decrements the reference count of |dsa| and frees it if the\n// reference count drops to zero.\nOPENSSL_EXPORT void DSA_free(DSA *dsa);\n\n// DSA_up_ref increments the reference count of |dsa| and returns one. It does\n// not mutate |dsa| for thread-safety purposes and may be used concurrently.\nOPENSSL_EXPORT int DSA_up_ref(DSA *dsa);\n\n\n// Properties.\n\n// OPENSSL_DSA_MAX_MODULUS_BITS is the maximum supported DSA group modulus, in\n// bits.\n#define OPENSSL_DSA_MAX_MODULUS_BITS 10000\n\n// DSA_bits returns the size of |dsa|'s group modulus, in bits.\nOPENSSL_EXPORT unsigned DSA_bits(const DSA *dsa);\n\n// DSA_get0_pub_key returns |dsa|'s public key.\nOPENSSL_EXPORT const BIGNUM *DSA_get0_pub_key(const DSA *dsa);\n\n// DSA_get0_priv_key returns |dsa|'s private key, or NULL if |dsa| is a public\n// key.\nOPENSSL_EXPORT const BIGNUM *DSA_get0_priv_key(const DSA *dsa);\n\n// DSA_get0_p returns |dsa|'s group modulus.\nOPENSSL_EXPORT const BIGNUM *DSA_get0_p(const DSA *dsa);\n\n// DSA_get0_q returns the size of |dsa|'s subgroup.\nOPENSSL_EXPORT const BIGNUM *DSA_get0_q(const DSA *dsa);\n\n// DSA_get0_g returns |dsa|'s group generator.\nOPENSSL_EXPORT const BIGNUM *DSA_get0_g(const DSA *dsa);\n\n// DSA_get0_key sets |*out_pub_key| and |*out_priv_key|, if non-NULL, to |dsa|'s\n// public and private key, respectively. If |dsa| is a public key, the private\n// key will be set to NULL.\nOPENSSL_EXPORT void DSA_get0_key(const DSA *dsa, const BIGNUM **out_pub_key,\n const BIGNUM **out_priv_key);\n\n// DSA_get0_pqg sets |*out_p|, |*out_q|, and |*out_g|, if non-NULL, to |dsa|'s\n// p, q, and g parameters, respectively.\nOPENSSL_EXPORT void DSA_get0_pqg(const DSA *dsa, const BIGNUM **out_p,\n const BIGNUM **out_q, const BIGNUM **out_g);\n\n// DSA_set0_key sets |dsa|'s public and private key to |pub_key| and |priv_key|,\n// respectively, if non-NULL. On success, it takes ownership of each argument\n// and returns one. Otherwise, it returns zero.\n//\n// |priv_key| may be NULL, but |pub_key| must either be non-NULL or already\n// configured on |dsa|.\nOPENSSL_EXPORT int DSA_set0_key(DSA *dsa, BIGNUM *pub_key, BIGNUM *priv_key);\n\n// DSA_set0_pqg sets |dsa|'s parameters to |p|, |q|, and |g|, if non-NULL, and\n// takes ownership of them. On success, it takes ownership of each argument and\n// returns one. Otherwise, it returns zero.\n//\n// Each argument must either be non-NULL or already configured on |dsa|.\nOPENSSL_EXPORT int DSA_set0_pqg(DSA *dsa, BIGNUM *p, BIGNUM *q, BIGNUM *g);\n\n\n// Parameter generation.\n\n// DSA_generate_parameters_ex generates a set of DSA parameters by following\n// the procedure given in FIPS 186-4, appendix A.\n// (http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf)\n//\n// The larger prime will have a length of |bits| (e.g. 2048). The |seed| value\n// allows others to generate and verify the same parameters and should be\n// random input which is kept for reference. If |out_counter| or |out_h| are\n// not NULL then the counter and h value used in the generation are written to\n// them.\n//\n// The |cb| argument is passed to |BN_generate_prime_ex| and is thus called\n// during the generation process in order to indicate progress. See the\n// comments for that function for details. In addition to the calls made by\n// |BN_generate_prime_ex|, |DSA_generate_parameters_ex| will call it with\n// |event| equal to 2 and 3 at different stages of the process.\n//\n// It returns one on success and zero otherwise.\nOPENSSL_EXPORT int DSA_generate_parameters_ex(DSA *dsa, unsigned bits,\n const uint8_t *seed,\n size_t seed_len, int *out_counter,\n unsigned long *out_h,\n BN_GENCB *cb);\n\n// DSAparams_dup returns a freshly allocated |DSA| that contains a copy of the\n// parameters from |dsa|. It returns NULL on error.\nOPENSSL_EXPORT DSA *DSAparams_dup(const DSA *dsa);\n\n\n// Key generation.\n\n// DSA_generate_key generates a public/private key pair in |dsa|, which must\n// already have parameters setup. It returns one on success and zero on\n// error.\nOPENSSL_EXPORT int DSA_generate_key(DSA *dsa);\n\n\n// Signatures.\n\n// DSA_SIG_st (aka |DSA_SIG|) contains a DSA signature as a pair of integers.\nstruct DSA_SIG_st {\n BIGNUM *r, *s;\n};\n\n// DSA_SIG_new returns a freshly allocated, DIG_SIG structure or NULL on error.\n// Both |r| and |s| in the signature will be NULL.\nOPENSSL_EXPORT DSA_SIG *DSA_SIG_new(void);\n\n// DSA_SIG_free frees the contents of |sig| and then frees |sig| itself.\nOPENSSL_EXPORT void DSA_SIG_free(DSA_SIG *sig);\n\n// DSA_SIG_get0 sets |*out_r| and |*out_s|, if non-NULL, to the two components\n// of |sig|.\nOPENSSL_EXPORT void DSA_SIG_get0(const DSA_SIG *sig, const BIGNUM **out_r,\n const BIGNUM **out_s);\n\n// DSA_SIG_set0 sets |sig|'s components to |r| and |s|, neither of which may be\n// NULL. On success, it takes ownership of each argument and returns one.\n// Otherwise, it returns zero.\nOPENSSL_EXPORT int DSA_SIG_set0(DSA_SIG *sig, BIGNUM *r, BIGNUM *s);\n\n// DSA_do_sign returns a signature of the hash in |digest| by the key in |dsa|\n// and returns an allocated, DSA_SIG structure, or NULL on error.\nOPENSSL_EXPORT DSA_SIG *DSA_do_sign(const uint8_t *digest, size_t digest_len,\n const DSA *dsa);\n\n// DSA_do_verify verifies that |sig| is a valid signature, by the public key in\n// |dsa|, of the hash in |digest|. It returns one if so, zero if invalid and -1\n// on error.\n//\n// WARNING: do not use. This function returns -1 for error, 0 for invalid and 1\n// for valid. However, this is dangerously different to the usual OpenSSL\n// convention and could be a disaster if a user did |if (DSA_do_verify(...))|.\n// Because of this, |DSA_check_signature| is a safer version of this.\n//\n// TODO(fork): deprecate.\nOPENSSL_EXPORT int DSA_do_verify(const uint8_t *digest, size_t digest_len,\n const DSA_SIG *sig, const DSA *dsa);\n\n// DSA_do_check_signature sets |*out_valid| to zero. Then it verifies that |sig|\n// is a valid signature, by the public key in |dsa| of the hash in |digest|\n// and, if so, it sets |*out_valid| to one.\n//\n// It returns one if it was able to verify the signature as valid or invalid,\n// and zero on error.\nOPENSSL_EXPORT int DSA_do_check_signature(int *out_valid, const uint8_t *digest,\n size_t digest_len, const DSA_SIG *sig,\n const DSA *dsa);\n\n\n// ASN.1 signatures.\n//\n// These functions also perform DSA signature operations, but deal with ASN.1\n// encoded signatures as opposed to raw |BIGNUM|s. If you don't know what\n// encoding a DSA signature is in, it's probably ASN.1.\n\n// DSA_sign signs |digest| with the key in |dsa| and writes the resulting\n// signature, in ASN.1 form, to |out_sig| and the length of the signature to\n// |*out_siglen|. There must be, at least, |DSA_size(dsa)| bytes of space in\n// |out_sig|. It returns one on success and zero otherwise.\n//\n// (The |type| argument is ignored.)\nOPENSSL_EXPORT int DSA_sign(int type, const uint8_t *digest, size_t digest_len,\n uint8_t *out_sig, unsigned int *out_siglen,\n const DSA *dsa);\n\n// DSA_verify verifies that |sig| is a valid, ASN.1 signature, by the public\n// key in |dsa|, of the hash in |digest|. It returns one if so, zero if invalid\n// and -1 on error.\n//\n// (The |type| argument is ignored.)\n//\n// WARNING: do not use. This function returns -1 for error, 0 for invalid and 1\n// for valid. However, this is dangerously different to the usual OpenSSL\n// convention and could be a disaster if a user did |if (DSA_do_verify(...))|.\n// Because of this, |DSA_check_signature| is a safer version of this.\n//\n// TODO(fork): deprecate.\nOPENSSL_EXPORT int DSA_verify(int type, const uint8_t *digest,\n size_t digest_len, const uint8_t *sig,\n size_t sig_len, const DSA *dsa);\n\n// DSA_check_signature sets |*out_valid| to zero. Then it verifies that |sig|\n// is a valid, ASN.1 signature, by the public key in |dsa|, of the hash in\n// |digest|. If so, it sets |*out_valid| to one.\n//\n// It returns one if it was able to verify the signature as valid or invalid,\n// and zero on error.\nOPENSSL_EXPORT int DSA_check_signature(int *out_valid, const uint8_t *digest,\n size_t digest_len, const uint8_t *sig,\n size_t sig_len, const DSA *dsa);\n\n// DSA_size returns the size, in bytes, of an ASN.1 encoded, DSA signature\n// generated by |dsa|. Parameters must already have been setup in |dsa|.\nOPENSSL_EXPORT int DSA_size(const DSA *dsa);\n\n\n// ASN.1 encoding.\n\n// DSA_SIG_parse parses a DER-encoded DSA-Sig-Value structure from |cbs| and\n// advances |cbs|. It returns a newly-allocated |DSA_SIG| or NULL on error.\nOPENSSL_EXPORT DSA_SIG *DSA_SIG_parse(CBS *cbs);\n\n// DSA_SIG_marshal marshals |sig| as a DER-encoded DSA-Sig-Value and appends the\n// result to |cbb|. It returns one on success and zero on error.\nOPENSSL_EXPORT int DSA_SIG_marshal(CBB *cbb, const DSA_SIG *sig);\n\n// DSA_parse_public_key parses a DER-encoded DSA public key from |cbs| and\n// advances |cbs|. It returns a newly-allocated |DSA| or NULL on error.\nOPENSSL_EXPORT DSA *DSA_parse_public_key(CBS *cbs);\n\n// DSA_marshal_public_key marshals |dsa| as a DER-encoded DSA public key and\n// appends the result to |cbb|. It returns one on success and zero on\n// failure.\nOPENSSL_EXPORT int DSA_marshal_public_key(CBB *cbb, const DSA *dsa);\n\n// DSA_parse_private_key parses a DER-encoded DSA private key from |cbs| and\n// advances |cbs|. It returns a newly-allocated |DSA| or NULL on error.\nOPENSSL_EXPORT DSA *DSA_parse_private_key(CBS *cbs);\n\n// DSA_marshal_private_key marshals |dsa| as a DER-encoded DSA private key and\n// appends the result to |cbb|. It returns one on success and zero on\n// failure.\nOPENSSL_EXPORT int DSA_marshal_private_key(CBB *cbb, const DSA *dsa);\n\n// DSA_parse_parameters parses a DER-encoded Dss-Parms structure (RFC 3279)\n// from |cbs| and advances |cbs|. It returns a newly-allocated |DSA| or NULL on\n// error.\nOPENSSL_EXPORT DSA *DSA_parse_parameters(CBS *cbs);\n\n// DSA_marshal_parameters marshals |dsa| as a DER-encoded Dss-Parms structure\n// (RFC 3279) and appends the result to |cbb|. It returns one on success and\n// zero on failure.\nOPENSSL_EXPORT int DSA_marshal_parameters(CBB *cbb, const DSA *dsa);\n\n\n// Conversion.\n\n// DSA_dup_DH returns a |DH| constructed from the parameters of |dsa|. This is\n// sometimes needed when Diffie-Hellman parameters are stored in the form of\n// DSA parameters. It returns an allocated |DH| on success or NULL on error.\nOPENSSL_EXPORT DH *DSA_dup_DH(const DSA *dsa);\n\n\n// ex_data functions.\n//\n// See |ex_data.h| for details.\n\nOPENSSL_EXPORT int DSA_get_ex_new_index(long argl, void *argp,\n CRYPTO_EX_unused *unused,\n CRYPTO_EX_dup *dup_unused,\n CRYPTO_EX_free *free_func);\nOPENSSL_EXPORT int DSA_set_ex_data(DSA *dsa, int idx, void *arg);\nOPENSSL_EXPORT void *DSA_get_ex_data(const DSA *dsa, int idx);\n\n\n// Deprecated functions.\n\n// d2i_DSA_SIG parses a DER-encoded DSA-Sig-Value structure from |len| bytes at\n// |*inp|, as described in |d2i_SAMPLE|.\n//\n// Use |DSA_SIG_parse| instead.\nOPENSSL_EXPORT DSA_SIG *d2i_DSA_SIG(DSA_SIG **out_sig, const uint8_t **inp,\n long len);\n\n// i2d_DSA_SIG marshals |in| to a DER-encoded DSA-Sig-Value structure, as\n// described in |i2d_SAMPLE|.\n//\n// Use |DSA_SIG_marshal| instead.\nOPENSSL_EXPORT int i2d_DSA_SIG(const DSA_SIG *in, uint8_t **outp);\n\n// d2i_DSAPublicKey parses a DER-encoded DSA public key from |len| bytes at\n// |*inp|, as described in |d2i_SAMPLE|.\n//\n// Use |DSA_parse_public_key| instead.\nOPENSSL_EXPORT DSA *d2i_DSAPublicKey(DSA **out, const uint8_t **inp, long len);\n\n// i2d_DSAPublicKey marshals |in| as a DER-encoded DSA public key, as described\n// in |i2d_SAMPLE|.\n//\n// Use |DSA_marshal_public_key| instead.\nOPENSSL_EXPORT int i2d_DSAPublicKey(const DSA *in, uint8_t **outp);\n\n// d2i_DSAPrivateKey parses a DER-encoded DSA private key from |len| bytes at\n// |*inp|, as described in |d2i_SAMPLE|.\n//\n// Use |DSA_parse_private_key| instead.\nOPENSSL_EXPORT DSA *d2i_DSAPrivateKey(DSA **out, const uint8_t **inp, long len);\n\n// i2d_DSAPrivateKey marshals |in| as a DER-encoded DSA private key, as\n// described in |i2d_SAMPLE|.\n//\n// Use |DSA_marshal_private_key| instead.\nOPENSSL_EXPORT int i2d_DSAPrivateKey(const DSA *in, uint8_t **outp);\n\n// d2i_DSAparams parses a DER-encoded Dss-Parms structure (RFC 3279) from |len|\n// bytes at |*inp|, as described in |d2i_SAMPLE|.\n//\n// Use |DSA_parse_parameters| instead.\nOPENSSL_EXPORT DSA *d2i_DSAparams(DSA **out, const uint8_t **inp, long len);\n\n// i2d_DSAparams marshals |in|'s parameters as a DER-encoded Dss-Parms structure\n// (RFC 3279), as described in |i2d_SAMPLE|.\n//\n// Use |DSA_marshal_parameters| instead.\nOPENSSL_EXPORT int i2d_DSAparams(const DSA *in, uint8_t **outp);\n\n// DSA_generate_parameters is a deprecated version of\n// |DSA_generate_parameters_ex| that creates and returns a |DSA*|. Don't use\n// it.\nOPENSSL_EXPORT DSA *DSA_generate_parameters(int bits, unsigned char *seed,\n int seed_len, int *counter_ret,\n unsigned long *h_ret,\n void (*callback)(int, int, void *),\n void *cb_arg);\n\n\n#if defined(__cplusplus)\n} // extern C\n\nextern \"C++\" {\n\nBSSL_NAMESPACE_BEGIN\n\nBORINGSSL_MAKE_DELETER(DSA, DSA_free)\nBORINGSSL_MAKE_UP_REF(DSA, DSA_up_ref)\nBORINGSSL_MAKE_DELETER(DSA_SIG, DSA_SIG_free)\n\nBSSL_NAMESPACE_END\n\n} // extern C++\n\n#endif\n\n#define DSA_R_BAD_Q_VALUE 100\n#define DSA_R_MISSING_PARAMETERS 101\n#define DSA_R_MODULUS_TOO_LARGE 102\n#define DSA_R_NEED_NEW_SETUP_VALUES 103\n#define DSA_R_BAD_VERSION 104\n#define DSA_R_DECODE_ERROR 105\n#define DSA_R_ENCODE_ERROR 106\n#define DSA_R_INVALID_PARAMETERS 107\n#define DSA_R_TOO_MANY_ITERATIONS 108\n\n#endif // OPENSSL_HEADER_DSA_H\n" }, { "path": "Sources/CNIOBoringSSL/include/CNIOBoringSSL_dtls1.h", "content": "/* Copyright 2015 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n/* This header is provided in order to make compiling against code that expects\n OpenSSL easier. */\n" }, { "path": "Sources/CNIOBoringSSL/include/CNIOBoringSSL_e_os2.h", "content": "/* Copyright 2018 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n/* This header is provided in order to make compiling against code that expects\n OpenSSL easier. */\n\n#include \"CNIOBoringSSL_base.h\"\n" }, { "path": "Sources/CNIOBoringSSL/include/CNIOBoringSSL_ec.h", "content": "/*\n * Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.\n * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#ifndef OPENSSL_HEADER_EC_H\n#define OPENSSL_HEADER_EC_H\n\n#include \"CNIOBoringSSL_base.h\"\n\n#if defined(__cplusplus)\nextern \"C\" {\n#endif\n\n\n// Low-level operations on elliptic curves.\n\n\n// point_conversion_form_t enumerates forms, as defined in X9.62 (ECDSA), for\n// the encoding of a elliptic curve point (x,y)\ntypedef enum {\n // POINT_CONVERSION_COMPRESSED indicates that the point is encoded as z||x,\n // where the octet z specifies which solution of the quadratic equation y\n // is.\n POINT_CONVERSION_COMPRESSED = 2,\n\n // POINT_CONVERSION_UNCOMPRESSED indicates that the point is encoded as\n // z||x||y, where z is the octet 0x04.\n POINT_CONVERSION_UNCOMPRESSED = 4,\n\n // POINT_CONVERSION_HYBRID indicates that the point is encoded as z||x||y,\n // where z specifies which solution of the quadratic equation y is. This is\n // not supported by the code and has never been observed in use.\n //\n // TODO(agl): remove once node.js no longer references this.\n POINT_CONVERSION_HYBRID = 6,\n} point_conversion_form_t;\n\n\n// Elliptic curve groups.\n//\n// Elliptic curve groups are represented by |EC_GROUP| objects. Unlike OpenSSL,\n// if limited to the APIs in this section, callers may treat |EC_GROUP|s as\n// static, immutable objects which do not need to be copied or released. In\n// BoringSSL, only custom |EC_GROUP|s created by |EC_GROUP_new_curve_GFp|\n// (deprecated) are dynamic.\n//\n// Callers may cast away |const| and use |EC_GROUP_dup| and |EC_GROUP_free| with\n// static groups, for compatibility with OpenSSL or dynamic groups, but it is\n// otherwise unnecessary.\n\n// EC_group_p224 returns an |EC_GROUP| for P-224, also known as secp224r1.\nOPENSSL_EXPORT const EC_GROUP *EC_group_p224(void);\n\n// EC_group_p256 returns an |EC_GROUP| for P-256, also known as secp256r1 or\n// prime256v1.\nOPENSSL_EXPORT const EC_GROUP *EC_group_p256(void);\n\n// EC_group_p384 returns an |EC_GROUP| for P-384, also known as secp384r1.\nOPENSSL_EXPORT const EC_GROUP *EC_group_p384(void);\n\n// EC_group_p521 returns an |EC_GROUP| for P-521, also known as secp521r1.\nOPENSSL_EXPORT const EC_GROUP *EC_group_p521(void);\n\n// EC_GROUP_new_by_curve_name returns the |EC_GROUP| object for the elliptic\n// curve specified by |nid|, or NULL on unsupported NID. For OpenSSL\n// compatibility, this function returns a non-const pointer which may be passed\n// to |EC_GROUP_free|. However, the resulting object is actually static and\n// calling |EC_GROUP_free| is optional.\n//\n// The supported NIDs are:\n// - |NID_secp224r1| (P-224)\n// - |NID_X9_62_prime256v1| (P-256)\n// - |NID_secp384r1| (P-384)\n// - |NID_secp521r1| (P-521)\n//\n// Calling this function causes all four curves to be linked into the binary.\n// Prefer calling |EC_group_*| to allow the static linker to drop unused curves.\n//\n// If in doubt, use |NID_X9_62_prime256v1|, or see the curve25519.h header for\n// more modern primitives.\nOPENSSL_EXPORT EC_GROUP *EC_GROUP_new_by_curve_name(int nid);\n\n// EC_GROUP_cmp returns zero if |a| and |b| are the same group and non-zero\n// otherwise.\nOPENSSL_EXPORT int EC_GROUP_cmp(const EC_GROUP *a, const EC_GROUP *b,\n BN_CTX *ignored);\n\n// EC_GROUP_get0_generator returns a pointer to the internal |EC_POINT| object\n// in |group| that specifies the generator for the group.\nOPENSSL_EXPORT const EC_POINT *EC_GROUP_get0_generator(const EC_GROUP *group);\n\n// EC_GROUP_get0_order returns a pointer to the internal |BIGNUM| object in\n// |group| that specifies the order of the group.\nOPENSSL_EXPORT const BIGNUM *EC_GROUP_get0_order(const EC_GROUP *group);\n\n// EC_GROUP_order_bits returns the number of bits of the order of |group|.\nOPENSSL_EXPORT int EC_GROUP_order_bits(const EC_GROUP *group);\n\n// EC_GROUP_get_cofactor sets |*cofactor| to the cofactor of |group| using\n// |ctx|, if it's not NULL. It returns one on success and zero otherwise.\nOPENSSL_EXPORT int EC_GROUP_get_cofactor(const EC_GROUP *group,\n BIGNUM *cofactor, BN_CTX *ctx);\n\n// EC_GROUP_get_curve_GFp gets various parameters about a group. It sets\n// |*out_p| to the order of the coordinate field and |*out_a| and |*out_b| to\n// the parameters of the curve when expressed as y² = x³ + ax + b. Any of the\n// output parameters can be NULL. It returns one on success and zero on\n// error.\nOPENSSL_EXPORT int EC_GROUP_get_curve_GFp(const EC_GROUP *group, BIGNUM *out_p,\n BIGNUM *out_a, BIGNUM *out_b,\n BN_CTX *ctx);\n\n// EC_GROUP_get_curve_name returns a NID that identifies |group|.\nOPENSSL_EXPORT int EC_GROUP_get_curve_name(const EC_GROUP *group);\n\n// EC_GROUP_get_degree returns the number of bits needed to represent an\n// element of the field underlying |group|.\nOPENSSL_EXPORT unsigned EC_GROUP_get_degree(const EC_GROUP *group);\n\n// EC_curve_nid2nist returns the NIST name of the elliptic curve specified by\n// |nid|, or NULL if |nid| is not a NIST curve. For example, it returns \"P-256\"\n// for |NID_X9_62_prime256v1|.\nOPENSSL_EXPORT const char *EC_curve_nid2nist(int nid);\n\n// EC_curve_nist2nid returns the NID of the elliptic curve specified by the NIST\n// name |name|, or |NID_undef| if |name| is not a recognized name. For example,\n// it returns |NID_X9_62_prime256v1| for \"P-256\".\nOPENSSL_EXPORT int EC_curve_nist2nid(const char *name);\n\n\n// Points on elliptic curves.\n\n// EC_POINT_new returns a fresh |EC_POINT| object in the given group, or NULL\n// on error.\nOPENSSL_EXPORT EC_POINT *EC_POINT_new(const EC_GROUP *group);\n\n// EC_POINT_free frees |point| and the data that it points to.\nOPENSSL_EXPORT void EC_POINT_free(EC_POINT *point);\n\n// EC_POINT_copy sets |*dest| equal to |*src|. It returns one on success and\n// zero otherwise.\nOPENSSL_EXPORT int EC_POINT_copy(EC_POINT *dest, const EC_POINT *src);\n\n// EC_POINT_dup returns a fresh |EC_POINT| that contains the same values as\n// |src|, or NULL on error.\nOPENSSL_EXPORT EC_POINT *EC_POINT_dup(const EC_POINT *src,\n const EC_GROUP *group);\n\n// EC_POINT_set_to_infinity sets |point| to be the \"point at infinity\" for the\n// given group.\nOPENSSL_EXPORT int EC_POINT_set_to_infinity(const EC_GROUP *group,\n EC_POINT *point);\n\n// EC_POINT_is_at_infinity returns one iff |point| is the point at infinity and\n// zero otherwise.\nOPENSSL_EXPORT int EC_POINT_is_at_infinity(const EC_GROUP *group,\n const EC_POINT *point);\n\n// EC_POINT_is_on_curve returns one if |point| is an element of |group| and\n// and zero otherwise or when an error occurs. This is different from OpenSSL,\n// which returns -1 on error. If |ctx| is non-NULL, it may be used.\nOPENSSL_EXPORT int EC_POINT_is_on_curve(const EC_GROUP *group,\n const EC_POINT *point, BN_CTX *ctx);\n\n// EC_POINT_cmp returns zero if |a| is equal to |b|, greater than zero if\n// not equal and -1 on error. If |ctx| is not NULL, it may be used.\nOPENSSL_EXPORT int EC_POINT_cmp(const EC_GROUP *group, const EC_POINT *a,\n const EC_POINT *b, BN_CTX *ctx);\n\n\n// Point conversion.\n\n// EC_POINT_get_affine_coordinates_GFp sets |x| and |y| to the affine value of\n// |point| using |ctx|, if it's not NULL. It returns one on success and zero\n// otherwise.\n//\n// Either |x| or |y| may be NULL to skip computing that coordinate. This is\n// slightly faster in the common case where only the x-coordinate is needed.\nOPENSSL_EXPORT int EC_POINT_get_affine_coordinates_GFp(const EC_GROUP *group,\n const EC_POINT *point,\n BIGNUM *x, BIGNUM *y,\n BN_CTX *ctx);\n\n// EC_POINT_get_affine_coordinates is an alias of\n// |EC_POINT_get_affine_coordinates_GFp|.\nOPENSSL_EXPORT int EC_POINT_get_affine_coordinates(const EC_GROUP *group,\n const EC_POINT *point,\n BIGNUM *x, BIGNUM *y,\n BN_CTX *ctx);\n\n// EC_POINT_set_affine_coordinates_GFp sets the value of |point| to be\n// (|x|, |y|). The |ctx| argument may be used if not NULL. It returns one\n// on success or zero on error. It's considered an error if the point is not on\n// the curve.\n//\n// Note that the corresponding function in OpenSSL versions prior to 1.0.2s does\n// not check if the point is on the curve. This is a security-critical check, so\n// code additionally supporting OpenSSL should repeat the check with\n// |EC_POINT_is_on_curve| or check for older OpenSSL versions with\n// |OPENSSL_VERSION_NUMBER|.\nOPENSSL_EXPORT int EC_POINT_set_affine_coordinates_GFp(const EC_GROUP *group,\n EC_POINT *point,\n const BIGNUM *x,\n const BIGNUM *y,\n BN_CTX *ctx);\n\n// EC_POINT_set_affine_coordinates is an alias of\n// |EC_POINT_set_affine_coordinates_GFp|.\nOPENSSL_EXPORT int EC_POINT_set_affine_coordinates(const EC_GROUP *group,\n EC_POINT *point,\n const BIGNUM *x,\n const BIGNUM *y,\n BN_CTX *ctx);\n\n// EC_POINT_point2oct serialises |point| into the X9.62 form given by |form|\n// into, at most, |max_out| bytes at |buf|. It returns the number of bytes\n// written or zero on error if |buf| is non-NULL, else the number of bytes\n// needed. The |ctx| argument may be used if not NULL.\nOPENSSL_EXPORT size_t EC_POINT_point2oct(const EC_GROUP *group,\n const EC_POINT *point,\n point_conversion_form_t form,\n uint8_t *buf, size_t max_out,\n BN_CTX *ctx);\n\n// EC_POINT_point2buf serialises |point| into the X9.62 form given by |form| to\n// a newly-allocated buffer and sets |*out_buf| to point to it. It returns the\n// length of the result on success or zero on error. The caller must release\n// |*out_buf| with |OPENSSL_free| when done.\nOPENSSL_EXPORT size_t EC_POINT_point2buf(const EC_GROUP *group,\n const EC_POINT *point,\n point_conversion_form_t form,\n uint8_t **out_buf, BN_CTX *ctx);\n\n// EC_POINT_point2cbb behaves like |EC_POINT_point2oct| but appends the\n// serialised point to |cbb|. It returns one on success and zero on error.\nOPENSSL_EXPORT int EC_POINT_point2cbb(CBB *out, const EC_GROUP *group,\n const EC_POINT *point,\n point_conversion_form_t form,\n BN_CTX *ctx);\n\n// EC_POINT_oct2point sets |point| from |len| bytes of X9.62 format\n// serialisation in |buf|. It returns one on success and zero on error. The\n// |ctx| argument may be used if not NULL. It's considered an error if |buf|\n// does not represent a point on the curve.\nOPENSSL_EXPORT int EC_POINT_oct2point(const EC_GROUP *group, EC_POINT *point,\n const uint8_t *buf, size_t len,\n BN_CTX *ctx);\n\n// EC_POINT_set_compressed_coordinates_GFp sets |point| to equal the point with\n// the given |x| coordinate and the y coordinate specified by |y_bit| (see\n// X9.62). It returns one on success and zero otherwise.\nOPENSSL_EXPORT int EC_POINT_set_compressed_coordinates_GFp(\n const EC_GROUP *group, EC_POINT *point, const BIGNUM *x, int y_bit,\n BN_CTX *ctx);\n\n\n// Group operations.\n\n// EC_POINT_add sets |r| equal to |a| plus |b|. It returns one on success and\n// zero otherwise. If |ctx| is not NULL, it may be used.\nOPENSSL_EXPORT int EC_POINT_add(const EC_GROUP *group, EC_POINT *r,\n const EC_POINT *a, const EC_POINT *b,\n BN_CTX *ctx);\n\n// EC_POINT_dbl sets |r| equal to |a| plus |a|. It returns one on success and\n// zero otherwise. If |ctx| is not NULL, it may be used.\nOPENSSL_EXPORT int EC_POINT_dbl(const EC_GROUP *group, EC_POINT *r,\n const EC_POINT *a, BN_CTX *ctx);\n\n// EC_POINT_invert sets |a| equal to minus |a|. It returns one on success and\n// zero otherwise. If |ctx| is not NULL, it may be used.\nOPENSSL_EXPORT int EC_POINT_invert(const EC_GROUP *group, EC_POINT *a,\n BN_CTX *ctx);\n\n// EC_POINT_mul sets r = generator*n + q*m. It returns one on success and zero\n// otherwise. If |ctx| is not NULL, it may be used.\nOPENSSL_EXPORT int EC_POINT_mul(const EC_GROUP *group, EC_POINT *r,\n const BIGNUM *n, const EC_POINT *q,\n const BIGNUM *m, BN_CTX *ctx);\n\n\n// Hash-to-curve.\n//\n// The following functions implement primitives from RFC 9380. The |dst|\n// parameter in each function is the domain separation tag and must be unique\n// for each protocol and between the |hash_to_curve| and |hash_to_scalar|\n// variants. See section 3.1 of the spec for additional guidance on this\n// parameter.\n\n// EC_hash_to_curve_p256_xmd_sha256_sswu hashes |msg| to a point on |group| and\n// writes the result to |out|, implementing the P256_XMD:SHA-256_SSWU_RO_ suite\n// from RFC 9380. It returns one on success and zero on error.\nOPENSSL_EXPORT int EC_hash_to_curve_p256_xmd_sha256_sswu(\n const EC_GROUP *group, EC_POINT *out, const uint8_t *dst, size_t dst_len,\n const uint8_t *msg, size_t msg_len);\n\n// EC_hash_to_curve_p384_xmd_sha384_sswu hashes |msg| to a point on |group| and\n// writes the result to |out|, implementing the P384_XMD:SHA-384_SSWU_RO_ suite\n// from RFC 9380. It returns one on success and zero on error.\nOPENSSL_EXPORT int EC_hash_to_curve_p384_xmd_sha384_sswu(\n const EC_GROUP *group, EC_POINT *out, const uint8_t *dst, size_t dst_len,\n const uint8_t *msg, size_t msg_len);\n\n\n// Deprecated functions.\n\n// EC_GROUP_free releases a reference to |group|, if |group| was created by\n// |EC_GROUP_new_curve_GFp|. If |group| is static, it does nothing.\n//\n// This function exists for OpenSSL compatibilty, and to manage dynamic\n// |EC_GROUP|s constructed by |EC_GROUP_new_curve_GFp|. Callers that do not need\n// either may ignore this function.\nOPENSSL_EXPORT void EC_GROUP_free(EC_GROUP *group);\n\n// EC_GROUP_dup increments |group|'s reference count and returns it, if |group|\n// was created by |EC_GROUP_new_curve_GFp|. If |group| is static, it simply\n// returns |group|.\n//\n// This function exists for OpenSSL compatibilty, and to manage dynamic\n// |EC_GROUP|s constructed by |EC_GROUP_new_curve_GFp|. Callers that do not need\n// either may ignore this function.\nOPENSSL_EXPORT EC_GROUP *EC_GROUP_dup(const EC_GROUP *group);\n\n// EC_GROUP_new_curve_GFp creates a new, arbitrary elliptic curve group based\n// on the equation y² = x³ + a·x + b. It returns the new group or NULL on\n// error. The lifetime of the resulting object must be managed with\n// |EC_GROUP_dup| and |EC_GROUP_free|.\n//\n// This new group has no generator. It is an error to use a generator-less group\n// with any functions except for |EC_GROUP_free|, |EC_POINT_new|,\n// |EC_POINT_set_affine_coordinates_GFp|, and |EC_GROUP_set_generator|.\n//\n// |EC_GROUP|s returned by this function will always compare as unequal via\n// |EC_GROUP_cmp| (even to themselves). |EC_GROUP_get_curve_name| will always\n// return |NID_undef|.\n//\n// This function is provided for compatibility with some legacy applications\n// only. Avoid using arbitrary curves and use |EC_GROUP_new_by_curve_name|\n// instead. This ensures the result meets preconditions necessary for\n// elliptic curve algorithms to function correctly and securely.\n//\n// Given invalid parameters, this function may fail or it may return an\n// |EC_GROUP| which breaks these preconditions. Subsequent operations may then\n// return arbitrary, incorrect values. Callers should not pass\n// attacker-controlled values to this function.\nOPENSSL_EXPORT EC_GROUP *EC_GROUP_new_curve_GFp(const BIGNUM *p,\n const BIGNUM *a,\n const BIGNUM *b, BN_CTX *ctx);\n\n// EC_GROUP_set_generator sets the generator for |group| to |generator|, which\n// must have the given order and cofactor. It may only be used with |EC_GROUP|\n// objects returned by |EC_GROUP_new_curve_GFp| and may only be used once on\n// each group. |generator| must have been created using |group|.\nOPENSSL_EXPORT int EC_GROUP_set_generator(EC_GROUP *group,\n const EC_POINT *generator,\n const BIGNUM *order,\n const BIGNUM *cofactor);\n\n// EC_GROUP_get_order sets |*order| to the order of |group|, if it's not\n// NULL. It returns one on success and zero otherwise. |ctx| is ignored. Use\n// |EC_GROUP_get0_order| instead.\nOPENSSL_EXPORT int EC_GROUP_get_order(const EC_GROUP *group, BIGNUM *order,\n BN_CTX *ctx);\n\n#define OPENSSL_EC_EXPLICIT_CURVE 0\n#define OPENSSL_EC_NAMED_CURVE 1\n\n// EC_GROUP_set_asn1_flag does nothing.\nOPENSSL_EXPORT void EC_GROUP_set_asn1_flag(EC_GROUP *group, int flag);\n\n// EC_GROUP_get_asn1_flag returns |OPENSSL_EC_NAMED_CURVE|.\nOPENSSL_EXPORT int EC_GROUP_get_asn1_flag(const EC_GROUP *group);\n\ntypedef struct ec_method_st EC_METHOD;\n\n// EC_GROUP_method_of returns a dummy non-NULL pointer.\nOPENSSL_EXPORT const EC_METHOD *EC_GROUP_method_of(const EC_GROUP *group);\n\n// EC_METHOD_get_field_type returns NID_X9_62_prime_field.\nOPENSSL_EXPORT int EC_METHOD_get_field_type(const EC_METHOD *meth);\n\n// EC_GROUP_set_point_conversion_form aborts the process if |form| is not\n// |POINT_CONVERSION_UNCOMPRESSED| and otherwise does nothing.\nOPENSSL_EXPORT void EC_GROUP_set_point_conversion_form(\n EC_GROUP *group, point_conversion_form_t form);\n\n// EC_builtin_curve describes a supported elliptic curve.\ntypedef struct {\n int nid;\n const char *comment;\n} EC_builtin_curve;\n\n// EC_get_builtin_curves writes at most |max_num_curves| elements to\n// |out_curves| and returns the total number that it would have written, had\n// |max_num_curves| been large enough.\n//\n// The |EC_builtin_curve| items describe the supported elliptic curves.\nOPENSSL_EXPORT size_t EC_get_builtin_curves(EC_builtin_curve *out_curves,\n size_t max_num_curves);\n\n// EC_POINT_clear_free calls |EC_POINT_free|.\nOPENSSL_EXPORT void EC_POINT_clear_free(EC_POINT *point);\n\n\n#if defined(__cplusplus)\n} // extern C\n#endif\n\n// Old code expects to get EC_KEY from ec.h.\n#include \"CNIOBoringSSL_ec_key.h\"\n\n#if defined(__cplusplus)\nextern \"C++\" {\n\nBSSL_NAMESPACE_BEGIN\n\nBORINGSSL_MAKE_DELETER(EC_POINT, EC_POINT_free)\nBORINGSSL_MAKE_DELETER(EC_GROUP, EC_GROUP_free)\n\nBSSL_NAMESPACE_END\n\n} // extern C++\n\n#endif\n\n#define EC_R_BUFFER_TOO_SMALL 100\n#define EC_R_COORDINATES_OUT_OF_RANGE 101\n#define EC_R_D2I_ECPKPARAMETERS_FAILURE 102\n#define EC_R_EC_GROUP_NEW_BY_NAME_FAILURE 103\n#define EC_R_GROUP2PKPARAMETERS_FAILURE 104\n#define EC_R_I2D_ECPKPARAMETERS_FAILURE 105\n#define EC_R_INCOMPATIBLE_OBJECTS 106\n#define EC_R_INVALID_COMPRESSED_POINT 107\n#define EC_R_INVALID_COMPRESSION_BIT 108\n#define EC_R_INVALID_ENCODING 109\n#define EC_R_INVALID_FIELD 110\n#define EC_R_INVALID_FORM 111\n#define EC_R_INVALID_GROUP_ORDER 112\n#define EC_R_INVALID_PRIVATE_KEY 113\n#define EC_R_MISSING_PARAMETERS 114\n#define EC_R_MISSING_PRIVATE_KEY 115\n#define EC_R_NON_NAMED_CURVE 116\n#define EC_R_NOT_INITIALIZED 117\n#define EC_R_PKPARAMETERS2GROUP_FAILURE 118\n#define EC_R_POINT_AT_INFINITY 119\n#define EC_R_POINT_IS_NOT_ON_CURVE 120\n#define EC_R_SLOT_FULL 121\n#define EC_R_UNDEFINED_GENERATOR 122\n#define EC_R_UNKNOWN_GROUP 123\n#define EC_R_UNKNOWN_ORDER 124\n#define EC_R_WRONG_ORDER 125\n#define EC_R_BIGNUM_OUT_OF_RANGE 126\n#define EC_R_WRONG_CURVE_PARAMETERS 127\n#define EC_R_DECODE_ERROR 128\n#define EC_R_ENCODE_ERROR 129\n#define EC_R_GROUP_MISMATCH 130\n#define EC_R_INVALID_COFACTOR 131\n#define EC_R_PUBLIC_KEY_VALIDATION_FAILED 132\n#define EC_R_INVALID_SCALAR 133\n\n#endif // OPENSSL_HEADER_EC_H\n" }, { "path": "Sources/CNIOBoringSSL/include/CNIOBoringSSL_ec_key.h", "content": "/*\n * Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.\n * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#ifndef OPENSSL_HEADER_EC_KEY_H\n#define OPENSSL_HEADER_EC_KEY_H\n\n#include \"CNIOBoringSSL_base.h\"\n\n#include \"CNIOBoringSSL_ec.h\"\n#include \"CNIOBoringSSL_engine.h\"\n#include \"CNIOBoringSSL_ex_data.h\"\n\n#if defined(__cplusplus)\nextern \"C\" {\n#endif\n\n\n// ec_key.h contains functions that handle elliptic-curve points that are\n// public/private keys.\n\n\n// EC key objects.\n//\n// An |EC_KEY| object represents a public or private EC key. A given object may\n// be used concurrently on multiple threads by non-mutating functions, provided\n// no other thread is concurrently calling a mutating function. Unless otherwise\n// documented, functions which take a |const| pointer are non-mutating and\n// functions which take a non-|const| pointer are mutating.\n\n// EC_KEY_new returns a fresh |EC_KEY| object or NULL on error.\nOPENSSL_EXPORT EC_KEY *EC_KEY_new(void);\n\n// EC_KEY_new_method acts the same as |EC_KEY_new|, but takes an explicit\n// |ENGINE|.\nOPENSSL_EXPORT EC_KEY *EC_KEY_new_method(const ENGINE *engine);\n\n// EC_KEY_new_by_curve_name returns a fresh EC_KEY for group specified by |nid|\n// or NULL on error.\nOPENSSL_EXPORT EC_KEY *EC_KEY_new_by_curve_name(int nid);\n\n// EC_KEY_free frees all the data owned by |key| and |key| itself.\nOPENSSL_EXPORT void EC_KEY_free(EC_KEY *key);\n\n// EC_KEY_dup returns a fresh copy of |src| or NULL on error.\nOPENSSL_EXPORT EC_KEY *EC_KEY_dup(const EC_KEY *src);\n\n// EC_KEY_up_ref increases the reference count of |key| and returns one. It does\n// not mutate |key| for thread-safety purposes and may be used concurrently.\nOPENSSL_EXPORT int EC_KEY_up_ref(EC_KEY *key);\n\n// EC_KEY_is_opaque returns one if |key| is opaque and doesn't expose its key\n// material. Otherwise it return zero.\nOPENSSL_EXPORT int EC_KEY_is_opaque(const EC_KEY *key);\n\n// EC_KEY_get0_group returns a pointer to the |EC_GROUP| object inside |key|.\nOPENSSL_EXPORT const EC_GROUP *EC_KEY_get0_group(const EC_KEY *key);\n\n// EC_KEY_set_group sets the |EC_GROUP| object that |key| will use to |group|.\n// It returns one on success and zero if |key| is already configured with a\n// different group.\nOPENSSL_EXPORT int EC_KEY_set_group(EC_KEY *key, const EC_GROUP *group);\n\n// EC_KEY_get0_private_key returns a pointer to the private key inside |key|.\nOPENSSL_EXPORT const BIGNUM *EC_KEY_get0_private_key(const EC_KEY *key);\n\n// EC_KEY_set_private_key sets the private key of |key| to |priv|. It returns\n// one on success and zero otherwise. |key| must already have had a group\n// configured (see |EC_KEY_set_group| and |EC_KEY_new_by_curve_name|).\nOPENSSL_EXPORT int EC_KEY_set_private_key(EC_KEY *key, const BIGNUM *priv);\n\n// EC_KEY_get0_public_key returns a pointer to the public key point inside\n// |key|.\nOPENSSL_EXPORT const EC_POINT *EC_KEY_get0_public_key(const EC_KEY *key);\n\n// EC_KEY_set_public_key sets the public key of |key| to |pub|, by copying it.\n// It returns one on success and zero otherwise. |key| must already have had a\n// group configured (see |EC_KEY_set_group| and |EC_KEY_new_by_curve_name|), and\n// |pub| must also belong to that group.\nOPENSSL_EXPORT int EC_KEY_set_public_key(EC_KEY *key, const EC_POINT *pub);\n\n#define EC_PKEY_NO_PARAMETERS 0x001\n#define EC_PKEY_NO_PUBKEY 0x002\n\n// EC_KEY_get_enc_flags returns the encoding flags for |key|, which is a\n// bitwise-OR of |EC_PKEY_*| values.\nOPENSSL_EXPORT unsigned EC_KEY_get_enc_flags(const EC_KEY *key);\n\n// EC_KEY_set_enc_flags sets the encoding flags for |key|, which is a\n// bitwise-OR of |EC_PKEY_*| values.\nOPENSSL_EXPORT void EC_KEY_set_enc_flags(EC_KEY *key, unsigned flags);\n\n// EC_KEY_get_conv_form returns the conversation form that will be used by\n// |key|.\nOPENSSL_EXPORT point_conversion_form_t EC_KEY_get_conv_form(const EC_KEY *key);\n\n// EC_KEY_set_conv_form sets the conversion form to be used by |key|.\nOPENSSL_EXPORT void EC_KEY_set_conv_form(EC_KEY *key,\n point_conversion_form_t cform);\n\n// EC_KEY_check_key performs several checks on |key| (possibly including an\n// expensive check that the public key is in the primary subgroup). It returns\n// one if all checks pass and zero otherwise. If it returns zero then detail\n// about the problem can be found on the error stack.\nOPENSSL_EXPORT int EC_KEY_check_key(const EC_KEY *key);\n\n// EC_KEY_check_fips performs both a signing pairwise consistency test\n// (FIPS 140-2 4.9.2) and the consistency test from SP 800-56Ar3 section\n// 5.6.2.1.4. It returns one if it passes and zero otherwise.\nOPENSSL_EXPORT int EC_KEY_check_fips(const EC_KEY *key);\n\n// EC_KEY_set_public_key_affine_coordinates sets the public key in |key| to\n// (|x|, |y|). It returns one on success and zero on error. It's considered an\n// error if |x| and |y| do not represent a point on |key|'s curve.\nOPENSSL_EXPORT int EC_KEY_set_public_key_affine_coordinates(EC_KEY *key,\n const BIGNUM *x,\n const BIGNUM *y);\n\n// EC_KEY_oct2key decodes |len| bytes from |in| as an EC public key in X9.62\n// form. |key| must already have a group configured. On success, it sets the\n// public key in |key| to the result and returns one. Otherwise, it returns\n// zero.\nOPENSSL_EXPORT int EC_KEY_oct2key(EC_KEY *key, const uint8_t *in, size_t len,\n BN_CTX *ctx);\n\n// EC_KEY_key2buf behaves like |EC_POINT_point2buf|, except it encodes the\n// public key in |key|.\nOPENSSL_EXPORT size_t EC_KEY_key2buf(const EC_KEY *key,\n point_conversion_form_t form,\n uint8_t **out_buf, BN_CTX *ctx);\n\n// EC_KEY_oct2priv decodes a big-endian, zero-padded integer from |len| bytes\n// from |in| and sets |key|'s private key to the result. It returns one on\n// success and zero on error. The input must be padded to the size of |key|'s\n// group order.\nOPENSSL_EXPORT int EC_KEY_oct2priv(EC_KEY *key, const uint8_t *in, size_t len);\n\n// EC_KEY_priv2oct serializes |key|'s private key as a big-endian integer,\n// zero-padded to the size of |key|'s group order and writes the result to at\n// most |max_out| bytes of |out|. It returns the number of bytes written on\n// success and zero on error. If |out| is NULL, it returns the number of bytes\n// needed without writing anything.\nOPENSSL_EXPORT size_t EC_KEY_priv2oct(const EC_KEY *key, uint8_t *out,\n size_t max_out);\n\n// EC_KEY_priv2buf behaves like |EC_KEY_priv2oct| but sets |*out_buf| to a\n// newly-allocated buffer containing the result. It returns the size of the\n// result on success and zero on error. The caller must release |*out_buf| with\n// |OPENSSL_free| when done.\nOPENSSL_EXPORT size_t EC_KEY_priv2buf(const EC_KEY *key, uint8_t **out_buf);\n\n\n// Key generation.\n\n// EC_KEY_generate_key generates a random, private key, calculates the\n// corresponding public key and stores both in |key|. It returns one on success\n// or zero otherwise.\nOPENSSL_EXPORT int EC_KEY_generate_key(EC_KEY *key);\n\n// EC_KEY_generate_key_fips behaves like |EC_KEY_generate_key| but performs\n// additional checks for FIPS compliance. This function is applicable when\n// generating keys for either signing/verification or key agreement because\n// both types of consistency check (PCT) are performed.\nOPENSSL_EXPORT int EC_KEY_generate_key_fips(EC_KEY *key);\n\n// EC_KEY_derive_from_secret deterministically derives a private key for |group|\n// from an input secret using HKDF-SHA256. It returns a newly-allocated |EC_KEY|\n// on success or NULL on error. |secret| must not be used in any other\n// algorithm. If using a base secret for multiple operations, derive separate\n// values with a KDF such as HKDF first.\n//\n// Note this function implements an arbitrary derivation scheme, rather than any\n// particular standard one. New protocols are recommended to use X25519 and\n// Ed25519, which have standard byte import functions. See\n// |X25519_public_from_private| and |ED25519_keypair_from_seed|.\nOPENSSL_EXPORT EC_KEY *EC_KEY_derive_from_secret(const EC_GROUP *group,\n const uint8_t *secret,\n size_t secret_len);\n\n\n// Serialisation.\n\n// EC_KEY_parse_private_key parses a DER-encoded ECPrivateKey structure (RFC\n// 5915) from |cbs| and advances |cbs|. It returns a newly-allocated |EC_KEY| or\n// NULL on error. If |group| is non-null, the parameters field of the\n// ECPrivateKey may be omitted (but must match |group| if present). Otherwise,\n// the parameters field is required.\nOPENSSL_EXPORT EC_KEY *EC_KEY_parse_private_key(CBS *cbs,\n const EC_GROUP *group);\n\n// EC_KEY_marshal_private_key marshals |key| as a DER-encoded ECPrivateKey\n// structure (RFC 5915) and appends the result to |cbb|. It returns one on\n// success and zero on failure. |enc_flags| is a combination of |EC_PKEY_*|\n// values and controls whether corresponding fields are omitted.\nOPENSSL_EXPORT int EC_KEY_marshal_private_key(CBB *cbb, const EC_KEY *key,\n unsigned enc_flags);\n\n// EC_KEY_parse_curve_name parses a DER-encoded OBJECT IDENTIFIER as a curve\n// name from |cbs| and advances |cbs|. It returns the decoded |EC_GROUP| or NULL\n// on error.\n//\n// This function returns a non-const pointer which may be passed to\n// |EC_GROUP_free|. However, the resulting object is actually static and calling\n// |EC_GROUP_free| is optional.\n//\n// TODO(davidben): Make this return a const pointer, if it does not break too\n// many callers.\nOPENSSL_EXPORT EC_GROUP *EC_KEY_parse_curve_name(CBS *cbs);\n\n// EC_KEY_marshal_curve_name marshals |group| as a DER-encoded OBJECT IDENTIFIER\n// and appends the result to |cbb|. It returns one on success and zero on\n// failure.\nOPENSSL_EXPORT int EC_KEY_marshal_curve_name(CBB *cbb, const EC_GROUP *group);\n\n// EC_KEY_parse_parameters parses a DER-encoded ECParameters structure (RFC\n// 5480) from |cbs| and advances |cbs|. It returns the resulting |EC_GROUP| or\n// NULL on error. It supports the namedCurve and specifiedCurve options, but use\n// of specifiedCurve is deprecated. Use |EC_KEY_parse_curve_name| instead.\n//\n// This function returns a non-const pointer which may be passed to\n// |EC_GROUP_free|. However, the resulting object is actually static and calling\n// |EC_GROUP_free| is optional.\n//\n// TODO(davidben): Make this return a const pointer, if it does not break too\n// many callers.\nOPENSSL_EXPORT EC_GROUP *EC_KEY_parse_parameters(CBS *cbs);\n\n\n// ex_data functions.\n//\n// These functions are wrappers. See |ex_data.h| for details.\n\nOPENSSL_EXPORT int EC_KEY_get_ex_new_index(long argl, void *argp,\n CRYPTO_EX_unused *unused,\n CRYPTO_EX_dup *dup_unused,\n CRYPTO_EX_free *free_func);\nOPENSSL_EXPORT int EC_KEY_set_ex_data(EC_KEY *r, int idx, void *arg);\nOPENSSL_EXPORT void *EC_KEY_get_ex_data(const EC_KEY *r, int idx);\n\n\n// ECDSA method.\n\n// ECDSA_FLAG_OPAQUE specifies that this ECDSA_METHOD does not expose its key\n// material. This may be set if, for instance, it is wrapping some other crypto\n// API, like a platform key store.\n#define ECDSA_FLAG_OPAQUE 1\n\n// ecdsa_method_st is a structure of function pointers for implementing ECDSA.\n// See engine.h.\nstruct ecdsa_method_st {\n struct openssl_method_common_st common;\n\n void *app_data;\n\n int (*init)(EC_KEY *key);\n int (*finish)(EC_KEY *key);\n\n // sign matches the arguments and behaviour of |ECDSA_sign|.\n int (*sign)(const uint8_t *digest, size_t digest_len, uint8_t *sig,\n unsigned int *sig_len, EC_KEY *eckey);\n\n int flags;\n};\n\n\n// Deprecated functions.\n\n// EC_KEY_set_asn1_flag does nothing.\nOPENSSL_EXPORT void EC_KEY_set_asn1_flag(EC_KEY *key, int flag);\n\n// d2i_ECPrivateKey parses a DER-encoded ECPrivateKey structure (RFC 5915) from\n// |len| bytes at |*inp|, as described in |d2i_SAMPLE|. On input, if |*out_key|\n// is non-NULL and has a group configured, the parameters field may be omitted\n// but must match that group if present.\n//\n// Use |EC_KEY_parse_private_key| instead.\nOPENSSL_EXPORT EC_KEY *d2i_ECPrivateKey(EC_KEY **out_key, const uint8_t **inp,\n long len);\n\n// i2d_ECPrivateKey marshals |key| as a DER-encoded ECPrivateKey structure (RFC\n// 5915), as described in |i2d_SAMPLE|.\n//\n// Use |EC_KEY_marshal_private_key| instead.\nOPENSSL_EXPORT int i2d_ECPrivateKey(const EC_KEY *key, uint8_t **outp);\n\n// d2i_ECPKParameters parses a DER-encoded ECParameters structure (RFC 5480)\n// from |len| bytes at |*inp|, as described in |d2i_SAMPLE|. For legacy reasons,\n// it recognizes the specifiedCurve form, but only for curves that are already\n// supported as named curves.\n//\n// Use |EC_KEY_parse_parameters| or |EC_KEY_parse_curve_name| instead.\nOPENSSL_EXPORT EC_GROUP *d2i_ECPKParameters(EC_GROUP **out, const uint8_t **inp,\n long len);\n\n// i2d_ECPKParameters marshals |group| as a DER-encoded ECParameters structure\n// (RFC 5480), as described in |i2d_SAMPLE|.\n//\n// Use |EC_KEY_marshal_curve_name| instead.\nOPENSSL_EXPORT int i2d_ECPKParameters(const EC_GROUP *group, uint8_t **outp);\n\n// d2i_ECParameters parses a DER-encoded ECParameters structure (RFC 5480) from\n// |len| bytes at |*inp|, as described in |d2i_SAMPLE|. It returns the result as\n// an |EC_KEY| with parameters, but no key, configured.\n//\n// Use |EC_KEY_parse_parameters| or |EC_KEY_parse_curve_name| instead.\nOPENSSL_EXPORT EC_KEY *d2i_ECParameters(EC_KEY **out_key, const uint8_t **inp,\n long len);\n\n// i2d_ECParameters marshals |key|'s parameters as a DER-encoded OBJECT\n// IDENTIFIER, as described in |i2d_SAMPLE|.\n//\n// Use |EC_KEY_marshal_curve_name| instead.\nOPENSSL_EXPORT int i2d_ECParameters(const EC_KEY *key, uint8_t **outp);\n\n// o2i_ECPublicKey parses an EC point from |len| bytes at |*inp| into\n// |*out_key|. Note that this differs from the d2i format in that |*out_key|\n// must be non-NULL with a group set. On successful exit, |*inp| is advanced by\n// |len| bytes. It returns |*out_key| or NULL on error.\n//\n// Use |EC_POINT_oct2point| instead.\nOPENSSL_EXPORT EC_KEY *o2i_ECPublicKey(EC_KEY **out_key, const uint8_t **inp,\n long len);\n\n// i2o_ECPublicKey marshals an EC point from |key|, as described in\n// |i2d_SAMPLE|, except it returns zero on error instead of a negative value.\n//\n// Use |EC_POINT_point2cbb| instead.\nOPENSSL_EXPORT int i2o_ECPublicKey(const EC_KEY *key, unsigned char **outp);\n\n\n#if defined(__cplusplus)\n} // extern C\n\nextern \"C++\" {\n\nBSSL_NAMESPACE_BEGIN\n\nBORINGSSL_MAKE_DELETER(EC_KEY, EC_KEY_free)\nBORINGSSL_MAKE_UP_REF(EC_KEY, EC_KEY_up_ref)\n\nBSSL_NAMESPACE_END\n\n} // extern C++\n\n#endif\n\n#endif // OPENSSL_HEADER_EC_KEY_H\n" }, { "path": "Sources/CNIOBoringSSL/include/CNIOBoringSSL_ecdh.h", "content": "/*\n * Copyright 2002-2016 The OpenSSL Project Authors. All Rights Reserved.\n * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#ifndef OPENSSL_HEADER_ECDH_H\n#define OPENSSL_HEADER_ECDH_H\n\n#include \"CNIOBoringSSL_base.h\"\n\n#include \"CNIOBoringSSL_ec_key.h\"\n\n#if defined(__cplusplus)\nextern \"C\" {\n#endif\n\n\n// Elliptic curve Diffie-Hellman.\n\n\n// ECDH_compute_key calculates the shared key between |pub_key| and |priv_key|.\n// If |kdf| is not NULL, then it is called with the bytes of the shared key and\n// the parameter |out|. When |kdf| returns, the value of |*outlen| becomes the\n// return value. Otherwise, as many bytes of the shared key as will fit are\n// copied directly to, at most, |outlen| bytes at |out|. It returns the number\n// of bytes written to |out|, or -1 on error.\nOPENSSL_EXPORT int ECDH_compute_key(\n void *out, size_t outlen, const EC_POINT *pub_key, const EC_KEY *priv_key,\n void *(*kdf)(const void *in, size_t inlen, void *out, size_t *outlen));\n\n// ECDH_compute_key_fips calculates the shared key between |pub_key| and\n// |priv_key| and hashes it with the appropriate SHA function for |out_len|. The\n// only value values for |out_len| are thus 24 (SHA-224), 32 (SHA-256), 48\n// (SHA-384), and 64 (SHA-512). It returns one on success and zero on error.\n//\n// Note that the return value is different to |ECDH_compute_key|: it returns an\n// error flag (as is common for BoringSSL) rather than the number of bytes\n// written.\n//\n// This function allows the FIPS module to compute an ECDH and KDF within the\n// module boundary without taking an arbitrary function pointer for the KDF,\n// which isn't very FIPSy.\nOPENSSL_EXPORT int ECDH_compute_key_fips(uint8_t *out, size_t out_len,\n const EC_POINT *pub_key,\n const EC_KEY *priv_key);\n\n\n#if defined(__cplusplus)\n} // extern C\n#endif\n\n#define ECDH_R_KDF_FAILED 100\n#define ECDH_R_NO_PRIVATE_VALUE 101\n#define ECDH_R_POINT_ARITHMETIC_FAILURE 102\n#define ECDH_R_UNKNOWN_DIGEST_LENGTH 103\n\n#endif // OPENSSL_HEADER_ECDH_H\n" }, { "path": "Sources/CNIOBoringSSL/include/CNIOBoringSSL_ecdsa.h", "content": "/*\n * Copyright 2002-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#ifndef OPENSSL_HEADER_ECDSA_H\n#define OPENSSL_HEADER_ECDSA_H\n\n#include \"CNIOBoringSSL_base.h\"\n\n#include \"CNIOBoringSSL_ec_key.h\"\n\n#if defined(__cplusplus)\nextern \"C\" {\n#endif\n\n\n// ECDSA contains functions for signing and verifying with the Digital Signature\n// Algorithm over elliptic curves.\n\n\n// Signing and verifying.\n\n// ECDSA_sign signs |digest_len| bytes from |digest| with |key| and writes the\n// resulting signature to |sig|, which must have |ECDSA_size(key)| bytes of\n// space. On successful exit, |*sig_len| is set to the actual number of bytes\n// written. The |type| argument should be zero. It returns one on success and\n// zero otherwise.\n//\n// WARNING: |digest| must be the output of some hash function on the data to be\n// signed. Passing unhashed inputs will not result in a secure signature scheme.\nOPENSSL_EXPORT int ECDSA_sign(int type, const uint8_t *digest,\n size_t digest_len, uint8_t *sig,\n unsigned int *sig_len, const EC_KEY *key);\n\n// ECDSA_verify verifies that |sig_len| bytes from |sig| constitute a valid\n// signature by |key| of |digest|. (The |type| argument should be zero.) It\n// returns one on success or zero if the signature is invalid or an error\n// occurred.\n//\n// WARNING: |digest| must be the output of some hash function on the data to be\n// verified. Passing unhashed inputs will not result in a secure signature\n// scheme.\nOPENSSL_EXPORT int ECDSA_verify(int type, const uint8_t *digest,\n size_t digest_len, const uint8_t *sig,\n size_t sig_len, const EC_KEY *key);\n\n// ECDSA_size returns the maximum size of an ECDSA signature using |key|. It\n// returns zero if |key| is NULL or if it doesn't have a group set.\nOPENSSL_EXPORT size_t ECDSA_size(const EC_KEY *key);\n\n\n// Low-level signing and verification.\n//\n// Low-level functions handle signatures as |ECDSA_SIG| structures which allow\n// the two values in an ECDSA signature to be handled separately.\n\nstruct ecdsa_sig_st {\n BIGNUM *r;\n BIGNUM *s;\n};\n\n// ECDSA_SIG_new returns a fresh |ECDSA_SIG| structure or NULL on error.\nOPENSSL_EXPORT ECDSA_SIG *ECDSA_SIG_new(void);\n\n// ECDSA_SIG_free frees |sig| its member |BIGNUM|s.\nOPENSSL_EXPORT void ECDSA_SIG_free(ECDSA_SIG *sig);\n\n// ECDSA_SIG_get0_r returns the r component of |sig|.\nOPENSSL_EXPORT const BIGNUM *ECDSA_SIG_get0_r(const ECDSA_SIG *sig);\n\n// ECDSA_SIG_get0_s returns the s component of |sig|.\nOPENSSL_EXPORT const BIGNUM *ECDSA_SIG_get0_s(const ECDSA_SIG *sig);\n\n// ECDSA_SIG_get0 sets |*out_r| and |*out_s|, if non-NULL, to the two\n// components of |sig|.\nOPENSSL_EXPORT void ECDSA_SIG_get0(const ECDSA_SIG *sig, const BIGNUM **out_r,\n const BIGNUM **out_s);\n\n// ECDSA_SIG_set0 sets |sig|'s components to |r| and |s|, neither of which may\n// be NULL. On success, it takes ownership of each argument and returns one.\n// Otherwise, it returns zero.\nOPENSSL_EXPORT int ECDSA_SIG_set0(ECDSA_SIG *sig, BIGNUM *r, BIGNUM *s);\n\n// ECDSA_do_sign signs |digest_len| bytes from |digest| with |key| and returns\n// the resulting signature structure, or NULL on error.\n//\n// WARNING: |digest| must be the output of some hash function on the data to be\n// signed. Passing unhashed inputs will not result in a secure signature scheme.\nOPENSSL_EXPORT ECDSA_SIG *ECDSA_do_sign(const uint8_t *digest,\n size_t digest_len, const EC_KEY *key);\n\n// ECDSA_do_verify verifies that |sig| constitutes a valid signature by |key|\n// of |digest|. It returns one on success or zero if the signature is invalid\n// or on error.\n//\n// WARNING: |digest| must be the output of some hash function on the data to be\n// verified. Passing unhashed inputs will not result in a secure signature\n// scheme.\nOPENSSL_EXPORT int ECDSA_do_verify(const uint8_t *digest, size_t digest_len,\n const ECDSA_SIG *sig, const EC_KEY *key);\n\n\n// ASN.1 functions.\n\n// ECDSA_SIG_parse parses a DER-encoded ECDSA-Sig-Value structure from |cbs| and\n// advances |cbs|. It returns a newly-allocated |ECDSA_SIG| or NULL on error.\nOPENSSL_EXPORT ECDSA_SIG *ECDSA_SIG_parse(CBS *cbs);\n\n// ECDSA_SIG_from_bytes parses |in| as a DER-encoded ECDSA-Sig-Value structure.\n// It returns a newly-allocated |ECDSA_SIG| structure or NULL on error.\nOPENSSL_EXPORT ECDSA_SIG *ECDSA_SIG_from_bytes(const uint8_t *in,\n size_t in_len);\n\n// ECDSA_SIG_marshal marshals |sig| as a DER-encoded ECDSA-Sig-Value and appends\n// the result to |cbb|. It returns one on success and zero on error.\nOPENSSL_EXPORT int ECDSA_SIG_marshal(CBB *cbb, const ECDSA_SIG *sig);\n\n// ECDSA_SIG_to_bytes marshals |sig| as a DER-encoded ECDSA-Sig-Value and, on\n// success, sets |*out_bytes| to a newly allocated buffer containing the result\n// and returns one. Otherwise, it returns zero. The result should be freed with\n// |OPENSSL_free|.\nOPENSSL_EXPORT int ECDSA_SIG_to_bytes(uint8_t **out_bytes, size_t *out_len,\n const ECDSA_SIG *sig);\n\n// ECDSA_SIG_max_len returns the maximum length of a DER-encoded ECDSA-Sig-Value\n// structure for a group whose order is represented in |order_len| bytes, or\n// zero on overflow.\nOPENSSL_EXPORT size_t ECDSA_SIG_max_len(size_t order_len);\n\n\n// Testing-only functions.\n\n// ECDSA_sign_with_nonce_and_leak_private_key_for_testing behaves like\n// |ECDSA_do_sign| but uses |nonce| for the ECDSA nonce 'k', instead of a random\n// value. |nonce| is interpreted as a big-endian integer. It must be reduced\n// modulo the group order and padded with zeros up to |BN_num_bytes(order)|\n// bytes.\n//\n// WARNING: This function is only exported for testing purposes, when using test\n// vectors or fuzzing strategies. It must not be used outside tests and may leak\n// any private keys it is used with.\nOPENSSL_EXPORT ECDSA_SIG *\nECDSA_sign_with_nonce_and_leak_private_key_for_testing(const uint8_t *digest,\n size_t digest_len,\n const EC_KEY *eckey,\n const uint8_t *nonce,\n size_t nonce_len);\n\n\n// Deprecated functions.\n\n// d2i_ECDSA_SIG parses aa DER-encoded ECDSA-Sig-Value structure from |len|\n// bytes at |*inp|, as described in |d2i_SAMPLE|.\n//\n// Use |ECDSA_SIG_parse| instead.\nOPENSSL_EXPORT ECDSA_SIG *d2i_ECDSA_SIG(ECDSA_SIG **out, const uint8_t **inp,\n long len);\n\n// i2d_ECDSA_SIG marshals |sig| as a DER-encoded ECDSA-Sig-Value, as described\n// in |i2d_SAMPLE|.\n//\n// Use |ECDSA_SIG_marshal| instead.\nOPENSSL_EXPORT int i2d_ECDSA_SIG(const ECDSA_SIG *sig, uint8_t **outp);\n\n\n#if defined(__cplusplus)\n} // extern C\n\nextern \"C++\" {\n\nBSSL_NAMESPACE_BEGIN\n\nBORINGSSL_MAKE_DELETER(ECDSA_SIG, ECDSA_SIG_free)\n\nBSSL_NAMESPACE_END\n\n} // extern C++\n\n#endif\n\n#define ECDSA_R_BAD_SIGNATURE 100\n#define ECDSA_R_MISSING_PARAMETERS 101\n#define ECDSA_R_NEED_NEW_SETUP_VALUES 102\n#define ECDSA_R_NOT_IMPLEMENTED 103\n#define ECDSA_R_RANDOM_NUMBER_GENERATION_FAILED 104\n#define ECDSA_R_ENCODE_ERROR 105\n#define ECDSA_R_TOO_MANY_ITERATIONS 106\n\n#endif // OPENSSL_HEADER_ECDSA_H\n" }, { "path": "Sources/CNIOBoringSSL/include/CNIOBoringSSL_engine.h", "content": "/* Copyright 2014 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n#ifndef OPENSSL_HEADER_ENGINE_H\n#define OPENSSL_HEADER_ENGINE_H\n\n#include \"CNIOBoringSSL_base.h\"\n\n#if defined(__cplusplus)\nextern \"C\" {\n#endif\n\n\n// Engines are collections of methods. Methods are tables of function pointers,\n// defined for certain algorithms, that allow operations on those algorithms to\n// be overridden via a callback. This can be used, for example, to implement an\n// RSA* that forwards operations to a hardware module.\n//\n// Methods are reference counted but |ENGINE|s are not. When creating a method,\n// you should zero the whole structure and fill in the function pointers that\n// you wish before setting it on an |ENGINE|. Any functions pointers that\n// are NULL indicate that the default behaviour should be used.\n\n\n// Allocation and destruction.\n\n// ENGINE_new returns an empty ENGINE that uses the default method for all\n// algorithms.\nOPENSSL_EXPORT ENGINE *ENGINE_new(void);\n\n// ENGINE_free decrements the reference counts for all methods linked from\n// |engine| and frees |engine| itself. It returns one.\nOPENSSL_EXPORT int ENGINE_free(ENGINE *engine);\n\n\n// Method accessors.\n//\n// Method accessors take a method pointer and the size of the structure. The\n// size allows for ABI compatibility in the case that the method structure is\n// extended with extra elements at the end. Methods are always copied by the\n// set functions.\n//\n// Set functions return one on success and zero on allocation failure.\n\nOPENSSL_EXPORT int ENGINE_set_RSA_method(ENGINE *engine,\n const RSA_METHOD *method,\n size_t method_size);\nOPENSSL_EXPORT RSA_METHOD *ENGINE_get_RSA_method(const ENGINE *engine);\n\nOPENSSL_EXPORT int ENGINE_set_ECDSA_method(ENGINE *engine,\n const ECDSA_METHOD *method,\n size_t method_size);\nOPENSSL_EXPORT ECDSA_METHOD *ENGINE_get_ECDSA_method(const ENGINE *engine);\n\n\n// Generic method functions.\n//\n// These functions take a void* type but actually operate on all method\n// structures.\n\n// METHOD_ref increments the reference count of |method|. This is a no-op for\n// now because all methods are currently static.\nvoid METHOD_ref(void *method);\n\n// METHOD_unref decrements the reference count of |method| and frees it if the\n// reference count drops to zero. This is a no-op for now because all methods\n// are currently static.\nvoid METHOD_unref(void *method);\n\n\n// Private functions.\n\n// openssl_method_common_st contains the common part of all method structures.\n// This must be the first member of all method structures.\nstruct openssl_method_common_st {\n int references; // dummy – not used.\n char is_static;\n};\n\n\n#if defined(__cplusplus)\n} // extern C\n\nextern \"C++\" {\n\nBSSL_NAMESPACE_BEGIN\n\nBORINGSSL_MAKE_DELETER(ENGINE, ENGINE_free)\n\nBSSL_NAMESPACE_END\n\n} // extern C++\n\n#endif\n\n#define ENGINE_R_OPERATION_NOT_SUPPORTED 100\n\n#endif // OPENSSL_HEADER_ENGINE_H\n" }, { "path": "Sources/CNIOBoringSSL/include/CNIOBoringSSL_err.h", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#ifndef OPENSSL_HEADER_ERR_H\n#define OPENSSL_HEADER_ERR_H\n\n#include \n\n#include \"CNIOBoringSSL_base.h\"\n\n#if defined(__cplusplus)\nextern \"C\" {\n#endif\n\n\n// Error queue handling functions.\n//\n// Errors in OpenSSL are generally signaled by the return value of a function.\n// When a function fails it may add an entry to a per-thread error queue,\n// which is managed by the functions in this header.\n//\n// Each error contains:\n// 1) The library (i.e. ec, pem, rsa) which created it.\n// 2) The file and line number of the call that added the error.\n// 3) A pointer to some error specific data, which may be NULL.\n//\n// The library identifier and reason code are packed in a uint32_t and there\n// exist various functions for unpacking it.\n//\n// The typical behaviour is that an error will occur deep in a call queue and\n// that code will push an error onto the error queue. As the error queue\n// unwinds, other functions will push their own errors. Thus, the \"least\n// recent\" error is the most specific and the other errors will provide a\n// backtrace of sorts.\n\n\n// Startup and shutdown.\n\n// ERR_load_BIO_strings does nothing.\n//\n// TODO(fork): remove. libjingle calls this.\nOPENSSL_EXPORT void ERR_load_BIO_strings(void);\n\n// ERR_load_ERR_strings does nothing.\nOPENSSL_EXPORT void ERR_load_ERR_strings(void);\n\n// ERR_load_crypto_strings does nothing.\nOPENSSL_EXPORT void ERR_load_crypto_strings(void);\n\n// ERR_load_RAND_strings does nothing.\nOPENSSL_EXPORT void ERR_load_RAND_strings(void);\n\n// ERR_free_strings does nothing.\nOPENSSL_EXPORT void ERR_free_strings(void);\n\n\n// Reading and formatting errors.\n\n// ERR_GET_LIB returns the library code for the error. This is one of\n// the |ERR_LIB_*| values.\nOPENSSL_INLINE int ERR_GET_LIB(uint32_t packed_error) {\n return (int)((packed_error >> 24) & 0xff);\n}\n\n// ERR_GET_REASON returns the reason code for the error. This is one of\n// library-specific |LIB_R_*| values where |LIB| is the library (see\n// |ERR_GET_LIB|). Note that reason codes are specific to the library.\nOPENSSL_INLINE int ERR_GET_REASON(uint32_t packed_error) {\n return (int)(packed_error & 0xfff);\n}\n\n// ERR_get_error gets the packed error code for the least recent error and\n// removes that error from the queue. If there are no errors in the queue then\n// it returns zero.\nOPENSSL_EXPORT uint32_t ERR_get_error(void);\n\n// ERR_get_error_line acts like |ERR_get_error|, except that the file and line\n// number of the call that added the error are also returned.\nOPENSSL_EXPORT uint32_t ERR_get_error_line(const char **file, int *line);\n\n// ERR_FLAG_STRING means that the |data| member is a NUL-terminated string that\n// can be printed. This is always set if |data| is non-NULL.\n#define ERR_FLAG_STRING 1\n\n// ERR_FLAG_MALLOCED is passed into |ERR_set_error_data| to indicate that |data|\n// was allocated with |OPENSSL_malloc|.\n//\n// It is, separately, returned in |*flags| from |ERR_get_error_line_data| to\n// indicate that |*data| has a non-static lifetime, but this lifetime is still\n// managed by the library. The caller must not call |OPENSSL_free| or |free| on\n// |data|.\n#define ERR_FLAG_MALLOCED 2\n\n// ERR_get_error_line_data acts like |ERR_get_error_line|, but also returns the\n// error-specific data pointer and flags. The flags are a bitwise-OR of\n// |ERR_FLAG_*| values. The error-specific data is owned by the error queue\n// and the pointer becomes invalid after the next call that affects the same\n// thread's error queue. If |*flags| contains |ERR_FLAG_STRING| then |*data| is\n// human-readable.\nOPENSSL_EXPORT uint32_t ERR_get_error_line_data(const char **file, int *line,\n const char **data, int *flags);\n\n// The \"peek\" functions act like the |ERR_get_error| functions, above, but they\n// do not remove the error from the queue.\nOPENSSL_EXPORT uint32_t ERR_peek_error(void);\nOPENSSL_EXPORT uint32_t ERR_peek_error_line(const char **file, int *line);\nOPENSSL_EXPORT uint32_t ERR_peek_error_line_data(const char **file, int *line,\n const char **data, int *flags);\n\n// The \"peek last\" functions act like the \"peek\" functions, above, except that\n// they return the most recent error.\nOPENSSL_EXPORT uint32_t ERR_peek_last_error(void);\nOPENSSL_EXPORT uint32_t ERR_peek_last_error_line(const char **file, int *line);\nOPENSSL_EXPORT uint32_t ERR_peek_last_error_line_data(const char **file,\n int *line,\n const char **data,\n int *flags);\n\n// ERR_error_string_n generates a human-readable string representing\n// |packed_error|, places it at |buf|, and returns |buf|. It writes at most\n// |len| bytes (including the terminating NUL) and truncates the string if\n// necessary. If |len| is greater than zero then |buf| is always NUL terminated.\n//\n// The string will have the following format:\n//\n// error:[error code]:[library name]:OPENSSL_internal:[reason string]\n//\n// error code is an 8 digit hexadecimal number; library name and reason string\n// are ASCII text.\nOPENSSL_EXPORT char *ERR_error_string_n(uint32_t packed_error, char *buf,\n size_t len);\n\n// ERR_lib_error_string returns a string representation of the library that\n// generated |packed_error|, or a placeholder string is the library is\n// unrecognized.\nOPENSSL_EXPORT const char *ERR_lib_error_string(uint32_t packed_error);\n\n// ERR_reason_error_string returns a string representation of the reason for\n// |packed_error|, or a placeholder string if the reason is unrecognized.\nOPENSSL_EXPORT const char *ERR_reason_error_string(uint32_t packed_error);\n\n// ERR_lib_symbol_name returns the symbol name of library that generated\n// |packed_error|, or NULL if unrecognized. For example, an error from\n// |ERR_LIB_EVP| would return \"EVP\".\nOPENSSL_EXPORT const char *ERR_lib_symbol_name(uint32_t packed_error);\n\n// ERR_reason_symbol_name returns the symbol name of the reason for\n// |packed_error|, or NULL if unrecognized. For example, |ERR_R_INTERNAL_ERROR|\n// would return \"INTERNAL_ERROR\".\n//\n// Errors from the |ERR_LIB_SYS| library are typically |errno| values and will\n// return NULL. User-defined errors will also return NULL.\nOPENSSL_EXPORT const char *ERR_reason_symbol_name(uint32_t packed_error);\n\n// ERR_print_errors_callback_t is the type of a function used by\n// |ERR_print_errors_cb|. It takes a pointer to a human readable string (and\n// its length) that describes an entry in the error queue. The |ctx| argument\n// is an opaque pointer given to |ERR_print_errors_cb|.\n//\n// It should return one on success or zero on error, which will stop the\n// iteration over the error queue.\ntypedef int (*ERR_print_errors_callback_t)(const char *str, size_t len,\n void *ctx);\n\n// ERR_print_errors_cb clears the current thread's error queue, calling\n// |callback| with a string representation of each error, from the least recent\n// to the most recent error.\n//\n// The string will have the following format (which differs from\n// |ERR_error_string|):\n//\n// [thread id]:error:[error code]:[library name]:OPENSSL_internal:[reason string]:[file]:[line number]:[optional string data]\n//\n// The callback can return one to continue the iteration or zero to stop it.\n// The |ctx| argument is an opaque value that is passed through to the\n// callback.\nOPENSSL_EXPORT void ERR_print_errors_cb(ERR_print_errors_callback_t callback,\n void *ctx);\n\n// ERR_print_errors_fp clears the current thread's error queue, printing each\n// error to |file|. See |ERR_print_errors_cb| for the format.\nOPENSSL_EXPORT void ERR_print_errors_fp(FILE *file);\n\n\n// Clearing errors.\n\n// ERR_clear_error clears the error queue for the current thread.\nOPENSSL_EXPORT void ERR_clear_error(void);\n\n// ERR_set_mark \"marks\" the most recent error for use with |ERR_pop_to_mark|.\n// It returns one if an error was marked and zero if there are no errors.\nOPENSSL_EXPORT int ERR_set_mark(void);\n\n// ERR_pop_to_mark removes errors from the most recent to the least recent\n// until (and not including) a \"marked\" error. It returns zero if no marked\n// error was found (and thus all errors were removed) and one otherwise. Errors\n// are marked using |ERR_set_mark|.\nOPENSSL_EXPORT int ERR_pop_to_mark(void);\n\n\n// Custom errors.\n\n// ERR_get_next_error_library returns a value suitable for passing as the\n// |library| argument to |ERR_put_error|. This is intended for code that wishes\n// to push its own, non-standard errors to the error queue.\nOPENSSL_EXPORT int ERR_get_next_error_library(void);\n\n\n// Built-in library and reason codes.\n\n// The following values are built-in library codes.\nenum {\n ERR_LIB_NONE = 1,\n ERR_LIB_SYS,\n ERR_LIB_BN,\n ERR_LIB_RSA,\n ERR_LIB_DH,\n ERR_LIB_EVP,\n ERR_LIB_BUF,\n ERR_LIB_OBJ,\n ERR_LIB_PEM,\n ERR_LIB_DSA,\n ERR_LIB_X509,\n ERR_LIB_ASN1,\n ERR_LIB_CONF,\n ERR_LIB_CRYPTO,\n ERR_LIB_EC,\n ERR_LIB_SSL,\n ERR_LIB_BIO,\n ERR_LIB_PKCS7,\n ERR_LIB_PKCS8,\n ERR_LIB_X509V3,\n ERR_LIB_RAND,\n ERR_LIB_ENGINE,\n ERR_LIB_OCSP,\n ERR_LIB_UI,\n ERR_LIB_COMP,\n ERR_LIB_ECDSA,\n ERR_LIB_ECDH,\n ERR_LIB_HMAC,\n ERR_LIB_DIGEST,\n ERR_LIB_CIPHER,\n ERR_LIB_HKDF,\n ERR_LIB_TRUST_TOKEN,\n ERR_LIB_USER,\n ERR_NUM_LIBS\n};\n\n// The following reason codes used to denote an error occuring in another\n// library. They are sometimes used for a stack trace.\n#define ERR_R_SYS_LIB ERR_LIB_SYS\n#define ERR_R_BN_LIB ERR_LIB_BN\n#define ERR_R_RSA_LIB ERR_LIB_RSA\n#define ERR_R_DH_LIB ERR_LIB_DH\n#define ERR_R_EVP_LIB ERR_LIB_EVP\n#define ERR_R_BUF_LIB ERR_LIB_BUF\n#define ERR_R_OBJ_LIB ERR_LIB_OBJ\n#define ERR_R_PEM_LIB ERR_LIB_PEM\n#define ERR_R_DSA_LIB ERR_LIB_DSA\n#define ERR_R_X509_LIB ERR_LIB_X509\n#define ERR_R_ASN1_LIB ERR_LIB_ASN1\n#define ERR_R_CONF_LIB ERR_LIB_CONF\n#define ERR_R_CRYPTO_LIB ERR_LIB_CRYPTO\n#define ERR_R_EC_LIB ERR_LIB_EC\n#define ERR_R_SSL_LIB ERR_LIB_SSL\n#define ERR_R_BIO_LIB ERR_LIB_BIO\n#define ERR_R_PKCS7_LIB ERR_LIB_PKCS7\n#define ERR_R_PKCS8_LIB ERR_LIB_PKCS8\n#define ERR_R_X509V3_LIB ERR_LIB_X509V3\n#define ERR_R_RAND_LIB ERR_LIB_RAND\n#define ERR_R_DSO_LIB ERR_LIB_DSO\n#define ERR_R_ENGINE_LIB ERR_LIB_ENGINE\n#define ERR_R_OCSP_LIB ERR_LIB_OCSP\n#define ERR_R_UI_LIB ERR_LIB_UI\n#define ERR_R_COMP_LIB ERR_LIB_COMP\n#define ERR_R_ECDSA_LIB ERR_LIB_ECDSA\n#define ERR_R_ECDH_LIB ERR_LIB_ECDH\n#define ERR_R_STORE_LIB ERR_LIB_STORE\n#define ERR_R_FIPS_LIB ERR_LIB_FIPS\n#define ERR_R_CMS_LIB ERR_LIB_CMS\n#define ERR_R_TS_LIB ERR_LIB_TS\n#define ERR_R_HMAC_LIB ERR_LIB_HMAC\n#define ERR_R_JPAKE_LIB ERR_LIB_JPAKE\n#define ERR_R_USER_LIB ERR_LIB_USER\n#define ERR_R_DIGEST_LIB ERR_LIB_DIGEST\n#define ERR_R_CIPHER_LIB ERR_LIB_CIPHER\n#define ERR_R_HKDF_LIB ERR_LIB_HKDF\n#define ERR_R_TRUST_TOKEN_LIB ERR_LIB_TRUST_TOKEN\n\n// The following values are global reason codes. They may occur in any library.\n#define ERR_R_FATAL 64\n#define ERR_R_MALLOC_FAILURE (1 | ERR_R_FATAL)\n#define ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED (2 | ERR_R_FATAL)\n#define ERR_R_PASSED_NULL_PARAMETER (3 | ERR_R_FATAL)\n#define ERR_R_INTERNAL_ERROR (4 | ERR_R_FATAL)\n#define ERR_R_OVERFLOW (5 | ERR_R_FATAL)\n\n\n// Deprecated functions.\n\n// ERR_remove_state calls |ERR_clear_error|.\nOPENSSL_EXPORT void ERR_remove_state(unsigned long pid);\n\n// ERR_remove_thread_state clears the error queue for the current thread if\n// |tid| is NULL. Otherwise it calls |assert(0)|, because it's no longer\n// possible to delete the error queue for other threads.\n//\n// Use |ERR_clear_error| instead. Note error queues are deleted automatically on\n// thread exit. You do not need to call this function to release memory.\nOPENSSL_EXPORT void ERR_remove_thread_state(const CRYPTO_THREADID *tid);\n\n// ERR_func_error_string returns the string \"OPENSSL_internal\".\nOPENSSL_EXPORT const char *ERR_func_error_string(uint32_t packed_error);\n\n// ERR_error_string behaves like |ERR_error_string_n| but |len| is implicitly\n// |ERR_ERROR_STRING_BUF_LEN|.\n//\n// Additionally, if |buf| is NULL, the error string is placed in a static buffer\n// which is returned. This is not thread-safe and only exists for backwards\n// compatibility with legacy callers. The static buffer will be overridden by\n// calls in other threads.\n//\n// Use |ERR_error_string_n| instead.\n//\n// TODO(fork): remove this function.\nOPENSSL_EXPORT char *ERR_error_string(uint32_t packed_error, char *buf);\n#define ERR_ERROR_STRING_BUF_LEN 120\n\n// ERR_GET_FUNC returns zero. BoringSSL errors do not report a function code.\nOPENSSL_INLINE int ERR_GET_FUNC(uint32_t packed_error) {\n (void)packed_error;\n return 0;\n}\n\n// ERR_TXT_* are provided for compatibility with code that assumes that it's\n// using OpenSSL.\n#define ERR_TXT_STRING ERR_FLAG_STRING\n#define ERR_TXT_MALLOCED ERR_FLAG_MALLOCED\n\n\n// Private functions.\n\n// ERR_clear_system_error clears the system's error value (i.e. errno).\nOPENSSL_EXPORT void ERR_clear_system_error(void);\n\n// OPENSSL_PUT_ERROR is used by OpenSSL code to add an error to the error\n// queue.\n#define OPENSSL_PUT_ERROR(library, reason) \\\n ERR_put_error(ERR_LIB_##library, 0, reason, __FILE__, __LINE__)\n\n// OPENSSL_PUT_SYSTEM_ERROR is used by OpenSSL code to add an error from the\n// operating system to the error queue.\n// TODO(fork): include errno.\n#define OPENSSL_PUT_SYSTEM_ERROR() \\\n ERR_put_error(ERR_LIB_SYS, 0, 0, __FILE__, __LINE__);\n\n// ERR_put_error adds an error to the error queue, dropping the least recent\n// error if necessary for space reasons.\nOPENSSL_EXPORT void ERR_put_error(int library, int unused, int reason,\n const char *file, unsigned line);\n\n// ERR_add_error_data takes a variable number (|count|) of const char*\n// pointers, concatenates them and sets the result as the data on the most\n// recent error.\nOPENSSL_EXPORT void ERR_add_error_data(unsigned count, ...);\n\n// ERR_add_error_dataf takes a printf-style format and arguments, and sets the\n// result as the data on the most recent error.\nOPENSSL_EXPORT void ERR_add_error_dataf(const char *format, ...)\n OPENSSL_PRINTF_FORMAT_FUNC(1, 2);\n\n// ERR_set_error_data sets the data on the most recent error to |data|, which\n// must be a NUL-terminated string. |flags| must contain |ERR_FLAG_STRING|. If\n// |flags| contains |ERR_FLAG_MALLOCED|, this function takes ownership of\n// |data|, which must have been allocated with |OPENSSL_malloc|. Otherwise, it\n// saves a copy of |data|.\n//\n// Note this differs from OpenSSL which, when |ERR_FLAG_MALLOCED| is unset,\n// saves the pointer as-is and requires it remain valid for the lifetime of the\n// address space.\nOPENSSL_EXPORT void ERR_set_error_data(char *data, int flags);\n\n// ERR_NUM_ERRORS is one more than the limit of the number of errors in the\n// queue.\n#define ERR_NUM_ERRORS 16\n\n#define ERR_PACK(lib, reason) \\\n (((((uint32_t)(lib)) & 0xff) << 24) | ((((uint32_t)(reason)) & 0xfff)))\n\n// OPENSSL_DECLARE_ERROR_REASON is used by util/make_errors.h (which generates\n// the error defines) to recognise that an additional reason value is needed.\n// This is needed when the reason value is used outside of an\n// |OPENSSL_PUT_ERROR| macro. The resulting define will be\n// ${lib}_R_${reason}.\n#define OPENSSL_DECLARE_ERROR_REASON(lib, reason)\n\n\n#if defined(__cplusplus)\n} // extern C\n#endif\n\n#endif // OPENSSL_HEADER_ERR_H\n" }, { "path": "Sources/CNIOBoringSSL/include/CNIOBoringSSL_evp.h", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#ifndef OPENSSL_HEADER_EVP_H\n#define OPENSSL_HEADER_EVP_H\n\n#include \"CNIOBoringSSL_base.h\"\n\n#include \"CNIOBoringSSL_evp_errors.h\" // IWYU pragma: export\n#include \"CNIOBoringSSL_thread.h\"\n\n// OpenSSL included digest and cipher functions in this header so we include\n// them for users that still expect that.\n//\n// TODO(fork): clean up callers so that they include what they use.\n#include \"CNIOBoringSSL_aead.h\"\n#include \"CNIOBoringSSL_base64.h\"\n#include \"CNIOBoringSSL_cipher.h\"\n#include \"CNIOBoringSSL_digest.h\"\n#include \"CNIOBoringSSL_nid.h\"\n\n#if defined(__cplusplus)\nextern \"C\" {\n#endif\n\n\n// EVP abstracts over public/private key algorithms.\n\n\n// Public key objects.\n//\n// An |EVP_PKEY| object represents a public or private key. A given object may\n// be used concurrently on multiple threads by non-mutating functions, provided\n// no other thread is concurrently calling a mutating function. Unless otherwise\n// documented, functions which take a |const| pointer are non-mutating and\n// functions which take a non-|const| pointer are mutating.\n\n// EVP_PKEY_new creates a new, empty public-key object and returns it or NULL\n// on allocation failure.\nOPENSSL_EXPORT EVP_PKEY *EVP_PKEY_new(void);\n\n// EVP_PKEY_free frees all data referenced by |pkey| and then frees |pkey|\n// itself.\nOPENSSL_EXPORT void EVP_PKEY_free(EVP_PKEY *pkey);\n\n// EVP_PKEY_up_ref increments the reference count of |pkey| and returns one. It\n// does not mutate |pkey| for thread-safety purposes and may be used\n// concurrently.\nOPENSSL_EXPORT int EVP_PKEY_up_ref(EVP_PKEY *pkey);\n\n// EVP_PKEY_is_opaque returns one if |pkey| is opaque. Opaque keys are backed by\n// custom implementations which do not expose key material and parameters. It is\n// an error to attempt to duplicate, export, or compare an opaque key.\nOPENSSL_EXPORT int EVP_PKEY_is_opaque(const EVP_PKEY *pkey);\n\n// EVP_PKEY_cmp compares |a| and |b| and returns one if they are equal, zero if\n// not and a negative number on error.\n//\n// WARNING: this differs from the traditional return value of a \"cmp\"\n// function.\nOPENSSL_EXPORT int EVP_PKEY_cmp(const EVP_PKEY *a, const EVP_PKEY *b);\n\n// EVP_PKEY_copy_parameters sets the parameters of |to| to equal the parameters\n// of |from|. It returns one on success and zero on error.\nOPENSSL_EXPORT int EVP_PKEY_copy_parameters(EVP_PKEY *to, const EVP_PKEY *from);\n\n// EVP_PKEY_missing_parameters returns one if |pkey| is missing needed\n// parameters or zero if not, or if the algorithm doesn't take parameters.\nOPENSSL_EXPORT int EVP_PKEY_missing_parameters(const EVP_PKEY *pkey);\n\n// EVP_PKEY_size returns the maximum size, in bytes, of a signature signed by\n// |pkey|. For an RSA key, this returns the number of bytes needed to represent\n// the modulus. For an EC key, this returns the maximum size of a DER-encoded\n// ECDSA signature.\nOPENSSL_EXPORT int EVP_PKEY_size(const EVP_PKEY *pkey);\n\n// EVP_PKEY_bits returns the \"size\", in bits, of |pkey|. For an RSA key, this\n// returns the bit length of the modulus. For an EC key, this returns the bit\n// length of the group order.\nOPENSSL_EXPORT int EVP_PKEY_bits(const EVP_PKEY *pkey);\n\n// EVP_PKEY_id returns the type of |pkey|, which is one of the |EVP_PKEY_*|\n// values.\nOPENSSL_EXPORT int EVP_PKEY_id(const EVP_PKEY *pkey);\n\n\n// Getting and setting concrete public key types.\n//\n// The following functions get and set the underlying public key in an\n// |EVP_PKEY| object. The |set1| functions take an additional reference to the\n// underlying key and return one on success or zero if |key| is NULL. The\n// |assign| functions adopt the caller's reference and return one on success or\n// zero if |key| is NULL. The |get1| functions return a fresh reference to the\n// underlying object or NULL if |pkey| is not of the correct type. The |get0|\n// functions behave the same but return a non-owning pointer.\n//\n// The |get0| and |get1| functions take |const| pointers and are thus\n// non-mutating for thread-safety purposes, but mutating functions on the\n// returned lower-level objects are considered to also mutate the |EVP_PKEY| and\n// may not be called concurrently with other operations on the |EVP_PKEY|.\n\nOPENSSL_EXPORT int EVP_PKEY_set1_RSA(EVP_PKEY *pkey, RSA *key);\nOPENSSL_EXPORT int EVP_PKEY_assign_RSA(EVP_PKEY *pkey, RSA *key);\nOPENSSL_EXPORT RSA *EVP_PKEY_get0_RSA(const EVP_PKEY *pkey);\nOPENSSL_EXPORT RSA *EVP_PKEY_get1_RSA(const EVP_PKEY *pkey);\n\nOPENSSL_EXPORT int EVP_PKEY_set1_DSA(EVP_PKEY *pkey, DSA *key);\nOPENSSL_EXPORT int EVP_PKEY_assign_DSA(EVP_PKEY *pkey, DSA *key);\nOPENSSL_EXPORT DSA *EVP_PKEY_get0_DSA(const EVP_PKEY *pkey);\nOPENSSL_EXPORT DSA *EVP_PKEY_get1_DSA(const EVP_PKEY *pkey);\n\nOPENSSL_EXPORT int EVP_PKEY_set1_EC_KEY(EVP_PKEY *pkey, EC_KEY *key);\nOPENSSL_EXPORT int EVP_PKEY_assign_EC_KEY(EVP_PKEY *pkey, EC_KEY *key);\nOPENSSL_EXPORT EC_KEY *EVP_PKEY_get0_EC_KEY(const EVP_PKEY *pkey);\nOPENSSL_EXPORT EC_KEY *EVP_PKEY_get1_EC_KEY(const EVP_PKEY *pkey);\n\nOPENSSL_EXPORT int EVP_PKEY_set1_DH(EVP_PKEY *pkey, DH *key);\nOPENSSL_EXPORT int EVP_PKEY_assign_DH(EVP_PKEY *pkey, DH *key);\nOPENSSL_EXPORT DH *EVP_PKEY_get0_DH(const EVP_PKEY *pkey);\nOPENSSL_EXPORT DH *EVP_PKEY_get1_DH(const EVP_PKEY *pkey);\n\n#define EVP_PKEY_NONE NID_undef\n#define EVP_PKEY_RSA NID_rsaEncryption\n#define EVP_PKEY_RSA_PSS NID_rsassaPss\n#define EVP_PKEY_DSA NID_dsa\n#define EVP_PKEY_EC NID_X9_62_id_ecPublicKey\n#define EVP_PKEY_ED25519 NID_ED25519\n#define EVP_PKEY_X25519 NID_X25519\n#define EVP_PKEY_HKDF NID_hkdf\n#define EVP_PKEY_DH NID_dhKeyAgreement\n\n// EVP_PKEY_set_type sets the type of |pkey| to |type|. It returns one if\n// successful or zero if the |type| argument is not one of the |EVP_PKEY_*|\n// values. If |pkey| is NULL, it simply reports whether the type is known.\nOPENSSL_EXPORT int EVP_PKEY_set_type(EVP_PKEY *pkey, int type);\n\n// EVP_PKEY_cmp_parameters compares the parameters of |a| and |b|. It returns\n// one if they match, zero if not, or a negative number of on error.\n//\n// WARNING: the return value differs from the usual return value convention.\nOPENSSL_EXPORT int EVP_PKEY_cmp_parameters(const EVP_PKEY *a,\n const EVP_PKEY *b);\n\n\n// ASN.1 functions\n\n// EVP_parse_public_key decodes a DER-encoded SubjectPublicKeyInfo structure\n// (RFC 5280) from |cbs| and advances |cbs|. It returns a newly-allocated\n// |EVP_PKEY| or NULL on error. If the key is an EC key, the curve is guaranteed\n// to be set.\n//\n// The caller must check the type of the parsed public key to ensure it is\n// suitable and validate other desired key properties such as RSA modulus size\n// or EC curve.\nOPENSSL_EXPORT EVP_PKEY *EVP_parse_public_key(CBS *cbs);\n\n// EVP_marshal_public_key marshals |key| as a DER-encoded SubjectPublicKeyInfo\n// structure (RFC 5280) and appends the result to |cbb|. It returns one on\n// success and zero on error.\nOPENSSL_EXPORT int EVP_marshal_public_key(CBB *cbb, const EVP_PKEY *key);\n\n// EVP_parse_private_key decodes a DER-encoded PrivateKeyInfo structure (RFC\n// 5208) from |cbs| and advances |cbs|. It returns a newly-allocated |EVP_PKEY|\n// or NULL on error.\n//\n// The caller must check the type of the parsed private key to ensure it is\n// suitable and validate other desired key properties such as RSA modulus size\n// or EC curve. In particular, RSA private key operations scale cubicly, so\n// applications accepting RSA private keys from external sources may need to\n// bound key sizes (use |EVP_PKEY_bits| or |RSA_bits|) to avoid a DoS vector.\n//\n// A PrivateKeyInfo ends with an optional set of attributes. These are not\n// processed and so this function will silently ignore any trailing data in the\n// structure.\nOPENSSL_EXPORT EVP_PKEY *EVP_parse_private_key(CBS *cbs);\n\n// EVP_marshal_private_key marshals |key| as a DER-encoded PrivateKeyInfo\n// structure (RFC 5208) and appends the result to |cbb|. It returns one on\n// success and zero on error.\nOPENSSL_EXPORT int EVP_marshal_private_key(CBB *cbb, const EVP_PKEY *key);\n\n\n// Raw keys\n//\n// Some keys types support a \"raw\" serialization. Currently the only supported\n// raw formats are X25519 and Ed25519, where the formats are those specified in\n// RFC 7748 and RFC 8032, respectively. Note the RFC 8032 private key format is\n// the 32-byte prefix of |ED25519_sign|'s 64-byte private key.\n\n// EVP_PKEY_new_raw_private_key returns a newly allocated |EVP_PKEY| wrapping a\n// private key of the specified type. It returns one on success and zero on\n// error.\nOPENSSL_EXPORT EVP_PKEY *EVP_PKEY_new_raw_private_key(int type, ENGINE *unused,\n const uint8_t *in,\n size_t len);\n\n// EVP_PKEY_new_raw_public_key returns a newly allocated |EVP_PKEY| wrapping a\n// public key of the specified type. It returns one on success and zero on\n// error.\nOPENSSL_EXPORT EVP_PKEY *EVP_PKEY_new_raw_public_key(int type, ENGINE *unused,\n const uint8_t *in,\n size_t len);\n\n// EVP_PKEY_get_raw_private_key outputs the private key for |pkey| in raw form.\n// If |out| is NULL, it sets |*out_len| to the size of the raw private key.\n// Otherwise, it writes at most |*out_len| bytes to |out| and sets |*out_len| to\n// the number of bytes written.\n//\n// It returns one on success and zero if |pkey| has no private key, the key\n// type does not support a raw format, or the buffer is too small.\nOPENSSL_EXPORT int EVP_PKEY_get_raw_private_key(const EVP_PKEY *pkey,\n uint8_t *out, size_t *out_len);\n\n// EVP_PKEY_get_raw_public_key outputs the public key for |pkey| in raw form.\n// If |out| is NULL, it sets |*out_len| to the size of the raw public key.\n// Otherwise, it writes at most |*out_len| bytes to |out| and sets |*out_len| to\n// the number of bytes written.\n//\n// It returns one on success and zero if |pkey| has no public key, the key\n// type does not support a raw format, or the buffer is too small.\nOPENSSL_EXPORT int EVP_PKEY_get_raw_public_key(const EVP_PKEY *pkey,\n uint8_t *out, size_t *out_len);\n\n\n// Signing\n\n// EVP_DigestSignInit sets up |ctx| for a signing operation with |type| and\n// |pkey|. The |ctx| argument must have been initialised with\n// |EVP_MD_CTX_init|. If |pctx| is not NULL, the |EVP_PKEY_CTX| of the signing\n// operation will be written to |*pctx|; this can be used to set alternative\n// signing options.\n//\n// For single-shot signing algorithms which do not use a pre-hash, such as\n// Ed25519, |type| should be NULL. The |EVP_MD_CTX| itself is unused but is\n// present so the API is uniform. See |EVP_DigestSign|.\n//\n// This function does not mutate |pkey| for thread-safety purposes and may be\n// used concurrently with other non-mutating functions on |pkey|.\n//\n// It returns one on success, or zero on error.\nOPENSSL_EXPORT int EVP_DigestSignInit(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,\n const EVP_MD *type, ENGINE *e,\n EVP_PKEY *pkey);\n\n// EVP_DigestSignUpdate appends |len| bytes from |data| to the data which will\n// be signed in |EVP_DigestSignFinal|. It returns one.\n//\n// This function performs a streaming signing operation and will fail for\n// signature algorithms which do not support this. Use |EVP_DigestSign| for a\n// single-shot operation.\nOPENSSL_EXPORT int EVP_DigestSignUpdate(EVP_MD_CTX *ctx, const void *data,\n size_t len);\n\n// EVP_DigestSignFinal signs the data that has been included by one or more\n// calls to |EVP_DigestSignUpdate|. If |out_sig| is NULL then |*out_sig_len| is\n// set to the maximum number of output bytes. Otherwise, on entry,\n// |*out_sig_len| must contain the length of the |out_sig| buffer. If the call\n// is successful, the signature is written to |out_sig| and |*out_sig_len| is\n// set to its length.\n//\n// This function performs a streaming signing operation and will fail for\n// signature algorithms which do not support this. Use |EVP_DigestSign| for a\n// single-shot operation.\n//\n// It returns one on success, or zero on error.\nOPENSSL_EXPORT int EVP_DigestSignFinal(EVP_MD_CTX *ctx, uint8_t *out_sig,\n size_t *out_sig_len);\n\n// EVP_DigestSign signs |data_len| bytes from |data| using |ctx|. If |out_sig|\n// is NULL then |*out_sig_len| is set to the maximum number of output\n// bytes. Otherwise, on entry, |*out_sig_len| must contain the length of the\n// |out_sig| buffer. If the call is successful, the signature is written to\n// |out_sig| and |*out_sig_len| is set to its length.\n//\n// It returns one on success and zero on error.\nOPENSSL_EXPORT int EVP_DigestSign(EVP_MD_CTX *ctx, uint8_t *out_sig,\n size_t *out_sig_len, const uint8_t *data,\n size_t data_len);\n\n\n// Verifying\n\n// EVP_DigestVerifyInit sets up |ctx| for a signature verification operation\n// with |type| and |pkey|. The |ctx| argument must have been initialised with\n// |EVP_MD_CTX_init|. If |pctx| is not NULL, the |EVP_PKEY_CTX| of the signing\n// operation will be written to |*pctx|; this can be used to set alternative\n// signing options.\n//\n// For single-shot signing algorithms which do not use a pre-hash, such as\n// Ed25519, |type| should be NULL. The |EVP_MD_CTX| itself is unused but is\n// present so the API is uniform. See |EVP_DigestVerify|.\n//\n// This function does not mutate |pkey| for thread-safety purposes and may be\n// used concurrently with other non-mutating functions on |pkey|.\n//\n// It returns one on success, or zero on error.\nOPENSSL_EXPORT int EVP_DigestVerifyInit(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,\n const EVP_MD *type, ENGINE *e,\n EVP_PKEY *pkey);\n\n// EVP_DigestVerifyUpdate appends |len| bytes from |data| to the data which\n// will be verified by |EVP_DigestVerifyFinal|. It returns one.\n//\n// This function performs streaming signature verification and will fail for\n// signature algorithms which do not support this. Use |EVP_PKEY_verify_message|\n// for a single-shot verification.\nOPENSSL_EXPORT int EVP_DigestVerifyUpdate(EVP_MD_CTX *ctx, const void *data,\n size_t len);\n\n// EVP_DigestVerifyFinal verifies that |sig_len| bytes of |sig| are a valid\n// signature for the data that has been included by one or more calls to\n// |EVP_DigestVerifyUpdate|. It returns one on success and zero otherwise.\n//\n// This function performs streaming signature verification and will fail for\n// signature algorithms which do not support this. Use |EVP_PKEY_verify_message|\n// for a single-shot verification.\nOPENSSL_EXPORT int EVP_DigestVerifyFinal(EVP_MD_CTX *ctx, const uint8_t *sig,\n size_t sig_len);\n\n// EVP_DigestVerify verifies that |sig_len| bytes from |sig| are a valid\n// signature for |data|. It returns one on success or zero on error.\nOPENSSL_EXPORT int EVP_DigestVerify(EVP_MD_CTX *ctx, const uint8_t *sig,\n size_t sig_len, const uint8_t *data,\n size_t len);\n\n\n// Signing (old functions)\n\n// EVP_SignInit_ex configures |ctx|, which must already have been initialised,\n// for a fresh signing operation using the hash function |type|. It returns one\n// on success and zero otherwise.\n//\n// (In order to initialise |ctx|, either obtain it initialised with\n// |EVP_MD_CTX_create|, or use |EVP_MD_CTX_init|.)\nOPENSSL_EXPORT int EVP_SignInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type,\n ENGINE *impl);\n\n// EVP_SignInit is a deprecated version of |EVP_SignInit_ex|.\n//\n// TODO(fork): remove.\nOPENSSL_EXPORT int EVP_SignInit(EVP_MD_CTX *ctx, const EVP_MD *type);\n\n// EVP_SignUpdate appends |len| bytes from |data| to the data which will be\n// signed in |EVP_SignFinal|.\nOPENSSL_EXPORT int EVP_SignUpdate(EVP_MD_CTX *ctx, const void *data,\n size_t len);\n\n// EVP_SignFinal signs the data that has been included by one or more calls to\n// |EVP_SignUpdate|, using the key |pkey|, and writes it to |sig|. On entry,\n// |sig| must point to at least |EVP_PKEY_size(pkey)| bytes of space. The\n// actual size of the signature is written to |*out_sig_len|.\n//\n// It returns one on success and zero otherwise.\n//\n// It does not modify |ctx|, thus it's possible to continue to use |ctx| in\n// order to sign a longer message. It also does not mutate |pkey| for\n// thread-safety purposes and may be used concurrently with other non-mutating\n// functions on |pkey|.\nOPENSSL_EXPORT int EVP_SignFinal(const EVP_MD_CTX *ctx, uint8_t *sig,\n unsigned int *out_sig_len, EVP_PKEY *pkey);\n\n\n// Verifying (old functions)\n\n// EVP_VerifyInit_ex configures |ctx|, which must already have been\n// initialised, for a fresh signature verification operation using the hash\n// function |type|. It returns one on success and zero otherwise.\n//\n// (In order to initialise |ctx|, either obtain it initialised with\n// |EVP_MD_CTX_create|, or use |EVP_MD_CTX_init|.)\nOPENSSL_EXPORT int EVP_VerifyInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type,\n ENGINE *impl);\n\n// EVP_VerifyInit is a deprecated version of |EVP_VerifyInit_ex|.\n//\n// TODO(fork): remove.\nOPENSSL_EXPORT int EVP_VerifyInit(EVP_MD_CTX *ctx, const EVP_MD *type);\n\n// EVP_VerifyUpdate appends |len| bytes from |data| to the data which will be\n// signed in |EVP_VerifyFinal|.\nOPENSSL_EXPORT int EVP_VerifyUpdate(EVP_MD_CTX *ctx, const void *data,\n size_t len);\n\n// EVP_VerifyFinal verifies that |sig_len| bytes of |sig| are a valid\n// signature, by |pkey|, for the data that has been included by one or more\n// calls to |EVP_VerifyUpdate|.\n//\n// It returns one on success and zero otherwise.\n//\n// It does not modify |ctx|, thus it's possible to continue to use |ctx| in\n// order to verify a longer message. It also does not mutate |pkey| for\n// thread-safety purposes and may be used concurrently with other non-mutating\n// functions on |pkey|.\nOPENSSL_EXPORT int EVP_VerifyFinal(EVP_MD_CTX *ctx, const uint8_t *sig,\n size_t sig_len, EVP_PKEY *pkey);\n\n\n// Printing\n\n// EVP_PKEY_print_public prints a textual representation of the public key in\n// |pkey| to |out|. Returns one on success or zero otherwise.\nOPENSSL_EXPORT int EVP_PKEY_print_public(BIO *out, const EVP_PKEY *pkey,\n int indent, ASN1_PCTX *pctx);\n\n// EVP_PKEY_print_private prints a textual representation of the private key in\n// |pkey| to |out|. Returns one on success or zero otherwise.\nOPENSSL_EXPORT int EVP_PKEY_print_private(BIO *out, const EVP_PKEY *pkey,\n int indent, ASN1_PCTX *pctx);\n\n// EVP_PKEY_print_params prints a textual representation of the parameters in\n// |pkey| to |out|. Returns one on success or zero otherwise.\nOPENSSL_EXPORT int EVP_PKEY_print_params(BIO *out, const EVP_PKEY *pkey,\n int indent, ASN1_PCTX *pctx);\n\n\n// Password stretching.\n//\n// Password stretching functions take a low-entropy password and apply a slow\n// function that results in a key suitable for use in symmetric\n// cryptography.\n\n// PKCS5_PBKDF2_HMAC computes |iterations| iterations of PBKDF2 of |password|\n// and |salt|, using |digest|, and outputs |key_len| bytes to |out_key|. It\n// returns one on success and zero on allocation failure or if iterations is 0.\nOPENSSL_EXPORT int PKCS5_PBKDF2_HMAC(const char *password, size_t password_len,\n const uint8_t *salt, size_t salt_len,\n uint32_t iterations, const EVP_MD *digest,\n size_t key_len, uint8_t *out_key);\n\n// PKCS5_PBKDF2_HMAC_SHA1 is the same as PKCS5_PBKDF2_HMAC, but with |digest|\n// fixed to |EVP_sha1|.\nOPENSSL_EXPORT int PKCS5_PBKDF2_HMAC_SHA1(const char *password,\n size_t password_len,\n const uint8_t *salt, size_t salt_len,\n uint32_t iterations, size_t key_len,\n uint8_t *out_key);\n\n// EVP_PBE_scrypt expands |password| into a secret key of length |key_len| using\n// scrypt, as described in RFC 7914, and writes the result to |out_key|. It\n// returns one on success and zero on allocation failure, if the memory required\n// for the operation exceeds |max_mem|, or if any of the parameters are invalid\n// as described below.\n//\n// |N|, |r|, and |p| are as described in RFC 7914 section 6. They determine the\n// cost of the operation. If |max_mem| is zero, a default limit of 32MiB will be\n// used.\n//\n// The parameters are considered invalid under any of the following conditions:\n// - |r| or |p| are zero\n// - |p| > (2^30 - 1) / |r|\n// - |N| is not a power of two\n// - |N| > 2^32\n// - |N| > 2^(128 * |r| / 8)\nOPENSSL_EXPORT int EVP_PBE_scrypt(const char *password, size_t password_len,\n const uint8_t *salt, size_t salt_len,\n uint64_t N, uint64_t r, uint64_t p,\n size_t max_mem, uint8_t *out_key,\n size_t key_len);\n\n\n// Public key contexts.\n//\n// |EVP_PKEY_CTX| objects hold the context of an operation (e.g. signing or\n// encrypting) that uses a public key.\n\n// EVP_PKEY_CTX_new allocates a fresh |EVP_PKEY_CTX| for use with |pkey|. It\n// returns the context or NULL on error.\nOPENSSL_EXPORT EVP_PKEY_CTX *EVP_PKEY_CTX_new(EVP_PKEY *pkey, ENGINE *e);\n\n// EVP_PKEY_CTX_new_id allocates a fresh |EVP_PKEY_CTX| for a key of type |id|\n// (e.g. |EVP_PKEY_HMAC|). This can be used for key generation where\n// |EVP_PKEY_CTX_new| can't be used because there isn't an |EVP_PKEY| to pass\n// it. It returns the context or NULL on error.\nOPENSSL_EXPORT EVP_PKEY_CTX *EVP_PKEY_CTX_new_id(int id, ENGINE *e);\n\n// EVP_PKEY_CTX_free frees |ctx| and the data it owns.\nOPENSSL_EXPORT void EVP_PKEY_CTX_free(EVP_PKEY_CTX *ctx);\n\n// EVP_PKEY_CTX_dup allocates a fresh |EVP_PKEY_CTX| and sets it equal to the\n// state of |ctx|. It returns the fresh |EVP_PKEY_CTX| or NULL on error.\nOPENSSL_EXPORT EVP_PKEY_CTX *EVP_PKEY_CTX_dup(EVP_PKEY_CTX *ctx);\n\n// EVP_PKEY_CTX_get0_pkey returns the |EVP_PKEY| associated with |ctx|.\nOPENSSL_EXPORT EVP_PKEY *EVP_PKEY_CTX_get0_pkey(EVP_PKEY_CTX *ctx);\n\n// EVP_PKEY_sign_init initialises an |EVP_PKEY_CTX| for a signing operation. It\n// should be called before |EVP_PKEY_sign|.\n//\n// It returns one on success or zero on error.\nOPENSSL_EXPORT int EVP_PKEY_sign_init(EVP_PKEY_CTX *ctx);\n\n// EVP_PKEY_sign signs |digest_len| bytes from |digest| using |ctx|. If |sig| is\n// NULL, the maximum size of the signature is written to |out_sig_len|.\n// Otherwise, |*sig_len| must contain the number of bytes of space available at\n// |sig|. If sufficient, the signature will be written to |sig| and |*sig_len|\n// updated with the true length. This function will fail for signature\n// algorithms like Ed25519 that do not support signing pre-hashed inputs.\n//\n// WARNING: |digest| must be the output of some hash function on the data to be\n// signed. Passing unhashed inputs will not result in a secure signature scheme.\n// Use |EVP_DigestSignInit| to sign an unhashed input.\n//\n// WARNING: Setting |sig| to NULL only gives the maximum size of the\n// signature. The actual signature may be smaller.\n//\n// It returns one on success or zero on error. (Note: this differs from\n// OpenSSL, which can also return negative values to indicate an error. )\nOPENSSL_EXPORT int EVP_PKEY_sign(EVP_PKEY_CTX *ctx, uint8_t *sig,\n size_t *sig_len, const uint8_t *digest,\n size_t digest_len);\n\n// EVP_PKEY_verify_init initialises an |EVP_PKEY_CTX| for a signature\n// verification operation. It should be called before |EVP_PKEY_verify|.\n//\n// It returns one on success or zero on error.\nOPENSSL_EXPORT int EVP_PKEY_verify_init(EVP_PKEY_CTX *ctx);\n\n// EVP_PKEY_verify verifies that |sig_len| bytes from |sig| are a valid\n// signature for |digest|. This function will fail for signature\n// algorithms like Ed25519 that do not support signing pre-hashed inputs.\n//\n// WARNING: |digest| must be the output of some hash function on the data to be\n// verified. Passing unhashed inputs will not result in a secure signature\n// scheme. Use |EVP_DigestVerifyInit| to verify a signature given the unhashed\n// input.\n//\n// It returns one on success or zero on error.\nOPENSSL_EXPORT int EVP_PKEY_verify(EVP_PKEY_CTX *ctx, const uint8_t *sig,\n size_t sig_len, const uint8_t *digest,\n size_t digest_len);\n\n// EVP_PKEY_encrypt_init initialises an |EVP_PKEY_CTX| for an encryption\n// operation. It should be called before |EVP_PKEY_encrypt|.\n//\n// It returns one on success or zero on error.\nOPENSSL_EXPORT int EVP_PKEY_encrypt_init(EVP_PKEY_CTX *ctx);\n\n// EVP_PKEY_encrypt encrypts |in_len| bytes from |in|. If |out| is NULL, the\n// maximum size of the ciphertext is written to |out_len|. Otherwise, |*out_len|\n// must contain the number of bytes of space available at |out|. If sufficient,\n// the ciphertext will be written to |out| and |*out_len| updated with the true\n// length.\n//\n// WARNING: Setting |out| to NULL only gives the maximum size of the\n// ciphertext. The actual ciphertext may be smaller.\n//\n// It returns one on success or zero on error.\nOPENSSL_EXPORT int EVP_PKEY_encrypt(EVP_PKEY_CTX *ctx, uint8_t *out,\n size_t *out_len, const uint8_t *in,\n size_t in_len);\n\n// EVP_PKEY_decrypt_init initialises an |EVP_PKEY_CTX| for a decryption\n// operation. It should be called before |EVP_PKEY_decrypt|.\n//\n// It returns one on success or zero on error.\nOPENSSL_EXPORT int EVP_PKEY_decrypt_init(EVP_PKEY_CTX *ctx);\n\n// EVP_PKEY_decrypt decrypts |in_len| bytes from |in|. If |out| is NULL, the\n// maximum size of the plaintext is written to |out_len|. Otherwise, |*out_len|\n// must contain the number of bytes of space available at |out|. If sufficient,\n// the ciphertext will be written to |out| and |*out_len| updated with the true\n// length.\n//\n// WARNING: Setting |out| to NULL only gives the maximum size of the\n// plaintext. The actual plaintext may be smaller.\n//\n// It returns one on success or zero on error.\nOPENSSL_EXPORT int EVP_PKEY_decrypt(EVP_PKEY_CTX *ctx, uint8_t *out,\n size_t *out_len, const uint8_t *in,\n size_t in_len);\n\n// EVP_PKEY_verify_recover_init initialises an |EVP_PKEY_CTX| for a public-key\n// decryption operation. It should be called before |EVP_PKEY_verify_recover|.\n//\n// Public-key decryption is a very obscure operation that is only implemented\n// by RSA keys. It is effectively a signature verification operation that\n// returns the signed message directly. It is almost certainly not what you\n// want.\n//\n// It returns one on success or zero on error.\nOPENSSL_EXPORT int EVP_PKEY_verify_recover_init(EVP_PKEY_CTX *ctx);\n\n// EVP_PKEY_verify_recover decrypts |sig_len| bytes from |sig|. If |out| is\n// NULL, the maximum size of the plaintext is written to |out_len|. Otherwise,\n// |*out_len| must contain the number of bytes of space available at |out|. If\n// sufficient, the ciphertext will be written to |out| and |*out_len| updated\n// with the true length.\n//\n// WARNING: Setting |out| to NULL only gives the maximum size of the\n// plaintext. The actual plaintext may be smaller.\n//\n// See the warning about this operation in |EVP_PKEY_verify_recover_init|. It\n// is probably not what you want.\n//\n// It returns one on success or zero on error.\nOPENSSL_EXPORT int EVP_PKEY_verify_recover(EVP_PKEY_CTX *ctx, uint8_t *out,\n size_t *out_len, const uint8_t *sig,\n size_t siglen);\n\n// EVP_PKEY_derive_init initialises an |EVP_PKEY_CTX| for a key derivation\n// operation. It should be called before |EVP_PKEY_derive_set_peer| and\n// |EVP_PKEY_derive|.\n//\n// It returns one on success or zero on error.\nOPENSSL_EXPORT int EVP_PKEY_derive_init(EVP_PKEY_CTX *ctx);\n\n// EVP_PKEY_derive_set_peer sets the peer's key to be used for key derivation\n// by |ctx| to |peer|. It should be called after |EVP_PKEY_derive_init|. (For\n// example, this is used to set the peer's key in (EC)DH.) It returns one on\n// success and zero on error.\nOPENSSL_EXPORT int EVP_PKEY_derive_set_peer(EVP_PKEY_CTX *ctx, EVP_PKEY *peer);\n\n// EVP_PKEY_derive derives a shared key from |ctx|. If |key| is non-NULL then,\n// on entry, |out_key_len| must contain the amount of space at |key|. If\n// sufficient then the shared key will be written to |key| and |*out_key_len|\n// will be set to the length. If |key| is NULL then |out_key_len| will be set to\n// the maximum length.\n//\n// WARNING: Setting |out| to NULL only gives the maximum size of the key. The\n// actual key may be smaller.\n//\n// It returns one on success and zero on error.\nOPENSSL_EXPORT int EVP_PKEY_derive(EVP_PKEY_CTX *ctx, uint8_t *key,\n size_t *out_key_len);\n\n// EVP_PKEY_keygen_init initialises an |EVP_PKEY_CTX| for a key generation\n// operation. It should be called before |EVP_PKEY_keygen|.\n//\n// It returns one on success or zero on error.\nOPENSSL_EXPORT int EVP_PKEY_keygen_init(EVP_PKEY_CTX *ctx);\n\n// EVP_PKEY_keygen performs a key generation operation using the values from\n// |ctx|. If |*out_pkey| is non-NULL, it overwrites |*out_pkey| with the\n// resulting key. Otherwise, it sets |*out_pkey| to a newly-allocated |EVP_PKEY|\n// containing the result. It returns one on success or zero on error.\nOPENSSL_EXPORT int EVP_PKEY_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY **out_pkey);\n\n// EVP_PKEY_paramgen_init initialises an |EVP_PKEY_CTX| for a parameter\n// generation operation. It should be called before |EVP_PKEY_paramgen|.\n//\n// It returns one on success or zero on error.\nOPENSSL_EXPORT int EVP_PKEY_paramgen_init(EVP_PKEY_CTX *ctx);\n\n// EVP_PKEY_paramgen performs a parameter generation using the values from\n// |ctx|. If |*out_pkey| is non-NULL, it overwrites |*out_pkey| with the\n// resulting parameters, but no key. Otherwise, it sets |*out_pkey| to a\n// newly-allocated |EVP_PKEY| containing the result. It returns one on success\n// or zero on error.\nOPENSSL_EXPORT int EVP_PKEY_paramgen(EVP_PKEY_CTX *ctx, EVP_PKEY **out_pkey);\n\n\n// Generic control functions.\n\n// EVP_PKEY_CTX_set_signature_md sets |md| as the digest to be used in a\n// signature operation. It returns one on success or zero on error.\nOPENSSL_EXPORT int EVP_PKEY_CTX_set_signature_md(EVP_PKEY_CTX *ctx,\n const EVP_MD *md);\n\n// EVP_PKEY_CTX_get_signature_md sets |*out_md| to the digest to be used in a\n// signature operation. It returns one on success or zero on error.\nOPENSSL_EXPORT int EVP_PKEY_CTX_get_signature_md(EVP_PKEY_CTX *ctx,\n const EVP_MD **out_md);\n\n\n// RSA specific control functions.\n\n// EVP_PKEY_CTX_set_rsa_padding sets the padding type to use. It should be one\n// of the |RSA_*_PADDING| values. Returns one on success or zero on error. By\n// default, the padding is |RSA_PKCS1_PADDING|.\nOPENSSL_EXPORT int EVP_PKEY_CTX_set_rsa_padding(EVP_PKEY_CTX *ctx, int padding);\n\n// EVP_PKEY_CTX_get_rsa_padding sets |*out_padding| to the current padding\n// value, which is one of the |RSA_*_PADDING| values. Returns one on success or\n// zero on error.\nOPENSSL_EXPORT int EVP_PKEY_CTX_get_rsa_padding(EVP_PKEY_CTX *ctx,\n int *out_padding);\n\n// EVP_PKEY_CTX_set_rsa_pss_saltlen sets the length of the salt in a PSS-padded\n// signature. A value of -1 cause the salt to be the same length as the digest\n// in the signature. A value of -2 causes the salt to be the maximum length\n// that will fit when signing and recovered from the signature when verifying.\n// Otherwise the value gives the size of the salt in bytes.\n//\n// If unsure, use -1.\n//\n// Returns one on success or zero on error.\n//\n// TODO(davidben): The default is currently -2. Switch it to -1.\nOPENSSL_EXPORT int EVP_PKEY_CTX_set_rsa_pss_saltlen(EVP_PKEY_CTX *ctx,\n int salt_len);\n\n// EVP_PKEY_CTX_get_rsa_pss_saltlen sets |*out_salt_len| to the salt length of\n// a PSS-padded signature. See the documentation for\n// |EVP_PKEY_CTX_set_rsa_pss_saltlen| for details of the special values that it\n// can take.\n//\n// Returns one on success or zero on error.\nOPENSSL_EXPORT int EVP_PKEY_CTX_get_rsa_pss_saltlen(EVP_PKEY_CTX *ctx,\n int *out_salt_len);\n\n// EVP_PKEY_CTX_set_rsa_keygen_bits sets the size of the desired RSA modulus,\n// in bits, for key generation. Returns one on success or zero on\n// error.\nOPENSSL_EXPORT int EVP_PKEY_CTX_set_rsa_keygen_bits(EVP_PKEY_CTX *ctx,\n int bits);\n\n// EVP_PKEY_CTX_set_rsa_keygen_pubexp sets |e| as the public exponent for key\n// generation. Returns one on success or zero on error.\nOPENSSL_EXPORT int EVP_PKEY_CTX_set_rsa_keygen_pubexp(EVP_PKEY_CTX *ctx,\n BIGNUM *e);\n\n// EVP_PKEY_CTX_set_rsa_oaep_md sets |md| as the digest used in OAEP padding.\n// Returns one on success or zero on error. If unset, the default is SHA-1.\n// Callers are recommended to overwrite this default.\n//\n// TODO(davidben): Remove the default and require callers specify this.\nOPENSSL_EXPORT int EVP_PKEY_CTX_set_rsa_oaep_md(EVP_PKEY_CTX *ctx,\n const EVP_MD *md);\n\n// EVP_PKEY_CTX_get_rsa_oaep_md sets |*out_md| to the digest function used in\n// OAEP padding. Returns one on success or zero on error.\nOPENSSL_EXPORT int EVP_PKEY_CTX_get_rsa_oaep_md(EVP_PKEY_CTX *ctx,\n const EVP_MD **out_md);\n\n// EVP_PKEY_CTX_set_rsa_mgf1_md sets |md| as the digest used in MGF1. Returns\n// one on success or zero on error.\n//\n// If unset, the default is the signing hash for |RSA_PKCS1_PSS_PADDING| and the\n// OAEP hash for |RSA_PKCS1_OAEP_PADDING|. Callers are recommended to use this\n// default and not call this function.\nOPENSSL_EXPORT int EVP_PKEY_CTX_set_rsa_mgf1_md(EVP_PKEY_CTX *ctx,\n const EVP_MD *md);\n\n// EVP_PKEY_CTX_get_rsa_mgf1_md sets |*out_md| to the digest function used in\n// MGF1. Returns one on success or zero on error.\nOPENSSL_EXPORT int EVP_PKEY_CTX_get_rsa_mgf1_md(EVP_PKEY_CTX *ctx,\n const EVP_MD **out_md);\n\n// EVP_PKEY_CTX_set0_rsa_oaep_label sets |label_len| bytes from |label| as the\n// label used in OAEP. DANGER: On success, this call takes ownership of |label|\n// and will call |OPENSSL_free| on it when |ctx| is destroyed.\n//\n// Returns one on success or zero on error.\nOPENSSL_EXPORT int EVP_PKEY_CTX_set0_rsa_oaep_label(EVP_PKEY_CTX *ctx,\n uint8_t *label,\n size_t label_len);\n\n// EVP_PKEY_CTX_get0_rsa_oaep_label sets |*out_label| to point to the internal\n// buffer containing the OAEP label (which may be NULL) and returns the length\n// of the label or a negative value on error.\n//\n// WARNING: the return value differs from the usual return value convention.\nOPENSSL_EXPORT int EVP_PKEY_CTX_get0_rsa_oaep_label(EVP_PKEY_CTX *ctx,\n const uint8_t **out_label);\n\n\n// EC specific control functions.\n\n// EVP_PKEY_CTX_set_ec_paramgen_curve_nid sets the curve used for\n// |EVP_PKEY_keygen| or |EVP_PKEY_paramgen| operations to |nid|. It returns one\n// on success and zero on error.\nOPENSSL_EXPORT int EVP_PKEY_CTX_set_ec_paramgen_curve_nid(EVP_PKEY_CTX *ctx,\n int nid);\n\n\n// Diffie-Hellman-specific control functions.\n\n// EVP_PKEY_CTX_set_dh_pad configures configures whether |ctx|, which must be an\n// |EVP_PKEY_derive| operation, configures the handling of leading zeros in the\n// Diffie-Hellman shared secret. If |pad| is zero, leading zeros are removed\n// from the secret. If |pad| is non-zero, the fixed-width shared secret is used\n// unmodified, as in PKCS #3. If this function is not called, the default is to\n// remove leading zeros.\n//\n// WARNING: The behavior when |pad| is zero leaks information about the shared\n// secret. This may result in side channel attacks such as\n// https://raccoon-attack.com/, particularly when the same private key is used\n// for multiple operations.\nOPENSSL_EXPORT int EVP_PKEY_CTX_set_dh_pad(EVP_PKEY_CTX *ctx, int pad);\n\n\n// Deprecated functions.\n\n// EVP_PKEY_RSA2 was historically an alternate form for RSA public keys (OID\n// 2.5.8.1.1), but is no longer accepted.\n#define EVP_PKEY_RSA2 NID_rsa\n\n// EVP_PKEY_X448 is defined for OpenSSL compatibility, but we do not support\n// X448 and attempts to create keys will fail.\n#define EVP_PKEY_X448 NID_X448\n\n// EVP_PKEY_ED448 is defined for OpenSSL compatibility, but we do not support\n// Ed448 and attempts to create keys will fail.\n#define EVP_PKEY_ED448 NID_ED448\n\n// EVP_PKEY_get0 returns NULL. This function is provided for compatibility with\n// OpenSSL but does not return anything. Use the typed |EVP_PKEY_get0_*|\n// functions instead.\nOPENSSL_EXPORT void *EVP_PKEY_get0(const EVP_PKEY *pkey);\n\n// OpenSSL_add_all_algorithms does nothing.\nOPENSSL_EXPORT void OpenSSL_add_all_algorithms(void);\n\n// OPENSSL_add_all_algorithms_conf does nothing.\nOPENSSL_EXPORT void OPENSSL_add_all_algorithms_conf(void);\n\n// OpenSSL_add_all_ciphers does nothing.\nOPENSSL_EXPORT void OpenSSL_add_all_ciphers(void);\n\n// OpenSSL_add_all_digests does nothing.\nOPENSSL_EXPORT void OpenSSL_add_all_digests(void);\n\n// EVP_cleanup does nothing.\nOPENSSL_EXPORT void EVP_cleanup(void);\n\nOPENSSL_EXPORT void EVP_CIPHER_do_all_sorted(\n void (*callback)(const EVP_CIPHER *cipher, const char *name,\n const char *unused, void *arg),\n void *arg);\n\nOPENSSL_EXPORT void EVP_MD_do_all_sorted(void (*callback)(const EVP_MD *cipher,\n const char *name,\n const char *unused,\n void *arg),\n void *arg);\n\nOPENSSL_EXPORT void EVP_MD_do_all(void (*callback)(const EVP_MD *cipher,\n const char *name,\n const char *unused,\n void *arg),\n void *arg);\n\n// i2d_PrivateKey marshals a private key from |key| to type-specific format, as\n// described in |i2d_SAMPLE|.\n//\n// RSA keys are serialized as a DER-encoded RSAPublicKey (RFC 8017) structure.\n// EC keys are serialized as a DER-encoded ECPrivateKey (RFC 5915) structure.\n//\n// Use |RSA_marshal_private_key| or |EC_KEY_marshal_private_key| instead.\nOPENSSL_EXPORT int i2d_PrivateKey(const EVP_PKEY *key, uint8_t **outp);\n\n// i2d_PublicKey marshals a public key from |key| to a type-specific format, as\n// described in |i2d_SAMPLE|.\n//\n// RSA keys are serialized as a DER-encoded RSAPublicKey (RFC 8017) structure.\n// EC keys are serialized as an EC point per SEC 1.\n//\n// Use |RSA_marshal_public_key| or |EC_POINT_point2cbb| instead.\nOPENSSL_EXPORT int i2d_PublicKey(const EVP_PKEY *key, uint8_t **outp);\n\n// d2i_PrivateKey parses a DER-encoded private key from |len| bytes at |*inp|,\n// as described in |d2i_SAMPLE|. The private key must have type |type|,\n// otherwise it will be rejected.\n//\n// This function tries to detect one of several formats. Instead, use\n// |EVP_parse_private_key| for a PrivateKeyInfo, |RSA_parse_private_key| for an\n// RSAPrivateKey, and |EC_parse_private_key| for an ECPrivateKey.\nOPENSSL_EXPORT EVP_PKEY *d2i_PrivateKey(int type, EVP_PKEY **out,\n const uint8_t **inp, long len);\n\n// d2i_AutoPrivateKey acts the same as |d2i_PrivateKey|, but detects the type\n// of the private key.\n//\n// This function tries to detect one of several formats. Instead, use\n// |EVP_parse_private_key| for a PrivateKeyInfo, |RSA_parse_private_key| for an\n// RSAPrivateKey, and |EC_parse_private_key| for an ECPrivateKey.\nOPENSSL_EXPORT EVP_PKEY *d2i_AutoPrivateKey(EVP_PKEY **out, const uint8_t **inp,\n long len);\n\n// d2i_PublicKey parses a public key from |len| bytes at |*inp| in a type-\n// specific format specified by |type|, as described in |d2i_SAMPLE|.\n//\n// The only supported value for |type| is |EVP_PKEY_RSA|, which parses a\n// DER-encoded RSAPublicKey (RFC 8017) structure. Parsing EC keys is not\n// supported by this function.\n//\n// Use |RSA_parse_public_key| instead.\nOPENSSL_EXPORT EVP_PKEY *d2i_PublicKey(int type, EVP_PKEY **out,\n const uint8_t **inp, long len);\n\n// EVP_PKEY_CTX_set_ec_param_enc returns one if |encoding| is\n// |OPENSSL_EC_NAMED_CURVE| or zero with an error otherwise.\nOPENSSL_EXPORT int EVP_PKEY_CTX_set_ec_param_enc(EVP_PKEY_CTX *ctx,\n int encoding);\n\n// EVP_PKEY_set1_tls_encodedpoint replaces |pkey| with a public key encoded by\n// |in|. It returns one on success and zero on error.\n//\n// If |pkey| is an EC key, the format is an X9.62 point and |pkey| must already\n// have an EC group configured. If it is an X25519 key, it is the 32-byte X25519\n// public key representation. This function is not supported for other key types\n// and will fail.\nOPENSSL_EXPORT int EVP_PKEY_set1_tls_encodedpoint(EVP_PKEY *pkey,\n const uint8_t *in,\n size_t len);\n\n// EVP_PKEY_get1_tls_encodedpoint sets |*out_ptr| to a newly-allocated buffer\n// containing the raw encoded public key for |pkey|. The caller must call\n// |OPENSSL_free| to release this buffer. The function returns the length of the\n// buffer on success and zero on error.\n//\n// If |pkey| is an EC key, the format is an X9.62 point with uncompressed\n// coordinates. If it is an X25519 key, it is the 32-byte X25519 public key\n// representation. This function is not supported for other key types and will\n// fail.\nOPENSSL_EXPORT size_t EVP_PKEY_get1_tls_encodedpoint(const EVP_PKEY *pkey,\n uint8_t **out_ptr);\n\n// EVP_PKEY_base_id calls |EVP_PKEY_id|.\nOPENSSL_EXPORT int EVP_PKEY_base_id(const EVP_PKEY *pkey);\n\n// EVP_PKEY_CTX_set_rsa_pss_keygen_md returns 0.\nOPENSSL_EXPORT int EVP_PKEY_CTX_set_rsa_pss_keygen_md(EVP_PKEY_CTX *ctx,\n const EVP_MD *md);\n\n// EVP_PKEY_CTX_set_rsa_pss_keygen_saltlen returns 0.\nOPENSSL_EXPORT int EVP_PKEY_CTX_set_rsa_pss_keygen_saltlen(EVP_PKEY_CTX *ctx,\n int salt_len);\n\n// EVP_PKEY_CTX_set_rsa_pss_keygen_mgf1_md returns 0.\nOPENSSL_EXPORT int EVP_PKEY_CTX_set_rsa_pss_keygen_mgf1_md(EVP_PKEY_CTX *ctx,\n const EVP_MD *md);\n\n// i2d_PUBKEY marshals |pkey| as a DER-encoded SubjectPublicKeyInfo, as\n// described in |i2d_SAMPLE|.\n//\n// Use |EVP_marshal_public_key| instead.\nOPENSSL_EXPORT int i2d_PUBKEY(const EVP_PKEY *pkey, uint8_t **outp);\n\n// d2i_PUBKEY parses a DER-encoded SubjectPublicKeyInfo from |len| bytes at\n// |*inp|, as described in |d2i_SAMPLE|.\n//\n// Use |EVP_parse_public_key| instead.\nOPENSSL_EXPORT EVP_PKEY *d2i_PUBKEY(EVP_PKEY **out, const uint8_t **inp,\n long len);\n\n// i2d_RSA_PUBKEY marshals |rsa| as a DER-encoded SubjectPublicKeyInfo\n// structure, as described in |i2d_SAMPLE|.\n//\n// Use |EVP_marshal_public_key| instead.\nOPENSSL_EXPORT int i2d_RSA_PUBKEY(const RSA *rsa, uint8_t **outp);\n\n// d2i_RSA_PUBKEY parses an RSA public key as a DER-encoded SubjectPublicKeyInfo\n// from |len| bytes at |*inp|, as described in |d2i_SAMPLE|.\n// SubjectPublicKeyInfo structures containing other key types are rejected.\n//\n// Use |EVP_parse_public_key| instead.\nOPENSSL_EXPORT RSA *d2i_RSA_PUBKEY(RSA **out, const uint8_t **inp, long len);\n\n// i2d_DSA_PUBKEY marshals |dsa| as a DER-encoded SubjectPublicKeyInfo, as\n// described in |i2d_SAMPLE|.\n//\n// Use |EVP_marshal_public_key| instead.\nOPENSSL_EXPORT int i2d_DSA_PUBKEY(const DSA *dsa, uint8_t **outp);\n\n// d2i_DSA_PUBKEY parses a DSA public key as a DER-encoded SubjectPublicKeyInfo\n// from |len| bytes at |*inp|, as described in |d2i_SAMPLE|.\n// SubjectPublicKeyInfo structures containing other key types are rejected.\n//\n// Use |EVP_parse_public_key| instead.\nOPENSSL_EXPORT DSA *d2i_DSA_PUBKEY(DSA **out, const uint8_t **inp, long len);\n\n// i2d_EC_PUBKEY marshals |ec_key| as a DER-encoded SubjectPublicKeyInfo, as\n// described in |i2d_SAMPLE|.\n//\n// Use |EVP_marshal_public_key| instead.\nOPENSSL_EXPORT int i2d_EC_PUBKEY(const EC_KEY *ec_key, uint8_t **outp);\n\n// d2i_EC_PUBKEY parses an EC public key as a DER-encoded SubjectPublicKeyInfo\n// from |len| bytes at |*inp|, as described in |d2i_SAMPLE|.\n// SubjectPublicKeyInfo structures containing other key types are rejected.\n//\n// Use |EVP_parse_public_key| instead.\nOPENSSL_EXPORT EC_KEY *d2i_EC_PUBKEY(EC_KEY **out, const uint8_t **inp,\n long len);\n\n// EVP_PKEY_CTX_set_dsa_paramgen_bits returns zero.\nOPENSSL_EXPORT int EVP_PKEY_CTX_set_dsa_paramgen_bits(EVP_PKEY_CTX *ctx,\n int nbits);\n\n// EVP_PKEY_CTX_set_dsa_paramgen_q_bits returns zero.\nOPENSSL_EXPORT int EVP_PKEY_CTX_set_dsa_paramgen_q_bits(EVP_PKEY_CTX *ctx,\n int qbits);\n\n// EVP_PKEY_assign sets the underlying key of |pkey| to |key|, which must be of\n// the given type. If successful, it returns one. If the |type| argument\n// is not one of |EVP_PKEY_RSA|, |EVP_PKEY_DSA|, or |EVP_PKEY_EC| values or if\n// |key| is NULL, it returns zero. This function may not be used with other\n// |EVP_PKEY_*| types.\n//\n// Use the |EVP_PKEY_assign_*| functions instead.\nOPENSSL_EXPORT int EVP_PKEY_assign(EVP_PKEY *pkey, int type, void *key);\n\n// EVP_PKEY_type returns |nid|.\nOPENSSL_EXPORT int EVP_PKEY_type(int nid);\n\n\n// Preprocessor compatibility section (hidden).\n//\n// Historically, a number of APIs were implemented in OpenSSL as macros and\n// constants to 'ctrl' functions. To avoid breaking #ifdefs in consumers, this\n// section defines a number of legacy macros.\n\n// |BORINGSSL_PREFIX| already makes each of these symbols into macros, so there\n// is no need to define conflicting macros.\n#if !defined(BORINGSSL_PREFIX)\n#define EVP_PKEY_CTX_set_rsa_oaep_md EVP_PKEY_CTX_set_rsa_oaep_md\n#define EVP_PKEY_CTX_set0_rsa_oaep_label EVP_PKEY_CTX_set0_rsa_oaep_label\n#endif\n\n\n// Nodejs compatibility section (hidden).\n//\n// These defines exist for node.js, with the hope that we can eliminate the\n// need for them over time.\n\n#define EVPerr(function, reason) \\\n ERR_put_error(ERR_LIB_EVP, 0, reason, __FILE__, __LINE__)\n\n\n#if defined(__cplusplus)\n} // extern C\n\nextern \"C++\" {\nBSSL_NAMESPACE_BEGIN\n\nBORINGSSL_MAKE_DELETER(EVP_PKEY, EVP_PKEY_free)\nBORINGSSL_MAKE_UP_REF(EVP_PKEY, EVP_PKEY_up_ref)\nBORINGSSL_MAKE_DELETER(EVP_PKEY_CTX, EVP_PKEY_CTX_free)\n\nBSSL_NAMESPACE_END\n\n} // extern C++\n\n#endif\n\n#endif // OPENSSL_HEADER_EVP_H\n" }, { "path": "Sources/CNIOBoringSSL/include/CNIOBoringSSL_evp_errors.h", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#ifndef OPENSSL_HEADER_EVP_ERRORS_H\n#define OPENSSL_HEADER_EVP_ERRORS_H\n\n#define EVP_R_BUFFER_TOO_SMALL 100\n#define EVP_R_COMMAND_NOT_SUPPORTED 101\n#define EVP_R_DECODE_ERROR 102\n#define EVP_R_DIFFERENT_KEY_TYPES 103\n#define EVP_R_DIFFERENT_PARAMETERS 104\n#define EVP_R_ENCODE_ERROR 105\n#define EVP_R_EXPECTING_AN_EC_KEY_KEY 106\n#define EVP_R_EXPECTING_AN_RSA_KEY 107\n#define EVP_R_EXPECTING_A_DSA_KEY 108\n#define EVP_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE 109\n#define EVP_R_INVALID_DIGEST_LENGTH 110\n#define EVP_R_INVALID_DIGEST_TYPE 111\n#define EVP_R_INVALID_KEYBITS 112\n#define EVP_R_INVALID_MGF1_MD 113\n#define EVP_R_INVALID_OPERATION 114\n#define EVP_R_INVALID_PADDING_MODE 115\n#define EVP_R_INVALID_PSS_SALTLEN 116\n#define EVP_R_KEYS_NOT_SET 117\n#define EVP_R_MISSING_PARAMETERS 118\n#define EVP_R_NO_DEFAULT_DIGEST 119\n#define EVP_R_NO_KEY_SET 120\n#define EVP_R_NO_MDC2_SUPPORT 121\n#define EVP_R_NO_NID_FOR_CURVE 122\n#define EVP_R_NO_OPERATION_SET 123\n#define EVP_R_NO_PARAMETERS_SET 124\n#define EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE 125\n#define EVP_R_OPERATON_NOT_INITIALIZED 126\n#define EVP_R_UNKNOWN_PUBLIC_KEY_TYPE 127\n#define EVP_R_UNSUPPORTED_ALGORITHM 128\n#define EVP_R_UNSUPPORTED_PUBLIC_KEY_TYPE 129\n#define EVP_R_NOT_A_PRIVATE_KEY 130\n#define EVP_R_INVALID_SIGNATURE 131\n#define EVP_R_MEMORY_LIMIT_EXCEEDED 132\n#define EVP_R_INVALID_PARAMETERS 133\n#define EVP_R_INVALID_PEER_KEY 134\n#define EVP_R_NOT_XOF_OR_INVALID_LENGTH 135\n#define EVP_R_EMPTY_PSK 136\n#define EVP_R_INVALID_BUFFER_SIZE 137\n#define EVP_R_EXPECTING_A_DH_KEY 138\n\n#endif // OPENSSL_HEADER_EVP_ERRORS_H\n" }, { "path": "Sources/CNIOBoringSSL/include/CNIOBoringSSL_ex_data.h", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#ifndef OPENSSL_HEADER_EX_DATA_H\n#define OPENSSL_HEADER_EX_DATA_H\n\n#include \"CNIOBoringSSL_base.h\"\n\n#include \"CNIOBoringSSL_stack.h\"\n\n#if defined(__cplusplus)\nextern \"C\" {\n#endif\n\n\n// ex_data is a mechanism for associating arbitrary extra data with objects.\n// For each type of object that supports ex_data, different users can be\n// assigned indexes in which to store their data. Each index has callback\n// functions that are called when an object of that type is freed or\n// duplicated.\n\n\ntypedef struct crypto_ex_data_st CRYPTO_EX_DATA;\n\n\n// Type-specific functions.\n\n#if 0 // Sample\n\n// Each type that supports ex_data provides three functions:\n\n// TYPE_get_ex_new_index allocates a new index for |TYPE|. An optional\n// |free_func| argument may be provided which is called when the owning object\n// is destroyed. See |CRYPTO_EX_free| for details. The |argl| and |argp|\n// arguments are opaque values that are passed to the callback. It returns the\n// new index or a negative number on error.\nOPENSSL_EXPORT int TYPE_get_ex_new_index(long argl, void *argp,\n CRYPTO_EX_unused *unused,\n CRYPTO_EX_dup *dup_unused,\n CRYPTO_EX_free *free_func);\n\n// TYPE_set_ex_data sets an extra data pointer on |t|. The |index| argument\n// must have been returned from a previous call to |TYPE_get_ex_new_index|.\nOPENSSL_EXPORT int TYPE_set_ex_data(TYPE *t, int index, void *arg);\n\n// TYPE_get_ex_data returns an extra data pointer for |t|, or NULL if no such\n// pointer exists. The |index| argument should have been returned from a\n// previous call to |TYPE_get_ex_new_index|.\nOPENSSL_EXPORT void *TYPE_get_ex_data(const TYPE *t, int index);\n\n// Some types additionally preallocate index zero, with all callbacks set to\n// NULL. Applications that do not need the general ex_data machinery may use\n// this instead.\n\n// TYPE_set_app_data sets |t|'s application data pointer to |arg|. It returns\n// one on success and zero on error.\nOPENSSL_EXPORT int TYPE_set_app_data(TYPE *t, void *arg);\n\n// TYPE_get_app_data returns the application data pointer for |t|, or NULL if no\n// such pointer exists.\nOPENSSL_EXPORT void *TYPE_get_app_data(const TYPE *t);\n\n#endif // Sample\n\n\n// Callback types.\n\n// CRYPTO_EX_free is a callback function that is called when an object of the\n// class with extra data pointers is being destroyed. For example, if this\n// callback has been passed to |SSL_get_ex_new_index| then it may be called each\n// time an |SSL*| is destroyed.\n//\n// The callback is passed the to-be-destroyed object (i.e. the |SSL*|) in\n// |parent|. As |parent| will shortly be destroyed, callers must not perform\n// operations that would increment its reference count, pass ownership, or\n// assume the object outlives the function call. The arguments |argl| and |argp|\n// contain opaque values that were given to |CRYPTO_get_ex_new_index_ex|.\n//\n// This callback may be called with a NULL value for |ptr| if |parent| has no\n// value set for this index. However, the callbacks may also be skipped entirely\n// if no extra data pointers are set on |parent| at all.\ntypedef void CRYPTO_EX_free(void *parent, void *ptr, CRYPTO_EX_DATA *ad,\n int index, long argl, void *argp);\n\n\n// Deprecated functions.\n\n// CRYPTO_cleanup_all_ex_data does nothing.\nOPENSSL_EXPORT void CRYPTO_cleanup_all_ex_data(void);\n\n// CRYPTO_EX_dup is a legacy callback function type which is ignored.\ntypedef int CRYPTO_EX_dup(CRYPTO_EX_DATA *to, const CRYPTO_EX_DATA *from,\n void **from_d, int index, long argl, void *argp);\n\n\n// Private structures.\n\n// CRYPTO_EX_unused is a placeholder for an unused callback. It is aliased to\n// int to ensure non-NULL callers fail to compile rather than fail silently.\ntypedef int CRYPTO_EX_unused;\n\nstruct crypto_ex_data_st {\n STACK_OF(void) *sk;\n};\n\n\n#if defined(__cplusplus)\n} // extern C\n#endif\n\n#endif // OPENSSL_HEADER_EX_DATA_H\n" }, { "path": "Sources/CNIOBoringSSL/include/CNIOBoringSSL_hkdf.h", "content": "/* Copyright 2014 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n#ifndef OPENSSL_HEADER_HKDF_H\n#define OPENSSL_HEADER_HKDF_H\n\n#include \"CNIOBoringSSL_base.h\"\n\n#if defined(__cplusplus)\nextern \"C\" {\n#endif\n\n\n// HKDF.\n\n\n// HKDF computes HKDF (as specified by RFC 5869) of initial keying material\n// |secret| with |salt| and |info| using |digest|, and outputs |out_len| bytes\n// to |out_key|. It returns one on success and zero on error.\n//\n// HKDF is an Extract-and-Expand algorithm. It does not do any key stretching,\n// and as such, is not suited to be used alone to generate a key from a\n// password.\nOPENSSL_EXPORT int HKDF(uint8_t *out_key, size_t out_len, const EVP_MD *digest,\n const uint8_t *secret, size_t secret_len,\n const uint8_t *salt, size_t salt_len,\n const uint8_t *info, size_t info_len);\n\n// HKDF_extract computes a HKDF PRK (as specified by RFC 5869) from initial\n// keying material |secret| and salt |salt| using |digest|, and outputs\n// |out_len| bytes to |out_key|. The maximum output size is |EVP_MAX_MD_SIZE|.\n// It returns one on success and zero on error.\n//\n// WARNING: This function orders the inputs differently from RFC 5869\n// specification. Double-check which parameter is the secret/IKM and which is\n// the salt when using.\nOPENSSL_EXPORT int HKDF_extract(uint8_t *out_key, size_t *out_len,\n const EVP_MD *digest, const uint8_t *secret,\n size_t secret_len, const uint8_t *salt,\n size_t salt_len);\n\n// HKDF_expand computes a HKDF OKM (as specified by RFC 5869) of length\n// |out_len| from the PRK |prk| and info |info| using |digest|, and outputs\n// the result to |out_key|. It returns one on success and zero on error.\nOPENSSL_EXPORT int HKDF_expand(uint8_t *out_key, size_t out_len,\n const EVP_MD *digest, const uint8_t *prk,\n size_t prk_len, const uint8_t *info,\n size_t info_len);\n\n\n#if defined(__cplusplus)\n} // extern C\n#endif\n\n#define HKDF_R_OUTPUT_TOO_LARGE 100\n\n#endif // OPENSSL_HEADER_HKDF_H\n" }, { "path": "Sources/CNIOBoringSSL/include/CNIOBoringSSL_hmac.h", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#ifndef OPENSSL_HEADER_HMAC_H\n#define OPENSSL_HEADER_HMAC_H\n\n#include \"CNIOBoringSSL_base.h\"\n\n#include \"CNIOBoringSSL_digest.h\"\n\n#if defined(__cplusplus)\nextern \"C\" {\n#endif\n\n\n// HMAC contains functions for constructing PRFs from Merkle–Damgård hash\n// functions using HMAC.\n\n\n// One-shot operation.\n\n// HMAC calculates the HMAC of |data_len| bytes of |data|, using the given key\n// and hash function, and writes the result to |out|. On entry, |out| must\n// contain at least |EVP_MD_size| bytes of space. The actual length of the\n// result is written to |*out_len|. An output size of |EVP_MAX_MD_SIZE| will\n// always be large enough. It returns |out| or NULL on error.\nOPENSSL_EXPORT uint8_t *HMAC(const EVP_MD *evp_md, const void *key,\n size_t key_len, const uint8_t *data,\n size_t data_len, uint8_t *out,\n unsigned int *out_len);\n\n\n// Incremental operation.\n\n// HMAC_CTX_init initialises |ctx| for use in an HMAC operation. It's assumed\n// that HMAC_CTX objects will be allocated on the stack thus no allocation\n// function is provided.\nOPENSSL_EXPORT void HMAC_CTX_init(HMAC_CTX *ctx);\n\n// HMAC_CTX_new allocates and initialises a new |HMAC_CTX| and returns it, or\n// NULL on allocation failure. The caller must use |HMAC_CTX_free| to release\n// the resulting object.\nOPENSSL_EXPORT HMAC_CTX *HMAC_CTX_new(void);\n\n// HMAC_CTX_cleanup frees data owned by |ctx|. It does not free |ctx| itself.\nOPENSSL_EXPORT void HMAC_CTX_cleanup(HMAC_CTX *ctx);\n\n// HMAC_CTX_cleanse zeros the digest state from |ctx| and then performs the\n// actions of |HMAC_CTX_cleanup|.\nOPENSSL_EXPORT void HMAC_CTX_cleanse(HMAC_CTX *ctx);\n\n// HMAC_CTX_free calls |HMAC_CTX_cleanup| and then frees |ctx| itself.\nOPENSSL_EXPORT void HMAC_CTX_free(HMAC_CTX *ctx);\n\n// HMAC_Init_ex sets up an initialised |HMAC_CTX| to use |md| as the hash\n// function and |key| as the key. For a non-initial call, |md| may be NULL, in\n// which case the previous hash function will be used. If the hash function has\n// not changed and |key| is NULL, |ctx| reuses the previous key. It returns one\n// on success or zero on allocation failure.\n//\n// WARNING: NULL and empty keys are ambiguous on non-initial calls. Passing NULL\n// |key| but repeating the previous |md| reuses the previous key rather than the\n// empty key.\nOPENSSL_EXPORT int HMAC_Init_ex(HMAC_CTX *ctx, const void *key, size_t key_len,\n const EVP_MD *md, ENGINE *impl);\n\n// HMAC_Update hashes |data_len| bytes from |data| into the current HMAC\n// operation in |ctx|. It returns one.\nOPENSSL_EXPORT int HMAC_Update(HMAC_CTX *ctx, const uint8_t *data,\n size_t data_len);\n\n// HMAC_Final completes the HMAC operation in |ctx| and writes the result to\n// |out| and the sets |*out_len| to the length of the result. On entry, |out|\n// must contain at least |HMAC_size| bytes of space. An output size of\n// |EVP_MAX_MD_SIZE| will always be large enough. It returns one on success or\n// zero on allocation failure.\nOPENSSL_EXPORT int HMAC_Final(HMAC_CTX *ctx, uint8_t *out,\n unsigned int *out_len);\n\n\n// Utility functions.\n\n// HMAC_size returns the size, in bytes, of the HMAC that will be produced by\n// |ctx|. On entry, |ctx| must have been setup with |HMAC_Init_ex|.\nOPENSSL_EXPORT size_t HMAC_size(const HMAC_CTX *ctx);\n\n// HMAC_CTX_get_md returns |ctx|'s hash function.\nOPENSSL_EXPORT const EVP_MD *HMAC_CTX_get_md(const HMAC_CTX *ctx);\n\n// HMAC_CTX_copy_ex sets |dest| equal to |src|. On entry, |dest| must have been\n// initialised by calling |HMAC_CTX_init|. It returns one on success and zero\n// on error.\nOPENSSL_EXPORT int HMAC_CTX_copy_ex(HMAC_CTX *dest, const HMAC_CTX *src);\n\n// HMAC_CTX_reset calls |HMAC_CTX_cleanup| followed by |HMAC_CTX_init|.\nOPENSSL_EXPORT void HMAC_CTX_reset(HMAC_CTX *ctx);\n\n\n// Deprecated functions.\n\nOPENSSL_EXPORT int HMAC_Init(HMAC_CTX *ctx, const void *key, int key_len,\n const EVP_MD *md);\n\n// HMAC_CTX_copy calls |HMAC_CTX_init| on |dest| and then sets it equal to\n// |src|. On entry, |dest| must /not/ be initialised for an operation with\n// |HMAC_Init_ex|. It returns one on success and zero on error.\nOPENSSL_EXPORT int HMAC_CTX_copy(HMAC_CTX *dest, const HMAC_CTX *src);\n\n\n// Private functions\n\nstruct hmac_ctx_st {\n const EVP_MD *md;\n EVP_MD_CTX md_ctx;\n EVP_MD_CTX i_ctx;\n EVP_MD_CTX o_ctx;\n} /* HMAC_CTX */;\n\n\n#if defined(__cplusplus)\n} // extern C\n\n#if !defined(BORINGSSL_NO_CXX)\nextern \"C++\" {\n\nBSSL_NAMESPACE_BEGIN\n\nBORINGSSL_MAKE_DELETER(HMAC_CTX, HMAC_CTX_free)\n\nusing ScopedHMAC_CTX =\n internal::StackAllocated;\n\nBSSL_NAMESPACE_END\n\n} // extern C++\n#endif\n\n#endif\n\n#endif // OPENSSL_HEADER_HMAC_H\n" }, { "path": "Sources/CNIOBoringSSL/include/CNIOBoringSSL_hpke.h", "content": "/* Copyright 2020 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n#ifndef OPENSSL_HEADER_CRYPTO_HPKE_INTERNAL_H\n#define OPENSSL_HEADER_CRYPTO_HPKE_INTERNAL_H\n\n#include \"CNIOBoringSSL_aead.h\"\n#include \"CNIOBoringSSL_base.h\"\n#include \"CNIOBoringSSL_curve25519.h\"\n#include \"CNIOBoringSSL_digest.h\"\n\n#if defined(__cplusplus)\nextern \"C\" {\n#endif\n\n\n// Hybrid Public Key Encryption.\n//\n// Hybrid Public Key Encryption (HPKE) enables a sender to encrypt messages to a\n// receiver with a public key.\n//\n// See RFC 9180.\n\n\n// Parameters.\n//\n// An HPKE context is parameterized by KEM, KDF, and AEAD algorithms,\n// represented by |EVP_HPKE_KEM|, |EVP_HPKE_KDF|, and |EVP_HPKE_AEAD| types,\n// respectively.\n\n// The following constants are KEM identifiers.\n#define EVP_HPKE_DHKEM_P256_HKDF_SHA256 0x0010\n#define EVP_HPKE_DHKEM_X25519_HKDF_SHA256 0x0020\n\n// The following functions are KEM algorithms which may be used with HPKE. Note\n// that, while some HPKE KEMs use KDFs internally, this is separate from the\n// |EVP_HPKE_KDF| selection.\nOPENSSL_EXPORT const EVP_HPKE_KEM *EVP_hpke_x25519_hkdf_sha256(void);\nOPENSSL_EXPORT const EVP_HPKE_KEM *EVP_hpke_p256_hkdf_sha256(void);\n\n// EVP_HPKE_KEM_id returns the HPKE KEM identifier for |kem|, which\n// will be one of the |EVP_HPKE_KEM_*| constants.\nOPENSSL_EXPORT uint16_t EVP_HPKE_KEM_id(const EVP_HPKE_KEM *kem);\n\n// EVP_HPKE_MAX_PUBLIC_KEY_LENGTH is the maximum length of an encoded public key\n// for all KEMs currently supported by this library.\n#define EVP_HPKE_MAX_PUBLIC_KEY_LENGTH 65\n\n// EVP_HPKE_KEM_public_key_len returns the length of a public key for |kem|.\n// This value will be at most |EVP_HPKE_MAX_PUBLIC_KEY_LENGTH|.\nOPENSSL_EXPORT size_t EVP_HPKE_KEM_public_key_len(const EVP_HPKE_KEM *kem);\n\n// EVP_HPKE_MAX_PRIVATE_KEY_LENGTH is the maximum length of an encoded private\n// key for all KEMs currently supported by this library.\n#define EVP_HPKE_MAX_PRIVATE_KEY_LENGTH 32\n\n// EVP_HPKE_KEM_private_key_len returns the length of a private key for |kem|.\n// This value will be at most |EVP_HPKE_MAX_PRIVATE_KEY_LENGTH|.\nOPENSSL_EXPORT size_t EVP_HPKE_KEM_private_key_len(const EVP_HPKE_KEM *kem);\n\n// EVP_HPKE_MAX_ENC_LENGTH is the maximum length of \"enc\", the encapsulated\n// shared secret, for all KEMs currently supported by this library.\n#define EVP_HPKE_MAX_ENC_LENGTH 65\n\n// EVP_HPKE_KEM_enc_len returns the length of the \"enc\", the encapsulated shared\n// secret, for |kem|. This value will be at most |EVP_HPKE_MAX_ENC_LENGTH|.\nOPENSSL_EXPORT size_t EVP_HPKE_KEM_enc_len(const EVP_HPKE_KEM *kem);\n\n// The following constants are KDF identifiers.\n#define EVP_HPKE_HKDF_SHA256 0x0001\n\n// The following functions are KDF algorithms which may be used with HPKE.\nOPENSSL_EXPORT const EVP_HPKE_KDF *EVP_hpke_hkdf_sha256(void);\n\n// EVP_HPKE_KDF_id returns the HPKE KDF identifier for |kdf|.\nOPENSSL_EXPORT uint16_t EVP_HPKE_KDF_id(const EVP_HPKE_KDF *kdf);\n\n// EVP_HPKE_KDF_hkdf_md returns the HKDF hash function corresponding to |kdf|,\n// or NULL if |kdf| is not an HKDF-based KDF. All currently supported KDFs are\n// HKDF-based.\nOPENSSL_EXPORT const EVP_MD *EVP_HPKE_KDF_hkdf_md(const EVP_HPKE_KDF *kdf);\n\n// The following constants are AEAD identifiers.\n#define EVP_HPKE_AES_128_GCM 0x0001\n#define EVP_HPKE_AES_256_GCM 0x0002\n#define EVP_HPKE_CHACHA20_POLY1305 0x0003\n\n// The following functions are AEAD algorithms which may be used with HPKE.\nOPENSSL_EXPORT const EVP_HPKE_AEAD *EVP_hpke_aes_128_gcm(void);\nOPENSSL_EXPORT const EVP_HPKE_AEAD *EVP_hpke_aes_256_gcm(void);\nOPENSSL_EXPORT const EVP_HPKE_AEAD *EVP_hpke_chacha20_poly1305(void);\n\n// EVP_HPKE_AEAD_id returns the HPKE AEAD identifier for |aead|.\nOPENSSL_EXPORT uint16_t EVP_HPKE_AEAD_id(const EVP_HPKE_AEAD *aead);\n\n// EVP_HPKE_AEAD_aead returns the |EVP_AEAD| corresponding to |aead|.\nOPENSSL_EXPORT const EVP_AEAD *EVP_HPKE_AEAD_aead(const EVP_HPKE_AEAD *aead);\n\n\n// Recipient keys.\n//\n// An HPKE recipient maintains a long-term KEM key. This library represents keys\n// with the |EVP_HPKE_KEY| type.\n\n// EVP_HPKE_KEY_zero sets an uninitialized |EVP_HPKE_KEY| to the zero state. The\n// caller should then use |EVP_HPKE_KEY_init|, |EVP_HPKE_KEY_copy|, or\n// |EVP_HPKE_KEY_generate| to finish initializing |key|.\n//\n// It is safe, but not necessary to call |EVP_HPKE_KEY_cleanup| in this state.\n// This may be used for more uniform cleanup of |EVP_HPKE_KEY|.\nOPENSSL_EXPORT void EVP_HPKE_KEY_zero(EVP_HPKE_KEY *key);\n\n// EVP_HPKE_KEY_cleanup releases memory referenced by |key|.\nOPENSSL_EXPORT void EVP_HPKE_KEY_cleanup(EVP_HPKE_KEY *key);\n\n// EVP_HPKE_KEY_new returns a newly-allocated |EVP_HPKE_KEY|, or NULL on error.\n// The caller must call |EVP_HPKE_KEY_free| on the result to release it.\n//\n// This is a convenience function for callers that need a heap-allocated\n// |EVP_HPKE_KEY|.\nOPENSSL_EXPORT EVP_HPKE_KEY *EVP_HPKE_KEY_new(void);\n\n// EVP_HPKE_KEY_free releases memory associated with |key|, which must have been\n// created with |EVP_HPKE_KEY_new|.\nOPENSSL_EXPORT void EVP_HPKE_KEY_free(EVP_HPKE_KEY *key);\n\n// EVP_HPKE_KEY_copy sets |dst| to a copy of |src|. It returns one on success\n// and zero on error. On success, the caller must call |EVP_HPKE_KEY_cleanup| to\n// release |dst|. On failure, calling |EVP_HPKE_KEY_cleanup| is safe, but not\n// necessary.\nOPENSSL_EXPORT int EVP_HPKE_KEY_copy(EVP_HPKE_KEY *dst,\n const EVP_HPKE_KEY *src);\n\n// EVP_HPKE_KEY_move sets |out|, which must be initialized or in the zero state,\n// to the key in |in|. |in| is mutated and left in the zero state.\nOPENSSL_EXPORT void EVP_HPKE_KEY_move(EVP_HPKE_KEY *out, EVP_HPKE_KEY *in);\n\n// EVP_HPKE_KEY_init decodes |priv_key| as a private key for |kem| and\n// initializes |key| with the result. It returns one on success and zero if\n// |priv_key| was invalid. On success, the caller must call\n// |EVP_HPKE_KEY_cleanup| to release the key. On failure, calling\n// |EVP_HPKE_KEY_cleanup| is safe, but not necessary.\nOPENSSL_EXPORT int EVP_HPKE_KEY_init(EVP_HPKE_KEY *key, const EVP_HPKE_KEM *kem,\n const uint8_t *priv_key,\n size_t priv_key_len);\n\n// EVP_HPKE_KEY_generate sets |key| to a newly-generated key using |kem|.\nOPENSSL_EXPORT int EVP_HPKE_KEY_generate(EVP_HPKE_KEY *key,\n const EVP_HPKE_KEM *kem);\n\n// EVP_HPKE_KEY_kem returns the HPKE KEM used by |key|.\nOPENSSL_EXPORT const EVP_HPKE_KEM *EVP_HPKE_KEY_kem(const EVP_HPKE_KEY *key);\n\n// EVP_HPKE_KEY_public_key writes |key|'s public key to |out| and sets\n// |*out_len| to the number of bytes written. On success, it returns one and\n// writes at most |max_out| bytes. If |max_out| is too small, it returns zero.\n// Setting |max_out| to |EVP_HPKE_MAX_PUBLIC_KEY_LENGTH| will ensure the public\n// key fits. An exact size can also be determined by\n// |EVP_HPKE_KEM_public_key_len|.\nOPENSSL_EXPORT int EVP_HPKE_KEY_public_key(const EVP_HPKE_KEY *key,\n uint8_t *out, size_t *out_len,\n size_t max_out);\n\n// EVP_HPKE_KEY_private_key writes |key|'s private key to |out| and sets\n// |*out_len| to the number of bytes written. On success, it returns one and\n// writes at most |max_out| bytes. If |max_out| is too small, it returns zero.\n// Setting |max_out| to |EVP_HPKE_MAX_PRIVATE_KEY_LENGTH| will ensure the\n// private key fits. An exact size can also be determined by\n// |EVP_HPKE_KEM_private_key_len|.\nOPENSSL_EXPORT int EVP_HPKE_KEY_private_key(const EVP_HPKE_KEY *key,\n uint8_t *out, size_t *out_len,\n size_t max_out);\n\n\n// Encryption contexts.\n//\n// An HPKE encryption context is represented by the |EVP_HPKE_CTX| type.\n\n// EVP_HPKE_CTX_zero sets an uninitialized |EVP_HPKE_CTX| to the zero state. The\n// caller should then use one of the |EVP_HPKE_CTX_setup_*| functions to finish\n// setting up |ctx|.\n//\n// It is safe, but not necessary to call |EVP_HPKE_CTX_cleanup| in this state.\n// This may be used for more uniform cleanup of |EVP_HPKE_CTX|.\nOPENSSL_EXPORT void EVP_HPKE_CTX_zero(EVP_HPKE_CTX *ctx);\n\n// EVP_HPKE_CTX_cleanup releases memory referenced by |ctx|. |ctx| must have\n// been initialized with |EVP_HPKE_CTX_zero| or one of the\n// |EVP_HPKE_CTX_setup_*| functions.\nOPENSSL_EXPORT void EVP_HPKE_CTX_cleanup(EVP_HPKE_CTX *ctx);\n\n// EVP_HPKE_CTX_new returns a newly-allocated |EVP_HPKE_CTX|, or NULL on error.\n// The caller must call |EVP_HPKE_CTX_free| on the result to release it.\n//\n// This is a convenience function for callers that need a heap-allocated\n// |EVP_HPKE_CTX|.\nOPENSSL_EXPORT EVP_HPKE_CTX *EVP_HPKE_CTX_new(void);\n\n// EVP_HPKE_CTX_free releases memory associated with |ctx|, which must have been\n// created with |EVP_HPKE_CTX_new|.\nOPENSSL_EXPORT void EVP_HPKE_CTX_free(EVP_HPKE_CTX *ctx);\n\n// EVP_HPKE_CTX_setup_sender implements the SetupBaseS HPKE operation. It\n// encapsulates a shared secret for |peer_public_key| and sets up |ctx| as a\n// sender context. It writes the encapsulated shared secret to |out_enc| and\n// sets |*out_enc_len| to the number of bytes written. It writes at most\n// |max_enc| bytes and fails if the buffer is too small. Setting |max_enc| to at\n// least |EVP_HPKE_MAX_ENC_LENGTH| will ensure the buffer is large enough. An\n// exact size may also be determined by |EVP_PKEY_KEM_enc_len|.\n//\n// This function returns one on success and zero on error. Note that\n// |peer_public_key| may be invalid, in which case this function will return an\n// error.\n//\n// On success, callers may call |EVP_HPKE_CTX_seal| to encrypt messages for the\n// recipient. Callers must then call |EVP_HPKE_CTX_cleanup| when done. On\n// failure, calling |EVP_HPKE_CTX_cleanup| is safe, but not required.\nOPENSSL_EXPORT int EVP_HPKE_CTX_setup_sender(\n EVP_HPKE_CTX *ctx, uint8_t *out_enc, size_t *out_enc_len, size_t max_enc,\n const EVP_HPKE_KEM *kem, const EVP_HPKE_KDF *kdf, const EVP_HPKE_AEAD *aead,\n const uint8_t *peer_public_key, size_t peer_public_key_len,\n const uint8_t *info, size_t info_len);\n\n// EVP_HPKE_CTX_setup_sender_with_seed_for_testing behaves like\n// |EVP_HPKE_CTX_setup_sender|, but takes a seed to behave deterministically.\n// The seed's format depends on |kem|. For X25519, it is the sender's\n// ephemeral private key. For P256, it's an HKDF input.\nOPENSSL_EXPORT int EVP_HPKE_CTX_setup_sender_with_seed_for_testing(\n EVP_HPKE_CTX *ctx, uint8_t *out_enc, size_t *out_enc_len, size_t max_enc,\n const EVP_HPKE_KEM *kem, const EVP_HPKE_KDF *kdf, const EVP_HPKE_AEAD *aead,\n const uint8_t *peer_public_key, size_t peer_public_key_len,\n const uint8_t *info, size_t info_len, const uint8_t *seed, size_t seed_len);\n\n// EVP_HPKE_CTX_setup_recipient implements the SetupBaseR HPKE operation. It\n// decapsulates the shared secret in |enc| with |key| and sets up |ctx| as a\n// recipient context. It returns one on success and zero on failure. Note that\n// |enc| may be invalid, in which case this function will return an error.\n//\n// On success, callers may call |EVP_HPKE_CTX_open| to decrypt messages from the\n// sender. Callers must then call |EVP_HPKE_CTX_cleanup| when done. On failure,\n// calling |EVP_HPKE_CTX_cleanup| is safe, but not required.\nOPENSSL_EXPORT int EVP_HPKE_CTX_setup_recipient(\n EVP_HPKE_CTX *ctx, const EVP_HPKE_KEY *key, const EVP_HPKE_KDF *kdf,\n const EVP_HPKE_AEAD *aead, const uint8_t *enc, size_t enc_len,\n const uint8_t *info, size_t info_len);\n\n// EVP_HPKE_CTX_setup_auth_sender implements the SetupAuthS HPKE operation. It\n// behaves like |EVP_HPKE_CTX_setup_sender| but authenticates the resulting\n// context with |key|.\nOPENSSL_EXPORT int EVP_HPKE_CTX_setup_auth_sender(\n EVP_HPKE_CTX *ctx, uint8_t *out_enc, size_t *out_enc_len, size_t max_enc,\n const EVP_HPKE_KEY *key, const EVP_HPKE_KDF *kdf, const EVP_HPKE_AEAD *aead,\n const uint8_t *peer_public_key, size_t peer_public_key_len,\n const uint8_t *info, size_t info_len);\n\n// EVP_HPKE_CTX_setup_auth_sender_with_seed_for_testing behaves like\n// |EVP_HPKE_CTX_setup_auth_sender|, but takes a seed to behave\n// deterministically. The seed's format depends on |kem|. For X25519, it is the\n// sender's ephemeral private key. For P256, it's an HKDF input.\nOPENSSL_EXPORT int EVP_HPKE_CTX_setup_auth_sender_with_seed_for_testing(\n EVP_HPKE_CTX *ctx, uint8_t *out_enc, size_t *out_enc_len, size_t max_enc,\n const EVP_HPKE_KEY *key, const EVP_HPKE_KDF *kdf, const EVP_HPKE_AEAD *aead,\n const uint8_t *peer_public_key, size_t peer_public_key_len,\n const uint8_t *info, size_t info_len, const uint8_t *seed, size_t seed_len);\n\n// EVP_HPKE_CTX_setup_auth_recipient implements the SetupAuthR HPKE operation.\n// It behaves like |EVP_HPKE_CTX_setup_recipient| but checks the resulting\n// context was authenticated with |peer_public_key|.\nOPENSSL_EXPORT int EVP_HPKE_CTX_setup_auth_recipient(\n EVP_HPKE_CTX *ctx, const EVP_HPKE_KEY *key, const EVP_HPKE_KDF *kdf,\n const EVP_HPKE_AEAD *aead, const uint8_t *enc, size_t enc_len,\n const uint8_t *info, size_t info_len, const uint8_t *peer_public_key,\n size_t peer_public_key_len);\n\n\n// Using an HPKE context.\n//\n// Once set up, callers may encrypt or decrypt with an |EVP_HPKE_CTX| using the\n// following functions.\n\n// EVP_HPKE_CTX_open uses the HPKE context |ctx| to authenticate |in_len| bytes\n// from |in| and |ad_len| bytes from |ad| and to decrypt at most |in_len| bytes\n// into |out|. It returns one on success, and zero otherwise.\n//\n// This operation will fail if the |ctx| context is not set up as a receiver.\n//\n// Note that HPKE encryption is stateful and ordered. The sender's first call to\n// |EVP_HPKE_CTX_seal| must correspond to the recipient's first call to\n// |EVP_HPKE_CTX_open|, etc.\n//\n// At most |in_len| bytes are written to |out|. In order to ensure success,\n// |max_out_len| should be at least |in_len|. On successful return, |*out_len|\n// is set to the actual number of bytes written.\nOPENSSL_EXPORT int EVP_HPKE_CTX_open(EVP_HPKE_CTX *ctx, uint8_t *out,\n size_t *out_len, size_t max_out_len,\n const uint8_t *in, size_t in_len,\n const uint8_t *ad, size_t ad_len);\n\n// EVP_HPKE_CTX_seal uses the HPKE context |ctx| to encrypt and authenticate\n// |in_len| bytes of ciphertext |in| and authenticate |ad_len| bytes from |ad|,\n// writing the result to |out|. It returns one on success and zero otherwise.\n//\n// This operation will fail if the |ctx| context is not set up as a sender.\n//\n// Note that HPKE encryption is stateful and ordered. The sender's first call to\n// |EVP_HPKE_CTX_seal| must correspond to the recipient's first call to\n// |EVP_HPKE_CTX_open|, etc.\n//\n// At most, |max_out_len| encrypted bytes are written to |out|. On successful\n// return, |*out_len| is set to the actual number of bytes written.\n//\n// To ensure success, |max_out_len| should be |in_len| plus the result of\n// |EVP_HPKE_CTX_max_overhead| or |EVP_HPKE_MAX_OVERHEAD|.\nOPENSSL_EXPORT int EVP_HPKE_CTX_seal(EVP_HPKE_CTX *ctx, uint8_t *out,\n size_t *out_len, size_t max_out_len,\n const uint8_t *in, size_t in_len,\n const uint8_t *ad, size_t ad_len);\n\n// EVP_HPKE_CTX_export uses the HPKE context |ctx| to export a secret of\n// |secret_len| bytes into |out|. This function uses |context_len| bytes from\n// |context| as a context string for the secret. This is necessary to separate\n// different uses of exported secrets and bind relevant caller-specific context\n// into the output. It returns one on success and zero otherwise.\nOPENSSL_EXPORT int EVP_HPKE_CTX_export(const EVP_HPKE_CTX *ctx, uint8_t *out,\n size_t secret_len,\n const uint8_t *context,\n size_t context_len);\n\n// EVP_HPKE_MAX_OVERHEAD contains the largest value that\n// |EVP_HPKE_CTX_max_overhead| would ever return for any context.\n#define EVP_HPKE_MAX_OVERHEAD EVP_AEAD_MAX_OVERHEAD\n\n// EVP_HPKE_CTX_max_overhead returns the maximum number of additional bytes\n// added by sealing data with |EVP_HPKE_CTX_seal|. The |ctx| context must be set\n// up as a sender.\nOPENSSL_EXPORT size_t EVP_HPKE_CTX_max_overhead(const EVP_HPKE_CTX *ctx);\n\n// EVP_HPKE_CTX_kem returns |ctx|'s configured KEM, or NULL if the context has\n// not been set up.\nOPENSSL_EXPORT const EVP_HPKE_KEM *EVP_HPKE_CTX_kem(const EVP_HPKE_CTX *ctx);\n\n// EVP_HPKE_CTX_aead returns |ctx|'s configured AEAD, or NULL if the context has\n// not been set up.\nOPENSSL_EXPORT const EVP_HPKE_AEAD *EVP_HPKE_CTX_aead(const EVP_HPKE_CTX *ctx);\n\n// EVP_HPKE_CTX_kdf returns |ctx|'s configured KDF, or NULL if the context has\n// not been set up.\nOPENSSL_EXPORT const EVP_HPKE_KDF *EVP_HPKE_CTX_kdf(const EVP_HPKE_CTX *ctx);\n\n\n// Private structures.\n//\n// The following structures are exported so their types are stack-allocatable,\n// but accessing or modifying their fields is forbidden.\n\nstruct evp_hpke_ctx_st {\n const EVP_HPKE_KEM *kem;\n const EVP_HPKE_AEAD *aead;\n const EVP_HPKE_KDF *kdf;\n EVP_AEAD_CTX aead_ctx;\n uint8_t base_nonce[EVP_AEAD_MAX_NONCE_LENGTH];\n uint8_t exporter_secret[EVP_MAX_MD_SIZE];\n uint64_t seq;\n int is_sender;\n};\n\nstruct evp_hpke_key_st {\n const EVP_HPKE_KEM *kem;\n uint8_t private_key[EVP_HPKE_MAX_PRIVATE_KEY_LENGTH];\n uint8_t public_key[EVP_HPKE_MAX_PUBLIC_KEY_LENGTH];\n};\n\n\n#if defined(__cplusplus)\n} // extern C\n#endif\n\n#if !defined(BORINGSSL_NO_CXX)\nextern \"C++\" {\n\nBSSL_NAMESPACE_BEGIN\n\nusing ScopedEVP_HPKE_CTX =\n internal::StackAllocated;\nusing ScopedEVP_HPKE_KEY =\n internal::StackAllocatedMovable;\n\nBORINGSSL_MAKE_DELETER(EVP_HPKE_CTX, EVP_HPKE_CTX_free)\nBORINGSSL_MAKE_DELETER(EVP_HPKE_KEY, EVP_HPKE_KEY_free)\n\nBSSL_NAMESPACE_END\n\n} // extern C++\n#endif\n\n#endif // OPENSSL_HEADER_CRYPTO_HPKE_INTERNAL_H\n" }, { "path": "Sources/CNIOBoringSSL/include/CNIOBoringSSL_hrss.h", "content": "/* Copyright 2018 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n#ifndef OPENSSL_HEADER_HRSS_H\n#define OPENSSL_HEADER_HRSS_H\n\n#include \"CNIOBoringSSL_base.h\"\n\n#if defined(__cplusplus)\nextern \"C\" {\n#endif\n\n// HRSS\n//\n// HRSS is a structured-lattice-based post-quantum key encapsulation mechanism.\n// The best exposition is https://eprint.iacr.org/2017/667.pdf although this\n// implementation uses a different KEM construction based on\n// https://eprint.iacr.org/2017/1005.pdf.\n\nstruct HRSS_private_key {\n uint8_t opaque[1808];\n};\n\nstruct HRSS_public_key {\n uint8_t opaque[1424];\n};\n\n// HRSS_SAMPLE_BYTES is the number of bytes of entropy needed to generate a\n// short vector. There are 701 coefficients, but the final one is always set to\n// zero when sampling. Otherwise, we need one byte of input per coefficient.\n#define HRSS_SAMPLE_BYTES (701 - 1)\n// HRSS_GENERATE_KEY_BYTES is the number of bytes of entropy needed to generate\n// an HRSS key pair.\n#define HRSS_GENERATE_KEY_BYTES (HRSS_SAMPLE_BYTES + HRSS_SAMPLE_BYTES + 32)\n// HRSS_ENCAP_BYTES is the number of bytes of entropy needed to encapsulate a\n// session key.\n#define HRSS_ENCAP_BYTES (HRSS_SAMPLE_BYTES + HRSS_SAMPLE_BYTES)\n// HRSS_PUBLIC_KEY_BYTES is the number of bytes in a public key.\n#define HRSS_PUBLIC_KEY_BYTES 1138\n// HRSS_CIPHERTEXT_BYTES is the number of bytes in a ciphertext.\n#define HRSS_CIPHERTEXT_BYTES 1138\n// HRSS_KEY_BYTES is the number of bytes in a shared key.\n#define HRSS_KEY_BYTES 32\n// HRSS_POLY3_BYTES is the number of bytes needed to serialise a mod 3\n// polynomial.\n#define HRSS_POLY3_BYTES 140\n#define HRSS_PRIVATE_KEY_BYTES \\\n (HRSS_POLY3_BYTES * 2 + HRSS_PUBLIC_KEY_BYTES + 2 + 32)\n\n// HRSS_generate_key is a deterministic function that outputs a public and\n// private key based on the given entropy. It returns one on success or zero\n// on malloc failure.\nOPENSSL_EXPORT int HRSS_generate_key(\n struct HRSS_public_key *out_pub, struct HRSS_private_key *out_priv,\n const uint8_t input[HRSS_GENERATE_KEY_BYTES]);\n\n// HRSS_encap is a deterministic function the generates and encrypts a random\n// session key from the given entropy, writing those values to |out_shared_key|\n// and |out_ciphertext|, respectively. It returns one on success or zero on\n// malloc failure.\nOPENSSL_EXPORT int HRSS_encap(uint8_t out_ciphertext[HRSS_CIPHERTEXT_BYTES],\n uint8_t out_shared_key[HRSS_KEY_BYTES],\n const struct HRSS_public_key *in_pub,\n const uint8_t in[HRSS_ENCAP_BYTES]);\n\n// HRSS_decap decrypts a session key from |ciphertext_len| bytes of\n// |ciphertext|. If the ciphertext is valid, the decrypted key is written to\n// |out_shared_key|. Otherwise the HMAC of |ciphertext| under a secret key (kept\n// in |in_priv|) is written. If the ciphertext is the wrong length then it will\n// leak which was done via side-channels. Otherwise it should perform either\n// action in constant-time. It returns one on success (whether the ciphertext\n// was valid or not) and zero on malloc failure.\nOPENSSL_EXPORT int HRSS_decap(uint8_t out_shared_key[HRSS_KEY_BYTES],\n const struct HRSS_private_key *in_priv,\n const uint8_t *ciphertext, size_t ciphertext_len);\n\n// HRSS_marshal_public_key serialises |in_pub| to |out|.\nOPENSSL_EXPORT void HRSS_marshal_public_key(\n uint8_t out[HRSS_PUBLIC_KEY_BYTES], const struct HRSS_public_key *in_pub);\n\n// HRSS_parse_public_key sets |*out| to the public-key encoded in |in|. It\n// returns true on success and zero on error.\nOPENSSL_EXPORT int HRSS_parse_public_key(\n struct HRSS_public_key *out, const uint8_t in[HRSS_PUBLIC_KEY_BYTES]);\n\n\n#if defined(__cplusplus)\n} // extern C\n#endif\n\n#endif // OPENSSL_HEADER_HRSS_H\n" }, { "path": "Sources/CNIOBoringSSL/include/CNIOBoringSSL_is_boringssl.h", "content": "/* Copyright 2017 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n// This header is provided in order to catch include path errors in consuming\n// BoringSSL.\n" }, { "path": "Sources/CNIOBoringSSL/include/CNIOBoringSSL_kdf.h", "content": "/* Copyright 2022 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n#ifndef OPENSSL_HEADER_KDF_H\n#define OPENSSL_HEADER_KDF_H\n\n#include \"CNIOBoringSSL_base.h\"\n\n#if defined(__cplusplus)\nextern \"C\" {\n#endif\n\n\n// KDF support for EVP.\n\n\n// HKDF-specific functions.\n//\n// The following functions are provided for OpenSSL compatibility. Prefer the\n// HKDF functions in . In each, |ctx| must be created with\n// |EVP_PKEY_CTX_new_id| with |EVP_PKEY_HKDF| and then initialized with\n// |EVP_PKEY_derive_init|.\n\n// EVP_PKEY_HKDEF_MODE_* define \"modes\" for use with |EVP_PKEY_CTX_hkdf_mode|.\n// The mispelling of \"HKDF\" as \"HKDEF\" is intentional for OpenSSL compatibility.\n#define EVP_PKEY_HKDEF_MODE_EXTRACT_AND_EXPAND 0\n#define EVP_PKEY_HKDEF_MODE_EXTRACT_ONLY 1\n#define EVP_PKEY_HKDEF_MODE_EXPAND_ONLY 2\n\n// EVP_PKEY_CTX_hkdf_mode configures which HKDF operation to run. It returns one\n// on success and zero on error. |mode| must be one of |EVP_PKEY_HKDEF_MODE_*|.\n// By default, the mode is |EVP_PKEY_HKDEF_MODE_EXTRACT_AND_EXPAND|.\n//\n// If |mode| is |EVP_PKEY_HKDEF_MODE_EXTRACT_AND_EXPAND| or\n// |EVP_PKEY_HKDEF_MODE_EXPAND_ONLY|, the output is variable-length.\n// |EVP_PKEY_derive| uses the size of the output buffer as the output length for\n// HKDF-Expand.\n//\n// WARNING: Although this API calls it a \"mode\", HKDF-Extract and HKDF-Expand\n// are distinct operations with distinct inputs and distinct kinds of keys.\n// Callers should not pass input secrets for one operation into the other.\nOPENSSL_EXPORT int EVP_PKEY_CTX_hkdf_mode(EVP_PKEY_CTX *ctx, int mode);\n\n// EVP_PKEY_CTX_set_hkdf_md sets |md| as the digest to use with HKDF. It returns\n// one on success and zero on error.\nOPENSSL_EXPORT int EVP_PKEY_CTX_set_hkdf_md(EVP_PKEY_CTX *ctx,\n const EVP_MD *md);\n\n// EVP_PKEY_CTX_set1_hkdf_key configures HKDF to use |key_len| bytes from |key|\n// as the \"key\", described below. It returns one on success and zero on error.\n//\n// Which input is the key depends on the \"mode\" (see |EVP_PKEY_CTX_hkdf_mode|).\n// If |EVP_PKEY_HKDEF_MODE_EXTRACT_AND_EXPAND| or\n// |EVP_PKEY_HKDEF_MODE_EXTRACT_ONLY|, this function specifies the input keying\n// material (IKM) for HKDF-Extract. If |EVP_PKEY_HKDEF_MODE_EXPAND_ONLY|, it\n// instead specifies the pseudorandom key (PRK) for HKDF-Expand.\nOPENSSL_EXPORT int EVP_PKEY_CTX_set1_hkdf_key(EVP_PKEY_CTX *ctx,\n const uint8_t *key,\n size_t key_len);\n\n// EVP_PKEY_CTX_set1_hkdf_salt configures HKDF to use |salt_len| bytes from\n// |salt| as the salt parameter to HKDF-Extract. It returns one on success and\n// zero on error. If performing HKDF-Expand only, this parameter is ignored.\nOPENSSL_EXPORT int EVP_PKEY_CTX_set1_hkdf_salt(EVP_PKEY_CTX *ctx,\n const uint8_t *salt,\n size_t salt_len);\n\n// EVP_PKEY_CTX_add1_hkdf_info appends |info_len| bytes from |info| to the info\n// parameter used with HKDF-Expand. It returns one on success and zero on error.\n// If performing HKDF-Extract only, this parameter is ignored.\nOPENSSL_EXPORT int EVP_PKEY_CTX_add1_hkdf_info(EVP_PKEY_CTX *ctx,\n const uint8_t *info,\n size_t info_len);\n\n\n#if defined(__cplusplus)\n} // extern C\n#endif\n\n#endif // OPENSSL_HEADER_KDF_H\n" }, { "path": "Sources/CNIOBoringSSL/include/CNIOBoringSSL_lhash.h", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#ifndef OPENSSL_HEADER_LHASH_H\n#define OPENSSL_HEADER_LHASH_H\n\n#include \"CNIOBoringSSL_base.h\"\n\n#if defined(__cplusplus)\nextern \"C\" {\n#endif\n\n\n// lhash is an internal library and not exported for use outside BoringSSL. This\n// header is provided for compatibility with code that expects OpenSSL.\n\n\n// These two macros are exported for compatibility with existing callers of\n// |X509V3_EXT_conf_nid|. Do not use these symbols outside BoringSSL.\n#define LHASH_OF(type) struct lhash_st_##type\n#define DECLARE_LHASH_OF(type) LHASH_OF(type);\n\n\n#if defined(__cplusplus)\n} // extern C\n#endif\n\n#endif // OPENSSL_HEADER_LHASH_H\n" }, { "path": "Sources/CNIOBoringSSL/include/CNIOBoringSSL_md4.h", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#ifndef OPENSSL_HEADER_MD4_H\n#define OPENSSL_HEADER_MD4_H\n\n#include \"CNIOBoringSSL_base.h\"\n\n#if defined(__cplusplus)\nextern \"C\" {\n#endif\n\n\n// MD4.\n\n// MD4_CBLOCK is the block size of MD4.\n#define MD4_CBLOCK 64\n\n// MD4_DIGEST_LENGTH is the length of an MD4 digest.\n#define MD4_DIGEST_LENGTH 16\n\n// MD4_Init initialises |md4| and returns one.\nOPENSSL_EXPORT int MD4_Init(MD4_CTX *md4);\n\n// MD4_Update adds |len| bytes from |data| to |md4| and returns one.\nOPENSSL_EXPORT int MD4_Update(MD4_CTX *md4, const void *data, size_t len);\n\n// MD4_Final adds the final padding to |md4| and writes the resulting digest to\n// |out|, which must have at least |MD4_DIGEST_LENGTH| bytes of space. It\n// returns one.\nOPENSSL_EXPORT int MD4_Final(uint8_t out[MD4_DIGEST_LENGTH], MD4_CTX *md4);\n\n// MD4 writes the digest of |len| bytes from |data| to |out| and returns |out|.\n// There must be at least |MD4_DIGEST_LENGTH| bytes of space in |out|.\nOPENSSL_EXPORT uint8_t *MD4(const uint8_t *data, size_t len,\n uint8_t out[MD4_DIGEST_LENGTH]);\n\n// MD4_Transform is a low-level function that performs a single, MD4 block\n// transformation using the state from |md4| and 64 bytes from |block|.\nOPENSSL_EXPORT void MD4_Transform(MD4_CTX *md4,\n const uint8_t block[MD4_CBLOCK]);\n\nstruct md4_state_st {\n uint32_t h[4];\n uint32_t Nl, Nh;\n uint8_t data[MD4_CBLOCK];\n unsigned num;\n};\n\n\n#if defined(__cplusplus)\n} // extern C\n#endif\n\n#endif // OPENSSL_HEADER_MD4_H\n" }, { "path": "Sources/CNIOBoringSSL/include/CNIOBoringSSL_md5.h", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#ifndef OPENSSL_HEADER_MD5_H\n#define OPENSSL_HEADER_MD5_H\n\n#include \"CNIOBoringSSL_base.h\"\n\n#if defined(__cplusplus)\nextern \"C\" {\n#endif\n\n\n// MD5.\n\n\n// MD5_CBLOCK is the block size of MD5.\n#define MD5_CBLOCK 64\n\n// MD5_DIGEST_LENGTH is the length of an MD5 digest.\n#define MD5_DIGEST_LENGTH 16\n\n// MD5_Init initialises |md5| and returns one.\nOPENSSL_EXPORT int MD5_Init(MD5_CTX *md5);\n\n// MD5_Update adds |len| bytes from |data| to |md5| and returns one.\nOPENSSL_EXPORT int MD5_Update(MD5_CTX *md5, const void *data, size_t len);\n\n// MD5_Final adds the final padding to |md5| and writes the resulting digest to\n// |out|, which must have at least |MD5_DIGEST_LENGTH| bytes of space. It\n// returns one.\nOPENSSL_EXPORT int MD5_Final(uint8_t out[MD5_DIGEST_LENGTH], MD5_CTX *md5);\n\n// MD5 writes the digest of |len| bytes from |data| to |out| and returns |out|.\n// There must be at least |MD5_DIGEST_LENGTH| bytes of space in |out|.\nOPENSSL_EXPORT uint8_t *MD5(const uint8_t *data, size_t len,\n uint8_t out[MD5_DIGEST_LENGTH]);\n\n// MD5_Transform is a low-level function that performs a single, MD5 block\n// transformation using the state from |md5| and 64 bytes from |block|.\nOPENSSL_EXPORT void MD5_Transform(MD5_CTX *md5,\n const uint8_t block[MD5_CBLOCK]);\n\nstruct md5_state_st {\n uint32_t h[4];\n uint32_t Nl, Nh;\n uint8_t data[MD5_CBLOCK];\n unsigned num;\n};\n\n\n#if defined(__cplusplus)\n} // extern C\n#endif\n\n#endif // OPENSSL_HEADER_MD5_H\n" }, { "path": "Sources/CNIOBoringSSL/include/CNIOBoringSSL_mem.h", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#ifndef OPENSSL_HEADER_MEM_H\n#define OPENSSL_HEADER_MEM_H\n\n#include \"CNIOBoringSSL_base.h\"\n\n#include \n#include \n\n#if defined(__cplusplus)\nextern \"C\" {\n#endif\n\n\n// Memory and string functions, see also buf.h.\n//\n// BoringSSL has its own set of allocation functions, which keep track of\n// allocation lengths and zero them out before freeing. All memory returned by\n// BoringSSL API calls must therefore generally be freed using |OPENSSL_free|\n// unless stated otherwise.\n\n\n#ifndef _BORINGSSL_PROHIBIT_OPENSSL_MALLOC\n// OPENSSL_malloc is similar to a regular |malloc|, but allocates additional\n// private data. The resulting pointer must be freed with |OPENSSL_free|. In\n// the case of a malloc failure, prior to returning NULL |OPENSSL_malloc| will\n// push |ERR_R_MALLOC_FAILURE| onto the openssl error stack.\nOPENSSL_EXPORT void *OPENSSL_malloc(size_t size);\n\n// OPENSSL_zalloc behaves like |OPENSSL_malloc| except it also initializes the\n// resulting memory to zero.\nOPENSSL_EXPORT void *OPENSSL_zalloc(size_t size);\n\n// OPENSSL_calloc is similar to a regular |calloc|, but allocates data with\n// |OPENSSL_malloc|. On overflow, it will push |ERR_R_OVERFLOW| onto the error\n// queue.\nOPENSSL_EXPORT void *OPENSSL_calloc(size_t num, size_t size);\n\n// OPENSSL_realloc returns a pointer to a buffer of |new_size| bytes that\n// contains the contents of |ptr|. Unlike |realloc|, a new buffer is always\n// allocated and the data at |ptr| is always wiped and freed. Memory is\n// allocated with |OPENSSL_malloc| and must be freed with |OPENSSL_free|.\nOPENSSL_EXPORT void *OPENSSL_realloc(void *ptr, size_t new_size);\n#endif // !_BORINGSSL_PROHIBIT_OPENSSL_MALLOC\n\n// OPENSSL_free does nothing if |ptr| is NULL. Otherwise it zeros out the\n// memory allocated at |ptr| and frees it along with the private data.\n// It must only be used on on |ptr| values obtained from |OPENSSL_malloc|\nOPENSSL_EXPORT void OPENSSL_free(void *ptr);\n\n// OPENSSL_cleanse zeros out |len| bytes of memory at |ptr|. This is similar to\n// |memset_s| from C11.\nOPENSSL_EXPORT void OPENSSL_cleanse(void *ptr, size_t len);\n\n// CRYPTO_memcmp returns zero iff the |len| bytes at |a| and |b| are equal. It\n// takes an amount of time dependent on |len|, but independent of the contents\n// of |a| and |b|. Unlike memcmp, it cannot be used to put elements into a\n// defined order as the return value when a != b is undefined, other than to be\n// non-zero.\nOPENSSL_EXPORT int CRYPTO_memcmp(const void *a, const void *b, size_t len);\n\n// OPENSSL_hash32 implements the 32 bit, FNV-1a hash.\nOPENSSL_EXPORT uint32_t OPENSSL_hash32(const void *ptr, size_t len);\n\n// OPENSSL_strhash calls |OPENSSL_hash32| on the NUL-terminated string |s|.\nOPENSSL_EXPORT uint32_t OPENSSL_strhash(const char *s);\n\n// OPENSSL_strdup has the same behaviour as strdup(3).\nOPENSSL_EXPORT char *OPENSSL_strdup(const char *s);\n\n// OPENSSL_strnlen has the same behaviour as strnlen(3).\nOPENSSL_EXPORT size_t OPENSSL_strnlen(const char *s, size_t len);\n\n// OPENSSL_isalpha is a locale-independent, ASCII-only version of isalpha(3), It\n// only recognizes 'a' through 'z' and 'A' through 'Z' as alphabetic.\nOPENSSL_EXPORT int OPENSSL_isalpha(int c);\n\n// OPENSSL_isdigit is a locale-independent, ASCII-only version of isdigit(3), It\n// only recognizes '0' through '9' as digits.\nOPENSSL_EXPORT int OPENSSL_isdigit(int c);\n\n// OPENSSL_isxdigit is a locale-independent, ASCII-only version of isxdigit(3),\n// It only recognizes '0' through '9', 'a' through 'f', and 'A through 'F' as\n// digits.\nOPENSSL_EXPORT int OPENSSL_isxdigit(int c);\n\n// OPENSSL_fromxdigit returns one if |c| is a hexadecimal digit as recognized\n// by OPENSSL_isxdigit, and sets |out| to the corresponding value. Otherwise\n// zero is returned.\nOPENSSL_EXPORT int OPENSSL_fromxdigit(uint8_t *out, int c);\n\n// OPENSSL_isalnum is a locale-independent, ASCII-only version of isalnum(3), It\n// only recognizes what |OPENSSL_isalpha| and |OPENSSL_isdigit| recognize.\nOPENSSL_EXPORT int OPENSSL_isalnum(int c);\n\n// OPENSSL_tolower is a locale-independent, ASCII-only version of tolower(3). It\n// only lowercases ASCII values. Other values are returned as-is.\nOPENSSL_EXPORT int OPENSSL_tolower(int c);\n\n// OPENSSL_isspace is a locale-independent, ASCII-only version of isspace(3). It\n// only recognizes '\\t', '\\n', '\\v', '\\f', '\\r', and ' '.\nOPENSSL_EXPORT int OPENSSL_isspace(int c);\n\n// OPENSSL_strcasecmp is a locale-independent, ASCII-only version of\n// strcasecmp(3).\nOPENSSL_EXPORT int OPENSSL_strcasecmp(const char *a, const char *b);\n\n// OPENSSL_strncasecmp is a locale-independent, ASCII-only version of\n// strncasecmp(3).\nOPENSSL_EXPORT int OPENSSL_strncasecmp(const char *a, const char *b, size_t n);\n\n// DECIMAL_SIZE returns an upper bound for the length of the decimal\n// representation of the given type.\n#define DECIMAL_SIZE(type)\t((sizeof(type)*8+2)/3+1)\n\n// BIO_snprintf has the same behavior as snprintf(3).\nOPENSSL_EXPORT int BIO_snprintf(char *buf, size_t n, const char *format, ...)\n OPENSSL_PRINTF_FORMAT_FUNC(3, 4);\n\n// BIO_vsnprintf has the same behavior as vsnprintf(3).\nOPENSSL_EXPORT int BIO_vsnprintf(char *buf, size_t n, const char *format,\n va_list args) OPENSSL_PRINTF_FORMAT_FUNC(3, 0);\n\n// OPENSSL_vasprintf has the same behavior as vasprintf(3), except that\n// memory allocated in a returned string must be freed with |OPENSSL_free|.\nOPENSSL_EXPORT int OPENSSL_vasprintf(char **str, const char *format,\n va_list args)\n OPENSSL_PRINTF_FORMAT_FUNC(2, 0);\n\n// OPENSSL_asprintf has the same behavior as asprintf(3), except that\n// memory allocated in a returned string must be freed with |OPENSSL_free|.\nOPENSSL_EXPORT int OPENSSL_asprintf(char **str, const char *format, ...)\n OPENSSL_PRINTF_FORMAT_FUNC(2, 3);\n\n// OPENSSL_strndup returns an allocated, duplicate of |str|, which is, at most,\n// |size| bytes. The result is always NUL terminated. The memory allocated\n// must be freed with |OPENSSL_free|.\nOPENSSL_EXPORT char *OPENSSL_strndup(const char *str, size_t size);\n\n// OPENSSL_memdup returns an allocated, duplicate of |size| bytes from |data| or\n// NULL on allocation failure. The memory allocated must be freed with\n// |OPENSSL_free|.\nOPENSSL_EXPORT void *OPENSSL_memdup(const void *data, size_t size);\n\n// OPENSSL_strlcpy acts like strlcpy(3).\nOPENSSL_EXPORT size_t OPENSSL_strlcpy(char *dst, const char *src,\n size_t dst_size);\n\n// OPENSSL_strlcat acts like strlcat(3).\nOPENSSL_EXPORT size_t OPENSSL_strlcat(char *dst, const char *src,\n size_t dst_size);\n\n\n// Deprecated functions.\n\n// CRYPTO_malloc calls |OPENSSL_malloc|. |file| and |line| are ignored.\nOPENSSL_EXPORT void *CRYPTO_malloc(size_t size, const char *file, int line);\n\n// CRYPTO_realloc calls |OPENSSL_realloc|. |file| and |line| are ignored.\nOPENSSL_EXPORT void *CRYPTO_realloc(void *ptr, size_t new_size,\n const char *file, int line);\n\n// CRYPTO_free calls |OPENSSL_free|. |file| and |line| are ignored.\nOPENSSL_EXPORT void CRYPTO_free(void *ptr, const char *file, int line);\n\n// OPENSSL_clear_free calls |OPENSSL_free|. BoringSSL automatically clears all\n// allocations on free, but we define |OPENSSL_clear_free| for compatibility.\nOPENSSL_EXPORT void OPENSSL_clear_free(void *ptr, size_t len);\n\n// CRYPTO_secure_malloc_init returns zero.\nOPENSSL_EXPORT int CRYPTO_secure_malloc_init(size_t size, size_t min_size);\n\n// CRYPTO_secure_malloc_initialized returns zero.\nOPENSSL_EXPORT int CRYPTO_secure_malloc_initialized(void);\n\n// CRYPTO_secure_used returns zero.\nOPENSSL_EXPORT size_t CRYPTO_secure_used(void);\n\n// OPENSSL_secure_malloc calls |OPENSSL_malloc|.\nOPENSSL_EXPORT void *OPENSSL_secure_malloc(size_t size);\n\n// OPENSSL_secure_clear_free calls |OPENSSL_clear_free|.\nOPENSSL_EXPORT void OPENSSL_secure_clear_free(void *ptr, size_t len);\n\n\n#if defined(__cplusplus)\n} // extern C\n\nextern \"C++\" {\n\nBSSL_NAMESPACE_BEGIN\n\nBORINGSSL_MAKE_DELETER(char, OPENSSL_free)\nBORINGSSL_MAKE_DELETER(uint8_t, OPENSSL_free)\n\nBSSL_NAMESPACE_END\n\n} // extern C++\n\n#endif\n\n#endif // OPENSSL_HEADER_MEM_H\n" }, { "path": "Sources/CNIOBoringSSL/include/CNIOBoringSSL_mldsa.h", "content": "/* Copyright 2024 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n#ifndef OPENSSL_HEADER_MLDSA_H_\n#define OPENSSL_HEADER_MLDSA_H_\n\n#include \"CNIOBoringSSL_base.h\"\n\n#if defined(__cplusplus)\nextern \"C\" {\n#endif\n\n\n// ML-DSA.\n//\n// This implements the Module-Lattice-Based Digital Signature Standard from\n// https://csrc.nist.gov/pubs/fips/204/final\n\n\n// MLDSA_SEED_BYTES is the number of bytes in an ML-DSA seed value.\n#define MLDSA_SEED_BYTES 32\n\n\n// ML-DSA-65.\n\n// MLDSA65_private_key contains an ML-DSA-65 private key. The contents of this\n// object should never leave the address space since the format is unstable.\nstruct MLDSA65_private_key {\n union {\n uint8_t bytes[32 + 32 + 64 + 256 * 4 * (5 + 6 + 6)];\n uint32_t alignment;\n } opaque;\n};\n\n// MLDSA65_public_key contains an ML-DSA-65 public key. The contents of this\n// object should never leave the address space since the format is unstable.\nstruct MLDSA65_public_key {\n union {\n uint8_t bytes[32 + 64 + 256 * 4 * 6];\n uint32_t alignment;\n } opaque;\n};\n\n// MLDSA65_PRIVATE_KEY_BYTES is the number of bytes in an encoded ML-DSA-65\n// private key.\n#define MLDSA65_PRIVATE_KEY_BYTES 4032\n\n// MLDSA65_PUBLIC_KEY_BYTES is the number of bytes in an encoded ML-DSA-65\n// public key.\n#define MLDSA65_PUBLIC_KEY_BYTES 1952\n\n// MLDSA65_SIGNATURE_BYTES is the number of bytes in an encoded ML-DSA-65\n// signature.\n#define MLDSA65_SIGNATURE_BYTES 3309\n\n// MLDSA65_generate_key generates a random public/private key pair, writes the\n// encoded public key to |out_encoded_public_key|, writes the seed to\n// |out_seed|, and sets |out_private_key| to the private key. Returns 1 on\n// success and 0 on allocation failure.\nOPENSSL_EXPORT int MLDSA65_generate_key(\n uint8_t out_encoded_public_key[MLDSA65_PUBLIC_KEY_BYTES],\n uint8_t out_seed[MLDSA_SEED_BYTES],\n struct MLDSA65_private_key *out_private_key);\n\n// MLDSA65_private_key_from_seed regenerates a private key from a seed value\n// that was generated by |MLDSA65_generate_key|. Returns 1 on success and 0 on\n// allocation failure or if |seed_len| is incorrect.\nOPENSSL_EXPORT int MLDSA65_private_key_from_seed(\n struct MLDSA65_private_key *out_private_key, const uint8_t *seed,\n size_t seed_len);\n\n// MLDSA65_public_from_private sets |*out_public_key| to the public key that\n// corresponds to |private_key|. Returns 1 on success and 0 on failure.\nOPENSSL_EXPORT int MLDSA65_public_from_private(\n struct MLDSA65_public_key *out_public_key,\n const struct MLDSA65_private_key *private_key);\n\n// MLDSA65_sign generates a signature for the message |msg| of length\n// |msg_len| using |private_key| (following the randomized algorithm), and\n// writes the encoded signature to |out_encoded_signature|. The |context|\n// argument is also signed over and can be used to include implicit contextual\n// information that isn't included in |msg|. The same value of |context| must be\n// presented to |MLDSA65_verify| in order for the generated signature to be\n// considered valid. |context| and |context_len| may be |NULL| and 0 to use an\n// empty context (this is common). Returns 1 on success and 0 on failure.\nOPENSSL_EXPORT int MLDSA65_sign(\n uint8_t out_encoded_signature[MLDSA65_SIGNATURE_BYTES],\n const struct MLDSA65_private_key *private_key, const uint8_t *msg,\n size_t msg_len, const uint8_t *context, size_t context_len);\n\n// MLDSA65_verify verifies that |signature| constitutes a valid\n// signature for the message |msg| of length |msg_len| using |public_key|. The\n// value of |context| must equal the value that was passed to |MLDSA65_sign|\n// when the signature was generated. Returns 1 on success or 0 on error.\nOPENSSL_EXPORT int MLDSA65_verify(const struct MLDSA65_public_key *public_key,\n const uint8_t *signature,\n size_t signature_len, const uint8_t *msg,\n size_t msg_len, const uint8_t *context,\n size_t context_len);\n\n// MLDSA65_marshal_public_key serializes |public_key| to |out| in the standard\n// format for ML-DSA-65 public keys. It returns 1 on success or 0 on\n// allocation error.\nOPENSSL_EXPORT int MLDSA65_marshal_public_key(\n CBB *out, const struct MLDSA65_public_key *public_key);\n\n// MLDSA65_parse_public_key parses a public key, in the format generated by\n// |MLDSA65_marshal_public_key|, from |in| and writes the result to\n// |out_public_key|. It returns 1 on success or 0 on parse error or if\n// there are trailing bytes in |in|.\nOPENSSL_EXPORT int MLDSA65_parse_public_key(\n struct MLDSA65_public_key *public_key, CBS *in);\n\n\n#if defined(__cplusplus)\n} // extern C\n#endif\n\n#endif // OPENSSL_HEADER_MLDSA_H_\n" }, { "path": "Sources/CNIOBoringSSL/include/CNIOBoringSSL_mlkem.h", "content": "/* Copyright 2024 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n#ifndef OPENSSL_HEADER_MLKEM_H\n#define OPENSSL_HEADER_MLKEM_H\n\n#include \"CNIOBoringSSL_base.h\"\n\n#if defined(__cplusplus)\nextern \"C\" {\n#endif\n\n\n// ML-KEM-768.\n//\n// This implements the Module-Lattice-Based Key-Encapsulation Mechanism from\n// https://csrc.nist.gov/pubs/fips/204/final\n\n\n// MLKEM768_public_key contains an ML-KEM-768 public key. The contents of this\n// object should never leave the address space since the format is unstable.\nstruct MLKEM768_public_key {\n union {\n uint8_t bytes[512 * (3 + 9) + 32 + 32];\n uint16_t alignment;\n } opaque;\n};\n\n// MLKEM768_private_key contains an ML-KEM-768 private key. The contents of this\n// object should never leave the address space since the format is unstable.\nstruct MLKEM768_private_key {\n union {\n uint8_t bytes[512 * (3 + 3 + 9) + 32 + 32 + 32];\n uint16_t alignment;\n } opaque;\n};\n\n// MLKEM768_PUBLIC_KEY_BYTES is the number of bytes in an encoded ML-KEM-768\n// public key.\n#define MLKEM768_PUBLIC_KEY_BYTES 1184\n\n// MLKEM_SEED_BYTES is the number of bytes in an ML-KEM seed.\n#define MLKEM_SEED_BYTES 64\n\n// MLKEM768_generate_key generates a random public/private key pair, writes the\n// encoded public key to |out_encoded_public_key| and sets |out_private_key| to\n// the private key. If |optional_out_seed| is not NULL then the seed used to\n// generate the private key is written to it.\nOPENSSL_EXPORT void MLKEM768_generate_key(\n uint8_t out_encoded_public_key[MLKEM768_PUBLIC_KEY_BYTES],\n uint8_t optional_out_seed[MLKEM_SEED_BYTES],\n struct MLKEM768_private_key *out_private_key);\n\n// MLKEM768_private_key_from_seed derives a private key from a seed that was\n// generated by |MLKEM768_generate_key|. It fails and returns 0 if |seed_len| is\n// incorrect, otherwise it writes |*out_private_key| and returns 1.\nOPENSSL_EXPORT int MLKEM768_private_key_from_seed(\n struct MLKEM768_private_key *out_private_key, const uint8_t *seed,\n size_t seed_len);\n\n// MLKEM768_public_from_private sets |*out_public_key| to the public key that\n// corresponds to |private_key|. (This is faster than parsing the output of\n// |MLKEM768_generate_key| if, for some reason, you need to encapsulate to a key\n// that was just generated.)\nOPENSSL_EXPORT void MLKEM768_public_from_private(\n struct MLKEM768_public_key *out_public_key,\n const struct MLKEM768_private_key *private_key);\n\n// MLKEM768_CIPHERTEXT_BYTES is number of bytes in the ML-KEM-768 ciphertext.\n#define MLKEM768_CIPHERTEXT_BYTES 1088\n\n// MLKEM_SHARED_SECRET_BYTES is the number of bytes in an ML-KEM shared secret.\n#define MLKEM_SHARED_SECRET_BYTES 32\n\n// MLKEM768_encap encrypts a random shared secret for |public_key|, writes the\n// ciphertext to |out_ciphertext|, and writes the random shared secret to\n// |out_shared_secret|.\nOPENSSL_EXPORT void MLKEM768_encap(\n uint8_t out_ciphertext[MLKEM768_CIPHERTEXT_BYTES],\n uint8_t out_shared_secret[MLKEM_SHARED_SECRET_BYTES],\n const struct MLKEM768_public_key *public_key);\n\n// MLKEM768_decap decrypts a shared secret from |ciphertext| using |private_key|\n// and writes it to |out_shared_secret|. If |ciphertext_len| is incorrect it\n// returns 0, otherwise it returns 1. If |ciphertext| is invalid (but of the\n// correct length), |out_shared_secret| is filled with a key that will always be\n// the same for the same |ciphertext| and |private_key|, but which appears to be\n// random unless one has access to |private_key|. These alternatives occur in\n// constant time. Any subsequent symmetric encryption using |out_shared_secret|\n// must use an authenticated encryption scheme in order to discover the\n// decapsulation failure.\nOPENSSL_EXPORT int MLKEM768_decap(\n uint8_t out_shared_secret[MLKEM_SHARED_SECRET_BYTES],\n const uint8_t *ciphertext, size_t ciphertext_len,\n const struct MLKEM768_private_key *private_key);\n\n\n// Serialisation of keys.\n\n// MLKEM768_marshal_public_key serializes |public_key| to |out| in the standard\n// format for ML-KEM-768 public keys. It returns one on success or zero on\n// allocation error.\nOPENSSL_EXPORT int MLKEM768_marshal_public_key(\n CBB *out, const struct MLKEM768_public_key *public_key);\n\n// MLKEM768_parse_public_key parses a public key, in the format generated by\n// |MLKEM768_marshal_public_key|, from |in| and writes the result to\n// |out_public_key|. It returns one on success or zero on parse error or if\n// there are trailing bytes in |in|.\nOPENSSL_EXPORT int MLKEM768_parse_public_key(\n struct MLKEM768_public_key *out_public_key, CBS *in);\n\n\n// ML-KEM-1024\n//\n// ML-KEM-1024 also exists. You should prefer ML-KEM-768 where possible.\n\n// MLKEM1024_public_key contains an ML-KEM-1024 public key. The contents of this\n// object should never leave the address space since the format is unstable.\nstruct MLKEM1024_public_key {\n union {\n uint8_t bytes[512 * (4 + 16) + 32 + 32];\n uint16_t alignment;\n } opaque;\n};\n\n// MLKEM1024_private_key contains a ML-KEM-1024 private key. The contents of\n// this object should never leave the address space since the format is\n// unstable.\nstruct MLKEM1024_private_key {\n union {\n uint8_t bytes[512 * (4 + 4 + 16) + 32 + 32 + 32];\n uint16_t alignment;\n } opaque;\n};\n\n// MLKEM1024_PUBLIC_KEY_BYTES is the number of bytes in an encoded ML-KEM-1024\n// public key.\n#define MLKEM1024_PUBLIC_KEY_BYTES 1568\n\n// MLKEM1024_generate_key generates a random public/private key pair, writes the\n// encoded public key to |out_encoded_public_key| and sets |out_private_key| to\n// the private key. If |optional_out_seed| is not NULL then the seed used to\n// generate the private key is written to it.\nOPENSSL_EXPORT void MLKEM1024_generate_key(\n uint8_t out_encoded_public_key[MLKEM1024_PUBLIC_KEY_BYTES],\n uint8_t optional_out_seed[MLKEM_SEED_BYTES],\n struct MLKEM1024_private_key *out_private_key);\n\n// MLKEM1024_private_key_from_seed derives a private key from a seed that was\n// generated by |MLKEM1024_generate_key|. It fails and returns 0 if |seed_len|\n// is incorrect, otherwise it writes |*out_private_key| and returns 1.\nOPENSSL_EXPORT int MLKEM1024_private_key_from_seed(\n struct MLKEM1024_private_key *out_private_key, const uint8_t *seed,\n size_t seed_len);\n\n// MLKEM1024_public_from_private sets |*out_public_key| to the public key that\n// corresponds to |private_key|. (This is faster than parsing the output of\n// |MLKEM1024_generate_key| if, for some reason, you need to encapsulate to a\n// key that was just generated.)\nOPENSSL_EXPORT void MLKEM1024_public_from_private(\n struct MLKEM1024_public_key *out_public_key,\n const struct MLKEM1024_private_key *private_key);\n\n// MLKEM1024_CIPHERTEXT_BYTES is number of bytes in the ML-KEM-1024 ciphertext.\n#define MLKEM1024_CIPHERTEXT_BYTES 1568\n\n// MLKEM1024_encap encrypts a random shared secret for |public_key|, writes the\n// ciphertext to |out_ciphertext|, and writes the random shared secret to\n// |out_shared_secret|.\nOPENSSL_EXPORT void MLKEM1024_encap(\n uint8_t out_ciphertext[MLKEM1024_CIPHERTEXT_BYTES],\n uint8_t out_shared_secret[MLKEM_SHARED_SECRET_BYTES],\n const struct MLKEM1024_public_key *public_key);\n\n// MLKEM1024_decap decrypts a shared secret from |ciphertext| using\n// |private_key| and writes it to |out_shared_secret|. If |ciphertext_len| is\n// incorrect it returns 0, otherwise it returns 1. If |ciphertext| is invalid\n// (but of the correct length), |out_shared_secret| is filled with a key that\n// will always be the same for the same |ciphertext| and |private_key|, but\n// which appears to be random unless one has access to |private_key|. These\n// alternatives occur in constant time. Any subsequent symmetric encryption\n// using |out_shared_secret| must use an authenticated encryption scheme in\n// order to discover the decapsulation failure.\nOPENSSL_EXPORT int MLKEM1024_decap(\n uint8_t out_shared_secret[MLKEM_SHARED_SECRET_BYTES],\n const uint8_t *ciphertext, size_t ciphertext_len,\n const struct MLKEM1024_private_key *private_key);\n\n\n// Serialisation of ML-KEM-1024 keys.\n\n// MLKEM1024_marshal_public_key serializes |public_key| to |out| in the standard\n// format for ML-KEM-1024 public keys. It returns one on success or zero on\n// allocation error.\nOPENSSL_EXPORT int MLKEM1024_marshal_public_key(\n CBB *out, const struct MLKEM1024_public_key *public_key);\n\n// MLKEM1024_parse_public_key parses a public key, in the format generated by\n// |MLKEM1024_marshal_public_key|, from |in| and writes the result to\n// |out_public_key|. It returns one on success or zero on parse error or if\n// there are trailing bytes in |in|.\nOPENSSL_EXPORT int MLKEM1024_parse_public_key(\n struct MLKEM1024_public_key *out_public_key, CBS *in);\n\n\n#if defined(__cplusplus)\n} // extern C\n#endif\n\n#endif // OPENSSL_HEADER_MLKEM_H\n" }, { "path": "Sources/CNIOBoringSSL/include/CNIOBoringSSL_nid.h", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n/* This file is generated by crypto/obj/objects.go. */\n\n#ifndef OPENSSL_HEADER_NID_H\n#define OPENSSL_HEADER_NID_H\n\n#include \"CNIOBoringSSL_base.h\"\n\n#if defined(__cplusplus)\nextern \"C\" {\n#endif\n\n\n/* The nid library provides numbered values for ASN.1 object identifiers and\n * other symbols. These values are used by other libraries to identify\n * cryptographic primitives.\n *\n * A separate objects library, obj.h, provides functions for converting between\n * nids and object identifiers. However it depends on large internal tables with\n * the encodings of every nid defined. Consumers concerned with binary size\n * should instead embed the encodings of the few consumed OIDs and compare\n * against those.\n *\n * These values should not be used outside of a single process; they are not\n * stable identifiers. */\n\n\n#define SN_undef \"UNDEF\"\n#define LN_undef \"undefined\"\n#define NID_undef 0\n#define OBJ_undef 0L\n\n#define SN_rsadsi \"rsadsi\"\n#define LN_rsadsi \"RSA Data Security, Inc.\"\n#define NID_rsadsi 1\n#define OBJ_rsadsi 1L, 2L, 840L, 113549L\n\n#define SN_pkcs \"pkcs\"\n#define LN_pkcs \"RSA Data Security, Inc. PKCS\"\n#define NID_pkcs 2\n#define OBJ_pkcs 1L, 2L, 840L, 113549L, 1L\n\n#define SN_md2 \"MD2\"\n#define LN_md2 \"md2\"\n#define NID_md2 3\n#define OBJ_md2 1L, 2L, 840L, 113549L, 2L, 2L\n\n#define SN_md5 \"MD5\"\n#define LN_md5 \"md5\"\n#define NID_md5 4\n#define OBJ_md5 1L, 2L, 840L, 113549L, 2L, 5L\n\n#define SN_rc4 \"RC4\"\n#define LN_rc4 \"rc4\"\n#define NID_rc4 5\n#define OBJ_rc4 1L, 2L, 840L, 113549L, 3L, 4L\n\n#define LN_rsaEncryption \"rsaEncryption\"\n#define NID_rsaEncryption 6\n#define OBJ_rsaEncryption 1L, 2L, 840L, 113549L, 1L, 1L, 1L\n\n#define SN_md2WithRSAEncryption \"RSA-MD2\"\n#define LN_md2WithRSAEncryption \"md2WithRSAEncryption\"\n#define NID_md2WithRSAEncryption 7\n#define OBJ_md2WithRSAEncryption 1L, 2L, 840L, 113549L, 1L, 1L, 2L\n\n#define SN_md5WithRSAEncryption \"RSA-MD5\"\n#define LN_md5WithRSAEncryption \"md5WithRSAEncryption\"\n#define NID_md5WithRSAEncryption 8\n#define OBJ_md5WithRSAEncryption 1L, 2L, 840L, 113549L, 1L, 1L, 4L\n\n#define SN_pbeWithMD2AndDES_CBC \"PBE-MD2-DES\"\n#define LN_pbeWithMD2AndDES_CBC \"pbeWithMD2AndDES-CBC\"\n#define NID_pbeWithMD2AndDES_CBC 9\n#define OBJ_pbeWithMD2AndDES_CBC 1L, 2L, 840L, 113549L, 1L, 5L, 1L\n\n#define SN_pbeWithMD5AndDES_CBC \"PBE-MD5-DES\"\n#define LN_pbeWithMD5AndDES_CBC \"pbeWithMD5AndDES-CBC\"\n#define NID_pbeWithMD5AndDES_CBC 10\n#define OBJ_pbeWithMD5AndDES_CBC 1L, 2L, 840L, 113549L, 1L, 5L, 3L\n\n#define SN_X500 \"X500\"\n#define LN_X500 \"directory services (X.500)\"\n#define NID_X500 11\n#define OBJ_X500 2L, 5L\n\n#define SN_X509 \"X509\"\n#define NID_X509 12\n#define OBJ_X509 2L, 5L, 4L\n\n#define SN_commonName \"CN\"\n#define LN_commonName \"commonName\"\n#define NID_commonName 13\n#define OBJ_commonName 2L, 5L, 4L, 3L\n\n#define SN_countryName \"C\"\n#define LN_countryName \"countryName\"\n#define NID_countryName 14\n#define OBJ_countryName 2L, 5L, 4L, 6L\n\n#define SN_localityName \"L\"\n#define LN_localityName \"localityName\"\n#define NID_localityName 15\n#define OBJ_localityName 2L, 5L, 4L, 7L\n\n#define SN_stateOrProvinceName \"ST\"\n#define LN_stateOrProvinceName \"stateOrProvinceName\"\n#define NID_stateOrProvinceName 16\n#define OBJ_stateOrProvinceName 2L, 5L, 4L, 8L\n\n#define SN_organizationName \"O\"\n#define LN_organizationName \"organizationName\"\n#define NID_organizationName 17\n#define OBJ_organizationName 2L, 5L, 4L, 10L\n\n#define SN_organizationalUnitName \"OU\"\n#define LN_organizationalUnitName \"organizationalUnitName\"\n#define NID_organizationalUnitName 18\n#define OBJ_organizationalUnitName 2L, 5L, 4L, 11L\n\n#define SN_rsa \"RSA\"\n#define LN_rsa \"rsa\"\n#define NID_rsa 19\n#define OBJ_rsa 2L, 5L, 8L, 1L, 1L\n\n#define SN_pkcs7 \"pkcs7\"\n#define NID_pkcs7 20\n#define OBJ_pkcs7 1L, 2L, 840L, 113549L, 1L, 7L\n\n#define LN_pkcs7_data \"pkcs7-data\"\n#define NID_pkcs7_data 21\n#define OBJ_pkcs7_data 1L, 2L, 840L, 113549L, 1L, 7L, 1L\n\n#define LN_pkcs7_signed \"pkcs7-signedData\"\n#define NID_pkcs7_signed 22\n#define OBJ_pkcs7_signed 1L, 2L, 840L, 113549L, 1L, 7L, 2L\n\n#define LN_pkcs7_enveloped \"pkcs7-envelopedData\"\n#define NID_pkcs7_enveloped 23\n#define OBJ_pkcs7_enveloped 1L, 2L, 840L, 113549L, 1L, 7L, 3L\n\n#define LN_pkcs7_signedAndEnveloped \"pkcs7-signedAndEnvelopedData\"\n#define NID_pkcs7_signedAndEnveloped 24\n#define OBJ_pkcs7_signedAndEnveloped 1L, 2L, 840L, 113549L, 1L, 7L, 4L\n\n#define LN_pkcs7_digest \"pkcs7-digestData\"\n#define NID_pkcs7_digest 25\n#define OBJ_pkcs7_digest 1L, 2L, 840L, 113549L, 1L, 7L, 5L\n\n#define LN_pkcs7_encrypted \"pkcs7-encryptedData\"\n#define NID_pkcs7_encrypted 26\n#define OBJ_pkcs7_encrypted 1L, 2L, 840L, 113549L, 1L, 7L, 6L\n\n#define SN_pkcs3 \"pkcs3\"\n#define NID_pkcs3 27\n#define OBJ_pkcs3 1L, 2L, 840L, 113549L, 1L, 3L\n\n#define LN_dhKeyAgreement \"dhKeyAgreement\"\n#define NID_dhKeyAgreement 28\n#define OBJ_dhKeyAgreement 1L, 2L, 840L, 113549L, 1L, 3L, 1L\n\n#define SN_des_ecb \"DES-ECB\"\n#define LN_des_ecb \"des-ecb\"\n#define NID_des_ecb 29\n#define OBJ_des_ecb 1L, 3L, 14L, 3L, 2L, 6L\n\n#define SN_des_cfb64 \"DES-CFB\"\n#define LN_des_cfb64 \"des-cfb\"\n#define NID_des_cfb64 30\n#define OBJ_des_cfb64 1L, 3L, 14L, 3L, 2L, 9L\n\n#define SN_des_cbc \"DES-CBC\"\n#define LN_des_cbc \"des-cbc\"\n#define NID_des_cbc 31\n#define OBJ_des_cbc 1L, 3L, 14L, 3L, 2L, 7L\n\n#define SN_des_ede_ecb \"DES-EDE\"\n#define LN_des_ede_ecb \"des-ede\"\n#define NID_des_ede_ecb 32\n#define OBJ_des_ede_ecb 1L, 3L, 14L, 3L, 2L, 17L\n\n#define SN_des_ede3_ecb \"DES-EDE3\"\n#define LN_des_ede3_ecb \"des-ede3\"\n#define NID_des_ede3_ecb 33\n\n#define SN_idea_cbc \"IDEA-CBC\"\n#define LN_idea_cbc \"idea-cbc\"\n#define NID_idea_cbc 34\n#define OBJ_idea_cbc 1L, 3L, 6L, 1L, 4L, 1L, 188L, 7L, 1L, 1L, 2L\n\n#define SN_idea_cfb64 \"IDEA-CFB\"\n#define LN_idea_cfb64 \"idea-cfb\"\n#define NID_idea_cfb64 35\n\n#define SN_idea_ecb \"IDEA-ECB\"\n#define LN_idea_ecb \"idea-ecb\"\n#define NID_idea_ecb 36\n\n#define SN_rc2_cbc \"RC2-CBC\"\n#define LN_rc2_cbc \"rc2-cbc\"\n#define NID_rc2_cbc 37\n#define OBJ_rc2_cbc 1L, 2L, 840L, 113549L, 3L, 2L\n\n#define SN_rc2_ecb \"RC2-ECB\"\n#define LN_rc2_ecb \"rc2-ecb\"\n#define NID_rc2_ecb 38\n\n#define SN_rc2_cfb64 \"RC2-CFB\"\n#define LN_rc2_cfb64 \"rc2-cfb\"\n#define NID_rc2_cfb64 39\n\n#define SN_rc2_ofb64 \"RC2-OFB\"\n#define LN_rc2_ofb64 \"rc2-ofb\"\n#define NID_rc2_ofb64 40\n\n#define SN_sha \"SHA\"\n#define LN_sha \"sha\"\n#define NID_sha 41\n#define OBJ_sha 1L, 3L, 14L, 3L, 2L, 18L\n\n#define SN_shaWithRSAEncryption \"RSA-SHA\"\n#define LN_shaWithRSAEncryption \"shaWithRSAEncryption\"\n#define NID_shaWithRSAEncryption 42\n#define OBJ_shaWithRSAEncryption 1L, 3L, 14L, 3L, 2L, 15L\n\n#define SN_des_ede_cbc \"DES-EDE-CBC\"\n#define LN_des_ede_cbc \"des-ede-cbc\"\n#define NID_des_ede_cbc 43\n\n#define SN_des_ede3_cbc \"DES-EDE3-CBC\"\n#define LN_des_ede3_cbc \"des-ede3-cbc\"\n#define NID_des_ede3_cbc 44\n#define OBJ_des_ede3_cbc 1L, 2L, 840L, 113549L, 3L, 7L\n\n#define SN_des_ofb64 \"DES-OFB\"\n#define LN_des_ofb64 \"des-ofb\"\n#define NID_des_ofb64 45\n#define OBJ_des_ofb64 1L, 3L, 14L, 3L, 2L, 8L\n\n#define SN_idea_ofb64 \"IDEA-OFB\"\n#define LN_idea_ofb64 \"idea-ofb\"\n#define NID_idea_ofb64 46\n\n#define SN_pkcs9 \"pkcs9\"\n#define NID_pkcs9 47\n#define OBJ_pkcs9 1L, 2L, 840L, 113549L, 1L, 9L\n\n#define LN_pkcs9_emailAddress \"emailAddress\"\n#define NID_pkcs9_emailAddress 48\n#define OBJ_pkcs9_emailAddress 1L, 2L, 840L, 113549L, 1L, 9L, 1L\n\n#define LN_pkcs9_unstructuredName \"unstructuredName\"\n#define NID_pkcs9_unstructuredName 49\n#define OBJ_pkcs9_unstructuredName 1L, 2L, 840L, 113549L, 1L, 9L, 2L\n\n#define LN_pkcs9_contentType \"contentType\"\n#define NID_pkcs9_contentType 50\n#define OBJ_pkcs9_contentType 1L, 2L, 840L, 113549L, 1L, 9L, 3L\n\n#define LN_pkcs9_messageDigest \"messageDigest\"\n#define NID_pkcs9_messageDigest 51\n#define OBJ_pkcs9_messageDigest 1L, 2L, 840L, 113549L, 1L, 9L, 4L\n\n#define LN_pkcs9_signingTime \"signingTime\"\n#define NID_pkcs9_signingTime 52\n#define OBJ_pkcs9_signingTime 1L, 2L, 840L, 113549L, 1L, 9L, 5L\n\n#define LN_pkcs9_countersignature \"countersignature\"\n#define NID_pkcs9_countersignature 53\n#define OBJ_pkcs9_countersignature 1L, 2L, 840L, 113549L, 1L, 9L, 6L\n\n#define LN_pkcs9_challengePassword \"challengePassword\"\n#define NID_pkcs9_challengePassword 54\n#define OBJ_pkcs9_challengePassword 1L, 2L, 840L, 113549L, 1L, 9L, 7L\n\n#define LN_pkcs9_unstructuredAddress \"unstructuredAddress\"\n#define NID_pkcs9_unstructuredAddress 55\n#define OBJ_pkcs9_unstructuredAddress 1L, 2L, 840L, 113549L, 1L, 9L, 8L\n\n#define LN_pkcs9_extCertAttributes \"extendedCertificateAttributes\"\n#define NID_pkcs9_extCertAttributes 56\n#define OBJ_pkcs9_extCertAttributes 1L, 2L, 840L, 113549L, 1L, 9L, 9L\n\n#define SN_netscape \"Netscape\"\n#define LN_netscape \"Netscape Communications Corp.\"\n#define NID_netscape 57\n#define OBJ_netscape 2L, 16L, 840L, 1L, 113730L\n\n#define SN_netscape_cert_extension \"nsCertExt\"\n#define LN_netscape_cert_extension \"Netscape Certificate Extension\"\n#define NID_netscape_cert_extension 58\n#define OBJ_netscape_cert_extension 2L, 16L, 840L, 1L, 113730L, 1L\n\n#define SN_netscape_data_type \"nsDataType\"\n#define LN_netscape_data_type \"Netscape Data Type\"\n#define NID_netscape_data_type 59\n#define OBJ_netscape_data_type 2L, 16L, 840L, 1L, 113730L, 2L\n\n#define SN_des_ede_cfb64 \"DES-EDE-CFB\"\n#define LN_des_ede_cfb64 \"des-ede-cfb\"\n#define NID_des_ede_cfb64 60\n\n#define SN_des_ede3_cfb64 \"DES-EDE3-CFB\"\n#define LN_des_ede3_cfb64 \"des-ede3-cfb\"\n#define NID_des_ede3_cfb64 61\n\n#define SN_des_ede_ofb64 \"DES-EDE-OFB\"\n#define LN_des_ede_ofb64 \"des-ede-ofb\"\n#define NID_des_ede_ofb64 62\n\n#define SN_des_ede3_ofb64 \"DES-EDE3-OFB\"\n#define LN_des_ede3_ofb64 \"des-ede3-ofb\"\n#define NID_des_ede3_ofb64 63\n\n#define SN_sha1 \"SHA1\"\n#define LN_sha1 \"sha1\"\n#define NID_sha1 64\n#define OBJ_sha1 1L, 3L, 14L, 3L, 2L, 26L\n\n#define SN_sha1WithRSAEncryption \"RSA-SHA1\"\n#define LN_sha1WithRSAEncryption \"sha1WithRSAEncryption\"\n#define NID_sha1WithRSAEncryption 65\n#define OBJ_sha1WithRSAEncryption 1L, 2L, 840L, 113549L, 1L, 1L, 5L\n\n#define SN_dsaWithSHA \"DSA-SHA\"\n#define LN_dsaWithSHA \"dsaWithSHA\"\n#define NID_dsaWithSHA 66\n#define OBJ_dsaWithSHA 1L, 3L, 14L, 3L, 2L, 13L\n\n#define SN_dsa_2 \"DSA-old\"\n#define LN_dsa_2 \"dsaEncryption-old\"\n#define NID_dsa_2 67\n#define OBJ_dsa_2 1L, 3L, 14L, 3L, 2L, 12L\n\n#define SN_pbeWithSHA1AndRC2_CBC \"PBE-SHA1-RC2-64\"\n#define LN_pbeWithSHA1AndRC2_CBC \"pbeWithSHA1AndRC2-CBC\"\n#define NID_pbeWithSHA1AndRC2_CBC 68\n#define OBJ_pbeWithSHA1AndRC2_CBC 1L, 2L, 840L, 113549L, 1L, 5L, 11L\n\n#define LN_id_pbkdf2 \"PBKDF2\"\n#define NID_id_pbkdf2 69\n#define OBJ_id_pbkdf2 1L, 2L, 840L, 113549L, 1L, 5L, 12L\n\n#define SN_dsaWithSHA1_2 \"DSA-SHA1-old\"\n#define LN_dsaWithSHA1_2 \"dsaWithSHA1-old\"\n#define NID_dsaWithSHA1_2 70\n#define OBJ_dsaWithSHA1_2 1L, 3L, 14L, 3L, 2L, 27L\n\n#define SN_netscape_cert_type \"nsCertType\"\n#define LN_netscape_cert_type \"Netscape Cert Type\"\n#define NID_netscape_cert_type 71\n#define OBJ_netscape_cert_type 2L, 16L, 840L, 1L, 113730L, 1L, 1L\n\n#define SN_netscape_base_url \"nsBaseUrl\"\n#define LN_netscape_base_url \"Netscape Base Url\"\n#define NID_netscape_base_url 72\n#define OBJ_netscape_base_url 2L, 16L, 840L, 1L, 113730L, 1L, 2L\n\n#define SN_netscape_revocation_url \"nsRevocationUrl\"\n#define LN_netscape_revocation_url \"Netscape Revocation Url\"\n#define NID_netscape_revocation_url 73\n#define OBJ_netscape_revocation_url 2L, 16L, 840L, 1L, 113730L, 1L, 3L\n\n#define SN_netscape_ca_revocation_url \"nsCaRevocationUrl\"\n#define LN_netscape_ca_revocation_url \"Netscape CA Revocation Url\"\n#define NID_netscape_ca_revocation_url 74\n#define OBJ_netscape_ca_revocation_url 2L, 16L, 840L, 1L, 113730L, 1L, 4L\n\n#define SN_netscape_renewal_url \"nsRenewalUrl\"\n#define LN_netscape_renewal_url \"Netscape Renewal Url\"\n#define NID_netscape_renewal_url 75\n#define OBJ_netscape_renewal_url 2L, 16L, 840L, 1L, 113730L, 1L, 7L\n\n#define SN_netscape_ca_policy_url \"nsCaPolicyUrl\"\n#define LN_netscape_ca_policy_url \"Netscape CA Policy Url\"\n#define NID_netscape_ca_policy_url 76\n#define OBJ_netscape_ca_policy_url 2L, 16L, 840L, 1L, 113730L, 1L, 8L\n\n#define SN_netscape_ssl_server_name \"nsSslServerName\"\n#define LN_netscape_ssl_server_name \"Netscape SSL Server Name\"\n#define NID_netscape_ssl_server_name 77\n#define OBJ_netscape_ssl_server_name 2L, 16L, 840L, 1L, 113730L, 1L, 12L\n\n#define SN_netscape_comment \"nsComment\"\n#define LN_netscape_comment \"Netscape Comment\"\n#define NID_netscape_comment 78\n#define OBJ_netscape_comment 2L, 16L, 840L, 1L, 113730L, 1L, 13L\n\n#define SN_netscape_cert_sequence \"nsCertSequence\"\n#define LN_netscape_cert_sequence \"Netscape Certificate Sequence\"\n#define NID_netscape_cert_sequence 79\n#define OBJ_netscape_cert_sequence 2L, 16L, 840L, 1L, 113730L, 2L, 5L\n\n#define SN_desx_cbc \"DESX-CBC\"\n#define LN_desx_cbc \"desx-cbc\"\n#define NID_desx_cbc 80\n\n#define SN_id_ce \"id-ce\"\n#define NID_id_ce 81\n#define OBJ_id_ce 2L, 5L, 29L\n\n#define SN_subject_key_identifier \"subjectKeyIdentifier\"\n#define LN_subject_key_identifier \"X509v3 Subject Key Identifier\"\n#define NID_subject_key_identifier 82\n#define OBJ_subject_key_identifier 2L, 5L, 29L, 14L\n\n#define SN_key_usage \"keyUsage\"\n#define LN_key_usage \"X509v3 Key Usage\"\n#define NID_key_usage 83\n#define OBJ_key_usage 2L, 5L, 29L, 15L\n\n#define SN_private_key_usage_period \"privateKeyUsagePeriod\"\n#define LN_private_key_usage_period \"X509v3 Private Key Usage Period\"\n#define NID_private_key_usage_period 84\n#define OBJ_private_key_usage_period 2L, 5L, 29L, 16L\n\n#define SN_subject_alt_name \"subjectAltName\"\n#define LN_subject_alt_name \"X509v3 Subject Alternative Name\"\n#define NID_subject_alt_name 85\n#define OBJ_subject_alt_name 2L, 5L, 29L, 17L\n\n#define SN_issuer_alt_name \"issuerAltName\"\n#define LN_issuer_alt_name \"X509v3 Issuer Alternative Name\"\n#define NID_issuer_alt_name 86\n#define OBJ_issuer_alt_name 2L, 5L, 29L, 18L\n\n#define SN_basic_constraints \"basicConstraints\"\n#define LN_basic_constraints \"X509v3 Basic Constraints\"\n#define NID_basic_constraints 87\n#define OBJ_basic_constraints 2L, 5L, 29L, 19L\n\n#define SN_crl_number \"crlNumber\"\n#define LN_crl_number \"X509v3 CRL Number\"\n#define NID_crl_number 88\n#define OBJ_crl_number 2L, 5L, 29L, 20L\n\n#define SN_certificate_policies \"certificatePolicies\"\n#define LN_certificate_policies \"X509v3 Certificate Policies\"\n#define NID_certificate_policies 89\n#define OBJ_certificate_policies 2L, 5L, 29L, 32L\n\n#define SN_authority_key_identifier \"authorityKeyIdentifier\"\n#define LN_authority_key_identifier \"X509v3 Authority Key Identifier\"\n#define NID_authority_key_identifier 90\n#define OBJ_authority_key_identifier 2L, 5L, 29L, 35L\n\n#define SN_bf_cbc \"BF-CBC\"\n#define LN_bf_cbc \"bf-cbc\"\n#define NID_bf_cbc 91\n#define OBJ_bf_cbc 1L, 3L, 6L, 1L, 4L, 1L, 3029L, 1L, 2L\n\n#define SN_bf_ecb \"BF-ECB\"\n#define LN_bf_ecb \"bf-ecb\"\n#define NID_bf_ecb 92\n\n#define SN_bf_cfb64 \"BF-CFB\"\n#define LN_bf_cfb64 \"bf-cfb\"\n#define NID_bf_cfb64 93\n\n#define SN_bf_ofb64 \"BF-OFB\"\n#define LN_bf_ofb64 \"bf-ofb\"\n#define NID_bf_ofb64 94\n\n#define SN_mdc2 \"MDC2\"\n#define LN_mdc2 \"mdc2\"\n#define NID_mdc2 95\n#define OBJ_mdc2 2L, 5L, 8L, 3L, 101L\n\n#define SN_mdc2WithRSA \"RSA-MDC2\"\n#define LN_mdc2WithRSA \"mdc2WithRSA\"\n#define NID_mdc2WithRSA 96\n#define OBJ_mdc2WithRSA 2L, 5L, 8L, 3L, 100L\n\n#define SN_rc4_40 \"RC4-40\"\n#define LN_rc4_40 \"rc4-40\"\n#define NID_rc4_40 97\n\n#define SN_rc2_40_cbc \"RC2-40-CBC\"\n#define LN_rc2_40_cbc \"rc2-40-cbc\"\n#define NID_rc2_40_cbc 98\n\n#define SN_givenName \"GN\"\n#define LN_givenName \"givenName\"\n#define NID_givenName 99\n#define OBJ_givenName 2L, 5L, 4L, 42L\n\n#define SN_surname \"SN\"\n#define LN_surname \"surname\"\n#define NID_surname 100\n#define OBJ_surname 2L, 5L, 4L, 4L\n\n#define SN_initials \"initials\"\n#define LN_initials \"initials\"\n#define NID_initials 101\n#define OBJ_initials 2L, 5L, 4L, 43L\n\n#define SN_crl_distribution_points \"crlDistributionPoints\"\n#define LN_crl_distribution_points \"X509v3 CRL Distribution Points\"\n#define NID_crl_distribution_points 103\n#define OBJ_crl_distribution_points 2L, 5L, 29L, 31L\n\n#define SN_md5WithRSA \"RSA-NP-MD5\"\n#define LN_md5WithRSA \"md5WithRSA\"\n#define NID_md5WithRSA 104\n#define OBJ_md5WithRSA 1L, 3L, 14L, 3L, 2L, 3L\n\n#define LN_serialNumber \"serialNumber\"\n#define NID_serialNumber 105\n#define OBJ_serialNumber 2L, 5L, 4L, 5L\n\n#define SN_title \"title\"\n#define LN_title \"title\"\n#define NID_title 106\n#define OBJ_title 2L, 5L, 4L, 12L\n\n#define LN_description \"description\"\n#define NID_description 107\n#define OBJ_description 2L, 5L, 4L, 13L\n\n#define SN_cast5_cbc \"CAST5-CBC\"\n#define LN_cast5_cbc \"cast5-cbc\"\n#define NID_cast5_cbc 108\n#define OBJ_cast5_cbc 1L, 2L, 840L, 113533L, 7L, 66L, 10L\n\n#define SN_cast5_ecb \"CAST5-ECB\"\n#define LN_cast5_ecb \"cast5-ecb\"\n#define NID_cast5_ecb 109\n\n#define SN_cast5_cfb64 \"CAST5-CFB\"\n#define LN_cast5_cfb64 \"cast5-cfb\"\n#define NID_cast5_cfb64 110\n\n#define SN_cast5_ofb64 \"CAST5-OFB\"\n#define LN_cast5_ofb64 \"cast5-ofb\"\n#define NID_cast5_ofb64 111\n\n#define LN_pbeWithMD5AndCast5_CBC \"pbeWithMD5AndCast5CBC\"\n#define NID_pbeWithMD5AndCast5_CBC 112\n#define OBJ_pbeWithMD5AndCast5_CBC 1L, 2L, 840L, 113533L, 7L, 66L, 12L\n\n#define SN_dsaWithSHA1 \"DSA-SHA1\"\n#define LN_dsaWithSHA1 \"dsaWithSHA1\"\n#define NID_dsaWithSHA1 113\n#define OBJ_dsaWithSHA1 1L, 2L, 840L, 10040L, 4L, 3L\n\n#define SN_md5_sha1 \"MD5-SHA1\"\n#define LN_md5_sha1 \"md5-sha1\"\n#define NID_md5_sha1 114\n\n#define SN_sha1WithRSA \"RSA-SHA1-2\"\n#define LN_sha1WithRSA \"sha1WithRSA\"\n#define NID_sha1WithRSA 115\n#define OBJ_sha1WithRSA 1L, 3L, 14L, 3L, 2L, 29L\n\n#define SN_dsa \"DSA\"\n#define LN_dsa \"dsaEncryption\"\n#define NID_dsa 116\n#define OBJ_dsa 1L, 2L, 840L, 10040L, 4L, 1L\n\n#define SN_ripemd160 \"RIPEMD160\"\n#define LN_ripemd160 \"ripemd160\"\n#define NID_ripemd160 117\n#define OBJ_ripemd160 1L, 3L, 36L, 3L, 2L, 1L\n\n#define SN_ripemd160WithRSA \"RSA-RIPEMD160\"\n#define LN_ripemd160WithRSA \"ripemd160WithRSA\"\n#define NID_ripemd160WithRSA 119\n#define OBJ_ripemd160WithRSA 1L, 3L, 36L, 3L, 3L, 1L, 2L\n\n#define SN_rc5_cbc \"RC5-CBC\"\n#define LN_rc5_cbc \"rc5-cbc\"\n#define NID_rc5_cbc 120\n#define OBJ_rc5_cbc 1L, 2L, 840L, 113549L, 3L, 8L\n\n#define SN_rc5_ecb \"RC5-ECB\"\n#define LN_rc5_ecb \"rc5-ecb\"\n#define NID_rc5_ecb 121\n\n#define SN_rc5_cfb64 \"RC5-CFB\"\n#define LN_rc5_cfb64 \"rc5-cfb\"\n#define NID_rc5_cfb64 122\n\n#define SN_rc5_ofb64 \"RC5-OFB\"\n#define LN_rc5_ofb64 \"rc5-ofb\"\n#define NID_rc5_ofb64 123\n\n#define SN_zlib_compression \"ZLIB\"\n#define LN_zlib_compression \"zlib compression\"\n#define NID_zlib_compression 125\n#define OBJ_zlib_compression 1L, 2L, 840L, 113549L, 1L, 9L, 16L, 3L, 8L\n\n#define SN_ext_key_usage \"extendedKeyUsage\"\n#define LN_ext_key_usage \"X509v3 Extended Key Usage\"\n#define NID_ext_key_usage 126\n#define OBJ_ext_key_usage 2L, 5L, 29L, 37L\n\n#define SN_id_pkix \"PKIX\"\n#define NID_id_pkix 127\n#define OBJ_id_pkix 1L, 3L, 6L, 1L, 5L, 5L, 7L\n\n#define SN_id_kp \"id-kp\"\n#define NID_id_kp 128\n#define OBJ_id_kp 1L, 3L, 6L, 1L, 5L, 5L, 7L, 3L\n\n#define SN_server_auth \"serverAuth\"\n#define LN_server_auth \"TLS Web Server Authentication\"\n#define NID_server_auth 129\n#define OBJ_server_auth 1L, 3L, 6L, 1L, 5L, 5L, 7L, 3L, 1L\n\n#define SN_client_auth \"clientAuth\"\n#define LN_client_auth \"TLS Web Client Authentication\"\n#define NID_client_auth 130\n#define OBJ_client_auth 1L, 3L, 6L, 1L, 5L, 5L, 7L, 3L, 2L\n\n#define SN_code_sign \"codeSigning\"\n#define LN_code_sign \"Code Signing\"\n#define NID_code_sign 131\n#define OBJ_code_sign 1L, 3L, 6L, 1L, 5L, 5L, 7L, 3L, 3L\n\n#define SN_email_protect \"emailProtection\"\n#define LN_email_protect \"E-mail Protection\"\n#define NID_email_protect 132\n#define OBJ_email_protect 1L, 3L, 6L, 1L, 5L, 5L, 7L, 3L, 4L\n\n#define SN_time_stamp \"timeStamping\"\n#define LN_time_stamp \"Time Stamping\"\n#define NID_time_stamp 133\n#define OBJ_time_stamp 1L, 3L, 6L, 1L, 5L, 5L, 7L, 3L, 8L\n\n#define SN_ms_code_ind \"msCodeInd\"\n#define LN_ms_code_ind \"Microsoft Individual Code Signing\"\n#define NID_ms_code_ind 134\n#define OBJ_ms_code_ind 1L, 3L, 6L, 1L, 4L, 1L, 311L, 2L, 1L, 21L\n\n#define SN_ms_code_com \"msCodeCom\"\n#define LN_ms_code_com \"Microsoft Commercial Code Signing\"\n#define NID_ms_code_com 135\n#define OBJ_ms_code_com 1L, 3L, 6L, 1L, 4L, 1L, 311L, 2L, 1L, 22L\n\n#define SN_ms_ctl_sign \"msCTLSign\"\n#define LN_ms_ctl_sign \"Microsoft Trust List Signing\"\n#define NID_ms_ctl_sign 136\n#define OBJ_ms_ctl_sign 1L, 3L, 6L, 1L, 4L, 1L, 311L, 10L, 3L, 1L\n\n#define SN_ms_sgc \"msSGC\"\n#define LN_ms_sgc \"Microsoft Server Gated Crypto\"\n#define NID_ms_sgc 137\n#define OBJ_ms_sgc 1L, 3L, 6L, 1L, 4L, 1L, 311L, 10L, 3L, 3L\n\n#define SN_ms_efs \"msEFS\"\n#define LN_ms_efs \"Microsoft Encrypted File System\"\n#define NID_ms_efs 138\n#define OBJ_ms_efs 1L, 3L, 6L, 1L, 4L, 1L, 311L, 10L, 3L, 4L\n\n#define SN_ns_sgc \"nsSGC\"\n#define LN_ns_sgc \"Netscape Server Gated Crypto\"\n#define NID_ns_sgc 139\n#define OBJ_ns_sgc 2L, 16L, 840L, 1L, 113730L, 4L, 1L\n\n#define SN_delta_crl \"deltaCRL\"\n#define LN_delta_crl \"X509v3 Delta CRL Indicator\"\n#define NID_delta_crl 140\n#define OBJ_delta_crl 2L, 5L, 29L, 27L\n\n#define SN_crl_reason \"CRLReason\"\n#define LN_crl_reason \"X509v3 CRL Reason Code\"\n#define NID_crl_reason 141\n#define OBJ_crl_reason 2L, 5L, 29L, 21L\n\n#define SN_invalidity_date \"invalidityDate\"\n#define LN_invalidity_date \"Invalidity Date\"\n#define NID_invalidity_date 142\n#define OBJ_invalidity_date 2L, 5L, 29L, 24L\n\n#define SN_sxnet \"SXNetID\"\n#define LN_sxnet \"Strong Extranet ID\"\n#define NID_sxnet 143\n#define OBJ_sxnet 1L, 3L, 101L, 1L, 4L, 1L\n\n#define SN_pbe_WithSHA1And128BitRC4 \"PBE-SHA1-RC4-128\"\n#define LN_pbe_WithSHA1And128BitRC4 \"pbeWithSHA1And128BitRC4\"\n#define NID_pbe_WithSHA1And128BitRC4 144\n#define OBJ_pbe_WithSHA1And128BitRC4 1L, 2L, 840L, 113549L, 1L, 12L, 1L, 1L\n\n#define SN_pbe_WithSHA1And40BitRC4 \"PBE-SHA1-RC4-40\"\n#define LN_pbe_WithSHA1And40BitRC4 \"pbeWithSHA1And40BitRC4\"\n#define NID_pbe_WithSHA1And40BitRC4 145\n#define OBJ_pbe_WithSHA1And40BitRC4 1L, 2L, 840L, 113549L, 1L, 12L, 1L, 2L\n\n#define SN_pbe_WithSHA1And3_Key_TripleDES_CBC \"PBE-SHA1-3DES\"\n#define LN_pbe_WithSHA1And3_Key_TripleDES_CBC \"pbeWithSHA1And3-KeyTripleDES-CBC\"\n#define NID_pbe_WithSHA1And3_Key_TripleDES_CBC 146\n#define OBJ_pbe_WithSHA1And3_Key_TripleDES_CBC \\\n 1L, 2L, 840L, 113549L, 1L, 12L, 1L, 3L\n\n#define SN_pbe_WithSHA1And2_Key_TripleDES_CBC \"PBE-SHA1-2DES\"\n#define LN_pbe_WithSHA1And2_Key_TripleDES_CBC \"pbeWithSHA1And2-KeyTripleDES-CBC\"\n#define NID_pbe_WithSHA1And2_Key_TripleDES_CBC 147\n#define OBJ_pbe_WithSHA1And2_Key_TripleDES_CBC \\\n 1L, 2L, 840L, 113549L, 1L, 12L, 1L, 4L\n\n#define SN_pbe_WithSHA1And128BitRC2_CBC \"PBE-SHA1-RC2-128\"\n#define LN_pbe_WithSHA1And128BitRC2_CBC \"pbeWithSHA1And128BitRC2-CBC\"\n#define NID_pbe_WithSHA1And128BitRC2_CBC 148\n#define OBJ_pbe_WithSHA1And128BitRC2_CBC 1L, 2L, 840L, 113549L, 1L, 12L, 1L, 5L\n\n#define SN_pbe_WithSHA1And40BitRC2_CBC \"PBE-SHA1-RC2-40\"\n#define LN_pbe_WithSHA1And40BitRC2_CBC \"pbeWithSHA1And40BitRC2-CBC\"\n#define NID_pbe_WithSHA1And40BitRC2_CBC 149\n#define OBJ_pbe_WithSHA1And40BitRC2_CBC 1L, 2L, 840L, 113549L, 1L, 12L, 1L, 6L\n\n#define LN_keyBag \"keyBag\"\n#define NID_keyBag 150\n#define OBJ_keyBag 1L, 2L, 840L, 113549L, 1L, 12L, 10L, 1L, 1L\n\n#define LN_pkcs8ShroudedKeyBag \"pkcs8ShroudedKeyBag\"\n#define NID_pkcs8ShroudedKeyBag 151\n#define OBJ_pkcs8ShroudedKeyBag 1L, 2L, 840L, 113549L, 1L, 12L, 10L, 1L, 2L\n\n#define LN_certBag \"certBag\"\n#define NID_certBag 152\n#define OBJ_certBag 1L, 2L, 840L, 113549L, 1L, 12L, 10L, 1L, 3L\n\n#define LN_crlBag \"crlBag\"\n#define NID_crlBag 153\n#define OBJ_crlBag 1L, 2L, 840L, 113549L, 1L, 12L, 10L, 1L, 4L\n\n#define LN_secretBag \"secretBag\"\n#define NID_secretBag 154\n#define OBJ_secretBag 1L, 2L, 840L, 113549L, 1L, 12L, 10L, 1L, 5L\n\n#define LN_safeContentsBag \"safeContentsBag\"\n#define NID_safeContentsBag 155\n#define OBJ_safeContentsBag 1L, 2L, 840L, 113549L, 1L, 12L, 10L, 1L, 6L\n\n#define LN_friendlyName \"friendlyName\"\n#define NID_friendlyName 156\n#define OBJ_friendlyName 1L, 2L, 840L, 113549L, 1L, 9L, 20L\n\n#define LN_localKeyID \"localKeyID\"\n#define NID_localKeyID 157\n#define OBJ_localKeyID 1L, 2L, 840L, 113549L, 1L, 9L, 21L\n\n#define LN_x509Certificate \"x509Certificate\"\n#define NID_x509Certificate 158\n#define OBJ_x509Certificate 1L, 2L, 840L, 113549L, 1L, 9L, 22L, 1L\n\n#define LN_sdsiCertificate \"sdsiCertificate\"\n#define NID_sdsiCertificate 159\n#define OBJ_sdsiCertificate 1L, 2L, 840L, 113549L, 1L, 9L, 22L, 2L\n\n#define LN_x509Crl \"x509Crl\"\n#define NID_x509Crl 160\n#define OBJ_x509Crl 1L, 2L, 840L, 113549L, 1L, 9L, 23L, 1L\n\n#define LN_pbes2 \"PBES2\"\n#define NID_pbes2 161\n#define OBJ_pbes2 1L, 2L, 840L, 113549L, 1L, 5L, 13L\n\n#define LN_pbmac1 \"PBMAC1\"\n#define NID_pbmac1 162\n#define OBJ_pbmac1 1L, 2L, 840L, 113549L, 1L, 5L, 14L\n\n#define LN_hmacWithSHA1 \"hmacWithSHA1\"\n#define NID_hmacWithSHA1 163\n#define OBJ_hmacWithSHA1 1L, 2L, 840L, 113549L, 2L, 7L\n\n#define SN_id_qt_cps \"id-qt-cps\"\n#define LN_id_qt_cps \"Policy Qualifier CPS\"\n#define NID_id_qt_cps 164\n#define OBJ_id_qt_cps 1L, 3L, 6L, 1L, 5L, 5L, 7L, 2L, 1L\n\n#define SN_id_qt_unotice \"id-qt-unotice\"\n#define LN_id_qt_unotice \"Policy Qualifier User Notice\"\n#define NID_id_qt_unotice 165\n#define OBJ_id_qt_unotice 1L, 3L, 6L, 1L, 5L, 5L, 7L, 2L, 2L\n\n#define SN_rc2_64_cbc \"RC2-64-CBC\"\n#define LN_rc2_64_cbc \"rc2-64-cbc\"\n#define NID_rc2_64_cbc 166\n\n#define SN_SMIMECapabilities \"SMIME-CAPS\"\n#define LN_SMIMECapabilities \"S/MIME Capabilities\"\n#define NID_SMIMECapabilities 167\n#define OBJ_SMIMECapabilities 1L, 2L, 840L, 113549L, 1L, 9L, 15L\n\n#define SN_pbeWithMD2AndRC2_CBC \"PBE-MD2-RC2-64\"\n#define LN_pbeWithMD2AndRC2_CBC \"pbeWithMD2AndRC2-CBC\"\n#define NID_pbeWithMD2AndRC2_CBC 168\n#define OBJ_pbeWithMD2AndRC2_CBC 1L, 2L, 840L, 113549L, 1L, 5L, 4L\n\n#define SN_pbeWithMD5AndRC2_CBC \"PBE-MD5-RC2-64\"\n#define LN_pbeWithMD5AndRC2_CBC \"pbeWithMD5AndRC2-CBC\"\n#define NID_pbeWithMD5AndRC2_CBC 169\n#define OBJ_pbeWithMD5AndRC2_CBC 1L, 2L, 840L, 113549L, 1L, 5L, 6L\n\n#define SN_pbeWithSHA1AndDES_CBC \"PBE-SHA1-DES\"\n#define LN_pbeWithSHA1AndDES_CBC \"pbeWithSHA1AndDES-CBC\"\n#define NID_pbeWithSHA1AndDES_CBC 170\n#define OBJ_pbeWithSHA1AndDES_CBC 1L, 2L, 840L, 113549L, 1L, 5L, 10L\n\n#define SN_ms_ext_req \"msExtReq\"\n#define LN_ms_ext_req \"Microsoft Extension Request\"\n#define NID_ms_ext_req 171\n#define OBJ_ms_ext_req 1L, 3L, 6L, 1L, 4L, 1L, 311L, 2L, 1L, 14L\n\n#define SN_ext_req \"extReq\"\n#define LN_ext_req \"Extension Request\"\n#define NID_ext_req 172\n#define OBJ_ext_req 1L, 2L, 840L, 113549L, 1L, 9L, 14L\n\n#define SN_name \"name\"\n#define LN_name \"name\"\n#define NID_name 173\n#define OBJ_name 2L, 5L, 4L, 41L\n\n#define SN_dnQualifier \"dnQualifier\"\n#define LN_dnQualifier \"dnQualifier\"\n#define NID_dnQualifier 174\n#define OBJ_dnQualifier 2L, 5L, 4L, 46L\n\n#define SN_id_pe \"id-pe\"\n#define NID_id_pe 175\n#define OBJ_id_pe 1L, 3L, 6L, 1L, 5L, 5L, 7L, 1L\n\n#define SN_id_ad \"id-ad\"\n#define NID_id_ad 176\n#define OBJ_id_ad 1L, 3L, 6L, 1L, 5L, 5L, 7L, 48L\n\n#define SN_info_access \"authorityInfoAccess\"\n#define LN_info_access \"Authority Information Access\"\n#define NID_info_access 177\n#define OBJ_info_access 1L, 3L, 6L, 1L, 5L, 5L, 7L, 1L, 1L\n\n#define SN_ad_OCSP \"OCSP\"\n#define LN_ad_OCSP \"OCSP\"\n#define NID_ad_OCSP 178\n#define OBJ_ad_OCSP 1L, 3L, 6L, 1L, 5L, 5L, 7L, 48L, 1L\n\n#define SN_ad_ca_issuers \"caIssuers\"\n#define LN_ad_ca_issuers \"CA Issuers\"\n#define NID_ad_ca_issuers 179\n#define OBJ_ad_ca_issuers 1L, 3L, 6L, 1L, 5L, 5L, 7L, 48L, 2L\n\n#define SN_OCSP_sign \"OCSPSigning\"\n#define LN_OCSP_sign \"OCSP Signing\"\n#define NID_OCSP_sign 180\n#define OBJ_OCSP_sign 1L, 3L, 6L, 1L, 5L, 5L, 7L, 3L, 9L\n\n#define SN_iso \"ISO\"\n#define LN_iso \"iso\"\n#define NID_iso 181\n#define OBJ_iso 1L\n\n#define SN_member_body \"member-body\"\n#define LN_member_body \"ISO Member Body\"\n#define NID_member_body 182\n#define OBJ_member_body 1L, 2L\n\n#define SN_ISO_US \"ISO-US\"\n#define LN_ISO_US \"ISO US Member Body\"\n#define NID_ISO_US 183\n#define OBJ_ISO_US 1L, 2L, 840L\n\n#define SN_X9_57 \"X9-57\"\n#define LN_X9_57 \"X9.57\"\n#define NID_X9_57 184\n#define OBJ_X9_57 1L, 2L, 840L, 10040L\n\n#define SN_X9cm \"X9cm\"\n#define LN_X9cm \"X9.57 CM ?\"\n#define NID_X9cm 185\n#define OBJ_X9cm 1L, 2L, 840L, 10040L, 4L\n\n#define SN_pkcs1 \"pkcs1\"\n#define NID_pkcs1 186\n#define OBJ_pkcs1 1L, 2L, 840L, 113549L, 1L, 1L\n\n#define SN_pkcs5 \"pkcs5\"\n#define NID_pkcs5 187\n#define OBJ_pkcs5 1L, 2L, 840L, 113549L, 1L, 5L\n\n#define SN_SMIME \"SMIME\"\n#define LN_SMIME \"S/MIME\"\n#define NID_SMIME 188\n#define OBJ_SMIME 1L, 2L, 840L, 113549L, 1L, 9L, 16L\n\n#define SN_id_smime_mod \"id-smime-mod\"\n#define NID_id_smime_mod 189\n#define OBJ_id_smime_mod 1L, 2L, 840L, 113549L, 1L, 9L, 16L, 0L\n\n#define SN_id_smime_ct \"id-smime-ct\"\n#define NID_id_smime_ct 190\n#define OBJ_id_smime_ct 1L, 2L, 840L, 113549L, 1L, 9L, 16L, 1L\n\n#define SN_id_smime_aa \"id-smime-aa\"\n#define NID_id_smime_aa 191\n#define OBJ_id_smime_aa 1L, 2L, 840L, 113549L, 1L, 9L, 16L, 2L\n\n#define SN_id_smime_alg \"id-smime-alg\"\n#define NID_id_smime_alg 192\n#define OBJ_id_smime_alg 1L, 2L, 840L, 113549L, 1L, 9L, 16L, 3L\n\n#define SN_id_smime_cd \"id-smime-cd\"\n#define NID_id_smime_cd 193\n#define OBJ_id_smime_cd 1L, 2L, 840L, 113549L, 1L, 9L, 16L, 4L\n\n#define SN_id_smime_spq \"id-smime-spq\"\n#define NID_id_smime_spq 194\n#define OBJ_id_smime_spq 1L, 2L, 840L, 113549L, 1L, 9L, 16L, 5L\n\n#define SN_id_smime_cti \"id-smime-cti\"\n#define NID_id_smime_cti 195\n#define OBJ_id_smime_cti 1L, 2L, 840L, 113549L, 1L, 9L, 16L, 6L\n\n#define SN_id_smime_mod_cms \"id-smime-mod-cms\"\n#define NID_id_smime_mod_cms 196\n#define OBJ_id_smime_mod_cms 1L, 2L, 840L, 113549L, 1L, 9L, 16L, 0L, 1L\n\n#define SN_id_smime_mod_ess \"id-smime-mod-ess\"\n#define NID_id_smime_mod_ess 197\n#define OBJ_id_smime_mod_ess 1L, 2L, 840L, 113549L, 1L, 9L, 16L, 0L, 2L\n\n#define SN_id_smime_mod_oid \"id-smime-mod-oid\"\n#define NID_id_smime_mod_oid 198\n#define OBJ_id_smime_mod_oid 1L, 2L, 840L, 113549L, 1L, 9L, 16L, 0L, 3L\n\n#define SN_id_smime_mod_msg_v3 \"id-smime-mod-msg-v3\"\n#define NID_id_smime_mod_msg_v3 199\n#define OBJ_id_smime_mod_msg_v3 1L, 2L, 840L, 113549L, 1L, 9L, 16L, 0L, 4L\n\n#define SN_id_smime_mod_ets_eSignature_88 \"id-smime-mod-ets-eSignature-88\"\n#define NID_id_smime_mod_ets_eSignature_88 200\n#define OBJ_id_smime_mod_ets_eSignature_88 \\\n 1L, 2L, 840L, 113549L, 1L, 9L, 16L, 0L, 5L\n\n#define SN_id_smime_mod_ets_eSignature_97 \"id-smime-mod-ets-eSignature-97\"\n#define NID_id_smime_mod_ets_eSignature_97 201\n#define OBJ_id_smime_mod_ets_eSignature_97 \\\n 1L, 2L, 840L, 113549L, 1L, 9L, 16L, 0L, 6L\n\n#define SN_id_smime_mod_ets_eSigPolicy_88 \"id-smime-mod-ets-eSigPolicy-88\"\n#define NID_id_smime_mod_ets_eSigPolicy_88 202\n#define OBJ_id_smime_mod_ets_eSigPolicy_88 \\\n 1L, 2L, 840L, 113549L, 1L, 9L, 16L, 0L, 7L\n\n#define SN_id_smime_mod_ets_eSigPolicy_97 \"id-smime-mod-ets-eSigPolicy-97\"\n#define NID_id_smime_mod_ets_eSigPolicy_97 203\n#define OBJ_id_smime_mod_ets_eSigPolicy_97 \\\n 1L, 2L, 840L, 113549L, 1L, 9L, 16L, 0L, 8L\n\n#define SN_id_smime_ct_receipt \"id-smime-ct-receipt\"\n#define NID_id_smime_ct_receipt 204\n#define OBJ_id_smime_ct_receipt 1L, 2L, 840L, 113549L, 1L, 9L, 16L, 1L, 1L\n\n#define SN_id_smime_ct_authData \"id-smime-ct-authData\"\n#define NID_id_smime_ct_authData 205\n#define OBJ_id_smime_ct_authData 1L, 2L, 840L, 113549L, 1L, 9L, 16L, 1L, 2L\n\n#define SN_id_smime_ct_publishCert \"id-smime-ct-publishCert\"\n#define NID_id_smime_ct_publishCert 206\n#define OBJ_id_smime_ct_publishCert 1L, 2L, 840L, 113549L, 1L, 9L, 16L, 1L, 3L\n\n#define SN_id_smime_ct_TSTInfo \"id-smime-ct-TSTInfo\"\n#define NID_id_smime_ct_TSTInfo 207\n#define OBJ_id_smime_ct_TSTInfo 1L, 2L, 840L, 113549L, 1L, 9L, 16L, 1L, 4L\n\n#define SN_id_smime_ct_TDTInfo \"id-smime-ct-TDTInfo\"\n#define NID_id_smime_ct_TDTInfo 208\n#define OBJ_id_smime_ct_TDTInfo 1L, 2L, 840L, 113549L, 1L, 9L, 16L, 1L, 5L\n\n#define SN_id_smime_ct_contentInfo \"id-smime-ct-contentInfo\"\n#define NID_id_smime_ct_contentInfo 209\n#define OBJ_id_smime_ct_contentInfo 1L, 2L, 840L, 113549L, 1L, 9L, 16L, 1L, 6L\n\n#define SN_id_smime_ct_DVCSRequestData \"id-smime-ct-DVCSRequestData\"\n#define NID_id_smime_ct_DVCSRequestData 210\n#define OBJ_id_smime_ct_DVCSRequestData \\\n 1L, 2L, 840L, 113549L, 1L, 9L, 16L, 1L, 7L\n\n#define SN_id_smime_ct_DVCSResponseData \"id-smime-ct-DVCSResponseData\"\n#define NID_id_smime_ct_DVCSResponseData 211\n#define OBJ_id_smime_ct_DVCSResponseData \\\n 1L, 2L, 840L, 113549L, 1L, 9L, 16L, 1L, 8L\n\n#define SN_id_smime_aa_receiptRequest \"id-smime-aa-receiptRequest\"\n#define NID_id_smime_aa_receiptRequest 212\n#define OBJ_id_smime_aa_receiptRequest \\\n 1L, 2L, 840L, 113549L, 1L, 9L, 16L, 2L, 1L\n\n#define SN_id_smime_aa_securityLabel \"id-smime-aa-securityLabel\"\n#define NID_id_smime_aa_securityLabel 213\n#define OBJ_id_smime_aa_securityLabel 1L, 2L, 840L, 113549L, 1L, 9L, 16L, 2L, 2L\n\n#define SN_id_smime_aa_mlExpandHistory \"id-smime-aa-mlExpandHistory\"\n#define NID_id_smime_aa_mlExpandHistory 214\n#define OBJ_id_smime_aa_mlExpandHistory \\\n 1L, 2L, 840L, 113549L, 1L, 9L, 16L, 2L, 3L\n\n#define SN_id_smime_aa_contentHint \"id-smime-aa-contentHint\"\n#define NID_id_smime_aa_contentHint 215\n#define OBJ_id_smime_aa_contentHint 1L, 2L, 840L, 113549L, 1L, 9L, 16L, 2L, 4L\n\n#define SN_id_smime_aa_msgSigDigest \"id-smime-aa-msgSigDigest\"\n#define NID_id_smime_aa_msgSigDigest 216\n#define OBJ_id_smime_aa_msgSigDigest 1L, 2L, 840L, 113549L, 1L, 9L, 16L, 2L, 5L\n\n#define SN_id_smime_aa_encapContentType \"id-smime-aa-encapContentType\"\n#define NID_id_smime_aa_encapContentType 217\n#define OBJ_id_smime_aa_encapContentType \\\n 1L, 2L, 840L, 113549L, 1L, 9L, 16L, 2L, 6L\n\n#define SN_id_smime_aa_contentIdentifier \"id-smime-aa-contentIdentifier\"\n#define NID_id_smime_aa_contentIdentifier 218\n#define OBJ_id_smime_aa_contentIdentifier \\\n 1L, 2L, 840L, 113549L, 1L, 9L, 16L, 2L, 7L\n\n#define SN_id_smime_aa_macValue \"id-smime-aa-macValue\"\n#define NID_id_smime_aa_macValue 219\n#define OBJ_id_smime_aa_macValue 1L, 2L, 840L, 113549L, 1L, 9L, 16L, 2L, 8L\n\n#define SN_id_smime_aa_equivalentLabels \"id-smime-aa-equivalentLabels\"\n#define NID_id_smime_aa_equivalentLabels 220\n#define OBJ_id_smime_aa_equivalentLabels \\\n 1L, 2L, 840L, 113549L, 1L, 9L, 16L, 2L, 9L\n\n#define SN_id_smime_aa_contentReference \"id-smime-aa-contentReference\"\n#define NID_id_smime_aa_contentReference 221\n#define OBJ_id_smime_aa_contentReference \\\n 1L, 2L, 840L, 113549L, 1L, 9L, 16L, 2L, 10L\n\n#define SN_id_smime_aa_encrypKeyPref \"id-smime-aa-encrypKeyPref\"\n#define NID_id_smime_aa_encrypKeyPref 222\n#define OBJ_id_smime_aa_encrypKeyPref \\\n 1L, 2L, 840L, 113549L, 1L, 9L, 16L, 2L, 11L\n\n#define SN_id_smime_aa_signingCertificate \"id-smime-aa-signingCertificate\"\n#define NID_id_smime_aa_signingCertificate 223\n#define OBJ_id_smime_aa_signingCertificate \\\n 1L, 2L, 840L, 113549L, 1L, 9L, 16L, 2L, 12L\n\n#define SN_id_smime_aa_smimeEncryptCerts \"id-smime-aa-smimeEncryptCerts\"\n#define NID_id_smime_aa_smimeEncryptCerts 224\n#define OBJ_id_smime_aa_smimeEncryptCerts \\\n 1L, 2L, 840L, 113549L, 1L, 9L, 16L, 2L, 13L\n\n#define SN_id_smime_aa_timeStampToken \"id-smime-aa-timeStampToken\"\n#define NID_id_smime_aa_timeStampToken 225\n#define OBJ_id_smime_aa_timeStampToken \\\n 1L, 2L, 840L, 113549L, 1L, 9L, 16L, 2L, 14L\n\n#define SN_id_smime_aa_ets_sigPolicyId \"id-smime-aa-ets-sigPolicyId\"\n#define NID_id_smime_aa_ets_sigPolicyId 226\n#define OBJ_id_smime_aa_ets_sigPolicyId \\\n 1L, 2L, 840L, 113549L, 1L, 9L, 16L, 2L, 15L\n\n#define SN_id_smime_aa_ets_commitmentType \"id-smime-aa-ets-commitmentType\"\n#define NID_id_smime_aa_ets_commitmentType 227\n#define OBJ_id_smime_aa_ets_commitmentType \\\n 1L, 2L, 840L, 113549L, 1L, 9L, 16L, 2L, 16L\n\n#define SN_id_smime_aa_ets_signerLocation \"id-smime-aa-ets-signerLocation\"\n#define NID_id_smime_aa_ets_signerLocation 228\n#define OBJ_id_smime_aa_ets_signerLocation \\\n 1L, 2L, 840L, 113549L, 1L, 9L, 16L, 2L, 17L\n\n#define SN_id_smime_aa_ets_signerAttr \"id-smime-aa-ets-signerAttr\"\n#define NID_id_smime_aa_ets_signerAttr 229\n#define OBJ_id_smime_aa_ets_signerAttr \\\n 1L, 2L, 840L, 113549L, 1L, 9L, 16L, 2L, 18L\n\n#define SN_id_smime_aa_ets_otherSigCert \"id-smime-aa-ets-otherSigCert\"\n#define NID_id_smime_aa_ets_otherSigCert 230\n#define OBJ_id_smime_aa_ets_otherSigCert \\\n 1L, 2L, 840L, 113549L, 1L, 9L, 16L, 2L, 19L\n\n#define SN_id_smime_aa_ets_contentTimestamp \"id-smime-aa-ets-contentTimestamp\"\n#define NID_id_smime_aa_ets_contentTimestamp 231\n#define OBJ_id_smime_aa_ets_contentTimestamp \\\n 1L, 2L, 840L, 113549L, 1L, 9L, 16L, 2L, 20L\n\n#define SN_id_smime_aa_ets_CertificateRefs \"id-smime-aa-ets-CertificateRefs\"\n#define NID_id_smime_aa_ets_CertificateRefs 232\n#define OBJ_id_smime_aa_ets_CertificateRefs \\\n 1L, 2L, 840L, 113549L, 1L, 9L, 16L, 2L, 21L\n\n#define SN_id_smime_aa_ets_RevocationRefs \"id-smime-aa-ets-RevocationRefs\"\n#define NID_id_smime_aa_ets_RevocationRefs 233\n#define OBJ_id_smime_aa_ets_RevocationRefs \\\n 1L, 2L, 840L, 113549L, 1L, 9L, 16L, 2L, 22L\n\n#define SN_id_smime_aa_ets_certValues \"id-smime-aa-ets-certValues\"\n#define NID_id_smime_aa_ets_certValues 234\n#define OBJ_id_smime_aa_ets_certValues \\\n 1L, 2L, 840L, 113549L, 1L, 9L, 16L, 2L, 23L\n\n#define SN_id_smime_aa_ets_revocationValues \"id-smime-aa-ets-revocationValues\"\n#define NID_id_smime_aa_ets_revocationValues 235\n#define OBJ_id_smime_aa_ets_revocationValues \\\n 1L, 2L, 840L, 113549L, 1L, 9L, 16L, 2L, 24L\n\n#define SN_id_smime_aa_ets_escTimeStamp \"id-smime-aa-ets-escTimeStamp\"\n#define NID_id_smime_aa_ets_escTimeStamp 236\n#define OBJ_id_smime_aa_ets_escTimeStamp \\\n 1L, 2L, 840L, 113549L, 1L, 9L, 16L, 2L, 25L\n\n#define SN_id_smime_aa_ets_certCRLTimestamp \"id-smime-aa-ets-certCRLTimestamp\"\n#define NID_id_smime_aa_ets_certCRLTimestamp 237\n#define OBJ_id_smime_aa_ets_certCRLTimestamp \\\n 1L, 2L, 840L, 113549L, 1L, 9L, 16L, 2L, 26L\n\n#define SN_id_smime_aa_ets_archiveTimeStamp \"id-smime-aa-ets-archiveTimeStamp\"\n#define NID_id_smime_aa_ets_archiveTimeStamp 238\n#define OBJ_id_smime_aa_ets_archiveTimeStamp \\\n 1L, 2L, 840L, 113549L, 1L, 9L, 16L, 2L, 27L\n\n#define SN_id_smime_aa_signatureType \"id-smime-aa-signatureType\"\n#define NID_id_smime_aa_signatureType 239\n#define OBJ_id_smime_aa_signatureType \\\n 1L, 2L, 840L, 113549L, 1L, 9L, 16L, 2L, 28L\n\n#define SN_id_smime_aa_dvcs_dvc \"id-smime-aa-dvcs-dvc\"\n#define NID_id_smime_aa_dvcs_dvc 240\n#define OBJ_id_smime_aa_dvcs_dvc 1L, 2L, 840L, 113549L, 1L, 9L, 16L, 2L, 29L\n\n#define SN_id_smime_alg_ESDHwith3DES \"id-smime-alg-ESDHwith3DES\"\n#define NID_id_smime_alg_ESDHwith3DES 241\n#define OBJ_id_smime_alg_ESDHwith3DES 1L, 2L, 840L, 113549L, 1L, 9L, 16L, 3L, 1L\n\n#define SN_id_smime_alg_ESDHwithRC2 \"id-smime-alg-ESDHwithRC2\"\n#define NID_id_smime_alg_ESDHwithRC2 242\n#define OBJ_id_smime_alg_ESDHwithRC2 1L, 2L, 840L, 113549L, 1L, 9L, 16L, 3L, 2L\n\n#define SN_id_smime_alg_3DESwrap \"id-smime-alg-3DESwrap\"\n#define NID_id_smime_alg_3DESwrap 243\n#define OBJ_id_smime_alg_3DESwrap 1L, 2L, 840L, 113549L, 1L, 9L, 16L, 3L, 3L\n\n#define SN_id_smime_alg_RC2wrap \"id-smime-alg-RC2wrap\"\n#define NID_id_smime_alg_RC2wrap 244\n#define OBJ_id_smime_alg_RC2wrap 1L, 2L, 840L, 113549L, 1L, 9L, 16L, 3L, 4L\n\n#define SN_id_smime_alg_ESDH \"id-smime-alg-ESDH\"\n#define NID_id_smime_alg_ESDH 245\n#define OBJ_id_smime_alg_ESDH 1L, 2L, 840L, 113549L, 1L, 9L, 16L, 3L, 5L\n\n#define SN_id_smime_alg_CMS3DESwrap \"id-smime-alg-CMS3DESwrap\"\n#define NID_id_smime_alg_CMS3DESwrap 246\n#define OBJ_id_smime_alg_CMS3DESwrap 1L, 2L, 840L, 113549L, 1L, 9L, 16L, 3L, 6L\n\n#define SN_id_smime_alg_CMSRC2wrap \"id-smime-alg-CMSRC2wrap\"\n#define NID_id_smime_alg_CMSRC2wrap 247\n#define OBJ_id_smime_alg_CMSRC2wrap 1L, 2L, 840L, 113549L, 1L, 9L, 16L, 3L, 7L\n\n#define SN_id_smime_cd_ldap \"id-smime-cd-ldap\"\n#define NID_id_smime_cd_ldap 248\n#define OBJ_id_smime_cd_ldap 1L, 2L, 840L, 113549L, 1L, 9L, 16L, 4L, 1L\n\n#define SN_id_smime_spq_ets_sqt_uri \"id-smime-spq-ets-sqt-uri\"\n#define NID_id_smime_spq_ets_sqt_uri 249\n#define OBJ_id_smime_spq_ets_sqt_uri 1L, 2L, 840L, 113549L, 1L, 9L, 16L, 5L, 1L\n\n#define SN_id_smime_spq_ets_sqt_unotice \"id-smime-spq-ets-sqt-unotice\"\n#define NID_id_smime_spq_ets_sqt_unotice 250\n#define OBJ_id_smime_spq_ets_sqt_unotice \\\n 1L, 2L, 840L, 113549L, 1L, 9L, 16L, 5L, 2L\n\n#define SN_id_smime_cti_ets_proofOfOrigin \"id-smime-cti-ets-proofOfOrigin\"\n#define NID_id_smime_cti_ets_proofOfOrigin 251\n#define OBJ_id_smime_cti_ets_proofOfOrigin \\\n 1L, 2L, 840L, 113549L, 1L, 9L, 16L, 6L, 1L\n\n#define SN_id_smime_cti_ets_proofOfReceipt \"id-smime-cti-ets-proofOfReceipt\"\n#define NID_id_smime_cti_ets_proofOfReceipt 252\n#define OBJ_id_smime_cti_ets_proofOfReceipt \\\n 1L, 2L, 840L, 113549L, 1L, 9L, 16L, 6L, 2L\n\n#define SN_id_smime_cti_ets_proofOfDelivery \"id-smime-cti-ets-proofOfDelivery\"\n#define NID_id_smime_cti_ets_proofOfDelivery 253\n#define OBJ_id_smime_cti_ets_proofOfDelivery \\\n 1L, 2L, 840L, 113549L, 1L, 9L, 16L, 6L, 3L\n\n#define SN_id_smime_cti_ets_proofOfSender \"id-smime-cti-ets-proofOfSender\"\n#define NID_id_smime_cti_ets_proofOfSender 254\n#define OBJ_id_smime_cti_ets_proofOfSender \\\n 1L, 2L, 840L, 113549L, 1L, 9L, 16L, 6L, 4L\n\n#define SN_id_smime_cti_ets_proofOfApproval \"id-smime-cti-ets-proofOfApproval\"\n#define NID_id_smime_cti_ets_proofOfApproval 255\n#define OBJ_id_smime_cti_ets_proofOfApproval \\\n 1L, 2L, 840L, 113549L, 1L, 9L, 16L, 6L, 5L\n\n#define SN_id_smime_cti_ets_proofOfCreation \"id-smime-cti-ets-proofOfCreation\"\n#define NID_id_smime_cti_ets_proofOfCreation 256\n#define OBJ_id_smime_cti_ets_proofOfCreation \\\n 1L, 2L, 840L, 113549L, 1L, 9L, 16L, 6L, 6L\n\n#define SN_md4 \"MD4\"\n#define LN_md4 \"md4\"\n#define NID_md4 257\n#define OBJ_md4 1L, 2L, 840L, 113549L, 2L, 4L\n\n#define SN_id_pkix_mod \"id-pkix-mod\"\n#define NID_id_pkix_mod 258\n#define OBJ_id_pkix_mod 1L, 3L, 6L, 1L, 5L, 5L, 7L, 0L\n\n#define SN_id_qt \"id-qt\"\n#define NID_id_qt 259\n#define OBJ_id_qt 1L, 3L, 6L, 1L, 5L, 5L, 7L, 2L\n\n#define SN_id_it \"id-it\"\n#define NID_id_it 260\n#define OBJ_id_it 1L, 3L, 6L, 1L, 5L, 5L, 7L, 4L\n\n#define SN_id_pkip \"id-pkip\"\n#define NID_id_pkip 261\n#define OBJ_id_pkip 1L, 3L, 6L, 1L, 5L, 5L, 7L, 5L\n\n#define SN_id_alg \"id-alg\"\n#define NID_id_alg 262\n#define OBJ_id_alg 1L, 3L, 6L, 1L, 5L, 5L, 7L, 6L\n\n#define SN_id_cmc \"id-cmc\"\n#define NID_id_cmc 263\n#define OBJ_id_cmc 1L, 3L, 6L, 1L, 5L, 5L, 7L, 7L\n\n#define SN_id_on \"id-on\"\n#define NID_id_on 264\n#define OBJ_id_on 1L, 3L, 6L, 1L, 5L, 5L, 7L, 8L\n\n#define SN_id_pda \"id-pda\"\n#define NID_id_pda 265\n#define OBJ_id_pda 1L, 3L, 6L, 1L, 5L, 5L, 7L, 9L\n\n#define SN_id_aca \"id-aca\"\n#define NID_id_aca 266\n#define OBJ_id_aca 1L, 3L, 6L, 1L, 5L, 5L, 7L, 10L\n\n#define SN_id_qcs \"id-qcs\"\n#define NID_id_qcs 267\n#define OBJ_id_qcs 1L, 3L, 6L, 1L, 5L, 5L, 7L, 11L\n\n#define SN_id_cct \"id-cct\"\n#define NID_id_cct 268\n#define OBJ_id_cct 1L, 3L, 6L, 1L, 5L, 5L, 7L, 12L\n\n#define SN_id_pkix1_explicit_88 \"id-pkix1-explicit-88\"\n#define NID_id_pkix1_explicit_88 269\n#define OBJ_id_pkix1_explicit_88 1L, 3L, 6L, 1L, 5L, 5L, 7L, 0L, 1L\n\n#define SN_id_pkix1_implicit_88 \"id-pkix1-implicit-88\"\n#define NID_id_pkix1_implicit_88 270\n#define OBJ_id_pkix1_implicit_88 1L, 3L, 6L, 1L, 5L, 5L, 7L, 0L, 2L\n\n#define SN_id_pkix1_explicit_93 \"id-pkix1-explicit-93\"\n#define NID_id_pkix1_explicit_93 271\n#define OBJ_id_pkix1_explicit_93 1L, 3L, 6L, 1L, 5L, 5L, 7L, 0L, 3L\n\n#define SN_id_pkix1_implicit_93 \"id-pkix1-implicit-93\"\n#define NID_id_pkix1_implicit_93 272\n#define OBJ_id_pkix1_implicit_93 1L, 3L, 6L, 1L, 5L, 5L, 7L, 0L, 4L\n\n#define SN_id_mod_crmf \"id-mod-crmf\"\n#define NID_id_mod_crmf 273\n#define OBJ_id_mod_crmf 1L, 3L, 6L, 1L, 5L, 5L, 7L, 0L, 5L\n\n#define SN_id_mod_cmc \"id-mod-cmc\"\n#define NID_id_mod_cmc 274\n#define OBJ_id_mod_cmc 1L, 3L, 6L, 1L, 5L, 5L, 7L, 0L, 6L\n\n#define SN_id_mod_kea_profile_88 \"id-mod-kea-profile-88\"\n#define NID_id_mod_kea_profile_88 275\n#define OBJ_id_mod_kea_profile_88 1L, 3L, 6L, 1L, 5L, 5L, 7L, 0L, 7L\n\n#define SN_id_mod_kea_profile_93 \"id-mod-kea-profile-93\"\n#define NID_id_mod_kea_profile_93 276\n#define OBJ_id_mod_kea_profile_93 1L, 3L, 6L, 1L, 5L, 5L, 7L, 0L, 8L\n\n#define SN_id_mod_cmp \"id-mod-cmp\"\n#define NID_id_mod_cmp 277\n#define OBJ_id_mod_cmp 1L, 3L, 6L, 1L, 5L, 5L, 7L, 0L, 9L\n\n#define SN_id_mod_qualified_cert_88 \"id-mod-qualified-cert-88\"\n#define NID_id_mod_qualified_cert_88 278\n#define OBJ_id_mod_qualified_cert_88 1L, 3L, 6L, 1L, 5L, 5L, 7L, 0L, 10L\n\n#define SN_id_mod_qualified_cert_93 \"id-mod-qualified-cert-93\"\n#define NID_id_mod_qualified_cert_93 279\n#define OBJ_id_mod_qualified_cert_93 1L, 3L, 6L, 1L, 5L, 5L, 7L, 0L, 11L\n\n#define SN_id_mod_attribute_cert \"id-mod-attribute-cert\"\n#define NID_id_mod_attribute_cert 280\n#define OBJ_id_mod_attribute_cert 1L, 3L, 6L, 1L, 5L, 5L, 7L, 0L, 12L\n\n#define SN_id_mod_timestamp_protocol \"id-mod-timestamp-protocol\"\n#define NID_id_mod_timestamp_protocol 281\n#define OBJ_id_mod_timestamp_protocol 1L, 3L, 6L, 1L, 5L, 5L, 7L, 0L, 13L\n\n#define SN_id_mod_ocsp \"id-mod-ocsp\"\n#define NID_id_mod_ocsp 282\n#define OBJ_id_mod_ocsp 1L, 3L, 6L, 1L, 5L, 5L, 7L, 0L, 14L\n\n#define SN_id_mod_dvcs \"id-mod-dvcs\"\n#define NID_id_mod_dvcs 283\n#define OBJ_id_mod_dvcs 1L, 3L, 6L, 1L, 5L, 5L, 7L, 0L, 15L\n\n#define SN_id_mod_cmp2000 \"id-mod-cmp2000\"\n#define NID_id_mod_cmp2000 284\n#define OBJ_id_mod_cmp2000 1L, 3L, 6L, 1L, 5L, 5L, 7L, 0L, 16L\n\n#define SN_biometricInfo \"biometricInfo\"\n#define LN_biometricInfo \"Biometric Info\"\n#define NID_biometricInfo 285\n#define OBJ_biometricInfo 1L, 3L, 6L, 1L, 5L, 5L, 7L, 1L, 2L\n\n#define SN_qcStatements \"qcStatements\"\n#define NID_qcStatements 286\n#define OBJ_qcStatements 1L, 3L, 6L, 1L, 5L, 5L, 7L, 1L, 3L\n\n#define SN_ac_auditEntity \"ac-auditEntity\"\n#define NID_ac_auditEntity 287\n#define OBJ_ac_auditEntity 1L, 3L, 6L, 1L, 5L, 5L, 7L, 1L, 4L\n\n#define SN_ac_targeting \"ac-targeting\"\n#define NID_ac_targeting 288\n#define OBJ_ac_targeting 1L, 3L, 6L, 1L, 5L, 5L, 7L, 1L, 5L\n\n#define SN_aaControls \"aaControls\"\n#define NID_aaControls 289\n#define OBJ_aaControls 1L, 3L, 6L, 1L, 5L, 5L, 7L, 1L, 6L\n\n#define SN_sbgp_ipAddrBlock \"sbgp-ipAddrBlock\"\n#define NID_sbgp_ipAddrBlock 290\n#define OBJ_sbgp_ipAddrBlock 1L, 3L, 6L, 1L, 5L, 5L, 7L, 1L, 7L\n\n#define SN_sbgp_autonomousSysNum \"sbgp-autonomousSysNum\"\n#define NID_sbgp_autonomousSysNum 291\n#define OBJ_sbgp_autonomousSysNum 1L, 3L, 6L, 1L, 5L, 5L, 7L, 1L, 8L\n\n#define SN_sbgp_routerIdentifier \"sbgp-routerIdentifier\"\n#define NID_sbgp_routerIdentifier 292\n#define OBJ_sbgp_routerIdentifier 1L, 3L, 6L, 1L, 5L, 5L, 7L, 1L, 9L\n\n#define SN_textNotice \"textNotice\"\n#define NID_textNotice 293\n#define OBJ_textNotice 1L, 3L, 6L, 1L, 5L, 5L, 7L, 2L, 3L\n\n#define SN_ipsecEndSystem \"ipsecEndSystem\"\n#define LN_ipsecEndSystem \"IPSec End System\"\n#define NID_ipsecEndSystem 294\n#define OBJ_ipsecEndSystem 1L, 3L, 6L, 1L, 5L, 5L, 7L, 3L, 5L\n\n#define SN_ipsecTunnel \"ipsecTunnel\"\n#define LN_ipsecTunnel \"IPSec Tunnel\"\n#define NID_ipsecTunnel 295\n#define OBJ_ipsecTunnel 1L, 3L, 6L, 1L, 5L, 5L, 7L, 3L, 6L\n\n#define SN_ipsecUser \"ipsecUser\"\n#define LN_ipsecUser \"IPSec User\"\n#define NID_ipsecUser 296\n#define OBJ_ipsecUser 1L, 3L, 6L, 1L, 5L, 5L, 7L, 3L, 7L\n\n#define SN_dvcs \"DVCS\"\n#define LN_dvcs \"dvcs\"\n#define NID_dvcs 297\n#define OBJ_dvcs 1L, 3L, 6L, 1L, 5L, 5L, 7L, 3L, 10L\n\n#define SN_id_it_caProtEncCert \"id-it-caProtEncCert\"\n#define NID_id_it_caProtEncCert 298\n#define OBJ_id_it_caProtEncCert 1L, 3L, 6L, 1L, 5L, 5L, 7L, 4L, 1L\n\n#define SN_id_it_signKeyPairTypes \"id-it-signKeyPairTypes\"\n#define NID_id_it_signKeyPairTypes 299\n#define OBJ_id_it_signKeyPairTypes 1L, 3L, 6L, 1L, 5L, 5L, 7L, 4L, 2L\n\n#define SN_id_it_encKeyPairTypes \"id-it-encKeyPairTypes\"\n#define NID_id_it_encKeyPairTypes 300\n#define OBJ_id_it_encKeyPairTypes 1L, 3L, 6L, 1L, 5L, 5L, 7L, 4L, 3L\n\n#define SN_id_it_preferredSymmAlg \"id-it-preferredSymmAlg\"\n#define NID_id_it_preferredSymmAlg 301\n#define OBJ_id_it_preferredSymmAlg 1L, 3L, 6L, 1L, 5L, 5L, 7L, 4L, 4L\n\n#define SN_id_it_caKeyUpdateInfo \"id-it-caKeyUpdateInfo\"\n#define NID_id_it_caKeyUpdateInfo 302\n#define OBJ_id_it_caKeyUpdateInfo 1L, 3L, 6L, 1L, 5L, 5L, 7L, 4L, 5L\n\n#define SN_id_it_currentCRL \"id-it-currentCRL\"\n#define NID_id_it_currentCRL 303\n#define OBJ_id_it_currentCRL 1L, 3L, 6L, 1L, 5L, 5L, 7L, 4L, 6L\n\n#define SN_id_it_unsupportedOIDs \"id-it-unsupportedOIDs\"\n#define NID_id_it_unsupportedOIDs 304\n#define OBJ_id_it_unsupportedOIDs 1L, 3L, 6L, 1L, 5L, 5L, 7L, 4L, 7L\n\n#define SN_id_it_subscriptionRequest \"id-it-subscriptionRequest\"\n#define NID_id_it_subscriptionRequest 305\n#define OBJ_id_it_subscriptionRequest 1L, 3L, 6L, 1L, 5L, 5L, 7L, 4L, 8L\n\n#define SN_id_it_subscriptionResponse \"id-it-subscriptionResponse\"\n#define NID_id_it_subscriptionResponse 306\n#define OBJ_id_it_subscriptionResponse 1L, 3L, 6L, 1L, 5L, 5L, 7L, 4L, 9L\n\n#define SN_id_it_keyPairParamReq \"id-it-keyPairParamReq\"\n#define NID_id_it_keyPairParamReq 307\n#define OBJ_id_it_keyPairParamReq 1L, 3L, 6L, 1L, 5L, 5L, 7L, 4L, 10L\n\n#define SN_id_it_keyPairParamRep \"id-it-keyPairParamRep\"\n#define NID_id_it_keyPairParamRep 308\n#define OBJ_id_it_keyPairParamRep 1L, 3L, 6L, 1L, 5L, 5L, 7L, 4L, 11L\n\n#define SN_id_it_revPassphrase \"id-it-revPassphrase\"\n#define NID_id_it_revPassphrase 309\n#define OBJ_id_it_revPassphrase 1L, 3L, 6L, 1L, 5L, 5L, 7L, 4L, 12L\n\n#define SN_id_it_implicitConfirm \"id-it-implicitConfirm\"\n#define NID_id_it_implicitConfirm 310\n#define OBJ_id_it_implicitConfirm 1L, 3L, 6L, 1L, 5L, 5L, 7L, 4L, 13L\n\n#define SN_id_it_confirmWaitTime \"id-it-confirmWaitTime\"\n#define NID_id_it_confirmWaitTime 311\n#define OBJ_id_it_confirmWaitTime 1L, 3L, 6L, 1L, 5L, 5L, 7L, 4L, 14L\n\n#define SN_id_it_origPKIMessage \"id-it-origPKIMessage\"\n#define NID_id_it_origPKIMessage 312\n#define OBJ_id_it_origPKIMessage 1L, 3L, 6L, 1L, 5L, 5L, 7L, 4L, 15L\n\n#define SN_id_regCtrl \"id-regCtrl\"\n#define NID_id_regCtrl 313\n#define OBJ_id_regCtrl 1L, 3L, 6L, 1L, 5L, 5L, 7L, 5L, 1L\n\n#define SN_id_regInfo \"id-regInfo\"\n#define NID_id_regInfo 314\n#define OBJ_id_regInfo 1L, 3L, 6L, 1L, 5L, 5L, 7L, 5L, 2L\n\n#define SN_id_regCtrl_regToken \"id-regCtrl-regToken\"\n#define NID_id_regCtrl_regToken 315\n#define OBJ_id_regCtrl_regToken 1L, 3L, 6L, 1L, 5L, 5L, 7L, 5L, 1L, 1L\n\n#define SN_id_regCtrl_authenticator \"id-regCtrl-authenticator\"\n#define NID_id_regCtrl_authenticator 316\n#define OBJ_id_regCtrl_authenticator 1L, 3L, 6L, 1L, 5L, 5L, 7L, 5L, 1L, 2L\n\n#define SN_id_regCtrl_pkiPublicationInfo \"id-regCtrl-pkiPublicationInfo\"\n#define NID_id_regCtrl_pkiPublicationInfo 317\n#define OBJ_id_regCtrl_pkiPublicationInfo 1L, 3L, 6L, 1L, 5L, 5L, 7L, 5L, 1L, 3L\n\n#define SN_id_regCtrl_pkiArchiveOptions \"id-regCtrl-pkiArchiveOptions\"\n#define NID_id_regCtrl_pkiArchiveOptions 318\n#define OBJ_id_regCtrl_pkiArchiveOptions 1L, 3L, 6L, 1L, 5L, 5L, 7L, 5L, 1L, 4L\n\n#define SN_id_regCtrl_oldCertID \"id-regCtrl-oldCertID\"\n#define NID_id_regCtrl_oldCertID 319\n#define OBJ_id_regCtrl_oldCertID 1L, 3L, 6L, 1L, 5L, 5L, 7L, 5L, 1L, 5L\n\n#define SN_id_regCtrl_protocolEncrKey \"id-regCtrl-protocolEncrKey\"\n#define NID_id_regCtrl_protocolEncrKey 320\n#define OBJ_id_regCtrl_protocolEncrKey 1L, 3L, 6L, 1L, 5L, 5L, 7L, 5L, 1L, 6L\n\n#define SN_id_regInfo_utf8Pairs \"id-regInfo-utf8Pairs\"\n#define NID_id_regInfo_utf8Pairs 321\n#define OBJ_id_regInfo_utf8Pairs 1L, 3L, 6L, 1L, 5L, 5L, 7L, 5L, 2L, 1L\n\n#define SN_id_regInfo_certReq \"id-regInfo-certReq\"\n#define NID_id_regInfo_certReq 322\n#define OBJ_id_regInfo_certReq 1L, 3L, 6L, 1L, 5L, 5L, 7L, 5L, 2L, 2L\n\n#define SN_id_alg_des40 \"id-alg-des40\"\n#define NID_id_alg_des40 323\n#define OBJ_id_alg_des40 1L, 3L, 6L, 1L, 5L, 5L, 7L, 6L, 1L\n\n#define SN_id_alg_noSignature \"id-alg-noSignature\"\n#define NID_id_alg_noSignature 324\n#define OBJ_id_alg_noSignature 1L, 3L, 6L, 1L, 5L, 5L, 7L, 6L, 2L\n\n#define SN_id_alg_dh_sig_hmac_sha1 \"id-alg-dh-sig-hmac-sha1\"\n#define NID_id_alg_dh_sig_hmac_sha1 325\n#define OBJ_id_alg_dh_sig_hmac_sha1 1L, 3L, 6L, 1L, 5L, 5L, 7L, 6L, 3L\n\n#define SN_id_alg_dh_pop \"id-alg-dh-pop\"\n#define NID_id_alg_dh_pop 326\n#define OBJ_id_alg_dh_pop 1L, 3L, 6L, 1L, 5L, 5L, 7L, 6L, 4L\n\n#define SN_id_cmc_statusInfo \"id-cmc-statusInfo\"\n#define NID_id_cmc_statusInfo 327\n#define OBJ_id_cmc_statusInfo 1L, 3L, 6L, 1L, 5L, 5L, 7L, 7L, 1L\n\n#define SN_id_cmc_identification \"id-cmc-identification\"\n#define NID_id_cmc_identification 328\n#define OBJ_id_cmc_identification 1L, 3L, 6L, 1L, 5L, 5L, 7L, 7L, 2L\n\n#define SN_id_cmc_identityProof \"id-cmc-identityProof\"\n#define NID_id_cmc_identityProof 329\n#define OBJ_id_cmc_identityProof 1L, 3L, 6L, 1L, 5L, 5L, 7L, 7L, 3L\n\n#define SN_id_cmc_dataReturn \"id-cmc-dataReturn\"\n#define NID_id_cmc_dataReturn 330\n#define OBJ_id_cmc_dataReturn 1L, 3L, 6L, 1L, 5L, 5L, 7L, 7L, 4L\n\n#define SN_id_cmc_transactionId \"id-cmc-transactionId\"\n#define NID_id_cmc_transactionId 331\n#define OBJ_id_cmc_transactionId 1L, 3L, 6L, 1L, 5L, 5L, 7L, 7L, 5L\n\n#define SN_id_cmc_senderNonce \"id-cmc-senderNonce\"\n#define NID_id_cmc_senderNonce 332\n#define OBJ_id_cmc_senderNonce 1L, 3L, 6L, 1L, 5L, 5L, 7L, 7L, 6L\n\n#define SN_id_cmc_recipientNonce \"id-cmc-recipientNonce\"\n#define NID_id_cmc_recipientNonce 333\n#define OBJ_id_cmc_recipientNonce 1L, 3L, 6L, 1L, 5L, 5L, 7L, 7L, 7L\n\n#define SN_id_cmc_addExtensions \"id-cmc-addExtensions\"\n#define NID_id_cmc_addExtensions 334\n#define OBJ_id_cmc_addExtensions 1L, 3L, 6L, 1L, 5L, 5L, 7L, 7L, 8L\n\n#define SN_id_cmc_encryptedPOP \"id-cmc-encryptedPOP\"\n#define NID_id_cmc_encryptedPOP 335\n#define OBJ_id_cmc_encryptedPOP 1L, 3L, 6L, 1L, 5L, 5L, 7L, 7L, 9L\n\n#define SN_id_cmc_decryptedPOP \"id-cmc-decryptedPOP\"\n#define NID_id_cmc_decryptedPOP 336\n#define OBJ_id_cmc_decryptedPOP 1L, 3L, 6L, 1L, 5L, 5L, 7L, 7L, 10L\n\n#define SN_id_cmc_lraPOPWitness \"id-cmc-lraPOPWitness\"\n#define NID_id_cmc_lraPOPWitness 337\n#define OBJ_id_cmc_lraPOPWitness 1L, 3L, 6L, 1L, 5L, 5L, 7L, 7L, 11L\n\n#define SN_id_cmc_getCert \"id-cmc-getCert\"\n#define NID_id_cmc_getCert 338\n#define OBJ_id_cmc_getCert 1L, 3L, 6L, 1L, 5L, 5L, 7L, 7L, 15L\n\n#define SN_id_cmc_getCRL \"id-cmc-getCRL\"\n#define NID_id_cmc_getCRL 339\n#define OBJ_id_cmc_getCRL 1L, 3L, 6L, 1L, 5L, 5L, 7L, 7L, 16L\n\n#define SN_id_cmc_revokeRequest \"id-cmc-revokeRequest\"\n#define NID_id_cmc_revokeRequest 340\n#define OBJ_id_cmc_revokeRequest 1L, 3L, 6L, 1L, 5L, 5L, 7L, 7L, 17L\n\n#define SN_id_cmc_regInfo \"id-cmc-regInfo\"\n#define NID_id_cmc_regInfo 341\n#define OBJ_id_cmc_regInfo 1L, 3L, 6L, 1L, 5L, 5L, 7L, 7L, 18L\n\n#define SN_id_cmc_responseInfo \"id-cmc-responseInfo\"\n#define NID_id_cmc_responseInfo 342\n#define OBJ_id_cmc_responseInfo 1L, 3L, 6L, 1L, 5L, 5L, 7L, 7L, 19L\n\n#define SN_id_cmc_queryPending \"id-cmc-queryPending\"\n#define NID_id_cmc_queryPending 343\n#define OBJ_id_cmc_queryPending 1L, 3L, 6L, 1L, 5L, 5L, 7L, 7L, 21L\n\n#define SN_id_cmc_popLinkRandom \"id-cmc-popLinkRandom\"\n#define NID_id_cmc_popLinkRandom 344\n#define OBJ_id_cmc_popLinkRandom 1L, 3L, 6L, 1L, 5L, 5L, 7L, 7L, 22L\n\n#define SN_id_cmc_popLinkWitness \"id-cmc-popLinkWitness\"\n#define NID_id_cmc_popLinkWitness 345\n#define OBJ_id_cmc_popLinkWitness 1L, 3L, 6L, 1L, 5L, 5L, 7L, 7L, 23L\n\n#define SN_id_cmc_confirmCertAcceptance \"id-cmc-confirmCertAcceptance\"\n#define NID_id_cmc_confirmCertAcceptance 346\n#define OBJ_id_cmc_confirmCertAcceptance 1L, 3L, 6L, 1L, 5L, 5L, 7L, 7L, 24L\n\n#define SN_id_on_personalData \"id-on-personalData\"\n#define NID_id_on_personalData 347\n#define OBJ_id_on_personalData 1L, 3L, 6L, 1L, 5L, 5L, 7L, 8L, 1L\n\n#define SN_id_pda_dateOfBirth \"id-pda-dateOfBirth\"\n#define NID_id_pda_dateOfBirth 348\n#define OBJ_id_pda_dateOfBirth 1L, 3L, 6L, 1L, 5L, 5L, 7L, 9L, 1L\n\n#define SN_id_pda_placeOfBirth \"id-pda-placeOfBirth\"\n#define NID_id_pda_placeOfBirth 349\n#define OBJ_id_pda_placeOfBirth 1L, 3L, 6L, 1L, 5L, 5L, 7L, 9L, 2L\n\n#define SN_id_pda_gender \"id-pda-gender\"\n#define NID_id_pda_gender 351\n#define OBJ_id_pda_gender 1L, 3L, 6L, 1L, 5L, 5L, 7L, 9L, 3L\n\n#define SN_id_pda_countryOfCitizenship \"id-pda-countryOfCitizenship\"\n#define NID_id_pda_countryOfCitizenship 352\n#define OBJ_id_pda_countryOfCitizenship 1L, 3L, 6L, 1L, 5L, 5L, 7L, 9L, 4L\n\n#define SN_id_pda_countryOfResidence \"id-pda-countryOfResidence\"\n#define NID_id_pda_countryOfResidence 353\n#define OBJ_id_pda_countryOfResidence 1L, 3L, 6L, 1L, 5L, 5L, 7L, 9L, 5L\n\n#define SN_id_aca_authenticationInfo \"id-aca-authenticationInfo\"\n#define NID_id_aca_authenticationInfo 354\n#define OBJ_id_aca_authenticationInfo 1L, 3L, 6L, 1L, 5L, 5L, 7L, 10L, 1L\n\n#define SN_id_aca_accessIdentity \"id-aca-accessIdentity\"\n#define NID_id_aca_accessIdentity 355\n#define OBJ_id_aca_accessIdentity 1L, 3L, 6L, 1L, 5L, 5L, 7L, 10L, 2L\n\n#define SN_id_aca_chargingIdentity \"id-aca-chargingIdentity\"\n#define NID_id_aca_chargingIdentity 356\n#define OBJ_id_aca_chargingIdentity 1L, 3L, 6L, 1L, 5L, 5L, 7L, 10L, 3L\n\n#define SN_id_aca_group \"id-aca-group\"\n#define NID_id_aca_group 357\n#define OBJ_id_aca_group 1L, 3L, 6L, 1L, 5L, 5L, 7L, 10L, 4L\n\n#define SN_id_aca_role \"id-aca-role\"\n#define NID_id_aca_role 358\n#define OBJ_id_aca_role 1L, 3L, 6L, 1L, 5L, 5L, 7L, 10L, 5L\n\n#define SN_id_qcs_pkixQCSyntax_v1 \"id-qcs-pkixQCSyntax-v1\"\n#define NID_id_qcs_pkixQCSyntax_v1 359\n#define OBJ_id_qcs_pkixQCSyntax_v1 1L, 3L, 6L, 1L, 5L, 5L, 7L, 11L, 1L\n\n#define SN_id_cct_crs \"id-cct-crs\"\n#define NID_id_cct_crs 360\n#define OBJ_id_cct_crs 1L, 3L, 6L, 1L, 5L, 5L, 7L, 12L, 1L\n\n#define SN_id_cct_PKIData \"id-cct-PKIData\"\n#define NID_id_cct_PKIData 361\n#define OBJ_id_cct_PKIData 1L, 3L, 6L, 1L, 5L, 5L, 7L, 12L, 2L\n\n#define SN_id_cct_PKIResponse \"id-cct-PKIResponse\"\n#define NID_id_cct_PKIResponse 362\n#define OBJ_id_cct_PKIResponse 1L, 3L, 6L, 1L, 5L, 5L, 7L, 12L, 3L\n\n#define SN_ad_timeStamping \"ad_timestamping\"\n#define LN_ad_timeStamping \"AD Time Stamping\"\n#define NID_ad_timeStamping 363\n#define OBJ_ad_timeStamping 1L, 3L, 6L, 1L, 5L, 5L, 7L, 48L, 3L\n\n#define SN_ad_dvcs \"AD_DVCS\"\n#define LN_ad_dvcs \"ad dvcs\"\n#define NID_ad_dvcs 364\n#define OBJ_ad_dvcs 1L, 3L, 6L, 1L, 5L, 5L, 7L, 48L, 4L\n\n#define SN_id_pkix_OCSP_basic \"basicOCSPResponse\"\n#define LN_id_pkix_OCSP_basic \"Basic OCSP Response\"\n#define NID_id_pkix_OCSP_basic 365\n#define OBJ_id_pkix_OCSP_basic 1L, 3L, 6L, 1L, 5L, 5L, 7L, 48L, 1L, 1L\n\n#define SN_id_pkix_OCSP_Nonce \"Nonce\"\n#define LN_id_pkix_OCSP_Nonce \"OCSP Nonce\"\n#define NID_id_pkix_OCSP_Nonce 366\n#define OBJ_id_pkix_OCSP_Nonce 1L, 3L, 6L, 1L, 5L, 5L, 7L, 48L, 1L, 2L\n\n#define SN_id_pkix_OCSP_CrlID \"CrlID\"\n#define LN_id_pkix_OCSP_CrlID \"OCSP CRL ID\"\n#define NID_id_pkix_OCSP_CrlID 367\n#define OBJ_id_pkix_OCSP_CrlID 1L, 3L, 6L, 1L, 5L, 5L, 7L, 48L, 1L, 3L\n\n#define SN_id_pkix_OCSP_acceptableResponses \"acceptableResponses\"\n#define LN_id_pkix_OCSP_acceptableResponses \"Acceptable OCSP Responses\"\n#define NID_id_pkix_OCSP_acceptableResponses 368\n#define OBJ_id_pkix_OCSP_acceptableResponses \\\n 1L, 3L, 6L, 1L, 5L, 5L, 7L, 48L, 1L, 4L\n\n#define SN_id_pkix_OCSP_noCheck \"noCheck\"\n#define LN_id_pkix_OCSP_noCheck \"OCSP No Check\"\n#define NID_id_pkix_OCSP_noCheck 369\n#define OBJ_id_pkix_OCSP_noCheck 1L, 3L, 6L, 1L, 5L, 5L, 7L, 48L, 1L, 5L\n\n#define SN_id_pkix_OCSP_archiveCutoff \"archiveCutoff\"\n#define LN_id_pkix_OCSP_archiveCutoff \"OCSP Archive Cutoff\"\n#define NID_id_pkix_OCSP_archiveCutoff 370\n#define OBJ_id_pkix_OCSP_archiveCutoff 1L, 3L, 6L, 1L, 5L, 5L, 7L, 48L, 1L, 6L\n\n#define SN_id_pkix_OCSP_serviceLocator \"serviceLocator\"\n#define LN_id_pkix_OCSP_serviceLocator \"OCSP Service Locator\"\n#define NID_id_pkix_OCSP_serviceLocator 371\n#define OBJ_id_pkix_OCSP_serviceLocator 1L, 3L, 6L, 1L, 5L, 5L, 7L, 48L, 1L, 7L\n\n#define SN_id_pkix_OCSP_extendedStatus \"extendedStatus\"\n#define LN_id_pkix_OCSP_extendedStatus \"Extended OCSP Status\"\n#define NID_id_pkix_OCSP_extendedStatus 372\n#define OBJ_id_pkix_OCSP_extendedStatus 1L, 3L, 6L, 1L, 5L, 5L, 7L, 48L, 1L, 8L\n\n#define SN_id_pkix_OCSP_valid \"valid\"\n#define NID_id_pkix_OCSP_valid 373\n#define OBJ_id_pkix_OCSP_valid 1L, 3L, 6L, 1L, 5L, 5L, 7L, 48L, 1L, 9L\n\n#define SN_id_pkix_OCSP_path \"path\"\n#define NID_id_pkix_OCSP_path 374\n#define OBJ_id_pkix_OCSP_path 1L, 3L, 6L, 1L, 5L, 5L, 7L, 48L, 1L, 10L\n\n#define SN_id_pkix_OCSP_trustRoot \"trustRoot\"\n#define LN_id_pkix_OCSP_trustRoot \"Trust Root\"\n#define NID_id_pkix_OCSP_trustRoot 375\n#define OBJ_id_pkix_OCSP_trustRoot 1L, 3L, 6L, 1L, 5L, 5L, 7L, 48L, 1L, 11L\n\n#define SN_algorithm \"algorithm\"\n#define LN_algorithm \"algorithm\"\n#define NID_algorithm 376\n#define OBJ_algorithm 1L, 3L, 14L, 3L, 2L\n\n#define SN_rsaSignature \"rsaSignature\"\n#define NID_rsaSignature 377\n#define OBJ_rsaSignature 1L, 3L, 14L, 3L, 2L, 11L\n\n#define SN_X500algorithms \"X500algorithms\"\n#define LN_X500algorithms \"directory services - algorithms\"\n#define NID_X500algorithms 378\n#define OBJ_X500algorithms 2L, 5L, 8L\n\n#define SN_org \"ORG\"\n#define LN_org \"org\"\n#define NID_org 379\n#define OBJ_org 1L, 3L\n\n#define SN_dod \"DOD\"\n#define LN_dod \"dod\"\n#define NID_dod 380\n#define OBJ_dod 1L, 3L, 6L\n\n#define SN_iana \"IANA\"\n#define LN_iana \"iana\"\n#define NID_iana 381\n#define OBJ_iana 1L, 3L, 6L, 1L\n\n#define SN_Directory \"directory\"\n#define LN_Directory \"Directory\"\n#define NID_Directory 382\n#define OBJ_Directory 1L, 3L, 6L, 1L, 1L\n\n#define SN_Management \"mgmt\"\n#define LN_Management \"Management\"\n#define NID_Management 383\n#define OBJ_Management 1L, 3L, 6L, 1L, 2L\n\n#define SN_Experimental \"experimental\"\n#define LN_Experimental \"Experimental\"\n#define NID_Experimental 384\n#define OBJ_Experimental 1L, 3L, 6L, 1L, 3L\n\n#define SN_Private \"private\"\n#define LN_Private \"Private\"\n#define NID_Private 385\n#define OBJ_Private 1L, 3L, 6L, 1L, 4L\n\n#define SN_Security \"security\"\n#define LN_Security \"Security\"\n#define NID_Security 386\n#define OBJ_Security 1L, 3L, 6L, 1L, 5L\n\n#define SN_SNMPv2 \"snmpv2\"\n#define LN_SNMPv2 \"SNMPv2\"\n#define NID_SNMPv2 387\n#define OBJ_SNMPv2 1L, 3L, 6L, 1L, 6L\n\n#define LN_Mail \"Mail\"\n#define NID_Mail 388\n#define OBJ_Mail 1L, 3L, 6L, 1L, 7L\n\n#define SN_Enterprises \"enterprises\"\n#define LN_Enterprises \"Enterprises\"\n#define NID_Enterprises 389\n#define OBJ_Enterprises 1L, 3L, 6L, 1L, 4L, 1L\n\n#define SN_dcObject \"dcobject\"\n#define LN_dcObject \"dcObject\"\n#define NID_dcObject 390\n#define OBJ_dcObject 1L, 3L, 6L, 1L, 4L, 1L, 1466L, 344L\n\n#define SN_domainComponent \"DC\"\n#define LN_domainComponent \"domainComponent\"\n#define NID_domainComponent 391\n#define OBJ_domainComponent 0L, 9L, 2342L, 19200300L, 100L, 1L, 25L\n\n#define SN_Domain \"domain\"\n#define LN_Domain \"Domain\"\n#define NID_Domain 392\n#define OBJ_Domain 0L, 9L, 2342L, 19200300L, 100L, 4L, 13L\n\n#define SN_selected_attribute_types \"selected-attribute-types\"\n#define LN_selected_attribute_types \"Selected Attribute Types\"\n#define NID_selected_attribute_types 394\n#define OBJ_selected_attribute_types 2L, 5L, 1L, 5L\n\n#define SN_clearance \"clearance\"\n#define NID_clearance 395\n#define OBJ_clearance 2L, 5L, 1L, 5L, 55L\n\n#define SN_md4WithRSAEncryption \"RSA-MD4\"\n#define LN_md4WithRSAEncryption \"md4WithRSAEncryption\"\n#define NID_md4WithRSAEncryption 396\n#define OBJ_md4WithRSAEncryption 1L, 2L, 840L, 113549L, 1L, 1L, 3L\n\n#define SN_ac_proxying \"ac-proxying\"\n#define NID_ac_proxying 397\n#define OBJ_ac_proxying 1L, 3L, 6L, 1L, 5L, 5L, 7L, 1L, 10L\n\n#define SN_sinfo_access \"subjectInfoAccess\"\n#define LN_sinfo_access \"Subject Information Access\"\n#define NID_sinfo_access 398\n#define OBJ_sinfo_access 1L, 3L, 6L, 1L, 5L, 5L, 7L, 1L, 11L\n\n#define SN_id_aca_encAttrs \"id-aca-encAttrs\"\n#define NID_id_aca_encAttrs 399\n#define OBJ_id_aca_encAttrs 1L, 3L, 6L, 1L, 5L, 5L, 7L, 10L, 6L\n\n#define SN_role \"role\"\n#define LN_role \"role\"\n#define NID_role 400\n#define OBJ_role 2L, 5L, 4L, 72L\n\n#define SN_policy_constraints \"policyConstraints\"\n#define LN_policy_constraints \"X509v3 Policy Constraints\"\n#define NID_policy_constraints 401\n#define OBJ_policy_constraints 2L, 5L, 29L, 36L\n\n#define SN_target_information \"targetInformation\"\n#define LN_target_information \"X509v3 AC Targeting\"\n#define NID_target_information 402\n#define OBJ_target_information 2L, 5L, 29L, 55L\n\n#define SN_no_rev_avail \"noRevAvail\"\n#define LN_no_rev_avail \"X509v3 No Revocation Available\"\n#define NID_no_rev_avail 403\n#define OBJ_no_rev_avail 2L, 5L, 29L, 56L\n\n#define SN_ansi_X9_62 \"ansi-X9-62\"\n#define LN_ansi_X9_62 \"ANSI X9.62\"\n#define NID_ansi_X9_62 405\n#define OBJ_ansi_X9_62 1L, 2L, 840L, 10045L\n\n#define SN_X9_62_prime_field \"prime-field\"\n#define NID_X9_62_prime_field 406\n#define OBJ_X9_62_prime_field 1L, 2L, 840L, 10045L, 1L, 1L\n\n#define SN_X9_62_characteristic_two_field \"characteristic-two-field\"\n#define NID_X9_62_characteristic_two_field 407\n#define OBJ_X9_62_characteristic_two_field 1L, 2L, 840L, 10045L, 1L, 2L\n\n#define SN_X9_62_id_ecPublicKey \"id-ecPublicKey\"\n#define NID_X9_62_id_ecPublicKey 408\n#define OBJ_X9_62_id_ecPublicKey 1L, 2L, 840L, 10045L, 2L, 1L\n\n#define SN_X9_62_prime192v1 \"prime192v1\"\n#define NID_X9_62_prime192v1 409\n#define OBJ_X9_62_prime192v1 1L, 2L, 840L, 10045L, 3L, 1L, 1L\n\n#define SN_X9_62_prime192v2 \"prime192v2\"\n#define NID_X9_62_prime192v2 410\n#define OBJ_X9_62_prime192v2 1L, 2L, 840L, 10045L, 3L, 1L, 2L\n\n#define SN_X9_62_prime192v3 \"prime192v3\"\n#define NID_X9_62_prime192v3 411\n#define OBJ_X9_62_prime192v3 1L, 2L, 840L, 10045L, 3L, 1L, 3L\n\n#define SN_X9_62_prime239v1 \"prime239v1\"\n#define NID_X9_62_prime239v1 412\n#define OBJ_X9_62_prime239v1 1L, 2L, 840L, 10045L, 3L, 1L, 4L\n\n#define SN_X9_62_prime239v2 \"prime239v2\"\n#define NID_X9_62_prime239v2 413\n#define OBJ_X9_62_prime239v2 1L, 2L, 840L, 10045L, 3L, 1L, 5L\n\n#define SN_X9_62_prime239v3 \"prime239v3\"\n#define NID_X9_62_prime239v3 414\n#define OBJ_X9_62_prime239v3 1L, 2L, 840L, 10045L, 3L, 1L, 6L\n\n#define SN_X9_62_prime256v1 \"prime256v1\"\n#define NID_X9_62_prime256v1 415\n#define OBJ_X9_62_prime256v1 1L, 2L, 840L, 10045L, 3L, 1L, 7L\n\n#define SN_ecdsa_with_SHA1 \"ecdsa-with-SHA1\"\n#define NID_ecdsa_with_SHA1 416\n#define OBJ_ecdsa_with_SHA1 1L, 2L, 840L, 10045L, 4L, 1L\n\n#define SN_ms_csp_name \"CSPName\"\n#define LN_ms_csp_name \"Microsoft CSP Name\"\n#define NID_ms_csp_name 417\n#define OBJ_ms_csp_name 1L, 3L, 6L, 1L, 4L, 1L, 311L, 17L, 1L\n\n#define SN_aes_128_ecb \"AES-128-ECB\"\n#define LN_aes_128_ecb \"aes-128-ecb\"\n#define NID_aes_128_ecb 418\n#define OBJ_aes_128_ecb 2L, 16L, 840L, 1L, 101L, 3L, 4L, 1L, 1L\n\n#define SN_aes_128_cbc \"AES-128-CBC\"\n#define LN_aes_128_cbc \"aes-128-cbc\"\n#define NID_aes_128_cbc 419\n#define OBJ_aes_128_cbc 2L, 16L, 840L, 1L, 101L, 3L, 4L, 1L, 2L\n\n#define SN_aes_128_ofb128 \"AES-128-OFB\"\n#define LN_aes_128_ofb128 \"aes-128-ofb\"\n#define NID_aes_128_ofb128 420\n#define OBJ_aes_128_ofb128 2L, 16L, 840L, 1L, 101L, 3L, 4L, 1L, 3L\n\n#define SN_aes_128_cfb128 \"AES-128-CFB\"\n#define LN_aes_128_cfb128 \"aes-128-cfb\"\n#define NID_aes_128_cfb128 421\n#define OBJ_aes_128_cfb128 2L, 16L, 840L, 1L, 101L, 3L, 4L, 1L, 4L\n\n#define SN_aes_192_ecb \"AES-192-ECB\"\n#define LN_aes_192_ecb \"aes-192-ecb\"\n#define NID_aes_192_ecb 422\n#define OBJ_aes_192_ecb 2L, 16L, 840L, 1L, 101L, 3L, 4L, 1L, 21L\n\n#define SN_aes_192_cbc \"AES-192-CBC\"\n#define LN_aes_192_cbc \"aes-192-cbc\"\n#define NID_aes_192_cbc 423\n#define OBJ_aes_192_cbc 2L, 16L, 840L, 1L, 101L, 3L, 4L, 1L, 22L\n\n#define SN_aes_192_ofb128 \"AES-192-OFB\"\n#define LN_aes_192_ofb128 \"aes-192-ofb\"\n#define NID_aes_192_ofb128 424\n#define OBJ_aes_192_ofb128 2L, 16L, 840L, 1L, 101L, 3L, 4L, 1L, 23L\n\n#define SN_aes_192_cfb128 \"AES-192-CFB\"\n#define LN_aes_192_cfb128 \"aes-192-cfb\"\n#define NID_aes_192_cfb128 425\n#define OBJ_aes_192_cfb128 2L, 16L, 840L, 1L, 101L, 3L, 4L, 1L, 24L\n\n#define SN_aes_256_ecb \"AES-256-ECB\"\n#define LN_aes_256_ecb \"aes-256-ecb\"\n#define NID_aes_256_ecb 426\n#define OBJ_aes_256_ecb 2L, 16L, 840L, 1L, 101L, 3L, 4L, 1L, 41L\n\n#define SN_aes_256_cbc \"AES-256-CBC\"\n#define LN_aes_256_cbc \"aes-256-cbc\"\n#define NID_aes_256_cbc 427\n#define OBJ_aes_256_cbc 2L, 16L, 840L, 1L, 101L, 3L, 4L, 1L, 42L\n\n#define SN_aes_256_ofb128 \"AES-256-OFB\"\n#define LN_aes_256_ofb128 \"aes-256-ofb\"\n#define NID_aes_256_ofb128 428\n#define OBJ_aes_256_ofb128 2L, 16L, 840L, 1L, 101L, 3L, 4L, 1L, 43L\n\n#define SN_aes_256_cfb128 \"AES-256-CFB\"\n#define LN_aes_256_cfb128 \"aes-256-cfb\"\n#define NID_aes_256_cfb128 429\n#define OBJ_aes_256_cfb128 2L, 16L, 840L, 1L, 101L, 3L, 4L, 1L, 44L\n\n#define SN_hold_instruction_code \"holdInstructionCode\"\n#define LN_hold_instruction_code \"Hold Instruction Code\"\n#define NID_hold_instruction_code 430\n#define OBJ_hold_instruction_code 2L, 5L, 29L, 23L\n\n#define SN_hold_instruction_none \"holdInstructionNone\"\n#define LN_hold_instruction_none \"Hold Instruction None\"\n#define NID_hold_instruction_none 431\n#define OBJ_hold_instruction_none 1L, 2L, 840L, 10040L, 2L, 1L\n\n#define SN_hold_instruction_call_issuer \"holdInstructionCallIssuer\"\n#define LN_hold_instruction_call_issuer \"Hold Instruction Call Issuer\"\n#define NID_hold_instruction_call_issuer 432\n#define OBJ_hold_instruction_call_issuer 1L, 2L, 840L, 10040L, 2L, 2L\n\n#define SN_hold_instruction_reject \"holdInstructionReject\"\n#define LN_hold_instruction_reject \"Hold Instruction Reject\"\n#define NID_hold_instruction_reject 433\n#define OBJ_hold_instruction_reject 1L, 2L, 840L, 10040L, 2L, 3L\n\n#define SN_data \"data\"\n#define NID_data 434\n#define OBJ_data 0L, 9L\n\n#define SN_pss \"pss\"\n#define NID_pss 435\n#define OBJ_pss 0L, 9L, 2342L\n\n#define SN_ucl \"ucl\"\n#define NID_ucl 436\n#define OBJ_ucl 0L, 9L, 2342L, 19200300L\n\n#define SN_pilot \"pilot\"\n#define NID_pilot 437\n#define OBJ_pilot 0L, 9L, 2342L, 19200300L, 100L\n\n#define LN_pilotAttributeType \"pilotAttributeType\"\n#define NID_pilotAttributeType 438\n#define OBJ_pilotAttributeType 0L, 9L, 2342L, 19200300L, 100L, 1L\n\n#define LN_pilotAttributeSyntax \"pilotAttributeSyntax\"\n#define NID_pilotAttributeSyntax 439\n#define OBJ_pilotAttributeSyntax 0L, 9L, 2342L, 19200300L, 100L, 3L\n\n#define LN_pilotObjectClass \"pilotObjectClass\"\n#define NID_pilotObjectClass 440\n#define OBJ_pilotObjectClass 0L, 9L, 2342L, 19200300L, 100L, 4L\n\n#define LN_pilotGroups \"pilotGroups\"\n#define NID_pilotGroups 441\n#define OBJ_pilotGroups 0L, 9L, 2342L, 19200300L, 100L, 10L\n\n#define LN_iA5StringSyntax \"iA5StringSyntax\"\n#define NID_iA5StringSyntax 442\n#define OBJ_iA5StringSyntax 0L, 9L, 2342L, 19200300L, 100L, 3L, 4L\n\n#define LN_caseIgnoreIA5StringSyntax \"caseIgnoreIA5StringSyntax\"\n#define NID_caseIgnoreIA5StringSyntax 443\n#define OBJ_caseIgnoreIA5StringSyntax 0L, 9L, 2342L, 19200300L, 100L, 3L, 5L\n\n#define LN_pilotObject \"pilotObject\"\n#define NID_pilotObject 444\n#define OBJ_pilotObject 0L, 9L, 2342L, 19200300L, 100L, 4L, 3L\n\n#define LN_pilotPerson \"pilotPerson\"\n#define NID_pilotPerson 445\n#define OBJ_pilotPerson 0L, 9L, 2342L, 19200300L, 100L, 4L, 4L\n\n#define SN_account \"account\"\n#define NID_account 446\n#define OBJ_account 0L, 9L, 2342L, 19200300L, 100L, 4L, 5L\n\n#define SN_document \"document\"\n#define NID_document 447\n#define OBJ_document 0L, 9L, 2342L, 19200300L, 100L, 4L, 6L\n\n#define SN_room \"room\"\n#define NID_room 448\n#define OBJ_room 0L, 9L, 2342L, 19200300L, 100L, 4L, 7L\n\n#define LN_documentSeries \"documentSeries\"\n#define NID_documentSeries 449\n#define OBJ_documentSeries 0L, 9L, 2342L, 19200300L, 100L, 4L, 9L\n\n#define LN_rFC822localPart \"rFC822localPart\"\n#define NID_rFC822localPart 450\n#define OBJ_rFC822localPart 0L, 9L, 2342L, 19200300L, 100L, 4L, 14L\n\n#define LN_dNSDomain \"dNSDomain\"\n#define NID_dNSDomain 451\n#define OBJ_dNSDomain 0L, 9L, 2342L, 19200300L, 100L, 4L, 15L\n\n#define LN_domainRelatedObject \"domainRelatedObject\"\n#define NID_domainRelatedObject 452\n#define OBJ_domainRelatedObject 0L, 9L, 2342L, 19200300L, 100L, 4L, 17L\n\n#define LN_friendlyCountry \"friendlyCountry\"\n#define NID_friendlyCountry 453\n#define OBJ_friendlyCountry 0L, 9L, 2342L, 19200300L, 100L, 4L, 18L\n\n#define LN_simpleSecurityObject \"simpleSecurityObject\"\n#define NID_simpleSecurityObject 454\n#define OBJ_simpleSecurityObject 0L, 9L, 2342L, 19200300L, 100L, 4L, 19L\n\n#define LN_pilotOrganization \"pilotOrganization\"\n#define NID_pilotOrganization 455\n#define OBJ_pilotOrganization 0L, 9L, 2342L, 19200300L, 100L, 4L, 20L\n\n#define LN_pilotDSA \"pilotDSA\"\n#define NID_pilotDSA 456\n#define OBJ_pilotDSA 0L, 9L, 2342L, 19200300L, 100L, 4L, 21L\n\n#define LN_qualityLabelledData \"qualityLabelledData\"\n#define NID_qualityLabelledData 457\n#define OBJ_qualityLabelledData 0L, 9L, 2342L, 19200300L, 100L, 4L, 22L\n\n#define SN_userId \"UID\"\n#define LN_userId \"userId\"\n#define NID_userId 458\n#define OBJ_userId 0L, 9L, 2342L, 19200300L, 100L, 1L, 1L\n\n#define LN_textEncodedORAddress \"textEncodedORAddress\"\n#define NID_textEncodedORAddress 459\n#define OBJ_textEncodedORAddress 0L, 9L, 2342L, 19200300L, 100L, 1L, 2L\n\n#define SN_rfc822Mailbox \"mail\"\n#define LN_rfc822Mailbox \"rfc822Mailbox\"\n#define NID_rfc822Mailbox 460\n#define OBJ_rfc822Mailbox 0L, 9L, 2342L, 19200300L, 100L, 1L, 3L\n\n#define SN_info \"info\"\n#define NID_info 461\n#define OBJ_info 0L, 9L, 2342L, 19200300L, 100L, 1L, 4L\n\n#define LN_favouriteDrink \"favouriteDrink\"\n#define NID_favouriteDrink 462\n#define OBJ_favouriteDrink 0L, 9L, 2342L, 19200300L, 100L, 1L, 5L\n\n#define LN_roomNumber \"roomNumber\"\n#define NID_roomNumber 463\n#define OBJ_roomNumber 0L, 9L, 2342L, 19200300L, 100L, 1L, 6L\n\n#define SN_photo \"photo\"\n#define NID_photo 464\n#define OBJ_photo 0L, 9L, 2342L, 19200300L, 100L, 1L, 7L\n\n#define LN_userClass \"userClass\"\n#define NID_userClass 465\n#define OBJ_userClass 0L, 9L, 2342L, 19200300L, 100L, 1L, 8L\n\n#define SN_host \"host\"\n#define NID_host 466\n#define OBJ_host 0L, 9L, 2342L, 19200300L, 100L, 1L, 9L\n\n#define SN_manager \"manager\"\n#define NID_manager 467\n#define OBJ_manager 0L, 9L, 2342L, 19200300L, 100L, 1L, 10L\n\n#define LN_documentIdentifier \"documentIdentifier\"\n#define NID_documentIdentifier 468\n#define OBJ_documentIdentifier 0L, 9L, 2342L, 19200300L, 100L, 1L, 11L\n\n#define LN_documentTitle \"documentTitle\"\n#define NID_documentTitle 469\n#define OBJ_documentTitle 0L, 9L, 2342L, 19200300L, 100L, 1L, 12L\n\n#define LN_documentVersion \"documentVersion\"\n#define NID_documentVersion 470\n#define OBJ_documentVersion 0L, 9L, 2342L, 19200300L, 100L, 1L, 13L\n\n#define LN_documentAuthor \"documentAuthor\"\n#define NID_documentAuthor 471\n#define OBJ_documentAuthor 0L, 9L, 2342L, 19200300L, 100L, 1L, 14L\n\n#define LN_documentLocation \"documentLocation\"\n#define NID_documentLocation 472\n#define OBJ_documentLocation 0L, 9L, 2342L, 19200300L, 100L, 1L, 15L\n\n#define LN_homeTelephoneNumber \"homeTelephoneNumber\"\n#define NID_homeTelephoneNumber 473\n#define OBJ_homeTelephoneNumber 0L, 9L, 2342L, 19200300L, 100L, 1L, 20L\n\n#define SN_secretary \"secretary\"\n#define NID_secretary 474\n#define OBJ_secretary 0L, 9L, 2342L, 19200300L, 100L, 1L, 21L\n\n#define LN_otherMailbox \"otherMailbox\"\n#define NID_otherMailbox 475\n#define OBJ_otherMailbox 0L, 9L, 2342L, 19200300L, 100L, 1L, 22L\n\n#define LN_lastModifiedTime \"lastModifiedTime\"\n#define NID_lastModifiedTime 476\n#define OBJ_lastModifiedTime 0L, 9L, 2342L, 19200300L, 100L, 1L, 23L\n\n#define LN_lastModifiedBy \"lastModifiedBy\"\n#define NID_lastModifiedBy 477\n#define OBJ_lastModifiedBy 0L, 9L, 2342L, 19200300L, 100L, 1L, 24L\n\n#define LN_aRecord \"aRecord\"\n#define NID_aRecord 478\n#define OBJ_aRecord 0L, 9L, 2342L, 19200300L, 100L, 1L, 26L\n\n#define LN_pilotAttributeType27 \"pilotAttributeType27\"\n#define NID_pilotAttributeType27 479\n#define OBJ_pilotAttributeType27 0L, 9L, 2342L, 19200300L, 100L, 1L, 27L\n\n#define LN_mXRecord \"mXRecord\"\n#define NID_mXRecord 480\n#define OBJ_mXRecord 0L, 9L, 2342L, 19200300L, 100L, 1L, 28L\n\n#define LN_nSRecord \"nSRecord\"\n#define NID_nSRecord 481\n#define OBJ_nSRecord 0L, 9L, 2342L, 19200300L, 100L, 1L, 29L\n\n#define LN_sOARecord \"sOARecord\"\n#define NID_sOARecord 482\n#define OBJ_sOARecord 0L, 9L, 2342L, 19200300L, 100L, 1L, 30L\n\n#define LN_cNAMERecord \"cNAMERecord\"\n#define NID_cNAMERecord 483\n#define OBJ_cNAMERecord 0L, 9L, 2342L, 19200300L, 100L, 1L, 31L\n\n#define LN_associatedDomain \"associatedDomain\"\n#define NID_associatedDomain 484\n#define OBJ_associatedDomain 0L, 9L, 2342L, 19200300L, 100L, 1L, 37L\n\n#define LN_associatedName \"associatedName\"\n#define NID_associatedName 485\n#define OBJ_associatedName 0L, 9L, 2342L, 19200300L, 100L, 1L, 38L\n\n#define LN_homePostalAddress \"homePostalAddress\"\n#define NID_homePostalAddress 486\n#define OBJ_homePostalAddress 0L, 9L, 2342L, 19200300L, 100L, 1L, 39L\n\n#define LN_personalTitle \"personalTitle\"\n#define NID_personalTitle 487\n#define OBJ_personalTitle 0L, 9L, 2342L, 19200300L, 100L, 1L, 40L\n\n#define LN_mobileTelephoneNumber \"mobileTelephoneNumber\"\n#define NID_mobileTelephoneNumber 488\n#define OBJ_mobileTelephoneNumber 0L, 9L, 2342L, 19200300L, 100L, 1L, 41L\n\n#define LN_pagerTelephoneNumber \"pagerTelephoneNumber\"\n#define NID_pagerTelephoneNumber 489\n#define OBJ_pagerTelephoneNumber 0L, 9L, 2342L, 19200300L, 100L, 1L, 42L\n\n#define LN_friendlyCountryName \"friendlyCountryName\"\n#define NID_friendlyCountryName 490\n#define OBJ_friendlyCountryName 0L, 9L, 2342L, 19200300L, 100L, 1L, 43L\n\n#define LN_organizationalStatus \"organizationalStatus\"\n#define NID_organizationalStatus 491\n#define OBJ_organizationalStatus 0L, 9L, 2342L, 19200300L, 100L, 1L, 45L\n\n#define LN_janetMailbox \"janetMailbox\"\n#define NID_janetMailbox 492\n#define OBJ_janetMailbox 0L, 9L, 2342L, 19200300L, 100L, 1L, 46L\n\n#define LN_mailPreferenceOption \"mailPreferenceOption\"\n#define NID_mailPreferenceOption 493\n#define OBJ_mailPreferenceOption 0L, 9L, 2342L, 19200300L, 100L, 1L, 47L\n\n#define LN_buildingName \"buildingName\"\n#define NID_buildingName 494\n#define OBJ_buildingName 0L, 9L, 2342L, 19200300L, 100L, 1L, 48L\n\n#define LN_dSAQuality \"dSAQuality\"\n#define NID_dSAQuality 495\n#define OBJ_dSAQuality 0L, 9L, 2342L, 19200300L, 100L, 1L, 49L\n\n#define LN_singleLevelQuality \"singleLevelQuality\"\n#define NID_singleLevelQuality 496\n#define OBJ_singleLevelQuality 0L, 9L, 2342L, 19200300L, 100L, 1L, 50L\n\n#define LN_subtreeMinimumQuality \"subtreeMinimumQuality\"\n#define NID_subtreeMinimumQuality 497\n#define OBJ_subtreeMinimumQuality 0L, 9L, 2342L, 19200300L, 100L, 1L, 51L\n\n#define LN_subtreeMaximumQuality \"subtreeMaximumQuality\"\n#define NID_subtreeMaximumQuality 498\n#define OBJ_subtreeMaximumQuality 0L, 9L, 2342L, 19200300L, 100L, 1L, 52L\n\n#define LN_personalSignature \"personalSignature\"\n#define NID_personalSignature 499\n#define OBJ_personalSignature 0L, 9L, 2342L, 19200300L, 100L, 1L, 53L\n\n#define LN_dITRedirect \"dITRedirect\"\n#define NID_dITRedirect 500\n#define OBJ_dITRedirect 0L, 9L, 2342L, 19200300L, 100L, 1L, 54L\n\n#define SN_audio \"audio\"\n#define NID_audio 501\n#define OBJ_audio 0L, 9L, 2342L, 19200300L, 100L, 1L, 55L\n\n#define LN_documentPublisher \"documentPublisher\"\n#define NID_documentPublisher 502\n#define OBJ_documentPublisher 0L, 9L, 2342L, 19200300L, 100L, 1L, 56L\n\n#define LN_x500UniqueIdentifier \"x500UniqueIdentifier\"\n#define NID_x500UniqueIdentifier 503\n#define OBJ_x500UniqueIdentifier 2L, 5L, 4L, 45L\n\n#define SN_mime_mhs \"mime-mhs\"\n#define LN_mime_mhs \"MIME MHS\"\n#define NID_mime_mhs 504\n#define OBJ_mime_mhs 1L, 3L, 6L, 1L, 7L, 1L\n\n#define SN_mime_mhs_headings \"mime-mhs-headings\"\n#define LN_mime_mhs_headings \"mime-mhs-headings\"\n#define NID_mime_mhs_headings 505\n#define OBJ_mime_mhs_headings 1L, 3L, 6L, 1L, 7L, 1L, 1L\n\n#define SN_mime_mhs_bodies \"mime-mhs-bodies\"\n#define LN_mime_mhs_bodies \"mime-mhs-bodies\"\n#define NID_mime_mhs_bodies 506\n#define OBJ_mime_mhs_bodies 1L, 3L, 6L, 1L, 7L, 1L, 2L\n\n#define SN_id_hex_partial_message \"id-hex-partial-message\"\n#define LN_id_hex_partial_message \"id-hex-partial-message\"\n#define NID_id_hex_partial_message 507\n#define OBJ_id_hex_partial_message 1L, 3L, 6L, 1L, 7L, 1L, 1L, 1L\n\n#define SN_id_hex_multipart_message \"id-hex-multipart-message\"\n#define LN_id_hex_multipart_message \"id-hex-multipart-message\"\n#define NID_id_hex_multipart_message 508\n#define OBJ_id_hex_multipart_message 1L, 3L, 6L, 1L, 7L, 1L, 1L, 2L\n\n#define LN_generationQualifier \"generationQualifier\"\n#define NID_generationQualifier 509\n#define OBJ_generationQualifier 2L, 5L, 4L, 44L\n\n#define LN_pseudonym \"pseudonym\"\n#define NID_pseudonym 510\n#define OBJ_pseudonym 2L, 5L, 4L, 65L\n\n#define SN_id_set \"id-set\"\n#define LN_id_set \"Secure Electronic Transactions\"\n#define NID_id_set 512\n#define OBJ_id_set 2L, 23L, 42L\n\n#define SN_set_ctype \"set-ctype\"\n#define LN_set_ctype \"content types\"\n#define NID_set_ctype 513\n#define OBJ_set_ctype 2L, 23L, 42L, 0L\n\n#define SN_set_msgExt \"set-msgExt\"\n#define LN_set_msgExt \"message extensions\"\n#define NID_set_msgExt 514\n#define OBJ_set_msgExt 2L, 23L, 42L, 1L\n\n#define SN_set_attr \"set-attr\"\n#define NID_set_attr 515\n#define OBJ_set_attr 2L, 23L, 42L, 3L\n\n#define SN_set_policy \"set-policy\"\n#define NID_set_policy 516\n#define OBJ_set_policy 2L, 23L, 42L, 5L\n\n#define SN_set_certExt \"set-certExt\"\n#define LN_set_certExt \"certificate extensions\"\n#define NID_set_certExt 517\n#define OBJ_set_certExt 2L, 23L, 42L, 7L\n\n#define SN_set_brand \"set-brand\"\n#define NID_set_brand 518\n#define OBJ_set_brand 2L, 23L, 42L, 8L\n\n#define SN_setct_PANData \"setct-PANData\"\n#define NID_setct_PANData 519\n#define OBJ_setct_PANData 2L, 23L, 42L, 0L, 0L\n\n#define SN_setct_PANToken \"setct-PANToken\"\n#define NID_setct_PANToken 520\n#define OBJ_setct_PANToken 2L, 23L, 42L, 0L, 1L\n\n#define SN_setct_PANOnly \"setct-PANOnly\"\n#define NID_setct_PANOnly 521\n#define OBJ_setct_PANOnly 2L, 23L, 42L, 0L, 2L\n\n#define SN_setct_OIData \"setct-OIData\"\n#define NID_setct_OIData 522\n#define OBJ_setct_OIData 2L, 23L, 42L, 0L, 3L\n\n#define SN_setct_PI \"setct-PI\"\n#define NID_setct_PI 523\n#define OBJ_setct_PI 2L, 23L, 42L, 0L, 4L\n\n#define SN_setct_PIData \"setct-PIData\"\n#define NID_setct_PIData 524\n#define OBJ_setct_PIData 2L, 23L, 42L, 0L, 5L\n\n#define SN_setct_PIDataUnsigned \"setct-PIDataUnsigned\"\n#define NID_setct_PIDataUnsigned 525\n#define OBJ_setct_PIDataUnsigned 2L, 23L, 42L, 0L, 6L\n\n#define SN_setct_HODInput \"setct-HODInput\"\n#define NID_setct_HODInput 526\n#define OBJ_setct_HODInput 2L, 23L, 42L, 0L, 7L\n\n#define SN_setct_AuthResBaggage \"setct-AuthResBaggage\"\n#define NID_setct_AuthResBaggage 527\n#define OBJ_setct_AuthResBaggage 2L, 23L, 42L, 0L, 8L\n\n#define SN_setct_AuthRevReqBaggage \"setct-AuthRevReqBaggage\"\n#define NID_setct_AuthRevReqBaggage 528\n#define OBJ_setct_AuthRevReqBaggage 2L, 23L, 42L, 0L, 9L\n\n#define SN_setct_AuthRevResBaggage \"setct-AuthRevResBaggage\"\n#define NID_setct_AuthRevResBaggage 529\n#define OBJ_setct_AuthRevResBaggage 2L, 23L, 42L, 0L, 10L\n\n#define SN_setct_CapTokenSeq \"setct-CapTokenSeq\"\n#define NID_setct_CapTokenSeq 530\n#define OBJ_setct_CapTokenSeq 2L, 23L, 42L, 0L, 11L\n\n#define SN_setct_PInitResData \"setct-PInitResData\"\n#define NID_setct_PInitResData 531\n#define OBJ_setct_PInitResData 2L, 23L, 42L, 0L, 12L\n\n#define SN_setct_PI_TBS \"setct-PI-TBS\"\n#define NID_setct_PI_TBS 532\n#define OBJ_setct_PI_TBS 2L, 23L, 42L, 0L, 13L\n\n#define SN_setct_PResData \"setct-PResData\"\n#define NID_setct_PResData 533\n#define OBJ_setct_PResData 2L, 23L, 42L, 0L, 14L\n\n#define SN_setct_AuthReqTBS \"setct-AuthReqTBS\"\n#define NID_setct_AuthReqTBS 534\n#define OBJ_setct_AuthReqTBS 2L, 23L, 42L, 0L, 16L\n\n#define SN_setct_AuthResTBS \"setct-AuthResTBS\"\n#define NID_setct_AuthResTBS 535\n#define OBJ_setct_AuthResTBS 2L, 23L, 42L, 0L, 17L\n\n#define SN_setct_AuthResTBSX \"setct-AuthResTBSX\"\n#define NID_setct_AuthResTBSX 536\n#define OBJ_setct_AuthResTBSX 2L, 23L, 42L, 0L, 18L\n\n#define SN_setct_AuthTokenTBS \"setct-AuthTokenTBS\"\n#define NID_setct_AuthTokenTBS 537\n#define OBJ_setct_AuthTokenTBS 2L, 23L, 42L, 0L, 19L\n\n#define SN_setct_CapTokenData \"setct-CapTokenData\"\n#define NID_setct_CapTokenData 538\n#define OBJ_setct_CapTokenData 2L, 23L, 42L, 0L, 20L\n\n#define SN_setct_CapTokenTBS \"setct-CapTokenTBS\"\n#define NID_setct_CapTokenTBS 539\n#define OBJ_setct_CapTokenTBS 2L, 23L, 42L, 0L, 21L\n\n#define SN_setct_AcqCardCodeMsg \"setct-AcqCardCodeMsg\"\n#define NID_setct_AcqCardCodeMsg 540\n#define OBJ_setct_AcqCardCodeMsg 2L, 23L, 42L, 0L, 22L\n\n#define SN_setct_AuthRevReqTBS \"setct-AuthRevReqTBS\"\n#define NID_setct_AuthRevReqTBS 541\n#define OBJ_setct_AuthRevReqTBS 2L, 23L, 42L, 0L, 23L\n\n#define SN_setct_AuthRevResData \"setct-AuthRevResData\"\n#define NID_setct_AuthRevResData 542\n#define OBJ_setct_AuthRevResData 2L, 23L, 42L, 0L, 24L\n\n#define SN_setct_AuthRevResTBS \"setct-AuthRevResTBS\"\n#define NID_setct_AuthRevResTBS 543\n#define OBJ_setct_AuthRevResTBS 2L, 23L, 42L, 0L, 25L\n\n#define SN_setct_CapReqTBS \"setct-CapReqTBS\"\n#define NID_setct_CapReqTBS 544\n#define OBJ_setct_CapReqTBS 2L, 23L, 42L, 0L, 26L\n\n#define SN_setct_CapReqTBSX \"setct-CapReqTBSX\"\n#define NID_setct_CapReqTBSX 545\n#define OBJ_setct_CapReqTBSX 2L, 23L, 42L, 0L, 27L\n\n#define SN_setct_CapResData \"setct-CapResData\"\n#define NID_setct_CapResData 546\n#define OBJ_setct_CapResData 2L, 23L, 42L, 0L, 28L\n\n#define SN_setct_CapRevReqTBS \"setct-CapRevReqTBS\"\n#define NID_setct_CapRevReqTBS 547\n#define OBJ_setct_CapRevReqTBS 2L, 23L, 42L, 0L, 29L\n\n#define SN_setct_CapRevReqTBSX \"setct-CapRevReqTBSX\"\n#define NID_setct_CapRevReqTBSX 548\n#define OBJ_setct_CapRevReqTBSX 2L, 23L, 42L, 0L, 30L\n\n#define SN_setct_CapRevResData \"setct-CapRevResData\"\n#define NID_setct_CapRevResData 549\n#define OBJ_setct_CapRevResData 2L, 23L, 42L, 0L, 31L\n\n#define SN_setct_CredReqTBS \"setct-CredReqTBS\"\n#define NID_setct_CredReqTBS 550\n#define OBJ_setct_CredReqTBS 2L, 23L, 42L, 0L, 32L\n\n#define SN_setct_CredReqTBSX \"setct-CredReqTBSX\"\n#define NID_setct_CredReqTBSX 551\n#define OBJ_setct_CredReqTBSX 2L, 23L, 42L, 0L, 33L\n\n#define SN_setct_CredResData \"setct-CredResData\"\n#define NID_setct_CredResData 552\n#define OBJ_setct_CredResData 2L, 23L, 42L, 0L, 34L\n\n#define SN_setct_CredRevReqTBS \"setct-CredRevReqTBS\"\n#define NID_setct_CredRevReqTBS 553\n#define OBJ_setct_CredRevReqTBS 2L, 23L, 42L, 0L, 35L\n\n#define SN_setct_CredRevReqTBSX \"setct-CredRevReqTBSX\"\n#define NID_setct_CredRevReqTBSX 554\n#define OBJ_setct_CredRevReqTBSX 2L, 23L, 42L, 0L, 36L\n\n#define SN_setct_CredRevResData \"setct-CredRevResData\"\n#define NID_setct_CredRevResData 555\n#define OBJ_setct_CredRevResData 2L, 23L, 42L, 0L, 37L\n\n#define SN_setct_PCertReqData \"setct-PCertReqData\"\n#define NID_setct_PCertReqData 556\n#define OBJ_setct_PCertReqData 2L, 23L, 42L, 0L, 38L\n\n#define SN_setct_PCertResTBS \"setct-PCertResTBS\"\n#define NID_setct_PCertResTBS 557\n#define OBJ_setct_PCertResTBS 2L, 23L, 42L, 0L, 39L\n\n#define SN_setct_BatchAdminReqData \"setct-BatchAdminReqData\"\n#define NID_setct_BatchAdminReqData 558\n#define OBJ_setct_BatchAdminReqData 2L, 23L, 42L, 0L, 40L\n\n#define SN_setct_BatchAdminResData \"setct-BatchAdminResData\"\n#define NID_setct_BatchAdminResData 559\n#define OBJ_setct_BatchAdminResData 2L, 23L, 42L, 0L, 41L\n\n#define SN_setct_CardCInitResTBS \"setct-CardCInitResTBS\"\n#define NID_setct_CardCInitResTBS 560\n#define OBJ_setct_CardCInitResTBS 2L, 23L, 42L, 0L, 42L\n\n#define SN_setct_MeAqCInitResTBS \"setct-MeAqCInitResTBS\"\n#define NID_setct_MeAqCInitResTBS 561\n#define OBJ_setct_MeAqCInitResTBS 2L, 23L, 42L, 0L, 43L\n\n#define SN_setct_RegFormResTBS \"setct-RegFormResTBS\"\n#define NID_setct_RegFormResTBS 562\n#define OBJ_setct_RegFormResTBS 2L, 23L, 42L, 0L, 44L\n\n#define SN_setct_CertReqData \"setct-CertReqData\"\n#define NID_setct_CertReqData 563\n#define OBJ_setct_CertReqData 2L, 23L, 42L, 0L, 45L\n\n#define SN_setct_CertReqTBS \"setct-CertReqTBS\"\n#define NID_setct_CertReqTBS 564\n#define OBJ_setct_CertReqTBS 2L, 23L, 42L, 0L, 46L\n\n#define SN_setct_CertResData \"setct-CertResData\"\n#define NID_setct_CertResData 565\n#define OBJ_setct_CertResData 2L, 23L, 42L, 0L, 47L\n\n#define SN_setct_CertInqReqTBS \"setct-CertInqReqTBS\"\n#define NID_setct_CertInqReqTBS 566\n#define OBJ_setct_CertInqReqTBS 2L, 23L, 42L, 0L, 48L\n\n#define SN_setct_ErrorTBS \"setct-ErrorTBS\"\n#define NID_setct_ErrorTBS 567\n#define OBJ_setct_ErrorTBS 2L, 23L, 42L, 0L, 49L\n\n#define SN_setct_PIDualSignedTBE \"setct-PIDualSignedTBE\"\n#define NID_setct_PIDualSignedTBE 568\n#define OBJ_setct_PIDualSignedTBE 2L, 23L, 42L, 0L, 50L\n\n#define SN_setct_PIUnsignedTBE \"setct-PIUnsignedTBE\"\n#define NID_setct_PIUnsignedTBE 569\n#define OBJ_setct_PIUnsignedTBE 2L, 23L, 42L, 0L, 51L\n\n#define SN_setct_AuthReqTBE \"setct-AuthReqTBE\"\n#define NID_setct_AuthReqTBE 570\n#define OBJ_setct_AuthReqTBE 2L, 23L, 42L, 0L, 52L\n\n#define SN_setct_AuthResTBE \"setct-AuthResTBE\"\n#define NID_setct_AuthResTBE 571\n#define OBJ_setct_AuthResTBE 2L, 23L, 42L, 0L, 53L\n\n#define SN_setct_AuthResTBEX \"setct-AuthResTBEX\"\n#define NID_setct_AuthResTBEX 572\n#define OBJ_setct_AuthResTBEX 2L, 23L, 42L, 0L, 54L\n\n#define SN_setct_AuthTokenTBE \"setct-AuthTokenTBE\"\n#define NID_setct_AuthTokenTBE 573\n#define OBJ_setct_AuthTokenTBE 2L, 23L, 42L, 0L, 55L\n\n#define SN_setct_CapTokenTBE \"setct-CapTokenTBE\"\n#define NID_setct_CapTokenTBE 574\n#define OBJ_setct_CapTokenTBE 2L, 23L, 42L, 0L, 56L\n\n#define SN_setct_CapTokenTBEX \"setct-CapTokenTBEX\"\n#define NID_setct_CapTokenTBEX 575\n#define OBJ_setct_CapTokenTBEX 2L, 23L, 42L, 0L, 57L\n\n#define SN_setct_AcqCardCodeMsgTBE \"setct-AcqCardCodeMsgTBE\"\n#define NID_setct_AcqCardCodeMsgTBE 576\n#define OBJ_setct_AcqCardCodeMsgTBE 2L, 23L, 42L, 0L, 58L\n\n#define SN_setct_AuthRevReqTBE \"setct-AuthRevReqTBE\"\n#define NID_setct_AuthRevReqTBE 577\n#define OBJ_setct_AuthRevReqTBE 2L, 23L, 42L, 0L, 59L\n\n#define SN_setct_AuthRevResTBE \"setct-AuthRevResTBE\"\n#define NID_setct_AuthRevResTBE 578\n#define OBJ_setct_AuthRevResTBE 2L, 23L, 42L, 0L, 60L\n\n#define SN_setct_AuthRevResTBEB \"setct-AuthRevResTBEB\"\n#define NID_setct_AuthRevResTBEB 579\n#define OBJ_setct_AuthRevResTBEB 2L, 23L, 42L, 0L, 61L\n\n#define SN_setct_CapReqTBE \"setct-CapReqTBE\"\n#define NID_setct_CapReqTBE 580\n#define OBJ_setct_CapReqTBE 2L, 23L, 42L, 0L, 62L\n\n#define SN_setct_CapReqTBEX \"setct-CapReqTBEX\"\n#define NID_setct_CapReqTBEX 581\n#define OBJ_setct_CapReqTBEX 2L, 23L, 42L, 0L, 63L\n\n#define SN_setct_CapResTBE \"setct-CapResTBE\"\n#define NID_setct_CapResTBE 582\n#define OBJ_setct_CapResTBE 2L, 23L, 42L, 0L, 64L\n\n#define SN_setct_CapRevReqTBE \"setct-CapRevReqTBE\"\n#define NID_setct_CapRevReqTBE 583\n#define OBJ_setct_CapRevReqTBE 2L, 23L, 42L, 0L, 65L\n\n#define SN_setct_CapRevReqTBEX \"setct-CapRevReqTBEX\"\n#define NID_setct_CapRevReqTBEX 584\n#define OBJ_setct_CapRevReqTBEX 2L, 23L, 42L, 0L, 66L\n\n#define SN_setct_CapRevResTBE \"setct-CapRevResTBE\"\n#define NID_setct_CapRevResTBE 585\n#define OBJ_setct_CapRevResTBE 2L, 23L, 42L, 0L, 67L\n\n#define SN_setct_CredReqTBE \"setct-CredReqTBE\"\n#define NID_setct_CredReqTBE 586\n#define OBJ_setct_CredReqTBE 2L, 23L, 42L, 0L, 68L\n\n#define SN_setct_CredReqTBEX \"setct-CredReqTBEX\"\n#define NID_setct_CredReqTBEX 587\n#define OBJ_setct_CredReqTBEX 2L, 23L, 42L, 0L, 69L\n\n#define SN_setct_CredResTBE \"setct-CredResTBE\"\n#define NID_setct_CredResTBE 588\n#define OBJ_setct_CredResTBE 2L, 23L, 42L, 0L, 70L\n\n#define SN_setct_CredRevReqTBE \"setct-CredRevReqTBE\"\n#define NID_setct_CredRevReqTBE 589\n#define OBJ_setct_CredRevReqTBE 2L, 23L, 42L, 0L, 71L\n\n#define SN_setct_CredRevReqTBEX \"setct-CredRevReqTBEX\"\n#define NID_setct_CredRevReqTBEX 590\n#define OBJ_setct_CredRevReqTBEX 2L, 23L, 42L, 0L, 72L\n\n#define SN_setct_CredRevResTBE \"setct-CredRevResTBE\"\n#define NID_setct_CredRevResTBE 591\n#define OBJ_setct_CredRevResTBE 2L, 23L, 42L, 0L, 73L\n\n#define SN_setct_BatchAdminReqTBE \"setct-BatchAdminReqTBE\"\n#define NID_setct_BatchAdminReqTBE 592\n#define OBJ_setct_BatchAdminReqTBE 2L, 23L, 42L, 0L, 74L\n\n#define SN_setct_BatchAdminResTBE \"setct-BatchAdminResTBE\"\n#define NID_setct_BatchAdminResTBE 593\n#define OBJ_setct_BatchAdminResTBE 2L, 23L, 42L, 0L, 75L\n\n#define SN_setct_RegFormReqTBE \"setct-RegFormReqTBE\"\n#define NID_setct_RegFormReqTBE 594\n#define OBJ_setct_RegFormReqTBE 2L, 23L, 42L, 0L, 76L\n\n#define SN_setct_CertReqTBE \"setct-CertReqTBE\"\n#define NID_setct_CertReqTBE 595\n#define OBJ_setct_CertReqTBE 2L, 23L, 42L, 0L, 77L\n\n#define SN_setct_CertReqTBEX \"setct-CertReqTBEX\"\n#define NID_setct_CertReqTBEX 596\n#define OBJ_setct_CertReqTBEX 2L, 23L, 42L, 0L, 78L\n\n#define SN_setct_CertResTBE \"setct-CertResTBE\"\n#define NID_setct_CertResTBE 597\n#define OBJ_setct_CertResTBE 2L, 23L, 42L, 0L, 79L\n\n#define SN_setct_CRLNotificationTBS \"setct-CRLNotificationTBS\"\n#define NID_setct_CRLNotificationTBS 598\n#define OBJ_setct_CRLNotificationTBS 2L, 23L, 42L, 0L, 80L\n\n#define SN_setct_CRLNotificationResTBS \"setct-CRLNotificationResTBS\"\n#define NID_setct_CRLNotificationResTBS 599\n#define OBJ_setct_CRLNotificationResTBS 2L, 23L, 42L, 0L, 81L\n\n#define SN_setct_BCIDistributionTBS \"setct-BCIDistributionTBS\"\n#define NID_setct_BCIDistributionTBS 600\n#define OBJ_setct_BCIDistributionTBS 2L, 23L, 42L, 0L, 82L\n\n#define SN_setext_genCrypt \"setext-genCrypt\"\n#define LN_setext_genCrypt \"generic cryptogram\"\n#define NID_setext_genCrypt 601\n#define OBJ_setext_genCrypt 2L, 23L, 42L, 1L, 1L\n\n#define SN_setext_miAuth \"setext-miAuth\"\n#define LN_setext_miAuth \"merchant initiated auth\"\n#define NID_setext_miAuth 602\n#define OBJ_setext_miAuth 2L, 23L, 42L, 1L, 3L\n\n#define SN_setext_pinSecure \"setext-pinSecure\"\n#define NID_setext_pinSecure 603\n#define OBJ_setext_pinSecure 2L, 23L, 42L, 1L, 4L\n\n#define SN_setext_pinAny \"setext-pinAny\"\n#define NID_setext_pinAny 604\n#define OBJ_setext_pinAny 2L, 23L, 42L, 1L, 5L\n\n#define SN_setext_track2 \"setext-track2\"\n#define NID_setext_track2 605\n#define OBJ_setext_track2 2L, 23L, 42L, 1L, 7L\n\n#define SN_setext_cv \"setext-cv\"\n#define LN_setext_cv \"additional verification\"\n#define NID_setext_cv 606\n#define OBJ_setext_cv 2L, 23L, 42L, 1L, 8L\n\n#define SN_set_policy_root \"set-policy-root\"\n#define NID_set_policy_root 607\n#define OBJ_set_policy_root 2L, 23L, 42L, 5L, 0L\n\n#define SN_setCext_hashedRoot \"setCext-hashedRoot\"\n#define NID_setCext_hashedRoot 608\n#define OBJ_setCext_hashedRoot 2L, 23L, 42L, 7L, 0L\n\n#define SN_setCext_certType \"setCext-certType\"\n#define NID_setCext_certType 609\n#define OBJ_setCext_certType 2L, 23L, 42L, 7L, 1L\n\n#define SN_setCext_merchData \"setCext-merchData\"\n#define NID_setCext_merchData 610\n#define OBJ_setCext_merchData 2L, 23L, 42L, 7L, 2L\n\n#define SN_setCext_cCertRequired \"setCext-cCertRequired\"\n#define NID_setCext_cCertRequired 611\n#define OBJ_setCext_cCertRequired 2L, 23L, 42L, 7L, 3L\n\n#define SN_setCext_tunneling \"setCext-tunneling\"\n#define NID_setCext_tunneling 612\n#define OBJ_setCext_tunneling 2L, 23L, 42L, 7L, 4L\n\n#define SN_setCext_setExt \"setCext-setExt\"\n#define NID_setCext_setExt 613\n#define OBJ_setCext_setExt 2L, 23L, 42L, 7L, 5L\n\n#define SN_setCext_setQualf \"setCext-setQualf\"\n#define NID_setCext_setQualf 614\n#define OBJ_setCext_setQualf 2L, 23L, 42L, 7L, 6L\n\n#define SN_setCext_PGWYcapabilities \"setCext-PGWYcapabilities\"\n#define NID_setCext_PGWYcapabilities 615\n#define OBJ_setCext_PGWYcapabilities 2L, 23L, 42L, 7L, 7L\n\n#define SN_setCext_TokenIdentifier \"setCext-TokenIdentifier\"\n#define NID_setCext_TokenIdentifier 616\n#define OBJ_setCext_TokenIdentifier 2L, 23L, 42L, 7L, 8L\n\n#define SN_setCext_Track2Data \"setCext-Track2Data\"\n#define NID_setCext_Track2Data 617\n#define OBJ_setCext_Track2Data 2L, 23L, 42L, 7L, 9L\n\n#define SN_setCext_TokenType \"setCext-TokenType\"\n#define NID_setCext_TokenType 618\n#define OBJ_setCext_TokenType 2L, 23L, 42L, 7L, 10L\n\n#define SN_setCext_IssuerCapabilities \"setCext-IssuerCapabilities\"\n#define NID_setCext_IssuerCapabilities 619\n#define OBJ_setCext_IssuerCapabilities 2L, 23L, 42L, 7L, 11L\n\n#define SN_setAttr_Cert \"setAttr-Cert\"\n#define NID_setAttr_Cert 620\n#define OBJ_setAttr_Cert 2L, 23L, 42L, 3L, 0L\n\n#define SN_setAttr_PGWYcap \"setAttr-PGWYcap\"\n#define LN_setAttr_PGWYcap \"payment gateway capabilities\"\n#define NID_setAttr_PGWYcap 621\n#define OBJ_setAttr_PGWYcap 2L, 23L, 42L, 3L, 1L\n\n#define SN_setAttr_TokenType \"setAttr-TokenType\"\n#define NID_setAttr_TokenType 622\n#define OBJ_setAttr_TokenType 2L, 23L, 42L, 3L, 2L\n\n#define SN_setAttr_IssCap \"setAttr-IssCap\"\n#define LN_setAttr_IssCap \"issuer capabilities\"\n#define NID_setAttr_IssCap 623\n#define OBJ_setAttr_IssCap 2L, 23L, 42L, 3L, 3L\n\n#define SN_set_rootKeyThumb \"set-rootKeyThumb\"\n#define NID_set_rootKeyThumb 624\n#define OBJ_set_rootKeyThumb 2L, 23L, 42L, 3L, 0L, 0L\n\n#define SN_set_addPolicy \"set-addPolicy\"\n#define NID_set_addPolicy 625\n#define OBJ_set_addPolicy 2L, 23L, 42L, 3L, 0L, 1L\n\n#define SN_setAttr_Token_EMV \"setAttr-Token-EMV\"\n#define NID_setAttr_Token_EMV 626\n#define OBJ_setAttr_Token_EMV 2L, 23L, 42L, 3L, 2L, 1L\n\n#define SN_setAttr_Token_B0Prime \"setAttr-Token-B0Prime\"\n#define NID_setAttr_Token_B0Prime 627\n#define OBJ_setAttr_Token_B0Prime 2L, 23L, 42L, 3L, 2L, 2L\n\n#define SN_setAttr_IssCap_CVM \"setAttr-IssCap-CVM\"\n#define NID_setAttr_IssCap_CVM 628\n#define OBJ_setAttr_IssCap_CVM 2L, 23L, 42L, 3L, 3L, 3L\n\n#define SN_setAttr_IssCap_T2 \"setAttr-IssCap-T2\"\n#define NID_setAttr_IssCap_T2 629\n#define OBJ_setAttr_IssCap_T2 2L, 23L, 42L, 3L, 3L, 4L\n\n#define SN_setAttr_IssCap_Sig \"setAttr-IssCap-Sig\"\n#define NID_setAttr_IssCap_Sig 630\n#define OBJ_setAttr_IssCap_Sig 2L, 23L, 42L, 3L, 3L, 5L\n\n#define SN_setAttr_GenCryptgrm \"setAttr-GenCryptgrm\"\n#define LN_setAttr_GenCryptgrm \"generate cryptogram\"\n#define NID_setAttr_GenCryptgrm 631\n#define OBJ_setAttr_GenCryptgrm 2L, 23L, 42L, 3L, 3L, 3L, 1L\n\n#define SN_setAttr_T2Enc \"setAttr-T2Enc\"\n#define LN_setAttr_T2Enc \"encrypted track 2\"\n#define NID_setAttr_T2Enc 632\n#define OBJ_setAttr_T2Enc 2L, 23L, 42L, 3L, 3L, 4L, 1L\n\n#define SN_setAttr_T2cleartxt \"setAttr-T2cleartxt\"\n#define LN_setAttr_T2cleartxt \"cleartext track 2\"\n#define NID_setAttr_T2cleartxt 633\n#define OBJ_setAttr_T2cleartxt 2L, 23L, 42L, 3L, 3L, 4L, 2L\n\n#define SN_setAttr_TokICCsig \"setAttr-TokICCsig\"\n#define LN_setAttr_TokICCsig \"ICC or token signature\"\n#define NID_setAttr_TokICCsig 634\n#define OBJ_setAttr_TokICCsig 2L, 23L, 42L, 3L, 3L, 5L, 1L\n\n#define SN_setAttr_SecDevSig \"setAttr-SecDevSig\"\n#define LN_setAttr_SecDevSig \"secure device signature\"\n#define NID_setAttr_SecDevSig 635\n#define OBJ_setAttr_SecDevSig 2L, 23L, 42L, 3L, 3L, 5L, 2L\n\n#define SN_set_brand_IATA_ATA \"set-brand-IATA-ATA\"\n#define NID_set_brand_IATA_ATA 636\n#define OBJ_set_brand_IATA_ATA 2L, 23L, 42L, 8L, 1L\n\n#define SN_set_brand_Diners \"set-brand-Diners\"\n#define NID_set_brand_Diners 637\n#define OBJ_set_brand_Diners 2L, 23L, 42L, 8L, 30L\n\n#define SN_set_brand_AmericanExpress \"set-brand-AmericanExpress\"\n#define NID_set_brand_AmericanExpress 638\n#define OBJ_set_brand_AmericanExpress 2L, 23L, 42L, 8L, 34L\n\n#define SN_set_brand_JCB \"set-brand-JCB\"\n#define NID_set_brand_JCB 639\n#define OBJ_set_brand_JCB 2L, 23L, 42L, 8L, 35L\n\n#define SN_set_brand_Visa \"set-brand-Visa\"\n#define NID_set_brand_Visa 640\n#define OBJ_set_brand_Visa 2L, 23L, 42L, 8L, 4L\n\n#define SN_set_brand_MasterCard \"set-brand-MasterCard\"\n#define NID_set_brand_MasterCard 641\n#define OBJ_set_brand_MasterCard 2L, 23L, 42L, 8L, 5L\n\n#define SN_set_brand_Novus \"set-brand-Novus\"\n#define NID_set_brand_Novus 642\n#define OBJ_set_brand_Novus 2L, 23L, 42L, 8L, 6011L\n\n#define SN_des_cdmf \"DES-CDMF\"\n#define LN_des_cdmf \"des-cdmf\"\n#define NID_des_cdmf 643\n#define OBJ_des_cdmf 1L, 2L, 840L, 113549L, 3L, 10L\n\n#define SN_rsaOAEPEncryptionSET \"rsaOAEPEncryptionSET\"\n#define NID_rsaOAEPEncryptionSET 644\n#define OBJ_rsaOAEPEncryptionSET 1L, 2L, 840L, 113549L, 1L, 1L, 6L\n\n#define SN_itu_t \"ITU-T\"\n#define LN_itu_t \"itu-t\"\n#define NID_itu_t 645\n#define OBJ_itu_t 0L\n\n#define SN_joint_iso_itu_t \"JOINT-ISO-ITU-T\"\n#define LN_joint_iso_itu_t \"joint-iso-itu-t\"\n#define NID_joint_iso_itu_t 646\n#define OBJ_joint_iso_itu_t 2L\n\n#define SN_international_organizations \"international-organizations\"\n#define LN_international_organizations \"International Organizations\"\n#define NID_international_organizations 647\n#define OBJ_international_organizations 2L, 23L\n\n#define SN_ms_smartcard_login \"msSmartcardLogin\"\n#define LN_ms_smartcard_login \"Microsoft Smartcardlogin\"\n#define NID_ms_smartcard_login 648\n#define OBJ_ms_smartcard_login 1L, 3L, 6L, 1L, 4L, 1L, 311L, 20L, 2L, 2L\n\n#define SN_ms_upn \"msUPN\"\n#define LN_ms_upn \"Microsoft Universal Principal Name\"\n#define NID_ms_upn 649\n#define OBJ_ms_upn 1L, 3L, 6L, 1L, 4L, 1L, 311L, 20L, 2L, 3L\n\n#define SN_aes_128_cfb1 \"AES-128-CFB1\"\n#define LN_aes_128_cfb1 \"aes-128-cfb1\"\n#define NID_aes_128_cfb1 650\n\n#define SN_aes_192_cfb1 \"AES-192-CFB1\"\n#define LN_aes_192_cfb1 \"aes-192-cfb1\"\n#define NID_aes_192_cfb1 651\n\n#define SN_aes_256_cfb1 \"AES-256-CFB1\"\n#define LN_aes_256_cfb1 \"aes-256-cfb1\"\n#define NID_aes_256_cfb1 652\n\n#define SN_aes_128_cfb8 \"AES-128-CFB8\"\n#define LN_aes_128_cfb8 \"aes-128-cfb8\"\n#define NID_aes_128_cfb8 653\n\n#define SN_aes_192_cfb8 \"AES-192-CFB8\"\n#define LN_aes_192_cfb8 \"aes-192-cfb8\"\n#define NID_aes_192_cfb8 654\n\n#define SN_aes_256_cfb8 \"AES-256-CFB8\"\n#define LN_aes_256_cfb8 \"aes-256-cfb8\"\n#define NID_aes_256_cfb8 655\n\n#define SN_des_cfb1 \"DES-CFB1\"\n#define LN_des_cfb1 \"des-cfb1\"\n#define NID_des_cfb1 656\n\n#define SN_des_cfb8 \"DES-CFB8\"\n#define LN_des_cfb8 \"des-cfb8\"\n#define NID_des_cfb8 657\n\n#define SN_des_ede3_cfb1 \"DES-EDE3-CFB1\"\n#define LN_des_ede3_cfb1 \"des-ede3-cfb1\"\n#define NID_des_ede3_cfb1 658\n\n#define SN_des_ede3_cfb8 \"DES-EDE3-CFB8\"\n#define LN_des_ede3_cfb8 \"des-ede3-cfb8\"\n#define NID_des_ede3_cfb8 659\n\n#define SN_streetAddress \"street\"\n#define LN_streetAddress \"streetAddress\"\n#define NID_streetAddress 660\n#define OBJ_streetAddress 2L, 5L, 4L, 9L\n\n#define LN_postalCode \"postalCode\"\n#define NID_postalCode 661\n#define OBJ_postalCode 2L, 5L, 4L, 17L\n\n#define SN_id_ppl \"id-ppl\"\n#define NID_id_ppl 662\n#define OBJ_id_ppl 1L, 3L, 6L, 1L, 5L, 5L, 7L, 21L\n\n#define SN_proxyCertInfo \"proxyCertInfo\"\n#define LN_proxyCertInfo \"Proxy Certificate Information\"\n#define NID_proxyCertInfo 663\n#define OBJ_proxyCertInfo 1L, 3L, 6L, 1L, 5L, 5L, 7L, 1L, 14L\n\n#define SN_id_ppl_anyLanguage \"id-ppl-anyLanguage\"\n#define LN_id_ppl_anyLanguage \"Any language\"\n#define NID_id_ppl_anyLanguage 664\n#define OBJ_id_ppl_anyLanguage 1L, 3L, 6L, 1L, 5L, 5L, 7L, 21L, 0L\n\n#define SN_id_ppl_inheritAll \"id-ppl-inheritAll\"\n#define LN_id_ppl_inheritAll \"Inherit all\"\n#define NID_id_ppl_inheritAll 665\n#define OBJ_id_ppl_inheritAll 1L, 3L, 6L, 1L, 5L, 5L, 7L, 21L, 1L\n\n#define SN_name_constraints \"nameConstraints\"\n#define LN_name_constraints \"X509v3 Name Constraints\"\n#define NID_name_constraints 666\n#define OBJ_name_constraints 2L, 5L, 29L, 30L\n\n#define SN_Independent \"id-ppl-independent\"\n#define LN_Independent \"Independent\"\n#define NID_Independent 667\n#define OBJ_Independent 1L, 3L, 6L, 1L, 5L, 5L, 7L, 21L, 2L\n\n#define SN_sha256WithRSAEncryption \"RSA-SHA256\"\n#define LN_sha256WithRSAEncryption \"sha256WithRSAEncryption\"\n#define NID_sha256WithRSAEncryption 668\n#define OBJ_sha256WithRSAEncryption 1L, 2L, 840L, 113549L, 1L, 1L, 11L\n\n#define SN_sha384WithRSAEncryption \"RSA-SHA384\"\n#define LN_sha384WithRSAEncryption \"sha384WithRSAEncryption\"\n#define NID_sha384WithRSAEncryption 669\n#define OBJ_sha384WithRSAEncryption 1L, 2L, 840L, 113549L, 1L, 1L, 12L\n\n#define SN_sha512WithRSAEncryption \"RSA-SHA512\"\n#define LN_sha512WithRSAEncryption \"sha512WithRSAEncryption\"\n#define NID_sha512WithRSAEncryption 670\n#define OBJ_sha512WithRSAEncryption 1L, 2L, 840L, 113549L, 1L, 1L, 13L\n\n#define SN_sha224WithRSAEncryption \"RSA-SHA224\"\n#define LN_sha224WithRSAEncryption \"sha224WithRSAEncryption\"\n#define NID_sha224WithRSAEncryption 671\n#define OBJ_sha224WithRSAEncryption 1L, 2L, 840L, 113549L, 1L, 1L, 14L\n\n#define SN_sha256 \"SHA256\"\n#define LN_sha256 \"sha256\"\n#define NID_sha256 672\n#define OBJ_sha256 2L, 16L, 840L, 1L, 101L, 3L, 4L, 2L, 1L\n\n#define SN_sha384 \"SHA384\"\n#define LN_sha384 \"sha384\"\n#define NID_sha384 673\n#define OBJ_sha384 2L, 16L, 840L, 1L, 101L, 3L, 4L, 2L, 2L\n\n#define SN_sha512 \"SHA512\"\n#define LN_sha512 \"sha512\"\n#define NID_sha512 674\n#define OBJ_sha512 2L, 16L, 840L, 1L, 101L, 3L, 4L, 2L, 3L\n\n#define SN_sha224 \"SHA224\"\n#define LN_sha224 \"sha224\"\n#define NID_sha224 675\n#define OBJ_sha224 2L, 16L, 840L, 1L, 101L, 3L, 4L, 2L, 4L\n\n#define SN_identified_organization \"identified-organization\"\n#define NID_identified_organization 676\n#define OBJ_identified_organization 1L, 3L\n\n#define SN_certicom_arc \"certicom-arc\"\n#define NID_certicom_arc 677\n#define OBJ_certicom_arc 1L, 3L, 132L\n\n#define SN_wap \"wap\"\n#define NID_wap 678\n#define OBJ_wap 2L, 23L, 43L\n\n#define SN_wap_wsg \"wap-wsg\"\n#define NID_wap_wsg 679\n#define OBJ_wap_wsg 2L, 23L, 43L, 1L\n\n#define SN_X9_62_id_characteristic_two_basis \"id-characteristic-two-basis\"\n#define NID_X9_62_id_characteristic_two_basis 680\n#define OBJ_X9_62_id_characteristic_two_basis 1L, 2L, 840L, 10045L, 1L, 2L, 3L\n\n#define SN_X9_62_onBasis \"onBasis\"\n#define NID_X9_62_onBasis 681\n#define OBJ_X9_62_onBasis 1L, 2L, 840L, 10045L, 1L, 2L, 3L, 1L\n\n#define SN_X9_62_tpBasis \"tpBasis\"\n#define NID_X9_62_tpBasis 682\n#define OBJ_X9_62_tpBasis 1L, 2L, 840L, 10045L, 1L, 2L, 3L, 2L\n\n#define SN_X9_62_ppBasis \"ppBasis\"\n#define NID_X9_62_ppBasis 683\n#define OBJ_X9_62_ppBasis 1L, 2L, 840L, 10045L, 1L, 2L, 3L, 3L\n\n#define SN_X9_62_c2pnb163v1 \"c2pnb163v1\"\n#define NID_X9_62_c2pnb163v1 684\n#define OBJ_X9_62_c2pnb163v1 1L, 2L, 840L, 10045L, 3L, 0L, 1L\n\n#define SN_X9_62_c2pnb163v2 \"c2pnb163v2\"\n#define NID_X9_62_c2pnb163v2 685\n#define OBJ_X9_62_c2pnb163v2 1L, 2L, 840L, 10045L, 3L, 0L, 2L\n\n#define SN_X9_62_c2pnb163v3 \"c2pnb163v3\"\n#define NID_X9_62_c2pnb163v3 686\n#define OBJ_X9_62_c2pnb163v3 1L, 2L, 840L, 10045L, 3L, 0L, 3L\n\n#define SN_X9_62_c2pnb176v1 \"c2pnb176v1\"\n#define NID_X9_62_c2pnb176v1 687\n#define OBJ_X9_62_c2pnb176v1 1L, 2L, 840L, 10045L, 3L, 0L, 4L\n\n#define SN_X9_62_c2tnb191v1 \"c2tnb191v1\"\n#define NID_X9_62_c2tnb191v1 688\n#define OBJ_X9_62_c2tnb191v1 1L, 2L, 840L, 10045L, 3L, 0L, 5L\n\n#define SN_X9_62_c2tnb191v2 \"c2tnb191v2\"\n#define NID_X9_62_c2tnb191v2 689\n#define OBJ_X9_62_c2tnb191v2 1L, 2L, 840L, 10045L, 3L, 0L, 6L\n\n#define SN_X9_62_c2tnb191v3 \"c2tnb191v3\"\n#define NID_X9_62_c2tnb191v3 690\n#define OBJ_X9_62_c2tnb191v3 1L, 2L, 840L, 10045L, 3L, 0L, 7L\n\n#define SN_X9_62_c2onb191v4 \"c2onb191v4\"\n#define NID_X9_62_c2onb191v4 691\n#define OBJ_X9_62_c2onb191v4 1L, 2L, 840L, 10045L, 3L, 0L, 8L\n\n#define SN_X9_62_c2onb191v5 \"c2onb191v5\"\n#define NID_X9_62_c2onb191v5 692\n#define OBJ_X9_62_c2onb191v5 1L, 2L, 840L, 10045L, 3L, 0L, 9L\n\n#define SN_X9_62_c2pnb208w1 \"c2pnb208w1\"\n#define NID_X9_62_c2pnb208w1 693\n#define OBJ_X9_62_c2pnb208w1 1L, 2L, 840L, 10045L, 3L, 0L, 10L\n\n#define SN_X9_62_c2tnb239v1 \"c2tnb239v1\"\n#define NID_X9_62_c2tnb239v1 694\n#define OBJ_X9_62_c2tnb239v1 1L, 2L, 840L, 10045L, 3L, 0L, 11L\n\n#define SN_X9_62_c2tnb239v2 \"c2tnb239v2\"\n#define NID_X9_62_c2tnb239v2 695\n#define OBJ_X9_62_c2tnb239v2 1L, 2L, 840L, 10045L, 3L, 0L, 12L\n\n#define SN_X9_62_c2tnb239v3 \"c2tnb239v3\"\n#define NID_X9_62_c2tnb239v3 696\n#define OBJ_X9_62_c2tnb239v3 1L, 2L, 840L, 10045L, 3L, 0L, 13L\n\n#define SN_X9_62_c2onb239v4 \"c2onb239v4\"\n#define NID_X9_62_c2onb239v4 697\n#define OBJ_X9_62_c2onb239v4 1L, 2L, 840L, 10045L, 3L, 0L, 14L\n\n#define SN_X9_62_c2onb239v5 \"c2onb239v5\"\n#define NID_X9_62_c2onb239v5 698\n#define OBJ_X9_62_c2onb239v5 1L, 2L, 840L, 10045L, 3L, 0L, 15L\n\n#define SN_X9_62_c2pnb272w1 \"c2pnb272w1\"\n#define NID_X9_62_c2pnb272w1 699\n#define OBJ_X9_62_c2pnb272w1 1L, 2L, 840L, 10045L, 3L, 0L, 16L\n\n#define SN_X9_62_c2pnb304w1 \"c2pnb304w1\"\n#define NID_X9_62_c2pnb304w1 700\n#define OBJ_X9_62_c2pnb304w1 1L, 2L, 840L, 10045L, 3L, 0L, 17L\n\n#define SN_X9_62_c2tnb359v1 \"c2tnb359v1\"\n#define NID_X9_62_c2tnb359v1 701\n#define OBJ_X9_62_c2tnb359v1 1L, 2L, 840L, 10045L, 3L, 0L, 18L\n\n#define SN_X9_62_c2pnb368w1 \"c2pnb368w1\"\n#define NID_X9_62_c2pnb368w1 702\n#define OBJ_X9_62_c2pnb368w1 1L, 2L, 840L, 10045L, 3L, 0L, 19L\n\n#define SN_X9_62_c2tnb431r1 \"c2tnb431r1\"\n#define NID_X9_62_c2tnb431r1 703\n#define OBJ_X9_62_c2tnb431r1 1L, 2L, 840L, 10045L, 3L, 0L, 20L\n\n#define SN_secp112r1 \"secp112r1\"\n#define NID_secp112r1 704\n#define OBJ_secp112r1 1L, 3L, 132L, 0L, 6L\n\n#define SN_secp112r2 \"secp112r2\"\n#define NID_secp112r2 705\n#define OBJ_secp112r2 1L, 3L, 132L, 0L, 7L\n\n#define SN_secp128r1 \"secp128r1\"\n#define NID_secp128r1 706\n#define OBJ_secp128r1 1L, 3L, 132L, 0L, 28L\n\n#define SN_secp128r2 \"secp128r2\"\n#define NID_secp128r2 707\n#define OBJ_secp128r2 1L, 3L, 132L, 0L, 29L\n\n#define SN_secp160k1 \"secp160k1\"\n#define NID_secp160k1 708\n#define OBJ_secp160k1 1L, 3L, 132L, 0L, 9L\n\n#define SN_secp160r1 \"secp160r1\"\n#define NID_secp160r1 709\n#define OBJ_secp160r1 1L, 3L, 132L, 0L, 8L\n\n#define SN_secp160r2 \"secp160r2\"\n#define NID_secp160r2 710\n#define OBJ_secp160r2 1L, 3L, 132L, 0L, 30L\n\n#define SN_secp192k1 \"secp192k1\"\n#define NID_secp192k1 711\n#define OBJ_secp192k1 1L, 3L, 132L, 0L, 31L\n\n#define SN_secp224k1 \"secp224k1\"\n#define NID_secp224k1 712\n#define OBJ_secp224k1 1L, 3L, 132L, 0L, 32L\n\n#define SN_secp224r1 \"secp224r1\"\n#define NID_secp224r1 713\n#define OBJ_secp224r1 1L, 3L, 132L, 0L, 33L\n\n#define SN_secp256k1 \"secp256k1\"\n#define NID_secp256k1 714\n#define OBJ_secp256k1 1L, 3L, 132L, 0L, 10L\n\n#define SN_secp384r1 \"secp384r1\"\n#define NID_secp384r1 715\n#define OBJ_secp384r1 1L, 3L, 132L, 0L, 34L\n\n#define SN_secp521r1 \"secp521r1\"\n#define NID_secp521r1 716\n#define OBJ_secp521r1 1L, 3L, 132L, 0L, 35L\n\n#define SN_sect113r1 \"sect113r1\"\n#define NID_sect113r1 717\n#define OBJ_sect113r1 1L, 3L, 132L, 0L, 4L\n\n#define SN_sect113r2 \"sect113r2\"\n#define NID_sect113r2 718\n#define OBJ_sect113r2 1L, 3L, 132L, 0L, 5L\n\n#define SN_sect131r1 \"sect131r1\"\n#define NID_sect131r1 719\n#define OBJ_sect131r1 1L, 3L, 132L, 0L, 22L\n\n#define SN_sect131r2 \"sect131r2\"\n#define NID_sect131r2 720\n#define OBJ_sect131r2 1L, 3L, 132L, 0L, 23L\n\n#define SN_sect163k1 \"sect163k1\"\n#define NID_sect163k1 721\n#define OBJ_sect163k1 1L, 3L, 132L, 0L, 1L\n\n#define SN_sect163r1 \"sect163r1\"\n#define NID_sect163r1 722\n#define OBJ_sect163r1 1L, 3L, 132L, 0L, 2L\n\n#define SN_sect163r2 \"sect163r2\"\n#define NID_sect163r2 723\n#define OBJ_sect163r2 1L, 3L, 132L, 0L, 15L\n\n#define SN_sect193r1 \"sect193r1\"\n#define NID_sect193r1 724\n#define OBJ_sect193r1 1L, 3L, 132L, 0L, 24L\n\n#define SN_sect193r2 \"sect193r2\"\n#define NID_sect193r2 725\n#define OBJ_sect193r2 1L, 3L, 132L, 0L, 25L\n\n#define SN_sect233k1 \"sect233k1\"\n#define NID_sect233k1 726\n#define OBJ_sect233k1 1L, 3L, 132L, 0L, 26L\n\n#define SN_sect233r1 \"sect233r1\"\n#define NID_sect233r1 727\n#define OBJ_sect233r1 1L, 3L, 132L, 0L, 27L\n\n#define SN_sect239k1 \"sect239k1\"\n#define NID_sect239k1 728\n#define OBJ_sect239k1 1L, 3L, 132L, 0L, 3L\n\n#define SN_sect283k1 \"sect283k1\"\n#define NID_sect283k1 729\n#define OBJ_sect283k1 1L, 3L, 132L, 0L, 16L\n\n#define SN_sect283r1 \"sect283r1\"\n#define NID_sect283r1 730\n#define OBJ_sect283r1 1L, 3L, 132L, 0L, 17L\n\n#define SN_sect409k1 \"sect409k1\"\n#define NID_sect409k1 731\n#define OBJ_sect409k1 1L, 3L, 132L, 0L, 36L\n\n#define SN_sect409r1 \"sect409r1\"\n#define NID_sect409r1 732\n#define OBJ_sect409r1 1L, 3L, 132L, 0L, 37L\n\n#define SN_sect571k1 \"sect571k1\"\n#define NID_sect571k1 733\n#define OBJ_sect571k1 1L, 3L, 132L, 0L, 38L\n\n#define SN_sect571r1 \"sect571r1\"\n#define NID_sect571r1 734\n#define OBJ_sect571r1 1L, 3L, 132L, 0L, 39L\n\n#define SN_wap_wsg_idm_ecid_wtls1 \"wap-wsg-idm-ecid-wtls1\"\n#define NID_wap_wsg_idm_ecid_wtls1 735\n#define OBJ_wap_wsg_idm_ecid_wtls1 2L, 23L, 43L, 1L, 4L, 1L\n\n#define SN_wap_wsg_idm_ecid_wtls3 \"wap-wsg-idm-ecid-wtls3\"\n#define NID_wap_wsg_idm_ecid_wtls3 736\n#define OBJ_wap_wsg_idm_ecid_wtls3 2L, 23L, 43L, 1L, 4L, 3L\n\n#define SN_wap_wsg_idm_ecid_wtls4 \"wap-wsg-idm-ecid-wtls4\"\n#define NID_wap_wsg_idm_ecid_wtls4 737\n#define OBJ_wap_wsg_idm_ecid_wtls4 2L, 23L, 43L, 1L, 4L, 4L\n\n#define SN_wap_wsg_idm_ecid_wtls5 \"wap-wsg-idm-ecid-wtls5\"\n#define NID_wap_wsg_idm_ecid_wtls5 738\n#define OBJ_wap_wsg_idm_ecid_wtls5 2L, 23L, 43L, 1L, 4L, 5L\n\n#define SN_wap_wsg_idm_ecid_wtls6 \"wap-wsg-idm-ecid-wtls6\"\n#define NID_wap_wsg_idm_ecid_wtls6 739\n#define OBJ_wap_wsg_idm_ecid_wtls6 2L, 23L, 43L, 1L, 4L, 6L\n\n#define SN_wap_wsg_idm_ecid_wtls7 \"wap-wsg-idm-ecid-wtls7\"\n#define NID_wap_wsg_idm_ecid_wtls7 740\n#define OBJ_wap_wsg_idm_ecid_wtls7 2L, 23L, 43L, 1L, 4L, 7L\n\n#define SN_wap_wsg_idm_ecid_wtls8 \"wap-wsg-idm-ecid-wtls8\"\n#define NID_wap_wsg_idm_ecid_wtls8 741\n#define OBJ_wap_wsg_idm_ecid_wtls8 2L, 23L, 43L, 1L, 4L, 8L\n\n#define SN_wap_wsg_idm_ecid_wtls9 \"wap-wsg-idm-ecid-wtls9\"\n#define NID_wap_wsg_idm_ecid_wtls9 742\n#define OBJ_wap_wsg_idm_ecid_wtls9 2L, 23L, 43L, 1L, 4L, 9L\n\n#define SN_wap_wsg_idm_ecid_wtls10 \"wap-wsg-idm-ecid-wtls10\"\n#define NID_wap_wsg_idm_ecid_wtls10 743\n#define OBJ_wap_wsg_idm_ecid_wtls10 2L, 23L, 43L, 1L, 4L, 10L\n\n#define SN_wap_wsg_idm_ecid_wtls11 \"wap-wsg-idm-ecid-wtls11\"\n#define NID_wap_wsg_idm_ecid_wtls11 744\n#define OBJ_wap_wsg_idm_ecid_wtls11 2L, 23L, 43L, 1L, 4L, 11L\n\n#define SN_wap_wsg_idm_ecid_wtls12 \"wap-wsg-idm-ecid-wtls12\"\n#define NID_wap_wsg_idm_ecid_wtls12 745\n#define OBJ_wap_wsg_idm_ecid_wtls12 2L, 23L, 43L, 1L, 4L, 12L\n\n#define SN_any_policy \"anyPolicy\"\n#define LN_any_policy \"X509v3 Any Policy\"\n#define NID_any_policy 746\n#define OBJ_any_policy 2L, 5L, 29L, 32L, 0L\n\n#define SN_policy_mappings \"policyMappings\"\n#define LN_policy_mappings \"X509v3 Policy Mappings\"\n#define NID_policy_mappings 747\n#define OBJ_policy_mappings 2L, 5L, 29L, 33L\n\n#define SN_inhibit_any_policy \"inhibitAnyPolicy\"\n#define LN_inhibit_any_policy \"X509v3 Inhibit Any Policy\"\n#define NID_inhibit_any_policy 748\n#define OBJ_inhibit_any_policy 2L, 5L, 29L, 54L\n\n#define SN_ipsec3 \"Oakley-EC2N-3\"\n#define LN_ipsec3 \"ipsec3\"\n#define NID_ipsec3 749\n\n#define SN_ipsec4 \"Oakley-EC2N-4\"\n#define LN_ipsec4 \"ipsec4\"\n#define NID_ipsec4 750\n\n#define SN_camellia_128_cbc \"CAMELLIA-128-CBC\"\n#define LN_camellia_128_cbc \"camellia-128-cbc\"\n#define NID_camellia_128_cbc 751\n#define OBJ_camellia_128_cbc 1L, 2L, 392L, 200011L, 61L, 1L, 1L, 1L, 2L\n\n#define SN_camellia_192_cbc \"CAMELLIA-192-CBC\"\n#define LN_camellia_192_cbc \"camellia-192-cbc\"\n#define NID_camellia_192_cbc 752\n#define OBJ_camellia_192_cbc 1L, 2L, 392L, 200011L, 61L, 1L, 1L, 1L, 3L\n\n#define SN_camellia_256_cbc \"CAMELLIA-256-CBC\"\n#define LN_camellia_256_cbc \"camellia-256-cbc\"\n#define NID_camellia_256_cbc 753\n#define OBJ_camellia_256_cbc 1L, 2L, 392L, 200011L, 61L, 1L, 1L, 1L, 4L\n\n#define SN_camellia_128_ecb \"CAMELLIA-128-ECB\"\n#define LN_camellia_128_ecb \"camellia-128-ecb\"\n#define NID_camellia_128_ecb 754\n#define OBJ_camellia_128_ecb 0L, 3L, 4401L, 5L, 3L, 1L, 9L, 1L\n\n#define SN_camellia_192_ecb \"CAMELLIA-192-ECB\"\n#define LN_camellia_192_ecb \"camellia-192-ecb\"\n#define NID_camellia_192_ecb 755\n#define OBJ_camellia_192_ecb 0L, 3L, 4401L, 5L, 3L, 1L, 9L, 21L\n\n#define SN_camellia_256_ecb \"CAMELLIA-256-ECB\"\n#define LN_camellia_256_ecb \"camellia-256-ecb\"\n#define NID_camellia_256_ecb 756\n#define OBJ_camellia_256_ecb 0L, 3L, 4401L, 5L, 3L, 1L, 9L, 41L\n\n#define SN_camellia_128_cfb128 \"CAMELLIA-128-CFB\"\n#define LN_camellia_128_cfb128 \"camellia-128-cfb\"\n#define NID_camellia_128_cfb128 757\n#define OBJ_camellia_128_cfb128 0L, 3L, 4401L, 5L, 3L, 1L, 9L, 4L\n\n#define SN_camellia_192_cfb128 \"CAMELLIA-192-CFB\"\n#define LN_camellia_192_cfb128 \"camellia-192-cfb\"\n#define NID_camellia_192_cfb128 758\n#define OBJ_camellia_192_cfb128 0L, 3L, 4401L, 5L, 3L, 1L, 9L, 24L\n\n#define SN_camellia_256_cfb128 \"CAMELLIA-256-CFB\"\n#define LN_camellia_256_cfb128 \"camellia-256-cfb\"\n#define NID_camellia_256_cfb128 759\n#define OBJ_camellia_256_cfb128 0L, 3L, 4401L, 5L, 3L, 1L, 9L, 44L\n\n#define SN_camellia_128_cfb1 \"CAMELLIA-128-CFB1\"\n#define LN_camellia_128_cfb1 \"camellia-128-cfb1\"\n#define NID_camellia_128_cfb1 760\n\n#define SN_camellia_192_cfb1 \"CAMELLIA-192-CFB1\"\n#define LN_camellia_192_cfb1 \"camellia-192-cfb1\"\n#define NID_camellia_192_cfb1 761\n\n#define SN_camellia_256_cfb1 \"CAMELLIA-256-CFB1\"\n#define LN_camellia_256_cfb1 \"camellia-256-cfb1\"\n#define NID_camellia_256_cfb1 762\n\n#define SN_camellia_128_cfb8 \"CAMELLIA-128-CFB8\"\n#define LN_camellia_128_cfb8 \"camellia-128-cfb8\"\n#define NID_camellia_128_cfb8 763\n\n#define SN_camellia_192_cfb8 \"CAMELLIA-192-CFB8\"\n#define LN_camellia_192_cfb8 \"camellia-192-cfb8\"\n#define NID_camellia_192_cfb8 764\n\n#define SN_camellia_256_cfb8 \"CAMELLIA-256-CFB8\"\n#define LN_camellia_256_cfb8 \"camellia-256-cfb8\"\n#define NID_camellia_256_cfb8 765\n\n#define SN_camellia_128_ofb128 \"CAMELLIA-128-OFB\"\n#define LN_camellia_128_ofb128 \"camellia-128-ofb\"\n#define NID_camellia_128_ofb128 766\n#define OBJ_camellia_128_ofb128 0L, 3L, 4401L, 5L, 3L, 1L, 9L, 3L\n\n#define SN_camellia_192_ofb128 \"CAMELLIA-192-OFB\"\n#define LN_camellia_192_ofb128 \"camellia-192-ofb\"\n#define NID_camellia_192_ofb128 767\n#define OBJ_camellia_192_ofb128 0L, 3L, 4401L, 5L, 3L, 1L, 9L, 23L\n\n#define SN_camellia_256_ofb128 \"CAMELLIA-256-OFB\"\n#define LN_camellia_256_ofb128 \"camellia-256-ofb\"\n#define NID_camellia_256_ofb128 768\n#define OBJ_camellia_256_ofb128 0L, 3L, 4401L, 5L, 3L, 1L, 9L, 43L\n\n#define SN_subject_directory_attributes \"subjectDirectoryAttributes\"\n#define LN_subject_directory_attributes \"X509v3 Subject Directory Attributes\"\n#define NID_subject_directory_attributes 769\n#define OBJ_subject_directory_attributes 2L, 5L, 29L, 9L\n\n#define SN_issuing_distribution_point \"issuingDistributionPoint\"\n#define LN_issuing_distribution_point \"X509v3 Issuing Distribution Point\"\n#define NID_issuing_distribution_point 770\n#define OBJ_issuing_distribution_point 2L, 5L, 29L, 28L\n\n#define SN_certificate_issuer \"certificateIssuer\"\n#define LN_certificate_issuer \"X509v3 Certificate Issuer\"\n#define NID_certificate_issuer 771\n#define OBJ_certificate_issuer 2L, 5L, 29L, 29L\n\n#define SN_kisa \"KISA\"\n#define LN_kisa \"kisa\"\n#define NID_kisa 773\n#define OBJ_kisa 1L, 2L, 410L, 200004L\n\n#define SN_seed_ecb \"SEED-ECB\"\n#define LN_seed_ecb \"seed-ecb\"\n#define NID_seed_ecb 776\n#define OBJ_seed_ecb 1L, 2L, 410L, 200004L, 1L, 3L\n\n#define SN_seed_cbc \"SEED-CBC\"\n#define LN_seed_cbc \"seed-cbc\"\n#define NID_seed_cbc 777\n#define OBJ_seed_cbc 1L, 2L, 410L, 200004L, 1L, 4L\n\n#define SN_seed_ofb128 \"SEED-OFB\"\n#define LN_seed_ofb128 \"seed-ofb\"\n#define NID_seed_ofb128 778\n#define OBJ_seed_ofb128 1L, 2L, 410L, 200004L, 1L, 6L\n\n#define SN_seed_cfb128 \"SEED-CFB\"\n#define LN_seed_cfb128 \"seed-cfb\"\n#define NID_seed_cfb128 779\n#define OBJ_seed_cfb128 1L, 2L, 410L, 200004L, 1L, 5L\n\n#define SN_hmac_md5 \"HMAC-MD5\"\n#define LN_hmac_md5 \"hmac-md5\"\n#define NID_hmac_md5 780\n#define OBJ_hmac_md5 1L, 3L, 6L, 1L, 5L, 5L, 8L, 1L, 1L\n\n#define SN_hmac_sha1 \"HMAC-SHA1\"\n#define LN_hmac_sha1 \"hmac-sha1\"\n#define NID_hmac_sha1 781\n#define OBJ_hmac_sha1 1L, 3L, 6L, 1L, 5L, 5L, 8L, 1L, 2L\n\n#define SN_id_PasswordBasedMAC \"id-PasswordBasedMAC\"\n#define LN_id_PasswordBasedMAC \"password based MAC\"\n#define NID_id_PasswordBasedMAC 782\n#define OBJ_id_PasswordBasedMAC 1L, 2L, 840L, 113533L, 7L, 66L, 13L\n\n#define SN_id_DHBasedMac \"id-DHBasedMac\"\n#define LN_id_DHBasedMac \"Diffie-Hellman based MAC\"\n#define NID_id_DHBasedMac 783\n#define OBJ_id_DHBasedMac 1L, 2L, 840L, 113533L, 7L, 66L, 30L\n\n#define SN_id_it_suppLangTags \"id-it-suppLangTags\"\n#define NID_id_it_suppLangTags 784\n#define OBJ_id_it_suppLangTags 1L, 3L, 6L, 1L, 5L, 5L, 7L, 4L, 16L\n\n#define SN_caRepository \"caRepository\"\n#define LN_caRepository \"CA Repository\"\n#define NID_caRepository 785\n#define OBJ_caRepository 1L, 3L, 6L, 1L, 5L, 5L, 7L, 48L, 5L\n\n#define SN_id_smime_ct_compressedData \"id-smime-ct-compressedData\"\n#define NID_id_smime_ct_compressedData 786\n#define OBJ_id_smime_ct_compressedData \\\n 1L, 2L, 840L, 113549L, 1L, 9L, 16L, 1L, 9L\n\n#define SN_id_ct_asciiTextWithCRLF \"id-ct-asciiTextWithCRLF\"\n#define NID_id_ct_asciiTextWithCRLF 787\n#define OBJ_id_ct_asciiTextWithCRLF 1L, 2L, 840L, 113549L, 1L, 9L, 16L, 1L, 27L\n\n#define SN_id_aes128_wrap \"id-aes128-wrap\"\n#define NID_id_aes128_wrap 788\n#define OBJ_id_aes128_wrap 2L, 16L, 840L, 1L, 101L, 3L, 4L, 1L, 5L\n\n#define SN_id_aes192_wrap \"id-aes192-wrap\"\n#define NID_id_aes192_wrap 789\n#define OBJ_id_aes192_wrap 2L, 16L, 840L, 1L, 101L, 3L, 4L, 1L, 25L\n\n#define SN_id_aes256_wrap \"id-aes256-wrap\"\n#define NID_id_aes256_wrap 790\n#define OBJ_id_aes256_wrap 2L, 16L, 840L, 1L, 101L, 3L, 4L, 1L, 45L\n\n#define SN_ecdsa_with_Recommended \"ecdsa-with-Recommended\"\n#define NID_ecdsa_with_Recommended 791\n#define OBJ_ecdsa_with_Recommended 1L, 2L, 840L, 10045L, 4L, 2L\n\n#define SN_ecdsa_with_Specified \"ecdsa-with-Specified\"\n#define NID_ecdsa_with_Specified 792\n#define OBJ_ecdsa_with_Specified 1L, 2L, 840L, 10045L, 4L, 3L\n\n#define SN_ecdsa_with_SHA224 \"ecdsa-with-SHA224\"\n#define NID_ecdsa_with_SHA224 793\n#define OBJ_ecdsa_with_SHA224 1L, 2L, 840L, 10045L, 4L, 3L, 1L\n\n#define SN_ecdsa_with_SHA256 \"ecdsa-with-SHA256\"\n#define NID_ecdsa_with_SHA256 794\n#define OBJ_ecdsa_with_SHA256 1L, 2L, 840L, 10045L, 4L, 3L, 2L\n\n#define SN_ecdsa_with_SHA384 \"ecdsa-with-SHA384\"\n#define NID_ecdsa_with_SHA384 795\n#define OBJ_ecdsa_with_SHA384 1L, 2L, 840L, 10045L, 4L, 3L, 3L\n\n#define SN_ecdsa_with_SHA512 \"ecdsa-with-SHA512\"\n#define NID_ecdsa_with_SHA512 796\n#define OBJ_ecdsa_with_SHA512 1L, 2L, 840L, 10045L, 4L, 3L, 4L\n\n#define LN_hmacWithMD5 \"hmacWithMD5\"\n#define NID_hmacWithMD5 797\n#define OBJ_hmacWithMD5 1L, 2L, 840L, 113549L, 2L, 6L\n\n#define LN_hmacWithSHA224 \"hmacWithSHA224\"\n#define NID_hmacWithSHA224 798\n#define OBJ_hmacWithSHA224 1L, 2L, 840L, 113549L, 2L, 8L\n\n#define LN_hmacWithSHA256 \"hmacWithSHA256\"\n#define NID_hmacWithSHA256 799\n#define OBJ_hmacWithSHA256 1L, 2L, 840L, 113549L, 2L, 9L\n\n#define LN_hmacWithSHA384 \"hmacWithSHA384\"\n#define NID_hmacWithSHA384 800\n#define OBJ_hmacWithSHA384 1L, 2L, 840L, 113549L, 2L, 10L\n\n#define LN_hmacWithSHA512 \"hmacWithSHA512\"\n#define NID_hmacWithSHA512 801\n#define OBJ_hmacWithSHA512 1L, 2L, 840L, 113549L, 2L, 11L\n\n#define SN_dsa_with_SHA224 \"dsa_with_SHA224\"\n#define NID_dsa_with_SHA224 802\n#define OBJ_dsa_with_SHA224 2L, 16L, 840L, 1L, 101L, 3L, 4L, 3L, 1L\n\n#define SN_dsa_with_SHA256 \"dsa_with_SHA256\"\n#define NID_dsa_with_SHA256 803\n#define OBJ_dsa_with_SHA256 2L, 16L, 840L, 1L, 101L, 3L, 4L, 3L, 2L\n\n#define SN_whirlpool \"whirlpool\"\n#define NID_whirlpool 804\n#define OBJ_whirlpool 1L, 0L, 10118L, 3L, 0L, 55L\n\n#define SN_cryptopro \"cryptopro\"\n#define NID_cryptopro 805\n#define OBJ_cryptopro 1L, 2L, 643L, 2L, 2L\n\n#define SN_cryptocom \"cryptocom\"\n#define NID_cryptocom 806\n#define OBJ_cryptocom 1L, 2L, 643L, 2L, 9L\n\n#define SN_id_GostR3411_94_with_GostR3410_2001 \\\n \"id-GostR3411-94-with-GostR3410-2001\"\n#define LN_id_GostR3411_94_with_GostR3410_2001 \\\n \"GOST R 34.11-94 with GOST R 34.10-2001\"\n#define NID_id_GostR3411_94_with_GostR3410_2001 807\n#define OBJ_id_GostR3411_94_with_GostR3410_2001 1L, 2L, 643L, 2L, 2L, 3L\n\n#define SN_id_GostR3411_94_with_GostR3410_94 \"id-GostR3411-94-with-GostR3410-94\"\n#define LN_id_GostR3411_94_with_GostR3410_94 \\\n \"GOST R 34.11-94 with GOST R 34.10-94\"\n#define NID_id_GostR3411_94_with_GostR3410_94 808\n#define OBJ_id_GostR3411_94_with_GostR3410_94 1L, 2L, 643L, 2L, 2L, 4L\n\n#define SN_id_GostR3411_94 \"md_gost94\"\n#define LN_id_GostR3411_94 \"GOST R 34.11-94\"\n#define NID_id_GostR3411_94 809\n#define OBJ_id_GostR3411_94 1L, 2L, 643L, 2L, 2L, 9L\n\n#define SN_id_HMACGostR3411_94 \"id-HMACGostR3411-94\"\n#define LN_id_HMACGostR3411_94 \"HMAC GOST 34.11-94\"\n#define NID_id_HMACGostR3411_94 810\n#define OBJ_id_HMACGostR3411_94 1L, 2L, 643L, 2L, 2L, 10L\n\n#define SN_id_GostR3410_2001 \"gost2001\"\n#define LN_id_GostR3410_2001 \"GOST R 34.10-2001\"\n#define NID_id_GostR3410_2001 811\n#define OBJ_id_GostR3410_2001 1L, 2L, 643L, 2L, 2L, 19L\n\n#define SN_id_GostR3410_94 \"gost94\"\n#define LN_id_GostR3410_94 \"GOST R 34.10-94\"\n#define NID_id_GostR3410_94 812\n#define OBJ_id_GostR3410_94 1L, 2L, 643L, 2L, 2L, 20L\n\n#define SN_id_Gost28147_89 \"gost89\"\n#define LN_id_Gost28147_89 \"GOST 28147-89\"\n#define NID_id_Gost28147_89 813\n#define OBJ_id_Gost28147_89 1L, 2L, 643L, 2L, 2L, 21L\n\n#define SN_gost89_cnt \"gost89-cnt\"\n#define NID_gost89_cnt 814\n\n#define SN_id_Gost28147_89_MAC \"gost-mac\"\n#define LN_id_Gost28147_89_MAC \"GOST 28147-89 MAC\"\n#define NID_id_Gost28147_89_MAC 815\n#define OBJ_id_Gost28147_89_MAC 1L, 2L, 643L, 2L, 2L, 22L\n\n#define SN_id_GostR3411_94_prf \"prf-gostr3411-94\"\n#define LN_id_GostR3411_94_prf \"GOST R 34.11-94 PRF\"\n#define NID_id_GostR3411_94_prf 816\n#define OBJ_id_GostR3411_94_prf 1L, 2L, 643L, 2L, 2L, 23L\n\n#define SN_id_GostR3410_2001DH \"id-GostR3410-2001DH\"\n#define LN_id_GostR3410_2001DH \"GOST R 34.10-2001 DH\"\n#define NID_id_GostR3410_2001DH 817\n#define OBJ_id_GostR3410_2001DH 1L, 2L, 643L, 2L, 2L, 98L\n\n#define SN_id_GostR3410_94DH \"id-GostR3410-94DH\"\n#define LN_id_GostR3410_94DH \"GOST R 34.10-94 DH\"\n#define NID_id_GostR3410_94DH 818\n#define OBJ_id_GostR3410_94DH 1L, 2L, 643L, 2L, 2L, 99L\n\n#define SN_id_Gost28147_89_CryptoPro_KeyMeshing \\\n \"id-Gost28147-89-CryptoPro-KeyMeshing\"\n#define NID_id_Gost28147_89_CryptoPro_KeyMeshing 819\n#define OBJ_id_Gost28147_89_CryptoPro_KeyMeshing 1L, 2L, 643L, 2L, 2L, 14L, 1L\n\n#define SN_id_Gost28147_89_None_KeyMeshing \"id-Gost28147-89-None-KeyMeshing\"\n#define NID_id_Gost28147_89_None_KeyMeshing 820\n#define OBJ_id_Gost28147_89_None_KeyMeshing 1L, 2L, 643L, 2L, 2L, 14L, 0L\n\n#define SN_id_GostR3411_94_TestParamSet \"id-GostR3411-94-TestParamSet\"\n#define NID_id_GostR3411_94_TestParamSet 821\n#define OBJ_id_GostR3411_94_TestParamSet 1L, 2L, 643L, 2L, 2L, 30L, 0L\n\n#define SN_id_GostR3411_94_CryptoProParamSet \"id-GostR3411-94-CryptoProParamSet\"\n#define NID_id_GostR3411_94_CryptoProParamSet 822\n#define OBJ_id_GostR3411_94_CryptoProParamSet 1L, 2L, 643L, 2L, 2L, 30L, 1L\n\n#define SN_id_Gost28147_89_TestParamSet \"id-Gost28147-89-TestParamSet\"\n#define NID_id_Gost28147_89_TestParamSet 823\n#define OBJ_id_Gost28147_89_TestParamSet 1L, 2L, 643L, 2L, 2L, 31L, 0L\n\n#define SN_id_Gost28147_89_CryptoPro_A_ParamSet \\\n \"id-Gost28147-89-CryptoPro-A-ParamSet\"\n#define NID_id_Gost28147_89_CryptoPro_A_ParamSet 824\n#define OBJ_id_Gost28147_89_CryptoPro_A_ParamSet 1L, 2L, 643L, 2L, 2L, 31L, 1L\n\n#define SN_id_Gost28147_89_CryptoPro_B_ParamSet \\\n \"id-Gost28147-89-CryptoPro-B-ParamSet\"\n#define NID_id_Gost28147_89_CryptoPro_B_ParamSet 825\n#define OBJ_id_Gost28147_89_CryptoPro_B_ParamSet 1L, 2L, 643L, 2L, 2L, 31L, 2L\n\n#define SN_id_Gost28147_89_CryptoPro_C_ParamSet \\\n \"id-Gost28147-89-CryptoPro-C-ParamSet\"\n#define NID_id_Gost28147_89_CryptoPro_C_ParamSet 826\n#define OBJ_id_Gost28147_89_CryptoPro_C_ParamSet 1L, 2L, 643L, 2L, 2L, 31L, 3L\n\n#define SN_id_Gost28147_89_CryptoPro_D_ParamSet \\\n \"id-Gost28147-89-CryptoPro-D-ParamSet\"\n#define NID_id_Gost28147_89_CryptoPro_D_ParamSet 827\n#define OBJ_id_Gost28147_89_CryptoPro_D_ParamSet 1L, 2L, 643L, 2L, 2L, 31L, 4L\n\n#define SN_id_Gost28147_89_CryptoPro_Oscar_1_1_ParamSet \\\n \"id-Gost28147-89-CryptoPro-Oscar-1-1-ParamSet\"\n#define NID_id_Gost28147_89_CryptoPro_Oscar_1_1_ParamSet 828\n#define OBJ_id_Gost28147_89_CryptoPro_Oscar_1_1_ParamSet \\\n 1L, 2L, 643L, 2L, 2L, 31L, 5L\n\n#define SN_id_Gost28147_89_CryptoPro_Oscar_1_0_ParamSet \\\n \"id-Gost28147-89-CryptoPro-Oscar-1-0-ParamSet\"\n#define NID_id_Gost28147_89_CryptoPro_Oscar_1_0_ParamSet 829\n#define OBJ_id_Gost28147_89_CryptoPro_Oscar_1_0_ParamSet \\\n 1L, 2L, 643L, 2L, 2L, 31L, 6L\n\n#define SN_id_Gost28147_89_CryptoPro_RIC_1_ParamSet \\\n \"id-Gost28147-89-CryptoPro-RIC-1-ParamSet\"\n#define NID_id_Gost28147_89_CryptoPro_RIC_1_ParamSet 830\n#define OBJ_id_Gost28147_89_CryptoPro_RIC_1_ParamSet \\\n 1L, 2L, 643L, 2L, 2L, 31L, 7L\n\n#define SN_id_GostR3410_94_TestParamSet \"id-GostR3410-94-TestParamSet\"\n#define NID_id_GostR3410_94_TestParamSet 831\n#define OBJ_id_GostR3410_94_TestParamSet 1L, 2L, 643L, 2L, 2L, 32L, 0L\n\n#define SN_id_GostR3410_94_CryptoPro_A_ParamSet \\\n \"id-GostR3410-94-CryptoPro-A-ParamSet\"\n#define NID_id_GostR3410_94_CryptoPro_A_ParamSet 832\n#define OBJ_id_GostR3410_94_CryptoPro_A_ParamSet 1L, 2L, 643L, 2L, 2L, 32L, 2L\n\n#define SN_id_GostR3410_94_CryptoPro_B_ParamSet \\\n \"id-GostR3410-94-CryptoPro-B-ParamSet\"\n#define NID_id_GostR3410_94_CryptoPro_B_ParamSet 833\n#define OBJ_id_GostR3410_94_CryptoPro_B_ParamSet 1L, 2L, 643L, 2L, 2L, 32L, 3L\n\n#define SN_id_GostR3410_94_CryptoPro_C_ParamSet \\\n \"id-GostR3410-94-CryptoPro-C-ParamSet\"\n#define NID_id_GostR3410_94_CryptoPro_C_ParamSet 834\n#define OBJ_id_GostR3410_94_CryptoPro_C_ParamSet 1L, 2L, 643L, 2L, 2L, 32L, 4L\n\n#define SN_id_GostR3410_94_CryptoPro_D_ParamSet \\\n \"id-GostR3410-94-CryptoPro-D-ParamSet\"\n#define NID_id_GostR3410_94_CryptoPro_D_ParamSet 835\n#define OBJ_id_GostR3410_94_CryptoPro_D_ParamSet 1L, 2L, 643L, 2L, 2L, 32L, 5L\n\n#define SN_id_GostR3410_94_CryptoPro_XchA_ParamSet \\\n \"id-GostR3410-94-CryptoPro-XchA-ParamSet\"\n#define NID_id_GostR3410_94_CryptoPro_XchA_ParamSet 836\n#define OBJ_id_GostR3410_94_CryptoPro_XchA_ParamSet \\\n 1L, 2L, 643L, 2L, 2L, 33L, 1L\n\n#define SN_id_GostR3410_94_CryptoPro_XchB_ParamSet \\\n \"id-GostR3410-94-CryptoPro-XchB-ParamSet\"\n#define NID_id_GostR3410_94_CryptoPro_XchB_ParamSet 837\n#define OBJ_id_GostR3410_94_CryptoPro_XchB_ParamSet \\\n 1L, 2L, 643L, 2L, 2L, 33L, 2L\n\n#define SN_id_GostR3410_94_CryptoPro_XchC_ParamSet \\\n \"id-GostR3410-94-CryptoPro-XchC-ParamSet\"\n#define NID_id_GostR3410_94_CryptoPro_XchC_ParamSet 838\n#define OBJ_id_GostR3410_94_CryptoPro_XchC_ParamSet \\\n 1L, 2L, 643L, 2L, 2L, 33L, 3L\n\n#define SN_id_GostR3410_2001_TestParamSet \"id-GostR3410-2001-TestParamSet\"\n#define NID_id_GostR3410_2001_TestParamSet 839\n#define OBJ_id_GostR3410_2001_TestParamSet 1L, 2L, 643L, 2L, 2L, 35L, 0L\n\n#define SN_id_GostR3410_2001_CryptoPro_A_ParamSet \\\n \"id-GostR3410-2001-CryptoPro-A-ParamSet\"\n#define NID_id_GostR3410_2001_CryptoPro_A_ParamSet 840\n#define OBJ_id_GostR3410_2001_CryptoPro_A_ParamSet 1L, 2L, 643L, 2L, 2L, 35L, 1L\n\n#define SN_id_GostR3410_2001_CryptoPro_B_ParamSet \\\n \"id-GostR3410-2001-CryptoPro-B-ParamSet\"\n#define NID_id_GostR3410_2001_CryptoPro_B_ParamSet 841\n#define OBJ_id_GostR3410_2001_CryptoPro_B_ParamSet 1L, 2L, 643L, 2L, 2L, 35L, 2L\n\n#define SN_id_GostR3410_2001_CryptoPro_C_ParamSet \\\n \"id-GostR3410-2001-CryptoPro-C-ParamSet\"\n#define NID_id_GostR3410_2001_CryptoPro_C_ParamSet 842\n#define OBJ_id_GostR3410_2001_CryptoPro_C_ParamSet 1L, 2L, 643L, 2L, 2L, 35L, 3L\n\n#define SN_id_GostR3410_2001_CryptoPro_XchA_ParamSet \\\n \"id-GostR3410-2001-CryptoPro-XchA-ParamSet\"\n#define NID_id_GostR3410_2001_CryptoPro_XchA_ParamSet 843\n#define OBJ_id_GostR3410_2001_CryptoPro_XchA_ParamSet \\\n 1L, 2L, 643L, 2L, 2L, 36L, 0L\n\n#define SN_id_GostR3410_2001_CryptoPro_XchB_ParamSet \\\n \"id-GostR3410-2001-CryptoPro-XchB-ParamSet\"\n#define NID_id_GostR3410_2001_CryptoPro_XchB_ParamSet 844\n#define OBJ_id_GostR3410_2001_CryptoPro_XchB_ParamSet \\\n 1L, 2L, 643L, 2L, 2L, 36L, 1L\n\n#define SN_id_GostR3410_94_a \"id-GostR3410-94-a\"\n#define NID_id_GostR3410_94_a 845\n#define OBJ_id_GostR3410_94_a 1L, 2L, 643L, 2L, 2L, 20L, 1L\n\n#define SN_id_GostR3410_94_aBis \"id-GostR3410-94-aBis\"\n#define NID_id_GostR3410_94_aBis 846\n#define OBJ_id_GostR3410_94_aBis 1L, 2L, 643L, 2L, 2L, 20L, 2L\n\n#define SN_id_GostR3410_94_b \"id-GostR3410-94-b\"\n#define NID_id_GostR3410_94_b 847\n#define OBJ_id_GostR3410_94_b 1L, 2L, 643L, 2L, 2L, 20L, 3L\n\n#define SN_id_GostR3410_94_bBis \"id-GostR3410-94-bBis\"\n#define NID_id_GostR3410_94_bBis 848\n#define OBJ_id_GostR3410_94_bBis 1L, 2L, 643L, 2L, 2L, 20L, 4L\n\n#define SN_id_Gost28147_89_cc \"id-Gost28147-89-cc\"\n#define LN_id_Gost28147_89_cc \"GOST 28147-89 Cryptocom ParamSet\"\n#define NID_id_Gost28147_89_cc 849\n#define OBJ_id_Gost28147_89_cc 1L, 2L, 643L, 2L, 9L, 1L, 6L, 1L\n\n#define SN_id_GostR3410_94_cc \"gost94cc\"\n#define LN_id_GostR3410_94_cc \"GOST 34.10-94 Cryptocom\"\n#define NID_id_GostR3410_94_cc 850\n#define OBJ_id_GostR3410_94_cc 1L, 2L, 643L, 2L, 9L, 1L, 5L, 3L\n\n#define SN_id_GostR3410_2001_cc \"gost2001cc\"\n#define LN_id_GostR3410_2001_cc \"GOST 34.10-2001 Cryptocom\"\n#define NID_id_GostR3410_2001_cc 851\n#define OBJ_id_GostR3410_2001_cc 1L, 2L, 643L, 2L, 9L, 1L, 5L, 4L\n\n#define SN_id_GostR3411_94_with_GostR3410_94_cc \\\n \"id-GostR3411-94-with-GostR3410-94-cc\"\n#define LN_id_GostR3411_94_with_GostR3410_94_cc \\\n \"GOST R 34.11-94 with GOST R 34.10-94 Cryptocom\"\n#define NID_id_GostR3411_94_with_GostR3410_94_cc 852\n#define OBJ_id_GostR3411_94_with_GostR3410_94_cc \\\n 1L, 2L, 643L, 2L, 9L, 1L, 3L, 3L\n\n#define SN_id_GostR3411_94_with_GostR3410_2001_cc \\\n \"id-GostR3411-94-with-GostR3410-2001-cc\"\n#define LN_id_GostR3411_94_with_GostR3410_2001_cc \\\n \"GOST R 34.11-94 with GOST R 34.10-2001 Cryptocom\"\n#define NID_id_GostR3411_94_with_GostR3410_2001_cc 853\n#define OBJ_id_GostR3411_94_with_GostR3410_2001_cc \\\n 1L, 2L, 643L, 2L, 9L, 1L, 3L, 4L\n\n#define SN_id_GostR3410_2001_ParamSet_cc \"id-GostR3410-2001-ParamSet-cc\"\n#define LN_id_GostR3410_2001_ParamSet_cc \\\n \"GOST R 3410-2001 Parameter Set Cryptocom\"\n#define NID_id_GostR3410_2001_ParamSet_cc 854\n#define OBJ_id_GostR3410_2001_ParamSet_cc 1L, 2L, 643L, 2L, 9L, 1L, 8L, 1L\n\n#define SN_hmac \"HMAC\"\n#define LN_hmac \"hmac\"\n#define NID_hmac 855\n\n#define SN_LocalKeySet \"LocalKeySet\"\n#define LN_LocalKeySet \"Microsoft Local Key set\"\n#define NID_LocalKeySet 856\n#define OBJ_LocalKeySet 1L, 3L, 6L, 1L, 4L, 1L, 311L, 17L, 2L\n\n#define SN_freshest_crl \"freshestCRL\"\n#define LN_freshest_crl \"X509v3 Freshest CRL\"\n#define NID_freshest_crl 857\n#define OBJ_freshest_crl 2L, 5L, 29L, 46L\n\n#define SN_id_on_permanentIdentifier \"id-on-permanentIdentifier\"\n#define LN_id_on_permanentIdentifier \"Permanent Identifier\"\n#define NID_id_on_permanentIdentifier 858\n#define OBJ_id_on_permanentIdentifier 1L, 3L, 6L, 1L, 5L, 5L, 7L, 8L, 3L\n\n#define LN_searchGuide \"searchGuide\"\n#define NID_searchGuide 859\n#define OBJ_searchGuide 2L, 5L, 4L, 14L\n\n#define LN_businessCategory \"businessCategory\"\n#define NID_businessCategory 860\n#define OBJ_businessCategory 2L, 5L, 4L, 15L\n\n#define LN_postalAddress \"postalAddress\"\n#define NID_postalAddress 861\n#define OBJ_postalAddress 2L, 5L, 4L, 16L\n\n#define LN_postOfficeBox \"postOfficeBox\"\n#define NID_postOfficeBox 862\n#define OBJ_postOfficeBox 2L, 5L, 4L, 18L\n\n#define LN_physicalDeliveryOfficeName \"physicalDeliveryOfficeName\"\n#define NID_physicalDeliveryOfficeName 863\n#define OBJ_physicalDeliveryOfficeName 2L, 5L, 4L, 19L\n\n#define LN_telephoneNumber \"telephoneNumber\"\n#define NID_telephoneNumber 864\n#define OBJ_telephoneNumber 2L, 5L, 4L, 20L\n\n#define LN_telexNumber \"telexNumber\"\n#define NID_telexNumber 865\n#define OBJ_telexNumber 2L, 5L, 4L, 21L\n\n#define LN_teletexTerminalIdentifier \"teletexTerminalIdentifier\"\n#define NID_teletexTerminalIdentifier 866\n#define OBJ_teletexTerminalIdentifier 2L, 5L, 4L, 22L\n\n#define LN_facsimileTelephoneNumber \"facsimileTelephoneNumber\"\n#define NID_facsimileTelephoneNumber 867\n#define OBJ_facsimileTelephoneNumber 2L, 5L, 4L, 23L\n\n#define LN_x121Address \"x121Address\"\n#define NID_x121Address 868\n#define OBJ_x121Address 2L, 5L, 4L, 24L\n\n#define LN_internationaliSDNNumber \"internationaliSDNNumber\"\n#define NID_internationaliSDNNumber 869\n#define OBJ_internationaliSDNNumber 2L, 5L, 4L, 25L\n\n#define LN_registeredAddress \"registeredAddress\"\n#define NID_registeredAddress 870\n#define OBJ_registeredAddress 2L, 5L, 4L, 26L\n\n#define LN_destinationIndicator \"destinationIndicator\"\n#define NID_destinationIndicator 871\n#define OBJ_destinationIndicator 2L, 5L, 4L, 27L\n\n#define LN_preferredDeliveryMethod \"preferredDeliveryMethod\"\n#define NID_preferredDeliveryMethod 872\n#define OBJ_preferredDeliveryMethod 2L, 5L, 4L, 28L\n\n#define LN_presentationAddress \"presentationAddress\"\n#define NID_presentationAddress 873\n#define OBJ_presentationAddress 2L, 5L, 4L, 29L\n\n#define LN_supportedApplicationContext \"supportedApplicationContext\"\n#define NID_supportedApplicationContext 874\n#define OBJ_supportedApplicationContext 2L, 5L, 4L, 30L\n\n#define SN_member \"member\"\n#define NID_member 875\n#define OBJ_member 2L, 5L, 4L, 31L\n\n#define SN_owner \"owner\"\n#define NID_owner 876\n#define OBJ_owner 2L, 5L, 4L, 32L\n\n#define LN_roleOccupant \"roleOccupant\"\n#define NID_roleOccupant 877\n#define OBJ_roleOccupant 2L, 5L, 4L, 33L\n\n#define SN_seeAlso \"seeAlso\"\n#define NID_seeAlso 878\n#define OBJ_seeAlso 2L, 5L, 4L, 34L\n\n#define LN_userPassword \"userPassword\"\n#define NID_userPassword 879\n#define OBJ_userPassword 2L, 5L, 4L, 35L\n\n#define LN_userCertificate \"userCertificate\"\n#define NID_userCertificate 880\n#define OBJ_userCertificate 2L, 5L, 4L, 36L\n\n#define LN_cACertificate \"cACertificate\"\n#define NID_cACertificate 881\n#define OBJ_cACertificate 2L, 5L, 4L, 37L\n\n#define LN_authorityRevocationList \"authorityRevocationList\"\n#define NID_authorityRevocationList 882\n#define OBJ_authorityRevocationList 2L, 5L, 4L, 38L\n\n#define LN_certificateRevocationList \"certificateRevocationList\"\n#define NID_certificateRevocationList 883\n#define OBJ_certificateRevocationList 2L, 5L, 4L, 39L\n\n#define LN_crossCertificatePair \"crossCertificatePair\"\n#define NID_crossCertificatePair 884\n#define OBJ_crossCertificatePair 2L, 5L, 4L, 40L\n\n#define LN_enhancedSearchGuide \"enhancedSearchGuide\"\n#define NID_enhancedSearchGuide 885\n#define OBJ_enhancedSearchGuide 2L, 5L, 4L, 47L\n\n#define LN_protocolInformation \"protocolInformation\"\n#define NID_protocolInformation 886\n#define OBJ_protocolInformation 2L, 5L, 4L, 48L\n\n#define LN_distinguishedName \"distinguishedName\"\n#define NID_distinguishedName 887\n#define OBJ_distinguishedName 2L, 5L, 4L, 49L\n\n#define LN_uniqueMember \"uniqueMember\"\n#define NID_uniqueMember 888\n#define OBJ_uniqueMember 2L, 5L, 4L, 50L\n\n#define LN_houseIdentifier \"houseIdentifier\"\n#define NID_houseIdentifier 889\n#define OBJ_houseIdentifier 2L, 5L, 4L, 51L\n\n#define LN_supportedAlgorithms \"supportedAlgorithms\"\n#define NID_supportedAlgorithms 890\n#define OBJ_supportedAlgorithms 2L, 5L, 4L, 52L\n\n#define LN_deltaRevocationList \"deltaRevocationList\"\n#define NID_deltaRevocationList 891\n#define OBJ_deltaRevocationList 2L, 5L, 4L, 53L\n\n#define SN_dmdName \"dmdName\"\n#define NID_dmdName 892\n#define OBJ_dmdName 2L, 5L, 4L, 54L\n\n#define SN_id_alg_PWRI_KEK \"id-alg-PWRI-KEK\"\n#define NID_id_alg_PWRI_KEK 893\n#define OBJ_id_alg_PWRI_KEK 1L, 2L, 840L, 113549L, 1L, 9L, 16L, 3L, 9L\n\n#define SN_cmac \"CMAC\"\n#define LN_cmac \"cmac\"\n#define NID_cmac 894\n\n#define SN_aes_128_gcm \"id-aes128-GCM\"\n#define LN_aes_128_gcm \"aes-128-gcm\"\n#define NID_aes_128_gcm 895\n#define OBJ_aes_128_gcm 2L, 16L, 840L, 1L, 101L, 3L, 4L, 1L, 6L\n\n#define SN_aes_128_ccm \"id-aes128-CCM\"\n#define LN_aes_128_ccm \"aes-128-ccm\"\n#define NID_aes_128_ccm 896\n#define OBJ_aes_128_ccm 2L, 16L, 840L, 1L, 101L, 3L, 4L, 1L, 7L\n\n#define SN_id_aes128_wrap_pad \"id-aes128-wrap-pad\"\n#define NID_id_aes128_wrap_pad 897\n#define OBJ_id_aes128_wrap_pad 2L, 16L, 840L, 1L, 101L, 3L, 4L, 1L, 8L\n\n#define SN_aes_192_gcm \"id-aes192-GCM\"\n#define LN_aes_192_gcm \"aes-192-gcm\"\n#define NID_aes_192_gcm 898\n#define OBJ_aes_192_gcm 2L, 16L, 840L, 1L, 101L, 3L, 4L, 1L, 26L\n\n#define SN_aes_192_ccm \"id-aes192-CCM\"\n#define LN_aes_192_ccm \"aes-192-ccm\"\n#define NID_aes_192_ccm 899\n#define OBJ_aes_192_ccm 2L, 16L, 840L, 1L, 101L, 3L, 4L, 1L, 27L\n\n#define SN_id_aes192_wrap_pad \"id-aes192-wrap-pad\"\n#define NID_id_aes192_wrap_pad 900\n#define OBJ_id_aes192_wrap_pad 2L, 16L, 840L, 1L, 101L, 3L, 4L, 1L, 28L\n\n#define SN_aes_256_gcm \"id-aes256-GCM\"\n#define LN_aes_256_gcm \"aes-256-gcm\"\n#define NID_aes_256_gcm 901\n#define OBJ_aes_256_gcm 2L, 16L, 840L, 1L, 101L, 3L, 4L, 1L, 46L\n\n#define SN_aes_256_ccm \"id-aes256-CCM\"\n#define LN_aes_256_ccm \"aes-256-ccm\"\n#define NID_aes_256_ccm 902\n#define OBJ_aes_256_ccm 2L, 16L, 840L, 1L, 101L, 3L, 4L, 1L, 47L\n\n#define SN_id_aes256_wrap_pad \"id-aes256-wrap-pad\"\n#define NID_id_aes256_wrap_pad 903\n#define OBJ_id_aes256_wrap_pad 2L, 16L, 840L, 1L, 101L, 3L, 4L, 1L, 48L\n\n#define SN_aes_128_ctr \"AES-128-CTR\"\n#define LN_aes_128_ctr \"aes-128-ctr\"\n#define NID_aes_128_ctr 904\n\n#define SN_aes_192_ctr \"AES-192-CTR\"\n#define LN_aes_192_ctr \"aes-192-ctr\"\n#define NID_aes_192_ctr 905\n\n#define SN_aes_256_ctr \"AES-256-CTR\"\n#define LN_aes_256_ctr \"aes-256-ctr\"\n#define NID_aes_256_ctr 906\n\n#define SN_id_camellia128_wrap \"id-camellia128-wrap\"\n#define NID_id_camellia128_wrap 907\n#define OBJ_id_camellia128_wrap 1L, 2L, 392L, 200011L, 61L, 1L, 1L, 3L, 2L\n\n#define SN_id_camellia192_wrap \"id-camellia192-wrap\"\n#define NID_id_camellia192_wrap 908\n#define OBJ_id_camellia192_wrap 1L, 2L, 392L, 200011L, 61L, 1L, 1L, 3L, 3L\n\n#define SN_id_camellia256_wrap \"id-camellia256-wrap\"\n#define NID_id_camellia256_wrap 909\n#define OBJ_id_camellia256_wrap 1L, 2L, 392L, 200011L, 61L, 1L, 1L, 3L, 4L\n\n#define SN_anyExtendedKeyUsage \"anyExtendedKeyUsage\"\n#define LN_anyExtendedKeyUsage \"Any Extended Key Usage\"\n#define NID_anyExtendedKeyUsage 910\n#define OBJ_anyExtendedKeyUsage 2L, 5L, 29L, 37L, 0L\n\n#define SN_mgf1 \"MGF1\"\n#define LN_mgf1 \"mgf1\"\n#define NID_mgf1 911\n#define OBJ_mgf1 1L, 2L, 840L, 113549L, 1L, 1L, 8L\n\n#define SN_rsassaPss \"RSASSA-PSS\"\n#define LN_rsassaPss \"rsassaPss\"\n#define NID_rsassaPss 912\n#define OBJ_rsassaPss 1L, 2L, 840L, 113549L, 1L, 1L, 10L\n\n#define SN_aes_128_xts \"AES-128-XTS\"\n#define LN_aes_128_xts \"aes-128-xts\"\n#define NID_aes_128_xts 913\n\n#define SN_aes_256_xts \"AES-256-XTS\"\n#define LN_aes_256_xts \"aes-256-xts\"\n#define NID_aes_256_xts 914\n\n#define SN_rc4_hmac_md5 \"RC4-HMAC-MD5\"\n#define LN_rc4_hmac_md5 \"rc4-hmac-md5\"\n#define NID_rc4_hmac_md5 915\n\n#define SN_aes_128_cbc_hmac_sha1 \"AES-128-CBC-HMAC-SHA1\"\n#define LN_aes_128_cbc_hmac_sha1 \"aes-128-cbc-hmac-sha1\"\n#define NID_aes_128_cbc_hmac_sha1 916\n\n#define SN_aes_192_cbc_hmac_sha1 \"AES-192-CBC-HMAC-SHA1\"\n#define LN_aes_192_cbc_hmac_sha1 \"aes-192-cbc-hmac-sha1\"\n#define NID_aes_192_cbc_hmac_sha1 917\n\n#define SN_aes_256_cbc_hmac_sha1 \"AES-256-CBC-HMAC-SHA1\"\n#define LN_aes_256_cbc_hmac_sha1 \"aes-256-cbc-hmac-sha1\"\n#define NID_aes_256_cbc_hmac_sha1 918\n\n#define SN_rsaesOaep \"RSAES-OAEP\"\n#define LN_rsaesOaep \"rsaesOaep\"\n#define NID_rsaesOaep 919\n#define OBJ_rsaesOaep 1L, 2L, 840L, 113549L, 1L, 1L, 7L\n\n#define SN_dhpublicnumber \"dhpublicnumber\"\n#define LN_dhpublicnumber \"X9.42 DH\"\n#define NID_dhpublicnumber 920\n#define OBJ_dhpublicnumber 1L, 2L, 840L, 10046L, 2L, 1L\n\n#define SN_brainpoolP160r1 \"brainpoolP160r1\"\n#define NID_brainpoolP160r1 921\n#define OBJ_brainpoolP160r1 1L, 3L, 36L, 3L, 3L, 2L, 8L, 1L, 1L, 1L\n\n#define SN_brainpoolP160t1 \"brainpoolP160t1\"\n#define NID_brainpoolP160t1 922\n#define OBJ_brainpoolP160t1 1L, 3L, 36L, 3L, 3L, 2L, 8L, 1L, 1L, 2L\n\n#define SN_brainpoolP192r1 \"brainpoolP192r1\"\n#define NID_brainpoolP192r1 923\n#define OBJ_brainpoolP192r1 1L, 3L, 36L, 3L, 3L, 2L, 8L, 1L, 1L, 3L\n\n#define SN_brainpoolP192t1 \"brainpoolP192t1\"\n#define NID_brainpoolP192t1 924\n#define OBJ_brainpoolP192t1 1L, 3L, 36L, 3L, 3L, 2L, 8L, 1L, 1L, 4L\n\n#define SN_brainpoolP224r1 \"brainpoolP224r1\"\n#define NID_brainpoolP224r1 925\n#define OBJ_brainpoolP224r1 1L, 3L, 36L, 3L, 3L, 2L, 8L, 1L, 1L, 5L\n\n#define SN_brainpoolP224t1 \"brainpoolP224t1\"\n#define NID_brainpoolP224t1 926\n#define OBJ_brainpoolP224t1 1L, 3L, 36L, 3L, 3L, 2L, 8L, 1L, 1L, 6L\n\n#define SN_brainpoolP256r1 \"brainpoolP256r1\"\n#define NID_brainpoolP256r1 927\n#define OBJ_brainpoolP256r1 1L, 3L, 36L, 3L, 3L, 2L, 8L, 1L, 1L, 7L\n\n#define SN_brainpoolP256t1 \"brainpoolP256t1\"\n#define NID_brainpoolP256t1 928\n#define OBJ_brainpoolP256t1 1L, 3L, 36L, 3L, 3L, 2L, 8L, 1L, 1L, 8L\n\n#define SN_brainpoolP320r1 \"brainpoolP320r1\"\n#define NID_brainpoolP320r1 929\n#define OBJ_brainpoolP320r1 1L, 3L, 36L, 3L, 3L, 2L, 8L, 1L, 1L, 9L\n\n#define SN_brainpoolP320t1 \"brainpoolP320t1\"\n#define NID_brainpoolP320t1 930\n#define OBJ_brainpoolP320t1 1L, 3L, 36L, 3L, 3L, 2L, 8L, 1L, 1L, 10L\n\n#define SN_brainpoolP384r1 \"brainpoolP384r1\"\n#define NID_brainpoolP384r1 931\n#define OBJ_brainpoolP384r1 1L, 3L, 36L, 3L, 3L, 2L, 8L, 1L, 1L, 11L\n\n#define SN_brainpoolP384t1 \"brainpoolP384t1\"\n#define NID_brainpoolP384t1 932\n#define OBJ_brainpoolP384t1 1L, 3L, 36L, 3L, 3L, 2L, 8L, 1L, 1L, 12L\n\n#define SN_brainpoolP512r1 \"brainpoolP512r1\"\n#define NID_brainpoolP512r1 933\n#define OBJ_brainpoolP512r1 1L, 3L, 36L, 3L, 3L, 2L, 8L, 1L, 1L, 13L\n\n#define SN_brainpoolP512t1 \"brainpoolP512t1\"\n#define NID_brainpoolP512t1 934\n#define OBJ_brainpoolP512t1 1L, 3L, 36L, 3L, 3L, 2L, 8L, 1L, 1L, 14L\n\n#define SN_pSpecified \"PSPECIFIED\"\n#define LN_pSpecified \"pSpecified\"\n#define NID_pSpecified 935\n#define OBJ_pSpecified 1L, 2L, 840L, 113549L, 1L, 1L, 9L\n\n#define SN_dhSinglePass_stdDH_sha1kdf_scheme \"dhSinglePass-stdDH-sha1kdf-scheme\"\n#define NID_dhSinglePass_stdDH_sha1kdf_scheme 936\n#define OBJ_dhSinglePass_stdDH_sha1kdf_scheme \\\n 1L, 3L, 133L, 16L, 840L, 63L, 0L, 2L\n\n#define SN_dhSinglePass_stdDH_sha224kdf_scheme \\\n \"dhSinglePass-stdDH-sha224kdf-scheme\"\n#define NID_dhSinglePass_stdDH_sha224kdf_scheme 937\n#define OBJ_dhSinglePass_stdDH_sha224kdf_scheme 1L, 3L, 132L, 1L, 11L, 0L\n\n#define SN_dhSinglePass_stdDH_sha256kdf_scheme \\\n \"dhSinglePass-stdDH-sha256kdf-scheme\"\n#define NID_dhSinglePass_stdDH_sha256kdf_scheme 938\n#define OBJ_dhSinglePass_stdDH_sha256kdf_scheme 1L, 3L, 132L, 1L, 11L, 1L\n\n#define SN_dhSinglePass_stdDH_sha384kdf_scheme \\\n \"dhSinglePass-stdDH-sha384kdf-scheme\"\n#define NID_dhSinglePass_stdDH_sha384kdf_scheme 939\n#define OBJ_dhSinglePass_stdDH_sha384kdf_scheme 1L, 3L, 132L, 1L, 11L, 2L\n\n#define SN_dhSinglePass_stdDH_sha512kdf_scheme \\\n \"dhSinglePass-stdDH-sha512kdf-scheme\"\n#define NID_dhSinglePass_stdDH_sha512kdf_scheme 940\n#define OBJ_dhSinglePass_stdDH_sha512kdf_scheme 1L, 3L, 132L, 1L, 11L, 3L\n\n#define SN_dhSinglePass_cofactorDH_sha1kdf_scheme \\\n \"dhSinglePass-cofactorDH-sha1kdf-scheme\"\n#define NID_dhSinglePass_cofactorDH_sha1kdf_scheme 941\n#define OBJ_dhSinglePass_cofactorDH_sha1kdf_scheme \\\n 1L, 3L, 133L, 16L, 840L, 63L, 0L, 3L\n\n#define SN_dhSinglePass_cofactorDH_sha224kdf_scheme \\\n \"dhSinglePass-cofactorDH-sha224kdf-scheme\"\n#define NID_dhSinglePass_cofactorDH_sha224kdf_scheme 942\n#define OBJ_dhSinglePass_cofactorDH_sha224kdf_scheme 1L, 3L, 132L, 1L, 14L, 0L\n\n#define SN_dhSinglePass_cofactorDH_sha256kdf_scheme \\\n \"dhSinglePass-cofactorDH-sha256kdf-scheme\"\n#define NID_dhSinglePass_cofactorDH_sha256kdf_scheme 943\n#define OBJ_dhSinglePass_cofactorDH_sha256kdf_scheme 1L, 3L, 132L, 1L, 14L, 1L\n\n#define SN_dhSinglePass_cofactorDH_sha384kdf_scheme \\\n \"dhSinglePass-cofactorDH-sha384kdf-scheme\"\n#define NID_dhSinglePass_cofactorDH_sha384kdf_scheme 944\n#define OBJ_dhSinglePass_cofactorDH_sha384kdf_scheme 1L, 3L, 132L, 1L, 14L, 2L\n\n#define SN_dhSinglePass_cofactorDH_sha512kdf_scheme \\\n \"dhSinglePass-cofactorDH-sha512kdf-scheme\"\n#define NID_dhSinglePass_cofactorDH_sha512kdf_scheme 945\n#define OBJ_dhSinglePass_cofactorDH_sha512kdf_scheme 1L, 3L, 132L, 1L, 14L, 3L\n\n#define SN_dh_std_kdf \"dh-std-kdf\"\n#define NID_dh_std_kdf 946\n\n#define SN_dh_cofactor_kdf \"dh-cofactor-kdf\"\n#define NID_dh_cofactor_kdf 947\n\n#define SN_X25519 \"X25519\"\n#define NID_X25519 948\n#define OBJ_X25519 1L, 3L, 101L, 110L\n\n#define SN_ED25519 \"ED25519\"\n#define NID_ED25519 949\n#define OBJ_ED25519 1L, 3L, 101L, 112L\n\n#define SN_chacha20_poly1305 \"ChaCha20-Poly1305\"\n#define LN_chacha20_poly1305 \"chacha20-poly1305\"\n#define NID_chacha20_poly1305 950\n\n#define SN_kx_rsa \"KxRSA\"\n#define LN_kx_rsa \"kx-rsa\"\n#define NID_kx_rsa 951\n\n#define SN_kx_ecdhe \"KxECDHE\"\n#define LN_kx_ecdhe \"kx-ecdhe\"\n#define NID_kx_ecdhe 952\n\n#define SN_kx_psk \"KxPSK\"\n#define LN_kx_psk \"kx-psk\"\n#define NID_kx_psk 953\n\n#define SN_auth_rsa \"AuthRSA\"\n#define LN_auth_rsa \"auth-rsa\"\n#define NID_auth_rsa 954\n\n#define SN_auth_ecdsa \"AuthECDSA\"\n#define LN_auth_ecdsa \"auth-ecdsa\"\n#define NID_auth_ecdsa 955\n\n#define SN_auth_psk \"AuthPSK\"\n#define LN_auth_psk \"auth-psk\"\n#define NID_auth_psk 956\n\n#define SN_kx_any \"KxANY\"\n#define LN_kx_any \"kx-any\"\n#define NID_kx_any 957\n\n#define SN_auth_any \"AuthANY\"\n#define LN_auth_any \"auth-any\"\n#define NID_auth_any 958\n\n#define SN_ED448 \"ED448\"\n#define NID_ED448 960\n#define OBJ_ED448 1L, 3L, 101L, 113L\n\n#define SN_X448 \"X448\"\n#define NID_X448 961\n#define OBJ_X448 1L, 3L, 101L, 111L\n\n#define SN_sha512_256 \"SHA512-256\"\n#define LN_sha512_256 \"sha512-256\"\n#define NID_sha512_256 962\n#define OBJ_sha512_256 2L, 16L, 840L, 1L, 101L, 3L, 4L, 2L, 6L\n\n#define SN_hkdf \"HKDF\"\n#define LN_hkdf \"hkdf\"\n#define NID_hkdf 963\n\n#define SN_X25519Kyber768Draft00 \"X25519Kyber768Draft00\"\n#define NID_X25519Kyber768Draft00 964\n\n#define SN_X25519MLKEM768 \"X25519MLKEM768\"\n#define NID_X25519MLKEM768 965\n\n\n#if defined(__cplusplus)\n} /* extern C */\n#endif\n\n#endif /* OPENSSL_HEADER_NID_H */\n" }, { "path": "Sources/CNIOBoringSSL/include/CNIOBoringSSL_obj.h", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#ifndef OPENSSL_HEADER_OBJ_H\n#define OPENSSL_HEADER_OBJ_H\n\n#include \"CNIOBoringSSL_base.h\"\n\n#include \"CNIOBoringSSL_bytestring.h\"\n#include \"CNIOBoringSSL_nid.h\" // IWYU pragma: export\n\n#if defined(__cplusplus)\nextern \"C\" {\n#endif\n\n\n// The objects library deals with the registration and indexing of ASN.1 object\n// identifiers. These values are often written as a dotted sequence of numbers,\n// e.g. 1.2.840.113549.1.9.16.3.9.\n//\n// Internally, OpenSSL likes to deal with these values by numbering them with\n// numbers called \"nids\". OpenSSL has a large, built-in database of common\n// object identifiers and also has both short and long names for them.\n//\n// This library provides functions for translating between object identifiers,\n// nids, short names and long names.\n//\n// The nid values should not be used outside of a single process: they are not\n// stable identifiers.\n\n\n// Basic operations.\n\n// OBJ_dup returns a duplicate copy of |obj| or NULL on allocation failure. The\n// caller must call |ASN1_OBJECT_free| on the result to release it.\nOPENSSL_EXPORT ASN1_OBJECT *OBJ_dup(const ASN1_OBJECT *obj);\n\n// OBJ_cmp returns a value less than, equal to or greater than zero if |a| is\n// less than, equal to or greater than |b|, respectively.\nOPENSSL_EXPORT int OBJ_cmp(const ASN1_OBJECT *a, const ASN1_OBJECT *b);\n\n// OBJ_get0_data returns a pointer to the DER representation of |obj|. This is\n// the contents of the DER-encoded identifier, not including the tag and length.\n// If |obj| does not have an associated object identifier (i.e. it is a nid-only\n// value), this value is the empty string.\nOPENSSL_EXPORT const uint8_t *OBJ_get0_data(const ASN1_OBJECT *obj);\n\n// OBJ_length returns the length of the DER representation of |obj|. This is the\n// contents of the DER-encoded identifier, not including the tag and length. If\n// |obj| does not have an associated object identifier (i.e. it is a nid-only\n// value), this value is the empty string.\nOPENSSL_EXPORT size_t OBJ_length(const ASN1_OBJECT *obj);\n\n\n// Looking up nids.\n\n// OBJ_obj2nid returns the nid corresponding to |obj|, or |NID_undef| if no\n// such object is known.\nOPENSSL_EXPORT int OBJ_obj2nid(const ASN1_OBJECT *obj);\n\n// OBJ_cbs2nid returns the nid corresponding to the DER data in |cbs|, or\n// |NID_undef| if no such object is known.\nOPENSSL_EXPORT int OBJ_cbs2nid(const CBS *cbs);\n\n// OBJ_sn2nid returns the nid corresponding to |short_name|, or |NID_undef| if\n// no such short name is known.\nOPENSSL_EXPORT int OBJ_sn2nid(const char *short_name);\n\n// OBJ_ln2nid returns the nid corresponding to |long_name|, or |NID_undef| if\n// no such long name is known.\nOPENSSL_EXPORT int OBJ_ln2nid(const char *long_name);\n\n// OBJ_txt2nid returns the nid corresponding to |s|, which may be a short name,\n// long name, or an ASCII string containing a dotted sequence of numbers. It\n// returns the nid or NID_undef if unknown.\nOPENSSL_EXPORT int OBJ_txt2nid(const char *s);\n\n\n// Getting information about nids.\n\n// OBJ_nid2obj returns the |ASN1_OBJECT| corresponding to |nid|, or NULL if\n// |nid| is unknown.\n//\n// Although the output is not const, this function returns a static, immutable\n// |ASN1_OBJECT|. It is not necessary to release the object with\n// |ASN1_OBJECT_free|.\n//\n// However, functions like |X509_ALGOR_set0| expect to take ownership of a\n// possibly dynamically-allocated |ASN1_OBJECT|. |ASN1_OBJECT_free| is a no-op\n// for static |ASN1_OBJECT|s, so |OBJ_nid2obj| is compatible with such\n// functions.\n//\n// Callers are encouraged to store the result of this function in a const\n// pointer. However, if using functions like |X509_ALGOR_set0|, callers may use\n// a non-const pointer and manage ownership.\nOPENSSL_EXPORT ASN1_OBJECT *OBJ_nid2obj(int nid);\n\n// OBJ_get_undef returns the object for |NID_undef|. Prefer this function over\n// |OBJ_nid2obj| to avoid pulling in the full OID table.\nOPENSSL_EXPORT const ASN1_OBJECT *OBJ_get_undef(void);\n\n// OBJ_nid2sn returns the short name for |nid|, or NULL if |nid| is unknown.\nOPENSSL_EXPORT const char *OBJ_nid2sn(int nid);\n\n// OBJ_nid2ln returns the long name for |nid|, or NULL if |nid| is unknown.\nOPENSSL_EXPORT const char *OBJ_nid2ln(int nid);\n\n// OBJ_nid2cbb writes |nid| as an ASN.1 OBJECT IDENTIFIER to |out|. It returns\n// one on success or zero otherwise.\nOPENSSL_EXPORT int OBJ_nid2cbb(CBB *out, int nid);\n\n\n// Dealing with textual representations of object identifiers.\n\n// OBJ_txt2obj returns an ASN1_OBJECT for the textual representation in |s|.\n// If |dont_search_names| is zero, then |s| will be matched against the long\n// and short names of a known objects to find a match. Otherwise |s| must\n// contain an ASCII string with a dotted sequence of numbers. The resulting\n// object need not be previously known. It returns a freshly allocated\n// |ASN1_OBJECT| or NULL on error.\nOPENSSL_EXPORT ASN1_OBJECT *OBJ_txt2obj(const char *s, int dont_search_names);\n\n// OBJ_obj2txt converts |obj| to a textual representation. If\n// |always_return_oid| is zero then |obj| will be matched against known objects\n// and the long (preferably) or short name will be used if found. Otherwise\n// |obj| will be converted into a dotted sequence of integers. If |out| is not\n// NULL, then at most |out_len| bytes of the textual form will be written\n// there. If |out_len| is at least one, then string written to |out| will\n// always be NUL terminated. It returns the number of characters that could\n// have been written, not including the final NUL, or -1 on error.\nOPENSSL_EXPORT int OBJ_obj2txt(char *out, int out_len, const ASN1_OBJECT *obj,\n int always_return_oid);\n\n\n// Adding objects at runtime.\n\n// OBJ_create adds a known object and returns the NID of the new object, or\n// NID_undef on error.\n//\n// WARNING: This function modifies global state. The table cannot contain\n// duplicate OIDs, short names, or long names. If two callers in the same\n// address space add conflicting values, only one registration will take effect.\n// Avoid this function if possible. Instead, callers can process OIDs unknown to\n// BoringSSL by acting on the byte representation directly. See\n// |ASN1_OBJECT_create|, |OBJ_get0_data|, and |OBJ_length|.\nOPENSSL_EXPORT int OBJ_create(const char *oid, const char *short_name,\n const char *long_name);\n\n\n// Handling signature algorithm identifiers.\n//\n// Some NIDs (e.g. sha256WithRSAEncryption) specify both a digest algorithm and\n// a public key algorithm. The following functions map between pairs of digest\n// and public-key algorithms and the NIDs that specify their combination.\n//\n// Sometimes the combination NID leaves the digest unspecified (e.g.\n// rsassaPss). In these cases, the digest NID is |NID_undef|.\n\n// OBJ_find_sigid_algs finds the digest and public-key NIDs that correspond to\n// the signing algorithm |sign_nid|. If successful, it sets |*out_digest_nid|\n// and |*out_pkey_nid| and returns one. Otherwise it returns zero. Any of\n// |out_digest_nid| or |out_pkey_nid| can be NULL if the caller doesn't need\n// that output value.\nOPENSSL_EXPORT int OBJ_find_sigid_algs(int sign_nid, int *out_digest_nid,\n int *out_pkey_nid);\n\n// OBJ_find_sigid_by_algs finds the signature NID that corresponds to the\n// combination of |digest_nid| and |pkey_nid|. If success, it sets\n// |*out_sign_nid| and returns one. Otherwise it returns zero. The\n// |out_sign_nid| argument can be NULL if the caller only wishes to learn\n// whether the combination is valid.\nOPENSSL_EXPORT int OBJ_find_sigid_by_algs(int *out_sign_nid, int digest_nid,\n int pkey_nid);\n\n\n// Deprecated functions.\n\ntypedef struct obj_name_st {\n int type;\n int alias;\n const char *name;\n const char *data;\n} OBJ_NAME;\n\n#define OBJ_NAME_TYPE_MD_METH 1\n#define OBJ_NAME_TYPE_CIPHER_METH 2\n\n// OBJ_NAME_do_all_sorted calls |callback| zero or more times, each time with\n// the name of a different primitive. If |type| is |OBJ_NAME_TYPE_MD_METH| then\n// the primitives will be hash functions, alternatively if |type| is\n// |OBJ_NAME_TYPE_CIPHER_METH| then the primitives will be ciphers or cipher\n// modes.\n//\n// This function is ill-specified and should never be used.\nOPENSSL_EXPORT void OBJ_NAME_do_all_sorted(\n int type, void (*callback)(const OBJ_NAME *, void *arg), void *arg);\n\n// OBJ_NAME_do_all calls |OBJ_NAME_do_all_sorted|.\nOPENSSL_EXPORT void OBJ_NAME_do_all(int type, void (*callback)(const OBJ_NAME *,\n void *arg),\n void *arg);\n\n// OBJ_cleanup does nothing.\nOPENSSL_EXPORT void OBJ_cleanup(void);\n\n\n#if defined(__cplusplus)\n} // extern C\n#endif\n\n#define OBJ_R_UNKNOWN_NID 100\n#define OBJ_R_INVALID_OID_STRING 101\n\n#endif // OPENSSL_HEADER_OBJ_H\n" }, { "path": "Sources/CNIOBoringSSL/include/CNIOBoringSSL_obj_mac.h", "content": "/* Copyright 2016 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n/* This header is provided in order to make compiling against code that expects\n OpenSSL easier. */\n\n#include \"CNIOBoringSSL_nid.h\"\n" }, { "path": "Sources/CNIOBoringSSL/include/CNIOBoringSSL_objects.h", "content": "/* Copyright 2014 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n/* This header is provided in order to make compiling against code that expects\n OpenSSL easier. */\n\n#include \"CNIOBoringSSL_obj.h\"\n" }, { "path": "Sources/CNIOBoringSSL/include/CNIOBoringSSL_opensslconf.h", "content": "/* Copyright 2014 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n/* This header is provided in order to make compiling against code that expects\n OpenSSL easier. */\n\n#ifndef OPENSSL_HEADER_OPENSSLCONF_H\n#define OPENSSL_HEADER_OPENSSLCONF_H\n\n/* Keep in sync with the list in rust/bssl-sys/build.rs */\n\n#define OPENSSL_NO_ASYNC\n#define OPENSSL_NO_BF\n#define OPENSSL_NO_BLAKE2\n#define OPENSSL_NO_BUF_FREELISTS\n#define OPENSSL_NO_CAMELLIA\n#define OPENSSL_NO_CAPIENG\n#define OPENSSL_NO_CAST\n#define OPENSSL_NO_CMS\n#define OPENSSL_NO_COMP\n#define OPENSSL_NO_CT\n#define OPENSSL_NO_DANE\n#define OPENSSL_NO_DEPRECATED\n#define OPENSSL_NO_DGRAM\n#define OPENSSL_NO_DYNAMIC_ENGINE\n#define OPENSSL_NO_EC_NISTP_64_GCC_128\n#define OPENSSL_NO_EC2M\n#define OPENSSL_NO_EGD\n#define OPENSSL_NO_ENGINE\n#define OPENSSL_NO_GMP\n#define OPENSSL_NO_GOST\n#define OPENSSL_NO_HEARTBEATS\n#define OPENSSL_NO_HW\n#define OPENSSL_NO_IDEA\n#define OPENSSL_NO_JPAKE\n#define OPENSSL_NO_KRB5\n#define OPENSSL_NO_MD2\n#define OPENSSL_NO_MDC2\n#define OPENSSL_NO_OCB\n#define OPENSSL_NO_OCSP\n#define OPENSSL_NO_RC2\n#define OPENSSL_NO_RC5\n#define OPENSSL_NO_RFC3779\n#define OPENSSL_NO_RIPEMD\n#define OPENSSL_NO_RMD160\n#define OPENSSL_NO_SCTP\n#define OPENSSL_NO_SEED\n#define OPENSSL_NO_SM2\n#define OPENSSL_NO_SM3\n#define OPENSSL_NO_SM4\n#define OPENSSL_NO_SRP\n#define OPENSSL_NO_SSL_TRACE\n#define OPENSSL_NO_SSL2\n#define OPENSSL_NO_SSL3\n#define OPENSSL_NO_SSL3_METHOD\n#define OPENSSL_NO_STATIC_ENGINE\n#define OPENSSL_NO_STORE\n#define OPENSSL_NO_WHIRLPOOL\n\n\n#endif // OPENSSL_HEADER_OPENSSLCONF_H\n" }, { "path": "Sources/CNIOBoringSSL/include/CNIOBoringSSL_opensslv.h", "content": "/* Copyright 2014 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n/* This header is provided in order to make compiling against code that expects\n OpenSSL easier. */\n\n#include \"CNIOBoringSSL_crypto.h\"\n" }, { "path": "Sources/CNIOBoringSSL/include/CNIOBoringSSL_ossl_typ.h", "content": "/* Copyright 2014 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n/* This header is provided in order to make compiling against code that expects\n OpenSSL easier. */\n\n#include \"CNIOBoringSSL_base.h\"\n" }, { "path": "Sources/CNIOBoringSSL/include/CNIOBoringSSL_pem.h", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#ifndef OPENSSL_HEADER_PEM_H\n#define OPENSSL_HEADER_PEM_H\n\n#include \"CNIOBoringSSL_base64.h\"\n#include \"CNIOBoringSSL_bio.h\"\n#include \"CNIOBoringSSL_cipher.h\"\n#include \"CNIOBoringSSL_digest.h\"\n#include \"CNIOBoringSSL_evp.h\"\n#include \"CNIOBoringSSL_pkcs7.h\"\n#include \"CNIOBoringSSL_stack.h\"\n#include \"CNIOBoringSSL_x509.h\"\n\n// For compatibility with open-iscsi, which assumes that it can get\n// |OPENSSL_malloc| from pem.h or err.h\n#include \"CNIOBoringSSL_crypto.h\"\n\n#ifdef __cplusplus\nextern \"C\" {\n#endif\n\n\n#define PEM_BUFSIZE 1024\n\n#define PEM_STRING_X509_OLD \"X509 CERTIFICATE\"\n#define PEM_STRING_X509 \"CERTIFICATE\"\n#define PEM_STRING_X509_PAIR \"CERTIFICATE PAIR\"\n#define PEM_STRING_X509_TRUSTED \"TRUSTED CERTIFICATE\"\n#define PEM_STRING_X509_REQ_OLD \"NEW CERTIFICATE REQUEST\"\n#define PEM_STRING_X509_REQ \"CERTIFICATE REQUEST\"\n#define PEM_STRING_X509_CRL \"X509 CRL\"\n#define PEM_STRING_EVP_PKEY \"ANY PRIVATE KEY\"\n#define PEM_STRING_PUBLIC \"PUBLIC KEY\"\n#define PEM_STRING_RSA \"RSA PRIVATE KEY\"\n#define PEM_STRING_RSA_PUBLIC \"RSA PUBLIC KEY\"\n#define PEM_STRING_DSA \"DSA PRIVATE KEY\"\n#define PEM_STRING_DSA_PUBLIC \"DSA PUBLIC KEY\"\n#define PEM_STRING_EC \"EC PRIVATE KEY\"\n#define PEM_STRING_PKCS7 \"PKCS7\"\n#define PEM_STRING_PKCS7_SIGNED \"PKCS #7 SIGNED DATA\"\n#define PEM_STRING_PKCS8 \"ENCRYPTED PRIVATE KEY\"\n#define PEM_STRING_PKCS8INF \"PRIVATE KEY\"\n#define PEM_STRING_DHPARAMS \"DH PARAMETERS\"\n#define PEM_STRING_SSL_SESSION \"SSL SESSION PARAMETERS\"\n#define PEM_STRING_DSAPARAMS \"DSA PARAMETERS\"\n#define PEM_STRING_ECDSA_PUBLIC \"ECDSA PUBLIC KEY\"\n#define PEM_STRING_ECPRIVATEKEY \"EC PRIVATE KEY\"\n#define PEM_STRING_CMS \"CMS\"\n\n// enc_type is one off\n#define PEM_TYPE_ENCRYPTED 10\n#define PEM_TYPE_MIC_ONLY 20\n#define PEM_TYPE_MIC_CLEAR 30\n#define PEM_TYPE_CLEAR 40\n\n// These macros make the PEM_read/PEM_write functions easier to maintain and\n// write. Now they are all implemented with either:\n// IMPLEMENT_PEM_rw(...) or IMPLEMENT_PEM_rw_cb(...)\n\n\n#define IMPLEMENT_PEM_read_fp(name, type, str, asn1) \\\n static void *pem_read_##name##_d2i(void **x, const unsigned char **inp, \\\n long len) { \\\n return d2i_##asn1((type **)x, inp, len); \\\n } \\\n OPENSSL_EXPORT type *PEM_read_##name(FILE *fp, type **x, \\\n pem_password_cb *cb, void *u) { \\\n return (type *)PEM_ASN1_read(pem_read_##name##_d2i, str, fp, (void **)x, \\\n cb, u); \\\n }\n\n#define IMPLEMENT_PEM_write_fp(name, type, str, asn1) \\\n static int pem_write_##name##_i2d(const void *x, unsigned char **outp) { \\\n return i2d_##asn1((type *)x, outp); \\\n } \\\n OPENSSL_EXPORT int PEM_write_##name(FILE *fp, type *x) { \\\n return PEM_ASN1_write(pem_write_##name##_i2d, str, fp, x, NULL, NULL, 0, \\\n NULL, NULL); \\\n }\n\n#define IMPLEMENT_PEM_write_fp_const(name, type, str, asn1) \\\n static int pem_write_##name##_i2d(const void *x, unsigned char **outp) { \\\n return i2d_##asn1((const type *)x, outp); \\\n } \\\n OPENSSL_EXPORT int PEM_write_##name(FILE *fp, const type *x) { \\\n return PEM_ASN1_write(pem_write_##name##_i2d, str, fp, (void *)x, NULL, \\\n NULL, 0, NULL, NULL); \\\n }\n\n#define IMPLEMENT_PEM_write_cb_fp(name, type, str, asn1) \\\n static int pem_write_##name##_i2d(const void *x, unsigned char **outp) { \\\n return i2d_##asn1((type *)x, outp); \\\n } \\\n OPENSSL_EXPORT int PEM_write_##name( \\\n FILE *fp, type *x, const EVP_CIPHER *enc, const unsigned char *pass, \\\n int pass_len, pem_password_cb *cb, void *u) { \\\n return PEM_ASN1_write(pem_write_##name##_i2d, str, fp, x, enc, pass, \\\n pass_len, cb, u); \\\n }\n\n#define IMPLEMENT_PEM_write_cb_fp_const(name, type, str, asn1) \\\n static int pem_write_##name##_i2d(const void *x, unsigned char **outp) { \\\n return i2d_##asn1((const type *)x, outp); \\\n } \\\n OPENSSL_EXPORT int PEM_write_##name( \\\n FILE *fp, type *x, const EVP_CIPHER *enc, const unsigned char *pass, \\\n int pass_len, pem_password_cb *cb, void *u) { \\\n return PEM_ASN1_write(pem_write_##name##_i2d, str, fp, x, enc, pass, \\\n pass_len, cb, u); \\\n }\n\n\n#define IMPLEMENT_PEM_read_bio(name, type, str, asn1) \\\n static void *pem_read_bio_##name##_d2i(void **x, const unsigned char **inp, \\\n long len) { \\\n return d2i_##asn1((type **)x, inp, len); \\\n } \\\n OPENSSL_EXPORT type *PEM_read_bio_##name(BIO *bp, type **x, \\\n pem_password_cb *cb, void *u) { \\\n return (type *)PEM_ASN1_read_bio(pem_read_bio_##name##_d2i, str, bp, \\\n (void **)x, cb, u); \\\n }\n\n#define IMPLEMENT_PEM_write_bio(name, type, str, asn1) \\\n static int pem_write_bio_##name##_i2d(const void *x, unsigned char **outp) { \\\n return i2d_##asn1((type *)x, outp); \\\n } \\\n OPENSSL_EXPORT int PEM_write_bio_##name(BIO *bp, type *x) { \\\n return PEM_ASN1_write_bio(pem_write_bio_##name##_i2d, str, bp, x, NULL, \\\n NULL, 0, NULL, NULL); \\\n }\n\n#define IMPLEMENT_PEM_write_bio_const(name, type, str, asn1) \\\n static int pem_write_bio_##name##_i2d(const void *x, unsigned char **outp) { \\\n return i2d_##asn1((const type *)x, outp); \\\n } \\\n OPENSSL_EXPORT int PEM_write_bio_##name(BIO *bp, const type *x) { \\\n return PEM_ASN1_write_bio(pem_write_bio_##name##_i2d, str, bp, (void *)x, \\\n NULL, NULL, 0, NULL, NULL); \\\n }\n\n#define IMPLEMENT_PEM_write_cb_bio(name, type, str, asn1) \\\n static int pem_write_bio_##name##_i2d(const void *x, unsigned char **outp) { \\\n return i2d_##asn1((type *)x, outp); \\\n } \\\n OPENSSL_EXPORT int PEM_write_bio_##name( \\\n BIO *bp, type *x, const EVP_CIPHER *enc, const unsigned char *pass, \\\n int pass_len, pem_password_cb *cb, void *u) { \\\n return PEM_ASN1_write_bio(pem_write_bio_##name##_i2d, str, bp, x, enc, \\\n pass, pass_len, cb, u); \\\n }\n\n#define IMPLEMENT_PEM_write_cb_bio_const(name, type, str, asn1) \\\n static int pem_write_bio_##name##_i2d(const void *x, unsigned char **outp) { \\\n return i2d_##asn1((const type *)x, outp); \\\n } \\\n OPENSSL_EXPORT int PEM_write_bio_##name( \\\n BIO *bp, type *x, const EVP_CIPHER *enc, const unsigned char *pass, \\\n int pass_len, pem_password_cb *cb, void *u) { \\\n return PEM_ASN1_write_bio(pem_write_bio_##name##_i2d, str, bp, (void *)x, \\\n enc, pass, pass_len, cb, u); \\\n }\n\n#define IMPLEMENT_PEM_write(name, type, str, asn1) \\\n IMPLEMENT_PEM_write_bio(name, type, str, asn1) \\\n IMPLEMENT_PEM_write_fp(name, type, str, asn1)\n\n#define IMPLEMENT_PEM_write_const(name, type, str, asn1) \\\n IMPLEMENT_PEM_write_bio_const(name, type, str, asn1) \\\n IMPLEMENT_PEM_write_fp_const(name, type, str, asn1)\n\n#define IMPLEMENT_PEM_write_cb(name, type, str, asn1) \\\n IMPLEMENT_PEM_write_cb_bio(name, type, str, asn1) \\\n IMPLEMENT_PEM_write_cb_fp(name, type, str, asn1)\n\n#define IMPLEMENT_PEM_write_cb_const(name, type, str, asn1) \\\n IMPLEMENT_PEM_write_cb_bio_const(name, type, str, asn1) \\\n IMPLEMENT_PEM_write_cb_fp_const(name, type, str, asn1)\n\n#define IMPLEMENT_PEM_read(name, type, str, asn1) \\\n IMPLEMENT_PEM_read_bio(name, type, str, asn1) \\\n IMPLEMENT_PEM_read_fp(name, type, str, asn1)\n\n#define IMPLEMENT_PEM_rw(name, type, str, asn1) \\\n IMPLEMENT_PEM_read(name, type, str, asn1) \\\n IMPLEMENT_PEM_write(name, type, str, asn1)\n\n#define IMPLEMENT_PEM_rw_const(name, type, str, asn1) \\\n IMPLEMENT_PEM_read(name, type, str, asn1) \\\n IMPLEMENT_PEM_write_const(name, type, str, asn1)\n\n#define IMPLEMENT_PEM_rw_cb(name, type, str, asn1) \\\n IMPLEMENT_PEM_read(name, type, str, asn1) \\\n IMPLEMENT_PEM_write_cb(name, type, str, asn1)\n\n// These are the same except they are for the declarations\n\n#define DECLARE_PEM_read_fp(name, type) \\\n OPENSSL_EXPORT type *PEM_read_##name(FILE *fp, type **x, \\\n pem_password_cb *cb, void *u);\n\n#define DECLARE_PEM_write_fp(name, type) \\\n OPENSSL_EXPORT int PEM_write_##name(FILE *fp, type *x);\n\n#define DECLARE_PEM_write_fp_const(name, type) \\\n OPENSSL_EXPORT int PEM_write_##name(FILE *fp, const type *x);\n\n#define DECLARE_PEM_write_cb_fp(name, type) \\\n OPENSSL_EXPORT int PEM_write_##name( \\\n FILE *fp, type *x, const EVP_CIPHER *enc, const unsigned char *pass, \\\n int pass_len, pem_password_cb *cb, void *u);\n\n#define DECLARE_PEM_read_bio(name, type) \\\n OPENSSL_EXPORT type *PEM_read_bio_##name(BIO *bp, type **x, \\\n pem_password_cb *cb, void *u);\n\n#define DECLARE_PEM_write_bio(name, type) \\\n OPENSSL_EXPORT int PEM_write_bio_##name(BIO *bp, type *x);\n\n#define DECLARE_PEM_write_bio_const(name, type) \\\n OPENSSL_EXPORT int PEM_write_bio_##name(BIO *bp, const type *x);\n\n#define DECLARE_PEM_write_cb_bio(name, type) \\\n OPENSSL_EXPORT int PEM_write_bio_##name( \\\n BIO *bp, type *x, const EVP_CIPHER *enc, const unsigned char *pass, \\\n int pass_len, pem_password_cb *cb, void *u);\n\n\n#define DECLARE_PEM_write(name, type) \\\n DECLARE_PEM_write_bio(name, type) \\\n DECLARE_PEM_write_fp(name, type)\n\n#define DECLARE_PEM_write_const(name, type) \\\n DECLARE_PEM_write_bio_const(name, type) \\\n DECLARE_PEM_write_fp_const(name, type)\n\n#define DECLARE_PEM_write_cb(name, type) \\\n DECLARE_PEM_write_cb_bio(name, type) \\\n DECLARE_PEM_write_cb_fp(name, type)\n\n#define DECLARE_PEM_read(name, type) \\\n DECLARE_PEM_read_bio(name, type) \\\n DECLARE_PEM_read_fp(name, type)\n\n#define DECLARE_PEM_rw(name, type) \\\n DECLARE_PEM_read(name, type) \\\n DECLARE_PEM_write(name, type)\n\n#define DECLARE_PEM_rw_const(name, type) \\\n DECLARE_PEM_read(name, type) \\\n DECLARE_PEM_write_const(name, type)\n\n#define DECLARE_PEM_rw_cb(name, type) \\\n DECLARE_PEM_read(name, type) \\\n DECLARE_PEM_write_cb(name, type)\n\n// \"userdata\": new with OpenSSL 0.9.4\ntypedef int pem_password_cb(char *buf, int size, int rwflag, void *userdata);\n\n// PEM_read_bio reads from |bp|, until the next PEM block. If one is found, it\n// returns one and sets |*name|, |*header|, and |*data| to newly-allocated\n// buffers containing the PEM type, the header block, and the decoded data,\n// respectively. |*name| and |*header| are NUL-terminated C strings, while\n// |*data| has |*len| bytes. The caller must release each of |*name|, |*header|,\n// and |*data| with |OPENSSL_free| when done. If no PEM block is found, this\n// function returns zero and pushes |PEM_R_NO_START_LINE| to the error queue. If\n// one is found, but there is an error decoding it, it returns zero and pushes\n// some other error to the error queue.\nOPENSSL_EXPORT int PEM_read_bio(BIO *bp, char **name, char **header,\n unsigned char **data, long *len);\n\n// PEM_write_bio writes a PEM block to |bp|, containing |len| bytes from |data|\n// as data. |name| and |hdr| are NUL-terminated C strings containing the PEM\n// type and header block, respectively. This function returns zero on error and\n// the number of bytes written on success.\nOPENSSL_EXPORT int PEM_write_bio(BIO *bp, const char *name, const char *hdr,\n const unsigned char *data, long len);\n\nOPENSSL_EXPORT int PEM_bytes_read_bio(unsigned char **pdata, long *plen,\n char **pnm, const char *name, BIO *bp,\n pem_password_cb *cb, void *u);\nOPENSSL_EXPORT void *PEM_ASN1_read_bio(d2i_of_void *d2i, const char *name,\n BIO *bp, void **x, pem_password_cb *cb,\n void *u);\nOPENSSL_EXPORT int PEM_ASN1_write_bio(i2d_of_void *i2d, const char *name,\n BIO *bp, void *x, const EVP_CIPHER *enc,\n const unsigned char *pass, int pass_len,\n pem_password_cb *cb, void *u);\n\n// PEM_X509_INFO_read_bio reads PEM blocks from |bp| and decodes any\n// certificates, CRLs, and private keys found. It returns a\n// |STACK_OF(X509_INFO)| structure containing the results, or NULL on error.\n//\n// If |sk| is NULL, the result on success will be a newly-allocated\n// |STACK_OF(X509_INFO)| structure which should be released with\n// |sk_X509_INFO_pop_free| and |X509_INFO_free| when done.\n//\n// If |sk| is non-NULL, it appends the results to |sk| instead and returns |sk|\n// on success. In this case, the caller retains ownership of |sk| in both\n// success and failure.\n//\n// This function will decrypt any encrypted certificates in |bp|, using |cb|,\n// but it will not decrypt encrypted private keys. Encrypted private keys are\n// instead represented as placeholder |X509_INFO| objects with an empty |x_pkey|\n// field. This allows this function to be used with inputs with unencrypted\n// certificates, but encrypted passwords, without knowing the password. However,\n// it also means that this function cannot be used to decrypt the private key\n// when the password is known.\n//\n// WARNING: If the input contains \"TRUSTED CERTIFICATE\" PEM blocks, this\n// function parses auxiliary properties as in |d2i_X509_AUX|. Passing untrusted\n// input to this function allows an attacker to influence those properties. See\n// |d2i_X509_AUX| for details.\nOPENSSL_EXPORT STACK_OF(X509_INFO) *PEM_X509_INFO_read_bio(\n BIO *bp, STACK_OF(X509_INFO) *sk, pem_password_cb *cb, void *u);\n\n// PEM_X509_INFO_read behaves like |PEM_X509_INFO_read_bio| but reads from a\n// |FILE|.\nOPENSSL_EXPORT STACK_OF(X509_INFO) *PEM_X509_INFO_read(FILE *fp,\n STACK_OF(X509_INFO) *sk,\n pem_password_cb *cb,\n void *u);\n\nOPENSSL_EXPORT int PEM_read(FILE *fp, char **name, char **header,\n unsigned char **data, long *len);\nOPENSSL_EXPORT int PEM_write(FILE *fp, const char *name, const char *hdr,\n const unsigned char *data, long len);\nOPENSSL_EXPORT void *PEM_ASN1_read(d2i_of_void *d2i, const char *name, FILE *fp,\n void **x, pem_password_cb *cb, void *u);\nOPENSSL_EXPORT int PEM_ASN1_write(i2d_of_void *i2d, const char *name, FILE *fp,\n void *x, const EVP_CIPHER *enc,\n const unsigned char *pass, int pass_len,\n pem_password_cb *callback, void *u);\n\n// PEM_def_callback treats |userdata| as a string and copies it into |buf|,\n// assuming its |size| is sufficient. Returns the length of the string, or -1 on\n// error. Error cases the buffer being too small, or |buf| and |userdata| being\n// NULL. Note that this is different from OpenSSL, which prompts for a password.\nOPENSSL_EXPORT int PEM_def_callback(char *buf, int size, int rwflag,\n void *userdata);\n\n\nDECLARE_PEM_rw(X509, X509)\n\n// TODO(crbug.com/boringssl/426): When documenting these, copy the warning\n// about auxiliary properties from |PEM_X509_INFO_read_bio|.\nDECLARE_PEM_rw(X509_AUX, X509)\n\nDECLARE_PEM_rw(X509_REQ, X509_REQ)\nDECLARE_PEM_write(X509_REQ_NEW, X509_REQ)\n\nDECLARE_PEM_rw(X509_CRL, X509_CRL)\n\nDECLARE_PEM_rw(PKCS7, PKCS7)\nDECLARE_PEM_rw(PKCS8, X509_SIG)\n\nDECLARE_PEM_rw(PKCS8_PRIV_KEY_INFO, PKCS8_PRIV_KEY_INFO)\n\nDECLARE_PEM_rw_cb(RSAPrivateKey, RSA)\n\nDECLARE_PEM_rw_const(RSAPublicKey, RSA)\nDECLARE_PEM_rw(RSA_PUBKEY, RSA)\n\n#ifndef OPENSSL_NO_DSA\n\nDECLARE_PEM_rw_cb(DSAPrivateKey, DSA)\n\nDECLARE_PEM_rw(DSA_PUBKEY, DSA)\n\nDECLARE_PEM_rw_const(DSAparams, DSA)\n\n#endif\n\nDECLARE_PEM_rw_cb(ECPrivateKey, EC_KEY)\nDECLARE_PEM_rw(EC_PUBKEY, EC_KEY)\n\n\nDECLARE_PEM_rw_const(DHparams, DH)\n\n\nDECLARE_PEM_rw_cb(PrivateKey, EVP_PKEY)\n\nDECLARE_PEM_rw(PUBKEY, EVP_PKEY)\n\nOPENSSL_EXPORT int PEM_write_bio_PKCS8PrivateKey_nid(BIO *bp, const EVP_PKEY *x,\n int nid, const char *pass,\n int pass_len,\n pem_password_cb *cb,\n void *u);\nOPENSSL_EXPORT int PEM_write_bio_PKCS8PrivateKey(BIO *bp, const EVP_PKEY *x,\n const EVP_CIPHER *enc,\n const char *pass, int pass_len,\n pem_password_cb *cb, void *u);\nOPENSSL_EXPORT int i2d_PKCS8PrivateKey_bio(BIO *bp, const EVP_PKEY *x,\n const EVP_CIPHER *enc,\n const char *pass, int pass_len,\n pem_password_cb *cb, void *u);\nOPENSSL_EXPORT int i2d_PKCS8PrivateKey_nid_bio(BIO *bp, const EVP_PKEY *x,\n int nid, const char *pass,\n int pass_len,\n pem_password_cb *cb, void *u);\nOPENSSL_EXPORT EVP_PKEY *d2i_PKCS8PrivateKey_bio(BIO *bp, EVP_PKEY **x,\n pem_password_cb *cb, void *u);\n\nOPENSSL_EXPORT int i2d_PKCS8PrivateKey_fp(FILE *fp, const EVP_PKEY *x,\n const EVP_CIPHER *enc,\n const char *pass, int pass_len,\n pem_password_cb *cb, void *u);\nOPENSSL_EXPORT int i2d_PKCS8PrivateKey_nid_fp(FILE *fp, const EVP_PKEY *x,\n int nid, const char *pass,\n int pass_len, pem_password_cb *cb,\n void *u);\nOPENSSL_EXPORT int PEM_write_PKCS8PrivateKey_nid(FILE *fp, const EVP_PKEY *x,\n int nid, const char *pass,\n int pass_len,\n pem_password_cb *cb, void *u);\n\nOPENSSL_EXPORT EVP_PKEY *d2i_PKCS8PrivateKey_fp(FILE *fp, EVP_PKEY **x,\n pem_password_cb *cb, void *u);\n\nOPENSSL_EXPORT int PEM_write_PKCS8PrivateKey(FILE *fp, const EVP_PKEY *x,\n const EVP_CIPHER *enc,\n const char *pass, int pass_len,\n pem_password_cb *cd, void *u);\n\n\n#ifdef __cplusplus\n} // extern \"C\"\n#endif\n\n#define PEM_R_BAD_BASE64_DECODE 100\n#define PEM_R_BAD_DECRYPT 101\n#define PEM_R_BAD_END_LINE 102\n#define PEM_R_BAD_IV_CHARS 103\n#define PEM_R_BAD_PASSWORD_READ 104\n#define PEM_R_CIPHER_IS_NULL 105\n#define PEM_R_ERROR_CONVERTING_PRIVATE_KEY 106\n#define PEM_R_NOT_DEK_INFO 107\n#define PEM_R_NOT_ENCRYPTED 108\n#define PEM_R_NOT_PROC_TYPE 109\n#define PEM_R_NO_START_LINE 110\n#define PEM_R_READ_KEY 111\n#define PEM_R_SHORT_HEADER 112\n#define PEM_R_UNSUPPORTED_CIPHER 113\n#define PEM_R_UNSUPPORTED_ENCRYPTION 114\n#define PEM_R_UNSUPPORTED_PROC_TYPE_VERSION 115\n\n#endif // OPENSSL_HEADER_PEM_H\n" }, { "path": "Sources/CNIOBoringSSL/include/CNIOBoringSSL_pkcs12.h", "content": "/* Copyright 2014 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n/* This header is provided in order to make compiling against code that expects\n OpenSSL easier. */\n\n#include \"CNIOBoringSSL_pkcs8.h\"\n" }, { "path": "Sources/CNIOBoringSSL/include/CNIOBoringSSL_pkcs7.h", "content": "/* Copyright 2014 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n#ifndef OPENSSL_HEADER_PKCS7_H\n#define OPENSSL_HEADER_PKCS7_H\n\n#include \"CNIOBoringSSL_base.h\"\n\n#include \"CNIOBoringSSL_stack.h\"\n\n#if defined(__cplusplus)\nextern \"C\" {\n#endif\n\n\n// PKCS#7.\n//\n// This library contains functions for extracting information from PKCS#7\n// structures (RFC 2315).\n\nDECLARE_STACK_OF(CRYPTO_BUFFER)\nDECLARE_STACK_OF(X509)\nDECLARE_STACK_OF(X509_CRL)\n\n// PKCS7_get_raw_certificates parses a PKCS#7, SignedData structure from |cbs|\n// and appends the included certificates to |out_certs|. It returns one on\n// success and zero on error. |cbs| is advanced passed the structure.\n//\n// Note that a SignedData structure may contain no certificates, in which case\n// this function succeeds but does not append any certificates. Additionally,\n// certificates in SignedData structures are unordered. Callers should not\n// assume a particular order in |*out_certs| and may need to search for matches\n// or run path-building algorithms.\nOPENSSL_EXPORT int PKCS7_get_raw_certificates(\n STACK_OF(CRYPTO_BUFFER) *out_certs, CBS *cbs, CRYPTO_BUFFER_POOL *pool);\n\n// PKCS7_get_certificates behaves like |PKCS7_get_raw_certificates| but parses\n// them into |X509| objects.\nOPENSSL_EXPORT int PKCS7_get_certificates(STACK_OF(X509) *out_certs, CBS *cbs);\n\n// PKCS7_bundle_raw_certificates appends a PKCS#7, SignedData structure\n// containing |certs| to |out|. It returns one on success and zero on error.\n// Note that certificates in SignedData structures are unordered. The order in\n// |certs| will not be preserved.\nOPENSSL_EXPORT int PKCS7_bundle_raw_certificates(\n CBB *out, const STACK_OF(CRYPTO_BUFFER) *certs);\n\n// PKCS7_bundle_certificates behaves like |PKCS7_bundle_raw_certificates| but\n// takes |X509| objects as input.\nOPENSSL_EXPORT int PKCS7_bundle_certificates(\n CBB *out, const STACK_OF(X509) *certs);\n\n// PKCS7_get_CRLs parses a PKCS#7, SignedData structure from |cbs| and appends\n// the included CRLs to |out_crls|. It returns one on success and zero on error.\n// |cbs| is advanced passed the structure.\n//\n// Note that a SignedData structure may contain no CRLs, in which case this\n// function succeeds but does not append any CRLs. Additionally, CRLs in\n// SignedData structures are unordered. Callers should not assume an order in\n// |*out_crls| and may need to search for matches.\nOPENSSL_EXPORT int PKCS7_get_CRLs(STACK_OF(X509_CRL) *out_crls, CBS *cbs);\n\n// PKCS7_bundle_CRLs appends a PKCS#7, SignedData structure containing\n// |crls| to |out|. It returns one on success and zero on error. Note that CRLs\n// in SignedData structures are unordered. The order in |crls| will not be\n// preserved.\nOPENSSL_EXPORT int PKCS7_bundle_CRLs(CBB *out, const STACK_OF(X509_CRL) *crls);\n\n// PKCS7_get_PEM_certificates reads a PEM-encoded, PKCS#7, SignedData structure\n// from |pem_bio| and appends the included certificates to |out_certs|. It\n// returns one on success and zero on error.\n//\n// Note that a SignedData structure may contain no certificates, in which case\n// this function succeeds but does not append any certificates. Additionally,\n// certificates in SignedData structures are unordered. Callers should not\n// assume a particular order in |*out_certs| and may need to search for matches\n// or run path-building algorithms.\nOPENSSL_EXPORT int PKCS7_get_PEM_certificates(STACK_OF(X509) *out_certs,\n BIO *pem_bio);\n\n// PKCS7_get_PEM_CRLs reads a PEM-encoded, PKCS#7, SignedData structure from\n// |pem_bio| and appends the included CRLs to |out_crls|. It returns one on\n// success and zero on error.\n//\n// Note that a SignedData structure may contain no CRLs, in which case this\n// function succeeds but does not append any CRLs. Additionally, CRLs in\n// SignedData structures are unordered. Callers should not assume an order in\n// |*out_crls| and may need to search for matches.\nOPENSSL_EXPORT int PKCS7_get_PEM_CRLs(STACK_OF(X509_CRL) *out_crls,\n BIO *pem_bio);\n\n\n// Deprecated functions.\n//\n// These functions are a compatibility layer over a subset of OpenSSL's PKCS#7\n// API. It intentionally does not implement the whole thing, only the minimum\n// needed to build cryptography.io.\n\ntypedef struct {\n STACK_OF(X509) *cert;\n STACK_OF(X509_CRL) *crl;\n} PKCS7_SIGNED;\n\ntypedef struct {\n STACK_OF(X509) *cert;\n STACK_OF(X509_CRL) *crl;\n} PKCS7_SIGN_ENVELOPE;\n\ntypedef void PKCS7_ENVELOPE;\ntypedef void PKCS7_DIGEST;\ntypedef void PKCS7_ENCRYPT;\ntypedef void PKCS7_SIGNER_INFO;\n\ntypedef struct {\n uint8_t *ber_bytes;\n size_t ber_len;\n\n // Unlike OpenSSL, the following fields are immutable. They filled in when the\n // object is parsed and ignored in serialization.\n ASN1_OBJECT *type;\n union {\n char *ptr;\n ASN1_OCTET_STRING *data;\n PKCS7_SIGNED *sign;\n PKCS7_ENVELOPE *enveloped;\n PKCS7_SIGN_ENVELOPE *signed_and_enveloped;\n PKCS7_DIGEST *digest;\n PKCS7_ENCRYPT *encrypted;\n ASN1_TYPE *other;\n } d;\n} PKCS7;\n\n// d2i_PKCS7 parses a BER-encoded, PKCS#7 signed data ContentInfo structure from\n// |len| bytes at |*inp|, as described in |d2i_SAMPLE|.\nOPENSSL_EXPORT PKCS7 *d2i_PKCS7(PKCS7 **out, const uint8_t **inp,\n size_t len);\n\n// d2i_PKCS7_bio behaves like |d2i_PKCS7| but reads the input from |bio|. If\n// the length of the object is indefinite the full contents of |bio| are read.\n//\n// If the function fails then some unknown amount of data may have been read\n// from |bio|.\nOPENSSL_EXPORT PKCS7 *d2i_PKCS7_bio(BIO *bio, PKCS7 **out);\n\n// i2d_PKCS7 marshals |p7| as a DER-encoded PKCS#7 ContentInfo structure, as\n// described in |i2d_SAMPLE|.\nOPENSSL_EXPORT int i2d_PKCS7(const PKCS7 *p7, uint8_t **out);\n\n// i2d_PKCS7_bio writes |p7| to |bio|. It returns one on success and zero on\n// error.\nOPENSSL_EXPORT int i2d_PKCS7_bio(BIO *bio, const PKCS7 *p7);\n\n// PKCS7_free releases memory associated with |p7|.\nOPENSSL_EXPORT void PKCS7_free(PKCS7 *p7);\n\n// PKCS7_type_is_data returns zero.\nOPENSSL_EXPORT int PKCS7_type_is_data(const PKCS7 *p7);\n\n// PKCS7_type_is_digest returns zero.\nOPENSSL_EXPORT int PKCS7_type_is_digest(const PKCS7 *p7);\n\n// PKCS7_type_is_encrypted returns zero.\nOPENSSL_EXPORT int PKCS7_type_is_encrypted(const PKCS7 *p7);\n\n// PKCS7_type_is_enveloped returns zero.\nOPENSSL_EXPORT int PKCS7_type_is_enveloped(const PKCS7 *p7);\n\n// PKCS7_type_is_signed returns one. (We only supporte signed data\n// ContentInfos.)\nOPENSSL_EXPORT int PKCS7_type_is_signed(const PKCS7 *p7);\n\n// PKCS7_type_is_signedAndEnveloped returns zero.\nOPENSSL_EXPORT int PKCS7_type_is_signedAndEnveloped(const PKCS7 *p7);\n\n// PKCS7_DETACHED indicates that the PKCS#7 file specifies its data externally.\n#define PKCS7_DETACHED 0x40\n\n// The following flags cause |PKCS7_sign| to fail.\n#define PKCS7_TEXT 0x1\n#define PKCS7_NOCERTS 0x2\n#define PKCS7_NOSIGS 0x4\n#define PKCS7_NOCHAIN 0x8\n#define PKCS7_NOINTERN 0x10\n#define PKCS7_NOVERIFY 0x20\n#define PKCS7_BINARY 0x80\n#define PKCS7_NOATTR 0x100\n#define PKCS7_NOSMIMECAP 0x200\n#define PKCS7_STREAM 0x1000\n#define PKCS7_PARTIAL 0x4000\n\n// PKCS7_sign can operate in two modes to provide some backwards compatibility:\n//\n// The first mode assembles |certs| into a PKCS#7 signed data ContentInfo with\n// external data and no signatures. It returns a newly-allocated |PKCS7| on\n// success or NULL on error. |sign_cert| and |pkey| must be NULL. |data| is\n// ignored. |flags| must be equal to |PKCS7_DETACHED|. Additionally,\n// certificates in SignedData structures are unordered. The order of |certs|\n// will not be preserved.\n//\n// The second mode generates a detached RSA SHA-256 signature of |data| using\n// |pkey| and produces a PKCS#7 SignedData structure containing it. |certs|\n// must be NULL and |flags| must be exactly |PKCS7_NOATTR | PKCS7_BINARY |\n// PKCS7_NOCERTS | PKCS7_DETACHED|.\n//\n// Note this function only implements a subset of the corresponding OpenSSL\n// function. It is provided for backwards compatibility only.\nOPENSSL_EXPORT PKCS7 *PKCS7_sign(X509 *sign_cert, EVP_PKEY *pkey,\n STACK_OF(X509) *certs, BIO *data, int flags);\n\n\n#if defined(__cplusplus)\n} // extern C\n\nextern \"C++\" {\nBSSL_NAMESPACE_BEGIN\n\nBORINGSSL_MAKE_DELETER(PKCS7, PKCS7_free)\n\nBSSL_NAMESPACE_END\n} // extern C++\n#endif\n\n#define PKCS7_R_BAD_PKCS7_VERSION 100\n#define PKCS7_R_NOT_PKCS7_SIGNED_DATA 101\n#define PKCS7_R_NO_CERTIFICATES_INCLUDED 102\n#define PKCS7_R_NO_CRLS_INCLUDED 103\n\n#endif // OPENSSL_HEADER_PKCS7_H\n" }, { "path": "Sources/CNIOBoringSSL/include/CNIOBoringSSL_pkcs8.h", "content": "/*\n * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#ifndef OPENSSL_HEADER_PKCS8_H\n#define OPENSSL_HEADER_PKCS8_H\n\n#include \"CNIOBoringSSL_base.h\"\n#include \"CNIOBoringSSL_x509.h\"\n\n\n#if defined(__cplusplus)\nextern \"C\" {\n#endif\n\n\n// PKCS8_encrypt serializes and encrypts a PKCS8_PRIV_KEY_INFO with PBES1 or\n// PBES2 as defined in PKCS #5. Only pbeWithSHAAnd128BitRC4,\n// pbeWithSHAAnd3-KeyTripleDES-CBC and pbeWithSHA1And40BitRC2, defined in PKCS\n// #12, and PBES2, are supported. PBES2 is selected by setting |cipher| and\n// passing -1 for |pbe_nid|. Otherwise, PBES1 is used and |cipher| is ignored.\n//\n// |pass| is used as the password. If a PBES1 scheme from PKCS #12 is used, this\n// will be converted to a raw byte string as specified in B.1 of PKCS #12. If\n// |pass| is NULL, it will be encoded as the empty byte string rather than two\n// zero bytes, the PKCS #12 encoding of the empty string.\n//\n// If |salt| is NULL, a random salt of |salt_len| bytes is generated. If\n// |salt_len| is zero, a default salt length is used instead.\n//\n// The resulting structure is stored in an |X509_SIG| which must be freed by the\n// caller.\nOPENSSL_EXPORT X509_SIG *PKCS8_encrypt(int pbe_nid, const EVP_CIPHER *cipher,\n const char *pass, int pass_len,\n const uint8_t *salt, size_t salt_len,\n int iterations,\n PKCS8_PRIV_KEY_INFO *p8inf);\n\n// PKCS8_marshal_encrypted_private_key behaves like |PKCS8_encrypt| but encrypts\n// an |EVP_PKEY| and writes the serialized EncryptedPrivateKeyInfo to |out|. It\n// returns one on success and zero on error.\nOPENSSL_EXPORT int PKCS8_marshal_encrypted_private_key(\n CBB *out, int pbe_nid, const EVP_CIPHER *cipher, const char *pass,\n size_t pass_len, const uint8_t *salt, size_t salt_len, int iterations,\n const EVP_PKEY *pkey);\n\n// PKCS8_decrypt decrypts and decodes a PKCS8_PRIV_KEY_INFO with PBES1 or PBES2\n// as defined in PKCS #5. Only pbeWithSHAAnd128BitRC4,\n// pbeWithSHAAnd3-KeyTripleDES-CBC and pbeWithSHA1And40BitRC2, and PBES2,\n// defined in PKCS #12, are supported.\n//\n// |pass| is used as the password. If a PBES1 scheme from PKCS #12 is used, this\n// will be converted to a raw byte string as specified in B.1 of PKCS #12. If\n// |pass| is NULL, it will be encoded as the empty byte string rather than two\n// zero bytes, the PKCS #12 encoding of the empty string.\n//\n// The resulting structure must be freed by the caller.\nOPENSSL_EXPORT PKCS8_PRIV_KEY_INFO *PKCS8_decrypt(X509_SIG *pkcs8,\n const char *pass,\n int pass_len);\n\n// PKCS8_parse_encrypted_private_key behaves like |PKCS8_decrypt| but it parses\n// the EncryptedPrivateKeyInfo structure from |cbs| and advances |cbs|. It\n// returns a newly-allocated |EVP_PKEY| on success and zero on error.\nOPENSSL_EXPORT EVP_PKEY *PKCS8_parse_encrypted_private_key(CBS *cbs,\n const char *pass,\n size_t pass_len);\n\n// PKCS12_get_key_and_certs parses a PKCS#12 structure from |in|, authenticates\n// and decrypts it using |password|, sets |*out_key| to the included private\n// key and appends the included certificates to |out_certs|. It returns one on\n// success and zero on error. The caller takes ownership of the outputs.\n// Any friendlyName attributes (RFC 2985) in the PKCS#12 structure will be\n// returned on the |X509| objects as aliases. See also |X509_alias_get0|.\nOPENSSL_EXPORT int PKCS12_get_key_and_certs(EVP_PKEY **out_key,\n STACK_OF(X509) *out_certs,\n CBS *in, const char *password);\n\n\n// Deprecated functions.\n\n// PKCS12_PBE_add does nothing. It exists for compatibility with OpenSSL.\nOPENSSL_EXPORT void PKCS12_PBE_add(void);\n\n// d2i_PKCS12 is a dummy function that copies |*ber_bytes| into a\n// |PKCS12| structure. The |out_p12| argument should be NULL(✝). On exit,\n// |*ber_bytes| will be advanced by |ber_len|. It returns a fresh |PKCS12|\n// structure or NULL on error.\n//\n// Note: unlike other d2i functions, |d2i_PKCS12| will always consume |ber_len|\n// bytes.\n//\n// (✝) If |out_p12| is not NULL and the function is successful, |*out_p12| will\n// be freed if not NULL itself and the result will be written to |*out_p12|.\n// New code should not depend on this.\nOPENSSL_EXPORT PKCS12 *d2i_PKCS12(PKCS12 **out_p12, const uint8_t **ber_bytes,\n size_t ber_len);\n\n// d2i_PKCS12_bio acts like |d2i_PKCS12| but reads from a |BIO|.\nOPENSSL_EXPORT PKCS12* d2i_PKCS12_bio(BIO *bio, PKCS12 **out_p12);\n\n// d2i_PKCS12_fp acts like |d2i_PKCS12| but reads from a |FILE|.\nOPENSSL_EXPORT PKCS12* d2i_PKCS12_fp(FILE *fp, PKCS12 **out_p12);\n\n// i2d_PKCS12 is a dummy function which copies the contents of |p12|. If |out|\n// is not NULL then the result is written to |*out| and |*out| is advanced just\n// past the output. It returns the number of bytes in the result, whether\n// written or not, or a negative value on error.\nOPENSSL_EXPORT int i2d_PKCS12(const PKCS12 *p12, uint8_t **out);\n\n// i2d_PKCS12_bio writes the contents of |p12| to |bio|. It returns one on\n// success and zero on error.\nOPENSSL_EXPORT int i2d_PKCS12_bio(BIO *bio, const PKCS12 *p12);\n\n// i2d_PKCS12_fp writes the contents of |p12| to |fp|. It returns one on\n// success and zero on error.\nOPENSSL_EXPORT int i2d_PKCS12_fp(FILE *fp, const PKCS12 *p12);\n\n// PKCS12_parse calls |PKCS12_get_key_and_certs| on the ASN.1 data stored in\n// |p12|. The |out_pkey| and |out_cert| arguments must not be NULL and, on\n// successful exit, the private key and matching certificate will be stored in\n// them. The |out_ca_certs| argument may be NULL but, if not, then any extra\n// certificates will be appended to |*out_ca_certs|. If |*out_ca_certs| is NULL\n// then it will be set to a freshly allocated stack containing the extra certs.\n//\n// Note if |p12| does not contain a private key, both |*out_pkey| and\n// |*out_cert| will be set to NULL and all certificates will be returned via\n// |*out_ca_certs|. Also note this function differs from OpenSSL in that extra\n// certificates are returned in the order they appear in the file. OpenSSL 1.1.1\n// returns them in reverse order, but this will be fixed in OpenSSL 3.0.\n//\n// It returns one on success and zero on error.\n//\n// Use |PKCS12_get_key_and_certs| instead.\nOPENSSL_EXPORT int PKCS12_parse(const PKCS12 *p12, const char *password,\n EVP_PKEY **out_pkey, X509 **out_cert,\n STACK_OF(X509) **out_ca_certs);\n\n// PKCS12_verify_mac returns one if |password| is a valid password for |p12|\n// and zero otherwise. Since |PKCS12_parse| doesn't take a length parameter,\n// it's not actually possible to use a non-NUL-terminated password to actually\n// get anything from a |PKCS12|. Thus |password| and |password_len| may be\n// |NULL| and zero, respectively, or else |password_len| may be -1, or else\n// |password[password_len]| must be zero and no other NUL bytes may appear in\n// |password|. If the |password_len| checks fail, zero is returned\n// immediately.\nOPENSSL_EXPORT int PKCS12_verify_mac(const PKCS12 *p12, const char *password,\n int password_len);\n\n// PKCS12_DEFAULT_ITER is the default number of KDF iterations used when\n// creating a |PKCS12| object.\n#define PKCS12_DEFAULT_ITER 2048\n\n// PKCS12_create returns a newly-allocated |PKCS12| object containing |pkey|,\n// |cert|, and |chain|, encrypted with the specified password. |name|, if not\n// NULL, specifies a user-friendly name to encode with the key and\n// certificate. The key and certificates are encrypted with |key_nid| and\n// |cert_nid|, respectively, using |iterations| iterations in the\n// KDF. |mac_iterations| is the number of iterations when deriving the MAC\n// key. |key_type| must be zero. |pkey| and |cert| may be NULL to omit them.\n//\n// Each of |key_nid|, |cert_nid|, |iterations|, and |mac_iterations| may be zero\n// to use defaults, which are |NID_pbe_WithSHA1And3_Key_TripleDES_CBC|,\n// |NID_pbe_WithSHA1And40BitRC2_CBC|, |PKCS12_DEFAULT_ITER|, and one,\n// respectively.\n//\n// |key_nid| or |cert_nid| may also be -1 to disable encryption of the key or\n// certificate, respectively. This option is not recommended and is only\n// implemented for compatibility with external packages. Note the output still\n// requires a password for the MAC. Unencrypted keys in PKCS#12 are also not\n// widely supported and may not open in other implementations.\n//\n// If |cert| or |chain| have associated aliases (see |X509_alias_set1|), they\n// will be included in the output as friendlyName attributes (RFC 2985). It is\n// an error to specify both an alias on |cert| and a non-NULL |name|\n// parameter.\nOPENSSL_EXPORT PKCS12 *PKCS12_create(const char *password, const char *name,\n const EVP_PKEY *pkey, X509 *cert,\n const STACK_OF(X509) *chain, int key_nid,\n int cert_nid, int iterations,\n int mac_iterations, int key_type);\n\n// PKCS12_free frees |p12| and its contents.\nOPENSSL_EXPORT void PKCS12_free(PKCS12 *p12);\n\n\n#if defined(__cplusplus)\n} // extern C\n\nextern \"C++\" {\n\nBSSL_NAMESPACE_BEGIN\n\nBORINGSSL_MAKE_DELETER(PKCS12, PKCS12_free)\nBORINGSSL_MAKE_DELETER(PKCS8_PRIV_KEY_INFO, PKCS8_PRIV_KEY_INFO_free)\n\nBSSL_NAMESPACE_END\n\n} // extern C++\n\n#endif\n\n#define PKCS8_R_BAD_PKCS12_DATA 100\n#define PKCS8_R_BAD_PKCS12_VERSION 101\n#define PKCS8_R_CIPHER_HAS_NO_OBJECT_IDENTIFIER 102\n#define PKCS8_R_CRYPT_ERROR 103\n#define PKCS8_R_DECODE_ERROR 104\n#define PKCS8_R_ENCODE_ERROR 105\n#define PKCS8_R_ENCRYPT_ERROR 106\n#define PKCS8_R_ERROR_SETTING_CIPHER_PARAMS 107\n#define PKCS8_R_INCORRECT_PASSWORD 108\n#define PKCS8_R_KEYGEN_FAILURE 109\n#define PKCS8_R_KEY_GEN_ERROR 110\n#define PKCS8_R_METHOD_NOT_SUPPORTED 111\n#define PKCS8_R_MISSING_MAC 112\n#define PKCS8_R_MULTIPLE_PRIVATE_KEYS_IN_PKCS12 113\n#define PKCS8_R_PKCS12_PUBLIC_KEY_INTEGRITY_NOT_SUPPORTED 114\n#define PKCS8_R_PKCS12_TOO_DEEPLY_NESTED 115\n#define PKCS8_R_PRIVATE_KEY_DECODE_ERROR 116\n#define PKCS8_R_PRIVATE_KEY_ENCODE_ERROR 117\n#define PKCS8_R_TOO_LONG 118\n#define PKCS8_R_UNKNOWN_ALGORITHM 119\n#define PKCS8_R_UNKNOWN_CIPHER 120\n#define PKCS8_R_UNKNOWN_CIPHER_ALGORITHM 121\n#define PKCS8_R_UNKNOWN_DIGEST 122\n#define PKCS8_R_UNKNOWN_HASH 123\n#define PKCS8_R_UNSUPPORTED_PRIVATE_KEY_ALGORITHM 124\n#define PKCS8_R_UNSUPPORTED_KEYLENGTH 125\n#define PKCS8_R_UNSUPPORTED_SALT_TYPE 126\n#define PKCS8_R_UNSUPPORTED_CIPHER 127\n#define PKCS8_R_UNSUPPORTED_KEY_DERIVATION_FUNCTION 128\n#define PKCS8_R_BAD_ITERATION_COUNT 129\n#define PKCS8_R_UNSUPPORTED_PRF 130\n#define PKCS8_R_INVALID_CHARACTERS 131\n#define PKCS8_R_UNSUPPORTED_OPTIONS 132\n#define PKCS8_R_AMBIGUOUS_FRIENDLY_NAME 133\n\n#endif // OPENSSL_HEADER_PKCS8_H\n" }, { "path": "Sources/CNIOBoringSSL/include/CNIOBoringSSL_poly1305.h", "content": "/* Copyright 2014 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n#ifndef OPENSSL_HEADER_POLY1305_H\n#define OPENSSL_HEADER_POLY1305_H\n\n#include \"CNIOBoringSSL_base.h\"\n\n#ifdef __cplusplus\nextern \"C\" {\n#endif\n\n\ntypedef uint8_t poly1305_state[512];\n\n// CRYPTO_poly1305_init sets up |state| so that it can be used to calculate an\n// authentication tag with the one-time key |key|. Note that |key| is a\n// one-time key and therefore there is no `reset' method because that would\n// enable several messages to be authenticated with the same key.\nOPENSSL_EXPORT void CRYPTO_poly1305_init(poly1305_state *state,\n const uint8_t key[32]);\n\n// CRYPTO_poly1305_update processes |in_len| bytes from |in|. It can be called\n// zero or more times after poly1305_init.\nOPENSSL_EXPORT void CRYPTO_poly1305_update(poly1305_state *state,\n const uint8_t *in, size_t in_len);\n\n// CRYPTO_poly1305_finish completes the poly1305 calculation and writes a 16\n// byte authentication tag to |mac|.\nOPENSSL_EXPORT void CRYPTO_poly1305_finish(poly1305_state *state,\n uint8_t mac[16]);\n\n\n#if defined(__cplusplus)\n} // extern C\n#endif\n\n#endif // OPENSSL_HEADER_POLY1305_H\n" }, { "path": "Sources/CNIOBoringSSL/include/CNIOBoringSSL_pool.h", "content": "/* Copyright 2016 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n#ifndef OPENSSL_HEADER_POOL_H\n#define OPENSSL_HEADER_POOL_H\n\n#include \"CNIOBoringSSL_base.h\"\n\n#include \"CNIOBoringSSL_stack.h\"\n\n#if defined(__cplusplus)\nextern \"C\" {\n#endif\n\n\n// Buffers and buffer pools.\n//\n// |CRYPTO_BUFFER|s are simply reference-counted blobs. A |CRYPTO_BUFFER_POOL|\n// is an intern table for |CRYPTO_BUFFER|s. This allows for a single copy of a\n// given blob to be kept in memory and referenced from multiple places.\n\n\nDEFINE_STACK_OF(CRYPTO_BUFFER)\n\n// CRYPTO_BUFFER_POOL_new returns a freshly allocated |CRYPTO_BUFFER_POOL| or\n// NULL on error.\nOPENSSL_EXPORT CRYPTO_BUFFER_POOL* CRYPTO_BUFFER_POOL_new(void);\n\n// CRYPTO_BUFFER_POOL_free frees |pool|, which must be empty.\nOPENSSL_EXPORT void CRYPTO_BUFFER_POOL_free(CRYPTO_BUFFER_POOL *pool);\n\n// CRYPTO_BUFFER_new returns a |CRYPTO_BUFFER| containing a copy of |data|, or\n// else NULL on error. If |pool| is not NULL then the returned value may be a\n// reference to a previously existing |CRYPTO_BUFFER| that contained the same\n// data. Otherwise, the returned, fresh |CRYPTO_BUFFER| will be added to the\n// pool.\nOPENSSL_EXPORT CRYPTO_BUFFER *CRYPTO_BUFFER_new(const uint8_t *data, size_t len,\n CRYPTO_BUFFER_POOL *pool);\n\n// CRYPTO_BUFFER_alloc creates an unpooled |CRYPTO_BUFFER| of the given size and\n// writes the underlying data pointer to |*out_data|. It returns NULL on error.\n//\n// After calling this function, |len| bytes of contents must be written to\n// |out_data| before passing the returned pointer to any other BoringSSL\n// functions. Once initialized, the |CRYPTO_BUFFER| should be treated as\n// immutable.\nOPENSSL_EXPORT CRYPTO_BUFFER *CRYPTO_BUFFER_alloc(uint8_t **out_data,\n size_t len);\n\n// CRYPTO_BUFFER_new_from_CBS acts the same as |CRYPTO_BUFFER_new|.\nOPENSSL_EXPORT CRYPTO_BUFFER *CRYPTO_BUFFER_new_from_CBS(\n const CBS *cbs, CRYPTO_BUFFER_POOL *pool);\n\n// CRYPTO_BUFFER_new_from_static_data_unsafe behaves like |CRYPTO_BUFFER_new|\n// but does not copy |data|. |data| must be immutable and last for the lifetime\n// of the address space.\nOPENSSL_EXPORT CRYPTO_BUFFER *CRYPTO_BUFFER_new_from_static_data_unsafe(\n const uint8_t *data, size_t len, CRYPTO_BUFFER_POOL *pool);\n\n// CRYPTO_BUFFER_free decrements the reference count of |buf|. If there are no\n// other references, or if the only remaining reference is from a pool, then\n// |buf| will be freed.\nOPENSSL_EXPORT void CRYPTO_BUFFER_free(CRYPTO_BUFFER *buf);\n\n// CRYPTO_BUFFER_up_ref increments the reference count of |buf| and returns\n// one.\nOPENSSL_EXPORT int CRYPTO_BUFFER_up_ref(CRYPTO_BUFFER *buf);\n\n// CRYPTO_BUFFER_data returns a pointer to the data contained in |buf|.\nOPENSSL_EXPORT const uint8_t *CRYPTO_BUFFER_data(const CRYPTO_BUFFER *buf);\n\n// CRYPTO_BUFFER_len returns the length, in bytes, of the data contained in\n// |buf|.\nOPENSSL_EXPORT size_t CRYPTO_BUFFER_len(const CRYPTO_BUFFER *buf);\n\n// CRYPTO_BUFFER_init_CBS initialises |out| to point at the data from |buf|.\nOPENSSL_EXPORT void CRYPTO_BUFFER_init_CBS(const CRYPTO_BUFFER *buf, CBS *out);\n\n\n#if defined(__cplusplus)\n} // extern C\n\nextern \"C++\" {\n\nBSSL_NAMESPACE_BEGIN\n\nBORINGSSL_MAKE_DELETER(CRYPTO_BUFFER_POOL, CRYPTO_BUFFER_POOL_free)\nBORINGSSL_MAKE_DELETER(CRYPTO_BUFFER, CRYPTO_BUFFER_free)\nBORINGSSL_MAKE_UP_REF(CRYPTO_BUFFER, CRYPTO_BUFFER_up_ref)\n\nBSSL_NAMESPACE_END\n\n} // extern C++\n\n#endif\n\n#endif // OPENSSL_HEADER_POOL_H\n" }, { "path": "Sources/CNIOBoringSSL/include/CNIOBoringSSL_posix_time.h", "content": "/* Copyright 2022 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n#ifndef OPENSSL_HEADER_POSIX_TIME_H\n#define OPENSSL_HEADER_POSIX_TIME_H\n\n#include \"CNIOBoringSSL_base.h\"\n\n#include \n\n#if defined(__cplusplus)\nextern \"C\" {\n#endif\n\n\n// Time functions.\n\n\n// OPENSSL_posix_to_tm converts a int64_t POSIX time value in |time|, which must\n// be in the range of year 0000 to 9999, to a broken out time value in |tm|. It\n// returns one on success and zero on error.\nOPENSSL_EXPORT int OPENSSL_posix_to_tm(int64_t time, struct tm *out_tm);\n\n// OPENSSL_tm_to_posix converts a time value between the years 0 and 9999 in\n// |tm| to a POSIX time value in |out|. One is returned on success, zero is\n// returned on failure. It is a failure if |tm| contains out of range values.\nOPENSSL_EXPORT int OPENSSL_tm_to_posix(const struct tm *tm, int64_t *out);\n\n// OPENSSL_timegm converts a time value between the years 0 and 9999 in |tm| to\n// a time_t value in |out|. One is returned on success, zero is returned on\n// failure. It is a failure if the converted time can not be represented in a\n// time_t, or if the tm contains out of range values.\nOPENSSL_EXPORT int OPENSSL_timegm(const struct tm *tm, time_t *out);\n\n\n#if defined(__cplusplus)\n} // extern C\n#endif\n\n#endif // OPENSSL_HEADER_POSIX_TIME_H\n" }, { "path": "Sources/CNIOBoringSSL/include/CNIOBoringSSL_rand.h", "content": "/* Copyright 2014 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n#ifndef OPENSSL_HEADER_RAND_H\n#define OPENSSL_HEADER_RAND_H\n\n#include \"CNIOBoringSSL_base.h\"\n\n#if defined(__cplusplus)\nextern \"C\" {\n#endif\n\n\n// Random number generation.\n\n\n// RAND_bytes writes |len| bytes of random data to |buf| and returns one. In the\n// event that sufficient random data can not be obtained, |abort| is called.\nOPENSSL_EXPORT int RAND_bytes(uint8_t *buf, size_t len);\n\n\n// Obscure functions.\n\n#if !defined(OPENSSL_WINDOWS)\n// RAND_enable_fork_unsafe_buffering indicates that clones of the address space,\n// e.g. via |fork|, will never call into BoringSSL. It may be used to disable\n// BoringSSL's more expensive fork-safety measures. However, calling this\n// function and then using BoringSSL across |fork| calls will leak secret keys.\n// |fd| must be -1.\n//\n// WARNING: This function affects BoringSSL for the entire address space. Thus\n// this function should never be called by library code, only by code with\n// global knowledge of the application's use of BoringSSL.\n//\n// Do not use this function unless a performance issue was measured with the\n// default behavior. BoringSSL can efficiently detect forks on most platforms,\n// in which case this function is a no-op and is unnecessary. In particular,\n// Linux kernel versions 4.14 or later provide |MADV_WIPEONFORK|. Future\n// versions of BoringSSL will remove this functionality when older kernels are\n// sufficiently rare.\n//\n// This function has an unusual name because it historically controlled internal\n// buffers, but no longer does.\nOPENSSL_EXPORT void RAND_enable_fork_unsafe_buffering(int fd);\n\n// RAND_disable_fork_unsafe_buffering restores BoringSSL's default fork-safety\n// protections. See also |RAND_enable_fork_unsafe_buffering|.\nOPENSSL_EXPORT void RAND_disable_fork_unsafe_buffering(void);\n#endif\n\n#if defined(BORINGSSL_UNSAFE_DETERMINISTIC_MODE)\n// RAND_reset_for_fuzzing resets the fuzzer-only deterministic RNG. This\n// function is only defined in the fuzzer-only build configuration.\nOPENSSL_EXPORT void RAND_reset_for_fuzzing(void);\n#endif\n\n// RAND_get_system_entropy_for_custom_prng writes |len| bytes of random data\n// from a system entropy source to |buf|. The maximum length of entropy which\n// may be requested is 256 bytes. If more than 256 bytes of data is requested,\n// or if sufficient random data can not be obtained, |abort| is called.\n// |RAND_bytes| should normally be used instead of this function. This function\n// should only be used for seed values or where |malloc| should not be called\n// from BoringSSL. This function is not FIPS compliant.\nOPENSSL_EXPORT void RAND_get_system_entropy_for_custom_prng(uint8_t *buf,\n size_t len);\n\n\n// Deprecated functions\n\n// RAND_pseudo_bytes is a wrapper around |RAND_bytes|.\nOPENSSL_EXPORT int RAND_pseudo_bytes(uint8_t *buf, size_t len);\n\n// RAND_seed reads a single byte of random data to ensure that any file\n// descriptors etc are opened.\nOPENSSL_EXPORT void RAND_seed(const void *buf, int num);\n\n// RAND_load_file returns a nonnegative number.\nOPENSSL_EXPORT int RAND_load_file(const char *path, long num);\n\n// RAND_file_name returns NULL.\nOPENSSL_EXPORT const char *RAND_file_name(char *buf, size_t num);\n\n// RAND_add does nothing.\nOPENSSL_EXPORT void RAND_add(const void *buf, int num, double entropy);\n\n// RAND_egd returns 255.\nOPENSSL_EXPORT int RAND_egd(const char *);\n\n// RAND_poll returns one.\nOPENSSL_EXPORT int RAND_poll(void);\n\n// RAND_status returns one.\nOPENSSL_EXPORT int RAND_status(void);\n\n// RAND_cleanup does nothing.\nOPENSSL_EXPORT void RAND_cleanup(void);\n\n// rand_meth_st is typedefed to |RAND_METHOD| in base.h. It isn't used; it\n// exists only to be the return type of |RAND_SSLeay|. It's\n// external so that variables of this type can be initialized.\nstruct rand_meth_st {\n void (*seed) (const void *buf, int num);\n int (*bytes) (uint8_t *buf, size_t num);\n void (*cleanup) (void);\n void (*add) (const void *buf, int num, double entropy);\n int (*pseudorand) (uint8_t *buf, size_t num);\n int (*status) (void);\n};\n\n// RAND_SSLeay returns a pointer to a dummy |RAND_METHOD|.\nOPENSSL_EXPORT RAND_METHOD *RAND_SSLeay(void);\n\n// RAND_OpenSSL returns a pointer to a dummy |RAND_METHOD|.\nOPENSSL_EXPORT RAND_METHOD *RAND_OpenSSL(void);\n\n// RAND_get_rand_method returns |RAND_SSLeay()|.\nOPENSSL_EXPORT const RAND_METHOD *RAND_get_rand_method(void);\n\n// RAND_set_rand_method returns one.\nOPENSSL_EXPORT int RAND_set_rand_method(const RAND_METHOD *);\n\n\n#if defined(__cplusplus)\n} // extern C\n#endif\n\n#endif // OPENSSL_HEADER_RAND_H\n" }, { "path": "Sources/CNIOBoringSSL/include/CNIOBoringSSL_rc4.h", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#ifndef OPENSSL_HEADER_RC4_H\n#define OPENSSL_HEADER_RC4_H\n\n#include \"CNIOBoringSSL_base.h\"\n\n#if defined(__cplusplus)\nextern \"C\" {\n#endif\n\n\n// RC4.\n\n\nstruct rc4_key_st {\n uint32_t x, y;\n uint32_t data[256];\n} /* RC4_KEY */;\n\n// RC4_set_key performs an RC4 key schedule and initialises |rc4key| with |len|\n// bytes of key material from |key|.\nOPENSSL_EXPORT void RC4_set_key(RC4_KEY *rc4key, unsigned len,\n const uint8_t *key);\n\n// RC4 encrypts (or decrypts, it's the same with RC4) |len| bytes from |in| to\n// |out|.\nOPENSSL_EXPORT void RC4(RC4_KEY *key, size_t len, const uint8_t *in,\n uint8_t *out);\n\n\n// Deprecated functions.\n\n// RC4_options returns the string \"rc4(ptr,int)\".\nOPENSSL_EXPORT const char *RC4_options(void);\n\n\n#if defined(__cplusplus)\n} // extern C\n#endif\n\n#endif // OPENSSL_HEADER_RC4_H\n" }, { "path": "Sources/CNIOBoringSSL/include/CNIOBoringSSL_ripemd.h", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#ifndef OPENSSL_HEADER_RIPEMD_H\n#define OPENSSL_HEADER_RIPEMD_H\n\n#include \"CNIOBoringSSL_base.h\"\n\n#ifdef __cplusplus\nextern \"C\" {\n#endif\n\n\n# define RIPEMD160_CBLOCK 64\n# define RIPEMD160_LBLOCK (RIPEMD160_CBLOCK/4)\n# define RIPEMD160_DIGEST_LENGTH 20\n\nstruct RIPEMD160state_st {\n uint32_t h[5];\n uint32_t Nl, Nh;\n uint8_t data[RIPEMD160_CBLOCK];\n unsigned num;\n};\n\n// RIPEMD160_Init initialises |ctx| and returns one.\nOPENSSL_EXPORT int RIPEMD160_Init(RIPEMD160_CTX *ctx);\n\n// RIPEMD160_Update adds |len| bytes from |data| to |ctx| and returns one.\nOPENSSL_EXPORT int RIPEMD160_Update(RIPEMD160_CTX *ctx, const void *data,\n size_t len);\n\n// RIPEMD160_Final adds the final padding to |ctx| and writes the resulting\n// digest to |out|, which must have at least |RIPEMD160_DIGEST_LENGTH| bytes of\n// space. It returns one.\nOPENSSL_EXPORT int RIPEMD160_Final(uint8_t out[RIPEMD160_DIGEST_LENGTH],\n RIPEMD160_CTX *ctx);\n\n// RIPEMD160 writes the digest of |len| bytes from |data| to |out| and returns\n// |out|. There must be at least |RIPEMD160_DIGEST_LENGTH| bytes of space in\n// |out|.\nOPENSSL_EXPORT uint8_t *RIPEMD160(const uint8_t *data, size_t len,\n uint8_t out[RIPEMD160_DIGEST_LENGTH]);\n\n// RIPEMD160_Transform is a low-level function that performs a single,\n// RIPEMD160 block transformation using the state from |ctx| and 64 bytes from\n// |block|.\nOPENSSL_EXPORT void RIPEMD160_Transform(RIPEMD160_CTX *ctx,\n const uint8_t block[RIPEMD160_CBLOCK]);\n\n\n#if defined(__cplusplus)\n} // extern C\n#endif\n\n#endif // OPENSSL_HEADER_RIPEMD_H\n" }, { "path": "Sources/CNIOBoringSSL/include/CNIOBoringSSL_rsa.h", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#ifndef OPENSSL_HEADER_RSA_H\n#define OPENSSL_HEADER_RSA_H\n\n#include \"CNIOBoringSSL_base.h\"\n\n#include \"CNIOBoringSSL_engine.h\"\n#include \"CNIOBoringSSL_ex_data.h\"\n#include \"CNIOBoringSSL_thread.h\"\n\n#if defined(__cplusplus)\nextern \"C\" {\n#endif\n\n\n// rsa.h contains functions for handling encryption and signature using RSA.\n\n\n// Allocation and destruction.\n//\n// An |RSA| object represents a public or private RSA key. A given object may be\n// used concurrently on multiple threads by non-mutating functions, provided no\n// other thread is concurrently calling a mutating function. Unless otherwise\n// documented, functions which take a |const| pointer are non-mutating and\n// functions which take a non-|const| pointer are mutating.\n\n// RSA_new_public_key returns a new |RSA| object containing a public key with\n// the specified parameters, or NULL on error or invalid input.\nOPENSSL_EXPORT RSA *RSA_new_public_key(const BIGNUM *n, const BIGNUM *e);\n\n// RSA_new_private_key returns a new |RSA| object containing a private key with\n// the specified parameters, or NULL on error or invalid input. All parameters\n// are mandatory and may not be NULL.\n//\n// This function creates standard RSA private keys with CRT parameters.\nOPENSSL_EXPORT RSA *RSA_new_private_key(const BIGNUM *n, const BIGNUM *e,\n const BIGNUM *d, const BIGNUM *p,\n const BIGNUM *q, const BIGNUM *dmp1,\n const BIGNUM *dmq1, const BIGNUM *iqmp);\n\n// RSA_new returns a new, empty |RSA| object or NULL on error. Prefer using\n// |RSA_new_public_key| or |RSA_new_private_key| to import an RSA key.\nOPENSSL_EXPORT RSA *RSA_new(void);\n\n// RSA_new_method acts the same as |RSA_new| but takes an explicit |ENGINE|.\nOPENSSL_EXPORT RSA *RSA_new_method(const ENGINE *engine);\n\n// RSA_free decrements the reference count of |rsa| and frees it if the\n// reference count drops to zero.\nOPENSSL_EXPORT void RSA_free(RSA *rsa);\n\n// RSA_up_ref increments the reference count of |rsa| and returns one. It does\n// not mutate |rsa| for thread-safety purposes and may be used concurrently.\nOPENSSL_EXPORT int RSA_up_ref(RSA *rsa);\n\n\n// Properties.\n\n// OPENSSL_RSA_MAX_MODULUS_BITS is the maximum supported RSA modulus, in bits.\n//\n// TODO(davidben): Reduce this to 8192.\n#define OPENSSL_RSA_MAX_MODULUS_BITS 16384\n\n// RSA_bits returns the size of |rsa|, in bits.\nOPENSSL_EXPORT unsigned RSA_bits(const RSA *rsa);\n\n// RSA_get0_n returns |rsa|'s public modulus.\nOPENSSL_EXPORT const BIGNUM *RSA_get0_n(const RSA *rsa);\n\n// RSA_get0_e returns |rsa|'s public exponent.\nOPENSSL_EXPORT const BIGNUM *RSA_get0_e(const RSA *rsa);\n\n// RSA_get0_d returns |rsa|'s private exponent. If |rsa| is a public key, this\n// value will be NULL.\nOPENSSL_EXPORT const BIGNUM *RSA_get0_d(const RSA *rsa);\n\n// RSA_get0_p returns |rsa|'s first private prime factor. If |rsa| is a public\n// key or lacks its prime factors, this value will be NULL.\nOPENSSL_EXPORT const BIGNUM *RSA_get0_p(const RSA *rsa);\n\n// RSA_get0_q returns |rsa|'s second private prime factor. If |rsa| is a public\n// key or lacks its prime factors, this value will be NULL.\nOPENSSL_EXPORT const BIGNUM *RSA_get0_q(const RSA *rsa);\n\n// RSA_get0_dmp1 returns d (mod p-1) for |rsa|. If |rsa| is a public key or\n// lacks CRT parameters, this value will be NULL.\nOPENSSL_EXPORT const BIGNUM *RSA_get0_dmp1(const RSA *rsa);\n\n// RSA_get0_dmq1 returns d (mod q-1) for |rsa|. If |rsa| is a public key or\n// lacks CRT parameters, this value will be NULL.\nOPENSSL_EXPORT const BIGNUM *RSA_get0_dmq1(const RSA *rsa);\n\n// RSA_get0_iqmp returns q^-1 (mod p). If |rsa| is a public key or lacks CRT\n// parameters, this value will be NULL.\nOPENSSL_EXPORT const BIGNUM *RSA_get0_iqmp(const RSA *rsa);\n\n// RSA_get0_key sets |*out_n|, |*out_e|, and |*out_d|, if non-NULL, to |rsa|'s\n// modulus, public exponent, and private exponent, respectively. If |rsa| is a\n// public key, the private exponent will be set to NULL.\nOPENSSL_EXPORT void RSA_get0_key(const RSA *rsa, const BIGNUM **out_n,\n const BIGNUM **out_e, const BIGNUM **out_d);\n\n// RSA_get0_factors sets |*out_p| and |*out_q|, if non-NULL, to |rsa|'s prime\n// factors. If |rsa| is a public key, they will be set to NULL.\nOPENSSL_EXPORT void RSA_get0_factors(const RSA *rsa, const BIGNUM **out_p,\n const BIGNUM **out_q);\n\n// RSA_get0_crt_params sets |*out_dmp1|, |*out_dmq1|, and |*out_iqmp|, if\n// non-NULL, to |rsa|'s CRT parameters. These are d (mod p-1), d (mod q-1) and\n// q^-1 (mod p), respectively. If |rsa| is a public key, each parameter will be\n// set to NULL.\nOPENSSL_EXPORT void RSA_get0_crt_params(const RSA *rsa, const BIGNUM **out_dmp1,\n const BIGNUM **out_dmq1,\n const BIGNUM **out_iqmp);\n\n\n// Setting individual properties.\n//\n// These functions allow setting individual properties of an |RSA| object. This\n// is typically used with |RSA_new| to construct an RSA key field by field.\n// Prefer instead to use |RSA_new_public_key| and |RSA_new_private_key|. These\n// functions defer some initialization to the first use of an |RSA| object. This\n// means invalid inputs may be caught late.\n//\n// TODO(crbug.com/boringssl/316): This deferred initialization also causes\n// performance problems in multi-threaded applications. The preferred APIs\n// currently have the same issues, but they will initialize eagerly in the\n// future.\n\n// RSA_set0_key sets |rsa|'s modulus, public exponent, and private exponent to\n// |n|, |e|, and |d| respectively, if non-NULL. On success, it takes ownership\n// of each argument and returns one. Otherwise, it returns zero.\n//\n// |d| may be NULL, but |n| and |e| must either be non-NULL or already\n// configured on |rsa|.\n//\n// It is an error to call this function after |rsa| has been used for a\n// cryptographic operation. Construct a new |RSA| object instead.\nOPENSSL_EXPORT int RSA_set0_key(RSA *rsa, BIGNUM *n, BIGNUM *e, BIGNUM *d);\n\n// RSA_set0_factors sets |rsa|'s prime factors to |p| and |q|, if non-NULL, and\n// takes ownership of them. On success, it takes ownership of each argument and\n// returns one. Otherwise, it returns zero.\n//\n// Each argument must either be non-NULL or already configured on |rsa|.\n//\n// It is an error to call this function after |rsa| has been used for a\n// cryptographic operation. Construct a new |RSA| object instead.\nOPENSSL_EXPORT int RSA_set0_factors(RSA *rsa, BIGNUM *p, BIGNUM *q);\n\n// RSA_set0_crt_params sets |rsa|'s CRT parameters to |dmp1|, |dmq1|, and\n// |iqmp|, if non-NULL, and takes ownership of them. On success, it takes\n// ownership of its parameters and returns one. Otherwise, it returns zero.\n//\n// Each argument must either be non-NULL or already configured on |rsa|.\n//\n// It is an error to call this function after |rsa| has been used for a\n// cryptographic operation. Construct a new |RSA| object instead.\nOPENSSL_EXPORT int RSA_set0_crt_params(RSA *rsa, BIGNUM *dmp1, BIGNUM *dmq1,\n BIGNUM *iqmp);\n\n\n// Key generation.\n\n// RSA_generate_key_ex generates a new RSA key where the modulus has size\n// |bits| and the public exponent is |e|. If unsure, |RSA_F4| is a good value\n// for |e|. If |cb| is not NULL then it is called during the key generation\n// process. In addition to the calls documented for |BN_generate_prime_ex|, it\n// is called with event=2 when the n'th prime is rejected as unsuitable and\n// with event=3 when a suitable value for |p| is found.\n//\n// It returns one on success or zero on error.\nOPENSSL_EXPORT int RSA_generate_key_ex(RSA *rsa, int bits, const BIGNUM *e,\n BN_GENCB *cb);\n\n// RSA_generate_key_fips behaves like |RSA_generate_key_ex| but performs\n// additional checks for FIPS compliance. The public exponent is always 65537\n// and |bits| must be either 2048 or 3072.\nOPENSSL_EXPORT int RSA_generate_key_fips(RSA *rsa, int bits, BN_GENCB *cb);\n\n\n// Encryption / Decryption\n//\n// These functions are considered non-mutating for thread-safety purposes and\n// may be used concurrently.\n\n// RSA_PKCS1_PADDING denotes PKCS#1 v1.5 padding. When used with encryption,\n// this is RSAES-PKCS1-v1_5. When used with signing, this is RSASSA-PKCS1-v1_5.\n//\n// WARNING: The RSAES-PKCS1-v1_5 encryption scheme is vulnerable to a\n// chosen-ciphertext attack. Decrypting attacker-supplied ciphertext with\n// RSAES-PKCS1-v1_5 may give the attacker control over your private key. This\n// does not impact the RSASSA-PKCS1-v1_5 signature scheme. See \"Chosen\n// Ciphertext Attacks Against Protocols Based on the RSA Encryption Standard\n// PKCS #1\", Daniel Bleichenbacher, Advances in Cryptology (Crypto '98).\n#define RSA_PKCS1_PADDING 1\n\n// RSA_NO_PADDING denotes a raw RSA operation.\n#define RSA_NO_PADDING 3\n\n// RSA_PKCS1_OAEP_PADDING denotes the RSAES-OAEP encryption scheme.\n#define RSA_PKCS1_OAEP_PADDING 4\n\n// RSA_PKCS1_PSS_PADDING denotes the RSASSA-PSS signature scheme. This value may\n// not be passed into |RSA_sign_raw|, only |EVP_PKEY_CTX_set_rsa_padding|. See\n// also |RSA_sign_pss_mgf1| and |RSA_verify_pss_mgf1|.\n#define RSA_PKCS1_PSS_PADDING 6\n\n// RSA_encrypt encrypts |in_len| bytes from |in| to the public key from |rsa|\n// and writes, at most, |max_out| bytes of encrypted data to |out|. The\n// |max_out| argument must be, at least, |RSA_size| in order to ensure success.\n//\n// It returns 1 on success or zero on error.\n//\n// The |padding| argument must be one of the |RSA_*_PADDING| values. If in\n// doubt, use |RSA_PKCS1_OAEP_PADDING| for new protocols.\nOPENSSL_EXPORT int RSA_encrypt(RSA *rsa, size_t *out_len, uint8_t *out,\n size_t max_out, const uint8_t *in, size_t in_len,\n int padding);\n\n// RSA_decrypt decrypts |in_len| bytes from |in| with the private key from\n// |rsa| and writes, at most, |max_out| bytes of plaintext to |out|. The\n// |max_out| argument must be, at least, |RSA_size| in order to ensure success.\n//\n// It returns 1 on success or zero on error.\n//\n// The |padding| argument must be one of the |RSA_*_PADDING| values. If in\n// doubt, use |RSA_PKCS1_OAEP_PADDING| for new protocols.\n//\n// WARNING: Passing |RSA_PKCS1_PADDING| into this function is deprecated and\n// insecure. RSAES-PKCS1-v1_5 is vulnerable to a chosen-ciphertext attack.\n// Decrypting attacker-supplied ciphertext with RSAES-PKCS1-v1_5 may give the\n// attacker control over your private key. See \"Chosen Ciphertext Attacks\n// Against Protocols Based on the RSA Encryption Standard PKCS #1\", Daniel\n// Bleichenbacher, Advances in Cryptology (Crypto '98).\n//\n// In some limited cases, such as TLS RSA key exchange, it is possible to\n// mitigate this flaw with custom, protocol-specific padding logic. This\n// should be implemented with |RSA_NO_PADDING|, not |RSA_PKCS1_PADDING|.\nOPENSSL_EXPORT int RSA_decrypt(RSA *rsa, size_t *out_len, uint8_t *out,\n size_t max_out, const uint8_t *in, size_t in_len,\n int padding);\n\n// RSA_public_encrypt encrypts |flen| bytes from |from| to the public key in\n// |rsa| and writes the encrypted data to |to|. The |to| buffer must have at\n// least |RSA_size| bytes of space. It returns the number of bytes written, or\n// -1 on error. The |padding| argument must be one of the |RSA_*_PADDING|\n// values. If in doubt, use |RSA_PKCS1_OAEP_PADDING| for new protocols.\n//\n// WARNING: this function is dangerous because it breaks the usual return value\n// convention. Use |RSA_encrypt| instead.\nOPENSSL_EXPORT int RSA_public_encrypt(size_t flen, const uint8_t *from,\n uint8_t *to, RSA *rsa, int padding);\n\n// RSA_private_decrypt decrypts |flen| bytes from |from| with the public key in\n// |rsa| and writes the plaintext to |to|. The |to| buffer must have at least\n// |RSA_size| bytes of space. It returns the number of bytes written, or -1 on\n// error. The |padding| argument must be one of the |RSA_*_PADDING| values. If\n// in doubt, use |RSA_PKCS1_OAEP_PADDING| for new protocols. Passing\n// |RSA_PKCS1_PADDING| into this function is deprecated and insecure. See\n// |RSA_decrypt|.\n//\n// WARNING: this function is dangerous because it breaks the usual return value\n// convention. Use |RSA_decrypt| instead.\nOPENSSL_EXPORT int RSA_private_decrypt(size_t flen, const uint8_t *from,\n uint8_t *to, RSA *rsa, int padding);\n\n\n// Signing / Verification\n//\n// These functions are considered non-mutating for thread-safety purposes and\n// may be used concurrently.\n\n// RSA_sign signs |digest_len| bytes of digest from |digest| with |rsa| using\n// RSASSA-PKCS1-v1_5. It writes, at most, |RSA_size(rsa)| bytes to |out|. On\n// successful return, the actual number of bytes written is written to\n// |*out_len|.\n//\n// The |hash_nid| argument identifies the hash function used to calculate\n// |digest| and is embedded in the resulting signature. For example, it might be\n// |NID_sha256|.\n//\n// It returns 1 on success and zero on error.\n//\n// WARNING: |digest| must be the result of hashing the data to be signed with\n// |hash_nid|. Passing unhashed inputs will not result in a secure signature\n// scheme.\nOPENSSL_EXPORT int RSA_sign(int hash_nid, const uint8_t *digest,\n size_t digest_len, uint8_t *out, unsigned *out_len,\n RSA *rsa);\n\n// RSA_sign_pss_mgf1 signs |digest_len| bytes from |digest| with the public key\n// from |rsa| using RSASSA-PSS with MGF1 as the mask generation function. It\n// writes, at most, |max_out| bytes of signature data to |out|. The |max_out|\n// argument must be, at least, |RSA_size| in order to ensure success. It returns\n// 1 on success or zero on error.\n//\n// The |md| and |mgf1_md| arguments identify the hash used to calculate |digest|\n// and the MGF1 hash, respectively. If |mgf1_md| is NULL, |md| is\n// used.\n//\n// |salt_len| specifies the expected salt length in bytes. If |salt_len| is -1,\n// then the salt length is the same as the hash length. If -2, then the salt\n// length is maximal given the size of |rsa|. If unsure, use -1.\n//\n// WARNING: |digest| must be the result of hashing the data to be signed with\n// |md|. Passing unhashed inputs will not result in a secure signature scheme.\nOPENSSL_EXPORT int RSA_sign_pss_mgf1(RSA *rsa, size_t *out_len, uint8_t *out,\n size_t max_out, const uint8_t *digest,\n size_t digest_len, const EVP_MD *md,\n const EVP_MD *mgf1_md, int salt_len);\n\n// RSA_sign_raw performs the private key portion of computing a signature with\n// |rsa|. It writes, at most, |max_out| bytes of signature data to |out|. The\n// |max_out| argument must be, at least, |RSA_size| in order to ensure the\n// output fits. It returns 1 on success or zero on error.\n//\n// If |padding| is |RSA_PKCS1_PADDING|, this function wraps |in| with the\n// padding portion of RSASSA-PKCS1-v1_5 and then performs the raw private key\n// operation. The caller is responsible for hashing the input and wrapping it in\n// a DigestInfo structure.\n//\n// If |padding| is |RSA_NO_PADDING|, this function only performs the raw private\n// key operation, interpreting |in| as a integer modulo n. The caller is\n// responsible for hashing the input and encoding it for the signature scheme\n// being implemented.\n//\n// WARNING: This function is a building block for a signature scheme, not a\n// complete one. |in| must be the result of hashing and encoding the data as\n// needed for the scheme being implemented. Passing in arbitrary inputs will not\n// result in a secure signature scheme.\nOPENSSL_EXPORT int RSA_sign_raw(RSA *rsa, size_t *out_len, uint8_t *out,\n size_t max_out, const uint8_t *in,\n size_t in_len, int padding);\n\n// RSA_verify verifies that |sig_len| bytes from |sig| are a valid,\n// RSASSA-PKCS1-v1_5 signature of |digest_len| bytes at |digest| by |rsa|.\n//\n// The |hash_nid| argument identifies the hash function used to calculate\n// |digest| and is embedded in the resulting signature in order to prevent hash\n// confusion attacks. For example, it might be |NID_sha256|.\n//\n// It returns one if the signature is valid and zero otherwise.\n//\n// WARNING: this differs from the original, OpenSSL function which additionally\n// returned -1 on error.\n//\n// WARNING: |digest| must be the result of hashing the data to be verified with\n// |hash_nid|. Passing unhashed input will not result in a secure signature\n// scheme.\nOPENSSL_EXPORT int RSA_verify(int hash_nid, const uint8_t *digest,\n size_t digest_len, const uint8_t *sig,\n size_t sig_len, RSA *rsa);\n\n// RSA_verify_pss_mgf1 verifies that |sig_len| bytes from |sig| are a valid,\n// RSASSA-PSS signature of |digest_len| bytes at |digest| by |rsa|. It returns\n// one if the signature is valid and zero otherwise. MGF1 is used as the mask\n// generation function.\n//\n// The |md| and |mgf1_md| arguments identify the hash used to calculate |digest|\n// and the MGF1 hash, respectively. If |mgf1_md| is NULL, |md| is\n// used. |salt_len| specifies the expected salt length in bytes.\n//\n// If |salt_len| is -1, then the salt length is the same as the hash length. If\n// -2, then the salt length is recovered and all values accepted. If unsure, use\n// -1.\n//\n// WARNING: |digest| must be the result of hashing the data to be verified with\n// |md|. Passing unhashed input will not result in a secure signature scheme.\nOPENSSL_EXPORT int RSA_verify_pss_mgf1(RSA *rsa, const uint8_t *digest,\n size_t digest_len, const EVP_MD *md,\n const EVP_MD *mgf1_md, int salt_len,\n const uint8_t *sig, size_t sig_len);\n\n// RSA_verify_raw performs the public key portion of verifying |in_len| bytes of\n// signature from |in| using the public key from |rsa|. On success, it returns\n// one and writes, at most, |max_out| bytes of output to |out|. The |max_out|\n// argument must be, at least, |RSA_size| in order to ensure the output fits. On\n// failure or invalid input, it returns zero.\n//\n// If |padding| is |RSA_PKCS1_PADDING|, this function checks the padding portion\n// of RSASSA-PKCS1-v1_5 and outputs the remainder of the encoded digest. The\n// caller is responsible for checking the output is a DigestInfo-wrapped digest\n// of the message.\n//\n// If |padding| is |RSA_NO_PADDING|, this function only performs the raw public\n// key operation. The caller is responsible for checking the output is a valid\n// result for the signature scheme being implemented.\n//\n// WARNING: This function is a building block for a signature scheme, not a\n// complete one. Checking for arbitrary strings in |out| will not result in a\n// secure signature scheme.\nOPENSSL_EXPORT int RSA_verify_raw(RSA *rsa, size_t *out_len, uint8_t *out,\n size_t max_out, const uint8_t *in,\n size_t in_len, int padding);\n\n// RSA_private_encrypt performs the private key portion of computing a signature\n// with |rsa|. It takes |flen| bytes from |from| as input and writes the result\n// to |to|. The |to| buffer must have at least |RSA_size| bytes of space. It\n// returns the number of bytes written, or -1 on error.\n//\n// For the interpretation of |padding| and the input, see |RSA_sign_raw|.\n//\n// WARNING: This function is a building block for a signature scheme, not a\n// complete one. See |RSA_sign_raw| for details.\n//\n// WARNING: This function is dangerous because it breaks the usual return value\n// convention. Use |RSA_sign_raw| instead.\nOPENSSL_EXPORT int RSA_private_encrypt(size_t flen, const uint8_t *from,\n uint8_t *to, RSA *rsa, int padding);\n\n// RSA_public_decrypt performs the public key portion of verifying |flen| bytes\n// of signature from |from| using the public key from |rsa|. It writes the\n// result to |to|, which must have at least |RSA_size| bytes of space. It\n// returns the number of bytes written, or -1 on error.\n//\n// For the interpretation of |padding| and the result, see |RSA_verify_raw|.\n//\n// WARNING: This function is a building block for a signature scheme, not a\n// complete one. See |RSA_verify_raw| for details.\n//\n// WARNING: This function is dangerous because it breaks the usual return value\n// convention. Use |RSA_verify_raw| instead.\nOPENSSL_EXPORT int RSA_public_decrypt(size_t flen, const uint8_t *from,\n uint8_t *to, RSA *rsa, int padding);\n\n\n// Utility functions.\n\n// RSA_size returns the number of bytes in the modulus, which is also the size\n// of a signature or encrypted value using |rsa|.\nOPENSSL_EXPORT unsigned RSA_size(const RSA *rsa);\n\n// RSA_is_opaque returns one if |rsa| is opaque and doesn't expose its key\n// material. Otherwise it returns zero.\nOPENSSL_EXPORT int RSA_is_opaque(const RSA *rsa);\n\n// RSAPublicKey_dup allocates a fresh |RSA| and copies the public key from\n// |rsa| into it. It returns the fresh |RSA| object, or NULL on error.\nOPENSSL_EXPORT RSA *RSAPublicKey_dup(const RSA *rsa);\n\n// RSAPrivateKey_dup allocates a fresh |RSA| and copies the private key from\n// |rsa| into it. It returns the fresh |RSA| object, or NULL on error.\nOPENSSL_EXPORT RSA *RSAPrivateKey_dup(const RSA *rsa);\n\n// RSA_check_key performs basic validity tests on |rsa|. It returns one if\n// they pass and zero otherwise. Opaque keys and public keys always pass. If it\n// returns zero then a more detailed error is available on the error queue.\nOPENSSL_EXPORT int RSA_check_key(const RSA *rsa);\n\n// RSA_check_fips performs public key validity tests on |key|. It returns one if\n// they pass and zero otherwise. Opaque keys always fail. This function does not\n// mutate |rsa| for thread-safety purposes and may be used concurrently.\nOPENSSL_EXPORT int RSA_check_fips(RSA *key);\n\n// RSA_verify_PKCS1_PSS_mgf1 verifies that |EM| is a correct PSS padding of\n// |mHash|, where |mHash| is a digest produced by |Hash|. |EM| must point to\n// exactly |RSA_size(rsa)| bytes of data. The |mgf1Hash| argument specifies the\n// hash function for generating the mask. If NULL, |Hash| is used. The |sLen|\n// argument specifies the expected salt length in bytes. If |sLen| is -1 then\n// the salt length is the same as the hash length. If -2, then the salt length\n// is recovered and all values accepted.\n//\n// If unsure, use -1.\n//\n// It returns one on success or zero on error.\n//\n// This function implements only the low-level padding logic. Use\n// |RSA_verify_pss_mgf1| instead.\nOPENSSL_EXPORT int RSA_verify_PKCS1_PSS_mgf1(const RSA *rsa,\n const uint8_t *mHash,\n const EVP_MD *Hash,\n const EVP_MD *mgf1Hash,\n const uint8_t *EM, int sLen);\n\n// RSA_padding_add_PKCS1_PSS_mgf1 writes a PSS padding of |mHash| to |EM|,\n// where |mHash| is a digest produced by |Hash|. |RSA_size(rsa)| bytes of\n// output will be written to |EM|. The |mgf1Hash| argument specifies the hash\n// function for generating the mask. If NULL, |Hash| is used. The |sLen|\n// argument specifies the expected salt length in bytes. If |sLen| is -1 then\n// the salt length is the same as the hash length. If -2, then the salt length\n// is maximal given the space in |EM|.\n//\n// It returns one on success or zero on error.\n//\n// This function implements only the low-level padding logic. Use\n// |RSA_sign_pss_mgf1| instead.\nOPENSSL_EXPORT int RSA_padding_add_PKCS1_PSS_mgf1(const RSA *rsa, uint8_t *EM,\n const uint8_t *mHash,\n const EVP_MD *Hash,\n const EVP_MD *mgf1Hash,\n int sLen);\n\n// RSA_padding_add_PKCS1_OAEP_mgf1 writes an OAEP padding of |from| to |to|\n// with the given parameters and hash functions. If |md| is NULL then SHA-1 is\n// used. If |mgf1md| is NULL then the value of |md| is used (which means SHA-1\n// if that, in turn, is NULL).\n//\n// It returns one on success or zero on error.\nOPENSSL_EXPORT int RSA_padding_add_PKCS1_OAEP_mgf1(\n uint8_t *to, size_t to_len, const uint8_t *from, size_t from_len,\n const uint8_t *param, size_t param_len, const EVP_MD *md,\n const EVP_MD *mgf1md);\n\n// RSA_add_pkcs1_prefix builds a version of |digest| prefixed with the\n// DigestInfo header for the given hash function and sets |out_msg| to point to\n// it. On successful return, if |*is_alloced| is one, the caller must release\n// |*out_msg| with |OPENSSL_free|.\nOPENSSL_EXPORT int RSA_add_pkcs1_prefix(uint8_t **out_msg, size_t *out_msg_len,\n int *is_alloced, int hash_nid,\n const uint8_t *digest,\n size_t digest_len);\n\n\n// ASN.1 functions.\n\n// RSA_parse_public_key parses a DER-encoded RSAPublicKey structure (RFC 8017)\n// from |cbs| and advances |cbs|. It returns a newly-allocated |RSA| or NULL on\n// error.\nOPENSSL_EXPORT RSA *RSA_parse_public_key(CBS *cbs);\n\n// RSA_public_key_from_bytes parses |in| as a DER-encoded RSAPublicKey structure\n// (RFC 8017). It returns a newly-allocated |RSA| or NULL on error.\nOPENSSL_EXPORT RSA *RSA_public_key_from_bytes(const uint8_t *in, size_t in_len);\n\n// RSA_marshal_public_key marshals |rsa| as a DER-encoded RSAPublicKey structure\n// (RFC 8017) and appends the result to |cbb|. It returns one on success and\n// zero on failure.\nOPENSSL_EXPORT int RSA_marshal_public_key(CBB *cbb, const RSA *rsa);\n\n// RSA_public_key_to_bytes marshals |rsa| as a DER-encoded RSAPublicKey\n// structure (RFC 8017) and, on success, sets |*out_bytes| to a newly allocated\n// buffer containing the result and returns one. Otherwise, it returns zero. The\n// result should be freed with |OPENSSL_free|.\nOPENSSL_EXPORT int RSA_public_key_to_bytes(uint8_t **out_bytes, size_t *out_len,\n const RSA *rsa);\n\n// RSA_parse_private_key parses a DER-encoded RSAPrivateKey structure (RFC 8017)\n// from |cbs| and advances |cbs|. It returns a newly-allocated |RSA| or NULL on\n// error.\nOPENSSL_EXPORT RSA *RSA_parse_private_key(CBS *cbs);\n\n// RSA_private_key_from_bytes parses |in| as a DER-encoded RSAPrivateKey\n// structure (RFC 8017). It returns a newly-allocated |RSA| or NULL on error.\nOPENSSL_EXPORT RSA *RSA_private_key_from_bytes(const uint8_t *in,\n size_t in_len);\n\n// RSA_marshal_private_key marshals |rsa| as a DER-encoded RSAPrivateKey\n// structure (RFC 8017) and appends the result to |cbb|. It returns one on\n// success and zero on failure.\nOPENSSL_EXPORT int RSA_marshal_private_key(CBB *cbb, const RSA *rsa);\n\n// RSA_private_key_to_bytes marshals |rsa| as a DER-encoded RSAPrivateKey\n// structure (RFC 8017) and, on success, sets |*out_bytes| to a newly allocated\n// buffer containing the result and returns one. Otherwise, it returns zero. The\n// result should be freed with |OPENSSL_free|.\nOPENSSL_EXPORT int RSA_private_key_to_bytes(uint8_t **out_bytes,\n size_t *out_len, const RSA *rsa);\n\n\n// Obscure RSA variants.\n//\n// These functions allow creating RSA keys with obscure combinations of\n// parameters.\n\n// RSA_new_private_key_no_crt behaves like |RSA_new_private_key| but constructs\n// an RSA key without CRT coefficients.\n//\n// Keys created by this function will be less performant and cannot be\n// serialized.\nOPENSSL_EXPORT RSA *RSA_new_private_key_no_crt(const BIGNUM *n, const BIGNUM *e,\n const BIGNUM *d);\n\n// RSA_new_private_key_no_e behaves like |RSA_new_private_key| but constructs an\n// RSA key without CRT parameters or public exponent.\n//\n// Keys created by this function will be less performant, cannot be serialized,\n// and lack hardening measures that protect against side channels and fault\n// attacks.\nOPENSSL_EXPORT RSA *RSA_new_private_key_no_e(const BIGNUM *n, const BIGNUM *d);\n\n// RSA_new_public_key_large_e behaves like |RSA_new_public_key| but allows any\n// |e| up to |n|.\n//\n// BoringSSL typically bounds public exponents as a denial-of-service\n// mitigation. Keys created by this function may perform worse than those\n// created by |RSA_new_public_key|.\nOPENSSL_EXPORT RSA *RSA_new_public_key_large_e(const BIGNUM *n,\n const BIGNUM *e);\n\n// RSA_new_private_key_large_e behaves like |RSA_new_private_key| but allows any\n// |e| up to |n|.\n//\n// BoringSSL typically bounds public exponents as a denial-of-service\n// mitigation. Keys created by this function may perform worse than those\n// created by |RSA_new_private_key|.\nOPENSSL_EXPORT RSA *RSA_new_private_key_large_e(\n const BIGNUM *n, const BIGNUM *e, const BIGNUM *d, const BIGNUM *p,\n const BIGNUM *q, const BIGNUM *dmp1, const BIGNUM *dmq1,\n const BIGNUM *iqmp);\n\n\n// ex_data functions.\n//\n// See |ex_data.h| for details.\n\nOPENSSL_EXPORT int RSA_get_ex_new_index(long argl, void *argp,\n CRYPTO_EX_unused *unused,\n CRYPTO_EX_dup *dup_unused,\n CRYPTO_EX_free *free_func);\nOPENSSL_EXPORT int RSA_set_ex_data(RSA *rsa, int idx, void *arg);\nOPENSSL_EXPORT void *RSA_get_ex_data(const RSA *rsa, int idx);\n\n\n// Flags.\n\n// RSA_FLAG_OPAQUE specifies that this RSA_METHOD does not expose its key\n// material. This may be set if, for instance, it is wrapping some other crypto\n// API, like a platform key store.\n#define RSA_FLAG_OPAQUE 1\n\n// RSA_FLAG_NO_BLINDING disables blinding of private operations, which is a\n// dangerous thing to do. This flag is set internally as part of self-tests but\n// is otherwise impossible to set externally.\n#define RSA_FLAG_NO_BLINDING 8\n\n// RSA_FLAG_EXT_PKEY is deprecated and ignored.\n#define RSA_FLAG_EXT_PKEY 0x20\n\n// RSA_FLAG_NO_PUBLIC_EXPONENT indicates that private keys without a public\n// exponent are allowed. This is an internal constant. Use\n// |RSA_new_private_key_no_e| to construct such keys.\n#define RSA_FLAG_NO_PUBLIC_EXPONENT 0x40\n\n// RSA_FLAG_LARGE_PUBLIC_EXPONENT indicates that keys with a large public\n// exponent are allowed. This is an internal constant. Use\n// |RSA_new_public_key_large_e| and |RSA_new_private_key_large_e| to construct\n// such keys.\n#define RSA_FLAG_LARGE_PUBLIC_EXPONENT 0x80\n\n\n// RSA public exponent values.\n\n#define RSA_3 0x3\n#define RSA_F4 0x10001\n\n\n// Deprecated functions.\n\n#define RSA_METHOD_FLAG_NO_CHECK RSA_FLAG_OPAQUE\n\n// RSA_flags returns the flags for |rsa|. These are a bitwise OR of |RSA_FLAG_*|\n// constants.\nOPENSSL_EXPORT int RSA_flags(const RSA *rsa);\n\n// RSA_test_flags returns the subset of flags in |flags| which are set in |rsa|.\nOPENSSL_EXPORT int RSA_test_flags(const RSA *rsa, int flags);\n\n// RSA_blinding_on returns one.\nOPENSSL_EXPORT int RSA_blinding_on(RSA *rsa, BN_CTX *ctx);\n\n// RSA_blinding_off does nothing.\nOPENSSL_EXPORT void RSA_blinding_off(RSA *rsa);\n\n// RSA_generate_key behaves like |RSA_generate_key_ex|, which is what you\n// should use instead. It returns NULL on error, or a newly-allocated |RSA| on\n// success. This function is provided for compatibility only. The |callback|\n// and |cb_arg| parameters must be NULL.\nOPENSSL_EXPORT RSA *RSA_generate_key(int bits, uint64_t e, void *callback,\n void *cb_arg);\n\n// d2i_RSAPublicKey parses a DER-encoded RSAPublicKey structure (RFC 8017) from\n// |len| bytes at |*inp|, as described in |d2i_SAMPLE|.\n//\n// Use |RSA_parse_public_key| instead.\nOPENSSL_EXPORT RSA *d2i_RSAPublicKey(RSA **out, const uint8_t **inp, long len);\n\n// i2d_RSAPublicKey marshals |in| to a DER-encoded RSAPublicKey structure (RFC\n// 8017), as described in |i2d_SAMPLE|.\n//\n// Use |RSA_marshal_public_key| instead.\nOPENSSL_EXPORT int i2d_RSAPublicKey(const RSA *in, uint8_t **outp);\n\n// d2i_RSAPrivateKey parses a DER-encoded RSAPrivateKey structure (RFC 8017)\n// from |len| bytes at |*inp|, as described in |d2i_SAMPLE|.\n//\n// Use |RSA_parse_private_key| instead.\nOPENSSL_EXPORT RSA *d2i_RSAPrivateKey(RSA **out, const uint8_t **inp, long len);\n\n// i2d_RSAPrivateKey marshals |in| to a DER-encoded RSAPrivateKey structure (RFC\n// 8017), as described in |i2d_SAMPLE|.\n//\n// Use |RSA_marshal_private_key| instead.\nOPENSSL_EXPORT int i2d_RSAPrivateKey(const RSA *in, uint8_t **outp);\n\n// RSA_padding_add_PKCS1_PSS acts like |RSA_padding_add_PKCS1_PSS_mgf1| but the\n// |mgf1Hash| parameter of the latter is implicitly set to |Hash|.\n//\n// This function implements only the low-level padding logic. Use\n// |RSA_sign_pss_mgf1| instead.\nOPENSSL_EXPORT int RSA_padding_add_PKCS1_PSS(const RSA *rsa, uint8_t *EM,\n const uint8_t *mHash,\n const EVP_MD *Hash, int sLen);\n\n// RSA_verify_PKCS1_PSS acts like |RSA_verify_PKCS1_PSS_mgf1| but the\n// |mgf1Hash| parameter of the latter is implicitly set to |Hash|.\n//\n// This function implements only the low-level padding logic. Use\n// |RSA_verify_pss_mgf1| instead.\nOPENSSL_EXPORT int RSA_verify_PKCS1_PSS(const RSA *rsa, const uint8_t *mHash,\n const EVP_MD *Hash, const uint8_t *EM,\n int sLen);\n\n// RSA_padding_add_PKCS1_OAEP acts like |RSA_padding_add_PKCS1_OAEP_mgf1| but\n// the |md| and |mgf1md| parameters of the latter are implicitly set to NULL,\n// which means SHA-1.\nOPENSSL_EXPORT int RSA_padding_add_PKCS1_OAEP(uint8_t *to, size_t to_len,\n const uint8_t *from,\n size_t from_len,\n const uint8_t *param,\n size_t param_len);\n\n// RSA_print prints a textual representation of |rsa| to |bio|. It returns one\n// on success or zero otherwise.\nOPENSSL_EXPORT int RSA_print(BIO *bio, const RSA *rsa, int indent);\n\n// RSA_get0_pss_params returns NULL. In OpenSSL, this function retries RSA-PSS\n// parameters associated with |RSA| objects, but BoringSSL does not support\n// the id-RSASSA-PSS key encoding.\nOPENSSL_EXPORT const RSA_PSS_PARAMS *RSA_get0_pss_params(const RSA *rsa);\n\n// RSA_new_method_no_e returns a newly-allocated |RSA| object backed by\n// |engine|, with a public modulus of |n| and no known public exponent.\n//\n// Do not use this function. It exists only to support Conscrypt, whose use\n// should be replaced with a more sound mechanism. See\n// https://crbug.com/boringssl/602.\nOPENSSL_EXPORT RSA *RSA_new_method_no_e(const ENGINE *engine, const BIGNUM *n);\n\n\nstruct rsa_meth_st {\n struct openssl_method_common_st common;\n\n void *app_data;\n\n int (*init)(RSA *rsa);\n int (*finish)(RSA *rsa);\n\n int (*sign)(int type, const uint8_t *m, unsigned int m_length,\n uint8_t *sigret, unsigned int *siglen, const RSA *rsa);\n\n // These functions mirror the |RSA_*| functions of the same name.\n int (*sign_raw)(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out,\n const uint8_t *in, size_t in_len, int padding);\n int (*decrypt)(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out,\n const uint8_t *in, size_t in_len, int padding);\n\n // private_transform takes a big-endian integer from |in|, calculates the\n // d'th power of it, modulo the RSA modulus and writes the result as a\n // big-endian integer to |out|. Both |in| and |out| are |len| bytes long and\n // |len| is always equal to |RSA_size(rsa)|. If the result of the transform\n // can be represented in fewer than |len| bytes, then |out| must be zero\n // padded on the left.\n //\n // It returns one on success and zero otherwise.\n //\n // RSA decrypt and sign operations will call this, thus an ENGINE might wish\n // to override it in order to avoid having to implement the padding\n // functionality demanded by those, higher level, operations.\n int (*private_transform)(RSA *rsa, uint8_t *out, const uint8_t *in,\n size_t len);\n\n int flags;\n};\n\n\n#if defined(__cplusplus)\n} // extern C\n\nextern \"C++\" {\n\nBSSL_NAMESPACE_BEGIN\n\nBORINGSSL_MAKE_DELETER(RSA, RSA_free)\nBORINGSSL_MAKE_UP_REF(RSA, RSA_up_ref)\n\nBSSL_NAMESPACE_END\n\n} // extern C++\n\n#endif\n\n#define RSA_R_BAD_ENCODING 100\n#define RSA_R_BAD_E_VALUE 101\n#define RSA_R_BAD_FIXED_HEADER_DECRYPT 102\n#define RSA_R_BAD_PAD_BYTE_COUNT 103\n#define RSA_R_BAD_RSA_PARAMETERS 104\n#define RSA_R_BAD_SIGNATURE 105\n#define RSA_R_BAD_VERSION 106\n#define RSA_R_BLOCK_TYPE_IS_NOT_01 107\n#define RSA_R_BN_NOT_INITIALIZED 108\n#define RSA_R_CANNOT_RECOVER_MULTI_PRIME_KEY 109\n#define RSA_R_CRT_PARAMS_ALREADY_GIVEN 110\n#define RSA_R_CRT_VALUES_INCORRECT 111\n#define RSA_R_DATA_LEN_NOT_EQUAL_TO_MOD_LEN 112\n#define RSA_R_DATA_TOO_LARGE 113\n#define RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE 114\n#define RSA_R_DATA_TOO_LARGE_FOR_MODULUS 115\n#define RSA_R_DATA_TOO_SMALL 116\n#define RSA_R_DATA_TOO_SMALL_FOR_KEY_SIZE 117\n#define RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY 118\n#define RSA_R_D_E_NOT_CONGRUENT_TO_1 119\n#define RSA_R_EMPTY_PUBLIC_KEY 120\n#define RSA_R_ENCODE_ERROR 121\n#define RSA_R_FIRST_OCTET_INVALID 122\n#define RSA_R_INCONSISTENT_SET_OF_CRT_VALUES 123\n#define RSA_R_INTERNAL_ERROR 124\n#define RSA_R_INVALID_MESSAGE_LENGTH 125\n#define RSA_R_KEY_SIZE_TOO_SMALL 126\n#define RSA_R_LAST_OCTET_INVALID 127\n#define RSA_R_MODULUS_TOO_LARGE 128\n#define RSA_R_MUST_HAVE_AT_LEAST_TWO_PRIMES 129\n#define RSA_R_NO_PUBLIC_EXPONENT 130\n#define RSA_R_NULL_BEFORE_BLOCK_MISSING 131\n#define RSA_R_N_NOT_EQUAL_P_Q 132\n#define RSA_R_OAEP_DECODING_ERROR 133\n#define RSA_R_ONLY_ONE_OF_P_Q_GIVEN 134\n#define RSA_R_OUTPUT_BUFFER_TOO_SMALL 135\n#define RSA_R_PADDING_CHECK_FAILED 136\n#define RSA_R_PKCS_DECODING_ERROR 137\n#define RSA_R_SLEN_CHECK_FAILED 138\n#define RSA_R_SLEN_RECOVERY_FAILED 139\n#define RSA_R_TOO_LONG 140\n#define RSA_R_TOO_MANY_ITERATIONS 141\n#define RSA_R_UNKNOWN_ALGORITHM_TYPE 142\n#define RSA_R_UNKNOWN_PADDING_TYPE 143\n#define RSA_R_VALUE_MISSING 144\n#define RSA_R_WRONG_SIGNATURE_LENGTH 145\n#define RSA_R_PUBLIC_KEY_VALIDATION_FAILED 146\n#define RSA_R_D_OUT_OF_RANGE 147\n#define RSA_R_BLOCK_TYPE_IS_NOT_02 148\n\n#endif // OPENSSL_HEADER_RSA_H\n" }, { "path": "Sources/CNIOBoringSSL/include/CNIOBoringSSL_safestack.h", "content": "/* Copyright 2014 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n/* This header is provided in order to make compiling against code that expects\n OpenSSL easier. */\n" }, { "path": "Sources/CNIOBoringSSL/include/CNIOBoringSSL_service_indicator.h", "content": "/* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n#ifndef OPENSSL_HEADER_SERVICE_INDICATOR_H\n#define OPENSSL_HEADER_SERVICE_INDICATOR_H\n\n#include \"CNIOBoringSSL_base.h\"\n\n#if defined(__cplusplus)\nextern \"C\" {\n#endif\n\n// FIPS_service_indicator_before_call and |FIPS_service_indicator_after_call|\n// both currently return the same local thread counter which is slowly\n// incremented whenever approved services are called. The\n// |CALL_SERVICE_AND_CHECK_APPROVED| macro is strongly recommended over calling\n// these functions directly.\n//\n// |FIPS_service_indicator_before_call| is intended to be called immediately\n// before an approved service, while |FIPS_service_indicator_after_call| should\n// be called immediately after. If the values returned from these two functions\n// are not equal, this means that the service called inbetween is deemed to be\n// approved. If the values are still the same, this means the counter has not\n// been incremented, and the service called is not approved for FIPS.\n//\n// In non-FIPS builds, |FIPS_service_indicator_before_call| always returns zero\n// and |FIPS_service_indicator_after_call| always returns one. Thus calls always\n// appear to be approved. This is intended to simplify testing.\nOPENSSL_EXPORT uint64_t FIPS_service_indicator_before_call(void);\nOPENSSL_EXPORT uint64_t FIPS_service_indicator_after_call(void);\n\n#if defined(__cplusplus)\n}\n\n#if !defined(BORINGSSL_NO_CXX)\n\nextern \"C++\" {\n\n// CALL_SERVICE_AND_CHECK_APPROVED runs |func| and sets |approved| to one of the\n// |FIPSStatus*| values, above, depending on whether |func| invoked an\n// approved service. The result of |func| becomes the result of this macro.\n#define CALL_SERVICE_AND_CHECK_APPROVED(approved, func) \\\n [&] { \\\n bssl::FIPSIndicatorHelper fips_indicator_helper(&approved); \\\n return func; \\\n }()\n\nBSSL_NAMESPACE_BEGIN\n\nenum class FIPSStatus {\n NOT_APPROVED = 0,\n APPROVED = 1,\n};\n\n// FIPSIndicatorHelper records whether the service indicator counter advanced\n// during its lifetime.\nclass FIPSIndicatorHelper {\n public:\n FIPSIndicatorHelper(FIPSStatus *result)\n : result_(result), before_(FIPS_service_indicator_before_call()) {\n *result_ = FIPSStatus::NOT_APPROVED;\n }\n\n ~FIPSIndicatorHelper() {\n uint64_t after = FIPS_service_indicator_after_call();\n if (after != before_) {\n *result_ = FIPSStatus::APPROVED;\n }\n }\n\n FIPSIndicatorHelper(const FIPSIndicatorHelper&) = delete;\n FIPSIndicatorHelper &operator=(const FIPSIndicatorHelper &) = delete;\n\n private:\n FIPSStatus *const result_;\n const uint64_t before_;\n};\n\nBSSL_NAMESPACE_END\n} // extern \"C++\"\n\n#endif // !BORINGSSL_NO_CXX\n#endif // __cplusplus\n\n#endif // OPENSSL_HEADER_SERVICE_INDICATOR_H\n" }, { "path": "Sources/CNIOBoringSSL/include/CNIOBoringSSL_sha.h", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#ifndef OPENSSL_HEADER_SHA_H\n#define OPENSSL_HEADER_SHA_H\n\n#include \"CNIOBoringSSL_base.h\"\n#include \"CNIOBoringSSL_bcm_public.h\" // IWYU pragma: export\n\n#if defined(__cplusplus)\nextern \"C\" {\n#endif\n\n\n// The SHA family of hash functions (SHA-1 and SHA-2).\n\n\n// SHA_CBLOCK is the block size of SHA-1.\n#define SHA_CBLOCK 64\n\n// SHA_DIGEST_LENGTH is the length of a SHA-1 digest.\n#define SHA_DIGEST_LENGTH 20\n\n// SHA1_Init initialises |sha| and returns one.\nOPENSSL_EXPORT int SHA1_Init(SHA_CTX *sha);\n\n// SHA1_Update adds |len| bytes from |data| to |sha| and returns one.\nOPENSSL_EXPORT int SHA1_Update(SHA_CTX *sha, const void *data, size_t len);\n\n// SHA1_Final adds the final padding to |sha| and writes the resulting digest to\n// |out|, which must have at least |SHA_DIGEST_LENGTH| bytes of space. It\n// returns one.\nOPENSSL_EXPORT int SHA1_Final(uint8_t out[SHA_DIGEST_LENGTH], SHA_CTX *sha);\n\n// SHA1 writes the digest of |len| bytes from |data| to |out| and returns\n// |out|. There must be at least |SHA_DIGEST_LENGTH| bytes of space in\n// |out|.\nOPENSSL_EXPORT uint8_t *SHA1(const uint8_t *data, size_t len,\n uint8_t out[SHA_DIGEST_LENGTH]);\n\n// SHA1_Transform is a low-level function that performs a single, SHA-1 block\n// transformation using the state from |sha| and |SHA_CBLOCK| bytes from\n// |block|.\nOPENSSL_EXPORT void SHA1_Transform(SHA_CTX *sha,\n const uint8_t block[SHA_CBLOCK]);\n\n// CRYPTO_fips_186_2_prf derives |out_len| bytes from |xkey| using the PRF\n// defined in FIPS 186-2, Appendix 3.1, with change notice 1 applied. The b\n// parameter is 160 and seed, XKEY, is also 160 bits. The optional XSEED user\n// input is all zeros.\n//\n// The PRF generates a sequence of 320-bit numbers. Each number is encoded as a\n// 40-byte string in big-endian and then concatenated to form |out|. If\n// |out_len| is not a multiple of 40, the result is truncated. This matches the\n// construction used in Section 7 of RFC 4186 and Section 7 of RFC 4187.\n//\n// This PRF is based on SHA-1, a weak hash function, and should not be used\n// in new protocols. It is provided for compatibility with some legacy EAP\n// methods.\nOPENSSL_EXPORT void CRYPTO_fips_186_2_prf(\n uint8_t *out, size_t out_len, const uint8_t xkey[SHA_DIGEST_LENGTH]);\n\n\n// SHA-224.\n\n// SHA224_CBLOCK is the block size of SHA-224.\n#define SHA224_CBLOCK 64\n\n// SHA224_DIGEST_LENGTH is the length of a SHA-224 digest.\n#define SHA224_DIGEST_LENGTH 28\n\n// SHA224_Init initialises |sha| and returns 1.\nOPENSSL_EXPORT int SHA224_Init(SHA256_CTX *sha);\n\n// SHA224_Update adds |len| bytes from |data| to |sha| and returns 1.\nOPENSSL_EXPORT int SHA224_Update(SHA256_CTX *sha, const void *data, size_t len);\n\n// SHA224_Final adds the final padding to |sha| and writes the resulting digest\n// to |out|, which must have at least |SHA224_DIGEST_LENGTH| bytes of space. It\n// returns 1.\nOPENSSL_EXPORT int SHA224_Final(uint8_t out[SHA224_DIGEST_LENGTH],\n SHA256_CTX *sha);\n\n// SHA224 writes the digest of |len| bytes from |data| to |out| and returns\n// |out|. There must be at least |SHA224_DIGEST_LENGTH| bytes of space in\n// |out|.\nOPENSSL_EXPORT uint8_t *SHA224(const uint8_t *data, size_t len,\n uint8_t out[SHA224_DIGEST_LENGTH]);\n\n\n// SHA-256.\n\n// SHA256_CBLOCK is the block size of SHA-256.\n#define SHA256_CBLOCK 64\n\n// SHA256_DIGEST_LENGTH is the length of a SHA-256 digest.\n#define SHA256_DIGEST_LENGTH 32\n\n// SHA256_Init initialises |sha| and returns 1.\nOPENSSL_EXPORT int SHA256_Init(SHA256_CTX *sha);\n\n// SHA256_Update adds |len| bytes from |data| to |sha| and returns 1.\nOPENSSL_EXPORT int SHA256_Update(SHA256_CTX *sha, const void *data, size_t len);\n\n// SHA256_Final adds the final padding to |sha| and writes the resulting digest\n// to |out|, which must have at least |SHA256_DIGEST_LENGTH| bytes of space. It\n// returns one on success and zero on programmer error.\nOPENSSL_EXPORT int SHA256_Final(uint8_t out[SHA256_DIGEST_LENGTH],\n SHA256_CTX *sha);\n\n// SHA256 writes the digest of |len| bytes from |data| to |out| and returns\n// |out|. There must be at least |SHA256_DIGEST_LENGTH| bytes of space in\n// |out|.\nOPENSSL_EXPORT uint8_t *SHA256(const uint8_t *data, size_t len,\n uint8_t out[SHA256_DIGEST_LENGTH]);\n\n// SHA256_Transform is a low-level function that performs a single, SHA-256\n// block transformation using the state from |sha| and |SHA256_CBLOCK| bytes\n// from |block|.\nOPENSSL_EXPORT void SHA256_Transform(SHA256_CTX *sha,\n const uint8_t block[SHA256_CBLOCK]);\n\n// SHA256_TransformBlocks is a low-level function that takes |num_blocks| *\n// |SHA256_CBLOCK| bytes of data and performs SHA-256 transforms on it to update\n// |state|. You should not use this function unless you are implementing a\n// derivative of SHA-256.\nOPENSSL_EXPORT void SHA256_TransformBlocks(uint32_t state[8],\n const uint8_t *data,\n size_t num_blocks);\n\n// SHA-384.\n\n// SHA384_CBLOCK is the block size of SHA-384.\n#define SHA384_CBLOCK 128\n\n// SHA384_DIGEST_LENGTH is the length of a SHA-384 digest.\n#define SHA384_DIGEST_LENGTH 48\n\n// SHA384_Init initialises |sha| and returns 1.\nOPENSSL_EXPORT int SHA384_Init(SHA512_CTX *sha);\n\n// SHA384_Update adds |len| bytes from |data| to |sha| and returns 1.\nOPENSSL_EXPORT int SHA384_Update(SHA512_CTX *sha, const void *data, size_t len);\n\n// SHA384_Final adds the final padding to |sha| and writes the resulting digest\n// to |out|, which must have at least |SHA384_DIGEST_LENGTH| bytes of space. It\n// returns one on success and zero on programmer error.\nOPENSSL_EXPORT int SHA384_Final(uint8_t out[SHA384_DIGEST_LENGTH],\n SHA512_CTX *sha);\n\n// SHA384 writes the digest of |len| bytes from |data| to |out| and returns\n// |out|. There must be at least |SHA384_DIGEST_LENGTH| bytes of space in\n// |out|.\nOPENSSL_EXPORT uint8_t *SHA384(const uint8_t *data, size_t len,\n uint8_t out[SHA384_DIGEST_LENGTH]);\n\n\n// SHA-512.\n\n// SHA512_CBLOCK is the block size of SHA-512.\n#define SHA512_CBLOCK 128\n\n// SHA512_DIGEST_LENGTH is the length of a SHA-512 digest.\n#define SHA512_DIGEST_LENGTH 64\n\n// SHA512_Init initialises |sha| and returns 1.\nOPENSSL_EXPORT int SHA512_Init(SHA512_CTX *sha);\n\n// SHA512_Update adds |len| bytes from |data| to |sha| and returns 1.\nOPENSSL_EXPORT int SHA512_Update(SHA512_CTX *sha, const void *data, size_t len);\n\n// SHA512_Final adds the final padding to |sha| and writes the resulting digest\n// to |out|, which must have at least |SHA512_DIGEST_LENGTH| bytes of space. It\n// returns one on success and zero on programmer error.\nOPENSSL_EXPORT int SHA512_Final(uint8_t out[SHA512_DIGEST_LENGTH],\n SHA512_CTX *sha);\n\n// SHA512 writes the digest of |len| bytes from |data| to |out| and returns\n// |out|. There must be at least |SHA512_DIGEST_LENGTH| bytes of space in\n// |out|.\nOPENSSL_EXPORT uint8_t *SHA512(const uint8_t *data, size_t len,\n uint8_t out[SHA512_DIGEST_LENGTH]);\n\n// SHA512_Transform is a low-level function that performs a single, SHA-512\n// block transformation using the state from |sha| and |SHA512_CBLOCK| bytes\n// from |block|.\nOPENSSL_EXPORT void SHA512_Transform(SHA512_CTX *sha,\n const uint8_t block[SHA512_CBLOCK]);\n\n// SHA-512-256\n//\n// See https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf section 5.3.6\n\n#define SHA512_256_DIGEST_LENGTH 32\n\n// SHA512_256_Init initialises |sha| and returns 1.\nOPENSSL_EXPORT int SHA512_256_Init(SHA512_CTX *sha);\n\n// SHA512_256_Update adds |len| bytes from |data| to |sha| and returns 1.\nOPENSSL_EXPORT int SHA512_256_Update(SHA512_CTX *sha, const void *data,\n size_t len);\n\n// SHA512_256_Final adds the final padding to |sha| and writes the resulting\n// digest to |out|, which must have at least |SHA512_256_DIGEST_LENGTH| bytes of\n// space. It returns one on success and zero on programmer error.\nOPENSSL_EXPORT int SHA512_256_Final(uint8_t out[SHA512_256_DIGEST_LENGTH],\n SHA512_CTX *sha);\n\n// SHA512_256 writes the digest of |len| bytes from |data| to |out| and returns\n// |out|. There must be at least |SHA512_256_DIGEST_LENGTH| bytes of space in\n// |out|.\nOPENSSL_EXPORT uint8_t *SHA512_256(const uint8_t *data, size_t len,\n uint8_t out[SHA512_256_DIGEST_LENGTH]);\n\n\n#if defined(__cplusplus)\n} // extern C\n#endif\n\n#endif // OPENSSL_HEADER_SHA_H\n" }, { "path": "Sources/CNIOBoringSSL/include/CNIOBoringSSL_siphash.h", "content": "/* Copyright 2019 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n#ifndef OPENSSL_HEADER_SIPHASH_H\n#define OPENSSL_HEADER_SIPHASH_H\n\n#include \"CNIOBoringSSL_base.h\"\n\n#if defined(__cplusplus)\nextern \"C\" {\n#endif\n\n\n// SipHash is a fast, secure PRF that is often used for hash tables.\n\n\n// SIPHASH_24 implements SipHash-2-4. See https://131002.net/siphash/siphash.pdf\nOPENSSL_EXPORT uint64_t SIPHASH_24(const uint64_t key[2], const uint8_t *input,\n size_t input_len);\n\n\n#if defined(__cplusplus)\n} // extern C\n#endif\n\n#endif // OPENSSL_HEADER_SIPHASH_H\n" }, { "path": "Sources/CNIOBoringSSL/include/CNIOBoringSSL_slhdsa.h", "content": "/* Copyright 2024 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n#ifndef OPENSSL_HEADER_SLHDSA_H\n#define OPENSSL_HEADER_SLHDSA_H\n\n#include \"CNIOBoringSSL_base.h\"\n\n#if defined(__cplusplus)\nextern \"C\" {\n#endif\n\n\n// SLHDSA_SHA2_128S_PUBLIC_KEY_BYTES is the number of bytes in an\n// SLH-DSA-SHA2-128s public key.\n#define SLHDSA_SHA2_128S_PUBLIC_KEY_BYTES 32\n\n// SLHDSA_SHA2_128S_PRIVATE_KEY_BYTES is the number of bytes in an\n// SLH-DSA-SHA2-128s private key.\n#define SLHDSA_SHA2_128S_PRIVATE_KEY_BYTES 64\n\n// SLHDSA_SHA2_128S_SIGNATURE_BYTES is the number of bytes in an\n// SLH-DSA-SHA2-128s signature.\n#define SLHDSA_SHA2_128S_SIGNATURE_BYTES 7856\n\n// SLHDSA_SHA2_128S_generate_key generates a SLH-DSA-SHA2-128s key pair and\n// writes the result to |out_public_key| and |out_private_key|.\nOPENSSL_EXPORT void SLHDSA_SHA2_128S_generate_key(\n uint8_t out_public_key[SLHDSA_SHA2_128S_PUBLIC_KEY_BYTES],\n uint8_t out_private_key[SLHDSA_SHA2_128S_PRIVATE_KEY_BYTES]);\n\n// SLHDSA_SHA2_128S_public_from_private writes the public key corresponding to\n// |private_key| to |out_public_key|.\nOPENSSL_EXPORT void SLHDSA_SHA2_128S_public_from_private(\n uint8_t out_public_key[SLHDSA_SHA2_128S_PUBLIC_KEY_BYTES],\n const uint8_t private_key[SLHDSA_SHA2_128S_PRIVATE_KEY_BYTES]);\n\n// SLHDSA_SHA2_128S_sign slowly generates a SLH-DSA-SHA2-128s signature of |msg|\n// using |private_key| and writes it to |out_signature|. The |context| argument\n// is also signed over and can be used to include implicit contextual\n// information that isn't included in |msg|. The same value of |context| must be\n// presented to |SLHDSA_SHA2_128S_verify| in order for the generated signature\n// to be considered valid. |context| and |context_len| may be |NULL| and 0 to\n// use an empty context (this is common). It returns 1 on success and 0 if\n// |context_len| is larger than 255.\nOPENSSL_EXPORT int SLHDSA_SHA2_128S_sign(\n uint8_t out_signature[SLHDSA_SHA2_128S_SIGNATURE_BYTES],\n const uint8_t private_key[SLHDSA_SHA2_128S_PRIVATE_KEY_BYTES],\n const uint8_t *msg, size_t msg_len, const uint8_t *context,\n size_t context_len);\n\n// SLHDSA_SHA2_128S_verify verifies that |signature| is a valid\n// SLH-DSA-SHA2-128s signature of |msg| by |public_key|. The value of |context|\n// must equal the value that was passed to |SLHDSA_SHA2_128S_sign| when the\n// signature was generated. It returns 1 if the signature is valid and 0\n// otherwise.\nOPENSSL_EXPORT int SLHDSA_SHA2_128S_verify(\n const uint8_t *signature, size_t signature_len,\n const uint8_t public_key[SLHDSA_SHA2_128S_PUBLIC_KEY_BYTES],\n const uint8_t *msg, size_t msg_len, const uint8_t *context,\n size_t context_len);\n\n\n// Prehashed SLH-DSA-SHA2-128s.\n//\n// These functions sign the hash of a message. They should generally not be\n// used. The general functions are perfectly capable of signing a hash if you\n// wish. These functions should only be used when:\n//\n// a) Compatibility with an external system that uses prehashed messages is\n// required. (The general signature of a hash is not compatible with a\n// \"prehash\" signature of the same hash.)\n// b) A single private key is used to sign both prehashed and raw messages,\n// and there's no other way to prevent ambiguity.\n\n// SLHDSA_SHA2_128S_prehash_sign slowly generates a SLH-DSA-SHA2-128s signature\n// of the prehashed |hashed_msg| using |private_key| and writes it to\n// |out_signature|. The |context| argument is also signed over and can be used\n// to include implicit contextual information that isn't included in\n// |hashed_msg|. The same value of |context| must be presented to\n// |SLHDSA_SHA2_128S_prehash_verify| in order for the generated signature to be\n// considered valid. |context| and |context_len| may be |NULL| and 0 to use an\n// empty context (this is common).\n//\n// The |hash_nid| argument must specify the hash function that was used to\n// generate |hashed_msg|. This function only accepts hash functions listed in\n// FIPS 205.\n//\n// This function returns 1 on success and 0 if |context_len| is larger than 255,\n// if the hash function is not supported, or if |hashed_msg| is the wrong\n// length.\nOPENSSL_EXPORT int SLHDSA_SHA2_128S_prehash_sign(\n uint8_t out_signature[SLHDSA_SHA2_128S_SIGNATURE_BYTES],\n const uint8_t private_key[SLHDSA_SHA2_128S_PRIVATE_KEY_BYTES],\n const uint8_t *hashed_msg, size_t hashed_msg_len, int hash_nid,\n const uint8_t *context, size_t context_len);\n\n// SLHDSA_SHA2_128S_prehash_verify verifies that |signature| is a valid\n// SLH-DSA-SHA2-128s signature of the prehashed |hashed_msg| by |public_key|,\n// using the hash algorithm identified by |hash_nid|. The value of |context|\n// must equal the value that was passed to |SLHDSA_SHA2_128S_prehash_sign| when\n// the signature was generated.\n//\n// The |hash_nid| argument must specify the hash function that was used to\n// generate |hashed_msg|. This function only accepts hash functions that are\n// listed in FIPS 205.\n//\n// This function returns 1 if the signature is valid and 0 if the signature is\n// invalid, the hash function is not supported, or if |hashed_msg| is the wrong\n// length.\nOPENSSL_EXPORT int SLHDSA_SHA2_128S_prehash_verify(\n const uint8_t *signature, size_t signature_len,\n const uint8_t public_key[SLHDSA_SHA2_128S_PUBLIC_KEY_BYTES],\n const uint8_t *hashed_msg, size_t hashed_msg_len, int hash_nid,\n const uint8_t *context, size_t context_len);\n\n// SLHDSA_SHA2_128S_prehash_warning_nonstandard_sign slowly generates a\n// SLH-DSA-SHA2-128s signature of the prehashed |hashed_msg| using |private_key|\n// and writes it to |out_signature|. The |context| argument is also signed over\n// and can be used to include implicit contextual information that isn't\n// included in |hashed_msg|. The same value of |context| must be presented to\n// |SLHDSA_SHA2_128S_prehash_warning_nonstandard_verify| in order for the\n// generated signature to be considered valid. |context| and |context_len| may\n// be |NULL| and 0 to use an empty context (this is common).\n//\n// The |hash_nid| argument must specify the hash function that was used to\n// generate |hashed_msg|. This function only accepts non-standard hash functions\n// that are not compliant with FIPS 205.\n//\n// This function returns 1 on success and 0 if |context_len| is larger than 255,\n// if the hash function is not supported, or if |hashed_msg| is the wrong\n// length.\nOPENSSL_EXPORT int SLHDSA_SHA2_128S_prehash_warning_nonstandard_sign(\n uint8_t out_signature[SLHDSA_SHA2_128S_SIGNATURE_BYTES],\n const uint8_t private_key[SLHDSA_SHA2_128S_PRIVATE_KEY_BYTES],\n const uint8_t *hashed_msg, size_t hashed_msg_len, int hash_nid,\n const uint8_t *context, size_t context_len);\n\n// SLHDSA_SHA2_128S_prehash_warning_nonstandard_verify verifies that |signature|\n// is a valid SLH-DSA-SHA2-128s signature of the prehashed |hashed_msg| by\n// |public_key|, using the hash algorithm identified by |hash_nid|. The value of\n// |context| must equal the value that was passed to\n// |SLHDSA_SHA2_128S_prehash_sign| when the signature was generated.\n//\n// The |hash_nid| argument must specify the hash function that was used to\n// generate |hashed_msg|. This function only accepts non-standard hash functions\n// that are not compliant with FIPS 205.\n//\n// This function returns 1 if the signature is valid and 0 if the signature is\n// invalid, the hash function is not supported, or if |hashed_msg| is the wrong\n// length.\nOPENSSL_EXPORT int SLHDSA_SHA2_128S_prehash_warning_nonstandard_verify(\n const uint8_t *signature, size_t signature_len,\n const uint8_t public_key[SLHDSA_SHA2_128S_PUBLIC_KEY_BYTES],\n const uint8_t *hashed_msg, size_t hashed_msg_len, int hash_nid,\n const uint8_t *context, size_t context_len);\n\n\n#if defined(__cplusplus)\n} // extern C\n#endif\n\n#endif // OPENSSL_HEADER_SLHDSA_H\n" }, { "path": "Sources/CNIOBoringSSL/include/CNIOBoringSSL_span.h", "content": "/* Copyright 2017 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n#ifndef OPENSSL_HEADER_SSL_SPAN_H\n#define OPENSSL_HEADER_SSL_SPAN_H\n\n#include \"CNIOBoringSSL_base.h\"\n\n#if !defined(BORINGSSL_NO_CXX)\n\nextern \"C++\" {\n\n#include \n\n#include \n#include \n#include \n\n#if __has_include()\n#include \n#endif\n\n#if defined(__cpp_lib_ranges) && __cpp_lib_ranges >= 201911L\n#include \nBSSL_NAMESPACE_BEGIN\ntemplate \nclass Span;\nBSSL_NAMESPACE_END\n\n// Mark `Span` as satisfying the `view` and `borrowed_range` concepts. This\n// should be done before the definition of `Span`, so that any inlined calls to\n// range functionality use the correct specializations.\ntemplate \ninline constexpr bool std::ranges::enable_view> = true;\ntemplate \ninline constexpr bool std::ranges::enable_borrowed_range> = true;\n#endif\n\nBSSL_NAMESPACE_BEGIN\n\ntemplate \nclass Span;\n\nnamespace internal {\ntemplate \nclass SpanBase {\n // Put comparison operator implementations into a base class with const T, so\n // they can be used with any type that implicitly converts into a Span.\n static_assert(std::is_const::value,\n \"Span must be derived from SpanBase\");\n\n friend bool operator==(Span lhs, Span rhs) {\n return std::equal(lhs.begin(), lhs.end(), rhs.begin(), rhs.end());\n }\n\n friend bool operator!=(Span lhs, Span rhs) { return !(lhs == rhs); }\n};\n\n// Heuristically test whether C is a container type that can be converted into\n// a Span by checking for data() and size() member functions.\ntemplate \nusing EnableIfContainer = std::enable_if_t<\n std::is_convertible_v().data()), T *> &&\n std::is_integral_v().size())>>;\n\n} // namespace internal\n\n// A Span is a non-owning reference to a contiguous array of objects of type\n// |T|. Conceptually, a Span is a simple a pointer to |T| and a count of\n// elements accessible via that pointer. The elements referenced by the Span can\n// be mutated if |T| is mutable.\n//\n// A Span can be constructed from container types implementing |data()| and\n// |size()| methods. If |T| is constant, construction from a container type is\n// implicit. This allows writing methods that accept data from some unspecified\n// container type:\n//\n// // Foo views data referenced by v.\n// void Foo(bssl::Span v) { ... }\n//\n// std::vector vec;\n// Foo(vec);\n//\n// For mutable Spans, conversion is explicit:\n//\n// // FooMutate mutates data referenced by v.\n// void FooMutate(bssl::Span v) { ... }\n//\n// FooMutate(bssl::Span(vec));\n//\n// You can also use C++17 class template argument deduction to construct Spans\n// in order to deduce the type of the Span automatically.\n//\n// FooMutate(bssl::Span(vec));\n//\n// Note that Spans have value type sematics. They are cheap to construct and\n// copy, and should be passed by value whenever a method would otherwise accept\n// a reference or pointer to a container or array.\ntemplate \nclass Span : private internal::SpanBase {\n public:\n static const size_t npos = static_cast(-1);\n\n using element_type = T;\n using value_type = std::remove_cv_t;\n using size_type = size_t;\n using difference_type = ptrdiff_t;\n using pointer = T *;\n using const_pointer = const T *;\n using reference = T &;\n using const_reference = const T &;\n using iterator = T *;\n using const_iterator = const T *;\n\n constexpr Span() : Span(nullptr, 0) {}\n constexpr Span(T *ptr, size_t len) : data_(ptr), size_(len) {}\n\n template \n constexpr Span(T (&array)[N]) : Span(array, N) {}\n\n template ,\n typename = std::enable_if_t::value, C>>\n constexpr Span(const C &container)\n : data_(container.data()), size_(container.size()) {}\n\n template ,\n typename = std::enable_if_t::value, C>>\n constexpr explicit Span(C &container)\n : data_(container.data()), size_(container.size()) {}\n\n constexpr T *data() const { return data_; }\n constexpr size_t size() const { return size_; }\n constexpr bool empty() const { return size_ == 0; }\n\n constexpr iterator begin() const { return data_; }\n constexpr const_iterator cbegin() const { return data_; }\n constexpr iterator end() const { return data_ + size_; }\n constexpr const_iterator cend() const { return end(); }\n\n constexpr T &front() const {\n if (size_ == 0) {\n abort();\n }\n return data_[0];\n }\n constexpr T &back() const {\n if (size_ == 0) {\n abort();\n }\n return data_[size_ - 1];\n }\n\n constexpr T &operator[](size_t i) const {\n if (i >= size_) {\n abort();\n }\n return data_[i];\n }\n T &at(size_t i) const { return (*this)[i]; }\n\n constexpr Span subspan(size_t pos = 0, size_t len = npos) const {\n if (pos > size_) {\n // absl::Span throws an exception here. Note std::span and Chromium\n // base::span additionally forbid pos + len being out of range, with a\n // special case at npos/dynamic_extent, while absl::Span::subspan clips\n // the span. For now, we align with absl::Span in case we switch to it in\n // the future.\n abort();\n }\n return Span(data_ + pos, std::min(size_ - pos, len));\n }\n\n constexpr Span first(size_t len) const {\n if (len > size_) {\n abort();\n }\n return Span(data_, len);\n }\n\n constexpr Span last(size_t len) const {\n if (len > size_) {\n abort();\n }\n return Span(data_ + size_ - len, len);\n }\n\n private:\n T *data_;\n size_t size_;\n};\n\ntemplate \nconst size_t Span::npos;\n\ntemplate \nSpan(T *, size_t) -> Span;\ntemplate \nSpan(T (&array)[size]) -> Span;\ntemplate <\n typename C,\n typename T = std::remove_pointer_t().data())>,\n typename = internal::EnableIfContainer>\nSpan(C &) -> Span;\n\ntemplate \nconstexpr Span MakeSpan(T *ptr, size_t size) {\n return Span(ptr, size);\n}\n\ntemplate \nconstexpr auto MakeSpan(C &c) -> decltype(MakeSpan(c.data(), c.size())) {\n return MakeSpan(c.data(), c.size());\n}\n\ntemplate \nconstexpr Span MakeSpan(T (&array)[N]) {\n return Span(array, N);\n}\n\ntemplate \nconstexpr Span MakeConstSpan(T *ptr, size_t size) {\n return Span(ptr, size);\n}\n\ntemplate \nconstexpr auto MakeConstSpan(const C &c)\n -> decltype(MakeConstSpan(c.data(), c.size())) {\n return MakeConstSpan(c.data(), c.size());\n}\n\ntemplate \nconstexpr Span MakeConstSpan(T (&array)[size]) {\n return array;\n}\n\ninline Span StringAsBytes(std::string_view s) {\n return MakeConstSpan(reinterpret_cast(s.data()), s.size());\n}\n\ninline std::string_view BytesAsStringView(bssl::Span b) {\n return std::string_view(reinterpret_cast(b.data()), b.size());\n}\n\nBSSL_NAMESPACE_END\n\n} // extern C++\n\n#endif // !defined(BORINGSSL_NO_CXX)\n\n#endif // OPENSSL_HEADER_SSL_SPAN_H\n" }, { "path": "Sources/CNIOBoringSSL/include/CNIOBoringSSL_srtp.h", "content": "/* Copyright 2015 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n/* This header is provided in order to make compiling against code that expects\n OpenSSL easier. */\n\n#include \"CNIOBoringSSL_ssl.h\"\n" }, { "path": "Sources/CNIOBoringSSL/include/CNIOBoringSSL_ssl.h", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved.\n * Copyright 2005 Nokia. All rights reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#ifndef OPENSSL_HEADER_SSL_H\n#define OPENSSL_HEADER_SSL_H\n\n#include \"CNIOBoringSSL_base.h\"\n\n#include \"CNIOBoringSSL_bio.h\"\n#include \"CNIOBoringSSL_buf.h\"\n#include \"CNIOBoringSSL_pem.h\"\n#include \"CNIOBoringSSL_span.h\"\n#include \"CNIOBoringSSL_ssl3.h\"\n#include \"CNIOBoringSSL_thread.h\"\n#include \"CNIOBoringSSL_tls1.h\"\n#include \"CNIOBoringSSL_x509.h\"\n\n#if !defined(OPENSSL_WINDOWS)\n#include \n#endif\n\n// Forward-declare struct timeval. On Windows, it is defined in winsock2.h and\n// Windows headers define too many macros to be included in public headers.\n// However, only a forward declaration is needed.\nstruct timeval;\n\n#if defined(__cplusplus)\nextern \"C\" {\n#endif\n\n\n// SSL implementation.\n\n\n// SSL contexts.\n//\n// |SSL_CTX| objects manage shared state and configuration between multiple TLS\n// or DTLS connections. Whether the connections are TLS or DTLS is selected by\n// an |SSL_METHOD| on creation.\n//\n// |SSL_CTX| are reference-counted and may be shared by connections across\n// multiple threads. Once shared, functions which change the |SSL_CTX|'s\n// configuration may not be used.\n\n// TLS_method is the |SSL_METHOD| used for TLS connections.\nOPENSSL_EXPORT const SSL_METHOD *TLS_method(void);\n\n// DTLS_method is the |SSL_METHOD| used for DTLS connections.\nOPENSSL_EXPORT const SSL_METHOD *DTLS_method(void);\n\n// TLS_with_buffers_method is like |TLS_method|, but avoids all use of\n// crypto/x509. All client connections created with |TLS_with_buffers_method|\n// will fail unless a certificate verifier is installed with\n// |SSL_set_custom_verify| or |SSL_CTX_set_custom_verify|.\nOPENSSL_EXPORT const SSL_METHOD *TLS_with_buffers_method(void);\n\n// DTLS_with_buffers_method is like |DTLS_method|, but avoids all use of\n// crypto/x509.\nOPENSSL_EXPORT const SSL_METHOD *DTLS_with_buffers_method(void);\n\n// SSL_CTX_new returns a newly-allocated |SSL_CTX| with default settings or NULL\n// on error.\nOPENSSL_EXPORT SSL_CTX *SSL_CTX_new(const SSL_METHOD *method);\n\n// SSL_CTX_up_ref increments the reference count of |ctx|. It returns one.\nOPENSSL_EXPORT int SSL_CTX_up_ref(SSL_CTX *ctx);\n\n// SSL_CTX_free releases memory associated with |ctx|.\nOPENSSL_EXPORT void SSL_CTX_free(SSL_CTX *ctx);\n\n\n// SSL connections.\n//\n// An |SSL| object represents a single TLS or DTLS connection. Although the\n// shared |SSL_CTX| is thread-safe, an |SSL| is not thread-safe and may only be\n// used on one thread at a time.\n\n// SSL_new returns a newly-allocated |SSL| using |ctx| or NULL on error. The new\n// connection inherits settings from |ctx| at the time of creation. Settings may\n// also be individually configured on the connection.\n//\n// On creation, an |SSL| is not configured to be either a client or server. Call\n// |SSL_set_connect_state| or |SSL_set_accept_state| to set this.\nOPENSSL_EXPORT SSL *SSL_new(SSL_CTX *ctx);\n\n// SSL_free releases memory associated with |ssl|.\nOPENSSL_EXPORT void SSL_free(SSL *ssl);\n\n// SSL_get_SSL_CTX returns the |SSL_CTX| associated with |ssl|. If\n// |SSL_set_SSL_CTX| is called, it returns the new |SSL_CTX|, not the initial\n// one.\nOPENSSL_EXPORT SSL_CTX *SSL_get_SSL_CTX(const SSL *ssl);\n\n// SSL_set_connect_state configures |ssl| to be a client.\nOPENSSL_EXPORT void SSL_set_connect_state(SSL *ssl);\n\n// SSL_set_accept_state configures |ssl| to be a server.\nOPENSSL_EXPORT void SSL_set_accept_state(SSL *ssl);\n\n// SSL_is_server returns one if |ssl| is configured as a server and zero\n// otherwise.\nOPENSSL_EXPORT int SSL_is_server(const SSL *ssl);\n\n// SSL_is_dtls returns one if |ssl| is a DTLS connection and zero otherwise.\nOPENSSL_EXPORT int SSL_is_dtls(const SSL *ssl);\n\n// SSL_is_quic returns one if |ssl| is a QUIC connection and zero otherwise.\nOPENSSL_EXPORT int SSL_is_quic(const SSL *ssl);\n\n// SSL_set_bio configures |ssl| to read from |rbio| and write to |wbio|. |ssl|\n// takes ownership of the two |BIO|s. If |rbio| and |wbio| are the same, |ssl|\n// only takes ownership of one reference. See |SSL_set0_rbio| and\n// |SSL_set0_wbio| for requirements on |rbio| and |wbio|, respectively.\n//\n// If |rbio| is the same as the currently configured |BIO| for reading, that\n// side is left untouched and is not freed.\n//\n// If |wbio| is the same as the currently configured |BIO| for writing AND |ssl|\n// is not currently configured to read from and write to the same |BIO|, that\n// side is left untouched and is not freed. This asymmetry is present for\n// historical reasons.\n//\n// Due to the very complex historical behavior of this function, calling this\n// function if |ssl| already has |BIO|s configured is deprecated. Prefer\n// |SSL_set0_rbio| and |SSL_set0_wbio| instead.\nOPENSSL_EXPORT void SSL_set_bio(SSL *ssl, BIO *rbio, BIO *wbio);\n\n// SSL_set0_rbio configures |ssl| to read from |rbio|. It takes ownership of\n// |rbio|. |rbio| may be a custom |BIO|, in which case it must implement\n// |BIO_read| with |BIO_meth_set_read|. In DTLS, |rbio| must be non-blocking to\n// properly handle timeouts and retransmits.\n//\n// Note that, although this function and |SSL_set0_wbio| may be called on the\n// same |BIO|, each call takes a reference. Use |BIO_up_ref| to balance this.\nOPENSSL_EXPORT void SSL_set0_rbio(SSL *ssl, BIO *rbio);\n\n// SSL_set0_wbio configures |ssl| to write to |wbio|. It takes ownership of\n// |wbio|. |wbio| may be a custom |BIO|, in which case it must implement\n// |BIO_write| with |BIO_meth_set_write|. It must additionally implement\n// |BIO_flush| with |BIO_meth_set_ctrl| and |BIO_CTRL_FLUSH|. If flushing is\n// unnecessary with |wbio|, |BIO_flush| should return one and do nothing.\n//\n// Note that, although this function and |SSL_set0_rbio| may be called on the\n// same |BIO|, each call takes a reference. Use |BIO_up_ref| to balance this.\nOPENSSL_EXPORT void SSL_set0_wbio(SSL *ssl, BIO *wbio);\n\n// SSL_get_rbio returns the |BIO| that |ssl| reads from.\nOPENSSL_EXPORT BIO *SSL_get_rbio(const SSL *ssl);\n\n// SSL_get_wbio returns the |BIO| that |ssl| writes to.\nOPENSSL_EXPORT BIO *SSL_get_wbio(const SSL *ssl);\n\n// SSL_get_fd calls |SSL_get_rfd|.\nOPENSSL_EXPORT int SSL_get_fd(const SSL *ssl);\n\n// SSL_get_rfd returns the file descriptor that |ssl| is configured to read\n// from. If |ssl|'s read |BIO| is not configured or doesn't wrap a file\n// descriptor then it returns -1.\n//\n// Note: On Windows, this may return either a file descriptor or a socket (cast\n// to int), depending on whether |ssl| was configured with a file descriptor or\n// socket |BIO|.\nOPENSSL_EXPORT int SSL_get_rfd(const SSL *ssl);\n\n// SSL_get_wfd returns the file descriptor that |ssl| is configured to write\n// to. If |ssl|'s write |BIO| is not configured or doesn't wrap a file\n// descriptor then it returns -1.\n//\n// Note: On Windows, this may return either a file descriptor or a socket (cast\n// to int), depending on whether |ssl| was configured with a file descriptor or\n// socket |BIO|.\nOPENSSL_EXPORT int SSL_get_wfd(const SSL *ssl);\n\n#if !defined(OPENSSL_NO_SOCK)\n// SSL_set_fd configures |ssl| to read from and write to |fd|. It returns one\n// on success and zero on allocation error. The caller retains ownership of\n// |fd|.\n//\n// On Windows, |fd| is cast to a |SOCKET| and used with Winsock APIs.\nOPENSSL_EXPORT int SSL_set_fd(SSL *ssl, int fd);\n\n// SSL_set_rfd configures |ssl| to read from |fd|. It returns one on success and\n// zero on allocation error. The caller retains ownership of |fd|.\n//\n// On Windows, |fd| is cast to a |SOCKET| and used with Winsock APIs.\nOPENSSL_EXPORT int SSL_set_rfd(SSL *ssl, int fd);\n\n// SSL_set_wfd configures |ssl| to write to |fd|. It returns one on success and\n// zero on allocation error. The caller retains ownership of |fd|.\n//\n// On Windows, |fd| is cast to a |SOCKET| and used with Winsock APIs.\nOPENSSL_EXPORT int SSL_set_wfd(SSL *ssl, int fd);\n#endif // !OPENSSL_NO_SOCK\n\n// SSL_do_handshake continues the current handshake. If there is none or the\n// handshake has completed or False Started, it returns one. Otherwise, it\n// returns <= 0. The caller should pass the value into |SSL_get_error| to\n// determine how to proceed.\n//\n// In DTLS, the caller must drive retransmissions and timeouts. After calling\n// this function, the caller must use |DTLSv1_get_timeout| to determine the\n// current timeout, if any. If it expires before the application next calls into\n// |ssl|, call |DTLSv1_handle_timeout|. Note that DTLS handshake retransmissions\n// use fresh sequence numbers, so it is not sufficient to replay packets at the\n// transport.\n//\n// After the DTLS handshake, some retransmissions may remain. If |ssl| wrote\n// last in the handshake, it may need to retransmit the final flight in case of\n// packet loss. Additionally, in DTLS 1.3, it may need to retransmit\n// post-handshake messages. To handle these, the caller must always be prepared\n// to receive packets and process them with |SSL_read|, even when the\n// application protocol would otherwise not read from the connection.\n//\n// TODO(davidben): Ensure 0 is only returned on transport EOF.\n// https://crbug.com/466303.\nOPENSSL_EXPORT int SSL_do_handshake(SSL *ssl);\n\n// SSL_connect configures |ssl| as a client, if unconfigured, and calls\n// |SSL_do_handshake|.\nOPENSSL_EXPORT int SSL_connect(SSL *ssl);\n\n// SSL_accept configures |ssl| as a server, if unconfigured, and calls\n// |SSL_do_handshake|.\nOPENSSL_EXPORT int SSL_accept(SSL *ssl);\n\n// SSL_read reads up to |num| bytes from |ssl| into |buf|. It implicitly runs\n// any pending handshakes, including renegotiations when enabled. On success, it\n// returns the number of bytes read. Otherwise, it returns <= 0. The caller\n// should pass the value into |SSL_get_error| to determine how to proceed.\n//\n// In DTLS 1.3, the caller must also drive timeouts from retransmitting the\n// final flight of the handshake, as well as post-handshake messages. After\n// calling this function, the caller must use |DTLSv1_get_timeout| to determine\n// the current timeout, if any. If it expires before the application next calls\n// into |ssl|, call |DTLSv1_handle_timeout|.\n//\n// TODO(davidben): Ensure 0 is only returned on transport EOF.\n// https://crbug.com/466303.\nOPENSSL_EXPORT int SSL_read(SSL *ssl, void *buf, int num);\n\n// SSL_peek behaves like |SSL_read| but does not consume any bytes returned.\nOPENSSL_EXPORT int SSL_peek(SSL *ssl, void *buf, int num);\n\n// SSL_pending returns the number of buffered, decrypted bytes available for\n// read in |ssl|. It does not read from the transport.\n//\n// In DTLS, it is possible for this function to return zero while there is\n// buffered, undecrypted data from the transport in |ssl|. For example,\n// |SSL_read| may read a datagram with two records, decrypt the first, and leave\n// the second buffered for a subsequent call to |SSL_read|. Callers that wish to\n// detect this case can use |SSL_has_pending|.\nOPENSSL_EXPORT int SSL_pending(const SSL *ssl);\n\n// SSL_has_pending returns one if |ssl| has buffered, decrypted bytes available\n// for read, or if |ssl| has buffered data from the transport that has not yet\n// been decrypted. If |ssl| has neither, this function returns zero.\n//\n// In TLS, BoringSSL does not implement read-ahead, so this function returns one\n// if and only if |SSL_pending| would return a non-zero value. In DTLS, it is\n// possible for this function to return one while |SSL_pending| returns zero.\n// For example, |SSL_read| may read a datagram with two records, decrypt the\n// first, and leave the second buffered for a subsequent call to |SSL_read|.\n//\n// As a result, if this function returns one, the next call to |SSL_read| may\n// still fail, read from the transport, or both. The buffered, undecrypted data\n// may be invalid or incomplete.\nOPENSSL_EXPORT int SSL_has_pending(const SSL *ssl);\n\n// SSL_write writes up to |num| bytes from |buf| into |ssl|. It implicitly runs\n// any pending handshakes, including renegotiations when enabled. On success, it\n// returns the number of bytes written. Otherwise, it returns <= 0. The caller\n// should pass the value into |SSL_get_error| to determine how to proceed.\n//\n// In TLS, a non-blocking |SSL_write| differs from non-blocking |write| in that\n// a failed |SSL_write| still commits to the data passed in. When retrying, the\n// caller must supply the original write buffer (or a larger one containing the\n// original as a prefix). By default, retries will fail if they also do not\n// reuse the same |buf| pointer. This may be relaxed with\n// |SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER|, but the buffer contents still must be\n// unchanged.\n//\n// By default, in TLS, |SSL_write| will not return success until all |num| bytes\n// are written. This may be relaxed with |SSL_MODE_ENABLE_PARTIAL_WRITE|. It\n// allows |SSL_write| to complete with a partial result when only part of the\n// input was written in a single record.\n//\n// In DTLS, neither |SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER| and\n// |SSL_MODE_ENABLE_PARTIAL_WRITE| do anything. The caller may retry with a\n// different buffer freely. A single call to |SSL_write| only ever writes a\n// single record in a single packet, so |num| must be at most\n// |SSL3_RT_MAX_PLAIN_LENGTH|.\n//\n// TODO(davidben): Ensure 0 is only returned on transport EOF.\n// https://crbug.com/466303.\nOPENSSL_EXPORT int SSL_write(SSL *ssl, const void *buf, int num);\n\n// SSL_KEY_UPDATE_REQUESTED indicates that the peer should reply to a KeyUpdate\n// message with its own, thus updating traffic secrets for both directions on\n// the connection.\n#define SSL_KEY_UPDATE_REQUESTED 1\n\n// SSL_KEY_UPDATE_NOT_REQUESTED indicates that the peer should not reply with\n// it's own KeyUpdate message.\n#define SSL_KEY_UPDATE_NOT_REQUESTED 0\n\n// SSL_key_update queues a TLS 1.3 KeyUpdate message to be sent on |ssl|\n// if one is not already queued. The |request_type| argument must one of the\n// |SSL_KEY_UPDATE_*| values. This function requires that |ssl| have completed a\n// TLS >= 1.3 handshake. It returns one on success or zero on error.\n//\n// Note that this function does not _send_ the message itself. The next call to\n// |SSL_write| will cause the message to be sent. |SSL_write| may be called with\n// a zero length to flush a KeyUpdate message when no application data is\n// pending.\nOPENSSL_EXPORT int SSL_key_update(SSL *ssl, int request_type);\n\n// SSL_shutdown shuts down |ssl|. It runs in two stages. First, it sends\n// close_notify and returns zero or one on success or -1 on failure. Zero\n// indicates that close_notify was sent, but not received, and one additionally\n// indicates that the peer's close_notify had already been received.\n//\n// To then wait for the peer's close_notify, run |SSL_shutdown| to completion a\n// second time. This returns 1 on success and -1 on failure. Application data\n// is considered a fatal error at this point. To process or discard it, read\n// until close_notify with |SSL_read| instead.\n//\n// In both cases, on failure, pass the return value into |SSL_get_error| to\n// determine how to proceed.\n//\n// Most callers should stop at the first stage. Reading for close_notify is\n// primarily used for uncommon protocols where the underlying transport is\n// reused after TLS completes. Additionally, DTLS uses an unordered transport\n// and is unordered, so the second stage is a no-op in DTLS.\nOPENSSL_EXPORT int SSL_shutdown(SSL *ssl);\n\n// SSL_CTX_set_quiet_shutdown sets quiet shutdown on |ctx| to |mode|. If\n// enabled, |SSL_shutdown| will not send a close_notify alert or wait for one\n// from the peer. It will instead synchronously return one.\nOPENSSL_EXPORT void SSL_CTX_set_quiet_shutdown(SSL_CTX *ctx, int mode);\n\n// SSL_CTX_get_quiet_shutdown returns whether quiet shutdown is enabled for\n// |ctx|.\nOPENSSL_EXPORT int SSL_CTX_get_quiet_shutdown(const SSL_CTX *ctx);\n\n// SSL_set_quiet_shutdown sets quiet shutdown on |ssl| to |mode|. If enabled,\n// |SSL_shutdown| will not send a close_notify alert or wait for one from the\n// peer. It will instead synchronously return one.\nOPENSSL_EXPORT void SSL_set_quiet_shutdown(SSL *ssl, int mode);\n\n// SSL_get_quiet_shutdown returns whether quiet shutdown is enabled for\n// |ssl|.\nOPENSSL_EXPORT int SSL_get_quiet_shutdown(const SSL *ssl);\n\n// SSL_get_error returns a |SSL_ERROR_*| value for the most recent operation on\n// |ssl|. It should be called after an operation failed to determine whether the\n// error was fatal and, if not, when to retry.\nOPENSSL_EXPORT int SSL_get_error(const SSL *ssl, int ret_code);\n\n// SSL_ERROR_NONE indicates the operation succeeded.\n#define SSL_ERROR_NONE 0\n\n// SSL_ERROR_SSL indicates the operation failed within the library. The caller\n// may inspect the error queue (see |ERR_get_error|) for more information.\n#define SSL_ERROR_SSL 1\n\n// SSL_ERROR_WANT_READ indicates the operation failed attempting to read from\n// the transport. The caller may retry the operation when the transport is ready\n// for reading.\n#define SSL_ERROR_WANT_READ 2\n\n// SSL_ERROR_WANT_WRITE indicates the operation failed attempting to write to\n// the transport. The caller may retry the operation when the transport is ready\n// for writing.\n#define SSL_ERROR_WANT_WRITE 3\n\n// SSL_ERROR_WANT_X509_LOOKUP indicates the operation failed in calling the\n// |cert_cb| or |client_cert_cb|. The caller may retry the operation when the\n// callback is ready to return a certificate or one has been configured\n// externally.\n//\n// See also |SSL_CTX_set_cert_cb| and |SSL_CTX_set_client_cert_cb|.\n#define SSL_ERROR_WANT_X509_LOOKUP 4\n\n// SSL_ERROR_SYSCALL indicates the operation failed externally to the library.\n// The caller should consult the system-specific error mechanism. This is\n// typically |errno| but may be something custom if using a custom |BIO|. It\n// may also be signaled if the transport returned EOF, in which case the\n// operation's return value will be zero.\n#define SSL_ERROR_SYSCALL 5\n\n// SSL_ERROR_ZERO_RETURN indicates the operation failed because the connection\n// was cleanly shut down with a close_notify alert.\n#define SSL_ERROR_ZERO_RETURN 6\n\n// SSL_ERROR_WANT_CONNECT indicates the operation failed attempting to connect\n// the transport (the |BIO| signaled |BIO_RR_CONNECT|). The caller may retry the\n// operation when the transport is ready.\n#define SSL_ERROR_WANT_CONNECT 7\n\n// SSL_ERROR_WANT_ACCEPT indicates the operation failed attempting to accept a\n// connection from the transport (the |BIO| signaled |BIO_RR_ACCEPT|). The\n// caller may retry the operation when the transport is ready.\n//\n// TODO(davidben): Remove this. It's used by accept BIOs which are bizarre.\n#define SSL_ERROR_WANT_ACCEPT 8\n\n// SSL_ERROR_WANT_CHANNEL_ID_LOOKUP is never used.\n//\n// TODO(davidben): Remove this. Some callers reference it when stringifying\n// errors. They should use |SSL_error_description| instead.\n#define SSL_ERROR_WANT_CHANNEL_ID_LOOKUP 9\n\n// SSL_ERROR_PENDING_SESSION indicates the operation failed because the session\n// lookup callback indicated the session was unavailable. The caller may retry\n// the operation when lookup has completed.\n//\n// See also |SSL_CTX_sess_set_get_cb| and |SSL_magic_pending_session_ptr|.\n#define SSL_ERROR_PENDING_SESSION 11\n\n// SSL_ERROR_PENDING_CERTIFICATE indicates the operation failed because the\n// early callback indicated certificate lookup was incomplete. The caller may\n// retry the operation when lookup has completed.\n//\n// See also |SSL_CTX_set_select_certificate_cb|.\n#define SSL_ERROR_PENDING_CERTIFICATE 12\n\n// SSL_ERROR_WANT_PRIVATE_KEY_OPERATION indicates the operation failed because\n// a private key operation was unfinished. The caller may retry the operation\n// when the private key operation is complete.\n//\n// See also |SSL_set_private_key_method|, |SSL_CTX_set_private_key_method|, and\n// |SSL_CREDENTIAL_set_private_key_method|.\n#define SSL_ERROR_WANT_PRIVATE_KEY_OPERATION 13\n\n// SSL_ERROR_PENDING_TICKET indicates that a ticket decryption is pending. The\n// caller may retry the operation when the decryption is ready.\n//\n// See also |SSL_CTX_set_ticket_aead_method|.\n#define SSL_ERROR_PENDING_TICKET 14\n\n// SSL_ERROR_EARLY_DATA_REJECTED indicates that early data was rejected. The\n// caller should treat this as a connection failure and retry any operations\n// associated with the rejected early data. |SSL_reset_early_data_reject| may be\n// used to reuse the underlying connection for the retry.\n#define SSL_ERROR_EARLY_DATA_REJECTED 15\n\n// SSL_ERROR_WANT_CERTIFICATE_VERIFY indicates the operation failed because\n// certificate verification was incomplete. The caller may retry the operation\n// when certificate verification is complete.\n//\n// See also |SSL_CTX_set_custom_verify|.\n#define SSL_ERROR_WANT_CERTIFICATE_VERIFY 16\n\n#define SSL_ERROR_HANDOFF 17\n#define SSL_ERROR_HANDBACK 18\n\n// SSL_ERROR_WANT_RENEGOTIATE indicates the operation is pending a response to\n// a renegotiation request from the server. The caller may call\n// |SSL_renegotiate| to schedule a renegotiation and retry the operation.\n//\n// See also |ssl_renegotiate_explicit|.\n#define SSL_ERROR_WANT_RENEGOTIATE 19\n\n// SSL_ERROR_HANDSHAKE_HINTS_READY indicates the handshake has progressed enough\n// for |SSL_serialize_handshake_hints| to be called. See also\n// |SSL_request_handshake_hints|.\n#define SSL_ERROR_HANDSHAKE_HINTS_READY 20\n\n// SSL_error_description returns a string representation of |err|, where |err|\n// is one of the |SSL_ERROR_*| constants returned by |SSL_get_error|, or NULL\n// if the value is unrecognized.\nOPENSSL_EXPORT const char *SSL_error_description(int err);\n\n// SSL_set_mtu sets the |ssl|'s MTU in DTLS to |mtu|. It returns one on success\n// and zero on failure.\nOPENSSL_EXPORT int SSL_set_mtu(SSL *ssl, unsigned mtu);\n\n// DTLSv1_set_initial_timeout_duration sets the initial duration for a DTLS\n// handshake timeout.\n//\n// This duration overrides the default of 400 milliseconds, which is\n// recommendation of RFC 9147 for real-time protocols.\nOPENSSL_EXPORT void DTLSv1_set_initial_timeout_duration(SSL *ssl,\n uint32_t duration_ms);\n\n// DTLSv1_get_timeout queries the running DTLS timers. If there are any in\n// progress, it sets |*out| to the time remaining until the first timer expires\n// and returns one. Otherwise, it returns zero. Timers may be scheduled both\n// during and after the handshake.\n//\n// When the timeout expires, call |DTLSv1_handle_timeout| to handle the\n// retransmit behavior.\n//\n// NOTE: This function must be queried again whenever the state machine changes,\n// including when |DTLSv1_handle_timeout| is called.\nOPENSSL_EXPORT int DTLSv1_get_timeout(const SSL *ssl, struct timeval *out);\n\n// DTLSv1_handle_timeout is called when a DTLS timeout expires. If no timeout\n// had expired, it returns 0. Otherwise, it handles the timeout and returns 1 on\n// success or -1 on error.\n//\n// This function may write to the transport (e.g. to retransmit messages) or\n// update |ssl|'s internal state and schedule an updated timer.\n//\n// The caller's external timer should be compatible with the one |ssl| queries\n// within some fudge factor. Otherwise, the call will be a no-op, but\n// |DTLSv1_get_timeout| will return an updated timeout.\n//\n// If the function returns -1, checking if |SSL_get_error| returns\n// |SSL_ERROR_WANT_WRITE| may be used to determine if the retransmit failed due\n// to a non-fatal error at the write |BIO|. In this case, when the |BIO| is\n// writable, the operation may be retried by calling the original function,\n// |SSL_do_handshake| or |SSL_read|.\n//\n// WARNING: This function breaks the usual return value convention.\n//\n// TODO(davidben): We can make this function entirely optional by just checking\n// the timers in |SSL_do_handshake| or |SSL_read|. Then timers behave like any\n// other retry condition: rerun the operation and the library will make what\n// progress it can.\nOPENSSL_EXPORT int DTLSv1_handle_timeout(SSL *ssl);\n\n\n// Protocol versions.\n\n#define DTLS1_VERSION_MAJOR 0xfe\n#define SSL3_VERSION_MAJOR 0x03\n\n#define SSL3_VERSION 0x0300\n#define TLS1_VERSION 0x0301\n#define TLS1_1_VERSION 0x0302\n#define TLS1_2_VERSION 0x0303\n#define TLS1_3_VERSION 0x0304\n\n#define DTLS1_VERSION 0xfeff\n#define DTLS1_2_VERSION 0xfefd\n#define DTLS1_3_VERSION 0xfefc\n\n// SSL_CTX_set_min_proto_version sets the minimum protocol version for |ctx| to\n// |version|. If |version| is zero, the default minimum version is used. It\n// returns one on success and zero if |version| is invalid.\nOPENSSL_EXPORT int SSL_CTX_set_min_proto_version(SSL_CTX *ctx,\n uint16_t version);\n\n// SSL_CTX_set_max_proto_version sets the maximum protocol version for |ctx| to\n// |version|. If |version| is zero, the default maximum version is used. It\n// returns one on success and zero if |version| is invalid.\nOPENSSL_EXPORT int SSL_CTX_set_max_proto_version(SSL_CTX *ctx,\n uint16_t version);\n\n// SSL_CTX_get_min_proto_version returns the minimum protocol version for |ctx|\nOPENSSL_EXPORT uint16_t SSL_CTX_get_min_proto_version(const SSL_CTX *ctx);\n\n// SSL_CTX_get_max_proto_version returns the maximum protocol version for |ctx|\nOPENSSL_EXPORT uint16_t SSL_CTX_get_max_proto_version(const SSL_CTX *ctx);\n\n// SSL_set_min_proto_version sets the minimum protocol version for |ssl| to\n// |version|. If |version| is zero, the default minimum version is used. It\n// returns one on success and zero if |version| is invalid.\nOPENSSL_EXPORT int SSL_set_min_proto_version(SSL *ssl, uint16_t version);\n\n// SSL_set_max_proto_version sets the maximum protocol version for |ssl| to\n// |version|. If |version| is zero, the default maximum version is used. It\n// returns one on success and zero if |version| is invalid.\nOPENSSL_EXPORT int SSL_set_max_proto_version(SSL *ssl, uint16_t version);\n\n// SSL_get_min_proto_version returns the minimum protocol version for |ssl|. If\n// the connection's configuration has been shed, 0 is returned.\nOPENSSL_EXPORT uint16_t SSL_get_min_proto_version(const SSL *ssl);\n\n// SSL_get_max_proto_version returns the maximum protocol version for |ssl|. If\n// the connection's configuration has been shed, 0 is returned.\nOPENSSL_EXPORT uint16_t SSL_get_max_proto_version(const SSL *ssl);\n\n// SSL_version returns the TLS or DTLS protocol version used by |ssl|, which is\n// one of the |*_VERSION| values. (E.g. |TLS1_2_VERSION|.) Before the version\n// is negotiated, the result is undefined.\nOPENSSL_EXPORT int SSL_version(const SSL *ssl);\n\n\n// Options.\n//\n// Options configure protocol behavior.\n\n// SSL_OP_NO_QUERY_MTU, in DTLS, disables querying the MTU from the underlying\n// |BIO|. Instead, the MTU is configured with |SSL_set_mtu|.\n#define SSL_OP_NO_QUERY_MTU 0x00001000L\n\n// SSL_OP_NO_TICKET disables session ticket support (RFC 5077).\n#define SSL_OP_NO_TICKET 0x00004000L\n\n// SSL_OP_CIPHER_SERVER_PREFERENCE configures servers to select ciphers and\n// ECDHE curves according to the server's preferences instead of the\n// client's.\n#define SSL_OP_CIPHER_SERVER_PREFERENCE 0x00400000L\n\n// The following flags toggle individual protocol versions. This is deprecated.\n// Use |SSL_CTX_set_min_proto_version| and |SSL_CTX_set_max_proto_version|\n// instead.\n#define SSL_OP_NO_TLSv1 0x04000000L\n#define SSL_OP_NO_TLSv1_2 0x08000000L\n#define SSL_OP_NO_TLSv1_1 0x10000000L\n#define SSL_OP_NO_TLSv1_3 0x20000000L\n#define SSL_OP_NO_DTLSv1 SSL_OP_NO_TLSv1\n#define SSL_OP_NO_DTLSv1_2 SSL_OP_NO_TLSv1_2\n\n// SSL_CTX_set_options enables all options set in |options| (which should be one\n// or more of the |SSL_OP_*| values, ORed together) in |ctx|. It returns a\n// bitmask representing the resulting enabled options.\nOPENSSL_EXPORT uint32_t SSL_CTX_set_options(SSL_CTX *ctx, uint32_t options);\n\n// SSL_CTX_clear_options disables all options set in |options| (which should be\n// one or more of the |SSL_OP_*| values, ORed together) in |ctx|. It returns a\n// bitmask representing the resulting enabled options.\nOPENSSL_EXPORT uint32_t SSL_CTX_clear_options(SSL_CTX *ctx, uint32_t options);\n\n// SSL_CTX_get_options returns a bitmask of |SSL_OP_*| values that represent all\n// the options enabled for |ctx|.\nOPENSSL_EXPORT uint32_t SSL_CTX_get_options(const SSL_CTX *ctx);\n\n// SSL_set_options enables all options set in |options| (which should be one or\n// more of the |SSL_OP_*| values, ORed together) in |ssl|. It returns a bitmask\n// representing the resulting enabled options.\nOPENSSL_EXPORT uint32_t SSL_set_options(SSL *ssl, uint32_t options);\n\n// SSL_clear_options disables all options set in |options| (which should be one\n// or more of the |SSL_OP_*| values, ORed together) in |ssl|. It returns a\n// bitmask representing the resulting enabled options.\nOPENSSL_EXPORT uint32_t SSL_clear_options(SSL *ssl, uint32_t options);\n\n// SSL_get_options returns a bitmask of |SSL_OP_*| values that represent all the\n// options enabled for |ssl|.\nOPENSSL_EXPORT uint32_t SSL_get_options(const SSL *ssl);\n\n\n// Modes.\n//\n// Modes configure API behavior.\n\n// SSL_MODE_ENABLE_PARTIAL_WRITE, in TLS, allows |SSL_write| to complete with a\n// partial result when the only part of the input was written in a single\n// record. In DTLS, it does nothing.\n#define SSL_MODE_ENABLE_PARTIAL_WRITE 0x00000001L\n\n// SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER, in TLS, allows retrying an incomplete\n// |SSL_write| with a different buffer. However, |SSL_write| still assumes the\n// buffer contents are unchanged. This is not the default to avoid the\n// misconception that non-blocking |SSL_write| behaves like non-blocking\n// |write|. In DTLS, it does nothing.\n#define SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER 0x00000002L\n\n// SSL_MODE_NO_AUTO_CHAIN disables automatically building a certificate chain\n// before sending certificates to the peer. This flag is set (and the feature\n// disabled) by default.\n// TODO(davidben): Remove this behavior. https://crbug.com/boringssl/42.\n#define SSL_MODE_NO_AUTO_CHAIN 0x00000008L\n\n// SSL_MODE_ENABLE_FALSE_START allows clients to send application data before\n// receipt of ChangeCipherSpec and Finished. This mode enables full handshakes\n// to 'complete' in one RTT. See RFC 7918.\n//\n// When False Start is enabled, |SSL_do_handshake| may succeed before the\n// handshake has completely finished. |SSL_write| will function at this point,\n// and |SSL_read| will transparently wait for the final handshake leg before\n// returning application data. To determine if False Start occurred or when the\n// handshake is completely finished, see |SSL_in_false_start|, |SSL_in_init|,\n// and |SSL_CB_HANDSHAKE_DONE| from |SSL_CTX_set_info_callback|.\n#define SSL_MODE_ENABLE_FALSE_START 0x00000080L\n\n// SSL_MODE_CBC_RECORD_SPLITTING causes multi-byte CBC records in TLS 1.0 to be\n// split in two: the first record will contain a single byte and the second will\n// contain the remainder. This effectively randomises the IV and prevents BEAST\n// attacks.\n#define SSL_MODE_CBC_RECORD_SPLITTING 0x00000100L\n\n// SSL_MODE_NO_SESSION_CREATION will cause any attempts to create a session to\n// fail with SSL_R_SESSION_MAY_NOT_BE_CREATED. This can be used to enforce that\n// session resumption is used for a given SSL*.\n#define SSL_MODE_NO_SESSION_CREATION 0x00000200L\n\n// SSL_MODE_SEND_FALLBACK_SCSV sends TLS_FALLBACK_SCSV in the ClientHello.\n// To be set only by applications that reconnect with a downgraded protocol\n// version; see RFC 7507 for details.\n//\n// DO NOT ENABLE THIS if your application attempts a normal handshake. Only use\n// this in explicit fallback retries, following the guidance in RFC 7507.\n#define SSL_MODE_SEND_FALLBACK_SCSV 0x00000400L\n\n// SSL_CTX_set_mode enables all modes set in |mode| (which should be one or more\n// of the |SSL_MODE_*| values, ORed together) in |ctx|. It returns a bitmask\n// representing the resulting enabled modes.\nOPENSSL_EXPORT uint32_t SSL_CTX_set_mode(SSL_CTX *ctx, uint32_t mode);\n\n// SSL_CTX_clear_mode disables all modes set in |mode| (which should be one or\n// more of the |SSL_MODE_*| values, ORed together) in |ctx|. It returns a\n// bitmask representing the resulting enabled modes.\nOPENSSL_EXPORT uint32_t SSL_CTX_clear_mode(SSL_CTX *ctx, uint32_t mode);\n\n// SSL_CTX_get_mode returns a bitmask of |SSL_MODE_*| values that represent all\n// the modes enabled for |ssl|.\nOPENSSL_EXPORT uint32_t SSL_CTX_get_mode(const SSL_CTX *ctx);\n\n// SSL_set_mode enables all modes set in |mode| (which should be one or more of\n// the |SSL_MODE_*| values, ORed together) in |ssl|. It returns a bitmask\n// representing the resulting enabled modes.\nOPENSSL_EXPORT uint32_t SSL_set_mode(SSL *ssl, uint32_t mode);\n\n// SSL_clear_mode disables all modes set in |mode| (which should be one or more\n// of the |SSL_MODE_*| values, ORed together) in |ssl|. It returns a bitmask\n// representing the resulting enabled modes.\nOPENSSL_EXPORT uint32_t SSL_clear_mode(SSL *ssl, uint32_t mode);\n\n// SSL_get_mode returns a bitmask of |SSL_MODE_*| values that represent all the\n// modes enabled for |ssl|.\nOPENSSL_EXPORT uint32_t SSL_get_mode(const SSL *ssl);\n\n// SSL_CTX_set0_buffer_pool sets a |CRYPTO_BUFFER_POOL| that will be used to\n// store certificates. This can allow multiple connections to share\n// certificates and thus save memory.\n//\n// The SSL_CTX does not take ownership of |pool| and the caller must ensure\n// that |pool| outlives |ctx| and all objects linked to it, including |SSL|,\n// |X509| and |SSL_SESSION| objects. Basically, don't ever free |pool|.\nOPENSSL_EXPORT void SSL_CTX_set0_buffer_pool(SSL_CTX *ctx,\n CRYPTO_BUFFER_POOL *pool);\n\n\n// Credentials.\n//\n// TLS endpoints may present authentication during the handshake, usually using\n// X.509 certificates. This is typically required for servers and optional for\n// clients. BoringSSL uses the |SSL_CREDENTIAL| object to abstract between\n// different kinds of credentials, as well as configure automatic selection\n// between multiple credentials. This may be used to select between ECDSA and\n// RSA certificates.\n//\n// |SSL_CTX| and |SSL| objects maintain lists of credentials in preference\n// order. During the handshake, BoringSSL will select the first usable\n// credential from the list. Non-credential APIs, such as\n// |SSL_CTX_use_certificate|, configure a \"legacy credential\", which is\n// appended to this list if configured. Using the legacy credential is the same\n// as configuring an equivalent credential with the |SSL_CREDENTIAL| API.\n//\n// When selecting credentials, BoringSSL considers the credential's type, its\n// cryptographic capabilities, and capabilities advertised by the peer. This\n// varies between TLS versions but includes:\n//\n// - Whether the peer supports the leaf certificate key\n// - Whether there is a common signature algorithm that is compatible with the\n// credential\n// - Whether there is a common cipher suite that is compatible with the\n// credential\n//\n// WARNING: In TLS 1.2 and below, there is no mechanism for servers to advertise\n// supported ECDSA curves to the client. BoringSSL clients will assume the\n// server accepts all ECDSA curves in client certificates.\n//\n// By default, BoringSSL does not check the following, though we may add APIs\n// in the future to enable them on a per-credential basis.\n//\n// - Whether the peer supports the signature algorithms in the certificate chain\n// - Whether the a server certificate is compatible with the server_name\n// extension (SNI)\n// - Whether the peer supports the certificate authority that issued the\n// certificate\n//\n// Credentials may be configured before the handshake or dynamically in the\n// early callback (see |SSL_CTX_set_select_certificate_cb|) and certificate\n// callback (see |SSL_CTX_set_cert_cb|). These callbacks allow applications to\n// use BoringSSL's built-in selection logic in tandem with custom logic. For\n// example, a callback could evaluate application-specific SNI rules to filter\n// down to an ECDSA and RSA credential, then configure both for BoringSSL to\n// select between the two.\n\n// SSL_CREDENTIAL_new_x509 returns a new, empty X.509 credential, or NULL on\n// error. Callers should release the result with |SSL_CREDENTIAL_free| when\n// done.\n//\n// Callers should configure a certificate chain and private key on the\n// credential, along with other properties, then add it with\n// |SSL_CTX_add1_credential|.\nOPENSSL_EXPORT SSL_CREDENTIAL *SSL_CREDENTIAL_new_x509(void);\n\n// SSL_CREDENTIAL_up_ref increments the reference count of |cred|.\nOPENSSL_EXPORT void SSL_CREDENTIAL_up_ref(SSL_CREDENTIAL *cred);\n\n// SSL_CREDENTIAL_free decrements the reference count of |cred|. If it reaches\n// zero, all data referenced by |cred| and |cred| itself are released.\nOPENSSL_EXPORT void SSL_CREDENTIAL_free(SSL_CREDENTIAL *cred);\n\n// SSL_CREDENTIAL_set1_private_key sets |cred|'s private key to |cred|. It\n// returns one on success and zero on failure.\nOPENSSL_EXPORT int SSL_CREDENTIAL_set1_private_key(SSL_CREDENTIAL *cred,\n EVP_PKEY *key);\n\n// SSL_CREDENTIAL_set1_signing_algorithm_prefs configures |cred| to use |prefs|\n// as the preference list when signing with |cred|'s private key. It returns one\n// on success and zero on error. |prefs| should not include the internal-only\n// value |SSL_SIGN_RSA_PKCS1_MD5_SHA1|.\n//\n// It is an error to call this function with delegated credentials (see\n// |SSL_CREDENTIAL_new_delegated|) because delegated credentials already\n// constrain the key to a single algorithm.\nOPENSSL_EXPORT int SSL_CREDENTIAL_set1_signing_algorithm_prefs(\n SSL_CREDENTIAL *cred, const uint16_t *prefs, size_t num_prefs);\n\n// SSL_CREDENTIAL_set1_cert_chain sets |cred|'s certificate chain, starting from\n// the leaf, to |num_cert|s certificates from |certs|. It returns one on success\n// and zero on error.\nOPENSSL_EXPORT int SSL_CREDENTIAL_set1_cert_chain(SSL_CREDENTIAL *cred,\n CRYPTO_BUFFER *const *certs,\n size_t num_certs);\n\n// SSL_CREDENTIAL_set1_ocsp_response sets |cred|'s stapled OCSP response to\n// |ocsp|. It returns one on success and zero on error.\nOPENSSL_EXPORT int SSL_CREDENTIAL_set1_ocsp_response(SSL_CREDENTIAL *cred,\n CRYPTO_BUFFER *ocsp);\n\n// SSL_CREDENTIAL_set1_signed_cert_timestamp_list sets |cred|'s list of signed\n// certificate timestamps |sct_list|. |sct_list| must contain one or more SCT\n// structures serialised as a SignedCertificateTimestampList (see\n// https://tools.ietf.org/html/rfc6962#section-3.3) – i.e. each SCT is prefixed\n// by a big-endian, uint16 length and the concatenation of one or more such\n// prefixed SCTs are themselves also prefixed by a uint16 length. It returns one\n// on success and zero on error.\nOPENSSL_EXPORT int SSL_CREDENTIAL_set1_signed_cert_timestamp_list(\n SSL_CREDENTIAL *cred, CRYPTO_BUFFER *sct_list);\n\n// SSL_CTX_add1_credential appends |cred| to |ctx|'s credential list. It returns\n// one on success and zero on error. The credential list is maintained in order\n// of decreasing preference, so earlier calls are preferred over later calls.\n//\n// After calling this function, it is an error to modify |cred|. Doing so may\n// result in inconsistent handshake behavior or race conditions.\nOPENSSL_EXPORT int SSL_CTX_add1_credential(SSL_CTX *ctx, SSL_CREDENTIAL *cred);\n\n// SSL_add1_credential appends |cred| to |ssl|'s credential list. It returns one\n// on success and zero on error. The credential list is maintained in order of\n// decreasing preference, so earlier calls are preferred over later calls.\n//\n// After calling this function, it is an error to modify |cred|. Doing so may\n// result in inconsistent handshake behavior or race conditions.\nOPENSSL_EXPORT int SSL_add1_credential(SSL *ssl, SSL_CREDENTIAL *cred);\n\n// SSL_certs_clear removes all credentials configured on |ssl|. It also removes\n// the certificate chain and private key on the legacy credential.\nOPENSSL_EXPORT void SSL_certs_clear(SSL *ssl);\n\n// SSL_get0_selected_credential returns the credential in use in the current\n// handshake on |ssl|. If there is current handshake on |ssl| or if the\n// handshake has not progressed to this point, it returns NULL.\n//\n// This function is intended for use with |SSL_CREDENTIAL_get_ex_data|. It may\n// be called from handshake callbacks, such as those in\n// |SSL_PRIVATE_KEY_METHOD|, to trigger credential-specific behavior.\n//\n// In applications that use the older APIs, such as |SSL_use_certificate|, this\n// function may return an internal |SSL_CREDENTIAL| object. This internal object\n// will have no ex_data installed. To avoid this, it is recommended that callers\n// moving to |SSL_CREDENTIAL| use the new APIs consistently.\nOPENSSL_EXPORT const SSL_CREDENTIAL *SSL_get0_selected_credential(\n const SSL *ssl);\n\n\n// Configuring certificates and private keys.\n//\n// These functions configure the connection's leaf certificate, private key, and\n// certificate chain. The certificate chain is ordered leaf to root (as sent on\n// the wire) but does not include the leaf. Both client and server certificates\n// use these functions.\n//\n// Prefer to configure the certificate before the private key. If configured in\n// the other order, inconsistent private keys will be silently dropped, rather\n// than return an error. Additionally, overwriting a previously-configured\n// certificate and key pair only works if the certificate is configured first.\n//\n// Each of these functions configures the single \"legacy credential\" on the\n// |SSL_CTX| or |SSL|. To select between multiple certificates, use\n// |SSL_CREDENTIAL_new_x509| and other APIs to configure a list of credentials.\n\n// SSL_CTX_use_certificate sets |ctx|'s leaf certificate to |x509|. It returns\n// one on success and zero on failure. If |ctx| has a private key which is\n// inconsistent with |x509|, the private key is silently dropped.\nOPENSSL_EXPORT int SSL_CTX_use_certificate(SSL_CTX *ctx, X509 *x509);\n\n// SSL_use_certificate sets |ssl|'s leaf certificate to |x509|. It returns one\n// on success and zero on failure. If |ssl| has a private key which is\n// inconsistent with |x509|, the private key is silently dropped.\nOPENSSL_EXPORT int SSL_use_certificate(SSL *ssl, X509 *x509);\n\n// SSL_CTX_use_PrivateKey sets |ctx|'s private key to |pkey|. It returns one on\n// success and zero on failure. If |ctx| had a private key or\n// |SSL_PRIVATE_KEY_METHOD| previously configured, it is replaced.\nOPENSSL_EXPORT int SSL_CTX_use_PrivateKey(SSL_CTX *ctx, EVP_PKEY *pkey);\n\n// SSL_use_PrivateKey sets |ssl|'s private key to |pkey|. It returns one on\n// success and zero on failure. If |ssl| had a private key or\n// |SSL_PRIVATE_KEY_METHOD| previously configured, it is replaced.\nOPENSSL_EXPORT int SSL_use_PrivateKey(SSL *ssl, EVP_PKEY *pkey);\n\n// SSL_CTX_set0_chain sets |ctx|'s certificate chain, excluding the leaf, to\n// |chain|. On success, it returns one and takes ownership of |chain|.\n// Otherwise, it returns zero.\nOPENSSL_EXPORT int SSL_CTX_set0_chain(SSL_CTX *ctx, STACK_OF(X509) *chain);\n\n// SSL_CTX_set1_chain sets |ctx|'s certificate chain, excluding the leaf, to\n// |chain|. It returns one on success and zero on failure. The caller retains\n// ownership of |chain| and may release it freely.\nOPENSSL_EXPORT int SSL_CTX_set1_chain(SSL_CTX *ctx, STACK_OF(X509) *chain);\n\n// SSL_set0_chain sets |ssl|'s certificate chain, excluding the leaf, to\n// |chain|. On success, it returns one and takes ownership of |chain|.\n// Otherwise, it returns zero.\nOPENSSL_EXPORT int SSL_set0_chain(SSL *ssl, STACK_OF(X509) *chain);\n\n// SSL_set1_chain sets |ssl|'s certificate chain, excluding the leaf, to\n// |chain|. It returns one on success and zero on failure. The caller retains\n// ownership of |chain| and may release it freely.\nOPENSSL_EXPORT int SSL_set1_chain(SSL *ssl, STACK_OF(X509) *chain);\n\n// SSL_CTX_add0_chain_cert appends |x509| to |ctx|'s certificate chain. On\n// success, it returns one and takes ownership of |x509|. Otherwise, it returns\n// zero.\nOPENSSL_EXPORT int SSL_CTX_add0_chain_cert(SSL_CTX *ctx, X509 *x509);\n\n// SSL_CTX_add1_chain_cert appends |x509| to |ctx|'s certificate chain. It\n// returns one on success and zero on failure. The caller retains ownership of\n// |x509| and may release it freely.\nOPENSSL_EXPORT int SSL_CTX_add1_chain_cert(SSL_CTX *ctx, X509 *x509);\n\n// SSL_add0_chain_cert appends |x509| to |ctx|'s certificate chain. On success,\n// it returns one and takes ownership of |x509|. Otherwise, it returns zero.\nOPENSSL_EXPORT int SSL_add0_chain_cert(SSL *ssl, X509 *x509);\n\n// SSL_CTX_add_extra_chain_cert calls |SSL_CTX_add0_chain_cert|.\nOPENSSL_EXPORT int SSL_CTX_add_extra_chain_cert(SSL_CTX *ctx, X509 *x509);\n\n// SSL_add1_chain_cert appends |x509| to |ctx|'s certificate chain. It returns\n// one on success and zero on failure. The caller retains ownership of |x509|\n// and may release it freely.\nOPENSSL_EXPORT int SSL_add1_chain_cert(SSL *ssl, X509 *x509);\n\n// SSL_CTX_clear_chain_certs clears |ctx|'s certificate chain and returns\n// one.\nOPENSSL_EXPORT int SSL_CTX_clear_chain_certs(SSL_CTX *ctx);\n\n// SSL_CTX_clear_extra_chain_certs calls |SSL_CTX_clear_chain_certs|.\nOPENSSL_EXPORT int SSL_CTX_clear_extra_chain_certs(SSL_CTX *ctx);\n\n// SSL_clear_chain_certs clears |ssl|'s certificate chain and returns one.\nOPENSSL_EXPORT int SSL_clear_chain_certs(SSL *ssl);\n\n// SSL_CTX_set_cert_cb sets a callback that is called to select a certificate.\n// The callback returns one on success, zero on internal error, and a negative\n// number on failure or to pause the handshake. If the handshake is paused,\n// |SSL_get_error| will return |SSL_ERROR_WANT_X509_LOOKUP|.\n//\n// On the client, the callback may call |SSL_get0_certificate_types| and\n// |SSL_get_client_CA_list| for information on the server's certificate\n// request.\n//\n// On the server, the callback will be called after extensions have been\n// processed, but before the resumption decision has been made. This differs\n// from OpenSSL which handles resumption before selecting the certificate.\nOPENSSL_EXPORT void SSL_CTX_set_cert_cb(SSL_CTX *ctx,\n int (*cb)(SSL *ssl, void *arg),\n void *arg);\n\n// SSL_set_cert_cb sets a callback that is called to select a certificate. The\n// callback returns one on success, zero on internal error, and a negative\n// number on failure or to pause the handshake. If the handshake is paused,\n// |SSL_get_error| will return |SSL_ERROR_WANT_X509_LOOKUP|.\n//\n// On the client, the callback may call |SSL_get0_certificate_types| and\n// |SSL_get_client_CA_list| for information on the server's certificate\n// request.\n//\n// On the server, the callback will be called after extensions have been\n// processed, but before the resumption decision has been made. This differs\n// from OpenSSL which handles resumption before selecting the certificate.\nOPENSSL_EXPORT void SSL_set_cert_cb(SSL *ssl, int (*cb)(SSL *ssl, void *arg),\n void *arg);\n\n// SSL_get0_certificate_types, for a client, sets |*out_types| to an array\n// containing the client certificate types requested by a server. It returns the\n// length of the array. Note this list is always empty in TLS 1.3. The server\n// will instead send signature algorithms. See\n// |SSL_get0_peer_verify_algorithms|.\n//\n// The behavior of this function is undefined except during the callbacks set by\n// by |SSL_CTX_set_cert_cb| and |SSL_CTX_set_client_cert_cb| or when the\n// handshake is paused because of them.\nOPENSSL_EXPORT size_t SSL_get0_certificate_types(const SSL *ssl,\n const uint8_t **out_types);\n\n// SSL_get0_peer_verify_algorithms sets |*out_sigalgs| to an array containing\n// the signature algorithms the peer is able to verify. It returns the length of\n// the array. Note these values are only sent starting TLS 1.2 and only\n// mandatory starting TLS 1.3. If not sent, the empty array is returned. For the\n// historical client certificate types list, see |SSL_get0_certificate_types|.\n//\n// The behavior of this function is undefined except during the callbacks set by\n// by |SSL_CTX_set_cert_cb| and |SSL_CTX_set_client_cert_cb| or when the\n// handshake is paused because of them.\nOPENSSL_EXPORT size_t\nSSL_get0_peer_verify_algorithms(const SSL *ssl, const uint16_t **out_sigalgs);\n\n// SSL_get0_peer_delegation_algorithms sets |*out_sigalgs| to an array\n// containing the signature algorithms the peer is willing to use with delegated\n// credentials. It returns the length of the array. If not sent, the empty\n// array is returned.\n//\n// The behavior of this function is undefined except during the callbacks set by\n// by |SSL_CTX_set_cert_cb| and |SSL_CTX_set_client_cert_cb| or when the\n// handshake is paused because of them.\nOPENSSL_EXPORT size_t SSL_get0_peer_delegation_algorithms(\n const SSL *ssl, const uint16_t **out_sigalgs);\n\n// SSL_CTX_get0_certificate returns |ctx|'s leaf certificate.\nOPENSSL_EXPORT X509 *SSL_CTX_get0_certificate(const SSL_CTX *ctx);\n\n// SSL_get_certificate returns |ssl|'s leaf certificate.\nOPENSSL_EXPORT X509 *SSL_get_certificate(const SSL *ssl);\n\n// SSL_CTX_get0_privatekey returns |ctx|'s private key.\nOPENSSL_EXPORT EVP_PKEY *SSL_CTX_get0_privatekey(const SSL_CTX *ctx);\n\n// SSL_get_privatekey returns |ssl|'s private key.\nOPENSSL_EXPORT EVP_PKEY *SSL_get_privatekey(const SSL *ssl);\n\n// SSL_CTX_get0_chain_certs sets |*out_chain| to |ctx|'s certificate chain and\n// returns one.\nOPENSSL_EXPORT int SSL_CTX_get0_chain_certs(const SSL_CTX *ctx,\n STACK_OF(X509) **out_chain);\n\n// SSL_CTX_get_extra_chain_certs calls |SSL_CTX_get0_chain_certs|.\nOPENSSL_EXPORT int SSL_CTX_get_extra_chain_certs(const SSL_CTX *ctx,\n STACK_OF(X509) **out_chain);\n\n// SSL_get0_chain_certs sets |*out_chain| to |ssl|'s certificate chain and\n// returns one.\nOPENSSL_EXPORT int SSL_get0_chain_certs(const SSL *ssl,\n STACK_OF(X509) **out_chain);\n\n// SSL_CTX_set_signed_cert_timestamp_list sets the list of signed certificate\n// timestamps that is sent to clients that request it. The |list| argument must\n// contain one or more SCT structures serialised as a SignedCertificateTimestamp\n// List (see https://tools.ietf.org/html/rfc6962#section-3.3) – i.e. each SCT\n// is prefixed by a big-endian, uint16 length and the concatenation of one or\n// more such prefixed SCTs are themselves also prefixed by a uint16 length. It\n// returns one on success and zero on error. The caller retains ownership of\n// |list|.\nOPENSSL_EXPORT int SSL_CTX_set_signed_cert_timestamp_list(SSL_CTX *ctx,\n const uint8_t *list,\n size_t list_len);\n\n// SSL_set_signed_cert_timestamp_list sets the list of signed certificate\n// timestamps that is sent to clients that request is. The same format as the\n// one used for |SSL_CTX_set_signed_cert_timestamp_list| applies. The caller\n// retains ownership of |list|.\nOPENSSL_EXPORT int SSL_set_signed_cert_timestamp_list(SSL *ctx,\n const uint8_t *list,\n size_t list_len);\n\n// SSL_CTX_set_ocsp_response sets the OCSP response that is sent to clients\n// which request it. It returns one on success and zero on error. The caller\n// retains ownership of |response|.\nOPENSSL_EXPORT int SSL_CTX_set_ocsp_response(SSL_CTX *ctx,\n const uint8_t *response,\n size_t response_len);\n\n// SSL_set_ocsp_response sets the OCSP response that is sent to clients which\n// request it. It returns one on success and zero on error. The caller retains\n// ownership of |response|.\nOPENSSL_EXPORT int SSL_set_ocsp_response(SSL *ssl, const uint8_t *response,\n size_t response_len);\n\n// SSL_SIGN_* are signature algorithm values as defined in TLS 1.3.\n#define SSL_SIGN_RSA_PKCS1_SHA1 0x0201\n#define SSL_SIGN_RSA_PKCS1_SHA256 0x0401\n#define SSL_SIGN_RSA_PKCS1_SHA384 0x0501\n#define SSL_SIGN_RSA_PKCS1_SHA512 0x0601\n#define SSL_SIGN_ECDSA_SHA1 0x0203\n#define SSL_SIGN_ECDSA_SECP256R1_SHA256 0x0403\n#define SSL_SIGN_ECDSA_SECP384R1_SHA384 0x0503\n#define SSL_SIGN_ECDSA_SECP521R1_SHA512 0x0603\n#define SSL_SIGN_RSA_PSS_RSAE_SHA256 0x0804\n#define SSL_SIGN_RSA_PSS_RSAE_SHA384 0x0805\n#define SSL_SIGN_RSA_PSS_RSAE_SHA512 0x0806\n#define SSL_SIGN_ED25519 0x0807\n\n// SSL_SIGN_RSA_PKCS1_SHA256_LEGACY is a backport of RSASSA-PKCS1-v1_5 with\n// SHA-256 to TLS 1.3. It is disabled by default and only defined for client\n// certificates.\n#define SSL_SIGN_RSA_PKCS1_SHA256_LEGACY 0x0420\n\n// SSL_SIGN_RSA_PKCS1_MD5_SHA1 is an internal signature algorithm used to\n// specify raw RSASSA-PKCS1-v1_5 with an MD5/SHA-1 concatenation, as used in TLS\n// before TLS 1.2.\n#define SSL_SIGN_RSA_PKCS1_MD5_SHA1 0xff01\n\n// SSL_get_signature_algorithm_name returns a human-readable name for |sigalg|,\n// or NULL if unknown. If |include_curve| is one, the curve for ECDSA algorithms\n// is included as in TLS 1.3. Otherwise, it is excluded as in TLS 1.2.\nOPENSSL_EXPORT const char *SSL_get_signature_algorithm_name(uint16_t sigalg,\n int include_curve);\n\n// SSL_get_all_signature_algorithm_names outputs a list of possible strings\n// |SSL_get_signature_algorithm_name| may return in this version of BoringSSL.\n// It writes at most |max_out| entries to |out| and returns the total number it\n// would have written, if |max_out| had been large enough. |max_out| may be\n// initially set to zero to size the output.\n//\n// This function is only intended to help initialize tables in callers that want\n// possible strings pre-declared. This list would not be suitable to set a list\n// of supported features. It is in no particular order, and may contain\n// placeholder, experimental, or deprecated values that do not apply to every\n// caller. Future versions of BoringSSL may also return strings not in this\n// list, so this does not apply if, say, sending strings across services.\nOPENSSL_EXPORT size_t SSL_get_all_signature_algorithm_names(const char **out,\n size_t max_out);\n\n// SSL_get_signature_algorithm_key_type returns the key type associated with\n// |sigalg| as an |EVP_PKEY_*| constant or |EVP_PKEY_NONE| if unknown.\nOPENSSL_EXPORT int SSL_get_signature_algorithm_key_type(uint16_t sigalg);\n\n// SSL_get_signature_algorithm_digest returns the digest function associated\n// with |sigalg| or |NULL| if |sigalg| has no prehash (Ed25519) or is unknown.\nOPENSSL_EXPORT const EVP_MD *SSL_get_signature_algorithm_digest(\n uint16_t sigalg);\n\n// SSL_is_signature_algorithm_rsa_pss returns one if |sigalg| is an RSA-PSS\n// signature algorithm and zero otherwise.\nOPENSSL_EXPORT int SSL_is_signature_algorithm_rsa_pss(uint16_t sigalg);\n\n// SSL_CTX_set_signing_algorithm_prefs configures |ctx| to use |prefs| as the\n// preference list when signing with |ctx|'s private key. It returns one on\n// success and zero on error. |prefs| should not include the internal-only value\n// |SSL_SIGN_RSA_PKCS1_MD5_SHA1|.\nOPENSSL_EXPORT int SSL_CTX_set_signing_algorithm_prefs(SSL_CTX *ctx,\n const uint16_t *prefs,\n size_t num_prefs);\n\n// SSL_set_signing_algorithm_prefs configures |ssl| to use |prefs| as the\n// preference list when signing with |ssl|'s private key. It returns one on\n// success and zero on error. |prefs| should not include the internal-only value\n// |SSL_SIGN_RSA_PKCS1_MD5_SHA1|.\nOPENSSL_EXPORT int SSL_set_signing_algorithm_prefs(SSL *ssl,\n const uint16_t *prefs,\n size_t num_prefs);\n\n\n// Certificate and private key convenience functions.\n\n// SSL_CTX_set_chain_and_key sets the certificate chain and private key for a\n// TLS client or server. References to the given |CRYPTO_BUFFER| and |EVP_PKEY|\n// objects are added as needed. Exactly one of |privkey| or |privkey_method|\n// may be non-NULL. Returns one on success and zero on error.\nOPENSSL_EXPORT int SSL_CTX_set_chain_and_key(\n SSL_CTX *ctx, CRYPTO_BUFFER *const *certs, size_t num_certs,\n EVP_PKEY *privkey, const SSL_PRIVATE_KEY_METHOD *privkey_method);\n\n// SSL_set_chain_and_key sets the certificate chain and private key for a TLS\n// client or server. References to the given |CRYPTO_BUFFER| and |EVP_PKEY|\n// objects are added as needed. Exactly one of |privkey| or |privkey_method|\n// may be non-NULL. Returns one on success and zero on error.\nOPENSSL_EXPORT int SSL_set_chain_and_key(\n SSL *ssl, CRYPTO_BUFFER *const *certs, size_t num_certs, EVP_PKEY *privkey,\n const SSL_PRIVATE_KEY_METHOD *privkey_method);\n\n// SSL_CTX_get0_chain returns the list of |CRYPTO_BUFFER|s that were set by\n// |SSL_CTX_set_chain_and_key|. Reference counts are not incremented by this\n// call. The return value may be |NULL| if no chain has been set.\n//\n// (Note: if a chain was configured by non-|CRYPTO_BUFFER|-based functions then\n// the return value is undefined and, even if not NULL, the stack itself may\n// contain nullptrs. Thus you shouldn't mix this function with\n// non-|CRYPTO_BUFFER| functions for manipulating the chain.)\nOPENSSL_EXPORT const STACK_OF(CRYPTO_BUFFER) *SSL_CTX_get0_chain(\n const SSL_CTX *ctx);\n\n// SSL_get0_chain returns the list of |CRYPTO_BUFFER|s that were set by\n// |SSL_set_chain_and_key|, unless they have been discarded. Reference counts\n// are not incremented by this call. The return value may be |NULL| if no chain\n// has been set.\n//\n// (Note: if a chain was configured by non-|CRYPTO_BUFFER|-based functions then\n// the return value is undefined and, even if not NULL, the stack itself may\n// contain nullptrs. Thus you shouldn't mix this function with\n// non-|CRYPTO_BUFFER| functions for manipulating the chain.)\n//\n// This function may return nullptr if a handshake has completed even if\n// |SSL_set_chain_and_key| was previously called, since the configuration\n// containing the certificates is typically cleared after handshake completion.\nOPENSSL_EXPORT const STACK_OF(CRYPTO_BUFFER) *SSL_get0_chain(const SSL *ssl);\n\n// SSL_CTX_use_RSAPrivateKey sets |ctx|'s private key to |rsa|. It returns one\n// on success and zero on failure.\nOPENSSL_EXPORT int SSL_CTX_use_RSAPrivateKey(SSL_CTX *ctx, RSA *rsa);\n\n// SSL_use_RSAPrivateKey sets |ctx|'s private key to |rsa|. It returns one on\n// success and zero on failure.\nOPENSSL_EXPORT int SSL_use_RSAPrivateKey(SSL *ssl, RSA *rsa);\n\n// The following functions configure certificates or private keys but take as\n// input DER-encoded structures. They return one on success and zero on\n// failure.\n\nOPENSSL_EXPORT int SSL_CTX_use_certificate_ASN1(SSL_CTX *ctx, size_t der_len,\n const uint8_t *der);\nOPENSSL_EXPORT int SSL_use_certificate_ASN1(SSL *ssl, const uint8_t *der,\n size_t der_len);\n\nOPENSSL_EXPORT int SSL_CTX_use_PrivateKey_ASN1(int pk, SSL_CTX *ctx,\n const uint8_t *der,\n size_t der_len);\nOPENSSL_EXPORT int SSL_use_PrivateKey_ASN1(int type, SSL *ssl,\n const uint8_t *der, size_t der_len);\n\nOPENSSL_EXPORT int SSL_CTX_use_RSAPrivateKey_ASN1(SSL_CTX *ctx,\n const uint8_t *der,\n size_t der_len);\nOPENSSL_EXPORT int SSL_use_RSAPrivateKey_ASN1(SSL *ssl, const uint8_t *der,\n size_t der_len);\n\n// The following functions configure certificates or private keys but take as\n// input files to read from. They return one on success and zero on failure. The\n// |type| parameter is one of the |SSL_FILETYPE_*| values and determines whether\n// the file's contents are read as PEM or DER.\n\n#define SSL_FILETYPE_PEM 1\n#define SSL_FILETYPE_ASN1 2\n\nOPENSSL_EXPORT int SSL_CTX_use_RSAPrivateKey_file(SSL_CTX *ctx,\n const char *file, int type);\nOPENSSL_EXPORT int SSL_use_RSAPrivateKey_file(SSL *ssl, const char *file,\n int type);\n\nOPENSSL_EXPORT int SSL_CTX_use_certificate_file(SSL_CTX *ctx, const char *file,\n int type);\nOPENSSL_EXPORT int SSL_use_certificate_file(SSL *ssl, const char *file,\n int type);\n\nOPENSSL_EXPORT int SSL_CTX_use_PrivateKey_file(SSL_CTX *ctx, const char *file,\n int type);\nOPENSSL_EXPORT int SSL_use_PrivateKey_file(SSL *ssl, const char *file,\n int type);\n\n// SSL_CTX_use_certificate_chain_file configures certificates for |ctx|. It\n// reads the contents of |file| as a PEM-encoded leaf certificate followed\n// optionally by the certificate chain to send to the peer. It returns one on\n// success and zero on failure.\n//\n// WARNING: If the input contains \"TRUSTED CERTIFICATE\" PEM blocks, this\n// function parses auxiliary properties as in |d2i_X509_AUX|. Passing untrusted\n// input to this function allows an attacker to influence those properties. See\n// |d2i_X509_AUX| for details.\nOPENSSL_EXPORT int SSL_CTX_use_certificate_chain_file(SSL_CTX *ctx,\n const char *file);\n\n// SSL_CTX_set_default_passwd_cb sets the password callback for PEM-based\n// convenience functions called on |ctx|.\nOPENSSL_EXPORT void SSL_CTX_set_default_passwd_cb(SSL_CTX *ctx,\n pem_password_cb *cb);\n\n// SSL_CTX_get_default_passwd_cb returns the callback set by\n// |SSL_CTX_set_default_passwd_cb|.\nOPENSSL_EXPORT pem_password_cb *SSL_CTX_get_default_passwd_cb(\n const SSL_CTX *ctx);\n\n// SSL_CTX_set_default_passwd_cb_userdata sets the userdata parameter for\n// |ctx|'s password callback.\nOPENSSL_EXPORT void SSL_CTX_set_default_passwd_cb_userdata(SSL_CTX *ctx,\n void *data);\n\n// SSL_CTX_get_default_passwd_cb_userdata returns the userdata parameter set by\n// |SSL_CTX_set_default_passwd_cb_userdata|.\nOPENSSL_EXPORT void *SSL_CTX_get_default_passwd_cb_userdata(const SSL_CTX *ctx);\n\n\n// Custom private keys.\n\nenum ssl_private_key_result_t BORINGSSL_ENUM_INT {\n ssl_private_key_success,\n ssl_private_key_retry,\n ssl_private_key_failure,\n};\n\n// ssl_private_key_method_st (aka |SSL_PRIVATE_KEY_METHOD|) describes private\n// key hooks. This is used to off-load signing operations to a custom,\n// potentially asynchronous, backend. Metadata about the key such as the type\n// and size are parsed out of the certificate.\nstruct ssl_private_key_method_st {\n // sign signs the message |in| in using the specified signature algorithm. On\n // success, it returns |ssl_private_key_success| and writes at most |max_out|\n // bytes of signature data to |out| and sets |*out_len| to the number of bytes\n // written. On failure, it returns |ssl_private_key_failure|. If the operation\n // has not completed, it returns |ssl_private_key_retry|. |sign| should\n // arrange for the high-level operation on |ssl| to be retried when the\n // operation is completed. This will result in a call to |complete|.\n //\n // |signature_algorithm| is one of the |SSL_SIGN_*| values, as defined in TLS\n // 1.3. Note that, in TLS 1.2, ECDSA algorithms do not require that curve\n // sizes match hash sizes, so the curve portion of |SSL_SIGN_ECDSA_*| values\n // must be ignored. BoringSSL will internally handle the curve matching logic\n // where appropriate.\n //\n // It is an error to call |sign| while another private key operation is in\n // progress on |ssl|.\n enum ssl_private_key_result_t (*sign)(SSL *ssl, uint8_t *out, size_t *out_len,\n size_t max_out,\n uint16_t signature_algorithm,\n const uint8_t *in, size_t in_len);\n\n // decrypt decrypts |in_len| bytes of encrypted data from |in|. On success it\n // returns |ssl_private_key_success|, writes at most |max_out| bytes of\n // decrypted data to |out| and sets |*out_len| to the actual number of bytes\n // written. On failure it returns |ssl_private_key_failure|. If the operation\n // has not completed, it returns |ssl_private_key_retry|. The caller should\n // arrange for the high-level operation on |ssl| to be retried when the\n // operation is completed, which will result in a call to |complete|. This\n // function only works with RSA keys and should perform a raw RSA decryption\n // operation with no padding.\n //\n // It is an error to call |decrypt| while another private key operation is in\n // progress on |ssl|.\n enum ssl_private_key_result_t (*decrypt)(SSL *ssl, uint8_t *out,\n size_t *out_len, size_t max_out,\n const uint8_t *in, size_t in_len);\n\n // complete completes a pending operation. If the operation has completed, it\n // returns |ssl_private_key_success| and writes the result to |out| as in\n // |sign|. Otherwise, it returns |ssl_private_key_failure| on failure and\n // |ssl_private_key_retry| if the operation is still in progress.\n //\n // |complete| may be called arbitrarily many times before completion, but it\n // is an error to call |complete| if there is no pending operation in progress\n // on |ssl|.\n enum ssl_private_key_result_t (*complete)(SSL *ssl, uint8_t *out,\n size_t *out_len, size_t max_out);\n};\n\n// SSL_set_private_key_method configures a custom private key on |ssl|.\n// |key_method| must remain valid for the lifetime of |ssl|.\n//\n// If using an RSA or ECDSA key, callers should configure signing capabilities\n// with |SSL_set_signing_algorithm_prefs|. Otherwise, BoringSSL may select a\n// signature algorithm that |key_method| does not support.\nOPENSSL_EXPORT void SSL_set_private_key_method(\n SSL *ssl, const SSL_PRIVATE_KEY_METHOD *key_method);\n\n// SSL_CTX_set_private_key_method configures a custom private key on |ctx|.\n// |key_method| must remain valid for the lifetime of |ctx|.\n//\n// If using an RSA or ECDSA key, callers should configure signing capabilities\n// with |SSL_CTX_set_signing_algorithm_prefs|. Otherwise, BoringSSL may select a\n// signature algorithm that |key_method| does not support.\nOPENSSL_EXPORT void SSL_CTX_set_private_key_method(\n SSL_CTX *ctx, const SSL_PRIVATE_KEY_METHOD *key_method);\n\n// SSL_CREDENTIAL_set_private_key_method configures a custom private key on\n// |cred|. |key_method| must remain valid for the lifetime of |cred|. It returns\n// one on success and zero if |cred| does not use private keys.\n//\n// If using an RSA or ECDSA key, callers should configure signing capabilities\n// with |SSL_CREDENTIAL_set1_signing_algorithm_prefs|. Otherwise, BoringSSL may\n// select a signature algorithm that |key_method| does not support. This is not\n// necessary for delegated credentials (see |SSL_CREDENTIAL_new_delegated|)\n// because delegated credentials only support a single signature algorithm.\n//\n// Functions in |key_method| will be passed an |SSL| object, but not |cred|\n// directly. Use |SSL_get0_selected_credential| to determine the selected\n// credential. From there, |SSL_CREDENTIAL_get_ex_data| can be used to look up\n// credential-specific state, such as a handle to the private key.\nOPENSSL_EXPORT int SSL_CREDENTIAL_set_private_key_method(\n SSL_CREDENTIAL *cred, const SSL_PRIVATE_KEY_METHOD *key_method);\n\n// SSL_CREDENTIAL_set_must_match_issuer sets the flag that this credential\n// should be considered only when it matches a peer request for a particular\n// issuer via a negotiation mechanism (such as the certificate_authorities\n// extension).\nOPENSSL_EXPORT void SSL_CREDENTIAL_set_must_match_issuer(SSL_CREDENTIAL *cred);\n\n// SSL_CREDENTIAL_clear_must_match_issuer clears the flag requiring issuer\n// matching, indicating this credential should be considered regardless of peer\n// issuer matching requests. (This is the default).\nOPENSSL_EXPORT void SSL_CREDENTIAL_clear_must_match_issuer(\n SSL_CREDENTIAL *cred);\n\n// SSL_CREDENTIAL_must_match_issuer returns the value of the flag indicating\n// that this credential should be considered only when it matches a peer request\n// for a particular issuer via a negotiation mechanism (such as the\n// certificate_authorities extension).\nOPENSSL_EXPORT int SSL_CREDENTIAL_must_match_issuer(const SSL_CREDENTIAL *cred);\n\n// SSL_can_release_private_key returns one if |ssl| will no longer call into the\n// private key and zero otherwise. If the function returns one, the caller can\n// release state associated with the private key.\n//\n// NOTE: This function assumes the caller does not use |SSL_clear| to reuse\n// |ssl| for a second connection. If |SSL_clear| is used, BoringSSL may still\n// use the private key on the second connection.\nOPENSSL_EXPORT int SSL_can_release_private_key(const SSL *ssl);\n\n\n// Cipher suites.\n//\n// |SSL_CIPHER| objects represent cipher suites.\n\nDEFINE_CONST_STACK_OF(SSL_CIPHER)\n\n// SSL_get_cipher_by_value returns the structure representing a TLS cipher\n// suite based on its assigned number, or NULL if unknown. See\n// https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-4.\nOPENSSL_EXPORT const SSL_CIPHER *SSL_get_cipher_by_value(uint16_t value);\n\n// SSL_CIPHER_get_id returns |cipher|'s non-IANA id. This is not its\n// IANA-assigned number, which is called the \"value\" here, although it may be\n// cast to a |uint16_t| to get it.\nOPENSSL_EXPORT uint32_t SSL_CIPHER_get_id(const SSL_CIPHER *cipher);\n\n// SSL_CIPHER_get_protocol_id returns |cipher|'s IANA-assigned number.\nOPENSSL_EXPORT uint16_t SSL_CIPHER_get_protocol_id(const SSL_CIPHER *cipher);\n\n// SSL_CIPHER_is_aead returns one if |cipher| uses an AEAD cipher.\nOPENSSL_EXPORT int SSL_CIPHER_is_aead(const SSL_CIPHER *cipher);\n\n// SSL_CIPHER_is_block_cipher returns one if |cipher| is a block cipher.\nOPENSSL_EXPORT int SSL_CIPHER_is_block_cipher(const SSL_CIPHER *cipher);\n\n// SSL_CIPHER_get_cipher_nid returns the NID for |cipher|'s bulk\n// cipher. Possible values are |NID_aes_128_gcm|, |NID_aes_256_gcm|,\n// |NID_chacha20_poly1305|, |NID_aes_128_cbc|, |NID_aes_256_cbc|, and\n// |NID_des_ede3_cbc|.\nOPENSSL_EXPORT int SSL_CIPHER_get_cipher_nid(const SSL_CIPHER *cipher);\n\n// SSL_CIPHER_get_digest_nid returns the NID for |cipher|'s HMAC if it is a\n// legacy cipher suite. For modern AEAD-based ciphers (see\n// |SSL_CIPHER_is_aead|), it returns |NID_undef|.\n//\n// Note this function only returns the legacy HMAC digest, not the PRF hash.\nOPENSSL_EXPORT int SSL_CIPHER_get_digest_nid(const SSL_CIPHER *cipher);\n\n// SSL_CIPHER_get_kx_nid returns the NID for |cipher|'s key exchange. This may\n// be |NID_kx_rsa|, |NID_kx_ecdhe|, or |NID_kx_psk| for TLS 1.2. In TLS 1.3,\n// cipher suites do not specify the key exchange, so this function returns\n// |NID_kx_any|.\nOPENSSL_EXPORT int SSL_CIPHER_get_kx_nid(const SSL_CIPHER *cipher);\n\n// SSL_CIPHER_get_auth_nid returns the NID for |cipher|'s authentication\n// type. This may be |NID_auth_rsa|, |NID_auth_ecdsa|, or |NID_auth_psk| for TLS\n// 1.2. In TLS 1.3, cipher suites do not specify authentication, so this\n// function returns |NID_auth_any|.\nOPENSSL_EXPORT int SSL_CIPHER_get_auth_nid(const SSL_CIPHER *cipher);\n\n// SSL_CIPHER_get_handshake_digest returns |cipher|'s PRF hash. If |cipher|\n// is a pre-TLS-1.2 cipher, it returns |EVP_md5_sha1| but note these ciphers use\n// SHA-256 in TLS 1.2. Other return values may be treated uniformly in all\n// applicable versions.\nOPENSSL_EXPORT const EVP_MD *SSL_CIPHER_get_handshake_digest(\n const SSL_CIPHER *cipher);\n\n// SSL_CIPHER_get_prf_nid behaves like |SSL_CIPHER_get_handshake_digest| but\n// returns the NID constant. Use |SSL_CIPHER_get_handshake_digest| instead.\nOPENSSL_EXPORT int SSL_CIPHER_get_prf_nid(const SSL_CIPHER *cipher);\n\n// SSL_CIPHER_get_min_version returns the minimum protocol version required\n// for |cipher|.\nOPENSSL_EXPORT uint16_t SSL_CIPHER_get_min_version(const SSL_CIPHER *cipher);\n\n// SSL_CIPHER_get_max_version returns the maximum protocol version that\n// supports |cipher|.\nOPENSSL_EXPORT uint16_t SSL_CIPHER_get_max_version(const SSL_CIPHER *cipher);\n\n// SSL_CIPHER_standard_name returns the standard IETF name for |cipher|. For\n// example, \"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256\".\nOPENSSL_EXPORT const char *SSL_CIPHER_standard_name(const SSL_CIPHER *cipher);\n\n// SSL_CIPHER_get_name returns the OpenSSL name of |cipher|. For example,\n// \"ECDHE-RSA-AES128-GCM-SHA256\". Callers are recommended to use\n// |SSL_CIPHER_standard_name| instead.\nOPENSSL_EXPORT const char *SSL_CIPHER_get_name(const SSL_CIPHER *cipher);\n\n// SSL_CIPHER_get_kx_name returns a string that describes the key-exchange\n// method used by |cipher|. For example, \"ECDHE_ECDSA\". TLS 1.3 AEAD-only\n// ciphers return the string \"GENERIC\".\nOPENSSL_EXPORT const char *SSL_CIPHER_get_kx_name(const SSL_CIPHER *cipher);\n\n// SSL_CIPHER_get_bits returns the strength, in bits, of |cipher|. If\n// |out_alg_bits| is not NULL, it writes the number of bits consumed by the\n// symmetric algorithm to |*out_alg_bits|.\nOPENSSL_EXPORT int SSL_CIPHER_get_bits(const SSL_CIPHER *cipher,\n int *out_alg_bits);\n\n// SSL_get_all_cipher_names outputs a list of possible strings\n// |SSL_CIPHER_get_name| may return in this version of BoringSSL. It writes at\n// most |max_out| entries to |out| and returns the total number it would have\n// written, if |max_out| had been large enough. |max_out| may be initially set\n// to zero to size the output.\n//\n// This function is only intended to help initialize tables in callers that want\n// possible strings pre-declared. This list would not be suitable to set a list\n// of supported features. It is in no particular order, and may contain\n// placeholder, experimental, or deprecated values that do not apply to every\n// caller. Future versions of BoringSSL may also return strings not in this\n// list, so this does not apply if, say, sending strings across services.\nOPENSSL_EXPORT size_t SSL_get_all_cipher_names(const char **out,\n size_t max_out);\n\n\n// SSL_get_all_standard_cipher_names outputs a list of possible strings\n// |SSL_CIPHER_standard_name| may return in this version of BoringSSL. It writes\n// at most |max_out| entries to |out| and returns the total number it would have\n// written, if |max_out| had been large enough. |max_out| may be initially set\n// to zero to size the output.\n//\n// This function is only intended to help initialize tables in callers that want\n// possible strings pre-declared. This list would not be suitable to set a list\n// of supported features. It is in no particular order, and may contain\n// placeholder, experimental, or deprecated values that do not apply to every\n// caller. Future versions of BoringSSL may also return strings not in this\n// list, so this does not apply if, say, sending strings across services.\nOPENSSL_EXPORT size_t SSL_get_all_standard_cipher_names(const char **out,\n size_t max_out);\n\n\n// Cipher suite configuration.\n//\n// OpenSSL uses a mini-language to configure cipher suites. The language\n// maintains an ordered list of enabled ciphers, along with an ordered list of\n// disabled but available ciphers. Initially, all ciphers are disabled with a\n// default ordering. The cipher string is then interpreted as a sequence of\n// directives, separated by colons, each of which modifies this state.\n//\n// Most directives consist of a one character or empty opcode followed by a\n// selector which matches a subset of available ciphers.\n//\n// Available opcodes are:\n//\n// - The empty opcode enables and appends all matching disabled ciphers to the\n// end of the enabled list. The newly appended ciphers are ordered relative to\n// each other matching their order in the disabled list.\n//\n// - |-| disables all matching enabled ciphers and prepends them to the disabled\n// list, with relative order from the enabled list preserved. This means the\n// most recently disabled ciphers get highest preference relative to other\n// disabled ciphers if re-enabled.\n//\n// - |+| moves all matching enabled ciphers to the end of the enabled list, with\n// relative order preserved.\n//\n// - |!| deletes all matching ciphers, enabled or not, from either list. Deleted\n// ciphers will not matched by future operations.\n//\n// A selector may be a specific cipher (using either the standard or OpenSSL\n// name for the cipher) or one or more rules separated by |+|. The final\n// selector matches the intersection of each rule. For instance, |AESGCM+aECDSA|\n// matches ECDSA-authenticated AES-GCM ciphers.\n//\n// Available cipher rules are:\n//\n// - |ALL| matches all ciphers, except for deprecated ciphers which must be\n// named explicitly.\n//\n// - |kRSA|, |kDHE|, |kECDHE|, and |kPSK| match ciphers using plain RSA, DHE,\n// ECDHE, and plain PSK key exchanges, respectively. Note that ECDHE_PSK is\n// matched by |kECDHE| and not |kPSK|.\n//\n// - |aRSA|, |aECDSA|, and |aPSK| match ciphers authenticated by RSA, ECDSA, and\n// a pre-shared key, respectively.\n//\n// - |RSA|, |DHE|, |ECDHE|, |PSK|, |ECDSA|, and |PSK| are aliases for the\n// corresponding |k*| or |a*| cipher rule. |RSA| is an alias for |kRSA|, not\n// |aRSA|.\n//\n// - |3DES|, |AES128|, |AES256|, |AES|, |AESGCM|, |CHACHA20| match ciphers\n// whose bulk cipher use the corresponding encryption scheme. Note that\n// |AES|, |AES128|, and |AES256| match both CBC and GCM ciphers.\n//\n// - |SHA1|, and its alias |SHA|, match legacy cipher suites using HMAC-SHA1.\n//\n// Deprecated cipher rules:\n//\n// - |kEDH|, |EDH|, |kEECDH|, and |EECDH| are legacy aliases for |kDHE|, |DHE|,\n// |kECDHE|, and |ECDHE|, respectively.\n//\n// - |HIGH| is an alias for |ALL|.\n//\n// - |FIPS| is an alias for |HIGH|.\n//\n// - |SSLv3| and |TLSv1| match ciphers available in TLS 1.1 or earlier.\n// |TLSv1_2| matches ciphers new in TLS 1.2. This is confusing and should not\n// be used.\n//\n// Unknown rules are silently ignored by legacy APIs, and rejected by APIs with\n// \"strict\" in the name, which should be preferred. Cipher lists can be long\n// and it's easy to commit typos. Strict functions will also reject the use of\n// spaces, semi-colons and commas as alternative separators.\n//\n// The special |@STRENGTH| directive will sort all enabled ciphers by strength.\n//\n// The |DEFAULT| directive, when appearing at the front of the string, expands\n// to the default ordering of available ciphers.\n//\n// If configuring a server, one may also configure equal-preference groups to\n// partially respect the client's preferences when\n// |SSL_OP_CIPHER_SERVER_PREFERENCE| is enabled. Ciphers in an equal-preference\n// group have equal priority and use the client order. This may be used to\n// enforce that AEADs are preferred but select AES-GCM vs. ChaCha20-Poly1305\n// based on client preferences. An equal-preference is specified with square\n// brackets, combining multiple selectors separated by |. For example:\n//\n// [TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256|TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256]\n//\n// Once an equal-preference group is used, future directives must be\n// opcode-less. Inside an equal-preference group, spaces are not allowed.\n//\n// TLS 1.3 ciphers do not participate in this mechanism and instead have a\n// built-in preference order. Functions to set cipher lists do not affect TLS\n// 1.3, and functions to query the cipher list do not include TLS 1.3 ciphers.\n\n// SSL_DEFAULT_CIPHER_LIST is the default cipher suite configuration. It is\n// substituted when a cipher string starts with 'DEFAULT'.\n#define SSL_DEFAULT_CIPHER_LIST \"ALL\"\n\n// SSL_CTX_set_strict_cipher_list configures the cipher list for |ctx|,\n// evaluating |str| as a cipher string and returning error if |str| contains\n// anything meaningless. It returns one on success and zero on failure.\nOPENSSL_EXPORT int SSL_CTX_set_strict_cipher_list(SSL_CTX *ctx,\n const char *str);\n\n// SSL_CTX_set_cipher_list configures the cipher list for |ctx|, evaluating\n// |str| as a cipher string. It returns one on success and zero on failure.\n//\n// Prefer to use |SSL_CTX_set_strict_cipher_list|. This function tolerates\n// garbage inputs, unless an empty cipher list results.\nOPENSSL_EXPORT int SSL_CTX_set_cipher_list(SSL_CTX *ctx, const char *str);\n\n// SSL_set_strict_cipher_list configures the cipher list for |ssl|, evaluating\n// |str| as a cipher string and returning error if |str| contains anything\n// meaningless. It returns one on success and zero on failure.\nOPENSSL_EXPORT int SSL_set_strict_cipher_list(SSL *ssl, const char *str);\n\n// SSL_set_cipher_list configures the cipher list for |ssl|, evaluating |str| as\n// a cipher string. It returns one on success and zero on failure.\n//\n// Prefer to use |SSL_set_strict_cipher_list|. This function tolerates garbage\n// inputs, unless an empty cipher list results.\nOPENSSL_EXPORT int SSL_set_cipher_list(SSL *ssl, const char *str);\n\n// SSL_CTX_get_ciphers returns the cipher list for |ctx|, in order of\n// preference.\nOPENSSL_EXPORT STACK_OF(SSL_CIPHER) *SSL_CTX_get_ciphers(const SSL_CTX *ctx);\n\n// SSL_CTX_cipher_in_group returns one if the |i|th cipher (see\n// |SSL_CTX_get_ciphers|) is in the same equipreference group as the one\n// following it and zero otherwise.\nOPENSSL_EXPORT int SSL_CTX_cipher_in_group(const SSL_CTX *ctx, size_t i);\n\n// SSL_get_ciphers returns the cipher list for |ssl|, in order of preference.\nOPENSSL_EXPORT STACK_OF(SSL_CIPHER) *SSL_get_ciphers(const SSL *ssl);\n\n\n// Connection information.\n\n// SSL_is_init_finished returns one if |ssl| has completed its initial handshake\n// and has no pending handshake. It returns zero otherwise.\nOPENSSL_EXPORT int SSL_is_init_finished(const SSL *ssl);\n\n// SSL_in_init returns one if |ssl| has a pending handshake and zero\n// otherwise.\nOPENSSL_EXPORT int SSL_in_init(const SSL *ssl);\n\n// SSL_in_false_start returns one if |ssl| has a pending handshake that is in\n// False Start. |SSL_write| may be called at this point without waiting for the\n// peer, but |SSL_read| will complete the handshake before accepting application\n// data.\n//\n// See also |SSL_MODE_ENABLE_FALSE_START|.\nOPENSSL_EXPORT int SSL_in_false_start(const SSL *ssl);\n\n// SSL_get_peer_certificate returns the peer's leaf certificate or NULL if the\n// peer did not use certificates. The caller must call |X509_free| on the\n// result to release it.\nOPENSSL_EXPORT X509 *SSL_get_peer_certificate(const SSL *ssl);\n\n// SSL_get_peer_cert_chain returns the peer's certificate chain or NULL if\n// unavailable or the peer did not use certificates. This is the unverified list\n// of certificates as sent by the peer, not the final chain built during\n// verification. The caller does not take ownership of the result.\n//\n// WARNING: This function behaves differently between client and server. If\n// |ssl| is a server, the returned chain does not include the leaf certificate.\n// If a client, it does.\nOPENSSL_EXPORT STACK_OF(X509) *SSL_get_peer_cert_chain(const SSL *ssl);\n\n// SSL_get_peer_full_cert_chain returns the peer's certificate chain, or NULL if\n// unavailable or the peer did not use certificates. This is the unverified list\n// of certificates as sent by the peer, not the final chain built during\n// verification. The caller does not take ownership of the result.\n//\n// This is the same as |SSL_get_peer_cert_chain| except that this function\n// always returns the full chain, i.e. the first element of the return value\n// (if any) will be the leaf certificate. In constrast,\n// |SSL_get_peer_cert_chain| returns only the intermediate certificates if the\n// |ssl| is a server.\nOPENSSL_EXPORT STACK_OF(X509) *SSL_get_peer_full_cert_chain(const SSL *ssl);\n\n// SSL_get0_peer_certificates returns the peer's certificate chain, or NULL if\n// unavailable or the peer did not use certificates. This is the unverified list\n// of certificates as sent by the peer, not the final chain built during\n// verification. The caller does not take ownership of the result.\n//\n// This is the |CRYPTO_BUFFER| variant of |SSL_get_peer_full_cert_chain|.\nOPENSSL_EXPORT const STACK_OF(CRYPTO_BUFFER) *SSL_get0_peer_certificates(\n const SSL *ssl);\n\n// SSL_get0_signed_cert_timestamp_list sets |*out| and |*out_len| to point to\n// |*out_len| bytes of SCT information from the server. This is only valid if\n// |ssl| is a client. The SCT information is a SignedCertificateTimestampList\n// (including the two leading length bytes).\n// See https://tools.ietf.org/html/rfc6962#section-3.3\n// If no SCT was received then |*out_len| will be zero on return.\n//\n// WARNING: the returned data is not guaranteed to be well formed.\nOPENSSL_EXPORT void SSL_get0_signed_cert_timestamp_list(const SSL *ssl,\n const uint8_t **out,\n size_t *out_len);\n\n// SSL_get0_ocsp_response sets |*out| and |*out_len| to point to |*out_len|\n// bytes of an OCSP response from the server. This is the DER encoding of an\n// OCSPResponse type as defined in RFC 2560.\n//\n// WARNING: the returned data is not guaranteed to be well formed.\nOPENSSL_EXPORT void SSL_get0_ocsp_response(const SSL *ssl, const uint8_t **out,\n size_t *out_len);\n\n// SSL_get_tls_unique writes at most |max_out| bytes of the tls-unique value\n// for |ssl| to |out| and sets |*out_len| to the number of bytes written. It\n// returns one on success or zero on error. In general |max_out| should be at\n// least 12.\n//\n// This function will always fail if the initial handshake has not completed.\n// The tls-unique value will change after a renegotiation but, since\n// renegotiations can be initiated by the server at any point, the higher-level\n// protocol must either leave them disabled or define states in which the\n// tls-unique value can be read.\n//\n// The tls-unique value is defined by\n// https://tools.ietf.org/html/rfc5929#section-3.1. Due to a weakness in the\n// TLS protocol, tls-unique is broken for resumed connections unless the\n// Extended Master Secret extension is negotiated. Thus this function will\n// return zero if |ssl| performed session resumption unless EMS was used when\n// negotiating the original session.\nOPENSSL_EXPORT int SSL_get_tls_unique(const SSL *ssl, uint8_t *out,\n size_t *out_len, size_t max_out);\n\n// SSL_get_extms_support returns one if the Extended Master Secret extension or\n// TLS 1.3 was negotiated. Otherwise, it returns zero.\nOPENSSL_EXPORT int SSL_get_extms_support(const SSL *ssl);\n\n// SSL_get_current_cipher returns cipher suite used by |ssl|, or NULL if it has\n// not been negotiated yet.\nOPENSSL_EXPORT const SSL_CIPHER *SSL_get_current_cipher(const SSL *ssl);\n\n// SSL_session_reused returns one if |ssl| performed an abbreviated handshake\n// and zero otherwise.\n//\n// TODO(davidben): Hammer down the semantics of this API while a handshake,\n// initial or renego, is in progress.\nOPENSSL_EXPORT int SSL_session_reused(const SSL *ssl);\n\n// SSL_get_secure_renegotiation_support returns one if the peer supports secure\n// renegotiation (RFC 5746) or TLS 1.3. Otherwise, it returns zero.\nOPENSSL_EXPORT int SSL_get_secure_renegotiation_support(const SSL *ssl);\n\n// SSL_export_keying_material exports a connection-specific secret from |ssl|,\n// as specified in RFC 5705. It writes |out_len| bytes to |out| given a label\n// and optional context. If |use_context| is zero, the |context| parameter is\n// ignored. Prior to TLS 1.3, using a zero-length context and using no context\n// would give different output.\n//\n// It returns one on success and zero otherwise.\nOPENSSL_EXPORT int SSL_export_keying_material(\n SSL *ssl, uint8_t *out, size_t out_len, const char *label, size_t label_len,\n const uint8_t *context, size_t context_len, int use_context);\n\n\n// Sessions.\n//\n// An |SSL_SESSION| represents an SSL session that may be resumed in an\n// abbreviated handshake. It is reference-counted and immutable. Once\n// established, an |SSL_SESSION| may be shared by multiple |SSL| objects on\n// different threads and must not be modified.\n//\n// Note the TLS notion of \"session\" is not suitable for application-level\n// session state. It is an optional caching mechanism for the handshake. Not all\n// connections within an application-level session will reuse TLS sessions. TLS\n// sessions may be dropped by the client or ignored by the server at any time.\n\nDECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)\n\n// SSL_SESSION_new returns a newly-allocated blank |SSL_SESSION| or NULL on\n// error. This may be useful when writing tests but should otherwise not be\n// used.\nOPENSSL_EXPORT SSL_SESSION *SSL_SESSION_new(const SSL_CTX *ctx);\n\n// SSL_SESSION_up_ref increments the reference count of |session| and returns\n// one.\nOPENSSL_EXPORT int SSL_SESSION_up_ref(SSL_SESSION *session);\n\n// SSL_SESSION_free decrements the reference count of |session|. If it reaches\n// zero, all data referenced by |session| and |session| itself are released.\nOPENSSL_EXPORT void SSL_SESSION_free(SSL_SESSION *session);\n\n// SSL_SESSION_to_bytes serializes |in| into a newly allocated buffer and sets\n// |*out_data| to that buffer and |*out_len| to its length. The caller takes\n// ownership of the buffer and must call |OPENSSL_free| when done. It returns\n// one on success and zero on error.\nOPENSSL_EXPORT int SSL_SESSION_to_bytes(const SSL_SESSION *in,\n uint8_t **out_data, size_t *out_len);\n\n// SSL_SESSION_to_bytes_for_ticket serializes |in|, but excludes the session\n// identification information, namely the session ID and ticket.\nOPENSSL_EXPORT int SSL_SESSION_to_bytes_for_ticket(const SSL_SESSION *in,\n uint8_t **out_data,\n size_t *out_len);\n\n// SSL_SESSION_from_bytes parses |in_len| bytes from |in| as an SSL_SESSION. It\n// returns a newly-allocated |SSL_SESSION| on success or NULL on error.\nOPENSSL_EXPORT SSL_SESSION *SSL_SESSION_from_bytes(const uint8_t *in,\n size_t in_len,\n const SSL_CTX *ctx);\n\n// SSL_SESSION_get_version returns a string describing the TLS or DTLS version\n// |session| was established at. For example, \"TLSv1.2\" or \"DTLSv1\".\nOPENSSL_EXPORT const char *SSL_SESSION_get_version(const SSL_SESSION *session);\n\n// SSL_SESSION_get_protocol_version returns the TLS or DTLS version |session|\n// was established at.\nOPENSSL_EXPORT uint16_t\nSSL_SESSION_get_protocol_version(const SSL_SESSION *session);\n\n// SSL_SESSION_set_protocol_version sets |session|'s TLS or DTLS version to\n// |version|. This may be useful when writing tests but should otherwise not be\n// used. It returns one on success and zero on error.\nOPENSSL_EXPORT int SSL_SESSION_set_protocol_version(SSL_SESSION *session,\n uint16_t version);\n\n// SSL_MAX_SSL_SESSION_ID_LENGTH is the maximum length of an SSL session ID.\n#define SSL_MAX_SSL_SESSION_ID_LENGTH 32\n\n// SSL_SESSION_get_id returns a pointer to a buffer containing |session|'s\n// session ID and sets |*out_len| to its length.\n//\n// This function should only be used for implementing a TLS session cache. TLS\n// sessions are not suitable for application-level session state, and a session\n// ID is an implementation detail of the TLS resumption handshake mechanism. Not\n// all resumption flows use session IDs, and not all connections within an\n// application-level session will reuse TLS sessions.\n//\n// To determine if resumption occurred, use |SSL_session_reused| instead.\n// Comparing session IDs will not give the right result in all cases.\n//\n// As a workaround for some broken applications, BoringSSL sometimes synthesizes\n// arbitrary session IDs for non-ID-based sessions. This behavior may be\n// removed in the future.\nOPENSSL_EXPORT const uint8_t *SSL_SESSION_get_id(const SSL_SESSION *session,\n unsigned *out_len);\n\n// SSL_SESSION_set1_id sets |session|'s session ID to |sid|, It returns one on\n// success and zero on error. This function may be useful in writing tests but\n// otherwise should not be used.\nOPENSSL_EXPORT int SSL_SESSION_set1_id(SSL_SESSION *session, const uint8_t *sid,\n size_t sid_len);\n\n// SSL_SESSION_get_time returns the time at which |session| was established in\n// seconds since the UNIX epoch.\nOPENSSL_EXPORT uint64_t SSL_SESSION_get_time(const SSL_SESSION *session);\n\n// SSL_SESSION_get_timeout returns the lifetime of |session| in seconds.\nOPENSSL_EXPORT uint32_t SSL_SESSION_get_timeout(const SSL_SESSION *session);\n\n// SSL_SESSION_get0_peer returns the peer leaf certificate stored in\n// |session|.\n//\n// TODO(davidben): This should return a const X509 *.\nOPENSSL_EXPORT X509 *SSL_SESSION_get0_peer(const SSL_SESSION *session);\n\n// SSL_SESSION_get0_peer_certificates returns the peer certificate chain stored\n// in |session|, or NULL if the peer did not use certificates. This is the\n// unverified list of certificates as sent by the peer, not the final chain\n// built during verification. The caller does not take ownership of the result.\nOPENSSL_EXPORT const STACK_OF(CRYPTO_BUFFER) *\nSSL_SESSION_get0_peer_certificates(const SSL_SESSION *session);\n\n// SSL_SESSION_get0_signed_cert_timestamp_list sets |*out| and |*out_len| to\n// point to |*out_len| bytes of SCT information stored in |session|. This is\n// only valid for client sessions. The SCT information is a\n// SignedCertificateTimestampList (including the two leading length bytes). See\n// https://tools.ietf.org/html/rfc6962#section-3.3 If no SCT was received then\n// |*out_len| will be zero on return.\n//\n// WARNING: the returned data is not guaranteed to be well formed.\nOPENSSL_EXPORT void SSL_SESSION_get0_signed_cert_timestamp_list(\n const SSL_SESSION *session, const uint8_t **out, size_t *out_len);\n\n// SSL_SESSION_get0_ocsp_response sets |*out| and |*out_len| to point to\n// |*out_len| bytes of an OCSP response from the server. This is the DER\n// encoding of an OCSPResponse type as defined in RFC 2560.\n//\n// WARNING: the returned data is not guaranteed to be well formed.\nOPENSSL_EXPORT void SSL_SESSION_get0_ocsp_response(const SSL_SESSION *session,\n const uint8_t **out,\n size_t *out_len);\n\n// SSL_MAX_MASTER_KEY_LENGTH is the maximum length of a master secret.\n#define SSL_MAX_MASTER_KEY_LENGTH 48\n\n// SSL_SESSION_get_master_key writes up to |max_out| bytes of |session|'s secret\n// to |out| and returns the number of bytes written. If |max_out| is zero, it\n// returns the size of the secret.\nOPENSSL_EXPORT size_t SSL_SESSION_get_master_key(const SSL_SESSION *session,\n uint8_t *out, size_t max_out);\n\n// SSL_SESSION_set_time sets |session|'s creation time to |time| and returns\n// |time|. This function may be useful in writing tests but otherwise should not\n// be used.\nOPENSSL_EXPORT uint64_t SSL_SESSION_set_time(SSL_SESSION *session,\n uint64_t time);\n\n// SSL_SESSION_set_timeout sets |session|'s timeout to |timeout| and returns\n// one. This function may be useful in writing tests but otherwise should not\n// be used.\nOPENSSL_EXPORT uint32_t SSL_SESSION_set_timeout(SSL_SESSION *session,\n uint32_t timeout);\n\n// SSL_SESSION_get0_id_context returns a pointer to a buffer containing\n// |session|'s session ID context (see |SSL_CTX_set_session_id_context|) and\n// sets |*out_len| to its length.\nOPENSSL_EXPORT const uint8_t *SSL_SESSION_get0_id_context(\n const SSL_SESSION *session, unsigned *out_len);\n\n// SSL_SESSION_set1_id_context sets |session|'s session ID context (see\n// |SSL_CTX_set_session_id_context|) to |sid_ctx|. It returns one on success and\n// zero on error. This function may be useful in writing tests but otherwise\n// should not be used.\nOPENSSL_EXPORT int SSL_SESSION_set1_id_context(SSL_SESSION *session,\n const uint8_t *sid_ctx,\n size_t sid_ctx_len);\n\n// SSL_SESSION_should_be_single_use returns one if |session| should be\n// single-use (TLS 1.3 and later) and zero otherwise.\n//\n// If this function returns one, clients retain multiple sessions and use each\n// only once. This prevents passive observers from correlating connections with\n// tickets. See RFC 8446, appendix C.4. If it returns zero, |session| cannot be\n// used without leaking a correlator.\nOPENSSL_EXPORT int SSL_SESSION_should_be_single_use(const SSL_SESSION *session);\n\n// SSL_SESSION_is_resumable returns one if |session| is complete and contains a\n// session ID or ticket. It returns zero otherwise. Note this function does not\n// ensure |session| will be resumed. It may be expired, dropped by the server,\n// or associated with incompatible parameters.\nOPENSSL_EXPORT int SSL_SESSION_is_resumable(const SSL_SESSION *session);\n\n// SSL_SESSION_has_ticket returns one if |session| has a ticket and zero\n// otherwise.\nOPENSSL_EXPORT int SSL_SESSION_has_ticket(const SSL_SESSION *session);\n\n// SSL_SESSION_get0_ticket sets |*out_ticket| and |*out_len| to |session|'s\n// ticket, or NULL and zero if it does not have one. |out_ticket| may be NULL\n// if only the ticket length is needed.\nOPENSSL_EXPORT void SSL_SESSION_get0_ticket(const SSL_SESSION *session,\n const uint8_t **out_ticket,\n size_t *out_len);\n\n// SSL_SESSION_set_ticket sets |session|'s ticket to |ticket|. It returns one on\n// success and zero on error. This function may be useful in writing tests but\n// otherwise should not be used.\nOPENSSL_EXPORT int SSL_SESSION_set_ticket(SSL_SESSION *session,\n const uint8_t *ticket,\n size_t ticket_len);\n\n// SSL_SESSION_get_ticket_lifetime_hint returns ticket lifetime hint of\n// |session| in seconds or zero if none was set.\nOPENSSL_EXPORT uint32_t\nSSL_SESSION_get_ticket_lifetime_hint(const SSL_SESSION *session);\n\n// SSL_SESSION_get0_cipher returns the cipher negotiated by the connection which\n// established |session|.\n//\n// Note that, in TLS 1.3, there is no guarantee that resumptions with |session|\n// will use that cipher. Prefer calling |SSL_get_current_cipher| on the |SSL|\n// instead.\nOPENSSL_EXPORT const SSL_CIPHER *SSL_SESSION_get0_cipher(\n const SSL_SESSION *session);\n\n// SSL_SESSION_has_peer_sha256 returns one if |session| has a SHA-256 hash of\n// the peer's certificate retained and zero if the peer did not present a\n// certificate or if this was not enabled when |session| was created. See also\n// |SSL_CTX_set_retain_only_sha256_of_client_certs|.\nOPENSSL_EXPORT int SSL_SESSION_has_peer_sha256(const SSL_SESSION *session);\n\n// SSL_SESSION_get0_peer_sha256 sets |*out_ptr| and |*out_len| to the SHA-256\n// hash of the peer certificate retained in |session|, or NULL and zero if it\n// does not have one. See also |SSL_CTX_set_retain_only_sha256_of_client_certs|.\nOPENSSL_EXPORT void SSL_SESSION_get0_peer_sha256(const SSL_SESSION *session,\n const uint8_t **out_ptr,\n size_t *out_len);\n\n\n// Session caching.\n//\n// Session caching allows connections to be established more efficiently based\n// on saved parameters from a previous connection, called a session (see\n// |SSL_SESSION|). The client offers a saved session, using an opaque identifier\n// from a previous connection. The server may accept the session, if it has the\n// parameters available. Otherwise, it will decline and continue with a full\n// handshake.\n//\n// This requires both the client and the server to retain session state. A\n// client does so with a stateful session cache. A server may do the same or, if\n// supported by both sides, statelessly using session tickets. For more\n// information on the latter, see the next section.\n//\n// For a server, the library implements a built-in internal session cache as an\n// in-memory hash table. Servers may also use |SSL_CTX_sess_set_get_cb| and\n// |SSL_CTX_sess_set_new_cb| to implement a custom external session cache. In\n// particular, this may be used to share a session cache between multiple\n// servers in a large deployment. An external cache may be used in addition to\n// or instead of the internal one. Use |SSL_CTX_set_session_cache_mode| to\n// toggle the internal cache.\n//\n// For a client, the only option is an external session cache. Clients may use\n// |SSL_CTX_sess_set_new_cb| to register a callback for when new sessions are\n// available. These may be cached and, in subsequent compatible connections,\n// configured with |SSL_set_session|.\n//\n// Note that offering or accepting a session short-circuits certificate\n// verification and most parameter negotiation. Resuming sessions across\n// different contexts may result in security failures and surprising\n// behavior. For a typical client, this means sessions for different hosts must\n// be cached under different keys. A client that connects to the same host with,\n// e.g., different cipher suite settings or client certificates should also use\n// separate session caches between those contexts. Servers should also partition\n// session caches between SNI hosts with |SSL_CTX_set_session_id_context|.\n//\n// Note also, in TLS 1.2 and earlier, offering sessions allows passive observers\n// to correlate different client connections. TLS 1.3 and later fix this,\n// provided clients use sessions at most once. Session caches are managed by the\n// caller in BoringSSL, so this must be implemented externally. See\n// |SSL_SESSION_should_be_single_use| for details.\n\n// SSL_SESS_CACHE_OFF disables all session caching.\n#define SSL_SESS_CACHE_OFF 0x0000\n\n// SSL_SESS_CACHE_CLIENT enables session caching for a client. The internal\n// cache is never used on a client, so this only enables the callbacks.\n#define SSL_SESS_CACHE_CLIENT 0x0001\n\n// SSL_SESS_CACHE_SERVER enables session caching for a server.\n#define SSL_SESS_CACHE_SERVER 0x0002\n\n// SSL_SESS_CACHE_BOTH enables session caching for both client and server.\n#define SSL_SESS_CACHE_BOTH (SSL_SESS_CACHE_CLIENT | SSL_SESS_CACHE_SERVER)\n\n// SSL_SESS_CACHE_NO_AUTO_CLEAR disables automatically calling\n// |SSL_CTX_flush_sessions| every 255 connections.\n#define SSL_SESS_CACHE_NO_AUTO_CLEAR 0x0080\n\n// SSL_SESS_CACHE_NO_INTERNAL_LOOKUP, on a server, disables looking up a session\n// from the internal session cache.\n#define SSL_SESS_CACHE_NO_INTERNAL_LOOKUP 0x0100\n\n// SSL_SESS_CACHE_NO_INTERNAL_STORE, on a server, disables storing sessions in\n// the internal session cache.\n#define SSL_SESS_CACHE_NO_INTERNAL_STORE 0x0200\n\n// SSL_SESS_CACHE_NO_INTERNAL, on a server, disables the internal session\n// cache.\n#define SSL_SESS_CACHE_NO_INTERNAL \\\n (SSL_SESS_CACHE_NO_INTERNAL_LOOKUP | SSL_SESS_CACHE_NO_INTERNAL_STORE)\n\n// SSL_CTX_set_session_cache_mode sets the session cache mode bits for |ctx| to\n// |mode|. It returns the previous value.\nOPENSSL_EXPORT int SSL_CTX_set_session_cache_mode(SSL_CTX *ctx, int mode);\n\n// SSL_CTX_get_session_cache_mode returns the session cache mode bits for\n// |ctx|\nOPENSSL_EXPORT int SSL_CTX_get_session_cache_mode(const SSL_CTX *ctx);\n\n// SSL_set_session, for a client, configures |ssl| to offer to resume |session|\n// in the initial handshake and returns one. The caller retains ownership of\n// |session|. Note that configuring a session assumes the authentication in the\n// session is valid. For callers that wish to revalidate the session before\n// offering, see |SSL_SESSION_get0_peer_certificates|,\n// |SSL_SESSION_get0_signed_cert_timestamp_list|, and\n// |SSL_SESSION_get0_ocsp_response|.\n//\n// It is an error to call this function after the handshake has begun.\nOPENSSL_EXPORT int SSL_set_session(SSL *ssl, SSL_SESSION *session);\n\n// SSL_DEFAULT_SESSION_TIMEOUT is the default lifetime, in seconds, of a\n// session in TLS 1.2 or earlier. This is how long we are willing to use the\n// secret to encrypt traffic without fresh key material.\n#define SSL_DEFAULT_SESSION_TIMEOUT (2 * 60 * 60)\n\n// SSL_DEFAULT_SESSION_PSK_DHE_TIMEOUT is the default lifetime, in seconds, of a\n// session for TLS 1.3 psk_dhe_ke. This is how long we are willing to use the\n// secret as an authenticator.\n#define SSL_DEFAULT_SESSION_PSK_DHE_TIMEOUT (2 * 24 * 60 * 60)\n\n// SSL_DEFAULT_SESSION_AUTH_TIMEOUT is the default non-renewable lifetime, in\n// seconds, of a TLS 1.3 session. This is how long we are willing to trust the\n// signature in the initial handshake.\n#define SSL_DEFAULT_SESSION_AUTH_TIMEOUT (7 * 24 * 60 * 60)\n\n// SSL_CTX_set_timeout sets the lifetime, in seconds, of TLS 1.2 (or earlier)\n// sessions created in |ctx| to |timeout|.\nOPENSSL_EXPORT uint32_t SSL_CTX_set_timeout(SSL_CTX *ctx, uint32_t timeout);\n\n// SSL_CTX_set_session_psk_dhe_timeout sets the lifetime, in seconds, of TLS 1.3\n// sessions created in |ctx| to |timeout|.\nOPENSSL_EXPORT void SSL_CTX_set_session_psk_dhe_timeout(SSL_CTX *ctx,\n uint32_t timeout);\n\n// SSL_CTX_get_timeout returns the lifetime, in seconds, of TLS 1.2 (or earlier)\n// sessions created in |ctx|.\nOPENSSL_EXPORT uint32_t SSL_CTX_get_timeout(const SSL_CTX *ctx);\n\n// SSL_MAX_SID_CTX_LENGTH is the maximum length of a session ID context.\n#define SSL_MAX_SID_CTX_LENGTH 32\n\n// SSL_CTX_set_session_id_context sets |ctx|'s session ID context to |sid_ctx|.\n// It returns one on success and zero on error. The session ID context is an\n// application-defined opaque byte string. A session will not be used in a\n// connection without a matching session ID context.\n//\n// For a server, if |SSL_VERIFY_PEER| is enabled, it is an error to not set a\n// session ID context.\nOPENSSL_EXPORT int SSL_CTX_set_session_id_context(SSL_CTX *ctx,\n const uint8_t *sid_ctx,\n size_t sid_ctx_len);\n\n// SSL_set_session_id_context sets |ssl|'s session ID context to |sid_ctx|. It\n// returns one on success and zero on error. See also\n// |SSL_CTX_set_session_id_context|.\nOPENSSL_EXPORT int SSL_set_session_id_context(SSL *ssl, const uint8_t *sid_ctx,\n size_t sid_ctx_len);\n\n// SSL_get0_session_id_context returns a pointer to |ssl|'s session ID context\n// and sets |*out_len| to its length. It returns NULL on error.\nOPENSSL_EXPORT const uint8_t *SSL_get0_session_id_context(const SSL *ssl,\n size_t *out_len);\n\n// SSL_SESSION_CACHE_MAX_SIZE_DEFAULT is the default maximum size of a session\n// cache.\n#define SSL_SESSION_CACHE_MAX_SIZE_DEFAULT (1024 * 20)\n\n// SSL_CTX_sess_set_cache_size sets the maximum size of |ctx|'s internal session\n// cache to |size|. It returns the previous value.\nOPENSSL_EXPORT unsigned long SSL_CTX_sess_set_cache_size(SSL_CTX *ctx,\n unsigned long size);\n\n// SSL_CTX_sess_get_cache_size returns the maximum size of |ctx|'s internal\n// session cache.\nOPENSSL_EXPORT unsigned long SSL_CTX_sess_get_cache_size(const SSL_CTX *ctx);\n\n// SSL_CTX_sess_number returns the number of sessions in |ctx|'s internal\n// session cache.\nOPENSSL_EXPORT size_t SSL_CTX_sess_number(const SSL_CTX *ctx);\n\n// SSL_CTX_add_session inserts |session| into |ctx|'s internal session cache. It\n// returns one on success and zero on error or if |session| is already in the\n// cache. The caller retains its reference to |session|.\nOPENSSL_EXPORT int SSL_CTX_add_session(SSL_CTX *ctx, SSL_SESSION *session);\n\n// SSL_CTX_remove_session removes |session| from |ctx|'s internal session cache.\n// It returns one on success and zero if |session| was not in the cache.\nOPENSSL_EXPORT int SSL_CTX_remove_session(SSL_CTX *ctx, SSL_SESSION *session);\n\n// SSL_CTX_flush_sessions removes all sessions from |ctx| which have expired as\n// of time |time|. If |time| is zero, all sessions are removed.\nOPENSSL_EXPORT void SSL_CTX_flush_sessions(SSL_CTX *ctx, uint64_t time);\n\n// SSL_CTX_sess_set_new_cb sets the callback to be called when a new session is\n// established and ready to be cached. If the session cache is disabled (the\n// appropriate one of |SSL_SESS_CACHE_CLIENT| or |SSL_SESS_CACHE_SERVER| is\n// unset), the callback is not called.\n//\n// The callback is passed a reference to |session|. It returns one if it takes\n// ownership (and then calls |SSL_SESSION_free| when done) and zero otherwise. A\n// consumer which places |session| into an in-memory cache will likely return\n// one, with the cache calling |SSL_SESSION_free|. A consumer which serializes\n// |session| with |SSL_SESSION_to_bytes| may not need to retain |session| and\n// will likely return zero. Returning one is equivalent to calling\n// |SSL_SESSION_up_ref| and then returning zero.\n//\n// Note: For a client, the callback may be called on abbreviated handshakes if a\n// ticket is renewed. Further, it may not be called until some time after\n// |SSL_do_handshake| or |SSL_connect| completes if False Start is enabled. Thus\n// it's recommended to use this callback over calling |SSL_get_session| on\n// handshake completion.\nOPENSSL_EXPORT void SSL_CTX_sess_set_new_cb(\n SSL_CTX *ctx, int (*new_session_cb)(SSL *ssl, SSL_SESSION *session));\n\n// SSL_CTX_sess_get_new_cb returns the callback set by\n// |SSL_CTX_sess_set_new_cb|.\nOPENSSL_EXPORT int (*SSL_CTX_sess_get_new_cb(SSL_CTX *ctx))(\n SSL *ssl, SSL_SESSION *session);\n\n// SSL_CTX_sess_set_remove_cb sets a callback which is called when a session is\n// removed from the internal session cache.\n//\n// TODO(davidben): What is the point of this callback? It seems useless since it\n// only fires on sessions in the internal cache.\nOPENSSL_EXPORT void SSL_CTX_sess_set_remove_cb(\n SSL_CTX *ctx,\n void (*remove_session_cb)(SSL_CTX *ctx, SSL_SESSION *session));\n\n// SSL_CTX_sess_get_remove_cb returns the callback set by\n// |SSL_CTX_sess_set_remove_cb|.\nOPENSSL_EXPORT void (*SSL_CTX_sess_get_remove_cb(SSL_CTX *ctx))(\n SSL_CTX *ctx, SSL_SESSION *session);\n\n// SSL_CTX_sess_set_get_cb sets a callback to look up a session by ID for a\n// server. The callback is passed the session ID and should return a matching\n// |SSL_SESSION| or NULL if not found. It should set |*out_copy| to zero and\n// return a new reference to the session. This callback is not used for a\n// client.\n//\n// For historical reasons, if |*out_copy| is set to one (default), the SSL\n// library will take a new reference to the returned |SSL_SESSION|, expecting\n// the callback to return a non-owning pointer. This is not recommended. If\n// |ctx| and thus the callback is used on multiple threads, the session may be\n// removed and invalidated before the SSL library calls |SSL_SESSION_up_ref|,\n// whereas the callback may synchronize internally.\n//\n// To look up a session asynchronously, the callback may return\n// |SSL_magic_pending_session_ptr|. See the documentation for that function and\n// |SSL_ERROR_PENDING_SESSION|.\n//\n// If the internal session cache is enabled, the callback is only consulted if\n// the internal cache does not return a match.\nOPENSSL_EXPORT void SSL_CTX_sess_set_get_cb(\n SSL_CTX *ctx, SSL_SESSION *(*get_session_cb)(SSL *ssl, const uint8_t *id,\n int id_len, int *out_copy));\n\n// SSL_CTX_sess_get_get_cb returns the callback set by\n// |SSL_CTX_sess_set_get_cb|.\nOPENSSL_EXPORT SSL_SESSION *(*SSL_CTX_sess_get_get_cb(SSL_CTX *ctx))(\n SSL *ssl, const uint8_t *id, int id_len, int *out_copy);\n\n// SSL_magic_pending_session_ptr returns a magic |SSL_SESSION|* which indicates\n// that the session isn't currently unavailable. |SSL_get_error| will then\n// return |SSL_ERROR_PENDING_SESSION| and the handshake can be retried later\n// when the lookup has completed.\nOPENSSL_EXPORT SSL_SESSION *SSL_magic_pending_session_ptr(void);\n\n\n// Session tickets.\n//\n// Session tickets, from RFC 5077, allow session resumption without server-side\n// state. The server maintains a secret ticket key and sends the client opaque\n// encrypted session parameters, called a ticket. When offering the session, the\n// client sends the ticket which the server decrypts to recover session state.\n// Session tickets are enabled by default but may be disabled with\n// |SSL_OP_NO_TICKET|.\n//\n// On the client, ticket-based sessions use the same APIs as ID-based tickets.\n// Callers do not need to handle them differently.\n//\n// On the server, tickets are encrypted and authenticated with a secret key.\n// By default, an |SSL_CTX| will manage session ticket encryption keys by\n// generating them internally and rotating every 48 hours. Tickets are minted\n// and processed transparently. The following functions may be used to configure\n// a persistent key or implement more custom behavior, including key rotation\n// and sharing keys between multiple servers in a large deployment. There are\n// three levels of customisation possible:\n//\n// 1) One can simply set the keys with |SSL_CTX_set_tlsext_ticket_keys|.\n// 2) One can configure an |EVP_CIPHER_CTX| and |HMAC_CTX| directly for\n// encryption and authentication.\n// 3) One can configure an |SSL_TICKET_AEAD_METHOD| to have more control\n// and the option of asynchronous decryption.\n//\n// An attacker that compromises a server's session ticket key can impersonate\n// the server and, prior to TLS 1.3, retroactively decrypt all application\n// traffic from sessions using that ticket key. Thus ticket keys must be\n// regularly rotated for forward secrecy. Note the default key is rotated\n// automatically once every 48 hours but manually configured keys are not.\n\n// SSL_DEFAULT_TICKET_KEY_ROTATION_INTERVAL is the interval with which the\n// default session ticket encryption key is rotated, if in use. If any\n// non-default ticket encryption mechanism is configured, automatic rotation is\n// disabled.\n#define SSL_DEFAULT_TICKET_KEY_ROTATION_INTERVAL (2 * 24 * 60 * 60)\n\n// SSL_CTX_get_tlsext_ticket_keys writes |ctx|'s session ticket key material to\n// |len| bytes of |out|. It returns one on success and zero if |len| is not\n// 48. If |out| is NULL, it returns 48 instead.\nOPENSSL_EXPORT int SSL_CTX_get_tlsext_ticket_keys(SSL_CTX *ctx, void *out,\n size_t len);\n\n// SSL_CTX_set_tlsext_ticket_keys sets |ctx|'s session ticket key material to\n// |len| bytes of |in|. It returns one on success and zero if |len| is not\n// 48. If |in| is NULL, it returns 48 instead.\nOPENSSL_EXPORT int SSL_CTX_set_tlsext_ticket_keys(SSL_CTX *ctx, const void *in,\n size_t len);\n\n// SSL_TICKET_KEY_NAME_LEN is the length of the key name prefix of a session\n// ticket.\n#define SSL_TICKET_KEY_NAME_LEN 16\n\n// SSL_CTX_set_tlsext_ticket_key_cb sets the ticket callback to |callback| and\n// returns one. |callback| will be called when encrypting a new ticket and when\n// decrypting a ticket from the client.\n//\n// In both modes, |ctx| and |hmac_ctx| will already have been initialized with\n// |EVP_CIPHER_CTX_init| and |HMAC_CTX_init|, respectively. |callback|\n// configures |hmac_ctx| with an HMAC digest and key, and configures |ctx|\n// for encryption or decryption, based on the mode.\n//\n// When encrypting a new ticket, |encrypt| will be one. It writes a public\n// 16-byte key name to |key_name| and a fresh IV to |iv|. The output IV length\n// must match |EVP_CIPHER_CTX_iv_length| of the cipher selected. In this mode,\n// |callback| returns 1 on success, 0 to decline sending a ticket, and -1 on\n// error.\n//\n// When decrypting a ticket, |encrypt| will be zero. |key_name| will point to a\n// 16-byte key name and |iv| points to an IV. The length of the IV consumed must\n// match |EVP_CIPHER_CTX_iv_length| of the cipher selected. In this mode,\n// |callback| returns -1 to abort the handshake, 0 if the ticket key was\n// unrecognized, and 1 or 2 on success. If it returns 2, the ticket will be\n// renewed. This may be used to re-key the ticket.\n//\n// WARNING: |callback| wildly breaks the usual return value convention and is\n// called in two different modes.\nOPENSSL_EXPORT int SSL_CTX_set_tlsext_ticket_key_cb(\n SSL_CTX *ctx,\n int (*callback)(SSL *ssl, uint8_t *key_name, uint8_t *iv,\n EVP_CIPHER_CTX *ctx, HMAC_CTX *hmac_ctx, int encrypt));\n\n// ssl_ticket_aead_result_t enumerates the possible results from decrypting a\n// ticket with an |SSL_TICKET_AEAD_METHOD|.\nenum ssl_ticket_aead_result_t BORINGSSL_ENUM_INT {\n // ssl_ticket_aead_success indicates that the ticket was successfully\n // decrypted.\n ssl_ticket_aead_success,\n // ssl_ticket_aead_retry indicates that the operation could not be\n // immediately completed and must be reattempted, via |open|, at a later\n // point.\n ssl_ticket_aead_retry,\n // ssl_ticket_aead_ignore_ticket indicates that the ticket should be ignored\n // (i.e. is corrupt or otherwise undecryptable).\n ssl_ticket_aead_ignore_ticket,\n // ssl_ticket_aead_error indicates that a fatal error occured and the\n // handshake should be terminated.\n ssl_ticket_aead_error,\n};\n\n// ssl_ticket_aead_method_st (aka |SSL_TICKET_AEAD_METHOD|) contains methods\n// for encrypting and decrypting session tickets.\nstruct ssl_ticket_aead_method_st {\n // max_overhead returns the maximum number of bytes of overhead that |seal|\n // may add.\n size_t (*max_overhead)(SSL *ssl);\n\n // seal encrypts and authenticates |in_len| bytes from |in|, writes, at most,\n // |max_out_len| bytes to |out|, and puts the number of bytes written in\n // |*out_len|. The |in| and |out| buffers may be equal but will not otherwise\n // alias. It returns one on success or zero on error. If the function returns\n // but |*out_len| is zero, BoringSSL will skip sending a ticket.\n int (*seal)(SSL *ssl, uint8_t *out, size_t *out_len, size_t max_out_len,\n const uint8_t *in, size_t in_len);\n\n // open authenticates and decrypts |in_len| bytes from |in|, writes, at most,\n // |max_out_len| bytes of plaintext to |out|, and puts the number of bytes\n // written in |*out_len|. The |in| and |out| buffers may be equal but will\n // not otherwise alias. See |ssl_ticket_aead_result_t| for details of the\n // return values. In the case that a retry is indicated, the caller should\n // arrange for the high-level operation on |ssl| to be retried when the\n // operation is completed, which will result in another call to |open|.\n enum ssl_ticket_aead_result_t (*open)(SSL *ssl, uint8_t *out, size_t *out_len,\n size_t max_out_len, const uint8_t *in,\n size_t in_len);\n};\n\n// SSL_CTX_set_ticket_aead_method configures a custom ticket AEAD method table\n// on |ctx|. |aead_method| must remain valid for the lifetime of |ctx|.\nOPENSSL_EXPORT void SSL_CTX_set_ticket_aead_method(\n SSL_CTX *ctx, const SSL_TICKET_AEAD_METHOD *aead_method);\n\n// SSL_process_tls13_new_session_ticket processes an unencrypted TLS 1.3\n// NewSessionTicket message from |buf| and returns a resumable |SSL_SESSION|,\n// or NULL on error. The caller takes ownership of the returned session and\n// must call |SSL_SESSION_free| to free it.\n//\n// |buf| contains |buf_len| bytes that represents a complete NewSessionTicket\n// message including its header, i.e., one byte for the type (0x04) and three\n// bytes for the length. |buf| must contain only one such message.\n//\n// This function may be used to process NewSessionTicket messages in TLS 1.3\n// clients that are handling the record layer externally.\nOPENSSL_EXPORT SSL_SESSION *SSL_process_tls13_new_session_ticket(\n SSL *ssl, const uint8_t *buf, size_t buf_len);\n\n// SSL_CTX_set_num_tickets configures |ctx| to send |num_tickets| immediately\n// after a successful TLS 1.3 handshake as a server. It returns one. Large\n// values of |num_tickets| will be capped within the library.\n//\n// By default, BoringSSL sends two tickets.\nOPENSSL_EXPORT int SSL_CTX_set_num_tickets(SSL_CTX *ctx, size_t num_tickets);\n\n// SSL_CTX_get_num_tickets returns the number of tickets |ctx| will send\n// immediately after a successful TLS 1.3 handshake as a server.\nOPENSSL_EXPORT size_t SSL_CTX_get_num_tickets(const SSL_CTX *ctx);\n\n\n// Diffie-Hellman groups and ephemeral key exchanges.\n//\n// Most TLS handshakes (ECDHE cipher suites in TLS 1.2, and all supported TLS\n// 1.3 modes) incorporate an ephemeral key exchange, most commonly using\n// Elliptic Curve Diffie-Hellman (ECDH), as described in RFC 8422. The key\n// exchange algorithm is negotiated separately from the cipher suite, using\n// NamedGroup values, which define Diffie-Hellman groups.\n//\n// Historically, these values were known as \"curves\", in reference to ECDH, and\n// some APIs refer to the original name. RFC 7919 renamed them to \"groups\" in\n// reference to Diffie-Hellman in general. These values are also used to select\n// experimental post-quantum KEMs. Though not Diffie-Hellman groups, KEMs can\n// fill a similar role in TLS, so they use the same codepoints.\n//\n// In TLS 1.2, the ECDH values also negotiate elliptic curves used in ECDSA. In\n// TLS 1.3 and later, ECDSA curves are part of the signature algorithm. See\n// |SSL_SIGN_*|.\n\n// SSL_GROUP_* define TLS group IDs.\n#define SSL_GROUP_SECP224R1 21\n#define SSL_GROUP_SECP256R1 23\n#define SSL_GROUP_SECP384R1 24\n#define SSL_GROUP_SECP521R1 25\n#define SSL_GROUP_X25519 29\n#define SSL_GROUP_X25519_MLKEM768 0x11ec\n#define SSL_GROUP_X25519_KYBER768_DRAFT00 0x6399\n\n// SSL_CTX_set1_group_ids sets the preferred groups for |ctx| to |group_ids|.\n// Each element of |group_ids| should be one of the |SSL_GROUP_*| constants. It\n// returns one on success and zero on failure.\nOPENSSL_EXPORT int SSL_CTX_set1_group_ids(SSL_CTX *ctx,\n const uint16_t *group_ids,\n size_t num_group_ids);\n\n// SSL_set1_group_ids sets the preferred groups for |ssl| to |group_ids|. Each\n// element of |group_ids| should be one of the |SSL_GROUP_*| constants. It\n// returns one on success and zero on failure.\nOPENSSL_EXPORT int SSL_set1_group_ids(SSL *ssl, const uint16_t *group_ids,\n size_t num_group_ids);\n\n// SSL_get_group_id returns the ID of the group used by |ssl|'s most recently\n// completed handshake, or 0 if not applicable.\nOPENSSL_EXPORT uint16_t SSL_get_group_id(const SSL *ssl);\n\n// SSL_get_group_name returns a human-readable name for the group specified by\n// the given TLS group ID, or NULL if the group is unknown.\nOPENSSL_EXPORT const char *SSL_get_group_name(uint16_t group_id);\n\n// SSL_get_all_group_names outputs a list of possible strings\n// |SSL_get_group_name| may return in this version of BoringSSL. It writes at\n// most |max_out| entries to |out| and returns the total number it would have\n// written, if |max_out| had been large enough. |max_out| may be initially set\n// to zero to size the output.\n//\n// This function is only intended to help initialize tables in callers that want\n// possible strings pre-declared. This list would not be suitable to set a list\n// of supported features. It is in no particular order, and may contain\n// placeholder, experimental, or deprecated values that do not apply to every\n// caller. Future versions of BoringSSL may also return strings not in this\n// list, so this does not apply if, say, sending strings across services.\nOPENSSL_EXPORT size_t SSL_get_all_group_names(const char **out, size_t max_out);\n\n// The following APIs also configure Diffie-Hellman groups, but use |NID_*|\n// constants instead of |SSL_GROUP_*| constants. These are provided for OpenSSL\n// compatibility. Where NIDs are unstable constants specific to OpenSSL and\n// BoringSSL, group IDs are defined by the TLS protocol. Prefer the group ID\n// representation if storing persistently, or exporting to another process or\n// library.\n\n// SSL_CTX_set1_groups sets the preferred groups for |ctx| to be |groups|. Each\n// element of |groups| should be a |NID_*| constant from nid.h. It returns one\n// on success and zero on failure.\nOPENSSL_EXPORT int SSL_CTX_set1_groups(SSL_CTX *ctx, const int *groups,\n size_t num_groups);\n\n// SSL_set1_groups sets the preferred groups for |ssl| to be |groups|. Each\n// element of |groups| should be a |NID_*| constant from nid.h. It returns one\n// on success and zero on failure.\nOPENSSL_EXPORT int SSL_set1_groups(SSL *ssl, const int *groups,\n size_t num_groups);\n\n// SSL_CTX_set1_groups_list decodes |groups| as a colon-separated list of group\n// names (e.g. \"X25519\" or \"P-256\") and sets |ctx|'s preferred groups to the\n// result. It returns one on success and zero on failure.\nOPENSSL_EXPORT int SSL_CTX_set1_groups_list(SSL_CTX *ctx, const char *groups);\n\n// SSL_set1_groups_list decodes |groups| as a colon-separated list of group\n// names (e.g. \"X25519\" or \"P-256\") and sets |ssl|'s preferred groups to the\n// result. It returns one on success and zero on failure.\nOPENSSL_EXPORT int SSL_set1_groups_list(SSL *ssl, const char *groups);\n\n// SSL_get_negotiated_group returns the NID of the group used by |ssl|'s most\n// recently completed handshake, or |NID_undef| if not applicable.\nOPENSSL_EXPORT int SSL_get_negotiated_group(const SSL *ssl);\n\n\n// Certificate verification.\n//\n// SSL may authenticate either endpoint with an X.509 certificate. Typically\n// this is used to authenticate the server to the client. These functions\n// configure certificate verification.\n//\n// WARNING: By default, certificate verification errors on a client are not\n// fatal. See |SSL_VERIFY_NONE| This may be configured with\n// |SSL_CTX_set_verify|.\n//\n// By default clients are anonymous but a server may request a certificate from\n// the client by setting |SSL_VERIFY_PEER|.\n//\n// Many of these functions use OpenSSL's legacy X.509 stack which is\n// underdocumented and deprecated, but the replacement isn't ready yet. For\n// now, consumers may use the existing stack or bypass it by performing\n// certificate verification externally. This may be done with\n// |SSL_CTX_set_cert_verify_callback| or by extracting the chain with\n// |SSL_get_peer_cert_chain| after the handshake. In the future, functions will\n// be added to use the SSL stack without dependency on any part of the legacy\n// X.509 and ASN.1 stack.\n//\n// To augment certificate verification, a client may also enable OCSP stapling\n// (RFC 6066) and Certificate Transparency (RFC 6962) extensions.\n\n// SSL_VERIFY_NONE, on a client, verifies the server certificate but does not\n// make errors fatal. The result may be checked with |SSL_get_verify_result|. On\n// a server it does not request a client certificate. This is the default.\n#define SSL_VERIFY_NONE 0x00\n\n// SSL_VERIFY_PEER, on a client, makes server certificate errors fatal. On a\n// server it requests a client certificate and makes errors fatal. However,\n// anonymous clients are still allowed. See\n// |SSL_VERIFY_FAIL_IF_NO_PEER_CERT|.\n#define SSL_VERIFY_PEER 0x01\n\n// SSL_VERIFY_FAIL_IF_NO_PEER_CERT configures a server to reject connections if\n// the client declines to send a certificate. This flag must be used together\n// with |SSL_VERIFY_PEER|, otherwise it won't work.\n#define SSL_VERIFY_FAIL_IF_NO_PEER_CERT 0x02\n\n// SSL_VERIFY_PEER_IF_NO_OBC configures a server to request a client certificate\n// if and only if Channel ID is not negotiated.\n#define SSL_VERIFY_PEER_IF_NO_OBC 0x04\n\n// SSL_CTX_set_verify configures certificate verification behavior. |mode| is\n// one of the |SSL_VERIFY_*| values defined above. |callback| should be NULL.\n//\n// If |callback| is non-NULL, it is called as in |X509_STORE_CTX_set_verify_cb|,\n// which is a deprecated and fragile mechanism to run the default certificate\n// verification process, but suppress individual errors in it. See\n// |X509_STORE_CTX_set_verify_cb| for details, If set, the callback may use\n// |SSL_get_ex_data_X509_STORE_CTX_idx| with |X509_STORE_CTX_get_ex_data| to\n// look up the |SSL| from |store_ctx|.\n//\n// WARNING: |callback| is not suitable for implementing custom certificate\n// check, accepting all certificates, or extracting the certificate after\n// verification. It does not replace the default process and is called multiple\n// times throughout that process. It is also very difficult to implement this\n// callback safely, without inadvertently relying on implementation details or\n// making incorrect assumptions about when the callback is called.\n//\n// Instead, use |SSL_CTX_set_custom_verify| or\n// |SSL_CTX_set_cert_verify_callback| to customize certificate verification.\n// Those callbacks can inspect the peer-sent chain, call |X509_verify_cert| and\n// inspect the result, or perform other operations more straightforwardly.\nOPENSSL_EXPORT void SSL_CTX_set_verify(\n SSL_CTX *ctx, int mode, int (*callback)(int ok, X509_STORE_CTX *store_ctx));\n\n// SSL_set_verify configures certificate verification behavior. |mode| is one of\n// the |SSL_VERIFY_*| values defined above. |callback| should be NULL.\n//\n// If |callback| is non-NULL, it is called as in |X509_STORE_CTX_set_verify_cb|,\n// which is a deprecated and fragile mechanism to run the default certificate\n// verification process, but suppress individual errors in it. See\n// |X509_STORE_CTX_set_verify_cb| for details, If set, the callback may use\n// |SSL_get_ex_data_X509_STORE_CTX_idx| with |X509_STORE_CTX_get_ex_data| to\n// look up the |SSL| from |store_ctx|.\n//\n// WARNING: |callback| is not suitable for implementing custom certificate\n// check, accepting all certificates, or extracting the certificate after\n// verification. It does not replace the default process and is called multiple\n// times throughout that process. It is also very difficult to implement this\n// callback safely, without inadvertently relying on implementation details or\n// making incorrect assumptions about when the callback is called.\n//\n// Instead, use |SSL_set_custom_verify| or |SSL_set_cert_verify_callback| to\n// customize certificate verification. Those callbacks can inspect the peer-sent\n// chain, call |X509_verify_cert| and inspect the result, or perform other\n// operations more straightforwardly.\nOPENSSL_EXPORT void SSL_set_verify(SSL *ssl, int mode,\n int (*callback)(int ok,\n X509_STORE_CTX *store_ctx));\n\nenum ssl_verify_result_t BORINGSSL_ENUM_INT {\n ssl_verify_ok,\n ssl_verify_invalid,\n ssl_verify_retry,\n};\n\n// SSL_CTX_set_custom_verify configures certificate verification. |mode| is one\n// of the |SSL_VERIFY_*| values defined above. |callback| performs the\n// certificate verification.\n//\n// The callback may call |SSL_get0_peer_certificates| for the certificate chain\n// to validate. The callback should return |ssl_verify_ok| if the certificate is\n// valid. If the certificate is invalid, the callback should return\n// |ssl_verify_invalid| and optionally set |*out_alert| to an alert to send to\n// the peer. Some useful alerts include |SSL_AD_CERTIFICATE_EXPIRED|,\n// |SSL_AD_CERTIFICATE_REVOKED|, |SSL_AD_UNKNOWN_CA|, |SSL_AD_BAD_CERTIFICATE|,\n// |SSL_AD_CERTIFICATE_UNKNOWN|, and |SSL_AD_INTERNAL_ERROR|. See RFC 5246\n// section 7.2.2 for their precise meanings. If unspecified,\n// |SSL_AD_CERTIFICATE_UNKNOWN| will be sent by default.\n//\n// To verify a certificate asynchronously, the callback may return\n// |ssl_verify_retry|. The handshake will then pause with |SSL_get_error|\n// returning |SSL_ERROR_WANT_CERTIFICATE_VERIFY|.\nOPENSSL_EXPORT void SSL_CTX_set_custom_verify(\n SSL_CTX *ctx, int mode,\n enum ssl_verify_result_t (*callback)(SSL *ssl, uint8_t *out_alert));\n\n// SSL_set_custom_verify behaves like |SSL_CTX_set_custom_verify| but configures\n// an individual |SSL|.\nOPENSSL_EXPORT void SSL_set_custom_verify(\n SSL *ssl, int mode,\n enum ssl_verify_result_t (*callback)(SSL *ssl, uint8_t *out_alert));\n\n// SSL_CTX_get_verify_mode returns |ctx|'s verify mode, set by\n// |SSL_CTX_set_verify|.\nOPENSSL_EXPORT int SSL_CTX_get_verify_mode(const SSL_CTX *ctx);\n\n// SSL_get_verify_mode returns |ssl|'s verify mode, set by |SSL_CTX_set_verify|\n// or |SSL_set_verify|. It returns -1 on error.\nOPENSSL_EXPORT int SSL_get_verify_mode(const SSL *ssl);\n\n// SSL_CTX_get_verify_callback returns the callback set by\n// |SSL_CTX_set_verify|.\nOPENSSL_EXPORT int (*SSL_CTX_get_verify_callback(const SSL_CTX *ctx))(\n int ok, X509_STORE_CTX *store_ctx);\n\n// SSL_get_verify_callback returns the callback set by |SSL_CTX_set_verify| or\n// |SSL_set_verify|.\nOPENSSL_EXPORT int (*SSL_get_verify_callback(const SSL *ssl))(\n int ok, X509_STORE_CTX *store_ctx);\n\n// SSL_set1_host sets a DNS name that will be required to be present in the\n// verified leaf certificate. It returns one on success and zero on error.\n//\n// Note: unless _some_ name checking is performed, certificate validation is\n// ineffective. Simply checking that a host has some certificate from a CA is\n// rarely meaningful—you have to check that the CA believed that the host was\n// who you expect to be talking to.\n//\n// By default, both subject alternative names and the subject's common name\n// attribute are checked. The latter has long been deprecated, so callers should\n// call |SSL_set_hostflags| with |X509_CHECK_FLAG_NEVER_CHECK_SUBJECT| to use\n// the standard behavior. https://crbug.com/boringssl/464 tracks fixing the\n// default.\nOPENSSL_EXPORT int SSL_set1_host(SSL *ssl, const char *hostname);\n\n// SSL_set_hostflags calls |X509_VERIFY_PARAM_set_hostflags| on the\n// |X509_VERIFY_PARAM| associated with this |SSL*|. |flags| should be some\n// combination of the |X509_CHECK_*| constants.\nOPENSSL_EXPORT void SSL_set_hostflags(SSL *ssl, unsigned flags);\n\n// SSL_CTX_set_verify_depth sets the maximum depth of a certificate chain\n// accepted in verification. This count excludes both the target certificate and\n// the trust anchor (root certificate).\nOPENSSL_EXPORT void SSL_CTX_set_verify_depth(SSL_CTX *ctx, int depth);\n\n// SSL_set_verify_depth sets the maximum depth of a certificate chain accepted\n// in verification. This count excludes both the target certificate and the\n// trust anchor (root certificate).\nOPENSSL_EXPORT void SSL_set_verify_depth(SSL *ssl, int depth);\n\n// SSL_CTX_get_verify_depth returns the maximum depth of a certificate accepted\n// in verification.\nOPENSSL_EXPORT int SSL_CTX_get_verify_depth(const SSL_CTX *ctx);\n\n// SSL_get_verify_depth returns the maximum depth of a certificate accepted in\n// verification.\nOPENSSL_EXPORT int SSL_get_verify_depth(const SSL *ssl);\n\n// SSL_CTX_set1_param sets verification parameters from |param|. It returns one\n// on success and zero on failure. The caller retains ownership of |param|.\nOPENSSL_EXPORT int SSL_CTX_set1_param(SSL_CTX *ctx,\n const X509_VERIFY_PARAM *param);\n\n// SSL_set1_param sets verification parameters from |param|. It returns one on\n// success and zero on failure. The caller retains ownership of |param|.\nOPENSSL_EXPORT int SSL_set1_param(SSL *ssl, const X509_VERIFY_PARAM *param);\n\n// SSL_CTX_get0_param returns |ctx|'s |X509_VERIFY_PARAM| for certificate\n// verification. The caller must not release the returned pointer but may call\n// functions on it to configure it.\nOPENSSL_EXPORT X509_VERIFY_PARAM *SSL_CTX_get0_param(SSL_CTX *ctx);\n\n// SSL_get0_param returns |ssl|'s |X509_VERIFY_PARAM| for certificate\n// verification. The caller must not release the returned pointer but may call\n// functions on it to configure it.\nOPENSSL_EXPORT X509_VERIFY_PARAM *SSL_get0_param(SSL *ssl);\n\n// SSL_CTX_set_purpose sets |ctx|'s |X509_VERIFY_PARAM|'s 'purpose' parameter to\n// |purpose|. It returns one on success and zero on error.\nOPENSSL_EXPORT int SSL_CTX_set_purpose(SSL_CTX *ctx, int purpose);\n\n// SSL_set_purpose sets |ssl|'s |X509_VERIFY_PARAM|'s 'purpose' parameter to\n// |purpose|. It returns one on success and zero on error.\nOPENSSL_EXPORT int SSL_set_purpose(SSL *ssl, int purpose);\n\n// SSL_CTX_set_trust sets |ctx|'s |X509_VERIFY_PARAM|'s 'trust' parameter to\n// |trust|. It returns one on success and zero on error.\nOPENSSL_EXPORT int SSL_CTX_set_trust(SSL_CTX *ctx, int trust);\n\n// SSL_set_trust sets |ssl|'s |X509_VERIFY_PARAM|'s 'trust' parameter to\n// |trust|. It returns one on success and zero on error.\nOPENSSL_EXPORT int SSL_set_trust(SSL *ssl, int trust);\n\n// SSL_CTX_set_cert_store sets |ctx|'s certificate store to |store|. It takes\n// ownership of |store|. The store is used for certificate verification.\n//\n// The store is also used for the auto-chaining feature, but this is deprecated.\n// See also |SSL_MODE_NO_AUTO_CHAIN|.\nOPENSSL_EXPORT void SSL_CTX_set_cert_store(SSL_CTX *ctx, X509_STORE *store);\n\n// SSL_CTX_get_cert_store returns |ctx|'s certificate store.\nOPENSSL_EXPORT X509_STORE *SSL_CTX_get_cert_store(const SSL_CTX *ctx);\n\n// SSL_CTX_set_default_verify_paths calls |X509_STORE_set_default_paths| on\n// |ctx|'s store. See that function for details.\n//\n// Using this function is not recommended. In OpenSSL, these defaults are\n// determined by OpenSSL's install prefix. There is no corresponding concept for\n// BoringSSL. Future versions of BoringSSL may change or remove this\n// functionality.\nOPENSSL_EXPORT int SSL_CTX_set_default_verify_paths(SSL_CTX *ctx);\n\n// SSL_CTX_load_verify_locations calls |X509_STORE_load_locations| on |ctx|'s\n// store. See that function for details.\nOPENSSL_EXPORT int SSL_CTX_load_verify_locations(SSL_CTX *ctx,\n const char *ca_file,\n const char *ca_dir);\n\n// SSL_get_verify_result returns the result of certificate verification. It is\n// either |X509_V_OK| or a |X509_V_ERR_*| value.\nOPENSSL_EXPORT long SSL_get_verify_result(const SSL *ssl);\n\n// SSL_alert_from_verify_result returns the SSL alert code, such as\n// |SSL_AD_CERTIFICATE_EXPIRED|, that corresponds to an |X509_V_ERR_*| value.\n// The return value is always an alert, even when |result| is |X509_V_OK|.\nOPENSSL_EXPORT int SSL_alert_from_verify_result(long result);\n\n// SSL_get_ex_data_X509_STORE_CTX_idx returns the ex_data index used to look up\n// the |SSL| associated with an |X509_STORE_CTX| in the verify callback.\nOPENSSL_EXPORT int SSL_get_ex_data_X509_STORE_CTX_idx(void);\n\n// SSL_CTX_set_cert_verify_callback sets a custom callback to be called on\n// certificate verification rather than |X509_verify_cert|. |store_ctx| contains\n// the verification parameters. The callback should return one on success and\n// zero on fatal error. It may use |X509_STORE_CTX_set_error| to set a\n// verification result.\n//\n// The callback may use |SSL_get_ex_data_X509_STORE_CTX_idx| to recover the\n// |SSL| object from |store_ctx|.\nOPENSSL_EXPORT void SSL_CTX_set_cert_verify_callback(\n SSL_CTX *ctx, int (*callback)(X509_STORE_CTX *store_ctx, void *arg),\n void *arg);\n\n// SSL_enable_signed_cert_timestamps causes |ssl| (which must be the client end\n// of a connection) to request SCTs from the server. See\n// https://tools.ietf.org/html/rfc6962.\n//\n// Call |SSL_get0_signed_cert_timestamp_list| to recover the SCT after the\n// handshake.\nOPENSSL_EXPORT void SSL_enable_signed_cert_timestamps(SSL *ssl);\n\n// SSL_CTX_enable_signed_cert_timestamps enables SCT requests on all client SSL\n// objects created from |ctx|.\n//\n// Call |SSL_get0_signed_cert_timestamp_list| to recover the SCT after the\n// handshake.\nOPENSSL_EXPORT void SSL_CTX_enable_signed_cert_timestamps(SSL_CTX *ctx);\n\n// SSL_enable_ocsp_stapling causes |ssl| (which must be the client end of a\n// connection) to request a stapled OCSP response from the server.\n//\n// Call |SSL_get0_ocsp_response| to recover the OCSP response after the\n// handshake.\nOPENSSL_EXPORT void SSL_enable_ocsp_stapling(SSL *ssl);\n\n// SSL_CTX_enable_ocsp_stapling enables OCSP stapling on all client SSL objects\n// created from |ctx|.\n//\n// Call |SSL_get0_ocsp_response| to recover the OCSP response after the\n// handshake.\nOPENSSL_EXPORT void SSL_CTX_enable_ocsp_stapling(SSL_CTX *ctx);\n\n// SSL_CTX_set0_verify_cert_store sets an |X509_STORE| that will be used\n// exclusively for certificate verification and returns one. Ownership of\n// |store| is transferred to the |SSL_CTX|.\nOPENSSL_EXPORT int SSL_CTX_set0_verify_cert_store(SSL_CTX *ctx,\n X509_STORE *store);\n\n// SSL_CTX_set1_verify_cert_store sets an |X509_STORE| that will be used\n// exclusively for certificate verification and returns one. An additional\n// reference to |store| will be taken.\nOPENSSL_EXPORT int SSL_CTX_set1_verify_cert_store(SSL_CTX *ctx,\n X509_STORE *store);\n\n// SSL_set0_verify_cert_store sets an |X509_STORE| that will be used\n// exclusively for certificate verification and returns one. Ownership of\n// |store| is transferred to the |SSL|.\nOPENSSL_EXPORT int SSL_set0_verify_cert_store(SSL *ssl, X509_STORE *store);\n\n// SSL_set1_verify_cert_store sets an |X509_STORE| that will be used\n// exclusively for certificate verification and returns one. An additional\n// reference to |store| will be taken.\nOPENSSL_EXPORT int SSL_set1_verify_cert_store(SSL *ssl, X509_STORE *store);\n\n// SSL_CTX_set_verify_algorithm_prefs configures |ctx| to use |prefs| as the\n// preference list when verifying signatures from the peer's long-term key. It\n// returns one on zero on error. |prefs| should not include the internal-only\n// value |SSL_SIGN_RSA_PKCS1_MD5_SHA1|.\nOPENSSL_EXPORT int SSL_CTX_set_verify_algorithm_prefs(SSL_CTX *ctx,\n const uint16_t *prefs,\n size_t num_prefs);\n\n// SSL_set_verify_algorithm_prefs configures |ssl| to use |prefs| as the\n// preference list when verifying signatures from the peer's long-term key. It\n// returns one on zero on error. |prefs| should not include the internal-only\n// value |SSL_SIGN_RSA_PKCS1_MD5_SHA1|.\nOPENSSL_EXPORT int SSL_set_verify_algorithm_prefs(SSL *ssl,\n const uint16_t *prefs,\n size_t num_prefs);\n\n\n// Client certificate CA list.\n//\n// When requesting a client certificate, a server may advertise a list of\n// certificate authorities which are accepted. These functions may be used to\n// configure this list.\n\n// SSL_set_client_CA_list sets |ssl|'s client certificate CA list to\n// |name_list|. It takes ownership of |name_list|.\nOPENSSL_EXPORT void SSL_set_client_CA_list(SSL *ssl,\n STACK_OF(X509_NAME) *name_list);\n\n// SSL_CTX_set_client_CA_list sets |ctx|'s client certificate CA list to\n// |name_list|. It takes ownership of |name_list|.\nOPENSSL_EXPORT void SSL_CTX_set_client_CA_list(SSL_CTX *ctx,\n STACK_OF(X509_NAME) *name_list);\n\n// SSL_set0_client_CAs sets |ssl|'s client certificate CA list to |name_list|,\n// which should contain DER-encoded distinguished names (RFC 5280). It takes\n// ownership of |name_list|.\nOPENSSL_EXPORT void SSL_set0_client_CAs(SSL *ssl,\n STACK_OF(CRYPTO_BUFFER) *name_list);\n\n// SSL_set0_CA_names sets |ssl|'s CA name list for the certificate authorities\n// extension to |name_list|, which should contain DER-encoded distinguished\n// names (RFC 5280). It takes ownership of |name_list|.\nOPENSSL_EXPORT void SSL_set0_CA_names(SSL *ssl,\n STACK_OF(CRYPTO_BUFFER) *name_list);\n\n// SSL_CTX_set0_client_CAs sets |ctx|'s client certificate CA list to\n// |name_list|, which should contain DER-encoded distinguished names (RFC 5280).\n// It takes ownership of |name_list|.\nOPENSSL_EXPORT void SSL_CTX_set0_client_CAs(SSL_CTX *ctx,\n STACK_OF(CRYPTO_BUFFER) *name_list);\n\n// SSL_get_client_CA_list returns |ssl|'s client certificate CA list. If |ssl|\n// has not been configured as a client, this is the list configured by\n// |SSL_CTX_set_client_CA_list|.\n//\n// If configured as a client, it returns the client certificate CA list sent by\n// the server. In this mode, the behavior is undefined except during the\n// callbacks set by |SSL_CTX_set_cert_cb| and |SSL_CTX_set_client_cert_cb| or\n// when the handshake is paused because of them.\nOPENSSL_EXPORT STACK_OF(X509_NAME) *SSL_get_client_CA_list(const SSL *ssl);\n\n// SSL_get0_server_requested_CAs returns the CAs sent by a server to guide a\n// client in certificate selection. They are a series of DER-encoded X.509\n// names. This function may only be called during a callback set by\n// |SSL_CTX_set_cert_cb| or when the handshake is paused because of it.\n//\n// The returned stack is owned by |ssl|, as are its contents. It should not be\n// used past the point where the handshake is restarted after the callback.\nOPENSSL_EXPORT const STACK_OF(CRYPTO_BUFFER) *SSL_get0_server_requested_CAs(\n const SSL *ssl);\n\n// SSL_CTX_get_client_CA_list returns |ctx|'s client certificate CA list.\nOPENSSL_EXPORT STACK_OF(X509_NAME) *SSL_CTX_get_client_CA_list(\n const SSL_CTX *ctx);\n\n// SSL_add_client_CA appends |x509|'s subject to the client certificate CA list.\n// It returns one on success or zero on error. The caller retains ownership of\n// |x509|.\nOPENSSL_EXPORT int SSL_add_client_CA(SSL *ssl, X509 *x509);\n\n// SSL_CTX_add_client_CA appends |x509|'s subject to the client certificate CA\n// list. It returns one on success or zero on error. The caller retains\n// ownership of |x509|.\nOPENSSL_EXPORT int SSL_CTX_add_client_CA(SSL_CTX *ctx, X509 *x509);\n\n// SSL_load_client_CA_file opens |file| and reads PEM-encoded certificates from\n// it. It returns a newly-allocated stack of the certificate subjects or NULL\n// on error. Duplicates in |file| are ignored.\nOPENSSL_EXPORT STACK_OF(X509_NAME) *SSL_load_client_CA_file(const char *file);\n\n// SSL_dup_CA_list makes a deep copy of |list|. It returns the new list on\n// success or NULL on allocation error.\nOPENSSL_EXPORT STACK_OF(X509_NAME) *SSL_dup_CA_list(STACK_OF(X509_NAME) *list);\n\n// SSL_add_file_cert_subjects_to_stack behaves like |SSL_load_client_CA_file|\n// but appends the result to |out|. It returns one on success or zero on\n// error.\nOPENSSL_EXPORT int SSL_add_file_cert_subjects_to_stack(STACK_OF(X509_NAME) *out,\n const char *file);\n\n// SSL_add_bio_cert_subjects_to_stack behaves like\n// |SSL_add_file_cert_subjects_to_stack| but reads from |bio|.\nOPENSSL_EXPORT int SSL_add_bio_cert_subjects_to_stack(STACK_OF(X509_NAME) *out,\n BIO *bio);\n\n\n// Server name indication.\n//\n// The server_name extension (RFC 3546) allows the client to advertise the name\n// of the server it is connecting to. This is used in virtual hosting\n// deployments to select one of a several certificates on a single IP. Only the\n// host_name name type is supported.\n\n#define TLSEXT_NAMETYPE_host_name 0\n\n// SSL_set_tlsext_host_name, for a client, configures |ssl| to advertise |name|\n// in the server_name extension. It returns one on success and zero on error.\nOPENSSL_EXPORT int SSL_set_tlsext_host_name(SSL *ssl, const char *name);\n\n// SSL_get_servername, for a server, returns the hostname supplied by the\n// client or NULL if there was none. The |type| argument must be\n// |TLSEXT_NAMETYPE_host_name|.\nOPENSSL_EXPORT const char *SSL_get_servername(const SSL *ssl, const int type);\n\n// SSL_get_servername_type, for a server, returns |TLSEXT_NAMETYPE_host_name|\n// if the client sent a hostname and -1 otherwise.\nOPENSSL_EXPORT int SSL_get_servername_type(const SSL *ssl);\n\n// SSL_CTX_set_tlsext_servername_callback configures |callback| to be called on\n// the server after ClientHello extensions have been parsed and returns one.\n// The callback may use |SSL_get_servername| to examine the server_name\n// extension and returns a |SSL_TLSEXT_ERR_*| value. The value of |arg| may be\n// set by calling |SSL_CTX_set_tlsext_servername_arg|.\n//\n// If the callback returns |SSL_TLSEXT_ERR_NOACK|, the server_name extension is\n// not acknowledged in the ServerHello. If the return value is\n// |SSL_TLSEXT_ERR_ALERT_FATAL|, then |*out_alert| is the alert to send,\n// defaulting to |SSL_AD_UNRECOGNIZED_NAME|. |SSL_TLSEXT_ERR_ALERT_WARNING| is\n// ignored and treated as |SSL_TLSEXT_ERR_OK|.\nOPENSSL_EXPORT int SSL_CTX_set_tlsext_servername_callback(\n SSL_CTX *ctx, int (*callback)(SSL *ssl, int *out_alert, void *arg));\n\n// SSL_CTX_set_tlsext_servername_arg sets the argument to the servername\n// callback and returns one. See |SSL_CTX_set_tlsext_servername_callback|.\nOPENSSL_EXPORT int SSL_CTX_set_tlsext_servername_arg(SSL_CTX *ctx, void *arg);\n\n// SSL_TLSEXT_ERR_* are values returned by some extension-related callbacks.\n#define SSL_TLSEXT_ERR_OK 0\n#define SSL_TLSEXT_ERR_ALERT_WARNING 1\n#define SSL_TLSEXT_ERR_ALERT_FATAL 2\n#define SSL_TLSEXT_ERR_NOACK 3\n\n// SSL_set_SSL_CTX changes |ssl|'s |SSL_CTX|. |ssl| will use the\n// certificate-related settings from |ctx|, and |SSL_get_SSL_CTX| will report\n// |ctx|. This function may be used during the callbacks registered by\n// |SSL_CTX_set_select_certificate_cb|,\n// |SSL_CTX_set_tlsext_servername_callback|, and |SSL_CTX_set_cert_cb| or when\n// the handshake is paused from them. It is typically used to switch\n// certificates based on SNI.\n//\n// Note the session cache and related settings will continue to use the initial\n// |SSL_CTX|. Callers should use |SSL_CTX_set_session_id_context| to partition\n// the session cache between different domains.\n//\n// TODO(davidben): Should other settings change after this call?\nOPENSSL_EXPORT SSL_CTX *SSL_set_SSL_CTX(SSL *ssl, SSL_CTX *ctx);\n\n\n// Application-layer protocol negotiation.\n//\n// The ALPN extension (RFC 7301) allows negotiating different application-layer\n// protocols over a single port. This is used, for example, to negotiate\n// HTTP/2.\n\n// SSL_CTX_set_alpn_protos sets the client ALPN protocol list on |ctx| to\n// |protos|. |protos| must be in wire-format (i.e. a series of non-empty, 8-bit\n// length-prefixed strings), or the empty string to disable ALPN. It returns\n// zero on success and one on failure. Configuring a non-empty string enables\n// ALPN on a client.\n//\n// WARNING: this function is dangerous because it breaks the usual return value\n// convention.\nOPENSSL_EXPORT int SSL_CTX_set_alpn_protos(SSL_CTX *ctx, const uint8_t *protos,\n size_t protos_len);\n\n// SSL_set_alpn_protos sets the client ALPN protocol list on |ssl| to |protos|.\n// |protos| must be in wire-format (i.e. a series of non-empty, 8-bit\n// length-prefixed strings), or the empty string to disable ALPN. It returns\n// zero on success and one on failure. Configuring a non-empty string enables\n// ALPN on a client.\n//\n// WARNING: this function is dangerous because it breaks the usual return value\n// convention.\nOPENSSL_EXPORT int SSL_set_alpn_protos(SSL *ssl, const uint8_t *protos,\n size_t protos_len);\n\n// SSL_CTX_set_alpn_select_cb sets a callback function on |ctx| that is called\n// during ClientHello processing in order to select an ALPN protocol from the\n// client's list of offered protocols. |SSL_select_next_proto| is an optional\n// utility function which may be useful in implementing this callback.\n//\n// The callback is passed a wire-format (i.e. a series of non-empty, 8-bit\n// length-prefixed strings) ALPN protocol list in |in|. To select a protocol,\n// the callback should set |*out| and |*out_len| to the selected protocol and\n// return |SSL_TLSEXT_ERR_OK| on success. It does not pass ownership of the\n// buffer, so |*out| should point to a static string, a buffer that outlives the\n// callback call, or the corresponding entry in |in|.\n//\n// If the server supports ALPN, but there are no protocols in common, the\n// callback should return |SSL_TLSEXT_ERR_ALERT_FATAL| to abort the connection\n// with a no_application_protocol alert.\n//\n// If the server does not support ALPN, it can return |SSL_TLSEXT_ERR_NOACK| to\n// continue the handshake without negotiating a protocol. This may be useful if\n// multiple server configurations share an |SSL_CTX|, only some of which have\n// ALPN protocols configured.\n//\n// |SSL_TLSEXT_ERR_ALERT_WARNING| is ignored and will be treated as\n// |SSL_TLSEXT_ERR_NOACK|.\n//\n// The callback will only be called if the client supports ALPN. Callers that\n// wish to require ALPN for all clients must check |SSL_get0_alpn_selected|\n// after the handshake. In QUIC connections, this is done automatically.\n//\n// The cipher suite is selected before negotiating ALPN. The callback may use\n// |SSL_get_pending_cipher| to query the cipher suite. This may be used to\n// implement HTTP/2's cipher suite constraints.\nOPENSSL_EXPORT void SSL_CTX_set_alpn_select_cb(\n SSL_CTX *ctx,\n int (*cb)(SSL *ssl, const uint8_t **out, uint8_t *out_len,\n const uint8_t *in, unsigned in_len, void *arg),\n void *arg);\n\n// SSL_get0_alpn_selected gets the selected ALPN protocol (if any) from |ssl|.\n// On return it sets |*out_data| to point to |*out_len| bytes of protocol name\n// (not including the leading length-prefix byte). If the server didn't respond\n// with a negotiated protocol then |*out_len| will be zero.\nOPENSSL_EXPORT void SSL_get0_alpn_selected(const SSL *ssl,\n const uint8_t **out_data,\n unsigned *out_len);\n\n// SSL_CTX_set_allow_unknown_alpn_protos configures client connections on |ctx|\n// to allow unknown ALPN protocols from the server. Otherwise, by default, the\n// client will require that the protocol be advertised in\n// |SSL_CTX_set_alpn_protos|.\nOPENSSL_EXPORT void SSL_CTX_set_allow_unknown_alpn_protos(SSL_CTX *ctx,\n int enabled);\n\n\n// Application-layer protocol settings\n//\n// The ALPS extension (draft-vvv-tls-alps) allows exchanging application-layer\n// settings in the TLS handshake for applications negotiated with ALPN. Note\n// that, when ALPS is negotiated, the client and server each advertise their own\n// settings, so there are functions to both configure setting to send and query\n// received settings.\n\n// SSL_add_application_settings configures |ssl| to enable ALPS with ALPN\n// protocol |proto|, sending an ALPS value of |settings|. It returns one on\n// success and zero on error. If |proto| is negotiated via ALPN and the peer\n// supports ALPS, |settings| will be sent to the peer. The peer's ALPS value can\n// be retrieved with |SSL_get0_peer_application_settings|.\n//\n// On the client, this function should be called before the handshake, once for\n// each supported ALPN protocol which uses ALPS. |proto| must be included in the\n// client's ALPN configuration (see |SSL_CTX_set_alpn_protos| and\n// |SSL_set_alpn_protos|). On the server, ALPS can be preconfigured for each\n// protocol as in the client, or configuration can be deferred to the ALPN\n// callback (see |SSL_CTX_set_alpn_select_cb|), in which case only the selected\n// protocol needs to be configured.\n//\n// ALPS can be independently configured from 0-RTT, however changes in protocol\n// settings will fallback to 1-RTT to negotiate the new value, so it is\n// recommended for |settings| to be relatively stable.\nOPENSSL_EXPORT int SSL_add_application_settings(SSL *ssl, const uint8_t *proto,\n size_t proto_len,\n const uint8_t *settings,\n size_t settings_len);\n\n// SSL_get0_peer_application_settings sets |*out_data| and |*out_len| to a\n// buffer containing the peer's ALPS value, or the empty string if ALPS was not\n// negotiated. Note an empty string could also indicate the peer sent an empty\n// settings value. Use |SSL_has_application_settings| to check if ALPS was\n// negotiated. The output buffer is owned by |ssl| and is valid until the next\n// time |ssl| is modified.\nOPENSSL_EXPORT void SSL_get0_peer_application_settings(const SSL *ssl,\n const uint8_t **out_data,\n size_t *out_len);\n\n// SSL_has_application_settings returns one if ALPS was negotiated on this\n// connection and zero otherwise.\nOPENSSL_EXPORT int SSL_has_application_settings(const SSL *ssl);\n\n// SSL_set_alps_use_new_codepoint configures whether to use the new ALPS\n// codepoint. By default, the old codepoint is used.\nOPENSSL_EXPORT void SSL_set_alps_use_new_codepoint(SSL *ssl, int use_new);\n\n\n// Certificate compression.\n//\n// Certificates in TLS 1.3 can be compressed (RFC 8879). BoringSSL supports this\n// as both a client and a server, but does not link against any specific\n// compression libraries in order to keep dependencies to a minimum. Instead,\n// hooks for compression and decompression can be installed in an |SSL_CTX| to\n// enable support.\n\n// ssl_cert_compression_func_t is a pointer to a function that performs\n// compression. It must write the compressed representation of |in| to |out|,\n// returning one on success and zero on error. The results of compressing\n// certificates are not cached internally. Implementations may wish to implement\n// their own cache if they expect it to be useful given the certificates that\n// they serve.\ntypedef int (*ssl_cert_compression_func_t)(SSL *ssl, CBB *out,\n const uint8_t *in, size_t in_len);\n\n// ssl_cert_decompression_func_t is a pointer to a function that performs\n// decompression. The compressed data from the peer is passed as |in| and the\n// decompressed result must be exactly |uncompressed_len| bytes long. It returns\n// one on success, in which case |*out| must be set to the result of\n// decompressing |in|, or zero on error. Setting |*out| transfers ownership,\n// i.e. |CRYPTO_BUFFER_free| will be called on |*out| at some point in the\n// future. The results of decompressions are not cached internally.\n// Implementations may wish to implement their own cache if they expect it to be\n// useful.\ntypedef int (*ssl_cert_decompression_func_t)(SSL *ssl, CRYPTO_BUFFER **out,\n size_t uncompressed_len,\n const uint8_t *in, size_t in_len);\n\n// SSL_CTX_add_cert_compression_alg registers a certificate compression\n// algorithm on |ctx| with ID |alg_id|. (The value of |alg_id| should be an IANA\n// assigned value and each can only be registered once.)\n//\n// One of the function pointers may be NULL to avoid having to implement both\n// sides of a compression algorithm if you're only going to use it in one\n// direction. In this case, the unimplemented direction acts like it was never\n// configured.\n//\n// For a server, algorithms are registered in preference order with the most\n// preferable first. It returns one on success or zero on error.\nOPENSSL_EXPORT int SSL_CTX_add_cert_compression_alg(\n SSL_CTX *ctx, uint16_t alg_id, ssl_cert_compression_func_t compress,\n ssl_cert_decompression_func_t decompress);\n\n\n// Next protocol negotiation.\n//\n// The NPN extension (draft-agl-tls-nextprotoneg-03) is the predecessor to ALPN\n// and deprecated in favor of it.\n\n// SSL_CTX_set_next_protos_advertised_cb sets a callback that is called when a\n// TLS server needs a list of supported protocols for Next Protocol Negotiation.\n//\n// If the callback wishes to advertise NPN to the client, it should return\n// |SSL_TLSEXT_ERR_OK| and then set |*out| and |*out_len| to describe to a\n// buffer containing a (possibly empty) list of supported protocols in wire\n// format. That is, each protocol is prefixed with a 1-byte length, then\n// concatenated. From there, the client will select a protocol, possibly one not\n// on the server's list. The caller can use |SSL_get0_next_proto_negotiated|\n// after the handshake completes to query the final protocol.\n//\n// The returned buffer must remain valid and unmodified for at least the\n// duration of the |SSL| operation (e.g. |SSL_do_handshake|) that triggered the\n// callback.\n//\n// If the caller wishes not to advertise NPN, it should return\n// |SSL_TLSEXT_ERR_NOACK|. No NPN extension will be included in the ServerHello,\n// and the TLS server will behave as if it does not implement NPN.\nOPENSSL_EXPORT void SSL_CTX_set_next_protos_advertised_cb(\n SSL_CTX *ctx,\n int (*cb)(SSL *ssl, const uint8_t **out, unsigned *out_len, void *arg),\n void *arg);\n\n// SSL_CTX_set_next_proto_select_cb sets a callback that is called when a client\n// needs to select a protocol from the server's provided list, passed in wire\n// format in |in_len| bytes from |in|. The callback can assume that |in| is\n// syntactically valid. |SSL_select_next_proto| is an optional utility function\n// which may be useful in implementing this callback.\n//\n// On success, the callback should return |SSL_TLSEXT_ERR_OK| and set |*out| and\n// |*out_len| to describe a buffer containing the selected protocol, or an\n// empty buffer to select no protocol. The returned buffer may point within\n// |in|, or it may point to some other buffer that remains valid and unmodified\n// for at least the duration of the |SSL| operation (e.g. |SSL_do_handshake|)\n// that triggered the callback.\n//\n// Returning any other value indicates a fatal error and will terminate the TLS\n// connection. To proceed without selecting a protocol, the callback must return\n// |SSL_TLSEXT_ERR_OK| and set |*out| and |*out_len| to an empty buffer. (E.g.\n// NULL and zero, respectively.)\n//\n// Configuring this callback enables NPN on a client. Although the callback can\n// then decline to negotiate a protocol, merely configuring the callback causes\n// the client to offer NPN in the ClientHello. Callers thus should not configure\n// this callback in TLS client contexts that are not intended to use NPN.\nOPENSSL_EXPORT void SSL_CTX_set_next_proto_select_cb(\n SSL_CTX *ctx,\n int (*cb)(SSL *ssl, uint8_t **out, uint8_t *out_len, const uint8_t *in,\n unsigned in_len, void *arg),\n void *arg);\n\n// SSL_get0_next_proto_negotiated sets |*out_data| and |*out_len| to point to\n// the client's requested protocol for this connection. If the client didn't\n// request any protocol, then |*out_len| is set to zero.\n//\n// Note that the client can request any protocol it chooses. The value returned\n// from this function need not be a member of the list of supported protocols\n// provided by the server.\nOPENSSL_EXPORT void SSL_get0_next_proto_negotiated(const SSL *ssl,\n const uint8_t **out_data,\n unsigned *out_len);\n\n// SSL_select_next_proto implements the standard protocol selection for either\n// ALPN servers or NPN clients. It is expected that this function is called from\n// the callback set by |SSL_CTX_set_alpn_select_cb| or\n// |SSL_CTX_set_next_proto_select_cb|.\n//\n// |peer| and |supported| contain the peer and locally-configured protocols,\n// respectively. This function finds the first protocol in |peer| which is also\n// in |supported|. If one was found, it sets |*out| and |*out_len| to point to\n// it and returns |OPENSSL_NPN_NEGOTIATED|. Otherwise, it returns\n// |OPENSSL_NPN_NO_OVERLAP| and sets |*out| and |*out_len| to the first\n// supported protocol.\n//\n// In ALPN, the server should only select protocols among those that the client\n// offered. Thus, if this function returns |OPENSSL_NPN_NO_OVERLAP|, the caller\n// should ignore |*out| and return |SSL_TLSEXT_ERR_ALERT_FATAL| from\n// |SSL_CTX_set_alpn_select_cb|'s callback to indicate there was no match.\n//\n// In NPN, the client may either select one of the server's protocols, or an\n// \"opportunistic\" protocol as described in Section 6 of\n// draft-agl-tls-nextprotoneg-03. When this function returns\n// |OPENSSL_NPN_NO_OVERLAP|, |*out| implicitly selects the first supported\n// protocol for use as the opportunistic protocol. The caller may use it,\n// ignore it and select a different opportunistic protocol, or ignore it and\n// select no protocol (empty string).\n//\n// |peer| and |supported| must be vectors of 8-bit, length-prefixed byte\n// strings. The length byte itself is not included in the length. A byte string\n// of length 0 is invalid. No byte string may be truncated. |supported| must be\n// non-empty; a caller that supports no ALPN/NPN protocols should skip\n// negotiating the extension, rather than calling this function. If any of these\n// preconditions do not hold, this function will return |OPENSSL_NPN_NO_OVERLAP|\n// and set |*out| and |*out_len| to an empty buffer for robustness, but callers\n// are not recommended to rely on this. An empty buffer is not a valid output\n// for |SSL_CTX_set_alpn_select_cb|'s callback.\n//\n// WARNING: |*out| and |*out_len| may alias either |peer| or |supported| and may\n// not be used after one of those buffers is modified or released. Additionally,\n// this function is not const-correct for compatibility reasons. Although |*out|\n// is a non-const pointer, callers may not modify the buffer though |*out|.\nOPENSSL_EXPORT int SSL_select_next_proto(uint8_t **out, uint8_t *out_len,\n const uint8_t *peer, unsigned peer_len,\n const uint8_t *supported,\n unsigned supported_len);\n\n#define OPENSSL_NPN_UNSUPPORTED 0\n#define OPENSSL_NPN_NEGOTIATED 1\n#define OPENSSL_NPN_NO_OVERLAP 2\n\n\n// Channel ID.\n//\n// See draft-balfanz-tls-channelid-01. This is an old, experimental mechanism\n// and should not be used in new code.\n\n// SSL_CTX_set_tls_channel_id_enabled configures whether connections associated\n// with |ctx| should enable Channel ID as a server.\nOPENSSL_EXPORT void SSL_CTX_set_tls_channel_id_enabled(SSL_CTX *ctx,\n int enabled);\n\n// SSL_set_tls_channel_id_enabled configures whether |ssl| should enable Channel\n// ID as a server.\nOPENSSL_EXPORT void SSL_set_tls_channel_id_enabled(SSL *ssl, int enabled);\n\n// SSL_CTX_set1_tls_channel_id configures a TLS client to send a TLS Channel ID\n// to compatible servers. |private_key| must be a P-256 EC key. It returns one\n// on success and zero on error.\nOPENSSL_EXPORT int SSL_CTX_set1_tls_channel_id(SSL_CTX *ctx,\n EVP_PKEY *private_key);\n\n// SSL_set1_tls_channel_id configures a TLS client to send a TLS Channel ID to\n// compatible servers. |private_key| must be a P-256 EC key. It returns one on\n// success and zero on error.\nOPENSSL_EXPORT int SSL_set1_tls_channel_id(SSL *ssl, EVP_PKEY *private_key);\n\n// SSL_get_tls_channel_id gets the client's TLS Channel ID from a server |SSL|\n// and copies up to the first |max_out| bytes into |out|. The Channel ID\n// consists of the client's P-256 public key as an (x,y) pair where each is a\n// 32-byte, big-endian field element. It returns 0 if the client didn't offer a\n// Channel ID and the length of the complete Channel ID otherwise. This function\n// always returns zero if |ssl| is a client.\nOPENSSL_EXPORT size_t SSL_get_tls_channel_id(SSL *ssl, uint8_t *out,\n size_t max_out);\n\n\n// DTLS-SRTP.\n//\n// See RFC 5764.\n\n// srtp_protection_profile_st (aka |SRTP_PROTECTION_PROFILE|) is an SRTP\n// profile for use with the use_srtp extension.\nstruct srtp_protection_profile_st {\n const char *name;\n unsigned long id;\n} /* SRTP_PROTECTION_PROFILE */;\n\nDEFINE_CONST_STACK_OF(SRTP_PROTECTION_PROFILE)\n\n// SRTP_* define constants for SRTP profiles.\n#define SRTP_AES128_CM_SHA1_80 0x0001\n#define SRTP_AES128_CM_SHA1_32 0x0002\n#define SRTP_AES128_F8_SHA1_80 0x0003\n#define SRTP_AES128_F8_SHA1_32 0x0004\n#define SRTP_NULL_SHA1_80 0x0005\n#define SRTP_NULL_SHA1_32 0x0006\n#define SRTP_AEAD_AES_128_GCM 0x0007\n#define SRTP_AEAD_AES_256_GCM 0x0008\n\n// SSL_CTX_set_srtp_profiles enables SRTP for all SSL objects created from\n// |ctx|. |profile| contains a colon-separated list of profile names. It returns\n// one on success and zero on failure.\nOPENSSL_EXPORT int SSL_CTX_set_srtp_profiles(SSL_CTX *ctx,\n const char *profiles);\n\n// SSL_set_srtp_profiles enables SRTP for |ssl|. |profile| contains a\n// colon-separated list of profile names. It returns one on success and zero on\n// failure.\nOPENSSL_EXPORT int SSL_set_srtp_profiles(SSL *ssl, const char *profiles);\n\n// SSL_get_srtp_profiles returns the SRTP profiles supported by |ssl|.\nOPENSSL_EXPORT const STACK_OF(SRTP_PROTECTION_PROFILE) *SSL_get_srtp_profiles(\n const SSL *ssl);\n\n// SSL_get_selected_srtp_profile returns the selected SRTP profile, or NULL if\n// SRTP was not negotiated.\nOPENSSL_EXPORT const SRTP_PROTECTION_PROFILE *SSL_get_selected_srtp_profile(\n SSL *ssl);\n\n\n// Pre-shared keys.\n//\n// Connections may be configured with PSK (Pre-Shared Key) cipher suites. These\n// authenticate using out-of-band pre-shared keys rather than certificates. See\n// RFC 4279.\n//\n// This implementation uses NUL-terminated C strings for identities and identity\n// hints, so values with a NUL character are not supported. (RFC 4279 does not\n// specify the format of an identity.)\n\n// PSK_MAX_IDENTITY_LEN is the maximum supported length of a PSK identity,\n// excluding the NUL terminator.\n#define PSK_MAX_IDENTITY_LEN 128\n\n// PSK_MAX_PSK_LEN is the maximum supported length of a pre-shared key.\n#define PSK_MAX_PSK_LEN 256\n\n// SSL_CTX_set_psk_client_callback sets the callback to be called when PSK is\n// negotiated on the client. This callback must be set to enable PSK cipher\n// suites on the client.\n//\n// The callback is passed the identity hint in |hint| or NULL if none was\n// provided. It should select a PSK identity and write the identity and the\n// corresponding PSK to |identity| and |psk|, respectively. The identity is\n// written as a NUL-terminated C string of length (excluding the NUL terminator)\n// at most |max_identity_len|. The PSK's length must be at most |max_psk_len|.\n// The callback returns the length of the PSK or 0 if no suitable identity was\n// found.\nOPENSSL_EXPORT void SSL_CTX_set_psk_client_callback(\n SSL_CTX *ctx, unsigned (*cb)(SSL *ssl, const char *hint, char *identity,\n unsigned max_identity_len, uint8_t *psk,\n unsigned max_psk_len));\n\n// SSL_set_psk_client_callback sets the callback to be called when PSK is\n// negotiated on the client. This callback must be set to enable PSK cipher\n// suites on the client. See also |SSL_CTX_set_psk_client_callback|.\nOPENSSL_EXPORT void SSL_set_psk_client_callback(\n SSL *ssl, unsigned (*cb)(SSL *ssl, const char *hint, char *identity,\n unsigned max_identity_len, uint8_t *psk,\n unsigned max_psk_len));\n\n// SSL_CTX_set_psk_server_callback sets the callback to be called when PSK is\n// negotiated on the server. This callback must be set to enable PSK cipher\n// suites on the server.\n//\n// The callback is passed the identity in |identity|. It should write a PSK of\n// length at most |max_psk_len| to |psk| and return the number of bytes written\n// or zero if the PSK identity is unknown.\nOPENSSL_EXPORT void SSL_CTX_set_psk_server_callback(\n SSL_CTX *ctx, unsigned (*cb)(SSL *ssl, const char *identity, uint8_t *psk,\n unsigned max_psk_len));\n\n// SSL_set_psk_server_callback sets the callback to be called when PSK is\n// negotiated on the server. This callback must be set to enable PSK cipher\n// suites on the server. See also |SSL_CTX_set_psk_server_callback|.\nOPENSSL_EXPORT void SSL_set_psk_server_callback(\n SSL *ssl, unsigned (*cb)(SSL *ssl, const char *identity, uint8_t *psk,\n unsigned max_psk_len));\n\n// SSL_CTX_use_psk_identity_hint configures server connections to advertise an\n// identity hint of |identity_hint|. It returns one on success and zero on\n// error.\nOPENSSL_EXPORT int SSL_CTX_use_psk_identity_hint(SSL_CTX *ctx,\n const char *identity_hint);\n\n// SSL_use_psk_identity_hint configures server connections to advertise an\n// identity hint of |identity_hint|. It returns one on success and zero on\n// error.\nOPENSSL_EXPORT int SSL_use_psk_identity_hint(SSL *ssl,\n const char *identity_hint);\n\n// SSL_get_psk_identity_hint returns the PSK identity hint advertised for |ssl|\n// or NULL if there is none.\nOPENSSL_EXPORT const char *SSL_get_psk_identity_hint(const SSL *ssl);\n\n// SSL_get_psk_identity, after the handshake completes, returns the PSK identity\n// that was negotiated by |ssl| or NULL if PSK was not used.\nOPENSSL_EXPORT const char *SSL_get_psk_identity(const SSL *ssl);\n\n\n// Delegated credentials.\n//\n// Delegated credentials (RFC 9345) allow a TLS 1.3 endpoint to use its\n// certificate to issue new credentials for authentication. Once issued,\n// credentials can't be revoked. In order to mitigate the damage in case the\n// credential secret key is compromised, the credential is only valid for a\n// short time (days, hours, or even minutes).\n//\n// Currently only the authenticating side, as a server, is implemented. To\n// authenticate with delegated credentials, construct an |SSL_CREDENTIAL| with\n// |SSL_CREDENTIAL_new_delegated| and add it to the credential list. See also\n// |SSL_CTX_add1_credential|. Callers may configure a mix of delegated\n// credentials and X.509 credentials on the same |SSL| or |SSL_CTX| to support a\n// range of clients.\n\n// SSL_CREDENTIAL_new_delegated returns a new, empty delegated credential, or\n// NULL on error. Callers should release the result with |SSL_CREDENTIAL_free|\n// when done.\n//\n// Callers should configure a delegated credential, certificate chain and\n// private key on the credential, along with other properties, then add it with\n// |SSL_CTX_add1_credential|.\nOPENSSL_EXPORT SSL_CREDENTIAL *SSL_CREDENTIAL_new_delegated(void);\n\n// SSL_CREDENTIAL_set1_delegated_credential sets |cred|'s delegated credentials\n// structure to |dc|. It returns one on success and zero on error, including if\n// |dc| is malformed. This should be a DelegatedCredential structure, signed by\n// the end-entity certificate, as described in RFC 9345.\nOPENSSL_EXPORT int SSL_CREDENTIAL_set1_delegated_credential(\n SSL_CREDENTIAL *cred, CRYPTO_BUFFER *dc);\n\n\n// QUIC integration.\n//\n// QUIC acts as an underlying transport for the TLS 1.3 handshake. The following\n// functions allow a QUIC implementation to serve as the underlying transport as\n// described in RFC 9001.\n//\n// When configured for QUIC, |SSL_do_handshake| will drive the handshake as\n// before, but it will not use the configured |BIO|. It will call functions on\n// |SSL_QUIC_METHOD| to configure secrets and send data. If data is needed from\n// the peer, it will return |SSL_ERROR_WANT_READ|. As the caller receives data\n// it can decrypt, it calls |SSL_provide_quic_data|. Subsequent\n// |SSL_do_handshake| calls will then consume that data and progress the\n// handshake. After the handshake is complete, the caller should continue to\n// call |SSL_provide_quic_data| for any post-handshake data, followed by\n// |SSL_process_quic_post_handshake| to process it. It is an error to call\n// |SSL_read| and |SSL_write| in QUIC.\n//\n// 0-RTT behaves similarly to |TLS_method|'s usual behavior. |SSL_do_handshake|\n// returns early as soon as the client (respectively, server) is allowed to send\n// 0-RTT (respectively, half-RTT) data. The caller should then call\n// |SSL_do_handshake| again to consume the remaining handshake messages and\n// confirm the handshake. As a client, |SSL_ERROR_EARLY_DATA_REJECTED| and\n// |SSL_reset_early_data_reject| behave as usual.\n//\n// See https://www.rfc-editor.org/rfc/rfc9001.html#section-4.1 for more details.\n//\n// To avoid DoS attacks, the QUIC implementation must limit the amount of data\n// being queued up. The implementation can call\n// |SSL_quic_max_handshake_flight_len| to get the maximum buffer length at each\n// encryption level.\n//\n// QUIC implementations must additionally configure transport parameters with\n// |SSL_set_quic_transport_params|. |SSL_get_peer_quic_transport_params| may be\n// used to query the value received from the peer. BoringSSL handles this\n// extension as an opaque byte string. The caller is responsible for serializing\n// and parsing them. See https://www.rfc-editor.org/rfc/rfc9000#section-7.4 for\n// details.\n//\n// QUIC additionally imposes restrictions on 0-RTT. In particular, the QUIC\n// transport layer requires that if a server accepts 0-RTT data, then the\n// transport parameters sent on the resumed connection must not lower any limits\n// compared to the transport parameters that the server sent on the connection\n// where the ticket for 0-RTT was issued. In effect, the server must remember\n// the transport parameters with the ticket. Application protocols running on\n// QUIC may impose similar restrictions, for example HTTP/3's restrictions on\n// SETTINGS frames.\n//\n// BoringSSL implements this check by doing a byte-for-byte comparison of an\n// opaque context passed in by the server. This context must be the same on the\n// connection where the ticket was issued and the connection where that ticket\n// is used for 0-RTT. If there is a mismatch, or the context was not set,\n// BoringSSL will reject early data (but not reject the resumption attempt).\n// This context is set via |SSL_set_quic_early_data_context| and should cover\n// both transport parameters and any application state.\n// |SSL_set_quic_early_data_context| must be called on the server with a\n// non-empty context if the server is to support 0-RTT in QUIC.\n//\n// BoringSSL does not perform any client-side checks on the transport\n// parameters received from a server that also accepted early data. It is up to\n// the caller to verify that the received transport parameters do not lower any\n// limits, and to close the QUIC connection if that is not the case. The same\n// holds for any application protocol state remembered for 0-RTT, e.g. HTTP/3\n// SETTINGS.\n\n// ssl_encryption_level_t represents an encryption level in TLS 1.3. Values in\n// this enum match the first 4 epochs used in DTLS 1.3 (section 6.1).\nenum ssl_encryption_level_t BORINGSSL_ENUM_INT {\n ssl_encryption_initial = 0,\n ssl_encryption_early_data = 1,\n ssl_encryption_handshake = 2,\n ssl_encryption_application = 3,\n};\n\n// ssl_quic_method_st (aka |SSL_QUIC_METHOD|) describes custom QUIC hooks.\nstruct ssl_quic_method_st {\n // set_read_secret configures the read secret and cipher suite for the given\n // encryption level. It returns one on success and zero to terminate the\n // handshake with an error. It will be called at most once per encryption\n // level.\n //\n // BoringSSL will not release read keys before QUIC may use them. Once a level\n // has been initialized, QUIC may begin processing data from it. Handshake\n // data should be passed to |SSL_provide_quic_data| and application data (if\n // |level| is |ssl_encryption_early_data| or |ssl_encryption_application|) may\n // be processed according to the rules of the QUIC protocol.\n //\n // QUIC ACKs packets at the same encryption level they were received at,\n // except that client |ssl_encryption_early_data| (0-RTT) packets trigger\n // server |ssl_encryption_application| (1-RTT) ACKs. BoringSSL will always\n // install ACK-writing keys with |set_write_secret| before the packet-reading\n // keys with |set_read_secret|. This ensures the caller can always ACK any\n // packet it decrypts. Note this means the server installs 1-RTT write keys\n // before 0-RTT read keys.\n //\n // The converse is not true. An encryption level may be configured with write\n // secrets a roundtrip before the corresponding secrets for reading ACKs is\n // available.\n int (*set_read_secret)(SSL *ssl, enum ssl_encryption_level_t level,\n const SSL_CIPHER *cipher, const uint8_t *secret,\n size_t secret_len);\n // set_write_secret behaves like |set_read_secret| but configures the write\n // secret and cipher suite for the given encryption level. It will be called\n // at most once per encryption level.\n //\n // BoringSSL will not release write keys before QUIC may use them. If |level|\n // is |ssl_encryption_early_data| or |ssl_encryption_application|, QUIC may\n // begin sending application data at |level|. However, note that BoringSSL\n // configures server |ssl_encryption_application| write keys before the client\n // Finished. This allows QUIC to send half-RTT data, but the handshake is not\n // confirmed at this point and, if requesting client certificates, the client\n // is not yet authenticated.\n //\n // See |set_read_secret| for additional invariants between packets and their\n // ACKs.\n //\n // Note that, on 0-RTT reject, the |ssl_encryption_early_data| write secret\n // may use a different cipher suite from the other keys.\n int (*set_write_secret)(SSL *ssl, enum ssl_encryption_level_t level,\n const SSL_CIPHER *cipher, const uint8_t *secret,\n size_t secret_len);\n // add_handshake_data adds handshake data to the current flight at the given\n // encryption level. It returns one on success and zero on error.\n //\n // BoringSSL will pack data from a single encryption level together, but a\n // single handshake flight may include multiple encryption levels. Callers\n // should defer writing data to the network until |flush_flight| to better\n // pack QUIC packets into transport datagrams.\n //\n // If |level| is not |ssl_encryption_initial|, this function will not be\n // called before |level| is initialized with |set_write_secret|.\n int (*add_handshake_data)(SSL *ssl, enum ssl_encryption_level_t level,\n const uint8_t *data, size_t len);\n // flush_flight is called when the current flight is complete and should be\n // written to the transport. Note a flight may contain data at several\n // encryption levels. It returns one on success and zero on error.\n int (*flush_flight)(SSL *ssl);\n // send_alert sends a fatal alert at the specified encryption level. It\n // returns one on success and zero on error.\n //\n // If |level| is not |ssl_encryption_initial|, this function will not be\n // called before |level| is initialized with |set_write_secret|.\n int (*send_alert)(SSL *ssl, enum ssl_encryption_level_t level, uint8_t alert);\n};\n\n// SSL_quic_max_handshake_flight_len returns returns the maximum number of bytes\n// that may be received at the given encryption level. This function should be\n// used to limit buffering in the QUIC implementation.\n//\n// See https://www.rfc-editor.org/rfc/rfc9000#section-7.5\nOPENSSL_EXPORT size_t SSL_quic_max_handshake_flight_len(\n const SSL *ssl, enum ssl_encryption_level_t level);\n\n// SSL_quic_read_level returns the current read encryption level.\n//\n// TODO(davidben): Is it still necessary to expose this function to callers?\n// QUICHE does not use it.\nOPENSSL_EXPORT enum ssl_encryption_level_t SSL_quic_read_level(const SSL *ssl);\n\n// SSL_quic_write_level returns the current write encryption level.\n//\n// TODO(davidben): Is it still necessary to expose this function to callers?\n// QUICHE does not use it.\nOPENSSL_EXPORT enum ssl_encryption_level_t SSL_quic_write_level(const SSL *ssl);\n\n// SSL_provide_quic_data provides data from QUIC at a particular encryption\n// level |level|. It returns one on success and zero on error. Note this\n// function will return zero if the handshake is not expecting data from |level|\n// at this time. The QUIC implementation should then close the connection with\n// an error.\nOPENSSL_EXPORT int SSL_provide_quic_data(SSL *ssl,\n enum ssl_encryption_level_t level,\n const uint8_t *data, size_t len);\n\n\n// SSL_process_quic_post_handshake processes any data that QUIC has provided\n// after the handshake has completed. This includes NewSessionTicket messages\n// sent by the server. It returns one on success and zero on error.\nOPENSSL_EXPORT int SSL_process_quic_post_handshake(SSL *ssl);\n\n// SSL_CTX_set_quic_method configures the QUIC hooks. This should only be\n// configured with a minimum version of TLS 1.3. |quic_method| must remain valid\n// for the lifetime of |ctx|. It returns one on success and zero on error.\nOPENSSL_EXPORT int SSL_CTX_set_quic_method(SSL_CTX *ctx,\n const SSL_QUIC_METHOD *quic_method);\n\n// SSL_set_quic_method configures the QUIC hooks. This should only be\n// configured with a minimum version of TLS 1.3. |quic_method| must remain valid\n// for the lifetime of |ssl|. It returns one on success and zero on error.\nOPENSSL_EXPORT int SSL_set_quic_method(SSL *ssl,\n const SSL_QUIC_METHOD *quic_method);\n\n// SSL_set_quic_transport_params configures |ssl| to send |params| (of length\n// |params_len|) in the quic_transport_parameters extension in either the\n// ClientHello or EncryptedExtensions handshake message. It is an error to set\n// transport parameters if |ssl| is not configured for QUIC. The buffer pointed\n// to by |params| only need be valid for the duration of the call to this\n// function. This function returns 1 on success and 0 on failure.\nOPENSSL_EXPORT int SSL_set_quic_transport_params(SSL *ssl,\n const uint8_t *params,\n size_t params_len);\n\n// SSL_get_peer_quic_transport_params provides the caller with the value of the\n// quic_transport_parameters extension sent by the peer. A pointer to the buffer\n// containing the TransportParameters will be put in |*out_params|, and its\n// length in |*params_len|. This buffer will be valid for the lifetime of the\n// |SSL|. If no params were received from the peer, |*out_params_len| will be 0.\nOPENSSL_EXPORT void SSL_get_peer_quic_transport_params(\n const SSL *ssl, const uint8_t **out_params, size_t *out_params_len);\n\n// SSL_set_quic_use_legacy_codepoint configures whether to use the legacy QUIC\n// extension codepoint 0xffa5 as opposed to the official value 57. Call with\n// |use_legacy| set to 1 to use 0xffa5 and call with 0 to use 57. By default,\n// the standard code point is used.\nOPENSSL_EXPORT void SSL_set_quic_use_legacy_codepoint(SSL *ssl, int use_legacy);\n\n// SSL_set_quic_early_data_context configures a context string in QUIC servers\n// for accepting early data. If a resumption connection offers early data, the\n// server will check if the value matches that of the connection which minted\n// the ticket. If not, resumption still succeeds but early data is rejected.\n// This should include all QUIC Transport Parameters except ones specified that\n// the client MUST NOT remember. This should also include any application\n// protocol-specific state. For HTTP/3, this should be the serialized server\n// SETTINGS frame and the QUIC Transport Parameters (except the stateless reset\n// token).\n//\n// This function may be called before |SSL_do_handshake| or during server\n// certificate selection. It returns 1 on success and 0 on failure.\nOPENSSL_EXPORT int SSL_set_quic_early_data_context(SSL *ssl,\n const uint8_t *context,\n size_t context_len);\n\n\n// Early data.\n//\n// WARNING: 0-RTT support in BoringSSL is currently experimental and not fully\n// implemented. It may cause interoperability or security failures when used.\n//\n// Early data, or 0-RTT, is a feature in TLS 1.3 which allows clients to send\n// data on the first flight during a resumption handshake. This can save a\n// round-trip in some application protocols.\n//\n// WARNING: A 0-RTT handshake has different security properties from normal\n// handshake, so it is off by default unless opted in. In particular, early data\n// is replayable by a network attacker. Callers must account for this when\n// sending or processing data before the handshake is confirmed. See RFC 8446\n// for more information.\n//\n// As a server, if early data is accepted, |SSL_do_handshake| will complete as\n// soon as the ClientHello is processed and server flight sent. |SSL_write| may\n// be used to send half-RTT data. |SSL_read| will consume early data and\n// transition to 1-RTT data as appropriate. Prior to the transition,\n// |SSL_in_init| will report the handshake is still in progress. Callers may use\n// it or |SSL_in_early_data| to defer or reject requests as needed.\n//\n// Early data as a client is more complex. If the offered session (see\n// |SSL_set_session|) is 0-RTT-capable, the handshake will return after sending\n// the ClientHello. The predicted peer certificates and ALPN protocol will be\n// available via the usual APIs. |SSL_write| will write early data, up to the\n// session's limit. Writes past this limit and |SSL_read| will complete the\n// handshake before continuing. Callers may also call |SSL_do_handshake| again\n// to complete the handshake sooner.\n//\n// If the server accepts early data, the handshake will succeed. |SSL_read| and\n// |SSL_write| will then act as in a 1-RTT handshake. The peer certificates and\n// ALPN protocol will be as predicted and need not be re-queried.\n//\n// If the server rejects early data, |SSL_do_handshake| (and thus |SSL_read| and\n// |SSL_write|) will then fail with |SSL_get_error| returning\n// |SSL_ERROR_EARLY_DATA_REJECTED|. The caller should treat this as a connection\n// error and most likely perform a high-level retry. Note the server may still\n// have processed the early data due to attacker replays.\n//\n// To then continue the handshake on the original connection, use\n// |SSL_reset_early_data_reject|. The connection will then behave as one which\n// had not yet completed the handshake. This allows a faster retry than making a\n// fresh connection. |SSL_do_handshake| will complete the full handshake,\n// possibly resulting in different peer certificates, ALPN protocol, and other\n// properties. The caller must disregard any values from before the reset and\n// query again.\n//\n// Finally, to implement the fallback described in RFC 8446 appendix D.3, retry\n// on a fresh connection without 0-RTT if the handshake fails with\n// |SSL_R_WRONG_VERSION_ON_EARLY_DATA|.\n\n// SSL_CTX_set_early_data_enabled sets whether early data is allowed to be used\n// with resumptions using |ctx|.\nOPENSSL_EXPORT void SSL_CTX_set_early_data_enabled(SSL_CTX *ctx, int enabled);\n\n// SSL_set_early_data_enabled sets whether early data is allowed to be used\n// with resumptions using |ssl|. See |SSL_CTX_set_early_data_enabled| for more\n// information.\nOPENSSL_EXPORT void SSL_set_early_data_enabled(SSL *ssl, int enabled);\n\n// SSL_in_early_data returns one if |ssl| has a pending handshake that has\n// progressed enough to send or receive early data. Clients may call |SSL_write|\n// to send early data, but |SSL_read| will complete the handshake before\n// accepting application data. Servers may call |SSL_read| to read early data\n// and |SSL_write| to send half-RTT data.\nOPENSSL_EXPORT int SSL_in_early_data(const SSL *ssl);\n\n// SSL_SESSION_early_data_capable returns whether early data would have been\n// attempted with |session| if enabled.\nOPENSSL_EXPORT int SSL_SESSION_early_data_capable(const SSL_SESSION *session);\n\n// SSL_SESSION_copy_without_early_data returns a copy of |session| with early\n// data disabled. If |session| already does not support early data, it returns\n// |session| with the reference count increased. The caller takes ownership of\n// the result and must release it with |SSL_SESSION_free|.\n//\n// This function may be used on the client to clear early data support from\n// existing sessions when the server rejects early data. In particular,\n// |SSL_R_WRONG_VERSION_ON_EARLY_DATA| requires a fresh connection to retry, and\n// the client would not want 0-RTT enabled for the next connection attempt.\nOPENSSL_EXPORT SSL_SESSION *SSL_SESSION_copy_without_early_data(\n SSL_SESSION *session);\n\n// SSL_early_data_accepted returns whether early data was accepted on the\n// handshake performed by |ssl|.\nOPENSSL_EXPORT int SSL_early_data_accepted(const SSL *ssl);\n\n// SSL_reset_early_data_reject resets |ssl| after an early data reject. All\n// 0-RTT state is discarded, including any pending |SSL_write| calls. The caller\n// should treat |ssl| as a logically fresh connection, usually by driving the\n// handshake to completion using |SSL_do_handshake|.\n//\n// It is an error to call this function on an |SSL| object that is not signaling\n// |SSL_ERROR_EARLY_DATA_REJECTED|.\nOPENSSL_EXPORT void SSL_reset_early_data_reject(SSL *ssl);\n\n// SSL_get_ticket_age_skew returns the difference, in seconds, between the\n// client-sent ticket age and the server-computed value in TLS 1.3 server\n// connections which resumed a session.\nOPENSSL_EXPORT int32_t SSL_get_ticket_age_skew(const SSL *ssl);\n\n// An ssl_early_data_reason_t describes why 0-RTT was accepted or rejected.\n// These values are persisted to logs. Entries should not be renumbered and\n// numeric values should never be reused.\nenum ssl_early_data_reason_t BORINGSSL_ENUM_INT {\n // The handshake has not progressed far enough for the 0-RTT status to be\n // known.\n ssl_early_data_unknown = 0,\n // 0-RTT is disabled for this connection.\n ssl_early_data_disabled = 1,\n // 0-RTT was accepted.\n ssl_early_data_accepted = 2,\n // The negotiated protocol version does not support 0-RTT.\n ssl_early_data_protocol_version = 3,\n // The peer declined to offer or accept 0-RTT for an unknown reason.\n ssl_early_data_peer_declined = 4,\n // The client did not offer a session.\n ssl_early_data_no_session_offered = 5,\n // The server declined to resume the session.\n ssl_early_data_session_not_resumed = 6,\n // The session does not support 0-RTT.\n ssl_early_data_unsupported_for_session = 7,\n // The server sent a HelloRetryRequest.\n ssl_early_data_hello_retry_request = 8,\n // The negotiated ALPN protocol did not match the session.\n ssl_early_data_alpn_mismatch = 9,\n // The connection negotiated Channel ID, which is incompatible with 0-RTT.\n ssl_early_data_channel_id = 10,\n // Value 11 is reserved. (It has historically |ssl_early_data_token_binding|.)\n // The client and server ticket age were too far apart.\n ssl_early_data_ticket_age_skew = 12,\n // QUIC parameters differ between this connection and the original.\n ssl_early_data_quic_parameter_mismatch = 13,\n // The application settings did not match the session.\n ssl_early_data_alps_mismatch = 14,\n // The value of the largest entry.\n ssl_early_data_reason_max_value = ssl_early_data_alps_mismatch,\n};\n\n// SSL_get_early_data_reason returns details why 0-RTT was accepted or rejected\n// on |ssl|. This is primarily useful on the server.\nOPENSSL_EXPORT enum ssl_early_data_reason_t SSL_get_early_data_reason(\n const SSL *ssl);\n\n// SSL_early_data_reason_string returns a string representation for |reason|, or\n// NULL if |reason| is unknown. This function may be used for logging.\nOPENSSL_EXPORT const char *SSL_early_data_reason_string(\n enum ssl_early_data_reason_t reason);\n\n\n// Encrypted ClientHello.\n//\n// ECH is a mechanism for encrypting the entire ClientHello message in TLS 1.3.\n// This can prevent observers from seeing cleartext information about the\n// connection, such as the server_name extension.\n//\n// By default, BoringSSL will treat the server name, session ticket, and client\n// certificate as secret, but most other parameters, such as the ALPN protocol\n// list will be treated as public and sent in the cleartext ClientHello. Other\n// APIs may be added for applications with different secrecy requirements.\n//\n// ECH support in BoringSSL is still experimental and under development.\n//\n// See https://tools.ietf.org/html/draft-ietf-tls-esni-13.\n\n// SSL_set_enable_ech_grease configures whether the client will send a GREASE\n// ECH extension when no supported ECHConfig is available.\nOPENSSL_EXPORT void SSL_set_enable_ech_grease(SSL *ssl, int enable);\n\n// SSL_set1_ech_config_list configures |ssl| to, as a client, offer ECH with the\n// specified configuration. |ech_config_list| should contain a serialized\n// ECHConfigList structure. It returns one on success and zero on error.\n//\n// This function returns an error if the input is malformed. If the input is\n// valid but none of the ECHConfigs implement supported parameters, it will\n// return success and proceed without ECH.\n//\n// If a supported ECHConfig is found, |ssl| will encrypt the true ClientHello\n// parameters. If the server cannot decrypt it, e.g. due to a key mismatch, ECH\n// has a recovery flow. |ssl| will handshake using the cleartext parameters,\n// including a public name in the ECHConfig. If using\n// |SSL_CTX_set_custom_verify|, callers should use |SSL_get0_ech_name_override|\n// to verify the certificate with the public name. If using the built-in\n// verifier, the |X509_STORE_CTX| will be configured automatically.\n//\n// If no other errors are found in this handshake, it will fail with\n// |SSL_R_ECH_REJECTED|. Since it didn't use the true parameters, the connection\n// cannot be used for application data. Instead, callers should handle this\n// error by calling |SSL_get0_ech_retry_configs| and retrying the connection\n// with updated ECH parameters. If the retry also fails with\n// |SSL_R_ECH_REJECTED|, the caller should report a connection failure.\nOPENSSL_EXPORT int SSL_set1_ech_config_list(SSL *ssl,\n const uint8_t *ech_config_list,\n size_t ech_config_list_len);\n\n// SSL_get0_ech_name_override, if |ssl| is a client and the server rejected ECH,\n// sets |*out_name| and |*out_name_len| to point to a buffer containing the ECH\n// public name. Otherwise, the buffer will be empty.\n//\n// When offering ECH as a client, this function should be called during the\n// certificate verification callback (see |SSL_CTX_set_custom_verify|). If\n// |*out_name_len| is non-zero, the caller should verify the certificate against\n// the result, interpreted as a DNS name, rather than the true server name. In\n// this case, the handshake will never succeed and is only used to authenticate\n// retry configs. See also |SSL_get0_ech_retry_configs|.\nOPENSSL_EXPORT void SSL_get0_ech_name_override(const SSL *ssl,\n const char **out_name,\n size_t *out_name_len);\n\n// SSL_get0_ech_retry_configs sets |*out_retry_configs| and\n// |*out_retry_configs_len| to a buffer containing a serialized ECHConfigList.\n// If the server did not provide an ECHConfigList, |*out_retry_configs_len| will\n// be zero.\n//\n// When handling an |SSL_R_ECH_REJECTED| error code as a client, callers should\n// use this function to recover from potential key mismatches. If the result is\n// non-empty, the caller should retry the connection, passing this buffer to\n// |SSL_set1_ech_config_list|. If the result is empty, the server has rolled\n// back ECH support, and the caller should retry without ECH.\n//\n// This function must only be called in response to an |SSL_R_ECH_REJECTED|\n// error code. Calling this function on |ssl|s that have not authenticated the\n// rejection handshake will assert in debug builds and otherwise return an\n// unparsable list.\nOPENSSL_EXPORT void SSL_get0_ech_retry_configs(\n const SSL *ssl, const uint8_t **out_retry_configs,\n size_t *out_retry_configs_len);\n\n// SSL_marshal_ech_config constructs a new serialized ECHConfig. On success, it\n// sets |*out| to a newly-allocated buffer containing the result and |*out_len|\n// to the size of the buffer. The caller must call |OPENSSL_free| on |*out| to\n// release the memory. On failure, it returns zero.\n//\n// The |config_id| field is a single byte identifier for the ECHConfig. Reusing\n// config IDs is allowed, but if multiple ECHConfigs with the same config ID are\n// active at a time, server load may increase. See\n// |SSL_ECH_KEYS_has_duplicate_config_id|.\n//\n// The public key and KEM algorithm are taken from |key|. |public_name| is the\n// DNS name used to authenticate the recovery flow. |max_name_len| should be the\n// length of the longest name in the ECHConfig's anonymity set and influences\n// client padding decisions.\nOPENSSL_EXPORT int SSL_marshal_ech_config(uint8_t **out, size_t *out_len,\n uint8_t config_id,\n const EVP_HPKE_KEY *key,\n const char *public_name,\n size_t max_name_len);\n\n// SSL_ECH_KEYS_new returns a newly-allocated |SSL_ECH_KEYS| or NULL on error.\nOPENSSL_EXPORT SSL_ECH_KEYS *SSL_ECH_KEYS_new(void);\n\n// SSL_ECH_KEYS_up_ref increments the reference count of |keys|.\nOPENSSL_EXPORT void SSL_ECH_KEYS_up_ref(SSL_ECH_KEYS *keys);\n\n// SSL_ECH_KEYS_free releases memory associated with |keys|.\nOPENSSL_EXPORT void SSL_ECH_KEYS_free(SSL_ECH_KEYS *keys);\n\n// SSL_ECH_KEYS_add decodes |ech_config| as an ECHConfig and appends it with\n// |key| to |keys|. If |is_retry_config| is non-zero, this config will be\n// returned to the client on configuration mismatch. It returns one on success\n// and zero on error.\n//\n// This function should be called successively to register each ECHConfig in\n// decreasing order of preference. This configuration must be completed before\n// setting |keys| on an |SSL_CTX| with |SSL_CTX_set1_ech_keys|. After that\n// point, |keys| is immutable; no more ECHConfig values may be added.\n//\n// See also |SSL_CTX_set1_ech_keys|.\nOPENSSL_EXPORT int SSL_ECH_KEYS_add(SSL_ECH_KEYS *keys, int is_retry_config,\n const uint8_t *ech_config,\n size_t ech_config_len,\n const EVP_HPKE_KEY *key);\n\n// SSL_ECH_KEYS_has_duplicate_config_id returns one if |keys| has duplicate\n// config IDs or zero otherwise. Duplicate config IDs still work, but may\n// increase server load due to trial decryption.\nOPENSSL_EXPORT int SSL_ECH_KEYS_has_duplicate_config_id(\n const SSL_ECH_KEYS *keys);\n\n// SSL_ECH_KEYS_marshal_retry_configs serializes the retry configs in |keys| as\n// an ECHConfigList. On success, it sets |*out| to a newly-allocated buffer\n// containing the result and |*out_len| to the size of the buffer. The caller\n// must call |OPENSSL_free| on |*out| to release the memory. On failure, it\n// returns zero.\n//\n// This output may be advertised to clients in DNS.\nOPENSSL_EXPORT int SSL_ECH_KEYS_marshal_retry_configs(const SSL_ECH_KEYS *keys,\n uint8_t **out,\n size_t *out_len);\n\n// SSL_CTX_set1_ech_keys configures |ctx| to use |keys| to decrypt encrypted\n// ClientHellos. It returns one on success, and zero on failure. If |keys| does\n// not contain any retry configs, this function will fail. Retry configs are\n// marked as such when they are added to |keys| with |SSL_ECH_KEYS_add|.\n//\n// Once |keys| has been passed to this function, it is immutable. Unlike most\n// |SSL_CTX| configuration functions, this function may be called even if |ctx|\n// already has associated connections on multiple threads. This may be used to\n// rotate keys in a long-lived server process.\n//\n// The configured ECHConfig values should also be advertised out-of-band via DNS\n// (see draft-ietf-dnsop-svcb-https). Before advertising an ECHConfig in DNS,\n// deployments should ensure all instances of the service are configured with\n// the ECHConfig and corresponding private key.\n//\n// Only the most recent fully-deployed ECHConfigs should be advertised in DNS.\n// |keys| may contain a newer set if those ECHConfigs are mid-deployment. It\n// should also contain older sets, until the DNS change has rolled out and the\n// old records have expired from caches.\n//\n// If there is a mismatch, |SSL| objects associated with |ctx| will complete the\n// handshake using the cleartext ClientHello and send updated ECHConfig values\n// to the client. The client will then retry to recover, but with a latency\n// penalty. This recovery flow depends on the public name in the ECHConfig.\n// Before advertising an ECHConfig in DNS, deployments must ensure all instances\n// of the service can present a valid certificate for the public name.\n//\n// BoringSSL negotiates ECH before certificate selection callbacks are called,\n// including |SSL_CTX_set_select_certificate_cb|. If ECH is negotiated, the\n// reported |SSL_CLIENT_HELLO| structure and |SSL_get_servername| function will\n// transparently reflect the inner ClientHello. Callers should select parameters\n// based on these values to correctly handle ECH as well as the recovery flow.\nOPENSSL_EXPORT int SSL_CTX_set1_ech_keys(SSL_CTX *ctx, SSL_ECH_KEYS *keys);\n\n// SSL_ech_accepted returns one if |ssl| negotiated ECH and zero otherwise.\nOPENSSL_EXPORT int SSL_ech_accepted(const SSL *ssl);\n\n\n// Alerts.\n//\n// TLS uses alerts to signal error conditions. Alerts have a type (warning or\n// fatal) and description. OpenSSL internally handles fatal alerts with\n// dedicated error codes (see |SSL_AD_REASON_OFFSET|). Except for close_notify,\n// warning alerts are silently ignored and may only be surfaced with\n// |SSL_CTX_set_info_callback|.\n\n// SSL_AD_REASON_OFFSET is the offset between error reasons and |SSL_AD_*|\n// values. Any error code under |ERR_LIB_SSL| with an error reason above this\n// value corresponds to an alert description. Consumers may add or subtract\n// |SSL_AD_REASON_OFFSET| to convert between them.\n//\n// make_errors.go reserves error codes above 1000 for manually-assigned errors.\n// This value must be kept in sync with reservedReasonCode in make_errors.h\n#define SSL_AD_REASON_OFFSET 1000\n\n// SSL_AD_* are alert descriptions.\n#define SSL_AD_CLOSE_NOTIFY SSL3_AD_CLOSE_NOTIFY\n#define SSL_AD_UNEXPECTED_MESSAGE SSL3_AD_UNEXPECTED_MESSAGE\n#define SSL_AD_BAD_RECORD_MAC SSL3_AD_BAD_RECORD_MAC\n#define SSL_AD_DECRYPTION_FAILED TLS1_AD_DECRYPTION_FAILED\n#define SSL_AD_RECORD_OVERFLOW TLS1_AD_RECORD_OVERFLOW\n#define SSL_AD_DECOMPRESSION_FAILURE SSL3_AD_DECOMPRESSION_FAILURE\n#define SSL_AD_HANDSHAKE_FAILURE SSL3_AD_HANDSHAKE_FAILURE\n#define SSL_AD_NO_CERTIFICATE SSL3_AD_NO_CERTIFICATE // Legacy SSL 3.0 value\n#define SSL_AD_BAD_CERTIFICATE SSL3_AD_BAD_CERTIFICATE\n#define SSL_AD_UNSUPPORTED_CERTIFICATE SSL3_AD_UNSUPPORTED_CERTIFICATE\n#define SSL_AD_CERTIFICATE_REVOKED SSL3_AD_CERTIFICATE_REVOKED\n#define SSL_AD_CERTIFICATE_EXPIRED SSL3_AD_CERTIFICATE_EXPIRED\n#define SSL_AD_CERTIFICATE_UNKNOWN SSL3_AD_CERTIFICATE_UNKNOWN\n#define SSL_AD_ILLEGAL_PARAMETER SSL3_AD_ILLEGAL_PARAMETER\n#define SSL_AD_UNKNOWN_CA TLS1_AD_UNKNOWN_CA\n#define SSL_AD_ACCESS_DENIED TLS1_AD_ACCESS_DENIED\n#define SSL_AD_DECODE_ERROR TLS1_AD_DECODE_ERROR\n#define SSL_AD_DECRYPT_ERROR TLS1_AD_DECRYPT_ERROR\n#define SSL_AD_EXPORT_RESTRICTION TLS1_AD_EXPORT_RESTRICTION\n#define SSL_AD_PROTOCOL_VERSION TLS1_AD_PROTOCOL_VERSION\n#define SSL_AD_INSUFFICIENT_SECURITY TLS1_AD_INSUFFICIENT_SECURITY\n#define SSL_AD_INTERNAL_ERROR TLS1_AD_INTERNAL_ERROR\n#define SSL_AD_INAPPROPRIATE_FALLBACK SSL3_AD_INAPPROPRIATE_FALLBACK\n#define SSL_AD_USER_CANCELLED TLS1_AD_USER_CANCELLED\n#define SSL_AD_NO_RENEGOTIATION TLS1_AD_NO_RENEGOTIATION\n#define SSL_AD_MISSING_EXTENSION TLS1_AD_MISSING_EXTENSION\n#define SSL_AD_UNSUPPORTED_EXTENSION TLS1_AD_UNSUPPORTED_EXTENSION\n#define SSL_AD_CERTIFICATE_UNOBTAINABLE TLS1_AD_CERTIFICATE_UNOBTAINABLE\n#define SSL_AD_UNRECOGNIZED_NAME TLS1_AD_UNRECOGNIZED_NAME\n#define SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE \\\n TLS1_AD_BAD_CERTIFICATE_STATUS_RESPONSE\n#define SSL_AD_BAD_CERTIFICATE_HASH_VALUE TLS1_AD_BAD_CERTIFICATE_HASH_VALUE\n#define SSL_AD_UNKNOWN_PSK_IDENTITY TLS1_AD_UNKNOWN_PSK_IDENTITY\n#define SSL_AD_CERTIFICATE_REQUIRED TLS1_AD_CERTIFICATE_REQUIRED\n#define SSL_AD_NO_APPLICATION_PROTOCOL TLS1_AD_NO_APPLICATION_PROTOCOL\n#define SSL_AD_ECH_REQUIRED TLS1_AD_ECH_REQUIRED\n\n// SSL_alert_type_string_long returns a string description of |value| as an\n// alert type (warning or fatal).\nOPENSSL_EXPORT const char *SSL_alert_type_string_long(int value);\n\n// SSL_alert_desc_string_long returns a string description of |value| as an\n// alert description or \"unknown\" if unknown.\nOPENSSL_EXPORT const char *SSL_alert_desc_string_long(int value);\n\n// SSL_send_fatal_alert sends a fatal alert over |ssl| of the specified type,\n// which should be one of the |SSL_AD_*| constants. It returns one on success\n// and <= 0 on error. The caller should pass the return value into\n// |SSL_get_error| to determine how to proceed. Once this function has been\n// called, future calls to |SSL_write| will fail.\n//\n// If retrying a failed operation due to |SSL_ERROR_WANT_WRITE|, subsequent\n// calls must use the same |alert| parameter.\nOPENSSL_EXPORT int SSL_send_fatal_alert(SSL *ssl, uint8_t alert);\n\n\n// ex_data functions.\n//\n// See |ex_data.h| for details.\n\nOPENSSL_EXPORT int SSL_set_ex_data(SSL *ssl, int idx, void *data);\nOPENSSL_EXPORT void *SSL_get_ex_data(const SSL *ssl, int idx);\nOPENSSL_EXPORT int SSL_get_ex_new_index(long argl, void *argp,\n CRYPTO_EX_unused *unused,\n CRYPTO_EX_dup *dup_unused,\n CRYPTO_EX_free *free_func);\n\nOPENSSL_EXPORT int SSL_SESSION_set_ex_data(SSL_SESSION *session, int idx,\n void *data);\nOPENSSL_EXPORT void *SSL_SESSION_get_ex_data(const SSL_SESSION *session,\n int idx);\nOPENSSL_EXPORT int SSL_SESSION_get_ex_new_index(long argl, void *argp,\n CRYPTO_EX_unused *unused,\n CRYPTO_EX_dup *dup_unused,\n CRYPTO_EX_free *free_func);\n\nOPENSSL_EXPORT int SSL_CTX_set_ex_data(SSL_CTX *ctx, int idx, void *data);\nOPENSSL_EXPORT void *SSL_CTX_get_ex_data(const SSL_CTX *ctx, int idx);\nOPENSSL_EXPORT int SSL_CTX_get_ex_new_index(long argl, void *argp,\n CRYPTO_EX_unused *unused,\n CRYPTO_EX_dup *dup_unused,\n CRYPTO_EX_free *free_func);\n\nOPENSSL_EXPORT int SSL_CREDENTIAL_set_ex_data(SSL_CREDENTIAL *cred, int idx,\n void *data);\nOPENSSL_EXPORT void *SSL_CREDENTIAL_get_ex_data(const SSL_CREDENTIAL *cred,\n int idx);\nOPENSSL_EXPORT int SSL_CREDENTIAL_get_ex_new_index(long argl, void *argp,\n CRYPTO_EX_unused *unused,\n CRYPTO_EX_dup *dup_unused,\n CRYPTO_EX_free *free_func);\n\n\n// Low-level record-layer state.\n\n// SSL_get_ivs sets |*out_iv_len| to the length of the IVs for the ciphers\n// underlying |ssl| and sets |*out_read_iv| and |*out_write_iv| to point to the\n// current IVs for the read and write directions. This is only meaningful for\n// connections with implicit IVs (i.e. CBC mode with TLS 1.0).\n//\n// It returns one on success or zero on error.\nOPENSSL_EXPORT int SSL_get_ivs(const SSL *ssl, const uint8_t **out_read_iv,\n const uint8_t **out_write_iv,\n size_t *out_iv_len);\n\n// SSL_get_key_block_len returns the length of |ssl|'s key block, for TLS 1.2\n// and below. It is an error to call this function during a handshake, or if\n// |ssl| negotiated TLS 1.3.\nOPENSSL_EXPORT size_t SSL_get_key_block_len(const SSL *ssl);\n\n// SSL_generate_key_block generates |out_len| bytes of key material for |ssl|'s\n// current connection state, for TLS 1.2 and below. It is an error to call this\n// function during a handshake, or if |ssl| negotiated TLS 1.3.\nOPENSSL_EXPORT int SSL_generate_key_block(const SSL *ssl, uint8_t *out,\n size_t out_len);\n\n// SSL_get_read_sequence returns, in TLS, the expected sequence number of the\n// next incoming record in the current epoch. In DTLS, it returns the maximum\n// sequence number received in the current epoch and includes the epoch number\n// in the two most significant bytes.\nOPENSSL_EXPORT uint64_t SSL_get_read_sequence(const SSL *ssl);\n\n// SSL_get_write_sequence returns the sequence number of the next outgoing\n// record in the current epoch. In DTLS, it includes the epoch number in the\n// two most significant bytes.\nOPENSSL_EXPORT uint64_t SSL_get_write_sequence(const SSL *ssl);\n\n// SSL_CTX_set_record_protocol_version returns whether |version| is zero.\nOPENSSL_EXPORT int SSL_CTX_set_record_protocol_version(SSL_CTX *ctx,\n int version);\n\n\n// Handshake hints.\n//\n// WARNING: Contact the BoringSSL team before using this API. While this\n// mechanism was designed to gracefully recover from version skew and\n// configuration mismatch, splitting a single TLS server into multiple services\n// is complex.\n//\n// Some server deployments make asynchronous RPC calls in both ClientHello\n// dispatch and private key operations. In TLS handshakes where the private key\n// operation occurs in the first round-trip, this results in two consecutive RPC\n// round-trips. Handshake hints allow the RPC service to predict a signature.\n// If correctly predicted, this can skip the second RPC call.\n//\n// First, the server installs a certificate selection callback (see\n// |SSL_CTX_set_select_certificate_cb|). When that is called, it performs the\n// RPC as before, but includes the ClientHello and a capabilities string from\n// |SSL_serialize_capabilities|.\n//\n// Next, the RPC service creates its own |SSL| object, applies the results of\n// certificate selection, calls |SSL_request_handshake_hints|, and runs the\n// handshake. If this successfully computes handshake hints (see\n// |SSL_serialize_handshake_hints|), the RPC server should send the hints\n// alongside any certificate selection results.\n//\n// Finally, the server calls |SSL_set_handshake_hints| and applies any\n// configuration from the RPC server. It then completes the handshake as before.\n// If the hints apply, BoringSSL will use the predicted signature and skip the\n// private key callbacks. Otherwise, BoringSSL will call private key callbacks\n// to generate a signature as before.\n//\n// Callers should synchronize configuration across the two services.\n// Configuration mismatches and some cases of version skew are not fatal, but\n// may result in the hints not applying. Additionally, some handshake flows use\n// the private key in later round-trips, such as TLS 1.3 HelloRetryRequest. In\n// those cases, BoringSSL will not predict a signature as there is no benefit.\n// Callers must allow for handshakes to complete without a predicted signature.\n\n// SSL_serialize_capabilities writes an opaque byte string to |out| describing\n// some of |ssl|'s capabilities. It returns one on success and zero on error.\n//\n// This string is used by BoringSSL internally to reduce the impact of version\n// skew.\nOPENSSL_EXPORT int SSL_serialize_capabilities(const SSL *ssl, CBB *out);\n\n// SSL_request_handshake_hints configures |ssl| to generate a handshake hint for\n// |client_hello|. It returns one on success and zero on error. |client_hello|\n// should contain a serialized ClientHello structure, from the |client_hello|\n// and |client_hello_len| fields of the |SSL_CLIENT_HELLO| structure.\n// |capabilities| should contain the output of |SSL_serialize_capabilities|.\n//\n// When configured, |ssl| will perform no I/O (so there is no need to configure\n// |BIO|s). For QUIC, the caller should still configure an |SSL_QUIC_METHOD|,\n// but the callbacks themselves will never be called and may be left NULL or\n// report failure. |SSL_provide_quic_data| also should not be called.\n//\n// If hint generation is successful, |SSL_do_handshake| will stop the handshake\n// early with |SSL_get_error| returning |SSL_ERROR_HANDSHAKE_HINTS_READY|. At\n// this point, the caller should run |SSL_serialize_handshake_hints| to extract\n// the resulting hints.\n//\n// Hint generation may fail if, e.g., |ssl| was unable to process the\n// ClientHello. Callers should then complete the certificate selection RPC and\n// continue the original handshake with no hint. It will likely fail, but this\n// reports the correct alert to the client and is more robust in case of\n// mismatch.\nOPENSSL_EXPORT int SSL_request_handshake_hints(SSL *ssl,\n const uint8_t *client_hello,\n size_t client_hello_len,\n const uint8_t *capabilities,\n size_t capabilities_len);\n\n// SSL_serialize_handshake_hints writes an opaque byte string to |out|\n// containing the handshake hints computed by |out|. It returns one on success\n// and zero on error. This function should only be called if\n// |SSL_request_handshake_hints| was configured and the handshake terminated\n// with |SSL_ERROR_HANDSHAKE_HINTS_READY|.\n//\n// This string may be passed to |SSL_set_handshake_hints| on another |SSL| to\n// avoid an extra signature call.\nOPENSSL_EXPORT int SSL_serialize_handshake_hints(const SSL *ssl, CBB *out);\n\n// SSL_set_handshake_hints configures |ssl| to use |hints| as handshake hints.\n// It returns one on success and zero on error. The handshake will then continue\n// as before, but apply predicted values from |hints| where applicable.\n//\n// Hints may contain connection and session secrets, so they must not leak and\n// must come from a source trusted to terminate the connection. However, they\n// will not change |ssl|'s configuration. The caller is responsible for\n// serializing and applying options from the RPC server as needed. This ensures\n// |ssl|'s behavior is self-consistent and consistent with the caller's local\n// decisions.\nOPENSSL_EXPORT int SSL_set_handshake_hints(SSL *ssl, const uint8_t *hints,\n size_t hints_len);\n\n\n// Obscure functions.\n\n// SSL_CTX_set_msg_callback installs |cb| as the message callback for |ctx|.\n// This callback will be called when sending or receiving low-level record\n// headers, complete handshake messages, ChangeCipherSpec, alerts, and DTLS\n// ACKs. |write_p| is one for outgoing messages and zero for incoming messages.\n//\n// For each record header, |cb| is called with |version| = 0 and |content_type|\n// = |SSL3_RT_HEADER|. The |len| bytes from |buf| contain the header. Note that\n// this does not include the record body. If the record is sealed, the length\n// in the header is the length of the ciphertext.\n//\n// For each handshake message, ChangeCipherSpec, alert, and DTLS ACK, |version|\n// is the protocol version and |content_type| is the corresponding record type.\n// The |len| bytes from |buf| contain the handshake message, one-byte\n// ChangeCipherSpec body, two-byte alert, and ACK respectively.\n//\n// In connections that enable ECH, |cb| is additionally called with\n// |content_type| = |SSL3_RT_CLIENT_HELLO_INNER| for each ClientHelloInner that\n// is encrypted or decrypted. The |len| bytes from |buf| contain the\n// ClientHelloInner, including the reconstructed outer extensions and handshake\n// header.\n//\n// For a V2ClientHello, |version| is |SSL2_VERSION|, |content_type| is zero, and\n// the |len| bytes from |buf| contain the V2ClientHello structure.\nOPENSSL_EXPORT void SSL_CTX_set_msg_callback(\n SSL_CTX *ctx, void (*cb)(int is_write, int version, int content_type,\n const void *buf, size_t len, SSL *ssl, void *arg));\n\n// SSL_CTX_set_msg_callback_arg sets the |arg| parameter of the message\n// callback.\nOPENSSL_EXPORT void SSL_CTX_set_msg_callback_arg(SSL_CTX *ctx, void *arg);\n\n// SSL_set_msg_callback installs |cb| as the message callback of |ssl|. See\n// |SSL_CTX_set_msg_callback| for when this callback is called.\nOPENSSL_EXPORT void SSL_set_msg_callback(\n SSL *ssl, void (*cb)(int write_p, int version, int content_type,\n const void *buf, size_t len, SSL *ssl, void *arg));\n\n// SSL_set_msg_callback_arg sets the |arg| parameter of the message callback.\nOPENSSL_EXPORT void SSL_set_msg_callback_arg(SSL *ssl, void *arg);\n\n// SSL_CTX_set_keylog_callback configures a callback to log key material. This\n// is intended for debugging use with tools like Wireshark. The |cb| function\n// should log |line| followed by a newline, synchronizing with any concurrent\n// access to the log.\n//\n// The format is described in\n// https://www.ietf.org/archive/id/draft-ietf-tls-keylogfile-01.html\n//\n// WARNING: The data in |line| allows an attacker to break security properties\n// of the TLS protocol, including confidentiality, integrity, and forward\n// secrecy. This impacts both the current connection, and, in TLS 1.2, future\n// connections that resume a session from it. Both direct access to the data and\n// side channel leaks from application code are possible attack vectors. This\n// callback is intended for debugging and should not be used in production\n// connections.\nOPENSSL_EXPORT void SSL_CTX_set_keylog_callback(SSL_CTX *ctx,\n void (*cb)(const SSL *ssl,\n const char *line));\n\n// SSL_CTX_get_keylog_callback returns the callback configured by\n// |SSL_CTX_set_keylog_callback|.\nOPENSSL_EXPORT void (*SSL_CTX_get_keylog_callback(const SSL_CTX *ctx))(\n const SSL *ssl, const char *line);\n\n// SSL_CTX_set_current_time_cb configures a callback to retrieve the current\n// time, which should be set in |*out_clock|. This can be used for testing\n// purposes; for example, a callback can be configured that returns a time\n// set explicitly by the test. The |ssl| pointer passed to |cb| is always null.\nOPENSSL_EXPORT void SSL_CTX_set_current_time_cb(\n SSL_CTX *ctx, void (*cb)(const SSL *ssl, struct timeval *out_clock));\n\n// SSL_set_shed_handshake_config allows some of the configuration of |ssl| to be\n// freed after its handshake completes. Once configuration has been shed, APIs\n// that query it may fail. \"Configuration\" in this context means anything that\n// was set by the caller, as distinct from information derived from the\n// handshake. For example, |SSL_get_ciphers| queries how the |SSL| was\n// configured by the caller, and fails after configuration has been shed,\n// whereas |SSL_get_cipher| queries the result of the handshake, and is\n// unaffected by configuration shedding.\n//\n// If configuration shedding is enabled, it is an error to call |SSL_clear|.\n//\n// Note that configuration shedding as a client additionally depends on\n// renegotiation being disabled (see |SSL_set_renegotiate_mode|). If\n// renegotiation is possible, the configuration will be retained. If\n// configuration shedding is enabled and renegotiation later disabled after the\n// handshake, |SSL_set_renegotiate_mode| will shed configuration then. This may\n// be useful for clients which support renegotiation with some ALPN protocols,\n// such as HTTP/1.1, and not others, such as HTTP/2.\nOPENSSL_EXPORT void SSL_set_shed_handshake_config(SSL *ssl, int enable);\n\nenum ssl_renegotiate_mode_t BORINGSSL_ENUM_INT {\n ssl_renegotiate_never = 0,\n ssl_renegotiate_once,\n ssl_renegotiate_freely,\n ssl_renegotiate_ignore,\n ssl_renegotiate_explicit,\n};\n\n// SSL_set_renegotiate_mode configures how |ssl|, a client, reacts to\n// renegotiation attempts by a server. If |ssl| is a server, peer-initiated\n// renegotiations are *always* rejected and this function does nothing.\n//\n// WARNING: Renegotiation is error-prone, complicates TLS's security properties,\n// and increases its attack surface. When enabled, many common assumptions about\n// BoringSSL's behavior no longer hold, and the calling application must handle\n// more cases. Renegotiation is also incompatible with many application\n// protocols, e.g. section 9.2.1 of RFC 7540. Many functions behave in ambiguous\n// or undefined ways during a renegotiation.\n//\n// The renegotiation mode defaults to |ssl_renegotiate_never|, but may be set\n// at any point in a connection's lifetime. Set it to |ssl_renegotiate_once| to\n// allow one renegotiation, |ssl_renegotiate_freely| to allow all\n// renegotiations or |ssl_renegotiate_ignore| to ignore HelloRequest messages.\n// Note that ignoring HelloRequest messages may cause the connection to stall\n// if the server waits for the renegotiation to complete.\n//\n// If set to |ssl_renegotiate_explicit|, |SSL_read| and |SSL_peek| calls which\n// encounter a HelloRequest will pause with |SSL_ERROR_WANT_RENEGOTIATE|.\n// |SSL_write| will continue to work while paused. The caller may call\n// |SSL_renegotiate| to begin the renegotiation at a later point. This mode may\n// be used if callers wish to eagerly call |SSL_peek| without triggering a\n// renegotiation.\n//\n// If configuration shedding is enabled (see |SSL_set_shed_handshake_config|),\n// configuration is released if, at any point after the handshake, renegotiation\n// is disabled. It is not possible to switch from disabling renegotiation to\n// enabling it on a given connection. Callers that condition renegotiation on,\n// e.g., ALPN must enable renegotiation before the handshake and conditionally\n// disable it afterwards.\n//\n// When enabled, renegotiation can cause properties of |ssl|, such as the cipher\n// suite, to change during the lifetime of the connection. More over, during a\n// renegotiation, not all properties of the new handshake are available or fully\n// established. In BoringSSL, most functions, such as |SSL_get_current_cipher|,\n// report information from the most recently completed handshake, not the\n// pending one. However, renegotiation may rerun handshake callbacks, such as\n// |SSL_CTX_set_cert_cb|. Such callbacks must ensure they are acting on the\n// desired versions of each property.\n//\n// BoringSSL does not reverify peer certificates on renegotiation and instead\n// requires they match between handshakes, so certificate verification callbacks\n// (see |SSL_CTX_set_custom_verify|) may assume |ssl| is in the initial\n// handshake and use |SSL_get0_peer_certificates|, etc.\n//\n// There is no support in BoringSSL for initiating renegotiations as a client\n// or server.\nOPENSSL_EXPORT void SSL_set_renegotiate_mode(SSL *ssl,\n enum ssl_renegotiate_mode_t mode);\n\n// SSL_renegotiate starts a deferred renegotiation on |ssl| if it was configured\n// with |ssl_renegotiate_explicit| and has a pending HelloRequest. It returns\n// one on success and zero on error.\n//\n// This function does not do perform any I/O. On success, a subsequent\n// |SSL_do_handshake| call will run the handshake. |SSL_write| and\n// |SSL_read| will also complete the handshake before sending or receiving\n// application data.\nOPENSSL_EXPORT int SSL_renegotiate(SSL *ssl);\n\n// SSL_renegotiate_pending returns one if |ssl| is in the middle of a\n// renegotiation.\nOPENSSL_EXPORT int SSL_renegotiate_pending(SSL *ssl);\n\n// SSL_total_renegotiations returns the total number of renegotiation handshakes\n// performed by |ssl|. This includes the pending renegotiation, if any.\nOPENSSL_EXPORT int SSL_total_renegotiations(const SSL *ssl);\n\n// SSL_MAX_CERT_LIST_DEFAULT is the default maximum length, in bytes, of a peer\n// certificate chain.\n#define SSL_MAX_CERT_LIST_DEFAULT (1024 * 100)\n\n// SSL_CTX_get_max_cert_list returns the maximum length, in bytes, of a peer\n// certificate chain accepted by |ctx|.\nOPENSSL_EXPORT size_t SSL_CTX_get_max_cert_list(const SSL_CTX *ctx);\n\n// SSL_CTX_set_max_cert_list sets the maximum length, in bytes, of a peer\n// certificate chain to |max_cert_list|. This affects how much memory may be\n// consumed during the handshake.\nOPENSSL_EXPORT void SSL_CTX_set_max_cert_list(SSL_CTX *ctx,\n size_t max_cert_list);\n\n// SSL_get_max_cert_list returns the maximum length, in bytes, of a peer\n// certificate chain accepted by |ssl|.\nOPENSSL_EXPORT size_t SSL_get_max_cert_list(const SSL *ssl);\n\n// SSL_set_max_cert_list sets the maximum length, in bytes, of a peer\n// certificate chain to |max_cert_list|. This affects how much memory may be\n// consumed during the handshake.\nOPENSSL_EXPORT void SSL_set_max_cert_list(SSL *ssl, size_t max_cert_list);\n\n// SSL_CTX_set_max_send_fragment sets the maximum length, in bytes, of records\n// sent by |ctx|. Beyond this length, handshake messages and application data\n// will be split into multiple records. It returns one on success or zero on\n// error.\nOPENSSL_EXPORT int SSL_CTX_set_max_send_fragment(SSL_CTX *ctx,\n size_t max_send_fragment);\n\n// SSL_set_max_send_fragment sets the maximum length, in bytes, of records sent\n// by |ssl|. Beyond this length, handshake messages and application data will\n// be split into multiple records. It returns one on success or zero on\n// error.\nOPENSSL_EXPORT int SSL_set_max_send_fragment(SSL *ssl,\n size_t max_send_fragment);\n\n// ssl_early_callback_ctx (aka |SSL_CLIENT_HELLO|) is passed to certain\n// callbacks that are called very early on during the server handshake. At this\n// point, much of the SSL* hasn't been filled out and only the ClientHello can\n// be depended on.\nstruct ssl_early_callback_ctx {\n SSL *ssl;\n const uint8_t *client_hello;\n size_t client_hello_len;\n uint16_t version;\n const uint8_t *random;\n size_t random_len;\n const uint8_t *session_id;\n size_t session_id_len;\n const uint8_t *dtls_cookie;\n size_t dtls_cookie_len;\n const uint8_t *cipher_suites;\n size_t cipher_suites_len;\n const uint8_t *compression_methods;\n size_t compression_methods_len;\n const uint8_t *extensions;\n size_t extensions_len;\n} /* SSL_CLIENT_HELLO */;\n\n// ssl_select_cert_result_t enumerates the possible results from selecting a\n// certificate with |select_certificate_cb|.\nenum ssl_select_cert_result_t BORINGSSL_ENUM_INT {\n // ssl_select_cert_success indicates that the certificate selection was\n // successful.\n ssl_select_cert_success = 1,\n // ssl_select_cert_retry indicates that the operation could not be\n // immediately completed and must be reattempted at a later point.\n ssl_select_cert_retry = 0,\n // ssl_select_cert_error indicates that a fatal error occured and the\n // handshake should be terminated.\n ssl_select_cert_error = -1,\n // ssl_select_cert_disable_ech indicates that, although an encrypted\n // ClientHelloInner was decrypted, it should be discarded. The certificate\n // selection callback will then be called again, passing in the\n // ClientHelloOuter instead. From there, the handshake will proceed\n // without retry_configs, to signal to the client to disable ECH.\n //\n // This value may only be returned when |SSL_ech_accepted| returnes one. It\n // may be useful if the ClientHelloInner indicated a service which does not\n // support ECH, e.g. if it is a TLS-1.2 only service.\n ssl_select_cert_disable_ech = -2,\n};\n\n// SSL_early_callback_ctx_extension_get searches the extensions in\n// |client_hello| for an extension of the given type. If not found, it returns\n// zero. Otherwise it sets |out_data| to point to the extension contents (not\n// including the type and length bytes), sets |out_len| to the length of the\n// extension contents and returns one.\nOPENSSL_EXPORT int SSL_early_callback_ctx_extension_get(\n const SSL_CLIENT_HELLO *client_hello, uint16_t extension_type,\n const uint8_t **out_data, size_t *out_len);\n\n// SSL_CTX_set_select_certificate_cb sets a callback that is called before most\n// ClientHello processing and before the decision whether to resume a session\n// is made. The callback may inspect the ClientHello and configure the\n// connection. See |ssl_select_cert_result_t| for details of the return values.\n//\n// In the case that a retry is indicated, |SSL_get_error| will return\n// |SSL_ERROR_PENDING_CERTIFICATE| and the caller should arrange for the\n// high-level operation on |ssl| to be retried at a later time, which will\n// result in another call to |cb|.\n//\n// |SSL_get_servername| may be used during this callback.\n//\n// Note: The |SSL_CLIENT_HELLO| is only valid for the duration of the callback\n// and is not valid while the handshake is paused.\nOPENSSL_EXPORT void SSL_CTX_set_select_certificate_cb(\n SSL_CTX *ctx,\n enum ssl_select_cert_result_t (*cb)(const SSL_CLIENT_HELLO *));\n\n// SSL_CTX_set_dos_protection_cb sets a callback that is called once the\n// resumption decision for a ClientHello has been made. It can return one to\n// allow the handshake to continue or zero to cause the handshake to abort.\nOPENSSL_EXPORT void SSL_CTX_set_dos_protection_cb(\n SSL_CTX *ctx, int (*cb)(const SSL_CLIENT_HELLO *));\n\n// SSL_CTX_set_reverify_on_resume configures whether the certificate\n// verification callback will be used to reverify stored certificates\n// when resuming a session. This only works with |SSL_CTX_set_custom_verify|.\n// For now, this is incompatible with |SSL_VERIFY_NONE| mode, and is only\n// respected on clients.\nOPENSSL_EXPORT void SSL_CTX_set_reverify_on_resume(SSL_CTX *ctx, int enabled);\n\n// SSL_set_enforce_rsa_key_usage configures whether, when |ssl| is a client\n// negotiating TLS 1.2 or below, the keyUsage extension of RSA leaf server\n// certificates will be checked for consistency with the TLS usage. In all other\n// cases, this check is always enabled.\n//\n// This parameter may be set late; it will not be read until after the\n// certificate verification callback.\nOPENSSL_EXPORT void SSL_set_enforce_rsa_key_usage(SSL *ssl, int enabled);\n\n// SSL_was_key_usage_invalid returns one if |ssl|'s handshake succeeded despite\n// using TLS parameters which were incompatible with the leaf certificate's\n// keyUsage extension. Otherwise, it returns zero.\n//\n// If |SSL_set_enforce_rsa_key_usage| is enabled or not applicable, this\n// function will always return zero because key usages will be consistently\n// checked.\nOPENSSL_EXPORT int SSL_was_key_usage_invalid(const SSL *ssl);\n\n// SSL_ST_* are possible values for |SSL_state|, the bitmasks that make them up,\n// and some historical values for compatibility. Only |SSL_ST_INIT| and\n// |SSL_ST_OK| are ever returned.\n#define SSL_ST_CONNECT 0x1000\n#define SSL_ST_ACCEPT 0x2000\n#define SSL_ST_MASK 0x0FFF\n#define SSL_ST_INIT (SSL_ST_CONNECT | SSL_ST_ACCEPT)\n#define SSL_ST_OK 0x03\n#define SSL_ST_RENEGOTIATE (0x04 | SSL_ST_INIT)\n#define SSL_ST_BEFORE (0x05 | SSL_ST_INIT)\n\n// TLS_ST_* are aliases for |SSL_ST_*| for OpenSSL 1.1.0 compatibility.\n#define TLS_ST_OK SSL_ST_OK\n#define TLS_ST_BEFORE SSL_ST_BEFORE\n\n// SSL_CB_* are possible values for the |type| parameter in the info\n// callback and the bitmasks that make them up.\n#define SSL_CB_LOOP 0x01\n#define SSL_CB_EXIT 0x02\n#define SSL_CB_READ 0x04\n#define SSL_CB_WRITE 0x08\n#define SSL_CB_ALERT 0x4000\n#define SSL_CB_READ_ALERT (SSL_CB_ALERT | SSL_CB_READ)\n#define SSL_CB_WRITE_ALERT (SSL_CB_ALERT | SSL_CB_WRITE)\n#define SSL_CB_ACCEPT_LOOP (SSL_ST_ACCEPT | SSL_CB_LOOP)\n#define SSL_CB_ACCEPT_EXIT (SSL_ST_ACCEPT | SSL_CB_EXIT)\n#define SSL_CB_CONNECT_LOOP (SSL_ST_CONNECT | SSL_CB_LOOP)\n#define SSL_CB_CONNECT_EXIT (SSL_ST_CONNECT | SSL_CB_EXIT)\n#define SSL_CB_HANDSHAKE_START 0x10\n#define SSL_CB_HANDSHAKE_DONE 0x20\n\n// SSL_CTX_set_info_callback configures a callback to be run when various\n// events occur during a connection's lifetime. The |type| argument determines\n// the type of event and the meaning of the |value| argument. Callbacks must\n// ignore unexpected |type| values.\n//\n// |SSL_CB_READ_ALERT| is signaled for each alert received, warning or fatal.\n// The |value| argument is a 16-bit value where the alert level (either\n// |SSL3_AL_WARNING| or |SSL3_AL_FATAL|) is in the most-significant eight bits\n// and the alert type (one of |SSL_AD_*|) is in the least-significant eight.\n//\n// |SSL_CB_WRITE_ALERT| is signaled for each alert sent. The |value| argument\n// is constructed as with |SSL_CB_READ_ALERT|.\n//\n// |SSL_CB_HANDSHAKE_START| is signaled when a handshake begins. The |value|\n// argument is always one.\n//\n// |SSL_CB_HANDSHAKE_DONE| is signaled when a handshake completes successfully.\n// The |value| argument is always one. If a handshake False Starts, this event\n// may be used to determine when the Finished message is received.\n//\n// The following event types expose implementation details of the handshake\n// state machine. Consuming them is deprecated.\n//\n// |SSL_CB_ACCEPT_LOOP| (respectively, |SSL_CB_CONNECT_LOOP|) is signaled when\n// a server (respectively, client) handshake progresses. The |value| argument\n// is always one.\n//\n// |SSL_CB_ACCEPT_EXIT| (respectively, |SSL_CB_CONNECT_EXIT|) is signaled when\n// a server (respectively, client) handshake completes, fails, or is paused.\n// The |value| argument is one if the handshake succeeded and <= 0\n// otherwise.\nOPENSSL_EXPORT void SSL_CTX_set_info_callback(SSL_CTX *ctx,\n void (*cb)(const SSL *ssl,\n int type, int value));\n\n// SSL_CTX_get_info_callback returns the callback set by\n// |SSL_CTX_set_info_callback|.\nOPENSSL_EXPORT void (*SSL_CTX_get_info_callback(SSL_CTX *ctx))(const SSL *ssl,\n int type,\n int value);\n\n// SSL_set_info_callback configures a callback to be run at various events\n// during a connection's lifetime. See |SSL_CTX_set_info_callback|.\nOPENSSL_EXPORT void SSL_set_info_callback(SSL *ssl,\n void (*cb)(const SSL *ssl, int type,\n int value));\n\n// SSL_get_info_callback returns the callback set by |SSL_set_info_callback|.\nOPENSSL_EXPORT void (*SSL_get_info_callback(const SSL *ssl))(const SSL *ssl,\n int type,\n int value);\n\n// SSL_state_string_long returns the current state of the handshake state\n// machine as a string. This may be useful for debugging and logging.\nOPENSSL_EXPORT const char *SSL_state_string_long(const SSL *ssl);\n\n#define SSL_SENT_SHUTDOWN 1\n#define SSL_RECEIVED_SHUTDOWN 2\n\n// SSL_get_shutdown returns a bitmask with a subset of |SSL_SENT_SHUTDOWN| and\n// |SSL_RECEIVED_SHUTDOWN| to query whether close_notify was sent or received,\n// respectively.\nOPENSSL_EXPORT int SSL_get_shutdown(const SSL *ssl);\n\n// SSL_get_peer_signature_algorithm returns the signature algorithm used by the\n// peer. If not applicable, it returns zero.\nOPENSSL_EXPORT uint16_t SSL_get_peer_signature_algorithm(const SSL *ssl);\n\n// SSL_get_client_random writes up to |max_out| bytes of the most recent\n// handshake's client_random to |out| and returns the number of bytes written.\n// If |max_out| is zero, it returns the size of the client_random.\nOPENSSL_EXPORT size_t SSL_get_client_random(const SSL *ssl, uint8_t *out,\n size_t max_out);\n\n// SSL_get_server_random writes up to |max_out| bytes of the most recent\n// handshake's server_random to |out| and returns the number of bytes written.\n// If |max_out| is zero, it returns the size of the server_random.\nOPENSSL_EXPORT size_t SSL_get_server_random(const SSL *ssl, uint8_t *out,\n size_t max_out);\n\n// SSL_get_pending_cipher returns the cipher suite for the current handshake or\n// NULL if one has not been negotiated yet or there is no pending handshake.\nOPENSSL_EXPORT const SSL_CIPHER *SSL_get_pending_cipher(const SSL *ssl);\n\n// SSL_set_retain_only_sha256_of_client_certs, on a server, sets whether only\n// the SHA-256 hash of peer's certificate should be saved in memory and in the\n// session. This can save memory, ticket size and session cache space. If\n// enabled, |SSL_get_peer_certificate| will return NULL after the handshake\n// completes. See |SSL_SESSION_has_peer_sha256| and\n// |SSL_SESSION_get0_peer_sha256| to query the hash.\nOPENSSL_EXPORT void SSL_set_retain_only_sha256_of_client_certs(SSL *ssl,\n int enable);\n\n// SSL_CTX_set_retain_only_sha256_of_client_certs, on a server, sets whether\n// only the SHA-256 hash of peer's certificate should be saved in memory and in\n// the session. This can save memory, ticket size and session cache space. If\n// enabled, |SSL_get_peer_certificate| will return NULL after the handshake\n// completes. See |SSL_SESSION_has_peer_sha256| and\n// |SSL_SESSION_get0_peer_sha256| to query the hash.\nOPENSSL_EXPORT void SSL_CTX_set_retain_only_sha256_of_client_certs(SSL_CTX *ctx,\n int enable);\n\n// SSL_CTX_set_grease_enabled configures whether sockets on |ctx| should enable\n// GREASE. See RFC 8701.\nOPENSSL_EXPORT void SSL_CTX_set_grease_enabled(SSL_CTX *ctx, int enabled);\n\n// SSL_CTX_set_permute_extensions configures whether sockets on |ctx| should\n// permute extensions. For now, this is only implemented for the ClientHello.\nOPENSSL_EXPORT void SSL_CTX_set_permute_extensions(SSL_CTX *ctx, int enabled);\n\n// SSL_set_permute_extensions configures whether sockets on |ssl| should\n// permute extensions. For now, this is only implemented for the ClientHello.\nOPENSSL_EXPORT void SSL_set_permute_extensions(SSL *ssl, int enabled);\n\n// SSL_max_seal_overhead returns the maximum overhead, in bytes, of sealing a\n// record with |ssl|.\nOPENSSL_EXPORT size_t SSL_max_seal_overhead(const SSL *ssl);\n\n// SSL_CTX_set_false_start_allowed_without_alpn configures whether connections\n// on |ctx| may use False Start (if |SSL_MODE_ENABLE_FALSE_START| is enabled)\n// without negotiating ALPN.\nOPENSSL_EXPORT void SSL_CTX_set_false_start_allowed_without_alpn(SSL_CTX *ctx,\n int allowed);\n\n// SSL_used_hello_retry_request returns one if the TLS 1.3 HelloRetryRequest\n// message has been either sent by the server or received by the client. It\n// returns zero otherwise.\nOPENSSL_EXPORT int SSL_used_hello_retry_request(const SSL *ssl);\n\n// SSL_set_jdk11_workaround configures whether to workaround various bugs in\n// JDK 11's TLS 1.3 implementation by disabling TLS 1.3 for such clients.\n//\n// https://bugs.openjdk.java.net/browse/JDK-8211806\n// https://bugs.openjdk.java.net/browse/JDK-8212885\n// https://bugs.openjdk.java.net/browse/JDK-8213202\nOPENSSL_EXPORT void SSL_set_jdk11_workaround(SSL *ssl, int enable);\n\n// SSL_set_check_client_certificate_type configures whether the client, in\n// TLS 1.2 and below, will check its certificate against the server's requested\n// certificate types.\n//\n// By default, this option is enabled. If disabled, certificate selection within\n// the library may not function correctly. This flag is provided temporarily in\n// case of compatibility issues. It will be removed sometime after June 2024.\nOPENSSL_EXPORT void SSL_set_check_client_certificate_type(SSL *ssl, int enable);\n\n// SSL_set_check_ecdsa_curve configures whether the server, in TLS 1.2 and\n// below, will check its certificate against the client's supported ECDSA\n// curves.\n//\n// By default, this option is enabled. If disabled, certificate selection within\n// the library may not function correctly. This flag is provided temporarily in\n// case of compatibility issues. It will be removed sometime after June 2024.\nOPENSSL_EXPORT void SSL_set_check_ecdsa_curve(SSL *ssl, int enable);\n\n\n// Deprecated functions.\n\n// SSL_library_init returns one.\nOPENSSL_EXPORT int SSL_library_init(void);\n\n// SSL_CIPHER_description writes a description of |cipher| into |buf| and\n// returns |buf|. If |buf| is NULL, it returns a newly allocated string, to be\n// freed with |OPENSSL_free|, or NULL on error.\n//\n// The description includes a trailing newline and has the form:\n// AES128-SHA Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1\n//\n// Consider |SSL_CIPHER_standard_name| or |SSL_CIPHER_get_name| instead.\nOPENSSL_EXPORT const char *SSL_CIPHER_description(const SSL_CIPHER *cipher,\n char *buf, int len);\n\n// SSL_CIPHER_get_version returns the string \"TLSv1/SSLv3\".\nOPENSSL_EXPORT const char *SSL_CIPHER_get_version(const SSL_CIPHER *cipher);\n\ntypedef void COMP_METHOD;\ntypedef struct ssl_comp_st SSL_COMP;\n\n// SSL_COMP_get_compression_methods returns NULL.\nOPENSSL_EXPORT STACK_OF(SSL_COMP) *SSL_COMP_get_compression_methods(void);\n\n// SSL_COMP_add_compression_method returns one.\nOPENSSL_EXPORT int SSL_COMP_add_compression_method(int id, COMP_METHOD *cm);\n\n// SSL_COMP_get_name returns NULL.\nOPENSSL_EXPORT const char *SSL_COMP_get_name(const COMP_METHOD *comp);\n\n// SSL_COMP_get0_name returns the |name| member of |comp|.\nOPENSSL_EXPORT const char *SSL_COMP_get0_name(const SSL_COMP *comp);\n\n// SSL_COMP_get_id returns the |id| member of |comp|.\nOPENSSL_EXPORT int SSL_COMP_get_id(const SSL_COMP *comp);\n\n// SSL_COMP_free_compression_methods does nothing.\nOPENSSL_EXPORT void SSL_COMP_free_compression_methods(void);\n\n// SSLv23_method calls |TLS_method|.\nOPENSSL_EXPORT const SSL_METHOD *SSLv23_method(void);\n\n// These version-specific methods behave exactly like |TLS_method| and\n// |DTLS_method| except they also call |SSL_CTX_set_min_proto_version| and\n// |SSL_CTX_set_max_proto_version| to lock connections to that protocol\n// version.\nOPENSSL_EXPORT const SSL_METHOD *TLSv1_method(void);\nOPENSSL_EXPORT const SSL_METHOD *TLSv1_1_method(void);\nOPENSSL_EXPORT const SSL_METHOD *TLSv1_2_method(void);\nOPENSSL_EXPORT const SSL_METHOD *DTLSv1_method(void);\nOPENSSL_EXPORT const SSL_METHOD *DTLSv1_2_method(void);\n\n// These client- and server-specific methods call their corresponding generic\n// methods.\nOPENSSL_EXPORT const SSL_METHOD *TLS_server_method(void);\nOPENSSL_EXPORT const SSL_METHOD *TLS_client_method(void);\nOPENSSL_EXPORT const SSL_METHOD *SSLv23_server_method(void);\nOPENSSL_EXPORT const SSL_METHOD *SSLv23_client_method(void);\nOPENSSL_EXPORT const SSL_METHOD *TLSv1_server_method(void);\nOPENSSL_EXPORT const SSL_METHOD *TLSv1_client_method(void);\nOPENSSL_EXPORT const SSL_METHOD *TLSv1_1_server_method(void);\nOPENSSL_EXPORT const SSL_METHOD *TLSv1_1_client_method(void);\nOPENSSL_EXPORT const SSL_METHOD *TLSv1_2_server_method(void);\nOPENSSL_EXPORT const SSL_METHOD *TLSv1_2_client_method(void);\nOPENSSL_EXPORT const SSL_METHOD *DTLS_server_method(void);\nOPENSSL_EXPORT const SSL_METHOD *DTLS_client_method(void);\nOPENSSL_EXPORT const SSL_METHOD *DTLSv1_server_method(void);\nOPENSSL_EXPORT const SSL_METHOD *DTLSv1_client_method(void);\nOPENSSL_EXPORT const SSL_METHOD *DTLSv1_2_server_method(void);\nOPENSSL_EXPORT const SSL_METHOD *DTLSv1_2_client_method(void);\n\n// SSL_clear resets |ssl| to allow another connection and returns one on success\n// or zero on failure. It returns most configuration state but releases memory\n// associated with the current connection.\n//\n// Free |ssl| and create a new one instead.\nOPENSSL_EXPORT int SSL_clear(SSL *ssl);\n\n// SSL_CTX_set_tmp_rsa_callback does nothing.\nOPENSSL_EXPORT void SSL_CTX_set_tmp_rsa_callback(\n SSL_CTX *ctx, RSA *(*cb)(SSL *ssl, int is_export, int keylength));\n\n// SSL_set_tmp_rsa_callback does nothing.\nOPENSSL_EXPORT void SSL_set_tmp_rsa_callback(SSL *ssl,\n RSA *(*cb)(SSL *ssl, int is_export,\n int keylength));\n\n// SSL_CTX_sess_connect returns zero.\nOPENSSL_EXPORT int SSL_CTX_sess_connect(const SSL_CTX *ctx);\n\n// SSL_CTX_sess_connect_good returns zero.\nOPENSSL_EXPORT int SSL_CTX_sess_connect_good(const SSL_CTX *ctx);\n\n// SSL_CTX_sess_connect_renegotiate returns zero.\nOPENSSL_EXPORT int SSL_CTX_sess_connect_renegotiate(const SSL_CTX *ctx);\n\n// SSL_CTX_sess_accept returns zero.\nOPENSSL_EXPORT int SSL_CTX_sess_accept(const SSL_CTX *ctx);\n\n// SSL_CTX_sess_accept_renegotiate returns zero.\nOPENSSL_EXPORT int SSL_CTX_sess_accept_renegotiate(const SSL_CTX *ctx);\n\n// SSL_CTX_sess_accept_good returns zero.\nOPENSSL_EXPORT int SSL_CTX_sess_accept_good(const SSL_CTX *ctx);\n\n// SSL_CTX_sess_hits returns zero.\nOPENSSL_EXPORT int SSL_CTX_sess_hits(const SSL_CTX *ctx);\n\n// SSL_CTX_sess_cb_hits returns zero.\nOPENSSL_EXPORT int SSL_CTX_sess_cb_hits(const SSL_CTX *ctx);\n\n// SSL_CTX_sess_misses returns zero.\nOPENSSL_EXPORT int SSL_CTX_sess_misses(const SSL_CTX *ctx);\n\n// SSL_CTX_sess_timeouts returns zero.\nOPENSSL_EXPORT int SSL_CTX_sess_timeouts(const SSL_CTX *ctx);\n\n// SSL_CTX_sess_cache_full returns zero.\nOPENSSL_EXPORT int SSL_CTX_sess_cache_full(const SSL_CTX *ctx);\n\n// SSL_cutthrough_complete calls |SSL_in_false_start|.\nOPENSSL_EXPORT int SSL_cutthrough_complete(const SSL *ssl);\n\n// SSL_num_renegotiations calls |SSL_total_renegotiations|.\nOPENSSL_EXPORT int SSL_num_renegotiations(const SSL *ssl);\n\n// SSL_CTX_need_tmp_RSA returns zero.\nOPENSSL_EXPORT int SSL_CTX_need_tmp_RSA(const SSL_CTX *ctx);\n\n// SSL_need_tmp_RSA returns zero.\nOPENSSL_EXPORT int SSL_need_tmp_RSA(const SSL *ssl);\n\n// SSL_CTX_set_tmp_rsa returns one.\nOPENSSL_EXPORT int SSL_CTX_set_tmp_rsa(SSL_CTX *ctx, const RSA *rsa);\n\n// SSL_set_tmp_rsa returns one.\nOPENSSL_EXPORT int SSL_set_tmp_rsa(SSL *ssl, const RSA *rsa);\n\n// SSL_CTX_get_read_ahead returns zero.\nOPENSSL_EXPORT int SSL_CTX_get_read_ahead(const SSL_CTX *ctx);\n\n// SSL_CTX_set_read_ahead returns one.\nOPENSSL_EXPORT int SSL_CTX_set_read_ahead(SSL_CTX *ctx, int yes);\n\n// SSL_get_read_ahead returns zero.\nOPENSSL_EXPORT int SSL_get_read_ahead(const SSL *ssl);\n\n// SSL_set_read_ahead returns one.\nOPENSSL_EXPORT int SSL_set_read_ahead(SSL *ssl, int yes);\n\n// SSL_set_state does nothing.\nOPENSSL_EXPORT void SSL_set_state(SSL *ssl, int state);\n\n// SSL_get_shared_ciphers writes an empty string to |buf| and returns a\n// pointer to |buf|, or NULL if |len| is less than or equal to zero.\nOPENSSL_EXPORT char *SSL_get_shared_ciphers(const SSL *ssl, char *buf, int len);\n\n// SSL_get_shared_sigalgs returns zero.\nOPENSSL_EXPORT int SSL_get_shared_sigalgs(SSL *ssl, int idx, int *psign,\n int *phash, int *psignandhash,\n uint8_t *rsig, uint8_t *rhash);\n\n// SSL_MODE_HANDSHAKE_CUTTHROUGH is the same as SSL_MODE_ENABLE_FALSE_START.\n#define SSL_MODE_HANDSHAKE_CUTTHROUGH SSL_MODE_ENABLE_FALSE_START\n\n// i2d_SSL_SESSION serializes |in|, as described in |i2d_SAMPLE|.\n//\n// Use |SSL_SESSION_to_bytes| instead.\nOPENSSL_EXPORT int i2d_SSL_SESSION(SSL_SESSION *in, uint8_t **pp);\n\n// d2i_SSL_SESSION parses a serialized session from the |length| bytes pointed\n// to by |*pp|, as described in |d2i_SAMPLE|.\n//\n// Use |SSL_SESSION_from_bytes| instead.\nOPENSSL_EXPORT SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, const uint8_t **pp,\n long length);\n\n// i2d_SSL_SESSION_bio serializes |session| and writes the result to |bio|. It\n// returns the number of bytes written on success and <= 0 on error.\nOPENSSL_EXPORT int i2d_SSL_SESSION_bio(BIO *bio, const SSL_SESSION *session);\n\n// d2i_SSL_SESSION_bio reads a serialized |SSL_SESSION| from |bio| and returns a\n// newly-allocated |SSL_SESSION| or NULL on error. If |out| is not NULL, it also\n// frees |*out| and sets |*out| to the new |SSL_SESSION|.\nOPENSSL_EXPORT SSL_SESSION *d2i_SSL_SESSION_bio(BIO *bio, SSL_SESSION **out);\n\n// ERR_load_SSL_strings does nothing.\nOPENSSL_EXPORT void ERR_load_SSL_strings(void);\n\n// SSL_load_error_strings does nothing.\nOPENSSL_EXPORT void SSL_load_error_strings(void);\n\n// SSL_CTX_set_tlsext_use_srtp calls |SSL_CTX_set_srtp_profiles|. It returns\n// zero on success and one on failure.\n//\n// WARNING: this function is dangerous because it breaks the usual return value\n// convention. Use |SSL_CTX_set_srtp_profiles| instead.\nOPENSSL_EXPORT int SSL_CTX_set_tlsext_use_srtp(SSL_CTX *ctx,\n const char *profiles);\n\n// SSL_set_tlsext_use_srtp calls |SSL_set_srtp_profiles|. It returns zero on\n// success and one on failure.\n//\n// WARNING: this function is dangerous because it breaks the usual return value\n// convention. Use |SSL_set_srtp_profiles| instead.\nOPENSSL_EXPORT int SSL_set_tlsext_use_srtp(SSL *ssl, const char *profiles);\n\n// SSL_get_current_compression returns NULL.\nOPENSSL_EXPORT const COMP_METHOD *SSL_get_current_compression(SSL *ssl);\n\n// SSL_get_current_expansion returns NULL.\nOPENSSL_EXPORT const COMP_METHOD *SSL_get_current_expansion(SSL *ssl);\n\n// SSL_get_server_tmp_key returns zero.\nOPENSSL_EXPORT int SSL_get_server_tmp_key(SSL *ssl, EVP_PKEY **out_key);\n\n// SSL_CTX_set_tmp_dh returns 1.\nOPENSSL_EXPORT int SSL_CTX_set_tmp_dh(SSL_CTX *ctx, const DH *dh);\n\n// SSL_set_tmp_dh returns 1.\nOPENSSL_EXPORT int SSL_set_tmp_dh(SSL *ssl, const DH *dh);\n\n// SSL_CTX_set_tmp_dh_callback does nothing.\nOPENSSL_EXPORT void SSL_CTX_set_tmp_dh_callback(\n SSL_CTX *ctx, DH *(*cb)(SSL *ssl, int is_export, int keylength));\n\n// SSL_set_tmp_dh_callback does nothing.\nOPENSSL_EXPORT void SSL_set_tmp_dh_callback(SSL *ssl,\n DH *(*cb)(SSL *ssl, int is_export,\n int keylength));\n\n// SSL_CTX_set1_sigalgs takes |num_values| ints and interprets them as pairs\n// where the first is the nid of a hash function and the second is an\n// |EVP_PKEY_*| value. It configures the signature algorithm preferences for\n// |ctx| based on them and returns one on success or zero on error.\n//\n// This API is compatible with OpenSSL. However, BoringSSL-specific code should\n// prefer |SSL_CTX_set_signing_algorithm_prefs| because it's clearer and it's\n// more convenient to codesearch for specific algorithm values.\nOPENSSL_EXPORT int SSL_CTX_set1_sigalgs(SSL_CTX *ctx, const int *values,\n size_t num_values);\n\n// SSL_set1_sigalgs takes |num_values| ints and interprets them as pairs where\n// the first is the nid of a hash function and the second is an |EVP_PKEY_*|\n// value. It configures the signature algorithm preferences for |ssl| based on\n// them and returns one on success or zero on error.\n//\n// This API is compatible with OpenSSL. However, BoringSSL-specific code should\n// prefer |SSL_CTX_set_signing_algorithm_prefs| because it's clearer and it's\n// more convenient to codesearch for specific algorithm values.\nOPENSSL_EXPORT int SSL_set1_sigalgs(SSL *ssl, const int *values,\n size_t num_values);\n\n// SSL_CTX_set1_sigalgs_list takes a textual specification of a set of signature\n// algorithms and configures them on |ctx|. It returns one on success and zero\n// on error. See\n// https://www.openssl.org/docs/man1.1.0/man3/SSL_CTX_set1_sigalgs_list.html for\n// a description of the text format. Also note that TLS 1.3 names (e.g.\n// \"rsa_pkcs1_md5_sha1\") can also be used (as in OpenSSL, although OpenSSL\n// doesn't document that).\n//\n// This API is compatible with OpenSSL. However, BoringSSL-specific code should\n// prefer |SSL_CTX_set_signing_algorithm_prefs| because it's clearer and it's\n// more convenient to codesearch for specific algorithm values.\nOPENSSL_EXPORT int SSL_CTX_set1_sigalgs_list(SSL_CTX *ctx, const char *str);\n\n// SSL_set1_sigalgs_list takes a textual specification of a set of signature\n// algorithms and configures them on |ssl|. It returns one on success and zero\n// on error. See\n// https://www.openssl.org/docs/man1.1.0/man3/SSL_CTX_set1_sigalgs_list.html for\n// a description of the text format. Also note that TLS 1.3 names (e.g.\n// \"rsa_pkcs1_md5_sha1\") can also be used (as in OpenSSL, although OpenSSL\n// doesn't document that).\n//\n// This API is compatible with OpenSSL. However, BoringSSL-specific code should\n// prefer |SSL_CTX_set_signing_algorithm_prefs| because it's clearer and it's\n// more convenient to codesearch for specific algorithm values.\nOPENSSL_EXPORT int SSL_set1_sigalgs_list(SSL *ssl, const char *str);\n\n#define SSL_set_app_data(s, arg) (SSL_set_ex_data(s, 0, (char *)(arg)))\n#define SSL_get_app_data(s) (SSL_get_ex_data(s, 0))\n#define SSL_SESSION_set_app_data(s, a) \\\n (SSL_SESSION_set_ex_data(s, 0, (char *)(a)))\n#define SSL_SESSION_get_app_data(s) (SSL_SESSION_get_ex_data(s, 0))\n#define SSL_CTX_get_app_data(ctx) (SSL_CTX_get_ex_data(ctx, 0))\n#define SSL_CTX_set_app_data(ctx, arg) \\\n (SSL_CTX_set_ex_data(ctx, 0, (char *)(arg)))\n\n#define OpenSSL_add_ssl_algorithms() SSL_library_init()\n#define SSLeay_add_ssl_algorithms() SSL_library_init()\n\n#define SSL_get_cipher(ssl) SSL_CIPHER_get_name(SSL_get_current_cipher(ssl))\n#define SSL_get_cipher_bits(ssl, out_alg_bits) \\\n SSL_CIPHER_get_bits(SSL_get_current_cipher(ssl), out_alg_bits)\n#define SSL_get_cipher_version(ssl) \\\n SSL_CIPHER_get_version(SSL_get_current_cipher(ssl))\n#define SSL_get_cipher_name(ssl) \\\n SSL_CIPHER_get_name(SSL_get_current_cipher(ssl))\n#define SSL_get_time(session) SSL_SESSION_get_time(session)\n#define SSL_set_time(session, time) SSL_SESSION_set_time((session), (time))\n#define SSL_get_timeout(session) SSL_SESSION_get_timeout(session)\n#define SSL_set_timeout(session, timeout) \\\n SSL_SESSION_set_timeout((session), (timeout))\n\nstruct ssl_comp_st {\n int id;\n const char *name;\n char *method;\n};\n\nDEFINE_STACK_OF(SSL_COMP)\n\n// The following flags do nothing and are included only to make it easier to\n// compile code with BoringSSL.\n#define SSL_MODE_AUTO_RETRY 0\n#define SSL_MODE_RELEASE_BUFFERS 0\n#define SSL_MODE_SEND_CLIENTHELLO_TIME 0\n#define SSL_MODE_SEND_SERVERHELLO_TIME 0\n#define SSL_OP_ALL 0\n#define SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION 0\n#define SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS 0\n#define SSL_OP_EPHEMERAL_RSA 0\n#define SSL_OP_LEGACY_SERVER_CONNECT 0\n#define SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER 0\n#define SSL_OP_MICROSOFT_SESS_ID_BUG 0\n#define SSL_OP_MSIE_SSLV2_RSA_PADDING 0\n#define SSL_OP_NETSCAPE_CA_DN_BUG 0\n#define SSL_OP_NETSCAPE_CHALLENGE_BUG 0\n#define SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG 0\n#define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG 0\n#define SSL_OP_NO_COMPRESSION 0\n#define SSL_OP_NO_RENEGOTIATION 0 // ssl_renegotiate_never is the default\n#define SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION 0\n#define SSL_OP_NO_SSLv2 0\n#define SSL_OP_NO_SSLv3 0\n#define SSL_OP_PKCS1_CHECK_1 0\n#define SSL_OP_PKCS1_CHECK_2 0\n#define SSL_OP_SINGLE_DH_USE 0\n#define SSL_OP_SINGLE_ECDH_USE 0\n#define SSL_OP_SSLEAY_080_CLIENT_DH_BUG 0\n#define SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG 0\n#define SSL_OP_TLS_BLOCK_PADDING_BUG 0\n#define SSL_OP_TLS_D5_BUG 0\n#define SSL_OP_TLS_ROLLBACK_BUG 0\n#define SSL_VERIFY_CLIENT_ONCE 0\n\n// SSL_cache_hit calls |SSL_session_reused|.\nOPENSSL_EXPORT int SSL_cache_hit(SSL *ssl);\n\n// SSL_get_default_timeout returns |SSL_DEFAULT_SESSION_TIMEOUT|.\nOPENSSL_EXPORT long SSL_get_default_timeout(const SSL *ssl);\n\n// SSL_get_version returns a string describing the TLS version used by |ssl|.\n// For example, \"TLSv1.2\" or \"DTLSv1\".\nOPENSSL_EXPORT const char *SSL_get_version(const SSL *ssl);\n\n// SSL_get_all_version_names outputs a list of possible strings\n// |SSL_get_version| may return in this version of BoringSSL. It writes at most\n// |max_out| entries to |out| and returns the total number it would have\n// written, if |max_out| had been large enough. |max_out| may be initially set\n// to zero to size the output.\n//\n// This function is only intended to help initialize tables in callers that want\n// possible strings pre-declared. This list would not be suitable to set a list\n// of supported features. It is in no particular order, and may contain\n// placeholder, experimental, or deprecated values that do not apply to every\n// caller. Future versions of BoringSSL may also return strings not in this\n// list, so this does not apply if, say, sending strings across services.\nOPENSSL_EXPORT size_t SSL_get_all_version_names(const char **out,\n size_t max_out);\n\n// SSL_get_cipher_list returns the name of the |n|th cipher in the output of\n// |SSL_get_ciphers| or NULL if out of range. Use |SSL_get_ciphers| instead.\nOPENSSL_EXPORT const char *SSL_get_cipher_list(const SSL *ssl, int n);\n\n// SSL_CTX_set_client_cert_cb sets a callback which is called on the client if\n// the server requests a client certificate and none is configured. On success,\n// the callback should return one and set |*out_x509| to |*out_pkey| to a leaf\n// certificate and private key, respectively, passing ownership. It should\n// return zero to send no certificate and -1 to fail or pause the handshake. If\n// the handshake is paused, |SSL_get_error| will return\n// |SSL_ERROR_WANT_X509_LOOKUP|.\n//\n// The callback may call |SSL_get0_certificate_types| and\n// |SSL_get_client_CA_list| for information on the server's certificate request.\n//\n// Use |SSL_CTX_set_cert_cb| instead. Configuring intermediate certificates with\n// this function is confusing. This callback may not be registered concurrently\n// with |SSL_CTX_set_cert_cb| or |SSL_set_cert_cb|.\nOPENSSL_EXPORT void SSL_CTX_set_client_cert_cb(\n SSL_CTX *ctx, int (*cb)(SSL *ssl, X509 **out_x509, EVP_PKEY **out_pkey));\n\n#define SSL_NOTHING SSL_ERROR_NONE\n#define SSL_WRITING SSL_ERROR_WANT_WRITE\n#define SSL_READING SSL_ERROR_WANT_READ\n\n// SSL_want returns one of the above values to determine what the most recent\n// operation on |ssl| was blocked on. Use |SSL_get_error| instead.\nOPENSSL_EXPORT int SSL_want(const SSL *ssl);\n\n#define SSL_want_read(ssl) (SSL_want(ssl) == SSL_READING)\n#define SSL_want_write(ssl) (SSL_want(ssl) == SSL_WRITING)\n\n// SSL_get_finished writes up to |count| bytes of the Finished message sent by\n// |ssl| to |buf|. It returns the total untruncated length or zero if none has\n// been sent yet. At TLS 1.3 and later, it returns zero.\n//\n// Use |SSL_get_tls_unique| instead.\nOPENSSL_EXPORT size_t SSL_get_finished(const SSL *ssl, void *buf, size_t count);\n\n// SSL_get_peer_finished writes up to |count| bytes of the Finished message\n// received from |ssl|'s peer to |buf|. It returns the total untruncated length\n// or zero if none has been received yet. At TLS 1.3 and later, it returns\n// zero.\n//\n// Use |SSL_get_tls_unique| instead.\nOPENSSL_EXPORT size_t SSL_get_peer_finished(const SSL *ssl, void *buf,\n size_t count);\n\n// SSL_alert_type_string returns \"!\". Use |SSL_alert_type_string_long|\n// instead.\nOPENSSL_EXPORT const char *SSL_alert_type_string(int value);\n\n// SSL_alert_desc_string returns \"!!\". Use |SSL_alert_desc_string_long|\n// instead.\nOPENSSL_EXPORT const char *SSL_alert_desc_string(int value);\n\n// SSL_state_string returns \"!!!!!!\". Use |SSL_state_string_long| for a more\n// intelligible string.\nOPENSSL_EXPORT const char *SSL_state_string(const SSL *ssl);\n\n// SSL_TXT_* expand to strings.\n#define SSL_TXT_MEDIUM \"MEDIUM\"\n#define SSL_TXT_HIGH \"HIGH\"\n#define SSL_TXT_FIPS \"FIPS\"\n#define SSL_TXT_kRSA \"kRSA\"\n#define SSL_TXT_kDHE \"kDHE\"\n#define SSL_TXT_kEDH \"kEDH\"\n#define SSL_TXT_kECDHE \"kECDHE\"\n#define SSL_TXT_kEECDH \"kEECDH\"\n#define SSL_TXT_kPSK \"kPSK\"\n#define SSL_TXT_aRSA \"aRSA\"\n#define SSL_TXT_aECDSA \"aECDSA\"\n#define SSL_TXT_aPSK \"aPSK\"\n#define SSL_TXT_DH \"DH\"\n#define SSL_TXT_DHE \"DHE\"\n#define SSL_TXT_EDH \"EDH\"\n#define SSL_TXT_RSA \"RSA\"\n#define SSL_TXT_ECDH \"ECDH\"\n#define SSL_TXT_ECDHE \"ECDHE\"\n#define SSL_TXT_EECDH \"EECDH\"\n#define SSL_TXT_ECDSA \"ECDSA\"\n#define SSL_TXT_PSK \"PSK\"\n#define SSL_TXT_3DES \"3DES\"\n#define SSL_TXT_RC4 \"RC4\"\n#define SSL_TXT_AES128 \"AES128\"\n#define SSL_TXT_AES256 \"AES256\"\n#define SSL_TXT_AES \"AES\"\n#define SSL_TXT_AES_GCM \"AESGCM\"\n#define SSL_TXT_CHACHA20 \"CHACHA20\"\n#define SSL_TXT_MD5 \"MD5\"\n#define SSL_TXT_SHA1 \"SHA1\"\n#define SSL_TXT_SHA \"SHA\"\n#define SSL_TXT_SHA256 \"SHA256\"\n#define SSL_TXT_SHA384 \"SHA384\"\n#define SSL_TXT_SSLV3 \"SSLv3\"\n#define SSL_TXT_TLSV1 \"TLSv1\"\n#define SSL_TXT_TLSV1_1 \"TLSv1.1\"\n#define SSL_TXT_TLSV1_2 \"TLSv1.2\"\n#define SSL_TXT_TLSV1_3 \"TLSv1.3\"\n#define SSL_TXT_ALL \"ALL\"\n#define SSL_TXT_CMPDEF \"COMPLEMENTOFDEFAULT\"\n\ntypedef struct ssl_conf_ctx_st SSL_CONF_CTX;\n\n// SSL_state returns |SSL_ST_INIT| if a handshake is in progress and |SSL_ST_OK|\n// otherwise.\n//\n// Use |SSL_is_init| instead.\nOPENSSL_EXPORT int SSL_state(const SSL *ssl);\n\n#define SSL_get_state(ssl) SSL_state(ssl)\n\n// SSL_set_shutdown causes |ssl| to behave as if the shutdown bitmask (see\n// |SSL_get_shutdown|) were |mode|. This may be used to skip sending or\n// receiving close_notify in |SSL_shutdown| by causing the implementation to\n// believe the events already happened.\n//\n// It is an error to use |SSL_set_shutdown| to unset a bit that has already been\n// set. Doing so will trigger an |assert| in debug builds and otherwise be\n// ignored.\n//\n// Use |SSL_CTX_set_quiet_shutdown| instead.\nOPENSSL_EXPORT void SSL_set_shutdown(SSL *ssl, int mode);\n\n// SSL_CTX_set_tmp_ecdh calls |SSL_CTX_set1_groups| with a one-element list\n// containing |ec_key|'s curve. The remainder of |ec_key| is ignored.\nOPENSSL_EXPORT int SSL_CTX_set_tmp_ecdh(SSL_CTX *ctx, const EC_KEY *ec_key);\n\n// SSL_set_tmp_ecdh calls |SSL_set1_groups| with a one-element list containing\n// |ec_key|'s curve. The remainder of |ec_key| is ignored.\nOPENSSL_EXPORT int SSL_set_tmp_ecdh(SSL *ssl, const EC_KEY *ec_key);\n\n#if !defined(OPENSSL_NO_FILESYSTEM)\n// SSL_add_dir_cert_subjects_to_stack lists files in directory |dir|. It calls\n// |SSL_add_file_cert_subjects_to_stack| on each file and returns one on success\n// or zero on error. This function is only available from the libdecrepit\n// library.\nOPENSSL_EXPORT int SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *out,\n const char *dir);\n#endif\n\n// SSL_CTX_enable_tls_channel_id calls |SSL_CTX_set_tls_channel_id_enabled|.\nOPENSSL_EXPORT int SSL_CTX_enable_tls_channel_id(SSL_CTX *ctx);\n\n// SSL_enable_tls_channel_id calls |SSL_set_tls_channel_id_enabled|.\nOPENSSL_EXPORT int SSL_enable_tls_channel_id(SSL *ssl);\n\n// BIO_f_ssl returns a |BIO_METHOD| that can wrap an |SSL*| in a |BIO*|. Note\n// that this has quite different behaviour from the version in OpenSSL (notably\n// that it doesn't try to auto renegotiate).\n//\n// IMPORTANT: if you are not curl, don't use this.\nOPENSSL_EXPORT const BIO_METHOD *BIO_f_ssl(void);\n\n// BIO_set_ssl sets |ssl| as the underlying connection for |bio|, which must\n// have been created using |BIO_f_ssl|. If |take_owership| is true, |bio| will\n// call |SSL_free| on |ssl| when closed. It returns one on success or something\n// other than one on error.\nOPENSSL_EXPORT long BIO_set_ssl(BIO *bio, SSL *ssl, int take_owership);\n\n// SSL_CTX_set_ecdh_auto returns one.\n#define SSL_CTX_set_ecdh_auto(ctx, onoff) 1\n\n// SSL_set_ecdh_auto returns one.\n#define SSL_set_ecdh_auto(ssl, onoff) 1\n\n// SSL_get_session returns a non-owning pointer to |ssl|'s session. For\n// historical reasons, which session it returns depends on |ssl|'s state.\n//\n// Prior to the start of the initial handshake, it returns the session the\n// caller set with |SSL_set_session|. After the initial handshake has finished\n// and if no additional handshakes are in progress, it returns the currently\n// active session. Its behavior is undefined while a handshake is in progress.\n//\n// If trying to add new sessions to an external session cache, use\n// |SSL_CTX_sess_set_new_cb| instead. In particular, using the callback is\n// required as of TLS 1.3. For compatibility, this function will return an\n// unresumable session which may be cached, but will never be resumed.\n//\n// If querying properties of the connection, use APIs on the |SSL| object.\nOPENSSL_EXPORT SSL_SESSION *SSL_get_session(const SSL *ssl);\n\n// SSL_get0_session is an alias for |SSL_get_session|.\n#define SSL_get0_session SSL_get_session\n\n// SSL_get1_session acts like |SSL_get_session| but returns a new reference to\n// the session.\nOPENSSL_EXPORT SSL_SESSION *SSL_get1_session(SSL *ssl);\n\n#define OPENSSL_INIT_NO_LOAD_SSL_STRINGS 0\n#define OPENSSL_INIT_LOAD_SSL_STRINGS 0\n#define OPENSSL_INIT_SSL_DEFAULT 0\n\n// OPENSSL_init_ssl returns one.\nOPENSSL_EXPORT int OPENSSL_init_ssl(uint64_t opts,\n const OPENSSL_INIT_SETTINGS *settings);\n\n// The following constants are legacy aliases for RSA-PSS with rsaEncryption\n// keys. Use the new names instead.\n#define SSL_SIGN_RSA_PSS_SHA256 SSL_SIGN_RSA_PSS_RSAE_SHA256\n#define SSL_SIGN_RSA_PSS_SHA384 SSL_SIGN_RSA_PSS_RSAE_SHA384\n#define SSL_SIGN_RSA_PSS_SHA512 SSL_SIGN_RSA_PSS_RSAE_SHA512\n\n// SSL_set_tlsext_status_type configures a client to request OCSP stapling if\n// |type| is |TLSEXT_STATUSTYPE_ocsp| and disables it otherwise. It returns one\n// on success and zero if handshake configuration has already been shed.\n//\n// Use |SSL_enable_ocsp_stapling| instead.\nOPENSSL_EXPORT int SSL_set_tlsext_status_type(SSL *ssl, int type);\n\n// SSL_get_tlsext_status_type returns |TLSEXT_STATUSTYPE_ocsp| if the client\n// requested OCSP stapling and |TLSEXT_STATUSTYPE_nothing| otherwise. On the\n// client, this reflects whether OCSP stapling was enabled via, e.g.,\n// |SSL_set_tlsext_status_type|. On the server, this is determined during the\n// handshake. It may be queried in callbacks set by |SSL_CTX_set_cert_cb|. The\n// result is undefined after the handshake completes.\nOPENSSL_EXPORT int SSL_get_tlsext_status_type(const SSL *ssl);\n\n// SSL_set_tlsext_status_ocsp_resp sets the OCSP response. It returns one on\n// success and zero on error. On success, |ssl| takes ownership of |resp|, which\n// must have been allocated by |OPENSSL_malloc|.\n//\n// Use |SSL_set_ocsp_response| instead.\nOPENSSL_EXPORT int SSL_set_tlsext_status_ocsp_resp(SSL *ssl, uint8_t *resp,\n size_t resp_len);\n\n// SSL_get_tlsext_status_ocsp_resp sets |*out| to point to the OCSP response\n// from the server. It returns the length of the response. If there was no\n// response, it sets |*out| to NULL and returns zero.\n//\n// Use |SSL_get0_ocsp_response| instead.\n//\n// WARNING: the returned data is not guaranteed to be well formed.\nOPENSSL_EXPORT size_t SSL_get_tlsext_status_ocsp_resp(const SSL *ssl,\n const uint8_t **out);\n\n// SSL_CTX_set_tlsext_status_cb configures the legacy OpenSSL OCSP callback and\n// returns one. Though the type signature is the same, this callback has\n// different behavior for client and server connections:\n//\n// For clients, the callback is called after certificate verification. It should\n// return one for success, zero for a bad OCSP response, and a negative number\n// for internal error. Instead, handle this as part of certificate verification.\n// (Historically, OpenSSL verified certificates just before parsing stapled OCSP\n// responses, but BoringSSL fixes this ordering. All server credentials are\n// available during verification.)\n//\n// Do not use this callback as a server. It is provided for compatibility\n// purposes only. For servers, it is called to configure server credentials. It\n// should return |SSL_TLSEXT_ERR_OK| on success, |SSL_TLSEXT_ERR_NOACK| to\n// ignore OCSP requests, or |SSL_TLSEXT_ERR_ALERT_FATAL| on error. It is usually\n// used to fetch OCSP responses on demand, which is not ideal. Instead, treat\n// OCSP responses like other server credentials, such as certificates or SCT\n// lists. Configure, store, and refresh them eagerly. This avoids downtime if\n// the CA's OCSP responder is briefly offline.\nOPENSSL_EXPORT int SSL_CTX_set_tlsext_status_cb(SSL_CTX *ctx,\n int (*callback)(SSL *ssl,\n void *arg));\n\n// SSL_CTX_set_tlsext_status_arg sets additional data for\n// |SSL_CTX_set_tlsext_status_cb|'s callback and returns one.\nOPENSSL_EXPORT int SSL_CTX_set_tlsext_status_arg(SSL_CTX *ctx, void *arg);\n\n// The following symbols are compatibility aliases for reason codes used when\n// receiving an alert from the peer. Use the other names instead, which fit the\n// naming convention.\n//\n// TODO(davidben): Fix references to |SSL_R_TLSV1_CERTIFICATE_REQUIRED| and\n// remove the compatibility value. The others come from OpenSSL.\n#define SSL_R_TLSV1_UNSUPPORTED_EXTENSION \\\n SSL_R_TLSV1_ALERT_UNSUPPORTED_EXTENSION\n#define SSL_R_TLSV1_CERTIFICATE_UNOBTAINABLE \\\n SSL_R_TLSV1_ALERT_CERTIFICATE_UNOBTAINABLE\n#define SSL_R_TLSV1_UNRECOGNIZED_NAME SSL_R_TLSV1_ALERT_UNRECOGNIZED_NAME\n#define SSL_R_TLSV1_BAD_CERTIFICATE_STATUS_RESPONSE \\\n SSL_R_TLSV1_ALERT_BAD_CERTIFICATE_STATUS_RESPONSE\n#define SSL_R_TLSV1_BAD_CERTIFICATE_HASH_VALUE \\\n SSL_R_TLSV1_ALERT_BAD_CERTIFICATE_HASH_VALUE\n#define SSL_R_TLSV1_CERTIFICATE_REQUIRED SSL_R_TLSV1_ALERT_CERTIFICATE_REQUIRED\n\n// The following symbols are compatibility aliases for |SSL_GROUP_*|.\n#define SSL_CURVE_SECP224R1 SSL_GROUP_SECP224R1\n#define SSL_CURVE_SECP256R1 SSL_GROUP_SECP256R1\n#define SSL_CURVE_SECP384R1 SSL_GROUP_SECP384R1\n#define SSL_CURVE_SECP521R1 SSL_GROUP_SECP521R1\n#define SSL_CURVE_X25519 SSL_GROUP_X25519\n#define SSL_CURVE_X25519_KYBER768_DRAFT00 SSL_GROUP_X25519_KYBER768_DRAFT00\n\n// SSL_get_curve_id calls |SSL_get_group_id|.\nOPENSSL_EXPORT uint16_t SSL_get_curve_id(const SSL *ssl);\n\n// SSL_get_curve_name calls |SSL_get_group_name|.\nOPENSSL_EXPORT const char *SSL_get_curve_name(uint16_t curve_id);\n\n// SSL_get_all_curve_names calls |SSL_get_all_group_names|.\nOPENSSL_EXPORT size_t SSL_get_all_curve_names(const char **out, size_t max_out);\n\n// SSL_CTX_set1_curves calls |SSL_CTX_set1_groups|.\nOPENSSL_EXPORT int SSL_CTX_set1_curves(SSL_CTX *ctx, const int *curves,\n size_t num_curves);\n\n// SSL_set1_curves calls |SSL_set1_groups|.\nOPENSSL_EXPORT int SSL_set1_curves(SSL *ssl, const int *curves,\n size_t num_curves);\n\n// SSL_CTX_set1_curves_list calls |SSL_CTX_set1_groups_list|.\nOPENSSL_EXPORT int SSL_CTX_set1_curves_list(SSL_CTX *ctx, const char *curves);\n\n// SSL_set1_curves_list calls |SSL_set1_groups_list|.\nOPENSSL_EXPORT int SSL_set1_curves_list(SSL *ssl, const char *curves);\n\n// TLSEXT_nid_unknown is a constant used in OpenSSL for\n// |SSL_get_negotiated_group| to return an unrecognized group. BoringSSL never\n// returns this value, but we define this constant for compatibility.\n#define TLSEXT_nid_unknown 0x1000000\n\n// SSL_CTX_check_private_key returns one if |ctx| has both a certificate and\n// private key, and zero otherwise.\n//\n// This function does not check consistency because the library checks when the\n// certificate and key are individually configured. However, if the private key\n// is configured before the certificate, inconsistent private keys are silently\n// dropped. Some callers are inadvertently relying on this function to detect\n// when this happens.\n//\n// Instead, callers should configure the certificate first, then the private\n// key, checking for errors in each. This function is then unnecessary.\nOPENSSL_EXPORT int SSL_CTX_check_private_key(const SSL_CTX *ctx);\n\n// SSL_check_private_key returns one if |ssl| has both a certificate and private\n// key, and zero otherwise.\n//\n// See discussion in |SSL_CTX_check_private_key|.\nOPENSSL_EXPORT int SSL_check_private_key(const SSL *ssl);\n\n\n// Compliance policy configurations\n//\n// A TLS connection has a large number of different parameters. Some are well\n// known, like cipher suites, but many are obscure and configuration functions\n// for them may not exist. These policy controls allow broad configuration\n// goals to be specified so that they can flow down to all the different\n// parameters of a TLS connection.\n\nenum ssl_compliance_policy_t BORINGSSL_ENUM_INT {\n // ssl_compliance_policy_none does nothing. However, since setting this\n // doesn't undo other policies it's an error to try and set it.\n ssl_compliance_policy_none,\n\n // ssl_compliance_policy_fips_202205 configures a TLS connection to use:\n // * TLS 1.2 or 1.3\n // * For TLS 1.2, only ECDHE_[RSA|ECDSA]_WITH_AES_*_GCM_SHA*.\n // * For TLS 1.3, only AES-GCM\n // * P-256 or P-384 for key agreement.\n // * For server signatures, only PKCS#1/PSS with SHA256/384/512, or ECDSA\n // with P-256 or P-384.\n //\n // Note: this policy can be configured even if BoringSSL has not been built in\n // FIPS mode. Call |FIPS_mode| to check that.\n //\n // Note: this setting aids with compliance with NIST requirements but does not\n // guarantee it. Careful reading of SP 800-52r2 is recommended.\n ssl_compliance_policy_fips_202205,\n\n // ssl_compliance_policy_wpa3_192_202304 configures a TLS connection to use:\n // * TLS 1.2 or 1.3.\n // * For TLS 1.2, only TLS_ECDHE_[ECDSA|RSA]_WITH_AES_256_GCM_SHA384.\n // * For TLS 1.3, only AES-256-GCM.\n // * P-384 for key agreement.\n // * For handshake signatures, only ECDSA with P-384 and SHA-384, or RSA\n // with SHA-384 or SHA-512.\n //\n // No limitations on the certificate chain nor leaf public key are imposed,\n // other than by the supported signature algorithms. But WPA3's \"192-bit\"\n // mode requires at least P-384 or 3072-bit along the chain. The caller must\n // enforce this themselves on the verified chain using functions such as\n // `X509_STORE_CTX_get0_chain`.\n //\n // Note that this setting is less secure than the default. The\n // implementation risks of using a more obscure primitive like P-384\n // dominate other considerations.\n ssl_compliance_policy_wpa3_192_202304,\n\n // ssl_compliance_policy_cnsa_202407 confingures a TLS connection to use:\n // * For TLS 1.3, AES-256-GCM over AES-128-GCM over ChaCha20-Poly1305.\n //\n // I.e. it ensures that AES-GCM will be used whenever the client supports it.\n // The cipher suite configuration mini-language can be used to similarly\n // configure prior TLS versions if they are enabled.\n ssl_compliance_policy_cnsa_202407,\n};\n\n// SSL_CTX_set_compliance_policy configures various aspects of |ctx| based on\n// the given policy requirements. Subsequently calling other functions that\n// configure |ctx| may override |policy|, or may not. This should be the final\n// configuration function called in order to have defined behaviour. It's a\n// fatal error if |policy| is |ssl_compliance_policy_none|.\nOPENSSL_EXPORT int SSL_CTX_set_compliance_policy(\n SSL_CTX *ctx, enum ssl_compliance_policy_t policy);\n\n// SSL_CTX_get_compliance_policy returns the compliance policy configured on\n// |ctx|.\nOPENSSL_EXPORT enum ssl_compliance_policy_t SSL_CTX_get_compliance_policy(\n const SSL_CTX *ctx);\n\n// SSL_set_compliance_policy acts the same as |SSL_CTX_set_compliance_policy|,\n// but only configures a single |SSL*|.\nOPENSSL_EXPORT int SSL_set_compliance_policy(\n SSL *ssl, enum ssl_compliance_policy_t policy);\n\n// SSL_get_compliance_policy returns the compliance policy configured on\n// |ssl|.\nOPENSSL_EXPORT enum ssl_compliance_policy_t SSL_get_compliance_policy(\n const SSL *ssl);\n\n// Nodejs compatibility section (hidden).\n//\n// These defines exist for node.js, with the hope that we can eliminate the\n// need for them over time.\n\n#define SSLerr(function, reason) \\\n ERR_put_error(ERR_LIB_SSL, 0, reason, __FILE__, __LINE__)\n\n\n// Preprocessor compatibility section (hidden).\n//\n// Historically, a number of APIs were implemented in OpenSSL as macros and\n// constants to 'ctrl' functions. To avoid breaking #ifdefs in consumers, this\n// section defines a number of legacy macros.\n//\n// Although using either the CTRL values or their wrapper macros in #ifdefs is\n// still supported, the CTRL values may not be passed to |SSL_ctrl| and\n// |SSL_CTX_ctrl|. Call the functions (previously wrapper macros) instead.\n//\n// See PORTING.md in the BoringSSL source tree for a table of corresponding\n// functions.\n// https://boringssl.googlesource.com/boringssl/+/main/PORTING.md#Replacements-for-values\n\n#define DTLS_CTRL_GET_TIMEOUT doesnt_exist\n#define DTLS_CTRL_HANDLE_TIMEOUT doesnt_exist\n#define SSL_CTRL_CHAIN doesnt_exist\n#define SSL_CTRL_CHAIN_CERT doesnt_exist\n#define SSL_CTRL_CHANNEL_ID doesnt_exist\n#define SSL_CTRL_CLEAR_EXTRA_CHAIN_CERTS doesnt_exist\n#define SSL_CTRL_CLEAR_MODE doesnt_exist\n#define SSL_CTRL_CLEAR_OPTIONS doesnt_exist\n#define SSL_CTRL_EXTRA_CHAIN_CERT doesnt_exist\n#define SSL_CTRL_GET_CHAIN_CERTS doesnt_exist\n#define SSL_CTRL_GET_CHANNEL_ID doesnt_exist\n#define SSL_CTRL_GET_CLIENT_CERT_TYPES doesnt_exist\n#define SSL_CTRL_GET_EXTRA_CHAIN_CERTS doesnt_exist\n#define SSL_CTRL_GET_MAX_CERT_LIST doesnt_exist\n#define SSL_CTRL_GET_NEGOTIATED_GROUP doesnt_exist\n#define SSL_CTRL_GET_NUM_RENEGOTIATIONS doesnt_exist\n#define SSL_CTRL_GET_READ_AHEAD doesnt_exist\n#define SSL_CTRL_GET_RI_SUPPORT doesnt_exist\n#define SSL_CTRL_GET_SERVER_TMP_KEY doesnt_exist\n#define SSL_CTRL_GET_SESSION_REUSED doesnt_exist\n#define SSL_CTRL_GET_SESS_CACHE_MODE doesnt_exist\n#define SSL_CTRL_GET_SESS_CACHE_SIZE doesnt_exist\n#define SSL_CTRL_GET_TLSEXT_TICKET_KEYS doesnt_exist\n#define SSL_CTRL_GET_TOTAL_RENEGOTIATIONS doesnt_exist\n#define SSL_CTRL_MODE doesnt_exist\n#define SSL_CTRL_NEED_TMP_RSA doesnt_exist\n#define SSL_CTRL_OPTIONS doesnt_exist\n#define SSL_CTRL_SESS_NUMBER doesnt_exist\n#define SSL_CTRL_SET_CURVES doesnt_exist\n#define SSL_CTRL_SET_CURVES_LIST doesnt_exist\n#define SSL_CTRL_SET_GROUPS doesnt_exist\n#define SSL_CTRL_SET_GROUPS_LIST doesnt_exist\n#define SSL_CTRL_SET_ECDH_AUTO doesnt_exist\n#define SSL_CTRL_SET_MAX_CERT_LIST doesnt_exist\n#define SSL_CTRL_SET_MAX_SEND_FRAGMENT doesnt_exist\n#define SSL_CTRL_SET_MSG_CALLBACK doesnt_exist\n#define SSL_CTRL_SET_MSG_CALLBACK_ARG doesnt_exist\n#define SSL_CTRL_SET_MTU doesnt_exist\n#define SSL_CTRL_SET_READ_AHEAD doesnt_exist\n#define SSL_CTRL_SET_SESS_CACHE_MODE doesnt_exist\n#define SSL_CTRL_SET_SESS_CACHE_SIZE doesnt_exist\n#define SSL_CTRL_SET_TLSEXT_HOSTNAME doesnt_exist\n#define SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG doesnt_exist\n#define SSL_CTRL_SET_TLSEXT_SERVERNAME_CB doesnt_exist\n#define SSL_CTRL_SET_TLSEXT_TICKET_KEYS doesnt_exist\n#define SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB doesnt_exist\n#define SSL_CTRL_SET_TMP_DH doesnt_exist\n#define SSL_CTRL_SET_TMP_DH_CB doesnt_exist\n#define SSL_CTRL_SET_TMP_ECDH doesnt_exist\n#define SSL_CTRL_SET_TMP_ECDH_CB doesnt_exist\n#define SSL_CTRL_SET_TMP_RSA doesnt_exist\n#define SSL_CTRL_SET_TMP_RSA_CB doesnt_exist\n\n// |BORINGSSL_PREFIX| already makes each of these symbols into macros, so there\n// is no need to define conflicting macros.\n#if !defined(BORINGSSL_PREFIX)\n\n#define DTLSv1_get_timeout DTLSv1_get_timeout\n#define DTLSv1_handle_timeout DTLSv1_handle_timeout\n#define SSL_CTX_add0_chain_cert SSL_CTX_add0_chain_cert\n#define SSL_CTX_add1_chain_cert SSL_CTX_add1_chain_cert\n#define SSL_CTX_add_extra_chain_cert SSL_CTX_add_extra_chain_cert\n#define SSL_CTX_clear_extra_chain_certs SSL_CTX_clear_extra_chain_certs\n#define SSL_CTX_clear_chain_certs SSL_CTX_clear_chain_certs\n#define SSL_CTX_clear_mode SSL_CTX_clear_mode\n#define SSL_CTX_clear_options SSL_CTX_clear_options\n#define SSL_CTX_get0_chain_certs SSL_CTX_get0_chain_certs\n#define SSL_CTX_get_extra_chain_certs SSL_CTX_get_extra_chain_certs\n#define SSL_CTX_get_max_cert_list SSL_CTX_get_max_cert_list\n#define SSL_CTX_get_mode SSL_CTX_get_mode\n#define SSL_CTX_get_options SSL_CTX_get_options\n#define SSL_CTX_get_read_ahead SSL_CTX_get_read_ahead\n#define SSL_CTX_get_session_cache_mode SSL_CTX_get_session_cache_mode\n#define SSL_CTX_get_tlsext_ticket_keys SSL_CTX_get_tlsext_ticket_keys\n#define SSL_CTX_need_tmp_RSA SSL_CTX_need_tmp_RSA\n#define SSL_CTX_sess_get_cache_size SSL_CTX_sess_get_cache_size\n#define SSL_CTX_sess_number SSL_CTX_sess_number\n#define SSL_CTX_sess_set_cache_size SSL_CTX_sess_set_cache_size\n#define SSL_CTX_set0_chain SSL_CTX_set0_chain\n#define SSL_CTX_set1_chain SSL_CTX_set1_chain\n#define SSL_CTX_set1_curves SSL_CTX_set1_curves\n#define SSL_CTX_set1_groups SSL_CTX_set1_groups\n#define SSL_CTX_set_max_cert_list SSL_CTX_set_max_cert_list\n#define SSL_CTX_set_max_send_fragment SSL_CTX_set_max_send_fragment\n#define SSL_CTX_set_mode SSL_CTX_set_mode\n#define SSL_CTX_set_msg_callback_arg SSL_CTX_set_msg_callback_arg\n#define SSL_CTX_set_options SSL_CTX_set_options\n#define SSL_CTX_set_read_ahead SSL_CTX_set_read_ahead\n#define SSL_CTX_set_session_cache_mode SSL_CTX_set_session_cache_mode\n#define SSL_CTX_set_tlsext_servername_arg SSL_CTX_set_tlsext_servername_arg\n#define SSL_CTX_set_tlsext_servername_callback \\\n SSL_CTX_set_tlsext_servername_callback\n#define SSL_CTX_set_tlsext_ticket_key_cb SSL_CTX_set_tlsext_ticket_key_cb\n#define SSL_CTX_set_tlsext_ticket_keys SSL_CTX_set_tlsext_ticket_keys\n#define SSL_CTX_set_tmp_dh SSL_CTX_set_tmp_dh\n#define SSL_CTX_set_tmp_ecdh SSL_CTX_set_tmp_ecdh\n#define SSL_CTX_set_tmp_rsa SSL_CTX_set_tmp_rsa\n#define SSL_add0_chain_cert SSL_add0_chain_cert\n#define SSL_add1_chain_cert SSL_add1_chain_cert\n#define SSL_clear_chain_certs SSL_clear_chain_certs\n#define SSL_clear_mode SSL_clear_mode\n#define SSL_clear_options SSL_clear_options\n#define SSL_get0_certificate_types SSL_get0_certificate_types\n#define SSL_get0_chain_certs SSL_get0_chain_certs\n#define SSL_get_max_cert_list SSL_get_max_cert_list\n#define SSL_get_mode SSL_get_mode\n#define SSL_get_negotiated_group SSL_get_negotiated_group\n#define SSL_get_options SSL_get_options\n#define SSL_get_secure_renegotiation_support \\\n SSL_get_secure_renegotiation_support\n#define SSL_need_tmp_RSA SSL_need_tmp_RSA\n#define SSL_num_renegotiations SSL_num_renegotiations\n#define SSL_session_reused SSL_session_reused\n#define SSL_set0_chain SSL_set0_chain\n#define SSL_set1_chain SSL_set1_chain\n#define SSL_set1_curves SSL_set1_curves\n#define SSL_set1_groups SSL_set1_groups\n#define SSL_set_max_cert_list SSL_set_max_cert_list\n#define SSL_set_max_send_fragment SSL_set_max_send_fragment\n#define SSL_set_mode SSL_set_mode\n#define SSL_set_msg_callback_arg SSL_set_msg_callback_arg\n#define SSL_set_mtu SSL_set_mtu\n#define SSL_set_options SSL_set_options\n#define SSL_set_tlsext_host_name SSL_set_tlsext_host_name\n#define SSL_set_tmp_dh SSL_set_tmp_dh\n#define SSL_set_tmp_ecdh SSL_set_tmp_ecdh\n#define SSL_set_tmp_rsa SSL_set_tmp_rsa\n#define SSL_total_renegotiations SSL_total_renegotiations\n\n#endif // !defined(BORINGSSL_PREFIX)\n\n\n#if defined(__cplusplus)\n} // extern C\n\n#if !defined(BORINGSSL_NO_CXX)\n\nextern \"C++\" {\n\nBSSL_NAMESPACE_BEGIN\n\nBORINGSSL_MAKE_DELETER(SSL, SSL_free)\nBORINGSSL_MAKE_DELETER(SSL_CREDENTIAL, SSL_CREDENTIAL_free)\nBORINGSSL_MAKE_UP_REF(SSL_CREDENTIAL, SSL_CREDENTIAL_up_ref)\nBORINGSSL_MAKE_DELETER(SSL_CTX, SSL_CTX_free)\nBORINGSSL_MAKE_UP_REF(SSL_CTX, SSL_CTX_up_ref)\nBORINGSSL_MAKE_DELETER(SSL_ECH_KEYS, SSL_ECH_KEYS_free)\nBORINGSSL_MAKE_UP_REF(SSL_ECH_KEYS, SSL_ECH_KEYS_up_ref)\nBORINGSSL_MAKE_DELETER(SSL_SESSION, SSL_SESSION_free)\nBORINGSSL_MAKE_UP_REF(SSL_SESSION, SSL_SESSION_up_ref)\n\n\n// *** DEPRECATED EXPERIMENT — DO NOT USE ***\n//\n// Split handshakes.\n//\n// WARNING: This mechanism is deprecated and should not be used. It is very\n// fragile and difficult to use correctly. The relationship between\n// configuration options across the two halves is ill-defined and not\n// self-consistent. Additionally, version skew across the two halves risks\n// unusual behavior and connection failure. New development should use the\n// handshake hints API. Existing deployments should migrate to handshake hints\n// to reduce the risk of service outages.\n//\n// Split handshakes allows the handshake part of a TLS connection to be\n// performed in a different process (or on a different machine) than the data\n// exchange. This only applies to servers.\n//\n// In the first part of a split handshake, an |SSL| (where the |SSL_CTX| has\n// been configured with |SSL_CTX_set_handoff_mode|) is used normally. Once the\n// ClientHello message has been received, the handshake will stop and\n// |SSL_get_error| will indicate |SSL_ERROR_HANDOFF|. At this point (and only\n// at this point), |SSL_serialize_handoff| can be called to write the “handoff”\n// state of the connection.\n//\n// Elsewhere, a fresh |SSL| can be used with |SSL_apply_handoff| to continue\n// the connection. The connection from the client is fed into this |SSL|, and\n// the handshake resumed. When the handshake stops again and |SSL_get_error|\n// indicates |SSL_ERROR_HANDBACK|, |SSL_serialize_handback| should be called to\n// serialize the state of the handshake again.\n//\n// Back at the first location, a fresh |SSL| can be used with\n// |SSL_apply_handback|. Then the client's connection can be processed mostly\n// as normal.\n//\n// Lastly, when a connection is in the handoff state, whether or not\n// |SSL_serialize_handoff| is called, |SSL_decline_handoff| will move it back\n// into a normal state where the connection can proceed without impact.\n//\n// WARNING: Currently only works with TLS 1.0–1.2.\n// WARNING: The serialisation formats are not yet stable: version skew may be\n// fatal.\n// WARNING: The handback data contains sensitive key material and must be\n// protected.\n// WARNING: Some calls on the final |SSL| will not work. Just as an example,\n// calls like |SSL_get0_session_id_context| and |SSL_get_privatekey| won't\n// work because the certificate used for handshaking isn't available.\n// WARNING: |SSL_apply_handoff| may trigger “msg” callback calls.\n\nOPENSSL_EXPORT void SSL_CTX_set_handoff_mode(SSL_CTX *ctx, bool on);\nOPENSSL_EXPORT void SSL_set_handoff_mode(SSL *SSL, bool on);\nOPENSSL_EXPORT bool SSL_serialize_handoff(const SSL *ssl, CBB *out,\n SSL_CLIENT_HELLO *out_hello);\nOPENSSL_EXPORT bool SSL_decline_handoff(SSL *ssl);\nOPENSSL_EXPORT bool SSL_apply_handoff(SSL *ssl, Span handoff);\nOPENSSL_EXPORT bool SSL_serialize_handback(const SSL *ssl, CBB *out);\nOPENSSL_EXPORT bool SSL_apply_handback(SSL *ssl, Span handback);\n\n// SSL_get_traffic_secrets sets |*out_read_traffic_secret| and\n// |*out_write_traffic_secret| to reference the current TLS 1.3 traffic secrets\n// for |ssl|. It returns true on success and false on error.\n//\n// This function is only valid on TLS 1.3 connections that have completed the\n// handshake. It is not valid for QUIC or DTLS, where multiple traffic secrets\n// may be active at a time.\nOPENSSL_EXPORT bool SSL_get_traffic_secrets(\n const SSL *ssl, Span *out_read_traffic_secret,\n Span *out_write_traffic_secret);\n\n// SSL_CTX_set_aes_hw_override_for_testing sets |override_value| to\n// override checking for aes hardware support for testing. If |override_value|\n// is set to true, the library will behave as if aes hardware support is\n// present. If it is set to false, the library will behave as if aes hardware\n// support is not present.\nOPENSSL_EXPORT void SSL_CTX_set_aes_hw_override_for_testing(\n SSL_CTX *ctx, bool override_value);\n\n// SSL_set_aes_hw_override_for_testing acts the same as\n// |SSL_CTX_set_aes_override_for_testing| but only configures a single |SSL*|.\nOPENSSL_EXPORT void SSL_set_aes_hw_override_for_testing(SSL *ssl,\n bool override_value);\n\nBSSL_NAMESPACE_END\n\n} // extern C++\n\n#endif // !defined(BORINGSSL_NO_CXX)\n\n#endif\n\n#define SSL_R_APP_DATA_IN_HANDSHAKE 100\n#define SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT 101\n#define SSL_R_BAD_ALERT 102\n#define SSL_R_BAD_CHANGE_CIPHER_SPEC 103\n#define SSL_R_BAD_DATA_RETURNED_BY_CALLBACK 104\n#define SSL_R_BAD_DH_P_LENGTH 105\n#define SSL_R_BAD_DIGEST_LENGTH 106\n#define SSL_R_BAD_ECC_CERT 107\n#define SSL_R_BAD_ECPOINT 108\n#define SSL_R_BAD_HANDSHAKE_RECORD 109\n#define SSL_R_BAD_HELLO_REQUEST 110\n#define SSL_R_BAD_LENGTH 111\n#define SSL_R_BAD_PACKET_LENGTH 112\n#define SSL_R_BAD_RSA_ENCRYPT 113\n#define SSL_R_BAD_SIGNATURE 114\n#define SSL_R_BAD_SRTP_MKI_VALUE 115\n#define SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST 116\n#define SSL_R_BAD_SSL_FILETYPE 117\n#define SSL_R_BAD_WRITE_RETRY 118\n#define SSL_R_BIO_NOT_SET 119\n#define SSL_R_BN_LIB 120\n#define SSL_R_BUFFER_TOO_SMALL 121\n#define SSL_R_CA_DN_LENGTH_MISMATCH 122\n#define SSL_R_CA_DN_TOO_LONG 123\n#define SSL_R_CCS_RECEIVED_EARLY 124\n#define SSL_R_CERTIFICATE_VERIFY_FAILED 125\n#define SSL_R_CERT_CB_ERROR 126\n#define SSL_R_CERT_LENGTH_MISMATCH 127\n#define SSL_R_CHANNEL_ID_NOT_P256 128\n#define SSL_R_CHANNEL_ID_SIGNATURE_INVALID 129\n#define SSL_R_CIPHER_OR_HASH_UNAVAILABLE 130\n#define SSL_R_CLIENTHELLO_PARSE_FAILED 131\n#define SSL_R_CLIENTHELLO_TLSEXT 132\n#define SSL_R_CONNECTION_REJECTED 133\n#define SSL_R_CONNECTION_TYPE_NOT_SET 134\n#define SSL_R_CUSTOM_EXTENSION_ERROR 135\n#define SSL_R_DATA_LENGTH_TOO_LONG 136\n#define SSL_R_DECODE_ERROR 137\n#define SSL_R_DECRYPTION_FAILED 138\n#define SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC 139\n#define SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG 140\n#define SSL_R_DH_P_TOO_LONG 141\n#define SSL_R_DIGEST_CHECK_FAILED 142\n#define SSL_R_DTLS_MESSAGE_TOO_BIG 143\n#define SSL_R_ECC_CERT_NOT_FOR_SIGNING 144\n#define SSL_R_EMS_STATE_INCONSISTENT 145\n#define SSL_R_ENCRYPTED_LENGTH_TOO_LONG 146\n#define SSL_R_ERROR_ADDING_EXTENSION 147\n#define SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST 148\n#define SSL_R_ERROR_PARSING_EXTENSION 149\n#define SSL_R_EXCESSIVE_MESSAGE_SIZE 150\n#define SSL_R_EXTRA_DATA_IN_MESSAGE 151\n#define SSL_R_FRAGMENT_MISMATCH 152\n#define SSL_R_GOT_NEXT_PROTO_WITHOUT_EXTENSION 153\n#define SSL_R_HANDSHAKE_FAILURE_ON_CLIENT_HELLO 154\n#define SSL_R_HTTPS_PROXY_REQUEST 155\n#define SSL_R_HTTP_REQUEST 156\n#define SSL_R_INAPPROPRIATE_FALLBACK 157\n#define SSL_R_INVALID_COMMAND 158\n#define SSL_R_INVALID_MESSAGE 159\n#define SSL_R_INVALID_SSL_SESSION 160\n#define SSL_R_INVALID_TICKET_KEYS_LENGTH 161\n#define SSL_R_LENGTH_MISMATCH 162\n#define SSL_R_MISSING_EXTENSION 164\n#define SSL_R_MISSING_RSA_CERTIFICATE 165\n#define SSL_R_MISSING_TMP_DH_KEY 166\n#define SSL_R_MISSING_TMP_ECDH_KEY 167\n#define SSL_R_MIXED_SPECIAL_OPERATOR_WITH_GROUPS 168\n#define SSL_R_MTU_TOO_SMALL 169\n#define SSL_R_NEGOTIATED_BOTH_NPN_AND_ALPN 170\n#define SSL_R_NESTED_GROUP 171\n#define SSL_R_NO_CERTIFICATES_RETURNED 172\n#define SSL_R_NO_CERTIFICATE_ASSIGNED 173\n#define SSL_R_NO_CERTIFICATE_SET 174\n#define SSL_R_NO_CIPHERS_AVAILABLE 175\n#define SSL_R_NO_CIPHERS_PASSED 176\n#define SSL_R_NO_CIPHER_MATCH 177\n#define SSL_R_NO_COMPRESSION_SPECIFIED 178\n#define SSL_R_NO_METHOD_SPECIFIED 179\n#define SSL_R_NO_PRIVATE_KEY_ASSIGNED 181\n#define SSL_R_NO_RENEGOTIATION 182\n#define SSL_R_NO_REQUIRED_DIGEST 183\n#define SSL_R_NO_SHARED_CIPHER 184\n#define SSL_R_NULL_SSL_CTX 185\n#define SSL_R_NULL_SSL_METHOD_PASSED 186\n#define SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED 187\n#define SSL_R_OLD_SESSION_VERSION_NOT_RETURNED 188\n#define SSL_R_OUTPUT_ALIASES_INPUT 189\n#define SSL_R_PARSE_TLSEXT 190\n#define SSL_R_PATH_TOO_LONG 191\n#define SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE 192\n#define SSL_R_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE 193\n#define SSL_R_PROTOCOL_IS_SHUTDOWN 194\n#define SSL_R_PSK_IDENTITY_NOT_FOUND 195\n#define SSL_R_PSK_NO_CLIENT_CB 196\n#define SSL_R_PSK_NO_SERVER_CB 197\n#define SSL_R_READ_TIMEOUT_EXPIRED 198\n#define SSL_R_RECORD_LENGTH_MISMATCH 199\n#define SSL_R_RECORD_TOO_LARGE 200\n#define SSL_R_RENEGOTIATION_ENCODING_ERR 201\n#define SSL_R_RENEGOTIATION_MISMATCH 202\n#define SSL_R_REQUIRED_CIPHER_MISSING 203\n#define SSL_R_RESUMED_EMS_SESSION_WITHOUT_EMS_EXTENSION 204\n#define SSL_R_RESUMED_NON_EMS_SESSION_WITH_EMS_EXTENSION 205\n#define SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING 206\n#define SSL_R_SERVERHELLO_TLSEXT 207\n#define SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED 208\n#define SSL_R_SESSION_MAY_NOT_BE_CREATED 209\n#define SSL_R_SIGNATURE_ALGORITHMS_EXTENSION_SENT_BY_SERVER 210\n#define SSL_R_SRTP_COULD_NOT_ALLOCATE_PROFILES 211\n#define SSL_R_SRTP_UNKNOWN_PROTECTION_PROFILE 212\n#define SSL_R_SSL3_EXT_INVALID_SERVERNAME 213\n#define SSL_R_SSL_CTX_HAS_NO_DEFAULT_SSL_VERSION 214\n#define SSL_R_SSL_HANDSHAKE_FAILURE 215\n#define SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG 216\n#define SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST 217\n#define SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG 218\n#define SSL_R_TOO_MANY_EMPTY_FRAGMENTS 219\n#define SSL_R_TOO_MANY_WARNING_ALERTS 220\n#define SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS 221\n#define SSL_R_UNEXPECTED_EXTENSION 222\n#define SSL_R_UNEXPECTED_MESSAGE 223\n#define SSL_R_UNEXPECTED_OPERATOR_IN_GROUP 224\n#define SSL_R_UNEXPECTED_RECORD 225\n#define SSL_R_UNINITIALIZED 226\n#define SSL_R_UNKNOWN_ALERT_TYPE 227\n#define SSL_R_UNKNOWN_CERTIFICATE_TYPE 228\n#define SSL_R_UNKNOWN_CIPHER_RETURNED 229\n#define SSL_R_UNKNOWN_CIPHER_TYPE 230\n#define SSL_R_UNKNOWN_DIGEST 231\n#define SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE 232\n#define SSL_R_UNKNOWN_PROTOCOL 233\n#define SSL_R_UNKNOWN_SSL_VERSION 234\n#define SSL_R_UNKNOWN_STATE 235\n#define SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED 236\n#define SSL_R_UNSUPPORTED_CIPHER 237\n#define SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM 238\n#define SSL_R_UNSUPPORTED_ELLIPTIC_CURVE 239\n#define SSL_R_UNSUPPORTED_PROTOCOL 240\n#define SSL_R_WRONG_CERTIFICATE_TYPE 241\n#define SSL_R_WRONG_CIPHER_RETURNED 242\n#define SSL_R_WRONG_CURVE 243\n#define SSL_R_WRONG_MESSAGE_TYPE 244\n#define SSL_R_WRONG_SIGNATURE_TYPE 245\n#define SSL_R_WRONG_SSL_VERSION 246\n#define SSL_R_WRONG_VERSION_NUMBER 247\n#define SSL_R_X509_LIB 248\n#define SSL_R_X509_VERIFICATION_SETUP_PROBLEMS 249\n#define SSL_R_SHUTDOWN_WHILE_IN_INIT 250\n#define SSL_R_INVALID_OUTER_RECORD_TYPE 251\n#define SSL_R_UNSUPPORTED_PROTOCOL_FOR_CUSTOM_KEY 252\n#define SSL_R_NO_COMMON_SIGNATURE_ALGORITHMS 253\n#define SSL_R_DOWNGRADE_DETECTED 254\n#define SSL_R_EXCESS_HANDSHAKE_DATA 255\n#define SSL_R_INVALID_COMPRESSION_LIST 256\n#define SSL_R_DUPLICATE_EXTENSION 257\n#define SSL_R_MISSING_KEY_SHARE 258\n#define SSL_R_INVALID_ALPN_PROTOCOL 259\n#define SSL_R_TOO_MANY_KEY_UPDATES 260\n#define SSL_R_BLOCK_CIPHER_PAD_IS_WRONG 261\n#define SSL_R_NO_CIPHERS_SPECIFIED 262\n#define SSL_R_RENEGOTIATION_EMS_MISMATCH 263\n#define SSL_R_DUPLICATE_KEY_SHARE 264\n#define SSL_R_NO_GROUPS_SPECIFIED 265\n#define SSL_R_NO_SHARED_GROUP 266\n#define SSL_R_PRE_SHARED_KEY_MUST_BE_LAST 267\n#define SSL_R_OLD_SESSION_PRF_HASH_MISMATCH 268\n#define SSL_R_INVALID_SCT_LIST 269\n#define SSL_R_TOO_MUCH_SKIPPED_EARLY_DATA 270\n#define SSL_R_PSK_IDENTITY_BINDER_COUNT_MISMATCH 271\n#define SSL_R_CANNOT_PARSE_LEAF_CERT 272\n#define SSL_R_SERVER_CERT_CHANGED 273\n#define SSL_R_CERTIFICATE_AND_PRIVATE_KEY_MISMATCH 274\n#define SSL_R_CANNOT_HAVE_BOTH_PRIVKEY_AND_METHOD 275\n#define SSL_R_TICKET_ENCRYPTION_FAILED 276\n#define SSL_R_ALPN_MISMATCH_ON_EARLY_DATA 277\n#define SSL_R_WRONG_VERSION_ON_EARLY_DATA 278\n#define SSL_R_UNEXPECTED_EXTENSION_ON_EARLY_DATA 279\n#define SSL_R_NO_SUPPORTED_VERSIONS_ENABLED 280\n#define SSL_R_EMPTY_HELLO_RETRY_REQUEST 282\n#define SSL_R_EARLY_DATA_NOT_IN_USE 283\n#define SSL_R_HANDSHAKE_NOT_COMPLETE 284\n#define SSL_R_NEGOTIATED_TB_WITHOUT_EMS_OR_RI 285\n#define SSL_R_SERVER_ECHOED_INVALID_SESSION_ID 286\n#define SSL_R_PRIVATE_KEY_OPERATION_FAILED 287\n#define SSL_R_SECOND_SERVERHELLO_VERSION_MISMATCH 288\n#define SSL_R_OCSP_CB_ERROR 289\n#define SSL_R_SSL_SESSION_ID_TOO_LONG 290\n#define SSL_R_APPLICATION_DATA_ON_SHUTDOWN 291\n#define SSL_R_CERT_DECOMPRESSION_FAILED 292\n#define SSL_R_UNCOMPRESSED_CERT_TOO_LARGE 293\n#define SSL_R_UNKNOWN_CERT_COMPRESSION_ALG 294\n#define SSL_R_INVALID_SIGNATURE_ALGORITHM 295\n#define SSL_R_DUPLICATE_SIGNATURE_ALGORITHM 296\n#define SSL_R_TLS13_DOWNGRADE 297\n#define SSL_R_QUIC_INTERNAL_ERROR 298\n#define SSL_R_WRONG_ENCRYPTION_LEVEL_RECEIVED 299\n#define SSL_R_TOO_MUCH_READ_EARLY_DATA 300\n#define SSL_R_INVALID_DELEGATED_CREDENTIAL 301\n#define SSL_R_KEY_USAGE_BIT_INCORRECT 302\n#define SSL_R_INCONSISTENT_CLIENT_HELLO 303\n#define SSL_R_CIPHER_MISMATCH_ON_EARLY_DATA 304\n#define SSL_R_QUIC_TRANSPORT_PARAMETERS_MISCONFIGURED 305\n#define SSL_R_UNEXPECTED_COMPATIBILITY_MODE 306\n#define SSL_R_NO_APPLICATION_PROTOCOL 307\n#define SSL_R_NEGOTIATED_ALPS_WITHOUT_ALPN 308\n#define SSL_R_ALPS_MISMATCH_ON_EARLY_DATA 309\n#define SSL_R_ECH_SERVER_CONFIG_AND_PRIVATE_KEY_MISMATCH 310\n#define SSL_R_ECH_SERVER_CONFIG_UNSUPPORTED_EXTENSION 311\n#define SSL_R_UNSUPPORTED_ECH_SERVER_CONFIG 312\n#define SSL_R_ECH_SERVER_WOULD_HAVE_NO_RETRY_CONFIGS 313\n#define SSL_R_INVALID_CLIENT_HELLO_INNER 314\n#define SSL_R_INVALID_ALPN_PROTOCOL_LIST 315\n#define SSL_R_COULD_NOT_PARSE_HINTS 316\n#define SSL_R_INVALID_ECH_PUBLIC_NAME 317\n#define SSL_R_INVALID_ECH_CONFIG_LIST 318\n#define SSL_R_ECH_REJECTED 319\n#define SSL_R_INVALID_OUTER_EXTENSION 320\n#define SSL_R_INCONSISTENT_ECH_NEGOTIATION 321\n#define SSL_R_INVALID_ALPS_CODEPOINT 322\n#define SSL_R_NO_MATCHING_ISSUER 323\n#define SSL_R_SSLV3_ALERT_CLOSE_NOTIFY 1000\n#define SSL_R_SSLV3_ALERT_UNEXPECTED_MESSAGE 1010\n#define SSL_R_SSLV3_ALERT_BAD_RECORD_MAC 1020\n#define SSL_R_TLSV1_ALERT_DECRYPTION_FAILED 1021\n#define SSL_R_TLSV1_ALERT_RECORD_OVERFLOW 1022\n#define SSL_R_SSLV3_ALERT_DECOMPRESSION_FAILURE 1030\n#define SSL_R_SSLV3_ALERT_HANDSHAKE_FAILURE 1040\n#define SSL_R_SSLV3_ALERT_NO_CERTIFICATE 1041\n#define SSL_R_SSLV3_ALERT_BAD_CERTIFICATE 1042\n#define SSL_R_SSLV3_ALERT_UNSUPPORTED_CERTIFICATE 1043\n#define SSL_R_SSLV3_ALERT_CERTIFICATE_REVOKED 1044\n#define SSL_R_SSLV3_ALERT_CERTIFICATE_EXPIRED 1045\n#define SSL_R_SSLV3_ALERT_CERTIFICATE_UNKNOWN 1046\n#define SSL_R_SSLV3_ALERT_ILLEGAL_PARAMETER 1047\n#define SSL_R_TLSV1_ALERT_UNKNOWN_CA 1048\n#define SSL_R_TLSV1_ALERT_ACCESS_DENIED 1049\n#define SSL_R_TLSV1_ALERT_DECODE_ERROR 1050\n#define SSL_R_TLSV1_ALERT_DECRYPT_ERROR 1051\n#define SSL_R_TLSV1_ALERT_EXPORT_RESTRICTION 1060\n#define SSL_R_TLSV1_ALERT_PROTOCOL_VERSION 1070\n#define SSL_R_TLSV1_ALERT_INSUFFICIENT_SECURITY 1071\n#define SSL_R_TLSV1_ALERT_INTERNAL_ERROR 1080\n#define SSL_R_TLSV1_ALERT_INAPPROPRIATE_FALLBACK 1086\n#define SSL_R_TLSV1_ALERT_USER_CANCELLED 1090\n#define SSL_R_TLSV1_ALERT_NO_RENEGOTIATION 1100\n#define SSL_R_TLSV1_ALERT_UNSUPPORTED_EXTENSION 1110\n#define SSL_R_TLSV1_ALERT_CERTIFICATE_UNOBTAINABLE 1111\n#define SSL_R_TLSV1_ALERT_UNRECOGNIZED_NAME 1112\n#define SSL_R_TLSV1_ALERT_BAD_CERTIFICATE_STATUS_RESPONSE 1113\n#define SSL_R_TLSV1_ALERT_BAD_CERTIFICATE_HASH_VALUE 1114\n#define SSL_R_TLSV1_ALERT_UNKNOWN_PSK_IDENTITY 1115\n#define SSL_R_TLSV1_ALERT_CERTIFICATE_REQUIRED 1116\n#define SSL_R_TLSV1_ALERT_NO_APPLICATION_PROTOCOL 1120\n#define SSL_R_TLSV1_ALERT_ECH_REQUIRED 1121\n\n#endif // OPENSSL_HEADER_SSL_H\n" }, { "path": "Sources/CNIOBoringSSL/include/CNIOBoringSSL_ssl3.h", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#ifndef OPENSSL_HEADER_SSL3_H\n#define OPENSSL_HEADER_SSL3_H\n\n#include \"CNIOBoringSSL_aead.h\"\n\n#ifdef __cplusplus\nextern \"C\" {\n#endif\n\n\n// These are kept to support clients that negotiates higher protocol versions\n// using SSLv2 client hello records.\n#define SSL2_MT_CLIENT_HELLO 1\n#define SSL2_VERSION 0x0002\n\n// Signalling cipher suite value from RFC 5746.\n#define SSL3_CK_SCSV 0x030000FF\n// Fallback signalling cipher suite value from RFC 7507.\n#define SSL3_CK_FALLBACK_SCSV 0x03005600\n\n#define SSL3_CK_RSA_NULL_MD5 0x03000001\n#define SSL3_CK_RSA_NULL_SHA 0x03000002\n#define SSL3_CK_RSA_RC4_40_MD5 0x03000003\n#define SSL3_CK_RSA_RC4_128_MD5 0x03000004\n#define SSL3_CK_RSA_RC4_128_SHA 0x03000005\n#define SSL3_CK_RSA_RC2_40_MD5 0x03000006\n#define SSL3_CK_RSA_IDEA_128_SHA 0x03000007\n#define SSL3_CK_RSA_DES_40_CBC_SHA 0x03000008\n#define SSL3_CK_RSA_DES_64_CBC_SHA 0x03000009\n#define SSL3_CK_RSA_DES_192_CBC3_SHA 0x0300000A\n\n#define SSL3_CK_DH_DSS_DES_40_CBC_SHA 0x0300000B\n#define SSL3_CK_DH_DSS_DES_64_CBC_SHA 0x0300000C\n#define SSL3_CK_DH_DSS_DES_192_CBC3_SHA 0x0300000D\n#define SSL3_CK_DH_RSA_DES_40_CBC_SHA 0x0300000E\n#define SSL3_CK_DH_RSA_DES_64_CBC_SHA 0x0300000F\n#define SSL3_CK_DH_RSA_DES_192_CBC3_SHA 0x03000010\n\n#define SSL3_CK_EDH_DSS_DES_40_CBC_SHA 0x03000011\n#define SSL3_CK_EDH_DSS_DES_64_CBC_SHA 0x03000012\n#define SSL3_CK_EDH_DSS_DES_192_CBC3_SHA 0x03000013\n#define SSL3_CK_EDH_RSA_DES_40_CBC_SHA 0x03000014\n#define SSL3_CK_EDH_RSA_DES_64_CBC_SHA 0x03000015\n#define SSL3_CK_EDH_RSA_DES_192_CBC3_SHA 0x03000016\n\n#define SSL3_CK_ADH_RC4_40_MD5 0x03000017\n#define SSL3_CK_ADH_RC4_128_MD5 0x03000018\n#define SSL3_CK_ADH_DES_40_CBC_SHA 0x03000019\n#define SSL3_CK_ADH_DES_64_CBC_SHA 0x0300001A\n#define SSL3_CK_ADH_DES_192_CBC_SHA 0x0300001B\n\n#define SSL3_TXT_RSA_NULL_MD5 \"NULL-MD5\"\n#define SSL3_TXT_RSA_NULL_SHA \"NULL-SHA\"\n#define SSL3_TXT_RSA_RC4_40_MD5 \"EXP-RC4-MD5\"\n#define SSL3_TXT_RSA_RC4_128_MD5 \"RC4-MD5\"\n#define SSL3_TXT_RSA_RC4_128_SHA \"RC4-SHA\"\n#define SSL3_TXT_RSA_RC2_40_MD5 \"EXP-RC2-CBC-MD5\"\n#define SSL3_TXT_RSA_IDEA_128_SHA \"IDEA-CBC-SHA\"\n#define SSL3_TXT_RSA_DES_40_CBC_SHA \"EXP-DES-CBC-SHA\"\n#define SSL3_TXT_RSA_DES_64_CBC_SHA \"DES-CBC-SHA\"\n#define SSL3_TXT_RSA_DES_192_CBC3_SHA \"DES-CBC3-SHA\"\n\n#define SSL3_TXT_DH_DSS_DES_40_CBC_SHA \"EXP-DH-DSS-DES-CBC-SHA\"\n#define SSL3_TXT_DH_DSS_DES_64_CBC_SHA \"DH-DSS-DES-CBC-SHA\"\n#define SSL3_TXT_DH_DSS_DES_192_CBC3_SHA \"DH-DSS-DES-CBC3-SHA\"\n#define SSL3_TXT_DH_RSA_DES_40_CBC_SHA \"EXP-DH-RSA-DES-CBC-SHA\"\n#define SSL3_TXT_DH_RSA_DES_64_CBC_SHA \"DH-RSA-DES-CBC-SHA\"\n#define SSL3_TXT_DH_RSA_DES_192_CBC3_SHA \"DH-RSA-DES-CBC3-SHA\"\n\n#define SSL3_TXT_EDH_DSS_DES_40_CBC_SHA \"EXP-EDH-DSS-DES-CBC-SHA\"\n#define SSL3_TXT_EDH_DSS_DES_64_CBC_SHA \"EDH-DSS-DES-CBC-SHA\"\n#define SSL3_TXT_EDH_DSS_DES_192_CBC3_SHA \"EDH-DSS-DES-CBC3-SHA\"\n#define SSL3_TXT_EDH_RSA_DES_40_CBC_SHA \"EXP-EDH-RSA-DES-CBC-SHA\"\n#define SSL3_TXT_EDH_RSA_DES_64_CBC_SHA \"EDH-RSA-DES-CBC-SHA\"\n#define SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA \"EDH-RSA-DES-CBC3-SHA\"\n\n#define SSL3_TXT_ADH_RC4_40_MD5 \"EXP-ADH-RC4-MD5\"\n#define SSL3_TXT_ADH_RC4_128_MD5 \"ADH-RC4-MD5\"\n#define SSL3_TXT_ADH_DES_40_CBC_SHA \"EXP-ADH-DES-CBC-SHA\"\n#define SSL3_TXT_ADH_DES_64_CBC_SHA \"ADH-DES-CBC-SHA\"\n#define SSL3_TXT_ADH_DES_192_CBC_SHA \"ADH-DES-CBC3-SHA\"\n\n#define SSL3_SSL_SESSION_ID_LENGTH 32\n#define SSL3_MAX_SSL_SESSION_ID_LENGTH 32\n\n#define SSL3_MASTER_SECRET_SIZE 48\n#define SSL3_RANDOM_SIZE 32\n#define SSL3_SESSION_ID_SIZE 32\n#define SSL3_RT_HEADER_LENGTH 5\n\n#define SSL3_HM_HEADER_LENGTH 4\n\n#ifndef SSL3_ALIGN_PAYLOAD\n// Some will argue that this increases memory footprint, but it's not actually\n// true. Point is that malloc has to return at least 64-bit aligned pointers,\n// meaning that allocating 5 bytes wastes 3 bytes in either case. Suggested\n// pre-gaping simply moves these wasted bytes from the end of allocated region\n// to its front, but makes data payload aligned, which improves performance.\n#define SSL3_ALIGN_PAYLOAD 8\n#else\n#if (SSL3_ALIGN_PAYLOAD & (SSL3_ALIGN_PAYLOAD - 1)) != 0\n#error \"insane SSL3_ALIGN_PAYLOAD\"\n#undef SSL3_ALIGN_PAYLOAD\n#endif\n#endif\n\n// This is the maximum MAC (digest) size used by the SSL library. Currently\n// maximum of 20 is used by SHA1, but we reserve for future extension for\n// 512-bit hashes.\n\n#define SSL3_RT_MAX_MD_SIZE 64\n\n// Maximum block size used in all ciphersuites. Currently 16 for AES.\n\n#define SSL_RT_MAX_CIPHER_BLOCK_SIZE 16\n\n// Maximum plaintext length: defined by SSL/TLS standards\n#define SSL3_RT_MAX_PLAIN_LENGTH 16384\n// Maximum compression overhead: defined by SSL/TLS standards\n#define SSL3_RT_MAX_COMPRESSED_OVERHEAD 1024\n\n// The standards give a maximum encryption overhead of 1024 bytes. In practice\n// the value is lower than this. The overhead is the maximum number of padding\n// bytes (256) plus the mac size.\n//\n// TODO(davidben): This derivation doesn't take AEADs into account, or TLS 1.1\n// explicit nonces. It happens to work because |SSL3_RT_MAX_MD_SIZE| is larger\n// than necessary and no true AEAD has variable overhead in TLS 1.2.\n#define SSL3_RT_MAX_ENCRYPTED_OVERHEAD (256 + SSL3_RT_MAX_MD_SIZE)\n\n// SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD is the maximum overhead in encrypting a\n// record. This does not include the record header. Some ciphers use explicit\n// nonces, so it includes both the AEAD overhead as well as the nonce.\n#define SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD \\\n (EVP_AEAD_MAX_OVERHEAD + EVP_AEAD_MAX_NONCE_LENGTH)\n\n// SSL3_RT_MAX_COMPRESSED_LENGTH is an alias for\n// |SSL3_RT_MAX_PLAIN_LENGTH|. Compression is gone, so don't include the\n// compression overhead.\n#define SSL3_RT_MAX_COMPRESSED_LENGTH SSL3_RT_MAX_PLAIN_LENGTH\n\n#define SSL3_RT_MAX_ENCRYPTED_LENGTH \\\n (SSL3_RT_MAX_ENCRYPTED_OVERHEAD + SSL3_RT_MAX_COMPRESSED_LENGTH)\n#define SSL3_RT_MAX_PACKET_SIZE \\\n (SSL3_RT_MAX_ENCRYPTED_LENGTH + SSL3_RT_HEADER_LENGTH)\n\n#define SSL3_MD_CLIENT_FINISHED_CONST \"\\x43\\x4C\\x4E\\x54\"\n#define SSL3_MD_SERVER_FINISHED_CONST \"\\x53\\x52\\x56\\x52\"\n\n#define SSL3_RT_CHANGE_CIPHER_SPEC 20\n#define SSL3_RT_ALERT 21\n#define SSL3_RT_HANDSHAKE 22\n#define SSL3_RT_APPLICATION_DATA 23\n#define SSL3_RT_ACK 26\n\n// Pseudo content type for SSL/TLS header info\n#define SSL3_RT_HEADER 0x100\n#define SSL3_RT_CLIENT_HELLO_INNER 0x101\n\n#define SSL3_AL_WARNING 1\n#define SSL3_AL_FATAL 2\n\n#define SSL3_AD_CLOSE_NOTIFY 0\n#define SSL3_AD_UNEXPECTED_MESSAGE 10 // fatal\n#define SSL3_AD_BAD_RECORD_MAC 20 // fatal\n#define SSL3_AD_DECOMPRESSION_FAILURE 30 // fatal\n#define SSL3_AD_HANDSHAKE_FAILURE 40 // fatal\n#define SSL3_AD_NO_CERTIFICATE 41\n#define SSL3_AD_BAD_CERTIFICATE 42\n#define SSL3_AD_UNSUPPORTED_CERTIFICATE 43\n#define SSL3_AD_CERTIFICATE_REVOKED 44\n#define SSL3_AD_CERTIFICATE_EXPIRED 45\n#define SSL3_AD_CERTIFICATE_UNKNOWN 46\n#define SSL3_AD_ILLEGAL_PARAMETER 47 // fatal\n#define SSL3_AD_INAPPROPRIATE_FALLBACK 86 // fatal\n\n#define SSL3_CT_RSA_SIGN 1\n\n#define SSL3_MT_HELLO_REQUEST 0\n#define SSL3_MT_CLIENT_HELLO 1\n#define SSL3_MT_SERVER_HELLO 2\n#define SSL3_MT_NEW_SESSION_TICKET 4\n#define SSL3_MT_END_OF_EARLY_DATA 5\n#define SSL3_MT_ENCRYPTED_EXTENSIONS 8\n#define SSL3_MT_CERTIFICATE 11\n#define SSL3_MT_SERVER_KEY_EXCHANGE 12\n#define SSL3_MT_CERTIFICATE_REQUEST 13\n#define SSL3_MT_SERVER_HELLO_DONE 14\n#define SSL3_MT_CERTIFICATE_VERIFY 15\n#define SSL3_MT_CLIENT_KEY_EXCHANGE 16\n#define SSL3_MT_FINISHED 20\n#define SSL3_MT_CERTIFICATE_STATUS 22\n#define SSL3_MT_SUPPLEMENTAL_DATA 23\n#define SSL3_MT_KEY_UPDATE 24\n#define SSL3_MT_COMPRESSED_CERTIFICATE 25\n#define SSL3_MT_NEXT_PROTO 67\n#define SSL3_MT_CHANNEL_ID 203\n#define SSL3_MT_MESSAGE_HASH 254\n#define DTLS1_MT_HELLO_VERIFY_REQUEST 3\n\n// The following are legacy aliases for consumers which use\n// |SSL_CTX_set_msg_callback|.\n#define SSL3_MT_SERVER_DONE SSL3_MT_SERVER_HELLO_DONE\n#define SSL3_MT_NEWSESSION_TICKET SSL3_MT_NEW_SESSION_TICKET\n\n\n#define SSL3_MT_CCS 1\n\n\n#ifdef __cplusplus\n} // extern C\n#endif\n\n#endif // OPENSSL_HEADER_SSL3_H\n" }, { "path": "Sources/CNIOBoringSSL/include/CNIOBoringSSL_stack.h", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#ifndef OPENSSL_HEADER_STACK_H\n#define OPENSSL_HEADER_STACK_H\n\n#include \"CNIOBoringSSL_base.h\"\n\n#if defined(__cplusplus)\nextern \"C\" {\n#endif\n\n\n// A stack, in OpenSSL, is an array of pointers. They are the most commonly\n// used collection object.\n//\n// This file defines macros for type-safe use of the stack functions. A stack\n// type is named like |STACK_OF(FOO)| and is accessed with functions named\n// like |sk_FOO_*|. Note the stack will typically contain /pointers/ to |FOO|.\n//\n// The |DECLARE_STACK_OF| macro makes |STACK_OF(FOO)| available, and\n// |DEFINE_STACK_OF| makes the corresponding functions available.\n\n\n// Defining stacks.\n\n// STACK_OF expands to the stack type for |type|.\n#define STACK_OF(type) struct stack_st_##type\n\n// DECLARE_STACK_OF declares the |STACK_OF(type)| type. It does not make the\n// corresponding |sk_type_*| functions available. This macro should be used in\n// files which only need the type.\n#define DECLARE_STACK_OF(type) STACK_OF(type);\n\n// DEFINE_NAMED_STACK_OF defines |STACK_OF(name)| to be a stack whose elements\n// are |type| *. This macro makes the |sk_name_*| functions available.\n//\n// It is not necessary to use |DECLARE_STACK_OF| in files which use this macro.\n#define DEFINE_NAMED_STACK_OF(name, type) \\\n BORINGSSL_DEFINE_STACK_OF_IMPL(name, type *, const type *) \\\n BORINGSSL_DEFINE_STACK_TRAITS(name, type, false)\n\n// DEFINE_STACK_OF defines |STACK_OF(type)| to be a stack whose elements are\n// |type| *. This macro makes the |sk_type_*| functions available.\n//\n// It is not necessary to use |DECLARE_STACK_OF| in files which use this macro.\n#define DEFINE_STACK_OF(type) DEFINE_NAMED_STACK_OF(type, type)\n\n// DEFINE_CONST_STACK_OF defines |STACK_OF(type)| to be a stack whose elements\n// are const |type| *. This macro makes the |sk_type_*| functions available.\n//\n// It is not necessary to use |DECLARE_STACK_OF| in files which use this macro.\n#define DEFINE_CONST_STACK_OF(type) \\\n BORINGSSL_DEFINE_STACK_OF_IMPL(type, const type *, const type *) \\\n BORINGSSL_DEFINE_STACK_TRAITS(type, const type, true)\n\n\n// Using stacks.\n//\n// After the |DEFINE_STACK_OF| macro is used, the following functions are\n// available.\n\n#if 0 // Sample\n\n// sk_SAMPLE_free_func is a callback to free an element in a stack.\ntypedef void (*sk_SAMPLE_free_func)(SAMPLE *);\n\n// sk_SAMPLE_copy_func is a callback to copy an element in a stack. It should\n// return the copy or NULL on error.\ntypedef SAMPLE *(*sk_SAMPLE_copy_func)(const SAMPLE *);\n\n// sk_SAMPLE_cmp_func is a callback to compare |*a| to |*b|. It should return a\n// value < 0, 0, or > 0 if |*a| is less than, equal to, or greater than |*b|,\n// respectively. Note the extra indirection - the function is given a pointer\n// to a pointer to the element. This is the |qsort|/|bsearch| comparison\n// function applied to an array of |SAMPLE*|.\ntypedef int (*sk_SAMPLE_cmp_func)(const SAMPLE *const *a,\n const SAMPLE *const *b);\n\n// sk_SAMPLE_new creates a new, empty stack with the given comparison function,\n// which may be NULL. It returns the new stack or NULL on allocation failure.\nSTACK_OF(SAMPLE) *sk_SAMPLE_new(sk_SAMPLE_cmp_func comp);\n\n// sk_SAMPLE_new_null creates a new, empty stack. It returns the new stack or\n// NULL on allocation failure.\nSTACK_OF(SAMPLE) *sk_SAMPLE_new_null(void);\n\n// sk_SAMPLE_num returns the number of elements in |sk|. It is safe to cast this\n// value to |int|. |sk| is guaranteed to have at most |INT_MAX| elements. If\n// |sk| is NULL, it is treated as the empty list and this function returns zero.\nsize_t sk_SAMPLE_num(const STACK_OF(SAMPLE) *sk);\n\n// sk_SAMPLE_zero resets |sk| to the empty state but does nothing to free the\n// individual elements themselves.\nvoid sk_SAMPLE_zero(STACK_OF(SAMPLE) *sk);\n\n// sk_SAMPLE_value returns the |i|th pointer in |sk|, or NULL if |i| is out of\n// range. If |sk| is NULL, it is treated as an empty list and the function\n// returns NULL.\nSAMPLE *sk_SAMPLE_value(const STACK_OF(SAMPLE) *sk, size_t i);\n\n// sk_SAMPLE_set sets the |i|th pointer in |sk| to |p| and returns |p|. If |i|\n// is out of range, it returns NULL.\nSAMPLE *sk_SAMPLE_set(STACK_OF(SAMPLE) *sk, size_t i, SAMPLE *p);\n\n// sk_SAMPLE_free frees |sk|, but does nothing to free the individual elements.\n// Use |sk_SAMPLE_pop_free| to also free the elements.\nvoid sk_SAMPLE_free(STACK_OF(SAMPLE) *sk);\n\n// sk_SAMPLE_pop_free calls |free_func| on each element in |sk| and then\n// frees the stack itself.\nvoid sk_SAMPLE_pop_free(STACK_OF(SAMPLE) *sk, sk_SAMPLE_free_func free_func);\n\n// sk_SAMPLE_insert inserts |p| into the stack at index |where|, moving existing\n// elements if needed. It returns the length of the new stack, or zero on\n// error.\nsize_t sk_SAMPLE_insert(STACK_OF(SAMPLE) *sk, SAMPLE *p, size_t where);\n\n// sk_SAMPLE_delete removes the pointer at index |where|, moving other elements\n// down if needed. It returns the removed pointer, or NULL if |where| is out of\n// range.\nSAMPLE *sk_SAMPLE_delete(STACK_OF(SAMPLE) *sk, size_t where);\n\n// sk_SAMPLE_delete_ptr removes, at most, one instance of |p| from |sk| based on\n// pointer equality. If an instance of |p| is found then |p| is returned,\n// otherwise it returns NULL.\nSAMPLE *sk_SAMPLE_delete_ptr(STACK_OF(SAMPLE) *sk, const SAMPLE *p);\n\n// sk_SAMPLE_delete_if_func is the callback function for |sk_SAMPLE_delete_if|.\n// It should return one to remove |p| and zero to keep it.\ntypedef int (*sk_SAMPLE_delete_if_func)(SAMPLE *p, void *data);\n\n// sk_SAMPLE_delete_if calls |func| with each element of |sk| and removes the\n// entries where |func| returned one. This function does not free or return\n// removed pointers so, if |sk| owns its contents, |func| should release the\n// pointers prior to returning one.\nvoid sk_SAMPLE_delete_if(STACK_OF(SAMPLE) *sk, sk_SAMPLE_delete_if_func func,\n void *data);\n\n// sk_SAMPLE_find find the first value in |sk| equal to |p|. |sk|'s comparison\n// function determines equality, or pointer equality if |sk| has no comparison\n// function.\n//\n// If the stack is sorted (see |sk_SAMPLE_sort|), this function uses a binary\n// search. Otherwise it performs a linear search. If it finds a matching\n// element, it writes the index to |*out_index| (if |out_index| is not NULL) and\n// returns one. Otherwise, it returns zero. If |sk| is NULL, it is treated as\n// the empty list and the function returns zero.\n//\n// Note this differs from OpenSSL. The type signature is slightly different, and\n// OpenSSL's version will implicitly sort |sk| if it has a comparison function\n// defined.\nint sk_SAMPLE_find(const STACK_OF(SAMPLE) *sk, size_t *out_index,\n const SAMPLE *p);\n\n// sk_SAMPLE_shift removes and returns the first element in |sk|, or NULL if\n// |sk| is empty.\nSAMPLE *sk_SAMPLE_shift(STACK_OF(SAMPLE) *sk);\n\n// sk_SAMPLE_push appends |p| to |sk| and returns the length of the new stack,\n// or 0 on allocation failure.\nsize_t sk_SAMPLE_push(STACK_OF(SAMPLE) *sk, SAMPLE *p);\n\n// sk_SAMPLE_pop removes and returns the last element of |sk|, or NULL if |sk|\n// is empty.\nSAMPLE *sk_SAMPLE_pop(STACK_OF(SAMPLE) *sk);\n\n// sk_SAMPLE_dup performs a shallow copy of a stack and returns the new stack,\n// or NULL on error. Use |sk_SAMPLE_deep_copy| to also copy the elements.\nSTACK_OF(SAMPLE) *sk_SAMPLE_dup(const STACK_OF(SAMPLE) *sk);\n\n// sk_SAMPLE_sort sorts the elements of |sk| into ascending order based on the\n// comparison function. The stack maintains a \"sorted\" flag and sorting an\n// already sorted stack is a no-op.\nvoid sk_SAMPLE_sort(STACK_OF(SAMPLE) *sk);\n\n// sk_SAMPLE_is_sorted returns one if |sk| is known to be sorted and zero\n// otherwise.\nint sk_SAMPLE_is_sorted(const STACK_OF(SAMPLE) *sk);\n\n// sk_SAMPLE_set_cmp_func sets the comparison function to be used by |sk| and\n// returns the previous one.\nsk_SAMPLE_cmp_func sk_SAMPLE_set_cmp_func(STACK_OF(SAMPLE) *sk,\n sk_SAMPLE_cmp_func comp);\n\n// sk_SAMPLE_deep_copy performs a copy of |sk| and of each of the non-NULL\n// elements in |sk| by using |copy_func|. If an error occurs, it calls\n// |free_func| to free any copies already made and returns NULL.\nSTACK_OF(SAMPLE) *sk_SAMPLE_deep_copy(const STACK_OF(SAMPLE) *sk,\n sk_SAMPLE_copy_func copy_func,\n sk_SAMPLE_free_func free_func);\n\n#endif // Sample\n\n\n// Private functions.\n//\n// The |sk_*| functions generated above are implemented internally using the\n// type-erased functions below. Callers should use the typed wrappers instead.\n// When using the type-erased functions, callers are responsible for ensuring\n// the underlying types are correct. Casting pointers to the wrong types will\n// result in memory errors.\n\n// OPENSSL_sk_free_func is a function that frees an element in a stack. Note its\n// actual type is void (*)(T *) for some T. Low-level |sk_*| functions will be\n// passed a type-specific wrapper to call it correctly.\ntypedef void (*OPENSSL_sk_free_func)(void *ptr);\n\n// OPENSSL_sk_copy_func is a function that copies an element in a stack. Note\n// its actual type is T *(*)(const T *) for some T. Low-level |sk_*| functions\n// will be passed a type-specific wrapper to call it correctly.\ntypedef void *(*OPENSSL_sk_copy_func)(const void *ptr);\n\n// OPENSSL_sk_cmp_func is a comparison function that returns a value < 0, 0 or >\n// 0 if |*a| is less than, equal to or greater than |*b|, respectively. Note\n// the extra indirection - the function is given a pointer to a pointer to the\n// element. This differs from the usual qsort/bsearch comparison function.\n//\n// Note its actual type is |int (*)(const T *const *a, const T *const *b)|.\n// Low-level |sk_*| functions will be passed a type-specific wrapper to call it\n// correctly.\ntypedef int (*OPENSSL_sk_cmp_func)(const void *const *a, const void *const *b);\n\n// OPENSSL_sk_delete_if_func is the generic version of\n// |sk_SAMPLE_delete_if_func|.\ntypedef int (*OPENSSL_sk_delete_if_func)(void *obj, void *data);\n\n// The following function types call the above type-erased signatures with the\n// true types.\ntypedef void (*OPENSSL_sk_call_free_func)(OPENSSL_sk_free_func, void *);\ntypedef void *(*OPENSSL_sk_call_copy_func)(OPENSSL_sk_copy_func, const void *);\ntypedef int (*OPENSSL_sk_call_cmp_func)(OPENSSL_sk_cmp_func, const void *,\n const void *);\ntypedef int (*OPENSSL_sk_call_delete_if_func)(OPENSSL_sk_delete_if_func, void *,\n void *);\n\n// An OPENSSL_STACK contains an array of pointers. It is not designed to be used\n// directly, rather the wrapper macros should be used.\ntypedef struct stack_st OPENSSL_STACK;\n\n// The following are raw stack functions. They implement the corresponding typed\n// |sk_SAMPLE_*| functions generated by |DEFINE_STACK_OF|. Callers shouldn't be\n// using them. Rather, callers should use the typed functions.\nOPENSSL_EXPORT OPENSSL_STACK *OPENSSL_sk_new(OPENSSL_sk_cmp_func comp);\nOPENSSL_EXPORT OPENSSL_STACK *OPENSSL_sk_new_null(void);\nOPENSSL_EXPORT size_t OPENSSL_sk_num(const OPENSSL_STACK *sk);\nOPENSSL_EXPORT void OPENSSL_sk_zero(OPENSSL_STACK *sk);\nOPENSSL_EXPORT void *OPENSSL_sk_value(const OPENSSL_STACK *sk, size_t i);\nOPENSSL_EXPORT void *OPENSSL_sk_set(OPENSSL_STACK *sk, size_t i, void *p);\nOPENSSL_EXPORT void OPENSSL_sk_free(OPENSSL_STACK *sk);\nOPENSSL_EXPORT void OPENSSL_sk_pop_free_ex(\n OPENSSL_STACK *sk, OPENSSL_sk_call_free_func call_free_func,\n OPENSSL_sk_free_func free_func);\nOPENSSL_EXPORT size_t OPENSSL_sk_insert(OPENSSL_STACK *sk, void *p,\n size_t where);\nOPENSSL_EXPORT void *OPENSSL_sk_delete(OPENSSL_STACK *sk, size_t where);\nOPENSSL_EXPORT void *OPENSSL_sk_delete_ptr(OPENSSL_STACK *sk, const void *p);\nOPENSSL_EXPORT void OPENSSL_sk_delete_if(\n OPENSSL_STACK *sk, OPENSSL_sk_call_delete_if_func call_func,\n OPENSSL_sk_delete_if_func func, void *data);\nOPENSSL_EXPORT int OPENSSL_sk_find(const OPENSSL_STACK *sk, size_t *out_index,\n const void *p,\n OPENSSL_sk_call_cmp_func call_cmp_func);\nOPENSSL_EXPORT void *OPENSSL_sk_shift(OPENSSL_STACK *sk);\nOPENSSL_EXPORT size_t OPENSSL_sk_push(OPENSSL_STACK *sk, void *p);\nOPENSSL_EXPORT void *OPENSSL_sk_pop(OPENSSL_STACK *sk);\nOPENSSL_EXPORT OPENSSL_STACK *OPENSSL_sk_dup(const OPENSSL_STACK *sk);\nOPENSSL_EXPORT void OPENSSL_sk_sort(OPENSSL_STACK *sk,\n OPENSSL_sk_call_cmp_func call_cmp_func);\nOPENSSL_EXPORT int OPENSSL_sk_is_sorted(const OPENSSL_STACK *sk);\nOPENSSL_EXPORT OPENSSL_sk_cmp_func\nOPENSSL_sk_set_cmp_func(OPENSSL_STACK *sk, OPENSSL_sk_cmp_func comp);\nOPENSSL_EXPORT OPENSSL_STACK *OPENSSL_sk_deep_copy(\n const OPENSSL_STACK *sk, OPENSSL_sk_call_copy_func call_copy_func,\n OPENSSL_sk_copy_func copy_func, OPENSSL_sk_call_free_func call_free_func,\n OPENSSL_sk_free_func free_func);\n\n\n// Deprecated private functions (hidden).\n//\n// TODO(crbug.com/boringssl/499): Migrate callers to the typed wrappers, or at\n// least the new names and remove the old ones.\n//\n// TODO(b/290792019, b/290785937): Ideally these would at least be inline\n// functions, so we do not squat the symbols.\n\ntypedef OPENSSL_STACK _STACK;\n\n// The following functions call the corresponding |OPENSSL_sk_*| function.\nOPENSSL_EXPORT OPENSSL_DEPRECATED OPENSSL_STACK *sk_new_null(void);\nOPENSSL_EXPORT OPENSSL_DEPRECATED size_t sk_num(const OPENSSL_STACK *sk);\nOPENSSL_EXPORT OPENSSL_DEPRECATED void *sk_value(const OPENSSL_STACK *sk,\n size_t i);\nOPENSSL_EXPORT OPENSSL_DEPRECATED void sk_free(OPENSSL_STACK *sk);\nOPENSSL_EXPORT OPENSSL_DEPRECATED size_t sk_push(OPENSSL_STACK *sk, void *p);\nOPENSSL_EXPORT OPENSSL_DEPRECATED void *sk_pop(OPENSSL_STACK *sk);\n\n// sk_pop_free_ex calls |OPENSSL_sk_pop_free_ex|.\n//\n// TODO(b/291994116): Remove this.\nOPENSSL_EXPORT OPENSSL_DEPRECATED void sk_pop_free_ex(\n OPENSSL_STACK *sk, OPENSSL_sk_call_free_func call_free_func,\n OPENSSL_sk_free_func free_func);\n\n// sk_pop_free behaves like |OPENSSL_sk_pop_free_ex| but performs an invalid\n// function pointer cast. It exists because some existing callers called\n// |sk_pop_free| directly.\n//\n// TODO(davidben): Migrate callers to bssl::UniquePtr and remove this.\nOPENSSL_EXPORT OPENSSL_DEPRECATED void sk_pop_free(\n OPENSSL_STACK *sk, OPENSSL_sk_free_func free_func);\n\n\n#if !defined(BORINGSSL_NO_CXX)\nextern \"C++\" {\nBSSL_NAMESPACE_BEGIN\nnamespace internal {\ntemplate \nstruct StackTraits {};\n}\nBSSL_NAMESPACE_END\n}\n\n#define BORINGSSL_DEFINE_STACK_TRAITS(name, type, is_const) \\\n extern \"C++\" { \\\n BSSL_NAMESPACE_BEGIN \\\n namespace internal { \\\n template <> \\\n struct StackTraits { \\\n static constexpr bool kIsStack = true; \\\n using Type = type; \\\n static constexpr bool kIsConst = is_const; \\\n }; \\\n } \\\n BSSL_NAMESPACE_END \\\n }\n\n#else\n#define BORINGSSL_DEFINE_STACK_TRAITS(name, type, is_const)\n#endif\n\n#define BORINGSSL_DEFINE_STACK_OF_IMPL(name, ptrtype, constptrtype) \\\n /* We disable MSVC C4191 in this macro, which warns when pointers are cast \\\n * to the wrong type. While the cast itself is valid, it is often a bug \\\n * because calling it through the cast is UB. However, we never actually \\\n * call functions as |OPENSSL_sk_cmp_func|. The type is just a type-erased \\\n * function pointer. (C does not guarantee function pointers fit in \\\n * |void*|, and GCC will warn on this.) Thus we just disable the false \\\n * positive warning. */ \\\n OPENSSL_MSVC_PRAGMA(warning(push)) \\\n OPENSSL_MSVC_PRAGMA(warning(disable : 4191)) \\\n OPENSSL_CLANG_PRAGMA(\"clang diagnostic push\") \\\n OPENSSL_CLANG_PRAGMA(\"clang diagnostic ignored \\\"-Wunknown-warning-option\\\"\") \\\n OPENSSL_CLANG_PRAGMA(\"clang diagnostic ignored \\\"-Wcast-function-type-strict\\\"\") \\\n \\\n DECLARE_STACK_OF(name) \\\n \\\n typedef void (*sk_##name##_free_func)(ptrtype); \\\n typedef ptrtype (*sk_##name##_copy_func)(constptrtype); \\\n typedef int (*sk_##name##_cmp_func)(constptrtype const *, \\\n constptrtype const *); \\\n typedef int (*sk_##name##_delete_if_func)(ptrtype, void *); \\\n \\\n OPENSSL_INLINE void sk_##name##_call_free_func( \\\n OPENSSL_sk_free_func free_func, void *ptr) { \\\n ((sk_##name##_free_func)free_func)((ptrtype)ptr); \\\n } \\\n \\\n OPENSSL_INLINE void *sk_##name##_call_copy_func( \\\n OPENSSL_sk_copy_func copy_func, const void *ptr) { \\\n return (void *)((sk_##name##_copy_func)copy_func)((constptrtype)ptr); \\\n } \\\n \\\n OPENSSL_INLINE int sk_##name##_call_cmp_func(OPENSSL_sk_cmp_func cmp_func, \\\n const void *a, const void *b) { \\\n constptrtype a_ptr = (constptrtype)a; \\\n constptrtype b_ptr = (constptrtype)b; \\\n /* |cmp_func| expects an extra layer of pointers to match qsort. */ \\\n return ((sk_##name##_cmp_func)cmp_func)(&a_ptr, &b_ptr); \\\n } \\\n \\\n OPENSSL_INLINE int sk_##name##_call_delete_if_func( \\\n OPENSSL_sk_delete_if_func func, void *obj, void *data) { \\\n return ((sk_##name##_delete_if_func)func)((ptrtype)obj, data); \\\n } \\\n \\\n OPENSSL_INLINE STACK_OF(name) *sk_##name##_new(sk_##name##_cmp_func comp) { \\\n return (STACK_OF(name) *)OPENSSL_sk_new((OPENSSL_sk_cmp_func)comp); \\\n } \\\n \\\n OPENSSL_INLINE STACK_OF(name) *sk_##name##_new_null(void) { \\\n return (STACK_OF(name) *)OPENSSL_sk_new_null(); \\\n } \\\n \\\n OPENSSL_INLINE size_t sk_##name##_num(const STACK_OF(name) *sk) { \\\n return OPENSSL_sk_num((const OPENSSL_STACK *)sk); \\\n } \\\n \\\n OPENSSL_INLINE void sk_##name##_zero(STACK_OF(name) *sk) { \\\n OPENSSL_sk_zero((OPENSSL_STACK *)sk); \\\n } \\\n \\\n OPENSSL_INLINE ptrtype sk_##name##_value(const STACK_OF(name) *sk, \\\n size_t i) { \\\n return (ptrtype)OPENSSL_sk_value((const OPENSSL_STACK *)sk, i); \\\n } \\\n \\\n OPENSSL_INLINE ptrtype sk_##name##_set(STACK_OF(name) *sk, size_t i, \\\n ptrtype p) { \\\n return (ptrtype)OPENSSL_sk_set((OPENSSL_STACK *)sk, i, (void *)p); \\\n } \\\n \\\n OPENSSL_INLINE void sk_##name##_free(STACK_OF(name) *sk) { \\\n OPENSSL_sk_free((OPENSSL_STACK *)sk); \\\n } \\\n \\\n OPENSSL_INLINE void sk_##name##_pop_free(STACK_OF(name) *sk, \\\n sk_##name##_free_func free_func) { \\\n OPENSSL_sk_pop_free_ex((OPENSSL_STACK *)sk, sk_##name##_call_free_func, \\\n (OPENSSL_sk_free_func)free_func); \\\n } \\\n \\\n OPENSSL_INLINE size_t sk_##name##_insert(STACK_OF(name) *sk, ptrtype p, \\\n size_t where) { \\\n return OPENSSL_sk_insert((OPENSSL_STACK *)sk, (void *)p, where); \\\n } \\\n \\\n OPENSSL_INLINE ptrtype sk_##name##_delete(STACK_OF(name) *sk, \\\n size_t where) { \\\n return (ptrtype)OPENSSL_sk_delete((OPENSSL_STACK *)sk, where); \\\n } \\\n \\\n OPENSSL_INLINE ptrtype sk_##name##_delete_ptr(STACK_OF(name) *sk, \\\n constptrtype p) { \\\n return (ptrtype)OPENSSL_sk_delete_ptr((OPENSSL_STACK *)sk, \\\n (const void *)p); \\\n } \\\n \\\n OPENSSL_INLINE void sk_##name##_delete_if( \\\n STACK_OF(name) *sk, sk_##name##_delete_if_func func, void *data) { \\\n OPENSSL_sk_delete_if((OPENSSL_STACK *)sk, sk_##name##_call_delete_if_func, \\\n (OPENSSL_sk_delete_if_func)func, data); \\\n } \\\n \\\n OPENSSL_INLINE int sk_##name##_find(const STACK_OF(name) *sk, \\\n size_t *out_index, constptrtype p) { \\\n return OPENSSL_sk_find((const OPENSSL_STACK *)sk, out_index, \\\n (const void *)p, sk_##name##_call_cmp_func); \\\n } \\\n \\\n OPENSSL_INLINE ptrtype sk_##name##_shift(STACK_OF(name) *sk) { \\\n return (ptrtype)OPENSSL_sk_shift((OPENSSL_STACK *)sk); \\\n } \\\n \\\n OPENSSL_INLINE size_t sk_##name##_push(STACK_OF(name) *sk, ptrtype p) { \\\n return OPENSSL_sk_push((OPENSSL_STACK *)sk, (void *)p); \\\n } \\\n \\\n OPENSSL_INLINE ptrtype sk_##name##_pop(STACK_OF(name) *sk) { \\\n return (ptrtype)OPENSSL_sk_pop((OPENSSL_STACK *)sk); \\\n } \\\n \\\n OPENSSL_INLINE STACK_OF(name) *sk_##name##_dup(const STACK_OF(name) *sk) { \\\n return (STACK_OF(name) *)OPENSSL_sk_dup((const OPENSSL_STACK *)sk); \\\n } \\\n \\\n OPENSSL_INLINE void sk_##name##_sort(STACK_OF(name) *sk) { \\\n OPENSSL_sk_sort((OPENSSL_STACK *)sk, sk_##name##_call_cmp_func); \\\n } \\\n \\\n OPENSSL_INLINE int sk_##name##_is_sorted(const STACK_OF(name) *sk) { \\\n return OPENSSL_sk_is_sorted((const OPENSSL_STACK *)sk); \\\n } \\\n \\\n OPENSSL_INLINE sk_##name##_cmp_func sk_##name##_set_cmp_func( \\\n STACK_OF(name) *sk, sk_##name##_cmp_func comp) { \\\n return (sk_##name##_cmp_func)OPENSSL_sk_set_cmp_func( \\\n (OPENSSL_STACK *)sk, (OPENSSL_sk_cmp_func)comp); \\\n } \\\n \\\n OPENSSL_INLINE STACK_OF(name) *sk_##name##_deep_copy( \\\n const STACK_OF(name) *sk, sk_##name##_copy_func copy_func, \\\n sk_##name##_free_func free_func) { \\\n return (STACK_OF(name) *)OPENSSL_sk_deep_copy( \\\n (const OPENSSL_STACK *)sk, sk_##name##_call_copy_func, \\\n (OPENSSL_sk_copy_func)copy_func, sk_##name##_call_free_func, \\\n (OPENSSL_sk_free_func)free_func); \\\n } \\\n \\\n OPENSSL_CLANG_PRAGMA(\"clang diagnostic pop\") \\\n OPENSSL_MSVC_PRAGMA(warning(pop))\n\n\n// Built-in stacks.\n\ntypedef char *OPENSSL_STRING;\n\nDEFINE_STACK_OF(void)\nDEFINE_NAMED_STACK_OF(OPENSSL_STRING, char)\n\n\n#if defined(__cplusplus)\n} // extern C\n#endif\n\n#if !defined(BORINGSSL_NO_CXX)\nextern \"C++\" {\n\n#include \n\nBSSL_NAMESPACE_BEGIN\n\nnamespace internal {\n\n// Stacks defined with |DEFINE_CONST_STACK_OF| are freed with |sk_free|.\ntemplate \nstruct DeleterImpl::kIsConst>> {\n static void Free(Stack *sk) {\n OPENSSL_sk_free(reinterpret_cast(sk));\n }\n};\n\n// Stacks defined with |DEFINE_STACK_OF| are freed with |sk_pop_free| and the\n// corresponding type's deleter.\ntemplate \nstruct DeleterImpl::kIsConst>> {\n static void Free(Stack *sk) {\n // sk_FOO_pop_free is defined by macros and bound by name, so we cannot\n // access it from C++ here.\n using Type = typename StackTraits::Type;\n OPENSSL_sk_pop_free_ex(\n reinterpret_cast(sk),\n [](OPENSSL_sk_free_func /* unused */, void *ptr) {\n DeleterImpl::Free(reinterpret_cast(ptr));\n },\n nullptr);\n }\n};\n\ntemplate \nclass StackIteratorImpl {\n public:\n using Type = typename StackTraits::Type;\n // Iterators must be default-constructable.\n StackIteratorImpl() : sk_(nullptr), idx_(0) {}\n StackIteratorImpl(const Stack *sk, size_t idx) : sk_(sk), idx_(idx) {}\n\n bool operator==(StackIteratorImpl other) const {\n return sk_ == other.sk_ && idx_ == other.idx_;\n }\n bool operator!=(StackIteratorImpl other) const {\n return !(*this == other);\n }\n\n Type *operator*() const {\n return reinterpret_cast(\n OPENSSL_sk_value(reinterpret_cast(sk_), idx_));\n }\n\n StackIteratorImpl &operator++(/* prefix */) {\n idx_++;\n return *this;\n }\n\n StackIteratorImpl operator++(int /* postfix */) {\n StackIteratorImpl copy(*this);\n ++(*this);\n return copy;\n }\n\n private:\n const Stack *sk_;\n size_t idx_;\n};\n\ntemplate \nusing StackIterator =\n std::enable_if_t::kIsStack, StackIteratorImpl>;\n\n} // namespace internal\n\n// PushToStack pushes |elem| to |sk|. It returns true on success and false on\n// allocation failure.\ntemplate \ninline std::enable_if_t::kIsConst, bool>\nPushToStack(Stack *sk,\n UniquePtr::Type> elem) {\n if (!OPENSSL_sk_push(reinterpret_cast(sk), elem.get())) {\n return false;\n }\n // OPENSSL_sk_push takes ownership on success.\n elem.release();\n return true;\n}\n\nBSSL_NAMESPACE_END\n\n// Define begin() and end() for stack types so C++ range for loops work.\ntemplate \ninline bssl::internal::StackIterator begin(const Stack *sk) {\n return bssl::internal::StackIterator(sk, 0);\n}\n\ntemplate \ninline bssl::internal::StackIterator end(const Stack *sk) {\n return bssl::internal::StackIterator(\n sk, OPENSSL_sk_num(reinterpret_cast(sk)));\n}\n\n} // extern C++\n#endif\n\n#endif // OPENSSL_HEADER_STACK_H\n" }, { "path": "Sources/CNIOBoringSSL/include/CNIOBoringSSL_target.h", "content": "/* Copyright 2023 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n#ifndef OPENSSL_HEADER_TARGET_H\n#define OPENSSL_HEADER_TARGET_H\n\n// Preprocessor symbols that define the target platform.\n//\n// This file may be included in C, C++, and assembler and must be compatible\n// with each environment. It is separated out only to share code between\n// and . Prefer to include those headers\n// instead.\n\n#if defined(__x86_64) || defined(_M_AMD64) || defined(_M_X64)\n#define OPENSSL_64_BIT\n#define OPENSSL_X86_64\n#elif defined(__x86) || defined(__i386) || defined(__i386__) || defined(_M_IX86)\n#define OPENSSL_32_BIT\n#define OPENSSL_X86\n#elif defined(__AARCH64EL__) || defined(_M_ARM64)\n#define OPENSSL_64_BIT\n#define OPENSSL_AARCH64\n#elif defined(__ARMEL__) || defined(_M_ARM)\n#define OPENSSL_32_BIT\n#define OPENSSL_ARM\n#elif defined(__MIPSEL__) && !defined(__LP64__)\n#define OPENSSL_32_BIT\n#define OPENSSL_MIPS\n#elif defined(__MIPSEL__) && defined(__LP64__)\n#define OPENSSL_64_BIT\n#define OPENSSL_MIPS64\n#elif defined(__riscv) && __SIZEOF_POINTER__ == 8\n#define OPENSSL_64_BIT\n#define OPENSSL_RISCV64\n#elif defined(__riscv) && __SIZEOF_POINTER__ == 4\n#define OPENSSL_32_BIT\n#elif defined(__pnacl__)\n#define OPENSSL_32_BIT\n#define OPENSSL_PNACL\n#elif defined(__wasm__)\n#define OPENSSL_32_BIT\n#elif defined(__asmjs__)\n#define OPENSSL_32_BIT\n#elif defined(__myriad2__)\n#define OPENSSL_32_BIT\n#else\n// The list above enumerates the platforms that BoringSSL supports. For these\n// platforms we keep a reasonable bar of not breaking them: automated test\n// coverage, for one, but also we need access to these types for machines for\n// fixing them.\n//\n// However, we know that anything that seems to work will soon be expected\n// to work and, quickly, the implicit expectation is that every machine will\n// always work. So this list serves to mark the boundary of what we guarantee.\n// Of course, you can run the code any many more machines, but then you're\n// taking on the burden of fixing it and, if you're doing that, then you must\n// be able to carry local patches. In which case patching this list is trivial.\n//\n// BoringSSL will only possibly work on standard 32-bit and 64-bit\n// two's-complement, little-endian architectures. Functions will not produce\n// the correct answer on other systems. Run the crypto_test binary, notably\n// crypto/compiler_test.cc, before trying a new architecture.\n#error \"Unknown target CPU\"\n#endif\n\n#if defined(__APPLE__)\n#define OPENSSL_APPLE\n#endif\n\n#if defined(_WIN32)\n#define OPENSSL_WINDOWS\n#endif\n\n// Trusty and Android baremetal aren't Linux but currently define __linux__.\n// As a workaround, we exclude them here.\n// We also exclude nanolibc/CrOS EC. nanolibc/CrOS EC sometimes build for a\n// non-Linux target (which should not define __linux__), but also sometimes\n// build for Linux. Although technically running in Linux userspace, this lacks\n// all the libc APIs we'd normally expect on Linux, so we treat it as a\n// non-Linux target.\n//\n// TODO(b/169780122): Remove this workaround once Trusty no longer defines it.\n// TODO(b/291101350): Remove this workaround once Android baremetal no longer\n// defines it.\n#if defined(__linux__) && !defined(__TRUSTY__) && \\\n !defined(ANDROID_BAREMETAL) && !defined(OPENSSL_NANOLIBC) && \\\n !defined(CROS_EC)\n#define OPENSSL_LINUX\n#endif\n\n#if defined(__Fuchsia__)\n#define OPENSSL_FUCHSIA\n#endif\n\n// Trusty is Android's TEE target. See\n// https://source.android.com/docs/security/features/trusty\n//\n// Defining this on any other platform is not supported. Other embedded\n// platforms must introduce their own defines.\n#if defined(__TRUSTY__)\n#define OPENSSL_TRUSTY\n#define OPENSSL_NO_FILESYSTEM\n#define OPENSSL_NO_POSIX_IO\n#define OPENSSL_NO_SOCK\n#define OPENSSL_NO_THREADS_CORRUPT_MEMORY_AND_LEAK_SECRETS_IF_THREADED\n#endif\n\n// nanolibc is a particular minimal libc implementation. Defining this on any\n// other platform is not supported. Other embedded platforms must introduce\n// their own defines.\n#if defined(OPENSSL_NANOLIBC)\n#define OPENSSL_NO_FILESYSTEM\n#define OPENSSL_NO_POSIX_IO\n#define OPENSSL_NO_SOCK\n#define OPENSSL_NO_THREADS_CORRUPT_MEMORY_AND_LEAK_SECRETS_IF_THREADED\n#endif\n\n// Android baremetal is an embedded target that uses a subset of bionic.\n// Defining this on any other platform is not supported. Other embedded\n// platforms must introduce their own defines.\n#if defined(ANDROID_BAREMETAL)\n#define OPENSSL_NO_FILESYSTEM\n#define OPENSSL_NO_POSIX_IO\n#define OPENSSL_NO_SOCK\n#define OPENSSL_NO_THREADS_CORRUPT_MEMORY_AND_LEAK_SECRETS_IF_THREADED\n#endif\n\n// CROS_EC is an embedded target for ChromeOS Embedded Controller. Defining\n// this on any other platform is not supported. Other embedded platforms must\n// introduce their own defines.\n//\n// https://chromium.googlesource.com/chromiumos/platform/ec/+/HEAD/README.md\n#if defined(CROS_EC)\n#define OPENSSL_NO_FILESYSTEM\n#define OPENSSL_NO_POSIX_IO\n#define OPENSSL_NO_SOCK\n#define OPENSSL_NO_THREADS_CORRUPT_MEMORY_AND_LEAK_SECRETS_IF_THREADED\n#endif\n\n// Zephyr is an open source RTOS, optimized for embedded devices.\n// Defining this on any other platform is not supported. Other embedded\n// platforms must introduce their own defines.\n//\n// Zephyr supports multithreading with cooperative and preemptive scheduling.\n// It also implements POSIX Threads (pthread) API, so it's not necessary to\n// implement BoringSSL internal threading API using some custom API.\n//\n// https://www.zephyrproject.org/\n#if defined(__ZEPHYR__)\n#define OPENSSL_NO_FILESYSTEM\n#define OPENSSL_NO_POSIX_IO\n#define OPENSSL_NO_SOCK\n#endif\n\n#if defined(__ANDROID_API__)\n#define OPENSSL_ANDROID\n#endif\n\n#if defined(__FreeBSD__)\n#define OPENSSL_FREEBSD\n#endif\n\n#if defined(__OpenBSD__)\n#define OPENSSL_OPENBSD\n#endif\n\n// BoringSSL requires platform's locking APIs to make internal global state\n// thread-safe, including the PRNG. On some single-threaded embedded platforms,\n// locking APIs may not exist, so this dependency may be disabled with the\n// following build flag.\n//\n// IMPORTANT: Doing so means the consumer promises the library will never be\n// used in any multi-threaded context. It causes BoringSSL to be globally\n// thread-unsafe. Setting it inappropriately will subtly and unpredictably\n// corrupt memory and leak secret keys.\n//\n// Do not set this flag on any platform where threads are possible. BoringSSL\n// maintainers will not provide support for any consumers that do so. Changes\n// which break such unsupported configurations will not be reverted.\n#if !defined(OPENSSL_NO_THREADS_CORRUPT_MEMORY_AND_LEAK_SECRETS_IF_THREADED)\n#define OPENSSL_THREADS\n#endif\n\n#if defined(BORINGSSL_UNSAFE_FUZZER_MODE) && \\\n !defined(BORINGSSL_UNSAFE_DETERMINISTIC_MODE)\n#define BORINGSSL_UNSAFE_DETERMINISTIC_MODE\n#endif\n\n#if defined(__has_feature)\n#if __has_feature(address_sanitizer)\n#define OPENSSL_ASAN\n#endif\n#if __has_feature(thread_sanitizer)\n#define OPENSSL_TSAN\n#endif\n#if __has_feature(memory_sanitizer)\n#define OPENSSL_MSAN\n#define OPENSSL_ASM_INCOMPATIBLE\n#endif\n#if __has_feature(hwaddress_sanitizer)\n#define OPENSSL_HWASAN\n#endif\n#endif\n\n// Disable 32-bit Arm assembly on Apple platforms. The last iOS version that\n// supported 32-bit Arm was iOS 10.\n#if defined(OPENSSL_APPLE) && defined(OPENSSL_ARM)\n#define OPENSSL_ASM_INCOMPATIBLE\n#endif\n\n#if defined(OPENSSL_ASM_INCOMPATIBLE)\n#undef OPENSSL_ASM_INCOMPATIBLE\n#if !defined(OPENSSL_NO_ASM)\n#define OPENSSL_NO_ASM\n#endif\n#endif // OPENSSL_ASM_INCOMPATIBLE\n\n// We do not detect any features at runtime on several 32-bit Arm platforms.\n// Apple platforms and OpenBSD require NEON and moved to 64-bit to pick up Armv8\n// extensions. Android baremetal does not aim to support 32-bit Arm at all, but\n// it simplifies things to make it build.\n#if defined(OPENSSL_ARM) && !defined(OPENSSL_STATIC_ARMCAP) && \\\n (defined(OPENSSL_APPLE) || defined(OPENSSL_OPENBSD) || \\\n defined(ANDROID_BAREMETAL))\n#define OPENSSL_STATIC_ARMCAP\n#endif\n\n#endif // OPENSSL_HEADER_TARGET_H\n" }, { "path": "Sources/CNIOBoringSSL/include/CNIOBoringSSL_thread.h", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#ifndef OPENSSL_HEADER_THREAD_H\n#define OPENSSL_HEADER_THREAD_H\n\n#include \n\n#include \"CNIOBoringSSL_base.h\"\n\n#if defined(__cplusplus)\nextern \"C\" {\n#endif\n\n\n// CRYPTO_refcount_t is the type of a reference count.\n//\n// Since some platforms use C11 atomics to access this, it should have the\n// _Atomic qualifier. However, this header is included by C++ programs as well\n// as C code that might not set -std=c11. So, in practice, it's not possible to\n// do that. Instead we statically assert that the size and native alignment of\n// a plain uint32_t and an _Atomic uint32_t are equal in refcount.c.\ntypedef uint32_t CRYPTO_refcount_t;\n\n\n// Deprecated functions.\n//\n// Historically, OpenSSL required callers to provide locking callbacks.\n// BoringSSL does not use external callbacks for locking, but some old code\n// calls these functions and so no-op implementations are provided.\n\n// These defines do nothing but are provided to make old code easier to\n// compile.\n#define CRYPTO_LOCK 1\n#define CRYPTO_UNLOCK 2\n#define CRYPTO_READ 4\n#define CRYPTO_WRITE 8\n\n// CRYPTO_num_locks returns one. (This is non-zero that callers who allocate\n// sizeof(lock) times this value don't get zero and then fail because malloc(0)\n// returned NULL.)\nOPENSSL_EXPORT int CRYPTO_num_locks(void);\n\n// CRYPTO_set_locking_callback does nothing.\nOPENSSL_EXPORT void CRYPTO_set_locking_callback(\n void (*func)(int mode, int lock_num, const char *file, int line));\n\n// CRYPTO_set_add_lock_callback does nothing.\nOPENSSL_EXPORT void CRYPTO_set_add_lock_callback(int (*func)(\n int *num, int amount, int lock_num, const char *file, int line));\n\n// CRYPTO_get_locking_callback returns NULL.\nOPENSSL_EXPORT void (*CRYPTO_get_locking_callback(void))(int mode, int lock_num,\n const char *file,\n int line);\n\n// CRYPTO_get_lock_name returns a fixed, dummy string.\nOPENSSL_EXPORT const char *CRYPTO_get_lock_name(int lock_num);\n\n// CRYPTO_THREADID_set_callback returns one.\nOPENSSL_EXPORT int CRYPTO_THREADID_set_callback(\n void (*threadid_func)(CRYPTO_THREADID *threadid));\n\n// CRYPTO_THREADID_set_numeric does nothing.\nOPENSSL_EXPORT void CRYPTO_THREADID_set_numeric(CRYPTO_THREADID *id,\n unsigned long val);\n\n// CRYPTO_THREADID_set_pointer does nothing.\nOPENSSL_EXPORT void CRYPTO_THREADID_set_pointer(CRYPTO_THREADID *id, void *ptr);\n\n// CRYPTO_THREADID_current does nothing.\nOPENSSL_EXPORT void CRYPTO_THREADID_current(CRYPTO_THREADID *id);\n\n// CRYPTO_set_id_callback does nothing.\nOPENSSL_EXPORT void CRYPTO_set_id_callback(unsigned long (*func)(void));\n\ntypedef struct {\n int references;\n struct CRYPTO_dynlock_value *data;\n} CRYPTO_dynlock;\n\n// CRYPTO_set_dynlock_create_callback does nothing.\nOPENSSL_EXPORT void CRYPTO_set_dynlock_create_callback(\n struct CRYPTO_dynlock_value *(*dyn_create_function)(const char *file,\n int line));\n\n// CRYPTO_set_dynlock_lock_callback does nothing.\nOPENSSL_EXPORT void CRYPTO_set_dynlock_lock_callback(void (*dyn_lock_function)(\n int mode, struct CRYPTO_dynlock_value *l, const char *file, int line));\n\n// CRYPTO_set_dynlock_destroy_callback does nothing.\nOPENSSL_EXPORT void CRYPTO_set_dynlock_destroy_callback(\n void (*dyn_destroy_function)(struct CRYPTO_dynlock_value *l,\n const char *file, int line));\n\n// CRYPTO_get_dynlock_create_callback returns NULL.\nOPENSSL_EXPORT struct CRYPTO_dynlock_value *(\n *CRYPTO_get_dynlock_create_callback(void))(const char *file, int line);\n\n// CRYPTO_get_dynlock_lock_callback returns NULL.\nOPENSSL_EXPORT void (*CRYPTO_get_dynlock_lock_callback(void))(\n int mode, struct CRYPTO_dynlock_value *l, const char *file, int line);\n\n// CRYPTO_get_dynlock_destroy_callback returns NULL.\nOPENSSL_EXPORT void (*CRYPTO_get_dynlock_destroy_callback(void))(\n struct CRYPTO_dynlock_value *l, const char *file, int line);\n\n\n#if defined(__cplusplus)\n} // extern C\n#endif\n\n#endif // OPENSSL_HEADER_THREAD_H\n" }, { "path": "Sources/CNIOBoringSSL/include/CNIOBoringSSL_time.h", "content": "/* Copyright 2024 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n#ifndef OPENSSL_HEADER_TIME_H\n#define OPENSSL_HEADER_TIME_H\n\n// Compatibility header, to be deprecated. use instead.\n\n#include \"CNIOBoringSSL_posix_time.h\"\n\n#endif // OPENSSL_HEADER_TIME_H\n" }, { "path": "Sources/CNIOBoringSSL/include/CNIOBoringSSL_tls1.h", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved.\n * Copyright 2005 Nokia. All rights reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#ifndef OPENSSL_HEADER_TLS1_H\n#define OPENSSL_HEADER_TLS1_H\n\n#include \"CNIOBoringSSL_base.h\"\n\n#ifdef __cplusplus\nextern \"C\" {\n#endif\n\n\n#define TLS1_AD_END_OF_EARLY_DATA 1\n#define TLS1_AD_DECRYPTION_FAILED 21\n#define TLS1_AD_RECORD_OVERFLOW 22\n#define TLS1_AD_UNKNOWN_CA 48\n#define TLS1_AD_ACCESS_DENIED 49\n#define TLS1_AD_DECODE_ERROR 50\n#define TLS1_AD_DECRYPT_ERROR 51\n#define TLS1_AD_EXPORT_RESTRICTION 60\n#define TLS1_AD_PROTOCOL_VERSION 70\n#define TLS1_AD_INSUFFICIENT_SECURITY 71\n#define TLS1_AD_INTERNAL_ERROR 80\n#define TLS1_AD_USER_CANCELLED 90\n#define TLS1_AD_NO_RENEGOTIATION 100\n#define TLS1_AD_MISSING_EXTENSION 109\n#define TLS1_AD_UNSUPPORTED_EXTENSION 110\n#define TLS1_AD_CERTIFICATE_UNOBTAINABLE 111\n#define TLS1_AD_UNRECOGNIZED_NAME 112\n#define TLS1_AD_BAD_CERTIFICATE_STATUS_RESPONSE 113\n#define TLS1_AD_BAD_CERTIFICATE_HASH_VALUE 114\n#define TLS1_AD_UNKNOWN_PSK_IDENTITY 115\n#define TLS1_AD_CERTIFICATE_REQUIRED 116\n#define TLS1_AD_NO_APPLICATION_PROTOCOL 120\n#define TLS1_AD_ECH_REQUIRED 121 // draft-ietf-tls-esni-13\n\n// ExtensionType values from RFC 6066\n#define TLSEXT_TYPE_server_name 0\n#define TLSEXT_TYPE_status_request 5\n\n// ExtensionType values from RFC 4492\n#define TLSEXT_TYPE_ec_point_formats 11\n\n// ExtensionType values from RFC 5246\n#define TLSEXT_TYPE_signature_algorithms 13\n\n// ExtensionType value from RFC 5764\n#define TLSEXT_TYPE_srtp 14\n\n// ExtensionType value from RFC 7301\n#define TLSEXT_TYPE_application_layer_protocol_negotiation 16\n\n// ExtensionType value from RFC 7685\n#define TLSEXT_TYPE_padding 21\n\n// ExtensionType value from RFC 7627\n#define TLSEXT_TYPE_extended_master_secret 23\n\n// ExtensionType value from draft-ietf-quic-tls. Drafts 00 through 32 use\n// 0xffa5 which is part of the Private Use section of the registry, and it\n// collides with TLS-LTS and, based on scans, something else too (though this\n// hasn't been a problem in practice since it's QUIC-only). Drafts 33 onward\n// use the value 57 which was officially registered with IANA.\n#define TLSEXT_TYPE_quic_transport_parameters_legacy 0xffa5\n\n// ExtensionType value from RFC 9000\n#define TLSEXT_TYPE_quic_transport_parameters 57\n\n// TLSEXT_TYPE_quic_transport_parameters_standard is an alias for\n// |TLSEXT_TYPE_quic_transport_parameters|. Use\n// |TLSEXT_TYPE_quic_transport_parameters| instead.\n#define TLSEXT_TYPE_quic_transport_parameters_standard \\\n TLSEXT_TYPE_quic_transport_parameters\n\n// ExtensionType value from RFC 8879\n#define TLSEXT_TYPE_cert_compression 27\n\n// ExtensionType value from RFC 4507\n#define TLSEXT_TYPE_session_ticket 35\n\n// ExtensionType values from RFC 8446\n#define TLSEXT_TYPE_supported_groups 10\n#define TLSEXT_TYPE_pre_shared_key 41\n#define TLSEXT_TYPE_early_data 42\n#define TLSEXT_TYPE_supported_versions 43\n#define TLSEXT_TYPE_cookie 44\n#define TLSEXT_TYPE_psk_key_exchange_modes 45\n#define TLSEXT_TYPE_certificate_authorities 47\n#define TLSEXT_TYPE_signature_algorithms_cert 50\n#define TLSEXT_TYPE_key_share 51\n\n// ExtensionType value from RFC 5746\n#define TLSEXT_TYPE_renegotiate 0xff01\n\n// ExtensionType value from RFC 9345\n#define TLSEXT_TYPE_delegated_credential 34\n\n// ExtensionType value from draft-vvv-tls-alps. This is not an IANA defined\n// extension number.\n#define TLSEXT_TYPE_application_settings_old 17513\n#define TLSEXT_TYPE_application_settings 17613\n\n// ExtensionType values from draft-ietf-tls-esni-13. This is not an IANA defined\n// extension number.\n#define TLSEXT_TYPE_encrypted_client_hello 0xfe0d\n#define TLSEXT_TYPE_ech_outer_extensions 0xfd00\n\n// ExtensionType value from RFC 6962\n#define TLSEXT_TYPE_certificate_timestamp 18\n\n// This is not an IANA defined extension number\n#define TLSEXT_TYPE_next_proto_neg 13172\n\n// This is not an IANA defined extension number\n#define TLSEXT_TYPE_channel_id 30032\n\n// status request value from RFC 3546\n#define TLSEXT_STATUSTYPE_nothing (-1)\n#define TLSEXT_STATUSTYPE_ocsp 1\n\n// ECPointFormat values from RFC 4492\n#define TLSEXT_ECPOINTFORMAT_uncompressed 0\n#define TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime 1\n\n// Signature and hash algorithms from RFC 5246\n\n#define TLSEXT_signature_anonymous 0\n#define TLSEXT_signature_rsa 1\n#define TLSEXT_signature_dsa 2\n#define TLSEXT_signature_ecdsa 3\n\n#define TLSEXT_hash_none 0\n#define TLSEXT_hash_md5 1\n#define TLSEXT_hash_sha1 2\n#define TLSEXT_hash_sha224 3\n#define TLSEXT_hash_sha256 4\n#define TLSEXT_hash_sha384 5\n#define TLSEXT_hash_sha512 6\n\n// From https://www.rfc-editor.org/rfc/rfc8879.html#section-3\n#define TLSEXT_cert_compression_zlib 1\n#define TLSEXT_cert_compression_brotli 2\n\n#define TLSEXT_MAXLEN_host_name 255\n\n// PSK ciphersuites from 4279\n#define TLS1_CK_PSK_WITH_RC4_128_SHA 0x0300008A\n#define TLS1_CK_PSK_WITH_3DES_EDE_CBC_SHA 0x0300008B\n#define TLS1_CK_PSK_WITH_AES_128_CBC_SHA 0x0300008C\n#define TLS1_CK_PSK_WITH_AES_256_CBC_SHA 0x0300008D\n\n// PSK ciphersuites from RFC 5489\n#define TLS1_CK_ECDHE_PSK_WITH_AES_128_CBC_SHA 0x0300C035\n#define TLS1_CK_ECDHE_PSK_WITH_AES_256_CBC_SHA 0x0300C036\n\n// Additional TLS ciphersuites from expired Internet Draft\n// draft-ietf-tls-56-bit-ciphersuites-01.txt\n// (available if TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES is defined, see\n// s3_lib.c). We actually treat them like SSL 3.0 ciphers, which we probably\n// shouldn't. Note that the first two are actually not in the IDs.\n#define TLS1_CK_RSA_EXPORT1024_WITH_RC4_56_MD5 0x03000060 // not in ID\n#define TLS1_CK_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5 0x03000061 // not in ID\n#define TLS1_CK_RSA_EXPORT1024_WITH_DES_CBC_SHA 0x03000062\n#define TLS1_CK_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA 0x03000063\n#define TLS1_CK_RSA_EXPORT1024_WITH_RC4_56_SHA 0x03000064\n#define TLS1_CK_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA 0x03000065\n#define TLS1_CK_DHE_DSS_WITH_RC4_128_SHA 0x03000066\n\n// AES ciphersuites from RFC 3268\n\n#define TLS1_CK_RSA_WITH_AES_128_SHA 0x0300002F\n#define TLS1_CK_DH_DSS_WITH_AES_128_SHA 0x03000030\n#define TLS1_CK_DH_RSA_WITH_AES_128_SHA 0x03000031\n#define TLS1_CK_DHE_DSS_WITH_AES_128_SHA 0x03000032\n#define TLS1_CK_DHE_RSA_WITH_AES_128_SHA 0x03000033\n#define TLS1_CK_ADH_WITH_AES_128_SHA 0x03000034\n\n#define TLS1_CK_RSA_WITH_AES_256_SHA 0x03000035\n#define TLS1_CK_DH_DSS_WITH_AES_256_SHA 0x03000036\n#define TLS1_CK_DH_RSA_WITH_AES_256_SHA 0x03000037\n#define TLS1_CK_DHE_DSS_WITH_AES_256_SHA 0x03000038\n#define TLS1_CK_DHE_RSA_WITH_AES_256_SHA 0x03000039\n#define TLS1_CK_ADH_WITH_AES_256_SHA 0x0300003A\n\n// TLS v1.2 ciphersuites\n#define TLS1_CK_RSA_WITH_NULL_SHA256 0x0300003B\n#define TLS1_CK_RSA_WITH_AES_128_SHA256 0x0300003C\n#define TLS1_CK_RSA_WITH_AES_256_SHA256 0x0300003D\n#define TLS1_CK_DH_DSS_WITH_AES_128_SHA256 0x0300003E\n#define TLS1_CK_DH_RSA_WITH_AES_128_SHA256 0x0300003F\n#define TLS1_CK_DHE_DSS_WITH_AES_128_SHA256 0x03000040\n\n// Camellia ciphersuites from RFC 4132\n#define TLS1_CK_RSA_WITH_CAMELLIA_128_CBC_SHA 0x03000041\n#define TLS1_CK_DH_DSS_WITH_CAMELLIA_128_CBC_SHA 0x03000042\n#define TLS1_CK_DH_RSA_WITH_CAMELLIA_128_CBC_SHA 0x03000043\n#define TLS1_CK_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA 0x03000044\n#define TLS1_CK_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA 0x03000045\n#define TLS1_CK_ADH_WITH_CAMELLIA_128_CBC_SHA 0x03000046\n\n// TLS v1.2 ciphersuites\n#define TLS1_CK_DHE_RSA_WITH_AES_128_SHA256 0x03000067\n#define TLS1_CK_DH_DSS_WITH_AES_256_SHA256 0x03000068\n#define TLS1_CK_DH_RSA_WITH_AES_256_SHA256 0x03000069\n#define TLS1_CK_DHE_DSS_WITH_AES_256_SHA256 0x0300006A\n#define TLS1_CK_DHE_RSA_WITH_AES_256_SHA256 0x0300006B\n#define TLS1_CK_ADH_WITH_AES_128_SHA256 0x0300006C\n#define TLS1_CK_ADH_WITH_AES_256_SHA256 0x0300006D\n\n// Camellia ciphersuites from RFC 4132\n#define TLS1_CK_RSA_WITH_CAMELLIA_256_CBC_SHA 0x03000084\n#define TLS1_CK_DH_DSS_WITH_CAMELLIA_256_CBC_SHA 0x03000085\n#define TLS1_CK_DH_RSA_WITH_CAMELLIA_256_CBC_SHA 0x03000086\n#define TLS1_CK_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA 0x03000087\n#define TLS1_CK_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA 0x03000088\n#define TLS1_CK_ADH_WITH_CAMELLIA_256_CBC_SHA 0x03000089\n\n// SEED ciphersuites from RFC 4162\n#define TLS1_CK_RSA_WITH_SEED_SHA 0x03000096\n#define TLS1_CK_DH_DSS_WITH_SEED_SHA 0x03000097\n#define TLS1_CK_DH_RSA_WITH_SEED_SHA 0x03000098\n#define TLS1_CK_DHE_DSS_WITH_SEED_SHA 0x03000099\n#define TLS1_CK_DHE_RSA_WITH_SEED_SHA 0x0300009A\n#define TLS1_CK_ADH_WITH_SEED_SHA 0x0300009B\n\n// TLS v1.2 GCM ciphersuites from RFC 5288\n#define TLS1_CK_RSA_WITH_AES_128_GCM_SHA256 0x0300009C\n#define TLS1_CK_RSA_WITH_AES_256_GCM_SHA384 0x0300009D\n#define TLS1_CK_DHE_RSA_WITH_AES_128_GCM_SHA256 0x0300009E\n#define TLS1_CK_DHE_RSA_WITH_AES_256_GCM_SHA384 0x0300009F\n#define TLS1_CK_DH_RSA_WITH_AES_128_GCM_SHA256 0x030000A0\n#define TLS1_CK_DH_RSA_WITH_AES_256_GCM_SHA384 0x030000A1\n#define TLS1_CK_DHE_DSS_WITH_AES_128_GCM_SHA256 0x030000A2\n#define TLS1_CK_DHE_DSS_WITH_AES_256_GCM_SHA384 0x030000A3\n#define TLS1_CK_DH_DSS_WITH_AES_128_GCM_SHA256 0x030000A4\n#define TLS1_CK_DH_DSS_WITH_AES_256_GCM_SHA384 0x030000A5\n#define TLS1_CK_ADH_WITH_AES_128_GCM_SHA256 0x030000A6\n#define TLS1_CK_ADH_WITH_AES_256_GCM_SHA384 0x030000A7\n\n// ECC ciphersuites from RFC 4492\n#define TLS1_CK_ECDH_ECDSA_WITH_NULL_SHA 0x0300C001\n#define TLS1_CK_ECDH_ECDSA_WITH_RC4_128_SHA 0x0300C002\n#define TLS1_CK_ECDH_ECDSA_WITH_DES_192_CBC3_SHA 0x0300C003\n#define TLS1_CK_ECDH_ECDSA_WITH_AES_128_CBC_SHA 0x0300C004\n#define TLS1_CK_ECDH_ECDSA_WITH_AES_256_CBC_SHA 0x0300C005\n\n#define TLS1_CK_ECDHE_ECDSA_WITH_NULL_SHA 0x0300C006\n#define TLS1_CK_ECDHE_ECDSA_WITH_RC4_128_SHA 0x0300C007\n#define TLS1_CK_ECDHE_ECDSA_WITH_DES_192_CBC3_SHA 0x0300C008\n#define TLS1_CK_ECDHE_ECDSA_WITH_AES_128_CBC_SHA 0x0300C009\n#define TLS1_CK_ECDHE_ECDSA_WITH_AES_256_CBC_SHA 0x0300C00A\n\n#define TLS1_CK_ECDH_RSA_WITH_NULL_SHA 0x0300C00B\n#define TLS1_CK_ECDH_RSA_WITH_RC4_128_SHA 0x0300C00C\n#define TLS1_CK_ECDH_RSA_WITH_DES_192_CBC3_SHA 0x0300C00D\n#define TLS1_CK_ECDH_RSA_WITH_AES_128_CBC_SHA 0x0300C00E\n#define TLS1_CK_ECDH_RSA_WITH_AES_256_CBC_SHA 0x0300C00F\n\n#define TLS1_CK_ECDHE_RSA_WITH_NULL_SHA 0x0300C010\n#define TLS1_CK_ECDHE_RSA_WITH_RC4_128_SHA 0x0300C011\n#define TLS1_CK_ECDHE_RSA_WITH_DES_192_CBC3_SHA 0x0300C012\n#define TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA 0x0300C013\n#define TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA 0x0300C014\n\n#define TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA256 0x0300C027\n\n#define TLS1_CK_ECDH_anon_WITH_NULL_SHA 0x0300C015\n#define TLS1_CK_ECDH_anon_WITH_RC4_128_SHA 0x0300C016\n#define TLS1_CK_ECDH_anon_WITH_DES_192_CBC3_SHA 0x0300C017\n#define TLS1_CK_ECDH_anon_WITH_AES_128_CBC_SHA 0x0300C018\n#define TLS1_CK_ECDH_anon_WITH_AES_256_CBC_SHA 0x0300C019\n\n// SRP ciphersuites from RFC 5054\n#define TLS1_CK_SRP_SHA_WITH_3DES_EDE_CBC_SHA 0x0300C01A\n#define TLS1_CK_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA 0x0300C01B\n#define TLS1_CK_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA 0x0300C01C\n#define TLS1_CK_SRP_SHA_WITH_AES_128_CBC_SHA 0x0300C01D\n#define TLS1_CK_SRP_SHA_RSA_WITH_AES_128_CBC_SHA 0x0300C01E\n#define TLS1_CK_SRP_SHA_DSS_WITH_AES_128_CBC_SHA 0x0300C01F\n#define TLS1_CK_SRP_SHA_WITH_AES_256_CBC_SHA 0x0300C020\n#define TLS1_CK_SRP_SHA_RSA_WITH_AES_256_CBC_SHA 0x0300C021\n#define TLS1_CK_SRP_SHA_DSS_WITH_AES_256_CBC_SHA 0x0300C022\n\n// ECDH HMAC based ciphersuites from RFC 5289\n\n#define TLS1_CK_ECDHE_ECDSA_WITH_AES_128_SHA256 0x0300C023\n#define TLS1_CK_ECDHE_ECDSA_WITH_AES_256_SHA384 0x0300C024\n#define TLS1_CK_ECDH_ECDSA_WITH_AES_128_SHA256 0x0300C025\n#define TLS1_CK_ECDH_ECDSA_WITH_AES_256_SHA384 0x0300C026\n#define TLS1_CK_ECDHE_RSA_WITH_AES_128_SHA256 0x0300C027\n#define TLS1_CK_ECDHE_RSA_WITH_AES_256_SHA384 0x0300C028\n#define TLS1_CK_ECDH_RSA_WITH_AES_128_SHA256 0x0300C029\n#define TLS1_CK_ECDH_RSA_WITH_AES_256_SHA384 0x0300C02A\n\n// ECDH GCM based ciphersuites from RFC 5289\n#define TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 0x0300C02B\n#define TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 0x0300C02C\n#define TLS1_CK_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 0x0300C02D\n#define TLS1_CK_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 0x0300C02E\n#define TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256 0x0300C02F\n#define TLS1_CK_ECDHE_RSA_WITH_AES_256_GCM_SHA384 0x0300C030\n#define TLS1_CK_ECDH_RSA_WITH_AES_128_GCM_SHA256 0x0300C031\n#define TLS1_CK_ECDH_RSA_WITH_AES_256_GCM_SHA384 0x0300C032\n\n// ChaCha20-Poly1305 cipher suites from RFC 7905.\n#define TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 0x0300CCA8\n#define TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 0x0300CCA9\n#define TLS1_CK_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256 0x0300CCAC\n\n// TLS 1.3 ciphersuites from RFC 8446.\n#define TLS1_3_CK_AES_128_GCM_SHA256 0x03001301\n#define TLS1_3_CK_AES_256_GCM_SHA384 0x03001302\n#define TLS1_3_CK_CHACHA20_POLY1305_SHA256 0x03001303\n\n// The following constants are legacy aliases of |TLS1_3_CK_*|.\n// TODO(davidben): Migrate callers to the new name and remove these.\n#define TLS1_CK_AES_128_GCM_SHA256 TLS1_3_CK_AES_128_GCM_SHA256\n#define TLS1_CK_AES_256_GCM_SHA384 TLS1_3_CK_AES_256_GCM_SHA384\n#define TLS1_CK_CHACHA20_POLY1305_SHA256 TLS1_3_CK_CHACHA20_POLY1305_SHA256\n\n// XXX\n// Inconsistency alert:\n// The OpenSSL names of ciphers with ephemeral DH here include the string\n// \"DHE\", while elsewhere it has always been \"EDH\".\n// (The alias for the list of all such ciphers also is \"EDH\".)\n// The specifications speak of \"EDH\"; maybe we should allow both forms\n// for everything.\n#define TLS1_TXT_RSA_EXPORT1024_WITH_RC4_56_MD5 \"EXP1024-RC4-MD5\"\n#define TLS1_TXT_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5 \"EXP1024-RC2-CBC-MD5\"\n#define TLS1_TXT_RSA_EXPORT1024_WITH_DES_CBC_SHA \"EXP1024-DES-CBC-SHA\"\n#define TLS1_TXT_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA \\\n \"EXP1024-DHE-DSS-DES-CBC-SHA\"\n#define TLS1_TXT_RSA_EXPORT1024_WITH_RC4_56_SHA \"EXP1024-RC4-SHA\"\n#define TLS1_TXT_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA \"EXP1024-DHE-DSS-RC4-SHA\"\n#define TLS1_TXT_DHE_DSS_WITH_RC4_128_SHA \"DHE-DSS-RC4-SHA\"\n\n// AES ciphersuites from RFC 3268\n#define TLS1_TXT_RSA_WITH_AES_128_SHA \"AES128-SHA\"\n#define TLS1_TXT_DH_DSS_WITH_AES_128_SHA \"DH-DSS-AES128-SHA\"\n#define TLS1_TXT_DH_RSA_WITH_AES_128_SHA \"DH-RSA-AES128-SHA\"\n#define TLS1_TXT_DHE_DSS_WITH_AES_128_SHA \"DHE-DSS-AES128-SHA\"\n#define TLS1_TXT_DHE_RSA_WITH_AES_128_SHA \"DHE-RSA-AES128-SHA\"\n#define TLS1_TXT_ADH_WITH_AES_128_SHA \"ADH-AES128-SHA\"\n\n#define TLS1_TXT_RSA_WITH_AES_256_SHA \"AES256-SHA\"\n#define TLS1_TXT_DH_DSS_WITH_AES_256_SHA \"DH-DSS-AES256-SHA\"\n#define TLS1_TXT_DH_RSA_WITH_AES_256_SHA \"DH-RSA-AES256-SHA\"\n#define TLS1_TXT_DHE_DSS_WITH_AES_256_SHA \"DHE-DSS-AES256-SHA\"\n#define TLS1_TXT_DHE_RSA_WITH_AES_256_SHA \"DHE-RSA-AES256-SHA\"\n#define TLS1_TXT_ADH_WITH_AES_256_SHA \"ADH-AES256-SHA\"\n\n// ECC ciphersuites from RFC 4492\n#define TLS1_TXT_ECDH_ECDSA_WITH_NULL_SHA \"ECDH-ECDSA-NULL-SHA\"\n#define TLS1_TXT_ECDH_ECDSA_WITH_RC4_128_SHA \"ECDH-ECDSA-RC4-SHA\"\n#define TLS1_TXT_ECDH_ECDSA_WITH_DES_192_CBC3_SHA \"ECDH-ECDSA-DES-CBC3-SHA\"\n#define TLS1_TXT_ECDH_ECDSA_WITH_AES_128_CBC_SHA \"ECDH-ECDSA-AES128-SHA\"\n#define TLS1_TXT_ECDH_ECDSA_WITH_AES_256_CBC_SHA \"ECDH-ECDSA-AES256-SHA\"\n\n#define TLS1_TXT_ECDHE_ECDSA_WITH_NULL_SHA \"ECDHE-ECDSA-NULL-SHA\"\n#define TLS1_TXT_ECDHE_ECDSA_WITH_RC4_128_SHA \"ECDHE-ECDSA-RC4-SHA\"\n#define TLS1_TXT_ECDHE_ECDSA_WITH_DES_192_CBC3_SHA \"ECDHE-ECDSA-DES-CBC3-SHA\"\n#define TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CBC_SHA \"ECDHE-ECDSA-AES128-SHA\"\n#define TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_CBC_SHA \"ECDHE-ECDSA-AES256-SHA\"\n\n#define TLS1_TXT_ECDH_RSA_WITH_NULL_SHA \"ECDH-RSA-NULL-SHA\"\n#define TLS1_TXT_ECDH_RSA_WITH_RC4_128_SHA \"ECDH-RSA-RC4-SHA\"\n#define TLS1_TXT_ECDH_RSA_WITH_DES_192_CBC3_SHA \"ECDH-RSA-DES-CBC3-SHA\"\n#define TLS1_TXT_ECDH_RSA_WITH_AES_128_CBC_SHA \"ECDH-RSA-AES128-SHA\"\n#define TLS1_TXT_ECDH_RSA_WITH_AES_256_CBC_SHA \"ECDH-RSA-AES256-SHA\"\n\n#define TLS1_TXT_ECDHE_RSA_WITH_NULL_SHA \"ECDHE-RSA-NULL-SHA\"\n#define TLS1_TXT_ECDHE_RSA_WITH_RC4_128_SHA \"ECDHE-RSA-RC4-SHA\"\n#define TLS1_TXT_ECDHE_RSA_WITH_DES_192_CBC3_SHA \"ECDHE-RSA-DES-CBC3-SHA\"\n#define TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA \"ECDHE-RSA-AES128-SHA\"\n#define TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA \"ECDHE-RSA-AES256-SHA\"\n\n#define TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA256 \"ECDHE-RSA-AES128-SHA256\"\n\n#define TLS1_TXT_ECDH_anon_WITH_NULL_SHA \"AECDH-NULL-SHA\"\n#define TLS1_TXT_ECDH_anon_WITH_RC4_128_SHA \"AECDH-RC4-SHA\"\n#define TLS1_TXT_ECDH_anon_WITH_DES_192_CBC3_SHA \"AECDH-DES-CBC3-SHA\"\n#define TLS1_TXT_ECDH_anon_WITH_AES_128_CBC_SHA \"AECDH-AES128-SHA\"\n#define TLS1_TXT_ECDH_anon_WITH_AES_256_CBC_SHA \"AECDH-AES256-SHA\"\n\n// PSK ciphersuites from RFC 4279\n#define TLS1_TXT_PSK_WITH_RC4_128_SHA \"PSK-RC4-SHA\"\n#define TLS1_TXT_PSK_WITH_3DES_EDE_CBC_SHA \"PSK-3DES-EDE-CBC-SHA\"\n#define TLS1_TXT_PSK_WITH_AES_128_CBC_SHA \"PSK-AES128-CBC-SHA\"\n#define TLS1_TXT_PSK_WITH_AES_256_CBC_SHA \"PSK-AES256-CBC-SHA\"\n\n// PSK ciphersuites from RFC 5489\n#define TLS1_TXT_ECDHE_PSK_WITH_AES_128_CBC_SHA \"ECDHE-PSK-AES128-CBC-SHA\"\n#define TLS1_TXT_ECDHE_PSK_WITH_AES_256_CBC_SHA \"ECDHE-PSK-AES256-CBC-SHA\"\n\n// SRP ciphersuite from RFC 5054\n#define TLS1_TXT_SRP_SHA_WITH_3DES_EDE_CBC_SHA \"SRP-3DES-EDE-CBC-SHA\"\n#define TLS1_TXT_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA \"SRP-RSA-3DES-EDE-CBC-SHA\"\n#define TLS1_TXT_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA \"SRP-DSS-3DES-EDE-CBC-SHA\"\n#define TLS1_TXT_SRP_SHA_WITH_AES_128_CBC_SHA \"SRP-AES-128-CBC-SHA\"\n#define TLS1_TXT_SRP_SHA_RSA_WITH_AES_128_CBC_SHA \"SRP-RSA-AES-128-CBC-SHA\"\n#define TLS1_TXT_SRP_SHA_DSS_WITH_AES_128_CBC_SHA \"SRP-DSS-AES-128-CBC-SHA\"\n#define TLS1_TXT_SRP_SHA_WITH_AES_256_CBC_SHA \"SRP-AES-256-CBC-SHA\"\n#define TLS1_TXT_SRP_SHA_RSA_WITH_AES_256_CBC_SHA \"SRP-RSA-AES-256-CBC-SHA\"\n#define TLS1_TXT_SRP_SHA_DSS_WITH_AES_256_CBC_SHA \"SRP-DSS-AES-256-CBC-SHA\"\n\n// Camellia ciphersuites from RFC 4132\n#define TLS1_TXT_RSA_WITH_CAMELLIA_128_CBC_SHA \"CAMELLIA128-SHA\"\n#define TLS1_TXT_DH_DSS_WITH_CAMELLIA_128_CBC_SHA \"DH-DSS-CAMELLIA128-SHA\"\n#define TLS1_TXT_DH_RSA_WITH_CAMELLIA_128_CBC_SHA \"DH-RSA-CAMELLIA128-SHA\"\n#define TLS1_TXT_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA \"DHE-DSS-CAMELLIA128-SHA\"\n#define TLS1_TXT_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA \"DHE-RSA-CAMELLIA128-SHA\"\n#define TLS1_TXT_ADH_WITH_CAMELLIA_128_CBC_SHA \"ADH-CAMELLIA128-SHA\"\n\n#define TLS1_TXT_RSA_WITH_CAMELLIA_256_CBC_SHA \"CAMELLIA256-SHA\"\n#define TLS1_TXT_DH_DSS_WITH_CAMELLIA_256_CBC_SHA \"DH-DSS-CAMELLIA256-SHA\"\n#define TLS1_TXT_DH_RSA_WITH_CAMELLIA_256_CBC_SHA \"DH-RSA-CAMELLIA256-SHA\"\n#define TLS1_TXT_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA \"DHE-DSS-CAMELLIA256-SHA\"\n#define TLS1_TXT_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA \"DHE-RSA-CAMELLIA256-SHA\"\n#define TLS1_TXT_ADH_WITH_CAMELLIA_256_CBC_SHA \"ADH-CAMELLIA256-SHA\"\n\n// SEED ciphersuites from RFC 4162\n#define TLS1_TXT_RSA_WITH_SEED_SHA \"SEED-SHA\"\n#define TLS1_TXT_DH_DSS_WITH_SEED_SHA \"DH-DSS-SEED-SHA\"\n#define TLS1_TXT_DH_RSA_WITH_SEED_SHA \"DH-RSA-SEED-SHA\"\n#define TLS1_TXT_DHE_DSS_WITH_SEED_SHA \"DHE-DSS-SEED-SHA\"\n#define TLS1_TXT_DHE_RSA_WITH_SEED_SHA \"DHE-RSA-SEED-SHA\"\n#define TLS1_TXT_ADH_WITH_SEED_SHA \"ADH-SEED-SHA\"\n\n// TLS v1.2 ciphersuites\n#define TLS1_TXT_RSA_WITH_NULL_SHA256 \"NULL-SHA256\"\n#define TLS1_TXT_RSA_WITH_AES_128_SHA256 \"AES128-SHA256\"\n#define TLS1_TXT_RSA_WITH_AES_256_SHA256 \"AES256-SHA256\"\n#define TLS1_TXT_DH_DSS_WITH_AES_128_SHA256 \"DH-DSS-AES128-SHA256\"\n#define TLS1_TXT_DH_RSA_WITH_AES_128_SHA256 \"DH-RSA-AES128-SHA256\"\n#define TLS1_TXT_DHE_DSS_WITH_AES_128_SHA256 \"DHE-DSS-AES128-SHA256\"\n#define TLS1_TXT_DHE_RSA_WITH_AES_128_SHA256 \"DHE-RSA-AES128-SHA256\"\n#define TLS1_TXT_DH_DSS_WITH_AES_256_SHA256 \"DH-DSS-AES256-SHA256\"\n#define TLS1_TXT_DH_RSA_WITH_AES_256_SHA256 \"DH-RSA-AES256-SHA256\"\n#define TLS1_TXT_DHE_DSS_WITH_AES_256_SHA256 \"DHE-DSS-AES256-SHA256\"\n#define TLS1_TXT_DHE_RSA_WITH_AES_256_SHA256 \"DHE-RSA-AES256-SHA256\"\n#define TLS1_TXT_ADH_WITH_AES_128_SHA256 \"ADH-AES128-SHA256\"\n#define TLS1_TXT_ADH_WITH_AES_256_SHA256 \"ADH-AES256-SHA256\"\n\n// TLS v1.2 GCM ciphersuites from RFC 5288\n#define TLS1_TXT_RSA_WITH_AES_128_GCM_SHA256 \"AES128-GCM-SHA256\"\n#define TLS1_TXT_RSA_WITH_AES_256_GCM_SHA384 \"AES256-GCM-SHA384\"\n#define TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256 \"DHE-RSA-AES128-GCM-SHA256\"\n#define TLS1_TXT_DHE_RSA_WITH_AES_256_GCM_SHA384 \"DHE-RSA-AES256-GCM-SHA384\"\n#define TLS1_TXT_DH_RSA_WITH_AES_128_GCM_SHA256 \"DH-RSA-AES128-GCM-SHA256\"\n#define TLS1_TXT_DH_RSA_WITH_AES_256_GCM_SHA384 \"DH-RSA-AES256-GCM-SHA384\"\n#define TLS1_TXT_DHE_DSS_WITH_AES_128_GCM_SHA256 \"DHE-DSS-AES128-GCM-SHA256\"\n#define TLS1_TXT_DHE_DSS_WITH_AES_256_GCM_SHA384 \"DHE-DSS-AES256-GCM-SHA384\"\n#define TLS1_TXT_DH_DSS_WITH_AES_128_GCM_SHA256 \"DH-DSS-AES128-GCM-SHA256\"\n#define TLS1_TXT_DH_DSS_WITH_AES_256_GCM_SHA384 \"DH-DSS-AES256-GCM-SHA384\"\n#define TLS1_TXT_ADH_WITH_AES_128_GCM_SHA256 \"ADH-AES128-GCM-SHA256\"\n#define TLS1_TXT_ADH_WITH_AES_256_GCM_SHA384 \"ADH-AES256-GCM-SHA384\"\n\n// ECDH HMAC based ciphersuites from RFC 5289\n\n#define TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_SHA256 \"ECDHE-ECDSA-AES128-SHA256\"\n#define TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_SHA384 \"ECDHE-ECDSA-AES256-SHA384\"\n#define TLS1_TXT_ECDH_ECDSA_WITH_AES_128_SHA256 \"ECDH-ECDSA-AES128-SHA256\"\n#define TLS1_TXT_ECDH_ECDSA_WITH_AES_256_SHA384 \"ECDH-ECDSA-AES256-SHA384\"\n#define TLS1_TXT_ECDHE_RSA_WITH_AES_128_SHA256 \"ECDHE-RSA-AES128-SHA256\"\n#define TLS1_TXT_ECDHE_RSA_WITH_AES_256_SHA384 \"ECDHE-RSA-AES256-SHA384\"\n#define TLS1_TXT_ECDH_RSA_WITH_AES_128_SHA256 \"ECDH-RSA-AES128-SHA256\"\n#define TLS1_TXT_ECDH_RSA_WITH_AES_256_SHA384 \"ECDH-RSA-AES256-SHA384\"\n\n// ECDH GCM based ciphersuites from RFC 5289\n#define TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 \\\n \"ECDHE-ECDSA-AES128-GCM-SHA256\"\n#define TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 \\\n \"ECDHE-ECDSA-AES256-GCM-SHA384\"\n#define TLS1_TXT_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 \\\n \"ECDH-ECDSA-AES128-GCM-SHA256\"\n#define TLS1_TXT_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 \\\n \"ECDH-ECDSA-AES256-GCM-SHA384\"\n#define TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 \"ECDHE-RSA-AES128-GCM-SHA256\"\n#define TLS1_TXT_ECDHE_RSA_WITH_AES_256_GCM_SHA384 \"ECDHE-RSA-AES256-GCM-SHA384\"\n#define TLS1_TXT_ECDH_RSA_WITH_AES_128_GCM_SHA256 \"ECDH-RSA-AES128-GCM-SHA256\"\n#define TLS1_TXT_ECDH_RSA_WITH_AES_256_GCM_SHA384 \"ECDH-RSA-AES256-GCM-SHA384\"\n\n#define TLS1_TXT_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 \\\n \"ECDHE-RSA-CHACHA20-POLY1305\"\n#define TLS1_TXT_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 \\\n \"ECDHE-ECDSA-CHACHA20-POLY1305\"\n#define TLS1_TXT_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256 \\\n \"ECDHE-PSK-CHACHA20-POLY1305\"\n\n// TLS 1.3 ciphersuites from RFC 8446.\n#define TLS1_3_RFC_AES_128_GCM_SHA256 \"TLS_AES_128_GCM_SHA256\"\n#define TLS1_3_RFC_AES_256_GCM_SHA384 \"TLS_AES_256_GCM_SHA384\"\n#define TLS1_3_RFC_CHACHA20_POLY1305_SHA256 \"TLS_CHACHA20_POLY1305_SHA256\"\n\n// The following constants are legacy aliases of |TLS1_3_CK_*|.\n// TODO(bbe): Migrate callers to the new name and remove these.\n#define TLS1_TXT_AES_128_GCM_SHA256 TLS1_3_RFC_AES_128_GCM_SHA256\n#define TLS1_TXT_AES_256_GCM_SHA384 TLS1_3_RFC_AES_256_GCM_SHA384\n#define TLS1_TXT_CHACHA20_POLY1305_SHA256 TLS1_3_RFC_CHACHA20_POLY1305_SHA256\n\n#define TLS_CT_RSA_SIGN 1\n#define TLS_CT_DSS_SIGN 2\n#define TLS_CT_RSA_FIXED_DH 3\n#define TLS_CT_DSS_FIXED_DH 4\n#define TLS_CT_ECDSA_SIGN 64\n#define TLS_CT_RSA_FIXED_ECDH 65\n#define TLS_CT_ECDSA_FIXED_ECDH 66\n\n#define TLS_MD_MAX_CONST_SIZE 20\n\n\n#ifdef __cplusplus\n} // extern C\n#endif\n\n#endif // OPENSSL_HEADER_TLS1_H\n" }, { "path": "Sources/CNIOBoringSSL/include/CNIOBoringSSL_trust_token.h", "content": "/* Copyright 2020 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n#ifndef OPENSSL_HEADER_TRUST_TOKEN_H\n#define OPENSSL_HEADER_TRUST_TOKEN_H\n\n#include \"CNIOBoringSSL_base.h\"\n#include \"CNIOBoringSSL_stack.h\"\n\n#if defined(__cplusplus)\nextern \"C\" {\n#endif\n\n\n// Trust Token implementation.\n//\n// Trust Token is an implementation of an experimental mechanism similar to\n// Privacy Pass which allows issuance and redemption of anonymized tokens with\n// limited private metadata.\n//\n// References:\n// https://eprint.iacr.org/2020/072.pdf\n// https://github.com/ietf-wg-privacypass/base-drafts\n// https://github.com/WICG/trust-token-api/blob/main/README.md\n//\n// WARNING: This API is unstable and subject to change.\n\n// TRUST_TOKEN_experiment_v1 is an experimental Trust Tokens protocol using\n// PMBTokens and P-384.\nOPENSSL_EXPORT const TRUST_TOKEN_METHOD *TRUST_TOKEN_experiment_v1(void);\n\n// TRUST_TOKEN_experiment_v2_voprf is an experimental Trust Tokens protocol\n// using VOPRFs and P-384 with up to 6 keys, without RR verification.\nOPENSSL_EXPORT const TRUST_TOKEN_METHOD *TRUST_TOKEN_experiment_v2_voprf(void);\n\n// TRUST_TOKEN_experiment_v2_pmb is an experimental Trust Tokens protocol using\n// PMBTokens and P-384 with up to 3 keys, without RR verification.\nOPENSSL_EXPORT const TRUST_TOKEN_METHOD *TRUST_TOKEN_experiment_v2_pmb(void);\n\n// TRUST_TOKEN_pst_v1_voprf is an experimental Trust Tokens protocol\n// using VOPRFs and P-384 with up to 6 keys, without RR verification.\nOPENSSL_EXPORT const TRUST_TOKEN_METHOD *TRUST_TOKEN_pst_v1_voprf(void);\n\n// TRUST_TOKEN_pst_v1_pmb is an experimental Trust Tokens protocol using\n// PMBTokens and P-384 with up to 3 keys, without RR verification.\nOPENSSL_EXPORT const TRUST_TOKEN_METHOD *TRUST_TOKEN_pst_v1_pmb(void);\n\n// trust_token_st represents a single-use token for the Trust Token protocol.\n// For the client, this is the token and its corresponding signature. For the\n// issuer, this is the token itself.\nstruct trust_token_st {\n uint8_t *data;\n size_t len;\n};\n\nDEFINE_STACK_OF(TRUST_TOKEN)\n\n// TRUST_TOKEN_new creates a newly-allocated |TRUST_TOKEN| with value |data| or\n// NULL on allocation failure.\nOPENSSL_EXPORT TRUST_TOKEN *TRUST_TOKEN_new(const uint8_t *data, size_t len);\n\n// TRUST_TOKEN_free releases memory associated with |token|.\nOPENSSL_EXPORT void TRUST_TOKEN_free(TRUST_TOKEN *token);\n\n#define TRUST_TOKEN_MAX_PRIVATE_KEY_SIZE 512\n#define TRUST_TOKEN_MAX_PUBLIC_KEY_SIZE 512\n\n// TRUST_TOKEN_generate_key creates a new Trust Token keypair labeled with |id|\n// and serializes the private and public keys, writing the private key to\n// |out_priv_key| and setting |*out_priv_key_len| to the number of bytes\n// written, and writing the public key to |out_pub_key| and setting\n// |*out_pub_key_len| to the number of bytes written.\n//\n// At most |max_priv_key_len| and |max_pub_key_len| bytes are written. In order\n// to ensure success, these should be at least\n// |TRUST_TOKEN_MAX_PRIVATE_KEY_SIZE| and |TRUST_TOKEN_MAX_PUBLIC_KEY_SIZE|.\n//\n// This function returns one on success or zero on error.\nOPENSSL_EXPORT int TRUST_TOKEN_generate_key(\n const TRUST_TOKEN_METHOD *method, uint8_t *out_priv_key,\n size_t *out_priv_key_len, size_t max_priv_key_len, uint8_t *out_pub_key,\n size_t *out_pub_key_len, size_t max_pub_key_len, uint32_t id);\n\n// TRUST_TOKEN_derive_key_from_secret deterministically derives a new Trust\n// Token keypair labeled with |id| from an input |secret| and serializes the\n// private and public keys, writing the private key to |out_priv_key| and\n// setting |*out_priv_key_len| to the number of bytes written, and writing the\n// public key to |out_pub_key| and setting |*out_pub_key_len| to the number of\n// bytes written.\n//\n// At most |max_priv_key_len| and |max_pub_key_len| bytes are written. In order\n// to ensure success, these should be at least\n// |TRUST_TOKEN_MAX_PRIVATE_KEY_SIZE| and |TRUST_TOKEN_MAX_PUBLIC_KEY_SIZE|.\n//\n// This function returns one on success or zero on error.\nOPENSSL_EXPORT int TRUST_TOKEN_derive_key_from_secret(\n const TRUST_TOKEN_METHOD *method, uint8_t *out_priv_key,\n size_t *out_priv_key_len, size_t max_priv_key_len, uint8_t *out_pub_key,\n size_t *out_pub_key_len, size_t max_pub_key_len, uint32_t id,\n const uint8_t *secret, size_t secret_len);\n\n\n// Trust Token client implementation.\n//\n// These functions implements the client half of the Trust Token protocol. A\n// single |TRUST_TOKEN_CLIENT| can perform a single protocol operation.\n\n// TRUST_TOKEN_CLIENT_new returns a newly-allocated |TRUST_TOKEN_CLIENT|\n// configured to use a max batchsize of |max_batchsize| or NULL on error.\n// Issuance requests must be made in batches smaller than |max_batchsize|. This\n// function will return an error if |max_batchsize| is too large for Trust\n// Tokens.\nOPENSSL_EXPORT TRUST_TOKEN_CLIENT *TRUST_TOKEN_CLIENT_new(\n const TRUST_TOKEN_METHOD *method, size_t max_batchsize);\n\n// TRUST_TOKEN_CLIENT_free releases memory associated with |ctx|.\nOPENSSL_EXPORT void TRUST_TOKEN_CLIENT_free(TRUST_TOKEN_CLIENT *ctx);\n\n// TRUST_TOKEN_CLIENT_add_key configures the |ctx| to support the public key\n// |key|. It sets |*out_key_index| to the index this key has been configured to.\n// It returns one on success or zero on error if the |key| can't be parsed or\n// too many keys have been configured.\nOPENSSL_EXPORT int TRUST_TOKEN_CLIENT_add_key(TRUST_TOKEN_CLIENT *ctx,\n size_t *out_key_index,\n const uint8_t *key,\n size_t key_len);\n\n// TRUST_TOKEN_CLIENT_set_srr_key sets the public key used to verify the SRR. It\n// returns one on success and zero on error.\nOPENSSL_EXPORT int TRUST_TOKEN_CLIENT_set_srr_key(TRUST_TOKEN_CLIENT *ctx,\n EVP_PKEY *key);\n\n// TRUST_TOKEN_CLIENT_begin_issuance produces a request for |count| trust tokens\n// and serializes the request into a newly-allocated buffer, setting |*out| to\n// that buffer and |*out_len| to its length. The caller takes ownership of the\n// buffer and must call |OPENSSL_free| when done. It returns one on success and\n// zero on error.\nOPENSSL_EXPORT int TRUST_TOKEN_CLIENT_begin_issuance(TRUST_TOKEN_CLIENT *ctx,\n uint8_t **out,\n size_t *out_len,\n size_t count);\n\n// TRUST_TOKEN_CLIENT_begin_issuance_over_message produces a request for a trust\n// token derived from |msg| and serializes the request into a newly-allocated\n// buffer, setting |*out| to that buffer and |*out_len| to its length. The\n// caller takes ownership of the buffer and must call |OPENSSL_free| when done.\n// It returns one on success and zero on error.\nOPENSSL_EXPORT int TRUST_TOKEN_CLIENT_begin_issuance_over_message(\n TRUST_TOKEN_CLIENT *ctx, uint8_t **out, size_t *out_len, size_t count,\n const uint8_t *msg, size_t msg_len);\n\n// TRUST_TOKEN_CLIENT_finish_issuance consumes |response| from the issuer and\n// extracts the tokens, returning a list of tokens and the index of the key used\n// to sign the tokens in |*out_key_index|. The caller can use this to determine\n// what key was used in an issuance and to drop tokens if a new key commitment\n// arrives without the specified key present. The caller takes ownership of the\n// list and must call |sk_TRUST_TOKEN_pop_free| when done. The list is empty if\n// issuance fails.\nOPENSSL_EXPORT STACK_OF(TRUST_TOKEN) *\n TRUST_TOKEN_CLIENT_finish_issuance(TRUST_TOKEN_CLIENT *ctx,\n size_t *out_key_index,\n const uint8_t *response,\n size_t response_len);\n\n\n// TRUST_TOKEN_CLIENT_begin_redemption produces a request to redeem a token\n// |token| and receive a signature over |data| and serializes the request into\n// a newly-allocated buffer, setting |*out| to that buffer and |*out_len| to\n// its length. |time| is the number of seconds since the UNIX epoch and used to\n// verify the validity of the issuer's response in TrustTokenV1 and ignored in\n// other versions. The caller takes ownership of the buffer and must call\n// |OPENSSL_free| when done. It returns one on success or zero on error.\nOPENSSL_EXPORT int TRUST_TOKEN_CLIENT_begin_redemption(\n TRUST_TOKEN_CLIENT *ctx, uint8_t **out, size_t *out_len,\n const TRUST_TOKEN *token, const uint8_t *data, size_t data_len,\n uint64_t time);\n\n// TRUST_TOKEN_CLIENT_finish_redemption consumes |response| from the issuer. In\n// |TRUST_TOKEN_experiment_v1|, it then verifies the SRR and if valid sets\n// |*out_rr| and |*out_rr_len| (respectively, |*out_sig| and |*out_sig_len|)\n// to a newly-allocated buffer containing the SRR (respectively, the SRR\n// signature). In other versions, it sets |*out_rr| and |*out_rr_len|\n// to a newly-allocated buffer containing |response| and leaves all validation\n// to the caller. It returns one on success or zero on failure.\nOPENSSL_EXPORT int TRUST_TOKEN_CLIENT_finish_redemption(\n TRUST_TOKEN_CLIENT *ctx, uint8_t **out_rr, size_t *out_rr_len,\n uint8_t **out_sig, size_t *out_sig_len, const uint8_t *response,\n size_t response_len);\n\n\n// Trust Token issuer implementation.\n//\n// These functions implement the issuer half of the Trust Token protocol. A\n// |TRUST_TOKEN_ISSUER| can be reused across multiple protocol operations. It\n// may be used concurrently on multiple threads by non-mutating functions,\n// provided no other thread is concurrently calling a mutating function.\n// Functions which take a |const| pointer are non-mutating and functions which\n// take a non-|const| pointer are mutating.\n\n// TRUST_TOKEN_ISSUER_new returns a newly-allocated |TRUST_TOKEN_ISSUER|\n// configured to use a max batchsize of |max_batchsize| or NULL on error.\n// Issuance requests must be made in batches smaller than |max_batchsize|. This\n// function will return an error if |max_batchsize| is too large for Trust\n// Tokens.\nOPENSSL_EXPORT TRUST_TOKEN_ISSUER *TRUST_TOKEN_ISSUER_new(\n const TRUST_TOKEN_METHOD *method, size_t max_batchsize);\n\n// TRUST_TOKEN_ISSUER_free releases memory associated with |ctx|.\nOPENSSL_EXPORT void TRUST_TOKEN_ISSUER_free(TRUST_TOKEN_ISSUER *ctx);\n\n// TRUST_TOKEN_ISSUER_add_key configures the |ctx| to support the private key\n// |key|. It must be a private key returned by |TRUST_TOKEN_generate_key|. It\n// returns one on success or zero on error. This function may fail if the |key|\n// can't be parsed or too many keys have been configured.\nOPENSSL_EXPORT int TRUST_TOKEN_ISSUER_add_key(TRUST_TOKEN_ISSUER *ctx,\n const uint8_t *key,\n size_t key_len);\n\n// TRUST_TOKEN_ISSUER_set_srr_key sets the private key used to sign the SRR. It\n// returns one on success and zero on error.\nOPENSSL_EXPORT int TRUST_TOKEN_ISSUER_set_srr_key(TRUST_TOKEN_ISSUER *ctx,\n EVP_PKEY *key);\n\n// TRUST_TOKEN_ISSUER_set_metadata_key sets the key used to encrypt the private\n// metadata. The key is a randomly generated bytestring of at least 32 bytes\n// used to encode the private metadata bit in the SRR. It returns one on success\n// and zero on error.\nOPENSSL_EXPORT int TRUST_TOKEN_ISSUER_set_metadata_key(TRUST_TOKEN_ISSUER *ctx,\n const uint8_t *key,\n size_t len);\n\n// TRUST_TOKEN_ISSUER_issue ingests |request| for token issuance\n// and generates up to |max_issuance| valid tokens, producing a list of blinded\n// tokens and storing the response into a newly-allocated buffer and setting\n// |*out| to that buffer, |*out_len| to its length, and |*out_tokens_issued| to\n// the number of tokens issued. The tokens are issued with public metadata of\n// |public_metadata| and a private metadata value of |private_metadata|.\n// |public_metadata| must be one of the previously configured key IDs.\n// |private_metadata| must be 0 or 1. The caller takes ownership of the buffer\n// and must call |OPENSSL_free| when done. It returns one on success or zero on\n// error.\nOPENSSL_EXPORT int TRUST_TOKEN_ISSUER_issue(\n const TRUST_TOKEN_ISSUER *ctx, uint8_t **out, size_t *out_len,\n size_t *out_tokens_issued, const uint8_t *request, size_t request_len,\n uint32_t public_metadata, uint8_t private_metadata, size_t max_issuance);\n\n// TRUST_TOKEN_ISSUER_redeem ingests a |request| for token redemption and\n// verifies the token. The public metadata is stored in |*out_public|. The\n// private metadata (if any) is stored in |*out_private|. The extracted\n// |TRUST_TOKEN| is stored into a newly-allocated buffer and stored in\n// |*out_token|. The extracted client data is stored into a newly-allocated\n// buffer and stored in |*out_client_data|. The caller takes ownership of each\n// output buffer and must call |OPENSSL_free| when done. It returns one on\n// success or zero on error.\n//\n// The caller must keep track of all values of |*out_token| seen globally before\n// returning a response to the client. If the value has been reused, the caller\n// must report an error to the client. Returning a response with replayed values\n// allows an attacker to double-spend tokens.\nOPENSSL_EXPORT int TRUST_TOKEN_ISSUER_redeem(\n const TRUST_TOKEN_ISSUER *ctx, uint32_t *out_public, uint8_t *out_private,\n TRUST_TOKEN **out_token, uint8_t **out_client_data,\n size_t *out_client_data_len, const uint8_t *request, size_t request_len);\n\n// TRUST_TOKEN_ISSUER_redeem_raw is a legacy alias for\n// |TRUST_TOKEN_ISSUER_redeem|.\n#define TRUST_TOKEN_ISSUER_redeem_raw TRUST_TOKEN_ISSUER_redeem\n\n// TRUST_TOKEN_ISSUER_redeem_over_message ingests a |request| for token\n// redemption and a message and verifies the token and that it is derived from\n// the provided |msg|. The public metadata is stored in\n// |*out_public|. The private metadata (if any) is stored in |*out_private|. The\n// extracted |TRUST_TOKEN| is stored into a newly-allocated buffer and stored in\n// |*out_token|. The extracted client data is stored into a newly-allocated\n// buffer and stored in |*out_client_data|. The caller takes ownership of each\n// output buffer and must call |OPENSSL_free| when done. It returns one on\n// success or zero on error.\n//\n// The caller must keep track of all values of |*out_token| seen globally before\n// returning a response to the client. If the value has been reused, the caller\n// must report an error to the client. Returning a response with replayed values\n// allows an attacker to double-spend tokens.\nOPENSSL_EXPORT int TRUST_TOKEN_ISSUER_redeem_over_message(\n const TRUST_TOKEN_ISSUER *ctx, uint32_t *out_public, uint8_t *out_private,\n TRUST_TOKEN **out_token, uint8_t **out_client_data,\n size_t *out_client_data_len, const uint8_t *request, size_t request_len,\n const uint8_t *msg, size_t msg_len);\n\n// TRUST_TOKEN_decode_private_metadata decodes |encrypted_bit| using the\n// private metadata key specified by a |key| buffer of length |key_len| and the\n// nonce by a |nonce| buffer of length |nonce_len|. The nonce in\n// |TRUST_TOKEN_experiment_v1| is the token-hash field of the SRR. |*out_value|\n// is set to the decrypted value, either zero or one. It returns one on success\n// and zero on error.\nOPENSSL_EXPORT int TRUST_TOKEN_decode_private_metadata(\n const TRUST_TOKEN_METHOD *method, uint8_t *out_value, const uint8_t *key,\n size_t key_len, const uint8_t *nonce, size_t nonce_len,\n uint8_t encrypted_bit);\n\n\n#if defined(__cplusplus)\n} // extern C\n\nextern \"C++\" {\n\nBSSL_NAMESPACE_BEGIN\n\nBORINGSSL_MAKE_DELETER(TRUST_TOKEN, TRUST_TOKEN_free)\nBORINGSSL_MAKE_DELETER(TRUST_TOKEN_CLIENT, TRUST_TOKEN_CLIENT_free)\nBORINGSSL_MAKE_DELETER(TRUST_TOKEN_ISSUER, TRUST_TOKEN_ISSUER_free)\n\nBSSL_NAMESPACE_END\n\n} // extern C++\n#endif\n\n#define TRUST_TOKEN_R_KEYGEN_FAILURE 100\n#define TRUST_TOKEN_R_BUFFER_TOO_SMALL 101\n#define TRUST_TOKEN_R_OVER_BATCHSIZE 102\n#define TRUST_TOKEN_R_DECODE_ERROR 103\n#define TRUST_TOKEN_R_SRR_SIGNATURE_ERROR 104\n#define TRUST_TOKEN_R_DECODE_FAILURE 105\n#define TRUST_TOKEN_R_INVALID_METADATA 106\n#define TRUST_TOKEN_R_TOO_MANY_KEYS 107\n#define TRUST_TOKEN_R_NO_KEYS_CONFIGURED 108\n#define TRUST_TOKEN_R_INVALID_KEY_ID 109\n#define TRUST_TOKEN_R_INVALID_TOKEN 110\n#define TRUST_TOKEN_R_BAD_VALIDITY_CHECK 111\n#define TRUST_TOKEN_R_NO_SRR_KEY_CONFIGURED 112\n#define TRUST_TOKEN_R_INVALID_METADATA_KEY 113\n#define TRUST_TOKEN_R_INVALID_PROOF 114\n\n#endif // OPENSSL_HEADER_TRUST_TOKEN_H\n" }, { "path": "Sources/CNIOBoringSSL/include/CNIOBoringSSL_type_check.h", "content": "/*\n * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#ifndef OPENSSL_HEADER_TYPE_CHECK_H\n#define OPENSSL_HEADER_TYPE_CHECK_H\n\n#include \"CNIOBoringSSL_base.h\"\n\n#if defined(__cplusplus)\nextern \"C\" {\n#endif\n\n\n// CHECKED_CAST casts |p| from type |from| to type |to|.\n//\n// TODO(davidben): Although this macro is not public API and is unused in\n// BoringSSL, wpa_supplicant uses it to define its own stacks. Remove this once\n// wpa_supplicant has been fixed.\n#define CHECKED_CAST(to, from, p) ((to) (1 ? (p) : (from)0))\n\n\n#if defined(__cplusplus)\n} // extern C\n#endif\n\n#endif // OPENSSL_HEADER_TYPE_CHECK_H\n" }, { "path": "Sources/CNIOBoringSSL/include/CNIOBoringSSL_x509.h", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#ifndef OPENSSL_HEADER_X509_H\n#define OPENSSL_HEADER_X509_H\n\n#include \"CNIOBoringSSL_base.h\"\n\n#include \n\n#include \"CNIOBoringSSL_asn1.h\"\n#include \"CNIOBoringSSL_bio.h\"\n#include \"CNIOBoringSSL_cipher.h\"\n#include \"CNIOBoringSSL_conf.h\"\n#include \"CNIOBoringSSL_dh.h\"\n#include \"CNIOBoringSSL_dsa.h\"\n#include \"CNIOBoringSSL_ec.h\"\n#include \"CNIOBoringSSL_ecdh.h\"\n#include \"CNIOBoringSSL_ecdsa.h\"\n#include \"CNIOBoringSSL_evp.h\"\n#include \"CNIOBoringSSL_lhash.h\"\n#include \"CNIOBoringSSL_obj.h\"\n#include \"CNIOBoringSSL_pkcs7.h\"\n#include \"CNIOBoringSSL_pool.h\"\n#include \"CNIOBoringSSL_rsa.h\"\n#include \"CNIOBoringSSL_sha.h\"\n#include \"CNIOBoringSSL_stack.h\"\n#include \"CNIOBoringSSL_thread.h\"\n#include \"CNIOBoringSSL_x509v3_errors.h\" // IWYU pragma: export\n\n#if defined(__cplusplus)\nextern \"C\" {\n#endif\n\n\n// Legacy X.509 library.\n//\n// This header is part of OpenSSL's X.509 implementation. It is retained for\n// compatibility but should not be used by new code. The functions are difficult\n// to use correctly, and have buggy or non-standard behaviors. They are thus\n// particularly prone to behavior changes and API removals, as BoringSSL\n// iterates on these issues.\n//\n// In the future, a replacement library will be available. Meanwhile, minimize\n// dependencies on this header where possible.\n\n\n// Certificates.\n//\n// An |X509| object represents an X.509 certificate, defined in RFC 5280.\n//\n// Although an |X509| is a mutable object, mutating an |X509| can give incorrect\n// results. Callers typically obtain |X509|s by parsing some input with\n// |d2i_X509|, etc. Such objects carry information such as the serialized\n// TBSCertificate and decoded extensions, which will become inconsistent when\n// mutated.\n//\n// Instead, mutation functions should only be used when issuing new\n// certificates, as described in a later section.\n\nDEFINE_STACK_OF(X509)\n\n// X509 is an |ASN1_ITEM| whose ASN.1 type is X.509 Certificate (RFC 5280) and C\n// type is |X509*|.\nDECLARE_ASN1_ITEM(X509)\n\n// X509_up_ref adds one to the reference count of |x509| and returns one.\nOPENSSL_EXPORT int X509_up_ref(X509 *x509);\n\n// X509_chain_up_ref returns a newly-allocated |STACK_OF(X509)| containing a\n// shallow copy of |chain|, or NULL on error. That is, the return value has the\n// same contents as |chain|, and each |X509|'s reference count is incremented by\n// one.\nOPENSSL_EXPORT STACK_OF(X509) *X509_chain_up_ref(STACK_OF(X509) *chain);\n\n// X509_dup returns a newly-allocated copy of |x509|, or NULL on error. This\n// function works by serializing the structure, so auxiliary properties (see\n// |i2d_X509_AUX|) are not preserved. Additionally, if |x509| is incomplete,\n// this function may fail.\n//\n// TODO(https://crbug.com/boringssl/407): This function should be const and\n// thread-safe but is currently neither in some cases, notably if |crl| was\n// mutated.\nOPENSSL_EXPORT X509 *X509_dup(X509 *x509);\n\n// X509_free decrements |x509|'s reference count and, if zero, releases memory\n// associated with |x509|.\nOPENSSL_EXPORT void X509_free(X509 *x509);\n\n// d2i_X509 parses up to |len| bytes from |*inp| as a DER-encoded X.509\n// Certificate (RFC 5280), as described in |d2i_SAMPLE|.\nOPENSSL_EXPORT X509 *d2i_X509(X509 **out, const uint8_t **inp, long len);\n\n// X509_parse_from_buffer parses an X.509 structure from |buf| and returns a\n// fresh X509 or NULL on error. There must not be any trailing data in |buf|.\n// The returned structure (if any) holds a reference to |buf| rather than\n// copying parts of it as a normal |d2i_X509| call would do.\nOPENSSL_EXPORT X509 *X509_parse_from_buffer(CRYPTO_BUFFER *buf);\n\n// i2d_X509 marshals |x509| as a DER-encoded X.509 Certificate (RFC 5280), as\n// described in |i2d_SAMPLE|.\n//\n// TODO(https://crbug.com/boringssl/407): This function should be const and\n// thread-safe but is currently neither in some cases, notably if |x509| was\n// mutated.\nOPENSSL_EXPORT int i2d_X509(X509 *x509, uint8_t **outp);\n\n// X509_VERSION_* are X.509 version numbers. Note the numerical values of all\n// defined X.509 versions are one less than the named version.\n#define X509_VERSION_1 0\n#define X509_VERSION_2 1\n#define X509_VERSION_3 2\n\n// X509_get_version returns the numerical value of |x509|'s version, which will\n// be one of the |X509_VERSION_*| constants.\nOPENSSL_EXPORT long X509_get_version(const X509 *x509);\n\n// X509_get0_serialNumber returns |x509|'s serial number.\nOPENSSL_EXPORT const ASN1_INTEGER *X509_get0_serialNumber(const X509 *x509);\n\n// X509_get0_notBefore returns |x509|'s notBefore time.\nOPENSSL_EXPORT const ASN1_TIME *X509_get0_notBefore(const X509 *x509);\n\n// X509_get0_notAfter returns |x509|'s notAfter time.\nOPENSSL_EXPORT const ASN1_TIME *X509_get0_notAfter(const X509 *x509);\n\n// X509_get_issuer_name returns |x509|'s issuer.\nOPENSSL_EXPORT X509_NAME *X509_get_issuer_name(const X509 *x509);\n\n// X509_get_subject_name returns |x509|'s subject.\nOPENSSL_EXPORT X509_NAME *X509_get_subject_name(const X509 *x509);\n\n// X509_get_X509_PUBKEY returns the public key of |x509|. Note this function is\n// not const-correct for legacy reasons. Callers should not modify the returned\n// object.\nOPENSSL_EXPORT X509_PUBKEY *X509_get_X509_PUBKEY(const X509 *x509);\n\n// X509_get0_pubkey returns |x509|'s public key as an |EVP_PKEY|, or NULL if the\n// public key was unsupported or could not be decoded. The |EVP_PKEY| is cached\n// in |x509|, so callers must not mutate the result.\nOPENSSL_EXPORT EVP_PKEY *X509_get0_pubkey(const X509 *x509);\n\n// X509_get_pubkey behaves like |X509_get0_pubkey| but increments the reference\n// count on the |EVP_PKEY|. The caller must release the result with\n// |EVP_PKEY_free| when done. The |EVP_PKEY| is cached in |x509|, so callers\n// must not mutate the result.\nOPENSSL_EXPORT EVP_PKEY *X509_get_pubkey(const X509 *x509);\n\n// X509_get0_pubkey_bitstr returns the BIT STRING portion of |x509|'s public\n// key. Note this does not contain the AlgorithmIdentifier portion.\n//\n// WARNING: This function returns a non-const pointer for OpenSSL compatibility,\n// but the caller must not modify the resulting object. Doing so will break\n// internal invariants in |x509|.\nOPENSSL_EXPORT ASN1_BIT_STRING *X509_get0_pubkey_bitstr(const X509 *x509);\n\n// X509_check_private_key returns one if |x509|'s public key matches |pkey| and\n// zero otherwise.\nOPENSSL_EXPORT int X509_check_private_key(const X509 *x509,\n const EVP_PKEY *pkey);\n\n// X509_get0_uids sets |*out_issuer_uid| to a non-owning pointer to the\n// issuerUID field of |x509|, or NULL if |x509| has no issuerUID. It similarly\n// outputs |x509|'s subjectUID field to |*out_subject_uid|.\n//\n// Callers may pass NULL to either |out_issuer_uid| or |out_subject_uid| to\n// ignore the corresponding field.\nOPENSSL_EXPORT void X509_get0_uids(const X509 *x509,\n const ASN1_BIT_STRING **out_issuer_uid,\n const ASN1_BIT_STRING **out_subject_uid);\n\n// The following bits are returned from |X509_get_extension_flags|.\n\n// EXFLAG_BCONS indicates the certificate has a basic constraints extension.\n#define EXFLAG_BCONS 0x1\n// EXFLAG_KUSAGE indicates the certifcate has a key usage extension.\n#define EXFLAG_KUSAGE 0x2\n// EXFLAG_XKUSAGE indicates the certifcate has an extended key usage extension.\n#define EXFLAG_XKUSAGE 0x4\n// EXFLAG_CA indicates the certificate has a basic constraints extension with\n// the CA bit set.\n#define EXFLAG_CA 0x10\n// EXFLAG_SI indicates the certificate is self-issued, i.e. its subject and\n// issuer names match.\n#define EXFLAG_SI 0x20\n// EXFLAG_V1 indicates an X.509v1 certificate.\n#define EXFLAG_V1 0x40\n// EXFLAG_INVALID indicates an error processing some extension. The certificate\n// should not be accepted. Note the lack of this bit does not imply all\n// extensions are valid, only those used to compute extension flags.\n#define EXFLAG_INVALID 0x80\n// EXFLAG_SET is an internal bit that indicates extension flags were computed.\n#define EXFLAG_SET 0x100\n// EXFLAG_CRITICAL indicates an unsupported critical extension. The certificate\n// should not be accepted.\n#define EXFLAG_CRITICAL 0x200\n// EXFLAG_SS indicates the certificate is likely self-signed. That is, if it is\n// self-issued, its authority key identifier (if any) matches itself, and its\n// key usage extension (if any) allows certificate signatures. The signature\n// itself is not checked in computing this bit.\n#define EXFLAG_SS 0x2000\n\n// X509_get_extension_flags decodes a set of extensions from |x509| and returns\n// a collection of |EXFLAG_*| bits which reflect |x509|. If there was an error\n// in computing this bitmask, the result will include the |EXFLAG_INVALID| bit.\nOPENSSL_EXPORT uint32_t X509_get_extension_flags(X509 *x509);\n\n// X509_get_pathlen returns path length constraint from the basic constraints\n// extension in |x509|. (See RFC 5280, section 4.2.1.9.) It returns -1 if the\n// constraint is not present, or if some extension in |x509| was invalid.\n//\n// TODO(crbug.com/boringssl/381): Decoding an |X509| object will not check for\n// invalid extensions. To detect the error case, call\n// |X509_get_extension_flags| and check the |EXFLAG_INVALID| bit.\nOPENSSL_EXPORT long X509_get_pathlen(X509 *x509);\n\n// X509v3_KU_* are key usage bits returned from |X509_get_key_usage|.\n#define X509v3_KU_DIGITAL_SIGNATURE 0x0080\n#define X509v3_KU_NON_REPUDIATION 0x0040\n#define X509v3_KU_KEY_ENCIPHERMENT 0x0020\n#define X509v3_KU_DATA_ENCIPHERMENT 0x0010\n#define X509v3_KU_KEY_AGREEMENT 0x0008\n#define X509v3_KU_KEY_CERT_SIGN 0x0004\n#define X509v3_KU_CRL_SIGN 0x0002\n#define X509v3_KU_ENCIPHER_ONLY 0x0001\n#define X509v3_KU_DECIPHER_ONLY 0x8000\n\n// X509_get_key_usage returns a bitmask of key usages (see Section 4.2.1.3 of\n// RFC 5280) which |x509| is valid for. This function only reports the first 16\n// bits, in a little-endian byte order, but big-endian bit order. That is, bits\n// 0 though 7 are reported at 1<<7 through 1<<0, and bits 8 through 15 are\n// reported at 1<<15 through 1<<8.\n//\n// Instead of depending on this bit order, callers should compare against the\n// |X509v3_KU_*| constants.\n//\n// If |x509| has no key usage extension, all key usages are valid and this\n// function returns |UINT32_MAX|. If there was an error processing |x509|'s\n// extensions, or if the first 16 bits in the key usage extension were all zero,\n// this function returns zero.\nOPENSSL_EXPORT uint32_t X509_get_key_usage(X509 *x509);\n\n// XKU_* are extended key usage bits returned from\n// |X509_get_extended_key_usage|.\n#define XKU_SSL_SERVER 0x1\n#define XKU_SSL_CLIENT 0x2\n#define XKU_SMIME 0x4\n#define XKU_CODE_SIGN 0x8\n#define XKU_SGC 0x10\n#define XKU_OCSP_SIGN 0x20\n#define XKU_TIMESTAMP 0x40\n#define XKU_DVCS 0x80\n#define XKU_ANYEKU 0x100\n\n// X509_get_extended_key_usage returns a bitmask of extended key usages (see\n// Section 4.2.1.12 of RFC 5280) which |x509| is valid for. The result will be\n// a combination of |XKU_*| constants. If checking an extended key usage not\n// defined above, callers should extract the extended key usage extension\n// separately, e.g. via |X509_get_ext_d2i|.\n//\n// If |x509| has no extended key usage extension, all extended key usages are\n// valid and this function returns |UINT32_MAX|. If there was an error\n// processing |x509|'s extensions, or if |x509|'s extended key usage extension\n// contained no recognized usages, this function returns zero.\nOPENSSL_EXPORT uint32_t X509_get_extended_key_usage(X509 *x509);\n\n// X509_get0_subject_key_id returns |x509|'s subject key identifier, if present.\n// (See RFC 5280, section 4.2.1.2.) It returns NULL if the extension is not\n// present or if some extension in |x509| was invalid.\n//\n// TODO(crbug.com/boringssl/381): Decoding an |X509| object will not check for\n// invalid extensions. To detect the error case, call\n// |X509_get_extension_flags| and check the |EXFLAG_INVALID| bit.\nOPENSSL_EXPORT const ASN1_OCTET_STRING *X509_get0_subject_key_id(X509 *x509);\n\n// X509_get0_authority_key_id returns keyIdentifier of |x509|'s authority key\n// identifier, if the extension and field are present. (See RFC 5280,\n// section 4.2.1.1.) It returns NULL if the extension is not present, if it is\n// present but lacks a keyIdentifier field, or if some extension in |x509| was\n// invalid.\n//\n// TODO(crbug.com/boringssl/381): Decoding an |X509| object will not check for\n// invalid extensions. To detect the error case, call\n// |X509_get_extension_flags| and check the |EXFLAG_INVALID| bit.\nOPENSSL_EXPORT const ASN1_OCTET_STRING *X509_get0_authority_key_id(X509 *x509);\n\nDEFINE_STACK_OF(GENERAL_NAME)\ntypedef STACK_OF(GENERAL_NAME) GENERAL_NAMES;\n\n// X509_get0_authority_issuer returns the authorityCertIssuer of |x509|'s\n// authority key identifier, if the extension and field are present. (See\n// RFC 5280, section 4.2.1.1.) It returns NULL if the extension is not present,\n// if it is present but lacks a authorityCertIssuer field, or if some extension\n// in |x509| was invalid.\n//\n// TODO(crbug.com/boringssl/381): Decoding an |X509| object will not check for\n// invalid extensions. To detect the error case, call\n// |X509_get_extension_flags| and check the |EXFLAG_INVALID| bit.\nOPENSSL_EXPORT const GENERAL_NAMES *X509_get0_authority_issuer(X509 *x509);\n\n// X509_get0_authority_serial returns the authorityCertSerialNumber of |x509|'s\n// authority key identifier, if the extension and field are present. (See\n// RFC 5280, section 4.2.1.1.) It returns NULL if the extension is not present,\n// if it is present but lacks a authorityCertSerialNumber field, or if some\n// extension in |x509| was invalid.\n//\n// TODO(crbug.com/boringssl/381): Decoding an |X509| object will not check for\n// invalid extensions. To detect the error case, call\n// |X509_get_extension_flags| and check the |EXFLAG_INVALID| bit.\nOPENSSL_EXPORT const ASN1_INTEGER *X509_get0_authority_serial(X509 *x509);\n\n// X509_get0_extensions returns |x509|'s extension list, or NULL if |x509| omits\n// it.\nOPENSSL_EXPORT const STACK_OF(X509_EXTENSION) *X509_get0_extensions(\n const X509 *x509);\n\n// X509_get_ext_count returns the number of extensions in |x|.\nOPENSSL_EXPORT int X509_get_ext_count(const X509 *x);\n\n// X509_get_ext_by_NID behaves like |X509v3_get_ext_by_NID| but searches for\n// extensions in |x|.\nOPENSSL_EXPORT int X509_get_ext_by_NID(const X509 *x, int nid, int lastpos);\n\n// X509_get_ext_by_OBJ behaves like |X509v3_get_ext_by_OBJ| but searches for\n// extensions in |x|.\nOPENSSL_EXPORT int X509_get_ext_by_OBJ(const X509 *x, const ASN1_OBJECT *obj,\n int lastpos);\n\n// X509_get_ext_by_critical behaves like |X509v3_get_ext_by_critical| but\n// searches for extensions in |x|.\nOPENSSL_EXPORT int X509_get_ext_by_critical(const X509 *x, int crit,\n int lastpos);\n\n// X509_get_ext returns the extension in |x| at index |loc|, or NULL if |loc| is\n// out of bounds. This function returns a non-const pointer for OpenSSL\n// compatibility, but callers should not mutate the result.\nOPENSSL_EXPORT X509_EXTENSION *X509_get_ext(const X509 *x, int loc);\n\n// X509_get_ext_d2i behaves like |X509V3_get_d2i| but looks for the extension in\n// |x509|'s extension list.\n//\n// WARNING: This function is difficult to use correctly. See the documentation\n// for |X509V3_get_d2i| for details.\nOPENSSL_EXPORT void *X509_get_ext_d2i(const X509 *x509, int nid,\n int *out_critical, int *out_idx);\n\n// X509_get0_tbs_sigalg returns the signature algorithm in |x509|'s\n// TBSCertificate. For the outer signature algorithm, see |X509_get0_signature|.\n//\n// Certificates with mismatched signature algorithms will successfully parse,\n// but they will be rejected when verifying.\nOPENSSL_EXPORT const X509_ALGOR *X509_get0_tbs_sigalg(const X509 *x509);\n\n// X509_get0_signature sets |*out_sig| and |*out_alg| to the signature and\n// signature algorithm of |x509|, respectively. Either output pointer may be\n// NULL to ignore the value.\n//\n// This function outputs the outer signature algorithm. For the one in the\n// TBSCertificate, see |X509_get0_tbs_sigalg|. Certificates with mismatched\n// signature algorithms will successfully parse, but they will be rejected when\n// verifying.\nOPENSSL_EXPORT void X509_get0_signature(const ASN1_BIT_STRING **out_sig,\n const X509_ALGOR **out_alg,\n const X509 *x509);\n\n// X509_get_signature_nid returns the NID corresponding to |x509|'s signature\n// algorithm, or |NID_undef| if the signature algorithm does not correspond to\n// a known NID.\nOPENSSL_EXPORT int X509_get_signature_nid(const X509 *x509);\n\n// i2d_X509_tbs serializes the TBSCertificate portion of |x509|, as described in\n// |i2d_SAMPLE|.\n//\n// This function preserves the original encoding of the TBSCertificate and may\n// not reflect modifications made to |x509|. It may be used to manually verify\n// the signature of an existing certificate. To generate certificates, use\n// |i2d_re_X509_tbs| instead.\nOPENSSL_EXPORT int i2d_X509_tbs(X509 *x509, unsigned char **outp);\n\n// X509_verify checks that |x509| has a valid signature by |pkey|. It returns\n// one if the signature is valid and zero otherwise. Note this function only\n// checks the signature itself and does not perform a full certificate\n// validation.\nOPENSSL_EXPORT int X509_verify(X509 *x509, EVP_PKEY *pkey);\n\n// X509_get1_email returns a newly-allocated list of NUL-terminated strings\n// containing all email addresses in |x509|'s subject and all rfc822name names\n// in |x509|'s subject alternative names. Email addresses which contain embedded\n// NUL bytes are skipped.\n//\n// On error, or if there are no such email addresses, it returns NULL. When\n// done, the caller must release the result with |X509_email_free|.\nOPENSSL_EXPORT STACK_OF(OPENSSL_STRING) *X509_get1_email(const X509 *x509);\n\n// X509_get1_ocsp returns a newly-allocated list of NUL-terminated strings\n// containing all OCSP URIs in |x509|. That is, it collects all URI\n// AccessDescriptions with an accessMethod of id-ad-ocsp in |x509|'s authority\n// information access extension. URIs which contain embedded NUL bytes are\n// skipped.\n//\n// On error, or if there are no such URIs, it returns NULL. When done, the\n// caller must release the result with |X509_email_free|.\nOPENSSL_EXPORT STACK_OF(OPENSSL_STRING) *X509_get1_ocsp(const X509 *x509);\n\n// X509_email_free releases memory associated with |sk|, including |sk| itself.\n// Each |OPENSSL_STRING| in |sk| must be a NUL-terminated string allocated with\n// |OPENSSL_malloc|. If |sk| is NULL, no action is taken.\nOPENSSL_EXPORT void X509_email_free(STACK_OF(OPENSSL_STRING) *sk);\n\n// X509_cmp compares |a| and |b| and returns zero if they are equal, a negative\n// number if |b| sorts after |a| and a negative number if |a| sorts after |b|.\n// The sort order implemented by this function is arbitrary and does not\n// reflect properties of the certificate such as expiry. Applications should not\n// rely on the order itself.\n//\n// TODO(https://crbug.com/boringssl/355): This function works by comparing a\n// cached hash of the encoded certificate. If |a| or |b| could not be\n// serialized, the current behavior is to compare all unencodable certificates\n// as equal. This function should only be used with |X509| objects that were\n// parsed from bytes and never mutated.\n//\n// TODO(https://crbug.com/boringssl/407): This function is const, but it is not\n// always thread-safe, notably if |a| and |b| were mutated.\nOPENSSL_EXPORT int X509_cmp(const X509 *a, const X509 *b);\n\n\n// Issuing certificates.\n//\n// An |X509| object may also represent an incomplete certificate. Callers may\n// construct empty |X509| objects, fill in fields individually, and finally sign\n// the result. The following functions may be used for this purpose.\n\n// X509_new returns a newly-allocated, empty |X509| object, or NULL on error.\n// This produces an incomplete certificate which may be filled in to issue a new\n// certificate.\nOPENSSL_EXPORT X509 *X509_new(void);\n\n// X509_set_version sets |x509|'s version to |version|, which should be one of\n// the |X509V_VERSION_*| constants. It returns one on success and zero on error.\n//\n// If unsure, use |X509_VERSION_3|.\nOPENSSL_EXPORT int X509_set_version(X509 *x509, long version);\n\n// X509_set_serialNumber sets |x509|'s serial number to |serial|. It returns one\n// on success and zero on error.\nOPENSSL_EXPORT int X509_set_serialNumber(X509 *x509,\n const ASN1_INTEGER *serial);\n\n// X509_set1_notBefore sets |x509|'s notBefore time to |tm|. It returns one on\n// success and zero on error.\nOPENSSL_EXPORT int X509_set1_notBefore(X509 *x509, const ASN1_TIME *tm);\n\n// X509_set1_notAfter sets |x509|'s notAfter time to |tm|. it returns one on\n// success and zero on error.\nOPENSSL_EXPORT int X509_set1_notAfter(X509 *x509, const ASN1_TIME *tm);\n\n// X509_getm_notBefore returns a mutable pointer to |x509|'s notBefore time.\nOPENSSL_EXPORT ASN1_TIME *X509_getm_notBefore(X509 *x509);\n\n// X509_getm_notAfter returns a mutable pointer to |x509|'s notAfter time.\nOPENSSL_EXPORT ASN1_TIME *X509_getm_notAfter(X509 *x);\n\n// X509_set_issuer_name sets |x509|'s issuer to a copy of |name|. It returns one\n// on success and zero on error.\nOPENSSL_EXPORT int X509_set_issuer_name(X509 *x509, X509_NAME *name);\n\n// X509_set_subject_name sets |x509|'s subject to a copy of |name|. It returns\n// one on success and zero on error.\nOPENSSL_EXPORT int X509_set_subject_name(X509 *x509, X509_NAME *name);\n\n// X509_set_pubkey sets |x509|'s public key to |pkey|. It returns one on success\n// and zero on error. This function does not take ownership of |pkey| and\n// internally copies and updates reference counts as needed.\nOPENSSL_EXPORT int X509_set_pubkey(X509 *x509, EVP_PKEY *pkey);\n\n// X509_delete_ext removes the extension in |x| at index |loc| and returns the\n// removed extension, or NULL if |loc| was out of bounds. If non-NULL, the\n// caller must release the result with |X509_EXTENSION_free|.\nOPENSSL_EXPORT X509_EXTENSION *X509_delete_ext(X509 *x, int loc);\n\n// X509_add_ext adds a copy of |ex| to |x|. It returns one on success and zero\n// on failure. The caller retains ownership of |ex| and can release it\n// independently of |x|.\n//\n// The new extension is inserted at index |loc|, shifting extensions to the\n// right. If |loc| is -1 or out of bounds, the new extension is appended to the\n// list.\nOPENSSL_EXPORT int X509_add_ext(X509 *x, const X509_EXTENSION *ex, int loc);\n\n// X509_add1_ext_i2d behaves like |X509V3_add1_i2d| but adds the extension to\n// |x|'s extension list.\n//\n// WARNING: This function may return zero or -1 on error. The caller must also\n// ensure |value|'s type matches |nid|. See the documentation for\n// |X509V3_add1_i2d| for details.\nOPENSSL_EXPORT int X509_add1_ext_i2d(X509 *x, int nid, void *value, int crit,\n unsigned long flags);\n\n// X509_sign signs |x509| with |pkey| and replaces the signature algorithm and\n// signature fields. It returns the length of the signature on success and zero\n// on error. This function uses digest algorithm |md|, or |pkey|'s default if\n// NULL. Other signing parameters use |pkey|'s defaults. To customize them, use\n// |X509_sign_ctx|.\nOPENSSL_EXPORT int X509_sign(X509 *x509, EVP_PKEY *pkey, const EVP_MD *md);\n\n// X509_sign_ctx signs |x509| with |ctx| and replaces the signature algorithm\n// and signature fields. It returns the length of the signature on success and\n// zero on error. The signature algorithm and parameters come from |ctx|, which\n// must have been initialized with |EVP_DigestSignInit|. The caller should\n// configure the corresponding |EVP_PKEY_CTX| before calling this function.\n//\n// On success or failure, this function mutates |ctx| and resets it to the empty\n// state. Caller should not rely on its contents after the function returns.\nOPENSSL_EXPORT int X509_sign_ctx(X509 *x509, EVP_MD_CTX *ctx);\n\n// i2d_re_X509_tbs serializes the TBSCertificate portion of |x509|, as described\n// in |i2d_SAMPLE|.\n//\n// This function re-encodes the TBSCertificate and may not reflect |x509|'s\n// original encoding. It may be used to manually generate a signature for a new\n// certificate. To verify certificates, use |i2d_X509_tbs| instead.\nOPENSSL_EXPORT int i2d_re_X509_tbs(X509 *x509, unsigned char **outp);\n\n// X509_set1_signature_algo sets |x509|'s signature algorithm to |algo| and\n// returns one on success or zero on error. It updates both the signature field\n// of the TBSCertificate structure, and the signatureAlgorithm field of the\n// Certificate.\nOPENSSL_EXPORT int X509_set1_signature_algo(X509 *x509, const X509_ALGOR *algo);\n\n// X509_set1_signature_value sets |x509|'s signature to a copy of the |sig_len|\n// bytes pointed by |sig|. It returns one on success and zero on error.\n//\n// Due to a specification error, X.509 certificates store signatures in ASN.1\n// BIT STRINGs, but signature algorithms return byte strings rather than bit\n// strings. This function creates a BIT STRING containing a whole number of\n// bytes, with the bit order matching the DER encoding. This matches the\n// encoding used by all X.509 signature algorithms.\nOPENSSL_EXPORT int X509_set1_signature_value(X509 *x509, const uint8_t *sig,\n size_t sig_len);\n\n\n// Auxiliary certificate properties.\n//\n// |X509| objects optionally maintain auxiliary properties. These are not part\n// of the certificates themselves, and thus are not covered by signatures or\n// preserved by the standard serialization. They are used as inputs or outputs\n// to other functions in this library.\n\n// i2d_X509_AUX marshals |x509| as a DER-encoded X.509 Certificate (RFC 5280),\n// followed optionally by a separate, OpenSSL-specific structure with auxiliary\n// properties. It behaves as described in |i2d_SAMPLE|.\n//\n// Unlike similarly-named functions, this function does not output a single\n// ASN.1 element. Directly embedding the output in a larger ASN.1 structure will\n// not behave correctly.\n//\n// TODO(crbug.com/boringssl/407): |x509| should be const.\nOPENSSL_EXPORT int i2d_X509_AUX(X509 *x509, uint8_t **outp);\n\n// d2i_X509_AUX parses up to |length| bytes from |*inp| as a DER-encoded X.509\n// Certificate (RFC 5280), followed optionally by a separate, OpenSSL-specific\n// structure with auxiliary properties. It behaves as described in |d2i_SAMPLE|.\n//\n// WARNING: Passing untrusted input to this function allows an attacker to\n// control auxiliary properties. This can allow unexpected influence over the\n// application if the certificate is used in a context that reads auxiliary\n// properties. This includes PKCS#12 serialization, trusted certificates in\n// |X509_STORE|, and callers of |X509_alias_get0| or |X509_keyid_get0|.\n//\n// Unlike similarly-named functions, this function does not parse a single\n// ASN.1 element. Trying to parse data directly embedded in a larger ASN.1\n// structure will not behave correctly.\nOPENSSL_EXPORT X509 *d2i_X509_AUX(X509 **x509, const uint8_t **inp,\n long length);\n\n// X509_alias_set1 sets |x509|'s alias to |len| bytes from |name|. If |name| is\n// NULL, the alias is cleared instead. Aliases are not part of the certificate\n// itself and will not be serialized by |i2d_X509|. If |x509| is serialized in\n// a PKCS#12 structure, the friendlyName attribute (RFC 2985) will contain this\n// alias.\nOPENSSL_EXPORT int X509_alias_set1(X509 *x509, const uint8_t *name,\n ossl_ssize_t len);\n\n// X509_keyid_set1 sets |x509|'s key ID to |len| bytes from |id|. If |id| is\n// NULL, the key ID is cleared instead. Key IDs are not part of the certificate\n// itself and will not be serialized by |i2d_X509|.\nOPENSSL_EXPORT int X509_keyid_set1(X509 *x509, const uint8_t *id,\n ossl_ssize_t len);\n\n// X509_alias_get0 looks up |x509|'s alias. If found, it sets |*out_len| to the\n// alias's length and returns a pointer to a buffer containing the contents. If\n// not found, it outputs the empty string by returning NULL and setting\n// |*out_len| to zero.\n//\n// If |x509| was parsed from a PKCS#12 structure (see\n// |PKCS12_get_key_and_certs|), the alias will reflect the friendlyName\n// attribute (RFC 2985).\n//\n// WARNING: In OpenSSL, this function did not set |*out_len| when the alias was\n// missing. Callers that target both OpenSSL and BoringSSL should set the value\n// to zero before calling this function.\nOPENSSL_EXPORT const uint8_t *X509_alias_get0(const X509 *x509, int *out_len);\n\n// X509_keyid_get0 looks up |x509|'s key ID. If found, it sets |*out_len| to the\n// key ID's length and returns a pointer to a buffer containing the contents. If\n// not found, it outputs the empty string by returning NULL and setting\n// |*out_len| to zero.\n//\n// WARNING: In OpenSSL, this function did not set |*out_len| when the alias was\n// missing. Callers that target both OpenSSL and BoringSSL should set the value\n// to zero before calling this function.\nOPENSSL_EXPORT const uint8_t *X509_keyid_get0(const X509 *x509, int *out_len);\n\n// X509_add1_trust_object configures |x509| as a valid trust anchor for |obj|.\n// It returns one on success and zero on error. |obj| should be a certificate\n// usage OID associated with an |X509_TRUST_*| constant.\n//\n// See |X509_VERIFY_PARAM_set_trust| for details on how this value is evaluated.\n// Note this only takes effect if |x509| was configured as a trusted certificate\n// via |X509_STORE|.\nOPENSSL_EXPORT int X509_add1_trust_object(X509 *x509, const ASN1_OBJECT *obj);\n\n// X509_add1_reject_object configures |x509| as distrusted for |obj|. It returns\n// one on success and zero on error. |obj| should be a certificate usage OID\n// associated with an |X509_TRUST_*| constant.\n//\n// See |X509_VERIFY_PARAM_set_trust| for details on how this value is evaluated.\n// Note this only takes effect if |x509| was configured as a trusted certificate\n// via |X509_STORE|.\nOPENSSL_EXPORT int X509_add1_reject_object(X509 *x509, const ASN1_OBJECT *obj);\n\n// X509_trust_clear clears the list of OIDs for which |x509| is trusted. See\n// also |X509_add1_trust_object|.\nOPENSSL_EXPORT void X509_trust_clear(X509 *x509);\n\n// X509_reject_clear clears the list of OIDs for which |x509| is distrusted. See\n// also |X509_add1_reject_object|.\nOPENSSL_EXPORT void X509_reject_clear(X509 *x509);\n\n\n// Certificate revocation lists.\n//\n// An |X509_CRL| object represents an X.509 certificate revocation list (CRL),\n// defined in RFC 5280. A CRL is a signed list of certificates, the\n// revokedCertificates field, which are no longer considered valid. Each entry\n// of this list is represented with an |X509_REVOKED| object, documented in the\n// \"CRL entries\" section below.\n//\n// Although an |X509_CRL| is a mutable object, mutating an |X509_CRL| or its\n// |X509_REVOKED|s can give incorrect results. Callers typically obtain\n// |X509_CRL|s by parsing some input with |d2i_X509_CRL|, etc. Such objects\n// carry information such as the serialized TBSCertList and decoded extensions,\n// which will become inconsistent when mutated.\n//\n// Instead, mutation functions should only be used when issuing new CRLs, as\n// described in a later section.\n\nDEFINE_STACK_OF(X509_CRL)\nDEFINE_STACK_OF(X509_REVOKED)\n\n// X509_CRL_up_ref adds one to the reference count of |crl| and returns one.\nOPENSSL_EXPORT int X509_CRL_up_ref(X509_CRL *crl);\n\n// X509_CRL_dup returns a newly-allocated copy of |crl|, or NULL on error. This\n// function works by serializing the structure, so if |crl| is incomplete, it\n// may fail.\n//\n// TODO(https://crbug.com/boringssl/407): This function should be const and\n// thread-safe but is currently neither in some cases, notably if |crl| was\n// mutated.\nOPENSSL_EXPORT X509_CRL *X509_CRL_dup(X509_CRL *crl);\n\n// X509_CRL_free decrements |crl|'s reference count and, if zero, releases\n// memory associated with |crl|.\nOPENSSL_EXPORT void X509_CRL_free(X509_CRL *crl);\n\n// d2i_X509_CRL parses up to |len| bytes from |*inp| as a DER-encoded X.509\n// CertificateList (RFC 5280), as described in |d2i_SAMPLE|.\nOPENSSL_EXPORT X509_CRL *d2i_X509_CRL(X509_CRL **out, const uint8_t **inp,\n long len);\n\n// i2d_X509_CRL marshals |crl| as a X.509 CertificateList (RFC 5280), as\n// described in |i2d_SAMPLE|.\n//\n// TODO(https://crbug.com/boringssl/407): This function should be const and\n// thread-safe but is currently neither in some cases, notably if |crl| was\n// mutated.\nOPENSSL_EXPORT int i2d_X509_CRL(X509_CRL *crl, uint8_t **outp);\n\n// X509_CRL_match compares |a| and |b| and returns zero if they are equal, a\n// negative number if |b| sorts after |a| and a negative number if |a| sorts\n// after |b|. The sort order implemented by this function is arbitrary and does\n// not reflect properties of the CRL such as expiry. Applications should not\n// rely on the order itself.\n//\n// TODO(https://crbug.com/boringssl/355): This function works by comparing a\n// cached hash of the encoded CRL. This cached hash is computed when the CRL is\n// parsed, but not when mutating or issuing CRLs. This function should only be\n// used with |X509_CRL| objects that were parsed from bytes and never mutated.\nOPENSSL_EXPORT int X509_CRL_match(const X509_CRL *a, const X509_CRL *b);\n\n#define X509_CRL_VERSION_1 0\n#define X509_CRL_VERSION_2 1\n\n// X509_CRL_get_version returns the numerical value of |crl|'s version, which\n// will be one of the |X509_CRL_VERSION_*| constants.\nOPENSSL_EXPORT long X509_CRL_get_version(const X509_CRL *crl);\n\n// X509_CRL_get0_lastUpdate returns |crl|'s thisUpdate time. The OpenSSL API\n// refers to this field as lastUpdate.\nOPENSSL_EXPORT const ASN1_TIME *X509_CRL_get0_lastUpdate(const X509_CRL *crl);\n\n// X509_CRL_get0_nextUpdate returns |crl|'s nextUpdate time, or NULL if |crl|\n// has none.\nOPENSSL_EXPORT const ASN1_TIME *X509_CRL_get0_nextUpdate(const X509_CRL *crl);\n\n// X509_CRL_get_issuer returns |crl|'s issuer name. Note this function is not\n// const-correct for legacy reasons.\nOPENSSL_EXPORT X509_NAME *X509_CRL_get_issuer(const X509_CRL *crl);\n\n// X509_CRL_get0_by_serial finds the entry in |crl| whose serial number is\n// |serial|. If found, it sets |*out| to the entry and returns one. If not\n// found, it returns zero.\n//\n// On success, |*out| continues to be owned by |crl|. It is an error to free or\n// otherwise modify |*out|.\n//\n// TODO(crbug.com/boringssl/600): Ideally |crl| would be const. It is broadly\n// thread-safe, but changes the order of entries in |crl|. It cannot be called\n// concurrently with |i2d_X509_CRL|.\nOPENSSL_EXPORT int X509_CRL_get0_by_serial(X509_CRL *crl, X509_REVOKED **out,\n const ASN1_INTEGER *serial);\n\n// X509_CRL_get0_by_cert behaves like |X509_CRL_get0_by_serial|, except it looks\n// for the entry that matches |x509|.\nOPENSSL_EXPORT int X509_CRL_get0_by_cert(X509_CRL *crl, X509_REVOKED **out,\n X509 *x509);\n\n// X509_CRL_get_REVOKED returns the list of revoked certificates in |crl|, or\n// NULL if |crl| omits it.\n//\n// TOOD(davidben): This function was originally a macro, without clear const\n// semantics. It should take a const input and give const output, but the latter\n// would break existing callers. For now, we match upstream.\nOPENSSL_EXPORT STACK_OF(X509_REVOKED) *X509_CRL_get_REVOKED(X509_CRL *crl);\n\n// X509_CRL_get0_extensions returns |crl|'s extension list, or NULL if |crl|\n// omits it. A CRL can have extensions on individual entries, which is\n// |X509_REVOKED_get0_extensions|, or on the overall CRL, which is this\n// function.\nOPENSSL_EXPORT const STACK_OF(X509_EXTENSION) *X509_CRL_get0_extensions(\n const X509_CRL *crl);\n\n// X509_CRL_get_ext_count returns the number of extensions in |x|.\nOPENSSL_EXPORT int X509_CRL_get_ext_count(const X509_CRL *x);\n\n// X509_CRL_get_ext_by_NID behaves like |X509v3_get_ext_by_NID| but searches for\n// extensions in |x|.\nOPENSSL_EXPORT int X509_CRL_get_ext_by_NID(const X509_CRL *x, int nid,\n int lastpos);\n\n// X509_CRL_get_ext_by_OBJ behaves like |X509v3_get_ext_by_OBJ| but searches for\n// extensions in |x|.\nOPENSSL_EXPORT int X509_CRL_get_ext_by_OBJ(const X509_CRL *x,\n const ASN1_OBJECT *obj, int lastpos);\n\n// X509_CRL_get_ext_by_critical behaves like |X509v3_get_ext_by_critical| but\n// searches for extensions in |x|.\nOPENSSL_EXPORT int X509_CRL_get_ext_by_critical(const X509_CRL *x, int crit,\n int lastpos);\n\n// X509_CRL_get_ext returns the extension in |x| at index |loc|, or NULL if\n// |loc| is out of bounds. This function returns a non-const pointer for OpenSSL\n// compatibility, but callers should not mutate the result.\nOPENSSL_EXPORT X509_EXTENSION *X509_CRL_get_ext(const X509_CRL *x, int loc);\n\n// X509_CRL_get_ext_d2i behaves like |X509V3_get_d2i| but looks for the\n// extension in |crl|'s extension list.\n//\n// WARNING: This function is difficult to use correctly. See the documentation\n// for |X509V3_get_d2i| for details.\nOPENSSL_EXPORT void *X509_CRL_get_ext_d2i(const X509_CRL *crl, int nid,\n int *out_critical, int *out_idx);\n\n// X509_CRL_get0_signature sets |*out_sig| and |*out_alg| to the signature and\n// signature algorithm of |crl|, respectively. Either output pointer may be NULL\n// to ignore the value.\n//\n// This function outputs the outer signature algorithm, not the one in the\n// TBSCertList. CRLs with mismatched signature algorithms will successfully\n// parse, but they will be rejected when verifying.\nOPENSSL_EXPORT void X509_CRL_get0_signature(const X509_CRL *crl,\n const ASN1_BIT_STRING **out_sig,\n const X509_ALGOR **out_alg);\n\n// X509_CRL_get_signature_nid returns the NID corresponding to |crl|'s signature\n// algorithm, or |NID_undef| if the signature algorithm does not correspond to\n// a known NID.\nOPENSSL_EXPORT int X509_CRL_get_signature_nid(const X509_CRL *crl);\n\n// i2d_X509_CRL_tbs serializes the TBSCertList portion of |crl|, as described in\n// |i2d_SAMPLE|.\n//\n// This function preserves the original encoding of the TBSCertList and may not\n// reflect modifications made to |crl|. It may be used to manually verify the\n// signature of an existing CRL. To generate CRLs, use |i2d_re_X509_CRL_tbs|\n// instead.\nOPENSSL_EXPORT int i2d_X509_CRL_tbs(X509_CRL *crl, unsigned char **outp);\n\n// X509_CRL_verify checks that |crl| has a valid signature by |pkey|. It returns\n// one if the signature is valid and zero otherwise.\nOPENSSL_EXPORT int X509_CRL_verify(X509_CRL *crl, EVP_PKEY *pkey);\n\n\n// Issuing certificate revocation lists.\n//\n// An |X509_CRL| object may also represent an incomplete CRL. Callers may\n// construct empty |X509_CRL| objects, fill in fields individually, and finally\n// sign the result. The following functions may be used for this purpose.\n\n// X509_CRL_new returns a newly-allocated, empty |X509_CRL| object, or NULL on\n// error. This object may be filled in and then signed to construct a CRL.\nOPENSSL_EXPORT X509_CRL *X509_CRL_new(void);\n\n// X509_CRL_set_version sets |crl|'s version to |version|, which should be one\n// of the |X509_CRL_VERSION_*| constants. It returns one on success and zero on\n// error.\n//\n// If unsure, use |X509_CRL_VERSION_2|. Note that, unlike certificates, CRL\n// versions are only defined up to v2. Callers should not use |X509_VERSION_3|.\nOPENSSL_EXPORT int X509_CRL_set_version(X509_CRL *crl, long version);\n\n// X509_CRL_set_issuer_name sets |crl|'s issuer to a copy of |name|. It returns\n// one on success and zero on error.\nOPENSSL_EXPORT int X509_CRL_set_issuer_name(X509_CRL *crl, X509_NAME *name);\n\n// X509_CRL_set1_lastUpdate sets |crl|'s thisUpdate time to |tm|. It returns one\n// on success and zero on error. The OpenSSL API refers to this field as\n// lastUpdate.\nOPENSSL_EXPORT int X509_CRL_set1_lastUpdate(X509_CRL *crl, const ASN1_TIME *tm);\n\n// X509_CRL_set1_nextUpdate sets |crl|'s nextUpdate time to |tm|. It returns one\n// on success and zero on error.\nOPENSSL_EXPORT int X509_CRL_set1_nextUpdate(X509_CRL *crl, const ASN1_TIME *tm);\n\n// X509_CRL_add0_revoked adds |rev| to |crl|. On success, it takes ownership of\n// |rev| and returns one. On error, it returns zero. If this function fails, the\n// caller retains ownership of |rev| and must release it when done.\nOPENSSL_EXPORT int X509_CRL_add0_revoked(X509_CRL *crl, X509_REVOKED *rev);\n\n// X509_CRL_sort sorts the entries in |crl| by serial number. It returns one on\n// success and zero on error.\nOPENSSL_EXPORT int X509_CRL_sort(X509_CRL *crl);\n\n// X509_CRL_delete_ext removes the extension in |x| at index |loc| and returns\n// the removed extension, or NULL if |loc| was out of bounds. If non-NULL, the\n// caller must release the result with |X509_EXTENSION_free|.\nOPENSSL_EXPORT X509_EXTENSION *X509_CRL_delete_ext(X509_CRL *x, int loc);\n\n// X509_CRL_add_ext adds a copy of |ex| to |x|. It returns one on success and\n// zero on failure. The caller retains ownership of |ex| and can release it\n// independently of |x|.\n//\n// The new extension is inserted at index |loc|, shifting extensions to the\n// right. If |loc| is -1 or out of bounds, the new extension is appended to the\n// list.\nOPENSSL_EXPORT int X509_CRL_add_ext(X509_CRL *x, const X509_EXTENSION *ex,\n int loc);\n\n// X509_CRL_add1_ext_i2d behaves like |X509V3_add1_i2d| but adds the extension\n// to |x|'s extension list.\n//\n// WARNING: This function may return zero or -1 on error. The caller must also\n// ensure |value|'s type matches |nid|. See the documentation for\n// |X509V3_add1_i2d| for details.\nOPENSSL_EXPORT int X509_CRL_add1_ext_i2d(X509_CRL *x, int nid, void *value,\n int crit, unsigned long flags);\n\n// X509_CRL_sign signs |crl| with |pkey| and replaces the signature algorithm\n// and signature fields. It returns the length of the signature on success and\n// zero on error. This function uses digest algorithm |md|, or |pkey|'s default\n// if NULL. Other signing parameters use |pkey|'s defaults. To customize them,\n// use |X509_CRL_sign_ctx|.\nOPENSSL_EXPORT int X509_CRL_sign(X509_CRL *crl, EVP_PKEY *pkey,\n const EVP_MD *md);\n\n// X509_CRL_sign_ctx signs |crl| with |ctx| and replaces the signature algorithm\n// and signature fields. It returns the length of the signature on success and\n// zero on error. The signature algorithm and parameters come from |ctx|, which\n// must have been initialized with |EVP_DigestSignInit|. The caller should\n// configure the corresponding |EVP_PKEY_CTX| before calling this function.\n//\n// On success or failure, this function mutates |ctx| and resets it to the empty\n// state. Caller should not rely on its contents after the function returns.\nOPENSSL_EXPORT int X509_CRL_sign_ctx(X509_CRL *crl, EVP_MD_CTX *ctx);\n\n// i2d_re_X509_CRL_tbs serializes the TBSCertList portion of |crl|, as described\n// in |i2d_SAMPLE|.\n//\n// This function re-encodes the TBSCertList and may not reflect |crl|'s original\n// encoding. It may be used to manually generate a signature for a new CRL. To\n// verify CRLs, use |i2d_X509_CRL_tbs| instead.\nOPENSSL_EXPORT int i2d_re_X509_CRL_tbs(X509_CRL *crl, unsigned char **outp);\n\n// X509_CRL_set1_signature_algo sets |crl|'s signature algorithm to |algo| and\n// returns one on success or zero on error. It updates both the signature field\n// of the TBSCertList structure, and the signatureAlgorithm field of the CRL.\nOPENSSL_EXPORT int X509_CRL_set1_signature_algo(X509_CRL *crl,\n const X509_ALGOR *algo);\n\n// X509_CRL_set1_signature_value sets |crl|'s signature to a copy of the\n// |sig_len| bytes pointed by |sig|. It returns one on success and zero on\n// error.\n//\n// Due to a specification error, X.509 CRLs store signatures in ASN.1 BIT\n// STRINGs, but signature algorithms return byte strings rather than bit\n// strings. This function creates a BIT STRING containing a whole number of\n// bytes, with the bit order matching the DER encoding. This matches the\n// encoding used by all X.509 signature algorithms.\nOPENSSL_EXPORT int X509_CRL_set1_signature_value(X509_CRL *crl,\n const uint8_t *sig,\n size_t sig_len);\n\n\n// CRL entries.\n//\n// Each entry of a CRL is represented as an |X509_REVOKED| object, which\n// describes a revoked certificate by serial number.\n//\n// When an |X509_REVOKED| is obtained from an |X509_CRL| object, it is an error\n// to mutate the object. Doing so may break |X509_CRL|'s and cause the library\n// to behave incorrectly.\n\n// X509_REVOKED_new returns a newly-allocated, empty |X509_REVOKED| object, or\n// NULL on allocation error.\nOPENSSL_EXPORT X509_REVOKED *X509_REVOKED_new(void);\n\n// X509_REVOKED_free releases memory associated with |rev|.\nOPENSSL_EXPORT void X509_REVOKED_free(X509_REVOKED *rev);\n\n// d2i_X509_REVOKED parses up to |len| bytes from |*inp| as a DER-encoded X.509\n// CRL entry, as described in |d2i_SAMPLE|.\nOPENSSL_EXPORT X509_REVOKED *d2i_X509_REVOKED(X509_REVOKED **out,\n const uint8_t **inp, long len);\n\n// i2d_X509_REVOKED marshals |alg| as a DER-encoded X.509 CRL entry, as\n// described in |i2d_SAMPLE|.\nOPENSSL_EXPORT int i2d_X509_REVOKED(const X509_REVOKED *alg, uint8_t **outp);\n\n// X509_REVOKED_dup returns a newly-allocated copy of |rev|, or NULL on error.\n// This function works by serializing the structure, so if |rev| is incomplete,\n// it may fail.\nOPENSSL_EXPORT X509_REVOKED *X509_REVOKED_dup(const X509_REVOKED *rev);\n\n// X509_REVOKED_get0_serialNumber returns the serial number of the certificate\n// revoked by |revoked|.\nOPENSSL_EXPORT const ASN1_INTEGER *X509_REVOKED_get0_serialNumber(\n const X509_REVOKED *revoked);\n\n// X509_REVOKED_set_serialNumber sets |revoked|'s serial number to |serial|. It\n// returns one on success or zero on error.\nOPENSSL_EXPORT int X509_REVOKED_set_serialNumber(X509_REVOKED *revoked,\n const ASN1_INTEGER *serial);\n\n// X509_REVOKED_get0_revocationDate returns the revocation time of the\n// certificate revoked by |revoked|.\nOPENSSL_EXPORT const ASN1_TIME *X509_REVOKED_get0_revocationDate(\n const X509_REVOKED *revoked);\n\n// X509_REVOKED_set_revocationDate sets |revoked|'s revocation time to |tm|. It\n// returns one on success or zero on error.\nOPENSSL_EXPORT int X509_REVOKED_set_revocationDate(X509_REVOKED *revoked,\n const ASN1_TIME *tm);\n\n// X509_REVOKED_get0_extensions returns |r|'s extensions list, or NULL if |r|\n// omits it. A CRL can have extensions on individual entries, which is this\n// function, or on the overall CRL, which is |X509_CRL_get0_extensions|.\nOPENSSL_EXPORT const STACK_OF(X509_EXTENSION) *X509_REVOKED_get0_extensions(\n const X509_REVOKED *r);\n\n // X509_REVOKED_get_ext_count returns the number of extensions in |x|.\nOPENSSL_EXPORT int X509_REVOKED_get_ext_count(const X509_REVOKED *x);\n\n// X509_REVOKED_get_ext_by_NID behaves like |X509v3_get_ext_by_NID| but searches\n// for extensions in |x|.\nOPENSSL_EXPORT int X509_REVOKED_get_ext_by_NID(const X509_REVOKED *x, int nid,\n int lastpos);\n\n// X509_REVOKED_get_ext_by_OBJ behaves like |X509v3_get_ext_by_OBJ| but searches\n// for extensions in |x|.\nOPENSSL_EXPORT int X509_REVOKED_get_ext_by_OBJ(const X509_REVOKED *x,\n const ASN1_OBJECT *obj,\n int lastpos);\n\n// X509_REVOKED_get_ext_by_critical behaves like |X509v3_get_ext_by_critical|\n// but searches for extensions in |x|.\nOPENSSL_EXPORT int X509_REVOKED_get_ext_by_critical(const X509_REVOKED *x,\n int crit, int lastpos);\n\n// X509_REVOKED_get_ext returns the extension in |x| at index |loc|, or NULL if\n// |loc| is out of bounds. This function returns a non-const pointer for OpenSSL\n// compatibility, but callers should not mutate the result.\nOPENSSL_EXPORT X509_EXTENSION *X509_REVOKED_get_ext(const X509_REVOKED *x,\n int loc);\n\n// X509_REVOKED_delete_ext removes the extension in |x| at index |loc| and\n// returns the removed extension, or NULL if |loc| was out of bounds. If\n// non-NULL, the caller must release the result with |X509_EXTENSION_free|.\nOPENSSL_EXPORT X509_EXTENSION *X509_REVOKED_delete_ext(X509_REVOKED *x,\n int loc);\n\n// X509_REVOKED_add_ext adds a copy of |ex| to |x|. It returns one on success\n// and zero on failure. The caller retains ownership of |ex| and can release it\n// independently of |x|.\n//\n// The new extension is inserted at index |loc|, shifting extensions to the\n// right. If |loc| is -1 or out of bounds, the new extension is appended to the\n// list.\nOPENSSL_EXPORT int X509_REVOKED_add_ext(X509_REVOKED *x,\n const X509_EXTENSION *ex, int loc);\n\n// X509_REVOKED_get_ext_d2i behaves like |X509V3_get_d2i| but looks for the\n// extension in |revoked|'s extension list.\n//\n// WARNING: This function is difficult to use correctly. See the documentation\n// for |X509V3_get_d2i| for details.\nOPENSSL_EXPORT void *X509_REVOKED_get_ext_d2i(const X509_REVOKED *revoked,\n int nid, int *out_critical,\n int *out_idx);\n\n// X509_REVOKED_add1_ext_i2d behaves like |X509V3_add1_i2d| but adds the\n// extension to |x|'s extension list.\n//\n// WARNING: This function may return zero or -1 on error. The caller must also\n// ensure |value|'s type matches |nid|. See the documentation for\n// |X509V3_add1_i2d| for details.\nOPENSSL_EXPORT int X509_REVOKED_add1_ext_i2d(X509_REVOKED *x, int nid,\n void *value, int crit,\n unsigned long flags);\n\n\n// Certificate requests.\n//\n// An |X509_REQ| represents a PKCS #10 certificate request (RFC 2986). These are\n// also referred to as certificate signing requests or CSRs. CSRs are a common\n// format used to request a certificate from a CA.\n//\n// Although an |X509_REQ| is a mutable object, mutating an |X509_REQ| can give\n// incorrect results. Callers typically obtain |X509_REQ|s by parsing some input\n// with |d2i_X509_REQ|, etc. Such objects carry information such as the\n// serialized CertificationRequestInfo, which will become inconsistent when\n// mutated.\n//\n// Instead, mutation functions should only be used when issuing new CRLs, as\n// described in a later section.\n\n// X509_REQ_dup returns a newly-allocated copy of |req|, or NULL on error. This\n// function works by serializing the structure, so if |req| is incomplete, it\n// may fail.\n//\n// TODO(https://crbug.com/boringssl/407): This function should be const and\n// thread-safe but is currently neither in some cases, notably if |req| was\n// mutated.\nOPENSSL_EXPORT X509_REQ *X509_REQ_dup(X509_REQ *req);\n\n// X509_REQ_free releases memory associated with |req|.\nOPENSSL_EXPORT void X509_REQ_free(X509_REQ *req);\n\n// d2i_X509_REQ parses up to |len| bytes from |*inp| as a DER-encoded\n// CertificateRequest (RFC 2986), as described in |d2i_SAMPLE|.\nOPENSSL_EXPORT X509_REQ *d2i_X509_REQ(X509_REQ **out, const uint8_t **inp,\n long len);\n\n// i2d_X509_REQ marshals |req| as a CertificateRequest (RFC 2986), as described\n// in |i2d_SAMPLE|.\n//\n// TODO(https://crbug.com/boringssl/407): This function should be const and\n// thread-safe but is currently neither in some cases, notably if |req| was\n// mutated.\nOPENSSL_EXPORT int i2d_X509_REQ(X509_REQ *req, uint8_t **outp);\n\n// X509_REQ_VERSION_1 is the version constant for |X509_REQ| objects. No other\n// versions are defined.\n#define X509_REQ_VERSION_1 0\n\n// X509_REQ_get_version returns the numerical value of |req|'s version. This\n// will always be |X509_REQ_VERSION_1| for valid CSRs. For compatibility,\n// |d2i_X509_REQ| also accepts some invalid version numbers, in which case this\n// function may return other values.\nOPENSSL_EXPORT long X509_REQ_get_version(const X509_REQ *req);\n\n// X509_REQ_get_subject_name returns |req|'s subject name. Note this function is\n// not const-correct for legacy reasons.\nOPENSSL_EXPORT X509_NAME *X509_REQ_get_subject_name(const X509_REQ *req);\n\n// X509_REQ_get0_pubkey returns |req|'s public key as an |EVP_PKEY|, or NULL if\n// the public key was unsupported or could not be decoded. The |EVP_PKEY| is\n// cached in |req|, so callers must not mutate the result.\nOPENSSL_EXPORT EVP_PKEY *X509_REQ_get0_pubkey(const X509_REQ *req);\n\n// X509_REQ_get_pubkey behaves like |X509_REQ_get0_pubkey| but increments the\n// reference count on the |EVP_PKEY|. The caller must release the result with\n// |EVP_PKEY_free| when done. The |EVP_PKEY| is cached in |req|, so callers must\n// not mutate the result.\nOPENSSL_EXPORT EVP_PKEY *X509_REQ_get_pubkey(const X509_REQ *req);\n\n// X509_REQ_check_private_key returns one if |req|'s public key matches |pkey|\n// and zero otherwise.\nOPENSSL_EXPORT int X509_REQ_check_private_key(const X509_REQ *req,\n const EVP_PKEY *pkey);\n\n// X509_REQ_get_attr_count returns the number of attributes in |req|.\nOPENSSL_EXPORT int X509_REQ_get_attr_count(const X509_REQ *req);\n\n// X509_REQ_get_attr returns the attribute at index |loc| in |req|, or NULL if\n// out of bounds.\nOPENSSL_EXPORT X509_ATTRIBUTE *X509_REQ_get_attr(const X509_REQ *req, int loc);\n\n// X509_REQ_get_attr_by_NID returns the index of the attribute in |req| of type\n// |nid|, or a negative number if not found. If found, callers can use\n// |X509_REQ_get_attr| to look up the attribute by index.\n//\n// If |lastpos| is non-negative, it begins searching at |lastpos| + 1. Callers\n// can thus loop over all matching attributes by first passing -1 and then\n// passing the previously-returned value until no match is returned.\nOPENSSL_EXPORT int X509_REQ_get_attr_by_NID(const X509_REQ *req, int nid,\n int lastpos);\n\n// X509_REQ_get_attr_by_OBJ behaves like |X509_REQ_get_attr_by_NID| but looks\n// for attributes of type |obj|.\nOPENSSL_EXPORT int X509_REQ_get_attr_by_OBJ(const X509_REQ *req,\n const ASN1_OBJECT *obj,\n int lastpos);\n\n// X509_REQ_extension_nid returns one if |nid| is a supported CSR attribute type\n// for carrying extensions and zero otherwise. The supported types are\n// |NID_ext_req| (pkcs-9-at-extensionRequest from RFC 2985) and |NID_ms_ext_req|\n// (a Microsoft szOID_CERT_EXTENSIONS variant).\nOPENSSL_EXPORT int X509_REQ_extension_nid(int nid);\n\n// X509_REQ_get_extensions decodes the most preferred list of requested\n// extensions in |req| and returns a newly-allocated |STACK_OF(X509_EXTENSION)|\n// containing the result. It returns NULL on error, or if |req| did not request\n// extensions.\n//\n// CSRs do not store extensions directly. Instead there are attribute types\n// which are defined to hold extensions. See |X509_REQ_extension_nid|. This\n// function supports both pkcs-9-at-extensionRequest from RFC 2985 and the\n// Microsoft szOID_CERT_EXTENSIONS variant. If both are present,\n// pkcs-9-at-extensionRequest is preferred.\nOPENSSL_EXPORT STACK_OF(X509_EXTENSION) *X509_REQ_get_extensions(\n const X509_REQ *req);\n\n// X509_REQ_get0_signature sets |*out_sig| and |*out_alg| to the signature and\n// signature algorithm of |req|, respectively. Either output pointer may be NULL\n// to ignore the value.\nOPENSSL_EXPORT void X509_REQ_get0_signature(const X509_REQ *req,\n const ASN1_BIT_STRING **out_sig,\n const X509_ALGOR **out_alg);\n\n// X509_REQ_get_signature_nid returns the NID corresponding to |req|'s signature\n// algorithm, or |NID_undef| if the signature algorithm does not correspond to\n// a known NID.\nOPENSSL_EXPORT int X509_REQ_get_signature_nid(const X509_REQ *req);\n\n// X509_REQ_verify checks that |req| has a valid signature by |pkey|. It returns\n// one if the signature is valid and zero otherwise.\nOPENSSL_EXPORT int X509_REQ_verify(X509_REQ *req, EVP_PKEY *pkey);\n\n// X509_REQ_get1_email returns a newly-allocated list of NUL-terminated strings\n// containing all email addresses in |req|'s subject and all rfc822name names\n// in |req|'s subject alternative names. The subject alternative names extension\n// is extracted from the result of |X509_REQ_get_extensions|. Email addresses\n// which contain embedded NUL bytes are skipped.\n//\n// On error, or if there are no such email addresses, it returns NULL. When\n// done, the caller must release the result with |X509_email_free|.\nOPENSSL_EXPORT STACK_OF(OPENSSL_STRING) *X509_REQ_get1_email(\n const X509_REQ *req);\n\n\n// Issuing certificate requests.\n//\n// An |X509_REQ| object may also represent an incomplete CSR. Callers may\n// construct empty |X509_REQ| objects, fill in fields individually, and finally\n// sign the result. The following functions may be used for this purpose.\n\n// X509_REQ_new returns a newly-allocated, empty |X509_REQ| object, or NULL on\n// error. This object may be filled in and then signed to construct a CSR.\nOPENSSL_EXPORT X509_REQ *X509_REQ_new(void);\n\n// X509_REQ_set_version sets |req|'s version to |version|, which should be\n// |X509_REQ_VERSION_1|. It returns one on success and zero on error.\n//\n// The only defined CSR version is |X509_REQ_VERSION_1|, so there is no need to\n// call this function.\nOPENSSL_EXPORT int X509_REQ_set_version(X509_REQ *req, long version);\n\n// X509_REQ_set_subject_name sets |req|'s subject to a copy of |name|. It\n// returns one on success and zero on error.\nOPENSSL_EXPORT int X509_REQ_set_subject_name(X509_REQ *req, X509_NAME *name);\n\n// X509_REQ_set_pubkey sets |req|'s public key to |pkey|. It returns one on\n// success and zero on error. This function does not take ownership of |pkey|\n// and internally copies and updates reference counts as needed.\nOPENSSL_EXPORT int X509_REQ_set_pubkey(X509_REQ *req, EVP_PKEY *pkey);\n\n// X509_REQ_delete_attr removes the attribute at index |loc| in |req|. It\n// returns the removed attribute to the caller, or NULL if |loc| was out of\n// bounds. If non-NULL, the caller must release the result with\n// |X509_ATTRIBUTE_free| when done. It is also safe, but not necessary, to call\n// |X509_ATTRIBUTE_free| if the result is NULL.\nOPENSSL_EXPORT X509_ATTRIBUTE *X509_REQ_delete_attr(X509_REQ *req, int loc);\n\n// X509_REQ_add1_attr appends a copy of |attr| to |req|'s list of attributes. It\n// returns one on success and zero on error.\nOPENSSL_EXPORT int X509_REQ_add1_attr(X509_REQ *req,\n const X509_ATTRIBUTE *attr);\n\n// X509_REQ_add1_attr_by_OBJ appends a new attribute to |req| with type |obj|.\n// It returns one on success and zero on error. The value is determined by\n// |X509_ATTRIBUTE_set1_data|.\n//\n// WARNING: The interpretation of |attrtype|, |data|, and |len| is complex and\n// error-prone. See |X509_ATTRIBUTE_set1_data| for details.\nOPENSSL_EXPORT int X509_REQ_add1_attr_by_OBJ(X509_REQ *req,\n const ASN1_OBJECT *obj,\n int attrtype,\n const unsigned char *data,\n int len);\n\n// X509_REQ_add1_attr_by_NID behaves like |X509_REQ_add1_attr_by_OBJ| except the\n// attribute type is determined by |nid|.\nOPENSSL_EXPORT int X509_REQ_add1_attr_by_NID(X509_REQ *req, int nid,\n int attrtype,\n const unsigned char *data,\n int len);\n\n// X509_REQ_add1_attr_by_txt behaves like |X509_REQ_add1_attr_by_OBJ| except the\n// attribute type is determined by calling |OBJ_txt2obj| with |attrname|.\nOPENSSL_EXPORT int X509_REQ_add1_attr_by_txt(X509_REQ *req,\n const char *attrname, int attrtype,\n const unsigned char *data,\n int len);\n\n// X509_REQ_add_extensions_nid adds an attribute to |req| of type |nid|, to\n// request the certificate extensions in |exts|. It returns one on success and\n// zero on error. |nid| should be |NID_ext_req| or |NID_ms_ext_req|.\nOPENSSL_EXPORT int X509_REQ_add_extensions_nid(\n X509_REQ *req, const STACK_OF(X509_EXTENSION) *exts, int nid);\n\n// X509_REQ_add_extensions behaves like |X509_REQ_add_extensions_nid|, using the\n// standard |NID_ext_req| for the attribute type.\nOPENSSL_EXPORT int X509_REQ_add_extensions(\n X509_REQ *req, const STACK_OF(X509_EXTENSION) *exts);\n\n// X509_REQ_sign signs |req| with |pkey| and replaces the signature algorithm\n// and signature fields. It returns the length of the signature on success and\n// zero on error. This function uses digest algorithm |md|, or |pkey|'s default\n// if NULL. Other signing parameters use |pkey|'s defaults. To customize them,\n// use |X509_REQ_sign_ctx|.\nOPENSSL_EXPORT int X509_REQ_sign(X509_REQ *req, EVP_PKEY *pkey,\n const EVP_MD *md);\n\n// X509_REQ_sign_ctx signs |req| with |ctx| and replaces the signature algorithm\n// and signature fields. It returns the length of the signature on success and\n// zero on error. The signature algorithm and parameters come from |ctx|, which\n// must have been initialized with |EVP_DigestSignInit|. The caller should\n// configure the corresponding |EVP_PKEY_CTX| before calling this function.\n//\n// On success or failure, this function mutates |ctx| and resets it to the empty\n// state. Caller should not rely on its contents after the function returns.\nOPENSSL_EXPORT int X509_REQ_sign_ctx(X509_REQ *req, EVP_MD_CTX *ctx);\n\n// i2d_re_X509_REQ_tbs serializes the CertificationRequestInfo (see RFC 2986)\n// portion of |req|, as described in |i2d_SAMPLE|.\n//\n// This function re-encodes the CertificationRequestInfo and may not reflect\n// |req|'s original encoding. It may be used to manually generate a signature\n// for a new certificate request.\nOPENSSL_EXPORT int i2d_re_X509_REQ_tbs(X509_REQ *req, uint8_t **outp);\n\n// X509_REQ_set1_signature_algo sets |req|'s signature algorithm to |algo| and\n// returns one on success or zero on error.\nOPENSSL_EXPORT int X509_REQ_set1_signature_algo(X509_REQ *req,\n const X509_ALGOR *algo);\n\n// X509_REQ_set1_signature_value sets |req|'s signature to a copy of the\n// |sig_len| bytes pointed by |sig|. It returns one on success and zero on\n// error.\n//\n// Due to a specification error, PKCS#10 certificate requests store signatures\n// in ASN.1 BIT STRINGs, but signature algorithms return byte strings rather\n// than bit strings. This function creates a BIT STRING containing a whole\n// number of bytes, with the bit order matching the DER encoding. This matches\n// the encoding used by all X.509 signature algorithms.\nOPENSSL_EXPORT int X509_REQ_set1_signature_value(X509_REQ *req,\n const uint8_t *sig,\n size_t sig_len);\n\n\n// Names.\n//\n// An |X509_NAME| represents an X.509 Name structure (RFC 5280). X.509 names are\n// a complex, hierarchical structure over a collection of attributes. Each name\n// is sequence of relative distinguished names (RDNs), decreasing in\n// specificity. For example, the first RDN may specify the country, while the\n// next RDN may specify a locality. Each RDN is, itself, a set of attributes.\n// Having more than one attribute in an RDN is uncommon, but possible. Within an\n// RDN, attributes have the same level in specificity. Attribute types are\n// OBJECT IDENTIFIERs. This determines the ASN.1 type of the value, which is\n// commonly a string but may be other types.\n//\n// The |X509_NAME| representation flattens this two-level structure into a\n// single list of attributes. Each attribute is stored in an |X509_NAME_ENTRY|,\n// with also maintains the index of the RDN it is part of, accessible via\n// |X509_NAME_ENTRY_set|. This can be used to recover the two-level structure.\n//\n// X.509 names are largely vestigial. Historically, DNS names were parsed out of\n// the subject's common name attribute, but this is deprecated and has since\n// moved to the subject alternative name extension. In modern usage, X.509 names\n// are primarily opaque identifiers to link a certificate with its issuer.\n\nDEFINE_STACK_OF(X509_NAME_ENTRY)\nDEFINE_STACK_OF(X509_NAME)\n\n// X509_NAME is an |ASN1_ITEM| whose ASN.1 type is X.509 Name (RFC 5280) and C\n// type is |X509_NAME*|.\nDECLARE_ASN1_ITEM(X509_NAME)\n\n// X509_NAME_new returns a new, empty |X509_NAME|, or NULL on error.\nOPENSSL_EXPORT X509_NAME *X509_NAME_new(void);\n\n// X509_NAME_free releases memory associated with |name|.\nOPENSSL_EXPORT void X509_NAME_free(X509_NAME *name);\n\n// d2i_X509_NAME parses up to |len| bytes from |*inp| as a DER-encoded X.509\n// Name (RFC 5280), as described in |d2i_SAMPLE|.\nOPENSSL_EXPORT X509_NAME *d2i_X509_NAME(X509_NAME **out, const uint8_t **inp,\n long len);\n\n// i2d_X509_NAME marshals |in| as a DER-encoded X.509 Name (RFC 5280), as\n// described in |i2d_SAMPLE|.\n//\n// TODO(https://crbug.com/boringssl/407): This function should be const and\n// thread-safe but is currently neither in some cases, notably if |in| was\n// mutated.\nOPENSSL_EXPORT int i2d_X509_NAME(X509_NAME *in, uint8_t **outp);\n\n// X509_NAME_dup returns a newly-allocated copy of |name|, or NULL on error.\n//\n// TODO(https://crbug.com/boringssl/407): This function should be const and\n// thread-safe but is currently neither in some cases, notably if |name| was\n// mutated.\nOPENSSL_EXPORT X509_NAME *X509_NAME_dup(X509_NAME *name);\n\n// X509_NAME_cmp compares |a| and |b|'s canonicalized forms. It returns zero if\n// they are equal, one if |a| sorts after |b|, -1 if |b| sorts after |a|, and -2\n// on error.\n//\n// TODO(https://crbug.com/boringssl/407): This function is const, but it is not\n// always thread-safe, notably if |name| was mutated.\n//\n// TODO(https://crbug.com/boringssl/355): The -2 return is very inconvenient to\n// pass to a sorting function. Can we make this infallible? In the meantime,\n// prefer to use this function only for equality checks rather than comparisons.\n// Although even the library itself passes this to a sorting function.\nOPENSSL_EXPORT int X509_NAME_cmp(const X509_NAME *a, const X509_NAME *b);\n\n// X509_NAME_get0_der marshals |name| as a DER-encoded X.509 Name (RFC 5280). On\n// success, it returns one and sets |*out_der| and |*out_der_len| to a buffer\n// containing the result. Otherwise, it returns zero. |*out_der| is owned by\n// |name| and must not be freed by the caller. It is invalidated after |name| is\n// mutated or freed.\n//\n// Avoid this function and prefer |i2d_X509_NAME|. It is one of the reasons\n// |X509_NAME| functions, including this one, are not consistently thread-safe\n// or const-correct. Depending on the resolution of\n// https://crbug.com/boringssl/407, this function may be removed or cause poor\n// performance.\nOPENSSL_EXPORT int X509_NAME_get0_der(X509_NAME *name, const uint8_t **out_der,\n size_t *out_der_len);\n\n// X509_NAME_set makes a copy of |name|. On success, it frees |*xn|, sets |*xn|\n// to the copy, and returns one. Otherwise, it returns zero.\n//\n// TODO(https://crbug.com/boringssl/407): This function should be const and\n// thread-safe but is currently neither in some cases, notably if |name| was\n// mutated.\nOPENSSL_EXPORT int X509_NAME_set(X509_NAME **xn, X509_NAME *name);\n\n// X509_NAME_entry_count returns the number of entries in |name|.\nOPENSSL_EXPORT int X509_NAME_entry_count(const X509_NAME *name);\n\n// X509_NAME_get_index_by_NID returns the zero-based index of the first\n// attribute in |name| with type |nid|, or -1 if there is none. |nid| should be\n// one of the |NID_*| constants. If |lastpos| is non-negative, it begins\n// searching at |lastpos+1|. To search all attributes, pass in -1, not zero.\n//\n// Indices from this function refer to |X509_NAME|'s flattened representation.\nOPENSSL_EXPORT int X509_NAME_get_index_by_NID(const X509_NAME *name, int nid,\n int lastpos);\n\n// X509_NAME_get_index_by_OBJ behaves like |X509_NAME_get_index_by_NID| but\n// looks for attributes with type |obj|.\nOPENSSL_EXPORT int X509_NAME_get_index_by_OBJ(const X509_NAME *name,\n const ASN1_OBJECT *obj,\n int lastpos);\n\n// X509_NAME_get_entry returns the attribute in |name| at index |loc|, or NULL\n// if |loc| is out of range. |loc| is interpreted using |X509_NAME|'s flattened\n// representation. This function returns a non-const pointer for OpenSSL\n// compatibility, but callers should not mutate the result. Doing so will break\n// internal invariants in the library.\nOPENSSL_EXPORT X509_NAME_ENTRY *X509_NAME_get_entry(const X509_NAME *name,\n int loc);\n\n// X509_NAME_delete_entry removes and returns the attribute in |name| at index\n// |loc|, or NULL if |loc| is out of range. |loc| is interpreted using\n// |X509_NAME|'s flattened representation. If the attribute is found, the caller\n// is responsible for releasing the result with |X509_NAME_ENTRY_free|.\n//\n// This function will internally update RDN indices (see |X509_NAME_ENTRY_set|)\n// so they continue to be consecutive.\nOPENSSL_EXPORT X509_NAME_ENTRY *X509_NAME_delete_entry(X509_NAME *name,\n int loc);\n\n// X509_NAME_add_entry adds a copy of |entry| to |name| and returns one on\n// success or zero on error. If |loc| is -1, the entry is appended to |name|.\n// Otherwise, it is inserted at index |loc|. If |set| is -1, the entry is added\n// to the previous entry's RDN. If it is 0, the entry becomes a singleton RDN.\n// If 1, it is added to next entry's RDN.\n//\n// This function will internally update RDN indices (see |X509_NAME_ENTRY_set|)\n// so they continue to be consecutive.\nOPENSSL_EXPORT int X509_NAME_add_entry(X509_NAME *name,\n const X509_NAME_ENTRY *entry, int loc,\n int set);\n\n// X509_NAME_add_entry_by_OBJ adds a new entry to |name| and returns one on\n// success or zero on error. The entry's attribute type is |obj|. The entry's\n// attribute value is determined by |type|, |bytes|, and |len|, as in\n// |X509_NAME_ENTRY_set_data|. The entry's position is determined by |loc| and\n// |set| as in |X509_NAME_add_entry|.\nOPENSSL_EXPORT int X509_NAME_add_entry_by_OBJ(X509_NAME *name,\n const ASN1_OBJECT *obj, int type,\n const uint8_t *bytes,\n ossl_ssize_t len, int loc,\n int set);\n\n// X509_NAME_add_entry_by_NID behaves like |X509_NAME_add_entry_by_OBJ| but sets\n// the entry's attribute type to |nid|, which should be one of the |NID_*|\n// constants.\nOPENSSL_EXPORT int X509_NAME_add_entry_by_NID(X509_NAME *name, int nid,\n int type, const uint8_t *bytes,\n ossl_ssize_t len, int loc,\n int set);\n\n// X509_NAME_add_entry_by_txt behaves like |X509_NAME_add_entry_by_OBJ| but sets\n// the entry's attribute type to |field|, which is passed to |OBJ_txt2obj|.\nOPENSSL_EXPORT int X509_NAME_add_entry_by_txt(X509_NAME *name,\n const char *field, int type,\n const uint8_t *bytes,\n ossl_ssize_t len, int loc,\n int set);\n\n// X509_NAME_ENTRY_new returns a new, empty |X509_NAME_ENTRY|, or NULL on error.\nOPENSSL_EXPORT X509_NAME_ENTRY *X509_NAME_ENTRY_new(void);\n\n// X509_NAME_ENTRY_free releases memory associated with |entry|.\nOPENSSL_EXPORT void X509_NAME_ENTRY_free(X509_NAME_ENTRY *entry);\n\n// X509_NAME_ENTRY_dup returns a newly-allocated copy of |entry|, or NULL on\n// error.\nOPENSSL_EXPORT X509_NAME_ENTRY *X509_NAME_ENTRY_dup(\n const X509_NAME_ENTRY *entry);\n\n// X509_NAME_ENTRY_get_object returns |entry|'s attribute type. This function\n// returns a non-const pointer for OpenSSL compatibility, but callers should not\n// mutate the result. Doing so will break internal invariants in the library.\nOPENSSL_EXPORT ASN1_OBJECT *X509_NAME_ENTRY_get_object(\n const X509_NAME_ENTRY *entry);\n\n// X509_NAME_ENTRY_set_object sets |entry|'s attribute type to |obj|. It returns\n// one on success and zero on error.\nOPENSSL_EXPORT int X509_NAME_ENTRY_set_object(X509_NAME_ENTRY *entry,\n const ASN1_OBJECT *obj);\n\n// X509_NAME_ENTRY_get_data returns |entry|'s attribute value, represented as an\n// |ASN1_STRING|. This value may have any ASN.1 type, so callers must check the\n// type before interpreting the contents. This function returns a non-const\n// pointer for OpenSSL compatibility, but callers should not mutate the result.\n// Doing so will break internal invariants in the library.\n//\n// TODO(https://crbug.com/boringssl/412): Although the spec says any ASN.1 type\n// is allowed, we currently only allow an ad-hoc set of types. Additionally, it\n// is unclear if some types can even be represented by this function.\nOPENSSL_EXPORT ASN1_STRING *X509_NAME_ENTRY_get_data(\n const X509_NAME_ENTRY *entry);\n\n// X509_NAME_ENTRY_set_data sets |entry|'s value to |len| bytes from |bytes|. It\n// returns one on success and zero on error. If |len| is -1, |bytes| must be a\n// NUL-terminated C string and the length is determined by |strlen|. |bytes| is\n// converted to an ASN.1 type as follows:\n//\n// If |type| is a |MBSTRING_*| constant, the value is an ASN.1 string. The\n// string is determined by decoding |bytes| in the encoding specified by |type|,\n// and then re-encoding it in a form appropriate for |entry|'s attribute type.\n// See |ASN1_STRING_set_by_NID| for details.\n//\n// Otherwise, the value is an |ASN1_STRING| with type |type| and value |bytes|.\n// See |ASN1_STRING| for how to format ASN.1 types as an |ASN1_STRING|. If\n// |type| is |V_ASN1_UNDEF| the previous |ASN1_STRING| type is reused.\nOPENSSL_EXPORT int X509_NAME_ENTRY_set_data(X509_NAME_ENTRY *entry, int type,\n const uint8_t *bytes,\n ossl_ssize_t len);\n\n// X509_NAME_ENTRY_set returns the zero-based index of the RDN which contains\n// |entry|. Consecutive entries with the same index are part of the same RDN.\nOPENSSL_EXPORT int X509_NAME_ENTRY_set(const X509_NAME_ENTRY *entry);\n\n// X509_NAME_ENTRY_create_by_OBJ creates a new |X509_NAME_ENTRY| with attribute\n// type |obj|. The attribute value is determined from |type|, |bytes|, and |len|\n// as in |X509_NAME_ENTRY_set_data|. It returns the |X509_NAME_ENTRY| on success\n// and NULL on error.\n//\n// If |out| is non-NULL and |*out| is NULL, it additionally sets |*out| to the\n// result on success. If both |out| and |*out| are non-NULL, it updates the\n// object at |*out| instead of allocating a new one.\nOPENSSL_EXPORT X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_OBJ(\n X509_NAME_ENTRY **out, const ASN1_OBJECT *obj, int type,\n const uint8_t *bytes, ossl_ssize_t len);\n\n// X509_NAME_ENTRY_create_by_NID behaves like |X509_NAME_ENTRY_create_by_OBJ|\n// except the attribute type is |nid|, which should be one of the |NID_*|\n// constants.\nOPENSSL_EXPORT X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_NID(\n X509_NAME_ENTRY **out, int nid, int type, const uint8_t *bytes,\n ossl_ssize_t len);\n\n// X509_NAME_ENTRY_create_by_txt behaves like |X509_NAME_ENTRY_create_by_OBJ|\n// except the attribute type is |field|, which is passed to |OBJ_txt2obj|.\nOPENSSL_EXPORT X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_txt(\n X509_NAME_ENTRY **out, const char *field, int type, const uint8_t *bytes,\n ossl_ssize_t len);\n\n\n// Public keys.\n//\n// X.509 encodes public keys as SubjectPublicKeyInfo (RFC 5280), sometimes\n// referred to as SPKI. These are represented in this library by |X509_PUBKEY|.\n\n// X509_PUBKEY_new returns a newly-allocated, empty |X509_PUBKEY| object, or\n// NULL on error.\nOPENSSL_EXPORT X509_PUBKEY *X509_PUBKEY_new(void);\n\n// X509_PUBKEY_free releases memory associated with |key|.\nOPENSSL_EXPORT void X509_PUBKEY_free(X509_PUBKEY *key);\n\n// d2i_X509_PUBKEY parses up to |len| bytes from |*inp| as a DER-encoded\n// SubjectPublicKeyInfo, as described in |d2i_SAMPLE|.\nOPENSSL_EXPORT X509_PUBKEY *d2i_X509_PUBKEY(X509_PUBKEY **out,\n const uint8_t **inp, long len);\n\n// i2d_X509_PUBKEY marshals |key| as a DER-encoded SubjectPublicKeyInfo, as\n// described in |i2d_SAMPLE|.\nOPENSSL_EXPORT int i2d_X509_PUBKEY(const X509_PUBKEY *key, uint8_t **outp);\n\n// X509_PUBKEY_set serializes |pkey| into a newly-allocated |X509_PUBKEY|\n// structure. On success, it frees |*x| if non-NULL, then sets |*x| to the new\n// object, and returns one. Otherwise, it returns zero.\nOPENSSL_EXPORT int X509_PUBKEY_set(X509_PUBKEY **x, EVP_PKEY *pkey);\n\n// X509_PUBKEY_get0 returns |key| as an |EVP_PKEY|, or NULL if |key| either\n// could not be parsed or is an unrecognized algorithm. The |EVP_PKEY| is cached\n// in |key|, so callers must not mutate the result.\nOPENSSL_EXPORT EVP_PKEY *X509_PUBKEY_get0(const X509_PUBKEY *key);\n\n// X509_PUBKEY_get behaves like |X509_PUBKEY_get0| but increments the reference\n// count on the |EVP_PKEY|. The caller must release the result with\n// |EVP_PKEY_free| when done. The |EVP_PKEY| is cached in |key|, so callers must\n// not mutate the result.\nOPENSSL_EXPORT EVP_PKEY *X509_PUBKEY_get(const X509_PUBKEY *key);\n\n// X509_PUBKEY_set0_param sets |pub| to a key with AlgorithmIdentifier\n// determined by |obj|, |param_type|, and |param_value|, and an encoded\n// public key of |key|. On success, it gives |pub| ownership of all the other\n// parameters and returns one. Otherwise, it returns zero. |key| must have been\n// allocated by |OPENSSL_malloc|. |obj| and, if applicable, |param_value| must\n// not be freed after a successful call, and must have been allocated in a\n// manner compatible with |ASN1_OBJECT_free| or |ASN1_STRING_free|.\n//\n// |obj|, |param_type|, and |param_value| are interpreted as in\n// |X509_ALGOR_set0|. See |X509_ALGOR_set0| for details.\nOPENSSL_EXPORT int X509_PUBKEY_set0_param(X509_PUBKEY *pub, ASN1_OBJECT *obj,\n int param_type, void *param_value,\n uint8_t *key, int key_len);\n\n// X509_PUBKEY_get0_param outputs fields of |pub| and returns one. If |out_obj|\n// is not NULL, it sets |*out_obj| to AlgorithmIdentifier's OID. If |out_key|\n// is not NULL, it sets |*out_key| and |*out_key_len| to the encoded public key.\n// If |out_alg| is not NULL, it sets |*out_alg| to the AlgorithmIdentifier.\n//\n// All pointers outputted by this function are internal to |pub| and must not be\n// freed by the caller. Additionally, although some outputs are non-const,\n// callers must not mutate the resulting objects.\n//\n// Note: X.509 SubjectPublicKeyInfo structures store the encoded public key as a\n// BIT STRING. |*out_key| and |*out_key_len| will silently pad the key with zero\n// bits if |pub| did not contain a whole number of bytes. Use\n// |X509_PUBKEY_get0_public_key| to preserve this information.\nOPENSSL_EXPORT int X509_PUBKEY_get0_param(ASN1_OBJECT **out_obj,\n const uint8_t **out_key,\n int *out_key_len,\n X509_ALGOR **out_alg,\n X509_PUBKEY *pub);\n\n// X509_PUBKEY_get0_public_key returns |pub|'s encoded public key.\nOPENSSL_EXPORT const ASN1_BIT_STRING *X509_PUBKEY_get0_public_key(\n const X509_PUBKEY *pub);\n\n\n// Extensions.\n//\n// X.509 certificates and CRLs may contain a list of extensions (RFC 5280).\n// Extensions have a type, specified by an object identifier (|ASN1_OBJECT|) and\n// a byte string value, which should a DER-encoded structure whose type is\n// determined by the extension type. This library represents extensions with the\n// |X509_EXTENSION| type.\n\n// X509_EXTENSION is an |ASN1_ITEM| whose ASN.1 type is X.509 Extension (RFC\n// 5280) and C type is |X509_EXTENSION*|.\nDECLARE_ASN1_ITEM(X509_EXTENSION)\n\n// X509_EXTENSION_new returns a newly-allocated, empty |X509_EXTENSION| object\n// or NULL on error.\nOPENSSL_EXPORT X509_EXTENSION *X509_EXTENSION_new(void);\n\n// X509_EXTENSION_free releases memory associated with |ex|.\nOPENSSL_EXPORT void X509_EXTENSION_free(X509_EXTENSION *ex);\n\n// d2i_X509_EXTENSION parses up to |len| bytes from |*inp| as a DER-encoded\n// X.509 Extension (RFC 5280), as described in |d2i_SAMPLE|.\nOPENSSL_EXPORT X509_EXTENSION *d2i_X509_EXTENSION(X509_EXTENSION **out,\n const uint8_t **inp,\n long len);\n\n// i2d_X509_EXTENSION marshals |ex| as a DER-encoded X.509 Extension (RFC\n// 5280), as described in |i2d_SAMPLE|.\nOPENSSL_EXPORT int i2d_X509_EXTENSION(const X509_EXTENSION *ex, uint8_t **outp);\n\n// X509_EXTENSION_dup returns a newly-allocated copy of |ex|, or NULL on error.\n// This function works by serializing the structure, so if |ex| is incomplete,\n// it may fail.\nOPENSSL_EXPORT X509_EXTENSION *X509_EXTENSION_dup(const X509_EXTENSION *ex);\n\n// X509_EXTENSION_create_by_NID creates a new |X509_EXTENSION| with type |nid|,\n// value |data|, and critical bit |crit|. It returns an |X509_EXTENSION| on\n// success, and NULL on error. |nid| should be a |NID_*| constant.\n//\n// If |ex| and |*ex| are both non-NULL, |*ex| is used to hold the result,\n// otherwise a new object is allocated. If |ex| is non-NULL and |*ex| is NULL,\n// the function sets |*ex| to point to the newly allocated result, in addition\n// to returning the result.\nOPENSSL_EXPORT X509_EXTENSION *X509_EXTENSION_create_by_NID(\n X509_EXTENSION **ex, int nid, int crit, const ASN1_OCTET_STRING *data);\n\n// X509_EXTENSION_create_by_OBJ behaves like |X509_EXTENSION_create_by_NID|, but\n// the extension type is determined by an |ASN1_OBJECT|.\nOPENSSL_EXPORT X509_EXTENSION *X509_EXTENSION_create_by_OBJ(\n X509_EXTENSION **ex, const ASN1_OBJECT *obj, int crit,\n const ASN1_OCTET_STRING *data);\n\n// X509_EXTENSION_get_object returns |ex|'s extension type. This function\n// returns a non-const pointer for OpenSSL compatibility, but callers should not\n// mutate the result.\nOPENSSL_EXPORT ASN1_OBJECT *X509_EXTENSION_get_object(const X509_EXTENSION *ex);\n\n// X509_EXTENSION_get_data returns |ne|'s extension value. This function returns\n// a non-const pointer for OpenSSL compatibility, but callers should not mutate\n// the result.\nOPENSSL_EXPORT ASN1_OCTET_STRING *X509_EXTENSION_get_data(\n const X509_EXTENSION *ne);\n\n// X509_EXTENSION_get_critical returns one if |ex| is critical and zero\n// otherwise.\nOPENSSL_EXPORT int X509_EXTENSION_get_critical(const X509_EXTENSION *ex);\n\n// X509_EXTENSION_set_object sets |ex|'s extension type to |obj|. It returns one\n// on success and zero on error.\nOPENSSL_EXPORT int X509_EXTENSION_set_object(X509_EXTENSION *ex,\n const ASN1_OBJECT *obj);\n\n// X509_EXTENSION_set_critical sets |ex| to critical if |crit| is non-zero and\n// to non-critical if |crit| is zero.\nOPENSSL_EXPORT int X509_EXTENSION_set_critical(X509_EXTENSION *ex, int crit);\n\n// X509_EXTENSION_set_data set's |ex|'s extension value to a copy of |data|. It\n// returns one on success and zero on error.\nOPENSSL_EXPORT int X509_EXTENSION_set_data(X509_EXTENSION *ex,\n const ASN1_OCTET_STRING *data);\n\n\n// Extension lists.\n//\n// The following functions manipulate lists of extensions. Most of them have\n// corresponding functions on the containing |X509|, |X509_CRL|, or\n// |X509_REVOKED|.\n\nDEFINE_STACK_OF(X509_EXTENSION)\ntypedef STACK_OF(X509_EXTENSION) X509_EXTENSIONS;\n\n// d2i_X509_EXTENSIONS parses up to |len| bytes from |*inp| as a DER-encoded\n// SEQUENCE OF Extension (RFC 5280), as described in |d2i_SAMPLE|.\nOPENSSL_EXPORT X509_EXTENSIONS *d2i_X509_EXTENSIONS(X509_EXTENSIONS **out,\n const uint8_t **inp,\n long len);\n\n// i2d_X509_EXTENSIONS marshals |alg| as a DER-encoded SEQUENCE OF Extension\n// (RFC 5280), as described in |i2d_SAMPLE|.\nOPENSSL_EXPORT int i2d_X509_EXTENSIONS(const X509_EXTENSIONS *alg,\n uint8_t **outp);\n\n// X509v3_get_ext_count returns the number of extensions in |x|.\nOPENSSL_EXPORT int X509v3_get_ext_count(const STACK_OF(X509_EXTENSION) *x);\n\n// X509v3_get_ext_by_NID returns the index of the first extension in |x| with\n// type |nid|, or a negative number if not found. If found, callers can use\n// |X509v3_get_ext| to look up the extension by index.\n//\n// If |lastpos| is non-negative, it begins searching at |lastpos| + 1. Callers\n// can thus loop over all matching extensions by first passing -1 and then\n// passing the previously-returned value until no match is returned.\nOPENSSL_EXPORT int X509v3_get_ext_by_NID(const STACK_OF(X509_EXTENSION) *x,\n int nid, int lastpos);\n\n// X509v3_get_ext_by_OBJ behaves like |X509v3_get_ext_by_NID| but looks for\n// extensions matching |obj|.\nOPENSSL_EXPORT int X509v3_get_ext_by_OBJ(const STACK_OF(X509_EXTENSION) *x,\n const ASN1_OBJECT *obj, int lastpos);\n\n// X509v3_get_ext_by_critical returns the index of the first extension in |x|\n// whose critical bit matches |crit|, or a negative number if no such extension\n// was found.\n//\n// If |lastpos| is non-negative, it begins searching at |lastpos| + 1. Callers\n// can thus loop over all matching extensions by first passing -1 and then\n// passing the previously-returned value until no match is returned.\nOPENSSL_EXPORT int X509v3_get_ext_by_critical(const STACK_OF(X509_EXTENSION) *x,\n int crit, int lastpos);\n\n// X509v3_get_ext returns the extension in |x| at index |loc|, or NULL if |loc|\n// is out of bounds. This function returns a non-const pointer for OpenSSL\n// compatibility, but callers should not mutate the result.\nOPENSSL_EXPORT X509_EXTENSION *X509v3_get_ext(const STACK_OF(X509_EXTENSION) *x,\n int loc);\n\n// X509v3_delete_ext removes the extension in |x| at index |loc| and returns the\n// removed extension, or NULL if |loc| was out of bounds. If an extension was\n// returned, the caller must release it with |X509_EXTENSION_free|.\nOPENSSL_EXPORT X509_EXTENSION *X509v3_delete_ext(STACK_OF(X509_EXTENSION) *x,\n int loc);\n\n// X509v3_add_ext adds a copy of |ex| to the extension list in |*x|. If |*x| is\n// NULL, it allocates a new |STACK_OF(X509_EXTENSION)| to hold the copy and sets\n// |*x| to the new list. It returns |*x| on success and NULL on error. The\n// caller retains ownership of |ex| and can release it independently of |*x|.\n//\n// The new extension is inserted at index |loc|, shifting extensions to the\n// right. If |loc| is -1 or out of bounds, the new extension is appended to the\n// list.\nOPENSSL_EXPORT STACK_OF(X509_EXTENSION) *X509v3_add_ext(\n STACK_OF(X509_EXTENSION) **x, const X509_EXTENSION *ex, int loc);\n\n\n// Built-in extensions.\n//\n// Several functions in the library encode and decode extension values into a\n// C structure to that extension. The following extensions are supported:\n//\n// - |NID_authority_key_identifier| with type |AUTHORITY_KEYID|\n// - |NID_basic_constraints| with type |BASIC_CONSTRAINTS|\n// - |NID_certificate_issuer| with type |GENERAL_NAMES|\n// - |NID_certificate_policies| with type |CERTIFICATEPOLICIES|\n// - |NID_crl_distribution_points| with type |CRL_DIST_POINTS|\n// - |NID_crl_number| with type |ASN1_INTEGER|\n// - |NID_crl_reason| with type |ASN1_ENUMERATED|\n// - |NID_delta_crl| with type |ASN1_INTEGER|\n// - |NID_ext_key_usage| with type |EXTENDED_KEY_USAGE|\n// - |NID_freshest_crl| with type |ISSUING_DIST_POINT|\n// - |NID_id_pkix_OCSP_noCheck| with type |ASN1_NULL|\n// - |NID_info_access| with type |AUTHORITY_INFO_ACCESS|\n// - |NID_inhibit_any_policy| with type |ASN1_INTEGER|\n// - |NID_invalidity_date| with type |ASN1_GENERALIZEDTIME|\n// - |NID_issuer_alt_name| with type |GENERAL_NAMES|\n// - |NID_issuing_distribution_point| with type |ISSUING_DIST_POINT|\n// - |NID_key_usage| with type |ASN1_BIT_STRING|\n// - |NID_name_constraints| with type |NAME_CONSTRAINTS|\n// - |NID_netscape_base_url| with type |ASN1_IA5STRING|\n// - |NID_netscape_ca_policy_url| with type |ASN1_IA5STRING|\n// - |NID_netscape_ca_revocation_url| with type |ASN1_IA5STRING|\n// - |NID_netscape_cert_type| with type |ASN1_BIT_STRING|\n// - |NID_netscape_comment| with type |ASN1_IA5STRING|\n// - |NID_netscape_renewal_url| with type |ASN1_IA5STRING|\n// - |NID_netscape_revocation_url| with type |ASN1_IA5STRING|\n// - |NID_netscape_ssl_server_name| with type |ASN1_IA5STRING|\n// - |NID_policy_constraints| with type |POLICY_CONSTRAINTS|\n// - |NID_policy_mappings| with type |POLICY_MAPPINGS|\n// - |NID_sinfo_access| with type |AUTHORITY_INFO_ACCESS|\n// - |NID_subject_alt_name| with type |GENERAL_NAMES|\n// - |NID_subject_key_identifier| with type |ASN1_OCTET_STRING|\n//\n// If an extension does not appear in this list, e.g. for a custom extension,\n// callers can instead use functions such as |X509_get_ext_by_OBJ|,\n// |X509_EXTENSION_get_data|, and |X509_EXTENSION_create_by_OBJ| to inspect or\n// create extensions directly. Although the |X509V3_EXT_METHOD| mechanism allows\n// registering custom extensions, doing so is deprecated and may result in\n// threading or memory errors.\n\n// X509V3_EXT_d2i decodes |ext| and returns a pointer to a newly-allocated\n// structure, with type dependent on the type of the extension. It returns NULL\n// if |ext| is an unsupported extension or if there was a syntax error in the\n// extension. The caller should cast the return value to the expected type and\n// free the structure when done.\n//\n// WARNING: Casting the return value to the wrong type is a potentially\n// exploitable memory error, so callers must not use this function before\n// checking |ext| is of a known type. See the list at the top of this section\n// for the correct types.\nOPENSSL_EXPORT void *X509V3_EXT_d2i(const X509_EXTENSION *ext);\n\n// X509V3_get_d2i finds and decodes the extension in |extensions| of type |nid|.\n// If found, it decodes it and returns a newly-allocated structure, with type\n// dependent on |nid|. If the extension is not found or on error, it returns\n// NULL. The caller may distinguish these cases using the |out_critical| value.\n//\n// If |out_critical| is not NULL, this function sets |*out_critical| to one if\n// the extension is found and critical, zero if it is found and not critical, -1\n// if it is not found, and -2 if there is an invalid duplicate extension. Note\n// this function may set |*out_critical| to one or zero and still return NULL if\n// the extension is found but has a syntax error.\n//\n// If |out_idx| is not NULL, this function looks for the first occurrence of the\n// extension after |*out_idx|. It then sets |*out_idx| to the index of the\n// extension, or -1 if not found. If |out_idx| is non-NULL, duplicate extensions\n// are not treated as an error. Callers, however, should not rely on this\n// behavior as it may be removed in the future. Duplicate extensions are\n// forbidden in RFC 5280.\n//\n// WARNING: This function is difficult to use correctly. Callers should pass a\n// non-NULL |out_critical| and check both the return value and |*out_critical|\n// to handle errors. If the return value is NULL and |*out_critical| is not -1,\n// there was an error. Otherwise, the function succeeded and but may return NULL\n// for a missing extension. Callers should pass NULL to |out_idx| so that\n// duplicate extensions are handled correctly.\n//\n// Additionally, casting the return value to the wrong type is a potentially\n// exploitable memory error, so callers must ensure the cast and |nid| match.\n// See the list at the top of this section for the correct types.\nOPENSSL_EXPORT void *X509V3_get_d2i(const STACK_OF(X509_EXTENSION) *extensions,\n int nid, int *out_critical, int *out_idx);\n\n// X509V3_EXT_free casts |ext_data| into the type that corresponds to |nid| and\n// releases memory associated with it. It returns one on success and zero if\n// |nid| is not a known extension.\n//\n// WARNING: Casting |ext_data| to the wrong type is a potentially exploitable\n// memory error, so callers must ensure |ext_data|'s type matches |nid|. See the\n// list at the top of this section for the correct types.\n//\n// TODO(davidben): OpenSSL upstream no longer exposes this function. Remove it?\nOPENSSL_EXPORT int X509V3_EXT_free(int nid, void *ext_data);\n\n// X509V3_EXT_i2d casts |ext_struc| into the type that corresponds to\n// |ext_nid|, serializes it, and returns a newly-allocated |X509_EXTENSION|\n// object containing the serialization, or NULL on error. The |X509_EXTENSION|\n// has OID |ext_nid| and is critical if |crit| is one.\n//\n// WARNING: Casting |ext_struc| to the wrong type is a potentially exploitable\n// memory error, so callers must ensure |ext_struct|'s type matches |ext_nid|.\n// See the list at the top of this section for the correct types.\nOPENSSL_EXPORT X509_EXTENSION *X509V3_EXT_i2d(int ext_nid, int crit,\n void *ext_struc);\n\n// The following constants control the behavior of |X509V3_add1_i2d| and related\n// functions.\n\n// X509V3_ADD_OP_MASK can be ANDed with the flags to determine how duplicate\n// extensions are processed.\n#define X509V3_ADD_OP_MASK 0xfL\n\n// X509V3_ADD_DEFAULT causes the function to fail if the extension was already\n// present.\n#define X509V3_ADD_DEFAULT 0L\n\n// X509V3_ADD_APPEND causes the function to unconditionally appended the new\n// extension to to the extensions list, even if there is a duplicate.\n#define X509V3_ADD_APPEND 1L\n\n// X509V3_ADD_REPLACE causes the function to replace the existing extension, or\n// append if it is not present.\n#define X509V3_ADD_REPLACE 2L\n\n// X509V3_ADD_REPLACE_EXISTING causes the function to replace the existing\n// extension and fail if it is not present.\n#define X509V3_ADD_REPLACE_EXISTING 3L\n\n// X509V3_ADD_KEEP_EXISTING causes the function to succeed without replacing the\n// extension if already present.\n#define X509V3_ADD_KEEP_EXISTING 4L\n\n// X509V3_ADD_DELETE causes the function to remove the matching extension. No\n// new extension is added. If there is no matching extension, the function\n// fails. The |value| parameter is ignored in this mode.\n#define X509V3_ADD_DELETE 5L\n\n// X509V3_ADD_SILENT may be ORed into one of the values above to indicate the\n// function should not add to the error queue on duplicate or missing extension.\n// The function will continue to return zero in those cases, and it will\n// continue to return -1 and add to the error queue on other errors.\n#define X509V3_ADD_SILENT 0x10\n\n// X509V3_add1_i2d casts |value| to the type that corresponds to |nid|,\n// serializes it, and appends it to the extension list in |*x|. If |*x| is NULL,\n// it will set |*x| to a newly-allocated |STACK_OF(X509_EXTENSION)| as needed.\n// The |crit| parameter determines whether the new extension is critical.\n// |flags| may be some combination of the |X509V3_ADD_*| constants to control\n// the function's behavior on duplicate extension.\n//\n// This function returns one on success, zero if the operation failed due to a\n// missing or duplicate extension, and -1 on other errors.\n//\n// WARNING: Casting |value| to the wrong type is a potentially exploitable\n// memory error, so callers must ensure |value|'s type matches |nid|. See the\n// list at the top of this section for the correct types.\nOPENSSL_EXPORT int X509V3_add1_i2d(STACK_OF(X509_EXTENSION) **x, int nid,\n void *value, int crit, unsigned long flags);\n\n\n// Basic constraints.\n//\n// The basic constraints extension (RFC 5280, section 4.2.1.9) determines\n// whether a certificate is a CA certificate and, if so, optionally constrains\n// the maximum depth of the certificate chain.\n\n// A BASIC_CONSTRAINTS_st, aka |BASIC_CONSTRAINTS| represents an\n// BasicConstraints structure (RFC 5280).\nstruct BASIC_CONSTRAINTS_st {\n ASN1_BOOLEAN ca;\n ASN1_INTEGER *pathlen;\n} /* BASIC_CONSTRAINTS */;\n\n// BASIC_CONSTRAINTS is an |ASN1_ITEM| whose ASN.1 type is BasicConstraints (RFC\n// 5280) and C type is |BASIC_CONSTRAINTS*|.\nDECLARE_ASN1_ITEM(BASIC_CONSTRAINTS)\n\n// BASIC_CONSTRAINTS_new returns a newly-allocated, empty |BASIC_CONSTRAINTS|\n// object, or NULL on error.\nOPENSSL_EXPORT BASIC_CONSTRAINTS *BASIC_CONSTRAINTS_new(void);\n\n// BASIC_CONSTRAINTS_free releases memory associated with |bcons|.\nOPENSSL_EXPORT void BASIC_CONSTRAINTS_free(BASIC_CONSTRAINTS *bcons);\n\n// d2i_BASIC_CONSTRAINTS parses up to |len| bytes from |*inp| as a DER-encoded\n// BasicConstraints (RFC 5280), as described in |d2i_SAMPLE|.\nOPENSSL_EXPORT BASIC_CONSTRAINTS *d2i_BASIC_CONSTRAINTS(BASIC_CONSTRAINTS **out,\n const uint8_t **inp,\n long len);\n\n// i2d_BASIC_CONSTRAINTS marshals |bcons| as a DER-encoded BasicConstraints (RFC\n// 5280), as described in |i2d_SAMPLE|.\nOPENSSL_EXPORT int i2d_BASIC_CONSTRAINTS(const BASIC_CONSTRAINTS *bcons,\n uint8_t **outp);\n\n\n// Extended key usage.\n//\n// The extended key usage extension (RFC 5280, section 4.2.1.12) indicates the\n// purposes of the certificate's public key. Such constraints are important to\n// avoid cross-protocol attacks.\n\ntypedef STACK_OF(ASN1_OBJECT) EXTENDED_KEY_USAGE;\n\n// EXTENDED_KEY_USAGE is an |ASN1_ITEM| whose ASN.1 type is ExtKeyUsageSyntax\n// (RFC 5280) and C type is |STACK_OF(ASN1_OBJECT)*|, or |EXTENDED_KEY_USAGE*|.\nDECLARE_ASN1_ITEM(EXTENDED_KEY_USAGE)\n\n// EXTENDED_KEY_USAGE_new returns a newly-allocated, empty |EXTENDED_KEY_USAGE|\n// object, or NULL on error.\nOPENSSL_EXPORT EXTENDED_KEY_USAGE *EXTENDED_KEY_USAGE_new(void);\n\n// EXTENDED_KEY_USAGE_free releases memory associated with |eku|.\nOPENSSL_EXPORT void EXTENDED_KEY_USAGE_free(EXTENDED_KEY_USAGE *eku);\n\n// d2i_EXTENDED_KEY_USAGE parses up to |len| bytes from |*inp| as a DER-encoded\n// ExtKeyUsageSyntax (RFC 5280), as described in |d2i_SAMPLE|.\nOPENSSL_EXPORT EXTENDED_KEY_USAGE *d2i_EXTENDED_KEY_USAGE(\n EXTENDED_KEY_USAGE **out, const uint8_t **inp, long len);\n\n// i2d_EXTENDED_KEY_USAGE marshals |eku| as a DER-encoded ExtKeyUsageSyntax (RFC\n// 5280), as described in |i2d_SAMPLE|.\nOPENSSL_EXPORT int i2d_EXTENDED_KEY_USAGE(const EXTENDED_KEY_USAGE *eku,\n uint8_t **outp);\n\n\n// General names.\n//\n// A |GENERAL_NAME| represents an X.509 GeneralName structure, defined in RFC\n// 5280, Section 4.2.1.6. General names are distinct from names (|X509_NAME|). A\n// general name is a CHOICE type which may contain one of several name types,\n// most commonly a DNS name or an IP address. General names most commonly appear\n// in the subject alternative name (SAN) extension, though they are also used in\n// other extensions.\n//\n// Many extensions contain a SEQUENCE OF GeneralName, or GeneralNames, so\n// |STACK_OF(GENERAL_NAME)| is defined and aliased to |GENERAL_NAMES|.\n\ntypedef struct otherName_st {\n ASN1_OBJECT *type_id;\n ASN1_TYPE *value;\n} OTHERNAME;\n\ntypedef struct EDIPartyName_st {\n ASN1_STRING *nameAssigner;\n ASN1_STRING *partyName;\n} EDIPARTYNAME;\n\n// GEN_* are constants for the |type| field of |GENERAL_NAME|, defined below.\n#define GEN_OTHERNAME 0\n#define GEN_EMAIL 1\n#define GEN_DNS 2\n#define GEN_X400 3\n#define GEN_DIRNAME 4\n#define GEN_EDIPARTY 5\n#define GEN_URI 6\n#define GEN_IPADD 7\n#define GEN_RID 8\n\n// A GENERAL_NAME_st, aka |GENERAL_NAME|, represents an X.509 GeneralName. The\n// |type| field determines which member of |d| is active. A |GENERAL_NAME| may\n// also be empty, in which case |type| is -1 and |d| is NULL. Empty\n// |GENERAL_NAME|s are invalid and will never be returned from the parser, but\n// may be created temporarily, e.g. by |GENERAL_NAME_new|.\n//\n// WARNING: |type| and |d| must be kept consistent. An inconsistency will result\n// in a potentially exploitable memory error.\nstruct GENERAL_NAME_st {\n int type;\n union {\n char *ptr;\n OTHERNAME *otherName;\n ASN1_IA5STRING *rfc822Name;\n ASN1_IA5STRING *dNSName;\n ASN1_STRING *x400Address;\n X509_NAME *directoryName;\n EDIPARTYNAME *ediPartyName;\n ASN1_IA5STRING *uniformResourceIdentifier;\n ASN1_OCTET_STRING *iPAddress;\n ASN1_OBJECT *registeredID;\n\n // Old names\n ASN1_OCTET_STRING *ip; // iPAddress\n X509_NAME *dirn; // dirn\n ASN1_IA5STRING *ia5; // rfc822Name, dNSName, uniformResourceIdentifier\n ASN1_OBJECT *rid; // registeredID\n } d;\n} /* GENERAL_NAME */;\n\n// GENERAL_NAME_new returns a new, empty |GENERAL_NAME|, or NULL on error.\nOPENSSL_EXPORT GENERAL_NAME *GENERAL_NAME_new(void);\n\n// GENERAL_NAME_free releases memory associated with |gen|.\nOPENSSL_EXPORT void GENERAL_NAME_free(GENERAL_NAME *gen);\n\n// d2i_GENERAL_NAME parses up to |len| bytes from |*inp| as a DER-encoded X.509\n// GeneralName (RFC 5280), as described in |d2i_SAMPLE|.\nOPENSSL_EXPORT GENERAL_NAME *d2i_GENERAL_NAME(GENERAL_NAME **out,\n const uint8_t **inp, long len);\n\n// i2d_GENERAL_NAME marshals |in| as a DER-encoded X.509 GeneralName (RFC 5280),\n// as described in |i2d_SAMPLE|.\n//\n// TODO(https://crbug.com/boringssl/407): This function should be const and\n// thread-safe but is currently neither in some cases, notably if |in| is an\n// directoryName and the |X509_NAME| has been modified.\nOPENSSL_EXPORT int i2d_GENERAL_NAME(GENERAL_NAME *in, uint8_t **outp);\n\n// GENERAL_NAME_dup returns a newly-allocated copy of |gen|, or NULL on error.\n// This function works by serializing the structure, so it will fail if |gen| is\n// empty.\n//\n// TODO(https://crbug.com/boringssl/407): This function should be const and\n// thread-safe but is currently neither in some cases, notably if |gen| is an\n// directoryName and the |X509_NAME| has been modified.\nOPENSSL_EXPORT GENERAL_NAME *GENERAL_NAME_dup(GENERAL_NAME *gen);\n\n// GENERAL_NAMES_new returns a new, empty |GENERAL_NAMES|, or NULL on error.\nOPENSSL_EXPORT GENERAL_NAMES *GENERAL_NAMES_new(void);\n\n// GENERAL_NAMES_free releases memory associated with |gens|.\nOPENSSL_EXPORT void GENERAL_NAMES_free(GENERAL_NAMES *gens);\n\n// d2i_GENERAL_NAMES parses up to |len| bytes from |*inp| as a DER-encoded\n// SEQUENCE OF GeneralName, as described in |d2i_SAMPLE|.\nOPENSSL_EXPORT GENERAL_NAMES *d2i_GENERAL_NAMES(GENERAL_NAMES **out,\n const uint8_t **inp, long len);\n\n// i2d_GENERAL_NAMES marshals |in| as a DER-encoded SEQUENCE OF GeneralName, as\n// described in |i2d_SAMPLE|.\n//\n// TODO(https://crbug.com/boringssl/407): This function should be const and\n// thread-safe but is currently neither in some cases, notably if some element\n// of |in| is an directoryName and the |X509_NAME| has been modified.\nOPENSSL_EXPORT int i2d_GENERAL_NAMES(GENERAL_NAMES *in, uint8_t **outp);\n\n// OTHERNAME_new returns a new, empty |OTHERNAME|, or NULL on error.\nOPENSSL_EXPORT OTHERNAME *OTHERNAME_new(void);\n\n// OTHERNAME_free releases memory associated with |name|.\nOPENSSL_EXPORT void OTHERNAME_free(OTHERNAME *name);\n\n// EDIPARTYNAME_new returns a new, empty |EDIPARTYNAME|, or NULL on error.\n// EDIPartyName is rarely used in practice, so callers are unlikely to need this\n// function.\nOPENSSL_EXPORT EDIPARTYNAME *EDIPARTYNAME_new(void);\n\n// EDIPARTYNAME_free releases memory associated with |name|. EDIPartyName is\n// rarely used in practice, so callers are unlikely to need this function.\nOPENSSL_EXPORT void EDIPARTYNAME_free(EDIPARTYNAME *name);\n\n// GENERAL_NAME_set0_value set |gen|'s type and value to |type| and |value|.\n// |type| must be a |GEN_*| constant and |value| must be an object of the\n// corresponding type. |gen| takes ownership of |value|, so |value| must have\n// been an allocated object.\n//\n// WARNING: |gen| must be empty (typically as returned from |GENERAL_NAME_new|)\n// before calling this function. If |gen| already contained a value, the\n// previous contents will be leaked.\nOPENSSL_EXPORT void GENERAL_NAME_set0_value(GENERAL_NAME *gen, int type,\n void *value);\n\n// GENERAL_NAME_get0_value returns the in-memory representation of |gen|'s\n// contents and, |out_type| is not NULL, sets |*out_type| to the type of |gen|,\n// which will be a |GEN_*| constant. If |gen| is incomplete, the return value\n// will be NULL and the type will be -1.\n//\n// WARNING: Casting the result of this function to the wrong type is a\n// potentially exploitable memory error. Callers must check |gen|'s type, either\n// via |*out_type| or checking |gen->type| directly, before inspecting the\n// result.\n//\n// WARNING: This function is not const-correct. The return value should be\n// const. Callers shoudl not mutate the returned object.\nOPENSSL_EXPORT void *GENERAL_NAME_get0_value(const GENERAL_NAME *gen,\n int *out_type);\n\n// GENERAL_NAME_set0_othername sets |gen| to be an OtherName with type |oid| and\n// value |value|. On success, it returns one and takes ownership of |oid| and\n// |value|, which must be created in a way compatible with |ASN1_OBJECT_free|\n// and |ASN1_TYPE_free|, respectively. On allocation failure, it returns zero.\n// In the failure case, the caller retains ownership of |oid| and |value| and\n// must release them when done.\n//\n// WARNING: |gen| must be empty (typically as returned from |GENERAL_NAME_new|)\n// before calling this function. If |gen| already contained a value, the\n// previously contents will be leaked.\nOPENSSL_EXPORT int GENERAL_NAME_set0_othername(GENERAL_NAME *gen,\n ASN1_OBJECT *oid,\n ASN1_TYPE *value);\n\n// GENERAL_NAME_get0_otherName, if |gen| is an OtherName, sets |*out_oid| and\n// |*out_value| to the OtherName's type-id and value, respectively, and returns\n// one. If |gen| is not an OtherName, it returns zero and leaves |*out_oid| and\n// |*out_value| unmodified. Either of |out_oid| or |out_value| may be NULL to\n// ignore the value.\n//\n// WARNING: This function is not const-correct. |out_oid| and |out_value| are\n// not const, but callers should not mutate the resulting objects.\nOPENSSL_EXPORT int GENERAL_NAME_get0_otherName(const GENERAL_NAME *gen,\n ASN1_OBJECT **out_oid,\n ASN1_TYPE **out_value);\n\n\n// Authority key identifier.\n//\n// The authority key identifier extension (RFC 5280, section 4.2.1.1) allows a\n// certificate to more precisely identify its issuer. This is helpful when\n// multiple certificates share a name. Only the keyIdentifier (|keyid| in\n// |AUTHORITY_KEYID|) field is used in practice.\n\n// A AUTHORITY_KEYID_st, aka |AUTHORITY_KEYID|, represents an\n// AuthorityKeyIdentifier structure (RFC 5280).\nstruct AUTHORITY_KEYID_st {\n ASN1_OCTET_STRING *keyid;\n GENERAL_NAMES *issuer;\n ASN1_INTEGER *serial;\n} /* AUTHORITY_KEYID */;\n\n// AUTHORITY_KEYID is an |ASN1_ITEM| whose ASN.1 type is AuthorityKeyIdentifier\n// (RFC 5280) and C type is |AUTHORITY_KEYID*|.\nDECLARE_ASN1_ITEM(AUTHORITY_KEYID)\n\n// AUTHORITY_KEYID_new returns a newly-allocated, empty |AUTHORITY_KEYID|\n// object, or NULL on error.\nOPENSSL_EXPORT AUTHORITY_KEYID *AUTHORITY_KEYID_new(void);\n\n// AUTHORITY_KEYID_free releases memory associated with |akid|.\nOPENSSL_EXPORT void AUTHORITY_KEYID_free(AUTHORITY_KEYID *akid);\n\n// d2i_AUTHORITY_KEYID parses up to |len| bytes from |*inp| as a DER-encoded\n// AuthorityKeyIdentifier (RFC 5280), as described in |d2i_SAMPLE|.\nOPENSSL_EXPORT AUTHORITY_KEYID *d2i_AUTHORITY_KEYID(AUTHORITY_KEYID **out,\n const uint8_t **inp,\n long len);\n\n// i2d_AUTHORITY_KEYID marshals |akid| as a DER-encoded AuthorityKeyIdentifier\n// (RFC 5280), as described in |i2d_SAMPLE|.\n//\n// TODO(https://crbug.com/boringssl/407): |akid| is not const because it\n// contains an |X509_NAME|.\nOPENSSL_EXPORT int i2d_AUTHORITY_KEYID(AUTHORITY_KEYID *akid, uint8_t **outp);\n\n\n// Name constraints.\n//\n// The name constraints extension (RFC 5280, section 4.2.1.10) constrains which\n// names may be asserted by certificates issued by some CA. For example, a\n// general CA may issue an intermediate certificate to the owner of example.com,\n// but constrained to \".example.com\".\n\n// A GENERAL_SUBTREE represents a GeneralSubtree structure (RFC 5280).\ntypedef struct GENERAL_SUBTREE_st {\n GENERAL_NAME *base;\n ASN1_INTEGER *minimum;\n ASN1_INTEGER *maximum;\n} GENERAL_SUBTREE;\n\nDEFINE_STACK_OF(GENERAL_SUBTREE)\n\n// GENERAL_SUBTREE_new returns a newly-allocated, empty |GENERAL_SUBTREE|\n// object, or NULL on error.\nOPENSSL_EXPORT GENERAL_SUBTREE *GENERAL_SUBTREE_new(void);\n\n// GENERAL_SUBTREE_free releases memory associated with |subtree|.\nOPENSSL_EXPORT void GENERAL_SUBTREE_free(GENERAL_SUBTREE *subtree);\n\n// A NAME_CONSTRAINTS_st, aka |NAME_CONSTRAINTS|, represents a NameConstraints\n// structure (RFC 5280).\nstruct NAME_CONSTRAINTS_st {\n STACK_OF(GENERAL_SUBTREE) *permittedSubtrees;\n STACK_OF(GENERAL_SUBTREE) *excludedSubtrees;\n} /* NAME_CONSTRAINTS */;\n\n// NAME_CONSTRAINTS is an |ASN1_ITEM| whose ASN.1 type is NameConstraints (RFC\n// 5280) and C type is |NAME_CONSTRAINTS*|.\nDECLARE_ASN1_ITEM(NAME_CONSTRAINTS)\n\n// NAME_CONSTRAINTS_new returns a newly-allocated, empty |NAME_CONSTRAINTS|\n// object, or NULL on error.\nOPENSSL_EXPORT NAME_CONSTRAINTS *NAME_CONSTRAINTS_new(void);\n\n// NAME_CONSTRAINTS_free releases memory associated with |ncons|.\nOPENSSL_EXPORT void NAME_CONSTRAINTS_free(NAME_CONSTRAINTS *ncons);\n\n\n// Authority information access.\n//\n// The authority information access extension (RFC 5280, 4.2.2.1) describes\n// where to obtain information about the issuer of a certificate. It is most\n// commonly used with accessMethod values of id-ad-caIssuers and id-ad-ocsp, to\n// indicate where to fetch the issuer certificate (if not provided in-band) and\n// the issuer's OCSP responder, respectively.\n\n// An ACCESS_DESCRIPTION represents an AccessDescription structure (RFC 5280).\ntypedef struct ACCESS_DESCRIPTION_st {\n ASN1_OBJECT *method;\n GENERAL_NAME *location;\n} ACCESS_DESCRIPTION;\n\nDEFINE_STACK_OF(ACCESS_DESCRIPTION)\n\n// ACCESS_DESCRIPTION_new returns a newly-allocated, empty |ACCESS_DESCRIPTION|\n// object, or NULL on error.\nOPENSSL_EXPORT ACCESS_DESCRIPTION *ACCESS_DESCRIPTION_new(void);\n\n// ACCESS_DESCRIPTION_free releases memory associated with |desc|.\nOPENSSL_EXPORT void ACCESS_DESCRIPTION_free(ACCESS_DESCRIPTION *desc);\n\ntypedef STACK_OF(ACCESS_DESCRIPTION) AUTHORITY_INFO_ACCESS;\n\n// AUTHORITY_INFO_ACCESS is an |ASN1_ITEM| whose ASN.1 type is\n// AuthorityInfoAccessSyntax (RFC 5280) and C type is\n// |STACK_OF(ACCESS_DESCRIPTION)*|, or |AUTHORITY_INFO_ACCESS*|.\nDECLARE_ASN1_ITEM(AUTHORITY_INFO_ACCESS)\n\n// AUTHORITY_INFO_ACCESS_new returns a newly-allocated, empty\n// |AUTHORITY_INFO_ACCESS| object, or NULL on error.\nOPENSSL_EXPORT AUTHORITY_INFO_ACCESS *AUTHORITY_INFO_ACCESS_new(void);\n\n// AUTHORITY_INFO_ACCESS_free releases memory associated with |aia|.\nOPENSSL_EXPORT void AUTHORITY_INFO_ACCESS_free(AUTHORITY_INFO_ACCESS *aia);\n\n// d2i_AUTHORITY_INFO_ACCESS parses up to |len| bytes from |*inp| as a\n// DER-encoded AuthorityInfoAccessSyntax (RFC 5280), as described in\n// |d2i_SAMPLE|.\nOPENSSL_EXPORT AUTHORITY_INFO_ACCESS *d2i_AUTHORITY_INFO_ACCESS(\n AUTHORITY_INFO_ACCESS **out, const uint8_t **inp, long len);\n\n// i2d_AUTHORITY_INFO_ACCESS marshals |aia| as a DER-encoded\n// AuthorityInfoAccessSyntax (RFC 5280), as described in |i2d_SAMPLE|.\n//\n// TODO(https://crbug.com/boringssl/407): |aia| is not const because it\n// contains an |X509_NAME|.\nOPENSSL_EXPORT int i2d_AUTHORITY_INFO_ACCESS(AUTHORITY_INFO_ACCESS *aia,\n uint8_t **outp);\n\n\n// CRL distribution points.\n//\n// The CRL distribution points extension (RFC 5280, 4.2.1.13) indicates where to\n// fetch a certificate issuer's CRL. The corresponding issuing distribution\n// point CRL extension (RFC 5280, section 5.2.5) matches against this extension.\n\n// A DIST_POINT_NAME represents a DistributionPointName structure (RFC 5280).\n// The |name| field contains the CHOICE value and is determined by |type|. If\n// |type| is zero, |name| must be a |fullname|. If |type| is one, |name| must be\n// a |relativename|.\n//\n// WARNING: |type| and |name| must be kept consistent. An inconsistency will\n// result in a potentially exploitable memory error.\ntypedef struct DIST_POINT_NAME_st {\n int type;\n union {\n GENERAL_NAMES *fullname;\n STACK_OF(X509_NAME_ENTRY) *relativename;\n } name;\n // If relativename then this contains the full distribution point name\n X509_NAME *dpname;\n} DIST_POINT_NAME;\n\n// DIST_POINT_NAME_new returns a newly-allocated, empty |DIST_POINT_NAME|\n// object, or NULL on error.\nOPENSSL_EXPORT DIST_POINT_NAME *DIST_POINT_NAME_new(void);\n\n// DIST_POINT_NAME_free releases memory associated with |name|.\nOPENSSL_EXPORT void DIST_POINT_NAME_free(DIST_POINT_NAME *name);\n\n// A DIST_POINT_st, aka |DIST_POINT|, represents a DistributionPoint structure\n// (RFC 5280).\nstruct DIST_POINT_st {\n DIST_POINT_NAME *distpoint;\n ASN1_BIT_STRING *reasons;\n GENERAL_NAMES *CRLissuer;\n} /* DIST_POINT */;\n\nDEFINE_STACK_OF(DIST_POINT)\n\n// DIST_POINT_new returns a newly-allocated, empty |DIST_POINT| object, or NULL\n// on error.\nOPENSSL_EXPORT DIST_POINT *DIST_POINT_new(void);\n\n// DIST_POINT_free releases memory associated with |dp|.\nOPENSSL_EXPORT void DIST_POINT_free(DIST_POINT *dp);\n\ntypedef STACK_OF(DIST_POINT) CRL_DIST_POINTS;\n\n// CRL_DIST_POINTS is an |ASN1_ITEM| whose ASN.1 type is CRLDistributionPoints\n// (RFC 5280) and C type is |CRL_DIST_POINTS*|.\nDECLARE_ASN1_ITEM(CRL_DIST_POINTS)\n\n// CRL_DIST_POINTS_new returns a newly-allocated, empty |CRL_DIST_POINTS|\n// object, or NULL on error.\nOPENSSL_EXPORT CRL_DIST_POINTS *CRL_DIST_POINTS_new(void);\n\n// CRL_DIST_POINTS_free releases memory associated with |crldp|.\nOPENSSL_EXPORT void CRL_DIST_POINTS_free(CRL_DIST_POINTS *crldp);\n\n// d2i_CRL_DIST_POINTS parses up to |len| bytes from |*inp| as a DER-encoded\n// CRLDistributionPoints (RFC 5280), as described in |d2i_SAMPLE|.\nOPENSSL_EXPORT CRL_DIST_POINTS *d2i_CRL_DIST_POINTS(CRL_DIST_POINTS **out,\n const uint8_t **inp,\n long len);\n\n// i2d_CRL_DIST_POINTS marshals |crldp| as a DER-encoded CRLDistributionPoints\n// (RFC 5280), as described in |i2d_SAMPLE|.\n//\n// TODO(https://crbug.com/boringssl/407): |crldp| is not const because it\n// contains an |X509_NAME|.\nOPENSSL_EXPORT int i2d_CRL_DIST_POINTS(CRL_DIST_POINTS *crldp, uint8_t **outp);\n\n// A ISSUING_DIST_POINT_st, aka |ISSUING_DIST_POINT|, represents a\n// IssuingDistributionPoint structure (RFC 5280).\nstruct ISSUING_DIST_POINT_st {\n DIST_POINT_NAME *distpoint;\n ASN1_BOOLEAN onlyuser;\n ASN1_BOOLEAN onlyCA;\n ASN1_BIT_STRING *onlysomereasons;\n ASN1_BOOLEAN indirectCRL;\n ASN1_BOOLEAN onlyattr;\n} /* ISSUING_DIST_POINT */;\n\n// ISSUING_DIST_POINT is an |ASN1_ITEM| whose ASN.1 type is\n// IssuingDistributionPoint (RFC 5280) and C type is |ISSUING_DIST_POINT*|.\nDECLARE_ASN1_ITEM(ISSUING_DIST_POINT)\n\n// ISSUING_DIST_POINT_new returns a newly-allocated, empty |ISSUING_DIST_POINT|\n// object, or NULL on error.\nOPENSSL_EXPORT ISSUING_DIST_POINT *ISSUING_DIST_POINT_new(void);\n\n// ISSUING_DIST_POINT_free releases memory associated with |idp|.\nOPENSSL_EXPORT void ISSUING_DIST_POINT_free(ISSUING_DIST_POINT *idp);\n\n// d2i_ISSUING_DIST_POINT parses up to |len| bytes from |*inp| as a DER-encoded\n// IssuingDistributionPoint (RFC 5280), as described in |d2i_SAMPLE|.\nOPENSSL_EXPORT ISSUING_DIST_POINT *d2i_ISSUING_DIST_POINT(\n ISSUING_DIST_POINT **out, const uint8_t **inp, long len);\n\n// i2d_ISSUING_DIST_POINT marshals |idp| as a DER-encoded\n// IssuingDistributionPoint (RFC 5280), as described in |i2d_SAMPLE|.\n//\n// TODO(https://crbug.com/boringssl/407): |idp| is not const because it\n// contains an |X509_NAME|.\nOPENSSL_EXPORT int i2d_ISSUING_DIST_POINT(ISSUING_DIST_POINT *idp,\n uint8_t **outp);\n\n\n// Certificate policies.\n//\n// The certificate policies extension (RFC 5280, section 4.2.1.4), along with a\n// suite of related extensions determines the \"policies\" that apply to a\n// certificate path. Evaluating these policies is extremely complex and has led\n// to denial-of-service vulnerabilities in several X.509 implementations. See\n// draft-ietf-lamps-x509-policy-graph.\n//\n// Do not use this mechanism.\n\n// A NOTICEREF represents a NoticeReference structure (RFC 5280).\ntypedef struct NOTICEREF_st {\n ASN1_STRING *organization;\n STACK_OF(ASN1_INTEGER) *noticenos;\n} NOTICEREF;\n\n// NOTICEREF_new returns a newly-allocated, empty |NOTICEREF| object, or NULL\n// on error.\nOPENSSL_EXPORT NOTICEREF *NOTICEREF_new(void);\n\n// NOTICEREF_free releases memory associated with |ref|.\nOPENSSL_EXPORT void NOTICEREF_free(NOTICEREF *ref);\n\n// A USERNOTICE represents a UserNotice structure (RFC 5280).\ntypedef struct USERNOTICE_st {\n NOTICEREF *noticeref;\n ASN1_STRING *exptext;\n} USERNOTICE;\n\n// USERNOTICE_new returns a newly-allocated, empty |USERNOTICE| object, or NULL\n// on error.\nOPENSSL_EXPORT USERNOTICE *USERNOTICE_new(void);\n\n// USERNOTICE_free releases memory associated with |notice|.\nOPENSSL_EXPORT void USERNOTICE_free(USERNOTICE *notice);\n\n// A POLICYQUALINFO represents a PolicyQualifierInfo structure (RFC 5280). |d|\n// contains the qualifier field of the PolicyQualifierInfo. Its type is\n// determined by |pqualid|. If |pqualid| is |NID_id_qt_cps|, |d| must be\n// |cpsuri|. If |pqualid| is |NID_id_qt_unotice|, |d| must be |usernotice|.\n// Otherwise, |d| must be |other|.\n//\n// WARNING: |pqualid| and |d| must be kept consistent. An inconsistency will\n// result in a potentially exploitable memory error.\ntypedef struct POLICYQUALINFO_st {\n ASN1_OBJECT *pqualid;\n union {\n ASN1_IA5STRING *cpsuri;\n USERNOTICE *usernotice;\n ASN1_TYPE *other;\n } d;\n} POLICYQUALINFO;\n\nDEFINE_STACK_OF(POLICYQUALINFO)\n\n// POLICYQUALINFO_new returns a newly-allocated, empty |POLICYQUALINFO| object,\n// or NULL on error.\nOPENSSL_EXPORT POLICYQUALINFO *POLICYQUALINFO_new(void);\n\n// POLICYQUALINFO_free releases memory associated with |info|.\nOPENSSL_EXPORT void POLICYQUALINFO_free(POLICYQUALINFO *info);\n\n// A POLICYINFO represents a PolicyInformation structure (RFC 5280).\ntypedef struct POLICYINFO_st {\n ASN1_OBJECT *policyid;\n STACK_OF(POLICYQUALINFO) *qualifiers;\n} POLICYINFO;\n\nDEFINE_STACK_OF(POLICYINFO)\n\n// POLICYINFO_new returns a newly-allocated, empty |POLICYINFO| object, or NULL\n// on error.\nOPENSSL_EXPORT POLICYINFO *POLICYINFO_new(void);\n\n// POLICYINFO_free releases memory associated with |info|.\nOPENSSL_EXPORT void POLICYINFO_free(POLICYINFO *info);\n\ntypedef STACK_OF(POLICYINFO) CERTIFICATEPOLICIES;\n\n// CERTIFICATEPOLICIES is an |ASN1_ITEM| whose ASN.1 type is CertificatePolicies\n// (RFC 5280) and C type is |STACK_OF(POLICYINFO)*|, or |CERTIFICATEPOLICIES*|.\nDECLARE_ASN1_ITEM(CERTIFICATEPOLICIES)\n\n// CERTIFICATEPOLICIES_new returns a newly-allocated, empty\n// |CERTIFICATEPOLICIES| object, or NULL on error.\nOPENSSL_EXPORT CERTIFICATEPOLICIES *CERTIFICATEPOLICIES_new(void);\n\n// CERTIFICATEPOLICIES_free releases memory associated with |policies|.\nOPENSSL_EXPORT void CERTIFICATEPOLICIES_free(CERTIFICATEPOLICIES *policies);\n\n// d2i_CERTIFICATEPOLICIES parses up to |len| bytes from |*inp| as a DER-encoded\n// CertificatePolicies (RFC 5280), as described in |d2i_SAMPLE|.\nOPENSSL_EXPORT CERTIFICATEPOLICIES *d2i_CERTIFICATEPOLICIES(\n CERTIFICATEPOLICIES **out, const uint8_t **inp, long len);\n\n// i2d_CERTIFICATEPOLICIES marshals |policies| as a DER-encoded\n// CertificatePolicies (RFC 5280), as described in |i2d_SAMPLE|.\nOPENSSL_EXPORT int i2d_CERTIFICATEPOLICIES(const CERTIFICATEPOLICIES *policies,\n uint8_t **outp);\n\n// A POLICY_MAPPING represents an individual element of a PolicyMappings\n// structure (RFC 5280).\ntypedef struct POLICY_MAPPING_st {\n ASN1_OBJECT *issuerDomainPolicy;\n ASN1_OBJECT *subjectDomainPolicy;\n} POLICY_MAPPING;\n\nDEFINE_STACK_OF(POLICY_MAPPING)\n\n// POLICY_MAPPING_new returns a newly-allocated, empty |POLICY_MAPPING| object,\n// or NULL on error.\nOPENSSL_EXPORT POLICY_MAPPING *POLICY_MAPPING_new(void);\n\n// POLICY_MAPPING_free releases memory associated with |mapping|.\nOPENSSL_EXPORT void POLICY_MAPPING_free(POLICY_MAPPING *mapping);\n\ntypedef STACK_OF(POLICY_MAPPING) POLICY_MAPPINGS;\n\n// POLICY_MAPPINGS is an |ASN1_ITEM| whose ASN.1 type is PolicyMappings (RFC\n// 5280) and C type is |STACK_OF(POLICY_MAPPING)*|, or |POLICY_MAPPINGS*|.\nDECLARE_ASN1_ITEM(POLICY_MAPPINGS)\n\n// A POLICY_CONSTRAINTS represents a PolicyConstraints structure (RFC 5280).\ntypedef struct POLICY_CONSTRAINTS_st {\n ASN1_INTEGER *requireExplicitPolicy;\n ASN1_INTEGER *inhibitPolicyMapping;\n} POLICY_CONSTRAINTS;\n\n// POLICY_CONSTRAINTS is an |ASN1_ITEM| whose ASN.1 type is PolicyConstraints\n// (RFC 5280) and C type is |POLICY_CONSTRAINTS*|.\nDECLARE_ASN1_ITEM(POLICY_CONSTRAINTS)\n\n// POLICY_CONSTRAINTS_new returns a newly-allocated, empty |POLICY_CONSTRAINTS|\n// object, or NULL on error.\nOPENSSL_EXPORT POLICY_CONSTRAINTS *POLICY_CONSTRAINTS_new(void);\n\n// POLICY_CONSTRAINTS_free releases memory associated with |pcons|.\nOPENSSL_EXPORT void POLICY_CONSTRAINTS_free(POLICY_CONSTRAINTS *pcons);\n\n\n// Algorithm identifiers.\n//\n// An |X509_ALGOR| represents an AlgorithmIdentifier structure, used in X.509\n// to represent signature algorithms and public key algorithms.\n\nDEFINE_STACK_OF(X509_ALGOR)\n\n// X509_ALGOR is an |ASN1_ITEM| whose ASN.1 type is AlgorithmIdentifier and C\n// type is |X509_ALGOR*|.\nDECLARE_ASN1_ITEM(X509_ALGOR)\n\n// X509_ALGOR_new returns a newly-allocated, empty |X509_ALGOR| object, or NULL\n// on error.\nOPENSSL_EXPORT X509_ALGOR *X509_ALGOR_new(void);\n\n// X509_ALGOR_dup returns a newly-allocated copy of |alg|, or NULL on error.\n// This function works by serializing the structure, so if |alg| is incomplete,\n// it may fail.\nOPENSSL_EXPORT X509_ALGOR *X509_ALGOR_dup(const X509_ALGOR *alg);\n\n// X509_ALGOR_free releases memory associated with |alg|.\nOPENSSL_EXPORT void X509_ALGOR_free(X509_ALGOR *alg);\n\n// d2i_X509_ALGOR parses up to |len| bytes from |*inp| as a DER-encoded\n// AlgorithmIdentifier, as described in |d2i_SAMPLE|.\nOPENSSL_EXPORT X509_ALGOR *d2i_X509_ALGOR(X509_ALGOR **out, const uint8_t **inp,\n long len);\n\n// i2d_X509_ALGOR marshals |alg| as a DER-encoded AlgorithmIdentifier, as\n// described in |i2d_SAMPLE|.\nOPENSSL_EXPORT int i2d_X509_ALGOR(const X509_ALGOR *alg, uint8_t **outp);\n\n// X509_ALGOR_set0 sets |alg| to an AlgorithmIdentifier with algorithm |obj| and\n// parameter determined by |param_type| and |param_value|. It returns one on\n// success and zero on error. This function takes ownership of |obj| and\n// |param_value| on success.\n//\n// If |param_type| is |V_ASN1_UNDEF|, the parameter is omitted. If |param_type|\n// is zero, the parameter is left unchanged. Otherwise, |param_type| and\n// |param_value| are interpreted as in |ASN1_TYPE_set|.\n//\n// Note omitting the parameter (|V_ASN1_UNDEF|) and encoding an explicit NULL\n// value (|V_ASN1_NULL|) are different. Some algorithms require one and some the\n// other. Consult the relevant specification before calling this function. The\n// correct parameter for an RSASSA-PKCS1-v1_5 signature is |V_ASN1_NULL|. The\n// correct one for an ECDSA or Ed25519 signature is |V_ASN1_UNDEF|.\nOPENSSL_EXPORT int X509_ALGOR_set0(X509_ALGOR *alg, ASN1_OBJECT *obj,\n int param_type, void *param_value);\n\n// X509_ALGOR_get0 sets |*out_obj| to the |alg|'s algorithm. If |alg|'s\n// parameter is omitted, it sets |*out_param_type| and |*out_param_value| to\n// |V_ASN1_UNDEF| and NULL. Otherwise, it sets |*out_param_type| and\n// |*out_param_value| to the parameter, using the same representation as\n// |ASN1_TYPE_set0|. See |ASN1_TYPE_set0| and |ASN1_TYPE| for details.\n//\n// Callers that require the parameter in serialized form should, after checking\n// for |V_ASN1_UNDEF|, use |ASN1_TYPE_set1| and |d2i_ASN1_TYPE|, rather than\n// inspecting |*out_param_value|.\n//\n// Each of |out_obj|, |out_param_type|, and |out_param_value| may be NULL to\n// ignore the output. If |out_param_type| is NULL, |out_param_value| is ignored.\n//\n// WARNING: If |*out_param_type| is set to |V_ASN1_UNDEF|, OpenSSL and older\n// revisions of BoringSSL leave |*out_param_value| unset rather than setting it\n// to NULL. Callers that support both OpenSSL and BoringSSL should not assume\n// |*out_param_value| is uniformly initialized.\nOPENSSL_EXPORT void X509_ALGOR_get0(const ASN1_OBJECT **out_obj,\n int *out_param_type,\n const void **out_param_value,\n const X509_ALGOR *alg);\n\n// X509_ALGOR_set_md sets |alg| to the hash function |md|. Note this\n// AlgorithmIdentifier represents the hash function itself, not a signature\n// algorithm that uses |md|. It returns one on success and zero on error.\n//\n// Due to historical specification mistakes (see Section 2.1 of RFC 4055), the\n// parameters field is sometimes omitted and sometimes a NULL value. When used\n// in RSASSA-PSS and RSAES-OAEP, it should be a NULL value. In other contexts,\n// the parameters should be omitted. This function assumes the caller is\n// constructing a RSASSA-PSS or RSAES-OAEP AlgorithmIdentifier and includes a\n// NULL parameter. This differs from OpenSSL's behavior.\n//\n// TODO(davidben): Rename this function, or perhaps just add a bespoke API for\n// constructing PSS and move on.\nOPENSSL_EXPORT int X509_ALGOR_set_md(X509_ALGOR *alg, const EVP_MD *md);\n\n// X509_ALGOR_cmp returns zero if |a| and |b| are equal, and some non-zero value\n// otherwise. Note this function can only be used for equality checks, not an\n// ordering.\nOPENSSL_EXPORT int X509_ALGOR_cmp(const X509_ALGOR *a, const X509_ALGOR *b);\n\n\n// Attributes.\n//\n// Unlike certificates and CRLs, CSRs use a separate Attribute structure (RFC\n// 2985, RFC 2986) for extensibility. This is represented by the library as\n// |X509_ATTRIBUTE|.\n\nDEFINE_STACK_OF(X509_ATTRIBUTE)\n\n// X509_ATTRIBUTE_new returns a newly-allocated, empty |X509_ATTRIBUTE| object,\n// or NULL on error. |X509_ATTRIBUTE_set1_*| may be used to finish initializing\n// it.\nOPENSSL_EXPORT X509_ATTRIBUTE *X509_ATTRIBUTE_new(void);\n\n// X509_ATTRIBUTE_dup returns a newly-allocated copy of |attr|, or NULL on\n// error. This function works by serializing the structure, so if |attr| is\n// incomplete, it may fail.\nOPENSSL_EXPORT X509_ATTRIBUTE *X509_ATTRIBUTE_dup(const X509_ATTRIBUTE *attr);\n\n// X509_ATTRIBUTE_free releases memory associated with |attr|.\nOPENSSL_EXPORT void X509_ATTRIBUTE_free(X509_ATTRIBUTE *attr);\n\n// d2i_X509_ATTRIBUTE parses up to |len| bytes from |*inp| as a DER-encoded\n// Attribute (RFC 2986), as described in |d2i_SAMPLE|.\nOPENSSL_EXPORT X509_ATTRIBUTE *d2i_X509_ATTRIBUTE(X509_ATTRIBUTE **out,\n const uint8_t **inp,\n long len);\n\n// i2d_X509_ATTRIBUTE marshals |alg| as a DER-encoded Attribute (RFC 2986), as\n// described in |i2d_SAMPLE|.\nOPENSSL_EXPORT int i2d_X509_ATTRIBUTE(const X509_ATTRIBUTE *alg,\n uint8_t **outp);\n\n// X509_ATTRIBUTE_create returns a newly-allocated |X509_ATTRIBUTE|, or NULL on\n// error. The attribute has type |nid| and contains a single value determined by\n// |attrtype| and |value|, which are interpreted as in |ASN1_TYPE_set|. Note\n// this function takes ownership of |value|.\nOPENSSL_EXPORT X509_ATTRIBUTE *X509_ATTRIBUTE_create(int nid, int attrtype,\n void *value);\n\n// X509_ATTRIBUTE_create_by_NID returns a newly-allocated |X509_ATTRIBUTE| of\n// type |nid|, or NULL on error. The value is determined as in\n// |X509_ATTRIBUTE_set1_data|.\n//\n// If |attr| is non-NULL, the resulting |X509_ATTRIBUTE| is also written to\n// |*attr|. If |*attr| was non-NULL when the function was called, |*attr| is\n// reused instead of creating a new object.\n//\n// WARNING: The interpretation of |attrtype|, |data|, and |len| is complex and\n// error-prone. See |X509_ATTRIBUTE_set1_data| for details.\n//\n// WARNING: The object reuse form is deprecated and may be removed in the\n// future. It also currently incorrectly appends to the reused object's value\n// set rather than overwriting it.\nOPENSSL_EXPORT X509_ATTRIBUTE *X509_ATTRIBUTE_create_by_NID(\n X509_ATTRIBUTE **attr, int nid, int attrtype, const void *data, int len);\n\n// X509_ATTRIBUTE_create_by_OBJ behaves like |X509_ATTRIBUTE_create_by_NID|\n// except the attribute's type is determined by |obj|.\nOPENSSL_EXPORT X509_ATTRIBUTE *X509_ATTRIBUTE_create_by_OBJ(\n X509_ATTRIBUTE **attr, const ASN1_OBJECT *obj, int attrtype,\n const void *data, int len);\n\n// X509_ATTRIBUTE_create_by_txt behaves like |X509_ATTRIBUTE_create_by_NID|\n// except the attribute's type is determined by calling |OBJ_txt2obj| with\n// |attrname|.\nOPENSSL_EXPORT X509_ATTRIBUTE *X509_ATTRIBUTE_create_by_txt(\n X509_ATTRIBUTE **attr, const char *attrname, int type,\n const unsigned char *bytes, int len);\n\n// X509_ATTRIBUTE_set1_object sets |attr|'s type to |obj|. It returns one on\n// success and zero on error.\nOPENSSL_EXPORT int X509_ATTRIBUTE_set1_object(X509_ATTRIBUTE *attr,\n const ASN1_OBJECT *obj);\n\n// X509_ATTRIBUTE_set1_data appends a value to |attr|'s value set and returns\n// one on success or zero on error. The value is determined as follows:\n//\n// If |attrtype| is zero, this function returns one and does nothing. This form\n// may be used when calling |X509_ATTRIBUTE_create_by_*| to create an attribute\n// with an empty value set. Such attributes are invalid, but OpenSSL supports\n// creating them.\n//\n// Otherwise, if |attrtype| is a |MBSTRING_*| constant, the value is an ASN.1\n// string. The string is determined by decoding |len| bytes from |data| in the\n// encoding specified by |attrtype|, and then re-encoding it in a form\n// appropriate for |attr|'s type. If |len| is -1, |strlen(data)| is used\n// instead. See |ASN1_STRING_set_by_NID| for details.\n//\n// Otherwise, if |len| is not -1, the value is an ASN.1 string. |attrtype| is an\n// |ASN1_STRING| type value and the |len| bytes from |data| are copied as the\n// type-specific representation of |ASN1_STRING|. See |ASN1_STRING| for details.\n//\n// Otherwise, if |len| is -1, the value is constructed by passing |attrtype| and\n// |data| to |ASN1_TYPE_set1|. That is, |attrtype| is an |ASN1_TYPE| type value,\n// and |data| is cast to the corresponding pointer type.\n//\n// WARNING: Despite the name, this function appends to |attr|'s value set,\n// rather than overwriting it. To overwrite the value set, create a new\n// |X509_ATTRIBUTE| with |X509_ATTRIBUTE_new|.\n//\n// WARNING: If using the |MBSTRING_*| form, pass a length rather than relying on\n// |strlen|. In particular, |strlen| will not behave correctly if the input is\n// |MBSTRING_BMP| or |MBSTRING_UNIV|.\n//\n// WARNING: This function currently misinterprets |V_ASN1_OTHER| as an\n// |MBSTRING_*| constant. This matches OpenSSL but means it is impossible to\n// construct a value with a non-universal tag.\nOPENSSL_EXPORT int X509_ATTRIBUTE_set1_data(X509_ATTRIBUTE *attr, int attrtype,\n const void *data, int len);\n\n// X509_ATTRIBUTE_get0_data returns the |idx|th value of |attr| in a\n// type-specific representation to |attrtype|, or NULL if out of bounds or the\n// type does not match. |attrtype| is one of the type values in |ASN1_TYPE|. On\n// match, the return value uses the same representation as |ASN1_TYPE_set0|. See\n// |ASN1_TYPE| for details.\nOPENSSL_EXPORT void *X509_ATTRIBUTE_get0_data(X509_ATTRIBUTE *attr, int idx,\n int attrtype, void *unused);\n\n// X509_ATTRIBUTE_count returns the number of values in |attr|.\nOPENSSL_EXPORT int X509_ATTRIBUTE_count(const X509_ATTRIBUTE *attr);\n\n// X509_ATTRIBUTE_get0_object returns the type of |attr|.\nOPENSSL_EXPORT ASN1_OBJECT *X509_ATTRIBUTE_get0_object(X509_ATTRIBUTE *attr);\n\n// X509_ATTRIBUTE_get0_type returns the |idx|th value in |attr|, or NULL if out\n// of bounds. Note this function returns one of |attr|'s values, not the type.\nOPENSSL_EXPORT ASN1_TYPE *X509_ATTRIBUTE_get0_type(X509_ATTRIBUTE *attr,\n int idx);\n\n\n// Certificate stores.\n//\n// An |X509_STORE| contains trusted certificates, CRLs, and verification\n// parameters that are shared between multiple certificate verifications.\n//\n// Certificates in an |X509_STORE| are referred to as \"trusted certificates\",\n// but an individual certificate verification may not necessarily treat every\n// trusted certificate as a trust anchor. See |X509_VERIFY_PARAM_set_trust| for\n// details.\n//\n// WARNING: Although a trusted certificate which fails the\n// |X509_VERIFY_PARAM_set_trust| check is functionally an untrusted\n// intermediate certificate, callers should not rely on this to configure\n// untrusted intermediates in an |X509_STORE|. The trust check is complex, so\n// this risks inadvertently treating it as a trust anchor. Instead, configure\n// untrusted intermediates with the |chain| parameter of |X509_STORE_CTX_init|.\n//\n// Certificates in |X509_STORE| may be specified in several ways:\n// - Added by |X509_STORE_add_cert|.\n// - Returned by an |X509_LOOKUP| added by |X509_STORE_add_lookup|.\n//\n// |X509_STORE|s are reference-counted and may be shared by certificate\n// verifications running concurrently on multiple threads. However, an\n// |X509_STORE|'s verification parameters may not be modified concurrently with\n// certificate verification or other operations. Unless otherwise documented,\n// functions which take const pointer may be used concurrently, while\n// functions which take a non-const pointer may not. Callers that wish to modify\n// verification parameters in a shared |X509_STORE| should instead modify\n// |X509_STORE_CTX|s individually.\n//\n// Objects in an |X509_STORE| are represented as an |X509_OBJECT|. Some\n// functions in this library return values with this type.\n\n// X509_STORE_new returns a newly-allocated |X509_STORE|, or NULL on error.\nOPENSSL_EXPORT X509_STORE *X509_STORE_new(void);\n\n// X509_STORE_up_ref adds one to the reference count of |store| and returns one.\n// Although |store| is not const, this function's use of |store| is thread-safe.\nOPENSSL_EXPORT int X509_STORE_up_ref(X509_STORE *store);\n\n// X509_STORE_free releases memory associated with |store|.\nOPENSSL_EXPORT void X509_STORE_free(X509_STORE *store);\n\n// X509_STORE_add_cert adds |x509| to |store| as a trusted certificate. It\n// returns one on success and zero on error. This function internally increments\n// |x509|'s reference count, so the caller retains ownership of |x509|.\n//\n// Certificates configured by this function are still subject to the checks\n// described in |X509_VERIFY_PARAM_set_trust|.\n//\n// Although |store| is not const, this function's use of |store| is thread-safe.\n// However, if this function is called concurrently with |X509_verify_cert|, it\n// is a race condition whether |x509| is available for issuer lookups.\n// Moreover, the result may differ for each issuer lookup performed by a single\n// |X509_verify_cert| call.\nOPENSSL_EXPORT int X509_STORE_add_cert(X509_STORE *store, X509 *x509);\n\n// X509_STORE_add_crl adds |crl| to |store|. It returns one on success and zero\n// on error. This function internally increments |crl|'s reference count, so the\n// caller retains ownership of |crl|. CRLs added in this way are candidates for\n// CRL lookup when |X509_V_FLAG_CRL_CHECK| is set.\n//\n// Although |store| is not const, this function's use of |store| is thread-safe.\n// However, if this function is called concurrently with |X509_verify_cert|, it\n// is a race condition whether |crl| is available for CRL checks. Moreover, the\n// result may differ for each CRL check performed by a single\n// |X509_verify_cert| call.\n//\n// Note there are no supported APIs to remove CRLs from |store| once inserted.\n// To vary the set of CRLs over time, callers should either create a new\n// |X509_STORE| or configure CRLs on a per-verification basis with\n// |X509_STORE_CTX_set0_crls|.\nOPENSSL_EXPORT int X509_STORE_add_crl(X509_STORE *store, X509_CRL *crl);\n\n// X509_STORE_get0_param returns |store|'s verification parameters. This object\n// is mutable and may be modified by the caller. For an individual certificate\n// verification operation, |X509_STORE_CTX_init| initializes the\n// |X509_STORE_CTX|'s parameters with these parameters.\n//\n// WARNING: |X509_STORE_CTX_init| applies some default parameters (as in\n// |X509_VERIFY_PARAM_inherit|) after copying |store|'s parameters. This means\n// it is impossible to leave some parameters unset at |store|. They must be\n// explicitly unset after creating the |X509_STORE_CTX|.\n//\n// As of writing these late defaults are a depth limit (see\n// |X509_VERIFY_PARAM_set_depth|) and the |X509_V_FLAG_TRUSTED_FIRST| flag. This\n// warning does not apply if the parameters were set in |store|.\n//\n// TODO(crbug.com/boringssl/441): This behavior is very surprising. Can we\n// remove this notion of late defaults? The unsettable value at |X509_STORE| is\n// -1, which rejects everything but explicitly-trusted self-signed certificates.\n// |X509_V_FLAG_TRUSTED_FIRST| is mostly a workaround for poor path-building.\nOPENSSL_EXPORT X509_VERIFY_PARAM *X509_STORE_get0_param(X509_STORE *store);\n\n// X509_STORE_set1_param copies verification parameters from |param| as in\n// |X509_VERIFY_PARAM_set1|. It returns one on success and zero on error.\nOPENSSL_EXPORT int X509_STORE_set1_param(X509_STORE *store,\n const X509_VERIFY_PARAM *param);\n\n// X509_STORE_set_flags enables all values in |flags| in |store|'s verification\n// flags. |flags| should be a combination of |X509_V_FLAG_*| constants.\n//\n// WARNING: These flags will be combined with default flags when copied to an\n// |X509_STORE_CTX|. This means it is impossible to unset those defaults from\n// the |X509_STORE|. See discussion in |X509_STORE_get0_param|.\nOPENSSL_EXPORT int X509_STORE_set_flags(X509_STORE *store, unsigned long flags);\n\n// X509_STORE_set_depth configures |store| to, by default, limit certificate\n// chains to |depth| intermediate certificates. This count excludes both the\n// target certificate and the trust anchor (root certificate).\nOPENSSL_EXPORT int X509_STORE_set_depth(X509_STORE *store, int depth);\n\n// X509_STORE_set_purpose configures the purpose check for |store|. See\n// |X509_VERIFY_PARAM_set_purpose| for details.\nOPENSSL_EXPORT int X509_STORE_set_purpose(X509_STORE *store, int purpose);\n\n// X509_STORE_set_trust configures the trust check for |store|. See\n// |X509_VERIFY_PARAM_set_trust| for details.\nOPENSSL_EXPORT int X509_STORE_set_trust(X509_STORE *store, int trust);\n\n// The following constants indicate the type of an |X509_OBJECT|.\n#define X509_LU_NONE 0\n#define X509_LU_X509 1\n#define X509_LU_CRL 2\n#define X509_LU_PKEY 3\n\nDEFINE_STACK_OF(X509_OBJECT)\n\n// X509_OBJECT_new returns a newly-allocated, empty |X509_OBJECT| or NULL on\n// error.\nOPENSSL_EXPORT X509_OBJECT *X509_OBJECT_new(void);\n\n// X509_OBJECT_free releases memory associated with |obj|.\nOPENSSL_EXPORT void X509_OBJECT_free(X509_OBJECT *obj);\n\n// X509_OBJECT_get_type returns the type of |obj|, which will be one of the\n// |X509_LU_*| constants.\nOPENSSL_EXPORT int X509_OBJECT_get_type(const X509_OBJECT *obj);\n\n// X509_OBJECT_get0_X509 returns |obj| as a certificate, or NULL if |obj| is not\n// a certificate.\nOPENSSL_EXPORT X509 *X509_OBJECT_get0_X509(const X509_OBJECT *obj);\n\n// X509_STORE_get1_objects returns a newly-allocated stack containing the\n// contents of |store|, or NULL on error. The caller must release the result\n// with |sk_X509_OBJECT_pop_free| and |X509_OBJECT_free| when done.\n//\n// The result will include all certificates and CRLs added via\n// |X509_STORE_add_cert| and |X509_STORE_add_crl|, as well as any cached objects\n// added by |X509_LOOKUP_add_dir|. The last of these may change over time, as\n// different objects are loaded from the filesystem. Callers should not depend\n// on this caching behavior. The objects are returned in no particular order.\nOPENSSL_EXPORT STACK_OF(X509_OBJECT) *X509_STORE_get1_objects(\n X509_STORE *store);\n\n\n// Certificate verification.\n//\n// An |X509_STORE_CTX| object represents a single certificate verification\n// operation. To verify a certificate chain, callers construct an\n// |X509_STORE_CTX|, initialize it with |X509_STORE_CTX_init|, configure extra\n// parameters with |X509_STORE_CTX_get0_param|, and call |X509_verify_cert|.\n\n// X509_STORE_CTX_new returns a newly-allocated, empty |X509_STORE_CTX|, or NULL\n// on error.\nOPENSSL_EXPORT X509_STORE_CTX *X509_STORE_CTX_new(void);\n\n// X509_STORE_CTX_free releases memory associated with |ctx|.\nOPENSSL_EXPORT void X509_STORE_CTX_free(X509_STORE_CTX *ctx);\n\n// X509_STORE_CTX_init initializes |ctx| to verify |x509|, using trusted\n// certificates and parameters in |store|. It returns one on success and zero on\n// error. |chain| is a list of untrusted intermediate certificates to use in\n// verification.\n//\n// |ctx| stores pointers to |store|, |x509|, and |chain|. Each of these objects\n// must outlive |ctx| and may not be mutated for the duration of the certificate\n// verification.\nOPENSSL_EXPORT int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store,\n X509 *x509, STACK_OF(X509) *chain);\n\n// X509_verify_cert performs certifice verification with |ctx|, which must have\n// been initialized with |X509_STORE_CTX_init|. It returns one on success and\n// zero on error. On success, |X509_STORE_CTX_get0_chain| or\n// |X509_STORE_CTX_get1_chain| may be used to return the verified certificate\n// chain. On error, |X509_STORE_CTX_get_error| may be used to return additional\n// error information.\n//\n// WARNING: Most failure conditions from this function do not use the error\n// queue. Use |X509_STORE_CTX_get_error| to determine the cause of the error.\nOPENSSL_EXPORT int X509_verify_cert(X509_STORE_CTX *ctx);\n\n// X509_STORE_CTX_get0_chain, after a successful |X509_verify_cert| call,\n// returns the verified certificate chain. The chain begins with the leaf and\n// ends with trust anchor.\n//\n// At other points, such as after a failed verification or during the deprecated\n// verification callback, it returns the partial chain built so far. Callers\n// should avoid relying on this as this exposes unstable library implementation\n// details.\nOPENSSL_EXPORT STACK_OF(X509) *X509_STORE_CTX_get0_chain(\n const X509_STORE_CTX *ctx);\n\n// X509_STORE_CTX_get1_chain behaves like |X509_STORE_CTX_get0_chain| but\n// returns a newly-allocated |STACK_OF(X509)| containing the completed chain,\n// with each certificate's reference count incremented. Callers must free the\n// result with |sk_X509_pop_free| and |X509_free| when done.\nOPENSSL_EXPORT STACK_OF(X509) *X509_STORE_CTX_get1_chain(\n const X509_STORE_CTX *ctx);\n\n// The following values are possible outputs of |X509_STORE_CTX_get_error|.\n#define X509_V_OK 0\n#define X509_V_ERR_UNSPECIFIED 1\n#define X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT 2\n#define X509_V_ERR_UNABLE_TO_GET_CRL 3\n#define X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE 4\n#define X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE 5\n#define X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY 6\n#define X509_V_ERR_CERT_SIGNATURE_FAILURE 7\n#define X509_V_ERR_CRL_SIGNATURE_FAILURE 8\n#define X509_V_ERR_CERT_NOT_YET_VALID 9\n#define X509_V_ERR_CERT_HAS_EXPIRED 10\n#define X509_V_ERR_CRL_NOT_YET_VALID 11\n#define X509_V_ERR_CRL_HAS_EXPIRED 12\n#define X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD 13\n#define X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD 14\n#define X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD 15\n#define X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD 16\n#define X509_V_ERR_OUT_OF_MEM 17\n#define X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT 18\n#define X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN 19\n#define X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY 20\n#define X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE 21\n#define X509_V_ERR_CERT_CHAIN_TOO_LONG 22\n#define X509_V_ERR_CERT_REVOKED 23\n#define X509_V_ERR_INVALID_CA 24\n#define X509_V_ERR_PATH_LENGTH_EXCEEDED 25\n#define X509_V_ERR_INVALID_PURPOSE 26\n#define X509_V_ERR_CERT_UNTRUSTED 27\n#define X509_V_ERR_CERT_REJECTED 28\n#define X509_V_ERR_SUBJECT_ISSUER_MISMATCH 29\n#define X509_V_ERR_AKID_SKID_MISMATCH 30\n#define X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH 31\n#define X509_V_ERR_KEYUSAGE_NO_CERTSIGN 32\n#define X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER 33\n#define X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION 34\n#define X509_V_ERR_KEYUSAGE_NO_CRL_SIGN 35\n#define X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION 36\n#define X509_V_ERR_INVALID_NON_CA 37\n#define X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED 38\n#define X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE 39\n#define X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED 40\n#define X509_V_ERR_INVALID_EXTENSION 41\n#define X509_V_ERR_INVALID_POLICY_EXTENSION 42\n#define X509_V_ERR_NO_EXPLICIT_POLICY 43\n#define X509_V_ERR_DIFFERENT_CRL_SCOPE 44\n#define X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE 45\n#define X509_V_ERR_UNNESTED_RESOURCE 46\n#define X509_V_ERR_PERMITTED_VIOLATION 47\n#define X509_V_ERR_EXCLUDED_VIOLATION 48\n#define X509_V_ERR_SUBTREE_MINMAX 49\n#define X509_V_ERR_APPLICATION_VERIFICATION 50\n#define X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE 51\n#define X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX 52\n#define X509_V_ERR_UNSUPPORTED_NAME_SYNTAX 53\n#define X509_V_ERR_CRL_PATH_VALIDATION_ERROR 54\n#define X509_V_ERR_HOSTNAME_MISMATCH 62\n#define X509_V_ERR_EMAIL_MISMATCH 63\n#define X509_V_ERR_IP_ADDRESS_MISMATCH 64\n#define X509_V_ERR_INVALID_CALL 65\n#define X509_V_ERR_STORE_LOOKUP 66\n#define X509_V_ERR_NAME_CONSTRAINTS_WITHOUT_SANS 67\n\n// X509_STORE_CTX_get_error, after |X509_verify_cert| returns, returns\n// |X509_V_OK| if verification succeeded or an |X509_V_ERR_*| describing why\n// verification failed. This will be consistent with |X509_verify_cert|'s return\n// value, unless the caller used the deprecated verification callback (see\n// |X509_STORE_CTX_set_verify_cb|) in a way that breaks |ctx|'s invariants.\n//\n// If called during the deprecated verification callback when |ok| is zero, it\n// returns the current error under consideration.\nOPENSSL_EXPORT int X509_STORE_CTX_get_error(const X509_STORE_CTX *ctx);\n\n// X509_STORE_CTX_set_error sets |ctx|'s error to |err|, which should be\n// |X509_V_OK| or an |X509_V_ERR_*| constant. It is not expected to be called in\n// typical |X509_STORE_CTX| usage, but may be used in callback APIs where\n// applications synthesize |X509_STORE_CTX| error conditions. See also\n// |X509_STORE_CTX_set_verify_cb| and |SSL_CTX_set_cert_verify_callback|.\nOPENSSL_EXPORT void X509_STORE_CTX_set_error(X509_STORE_CTX *ctx, int err);\n\n// X509_verify_cert_error_string returns |err| as a human-readable string, where\n// |err| should be one of the |X509_V_*| values. If |err| is unknown, it returns\n// a default description.\nOPENSSL_EXPORT const char *X509_verify_cert_error_string(long err);\n\n// X509_STORE_CTX_get_error_depth returns the depth at which the error returned\n// by |X509_STORE_CTX_get_error| occured. This is zero-indexed integer into the\n// certificate chain. Zero indicates the target certificate, one its issuer, and\n// so on.\nOPENSSL_EXPORT int X509_STORE_CTX_get_error_depth(const X509_STORE_CTX *ctx);\n\n// X509_STORE_CTX_get_current_cert returns the certificate which caused the\n// error returned by |X509_STORE_CTX_get_error|.\nOPENSSL_EXPORT X509 *X509_STORE_CTX_get_current_cert(const X509_STORE_CTX *ctx);\n\n// X509_STORE_CTX_get0_current_crl returns the CRL which caused the error\n// returned by |X509_STORE_CTX_get_error|.\nOPENSSL_EXPORT X509_CRL *X509_STORE_CTX_get0_current_crl(\n const X509_STORE_CTX *ctx);\n\n// X509_STORE_CTX_get0_store returns the |X509_STORE| that |ctx| uses.\nOPENSSL_EXPORT X509_STORE *X509_STORE_CTX_get0_store(const X509_STORE_CTX *ctx);\n\n// X509_STORE_CTX_get0_cert returns the leaf certificate that |ctx| is\n// verifying.\nOPENSSL_EXPORT X509 *X509_STORE_CTX_get0_cert(const X509_STORE_CTX *ctx);\n\n// X509_STORE_CTX_get0_untrusted returns the stack of untrusted intermediates\n// used by |ctx| for certificate verification.\nOPENSSL_EXPORT STACK_OF(X509) *X509_STORE_CTX_get0_untrusted(\n const X509_STORE_CTX *ctx);\n\n// X509_STORE_CTX_set0_trusted_stack configures |ctx| to trust the certificates\n// in |sk|. |sk| must remain valid for the duration of |ctx|. Calling this\n// function causes |ctx| to ignore any certificates configured in the\n// |X509_STORE|. Certificates in |sk| are still subject to the check described\n// in |X509_VERIFY_PARAM_set_trust|.\n//\n// WARNING: This function differs from most |set0| functions in that it does not\n// take ownership of its input. The caller is required to ensure the lifetimes\n// are consistent.\nOPENSSL_EXPORT void X509_STORE_CTX_set0_trusted_stack(X509_STORE_CTX *ctx,\n STACK_OF(X509) *sk);\n\n// X509_STORE_CTX_set0_crls configures |ctx| to consider the CRLs in |sk| as\n// candidates for CRL lookup. |sk| must remain valid for the duration of |ctx|.\n// These CRLs are considered in addition to CRLs found in |X509_STORE|.\n//\n// WARNING: This function differs from most |set0| functions in that it does not\n// take ownership of its input. The caller is required to ensure the lifetimes\n// are consistent.\nOPENSSL_EXPORT void X509_STORE_CTX_set0_crls(X509_STORE_CTX *ctx,\n STACK_OF(X509_CRL) *sk);\n\n// X509_STORE_CTX_set_default looks up the set of parameters named |name| and\n// applies those default verification parameters for |ctx|. As in\n// |X509_VERIFY_PARAM_inherit|, only unset parameters are changed. This function\n// returns one on success and zero on error.\n//\n// The supported values of |name| are:\n// - \"default\" is an internal value which configures some late defaults. See the\n// discussion in |X509_STORE_get0_param|.\n// - \"pkcs7\" configures default trust and purpose checks for PKCS#7 signatures.\n// - \"smime_sign\" configures trust and purpose checks for S/MIME signatures.\n// - \"ssl_client\" configures trust and purpose checks for TLS clients.\n// - \"ssl_server\" configures trust and purpose checks for TLS servers.\n//\n// TODO(crbug.com/boringssl/441): Make \"default\" a no-op.\nOPENSSL_EXPORT int X509_STORE_CTX_set_default(X509_STORE_CTX *ctx,\n const char *name);\n\n// X509_STORE_CTX_get0_param returns |ctx|'s verification parameters. This\n// object is mutable and may be modified by the caller.\nOPENSSL_EXPORT X509_VERIFY_PARAM *X509_STORE_CTX_get0_param(\n X509_STORE_CTX *ctx);\n\n// X509_STORE_CTX_set0_param returns |ctx|'s verification parameters to |param|\n// and takes ownership of |param|. After this function returns, the caller\n// should not free |param|.\n//\n// WARNING: This function discards any values which were previously applied in\n// |ctx|, including the \"default\" parameters applied late in\n// |X509_STORE_CTX_init|. These late defaults are not applied to parameters\n// created standalone by |X509_VERIFY_PARAM_new|.\n//\n// TODO(crbug.com/boringssl/441): This behavior is very surprising. Should we\n// re-apply the late defaults in |param|, or somehow avoid this notion of late\n// defaults altogether?\nOPENSSL_EXPORT void X509_STORE_CTX_set0_param(X509_STORE_CTX *ctx,\n X509_VERIFY_PARAM *param);\n\n// X509_STORE_CTX_set_flags enables all values in |flags| in |ctx|'s\n// verification flags. |flags| should be a combination of |X509_V_FLAG_*|\n// constants.\nOPENSSL_EXPORT void X509_STORE_CTX_set_flags(X509_STORE_CTX *ctx,\n unsigned long flags);\n\n// X509_STORE_CTX_set_time configures certificate verification to use |t|\n// instead of the current time. |flags| is ignored and should be zero.\nOPENSSL_EXPORT void X509_STORE_CTX_set_time(X509_STORE_CTX *ctx,\n unsigned long flags, time_t t);\n\n// X509_STORE_CTX_set_time_posix configures certificate verification to use |t|\n// instead of the current time. |t| is interpreted as a POSIX timestamp in\n// seconds. |flags| is ignored and should be zero.\nOPENSSL_EXPORT void X509_STORE_CTX_set_time_posix(X509_STORE_CTX *ctx,\n unsigned long flags,\n int64_t t);\n\n// X509_STORE_CTX_set_depth configures |ctx| to, by default, limit certificate\n// chains to |depth| intermediate certificates. This count excludes both the\n// target certificate and the trust anchor (root certificate).\nOPENSSL_EXPORT void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth);\n\n// X509_STORE_CTX_set_purpose simultaneously configures |ctx|'s purpose and\n// trust checks, if unset. It returns one on success and zero if |purpose| is\n// not a valid purpose value. |purpose| should be an |X509_PURPOSE_*| constant.\n// If so, it configures |ctx| with a purpose check of |purpose| and a trust\n// check of |purpose|'s corresponding trust value. If either the purpose or\n// trust check had already been specified for |ctx|, that corresponding\n// modification is silently dropped.\n//\n// See |X509_VERIFY_PARAM_set_purpose| and |X509_VERIFY_PARAM_set_trust| for\n// details on the purpose and trust checks, respectively.\n//\n// If |purpose| is |X509_PURPOSE_ANY|, this function returns an error because it\n// has no corresponding |X509_TRUST_*| value. It is not possible to set\n// |X509_PURPOSE_ANY| with this function, only |X509_VERIFY_PARAM_set_purpose|.\n//\n// WARNING: Unlike similarly named functions in this header, this function\n// silently does not behave the same as |X509_VERIFY_PARAM_set_purpose|. Callers\n// may use |X509_VERIFY_PARAM_set_purpose| with |X509_STORE_CTX_get0_param| to\n// avoid this difference.\nOPENSSL_EXPORT int X509_STORE_CTX_set_purpose(X509_STORE_CTX *ctx, int purpose);\n\n// X509_STORE_CTX_set_trust configures |ctx|'s trust check, if unset. It returns\n// one on success and zero if |trust| is not a valid trust value. |trust| should\n// be an |X509_TRUST_*| constant. If so, it configures |ctx| with a trust check\n// of |trust|. If the trust check had already been specified for |ctx|, it\n// silently does nothing.\n//\n// See |X509_VERIFY_PARAM_set_trust| for details on the purpose and trust check.\n//\n// WARNING: Unlike similarly named functions in this header, this function\n// does not behave the same as |X509_VERIFY_PARAM_set_trust|. Callers may use\n// |X509_VERIFY_PARAM_set_trust| with |X509_STORE_CTX_get0_param| to avoid this\n// difference.\nOPENSSL_EXPORT int X509_STORE_CTX_set_trust(X509_STORE_CTX *ctx, int trust);\n\n\n// Verification parameters.\n//\n// An |X509_VERIFY_PARAM| contains a set of parameters for certificate\n// verification.\n\n// X509_VERIFY_PARAM_new returns a newly-allocated |X509_VERIFY_PARAM|, or NULL\n// on error.\nOPENSSL_EXPORT X509_VERIFY_PARAM *X509_VERIFY_PARAM_new(void);\n\n// X509_VERIFY_PARAM_free releases memory associated with |param|.\nOPENSSL_EXPORT void X509_VERIFY_PARAM_free(X509_VERIFY_PARAM *param);\n\n// X509_VERIFY_PARAM_inherit applies |from| as the default values for |to|. That\n// is, for each parameter that is unset in |to|, it copies the value in |from|.\n// This function returns one on success and zero on error.\nOPENSSL_EXPORT int X509_VERIFY_PARAM_inherit(X509_VERIFY_PARAM *to,\n const X509_VERIFY_PARAM *from);\n\n// X509_VERIFY_PARAM_set1 copies parameters from |from| to |to|. If a parameter\n// is unset in |from|, the existing value in |to| is preserved. This function\n// returns one on success and zero on error.\nOPENSSL_EXPORT int X509_VERIFY_PARAM_set1(X509_VERIFY_PARAM *to,\n const X509_VERIFY_PARAM *from);\n\n// X509_V_FLAG_* are flags for |X509_VERIFY_PARAM_set_flags| and\n// |X509_VERIFY_PARAM_clear_flags|.\n\n// X509_V_FLAG_CB_ISSUER_CHECK causes the deprecated verify callback (see\n// |X509_STORE_CTX_set_verify_cb|) to be called for errors while matching\n// subject and issuer certificates.\n#define X509_V_FLAG_CB_ISSUER_CHECK 0x1\n// X509_V_FLAG_USE_CHECK_TIME is an internal flag used to track whether\n// |X509_STORE_CTX_set_time| has been used. If cleared, the system time is\n// restored.\n#define X509_V_FLAG_USE_CHECK_TIME 0x2\n// X509_V_FLAG_CRL_CHECK enables CRL lookup and checking for the leaf.\n#define X509_V_FLAG_CRL_CHECK 0x4\n// X509_V_FLAG_CRL_CHECK_ALL enables CRL lookup and checking for the entire\n// certificate chain. |X509_V_FLAG_CRL_CHECK| must be set for this flag to take\n// effect.\n#define X509_V_FLAG_CRL_CHECK_ALL 0x8\n// X509_V_FLAG_IGNORE_CRITICAL ignores unhandled critical extensions. Do not use\n// this option. Critical extensions ensure the verifier does not bypass\n// unrecognized security restrictions in certificates.\n#define X509_V_FLAG_IGNORE_CRITICAL 0x10\n// X509_V_FLAG_X509_STRICT does nothing. Its functionality has been enabled by\n// default.\n#define X509_V_FLAG_X509_STRICT 0x00\n// X509_V_FLAG_ALLOW_PROXY_CERTS does nothing. Proxy certificate support has\n// been removed.\n#define X509_V_FLAG_ALLOW_PROXY_CERTS 0x40\n// X509_V_FLAG_POLICY_CHECK does nothing. Policy checking is always enabled.\n#define X509_V_FLAG_POLICY_CHECK 0x80\n// X509_V_FLAG_EXPLICIT_POLICY requires some policy OID to be asserted by the\n// final certificate chain. See initial-explicit-policy from RFC 5280,\n// section 6.1.1.\n#define X509_V_FLAG_EXPLICIT_POLICY 0x100\n// X509_V_FLAG_INHIBIT_ANY inhibits the anyPolicy OID. See\n// initial-any-policy-inhibit from RFC 5280, section 6.1.1.\n#define X509_V_FLAG_INHIBIT_ANY 0x200\n// X509_V_FLAG_INHIBIT_MAP inhibits policy mapping. See\n// initial-policy-mapping-inhibit from RFC 5280, section 6.1.1.\n#define X509_V_FLAG_INHIBIT_MAP 0x400\n// X509_V_FLAG_NOTIFY_POLICY does nothing. Its functionality has been removed.\n#define X509_V_FLAG_NOTIFY_POLICY 0x800\n// X509_V_FLAG_EXTENDED_CRL_SUPPORT causes all verifications to fail. Extended\n// CRL features have been removed.\n#define X509_V_FLAG_EXTENDED_CRL_SUPPORT 0x1000\n// X509_V_FLAG_USE_DELTAS causes all verifications to fail. Delta CRL support\n// has been removed.\n#define X509_V_FLAG_USE_DELTAS 0x2000\n// X509_V_FLAG_CHECK_SS_SIGNATURE checks the redundant signature on self-signed\n// trust anchors. This check provides no security benefit and only wastes CPU.\n#define X509_V_FLAG_CHECK_SS_SIGNATURE 0x4000\n// X509_V_FLAG_TRUSTED_FIRST, during path-building, checks for a match in the\n// trust store before considering an untrusted intermediate. This flag is\n// enabled by default.\n#define X509_V_FLAG_TRUSTED_FIRST 0x8000\n// X509_V_FLAG_PARTIAL_CHAIN treats all trusted certificates as trust anchors,\n// independent of the |X509_VERIFY_PARAM_set_trust| setting.\n#define X509_V_FLAG_PARTIAL_CHAIN 0x80000\n// X509_V_FLAG_NO_ALT_CHAINS disables building alternative chains if the initial\n// one was rejected.\n#define X509_V_FLAG_NO_ALT_CHAINS 0x100000\n// X509_V_FLAG_NO_CHECK_TIME disables all time checks in certificate\n// verification.\n#define X509_V_FLAG_NO_CHECK_TIME 0x200000\n\n// X509_VERIFY_PARAM_set_flags enables all values in |flags| in |param|'s\n// verification flags and returns one. |flags| should be a combination of\n// |X509_V_FLAG_*| constants.\nOPENSSL_EXPORT int X509_VERIFY_PARAM_set_flags(X509_VERIFY_PARAM *param,\n unsigned long flags);\n\n// X509_VERIFY_PARAM_clear_flags disables all values in |flags| in |param|'s\n// verification flags and returns one. |flags| should be a combination of\n// |X509_V_FLAG_*| constants.\nOPENSSL_EXPORT int X509_VERIFY_PARAM_clear_flags(X509_VERIFY_PARAM *param,\n unsigned long flags);\n\n// X509_VERIFY_PARAM_get_flags returns |param|'s verification flags.\nOPENSSL_EXPORT unsigned long X509_VERIFY_PARAM_get_flags(\n const X509_VERIFY_PARAM *param);\n\n// X509_VERIFY_PARAM_set_depth configures |param| to limit certificate chains to\n// |depth| intermediate certificates. This count excludes both the target\n// certificate and the trust anchor (root certificate).\nOPENSSL_EXPORT void X509_VERIFY_PARAM_set_depth(X509_VERIFY_PARAM *param,\n int depth);\n\n// X509_VERIFY_PARAM_get_depth returns the maximum depth configured in |param|.\n// See |X509_VERIFY_PARAM_set_depth|.\nOPENSSL_EXPORT int X509_VERIFY_PARAM_get_depth(const X509_VERIFY_PARAM *param);\n\n// X509_VERIFY_PARAM_set_time configures certificate verification to use |t|\n// instead of the current time.\nOPENSSL_EXPORT void X509_VERIFY_PARAM_set_time(X509_VERIFY_PARAM *param,\n time_t t);\n\n// X509_VERIFY_PARAM_set_time_posix configures certificate verification to use\n// |t| instead of the current time. |t| is interpreted as a POSIX timestamp in\n// seconds.\nOPENSSL_EXPORT void X509_VERIFY_PARAM_set_time_posix(X509_VERIFY_PARAM *param,\n int64_t t);\n\n// X509_VERIFY_PARAM_add0_policy adds |policy| to the user-initial-policy-set\n// (see Section 6.1.1 of RFC 5280). On success, it takes ownership of\n// |policy| and returns one. Otherwise, it returns zero and the caller retains\n// owneship of |policy|.\nOPENSSL_EXPORT int X509_VERIFY_PARAM_add0_policy(X509_VERIFY_PARAM *param,\n ASN1_OBJECT *policy);\n\n// X509_VERIFY_PARAM_set1_policies sets the user-initial-policy-set (see\n// Section 6.1.1 of RFC 5280) to a copy of |policies|. It returns one on success\n// and zero on error.\nOPENSSL_EXPORT int X509_VERIFY_PARAM_set1_policies(\n X509_VERIFY_PARAM *param, const STACK_OF(ASN1_OBJECT) *policies);\n\n// X509_VERIFY_PARAM_set1_host configures |param| to check for the DNS name\n// specified by |name|. It returns one on success and zero on error.\n//\n// By default, both subject alternative names and the subject's common name\n// attribute are checked. The latter has long been deprecated, so callers should\n// call |X509_VERIFY_PARAM_set_hostflags| with\n// |X509_CHECK_FLAG_NEVER_CHECK_SUBJECT| to use the standard behavior.\n// https://crbug.com/boringssl/464 tracks fixing the default.\nOPENSSL_EXPORT int X509_VERIFY_PARAM_set1_host(X509_VERIFY_PARAM *param,\n const char *name,\n size_t name_len);\n\n// X509_VERIFY_PARAM_add1_host adds |name| to the list of names checked by\n// |param|. If any configured DNS name matches the certificate, verification\n// succeeds. It returns one on success and zero on error.\n//\n// By default, both subject alternative names and the subject's common name\n// attribute are checked. The latter has long been deprecated, so callers should\n// call |X509_VERIFY_PARAM_set_hostflags| with\n// |X509_CHECK_FLAG_NEVER_CHECK_SUBJECT| to use the standard behavior.\n// https://crbug.com/boringssl/464 tracks fixing the default.\nOPENSSL_EXPORT int X509_VERIFY_PARAM_add1_host(X509_VERIFY_PARAM *param,\n const char *name,\n size_t name_len);\n\n// X509_CHECK_FLAG_NO_WILDCARDS disables wildcard matching for DNS names.\n#define X509_CHECK_FLAG_NO_WILDCARDS 0x2\n\n// X509_CHECK_FLAG_NEVER_CHECK_SUBJECT disables the subject fallback, normally\n// enabled when subjectAltNames is missing.\n#define X509_CHECK_FLAG_NEVER_CHECK_SUBJECT 0x20\n\n// X509_VERIFY_PARAM_set_hostflags sets the name-checking flags on |param| to\n// |flags|. |flags| should be a combination of |X509_CHECK_FLAG_*| constants.\nOPENSSL_EXPORT void X509_VERIFY_PARAM_set_hostflags(X509_VERIFY_PARAM *param,\n unsigned int flags);\n\n// X509_VERIFY_PARAM_set1_email configures |param| to check for the email\n// address specified by |email|. It returns one on success and zero on error.\n//\n// By default, both subject alternative names and the subject's email address\n// attribute are checked. The |X509_CHECK_FLAG_NEVER_CHECK_SUBJECT| flag may be\n// used to change this behavior.\nOPENSSL_EXPORT int X509_VERIFY_PARAM_set1_email(X509_VERIFY_PARAM *param,\n const char *email,\n size_t email_len);\n\n// X509_VERIFY_PARAM_set1_ip configures |param| to check for the IP address\n// specified by |ip|. It returns one on success and zero on error. The IP\n// address is specified in its binary representation. |ip_len| must be 4 for an\n// IPv4 address and 16 for an IPv6 address.\nOPENSSL_EXPORT int X509_VERIFY_PARAM_set1_ip(X509_VERIFY_PARAM *param,\n const uint8_t *ip, size_t ip_len);\n\n// X509_VERIFY_PARAM_set1_ip_asc decodes |ipasc| as the ASCII representation of\n// an IPv4 or IPv6 address, and configures |param| to check for it. It returns\n// one on success and zero on error.\nOPENSSL_EXPORT int X509_VERIFY_PARAM_set1_ip_asc(X509_VERIFY_PARAM *param,\n const char *ipasc);\n\n// X509_PURPOSE_SSL_CLIENT validates TLS client certificates. It checks for the\n// id-kp-clientAuth EKU and one of digitalSignature or keyAgreement key usages.\n// The TLS library is expected to check for the key usage specific to the\n// negotiated TLS parameters.\n#define X509_PURPOSE_SSL_CLIENT 1\n// X509_PURPOSE_SSL_SERVER validates TLS server certificates. It checks for the\n// id-kp-clientAuth EKU and one of digitalSignature, keyAgreement, or\n// keyEncipherment key usages. The TLS library is expected to check for the key\n// usage specific to the negotiated TLS parameters.\n#define X509_PURPOSE_SSL_SERVER 2\n// X509_PURPOSE_NS_SSL_SERVER is a legacy mode. It behaves like\n// |X509_PURPOSE_SSL_SERVER|, but only accepts the keyEncipherment key usage,\n// used by SSL 2.0 and RSA key exchange. Do not use this.\n#define X509_PURPOSE_NS_SSL_SERVER 3\n// X509_PURPOSE_SMIME_SIGN validates S/MIME signing certificates. It checks for\n// the id-kp-emailProtection EKU and one of digitalSignature or nonRepudiation\n// key usages.\n#define X509_PURPOSE_SMIME_SIGN 4\n// X509_PURPOSE_SMIME_ENCRYPT validates S/MIME encryption certificates. It\n// checks for the id-kp-emailProtection EKU and keyEncipherment key usage.\n#define X509_PURPOSE_SMIME_ENCRYPT 5\n// X509_PURPOSE_CRL_SIGN validates indirect CRL signers. It checks for the\n// cRLSign key usage. BoringSSL does not support indirect CRLs and does not use\n// this mode.\n#define X509_PURPOSE_CRL_SIGN 6\n// X509_PURPOSE_ANY performs no EKU or key usage checks. Such checks are the\n// responsibility of the caller.\n#define X509_PURPOSE_ANY 7\n// X509_PURPOSE_OCSP_HELPER performs no EKU or key usage checks. It was\n// historically used in OpenSSL's OCSP implementation, which left those checks\n// to the OCSP implementation itself.\n#define X509_PURPOSE_OCSP_HELPER 8\n// X509_PURPOSE_TIMESTAMP_SIGN validates Time Stamping Authority (RFC 3161)\n// certificates. It checks for the id-kp-timeStamping EKU and one of\n// digitalSignature or nonRepudiation key usages. It additionally checks that\n// the EKU extension is critical and that no other EKUs or key usages are\n// asserted.\n#define X509_PURPOSE_TIMESTAMP_SIGN 9\n\n// X509_VERIFY_PARAM_set_purpose configures |param| to validate certificates for\n// a specified purpose. It returns one on success and zero if |purpose| is not a\n// valid purpose type. |purpose| should be one of the |X509_PURPOSE_*| values.\n//\n// This option controls checking the extended key usage (EKU) and key usage\n// extensions. These extensions specify how a certificate's public key may be\n// used and are important to avoid cross-protocol attacks, particularly in PKIs\n// that may issue certificates for multiple protocols, or for protocols that use\n// keys in multiple ways. If not configured, these security checks are the\n// caller's responsibility.\n//\n// This library applies the EKU checks to all untrusted intermediates. Although\n// not defined in RFC 5280, this matches widely-deployed practice. It also does\n// not accept anyExtendedKeyUsage.\n//\n// Many purpose values have a corresponding trust value, which is not configured\n// by this function. See |X509_VERIFY_PARAM_set_trust| for details. Callers\n// that wish to configure both should either call both functions, or use\n// |X509_STORE_CTX_set_purpose|.\n//\n// It is currently not possible to configure custom EKU OIDs or key usage bits.\n// Contact the BoringSSL maintainers if your application needs to do so. OpenSSL\n// had an |X509_PURPOSE_add| API, but it was not thread-safe and relied on\n// global mutable state, so we removed it.\n//\n// TODO(davidben): This function additionally configures checking the legacy\n// Netscape certificate type extension. Remove this.\nOPENSSL_EXPORT int X509_VERIFY_PARAM_set_purpose(X509_VERIFY_PARAM *param,\n int purpose);\n\n// X509_TRUST_COMPAT evaluates trust using only the self-signed fallback. Trust\n// and distrust OIDs are ignored.\n#define X509_TRUST_COMPAT 1\n// X509_TRUST_SSL_CLIENT evaluates trust with the |NID_client_auth| OID, for\n// validating TLS client certificates.\n#define X509_TRUST_SSL_CLIENT 2\n// X509_TRUST_SSL_SERVER evaluates trust with the |NID_server_auth| OID, for\n// validating TLS server certificates.\n#define X509_TRUST_SSL_SERVER 3\n// X509_TRUST_EMAIL evaluates trust with the |NID_email_protect| OID, for\n// validating S/MIME email certificates.\n#define X509_TRUST_EMAIL 4\n// X509_TRUST_OBJECT_SIGN evaluates trust with the |NID_code_sign| OID, for\n// validating code signing certificates.\n#define X509_TRUST_OBJECT_SIGN 5\n// X509_TRUST_TSA evaluates trust with the |NID_time_stamp| OID, for validating\n// Time Stamping Authority (RFC 3161) certificates.\n#define X509_TRUST_TSA 8\n\n// X509_VERIFY_PARAM_set_trust configures which certificates from |X509_STORE|\n// are trust anchors. It returns one on success and zero if |trust| is not a\n// valid trust value. |trust| should be one of the |X509_TRUST_*| constants.\n// This function allows applications to vary trust anchors when the same set of\n// trusted certificates is used in multiple contexts.\n//\n// Two properties determine whether a certificate is a trust anchor:\n//\n// - Whether it is trusted or distrusted for some OID, via auxiliary information\n// configured by |X509_add1_trust_object| or |X509_add1_reject_object|.\n//\n// - Whether it is \"self-signed\". That is, whether |X509_get_extension_flags|\n// includes |EXFLAG_SS|. The signature itself is not checked.\n//\n// When this function is called, |trust| determines the OID to check in the\n// first case. If the certificate is not explicitly trusted or distrusted for\n// any OID, it is trusted if self-signed instead.\n//\n// If unset, the default behavior is to check for the |NID_anyExtendedKeyUsage|\n// OID. If the certificate is not explicitly trusted or distrusted for this OID,\n// it is trusted if self-signed instead. Note this slightly differs from the\n// above.\n//\n// If the |X509_V_FLAG_PARTIAL_CHAIN| is set, every certificate from\n// |X509_STORE| is a trust anchor, unless it was explicitly distrusted for the\n// OID.\n//\n// It is currently not possible to configure custom trust OIDs. Contact the\n// BoringSSL maintainers if your application needs to do so. OpenSSL had an\n// |X509_TRUST_add| API, but it was not thread-safe and relied on global mutable\n// state, so we removed it.\nOPENSSL_EXPORT int X509_VERIFY_PARAM_set_trust(X509_VERIFY_PARAM *param,\n int trust);\n\n\n// Filesystem-based certificate stores.\n//\n// An |X509_STORE| may be configured to get its contents from the filesystem.\n// This is done by adding |X509_LOOKUP| structures to the |X509_STORE| with\n// |X509_STORE_add_lookup| and then configuring the |X509_LOOKUP| with paths.\n//\n// Most cases can use |X509_STORE_load_locations|, which configures the same\n// thing but is simpler to use.\n\n// X509_STORE_load_locations configures |store| to load data from filepaths\n// |file| and |dir|. It returns one on success and zero on error. Either of\n// |file| or |dir| may be NULL, but at least one must be non-NULL.\n//\n// If |file| is non-NULL, it loads CRLs and trusted certificates in PEM format\n// from the file at |file|, and them to |store|, as in |X509_load_cert_crl_file|\n// with |X509_FILETYPE_PEM|.\n//\n// If |dir| is non-NULL, it configures |store| to load CRLs and trusted\n// certificates from the directory at |dir| in PEM format, as in\n// |X509_LOOKUP_add_dir| with |X509_FILETYPE_PEM|.\nOPENSSL_EXPORT int X509_STORE_load_locations(X509_STORE *store,\n const char *file, const char *dir);\n\n// X509_STORE_add_lookup returns an |X509_LOOKUP| associated with |store| with\n// type |method|, or NULL on error. The result is owned by |store|, so callers\n// are not expected to free it. This may be used with |X509_LOOKUP_add_dir| or\n// |X509_LOOKUP_load_file|, depending on |method|, to configure |store|.\n//\n// A single |X509_LOOKUP| may be configured with multiple paths, and an\n// |X509_STORE| only contains one |X509_LOOKUP| of each type, so there is no\n// need to call this function multiple times for a single type. Calling it\n// multiple times will return the previous |X509_LOOKUP| of that type.\nOPENSSL_EXPORT X509_LOOKUP *X509_STORE_add_lookup(\n X509_STORE *store, const X509_LOOKUP_METHOD *method);\n\n// X509_LOOKUP_hash_dir creates |X509_LOOKUP|s that may be used with\n// |X509_LOOKUP_add_dir|.\nOPENSSL_EXPORT const X509_LOOKUP_METHOD *X509_LOOKUP_hash_dir(void);\n\n// X509_LOOKUP_file creates |X509_LOOKUP|s that may be used with\n// |X509_LOOKUP_load_file|.\n//\n// Although this is modeled as an |X509_LOOKUP|, this function is redundant. It\n// has the same effect as loading a certificate or CRL from the filesystem, in\n// the caller's desired format, and then adding it with |X509_STORE_add_cert|\n// and |X509_STORE_add_crl|.\nOPENSSL_EXPORT const X509_LOOKUP_METHOD *X509_LOOKUP_file(void);\n\n// The following constants are used to specify the format of files in an\n// |X509_LOOKUP|.\n#define X509_FILETYPE_PEM 1\n#define X509_FILETYPE_ASN1 2\n#define X509_FILETYPE_DEFAULT 3\n\n// X509_LOOKUP_load_file calls |X509_load_cert_crl_file|. |lookup| must have\n// been constructed with |X509_LOOKUP_file|.\n//\n// If |type| is |X509_FILETYPE_DEFAULT|, it ignores |file| and instead uses some\n// default system path with |X509_FILETYPE_PEM|. See also\n// |X509_STORE_set_default_paths|.\nOPENSSL_EXPORT int X509_LOOKUP_load_file(X509_LOOKUP *lookup, const char *file,\n int type);\n\n// X509_LOOKUP_add_dir configures |lookup| to load CRLs and trusted certificates\n// from the directories in |path|. It returns one on success and zero on error.\n// |lookup| must have been constructed with |X509_LOOKUP_hash_dir|.\n//\n// WARNING: |path| is interpreted as a colon-separated (semicolon-separated on\n// Windows) list of paths. It is not possible to configure a path containing the\n// separator character. https://crbug.com/boringssl/691 tracks removing this\n// behavior.\n//\n// |type| should be one of the |X509_FILETYPE_*| constants and determines the\n// format of the files. If |type| is |X509_FILETYPE_DEFAULT|, |path| is ignored\n// and some default system path is used with |X509_FILETYPE_PEM|. See also\n// |X509_STORE_set_default_paths|.\n//\n// Trusted certificates should be named HASH.N and CRLs should be\n// named HASH.rN. HASH is |X509_NAME_hash| of the certificate subject and CRL\n// issuer, respectively, in hexadecimal. N is in decimal and counts hash\n// collisions consecutively, starting from zero. For example, \"002c0b4f.0\" and\n// \"002c0b4f.r0\".\n//\n// WARNING: Objects from |path| are loaded on demand, but cached in memory on\n// the |X509_STORE|. If a CA is removed from the directory, existing\n// |X509_STORE|s will continue to trust it. Cache entries are not evicted for\n// the lifetime of the |X509_STORE|.\n//\n// WARNING: This mechanism is also not well-suited for CRL updates.\n// |X509_STORE|s rely on this cache and never load the same CRL file twice. CRL\n// updates must use a new file, with an incremented suffix, to be reflected in\n// existing |X509_STORE|s. However, this means each CRL update will use\n// additional storage and memory. Instead, configure inputs that vary per\n// verification, such as CRLs, on each |X509_STORE_CTX| separately, using\n// functions like |X509_STORE_CTX_set0_crl|.\nOPENSSL_EXPORT int X509_LOOKUP_add_dir(X509_LOOKUP *lookup, const char *path,\n int type);\n\n// X509_L_* are commands for |X509_LOOKUP_ctrl|.\n#define X509_L_FILE_LOAD 1\n#define X509_L_ADD_DIR 2\n\n// X509_LOOKUP_ctrl implements commands on |lookup|. |cmd| specifies the\n// command. The other arguments specify the operation in a command-specific way.\n// Use |X509_LOOKUP_load_file| or |X509_LOOKUP_add_dir| instead.\nOPENSSL_EXPORT int X509_LOOKUP_ctrl(X509_LOOKUP *lookup, int cmd,\n const char *argc, long argl, char **ret);\n\n// X509_load_cert_file loads trusted certificates from |file| and adds them to\n// |lookup|'s |X509_STORE|. It returns one on success and zero on error.\n//\n// If |type| is |X509_FILETYPE_ASN1|, it loads a single DER-encoded certificate.\n// If |type| is |X509_FILETYPE_PEM|, it loads a sequence of PEM-encoded\n// certificates. |type| may not be |X509_FILETYPE_DEFAULT|.\nOPENSSL_EXPORT int X509_load_cert_file(X509_LOOKUP *lookup, const char *file,\n int type);\n\n// X509_load_crl_file loads CRLs from |file| and add them it to |lookup|'s\n// |X509_STORE|. It returns one on success and zero on error.\n//\n// If |type| is |X509_FILETYPE_ASN1|, it loads a single DER-encoded CRL. If\n// |type| is |X509_FILETYPE_PEM|, it loads a sequence of PEM-encoded CRLs.\n// |type| may not be |X509_FILETYPE_DEFAULT|.\nOPENSSL_EXPORT int X509_load_crl_file(X509_LOOKUP *lookup, const char *file,\n int type);\n\n// X509_load_cert_crl_file loads CRLs and trusted certificates from |file| and\n// adds them to |lookup|'s |X509_STORE|. It returns one on success and zero on\n// error.\n//\n// If |type| is |X509_FILETYPE_ASN1|, it loads a single DER-encoded certificate.\n// This function cannot be used to load a DER-encoded CRL. If |type| is\n// |X509_FILETYPE_PEM|, it loads a sequence of PEM-encoded certificates and\n// CRLs. |type| may not be |X509_FILETYPE_DEFAULT|.\nOPENSSL_EXPORT int X509_load_cert_crl_file(X509_LOOKUP *lookup,\n const char *file, int type);\n\n// X509_NAME_hash returns a hash of |name|, or zero on error. This is the new\n// hash used by |X509_LOOKUP_add_dir|.\n//\n// This hash is specific to the |X509_LOOKUP_add_dir| filesystem format and is\n// not suitable for general-purpose X.509 name processing. It is very short, so\n// there will be hash collisions. It also depends on an OpenSSL-specific\n// canonicalization process.\n//\n// TODO(https://crbug.com/boringssl/407): This should be const and thread-safe\n// but currently is neither, notably if |name| was modified from its parsed\n// value.\nOPENSSL_EXPORT uint32_t X509_NAME_hash(X509_NAME *name);\n\n// X509_NAME_hash_old returns a hash of |name|, or zero on error. This is the\n// legacy hash used by |X509_LOOKUP_add_dir|, which is still supported for\n// compatibility.\n//\n// This hash is specific to the |X509_LOOKUP_add_dir| filesystem format and is\n// not suitable for general-purpose X.509 name processing. It is very short, so\n// there will be hash collisions.\n//\n// TODO(https://crbug.com/boringssl/407): This should be const and thread-safe\n// but currently is neither, notably if |name| was modified from its parsed\n// value.\nOPENSSL_EXPORT uint32_t X509_NAME_hash_old(X509_NAME *name);\n\n// X509_STORE_set_default_paths configures |store| to read from some \"default\"\n// filesystem paths. It returns one on success and zero on error. The filesystem\n// paths are determined by a combination of hardcoded paths and the SSL_CERT_DIR\n// and SSL_CERT_FILE environment variables.\n//\n// Using this function is not recommended. In OpenSSL, these defaults are\n// determined by OpenSSL's install prefix. There is no corresponding concept for\n// BoringSSL. Future versions of BoringSSL may change or remove this\n// functionality.\nOPENSSL_EXPORT int X509_STORE_set_default_paths(X509_STORE *store);\n\n// The following functions return filesystem paths used to determine the above\n// \"default\" paths, when the corresponding environment variables are not set.\n//\n// Using these functions is not recommended. In OpenSSL, these defaults are\n// determined by OpenSSL's install prefix. There is no corresponding concept for\n// BoringSSL. Future versions of BoringSSL may change or remove this\n// functionality.\nOPENSSL_EXPORT const char *X509_get_default_cert_area(void);\nOPENSSL_EXPORT const char *X509_get_default_cert_dir(void);\nOPENSSL_EXPORT const char *X509_get_default_cert_file(void);\nOPENSSL_EXPORT const char *X509_get_default_private_dir(void);\n\n// X509_get_default_cert_dir_env returns \"SSL_CERT_DIR\", an environment variable\n// used to determine the above \"default\" paths.\nOPENSSL_EXPORT const char *X509_get_default_cert_dir_env(void);\n\n// X509_get_default_cert_file_env returns \"SSL_CERT_FILE\", an environment\n// variable used to determine the above \"default\" paths.\nOPENSSL_EXPORT const char *X509_get_default_cert_file_env(void);\n\n\n// SignedPublicKeyAndChallenge structures.\n//\n// The SignedPublicKeyAndChallenge (SPKAC) is a legacy structure to request\n// certificates, primarily in the legacy HTML tag. An SPKAC structure\n// is represented by a |NETSCAPE_SPKI| structure.\n//\n// The structure is described in\n// https://developer.mozilla.org/en-US/docs/Web/HTML/Element/keygen\n\n// A Netscape_spki_st, or |NETSCAPE_SPKI|, represents a\n// SignedPublicKeyAndChallenge structure. Although this structure contains a\n// |spkac| field of type |NETSCAPE_SPKAC|, these are misnamed. The SPKAC is the\n// entire structure, not the signed portion.\nstruct Netscape_spki_st {\n NETSCAPE_SPKAC *spkac;\n X509_ALGOR *sig_algor;\n ASN1_BIT_STRING *signature;\n} /* NETSCAPE_SPKI */;\n\n// NETSCAPE_SPKI_new returns a newly-allocated, empty |NETSCAPE_SPKI| object, or\n// NULL on error.\nOPENSSL_EXPORT NETSCAPE_SPKI *NETSCAPE_SPKI_new(void);\n\n// NETSCAPE_SPKI_free releases memory associated with |spki|.\nOPENSSL_EXPORT void NETSCAPE_SPKI_free(NETSCAPE_SPKI *spki);\n\n// d2i_NETSCAPE_SPKI parses up to |len| bytes from |*inp| as a DER-encoded\n// SignedPublicKeyAndChallenge structure, as described in |d2i_SAMPLE|.\nOPENSSL_EXPORT NETSCAPE_SPKI *d2i_NETSCAPE_SPKI(NETSCAPE_SPKI **out,\n const uint8_t **inp, long len);\n\n// i2d_NETSCAPE_SPKI marshals |spki| as a DER-encoded\n// SignedPublicKeyAndChallenge structure, as described in |i2d_SAMPLE|.\nOPENSSL_EXPORT int i2d_NETSCAPE_SPKI(const NETSCAPE_SPKI *spki, uint8_t **outp);\n\n// NETSCAPE_SPKI_verify checks that |spki| has a valid signature by |pkey|. It\n// returns one if the signature is valid and zero otherwise.\nOPENSSL_EXPORT int NETSCAPE_SPKI_verify(NETSCAPE_SPKI *spki, EVP_PKEY *pkey);\n\n// NETSCAPE_SPKI_b64_decode decodes |len| bytes from |str| as a base64-encoded\n// SignedPublicKeyAndChallenge structure. It returns a newly-allocated\n// |NETSCAPE_SPKI| structure with the result, or NULL on error. If |len| is 0 or\n// negative, the length is calculated with |strlen| and |str| must be a\n// NUL-terminated C string.\nOPENSSL_EXPORT NETSCAPE_SPKI *NETSCAPE_SPKI_b64_decode(const char *str,\n ossl_ssize_t len);\n\n// NETSCAPE_SPKI_b64_encode encodes |spki| as a base64-encoded\n// SignedPublicKeyAndChallenge structure. It returns a newly-allocated\n// NUL-terminated C string with the result, or NULL on error. The caller must\n// release the memory with |OPENSSL_free| when done.\nOPENSSL_EXPORT char *NETSCAPE_SPKI_b64_encode(NETSCAPE_SPKI *spki);\n\n// NETSCAPE_SPKI_get_pubkey decodes and returns the public key in |spki| as an\n// |EVP_PKEY|, or NULL on error. The caller takes ownership of the resulting\n// pointer and must call |EVP_PKEY_free| when done.\nOPENSSL_EXPORT EVP_PKEY *NETSCAPE_SPKI_get_pubkey(const NETSCAPE_SPKI *spki);\n\n// NETSCAPE_SPKI_set_pubkey sets |spki|'s public key to |pkey|. It returns one\n// on success or zero on error. This function does not take ownership of |pkey|,\n// so the caller may continue to manage its lifetime independently of |spki|.\nOPENSSL_EXPORT int NETSCAPE_SPKI_set_pubkey(NETSCAPE_SPKI *spki,\n EVP_PKEY *pkey);\n\n// NETSCAPE_SPKI_sign signs |spki| with |pkey| and replaces the signature\n// algorithm and signature fields. It returns the length of the signature on\n// success and zero on error. This function uses digest algorithm |md|, or\n// |pkey|'s default if NULL. Other signing parameters use |pkey|'s defaults.\nOPENSSL_EXPORT int NETSCAPE_SPKI_sign(NETSCAPE_SPKI *spki, EVP_PKEY *pkey,\n const EVP_MD *md);\n\n// A Netscape_spkac_st, or |NETSCAPE_SPKAC|, represents a PublicKeyAndChallenge\n// structure. This type is misnamed. The full SPKAC includes the signature,\n// which is represented with the |NETSCAPE_SPKI| type.\nstruct Netscape_spkac_st {\n X509_PUBKEY *pubkey;\n ASN1_IA5STRING *challenge;\n} /* NETSCAPE_SPKAC */;\n\n// NETSCAPE_SPKAC_new returns a newly-allocated, empty |NETSCAPE_SPKAC| object,\n// or NULL on error.\nOPENSSL_EXPORT NETSCAPE_SPKAC *NETSCAPE_SPKAC_new(void);\n\n// NETSCAPE_SPKAC_free releases memory associated with |spkac|.\nOPENSSL_EXPORT void NETSCAPE_SPKAC_free(NETSCAPE_SPKAC *spkac);\n\n// d2i_NETSCAPE_SPKAC parses up to |len| bytes from |*inp| as a DER-encoded\n// PublicKeyAndChallenge structure, as described in |d2i_SAMPLE|.\nOPENSSL_EXPORT NETSCAPE_SPKAC *d2i_NETSCAPE_SPKAC(NETSCAPE_SPKAC **out,\n const uint8_t **inp,\n long len);\n\n// i2d_NETSCAPE_SPKAC marshals |spkac| as a DER-encoded PublicKeyAndChallenge\n// structure, as described in |i2d_SAMPLE|.\nOPENSSL_EXPORT int i2d_NETSCAPE_SPKAC(const NETSCAPE_SPKAC *spkac,\n uint8_t **outp);\n\n\n// RSASSA-PSS Parameters.\n//\n// In X.509, RSASSA-PSS signatures and keys use a complex parameter structure,\n// defined in RFC 4055. The following functions are provided for compatibility\n// with some OpenSSL APIs relating to this. Use of RSASSA-PSS in X.509 is\n// discouraged. The parameters structure is very complex, and it takes more\n// bytes to merely encode parameters than an entire P-256 ECDSA signature.\n\n// An rsa_pss_params_st, aka |RSA_PSS_PARAMS|, represents a parsed\n// RSASSA-PSS-params structure, as defined in (RFC 4055).\nstruct rsa_pss_params_st {\n X509_ALGOR *hashAlgorithm;\n X509_ALGOR *maskGenAlgorithm;\n ASN1_INTEGER *saltLength;\n ASN1_INTEGER *trailerField;\n // OpenSSL caches the MGF hash on |RSA_PSS_PARAMS| in some cases. None of the\n // cases apply to BoringSSL, so this is always NULL, but Node expects the\n // field to be present.\n X509_ALGOR *maskHash;\n} /* RSA_PSS_PARAMS */;\n\n// RSA_PSS_PARAMS is an |ASN1_ITEM| whose ASN.1 type is RSASSA-PSS-params (RFC\n// 4055) and C type is |RSA_PSS_PARAMS*|.\nDECLARE_ASN1_ITEM(RSA_PSS_PARAMS)\n\n// RSA_PSS_PARAMS_new returns a new, empty |RSA_PSS_PARAMS|, or NULL on error.\nOPENSSL_EXPORT RSA_PSS_PARAMS *RSA_PSS_PARAMS_new(void);\n\n// RSA_PSS_PARAMS_free releases memory associated with |params|.\nOPENSSL_EXPORT void RSA_PSS_PARAMS_free(RSA_PSS_PARAMS *params);\n\n// d2i_RSA_PSS_PARAMS parses up to |len| bytes from |*inp| as a DER-encoded\n// RSASSA-PSS-params (RFC 4055), as described in |d2i_SAMPLE|.\nOPENSSL_EXPORT RSA_PSS_PARAMS *d2i_RSA_PSS_PARAMS(RSA_PSS_PARAMS **out,\n const uint8_t **inp,\n long len);\n\n// i2d_RSA_PSS_PARAMS marshals |in| as a DER-encoded RSASSA-PSS-params (RFC\n// 4055), as described in |i2d_SAMPLE|.\nOPENSSL_EXPORT int i2d_RSA_PSS_PARAMS(const RSA_PSS_PARAMS *in, uint8_t **outp);\n\n\n// PKCS#8 private keys.\n//\n// The |PKCS8_PRIV_KEY_INFO| type represents a PKCS#8 PrivateKeyInfo (RFC 5208)\n// structure. This is analogous to SubjectPublicKeyInfo and uses the same\n// AlgorithmIdentifiers, but carries private keys and is not part of X.509\n// itself.\n//\n// TODO(davidben): Do these functions really belong in this header?\n\n// PKCS8_PRIV_KEY_INFO_new returns a newly-allocated, empty\n// |PKCS8_PRIV_KEY_INFO| object, or NULL on error.\nOPENSSL_EXPORT PKCS8_PRIV_KEY_INFO *PKCS8_PRIV_KEY_INFO_new(void);\n\n// PKCS8_PRIV_KEY_INFO_free releases memory associated with |key|.\nOPENSSL_EXPORT void PKCS8_PRIV_KEY_INFO_free(PKCS8_PRIV_KEY_INFO *key);\n\n// d2i_PKCS8_PRIV_KEY_INFO parses up to |len| bytes from |*inp| as a DER-encoded\n// PrivateKeyInfo, as described in |d2i_SAMPLE|.\nOPENSSL_EXPORT PKCS8_PRIV_KEY_INFO *d2i_PKCS8_PRIV_KEY_INFO(\n PKCS8_PRIV_KEY_INFO **out, const uint8_t **inp, long len);\n\n// i2d_PKCS8_PRIV_KEY_INFO marshals |key| as a DER-encoded PrivateKeyInfo, as\n// described in |i2d_SAMPLE|.\nOPENSSL_EXPORT int i2d_PKCS8_PRIV_KEY_INFO(const PKCS8_PRIV_KEY_INFO *key,\n uint8_t **outp);\n\n// EVP_PKCS82PKEY returns |p8| as a newly-allocated |EVP_PKEY|, or NULL if the\n// key was unsupported or could not be decoded. The caller must release the\n// result with |EVP_PKEY_free| when done.\n//\n// Use |EVP_parse_private_key| instead.\nOPENSSL_EXPORT EVP_PKEY *EVP_PKCS82PKEY(const PKCS8_PRIV_KEY_INFO *p8);\n\n// EVP_PKEY2PKCS8 encodes |pkey| as a PKCS#8 PrivateKeyInfo (RFC 5208),\n// represented as a newly-allocated |PKCS8_PRIV_KEY_INFO|, or NULL on error. The\n// caller must release the result with |PKCS8_PRIV_KEY_INFO_free| when done.\n//\n// Use |EVP_marshal_private_key| instead.\nOPENSSL_EXPORT PKCS8_PRIV_KEY_INFO *EVP_PKEY2PKCS8(const EVP_PKEY *pkey);\n\n\n// Algorithm and octet string pairs.\n//\n// The |X509_SIG| type represents an ASN.1 SEQUENCE type of an\n// AlgorithmIdentifier and an OCTET STRING. Although named |X509_SIG|, there is\n// no type in X.509 which matches this format. The two common types which do are\n// DigestInfo (RFC 2315 and RFC 8017), and EncryptedPrivateKeyInfo (RFC 5208).\n\n// X509_SIG_new returns a newly-allocated, empty |X509_SIG| object, or NULL on\n// error.\nOPENSSL_EXPORT X509_SIG *X509_SIG_new(void);\n\n// X509_SIG_free releases memory associated with |key|.\nOPENSSL_EXPORT void X509_SIG_free(X509_SIG *key);\n\n// d2i_X509_SIG parses up to |len| bytes from |*inp| as a DER-encoded algorithm\n// and octet string pair, as described in |d2i_SAMPLE|.\nOPENSSL_EXPORT X509_SIG *d2i_X509_SIG(X509_SIG **out, const uint8_t **inp,\n long len);\n\n// i2d_X509_SIG marshals |sig| as a DER-encoded algorithm\n// and octet string pair, as described in |i2d_SAMPLE|.\nOPENSSL_EXPORT int i2d_X509_SIG(const X509_SIG *sig, uint8_t **outp);\n\n// X509_SIG_get0 sets |*out_alg| and |*out_digest| to non-owning pointers to\n// |sig|'s algorithm and digest fields, respectively. Either |out_alg| and\n// |out_digest| may be NULL to skip those fields.\nOPENSSL_EXPORT void X509_SIG_get0(const X509_SIG *sig,\n const X509_ALGOR **out_alg,\n const ASN1_OCTET_STRING **out_digest);\n\n// X509_SIG_getm behaves like |X509_SIG_get0| but returns mutable pointers.\nOPENSSL_EXPORT void X509_SIG_getm(X509_SIG *sig, X509_ALGOR **out_alg,\n ASN1_OCTET_STRING **out_digest);\n\n\n// Printing functions.\n//\n// The following functions output human-readable representations of\n// X.509-related structures. They should only be used for debugging or logging\n// and not parsed programmatically. In many cases, the outputs are ambiguous, so\n// attempting to parse them can lead to string injection vulnerabilities.\n\n// The following flags control |X509_print_ex| and |X509_REQ_print_ex|. These\n// flags co-exist with |X509V3_EXT_*|, so avoid collisions when adding new ones.\n\n// X509_FLAG_COMPAT disables all flags. It additionally causes names to be\n// printed with a 16-byte indent.\n#define X509_FLAG_COMPAT 0\n\n// X509_FLAG_NO_HEADER skips a header identifying the type of object printed.\n#define X509_FLAG_NO_HEADER 1L\n\n// X509_FLAG_NO_VERSION skips printing the X.509 version number.\n#define X509_FLAG_NO_VERSION (1L << 1)\n\n// X509_FLAG_NO_SERIAL skips printing the serial number. It is ignored in\n// |X509_REQ_print_fp|.\n#define X509_FLAG_NO_SERIAL (1L << 2)\n\n// X509_FLAG_NO_SIGNAME skips printing the signature algorithm in the\n// TBSCertificate. It is ignored in |X509_REQ_print_fp|.\n#define X509_FLAG_NO_SIGNAME (1L << 3)\n\n// X509_FLAG_NO_ISSUER skips printing the issuer.\n#define X509_FLAG_NO_ISSUER (1L << 4)\n\n// X509_FLAG_NO_VALIDITY skips printing the notBefore and notAfter times. It is\n// ignored in |X509_REQ_print_fp|.\n#define X509_FLAG_NO_VALIDITY (1L << 5)\n\n// X509_FLAG_NO_SUBJECT skips printing the subject.\n#define X509_FLAG_NO_SUBJECT (1L << 6)\n\n// X509_FLAG_NO_PUBKEY skips printing the public key.\n#define X509_FLAG_NO_PUBKEY (1L << 7)\n\n// X509_FLAG_NO_EXTENSIONS skips printing the extension list. It is ignored in\n// |X509_REQ_print_fp|. CSRs instead have attributes, which is controlled by\n// |X509_FLAG_NO_ATTRIBUTES|.\n#define X509_FLAG_NO_EXTENSIONS (1L << 8)\n\n// X509_FLAG_NO_SIGDUMP skips printing the signature and outer signature\n// algorithm.\n#define X509_FLAG_NO_SIGDUMP (1L << 9)\n\n// X509_FLAG_NO_AUX skips printing auxiliary properties. (See |d2i_X509_AUX| and\n// related functions.)\n#define X509_FLAG_NO_AUX (1L << 10)\n\n// X509_FLAG_NO_ATTRIBUTES skips printing CSR attributes. It does nothing for\n// certificates and CRLs.\n#define X509_FLAG_NO_ATTRIBUTES (1L << 11)\n\n// X509_FLAG_NO_IDS skips printing the issuerUniqueID and subjectUniqueID in a\n// certificate. It is ignored in |X509_REQ_print_fp|.\n#define X509_FLAG_NO_IDS (1L << 12)\n\n// The following flags control |X509_print_ex|, |X509_REQ_print_ex|,\n// |X509V3_EXT_print|, and |X509V3_extensions_print|. These flags coexist with\n// |X509_FLAG_*|, so avoid collisions when adding new ones.\n\n// X509V3_EXT_UNKNOWN_MASK is a mask that determines how unknown extensions are\n// processed.\n#define X509V3_EXT_UNKNOWN_MASK (0xfL << 16)\n\n// X509V3_EXT_DEFAULT causes unknown extensions or syntax errors to return\n// failure.\n#define X509V3_EXT_DEFAULT 0\n\n// X509V3_EXT_ERROR_UNKNOWN causes unknown extensions or syntax errors to print\n// as \"\" or \"\", respectively.\n#define X509V3_EXT_ERROR_UNKNOWN (1L << 16)\n\n// X509V3_EXT_PARSE_UNKNOWN is deprecated and behaves like\n// |X509V3_EXT_DUMP_UNKNOWN|.\n#define X509V3_EXT_PARSE_UNKNOWN (2L << 16)\n\n// X509V3_EXT_DUMP_UNKNOWN causes unknown extensions to be displayed as a\n// hexdump.\n#define X509V3_EXT_DUMP_UNKNOWN (3L << 16)\n\n// X509_print_ex writes a human-readable representation of |x| to |bp|. It\n// returns one on success and zero on error. |nmflags| is the flags parameter\n// for |X509_NAME_print_ex| when printing the subject and issuer. |cflag| should\n// be some combination of the |X509_FLAG_*| and |X509V3_EXT_*| constants.\nOPENSSL_EXPORT int X509_print_ex(BIO *bp, X509 *x, unsigned long nmflag,\n unsigned long cflag);\n\n// X509_print_ex_fp behaves like |X509_print_ex| but writes to |fp|.\nOPENSSL_EXPORT int X509_print_ex_fp(FILE *fp, X509 *x, unsigned long nmflag,\n unsigned long cflag);\n\n// X509_print calls |X509_print_ex| with |XN_FLAG_COMPAT| and |X509_FLAG_COMPAT|\n// flags.\nOPENSSL_EXPORT int X509_print(BIO *bp, X509 *x);\n\n// X509_print_fp behaves like |X509_print| but writes to |fp|.\nOPENSSL_EXPORT int X509_print_fp(FILE *fp, X509 *x);\n\n// X509_CRL_print writes a human-readable representation of |x| to |bp|. It\n// returns one on success and zero on error.\nOPENSSL_EXPORT int X509_CRL_print(BIO *bp, X509_CRL *x);\n\n// X509_CRL_print_fp behaves like |X509_CRL_print| but writes to |fp|.\nOPENSSL_EXPORT int X509_CRL_print_fp(FILE *fp, X509_CRL *x);\n\n// X509_REQ_print_ex writes a human-readable representation of |x| to |bp|. It\n// returns one on success and zero on error. |nmflags| is the flags parameter\n// for |X509_NAME_print_ex|, when printing the subject. |cflag| should be some\n// combination of the |X509_FLAG_*| and |X509V3_EXT_*| constants.\nOPENSSL_EXPORT int X509_REQ_print_ex(BIO *bp, X509_REQ *x, unsigned long nmflag,\n unsigned long cflag);\n\n// X509_REQ_print calls |X509_REQ_print_ex| with |XN_FLAG_COMPAT| and\n// |X509_FLAG_COMPAT| flags.\nOPENSSL_EXPORT int X509_REQ_print(BIO *bp, X509_REQ *req);\n\n// X509_REQ_print_fp behaves like |X509_REQ_print| but writes to |fp|.\nOPENSSL_EXPORT int X509_REQ_print_fp(FILE *fp, X509_REQ *req);\n\n// The following flags are control |X509_NAME_print_ex|. They must not collide\n// with |ASN1_STRFLGS_*|.\n//\n// TODO(davidben): This is far, far too many options and most of them are\n// useless. Trim this down.\n\n// XN_FLAG_COMPAT prints with |X509_NAME_print|'s format and return value\n// convention.\n#define XN_FLAG_COMPAT 0ul\n\n// XN_FLAG_SEP_MASK determines the separators to use between attributes.\n#define XN_FLAG_SEP_MASK (0xful << 16)\n\n// XN_FLAG_SEP_COMMA_PLUS separates RDNs with \",\" and attributes within an RDN\n// with \"+\", as in RFC 2253.\n#define XN_FLAG_SEP_COMMA_PLUS (1ul << 16)\n\n// XN_FLAG_SEP_CPLUS_SPC behaves like |XN_FLAG_SEP_COMMA_PLUS| but adds spaces\n// between the separators.\n#define XN_FLAG_SEP_CPLUS_SPC (2ul << 16)\n\n// XN_FLAG_SEP_SPLUS_SPC separates RDNs with \"; \" and attributes within an RDN\n// with \" + \".\n#define XN_FLAG_SEP_SPLUS_SPC (3ul << 16)\n\n// XN_FLAG_SEP_MULTILINE prints each attribute on one line.\n#define XN_FLAG_SEP_MULTILINE (4ul << 16)\n\n// XN_FLAG_DN_REV prints RDNs in reverse, from least significant to most\n// significant, as RFC 2253.\n#define XN_FLAG_DN_REV (1ul << 20)\n\n// XN_FLAG_FN_MASK determines how attribute types are displayed.\n#define XN_FLAG_FN_MASK (0x3ul << 21)\n\n// XN_FLAG_FN_SN uses the attribute type's short name, when available.\n#define XN_FLAG_FN_SN 0ul\n\n// XN_FLAG_SPC_EQ wraps the \"=\" operator with spaces when printing attributes.\n#define XN_FLAG_SPC_EQ (1ul << 23)\n\n// XN_FLAG_DUMP_UNKNOWN_FIELDS causes unknown attribute types to be printed in\n// hex, as in RFC 2253.\n#define XN_FLAG_DUMP_UNKNOWN_FIELDS (1ul << 24)\n\n// XN_FLAG_RFC2253 prints like RFC 2253.\n#define XN_FLAG_RFC2253 \\\n (ASN1_STRFLGS_RFC2253 | XN_FLAG_SEP_COMMA_PLUS | XN_FLAG_DN_REV | \\\n XN_FLAG_FN_SN | XN_FLAG_DUMP_UNKNOWN_FIELDS)\n\n// XN_FLAG_ONELINE prints a one-line representation of the name.\n#define XN_FLAG_ONELINE \\\n (ASN1_STRFLGS_RFC2253 | ASN1_STRFLGS_ESC_QUOTE | XN_FLAG_SEP_CPLUS_SPC | \\\n XN_FLAG_SPC_EQ | XN_FLAG_FN_SN)\n\n// X509_NAME_print_ex writes a human-readable representation of |nm| to |out|.\n// Each line of output is indented by |indent| spaces. It returns the number of\n// bytes written on success, and -1 on error. If |out| is NULL, it returns the\n// number of bytes it would have written but does not write anything. |flags|\n// should be some combination of |XN_FLAG_*| and |ASN1_STRFLGS_*| values and\n// determines the output. If unsure, use |XN_FLAG_RFC2253|.\n//\n// If |flags| is |XN_FLAG_COMPAT|, or zero, this function calls\n// |X509_NAME_print| instead. In that case, it returns one on success, rather\n// than the output length.\nOPENSSL_EXPORT int X509_NAME_print_ex(BIO *out, const X509_NAME *nm, int indent,\n unsigned long flags);\n\n// X509_NAME_print prints a human-readable representation of |name| to |bp|. It\n// returns one on success and zero on error. |obase| is ignored.\n//\n// This function outputs a legacy format that does not correctly handle string\n// encodings and other cases. Prefer |X509_NAME_print_ex| if printing a name for\n// debugging purposes.\nOPENSSL_EXPORT int X509_NAME_print(BIO *bp, const X509_NAME *name, int obase);\n\n// X509_NAME_oneline writes a human-readable representation to |name| to a\n// buffer as a NUL-terminated C string.\n//\n// If |buf| is NULL, returns a newly-allocated buffer containing the result on\n// success, or NULL on error. The buffer must be released with |OPENSSL_free|\n// when done.\n//\n// If |buf| is non-NULL, at most |size| bytes of output are written to |buf|\n// instead. |size| includes the trailing NUL. The function then returns |buf| on\n// success or NULL on error. If the output does not fit in |size| bytes, the\n// output is silently truncated at an attribute boundary.\n//\n// This function outputs a legacy format that does not correctly handle string\n// encodings and other cases. Prefer |X509_NAME_print_ex| if printing a name for\n// debugging purposes.\nOPENSSL_EXPORT char *X509_NAME_oneline(const X509_NAME *name, char *buf, int size);\n\n// X509_NAME_print_ex_fp behaves like |X509_NAME_print_ex| but writes to |fp|.\nOPENSSL_EXPORT int X509_NAME_print_ex_fp(FILE *fp, const X509_NAME *nm,\n int indent, unsigned long flags);\n\n// X509_signature_dump writes a human-readable representation of |sig| to |bio|,\n// indented with |indent| spaces. It returns one on success and zero on error.\nOPENSSL_EXPORT int X509_signature_dump(BIO *bio, const ASN1_STRING *sig,\n int indent);\n\n// X509_signature_print writes a human-readable representation of |alg| and\n// |sig| to |bio|. It returns one on success and zero on error.\nOPENSSL_EXPORT int X509_signature_print(BIO *bio, const X509_ALGOR *alg,\n const ASN1_STRING *sig);\n\n// X509V3_EXT_print prints a human-readable representation of |ext| to out. It\n// returns one on success and zero on error. The output is indented by |indent|\n// spaces. |flag| is one of the |X509V3_EXT_*| constants and controls printing\n// of unknown extensions and syntax errors.\n//\n// WARNING: Although some applications programmatically parse the output of this\n// function to process X.509 extensions, this is not safe. In many cases, the\n// outputs are ambiguous to attempting to parse them can lead to string\n// injection vulnerabilities. These functions should only be used for debugging\n// or logging.\nOPENSSL_EXPORT int X509V3_EXT_print(BIO *out, const X509_EXTENSION *ext,\n unsigned long flag, int indent);\n\n// X509V3_EXT_print_fp behaves like |X509V3_EXT_print| but writes to a |FILE|\n// instead of a |BIO|.\nOPENSSL_EXPORT int X509V3_EXT_print_fp(FILE *out, const X509_EXTENSION *ext,\n int flag, int indent);\n\n// X509V3_extensions_print prints |title|, followed by a human-readable\n// representation of |exts| to |out|. It returns one on success and zero on\n// error. The output is indented by |indent| spaces. |flag| is one of the\n// |X509V3_EXT_*| constants and controls printing of unknown extensions and\n// syntax errors.\nOPENSSL_EXPORT int X509V3_extensions_print(BIO *out, const char *title,\n const STACK_OF(X509_EXTENSION) *exts,\n unsigned long flag, int indent);\n\n// GENERAL_NAME_print prints a human-readable representation of |gen| to |out|.\n// It returns one on success and zero on error.\n//\n// TODO(davidben): Actually, it just returns one and doesn't check for I/O or\n// allocation errors. But it should return zero on error.\nOPENSSL_EXPORT int GENERAL_NAME_print(BIO *out, const GENERAL_NAME *gen);\n\n\n// Convenience functions.\n\n// X509_pubkey_digest hashes the contents of the BIT STRING in |x509|'s\n// subjectPublicKeyInfo field with |md| and writes the result to |out|.\n// |EVP_MD_CTX_size| bytes are written, which is at most |EVP_MAX_MD_SIZE|. If\n// |out_len| is not NULL, |*out_len| is set to the number of bytes written. This\n// function returns one on success and zero on error.\n//\n// This hash omits the BIT STRING tag, length, and number of unused bits. It\n// also omits the AlgorithmIdentifier which describes the key type. It\n// corresponds to the OCSP KeyHash definition and is not suitable for other\n// purposes.\nOPENSSL_EXPORT int X509_pubkey_digest(const X509 *x509, const EVP_MD *md,\n uint8_t *out, unsigned *out_len);\n\n// X509_digest hashes |x509|'s DER encoding with |md| and writes the result to\n// |out|. |EVP_MD_CTX_size| bytes are written, which is at most\n// |EVP_MAX_MD_SIZE|. If |out_len| is not NULL, |*out_len| is set to the number\n// of bytes written. This function returns one on success and zero on error.\n// Note this digest covers the entire certificate, not just the signed portion.\nOPENSSL_EXPORT int X509_digest(const X509 *x509, const EVP_MD *md, uint8_t *out,\n unsigned *out_len);\n\n// X509_CRL_digest hashes |crl|'s DER encoding with |md| and writes the result\n// to |out|. |EVP_MD_CTX_size| bytes are written, which is at most\n// |EVP_MAX_MD_SIZE|. If |out_len| is not NULL, |*out_len| is set to the number\n// of bytes written. This function returns one on success and zero on error.\n// Note this digest covers the entire CRL, not just the signed portion.\nOPENSSL_EXPORT int X509_CRL_digest(const X509_CRL *crl, const EVP_MD *md,\n uint8_t *out, unsigned *out_len);\n\n// X509_REQ_digest hashes |req|'s DER encoding with |md| and writes the result\n// to |out|. |EVP_MD_CTX_size| bytes are written, which is at most\n// |EVP_MAX_MD_SIZE|. If |out_len| is not NULL, |*out_len| is set to the number\n// of bytes written. This function returns one on success and zero on error.\n// Note this digest covers the entire certificate request, not just the signed\n// portion.\nOPENSSL_EXPORT int X509_REQ_digest(const X509_REQ *req, const EVP_MD *md,\n uint8_t *out, unsigned *out_len);\n\n// X509_NAME_digest hashes |name|'s DER encoding with |md| and writes the result\n// to |out|. |EVP_MD_CTX_size| bytes are written, which is at most\n// |EVP_MAX_MD_SIZE|. If |out_len| is not NULL, |*out_len| is set to the number\n// of bytes written. This function returns one on success and zero on error.\nOPENSSL_EXPORT int X509_NAME_digest(const X509_NAME *name, const EVP_MD *md,\n uint8_t *out, unsigned *out_len);\n\n// The following functions behave like the corresponding unsuffixed |d2i_*|\n// functions, but read the result from |bp| instead. Callers using these\n// functions with memory |BIO|s to parse structures already in memory should use\n// |d2i_*| instead.\nOPENSSL_EXPORT X509 *d2i_X509_bio(BIO *bp, X509 **x509);\nOPENSSL_EXPORT X509_CRL *d2i_X509_CRL_bio(BIO *bp, X509_CRL **crl);\nOPENSSL_EXPORT X509_REQ *d2i_X509_REQ_bio(BIO *bp, X509_REQ **req);\nOPENSSL_EXPORT RSA *d2i_RSAPrivateKey_bio(BIO *bp, RSA **rsa);\nOPENSSL_EXPORT RSA *d2i_RSAPublicKey_bio(BIO *bp, RSA **rsa);\nOPENSSL_EXPORT RSA *d2i_RSA_PUBKEY_bio(BIO *bp, RSA **rsa);\nOPENSSL_EXPORT DSA *d2i_DSA_PUBKEY_bio(BIO *bp, DSA **dsa);\nOPENSSL_EXPORT DSA *d2i_DSAPrivateKey_bio(BIO *bp, DSA **dsa);\nOPENSSL_EXPORT EC_KEY *d2i_EC_PUBKEY_bio(BIO *bp, EC_KEY **eckey);\nOPENSSL_EXPORT EC_KEY *d2i_ECPrivateKey_bio(BIO *bp, EC_KEY **eckey);\nOPENSSL_EXPORT X509_SIG *d2i_PKCS8_bio(BIO *bp, X509_SIG **p8);\nOPENSSL_EXPORT PKCS8_PRIV_KEY_INFO *d2i_PKCS8_PRIV_KEY_INFO_bio(\n BIO *bp, PKCS8_PRIV_KEY_INFO **p8inf);\nOPENSSL_EXPORT EVP_PKEY *d2i_PUBKEY_bio(BIO *bp, EVP_PKEY **a);\nOPENSSL_EXPORT DH *d2i_DHparams_bio(BIO *bp, DH **dh);\n\n// d2i_PrivateKey_bio behaves like |d2i_AutoPrivateKey|, but reads from |bp|\n// instead.\nOPENSSL_EXPORT EVP_PKEY *d2i_PrivateKey_bio(BIO *bp, EVP_PKEY **a);\n\n// The following functions behave like the corresponding unsuffixed |i2d_*|\n// functions, but write the result to |bp|. They return one on success and zero\n// on error. Callers using them with memory |BIO|s to encode structures to\n// memory should use |i2d_*| directly instead.\nOPENSSL_EXPORT int i2d_X509_bio(BIO *bp, X509 *x509);\nOPENSSL_EXPORT int i2d_X509_CRL_bio(BIO *bp, X509_CRL *crl);\nOPENSSL_EXPORT int i2d_X509_REQ_bio(BIO *bp, X509_REQ *req);\nOPENSSL_EXPORT int i2d_RSAPrivateKey_bio(BIO *bp, RSA *rsa);\nOPENSSL_EXPORT int i2d_RSAPublicKey_bio(BIO *bp, RSA *rsa);\nOPENSSL_EXPORT int i2d_RSA_PUBKEY_bio(BIO *bp, RSA *rsa);\nOPENSSL_EXPORT int i2d_DSA_PUBKEY_bio(BIO *bp, DSA *dsa);\nOPENSSL_EXPORT int i2d_DSAPrivateKey_bio(BIO *bp, DSA *dsa);\nOPENSSL_EXPORT int i2d_EC_PUBKEY_bio(BIO *bp, EC_KEY *eckey);\nOPENSSL_EXPORT int i2d_ECPrivateKey_bio(BIO *bp, EC_KEY *eckey);\nOPENSSL_EXPORT int i2d_PKCS8_bio(BIO *bp, X509_SIG *p8);\nOPENSSL_EXPORT int i2d_PKCS8_PRIV_KEY_INFO_bio(BIO *bp,\n PKCS8_PRIV_KEY_INFO *p8inf);\nOPENSSL_EXPORT int i2d_PrivateKey_bio(BIO *bp, EVP_PKEY *pkey);\nOPENSSL_EXPORT int i2d_PUBKEY_bio(BIO *bp, EVP_PKEY *pkey);\nOPENSSL_EXPORT int i2d_DHparams_bio(BIO *bp, const DH *dh);\n\n// i2d_PKCS8PrivateKeyInfo_bio encodes |key| as a PKCS#8 PrivateKeyInfo\n// structure (see |EVP_marshal_private_key|) and writes the result to |bp|. It\n// returns one on success and zero on error.\nOPENSSL_EXPORT int i2d_PKCS8PrivateKeyInfo_bio(BIO *bp, EVP_PKEY *key);\n\n// The following functions behave like the corresponding |d2i_*_bio| functions,\n// but read from |fp| instead.\nOPENSSL_EXPORT X509 *d2i_X509_fp(FILE *fp, X509 **x509);\nOPENSSL_EXPORT X509_CRL *d2i_X509_CRL_fp(FILE *fp, X509_CRL **crl);\nOPENSSL_EXPORT X509_REQ *d2i_X509_REQ_fp(FILE *fp, X509_REQ **req);\nOPENSSL_EXPORT RSA *d2i_RSAPrivateKey_fp(FILE *fp, RSA **rsa);\nOPENSSL_EXPORT RSA *d2i_RSAPublicKey_fp(FILE *fp, RSA **rsa);\nOPENSSL_EXPORT RSA *d2i_RSA_PUBKEY_fp(FILE *fp, RSA **rsa);\nOPENSSL_EXPORT DSA *d2i_DSA_PUBKEY_fp(FILE *fp, DSA **dsa);\nOPENSSL_EXPORT DSA *d2i_DSAPrivateKey_fp(FILE *fp, DSA **dsa);\nOPENSSL_EXPORT EC_KEY *d2i_EC_PUBKEY_fp(FILE *fp, EC_KEY **eckey);\nOPENSSL_EXPORT EC_KEY *d2i_ECPrivateKey_fp(FILE *fp, EC_KEY **eckey);\nOPENSSL_EXPORT X509_SIG *d2i_PKCS8_fp(FILE *fp, X509_SIG **p8);\nOPENSSL_EXPORT PKCS8_PRIV_KEY_INFO *d2i_PKCS8_PRIV_KEY_INFO_fp(\n FILE *fp, PKCS8_PRIV_KEY_INFO **p8inf);\nOPENSSL_EXPORT EVP_PKEY *d2i_PrivateKey_fp(FILE *fp, EVP_PKEY **a);\nOPENSSL_EXPORT EVP_PKEY *d2i_PUBKEY_fp(FILE *fp, EVP_PKEY **a);\n\n// The following functions behave like the corresponding |i2d_*_bio| functions,\n// but write to |fp| instead.\nOPENSSL_EXPORT int i2d_X509_fp(FILE *fp, X509 *x509);\nOPENSSL_EXPORT int i2d_X509_CRL_fp(FILE *fp, X509_CRL *crl);\nOPENSSL_EXPORT int i2d_X509_REQ_fp(FILE *fp, X509_REQ *req);\nOPENSSL_EXPORT int i2d_RSAPrivateKey_fp(FILE *fp, RSA *rsa);\nOPENSSL_EXPORT int i2d_RSAPublicKey_fp(FILE *fp, RSA *rsa);\nOPENSSL_EXPORT int i2d_RSA_PUBKEY_fp(FILE *fp, RSA *rsa);\nOPENSSL_EXPORT int i2d_DSA_PUBKEY_fp(FILE *fp, DSA *dsa);\nOPENSSL_EXPORT int i2d_DSAPrivateKey_fp(FILE *fp, DSA *dsa);\nOPENSSL_EXPORT int i2d_EC_PUBKEY_fp(FILE *fp, EC_KEY *eckey);\nOPENSSL_EXPORT int i2d_ECPrivateKey_fp(FILE *fp, EC_KEY *eckey);\nOPENSSL_EXPORT int i2d_PKCS8_fp(FILE *fp, X509_SIG *p8);\nOPENSSL_EXPORT int i2d_PKCS8_PRIV_KEY_INFO_fp(FILE *fp,\n PKCS8_PRIV_KEY_INFO *p8inf);\nOPENSSL_EXPORT int i2d_PKCS8PrivateKeyInfo_fp(FILE *fp, EVP_PKEY *key);\nOPENSSL_EXPORT int i2d_PrivateKey_fp(FILE *fp, EVP_PKEY *pkey);\nOPENSSL_EXPORT int i2d_PUBKEY_fp(FILE *fp, EVP_PKEY *pkey);\n\n// X509_find_by_issuer_and_serial returns the first |X509| in |sk| whose issuer\n// and serial are |name| and |serial|, respectively. If no match is found, it\n// returns NULL.\nOPENSSL_EXPORT X509 *X509_find_by_issuer_and_serial(const STACK_OF(X509) *sk,\n X509_NAME *name,\n const ASN1_INTEGER *serial);\n\n// X509_find_by_subject returns the first |X509| in |sk| whose subject is\n// |name|. If no match is found, it returns NULL.\nOPENSSL_EXPORT X509 *X509_find_by_subject(const STACK_OF(X509) *sk,\n X509_NAME *name);\n\n// X509_cmp_time compares |s| against |*t|. On success, it returns a negative\n// number if |s| <= |*t| and a positive number if |s| > |*t|. On error, it\n// returns zero. If |t| is NULL, it uses the current time instead of |*t|.\n//\n// WARNING: Unlike most comparison functions, this function returns zero on\n// error, not equality.\nOPENSSL_EXPORT int X509_cmp_time(const ASN1_TIME *s, const time_t *t);\n\n// X509_cmp_time_posix compares |s| against |t|. On success, it returns a\n// negative number if |s| <= |t| and a positive number if |s| > |t|. On error,\n// it returns zero.\n//\n// WARNING: Unlike most comparison functions, this function returns zero on\n// error, not equality.\nOPENSSL_EXPORT int X509_cmp_time_posix(const ASN1_TIME *s, int64_t t);\n\n// X509_cmp_current_time behaves like |X509_cmp_time| but compares |s| against\n// the current time.\nOPENSSL_EXPORT int X509_cmp_current_time(const ASN1_TIME *s);\n\n// X509_time_adj calls |X509_time_adj_ex| with |offset_day| equal to zero.\nOPENSSL_EXPORT ASN1_TIME *X509_time_adj(ASN1_TIME *s, long offset_sec,\n const time_t *t);\n\n// X509_time_adj_ex behaves like |ASN1_TIME_adj|, but adds an offset to |*t|. If\n// |t| is NULL, it uses the current time instead of |*t|.\nOPENSSL_EXPORT ASN1_TIME *X509_time_adj_ex(ASN1_TIME *s, int offset_day,\n long offset_sec, const time_t *t);\n\n// X509_gmtime_adj behaves like |X509_time_adj_ex| but adds |offset_sec| to the\n// current time.\nOPENSSL_EXPORT ASN1_TIME *X509_gmtime_adj(ASN1_TIME *s, long offset_sec);\n\n// X509_issuer_name_cmp behaves like |X509_NAME_cmp|, but compares |a| and |b|'s\n// issuer names.\nOPENSSL_EXPORT int X509_issuer_name_cmp(const X509 *a, const X509 *b);\n\n// X509_subject_name_cmp behaves like |X509_NAME_cmp|, but compares |a| and\n// |b|'s subject names.\nOPENSSL_EXPORT int X509_subject_name_cmp(const X509 *a, const X509 *b);\n\n// X509_CRL_cmp behaves like |X509_NAME_cmp|, but compares |a| and |b|'s\n// issuer names.\n//\n// WARNING: This function is misnamed. It does not compare other parts of the\n// CRL, only the issuer fields using |X509_NAME_cmp|.\nOPENSSL_EXPORT int X509_CRL_cmp(const X509_CRL *a, const X509_CRL *b);\n\n// X509_issuer_name_hash returns the hash of |x509|'s issuer name with\n// |X509_NAME_hash|.\n//\n// This hash is specific to the |X509_LOOKUP_add_dir| filesystem format and is\n// not suitable for general-purpose X.509 name processing. It is very short, so\n// there will be hash collisions. It also depends on an OpenSSL-specific\n// canonicalization process.\nOPENSSL_EXPORT uint32_t X509_issuer_name_hash(X509 *x509);\n\n// X509_subject_name_hash returns the hash of |x509|'s subject name with\n// |X509_NAME_hash|.\n//\n// This hash is specific to the |X509_LOOKUP_add_dir| filesystem format and is\n// not suitable for general-purpose X.509 name processing. It is very short, so\n// there will be hash collisions. It also depends on an OpenSSL-specific\n// canonicalization process.\nOPENSSL_EXPORT uint32_t X509_subject_name_hash(X509 *x509);\n\n// X509_issuer_name_hash_old returns the hash of |x509|'s issuer name with\n// |X509_NAME_hash_old|.\n//\n// This hash is specific to the |X509_LOOKUP_add_dir| filesystem format and is\n// not suitable for general-purpose X.509 name processing. It is very short, so\n// there will be hash collisions.\nOPENSSL_EXPORT uint32_t X509_issuer_name_hash_old(X509 *x509);\n\n// X509_subject_name_hash_old returns the hash of |x509|'s usjbect name with\n// |X509_NAME_hash_old|.\n//\n// This hash is specific to the |X509_LOOKUP_add_dir| filesystem format and is\n// not suitable for general-purpose X.509 name processing. It is very short, so\n// there will be hash collisions.\nOPENSSL_EXPORT uint32_t X509_subject_name_hash_old(X509 *x509);\n\n\n// ex_data functions.\n//\n// See |ex_data.h| for details.\n\nOPENSSL_EXPORT int X509_get_ex_new_index(long argl, void *argp,\n CRYPTO_EX_unused *unused,\n CRYPTO_EX_dup *dup_unused,\n CRYPTO_EX_free *free_func);\nOPENSSL_EXPORT int X509_set_ex_data(X509 *r, int idx, void *arg);\nOPENSSL_EXPORT void *X509_get_ex_data(X509 *r, int idx);\n\nOPENSSL_EXPORT int X509_STORE_CTX_get_ex_new_index(long argl, void *argp,\n CRYPTO_EX_unused *unused,\n CRYPTO_EX_dup *dup_unused,\n CRYPTO_EX_free *free_func);\nOPENSSL_EXPORT int X509_STORE_CTX_set_ex_data(X509_STORE_CTX *ctx, int idx,\n void *data);\nOPENSSL_EXPORT void *X509_STORE_CTX_get_ex_data(X509_STORE_CTX *ctx, int idx);\n\n#define X509_STORE_CTX_set_app_data(ctx, data) \\\n X509_STORE_CTX_set_ex_data(ctx, 0, data)\n#define X509_STORE_CTX_get_app_data(ctx) X509_STORE_CTX_get_ex_data(ctx, 0)\n\n\n// Hashing and signing ASN.1 structures.\n\n// ASN1_digest serializes |data| with |i2d| and then hashes the result with\n// |type|. On success, it returns one, writes the digest to |md|, and sets\n// |*len| to the digest length if non-NULL. On error, it returns zero.\n//\n// |EVP_MD_CTX_size| bytes are written, which is at most |EVP_MAX_MD_SIZE|. The\n// buffer must have sufficient space for this output.\nOPENSSL_EXPORT int ASN1_digest(i2d_of_void *i2d, const EVP_MD *type, char *data,\n unsigned char *md, unsigned int *len);\n\n// ASN1_item_digest serializes |data| with |it| and then hashes the result with\n// |type|. On success, it returns one, writes the digest to |md|, and sets\n// |*len| to the digest length if non-NULL. On error, it returns zero.\n//\n// |EVP_MD_CTX_size| bytes are written, which is at most |EVP_MAX_MD_SIZE|. The\n// buffer must have sufficient space for this output.\n//\n// WARNING: |data| must be a pointer with the same type as |it|'s corresponding\n// C type. Using the wrong type is a potentially exploitable memory error.\nOPENSSL_EXPORT int ASN1_item_digest(const ASN1_ITEM *it, const EVP_MD *type,\n void *data, unsigned char *md,\n unsigned int *len);\n\n// ASN1_item_verify serializes |data| with |it| and then verifies |signature| is\n// a valid signature for the result with |algor1| and |pkey|. It returns one on\n// success and zero on error. The signature and algorithm are interpreted as in\n// X.509.\n//\n// WARNING: |data| must be a pointer with the same type as |it|'s corresponding\n// C type. Using the wrong type is a potentially exploitable memory error.\nOPENSSL_EXPORT int ASN1_item_verify(const ASN1_ITEM *it,\n const X509_ALGOR *algor1,\n const ASN1_BIT_STRING *signature,\n void *data, EVP_PKEY *pkey);\n\n// ASN1_item_sign serializes |data| with |it| and then signs the result with\n// the private key |pkey|. It returns the length of the signature on success and\n// zero on error. On success, it writes the signature to |signature| and the\n// signature algorithm to each of |algor1| and |algor2|. Either of |algor1| or\n// |algor2| may be NULL to ignore them. This function uses digest algorithm\n// |md|, or |pkey|'s default if NULL. Other signing parameters use |pkey|'s\n// defaults. To customize them, use |ASN1_item_sign_ctx|.\n//\n// WARNING: |data| must be a pointer with the same type as |it|'s corresponding\n// C type. Using the wrong type is a potentially exploitable memory error.\nOPENSSL_EXPORT int ASN1_item_sign(const ASN1_ITEM *it, X509_ALGOR *algor1,\n X509_ALGOR *algor2,\n ASN1_BIT_STRING *signature, void *data,\n EVP_PKEY *pkey, const EVP_MD *type);\n\n// ASN1_item_sign_ctx behaves like |ASN1_item_sign| except the signature is\n// signed with |ctx|, |ctx|, which must have been initialized with\n// |EVP_DigestSignInit|. The caller should configure the corresponding\n// |EVP_PKEY_CTX| with any additional parameters before calling this function.\n//\n// On success or failure, this function mutates |ctx| and resets it to the empty\n// state. Caller should not rely on its contents after the function returns.\n//\n// WARNING: |data| must be a pointer with the same type as |it|'s corresponding\n// C type. Using the wrong type is a potentially exploitable memory error.\nOPENSSL_EXPORT int ASN1_item_sign_ctx(const ASN1_ITEM *it, X509_ALGOR *algor1,\n X509_ALGOR *algor2,\n ASN1_BIT_STRING *signature, void *asn,\n EVP_MD_CTX *ctx);\n\n\n// Verification internals.\n//\n// The following functions expose portions of certificate validation. They are\n// exported for compatibility with existing callers, or to support some obscure\n// use cases. Most callers, however, will not need these functions and should\n// instead use |X509_STORE_CTX| APIs.\n\n// X509_supported_extension returns one if |ex| is a critical X.509 certificate\n// extension, supported by |X509_verify_cert|, and zero otherwise.\n//\n// Note this function only reports certificate extensions (as opposed to CRL or\n// CRL extensions), and only extensions that are expected to be marked critical.\n// Additionally, |X509_verify_cert| checks for unsupported critical extensions\n// internally, so most callers will not need to call this function separately.\nOPENSSL_EXPORT int X509_supported_extension(const X509_EXTENSION *ex);\n\n// X509_check_ca returns one if |x509| may be considered a CA certificate,\n// according to basic constraints and key usage extensions. Otherwise, it\n// returns zero. If |x509| is an X509v1 certificate, and thus has no extensions,\n// it is considered eligible.\n//\n// This function returning one does not indicate that |x509| is trusted, only\n// that it is eligible to be a CA.\n//\n// TODO(crbug.com/boringssl/407): |x509| should be const.\nOPENSSL_EXPORT int X509_check_ca(X509 *x509);\n\n// X509_check_issued checks if |issuer| and |subject|'s name, authority key\n// identifier, and key usage fields allow |issuer| to have issued |subject|. It\n// returns |X509_V_OK| on success and an |X509_V_ERR_*| value otherwise.\n//\n// This function does not check the signature on |subject|. Rather, it is\n// intended to prune the set of possible issuer certificates during\n// path-building.\n//\n// TODO(crbug.com/boringssl/407): Both parameters should be const.\nOPENSSL_EXPORT int X509_check_issued(X509 *issuer, X509 *subject);\n\n// NAME_CONSTRAINTS_check checks if |x509| satisfies name constraints in |nc|.\n// It returns |X509_V_OK| on success and some |X509_V_ERR_*| constant on error.\n//\n// TODO(crbug.com/boringssl/407): Both parameters should be const.\nOPENSSL_EXPORT int NAME_CONSTRAINTS_check(X509 *x509, NAME_CONSTRAINTS *nc);\n\n// X509_check_host checks if |x509| matches the DNS name |chk|. It returns one\n// on match, zero on mismatch, or a negative number on error. |flags| should be\n// some combination of |X509_CHECK_FLAG_*| and modifies the behavior. On match,\n// if |out_peername| is non-NULL, it additionally sets |*out_peername| to a\n// newly-allocated, NUL-terminated string containing the DNS name or wildcard in\n// the certificate which matched. The caller must then free |*out_peername| with\n// |OPENSSL_free| when done.\n//\n// By default, both subject alternative names and the subject's common name\n// attribute are checked. The latter has long been deprecated, so callers should\n// include |X509_CHECK_FLAG_NEVER_CHECK_SUBJECT| in |flags| to use the standard\n// behavior. https://crbug.com/boringssl/464 tracks fixing the default.\n//\n// This function does not check if |x509| is a trusted certificate, only if,\n// were it trusted, it would match |chk|.\n//\n// WARNING: This function differs from the usual calling convention and may\n// return either 0 or a negative number on error.\n//\n// TODO(davidben): Make the error case also return zero.\nOPENSSL_EXPORT int X509_check_host(const X509 *x509, const char *chk,\n size_t chklen, unsigned int flags,\n char **out_peername);\n\n// X509_check_email checks if |x509| matches the email address |chk|. It returns\n// one on match, zero on mismatch, or a negative number on error. |flags| should\n// be some combination of |X509_CHECK_FLAG_*| and modifies the behavior.\n//\n// By default, both subject alternative names and the subject's email address\n// attribute are checked. The |X509_CHECK_FLAG_NEVER_CHECK_SUBJECT| flag may be\n// used to change this behavior.\n//\n// This function does not check if |x509| is a trusted certificate, only if,\n// were it trusted, it would match |chk|.\n//\n// WARNING: This function differs from the usual calling convention and may\n// return either 0 or a negative number on error.\n//\n// TODO(davidben): Make the error case also return zero.\nOPENSSL_EXPORT int X509_check_email(const X509 *x509, const char *chk,\n size_t chklen, unsigned int flags);\n\n// X509_check_ip checks if |x509| matches the IP address |chk|. The IP address\n// is represented in byte form and should be 4 bytes for an IPv4 address and 16\n// bytes for an IPv6 address. It returns one on match, zero on mismatch, or a\n// negative number on error. |flags| should be some combination of\n// |X509_CHECK_FLAG_*| and modifies the behavior.\n//\n// This function does not check if |x509| is a trusted certificate, only if,\n// were it trusted, it would match |chk|.\n//\n// WARNING: This function differs from the usual calling convention and may\n// return either 0 or a negative number on error.\n//\n// TODO(davidben): Make the error case also return zero.\nOPENSSL_EXPORT int X509_check_ip(const X509 *x509, const uint8_t *chk,\n size_t chklen, unsigned int flags);\n\n// X509_check_ip_asc behaves like |X509_check_ip| except the IP address is\n// specified in textual form in |ipasc|.\n//\n// WARNING: This function differs from the usual calling convention and may\n// return either 0 or a negative number on error.\n//\n// TODO(davidben): Make the error case also return zero.\nOPENSSL_EXPORT int X509_check_ip_asc(const X509 *x509, const char *ipasc,\n unsigned int flags);\n\n// X509_STORE_CTX_get1_issuer looks up a candidate trusted issuer for |x509| out\n// of |ctx|'s |X509_STORE|, based on the criteria in |X509_check_issued|. If one\n// was found, it returns one and sets |*out_issuer| to the issuer. The caller\n// must release |*out_issuer| with |X509_free| when done. If none was found, it\n// returns zero and leaves |*out_issuer| unchanged.\n//\n// This function only searches for trusted issuers. It does not consider\n// untrusted intermediates passed in to |X509_STORE_CTX_init|.\n//\n// TODO(crbug.com/boringssl/407): |x509| should be const.\nOPENSSL_EXPORT int X509_STORE_CTX_get1_issuer(X509 **out_issuer,\n X509_STORE_CTX *ctx, X509 *x509);\n\n// X509_check_purpose performs checks if |x509|'s basic constraints, key usage,\n// and extended key usage extensions for the specified purpose. |purpose| should\n// be one of |X509_PURPOSE_*| constants. See |X509_VERIFY_PARAM_set_purpose| for\n// details. It returns one if |x509|'s extensions are consistent with |purpose|\n// and zero otherwise. If |ca| is non-zero, |x509| is checked as a CA\n// certificate. Otherwise, it is checked as an end-entity certificate.\n//\n// If |purpose| is -1, this function performs no purpose checks, but it parses\n// some extensions in |x509| and may return zero on syntax error. Historically,\n// callers primarily used this function to trigger this parsing, but this is no\n// longer necessary. Functions acting on |X509| will internally parse as needed.\nOPENSSL_EXPORT int X509_check_purpose(X509 *x509, int purpose, int ca);\n\n#define X509_TRUST_TRUSTED 1\n#define X509_TRUST_REJECTED 2\n#define X509_TRUST_UNTRUSTED 3\n\n// X509_check_trust checks if |x509| is a valid trust anchor for trust type\n// |id|. See |X509_VERIFY_PARAM_set_trust| for details. It returns\n// |X509_TRUST_TRUSTED| if |x509| is a trust anchor, |X509_TRUST_REJECTED| if it\n// was distrusted, and |X509_TRUST_UNTRUSTED| otherwise. |id| should be one of\n// the |X509_TRUST_*| constants, or zero to indicate the default behavior.\n// |flags| should be zero and is ignored.\nOPENSSL_EXPORT int X509_check_trust(X509 *x509, int id, int flags);\n\n// X509_STORE_CTX_get1_certs returns a newly-allocated stack containing all\n// trusted certificates in |ctx|'s |X509_STORE| whose subject matches |name|, or\n// NULL on error. The caller must release the result with |sk_X509_pop_free| and\n// |X509_free| when done.\n//\n// TODO(crbug.com/boringssl/407): |name| should be const.\nOPENSSL_EXPORT STACK_OF(X509) *X509_STORE_CTX_get1_certs(X509_STORE_CTX *ctx,\n X509_NAME *name);\n\n// X509_STORE_CTX_get1_crls returns a newly-allocated stack containing all\n// CRLs in |ctx|'s |X509_STORE| whose subject matches |name|, or NULL on error.\n// The caller must release the result with |sk_X509_CRL_pop_free| and\n// |X509_CRL_free| when done.\n//\n// TODO(crbug.com/boringssl/407): |name| should be const.\nOPENSSL_EXPORT STACK_OF(X509_CRL) *X509_STORE_CTX_get1_crls(X509_STORE_CTX *ctx,\n X509_NAME *name);\n\n// X509_STORE_CTX_get_by_subject looks up an object of type |type| in |ctx|'s\n// |X509_STORE| that matches |name|. |type| should be one of the |X509_LU_*|\n// constants to indicate the type of object. If a match was found, it stores the\n// result in |ret| and returns one. Otherwise, it returns zero. If multiple\n// objects match, this function outputs an arbitray one.\n//\n// WARNING: |ret| must be in the empty state, as returned by |X509_OBJECT_new|.\n// Otherwise, the object currently in |ret| will be leaked when overwritten.\n// https://crbug.com/boringssl/685 tracks fixing this.\n//\n// WARNING: Multiple trusted certificates or CRLs may share a name. In this\n// case, this function returns an arbitrary match. Use\n// |X509_STORE_CTX_get1_certs| or |X509_STORE_CTX_get1_crls| instead.\n//\n// TODO(crbug.com/boringssl/407): |name| should be const.\nOPENSSL_EXPORT int X509_STORE_CTX_get_by_subject(X509_STORE_CTX *ctx, int type,\n X509_NAME *name,\n X509_OBJECT *ret);\n\n\n// X.509 information.\n//\n// |X509_INFO| is the return type for |PEM_X509_INFO_read_bio|, defined in\n// . It is used to store a certificate, CRL, or private key. This\n// type is defined in this header for OpenSSL compatibility.\n\nstruct private_key_st {\n EVP_PKEY *dec_pkey;\n} /* X509_PKEY */;\n\nstruct X509_info_st {\n X509 *x509;\n X509_CRL *crl;\n X509_PKEY *x_pkey;\n\n EVP_CIPHER_INFO enc_cipher;\n int enc_len;\n char *enc_data;\n} /* X509_INFO */;\n\nDEFINE_STACK_OF(X509_INFO)\n\n// X509_INFO_free releases memory associated with |info|.\nOPENSSL_EXPORT void X509_INFO_free(X509_INFO *info);\n\n\n// Deprecated custom extension registration.\n//\n// The following functions allow callers to register custom extensions for use\n// with |X509V3_EXT_d2i| and related functions. This mechanism is deprecated and\n// will be removed in the future. As discussed in |X509V3_EXT_add|, it is not\n// possible to safely register a custom extension without risking race\n// conditions and memory errors when linked with other users of BoringSSL.\n//\n// Moreover, it is not necessary to register a custom extension to process\n// extensions unknown to BoringSSL. Registration does not impact certificate\n// verification. Caller should instead use functions such as\n// |ASN1_OBJECT_create|, |X509_get_ext_by_OBJ|, |X509_EXTENSION_get_data|, and\n// |X509_EXTENSION_create_by_OBJ| to inspect or create extensions directly.\n\n// The following function pointer types are used in |X509V3_EXT_METHOD|.\ntypedef void *(*X509V3_EXT_NEW)(void);\ntypedef void (*X509V3_EXT_FREE)(void *ext);\ntypedef void *(*X509V3_EXT_D2I)(void *ext, const uint8_t **inp, long len);\ntypedef int (*X509V3_EXT_I2D)(void *ext, uint8_t **outp);\ntypedef STACK_OF(CONF_VALUE) *(*X509V3_EXT_I2V)(const X509V3_EXT_METHOD *method,\n void *ext,\n STACK_OF(CONF_VALUE) *extlist);\ntypedef void *(*X509V3_EXT_V2I)(const X509V3_EXT_METHOD *method,\n const X509V3_CTX *ctx,\n const STACK_OF(CONF_VALUE) *values);\ntypedef char *(*X509V3_EXT_I2S)(const X509V3_EXT_METHOD *method, void *ext);\ntypedef void *(*X509V3_EXT_S2I)(const X509V3_EXT_METHOD *method,\n const X509V3_CTX *ctx, const char *str);\ntypedef int (*X509V3_EXT_I2R)(const X509V3_EXT_METHOD *method, void *ext,\n BIO *out, int indent);\ntypedef void *(*X509V3_EXT_R2I)(const X509V3_EXT_METHOD *method,\n const X509V3_CTX *ctx, const char *str);\n\n// A v3_ext_method, aka |X509V3_EXT_METHOD|, is a deprecated type which defines\n// a custom extension.\nstruct v3_ext_method {\n // ext_nid is the NID of the extension.\n int ext_nid;\n\n // ext_flags is a combination of |X509V3_EXT_*| constants.\n int ext_flags;\n\n // it determines how values of this extension are allocated, released, parsed,\n // and marshalled. This must be non-NULL.\n ASN1_ITEM_EXP *it;\n\n // The following functions are ignored in favor of |it|. They are retained in\n // the struct only for source compatibility with existing struct definitions.\n X509V3_EXT_NEW ext_new;\n X509V3_EXT_FREE ext_free;\n X509V3_EXT_D2I d2i;\n X509V3_EXT_I2D i2d;\n\n // The following functions are used for string extensions.\n X509V3_EXT_I2S i2s;\n X509V3_EXT_S2I s2i;\n\n // The following functions are used for multi-valued extensions.\n X509V3_EXT_I2V i2v;\n X509V3_EXT_V2I v2i;\n\n // The following functions are used for \"raw\" extensions, which implement\n // custom printing behavior.\n X509V3_EXT_I2R i2r;\n X509V3_EXT_R2I r2i;\n\n void *usr_data; // Any extension specific data\n} /* X509V3_EXT_METHOD */;\n\n// X509V3_EXT_MULTILINE causes the result of an |X509V3_EXT_METHOD|'s |i2v|\n// function to be printed on separate lines, rather than separated by commas.\n#define X509V3_EXT_MULTILINE 0x4\n\n// X509V3_EXT_get returns the |X509V3_EXT_METHOD| corresponding to |ext|'s\n// extension type, or NULL if none was registered.\nOPENSSL_EXPORT const X509V3_EXT_METHOD *X509V3_EXT_get(\n const X509_EXTENSION *ext);\n\n// X509V3_EXT_get_nid returns the |X509V3_EXT_METHOD| corresponding to |nid|, or\n// NULL if none was registered.\nOPENSSL_EXPORT const X509V3_EXT_METHOD *X509V3_EXT_get_nid(int nid);\n\n// X509V3_EXT_add registers |ext| as a custom extension for the extension type\n// |ext->ext_nid|. |ext| must be valid for the remainder of the address space's\n// lifetime. It returns one on success and zero on error.\n//\n// WARNING: This function modifies global state. If other code in the same\n// address space also registers an extension with type |ext->ext_nid|, the two\n// registrations will conflict. Which registration takes effect is undefined. If\n// the two registrations use incompatible in-memory representations, code\n// expecting the other registration will then cast a type to the wrong type,\n// resulting in a potentially exploitable memory error. This conflict can also\n// occur if BoringSSL later adds support for |ext->ext_nid|, with a different\n// in-memory representation than the one expected by |ext|.\n//\n// This function, additionally, is not thread-safe and cannot be called\n// concurrently with any other BoringSSL function.\n//\n// As a result, it is impossible to safely use this function. Registering a\n// custom extension has no impact on certificate verification so, instead,\n// callers should simply handle the custom extension with the byte-based\n// |X509_EXTENSION| APIs directly. Registering |ext| with the library has little\n// practical value.\nOPENSSL_EXPORT OPENSSL_DEPRECATED int X509V3_EXT_add(X509V3_EXT_METHOD *ext);\n\n// X509V3_EXT_add_alias registers a custom extension with NID |nid_to|. The\n// corresponding ASN.1 type is copied from |nid_from|. It returns one on success\n// and zero on error.\n//\n// WARNING: Do not use this function. See |X509V3_EXT_add|.\nOPENSSL_EXPORT OPENSSL_DEPRECATED int X509V3_EXT_add_alias(int nid_to,\n int nid_from);\n\n\n// Deprecated config-based extension creation.\n//\n// The following functions allow specifying X.509 extensions using OpenSSL's\n// config file syntax, from the OpenSSL command-line tool. They are retained,\n// for now, for compatibility with legacy software but may be removed in the\n// future. Construct the extensions using the typed C APIs instead.\n//\n// Callers should especially avoid these functions if passing in non-constant\n// values. They use ad-hoc, string-based formats which are prone to injection\n// vulnerabilities. For a CA, this means using them risks misissuance.\n//\n// These functions are not safe to use with untrusted inputs. The string formats\n// may implicitly reference context information and, in OpenSSL (though not\n// BoringSSL), one even allows reading arbitrary files. Many formats can also\n// produce far larger outputs than their inputs, so untrusted inputs may lead to\n// denial-of-service attacks. Finally, the parsers see much less testing and\n// review than most of the library and may have bugs including memory leaks or\n// crashes.\n\n// v3_ext_ctx, aka |X509V3_CTX|, contains additional context information for\n// constructing extensions. Some string formats reference additional values in\n// these objects. It must be initialized with |X509V3_set_ctx| or\n// |X509V3_set_ctx_test| before use.\nstruct v3_ext_ctx {\n int flags;\n const X509 *issuer_cert;\n const X509 *subject_cert;\n const X509_REQ *subject_req;\n const X509_CRL *crl;\n const CONF *db;\n};\n\n#define X509V3_CTX_TEST 0x1\n\n// X509V3_set_ctx initializes |ctx| with the specified objects. Some string\n// formats will reference fields in these objects. Each object may be NULL to\n// omit it, in which case those formats cannot be used. |flags| should be zero,\n// unless called via |X509V3_set_ctx_test|.\n//\n// |issuer|, |subject|, |req|, and |crl|, if non-NULL, must outlive |ctx|.\nOPENSSL_EXPORT void X509V3_set_ctx(X509V3_CTX *ctx, const X509 *issuer,\n const X509 *subject, const X509_REQ *req,\n const X509_CRL *crl, int flags);\n\n// X509V3_set_ctx_test calls |X509V3_set_ctx| without any reference objects and\n// mocks out some features that use them. The resulting extensions may be\n// incomplete and should be discarded. This can be used to partially validate\n// syntax.\n//\n// TODO(davidben): Can we remove this?\n#define X509V3_set_ctx_test(ctx) \\\n X509V3_set_ctx(ctx, NULL, NULL, NULL, NULL, X509V3_CTX_TEST)\n\n// X509V3_set_nconf sets |ctx| to use |conf| as the config database. |ctx| must\n// have previously been initialized by |X509V3_set_ctx| or\n// |X509V3_set_ctx_test|. Some string formats will reference sections in |conf|.\n// |conf| may be NULL, in which case these formats cannot be used. If non-NULL,\n// |conf| must outlive |ctx|.\nOPENSSL_EXPORT void X509V3_set_nconf(X509V3_CTX *ctx, const CONF *conf);\n\n// X509V3_set_ctx_nodb calls |X509V3_set_nconf| with no config database.\n#define X509V3_set_ctx_nodb(ctx) X509V3_set_nconf(ctx, NULL)\n\n// X509V3_EXT_nconf constructs an extension of type specified by |name|, and\n// value specified by |value|. It returns a newly-allocated |X509_EXTENSION|\n// object on success, or NULL on error. |conf| and |ctx| specify additional\n// information referenced by some formats. Either |conf| or |ctx| may be NULL,\n// in which case features which use it will be disabled.\n//\n// If non-NULL, |ctx| must be initialized with |X509V3_set_ctx| or\n// |X509V3_set_ctx_test|.\n//\n// Both |conf| and |ctx| provide a |CONF| object. When |ctx| is non-NULL, most\n// features use the |ctx| copy, configured with |X509V3_set_ctx|, but some use\n// |conf|. Callers should ensure the two match to avoid surprisingly behavior.\nOPENSSL_EXPORT X509_EXTENSION *X509V3_EXT_nconf(const CONF *conf,\n const X509V3_CTX *ctx,\n const char *name,\n const char *value);\n\n// X509V3_EXT_nconf_nid behaves like |X509V3_EXT_nconf|, except the extension\n// type is specified as a NID.\nOPENSSL_EXPORT X509_EXTENSION *X509V3_EXT_nconf_nid(const CONF *conf,\n const X509V3_CTX *ctx,\n int ext_nid,\n const char *value);\n\n// X509V3_EXT_conf_nid calls |X509V3_EXT_nconf_nid|. |conf| must be NULL.\n//\n// TODO(davidben): This is the only exposed instance of an LHASH in our public\n// headers. cryptography.io wraps this function so we cannot, yet, replace the\n// type with a dummy struct.\nOPENSSL_EXPORT X509_EXTENSION *X509V3_EXT_conf_nid(LHASH_OF(CONF_VALUE) *conf,\n const X509V3_CTX *ctx,\n int ext_nid,\n const char *value);\n\n// X509V3_EXT_add_nconf_sk looks up the section named |section| in |conf|. For\n// each |CONF_VALUE| in the section, it constructs an extension as in\n// |X509V3_EXT_nconf|, taking |name| and |value| from the |CONF_VALUE|. Each new\n// extension is appended to |*sk|. If |*sk| is non-NULL, and at least one\n// extension is added, it sets |*sk| to a newly-allocated\n// |STACK_OF(X509_EXTENSION)|. It returns one on success and zero on error.\nOPENSSL_EXPORT int X509V3_EXT_add_nconf_sk(const CONF *conf,\n const X509V3_CTX *ctx,\n const char *section,\n STACK_OF(X509_EXTENSION) **sk);\n\n// X509V3_EXT_add_nconf adds extensions to |cert| as in\n// |X509V3_EXT_add_nconf_sk|. It returns one on success and zero on error.\nOPENSSL_EXPORT int X509V3_EXT_add_nconf(const CONF *conf, const X509V3_CTX *ctx,\n const char *section, X509 *cert);\n\n// X509V3_EXT_REQ_add_nconf adds extensions to |req| as in\n// |X509V3_EXT_add_nconf_sk|. It returns one on success and zero on error.\nOPENSSL_EXPORT int X509V3_EXT_REQ_add_nconf(const CONF *conf,\n const X509V3_CTX *ctx,\n const char *section, X509_REQ *req);\n\n// X509V3_EXT_CRL_add_nconf adds extensions to |crl| as in\n// |X509V3_EXT_add_nconf_sk|. It returns one on success and zero on error.\nOPENSSL_EXPORT int X509V3_EXT_CRL_add_nconf(const CONF *conf,\n const X509V3_CTX *ctx,\n const char *section, X509_CRL *crl);\n\n// i2s_ASN1_OCTET_STRING returns a human-readable representation of |oct| as a\n// newly-allocated, NUL-terminated string, or NULL on error. |method| is\n// ignored. The caller must release the result with |OPENSSL_free| when done.\nOPENSSL_EXPORT char *i2s_ASN1_OCTET_STRING(const X509V3_EXT_METHOD *method,\n const ASN1_OCTET_STRING *oct);\n\n// s2i_ASN1_OCTET_STRING decodes |str| as a hexdecimal byte string, with\n// optional colon separators between bytes. It returns a newly-allocated\n// |ASN1_OCTET_STRING| with the result on success, or NULL on error. |method|\n// and |ctx| are ignored.\nOPENSSL_EXPORT ASN1_OCTET_STRING *s2i_ASN1_OCTET_STRING(\n const X509V3_EXT_METHOD *method, const X509V3_CTX *ctx, const char *str);\n\n// i2s_ASN1_INTEGER returns a human-readable representation of |aint| as a\n// newly-allocated, NUL-terminated string, or NULL on error. |method| is\n// ignored. The caller must release the result with |OPENSSL_free| when done.\nOPENSSL_EXPORT char *i2s_ASN1_INTEGER(const X509V3_EXT_METHOD *method,\n const ASN1_INTEGER *aint);\n\n// s2i_ASN1_INTEGER decodes |value| as the ASCII representation of an integer,\n// and returns a newly-allocated |ASN1_INTEGER| containing the result, or NULL\n// on error. |method| is ignored. If |value| begins with \"0x\" or \"0X\", the input\n// is decoded in hexadecimal, otherwise decimal.\nOPENSSL_EXPORT ASN1_INTEGER *s2i_ASN1_INTEGER(const X509V3_EXT_METHOD *method,\n const char *value);\n\n// i2s_ASN1_ENUMERATED returns a human-readable representation of |aint| as a\n// newly-allocated, NUL-terminated string, or NULL on error. |method| is\n// ignored. The caller must release the result with |OPENSSL_free| when done.\nOPENSSL_EXPORT char *i2s_ASN1_ENUMERATED(const X509V3_EXT_METHOD *method,\n const ASN1_ENUMERATED *aint);\n\n// X509V3_conf_free releases memory associated with |CONF_VALUE|.\nOPENSSL_EXPORT void X509V3_conf_free(CONF_VALUE *val);\n\n// i2v_GENERAL_NAME serializes |gen| as a |CONF_VALUE|. If |ret| is non-NULL, it\n// appends the value to |ret| and returns |ret| on success or NULL on error. If\n// it returns NULL, the caller is still responsible for freeing |ret|. If |ret|\n// is NULL, it returns a newly-allocated |STACK_OF(CONF_VALUE)| containing the\n// result. |method| is ignored. When done, the caller should release the result\n// with |sk_CONF_VALUE_pop_free| and |X509V3_conf_free|.\n//\n// Do not use this function. This is an internal implementation detail of the\n// human-readable print functions. If extracting a SAN list from a certificate,\n// look at |gen| directly.\nOPENSSL_EXPORT STACK_OF(CONF_VALUE) *i2v_GENERAL_NAME(\n const X509V3_EXT_METHOD *method, const GENERAL_NAME *gen,\n STACK_OF(CONF_VALUE) *ret);\n\n// i2v_GENERAL_NAMES serializes |gen| as a list of |CONF_VALUE|s. If |ret| is\n// non-NULL, it appends the values to |ret| and returns |ret| on success or NULL\n// on error. If it returns NULL, the caller is still responsible for freeing\n// |ret|. If |ret| is NULL, it returns a newly-allocated |STACK_OF(CONF_VALUE)|\n// containing the results. |method| is ignored.\n//\n// Do not use this function. This is an internal implementation detail of the\n// human-readable print functions. If extracting a SAN list from a certificate,\n// look at |gen| directly.\nOPENSSL_EXPORT STACK_OF(CONF_VALUE) *i2v_GENERAL_NAMES(\n const X509V3_EXT_METHOD *method, const GENERAL_NAMES *gen,\n STACK_OF(CONF_VALUE) *extlist);\n\n// a2i_IPADDRESS decodes |ipasc| as the textual representation of an IPv4 or\n// IPv6 address. On success, it returns a newly-allocated |ASN1_OCTET_STRING|\n// containing the decoded IP address. IPv4 addresses are represented as 4-byte\n// strings and IPv6 addresses as 16-byte strings. On failure, it returns NULL.\nOPENSSL_EXPORT ASN1_OCTET_STRING *a2i_IPADDRESS(const char *ipasc);\n\n// a2i_IPADDRESS_NC decodes |ipasc| as the textual representation of an IPv4 or\n// IPv6 address range. On success, it returns a newly-allocated\n// |ASN1_OCTET_STRING| containing the decoded IP address, followed by the\n// decoded mask. IPv4 ranges are represented as 8-byte strings and IPv6 ranges\n// as 32-byte strings. On failure, it returns NULL.\n//\n// The text format decoded by this function is not the standard CIDR notiation.\n// Instead, the mask after the \"/\" is represented as another IP address. For\n// example, \"192.168.0.0/16\" would be written \"192.168.0.0/255.255.0.0\".\nOPENSSL_EXPORT ASN1_OCTET_STRING *a2i_IPADDRESS_NC(const char *ipasc);\n\n\n// Deprecated functions.\n\n// X509_get_notBefore returns |x509|'s notBefore time. Note this function is not\n// const-correct for legacy reasons. Use |X509_get0_notBefore| or\n// |X509_getm_notBefore| instead.\nOPENSSL_EXPORT ASN1_TIME *X509_get_notBefore(const X509 *x509);\n\n// X509_get_notAfter returns |x509|'s notAfter time. Note this function is not\n// const-correct for legacy reasons. Use |X509_get0_notAfter| or\n// |X509_getm_notAfter| instead.\nOPENSSL_EXPORT ASN1_TIME *X509_get_notAfter(const X509 *x509);\n\n// X509_set_notBefore calls |X509_set1_notBefore|. Use |X509_set1_notBefore|\n// instead.\nOPENSSL_EXPORT int X509_set_notBefore(X509 *x509, const ASN1_TIME *tm);\n\n// X509_set_notAfter calls |X509_set1_notAfter|. Use |X509_set1_notAfter|\n// instead.\nOPENSSL_EXPORT int X509_set_notAfter(X509 *x509, const ASN1_TIME *tm);\n\n// X509_CRL_get_lastUpdate returns a mutable pointer to |crl|'s thisUpdate time.\n// The OpenSSL API refers to this field as lastUpdate.\n//\n// Use |X509_CRL_get0_lastUpdate| or |X509_CRL_set1_lastUpdate| instead.\nOPENSSL_EXPORT ASN1_TIME *X509_CRL_get_lastUpdate(X509_CRL *crl);\n\n// X509_CRL_get_nextUpdate returns a mutable pointer to |crl|'s nextUpdate time,\n// or NULL if |crl| has none. Use |X509_CRL_get0_nextUpdate| or\n// |X509_CRL_set1_nextUpdate| instead.\nOPENSSL_EXPORT ASN1_TIME *X509_CRL_get_nextUpdate(X509_CRL *crl);\n\n// X509_extract_key is a legacy alias to |X509_get_pubkey|. Use\n// |X509_get_pubkey| instead.\n#define X509_extract_key(x) X509_get_pubkey(x)\n\n// X509_REQ_extract_key is a legacy alias for |X509_REQ_get_pubkey|.\n#define X509_REQ_extract_key(a) X509_REQ_get_pubkey(a)\n\n// X509_name_cmp is a legacy alias for |X509_NAME_cmp|.\n#define X509_name_cmp(a, b) X509_NAME_cmp((a), (b))\n\n// The following symbols are deprecated aliases to |X509_CRL_set1_*|.\n#define X509_CRL_set_lastUpdate X509_CRL_set1_lastUpdate\n#define X509_CRL_set_nextUpdate X509_CRL_set1_nextUpdate\n\n// X509_get_serialNumber returns a mutable pointer to |x509|'s serial number.\n// Prefer |X509_get0_serialNumber|.\nOPENSSL_EXPORT ASN1_INTEGER *X509_get_serialNumber(X509 *x509);\n\n// X509_NAME_get_text_by_OBJ finds the first attribute with type |obj| in\n// |name|. If found, it writes the value's UTF-8 representation to |buf|.\n// followed by a NUL byte, and returns the number of bytes in the output,\n// excluding the NUL byte. This is unlike OpenSSL which returns the raw\n// ASN1_STRING data. The UTF-8 encoding of the |ASN1_STRING| may not contain a 0\n// codepoint.\n//\n// This function writes at most |len| bytes, including the NUL byte. If |buf|\n// is NULL, it writes nothing and returns the number of bytes in the\n// output, excluding the NUL byte that would be required for the full UTF-8\n// output.\n//\n// This function may return -1 if an error occurs for any reason, including the\n// value not being a recognized string type, |len| being of insufficient size to\n// hold the full UTF-8 encoding and NUL byte, memory allocation failures, an\n// object with type |obj| not existing in |name|, or if the UTF-8 encoding of\n// the string contains a zero byte.\nOPENSSL_EXPORT int X509_NAME_get_text_by_OBJ(const X509_NAME *name,\n const ASN1_OBJECT *obj, char *buf,\n int len);\n\n// X509_NAME_get_text_by_NID behaves like |X509_NAME_get_text_by_OBJ| except it\n// finds an attribute of type |nid|, which should be one of the |NID_*|\n// constants.\nOPENSSL_EXPORT int X509_NAME_get_text_by_NID(const X509_NAME *name, int nid,\n char *buf, int len);\n\n// X509_STORE_CTX_get0_parent_ctx returns NULL.\nOPENSSL_EXPORT X509_STORE_CTX *X509_STORE_CTX_get0_parent_ctx(\n const X509_STORE_CTX *ctx);\n\n// X509_OBJECT_free_contents sets |obj| to the empty object, freeing any values\n// that were previously there.\n//\n// TODO(davidben): Unexport this function after rust-openssl is fixed to no\n// longer call it.\nOPENSSL_EXPORT void X509_OBJECT_free_contents(X509_OBJECT *obj);\n\n// X509_LOOKUP_free releases memory associated with |ctx|. This function should\n// never be used outside the library. No function in the public API hands\n// ownership of an |X509_LOOKUP| to the caller.\n//\n// TODO(davidben): Unexport this function after rust-openssl is fixed to no\n// longer call it.\nOPENSSL_EXPORT void X509_LOOKUP_free(X509_LOOKUP *ctx);\n\n// X509_STORE_CTX_cleanup resets |ctx| to the empty state.\n//\n// This function is a remnant of when |X509_STORE_CTX| was stack-allocated and\n// should not be used. If releasing |ctx|, call |X509_STORE_CTX_free|. If\n// reusing |ctx| for a new verification, release the old one and create a new\n// one.\nOPENSSL_EXPORT void X509_STORE_CTX_cleanup(X509_STORE_CTX *ctx);\n\n// X509V3_add_standard_extensions returns one.\nOPENSSL_EXPORT int X509V3_add_standard_extensions(void);\n\n// The following symbols are legacy aliases for |X509_STORE_CTX| functions.\n#define X509_STORE_get_by_subject X509_STORE_CTX_get_by_subject\n#define X509_STORE_get1_certs X509_STORE_CTX_get1_certs\n#define X509_STORE_get1_crls X509_STORE_CTX_get1_crls\n\n// X509_STORE_CTX_get_chain is a legacy alias for |X509_STORE_CTX_get0_chain|.\nOPENSSL_EXPORT STACK_OF(X509) *X509_STORE_CTX_get_chain(\n const X509_STORE_CTX *ctx);\n\n// X509_STORE_CTX_trusted_stack is a deprecated alias for\n// |X509_STORE_CTX_set0_trusted_stack|.\nOPENSSL_EXPORT void X509_STORE_CTX_trusted_stack(X509_STORE_CTX *ctx,\n STACK_OF(X509) *sk);\n\ntypedef int (*X509_STORE_CTX_verify_cb)(int, X509_STORE_CTX *);\n\n// X509_STORE_CTX_set_verify_cb configures a callback function for |ctx| that is\n// called multiple times during |X509_verify_cert|. The callback returns zero to\n// fail verification and one to proceed. Typically, it will return |ok|, which\n// preserves the default behavior. Returning one when |ok| is zero will proceed\n// past some error. The callback may inspect |ctx| and the error queue to\n// attempt to determine the current stage of certificate verification, but this\n// is often unreliable. When synthesizing an error, callbacks should use\n// |X509_STORE_CTX_set_error| to set a corresponding error.\n//\n// WARNING: Do not use this function. It is extremely fragile and unpredictable.\n// This callback exposes implementation details of certificate verification,\n// which change as the library evolves. Attempting to use it for security checks\n// can introduce vulnerabilities if making incorrect assumptions about when the\n// callback is called. Some errors, when suppressed, may implicitly suppress\n// other errors due to internal implementation details. Additionally, overriding\n// |ok| may leave |ctx| in an inconsistent state and break invariants.\n//\n// Instead, customize certificate verification by configuring options on the\n// |X509_STORE_CTX| before verification, or applying additional checks after\n// |X509_verify_cert| completes successfully.\nOPENSSL_EXPORT void X509_STORE_CTX_set_verify_cb(\n X509_STORE_CTX *ctx, int (*verify_cb)(int ok, X509_STORE_CTX *ctx));\n\n// X509_STORE_set_verify_cb acts like |X509_STORE_CTX_set_verify_cb| but sets\n// the verify callback for any |X509_STORE_CTX| created from this |X509_STORE|\n//\n// Do not use this function. See |X509_STORE_CTX_set_verify_cb| for details.\nOPENSSL_EXPORT void X509_STORE_set_verify_cb(\n X509_STORE *store, X509_STORE_CTX_verify_cb verify_cb);\n\n// X509_STORE_set_verify_cb_func is a deprecated alias for\n// |X509_STORE_set_verify_cb|.\n#define X509_STORE_set_verify_cb_func(store, func) \\\n X509_STORE_set_verify_cb((store), (func))\n\n// X509_STORE_CTX_set_chain configures |ctx| to use |sk| for untrusted\n// intermediate certificates to use in verification. This function is redundant\n// with the |chain| parameter of |X509_STORE_CTX_init|. Use the parameter\n// instead.\n//\n// WARNING: Despite the similar name, this function is unrelated to\n// |X509_STORE_CTX_get0_chain|.\n//\n// WARNING: This function saves a pointer to |sk| without copying or\n// incrementing reference counts. |sk| must outlive |ctx| and may not be mutated\n// for the duration of the certificate verification.\nOPENSSL_EXPORT void X509_STORE_CTX_set_chain(X509_STORE_CTX *ctx,\n STACK_OF(X509) *sk);\n\n// The following flags do nothing. The corresponding non-standard options have\n// been removed.\n#define X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT 0\n#define X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS 0\n#define X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS 0\n\n// X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS does nothing, but is necessary in\n// OpenSSL to enable standard wildcard matching. In BoringSSL, this behavior is\n// always enabled.\n#define X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS 0\n\n// X509_STORE_get0_objects returns a non-owning pointer of |store|'s internal\n// object list. Although this function is not const, callers must not modify\n// the result of this function.\n//\n// WARNING: This function is not thread-safe. If |store| is shared across\n// multiple threads, callers cannot safely inspect the result of this function,\n// because another thread may have concurrently added to it. In particular,\n// |X509_LOOKUP_add_dir| treats this list as a cache and may add to it in the\n// course of certificate verification. This API additionally prevents fixing\n// some quadratic worst-case behavior in |X509_STORE| and may be removed in the\n// future. Use |X509_STORE_get1_objects| instead.\nOPENSSL_EXPORT STACK_OF(X509_OBJECT) *X509_STORE_get0_objects(\n X509_STORE *store);\n\n// X509_PURPOSE_get_by_sname returns the |X509_PURPOSE_*| constant corresponding\n// a short name |sname|, or -1 if |sname| was not recognized.\n//\n// Use |X509_PURPOSE_*| constants directly instead. The short names used by this\n// function look like \"sslserver\" or \"smimeencrypt\", so they do not make\n// especially good APIs.\n//\n// This function differs from OpenSSL, which returns an \"index\" to be passed to\n// |X509_PURPOSE_get0|, followed by |X509_PURPOSE_get_id|, to finally obtain an\n// |X509_PURPOSE_*| value suitable for use with |X509_VERIFY_PARAM_set_purpose|.\nOPENSSL_EXPORT int X509_PURPOSE_get_by_sname(const char *sname);\n\n// X509_PURPOSE_get0 returns the |X509_PURPOSE| object corresponding to |id|,\n// which should be one of the |X509_PURPOSE_*| constants, or NULL if none\n// exists.\n//\n// This function differs from OpenSSL, which takes an \"index\", returned from\n// |X509_PURPOSE_get_by_sname|. In BoringSSL, indices and |X509_PURPOSE_*| IDs\n// are the same.\nOPENSSL_EXPORT const X509_PURPOSE *X509_PURPOSE_get0(int id);\n\n// X509_PURPOSE_get_id returns |purpose|'s ID. This will be one of the\n// |X509_PURPOSE_*| constants.\nOPENSSL_EXPORT int X509_PURPOSE_get_id(const X509_PURPOSE *purpose);\n\n// The following constants are values for the legacy Netscape certificate type\n// X.509 extension, a precursor to extended key usage. These values correspond\n// to the DER encoding of the first byte of the BIT STRING. That is, 0x80 is\n// bit zero and 0x01 is bit seven.\n//\n// TODO(davidben): These constants are only used by OpenVPN, which deprecated\n// the feature in 2017. The documentation says it was removed, but they did not\n// actually remove it. See if OpenVPN will accept a patch to finish this.\n#define NS_SSL_CLIENT 0x80\n#define NS_SSL_SERVER 0x40\n#define NS_SMIME 0x20\n#define NS_OBJSIGN 0x10\n#define NS_SSL_CA 0x04\n#define NS_SMIME_CA 0x02\n#define NS_OBJSIGN_CA 0x01\n#define NS_ANY_CA (NS_SSL_CA | NS_SMIME_CA | NS_OBJSIGN_CA)\n\n\n// Private structures.\n\nstruct X509_algor_st {\n ASN1_OBJECT *algorithm;\n ASN1_TYPE *parameter;\n} /* X509_ALGOR */;\n\n\n#if defined(__cplusplus)\n} // extern C\n#endif\n\n#if !defined(BORINGSSL_NO_CXX)\nextern \"C++\" {\n\nBSSL_NAMESPACE_BEGIN\n\nBORINGSSL_MAKE_DELETER(ACCESS_DESCRIPTION, ACCESS_DESCRIPTION_free)\nBORINGSSL_MAKE_DELETER(AUTHORITY_KEYID, AUTHORITY_KEYID_free)\nBORINGSSL_MAKE_DELETER(BASIC_CONSTRAINTS, BASIC_CONSTRAINTS_free)\n// TODO(davidben): Move this to conf.h and rename to CONF_VALUE_free.\nBORINGSSL_MAKE_DELETER(CONF_VALUE, X509V3_conf_free)\nBORINGSSL_MAKE_DELETER(DIST_POINT, DIST_POINT_free)\nBORINGSSL_MAKE_DELETER(GENERAL_NAME, GENERAL_NAME_free)\nBORINGSSL_MAKE_DELETER(GENERAL_SUBTREE, GENERAL_SUBTREE_free)\nBORINGSSL_MAKE_DELETER(NAME_CONSTRAINTS, NAME_CONSTRAINTS_free)\nBORINGSSL_MAKE_DELETER(NETSCAPE_SPKI, NETSCAPE_SPKI_free)\nBORINGSSL_MAKE_DELETER(POLICY_MAPPING, POLICY_MAPPING_free)\nBORINGSSL_MAKE_DELETER(POLICYINFO, POLICYINFO_free)\nBORINGSSL_MAKE_DELETER(RSA_PSS_PARAMS, RSA_PSS_PARAMS_free)\nBORINGSSL_MAKE_DELETER(X509, X509_free)\nBORINGSSL_MAKE_UP_REF(X509, X509_up_ref)\nBORINGSSL_MAKE_DELETER(X509_ALGOR, X509_ALGOR_free)\nBORINGSSL_MAKE_DELETER(X509_ATTRIBUTE, X509_ATTRIBUTE_free)\nBORINGSSL_MAKE_DELETER(X509_CRL, X509_CRL_free)\nBORINGSSL_MAKE_UP_REF(X509_CRL, X509_CRL_up_ref)\nBORINGSSL_MAKE_DELETER(X509_EXTENSION, X509_EXTENSION_free)\nBORINGSSL_MAKE_DELETER(X509_INFO, X509_INFO_free)\nBORINGSSL_MAKE_DELETER(X509_LOOKUP, X509_LOOKUP_free)\nBORINGSSL_MAKE_DELETER(X509_NAME, X509_NAME_free)\nBORINGSSL_MAKE_DELETER(X509_NAME_ENTRY, X509_NAME_ENTRY_free)\nBORINGSSL_MAKE_DELETER(X509_OBJECT, X509_OBJECT_free)\nBORINGSSL_MAKE_DELETER(X509_PUBKEY, X509_PUBKEY_free)\nBORINGSSL_MAKE_DELETER(X509_REQ, X509_REQ_free)\nBORINGSSL_MAKE_DELETER(X509_REVOKED, X509_REVOKED_free)\nBORINGSSL_MAKE_DELETER(X509_SIG, X509_SIG_free)\nBORINGSSL_MAKE_DELETER(X509_STORE, X509_STORE_free)\nBORINGSSL_MAKE_UP_REF(X509_STORE, X509_STORE_up_ref)\nBORINGSSL_MAKE_DELETER(X509_STORE_CTX, X509_STORE_CTX_free)\nBORINGSSL_MAKE_DELETER(X509_VERIFY_PARAM, X509_VERIFY_PARAM_free)\n\nBSSL_NAMESPACE_END\n\n} // extern C++\n#endif // !BORINGSSL_NO_CXX\n\n#define X509_R_AKID_MISMATCH 100\n#define X509_R_BAD_PKCS7_VERSION 101\n#define X509_R_BAD_X509_FILETYPE 102\n#define X509_R_BASE64_DECODE_ERROR 103\n#define X509_R_CANT_CHECK_DH_KEY 104\n#define X509_R_CERT_ALREADY_IN_HASH_TABLE 105\n#define X509_R_CRL_ALREADY_DELTA 106\n#define X509_R_CRL_VERIFY_FAILURE 107\n#define X509_R_IDP_MISMATCH 108\n#define X509_R_INVALID_BIT_STRING_BITS_LEFT 109\n#define X509_R_INVALID_DIRECTORY 110\n#define X509_R_INVALID_FIELD_NAME 111\n#define X509_R_INVALID_PSS_PARAMETERS 112\n#define X509_R_INVALID_TRUST 113\n#define X509_R_ISSUER_MISMATCH 114\n#define X509_R_KEY_TYPE_MISMATCH 115\n#define X509_R_KEY_VALUES_MISMATCH 116\n#define X509_R_LOADING_CERT_DIR 117\n#define X509_R_LOADING_DEFAULTS 118\n#define X509_R_NEWER_CRL_NOT_NEWER 119\n#define X509_R_NOT_PKCS7_SIGNED_DATA 120\n#define X509_R_NO_CERTIFICATES_INCLUDED 121\n#define X509_R_NO_CERT_SET_FOR_US_TO_VERIFY 122\n#define X509_R_NO_CRLS_INCLUDED 123\n#define X509_R_NO_CRL_NUMBER 124\n#define X509_R_PUBLIC_KEY_DECODE_ERROR 125\n#define X509_R_PUBLIC_KEY_ENCODE_ERROR 126\n#define X509_R_SHOULD_RETRY 127\n#define X509_R_UNKNOWN_KEY_TYPE 128\n#define X509_R_UNKNOWN_NID 129\n#define X509_R_UNKNOWN_PURPOSE_ID 130\n#define X509_R_UNKNOWN_TRUST_ID 131\n#define X509_R_UNSUPPORTED_ALGORITHM 132\n#define X509_R_WRONG_LOOKUP_TYPE 133\n#define X509_R_WRONG_TYPE 134\n#define X509_R_NAME_TOO_LONG 135\n#define X509_R_INVALID_PARAMETER 136\n#define X509_R_SIGNATURE_ALGORITHM_MISMATCH 137\n#define X509_R_DELTA_CRL_WITHOUT_CRL_NUMBER 138\n#define X509_R_INVALID_FIELD_FOR_VERSION 139\n#define X509_R_INVALID_VERSION 140\n#define X509_R_NO_CERTIFICATE_FOUND 141\n#define X509_R_NO_CERTIFICATE_OR_CRL_FOUND 142\n#define X509_R_NO_CRL_FOUND 143\n#define X509_R_INVALID_POLICY_EXTENSION 144\n\n#endif // OPENSSL_HEADER_X509_H\n" }, { "path": "Sources/CNIOBoringSSL/include/CNIOBoringSSL_x509_vfy.h", "content": "/* Copyright 2021 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n/* This header is provided in order to make compiling against code that expects\n OpenSSL easier. */\n\n#include \"CNIOBoringSSL_x509.h\"\n" }, { "path": "Sources/CNIOBoringSSL/include/CNIOBoringSSL_x509v3.h", "content": "/* Copyright 2023 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n#ifndef OPENSSL_HEADER_X509V3_H\n#define OPENSSL_HEADER_X509V3_H\n\n// This header primarily exists in order to make compiling against code that\n// expects OpenSSL easier. We have merged this header into .\n// However, due to conflicts, some deprecated symbols are defined here.\n#include \"CNIOBoringSSL_x509.h\"\n\n\n// CRL reason constants.\n\n// TODO(davidben): These constants live here because strongswan defines\n// conflicting symbols and has been relying on them only being defined in\n// . Defining the constants in would break\n// strongswan, but we would also like for new code to only need\n// . Introduce properly namespaced versions of these constants\n// and, separately, see if we can fix strongswan to similarly avoid the\n// conflict. Between OpenSSL, strongswan, and wincrypt.h all defining these\n// constants, it seems best for everyone to just avoid them going forward.\n#define CRL_REASON_NONE (-1)\n#define CRL_REASON_UNSPECIFIED 0\n#define CRL_REASON_KEY_COMPROMISE 1\n#define CRL_REASON_CA_COMPROMISE 2\n#define CRL_REASON_AFFILIATION_CHANGED 3\n#define CRL_REASON_SUPERSEDED 4\n#define CRL_REASON_CESSATION_OF_OPERATION 5\n#define CRL_REASON_CERTIFICATE_HOLD 6\n#define CRL_REASON_REMOVE_FROM_CRL 8\n#define CRL_REASON_PRIVILEGE_WITHDRAWN 9\n#define CRL_REASON_AA_COMPROMISE 10\n\n\n// Deprecated constants.\n\n// The following constants are legacy aliases for |X509v3_KU_*|. They are\n// defined here instead of in because NSS's public headers use\n// the same symbols. Some callers have inadvertently relied on the conflicts\n// only being defined in this header.\n#define KU_DIGITAL_SIGNATURE X509v3_KU_DIGITAL_SIGNATURE\n#define KU_NON_REPUDIATION X509v3_KU_NON_REPUDIATION\n#define KU_KEY_ENCIPHERMENT X509v3_KU_KEY_ENCIPHERMENT\n#define KU_DATA_ENCIPHERMENT X509v3_KU_DATA_ENCIPHERMENT\n#define KU_KEY_AGREEMENT X509v3_KU_KEY_AGREEMENT\n#define KU_KEY_CERT_SIGN X509v3_KU_KEY_CERT_SIGN\n#define KU_CRL_SIGN X509v3_KU_CRL_SIGN\n#define KU_ENCIPHER_ONLY X509v3_KU_ENCIPHER_ONLY\n#define KU_DECIPHER_ONLY X509v3_KU_DECIPHER_ONLY\n\n#endif // OPENSSL_HEADER_X509V3_H\n" }, { "path": "Sources/CNIOBoringSSL/include/CNIOBoringSSL_x509v3_errors.h", "content": "/*\n * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#ifndef OPENSSL_HEADER_X509V3_ERRORS_H\n#define OPENSSL_HEADER_X509V3_ERRORS_H\n\n#define X509V3_R_BAD_IP_ADDRESS 100\n#define X509V3_R_BAD_OBJECT 101\n#define X509V3_R_BN_DEC2BN_ERROR 102\n#define X509V3_R_BN_TO_ASN1_INTEGER_ERROR 103\n#define X509V3_R_CANNOT_FIND_FREE_FUNCTION 104\n#define X509V3_R_DIRNAME_ERROR 105\n#define X509V3_R_DISTPOINT_ALREADY_SET 106\n#define X509V3_R_DUPLICATE_ZONE_ID 107\n#define X509V3_R_ERROR_CONVERTING_ZONE 108\n#define X509V3_R_ERROR_CREATING_EXTENSION 109\n#define X509V3_R_ERROR_IN_EXTENSION 110\n#define X509V3_R_EXPECTED_A_SECTION_NAME 111\n#define X509V3_R_EXTENSION_EXISTS 112\n#define X509V3_R_EXTENSION_NAME_ERROR 113\n#define X509V3_R_EXTENSION_NOT_FOUND 114\n#define X509V3_R_EXTENSION_SETTING_NOT_SUPPORTED 115\n#define X509V3_R_EXTENSION_VALUE_ERROR 116\n#define X509V3_R_ILLEGAL_EMPTY_EXTENSION 117\n#define X509V3_R_ILLEGAL_HEX_DIGIT 118\n#define X509V3_R_INCORRECT_POLICY_SYNTAX_TAG 119\n#define X509V3_R_INVALID_BOOLEAN_STRING 120\n#define X509V3_R_INVALID_EXTENSION_STRING 121\n#define X509V3_R_INVALID_MULTIPLE_RDNS 122\n#define X509V3_R_INVALID_NAME 123\n#define X509V3_R_INVALID_NULL_ARGUMENT 124\n#define X509V3_R_INVALID_NULL_NAME 125\n#define X509V3_R_INVALID_NULL_VALUE 126\n#define X509V3_R_INVALID_NUMBER 127\n#define X509V3_R_INVALID_NUMBERS 128\n#define X509V3_R_INVALID_OBJECT_IDENTIFIER 129\n#define X509V3_R_INVALID_OPTION 130\n#define X509V3_R_INVALID_POLICY_IDENTIFIER 131\n#define X509V3_R_INVALID_PROXY_POLICY_SETTING 132\n#define X509V3_R_INVALID_PURPOSE 133\n#define X509V3_R_INVALID_SECTION 134\n#define X509V3_R_INVALID_SYNTAX 135\n#define X509V3_R_ISSUER_DECODE_ERROR 136\n#define X509V3_R_MISSING_VALUE 137\n#define X509V3_R_NEED_ORGANIZATION_AND_NUMBERS 138\n#define X509V3_R_NO_CONFIG_DATABASE 139\n#define X509V3_R_NO_ISSUER_CERTIFICATE 140\n#define X509V3_R_NO_ISSUER_DETAILS 141\n#define X509V3_R_NO_POLICY_IDENTIFIER 142\n#define X509V3_R_NO_PROXY_CERT_POLICY_LANGUAGE_DEFINED 143\n#define X509V3_R_NO_PUBLIC_KEY 144\n#define X509V3_R_NO_SUBJECT_DETAILS 145\n#define X509V3_R_ODD_NUMBER_OF_DIGITS 146\n#define X509V3_R_OPERATION_NOT_DEFINED 147\n#define X509V3_R_OTHERNAME_ERROR 148\n#define X509V3_R_POLICY_LANGUAGE_ALREADY_DEFINED 149\n#define X509V3_R_POLICY_PATH_LENGTH 150\n#define X509V3_R_POLICY_PATH_LENGTH_ALREADY_DEFINED 151\n#define X509V3_R_POLICY_WHEN_PROXY_LANGUAGE_REQUIRES_NO_POLICY 152\n#define X509V3_R_SECTION_NOT_FOUND 153\n#define X509V3_R_UNABLE_TO_GET_ISSUER_DETAILS 154\n#define X509V3_R_UNABLE_TO_GET_ISSUER_KEYID 155\n#define X509V3_R_UNKNOWN_BIT_STRING_ARGUMENT 156\n#define X509V3_R_UNKNOWN_EXTENSION 157\n#define X509V3_R_UNKNOWN_EXTENSION_NAME 158\n#define X509V3_R_UNKNOWN_OPTION 159\n#define X509V3_R_UNSUPPORTED_OPTION 160\n#define X509V3_R_UNSUPPORTED_TYPE 161\n#define X509V3_R_USER_TOO_LONG 162\n#define X509V3_R_INVALID_VALUE 163\n#define X509V3_R_TRAILING_DATA_IN_EXTENSION 164\n\n#endif // OPENSSL_HEADER_X509V3_ERRORS_H\n" }, { "path": "Sources/CNIOBoringSSL/include/boringssl_prefix_symbols_nasm.inc", "content": "; Copyright 2018 The BoringSSL Authors\n;\n; Permission to use, copy, modify, and/or distribute this software for any\n; purpose with or without fee is hereby granted, provided that the above\n; copyright notice and this permission notice appear in all copies.\n;\n; THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n; WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n; MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n; SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n; WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n; OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n; CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.\n\n; 32-bit Windows adds underscores to C functions, while 64-bit Windows does not.\n%ifidn __OUTPUT_FORMAT__, win32\n%xdefine _ACCESS_DESCRIPTION_free _ %+ BORINGSSL_PREFIX %+ _ACCESS_DESCRIPTION_free\n%xdefine _ACCESS_DESCRIPTION_new _ %+ BORINGSSL_PREFIX %+ _ACCESS_DESCRIPTION_new\n%xdefine _AES_CMAC _ %+ BORINGSSL_PREFIX %+ _AES_CMAC\n%xdefine _AES_cbc_encrypt _ %+ BORINGSSL_PREFIX %+ _AES_cbc_encrypt\n%xdefine _AES_cfb128_encrypt _ %+ BORINGSSL_PREFIX %+ _AES_cfb128_encrypt\n%xdefine _AES_ctr128_encrypt _ %+ BORINGSSL_PREFIX %+ _AES_ctr128_encrypt\n%xdefine _AES_decrypt _ %+ BORINGSSL_PREFIX %+ _AES_decrypt\n%xdefine _AES_ecb_encrypt _ %+ BORINGSSL_PREFIX %+ _AES_ecb_encrypt\n%xdefine _AES_encrypt _ %+ BORINGSSL_PREFIX %+ _AES_encrypt\n%xdefine _AES_ofb128_encrypt _ %+ BORINGSSL_PREFIX %+ _AES_ofb128_encrypt\n%xdefine _AES_set_decrypt_key _ %+ BORINGSSL_PREFIX %+ _AES_set_decrypt_key\n%xdefine _AES_set_encrypt_key _ %+ BORINGSSL_PREFIX %+ _AES_set_encrypt_key\n%xdefine _AES_unwrap_key _ %+ BORINGSSL_PREFIX %+ _AES_unwrap_key\n%xdefine _AES_unwrap_key_padded _ %+ BORINGSSL_PREFIX %+ _AES_unwrap_key_padded\n%xdefine _AES_wrap_key _ %+ BORINGSSL_PREFIX %+ _AES_wrap_key\n%xdefine _AES_wrap_key_padded _ %+ BORINGSSL_PREFIX %+ _AES_wrap_key_padded\n%xdefine _ASN1_ANY_it _ %+ BORINGSSL_PREFIX %+ _ASN1_ANY_it\n%xdefine _ASN1_BIT_STRING_check _ %+ BORINGSSL_PREFIX %+ _ASN1_BIT_STRING_check\n%xdefine _ASN1_BIT_STRING_free _ %+ BORINGSSL_PREFIX %+ _ASN1_BIT_STRING_free\n%xdefine _ASN1_BIT_STRING_get_bit _ %+ BORINGSSL_PREFIX %+ _ASN1_BIT_STRING_get_bit\n%xdefine _ASN1_BIT_STRING_it _ %+ BORINGSSL_PREFIX %+ _ASN1_BIT_STRING_it\n%xdefine _ASN1_BIT_STRING_new _ %+ BORINGSSL_PREFIX %+ _ASN1_BIT_STRING_new\n%xdefine _ASN1_BIT_STRING_num_bytes _ %+ BORINGSSL_PREFIX %+ _ASN1_BIT_STRING_num_bytes\n%xdefine _ASN1_BIT_STRING_set _ %+ BORINGSSL_PREFIX %+ _ASN1_BIT_STRING_set\n%xdefine _ASN1_BIT_STRING_set_bit _ %+ BORINGSSL_PREFIX %+ _ASN1_BIT_STRING_set_bit\n%xdefine _ASN1_BMPSTRING_free _ %+ BORINGSSL_PREFIX %+ _ASN1_BMPSTRING_free\n%xdefine _ASN1_BMPSTRING_it _ %+ BORINGSSL_PREFIX %+ _ASN1_BMPSTRING_it\n%xdefine _ASN1_BMPSTRING_new _ %+ BORINGSSL_PREFIX %+ _ASN1_BMPSTRING_new\n%xdefine _ASN1_BOOLEAN_it _ %+ BORINGSSL_PREFIX %+ _ASN1_BOOLEAN_it\n%xdefine _ASN1_ENUMERATED_free _ %+ BORINGSSL_PREFIX %+ _ASN1_ENUMERATED_free\n%xdefine _ASN1_ENUMERATED_get _ %+ BORINGSSL_PREFIX %+ _ASN1_ENUMERATED_get\n%xdefine _ASN1_ENUMERATED_get_int64 _ %+ BORINGSSL_PREFIX %+ _ASN1_ENUMERATED_get_int64\n%xdefine _ASN1_ENUMERATED_get_uint64 _ %+ BORINGSSL_PREFIX %+ _ASN1_ENUMERATED_get_uint64\n%xdefine _ASN1_ENUMERATED_it _ %+ BORINGSSL_PREFIX %+ _ASN1_ENUMERATED_it\n%xdefine _ASN1_ENUMERATED_new _ %+ BORINGSSL_PREFIX %+ _ASN1_ENUMERATED_new\n%xdefine _ASN1_ENUMERATED_set _ %+ BORINGSSL_PREFIX %+ _ASN1_ENUMERATED_set\n%xdefine _ASN1_ENUMERATED_set_int64 _ %+ BORINGSSL_PREFIX %+ _ASN1_ENUMERATED_set_int64\n%xdefine _ASN1_ENUMERATED_set_uint64 _ %+ BORINGSSL_PREFIX %+ _ASN1_ENUMERATED_set_uint64\n%xdefine _ASN1_ENUMERATED_to_BN _ %+ BORINGSSL_PREFIX %+ _ASN1_ENUMERATED_to_BN\n%xdefine _ASN1_FBOOLEAN_it _ %+ BORINGSSL_PREFIX %+ _ASN1_FBOOLEAN_it\n%xdefine _ASN1_GENERALIZEDTIME_adj _ %+ BORINGSSL_PREFIX %+ _ASN1_GENERALIZEDTIME_adj\n%xdefine _ASN1_GENERALIZEDTIME_check _ %+ BORINGSSL_PREFIX %+ _ASN1_GENERALIZEDTIME_check\n%xdefine _ASN1_GENERALIZEDTIME_free _ %+ BORINGSSL_PREFIX %+ _ASN1_GENERALIZEDTIME_free\n%xdefine _ASN1_GENERALIZEDTIME_it _ %+ BORINGSSL_PREFIX %+ _ASN1_GENERALIZEDTIME_it\n%xdefine _ASN1_GENERALIZEDTIME_new _ %+ BORINGSSL_PREFIX %+ _ASN1_GENERALIZEDTIME_new\n%xdefine _ASN1_GENERALIZEDTIME_print _ %+ BORINGSSL_PREFIX %+ _ASN1_GENERALIZEDTIME_print\n%xdefine _ASN1_GENERALIZEDTIME_set _ %+ BORINGSSL_PREFIX %+ _ASN1_GENERALIZEDTIME_set\n%xdefine _ASN1_GENERALIZEDTIME_set_string _ %+ BORINGSSL_PREFIX %+ _ASN1_GENERALIZEDTIME_set_string\n%xdefine _ASN1_GENERALSTRING_free _ %+ BORINGSSL_PREFIX %+ _ASN1_GENERALSTRING_free\n%xdefine _ASN1_GENERALSTRING_it _ %+ BORINGSSL_PREFIX %+ _ASN1_GENERALSTRING_it\n%xdefine _ASN1_GENERALSTRING_new _ %+ BORINGSSL_PREFIX %+ _ASN1_GENERALSTRING_new\n%xdefine _ASN1_IA5STRING_free _ %+ BORINGSSL_PREFIX %+ _ASN1_IA5STRING_free\n%xdefine _ASN1_IA5STRING_it _ %+ BORINGSSL_PREFIX %+ _ASN1_IA5STRING_it\n%xdefine _ASN1_IA5STRING_new _ %+ BORINGSSL_PREFIX %+ _ASN1_IA5STRING_new\n%xdefine _ASN1_INTEGER_cmp _ %+ BORINGSSL_PREFIX %+ _ASN1_INTEGER_cmp\n%xdefine _ASN1_INTEGER_dup _ %+ BORINGSSL_PREFIX %+ _ASN1_INTEGER_dup\n%xdefine _ASN1_INTEGER_free _ %+ BORINGSSL_PREFIX %+ _ASN1_INTEGER_free\n%xdefine _ASN1_INTEGER_get _ %+ BORINGSSL_PREFIX %+ _ASN1_INTEGER_get\n%xdefine _ASN1_INTEGER_get_int64 _ %+ BORINGSSL_PREFIX %+ _ASN1_INTEGER_get_int64\n%xdefine _ASN1_INTEGER_get_uint64 _ %+ BORINGSSL_PREFIX %+ _ASN1_INTEGER_get_uint64\n%xdefine _ASN1_INTEGER_it _ %+ BORINGSSL_PREFIX %+ _ASN1_INTEGER_it\n%xdefine _ASN1_INTEGER_new _ %+ BORINGSSL_PREFIX %+ _ASN1_INTEGER_new\n%xdefine _ASN1_INTEGER_set _ %+ BORINGSSL_PREFIX %+ _ASN1_INTEGER_set\n%xdefine _ASN1_INTEGER_set_int64 _ %+ BORINGSSL_PREFIX %+ _ASN1_INTEGER_set_int64\n%xdefine _ASN1_INTEGER_set_uint64 _ %+ BORINGSSL_PREFIX %+ _ASN1_INTEGER_set_uint64\n%xdefine _ASN1_INTEGER_to_BN _ %+ BORINGSSL_PREFIX %+ _ASN1_INTEGER_to_BN\n%xdefine _ASN1_NULL_free _ %+ BORINGSSL_PREFIX %+ _ASN1_NULL_free\n%xdefine _ASN1_NULL_it _ %+ BORINGSSL_PREFIX %+ _ASN1_NULL_it\n%xdefine _ASN1_NULL_new _ %+ BORINGSSL_PREFIX %+ _ASN1_NULL_new\n%xdefine _ASN1_OBJECT_create _ %+ BORINGSSL_PREFIX %+ _ASN1_OBJECT_create\n%xdefine _ASN1_OBJECT_free _ %+ BORINGSSL_PREFIX %+ _ASN1_OBJECT_free\n%xdefine _ASN1_OBJECT_it _ %+ BORINGSSL_PREFIX %+ _ASN1_OBJECT_it\n%xdefine _ASN1_OBJECT_new _ %+ BORINGSSL_PREFIX %+ _ASN1_OBJECT_new\n%xdefine _ASN1_OCTET_STRING_cmp _ %+ BORINGSSL_PREFIX %+ _ASN1_OCTET_STRING_cmp\n%xdefine _ASN1_OCTET_STRING_dup _ %+ BORINGSSL_PREFIX %+ _ASN1_OCTET_STRING_dup\n%xdefine _ASN1_OCTET_STRING_free _ %+ BORINGSSL_PREFIX %+ _ASN1_OCTET_STRING_free\n%xdefine _ASN1_OCTET_STRING_it _ %+ BORINGSSL_PREFIX %+ _ASN1_OCTET_STRING_it\n%xdefine _ASN1_OCTET_STRING_new _ %+ BORINGSSL_PREFIX %+ _ASN1_OCTET_STRING_new\n%xdefine _ASN1_OCTET_STRING_set _ %+ BORINGSSL_PREFIX %+ _ASN1_OCTET_STRING_set\n%xdefine _ASN1_PRINTABLESTRING_free _ %+ BORINGSSL_PREFIX %+ _ASN1_PRINTABLESTRING_free\n%xdefine _ASN1_PRINTABLESTRING_it _ %+ BORINGSSL_PREFIX %+ _ASN1_PRINTABLESTRING_it\n%xdefine _ASN1_PRINTABLESTRING_new _ %+ BORINGSSL_PREFIX %+ _ASN1_PRINTABLESTRING_new\n%xdefine _ASN1_PRINTABLE_free _ %+ BORINGSSL_PREFIX %+ _ASN1_PRINTABLE_free\n%xdefine _ASN1_PRINTABLE_it _ %+ BORINGSSL_PREFIX %+ _ASN1_PRINTABLE_it\n%xdefine _ASN1_PRINTABLE_new _ %+ BORINGSSL_PREFIX %+ _ASN1_PRINTABLE_new\n%xdefine _ASN1_SEQUENCE_it _ %+ BORINGSSL_PREFIX %+ _ASN1_SEQUENCE_it\n%xdefine _ASN1_STRING_TABLE_add _ %+ BORINGSSL_PREFIX %+ _ASN1_STRING_TABLE_add\n%xdefine _ASN1_STRING_TABLE_cleanup _ %+ BORINGSSL_PREFIX %+ _ASN1_STRING_TABLE_cleanup\n%xdefine _ASN1_STRING_cmp _ %+ BORINGSSL_PREFIX %+ _ASN1_STRING_cmp\n%xdefine _ASN1_STRING_copy _ %+ BORINGSSL_PREFIX %+ _ASN1_STRING_copy\n%xdefine _ASN1_STRING_data _ %+ BORINGSSL_PREFIX %+ _ASN1_STRING_data\n%xdefine _ASN1_STRING_dup _ %+ BORINGSSL_PREFIX %+ _ASN1_STRING_dup\n%xdefine _ASN1_STRING_free _ %+ BORINGSSL_PREFIX %+ _ASN1_STRING_free\n%xdefine _ASN1_STRING_get0_data _ %+ BORINGSSL_PREFIX %+ _ASN1_STRING_get0_data\n%xdefine _ASN1_STRING_get_default_mask _ %+ BORINGSSL_PREFIX %+ _ASN1_STRING_get_default_mask\n%xdefine _ASN1_STRING_length _ %+ BORINGSSL_PREFIX %+ _ASN1_STRING_length\n%xdefine _ASN1_STRING_new _ %+ BORINGSSL_PREFIX %+ _ASN1_STRING_new\n%xdefine _ASN1_STRING_print _ %+ BORINGSSL_PREFIX %+ _ASN1_STRING_print\n%xdefine _ASN1_STRING_print_ex _ %+ BORINGSSL_PREFIX %+ _ASN1_STRING_print_ex\n%xdefine _ASN1_STRING_print_ex_fp _ %+ BORINGSSL_PREFIX %+ _ASN1_STRING_print_ex_fp\n%xdefine _ASN1_STRING_set _ %+ BORINGSSL_PREFIX %+ _ASN1_STRING_set\n%xdefine _ASN1_STRING_set0 _ %+ BORINGSSL_PREFIX %+ _ASN1_STRING_set0\n%xdefine _ASN1_STRING_set_by_NID _ %+ BORINGSSL_PREFIX %+ _ASN1_STRING_set_by_NID\n%xdefine _ASN1_STRING_set_default_mask _ %+ BORINGSSL_PREFIX %+ _ASN1_STRING_set_default_mask\n%xdefine _ASN1_STRING_set_default_mask_asc _ %+ BORINGSSL_PREFIX %+ _ASN1_STRING_set_default_mask_asc\n%xdefine _ASN1_STRING_to_UTF8 _ %+ BORINGSSL_PREFIX %+ _ASN1_STRING_to_UTF8\n%xdefine _ASN1_STRING_type _ %+ BORINGSSL_PREFIX %+ _ASN1_STRING_type\n%xdefine _ASN1_STRING_type_new _ %+ BORINGSSL_PREFIX %+ _ASN1_STRING_type_new\n%xdefine _ASN1_T61STRING_free _ %+ BORINGSSL_PREFIX %+ _ASN1_T61STRING_free\n%xdefine _ASN1_T61STRING_it _ %+ BORINGSSL_PREFIX %+ _ASN1_T61STRING_it\n%xdefine _ASN1_T61STRING_new _ %+ BORINGSSL_PREFIX %+ _ASN1_T61STRING_new\n%xdefine _ASN1_TBOOLEAN_it _ %+ BORINGSSL_PREFIX %+ _ASN1_TBOOLEAN_it\n%xdefine _ASN1_TIME_adj _ %+ BORINGSSL_PREFIX %+ _ASN1_TIME_adj\n%xdefine _ASN1_TIME_check _ %+ BORINGSSL_PREFIX %+ _ASN1_TIME_check\n%xdefine _ASN1_TIME_diff _ %+ BORINGSSL_PREFIX %+ _ASN1_TIME_diff\n%xdefine _ASN1_TIME_free _ %+ BORINGSSL_PREFIX %+ _ASN1_TIME_free\n%xdefine _ASN1_TIME_it _ %+ BORINGSSL_PREFIX %+ _ASN1_TIME_it\n%xdefine _ASN1_TIME_new _ %+ BORINGSSL_PREFIX %+ _ASN1_TIME_new\n%xdefine _ASN1_TIME_print _ %+ BORINGSSL_PREFIX %+ _ASN1_TIME_print\n%xdefine _ASN1_TIME_set _ %+ BORINGSSL_PREFIX %+ _ASN1_TIME_set\n%xdefine _ASN1_TIME_set_posix _ %+ BORINGSSL_PREFIX %+ _ASN1_TIME_set_posix\n%xdefine _ASN1_TIME_set_string _ %+ BORINGSSL_PREFIX %+ _ASN1_TIME_set_string\n%xdefine _ASN1_TIME_set_string_X509 _ %+ BORINGSSL_PREFIX %+ _ASN1_TIME_set_string_X509\n%xdefine _ASN1_TIME_to_generalizedtime _ %+ BORINGSSL_PREFIX %+ _ASN1_TIME_to_generalizedtime\n%xdefine _ASN1_TIME_to_posix _ %+ BORINGSSL_PREFIX %+ _ASN1_TIME_to_posix\n%xdefine _ASN1_TIME_to_posix_nonstandard _ %+ BORINGSSL_PREFIX %+ _ASN1_TIME_to_posix_nonstandard\n%xdefine _ASN1_TIME_to_time_t _ %+ BORINGSSL_PREFIX %+ _ASN1_TIME_to_time_t\n%xdefine _ASN1_TYPE_cmp _ %+ BORINGSSL_PREFIX %+ _ASN1_TYPE_cmp\n%xdefine _ASN1_TYPE_free _ %+ BORINGSSL_PREFIX %+ _ASN1_TYPE_free\n%xdefine _ASN1_TYPE_get _ %+ BORINGSSL_PREFIX %+ _ASN1_TYPE_get\n%xdefine _ASN1_TYPE_new _ %+ BORINGSSL_PREFIX %+ _ASN1_TYPE_new\n%xdefine _ASN1_TYPE_set _ %+ BORINGSSL_PREFIX %+ _ASN1_TYPE_set\n%xdefine _ASN1_TYPE_set1 _ %+ BORINGSSL_PREFIX %+ _ASN1_TYPE_set1\n%xdefine _ASN1_UNIVERSALSTRING_free _ %+ BORINGSSL_PREFIX %+ _ASN1_UNIVERSALSTRING_free\n%xdefine _ASN1_UNIVERSALSTRING_it _ %+ BORINGSSL_PREFIX %+ _ASN1_UNIVERSALSTRING_it\n%xdefine _ASN1_UNIVERSALSTRING_new _ %+ BORINGSSL_PREFIX %+ _ASN1_UNIVERSALSTRING_new\n%xdefine _ASN1_UTCTIME_adj _ %+ BORINGSSL_PREFIX %+ _ASN1_UTCTIME_adj\n%xdefine _ASN1_UTCTIME_check _ %+ BORINGSSL_PREFIX %+ _ASN1_UTCTIME_check\n%xdefine _ASN1_UTCTIME_free _ %+ BORINGSSL_PREFIX %+ _ASN1_UTCTIME_free\n%xdefine _ASN1_UTCTIME_it _ %+ BORINGSSL_PREFIX %+ _ASN1_UTCTIME_it\n%xdefine _ASN1_UTCTIME_new _ %+ BORINGSSL_PREFIX %+ _ASN1_UTCTIME_new\n%xdefine _ASN1_UTCTIME_print _ %+ BORINGSSL_PREFIX %+ _ASN1_UTCTIME_print\n%xdefine _ASN1_UTCTIME_set _ %+ BORINGSSL_PREFIX %+ _ASN1_UTCTIME_set\n%xdefine _ASN1_UTCTIME_set_string _ %+ BORINGSSL_PREFIX %+ _ASN1_UTCTIME_set_string\n%xdefine _ASN1_UTF8STRING_free _ %+ BORINGSSL_PREFIX %+ _ASN1_UTF8STRING_free\n%xdefine _ASN1_UTF8STRING_it _ %+ BORINGSSL_PREFIX %+ _ASN1_UTF8STRING_it\n%xdefine _ASN1_UTF8STRING_new _ %+ BORINGSSL_PREFIX %+ _ASN1_UTF8STRING_new\n%xdefine _ASN1_VISIBLESTRING_free _ %+ BORINGSSL_PREFIX %+ _ASN1_VISIBLESTRING_free\n%xdefine _ASN1_VISIBLESTRING_it _ %+ BORINGSSL_PREFIX %+ _ASN1_VISIBLESTRING_it\n%xdefine _ASN1_VISIBLESTRING_new _ %+ BORINGSSL_PREFIX %+ _ASN1_VISIBLESTRING_new\n%xdefine _ASN1_digest _ %+ BORINGSSL_PREFIX %+ _ASN1_digest\n%xdefine _ASN1_generate_v3 _ %+ BORINGSSL_PREFIX %+ _ASN1_generate_v3\n%xdefine _ASN1_get_object _ %+ BORINGSSL_PREFIX %+ _ASN1_get_object\n%xdefine _ASN1_item_d2i _ %+ BORINGSSL_PREFIX %+ _ASN1_item_d2i\n%xdefine _ASN1_item_d2i_bio _ %+ BORINGSSL_PREFIX %+ _ASN1_item_d2i_bio\n%xdefine _ASN1_item_d2i_fp _ %+ BORINGSSL_PREFIX %+ _ASN1_item_d2i_fp\n%xdefine _ASN1_item_digest _ %+ BORINGSSL_PREFIX %+ _ASN1_item_digest\n%xdefine _ASN1_item_dup _ %+ BORINGSSL_PREFIX %+ _ASN1_item_dup\n%xdefine _ASN1_item_ex_d2i _ %+ BORINGSSL_PREFIX %+ _ASN1_item_ex_d2i\n%xdefine _ASN1_item_ex_free _ %+ BORINGSSL_PREFIX %+ _ASN1_item_ex_free\n%xdefine _ASN1_item_ex_i2d _ %+ BORINGSSL_PREFIX %+ _ASN1_item_ex_i2d\n%xdefine _ASN1_item_ex_new _ %+ BORINGSSL_PREFIX %+ _ASN1_item_ex_new\n%xdefine _ASN1_item_free _ %+ BORINGSSL_PREFIX %+ _ASN1_item_free\n%xdefine _ASN1_item_i2d _ %+ BORINGSSL_PREFIX %+ _ASN1_item_i2d\n%xdefine _ASN1_item_i2d_bio _ %+ BORINGSSL_PREFIX %+ _ASN1_item_i2d_bio\n%xdefine _ASN1_item_i2d_fp _ %+ BORINGSSL_PREFIX %+ _ASN1_item_i2d_fp\n%xdefine _ASN1_item_new _ %+ BORINGSSL_PREFIX %+ _ASN1_item_new\n%xdefine _ASN1_item_pack _ %+ BORINGSSL_PREFIX %+ _ASN1_item_pack\n%xdefine _ASN1_item_sign _ %+ BORINGSSL_PREFIX %+ _ASN1_item_sign\n%xdefine _ASN1_item_sign_ctx _ %+ BORINGSSL_PREFIX %+ _ASN1_item_sign_ctx\n%xdefine _ASN1_item_unpack _ %+ BORINGSSL_PREFIX %+ _ASN1_item_unpack\n%xdefine _ASN1_item_verify _ %+ BORINGSSL_PREFIX %+ _ASN1_item_verify\n%xdefine _ASN1_mbstring_copy _ %+ BORINGSSL_PREFIX %+ _ASN1_mbstring_copy\n%xdefine _ASN1_mbstring_ncopy _ %+ BORINGSSL_PREFIX %+ _ASN1_mbstring_ncopy\n%xdefine _ASN1_object_size _ %+ BORINGSSL_PREFIX %+ _ASN1_object_size\n%xdefine _ASN1_primitive_free _ %+ BORINGSSL_PREFIX %+ _ASN1_primitive_free\n%xdefine _ASN1_put_eoc _ %+ BORINGSSL_PREFIX %+ _ASN1_put_eoc\n%xdefine _ASN1_put_object _ %+ BORINGSSL_PREFIX %+ _ASN1_put_object\n%xdefine _ASN1_tag2bit _ %+ BORINGSSL_PREFIX %+ _ASN1_tag2bit\n%xdefine _ASN1_tag2str _ %+ BORINGSSL_PREFIX %+ _ASN1_tag2str\n%xdefine _ASN1_template_free _ %+ BORINGSSL_PREFIX %+ _ASN1_template_free\n%xdefine _AUTHORITY_INFO_ACCESS_free _ %+ BORINGSSL_PREFIX %+ _AUTHORITY_INFO_ACCESS_free\n%xdefine _AUTHORITY_INFO_ACCESS_it _ %+ BORINGSSL_PREFIX %+ _AUTHORITY_INFO_ACCESS_it\n%xdefine _AUTHORITY_INFO_ACCESS_new _ %+ BORINGSSL_PREFIX %+ _AUTHORITY_INFO_ACCESS_new\n%xdefine _AUTHORITY_KEYID_free _ %+ BORINGSSL_PREFIX %+ _AUTHORITY_KEYID_free\n%xdefine _AUTHORITY_KEYID_it _ %+ BORINGSSL_PREFIX %+ _AUTHORITY_KEYID_it\n%xdefine _AUTHORITY_KEYID_new _ %+ BORINGSSL_PREFIX %+ _AUTHORITY_KEYID_new\n%xdefine _BASIC_CONSTRAINTS_free _ %+ BORINGSSL_PREFIX %+ _BASIC_CONSTRAINTS_free\n%xdefine _BASIC_CONSTRAINTS_it _ %+ BORINGSSL_PREFIX %+ _BASIC_CONSTRAINTS_it\n%xdefine _BASIC_CONSTRAINTS_new _ %+ BORINGSSL_PREFIX %+ _BASIC_CONSTRAINTS_new\n%xdefine _BCM_fips_186_2_prf _ %+ BORINGSSL_PREFIX %+ _BCM_fips_186_2_prf\n%xdefine _BCM_mldsa65_generate_key _ %+ BORINGSSL_PREFIX %+ _BCM_mldsa65_generate_key\n%xdefine _BCM_mldsa65_generate_key_external_entropy _ %+ BORINGSSL_PREFIX %+ _BCM_mldsa65_generate_key_external_entropy\n%xdefine _BCM_mldsa65_marshal_private_key _ %+ BORINGSSL_PREFIX %+ _BCM_mldsa65_marshal_private_key\n%xdefine _BCM_mldsa65_marshal_public_key _ %+ BORINGSSL_PREFIX %+ _BCM_mldsa65_marshal_public_key\n%xdefine _BCM_mldsa65_parse_private_key _ %+ BORINGSSL_PREFIX %+ _BCM_mldsa65_parse_private_key\n%xdefine _BCM_mldsa65_parse_public_key _ %+ BORINGSSL_PREFIX %+ _BCM_mldsa65_parse_public_key\n%xdefine _BCM_mldsa65_private_key_from_seed _ %+ BORINGSSL_PREFIX %+ _BCM_mldsa65_private_key_from_seed\n%xdefine _BCM_mldsa65_public_from_private _ %+ BORINGSSL_PREFIX %+ _BCM_mldsa65_public_from_private\n%xdefine _BCM_mldsa65_sign _ %+ BORINGSSL_PREFIX %+ _BCM_mldsa65_sign\n%xdefine _BCM_mldsa65_sign_internal _ %+ BORINGSSL_PREFIX %+ _BCM_mldsa65_sign_internal\n%xdefine _BCM_mldsa65_verify _ %+ BORINGSSL_PREFIX %+ _BCM_mldsa65_verify\n%xdefine _BCM_mldsa65_verify_internal _ %+ BORINGSSL_PREFIX %+ _BCM_mldsa65_verify_internal\n%xdefine _BCM_mldsa87_generate_key _ %+ BORINGSSL_PREFIX %+ _BCM_mldsa87_generate_key\n%xdefine _BCM_mldsa87_generate_key_external_entropy _ %+ BORINGSSL_PREFIX %+ _BCM_mldsa87_generate_key_external_entropy\n%xdefine _BCM_mldsa87_marshal_private_key _ %+ BORINGSSL_PREFIX %+ _BCM_mldsa87_marshal_private_key\n%xdefine _BCM_mldsa87_marshal_public_key _ %+ BORINGSSL_PREFIX %+ _BCM_mldsa87_marshal_public_key\n%xdefine _BCM_mldsa87_parse_private_key _ %+ BORINGSSL_PREFIX %+ _BCM_mldsa87_parse_private_key\n%xdefine _BCM_mldsa87_parse_public_key _ %+ BORINGSSL_PREFIX %+ _BCM_mldsa87_parse_public_key\n%xdefine _BCM_mldsa87_private_key_from_seed _ %+ BORINGSSL_PREFIX %+ _BCM_mldsa87_private_key_from_seed\n%xdefine _BCM_mldsa87_public_from_private _ %+ BORINGSSL_PREFIX %+ _BCM_mldsa87_public_from_private\n%xdefine _BCM_mldsa87_sign _ %+ BORINGSSL_PREFIX %+ _BCM_mldsa87_sign\n%xdefine _BCM_mldsa87_sign_internal _ %+ BORINGSSL_PREFIX %+ _BCM_mldsa87_sign_internal\n%xdefine _BCM_mldsa87_verify _ %+ BORINGSSL_PREFIX %+ _BCM_mldsa87_verify\n%xdefine _BCM_mldsa87_verify_internal _ %+ BORINGSSL_PREFIX %+ _BCM_mldsa87_verify_internal\n%xdefine _BCM_mlkem1024_decap _ %+ BORINGSSL_PREFIX %+ _BCM_mlkem1024_decap\n%xdefine _BCM_mlkem1024_encap _ %+ BORINGSSL_PREFIX %+ _BCM_mlkem1024_encap\n%xdefine _BCM_mlkem1024_encap_external_entropy _ %+ BORINGSSL_PREFIX %+ _BCM_mlkem1024_encap_external_entropy\n%xdefine _BCM_mlkem1024_generate_key _ %+ BORINGSSL_PREFIX %+ _BCM_mlkem1024_generate_key\n%xdefine _BCM_mlkem1024_generate_key_external_seed _ %+ BORINGSSL_PREFIX %+ _BCM_mlkem1024_generate_key_external_seed\n%xdefine _BCM_mlkem1024_marshal_private_key _ %+ BORINGSSL_PREFIX %+ _BCM_mlkem1024_marshal_private_key\n%xdefine _BCM_mlkem1024_marshal_public_key _ %+ BORINGSSL_PREFIX %+ _BCM_mlkem1024_marshal_public_key\n%xdefine _BCM_mlkem1024_parse_private_key _ %+ BORINGSSL_PREFIX %+ _BCM_mlkem1024_parse_private_key\n%xdefine _BCM_mlkem1024_parse_public_key _ %+ BORINGSSL_PREFIX %+ _BCM_mlkem1024_parse_public_key\n%xdefine _BCM_mlkem1024_private_key_from_seed _ %+ BORINGSSL_PREFIX %+ _BCM_mlkem1024_private_key_from_seed\n%xdefine _BCM_mlkem1024_public_from_private _ %+ BORINGSSL_PREFIX %+ _BCM_mlkem1024_public_from_private\n%xdefine _BCM_mlkem768_decap _ %+ BORINGSSL_PREFIX %+ _BCM_mlkem768_decap\n%xdefine _BCM_mlkem768_encap _ %+ BORINGSSL_PREFIX %+ _BCM_mlkem768_encap\n%xdefine _BCM_mlkem768_encap_external_entropy _ %+ BORINGSSL_PREFIX %+ _BCM_mlkem768_encap_external_entropy\n%xdefine _BCM_mlkem768_generate_key _ %+ BORINGSSL_PREFIX %+ _BCM_mlkem768_generate_key\n%xdefine _BCM_mlkem768_generate_key_external_seed _ %+ BORINGSSL_PREFIX %+ _BCM_mlkem768_generate_key_external_seed\n%xdefine _BCM_mlkem768_marshal_private_key _ %+ BORINGSSL_PREFIX %+ _BCM_mlkem768_marshal_private_key\n%xdefine _BCM_mlkem768_marshal_public_key _ %+ BORINGSSL_PREFIX %+ _BCM_mlkem768_marshal_public_key\n%xdefine _BCM_mlkem768_parse_private_key _ %+ BORINGSSL_PREFIX %+ _BCM_mlkem768_parse_private_key\n%xdefine _BCM_mlkem768_parse_public_key _ %+ BORINGSSL_PREFIX %+ _BCM_mlkem768_parse_public_key\n%xdefine _BCM_mlkem768_private_key_from_seed _ %+ BORINGSSL_PREFIX %+ _BCM_mlkem768_private_key_from_seed\n%xdefine _BCM_mlkem768_public_from_private _ %+ BORINGSSL_PREFIX %+ _BCM_mlkem768_public_from_private\n%xdefine _BCM_rand_bytes _ %+ BORINGSSL_PREFIX %+ _BCM_rand_bytes\n%xdefine _BCM_rand_bytes_hwrng _ %+ BORINGSSL_PREFIX %+ _BCM_rand_bytes_hwrng\n%xdefine _BCM_rand_bytes_with_additional_data _ %+ BORINGSSL_PREFIX %+ _BCM_rand_bytes_with_additional_data\n%xdefine _BCM_sha1_final _ %+ BORINGSSL_PREFIX %+ _BCM_sha1_final\n%xdefine _BCM_sha1_init _ %+ BORINGSSL_PREFIX %+ _BCM_sha1_init\n%xdefine _BCM_sha1_transform _ %+ BORINGSSL_PREFIX %+ _BCM_sha1_transform\n%xdefine _BCM_sha1_update _ %+ BORINGSSL_PREFIX %+ _BCM_sha1_update\n%xdefine _BCM_sha224_final _ %+ BORINGSSL_PREFIX %+ _BCM_sha224_final\n%xdefine _BCM_sha224_init _ %+ BORINGSSL_PREFIX %+ _BCM_sha224_init\n%xdefine _BCM_sha224_update _ %+ BORINGSSL_PREFIX %+ _BCM_sha224_update\n%xdefine _BCM_sha256_final _ %+ BORINGSSL_PREFIX %+ _BCM_sha256_final\n%xdefine _BCM_sha256_init _ %+ BORINGSSL_PREFIX %+ _BCM_sha256_init\n%xdefine _BCM_sha256_transform _ %+ BORINGSSL_PREFIX %+ _BCM_sha256_transform\n%xdefine _BCM_sha256_transform_blocks _ %+ BORINGSSL_PREFIX %+ _BCM_sha256_transform_blocks\n%xdefine _BCM_sha256_update _ %+ BORINGSSL_PREFIX %+ _BCM_sha256_update\n%xdefine _BCM_sha384_final _ %+ BORINGSSL_PREFIX %+ _BCM_sha384_final\n%xdefine _BCM_sha384_init _ %+ BORINGSSL_PREFIX %+ _BCM_sha384_init\n%xdefine _BCM_sha384_update _ %+ BORINGSSL_PREFIX %+ _BCM_sha384_update\n%xdefine _BCM_sha512_256_final _ %+ BORINGSSL_PREFIX %+ _BCM_sha512_256_final\n%xdefine _BCM_sha512_256_init _ %+ BORINGSSL_PREFIX %+ _BCM_sha512_256_init\n%xdefine _BCM_sha512_256_update _ %+ BORINGSSL_PREFIX %+ _BCM_sha512_256_update\n%xdefine _BCM_sha512_final _ %+ BORINGSSL_PREFIX %+ _BCM_sha512_final\n%xdefine _BCM_sha512_init _ %+ BORINGSSL_PREFIX %+ _BCM_sha512_init\n%xdefine _BCM_sha512_transform _ %+ BORINGSSL_PREFIX %+ _BCM_sha512_transform\n%xdefine _BCM_sha512_update _ %+ BORINGSSL_PREFIX %+ _BCM_sha512_update\n%xdefine _BCM_slhdsa_sha2_128s_generate_key _ %+ BORINGSSL_PREFIX %+ _BCM_slhdsa_sha2_128s_generate_key\n%xdefine _BCM_slhdsa_sha2_128s_generate_key_from_seed _ %+ BORINGSSL_PREFIX %+ _BCM_slhdsa_sha2_128s_generate_key_from_seed\n%xdefine _BCM_slhdsa_sha2_128s_prehash_sign _ %+ BORINGSSL_PREFIX %+ _BCM_slhdsa_sha2_128s_prehash_sign\n%xdefine _BCM_slhdsa_sha2_128s_prehash_verify _ %+ BORINGSSL_PREFIX %+ _BCM_slhdsa_sha2_128s_prehash_verify\n%xdefine _BCM_slhdsa_sha2_128s_public_from_private _ %+ BORINGSSL_PREFIX %+ _BCM_slhdsa_sha2_128s_public_from_private\n%xdefine _BCM_slhdsa_sha2_128s_sign _ %+ BORINGSSL_PREFIX %+ _BCM_slhdsa_sha2_128s_sign\n%xdefine _BCM_slhdsa_sha2_128s_sign_internal _ %+ BORINGSSL_PREFIX %+ _BCM_slhdsa_sha2_128s_sign_internal\n%xdefine _BCM_slhdsa_sha2_128s_verify _ %+ BORINGSSL_PREFIX %+ _BCM_slhdsa_sha2_128s_verify\n%xdefine _BCM_slhdsa_sha2_128s_verify_internal _ %+ BORINGSSL_PREFIX %+ _BCM_slhdsa_sha2_128s_verify_internal\n%xdefine _BIO_append_filename _ %+ BORINGSSL_PREFIX %+ _BIO_append_filename\n%xdefine _BIO_callback_ctrl _ %+ BORINGSSL_PREFIX %+ _BIO_callback_ctrl\n%xdefine _BIO_clear_flags _ %+ BORINGSSL_PREFIX %+ _BIO_clear_flags\n%xdefine _BIO_clear_retry_flags _ %+ BORINGSSL_PREFIX %+ _BIO_clear_retry_flags\n%xdefine _BIO_copy_next_retry _ %+ BORINGSSL_PREFIX %+ _BIO_copy_next_retry\n%xdefine _BIO_ctrl _ %+ BORINGSSL_PREFIX %+ _BIO_ctrl\n%xdefine _BIO_ctrl_get_read_request _ %+ BORINGSSL_PREFIX %+ _BIO_ctrl_get_read_request\n%xdefine _BIO_ctrl_get_write_guarantee _ %+ BORINGSSL_PREFIX %+ _BIO_ctrl_get_write_guarantee\n%xdefine _BIO_ctrl_pending _ %+ BORINGSSL_PREFIX %+ _BIO_ctrl_pending\n%xdefine _BIO_do_connect _ %+ BORINGSSL_PREFIX %+ _BIO_do_connect\n%xdefine _BIO_eof _ %+ BORINGSSL_PREFIX %+ _BIO_eof\n%xdefine _BIO_f_ssl _ %+ BORINGSSL_PREFIX %+ _BIO_f_ssl\n%xdefine _BIO_find_type _ %+ BORINGSSL_PREFIX %+ _BIO_find_type\n%xdefine _BIO_flush _ %+ BORINGSSL_PREFIX %+ _BIO_flush\n%xdefine _BIO_free _ %+ BORINGSSL_PREFIX %+ _BIO_free\n%xdefine _BIO_free_all _ %+ BORINGSSL_PREFIX %+ _BIO_free_all\n%xdefine _BIO_get_data _ %+ BORINGSSL_PREFIX %+ _BIO_get_data\n%xdefine _BIO_get_ex_data _ %+ BORINGSSL_PREFIX %+ _BIO_get_ex_data\n%xdefine _BIO_get_ex_new_index _ %+ BORINGSSL_PREFIX %+ _BIO_get_ex_new_index\n%xdefine _BIO_get_fd _ %+ BORINGSSL_PREFIX %+ _BIO_get_fd\n%xdefine _BIO_get_fp _ %+ BORINGSSL_PREFIX %+ _BIO_get_fp\n%xdefine _BIO_get_init _ %+ BORINGSSL_PREFIX %+ _BIO_get_init\n%xdefine _BIO_get_mem_data _ %+ BORINGSSL_PREFIX %+ _BIO_get_mem_data\n%xdefine _BIO_get_mem_ptr _ %+ BORINGSSL_PREFIX %+ _BIO_get_mem_ptr\n%xdefine _BIO_get_new_index _ %+ BORINGSSL_PREFIX %+ _BIO_get_new_index\n%xdefine _BIO_get_retry_flags _ %+ BORINGSSL_PREFIX %+ _BIO_get_retry_flags\n%xdefine _BIO_get_retry_reason _ %+ BORINGSSL_PREFIX %+ _BIO_get_retry_reason\n%xdefine _BIO_get_shutdown _ %+ BORINGSSL_PREFIX %+ _BIO_get_shutdown\n%xdefine _BIO_gets _ %+ BORINGSSL_PREFIX %+ _BIO_gets\n%xdefine _BIO_hexdump _ %+ BORINGSSL_PREFIX %+ _BIO_hexdump\n%xdefine _BIO_indent _ %+ BORINGSSL_PREFIX %+ _BIO_indent\n%xdefine _BIO_int_ctrl _ %+ BORINGSSL_PREFIX %+ _BIO_int_ctrl\n%xdefine _BIO_mem_contents _ %+ BORINGSSL_PREFIX %+ _BIO_mem_contents\n%xdefine _BIO_meth_free _ %+ BORINGSSL_PREFIX %+ _BIO_meth_free\n%xdefine _BIO_meth_new _ %+ BORINGSSL_PREFIX %+ _BIO_meth_new\n%xdefine _BIO_meth_set_create _ %+ BORINGSSL_PREFIX %+ _BIO_meth_set_create\n%xdefine _BIO_meth_set_ctrl _ %+ BORINGSSL_PREFIX %+ _BIO_meth_set_ctrl\n%xdefine _BIO_meth_set_destroy _ %+ BORINGSSL_PREFIX %+ _BIO_meth_set_destroy\n%xdefine _BIO_meth_set_gets _ %+ BORINGSSL_PREFIX %+ _BIO_meth_set_gets\n%xdefine _BIO_meth_set_puts _ %+ BORINGSSL_PREFIX %+ _BIO_meth_set_puts\n%xdefine _BIO_meth_set_read _ %+ BORINGSSL_PREFIX %+ _BIO_meth_set_read\n%xdefine _BIO_meth_set_write _ %+ BORINGSSL_PREFIX %+ _BIO_meth_set_write\n%xdefine _BIO_method_type _ %+ BORINGSSL_PREFIX %+ _BIO_method_type\n%xdefine _BIO_new _ %+ BORINGSSL_PREFIX %+ _BIO_new\n%xdefine _BIO_new_bio_pair _ %+ BORINGSSL_PREFIX %+ _BIO_new_bio_pair\n%xdefine _BIO_new_connect _ %+ BORINGSSL_PREFIX %+ _BIO_new_connect\n%xdefine _BIO_new_fd _ %+ BORINGSSL_PREFIX %+ _BIO_new_fd\n%xdefine _BIO_new_file _ %+ BORINGSSL_PREFIX %+ _BIO_new_file\n%xdefine _BIO_new_fp _ %+ BORINGSSL_PREFIX %+ _BIO_new_fp\n%xdefine _BIO_new_mem_buf _ %+ BORINGSSL_PREFIX %+ _BIO_new_mem_buf\n%xdefine _BIO_new_socket _ %+ BORINGSSL_PREFIX %+ _BIO_new_socket\n%xdefine _BIO_next _ %+ BORINGSSL_PREFIX %+ _BIO_next\n%xdefine _BIO_number_read _ %+ BORINGSSL_PREFIX %+ _BIO_number_read\n%xdefine _BIO_number_written _ %+ BORINGSSL_PREFIX %+ _BIO_number_written\n%xdefine _BIO_pending _ %+ BORINGSSL_PREFIX %+ _BIO_pending\n%xdefine _BIO_pop _ %+ BORINGSSL_PREFIX %+ _BIO_pop\n%xdefine _BIO_printf _ %+ BORINGSSL_PREFIX %+ _BIO_printf\n%xdefine _BIO_ptr_ctrl _ %+ BORINGSSL_PREFIX %+ _BIO_ptr_ctrl\n%xdefine _BIO_push _ %+ BORINGSSL_PREFIX %+ _BIO_push\n%xdefine _BIO_puts _ %+ BORINGSSL_PREFIX %+ _BIO_puts\n%xdefine _BIO_read _ %+ BORINGSSL_PREFIX %+ _BIO_read\n%xdefine _BIO_read_asn1 _ %+ BORINGSSL_PREFIX %+ _BIO_read_asn1\n%xdefine _BIO_read_filename _ %+ BORINGSSL_PREFIX %+ _BIO_read_filename\n%xdefine _BIO_reset _ %+ BORINGSSL_PREFIX %+ _BIO_reset\n%xdefine _BIO_rw_filename _ %+ BORINGSSL_PREFIX %+ _BIO_rw_filename\n%xdefine _BIO_s_connect _ %+ BORINGSSL_PREFIX %+ _BIO_s_connect\n%xdefine _BIO_s_fd _ %+ BORINGSSL_PREFIX %+ _BIO_s_fd\n%xdefine _BIO_s_file _ %+ BORINGSSL_PREFIX %+ _BIO_s_file\n%xdefine _BIO_s_mem _ %+ BORINGSSL_PREFIX %+ _BIO_s_mem\n%xdefine _BIO_s_socket _ %+ BORINGSSL_PREFIX %+ _BIO_s_socket\n%xdefine _BIO_seek _ %+ BORINGSSL_PREFIX %+ _BIO_seek\n%xdefine _BIO_set_close _ %+ BORINGSSL_PREFIX %+ _BIO_set_close\n%xdefine _BIO_set_conn_hostname _ %+ BORINGSSL_PREFIX %+ _BIO_set_conn_hostname\n%xdefine _BIO_set_conn_int_port _ %+ BORINGSSL_PREFIX %+ _BIO_set_conn_int_port\n%xdefine _BIO_set_conn_port _ %+ BORINGSSL_PREFIX %+ _BIO_set_conn_port\n%xdefine _BIO_set_data _ %+ BORINGSSL_PREFIX %+ _BIO_set_data\n%xdefine _BIO_set_ex_data _ %+ BORINGSSL_PREFIX %+ _BIO_set_ex_data\n%xdefine _BIO_set_fd _ %+ BORINGSSL_PREFIX %+ _BIO_set_fd\n%xdefine _BIO_set_flags _ %+ BORINGSSL_PREFIX %+ _BIO_set_flags\n%xdefine _BIO_set_fp _ %+ BORINGSSL_PREFIX %+ _BIO_set_fp\n%xdefine _BIO_set_init _ %+ BORINGSSL_PREFIX %+ _BIO_set_init\n%xdefine _BIO_set_mem_buf _ %+ BORINGSSL_PREFIX %+ _BIO_set_mem_buf\n%xdefine _BIO_set_mem_eof_return _ %+ BORINGSSL_PREFIX %+ _BIO_set_mem_eof_return\n%xdefine _BIO_set_nbio _ %+ BORINGSSL_PREFIX %+ _BIO_set_nbio\n%xdefine _BIO_set_retry_read _ %+ BORINGSSL_PREFIX %+ _BIO_set_retry_read\n%xdefine _BIO_set_retry_reason _ %+ BORINGSSL_PREFIX %+ _BIO_set_retry_reason\n%xdefine _BIO_set_retry_special _ %+ BORINGSSL_PREFIX %+ _BIO_set_retry_special\n%xdefine _BIO_set_retry_write _ %+ BORINGSSL_PREFIX %+ _BIO_set_retry_write\n%xdefine _BIO_set_shutdown _ %+ BORINGSSL_PREFIX %+ _BIO_set_shutdown\n%xdefine _BIO_set_ssl _ %+ BORINGSSL_PREFIX %+ _BIO_set_ssl\n%xdefine _BIO_set_write_buffer_size _ %+ BORINGSSL_PREFIX %+ _BIO_set_write_buffer_size\n%xdefine _BIO_should_io_special _ %+ BORINGSSL_PREFIX %+ _BIO_should_io_special\n%xdefine _BIO_should_read _ %+ BORINGSSL_PREFIX %+ _BIO_should_read\n%xdefine _BIO_should_retry _ %+ BORINGSSL_PREFIX %+ _BIO_should_retry\n%xdefine _BIO_should_write _ %+ BORINGSSL_PREFIX %+ _BIO_should_write\n%xdefine _BIO_shutdown_wr _ %+ BORINGSSL_PREFIX %+ _BIO_shutdown_wr\n%xdefine _BIO_snprintf _ %+ BORINGSSL_PREFIX %+ _BIO_snprintf\n%xdefine _BIO_tell _ %+ BORINGSSL_PREFIX %+ _BIO_tell\n%xdefine _BIO_test_flags _ %+ BORINGSSL_PREFIX %+ _BIO_test_flags\n%xdefine _BIO_up_ref _ %+ BORINGSSL_PREFIX %+ _BIO_up_ref\n%xdefine _BIO_vfree _ %+ BORINGSSL_PREFIX %+ _BIO_vfree\n%xdefine _BIO_vsnprintf _ %+ BORINGSSL_PREFIX %+ _BIO_vsnprintf\n%xdefine _BIO_wpending _ %+ BORINGSSL_PREFIX %+ _BIO_wpending\n%xdefine _BIO_write _ %+ BORINGSSL_PREFIX %+ _BIO_write\n%xdefine _BIO_write_all _ %+ BORINGSSL_PREFIX %+ _BIO_write_all\n%xdefine _BIO_write_filename _ %+ BORINGSSL_PREFIX %+ _BIO_write_filename\n%xdefine _BLAKE2B256 _ %+ BORINGSSL_PREFIX %+ _BLAKE2B256\n%xdefine _BLAKE2B256_Final _ %+ BORINGSSL_PREFIX %+ _BLAKE2B256_Final\n%xdefine _BLAKE2B256_Init _ %+ BORINGSSL_PREFIX %+ _BLAKE2B256_Init\n%xdefine _BLAKE2B256_Update _ %+ BORINGSSL_PREFIX %+ _BLAKE2B256_Update\n%xdefine _BN_BLINDING_convert _ %+ BORINGSSL_PREFIX %+ _BN_BLINDING_convert\n%xdefine _BN_BLINDING_free _ %+ BORINGSSL_PREFIX %+ _BN_BLINDING_free\n%xdefine _BN_BLINDING_invalidate _ %+ BORINGSSL_PREFIX %+ _BN_BLINDING_invalidate\n%xdefine _BN_BLINDING_invert _ %+ BORINGSSL_PREFIX %+ _BN_BLINDING_invert\n%xdefine _BN_BLINDING_new _ %+ BORINGSSL_PREFIX %+ _BN_BLINDING_new\n%xdefine _BN_CTX_end _ %+ BORINGSSL_PREFIX %+ _BN_CTX_end\n%xdefine _BN_CTX_free _ %+ BORINGSSL_PREFIX %+ _BN_CTX_free\n%xdefine _BN_CTX_get _ %+ BORINGSSL_PREFIX %+ _BN_CTX_get\n%xdefine _BN_CTX_new _ %+ BORINGSSL_PREFIX %+ _BN_CTX_new\n%xdefine _BN_CTX_start _ %+ BORINGSSL_PREFIX %+ _BN_CTX_start\n%xdefine _BN_GENCB_call _ %+ BORINGSSL_PREFIX %+ _BN_GENCB_call\n%xdefine _BN_GENCB_free _ %+ BORINGSSL_PREFIX %+ _BN_GENCB_free\n%xdefine _BN_GENCB_get_arg _ %+ BORINGSSL_PREFIX %+ _BN_GENCB_get_arg\n%xdefine _BN_GENCB_new _ %+ BORINGSSL_PREFIX %+ _BN_GENCB_new\n%xdefine _BN_GENCB_set _ %+ BORINGSSL_PREFIX %+ _BN_GENCB_set\n%xdefine _BN_MONT_CTX_copy _ %+ BORINGSSL_PREFIX %+ _BN_MONT_CTX_copy\n%xdefine _BN_MONT_CTX_free _ %+ BORINGSSL_PREFIX %+ _BN_MONT_CTX_free\n%xdefine _BN_MONT_CTX_new _ %+ BORINGSSL_PREFIX %+ _BN_MONT_CTX_new\n%xdefine _BN_MONT_CTX_new_consttime _ %+ BORINGSSL_PREFIX %+ _BN_MONT_CTX_new_consttime\n%xdefine _BN_MONT_CTX_new_for_modulus _ %+ BORINGSSL_PREFIX %+ _BN_MONT_CTX_new_for_modulus\n%xdefine _BN_MONT_CTX_set _ %+ BORINGSSL_PREFIX %+ _BN_MONT_CTX_set\n%xdefine _BN_MONT_CTX_set_locked _ %+ BORINGSSL_PREFIX %+ _BN_MONT_CTX_set_locked\n%xdefine _BN_abs_is_word _ %+ BORINGSSL_PREFIX %+ _BN_abs_is_word\n%xdefine _BN_add _ %+ BORINGSSL_PREFIX %+ _BN_add\n%xdefine _BN_add_word _ %+ BORINGSSL_PREFIX %+ _BN_add_word\n%xdefine _BN_asc2bn _ %+ BORINGSSL_PREFIX %+ _BN_asc2bn\n%xdefine _BN_bin2bn _ %+ BORINGSSL_PREFIX %+ _BN_bin2bn\n%xdefine _BN_bn2bin _ %+ BORINGSSL_PREFIX %+ _BN_bn2bin\n%xdefine _BN_bn2bin_padded _ %+ BORINGSSL_PREFIX %+ _BN_bn2bin_padded\n%xdefine _BN_bn2binpad _ %+ BORINGSSL_PREFIX %+ _BN_bn2binpad\n%xdefine _BN_bn2cbb_padded _ %+ BORINGSSL_PREFIX %+ _BN_bn2cbb_padded\n%xdefine _BN_bn2dec _ %+ BORINGSSL_PREFIX %+ _BN_bn2dec\n%xdefine _BN_bn2hex _ %+ BORINGSSL_PREFIX %+ _BN_bn2hex\n%xdefine _BN_bn2le_padded _ %+ BORINGSSL_PREFIX %+ _BN_bn2le_padded\n%xdefine _BN_bn2lebinpad _ %+ BORINGSSL_PREFIX %+ _BN_bn2lebinpad\n%xdefine _BN_bn2mpi _ %+ BORINGSSL_PREFIX %+ _BN_bn2mpi\n%xdefine _BN_clear _ %+ BORINGSSL_PREFIX %+ _BN_clear\n%xdefine _BN_clear_bit _ %+ BORINGSSL_PREFIX %+ _BN_clear_bit\n%xdefine _BN_clear_free _ %+ BORINGSSL_PREFIX %+ _BN_clear_free\n%xdefine _BN_cmp _ %+ BORINGSSL_PREFIX %+ _BN_cmp\n%xdefine _BN_cmp_word _ %+ BORINGSSL_PREFIX %+ _BN_cmp_word\n%xdefine _BN_copy _ %+ BORINGSSL_PREFIX %+ _BN_copy\n%xdefine _BN_count_low_zero_bits _ %+ BORINGSSL_PREFIX %+ _BN_count_low_zero_bits\n%xdefine _BN_dec2bn _ %+ BORINGSSL_PREFIX %+ _BN_dec2bn\n%xdefine _BN_div _ %+ BORINGSSL_PREFIX %+ _BN_div\n%xdefine _BN_div_word _ %+ BORINGSSL_PREFIX %+ _BN_div_word\n%xdefine _BN_dup _ %+ BORINGSSL_PREFIX %+ _BN_dup\n%xdefine _BN_enhanced_miller_rabin_primality_test _ %+ BORINGSSL_PREFIX %+ _BN_enhanced_miller_rabin_primality_test\n%xdefine _BN_equal_consttime _ %+ BORINGSSL_PREFIX %+ _BN_equal_consttime\n%xdefine _BN_exp _ %+ BORINGSSL_PREFIX %+ _BN_exp\n%xdefine _BN_free _ %+ BORINGSSL_PREFIX %+ _BN_free\n%xdefine _BN_from_montgomery _ %+ BORINGSSL_PREFIX %+ _BN_from_montgomery\n%xdefine _BN_gcd _ %+ BORINGSSL_PREFIX %+ _BN_gcd\n%xdefine _BN_generate_prime_ex _ %+ BORINGSSL_PREFIX %+ _BN_generate_prime_ex\n%xdefine _BN_get_rfc3526_prime_1536 _ %+ BORINGSSL_PREFIX %+ _BN_get_rfc3526_prime_1536\n%xdefine _BN_get_rfc3526_prime_2048 _ %+ BORINGSSL_PREFIX %+ _BN_get_rfc3526_prime_2048\n%xdefine _BN_get_rfc3526_prime_3072 _ %+ BORINGSSL_PREFIX %+ _BN_get_rfc3526_prime_3072\n%xdefine _BN_get_rfc3526_prime_4096 _ %+ BORINGSSL_PREFIX %+ _BN_get_rfc3526_prime_4096\n%xdefine _BN_get_rfc3526_prime_6144 _ %+ BORINGSSL_PREFIX %+ _BN_get_rfc3526_prime_6144\n%xdefine _BN_get_rfc3526_prime_8192 _ %+ BORINGSSL_PREFIX %+ _BN_get_rfc3526_prime_8192\n%xdefine _BN_get_u64 _ %+ BORINGSSL_PREFIX %+ _BN_get_u64\n%xdefine _BN_get_word _ %+ BORINGSSL_PREFIX %+ _BN_get_word\n%xdefine _BN_hex2bn _ %+ BORINGSSL_PREFIX %+ _BN_hex2bn\n%xdefine _BN_init _ %+ BORINGSSL_PREFIX %+ _BN_init\n%xdefine _BN_is_bit_set _ %+ BORINGSSL_PREFIX %+ _BN_is_bit_set\n%xdefine _BN_is_negative _ %+ BORINGSSL_PREFIX %+ _BN_is_negative\n%xdefine _BN_is_odd _ %+ BORINGSSL_PREFIX %+ _BN_is_odd\n%xdefine _BN_is_one _ %+ BORINGSSL_PREFIX %+ _BN_is_one\n%xdefine _BN_is_pow2 _ %+ BORINGSSL_PREFIX %+ _BN_is_pow2\n%xdefine _BN_is_prime_ex _ %+ BORINGSSL_PREFIX %+ _BN_is_prime_ex\n%xdefine _BN_is_prime_fasttest_ex _ %+ BORINGSSL_PREFIX %+ _BN_is_prime_fasttest_ex\n%xdefine _BN_is_word _ %+ BORINGSSL_PREFIX %+ _BN_is_word\n%xdefine _BN_is_zero _ %+ BORINGSSL_PREFIX %+ _BN_is_zero\n%xdefine _BN_le2bn _ %+ BORINGSSL_PREFIX %+ _BN_le2bn\n%xdefine _BN_lebin2bn _ %+ BORINGSSL_PREFIX %+ _BN_lebin2bn\n%xdefine _BN_lshift _ %+ BORINGSSL_PREFIX %+ _BN_lshift\n%xdefine _BN_lshift1 _ %+ BORINGSSL_PREFIX %+ _BN_lshift1\n%xdefine _BN_marshal_asn1 _ %+ BORINGSSL_PREFIX %+ _BN_marshal_asn1\n%xdefine _BN_mask_bits _ %+ BORINGSSL_PREFIX %+ _BN_mask_bits\n%xdefine _BN_mod_add _ %+ BORINGSSL_PREFIX %+ _BN_mod_add\n%xdefine _BN_mod_add_quick _ %+ BORINGSSL_PREFIX %+ _BN_mod_add_quick\n%xdefine _BN_mod_exp _ %+ BORINGSSL_PREFIX %+ _BN_mod_exp\n%xdefine _BN_mod_exp2_mont _ %+ BORINGSSL_PREFIX %+ _BN_mod_exp2_mont\n%xdefine _BN_mod_exp_mont _ %+ BORINGSSL_PREFIX %+ _BN_mod_exp_mont\n%xdefine _BN_mod_exp_mont_consttime _ %+ BORINGSSL_PREFIX %+ _BN_mod_exp_mont_consttime\n%xdefine _BN_mod_exp_mont_word _ %+ BORINGSSL_PREFIX %+ _BN_mod_exp_mont_word\n%xdefine _BN_mod_inverse _ %+ BORINGSSL_PREFIX %+ _BN_mod_inverse\n%xdefine _BN_mod_inverse_blinded _ %+ BORINGSSL_PREFIX %+ _BN_mod_inverse_blinded\n%xdefine _BN_mod_inverse_odd _ %+ BORINGSSL_PREFIX %+ _BN_mod_inverse_odd\n%xdefine _BN_mod_lshift _ %+ BORINGSSL_PREFIX %+ _BN_mod_lshift\n%xdefine _BN_mod_lshift1 _ %+ BORINGSSL_PREFIX %+ _BN_mod_lshift1\n%xdefine _BN_mod_lshift1_quick _ %+ BORINGSSL_PREFIX %+ _BN_mod_lshift1_quick\n%xdefine _BN_mod_lshift_quick _ %+ BORINGSSL_PREFIX %+ _BN_mod_lshift_quick\n%xdefine _BN_mod_mul _ %+ BORINGSSL_PREFIX %+ _BN_mod_mul\n%xdefine _BN_mod_mul_montgomery _ %+ BORINGSSL_PREFIX %+ _BN_mod_mul_montgomery\n%xdefine _BN_mod_pow2 _ %+ BORINGSSL_PREFIX %+ _BN_mod_pow2\n%xdefine _BN_mod_sqr _ %+ BORINGSSL_PREFIX %+ _BN_mod_sqr\n%xdefine _BN_mod_sqrt _ %+ BORINGSSL_PREFIX %+ _BN_mod_sqrt\n%xdefine _BN_mod_sub _ %+ BORINGSSL_PREFIX %+ _BN_mod_sub\n%xdefine _BN_mod_sub_quick _ %+ BORINGSSL_PREFIX %+ _BN_mod_sub_quick\n%xdefine _BN_mod_word _ %+ BORINGSSL_PREFIX %+ _BN_mod_word\n%xdefine _BN_mpi2bn _ %+ BORINGSSL_PREFIX %+ _BN_mpi2bn\n%xdefine _BN_mul _ %+ BORINGSSL_PREFIX %+ _BN_mul\n%xdefine _BN_mul_word _ %+ BORINGSSL_PREFIX %+ _BN_mul_word\n%xdefine _BN_new _ %+ BORINGSSL_PREFIX %+ _BN_new\n%xdefine _BN_nnmod _ %+ BORINGSSL_PREFIX %+ _BN_nnmod\n%xdefine _BN_nnmod_pow2 _ %+ BORINGSSL_PREFIX %+ _BN_nnmod_pow2\n%xdefine _BN_num_bits _ %+ BORINGSSL_PREFIX %+ _BN_num_bits\n%xdefine _BN_num_bits_word _ %+ BORINGSSL_PREFIX %+ _BN_num_bits_word\n%xdefine _BN_num_bytes _ %+ BORINGSSL_PREFIX %+ _BN_num_bytes\n%xdefine _BN_one _ %+ BORINGSSL_PREFIX %+ _BN_one\n%xdefine _BN_parse_asn1_unsigned _ %+ BORINGSSL_PREFIX %+ _BN_parse_asn1_unsigned\n%xdefine _BN_primality_test _ %+ BORINGSSL_PREFIX %+ _BN_primality_test\n%xdefine _BN_print _ %+ BORINGSSL_PREFIX %+ _BN_print\n%xdefine _BN_print_fp _ %+ BORINGSSL_PREFIX %+ _BN_print_fp\n%xdefine _BN_pseudo_rand _ %+ BORINGSSL_PREFIX %+ _BN_pseudo_rand\n%xdefine _BN_pseudo_rand_range _ %+ BORINGSSL_PREFIX %+ _BN_pseudo_rand_range\n%xdefine _BN_rand _ %+ BORINGSSL_PREFIX %+ _BN_rand\n%xdefine _BN_rand_range _ %+ BORINGSSL_PREFIX %+ _BN_rand_range\n%xdefine _BN_rand_range_ex _ %+ BORINGSSL_PREFIX %+ _BN_rand_range_ex\n%xdefine _BN_rshift _ %+ BORINGSSL_PREFIX %+ _BN_rshift\n%xdefine _BN_rshift1 _ %+ BORINGSSL_PREFIX %+ _BN_rshift1\n%xdefine _BN_secure_new _ %+ BORINGSSL_PREFIX %+ _BN_secure_new\n%xdefine _BN_set_bit _ %+ BORINGSSL_PREFIX %+ _BN_set_bit\n%xdefine _BN_set_negative _ %+ BORINGSSL_PREFIX %+ _BN_set_negative\n%xdefine _BN_set_u64 _ %+ BORINGSSL_PREFIX %+ _BN_set_u64\n%xdefine _BN_set_word _ %+ BORINGSSL_PREFIX %+ _BN_set_word\n%xdefine _BN_sqr _ %+ BORINGSSL_PREFIX %+ _BN_sqr\n%xdefine _BN_sqrt _ %+ BORINGSSL_PREFIX %+ _BN_sqrt\n%xdefine _BN_sub _ %+ BORINGSSL_PREFIX %+ _BN_sub\n%xdefine _BN_sub_word _ %+ BORINGSSL_PREFIX %+ _BN_sub_word\n%xdefine _BN_to_ASN1_ENUMERATED _ %+ BORINGSSL_PREFIX %+ _BN_to_ASN1_ENUMERATED\n%xdefine _BN_to_ASN1_INTEGER _ %+ BORINGSSL_PREFIX %+ _BN_to_ASN1_INTEGER\n%xdefine _BN_to_montgomery _ %+ BORINGSSL_PREFIX %+ _BN_to_montgomery\n%xdefine _BN_uadd _ %+ BORINGSSL_PREFIX %+ _BN_uadd\n%xdefine _BN_ucmp _ %+ BORINGSSL_PREFIX %+ _BN_ucmp\n%xdefine _BN_usub _ %+ BORINGSSL_PREFIX %+ _BN_usub\n%xdefine _BN_value_one _ %+ BORINGSSL_PREFIX %+ _BN_value_one\n%xdefine _BN_zero _ %+ BORINGSSL_PREFIX %+ _BN_zero\n%xdefine _BORINGSSL_keccak _ %+ BORINGSSL_PREFIX %+ _BORINGSSL_keccak\n%xdefine _BORINGSSL_keccak_absorb _ %+ BORINGSSL_PREFIX %+ _BORINGSSL_keccak_absorb\n%xdefine _BORINGSSL_keccak_init _ %+ BORINGSSL_PREFIX %+ _BORINGSSL_keccak_init\n%xdefine _BORINGSSL_keccak_squeeze _ %+ BORINGSSL_PREFIX %+ _BORINGSSL_keccak_squeeze\n%xdefine _BORINGSSL_self_test _ %+ BORINGSSL_PREFIX %+ _BORINGSSL_self_test\n%xdefine _BUF_MEM_append _ %+ BORINGSSL_PREFIX %+ _BUF_MEM_append\n%xdefine _BUF_MEM_free _ %+ BORINGSSL_PREFIX %+ _BUF_MEM_free\n%xdefine _BUF_MEM_grow _ %+ BORINGSSL_PREFIX %+ _BUF_MEM_grow\n%xdefine _BUF_MEM_grow_clean _ %+ BORINGSSL_PREFIX %+ _BUF_MEM_grow_clean\n%xdefine _BUF_MEM_new _ %+ BORINGSSL_PREFIX %+ _BUF_MEM_new\n%xdefine _BUF_MEM_reserve _ %+ BORINGSSL_PREFIX %+ _BUF_MEM_reserve\n%xdefine _BUF_memdup _ %+ BORINGSSL_PREFIX %+ _BUF_memdup\n%xdefine _BUF_strdup _ %+ BORINGSSL_PREFIX %+ _BUF_strdup\n%xdefine _BUF_strlcat _ %+ BORINGSSL_PREFIX %+ _BUF_strlcat\n%xdefine _BUF_strlcpy _ %+ BORINGSSL_PREFIX %+ _BUF_strlcpy\n%xdefine _BUF_strndup _ %+ BORINGSSL_PREFIX %+ _BUF_strndup\n%xdefine _BUF_strnlen _ %+ BORINGSSL_PREFIX %+ _BUF_strnlen\n%xdefine _CBB_add_asn1 _ %+ BORINGSSL_PREFIX %+ _CBB_add_asn1\n%xdefine _CBB_add_asn1_bool _ %+ BORINGSSL_PREFIX %+ _CBB_add_asn1_bool\n%xdefine _CBB_add_asn1_int64 _ %+ BORINGSSL_PREFIX %+ _CBB_add_asn1_int64\n%xdefine _CBB_add_asn1_int64_with_tag _ %+ BORINGSSL_PREFIX %+ _CBB_add_asn1_int64_with_tag\n%xdefine _CBB_add_asn1_octet_string _ %+ BORINGSSL_PREFIX %+ _CBB_add_asn1_octet_string\n%xdefine _CBB_add_asn1_oid_from_text _ %+ BORINGSSL_PREFIX %+ _CBB_add_asn1_oid_from_text\n%xdefine _CBB_add_asn1_uint64 _ %+ BORINGSSL_PREFIX %+ _CBB_add_asn1_uint64\n%xdefine _CBB_add_asn1_uint64_with_tag _ %+ BORINGSSL_PREFIX %+ _CBB_add_asn1_uint64_with_tag\n%xdefine _CBB_add_bytes _ %+ BORINGSSL_PREFIX %+ _CBB_add_bytes\n%xdefine _CBB_add_latin1 _ %+ BORINGSSL_PREFIX %+ _CBB_add_latin1\n%xdefine _CBB_add_space _ %+ BORINGSSL_PREFIX %+ _CBB_add_space\n%xdefine _CBB_add_u16 _ %+ BORINGSSL_PREFIX %+ _CBB_add_u16\n%xdefine _CBB_add_u16_length_prefixed _ %+ BORINGSSL_PREFIX %+ _CBB_add_u16_length_prefixed\n%xdefine _CBB_add_u16le _ %+ BORINGSSL_PREFIX %+ _CBB_add_u16le\n%xdefine _CBB_add_u24 _ %+ BORINGSSL_PREFIX %+ _CBB_add_u24\n%xdefine _CBB_add_u24_length_prefixed _ %+ BORINGSSL_PREFIX %+ _CBB_add_u24_length_prefixed\n%xdefine _CBB_add_u32 _ %+ BORINGSSL_PREFIX %+ _CBB_add_u32\n%xdefine _CBB_add_u32le _ %+ BORINGSSL_PREFIX %+ _CBB_add_u32le\n%xdefine _CBB_add_u64 _ %+ BORINGSSL_PREFIX %+ _CBB_add_u64\n%xdefine _CBB_add_u64le _ %+ BORINGSSL_PREFIX %+ _CBB_add_u64le\n%xdefine _CBB_add_u8 _ %+ BORINGSSL_PREFIX %+ _CBB_add_u8\n%xdefine _CBB_add_u8_length_prefixed _ %+ BORINGSSL_PREFIX %+ _CBB_add_u8_length_prefixed\n%xdefine _CBB_add_ucs2_be _ %+ BORINGSSL_PREFIX %+ _CBB_add_ucs2_be\n%xdefine _CBB_add_utf32_be _ %+ BORINGSSL_PREFIX %+ _CBB_add_utf32_be\n%xdefine _CBB_add_utf8 _ %+ BORINGSSL_PREFIX %+ _CBB_add_utf8\n%xdefine _CBB_add_zeros _ %+ BORINGSSL_PREFIX %+ _CBB_add_zeros\n%xdefine _CBB_cleanup _ %+ BORINGSSL_PREFIX %+ _CBB_cleanup\n%xdefine _CBB_data _ %+ BORINGSSL_PREFIX %+ _CBB_data\n%xdefine _CBB_did_write _ %+ BORINGSSL_PREFIX %+ _CBB_did_write\n%xdefine _CBB_discard_child _ %+ BORINGSSL_PREFIX %+ _CBB_discard_child\n%xdefine _CBB_finish _ %+ BORINGSSL_PREFIX %+ _CBB_finish\n%xdefine _CBB_finish_i2d _ %+ BORINGSSL_PREFIX %+ _CBB_finish_i2d\n%xdefine _CBB_flush _ %+ BORINGSSL_PREFIX %+ _CBB_flush\n%xdefine _CBB_flush_asn1_set_of _ %+ BORINGSSL_PREFIX %+ _CBB_flush_asn1_set_of\n%xdefine _CBB_get_utf8_len _ %+ BORINGSSL_PREFIX %+ _CBB_get_utf8_len\n%xdefine _CBB_init _ %+ BORINGSSL_PREFIX %+ _CBB_init\n%xdefine _CBB_init_fixed _ %+ BORINGSSL_PREFIX %+ _CBB_init_fixed\n%xdefine _CBB_len _ %+ BORINGSSL_PREFIX %+ _CBB_len\n%xdefine _CBB_reserve _ %+ BORINGSSL_PREFIX %+ _CBB_reserve\n%xdefine _CBB_zero _ %+ BORINGSSL_PREFIX %+ _CBB_zero\n%xdefine _CBS_asn1_ber_to_der _ %+ BORINGSSL_PREFIX %+ _CBS_asn1_ber_to_der\n%xdefine _CBS_asn1_bitstring_has_bit _ %+ BORINGSSL_PREFIX %+ _CBS_asn1_bitstring_has_bit\n%xdefine _CBS_asn1_oid_to_text _ %+ BORINGSSL_PREFIX %+ _CBS_asn1_oid_to_text\n%xdefine _CBS_contains_zero_byte _ %+ BORINGSSL_PREFIX %+ _CBS_contains_zero_byte\n%xdefine _CBS_copy_bytes _ %+ BORINGSSL_PREFIX %+ _CBS_copy_bytes\n%xdefine _CBS_data _ %+ BORINGSSL_PREFIX %+ _CBS_data\n%xdefine _CBS_get_any_asn1 _ %+ BORINGSSL_PREFIX %+ _CBS_get_any_asn1\n%xdefine _CBS_get_any_asn1_element _ %+ BORINGSSL_PREFIX %+ _CBS_get_any_asn1_element\n%xdefine _CBS_get_any_ber_asn1_element _ %+ BORINGSSL_PREFIX %+ _CBS_get_any_ber_asn1_element\n%xdefine _CBS_get_asn1 _ %+ BORINGSSL_PREFIX %+ _CBS_get_asn1\n%xdefine _CBS_get_asn1_bool _ %+ BORINGSSL_PREFIX %+ _CBS_get_asn1_bool\n%xdefine _CBS_get_asn1_element _ %+ BORINGSSL_PREFIX %+ _CBS_get_asn1_element\n%xdefine _CBS_get_asn1_implicit_string _ %+ BORINGSSL_PREFIX %+ _CBS_get_asn1_implicit_string\n%xdefine _CBS_get_asn1_int64 _ %+ BORINGSSL_PREFIX %+ _CBS_get_asn1_int64\n%xdefine _CBS_get_asn1_uint64 _ %+ BORINGSSL_PREFIX %+ _CBS_get_asn1_uint64\n%xdefine _CBS_get_bytes _ %+ BORINGSSL_PREFIX %+ _CBS_get_bytes\n%xdefine _CBS_get_last_u8 _ %+ BORINGSSL_PREFIX %+ _CBS_get_last_u8\n%xdefine _CBS_get_latin1 _ %+ BORINGSSL_PREFIX %+ _CBS_get_latin1\n%xdefine _CBS_get_optional_asn1 _ %+ BORINGSSL_PREFIX %+ _CBS_get_optional_asn1\n%xdefine _CBS_get_optional_asn1_bool _ %+ BORINGSSL_PREFIX %+ _CBS_get_optional_asn1_bool\n%xdefine _CBS_get_optional_asn1_octet_string _ %+ BORINGSSL_PREFIX %+ _CBS_get_optional_asn1_octet_string\n%xdefine _CBS_get_optional_asn1_uint64 _ %+ BORINGSSL_PREFIX %+ _CBS_get_optional_asn1_uint64\n%xdefine _CBS_get_u16 _ %+ BORINGSSL_PREFIX %+ _CBS_get_u16\n%xdefine _CBS_get_u16_length_prefixed _ %+ BORINGSSL_PREFIX %+ _CBS_get_u16_length_prefixed\n%xdefine _CBS_get_u16le _ %+ BORINGSSL_PREFIX %+ _CBS_get_u16le\n%xdefine _CBS_get_u24 _ %+ BORINGSSL_PREFIX %+ _CBS_get_u24\n%xdefine _CBS_get_u24_length_prefixed _ %+ BORINGSSL_PREFIX %+ _CBS_get_u24_length_prefixed\n%xdefine _CBS_get_u32 _ %+ BORINGSSL_PREFIX %+ _CBS_get_u32\n%xdefine _CBS_get_u32le _ %+ BORINGSSL_PREFIX %+ _CBS_get_u32le\n%xdefine _CBS_get_u64 _ %+ BORINGSSL_PREFIX %+ _CBS_get_u64\n%xdefine _CBS_get_u64_decimal _ %+ BORINGSSL_PREFIX %+ _CBS_get_u64_decimal\n%xdefine _CBS_get_u64le _ %+ BORINGSSL_PREFIX %+ _CBS_get_u64le\n%xdefine _CBS_get_u8 _ %+ BORINGSSL_PREFIX %+ _CBS_get_u8\n%xdefine _CBS_get_u8_length_prefixed _ %+ BORINGSSL_PREFIX %+ _CBS_get_u8_length_prefixed\n%xdefine _CBS_get_ucs2_be _ %+ BORINGSSL_PREFIX %+ _CBS_get_ucs2_be\n%xdefine _CBS_get_until_first _ %+ BORINGSSL_PREFIX %+ _CBS_get_until_first\n%xdefine _CBS_get_utf32_be _ %+ BORINGSSL_PREFIX %+ _CBS_get_utf32_be\n%xdefine _CBS_get_utf8 _ %+ BORINGSSL_PREFIX %+ _CBS_get_utf8\n%xdefine _CBS_init _ %+ BORINGSSL_PREFIX %+ _CBS_init\n%xdefine _CBS_is_unsigned_asn1_integer _ %+ BORINGSSL_PREFIX %+ _CBS_is_unsigned_asn1_integer\n%xdefine _CBS_is_valid_asn1_bitstring _ %+ BORINGSSL_PREFIX %+ _CBS_is_valid_asn1_bitstring\n%xdefine _CBS_is_valid_asn1_integer _ %+ BORINGSSL_PREFIX %+ _CBS_is_valid_asn1_integer\n%xdefine _CBS_is_valid_asn1_oid _ %+ BORINGSSL_PREFIX %+ _CBS_is_valid_asn1_oid\n%xdefine _CBS_len _ %+ BORINGSSL_PREFIX %+ _CBS_len\n%xdefine _CBS_mem_equal _ %+ BORINGSSL_PREFIX %+ _CBS_mem_equal\n%xdefine _CBS_parse_generalized_time _ %+ BORINGSSL_PREFIX %+ _CBS_parse_generalized_time\n%xdefine _CBS_parse_utc_time _ %+ BORINGSSL_PREFIX %+ _CBS_parse_utc_time\n%xdefine _CBS_peek_asn1_tag _ %+ BORINGSSL_PREFIX %+ _CBS_peek_asn1_tag\n%xdefine _CBS_skip _ %+ BORINGSSL_PREFIX %+ _CBS_skip\n%xdefine _CBS_stow _ %+ BORINGSSL_PREFIX %+ _CBS_stow\n%xdefine _CBS_strdup _ %+ BORINGSSL_PREFIX %+ _CBS_strdup\n%xdefine _CERTIFICATEPOLICIES_free _ %+ BORINGSSL_PREFIX %+ _CERTIFICATEPOLICIES_free\n%xdefine _CERTIFICATEPOLICIES_it _ %+ BORINGSSL_PREFIX %+ _CERTIFICATEPOLICIES_it\n%xdefine _CERTIFICATEPOLICIES_new _ %+ BORINGSSL_PREFIX %+ _CERTIFICATEPOLICIES_new\n%xdefine _CMAC_CTX_copy _ %+ BORINGSSL_PREFIX %+ _CMAC_CTX_copy\n%xdefine _CMAC_CTX_free _ %+ BORINGSSL_PREFIX %+ _CMAC_CTX_free\n%xdefine _CMAC_CTX_new _ %+ BORINGSSL_PREFIX %+ _CMAC_CTX_new\n%xdefine _CMAC_Final _ %+ BORINGSSL_PREFIX %+ _CMAC_Final\n%xdefine _CMAC_Init _ %+ BORINGSSL_PREFIX %+ _CMAC_Init\n%xdefine _CMAC_Reset _ %+ BORINGSSL_PREFIX %+ _CMAC_Reset\n%xdefine _CMAC_Update _ %+ BORINGSSL_PREFIX %+ _CMAC_Update\n%xdefine _CONF_VALUE_new _ %+ BORINGSSL_PREFIX %+ _CONF_VALUE_new\n%xdefine _CONF_modules_free _ %+ BORINGSSL_PREFIX %+ _CONF_modules_free\n%xdefine _CONF_modules_load_file _ %+ BORINGSSL_PREFIX %+ _CONF_modules_load_file\n%xdefine _CONF_parse_list _ %+ BORINGSSL_PREFIX %+ _CONF_parse_list\n%xdefine _CRL_DIST_POINTS_free _ %+ BORINGSSL_PREFIX %+ _CRL_DIST_POINTS_free\n%xdefine _CRL_DIST_POINTS_it _ %+ BORINGSSL_PREFIX %+ _CRL_DIST_POINTS_it\n%xdefine _CRL_DIST_POINTS_new _ %+ BORINGSSL_PREFIX %+ _CRL_DIST_POINTS_new\n%xdefine _CRYPTO_BUFFER_POOL_free _ %+ BORINGSSL_PREFIX %+ _CRYPTO_BUFFER_POOL_free\n%xdefine _CRYPTO_BUFFER_POOL_new _ %+ BORINGSSL_PREFIX %+ _CRYPTO_BUFFER_POOL_new\n%xdefine _CRYPTO_BUFFER_alloc _ %+ BORINGSSL_PREFIX %+ _CRYPTO_BUFFER_alloc\n%xdefine _CRYPTO_BUFFER_data _ %+ BORINGSSL_PREFIX %+ _CRYPTO_BUFFER_data\n%xdefine _CRYPTO_BUFFER_free _ %+ BORINGSSL_PREFIX %+ _CRYPTO_BUFFER_free\n%xdefine _CRYPTO_BUFFER_init_CBS _ %+ BORINGSSL_PREFIX %+ _CRYPTO_BUFFER_init_CBS\n%xdefine _CRYPTO_BUFFER_len _ %+ BORINGSSL_PREFIX %+ _CRYPTO_BUFFER_len\n%xdefine _CRYPTO_BUFFER_new _ %+ BORINGSSL_PREFIX %+ _CRYPTO_BUFFER_new\n%xdefine _CRYPTO_BUFFER_new_from_CBS _ %+ BORINGSSL_PREFIX %+ _CRYPTO_BUFFER_new_from_CBS\n%xdefine _CRYPTO_BUFFER_new_from_static_data_unsafe _ %+ BORINGSSL_PREFIX %+ _CRYPTO_BUFFER_new_from_static_data_unsafe\n%xdefine _CRYPTO_BUFFER_up_ref _ %+ BORINGSSL_PREFIX %+ _CRYPTO_BUFFER_up_ref\n%xdefine _CRYPTO_MUTEX_cleanup _ %+ BORINGSSL_PREFIX %+ _CRYPTO_MUTEX_cleanup\n%xdefine _CRYPTO_MUTEX_init _ %+ BORINGSSL_PREFIX %+ _CRYPTO_MUTEX_init\n%xdefine _CRYPTO_MUTEX_lock_read _ %+ BORINGSSL_PREFIX %+ _CRYPTO_MUTEX_lock_read\n%xdefine _CRYPTO_MUTEX_lock_write _ %+ BORINGSSL_PREFIX %+ _CRYPTO_MUTEX_lock_write\n%xdefine _CRYPTO_MUTEX_unlock_read _ %+ BORINGSSL_PREFIX %+ _CRYPTO_MUTEX_unlock_read\n%xdefine _CRYPTO_MUTEX_unlock_write _ %+ BORINGSSL_PREFIX %+ _CRYPTO_MUTEX_unlock_write\n%xdefine _CRYPTO_POLYVAL_finish _ %+ BORINGSSL_PREFIX %+ _CRYPTO_POLYVAL_finish\n%xdefine _CRYPTO_POLYVAL_init _ %+ BORINGSSL_PREFIX %+ _CRYPTO_POLYVAL_init\n%xdefine _CRYPTO_POLYVAL_update_blocks _ %+ BORINGSSL_PREFIX %+ _CRYPTO_POLYVAL_update_blocks\n%xdefine _CRYPTO_THREADID_current _ %+ BORINGSSL_PREFIX %+ _CRYPTO_THREADID_current\n%xdefine _CRYPTO_THREADID_set_callback _ %+ BORINGSSL_PREFIX %+ _CRYPTO_THREADID_set_callback\n%xdefine _CRYPTO_THREADID_set_numeric _ %+ BORINGSSL_PREFIX %+ _CRYPTO_THREADID_set_numeric\n%xdefine _CRYPTO_THREADID_set_pointer _ %+ BORINGSSL_PREFIX %+ _CRYPTO_THREADID_set_pointer\n%xdefine _CRYPTO_atomic_compare_exchange_weak_u32 _ %+ BORINGSSL_PREFIX %+ _CRYPTO_atomic_compare_exchange_weak_u32\n%xdefine _CRYPTO_atomic_load_u32 _ %+ BORINGSSL_PREFIX %+ _CRYPTO_atomic_load_u32\n%xdefine _CRYPTO_atomic_store_u32 _ %+ BORINGSSL_PREFIX %+ _CRYPTO_atomic_store_u32\n%xdefine _CRYPTO_cbc128_decrypt _ %+ BORINGSSL_PREFIX %+ _CRYPTO_cbc128_decrypt\n%xdefine _CRYPTO_cbc128_encrypt _ %+ BORINGSSL_PREFIX %+ _CRYPTO_cbc128_encrypt\n%xdefine _CRYPTO_cfb128_1_encrypt _ %+ BORINGSSL_PREFIX %+ _CRYPTO_cfb128_1_encrypt\n%xdefine _CRYPTO_cfb128_8_encrypt _ %+ BORINGSSL_PREFIX %+ _CRYPTO_cfb128_8_encrypt\n%xdefine _CRYPTO_cfb128_encrypt _ %+ BORINGSSL_PREFIX %+ _CRYPTO_cfb128_encrypt\n%xdefine _CRYPTO_chacha_20 _ %+ BORINGSSL_PREFIX %+ _CRYPTO_chacha_20\n%xdefine _CRYPTO_cleanup_all_ex_data _ %+ BORINGSSL_PREFIX %+ _CRYPTO_cleanup_all_ex_data\n%xdefine _CRYPTO_cpu_avoid_zmm_registers _ %+ BORINGSSL_PREFIX %+ _CRYPTO_cpu_avoid_zmm_registers\n%xdefine _CRYPTO_cpu_perf_is_like_silvermont _ %+ BORINGSSL_PREFIX %+ _CRYPTO_cpu_perf_is_like_silvermont\n%xdefine _CRYPTO_ctr128_encrypt_ctr32 _ %+ BORINGSSL_PREFIX %+ _CRYPTO_ctr128_encrypt_ctr32\n%xdefine _CRYPTO_fips_186_2_prf _ %+ BORINGSSL_PREFIX %+ _CRYPTO_fips_186_2_prf\n%xdefine _CRYPTO_fork_detect_force_madv_wipeonfork_for_testing _ %+ BORINGSSL_PREFIX %+ _CRYPTO_fork_detect_force_madv_wipeonfork_for_testing\n%xdefine _CRYPTO_free _ %+ BORINGSSL_PREFIX %+ _CRYPTO_free\n%xdefine _CRYPTO_free_ex_data _ %+ BORINGSSL_PREFIX %+ _CRYPTO_free_ex_data\n%xdefine _CRYPTO_gcm128_aad _ %+ BORINGSSL_PREFIX %+ _CRYPTO_gcm128_aad\n%xdefine _CRYPTO_gcm128_decrypt _ %+ BORINGSSL_PREFIX %+ _CRYPTO_gcm128_decrypt\n%xdefine _CRYPTO_gcm128_encrypt _ %+ BORINGSSL_PREFIX %+ _CRYPTO_gcm128_encrypt\n%xdefine _CRYPTO_gcm128_finish _ %+ BORINGSSL_PREFIX %+ _CRYPTO_gcm128_finish\n%xdefine _CRYPTO_gcm128_init_aes_key _ %+ BORINGSSL_PREFIX %+ _CRYPTO_gcm128_init_aes_key\n%xdefine _CRYPTO_gcm128_init_ctx _ %+ BORINGSSL_PREFIX %+ _CRYPTO_gcm128_init_ctx\n%xdefine _CRYPTO_gcm128_tag _ %+ BORINGSSL_PREFIX %+ _CRYPTO_gcm128_tag\n%xdefine _CRYPTO_get_dynlock_create_callback _ %+ BORINGSSL_PREFIX %+ _CRYPTO_get_dynlock_create_callback\n%xdefine _CRYPTO_get_dynlock_destroy_callback _ %+ BORINGSSL_PREFIX %+ _CRYPTO_get_dynlock_destroy_callback\n%xdefine _CRYPTO_get_dynlock_lock_callback _ %+ BORINGSSL_PREFIX %+ _CRYPTO_get_dynlock_lock_callback\n%xdefine _CRYPTO_get_ex_data _ %+ BORINGSSL_PREFIX %+ _CRYPTO_get_ex_data\n%xdefine _CRYPTO_get_ex_new_index_ex _ %+ BORINGSSL_PREFIX %+ _CRYPTO_get_ex_new_index_ex\n%xdefine _CRYPTO_get_fork_generation _ %+ BORINGSSL_PREFIX %+ _CRYPTO_get_fork_generation\n%xdefine _CRYPTO_get_lock_name _ %+ BORINGSSL_PREFIX %+ _CRYPTO_get_lock_name\n%xdefine _CRYPTO_get_locking_callback _ %+ BORINGSSL_PREFIX %+ _CRYPTO_get_locking_callback\n%xdefine _CRYPTO_get_stderr _ %+ BORINGSSL_PREFIX %+ _CRYPTO_get_stderr\n%xdefine _CRYPTO_get_thread_local _ %+ BORINGSSL_PREFIX %+ _CRYPTO_get_thread_local\n%xdefine _CRYPTO_ghash_init _ %+ BORINGSSL_PREFIX %+ _CRYPTO_ghash_init\n%xdefine _CRYPTO_has_asm _ %+ BORINGSSL_PREFIX %+ _CRYPTO_has_asm\n%xdefine _CRYPTO_hchacha20 _ %+ BORINGSSL_PREFIX %+ _CRYPTO_hchacha20\n%xdefine _CRYPTO_init_sysrand _ %+ BORINGSSL_PREFIX %+ _CRYPTO_init_sysrand\n%xdefine _CRYPTO_is_ADX_capable _ %+ BORINGSSL_PREFIX %+ _CRYPTO_is_ADX_capable\n%xdefine _CRYPTO_is_AESNI_capable _ %+ BORINGSSL_PREFIX %+ _CRYPTO_is_AESNI_capable\n%xdefine _CRYPTO_is_ARMv8_AES_capable _ %+ BORINGSSL_PREFIX %+ _CRYPTO_is_ARMv8_AES_capable\n%xdefine _CRYPTO_is_ARMv8_PMULL_capable _ %+ BORINGSSL_PREFIX %+ _CRYPTO_is_ARMv8_PMULL_capable\n%xdefine _CRYPTO_is_ARMv8_SHA1_capable _ %+ BORINGSSL_PREFIX %+ _CRYPTO_is_ARMv8_SHA1_capable\n%xdefine _CRYPTO_is_ARMv8_SHA256_capable _ %+ BORINGSSL_PREFIX %+ _CRYPTO_is_ARMv8_SHA256_capable\n%xdefine _CRYPTO_is_ARMv8_SHA512_capable _ %+ BORINGSSL_PREFIX %+ _CRYPTO_is_ARMv8_SHA512_capable\n%xdefine _CRYPTO_is_AVX2_capable _ %+ BORINGSSL_PREFIX %+ _CRYPTO_is_AVX2_capable\n%xdefine _CRYPTO_is_AVX512BW_capable _ %+ BORINGSSL_PREFIX %+ _CRYPTO_is_AVX512BW_capable\n%xdefine _CRYPTO_is_AVX512VL_capable _ %+ BORINGSSL_PREFIX %+ _CRYPTO_is_AVX512VL_capable\n%xdefine _CRYPTO_is_AVX_capable _ %+ BORINGSSL_PREFIX %+ _CRYPTO_is_AVX_capable\n%xdefine _CRYPTO_is_BMI1_capable _ %+ BORINGSSL_PREFIX %+ _CRYPTO_is_BMI1_capable\n%xdefine _CRYPTO_is_BMI2_capable _ %+ BORINGSSL_PREFIX %+ _CRYPTO_is_BMI2_capable\n%xdefine _CRYPTO_is_FXSR_capable _ %+ BORINGSSL_PREFIX %+ _CRYPTO_is_FXSR_capable\n%xdefine _CRYPTO_is_MOVBE_capable _ %+ BORINGSSL_PREFIX %+ _CRYPTO_is_MOVBE_capable\n%xdefine _CRYPTO_is_NEON_capable _ %+ BORINGSSL_PREFIX %+ _CRYPTO_is_NEON_capable\n%xdefine _CRYPTO_is_PCLMUL_capable _ %+ BORINGSSL_PREFIX %+ _CRYPTO_is_PCLMUL_capable\n%xdefine _CRYPTO_is_RDRAND_capable _ %+ BORINGSSL_PREFIX %+ _CRYPTO_is_RDRAND_capable\n%xdefine _CRYPTO_is_SSE4_1_capable _ %+ BORINGSSL_PREFIX %+ _CRYPTO_is_SSE4_1_capable\n%xdefine _CRYPTO_is_SSSE3_capable _ %+ BORINGSSL_PREFIX %+ _CRYPTO_is_SSSE3_capable\n%xdefine _CRYPTO_is_VAES_capable _ %+ BORINGSSL_PREFIX %+ _CRYPTO_is_VAES_capable\n%xdefine _CRYPTO_is_VPCLMULQDQ_capable _ %+ BORINGSSL_PREFIX %+ _CRYPTO_is_VPCLMULQDQ_capable\n%xdefine _CRYPTO_is_confidential_build _ %+ BORINGSSL_PREFIX %+ _CRYPTO_is_confidential_build\n%xdefine _CRYPTO_is_intel_cpu _ %+ BORINGSSL_PREFIX %+ _CRYPTO_is_intel_cpu\n%xdefine _CRYPTO_is_x86_SHA_capable _ %+ BORINGSSL_PREFIX %+ _CRYPTO_is_x86_SHA_capable\n%xdefine _CRYPTO_library_init _ %+ BORINGSSL_PREFIX %+ _CRYPTO_library_init\n%xdefine _CRYPTO_malloc _ %+ BORINGSSL_PREFIX %+ _CRYPTO_malloc\n%xdefine _CRYPTO_malloc_init _ %+ BORINGSSL_PREFIX %+ _CRYPTO_malloc_init\n%xdefine _CRYPTO_memcmp _ %+ BORINGSSL_PREFIX %+ _CRYPTO_memcmp\n%xdefine _CRYPTO_new_ex_data _ %+ BORINGSSL_PREFIX %+ _CRYPTO_new_ex_data\n%xdefine _CRYPTO_num_locks _ %+ BORINGSSL_PREFIX %+ _CRYPTO_num_locks\n%xdefine _CRYPTO_ofb128_encrypt _ %+ BORINGSSL_PREFIX %+ _CRYPTO_ofb128_encrypt\n%xdefine _CRYPTO_once _ %+ BORINGSSL_PREFIX %+ _CRYPTO_once\n%xdefine _CRYPTO_poly1305_finish _ %+ BORINGSSL_PREFIX %+ _CRYPTO_poly1305_finish\n%xdefine _CRYPTO_poly1305_init _ %+ BORINGSSL_PREFIX %+ _CRYPTO_poly1305_init\n%xdefine _CRYPTO_poly1305_update _ %+ BORINGSSL_PREFIX %+ _CRYPTO_poly1305_update\n%xdefine _CRYPTO_pre_sandbox_init _ %+ BORINGSSL_PREFIX %+ _CRYPTO_pre_sandbox_init\n%xdefine _CRYPTO_rdrand _ %+ BORINGSSL_PREFIX %+ _CRYPTO_rdrand\n%xdefine _CRYPTO_rdrand_multiple8_buf _ %+ BORINGSSL_PREFIX %+ _CRYPTO_rdrand_multiple8_buf\n%xdefine _CRYPTO_realloc _ %+ BORINGSSL_PREFIX %+ _CRYPTO_realloc\n%xdefine _CRYPTO_refcount_dec_and_test_zero _ %+ BORINGSSL_PREFIX %+ _CRYPTO_refcount_dec_and_test_zero\n%xdefine _CRYPTO_refcount_inc _ %+ BORINGSSL_PREFIX %+ _CRYPTO_refcount_inc\n%xdefine _CRYPTO_secure_malloc_init _ %+ BORINGSSL_PREFIX %+ _CRYPTO_secure_malloc_init\n%xdefine _CRYPTO_secure_malloc_initialized _ %+ BORINGSSL_PREFIX %+ _CRYPTO_secure_malloc_initialized\n%xdefine _CRYPTO_secure_used _ %+ BORINGSSL_PREFIX %+ _CRYPTO_secure_used\n%xdefine _CRYPTO_set_add_lock_callback _ %+ BORINGSSL_PREFIX %+ _CRYPTO_set_add_lock_callback\n%xdefine _CRYPTO_set_dynlock_create_callback _ %+ BORINGSSL_PREFIX %+ _CRYPTO_set_dynlock_create_callback\n%xdefine _CRYPTO_set_dynlock_destroy_callback _ %+ BORINGSSL_PREFIX %+ _CRYPTO_set_dynlock_destroy_callback\n%xdefine _CRYPTO_set_dynlock_lock_callback _ %+ BORINGSSL_PREFIX %+ _CRYPTO_set_dynlock_lock_callback\n%xdefine _CRYPTO_set_ex_data _ %+ BORINGSSL_PREFIX %+ _CRYPTO_set_ex_data\n%xdefine _CRYPTO_set_id_callback _ %+ BORINGSSL_PREFIX %+ _CRYPTO_set_id_callback\n%xdefine _CRYPTO_set_locking_callback _ %+ BORINGSSL_PREFIX %+ _CRYPTO_set_locking_callback\n%xdefine _CRYPTO_set_thread_local _ %+ BORINGSSL_PREFIX %+ _CRYPTO_set_thread_local\n%xdefine _CRYPTO_sysrand _ %+ BORINGSSL_PREFIX %+ _CRYPTO_sysrand\n%xdefine _CRYPTO_sysrand_for_seed _ %+ BORINGSSL_PREFIX %+ _CRYPTO_sysrand_for_seed\n%xdefine _CRYPTO_sysrand_if_available _ %+ BORINGSSL_PREFIX %+ _CRYPTO_sysrand_if_available\n%xdefine _CRYPTO_tls13_hkdf_expand_label _ %+ BORINGSSL_PREFIX %+ _CRYPTO_tls13_hkdf_expand_label\n%xdefine _CRYPTO_tls1_prf _ %+ BORINGSSL_PREFIX %+ _CRYPTO_tls1_prf\n%xdefine _CRYPTO_xor16 _ %+ BORINGSSL_PREFIX %+ _CRYPTO_xor16\n%xdefine _CTR_DRBG_clear _ %+ BORINGSSL_PREFIX %+ _CTR_DRBG_clear\n%xdefine _CTR_DRBG_free _ %+ BORINGSSL_PREFIX %+ _CTR_DRBG_free\n%xdefine _CTR_DRBG_generate _ %+ BORINGSSL_PREFIX %+ _CTR_DRBG_generate\n%xdefine _CTR_DRBG_init _ %+ BORINGSSL_PREFIX %+ _CTR_DRBG_init\n%xdefine _CTR_DRBG_new _ %+ BORINGSSL_PREFIX %+ _CTR_DRBG_new\n%xdefine _CTR_DRBG_reseed _ %+ BORINGSSL_PREFIX %+ _CTR_DRBG_reseed\n%xdefine _ChaCha20_ctr32_avx2 _ %+ BORINGSSL_PREFIX %+ _ChaCha20_ctr32_avx2\n%xdefine _ChaCha20_ctr32_avx2_capable _ %+ BORINGSSL_PREFIX %+ _ChaCha20_ctr32_avx2_capable\n%xdefine _ChaCha20_ctr32_neon _ %+ BORINGSSL_PREFIX %+ _ChaCha20_ctr32_neon\n%xdefine _ChaCha20_ctr32_neon_capable _ %+ BORINGSSL_PREFIX %+ _ChaCha20_ctr32_neon_capable\n%xdefine _ChaCha20_ctr32_nohw _ %+ BORINGSSL_PREFIX %+ _ChaCha20_ctr32_nohw\n%xdefine _ChaCha20_ctr32_ssse3 _ %+ BORINGSSL_PREFIX %+ _ChaCha20_ctr32_ssse3\n%xdefine _ChaCha20_ctr32_ssse3_4x _ %+ BORINGSSL_PREFIX %+ _ChaCha20_ctr32_ssse3_4x\n%xdefine _ChaCha20_ctr32_ssse3_4x_capable _ %+ BORINGSSL_PREFIX %+ _ChaCha20_ctr32_ssse3_4x_capable\n%xdefine _ChaCha20_ctr32_ssse3_capable _ %+ BORINGSSL_PREFIX %+ _ChaCha20_ctr32_ssse3_capable\n%xdefine _DES_decrypt3 _ %+ BORINGSSL_PREFIX %+ _DES_decrypt3\n%xdefine _DES_ecb3_encrypt _ %+ BORINGSSL_PREFIX %+ _DES_ecb3_encrypt\n%xdefine _DES_ecb3_encrypt_ex _ %+ BORINGSSL_PREFIX %+ _DES_ecb3_encrypt_ex\n%xdefine _DES_ecb_encrypt _ %+ BORINGSSL_PREFIX %+ _DES_ecb_encrypt\n%xdefine _DES_ecb_encrypt_ex _ %+ BORINGSSL_PREFIX %+ _DES_ecb_encrypt_ex\n%xdefine _DES_ede2_cbc_encrypt _ %+ BORINGSSL_PREFIX %+ _DES_ede2_cbc_encrypt\n%xdefine _DES_ede3_cbc_encrypt _ %+ BORINGSSL_PREFIX %+ _DES_ede3_cbc_encrypt\n%xdefine _DES_ede3_cbc_encrypt_ex _ %+ BORINGSSL_PREFIX %+ _DES_ede3_cbc_encrypt_ex\n%xdefine _DES_encrypt3 _ %+ BORINGSSL_PREFIX %+ _DES_encrypt3\n%xdefine _DES_ncbc_encrypt _ %+ BORINGSSL_PREFIX %+ _DES_ncbc_encrypt\n%xdefine _DES_ncbc_encrypt_ex _ %+ BORINGSSL_PREFIX %+ _DES_ncbc_encrypt_ex\n%xdefine _DES_set_key _ %+ BORINGSSL_PREFIX %+ _DES_set_key\n%xdefine _DES_set_key_ex _ %+ BORINGSSL_PREFIX %+ _DES_set_key_ex\n%xdefine _DES_set_key_unchecked _ %+ BORINGSSL_PREFIX %+ _DES_set_key_unchecked\n%xdefine _DES_set_odd_parity _ %+ BORINGSSL_PREFIX %+ _DES_set_odd_parity\n%xdefine _DH_bits _ %+ BORINGSSL_PREFIX %+ _DH_bits\n%xdefine _DH_check _ %+ BORINGSSL_PREFIX %+ _DH_check\n%xdefine _DH_check_pub_key _ %+ BORINGSSL_PREFIX %+ _DH_check_pub_key\n%xdefine _DH_compute_key _ %+ BORINGSSL_PREFIX %+ _DH_compute_key\n%xdefine _DH_compute_key_hashed _ %+ BORINGSSL_PREFIX %+ _DH_compute_key_hashed\n%xdefine _DH_compute_key_padded _ %+ BORINGSSL_PREFIX %+ _DH_compute_key_padded\n%xdefine _DH_free _ %+ BORINGSSL_PREFIX %+ _DH_free\n%xdefine _DH_generate_key _ %+ BORINGSSL_PREFIX %+ _DH_generate_key\n%xdefine _DH_generate_parameters_ex _ %+ BORINGSSL_PREFIX %+ _DH_generate_parameters_ex\n%xdefine _DH_get0_g _ %+ BORINGSSL_PREFIX %+ _DH_get0_g\n%xdefine _DH_get0_key _ %+ BORINGSSL_PREFIX %+ _DH_get0_key\n%xdefine _DH_get0_p _ %+ BORINGSSL_PREFIX %+ _DH_get0_p\n%xdefine _DH_get0_pqg _ %+ BORINGSSL_PREFIX %+ _DH_get0_pqg\n%xdefine _DH_get0_priv_key _ %+ BORINGSSL_PREFIX %+ _DH_get0_priv_key\n%xdefine _DH_get0_pub_key _ %+ BORINGSSL_PREFIX %+ _DH_get0_pub_key\n%xdefine _DH_get0_q _ %+ BORINGSSL_PREFIX %+ _DH_get0_q\n%xdefine _DH_get_rfc7919_2048 _ %+ BORINGSSL_PREFIX %+ _DH_get_rfc7919_2048\n%xdefine _DH_marshal_parameters _ %+ BORINGSSL_PREFIX %+ _DH_marshal_parameters\n%xdefine _DH_new _ %+ BORINGSSL_PREFIX %+ _DH_new\n%xdefine _DH_num_bits _ %+ BORINGSSL_PREFIX %+ _DH_num_bits\n%xdefine _DH_parse_parameters _ %+ BORINGSSL_PREFIX %+ _DH_parse_parameters\n%xdefine _DH_set0_key _ %+ BORINGSSL_PREFIX %+ _DH_set0_key\n%xdefine _DH_set0_pqg _ %+ BORINGSSL_PREFIX %+ _DH_set0_pqg\n%xdefine _DH_set_length _ %+ BORINGSSL_PREFIX %+ _DH_set_length\n%xdefine _DH_size _ %+ BORINGSSL_PREFIX %+ _DH_size\n%xdefine _DH_up_ref _ %+ BORINGSSL_PREFIX %+ _DH_up_ref\n%xdefine _DHparams_dup _ %+ BORINGSSL_PREFIX %+ _DHparams_dup\n%xdefine _DIRECTORYSTRING_free _ %+ BORINGSSL_PREFIX %+ _DIRECTORYSTRING_free\n%xdefine _DIRECTORYSTRING_it _ %+ BORINGSSL_PREFIX %+ _DIRECTORYSTRING_it\n%xdefine _DIRECTORYSTRING_new _ %+ BORINGSSL_PREFIX %+ _DIRECTORYSTRING_new\n%xdefine _DISPLAYTEXT_free _ %+ BORINGSSL_PREFIX %+ _DISPLAYTEXT_free\n%xdefine _DISPLAYTEXT_it _ %+ BORINGSSL_PREFIX %+ _DISPLAYTEXT_it\n%xdefine _DISPLAYTEXT_new _ %+ BORINGSSL_PREFIX %+ _DISPLAYTEXT_new\n%xdefine _DIST_POINT_NAME_free _ %+ BORINGSSL_PREFIX %+ _DIST_POINT_NAME_free\n%xdefine _DIST_POINT_NAME_new _ %+ BORINGSSL_PREFIX %+ _DIST_POINT_NAME_new\n%xdefine _DIST_POINT_free _ %+ BORINGSSL_PREFIX %+ _DIST_POINT_free\n%xdefine _DIST_POINT_new _ %+ BORINGSSL_PREFIX %+ _DIST_POINT_new\n%xdefine _DIST_POINT_set_dpname _ %+ BORINGSSL_PREFIX %+ _DIST_POINT_set_dpname\n%xdefine _DSA_SIG_free _ %+ BORINGSSL_PREFIX %+ _DSA_SIG_free\n%xdefine _DSA_SIG_get0 _ %+ BORINGSSL_PREFIX %+ _DSA_SIG_get0\n%xdefine _DSA_SIG_marshal _ %+ BORINGSSL_PREFIX %+ _DSA_SIG_marshal\n%xdefine _DSA_SIG_new _ %+ BORINGSSL_PREFIX %+ _DSA_SIG_new\n%xdefine _DSA_SIG_parse _ %+ BORINGSSL_PREFIX %+ _DSA_SIG_parse\n%xdefine _DSA_SIG_set0 _ %+ BORINGSSL_PREFIX %+ _DSA_SIG_set0\n%xdefine _DSA_bits _ %+ BORINGSSL_PREFIX %+ _DSA_bits\n%xdefine _DSA_check_signature _ %+ BORINGSSL_PREFIX %+ _DSA_check_signature\n%xdefine _DSA_do_check_signature _ %+ BORINGSSL_PREFIX %+ _DSA_do_check_signature\n%xdefine _DSA_do_sign _ %+ BORINGSSL_PREFIX %+ _DSA_do_sign\n%xdefine _DSA_do_verify _ %+ BORINGSSL_PREFIX %+ _DSA_do_verify\n%xdefine _DSA_dup_DH _ %+ BORINGSSL_PREFIX %+ _DSA_dup_DH\n%xdefine _DSA_free _ %+ BORINGSSL_PREFIX %+ _DSA_free\n%xdefine _DSA_generate_key _ %+ BORINGSSL_PREFIX %+ _DSA_generate_key\n%xdefine _DSA_generate_parameters_ex _ %+ BORINGSSL_PREFIX %+ _DSA_generate_parameters_ex\n%xdefine _DSA_get0_g _ %+ BORINGSSL_PREFIX %+ _DSA_get0_g\n%xdefine _DSA_get0_key _ %+ BORINGSSL_PREFIX %+ _DSA_get0_key\n%xdefine _DSA_get0_p _ %+ BORINGSSL_PREFIX %+ _DSA_get0_p\n%xdefine _DSA_get0_pqg _ %+ BORINGSSL_PREFIX %+ _DSA_get0_pqg\n%xdefine _DSA_get0_priv_key _ %+ BORINGSSL_PREFIX %+ _DSA_get0_priv_key\n%xdefine _DSA_get0_pub_key _ %+ BORINGSSL_PREFIX %+ _DSA_get0_pub_key\n%xdefine _DSA_get0_q _ %+ BORINGSSL_PREFIX %+ _DSA_get0_q\n%xdefine _DSA_get_ex_data _ %+ BORINGSSL_PREFIX %+ _DSA_get_ex_data\n%xdefine _DSA_get_ex_new_index _ %+ BORINGSSL_PREFIX %+ _DSA_get_ex_new_index\n%xdefine _DSA_marshal_parameters _ %+ BORINGSSL_PREFIX %+ _DSA_marshal_parameters\n%xdefine _DSA_marshal_private_key _ %+ BORINGSSL_PREFIX %+ _DSA_marshal_private_key\n%xdefine _DSA_marshal_public_key _ %+ BORINGSSL_PREFIX %+ _DSA_marshal_public_key\n%xdefine _DSA_new _ %+ BORINGSSL_PREFIX %+ _DSA_new\n%xdefine _DSA_parse_parameters _ %+ BORINGSSL_PREFIX %+ _DSA_parse_parameters\n%xdefine _DSA_parse_private_key _ %+ BORINGSSL_PREFIX %+ _DSA_parse_private_key\n%xdefine _DSA_parse_public_key _ %+ BORINGSSL_PREFIX %+ _DSA_parse_public_key\n%xdefine _DSA_set0_key _ %+ BORINGSSL_PREFIX %+ _DSA_set0_key\n%xdefine _DSA_set0_pqg _ %+ BORINGSSL_PREFIX %+ _DSA_set0_pqg\n%xdefine _DSA_set_ex_data _ %+ BORINGSSL_PREFIX %+ _DSA_set_ex_data\n%xdefine _DSA_sign _ %+ BORINGSSL_PREFIX %+ _DSA_sign\n%xdefine _DSA_size _ %+ BORINGSSL_PREFIX %+ _DSA_size\n%xdefine _DSA_up_ref _ %+ BORINGSSL_PREFIX %+ _DSA_up_ref\n%xdefine _DSA_verify _ %+ BORINGSSL_PREFIX %+ _DSA_verify\n%xdefine _DSAparams_dup _ %+ BORINGSSL_PREFIX %+ _DSAparams_dup\n%xdefine _DTLS_client_method _ %+ BORINGSSL_PREFIX %+ _DTLS_client_method\n%xdefine _DTLS_method _ %+ BORINGSSL_PREFIX %+ _DTLS_method\n%xdefine _DTLS_server_method _ %+ BORINGSSL_PREFIX %+ _DTLS_server_method\n%xdefine _DTLS_with_buffers_method _ %+ BORINGSSL_PREFIX %+ _DTLS_with_buffers_method\n%xdefine _DTLSv1_2_client_method _ %+ BORINGSSL_PREFIX %+ _DTLSv1_2_client_method\n%xdefine _DTLSv1_2_method _ %+ BORINGSSL_PREFIX %+ _DTLSv1_2_method\n%xdefine _DTLSv1_2_server_method _ %+ BORINGSSL_PREFIX %+ _DTLSv1_2_server_method\n%xdefine _DTLSv1_client_method _ %+ BORINGSSL_PREFIX %+ _DTLSv1_client_method\n%xdefine _DTLSv1_get_timeout _ %+ BORINGSSL_PREFIX %+ _DTLSv1_get_timeout\n%xdefine _DTLSv1_handle_timeout _ %+ BORINGSSL_PREFIX %+ _DTLSv1_handle_timeout\n%xdefine _DTLSv1_method _ %+ BORINGSSL_PREFIX %+ _DTLSv1_method\n%xdefine _DTLSv1_server_method _ %+ BORINGSSL_PREFIX %+ _DTLSv1_server_method\n%xdefine _DTLSv1_set_initial_timeout_duration _ %+ BORINGSSL_PREFIX %+ _DTLSv1_set_initial_timeout_duration\n%xdefine _ECDH_compute_key _ %+ BORINGSSL_PREFIX %+ _ECDH_compute_key\n%xdefine _ECDH_compute_key_fips _ %+ BORINGSSL_PREFIX %+ _ECDH_compute_key_fips\n%xdefine _ECDSA_SIG_free _ %+ BORINGSSL_PREFIX %+ _ECDSA_SIG_free\n%xdefine _ECDSA_SIG_from_bytes _ %+ BORINGSSL_PREFIX %+ _ECDSA_SIG_from_bytes\n%xdefine _ECDSA_SIG_get0 _ %+ BORINGSSL_PREFIX %+ _ECDSA_SIG_get0\n%xdefine _ECDSA_SIG_get0_r _ %+ BORINGSSL_PREFIX %+ _ECDSA_SIG_get0_r\n%xdefine _ECDSA_SIG_get0_s _ %+ BORINGSSL_PREFIX %+ _ECDSA_SIG_get0_s\n%xdefine _ECDSA_SIG_marshal _ %+ BORINGSSL_PREFIX %+ _ECDSA_SIG_marshal\n%xdefine _ECDSA_SIG_max_len _ %+ BORINGSSL_PREFIX %+ _ECDSA_SIG_max_len\n%xdefine _ECDSA_SIG_new _ %+ BORINGSSL_PREFIX %+ _ECDSA_SIG_new\n%xdefine _ECDSA_SIG_parse _ %+ BORINGSSL_PREFIX %+ _ECDSA_SIG_parse\n%xdefine _ECDSA_SIG_set0 _ %+ BORINGSSL_PREFIX %+ _ECDSA_SIG_set0\n%xdefine _ECDSA_SIG_to_bytes _ %+ BORINGSSL_PREFIX %+ _ECDSA_SIG_to_bytes\n%xdefine _ECDSA_do_sign _ %+ BORINGSSL_PREFIX %+ _ECDSA_do_sign\n%xdefine _ECDSA_do_verify _ %+ BORINGSSL_PREFIX %+ _ECDSA_do_verify\n%xdefine _ECDSA_sign _ %+ BORINGSSL_PREFIX %+ _ECDSA_sign\n%xdefine _ECDSA_sign_with_nonce_and_leak_private_key_for_testing _ %+ BORINGSSL_PREFIX %+ _ECDSA_sign_with_nonce_and_leak_private_key_for_testing\n%xdefine _ECDSA_size _ %+ BORINGSSL_PREFIX %+ _ECDSA_size\n%xdefine _ECDSA_verify _ %+ BORINGSSL_PREFIX %+ _ECDSA_verify\n%xdefine _EC_GFp_mont_method _ %+ BORINGSSL_PREFIX %+ _EC_GFp_mont_method\n%xdefine _EC_GFp_nistp224_method _ %+ BORINGSSL_PREFIX %+ _EC_GFp_nistp224_method\n%xdefine _EC_GFp_nistp256_method _ %+ BORINGSSL_PREFIX %+ _EC_GFp_nistp256_method\n%xdefine _EC_GFp_nistz256_method _ %+ BORINGSSL_PREFIX %+ _EC_GFp_nistz256_method\n%xdefine _EC_GROUP_cmp _ %+ BORINGSSL_PREFIX %+ _EC_GROUP_cmp\n%xdefine _EC_GROUP_dup _ %+ BORINGSSL_PREFIX %+ _EC_GROUP_dup\n%xdefine _EC_GROUP_free _ %+ BORINGSSL_PREFIX %+ _EC_GROUP_free\n%xdefine _EC_GROUP_get0_generator _ %+ BORINGSSL_PREFIX %+ _EC_GROUP_get0_generator\n%xdefine _EC_GROUP_get0_order _ %+ BORINGSSL_PREFIX %+ _EC_GROUP_get0_order\n%xdefine _EC_GROUP_get_asn1_flag _ %+ BORINGSSL_PREFIX %+ _EC_GROUP_get_asn1_flag\n%xdefine _EC_GROUP_get_cofactor _ %+ BORINGSSL_PREFIX %+ _EC_GROUP_get_cofactor\n%xdefine _EC_GROUP_get_curve_GFp _ %+ BORINGSSL_PREFIX %+ _EC_GROUP_get_curve_GFp\n%xdefine _EC_GROUP_get_curve_name _ %+ BORINGSSL_PREFIX %+ _EC_GROUP_get_curve_name\n%xdefine _EC_GROUP_get_degree _ %+ BORINGSSL_PREFIX %+ _EC_GROUP_get_degree\n%xdefine _EC_GROUP_get_order _ %+ BORINGSSL_PREFIX %+ _EC_GROUP_get_order\n%xdefine _EC_GROUP_method_of _ %+ BORINGSSL_PREFIX %+ _EC_GROUP_method_of\n%xdefine _EC_GROUP_new_by_curve_name _ %+ BORINGSSL_PREFIX %+ _EC_GROUP_new_by_curve_name\n%xdefine _EC_GROUP_new_curve_GFp _ %+ BORINGSSL_PREFIX %+ _EC_GROUP_new_curve_GFp\n%xdefine _EC_GROUP_order_bits _ %+ BORINGSSL_PREFIX %+ _EC_GROUP_order_bits\n%xdefine _EC_GROUP_set_asn1_flag _ %+ BORINGSSL_PREFIX %+ _EC_GROUP_set_asn1_flag\n%xdefine _EC_GROUP_set_generator _ %+ BORINGSSL_PREFIX %+ _EC_GROUP_set_generator\n%xdefine _EC_GROUP_set_point_conversion_form _ %+ BORINGSSL_PREFIX %+ _EC_GROUP_set_point_conversion_form\n%xdefine _EC_KEY_check_fips _ %+ BORINGSSL_PREFIX %+ _EC_KEY_check_fips\n%xdefine _EC_KEY_check_key _ %+ BORINGSSL_PREFIX %+ _EC_KEY_check_key\n%xdefine _EC_KEY_derive_from_secret _ %+ BORINGSSL_PREFIX %+ _EC_KEY_derive_from_secret\n%xdefine _EC_KEY_dup _ %+ BORINGSSL_PREFIX %+ _EC_KEY_dup\n%xdefine _EC_KEY_free _ %+ BORINGSSL_PREFIX %+ _EC_KEY_free\n%xdefine _EC_KEY_generate_key _ %+ BORINGSSL_PREFIX %+ _EC_KEY_generate_key\n%xdefine _EC_KEY_generate_key_fips _ %+ BORINGSSL_PREFIX %+ _EC_KEY_generate_key_fips\n%xdefine _EC_KEY_get0_group _ %+ BORINGSSL_PREFIX %+ _EC_KEY_get0_group\n%xdefine _EC_KEY_get0_private_key _ %+ BORINGSSL_PREFIX %+ _EC_KEY_get0_private_key\n%xdefine _EC_KEY_get0_public_key _ %+ BORINGSSL_PREFIX %+ _EC_KEY_get0_public_key\n%xdefine _EC_KEY_get_conv_form _ %+ BORINGSSL_PREFIX %+ _EC_KEY_get_conv_form\n%xdefine _EC_KEY_get_enc_flags _ %+ BORINGSSL_PREFIX %+ _EC_KEY_get_enc_flags\n%xdefine _EC_KEY_get_ex_data _ %+ BORINGSSL_PREFIX %+ _EC_KEY_get_ex_data\n%xdefine _EC_KEY_get_ex_new_index _ %+ BORINGSSL_PREFIX %+ _EC_KEY_get_ex_new_index\n%xdefine _EC_KEY_is_opaque _ %+ BORINGSSL_PREFIX %+ _EC_KEY_is_opaque\n%xdefine _EC_KEY_key2buf _ %+ BORINGSSL_PREFIX %+ _EC_KEY_key2buf\n%xdefine _EC_KEY_marshal_curve_name _ %+ BORINGSSL_PREFIX %+ _EC_KEY_marshal_curve_name\n%xdefine _EC_KEY_marshal_private_key _ %+ BORINGSSL_PREFIX %+ _EC_KEY_marshal_private_key\n%xdefine _EC_KEY_new _ %+ BORINGSSL_PREFIX %+ _EC_KEY_new\n%xdefine _EC_KEY_new_by_curve_name _ %+ BORINGSSL_PREFIX %+ _EC_KEY_new_by_curve_name\n%xdefine _EC_KEY_new_method _ %+ BORINGSSL_PREFIX %+ _EC_KEY_new_method\n%xdefine _EC_KEY_oct2key _ %+ BORINGSSL_PREFIX %+ _EC_KEY_oct2key\n%xdefine _EC_KEY_oct2priv _ %+ BORINGSSL_PREFIX %+ _EC_KEY_oct2priv\n%xdefine _EC_KEY_parse_curve_name _ %+ BORINGSSL_PREFIX %+ _EC_KEY_parse_curve_name\n%xdefine _EC_KEY_parse_parameters _ %+ BORINGSSL_PREFIX %+ _EC_KEY_parse_parameters\n%xdefine _EC_KEY_parse_private_key _ %+ BORINGSSL_PREFIX %+ _EC_KEY_parse_private_key\n%xdefine _EC_KEY_priv2buf _ %+ BORINGSSL_PREFIX %+ _EC_KEY_priv2buf\n%xdefine _EC_KEY_priv2oct _ %+ BORINGSSL_PREFIX %+ _EC_KEY_priv2oct\n%xdefine _EC_KEY_set_asn1_flag _ %+ BORINGSSL_PREFIX %+ _EC_KEY_set_asn1_flag\n%xdefine _EC_KEY_set_conv_form _ %+ BORINGSSL_PREFIX %+ _EC_KEY_set_conv_form\n%xdefine _EC_KEY_set_enc_flags _ %+ BORINGSSL_PREFIX %+ _EC_KEY_set_enc_flags\n%xdefine _EC_KEY_set_ex_data _ %+ BORINGSSL_PREFIX %+ _EC_KEY_set_ex_data\n%xdefine _EC_KEY_set_group _ %+ BORINGSSL_PREFIX %+ _EC_KEY_set_group\n%xdefine _EC_KEY_set_private_key _ %+ BORINGSSL_PREFIX %+ _EC_KEY_set_private_key\n%xdefine _EC_KEY_set_public_key _ %+ BORINGSSL_PREFIX %+ _EC_KEY_set_public_key\n%xdefine _EC_KEY_set_public_key_affine_coordinates _ %+ BORINGSSL_PREFIX %+ _EC_KEY_set_public_key_affine_coordinates\n%xdefine _EC_KEY_up_ref _ %+ BORINGSSL_PREFIX %+ _EC_KEY_up_ref\n%xdefine _EC_METHOD_get_field_type _ %+ BORINGSSL_PREFIX %+ _EC_METHOD_get_field_type\n%xdefine _EC_POINT_add _ %+ BORINGSSL_PREFIX %+ _EC_POINT_add\n%xdefine _EC_POINT_clear_free _ %+ BORINGSSL_PREFIX %+ _EC_POINT_clear_free\n%xdefine _EC_POINT_cmp _ %+ BORINGSSL_PREFIX %+ _EC_POINT_cmp\n%xdefine _EC_POINT_copy _ %+ BORINGSSL_PREFIX %+ _EC_POINT_copy\n%xdefine _EC_POINT_dbl _ %+ BORINGSSL_PREFIX %+ _EC_POINT_dbl\n%xdefine _EC_POINT_dup _ %+ BORINGSSL_PREFIX %+ _EC_POINT_dup\n%xdefine _EC_POINT_free _ %+ BORINGSSL_PREFIX %+ _EC_POINT_free\n%xdefine _EC_POINT_get_affine_coordinates _ %+ BORINGSSL_PREFIX %+ _EC_POINT_get_affine_coordinates\n%xdefine _EC_POINT_get_affine_coordinates_GFp _ %+ BORINGSSL_PREFIX %+ _EC_POINT_get_affine_coordinates_GFp\n%xdefine _EC_POINT_invert _ %+ BORINGSSL_PREFIX %+ _EC_POINT_invert\n%xdefine _EC_POINT_is_at_infinity _ %+ BORINGSSL_PREFIX %+ _EC_POINT_is_at_infinity\n%xdefine _EC_POINT_is_on_curve _ %+ BORINGSSL_PREFIX %+ _EC_POINT_is_on_curve\n%xdefine _EC_POINT_mul _ %+ BORINGSSL_PREFIX %+ _EC_POINT_mul\n%xdefine _EC_POINT_new _ %+ BORINGSSL_PREFIX %+ _EC_POINT_new\n%xdefine _EC_POINT_oct2point _ %+ BORINGSSL_PREFIX %+ _EC_POINT_oct2point\n%xdefine _EC_POINT_point2buf _ %+ BORINGSSL_PREFIX %+ _EC_POINT_point2buf\n%xdefine _EC_POINT_point2cbb _ %+ BORINGSSL_PREFIX %+ _EC_POINT_point2cbb\n%xdefine _EC_POINT_point2oct _ %+ BORINGSSL_PREFIX %+ _EC_POINT_point2oct\n%xdefine _EC_POINT_set_affine_coordinates _ %+ BORINGSSL_PREFIX %+ _EC_POINT_set_affine_coordinates\n%xdefine _EC_POINT_set_affine_coordinates_GFp _ %+ BORINGSSL_PREFIX %+ _EC_POINT_set_affine_coordinates_GFp\n%xdefine _EC_POINT_set_compressed_coordinates_GFp _ %+ BORINGSSL_PREFIX %+ _EC_POINT_set_compressed_coordinates_GFp\n%xdefine _EC_POINT_set_to_infinity _ %+ BORINGSSL_PREFIX %+ _EC_POINT_set_to_infinity\n%xdefine _EC_curve_nid2nist _ %+ BORINGSSL_PREFIX %+ _EC_curve_nid2nist\n%xdefine _EC_curve_nist2nid _ %+ BORINGSSL_PREFIX %+ _EC_curve_nist2nid\n%xdefine _EC_get_builtin_curves _ %+ BORINGSSL_PREFIX %+ _EC_get_builtin_curves\n%xdefine _EC_group_p224 _ %+ BORINGSSL_PREFIX %+ _EC_group_p224\n%xdefine _EC_group_p256 _ %+ BORINGSSL_PREFIX %+ _EC_group_p256\n%xdefine _EC_group_p384 _ %+ BORINGSSL_PREFIX %+ _EC_group_p384\n%xdefine _EC_group_p521 _ %+ BORINGSSL_PREFIX %+ _EC_group_p521\n%xdefine _EC_hash_to_curve_p256_xmd_sha256_sswu _ %+ BORINGSSL_PREFIX %+ _EC_hash_to_curve_p256_xmd_sha256_sswu\n%xdefine _EC_hash_to_curve_p384_xmd_sha384_sswu _ %+ BORINGSSL_PREFIX %+ _EC_hash_to_curve_p384_xmd_sha384_sswu\n%xdefine _ED25519_keypair _ %+ BORINGSSL_PREFIX %+ _ED25519_keypair\n%xdefine _ED25519_keypair_from_seed _ %+ BORINGSSL_PREFIX %+ _ED25519_keypair_from_seed\n%xdefine _ED25519_sign _ %+ BORINGSSL_PREFIX %+ _ED25519_sign\n%xdefine _ED25519_verify _ %+ BORINGSSL_PREFIX %+ _ED25519_verify\n%xdefine _EDIPARTYNAME_free _ %+ BORINGSSL_PREFIX %+ _EDIPARTYNAME_free\n%xdefine _EDIPARTYNAME_new _ %+ BORINGSSL_PREFIX %+ _EDIPARTYNAME_new\n%xdefine _ENGINE_free _ %+ BORINGSSL_PREFIX %+ _ENGINE_free\n%xdefine _ENGINE_get_ECDSA_method _ %+ BORINGSSL_PREFIX %+ _ENGINE_get_ECDSA_method\n%xdefine _ENGINE_get_RSA_method _ %+ BORINGSSL_PREFIX %+ _ENGINE_get_RSA_method\n%xdefine _ENGINE_load_builtin_engines _ %+ BORINGSSL_PREFIX %+ _ENGINE_load_builtin_engines\n%xdefine _ENGINE_new _ %+ BORINGSSL_PREFIX %+ _ENGINE_new\n%xdefine _ENGINE_register_all_complete _ %+ BORINGSSL_PREFIX %+ _ENGINE_register_all_complete\n%xdefine _ENGINE_set_ECDSA_method _ %+ BORINGSSL_PREFIX %+ _ENGINE_set_ECDSA_method\n%xdefine _ENGINE_set_RSA_method _ %+ BORINGSSL_PREFIX %+ _ENGINE_set_RSA_method\n%xdefine _ERR_GET_LIB _ %+ BORINGSSL_PREFIX %+ _ERR_GET_LIB\n%xdefine _ERR_GET_REASON _ %+ BORINGSSL_PREFIX %+ _ERR_GET_REASON\n%xdefine _ERR_SAVE_STATE_free _ %+ BORINGSSL_PREFIX %+ _ERR_SAVE_STATE_free\n%xdefine _ERR_add_error_data _ %+ BORINGSSL_PREFIX %+ _ERR_add_error_data\n%xdefine _ERR_add_error_dataf _ %+ BORINGSSL_PREFIX %+ _ERR_add_error_dataf\n%xdefine _ERR_clear_error _ %+ BORINGSSL_PREFIX %+ _ERR_clear_error\n%xdefine _ERR_clear_system_error _ %+ BORINGSSL_PREFIX %+ _ERR_clear_system_error\n%xdefine _ERR_error_string _ %+ BORINGSSL_PREFIX %+ _ERR_error_string\n%xdefine _ERR_error_string_n _ %+ BORINGSSL_PREFIX %+ _ERR_error_string_n\n%xdefine _ERR_free_strings _ %+ BORINGSSL_PREFIX %+ _ERR_free_strings\n%xdefine _ERR_func_error_string _ %+ BORINGSSL_PREFIX %+ _ERR_func_error_string\n%xdefine _ERR_get_error _ %+ BORINGSSL_PREFIX %+ _ERR_get_error\n%xdefine _ERR_get_error_line _ %+ BORINGSSL_PREFIX %+ _ERR_get_error_line\n%xdefine _ERR_get_error_line_data _ %+ BORINGSSL_PREFIX %+ _ERR_get_error_line_data\n%xdefine _ERR_get_next_error_library _ %+ BORINGSSL_PREFIX %+ _ERR_get_next_error_library\n%xdefine _ERR_lib_error_string _ %+ BORINGSSL_PREFIX %+ _ERR_lib_error_string\n%xdefine _ERR_lib_symbol_name _ %+ BORINGSSL_PREFIX %+ _ERR_lib_symbol_name\n%xdefine _ERR_load_BIO_strings _ %+ BORINGSSL_PREFIX %+ _ERR_load_BIO_strings\n%xdefine _ERR_load_ERR_strings _ %+ BORINGSSL_PREFIX %+ _ERR_load_ERR_strings\n%xdefine _ERR_load_RAND_strings _ %+ BORINGSSL_PREFIX %+ _ERR_load_RAND_strings\n%xdefine _ERR_load_SSL_strings _ %+ BORINGSSL_PREFIX %+ _ERR_load_SSL_strings\n%xdefine _ERR_load_crypto_strings _ %+ BORINGSSL_PREFIX %+ _ERR_load_crypto_strings\n%xdefine _ERR_peek_error _ %+ BORINGSSL_PREFIX %+ _ERR_peek_error\n%xdefine _ERR_peek_error_line _ %+ BORINGSSL_PREFIX %+ _ERR_peek_error_line\n%xdefine _ERR_peek_error_line_data _ %+ BORINGSSL_PREFIX %+ _ERR_peek_error_line_data\n%xdefine _ERR_peek_last_error _ %+ BORINGSSL_PREFIX %+ _ERR_peek_last_error\n%xdefine _ERR_peek_last_error_line _ %+ BORINGSSL_PREFIX %+ _ERR_peek_last_error_line\n%xdefine _ERR_peek_last_error_line_data _ %+ BORINGSSL_PREFIX %+ _ERR_peek_last_error_line_data\n%xdefine _ERR_pop_to_mark _ %+ BORINGSSL_PREFIX %+ _ERR_pop_to_mark\n%xdefine _ERR_print_errors _ %+ BORINGSSL_PREFIX %+ _ERR_print_errors\n%xdefine _ERR_print_errors_cb _ %+ BORINGSSL_PREFIX %+ _ERR_print_errors_cb\n%xdefine _ERR_print_errors_fp _ %+ BORINGSSL_PREFIX %+ _ERR_print_errors_fp\n%xdefine _ERR_put_error _ %+ BORINGSSL_PREFIX %+ _ERR_put_error\n%xdefine _ERR_reason_error_string _ %+ BORINGSSL_PREFIX %+ _ERR_reason_error_string\n%xdefine _ERR_reason_symbol_name _ %+ BORINGSSL_PREFIX %+ _ERR_reason_symbol_name\n%xdefine _ERR_remove_state _ %+ BORINGSSL_PREFIX %+ _ERR_remove_state\n%xdefine _ERR_remove_thread_state _ %+ BORINGSSL_PREFIX %+ _ERR_remove_thread_state\n%xdefine _ERR_restore_state _ %+ BORINGSSL_PREFIX %+ _ERR_restore_state\n%xdefine _ERR_save_state _ %+ BORINGSSL_PREFIX %+ _ERR_save_state\n%xdefine _ERR_set_error_data _ %+ BORINGSSL_PREFIX %+ _ERR_set_error_data\n%xdefine _ERR_set_mark _ %+ BORINGSSL_PREFIX %+ _ERR_set_mark\n%xdefine _EVP_AEAD_CTX_aead _ %+ BORINGSSL_PREFIX %+ _EVP_AEAD_CTX_aead\n%xdefine _EVP_AEAD_CTX_cleanup _ %+ BORINGSSL_PREFIX %+ _EVP_AEAD_CTX_cleanup\n%xdefine _EVP_AEAD_CTX_free _ %+ BORINGSSL_PREFIX %+ _EVP_AEAD_CTX_free\n%xdefine _EVP_AEAD_CTX_get_iv _ %+ BORINGSSL_PREFIX %+ _EVP_AEAD_CTX_get_iv\n%xdefine _EVP_AEAD_CTX_init _ %+ BORINGSSL_PREFIX %+ _EVP_AEAD_CTX_init\n%xdefine _EVP_AEAD_CTX_init_with_direction _ %+ BORINGSSL_PREFIX %+ _EVP_AEAD_CTX_init_with_direction\n%xdefine _EVP_AEAD_CTX_new _ %+ BORINGSSL_PREFIX %+ _EVP_AEAD_CTX_new\n%xdefine _EVP_AEAD_CTX_open _ %+ BORINGSSL_PREFIX %+ _EVP_AEAD_CTX_open\n%xdefine _EVP_AEAD_CTX_open_gather _ %+ BORINGSSL_PREFIX %+ _EVP_AEAD_CTX_open_gather\n%xdefine _EVP_AEAD_CTX_seal _ %+ BORINGSSL_PREFIX %+ _EVP_AEAD_CTX_seal\n%xdefine _EVP_AEAD_CTX_seal_scatter _ %+ BORINGSSL_PREFIX %+ _EVP_AEAD_CTX_seal_scatter\n%xdefine _EVP_AEAD_CTX_tag_len _ %+ BORINGSSL_PREFIX %+ _EVP_AEAD_CTX_tag_len\n%xdefine _EVP_AEAD_CTX_zero _ %+ BORINGSSL_PREFIX %+ _EVP_AEAD_CTX_zero\n%xdefine _EVP_AEAD_key_length _ %+ BORINGSSL_PREFIX %+ _EVP_AEAD_key_length\n%xdefine _EVP_AEAD_max_overhead _ %+ BORINGSSL_PREFIX %+ _EVP_AEAD_max_overhead\n%xdefine _EVP_AEAD_max_tag_len _ %+ BORINGSSL_PREFIX %+ _EVP_AEAD_max_tag_len\n%xdefine _EVP_AEAD_nonce_length _ %+ BORINGSSL_PREFIX %+ _EVP_AEAD_nonce_length\n%xdefine _EVP_BytesToKey _ %+ BORINGSSL_PREFIX %+ _EVP_BytesToKey\n%xdefine _EVP_CIPHER_CTX_block_size _ %+ BORINGSSL_PREFIX %+ _EVP_CIPHER_CTX_block_size\n%xdefine _EVP_CIPHER_CTX_cipher _ %+ BORINGSSL_PREFIX %+ _EVP_CIPHER_CTX_cipher\n%xdefine _EVP_CIPHER_CTX_cleanup _ %+ BORINGSSL_PREFIX %+ _EVP_CIPHER_CTX_cleanup\n%xdefine _EVP_CIPHER_CTX_copy _ %+ BORINGSSL_PREFIX %+ _EVP_CIPHER_CTX_copy\n%xdefine _EVP_CIPHER_CTX_ctrl _ %+ BORINGSSL_PREFIX %+ _EVP_CIPHER_CTX_ctrl\n%xdefine _EVP_CIPHER_CTX_encrypting _ %+ BORINGSSL_PREFIX %+ _EVP_CIPHER_CTX_encrypting\n%xdefine _EVP_CIPHER_CTX_flags _ %+ BORINGSSL_PREFIX %+ _EVP_CIPHER_CTX_flags\n%xdefine _EVP_CIPHER_CTX_free _ %+ BORINGSSL_PREFIX %+ _EVP_CIPHER_CTX_free\n%xdefine _EVP_CIPHER_CTX_get_app_data _ %+ BORINGSSL_PREFIX %+ _EVP_CIPHER_CTX_get_app_data\n%xdefine _EVP_CIPHER_CTX_init _ %+ BORINGSSL_PREFIX %+ _EVP_CIPHER_CTX_init\n%xdefine _EVP_CIPHER_CTX_iv_length _ %+ BORINGSSL_PREFIX %+ _EVP_CIPHER_CTX_iv_length\n%xdefine _EVP_CIPHER_CTX_key_length _ %+ BORINGSSL_PREFIX %+ _EVP_CIPHER_CTX_key_length\n%xdefine _EVP_CIPHER_CTX_mode _ %+ BORINGSSL_PREFIX %+ _EVP_CIPHER_CTX_mode\n%xdefine _EVP_CIPHER_CTX_new _ %+ BORINGSSL_PREFIX %+ _EVP_CIPHER_CTX_new\n%xdefine _EVP_CIPHER_CTX_nid _ %+ BORINGSSL_PREFIX %+ _EVP_CIPHER_CTX_nid\n%xdefine _EVP_CIPHER_CTX_reset _ %+ BORINGSSL_PREFIX %+ _EVP_CIPHER_CTX_reset\n%xdefine _EVP_CIPHER_CTX_set_app_data _ %+ BORINGSSL_PREFIX %+ _EVP_CIPHER_CTX_set_app_data\n%xdefine _EVP_CIPHER_CTX_set_flags _ %+ BORINGSSL_PREFIX %+ _EVP_CIPHER_CTX_set_flags\n%xdefine _EVP_CIPHER_CTX_set_key_length _ %+ BORINGSSL_PREFIX %+ _EVP_CIPHER_CTX_set_key_length\n%xdefine _EVP_CIPHER_CTX_set_padding _ %+ BORINGSSL_PREFIX %+ _EVP_CIPHER_CTX_set_padding\n%xdefine _EVP_CIPHER_block_size _ %+ BORINGSSL_PREFIX %+ _EVP_CIPHER_block_size\n%xdefine _EVP_CIPHER_flags _ %+ BORINGSSL_PREFIX %+ _EVP_CIPHER_flags\n%xdefine _EVP_CIPHER_iv_length _ %+ BORINGSSL_PREFIX %+ _EVP_CIPHER_iv_length\n%xdefine _EVP_CIPHER_key_length _ %+ BORINGSSL_PREFIX %+ _EVP_CIPHER_key_length\n%xdefine _EVP_CIPHER_mode _ %+ BORINGSSL_PREFIX %+ _EVP_CIPHER_mode\n%xdefine _EVP_CIPHER_nid _ %+ BORINGSSL_PREFIX %+ _EVP_CIPHER_nid\n%xdefine _EVP_Cipher _ %+ BORINGSSL_PREFIX %+ _EVP_Cipher\n%xdefine _EVP_CipherFinal _ %+ BORINGSSL_PREFIX %+ _EVP_CipherFinal\n%xdefine _EVP_CipherFinal_ex _ %+ BORINGSSL_PREFIX %+ _EVP_CipherFinal_ex\n%xdefine _EVP_CipherInit _ %+ BORINGSSL_PREFIX %+ _EVP_CipherInit\n%xdefine _EVP_CipherInit_ex _ %+ BORINGSSL_PREFIX %+ _EVP_CipherInit_ex\n%xdefine _EVP_CipherUpdate _ %+ BORINGSSL_PREFIX %+ _EVP_CipherUpdate\n%xdefine _EVP_DecodeBase64 _ %+ BORINGSSL_PREFIX %+ _EVP_DecodeBase64\n%xdefine _EVP_DecodeBlock _ %+ BORINGSSL_PREFIX %+ _EVP_DecodeBlock\n%xdefine _EVP_DecodeFinal _ %+ BORINGSSL_PREFIX %+ _EVP_DecodeFinal\n%xdefine _EVP_DecodeInit _ %+ BORINGSSL_PREFIX %+ _EVP_DecodeInit\n%xdefine _EVP_DecodeUpdate _ %+ BORINGSSL_PREFIX %+ _EVP_DecodeUpdate\n%xdefine _EVP_DecodedLength _ %+ BORINGSSL_PREFIX %+ _EVP_DecodedLength\n%xdefine _EVP_DecryptFinal _ %+ BORINGSSL_PREFIX %+ _EVP_DecryptFinal\n%xdefine _EVP_DecryptFinal_ex _ %+ BORINGSSL_PREFIX %+ _EVP_DecryptFinal_ex\n%xdefine _EVP_DecryptInit _ %+ BORINGSSL_PREFIX %+ _EVP_DecryptInit\n%xdefine _EVP_DecryptInit_ex _ %+ BORINGSSL_PREFIX %+ _EVP_DecryptInit_ex\n%xdefine _EVP_DecryptUpdate _ %+ BORINGSSL_PREFIX %+ _EVP_DecryptUpdate\n%xdefine _EVP_Digest _ %+ BORINGSSL_PREFIX %+ _EVP_Digest\n%xdefine _EVP_DigestFinal _ %+ BORINGSSL_PREFIX %+ _EVP_DigestFinal\n%xdefine _EVP_DigestFinalXOF _ %+ BORINGSSL_PREFIX %+ _EVP_DigestFinalXOF\n%xdefine _EVP_DigestFinal_ex _ %+ BORINGSSL_PREFIX %+ _EVP_DigestFinal_ex\n%xdefine _EVP_DigestInit _ %+ BORINGSSL_PREFIX %+ _EVP_DigestInit\n%xdefine _EVP_DigestInit_ex _ %+ BORINGSSL_PREFIX %+ _EVP_DigestInit_ex\n%xdefine _EVP_DigestSign _ %+ BORINGSSL_PREFIX %+ _EVP_DigestSign\n%xdefine _EVP_DigestSignFinal _ %+ BORINGSSL_PREFIX %+ _EVP_DigestSignFinal\n%xdefine _EVP_DigestSignInit _ %+ BORINGSSL_PREFIX %+ _EVP_DigestSignInit\n%xdefine _EVP_DigestSignUpdate _ %+ BORINGSSL_PREFIX %+ _EVP_DigestSignUpdate\n%xdefine _EVP_DigestUpdate _ %+ BORINGSSL_PREFIX %+ _EVP_DigestUpdate\n%xdefine _EVP_DigestVerify _ %+ BORINGSSL_PREFIX %+ _EVP_DigestVerify\n%xdefine _EVP_DigestVerifyFinal _ %+ BORINGSSL_PREFIX %+ _EVP_DigestVerifyFinal\n%xdefine _EVP_DigestVerifyInit _ %+ BORINGSSL_PREFIX %+ _EVP_DigestVerifyInit\n%xdefine _EVP_DigestVerifyUpdate _ %+ BORINGSSL_PREFIX %+ _EVP_DigestVerifyUpdate\n%xdefine _EVP_ENCODE_CTX_free _ %+ BORINGSSL_PREFIX %+ _EVP_ENCODE_CTX_free\n%xdefine _EVP_ENCODE_CTX_new _ %+ BORINGSSL_PREFIX %+ _EVP_ENCODE_CTX_new\n%xdefine _EVP_EncodeBlock _ %+ BORINGSSL_PREFIX %+ _EVP_EncodeBlock\n%xdefine _EVP_EncodeFinal _ %+ BORINGSSL_PREFIX %+ _EVP_EncodeFinal\n%xdefine _EVP_EncodeInit _ %+ BORINGSSL_PREFIX %+ _EVP_EncodeInit\n%xdefine _EVP_EncodeUpdate _ %+ BORINGSSL_PREFIX %+ _EVP_EncodeUpdate\n%xdefine _EVP_EncodedLength _ %+ BORINGSSL_PREFIX %+ _EVP_EncodedLength\n%xdefine _EVP_EncryptFinal _ %+ BORINGSSL_PREFIX %+ _EVP_EncryptFinal\n%xdefine _EVP_EncryptFinal_ex _ %+ BORINGSSL_PREFIX %+ _EVP_EncryptFinal_ex\n%xdefine _EVP_EncryptInit _ %+ BORINGSSL_PREFIX %+ _EVP_EncryptInit\n%xdefine _EVP_EncryptInit_ex _ %+ BORINGSSL_PREFIX %+ _EVP_EncryptInit_ex\n%xdefine _EVP_EncryptUpdate _ %+ BORINGSSL_PREFIX %+ _EVP_EncryptUpdate\n%xdefine _EVP_HPKE_AEAD_aead _ %+ BORINGSSL_PREFIX %+ _EVP_HPKE_AEAD_aead\n%xdefine _EVP_HPKE_AEAD_id _ %+ BORINGSSL_PREFIX %+ _EVP_HPKE_AEAD_id\n%xdefine _EVP_HPKE_CTX_aead _ %+ BORINGSSL_PREFIX %+ _EVP_HPKE_CTX_aead\n%xdefine _EVP_HPKE_CTX_cleanup _ %+ BORINGSSL_PREFIX %+ _EVP_HPKE_CTX_cleanup\n%xdefine _EVP_HPKE_CTX_export _ %+ BORINGSSL_PREFIX %+ _EVP_HPKE_CTX_export\n%xdefine _EVP_HPKE_CTX_free _ %+ BORINGSSL_PREFIX %+ _EVP_HPKE_CTX_free\n%xdefine _EVP_HPKE_CTX_kdf _ %+ BORINGSSL_PREFIX %+ _EVP_HPKE_CTX_kdf\n%xdefine _EVP_HPKE_CTX_kem _ %+ BORINGSSL_PREFIX %+ _EVP_HPKE_CTX_kem\n%xdefine _EVP_HPKE_CTX_max_overhead _ %+ BORINGSSL_PREFIX %+ _EVP_HPKE_CTX_max_overhead\n%xdefine _EVP_HPKE_CTX_new _ %+ BORINGSSL_PREFIX %+ _EVP_HPKE_CTX_new\n%xdefine _EVP_HPKE_CTX_open _ %+ BORINGSSL_PREFIX %+ _EVP_HPKE_CTX_open\n%xdefine _EVP_HPKE_CTX_seal _ %+ BORINGSSL_PREFIX %+ _EVP_HPKE_CTX_seal\n%xdefine _EVP_HPKE_CTX_setup_auth_recipient _ %+ BORINGSSL_PREFIX %+ _EVP_HPKE_CTX_setup_auth_recipient\n%xdefine _EVP_HPKE_CTX_setup_auth_sender _ %+ BORINGSSL_PREFIX %+ _EVP_HPKE_CTX_setup_auth_sender\n%xdefine _EVP_HPKE_CTX_setup_auth_sender_with_seed_for_testing _ %+ BORINGSSL_PREFIX %+ _EVP_HPKE_CTX_setup_auth_sender_with_seed_for_testing\n%xdefine _EVP_HPKE_CTX_setup_recipient _ %+ BORINGSSL_PREFIX %+ _EVP_HPKE_CTX_setup_recipient\n%xdefine _EVP_HPKE_CTX_setup_sender _ %+ BORINGSSL_PREFIX %+ _EVP_HPKE_CTX_setup_sender\n%xdefine _EVP_HPKE_CTX_setup_sender_with_seed_for_testing _ %+ BORINGSSL_PREFIX %+ _EVP_HPKE_CTX_setup_sender_with_seed_for_testing\n%xdefine _EVP_HPKE_CTX_zero _ %+ BORINGSSL_PREFIX %+ _EVP_HPKE_CTX_zero\n%xdefine _EVP_HPKE_KDF_hkdf_md _ %+ BORINGSSL_PREFIX %+ _EVP_HPKE_KDF_hkdf_md\n%xdefine _EVP_HPKE_KDF_id _ %+ BORINGSSL_PREFIX %+ _EVP_HPKE_KDF_id\n%xdefine _EVP_HPKE_KEM_enc_len _ %+ BORINGSSL_PREFIX %+ _EVP_HPKE_KEM_enc_len\n%xdefine _EVP_HPKE_KEM_id _ %+ BORINGSSL_PREFIX %+ _EVP_HPKE_KEM_id\n%xdefine _EVP_HPKE_KEM_private_key_len _ %+ BORINGSSL_PREFIX %+ _EVP_HPKE_KEM_private_key_len\n%xdefine _EVP_HPKE_KEM_public_key_len _ %+ BORINGSSL_PREFIX %+ _EVP_HPKE_KEM_public_key_len\n%xdefine _EVP_HPKE_KEY_cleanup _ %+ BORINGSSL_PREFIX %+ _EVP_HPKE_KEY_cleanup\n%xdefine _EVP_HPKE_KEY_copy _ %+ BORINGSSL_PREFIX %+ _EVP_HPKE_KEY_copy\n%xdefine _EVP_HPKE_KEY_free _ %+ BORINGSSL_PREFIX %+ _EVP_HPKE_KEY_free\n%xdefine _EVP_HPKE_KEY_generate _ %+ BORINGSSL_PREFIX %+ _EVP_HPKE_KEY_generate\n%xdefine _EVP_HPKE_KEY_init _ %+ BORINGSSL_PREFIX %+ _EVP_HPKE_KEY_init\n%xdefine _EVP_HPKE_KEY_kem _ %+ BORINGSSL_PREFIX %+ _EVP_HPKE_KEY_kem\n%xdefine _EVP_HPKE_KEY_move _ %+ BORINGSSL_PREFIX %+ _EVP_HPKE_KEY_move\n%xdefine _EVP_HPKE_KEY_new _ %+ BORINGSSL_PREFIX %+ _EVP_HPKE_KEY_new\n%xdefine _EVP_HPKE_KEY_private_key _ %+ BORINGSSL_PREFIX %+ _EVP_HPKE_KEY_private_key\n%xdefine _EVP_HPKE_KEY_public_key _ %+ BORINGSSL_PREFIX %+ _EVP_HPKE_KEY_public_key\n%xdefine _EVP_HPKE_KEY_zero _ %+ BORINGSSL_PREFIX %+ _EVP_HPKE_KEY_zero\n%xdefine _EVP_MD_CTX_block_size _ %+ BORINGSSL_PREFIX %+ _EVP_MD_CTX_block_size\n%xdefine _EVP_MD_CTX_cleanse _ %+ BORINGSSL_PREFIX %+ _EVP_MD_CTX_cleanse\n%xdefine _EVP_MD_CTX_cleanup _ %+ BORINGSSL_PREFIX %+ _EVP_MD_CTX_cleanup\n%xdefine _EVP_MD_CTX_copy _ %+ BORINGSSL_PREFIX %+ _EVP_MD_CTX_copy\n%xdefine _EVP_MD_CTX_copy_ex _ %+ BORINGSSL_PREFIX %+ _EVP_MD_CTX_copy_ex\n%xdefine _EVP_MD_CTX_create _ %+ BORINGSSL_PREFIX %+ _EVP_MD_CTX_create\n%xdefine _EVP_MD_CTX_destroy _ %+ BORINGSSL_PREFIX %+ _EVP_MD_CTX_destroy\n%xdefine _EVP_MD_CTX_free _ %+ BORINGSSL_PREFIX %+ _EVP_MD_CTX_free\n%xdefine _EVP_MD_CTX_get0_md _ %+ BORINGSSL_PREFIX %+ _EVP_MD_CTX_get0_md\n%xdefine _EVP_MD_CTX_init _ %+ BORINGSSL_PREFIX %+ _EVP_MD_CTX_init\n%xdefine _EVP_MD_CTX_md _ %+ BORINGSSL_PREFIX %+ _EVP_MD_CTX_md\n%xdefine _EVP_MD_CTX_move _ %+ BORINGSSL_PREFIX %+ _EVP_MD_CTX_move\n%xdefine _EVP_MD_CTX_new _ %+ BORINGSSL_PREFIX %+ _EVP_MD_CTX_new\n%xdefine _EVP_MD_CTX_reset _ %+ BORINGSSL_PREFIX %+ _EVP_MD_CTX_reset\n%xdefine _EVP_MD_CTX_set_flags _ %+ BORINGSSL_PREFIX %+ _EVP_MD_CTX_set_flags\n%xdefine _EVP_MD_CTX_size _ %+ BORINGSSL_PREFIX %+ _EVP_MD_CTX_size\n%xdefine _EVP_MD_CTX_type _ %+ BORINGSSL_PREFIX %+ _EVP_MD_CTX_type\n%xdefine _EVP_MD_block_size _ %+ BORINGSSL_PREFIX %+ _EVP_MD_block_size\n%xdefine _EVP_MD_flags _ %+ BORINGSSL_PREFIX %+ _EVP_MD_flags\n%xdefine _EVP_MD_meth_get_flags _ %+ BORINGSSL_PREFIX %+ _EVP_MD_meth_get_flags\n%xdefine _EVP_MD_nid _ %+ BORINGSSL_PREFIX %+ _EVP_MD_nid\n%xdefine _EVP_MD_size _ %+ BORINGSSL_PREFIX %+ _EVP_MD_size\n%xdefine _EVP_MD_type _ %+ BORINGSSL_PREFIX %+ _EVP_MD_type\n%xdefine _EVP_PBE_scrypt _ %+ BORINGSSL_PREFIX %+ _EVP_PBE_scrypt\n%xdefine _EVP_PKCS82PKEY _ %+ BORINGSSL_PREFIX %+ _EVP_PKCS82PKEY\n%xdefine _EVP_PKEY2PKCS8 _ %+ BORINGSSL_PREFIX %+ _EVP_PKEY2PKCS8\n%xdefine _EVP_PKEY_CTX_add1_hkdf_info _ %+ BORINGSSL_PREFIX %+ _EVP_PKEY_CTX_add1_hkdf_info\n%xdefine _EVP_PKEY_CTX_ctrl _ %+ BORINGSSL_PREFIX %+ _EVP_PKEY_CTX_ctrl\n%xdefine _EVP_PKEY_CTX_dup _ %+ BORINGSSL_PREFIX %+ _EVP_PKEY_CTX_dup\n%xdefine _EVP_PKEY_CTX_free _ %+ BORINGSSL_PREFIX %+ _EVP_PKEY_CTX_free\n%xdefine _EVP_PKEY_CTX_get0_pkey _ %+ BORINGSSL_PREFIX %+ _EVP_PKEY_CTX_get0_pkey\n%xdefine _EVP_PKEY_CTX_get0_rsa_oaep_label _ %+ BORINGSSL_PREFIX %+ _EVP_PKEY_CTX_get0_rsa_oaep_label\n%xdefine _EVP_PKEY_CTX_get_rsa_mgf1_md _ %+ BORINGSSL_PREFIX %+ _EVP_PKEY_CTX_get_rsa_mgf1_md\n%xdefine _EVP_PKEY_CTX_get_rsa_oaep_md _ %+ BORINGSSL_PREFIX %+ _EVP_PKEY_CTX_get_rsa_oaep_md\n%xdefine _EVP_PKEY_CTX_get_rsa_padding _ %+ BORINGSSL_PREFIX %+ _EVP_PKEY_CTX_get_rsa_padding\n%xdefine _EVP_PKEY_CTX_get_rsa_pss_saltlen _ %+ BORINGSSL_PREFIX %+ _EVP_PKEY_CTX_get_rsa_pss_saltlen\n%xdefine _EVP_PKEY_CTX_get_signature_md _ %+ BORINGSSL_PREFIX %+ _EVP_PKEY_CTX_get_signature_md\n%xdefine _EVP_PKEY_CTX_hkdf_mode _ %+ BORINGSSL_PREFIX %+ _EVP_PKEY_CTX_hkdf_mode\n%xdefine _EVP_PKEY_CTX_new _ %+ BORINGSSL_PREFIX %+ _EVP_PKEY_CTX_new\n%xdefine _EVP_PKEY_CTX_new_id _ %+ BORINGSSL_PREFIX %+ _EVP_PKEY_CTX_new_id\n%xdefine _EVP_PKEY_CTX_set0_rsa_oaep_label _ %+ BORINGSSL_PREFIX %+ _EVP_PKEY_CTX_set0_rsa_oaep_label\n%xdefine _EVP_PKEY_CTX_set1_hkdf_key _ %+ BORINGSSL_PREFIX %+ _EVP_PKEY_CTX_set1_hkdf_key\n%xdefine _EVP_PKEY_CTX_set1_hkdf_salt _ %+ BORINGSSL_PREFIX %+ _EVP_PKEY_CTX_set1_hkdf_salt\n%xdefine _EVP_PKEY_CTX_set_dh_pad _ %+ BORINGSSL_PREFIX %+ _EVP_PKEY_CTX_set_dh_pad\n%xdefine _EVP_PKEY_CTX_set_dsa_paramgen_bits _ %+ BORINGSSL_PREFIX %+ _EVP_PKEY_CTX_set_dsa_paramgen_bits\n%xdefine _EVP_PKEY_CTX_set_dsa_paramgen_q_bits _ %+ BORINGSSL_PREFIX %+ _EVP_PKEY_CTX_set_dsa_paramgen_q_bits\n%xdefine _EVP_PKEY_CTX_set_ec_param_enc _ %+ BORINGSSL_PREFIX %+ _EVP_PKEY_CTX_set_ec_param_enc\n%xdefine _EVP_PKEY_CTX_set_ec_paramgen_curve_nid _ %+ BORINGSSL_PREFIX %+ _EVP_PKEY_CTX_set_ec_paramgen_curve_nid\n%xdefine _EVP_PKEY_CTX_set_hkdf_md _ %+ BORINGSSL_PREFIX %+ _EVP_PKEY_CTX_set_hkdf_md\n%xdefine _EVP_PKEY_CTX_set_rsa_keygen_bits _ %+ BORINGSSL_PREFIX %+ _EVP_PKEY_CTX_set_rsa_keygen_bits\n%xdefine _EVP_PKEY_CTX_set_rsa_keygen_pubexp _ %+ BORINGSSL_PREFIX %+ _EVP_PKEY_CTX_set_rsa_keygen_pubexp\n%xdefine _EVP_PKEY_CTX_set_rsa_mgf1_md _ %+ BORINGSSL_PREFIX %+ _EVP_PKEY_CTX_set_rsa_mgf1_md\n%xdefine _EVP_PKEY_CTX_set_rsa_oaep_md _ %+ BORINGSSL_PREFIX %+ _EVP_PKEY_CTX_set_rsa_oaep_md\n%xdefine _EVP_PKEY_CTX_set_rsa_padding _ %+ BORINGSSL_PREFIX %+ _EVP_PKEY_CTX_set_rsa_padding\n%xdefine _EVP_PKEY_CTX_set_rsa_pss_keygen_md _ %+ BORINGSSL_PREFIX %+ _EVP_PKEY_CTX_set_rsa_pss_keygen_md\n%xdefine _EVP_PKEY_CTX_set_rsa_pss_keygen_mgf1_md _ %+ BORINGSSL_PREFIX %+ _EVP_PKEY_CTX_set_rsa_pss_keygen_mgf1_md\n%xdefine _EVP_PKEY_CTX_set_rsa_pss_keygen_saltlen _ %+ BORINGSSL_PREFIX %+ _EVP_PKEY_CTX_set_rsa_pss_keygen_saltlen\n%xdefine _EVP_PKEY_CTX_set_rsa_pss_saltlen _ %+ BORINGSSL_PREFIX %+ _EVP_PKEY_CTX_set_rsa_pss_saltlen\n%xdefine _EVP_PKEY_CTX_set_signature_md _ %+ BORINGSSL_PREFIX %+ _EVP_PKEY_CTX_set_signature_md\n%xdefine _EVP_PKEY_assign _ %+ BORINGSSL_PREFIX %+ _EVP_PKEY_assign\n%xdefine _EVP_PKEY_assign_DH _ %+ BORINGSSL_PREFIX %+ _EVP_PKEY_assign_DH\n%xdefine _EVP_PKEY_assign_DSA _ %+ BORINGSSL_PREFIX %+ _EVP_PKEY_assign_DSA\n%xdefine _EVP_PKEY_assign_EC_KEY _ %+ BORINGSSL_PREFIX %+ _EVP_PKEY_assign_EC_KEY\n%xdefine _EVP_PKEY_assign_RSA _ %+ BORINGSSL_PREFIX %+ _EVP_PKEY_assign_RSA\n%xdefine _EVP_PKEY_base_id _ %+ BORINGSSL_PREFIX %+ _EVP_PKEY_base_id\n%xdefine _EVP_PKEY_bits _ %+ BORINGSSL_PREFIX %+ _EVP_PKEY_bits\n%xdefine _EVP_PKEY_cmp _ %+ BORINGSSL_PREFIX %+ _EVP_PKEY_cmp\n%xdefine _EVP_PKEY_cmp_parameters _ %+ BORINGSSL_PREFIX %+ _EVP_PKEY_cmp_parameters\n%xdefine _EVP_PKEY_copy_parameters _ %+ BORINGSSL_PREFIX %+ _EVP_PKEY_copy_parameters\n%xdefine _EVP_PKEY_decrypt _ %+ BORINGSSL_PREFIX %+ _EVP_PKEY_decrypt\n%xdefine _EVP_PKEY_decrypt_init _ %+ BORINGSSL_PREFIX %+ _EVP_PKEY_decrypt_init\n%xdefine _EVP_PKEY_derive _ %+ BORINGSSL_PREFIX %+ _EVP_PKEY_derive\n%xdefine _EVP_PKEY_derive_init _ %+ BORINGSSL_PREFIX %+ _EVP_PKEY_derive_init\n%xdefine _EVP_PKEY_derive_set_peer _ %+ BORINGSSL_PREFIX %+ _EVP_PKEY_derive_set_peer\n%xdefine _EVP_PKEY_encrypt _ %+ BORINGSSL_PREFIX %+ _EVP_PKEY_encrypt\n%xdefine _EVP_PKEY_encrypt_init _ %+ BORINGSSL_PREFIX %+ _EVP_PKEY_encrypt_init\n%xdefine _EVP_PKEY_free _ %+ BORINGSSL_PREFIX %+ _EVP_PKEY_free\n%xdefine _EVP_PKEY_get0 _ %+ BORINGSSL_PREFIX %+ _EVP_PKEY_get0\n%xdefine _EVP_PKEY_get0_DH _ %+ BORINGSSL_PREFIX %+ _EVP_PKEY_get0_DH\n%xdefine _EVP_PKEY_get0_DSA _ %+ BORINGSSL_PREFIX %+ _EVP_PKEY_get0_DSA\n%xdefine _EVP_PKEY_get0_EC_KEY _ %+ BORINGSSL_PREFIX %+ _EVP_PKEY_get0_EC_KEY\n%xdefine _EVP_PKEY_get0_RSA _ %+ BORINGSSL_PREFIX %+ _EVP_PKEY_get0_RSA\n%xdefine _EVP_PKEY_get1_DH _ %+ BORINGSSL_PREFIX %+ _EVP_PKEY_get1_DH\n%xdefine _EVP_PKEY_get1_DSA _ %+ BORINGSSL_PREFIX %+ _EVP_PKEY_get1_DSA\n%xdefine _EVP_PKEY_get1_EC_KEY _ %+ BORINGSSL_PREFIX %+ _EVP_PKEY_get1_EC_KEY\n%xdefine _EVP_PKEY_get1_RSA _ %+ BORINGSSL_PREFIX %+ _EVP_PKEY_get1_RSA\n%xdefine _EVP_PKEY_get1_tls_encodedpoint _ %+ BORINGSSL_PREFIX %+ _EVP_PKEY_get1_tls_encodedpoint\n%xdefine _EVP_PKEY_get_raw_private_key _ %+ BORINGSSL_PREFIX %+ _EVP_PKEY_get_raw_private_key\n%xdefine _EVP_PKEY_get_raw_public_key _ %+ BORINGSSL_PREFIX %+ _EVP_PKEY_get_raw_public_key\n%xdefine _EVP_PKEY_id _ %+ BORINGSSL_PREFIX %+ _EVP_PKEY_id\n%xdefine _EVP_PKEY_is_opaque _ %+ BORINGSSL_PREFIX %+ _EVP_PKEY_is_opaque\n%xdefine _EVP_PKEY_keygen _ %+ BORINGSSL_PREFIX %+ _EVP_PKEY_keygen\n%xdefine _EVP_PKEY_keygen_init _ %+ BORINGSSL_PREFIX %+ _EVP_PKEY_keygen_init\n%xdefine _EVP_PKEY_missing_parameters _ %+ BORINGSSL_PREFIX %+ _EVP_PKEY_missing_parameters\n%xdefine _EVP_PKEY_new _ %+ BORINGSSL_PREFIX %+ _EVP_PKEY_new\n%xdefine _EVP_PKEY_new_raw_private_key _ %+ BORINGSSL_PREFIX %+ _EVP_PKEY_new_raw_private_key\n%xdefine _EVP_PKEY_new_raw_public_key _ %+ BORINGSSL_PREFIX %+ _EVP_PKEY_new_raw_public_key\n%xdefine _EVP_PKEY_paramgen _ %+ BORINGSSL_PREFIX %+ _EVP_PKEY_paramgen\n%xdefine _EVP_PKEY_paramgen_init _ %+ BORINGSSL_PREFIX %+ _EVP_PKEY_paramgen_init\n%xdefine _EVP_PKEY_print_params _ %+ BORINGSSL_PREFIX %+ _EVP_PKEY_print_params\n%xdefine _EVP_PKEY_print_private _ %+ BORINGSSL_PREFIX %+ _EVP_PKEY_print_private\n%xdefine _EVP_PKEY_print_public _ %+ BORINGSSL_PREFIX %+ _EVP_PKEY_print_public\n%xdefine _EVP_PKEY_set1_DH _ %+ BORINGSSL_PREFIX %+ _EVP_PKEY_set1_DH\n%xdefine _EVP_PKEY_set1_DSA _ %+ BORINGSSL_PREFIX %+ _EVP_PKEY_set1_DSA\n%xdefine _EVP_PKEY_set1_EC_KEY _ %+ BORINGSSL_PREFIX %+ _EVP_PKEY_set1_EC_KEY\n%xdefine _EVP_PKEY_set1_RSA _ %+ BORINGSSL_PREFIX %+ _EVP_PKEY_set1_RSA\n%xdefine _EVP_PKEY_set1_tls_encodedpoint _ %+ BORINGSSL_PREFIX %+ _EVP_PKEY_set1_tls_encodedpoint\n%xdefine _EVP_PKEY_set_type _ %+ BORINGSSL_PREFIX %+ _EVP_PKEY_set_type\n%xdefine _EVP_PKEY_sign _ %+ BORINGSSL_PREFIX %+ _EVP_PKEY_sign\n%xdefine _EVP_PKEY_sign_init _ %+ BORINGSSL_PREFIX %+ _EVP_PKEY_sign_init\n%xdefine _EVP_PKEY_size _ %+ BORINGSSL_PREFIX %+ _EVP_PKEY_size\n%xdefine _EVP_PKEY_type _ %+ BORINGSSL_PREFIX %+ _EVP_PKEY_type\n%xdefine _EVP_PKEY_up_ref _ %+ BORINGSSL_PREFIX %+ _EVP_PKEY_up_ref\n%xdefine _EVP_PKEY_verify _ %+ BORINGSSL_PREFIX %+ _EVP_PKEY_verify\n%xdefine _EVP_PKEY_verify_init _ %+ BORINGSSL_PREFIX %+ _EVP_PKEY_verify_init\n%xdefine _EVP_PKEY_verify_recover _ %+ BORINGSSL_PREFIX %+ _EVP_PKEY_verify_recover\n%xdefine _EVP_PKEY_verify_recover_init _ %+ BORINGSSL_PREFIX %+ _EVP_PKEY_verify_recover_init\n%xdefine _EVP_SignFinal _ %+ BORINGSSL_PREFIX %+ _EVP_SignFinal\n%xdefine _EVP_SignInit _ %+ BORINGSSL_PREFIX %+ _EVP_SignInit\n%xdefine _EVP_SignInit_ex _ %+ BORINGSSL_PREFIX %+ _EVP_SignInit_ex\n%xdefine _EVP_SignUpdate _ %+ BORINGSSL_PREFIX %+ _EVP_SignUpdate\n%xdefine _EVP_VerifyFinal _ %+ BORINGSSL_PREFIX %+ _EVP_VerifyFinal\n%xdefine _EVP_VerifyInit _ %+ BORINGSSL_PREFIX %+ _EVP_VerifyInit\n%xdefine _EVP_VerifyInit_ex _ %+ BORINGSSL_PREFIX %+ _EVP_VerifyInit_ex\n%xdefine _EVP_VerifyUpdate _ %+ BORINGSSL_PREFIX %+ _EVP_VerifyUpdate\n%xdefine _EVP_add_cipher_alias _ %+ BORINGSSL_PREFIX %+ _EVP_add_cipher_alias\n%xdefine _EVP_add_digest _ %+ BORINGSSL_PREFIX %+ _EVP_add_digest\n%xdefine _EVP_aead_aes_128_cbc_sha1_tls _ %+ BORINGSSL_PREFIX %+ _EVP_aead_aes_128_cbc_sha1_tls\n%xdefine _EVP_aead_aes_128_cbc_sha1_tls_implicit_iv _ %+ BORINGSSL_PREFIX %+ _EVP_aead_aes_128_cbc_sha1_tls_implicit_iv\n%xdefine _EVP_aead_aes_128_cbc_sha256_tls _ %+ BORINGSSL_PREFIX %+ _EVP_aead_aes_128_cbc_sha256_tls\n%xdefine _EVP_aead_aes_128_ccm_bluetooth _ %+ BORINGSSL_PREFIX %+ _EVP_aead_aes_128_ccm_bluetooth\n%xdefine _EVP_aead_aes_128_ccm_bluetooth_8 _ %+ BORINGSSL_PREFIX %+ _EVP_aead_aes_128_ccm_bluetooth_8\n%xdefine _EVP_aead_aes_128_ccm_matter _ %+ BORINGSSL_PREFIX %+ _EVP_aead_aes_128_ccm_matter\n%xdefine _EVP_aead_aes_128_ctr_hmac_sha256 _ %+ BORINGSSL_PREFIX %+ _EVP_aead_aes_128_ctr_hmac_sha256\n%xdefine _EVP_aead_aes_128_gcm _ %+ BORINGSSL_PREFIX %+ _EVP_aead_aes_128_gcm\n%xdefine _EVP_aead_aes_128_gcm_randnonce _ %+ BORINGSSL_PREFIX %+ _EVP_aead_aes_128_gcm_randnonce\n%xdefine _EVP_aead_aes_128_gcm_siv _ %+ BORINGSSL_PREFIX %+ _EVP_aead_aes_128_gcm_siv\n%xdefine _EVP_aead_aes_128_gcm_tls12 _ %+ BORINGSSL_PREFIX %+ _EVP_aead_aes_128_gcm_tls12\n%xdefine _EVP_aead_aes_128_gcm_tls13 _ %+ BORINGSSL_PREFIX %+ _EVP_aead_aes_128_gcm_tls13\n%xdefine _EVP_aead_aes_192_gcm _ %+ BORINGSSL_PREFIX %+ _EVP_aead_aes_192_gcm\n%xdefine _EVP_aead_aes_256_cbc_sha1_tls _ %+ BORINGSSL_PREFIX %+ _EVP_aead_aes_256_cbc_sha1_tls\n%xdefine _EVP_aead_aes_256_cbc_sha1_tls_implicit_iv _ %+ BORINGSSL_PREFIX %+ _EVP_aead_aes_256_cbc_sha1_tls_implicit_iv\n%xdefine _EVP_aead_aes_256_ctr_hmac_sha256 _ %+ BORINGSSL_PREFIX %+ _EVP_aead_aes_256_ctr_hmac_sha256\n%xdefine _EVP_aead_aes_256_gcm _ %+ BORINGSSL_PREFIX %+ _EVP_aead_aes_256_gcm\n%xdefine _EVP_aead_aes_256_gcm_randnonce _ %+ BORINGSSL_PREFIX %+ _EVP_aead_aes_256_gcm_randnonce\n%xdefine _EVP_aead_aes_256_gcm_siv _ %+ BORINGSSL_PREFIX %+ _EVP_aead_aes_256_gcm_siv\n%xdefine _EVP_aead_aes_256_gcm_tls12 _ %+ BORINGSSL_PREFIX %+ _EVP_aead_aes_256_gcm_tls12\n%xdefine _EVP_aead_aes_256_gcm_tls13 _ %+ BORINGSSL_PREFIX %+ _EVP_aead_aes_256_gcm_tls13\n%xdefine _EVP_aead_chacha20_poly1305 _ %+ BORINGSSL_PREFIX %+ _EVP_aead_chacha20_poly1305\n%xdefine _EVP_aead_des_ede3_cbc_sha1_tls _ %+ BORINGSSL_PREFIX %+ _EVP_aead_des_ede3_cbc_sha1_tls\n%xdefine _EVP_aead_des_ede3_cbc_sha1_tls_implicit_iv _ %+ BORINGSSL_PREFIX %+ _EVP_aead_des_ede3_cbc_sha1_tls_implicit_iv\n%xdefine _EVP_aead_xchacha20_poly1305 _ %+ BORINGSSL_PREFIX %+ _EVP_aead_xchacha20_poly1305\n%xdefine _EVP_aes_128_cbc _ %+ BORINGSSL_PREFIX %+ _EVP_aes_128_cbc\n%xdefine _EVP_aes_128_ctr _ %+ BORINGSSL_PREFIX %+ _EVP_aes_128_ctr\n%xdefine _EVP_aes_128_ecb _ %+ BORINGSSL_PREFIX %+ _EVP_aes_128_ecb\n%xdefine _EVP_aes_128_gcm _ %+ BORINGSSL_PREFIX %+ _EVP_aes_128_gcm\n%xdefine _EVP_aes_128_ofb _ %+ BORINGSSL_PREFIX %+ _EVP_aes_128_ofb\n%xdefine _EVP_aes_192_cbc _ %+ BORINGSSL_PREFIX %+ _EVP_aes_192_cbc\n%xdefine _EVP_aes_192_ctr _ %+ BORINGSSL_PREFIX %+ _EVP_aes_192_ctr\n%xdefine _EVP_aes_192_ecb _ %+ BORINGSSL_PREFIX %+ _EVP_aes_192_ecb\n%xdefine _EVP_aes_192_gcm _ %+ BORINGSSL_PREFIX %+ _EVP_aes_192_gcm\n%xdefine _EVP_aes_192_ofb _ %+ BORINGSSL_PREFIX %+ _EVP_aes_192_ofb\n%xdefine _EVP_aes_256_cbc _ %+ BORINGSSL_PREFIX %+ _EVP_aes_256_cbc\n%xdefine _EVP_aes_256_ctr _ %+ BORINGSSL_PREFIX %+ _EVP_aes_256_ctr\n%xdefine _EVP_aes_256_ecb _ %+ BORINGSSL_PREFIX %+ _EVP_aes_256_ecb\n%xdefine _EVP_aes_256_gcm _ %+ BORINGSSL_PREFIX %+ _EVP_aes_256_gcm\n%xdefine _EVP_aes_256_ofb _ %+ BORINGSSL_PREFIX %+ _EVP_aes_256_ofb\n%xdefine _EVP_blake2b256 _ %+ BORINGSSL_PREFIX %+ _EVP_blake2b256\n%xdefine _EVP_cleanup _ %+ BORINGSSL_PREFIX %+ _EVP_cleanup\n%xdefine _EVP_des_cbc _ %+ BORINGSSL_PREFIX %+ _EVP_des_cbc\n%xdefine _EVP_des_ecb _ %+ BORINGSSL_PREFIX %+ _EVP_des_ecb\n%xdefine _EVP_des_ede _ %+ BORINGSSL_PREFIX %+ _EVP_des_ede\n%xdefine _EVP_des_ede3 _ %+ BORINGSSL_PREFIX %+ _EVP_des_ede3\n%xdefine _EVP_des_ede3_cbc _ %+ BORINGSSL_PREFIX %+ _EVP_des_ede3_cbc\n%xdefine _EVP_des_ede3_ecb _ %+ BORINGSSL_PREFIX %+ _EVP_des_ede3_ecb\n%xdefine _EVP_des_ede_cbc _ %+ BORINGSSL_PREFIX %+ _EVP_des_ede_cbc\n%xdefine _EVP_enc_null _ %+ BORINGSSL_PREFIX %+ _EVP_enc_null\n%xdefine _EVP_get_cipherbyname _ %+ BORINGSSL_PREFIX %+ _EVP_get_cipherbyname\n%xdefine _EVP_get_cipherbynid _ %+ BORINGSSL_PREFIX %+ _EVP_get_cipherbynid\n%xdefine _EVP_get_digestbyname _ %+ BORINGSSL_PREFIX %+ _EVP_get_digestbyname\n%xdefine _EVP_get_digestbynid _ %+ BORINGSSL_PREFIX %+ _EVP_get_digestbynid\n%xdefine _EVP_get_digestbyobj _ %+ BORINGSSL_PREFIX %+ _EVP_get_digestbyobj\n%xdefine _EVP_has_aes_hardware _ %+ BORINGSSL_PREFIX %+ _EVP_has_aes_hardware\n%xdefine _EVP_hpke_aes_128_gcm _ %+ BORINGSSL_PREFIX %+ _EVP_hpke_aes_128_gcm\n%xdefine _EVP_hpke_aes_256_gcm _ %+ BORINGSSL_PREFIX %+ _EVP_hpke_aes_256_gcm\n%xdefine _EVP_hpke_chacha20_poly1305 _ %+ BORINGSSL_PREFIX %+ _EVP_hpke_chacha20_poly1305\n%xdefine _EVP_hpke_hkdf_sha256 _ %+ BORINGSSL_PREFIX %+ _EVP_hpke_hkdf_sha256\n%xdefine _EVP_hpke_p256_hkdf_sha256 _ %+ BORINGSSL_PREFIX %+ _EVP_hpke_p256_hkdf_sha256\n%xdefine _EVP_hpke_x25519_hkdf_sha256 _ %+ BORINGSSL_PREFIX %+ _EVP_hpke_x25519_hkdf_sha256\n%xdefine _EVP_marshal_digest_algorithm _ %+ BORINGSSL_PREFIX %+ _EVP_marshal_digest_algorithm\n%xdefine _EVP_marshal_private_key _ %+ BORINGSSL_PREFIX %+ _EVP_marshal_private_key\n%xdefine _EVP_marshal_public_key _ %+ BORINGSSL_PREFIX %+ _EVP_marshal_public_key\n%xdefine _EVP_md4 _ %+ BORINGSSL_PREFIX %+ _EVP_md4\n%xdefine _EVP_md5 _ %+ BORINGSSL_PREFIX %+ _EVP_md5\n%xdefine _EVP_md5_sha1 _ %+ BORINGSSL_PREFIX %+ _EVP_md5_sha1\n%xdefine _EVP_parse_digest_algorithm _ %+ BORINGSSL_PREFIX %+ _EVP_parse_digest_algorithm\n%xdefine _EVP_parse_private_key _ %+ BORINGSSL_PREFIX %+ _EVP_parse_private_key\n%xdefine _EVP_parse_public_key _ %+ BORINGSSL_PREFIX %+ _EVP_parse_public_key\n%xdefine _EVP_rc2_40_cbc _ %+ BORINGSSL_PREFIX %+ _EVP_rc2_40_cbc\n%xdefine _EVP_rc2_cbc _ %+ BORINGSSL_PREFIX %+ _EVP_rc2_cbc\n%xdefine _EVP_rc4 _ %+ BORINGSSL_PREFIX %+ _EVP_rc4\n%xdefine _EVP_sha1 _ %+ BORINGSSL_PREFIX %+ _EVP_sha1\n%xdefine _EVP_sha1_final_with_secret_suffix _ %+ BORINGSSL_PREFIX %+ _EVP_sha1_final_with_secret_suffix\n%xdefine _EVP_sha224 _ %+ BORINGSSL_PREFIX %+ _EVP_sha224\n%xdefine _EVP_sha256 _ %+ BORINGSSL_PREFIX %+ _EVP_sha256\n%xdefine _EVP_sha256_final_with_secret_suffix _ %+ BORINGSSL_PREFIX %+ _EVP_sha256_final_with_secret_suffix\n%xdefine _EVP_sha384 _ %+ BORINGSSL_PREFIX %+ _EVP_sha384\n%xdefine _EVP_sha512 _ %+ BORINGSSL_PREFIX %+ _EVP_sha512\n%xdefine _EVP_sha512_256 _ %+ BORINGSSL_PREFIX %+ _EVP_sha512_256\n%xdefine _EVP_tls_cbc_copy_mac _ %+ BORINGSSL_PREFIX %+ _EVP_tls_cbc_copy_mac\n%xdefine _EVP_tls_cbc_digest_record _ %+ BORINGSSL_PREFIX %+ _EVP_tls_cbc_digest_record\n%xdefine _EVP_tls_cbc_record_digest_supported _ %+ BORINGSSL_PREFIX %+ _EVP_tls_cbc_record_digest_supported\n%xdefine _EVP_tls_cbc_remove_padding _ %+ BORINGSSL_PREFIX %+ _EVP_tls_cbc_remove_padding\n%xdefine _EXTENDED_KEY_USAGE_free _ %+ BORINGSSL_PREFIX %+ _EXTENDED_KEY_USAGE_free\n%xdefine _EXTENDED_KEY_USAGE_it _ %+ BORINGSSL_PREFIX %+ _EXTENDED_KEY_USAGE_it\n%xdefine _EXTENDED_KEY_USAGE_new _ %+ BORINGSSL_PREFIX %+ _EXTENDED_KEY_USAGE_new\n%xdefine _FIPS_mode _ %+ BORINGSSL_PREFIX %+ _FIPS_mode\n%xdefine _FIPS_mode_set _ %+ BORINGSSL_PREFIX %+ _FIPS_mode_set\n%xdefine _FIPS_module_name _ %+ BORINGSSL_PREFIX %+ _FIPS_module_name\n%xdefine _FIPS_query_algorithm_status _ %+ BORINGSSL_PREFIX %+ _FIPS_query_algorithm_status\n%xdefine _FIPS_read_counter _ %+ BORINGSSL_PREFIX %+ _FIPS_read_counter\n%xdefine _FIPS_service_indicator_after_call _ %+ BORINGSSL_PREFIX %+ _FIPS_service_indicator_after_call\n%xdefine _FIPS_service_indicator_before_call _ %+ BORINGSSL_PREFIX %+ _FIPS_service_indicator_before_call\n%xdefine _FIPS_version _ %+ BORINGSSL_PREFIX %+ _FIPS_version\n%xdefine _GENERAL_NAMES_free _ %+ BORINGSSL_PREFIX %+ _GENERAL_NAMES_free\n%xdefine _GENERAL_NAMES_it _ %+ BORINGSSL_PREFIX %+ _GENERAL_NAMES_it\n%xdefine _GENERAL_NAMES_new _ %+ BORINGSSL_PREFIX %+ _GENERAL_NAMES_new\n%xdefine _GENERAL_NAME_cmp _ %+ BORINGSSL_PREFIX %+ _GENERAL_NAME_cmp\n%xdefine _GENERAL_NAME_dup _ %+ BORINGSSL_PREFIX %+ _GENERAL_NAME_dup\n%xdefine _GENERAL_NAME_free _ %+ BORINGSSL_PREFIX %+ _GENERAL_NAME_free\n%xdefine _GENERAL_NAME_get0_otherName _ %+ BORINGSSL_PREFIX %+ _GENERAL_NAME_get0_otherName\n%xdefine _GENERAL_NAME_get0_value _ %+ BORINGSSL_PREFIX %+ _GENERAL_NAME_get0_value\n%xdefine _GENERAL_NAME_it _ %+ BORINGSSL_PREFIX %+ _GENERAL_NAME_it\n%xdefine _GENERAL_NAME_new _ %+ BORINGSSL_PREFIX %+ _GENERAL_NAME_new\n%xdefine _GENERAL_NAME_print _ %+ BORINGSSL_PREFIX %+ _GENERAL_NAME_print\n%xdefine _GENERAL_NAME_set0_othername _ %+ BORINGSSL_PREFIX %+ _GENERAL_NAME_set0_othername\n%xdefine _GENERAL_NAME_set0_value _ %+ BORINGSSL_PREFIX %+ _GENERAL_NAME_set0_value\n%xdefine _GENERAL_SUBTREE_free _ %+ BORINGSSL_PREFIX %+ _GENERAL_SUBTREE_free\n%xdefine _GENERAL_SUBTREE_new _ %+ BORINGSSL_PREFIX %+ _GENERAL_SUBTREE_new\n%xdefine _HKDF _ %+ BORINGSSL_PREFIX %+ _HKDF\n%xdefine _HKDF_expand _ %+ BORINGSSL_PREFIX %+ _HKDF_expand\n%xdefine _HKDF_extract _ %+ BORINGSSL_PREFIX %+ _HKDF_extract\n%xdefine _HMAC _ %+ BORINGSSL_PREFIX %+ _HMAC\n%xdefine _HMAC_CTX_cleanse _ %+ BORINGSSL_PREFIX %+ _HMAC_CTX_cleanse\n%xdefine _HMAC_CTX_cleanup _ %+ BORINGSSL_PREFIX %+ _HMAC_CTX_cleanup\n%xdefine _HMAC_CTX_copy _ %+ BORINGSSL_PREFIX %+ _HMAC_CTX_copy\n%xdefine _HMAC_CTX_copy_ex _ %+ BORINGSSL_PREFIX %+ _HMAC_CTX_copy_ex\n%xdefine _HMAC_CTX_free _ %+ BORINGSSL_PREFIX %+ _HMAC_CTX_free\n%xdefine _HMAC_CTX_get_md _ %+ BORINGSSL_PREFIX %+ _HMAC_CTX_get_md\n%xdefine _HMAC_CTX_init _ %+ BORINGSSL_PREFIX %+ _HMAC_CTX_init\n%xdefine _HMAC_CTX_new _ %+ BORINGSSL_PREFIX %+ _HMAC_CTX_new\n%xdefine _HMAC_CTX_reset _ %+ BORINGSSL_PREFIX %+ _HMAC_CTX_reset\n%xdefine _HMAC_Final _ %+ BORINGSSL_PREFIX %+ _HMAC_Final\n%xdefine _HMAC_Init _ %+ BORINGSSL_PREFIX %+ _HMAC_Init\n%xdefine _HMAC_Init_ex _ %+ BORINGSSL_PREFIX %+ _HMAC_Init_ex\n%xdefine _HMAC_Update _ %+ BORINGSSL_PREFIX %+ _HMAC_Update\n%xdefine _HMAC_size _ %+ BORINGSSL_PREFIX %+ _HMAC_size\n%xdefine _HRSS_decap _ %+ BORINGSSL_PREFIX %+ _HRSS_decap\n%xdefine _HRSS_encap _ %+ BORINGSSL_PREFIX %+ _HRSS_encap\n%xdefine _HRSS_generate_key _ %+ BORINGSSL_PREFIX %+ _HRSS_generate_key\n%xdefine _HRSS_marshal_public_key _ %+ BORINGSSL_PREFIX %+ _HRSS_marshal_public_key\n%xdefine _HRSS_parse_public_key _ %+ BORINGSSL_PREFIX %+ _HRSS_parse_public_key\n%xdefine _HRSS_poly3_invert _ %+ BORINGSSL_PREFIX %+ _HRSS_poly3_invert\n%xdefine _HRSS_poly3_mul _ %+ BORINGSSL_PREFIX %+ _HRSS_poly3_mul\n%xdefine _ISSUING_DIST_POINT_free _ %+ BORINGSSL_PREFIX %+ _ISSUING_DIST_POINT_free\n%xdefine _ISSUING_DIST_POINT_it _ %+ BORINGSSL_PREFIX %+ _ISSUING_DIST_POINT_it\n%xdefine _ISSUING_DIST_POINT_new _ %+ BORINGSSL_PREFIX %+ _ISSUING_DIST_POINT_new\n%xdefine _KYBER_decap _ %+ BORINGSSL_PREFIX %+ _KYBER_decap\n%xdefine _KYBER_encap _ %+ BORINGSSL_PREFIX %+ _KYBER_encap\n%xdefine _KYBER_encap_external_entropy _ %+ BORINGSSL_PREFIX %+ _KYBER_encap_external_entropy\n%xdefine _KYBER_generate_key _ %+ BORINGSSL_PREFIX %+ _KYBER_generate_key\n%xdefine _KYBER_generate_key_external_entropy _ %+ BORINGSSL_PREFIX %+ _KYBER_generate_key_external_entropy\n%xdefine _KYBER_marshal_private_key _ %+ BORINGSSL_PREFIX %+ _KYBER_marshal_private_key\n%xdefine _KYBER_marshal_public_key _ %+ BORINGSSL_PREFIX %+ _KYBER_marshal_public_key\n%xdefine _KYBER_parse_private_key _ %+ BORINGSSL_PREFIX %+ _KYBER_parse_private_key\n%xdefine _KYBER_parse_public_key _ %+ BORINGSSL_PREFIX %+ _KYBER_parse_public_key\n%xdefine _KYBER_public_from_private _ %+ BORINGSSL_PREFIX %+ _KYBER_public_from_private\n%xdefine _MD4 _ %+ BORINGSSL_PREFIX %+ _MD4\n%xdefine _MD4_Final _ %+ BORINGSSL_PREFIX %+ _MD4_Final\n%xdefine _MD4_Init _ %+ BORINGSSL_PREFIX %+ _MD4_Init\n%xdefine _MD4_Transform _ %+ BORINGSSL_PREFIX %+ _MD4_Transform\n%xdefine _MD4_Update _ %+ BORINGSSL_PREFIX %+ _MD4_Update\n%xdefine _MD5 _ %+ BORINGSSL_PREFIX %+ _MD5\n%xdefine _MD5_Final _ %+ BORINGSSL_PREFIX %+ _MD5_Final\n%xdefine _MD5_Init _ %+ BORINGSSL_PREFIX %+ _MD5_Init\n%xdefine _MD5_Transform _ %+ BORINGSSL_PREFIX %+ _MD5_Transform\n%xdefine _MD5_Update _ %+ BORINGSSL_PREFIX %+ _MD5_Update\n%xdefine _METHOD_ref _ %+ BORINGSSL_PREFIX %+ _METHOD_ref\n%xdefine _METHOD_unref _ %+ BORINGSSL_PREFIX %+ _METHOD_unref\n%xdefine _MLDSA65_generate_key _ %+ BORINGSSL_PREFIX %+ _MLDSA65_generate_key\n%xdefine _MLDSA65_marshal_public_key _ %+ BORINGSSL_PREFIX %+ _MLDSA65_marshal_public_key\n%xdefine _MLDSA65_parse_public_key _ %+ BORINGSSL_PREFIX %+ _MLDSA65_parse_public_key\n%xdefine _MLDSA65_private_key_from_seed _ %+ BORINGSSL_PREFIX %+ _MLDSA65_private_key_from_seed\n%xdefine _MLDSA65_public_from_private _ %+ BORINGSSL_PREFIX %+ _MLDSA65_public_from_private\n%xdefine _MLDSA65_sign _ %+ BORINGSSL_PREFIX %+ _MLDSA65_sign\n%xdefine _MLDSA65_verify _ %+ BORINGSSL_PREFIX %+ _MLDSA65_verify\n%xdefine _MLKEM1024_decap _ %+ BORINGSSL_PREFIX %+ _MLKEM1024_decap\n%xdefine _MLKEM1024_encap _ %+ BORINGSSL_PREFIX %+ _MLKEM1024_encap\n%xdefine _MLKEM1024_generate_key _ %+ BORINGSSL_PREFIX %+ _MLKEM1024_generate_key\n%xdefine _MLKEM1024_marshal_public_key _ %+ BORINGSSL_PREFIX %+ _MLKEM1024_marshal_public_key\n%xdefine _MLKEM1024_parse_public_key _ %+ BORINGSSL_PREFIX %+ _MLKEM1024_parse_public_key\n%xdefine _MLKEM1024_private_key_from_seed _ %+ BORINGSSL_PREFIX %+ _MLKEM1024_private_key_from_seed\n%xdefine _MLKEM1024_public_from_private _ %+ BORINGSSL_PREFIX %+ _MLKEM1024_public_from_private\n%xdefine _MLKEM768_decap _ %+ BORINGSSL_PREFIX %+ _MLKEM768_decap\n%xdefine _MLKEM768_encap _ %+ BORINGSSL_PREFIX %+ _MLKEM768_encap\n%xdefine _MLKEM768_generate_key _ %+ BORINGSSL_PREFIX %+ _MLKEM768_generate_key\n%xdefine _MLKEM768_marshal_public_key _ %+ BORINGSSL_PREFIX %+ _MLKEM768_marshal_public_key\n%xdefine _MLKEM768_parse_public_key _ %+ BORINGSSL_PREFIX %+ _MLKEM768_parse_public_key\n%xdefine _MLKEM768_private_key_from_seed _ %+ BORINGSSL_PREFIX %+ _MLKEM768_private_key_from_seed\n%xdefine _MLKEM768_public_from_private _ %+ BORINGSSL_PREFIX %+ _MLKEM768_public_from_private\n%xdefine _NAME_CONSTRAINTS_check _ %+ BORINGSSL_PREFIX %+ _NAME_CONSTRAINTS_check\n%xdefine _NAME_CONSTRAINTS_free _ %+ BORINGSSL_PREFIX %+ _NAME_CONSTRAINTS_free\n%xdefine _NAME_CONSTRAINTS_it _ %+ BORINGSSL_PREFIX %+ _NAME_CONSTRAINTS_it\n%xdefine _NAME_CONSTRAINTS_new _ %+ BORINGSSL_PREFIX %+ _NAME_CONSTRAINTS_new\n%xdefine _NCONF_free _ %+ BORINGSSL_PREFIX %+ _NCONF_free\n%xdefine _NCONF_get_section _ %+ BORINGSSL_PREFIX %+ _NCONF_get_section\n%xdefine _NCONF_get_string _ %+ BORINGSSL_PREFIX %+ _NCONF_get_string\n%xdefine _NCONF_load _ %+ BORINGSSL_PREFIX %+ _NCONF_load\n%xdefine _NCONF_load_bio _ %+ BORINGSSL_PREFIX %+ _NCONF_load_bio\n%xdefine _NCONF_new _ %+ BORINGSSL_PREFIX %+ _NCONF_new\n%xdefine _NETSCAPE_SPKAC_free _ %+ BORINGSSL_PREFIX %+ _NETSCAPE_SPKAC_free\n%xdefine _NETSCAPE_SPKAC_it _ %+ BORINGSSL_PREFIX %+ _NETSCAPE_SPKAC_it\n%xdefine _NETSCAPE_SPKAC_new _ %+ BORINGSSL_PREFIX %+ _NETSCAPE_SPKAC_new\n%xdefine _NETSCAPE_SPKI_b64_decode _ %+ BORINGSSL_PREFIX %+ _NETSCAPE_SPKI_b64_decode\n%xdefine _NETSCAPE_SPKI_b64_encode _ %+ BORINGSSL_PREFIX %+ _NETSCAPE_SPKI_b64_encode\n%xdefine _NETSCAPE_SPKI_free _ %+ BORINGSSL_PREFIX %+ _NETSCAPE_SPKI_free\n%xdefine _NETSCAPE_SPKI_get_pubkey _ %+ BORINGSSL_PREFIX %+ _NETSCAPE_SPKI_get_pubkey\n%xdefine _NETSCAPE_SPKI_it _ %+ BORINGSSL_PREFIX %+ _NETSCAPE_SPKI_it\n%xdefine _NETSCAPE_SPKI_new _ %+ BORINGSSL_PREFIX %+ _NETSCAPE_SPKI_new\n%xdefine _NETSCAPE_SPKI_set_pubkey _ %+ BORINGSSL_PREFIX %+ _NETSCAPE_SPKI_set_pubkey\n%xdefine _NETSCAPE_SPKI_sign _ %+ BORINGSSL_PREFIX %+ _NETSCAPE_SPKI_sign\n%xdefine _NETSCAPE_SPKI_verify _ %+ BORINGSSL_PREFIX %+ _NETSCAPE_SPKI_verify\n%xdefine _NOTICEREF_free _ %+ BORINGSSL_PREFIX %+ _NOTICEREF_free\n%xdefine _NOTICEREF_it _ %+ BORINGSSL_PREFIX %+ _NOTICEREF_it\n%xdefine _NOTICEREF_new _ %+ BORINGSSL_PREFIX %+ _NOTICEREF_new\n%xdefine _OBJ_cbs2nid _ %+ BORINGSSL_PREFIX %+ _OBJ_cbs2nid\n%xdefine _OBJ_cleanup _ %+ BORINGSSL_PREFIX %+ _OBJ_cleanup\n%xdefine _OBJ_cmp _ %+ BORINGSSL_PREFIX %+ _OBJ_cmp\n%xdefine _OBJ_create _ %+ BORINGSSL_PREFIX %+ _OBJ_create\n%xdefine _OBJ_dup _ %+ BORINGSSL_PREFIX %+ _OBJ_dup\n%xdefine _OBJ_find_sigid_algs _ %+ BORINGSSL_PREFIX %+ _OBJ_find_sigid_algs\n%xdefine _OBJ_find_sigid_by_algs _ %+ BORINGSSL_PREFIX %+ _OBJ_find_sigid_by_algs\n%xdefine _OBJ_get0_data _ %+ BORINGSSL_PREFIX %+ _OBJ_get0_data\n%xdefine _OBJ_get_undef _ %+ BORINGSSL_PREFIX %+ _OBJ_get_undef\n%xdefine _OBJ_length _ %+ BORINGSSL_PREFIX %+ _OBJ_length\n%xdefine _OBJ_ln2nid _ %+ BORINGSSL_PREFIX %+ _OBJ_ln2nid\n%xdefine _OBJ_nid2cbb _ %+ BORINGSSL_PREFIX %+ _OBJ_nid2cbb\n%xdefine _OBJ_nid2ln _ %+ BORINGSSL_PREFIX %+ _OBJ_nid2ln\n%xdefine _OBJ_nid2obj _ %+ BORINGSSL_PREFIX %+ _OBJ_nid2obj\n%xdefine _OBJ_nid2sn _ %+ BORINGSSL_PREFIX %+ _OBJ_nid2sn\n%xdefine _OBJ_obj2nid _ %+ BORINGSSL_PREFIX %+ _OBJ_obj2nid\n%xdefine _OBJ_obj2txt _ %+ BORINGSSL_PREFIX %+ _OBJ_obj2txt\n%xdefine _OBJ_sn2nid _ %+ BORINGSSL_PREFIX %+ _OBJ_sn2nid\n%xdefine _OBJ_txt2nid _ %+ BORINGSSL_PREFIX %+ _OBJ_txt2nid\n%xdefine _OBJ_txt2obj _ %+ BORINGSSL_PREFIX %+ _OBJ_txt2obj\n%xdefine _OPENSSL_add_all_algorithms_conf _ %+ BORINGSSL_PREFIX %+ _OPENSSL_add_all_algorithms_conf\n%xdefine _OPENSSL_armcap_P _ %+ BORINGSSL_PREFIX %+ _OPENSSL_armcap_P\n%xdefine _OPENSSL_asprintf _ %+ BORINGSSL_PREFIX %+ _OPENSSL_asprintf\n%xdefine _OPENSSL_calloc _ %+ BORINGSSL_PREFIX %+ _OPENSSL_calloc\n%xdefine _OPENSSL_cleanse _ %+ BORINGSSL_PREFIX %+ _OPENSSL_cleanse\n%xdefine _OPENSSL_cleanup _ %+ BORINGSSL_PREFIX %+ _OPENSSL_cleanup\n%xdefine _OPENSSL_clear_free _ %+ BORINGSSL_PREFIX %+ _OPENSSL_clear_free\n%xdefine _OPENSSL_config _ %+ BORINGSSL_PREFIX %+ _OPENSSL_config\n%xdefine _OPENSSL_cpuid_setup _ %+ BORINGSSL_PREFIX %+ _OPENSSL_cpuid_setup\n%xdefine _OPENSSL_free _ %+ BORINGSSL_PREFIX %+ _OPENSSL_free\n%xdefine _OPENSSL_fromxdigit _ %+ BORINGSSL_PREFIX %+ _OPENSSL_fromxdigit\n%xdefine _OPENSSL_get_armcap _ %+ BORINGSSL_PREFIX %+ _OPENSSL_get_armcap\n%xdefine _OPENSSL_get_armcap_pointer_for_test _ %+ BORINGSSL_PREFIX %+ _OPENSSL_get_armcap_pointer_for_test\n%xdefine _OPENSSL_get_ia32cap _ %+ BORINGSSL_PREFIX %+ _OPENSSL_get_ia32cap\n%xdefine _OPENSSL_gmtime _ %+ BORINGSSL_PREFIX %+ _OPENSSL_gmtime\n%xdefine _OPENSSL_gmtime_adj _ %+ BORINGSSL_PREFIX %+ _OPENSSL_gmtime_adj\n%xdefine _OPENSSL_gmtime_diff _ %+ BORINGSSL_PREFIX %+ _OPENSSL_gmtime_diff\n%xdefine _OPENSSL_hash32 _ %+ BORINGSSL_PREFIX %+ _OPENSSL_hash32\n%xdefine _OPENSSL_ia32cap_P _ %+ BORINGSSL_PREFIX %+ _OPENSSL_ia32cap_P\n%xdefine _OPENSSL_init_cpuid _ %+ BORINGSSL_PREFIX %+ _OPENSSL_init_cpuid\n%xdefine _OPENSSL_init_crypto _ %+ BORINGSSL_PREFIX %+ _OPENSSL_init_crypto\n%xdefine _OPENSSL_init_ssl _ %+ BORINGSSL_PREFIX %+ _OPENSSL_init_ssl\n%xdefine _OPENSSL_isalnum _ %+ BORINGSSL_PREFIX %+ _OPENSSL_isalnum\n%xdefine _OPENSSL_isalpha _ %+ BORINGSSL_PREFIX %+ _OPENSSL_isalpha\n%xdefine _OPENSSL_isdigit _ %+ BORINGSSL_PREFIX %+ _OPENSSL_isdigit\n%xdefine _OPENSSL_isspace _ %+ BORINGSSL_PREFIX %+ _OPENSSL_isspace\n%xdefine _OPENSSL_isxdigit _ %+ BORINGSSL_PREFIX %+ _OPENSSL_isxdigit\n%xdefine _OPENSSL_lh_delete _ %+ BORINGSSL_PREFIX %+ _OPENSSL_lh_delete\n%xdefine _OPENSSL_lh_doall_arg _ %+ BORINGSSL_PREFIX %+ _OPENSSL_lh_doall_arg\n%xdefine _OPENSSL_lh_free _ %+ BORINGSSL_PREFIX %+ _OPENSSL_lh_free\n%xdefine _OPENSSL_lh_insert _ %+ BORINGSSL_PREFIX %+ _OPENSSL_lh_insert\n%xdefine _OPENSSL_lh_new _ %+ BORINGSSL_PREFIX %+ _OPENSSL_lh_new\n%xdefine _OPENSSL_lh_num_items _ %+ BORINGSSL_PREFIX %+ _OPENSSL_lh_num_items\n%xdefine _OPENSSL_lh_retrieve _ %+ BORINGSSL_PREFIX %+ _OPENSSL_lh_retrieve\n%xdefine _OPENSSL_lh_retrieve_key _ %+ BORINGSSL_PREFIX %+ _OPENSSL_lh_retrieve_key\n%xdefine _OPENSSL_load_builtin_modules _ %+ BORINGSSL_PREFIX %+ _OPENSSL_load_builtin_modules\n%xdefine _OPENSSL_malloc _ %+ BORINGSSL_PREFIX %+ _OPENSSL_malloc\n%xdefine _OPENSSL_malloc_init _ %+ BORINGSSL_PREFIX %+ _OPENSSL_malloc_init\n%xdefine _OPENSSL_memdup _ %+ BORINGSSL_PREFIX %+ _OPENSSL_memdup\n%xdefine _OPENSSL_no_config _ %+ BORINGSSL_PREFIX %+ _OPENSSL_no_config\n%xdefine _OPENSSL_posix_to_tm _ %+ BORINGSSL_PREFIX %+ _OPENSSL_posix_to_tm\n%xdefine _OPENSSL_realloc _ %+ BORINGSSL_PREFIX %+ _OPENSSL_realloc\n%xdefine _OPENSSL_secure_clear_free _ %+ BORINGSSL_PREFIX %+ _OPENSSL_secure_clear_free\n%xdefine _OPENSSL_secure_malloc _ %+ BORINGSSL_PREFIX %+ _OPENSSL_secure_malloc\n%xdefine _OPENSSL_sk_deep_copy _ %+ BORINGSSL_PREFIX %+ _OPENSSL_sk_deep_copy\n%xdefine _OPENSSL_sk_delete _ %+ BORINGSSL_PREFIX %+ _OPENSSL_sk_delete\n%xdefine _OPENSSL_sk_delete_if _ %+ BORINGSSL_PREFIX %+ _OPENSSL_sk_delete_if\n%xdefine _OPENSSL_sk_delete_ptr _ %+ BORINGSSL_PREFIX %+ _OPENSSL_sk_delete_ptr\n%xdefine _OPENSSL_sk_dup _ %+ BORINGSSL_PREFIX %+ _OPENSSL_sk_dup\n%xdefine _OPENSSL_sk_find _ %+ BORINGSSL_PREFIX %+ _OPENSSL_sk_find\n%xdefine _OPENSSL_sk_free _ %+ BORINGSSL_PREFIX %+ _OPENSSL_sk_free\n%xdefine _OPENSSL_sk_insert _ %+ BORINGSSL_PREFIX %+ _OPENSSL_sk_insert\n%xdefine _OPENSSL_sk_is_sorted _ %+ BORINGSSL_PREFIX %+ _OPENSSL_sk_is_sorted\n%xdefine _OPENSSL_sk_new _ %+ BORINGSSL_PREFIX %+ _OPENSSL_sk_new\n%xdefine _OPENSSL_sk_new_null _ %+ BORINGSSL_PREFIX %+ _OPENSSL_sk_new_null\n%xdefine _OPENSSL_sk_num _ %+ BORINGSSL_PREFIX %+ _OPENSSL_sk_num\n%xdefine _OPENSSL_sk_pop _ %+ BORINGSSL_PREFIX %+ _OPENSSL_sk_pop\n%xdefine _OPENSSL_sk_pop_free_ex _ %+ BORINGSSL_PREFIX %+ _OPENSSL_sk_pop_free_ex\n%xdefine _OPENSSL_sk_push _ %+ BORINGSSL_PREFIX %+ _OPENSSL_sk_push\n%xdefine _OPENSSL_sk_set _ %+ BORINGSSL_PREFIX %+ _OPENSSL_sk_set\n%xdefine _OPENSSL_sk_set_cmp_func _ %+ BORINGSSL_PREFIX %+ _OPENSSL_sk_set_cmp_func\n%xdefine _OPENSSL_sk_shift _ %+ BORINGSSL_PREFIX %+ _OPENSSL_sk_shift\n%xdefine _OPENSSL_sk_sort _ %+ BORINGSSL_PREFIX %+ _OPENSSL_sk_sort\n%xdefine _OPENSSL_sk_value _ %+ BORINGSSL_PREFIX %+ _OPENSSL_sk_value\n%xdefine _OPENSSL_sk_zero _ %+ BORINGSSL_PREFIX %+ _OPENSSL_sk_zero\n%xdefine _OPENSSL_strcasecmp _ %+ BORINGSSL_PREFIX %+ _OPENSSL_strcasecmp\n%xdefine _OPENSSL_strdup _ %+ BORINGSSL_PREFIX %+ _OPENSSL_strdup\n%xdefine _OPENSSL_strhash _ %+ BORINGSSL_PREFIX %+ _OPENSSL_strhash\n%xdefine _OPENSSL_strlcat _ %+ BORINGSSL_PREFIX %+ _OPENSSL_strlcat\n%xdefine _OPENSSL_strlcpy _ %+ BORINGSSL_PREFIX %+ _OPENSSL_strlcpy\n%xdefine _OPENSSL_strncasecmp _ %+ BORINGSSL_PREFIX %+ _OPENSSL_strncasecmp\n%xdefine _OPENSSL_strndup _ %+ BORINGSSL_PREFIX %+ _OPENSSL_strndup\n%xdefine _OPENSSL_strnlen _ %+ BORINGSSL_PREFIX %+ _OPENSSL_strnlen\n%xdefine _OPENSSL_timegm _ %+ BORINGSSL_PREFIX %+ _OPENSSL_timegm\n%xdefine _OPENSSL_tm_to_posix _ %+ BORINGSSL_PREFIX %+ _OPENSSL_tm_to_posix\n%xdefine _OPENSSL_tolower _ %+ BORINGSSL_PREFIX %+ _OPENSSL_tolower\n%xdefine _OPENSSL_vasprintf _ %+ BORINGSSL_PREFIX %+ _OPENSSL_vasprintf\n%xdefine _OPENSSL_vasprintf_internal _ %+ BORINGSSL_PREFIX %+ _OPENSSL_vasprintf_internal\n%xdefine _OPENSSL_zalloc _ %+ BORINGSSL_PREFIX %+ _OPENSSL_zalloc\n%xdefine _OTHERNAME_free _ %+ BORINGSSL_PREFIX %+ _OTHERNAME_free\n%xdefine _OTHERNAME_new _ %+ BORINGSSL_PREFIX %+ _OTHERNAME_new\n%xdefine _OpenSSL_add_all_algorithms _ %+ BORINGSSL_PREFIX %+ _OpenSSL_add_all_algorithms\n%xdefine _OpenSSL_add_all_ciphers _ %+ BORINGSSL_PREFIX %+ _OpenSSL_add_all_ciphers\n%xdefine _OpenSSL_add_all_digests _ %+ BORINGSSL_PREFIX %+ _OpenSSL_add_all_digests\n%xdefine _OpenSSL_version _ %+ BORINGSSL_PREFIX %+ _OpenSSL_version\n%xdefine _OpenSSL_version_num _ %+ BORINGSSL_PREFIX %+ _OpenSSL_version_num\n%xdefine _PEM_ASN1_read _ %+ BORINGSSL_PREFIX %+ _PEM_ASN1_read\n%xdefine _PEM_ASN1_read_bio _ %+ BORINGSSL_PREFIX %+ _PEM_ASN1_read_bio\n%xdefine _PEM_ASN1_write _ %+ BORINGSSL_PREFIX %+ _PEM_ASN1_write\n%xdefine _PEM_ASN1_write_bio _ %+ BORINGSSL_PREFIX %+ _PEM_ASN1_write_bio\n%xdefine _PEM_X509_INFO_read _ %+ BORINGSSL_PREFIX %+ _PEM_X509_INFO_read\n%xdefine _PEM_X509_INFO_read_bio _ %+ BORINGSSL_PREFIX %+ _PEM_X509_INFO_read_bio\n%xdefine _PEM_bytes_read_bio _ %+ BORINGSSL_PREFIX %+ _PEM_bytes_read_bio\n%xdefine _PEM_def_callback _ %+ BORINGSSL_PREFIX %+ _PEM_def_callback\n%xdefine _PEM_do_header _ %+ BORINGSSL_PREFIX %+ _PEM_do_header\n%xdefine _PEM_get_EVP_CIPHER_INFO _ %+ BORINGSSL_PREFIX %+ _PEM_get_EVP_CIPHER_INFO\n%xdefine _PEM_read _ %+ BORINGSSL_PREFIX %+ _PEM_read\n%xdefine _PEM_read_DHparams _ %+ BORINGSSL_PREFIX %+ _PEM_read_DHparams\n%xdefine _PEM_read_DSAPrivateKey _ %+ BORINGSSL_PREFIX %+ _PEM_read_DSAPrivateKey\n%xdefine _PEM_read_DSA_PUBKEY _ %+ BORINGSSL_PREFIX %+ _PEM_read_DSA_PUBKEY\n%xdefine _PEM_read_DSAparams _ %+ BORINGSSL_PREFIX %+ _PEM_read_DSAparams\n%xdefine _PEM_read_ECPrivateKey _ %+ BORINGSSL_PREFIX %+ _PEM_read_ECPrivateKey\n%xdefine _PEM_read_EC_PUBKEY _ %+ BORINGSSL_PREFIX %+ _PEM_read_EC_PUBKEY\n%xdefine _PEM_read_PKCS7 _ %+ BORINGSSL_PREFIX %+ _PEM_read_PKCS7\n%xdefine _PEM_read_PKCS8 _ %+ BORINGSSL_PREFIX %+ _PEM_read_PKCS8\n%xdefine _PEM_read_PKCS8_PRIV_KEY_INFO _ %+ BORINGSSL_PREFIX %+ _PEM_read_PKCS8_PRIV_KEY_INFO\n%xdefine _PEM_read_PUBKEY _ %+ BORINGSSL_PREFIX %+ _PEM_read_PUBKEY\n%xdefine _PEM_read_PrivateKey _ %+ BORINGSSL_PREFIX %+ _PEM_read_PrivateKey\n%xdefine _PEM_read_RSAPrivateKey _ %+ BORINGSSL_PREFIX %+ _PEM_read_RSAPrivateKey\n%xdefine _PEM_read_RSAPublicKey _ %+ BORINGSSL_PREFIX %+ _PEM_read_RSAPublicKey\n%xdefine _PEM_read_RSA_PUBKEY _ %+ BORINGSSL_PREFIX %+ _PEM_read_RSA_PUBKEY\n%xdefine _PEM_read_SSL_SESSION _ %+ BORINGSSL_PREFIX %+ _PEM_read_SSL_SESSION\n%xdefine _PEM_read_X509 _ %+ BORINGSSL_PREFIX %+ _PEM_read_X509\n%xdefine _PEM_read_X509_AUX _ %+ BORINGSSL_PREFIX %+ _PEM_read_X509_AUX\n%xdefine _PEM_read_X509_CRL _ %+ BORINGSSL_PREFIX %+ _PEM_read_X509_CRL\n%xdefine _PEM_read_X509_REQ _ %+ BORINGSSL_PREFIX %+ _PEM_read_X509_REQ\n%xdefine _PEM_read_bio _ %+ BORINGSSL_PREFIX %+ _PEM_read_bio\n%xdefine _PEM_read_bio_DHparams _ %+ BORINGSSL_PREFIX %+ _PEM_read_bio_DHparams\n%xdefine _PEM_read_bio_DSAPrivateKey _ %+ BORINGSSL_PREFIX %+ _PEM_read_bio_DSAPrivateKey\n%xdefine _PEM_read_bio_DSA_PUBKEY _ %+ BORINGSSL_PREFIX %+ _PEM_read_bio_DSA_PUBKEY\n%xdefine _PEM_read_bio_DSAparams _ %+ BORINGSSL_PREFIX %+ _PEM_read_bio_DSAparams\n%xdefine _PEM_read_bio_ECPrivateKey _ %+ BORINGSSL_PREFIX %+ _PEM_read_bio_ECPrivateKey\n%xdefine _PEM_read_bio_EC_PUBKEY _ %+ BORINGSSL_PREFIX %+ _PEM_read_bio_EC_PUBKEY\n%xdefine _PEM_read_bio_PKCS7 _ %+ BORINGSSL_PREFIX %+ _PEM_read_bio_PKCS7\n%xdefine _PEM_read_bio_PKCS8 _ %+ BORINGSSL_PREFIX %+ _PEM_read_bio_PKCS8\n%xdefine _PEM_read_bio_PKCS8_PRIV_KEY_INFO _ %+ BORINGSSL_PREFIX %+ _PEM_read_bio_PKCS8_PRIV_KEY_INFO\n%xdefine _PEM_read_bio_PUBKEY _ %+ BORINGSSL_PREFIX %+ _PEM_read_bio_PUBKEY\n%xdefine _PEM_read_bio_PrivateKey _ %+ BORINGSSL_PREFIX %+ _PEM_read_bio_PrivateKey\n%xdefine _PEM_read_bio_RSAPrivateKey _ %+ BORINGSSL_PREFIX %+ _PEM_read_bio_RSAPrivateKey\n%xdefine _PEM_read_bio_RSAPublicKey _ %+ BORINGSSL_PREFIX %+ _PEM_read_bio_RSAPublicKey\n%xdefine _PEM_read_bio_RSA_PUBKEY _ %+ BORINGSSL_PREFIX %+ _PEM_read_bio_RSA_PUBKEY\n%xdefine _PEM_read_bio_SSL_SESSION _ %+ BORINGSSL_PREFIX %+ _PEM_read_bio_SSL_SESSION\n%xdefine _PEM_read_bio_X509 _ %+ BORINGSSL_PREFIX %+ _PEM_read_bio_X509\n%xdefine _PEM_read_bio_X509_AUX _ %+ BORINGSSL_PREFIX %+ _PEM_read_bio_X509_AUX\n%xdefine _PEM_read_bio_X509_CRL _ %+ BORINGSSL_PREFIX %+ _PEM_read_bio_X509_CRL\n%xdefine _PEM_read_bio_X509_REQ _ %+ BORINGSSL_PREFIX %+ _PEM_read_bio_X509_REQ\n%xdefine _PEM_write _ %+ BORINGSSL_PREFIX %+ _PEM_write\n%xdefine _PEM_write_DHparams _ %+ BORINGSSL_PREFIX %+ _PEM_write_DHparams\n%xdefine _PEM_write_DSAPrivateKey _ %+ BORINGSSL_PREFIX %+ _PEM_write_DSAPrivateKey\n%xdefine _PEM_write_DSA_PUBKEY _ %+ BORINGSSL_PREFIX %+ _PEM_write_DSA_PUBKEY\n%xdefine _PEM_write_DSAparams _ %+ BORINGSSL_PREFIX %+ _PEM_write_DSAparams\n%xdefine _PEM_write_ECPrivateKey _ %+ BORINGSSL_PREFIX %+ _PEM_write_ECPrivateKey\n%xdefine _PEM_write_EC_PUBKEY _ %+ BORINGSSL_PREFIX %+ _PEM_write_EC_PUBKEY\n%xdefine _PEM_write_PKCS7 _ %+ BORINGSSL_PREFIX %+ _PEM_write_PKCS7\n%xdefine _PEM_write_PKCS8 _ %+ BORINGSSL_PREFIX %+ _PEM_write_PKCS8\n%xdefine _PEM_write_PKCS8PrivateKey _ %+ BORINGSSL_PREFIX %+ _PEM_write_PKCS8PrivateKey\n%xdefine _PEM_write_PKCS8PrivateKey_nid _ %+ BORINGSSL_PREFIX %+ _PEM_write_PKCS8PrivateKey_nid\n%xdefine _PEM_write_PKCS8_PRIV_KEY_INFO _ %+ BORINGSSL_PREFIX %+ _PEM_write_PKCS8_PRIV_KEY_INFO\n%xdefine _PEM_write_PUBKEY _ %+ BORINGSSL_PREFIX %+ _PEM_write_PUBKEY\n%xdefine _PEM_write_PrivateKey _ %+ BORINGSSL_PREFIX %+ _PEM_write_PrivateKey\n%xdefine _PEM_write_RSAPrivateKey _ %+ BORINGSSL_PREFIX %+ _PEM_write_RSAPrivateKey\n%xdefine _PEM_write_RSAPublicKey _ %+ BORINGSSL_PREFIX %+ _PEM_write_RSAPublicKey\n%xdefine _PEM_write_RSA_PUBKEY _ %+ BORINGSSL_PREFIX %+ _PEM_write_RSA_PUBKEY\n%xdefine _PEM_write_SSL_SESSION _ %+ BORINGSSL_PREFIX %+ _PEM_write_SSL_SESSION\n%xdefine _PEM_write_X509 _ %+ BORINGSSL_PREFIX %+ _PEM_write_X509\n%xdefine _PEM_write_X509_AUX _ %+ BORINGSSL_PREFIX %+ _PEM_write_X509_AUX\n%xdefine _PEM_write_X509_CRL _ %+ BORINGSSL_PREFIX %+ _PEM_write_X509_CRL\n%xdefine _PEM_write_X509_REQ _ %+ BORINGSSL_PREFIX %+ _PEM_write_X509_REQ\n%xdefine _PEM_write_X509_REQ_NEW _ %+ BORINGSSL_PREFIX %+ _PEM_write_X509_REQ_NEW\n%xdefine _PEM_write_bio _ %+ BORINGSSL_PREFIX %+ _PEM_write_bio\n%xdefine _PEM_write_bio_DHparams _ %+ BORINGSSL_PREFIX %+ _PEM_write_bio_DHparams\n%xdefine _PEM_write_bio_DSAPrivateKey _ %+ BORINGSSL_PREFIX %+ _PEM_write_bio_DSAPrivateKey\n%xdefine _PEM_write_bio_DSA_PUBKEY _ %+ BORINGSSL_PREFIX %+ _PEM_write_bio_DSA_PUBKEY\n%xdefine _PEM_write_bio_DSAparams _ %+ BORINGSSL_PREFIX %+ _PEM_write_bio_DSAparams\n%xdefine _PEM_write_bio_ECPrivateKey _ %+ BORINGSSL_PREFIX %+ _PEM_write_bio_ECPrivateKey\n%xdefine _PEM_write_bio_EC_PUBKEY _ %+ BORINGSSL_PREFIX %+ _PEM_write_bio_EC_PUBKEY\n%xdefine _PEM_write_bio_PKCS7 _ %+ BORINGSSL_PREFIX %+ _PEM_write_bio_PKCS7\n%xdefine _PEM_write_bio_PKCS8 _ %+ BORINGSSL_PREFIX %+ _PEM_write_bio_PKCS8\n%xdefine _PEM_write_bio_PKCS8PrivateKey _ %+ BORINGSSL_PREFIX %+ _PEM_write_bio_PKCS8PrivateKey\n%xdefine _PEM_write_bio_PKCS8PrivateKey_nid _ %+ BORINGSSL_PREFIX %+ _PEM_write_bio_PKCS8PrivateKey_nid\n%xdefine _PEM_write_bio_PKCS8_PRIV_KEY_INFO _ %+ BORINGSSL_PREFIX %+ _PEM_write_bio_PKCS8_PRIV_KEY_INFO\n%xdefine _PEM_write_bio_PUBKEY _ %+ BORINGSSL_PREFIX %+ _PEM_write_bio_PUBKEY\n%xdefine _PEM_write_bio_PrivateKey _ %+ BORINGSSL_PREFIX %+ _PEM_write_bio_PrivateKey\n%xdefine _PEM_write_bio_RSAPrivateKey _ %+ BORINGSSL_PREFIX %+ _PEM_write_bio_RSAPrivateKey\n%xdefine _PEM_write_bio_RSAPublicKey _ %+ BORINGSSL_PREFIX %+ _PEM_write_bio_RSAPublicKey\n%xdefine _PEM_write_bio_RSA_PUBKEY _ %+ BORINGSSL_PREFIX %+ _PEM_write_bio_RSA_PUBKEY\n%xdefine _PEM_write_bio_SSL_SESSION _ %+ BORINGSSL_PREFIX %+ _PEM_write_bio_SSL_SESSION\n%xdefine _PEM_write_bio_X509 _ %+ BORINGSSL_PREFIX %+ _PEM_write_bio_X509\n%xdefine _PEM_write_bio_X509_AUX _ %+ BORINGSSL_PREFIX %+ _PEM_write_bio_X509_AUX\n%xdefine _PEM_write_bio_X509_CRL _ %+ BORINGSSL_PREFIX %+ _PEM_write_bio_X509_CRL\n%xdefine _PEM_write_bio_X509_REQ _ %+ BORINGSSL_PREFIX %+ _PEM_write_bio_X509_REQ\n%xdefine _PEM_write_bio_X509_REQ_NEW _ %+ BORINGSSL_PREFIX %+ _PEM_write_bio_X509_REQ_NEW\n%xdefine _PKCS12_PBE_add _ %+ BORINGSSL_PREFIX %+ _PKCS12_PBE_add\n%xdefine _PKCS12_create _ %+ BORINGSSL_PREFIX %+ _PKCS12_create\n%xdefine _PKCS12_free _ %+ BORINGSSL_PREFIX %+ _PKCS12_free\n%xdefine _PKCS12_get_key_and_certs _ %+ BORINGSSL_PREFIX %+ _PKCS12_get_key_and_certs\n%xdefine _PKCS12_parse _ %+ BORINGSSL_PREFIX %+ _PKCS12_parse\n%xdefine _PKCS12_verify_mac _ %+ BORINGSSL_PREFIX %+ _PKCS12_verify_mac\n%xdefine _PKCS1_MGF1 _ %+ BORINGSSL_PREFIX %+ _PKCS1_MGF1\n%xdefine _PKCS5_PBKDF2_HMAC _ %+ BORINGSSL_PREFIX %+ _PKCS5_PBKDF2_HMAC\n%xdefine _PKCS5_PBKDF2_HMAC_SHA1 _ %+ BORINGSSL_PREFIX %+ _PKCS5_PBKDF2_HMAC_SHA1\n%xdefine _PKCS5_pbe2_decrypt_init _ %+ BORINGSSL_PREFIX %+ _PKCS5_pbe2_decrypt_init\n%xdefine _PKCS5_pbe2_encrypt_init _ %+ BORINGSSL_PREFIX %+ _PKCS5_pbe2_encrypt_init\n%xdefine _PKCS7_bundle_CRLs _ %+ BORINGSSL_PREFIX %+ _PKCS7_bundle_CRLs\n%xdefine _PKCS7_bundle_certificates _ %+ BORINGSSL_PREFIX %+ _PKCS7_bundle_certificates\n%xdefine _PKCS7_bundle_raw_certificates _ %+ BORINGSSL_PREFIX %+ _PKCS7_bundle_raw_certificates\n%xdefine _PKCS7_free _ %+ BORINGSSL_PREFIX %+ _PKCS7_free\n%xdefine _PKCS7_get_CRLs _ %+ BORINGSSL_PREFIX %+ _PKCS7_get_CRLs\n%xdefine _PKCS7_get_PEM_CRLs _ %+ BORINGSSL_PREFIX %+ _PKCS7_get_PEM_CRLs\n%xdefine _PKCS7_get_PEM_certificates _ %+ BORINGSSL_PREFIX %+ _PKCS7_get_PEM_certificates\n%xdefine _PKCS7_get_certificates _ %+ BORINGSSL_PREFIX %+ _PKCS7_get_certificates\n%xdefine _PKCS7_get_raw_certificates _ %+ BORINGSSL_PREFIX %+ _PKCS7_get_raw_certificates\n%xdefine _PKCS7_sign _ %+ BORINGSSL_PREFIX %+ _PKCS7_sign\n%xdefine _PKCS7_type_is_data _ %+ BORINGSSL_PREFIX %+ _PKCS7_type_is_data\n%xdefine _PKCS7_type_is_digest _ %+ BORINGSSL_PREFIX %+ _PKCS7_type_is_digest\n%xdefine _PKCS7_type_is_encrypted _ %+ BORINGSSL_PREFIX %+ _PKCS7_type_is_encrypted\n%xdefine _PKCS7_type_is_enveloped _ %+ BORINGSSL_PREFIX %+ _PKCS7_type_is_enveloped\n%xdefine _PKCS7_type_is_signed _ %+ BORINGSSL_PREFIX %+ _PKCS7_type_is_signed\n%xdefine _PKCS7_type_is_signedAndEnveloped _ %+ BORINGSSL_PREFIX %+ _PKCS7_type_is_signedAndEnveloped\n%xdefine _PKCS8_PRIV_KEY_INFO_free _ %+ BORINGSSL_PREFIX %+ _PKCS8_PRIV_KEY_INFO_free\n%xdefine _PKCS8_PRIV_KEY_INFO_new _ %+ BORINGSSL_PREFIX %+ _PKCS8_PRIV_KEY_INFO_new\n%xdefine _PKCS8_decrypt _ %+ BORINGSSL_PREFIX %+ _PKCS8_decrypt\n%xdefine _PKCS8_encrypt _ %+ BORINGSSL_PREFIX %+ _PKCS8_encrypt\n%xdefine _PKCS8_marshal_encrypted_private_key _ %+ BORINGSSL_PREFIX %+ _PKCS8_marshal_encrypted_private_key\n%xdefine _PKCS8_parse_encrypted_private_key _ %+ BORINGSSL_PREFIX %+ _PKCS8_parse_encrypted_private_key\n%xdefine _POLICYINFO_free _ %+ BORINGSSL_PREFIX %+ _POLICYINFO_free\n%xdefine _POLICYINFO_it _ %+ BORINGSSL_PREFIX %+ _POLICYINFO_it\n%xdefine _POLICYINFO_new _ %+ BORINGSSL_PREFIX %+ _POLICYINFO_new\n%xdefine _POLICYQUALINFO_free _ %+ BORINGSSL_PREFIX %+ _POLICYQUALINFO_free\n%xdefine _POLICYQUALINFO_it _ %+ BORINGSSL_PREFIX %+ _POLICYQUALINFO_it\n%xdefine _POLICYQUALINFO_new _ %+ BORINGSSL_PREFIX %+ _POLICYQUALINFO_new\n%xdefine _POLICY_CONSTRAINTS_free _ %+ BORINGSSL_PREFIX %+ _POLICY_CONSTRAINTS_free\n%xdefine _POLICY_CONSTRAINTS_it _ %+ BORINGSSL_PREFIX %+ _POLICY_CONSTRAINTS_it\n%xdefine _POLICY_CONSTRAINTS_new _ %+ BORINGSSL_PREFIX %+ _POLICY_CONSTRAINTS_new\n%xdefine _POLICY_MAPPINGS_it _ %+ BORINGSSL_PREFIX %+ _POLICY_MAPPINGS_it\n%xdefine _POLICY_MAPPING_free _ %+ BORINGSSL_PREFIX %+ _POLICY_MAPPING_free\n%xdefine _POLICY_MAPPING_new _ %+ BORINGSSL_PREFIX %+ _POLICY_MAPPING_new\n%xdefine _RAND_OpenSSL _ %+ BORINGSSL_PREFIX %+ _RAND_OpenSSL\n%xdefine _RAND_SSLeay _ %+ BORINGSSL_PREFIX %+ _RAND_SSLeay\n%xdefine _RAND_add _ %+ BORINGSSL_PREFIX %+ _RAND_add\n%xdefine _RAND_bytes _ %+ BORINGSSL_PREFIX %+ _RAND_bytes\n%xdefine _RAND_cleanup _ %+ BORINGSSL_PREFIX %+ _RAND_cleanup\n%xdefine _RAND_disable_fork_unsafe_buffering _ %+ BORINGSSL_PREFIX %+ _RAND_disable_fork_unsafe_buffering\n%xdefine _RAND_egd _ %+ BORINGSSL_PREFIX %+ _RAND_egd\n%xdefine _RAND_enable_fork_unsafe_buffering _ %+ BORINGSSL_PREFIX %+ _RAND_enable_fork_unsafe_buffering\n%xdefine _RAND_file_name _ %+ BORINGSSL_PREFIX %+ _RAND_file_name\n%xdefine _RAND_get_rand_method _ %+ BORINGSSL_PREFIX %+ _RAND_get_rand_method\n%xdefine _RAND_get_system_entropy_for_custom_prng _ %+ BORINGSSL_PREFIX %+ _RAND_get_system_entropy_for_custom_prng\n%xdefine _RAND_load_file _ %+ BORINGSSL_PREFIX %+ _RAND_load_file\n%xdefine _RAND_poll _ %+ BORINGSSL_PREFIX %+ _RAND_poll\n%xdefine _RAND_pseudo_bytes _ %+ BORINGSSL_PREFIX %+ _RAND_pseudo_bytes\n%xdefine _RAND_seed _ %+ BORINGSSL_PREFIX %+ _RAND_seed\n%xdefine _RAND_set_rand_method _ %+ BORINGSSL_PREFIX %+ _RAND_set_rand_method\n%xdefine _RAND_status _ %+ BORINGSSL_PREFIX %+ _RAND_status\n%xdefine _RC4 _ %+ BORINGSSL_PREFIX %+ _RC4\n%xdefine _RC4_set_key _ %+ BORINGSSL_PREFIX %+ _RC4_set_key\n%xdefine _RSAPrivateKey_dup _ %+ BORINGSSL_PREFIX %+ _RSAPrivateKey_dup\n%xdefine _RSAPublicKey_dup _ %+ BORINGSSL_PREFIX %+ _RSAPublicKey_dup\n%xdefine _RSAZ_1024_mod_exp_avx2 _ %+ BORINGSSL_PREFIX %+ _RSAZ_1024_mod_exp_avx2\n%xdefine _RSA_PSS_PARAMS_free _ %+ BORINGSSL_PREFIX %+ _RSA_PSS_PARAMS_free\n%xdefine _RSA_PSS_PARAMS_it _ %+ BORINGSSL_PREFIX %+ _RSA_PSS_PARAMS_it\n%xdefine _RSA_PSS_PARAMS_new _ %+ BORINGSSL_PREFIX %+ _RSA_PSS_PARAMS_new\n%xdefine _RSA_add_pkcs1_prefix _ %+ BORINGSSL_PREFIX %+ _RSA_add_pkcs1_prefix\n%xdefine _RSA_bits _ %+ BORINGSSL_PREFIX %+ _RSA_bits\n%xdefine _RSA_blinding_off _ %+ BORINGSSL_PREFIX %+ _RSA_blinding_off\n%xdefine _RSA_blinding_on _ %+ BORINGSSL_PREFIX %+ _RSA_blinding_on\n%xdefine _RSA_check_fips _ %+ BORINGSSL_PREFIX %+ _RSA_check_fips\n%xdefine _RSA_check_key _ %+ BORINGSSL_PREFIX %+ _RSA_check_key\n%xdefine _RSA_decrypt _ %+ BORINGSSL_PREFIX %+ _RSA_decrypt\n%xdefine _RSA_default_method _ %+ BORINGSSL_PREFIX %+ _RSA_default_method\n%xdefine _RSA_encrypt _ %+ BORINGSSL_PREFIX %+ _RSA_encrypt\n%xdefine _RSA_flags _ %+ BORINGSSL_PREFIX %+ _RSA_flags\n%xdefine _RSA_free _ %+ BORINGSSL_PREFIX %+ _RSA_free\n%xdefine _RSA_generate_key_ex _ %+ BORINGSSL_PREFIX %+ _RSA_generate_key_ex\n%xdefine _RSA_generate_key_fips _ %+ BORINGSSL_PREFIX %+ _RSA_generate_key_fips\n%xdefine _RSA_get0_crt_params _ %+ BORINGSSL_PREFIX %+ _RSA_get0_crt_params\n%xdefine _RSA_get0_d _ %+ BORINGSSL_PREFIX %+ _RSA_get0_d\n%xdefine _RSA_get0_dmp1 _ %+ BORINGSSL_PREFIX %+ _RSA_get0_dmp1\n%xdefine _RSA_get0_dmq1 _ %+ BORINGSSL_PREFIX %+ _RSA_get0_dmq1\n%xdefine _RSA_get0_e _ %+ BORINGSSL_PREFIX %+ _RSA_get0_e\n%xdefine _RSA_get0_factors _ %+ BORINGSSL_PREFIX %+ _RSA_get0_factors\n%xdefine _RSA_get0_iqmp _ %+ BORINGSSL_PREFIX %+ _RSA_get0_iqmp\n%xdefine _RSA_get0_key _ %+ BORINGSSL_PREFIX %+ _RSA_get0_key\n%xdefine _RSA_get0_n _ %+ BORINGSSL_PREFIX %+ _RSA_get0_n\n%xdefine _RSA_get0_p _ %+ BORINGSSL_PREFIX %+ _RSA_get0_p\n%xdefine _RSA_get0_pss_params _ %+ BORINGSSL_PREFIX %+ _RSA_get0_pss_params\n%xdefine _RSA_get0_q _ %+ BORINGSSL_PREFIX %+ _RSA_get0_q\n%xdefine _RSA_get_ex_data _ %+ BORINGSSL_PREFIX %+ _RSA_get_ex_data\n%xdefine _RSA_get_ex_new_index _ %+ BORINGSSL_PREFIX %+ _RSA_get_ex_new_index\n%xdefine _RSA_is_opaque _ %+ BORINGSSL_PREFIX %+ _RSA_is_opaque\n%xdefine _RSA_marshal_private_key _ %+ BORINGSSL_PREFIX %+ _RSA_marshal_private_key\n%xdefine _RSA_marshal_public_key _ %+ BORINGSSL_PREFIX %+ _RSA_marshal_public_key\n%xdefine _RSA_new _ %+ BORINGSSL_PREFIX %+ _RSA_new\n%xdefine _RSA_new_method _ %+ BORINGSSL_PREFIX %+ _RSA_new_method\n%xdefine _RSA_new_method_no_e _ %+ BORINGSSL_PREFIX %+ _RSA_new_method_no_e\n%xdefine _RSA_new_private_key _ %+ BORINGSSL_PREFIX %+ _RSA_new_private_key\n%xdefine _RSA_new_private_key_large_e _ %+ BORINGSSL_PREFIX %+ _RSA_new_private_key_large_e\n%xdefine _RSA_new_private_key_no_crt _ %+ BORINGSSL_PREFIX %+ _RSA_new_private_key_no_crt\n%xdefine _RSA_new_private_key_no_e _ %+ BORINGSSL_PREFIX %+ _RSA_new_private_key_no_e\n%xdefine _RSA_new_public_key _ %+ BORINGSSL_PREFIX %+ _RSA_new_public_key\n%xdefine _RSA_new_public_key_large_e _ %+ BORINGSSL_PREFIX %+ _RSA_new_public_key_large_e\n%xdefine _RSA_padding_add_PKCS1_OAEP_mgf1 _ %+ BORINGSSL_PREFIX %+ _RSA_padding_add_PKCS1_OAEP_mgf1\n%xdefine _RSA_padding_add_PKCS1_PSS_mgf1 _ %+ BORINGSSL_PREFIX %+ _RSA_padding_add_PKCS1_PSS_mgf1\n%xdefine _RSA_padding_add_PKCS1_type_1 _ %+ BORINGSSL_PREFIX %+ _RSA_padding_add_PKCS1_type_1\n%xdefine _RSA_padding_add_none _ %+ BORINGSSL_PREFIX %+ _RSA_padding_add_none\n%xdefine _RSA_padding_check_PKCS1_OAEP_mgf1 _ %+ BORINGSSL_PREFIX %+ _RSA_padding_check_PKCS1_OAEP_mgf1\n%xdefine _RSA_padding_check_PKCS1_type_1 _ %+ BORINGSSL_PREFIX %+ _RSA_padding_check_PKCS1_type_1\n%xdefine _RSA_parse_private_key _ %+ BORINGSSL_PREFIX %+ _RSA_parse_private_key\n%xdefine _RSA_parse_public_key _ %+ BORINGSSL_PREFIX %+ _RSA_parse_public_key\n%xdefine _RSA_print _ %+ BORINGSSL_PREFIX %+ _RSA_print\n%xdefine _RSA_private_decrypt _ %+ BORINGSSL_PREFIX %+ _RSA_private_decrypt\n%xdefine _RSA_private_encrypt _ %+ BORINGSSL_PREFIX %+ _RSA_private_encrypt\n%xdefine _RSA_private_key_from_bytes _ %+ BORINGSSL_PREFIX %+ _RSA_private_key_from_bytes\n%xdefine _RSA_private_key_to_bytes _ %+ BORINGSSL_PREFIX %+ _RSA_private_key_to_bytes\n%xdefine _RSA_public_decrypt _ %+ BORINGSSL_PREFIX %+ _RSA_public_decrypt\n%xdefine _RSA_public_encrypt _ %+ BORINGSSL_PREFIX %+ _RSA_public_encrypt\n%xdefine _RSA_public_key_from_bytes _ %+ BORINGSSL_PREFIX %+ _RSA_public_key_from_bytes\n%xdefine _RSA_public_key_to_bytes _ %+ BORINGSSL_PREFIX %+ _RSA_public_key_to_bytes\n%xdefine _RSA_set0_crt_params _ %+ BORINGSSL_PREFIX %+ _RSA_set0_crt_params\n%xdefine _RSA_set0_factors _ %+ BORINGSSL_PREFIX %+ _RSA_set0_factors\n%xdefine _RSA_set0_key _ %+ BORINGSSL_PREFIX %+ _RSA_set0_key\n%xdefine _RSA_set_ex_data _ %+ BORINGSSL_PREFIX %+ _RSA_set_ex_data\n%xdefine _RSA_sign _ %+ BORINGSSL_PREFIX %+ _RSA_sign\n%xdefine _RSA_sign_pss_mgf1 _ %+ BORINGSSL_PREFIX %+ _RSA_sign_pss_mgf1\n%xdefine _RSA_sign_raw _ %+ BORINGSSL_PREFIX %+ _RSA_sign_raw\n%xdefine _RSA_size _ %+ BORINGSSL_PREFIX %+ _RSA_size\n%xdefine _RSA_test_flags _ %+ BORINGSSL_PREFIX %+ _RSA_test_flags\n%xdefine _RSA_up_ref _ %+ BORINGSSL_PREFIX %+ _RSA_up_ref\n%xdefine _RSA_verify _ %+ BORINGSSL_PREFIX %+ _RSA_verify\n%xdefine _RSA_verify_PKCS1_PSS_mgf1 _ %+ BORINGSSL_PREFIX %+ _RSA_verify_PKCS1_PSS_mgf1\n%xdefine _RSA_verify_pss_mgf1 _ %+ BORINGSSL_PREFIX %+ _RSA_verify_pss_mgf1\n%xdefine _RSA_verify_raw _ %+ BORINGSSL_PREFIX %+ _RSA_verify_raw\n%xdefine _SHA1 _ %+ BORINGSSL_PREFIX %+ _SHA1\n%xdefine _SHA1_Final _ %+ BORINGSSL_PREFIX %+ _SHA1_Final\n%xdefine _SHA1_Init _ %+ BORINGSSL_PREFIX %+ _SHA1_Init\n%xdefine _SHA1_Transform _ %+ BORINGSSL_PREFIX %+ _SHA1_Transform\n%xdefine _SHA1_Update _ %+ BORINGSSL_PREFIX %+ _SHA1_Update\n%xdefine _SHA224 _ %+ BORINGSSL_PREFIX %+ _SHA224\n%xdefine _SHA224_Final _ %+ BORINGSSL_PREFIX %+ _SHA224_Final\n%xdefine _SHA224_Init _ %+ BORINGSSL_PREFIX %+ _SHA224_Init\n%xdefine _SHA224_Update _ %+ BORINGSSL_PREFIX %+ _SHA224_Update\n%xdefine _SHA256 _ %+ BORINGSSL_PREFIX %+ _SHA256\n%xdefine _SHA256_Final _ %+ BORINGSSL_PREFIX %+ _SHA256_Final\n%xdefine _SHA256_Init _ %+ BORINGSSL_PREFIX %+ _SHA256_Init\n%xdefine _SHA256_Transform _ %+ BORINGSSL_PREFIX %+ _SHA256_Transform\n%xdefine _SHA256_TransformBlocks _ %+ BORINGSSL_PREFIX %+ _SHA256_TransformBlocks\n%xdefine _SHA256_Update _ %+ BORINGSSL_PREFIX %+ _SHA256_Update\n%xdefine _SHA384 _ %+ BORINGSSL_PREFIX %+ _SHA384\n%xdefine _SHA384_Final _ %+ BORINGSSL_PREFIX %+ _SHA384_Final\n%xdefine _SHA384_Init _ %+ BORINGSSL_PREFIX %+ _SHA384_Init\n%xdefine _SHA384_Update _ %+ BORINGSSL_PREFIX %+ _SHA384_Update\n%xdefine _SHA512 _ %+ BORINGSSL_PREFIX %+ _SHA512\n%xdefine _SHA512_256 _ %+ BORINGSSL_PREFIX %+ _SHA512_256\n%xdefine _SHA512_256_Final _ %+ BORINGSSL_PREFIX %+ _SHA512_256_Final\n%xdefine _SHA512_256_Init _ %+ BORINGSSL_PREFIX %+ _SHA512_256_Init\n%xdefine _SHA512_256_Update _ %+ BORINGSSL_PREFIX %+ _SHA512_256_Update\n%xdefine _SHA512_Final _ %+ BORINGSSL_PREFIX %+ _SHA512_Final\n%xdefine _SHA512_Init _ %+ BORINGSSL_PREFIX %+ _SHA512_Init\n%xdefine _SHA512_Transform _ %+ BORINGSSL_PREFIX %+ _SHA512_Transform\n%xdefine _SHA512_Update _ %+ BORINGSSL_PREFIX %+ _SHA512_Update\n%xdefine _SIPHASH_24 _ %+ BORINGSSL_PREFIX %+ _SIPHASH_24\n%xdefine _SLHDSA_SHA2_128S_generate_key _ %+ BORINGSSL_PREFIX %+ _SLHDSA_SHA2_128S_generate_key\n%xdefine _SLHDSA_SHA2_128S_prehash_sign _ %+ BORINGSSL_PREFIX %+ _SLHDSA_SHA2_128S_prehash_sign\n%xdefine _SLHDSA_SHA2_128S_prehash_verify _ %+ BORINGSSL_PREFIX %+ _SLHDSA_SHA2_128S_prehash_verify\n%xdefine _SLHDSA_SHA2_128S_prehash_warning_nonstandard_sign _ %+ BORINGSSL_PREFIX %+ _SLHDSA_SHA2_128S_prehash_warning_nonstandard_sign\n%xdefine _SLHDSA_SHA2_128S_prehash_warning_nonstandard_verify _ %+ BORINGSSL_PREFIX %+ _SLHDSA_SHA2_128S_prehash_warning_nonstandard_verify\n%xdefine _SLHDSA_SHA2_128S_public_from_private _ %+ BORINGSSL_PREFIX %+ _SLHDSA_SHA2_128S_public_from_private\n%xdefine _SLHDSA_SHA2_128S_sign _ %+ BORINGSSL_PREFIX %+ _SLHDSA_SHA2_128S_sign\n%xdefine _SLHDSA_SHA2_128S_verify _ %+ BORINGSSL_PREFIX %+ _SLHDSA_SHA2_128S_verify\n%xdefine _SPAKE2_CTX_free _ %+ BORINGSSL_PREFIX %+ _SPAKE2_CTX_free\n%xdefine _SPAKE2_CTX_new _ %+ BORINGSSL_PREFIX %+ _SPAKE2_CTX_new\n%xdefine _SPAKE2_generate_msg _ %+ BORINGSSL_PREFIX %+ _SPAKE2_generate_msg\n%xdefine _SPAKE2_process_msg _ %+ BORINGSSL_PREFIX %+ _SPAKE2_process_msg\n%xdefine _SSL_CIPHER_description _ %+ BORINGSSL_PREFIX %+ _SSL_CIPHER_description\n%xdefine _SSL_CIPHER_get_auth_nid _ %+ BORINGSSL_PREFIX %+ _SSL_CIPHER_get_auth_nid\n%xdefine _SSL_CIPHER_get_bits _ %+ BORINGSSL_PREFIX %+ _SSL_CIPHER_get_bits\n%xdefine _SSL_CIPHER_get_cipher_nid _ %+ BORINGSSL_PREFIX %+ _SSL_CIPHER_get_cipher_nid\n%xdefine _SSL_CIPHER_get_digest_nid _ %+ BORINGSSL_PREFIX %+ _SSL_CIPHER_get_digest_nid\n%xdefine _SSL_CIPHER_get_handshake_digest _ %+ BORINGSSL_PREFIX %+ _SSL_CIPHER_get_handshake_digest\n%xdefine _SSL_CIPHER_get_id _ %+ BORINGSSL_PREFIX %+ _SSL_CIPHER_get_id\n%xdefine _SSL_CIPHER_get_kx_name _ %+ BORINGSSL_PREFIX %+ _SSL_CIPHER_get_kx_name\n%xdefine _SSL_CIPHER_get_kx_nid _ %+ BORINGSSL_PREFIX %+ _SSL_CIPHER_get_kx_nid\n%xdefine _SSL_CIPHER_get_max_version _ %+ BORINGSSL_PREFIX %+ _SSL_CIPHER_get_max_version\n%xdefine _SSL_CIPHER_get_min_version _ %+ BORINGSSL_PREFIX %+ _SSL_CIPHER_get_min_version\n%xdefine _SSL_CIPHER_get_name _ %+ BORINGSSL_PREFIX %+ _SSL_CIPHER_get_name\n%xdefine _SSL_CIPHER_get_prf_nid _ %+ BORINGSSL_PREFIX %+ _SSL_CIPHER_get_prf_nid\n%xdefine _SSL_CIPHER_get_protocol_id _ %+ BORINGSSL_PREFIX %+ _SSL_CIPHER_get_protocol_id\n%xdefine _SSL_CIPHER_get_version _ %+ BORINGSSL_PREFIX %+ _SSL_CIPHER_get_version\n%xdefine _SSL_CIPHER_is_aead _ %+ BORINGSSL_PREFIX %+ _SSL_CIPHER_is_aead\n%xdefine _SSL_CIPHER_is_block_cipher _ %+ BORINGSSL_PREFIX %+ _SSL_CIPHER_is_block_cipher\n%xdefine _SSL_CIPHER_standard_name _ %+ BORINGSSL_PREFIX %+ _SSL_CIPHER_standard_name\n%xdefine _SSL_COMP_add_compression_method _ %+ BORINGSSL_PREFIX %+ _SSL_COMP_add_compression_method\n%xdefine _SSL_COMP_free_compression_methods _ %+ BORINGSSL_PREFIX %+ _SSL_COMP_free_compression_methods\n%xdefine _SSL_COMP_get0_name _ %+ BORINGSSL_PREFIX %+ _SSL_COMP_get0_name\n%xdefine _SSL_COMP_get_compression_methods _ %+ BORINGSSL_PREFIX %+ _SSL_COMP_get_compression_methods\n%xdefine _SSL_COMP_get_id _ %+ BORINGSSL_PREFIX %+ _SSL_COMP_get_id\n%xdefine _SSL_COMP_get_name _ %+ BORINGSSL_PREFIX %+ _SSL_COMP_get_name\n%xdefine _SSL_CREDENTIAL_clear_must_match_issuer _ %+ BORINGSSL_PREFIX %+ _SSL_CREDENTIAL_clear_must_match_issuer\n%xdefine _SSL_CREDENTIAL_free _ %+ BORINGSSL_PREFIX %+ _SSL_CREDENTIAL_free\n%xdefine _SSL_CREDENTIAL_get_ex_data _ %+ BORINGSSL_PREFIX %+ _SSL_CREDENTIAL_get_ex_data\n%xdefine _SSL_CREDENTIAL_get_ex_new_index _ %+ BORINGSSL_PREFIX %+ _SSL_CREDENTIAL_get_ex_new_index\n%xdefine _SSL_CREDENTIAL_must_match_issuer _ %+ BORINGSSL_PREFIX %+ _SSL_CREDENTIAL_must_match_issuer\n%xdefine _SSL_CREDENTIAL_new_delegated _ %+ BORINGSSL_PREFIX %+ _SSL_CREDENTIAL_new_delegated\n%xdefine _SSL_CREDENTIAL_new_x509 _ %+ BORINGSSL_PREFIX %+ _SSL_CREDENTIAL_new_x509\n%xdefine _SSL_CREDENTIAL_set1_cert_chain _ %+ BORINGSSL_PREFIX %+ _SSL_CREDENTIAL_set1_cert_chain\n%xdefine _SSL_CREDENTIAL_set1_delegated_credential _ %+ BORINGSSL_PREFIX %+ _SSL_CREDENTIAL_set1_delegated_credential\n%xdefine _SSL_CREDENTIAL_set1_ocsp_response _ %+ BORINGSSL_PREFIX %+ _SSL_CREDENTIAL_set1_ocsp_response\n%xdefine _SSL_CREDENTIAL_set1_private_key _ %+ BORINGSSL_PREFIX %+ _SSL_CREDENTIAL_set1_private_key\n%xdefine _SSL_CREDENTIAL_set1_signed_cert_timestamp_list _ %+ BORINGSSL_PREFIX %+ _SSL_CREDENTIAL_set1_signed_cert_timestamp_list\n%xdefine _SSL_CREDENTIAL_set1_signing_algorithm_prefs _ %+ BORINGSSL_PREFIX %+ _SSL_CREDENTIAL_set1_signing_algorithm_prefs\n%xdefine _SSL_CREDENTIAL_set_ex_data _ %+ BORINGSSL_PREFIX %+ _SSL_CREDENTIAL_set_ex_data\n%xdefine _SSL_CREDENTIAL_set_must_match_issuer _ %+ BORINGSSL_PREFIX %+ _SSL_CREDENTIAL_set_must_match_issuer\n%xdefine _SSL_CREDENTIAL_set_private_key_method _ %+ BORINGSSL_PREFIX %+ _SSL_CREDENTIAL_set_private_key_method\n%xdefine _SSL_CREDENTIAL_up_ref _ %+ BORINGSSL_PREFIX %+ _SSL_CREDENTIAL_up_ref\n%xdefine _SSL_CTX_add0_chain_cert _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_add0_chain_cert\n%xdefine _SSL_CTX_add1_chain_cert _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_add1_chain_cert\n%xdefine _SSL_CTX_add1_credential _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_add1_credential\n%xdefine _SSL_CTX_add_cert_compression_alg _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_add_cert_compression_alg\n%xdefine _SSL_CTX_add_client_CA _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_add_client_CA\n%xdefine _SSL_CTX_add_extra_chain_cert _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_add_extra_chain_cert\n%xdefine _SSL_CTX_add_session _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_add_session\n%xdefine _SSL_CTX_check_private_key _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_check_private_key\n%xdefine _SSL_CTX_cipher_in_group _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_cipher_in_group\n%xdefine _SSL_CTX_clear_chain_certs _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_clear_chain_certs\n%xdefine _SSL_CTX_clear_extra_chain_certs _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_clear_extra_chain_certs\n%xdefine _SSL_CTX_clear_mode _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_clear_mode\n%xdefine _SSL_CTX_clear_options _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_clear_options\n%xdefine _SSL_CTX_enable_ocsp_stapling _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_enable_ocsp_stapling\n%xdefine _SSL_CTX_enable_signed_cert_timestamps _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_enable_signed_cert_timestamps\n%xdefine _SSL_CTX_enable_tls_channel_id _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_enable_tls_channel_id\n%xdefine _SSL_CTX_flush_sessions _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_flush_sessions\n%xdefine _SSL_CTX_free _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_free\n%xdefine _SSL_CTX_get0_certificate _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_get0_certificate\n%xdefine _SSL_CTX_get0_chain _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_get0_chain\n%xdefine _SSL_CTX_get0_chain_certs _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_get0_chain_certs\n%xdefine _SSL_CTX_get0_param _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_get0_param\n%xdefine _SSL_CTX_get0_privatekey _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_get0_privatekey\n%xdefine _SSL_CTX_get_cert_store _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_get_cert_store\n%xdefine _SSL_CTX_get_ciphers _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_get_ciphers\n%xdefine _SSL_CTX_get_client_CA_list _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_get_client_CA_list\n%xdefine _SSL_CTX_get_compliance_policy _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_get_compliance_policy\n%xdefine _SSL_CTX_get_default_passwd_cb _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_get_default_passwd_cb\n%xdefine _SSL_CTX_get_default_passwd_cb_userdata _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_get_default_passwd_cb_userdata\n%xdefine _SSL_CTX_get_ex_data _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_get_ex_data\n%xdefine _SSL_CTX_get_ex_new_index _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_get_ex_new_index\n%xdefine _SSL_CTX_get_extra_chain_certs _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_get_extra_chain_certs\n%xdefine _SSL_CTX_get_info_callback _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_get_info_callback\n%xdefine _SSL_CTX_get_keylog_callback _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_get_keylog_callback\n%xdefine _SSL_CTX_get_max_cert_list _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_get_max_cert_list\n%xdefine _SSL_CTX_get_max_proto_version _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_get_max_proto_version\n%xdefine _SSL_CTX_get_min_proto_version _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_get_min_proto_version\n%xdefine _SSL_CTX_get_mode _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_get_mode\n%xdefine _SSL_CTX_get_num_tickets _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_get_num_tickets\n%xdefine _SSL_CTX_get_options _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_get_options\n%xdefine _SSL_CTX_get_quiet_shutdown _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_get_quiet_shutdown\n%xdefine _SSL_CTX_get_read_ahead _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_get_read_ahead\n%xdefine _SSL_CTX_get_session_cache_mode _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_get_session_cache_mode\n%xdefine _SSL_CTX_get_timeout _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_get_timeout\n%xdefine _SSL_CTX_get_tlsext_ticket_keys _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_get_tlsext_ticket_keys\n%xdefine _SSL_CTX_get_verify_callback _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_get_verify_callback\n%xdefine _SSL_CTX_get_verify_depth _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_get_verify_depth\n%xdefine _SSL_CTX_get_verify_mode _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_get_verify_mode\n%xdefine _SSL_CTX_load_verify_locations _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_load_verify_locations\n%xdefine _SSL_CTX_need_tmp_RSA _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_need_tmp_RSA\n%xdefine _SSL_CTX_new _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_new\n%xdefine _SSL_CTX_remove_session _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_remove_session\n%xdefine _SSL_CTX_sess_accept _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_sess_accept\n%xdefine _SSL_CTX_sess_accept_good _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_sess_accept_good\n%xdefine _SSL_CTX_sess_accept_renegotiate _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_sess_accept_renegotiate\n%xdefine _SSL_CTX_sess_cache_full _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_sess_cache_full\n%xdefine _SSL_CTX_sess_cb_hits _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_sess_cb_hits\n%xdefine _SSL_CTX_sess_connect _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_sess_connect\n%xdefine _SSL_CTX_sess_connect_good _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_sess_connect_good\n%xdefine _SSL_CTX_sess_connect_renegotiate _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_sess_connect_renegotiate\n%xdefine _SSL_CTX_sess_get_cache_size _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_sess_get_cache_size\n%xdefine _SSL_CTX_sess_get_get_cb _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_sess_get_get_cb\n%xdefine _SSL_CTX_sess_get_new_cb _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_sess_get_new_cb\n%xdefine _SSL_CTX_sess_get_remove_cb _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_sess_get_remove_cb\n%xdefine _SSL_CTX_sess_hits _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_sess_hits\n%xdefine _SSL_CTX_sess_misses _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_sess_misses\n%xdefine _SSL_CTX_sess_number _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_sess_number\n%xdefine _SSL_CTX_sess_set_cache_size _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_sess_set_cache_size\n%xdefine _SSL_CTX_sess_set_get_cb _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_sess_set_get_cb\n%xdefine _SSL_CTX_sess_set_new_cb _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_sess_set_new_cb\n%xdefine _SSL_CTX_sess_set_remove_cb _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_sess_set_remove_cb\n%xdefine _SSL_CTX_sess_timeouts _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_sess_timeouts\n%xdefine _SSL_CTX_set0_buffer_pool _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_set0_buffer_pool\n%xdefine _SSL_CTX_set0_chain _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_set0_chain\n%xdefine _SSL_CTX_set0_client_CAs _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_set0_client_CAs\n%xdefine _SSL_CTX_set0_verify_cert_store _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_set0_verify_cert_store\n%xdefine _SSL_CTX_set1_chain _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_set1_chain\n%xdefine _SSL_CTX_set1_curves _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_set1_curves\n%xdefine _SSL_CTX_set1_curves_list _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_set1_curves_list\n%xdefine _SSL_CTX_set1_ech_keys _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_set1_ech_keys\n%xdefine _SSL_CTX_set1_group_ids _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_set1_group_ids\n%xdefine _SSL_CTX_set1_groups _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_set1_groups\n%xdefine _SSL_CTX_set1_groups_list _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_set1_groups_list\n%xdefine _SSL_CTX_set1_param _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_set1_param\n%xdefine _SSL_CTX_set1_sigalgs _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_set1_sigalgs\n%xdefine _SSL_CTX_set1_sigalgs_list _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_set1_sigalgs_list\n%xdefine _SSL_CTX_set1_tls_channel_id _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_set1_tls_channel_id\n%xdefine _SSL_CTX_set1_verify_cert_store _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_set1_verify_cert_store\n%xdefine _SSL_CTX_set_allow_unknown_alpn_protos _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_set_allow_unknown_alpn_protos\n%xdefine _SSL_CTX_set_alpn_protos _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_set_alpn_protos\n%xdefine _SSL_CTX_set_alpn_select_cb _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_set_alpn_select_cb\n%xdefine _SSL_CTX_set_cert_cb _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_set_cert_cb\n%xdefine _SSL_CTX_set_cert_store _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_set_cert_store\n%xdefine _SSL_CTX_set_cert_verify_callback _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_set_cert_verify_callback\n%xdefine _SSL_CTX_set_chain_and_key _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_set_chain_and_key\n%xdefine _SSL_CTX_set_cipher_list _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_set_cipher_list\n%xdefine _SSL_CTX_set_client_CA_list _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_set_client_CA_list\n%xdefine _SSL_CTX_set_client_cert_cb _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_set_client_cert_cb\n%xdefine _SSL_CTX_set_compliance_policy _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_set_compliance_policy\n%xdefine _SSL_CTX_set_current_time_cb _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_set_current_time_cb\n%xdefine _SSL_CTX_set_custom_verify _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_set_custom_verify\n%xdefine _SSL_CTX_set_default_passwd_cb _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_set_default_passwd_cb\n%xdefine _SSL_CTX_set_default_passwd_cb_userdata _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_set_default_passwd_cb_userdata\n%xdefine _SSL_CTX_set_default_verify_paths _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_set_default_verify_paths\n%xdefine _SSL_CTX_set_dos_protection_cb _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_set_dos_protection_cb\n%xdefine _SSL_CTX_set_early_data_enabled _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_set_early_data_enabled\n%xdefine _SSL_CTX_set_ex_data _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_set_ex_data\n%xdefine _SSL_CTX_set_false_start_allowed_without_alpn _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_set_false_start_allowed_without_alpn\n%xdefine _SSL_CTX_set_grease_enabled _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_set_grease_enabled\n%xdefine _SSL_CTX_set_info_callback _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_set_info_callback\n%xdefine _SSL_CTX_set_keylog_callback _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_set_keylog_callback\n%xdefine _SSL_CTX_set_max_cert_list _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_set_max_cert_list\n%xdefine _SSL_CTX_set_max_proto_version _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_set_max_proto_version\n%xdefine _SSL_CTX_set_max_send_fragment _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_set_max_send_fragment\n%xdefine _SSL_CTX_set_min_proto_version _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_set_min_proto_version\n%xdefine _SSL_CTX_set_mode _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_set_mode\n%xdefine _SSL_CTX_set_msg_callback _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_set_msg_callback\n%xdefine _SSL_CTX_set_msg_callback_arg _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_set_msg_callback_arg\n%xdefine _SSL_CTX_set_next_proto_select_cb _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_set_next_proto_select_cb\n%xdefine _SSL_CTX_set_next_protos_advertised_cb _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_set_next_protos_advertised_cb\n%xdefine _SSL_CTX_set_num_tickets _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_set_num_tickets\n%xdefine _SSL_CTX_set_ocsp_response _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_set_ocsp_response\n%xdefine _SSL_CTX_set_options _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_set_options\n%xdefine _SSL_CTX_set_permute_extensions _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_set_permute_extensions\n%xdefine _SSL_CTX_set_private_key_method _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_set_private_key_method\n%xdefine _SSL_CTX_set_psk_client_callback _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_set_psk_client_callback\n%xdefine _SSL_CTX_set_psk_server_callback _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_set_psk_server_callback\n%xdefine _SSL_CTX_set_purpose _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_set_purpose\n%xdefine _SSL_CTX_set_quic_method _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_set_quic_method\n%xdefine _SSL_CTX_set_quiet_shutdown _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_set_quiet_shutdown\n%xdefine _SSL_CTX_set_read_ahead _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_set_read_ahead\n%xdefine _SSL_CTX_set_record_protocol_version _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_set_record_protocol_version\n%xdefine _SSL_CTX_set_retain_only_sha256_of_client_certs _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_set_retain_only_sha256_of_client_certs\n%xdefine _SSL_CTX_set_reverify_on_resume _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_set_reverify_on_resume\n%xdefine _SSL_CTX_set_select_certificate_cb _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_set_select_certificate_cb\n%xdefine _SSL_CTX_set_session_cache_mode _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_set_session_cache_mode\n%xdefine _SSL_CTX_set_session_id_context _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_set_session_id_context\n%xdefine _SSL_CTX_set_session_psk_dhe_timeout _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_set_session_psk_dhe_timeout\n%xdefine _SSL_CTX_set_signed_cert_timestamp_list _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_set_signed_cert_timestamp_list\n%xdefine _SSL_CTX_set_signing_algorithm_prefs _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_set_signing_algorithm_prefs\n%xdefine _SSL_CTX_set_srtp_profiles _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_set_srtp_profiles\n%xdefine _SSL_CTX_set_strict_cipher_list _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_set_strict_cipher_list\n%xdefine _SSL_CTX_set_ticket_aead_method _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_set_ticket_aead_method\n%xdefine _SSL_CTX_set_timeout _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_set_timeout\n%xdefine _SSL_CTX_set_tls_channel_id_enabled _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_set_tls_channel_id_enabled\n%xdefine _SSL_CTX_set_tlsext_servername_arg _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_set_tlsext_servername_arg\n%xdefine _SSL_CTX_set_tlsext_servername_callback _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_set_tlsext_servername_callback\n%xdefine _SSL_CTX_set_tlsext_status_arg _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_set_tlsext_status_arg\n%xdefine _SSL_CTX_set_tlsext_status_cb _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_set_tlsext_status_cb\n%xdefine _SSL_CTX_set_tlsext_ticket_key_cb _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_set_tlsext_ticket_key_cb\n%xdefine _SSL_CTX_set_tlsext_ticket_keys _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_set_tlsext_ticket_keys\n%xdefine _SSL_CTX_set_tlsext_use_srtp _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_set_tlsext_use_srtp\n%xdefine _SSL_CTX_set_tmp_dh _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_set_tmp_dh\n%xdefine _SSL_CTX_set_tmp_dh_callback _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_set_tmp_dh_callback\n%xdefine _SSL_CTX_set_tmp_ecdh _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_set_tmp_ecdh\n%xdefine _SSL_CTX_set_tmp_rsa _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_set_tmp_rsa\n%xdefine _SSL_CTX_set_tmp_rsa_callback _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_set_tmp_rsa_callback\n%xdefine _SSL_CTX_set_trust _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_set_trust\n%xdefine _SSL_CTX_set_verify _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_set_verify\n%xdefine _SSL_CTX_set_verify_algorithm_prefs _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_set_verify_algorithm_prefs\n%xdefine _SSL_CTX_set_verify_depth _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_set_verify_depth\n%xdefine _SSL_CTX_up_ref _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_up_ref\n%xdefine _SSL_CTX_use_PrivateKey _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_use_PrivateKey\n%xdefine _SSL_CTX_use_PrivateKey_ASN1 _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_use_PrivateKey_ASN1\n%xdefine _SSL_CTX_use_PrivateKey_file _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_use_PrivateKey_file\n%xdefine _SSL_CTX_use_RSAPrivateKey _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_use_RSAPrivateKey\n%xdefine _SSL_CTX_use_RSAPrivateKey_ASN1 _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_use_RSAPrivateKey_ASN1\n%xdefine _SSL_CTX_use_RSAPrivateKey_file _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_use_RSAPrivateKey_file\n%xdefine _SSL_CTX_use_certificate _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_use_certificate\n%xdefine _SSL_CTX_use_certificate_ASN1 _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_use_certificate_ASN1\n%xdefine _SSL_CTX_use_certificate_chain_file _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_use_certificate_chain_file\n%xdefine _SSL_CTX_use_certificate_file _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_use_certificate_file\n%xdefine _SSL_CTX_use_psk_identity_hint _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_use_psk_identity_hint\n%xdefine _SSL_ECH_KEYS_add _ %+ BORINGSSL_PREFIX %+ _SSL_ECH_KEYS_add\n%xdefine _SSL_ECH_KEYS_free _ %+ BORINGSSL_PREFIX %+ _SSL_ECH_KEYS_free\n%xdefine _SSL_ECH_KEYS_has_duplicate_config_id _ %+ BORINGSSL_PREFIX %+ _SSL_ECH_KEYS_has_duplicate_config_id\n%xdefine _SSL_ECH_KEYS_marshal_retry_configs _ %+ BORINGSSL_PREFIX %+ _SSL_ECH_KEYS_marshal_retry_configs\n%xdefine _SSL_ECH_KEYS_new _ %+ BORINGSSL_PREFIX %+ _SSL_ECH_KEYS_new\n%xdefine _SSL_ECH_KEYS_up_ref _ %+ BORINGSSL_PREFIX %+ _SSL_ECH_KEYS_up_ref\n%xdefine _SSL_SESSION_copy_without_early_data _ %+ BORINGSSL_PREFIX %+ _SSL_SESSION_copy_without_early_data\n%xdefine _SSL_SESSION_early_data_capable _ %+ BORINGSSL_PREFIX %+ _SSL_SESSION_early_data_capable\n%xdefine _SSL_SESSION_free _ %+ BORINGSSL_PREFIX %+ _SSL_SESSION_free\n%xdefine _SSL_SESSION_from_bytes _ %+ BORINGSSL_PREFIX %+ _SSL_SESSION_from_bytes\n%xdefine _SSL_SESSION_get0_cipher _ %+ BORINGSSL_PREFIX %+ _SSL_SESSION_get0_cipher\n%xdefine _SSL_SESSION_get0_id_context _ %+ BORINGSSL_PREFIX %+ _SSL_SESSION_get0_id_context\n%xdefine _SSL_SESSION_get0_ocsp_response _ %+ BORINGSSL_PREFIX %+ _SSL_SESSION_get0_ocsp_response\n%xdefine _SSL_SESSION_get0_peer _ %+ BORINGSSL_PREFIX %+ _SSL_SESSION_get0_peer\n%xdefine _SSL_SESSION_get0_peer_certificates _ %+ BORINGSSL_PREFIX %+ _SSL_SESSION_get0_peer_certificates\n%xdefine _SSL_SESSION_get0_peer_sha256 _ %+ BORINGSSL_PREFIX %+ _SSL_SESSION_get0_peer_sha256\n%xdefine _SSL_SESSION_get0_signed_cert_timestamp_list _ %+ BORINGSSL_PREFIX %+ _SSL_SESSION_get0_signed_cert_timestamp_list\n%xdefine _SSL_SESSION_get0_ticket _ %+ BORINGSSL_PREFIX %+ _SSL_SESSION_get0_ticket\n%xdefine _SSL_SESSION_get_ex_data _ %+ BORINGSSL_PREFIX %+ _SSL_SESSION_get_ex_data\n%xdefine _SSL_SESSION_get_ex_new_index _ %+ BORINGSSL_PREFIX %+ _SSL_SESSION_get_ex_new_index\n%xdefine _SSL_SESSION_get_id _ %+ BORINGSSL_PREFIX %+ _SSL_SESSION_get_id\n%xdefine _SSL_SESSION_get_master_key _ %+ BORINGSSL_PREFIX %+ _SSL_SESSION_get_master_key\n%xdefine _SSL_SESSION_get_protocol_version _ %+ BORINGSSL_PREFIX %+ _SSL_SESSION_get_protocol_version\n%xdefine _SSL_SESSION_get_ticket_lifetime_hint _ %+ BORINGSSL_PREFIX %+ _SSL_SESSION_get_ticket_lifetime_hint\n%xdefine _SSL_SESSION_get_time _ %+ BORINGSSL_PREFIX %+ _SSL_SESSION_get_time\n%xdefine _SSL_SESSION_get_timeout _ %+ BORINGSSL_PREFIX %+ _SSL_SESSION_get_timeout\n%xdefine _SSL_SESSION_get_version _ %+ BORINGSSL_PREFIX %+ _SSL_SESSION_get_version\n%xdefine _SSL_SESSION_has_peer_sha256 _ %+ BORINGSSL_PREFIX %+ _SSL_SESSION_has_peer_sha256\n%xdefine _SSL_SESSION_has_ticket _ %+ BORINGSSL_PREFIX %+ _SSL_SESSION_has_ticket\n%xdefine _SSL_SESSION_is_resumable _ %+ BORINGSSL_PREFIX %+ _SSL_SESSION_is_resumable\n%xdefine _SSL_SESSION_new _ %+ BORINGSSL_PREFIX %+ _SSL_SESSION_new\n%xdefine _SSL_SESSION_set1_id _ %+ BORINGSSL_PREFIX %+ _SSL_SESSION_set1_id\n%xdefine _SSL_SESSION_set1_id_context _ %+ BORINGSSL_PREFIX %+ _SSL_SESSION_set1_id_context\n%xdefine _SSL_SESSION_set_ex_data _ %+ BORINGSSL_PREFIX %+ _SSL_SESSION_set_ex_data\n%xdefine _SSL_SESSION_set_protocol_version _ %+ BORINGSSL_PREFIX %+ _SSL_SESSION_set_protocol_version\n%xdefine _SSL_SESSION_set_ticket _ %+ BORINGSSL_PREFIX %+ _SSL_SESSION_set_ticket\n%xdefine _SSL_SESSION_set_time _ %+ BORINGSSL_PREFIX %+ _SSL_SESSION_set_time\n%xdefine _SSL_SESSION_set_timeout _ %+ BORINGSSL_PREFIX %+ _SSL_SESSION_set_timeout\n%xdefine _SSL_SESSION_should_be_single_use _ %+ BORINGSSL_PREFIX %+ _SSL_SESSION_should_be_single_use\n%xdefine _SSL_SESSION_to_bytes _ %+ BORINGSSL_PREFIX %+ _SSL_SESSION_to_bytes\n%xdefine _SSL_SESSION_to_bytes_for_ticket _ %+ BORINGSSL_PREFIX %+ _SSL_SESSION_to_bytes_for_ticket\n%xdefine _SSL_SESSION_up_ref _ %+ BORINGSSL_PREFIX %+ _SSL_SESSION_up_ref\n%xdefine _SSL_accept _ %+ BORINGSSL_PREFIX %+ _SSL_accept\n%xdefine _SSL_add0_chain_cert _ %+ BORINGSSL_PREFIX %+ _SSL_add0_chain_cert\n%xdefine _SSL_add1_chain_cert _ %+ BORINGSSL_PREFIX %+ _SSL_add1_chain_cert\n%xdefine _SSL_add1_credential _ %+ BORINGSSL_PREFIX %+ _SSL_add1_credential\n%xdefine _SSL_add_application_settings _ %+ BORINGSSL_PREFIX %+ _SSL_add_application_settings\n%xdefine _SSL_add_bio_cert_subjects_to_stack _ %+ BORINGSSL_PREFIX %+ _SSL_add_bio_cert_subjects_to_stack\n%xdefine _SSL_add_client_CA _ %+ BORINGSSL_PREFIX %+ _SSL_add_client_CA\n%xdefine _SSL_add_file_cert_subjects_to_stack _ %+ BORINGSSL_PREFIX %+ _SSL_add_file_cert_subjects_to_stack\n%xdefine _SSL_alert_desc_string _ %+ BORINGSSL_PREFIX %+ _SSL_alert_desc_string\n%xdefine _SSL_alert_desc_string_long _ %+ BORINGSSL_PREFIX %+ _SSL_alert_desc_string_long\n%xdefine _SSL_alert_from_verify_result _ %+ BORINGSSL_PREFIX %+ _SSL_alert_from_verify_result\n%xdefine _SSL_alert_type_string _ %+ BORINGSSL_PREFIX %+ _SSL_alert_type_string\n%xdefine _SSL_alert_type_string_long _ %+ BORINGSSL_PREFIX %+ _SSL_alert_type_string_long\n%xdefine _SSL_cache_hit _ %+ BORINGSSL_PREFIX %+ _SSL_cache_hit\n%xdefine _SSL_can_release_private_key _ %+ BORINGSSL_PREFIX %+ _SSL_can_release_private_key\n%xdefine _SSL_certs_clear _ %+ BORINGSSL_PREFIX %+ _SSL_certs_clear\n%xdefine _SSL_check_private_key _ %+ BORINGSSL_PREFIX %+ _SSL_check_private_key\n%xdefine _SSL_clear _ %+ BORINGSSL_PREFIX %+ _SSL_clear\n%xdefine _SSL_clear_chain_certs _ %+ BORINGSSL_PREFIX %+ _SSL_clear_chain_certs\n%xdefine _SSL_clear_mode _ %+ BORINGSSL_PREFIX %+ _SSL_clear_mode\n%xdefine _SSL_clear_options _ %+ BORINGSSL_PREFIX %+ _SSL_clear_options\n%xdefine _SSL_connect _ %+ BORINGSSL_PREFIX %+ _SSL_connect\n%xdefine _SSL_cutthrough_complete _ %+ BORINGSSL_PREFIX %+ _SSL_cutthrough_complete\n%xdefine _SSL_do_handshake _ %+ BORINGSSL_PREFIX %+ _SSL_do_handshake\n%xdefine _SSL_dup_CA_list _ %+ BORINGSSL_PREFIX %+ _SSL_dup_CA_list\n%xdefine _SSL_early_callback_ctx_extension_get _ %+ BORINGSSL_PREFIX %+ _SSL_early_callback_ctx_extension_get\n%xdefine _SSL_early_data_accepted _ %+ BORINGSSL_PREFIX %+ _SSL_early_data_accepted\n%xdefine _SSL_early_data_reason_string _ %+ BORINGSSL_PREFIX %+ _SSL_early_data_reason_string\n%xdefine _SSL_ech_accepted _ %+ BORINGSSL_PREFIX %+ _SSL_ech_accepted\n%xdefine _SSL_enable_ocsp_stapling _ %+ BORINGSSL_PREFIX %+ _SSL_enable_ocsp_stapling\n%xdefine _SSL_enable_signed_cert_timestamps _ %+ BORINGSSL_PREFIX %+ _SSL_enable_signed_cert_timestamps\n%xdefine _SSL_enable_tls_channel_id _ %+ BORINGSSL_PREFIX %+ _SSL_enable_tls_channel_id\n%xdefine _SSL_error_description _ %+ BORINGSSL_PREFIX %+ _SSL_error_description\n%xdefine _SSL_export_keying_material _ %+ BORINGSSL_PREFIX %+ _SSL_export_keying_material\n%xdefine _SSL_free _ %+ BORINGSSL_PREFIX %+ _SSL_free\n%xdefine _SSL_generate_key_block _ %+ BORINGSSL_PREFIX %+ _SSL_generate_key_block\n%xdefine _SSL_get0_alpn_selected _ %+ BORINGSSL_PREFIX %+ _SSL_get0_alpn_selected\n%xdefine _SSL_get0_certificate_types _ %+ BORINGSSL_PREFIX %+ _SSL_get0_certificate_types\n%xdefine _SSL_get0_chain _ %+ BORINGSSL_PREFIX %+ _SSL_get0_chain\n%xdefine _SSL_get0_chain_certs _ %+ BORINGSSL_PREFIX %+ _SSL_get0_chain_certs\n%xdefine _SSL_get0_ech_name_override _ %+ BORINGSSL_PREFIX %+ _SSL_get0_ech_name_override\n%xdefine _SSL_get0_ech_retry_configs _ %+ BORINGSSL_PREFIX %+ _SSL_get0_ech_retry_configs\n%xdefine _SSL_get0_next_proto_negotiated _ %+ BORINGSSL_PREFIX %+ _SSL_get0_next_proto_negotiated\n%xdefine _SSL_get0_ocsp_response _ %+ BORINGSSL_PREFIX %+ _SSL_get0_ocsp_response\n%xdefine _SSL_get0_param _ %+ BORINGSSL_PREFIX %+ _SSL_get0_param\n%xdefine _SSL_get0_peer_application_settings _ %+ BORINGSSL_PREFIX %+ _SSL_get0_peer_application_settings\n%xdefine _SSL_get0_peer_certificates _ %+ BORINGSSL_PREFIX %+ _SSL_get0_peer_certificates\n%xdefine _SSL_get0_peer_delegation_algorithms _ %+ BORINGSSL_PREFIX %+ _SSL_get0_peer_delegation_algorithms\n%xdefine _SSL_get0_peer_verify_algorithms _ %+ BORINGSSL_PREFIX %+ _SSL_get0_peer_verify_algorithms\n%xdefine _SSL_get0_selected_credential _ %+ BORINGSSL_PREFIX %+ _SSL_get0_selected_credential\n%xdefine _SSL_get0_server_requested_CAs _ %+ BORINGSSL_PREFIX %+ _SSL_get0_server_requested_CAs\n%xdefine _SSL_get0_session_id_context _ %+ BORINGSSL_PREFIX %+ _SSL_get0_session_id_context\n%xdefine _SSL_get0_signed_cert_timestamp_list _ %+ BORINGSSL_PREFIX %+ _SSL_get0_signed_cert_timestamp_list\n%xdefine _SSL_get1_session _ %+ BORINGSSL_PREFIX %+ _SSL_get1_session\n%xdefine _SSL_get_SSL_CTX _ %+ BORINGSSL_PREFIX %+ _SSL_get_SSL_CTX\n%xdefine _SSL_get_all_cipher_names _ %+ BORINGSSL_PREFIX %+ _SSL_get_all_cipher_names\n%xdefine _SSL_get_all_curve_names _ %+ BORINGSSL_PREFIX %+ _SSL_get_all_curve_names\n%xdefine _SSL_get_all_group_names _ %+ BORINGSSL_PREFIX %+ _SSL_get_all_group_names\n%xdefine _SSL_get_all_signature_algorithm_names _ %+ BORINGSSL_PREFIX %+ _SSL_get_all_signature_algorithm_names\n%xdefine _SSL_get_all_standard_cipher_names _ %+ BORINGSSL_PREFIX %+ _SSL_get_all_standard_cipher_names\n%xdefine _SSL_get_all_version_names _ %+ BORINGSSL_PREFIX %+ _SSL_get_all_version_names\n%xdefine _SSL_get_certificate _ %+ BORINGSSL_PREFIX %+ _SSL_get_certificate\n%xdefine _SSL_get_cipher_by_value _ %+ BORINGSSL_PREFIX %+ _SSL_get_cipher_by_value\n%xdefine _SSL_get_cipher_list _ %+ BORINGSSL_PREFIX %+ _SSL_get_cipher_list\n%xdefine _SSL_get_ciphers _ %+ BORINGSSL_PREFIX %+ _SSL_get_ciphers\n%xdefine _SSL_get_client_CA_list _ %+ BORINGSSL_PREFIX %+ _SSL_get_client_CA_list\n%xdefine _SSL_get_client_random _ %+ BORINGSSL_PREFIX %+ _SSL_get_client_random\n%xdefine _SSL_get_compliance_policy _ %+ BORINGSSL_PREFIX %+ _SSL_get_compliance_policy\n%xdefine _SSL_get_current_cipher _ %+ BORINGSSL_PREFIX %+ _SSL_get_current_cipher\n%xdefine _SSL_get_current_compression _ %+ BORINGSSL_PREFIX %+ _SSL_get_current_compression\n%xdefine _SSL_get_current_expansion _ %+ BORINGSSL_PREFIX %+ _SSL_get_current_expansion\n%xdefine _SSL_get_curve_id _ %+ BORINGSSL_PREFIX %+ _SSL_get_curve_id\n%xdefine _SSL_get_curve_name _ %+ BORINGSSL_PREFIX %+ _SSL_get_curve_name\n%xdefine _SSL_get_default_timeout _ %+ BORINGSSL_PREFIX %+ _SSL_get_default_timeout\n%xdefine _SSL_get_early_data_reason _ %+ BORINGSSL_PREFIX %+ _SSL_get_early_data_reason\n%xdefine _SSL_get_error _ %+ BORINGSSL_PREFIX %+ _SSL_get_error\n%xdefine _SSL_get_ex_data _ %+ BORINGSSL_PREFIX %+ _SSL_get_ex_data\n%xdefine _SSL_get_ex_data_X509_STORE_CTX_idx _ %+ BORINGSSL_PREFIX %+ _SSL_get_ex_data_X509_STORE_CTX_idx\n%xdefine _SSL_get_ex_new_index _ %+ BORINGSSL_PREFIX %+ _SSL_get_ex_new_index\n%xdefine _SSL_get_extms_support _ %+ BORINGSSL_PREFIX %+ _SSL_get_extms_support\n%xdefine _SSL_get_fd _ %+ BORINGSSL_PREFIX %+ _SSL_get_fd\n%xdefine _SSL_get_finished _ %+ BORINGSSL_PREFIX %+ _SSL_get_finished\n%xdefine _SSL_get_group_id _ %+ BORINGSSL_PREFIX %+ _SSL_get_group_id\n%xdefine _SSL_get_group_name _ %+ BORINGSSL_PREFIX %+ _SSL_get_group_name\n%xdefine _SSL_get_info_callback _ %+ BORINGSSL_PREFIX %+ _SSL_get_info_callback\n%xdefine _SSL_get_ivs _ %+ BORINGSSL_PREFIX %+ _SSL_get_ivs\n%xdefine _SSL_get_key_block_len _ %+ BORINGSSL_PREFIX %+ _SSL_get_key_block_len\n%xdefine _SSL_get_max_cert_list _ %+ BORINGSSL_PREFIX %+ _SSL_get_max_cert_list\n%xdefine _SSL_get_max_proto_version _ %+ BORINGSSL_PREFIX %+ _SSL_get_max_proto_version\n%xdefine _SSL_get_min_proto_version _ %+ BORINGSSL_PREFIX %+ _SSL_get_min_proto_version\n%xdefine _SSL_get_mode _ %+ BORINGSSL_PREFIX %+ _SSL_get_mode\n%xdefine _SSL_get_negotiated_group _ %+ BORINGSSL_PREFIX %+ _SSL_get_negotiated_group\n%xdefine _SSL_get_options _ %+ BORINGSSL_PREFIX %+ _SSL_get_options\n%xdefine _SSL_get_peer_cert_chain _ %+ BORINGSSL_PREFIX %+ _SSL_get_peer_cert_chain\n%xdefine _SSL_get_peer_certificate _ %+ BORINGSSL_PREFIX %+ _SSL_get_peer_certificate\n%xdefine _SSL_get_peer_finished _ %+ BORINGSSL_PREFIX %+ _SSL_get_peer_finished\n%xdefine _SSL_get_peer_full_cert_chain _ %+ BORINGSSL_PREFIX %+ _SSL_get_peer_full_cert_chain\n%xdefine _SSL_get_peer_quic_transport_params _ %+ BORINGSSL_PREFIX %+ _SSL_get_peer_quic_transport_params\n%xdefine _SSL_get_peer_signature_algorithm _ %+ BORINGSSL_PREFIX %+ _SSL_get_peer_signature_algorithm\n%xdefine _SSL_get_pending_cipher _ %+ BORINGSSL_PREFIX %+ _SSL_get_pending_cipher\n%xdefine _SSL_get_privatekey _ %+ BORINGSSL_PREFIX %+ _SSL_get_privatekey\n%xdefine _SSL_get_psk_identity _ %+ BORINGSSL_PREFIX %+ _SSL_get_psk_identity\n%xdefine _SSL_get_psk_identity_hint _ %+ BORINGSSL_PREFIX %+ _SSL_get_psk_identity_hint\n%xdefine _SSL_get_quiet_shutdown _ %+ BORINGSSL_PREFIX %+ _SSL_get_quiet_shutdown\n%xdefine _SSL_get_rbio _ %+ BORINGSSL_PREFIX %+ _SSL_get_rbio\n%xdefine _SSL_get_read_ahead _ %+ BORINGSSL_PREFIX %+ _SSL_get_read_ahead\n%xdefine _SSL_get_read_sequence _ %+ BORINGSSL_PREFIX %+ _SSL_get_read_sequence\n%xdefine _SSL_get_rfd _ %+ BORINGSSL_PREFIX %+ _SSL_get_rfd\n%xdefine _SSL_get_secure_renegotiation_support _ %+ BORINGSSL_PREFIX %+ _SSL_get_secure_renegotiation_support\n%xdefine _SSL_get_selected_srtp_profile _ %+ BORINGSSL_PREFIX %+ _SSL_get_selected_srtp_profile\n%xdefine _SSL_get_server_random _ %+ BORINGSSL_PREFIX %+ _SSL_get_server_random\n%xdefine _SSL_get_server_tmp_key _ %+ BORINGSSL_PREFIX %+ _SSL_get_server_tmp_key\n%xdefine _SSL_get_servername _ %+ BORINGSSL_PREFIX %+ _SSL_get_servername\n%xdefine _SSL_get_servername_type _ %+ BORINGSSL_PREFIX %+ _SSL_get_servername_type\n%xdefine _SSL_get_session _ %+ BORINGSSL_PREFIX %+ _SSL_get_session\n%xdefine _SSL_get_shared_ciphers _ %+ BORINGSSL_PREFIX %+ _SSL_get_shared_ciphers\n%xdefine _SSL_get_shared_sigalgs _ %+ BORINGSSL_PREFIX %+ _SSL_get_shared_sigalgs\n%xdefine _SSL_get_shutdown _ %+ BORINGSSL_PREFIX %+ _SSL_get_shutdown\n%xdefine _SSL_get_signature_algorithm_digest _ %+ BORINGSSL_PREFIX %+ _SSL_get_signature_algorithm_digest\n%xdefine _SSL_get_signature_algorithm_key_type _ %+ BORINGSSL_PREFIX %+ _SSL_get_signature_algorithm_key_type\n%xdefine _SSL_get_signature_algorithm_name _ %+ BORINGSSL_PREFIX %+ _SSL_get_signature_algorithm_name\n%xdefine _SSL_get_srtp_profiles _ %+ BORINGSSL_PREFIX %+ _SSL_get_srtp_profiles\n%xdefine _SSL_get_ticket_age_skew _ %+ BORINGSSL_PREFIX %+ _SSL_get_ticket_age_skew\n%xdefine _SSL_get_tls_channel_id _ %+ BORINGSSL_PREFIX %+ _SSL_get_tls_channel_id\n%xdefine _SSL_get_tls_unique _ %+ BORINGSSL_PREFIX %+ _SSL_get_tls_unique\n%xdefine _SSL_get_tlsext_status_ocsp_resp _ %+ BORINGSSL_PREFIX %+ _SSL_get_tlsext_status_ocsp_resp\n%xdefine _SSL_get_tlsext_status_type _ %+ BORINGSSL_PREFIX %+ _SSL_get_tlsext_status_type\n%xdefine _SSL_get_verify_callback _ %+ BORINGSSL_PREFIX %+ _SSL_get_verify_callback\n%xdefine _SSL_get_verify_depth _ %+ BORINGSSL_PREFIX %+ _SSL_get_verify_depth\n%xdefine _SSL_get_verify_mode _ %+ BORINGSSL_PREFIX %+ _SSL_get_verify_mode\n%xdefine _SSL_get_verify_result _ %+ BORINGSSL_PREFIX %+ _SSL_get_verify_result\n%xdefine _SSL_get_version _ %+ BORINGSSL_PREFIX %+ _SSL_get_version\n%xdefine _SSL_get_wbio _ %+ BORINGSSL_PREFIX %+ _SSL_get_wbio\n%xdefine _SSL_get_wfd _ %+ BORINGSSL_PREFIX %+ _SSL_get_wfd\n%xdefine _SSL_get_write_sequence _ %+ BORINGSSL_PREFIX %+ _SSL_get_write_sequence\n%xdefine _SSL_has_application_settings _ %+ BORINGSSL_PREFIX %+ _SSL_has_application_settings\n%xdefine _SSL_has_pending _ %+ BORINGSSL_PREFIX %+ _SSL_has_pending\n%xdefine _SSL_in_early_data _ %+ BORINGSSL_PREFIX %+ _SSL_in_early_data\n%xdefine _SSL_in_false_start _ %+ BORINGSSL_PREFIX %+ _SSL_in_false_start\n%xdefine _SSL_in_init _ %+ BORINGSSL_PREFIX %+ _SSL_in_init\n%xdefine _SSL_is_dtls _ %+ BORINGSSL_PREFIX %+ _SSL_is_dtls\n%xdefine _SSL_is_init_finished _ %+ BORINGSSL_PREFIX %+ _SSL_is_init_finished\n%xdefine _SSL_is_quic _ %+ BORINGSSL_PREFIX %+ _SSL_is_quic\n%xdefine _SSL_is_server _ %+ BORINGSSL_PREFIX %+ _SSL_is_server\n%xdefine _SSL_is_signature_algorithm_rsa_pss _ %+ BORINGSSL_PREFIX %+ _SSL_is_signature_algorithm_rsa_pss\n%xdefine _SSL_key_update _ %+ BORINGSSL_PREFIX %+ _SSL_key_update\n%xdefine _SSL_library_init _ %+ BORINGSSL_PREFIX %+ _SSL_library_init\n%xdefine _SSL_load_client_CA_file _ %+ BORINGSSL_PREFIX %+ _SSL_load_client_CA_file\n%xdefine _SSL_load_error_strings _ %+ BORINGSSL_PREFIX %+ _SSL_load_error_strings\n%xdefine _SSL_magic_pending_session_ptr _ %+ BORINGSSL_PREFIX %+ _SSL_magic_pending_session_ptr\n%xdefine _SSL_marshal_ech_config _ %+ BORINGSSL_PREFIX %+ _SSL_marshal_ech_config\n%xdefine _SSL_max_seal_overhead _ %+ BORINGSSL_PREFIX %+ _SSL_max_seal_overhead\n%xdefine _SSL_need_tmp_RSA _ %+ BORINGSSL_PREFIX %+ _SSL_need_tmp_RSA\n%xdefine _SSL_new _ %+ BORINGSSL_PREFIX %+ _SSL_new\n%xdefine _SSL_num_renegotiations _ %+ BORINGSSL_PREFIX %+ _SSL_num_renegotiations\n%xdefine _SSL_peek _ %+ BORINGSSL_PREFIX %+ _SSL_peek\n%xdefine _SSL_pending _ %+ BORINGSSL_PREFIX %+ _SSL_pending\n%xdefine _SSL_process_quic_post_handshake _ %+ BORINGSSL_PREFIX %+ _SSL_process_quic_post_handshake\n%xdefine _SSL_process_tls13_new_session_ticket _ %+ BORINGSSL_PREFIX %+ _SSL_process_tls13_new_session_ticket\n%xdefine _SSL_provide_quic_data _ %+ BORINGSSL_PREFIX %+ _SSL_provide_quic_data\n%xdefine _SSL_quic_max_handshake_flight_len _ %+ BORINGSSL_PREFIX %+ _SSL_quic_max_handshake_flight_len\n%xdefine _SSL_quic_read_level _ %+ BORINGSSL_PREFIX %+ _SSL_quic_read_level\n%xdefine _SSL_quic_write_level _ %+ BORINGSSL_PREFIX %+ _SSL_quic_write_level\n%xdefine _SSL_read _ %+ BORINGSSL_PREFIX %+ _SSL_read\n%xdefine _SSL_renegotiate _ %+ BORINGSSL_PREFIX %+ _SSL_renegotiate\n%xdefine _SSL_renegotiate_pending _ %+ BORINGSSL_PREFIX %+ _SSL_renegotiate_pending\n%xdefine _SSL_request_handshake_hints _ %+ BORINGSSL_PREFIX %+ _SSL_request_handshake_hints\n%xdefine _SSL_reset_early_data_reject _ %+ BORINGSSL_PREFIX %+ _SSL_reset_early_data_reject\n%xdefine _SSL_select_next_proto _ %+ BORINGSSL_PREFIX %+ _SSL_select_next_proto\n%xdefine _SSL_send_fatal_alert _ %+ BORINGSSL_PREFIX %+ _SSL_send_fatal_alert\n%xdefine _SSL_serialize_capabilities _ %+ BORINGSSL_PREFIX %+ _SSL_serialize_capabilities\n%xdefine _SSL_serialize_handshake_hints _ %+ BORINGSSL_PREFIX %+ _SSL_serialize_handshake_hints\n%xdefine _SSL_session_reused _ %+ BORINGSSL_PREFIX %+ _SSL_session_reused\n%xdefine _SSL_set0_CA_names _ %+ BORINGSSL_PREFIX %+ _SSL_set0_CA_names\n%xdefine _SSL_set0_chain _ %+ BORINGSSL_PREFIX %+ _SSL_set0_chain\n%xdefine _SSL_set0_client_CAs _ %+ BORINGSSL_PREFIX %+ _SSL_set0_client_CAs\n%xdefine _SSL_set0_rbio _ %+ BORINGSSL_PREFIX %+ _SSL_set0_rbio\n%xdefine _SSL_set0_verify_cert_store _ %+ BORINGSSL_PREFIX %+ _SSL_set0_verify_cert_store\n%xdefine _SSL_set0_wbio _ %+ BORINGSSL_PREFIX %+ _SSL_set0_wbio\n%xdefine _SSL_set1_chain _ %+ BORINGSSL_PREFIX %+ _SSL_set1_chain\n%xdefine _SSL_set1_curves _ %+ BORINGSSL_PREFIX %+ _SSL_set1_curves\n%xdefine _SSL_set1_curves_list _ %+ BORINGSSL_PREFIX %+ _SSL_set1_curves_list\n%xdefine _SSL_set1_ech_config_list _ %+ BORINGSSL_PREFIX %+ _SSL_set1_ech_config_list\n%xdefine _SSL_set1_group_ids _ %+ BORINGSSL_PREFIX %+ _SSL_set1_group_ids\n%xdefine _SSL_set1_groups _ %+ BORINGSSL_PREFIX %+ _SSL_set1_groups\n%xdefine _SSL_set1_groups_list _ %+ BORINGSSL_PREFIX %+ _SSL_set1_groups_list\n%xdefine _SSL_set1_host _ %+ BORINGSSL_PREFIX %+ _SSL_set1_host\n%xdefine _SSL_set1_param _ %+ BORINGSSL_PREFIX %+ _SSL_set1_param\n%xdefine _SSL_set1_sigalgs _ %+ BORINGSSL_PREFIX %+ _SSL_set1_sigalgs\n%xdefine _SSL_set1_sigalgs_list _ %+ BORINGSSL_PREFIX %+ _SSL_set1_sigalgs_list\n%xdefine _SSL_set1_tls_channel_id _ %+ BORINGSSL_PREFIX %+ _SSL_set1_tls_channel_id\n%xdefine _SSL_set1_verify_cert_store _ %+ BORINGSSL_PREFIX %+ _SSL_set1_verify_cert_store\n%xdefine _SSL_set_SSL_CTX _ %+ BORINGSSL_PREFIX %+ _SSL_set_SSL_CTX\n%xdefine _SSL_set_accept_state _ %+ BORINGSSL_PREFIX %+ _SSL_set_accept_state\n%xdefine _SSL_set_alpn_protos _ %+ BORINGSSL_PREFIX %+ _SSL_set_alpn_protos\n%xdefine _SSL_set_alps_use_new_codepoint _ %+ BORINGSSL_PREFIX %+ _SSL_set_alps_use_new_codepoint\n%xdefine _SSL_set_bio _ %+ BORINGSSL_PREFIX %+ _SSL_set_bio\n%xdefine _SSL_set_cert_cb _ %+ BORINGSSL_PREFIX %+ _SSL_set_cert_cb\n%xdefine _SSL_set_chain_and_key _ %+ BORINGSSL_PREFIX %+ _SSL_set_chain_and_key\n%xdefine _SSL_set_check_client_certificate_type _ %+ BORINGSSL_PREFIX %+ _SSL_set_check_client_certificate_type\n%xdefine _SSL_set_check_ecdsa_curve _ %+ BORINGSSL_PREFIX %+ _SSL_set_check_ecdsa_curve\n%xdefine _SSL_set_cipher_list _ %+ BORINGSSL_PREFIX %+ _SSL_set_cipher_list\n%xdefine _SSL_set_client_CA_list _ %+ BORINGSSL_PREFIX %+ _SSL_set_client_CA_list\n%xdefine _SSL_set_compliance_policy _ %+ BORINGSSL_PREFIX %+ _SSL_set_compliance_policy\n%xdefine _SSL_set_connect_state _ %+ BORINGSSL_PREFIX %+ _SSL_set_connect_state\n%xdefine _SSL_set_custom_verify _ %+ BORINGSSL_PREFIX %+ _SSL_set_custom_verify\n%xdefine _SSL_set_early_data_enabled _ %+ BORINGSSL_PREFIX %+ _SSL_set_early_data_enabled\n%xdefine _SSL_set_enable_ech_grease _ %+ BORINGSSL_PREFIX %+ _SSL_set_enable_ech_grease\n%xdefine _SSL_set_enforce_rsa_key_usage _ %+ BORINGSSL_PREFIX %+ _SSL_set_enforce_rsa_key_usage\n%xdefine _SSL_set_ex_data _ %+ BORINGSSL_PREFIX %+ _SSL_set_ex_data\n%xdefine _SSL_set_fd _ %+ BORINGSSL_PREFIX %+ _SSL_set_fd\n%xdefine _SSL_set_handshake_hints _ %+ BORINGSSL_PREFIX %+ _SSL_set_handshake_hints\n%xdefine _SSL_set_hostflags _ %+ BORINGSSL_PREFIX %+ _SSL_set_hostflags\n%xdefine _SSL_set_info_callback _ %+ BORINGSSL_PREFIX %+ _SSL_set_info_callback\n%xdefine _SSL_set_jdk11_workaround _ %+ BORINGSSL_PREFIX %+ _SSL_set_jdk11_workaround\n%xdefine _SSL_set_max_cert_list _ %+ BORINGSSL_PREFIX %+ _SSL_set_max_cert_list\n%xdefine _SSL_set_max_proto_version _ %+ BORINGSSL_PREFIX %+ _SSL_set_max_proto_version\n%xdefine _SSL_set_max_send_fragment _ %+ BORINGSSL_PREFIX %+ _SSL_set_max_send_fragment\n%xdefine _SSL_set_min_proto_version _ %+ BORINGSSL_PREFIX %+ _SSL_set_min_proto_version\n%xdefine _SSL_set_mode _ %+ BORINGSSL_PREFIX %+ _SSL_set_mode\n%xdefine _SSL_set_msg_callback _ %+ BORINGSSL_PREFIX %+ _SSL_set_msg_callback\n%xdefine _SSL_set_msg_callback_arg _ %+ BORINGSSL_PREFIX %+ _SSL_set_msg_callback_arg\n%xdefine _SSL_set_mtu _ %+ BORINGSSL_PREFIX %+ _SSL_set_mtu\n%xdefine _SSL_set_ocsp_response _ %+ BORINGSSL_PREFIX %+ _SSL_set_ocsp_response\n%xdefine _SSL_set_options _ %+ BORINGSSL_PREFIX %+ _SSL_set_options\n%xdefine _SSL_set_permute_extensions _ %+ BORINGSSL_PREFIX %+ _SSL_set_permute_extensions\n%xdefine _SSL_set_private_key_method _ %+ BORINGSSL_PREFIX %+ _SSL_set_private_key_method\n%xdefine _SSL_set_psk_client_callback _ %+ BORINGSSL_PREFIX %+ _SSL_set_psk_client_callback\n%xdefine _SSL_set_psk_server_callback _ %+ BORINGSSL_PREFIX %+ _SSL_set_psk_server_callback\n%xdefine _SSL_set_purpose _ %+ BORINGSSL_PREFIX %+ _SSL_set_purpose\n%xdefine _SSL_set_quic_early_data_context _ %+ BORINGSSL_PREFIX %+ _SSL_set_quic_early_data_context\n%xdefine _SSL_set_quic_method _ %+ BORINGSSL_PREFIX %+ _SSL_set_quic_method\n%xdefine _SSL_set_quic_transport_params _ %+ BORINGSSL_PREFIX %+ _SSL_set_quic_transport_params\n%xdefine _SSL_set_quic_use_legacy_codepoint _ %+ BORINGSSL_PREFIX %+ _SSL_set_quic_use_legacy_codepoint\n%xdefine _SSL_set_quiet_shutdown _ %+ BORINGSSL_PREFIX %+ _SSL_set_quiet_shutdown\n%xdefine _SSL_set_read_ahead _ %+ BORINGSSL_PREFIX %+ _SSL_set_read_ahead\n%xdefine _SSL_set_renegotiate_mode _ %+ BORINGSSL_PREFIX %+ _SSL_set_renegotiate_mode\n%xdefine _SSL_set_retain_only_sha256_of_client_certs _ %+ BORINGSSL_PREFIX %+ _SSL_set_retain_only_sha256_of_client_certs\n%xdefine _SSL_set_rfd _ %+ BORINGSSL_PREFIX %+ _SSL_set_rfd\n%xdefine _SSL_set_session _ %+ BORINGSSL_PREFIX %+ _SSL_set_session\n%xdefine _SSL_set_session_id_context _ %+ BORINGSSL_PREFIX %+ _SSL_set_session_id_context\n%xdefine _SSL_set_shed_handshake_config _ %+ BORINGSSL_PREFIX %+ _SSL_set_shed_handshake_config\n%xdefine _SSL_set_shutdown _ %+ BORINGSSL_PREFIX %+ _SSL_set_shutdown\n%xdefine _SSL_set_signed_cert_timestamp_list _ %+ BORINGSSL_PREFIX %+ _SSL_set_signed_cert_timestamp_list\n%xdefine _SSL_set_signing_algorithm_prefs _ %+ BORINGSSL_PREFIX %+ _SSL_set_signing_algorithm_prefs\n%xdefine _SSL_set_srtp_profiles _ %+ BORINGSSL_PREFIX %+ _SSL_set_srtp_profiles\n%xdefine _SSL_set_state _ %+ BORINGSSL_PREFIX %+ _SSL_set_state\n%xdefine _SSL_set_strict_cipher_list _ %+ BORINGSSL_PREFIX %+ _SSL_set_strict_cipher_list\n%xdefine _SSL_set_tls_channel_id_enabled _ %+ BORINGSSL_PREFIX %+ _SSL_set_tls_channel_id_enabled\n%xdefine _SSL_set_tlsext_host_name _ %+ BORINGSSL_PREFIX %+ _SSL_set_tlsext_host_name\n%xdefine _SSL_set_tlsext_status_ocsp_resp _ %+ BORINGSSL_PREFIX %+ _SSL_set_tlsext_status_ocsp_resp\n%xdefine _SSL_set_tlsext_status_type _ %+ BORINGSSL_PREFIX %+ _SSL_set_tlsext_status_type\n%xdefine _SSL_set_tlsext_use_srtp _ %+ BORINGSSL_PREFIX %+ _SSL_set_tlsext_use_srtp\n%xdefine _SSL_set_tmp_dh _ %+ BORINGSSL_PREFIX %+ _SSL_set_tmp_dh\n%xdefine _SSL_set_tmp_dh_callback _ %+ BORINGSSL_PREFIX %+ _SSL_set_tmp_dh_callback\n%xdefine _SSL_set_tmp_ecdh _ %+ BORINGSSL_PREFIX %+ _SSL_set_tmp_ecdh\n%xdefine _SSL_set_tmp_rsa _ %+ BORINGSSL_PREFIX %+ _SSL_set_tmp_rsa\n%xdefine _SSL_set_tmp_rsa_callback _ %+ BORINGSSL_PREFIX %+ _SSL_set_tmp_rsa_callback\n%xdefine _SSL_set_trust _ %+ BORINGSSL_PREFIX %+ _SSL_set_trust\n%xdefine _SSL_set_verify _ %+ BORINGSSL_PREFIX %+ _SSL_set_verify\n%xdefine _SSL_set_verify_algorithm_prefs _ %+ BORINGSSL_PREFIX %+ _SSL_set_verify_algorithm_prefs\n%xdefine _SSL_set_verify_depth _ %+ BORINGSSL_PREFIX %+ _SSL_set_verify_depth\n%xdefine _SSL_set_wfd _ %+ BORINGSSL_PREFIX %+ _SSL_set_wfd\n%xdefine _SSL_shutdown _ %+ BORINGSSL_PREFIX %+ _SSL_shutdown\n%xdefine _SSL_state _ %+ BORINGSSL_PREFIX %+ _SSL_state\n%xdefine _SSL_state_string _ %+ BORINGSSL_PREFIX %+ _SSL_state_string\n%xdefine _SSL_state_string_long _ %+ BORINGSSL_PREFIX %+ _SSL_state_string_long\n%xdefine _SSL_total_renegotiations _ %+ BORINGSSL_PREFIX %+ _SSL_total_renegotiations\n%xdefine _SSL_use_PrivateKey _ %+ BORINGSSL_PREFIX %+ _SSL_use_PrivateKey\n%xdefine _SSL_use_PrivateKey_ASN1 _ %+ BORINGSSL_PREFIX %+ _SSL_use_PrivateKey_ASN1\n%xdefine _SSL_use_PrivateKey_file _ %+ BORINGSSL_PREFIX %+ _SSL_use_PrivateKey_file\n%xdefine _SSL_use_RSAPrivateKey _ %+ BORINGSSL_PREFIX %+ _SSL_use_RSAPrivateKey\n%xdefine _SSL_use_RSAPrivateKey_ASN1 _ %+ BORINGSSL_PREFIX %+ _SSL_use_RSAPrivateKey_ASN1\n%xdefine _SSL_use_RSAPrivateKey_file _ %+ BORINGSSL_PREFIX %+ _SSL_use_RSAPrivateKey_file\n%xdefine _SSL_use_certificate _ %+ BORINGSSL_PREFIX %+ _SSL_use_certificate\n%xdefine _SSL_use_certificate_ASN1 _ %+ BORINGSSL_PREFIX %+ _SSL_use_certificate_ASN1\n%xdefine _SSL_use_certificate_file _ %+ BORINGSSL_PREFIX %+ _SSL_use_certificate_file\n%xdefine _SSL_use_psk_identity_hint _ %+ BORINGSSL_PREFIX %+ _SSL_use_psk_identity_hint\n%xdefine _SSL_used_hello_retry_request _ %+ BORINGSSL_PREFIX %+ _SSL_used_hello_retry_request\n%xdefine _SSL_version _ %+ BORINGSSL_PREFIX %+ _SSL_version\n%xdefine _SSL_want _ %+ BORINGSSL_PREFIX %+ _SSL_want\n%xdefine _SSL_was_key_usage_invalid _ %+ BORINGSSL_PREFIX %+ _SSL_was_key_usage_invalid\n%xdefine _SSL_write _ %+ BORINGSSL_PREFIX %+ _SSL_write\n%xdefine _SSLeay _ %+ BORINGSSL_PREFIX %+ _SSLeay\n%xdefine _SSLeay_version _ %+ BORINGSSL_PREFIX %+ _SSLeay_version\n%xdefine _SSLv23_client_method _ %+ BORINGSSL_PREFIX %+ _SSLv23_client_method\n%xdefine _SSLv23_method _ %+ BORINGSSL_PREFIX %+ _SSLv23_method\n%xdefine _SSLv23_server_method _ %+ BORINGSSL_PREFIX %+ _SSLv23_server_method\n%xdefine _TLS_client_method _ %+ BORINGSSL_PREFIX %+ _TLS_client_method\n%xdefine _TLS_method _ %+ BORINGSSL_PREFIX %+ _TLS_method\n%xdefine _TLS_server_method _ %+ BORINGSSL_PREFIX %+ _TLS_server_method\n%xdefine _TLS_with_buffers_method _ %+ BORINGSSL_PREFIX %+ _TLS_with_buffers_method\n%xdefine _TLSv1_1_client_method _ %+ BORINGSSL_PREFIX %+ _TLSv1_1_client_method\n%xdefine _TLSv1_1_method _ %+ BORINGSSL_PREFIX %+ _TLSv1_1_method\n%xdefine _TLSv1_1_server_method _ %+ BORINGSSL_PREFIX %+ _TLSv1_1_server_method\n%xdefine _TLSv1_2_client_method _ %+ BORINGSSL_PREFIX %+ _TLSv1_2_client_method\n%xdefine _TLSv1_2_method _ %+ BORINGSSL_PREFIX %+ _TLSv1_2_method\n%xdefine _TLSv1_2_server_method _ %+ BORINGSSL_PREFIX %+ _TLSv1_2_server_method\n%xdefine _TLSv1_client_method _ %+ BORINGSSL_PREFIX %+ _TLSv1_client_method\n%xdefine _TLSv1_method _ %+ BORINGSSL_PREFIX %+ _TLSv1_method\n%xdefine _TLSv1_server_method _ %+ BORINGSSL_PREFIX %+ _TLSv1_server_method\n%xdefine _TRUST_TOKEN_CLIENT_add_key _ %+ BORINGSSL_PREFIX %+ _TRUST_TOKEN_CLIENT_add_key\n%xdefine _TRUST_TOKEN_CLIENT_begin_issuance _ %+ BORINGSSL_PREFIX %+ _TRUST_TOKEN_CLIENT_begin_issuance\n%xdefine _TRUST_TOKEN_CLIENT_begin_issuance_over_message _ %+ BORINGSSL_PREFIX %+ _TRUST_TOKEN_CLIENT_begin_issuance_over_message\n%xdefine _TRUST_TOKEN_CLIENT_begin_redemption _ %+ BORINGSSL_PREFIX %+ _TRUST_TOKEN_CLIENT_begin_redemption\n%xdefine _TRUST_TOKEN_CLIENT_finish_issuance _ %+ BORINGSSL_PREFIX %+ _TRUST_TOKEN_CLIENT_finish_issuance\n%xdefine _TRUST_TOKEN_CLIENT_finish_redemption _ %+ BORINGSSL_PREFIX %+ _TRUST_TOKEN_CLIENT_finish_redemption\n%xdefine _TRUST_TOKEN_CLIENT_free _ %+ BORINGSSL_PREFIX %+ _TRUST_TOKEN_CLIENT_free\n%xdefine _TRUST_TOKEN_CLIENT_new _ %+ BORINGSSL_PREFIX %+ _TRUST_TOKEN_CLIENT_new\n%xdefine _TRUST_TOKEN_CLIENT_set_srr_key _ %+ BORINGSSL_PREFIX %+ _TRUST_TOKEN_CLIENT_set_srr_key\n%xdefine _TRUST_TOKEN_ISSUER_add_key _ %+ BORINGSSL_PREFIX %+ _TRUST_TOKEN_ISSUER_add_key\n%xdefine _TRUST_TOKEN_ISSUER_free _ %+ BORINGSSL_PREFIX %+ _TRUST_TOKEN_ISSUER_free\n%xdefine _TRUST_TOKEN_ISSUER_issue _ %+ BORINGSSL_PREFIX %+ _TRUST_TOKEN_ISSUER_issue\n%xdefine _TRUST_TOKEN_ISSUER_new _ %+ BORINGSSL_PREFIX %+ _TRUST_TOKEN_ISSUER_new\n%xdefine _TRUST_TOKEN_ISSUER_redeem _ %+ BORINGSSL_PREFIX %+ _TRUST_TOKEN_ISSUER_redeem\n%xdefine _TRUST_TOKEN_ISSUER_redeem_over_message _ %+ BORINGSSL_PREFIX %+ _TRUST_TOKEN_ISSUER_redeem_over_message\n%xdefine _TRUST_TOKEN_ISSUER_set_metadata_key _ %+ BORINGSSL_PREFIX %+ _TRUST_TOKEN_ISSUER_set_metadata_key\n%xdefine _TRUST_TOKEN_ISSUER_set_srr_key _ %+ BORINGSSL_PREFIX %+ _TRUST_TOKEN_ISSUER_set_srr_key\n%xdefine _TRUST_TOKEN_PRETOKEN_free _ %+ BORINGSSL_PREFIX %+ _TRUST_TOKEN_PRETOKEN_free\n%xdefine _TRUST_TOKEN_decode_private_metadata _ %+ BORINGSSL_PREFIX %+ _TRUST_TOKEN_decode_private_metadata\n%xdefine _TRUST_TOKEN_derive_key_from_secret _ %+ BORINGSSL_PREFIX %+ _TRUST_TOKEN_derive_key_from_secret\n%xdefine _TRUST_TOKEN_experiment_v1 _ %+ BORINGSSL_PREFIX %+ _TRUST_TOKEN_experiment_v1\n%xdefine _TRUST_TOKEN_experiment_v2_pmb _ %+ BORINGSSL_PREFIX %+ _TRUST_TOKEN_experiment_v2_pmb\n%xdefine _TRUST_TOKEN_experiment_v2_voprf _ %+ BORINGSSL_PREFIX %+ _TRUST_TOKEN_experiment_v2_voprf\n%xdefine _TRUST_TOKEN_free _ %+ BORINGSSL_PREFIX %+ _TRUST_TOKEN_free\n%xdefine _TRUST_TOKEN_generate_key _ %+ BORINGSSL_PREFIX %+ _TRUST_TOKEN_generate_key\n%xdefine _TRUST_TOKEN_new _ %+ BORINGSSL_PREFIX %+ _TRUST_TOKEN_new\n%xdefine _TRUST_TOKEN_pst_v1_pmb _ %+ BORINGSSL_PREFIX %+ _TRUST_TOKEN_pst_v1_pmb\n%xdefine _TRUST_TOKEN_pst_v1_voprf _ %+ BORINGSSL_PREFIX %+ _TRUST_TOKEN_pst_v1_voprf\n%xdefine _USERNOTICE_free _ %+ BORINGSSL_PREFIX %+ _USERNOTICE_free\n%xdefine _USERNOTICE_it _ %+ BORINGSSL_PREFIX %+ _USERNOTICE_it\n%xdefine _USERNOTICE_new _ %+ BORINGSSL_PREFIX %+ _USERNOTICE_new\n%xdefine _X25519 _ %+ BORINGSSL_PREFIX %+ _X25519\n%xdefine _X25519_keypair _ %+ BORINGSSL_PREFIX %+ _X25519_keypair\n%xdefine _X25519_public_from_private _ %+ BORINGSSL_PREFIX %+ _X25519_public_from_private\n%xdefine _X509V3_EXT_CRL_add_nconf _ %+ BORINGSSL_PREFIX %+ _X509V3_EXT_CRL_add_nconf\n%xdefine _X509V3_EXT_REQ_add_nconf _ %+ BORINGSSL_PREFIX %+ _X509V3_EXT_REQ_add_nconf\n%xdefine _X509V3_EXT_add _ %+ BORINGSSL_PREFIX %+ _X509V3_EXT_add\n%xdefine _X509V3_EXT_add_alias _ %+ BORINGSSL_PREFIX %+ _X509V3_EXT_add_alias\n%xdefine _X509V3_EXT_add_nconf _ %+ BORINGSSL_PREFIX %+ _X509V3_EXT_add_nconf\n%xdefine _X509V3_EXT_add_nconf_sk _ %+ BORINGSSL_PREFIX %+ _X509V3_EXT_add_nconf_sk\n%xdefine _X509V3_EXT_d2i _ %+ BORINGSSL_PREFIX %+ _X509V3_EXT_d2i\n%xdefine _X509V3_EXT_free _ %+ BORINGSSL_PREFIX %+ _X509V3_EXT_free\n%xdefine _X509V3_EXT_get _ %+ BORINGSSL_PREFIX %+ _X509V3_EXT_get\n%xdefine _X509V3_EXT_get_nid _ %+ BORINGSSL_PREFIX %+ _X509V3_EXT_get_nid\n%xdefine _X509V3_EXT_i2d _ %+ BORINGSSL_PREFIX %+ _X509V3_EXT_i2d\n%xdefine _X509V3_EXT_nconf _ %+ BORINGSSL_PREFIX %+ _X509V3_EXT_nconf\n%xdefine _X509V3_EXT_nconf_nid _ %+ BORINGSSL_PREFIX %+ _X509V3_EXT_nconf_nid\n%xdefine _X509V3_EXT_print _ %+ BORINGSSL_PREFIX %+ _X509V3_EXT_print\n%xdefine _X509V3_EXT_print_fp _ %+ BORINGSSL_PREFIX %+ _X509V3_EXT_print_fp\n%xdefine _X509V3_NAME_from_section _ %+ BORINGSSL_PREFIX %+ _X509V3_NAME_from_section\n%xdefine _X509V3_add1_i2d _ %+ BORINGSSL_PREFIX %+ _X509V3_add1_i2d\n%xdefine _X509V3_add_standard_extensions _ %+ BORINGSSL_PREFIX %+ _X509V3_add_standard_extensions\n%xdefine _X509V3_add_value _ %+ BORINGSSL_PREFIX %+ _X509V3_add_value\n%xdefine _X509V3_add_value_bool _ %+ BORINGSSL_PREFIX %+ _X509V3_add_value_bool\n%xdefine _X509V3_add_value_int _ %+ BORINGSSL_PREFIX %+ _X509V3_add_value_int\n%xdefine _X509V3_bool_from_string _ %+ BORINGSSL_PREFIX %+ _X509V3_bool_from_string\n%xdefine _X509V3_conf_free _ %+ BORINGSSL_PREFIX %+ _X509V3_conf_free\n%xdefine _X509V3_extensions_print _ %+ BORINGSSL_PREFIX %+ _X509V3_extensions_print\n%xdefine _X509V3_get_d2i _ %+ BORINGSSL_PREFIX %+ _X509V3_get_d2i\n%xdefine _X509V3_get_section _ %+ BORINGSSL_PREFIX %+ _X509V3_get_section\n%xdefine _X509V3_get_value_bool _ %+ BORINGSSL_PREFIX %+ _X509V3_get_value_bool\n%xdefine _X509V3_get_value_int _ %+ BORINGSSL_PREFIX %+ _X509V3_get_value_int\n%xdefine _X509V3_parse_list _ %+ BORINGSSL_PREFIX %+ _X509V3_parse_list\n%xdefine _X509V3_set_ctx _ %+ BORINGSSL_PREFIX %+ _X509V3_set_ctx\n%xdefine _X509V3_set_nconf _ %+ BORINGSSL_PREFIX %+ _X509V3_set_nconf\n%xdefine _X509_ALGOR_cmp _ %+ BORINGSSL_PREFIX %+ _X509_ALGOR_cmp\n%xdefine _X509_ALGOR_dup _ %+ BORINGSSL_PREFIX %+ _X509_ALGOR_dup\n%xdefine _X509_ALGOR_free _ %+ BORINGSSL_PREFIX %+ _X509_ALGOR_free\n%xdefine _X509_ALGOR_get0 _ %+ BORINGSSL_PREFIX %+ _X509_ALGOR_get0\n%xdefine _X509_ALGOR_it _ %+ BORINGSSL_PREFIX %+ _X509_ALGOR_it\n%xdefine _X509_ALGOR_new _ %+ BORINGSSL_PREFIX %+ _X509_ALGOR_new\n%xdefine _X509_ALGOR_set0 _ %+ BORINGSSL_PREFIX %+ _X509_ALGOR_set0\n%xdefine _X509_ALGOR_set_md _ %+ BORINGSSL_PREFIX %+ _X509_ALGOR_set_md\n%xdefine _X509_ATTRIBUTE_count _ %+ BORINGSSL_PREFIX %+ _X509_ATTRIBUTE_count\n%xdefine _X509_ATTRIBUTE_create _ %+ BORINGSSL_PREFIX %+ _X509_ATTRIBUTE_create\n%xdefine _X509_ATTRIBUTE_create_by_NID _ %+ BORINGSSL_PREFIX %+ _X509_ATTRIBUTE_create_by_NID\n%xdefine _X509_ATTRIBUTE_create_by_OBJ _ %+ BORINGSSL_PREFIX %+ _X509_ATTRIBUTE_create_by_OBJ\n%xdefine _X509_ATTRIBUTE_create_by_txt _ %+ BORINGSSL_PREFIX %+ _X509_ATTRIBUTE_create_by_txt\n%xdefine _X509_ATTRIBUTE_dup _ %+ BORINGSSL_PREFIX %+ _X509_ATTRIBUTE_dup\n%xdefine _X509_ATTRIBUTE_free _ %+ BORINGSSL_PREFIX %+ _X509_ATTRIBUTE_free\n%xdefine _X509_ATTRIBUTE_get0_data _ %+ BORINGSSL_PREFIX %+ _X509_ATTRIBUTE_get0_data\n%xdefine _X509_ATTRIBUTE_get0_object _ %+ BORINGSSL_PREFIX %+ _X509_ATTRIBUTE_get0_object\n%xdefine _X509_ATTRIBUTE_get0_type _ %+ BORINGSSL_PREFIX %+ _X509_ATTRIBUTE_get0_type\n%xdefine _X509_ATTRIBUTE_it _ %+ BORINGSSL_PREFIX %+ _X509_ATTRIBUTE_it\n%xdefine _X509_ATTRIBUTE_new _ %+ BORINGSSL_PREFIX %+ _X509_ATTRIBUTE_new\n%xdefine _X509_ATTRIBUTE_set1_data _ %+ BORINGSSL_PREFIX %+ _X509_ATTRIBUTE_set1_data\n%xdefine _X509_ATTRIBUTE_set1_object _ %+ BORINGSSL_PREFIX %+ _X509_ATTRIBUTE_set1_object\n%xdefine _X509_CERT_AUX_free _ %+ BORINGSSL_PREFIX %+ _X509_CERT_AUX_free\n%xdefine _X509_CERT_AUX_it _ %+ BORINGSSL_PREFIX %+ _X509_CERT_AUX_it\n%xdefine _X509_CERT_AUX_new _ %+ BORINGSSL_PREFIX %+ _X509_CERT_AUX_new\n%xdefine _X509_CERT_AUX_print _ %+ BORINGSSL_PREFIX %+ _X509_CERT_AUX_print\n%xdefine _X509_CINF_free _ %+ BORINGSSL_PREFIX %+ _X509_CINF_free\n%xdefine _X509_CINF_it _ %+ BORINGSSL_PREFIX %+ _X509_CINF_it\n%xdefine _X509_CINF_new _ %+ BORINGSSL_PREFIX %+ _X509_CINF_new\n%xdefine _X509_CRL_INFO_free _ %+ BORINGSSL_PREFIX %+ _X509_CRL_INFO_free\n%xdefine _X509_CRL_INFO_it _ %+ BORINGSSL_PREFIX %+ _X509_CRL_INFO_it\n%xdefine _X509_CRL_INFO_new _ %+ BORINGSSL_PREFIX %+ _X509_CRL_INFO_new\n%xdefine _X509_CRL_add0_revoked _ %+ BORINGSSL_PREFIX %+ _X509_CRL_add0_revoked\n%xdefine _X509_CRL_add1_ext_i2d _ %+ BORINGSSL_PREFIX %+ _X509_CRL_add1_ext_i2d\n%xdefine _X509_CRL_add_ext _ %+ BORINGSSL_PREFIX %+ _X509_CRL_add_ext\n%xdefine _X509_CRL_cmp _ %+ BORINGSSL_PREFIX %+ _X509_CRL_cmp\n%xdefine _X509_CRL_delete_ext _ %+ BORINGSSL_PREFIX %+ _X509_CRL_delete_ext\n%xdefine _X509_CRL_digest _ %+ BORINGSSL_PREFIX %+ _X509_CRL_digest\n%xdefine _X509_CRL_dup _ %+ BORINGSSL_PREFIX %+ _X509_CRL_dup\n%xdefine _X509_CRL_free _ %+ BORINGSSL_PREFIX %+ _X509_CRL_free\n%xdefine _X509_CRL_get0_by_cert _ %+ BORINGSSL_PREFIX %+ _X509_CRL_get0_by_cert\n%xdefine _X509_CRL_get0_by_serial _ %+ BORINGSSL_PREFIX %+ _X509_CRL_get0_by_serial\n%xdefine _X509_CRL_get0_extensions _ %+ BORINGSSL_PREFIX %+ _X509_CRL_get0_extensions\n%xdefine _X509_CRL_get0_lastUpdate _ %+ BORINGSSL_PREFIX %+ _X509_CRL_get0_lastUpdate\n%xdefine _X509_CRL_get0_nextUpdate _ %+ BORINGSSL_PREFIX %+ _X509_CRL_get0_nextUpdate\n%xdefine _X509_CRL_get0_signature _ %+ BORINGSSL_PREFIX %+ _X509_CRL_get0_signature\n%xdefine _X509_CRL_get_REVOKED _ %+ BORINGSSL_PREFIX %+ _X509_CRL_get_REVOKED\n%xdefine _X509_CRL_get_ext _ %+ BORINGSSL_PREFIX %+ _X509_CRL_get_ext\n%xdefine _X509_CRL_get_ext_by_NID _ %+ BORINGSSL_PREFIX %+ _X509_CRL_get_ext_by_NID\n%xdefine _X509_CRL_get_ext_by_OBJ _ %+ BORINGSSL_PREFIX %+ _X509_CRL_get_ext_by_OBJ\n%xdefine _X509_CRL_get_ext_by_critical _ %+ BORINGSSL_PREFIX %+ _X509_CRL_get_ext_by_critical\n%xdefine _X509_CRL_get_ext_count _ %+ BORINGSSL_PREFIX %+ _X509_CRL_get_ext_count\n%xdefine _X509_CRL_get_ext_d2i _ %+ BORINGSSL_PREFIX %+ _X509_CRL_get_ext_d2i\n%xdefine _X509_CRL_get_issuer _ %+ BORINGSSL_PREFIX %+ _X509_CRL_get_issuer\n%xdefine _X509_CRL_get_lastUpdate _ %+ BORINGSSL_PREFIX %+ _X509_CRL_get_lastUpdate\n%xdefine _X509_CRL_get_nextUpdate _ %+ BORINGSSL_PREFIX %+ _X509_CRL_get_nextUpdate\n%xdefine _X509_CRL_get_signature_nid _ %+ BORINGSSL_PREFIX %+ _X509_CRL_get_signature_nid\n%xdefine _X509_CRL_get_version _ %+ BORINGSSL_PREFIX %+ _X509_CRL_get_version\n%xdefine _X509_CRL_it _ %+ BORINGSSL_PREFIX %+ _X509_CRL_it\n%xdefine _X509_CRL_match _ %+ BORINGSSL_PREFIX %+ _X509_CRL_match\n%xdefine _X509_CRL_new _ %+ BORINGSSL_PREFIX %+ _X509_CRL_new\n%xdefine _X509_CRL_print _ %+ BORINGSSL_PREFIX %+ _X509_CRL_print\n%xdefine _X509_CRL_print_fp _ %+ BORINGSSL_PREFIX %+ _X509_CRL_print_fp\n%xdefine _X509_CRL_set1_lastUpdate _ %+ BORINGSSL_PREFIX %+ _X509_CRL_set1_lastUpdate\n%xdefine _X509_CRL_set1_nextUpdate _ %+ BORINGSSL_PREFIX %+ _X509_CRL_set1_nextUpdate\n%xdefine _X509_CRL_set1_signature_algo _ %+ BORINGSSL_PREFIX %+ _X509_CRL_set1_signature_algo\n%xdefine _X509_CRL_set1_signature_value _ %+ BORINGSSL_PREFIX %+ _X509_CRL_set1_signature_value\n%xdefine _X509_CRL_set_issuer_name _ %+ BORINGSSL_PREFIX %+ _X509_CRL_set_issuer_name\n%xdefine _X509_CRL_set_version _ %+ BORINGSSL_PREFIX %+ _X509_CRL_set_version\n%xdefine _X509_CRL_sign _ %+ BORINGSSL_PREFIX %+ _X509_CRL_sign\n%xdefine _X509_CRL_sign_ctx _ %+ BORINGSSL_PREFIX %+ _X509_CRL_sign_ctx\n%xdefine _X509_CRL_sort _ %+ BORINGSSL_PREFIX %+ _X509_CRL_sort\n%xdefine _X509_CRL_up_ref _ %+ BORINGSSL_PREFIX %+ _X509_CRL_up_ref\n%xdefine _X509_CRL_verify _ %+ BORINGSSL_PREFIX %+ _X509_CRL_verify\n%xdefine _X509_EXTENSIONS_it _ %+ BORINGSSL_PREFIX %+ _X509_EXTENSIONS_it\n%xdefine _X509_EXTENSION_create_by_NID _ %+ BORINGSSL_PREFIX %+ _X509_EXTENSION_create_by_NID\n%xdefine _X509_EXTENSION_create_by_OBJ _ %+ BORINGSSL_PREFIX %+ _X509_EXTENSION_create_by_OBJ\n%xdefine _X509_EXTENSION_dup _ %+ BORINGSSL_PREFIX %+ _X509_EXTENSION_dup\n%xdefine _X509_EXTENSION_free _ %+ BORINGSSL_PREFIX %+ _X509_EXTENSION_free\n%xdefine _X509_EXTENSION_get_critical _ %+ BORINGSSL_PREFIX %+ _X509_EXTENSION_get_critical\n%xdefine _X509_EXTENSION_get_data _ %+ BORINGSSL_PREFIX %+ _X509_EXTENSION_get_data\n%xdefine _X509_EXTENSION_get_object _ %+ BORINGSSL_PREFIX %+ _X509_EXTENSION_get_object\n%xdefine _X509_EXTENSION_it _ %+ BORINGSSL_PREFIX %+ _X509_EXTENSION_it\n%xdefine _X509_EXTENSION_new _ %+ BORINGSSL_PREFIX %+ _X509_EXTENSION_new\n%xdefine _X509_EXTENSION_set_critical _ %+ BORINGSSL_PREFIX %+ _X509_EXTENSION_set_critical\n%xdefine _X509_EXTENSION_set_data _ %+ BORINGSSL_PREFIX %+ _X509_EXTENSION_set_data\n%xdefine _X509_EXTENSION_set_object _ %+ BORINGSSL_PREFIX %+ _X509_EXTENSION_set_object\n%xdefine _X509_INFO_free _ %+ BORINGSSL_PREFIX %+ _X509_INFO_free\n%xdefine _X509_LOOKUP_add_dir _ %+ BORINGSSL_PREFIX %+ _X509_LOOKUP_add_dir\n%xdefine _X509_LOOKUP_ctrl _ %+ BORINGSSL_PREFIX %+ _X509_LOOKUP_ctrl\n%xdefine _X509_LOOKUP_file _ %+ BORINGSSL_PREFIX %+ _X509_LOOKUP_file\n%xdefine _X509_LOOKUP_free _ %+ BORINGSSL_PREFIX %+ _X509_LOOKUP_free\n%xdefine _X509_LOOKUP_hash_dir _ %+ BORINGSSL_PREFIX %+ _X509_LOOKUP_hash_dir\n%xdefine _X509_LOOKUP_load_file _ %+ BORINGSSL_PREFIX %+ _X509_LOOKUP_load_file\n%xdefine _X509_NAME_ENTRY_create_by_NID _ %+ BORINGSSL_PREFIX %+ _X509_NAME_ENTRY_create_by_NID\n%xdefine _X509_NAME_ENTRY_create_by_OBJ _ %+ BORINGSSL_PREFIX %+ _X509_NAME_ENTRY_create_by_OBJ\n%xdefine _X509_NAME_ENTRY_create_by_txt _ %+ BORINGSSL_PREFIX %+ _X509_NAME_ENTRY_create_by_txt\n%xdefine _X509_NAME_ENTRY_dup _ %+ BORINGSSL_PREFIX %+ _X509_NAME_ENTRY_dup\n%xdefine _X509_NAME_ENTRY_free _ %+ BORINGSSL_PREFIX %+ _X509_NAME_ENTRY_free\n%xdefine _X509_NAME_ENTRY_get_data _ %+ BORINGSSL_PREFIX %+ _X509_NAME_ENTRY_get_data\n%xdefine _X509_NAME_ENTRY_get_object _ %+ BORINGSSL_PREFIX %+ _X509_NAME_ENTRY_get_object\n%xdefine _X509_NAME_ENTRY_it _ %+ BORINGSSL_PREFIX %+ _X509_NAME_ENTRY_it\n%xdefine _X509_NAME_ENTRY_new _ %+ BORINGSSL_PREFIX %+ _X509_NAME_ENTRY_new\n%xdefine _X509_NAME_ENTRY_set _ %+ BORINGSSL_PREFIX %+ _X509_NAME_ENTRY_set\n%xdefine _X509_NAME_ENTRY_set_data _ %+ BORINGSSL_PREFIX %+ _X509_NAME_ENTRY_set_data\n%xdefine _X509_NAME_ENTRY_set_object _ %+ BORINGSSL_PREFIX %+ _X509_NAME_ENTRY_set_object\n%xdefine _X509_NAME_add_entry _ %+ BORINGSSL_PREFIX %+ _X509_NAME_add_entry\n%xdefine _X509_NAME_add_entry_by_NID _ %+ BORINGSSL_PREFIX %+ _X509_NAME_add_entry_by_NID\n%xdefine _X509_NAME_add_entry_by_OBJ _ %+ BORINGSSL_PREFIX %+ _X509_NAME_add_entry_by_OBJ\n%xdefine _X509_NAME_add_entry_by_txt _ %+ BORINGSSL_PREFIX %+ _X509_NAME_add_entry_by_txt\n%xdefine _X509_NAME_cmp _ %+ BORINGSSL_PREFIX %+ _X509_NAME_cmp\n%xdefine _X509_NAME_delete_entry _ %+ BORINGSSL_PREFIX %+ _X509_NAME_delete_entry\n%xdefine _X509_NAME_digest _ %+ BORINGSSL_PREFIX %+ _X509_NAME_digest\n%xdefine _X509_NAME_dup _ %+ BORINGSSL_PREFIX %+ _X509_NAME_dup\n%xdefine _X509_NAME_entry_count _ %+ BORINGSSL_PREFIX %+ _X509_NAME_entry_count\n%xdefine _X509_NAME_free _ %+ BORINGSSL_PREFIX %+ _X509_NAME_free\n%xdefine _X509_NAME_get0_der _ %+ BORINGSSL_PREFIX %+ _X509_NAME_get0_der\n%xdefine _X509_NAME_get_entry _ %+ BORINGSSL_PREFIX %+ _X509_NAME_get_entry\n%xdefine _X509_NAME_get_index_by_NID _ %+ BORINGSSL_PREFIX %+ _X509_NAME_get_index_by_NID\n%xdefine _X509_NAME_get_index_by_OBJ _ %+ BORINGSSL_PREFIX %+ _X509_NAME_get_index_by_OBJ\n%xdefine _X509_NAME_get_text_by_NID _ %+ BORINGSSL_PREFIX %+ _X509_NAME_get_text_by_NID\n%xdefine _X509_NAME_get_text_by_OBJ _ %+ BORINGSSL_PREFIX %+ _X509_NAME_get_text_by_OBJ\n%xdefine _X509_NAME_hash _ %+ BORINGSSL_PREFIX %+ _X509_NAME_hash\n%xdefine _X509_NAME_hash_old _ %+ BORINGSSL_PREFIX %+ _X509_NAME_hash_old\n%xdefine _X509_NAME_it _ %+ BORINGSSL_PREFIX %+ _X509_NAME_it\n%xdefine _X509_NAME_new _ %+ BORINGSSL_PREFIX %+ _X509_NAME_new\n%xdefine _X509_NAME_oneline _ %+ BORINGSSL_PREFIX %+ _X509_NAME_oneline\n%xdefine _X509_NAME_print _ %+ BORINGSSL_PREFIX %+ _X509_NAME_print\n%xdefine _X509_NAME_print_ex _ %+ BORINGSSL_PREFIX %+ _X509_NAME_print_ex\n%xdefine _X509_NAME_print_ex_fp _ %+ BORINGSSL_PREFIX %+ _X509_NAME_print_ex_fp\n%xdefine _X509_NAME_set _ %+ BORINGSSL_PREFIX %+ _X509_NAME_set\n%xdefine _X509_OBJECT_free _ %+ BORINGSSL_PREFIX %+ _X509_OBJECT_free\n%xdefine _X509_OBJECT_free_contents _ %+ BORINGSSL_PREFIX %+ _X509_OBJECT_free_contents\n%xdefine _X509_OBJECT_get0_X509 _ %+ BORINGSSL_PREFIX %+ _X509_OBJECT_get0_X509\n%xdefine _X509_OBJECT_get_type _ %+ BORINGSSL_PREFIX %+ _X509_OBJECT_get_type\n%xdefine _X509_OBJECT_new _ %+ BORINGSSL_PREFIX %+ _X509_OBJECT_new\n%xdefine _X509_PUBKEY_free _ %+ BORINGSSL_PREFIX %+ _X509_PUBKEY_free\n%xdefine _X509_PUBKEY_get _ %+ BORINGSSL_PREFIX %+ _X509_PUBKEY_get\n%xdefine _X509_PUBKEY_get0 _ %+ BORINGSSL_PREFIX %+ _X509_PUBKEY_get0\n%xdefine _X509_PUBKEY_get0_param _ %+ BORINGSSL_PREFIX %+ _X509_PUBKEY_get0_param\n%xdefine _X509_PUBKEY_get0_public_key _ %+ BORINGSSL_PREFIX %+ _X509_PUBKEY_get0_public_key\n%xdefine _X509_PUBKEY_it _ %+ BORINGSSL_PREFIX %+ _X509_PUBKEY_it\n%xdefine _X509_PUBKEY_new _ %+ BORINGSSL_PREFIX %+ _X509_PUBKEY_new\n%xdefine _X509_PUBKEY_set _ %+ BORINGSSL_PREFIX %+ _X509_PUBKEY_set\n%xdefine _X509_PUBKEY_set0_param _ %+ BORINGSSL_PREFIX %+ _X509_PUBKEY_set0_param\n%xdefine _X509_PURPOSE_get0 _ %+ BORINGSSL_PREFIX %+ _X509_PURPOSE_get0\n%xdefine _X509_PURPOSE_get_by_sname _ %+ BORINGSSL_PREFIX %+ _X509_PURPOSE_get_by_sname\n%xdefine _X509_PURPOSE_get_id _ %+ BORINGSSL_PREFIX %+ _X509_PURPOSE_get_id\n%xdefine _X509_PURPOSE_get_trust _ %+ BORINGSSL_PREFIX %+ _X509_PURPOSE_get_trust\n%xdefine _X509_REQ_INFO_free _ %+ BORINGSSL_PREFIX %+ _X509_REQ_INFO_free\n%xdefine _X509_REQ_INFO_it _ %+ BORINGSSL_PREFIX %+ _X509_REQ_INFO_it\n%xdefine _X509_REQ_INFO_new _ %+ BORINGSSL_PREFIX %+ _X509_REQ_INFO_new\n%xdefine _X509_REQ_add1_attr _ %+ BORINGSSL_PREFIX %+ _X509_REQ_add1_attr\n%xdefine _X509_REQ_add1_attr_by_NID _ %+ BORINGSSL_PREFIX %+ _X509_REQ_add1_attr_by_NID\n%xdefine _X509_REQ_add1_attr_by_OBJ _ %+ BORINGSSL_PREFIX %+ _X509_REQ_add1_attr_by_OBJ\n%xdefine _X509_REQ_add1_attr_by_txt _ %+ BORINGSSL_PREFIX %+ _X509_REQ_add1_attr_by_txt\n%xdefine _X509_REQ_add_extensions _ %+ BORINGSSL_PREFIX %+ _X509_REQ_add_extensions\n%xdefine _X509_REQ_add_extensions_nid _ %+ BORINGSSL_PREFIX %+ _X509_REQ_add_extensions_nid\n%xdefine _X509_REQ_check_private_key _ %+ BORINGSSL_PREFIX %+ _X509_REQ_check_private_key\n%xdefine _X509_REQ_delete_attr _ %+ BORINGSSL_PREFIX %+ _X509_REQ_delete_attr\n%xdefine _X509_REQ_digest _ %+ BORINGSSL_PREFIX %+ _X509_REQ_digest\n%xdefine _X509_REQ_dup _ %+ BORINGSSL_PREFIX %+ _X509_REQ_dup\n%xdefine _X509_REQ_extension_nid _ %+ BORINGSSL_PREFIX %+ _X509_REQ_extension_nid\n%xdefine _X509_REQ_free _ %+ BORINGSSL_PREFIX %+ _X509_REQ_free\n%xdefine _X509_REQ_get0_pubkey _ %+ BORINGSSL_PREFIX %+ _X509_REQ_get0_pubkey\n%xdefine _X509_REQ_get0_signature _ %+ BORINGSSL_PREFIX %+ _X509_REQ_get0_signature\n%xdefine _X509_REQ_get1_email _ %+ BORINGSSL_PREFIX %+ _X509_REQ_get1_email\n%xdefine _X509_REQ_get_attr _ %+ BORINGSSL_PREFIX %+ _X509_REQ_get_attr\n%xdefine _X509_REQ_get_attr_by_NID _ %+ BORINGSSL_PREFIX %+ _X509_REQ_get_attr_by_NID\n%xdefine _X509_REQ_get_attr_by_OBJ _ %+ BORINGSSL_PREFIX %+ _X509_REQ_get_attr_by_OBJ\n%xdefine _X509_REQ_get_attr_count _ %+ BORINGSSL_PREFIX %+ _X509_REQ_get_attr_count\n%xdefine _X509_REQ_get_extensions _ %+ BORINGSSL_PREFIX %+ _X509_REQ_get_extensions\n%xdefine _X509_REQ_get_pubkey _ %+ BORINGSSL_PREFIX %+ _X509_REQ_get_pubkey\n%xdefine _X509_REQ_get_signature_nid _ %+ BORINGSSL_PREFIX %+ _X509_REQ_get_signature_nid\n%xdefine _X509_REQ_get_subject_name _ %+ BORINGSSL_PREFIX %+ _X509_REQ_get_subject_name\n%xdefine _X509_REQ_get_version _ %+ BORINGSSL_PREFIX %+ _X509_REQ_get_version\n%xdefine _X509_REQ_it _ %+ BORINGSSL_PREFIX %+ _X509_REQ_it\n%xdefine _X509_REQ_new _ %+ BORINGSSL_PREFIX %+ _X509_REQ_new\n%xdefine _X509_REQ_print _ %+ BORINGSSL_PREFIX %+ _X509_REQ_print\n%xdefine _X509_REQ_print_ex _ %+ BORINGSSL_PREFIX %+ _X509_REQ_print_ex\n%xdefine _X509_REQ_print_fp _ %+ BORINGSSL_PREFIX %+ _X509_REQ_print_fp\n%xdefine _X509_REQ_set1_signature_algo _ %+ BORINGSSL_PREFIX %+ _X509_REQ_set1_signature_algo\n%xdefine _X509_REQ_set1_signature_value _ %+ BORINGSSL_PREFIX %+ _X509_REQ_set1_signature_value\n%xdefine _X509_REQ_set_pubkey _ %+ BORINGSSL_PREFIX %+ _X509_REQ_set_pubkey\n%xdefine _X509_REQ_set_subject_name _ %+ BORINGSSL_PREFIX %+ _X509_REQ_set_subject_name\n%xdefine _X509_REQ_set_version _ %+ BORINGSSL_PREFIX %+ _X509_REQ_set_version\n%xdefine _X509_REQ_sign _ %+ BORINGSSL_PREFIX %+ _X509_REQ_sign\n%xdefine _X509_REQ_sign_ctx _ %+ BORINGSSL_PREFIX %+ _X509_REQ_sign_ctx\n%xdefine _X509_REQ_verify _ %+ BORINGSSL_PREFIX %+ _X509_REQ_verify\n%xdefine _X509_REVOKED_add1_ext_i2d _ %+ BORINGSSL_PREFIX %+ _X509_REVOKED_add1_ext_i2d\n%xdefine _X509_REVOKED_add_ext _ %+ BORINGSSL_PREFIX %+ _X509_REVOKED_add_ext\n%xdefine _X509_REVOKED_delete_ext _ %+ BORINGSSL_PREFIX %+ _X509_REVOKED_delete_ext\n%xdefine _X509_REVOKED_dup _ %+ BORINGSSL_PREFIX %+ _X509_REVOKED_dup\n%xdefine _X509_REVOKED_free _ %+ BORINGSSL_PREFIX %+ _X509_REVOKED_free\n%xdefine _X509_REVOKED_get0_extensions _ %+ BORINGSSL_PREFIX %+ _X509_REVOKED_get0_extensions\n%xdefine _X509_REVOKED_get0_revocationDate _ %+ BORINGSSL_PREFIX %+ _X509_REVOKED_get0_revocationDate\n%xdefine _X509_REVOKED_get0_serialNumber _ %+ BORINGSSL_PREFIX %+ _X509_REVOKED_get0_serialNumber\n%xdefine _X509_REVOKED_get_ext _ %+ BORINGSSL_PREFIX %+ _X509_REVOKED_get_ext\n%xdefine _X509_REVOKED_get_ext_by_NID _ %+ BORINGSSL_PREFIX %+ _X509_REVOKED_get_ext_by_NID\n%xdefine _X509_REVOKED_get_ext_by_OBJ _ %+ BORINGSSL_PREFIX %+ _X509_REVOKED_get_ext_by_OBJ\n%xdefine _X509_REVOKED_get_ext_by_critical _ %+ BORINGSSL_PREFIX %+ _X509_REVOKED_get_ext_by_critical\n%xdefine _X509_REVOKED_get_ext_count _ %+ BORINGSSL_PREFIX %+ _X509_REVOKED_get_ext_count\n%xdefine _X509_REVOKED_get_ext_d2i _ %+ BORINGSSL_PREFIX %+ _X509_REVOKED_get_ext_d2i\n%xdefine _X509_REVOKED_it _ %+ BORINGSSL_PREFIX %+ _X509_REVOKED_it\n%xdefine _X509_REVOKED_new _ %+ BORINGSSL_PREFIX %+ _X509_REVOKED_new\n%xdefine _X509_REVOKED_set_revocationDate _ %+ BORINGSSL_PREFIX %+ _X509_REVOKED_set_revocationDate\n%xdefine _X509_REVOKED_set_serialNumber _ %+ BORINGSSL_PREFIX %+ _X509_REVOKED_set_serialNumber\n%xdefine _X509_SIG_free _ %+ BORINGSSL_PREFIX %+ _X509_SIG_free\n%xdefine _X509_SIG_get0 _ %+ BORINGSSL_PREFIX %+ _X509_SIG_get0\n%xdefine _X509_SIG_getm _ %+ BORINGSSL_PREFIX %+ _X509_SIG_getm\n%xdefine _X509_SIG_new _ %+ BORINGSSL_PREFIX %+ _X509_SIG_new\n%xdefine _X509_STORE_CTX_cleanup _ %+ BORINGSSL_PREFIX %+ _X509_STORE_CTX_cleanup\n%xdefine _X509_STORE_CTX_free _ %+ BORINGSSL_PREFIX %+ _X509_STORE_CTX_free\n%xdefine _X509_STORE_CTX_get0_cert _ %+ BORINGSSL_PREFIX %+ _X509_STORE_CTX_get0_cert\n%xdefine _X509_STORE_CTX_get0_chain _ %+ BORINGSSL_PREFIX %+ _X509_STORE_CTX_get0_chain\n%xdefine _X509_STORE_CTX_get0_current_crl _ %+ BORINGSSL_PREFIX %+ _X509_STORE_CTX_get0_current_crl\n%xdefine _X509_STORE_CTX_get0_param _ %+ BORINGSSL_PREFIX %+ _X509_STORE_CTX_get0_param\n%xdefine _X509_STORE_CTX_get0_parent_ctx _ %+ BORINGSSL_PREFIX %+ _X509_STORE_CTX_get0_parent_ctx\n%xdefine _X509_STORE_CTX_get0_store _ %+ BORINGSSL_PREFIX %+ _X509_STORE_CTX_get0_store\n%xdefine _X509_STORE_CTX_get0_untrusted _ %+ BORINGSSL_PREFIX %+ _X509_STORE_CTX_get0_untrusted\n%xdefine _X509_STORE_CTX_get1_certs _ %+ BORINGSSL_PREFIX %+ _X509_STORE_CTX_get1_certs\n%xdefine _X509_STORE_CTX_get1_chain _ %+ BORINGSSL_PREFIX %+ _X509_STORE_CTX_get1_chain\n%xdefine _X509_STORE_CTX_get1_crls _ %+ BORINGSSL_PREFIX %+ _X509_STORE_CTX_get1_crls\n%xdefine _X509_STORE_CTX_get1_issuer _ %+ BORINGSSL_PREFIX %+ _X509_STORE_CTX_get1_issuer\n%xdefine _X509_STORE_CTX_get_by_subject _ %+ BORINGSSL_PREFIX %+ _X509_STORE_CTX_get_by_subject\n%xdefine _X509_STORE_CTX_get_chain _ %+ BORINGSSL_PREFIX %+ _X509_STORE_CTX_get_chain\n%xdefine _X509_STORE_CTX_get_current_cert _ %+ BORINGSSL_PREFIX %+ _X509_STORE_CTX_get_current_cert\n%xdefine _X509_STORE_CTX_get_error _ %+ BORINGSSL_PREFIX %+ _X509_STORE_CTX_get_error\n%xdefine _X509_STORE_CTX_get_error_depth _ %+ BORINGSSL_PREFIX %+ _X509_STORE_CTX_get_error_depth\n%xdefine _X509_STORE_CTX_get_ex_data _ %+ BORINGSSL_PREFIX %+ _X509_STORE_CTX_get_ex_data\n%xdefine _X509_STORE_CTX_get_ex_new_index _ %+ BORINGSSL_PREFIX %+ _X509_STORE_CTX_get_ex_new_index\n%xdefine _X509_STORE_CTX_init _ %+ BORINGSSL_PREFIX %+ _X509_STORE_CTX_init\n%xdefine _X509_STORE_CTX_new _ %+ BORINGSSL_PREFIX %+ _X509_STORE_CTX_new\n%xdefine _X509_STORE_CTX_set0_crls _ %+ BORINGSSL_PREFIX %+ _X509_STORE_CTX_set0_crls\n%xdefine _X509_STORE_CTX_set0_param _ %+ BORINGSSL_PREFIX %+ _X509_STORE_CTX_set0_param\n%xdefine _X509_STORE_CTX_set0_trusted_stack _ %+ BORINGSSL_PREFIX %+ _X509_STORE_CTX_set0_trusted_stack\n%xdefine _X509_STORE_CTX_set_chain _ %+ BORINGSSL_PREFIX %+ _X509_STORE_CTX_set_chain\n%xdefine _X509_STORE_CTX_set_default _ %+ BORINGSSL_PREFIX %+ _X509_STORE_CTX_set_default\n%xdefine _X509_STORE_CTX_set_depth _ %+ BORINGSSL_PREFIX %+ _X509_STORE_CTX_set_depth\n%xdefine _X509_STORE_CTX_set_error _ %+ BORINGSSL_PREFIX %+ _X509_STORE_CTX_set_error\n%xdefine _X509_STORE_CTX_set_ex_data _ %+ BORINGSSL_PREFIX %+ _X509_STORE_CTX_set_ex_data\n%xdefine _X509_STORE_CTX_set_flags _ %+ BORINGSSL_PREFIX %+ _X509_STORE_CTX_set_flags\n%xdefine _X509_STORE_CTX_set_purpose _ %+ BORINGSSL_PREFIX %+ _X509_STORE_CTX_set_purpose\n%xdefine _X509_STORE_CTX_set_time _ %+ BORINGSSL_PREFIX %+ _X509_STORE_CTX_set_time\n%xdefine _X509_STORE_CTX_set_time_posix _ %+ BORINGSSL_PREFIX %+ _X509_STORE_CTX_set_time_posix\n%xdefine _X509_STORE_CTX_set_trust _ %+ BORINGSSL_PREFIX %+ _X509_STORE_CTX_set_trust\n%xdefine _X509_STORE_CTX_set_verify_cb _ %+ BORINGSSL_PREFIX %+ _X509_STORE_CTX_set_verify_cb\n%xdefine _X509_STORE_CTX_trusted_stack _ %+ BORINGSSL_PREFIX %+ _X509_STORE_CTX_trusted_stack\n%xdefine _X509_STORE_add_cert _ %+ BORINGSSL_PREFIX %+ _X509_STORE_add_cert\n%xdefine _X509_STORE_add_crl _ %+ BORINGSSL_PREFIX %+ _X509_STORE_add_crl\n%xdefine _X509_STORE_add_lookup _ %+ BORINGSSL_PREFIX %+ _X509_STORE_add_lookup\n%xdefine _X509_STORE_free _ %+ BORINGSSL_PREFIX %+ _X509_STORE_free\n%xdefine _X509_STORE_get0_objects _ %+ BORINGSSL_PREFIX %+ _X509_STORE_get0_objects\n%xdefine _X509_STORE_get0_param _ %+ BORINGSSL_PREFIX %+ _X509_STORE_get0_param\n%xdefine _X509_STORE_get1_objects _ %+ BORINGSSL_PREFIX %+ _X509_STORE_get1_objects\n%xdefine _X509_STORE_load_locations _ %+ BORINGSSL_PREFIX %+ _X509_STORE_load_locations\n%xdefine _X509_STORE_new _ %+ BORINGSSL_PREFIX %+ _X509_STORE_new\n%xdefine _X509_STORE_set1_param _ %+ BORINGSSL_PREFIX %+ _X509_STORE_set1_param\n%xdefine _X509_STORE_set_default_paths _ %+ BORINGSSL_PREFIX %+ _X509_STORE_set_default_paths\n%xdefine _X509_STORE_set_depth _ %+ BORINGSSL_PREFIX %+ _X509_STORE_set_depth\n%xdefine _X509_STORE_set_flags _ %+ BORINGSSL_PREFIX %+ _X509_STORE_set_flags\n%xdefine _X509_STORE_set_purpose _ %+ BORINGSSL_PREFIX %+ _X509_STORE_set_purpose\n%xdefine _X509_STORE_set_trust _ %+ BORINGSSL_PREFIX %+ _X509_STORE_set_trust\n%xdefine _X509_STORE_set_verify_cb _ %+ BORINGSSL_PREFIX %+ _X509_STORE_set_verify_cb\n%xdefine _X509_STORE_up_ref _ %+ BORINGSSL_PREFIX %+ _X509_STORE_up_ref\n%xdefine _X509_VAL_free _ %+ BORINGSSL_PREFIX %+ _X509_VAL_free\n%xdefine _X509_VAL_it _ %+ BORINGSSL_PREFIX %+ _X509_VAL_it\n%xdefine _X509_VAL_new _ %+ BORINGSSL_PREFIX %+ _X509_VAL_new\n%xdefine _X509_VERIFY_PARAM_add0_policy _ %+ BORINGSSL_PREFIX %+ _X509_VERIFY_PARAM_add0_policy\n%xdefine _X509_VERIFY_PARAM_add1_host _ %+ BORINGSSL_PREFIX %+ _X509_VERIFY_PARAM_add1_host\n%xdefine _X509_VERIFY_PARAM_clear_flags _ %+ BORINGSSL_PREFIX %+ _X509_VERIFY_PARAM_clear_flags\n%xdefine _X509_VERIFY_PARAM_free _ %+ BORINGSSL_PREFIX %+ _X509_VERIFY_PARAM_free\n%xdefine _X509_VERIFY_PARAM_get_depth _ %+ BORINGSSL_PREFIX %+ _X509_VERIFY_PARAM_get_depth\n%xdefine _X509_VERIFY_PARAM_get_flags _ %+ BORINGSSL_PREFIX %+ _X509_VERIFY_PARAM_get_flags\n%xdefine _X509_VERIFY_PARAM_inherit _ %+ BORINGSSL_PREFIX %+ _X509_VERIFY_PARAM_inherit\n%xdefine _X509_VERIFY_PARAM_lookup _ %+ BORINGSSL_PREFIX %+ _X509_VERIFY_PARAM_lookup\n%xdefine _X509_VERIFY_PARAM_new _ %+ BORINGSSL_PREFIX %+ _X509_VERIFY_PARAM_new\n%xdefine _X509_VERIFY_PARAM_set1 _ %+ BORINGSSL_PREFIX %+ _X509_VERIFY_PARAM_set1\n%xdefine _X509_VERIFY_PARAM_set1_email _ %+ BORINGSSL_PREFIX %+ _X509_VERIFY_PARAM_set1_email\n%xdefine _X509_VERIFY_PARAM_set1_host _ %+ BORINGSSL_PREFIX %+ _X509_VERIFY_PARAM_set1_host\n%xdefine _X509_VERIFY_PARAM_set1_ip _ %+ BORINGSSL_PREFIX %+ _X509_VERIFY_PARAM_set1_ip\n%xdefine _X509_VERIFY_PARAM_set1_ip_asc _ %+ BORINGSSL_PREFIX %+ _X509_VERIFY_PARAM_set1_ip_asc\n%xdefine _X509_VERIFY_PARAM_set1_policies _ %+ BORINGSSL_PREFIX %+ _X509_VERIFY_PARAM_set1_policies\n%xdefine _X509_VERIFY_PARAM_set_depth _ %+ BORINGSSL_PREFIX %+ _X509_VERIFY_PARAM_set_depth\n%xdefine _X509_VERIFY_PARAM_set_flags _ %+ BORINGSSL_PREFIX %+ _X509_VERIFY_PARAM_set_flags\n%xdefine _X509_VERIFY_PARAM_set_hostflags _ %+ BORINGSSL_PREFIX %+ _X509_VERIFY_PARAM_set_hostflags\n%xdefine _X509_VERIFY_PARAM_set_purpose _ %+ BORINGSSL_PREFIX %+ _X509_VERIFY_PARAM_set_purpose\n%xdefine _X509_VERIFY_PARAM_set_time _ %+ BORINGSSL_PREFIX %+ _X509_VERIFY_PARAM_set_time\n%xdefine _X509_VERIFY_PARAM_set_time_posix _ %+ BORINGSSL_PREFIX %+ _X509_VERIFY_PARAM_set_time_posix\n%xdefine _X509_VERIFY_PARAM_set_trust _ %+ BORINGSSL_PREFIX %+ _X509_VERIFY_PARAM_set_trust\n%xdefine _X509_add1_ext_i2d _ %+ BORINGSSL_PREFIX %+ _X509_add1_ext_i2d\n%xdefine _X509_add1_reject_object _ %+ BORINGSSL_PREFIX %+ _X509_add1_reject_object\n%xdefine _X509_add1_trust_object _ %+ BORINGSSL_PREFIX %+ _X509_add1_trust_object\n%xdefine _X509_add_ext _ %+ BORINGSSL_PREFIX %+ _X509_add_ext\n%xdefine _X509_alias_get0 _ %+ BORINGSSL_PREFIX %+ _X509_alias_get0\n%xdefine _X509_alias_set1 _ %+ BORINGSSL_PREFIX %+ _X509_alias_set1\n%xdefine _X509_chain_up_ref _ %+ BORINGSSL_PREFIX %+ _X509_chain_up_ref\n%xdefine _X509_check_akid _ %+ BORINGSSL_PREFIX %+ _X509_check_akid\n%xdefine _X509_check_ca _ %+ BORINGSSL_PREFIX %+ _X509_check_ca\n%xdefine _X509_check_email _ %+ BORINGSSL_PREFIX %+ _X509_check_email\n%xdefine _X509_check_host _ %+ BORINGSSL_PREFIX %+ _X509_check_host\n%xdefine _X509_check_ip _ %+ BORINGSSL_PREFIX %+ _X509_check_ip\n%xdefine _X509_check_ip_asc _ %+ BORINGSSL_PREFIX %+ _X509_check_ip_asc\n%xdefine _X509_check_issued _ %+ BORINGSSL_PREFIX %+ _X509_check_issued\n%xdefine _X509_check_private_key _ %+ BORINGSSL_PREFIX %+ _X509_check_private_key\n%xdefine _X509_check_purpose _ %+ BORINGSSL_PREFIX %+ _X509_check_purpose\n%xdefine _X509_check_trust _ %+ BORINGSSL_PREFIX %+ _X509_check_trust\n%xdefine _X509_cmp _ %+ BORINGSSL_PREFIX %+ _X509_cmp\n%xdefine _X509_cmp_current_time _ %+ BORINGSSL_PREFIX %+ _X509_cmp_current_time\n%xdefine _X509_cmp_time _ %+ BORINGSSL_PREFIX %+ _X509_cmp_time\n%xdefine _X509_cmp_time_posix _ %+ BORINGSSL_PREFIX %+ _X509_cmp_time_posix\n%xdefine _X509_delete_ext _ %+ BORINGSSL_PREFIX %+ _X509_delete_ext\n%xdefine _X509_digest _ %+ BORINGSSL_PREFIX %+ _X509_digest\n%xdefine _X509_dup _ %+ BORINGSSL_PREFIX %+ _X509_dup\n%xdefine _X509_email_free _ %+ BORINGSSL_PREFIX %+ _X509_email_free\n%xdefine _X509_find_by_issuer_and_serial _ %+ BORINGSSL_PREFIX %+ _X509_find_by_issuer_and_serial\n%xdefine _X509_find_by_subject _ %+ BORINGSSL_PREFIX %+ _X509_find_by_subject\n%xdefine _X509_free _ %+ BORINGSSL_PREFIX %+ _X509_free\n%xdefine _X509_get0_authority_issuer _ %+ BORINGSSL_PREFIX %+ _X509_get0_authority_issuer\n%xdefine _X509_get0_authority_key_id _ %+ BORINGSSL_PREFIX %+ _X509_get0_authority_key_id\n%xdefine _X509_get0_authority_serial _ %+ BORINGSSL_PREFIX %+ _X509_get0_authority_serial\n%xdefine _X509_get0_extensions _ %+ BORINGSSL_PREFIX %+ _X509_get0_extensions\n%xdefine _X509_get0_notAfter _ %+ BORINGSSL_PREFIX %+ _X509_get0_notAfter\n%xdefine _X509_get0_notBefore _ %+ BORINGSSL_PREFIX %+ _X509_get0_notBefore\n%xdefine _X509_get0_pubkey _ %+ BORINGSSL_PREFIX %+ _X509_get0_pubkey\n%xdefine _X509_get0_pubkey_bitstr _ %+ BORINGSSL_PREFIX %+ _X509_get0_pubkey_bitstr\n%xdefine _X509_get0_serialNumber _ %+ BORINGSSL_PREFIX %+ _X509_get0_serialNumber\n%xdefine _X509_get0_signature _ %+ BORINGSSL_PREFIX %+ _X509_get0_signature\n%xdefine _X509_get0_subject_key_id _ %+ BORINGSSL_PREFIX %+ _X509_get0_subject_key_id\n%xdefine _X509_get0_tbs_sigalg _ %+ BORINGSSL_PREFIX %+ _X509_get0_tbs_sigalg\n%xdefine _X509_get0_uids _ %+ BORINGSSL_PREFIX %+ _X509_get0_uids\n%xdefine _X509_get1_email _ %+ BORINGSSL_PREFIX %+ _X509_get1_email\n%xdefine _X509_get1_ocsp _ %+ BORINGSSL_PREFIX %+ _X509_get1_ocsp\n%xdefine _X509_get_X509_PUBKEY _ %+ BORINGSSL_PREFIX %+ _X509_get_X509_PUBKEY\n%xdefine _X509_get_default_cert_area _ %+ BORINGSSL_PREFIX %+ _X509_get_default_cert_area\n%xdefine _X509_get_default_cert_dir _ %+ BORINGSSL_PREFIX %+ _X509_get_default_cert_dir\n%xdefine _X509_get_default_cert_dir_env _ %+ BORINGSSL_PREFIX %+ _X509_get_default_cert_dir_env\n%xdefine _X509_get_default_cert_file _ %+ BORINGSSL_PREFIX %+ _X509_get_default_cert_file\n%xdefine _X509_get_default_cert_file_env _ %+ BORINGSSL_PREFIX %+ _X509_get_default_cert_file_env\n%xdefine _X509_get_default_private_dir _ %+ BORINGSSL_PREFIX %+ _X509_get_default_private_dir\n%xdefine _X509_get_ex_data _ %+ BORINGSSL_PREFIX %+ _X509_get_ex_data\n%xdefine _X509_get_ex_new_index _ %+ BORINGSSL_PREFIX %+ _X509_get_ex_new_index\n%xdefine _X509_get_ext _ %+ BORINGSSL_PREFIX %+ _X509_get_ext\n%xdefine _X509_get_ext_by_NID _ %+ BORINGSSL_PREFIX %+ _X509_get_ext_by_NID\n%xdefine _X509_get_ext_by_OBJ _ %+ BORINGSSL_PREFIX %+ _X509_get_ext_by_OBJ\n%xdefine _X509_get_ext_by_critical _ %+ BORINGSSL_PREFIX %+ _X509_get_ext_by_critical\n%xdefine _X509_get_ext_count _ %+ BORINGSSL_PREFIX %+ _X509_get_ext_count\n%xdefine _X509_get_ext_d2i _ %+ BORINGSSL_PREFIX %+ _X509_get_ext_d2i\n%xdefine _X509_get_extended_key_usage _ %+ BORINGSSL_PREFIX %+ _X509_get_extended_key_usage\n%xdefine _X509_get_extension_flags _ %+ BORINGSSL_PREFIX %+ _X509_get_extension_flags\n%xdefine _X509_get_issuer_name _ %+ BORINGSSL_PREFIX %+ _X509_get_issuer_name\n%xdefine _X509_get_key_usage _ %+ BORINGSSL_PREFIX %+ _X509_get_key_usage\n%xdefine _X509_get_notAfter _ %+ BORINGSSL_PREFIX %+ _X509_get_notAfter\n%xdefine _X509_get_notBefore _ %+ BORINGSSL_PREFIX %+ _X509_get_notBefore\n%xdefine _X509_get_pathlen _ %+ BORINGSSL_PREFIX %+ _X509_get_pathlen\n%xdefine _X509_get_pubkey _ %+ BORINGSSL_PREFIX %+ _X509_get_pubkey\n%xdefine _X509_get_serialNumber _ %+ BORINGSSL_PREFIX %+ _X509_get_serialNumber\n%xdefine _X509_get_signature_nid _ %+ BORINGSSL_PREFIX %+ _X509_get_signature_nid\n%xdefine _X509_get_subject_name _ %+ BORINGSSL_PREFIX %+ _X509_get_subject_name\n%xdefine _X509_get_version _ %+ BORINGSSL_PREFIX %+ _X509_get_version\n%xdefine _X509_getm_notAfter _ %+ BORINGSSL_PREFIX %+ _X509_getm_notAfter\n%xdefine _X509_getm_notBefore _ %+ BORINGSSL_PREFIX %+ _X509_getm_notBefore\n%xdefine _X509_gmtime_adj _ %+ BORINGSSL_PREFIX %+ _X509_gmtime_adj\n%xdefine _X509_is_valid_trust_id _ %+ BORINGSSL_PREFIX %+ _X509_is_valid_trust_id\n%xdefine _X509_issuer_name_cmp _ %+ BORINGSSL_PREFIX %+ _X509_issuer_name_cmp\n%xdefine _X509_issuer_name_hash _ %+ BORINGSSL_PREFIX %+ _X509_issuer_name_hash\n%xdefine _X509_issuer_name_hash_old _ %+ BORINGSSL_PREFIX %+ _X509_issuer_name_hash_old\n%xdefine _X509_it _ %+ BORINGSSL_PREFIX %+ _X509_it\n%xdefine _X509_keyid_get0 _ %+ BORINGSSL_PREFIX %+ _X509_keyid_get0\n%xdefine _X509_keyid_set1 _ %+ BORINGSSL_PREFIX %+ _X509_keyid_set1\n%xdefine _X509_load_cert_crl_file _ %+ BORINGSSL_PREFIX %+ _X509_load_cert_crl_file\n%xdefine _X509_load_cert_file _ %+ BORINGSSL_PREFIX %+ _X509_load_cert_file\n%xdefine _X509_load_crl_file _ %+ BORINGSSL_PREFIX %+ _X509_load_crl_file\n%xdefine _X509_new _ %+ BORINGSSL_PREFIX %+ _X509_new\n%xdefine _X509_parse_from_buffer _ %+ BORINGSSL_PREFIX %+ _X509_parse_from_buffer\n%xdefine _X509_policy_check _ %+ BORINGSSL_PREFIX %+ _X509_policy_check\n%xdefine _X509_print _ %+ BORINGSSL_PREFIX %+ _X509_print\n%xdefine _X509_print_ex _ %+ BORINGSSL_PREFIX %+ _X509_print_ex\n%xdefine _X509_print_ex_fp _ %+ BORINGSSL_PREFIX %+ _X509_print_ex_fp\n%xdefine _X509_print_fp _ %+ BORINGSSL_PREFIX %+ _X509_print_fp\n%xdefine _X509_pubkey_digest _ %+ BORINGSSL_PREFIX %+ _X509_pubkey_digest\n%xdefine _X509_reject_clear _ %+ BORINGSSL_PREFIX %+ _X509_reject_clear\n%xdefine _X509_set1_notAfter _ %+ BORINGSSL_PREFIX %+ _X509_set1_notAfter\n%xdefine _X509_set1_notBefore _ %+ BORINGSSL_PREFIX %+ _X509_set1_notBefore\n%xdefine _X509_set1_signature_algo _ %+ BORINGSSL_PREFIX %+ _X509_set1_signature_algo\n%xdefine _X509_set1_signature_value _ %+ BORINGSSL_PREFIX %+ _X509_set1_signature_value\n%xdefine _X509_set_ex_data _ %+ BORINGSSL_PREFIX %+ _X509_set_ex_data\n%xdefine _X509_set_issuer_name _ %+ BORINGSSL_PREFIX %+ _X509_set_issuer_name\n%xdefine _X509_set_notAfter _ %+ BORINGSSL_PREFIX %+ _X509_set_notAfter\n%xdefine _X509_set_notBefore _ %+ BORINGSSL_PREFIX %+ _X509_set_notBefore\n%xdefine _X509_set_pubkey _ %+ BORINGSSL_PREFIX %+ _X509_set_pubkey\n%xdefine _X509_set_serialNumber _ %+ BORINGSSL_PREFIX %+ _X509_set_serialNumber\n%xdefine _X509_set_subject_name _ %+ BORINGSSL_PREFIX %+ _X509_set_subject_name\n%xdefine _X509_set_version _ %+ BORINGSSL_PREFIX %+ _X509_set_version\n%xdefine _X509_sign _ %+ BORINGSSL_PREFIX %+ _X509_sign\n%xdefine _X509_sign_ctx _ %+ BORINGSSL_PREFIX %+ _X509_sign_ctx\n%xdefine _X509_signature_dump _ %+ BORINGSSL_PREFIX %+ _X509_signature_dump\n%xdefine _X509_signature_print _ %+ BORINGSSL_PREFIX %+ _X509_signature_print\n%xdefine _X509_subject_name_cmp _ %+ BORINGSSL_PREFIX %+ _X509_subject_name_cmp\n%xdefine _X509_subject_name_hash _ %+ BORINGSSL_PREFIX %+ _X509_subject_name_hash\n%xdefine _X509_subject_name_hash_old _ %+ BORINGSSL_PREFIX %+ _X509_subject_name_hash_old\n%xdefine _X509_supported_extension _ %+ BORINGSSL_PREFIX %+ _X509_supported_extension\n%xdefine _X509_time_adj _ %+ BORINGSSL_PREFIX %+ _X509_time_adj\n%xdefine _X509_time_adj_ex _ %+ BORINGSSL_PREFIX %+ _X509_time_adj_ex\n%xdefine _X509_trust_clear _ %+ BORINGSSL_PREFIX %+ _X509_trust_clear\n%xdefine _X509_up_ref _ %+ BORINGSSL_PREFIX %+ _X509_up_ref\n%xdefine _X509_verify _ %+ BORINGSSL_PREFIX %+ _X509_verify\n%xdefine _X509_verify_cert _ %+ BORINGSSL_PREFIX %+ _X509_verify_cert\n%xdefine _X509_verify_cert_error_string _ %+ BORINGSSL_PREFIX %+ _X509_verify_cert_error_string\n%xdefine _X509v3_add_ext _ %+ BORINGSSL_PREFIX %+ _X509v3_add_ext\n%xdefine _X509v3_delete_ext _ %+ BORINGSSL_PREFIX %+ _X509v3_delete_ext\n%xdefine _X509v3_get_ext _ %+ BORINGSSL_PREFIX %+ _X509v3_get_ext\n%xdefine _X509v3_get_ext_by_NID _ %+ BORINGSSL_PREFIX %+ _X509v3_get_ext_by_NID\n%xdefine _X509v3_get_ext_by_OBJ _ %+ BORINGSSL_PREFIX %+ _X509v3_get_ext_by_OBJ\n%xdefine _X509v3_get_ext_by_critical _ %+ BORINGSSL_PREFIX %+ _X509v3_get_ext_by_critical\n%xdefine _X509v3_get_ext_count _ %+ BORINGSSL_PREFIX %+ _X509v3_get_ext_count\n%xdefine ___clang_call_terminate _ %+ BORINGSSL_PREFIX %+ ___clang_call_terminate\n%xdefine _a2i_IPADDRESS _ %+ BORINGSSL_PREFIX %+ _a2i_IPADDRESS\n%xdefine _a2i_IPADDRESS_NC _ %+ BORINGSSL_PREFIX %+ _a2i_IPADDRESS_NC\n%xdefine _aes128gcmsiv_aes_ks _ %+ BORINGSSL_PREFIX %+ _aes128gcmsiv_aes_ks\n%xdefine _aes128gcmsiv_aes_ks_enc_x1 _ %+ BORINGSSL_PREFIX %+ _aes128gcmsiv_aes_ks_enc_x1\n%xdefine _aes128gcmsiv_dec _ %+ BORINGSSL_PREFIX %+ _aes128gcmsiv_dec\n%xdefine _aes128gcmsiv_ecb_enc_block _ %+ BORINGSSL_PREFIX %+ _aes128gcmsiv_ecb_enc_block\n%xdefine _aes128gcmsiv_enc_msg_x4 _ %+ BORINGSSL_PREFIX %+ _aes128gcmsiv_enc_msg_x4\n%xdefine _aes128gcmsiv_enc_msg_x8 _ %+ BORINGSSL_PREFIX %+ _aes128gcmsiv_enc_msg_x8\n%xdefine _aes128gcmsiv_kdf _ %+ BORINGSSL_PREFIX %+ _aes128gcmsiv_kdf\n%xdefine _aes256gcmsiv_aes_ks _ %+ BORINGSSL_PREFIX %+ _aes256gcmsiv_aes_ks\n%xdefine _aes256gcmsiv_aes_ks_enc_x1 _ %+ BORINGSSL_PREFIX %+ _aes256gcmsiv_aes_ks_enc_x1\n%xdefine _aes256gcmsiv_dec _ %+ BORINGSSL_PREFIX %+ _aes256gcmsiv_dec\n%xdefine _aes256gcmsiv_ecb_enc_block _ %+ BORINGSSL_PREFIX %+ _aes256gcmsiv_ecb_enc_block\n%xdefine _aes256gcmsiv_enc_msg_x4 _ %+ BORINGSSL_PREFIX %+ _aes256gcmsiv_enc_msg_x4\n%xdefine _aes256gcmsiv_enc_msg_x8 _ %+ BORINGSSL_PREFIX %+ _aes256gcmsiv_enc_msg_x8\n%xdefine _aes256gcmsiv_kdf _ %+ BORINGSSL_PREFIX %+ _aes256gcmsiv_kdf\n%xdefine _aes_ctr_set_key _ %+ BORINGSSL_PREFIX %+ _aes_ctr_set_key\n%xdefine _aes_gcm_dec_kernel _ %+ BORINGSSL_PREFIX %+ _aes_gcm_dec_kernel\n%xdefine _aes_gcm_dec_update_vaes_avx10_512 _ %+ BORINGSSL_PREFIX %+ _aes_gcm_dec_update_vaes_avx10_512\n%xdefine _aes_gcm_dec_update_vaes_avx2 _ %+ BORINGSSL_PREFIX %+ _aes_gcm_dec_update_vaes_avx2\n%xdefine _aes_gcm_enc_kernel _ %+ BORINGSSL_PREFIX %+ _aes_gcm_enc_kernel\n%xdefine _aes_gcm_enc_update_vaes_avx10_512 _ %+ BORINGSSL_PREFIX %+ _aes_gcm_enc_update_vaes_avx10_512\n%xdefine _aes_gcm_enc_update_vaes_avx2 _ %+ BORINGSSL_PREFIX %+ _aes_gcm_enc_update_vaes_avx2\n%xdefine _aes_hw_cbc_encrypt _ %+ BORINGSSL_PREFIX %+ _aes_hw_cbc_encrypt\n%xdefine _aes_hw_ctr32_encrypt_blocks _ %+ BORINGSSL_PREFIX %+ _aes_hw_ctr32_encrypt_blocks\n%xdefine _aes_hw_decrypt _ %+ BORINGSSL_PREFIX %+ _aes_hw_decrypt\n%xdefine _aes_hw_ecb_encrypt _ %+ BORINGSSL_PREFIX %+ _aes_hw_ecb_encrypt\n%xdefine _aes_hw_encrypt _ %+ BORINGSSL_PREFIX %+ _aes_hw_encrypt\n%xdefine _aes_hw_encrypt_key_to_decrypt_key _ %+ BORINGSSL_PREFIX %+ _aes_hw_encrypt_key_to_decrypt_key\n%xdefine _aes_hw_set_decrypt_key _ %+ BORINGSSL_PREFIX %+ _aes_hw_set_decrypt_key\n%xdefine _aes_hw_set_encrypt_key _ %+ BORINGSSL_PREFIX %+ _aes_hw_set_encrypt_key\n%xdefine _aes_hw_set_encrypt_key_alt _ %+ BORINGSSL_PREFIX %+ _aes_hw_set_encrypt_key_alt\n%xdefine _aes_hw_set_encrypt_key_alt_preferred _ %+ BORINGSSL_PREFIX %+ _aes_hw_set_encrypt_key_alt_preferred\n%xdefine _aes_hw_set_encrypt_key_base _ %+ BORINGSSL_PREFIX %+ _aes_hw_set_encrypt_key_base\n%xdefine _aes_nohw_cbc_encrypt _ %+ BORINGSSL_PREFIX %+ _aes_nohw_cbc_encrypt\n%xdefine _aes_nohw_ctr32_encrypt_blocks _ %+ BORINGSSL_PREFIX %+ _aes_nohw_ctr32_encrypt_blocks\n%xdefine _aes_nohw_decrypt _ %+ BORINGSSL_PREFIX %+ _aes_nohw_decrypt\n%xdefine _aes_nohw_encrypt _ %+ BORINGSSL_PREFIX %+ _aes_nohw_encrypt\n%xdefine _aes_nohw_set_decrypt_key _ %+ BORINGSSL_PREFIX %+ _aes_nohw_set_decrypt_key\n%xdefine _aes_nohw_set_encrypt_key _ %+ BORINGSSL_PREFIX %+ _aes_nohw_set_encrypt_key\n%xdefine _aesgcmsiv_htable6_init _ %+ BORINGSSL_PREFIX %+ _aesgcmsiv_htable6_init\n%xdefine _aesgcmsiv_htable_init _ %+ BORINGSSL_PREFIX %+ _aesgcmsiv_htable_init\n%xdefine _aesgcmsiv_htable_polyval _ %+ BORINGSSL_PREFIX %+ _aesgcmsiv_htable_polyval\n%xdefine _aesgcmsiv_polyval_horner _ %+ BORINGSSL_PREFIX %+ _aesgcmsiv_polyval_horner\n%xdefine _aesni_gcm_decrypt _ %+ BORINGSSL_PREFIX %+ _aesni_gcm_decrypt\n%xdefine _aesni_gcm_encrypt _ %+ BORINGSSL_PREFIX %+ _aesni_gcm_encrypt\n%xdefine _asn1_bit_string_length _ %+ BORINGSSL_PREFIX %+ _asn1_bit_string_length\n%xdefine _asn1_do_adb _ %+ BORINGSSL_PREFIX %+ _asn1_do_adb\n%xdefine _asn1_enc_free _ %+ BORINGSSL_PREFIX %+ _asn1_enc_free\n%xdefine _asn1_enc_init _ %+ BORINGSSL_PREFIX %+ _asn1_enc_init\n%xdefine _asn1_enc_restore _ %+ BORINGSSL_PREFIX %+ _asn1_enc_restore\n%xdefine _asn1_enc_save _ %+ BORINGSSL_PREFIX %+ _asn1_enc_save\n%xdefine _asn1_encoding_clear _ %+ BORINGSSL_PREFIX %+ _asn1_encoding_clear\n%xdefine _asn1_generalizedtime_to_tm _ %+ BORINGSSL_PREFIX %+ _asn1_generalizedtime_to_tm\n%xdefine _asn1_get_choice_selector _ %+ BORINGSSL_PREFIX %+ _asn1_get_choice_selector\n%xdefine _asn1_get_field_ptr _ %+ BORINGSSL_PREFIX %+ _asn1_get_field_ptr\n%xdefine _asn1_get_string_table_for_testing _ %+ BORINGSSL_PREFIX %+ _asn1_get_string_table_for_testing\n%xdefine _asn1_is_printable _ %+ BORINGSSL_PREFIX %+ _asn1_is_printable\n%xdefine _asn1_refcount_dec_and_test_zero _ %+ BORINGSSL_PREFIX %+ _asn1_refcount_dec_and_test_zero\n%xdefine _asn1_refcount_set_one _ %+ BORINGSSL_PREFIX %+ _asn1_refcount_set_one\n%xdefine _asn1_set_choice_selector _ %+ BORINGSSL_PREFIX %+ _asn1_set_choice_selector\n%xdefine _asn1_type_cleanup _ %+ BORINGSSL_PREFIX %+ _asn1_type_cleanup\n%xdefine _asn1_type_set0_string _ %+ BORINGSSL_PREFIX %+ _asn1_type_set0_string\n%xdefine _asn1_type_value_as_pointer _ %+ BORINGSSL_PREFIX %+ _asn1_type_value_as_pointer\n%xdefine _asn1_utctime_to_tm _ %+ BORINGSSL_PREFIX %+ _asn1_utctime_to_tm\n%xdefine _bcm_as_approved_status _ %+ BORINGSSL_PREFIX %+ _bcm_as_approved_status\n%xdefine _bcm_success _ %+ BORINGSSL_PREFIX %+ _bcm_success\n%xdefine _beeu_mod_inverse_vartime _ %+ BORINGSSL_PREFIX %+ _beeu_mod_inverse_vartime\n%xdefine _bio_clear_socket_error _ %+ BORINGSSL_PREFIX %+ _bio_clear_socket_error\n%xdefine _bio_errno_should_retry _ %+ BORINGSSL_PREFIX %+ _bio_errno_should_retry\n%xdefine _bio_ip_and_port_to_socket_and_addr _ %+ BORINGSSL_PREFIX %+ _bio_ip_and_port_to_socket_and_addr\n%xdefine _bio_sock_error _ %+ BORINGSSL_PREFIX %+ _bio_sock_error\n%xdefine _bio_socket_nbio _ %+ BORINGSSL_PREFIX %+ _bio_socket_nbio\n%xdefine _bio_socket_should_retry _ %+ BORINGSSL_PREFIX %+ _bio_socket_should_retry\n%xdefine _bn_abs_sub_consttime _ %+ BORINGSSL_PREFIX %+ _bn_abs_sub_consttime\n%xdefine _bn_add_words _ %+ BORINGSSL_PREFIX %+ _bn_add_words\n%xdefine _bn_assert_fits_in_bytes _ %+ BORINGSSL_PREFIX %+ _bn_assert_fits_in_bytes\n%xdefine _bn_big_endian_to_words _ %+ BORINGSSL_PREFIX %+ _bn_big_endian_to_words\n%xdefine _bn_copy_words _ %+ BORINGSSL_PREFIX %+ _bn_copy_words\n%xdefine _bn_declassify _ %+ BORINGSSL_PREFIX %+ _bn_declassify\n%xdefine _bn_div_consttime _ %+ BORINGSSL_PREFIX %+ _bn_div_consttime\n%xdefine _bn_expand _ %+ BORINGSSL_PREFIX %+ _bn_expand\n%xdefine _bn_fits_in_words _ %+ BORINGSSL_PREFIX %+ _bn_fits_in_words\n%xdefine _bn_from_montgomery_small _ %+ BORINGSSL_PREFIX %+ _bn_from_montgomery_small\n%xdefine _bn_gather5 _ %+ BORINGSSL_PREFIX %+ _bn_gather5\n%xdefine _bn_in_range_words _ %+ BORINGSSL_PREFIX %+ _bn_in_range_words\n%xdefine _bn_is_bit_set_words _ %+ BORINGSSL_PREFIX %+ _bn_is_bit_set_words\n%xdefine _bn_is_relatively_prime _ %+ BORINGSSL_PREFIX %+ _bn_is_relatively_prime\n%xdefine _bn_jacobi _ %+ BORINGSSL_PREFIX %+ _bn_jacobi\n%xdefine _bn_lcm_consttime _ %+ BORINGSSL_PREFIX %+ _bn_lcm_consttime\n%xdefine _bn_less_than_montgomery_R _ %+ BORINGSSL_PREFIX %+ _bn_less_than_montgomery_R\n%xdefine _bn_less_than_words _ %+ BORINGSSL_PREFIX %+ _bn_less_than_words\n%xdefine _bn_miller_rabin_init _ %+ BORINGSSL_PREFIX %+ _bn_miller_rabin_init\n%xdefine _bn_miller_rabin_iteration _ %+ BORINGSSL_PREFIX %+ _bn_miller_rabin_iteration\n%xdefine _bn_minimal_width _ %+ BORINGSSL_PREFIX %+ _bn_minimal_width\n%xdefine _bn_mod_add_consttime _ %+ BORINGSSL_PREFIX %+ _bn_mod_add_consttime\n%xdefine _bn_mod_add_words _ %+ BORINGSSL_PREFIX %+ _bn_mod_add_words\n%xdefine _bn_mod_exp_mont_small _ %+ BORINGSSL_PREFIX %+ _bn_mod_exp_mont_small\n%xdefine _bn_mod_inverse0_prime_mont_small _ %+ BORINGSSL_PREFIX %+ _bn_mod_inverse0_prime_mont_small\n%xdefine _bn_mod_inverse_consttime _ %+ BORINGSSL_PREFIX %+ _bn_mod_inverse_consttime\n%xdefine _bn_mod_inverse_prime _ %+ BORINGSSL_PREFIX %+ _bn_mod_inverse_prime\n%xdefine _bn_mod_inverse_secret_prime _ %+ BORINGSSL_PREFIX %+ _bn_mod_inverse_secret_prime\n%xdefine _bn_mod_lshift1_consttime _ %+ BORINGSSL_PREFIX %+ _bn_mod_lshift1_consttime\n%xdefine _bn_mod_lshift_consttime _ %+ BORINGSSL_PREFIX %+ _bn_mod_lshift_consttime\n%xdefine _bn_mod_mul_montgomery_small _ %+ BORINGSSL_PREFIX %+ _bn_mod_mul_montgomery_small\n%xdefine _bn_mod_sub_consttime _ %+ BORINGSSL_PREFIX %+ _bn_mod_sub_consttime\n%xdefine _bn_mod_sub_words _ %+ BORINGSSL_PREFIX %+ _bn_mod_sub_words\n%xdefine _bn_mod_u16_consttime _ %+ BORINGSSL_PREFIX %+ _bn_mod_u16_consttime\n%xdefine _bn_mont_ctx_cleanup _ %+ BORINGSSL_PREFIX %+ _bn_mont_ctx_cleanup\n%xdefine _bn_mont_ctx_init _ %+ BORINGSSL_PREFIX %+ _bn_mont_ctx_init\n%xdefine _bn_mont_ctx_set_RR_consttime _ %+ BORINGSSL_PREFIX %+ _bn_mont_ctx_set_RR_consttime\n%xdefine _bn_mont_n0 _ %+ BORINGSSL_PREFIX %+ _bn_mont_n0\n%xdefine _bn_mul4x_mont _ %+ BORINGSSL_PREFIX %+ _bn_mul4x_mont\n%xdefine _bn_mul4x_mont_capable _ %+ BORINGSSL_PREFIX %+ _bn_mul4x_mont_capable\n%xdefine _bn_mul4x_mont_gather5 _ %+ BORINGSSL_PREFIX %+ _bn_mul4x_mont_gather5\n%xdefine _bn_mul4x_mont_gather5_capable _ %+ BORINGSSL_PREFIX %+ _bn_mul4x_mont_gather5_capable\n%xdefine _bn_mul_add_words _ %+ BORINGSSL_PREFIX %+ _bn_mul_add_words\n%xdefine _bn_mul_comba4 _ %+ BORINGSSL_PREFIX %+ _bn_mul_comba4\n%xdefine _bn_mul_comba8 _ %+ BORINGSSL_PREFIX %+ _bn_mul_comba8\n%xdefine _bn_mul_consttime _ %+ BORINGSSL_PREFIX %+ _bn_mul_consttime\n%xdefine _bn_mul_mont _ %+ BORINGSSL_PREFIX %+ _bn_mul_mont\n%xdefine _bn_mul_mont_gather5_nohw _ %+ BORINGSSL_PREFIX %+ _bn_mul_mont_gather5_nohw\n%xdefine _bn_mul_mont_nohw _ %+ BORINGSSL_PREFIX %+ _bn_mul_mont_nohw\n%xdefine _bn_mul_small _ %+ BORINGSSL_PREFIX %+ _bn_mul_small\n%xdefine _bn_mul_words _ %+ BORINGSSL_PREFIX %+ _bn_mul_words\n%xdefine _bn_mulx4x_mont _ %+ BORINGSSL_PREFIX %+ _bn_mulx4x_mont\n%xdefine _bn_mulx4x_mont_capable _ %+ BORINGSSL_PREFIX %+ _bn_mulx4x_mont_capable\n%xdefine _bn_mulx4x_mont_gather5 _ %+ BORINGSSL_PREFIX %+ _bn_mulx4x_mont_gather5\n%xdefine _bn_mulx4x_mont_gather5_capable _ %+ BORINGSSL_PREFIX %+ _bn_mulx4x_mont_gather5_capable\n%xdefine _bn_mulx_adx_capable _ %+ BORINGSSL_PREFIX %+ _bn_mulx_adx_capable\n%xdefine _bn_odd_number_is_obviously_composite _ %+ BORINGSSL_PREFIX %+ _bn_odd_number_is_obviously_composite\n%xdefine _bn_one_to_montgomery _ %+ BORINGSSL_PREFIX %+ _bn_one_to_montgomery\n%xdefine _bn_power5_capable _ %+ BORINGSSL_PREFIX %+ _bn_power5_capable\n%xdefine _bn_power5_nohw _ %+ BORINGSSL_PREFIX %+ _bn_power5_nohw\n%xdefine _bn_powerx5 _ %+ BORINGSSL_PREFIX %+ _bn_powerx5\n%xdefine _bn_powerx5_capable _ %+ BORINGSSL_PREFIX %+ _bn_powerx5_capable\n%xdefine _bn_rand_range_words _ %+ BORINGSSL_PREFIX %+ _bn_rand_range_words\n%xdefine _bn_rand_secret_range _ %+ BORINGSSL_PREFIX %+ _bn_rand_secret_range\n%xdefine _bn_reduce_once _ %+ BORINGSSL_PREFIX %+ _bn_reduce_once\n%xdefine _bn_reduce_once_in_place _ %+ BORINGSSL_PREFIX %+ _bn_reduce_once_in_place\n%xdefine _bn_resize_words _ %+ BORINGSSL_PREFIX %+ _bn_resize_words\n%xdefine _bn_rshift1_words _ %+ BORINGSSL_PREFIX %+ _bn_rshift1_words\n%xdefine _bn_rshift_secret_shift _ %+ BORINGSSL_PREFIX %+ _bn_rshift_secret_shift\n%xdefine _bn_rshift_words _ %+ BORINGSSL_PREFIX %+ _bn_rshift_words\n%xdefine _bn_scatter5 _ %+ BORINGSSL_PREFIX %+ _bn_scatter5\n%xdefine _bn_secret _ %+ BORINGSSL_PREFIX %+ _bn_secret\n%xdefine _bn_select_words _ %+ BORINGSSL_PREFIX %+ _bn_select_words\n%xdefine _bn_set_minimal_width _ %+ BORINGSSL_PREFIX %+ _bn_set_minimal_width\n%xdefine _bn_set_static_words _ %+ BORINGSSL_PREFIX %+ _bn_set_static_words\n%xdefine _bn_set_words _ %+ BORINGSSL_PREFIX %+ _bn_set_words\n%xdefine _bn_sqr8x_internal _ %+ BORINGSSL_PREFIX %+ _bn_sqr8x_internal\n%xdefine _bn_sqr8x_mont _ %+ BORINGSSL_PREFIX %+ _bn_sqr8x_mont\n%xdefine _bn_sqr8x_mont_capable _ %+ BORINGSSL_PREFIX %+ _bn_sqr8x_mont_capable\n%xdefine _bn_sqr_comba4 _ %+ BORINGSSL_PREFIX %+ _bn_sqr_comba4\n%xdefine _bn_sqr_comba8 _ %+ BORINGSSL_PREFIX %+ _bn_sqr_comba8\n%xdefine _bn_sqr_consttime _ %+ BORINGSSL_PREFIX %+ _bn_sqr_consttime\n%xdefine _bn_sqr_small _ %+ BORINGSSL_PREFIX %+ _bn_sqr_small\n%xdefine _bn_sqr_words _ %+ BORINGSSL_PREFIX %+ _bn_sqr_words\n%xdefine _bn_sqrx8x_internal _ %+ BORINGSSL_PREFIX %+ _bn_sqrx8x_internal\n%xdefine _bn_sub_words _ %+ BORINGSSL_PREFIX %+ _bn_sub_words\n%xdefine _bn_to_montgomery_small _ %+ BORINGSSL_PREFIX %+ _bn_to_montgomery_small\n%xdefine _bn_uadd_consttime _ %+ BORINGSSL_PREFIX %+ _bn_uadd_consttime\n%xdefine _bn_usub_consttime _ %+ BORINGSSL_PREFIX %+ _bn_usub_consttime\n%xdefine _bn_wexpand _ %+ BORINGSSL_PREFIX %+ _bn_wexpand\n%xdefine _bn_words_to_big_endian _ %+ BORINGSSL_PREFIX %+ _bn_words_to_big_endian\n%xdefine _boringssl_ensure_ecc_self_test _ %+ BORINGSSL_PREFIX %+ _boringssl_ensure_ecc_self_test\n%xdefine _boringssl_ensure_ffdh_self_test _ %+ BORINGSSL_PREFIX %+ _boringssl_ensure_ffdh_self_test\n%xdefine _boringssl_ensure_rsa_self_test _ %+ BORINGSSL_PREFIX %+ _boringssl_ensure_rsa_self_test\n%xdefine _boringssl_fips_break_test _ %+ BORINGSSL_PREFIX %+ _boringssl_fips_break_test\n%xdefine _boringssl_fips_inc_counter _ %+ BORINGSSL_PREFIX %+ _boringssl_fips_inc_counter\n%xdefine _boringssl_self_test_hmac_sha256 _ %+ BORINGSSL_PREFIX %+ _boringssl_self_test_hmac_sha256\n%xdefine _boringssl_self_test_sha256 _ %+ BORINGSSL_PREFIX %+ _boringssl_self_test_sha256\n%xdefine _boringssl_self_test_sha512 _ %+ BORINGSSL_PREFIX %+ _boringssl_self_test_sha512\n%xdefine _bsaes_capable _ %+ BORINGSSL_PREFIX %+ _bsaes_capable\n%xdefine _bsaes_cbc_encrypt _ %+ BORINGSSL_PREFIX %+ _bsaes_cbc_encrypt\n%xdefine _c2i_ASN1_BIT_STRING _ %+ BORINGSSL_PREFIX %+ _c2i_ASN1_BIT_STRING\n%xdefine _c2i_ASN1_INTEGER _ %+ BORINGSSL_PREFIX %+ _c2i_ASN1_INTEGER\n%xdefine _c2i_ASN1_OBJECT _ %+ BORINGSSL_PREFIX %+ _c2i_ASN1_OBJECT\n%xdefine _chacha20_poly1305_asm_capable _ %+ BORINGSSL_PREFIX %+ _chacha20_poly1305_asm_capable\n%xdefine _chacha20_poly1305_open _ %+ BORINGSSL_PREFIX %+ _chacha20_poly1305_open\n%xdefine _chacha20_poly1305_open_avx2 _ %+ BORINGSSL_PREFIX %+ _chacha20_poly1305_open_avx2\n%xdefine _chacha20_poly1305_open_nohw _ %+ BORINGSSL_PREFIX %+ _chacha20_poly1305_open_nohw\n%xdefine _chacha20_poly1305_seal _ %+ BORINGSSL_PREFIX %+ _chacha20_poly1305_seal\n%xdefine _chacha20_poly1305_seal_avx2 _ %+ BORINGSSL_PREFIX %+ _chacha20_poly1305_seal_avx2\n%xdefine _chacha20_poly1305_seal_nohw _ %+ BORINGSSL_PREFIX %+ _chacha20_poly1305_seal_nohw\n%xdefine _crypto_gcm_clmul_enabled _ %+ BORINGSSL_PREFIX %+ _crypto_gcm_clmul_enabled\n%xdefine _d2i_ASN1_BIT_STRING _ %+ BORINGSSL_PREFIX %+ _d2i_ASN1_BIT_STRING\n%xdefine _d2i_ASN1_BMPSTRING _ %+ BORINGSSL_PREFIX %+ _d2i_ASN1_BMPSTRING\n%xdefine _d2i_ASN1_BOOLEAN _ %+ BORINGSSL_PREFIX %+ _d2i_ASN1_BOOLEAN\n%xdefine _d2i_ASN1_ENUMERATED _ %+ BORINGSSL_PREFIX %+ _d2i_ASN1_ENUMERATED\n%xdefine _d2i_ASN1_GENERALIZEDTIME _ %+ BORINGSSL_PREFIX %+ _d2i_ASN1_GENERALIZEDTIME\n%xdefine _d2i_ASN1_GENERALSTRING _ %+ BORINGSSL_PREFIX %+ _d2i_ASN1_GENERALSTRING\n%xdefine _d2i_ASN1_IA5STRING _ %+ BORINGSSL_PREFIX %+ _d2i_ASN1_IA5STRING\n%xdefine _d2i_ASN1_INTEGER _ %+ BORINGSSL_PREFIX %+ _d2i_ASN1_INTEGER\n%xdefine _d2i_ASN1_NULL _ %+ BORINGSSL_PREFIX %+ _d2i_ASN1_NULL\n%xdefine _d2i_ASN1_OBJECT _ %+ BORINGSSL_PREFIX %+ _d2i_ASN1_OBJECT\n%xdefine _d2i_ASN1_OCTET_STRING _ %+ BORINGSSL_PREFIX %+ _d2i_ASN1_OCTET_STRING\n%xdefine _d2i_ASN1_PRINTABLE _ %+ BORINGSSL_PREFIX %+ _d2i_ASN1_PRINTABLE\n%xdefine _d2i_ASN1_PRINTABLESTRING _ %+ BORINGSSL_PREFIX %+ _d2i_ASN1_PRINTABLESTRING\n%xdefine _d2i_ASN1_SEQUENCE_ANY _ %+ BORINGSSL_PREFIX %+ _d2i_ASN1_SEQUENCE_ANY\n%xdefine _d2i_ASN1_SET_ANY _ %+ BORINGSSL_PREFIX %+ _d2i_ASN1_SET_ANY\n%xdefine _d2i_ASN1_T61STRING _ %+ BORINGSSL_PREFIX %+ _d2i_ASN1_T61STRING\n%xdefine _d2i_ASN1_TIME _ %+ BORINGSSL_PREFIX %+ _d2i_ASN1_TIME\n%xdefine _d2i_ASN1_TYPE _ %+ BORINGSSL_PREFIX %+ _d2i_ASN1_TYPE\n%xdefine _d2i_ASN1_UNIVERSALSTRING _ %+ BORINGSSL_PREFIX %+ _d2i_ASN1_UNIVERSALSTRING\n%xdefine _d2i_ASN1_UTCTIME _ %+ BORINGSSL_PREFIX %+ _d2i_ASN1_UTCTIME\n%xdefine _d2i_ASN1_UTF8STRING _ %+ BORINGSSL_PREFIX %+ _d2i_ASN1_UTF8STRING\n%xdefine _d2i_ASN1_VISIBLESTRING _ %+ BORINGSSL_PREFIX %+ _d2i_ASN1_VISIBLESTRING\n%xdefine _d2i_AUTHORITY_INFO_ACCESS _ %+ BORINGSSL_PREFIX %+ _d2i_AUTHORITY_INFO_ACCESS\n%xdefine _d2i_AUTHORITY_KEYID _ %+ BORINGSSL_PREFIX %+ _d2i_AUTHORITY_KEYID\n%xdefine _d2i_AutoPrivateKey _ %+ BORINGSSL_PREFIX %+ _d2i_AutoPrivateKey\n%xdefine _d2i_BASIC_CONSTRAINTS _ %+ BORINGSSL_PREFIX %+ _d2i_BASIC_CONSTRAINTS\n%xdefine _d2i_CERTIFICATEPOLICIES _ %+ BORINGSSL_PREFIX %+ _d2i_CERTIFICATEPOLICIES\n%xdefine _d2i_CRL_DIST_POINTS _ %+ BORINGSSL_PREFIX %+ _d2i_CRL_DIST_POINTS\n%xdefine _d2i_DHparams _ %+ BORINGSSL_PREFIX %+ _d2i_DHparams\n%xdefine _d2i_DHparams_bio _ %+ BORINGSSL_PREFIX %+ _d2i_DHparams_bio\n%xdefine _d2i_DIRECTORYSTRING _ %+ BORINGSSL_PREFIX %+ _d2i_DIRECTORYSTRING\n%xdefine _d2i_DISPLAYTEXT _ %+ BORINGSSL_PREFIX %+ _d2i_DISPLAYTEXT\n%xdefine _d2i_DSAPrivateKey _ %+ BORINGSSL_PREFIX %+ _d2i_DSAPrivateKey\n%xdefine _d2i_DSAPrivateKey_bio _ %+ BORINGSSL_PREFIX %+ _d2i_DSAPrivateKey_bio\n%xdefine _d2i_DSAPrivateKey_fp _ %+ BORINGSSL_PREFIX %+ _d2i_DSAPrivateKey_fp\n%xdefine _d2i_DSAPublicKey _ %+ BORINGSSL_PREFIX %+ _d2i_DSAPublicKey\n%xdefine _d2i_DSA_PUBKEY _ %+ BORINGSSL_PREFIX %+ _d2i_DSA_PUBKEY\n%xdefine _d2i_DSA_PUBKEY_bio _ %+ BORINGSSL_PREFIX %+ _d2i_DSA_PUBKEY_bio\n%xdefine _d2i_DSA_PUBKEY_fp _ %+ BORINGSSL_PREFIX %+ _d2i_DSA_PUBKEY_fp\n%xdefine _d2i_DSA_SIG _ %+ BORINGSSL_PREFIX %+ _d2i_DSA_SIG\n%xdefine _d2i_DSAparams _ %+ BORINGSSL_PREFIX %+ _d2i_DSAparams\n%xdefine _d2i_ECDSA_SIG _ %+ BORINGSSL_PREFIX %+ _d2i_ECDSA_SIG\n%xdefine _d2i_ECPKParameters _ %+ BORINGSSL_PREFIX %+ _d2i_ECPKParameters\n%xdefine _d2i_ECParameters _ %+ BORINGSSL_PREFIX %+ _d2i_ECParameters\n%xdefine _d2i_ECPrivateKey _ %+ BORINGSSL_PREFIX %+ _d2i_ECPrivateKey\n%xdefine _d2i_ECPrivateKey_bio _ %+ BORINGSSL_PREFIX %+ _d2i_ECPrivateKey_bio\n%xdefine _d2i_ECPrivateKey_fp _ %+ BORINGSSL_PREFIX %+ _d2i_ECPrivateKey_fp\n%xdefine _d2i_EC_PUBKEY _ %+ BORINGSSL_PREFIX %+ _d2i_EC_PUBKEY\n%xdefine _d2i_EC_PUBKEY_bio _ %+ BORINGSSL_PREFIX %+ _d2i_EC_PUBKEY_bio\n%xdefine _d2i_EC_PUBKEY_fp _ %+ BORINGSSL_PREFIX %+ _d2i_EC_PUBKEY_fp\n%xdefine _d2i_EXTENDED_KEY_USAGE _ %+ BORINGSSL_PREFIX %+ _d2i_EXTENDED_KEY_USAGE\n%xdefine _d2i_GENERAL_NAME _ %+ BORINGSSL_PREFIX %+ _d2i_GENERAL_NAME\n%xdefine _d2i_GENERAL_NAMES _ %+ BORINGSSL_PREFIX %+ _d2i_GENERAL_NAMES\n%xdefine _d2i_ISSUING_DIST_POINT _ %+ BORINGSSL_PREFIX %+ _d2i_ISSUING_DIST_POINT\n%xdefine _d2i_NETSCAPE_SPKAC _ %+ BORINGSSL_PREFIX %+ _d2i_NETSCAPE_SPKAC\n%xdefine _d2i_NETSCAPE_SPKI _ %+ BORINGSSL_PREFIX %+ _d2i_NETSCAPE_SPKI\n%xdefine _d2i_PKCS12 _ %+ BORINGSSL_PREFIX %+ _d2i_PKCS12\n%xdefine _d2i_PKCS12_bio _ %+ BORINGSSL_PREFIX %+ _d2i_PKCS12_bio\n%xdefine _d2i_PKCS12_fp _ %+ BORINGSSL_PREFIX %+ _d2i_PKCS12_fp\n%xdefine _d2i_PKCS7 _ %+ BORINGSSL_PREFIX %+ _d2i_PKCS7\n%xdefine _d2i_PKCS7_bio _ %+ BORINGSSL_PREFIX %+ _d2i_PKCS7_bio\n%xdefine _d2i_PKCS8PrivateKey_bio _ %+ BORINGSSL_PREFIX %+ _d2i_PKCS8PrivateKey_bio\n%xdefine _d2i_PKCS8PrivateKey_fp _ %+ BORINGSSL_PREFIX %+ _d2i_PKCS8PrivateKey_fp\n%xdefine _d2i_PKCS8_PRIV_KEY_INFO _ %+ BORINGSSL_PREFIX %+ _d2i_PKCS8_PRIV_KEY_INFO\n%xdefine _d2i_PKCS8_PRIV_KEY_INFO_bio _ %+ BORINGSSL_PREFIX %+ _d2i_PKCS8_PRIV_KEY_INFO_bio\n%xdefine _d2i_PKCS8_PRIV_KEY_INFO_fp _ %+ BORINGSSL_PREFIX %+ _d2i_PKCS8_PRIV_KEY_INFO_fp\n%xdefine _d2i_PKCS8_bio _ %+ BORINGSSL_PREFIX %+ _d2i_PKCS8_bio\n%xdefine _d2i_PKCS8_fp _ %+ BORINGSSL_PREFIX %+ _d2i_PKCS8_fp\n%xdefine _d2i_PUBKEY _ %+ BORINGSSL_PREFIX %+ _d2i_PUBKEY\n%xdefine _d2i_PUBKEY_bio _ %+ BORINGSSL_PREFIX %+ _d2i_PUBKEY_bio\n%xdefine _d2i_PUBKEY_fp _ %+ BORINGSSL_PREFIX %+ _d2i_PUBKEY_fp\n%xdefine _d2i_PrivateKey _ %+ BORINGSSL_PREFIX %+ _d2i_PrivateKey\n%xdefine _d2i_PrivateKey_bio _ %+ BORINGSSL_PREFIX %+ _d2i_PrivateKey_bio\n%xdefine _d2i_PrivateKey_fp _ %+ BORINGSSL_PREFIX %+ _d2i_PrivateKey_fp\n%xdefine _d2i_PublicKey _ %+ BORINGSSL_PREFIX %+ _d2i_PublicKey\n%xdefine _d2i_RSAPrivateKey _ %+ BORINGSSL_PREFIX %+ _d2i_RSAPrivateKey\n%xdefine _d2i_RSAPrivateKey_bio _ %+ BORINGSSL_PREFIX %+ _d2i_RSAPrivateKey_bio\n%xdefine _d2i_RSAPrivateKey_fp _ %+ BORINGSSL_PREFIX %+ _d2i_RSAPrivateKey_fp\n%xdefine _d2i_RSAPublicKey _ %+ BORINGSSL_PREFIX %+ _d2i_RSAPublicKey\n%xdefine _d2i_RSAPublicKey_bio _ %+ BORINGSSL_PREFIX %+ _d2i_RSAPublicKey_bio\n%xdefine _d2i_RSAPublicKey_fp _ %+ BORINGSSL_PREFIX %+ _d2i_RSAPublicKey_fp\n%xdefine _d2i_RSA_PSS_PARAMS _ %+ BORINGSSL_PREFIX %+ _d2i_RSA_PSS_PARAMS\n%xdefine _d2i_RSA_PUBKEY _ %+ BORINGSSL_PREFIX %+ _d2i_RSA_PUBKEY\n%xdefine _d2i_RSA_PUBKEY_bio _ %+ BORINGSSL_PREFIX %+ _d2i_RSA_PUBKEY_bio\n%xdefine _d2i_RSA_PUBKEY_fp _ %+ BORINGSSL_PREFIX %+ _d2i_RSA_PUBKEY_fp\n%xdefine _d2i_SSL_SESSION _ %+ BORINGSSL_PREFIX %+ _d2i_SSL_SESSION\n%xdefine _d2i_SSL_SESSION_bio _ %+ BORINGSSL_PREFIX %+ _d2i_SSL_SESSION_bio\n%xdefine _d2i_X509 _ %+ BORINGSSL_PREFIX %+ _d2i_X509\n%xdefine _d2i_X509_ALGOR _ %+ BORINGSSL_PREFIX %+ _d2i_X509_ALGOR\n%xdefine _d2i_X509_ATTRIBUTE _ %+ BORINGSSL_PREFIX %+ _d2i_X509_ATTRIBUTE\n%xdefine _d2i_X509_AUX _ %+ BORINGSSL_PREFIX %+ _d2i_X509_AUX\n%xdefine _d2i_X509_CERT_AUX _ %+ BORINGSSL_PREFIX %+ _d2i_X509_CERT_AUX\n%xdefine _d2i_X509_CINF _ %+ BORINGSSL_PREFIX %+ _d2i_X509_CINF\n%xdefine _d2i_X509_CRL _ %+ BORINGSSL_PREFIX %+ _d2i_X509_CRL\n%xdefine _d2i_X509_CRL_INFO _ %+ BORINGSSL_PREFIX %+ _d2i_X509_CRL_INFO\n%xdefine _d2i_X509_CRL_bio _ %+ BORINGSSL_PREFIX %+ _d2i_X509_CRL_bio\n%xdefine _d2i_X509_CRL_fp _ %+ BORINGSSL_PREFIX %+ _d2i_X509_CRL_fp\n%xdefine _d2i_X509_EXTENSION _ %+ BORINGSSL_PREFIX %+ _d2i_X509_EXTENSION\n%xdefine _d2i_X509_EXTENSIONS _ %+ BORINGSSL_PREFIX %+ _d2i_X509_EXTENSIONS\n%xdefine _d2i_X509_NAME _ %+ BORINGSSL_PREFIX %+ _d2i_X509_NAME\n%xdefine _d2i_X509_PUBKEY _ %+ BORINGSSL_PREFIX %+ _d2i_X509_PUBKEY\n%xdefine _d2i_X509_REQ _ %+ BORINGSSL_PREFIX %+ _d2i_X509_REQ\n%xdefine _d2i_X509_REQ_INFO _ %+ BORINGSSL_PREFIX %+ _d2i_X509_REQ_INFO\n%xdefine _d2i_X509_REQ_bio _ %+ BORINGSSL_PREFIX %+ _d2i_X509_REQ_bio\n%xdefine _d2i_X509_REQ_fp _ %+ BORINGSSL_PREFIX %+ _d2i_X509_REQ_fp\n%xdefine _d2i_X509_REVOKED _ %+ BORINGSSL_PREFIX %+ _d2i_X509_REVOKED\n%xdefine _d2i_X509_SIG _ %+ BORINGSSL_PREFIX %+ _d2i_X509_SIG\n%xdefine _d2i_X509_VAL _ %+ BORINGSSL_PREFIX %+ _d2i_X509_VAL\n%xdefine _d2i_X509_bio _ %+ BORINGSSL_PREFIX %+ _d2i_X509_bio\n%xdefine _d2i_X509_fp _ %+ BORINGSSL_PREFIX %+ _d2i_X509_fp\n%xdefine _dh_asn1_meth _ %+ BORINGSSL_PREFIX %+ _dh_asn1_meth\n%xdefine _dh_check_params_fast _ %+ BORINGSSL_PREFIX %+ _dh_check_params_fast\n%xdefine _dh_compute_key_padded_no_self_test _ %+ BORINGSSL_PREFIX %+ _dh_compute_key_padded_no_self_test\n%xdefine _dh_pkey_meth _ %+ BORINGSSL_PREFIX %+ _dh_pkey_meth\n%xdefine _dsa_asn1_meth _ %+ BORINGSSL_PREFIX %+ _dsa_asn1_meth\n%xdefine _dsa_check_key _ %+ BORINGSSL_PREFIX %+ _dsa_check_key\n%xdefine _ec_GFp_mont_add _ %+ BORINGSSL_PREFIX %+ _ec_GFp_mont_add\n%xdefine _ec_GFp_mont_dbl _ %+ BORINGSSL_PREFIX %+ _ec_GFp_mont_dbl\n%xdefine _ec_GFp_mont_felem_exp _ %+ BORINGSSL_PREFIX %+ _ec_GFp_mont_felem_exp\n%xdefine _ec_GFp_mont_felem_from_bytes _ %+ BORINGSSL_PREFIX %+ _ec_GFp_mont_felem_from_bytes\n%xdefine _ec_GFp_mont_felem_mul _ %+ BORINGSSL_PREFIX %+ _ec_GFp_mont_felem_mul\n%xdefine _ec_GFp_mont_felem_reduce _ %+ BORINGSSL_PREFIX %+ _ec_GFp_mont_felem_reduce\n%xdefine _ec_GFp_mont_felem_sqr _ %+ BORINGSSL_PREFIX %+ _ec_GFp_mont_felem_sqr\n%xdefine _ec_GFp_mont_felem_to_bytes _ %+ BORINGSSL_PREFIX %+ _ec_GFp_mont_felem_to_bytes\n%xdefine _ec_GFp_mont_init_precomp _ %+ BORINGSSL_PREFIX %+ _ec_GFp_mont_init_precomp\n%xdefine _ec_GFp_mont_mul _ %+ BORINGSSL_PREFIX %+ _ec_GFp_mont_mul\n%xdefine _ec_GFp_mont_mul_base _ %+ BORINGSSL_PREFIX %+ _ec_GFp_mont_mul_base\n%xdefine _ec_GFp_mont_mul_batch _ %+ BORINGSSL_PREFIX %+ _ec_GFp_mont_mul_batch\n%xdefine _ec_GFp_mont_mul_precomp _ %+ BORINGSSL_PREFIX %+ _ec_GFp_mont_mul_precomp\n%xdefine _ec_GFp_mont_mul_public_batch _ %+ BORINGSSL_PREFIX %+ _ec_GFp_mont_mul_public_batch\n%xdefine _ec_GFp_nistp_recode_scalar_bits _ %+ BORINGSSL_PREFIX %+ _ec_GFp_nistp_recode_scalar_bits\n%xdefine _ec_GFp_simple_cmp_x_coordinate _ %+ BORINGSSL_PREFIX %+ _ec_GFp_simple_cmp_x_coordinate\n%xdefine _ec_GFp_simple_felem_from_bytes _ %+ BORINGSSL_PREFIX %+ _ec_GFp_simple_felem_from_bytes\n%xdefine _ec_GFp_simple_felem_to_bytes _ %+ BORINGSSL_PREFIX %+ _ec_GFp_simple_felem_to_bytes\n%xdefine _ec_GFp_simple_group_get_curve _ %+ BORINGSSL_PREFIX %+ _ec_GFp_simple_group_get_curve\n%xdefine _ec_GFp_simple_group_set_curve _ %+ BORINGSSL_PREFIX %+ _ec_GFp_simple_group_set_curve\n%xdefine _ec_GFp_simple_invert _ %+ BORINGSSL_PREFIX %+ _ec_GFp_simple_invert\n%xdefine _ec_GFp_simple_is_at_infinity _ %+ BORINGSSL_PREFIX %+ _ec_GFp_simple_is_at_infinity\n%xdefine _ec_GFp_simple_is_on_curve _ %+ BORINGSSL_PREFIX %+ _ec_GFp_simple_is_on_curve\n%xdefine _ec_GFp_simple_point_copy _ %+ BORINGSSL_PREFIX %+ _ec_GFp_simple_point_copy\n%xdefine _ec_GFp_simple_point_init _ %+ BORINGSSL_PREFIX %+ _ec_GFp_simple_point_init\n%xdefine _ec_GFp_simple_point_set_to_infinity _ %+ BORINGSSL_PREFIX %+ _ec_GFp_simple_point_set_to_infinity\n%xdefine _ec_GFp_simple_points_equal _ %+ BORINGSSL_PREFIX %+ _ec_GFp_simple_points_equal\n%xdefine _ec_affine_jacobian_equal _ %+ BORINGSSL_PREFIX %+ _ec_affine_jacobian_equal\n%xdefine _ec_affine_select _ %+ BORINGSSL_PREFIX %+ _ec_affine_select\n%xdefine _ec_affine_to_jacobian _ %+ BORINGSSL_PREFIX %+ _ec_affine_to_jacobian\n%xdefine _ec_asn1_meth _ %+ BORINGSSL_PREFIX %+ _ec_asn1_meth\n%xdefine _ec_bignum_to_felem _ %+ BORINGSSL_PREFIX %+ _ec_bignum_to_felem\n%xdefine _ec_bignum_to_scalar _ %+ BORINGSSL_PREFIX %+ _ec_bignum_to_scalar\n%xdefine _ec_cmp_x_coordinate _ %+ BORINGSSL_PREFIX %+ _ec_cmp_x_coordinate\n%xdefine _ec_compute_wNAF _ %+ BORINGSSL_PREFIX %+ _ec_compute_wNAF\n%xdefine _ec_felem_add _ %+ BORINGSSL_PREFIX %+ _ec_felem_add\n%xdefine _ec_felem_equal _ %+ BORINGSSL_PREFIX %+ _ec_felem_equal\n%xdefine _ec_felem_from_bytes _ %+ BORINGSSL_PREFIX %+ _ec_felem_from_bytes\n%xdefine _ec_felem_neg _ %+ BORINGSSL_PREFIX %+ _ec_felem_neg\n%xdefine _ec_felem_non_zero_mask _ %+ BORINGSSL_PREFIX %+ _ec_felem_non_zero_mask\n%xdefine _ec_felem_one _ %+ BORINGSSL_PREFIX %+ _ec_felem_one\n%xdefine _ec_felem_select _ %+ BORINGSSL_PREFIX %+ _ec_felem_select\n%xdefine _ec_felem_sub _ %+ BORINGSSL_PREFIX %+ _ec_felem_sub\n%xdefine _ec_felem_to_bignum _ %+ BORINGSSL_PREFIX %+ _ec_felem_to_bignum\n%xdefine _ec_felem_to_bytes _ %+ BORINGSSL_PREFIX %+ _ec_felem_to_bytes\n%xdefine _ec_get_x_coordinate_as_bytes _ %+ BORINGSSL_PREFIX %+ _ec_get_x_coordinate_as_bytes\n%xdefine _ec_get_x_coordinate_as_scalar _ %+ BORINGSSL_PREFIX %+ _ec_get_x_coordinate_as_scalar\n%xdefine _ec_hash_to_curve_p256_xmd_sha256_sswu _ %+ BORINGSSL_PREFIX %+ _ec_hash_to_curve_p256_xmd_sha256_sswu\n%xdefine _ec_hash_to_curve_p384_xmd_sha384_sswu _ %+ BORINGSSL_PREFIX %+ _ec_hash_to_curve_p384_xmd_sha384_sswu\n%xdefine _ec_hash_to_curve_p384_xmd_sha512_sswu_draft07 _ %+ BORINGSSL_PREFIX %+ _ec_hash_to_curve_p384_xmd_sha512_sswu_draft07\n%xdefine _ec_hash_to_scalar_p384_xmd_sha384 _ %+ BORINGSSL_PREFIX %+ _ec_hash_to_scalar_p384_xmd_sha384\n%xdefine _ec_hash_to_scalar_p384_xmd_sha512_draft07 _ %+ BORINGSSL_PREFIX %+ _ec_hash_to_scalar_p384_xmd_sha512_draft07\n%xdefine _ec_init_precomp _ %+ BORINGSSL_PREFIX %+ _ec_init_precomp\n%xdefine _ec_jacobian_to_affine _ %+ BORINGSSL_PREFIX %+ _ec_jacobian_to_affine\n%xdefine _ec_jacobian_to_affine_batch _ %+ BORINGSSL_PREFIX %+ _ec_jacobian_to_affine_batch\n%xdefine _ec_pkey_meth _ %+ BORINGSSL_PREFIX %+ _ec_pkey_meth\n%xdefine _ec_point_byte_len _ %+ BORINGSSL_PREFIX %+ _ec_point_byte_len\n%xdefine _ec_point_from_uncompressed _ %+ BORINGSSL_PREFIX %+ _ec_point_from_uncompressed\n%xdefine _ec_point_mul_no_self_test _ %+ BORINGSSL_PREFIX %+ _ec_point_mul_no_self_test\n%xdefine _ec_point_mul_scalar _ %+ BORINGSSL_PREFIX %+ _ec_point_mul_scalar\n%xdefine _ec_point_mul_scalar_base _ %+ BORINGSSL_PREFIX %+ _ec_point_mul_scalar_base\n%xdefine _ec_point_mul_scalar_batch _ %+ BORINGSSL_PREFIX %+ _ec_point_mul_scalar_batch\n%xdefine _ec_point_mul_scalar_precomp _ %+ BORINGSSL_PREFIX %+ _ec_point_mul_scalar_precomp\n%xdefine _ec_point_mul_scalar_public _ %+ BORINGSSL_PREFIX %+ _ec_point_mul_scalar_public\n%xdefine _ec_point_mul_scalar_public_batch _ %+ BORINGSSL_PREFIX %+ _ec_point_mul_scalar_public_batch\n%xdefine _ec_point_select _ %+ BORINGSSL_PREFIX %+ _ec_point_select\n%xdefine _ec_point_set_affine_coordinates _ %+ BORINGSSL_PREFIX %+ _ec_point_set_affine_coordinates\n%xdefine _ec_point_to_bytes _ %+ BORINGSSL_PREFIX %+ _ec_point_to_bytes\n%xdefine _ec_precomp_select _ %+ BORINGSSL_PREFIX %+ _ec_precomp_select\n%xdefine _ec_random_nonzero_scalar _ %+ BORINGSSL_PREFIX %+ _ec_random_nonzero_scalar\n%xdefine _ec_random_scalar _ %+ BORINGSSL_PREFIX %+ _ec_random_scalar\n%xdefine _ec_scalar_add _ %+ BORINGSSL_PREFIX %+ _ec_scalar_add\n%xdefine _ec_scalar_equal_vartime _ %+ BORINGSSL_PREFIX %+ _ec_scalar_equal_vartime\n%xdefine _ec_scalar_from_bytes _ %+ BORINGSSL_PREFIX %+ _ec_scalar_from_bytes\n%xdefine _ec_scalar_from_montgomery _ %+ BORINGSSL_PREFIX %+ _ec_scalar_from_montgomery\n%xdefine _ec_scalar_inv0_montgomery _ %+ BORINGSSL_PREFIX %+ _ec_scalar_inv0_montgomery\n%xdefine _ec_scalar_is_zero _ %+ BORINGSSL_PREFIX %+ _ec_scalar_is_zero\n%xdefine _ec_scalar_mul_montgomery _ %+ BORINGSSL_PREFIX %+ _ec_scalar_mul_montgomery\n%xdefine _ec_scalar_neg _ %+ BORINGSSL_PREFIX %+ _ec_scalar_neg\n%xdefine _ec_scalar_reduce _ %+ BORINGSSL_PREFIX %+ _ec_scalar_reduce\n%xdefine _ec_scalar_select _ %+ BORINGSSL_PREFIX %+ _ec_scalar_select\n%xdefine _ec_scalar_sub _ %+ BORINGSSL_PREFIX %+ _ec_scalar_sub\n%xdefine _ec_scalar_to_bytes _ %+ BORINGSSL_PREFIX %+ _ec_scalar_to_bytes\n%xdefine _ec_scalar_to_montgomery _ %+ BORINGSSL_PREFIX %+ _ec_scalar_to_montgomery\n%xdefine _ec_scalar_to_montgomery_inv_vartime _ %+ BORINGSSL_PREFIX %+ _ec_scalar_to_montgomery_inv_vartime\n%xdefine _ec_set_to_safe_point _ %+ BORINGSSL_PREFIX %+ _ec_set_to_safe_point\n%xdefine _ec_simple_scalar_inv0_montgomery _ %+ BORINGSSL_PREFIX %+ _ec_simple_scalar_inv0_montgomery\n%xdefine _ec_simple_scalar_to_montgomery_inv_vartime _ %+ BORINGSSL_PREFIX %+ _ec_simple_scalar_to_montgomery_inv_vartime\n%xdefine _ecdsa_sign_fixed _ %+ BORINGSSL_PREFIX %+ _ecdsa_sign_fixed\n%xdefine _ecdsa_sign_fixed_with_nonce_for_known_answer_test _ %+ BORINGSSL_PREFIX %+ _ecdsa_sign_fixed_with_nonce_for_known_answer_test\n%xdefine _ecdsa_verify_fixed _ %+ BORINGSSL_PREFIX %+ _ecdsa_verify_fixed\n%xdefine _ecdsa_verify_fixed_no_self_test _ %+ BORINGSSL_PREFIX %+ _ecdsa_verify_fixed_no_self_test\n%xdefine _ecp_nistz256_div_by_2 _ %+ BORINGSSL_PREFIX %+ _ecp_nistz256_div_by_2\n%xdefine _ecp_nistz256_mul_by_2 _ %+ BORINGSSL_PREFIX %+ _ecp_nistz256_mul_by_2\n%xdefine _ecp_nistz256_mul_by_3 _ %+ BORINGSSL_PREFIX %+ _ecp_nistz256_mul_by_3\n%xdefine _ecp_nistz256_mul_mont _ %+ BORINGSSL_PREFIX %+ _ecp_nistz256_mul_mont\n%xdefine _ecp_nistz256_mul_mont_adx _ %+ BORINGSSL_PREFIX %+ _ecp_nistz256_mul_mont_adx\n%xdefine _ecp_nistz256_mul_mont_nohw _ %+ BORINGSSL_PREFIX %+ _ecp_nistz256_mul_mont_nohw\n%xdefine _ecp_nistz256_neg _ %+ BORINGSSL_PREFIX %+ _ecp_nistz256_neg\n%xdefine _ecp_nistz256_ord_mul_mont _ %+ BORINGSSL_PREFIX %+ _ecp_nistz256_ord_mul_mont\n%xdefine _ecp_nistz256_ord_mul_mont_adx _ %+ BORINGSSL_PREFIX %+ _ecp_nistz256_ord_mul_mont_adx\n%xdefine _ecp_nistz256_ord_mul_mont_nohw _ %+ BORINGSSL_PREFIX %+ _ecp_nistz256_ord_mul_mont_nohw\n%xdefine _ecp_nistz256_ord_sqr_mont _ %+ BORINGSSL_PREFIX %+ _ecp_nistz256_ord_sqr_mont\n%xdefine _ecp_nistz256_ord_sqr_mont_adx _ %+ BORINGSSL_PREFIX %+ _ecp_nistz256_ord_sqr_mont_adx\n%xdefine _ecp_nistz256_ord_sqr_mont_nohw _ %+ BORINGSSL_PREFIX %+ _ecp_nistz256_ord_sqr_mont_nohw\n%xdefine _ecp_nistz256_point_add _ %+ BORINGSSL_PREFIX %+ _ecp_nistz256_point_add\n%xdefine _ecp_nistz256_point_add_adx _ %+ BORINGSSL_PREFIX %+ _ecp_nistz256_point_add_adx\n%xdefine _ecp_nistz256_point_add_affine _ %+ BORINGSSL_PREFIX %+ _ecp_nistz256_point_add_affine\n%xdefine _ecp_nistz256_point_add_affine_adx _ %+ BORINGSSL_PREFIX %+ _ecp_nistz256_point_add_affine_adx\n%xdefine _ecp_nistz256_point_add_affine_nohw _ %+ BORINGSSL_PREFIX %+ _ecp_nistz256_point_add_affine_nohw\n%xdefine _ecp_nistz256_point_add_nohw _ %+ BORINGSSL_PREFIX %+ _ecp_nistz256_point_add_nohw\n%xdefine _ecp_nistz256_point_double _ %+ BORINGSSL_PREFIX %+ _ecp_nistz256_point_double\n%xdefine _ecp_nistz256_point_double_adx _ %+ BORINGSSL_PREFIX %+ _ecp_nistz256_point_double_adx\n%xdefine _ecp_nistz256_point_double_nohw _ %+ BORINGSSL_PREFIX %+ _ecp_nistz256_point_double_nohw\n%xdefine _ecp_nistz256_select_w5 _ %+ BORINGSSL_PREFIX %+ _ecp_nistz256_select_w5\n%xdefine _ecp_nistz256_select_w5_avx2 _ %+ BORINGSSL_PREFIX %+ _ecp_nistz256_select_w5_avx2\n%xdefine _ecp_nistz256_select_w5_nohw _ %+ BORINGSSL_PREFIX %+ _ecp_nistz256_select_w5_nohw\n%xdefine _ecp_nistz256_select_w7 _ %+ BORINGSSL_PREFIX %+ _ecp_nistz256_select_w7\n%xdefine _ecp_nistz256_select_w7_avx2 _ %+ BORINGSSL_PREFIX %+ _ecp_nistz256_select_w7_avx2\n%xdefine _ecp_nistz256_select_w7_nohw _ %+ BORINGSSL_PREFIX %+ _ecp_nistz256_select_w7_nohw\n%xdefine _ecp_nistz256_sqr_mont _ %+ BORINGSSL_PREFIX %+ _ecp_nistz256_sqr_mont\n%xdefine _ecp_nistz256_sqr_mont_adx _ %+ BORINGSSL_PREFIX %+ _ecp_nistz256_sqr_mont_adx\n%xdefine _ecp_nistz256_sqr_mont_nohw _ %+ BORINGSSL_PREFIX %+ _ecp_nistz256_sqr_mont_nohw\n%xdefine _ecp_nistz256_sub _ %+ BORINGSSL_PREFIX %+ _ecp_nistz256_sub\n%xdefine _ed25519_asn1_meth _ %+ BORINGSSL_PREFIX %+ _ed25519_asn1_meth\n%xdefine _ed25519_pkey_meth _ %+ BORINGSSL_PREFIX %+ _ed25519_pkey_meth\n%xdefine _evp_pkey_set_method _ %+ BORINGSSL_PREFIX %+ _evp_pkey_set_method\n%xdefine _fiat_curve25519_adx_mul _ %+ BORINGSSL_PREFIX %+ _fiat_curve25519_adx_mul\n%xdefine _fiat_curve25519_adx_square _ %+ BORINGSSL_PREFIX %+ _fiat_curve25519_adx_square\n%xdefine _fiat_p256_adx_mul _ %+ BORINGSSL_PREFIX %+ _fiat_p256_adx_mul\n%xdefine _fiat_p256_adx_sqr _ %+ BORINGSSL_PREFIX %+ _fiat_p256_adx_sqr\n%xdefine _gcm_ghash_avx _ %+ BORINGSSL_PREFIX %+ _gcm_ghash_avx\n%xdefine _gcm_ghash_clmul _ %+ BORINGSSL_PREFIX %+ _gcm_ghash_clmul\n%xdefine _gcm_ghash_neon _ %+ BORINGSSL_PREFIX %+ _gcm_ghash_neon\n%xdefine _gcm_ghash_nohw _ %+ BORINGSSL_PREFIX %+ _gcm_ghash_nohw\n%xdefine _gcm_ghash_ssse3 _ %+ BORINGSSL_PREFIX %+ _gcm_ghash_ssse3\n%xdefine _gcm_ghash_v8 _ %+ BORINGSSL_PREFIX %+ _gcm_ghash_v8\n%xdefine _gcm_ghash_vpclmulqdq_avx10_512 _ %+ BORINGSSL_PREFIX %+ _gcm_ghash_vpclmulqdq_avx10_512\n%xdefine _gcm_ghash_vpclmulqdq_avx2 _ %+ BORINGSSL_PREFIX %+ _gcm_ghash_vpclmulqdq_avx2\n%xdefine _gcm_gmult_avx _ %+ BORINGSSL_PREFIX %+ _gcm_gmult_avx\n%xdefine _gcm_gmult_clmul _ %+ BORINGSSL_PREFIX %+ _gcm_gmult_clmul\n%xdefine _gcm_gmult_neon _ %+ BORINGSSL_PREFIX %+ _gcm_gmult_neon\n%xdefine _gcm_gmult_nohw _ %+ BORINGSSL_PREFIX %+ _gcm_gmult_nohw\n%xdefine _gcm_gmult_ssse3 _ %+ BORINGSSL_PREFIX %+ _gcm_gmult_ssse3\n%xdefine _gcm_gmult_v8 _ %+ BORINGSSL_PREFIX %+ _gcm_gmult_v8\n%xdefine _gcm_gmult_vpclmulqdq_avx10 _ %+ BORINGSSL_PREFIX %+ _gcm_gmult_vpclmulqdq_avx10\n%xdefine _gcm_gmult_vpclmulqdq_avx2 _ %+ BORINGSSL_PREFIX %+ _gcm_gmult_vpclmulqdq_avx2\n%xdefine _gcm_init_avx _ %+ BORINGSSL_PREFIX %+ _gcm_init_avx\n%xdefine _gcm_init_clmul _ %+ BORINGSSL_PREFIX %+ _gcm_init_clmul\n%xdefine _gcm_init_neon _ %+ BORINGSSL_PREFIX %+ _gcm_init_neon\n%xdefine _gcm_init_nohw _ %+ BORINGSSL_PREFIX %+ _gcm_init_nohw\n%xdefine _gcm_init_ssse3 _ %+ BORINGSSL_PREFIX %+ _gcm_init_ssse3\n%xdefine _gcm_init_v8 _ %+ BORINGSSL_PREFIX %+ _gcm_init_v8\n%xdefine _gcm_init_vpclmulqdq_avx10_512 _ %+ BORINGSSL_PREFIX %+ _gcm_init_vpclmulqdq_avx10_512\n%xdefine _gcm_init_vpclmulqdq_avx2 _ %+ BORINGSSL_PREFIX %+ _gcm_init_vpclmulqdq_avx2\n%xdefine _gcm_neon_capable _ %+ BORINGSSL_PREFIX %+ _gcm_neon_capable\n%xdefine _gcm_pmull_capable _ %+ BORINGSSL_PREFIX %+ _gcm_pmull_capable\n%xdefine _have_fast_rdrand _ %+ BORINGSSL_PREFIX %+ _have_fast_rdrand\n%xdefine _have_rdrand _ %+ BORINGSSL_PREFIX %+ _have_rdrand\n%xdefine _hkdf_pkey_meth _ %+ BORINGSSL_PREFIX %+ _hkdf_pkey_meth\n%xdefine _hwaes_capable _ %+ BORINGSSL_PREFIX %+ _hwaes_capable\n%xdefine _i2a_ASN1_ENUMERATED _ %+ BORINGSSL_PREFIX %+ _i2a_ASN1_ENUMERATED\n%xdefine _i2a_ASN1_INTEGER _ %+ BORINGSSL_PREFIX %+ _i2a_ASN1_INTEGER\n%xdefine _i2a_ASN1_OBJECT _ %+ BORINGSSL_PREFIX %+ _i2a_ASN1_OBJECT\n%xdefine _i2a_ASN1_STRING _ %+ BORINGSSL_PREFIX %+ _i2a_ASN1_STRING\n%xdefine _i2c_ASN1_BIT_STRING _ %+ BORINGSSL_PREFIX %+ _i2c_ASN1_BIT_STRING\n%xdefine _i2c_ASN1_INTEGER _ %+ BORINGSSL_PREFIX %+ _i2c_ASN1_INTEGER\n%xdefine _i2d_ASN1_BIT_STRING _ %+ BORINGSSL_PREFIX %+ _i2d_ASN1_BIT_STRING\n%xdefine _i2d_ASN1_BMPSTRING _ %+ BORINGSSL_PREFIX %+ _i2d_ASN1_BMPSTRING\n%xdefine _i2d_ASN1_BOOLEAN _ %+ BORINGSSL_PREFIX %+ _i2d_ASN1_BOOLEAN\n%xdefine _i2d_ASN1_ENUMERATED _ %+ BORINGSSL_PREFIX %+ _i2d_ASN1_ENUMERATED\n%xdefine _i2d_ASN1_GENERALIZEDTIME _ %+ BORINGSSL_PREFIX %+ _i2d_ASN1_GENERALIZEDTIME\n%xdefine _i2d_ASN1_GENERALSTRING _ %+ BORINGSSL_PREFIX %+ _i2d_ASN1_GENERALSTRING\n%xdefine _i2d_ASN1_IA5STRING _ %+ BORINGSSL_PREFIX %+ _i2d_ASN1_IA5STRING\n%xdefine _i2d_ASN1_INTEGER _ %+ BORINGSSL_PREFIX %+ _i2d_ASN1_INTEGER\n%xdefine _i2d_ASN1_NULL _ %+ BORINGSSL_PREFIX %+ _i2d_ASN1_NULL\n%xdefine _i2d_ASN1_OBJECT _ %+ BORINGSSL_PREFIX %+ _i2d_ASN1_OBJECT\n%xdefine _i2d_ASN1_OCTET_STRING _ %+ BORINGSSL_PREFIX %+ _i2d_ASN1_OCTET_STRING\n%xdefine _i2d_ASN1_PRINTABLE _ %+ BORINGSSL_PREFIX %+ _i2d_ASN1_PRINTABLE\n%xdefine _i2d_ASN1_PRINTABLESTRING _ %+ BORINGSSL_PREFIX %+ _i2d_ASN1_PRINTABLESTRING\n%xdefine _i2d_ASN1_SEQUENCE_ANY _ %+ BORINGSSL_PREFIX %+ _i2d_ASN1_SEQUENCE_ANY\n%xdefine _i2d_ASN1_SET_ANY _ %+ BORINGSSL_PREFIX %+ _i2d_ASN1_SET_ANY\n%xdefine _i2d_ASN1_T61STRING _ %+ BORINGSSL_PREFIX %+ _i2d_ASN1_T61STRING\n%xdefine _i2d_ASN1_TIME _ %+ BORINGSSL_PREFIX %+ _i2d_ASN1_TIME\n%xdefine _i2d_ASN1_TYPE _ %+ BORINGSSL_PREFIX %+ _i2d_ASN1_TYPE\n%xdefine _i2d_ASN1_UNIVERSALSTRING _ %+ BORINGSSL_PREFIX %+ _i2d_ASN1_UNIVERSALSTRING\n%xdefine _i2d_ASN1_UTCTIME _ %+ BORINGSSL_PREFIX %+ _i2d_ASN1_UTCTIME\n%xdefine _i2d_ASN1_UTF8STRING _ %+ BORINGSSL_PREFIX %+ _i2d_ASN1_UTF8STRING\n%xdefine _i2d_ASN1_VISIBLESTRING _ %+ BORINGSSL_PREFIX %+ _i2d_ASN1_VISIBLESTRING\n%xdefine _i2d_AUTHORITY_INFO_ACCESS _ %+ BORINGSSL_PREFIX %+ _i2d_AUTHORITY_INFO_ACCESS\n%xdefine _i2d_AUTHORITY_KEYID _ %+ BORINGSSL_PREFIX %+ _i2d_AUTHORITY_KEYID\n%xdefine _i2d_BASIC_CONSTRAINTS _ %+ BORINGSSL_PREFIX %+ _i2d_BASIC_CONSTRAINTS\n%xdefine _i2d_CERTIFICATEPOLICIES _ %+ BORINGSSL_PREFIX %+ _i2d_CERTIFICATEPOLICIES\n%xdefine _i2d_CRL_DIST_POINTS _ %+ BORINGSSL_PREFIX %+ _i2d_CRL_DIST_POINTS\n%xdefine _i2d_DHparams _ %+ BORINGSSL_PREFIX %+ _i2d_DHparams\n%xdefine _i2d_DHparams_bio _ %+ BORINGSSL_PREFIX %+ _i2d_DHparams_bio\n%xdefine _i2d_DIRECTORYSTRING _ %+ BORINGSSL_PREFIX %+ _i2d_DIRECTORYSTRING\n%xdefine _i2d_DISPLAYTEXT _ %+ BORINGSSL_PREFIX %+ _i2d_DISPLAYTEXT\n%xdefine _i2d_DSAPrivateKey _ %+ BORINGSSL_PREFIX %+ _i2d_DSAPrivateKey\n%xdefine _i2d_DSAPrivateKey_bio _ %+ BORINGSSL_PREFIX %+ _i2d_DSAPrivateKey_bio\n%xdefine _i2d_DSAPrivateKey_fp _ %+ BORINGSSL_PREFIX %+ _i2d_DSAPrivateKey_fp\n%xdefine _i2d_DSAPublicKey _ %+ BORINGSSL_PREFIX %+ _i2d_DSAPublicKey\n%xdefine _i2d_DSA_PUBKEY _ %+ BORINGSSL_PREFIX %+ _i2d_DSA_PUBKEY\n%xdefine _i2d_DSA_PUBKEY_bio _ %+ BORINGSSL_PREFIX %+ _i2d_DSA_PUBKEY_bio\n%xdefine _i2d_DSA_PUBKEY_fp _ %+ BORINGSSL_PREFIX %+ _i2d_DSA_PUBKEY_fp\n%xdefine _i2d_DSA_SIG _ %+ BORINGSSL_PREFIX %+ _i2d_DSA_SIG\n%xdefine _i2d_DSAparams _ %+ BORINGSSL_PREFIX %+ _i2d_DSAparams\n%xdefine _i2d_ECDSA_SIG _ %+ BORINGSSL_PREFIX %+ _i2d_ECDSA_SIG\n%xdefine _i2d_ECPKParameters _ %+ BORINGSSL_PREFIX %+ _i2d_ECPKParameters\n%xdefine _i2d_ECParameters _ %+ BORINGSSL_PREFIX %+ _i2d_ECParameters\n%xdefine _i2d_ECPrivateKey _ %+ BORINGSSL_PREFIX %+ _i2d_ECPrivateKey\n%xdefine _i2d_ECPrivateKey_bio _ %+ BORINGSSL_PREFIX %+ _i2d_ECPrivateKey_bio\n%xdefine _i2d_ECPrivateKey_fp _ %+ BORINGSSL_PREFIX %+ _i2d_ECPrivateKey_fp\n%xdefine _i2d_EC_PUBKEY _ %+ BORINGSSL_PREFIX %+ _i2d_EC_PUBKEY\n%xdefine _i2d_EC_PUBKEY_bio _ %+ BORINGSSL_PREFIX %+ _i2d_EC_PUBKEY_bio\n%xdefine _i2d_EC_PUBKEY_fp _ %+ BORINGSSL_PREFIX %+ _i2d_EC_PUBKEY_fp\n%xdefine _i2d_EXTENDED_KEY_USAGE _ %+ BORINGSSL_PREFIX %+ _i2d_EXTENDED_KEY_USAGE\n%xdefine _i2d_GENERAL_NAME _ %+ BORINGSSL_PREFIX %+ _i2d_GENERAL_NAME\n%xdefine _i2d_GENERAL_NAMES _ %+ BORINGSSL_PREFIX %+ _i2d_GENERAL_NAMES\n%xdefine _i2d_ISSUING_DIST_POINT _ %+ BORINGSSL_PREFIX %+ _i2d_ISSUING_DIST_POINT\n%xdefine _i2d_NETSCAPE_SPKAC _ %+ BORINGSSL_PREFIX %+ _i2d_NETSCAPE_SPKAC\n%xdefine _i2d_NETSCAPE_SPKI _ %+ BORINGSSL_PREFIX %+ _i2d_NETSCAPE_SPKI\n%xdefine _i2d_PKCS12 _ %+ BORINGSSL_PREFIX %+ _i2d_PKCS12\n%xdefine _i2d_PKCS12_bio _ %+ BORINGSSL_PREFIX %+ _i2d_PKCS12_bio\n%xdefine _i2d_PKCS12_fp _ %+ BORINGSSL_PREFIX %+ _i2d_PKCS12_fp\n%xdefine _i2d_PKCS7 _ %+ BORINGSSL_PREFIX %+ _i2d_PKCS7\n%xdefine _i2d_PKCS7_bio _ %+ BORINGSSL_PREFIX %+ _i2d_PKCS7_bio\n%xdefine _i2d_PKCS8PrivateKeyInfo_bio _ %+ BORINGSSL_PREFIX %+ _i2d_PKCS8PrivateKeyInfo_bio\n%xdefine _i2d_PKCS8PrivateKeyInfo_fp _ %+ BORINGSSL_PREFIX %+ _i2d_PKCS8PrivateKeyInfo_fp\n%xdefine _i2d_PKCS8PrivateKey_bio _ %+ BORINGSSL_PREFIX %+ _i2d_PKCS8PrivateKey_bio\n%xdefine _i2d_PKCS8PrivateKey_fp _ %+ BORINGSSL_PREFIX %+ _i2d_PKCS8PrivateKey_fp\n%xdefine _i2d_PKCS8PrivateKey_nid_bio _ %+ BORINGSSL_PREFIX %+ _i2d_PKCS8PrivateKey_nid_bio\n%xdefine _i2d_PKCS8PrivateKey_nid_fp _ %+ BORINGSSL_PREFIX %+ _i2d_PKCS8PrivateKey_nid_fp\n%xdefine _i2d_PKCS8_PRIV_KEY_INFO _ %+ BORINGSSL_PREFIX %+ _i2d_PKCS8_PRIV_KEY_INFO\n%xdefine _i2d_PKCS8_PRIV_KEY_INFO_bio _ %+ BORINGSSL_PREFIX %+ _i2d_PKCS8_PRIV_KEY_INFO_bio\n%xdefine _i2d_PKCS8_PRIV_KEY_INFO_fp _ %+ BORINGSSL_PREFIX %+ _i2d_PKCS8_PRIV_KEY_INFO_fp\n%xdefine _i2d_PKCS8_bio _ %+ BORINGSSL_PREFIX %+ _i2d_PKCS8_bio\n%xdefine _i2d_PKCS8_fp _ %+ BORINGSSL_PREFIX %+ _i2d_PKCS8_fp\n%xdefine _i2d_PUBKEY _ %+ BORINGSSL_PREFIX %+ _i2d_PUBKEY\n%xdefine _i2d_PUBKEY_bio _ %+ BORINGSSL_PREFIX %+ _i2d_PUBKEY_bio\n%xdefine _i2d_PUBKEY_fp _ %+ BORINGSSL_PREFIX %+ _i2d_PUBKEY_fp\n%xdefine _i2d_PrivateKey _ %+ BORINGSSL_PREFIX %+ _i2d_PrivateKey\n%xdefine _i2d_PrivateKey_bio _ %+ BORINGSSL_PREFIX %+ _i2d_PrivateKey_bio\n%xdefine _i2d_PrivateKey_fp _ %+ BORINGSSL_PREFIX %+ _i2d_PrivateKey_fp\n%xdefine _i2d_PublicKey _ %+ BORINGSSL_PREFIX %+ _i2d_PublicKey\n%xdefine _i2d_RSAPrivateKey _ %+ BORINGSSL_PREFIX %+ _i2d_RSAPrivateKey\n%xdefine _i2d_RSAPrivateKey_bio _ %+ BORINGSSL_PREFIX %+ _i2d_RSAPrivateKey_bio\n%xdefine _i2d_RSAPrivateKey_fp _ %+ BORINGSSL_PREFIX %+ _i2d_RSAPrivateKey_fp\n%xdefine _i2d_RSAPublicKey _ %+ BORINGSSL_PREFIX %+ _i2d_RSAPublicKey\n%xdefine _i2d_RSAPublicKey_bio _ %+ BORINGSSL_PREFIX %+ _i2d_RSAPublicKey_bio\n%xdefine _i2d_RSAPublicKey_fp _ %+ BORINGSSL_PREFIX %+ _i2d_RSAPublicKey_fp\n%xdefine _i2d_RSA_PSS_PARAMS _ %+ BORINGSSL_PREFIX %+ _i2d_RSA_PSS_PARAMS\n%xdefine _i2d_RSA_PUBKEY _ %+ BORINGSSL_PREFIX %+ _i2d_RSA_PUBKEY\n%xdefine _i2d_RSA_PUBKEY_bio _ %+ BORINGSSL_PREFIX %+ _i2d_RSA_PUBKEY_bio\n%xdefine _i2d_RSA_PUBKEY_fp _ %+ BORINGSSL_PREFIX %+ _i2d_RSA_PUBKEY_fp\n%xdefine _i2d_SSL_SESSION _ %+ BORINGSSL_PREFIX %+ _i2d_SSL_SESSION\n%xdefine _i2d_SSL_SESSION_bio _ %+ BORINGSSL_PREFIX %+ _i2d_SSL_SESSION_bio\n%xdefine _i2d_X509 _ %+ BORINGSSL_PREFIX %+ _i2d_X509\n%xdefine _i2d_X509_ALGOR _ %+ BORINGSSL_PREFIX %+ _i2d_X509_ALGOR\n%xdefine _i2d_X509_ATTRIBUTE _ %+ BORINGSSL_PREFIX %+ _i2d_X509_ATTRIBUTE\n%xdefine _i2d_X509_AUX _ %+ BORINGSSL_PREFIX %+ _i2d_X509_AUX\n%xdefine _i2d_X509_CERT_AUX _ %+ BORINGSSL_PREFIX %+ _i2d_X509_CERT_AUX\n%xdefine _i2d_X509_CINF _ %+ BORINGSSL_PREFIX %+ _i2d_X509_CINF\n%xdefine _i2d_X509_CRL _ %+ BORINGSSL_PREFIX %+ _i2d_X509_CRL\n%xdefine _i2d_X509_CRL_INFO _ %+ BORINGSSL_PREFIX %+ _i2d_X509_CRL_INFO\n%xdefine _i2d_X509_CRL_bio _ %+ BORINGSSL_PREFIX %+ _i2d_X509_CRL_bio\n%xdefine _i2d_X509_CRL_fp _ %+ BORINGSSL_PREFIX %+ _i2d_X509_CRL_fp\n%xdefine _i2d_X509_CRL_tbs _ %+ BORINGSSL_PREFIX %+ _i2d_X509_CRL_tbs\n%xdefine _i2d_X509_EXTENSION _ %+ BORINGSSL_PREFIX %+ _i2d_X509_EXTENSION\n%xdefine _i2d_X509_EXTENSIONS _ %+ BORINGSSL_PREFIX %+ _i2d_X509_EXTENSIONS\n%xdefine _i2d_X509_NAME _ %+ BORINGSSL_PREFIX %+ _i2d_X509_NAME\n%xdefine _i2d_X509_PUBKEY _ %+ BORINGSSL_PREFIX %+ _i2d_X509_PUBKEY\n%xdefine _i2d_X509_REQ _ %+ BORINGSSL_PREFIX %+ _i2d_X509_REQ\n%xdefine _i2d_X509_REQ_INFO _ %+ BORINGSSL_PREFIX %+ _i2d_X509_REQ_INFO\n%xdefine _i2d_X509_REQ_bio _ %+ BORINGSSL_PREFIX %+ _i2d_X509_REQ_bio\n%xdefine _i2d_X509_REQ_fp _ %+ BORINGSSL_PREFIX %+ _i2d_X509_REQ_fp\n%xdefine _i2d_X509_REVOKED _ %+ BORINGSSL_PREFIX %+ _i2d_X509_REVOKED\n%xdefine _i2d_X509_SIG _ %+ BORINGSSL_PREFIX %+ _i2d_X509_SIG\n%xdefine _i2d_X509_VAL _ %+ BORINGSSL_PREFIX %+ _i2d_X509_VAL\n%xdefine _i2d_X509_bio _ %+ BORINGSSL_PREFIX %+ _i2d_X509_bio\n%xdefine _i2d_X509_fp _ %+ BORINGSSL_PREFIX %+ _i2d_X509_fp\n%xdefine _i2d_X509_tbs _ %+ BORINGSSL_PREFIX %+ _i2d_X509_tbs\n%xdefine _i2d_re_X509_CRL_tbs _ %+ BORINGSSL_PREFIX %+ _i2d_re_X509_CRL_tbs\n%xdefine _i2d_re_X509_REQ_tbs _ %+ BORINGSSL_PREFIX %+ _i2d_re_X509_REQ_tbs\n%xdefine _i2d_re_X509_tbs _ %+ BORINGSSL_PREFIX %+ _i2d_re_X509_tbs\n%xdefine _i2o_ECPublicKey _ %+ BORINGSSL_PREFIX %+ _i2o_ECPublicKey\n%xdefine _i2s_ASN1_ENUMERATED _ %+ BORINGSSL_PREFIX %+ _i2s_ASN1_ENUMERATED\n%xdefine _i2s_ASN1_INTEGER _ %+ BORINGSSL_PREFIX %+ _i2s_ASN1_INTEGER\n%xdefine _i2s_ASN1_OCTET_STRING _ %+ BORINGSSL_PREFIX %+ _i2s_ASN1_OCTET_STRING\n%xdefine _i2t_ASN1_OBJECT _ %+ BORINGSSL_PREFIX %+ _i2t_ASN1_OBJECT\n%xdefine _i2v_GENERAL_NAME _ %+ BORINGSSL_PREFIX %+ _i2v_GENERAL_NAME\n%xdefine _i2v_GENERAL_NAMES _ %+ BORINGSSL_PREFIX %+ _i2v_GENERAL_NAMES\n%xdefine _k25519Precomp _ %+ BORINGSSL_PREFIX %+ _k25519Precomp\n%xdefine _kBoringSSLRSASqrtTwo _ %+ BORINGSSL_PREFIX %+ _kBoringSSLRSASqrtTwo\n%xdefine _kBoringSSLRSASqrtTwoLen _ %+ BORINGSSL_PREFIX %+ _kBoringSSLRSASqrtTwoLen\n%xdefine _kOpenSSLReasonStringData _ %+ BORINGSSL_PREFIX %+ _kOpenSSLReasonStringData\n%xdefine _kOpenSSLReasonValues _ %+ BORINGSSL_PREFIX %+ _kOpenSSLReasonValues\n%xdefine _kOpenSSLReasonValuesLen _ %+ BORINGSSL_PREFIX %+ _kOpenSSLReasonValuesLen\n%xdefine _lh_CONF_SECTION_call_cmp_func _ %+ BORINGSSL_PREFIX %+ _lh_CONF_SECTION_call_cmp_func\n%xdefine _lh_CONF_SECTION_call_doall_arg _ %+ BORINGSSL_PREFIX %+ _lh_CONF_SECTION_call_doall_arg\n%xdefine _lh_CONF_SECTION_call_hash_func _ %+ BORINGSSL_PREFIX %+ _lh_CONF_SECTION_call_hash_func\n%xdefine _lh_CONF_SECTION_doall_arg _ %+ BORINGSSL_PREFIX %+ _lh_CONF_SECTION_doall_arg\n%xdefine _lh_CONF_SECTION_free _ %+ BORINGSSL_PREFIX %+ _lh_CONF_SECTION_free\n%xdefine _lh_CONF_SECTION_insert _ %+ BORINGSSL_PREFIX %+ _lh_CONF_SECTION_insert\n%xdefine _lh_CONF_SECTION_new _ %+ BORINGSSL_PREFIX %+ _lh_CONF_SECTION_new\n%xdefine _lh_CONF_SECTION_retrieve _ %+ BORINGSSL_PREFIX %+ _lh_CONF_SECTION_retrieve\n%xdefine _lh_CONF_VALUE_call_cmp_func _ %+ BORINGSSL_PREFIX %+ _lh_CONF_VALUE_call_cmp_func\n%xdefine _lh_CONF_VALUE_call_doall_arg _ %+ BORINGSSL_PREFIX %+ _lh_CONF_VALUE_call_doall_arg\n%xdefine _lh_CONF_VALUE_call_hash_func _ %+ BORINGSSL_PREFIX %+ _lh_CONF_VALUE_call_hash_func\n%xdefine _lh_CONF_VALUE_doall_arg _ %+ BORINGSSL_PREFIX %+ _lh_CONF_VALUE_doall_arg\n%xdefine _lh_CONF_VALUE_free _ %+ BORINGSSL_PREFIX %+ _lh_CONF_VALUE_free\n%xdefine _lh_CONF_VALUE_insert _ %+ BORINGSSL_PREFIX %+ _lh_CONF_VALUE_insert\n%xdefine _lh_CONF_VALUE_new _ %+ BORINGSSL_PREFIX %+ _lh_CONF_VALUE_new\n%xdefine _lh_CONF_VALUE_retrieve _ %+ BORINGSSL_PREFIX %+ _lh_CONF_VALUE_retrieve\n%xdefine _lh_CRYPTO_BUFFER_call_cmp_func _ %+ BORINGSSL_PREFIX %+ _lh_CRYPTO_BUFFER_call_cmp_func\n%xdefine _lh_CRYPTO_BUFFER_call_hash_func _ %+ BORINGSSL_PREFIX %+ _lh_CRYPTO_BUFFER_call_hash_func\n%xdefine _lh_CRYPTO_BUFFER_delete _ %+ BORINGSSL_PREFIX %+ _lh_CRYPTO_BUFFER_delete\n%xdefine _lh_CRYPTO_BUFFER_free _ %+ BORINGSSL_PREFIX %+ _lh_CRYPTO_BUFFER_free\n%xdefine _lh_CRYPTO_BUFFER_insert _ %+ BORINGSSL_PREFIX %+ _lh_CRYPTO_BUFFER_insert\n%xdefine _lh_CRYPTO_BUFFER_new _ %+ BORINGSSL_PREFIX %+ _lh_CRYPTO_BUFFER_new\n%xdefine _lh_CRYPTO_BUFFER_num_items _ %+ BORINGSSL_PREFIX %+ _lh_CRYPTO_BUFFER_num_items\n%xdefine _lh_CRYPTO_BUFFER_retrieve _ %+ BORINGSSL_PREFIX %+ _lh_CRYPTO_BUFFER_retrieve\n%xdefine _md5_block_asm_data_order _ %+ BORINGSSL_PREFIX %+ _md5_block_asm_data_order\n%xdefine _o2i_ECPublicKey _ %+ BORINGSSL_PREFIX %+ _o2i_ECPublicKey\n%xdefine _pkcs12_iterations_acceptable _ %+ BORINGSSL_PREFIX %+ _pkcs12_iterations_acceptable\n%xdefine _pkcs12_key_gen _ %+ BORINGSSL_PREFIX %+ _pkcs12_key_gen\n%xdefine _pkcs12_pbe_encrypt_init _ %+ BORINGSSL_PREFIX %+ _pkcs12_pbe_encrypt_init\n%xdefine _pkcs7_add_signed_data _ %+ BORINGSSL_PREFIX %+ _pkcs7_add_signed_data\n%xdefine _pkcs7_parse_header _ %+ BORINGSSL_PREFIX %+ _pkcs7_parse_header\n%xdefine _pkcs8_pbe_decrypt _ %+ BORINGSSL_PREFIX %+ _pkcs8_pbe_decrypt\n%xdefine _pmbtoken_exp1_blind _ %+ BORINGSSL_PREFIX %+ _pmbtoken_exp1_blind\n%xdefine _pmbtoken_exp1_client_key_from_bytes _ %+ BORINGSSL_PREFIX %+ _pmbtoken_exp1_client_key_from_bytes\n%xdefine _pmbtoken_exp1_derive_key_from_secret _ %+ BORINGSSL_PREFIX %+ _pmbtoken_exp1_derive_key_from_secret\n%xdefine _pmbtoken_exp1_generate_key _ %+ BORINGSSL_PREFIX %+ _pmbtoken_exp1_generate_key\n%xdefine _pmbtoken_exp1_get_h_for_testing _ %+ BORINGSSL_PREFIX %+ _pmbtoken_exp1_get_h_for_testing\n%xdefine _pmbtoken_exp1_issuer_key_from_bytes _ %+ BORINGSSL_PREFIX %+ _pmbtoken_exp1_issuer_key_from_bytes\n%xdefine _pmbtoken_exp1_read _ %+ BORINGSSL_PREFIX %+ _pmbtoken_exp1_read\n%xdefine _pmbtoken_exp1_sign _ %+ BORINGSSL_PREFIX %+ _pmbtoken_exp1_sign\n%xdefine _pmbtoken_exp1_unblind _ %+ BORINGSSL_PREFIX %+ _pmbtoken_exp1_unblind\n%xdefine _pmbtoken_exp2_blind _ %+ BORINGSSL_PREFIX %+ _pmbtoken_exp2_blind\n%xdefine _pmbtoken_exp2_client_key_from_bytes _ %+ BORINGSSL_PREFIX %+ _pmbtoken_exp2_client_key_from_bytes\n%xdefine _pmbtoken_exp2_derive_key_from_secret _ %+ BORINGSSL_PREFIX %+ _pmbtoken_exp2_derive_key_from_secret\n%xdefine _pmbtoken_exp2_generate_key _ %+ BORINGSSL_PREFIX %+ _pmbtoken_exp2_generate_key\n%xdefine _pmbtoken_exp2_get_h_for_testing _ %+ BORINGSSL_PREFIX %+ _pmbtoken_exp2_get_h_for_testing\n%xdefine _pmbtoken_exp2_issuer_key_from_bytes _ %+ BORINGSSL_PREFIX %+ _pmbtoken_exp2_issuer_key_from_bytes\n%xdefine _pmbtoken_exp2_read _ %+ BORINGSSL_PREFIX %+ _pmbtoken_exp2_read\n%xdefine _pmbtoken_exp2_sign _ %+ BORINGSSL_PREFIX %+ _pmbtoken_exp2_sign\n%xdefine _pmbtoken_exp2_unblind _ %+ BORINGSSL_PREFIX %+ _pmbtoken_exp2_unblind\n%xdefine _pmbtoken_pst1_blind _ %+ BORINGSSL_PREFIX %+ _pmbtoken_pst1_blind\n%xdefine _pmbtoken_pst1_client_key_from_bytes _ %+ BORINGSSL_PREFIX %+ _pmbtoken_pst1_client_key_from_bytes\n%xdefine _pmbtoken_pst1_derive_key_from_secret _ %+ BORINGSSL_PREFIX %+ _pmbtoken_pst1_derive_key_from_secret\n%xdefine _pmbtoken_pst1_generate_key _ %+ BORINGSSL_PREFIX %+ _pmbtoken_pst1_generate_key\n%xdefine _pmbtoken_pst1_get_h_for_testing _ %+ BORINGSSL_PREFIX %+ _pmbtoken_pst1_get_h_for_testing\n%xdefine _pmbtoken_pst1_issuer_key_from_bytes _ %+ BORINGSSL_PREFIX %+ _pmbtoken_pst1_issuer_key_from_bytes\n%xdefine _pmbtoken_pst1_read _ %+ BORINGSSL_PREFIX %+ _pmbtoken_pst1_read\n%xdefine _pmbtoken_pst1_sign _ %+ BORINGSSL_PREFIX %+ _pmbtoken_pst1_sign\n%xdefine _pmbtoken_pst1_unblind _ %+ BORINGSSL_PREFIX %+ _pmbtoken_pst1_unblind\n%xdefine _poly_Rq_mul _ %+ BORINGSSL_PREFIX %+ _poly_Rq_mul\n%xdefine _rand_fork_unsafe_buffering_enabled _ %+ BORINGSSL_PREFIX %+ _rand_fork_unsafe_buffering_enabled\n%xdefine _rsa_asn1_meth _ %+ BORINGSSL_PREFIX %+ _rsa_asn1_meth\n%xdefine _rsa_check_public_key _ %+ BORINGSSL_PREFIX %+ _rsa_check_public_key\n%xdefine _rsa_default_private_transform _ %+ BORINGSSL_PREFIX %+ _rsa_default_private_transform\n%xdefine _rsa_default_sign_raw _ %+ BORINGSSL_PREFIX %+ _rsa_default_sign_raw\n%xdefine _rsa_invalidate_key _ %+ BORINGSSL_PREFIX %+ _rsa_invalidate_key\n%xdefine _rsa_pkey_meth _ %+ BORINGSSL_PREFIX %+ _rsa_pkey_meth\n%xdefine _rsa_private_transform _ %+ BORINGSSL_PREFIX %+ _rsa_private_transform\n%xdefine _rsa_private_transform_no_self_test _ %+ BORINGSSL_PREFIX %+ _rsa_private_transform_no_self_test\n%xdefine _rsa_sign_no_self_test _ %+ BORINGSSL_PREFIX %+ _rsa_sign_no_self_test\n%xdefine _rsa_verify_no_self_test _ %+ BORINGSSL_PREFIX %+ _rsa_verify_no_self_test\n%xdefine _rsa_verify_raw_no_self_test _ %+ BORINGSSL_PREFIX %+ _rsa_verify_raw_no_self_test\n%xdefine _rsaz_1024_gather5_avx2 _ %+ BORINGSSL_PREFIX %+ _rsaz_1024_gather5_avx2\n%xdefine _rsaz_1024_mul_avx2 _ %+ BORINGSSL_PREFIX %+ _rsaz_1024_mul_avx2\n%xdefine _rsaz_1024_norm2red_avx2 _ %+ BORINGSSL_PREFIX %+ _rsaz_1024_norm2red_avx2\n%xdefine _rsaz_1024_red2norm_avx2 _ %+ BORINGSSL_PREFIX %+ _rsaz_1024_red2norm_avx2\n%xdefine _rsaz_1024_scatter5_avx2 _ %+ BORINGSSL_PREFIX %+ _rsaz_1024_scatter5_avx2\n%xdefine _rsaz_1024_sqr_avx2 _ %+ BORINGSSL_PREFIX %+ _rsaz_1024_sqr_avx2\n%xdefine _rsaz_avx2_preferred _ %+ BORINGSSL_PREFIX %+ _rsaz_avx2_preferred\n%xdefine _s2i_ASN1_INTEGER _ %+ BORINGSSL_PREFIX %+ _s2i_ASN1_INTEGER\n%xdefine _s2i_ASN1_OCTET_STRING _ %+ BORINGSSL_PREFIX %+ _s2i_ASN1_OCTET_STRING\n%xdefine _sha1_avx2_capable _ %+ BORINGSSL_PREFIX %+ _sha1_avx2_capable\n%xdefine _sha1_avx_capable _ %+ BORINGSSL_PREFIX %+ _sha1_avx_capable\n%xdefine _sha1_block_data_order_avx _ %+ BORINGSSL_PREFIX %+ _sha1_block_data_order_avx\n%xdefine _sha1_block_data_order_avx2 _ %+ BORINGSSL_PREFIX %+ _sha1_block_data_order_avx2\n%xdefine _sha1_block_data_order_hw _ %+ BORINGSSL_PREFIX %+ _sha1_block_data_order_hw\n%xdefine _sha1_block_data_order_nohw _ %+ BORINGSSL_PREFIX %+ _sha1_block_data_order_nohw\n%xdefine _sha1_block_data_order_ssse3 _ %+ BORINGSSL_PREFIX %+ _sha1_block_data_order_ssse3\n%xdefine _sha1_hw_capable _ %+ BORINGSSL_PREFIX %+ _sha1_hw_capable\n%xdefine _sha1_ssse3_capable _ %+ BORINGSSL_PREFIX %+ _sha1_ssse3_capable\n%xdefine _sha256_avx_capable _ %+ BORINGSSL_PREFIX %+ _sha256_avx_capable\n%xdefine _sha256_block_data_order_avx _ %+ BORINGSSL_PREFIX %+ _sha256_block_data_order_avx\n%xdefine _sha256_block_data_order_hw _ %+ BORINGSSL_PREFIX %+ _sha256_block_data_order_hw\n%xdefine _sha256_block_data_order_nohw _ %+ BORINGSSL_PREFIX %+ _sha256_block_data_order_nohw\n%xdefine _sha256_block_data_order_ssse3 _ %+ BORINGSSL_PREFIX %+ _sha256_block_data_order_ssse3\n%xdefine _sha256_hw_capable _ %+ BORINGSSL_PREFIX %+ _sha256_hw_capable\n%xdefine _sha256_ssse3_capable _ %+ BORINGSSL_PREFIX %+ _sha256_ssse3_capable\n%xdefine _sha512_avx_capable _ %+ BORINGSSL_PREFIX %+ _sha512_avx_capable\n%xdefine _sha512_block_data_order_avx _ %+ BORINGSSL_PREFIX %+ _sha512_block_data_order_avx\n%xdefine _sha512_block_data_order_hw _ %+ BORINGSSL_PREFIX %+ _sha512_block_data_order_hw\n%xdefine _sha512_block_data_order_nohw _ %+ BORINGSSL_PREFIX %+ _sha512_block_data_order_nohw\n%xdefine _sha512_hw_capable _ %+ BORINGSSL_PREFIX %+ _sha512_hw_capable\n%xdefine _sk_ACCESS_DESCRIPTION_call_free_func _ %+ BORINGSSL_PREFIX %+ _sk_ACCESS_DESCRIPTION_call_free_func\n%xdefine _sk_ACCESS_DESCRIPTION_new_null _ %+ BORINGSSL_PREFIX %+ _sk_ACCESS_DESCRIPTION_new_null\n%xdefine _sk_ACCESS_DESCRIPTION_num _ %+ BORINGSSL_PREFIX %+ _sk_ACCESS_DESCRIPTION_num\n%xdefine _sk_ACCESS_DESCRIPTION_pop_free _ %+ BORINGSSL_PREFIX %+ _sk_ACCESS_DESCRIPTION_pop_free\n%xdefine _sk_ACCESS_DESCRIPTION_push _ %+ BORINGSSL_PREFIX %+ _sk_ACCESS_DESCRIPTION_push\n%xdefine _sk_ACCESS_DESCRIPTION_value _ %+ BORINGSSL_PREFIX %+ _sk_ACCESS_DESCRIPTION_value\n%xdefine _sk_ASN1_INTEGER_num _ %+ BORINGSSL_PREFIX %+ _sk_ASN1_INTEGER_num\n%xdefine _sk_ASN1_INTEGER_push _ %+ BORINGSSL_PREFIX %+ _sk_ASN1_INTEGER_push\n%xdefine _sk_ASN1_INTEGER_value _ %+ BORINGSSL_PREFIX %+ _sk_ASN1_INTEGER_value\n%xdefine _sk_ASN1_OBJECT_call_cmp_func _ %+ BORINGSSL_PREFIX %+ _sk_ASN1_OBJECT_call_cmp_func\n%xdefine _sk_ASN1_OBJECT_call_copy_func _ %+ BORINGSSL_PREFIX %+ _sk_ASN1_OBJECT_call_copy_func\n%xdefine _sk_ASN1_OBJECT_call_free_func _ %+ BORINGSSL_PREFIX %+ _sk_ASN1_OBJECT_call_free_func\n%xdefine _sk_ASN1_OBJECT_deep_copy _ %+ BORINGSSL_PREFIX %+ _sk_ASN1_OBJECT_deep_copy\n%xdefine _sk_ASN1_OBJECT_dup _ %+ BORINGSSL_PREFIX %+ _sk_ASN1_OBJECT_dup\n%xdefine _sk_ASN1_OBJECT_find _ %+ BORINGSSL_PREFIX %+ _sk_ASN1_OBJECT_find\n%xdefine _sk_ASN1_OBJECT_free _ %+ BORINGSSL_PREFIX %+ _sk_ASN1_OBJECT_free\n%xdefine _sk_ASN1_OBJECT_is_sorted _ %+ BORINGSSL_PREFIX %+ _sk_ASN1_OBJECT_is_sorted\n%xdefine _sk_ASN1_OBJECT_new_null _ %+ BORINGSSL_PREFIX %+ _sk_ASN1_OBJECT_new_null\n%xdefine _sk_ASN1_OBJECT_num _ %+ BORINGSSL_PREFIX %+ _sk_ASN1_OBJECT_num\n%xdefine _sk_ASN1_OBJECT_pop_free _ %+ BORINGSSL_PREFIX %+ _sk_ASN1_OBJECT_pop_free\n%xdefine _sk_ASN1_OBJECT_push _ %+ BORINGSSL_PREFIX %+ _sk_ASN1_OBJECT_push\n%xdefine _sk_ASN1_OBJECT_set_cmp_func _ %+ BORINGSSL_PREFIX %+ _sk_ASN1_OBJECT_set_cmp_func\n%xdefine _sk_ASN1_OBJECT_sort _ %+ BORINGSSL_PREFIX %+ _sk_ASN1_OBJECT_sort\n%xdefine _sk_ASN1_OBJECT_value _ %+ BORINGSSL_PREFIX %+ _sk_ASN1_OBJECT_value\n%xdefine _sk_ASN1_TYPE_num _ %+ BORINGSSL_PREFIX %+ _sk_ASN1_TYPE_num\n%xdefine _sk_ASN1_TYPE_push _ %+ BORINGSSL_PREFIX %+ _sk_ASN1_TYPE_push\n%xdefine _sk_ASN1_TYPE_value _ %+ BORINGSSL_PREFIX %+ _sk_ASN1_TYPE_value\n%xdefine _sk_ASN1_VALUE_free _ %+ BORINGSSL_PREFIX %+ _sk_ASN1_VALUE_free\n%xdefine _sk_ASN1_VALUE_new_null _ %+ BORINGSSL_PREFIX %+ _sk_ASN1_VALUE_new_null\n%xdefine _sk_ASN1_VALUE_num _ %+ BORINGSSL_PREFIX %+ _sk_ASN1_VALUE_num\n%xdefine _sk_ASN1_VALUE_pop _ %+ BORINGSSL_PREFIX %+ _sk_ASN1_VALUE_pop\n%xdefine _sk_ASN1_VALUE_push _ %+ BORINGSSL_PREFIX %+ _sk_ASN1_VALUE_push\n%xdefine _sk_ASN1_VALUE_value _ %+ BORINGSSL_PREFIX %+ _sk_ASN1_VALUE_value\n%xdefine _sk_CONF_VALUE_call_free_func _ %+ BORINGSSL_PREFIX %+ _sk_CONF_VALUE_call_free_func\n%xdefine _sk_CONF_VALUE_delete_ptr _ %+ BORINGSSL_PREFIX %+ _sk_CONF_VALUE_delete_ptr\n%xdefine _sk_CONF_VALUE_free _ %+ BORINGSSL_PREFIX %+ _sk_CONF_VALUE_free\n%xdefine _sk_CONF_VALUE_new_null _ %+ BORINGSSL_PREFIX %+ _sk_CONF_VALUE_new_null\n%xdefine _sk_CONF_VALUE_num _ %+ BORINGSSL_PREFIX %+ _sk_CONF_VALUE_num\n%xdefine _sk_CONF_VALUE_pop _ %+ BORINGSSL_PREFIX %+ _sk_CONF_VALUE_pop\n%xdefine _sk_CONF_VALUE_pop_free _ %+ BORINGSSL_PREFIX %+ _sk_CONF_VALUE_pop_free\n%xdefine _sk_CONF_VALUE_push _ %+ BORINGSSL_PREFIX %+ _sk_CONF_VALUE_push\n%xdefine _sk_CONF_VALUE_value _ %+ BORINGSSL_PREFIX %+ _sk_CONF_VALUE_value\n%xdefine _sk_CRYPTO_BUFFER_call_copy_func _ %+ BORINGSSL_PREFIX %+ _sk_CRYPTO_BUFFER_call_copy_func\n%xdefine _sk_CRYPTO_BUFFER_call_free_func _ %+ BORINGSSL_PREFIX %+ _sk_CRYPTO_BUFFER_call_free_func\n%xdefine _sk_CRYPTO_BUFFER_deep_copy _ %+ BORINGSSL_PREFIX %+ _sk_CRYPTO_BUFFER_deep_copy\n%xdefine _sk_CRYPTO_BUFFER_new_null _ %+ BORINGSSL_PREFIX %+ _sk_CRYPTO_BUFFER_new_null\n%xdefine _sk_CRYPTO_BUFFER_num _ %+ BORINGSSL_PREFIX %+ _sk_CRYPTO_BUFFER_num\n%xdefine _sk_CRYPTO_BUFFER_pop _ %+ BORINGSSL_PREFIX %+ _sk_CRYPTO_BUFFER_pop\n%xdefine _sk_CRYPTO_BUFFER_pop_free _ %+ BORINGSSL_PREFIX %+ _sk_CRYPTO_BUFFER_pop_free\n%xdefine _sk_CRYPTO_BUFFER_push _ %+ BORINGSSL_PREFIX %+ _sk_CRYPTO_BUFFER_push\n%xdefine _sk_CRYPTO_BUFFER_set _ %+ BORINGSSL_PREFIX %+ _sk_CRYPTO_BUFFER_set\n%xdefine _sk_CRYPTO_BUFFER_value _ %+ BORINGSSL_PREFIX %+ _sk_CRYPTO_BUFFER_value\n%xdefine _sk_DIST_POINT_call_free_func _ %+ BORINGSSL_PREFIX %+ _sk_DIST_POINT_call_free_func\n%xdefine _sk_DIST_POINT_new_null _ %+ BORINGSSL_PREFIX %+ _sk_DIST_POINT_new_null\n%xdefine _sk_DIST_POINT_num _ %+ BORINGSSL_PREFIX %+ _sk_DIST_POINT_num\n%xdefine _sk_DIST_POINT_pop_free _ %+ BORINGSSL_PREFIX %+ _sk_DIST_POINT_pop_free\n%xdefine _sk_DIST_POINT_push _ %+ BORINGSSL_PREFIX %+ _sk_DIST_POINT_push\n%xdefine _sk_DIST_POINT_value _ %+ BORINGSSL_PREFIX %+ _sk_DIST_POINT_value\n%xdefine _sk_GENERAL_NAME_call_free_func _ %+ BORINGSSL_PREFIX %+ _sk_GENERAL_NAME_call_free_func\n%xdefine _sk_GENERAL_NAME_new_null _ %+ BORINGSSL_PREFIX %+ _sk_GENERAL_NAME_new_null\n%xdefine _sk_GENERAL_NAME_num _ %+ BORINGSSL_PREFIX %+ _sk_GENERAL_NAME_num\n%xdefine _sk_GENERAL_NAME_pop_free _ %+ BORINGSSL_PREFIX %+ _sk_GENERAL_NAME_pop_free\n%xdefine _sk_GENERAL_NAME_push _ %+ BORINGSSL_PREFIX %+ _sk_GENERAL_NAME_push\n%xdefine _sk_GENERAL_NAME_set _ %+ BORINGSSL_PREFIX %+ _sk_GENERAL_NAME_set\n%xdefine _sk_GENERAL_NAME_value _ %+ BORINGSSL_PREFIX %+ _sk_GENERAL_NAME_value\n%xdefine _sk_GENERAL_SUBTREE_new_null _ %+ BORINGSSL_PREFIX %+ _sk_GENERAL_SUBTREE_new_null\n%xdefine _sk_GENERAL_SUBTREE_num _ %+ BORINGSSL_PREFIX %+ _sk_GENERAL_SUBTREE_num\n%xdefine _sk_GENERAL_SUBTREE_push _ %+ BORINGSSL_PREFIX %+ _sk_GENERAL_SUBTREE_push\n%xdefine _sk_GENERAL_SUBTREE_value _ %+ BORINGSSL_PREFIX %+ _sk_GENERAL_SUBTREE_value\n%xdefine _sk_OPENSSL_STRING_call_cmp_func _ %+ BORINGSSL_PREFIX %+ _sk_OPENSSL_STRING_call_cmp_func\n%xdefine _sk_OPENSSL_STRING_call_copy_func _ %+ BORINGSSL_PREFIX %+ _sk_OPENSSL_STRING_call_copy_func\n%xdefine _sk_OPENSSL_STRING_call_free_func _ %+ BORINGSSL_PREFIX %+ _sk_OPENSSL_STRING_call_free_func\n%xdefine _sk_OPENSSL_STRING_deep_copy _ %+ BORINGSSL_PREFIX %+ _sk_OPENSSL_STRING_deep_copy\n%xdefine _sk_OPENSSL_STRING_find _ %+ BORINGSSL_PREFIX %+ _sk_OPENSSL_STRING_find\n%xdefine _sk_OPENSSL_STRING_free _ %+ BORINGSSL_PREFIX %+ _sk_OPENSSL_STRING_free\n%xdefine _sk_OPENSSL_STRING_new _ %+ BORINGSSL_PREFIX %+ _sk_OPENSSL_STRING_new\n%xdefine _sk_OPENSSL_STRING_new_null _ %+ BORINGSSL_PREFIX %+ _sk_OPENSSL_STRING_new_null\n%xdefine _sk_OPENSSL_STRING_num _ %+ BORINGSSL_PREFIX %+ _sk_OPENSSL_STRING_num\n%xdefine _sk_OPENSSL_STRING_pop_free _ %+ BORINGSSL_PREFIX %+ _sk_OPENSSL_STRING_pop_free\n%xdefine _sk_OPENSSL_STRING_push _ %+ BORINGSSL_PREFIX %+ _sk_OPENSSL_STRING_push\n%xdefine _sk_OPENSSL_STRING_sort _ %+ BORINGSSL_PREFIX %+ _sk_OPENSSL_STRING_sort\n%xdefine _sk_OPENSSL_STRING_value _ %+ BORINGSSL_PREFIX %+ _sk_OPENSSL_STRING_value\n%xdefine _sk_POLICYINFO_call_cmp_func _ %+ BORINGSSL_PREFIX %+ _sk_POLICYINFO_call_cmp_func\n%xdefine _sk_POLICYINFO_call_free_func _ %+ BORINGSSL_PREFIX %+ _sk_POLICYINFO_call_free_func\n%xdefine _sk_POLICYINFO_find _ %+ BORINGSSL_PREFIX %+ _sk_POLICYINFO_find\n%xdefine _sk_POLICYINFO_is_sorted _ %+ BORINGSSL_PREFIX %+ _sk_POLICYINFO_is_sorted\n%xdefine _sk_POLICYINFO_new_null _ %+ BORINGSSL_PREFIX %+ _sk_POLICYINFO_new_null\n%xdefine _sk_POLICYINFO_num _ %+ BORINGSSL_PREFIX %+ _sk_POLICYINFO_num\n%xdefine _sk_POLICYINFO_pop_free _ %+ BORINGSSL_PREFIX %+ _sk_POLICYINFO_pop_free\n%xdefine _sk_POLICYINFO_push _ %+ BORINGSSL_PREFIX %+ _sk_POLICYINFO_push\n%xdefine _sk_POLICYINFO_set_cmp_func _ %+ BORINGSSL_PREFIX %+ _sk_POLICYINFO_set_cmp_func\n%xdefine _sk_POLICYINFO_sort _ %+ BORINGSSL_PREFIX %+ _sk_POLICYINFO_sort\n%xdefine _sk_POLICYINFO_value _ %+ BORINGSSL_PREFIX %+ _sk_POLICYINFO_value\n%xdefine _sk_POLICYQUALINFO_new_null _ %+ BORINGSSL_PREFIX %+ _sk_POLICYQUALINFO_new_null\n%xdefine _sk_POLICYQUALINFO_num _ %+ BORINGSSL_PREFIX %+ _sk_POLICYQUALINFO_num\n%xdefine _sk_POLICYQUALINFO_push _ %+ BORINGSSL_PREFIX %+ _sk_POLICYQUALINFO_push\n%xdefine _sk_POLICYQUALINFO_value _ %+ BORINGSSL_PREFIX %+ _sk_POLICYQUALINFO_value\n%xdefine _sk_POLICY_MAPPING_call_cmp_func _ %+ BORINGSSL_PREFIX %+ _sk_POLICY_MAPPING_call_cmp_func\n%xdefine _sk_POLICY_MAPPING_call_free_func _ %+ BORINGSSL_PREFIX %+ _sk_POLICY_MAPPING_call_free_func\n%xdefine _sk_POLICY_MAPPING_find _ %+ BORINGSSL_PREFIX %+ _sk_POLICY_MAPPING_find\n%xdefine _sk_POLICY_MAPPING_is_sorted _ %+ BORINGSSL_PREFIX %+ _sk_POLICY_MAPPING_is_sorted\n%xdefine _sk_POLICY_MAPPING_new_null _ %+ BORINGSSL_PREFIX %+ _sk_POLICY_MAPPING_new_null\n%xdefine _sk_POLICY_MAPPING_num _ %+ BORINGSSL_PREFIX %+ _sk_POLICY_MAPPING_num\n%xdefine _sk_POLICY_MAPPING_pop_free _ %+ BORINGSSL_PREFIX %+ _sk_POLICY_MAPPING_pop_free\n%xdefine _sk_POLICY_MAPPING_push _ %+ BORINGSSL_PREFIX %+ _sk_POLICY_MAPPING_push\n%xdefine _sk_POLICY_MAPPING_set_cmp_func _ %+ BORINGSSL_PREFIX %+ _sk_POLICY_MAPPING_set_cmp_func\n%xdefine _sk_POLICY_MAPPING_sort _ %+ BORINGSSL_PREFIX %+ _sk_POLICY_MAPPING_sort\n%xdefine _sk_POLICY_MAPPING_value _ %+ BORINGSSL_PREFIX %+ _sk_POLICY_MAPPING_value\n%xdefine _sk_SRTP_PROTECTION_PROFILE_new_null _ %+ BORINGSSL_PREFIX %+ _sk_SRTP_PROTECTION_PROFILE_new_null\n%xdefine _sk_SRTP_PROTECTION_PROFILE_num _ %+ BORINGSSL_PREFIX %+ _sk_SRTP_PROTECTION_PROFILE_num\n%xdefine _sk_SRTP_PROTECTION_PROFILE_push _ %+ BORINGSSL_PREFIX %+ _sk_SRTP_PROTECTION_PROFILE_push\n%xdefine _sk_SSL_CIPHER_call_cmp_func _ %+ BORINGSSL_PREFIX %+ _sk_SSL_CIPHER_call_cmp_func\n%xdefine _sk_SSL_CIPHER_delete _ %+ BORINGSSL_PREFIX %+ _sk_SSL_CIPHER_delete\n%xdefine _sk_SSL_CIPHER_dup _ %+ BORINGSSL_PREFIX %+ _sk_SSL_CIPHER_dup\n%xdefine _sk_SSL_CIPHER_find _ %+ BORINGSSL_PREFIX %+ _sk_SSL_CIPHER_find\n%xdefine _sk_SSL_CIPHER_new_null _ %+ BORINGSSL_PREFIX %+ _sk_SSL_CIPHER_new_null\n%xdefine _sk_SSL_CIPHER_num _ %+ BORINGSSL_PREFIX %+ _sk_SSL_CIPHER_num\n%xdefine _sk_SSL_CIPHER_push _ %+ BORINGSSL_PREFIX %+ _sk_SSL_CIPHER_push\n%xdefine _sk_SSL_CIPHER_value _ %+ BORINGSSL_PREFIX %+ _sk_SSL_CIPHER_value\n%xdefine _sk_TRUST_TOKEN_PRETOKEN_call_free_func _ %+ BORINGSSL_PREFIX %+ _sk_TRUST_TOKEN_PRETOKEN_call_free_func\n%xdefine _sk_TRUST_TOKEN_PRETOKEN_new_null _ %+ BORINGSSL_PREFIX %+ _sk_TRUST_TOKEN_PRETOKEN_new_null\n%xdefine _sk_TRUST_TOKEN_PRETOKEN_num _ %+ BORINGSSL_PREFIX %+ _sk_TRUST_TOKEN_PRETOKEN_num\n%xdefine _sk_TRUST_TOKEN_PRETOKEN_pop_free _ %+ BORINGSSL_PREFIX %+ _sk_TRUST_TOKEN_PRETOKEN_pop_free\n%xdefine _sk_TRUST_TOKEN_PRETOKEN_push _ %+ BORINGSSL_PREFIX %+ _sk_TRUST_TOKEN_PRETOKEN_push\n%xdefine _sk_TRUST_TOKEN_PRETOKEN_value _ %+ BORINGSSL_PREFIX %+ _sk_TRUST_TOKEN_PRETOKEN_value\n%xdefine _sk_TRUST_TOKEN_call_free_func _ %+ BORINGSSL_PREFIX %+ _sk_TRUST_TOKEN_call_free_func\n%xdefine _sk_TRUST_TOKEN_new_null _ %+ BORINGSSL_PREFIX %+ _sk_TRUST_TOKEN_new_null\n%xdefine _sk_TRUST_TOKEN_pop_free _ %+ BORINGSSL_PREFIX %+ _sk_TRUST_TOKEN_pop_free\n%xdefine _sk_TRUST_TOKEN_push _ %+ BORINGSSL_PREFIX %+ _sk_TRUST_TOKEN_push\n%xdefine _sk_X509_ATTRIBUTE_delete _ %+ BORINGSSL_PREFIX %+ _sk_X509_ATTRIBUTE_delete\n%xdefine _sk_X509_ATTRIBUTE_new_null _ %+ BORINGSSL_PREFIX %+ _sk_X509_ATTRIBUTE_new_null\n%xdefine _sk_X509_ATTRIBUTE_num _ %+ BORINGSSL_PREFIX %+ _sk_X509_ATTRIBUTE_num\n%xdefine _sk_X509_ATTRIBUTE_push _ %+ BORINGSSL_PREFIX %+ _sk_X509_ATTRIBUTE_push\n%xdefine _sk_X509_ATTRIBUTE_value _ %+ BORINGSSL_PREFIX %+ _sk_X509_ATTRIBUTE_value\n%xdefine _sk_X509_CRL_call_free_func _ %+ BORINGSSL_PREFIX %+ _sk_X509_CRL_call_free_func\n%xdefine _sk_X509_CRL_free _ %+ BORINGSSL_PREFIX %+ _sk_X509_CRL_free\n%xdefine _sk_X509_CRL_new_null _ %+ BORINGSSL_PREFIX %+ _sk_X509_CRL_new_null\n%xdefine _sk_X509_CRL_num _ %+ BORINGSSL_PREFIX %+ _sk_X509_CRL_num\n%xdefine _sk_X509_CRL_pop _ %+ BORINGSSL_PREFIX %+ _sk_X509_CRL_pop\n%xdefine _sk_X509_CRL_pop_free _ %+ BORINGSSL_PREFIX %+ _sk_X509_CRL_pop_free\n%xdefine _sk_X509_CRL_push _ %+ BORINGSSL_PREFIX %+ _sk_X509_CRL_push\n%xdefine _sk_X509_CRL_value _ %+ BORINGSSL_PREFIX %+ _sk_X509_CRL_value\n%xdefine _sk_X509_EXTENSION_call_free_func _ %+ BORINGSSL_PREFIX %+ _sk_X509_EXTENSION_call_free_func\n%xdefine _sk_X509_EXTENSION_delete _ %+ BORINGSSL_PREFIX %+ _sk_X509_EXTENSION_delete\n%xdefine _sk_X509_EXTENSION_free _ %+ BORINGSSL_PREFIX %+ _sk_X509_EXTENSION_free\n%xdefine _sk_X509_EXTENSION_insert _ %+ BORINGSSL_PREFIX %+ _sk_X509_EXTENSION_insert\n%xdefine _sk_X509_EXTENSION_new_null _ %+ BORINGSSL_PREFIX %+ _sk_X509_EXTENSION_new_null\n%xdefine _sk_X509_EXTENSION_num _ %+ BORINGSSL_PREFIX %+ _sk_X509_EXTENSION_num\n%xdefine _sk_X509_EXTENSION_pop_free _ %+ BORINGSSL_PREFIX %+ _sk_X509_EXTENSION_pop_free\n%xdefine _sk_X509_EXTENSION_push _ %+ BORINGSSL_PREFIX %+ _sk_X509_EXTENSION_push\n%xdefine _sk_X509_EXTENSION_set _ %+ BORINGSSL_PREFIX %+ _sk_X509_EXTENSION_set\n%xdefine _sk_X509_EXTENSION_value _ %+ BORINGSSL_PREFIX %+ _sk_X509_EXTENSION_value\n%xdefine _sk_X509_INFO_call_free_func _ %+ BORINGSSL_PREFIX %+ _sk_X509_INFO_call_free_func\n%xdefine _sk_X509_INFO_free _ %+ BORINGSSL_PREFIX %+ _sk_X509_INFO_free\n%xdefine _sk_X509_INFO_new_null _ %+ BORINGSSL_PREFIX %+ _sk_X509_INFO_new_null\n%xdefine _sk_X509_INFO_num _ %+ BORINGSSL_PREFIX %+ _sk_X509_INFO_num\n%xdefine _sk_X509_INFO_pop _ %+ BORINGSSL_PREFIX %+ _sk_X509_INFO_pop\n%xdefine _sk_X509_INFO_pop_free _ %+ BORINGSSL_PREFIX %+ _sk_X509_INFO_pop_free\n%xdefine _sk_X509_INFO_push _ %+ BORINGSSL_PREFIX %+ _sk_X509_INFO_push\n%xdefine _sk_X509_INFO_value _ %+ BORINGSSL_PREFIX %+ _sk_X509_INFO_value\n%xdefine _sk_X509_LOOKUP_call_free_func _ %+ BORINGSSL_PREFIX %+ _sk_X509_LOOKUP_call_free_func\n%xdefine _sk_X509_LOOKUP_new_null _ %+ BORINGSSL_PREFIX %+ _sk_X509_LOOKUP_new_null\n%xdefine _sk_X509_LOOKUP_num _ %+ BORINGSSL_PREFIX %+ _sk_X509_LOOKUP_num\n%xdefine _sk_X509_LOOKUP_pop_free _ %+ BORINGSSL_PREFIX %+ _sk_X509_LOOKUP_pop_free\n%xdefine _sk_X509_LOOKUP_push _ %+ BORINGSSL_PREFIX %+ _sk_X509_LOOKUP_push\n%xdefine _sk_X509_LOOKUP_value _ %+ BORINGSSL_PREFIX %+ _sk_X509_LOOKUP_value\n%xdefine _sk_X509_NAME_ENTRY_call_free_func _ %+ BORINGSSL_PREFIX %+ _sk_X509_NAME_ENTRY_call_free_func\n%xdefine _sk_X509_NAME_ENTRY_delete _ %+ BORINGSSL_PREFIX %+ _sk_X509_NAME_ENTRY_delete\n%xdefine _sk_X509_NAME_ENTRY_free _ %+ BORINGSSL_PREFIX %+ _sk_X509_NAME_ENTRY_free\n%xdefine _sk_X509_NAME_ENTRY_insert _ %+ BORINGSSL_PREFIX %+ _sk_X509_NAME_ENTRY_insert\n%xdefine _sk_X509_NAME_ENTRY_new_null _ %+ BORINGSSL_PREFIX %+ _sk_X509_NAME_ENTRY_new_null\n%xdefine _sk_X509_NAME_ENTRY_num _ %+ BORINGSSL_PREFIX %+ _sk_X509_NAME_ENTRY_num\n%xdefine _sk_X509_NAME_ENTRY_pop_free _ %+ BORINGSSL_PREFIX %+ _sk_X509_NAME_ENTRY_pop_free\n%xdefine _sk_X509_NAME_ENTRY_push _ %+ BORINGSSL_PREFIX %+ _sk_X509_NAME_ENTRY_push\n%xdefine _sk_X509_NAME_ENTRY_set _ %+ BORINGSSL_PREFIX %+ _sk_X509_NAME_ENTRY_set\n%xdefine _sk_X509_NAME_ENTRY_value _ %+ BORINGSSL_PREFIX %+ _sk_X509_NAME_ENTRY_value\n%xdefine _sk_X509_NAME_call_cmp_func _ %+ BORINGSSL_PREFIX %+ _sk_X509_NAME_call_cmp_func\n%xdefine _sk_X509_NAME_call_copy_func _ %+ BORINGSSL_PREFIX %+ _sk_X509_NAME_call_copy_func\n%xdefine _sk_X509_NAME_call_free_func _ %+ BORINGSSL_PREFIX %+ _sk_X509_NAME_call_free_func\n%xdefine _sk_X509_NAME_deep_copy _ %+ BORINGSSL_PREFIX %+ _sk_X509_NAME_deep_copy\n%xdefine _sk_X509_NAME_find _ %+ BORINGSSL_PREFIX %+ _sk_X509_NAME_find\n%xdefine _sk_X509_NAME_new _ %+ BORINGSSL_PREFIX %+ _sk_X509_NAME_new\n%xdefine _sk_X509_NAME_new_null _ %+ BORINGSSL_PREFIX %+ _sk_X509_NAME_new_null\n%xdefine _sk_X509_NAME_num _ %+ BORINGSSL_PREFIX %+ _sk_X509_NAME_num\n%xdefine _sk_X509_NAME_pop_free _ %+ BORINGSSL_PREFIX %+ _sk_X509_NAME_pop_free\n%xdefine _sk_X509_NAME_set _ %+ BORINGSSL_PREFIX %+ _sk_X509_NAME_set\n%xdefine _sk_X509_NAME_set_cmp_func _ %+ BORINGSSL_PREFIX %+ _sk_X509_NAME_set_cmp_func\n%xdefine _sk_X509_NAME_sort _ %+ BORINGSSL_PREFIX %+ _sk_X509_NAME_sort\n%xdefine _sk_X509_NAME_value _ %+ BORINGSSL_PREFIX %+ _sk_X509_NAME_value\n%xdefine _sk_X509_OBJECT_call_cmp_func _ %+ BORINGSSL_PREFIX %+ _sk_X509_OBJECT_call_cmp_func\n%xdefine _sk_X509_OBJECT_call_copy_func _ %+ BORINGSSL_PREFIX %+ _sk_X509_OBJECT_call_copy_func\n%xdefine _sk_X509_OBJECT_call_free_func _ %+ BORINGSSL_PREFIX %+ _sk_X509_OBJECT_call_free_func\n%xdefine _sk_X509_OBJECT_deep_copy _ %+ BORINGSSL_PREFIX %+ _sk_X509_OBJECT_deep_copy\n%xdefine _sk_X509_OBJECT_find _ %+ BORINGSSL_PREFIX %+ _sk_X509_OBJECT_find\n%xdefine _sk_X509_OBJECT_new _ %+ BORINGSSL_PREFIX %+ _sk_X509_OBJECT_new\n%xdefine _sk_X509_OBJECT_num _ %+ BORINGSSL_PREFIX %+ _sk_X509_OBJECT_num\n%xdefine _sk_X509_OBJECT_pop_free _ %+ BORINGSSL_PREFIX %+ _sk_X509_OBJECT_pop_free\n%xdefine _sk_X509_OBJECT_push _ %+ BORINGSSL_PREFIX %+ _sk_X509_OBJECT_push\n%xdefine _sk_X509_OBJECT_sort _ %+ BORINGSSL_PREFIX %+ _sk_X509_OBJECT_sort\n%xdefine _sk_X509_OBJECT_value _ %+ BORINGSSL_PREFIX %+ _sk_X509_OBJECT_value\n%xdefine _sk_X509_REVOKED_call_cmp_func _ %+ BORINGSSL_PREFIX %+ _sk_X509_REVOKED_call_cmp_func\n%xdefine _sk_X509_REVOKED_find _ %+ BORINGSSL_PREFIX %+ _sk_X509_REVOKED_find\n%xdefine _sk_X509_REVOKED_is_sorted _ %+ BORINGSSL_PREFIX %+ _sk_X509_REVOKED_is_sorted\n%xdefine _sk_X509_REVOKED_new _ %+ BORINGSSL_PREFIX %+ _sk_X509_REVOKED_new\n%xdefine _sk_X509_REVOKED_num _ %+ BORINGSSL_PREFIX %+ _sk_X509_REVOKED_num\n%xdefine _sk_X509_REVOKED_push _ %+ BORINGSSL_PREFIX %+ _sk_X509_REVOKED_push\n%xdefine _sk_X509_REVOKED_set_cmp_func _ %+ BORINGSSL_PREFIX %+ _sk_X509_REVOKED_set_cmp_func\n%xdefine _sk_X509_REVOKED_sort _ %+ BORINGSSL_PREFIX %+ _sk_X509_REVOKED_sort\n%xdefine _sk_X509_REVOKED_value _ %+ BORINGSSL_PREFIX %+ _sk_X509_REVOKED_value\n%xdefine _sk_X509_call_free_func _ %+ BORINGSSL_PREFIX %+ _sk_X509_call_free_func\n%xdefine _sk_X509_delete _ %+ BORINGSSL_PREFIX %+ _sk_X509_delete\n%xdefine _sk_X509_delete_ptr _ %+ BORINGSSL_PREFIX %+ _sk_X509_delete_ptr\n%xdefine _sk_X509_dup _ %+ BORINGSSL_PREFIX %+ _sk_X509_dup\n%xdefine _sk_X509_free _ %+ BORINGSSL_PREFIX %+ _sk_X509_free\n%xdefine _sk_X509_new_null _ %+ BORINGSSL_PREFIX %+ _sk_X509_new_null\n%xdefine _sk_X509_num _ %+ BORINGSSL_PREFIX %+ _sk_X509_num\n%xdefine _sk_X509_pop _ %+ BORINGSSL_PREFIX %+ _sk_X509_pop\n%xdefine _sk_X509_pop_free _ %+ BORINGSSL_PREFIX %+ _sk_X509_pop_free\n%xdefine _sk_X509_push _ %+ BORINGSSL_PREFIX %+ _sk_X509_push\n%xdefine _sk_X509_set _ %+ BORINGSSL_PREFIX %+ _sk_X509_set\n%xdefine _sk_X509_shift _ %+ BORINGSSL_PREFIX %+ _sk_X509_shift\n%xdefine _sk_X509_value _ %+ BORINGSSL_PREFIX %+ _sk_X509_value\n%xdefine _sk_free _ %+ BORINGSSL_PREFIX %+ _sk_free\n%xdefine _sk_new_null _ %+ BORINGSSL_PREFIX %+ _sk_new_null\n%xdefine _sk_num _ %+ BORINGSSL_PREFIX %+ _sk_num\n%xdefine _sk_pop _ %+ BORINGSSL_PREFIX %+ _sk_pop\n%xdefine _sk_pop_free _ %+ BORINGSSL_PREFIX %+ _sk_pop_free\n%xdefine _sk_pop_free_ex _ %+ BORINGSSL_PREFIX %+ _sk_pop_free_ex\n%xdefine _sk_push _ %+ BORINGSSL_PREFIX %+ _sk_push\n%xdefine _sk_value _ %+ BORINGSSL_PREFIX %+ _sk_value\n%xdefine _sk_void_free _ %+ BORINGSSL_PREFIX %+ _sk_void_free\n%xdefine _sk_void_new_null _ %+ BORINGSSL_PREFIX %+ _sk_void_new_null\n%xdefine _sk_void_num _ %+ BORINGSSL_PREFIX %+ _sk_void_num\n%xdefine _sk_void_push _ %+ BORINGSSL_PREFIX %+ _sk_void_push\n%xdefine _sk_void_set _ %+ BORINGSSL_PREFIX %+ _sk_void_set\n%xdefine _sk_void_value _ %+ BORINGSSL_PREFIX %+ _sk_void_value\n%xdefine _slhdsa_copy_keypair_addr _ %+ BORINGSSL_PREFIX %+ _slhdsa_copy_keypair_addr\n%xdefine _slhdsa_fors_pk_from_sig _ %+ BORINGSSL_PREFIX %+ _slhdsa_fors_pk_from_sig\n%xdefine _slhdsa_fors_sign _ %+ BORINGSSL_PREFIX %+ _slhdsa_fors_sign\n%xdefine _slhdsa_fors_sk_gen _ %+ BORINGSSL_PREFIX %+ _slhdsa_fors_sk_gen\n%xdefine _slhdsa_fors_treehash _ %+ BORINGSSL_PREFIX %+ _slhdsa_fors_treehash\n%xdefine _slhdsa_get_tree_index _ %+ BORINGSSL_PREFIX %+ _slhdsa_get_tree_index\n%xdefine _slhdsa_ht_sign _ %+ BORINGSSL_PREFIX %+ _slhdsa_ht_sign\n%xdefine _slhdsa_ht_verify _ %+ BORINGSSL_PREFIX %+ _slhdsa_ht_verify\n%xdefine _slhdsa_set_chain_addr _ %+ BORINGSSL_PREFIX %+ _slhdsa_set_chain_addr\n%xdefine _slhdsa_set_hash_addr _ %+ BORINGSSL_PREFIX %+ _slhdsa_set_hash_addr\n%xdefine _slhdsa_set_keypair_addr _ %+ BORINGSSL_PREFIX %+ _slhdsa_set_keypair_addr\n%xdefine _slhdsa_set_layer_addr _ %+ BORINGSSL_PREFIX %+ _slhdsa_set_layer_addr\n%xdefine _slhdsa_set_tree_addr _ %+ BORINGSSL_PREFIX %+ _slhdsa_set_tree_addr\n%xdefine _slhdsa_set_tree_height _ %+ BORINGSSL_PREFIX %+ _slhdsa_set_tree_height\n%xdefine _slhdsa_set_tree_index _ %+ BORINGSSL_PREFIX %+ _slhdsa_set_tree_index\n%xdefine _slhdsa_set_type _ %+ BORINGSSL_PREFIX %+ _slhdsa_set_type\n%xdefine _slhdsa_thash_f _ %+ BORINGSSL_PREFIX %+ _slhdsa_thash_f\n%xdefine _slhdsa_thash_h _ %+ BORINGSSL_PREFIX %+ _slhdsa_thash_h\n%xdefine _slhdsa_thash_hmsg _ %+ BORINGSSL_PREFIX %+ _slhdsa_thash_hmsg\n%xdefine _slhdsa_thash_prf _ %+ BORINGSSL_PREFIX %+ _slhdsa_thash_prf\n%xdefine _slhdsa_thash_prfmsg _ %+ BORINGSSL_PREFIX %+ _slhdsa_thash_prfmsg\n%xdefine _slhdsa_thash_tk _ %+ BORINGSSL_PREFIX %+ _slhdsa_thash_tk\n%xdefine _slhdsa_thash_tl _ %+ BORINGSSL_PREFIX %+ _slhdsa_thash_tl\n%xdefine _slhdsa_treehash _ %+ BORINGSSL_PREFIX %+ _slhdsa_treehash\n%xdefine _slhdsa_wots_pk_from_sig _ %+ BORINGSSL_PREFIX %+ _slhdsa_wots_pk_from_sig\n%xdefine _slhdsa_wots_pk_gen _ %+ BORINGSSL_PREFIX %+ _slhdsa_wots_pk_gen\n%xdefine _slhdsa_wots_sign _ %+ BORINGSSL_PREFIX %+ _slhdsa_wots_sign\n%xdefine _slhdsa_xmss_pk_from_sig _ %+ BORINGSSL_PREFIX %+ _slhdsa_xmss_pk_from_sig\n%xdefine _slhdsa_xmss_sign _ %+ BORINGSSL_PREFIX %+ _slhdsa_xmss_sign\n%xdefine _v2i_GENERAL_NAME _ %+ BORINGSSL_PREFIX %+ _v2i_GENERAL_NAME\n%xdefine _v2i_GENERAL_NAMES _ %+ BORINGSSL_PREFIX %+ _v2i_GENERAL_NAMES\n%xdefine _v2i_GENERAL_NAME_ex _ %+ BORINGSSL_PREFIX %+ _v2i_GENERAL_NAME_ex\n%xdefine _v3_akey_id _ %+ BORINGSSL_PREFIX %+ _v3_akey_id\n%xdefine _v3_alt _ %+ BORINGSSL_PREFIX %+ _v3_alt\n%xdefine _v3_bcons _ %+ BORINGSSL_PREFIX %+ _v3_bcons\n%xdefine _v3_cpols _ %+ BORINGSSL_PREFIX %+ _v3_cpols\n%xdefine _v3_crl_invdate _ %+ BORINGSSL_PREFIX %+ _v3_crl_invdate\n%xdefine _v3_crl_num _ %+ BORINGSSL_PREFIX %+ _v3_crl_num\n%xdefine _v3_crl_reason _ %+ BORINGSSL_PREFIX %+ _v3_crl_reason\n%xdefine _v3_crld _ %+ BORINGSSL_PREFIX %+ _v3_crld\n%xdefine _v3_delta_crl _ %+ BORINGSSL_PREFIX %+ _v3_delta_crl\n%xdefine _v3_ext_ku _ %+ BORINGSSL_PREFIX %+ _v3_ext_ku\n%xdefine _v3_freshest_crl _ %+ BORINGSSL_PREFIX %+ _v3_freshest_crl\n%xdefine _v3_idp _ %+ BORINGSSL_PREFIX %+ _v3_idp\n%xdefine _v3_info _ %+ BORINGSSL_PREFIX %+ _v3_info\n%xdefine _v3_inhibit_anyp _ %+ BORINGSSL_PREFIX %+ _v3_inhibit_anyp\n%xdefine _v3_key_usage _ %+ BORINGSSL_PREFIX %+ _v3_key_usage\n%xdefine _v3_name_constraints _ %+ BORINGSSL_PREFIX %+ _v3_name_constraints\n%xdefine _v3_ns_ia5_list _ %+ BORINGSSL_PREFIX %+ _v3_ns_ia5_list\n%xdefine _v3_nscert _ %+ BORINGSSL_PREFIX %+ _v3_nscert\n%xdefine _v3_ocsp_accresp _ %+ BORINGSSL_PREFIX %+ _v3_ocsp_accresp\n%xdefine _v3_ocsp_nocheck _ %+ BORINGSSL_PREFIX %+ _v3_ocsp_nocheck\n%xdefine _v3_policy_constraints _ %+ BORINGSSL_PREFIX %+ _v3_policy_constraints\n%xdefine _v3_policy_mappings _ %+ BORINGSSL_PREFIX %+ _v3_policy_mappings\n%xdefine _v3_sinfo _ %+ BORINGSSL_PREFIX %+ _v3_sinfo\n%xdefine _v3_skey_id _ %+ BORINGSSL_PREFIX %+ _v3_skey_id\n%xdefine _voprf_exp2_blind _ %+ BORINGSSL_PREFIX %+ _voprf_exp2_blind\n%xdefine _voprf_exp2_client_key_from_bytes _ %+ BORINGSSL_PREFIX %+ _voprf_exp2_client_key_from_bytes\n%xdefine _voprf_exp2_derive_key_from_secret _ %+ BORINGSSL_PREFIX %+ _voprf_exp2_derive_key_from_secret\n%xdefine _voprf_exp2_generate_key _ %+ BORINGSSL_PREFIX %+ _voprf_exp2_generate_key\n%xdefine _voprf_exp2_issuer_key_from_bytes _ %+ BORINGSSL_PREFIX %+ _voprf_exp2_issuer_key_from_bytes\n%xdefine _voprf_exp2_read _ %+ BORINGSSL_PREFIX %+ _voprf_exp2_read\n%xdefine _voprf_exp2_sign _ %+ BORINGSSL_PREFIX %+ _voprf_exp2_sign\n%xdefine _voprf_exp2_unblind _ %+ BORINGSSL_PREFIX %+ _voprf_exp2_unblind\n%xdefine _voprf_pst1_blind _ %+ BORINGSSL_PREFIX %+ _voprf_pst1_blind\n%xdefine _voprf_pst1_client_key_from_bytes _ %+ BORINGSSL_PREFIX %+ _voprf_pst1_client_key_from_bytes\n%xdefine _voprf_pst1_derive_key_from_secret _ %+ BORINGSSL_PREFIX %+ _voprf_pst1_derive_key_from_secret\n%xdefine _voprf_pst1_generate_key _ %+ BORINGSSL_PREFIX %+ _voprf_pst1_generate_key\n%xdefine _voprf_pst1_issuer_key_from_bytes _ %+ BORINGSSL_PREFIX %+ _voprf_pst1_issuer_key_from_bytes\n%xdefine _voprf_pst1_read _ %+ BORINGSSL_PREFIX %+ _voprf_pst1_read\n%xdefine _voprf_pst1_sign _ %+ BORINGSSL_PREFIX %+ _voprf_pst1_sign\n%xdefine _voprf_pst1_sign_with_proof_scalar_for_testing _ %+ BORINGSSL_PREFIX %+ _voprf_pst1_sign_with_proof_scalar_for_testing\n%xdefine _voprf_pst1_unblind _ %+ BORINGSSL_PREFIX %+ _voprf_pst1_unblind\n%xdefine _vpaes_capable _ %+ BORINGSSL_PREFIX %+ _vpaes_capable\n%xdefine _vpaes_cbc_encrypt _ %+ BORINGSSL_PREFIX %+ _vpaes_cbc_encrypt\n%xdefine _vpaes_ctr32_encrypt_blocks _ %+ BORINGSSL_PREFIX %+ _vpaes_ctr32_encrypt_blocks\n%xdefine _vpaes_decrypt _ %+ BORINGSSL_PREFIX %+ _vpaes_decrypt\n%xdefine _vpaes_decrypt_key_to_bsaes _ %+ BORINGSSL_PREFIX %+ _vpaes_decrypt_key_to_bsaes\n%xdefine _vpaes_encrypt _ %+ BORINGSSL_PREFIX %+ _vpaes_encrypt\n%xdefine _vpaes_set_decrypt_key _ %+ BORINGSSL_PREFIX %+ _vpaes_set_decrypt_key\n%xdefine _vpaes_set_encrypt_key _ %+ BORINGSSL_PREFIX %+ _vpaes_set_encrypt_key\n%xdefine _x25519_asn1_meth _ %+ BORINGSSL_PREFIX %+ _x25519_asn1_meth\n%xdefine _x25519_ge_add _ %+ BORINGSSL_PREFIX %+ _x25519_ge_add\n%xdefine _x25519_ge_frombytes_vartime _ %+ BORINGSSL_PREFIX %+ _x25519_ge_frombytes_vartime\n%xdefine _x25519_ge_p1p1_to_p2 _ %+ BORINGSSL_PREFIX %+ _x25519_ge_p1p1_to_p2\n%xdefine _x25519_ge_p1p1_to_p3 _ %+ BORINGSSL_PREFIX %+ _x25519_ge_p1p1_to_p3\n%xdefine _x25519_ge_p3_to_cached _ %+ BORINGSSL_PREFIX %+ _x25519_ge_p3_to_cached\n%xdefine _x25519_ge_scalarmult _ %+ BORINGSSL_PREFIX %+ _x25519_ge_scalarmult\n%xdefine _x25519_ge_scalarmult_base _ %+ BORINGSSL_PREFIX %+ _x25519_ge_scalarmult_base\n%xdefine _x25519_ge_scalarmult_base_adx _ %+ BORINGSSL_PREFIX %+ _x25519_ge_scalarmult_base_adx\n%xdefine _x25519_ge_scalarmult_small_precomp _ %+ BORINGSSL_PREFIX %+ _x25519_ge_scalarmult_small_precomp\n%xdefine _x25519_ge_sub _ %+ BORINGSSL_PREFIX %+ _x25519_ge_sub\n%xdefine _x25519_ge_tobytes _ %+ BORINGSSL_PREFIX %+ _x25519_ge_tobytes\n%xdefine _x25519_pkey_meth _ %+ BORINGSSL_PREFIX %+ _x25519_pkey_meth\n%xdefine _x25519_sc_reduce _ %+ BORINGSSL_PREFIX %+ _x25519_sc_reduce\n%xdefine _x25519_scalar_mult_adx _ %+ BORINGSSL_PREFIX %+ _x25519_scalar_mult_adx\n%xdefine _x509V3_add_value_asn1_string _ %+ BORINGSSL_PREFIX %+ _x509V3_add_value_asn1_string\n%xdefine _x509_check_issued_with_callback _ %+ BORINGSSL_PREFIX %+ _x509_check_issued_with_callback\n%xdefine _x509_digest_sign_algorithm _ %+ BORINGSSL_PREFIX %+ _x509_digest_sign_algorithm\n%xdefine _x509_digest_verify_init _ %+ BORINGSSL_PREFIX %+ _x509_digest_verify_init\n%xdefine _x509_print_rsa_pss_params _ %+ BORINGSSL_PREFIX %+ _x509_print_rsa_pss_params\n%xdefine _x509_rsa_ctx_to_pss _ %+ BORINGSSL_PREFIX %+ _x509_rsa_ctx_to_pss\n%xdefine _x509_rsa_pss_to_ctx _ %+ BORINGSSL_PREFIX %+ _x509_rsa_pss_to_ctx\n%xdefine _x509v3_a2i_ipadd _ %+ BORINGSSL_PREFIX %+ _x509v3_a2i_ipadd\n%xdefine _x509v3_bytes_to_hex _ %+ BORINGSSL_PREFIX %+ _x509v3_bytes_to_hex\n%xdefine _x509v3_cache_extensions _ %+ BORINGSSL_PREFIX %+ _x509v3_cache_extensions\n%xdefine _x509v3_conf_name_matches _ %+ BORINGSSL_PREFIX %+ _x509v3_conf_name_matches\n%xdefine _x509v3_hex_to_bytes _ %+ BORINGSSL_PREFIX %+ _x509v3_hex_to_bytes\n%xdefine _x509v3_looks_like_dns_name _ %+ BORINGSSL_PREFIX %+ _x509v3_looks_like_dns_name\n%else\n%xdefine ACCESS_DESCRIPTION_free BORINGSSL_PREFIX %+ _ACCESS_DESCRIPTION_free\n%xdefine ACCESS_DESCRIPTION_new BORINGSSL_PREFIX %+ _ACCESS_DESCRIPTION_new\n%xdefine AES_CMAC BORINGSSL_PREFIX %+ _AES_CMAC\n%xdefine AES_cbc_encrypt BORINGSSL_PREFIX %+ _AES_cbc_encrypt\n%xdefine AES_cfb128_encrypt BORINGSSL_PREFIX %+ _AES_cfb128_encrypt\n%xdefine AES_ctr128_encrypt BORINGSSL_PREFIX %+ _AES_ctr128_encrypt\n%xdefine AES_decrypt BORINGSSL_PREFIX %+ _AES_decrypt\n%xdefine AES_ecb_encrypt BORINGSSL_PREFIX %+ _AES_ecb_encrypt\n%xdefine AES_encrypt BORINGSSL_PREFIX %+ _AES_encrypt\n%xdefine AES_ofb128_encrypt BORINGSSL_PREFIX %+ _AES_ofb128_encrypt\n%xdefine AES_set_decrypt_key BORINGSSL_PREFIX %+ _AES_set_decrypt_key\n%xdefine AES_set_encrypt_key BORINGSSL_PREFIX %+ _AES_set_encrypt_key\n%xdefine AES_unwrap_key BORINGSSL_PREFIX %+ _AES_unwrap_key\n%xdefine AES_unwrap_key_padded BORINGSSL_PREFIX %+ _AES_unwrap_key_padded\n%xdefine AES_wrap_key BORINGSSL_PREFIX %+ _AES_wrap_key\n%xdefine AES_wrap_key_padded BORINGSSL_PREFIX %+ _AES_wrap_key_padded\n%xdefine ASN1_ANY_it BORINGSSL_PREFIX %+ _ASN1_ANY_it\n%xdefine ASN1_BIT_STRING_check BORINGSSL_PREFIX %+ _ASN1_BIT_STRING_check\n%xdefine ASN1_BIT_STRING_free BORINGSSL_PREFIX %+ _ASN1_BIT_STRING_free\n%xdefine ASN1_BIT_STRING_get_bit BORINGSSL_PREFIX %+ _ASN1_BIT_STRING_get_bit\n%xdefine ASN1_BIT_STRING_it BORINGSSL_PREFIX %+ _ASN1_BIT_STRING_it\n%xdefine ASN1_BIT_STRING_new BORINGSSL_PREFIX %+ _ASN1_BIT_STRING_new\n%xdefine ASN1_BIT_STRING_num_bytes BORINGSSL_PREFIX %+ _ASN1_BIT_STRING_num_bytes\n%xdefine ASN1_BIT_STRING_set BORINGSSL_PREFIX %+ _ASN1_BIT_STRING_set\n%xdefine ASN1_BIT_STRING_set_bit BORINGSSL_PREFIX %+ _ASN1_BIT_STRING_set_bit\n%xdefine ASN1_BMPSTRING_free BORINGSSL_PREFIX %+ _ASN1_BMPSTRING_free\n%xdefine ASN1_BMPSTRING_it BORINGSSL_PREFIX %+ _ASN1_BMPSTRING_it\n%xdefine ASN1_BMPSTRING_new BORINGSSL_PREFIX %+ _ASN1_BMPSTRING_new\n%xdefine ASN1_BOOLEAN_it BORINGSSL_PREFIX %+ _ASN1_BOOLEAN_it\n%xdefine ASN1_ENUMERATED_free BORINGSSL_PREFIX %+ _ASN1_ENUMERATED_free\n%xdefine ASN1_ENUMERATED_get BORINGSSL_PREFIX %+ _ASN1_ENUMERATED_get\n%xdefine ASN1_ENUMERATED_get_int64 BORINGSSL_PREFIX %+ _ASN1_ENUMERATED_get_int64\n%xdefine ASN1_ENUMERATED_get_uint64 BORINGSSL_PREFIX %+ _ASN1_ENUMERATED_get_uint64\n%xdefine ASN1_ENUMERATED_it BORINGSSL_PREFIX %+ _ASN1_ENUMERATED_it\n%xdefine ASN1_ENUMERATED_new BORINGSSL_PREFIX %+ _ASN1_ENUMERATED_new\n%xdefine ASN1_ENUMERATED_set BORINGSSL_PREFIX %+ _ASN1_ENUMERATED_set\n%xdefine ASN1_ENUMERATED_set_int64 BORINGSSL_PREFIX %+ _ASN1_ENUMERATED_set_int64\n%xdefine ASN1_ENUMERATED_set_uint64 BORINGSSL_PREFIX %+ _ASN1_ENUMERATED_set_uint64\n%xdefine ASN1_ENUMERATED_to_BN BORINGSSL_PREFIX %+ _ASN1_ENUMERATED_to_BN\n%xdefine ASN1_FBOOLEAN_it BORINGSSL_PREFIX %+ _ASN1_FBOOLEAN_it\n%xdefine ASN1_GENERALIZEDTIME_adj BORINGSSL_PREFIX %+ _ASN1_GENERALIZEDTIME_adj\n%xdefine ASN1_GENERALIZEDTIME_check BORINGSSL_PREFIX %+ _ASN1_GENERALIZEDTIME_check\n%xdefine ASN1_GENERALIZEDTIME_free BORINGSSL_PREFIX %+ _ASN1_GENERALIZEDTIME_free\n%xdefine ASN1_GENERALIZEDTIME_it BORINGSSL_PREFIX %+ _ASN1_GENERALIZEDTIME_it\n%xdefine ASN1_GENERALIZEDTIME_new BORINGSSL_PREFIX %+ _ASN1_GENERALIZEDTIME_new\n%xdefine ASN1_GENERALIZEDTIME_print BORINGSSL_PREFIX %+ _ASN1_GENERALIZEDTIME_print\n%xdefine ASN1_GENERALIZEDTIME_set BORINGSSL_PREFIX %+ _ASN1_GENERALIZEDTIME_set\n%xdefine ASN1_GENERALIZEDTIME_set_string BORINGSSL_PREFIX %+ _ASN1_GENERALIZEDTIME_set_string\n%xdefine ASN1_GENERALSTRING_free BORINGSSL_PREFIX %+ _ASN1_GENERALSTRING_free\n%xdefine ASN1_GENERALSTRING_it BORINGSSL_PREFIX %+ _ASN1_GENERALSTRING_it\n%xdefine ASN1_GENERALSTRING_new BORINGSSL_PREFIX %+ _ASN1_GENERALSTRING_new\n%xdefine ASN1_IA5STRING_free BORINGSSL_PREFIX %+ _ASN1_IA5STRING_free\n%xdefine ASN1_IA5STRING_it BORINGSSL_PREFIX %+ _ASN1_IA5STRING_it\n%xdefine ASN1_IA5STRING_new BORINGSSL_PREFIX %+ _ASN1_IA5STRING_new\n%xdefine ASN1_INTEGER_cmp BORINGSSL_PREFIX %+ _ASN1_INTEGER_cmp\n%xdefine ASN1_INTEGER_dup BORINGSSL_PREFIX %+ _ASN1_INTEGER_dup\n%xdefine ASN1_INTEGER_free BORINGSSL_PREFIX %+ _ASN1_INTEGER_free\n%xdefine ASN1_INTEGER_get BORINGSSL_PREFIX %+ _ASN1_INTEGER_get\n%xdefine ASN1_INTEGER_get_int64 BORINGSSL_PREFIX %+ _ASN1_INTEGER_get_int64\n%xdefine ASN1_INTEGER_get_uint64 BORINGSSL_PREFIX %+ _ASN1_INTEGER_get_uint64\n%xdefine ASN1_INTEGER_it BORINGSSL_PREFIX %+ _ASN1_INTEGER_it\n%xdefine ASN1_INTEGER_new BORINGSSL_PREFIX %+ _ASN1_INTEGER_new\n%xdefine ASN1_INTEGER_set BORINGSSL_PREFIX %+ _ASN1_INTEGER_set\n%xdefine ASN1_INTEGER_set_int64 BORINGSSL_PREFIX %+ _ASN1_INTEGER_set_int64\n%xdefine ASN1_INTEGER_set_uint64 BORINGSSL_PREFIX %+ _ASN1_INTEGER_set_uint64\n%xdefine ASN1_INTEGER_to_BN BORINGSSL_PREFIX %+ _ASN1_INTEGER_to_BN\n%xdefine ASN1_NULL_free BORINGSSL_PREFIX %+ _ASN1_NULL_free\n%xdefine ASN1_NULL_it BORINGSSL_PREFIX %+ _ASN1_NULL_it\n%xdefine ASN1_NULL_new BORINGSSL_PREFIX %+ _ASN1_NULL_new\n%xdefine ASN1_OBJECT_create BORINGSSL_PREFIX %+ _ASN1_OBJECT_create\n%xdefine ASN1_OBJECT_free BORINGSSL_PREFIX %+ _ASN1_OBJECT_free\n%xdefine ASN1_OBJECT_it BORINGSSL_PREFIX %+ _ASN1_OBJECT_it\n%xdefine ASN1_OBJECT_new BORINGSSL_PREFIX %+ _ASN1_OBJECT_new\n%xdefine ASN1_OCTET_STRING_cmp BORINGSSL_PREFIX %+ _ASN1_OCTET_STRING_cmp\n%xdefine ASN1_OCTET_STRING_dup BORINGSSL_PREFIX %+ _ASN1_OCTET_STRING_dup\n%xdefine ASN1_OCTET_STRING_free BORINGSSL_PREFIX %+ _ASN1_OCTET_STRING_free\n%xdefine ASN1_OCTET_STRING_it BORINGSSL_PREFIX %+ _ASN1_OCTET_STRING_it\n%xdefine ASN1_OCTET_STRING_new BORINGSSL_PREFIX %+ _ASN1_OCTET_STRING_new\n%xdefine ASN1_OCTET_STRING_set BORINGSSL_PREFIX %+ _ASN1_OCTET_STRING_set\n%xdefine ASN1_PRINTABLESTRING_free BORINGSSL_PREFIX %+ _ASN1_PRINTABLESTRING_free\n%xdefine ASN1_PRINTABLESTRING_it BORINGSSL_PREFIX %+ _ASN1_PRINTABLESTRING_it\n%xdefine ASN1_PRINTABLESTRING_new BORINGSSL_PREFIX %+ _ASN1_PRINTABLESTRING_new\n%xdefine ASN1_PRINTABLE_free BORINGSSL_PREFIX %+ _ASN1_PRINTABLE_free\n%xdefine ASN1_PRINTABLE_it BORINGSSL_PREFIX %+ _ASN1_PRINTABLE_it\n%xdefine ASN1_PRINTABLE_new BORINGSSL_PREFIX %+ _ASN1_PRINTABLE_new\n%xdefine ASN1_SEQUENCE_it BORINGSSL_PREFIX %+ _ASN1_SEQUENCE_it\n%xdefine ASN1_STRING_TABLE_add BORINGSSL_PREFIX %+ _ASN1_STRING_TABLE_add\n%xdefine ASN1_STRING_TABLE_cleanup BORINGSSL_PREFIX %+ _ASN1_STRING_TABLE_cleanup\n%xdefine ASN1_STRING_cmp BORINGSSL_PREFIX %+ _ASN1_STRING_cmp\n%xdefine ASN1_STRING_copy BORINGSSL_PREFIX %+ _ASN1_STRING_copy\n%xdefine ASN1_STRING_data BORINGSSL_PREFIX %+ _ASN1_STRING_data\n%xdefine ASN1_STRING_dup BORINGSSL_PREFIX %+ _ASN1_STRING_dup\n%xdefine ASN1_STRING_free BORINGSSL_PREFIX %+ _ASN1_STRING_free\n%xdefine ASN1_STRING_get0_data BORINGSSL_PREFIX %+ _ASN1_STRING_get0_data\n%xdefine ASN1_STRING_get_default_mask BORINGSSL_PREFIX %+ _ASN1_STRING_get_default_mask\n%xdefine ASN1_STRING_length BORINGSSL_PREFIX %+ _ASN1_STRING_length\n%xdefine ASN1_STRING_new BORINGSSL_PREFIX %+ _ASN1_STRING_new\n%xdefine ASN1_STRING_print BORINGSSL_PREFIX %+ _ASN1_STRING_print\n%xdefine ASN1_STRING_print_ex BORINGSSL_PREFIX %+ _ASN1_STRING_print_ex\n%xdefine ASN1_STRING_print_ex_fp BORINGSSL_PREFIX %+ _ASN1_STRING_print_ex_fp\n%xdefine ASN1_STRING_set BORINGSSL_PREFIX %+ _ASN1_STRING_set\n%xdefine ASN1_STRING_set0 BORINGSSL_PREFIX %+ _ASN1_STRING_set0\n%xdefine ASN1_STRING_set_by_NID BORINGSSL_PREFIX %+ _ASN1_STRING_set_by_NID\n%xdefine ASN1_STRING_set_default_mask BORINGSSL_PREFIX %+ _ASN1_STRING_set_default_mask\n%xdefine ASN1_STRING_set_default_mask_asc BORINGSSL_PREFIX %+ _ASN1_STRING_set_default_mask_asc\n%xdefine ASN1_STRING_to_UTF8 BORINGSSL_PREFIX %+ _ASN1_STRING_to_UTF8\n%xdefine ASN1_STRING_type BORINGSSL_PREFIX %+ _ASN1_STRING_type\n%xdefine ASN1_STRING_type_new BORINGSSL_PREFIX %+ _ASN1_STRING_type_new\n%xdefine ASN1_T61STRING_free BORINGSSL_PREFIX %+ _ASN1_T61STRING_free\n%xdefine ASN1_T61STRING_it BORINGSSL_PREFIX %+ _ASN1_T61STRING_it\n%xdefine ASN1_T61STRING_new BORINGSSL_PREFIX %+ _ASN1_T61STRING_new\n%xdefine ASN1_TBOOLEAN_it BORINGSSL_PREFIX %+ _ASN1_TBOOLEAN_it\n%xdefine ASN1_TIME_adj BORINGSSL_PREFIX %+ _ASN1_TIME_adj\n%xdefine ASN1_TIME_check BORINGSSL_PREFIX %+ _ASN1_TIME_check\n%xdefine ASN1_TIME_diff BORINGSSL_PREFIX %+ _ASN1_TIME_diff\n%xdefine ASN1_TIME_free BORINGSSL_PREFIX %+ _ASN1_TIME_free\n%xdefine ASN1_TIME_it BORINGSSL_PREFIX %+ _ASN1_TIME_it\n%xdefine ASN1_TIME_new BORINGSSL_PREFIX %+ _ASN1_TIME_new\n%xdefine ASN1_TIME_print BORINGSSL_PREFIX %+ _ASN1_TIME_print\n%xdefine ASN1_TIME_set BORINGSSL_PREFIX %+ _ASN1_TIME_set\n%xdefine ASN1_TIME_set_posix BORINGSSL_PREFIX %+ _ASN1_TIME_set_posix\n%xdefine ASN1_TIME_set_string BORINGSSL_PREFIX %+ _ASN1_TIME_set_string\n%xdefine ASN1_TIME_set_string_X509 BORINGSSL_PREFIX %+ _ASN1_TIME_set_string_X509\n%xdefine ASN1_TIME_to_generalizedtime BORINGSSL_PREFIX %+ _ASN1_TIME_to_generalizedtime\n%xdefine ASN1_TIME_to_posix BORINGSSL_PREFIX %+ _ASN1_TIME_to_posix\n%xdefine ASN1_TIME_to_posix_nonstandard BORINGSSL_PREFIX %+ _ASN1_TIME_to_posix_nonstandard\n%xdefine ASN1_TIME_to_time_t BORINGSSL_PREFIX %+ _ASN1_TIME_to_time_t\n%xdefine ASN1_TYPE_cmp BORINGSSL_PREFIX %+ _ASN1_TYPE_cmp\n%xdefine ASN1_TYPE_free BORINGSSL_PREFIX %+ _ASN1_TYPE_free\n%xdefine ASN1_TYPE_get BORINGSSL_PREFIX %+ _ASN1_TYPE_get\n%xdefine ASN1_TYPE_new BORINGSSL_PREFIX %+ _ASN1_TYPE_new\n%xdefine ASN1_TYPE_set BORINGSSL_PREFIX %+ _ASN1_TYPE_set\n%xdefine ASN1_TYPE_set1 BORINGSSL_PREFIX %+ _ASN1_TYPE_set1\n%xdefine ASN1_UNIVERSALSTRING_free BORINGSSL_PREFIX %+ _ASN1_UNIVERSALSTRING_free\n%xdefine ASN1_UNIVERSALSTRING_it BORINGSSL_PREFIX %+ _ASN1_UNIVERSALSTRING_it\n%xdefine ASN1_UNIVERSALSTRING_new BORINGSSL_PREFIX %+ _ASN1_UNIVERSALSTRING_new\n%xdefine ASN1_UTCTIME_adj BORINGSSL_PREFIX %+ _ASN1_UTCTIME_adj\n%xdefine ASN1_UTCTIME_check BORINGSSL_PREFIX %+ _ASN1_UTCTIME_check\n%xdefine ASN1_UTCTIME_free BORINGSSL_PREFIX %+ _ASN1_UTCTIME_free\n%xdefine ASN1_UTCTIME_it BORINGSSL_PREFIX %+ _ASN1_UTCTIME_it\n%xdefine ASN1_UTCTIME_new BORINGSSL_PREFIX %+ _ASN1_UTCTIME_new\n%xdefine ASN1_UTCTIME_print BORINGSSL_PREFIX %+ _ASN1_UTCTIME_print\n%xdefine ASN1_UTCTIME_set BORINGSSL_PREFIX %+ _ASN1_UTCTIME_set\n%xdefine ASN1_UTCTIME_set_string BORINGSSL_PREFIX %+ _ASN1_UTCTIME_set_string\n%xdefine ASN1_UTF8STRING_free BORINGSSL_PREFIX %+ _ASN1_UTF8STRING_free\n%xdefine ASN1_UTF8STRING_it BORINGSSL_PREFIX %+ _ASN1_UTF8STRING_it\n%xdefine ASN1_UTF8STRING_new BORINGSSL_PREFIX %+ _ASN1_UTF8STRING_new\n%xdefine ASN1_VISIBLESTRING_free BORINGSSL_PREFIX %+ _ASN1_VISIBLESTRING_free\n%xdefine ASN1_VISIBLESTRING_it BORINGSSL_PREFIX %+ _ASN1_VISIBLESTRING_it\n%xdefine ASN1_VISIBLESTRING_new BORINGSSL_PREFIX %+ _ASN1_VISIBLESTRING_new\n%xdefine ASN1_digest BORINGSSL_PREFIX %+ _ASN1_digest\n%xdefine ASN1_generate_v3 BORINGSSL_PREFIX %+ _ASN1_generate_v3\n%xdefine ASN1_get_object BORINGSSL_PREFIX %+ _ASN1_get_object\n%xdefine ASN1_item_d2i BORINGSSL_PREFIX %+ _ASN1_item_d2i\n%xdefine ASN1_item_d2i_bio BORINGSSL_PREFIX %+ _ASN1_item_d2i_bio\n%xdefine ASN1_item_d2i_fp BORINGSSL_PREFIX %+ _ASN1_item_d2i_fp\n%xdefine ASN1_item_digest BORINGSSL_PREFIX %+ _ASN1_item_digest\n%xdefine ASN1_item_dup BORINGSSL_PREFIX %+ _ASN1_item_dup\n%xdefine ASN1_item_ex_d2i BORINGSSL_PREFIX %+ _ASN1_item_ex_d2i\n%xdefine ASN1_item_ex_free BORINGSSL_PREFIX %+ _ASN1_item_ex_free\n%xdefine ASN1_item_ex_i2d BORINGSSL_PREFIX %+ _ASN1_item_ex_i2d\n%xdefine ASN1_item_ex_new BORINGSSL_PREFIX %+ _ASN1_item_ex_new\n%xdefine ASN1_item_free BORINGSSL_PREFIX %+ _ASN1_item_free\n%xdefine ASN1_item_i2d BORINGSSL_PREFIX %+ _ASN1_item_i2d\n%xdefine ASN1_item_i2d_bio BORINGSSL_PREFIX %+ _ASN1_item_i2d_bio\n%xdefine ASN1_item_i2d_fp BORINGSSL_PREFIX %+ _ASN1_item_i2d_fp\n%xdefine ASN1_item_new BORINGSSL_PREFIX %+ _ASN1_item_new\n%xdefine ASN1_item_pack BORINGSSL_PREFIX %+ _ASN1_item_pack\n%xdefine ASN1_item_sign BORINGSSL_PREFIX %+ _ASN1_item_sign\n%xdefine ASN1_item_sign_ctx BORINGSSL_PREFIX %+ _ASN1_item_sign_ctx\n%xdefine ASN1_item_unpack BORINGSSL_PREFIX %+ _ASN1_item_unpack\n%xdefine ASN1_item_verify BORINGSSL_PREFIX %+ _ASN1_item_verify\n%xdefine ASN1_mbstring_copy BORINGSSL_PREFIX %+ _ASN1_mbstring_copy\n%xdefine ASN1_mbstring_ncopy BORINGSSL_PREFIX %+ _ASN1_mbstring_ncopy\n%xdefine ASN1_object_size BORINGSSL_PREFIX %+ _ASN1_object_size\n%xdefine ASN1_primitive_free BORINGSSL_PREFIX %+ _ASN1_primitive_free\n%xdefine ASN1_put_eoc BORINGSSL_PREFIX %+ _ASN1_put_eoc\n%xdefine ASN1_put_object BORINGSSL_PREFIX %+ _ASN1_put_object\n%xdefine ASN1_tag2bit BORINGSSL_PREFIX %+ _ASN1_tag2bit\n%xdefine ASN1_tag2str BORINGSSL_PREFIX %+ _ASN1_tag2str\n%xdefine ASN1_template_free BORINGSSL_PREFIX %+ _ASN1_template_free\n%xdefine AUTHORITY_INFO_ACCESS_free BORINGSSL_PREFIX %+ _AUTHORITY_INFO_ACCESS_free\n%xdefine AUTHORITY_INFO_ACCESS_it BORINGSSL_PREFIX %+ _AUTHORITY_INFO_ACCESS_it\n%xdefine AUTHORITY_INFO_ACCESS_new BORINGSSL_PREFIX %+ _AUTHORITY_INFO_ACCESS_new\n%xdefine AUTHORITY_KEYID_free BORINGSSL_PREFIX %+ _AUTHORITY_KEYID_free\n%xdefine AUTHORITY_KEYID_it BORINGSSL_PREFIX %+ _AUTHORITY_KEYID_it\n%xdefine AUTHORITY_KEYID_new BORINGSSL_PREFIX %+ _AUTHORITY_KEYID_new\n%xdefine BASIC_CONSTRAINTS_free BORINGSSL_PREFIX %+ _BASIC_CONSTRAINTS_free\n%xdefine BASIC_CONSTRAINTS_it BORINGSSL_PREFIX %+ _BASIC_CONSTRAINTS_it\n%xdefine BASIC_CONSTRAINTS_new BORINGSSL_PREFIX %+ _BASIC_CONSTRAINTS_new\n%xdefine BCM_fips_186_2_prf BORINGSSL_PREFIX %+ _BCM_fips_186_2_prf\n%xdefine BCM_mldsa65_generate_key BORINGSSL_PREFIX %+ _BCM_mldsa65_generate_key\n%xdefine BCM_mldsa65_generate_key_external_entropy BORINGSSL_PREFIX %+ _BCM_mldsa65_generate_key_external_entropy\n%xdefine BCM_mldsa65_marshal_private_key BORINGSSL_PREFIX %+ _BCM_mldsa65_marshal_private_key\n%xdefine BCM_mldsa65_marshal_public_key BORINGSSL_PREFIX %+ _BCM_mldsa65_marshal_public_key\n%xdefine BCM_mldsa65_parse_private_key BORINGSSL_PREFIX %+ _BCM_mldsa65_parse_private_key\n%xdefine BCM_mldsa65_parse_public_key BORINGSSL_PREFIX %+ _BCM_mldsa65_parse_public_key\n%xdefine BCM_mldsa65_private_key_from_seed BORINGSSL_PREFIX %+ _BCM_mldsa65_private_key_from_seed\n%xdefine BCM_mldsa65_public_from_private BORINGSSL_PREFIX %+ _BCM_mldsa65_public_from_private\n%xdefine BCM_mldsa65_sign BORINGSSL_PREFIX %+ _BCM_mldsa65_sign\n%xdefine BCM_mldsa65_sign_internal BORINGSSL_PREFIX %+ _BCM_mldsa65_sign_internal\n%xdefine BCM_mldsa65_verify BORINGSSL_PREFIX %+ _BCM_mldsa65_verify\n%xdefine BCM_mldsa65_verify_internal BORINGSSL_PREFIX %+ _BCM_mldsa65_verify_internal\n%xdefine BCM_mldsa87_generate_key BORINGSSL_PREFIX %+ _BCM_mldsa87_generate_key\n%xdefine BCM_mldsa87_generate_key_external_entropy BORINGSSL_PREFIX %+ _BCM_mldsa87_generate_key_external_entropy\n%xdefine BCM_mldsa87_marshal_private_key BORINGSSL_PREFIX %+ _BCM_mldsa87_marshal_private_key\n%xdefine BCM_mldsa87_marshal_public_key BORINGSSL_PREFIX %+ _BCM_mldsa87_marshal_public_key\n%xdefine BCM_mldsa87_parse_private_key BORINGSSL_PREFIX %+ _BCM_mldsa87_parse_private_key\n%xdefine BCM_mldsa87_parse_public_key BORINGSSL_PREFIX %+ _BCM_mldsa87_parse_public_key\n%xdefine BCM_mldsa87_private_key_from_seed BORINGSSL_PREFIX %+ _BCM_mldsa87_private_key_from_seed\n%xdefine BCM_mldsa87_public_from_private BORINGSSL_PREFIX %+ _BCM_mldsa87_public_from_private\n%xdefine BCM_mldsa87_sign BORINGSSL_PREFIX %+ _BCM_mldsa87_sign\n%xdefine BCM_mldsa87_sign_internal BORINGSSL_PREFIX %+ _BCM_mldsa87_sign_internal\n%xdefine BCM_mldsa87_verify BORINGSSL_PREFIX %+ _BCM_mldsa87_verify\n%xdefine BCM_mldsa87_verify_internal BORINGSSL_PREFIX %+ _BCM_mldsa87_verify_internal\n%xdefine BCM_mlkem1024_decap BORINGSSL_PREFIX %+ _BCM_mlkem1024_decap\n%xdefine BCM_mlkem1024_encap BORINGSSL_PREFIX %+ _BCM_mlkem1024_encap\n%xdefine BCM_mlkem1024_encap_external_entropy BORINGSSL_PREFIX %+ _BCM_mlkem1024_encap_external_entropy\n%xdefine BCM_mlkem1024_generate_key BORINGSSL_PREFIX %+ _BCM_mlkem1024_generate_key\n%xdefine BCM_mlkem1024_generate_key_external_seed BORINGSSL_PREFIX %+ _BCM_mlkem1024_generate_key_external_seed\n%xdefine BCM_mlkem1024_marshal_private_key BORINGSSL_PREFIX %+ _BCM_mlkem1024_marshal_private_key\n%xdefine BCM_mlkem1024_marshal_public_key BORINGSSL_PREFIX %+ _BCM_mlkem1024_marshal_public_key\n%xdefine BCM_mlkem1024_parse_private_key BORINGSSL_PREFIX %+ _BCM_mlkem1024_parse_private_key\n%xdefine BCM_mlkem1024_parse_public_key BORINGSSL_PREFIX %+ _BCM_mlkem1024_parse_public_key\n%xdefine BCM_mlkem1024_private_key_from_seed BORINGSSL_PREFIX %+ _BCM_mlkem1024_private_key_from_seed\n%xdefine BCM_mlkem1024_public_from_private BORINGSSL_PREFIX %+ _BCM_mlkem1024_public_from_private\n%xdefine BCM_mlkem768_decap BORINGSSL_PREFIX %+ _BCM_mlkem768_decap\n%xdefine BCM_mlkem768_encap BORINGSSL_PREFIX %+ _BCM_mlkem768_encap\n%xdefine BCM_mlkem768_encap_external_entropy BORINGSSL_PREFIX %+ _BCM_mlkem768_encap_external_entropy\n%xdefine BCM_mlkem768_generate_key BORINGSSL_PREFIX %+ _BCM_mlkem768_generate_key\n%xdefine BCM_mlkem768_generate_key_external_seed BORINGSSL_PREFIX %+ _BCM_mlkem768_generate_key_external_seed\n%xdefine BCM_mlkem768_marshal_private_key BORINGSSL_PREFIX %+ _BCM_mlkem768_marshal_private_key\n%xdefine BCM_mlkem768_marshal_public_key BORINGSSL_PREFIX %+ _BCM_mlkem768_marshal_public_key\n%xdefine BCM_mlkem768_parse_private_key BORINGSSL_PREFIX %+ _BCM_mlkem768_parse_private_key\n%xdefine BCM_mlkem768_parse_public_key BORINGSSL_PREFIX %+ _BCM_mlkem768_parse_public_key\n%xdefine BCM_mlkem768_private_key_from_seed BORINGSSL_PREFIX %+ _BCM_mlkem768_private_key_from_seed\n%xdefine BCM_mlkem768_public_from_private BORINGSSL_PREFIX %+ _BCM_mlkem768_public_from_private\n%xdefine BCM_rand_bytes BORINGSSL_PREFIX %+ _BCM_rand_bytes\n%xdefine BCM_rand_bytes_hwrng BORINGSSL_PREFIX %+ _BCM_rand_bytes_hwrng\n%xdefine BCM_rand_bytes_with_additional_data BORINGSSL_PREFIX %+ _BCM_rand_bytes_with_additional_data\n%xdefine BCM_sha1_final BORINGSSL_PREFIX %+ _BCM_sha1_final\n%xdefine BCM_sha1_init BORINGSSL_PREFIX %+ _BCM_sha1_init\n%xdefine BCM_sha1_transform BORINGSSL_PREFIX %+ _BCM_sha1_transform\n%xdefine BCM_sha1_update BORINGSSL_PREFIX %+ _BCM_sha1_update\n%xdefine BCM_sha224_final BORINGSSL_PREFIX %+ _BCM_sha224_final\n%xdefine BCM_sha224_init BORINGSSL_PREFIX %+ _BCM_sha224_init\n%xdefine BCM_sha224_update BORINGSSL_PREFIX %+ _BCM_sha224_update\n%xdefine BCM_sha256_final BORINGSSL_PREFIX %+ _BCM_sha256_final\n%xdefine BCM_sha256_init BORINGSSL_PREFIX %+ _BCM_sha256_init\n%xdefine BCM_sha256_transform BORINGSSL_PREFIX %+ _BCM_sha256_transform\n%xdefine BCM_sha256_transform_blocks BORINGSSL_PREFIX %+ _BCM_sha256_transform_blocks\n%xdefine BCM_sha256_update BORINGSSL_PREFIX %+ _BCM_sha256_update\n%xdefine BCM_sha384_final BORINGSSL_PREFIX %+ _BCM_sha384_final\n%xdefine BCM_sha384_init BORINGSSL_PREFIX %+ _BCM_sha384_init\n%xdefine BCM_sha384_update BORINGSSL_PREFIX %+ _BCM_sha384_update\n%xdefine BCM_sha512_256_final BORINGSSL_PREFIX %+ _BCM_sha512_256_final\n%xdefine BCM_sha512_256_init BORINGSSL_PREFIX %+ _BCM_sha512_256_init\n%xdefine BCM_sha512_256_update BORINGSSL_PREFIX %+ _BCM_sha512_256_update\n%xdefine BCM_sha512_final BORINGSSL_PREFIX %+ _BCM_sha512_final\n%xdefine BCM_sha512_init BORINGSSL_PREFIX %+ _BCM_sha512_init\n%xdefine BCM_sha512_transform BORINGSSL_PREFIX %+ _BCM_sha512_transform\n%xdefine BCM_sha512_update BORINGSSL_PREFIX %+ _BCM_sha512_update\n%xdefine BCM_slhdsa_sha2_128s_generate_key BORINGSSL_PREFIX %+ _BCM_slhdsa_sha2_128s_generate_key\n%xdefine BCM_slhdsa_sha2_128s_generate_key_from_seed BORINGSSL_PREFIX %+ _BCM_slhdsa_sha2_128s_generate_key_from_seed\n%xdefine BCM_slhdsa_sha2_128s_prehash_sign BORINGSSL_PREFIX %+ _BCM_slhdsa_sha2_128s_prehash_sign\n%xdefine BCM_slhdsa_sha2_128s_prehash_verify BORINGSSL_PREFIX %+ _BCM_slhdsa_sha2_128s_prehash_verify\n%xdefine BCM_slhdsa_sha2_128s_public_from_private BORINGSSL_PREFIX %+ _BCM_slhdsa_sha2_128s_public_from_private\n%xdefine BCM_slhdsa_sha2_128s_sign BORINGSSL_PREFIX %+ _BCM_slhdsa_sha2_128s_sign\n%xdefine BCM_slhdsa_sha2_128s_sign_internal BORINGSSL_PREFIX %+ _BCM_slhdsa_sha2_128s_sign_internal\n%xdefine BCM_slhdsa_sha2_128s_verify BORINGSSL_PREFIX %+ _BCM_slhdsa_sha2_128s_verify\n%xdefine BCM_slhdsa_sha2_128s_verify_internal BORINGSSL_PREFIX %+ _BCM_slhdsa_sha2_128s_verify_internal\n%xdefine BIO_append_filename BORINGSSL_PREFIX %+ _BIO_append_filename\n%xdefine BIO_callback_ctrl BORINGSSL_PREFIX %+ _BIO_callback_ctrl\n%xdefine BIO_clear_flags BORINGSSL_PREFIX %+ _BIO_clear_flags\n%xdefine BIO_clear_retry_flags BORINGSSL_PREFIX %+ _BIO_clear_retry_flags\n%xdefine BIO_copy_next_retry BORINGSSL_PREFIX %+ _BIO_copy_next_retry\n%xdefine BIO_ctrl BORINGSSL_PREFIX %+ _BIO_ctrl\n%xdefine BIO_ctrl_get_read_request BORINGSSL_PREFIX %+ _BIO_ctrl_get_read_request\n%xdefine BIO_ctrl_get_write_guarantee BORINGSSL_PREFIX %+ _BIO_ctrl_get_write_guarantee\n%xdefine BIO_ctrl_pending BORINGSSL_PREFIX %+ _BIO_ctrl_pending\n%xdefine BIO_do_connect BORINGSSL_PREFIX %+ _BIO_do_connect\n%xdefine BIO_eof BORINGSSL_PREFIX %+ _BIO_eof\n%xdefine BIO_f_ssl BORINGSSL_PREFIX %+ _BIO_f_ssl\n%xdefine BIO_find_type BORINGSSL_PREFIX %+ _BIO_find_type\n%xdefine BIO_flush BORINGSSL_PREFIX %+ _BIO_flush\n%xdefine BIO_free BORINGSSL_PREFIX %+ _BIO_free\n%xdefine BIO_free_all BORINGSSL_PREFIX %+ _BIO_free_all\n%xdefine BIO_get_data BORINGSSL_PREFIX %+ _BIO_get_data\n%xdefine BIO_get_ex_data BORINGSSL_PREFIX %+ _BIO_get_ex_data\n%xdefine BIO_get_ex_new_index BORINGSSL_PREFIX %+ _BIO_get_ex_new_index\n%xdefine BIO_get_fd BORINGSSL_PREFIX %+ _BIO_get_fd\n%xdefine BIO_get_fp BORINGSSL_PREFIX %+ _BIO_get_fp\n%xdefine BIO_get_init BORINGSSL_PREFIX %+ _BIO_get_init\n%xdefine BIO_get_mem_data BORINGSSL_PREFIX %+ _BIO_get_mem_data\n%xdefine BIO_get_mem_ptr BORINGSSL_PREFIX %+ _BIO_get_mem_ptr\n%xdefine BIO_get_new_index BORINGSSL_PREFIX %+ _BIO_get_new_index\n%xdefine BIO_get_retry_flags BORINGSSL_PREFIX %+ _BIO_get_retry_flags\n%xdefine BIO_get_retry_reason BORINGSSL_PREFIX %+ _BIO_get_retry_reason\n%xdefine BIO_get_shutdown BORINGSSL_PREFIX %+ _BIO_get_shutdown\n%xdefine BIO_gets BORINGSSL_PREFIX %+ _BIO_gets\n%xdefine BIO_hexdump BORINGSSL_PREFIX %+ _BIO_hexdump\n%xdefine BIO_indent BORINGSSL_PREFIX %+ _BIO_indent\n%xdefine BIO_int_ctrl BORINGSSL_PREFIX %+ _BIO_int_ctrl\n%xdefine BIO_mem_contents BORINGSSL_PREFIX %+ _BIO_mem_contents\n%xdefine BIO_meth_free BORINGSSL_PREFIX %+ _BIO_meth_free\n%xdefine BIO_meth_new BORINGSSL_PREFIX %+ _BIO_meth_new\n%xdefine BIO_meth_set_create BORINGSSL_PREFIX %+ _BIO_meth_set_create\n%xdefine BIO_meth_set_ctrl BORINGSSL_PREFIX %+ _BIO_meth_set_ctrl\n%xdefine BIO_meth_set_destroy BORINGSSL_PREFIX %+ _BIO_meth_set_destroy\n%xdefine BIO_meth_set_gets BORINGSSL_PREFIX %+ _BIO_meth_set_gets\n%xdefine BIO_meth_set_puts BORINGSSL_PREFIX %+ _BIO_meth_set_puts\n%xdefine BIO_meth_set_read BORINGSSL_PREFIX %+ _BIO_meth_set_read\n%xdefine BIO_meth_set_write BORINGSSL_PREFIX %+ _BIO_meth_set_write\n%xdefine BIO_method_type BORINGSSL_PREFIX %+ _BIO_method_type\n%xdefine BIO_new BORINGSSL_PREFIX %+ _BIO_new\n%xdefine BIO_new_bio_pair BORINGSSL_PREFIX %+ _BIO_new_bio_pair\n%xdefine BIO_new_connect BORINGSSL_PREFIX %+ _BIO_new_connect\n%xdefine BIO_new_fd BORINGSSL_PREFIX %+ _BIO_new_fd\n%xdefine BIO_new_file BORINGSSL_PREFIX %+ _BIO_new_file\n%xdefine BIO_new_fp BORINGSSL_PREFIX %+ _BIO_new_fp\n%xdefine BIO_new_mem_buf BORINGSSL_PREFIX %+ _BIO_new_mem_buf\n%xdefine BIO_new_socket BORINGSSL_PREFIX %+ _BIO_new_socket\n%xdefine BIO_next BORINGSSL_PREFIX %+ _BIO_next\n%xdefine BIO_number_read BORINGSSL_PREFIX %+ _BIO_number_read\n%xdefine BIO_number_written BORINGSSL_PREFIX %+ _BIO_number_written\n%xdefine BIO_pending BORINGSSL_PREFIX %+ _BIO_pending\n%xdefine BIO_pop BORINGSSL_PREFIX %+ _BIO_pop\n%xdefine BIO_printf BORINGSSL_PREFIX %+ _BIO_printf\n%xdefine BIO_ptr_ctrl BORINGSSL_PREFIX %+ _BIO_ptr_ctrl\n%xdefine BIO_push BORINGSSL_PREFIX %+ _BIO_push\n%xdefine BIO_puts BORINGSSL_PREFIX %+ _BIO_puts\n%xdefine BIO_read BORINGSSL_PREFIX %+ _BIO_read\n%xdefine BIO_read_asn1 BORINGSSL_PREFIX %+ _BIO_read_asn1\n%xdefine BIO_read_filename BORINGSSL_PREFIX %+ _BIO_read_filename\n%xdefine BIO_reset BORINGSSL_PREFIX %+ _BIO_reset\n%xdefine BIO_rw_filename BORINGSSL_PREFIX %+ _BIO_rw_filename\n%xdefine BIO_s_connect BORINGSSL_PREFIX %+ _BIO_s_connect\n%xdefine BIO_s_fd BORINGSSL_PREFIX %+ _BIO_s_fd\n%xdefine BIO_s_file BORINGSSL_PREFIX %+ _BIO_s_file\n%xdefine BIO_s_mem BORINGSSL_PREFIX %+ _BIO_s_mem\n%xdefine BIO_s_socket BORINGSSL_PREFIX %+ _BIO_s_socket\n%xdefine BIO_seek BORINGSSL_PREFIX %+ _BIO_seek\n%xdefine BIO_set_close BORINGSSL_PREFIX %+ _BIO_set_close\n%xdefine BIO_set_conn_hostname BORINGSSL_PREFIX %+ _BIO_set_conn_hostname\n%xdefine BIO_set_conn_int_port BORINGSSL_PREFIX %+ _BIO_set_conn_int_port\n%xdefine BIO_set_conn_port BORINGSSL_PREFIX %+ _BIO_set_conn_port\n%xdefine BIO_set_data BORINGSSL_PREFIX %+ _BIO_set_data\n%xdefine BIO_set_ex_data BORINGSSL_PREFIX %+ _BIO_set_ex_data\n%xdefine BIO_set_fd BORINGSSL_PREFIX %+ _BIO_set_fd\n%xdefine BIO_set_flags BORINGSSL_PREFIX %+ _BIO_set_flags\n%xdefine BIO_set_fp BORINGSSL_PREFIX %+ _BIO_set_fp\n%xdefine BIO_set_init BORINGSSL_PREFIX %+ _BIO_set_init\n%xdefine BIO_set_mem_buf BORINGSSL_PREFIX %+ _BIO_set_mem_buf\n%xdefine BIO_set_mem_eof_return BORINGSSL_PREFIX %+ _BIO_set_mem_eof_return\n%xdefine BIO_set_nbio BORINGSSL_PREFIX %+ _BIO_set_nbio\n%xdefine BIO_set_retry_read BORINGSSL_PREFIX %+ _BIO_set_retry_read\n%xdefine BIO_set_retry_reason BORINGSSL_PREFIX %+ _BIO_set_retry_reason\n%xdefine BIO_set_retry_special BORINGSSL_PREFIX %+ _BIO_set_retry_special\n%xdefine BIO_set_retry_write BORINGSSL_PREFIX %+ _BIO_set_retry_write\n%xdefine BIO_set_shutdown BORINGSSL_PREFIX %+ _BIO_set_shutdown\n%xdefine BIO_set_ssl BORINGSSL_PREFIX %+ _BIO_set_ssl\n%xdefine BIO_set_write_buffer_size BORINGSSL_PREFIX %+ _BIO_set_write_buffer_size\n%xdefine BIO_should_io_special BORINGSSL_PREFIX %+ _BIO_should_io_special\n%xdefine BIO_should_read BORINGSSL_PREFIX %+ _BIO_should_read\n%xdefine BIO_should_retry BORINGSSL_PREFIX %+ _BIO_should_retry\n%xdefine BIO_should_write BORINGSSL_PREFIX %+ _BIO_should_write\n%xdefine BIO_shutdown_wr BORINGSSL_PREFIX %+ _BIO_shutdown_wr\n%xdefine BIO_snprintf BORINGSSL_PREFIX %+ _BIO_snprintf\n%xdefine BIO_tell BORINGSSL_PREFIX %+ _BIO_tell\n%xdefine BIO_test_flags BORINGSSL_PREFIX %+ _BIO_test_flags\n%xdefine BIO_up_ref BORINGSSL_PREFIX %+ _BIO_up_ref\n%xdefine BIO_vfree BORINGSSL_PREFIX %+ _BIO_vfree\n%xdefine BIO_vsnprintf BORINGSSL_PREFIX %+ _BIO_vsnprintf\n%xdefine BIO_wpending BORINGSSL_PREFIX %+ _BIO_wpending\n%xdefine BIO_write BORINGSSL_PREFIX %+ _BIO_write\n%xdefine BIO_write_all BORINGSSL_PREFIX %+ _BIO_write_all\n%xdefine BIO_write_filename BORINGSSL_PREFIX %+ _BIO_write_filename\n%xdefine BLAKE2B256 BORINGSSL_PREFIX %+ _BLAKE2B256\n%xdefine BLAKE2B256_Final BORINGSSL_PREFIX %+ _BLAKE2B256_Final\n%xdefine BLAKE2B256_Init BORINGSSL_PREFIX %+ _BLAKE2B256_Init\n%xdefine BLAKE2B256_Update BORINGSSL_PREFIX %+ _BLAKE2B256_Update\n%xdefine BN_BLINDING_convert BORINGSSL_PREFIX %+ _BN_BLINDING_convert\n%xdefine BN_BLINDING_free BORINGSSL_PREFIX %+ _BN_BLINDING_free\n%xdefine BN_BLINDING_invalidate BORINGSSL_PREFIX %+ _BN_BLINDING_invalidate\n%xdefine BN_BLINDING_invert BORINGSSL_PREFIX %+ _BN_BLINDING_invert\n%xdefine BN_BLINDING_new BORINGSSL_PREFIX %+ _BN_BLINDING_new\n%xdefine BN_CTX_end BORINGSSL_PREFIX %+ _BN_CTX_end\n%xdefine BN_CTX_free BORINGSSL_PREFIX %+ _BN_CTX_free\n%xdefine BN_CTX_get BORINGSSL_PREFIX %+ _BN_CTX_get\n%xdefine BN_CTX_new BORINGSSL_PREFIX %+ _BN_CTX_new\n%xdefine BN_CTX_start BORINGSSL_PREFIX %+ _BN_CTX_start\n%xdefine BN_GENCB_call BORINGSSL_PREFIX %+ _BN_GENCB_call\n%xdefine BN_GENCB_free BORINGSSL_PREFIX %+ _BN_GENCB_free\n%xdefine BN_GENCB_get_arg BORINGSSL_PREFIX %+ _BN_GENCB_get_arg\n%xdefine BN_GENCB_new BORINGSSL_PREFIX %+ _BN_GENCB_new\n%xdefine BN_GENCB_set BORINGSSL_PREFIX %+ _BN_GENCB_set\n%xdefine BN_MONT_CTX_copy BORINGSSL_PREFIX %+ _BN_MONT_CTX_copy\n%xdefine BN_MONT_CTX_free BORINGSSL_PREFIX %+ _BN_MONT_CTX_free\n%xdefine BN_MONT_CTX_new BORINGSSL_PREFIX %+ _BN_MONT_CTX_new\n%xdefine BN_MONT_CTX_new_consttime BORINGSSL_PREFIX %+ _BN_MONT_CTX_new_consttime\n%xdefine BN_MONT_CTX_new_for_modulus BORINGSSL_PREFIX %+ _BN_MONT_CTX_new_for_modulus\n%xdefine BN_MONT_CTX_set BORINGSSL_PREFIX %+ _BN_MONT_CTX_set\n%xdefine BN_MONT_CTX_set_locked BORINGSSL_PREFIX %+ _BN_MONT_CTX_set_locked\n%xdefine BN_abs_is_word BORINGSSL_PREFIX %+ _BN_abs_is_word\n%xdefine BN_add BORINGSSL_PREFIX %+ _BN_add\n%xdefine BN_add_word BORINGSSL_PREFIX %+ _BN_add_word\n%xdefine BN_asc2bn BORINGSSL_PREFIX %+ _BN_asc2bn\n%xdefine BN_bin2bn BORINGSSL_PREFIX %+ _BN_bin2bn\n%xdefine BN_bn2bin BORINGSSL_PREFIX %+ _BN_bn2bin\n%xdefine BN_bn2bin_padded BORINGSSL_PREFIX %+ _BN_bn2bin_padded\n%xdefine BN_bn2binpad BORINGSSL_PREFIX %+ _BN_bn2binpad\n%xdefine BN_bn2cbb_padded BORINGSSL_PREFIX %+ _BN_bn2cbb_padded\n%xdefine BN_bn2dec BORINGSSL_PREFIX %+ _BN_bn2dec\n%xdefine BN_bn2hex BORINGSSL_PREFIX %+ _BN_bn2hex\n%xdefine BN_bn2le_padded BORINGSSL_PREFIX %+ _BN_bn2le_padded\n%xdefine BN_bn2lebinpad BORINGSSL_PREFIX %+ _BN_bn2lebinpad\n%xdefine BN_bn2mpi BORINGSSL_PREFIX %+ _BN_bn2mpi\n%xdefine BN_clear BORINGSSL_PREFIX %+ _BN_clear\n%xdefine BN_clear_bit BORINGSSL_PREFIX %+ _BN_clear_bit\n%xdefine BN_clear_free BORINGSSL_PREFIX %+ _BN_clear_free\n%xdefine BN_cmp BORINGSSL_PREFIX %+ _BN_cmp\n%xdefine BN_cmp_word BORINGSSL_PREFIX %+ _BN_cmp_word\n%xdefine BN_copy BORINGSSL_PREFIX %+ _BN_copy\n%xdefine BN_count_low_zero_bits BORINGSSL_PREFIX %+ _BN_count_low_zero_bits\n%xdefine BN_dec2bn BORINGSSL_PREFIX %+ _BN_dec2bn\n%xdefine BN_div BORINGSSL_PREFIX %+ _BN_div\n%xdefine BN_div_word BORINGSSL_PREFIX %+ _BN_div_word\n%xdefine BN_dup BORINGSSL_PREFIX %+ _BN_dup\n%xdefine BN_enhanced_miller_rabin_primality_test BORINGSSL_PREFIX %+ _BN_enhanced_miller_rabin_primality_test\n%xdefine BN_equal_consttime BORINGSSL_PREFIX %+ _BN_equal_consttime\n%xdefine BN_exp BORINGSSL_PREFIX %+ _BN_exp\n%xdefine BN_free BORINGSSL_PREFIX %+ _BN_free\n%xdefine BN_from_montgomery BORINGSSL_PREFIX %+ _BN_from_montgomery\n%xdefine BN_gcd BORINGSSL_PREFIX %+ _BN_gcd\n%xdefine BN_generate_prime_ex BORINGSSL_PREFIX %+ _BN_generate_prime_ex\n%xdefine BN_get_rfc3526_prime_1536 BORINGSSL_PREFIX %+ _BN_get_rfc3526_prime_1536\n%xdefine BN_get_rfc3526_prime_2048 BORINGSSL_PREFIX %+ _BN_get_rfc3526_prime_2048\n%xdefine BN_get_rfc3526_prime_3072 BORINGSSL_PREFIX %+ _BN_get_rfc3526_prime_3072\n%xdefine BN_get_rfc3526_prime_4096 BORINGSSL_PREFIX %+ _BN_get_rfc3526_prime_4096\n%xdefine BN_get_rfc3526_prime_6144 BORINGSSL_PREFIX %+ _BN_get_rfc3526_prime_6144\n%xdefine BN_get_rfc3526_prime_8192 BORINGSSL_PREFIX %+ _BN_get_rfc3526_prime_8192\n%xdefine BN_get_u64 BORINGSSL_PREFIX %+ _BN_get_u64\n%xdefine BN_get_word BORINGSSL_PREFIX %+ _BN_get_word\n%xdefine BN_hex2bn BORINGSSL_PREFIX %+ _BN_hex2bn\n%xdefine BN_init BORINGSSL_PREFIX %+ _BN_init\n%xdefine BN_is_bit_set BORINGSSL_PREFIX %+ _BN_is_bit_set\n%xdefine BN_is_negative BORINGSSL_PREFIX %+ _BN_is_negative\n%xdefine BN_is_odd BORINGSSL_PREFIX %+ _BN_is_odd\n%xdefine BN_is_one BORINGSSL_PREFIX %+ _BN_is_one\n%xdefine BN_is_pow2 BORINGSSL_PREFIX %+ _BN_is_pow2\n%xdefine BN_is_prime_ex BORINGSSL_PREFIX %+ _BN_is_prime_ex\n%xdefine BN_is_prime_fasttest_ex BORINGSSL_PREFIX %+ _BN_is_prime_fasttest_ex\n%xdefine BN_is_word BORINGSSL_PREFIX %+ _BN_is_word\n%xdefine BN_is_zero BORINGSSL_PREFIX %+ _BN_is_zero\n%xdefine BN_le2bn BORINGSSL_PREFIX %+ _BN_le2bn\n%xdefine BN_lebin2bn BORINGSSL_PREFIX %+ _BN_lebin2bn\n%xdefine BN_lshift BORINGSSL_PREFIX %+ _BN_lshift\n%xdefine BN_lshift1 BORINGSSL_PREFIX %+ _BN_lshift1\n%xdefine BN_marshal_asn1 BORINGSSL_PREFIX %+ _BN_marshal_asn1\n%xdefine BN_mask_bits BORINGSSL_PREFIX %+ _BN_mask_bits\n%xdefine BN_mod_add BORINGSSL_PREFIX %+ _BN_mod_add\n%xdefine BN_mod_add_quick BORINGSSL_PREFIX %+ _BN_mod_add_quick\n%xdefine BN_mod_exp BORINGSSL_PREFIX %+ _BN_mod_exp\n%xdefine BN_mod_exp2_mont BORINGSSL_PREFIX %+ _BN_mod_exp2_mont\n%xdefine BN_mod_exp_mont BORINGSSL_PREFIX %+ _BN_mod_exp_mont\n%xdefine BN_mod_exp_mont_consttime BORINGSSL_PREFIX %+ _BN_mod_exp_mont_consttime\n%xdefine BN_mod_exp_mont_word BORINGSSL_PREFIX %+ _BN_mod_exp_mont_word\n%xdefine BN_mod_inverse BORINGSSL_PREFIX %+ _BN_mod_inverse\n%xdefine BN_mod_inverse_blinded BORINGSSL_PREFIX %+ _BN_mod_inverse_blinded\n%xdefine BN_mod_inverse_odd BORINGSSL_PREFIX %+ _BN_mod_inverse_odd\n%xdefine BN_mod_lshift BORINGSSL_PREFIX %+ _BN_mod_lshift\n%xdefine BN_mod_lshift1 BORINGSSL_PREFIX %+ _BN_mod_lshift1\n%xdefine BN_mod_lshift1_quick BORINGSSL_PREFIX %+ _BN_mod_lshift1_quick\n%xdefine BN_mod_lshift_quick BORINGSSL_PREFIX %+ _BN_mod_lshift_quick\n%xdefine BN_mod_mul BORINGSSL_PREFIX %+ _BN_mod_mul\n%xdefine BN_mod_mul_montgomery BORINGSSL_PREFIX %+ _BN_mod_mul_montgomery\n%xdefine BN_mod_pow2 BORINGSSL_PREFIX %+ _BN_mod_pow2\n%xdefine BN_mod_sqr BORINGSSL_PREFIX %+ _BN_mod_sqr\n%xdefine BN_mod_sqrt BORINGSSL_PREFIX %+ _BN_mod_sqrt\n%xdefine BN_mod_sub BORINGSSL_PREFIX %+ _BN_mod_sub\n%xdefine BN_mod_sub_quick BORINGSSL_PREFIX %+ _BN_mod_sub_quick\n%xdefine BN_mod_word BORINGSSL_PREFIX %+ _BN_mod_word\n%xdefine BN_mpi2bn BORINGSSL_PREFIX %+ _BN_mpi2bn\n%xdefine BN_mul BORINGSSL_PREFIX %+ _BN_mul\n%xdefine BN_mul_word BORINGSSL_PREFIX %+ _BN_mul_word\n%xdefine BN_new BORINGSSL_PREFIX %+ _BN_new\n%xdefine BN_nnmod BORINGSSL_PREFIX %+ _BN_nnmod\n%xdefine BN_nnmod_pow2 BORINGSSL_PREFIX %+ _BN_nnmod_pow2\n%xdefine BN_num_bits BORINGSSL_PREFIX %+ _BN_num_bits\n%xdefine BN_num_bits_word BORINGSSL_PREFIX %+ _BN_num_bits_word\n%xdefine BN_num_bytes BORINGSSL_PREFIX %+ _BN_num_bytes\n%xdefine BN_one BORINGSSL_PREFIX %+ _BN_one\n%xdefine BN_parse_asn1_unsigned BORINGSSL_PREFIX %+ _BN_parse_asn1_unsigned\n%xdefine BN_primality_test BORINGSSL_PREFIX %+ _BN_primality_test\n%xdefine BN_print BORINGSSL_PREFIX %+ _BN_print\n%xdefine BN_print_fp BORINGSSL_PREFIX %+ _BN_print_fp\n%xdefine BN_pseudo_rand BORINGSSL_PREFIX %+ _BN_pseudo_rand\n%xdefine BN_pseudo_rand_range BORINGSSL_PREFIX %+ _BN_pseudo_rand_range\n%xdefine BN_rand BORINGSSL_PREFIX %+ _BN_rand\n%xdefine BN_rand_range BORINGSSL_PREFIX %+ _BN_rand_range\n%xdefine BN_rand_range_ex BORINGSSL_PREFIX %+ _BN_rand_range_ex\n%xdefine BN_rshift BORINGSSL_PREFIX %+ _BN_rshift\n%xdefine BN_rshift1 BORINGSSL_PREFIX %+ _BN_rshift1\n%xdefine BN_secure_new BORINGSSL_PREFIX %+ _BN_secure_new\n%xdefine BN_set_bit BORINGSSL_PREFIX %+ _BN_set_bit\n%xdefine BN_set_negative BORINGSSL_PREFIX %+ _BN_set_negative\n%xdefine BN_set_u64 BORINGSSL_PREFIX %+ _BN_set_u64\n%xdefine BN_set_word BORINGSSL_PREFIX %+ _BN_set_word\n%xdefine BN_sqr BORINGSSL_PREFIX %+ _BN_sqr\n%xdefine BN_sqrt BORINGSSL_PREFIX %+ _BN_sqrt\n%xdefine BN_sub BORINGSSL_PREFIX %+ _BN_sub\n%xdefine BN_sub_word BORINGSSL_PREFIX %+ _BN_sub_word\n%xdefine BN_to_ASN1_ENUMERATED BORINGSSL_PREFIX %+ _BN_to_ASN1_ENUMERATED\n%xdefine BN_to_ASN1_INTEGER BORINGSSL_PREFIX %+ _BN_to_ASN1_INTEGER\n%xdefine BN_to_montgomery BORINGSSL_PREFIX %+ _BN_to_montgomery\n%xdefine BN_uadd BORINGSSL_PREFIX %+ _BN_uadd\n%xdefine BN_ucmp BORINGSSL_PREFIX %+ _BN_ucmp\n%xdefine BN_usub BORINGSSL_PREFIX %+ _BN_usub\n%xdefine BN_value_one BORINGSSL_PREFIX %+ _BN_value_one\n%xdefine BN_zero BORINGSSL_PREFIX %+ _BN_zero\n%xdefine BORINGSSL_keccak BORINGSSL_PREFIX %+ _BORINGSSL_keccak\n%xdefine BORINGSSL_keccak_absorb BORINGSSL_PREFIX %+ _BORINGSSL_keccak_absorb\n%xdefine BORINGSSL_keccak_init BORINGSSL_PREFIX %+ _BORINGSSL_keccak_init\n%xdefine BORINGSSL_keccak_squeeze BORINGSSL_PREFIX %+ _BORINGSSL_keccak_squeeze\n%xdefine BORINGSSL_self_test BORINGSSL_PREFIX %+ _BORINGSSL_self_test\n%xdefine BUF_MEM_append BORINGSSL_PREFIX %+ _BUF_MEM_append\n%xdefine BUF_MEM_free BORINGSSL_PREFIX %+ _BUF_MEM_free\n%xdefine BUF_MEM_grow BORINGSSL_PREFIX %+ _BUF_MEM_grow\n%xdefine BUF_MEM_grow_clean BORINGSSL_PREFIX %+ _BUF_MEM_grow_clean\n%xdefine BUF_MEM_new BORINGSSL_PREFIX %+ _BUF_MEM_new\n%xdefine BUF_MEM_reserve BORINGSSL_PREFIX %+ _BUF_MEM_reserve\n%xdefine BUF_memdup BORINGSSL_PREFIX %+ _BUF_memdup\n%xdefine BUF_strdup BORINGSSL_PREFIX %+ _BUF_strdup\n%xdefine BUF_strlcat BORINGSSL_PREFIX %+ _BUF_strlcat\n%xdefine BUF_strlcpy BORINGSSL_PREFIX %+ _BUF_strlcpy\n%xdefine BUF_strndup BORINGSSL_PREFIX %+ _BUF_strndup\n%xdefine BUF_strnlen BORINGSSL_PREFIX %+ _BUF_strnlen\n%xdefine CBB_add_asn1 BORINGSSL_PREFIX %+ _CBB_add_asn1\n%xdefine CBB_add_asn1_bool BORINGSSL_PREFIX %+ _CBB_add_asn1_bool\n%xdefine CBB_add_asn1_int64 BORINGSSL_PREFIX %+ _CBB_add_asn1_int64\n%xdefine CBB_add_asn1_int64_with_tag BORINGSSL_PREFIX %+ _CBB_add_asn1_int64_with_tag\n%xdefine CBB_add_asn1_octet_string BORINGSSL_PREFIX %+ _CBB_add_asn1_octet_string\n%xdefine CBB_add_asn1_oid_from_text BORINGSSL_PREFIX %+ _CBB_add_asn1_oid_from_text\n%xdefine CBB_add_asn1_uint64 BORINGSSL_PREFIX %+ _CBB_add_asn1_uint64\n%xdefine CBB_add_asn1_uint64_with_tag BORINGSSL_PREFIX %+ _CBB_add_asn1_uint64_with_tag\n%xdefine CBB_add_bytes BORINGSSL_PREFIX %+ _CBB_add_bytes\n%xdefine CBB_add_latin1 BORINGSSL_PREFIX %+ _CBB_add_latin1\n%xdefine CBB_add_space BORINGSSL_PREFIX %+ _CBB_add_space\n%xdefine CBB_add_u16 BORINGSSL_PREFIX %+ _CBB_add_u16\n%xdefine CBB_add_u16_length_prefixed BORINGSSL_PREFIX %+ _CBB_add_u16_length_prefixed\n%xdefine CBB_add_u16le BORINGSSL_PREFIX %+ _CBB_add_u16le\n%xdefine CBB_add_u24 BORINGSSL_PREFIX %+ _CBB_add_u24\n%xdefine CBB_add_u24_length_prefixed BORINGSSL_PREFIX %+ _CBB_add_u24_length_prefixed\n%xdefine CBB_add_u32 BORINGSSL_PREFIX %+ _CBB_add_u32\n%xdefine CBB_add_u32le BORINGSSL_PREFIX %+ _CBB_add_u32le\n%xdefine CBB_add_u64 BORINGSSL_PREFIX %+ _CBB_add_u64\n%xdefine CBB_add_u64le BORINGSSL_PREFIX %+ _CBB_add_u64le\n%xdefine CBB_add_u8 BORINGSSL_PREFIX %+ _CBB_add_u8\n%xdefine CBB_add_u8_length_prefixed BORINGSSL_PREFIX %+ _CBB_add_u8_length_prefixed\n%xdefine CBB_add_ucs2_be BORINGSSL_PREFIX %+ _CBB_add_ucs2_be\n%xdefine CBB_add_utf32_be BORINGSSL_PREFIX %+ _CBB_add_utf32_be\n%xdefine CBB_add_utf8 BORINGSSL_PREFIX %+ _CBB_add_utf8\n%xdefine CBB_add_zeros BORINGSSL_PREFIX %+ _CBB_add_zeros\n%xdefine CBB_cleanup BORINGSSL_PREFIX %+ _CBB_cleanup\n%xdefine CBB_data BORINGSSL_PREFIX %+ _CBB_data\n%xdefine CBB_did_write BORINGSSL_PREFIX %+ _CBB_did_write\n%xdefine CBB_discard_child BORINGSSL_PREFIX %+ _CBB_discard_child\n%xdefine CBB_finish BORINGSSL_PREFIX %+ _CBB_finish\n%xdefine CBB_finish_i2d BORINGSSL_PREFIX %+ _CBB_finish_i2d\n%xdefine CBB_flush BORINGSSL_PREFIX %+ _CBB_flush\n%xdefine CBB_flush_asn1_set_of BORINGSSL_PREFIX %+ _CBB_flush_asn1_set_of\n%xdefine CBB_get_utf8_len BORINGSSL_PREFIX %+ _CBB_get_utf8_len\n%xdefine CBB_init BORINGSSL_PREFIX %+ _CBB_init\n%xdefine CBB_init_fixed BORINGSSL_PREFIX %+ _CBB_init_fixed\n%xdefine CBB_len BORINGSSL_PREFIX %+ _CBB_len\n%xdefine CBB_reserve BORINGSSL_PREFIX %+ _CBB_reserve\n%xdefine CBB_zero BORINGSSL_PREFIX %+ _CBB_zero\n%xdefine CBS_asn1_ber_to_der BORINGSSL_PREFIX %+ _CBS_asn1_ber_to_der\n%xdefine CBS_asn1_bitstring_has_bit BORINGSSL_PREFIX %+ _CBS_asn1_bitstring_has_bit\n%xdefine CBS_asn1_oid_to_text BORINGSSL_PREFIX %+ _CBS_asn1_oid_to_text\n%xdefine CBS_contains_zero_byte BORINGSSL_PREFIX %+ _CBS_contains_zero_byte\n%xdefine CBS_copy_bytes BORINGSSL_PREFIX %+ _CBS_copy_bytes\n%xdefine CBS_data BORINGSSL_PREFIX %+ _CBS_data\n%xdefine CBS_get_any_asn1 BORINGSSL_PREFIX %+ _CBS_get_any_asn1\n%xdefine CBS_get_any_asn1_element BORINGSSL_PREFIX %+ _CBS_get_any_asn1_element\n%xdefine CBS_get_any_ber_asn1_element BORINGSSL_PREFIX %+ _CBS_get_any_ber_asn1_element\n%xdefine CBS_get_asn1 BORINGSSL_PREFIX %+ _CBS_get_asn1\n%xdefine CBS_get_asn1_bool BORINGSSL_PREFIX %+ _CBS_get_asn1_bool\n%xdefine CBS_get_asn1_element BORINGSSL_PREFIX %+ _CBS_get_asn1_element\n%xdefine CBS_get_asn1_implicit_string BORINGSSL_PREFIX %+ _CBS_get_asn1_implicit_string\n%xdefine CBS_get_asn1_int64 BORINGSSL_PREFIX %+ _CBS_get_asn1_int64\n%xdefine CBS_get_asn1_uint64 BORINGSSL_PREFIX %+ _CBS_get_asn1_uint64\n%xdefine CBS_get_bytes BORINGSSL_PREFIX %+ _CBS_get_bytes\n%xdefine CBS_get_last_u8 BORINGSSL_PREFIX %+ _CBS_get_last_u8\n%xdefine CBS_get_latin1 BORINGSSL_PREFIX %+ _CBS_get_latin1\n%xdefine CBS_get_optional_asn1 BORINGSSL_PREFIX %+ _CBS_get_optional_asn1\n%xdefine CBS_get_optional_asn1_bool BORINGSSL_PREFIX %+ _CBS_get_optional_asn1_bool\n%xdefine CBS_get_optional_asn1_octet_string BORINGSSL_PREFIX %+ _CBS_get_optional_asn1_octet_string\n%xdefine CBS_get_optional_asn1_uint64 BORINGSSL_PREFIX %+ _CBS_get_optional_asn1_uint64\n%xdefine CBS_get_u16 BORINGSSL_PREFIX %+ _CBS_get_u16\n%xdefine CBS_get_u16_length_prefixed BORINGSSL_PREFIX %+ _CBS_get_u16_length_prefixed\n%xdefine CBS_get_u16le BORINGSSL_PREFIX %+ _CBS_get_u16le\n%xdefine CBS_get_u24 BORINGSSL_PREFIX %+ _CBS_get_u24\n%xdefine CBS_get_u24_length_prefixed BORINGSSL_PREFIX %+ _CBS_get_u24_length_prefixed\n%xdefine CBS_get_u32 BORINGSSL_PREFIX %+ _CBS_get_u32\n%xdefine CBS_get_u32le BORINGSSL_PREFIX %+ _CBS_get_u32le\n%xdefine CBS_get_u64 BORINGSSL_PREFIX %+ _CBS_get_u64\n%xdefine CBS_get_u64_decimal BORINGSSL_PREFIX %+ _CBS_get_u64_decimal\n%xdefine CBS_get_u64le BORINGSSL_PREFIX %+ _CBS_get_u64le\n%xdefine CBS_get_u8 BORINGSSL_PREFIX %+ _CBS_get_u8\n%xdefine CBS_get_u8_length_prefixed BORINGSSL_PREFIX %+ _CBS_get_u8_length_prefixed\n%xdefine CBS_get_ucs2_be BORINGSSL_PREFIX %+ _CBS_get_ucs2_be\n%xdefine CBS_get_until_first BORINGSSL_PREFIX %+ _CBS_get_until_first\n%xdefine CBS_get_utf32_be BORINGSSL_PREFIX %+ _CBS_get_utf32_be\n%xdefine CBS_get_utf8 BORINGSSL_PREFIX %+ _CBS_get_utf8\n%xdefine CBS_init BORINGSSL_PREFIX %+ _CBS_init\n%xdefine CBS_is_unsigned_asn1_integer BORINGSSL_PREFIX %+ _CBS_is_unsigned_asn1_integer\n%xdefine CBS_is_valid_asn1_bitstring BORINGSSL_PREFIX %+ _CBS_is_valid_asn1_bitstring\n%xdefine CBS_is_valid_asn1_integer BORINGSSL_PREFIX %+ _CBS_is_valid_asn1_integer\n%xdefine CBS_is_valid_asn1_oid BORINGSSL_PREFIX %+ _CBS_is_valid_asn1_oid\n%xdefine CBS_len BORINGSSL_PREFIX %+ _CBS_len\n%xdefine CBS_mem_equal BORINGSSL_PREFIX %+ _CBS_mem_equal\n%xdefine CBS_parse_generalized_time BORINGSSL_PREFIX %+ _CBS_parse_generalized_time\n%xdefine CBS_parse_utc_time BORINGSSL_PREFIX %+ _CBS_parse_utc_time\n%xdefine CBS_peek_asn1_tag BORINGSSL_PREFIX %+ _CBS_peek_asn1_tag\n%xdefine CBS_skip BORINGSSL_PREFIX %+ _CBS_skip\n%xdefine CBS_stow BORINGSSL_PREFIX %+ _CBS_stow\n%xdefine CBS_strdup BORINGSSL_PREFIX %+ _CBS_strdup\n%xdefine CERTIFICATEPOLICIES_free BORINGSSL_PREFIX %+ _CERTIFICATEPOLICIES_free\n%xdefine CERTIFICATEPOLICIES_it BORINGSSL_PREFIX %+ _CERTIFICATEPOLICIES_it\n%xdefine CERTIFICATEPOLICIES_new BORINGSSL_PREFIX %+ _CERTIFICATEPOLICIES_new\n%xdefine CMAC_CTX_copy BORINGSSL_PREFIX %+ _CMAC_CTX_copy\n%xdefine CMAC_CTX_free BORINGSSL_PREFIX %+ _CMAC_CTX_free\n%xdefine CMAC_CTX_new BORINGSSL_PREFIX %+ _CMAC_CTX_new\n%xdefine CMAC_Final BORINGSSL_PREFIX %+ _CMAC_Final\n%xdefine CMAC_Init BORINGSSL_PREFIX %+ _CMAC_Init\n%xdefine CMAC_Reset BORINGSSL_PREFIX %+ _CMAC_Reset\n%xdefine CMAC_Update BORINGSSL_PREFIX %+ _CMAC_Update\n%xdefine CONF_VALUE_new BORINGSSL_PREFIX %+ _CONF_VALUE_new\n%xdefine CONF_modules_free BORINGSSL_PREFIX %+ _CONF_modules_free\n%xdefine CONF_modules_load_file BORINGSSL_PREFIX %+ _CONF_modules_load_file\n%xdefine CONF_parse_list BORINGSSL_PREFIX %+ _CONF_parse_list\n%xdefine CRL_DIST_POINTS_free BORINGSSL_PREFIX %+ _CRL_DIST_POINTS_free\n%xdefine CRL_DIST_POINTS_it BORINGSSL_PREFIX %+ _CRL_DIST_POINTS_it\n%xdefine CRL_DIST_POINTS_new BORINGSSL_PREFIX %+ _CRL_DIST_POINTS_new\n%xdefine CRYPTO_BUFFER_POOL_free BORINGSSL_PREFIX %+ _CRYPTO_BUFFER_POOL_free\n%xdefine CRYPTO_BUFFER_POOL_new BORINGSSL_PREFIX %+ _CRYPTO_BUFFER_POOL_new\n%xdefine CRYPTO_BUFFER_alloc BORINGSSL_PREFIX %+ _CRYPTO_BUFFER_alloc\n%xdefine CRYPTO_BUFFER_data BORINGSSL_PREFIX %+ _CRYPTO_BUFFER_data\n%xdefine CRYPTO_BUFFER_free BORINGSSL_PREFIX %+ _CRYPTO_BUFFER_free\n%xdefine CRYPTO_BUFFER_init_CBS BORINGSSL_PREFIX %+ _CRYPTO_BUFFER_init_CBS\n%xdefine CRYPTO_BUFFER_len BORINGSSL_PREFIX %+ _CRYPTO_BUFFER_len\n%xdefine CRYPTO_BUFFER_new BORINGSSL_PREFIX %+ _CRYPTO_BUFFER_new\n%xdefine CRYPTO_BUFFER_new_from_CBS BORINGSSL_PREFIX %+ _CRYPTO_BUFFER_new_from_CBS\n%xdefine CRYPTO_BUFFER_new_from_static_data_unsafe BORINGSSL_PREFIX %+ _CRYPTO_BUFFER_new_from_static_data_unsafe\n%xdefine CRYPTO_BUFFER_up_ref BORINGSSL_PREFIX %+ _CRYPTO_BUFFER_up_ref\n%xdefine CRYPTO_MUTEX_cleanup BORINGSSL_PREFIX %+ _CRYPTO_MUTEX_cleanup\n%xdefine CRYPTO_MUTEX_init BORINGSSL_PREFIX %+ _CRYPTO_MUTEX_init\n%xdefine CRYPTO_MUTEX_lock_read BORINGSSL_PREFIX %+ _CRYPTO_MUTEX_lock_read\n%xdefine CRYPTO_MUTEX_lock_write BORINGSSL_PREFIX %+ _CRYPTO_MUTEX_lock_write\n%xdefine CRYPTO_MUTEX_unlock_read BORINGSSL_PREFIX %+ _CRYPTO_MUTEX_unlock_read\n%xdefine CRYPTO_MUTEX_unlock_write BORINGSSL_PREFIX %+ _CRYPTO_MUTEX_unlock_write\n%xdefine CRYPTO_POLYVAL_finish BORINGSSL_PREFIX %+ _CRYPTO_POLYVAL_finish\n%xdefine CRYPTO_POLYVAL_init BORINGSSL_PREFIX %+ _CRYPTO_POLYVAL_init\n%xdefine CRYPTO_POLYVAL_update_blocks BORINGSSL_PREFIX %+ _CRYPTO_POLYVAL_update_blocks\n%xdefine CRYPTO_THREADID_current BORINGSSL_PREFIX %+ _CRYPTO_THREADID_current\n%xdefine CRYPTO_THREADID_set_callback BORINGSSL_PREFIX %+ _CRYPTO_THREADID_set_callback\n%xdefine CRYPTO_THREADID_set_numeric BORINGSSL_PREFIX %+ _CRYPTO_THREADID_set_numeric\n%xdefine CRYPTO_THREADID_set_pointer BORINGSSL_PREFIX %+ _CRYPTO_THREADID_set_pointer\n%xdefine CRYPTO_atomic_compare_exchange_weak_u32 BORINGSSL_PREFIX %+ _CRYPTO_atomic_compare_exchange_weak_u32\n%xdefine CRYPTO_atomic_load_u32 BORINGSSL_PREFIX %+ _CRYPTO_atomic_load_u32\n%xdefine CRYPTO_atomic_store_u32 BORINGSSL_PREFIX %+ _CRYPTO_atomic_store_u32\n%xdefine CRYPTO_cbc128_decrypt BORINGSSL_PREFIX %+ _CRYPTO_cbc128_decrypt\n%xdefine CRYPTO_cbc128_encrypt BORINGSSL_PREFIX %+ _CRYPTO_cbc128_encrypt\n%xdefine CRYPTO_cfb128_1_encrypt BORINGSSL_PREFIX %+ _CRYPTO_cfb128_1_encrypt\n%xdefine CRYPTO_cfb128_8_encrypt BORINGSSL_PREFIX %+ _CRYPTO_cfb128_8_encrypt\n%xdefine CRYPTO_cfb128_encrypt BORINGSSL_PREFIX %+ _CRYPTO_cfb128_encrypt\n%xdefine CRYPTO_chacha_20 BORINGSSL_PREFIX %+ _CRYPTO_chacha_20\n%xdefine CRYPTO_cleanup_all_ex_data BORINGSSL_PREFIX %+ _CRYPTO_cleanup_all_ex_data\n%xdefine CRYPTO_cpu_avoid_zmm_registers BORINGSSL_PREFIX %+ _CRYPTO_cpu_avoid_zmm_registers\n%xdefine CRYPTO_cpu_perf_is_like_silvermont BORINGSSL_PREFIX %+ _CRYPTO_cpu_perf_is_like_silvermont\n%xdefine CRYPTO_ctr128_encrypt_ctr32 BORINGSSL_PREFIX %+ _CRYPTO_ctr128_encrypt_ctr32\n%xdefine CRYPTO_fips_186_2_prf BORINGSSL_PREFIX %+ _CRYPTO_fips_186_2_prf\n%xdefine CRYPTO_fork_detect_force_madv_wipeonfork_for_testing BORINGSSL_PREFIX %+ _CRYPTO_fork_detect_force_madv_wipeonfork_for_testing\n%xdefine CRYPTO_free BORINGSSL_PREFIX %+ _CRYPTO_free\n%xdefine CRYPTO_free_ex_data BORINGSSL_PREFIX %+ _CRYPTO_free_ex_data\n%xdefine CRYPTO_gcm128_aad BORINGSSL_PREFIX %+ _CRYPTO_gcm128_aad\n%xdefine CRYPTO_gcm128_decrypt BORINGSSL_PREFIX %+ _CRYPTO_gcm128_decrypt\n%xdefine CRYPTO_gcm128_encrypt BORINGSSL_PREFIX %+ _CRYPTO_gcm128_encrypt\n%xdefine CRYPTO_gcm128_finish BORINGSSL_PREFIX %+ _CRYPTO_gcm128_finish\n%xdefine CRYPTO_gcm128_init_aes_key BORINGSSL_PREFIX %+ _CRYPTO_gcm128_init_aes_key\n%xdefine CRYPTO_gcm128_init_ctx BORINGSSL_PREFIX %+ _CRYPTO_gcm128_init_ctx\n%xdefine CRYPTO_gcm128_tag BORINGSSL_PREFIX %+ _CRYPTO_gcm128_tag\n%xdefine CRYPTO_get_dynlock_create_callback BORINGSSL_PREFIX %+ _CRYPTO_get_dynlock_create_callback\n%xdefine CRYPTO_get_dynlock_destroy_callback BORINGSSL_PREFIX %+ _CRYPTO_get_dynlock_destroy_callback\n%xdefine CRYPTO_get_dynlock_lock_callback BORINGSSL_PREFIX %+ _CRYPTO_get_dynlock_lock_callback\n%xdefine CRYPTO_get_ex_data BORINGSSL_PREFIX %+ _CRYPTO_get_ex_data\n%xdefine CRYPTO_get_ex_new_index_ex BORINGSSL_PREFIX %+ _CRYPTO_get_ex_new_index_ex\n%xdefine CRYPTO_get_fork_generation BORINGSSL_PREFIX %+ _CRYPTO_get_fork_generation\n%xdefine CRYPTO_get_lock_name BORINGSSL_PREFIX %+ _CRYPTO_get_lock_name\n%xdefine CRYPTO_get_locking_callback BORINGSSL_PREFIX %+ _CRYPTO_get_locking_callback\n%xdefine CRYPTO_get_stderr BORINGSSL_PREFIX %+ _CRYPTO_get_stderr\n%xdefine CRYPTO_get_thread_local BORINGSSL_PREFIX %+ _CRYPTO_get_thread_local\n%xdefine CRYPTO_ghash_init BORINGSSL_PREFIX %+ _CRYPTO_ghash_init\n%xdefine CRYPTO_has_asm BORINGSSL_PREFIX %+ _CRYPTO_has_asm\n%xdefine CRYPTO_hchacha20 BORINGSSL_PREFIX %+ _CRYPTO_hchacha20\n%xdefine CRYPTO_init_sysrand BORINGSSL_PREFIX %+ _CRYPTO_init_sysrand\n%xdefine CRYPTO_is_ADX_capable BORINGSSL_PREFIX %+ _CRYPTO_is_ADX_capable\n%xdefine CRYPTO_is_AESNI_capable BORINGSSL_PREFIX %+ _CRYPTO_is_AESNI_capable\n%xdefine CRYPTO_is_ARMv8_AES_capable BORINGSSL_PREFIX %+ _CRYPTO_is_ARMv8_AES_capable\n%xdefine CRYPTO_is_ARMv8_PMULL_capable BORINGSSL_PREFIX %+ _CRYPTO_is_ARMv8_PMULL_capable\n%xdefine CRYPTO_is_ARMv8_SHA1_capable BORINGSSL_PREFIX %+ _CRYPTO_is_ARMv8_SHA1_capable\n%xdefine CRYPTO_is_ARMv8_SHA256_capable BORINGSSL_PREFIX %+ _CRYPTO_is_ARMv8_SHA256_capable\n%xdefine CRYPTO_is_ARMv8_SHA512_capable BORINGSSL_PREFIX %+ _CRYPTO_is_ARMv8_SHA512_capable\n%xdefine CRYPTO_is_AVX2_capable BORINGSSL_PREFIX %+ _CRYPTO_is_AVX2_capable\n%xdefine CRYPTO_is_AVX512BW_capable BORINGSSL_PREFIX %+ _CRYPTO_is_AVX512BW_capable\n%xdefine CRYPTO_is_AVX512VL_capable BORINGSSL_PREFIX %+ _CRYPTO_is_AVX512VL_capable\n%xdefine CRYPTO_is_AVX_capable BORINGSSL_PREFIX %+ _CRYPTO_is_AVX_capable\n%xdefine CRYPTO_is_BMI1_capable BORINGSSL_PREFIX %+ _CRYPTO_is_BMI1_capable\n%xdefine CRYPTO_is_BMI2_capable BORINGSSL_PREFIX %+ _CRYPTO_is_BMI2_capable\n%xdefine CRYPTO_is_FXSR_capable BORINGSSL_PREFIX %+ _CRYPTO_is_FXSR_capable\n%xdefine CRYPTO_is_MOVBE_capable BORINGSSL_PREFIX %+ _CRYPTO_is_MOVBE_capable\n%xdefine CRYPTO_is_NEON_capable BORINGSSL_PREFIX %+ _CRYPTO_is_NEON_capable\n%xdefine CRYPTO_is_PCLMUL_capable BORINGSSL_PREFIX %+ _CRYPTO_is_PCLMUL_capable\n%xdefine CRYPTO_is_RDRAND_capable BORINGSSL_PREFIX %+ _CRYPTO_is_RDRAND_capable\n%xdefine CRYPTO_is_SSE4_1_capable BORINGSSL_PREFIX %+ _CRYPTO_is_SSE4_1_capable\n%xdefine CRYPTO_is_SSSE3_capable BORINGSSL_PREFIX %+ _CRYPTO_is_SSSE3_capable\n%xdefine CRYPTO_is_VAES_capable BORINGSSL_PREFIX %+ _CRYPTO_is_VAES_capable\n%xdefine CRYPTO_is_VPCLMULQDQ_capable BORINGSSL_PREFIX %+ _CRYPTO_is_VPCLMULQDQ_capable\n%xdefine CRYPTO_is_confidential_build BORINGSSL_PREFIX %+ _CRYPTO_is_confidential_build\n%xdefine CRYPTO_is_intel_cpu BORINGSSL_PREFIX %+ _CRYPTO_is_intel_cpu\n%xdefine CRYPTO_is_x86_SHA_capable BORINGSSL_PREFIX %+ _CRYPTO_is_x86_SHA_capable\n%xdefine CRYPTO_library_init BORINGSSL_PREFIX %+ _CRYPTO_library_init\n%xdefine CRYPTO_malloc BORINGSSL_PREFIX %+ _CRYPTO_malloc\n%xdefine CRYPTO_malloc_init BORINGSSL_PREFIX %+ _CRYPTO_malloc_init\n%xdefine CRYPTO_memcmp BORINGSSL_PREFIX %+ _CRYPTO_memcmp\n%xdefine CRYPTO_new_ex_data BORINGSSL_PREFIX %+ _CRYPTO_new_ex_data\n%xdefine CRYPTO_num_locks BORINGSSL_PREFIX %+ _CRYPTO_num_locks\n%xdefine CRYPTO_ofb128_encrypt BORINGSSL_PREFIX %+ _CRYPTO_ofb128_encrypt\n%xdefine CRYPTO_once BORINGSSL_PREFIX %+ _CRYPTO_once\n%xdefine CRYPTO_poly1305_finish BORINGSSL_PREFIX %+ _CRYPTO_poly1305_finish\n%xdefine CRYPTO_poly1305_init BORINGSSL_PREFIX %+ _CRYPTO_poly1305_init\n%xdefine CRYPTO_poly1305_update BORINGSSL_PREFIX %+ _CRYPTO_poly1305_update\n%xdefine CRYPTO_pre_sandbox_init BORINGSSL_PREFIX %+ _CRYPTO_pre_sandbox_init\n%xdefine CRYPTO_rdrand BORINGSSL_PREFIX %+ _CRYPTO_rdrand\n%xdefine CRYPTO_rdrand_multiple8_buf BORINGSSL_PREFIX %+ _CRYPTO_rdrand_multiple8_buf\n%xdefine CRYPTO_realloc BORINGSSL_PREFIX %+ _CRYPTO_realloc\n%xdefine CRYPTO_refcount_dec_and_test_zero BORINGSSL_PREFIX %+ _CRYPTO_refcount_dec_and_test_zero\n%xdefine CRYPTO_refcount_inc BORINGSSL_PREFIX %+ _CRYPTO_refcount_inc\n%xdefine CRYPTO_secure_malloc_init BORINGSSL_PREFIX %+ _CRYPTO_secure_malloc_init\n%xdefine CRYPTO_secure_malloc_initialized BORINGSSL_PREFIX %+ _CRYPTO_secure_malloc_initialized\n%xdefine CRYPTO_secure_used BORINGSSL_PREFIX %+ _CRYPTO_secure_used\n%xdefine CRYPTO_set_add_lock_callback BORINGSSL_PREFIX %+ _CRYPTO_set_add_lock_callback\n%xdefine CRYPTO_set_dynlock_create_callback BORINGSSL_PREFIX %+ _CRYPTO_set_dynlock_create_callback\n%xdefine CRYPTO_set_dynlock_destroy_callback BORINGSSL_PREFIX %+ _CRYPTO_set_dynlock_destroy_callback\n%xdefine CRYPTO_set_dynlock_lock_callback BORINGSSL_PREFIX %+ _CRYPTO_set_dynlock_lock_callback\n%xdefine CRYPTO_set_ex_data BORINGSSL_PREFIX %+ _CRYPTO_set_ex_data\n%xdefine CRYPTO_set_id_callback BORINGSSL_PREFIX %+ _CRYPTO_set_id_callback\n%xdefine CRYPTO_set_locking_callback BORINGSSL_PREFIX %+ _CRYPTO_set_locking_callback\n%xdefine CRYPTO_set_thread_local BORINGSSL_PREFIX %+ _CRYPTO_set_thread_local\n%xdefine CRYPTO_sysrand BORINGSSL_PREFIX %+ _CRYPTO_sysrand\n%xdefine CRYPTO_sysrand_for_seed BORINGSSL_PREFIX %+ _CRYPTO_sysrand_for_seed\n%xdefine CRYPTO_sysrand_if_available BORINGSSL_PREFIX %+ _CRYPTO_sysrand_if_available\n%xdefine CRYPTO_tls13_hkdf_expand_label BORINGSSL_PREFIX %+ _CRYPTO_tls13_hkdf_expand_label\n%xdefine CRYPTO_tls1_prf BORINGSSL_PREFIX %+ _CRYPTO_tls1_prf\n%xdefine CRYPTO_xor16 BORINGSSL_PREFIX %+ _CRYPTO_xor16\n%xdefine CTR_DRBG_clear BORINGSSL_PREFIX %+ _CTR_DRBG_clear\n%xdefine CTR_DRBG_free BORINGSSL_PREFIX %+ _CTR_DRBG_free\n%xdefine CTR_DRBG_generate BORINGSSL_PREFIX %+ _CTR_DRBG_generate\n%xdefine CTR_DRBG_init BORINGSSL_PREFIX %+ _CTR_DRBG_init\n%xdefine CTR_DRBG_new BORINGSSL_PREFIX %+ _CTR_DRBG_new\n%xdefine CTR_DRBG_reseed BORINGSSL_PREFIX %+ _CTR_DRBG_reseed\n%xdefine ChaCha20_ctr32_avx2 BORINGSSL_PREFIX %+ _ChaCha20_ctr32_avx2\n%xdefine ChaCha20_ctr32_avx2_capable BORINGSSL_PREFIX %+ _ChaCha20_ctr32_avx2_capable\n%xdefine ChaCha20_ctr32_neon BORINGSSL_PREFIX %+ _ChaCha20_ctr32_neon\n%xdefine ChaCha20_ctr32_neon_capable BORINGSSL_PREFIX %+ _ChaCha20_ctr32_neon_capable\n%xdefine ChaCha20_ctr32_nohw BORINGSSL_PREFIX %+ _ChaCha20_ctr32_nohw\n%xdefine ChaCha20_ctr32_ssse3 BORINGSSL_PREFIX %+ _ChaCha20_ctr32_ssse3\n%xdefine ChaCha20_ctr32_ssse3_4x BORINGSSL_PREFIX %+ _ChaCha20_ctr32_ssse3_4x\n%xdefine ChaCha20_ctr32_ssse3_4x_capable BORINGSSL_PREFIX %+ _ChaCha20_ctr32_ssse3_4x_capable\n%xdefine ChaCha20_ctr32_ssse3_capable BORINGSSL_PREFIX %+ _ChaCha20_ctr32_ssse3_capable\n%xdefine DES_decrypt3 BORINGSSL_PREFIX %+ _DES_decrypt3\n%xdefine DES_ecb3_encrypt BORINGSSL_PREFIX %+ _DES_ecb3_encrypt\n%xdefine DES_ecb3_encrypt_ex BORINGSSL_PREFIX %+ _DES_ecb3_encrypt_ex\n%xdefine DES_ecb_encrypt BORINGSSL_PREFIX %+ _DES_ecb_encrypt\n%xdefine DES_ecb_encrypt_ex BORINGSSL_PREFIX %+ _DES_ecb_encrypt_ex\n%xdefine DES_ede2_cbc_encrypt BORINGSSL_PREFIX %+ _DES_ede2_cbc_encrypt\n%xdefine DES_ede3_cbc_encrypt BORINGSSL_PREFIX %+ _DES_ede3_cbc_encrypt\n%xdefine DES_ede3_cbc_encrypt_ex BORINGSSL_PREFIX %+ _DES_ede3_cbc_encrypt_ex\n%xdefine DES_encrypt3 BORINGSSL_PREFIX %+ _DES_encrypt3\n%xdefine DES_ncbc_encrypt BORINGSSL_PREFIX %+ _DES_ncbc_encrypt\n%xdefine DES_ncbc_encrypt_ex BORINGSSL_PREFIX %+ _DES_ncbc_encrypt_ex\n%xdefine DES_set_key BORINGSSL_PREFIX %+ _DES_set_key\n%xdefine DES_set_key_ex BORINGSSL_PREFIX %+ _DES_set_key_ex\n%xdefine DES_set_key_unchecked BORINGSSL_PREFIX %+ _DES_set_key_unchecked\n%xdefine DES_set_odd_parity BORINGSSL_PREFIX %+ _DES_set_odd_parity\n%xdefine DH_bits BORINGSSL_PREFIX %+ _DH_bits\n%xdefine DH_check BORINGSSL_PREFIX %+ _DH_check\n%xdefine DH_check_pub_key BORINGSSL_PREFIX %+ _DH_check_pub_key\n%xdefine DH_compute_key BORINGSSL_PREFIX %+ _DH_compute_key\n%xdefine DH_compute_key_hashed BORINGSSL_PREFIX %+ _DH_compute_key_hashed\n%xdefine DH_compute_key_padded BORINGSSL_PREFIX %+ _DH_compute_key_padded\n%xdefine DH_free BORINGSSL_PREFIX %+ _DH_free\n%xdefine DH_generate_key BORINGSSL_PREFIX %+ _DH_generate_key\n%xdefine DH_generate_parameters_ex BORINGSSL_PREFIX %+ _DH_generate_parameters_ex\n%xdefine DH_get0_g BORINGSSL_PREFIX %+ _DH_get0_g\n%xdefine DH_get0_key BORINGSSL_PREFIX %+ _DH_get0_key\n%xdefine DH_get0_p BORINGSSL_PREFIX %+ _DH_get0_p\n%xdefine DH_get0_pqg BORINGSSL_PREFIX %+ _DH_get0_pqg\n%xdefine DH_get0_priv_key BORINGSSL_PREFIX %+ _DH_get0_priv_key\n%xdefine DH_get0_pub_key BORINGSSL_PREFIX %+ _DH_get0_pub_key\n%xdefine DH_get0_q BORINGSSL_PREFIX %+ _DH_get0_q\n%xdefine DH_get_rfc7919_2048 BORINGSSL_PREFIX %+ _DH_get_rfc7919_2048\n%xdefine DH_marshal_parameters BORINGSSL_PREFIX %+ _DH_marshal_parameters\n%xdefine DH_new BORINGSSL_PREFIX %+ _DH_new\n%xdefine DH_num_bits BORINGSSL_PREFIX %+ _DH_num_bits\n%xdefine DH_parse_parameters BORINGSSL_PREFIX %+ _DH_parse_parameters\n%xdefine DH_set0_key BORINGSSL_PREFIX %+ _DH_set0_key\n%xdefine DH_set0_pqg BORINGSSL_PREFIX %+ _DH_set0_pqg\n%xdefine DH_set_length BORINGSSL_PREFIX %+ _DH_set_length\n%xdefine DH_size BORINGSSL_PREFIX %+ _DH_size\n%xdefine DH_up_ref BORINGSSL_PREFIX %+ _DH_up_ref\n%xdefine DHparams_dup BORINGSSL_PREFIX %+ _DHparams_dup\n%xdefine DIRECTORYSTRING_free BORINGSSL_PREFIX %+ _DIRECTORYSTRING_free\n%xdefine DIRECTORYSTRING_it BORINGSSL_PREFIX %+ _DIRECTORYSTRING_it\n%xdefine DIRECTORYSTRING_new BORINGSSL_PREFIX %+ _DIRECTORYSTRING_new\n%xdefine DISPLAYTEXT_free BORINGSSL_PREFIX %+ _DISPLAYTEXT_free\n%xdefine DISPLAYTEXT_it BORINGSSL_PREFIX %+ _DISPLAYTEXT_it\n%xdefine DISPLAYTEXT_new BORINGSSL_PREFIX %+ _DISPLAYTEXT_new\n%xdefine DIST_POINT_NAME_free BORINGSSL_PREFIX %+ _DIST_POINT_NAME_free\n%xdefine DIST_POINT_NAME_new BORINGSSL_PREFIX %+ _DIST_POINT_NAME_new\n%xdefine DIST_POINT_free BORINGSSL_PREFIX %+ _DIST_POINT_free\n%xdefine DIST_POINT_new BORINGSSL_PREFIX %+ _DIST_POINT_new\n%xdefine DIST_POINT_set_dpname BORINGSSL_PREFIX %+ _DIST_POINT_set_dpname\n%xdefine DSA_SIG_free BORINGSSL_PREFIX %+ _DSA_SIG_free\n%xdefine DSA_SIG_get0 BORINGSSL_PREFIX %+ _DSA_SIG_get0\n%xdefine DSA_SIG_marshal BORINGSSL_PREFIX %+ _DSA_SIG_marshal\n%xdefine DSA_SIG_new BORINGSSL_PREFIX %+ _DSA_SIG_new\n%xdefine DSA_SIG_parse BORINGSSL_PREFIX %+ _DSA_SIG_parse\n%xdefine DSA_SIG_set0 BORINGSSL_PREFIX %+ _DSA_SIG_set0\n%xdefine DSA_bits BORINGSSL_PREFIX %+ _DSA_bits\n%xdefine DSA_check_signature BORINGSSL_PREFIX %+ _DSA_check_signature\n%xdefine DSA_do_check_signature BORINGSSL_PREFIX %+ _DSA_do_check_signature\n%xdefine DSA_do_sign BORINGSSL_PREFIX %+ _DSA_do_sign\n%xdefine DSA_do_verify BORINGSSL_PREFIX %+ _DSA_do_verify\n%xdefine DSA_dup_DH BORINGSSL_PREFIX %+ _DSA_dup_DH\n%xdefine DSA_free BORINGSSL_PREFIX %+ _DSA_free\n%xdefine DSA_generate_key BORINGSSL_PREFIX %+ _DSA_generate_key\n%xdefine DSA_generate_parameters_ex BORINGSSL_PREFIX %+ _DSA_generate_parameters_ex\n%xdefine DSA_get0_g BORINGSSL_PREFIX %+ _DSA_get0_g\n%xdefine DSA_get0_key BORINGSSL_PREFIX %+ _DSA_get0_key\n%xdefine DSA_get0_p BORINGSSL_PREFIX %+ _DSA_get0_p\n%xdefine DSA_get0_pqg BORINGSSL_PREFIX %+ _DSA_get0_pqg\n%xdefine DSA_get0_priv_key BORINGSSL_PREFIX %+ _DSA_get0_priv_key\n%xdefine DSA_get0_pub_key BORINGSSL_PREFIX %+ _DSA_get0_pub_key\n%xdefine DSA_get0_q BORINGSSL_PREFIX %+ _DSA_get0_q\n%xdefine DSA_get_ex_data BORINGSSL_PREFIX %+ _DSA_get_ex_data\n%xdefine DSA_get_ex_new_index BORINGSSL_PREFIX %+ _DSA_get_ex_new_index\n%xdefine DSA_marshal_parameters BORINGSSL_PREFIX %+ _DSA_marshal_parameters\n%xdefine DSA_marshal_private_key BORINGSSL_PREFIX %+ _DSA_marshal_private_key\n%xdefine DSA_marshal_public_key BORINGSSL_PREFIX %+ _DSA_marshal_public_key\n%xdefine DSA_new BORINGSSL_PREFIX %+ _DSA_new\n%xdefine DSA_parse_parameters BORINGSSL_PREFIX %+ _DSA_parse_parameters\n%xdefine DSA_parse_private_key BORINGSSL_PREFIX %+ _DSA_parse_private_key\n%xdefine DSA_parse_public_key BORINGSSL_PREFIX %+ _DSA_parse_public_key\n%xdefine DSA_set0_key BORINGSSL_PREFIX %+ _DSA_set0_key\n%xdefine DSA_set0_pqg BORINGSSL_PREFIX %+ _DSA_set0_pqg\n%xdefine DSA_set_ex_data BORINGSSL_PREFIX %+ _DSA_set_ex_data\n%xdefine DSA_sign BORINGSSL_PREFIX %+ _DSA_sign\n%xdefine DSA_size BORINGSSL_PREFIX %+ _DSA_size\n%xdefine DSA_up_ref BORINGSSL_PREFIX %+ _DSA_up_ref\n%xdefine DSA_verify BORINGSSL_PREFIX %+ _DSA_verify\n%xdefine DSAparams_dup BORINGSSL_PREFIX %+ _DSAparams_dup\n%xdefine DTLS_client_method BORINGSSL_PREFIX %+ _DTLS_client_method\n%xdefine DTLS_method BORINGSSL_PREFIX %+ _DTLS_method\n%xdefine DTLS_server_method BORINGSSL_PREFIX %+ _DTLS_server_method\n%xdefine DTLS_with_buffers_method BORINGSSL_PREFIX %+ _DTLS_with_buffers_method\n%xdefine DTLSv1_2_client_method BORINGSSL_PREFIX %+ _DTLSv1_2_client_method\n%xdefine DTLSv1_2_method BORINGSSL_PREFIX %+ _DTLSv1_2_method\n%xdefine DTLSv1_2_server_method BORINGSSL_PREFIX %+ _DTLSv1_2_server_method\n%xdefine DTLSv1_client_method BORINGSSL_PREFIX %+ _DTLSv1_client_method\n%xdefine DTLSv1_get_timeout BORINGSSL_PREFIX %+ _DTLSv1_get_timeout\n%xdefine DTLSv1_handle_timeout BORINGSSL_PREFIX %+ _DTLSv1_handle_timeout\n%xdefine DTLSv1_method BORINGSSL_PREFIX %+ _DTLSv1_method\n%xdefine DTLSv1_server_method BORINGSSL_PREFIX %+ _DTLSv1_server_method\n%xdefine DTLSv1_set_initial_timeout_duration BORINGSSL_PREFIX %+ _DTLSv1_set_initial_timeout_duration\n%xdefine ECDH_compute_key BORINGSSL_PREFIX %+ _ECDH_compute_key\n%xdefine ECDH_compute_key_fips BORINGSSL_PREFIX %+ _ECDH_compute_key_fips\n%xdefine ECDSA_SIG_free BORINGSSL_PREFIX %+ _ECDSA_SIG_free\n%xdefine ECDSA_SIG_from_bytes BORINGSSL_PREFIX %+ _ECDSA_SIG_from_bytes\n%xdefine ECDSA_SIG_get0 BORINGSSL_PREFIX %+ _ECDSA_SIG_get0\n%xdefine ECDSA_SIG_get0_r BORINGSSL_PREFIX %+ _ECDSA_SIG_get0_r\n%xdefine ECDSA_SIG_get0_s BORINGSSL_PREFIX %+ _ECDSA_SIG_get0_s\n%xdefine ECDSA_SIG_marshal BORINGSSL_PREFIX %+ _ECDSA_SIG_marshal\n%xdefine ECDSA_SIG_max_len BORINGSSL_PREFIX %+ _ECDSA_SIG_max_len\n%xdefine ECDSA_SIG_new BORINGSSL_PREFIX %+ _ECDSA_SIG_new\n%xdefine ECDSA_SIG_parse BORINGSSL_PREFIX %+ _ECDSA_SIG_parse\n%xdefine ECDSA_SIG_set0 BORINGSSL_PREFIX %+ _ECDSA_SIG_set0\n%xdefine ECDSA_SIG_to_bytes BORINGSSL_PREFIX %+ _ECDSA_SIG_to_bytes\n%xdefine ECDSA_do_sign BORINGSSL_PREFIX %+ _ECDSA_do_sign\n%xdefine ECDSA_do_verify BORINGSSL_PREFIX %+ _ECDSA_do_verify\n%xdefine ECDSA_sign BORINGSSL_PREFIX %+ _ECDSA_sign\n%xdefine ECDSA_sign_with_nonce_and_leak_private_key_for_testing BORINGSSL_PREFIX %+ _ECDSA_sign_with_nonce_and_leak_private_key_for_testing\n%xdefine ECDSA_size BORINGSSL_PREFIX %+ _ECDSA_size\n%xdefine ECDSA_verify BORINGSSL_PREFIX %+ _ECDSA_verify\n%xdefine EC_GFp_mont_method BORINGSSL_PREFIX %+ _EC_GFp_mont_method\n%xdefine EC_GFp_nistp224_method BORINGSSL_PREFIX %+ _EC_GFp_nistp224_method\n%xdefine EC_GFp_nistp256_method BORINGSSL_PREFIX %+ _EC_GFp_nistp256_method\n%xdefine EC_GFp_nistz256_method BORINGSSL_PREFIX %+ _EC_GFp_nistz256_method\n%xdefine EC_GROUP_cmp BORINGSSL_PREFIX %+ _EC_GROUP_cmp\n%xdefine EC_GROUP_dup BORINGSSL_PREFIX %+ _EC_GROUP_dup\n%xdefine EC_GROUP_free BORINGSSL_PREFIX %+ _EC_GROUP_free\n%xdefine EC_GROUP_get0_generator BORINGSSL_PREFIX %+ _EC_GROUP_get0_generator\n%xdefine EC_GROUP_get0_order BORINGSSL_PREFIX %+ _EC_GROUP_get0_order\n%xdefine EC_GROUP_get_asn1_flag BORINGSSL_PREFIX %+ _EC_GROUP_get_asn1_flag\n%xdefine EC_GROUP_get_cofactor BORINGSSL_PREFIX %+ _EC_GROUP_get_cofactor\n%xdefine EC_GROUP_get_curve_GFp BORINGSSL_PREFIX %+ _EC_GROUP_get_curve_GFp\n%xdefine EC_GROUP_get_curve_name BORINGSSL_PREFIX %+ _EC_GROUP_get_curve_name\n%xdefine EC_GROUP_get_degree BORINGSSL_PREFIX %+ _EC_GROUP_get_degree\n%xdefine EC_GROUP_get_order BORINGSSL_PREFIX %+ _EC_GROUP_get_order\n%xdefine EC_GROUP_method_of BORINGSSL_PREFIX %+ _EC_GROUP_method_of\n%xdefine EC_GROUP_new_by_curve_name BORINGSSL_PREFIX %+ _EC_GROUP_new_by_curve_name\n%xdefine EC_GROUP_new_curve_GFp BORINGSSL_PREFIX %+ _EC_GROUP_new_curve_GFp\n%xdefine EC_GROUP_order_bits BORINGSSL_PREFIX %+ _EC_GROUP_order_bits\n%xdefine EC_GROUP_set_asn1_flag BORINGSSL_PREFIX %+ _EC_GROUP_set_asn1_flag\n%xdefine EC_GROUP_set_generator BORINGSSL_PREFIX %+ _EC_GROUP_set_generator\n%xdefine EC_GROUP_set_point_conversion_form BORINGSSL_PREFIX %+ _EC_GROUP_set_point_conversion_form\n%xdefine EC_KEY_check_fips BORINGSSL_PREFIX %+ _EC_KEY_check_fips\n%xdefine EC_KEY_check_key BORINGSSL_PREFIX %+ _EC_KEY_check_key\n%xdefine EC_KEY_derive_from_secret BORINGSSL_PREFIX %+ _EC_KEY_derive_from_secret\n%xdefine EC_KEY_dup BORINGSSL_PREFIX %+ _EC_KEY_dup\n%xdefine EC_KEY_free BORINGSSL_PREFIX %+ _EC_KEY_free\n%xdefine EC_KEY_generate_key BORINGSSL_PREFIX %+ _EC_KEY_generate_key\n%xdefine EC_KEY_generate_key_fips BORINGSSL_PREFIX %+ _EC_KEY_generate_key_fips\n%xdefine EC_KEY_get0_group BORINGSSL_PREFIX %+ _EC_KEY_get0_group\n%xdefine EC_KEY_get0_private_key BORINGSSL_PREFIX %+ _EC_KEY_get0_private_key\n%xdefine EC_KEY_get0_public_key BORINGSSL_PREFIX %+ _EC_KEY_get0_public_key\n%xdefine EC_KEY_get_conv_form BORINGSSL_PREFIX %+ _EC_KEY_get_conv_form\n%xdefine EC_KEY_get_enc_flags BORINGSSL_PREFIX %+ _EC_KEY_get_enc_flags\n%xdefine EC_KEY_get_ex_data BORINGSSL_PREFIX %+ _EC_KEY_get_ex_data\n%xdefine EC_KEY_get_ex_new_index BORINGSSL_PREFIX %+ _EC_KEY_get_ex_new_index\n%xdefine EC_KEY_is_opaque BORINGSSL_PREFIX %+ _EC_KEY_is_opaque\n%xdefine EC_KEY_key2buf BORINGSSL_PREFIX %+ _EC_KEY_key2buf\n%xdefine EC_KEY_marshal_curve_name BORINGSSL_PREFIX %+ _EC_KEY_marshal_curve_name\n%xdefine EC_KEY_marshal_private_key BORINGSSL_PREFIX %+ _EC_KEY_marshal_private_key\n%xdefine EC_KEY_new BORINGSSL_PREFIX %+ _EC_KEY_new\n%xdefine EC_KEY_new_by_curve_name BORINGSSL_PREFIX %+ _EC_KEY_new_by_curve_name\n%xdefine EC_KEY_new_method BORINGSSL_PREFIX %+ _EC_KEY_new_method\n%xdefine EC_KEY_oct2key BORINGSSL_PREFIX %+ _EC_KEY_oct2key\n%xdefine EC_KEY_oct2priv BORINGSSL_PREFIX %+ _EC_KEY_oct2priv\n%xdefine EC_KEY_parse_curve_name BORINGSSL_PREFIX %+ _EC_KEY_parse_curve_name\n%xdefine EC_KEY_parse_parameters BORINGSSL_PREFIX %+ _EC_KEY_parse_parameters\n%xdefine EC_KEY_parse_private_key BORINGSSL_PREFIX %+ _EC_KEY_parse_private_key\n%xdefine EC_KEY_priv2buf BORINGSSL_PREFIX %+ _EC_KEY_priv2buf\n%xdefine EC_KEY_priv2oct BORINGSSL_PREFIX %+ _EC_KEY_priv2oct\n%xdefine EC_KEY_set_asn1_flag BORINGSSL_PREFIX %+ _EC_KEY_set_asn1_flag\n%xdefine EC_KEY_set_conv_form BORINGSSL_PREFIX %+ _EC_KEY_set_conv_form\n%xdefine EC_KEY_set_enc_flags BORINGSSL_PREFIX %+ _EC_KEY_set_enc_flags\n%xdefine EC_KEY_set_ex_data BORINGSSL_PREFIX %+ _EC_KEY_set_ex_data\n%xdefine EC_KEY_set_group BORINGSSL_PREFIX %+ _EC_KEY_set_group\n%xdefine EC_KEY_set_private_key BORINGSSL_PREFIX %+ _EC_KEY_set_private_key\n%xdefine EC_KEY_set_public_key BORINGSSL_PREFIX %+ _EC_KEY_set_public_key\n%xdefine EC_KEY_set_public_key_affine_coordinates BORINGSSL_PREFIX %+ _EC_KEY_set_public_key_affine_coordinates\n%xdefine EC_KEY_up_ref BORINGSSL_PREFIX %+ _EC_KEY_up_ref\n%xdefine EC_METHOD_get_field_type BORINGSSL_PREFIX %+ _EC_METHOD_get_field_type\n%xdefine EC_POINT_add BORINGSSL_PREFIX %+ _EC_POINT_add\n%xdefine EC_POINT_clear_free BORINGSSL_PREFIX %+ _EC_POINT_clear_free\n%xdefine EC_POINT_cmp BORINGSSL_PREFIX %+ _EC_POINT_cmp\n%xdefine EC_POINT_copy BORINGSSL_PREFIX %+ _EC_POINT_copy\n%xdefine EC_POINT_dbl BORINGSSL_PREFIX %+ _EC_POINT_dbl\n%xdefine EC_POINT_dup BORINGSSL_PREFIX %+ _EC_POINT_dup\n%xdefine EC_POINT_free BORINGSSL_PREFIX %+ _EC_POINT_free\n%xdefine EC_POINT_get_affine_coordinates BORINGSSL_PREFIX %+ _EC_POINT_get_affine_coordinates\n%xdefine EC_POINT_get_affine_coordinates_GFp BORINGSSL_PREFIX %+ _EC_POINT_get_affine_coordinates_GFp\n%xdefine EC_POINT_invert BORINGSSL_PREFIX %+ _EC_POINT_invert\n%xdefine EC_POINT_is_at_infinity BORINGSSL_PREFIX %+ _EC_POINT_is_at_infinity\n%xdefine EC_POINT_is_on_curve BORINGSSL_PREFIX %+ _EC_POINT_is_on_curve\n%xdefine EC_POINT_mul BORINGSSL_PREFIX %+ _EC_POINT_mul\n%xdefine EC_POINT_new BORINGSSL_PREFIX %+ _EC_POINT_new\n%xdefine EC_POINT_oct2point BORINGSSL_PREFIX %+ _EC_POINT_oct2point\n%xdefine EC_POINT_point2buf BORINGSSL_PREFIX %+ _EC_POINT_point2buf\n%xdefine EC_POINT_point2cbb BORINGSSL_PREFIX %+ _EC_POINT_point2cbb\n%xdefine EC_POINT_point2oct BORINGSSL_PREFIX %+ _EC_POINT_point2oct\n%xdefine EC_POINT_set_affine_coordinates BORINGSSL_PREFIX %+ _EC_POINT_set_affine_coordinates\n%xdefine EC_POINT_set_affine_coordinates_GFp BORINGSSL_PREFIX %+ _EC_POINT_set_affine_coordinates_GFp\n%xdefine EC_POINT_set_compressed_coordinates_GFp BORINGSSL_PREFIX %+ _EC_POINT_set_compressed_coordinates_GFp\n%xdefine EC_POINT_set_to_infinity BORINGSSL_PREFIX %+ _EC_POINT_set_to_infinity\n%xdefine EC_curve_nid2nist BORINGSSL_PREFIX %+ _EC_curve_nid2nist\n%xdefine EC_curve_nist2nid BORINGSSL_PREFIX %+ _EC_curve_nist2nid\n%xdefine EC_get_builtin_curves BORINGSSL_PREFIX %+ _EC_get_builtin_curves\n%xdefine EC_group_p224 BORINGSSL_PREFIX %+ _EC_group_p224\n%xdefine EC_group_p256 BORINGSSL_PREFIX %+ _EC_group_p256\n%xdefine EC_group_p384 BORINGSSL_PREFIX %+ _EC_group_p384\n%xdefine EC_group_p521 BORINGSSL_PREFIX %+ _EC_group_p521\n%xdefine EC_hash_to_curve_p256_xmd_sha256_sswu BORINGSSL_PREFIX %+ _EC_hash_to_curve_p256_xmd_sha256_sswu\n%xdefine EC_hash_to_curve_p384_xmd_sha384_sswu BORINGSSL_PREFIX %+ _EC_hash_to_curve_p384_xmd_sha384_sswu\n%xdefine ED25519_keypair BORINGSSL_PREFIX %+ _ED25519_keypair\n%xdefine ED25519_keypair_from_seed BORINGSSL_PREFIX %+ _ED25519_keypair_from_seed\n%xdefine ED25519_sign BORINGSSL_PREFIX %+ _ED25519_sign\n%xdefine ED25519_verify BORINGSSL_PREFIX %+ _ED25519_verify\n%xdefine EDIPARTYNAME_free BORINGSSL_PREFIX %+ _EDIPARTYNAME_free\n%xdefine EDIPARTYNAME_new BORINGSSL_PREFIX %+ _EDIPARTYNAME_new\n%xdefine ENGINE_free BORINGSSL_PREFIX %+ _ENGINE_free\n%xdefine ENGINE_get_ECDSA_method BORINGSSL_PREFIX %+ _ENGINE_get_ECDSA_method\n%xdefine ENGINE_get_RSA_method BORINGSSL_PREFIX %+ _ENGINE_get_RSA_method\n%xdefine ENGINE_load_builtin_engines BORINGSSL_PREFIX %+ _ENGINE_load_builtin_engines\n%xdefine ENGINE_new BORINGSSL_PREFIX %+ _ENGINE_new\n%xdefine ENGINE_register_all_complete BORINGSSL_PREFIX %+ _ENGINE_register_all_complete\n%xdefine ENGINE_set_ECDSA_method BORINGSSL_PREFIX %+ _ENGINE_set_ECDSA_method\n%xdefine ENGINE_set_RSA_method BORINGSSL_PREFIX %+ _ENGINE_set_RSA_method\n%xdefine ERR_GET_LIB BORINGSSL_PREFIX %+ _ERR_GET_LIB\n%xdefine ERR_GET_REASON BORINGSSL_PREFIX %+ _ERR_GET_REASON\n%xdefine ERR_SAVE_STATE_free BORINGSSL_PREFIX %+ _ERR_SAVE_STATE_free\n%xdefine ERR_add_error_data BORINGSSL_PREFIX %+ _ERR_add_error_data\n%xdefine ERR_add_error_dataf BORINGSSL_PREFIX %+ _ERR_add_error_dataf\n%xdefine ERR_clear_error BORINGSSL_PREFIX %+ _ERR_clear_error\n%xdefine ERR_clear_system_error BORINGSSL_PREFIX %+ _ERR_clear_system_error\n%xdefine ERR_error_string BORINGSSL_PREFIX %+ _ERR_error_string\n%xdefine ERR_error_string_n BORINGSSL_PREFIX %+ _ERR_error_string_n\n%xdefine ERR_free_strings BORINGSSL_PREFIX %+ _ERR_free_strings\n%xdefine ERR_func_error_string BORINGSSL_PREFIX %+ _ERR_func_error_string\n%xdefine ERR_get_error BORINGSSL_PREFIX %+ _ERR_get_error\n%xdefine ERR_get_error_line BORINGSSL_PREFIX %+ _ERR_get_error_line\n%xdefine ERR_get_error_line_data BORINGSSL_PREFIX %+ _ERR_get_error_line_data\n%xdefine ERR_get_next_error_library BORINGSSL_PREFIX %+ _ERR_get_next_error_library\n%xdefine ERR_lib_error_string BORINGSSL_PREFIX %+ _ERR_lib_error_string\n%xdefine ERR_lib_symbol_name BORINGSSL_PREFIX %+ _ERR_lib_symbol_name\n%xdefine ERR_load_BIO_strings BORINGSSL_PREFIX %+ _ERR_load_BIO_strings\n%xdefine ERR_load_ERR_strings BORINGSSL_PREFIX %+ _ERR_load_ERR_strings\n%xdefine ERR_load_RAND_strings BORINGSSL_PREFIX %+ _ERR_load_RAND_strings\n%xdefine ERR_load_SSL_strings BORINGSSL_PREFIX %+ _ERR_load_SSL_strings\n%xdefine ERR_load_crypto_strings BORINGSSL_PREFIX %+ _ERR_load_crypto_strings\n%xdefine ERR_peek_error BORINGSSL_PREFIX %+ _ERR_peek_error\n%xdefine ERR_peek_error_line BORINGSSL_PREFIX %+ _ERR_peek_error_line\n%xdefine ERR_peek_error_line_data BORINGSSL_PREFIX %+ _ERR_peek_error_line_data\n%xdefine ERR_peek_last_error BORINGSSL_PREFIX %+ _ERR_peek_last_error\n%xdefine ERR_peek_last_error_line BORINGSSL_PREFIX %+ _ERR_peek_last_error_line\n%xdefine ERR_peek_last_error_line_data BORINGSSL_PREFIX %+ _ERR_peek_last_error_line_data\n%xdefine ERR_pop_to_mark BORINGSSL_PREFIX %+ _ERR_pop_to_mark\n%xdefine ERR_print_errors BORINGSSL_PREFIX %+ _ERR_print_errors\n%xdefine ERR_print_errors_cb BORINGSSL_PREFIX %+ _ERR_print_errors_cb\n%xdefine ERR_print_errors_fp BORINGSSL_PREFIX %+ _ERR_print_errors_fp\n%xdefine ERR_put_error BORINGSSL_PREFIX %+ _ERR_put_error\n%xdefine ERR_reason_error_string BORINGSSL_PREFIX %+ _ERR_reason_error_string\n%xdefine ERR_reason_symbol_name BORINGSSL_PREFIX %+ _ERR_reason_symbol_name\n%xdefine ERR_remove_state BORINGSSL_PREFIX %+ _ERR_remove_state\n%xdefine ERR_remove_thread_state BORINGSSL_PREFIX %+ _ERR_remove_thread_state\n%xdefine ERR_restore_state BORINGSSL_PREFIX %+ _ERR_restore_state\n%xdefine ERR_save_state BORINGSSL_PREFIX %+ _ERR_save_state\n%xdefine ERR_set_error_data BORINGSSL_PREFIX %+ _ERR_set_error_data\n%xdefine ERR_set_mark BORINGSSL_PREFIX %+ _ERR_set_mark\n%xdefine EVP_AEAD_CTX_aead BORINGSSL_PREFIX %+ _EVP_AEAD_CTX_aead\n%xdefine EVP_AEAD_CTX_cleanup BORINGSSL_PREFIX %+ _EVP_AEAD_CTX_cleanup\n%xdefine EVP_AEAD_CTX_free BORINGSSL_PREFIX %+ _EVP_AEAD_CTX_free\n%xdefine EVP_AEAD_CTX_get_iv BORINGSSL_PREFIX %+ _EVP_AEAD_CTX_get_iv\n%xdefine EVP_AEAD_CTX_init BORINGSSL_PREFIX %+ _EVP_AEAD_CTX_init\n%xdefine EVP_AEAD_CTX_init_with_direction BORINGSSL_PREFIX %+ _EVP_AEAD_CTX_init_with_direction\n%xdefine EVP_AEAD_CTX_new BORINGSSL_PREFIX %+ _EVP_AEAD_CTX_new\n%xdefine EVP_AEAD_CTX_open BORINGSSL_PREFIX %+ _EVP_AEAD_CTX_open\n%xdefine EVP_AEAD_CTX_open_gather BORINGSSL_PREFIX %+ _EVP_AEAD_CTX_open_gather\n%xdefine EVP_AEAD_CTX_seal BORINGSSL_PREFIX %+ _EVP_AEAD_CTX_seal\n%xdefine EVP_AEAD_CTX_seal_scatter BORINGSSL_PREFIX %+ _EVP_AEAD_CTX_seal_scatter\n%xdefine EVP_AEAD_CTX_tag_len BORINGSSL_PREFIX %+ _EVP_AEAD_CTX_tag_len\n%xdefine EVP_AEAD_CTX_zero BORINGSSL_PREFIX %+ _EVP_AEAD_CTX_zero\n%xdefine EVP_AEAD_key_length BORINGSSL_PREFIX %+ _EVP_AEAD_key_length\n%xdefine EVP_AEAD_max_overhead BORINGSSL_PREFIX %+ _EVP_AEAD_max_overhead\n%xdefine EVP_AEAD_max_tag_len BORINGSSL_PREFIX %+ _EVP_AEAD_max_tag_len\n%xdefine EVP_AEAD_nonce_length BORINGSSL_PREFIX %+ _EVP_AEAD_nonce_length\n%xdefine EVP_BytesToKey BORINGSSL_PREFIX %+ _EVP_BytesToKey\n%xdefine EVP_CIPHER_CTX_block_size BORINGSSL_PREFIX %+ _EVP_CIPHER_CTX_block_size\n%xdefine EVP_CIPHER_CTX_cipher BORINGSSL_PREFIX %+ _EVP_CIPHER_CTX_cipher\n%xdefine EVP_CIPHER_CTX_cleanup BORINGSSL_PREFIX %+ _EVP_CIPHER_CTX_cleanup\n%xdefine EVP_CIPHER_CTX_copy BORINGSSL_PREFIX %+ _EVP_CIPHER_CTX_copy\n%xdefine EVP_CIPHER_CTX_ctrl BORINGSSL_PREFIX %+ _EVP_CIPHER_CTX_ctrl\n%xdefine EVP_CIPHER_CTX_encrypting BORINGSSL_PREFIX %+ _EVP_CIPHER_CTX_encrypting\n%xdefine EVP_CIPHER_CTX_flags BORINGSSL_PREFIX %+ _EVP_CIPHER_CTX_flags\n%xdefine EVP_CIPHER_CTX_free BORINGSSL_PREFIX %+ _EVP_CIPHER_CTX_free\n%xdefine EVP_CIPHER_CTX_get_app_data BORINGSSL_PREFIX %+ _EVP_CIPHER_CTX_get_app_data\n%xdefine EVP_CIPHER_CTX_init BORINGSSL_PREFIX %+ _EVP_CIPHER_CTX_init\n%xdefine EVP_CIPHER_CTX_iv_length BORINGSSL_PREFIX %+ _EVP_CIPHER_CTX_iv_length\n%xdefine EVP_CIPHER_CTX_key_length BORINGSSL_PREFIX %+ _EVP_CIPHER_CTX_key_length\n%xdefine EVP_CIPHER_CTX_mode BORINGSSL_PREFIX %+ _EVP_CIPHER_CTX_mode\n%xdefine EVP_CIPHER_CTX_new BORINGSSL_PREFIX %+ _EVP_CIPHER_CTX_new\n%xdefine EVP_CIPHER_CTX_nid BORINGSSL_PREFIX %+ _EVP_CIPHER_CTX_nid\n%xdefine EVP_CIPHER_CTX_reset BORINGSSL_PREFIX %+ _EVP_CIPHER_CTX_reset\n%xdefine EVP_CIPHER_CTX_set_app_data BORINGSSL_PREFIX %+ _EVP_CIPHER_CTX_set_app_data\n%xdefine EVP_CIPHER_CTX_set_flags BORINGSSL_PREFIX %+ _EVP_CIPHER_CTX_set_flags\n%xdefine EVP_CIPHER_CTX_set_key_length BORINGSSL_PREFIX %+ _EVP_CIPHER_CTX_set_key_length\n%xdefine EVP_CIPHER_CTX_set_padding BORINGSSL_PREFIX %+ _EVP_CIPHER_CTX_set_padding\n%xdefine EVP_CIPHER_block_size BORINGSSL_PREFIX %+ _EVP_CIPHER_block_size\n%xdefine EVP_CIPHER_flags BORINGSSL_PREFIX %+ _EVP_CIPHER_flags\n%xdefine EVP_CIPHER_iv_length BORINGSSL_PREFIX %+ _EVP_CIPHER_iv_length\n%xdefine EVP_CIPHER_key_length BORINGSSL_PREFIX %+ _EVP_CIPHER_key_length\n%xdefine EVP_CIPHER_mode BORINGSSL_PREFIX %+ _EVP_CIPHER_mode\n%xdefine EVP_CIPHER_nid BORINGSSL_PREFIX %+ _EVP_CIPHER_nid\n%xdefine EVP_Cipher BORINGSSL_PREFIX %+ _EVP_Cipher\n%xdefine EVP_CipherFinal BORINGSSL_PREFIX %+ _EVP_CipherFinal\n%xdefine EVP_CipherFinal_ex BORINGSSL_PREFIX %+ _EVP_CipherFinal_ex\n%xdefine EVP_CipherInit BORINGSSL_PREFIX %+ _EVP_CipherInit\n%xdefine EVP_CipherInit_ex BORINGSSL_PREFIX %+ _EVP_CipherInit_ex\n%xdefine EVP_CipherUpdate BORINGSSL_PREFIX %+ _EVP_CipherUpdate\n%xdefine EVP_DecodeBase64 BORINGSSL_PREFIX %+ _EVP_DecodeBase64\n%xdefine EVP_DecodeBlock BORINGSSL_PREFIX %+ _EVP_DecodeBlock\n%xdefine EVP_DecodeFinal BORINGSSL_PREFIX %+ _EVP_DecodeFinal\n%xdefine EVP_DecodeInit BORINGSSL_PREFIX %+ _EVP_DecodeInit\n%xdefine EVP_DecodeUpdate BORINGSSL_PREFIX %+ _EVP_DecodeUpdate\n%xdefine EVP_DecodedLength BORINGSSL_PREFIX %+ _EVP_DecodedLength\n%xdefine EVP_DecryptFinal BORINGSSL_PREFIX %+ _EVP_DecryptFinal\n%xdefine EVP_DecryptFinal_ex BORINGSSL_PREFIX %+ _EVP_DecryptFinal_ex\n%xdefine EVP_DecryptInit BORINGSSL_PREFIX %+ _EVP_DecryptInit\n%xdefine EVP_DecryptInit_ex BORINGSSL_PREFIX %+ _EVP_DecryptInit_ex\n%xdefine EVP_DecryptUpdate BORINGSSL_PREFIX %+ _EVP_DecryptUpdate\n%xdefine EVP_Digest BORINGSSL_PREFIX %+ _EVP_Digest\n%xdefine EVP_DigestFinal BORINGSSL_PREFIX %+ _EVP_DigestFinal\n%xdefine EVP_DigestFinalXOF BORINGSSL_PREFIX %+ _EVP_DigestFinalXOF\n%xdefine EVP_DigestFinal_ex BORINGSSL_PREFIX %+ _EVP_DigestFinal_ex\n%xdefine EVP_DigestInit BORINGSSL_PREFIX %+ _EVP_DigestInit\n%xdefine EVP_DigestInit_ex BORINGSSL_PREFIX %+ _EVP_DigestInit_ex\n%xdefine EVP_DigestSign BORINGSSL_PREFIX %+ _EVP_DigestSign\n%xdefine EVP_DigestSignFinal BORINGSSL_PREFIX %+ _EVP_DigestSignFinal\n%xdefine EVP_DigestSignInit BORINGSSL_PREFIX %+ _EVP_DigestSignInit\n%xdefine EVP_DigestSignUpdate BORINGSSL_PREFIX %+ _EVP_DigestSignUpdate\n%xdefine EVP_DigestUpdate BORINGSSL_PREFIX %+ _EVP_DigestUpdate\n%xdefine EVP_DigestVerify BORINGSSL_PREFIX %+ _EVP_DigestVerify\n%xdefine EVP_DigestVerifyFinal BORINGSSL_PREFIX %+ _EVP_DigestVerifyFinal\n%xdefine EVP_DigestVerifyInit BORINGSSL_PREFIX %+ _EVP_DigestVerifyInit\n%xdefine EVP_DigestVerifyUpdate BORINGSSL_PREFIX %+ _EVP_DigestVerifyUpdate\n%xdefine EVP_ENCODE_CTX_free BORINGSSL_PREFIX %+ _EVP_ENCODE_CTX_free\n%xdefine EVP_ENCODE_CTX_new BORINGSSL_PREFIX %+ _EVP_ENCODE_CTX_new\n%xdefine EVP_EncodeBlock BORINGSSL_PREFIX %+ _EVP_EncodeBlock\n%xdefine EVP_EncodeFinal BORINGSSL_PREFIX %+ _EVP_EncodeFinal\n%xdefine EVP_EncodeInit BORINGSSL_PREFIX %+ _EVP_EncodeInit\n%xdefine EVP_EncodeUpdate BORINGSSL_PREFIX %+ _EVP_EncodeUpdate\n%xdefine EVP_EncodedLength BORINGSSL_PREFIX %+ _EVP_EncodedLength\n%xdefine EVP_EncryptFinal BORINGSSL_PREFIX %+ _EVP_EncryptFinal\n%xdefine EVP_EncryptFinal_ex BORINGSSL_PREFIX %+ _EVP_EncryptFinal_ex\n%xdefine EVP_EncryptInit BORINGSSL_PREFIX %+ _EVP_EncryptInit\n%xdefine EVP_EncryptInit_ex BORINGSSL_PREFIX %+ _EVP_EncryptInit_ex\n%xdefine EVP_EncryptUpdate BORINGSSL_PREFIX %+ _EVP_EncryptUpdate\n%xdefine EVP_HPKE_AEAD_aead BORINGSSL_PREFIX %+ _EVP_HPKE_AEAD_aead\n%xdefine EVP_HPKE_AEAD_id BORINGSSL_PREFIX %+ _EVP_HPKE_AEAD_id\n%xdefine EVP_HPKE_CTX_aead BORINGSSL_PREFIX %+ _EVP_HPKE_CTX_aead\n%xdefine EVP_HPKE_CTX_cleanup BORINGSSL_PREFIX %+ _EVP_HPKE_CTX_cleanup\n%xdefine EVP_HPKE_CTX_export BORINGSSL_PREFIX %+ _EVP_HPKE_CTX_export\n%xdefine EVP_HPKE_CTX_free BORINGSSL_PREFIX %+ _EVP_HPKE_CTX_free\n%xdefine EVP_HPKE_CTX_kdf BORINGSSL_PREFIX %+ _EVP_HPKE_CTX_kdf\n%xdefine EVP_HPKE_CTX_kem BORINGSSL_PREFIX %+ _EVP_HPKE_CTX_kem\n%xdefine EVP_HPKE_CTX_max_overhead BORINGSSL_PREFIX %+ _EVP_HPKE_CTX_max_overhead\n%xdefine EVP_HPKE_CTX_new BORINGSSL_PREFIX %+ _EVP_HPKE_CTX_new\n%xdefine EVP_HPKE_CTX_open BORINGSSL_PREFIX %+ _EVP_HPKE_CTX_open\n%xdefine EVP_HPKE_CTX_seal BORINGSSL_PREFIX %+ _EVP_HPKE_CTX_seal\n%xdefine EVP_HPKE_CTX_setup_auth_recipient BORINGSSL_PREFIX %+ _EVP_HPKE_CTX_setup_auth_recipient\n%xdefine EVP_HPKE_CTX_setup_auth_sender BORINGSSL_PREFIX %+ _EVP_HPKE_CTX_setup_auth_sender\n%xdefine EVP_HPKE_CTX_setup_auth_sender_with_seed_for_testing BORINGSSL_PREFIX %+ _EVP_HPKE_CTX_setup_auth_sender_with_seed_for_testing\n%xdefine EVP_HPKE_CTX_setup_recipient BORINGSSL_PREFIX %+ _EVP_HPKE_CTX_setup_recipient\n%xdefine EVP_HPKE_CTX_setup_sender BORINGSSL_PREFIX %+ _EVP_HPKE_CTX_setup_sender\n%xdefine EVP_HPKE_CTX_setup_sender_with_seed_for_testing BORINGSSL_PREFIX %+ _EVP_HPKE_CTX_setup_sender_with_seed_for_testing\n%xdefine EVP_HPKE_CTX_zero BORINGSSL_PREFIX %+ _EVP_HPKE_CTX_zero\n%xdefine EVP_HPKE_KDF_hkdf_md BORINGSSL_PREFIX %+ _EVP_HPKE_KDF_hkdf_md\n%xdefine EVP_HPKE_KDF_id BORINGSSL_PREFIX %+ _EVP_HPKE_KDF_id\n%xdefine EVP_HPKE_KEM_enc_len BORINGSSL_PREFIX %+ _EVP_HPKE_KEM_enc_len\n%xdefine EVP_HPKE_KEM_id BORINGSSL_PREFIX %+ _EVP_HPKE_KEM_id\n%xdefine EVP_HPKE_KEM_private_key_len BORINGSSL_PREFIX %+ _EVP_HPKE_KEM_private_key_len\n%xdefine EVP_HPKE_KEM_public_key_len BORINGSSL_PREFIX %+ _EVP_HPKE_KEM_public_key_len\n%xdefine EVP_HPKE_KEY_cleanup BORINGSSL_PREFIX %+ _EVP_HPKE_KEY_cleanup\n%xdefine EVP_HPKE_KEY_copy BORINGSSL_PREFIX %+ _EVP_HPKE_KEY_copy\n%xdefine EVP_HPKE_KEY_free BORINGSSL_PREFIX %+ _EVP_HPKE_KEY_free\n%xdefine EVP_HPKE_KEY_generate BORINGSSL_PREFIX %+ _EVP_HPKE_KEY_generate\n%xdefine EVP_HPKE_KEY_init BORINGSSL_PREFIX %+ _EVP_HPKE_KEY_init\n%xdefine EVP_HPKE_KEY_kem BORINGSSL_PREFIX %+ _EVP_HPKE_KEY_kem\n%xdefine EVP_HPKE_KEY_move BORINGSSL_PREFIX %+ _EVP_HPKE_KEY_move\n%xdefine EVP_HPKE_KEY_new BORINGSSL_PREFIX %+ _EVP_HPKE_KEY_new\n%xdefine EVP_HPKE_KEY_private_key BORINGSSL_PREFIX %+ _EVP_HPKE_KEY_private_key\n%xdefine EVP_HPKE_KEY_public_key BORINGSSL_PREFIX %+ _EVP_HPKE_KEY_public_key\n%xdefine EVP_HPKE_KEY_zero BORINGSSL_PREFIX %+ _EVP_HPKE_KEY_zero\n%xdefine EVP_MD_CTX_block_size BORINGSSL_PREFIX %+ _EVP_MD_CTX_block_size\n%xdefine EVP_MD_CTX_cleanse BORINGSSL_PREFIX %+ _EVP_MD_CTX_cleanse\n%xdefine EVP_MD_CTX_cleanup BORINGSSL_PREFIX %+ _EVP_MD_CTX_cleanup\n%xdefine EVP_MD_CTX_copy BORINGSSL_PREFIX %+ _EVP_MD_CTX_copy\n%xdefine EVP_MD_CTX_copy_ex BORINGSSL_PREFIX %+ _EVP_MD_CTX_copy_ex\n%xdefine EVP_MD_CTX_create BORINGSSL_PREFIX %+ _EVP_MD_CTX_create\n%xdefine EVP_MD_CTX_destroy BORINGSSL_PREFIX %+ _EVP_MD_CTX_destroy\n%xdefine EVP_MD_CTX_free BORINGSSL_PREFIX %+ _EVP_MD_CTX_free\n%xdefine EVP_MD_CTX_get0_md BORINGSSL_PREFIX %+ _EVP_MD_CTX_get0_md\n%xdefine EVP_MD_CTX_init BORINGSSL_PREFIX %+ _EVP_MD_CTX_init\n%xdefine EVP_MD_CTX_md BORINGSSL_PREFIX %+ _EVP_MD_CTX_md\n%xdefine EVP_MD_CTX_move BORINGSSL_PREFIX %+ _EVP_MD_CTX_move\n%xdefine EVP_MD_CTX_new BORINGSSL_PREFIX %+ _EVP_MD_CTX_new\n%xdefine EVP_MD_CTX_reset BORINGSSL_PREFIX %+ _EVP_MD_CTX_reset\n%xdefine EVP_MD_CTX_set_flags BORINGSSL_PREFIX %+ _EVP_MD_CTX_set_flags\n%xdefine EVP_MD_CTX_size BORINGSSL_PREFIX %+ _EVP_MD_CTX_size\n%xdefine EVP_MD_CTX_type BORINGSSL_PREFIX %+ _EVP_MD_CTX_type\n%xdefine EVP_MD_block_size BORINGSSL_PREFIX %+ _EVP_MD_block_size\n%xdefine EVP_MD_flags BORINGSSL_PREFIX %+ _EVP_MD_flags\n%xdefine EVP_MD_meth_get_flags BORINGSSL_PREFIX %+ _EVP_MD_meth_get_flags\n%xdefine EVP_MD_nid BORINGSSL_PREFIX %+ _EVP_MD_nid\n%xdefine EVP_MD_size BORINGSSL_PREFIX %+ _EVP_MD_size\n%xdefine EVP_MD_type BORINGSSL_PREFIX %+ _EVP_MD_type\n%xdefine EVP_PBE_scrypt BORINGSSL_PREFIX %+ _EVP_PBE_scrypt\n%xdefine EVP_PKCS82PKEY BORINGSSL_PREFIX %+ _EVP_PKCS82PKEY\n%xdefine EVP_PKEY2PKCS8 BORINGSSL_PREFIX %+ _EVP_PKEY2PKCS8\n%xdefine EVP_PKEY_CTX_add1_hkdf_info BORINGSSL_PREFIX %+ _EVP_PKEY_CTX_add1_hkdf_info\n%xdefine EVP_PKEY_CTX_ctrl BORINGSSL_PREFIX %+ _EVP_PKEY_CTX_ctrl\n%xdefine EVP_PKEY_CTX_dup BORINGSSL_PREFIX %+ _EVP_PKEY_CTX_dup\n%xdefine EVP_PKEY_CTX_free BORINGSSL_PREFIX %+ _EVP_PKEY_CTX_free\n%xdefine EVP_PKEY_CTX_get0_pkey BORINGSSL_PREFIX %+ _EVP_PKEY_CTX_get0_pkey\n%xdefine EVP_PKEY_CTX_get0_rsa_oaep_label BORINGSSL_PREFIX %+ _EVP_PKEY_CTX_get0_rsa_oaep_label\n%xdefine EVP_PKEY_CTX_get_rsa_mgf1_md BORINGSSL_PREFIX %+ _EVP_PKEY_CTX_get_rsa_mgf1_md\n%xdefine EVP_PKEY_CTX_get_rsa_oaep_md BORINGSSL_PREFIX %+ _EVP_PKEY_CTX_get_rsa_oaep_md\n%xdefine EVP_PKEY_CTX_get_rsa_padding BORINGSSL_PREFIX %+ _EVP_PKEY_CTX_get_rsa_padding\n%xdefine EVP_PKEY_CTX_get_rsa_pss_saltlen BORINGSSL_PREFIX %+ _EVP_PKEY_CTX_get_rsa_pss_saltlen\n%xdefine EVP_PKEY_CTX_get_signature_md BORINGSSL_PREFIX %+ _EVP_PKEY_CTX_get_signature_md\n%xdefine EVP_PKEY_CTX_hkdf_mode BORINGSSL_PREFIX %+ _EVP_PKEY_CTX_hkdf_mode\n%xdefine EVP_PKEY_CTX_new BORINGSSL_PREFIX %+ _EVP_PKEY_CTX_new\n%xdefine EVP_PKEY_CTX_new_id BORINGSSL_PREFIX %+ _EVP_PKEY_CTX_new_id\n%xdefine EVP_PKEY_CTX_set0_rsa_oaep_label BORINGSSL_PREFIX %+ _EVP_PKEY_CTX_set0_rsa_oaep_label\n%xdefine EVP_PKEY_CTX_set1_hkdf_key BORINGSSL_PREFIX %+ _EVP_PKEY_CTX_set1_hkdf_key\n%xdefine EVP_PKEY_CTX_set1_hkdf_salt BORINGSSL_PREFIX %+ _EVP_PKEY_CTX_set1_hkdf_salt\n%xdefine EVP_PKEY_CTX_set_dh_pad BORINGSSL_PREFIX %+ _EVP_PKEY_CTX_set_dh_pad\n%xdefine EVP_PKEY_CTX_set_dsa_paramgen_bits BORINGSSL_PREFIX %+ _EVP_PKEY_CTX_set_dsa_paramgen_bits\n%xdefine EVP_PKEY_CTX_set_dsa_paramgen_q_bits BORINGSSL_PREFIX %+ _EVP_PKEY_CTX_set_dsa_paramgen_q_bits\n%xdefine EVP_PKEY_CTX_set_ec_param_enc BORINGSSL_PREFIX %+ _EVP_PKEY_CTX_set_ec_param_enc\n%xdefine EVP_PKEY_CTX_set_ec_paramgen_curve_nid BORINGSSL_PREFIX %+ _EVP_PKEY_CTX_set_ec_paramgen_curve_nid\n%xdefine EVP_PKEY_CTX_set_hkdf_md BORINGSSL_PREFIX %+ _EVP_PKEY_CTX_set_hkdf_md\n%xdefine EVP_PKEY_CTX_set_rsa_keygen_bits BORINGSSL_PREFIX %+ _EVP_PKEY_CTX_set_rsa_keygen_bits\n%xdefine EVP_PKEY_CTX_set_rsa_keygen_pubexp BORINGSSL_PREFIX %+ _EVP_PKEY_CTX_set_rsa_keygen_pubexp\n%xdefine EVP_PKEY_CTX_set_rsa_mgf1_md BORINGSSL_PREFIX %+ _EVP_PKEY_CTX_set_rsa_mgf1_md\n%xdefine EVP_PKEY_CTX_set_rsa_oaep_md BORINGSSL_PREFIX %+ _EVP_PKEY_CTX_set_rsa_oaep_md\n%xdefine EVP_PKEY_CTX_set_rsa_padding BORINGSSL_PREFIX %+ _EVP_PKEY_CTX_set_rsa_padding\n%xdefine EVP_PKEY_CTX_set_rsa_pss_keygen_md BORINGSSL_PREFIX %+ _EVP_PKEY_CTX_set_rsa_pss_keygen_md\n%xdefine EVP_PKEY_CTX_set_rsa_pss_keygen_mgf1_md BORINGSSL_PREFIX %+ _EVP_PKEY_CTX_set_rsa_pss_keygen_mgf1_md\n%xdefine EVP_PKEY_CTX_set_rsa_pss_keygen_saltlen BORINGSSL_PREFIX %+ _EVP_PKEY_CTX_set_rsa_pss_keygen_saltlen\n%xdefine EVP_PKEY_CTX_set_rsa_pss_saltlen BORINGSSL_PREFIX %+ _EVP_PKEY_CTX_set_rsa_pss_saltlen\n%xdefine EVP_PKEY_CTX_set_signature_md BORINGSSL_PREFIX %+ _EVP_PKEY_CTX_set_signature_md\n%xdefine EVP_PKEY_assign BORINGSSL_PREFIX %+ _EVP_PKEY_assign\n%xdefine EVP_PKEY_assign_DH BORINGSSL_PREFIX %+ _EVP_PKEY_assign_DH\n%xdefine EVP_PKEY_assign_DSA BORINGSSL_PREFIX %+ _EVP_PKEY_assign_DSA\n%xdefine EVP_PKEY_assign_EC_KEY BORINGSSL_PREFIX %+ _EVP_PKEY_assign_EC_KEY\n%xdefine EVP_PKEY_assign_RSA BORINGSSL_PREFIX %+ _EVP_PKEY_assign_RSA\n%xdefine EVP_PKEY_base_id BORINGSSL_PREFIX %+ _EVP_PKEY_base_id\n%xdefine EVP_PKEY_bits BORINGSSL_PREFIX %+ _EVP_PKEY_bits\n%xdefine EVP_PKEY_cmp BORINGSSL_PREFIX %+ _EVP_PKEY_cmp\n%xdefine EVP_PKEY_cmp_parameters BORINGSSL_PREFIX %+ _EVP_PKEY_cmp_parameters\n%xdefine EVP_PKEY_copy_parameters BORINGSSL_PREFIX %+ _EVP_PKEY_copy_parameters\n%xdefine EVP_PKEY_decrypt BORINGSSL_PREFIX %+ _EVP_PKEY_decrypt\n%xdefine EVP_PKEY_decrypt_init BORINGSSL_PREFIX %+ _EVP_PKEY_decrypt_init\n%xdefine EVP_PKEY_derive BORINGSSL_PREFIX %+ _EVP_PKEY_derive\n%xdefine EVP_PKEY_derive_init BORINGSSL_PREFIX %+ _EVP_PKEY_derive_init\n%xdefine EVP_PKEY_derive_set_peer BORINGSSL_PREFIX %+ _EVP_PKEY_derive_set_peer\n%xdefine EVP_PKEY_encrypt BORINGSSL_PREFIX %+ _EVP_PKEY_encrypt\n%xdefine EVP_PKEY_encrypt_init BORINGSSL_PREFIX %+ _EVP_PKEY_encrypt_init\n%xdefine EVP_PKEY_free BORINGSSL_PREFIX %+ _EVP_PKEY_free\n%xdefine EVP_PKEY_get0 BORINGSSL_PREFIX %+ _EVP_PKEY_get0\n%xdefine EVP_PKEY_get0_DH BORINGSSL_PREFIX %+ _EVP_PKEY_get0_DH\n%xdefine EVP_PKEY_get0_DSA BORINGSSL_PREFIX %+ _EVP_PKEY_get0_DSA\n%xdefine EVP_PKEY_get0_EC_KEY BORINGSSL_PREFIX %+ _EVP_PKEY_get0_EC_KEY\n%xdefine EVP_PKEY_get0_RSA BORINGSSL_PREFIX %+ _EVP_PKEY_get0_RSA\n%xdefine EVP_PKEY_get1_DH BORINGSSL_PREFIX %+ _EVP_PKEY_get1_DH\n%xdefine EVP_PKEY_get1_DSA BORINGSSL_PREFIX %+ _EVP_PKEY_get1_DSA\n%xdefine EVP_PKEY_get1_EC_KEY BORINGSSL_PREFIX %+ _EVP_PKEY_get1_EC_KEY\n%xdefine EVP_PKEY_get1_RSA BORINGSSL_PREFIX %+ _EVP_PKEY_get1_RSA\n%xdefine EVP_PKEY_get1_tls_encodedpoint BORINGSSL_PREFIX %+ _EVP_PKEY_get1_tls_encodedpoint\n%xdefine EVP_PKEY_get_raw_private_key BORINGSSL_PREFIX %+ _EVP_PKEY_get_raw_private_key\n%xdefine EVP_PKEY_get_raw_public_key BORINGSSL_PREFIX %+ _EVP_PKEY_get_raw_public_key\n%xdefine EVP_PKEY_id BORINGSSL_PREFIX %+ _EVP_PKEY_id\n%xdefine EVP_PKEY_is_opaque BORINGSSL_PREFIX %+ _EVP_PKEY_is_opaque\n%xdefine EVP_PKEY_keygen BORINGSSL_PREFIX %+ _EVP_PKEY_keygen\n%xdefine EVP_PKEY_keygen_init BORINGSSL_PREFIX %+ _EVP_PKEY_keygen_init\n%xdefine EVP_PKEY_missing_parameters BORINGSSL_PREFIX %+ _EVP_PKEY_missing_parameters\n%xdefine EVP_PKEY_new BORINGSSL_PREFIX %+ _EVP_PKEY_new\n%xdefine EVP_PKEY_new_raw_private_key BORINGSSL_PREFIX %+ _EVP_PKEY_new_raw_private_key\n%xdefine EVP_PKEY_new_raw_public_key BORINGSSL_PREFIX %+ _EVP_PKEY_new_raw_public_key\n%xdefine EVP_PKEY_paramgen BORINGSSL_PREFIX %+ _EVP_PKEY_paramgen\n%xdefine EVP_PKEY_paramgen_init BORINGSSL_PREFIX %+ _EVP_PKEY_paramgen_init\n%xdefine EVP_PKEY_print_params BORINGSSL_PREFIX %+ _EVP_PKEY_print_params\n%xdefine EVP_PKEY_print_private BORINGSSL_PREFIX %+ _EVP_PKEY_print_private\n%xdefine EVP_PKEY_print_public BORINGSSL_PREFIX %+ _EVP_PKEY_print_public\n%xdefine EVP_PKEY_set1_DH BORINGSSL_PREFIX %+ _EVP_PKEY_set1_DH\n%xdefine EVP_PKEY_set1_DSA BORINGSSL_PREFIX %+ _EVP_PKEY_set1_DSA\n%xdefine EVP_PKEY_set1_EC_KEY BORINGSSL_PREFIX %+ _EVP_PKEY_set1_EC_KEY\n%xdefine EVP_PKEY_set1_RSA BORINGSSL_PREFIX %+ _EVP_PKEY_set1_RSA\n%xdefine EVP_PKEY_set1_tls_encodedpoint BORINGSSL_PREFIX %+ _EVP_PKEY_set1_tls_encodedpoint\n%xdefine EVP_PKEY_set_type BORINGSSL_PREFIX %+ _EVP_PKEY_set_type\n%xdefine EVP_PKEY_sign BORINGSSL_PREFIX %+ _EVP_PKEY_sign\n%xdefine EVP_PKEY_sign_init BORINGSSL_PREFIX %+ _EVP_PKEY_sign_init\n%xdefine EVP_PKEY_size BORINGSSL_PREFIX %+ _EVP_PKEY_size\n%xdefine EVP_PKEY_type BORINGSSL_PREFIX %+ _EVP_PKEY_type\n%xdefine EVP_PKEY_up_ref BORINGSSL_PREFIX %+ _EVP_PKEY_up_ref\n%xdefine EVP_PKEY_verify BORINGSSL_PREFIX %+ _EVP_PKEY_verify\n%xdefine EVP_PKEY_verify_init BORINGSSL_PREFIX %+ _EVP_PKEY_verify_init\n%xdefine EVP_PKEY_verify_recover BORINGSSL_PREFIX %+ _EVP_PKEY_verify_recover\n%xdefine EVP_PKEY_verify_recover_init BORINGSSL_PREFIX %+ _EVP_PKEY_verify_recover_init\n%xdefine EVP_SignFinal BORINGSSL_PREFIX %+ _EVP_SignFinal\n%xdefine EVP_SignInit BORINGSSL_PREFIX %+ _EVP_SignInit\n%xdefine EVP_SignInit_ex BORINGSSL_PREFIX %+ _EVP_SignInit_ex\n%xdefine EVP_SignUpdate BORINGSSL_PREFIX %+ _EVP_SignUpdate\n%xdefine EVP_VerifyFinal BORINGSSL_PREFIX %+ _EVP_VerifyFinal\n%xdefine EVP_VerifyInit BORINGSSL_PREFIX %+ _EVP_VerifyInit\n%xdefine EVP_VerifyInit_ex BORINGSSL_PREFIX %+ _EVP_VerifyInit_ex\n%xdefine EVP_VerifyUpdate BORINGSSL_PREFIX %+ _EVP_VerifyUpdate\n%xdefine EVP_add_cipher_alias BORINGSSL_PREFIX %+ _EVP_add_cipher_alias\n%xdefine EVP_add_digest BORINGSSL_PREFIX %+ _EVP_add_digest\n%xdefine EVP_aead_aes_128_cbc_sha1_tls BORINGSSL_PREFIX %+ _EVP_aead_aes_128_cbc_sha1_tls\n%xdefine EVP_aead_aes_128_cbc_sha1_tls_implicit_iv BORINGSSL_PREFIX %+ _EVP_aead_aes_128_cbc_sha1_tls_implicit_iv\n%xdefine EVP_aead_aes_128_cbc_sha256_tls BORINGSSL_PREFIX %+ _EVP_aead_aes_128_cbc_sha256_tls\n%xdefine EVP_aead_aes_128_ccm_bluetooth BORINGSSL_PREFIX %+ _EVP_aead_aes_128_ccm_bluetooth\n%xdefine EVP_aead_aes_128_ccm_bluetooth_8 BORINGSSL_PREFIX %+ _EVP_aead_aes_128_ccm_bluetooth_8\n%xdefine EVP_aead_aes_128_ccm_matter BORINGSSL_PREFIX %+ _EVP_aead_aes_128_ccm_matter\n%xdefine EVP_aead_aes_128_ctr_hmac_sha256 BORINGSSL_PREFIX %+ _EVP_aead_aes_128_ctr_hmac_sha256\n%xdefine EVP_aead_aes_128_gcm BORINGSSL_PREFIX %+ _EVP_aead_aes_128_gcm\n%xdefine EVP_aead_aes_128_gcm_randnonce BORINGSSL_PREFIX %+ _EVP_aead_aes_128_gcm_randnonce\n%xdefine EVP_aead_aes_128_gcm_siv BORINGSSL_PREFIX %+ _EVP_aead_aes_128_gcm_siv\n%xdefine EVP_aead_aes_128_gcm_tls12 BORINGSSL_PREFIX %+ _EVP_aead_aes_128_gcm_tls12\n%xdefine EVP_aead_aes_128_gcm_tls13 BORINGSSL_PREFIX %+ _EVP_aead_aes_128_gcm_tls13\n%xdefine EVP_aead_aes_192_gcm BORINGSSL_PREFIX %+ _EVP_aead_aes_192_gcm\n%xdefine EVP_aead_aes_256_cbc_sha1_tls BORINGSSL_PREFIX %+ _EVP_aead_aes_256_cbc_sha1_tls\n%xdefine EVP_aead_aes_256_cbc_sha1_tls_implicit_iv BORINGSSL_PREFIX %+ _EVP_aead_aes_256_cbc_sha1_tls_implicit_iv\n%xdefine EVP_aead_aes_256_ctr_hmac_sha256 BORINGSSL_PREFIX %+ _EVP_aead_aes_256_ctr_hmac_sha256\n%xdefine EVP_aead_aes_256_gcm BORINGSSL_PREFIX %+ _EVP_aead_aes_256_gcm\n%xdefine EVP_aead_aes_256_gcm_randnonce BORINGSSL_PREFIX %+ _EVP_aead_aes_256_gcm_randnonce\n%xdefine EVP_aead_aes_256_gcm_siv BORINGSSL_PREFIX %+ _EVP_aead_aes_256_gcm_siv\n%xdefine EVP_aead_aes_256_gcm_tls12 BORINGSSL_PREFIX %+ _EVP_aead_aes_256_gcm_tls12\n%xdefine EVP_aead_aes_256_gcm_tls13 BORINGSSL_PREFIX %+ _EVP_aead_aes_256_gcm_tls13\n%xdefine EVP_aead_chacha20_poly1305 BORINGSSL_PREFIX %+ _EVP_aead_chacha20_poly1305\n%xdefine EVP_aead_des_ede3_cbc_sha1_tls BORINGSSL_PREFIX %+ _EVP_aead_des_ede3_cbc_sha1_tls\n%xdefine EVP_aead_des_ede3_cbc_sha1_tls_implicit_iv BORINGSSL_PREFIX %+ _EVP_aead_des_ede3_cbc_sha1_tls_implicit_iv\n%xdefine EVP_aead_xchacha20_poly1305 BORINGSSL_PREFIX %+ _EVP_aead_xchacha20_poly1305\n%xdefine EVP_aes_128_cbc BORINGSSL_PREFIX %+ _EVP_aes_128_cbc\n%xdefine EVP_aes_128_ctr BORINGSSL_PREFIX %+ _EVP_aes_128_ctr\n%xdefine EVP_aes_128_ecb BORINGSSL_PREFIX %+ _EVP_aes_128_ecb\n%xdefine EVP_aes_128_gcm BORINGSSL_PREFIX %+ _EVP_aes_128_gcm\n%xdefine EVP_aes_128_ofb BORINGSSL_PREFIX %+ _EVP_aes_128_ofb\n%xdefine EVP_aes_192_cbc BORINGSSL_PREFIX %+ _EVP_aes_192_cbc\n%xdefine EVP_aes_192_ctr BORINGSSL_PREFIX %+ _EVP_aes_192_ctr\n%xdefine EVP_aes_192_ecb BORINGSSL_PREFIX %+ _EVP_aes_192_ecb\n%xdefine EVP_aes_192_gcm BORINGSSL_PREFIX %+ _EVP_aes_192_gcm\n%xdefine EVP_aes_192_ofb BORINGSSL_PREFIX %+ _EVP_aes_192_ofb\n%xdefine EVP_aes_256_cbc BORINGSSL_PREFIX %+ _EVP_aes_256_cbc\n%xdefine EVP_aes_256_ctr BORINGSSL_PREFIX %+ _EVP_aes_256_ctr\n%xdefine EVP_aes_256_ecb BORINGSSL_PREFIX %+ _EVP_aes_256_ecb\n%xdefine EVP_aes_256_gcm BORINGSSL_PREFIX %+ _EVP_aes_256_gcm\n%xdefine EVP_aes_256_ofb BORINGSSL_PREFIX %+ _EVP_aes_256_ofb\n%xdefine EVP_blake2b256 BORINGSSL_PREFIX %+ _EVP_blake2b256\n%xdefine EVP_cleanup BORINGSSL_PREFIX %+ _EVP_cleanup\n%xdefine EVP_des_cbc BORINGSSL_PREFIX %+ _EVP_des_cbc\n%xdefine EVP_des_ecb BORINGSSL_PREFIX %+ _EVP_des_ecb\n%xdefine EVP_des_ede BORINGSSL_PREFIX %+ _EVP_des_ede\n%xdefine EVP_des_ede3 BORINGSSL_PREFIX %+ _EVP_des_ede3\n%xdefine EVP_des_ede3_cbc BORINGSSL_PREFIX %+ _EVP_des_ede3_cbc\n%xdefine EVP_des_ede3_ecb BORINGSSL_PREFIX %+ _EVP_des_ede3_ecb\n%xdefine EVP_des_ede_cbc BORINGSSL_PREFIX %+ _EVP_des_ede_cbc\n%xdefine EVP_enc_null BORINGSSL_PREFIX %+ _EVP_enc_null\n%xdefine EVP_get_cipherbyname BORINGSSL_PREFIX %+ _EVP_get_cipherbyname\n%xdefine EVP_get_cipherbynid BORINGSSL_PREFIX %+ _EVP_get_cipherbynid\n%xdefine EVP_get_digestbyname BORINGSSL_PREFIX %+ _EVP_get_digestbyname\n%xdefine EVP_get_digestbynid BORINGSSL_PREFIX %+ _EVP_get_digestbynid\n%xdefine EVP_get_digestbyobj BORINGSSL_PREFIX %+ _EVP_get_digestbyobj\n%xdefine EVP_has_aes_hardware BORINGSSL_PREFIX %+ _EVP_has_aes_hardware\n%xdefine EVP_hpke_aes_128_gcm BORINGSSL_PREFIX %+ _EVP_hpke_aes_128_gcm\n%xdefine EVP_hpke_aes_256_gcm BORINGSSL_PREFIX %+ _EVP_hpke_aes_256_gcm\n%xdefine EVP_hpke_chacha20_poly1305 BORINGSSL_PREFIX %+ _EVP_hpke_chacha20_poly1305\n%xdefine EVP_hpke_hkdf_sha256 BORINGSSL_PREFIX %+ _EVP_hpke_hkdf_sha256\n%xdefine EVP_hpke_p256_hkdf_sha256 BORINGSSL_PREFIX %+ _EVP_hpke_p256_hkdf_sha256\n%xdefine EVP_hpke_x25519_hkdf_sha256 BORINGSSL_PREFIX %+ _EVP_hpke_x25519_hkdf_sha256\n%xdefine EVP_marshal_digest_algorithm BORINGSSL_PREFIX %+ _EVP_marshal_digest_algorithm\n%xdefine EVP_marshal_private_key BORINGSSL_PREFIX %+ _EVP_marshal_private_key\n%xdefine EVP_marshal_public_key BORINGSSL_PREFIX %+ _EVP_marshal_public_key\n%xdefine EVP_md4 BORINGSSL_PREFIX %+ _EVP_md4\n%xdefine EVP_md5 BORINGSSL_PREFIX %+ _EVP_md5\n%xdefine EVP_md5_sha1 BORINGSSL_PREFIX %+ _EVP_md5_sha1\n%xdefine EVP_parse_digest_algorithm BORINGSSL_PREFIX %+ _EVP_parse_digest_algorithm\n%xdefine EVP_parse_private_key BORINGSSL_PREFIX %+ _EVP_parse_private_key\n%xdefine EVP_parse_public_key BORINGSSL_PREFIX %+ _EVP_parse_public_key\n%xdefine EVP_rc2_40_cbc BORINGSSL_PREFIX %+ _EVP_rc2_40_cbc\n%xdefine EVP_rc2_cbc BORINGSSL_PREFIX %+ _EVP_rc2_cbc\n%xdefine EVP_rc4 BORINGSSL_PREFIX %+ _EVP_rc4\n%xdefine EVP_sha1 BORINGSSL_PREFIX %+ _EVP_sha1\n%xdefine EVP_sha1_final_with_secret_suffix BORINGSSL_PREFIX %+ _EVP_sha1_final_with_secret_suffix\n%xdefine EVP_sha224 BORINGSSL_PREFIX %+ _EVP_sha224\n%xdefine EVP_sha256 BORINGSSL_PREFIX %+ _EVP_sha256\n%xdefine EVP_sha256_final_with_secret_suffix BORINGSSL_PREFIX %+ _EVP_sha256_final_with_secret_suffix\n%xdefine EVP_sha384 BORINGSSL_PREFIX %+ _EVP_sha384\n%xdefine EVP_sha512 BORINGSSL_PREFIX %+ _EVP_sha512\n%xdefine EVP_sha512_256 BORINGSSL_PREFIX %+ _EVP_sha512_256\n%xdefine EVP_tls_cbc_copy_mac BORINGSSL_PREFIX %+ _EVP_tls_cbc_copy_mac\n%xdefine EVP_tls_cbc_digest_record BORINGSSL_PREFIX %+ _EVP_tls_cbc_digest_record\n%xdefine EVP_tls_cbc_record_digest_supported BORINGSSL_PREFIX %+ _EVP_tls_cbc_record_digest_supported\n%xdefine EVP_tls_cbc_remove_padding BORINGSSL_PREFIX %+ _EVP_tls_cbc_remove_padding\n%xdefine EXTENDED_KEY_USAGE_free BORINGSSL_PREFIX %+ _EXTENDED_KEY_USAGE_free\n%xdefine EXTENDED_KEY_USAGE_it BORINGSSL_PREFIX %+ _EXTENDED_KEY_USAGE_it\n%xdefine EXTENDED_KEY_USAGE_new BORINGSSL_PREFIX %+ _EXTENDED_KEY_USAGE_new\n%xdefine FIPS_mode BORINGSSL_PREFIX %+ _FIPS_mode\n%xdefine FIPS_mode_set BORINGSSL_PREFIX %+ _FIPS_mode_set\n%xdefine FIPS_module_name BORINGSSL_PREFIX %+ _FIPS_module_name\n%xdefine FIPS_query_algorithm_status BORINGSSL_PREFIX %+ _FIPS_query_algorithm_status\n%xdefine FIPS_read_counter BORINGSSL_PREFIX %+ _FIPS_read_counter\n%xdefine FIPS_service_indicator_after_call BORINGSSL_PREFIX %+ _FIPS_service_indicator_after_call\n%xdefine FIPS_service_indicator_before_call BORINGSSL_PREFIX %+ _FIPS_service_indicator_before_call\n%xdefine FIPS_version BORINGSSL_PREFIX %+ _FIPS_version\n%xdefine GENERAL_NAMES_free BORINGSSL_PREFIX %+ _GENERAL_NAMES_free\n%xdefine GENERAL_NAMES_it BORINGSSL_PREFIX %+ _GENERAL_NAMES_it\n%xdefine GENERAL_NAMES_new BORINGSSL_PREFIX %+ _GENERAL_NAMES_new\n%xdefine GENERAL_NAME_cmp BORINGSSL_PREFIX %+ _GENERAL_NAME_cmp\n%xdefine GENERAL_NAME_dup BORINGSSL_PREFIX %+ _GENERAL_NAME_dup\n%xdefine GENERAL_NAME_free BORINGSSL_PREFIX %+ _GENERAL_NAME_free\n%xdefine GENERAL_NAME_get0_otherName BORINGSSL_PREFIX %+ _GENERAL_NAME_get0_otherName\n%xdefine GENERAL_NAME_get0_value BORINGSSL_PREFIX %+ _GENERAL_NAME_get0_value\n%xdefine GENERAL_NAME_it BORINGSSL_PREFIX %+ _GENERAL_NAME_it\n%xdefine GENERAL_NAME_new BORINGSSL_PREFIX %+ _GENERAL_NAME_new\n%xdefine GENERAL_NAME_print BORINGSSL_PREFIX %+ _GENERAL_NAME_print\n%xdefine GENERAL_NAME_set0_othername BORINGSSL_PREFIX %+ _GENERAL_NAME_set0_othername\n%xdefine GENERAL_NAME_set0_value BORINGSSL_PREFIX %+ _GENERAL_NAME_set0_value\n%xdefine GENERAL_SUBTREE_free BORINGSSL_PREFIX %+ _GENERAL_SUBTREE_free\n%xdefine GENERAL_SUBTREE_new BORINGSSL_PREFIX %+ _GENERAL_SUBTREE_new\n%xdefine HKDF BORINGSSL_PREFIX %+ _HKDF\n%xdefine HKDF_expand BORINGSSL_PREFIX %+ _HKDF_expand\n%xdefine HKDF_extract BORINGSSL_PREFIX %+ _HKDF_extract\n%xdefine HMAC BORINGSSL_PREFIX %+ _HMAC\n%xdefine HMAC_CTX_cleanse BORINGSSL_PREFIX %+ _HMAC_CTX_cleanse\n%xdefine HMAC_CTX_cleanup BORINGSSL_PREFIX %+ _HMAC_CTX_cleanup\n%xdefine HMAC_CTX_copy BORINGSSL_PREFIX %+ _HMAC_CTX_copy\n%xdefine HMAC_CTX_copy_ex BORINGSSL_PREFIX %+ _HMAC_CTX_copy_ex\n%xdefine HMAC_CTX_free BORINGSSL_PREFIX %+ _HMAC_CTX_free\n%xdefine HMAC_CTX_get_md BORINGSSL_PREFIX %+ _HMAC_CTX_get_md\n%xdefine HMAC_CTX_init BORINGSSL_PREFIX %+ _HMAC_CTX_init\n%xdefine HMAC_CTX_new BORINGSSL_PREFIX %+ _HMAC_CTX_new\n%xdefine HMAC_CTX_reset BORINGSSL_PREFIX %+ _HMAC_CTX_reset\n%xdefine HMAC_Final BORINGSSL_PREFIX %+ _HMAC_Final\n%xdefine HMAC_Init BORINGSSL_PREFIX %+ _HMAC_Init\n%xdefine HMAC_Init_ex BORINGSSL_PREFIX %+ _HMAC_Init_ex\n%xdefine HMAC_Update BORINGSSL_PREFIX %+ _HMAC_Update\n%xdefine HMAC_size BORINGSSL_PREFIX %+ _HMAC_size\n%xdefine HRSS_decap BORINGSSL_PREFIX %+ _HRSS_decap\n%xdefine HRSS_encap BORINGSSL_PREFIX %+ _HRSS_encap\n%xdefine HRSS_generate_key BORINGSSL_PREFIX %+ _HRSS_generate_key\n%xdefine HRSS_marshal_public_key BORINGSSL_PREFIX %+ _HRSS_marshal_public_key\n%xdefine HRSS_parse_public_key BORINGSSL_PREFIX %+ _HRSS_parse_public_key\n%xdefine HRSS_poly3_invert BORINGSSL_PREFIX %+ _HRSS_poly3_invert\n%xdefine HRSS_poly3_mul BORINGSSL_PREFIX %+ _HRSS_poly3_mul\n%xdefine ISSUING_DIST_POINT_free BORINGSSL_PREFIX %+ _ISSUING_DIST_POINT_free\n%xdefine ISSUING_DIST_POINT_it BORINGSSL_PREFIX %+ _ISSUING_DIST_POINT_it\n%xdefine ISSUING_DIST_POINT_new BORINGSSL_PREFIX %+ _ISSUING_DIST_POINT_new\n%xdefine KYBER_decap BORINGSSL_PREFIX %+ _KYBER_decap\n%xdefine KYBER_encap BORINGSSL_PREFIX %+ _KYBER_encap\n%xdefine KYBER_encap_external_entropy BORINGSSL_PREFIX %+ _KYBER_encap_external_entropy\n%xdefine KYBER_generate_key BORINGSSL_PREFIX %+ _KYBER_generate_key\n%xdefine KYBER_generate_key_external_entropy BORINGSSL_PREFIX %+ _KYBER_generate_key_external_entropy\n%xdefine KYBER_marshal_private_key BORINGSSL_PREFIX %+ _KYBER_marshal_private_key\n%xdefine KYBER_marshal_public_key BORINGSSL_PREFIX %+ _KYBER_marshal_public_key\n%xdefine KYBER_parse_private_key BORINGSSL_PREFIX %+ _KYBER_parse_private_key\n%xdefine KYBER_parse_public_key BORINGSSL_PREFIX %+ _KYBER_parse_public_key\n%xdefine KYBER_public_from_private BORINGSSL_PREFIX %+ _KYBER_public_from_private\n%xdefine MD4 BORINGSSL_PREFIX %+ _MD4\n%xdefine MD4_Final BORINGSSL_PREFIX %+ _MD4_Final\n%xdefine MD4_Init BORINGSSL_PREFIX %+ _MD4_Init\n%xdefine MD4_Transform BORINGSSL_PREFIX %+ _MD4_Transform\n%xdefine MD4_Update BORINGSSL_PREFIX %+ _MD4_Update\n%xdefine MD5 BORINGSSL_PREFIX %+ _MD5\n%xdefine MD5_Final BORINGSSL_PREFIX %+ _MD5_Final\n%xdefine MD5_Init BORINGSSL_PREFIX %+ _MD5_Init\n%xdefine MD5_Transform BORINGSSL_PREFIX %+ _MD5_Transform\n%xdefine MD5_Update BORINGSSL_PREFIX %+ _MD5_Update\n%xdefine METHOD_ref BORINGSSL_PREFIX %+ _METHOD_ref\n%xdefine METHOD_unref BORINGSSL_PREFIX %+ _METHOD_unref\n%xdefine MLDSA65_generate_key BORINGSSL_PREFIX %+ _MLDSA65_generate_key\n%xdefine MLDSA65_marshal_public_key BORINGSSL_PREFIX %+ _MLDSA65_marshal_public_key\n%xdefine MLDSA65_parse_public_key BORINGSSL_PREFIX %+ _MLDSA65_parse_public_key\n%xdefine MLDSA65_private_key_from_seed BORINGSSL_PREFIX %+ _MLDSA65_private_key_from_seed\n%xdefine MLDSA65_public_from_private BORINGSSL_PREFIX %+ _MLDSA65_public_from_private\n%xdefine MLDSA65_sign BORINGSSL_PREFIX %+ _MLDSA65_sign\n%xdefine MLDSA65_verify BORINGSSL_PREFIX %+ _MLDSA65_verify\n%xdefine MLKEM1024_decap BORINGSSL_PREFIX %+ _MLKEM1024_decap\n%xdefine MLKEM1024_encap BORINGSSL_PREFIX %+ _MLKEM1024_encap\n%xdefine MLKEM1024_generate_key BORINGSSL_PREFIX %+ _MLKEM1024_generate_key\n%xdefine MLKEM1024_marshal_public_key BORINGSSL_PREFIX %+ _MLKEM1024_marshal_public_key\n%xdefine MLKEM1024_parse_public_key BORINGSSL_PREFIX %+ _MLKEM1024_parse_public_key\n%xdefine MLKEM1024_private_key_from_seed BORINGSSL_PREFIX %+ _MLKEM1024_private_key_from_seed\n%xdefine MLKEM1024_public_from_private BORINGSSL_PREFIX %+ _MLKEM1024_public_from_private\n%xdefine MLKEM768_decap BORINGSSL_PREFIX %+ _MLKEM768_decap\n%xdefine MLKEM768_encap BORINGSSL_PREFIX %+ _MLKEM768_encap\n%xdefine MLKEM768_generate_key BORINGSSL_PREFIX %+ _MLKEM768_generate_key\n%xdefine MLKEM768_marshal_public_key BORINGSSL_PREFIX %+ _MLKEM768_marshal_public_key\n%xdefine MLKEM768_parse_public_key BORINGSSL_PREFIX %+ _MLKEM768_parse_public_key\n%xdefine MLKEM768_private_key_from_seed BORINGSSL_PREFIX %+ _MLKEM768_private_key_from_seed\n%xdefine MLKEM768_public_from_private BORINGSSL_PREFIX %+ _MLKEM768_public_from_private\n%xdefine NAME_CONSTRAINTS_check BORINGSSL_PREFIX %+ _NAME_CONSTRAINTS_check\n%xdefine NAME_CONSTRAINTS_free BORINGSSL_PREFIX %+ _NAME_CONSTRAINTS_free\n%xdefine NAME_CONSTRAINTS_it BORINGSSL_PREFIX %+ _NAME_CONSTRAINTS_it\n%xdefine NAME_CONSTRAINTS_new BORINGSSL_PREFIX %+ _NAME_CONSTRAINTS_new\n%xdefine NCONF_free BORINGSSL_PREFIX %+ _NCONF_free\n%xdefine NCONF_get_section BORINGSSL_PREFIX %+ _NCONF_get_section\n%xdefine NCONF_get_string BORINGSSL_PREFIX %+ _NCONF_get_string\n%xdefine NCONF_load BORINGSSL_PREFIX %+ _NCONF_load\n%xdefine NCONF_load_bio BORINGSSL_PREFIX %+ _NCONF_load_bio\n%xdefine NCONF_new BORINGSSL_PREFIX %+ _NCONF_new\n%xdefine NETSCAPE_SPKAC_free BORINGSSL_PREFIX %+ _NETSCAPE_SPKAC_free\n%xdefine NETSCAPE_SPKAC_it BORINGSSL_PREFIX %+ _NETSCAPE_SPKAC_it\n%xdefine NETSCAPE_SPKAC_new BORINGSSL_PREFIX %+ _NETSCAPE_SPKAC_new\n%xdefine NETSCAPE_SPKI_b64_decode BORINGSSL_PREFIX %+ _NETSCAPE_SPKI_b64_decode\n%xdefine NETSCAPE_SPKI_b64_encode BORINGSSL_PREFIX %+ _NETSCAPE_SPKI_b64_encode\n%xdefine NETSCAPE_SPKI_free BORINGSSL_PREFIX %+ _NETSCAPE_SPKI_free\n%xdefine NETSCAPE_SPKI_get_pubkey BORINGSSL_PREFIX %+ _NETSCAPE_SPKI_get_pubkey\n%xdefine NETSCAPE_SPKI_it BORINGSSL_PREFIX %+ _NETSCAPE_SPKI_it\n%xdefine NETSCAPE_SPKI_new BORINGSSL_PREFIX %+ _NETSCAPE_SPKI_new\n%xdefine NETSCAPE_SPKI_set_pubkey BORINGSSL_PREFIX %+ _NETSCAPE_SPKI_set_pubkey\n%xdefine NETSCAPE_SPKI_sign BORINGSSL_PREFIX %+ _NETSCAPE_SPKI_sign\n%xdefine NETSCAPE_SPKI_verify BORINGSSL_PREFIX %+ _NETSCAPE_SPKI_verify\n%xdefine NOTICEREF_free BORINGSSL_PREFIX %+ _NOTICEREF_free\n%xdefine NOTICEREF_it BORINGSSL_PREFIX %+ _NOTICEREF_it\n%xdefine NOTICEREF_new BORINGSSL_PREFIX %+ _NOTICEREF_new\n%xdefine OBJ_cbs2nid BORINGSSL_PREFIX %+ _OBJ_cbs2nid\n%xdefine OBJ_cleanup BORINGSSL_PREFIX %+ _OBJ_cleanup\n%xdefine OBJ_cmp BORINGSSL_PREFIX %+ _OBJ_cmp\n%xdefine OBJ_create BORINGSSL_PREFIX %+ _OBJ_create\n%xdefine OBJ_dup BORINGSSL_PREFIX %+ _OBJ_dup\n%xdefine OBJ_find_sigid_algs BORINGSSL_PREFIX %+ _OBJ_find_sigid_algs\n%xdefine OBJ_find_sigid_by_algs BORINGSSL_PREFIX %+ _OBJ_find_sigid_by_algs\n%xdefine OBJ_get0_data BORINGSSL_PREFIX %+ _OBJ_get0_data\n%xdefine OBJ_get_undef BORINGSSL_PREFIX %+ _OBJ_get_undef\n%xdefine OBJ_length BORINGSSL_PREFIX %+ _OBJ_length\n%xdefine OBJ_ln2nid BORINGSSL_PREFIX %+ _OBJ_ln2nid\n%xdefine OBJ_nid2cbb BORINGSSL_PREFIX %+ _OBJ_nid2cbb\n%xdefine OBJ_nid2ln BORINGSSL_PREFIX %+ _OBJ_nid2ln\n%xdefine OBJ_nid2obj BORINGSSL_PREFIX %+ _OBJ_nid2obj\n%xdefine OBJ_nid2sn BORINGSSL_PREFIX %+ _OBJ_nid2sn\n%xdefine OBJ_obj2nid BORINGSSL_PREFIX %+ _OBJ_obj2nid\n%xdefine OBJ_obj2txt BORINGSSL_PREFIX %+ _OBJ_obj2txt\n%xdefine OBJ_sn2nid BORINGSSL_PREFIX %+ _OBJ_sn2nid\n%xdefine OBJ_txt2nid BORINGSSL_PREFIX %+ _OBJ_txt2nid\n%xdefine OBJ_txt2obj BORINGSSL_PREFIX %+ _OBJ_txt2obj\n%xdefine OPENSSL_add_all_algorithms_conf BORINGSSL_PREFIX %+ _OPENSSL_add_all_algorithms_conf\n%xdefine OPENSSL_armcap_P BORINGSSL_PREFIX %+ _OPENSSL_armcap_P\n%xdefine OPENSSL_asprintf BORINGSSL_PREFIX %+ _OPENSSL_asprintf\n%xdefine OPENSSL_calloc BORINGSSL_PREFIX %+ _OPENSSL_calloc\n%xdefine OPENSSL_cleanse BORINGSSL_PREFIX %+ _OPENSSL_cleanse\n%xdefine OPENSSL_cleanup BORINGSSL_PREFIX %+ _OPENSSL_cleanup\n%xdefine OPENSSL_clear_free BORINGSSL_PREFIX %+ _OPENSSL_clear_free\n%xdefine OPENSSL_config BORINGSSL_PREFIX %+ _OPENSSL_config\n%xdefine OPENSSL_cpuid_setup BORINGSSL_PREFIX %+ _OPENSSL_cpuid_setup\n%xdefine OPENSSL_free BORINGSSL_PREFIX %+ _OPENSSL_free\n%xdefine OPENSSL_fromxdigit BORINGSSL_PREFIX %+ _OPENSSL_fromxdigit\n%xdefine OPENSSL_get_armcap BORINGSSL_PREFIX %+ _OPENSSL_get_armcap\n%xdefine OPENSSL_get_armcap_pointer_for_test BORINGSSL_PREFIX %+ _OPENSSL_get_armcap_pointer_for_test\n%xdefine OPENSSL_get_ia32cap BORINGSSL_PREFIX %+ _OPENSSL_get_ia32cap\n%xdefine OPENSSL_gmtime BORINGSSL_PREFIX %+ _OPENSSL_gmtime\n%xdefine OPENSSL_gmtime_adj BORINGSSL_PREFIX %+ _OPENSSL_gmtime_adj\n%xdefine OPENSSL_gmtime_diff BORINGSSL_PREFIX %+ _OPENSSL_gmtime_diff\n%xdefine OPENSSL_hash32 BORINGSSL_PREFIX %+ _OPENSSL_hash32\n%xdefine OPENSSL_ia32cap_P BORINGSSL_PREFIX %+ _OPENSSL_ia32cap_P\n%xdefine OPENSSL_init_cpuid BORINGSSL_PREFIX %+ _OPENSSL_init_cpuid\n%xdefine OPENSSL_init_crypto BORINGSSL_PREFIX %+ _OPENSSL_init_crypto\n%xdefine OPENSSL_init_ssl BORINGSSL_PREFIX %+ _OPENSSL_init_ssl\n%xdefine OPENSSL_isalnum BORINGSSL_PREFIX %+ _OPENSSL_isalnum\n%xdefine OPENSSL_isalpha BORINGSSL_PREFIX %+ _OPENSSL_isalpha\n%xdefine OPENSSL_isdigit BORINGSSL_PREFIX %+ _OPENSSL_isdigit\n%xdefine OPENSSL_isspace BORINGSSL_PREFIX %+ _OPENSSL_isspace\n%xdefine OPENSSL_isxdigit BORINGSSL_PREFIX %+ _OPENSSL_isxdigit\n%xdefine OPENSSL_lh_delete BORINGSSL_PREFIX %+ _OPENSSL_lh_delete\n%xdefine OPENSSL_lh_doall_arg BORINGSSL_PREFIX %+ _OPENSSL_lh_doall_arg\n%xdefine OPENSSL_lh_free BORINGSSL_PREFIX %+ _OPENSSL_lh_free\n%xdefine OPENSSL_lh_insert BORINGSSL_PREFIX %+ _OPENSSL_lh_insert\n%xdefine OPENSSL_lh_new BORINGSSL_PREFIX %+ _OPENSSL_lh_new\n%xdefine OPENSSL_lh_num_items BORINGSSL_PREFIX %+ _OPENSSL_lh_num_items\n%xdefine OPENSSL_lh_retrieve BORINGSSL_PREFIX %+ _OPENSSL_lh_retrieve\n%xdefine OPENSSL_lh_retrieve_key BORINGSSL_PREFIX %+ _OPENSSL_lh_retrieve_key\n%xdefine OPENSSL_load_builtin_modules BORINGSSL_PREFIX %+ _OPENSSL_load_builtin_modules\n%xdefine OPENSSL_malloc BORINGSSL_PREFIX %+ _OPENSSL_malloc\n%xdefine OPENSSL_malloc_init BORINGSSL_PREFIX %+ _OPENSSL_malloc_init\n%xdefine OPENSSL_memdup BORINGSSL_PREFIX %+ _OPENSSL_memdup\n%xdefine OPENSSL_no_config BORINGSSL_PREFIX %+ _OPENSSL_no_config\n%xdefine OPENSSL_posix_to_tm BORINGSSL_PREFIX %+ _OPENSSL_posix_to_tm\n%xdefine OPENSSL_realloc BORINGSSL_PREFIX %+ _OPENSSL_realloc\n%xdefine OPENSSL_secure_clear_free BORINGSSL_PREFIX %+ _OPENSSL_secure_clear_free\n%xdefine OPENSSL_secure_malloc BORINGSSL_PREFIX %+ _OPENSSL_secure_malloc\n%xdefine OPENSSL_sk_deep_copy BORINGSSL_PREFIX %+ _OPENSSL_sk_deep_copy\n%xdefine OPENSSL_sk_delete BORINGSSL_PREFIX %+ _OPENSSL_sk_delete\n%xdefine OPENSSL_sk_delete_if BORINGSSL_PREFIX %+ _OPENSSL_sk_delete_if\n%xdefine OPENSSL_sk_delete_ptr BORINGSSL_PREFIX %+ _OPENSSL_sk_delete_ptr\n%xdefine OPENSSL_sk_dup BORINGSSL_PREFIX %+ _OPENSSL_sk_dup\n%xdefine OPENSSL_sk_find BORINGSSL_PREFIX %+ _OPENSSL_sk_find\n%xdefine OPENSSL_sk_free BORINGSSL_PREFIX %+ _OPENSSL_sk_free\n%xdefine OPENSSL_sk_insert BORINGSSL_PREFIX %+ _OPENSSL_sk_insert\n%xdefine OPENSSL_sk_is_sorted BORINGSSL_PREFIX %+ _OPENSSL_sk_is_sorted\n%xdefine OPENSSL_sk_new BORINGSSL_PREFIX %+ _OPENSSL_sk_new\n%xdefine OPENSSL_sk_new_null BORINGSSL_PREFIX %+ _OPENSSL_sk_new_null\n%xdefine OPENSSL_sk_num BORINGSSL_PREFIX %+ _OPENSSL_sk_num\n%xdefine OPENSSL_sk_pop BORINGSSL_PREFIX %+ _OPENSSL_sk_pop\n%xdefine OPENSSL_sk_pop_free_ex BORINGSSL_PREFIX %+ _OPENSSL_sk_pop_free_ex\n%xdefine OPENSSL_sk_push BORINGSSL_PREFIX %+ _OPENSSL_sk_push\n%xdefine OPENSSL_sk_set BORINGSSL_PREFIX %+ _OPENSSL_sk_set\n%xdefine OPENSSL_sk_set_cmp_func BORINGSSL_PREFIX %+ _OPENSSL_sk_set_cmp_func\n%xdefine OPENSSL_sk_shift BORINGSSL_PREFIX %+ _OPENSSL_sk_shift\n%xdefine OPENSSL_sk_sort BORINGSSL_PREFIX %+ _OPENSSL_sk_sort\n%xdefine OPENSSL_sk_value BORINGSSL_PREFIX %+ _OPENSSL_sk_value\n%xdefine OPENSSL_sk_zero BORINGSSL_PREFIX %+ _OPENSSL_sk_zero\n%xdefine OPENSSL_strcasecmp BORINGSSL_PREFIX %+ _OPENSSL_strcasecmp\n%xdefine OPENSSL_strdup BORINGSSL_PREFIX %+ _OPENSSL_strdup\n%xdefine OPENSSL_strhash BORINGSSL_PREFIX %+ _OPENSSL_strhash\n%xdefine OPENSSL_strlcat BORINGSSL_PREFIX %+ _OPENSSL_strlcat\n%xdefine OPENSSL_strlcpy BORINGSSL_PREFIX %+ _OPENSSL_strlcpy\n%xdefine OPENSSL_strncasecmp BORINGSSL_PREFIX %+ _OPENSSL_strncasecmp\n%xdefine OPENSSL_strndup BORINGSSL_PREFIX %+ _OPENSSL_strndup\n%xdefine OPENSSL_strnlen BORINGSSL_PREFIX %+ _OPENSSL_strnlen\n%xdefine OPENSSL_timegm BORINGSSL_PREFIX %+ _OPENSSL_timegm\n%xdefine OPENSSL_tm_to_posix BORINGSSL_PREFIX %+ _OPENSSL_tm_to_posix\n%xdefine OPENSSL_tolower BORINGSSL_PREFIX %+ _OPENSSL_tolower\n%xdefine OPENSSL_vasprintf BORINGSSL_PREFIX %+ _OPENSSL_vasprintf\n%xdefine OPENSSL_vasprintf_internal BORINGSSL_PREFIX %+ _OPENSSL_vasprintf_internal\n%xdefine OPENSSL_zalloc BORINGSSL_PREFIX %+ _OPENSSL_zalloc\n%xdefine OTHERNAME_free BORINGSSL_PREFIX %+ _OTHERNAME_free\n%xdefine OTHERNAME_new BORINGSSL_PREFIX %+ _OTHERNAME_new\n%xdefine OpenSSL_add_all_algorithms BORINGSSL_PREFIX %+ _OpenSSL_add_all_algorithms\n%xdefine OpenSSL_add_all_ciphers BORINGSSL_PREFIX %+ _OpenSSL_add_all_ciphers\n%xdefine OpenSSL_add_all_digests BORINGSSL_PREFIX %+ _OpenSSL_add_all_digests\n%xdefine OpenSSL_version BORINGSSL_PREFIX %+ _OpenSSL_version\n%xdefine OpenSSL_version_num BORINGSSL_PREFIX %+ _OpenSSL_version_num\n%xdefine PEM_ASN1_read BORINGSSL_PREFIX %+ _PEM_ASN1_read\n%xdefine PEM_ASN1_read_bio BORINGSSL_PREFIX %+ _PEM_ASN1_read_bio\n%xdefine PEM_ASN1_write BORINGSSL_PREFIX %+ _PEM_ASN1_write\n%xdefine PEM_ASN1_write_bio BORINGSSL_PREFIX %+ _PEM_ASN1_write_bio\n%xdefine PEM_X509_INFO_read BORINGSSL_PREFIX %+ _PEM_X509_INFO_read\n%xdefine PEM_X509_INFO_read_bio BORINGSSL_PREFIX %+ _PEM_X509_INFO_read_bio\n%xdefine PEM_bytes_read_bio BORINGSSL_PREFIX %+ _PEM_bytes_read_bio\n%xdefine PEM_def_callback BORINGSSL_PREFIX %+ _PEM_def_callback\n%xdefine PEM_do_header BORINGSSL_PREFIX %+ _PEM_do_header\n%xdefine PEM_get_EVP_CIPHER_INFO BORINGSSL_PREFIX %+ _PEM_get_EVP_CIPHER_INFO\n%xdefine PEM_read BORINGSSL_PREFIX %+ _PEM_read\n%xdefine PEM_read_DHparams BORINGSSL_PREFIX %+ _PEM_read_DHparams\n%xdefine PEM_read_DSAPrivateKey BORINGSSL_PREFIX %+ _PEM_read_DSAPrivateKey\n%xdefine PEM_read_DSA_PUBKEY BORINGSSL_PREFIX %+ _PEM_read_DSA_PUBKEY\n%xdefine PEM_read_DSAparams BORINGSSL_PREFIX %+ _PEM_read_DSAparams\n%xdefine PEM_read_ECPrivateKey BORINGSSL_PREFIX %+ _PEM_read_ECPrivateKey\n%xdefine PEM_read_EC_PUBKEY BORINGSSL_PREFIX %+ _PEM_read_EC_PUBKEY\n%xdefine PEM_read_PKCS7 BORINGSSL_PREFIX %+ _PEM_read_PKCS7\n%xdefine PEM_read_PKCS8 BORINGSSL_PREFIX %+ _PEM_read_PKCS8\n%xdefine PEM_read_PKCS8_PRIV_KEY_INFO BORINGSSL_PREFIX %+ _PEM_read_PKCS8_PRIV_KEY_INFO\n%xdefine PEM_read_PUBKEY BORINGSSL_PREFIX %+ _PEM_read_PUBKEY\n%xdefine PEM_read_PrivateKey BORINGSSL_PREFIX %+ _PEM_read_PrivateKey\n%xdefine PEM_read_RSAPrivateKey BORINGSSL_PREFIX %+ _PEM_read_RSAPrivateKey\n%xdefine PEM_read_RSAPublicKey BORINGSSL_PREFIX %+ _PEM_read_RSAPublicKey\n%xdefine PEM_read_RSA_PUBKEY BORINGSSL_PREFIX %+ _PEM_read_RSA_PUBKEY\n%xdefine PEM_read_SSL_SESSION BORINGSSL_PREFIX %+ _PEM_read_SSL_SESSION\n%xdefine PEM_read_X509 BORINGSSL_PREFIX %+ _PEM_read_X509\n%xdefine PEM_read_X509_AUX BORINGSSL_PREFIX %+ _PEM_read_X509_AUX\n%xdefine PEM_read_X509_CRL BORINGSSL_PREFIX %+ _PEM_read_X509_CRL\n%xdefine PEM_read_X509_REQ BORINGSSL_PREFIX %+ _PEM_read_X509_REQ\n%xdefine PEM_read_bio BORINGSSL_PREFIX %+ _PEM_read_bio\n%xdefine PEM_read_bio_DHparams BORINGSSL_PREFIX %+ _PEM_read_bio_DHparams\n%xdefine PEM_read_bio_DSAPrivateKey BORINGSSL_PREFIX %+ _PEM_read_bio_DSAPrivateKey\n%xdefine PEM_read_bio_DSA_PUBKEY BORINGSSL_PREFIX %+ _PEM_read_bio_DSA_PUBKEY\n%xdefine PEM_read_bio_DSAparams BORINGSSL_PREFIX %+ _PEM_read_bio_DSAparams\n%xdefine PEM_read_bio_ECPrivateKey BORINGSSL_PREFIX %+ _PEM_read_bio_ECPrivateKey\n%xdefine PEM_read_bio_EC_PUBKEY BORINGSSL_PREFIX %+ _PEM_read_bio_EC_PUBKEY\n%xdefine PEM_read_bio_PKCS7 BORINGSSL_PREFIX %+ _PEM_read_bio_PKCS7\n%xdefine PEM_read_bio_PKCS8 BORINGSSL_PREFIX %+ _PEM_read_bio_PKCS8\n%xdefine PEM_read_bio_PKCS8_PRIV_KEY_INFO BORINGSSL_PREFIX %+ _PEM_read_bio_PKCS8_PRIV_KEY_INFO\n%xdefine PEM_read_bio_PUBKEY BORINGSSL_PREFIX %+ _PEM_read_bio_PUBKEY\n%xdefine PEM_read_bio_PrivateKey BORINGSSL_PREFIX %+ _PEM_read_bio_PrivateKey\n%xdefine PEM_read_bio_RSAPrivateKey BORINGSSL_PREFIX %+ _PEM_read_bio_RSAPrivateKey\n%xdefine PEM_read_bio_RSAPublicKey BORINGSSL_PREFIX %+ _PEM_read_bio_RSAPublicKey\n%xdefine PEM_read_bio_RSA_PUBKEY BORINGSSL_PREFIX %+ _PEM_read_bio_RSA_PUBKEY\n%xdefine PEM_read_bio_SSL_SESSION BORINGSSL_PREFIX %+ _PEM_read_bio_SSL_SESSION\n%xdefine PEM_read_bio_X509 BORINGSSL_PREFIX %+ _PEM_read_bio_X509\n%xdefine PEM_read_bio_X509_AUX BORINGSSL_PREFIX %+ _PEM_read_bio_X509_AUX\n%xdefine PEM_read_bio_X509_CRL BORINGSSL_PREFIX %+ _PEM_read_bio_X509_CRL\n%xdefine PEM_read_bio_X509_REQ BORINGSSL_PREFIX %+ _PEM_read_bio_X509_REQ\n%xdefine PEM_write BORINGSSL_PREFIX %+ _PEM_write\n%xdefine PEM_write_DHparams BORINGSSL_PREFIX %+ _PEM_write_DHparams\n%xdefine PEM_write_DSAPrivateKey BORINGSSL_PREFIX %+ _PEM_write_DSAPrivateKey\n%xdefine PEM_write_DSA_PUBKEY BORINGSSL_PREFIX %+ _PEM_write_DSA_PUBKEY\n%xdefine PEM_write_DSAparams BORINGSSL_PREFIX %+ _PEM_write_DSAparams\n%xdefine PEM_write_ECPrivateKey BORINGSSL_PREFIX %+ _PEM_write_ECPrivateKey\n%xdefine PEM_write_EC_PUBKEY BORINGSSL_PREFIX %+ _PEM_write_EC_PUBKEY\n%xdefine PEM_write_PKCS7 BORINGSSL_PREFIX %+ _PEM_write_PKCS7\n%xdefine PEM_write_PKCS8 BORINGSSL_PREFIX %+ _PEM_write_PKCS8\n%xdefine PEM_write_PKCS8PrivateKey BORINGSSL_PREFIX %+ _PEM_write_PKCS8PrivateKey\n%xdefine PEM_write_PKCS8PrivateKey_nid BORINGSSL_PREFIX %+ _PEM_write_PKCS8PrivateKey_nid\n%xdefine PEM_write_PKCS8_PRIV_KEY_INFO BORINGSSL_PREFIX %+ _PEM_write_PKCS8_PRIV_KEY_INFO\n%xdefine PEM_write_PUBKEY BORINGSSL_PREFIX %+ _PEM_write_PUBKEY\n%xdefine PEM_write_PrivateKey BORINGSSL_PREFIX %+ _PEM_write_PrivateKey\n%xdefine PEM_write_RSAPrivateKey BORINGSSL_PREFIX %+ _PEM_write_RSAPrivateKey\n%xdefine PEM_write_RSAPublicKey BORINGSSL_PREFIX %+ _PEM_write_RSAPublicKey\n%xdefine PEM_write_RSA_PUBKEY BORINGSSL_PREFIX %+ _PEM_write_RSA_PUBKEY\n%xdefine PEM_write_SSL_SESSION BORINGSSL_PREFIX %+ _PEM_write_SSL_SESSION\n%xdefine PEM_write_X509 BORINGSSL_PREFIX %+ _PEM_write_X509\n%xdefine PEM_write_X509_AUX BORINGSSL_PREFIX %+ _PEM_write_X509_AUX\n%xdefine PEM_write_X509_CRL BORINGSSL_PREFIX %+ _PEM_write_X509_CRL\n%xdefine PEM_write_X509_REQ BORINGSSL_PREFIX %+ _PEM_write_X509_REQ\n%xdefine PEM_write_X509_REQ_NEW BORINGSSL_PREFIX %+ _PEM_write_X509_REQ_NEW\n%xdefine PEM_write_bio BORINGSSL_PREFIX %+ _PEM_write_bio\n%xdefine PEM_write_bio_DHparams BORINGSSL_PREFIX %+ _PEM_write_bio_DHparams\n%xdefine PEM_write_bio_DSAPrivateKey BORINGSSL_PREFIX %+ _PEM_write_bio_DSAPrivateKey\n%xdefine PEM_write_bio_DSA_PUBKEY BORINGSSL_PREFIX %+ _PEM_write_bio_DSA_PUBKEY\n%xdefine PEM_write_bio_DSAparams BORINGSSL_PREFIX %+ _PEM_write_bio_DSAparams\n%xdefine PEM_write_bio_ECPrivateKey BORINGSSL_PREFIX %+ _PEM_write_bio_ECPrivateKey\n%xdefine PEM_write_bio_EC_PUBKEY BORINGSSL_PREFIX %+ _PEM_write_bio_EC_PUBKEY\n%xdefine PEM_write_bio_PKCS7 BORINGSSL_PREFIX %+ _PEM_write_bio_PKCS7\n%xdefine PEM_write_bio_PKCS8 BORINGSSL_PREFIX %+ _PEM_write_bio_PKCS8\n%xdefine PEM_write_bio_PKCS8PrivateKey BORINGSSL_PREFIX %+ _PEM_write_bio_PKCS8PrivateKey\n%xdefine PEM_write_bio_PKCS8PrivateKey_nid BORINGSSL_PREFIX %+ _PEM_write_bio_PKCS8PrivateKey_nid\n%xdefine PEM_write_bio_PKCS8_PRIV_KEY_INFO BORINGSSL_PREFIX %+ _PEM_write_bio_PKCS8_PRIV_KEY_INFO\n%xdefine PEM_write_bio_PUBKEY BORINGSSL_PREFIX %+ _PEM_write_bio_PUBKEY\n%xdefine PEM_write_bio_PrivateKey BORINGSSL_PREFIX %+ _PEM_write_bio_PrivateKey\n%xdefine PEM_write_bio_RSAPrivateKey BORINGSSL_PREFIX %+ _PEM_write_bio_RSAPrivateKey\n%xdefine PEM_write_bio_RSAPublicKey BORINGSSL_PREFIX %+ _PEM_write_bio_RSAPublicKey\n%xdefine PEM_write_bio_RSA_PUBKEY BORINGSSL_PREFIX %+ _PEM_write_bio_RSA_PUBKEY\n%xdefine PEM_write_bio_SSL_SESSION BORINGSSL_PREFIX %+ _PEM_write_bio_SSL_SESSION\n%xdefine PEM_write_bio_X509 BORINGSSL_PREFIX %+ _PEM_write_bio_X509\n%xdefine PEM_write_bio_X509_AUX BORINGSSL_PREFIX %+ _PEM_write_bio_X509_AUX\n%xdefine PEM_write_bio_X509_CRL BORINGSSL_PREFIX %+ _PEM_write_bio_X509_CRL\n%xdefine PEM_write_bio_X509_REQ BORINGSSL_PREFIX %+ _PEM_write_bio_X509_REQ\n%xdefine PEM_write_bio_X509_REQ_NEW BORINGSSL_PREFIX %+ _PEM_write_bio_X509_REQ_NEW\n%xdefine PKCS12_PBE_add BORINGSSL_PREFIX %+ _PKCS12_PBE_add\n%xdefine PKCS12_create BORINGSSL_PREFIX %+ _PKCS12_create\n%xdefine PKCS12_free BORINGSSL_PREFIX %+ _PKCS12_free\n%xdefine PKCS12_get_key_and_certs BORINGSSL_PREFIX %+ _PKCS12_get_key_and_certs\n%xdefine PKCS12_parse BORINGSSL_PREFIX %+ _PKCS12_parse\n%xdefine PKCS12_verify_mac BORINGSSL_PREFIX %+ _PKCS12_verify_mac\n%xdefine PKCS1_MGF1 BORINGSSL_PREFIX %+ _PKCS1_MGF1\n%xdefine PKCS5_PBKDF2_HMAC BORINGSSL_PREFIX %+ _PKCS5_PBKDF2_HMAC\n%xdefine PKCS5_PBKDF2_HMAC_SHA1 BORINGSSL_PREFIX %+ _PKCS5_PBKDF2_HMAC_SHA1\n%xdefine PKCS5_pbe2_decrypt_init BORINGSSL_PREFIX %+ _PKCS5_pbe2_decrypt_init\n%xdefine PKCS5_pbe2_encrypt_init BORINGSSL_PREFIX %+ _PKCS5_pbe2_encrypt_init\n%xdefine PKCS7_bundle_CRLs BORINGSSL_PREFIX %+ _PKCS7_bundle_CRLs\n%xdefine PKCS7_bundle_certificates BORINGSSL_PREFIX %+ _PKCS7_bundle_certificates\n%xdefine PKCS7_bundle_raw_certificates BORINGSSL_PREFIX %+ _PKCS7_bundle_raw_certificates\n%xdefine PKCS7_free BORINGSSL_PREFIX %+ _PKCS7_free\n%xdefine PKCS7_get_CRLs BORINGSSL_PREFIX %+ _PKCS7_get_CRLs\n%xdefine PKCS7_get_PEM_CRLs BORINGSSL_PREFIX %+ _PKCS7_get_PEM_CRLs\n%xdefine PKCS7_get_PEM_certificates BORINGSSL_PREFIX %+ _PKCS7_get_PEM_certificates\n%xdefine PKCS7_get_certificates BORINGSSL_PREFIX %+ _PKCS7_get_certificates\n%xdefine PKCS7_get_raw_certificates BORINGSSL_PREFIX %+ _PKCS7_get_raw_certificates\n%xdefine PKCS7_sign BORINGSSL_PREFIX %+ _PKCS7_sign\n%xdefine PKCS7_type_is_data BORINGSSL_PREFIX %+ _PKCS7_type_is_data\n%xdefine PKCS7_type_is_digest BORINGSSL_PREFIX %+ _PKCS7_type_is_digest\n%xdefine PKCS7_type_is_encrypted BORINGSSL_PREFIX %+ _PKCS7_type_is_encrypted\n%xdefine PKCS7_type_is_enveloped BORINGSSL_PREFIX %+ _PKCS7_type_is_enveloped\n%xdefine PKCS7_type_is_signed BORINGSSL_PREFIX %+ _PKCS7_type_is_signed\n%xdefine PKCS7_type_is_signedAndEnveloped BORINGSSL_PREFIX %+ _PKCS7_type_is_signedAndEnveloped\n%xdefine PKCS8_PRIV_KEY_INFO_free BORINGSSL_PREFIX %+ _PKCS8_PRIV_KEY_INFO_free\n%xdefine PKCS8_PRIV_KEY_INFO_new BORINGSSL_PREFIX %+ _PKCS8_PRIV_KEY_INFO_new\n%xdefine PKCS8_decrypt BORINGSSL_PREFIX %+ _PKCS8_decrypt\n%xdefine PKCS8_encrypt BORINGSSL_PREFIX %+ _PKCS8_encrypt\n%xdefine PKCS8_marshal_encrypted_private_key BORINGSSL_PREFIX %+ _PKCS8_marshal_encrypted_private_key\n%xdefine PKCS8_parse_encrypted_private_key BORINGSSL_PREFIX %+ _PKCS8_parse_encrypted_private_key\n%xdefine POLICYINFO_free BORINGSSL_PREFIX %+ _POLICYINFO_free\n%xdefine POLICYINFO_it BORINGSSL_PREFIX %+ _POLICYINFO_it\n%xdefine POLICYINFO_new BORINGSSL_PREFIX %+ _POLICYINFO_new\n%xdefine POLICYQUALINFO_free BORINGSSL_PREFIX %+ _POLICYQUALINFO_free\n%xdefine POLICYQUALINFO_it BORINGSSL_PREFIX %+ _POLICYQUALINFO_it\n%xdefine POLICYQUALINFO_new BORINGSSL_PREFIX %+ _POLICYQUALINFO_new\n%xdefine POLICY_CONSTRAINTS_free BORINGSSL_PREFIX %+ _POLICY_CONSTRAINTS_free\n%xdefine POLICY_CONSTRAINTS_it BORINGSSL_PREFIX %+ _POLICY_CONSTRAINTS_it\n%xdefine POLICY_CONSTRAINTS_new BORINGSSL_PREFIX %+ _POLICY_CONSTRAINTS_new\n%xdefine POLICY_MAPPINGS_it BORINGSSL_PREFIX %+ _POLICY_MAPPINGS_it\n%xdefine POLICY_MAPPING_free BORINGSSL_PREFIX %+ _POLICY_MAPPING_free\n%xdefine POLICY_MAPPING_new BORINGSSL_PREFIX %+ _POLICY_MAPPING_new\n%xdefine RAND_OpenSSL BORINGSSL_PREFIX %+ _RAND_OpenSSL\n%xdefine RAND_SSLeay BORINGSSL_PREFIX %+ _RAND_SSLeay\n%xdefine RAND_add BORINGSSL_PREFIX %+ _RAND_add\n%xdefine RAND_bytes BORINGSSL_PREFIX %+ _RAND_bytes\n%xdefine RAND_cleanup BORINGSSL_PREFIX %+ _RAND_cleanup\n%xdefine RAND_disable_fork_unsafe_buffering BORINGSSL_PREFIX %+ _RAND_disable_fork_unsafe_buffering\n%xdefine RAND_egd BORINGSSL_PREFIX %+ _RAND_egd\n%xdefine RAND_enable_fork_unsafe_buffering BORINGSSL_PREFIX %+ _RAND_enable_fork_unsafe_buffering\n%xdefine RAND_file_name BORINGSSL_PREFIX %+ _RAND_file_name\n%xdefine RAND_get_rand_method BORINGSSL_PREFIX %+ _RAND_get_rand_method\n%xdefine RAND_get_system_entropy_for_custom_prng BORINGSSL_PREFIX %+ _RAND_get_system_entropy_for_custom_prng\n%xdefine RAND_load_file BORINGSSL_PREFIX %+ _RAND_load_file\n%xdefine RAND_poll BORINGSSL_PREFIX %+ _RAND_poll\n%xdefine RAND_pseudo_bytes BORINGSSL_PREFIX %+ _RAND_pseudo_bytes\n%xdefine RAND_seed BORINGSSL_PREFIX %+ _RAND_seed\n%xdefine RAND_set_rand_method BORINGSSL_PREFIX %+ _RAND_set_rand_method\n%xdefine RAND_status BORINGSSL_PREFIX %+ _RAND_status\n%xdefine RC4 BORINGSSL_PREFIX %+ _RC4\n%xdefine RC4_set_key BORINGSSL_PREFIX %+ _RC4_set_key\n%xdefine RSAPrivateKey_dup BORINGSSL_PREFIX %+ _RSAPrivateKey_dup\n%xdefine RSAPublicKey_dup BORINGSSL_PREFIX %+ _RSAPublicKey_dup\n%xdefine RSAZ_1024_mod_exp_avx2 BORINGSSL_PREFIX %+ _RSAZ_1024_mod_exp_avx2\n%xdefine RSA_PSS_PARAMS_free BORINGSSL_PREFIX %+ _RSA_PSS_PARAMS_free\n%xdefine RSA_PSS_PARAMS_it BORINGSSL_PREFIX %+ _RSA_PSS_PARAMS_it\n%xdefine RSA_PSS_PARAMS_new BORINGSSL_PREFIX %+ _RSA_PSS_PARAMS_new\n%xdefine RSA_add_pkcs1_prefix BORINGSSL_PREFIX %+ _RSA_add_pkcs1_prefix\n%xdefine RSA_bits BORINGSSL_PREFIX %+ _RSA_bits\n%xdefine RSA_blinding_off BORINGSSL_PREFIX %+ _RSA_blinding_off\n%xdefine RSA_blinding_on BORINGSSL_PREFIX %+ _RSA_blinding_on\n%xdefine RSA_check_fips BORINGSSL_PREFIX %+ _RSA_check_fips\n%xdefine RSA_check_key BORINGSSL_PREFIX %+ _RSA_check_key\n%xdefine RSA_decrypt BORINGSSL_PREFIX %+ _RSA_decrypt\n%xdefine RSA_default_method BORINGSSL_PREFIX %+ _RSA_default_method\n%xdefine RSA_encrypt BORINGSSL_PREFIX %+ _RSA_encrypt\n%xdefine RSA_flags BORINGSSL_PREFIX %+ _RSA_flags\n%xdefine RSA_free BORINGSSL_PREFIX %+ _RSA_free\n%xdefine RSA_generate_key_ex BORINGSSL_PREFIX %+ _RSA_generate_key_ex\n%xdefine RSA_generate_key_fips BORINGSSL_PREFIX %+ _RSA_generate_key_fips\n%xdefine RSA_get0_crt_params BORINGSSL_PREFIX %+ _RSA_get0_crt_params\n%xdefine RSA_get0_d BORINGSSL_PREFIX %+ _RSA_get0_d\n%xdefine RSA_get0_dmp1 BORINGSSL_PREFIX %+ _RSA_get0_dmp1\n%xdefine RSA_get0_dmq1 BORINGSSL_PREFIX %+ _RSA_get0_dmq1\n%xdefine RSA_get0_e BORINGSSL_PREFIX %+ _RSA_get0_e\n%xdefine RSA_get0_factors BORINGSSL_PREFIX %+ _RSA_get0_factors\n%xdefine RSA_get0_iqmp BORINGSSL_PREFIX %+ _RSA_get0_iqmp\n%xdefine RSA_get0_key BORINGSSL_PREFIX %+ _RSA_get0_key\n%xdefine RSA_get0_n BORINGSSL_PREFIX %+ _RSA_get0_n\n%xdefine RSA_get0_p BORINGSSL_PREFIX %+ _RSA_get0_p\n%xdefine RSA_get0_pss_params BORINGSSL_PREFIX %+ _RSA_get0_pss_params\n%xdefine RSA_get0_q BORINGSSL_PREFIX %+ _RSA_get0_q\n%xdefine RSA_get_ex_data BORINGSSL_PREFIX %+ _RSA_get_ex_data\n%xdefine RSA_get_ex_new_index BORINGSSL_PREFIX %+ _RSA_get_ex_new_index\n%xdefine RSA_is_opaque BORINGSSL_PREFIX %+ _RSA_is_opaque\n%xdefine RSA_marshal_private_key BORINGSSL_PREFIX %+ _RSA_marshal_private_key\n%xdefine RSA_marshal_public_key BORINGSSL_PREFIX %+ _RSA_marshal_public_key\n%xdefine RSA_new BORINGSSL_PREFIX %+ _RSA_new\n%xdefine RSA_new_method BORINGSSL_PREFIX %+ _RSA_new_method\n%xdefine RSA_new_method_no_e BORINGSSL_PREFIX %+ _RSA_new_method_no_e\n%xdefine RSA_new_private_key BORINGSSL_PREFIX %+ _RSA_new_private_key\n%xdefine RSA_new_private_key_large_e BORINGSSL_PREFIX %+ _RSA_new_private_key_large_e\n%xdefine RSA_new_private_key_no_crt BORINGSSL_PREFIX %+ _RSA_new_private_key_no_crt\n%xdefine RSA_new_private_key_no_e BORINGSSL_PREFIX %+ _RSA_new_private_key_no_e\n%xdefine RSA_new_public_key BORINGSSL_PREFIX %+ _RSA_new_public_key\n%xdefine RSA_new_public_key_large_e BORINGSSL_PREFIX %+ _RSA_new_public_key_large_e\n%xdefine RSA_padding_add_PKCS1_OAEP_mgf1 BORINGSSL_PREFIX %+ _RSA_padding_add_PKCS1_OAEP_mgf1\n%xdefine RSA_padding_add_PKCS1_PSS_mgf1 BORINGSSL_PREFIX %+ _RSA_padding_add_PKCS1_PSS_mgf1\n%xdefine RSA_padding_add_PKCS1_type_1 BORINGSSL_PREFIX %+ _RSA_padding_add_PKCS1_type_1\n%xdefine RSA_padding_add_none BORINGSSL_PREFIX %+ _RSA_padding_add_none\n%xdefine RSA_padding_check_PKCS1_OAEP_mgf1 BORINGSSL_PREFIX %+ _RSA_padding_check_PKCS1_OAEP_mgf1\n%xdefine RSA_padding_check_PKCS1_type_1 BORINGSSL_PREFIX %+ _RSA_padding_check_PKCS1_type_1\n%xdefine RSA_parse_private_key BORINGSSL_PREFIX %+ _RSA_parse_private_key\n%xdefine RSA_parse_public_key BORINGSSL_PREFIX %+ _RSA_parse_public_key\n%xdefine RSA_print BORINGSSL_PREFIX %+ _RSA_print\n%xdefine RSA_private_decrypt BORINGSSL_PREFIX %+ _RSA_private_decrypt\n%xdefine RSA_private_encrypt BORINGSSL_PREFIX %+ _RSA_private_encrypt\n%xdefine RSA_private_key_from_bytes BORINGSSL_PREFIX %+ _RSA_private_key_from_bytes\n%xdefine RSA_private_key_to_bytes BORINGSSL_PREFIX %+ _RSA_private_key_to_bytes\n%xdefine RSA_public_decrypt BORINGSSL_PREFIX %+ _RSA_public_decrypt\n%xdefine RSA_public_encrypt BORINGSSL_PREFIX %+ _RSA_public_encrypt\n%xdefine RSA_public_key_from_bytes BORINGSSL_PREFIX %+ _RSA_public_key_from_bytes\n%xdefine RSA_public_key_to_bytes BORINGSSL_PREFIX %+ _RSA_public_key_to_bytes\n%xdefine RSA_set0_crt_params BORINGSSL_PREFIX %+ _RSA_set0_crt_params\n%xdefine RSA_set0_factors BORINGSSL_PREFIX %+ _RSA_set0_factors\n%xdefine RSA_set0_key BORINGSSL_PREFIX %+ _RSA_set0_key\n%xdefine RSA_set_ex_data BORINGSSL_PREFIX %+ _RSA_set_ex_data\n%xdefine RSA_sign BORINGSSL_PREFIX %+ _RSA_sign\n%xdefine RSA_sign_pss_mgf1 BORINGSSL_PREFIX %+ _RSA_sign_pss_mgf1\n%xdefine RSA_sign_raw BORINGSSL_PREFIX %+ _RSA_sign_raw\n%xdefine RSA_size BORINGSSL_PREFIX %+ _RSA_size\n%xdefine RSA_test_flags BORINGSSL_PREFIX %+ _RSA_test_flags\n%xdefine RSA_up_ref BORINGSSL_PREFIX %+ _RSA_up_ref\n%xdefine RSA_verify BORINGSSL_PREFIX %+ _RSA_verify\n%xdefine RSA_verify_PKCS1_PSS_mgf1 BORINGSSL_PREFIX %+ _RSA_verify_PKCS1_PSS_mgf1\n%xdefine RSA_verify_pss_mgf1 BORINGSSL_PREFIX %+ _RSA_verify_pss_mgf1\n%xdefine RSA_verify_raw BORINGSSL_PREFIX %+ _RSA_verify_raw\n%xdefine SHA1 BORINGSSL_PREFIX %+ _SHA1\n%xdefine SHA1_Final BORINGSSL_PREFIX %+ _SHA1_Final\n%xdefine SHA1_Init BORINGSSL_PREFIX %+ _SHA1_Init\n%xdefine SHA1_Transform BORINGSSL_PREFIX %+ _SHA1_Transform\n%xdefine SHA1_Update BORINGSSL_PREFIX %+ _SHA1_Update\n%xdefine SHA224 BORINGSSL_PREFIX %+ _SHA224\n%xdefine SHA224_Final BORINGSSL_PREFIX %+ _SHA224_Final\n%xdefine SHA224_Init BORINGSSL_PREFIX %+ _SHA224_Init\n%xdefine SHA224_Update BORINGSSL_PREFIX %+ _SHA224_Update\n%xdefine SHA256 BORINGSSL_PREFIX %+ _SHA256\n%xdefine SHA256_Final BORINGSSL_PREFIX %+ _SHA256_Final\n%xdefine SHA256_Init BORINGSSL_PREFIX %+ _SHA256_Init\n%xdefine SHA256_Transform BORINGSSL_PREFIX %+ _SHA256_Transform\n%xdefine SHA256_TransformBlocks BORINGSSL_PREFIX %+ _SHA256_TransformBlocks\n%xdefine SHA256_Update BORINGSSL_PREFIX %+ _SHA256_Update\n%xdefine SHA384 BORINGSSL_PREFIX %+ _SHA384\n%xdefine SHA384_Final BORINGSSL_PREFIX %+ _SHA384_Final\n%xdefine SHA384_Init BORINGSSL_PREFIX %+ _SHA384_Init\n%xdefine SHA384_Update BORINGSSL_PREFIX %+ _SHA384_Update\n%xdefine SHA512 BORINGSSL_PREFIX %+ _SHA512\n%xdefine SHA512_256 BORINGSSL_PREFIX %+ _SHA512_256\n%xdefine SHA512_256_Final BORINGSSL_PREFIX %+ _SHA512_256_Final\n%xdefine SHA512_256_Init BORINGSSL_PREFIX %+ _SHA512_256_Init\n%xdefine SHA512_256_Update BORINGSSL_PREFIX %+ _SHA512_256_Update\n%xdefine SHA512_Final BORINGSSL_PREFIX %+ _SHA512_Final\n%xdefine SHA512_Init BORINGSSL_PREFIX %+ _SHA512_Init\n%xdefine SHA512_Transform BORINGSSL_PREFIX %+ _SHA512_Transform\n%xdefine SHA512_Update BORINGSSL_PREFIX %+ _SHA512_Update\n%xdefine SIPHASH_24 BORINGSSL_PREFIX %+ _SIPHASH_24\n%xdefine SLHDSA_SHA2_128S_generate_key BORINGSSL_PREFIX %+ _SLHDSA_SHA2_128S_generate_key\n%xdefine SLHDSA_SHA2_128S_prehash_sign BORINGSSL_PREFIX %+ _SLHDSA_SHA2_128S_prehash_sign\n%xdefine SLHDSA_SHA2_128S_prehash_verify BORINGSSL_PREFIX %+ _SLHDSA_SHA2_128S_prehash_verify\n%xdefine SLHDSA_SHA2_128S_prehash_warning_nonstandard_sign BORINGSSL_PREFIX %+ _SLHDSA_SHA2_128S_prehash_warning_nonstandard_sign\n%xdefine SLHDSA_SHA2_128S_prehash_warning_nonstandard_verify BORINGSSL_PREFIX %+ _SLHDSA_SHA2_128S_prehash_warning_nonstandard_verify\n%xdefine SLHDSA_SHA2_128S_public_from_private BORINGSSL_PREFIX %+ _SLHDSA_SHA2_128S_public_from_private\n%xdefine SLHDSA_SHA2_128S_sign BORINGSSL_PREFIX %+ _SLHDSA_SHA2_128S_sign\n%xdefine SLHDSA_SHA2_128S_verify BORINGSSL_PREFIX %+ _SLHDSA_SHA2_128S_verify\n%xdefine SPAKE2_CTX_free BORINGSSL_PREFIX %+ _SPAKE2_CTX_free\n%xdefine SPAKE2_CTX_new BORINGSSL_PREFIX %+ _SPAKE2_CTX_new\n%xdefine SPAKE2_generate_msg BORINGSSL_PREFIX %+ _SPAKE2_generate_msg\n%xdefine SPAKE2_process_msg BORINGSSL_PREFIX %+ _SPAKE2_process_msg\n%xdefine SSL_CIPHER_description BORINGSSL_PREFIX %+ _SSL_CIPHER_description\n%xdefine SSL_CIPHER_get_auth_nid BORINGSSL_PREFIX %+ _SSL_CIPHER_get_auth_nid\n%xdefine SSL_CIPHER_get_bits BORINGSSL_PREFIX %+ _SSL_CIPHER_get_bits\n%xdefine SSL_CIPHER_get_cipher_nid BORINGSSL_PREFIX %+ _SSL_CIPHER_get_cipher_nid\n%xdefine SSL_CIPHER_get_digest_nid BORINGSSL_PREFIX %+ _SSL_CIPHER_get_digest_nid\n%xdefine SSL_CIPHER_get_handshake_digest BORINGSSL_PREFIX %+ _SSL_CIPHER_get_handshake_digest\n%xdefine SSL_CIPHER_get_id BORINGSSL_PREFIX %+ _SSL_CIPHER_get_id\n%xdefine SSL_CIPHER_get_kx_name BORINGSSL_PREFIX %+ _SSL_CIPHER_get_kx_name\n%xdefine SSL_CIPHER_get_kx_nid BORINGSSL_PREFIX %+ _SSL_CIPHER_get_kx_nid\n%xdefine SSL_CIPHER_get_max_version BORINGSSL_PREFIX %+ _SSL_CIPHER_get_max_version\n%xdefine SSL_CIPHER_get_min_version BORINGSSL_PREFIX %+ _SSL_CIPHER_get_min_version\n%xdefine SSL_CIPHER_get_name BORINGSSL_PREFIX %+ _SSL_CIPHER_get_name\n%xdefine SSL_CIPHER_get_prf_nid BORINGSSL_PREFIX %+ _SSL_CIPHER_get_prf_nid\n%xdefine SSL_CIPHER_get_protocol_id BORINGSSL_PREFIX %+ _SSL_CIPHER_get_protocol_id\n%xdefine SSL_CIPHER_get_version BORINGSSL_PREFIX %+ _SSL_CIPHER_get_version\n%xdefine SSL_CIPHER_is_aead BORINGSSL_PREFIX %+ _SSL_CIPHER_is_aead\n%xdefine SSL_CIPHER_is_block_cipher BORINGSSL_PREFIX %+ _SSL_CIPHER_is_block_cipher\n%xdefine SSL_CIPHER_standard_name BORINGSSL_PREFIX %+ _SSL_CIPHER_standard_name\n%xdefine SSL_COMP_add_compression_method BORINGSSL_PREFIX %+ _SSL_COMP_add_compression_method\n%xdefine SSL_COMP_free_compression_methods BORINGSSL_PREFIX %+ _SSL_COMP_free_compression_methods\n%xdefine SSL_COMP_get0_name BORINGSSL_PREFIX %+ _SSL_COMP_get0_name\n%xdefine SSL_COMP_get_compression_methods BORINGSSL_PREFIX %+ _SSL_COMP_get_compression_methods\n%xdefine SSL_COMP_get_id BORINGSSL_PREFIX %+ _SSL_COMP_get_id\n%xdefine SSL_COMP_get_name BORINGSSL_PREFIX %+ _SSL_COMP_get_name\n%xdefine SSL_CREDENTIAL_clear_must_match_issuer BORINGSSL_PREFIX %+ _SSL_CREDENTIAL_clear_must_match_issuer\n%xdefine SSL_CREDENTIAL_free BORINGSSL_PREFIX %+ _SSL_CREDENTIAL_free\n%xdefine SSL_CREDENTIAL_get_ex_data BORINGSSL_PREFIX %+ _SSL_CREDENTIAL_get_ex_data\n%xdefine SSL_CREDENTIAL_get_ex_new_index BORINGSSL_PREFIX %+ _SSL_CREDENTIAL_get_ex_new_index\n%xdefine SSL_CREDENTIAL_must_match_issuer BORINGSSL_PREFIX %+ _SSL_CREDENTIAL_must_match_issuer\n%xdefine SSL_CREDENTIAL_new_delegated BORINGSSL_PREFIX %+ _SSL_CREDENTIAL_new_delegated\n%xdefine SSL_CREDENTIAL_new_x509 BORINGSSL_PREFIX %+ _SSL_CREDENTIAL_new_x509\n%xdefine SSL_CREDENTIAL_set1_cert_chain BORINGSSL_PREFIX %+ _SSL_CREDENTIAL_set1_cert_chain\n%xdefine SSL_CREDENTIAL_set1_delegated_credential BORINGSSL_PREFIX %+ _SSL_CREDENTIAL_set1_delegated_credential\n%xdefine SSL_CREDENTIAL_set1_ocsp_response BORINGSSL_PREFIX %+ _SSL_CREDENTIAL_set1_ocsp_response\n%xdefine SSL_CREDENTIAL_set1_private_key BORINGSSL_PREFIX %+ _SSL_CREDENTIAL_set1_private_key\n%xdefine SSL_CREDENTIAL_set1_signed_cert_timestamp_list BORINGSSL_PREFIX %+ _SSL_CREDENTIAL_set1_signed_cert_timestamp_list\n%xdefine SSL_CREDENTIAL_set1_signing_algorithm_prefs BORINGSSL_PREFIX %+ _SSL_CREDENTIAL_set1_signing_algorithm_prefs\n%xdefine SSL_CREDENTIAL_set_ex_data BORINGSSL_PREFIX %+ _SSL_CREDENTIAL_set_ex_data\n%xdefine SSL_CREDENTIAL_set_must_match_issuer BORINGSSL_PREFIX %+ _SSL_CREDENTIAL_set_must_match_issuer\n%xdefine SSL_CREDENTIAL_set_private_key_method BORINGSSL_PREFIX %+ _SSL_CREDENTIAL_set_private_key_method\n%xdefine SSL_CREDENTIAL_up_ref BORINGSSL_PREFIX %+ _SSL_CREDENTIAL_up_ref\n%xdefine SSL_CTX_add0_chain_cert BORINGSSL_PREFIX %+ _SSL_CTX_add0_chain_cert\n%xdefine SSL_CTX_add1_chain_cert BORINGSSL_PREFIX %+ _SSL_CTX_add1_chain_cert\n%xdefine SSL_CTX_add1_credential BORINGSSL_PREFIX %+ _SSL_CTX_add1_credential\n%xdefine SSL_CTX_add_cert_compression_alg BORINGSSL_PREFIX %+ _SSL_CTX_add_cert_compression_alg\n%xdefine SSL_CTX_add_client_CA BORINGSSL_PREFIX %+ _SSL_CTX_add_client_CA\n%xdefine SSL_CTX_add_extra_chain_cert BORINGSSL_PREFIX %+ _SSL_CTX_add_extra_chain_cert\n%xdefine SSL_CTX_add_session BORINGSSL_PREFIX %+ _SSL_CTX_add_session\n%xdefine SSL_CTX_check_private_key BORINGSSL_PREFIX %+ _SSL_CTX_check_private_key\n%xdefine SSL_CTX_cipher_in_group BORINGSSL_PREFIX %+ _SSL_CTX_cipher_in_group\n%xdefine SSL_CTX_clear_chain_certs BORINGSSL_PREFIX %+ _SSL_CTX_clear_chain_certs\n%xdefine SSL_CTX_clear_extra_chain_certs BORINGSSL_PREFIX %+ _SSL_CTX_clear_extra_chain_certs\n%xdefine SSL_CTX_clear_mode BORINGSSL_PREFIX %+ _SSL_CTX_clear_mode\n%xdefine SSL_CTX_clear_options BORINGSSL_PREFIX %+ _SSL_CTX_clear_options\n%xdefine SSL_CTX_enable_ocsp_stapling BORINGSSL_PREFIX %+ _SSL_CTX_enable_ocsp_stapling\n%xdefine SSL_CTX_enable_signed_cert_timestamps BORINGSSL_PREFIX %+ _SSL_CTX_enable_signed_cert_timestamps\n%xdefine SSL_CTX_enable_tls_channel_id BORINGSSL_PREFIX %+ _SSL_CTX_enable_tls_channel_id\n%xdefine SSL_CTX_flush_sessions BORINGSSL_PREFIX %+ _SSL_CTX_flush_sessions\n%xdefine SSL_CTX_free BORINGSSL_PREFIX %+ _SSL_CTX_free\n%xdefine SSL_CTX_get0_certificate BORINGSSL_PREFIX %+ _SSL_CTX_get0_certificate\n%xdefine SSL_CTX_get0_chain BORINGSSL_PREFIX %+ _SSL_CTX_get0_chain\n%xdefine SSL_CTX_get0_chain_certs BORINGSSL_PREFIX %+ _SSL_CTX_get0_chain_certs\n%xdefine SSL_CTX_get0_param BORINGSSL_PREFIX %+ _SSL_CTX_get0_param\n%xdefine SSL_CTX_get0_privatekey BORINGSSL_PREFIX %+ _SSL_CTX_get0_privatekey\n%xdefine SSL_CTX_get_cert_store BORINGSSL_PREFIX %+ _SSL_CTX_get_cert_store\n%xdefine SSL_CTX_get_ciphers BORINGSSL_PREFIX %+ _SSL_CTX_get_ciphers\n%xdefine SSL_CTX_get_client_CA_list BORINGSSL_PREFIX %+ _SSL_CTX_get_client_CA_list\n%xdefine SSL_CTX_get_compliance_policy BORINGSSL_PREFIX %+ _SSL_CTX_get_compliance_policy\n%xdefine SSL_CTX_get_default_passwd_cb BORINGSSL_PREFIX %+ _SSL_CTX_get_default_passwd_cb\n%xdefine SSL_CTX_get_default_passwd_cb_userdata BORINGSSL_PREFIX %+ _SSL_CTX_get_default_passwd_cb_userdata\n%xdefine SSL_CTX_get_ex_data BORINGSSL_PREFIX %+ _SSL_CTX_get_ex_data\n%xdefine SSL_CTX_get_ex_new_index BORINGSSL_PREFIX %+ _SSL_CTX_get_ex_new_index\n%xdefine SSL_CTX_get_extra_chain_certs BORINGSSL_PREFIX %+ _SSL_CTX_get_extra_chain_certs\n%xdefine SSL_CTX_get_info_callback BORINGSSL_PREFIX %+ _SSL_CTX_get_info_callback\n%xdefine SSL_CTX_get_keylog_callback BORINGSSL_PREFIX %+ _SSL_CTX_get_keylog_callback\n%xdefine SSL_CTX_get_max_cert_list BORINGSSL_PREFIX %+ _SSL_CTX_get_max_cert_list\n%xdefine SSL_CTX_get_max_proto_version BORINGSSL_PREFIX %+ _SSL_CTX_get_max_proto_version\n%xdefine SSL_CTX_get_min_proto_version BORINGSSL_PREFIX %+ _SSL_CTX_get_min_proto_version\n%xdefine SSL_CTX_get_mode BORINGSSL_PREFIX %+ _SSL_CTX_get_mode\n%xdefine SSL_CTX_get_num_tickets BORINGSSL_PREFIX %+ _SSL_CTX_get_num_tickets\n%xdefine SSL_CTX_get_options BORINGSSL_PREFIX %+ _SSL_CTX_get_options\n%xdefine SSL_CTX_get_quiet_shutdown BORINGSSL_PREFIX %+ _SSL_CTX_get_quiet_shutdown\n%xdefine SSL_CTX_get_read_ahead BORINGSSL_PREFIX %+ _SSL_CTX_get_read_ahead\n%xdefine SSL_CTX_get_session_cache_mode BORINGSSL_PREFIX %+ _SSL_CTX_get_session_cache_mode\n%xdefine SSL_CTX_get_timeout BORINGSSL_PREFIX %+ _SSL_CTX_get_timeout\n%xdefine SSL_CTX_get_tlsext_ticket_keys BORINGSSL_PREFIX %+ _SSL_CTX_get_tlsext_ticket_keys\n%xdefine SSL_CTX_get_verify_callback BORINGSSL_PREFIX %+ _SSL_CTX_get_verify_callback\n%xdefine SSL_CTX_get_verify_depth BORINGSSL_PREFIX %+ _SSL_CTX_get_verify_depth\n%xdefine SSL_CTX_get_verify_mode BORINGSSL_PREFIX %+ _SSL_CTX_get_verify_mode\n%xdefine SSL_CTX_load_verify_locations BORINGSSL_PREFIX %+ _SSL_CTX_load_verify_locations\n%xdefine SSL_CTX_need_tmp_RSA BORINGSSL_PREFIX %+ _SSL_CTX_need_tmp_RSA\n%xdefine SSL_CTX_new BORINGSSL_PREFIX %+ _SSL_CTX_new\n%xdefine SSL_CTX_remove_session BORINGSSL_PREFIX %+ _SSL_CTX_remove_session\n%xdefine SSL_CTX_sess_accept BORINGSSL_PREFIX %+ _SSL_CTX_sess_accept\n%xdefine SSL_CTX_sess_accept_good BORINGSSL_PREFIX %+ _SSL_CTX_sess_accept_good\n%xdefine SSL_CTX_sess_accept_renegotiate BORINGSSL_PREFIX %+ _SSL_CTX_sess_accept_renegotiate\n%xdefine SSL_CTX_sess_cache_full BORINGSSL_PREFIX %+ _SSL_CTX_sess_cache_full\n%xdefine SSL_CTX_sess_cb_hits BORINGSSL_PREFIX %+ _SSL_CTX_sess_cb_hits\n%xdefine SSL_CTX_sess_connect BORINGSSL_PREFIX %+ _SSL_CTX_sess_connect\n%xdefine SSL_CTX_sess_connect_good BORINGSSL_PREFIX %+ _SSL_CTX_sess_connect_good\n%xdefine SSL_CTX_sess_connect_renegotiate BORINGSSL_PREFIX %+ _SSL_CTX_sess_connect_renegotiate\n%xdefine SSL_CTX_sess_get_cache_size BORINGSSL_PREFIX %+ _SSL_CTX_sess_get_cache_size\n%xdefine SSL_CTX_sess_get_get_cb BORINGSSL_PREFIX %+ _SSL_CTX_sess_get_get_cb\n%xdefine SSL_CTX_sess_get_new_cb BORINGSSL_PREFIX %+ _SSL_CTX_sess_get_new_cb\n%xdefine SSL_CTX_sess_get_remove_cb BORINGSSL_PREFIX %+ _SSL_CTX_sess_get_remove_cb\n%xdefine SSL_CTX_sess_hits BORINGSSL_PREFIX %+ _SSL_CTX_sess_hits\n%xdefine SSL_CTX_sess_misses BORINGSSL_PREFIX %+ _SSL_CTX_sess_misses\n%xdefine SSL_CTX_sess_number BORINGSSL_PREFIX %+ _SSL_CTX_sess_number\n%xdefine SSL_CTX_sess_set_cache_size BORINGSSL_PREFIX %+ _SSL_CTX_sess_set_cache_size\n%xdefine SSL_CTX_sess_set_get_cb BORINGSSL_PREFIX %+ _SSL_CTX_sess_set_get_cb\n%xdefine SSL_CTX_sess_set_new_cb BORINGSSL_PREFIX %+ _SSL_CTX_sess_set_new_cb\n%xdefine SSL_CTX_sess_set_remove_cb BORINGSSL_PREFIX %+ _SSL_CTX_sess_set_remove_cb\n%xdefine SSL_CTX_sess_timeouts BORINGSSL_PREFIX %+ _SSL_CTX_sess_timeouts\n%xdefine SSL_CTX_set0_buffer_pool BORINGSSL_PREFIX %+ _SSL_CTX_set0_buffer_pool\n%xdefine SSL_CTX_set0_chain BORINGSSL_PREFIX %+ _SSL_CTX_set0_chain\n%xdefine SSL_CTX_set0_client_CAs BORINGSSL_PREFIX %+ _SSL_CTX_set0_client_CAs\n%xdefine SSL_CTX_set0_verify_cert_store BORINGSSL_PREFIX %+ _SSL_CTX_set0_verify_cert_store\n%xdefine SSL_CTX_set1_chain BORINGSSL_PREFIX %+ _SSL_CTX_set1_chain\n%xdefine SSL_CTX_set1_curves BORINGSSL_PREFIX %+ _SSL_CTX_set1_curves\n%xdefine SSL_CTX_set1_curves_list BORINGSSL_PREFIX %+ _SSL_CTX_set1_curves_list\n%xdefine SSL_CTX_set1_ech_keys BORINGSSL_PREFIX %+ _SSL_CTX_set1_ech_keys\n%xdefine SSL_CTX_set1_group_ids BORINGSSL_PREFIX %+ _SSL_CTX_set1_group_ids\n%xdefine SSL_CTX_set1_groups BORINGSSL_PREFIX %+ _SSL_CTX_set1_groups\n%xdefine SSL_CTX_set1_groups_list BORINGSSL_PREFIX %+ _SSL_CTX_set1_groups_list\n%xdefine SSL_CTX_set1_param BORINGSSL_PREFIX %+ _SSL_CTX_set1_param\n%xdefine SSL_CTX_set1_sigalgs BORINGSSL_PREFIX %+ _SSL_CTX_set1_sigalgs\n%xdefine SSL_CTX_set1_sigalgs_list BORINGSSL_PREFIX %+ _SSL_CTX_set1_sigalgs_list\n%xdefine SSL_CTX_set1_tls_channel_id BORINGSSL_PREFIX %+ _SSL_CTX_set1_tls_channel_id\n%xdefine SSL_CTX_set1_verify_cert_store BORINGSSL_PREFIX %+ _SSL_CTX_set1_verify_cert_store\n%xdefine SSL_CTX_set_allow_unknown_alpn_protos BORINGSSL_PREFIX %+ _SSL_CTX_set_allow_unknown_alpn_protos\n%xdefine SSL_CTX_set_alpn_protos BORINGSSL_PREFIX %+ _SSL_CTX_set_alpn_protos\n%xdefine SSL_CTX_set_alpn_select_cb BORINGSSL_PREFIX %+ _SSL_CTX_set_alpn_select_cb\n%xdefine SSL_CTX_set_cert_cb BORINGSSL_PREFIX %+ _SSL_CTX_set_cert_cb\n%xdefine SSL_CTX_set_cert_store BORINGSSL_PREFIX %+ _SSL_CTX_set_cert_store\n%xdefine SSL_CTX_set_cert_verify_callback BORINGSSL_PREFIX %+ _SSL_CTX_set_cert_verify_callback\n%xdefine SSL_CTX_set_chain_and_key BORINGSSL_PREFIX %+ _SSL_CTX_set_chain_and_key\n%xdefine SSL_CTX_set_cipher_list BORINGSSL_PREFIX %+ _SSL_CTX_set_cipher_list\n%xdefine SSL_CTX_set_client_CA_list BORINGSSL_PREFIX %+ _SSL_CTX_set_client_CA_list\n%xdefine SSL_CTX_set_client_cert_cb BORINGSSL_PREFIX %+ _SSL_CTX_set_client_cert_cb\n%xdefine SSL_CTX_set_compliance_policy BORINGSSL_PREFIX %+ _SSL_CTX_set_compliance_policy\n%xdefine SSL_CTX_set_current_time_cb BORINGSSL_PREFIX %+ _SSL_CTX_set_current_time_cb\n%xdefine SSL_CTX_set_custom_verify BORINGSSL_PREFIX %+ _SSL_CTX_set_custom_verify\n%xdefine SSL_CTX_set_default_passwd_cb BORINGSSL_PREFIX %+ _SSL_CTX_set_default_passwd_cb\n%xdefine SSL_CTX_set_default_passwd_cb_userdata BORINGSSL_PREFIX %+ _SSL_CTX_set_default_passwd_cb_userdata\n%xdefine SSL_CTX_set_default_verify_paths BORINGSSL_PREFIX %+ _SSL_CTX_set_default_verify_paths\n%xdefine SSL_CTX_set_dos_protection_cb BORINGSSL_PREFIX %+ _SSL_CTX_set_dos_protection_cb\n%xdefine SSL_CTX_set_early_data_enabled BORINGSSL_PREFIX %+ _SSL_CTX_set_early_data_enabled\n%xdefine SSL_CTX_set_ex_data BORINGSSL_PREFIX %+ _SSL_CTX_set_ex_data\n%xdefine SSL_CTX_set_false_start_allowed_without_alpn BORINGSSL_PREFIX %+ _SSL_CTX_set_false_start_allowed_without_alpn\n%xdefine SSL_CTX_set_grease_enabled BORINGSSL_PREFIX %+ _SSL_CTX_set_grease_enabled\n%xdefine SSL_CTX_set_info_callback BORINGSSL_PREFIX %+ _SSL_CTX_set_info_callback\n%xdefine SSL_CTX_set_keylog_callback BORINGSSL_PREFIX %+ _SSL_CTX_set_keylog_callback\n%xdefine SSL_CTX_set_max_cert_list BORINGSSL_PREFIX %+ _SSL_CTX_set_max_cert_list\n%xdefine SSL_CTX_set_max_proto_version BORINGSSL_PREFIX %+ _SSL_CTX_set_max_proto_version\n%xdefine SSL_CTX_set_max_send_fragment BORINGSSL_PREFIX %+ _SSL_CTX_set_max_send_fragment\n%xdefine SSL_CTX_set_min_proto_version BORINGSSL_PREFIX %+ _SSL_CTX_set_min_proto_version\n%xdefine SSL_CTX_set_mode BORINGSSL_PREFIX %+ _SSL_CTX_set_mode\n%xdefine SSL_CTX_set_msg_callback BORINGSSL_PREFIX %+ _SSL_CTX_set_msg_callback\n%xdefine SSL_CTX_set_msg_callback_arg BORINGSSL_PREFIX %+ _SSL_CTX_set_msg_callback_arg\n%xdefine SSL_CTX_set_next_proto_select_cb BORINGSSL_PREFIX %+ _SSL_CTX_set_next_proto_select_cb\n%xdefine SSL_CTX_set_next_protos_advertised_cb BORINGSSL_PREFIX %+ _SSL_CTX_set_next_protos_advertised_cb\n%xdefine SSL_CTX_set_num_tickets BORINGSSL_PREFIX %+ _SSL_CTX_set_num_tickets\n%xdefine SSL_CTX_set_ocsp_response BORINGSSL_PREFIX %+ _SSL_CTX_set_ocsp_response\n%xdefine SSL_CTX_set_options BORINGSSL_PREFIX %+ _SSL_CTX_set_options\n%xdefine SSL_CTX_set_permute_extensions BORINGSSL_PREFIX %+ _SSL_CTX_set_permute_extensions\n%xdefine SSL_CTX_set_private_key_method BORINGSSL_PREFIX %+ _SSL_CTX_set_private_key_method\n%xdefine SSL_CTX_set_psk_client_callback BORINGSSL_PREFIX %+ _SSL_CTX_set_psk_client_callback\n%xdefine SSL_CTX_set_psk_server_callback BORINGSSL_PREFIX %+ _SSL_CTX_set_psk_server_callback\n%xdefine SSL_CTX_set_purpose BORINGSSL_PREFIX %+ _SSL_CTX_set_purpose\n%xdefine SSL_CTX_set_quic_method BORINGSSL_PREFIX %+ _SSL_CTX_set_quic_method\n%xdefine SSL_CTX_set_quiet_shutdown BORINGSSL_PREFIX %+ _SSL_CTX_set_quiet_shutdown\n%xdefine SSL_CTX_set_read_ahead BORINGSSL_PREFIX %+ _SSL_CTX_set_read_ahead\n%xdefine SSL_CTX_set_record_protocol_version BORINGSSL_PREFIX %+ _SSL_CTX_set_record_protocol_version\n%xdefine SSL_CTX_set_retain_only_sha256_of_client_certs BORINGSSL_PREFIX %+ _SSL_CTX_set_retain_only_sha256_of_client_certs\n%xdefine SSL_CTX_set_reverify_on_resume BORINGSSL_PREFIX %+ _SSL_CTX_set_reverify_on_resume\n%xdefine SSL_CTX_set_select_certificate_cb BORINGSSL_PREFIX %+ _SSL_CTX_set_select_certificate_cb\n%xdefine SSL_CTX_set_session_cache_mode BORINGSSL_PREFIX %+ _SSL_CTX_set_session_cache_mode\n%xdefine SSL_CTX_set_session_id_context BORINGSSL_PREFIX %+ _SSL_CTX_set_session_id_context\n%xdefine SSL_CTX_set_session_psk_dhe_timeout BORINGSSL_PREFIX %+ _SSL_CTX_set_session_psk_dhe_timeout\n%xdefine SSL_CTX_set_signed_cert_timestamp_list BORINGSSL_PREFIX %+ _SSL_CTX_set_signed_cert_timestamp_list\n%xdefine SSL_CTX_set_signing_algorithm_prefs BORINGSSL_PREFIX %+ _SSL_CTX_set_signing_algorithm_prefs\n%xdefine SSL_CTX_set_srtp_profiles BORINGSSL_PREFIX %+ _SSL_CTX_set_srtp_profiles\n%xdefine SSL_CTX_set_strict_cipher_list BORINGSSL_PREFIX %+ _SSL_CTX_set_strict_cipher_list\n%xdefine SSL_CTX_set_ticket_aead_method BORINGSSL_PREFIX %+ _SSL_CTX_set_ticket_aead_method\n%xdefine SSL_CTX_set_timeout BORINGSSL_PREFIX %+ _SSL_CTX_set_timeout\n%xdefine SSL_CTX_set_tls_channel_id_enabled BORINGSSL_PREFIX %+ _SSL_CTX_set_tls_channel_id_enabled\n%xdefine SSL_CTX_set_tlsext_servername_arg BORINGSSL_PREFIX %+ _SSL_CTX_set_tlsext_servername_arg\n%xdefine SSL_CTX_set_tlsext_servername_callback BORINGSSL_PREFIX %+ _SSL_CTX_set_tlsext_servername_callback\n%xdefine SSL_CTX_set_tlsext_status_arg BORINGSSL_PREFIX %+ _SSL_CTX_set_tlsext_status_arg\n%xdefine SSL_CTX_set_tlsext_status_cb BORINGSSL_PREFIX %+ _SSL_CTX_set_tlsext_status_cb\n%xdefine SSL_CTX_set_tlsext_ticket_key_cb BORINGSSL_PREFIX %+ _SSL_CTX_set_tlsext_ticket_key_cb\n%xdefine SSL_CTX_set_tlsext_ticket_keys BORINGSSL_PREFIX %+ _SSL_CTX_set_tlsext_ticket_keys\n%xdefine SSL_CTX_set_tlsext_use_srtp BORINGSSL_PREFIX %+ _SSL_CTX_set_tlsext_use_srtp\n%xdefine SSL_CTX_set_tmp_dh BORINGSSL_PREFIX %+ _SSL_CTX_set_tmp_dh\n%xdefine SSL_CTX_set_tmp_dh_callback BORINGSSL_PREFIX %+ _SSL_CTX_set_tmp_dh_callback\n%xdefine SSL_CTX_set_tmp_ecdh BORINGSSL_PREFIX %+ _SSL_CTX_set_tmp_ecdh\n%xdefine SSL_CTX_set_tmp_rsa BORINGSSL_PREFIX %+ _SSL_CTX_set_tmp_rsa\n%xdefine SSL_CTX_set_tmp_rsa_callback BORINGSSL_PREFIX %+ _SSL_CTX_set_tmp_rsa_callback\n%xdefine SSL_CTX_set_trust BORINGSSL_PREFIX %+ _SSL_CTX_set_trust\n%xdefine SSL_CTX_set_verify BORINGSSL_PREFIX %+ _SSL_CTX_set_verify\n%xdefine SSL_CTX_set_verify_algorithm_prefs BORINGSSL_PREFIX %+ _SSL_CTX_set_verify_algorithm_prefs\n%xdefine SSL_CTX_set_verify_depth BORINGSSL_PREFIX %+ _SSL_CTX_set_verify_depth\n%xdefine SSL_CTX_up_ref BORINGSSL_PREFIX %+ _SSL_CTX_up_ref\n%xdefine SSL_CTX_use_PrivateKey BORINGSSL_PREFIX %+ _SSL_CTX_use_PrivateKey\n%xdefine SSL_CTX_use_PrivateKey_ASN1 BORINGSSL_PREFIX %+ _SSL_CTX_use_PrivateKey_ASN1\n%xdefine SSL_CTX_use_PrivateKey_file BORINGSSL_PREFIX %+ _SSL_CTX_use_PrivateKey_file\n%xdefine SSL_CTX_use_RSAPrivateKey BORINGSSL_PREFIX %+ _SSL_CTX_use_RSAPrivateKey\n%xdefine SSL_CTX_use_RSAPrivateKey_ASN1 BORINGSSL_PREFIX %+ _SSL_CTX_use_RSAPrivateKey_ASN1\n%xdefine SSL_CTX_use_RSAPrivateKey_file BORINGSSL_PREFIX %+ _SSL_CTX_use_RSAPrivateKey_file\n%xdefine SSL_CTX_use_certificate BORINGSSL_PREFIX %+ _SSL_CTX_use_certificate\n%xdefine SSL_CTX_use_certificate_ASN1 BORINGSSL_PREFIX %+ _SSL_CTX_use_certificate_ASN1\n%xdefine SSL_CTX_use_certificate_chain_file BORINGSSL_PREFIX %+ _SSL_CTX_use_certificate_chain_file\n%xdefine SSL_CTX_use_certificate_file BORINGSSL_PREFIX %+ _SSL_CTX_use_certificate_file\n%xdefine SSL_CTX_use_psk_identity_hint BORINGSSL_PREFIX %+ _SSL_CTX_use_psk_identity_hint\n%xdefine SSL_ECH_KEYS_add BORINGSSL_PREFIX %+ _SSL_ECH_KEYS_add\n%xdefine SSL_ECH_KEYS_free BORINGSSL_PREFIX %+ _SSL_ECH_KEYS_free\n%xdefine SSL_ECH_KEYS_has_duplicate_config_id BORINGSSL_PREFIX %+ _SSL_ECH_KEYS_has_duplicate_config_id\n%xdefine SSL_ECH_KEYS_marshal_retry_configs BORINGSSL_PREFIX %+ _SSL_ECH_KEYS_marshal_retry_configs\n%xdefine SSL_ECH_KEYS_new BORINGSSL_PREFIX %+ _SSL_ECH_KEYS_new\n%xdefine SSL_ECH_KEYS_up_ref BORINGSSL_PREFIX %+ _SSL_ECH_KEYS_up_ref\n%xdefine SSL_SESSION_copy_without_early_data BORINGSSL_PREFIX %+ _SSL_SESSION_copy_without_early_data\n%xdefine SSL_SESSION_early_data_capable BORINGSSL_PREFIX %+ _SSL_SESSION_early_data_capable\n%xdefine SSL_SESSION_free BORINGSSL_PREFIX %+ _SSL_SESSION_free\n%xdefine SSL_SESSION_from_bytes BORINGSSL_PREFIX %+ _SSL_SESSION_from_bytes\n%xdefine SSL_SESSION_get0_cipher BORINGSSL_PREFIX %+ _SSL_SESSION_get0_cipher\n%xdefine SSL_SESSION_get0_id_context BORINGSSL_PREFIX %+ _SSL_SESSION_get0_id_context\n%xdefine SSL_SESSION_get0_ocsp_response BORINGSSL_PREFIX %+ _SSL_SESSION_get0_ocsp_response\n%xdefine SSL_SESSION_get0_peer BORINGSSL_PREFIX %+ _SSL_SESSION_get0_peer\n%xdefine SSL_SESSION_get0_peer_certificates BORINGSSL_PREFIX %+ _SSL_SESSION_get0_peer_certificates\n%xdefine SSL_SESSION_get0_peer_sha256 BORINGSSL_PREFIX %+ _SSL_SESSION_get0_peer_sha256\n%xdefine SSL_SESSION_get0_signed_cert_timestamp_list BORINGSSL_PREFIX %+ _SSL_SESSION_get0_signed_cert_timestamp_list\n%xdefine SSL_SESSION_get0_ticket BORINGSSL_PREFIX %+ _SSL_SESSION_get0_ticket\n%xdefine SSL_SESSION_get_ex_data BORINGSSL_PREFIX %+ _SSL_SESSION_get_ex_data\n%xdefine SSL_SESSION_get_ex_new_index BORINGSSL_PREFIX %+ _SSL_SESSION_get_ex_new_index\n%xdefine SSL_SESSION_get_id BORINGSSL_PREFIX %+ _SSL_SESSION_get_id\n%xdefine SSL_SESSION_get_master_key BORINGSSL_PREFIX %+ _SSL_SESSION_get_master_key\n%xdefine SSL_SESSION_get_protocol_version BORINGSSL_PREFIX %+ _SSL_SESSION_get_protocol_version\n%xdefine SSL_SESSION_get_ticket_lifetime_hint BORINGSSL_PREFIX %+ _SSL_SESSION_get_ticket_lifetime_hint\n%xdefine SSL_SESSION_get_time BORINGSSL_PREFIX %+ _SSL_SESSION_get_time\n%xdefine SSL_SESSION_get_timeout BORINGSSL_PREFIX %+ _SSL_SESSION_get_timeout\n%xdefine SSL_SESSION_get_version BORINGSSL_PREFIX %+ _SSL_SESSION_get_version\n%xdefine SSL_SESSION_has_peer_sha256 BORINGSSL_PREFIX %+ _SSL_SESSION_has_peer_sha256\n%xdefine SSL_SESSION_has_ticket BORINGSSL_PREFIX %+ _SSL_SESSION_has_ticket\n%xdefine SSL_SESSION_is_resumable BORINGSSL_PREFIX %+ _SSL_SESSION_is_resumable\n%xdefine SSL_SESSION_new BORINGSSL_PREFIX %+ _SSL_SESSION_new\n%xdefine SSL_SESSION_set1_id BORINGSSL_PREFIX %+ _SSL_SESSION_set1_id\n%xdefine SSL_SESSION_set1_id_context BORINGSSL_PREFIX %+ _SSL_SESSION_set1_id_context\n%xdefine SSL_SESSION_set_ex_data BORINGSSL_PREFIX %+ _SSL_SESSION_set_ex_data\n%xdefine SSL_SESSION_set_protocol_version BORINGSSL_PREFIX %+ _SSL_SESSION_set_protocol_version\n%xdefine SSL_SESSION_set_ticket BORINGSSL_PREFIX %+ _SSL_SESSION_set_ticket\n%xdefine SSL_SESSION_set_time BORINGSSL_PREFIX %+ _SSL_SESSION_set_time\n%xdefine SSL_SESSION_set_timeout BORINGSSL_PREFIX %+ _SSL_SESSION_set_timeout\n%xdefine SSL_SESSION_should_be_single_use BORINGSSL_PREFIX %+ _SSL_SESSION_should_be_single_use\n%xdefine SSL_SESSION_to_bytes BORINGSSL_PREFIX %+ _SSL_SESSION_to_bytes\n%xdefine SSL_SESSION_to_bytes_for_ticket BORINGSSL_PREFIX %+ _SSL_SESSION_to_bytes_for_ticket\n%xdefine SSL_SESSION_up_ref BORINGSSL_PREFIX %+ _SSL_SESSION_up_ref\n%xdefine SSL_accept BORINGSSL_PREFIX %+ _SSL_accept\n%xdefine SSL_add0_chain_cert BORINGSSL_PREFIX %+ _SSL_add0_chain_cert\n%xdefine SSL_add1_chain_cert BORINGSSL_PREFIX %+ _SSL_add1_chain_cert\n%xdefine SSL_add1_credential BORINGSSL_PREFIX %+ _SSL_add1_credential\n%xdefine SSL_add_application_settings BORINGSSL_PREFIX %+ _SSL_add_application_settings\n%xdefine SSL_add_bio_cert_subjects_to_stack BORINGSSL_PREFIX %+ _SSL_add_bio_cert_subjects_to_stack\n%xdefine SSL_add_client_CA BORINGSSL_PREFIX %+ _SSL_add_client_CA\n%xdefine SSL_add_file_cert_subjects_to_stack BORINGSSL_PREFIX %+ _SSL_add_file_cert_subjects_to_stack\n%xdefine SSL_alert_desc_string BORINGSSL_PREFIX %+ _SSL_alert_desc_string\n%xdefine SSL_alert_desc_string_long BORINGSSL_PREFIX %+ _SSL_alert_desc_string_long\n%xdefine SSL_alert_from_verify_result BORINGSSL_PREFIX %+ _SSL_alert_from_verify_result\n%xdefine SSL_alert_type_string BORINGSSL_PREFIX %+ _SSL_alert_type_string\n%xdefine SSL_alert_type_string_long BORINGSSL_PREFIX %+ _SSL_alert_type_string_long\n%xdefine SSL_cache_hit BORINGSSL_PREFIX %+ _SSL_cache_hit\n%xdefine SSL_can_release_private_key BORINGSSL_PREFIX %+ _SSL_can_release_private_key\n%xdefine SSL_certs_clear BORINGSSL_PREFIX %+ _SSL_certs_clear\n%xdefine SSL_check_private_key BORINGSSL_PREFIX %+ _SSL_check_private_key\n%xdefine SSL_clear BORINGSSL_PREFIX %+ _SSL_clear\n%xdefine SSL_clear_chain_certs BORINGSSL_PREFIX %+ _SSL_clear_chain_certs\n%xdefine SSL_clear_mode BORINGSSL_PREFIX %+ _SSL_clear_mode\n%xdefine SSL_clear_options BORINGSSL_PREFIX %+ _SSL_clear_options\n%xdefine SSL_connect BORINGSSL_PREFIX %+ _SSL_connect\n%xdefine SSL_cutthrough_complete BORINGSSL_PREFIX %+ _SSL_cutthrough_complete\n%xdefine SSL_do_handshake BORINGSSL_PREFIX %+ _SSL_do_handshake\n%xdefine SSL_dup_CA_list BORINGSSL_PREFIX %+ _SSL_dup_CA_list\n%xdefine SSL_early_callback_ctx_extension_get BORINGSSL_PREFIX %+ _SSL_early_callback_ctx_extension_get\n%xdefine SSL_early_data_accepted BORINGSSL_PREFIX %+ _SSL_early_data_accepted\n%xdefine SSL_early_data_reason_string BORINGSSL_PREFIX %+ _SSL_early_data_reason_string\n%xdefine SSL_ech_accepted BORINGSSL_PREFIX %+ _SSL_ech_accepted\n%xdefine SSL_enable_ocsp_stapling BORINGSSL_PREFIX %+ _SSL_enable_ocsp_stapling\n%xdefine SSL_enable_signed_cert_timestamps BORINGSSL_PREFIX %+ _SSL_enable_signed_cert_timestamps\n%xdefine SSL_enable_tls_channel_id BORINGSSL_PREFIX %+ _SSL_enable_tls_channel_id\n%xdefine SSL_error_description BORINGSSL_PREFIX %+ _SSL_error_description\n%xdefine SSL_export_keying_material BORINGSSL_PREFIX %+ _SSL_export_keying_material\n%xdefine SSL_free BORINGSSL_PREFIX %+ _SSL_free\n%xdefine SSL_generate_key_block BORINGSSL_PREFIX %+ _SSL_generate_key_block\n%xdefine SSL_get0_alpn_selected BORINGSSL_PREFIX %+ _SSL_get0_alpn_selected\n%xdefine SSL_get0_certificate_types BORINGSSL_PREFIX %+ _SSL_get0_certificate_types\n%xdefine SSL_get0_chain BORINGSSL_PREFIX %+ _SSL_get0_chain\n%xdefine SSL_get0_chain_certs BORINGSSL_PREFIX %+ _SSL_get0_chain_certs\n%xdefine SSL_get0_ech_name_override BORINGSSL_PREFIX %+ _SSL_get0_ech_name_override\n%xdefine SSL_get0_ech_retry_configs BORINGSSL_PREFIX %+ _SSL_get0_ech_retry_configs\n%xdefine SSL_get0_next_proto_negotiated BORINGSSL_PREFIX %+ _SSL_get0_next_proto_negotiated\n%xdefine SSL_get0_ocsp_response BORINGSSL_PREFIX %+ _SSL_get0_ocsp_response\n%xdefine SSL_get0_param BORINGSSL_PREFIX %+ _SSL_get0_param\n%xdefine SSL_get0_peer_application_settings BORINGSSL_PREFIX %+ _SSL_get0_peer_application_settings\n%xdefine SSL_get0_peer_certificates BORINGSSL_PREFIX %+ _SSL_get0_peer_certificates\n%xdefine SSL_get0_peer_delegation_algorithms BORINGSSL_PREFIX %+ _SSL_get0_peer_delegation_algorithms\n%xdefine SSL_get0_peer_verify_algorithms BORINGSSL_PREFIX %+ _SSL_get0_peer_verify_algorithms\n%xdefine SSL_get0_selected_credential BORINGSSL_PREFIX %+ _SSL_get0_selected_credential\n%xdefine SSL_get0_server_requested_CAs BORINGSSL_PREFIX %+ _SSL_get0_server_requested_CAs\n%xdefine SSL_get0_session_id_context BORINGSSL_PREFIX %+ _SSL_get0_session_id_context\n%xdefine SSL_get0_signed_cert_timestamp_list BORINGSSL_PREFIX %+ _SSL_get0_signed_cert_timestamp_list\n%xdefine SSL_get1_session BORINGSSL_PREFIX %+ _SSL_get1_session\n%xdefine SSL_get_SSL_CTX BORINGSSL_PREFIX %+ _SSL_get_SSL_CTX\n%xdefine SSL_get_all_cipher_names BORINGSSL_PREFIX %+ _SSL_get_all_cipher_names\n%xdefine SSL_get_all_curve_names BORINGSSL_PREFIX %+ _SSL_get_all_curve_names\n%xdefine SSL_get_all_group_names BORINGSSL_PREFIX %+ _SSL_get_all_group_names\n%xdefine SSL_get_all_signature_algorithm_names BORINGSSL_PREFIX %+ _SSL_get_all_signature_algorithm_names\n%xdefine SSL_get_all_standard_cipher_names BORINGSSL_PREFIX %+ _SSL_get_all_standard_cipher_names\n%xdefine SSL_get_all_version_names BORINGSSL_PREFIX %+ _SSL_get_all_version_names\n%xdefine SSL_get_certificate BORINGSSL_PREFIX %+ _SSL_get_certificate\n%xdefine SSL_get_cipher_by_value BORINGSSL_PREFIX %+ _SSL_get_cipher_by_value\n%xdefine SSL_get_cipher_list BORINGSSL_PREFIX %+ _SSL_get_cipher_list\n%xdefine SSL_get_ciphers BORINGSSL_PREFIX %+ _SSL_get_ciphers\n%xdefine SSL_get_client_CA_list BORINGSSL_PREFIX %+ _SSL_get_client_CA_list\n%xdefine SSL_get_client_random BORINGSSL_PREFIX %+ _SSL_get_client_random\n%xdefine SSL_get_compliance_policy BORINGSSL_PREFIX %+ _SSL_get_compliance_policy\n%xdefine SSL_get_current_cipher BORINGSSL_PREFIX %+ _SSL_get_current_cipher\n%xdefine SSL_get_current_compression BORINGSSL_PREFIX %+ _SSL_get_current_compression\n%xdefine SSL_get_current_expansion BORINGSSL_PREFIX %+ _SSL_get_current_expansion\n%xdefine SSL_get_curve_id BORINGSSL_PREFIX %+ _SSL_get_curve_id\n%xdefine SSL_get_curve_name BORINGSSL_PREFIX %+ _SSL_get_curve_name\n%xdefine SSL_get_default_timeout BORINGSSL_PREFIX %+ _SSL_get_default_timeout\n%xdefine SSL_get_early_data_reason BORINGSSL_PREFIX %+ _SSL_get_early_data_reason\n%xdefine SSL_get_error BORINGSSL_PREFIX %+ _SSL_get_error\n%xdefine SSL_get_ex_data BORINGSSL_PREFIX %+ _SSL_get_ex_data\n%xdefine SSL_get_ex_data_X509_STORE_CTX_idx BORINGSSL_PREFIX %+ _SSL_get_ex_data_X509_STORE_CTX_idx\n%xdefine SSL_get_ex_new_index BORINGSSL_PREFIX %+ _SSL_get_ex_new_index\n%xdefine SSL_get_extms_support BORINGSSL_PREFIX %+ _SSL_get_extms_support\n%xdefine SSL_get_fd BORINGSSL_PREFIX %+ _SSL_get_fd\n%xdefine SSL_get_finished BORINGSSL_PREFIX %+ _SSL_get_finished\n%xdefine SSL_get_group_id BORINGSSL_PREFIX %+ _SSL_get_group_id\n%xdefine SSL_get_group_name BORINGSSL_PREFIX %+ _SSL_get_group_name\n%xdefine SSL_get_info_callback BORINGSSL_PREFIX %+ _SSL_get_info_callback\n%xdefine SSL_get_ivs BORINGSSL_PREFIX %+ _SSL_get_ivs\n%xdefine SSL_get_key_block_len BORINGSSL_PREFIX %+ _SSL_get_key_block_len\n%xdefine SSL_get_max_cert_list BORINGSSL_PREFIX %+ _SSL_get_max_cert_list\n%xdefine SSL_get_max_proto_version BORINGSSL_PREFIX %+ _SSL_get_max_proto_version\n%xdefine SSL_get_min_proto_version BORINGSSL_PREFIX %+ _SSL_get_min_proto_version\n%xdefine SSL_get_mode BORINGSSL_PREFIX %+ _SSL_get_mode\n%xdefine SSL_get_negotiated_group BORINGSSL_PREFIX %+ _SSL_get_negotiated_group\n%xdefine SSL_get_options BORINGSSL_PREFIX %+ _SSL_get_options\n%xdefine SSL_get_peer_cert_chain BORINGSSL_PREFIX %+ _SSL_get_peer_cert_chain\n%xdefine SSL_get_peer_certificate BORINGSSL_PREFIX %+ _SSL_get_peer_certificate\n%xdefine SSL_get_peer_finished BORINGSSL_PREFIX %+ _SSL_get_peer_finished\n%xdefine SSL_get_peer_full_cert_chain BORINGSSL_PREFIX %+ _SSL_get_peer_full_cert_chain\n%xdefine SSL_get_peer_quic_transport_params BORINGSSL_PREFIX %+ _SSL_get_peer_quic_transport_params\n%xdefine SSL_get_peer_signature_algorithm BORINGSSL_PREFIX %+ _SSL_get_peer_signature_algorithm\n%xdefine SSL_get_pending_cipher BORINGSSL_PREFIX %+ _SSL_get_pending_cipher\n%xdefine SSL_get_privatekey BORINGSSL_PREFIX %+ _SSL_get_privatekey\n%xdefine SSL_get_psk_identity BORINGSSL_PREFIX %+ _SSL_get_psk_identity\n%xdefine SSL_get_psk_identity_hint BORINGSSL_PREFIX %+ _SSL_get_psk_identity_hint\n%xdefine SSL_get_quiet_shutdown BORINGSSL_PREFIX %+ _SSL_get_quiet_shutdown\n%xdefine SSL_get_rbio BORINGSSL_PREFIX %+ _SSL_get_rbio\n%xdefine SSL_get_read_ahead BORINGSSL_PREFIX %+ _SSL_get_read_ahead\n%xdefine SSL_get_read_sequence BORINGSSL_PREFIX %+ _SSL_get_read_sequence\n%xdefine SSL_get_rfd BORINGSSL_PREFIX %+ _SSL_get_rfd\n%xdefine SSL_get_secure_renegotiation_support BORINGSSL_PREFIX %+ _SSL_get_secure_renegotiation_support\n%xdefine SSL_get_selected_srtp_profile BORINGSSL_PREFIX %+ _SSL_get_selected_srtp_profile\n%xdefine SSL_get_server_random BORINGSSL_PREFIX %+ _SSL_get_server_random\n%xdefine SSL_get_server_tmp_key BORINGSSL_PREFIX %+ _SSL_get_server_tmp_key\n%xdefine SSL_get_servername BORINGSSL_PREFIX %+ _SSL_get_servername\n%xdefine SSL_get_servername_type BORINGSSL_PREFIX %+ _SSL_get_servername_type\n%xdefine SSL_get_session BORINGSSL_PREFIX %+ _SSL_get_session\n%xdefine SSL_get_shared_ciphers BORINGSSL_PREFIX %+ _SSL_get_shared_ciphers\n%xdefine SSL_get_shared_sigalgs BORINGSSL_PREFIX %+ _SSL_get_shared_sigalgs\n%xdefine SSL_get_shutdown BORINGSSL_PREFIX %+ _SSL_get_shutdown\n%xdefine SSL_get_signature_algorithm_digest BORINGSSL_PREFIX %+ _SSL_get_signature_algorithm_digest\n%xdefine SSL_get_signature_algorithm_key_type BORINGSSL_PREFIX %+ _SSL_get_signature_algorithm_key_type\n%xdefine SSL_get_signature_algorithm_name BORINGSSL_PREFIX %+ _SSL_get_signature_algorithm_name\n%xdefine SSL_get_srtp_profiles BORINGSSL_PREFIX %+ _SSL_get_srtp_profiles\n%xdefine SSL_get_ticket_age_skew BORINGSSL_PREFIX %+ _SSL_get_ticket_age_skew\n%xdefine SSL_get_tls_channel_id BORINGSSL_PREFIX %+ _SSL_get_tls_channel_id\n%xdefine SSL_get_tls_unique BORINGSSL_PREFIX %+ _SSL_get_tls_unique\n%xdefine SSL_get_tlsext_status_ocsp_resp BORINGSSL_PREFIX %+ _SSL_get_tlsext_status_ocsp_resp\n%xdefine SSL_get_tlsext_status_type BORINGSSL_PREFIX %+ _SSL_get_tlsext_status_type\n%xdefine SSL_get_verify_callback BORINGSSL_PREFIX %+ _SSL_get_verify_callback\n%xdefine SSL_get_verify_depth BORINGSSL_PREFIX %+ _SSL_get_verify_depth\n%xdefine SSL_get_verify_mode BORINGSSL_PREFIX %+ _SSL_get_verify_mode\n%xdefine SSL_get_verify_result BORINGSSL_PREFIX %+ _SSL_get_verify_result\n%xdefine SSL_get_version BORINGSSL_PREFIX %+ _SSL_get_version\n%xdefine SSL_get_wbio BORINGSSL_PREFIX %+ _SSL_get_wbio\n%xdefine SSL_get_wfd BORINGSSL_PREFIX %+ _SSL_get_wfd\n%xdefine SSL_get_write_sequence BORINGSSL_PREFIX %+ _SSL_get_write_sequence\n%xdefine SSL_has_application_settings BORINGSSL_PREFIX %+ _SSL_has_application_settings\n%xdefine SSL_has_pending BORINGSSL_PREFIX %+ _SSL_has_pending\n%xdefine SSL_in_early_data BORINGSSL_PREFIX %+ _SSL_in_early_data\n%xdefine SSL_in_false_start BORINGSSL_PREFIX %+ _SSL_in_false_start\n%xdefine SSL_in_init BORINGSSL_PREFIX %+ _SSL_in_init\n%xdefine SSL_is_dtls BORINGSSL_PREFIX %+ _SSL_is_dtls\n%xdefine SSL_is_init_finished BORINGSSL_PREFIX %+ _SSL_is_init_finished\n%xdefine SSL_is_quic BORINGSSL_PREFIX %+ _SSL_is_quic\n%xdefine SSL_is_server BORINGSSL_PREFIX %+ _SSL_is_server\n%xdefine SSL_is_signature_algorithm_rsa_pss BORINGSSL_PREFIX %+ _SSL_is_signature_algorithm_rsa_pss\n%xdefine SSL_key_update BORINGSSL_PREFIX %+ _SSL_key_update\n%xdefine SSL_library_init BORINGSSL_PREFIX %+ _SSL_library_init\n%xdefine SSL_load_client_CA_file BORINGSSL_PREFIX %+ _SSL_load_client_CA_file\n%xdefine SSL_load_error_strings BORINGSSL_PREFIX %+ _SSL_load_error_strings\n%xdefine SSL_magic_pending_session_ptr BORINGSSL_PREFIX %+ _SSL_magic_pending_session_ptr\n%xdefine SSL_marshal_ech_config BORINGSSL_PREFIX %+ _SSL_marshal_ech_config\n%xdefine SSL_max_seal_overhead BORINGSSL_PREFIX %+ _SSL_max_seal_overhead\n%xdefine SSL_need_tmp_RSA BORINGSSL_PREFIX %+ _SSL_need_tmp_RSA\n%xdefine SSL_new BORINGSSL_PREFIX %+ _SSL_new\n%xdefine SSL_num_renegotiations BORINGSSL_PREFIX %+ _SSL_num_renegotiations\n%xdefine SSL_peek BORINGSSL_PREFIX %+ _SSL_peek\n%xdefine SSL_pending BORINGSSL_PREFIX %+ _SSL_pending\n%xdefine SSL_process_quic_post_handshake BORINGSSL_PREFIX %+ _SSL_process_quic_post_handshake\n%xdefine SSL_process_tls13_new_session_ticket BORINGSSL_PREFIX %+ _SSL_process_tls13_new_session_ticket\n%xdefine SSL_provide_quic_data BORINGSSL_PREFIX %+ _SSL_provide_quic_data\n%xdefine SSL_quic_max_handshake_flight_len BORINGSSL_PREFIX %+ _SSL_quic_max_handshake_flight_len\n%xdefine SSL_quic_read_level BORINGSSL_PREFIX %+ _SSL_quic_read_level\n%xdefine SSL_quic_write_level BORINGSSL_PREFIX %+ _SSL_quic_write_level\n%xdefine SSL_read BORINGSSL_PREFIX %+ _SSL_read\n%xdefine SSL_renegotiate BORINGSSL_PREFIX %+ _SSL_renegotiate\n%xdefine SSL_renegotiate_pending BORINGSSL_PREFIX %+ _SSL_renegotiate_pending\n%xdefine SSL_request_handshake_hints BORINGSSL_PREFIX %+ _SSL_request_handshake_hints\n%xdefine SSL_reset_early_data_reject BORINGSSL_PREFIX %+ _SSL_reset_early_data_reject\n%xdefine SSL_select_next_proto BORINGSSL_PREFIX %+ _SSL_select_next_proto\n%xdefine SSL_send_fatal_alert BORINGSSL_PREFIX %+ _SSL_send_fatal_alert\n%xdefine SSL_serialize_capabilities BORINGSSL_PREFIX %+ _SSL_serialize_capabilities\n%xdefine SSL_serialize_handshake_hints BORINGSSL_PREFIX %+ _SSL_serialize_handshake_hints\n%xdefine SSL_session_reused BORINGSSL_PREFIX %+ _SSL_session_reused\n%xdefine SSL_set0_CA_names BORINGSSL_PREFIX %+ _SSL_set0_CA_names\n%xdefine SSL_set0_chain BORINGSSL_PREFIX %+ _SSL_set0_chain\n%xdefine SSL_set0_client_CAs BORINGSSL_PREFIX %+ _SSL_set0_client_CAs\n%xdefine SSL_set0_rbio BORINGSSL_PREFIX %+ _SSL_set0_rbio\n%xdefine SSL_set0_verify_cert_store BORINGSSL_PREFIX %+ _SSL_set0_verify_cert_store\n%xdefine SSL_set0_wbio BORINGSSL_PREFIX %+ _SSL_set0_wbio\n%xdefine SSL_set1_chain BORINGSSL_PREFIX %+ _SSL_set1_chain\n%xdefine SSL_set1_curves BORINGSSL_PREFIX %+ _SSL_set1_curves\n%xdefine SSL_set1_curves_list BORINGSSL_PREFIX %+ _SSL_set1_curves_list\n%xdefine SSL_set1_ech_config_list BORINGSSL_PREFIX %+ _SSL_set1_ech_config_list\n%xdefine SSL_set1_group_ids BORINGSSL_PREFIX %+ _SSL_set1_group_ids\n%xdefine SSL_set1_groups BORINGSSL_PREFIX %+ _SSL_set1_groups\n%xdefine SSL_set1_groups_list BORINGSSL_PREFIX %+ _SSL_set1_groups_list\n%xdefine SSL_set1_host BORINGSSL_PREFIX %+ _SSL_set1_host\n%xdefine SSL_set1_param BORINGSSL_PREFIX %+ _SSL_set1_param\n%xdefine SSL_set1_sigalgs BORINGSSL_PREFIX %+ _SSL_set1_sigalgs\n%xdefine SSL_set1_sigalgs_list BORINGSSL_PREFIX %+ _SSL_set1_sigalgs_list\n%xdefine SSL_set1_tls_channel_id BORINGSSL_PREFIX %+ _SSL_set1_tls_channel_id\n%xdefine SSL_set1_verify_cert_store BORINGSSL_PREFIX %+ _SSL_set1_verify_cert_store\n%xdefine SSL_set_SSL_CTX BORINGSSL_PREFIX %+ _SSL_set_SSL_CTX\n%xdefine SSL_set_accept_state BORINGSSL_PREFIX %+ _SSL_set_accept_state\n%xdefine SSL_set_alpn_protos BORINGSSL_PREFIX %+ _SSL_set_alpn_protos\n%xdefine SSL_set_alps_use_new_codepoint BORINGSSL_PREFIX %+ _SSL_set_alps_use_new_codepoint\n%xdefine SSL_set_bio BORINGSSL_PREFIX %+ _SSL_set_bio\n%xdefine SSL_set_cert_cb BORINGSSL_PREFIX %+ _SSL_set_cert_cb\n%xdefine SSL_set_chain_and_key BORINGSSL_PREFIX %+ _SSL_set_chain_and_key\n%xdefine SSL_set_check_client_certificate_type BORINGSSL_PREFIX %+ _SSL_set_check_client_certificate_type\n%xdefine SSL_set_check_ecdsa_curve BORINGSSL_PREFIX %+ _SSL_set_check_ecdsa_curve\n%xdefine SSL_set_cipher_list BORINGSSL_PREFIX %+ _SSL_set_cipher_list\n%xdefine SSL_set_client_CA_list BORINGSSL_PREFIX %+ _SSL_set_client_CA_list\n%xdefine SSL_set_compliance_policy BORINGSSL_PREFIX %+ _SSL_set_compliance_policy\n%xdefine SSL_set_connect_state BORINGSSL_PREFIX %+ _SSL_set_connect_state\n%xdefine SSL_set_custom_verify BORINGSSL_PREFIX %+ _SSL_set_custom_verify\n%xdefine SSL_set_early_data_enabled BORINGSSL_PREFIX %+ _SSL_set_early_data_enabled\n%xdefine SSL_set_enable_ech_grease BORINGSSL_PREFIX %+ _SSL_set_enable_ech_grease\n%xdefine SSL_set_enforce_rsa_key_usage BORINGSSL_PREFIX %+ _SSL_set_enforce_rsa_key_usage\n%xdefine SSL_set_ex_data BORINGSSL_PREFIX %+ _SSL_set_ex_data\n%xdefine SSL_set_fd BORINGSSL_PREFIX %+ _SSL_set_fd\n%xdefine SSL_set_handshake_hints BORINGSSL_PREFIX %+ _SSL_set_handshake_hints\n%xdefine SSL_set_hostflags BORINGSSL_PREFIX %+ _SSL_set_hostflags\n%xdefine SSL_set_info_callback BORINGSSL_PREFIX %+ _SSL_set_info_callback\n%xdefine SSL_set_jdk11_workaround BORINGSSL_PREFIX %+ _SSL_set_jdk11_workaround\n%xdefine SSL_set_max_cert_list BORINGSSL_PREFIX %+ _SSL_set_max_cert_list\n%xdefine SSL_set_max_proto_version BORINGSSL_PREFIX %+ _SSL_set_max_proto_version\n%xdefine SSL_set_max_send_fragment BORINGSSL_PREFIX %+ _SSL_set_max_send_fragment\n%xdefine SSL_set_min_proto_version BORINGSSL_PREFIX %+ _SSL_set_min_proto_version\n%xdefine SSL_set_mode BORINGSSL_PREFIX %+ _SSL_set_mode\n%xdefine SSL_set_msg_callback BORINGSSL_PREFIX %+ _SSL_set_msg_callback\n%xdefine SSL_set_msg_callback_arg BORINGSSL_PREFIX %+ _SSL_set_msg_callback_arg\n%xdefine SSL_set_mtu BORINGSSL_PREFIX %+ _SSL_set_mtu\n%xdefine SSL_set_ocsp_response BORINGSSL_PREFIX %+ _SSL_set_ocsp_response\n%xdefine SSL_set_options BORINGSSL_PREFIX %+ _SSL_set_options\n%xdefine SSL_set_permute_extensions BORINGSSL_PREFIX %+ _SSL_set_permute_extensions\n%xdefine SSL_set_private_key_method BORINGSSL_PREFIX %+ _SSL_set_private_key_method\n%xdefine SSL_set_psk_client_callback BORINGSSL_PREFIX %+ _SSL_set_psk_client_callback\n%xdefine SSL_set_psk_server_callback BORINGSSL_PREFIX %+ _SSL_set_psk_server_callback\n%xdefine SSL_set_purpose BORINGSSL_PREFIX %+ _SSL_set_purpose\n%xdefine SSL_set_quic_early_data_context BORINGSSL_PREFIX %+ _SSL_set_quic_early_data_context\n%xdefine SSL_set_quic_method BORINGSSL_PREFIX %+ _SSL_set_quic_method\n%xdefine SSL_set_quic_transport_params BORINGSSL_PREFIX %+ _SSL_set_quic_transport_params\n%xdefine SSL_set_quic_use_legacy_codepoint BORINGSSL_PREFIX %+ _SSL_set_quic_use_legacy_codepoint\n%xdefine SSL_set_quiet_shutdown BORINGSSL_PREFIX %+ _SSL_set_quiet_shutdown\n%xdefine SSL_set_read_ahead BORINGSSL_PREFIX %+ _SSL_set_read_ahead\n%xdefine SSL_set_renegotiate_mode BORINGSSL_PREFIX %+ _SSL_set_renegotiate_mode\n%xdefine SSL_set_retain_only_sha256_of_client_certs BORINGSSL_PREFIX %+ _SSL_set_retain_only_sha256_of_client_certs\n%xdefine SSL_set_rfd BORINGSSL_PREFIX %+ _SSL_set_rfd\n%xdefine SSL_set_session BORINGSSL_PREFIX %+ _SSL_set_session\n%xdefine SSL_set_session_id_context BORINGSSL_PREFIX %+ _SSL_set_session_id_context\n%xdefine SSL_set_shed_handshake_config BORINGSSL_PREFIX %+ _SSL_set_shed_handshake_config\n%xdefine SSL_set_shutdown BORINGSSL_PREFIX %+ _SSL_set_shutdown\n%xdefine SSL_set_signed_cert_timestamp_list BORINGSSL_PREFIX %+ _SSL_set_signed_cert_timestamp_list\n%xdefine SSL_set_signing_algorithm_prefs BORINGSSL_PREFIX %+ _SSL_set_signing_algorithm_prefs\n%xdefine SSL_set_srtp_profiles BORINGSSL_PREFIX %+ _SSL_set_srtp_profiles\n%xdefine SSL_set_state BORINGSSL_PREFIX %+ _SSL_set_state\n%xdefine SSL_set_strict_cipher_list BORINGSSL_PREFIX %+ _SSL_set_strict_cipher_list\n%xdefine SSL_set_tls_channel_id_enabled BORINGSSL_PREFIX %+ _SSL_set_tls_channel_id_enabled\n%xdefine SSL_set_tlsext_host_name BORINGSSL_PREFIX %+ _SSL_set_tlsext_host_name\n%xdefine SSL_set_tlsext_status_ocsp_resp BORINGSSL_PREFIX %+ _SSL_set_tlsext_status_ocsp_resp\n%xdefine SSL_set_tlsext_status_type BORINGSSL_PREFIX %+ _SSL_set_tlsext_status_type\n%xdefine SSL_set_tlsext_use_srtp BORINGSSL_PREFIX %+ _SSL_set_tlsext_use_srtp\n%xdefine SSL_set_tmp_dh BORINGSSL_PREFIX %+ _SSL_set_tmp_dh\n%xdefine SSL_set_tmp_dh_callback BORINGSSL_PREFIX %+ _SSL_set_tmp_dh_callback\n%xdefine SSL_set_tmp_ecdh BORINGSSL_PREFIX %+ _SSL_set_tmp_ecdh\n%xdefine SSL_set_tmp_rsa BORINGSSL_PREFIX %+ _SSL_set_tmp_rsa\n%xdefine SSL_set_tmp_rsa_callback BORINGSSL_PREFIX %+ _SSL_set_tmp_rsa_callback\n%xdefine SSL_set_trust BORINGSSL_PREFIX %+ _SSL_set_trust\n%xdefine SSL_set_verify BORINGSSL_PREFIX %+ _SSL_set_verify\n%xdefine SSL_set_verify_algorithm_prefs BORINGSSL_PREFIX %+ _SSL_set_verify_algorithm_prefs\n%xdefine SSL_set_verify_depth BORINGSSL_PREFIX %+ _SSL_set_verify_depth\n%xdefine SSL_set_wfd BORINGSSL_PREFIX %+ _SSL_set_wfd\n%xdefine SSL_shutdown BORINGSSL_PREFIX %+ _SSL_shutdown\n%xdefine SSL_state BORINGSSL_PREFIX %+ _SSL_state\n%xdefine SSL_state_string BORINGSSL_PREFIX %+ _SSL_state_string\n%xdefine SSL_state_string_long BORINGSSL_PREFIX %+ _SSL_state_string_long\n%xdefine SSL_total_renegotiations BORINGSSL_PREFIX %+ _SSL_total_renegotiations\n%xdefine SSL_use_PrivateKey BORINGSSL_PREFIX %+ _SSL_use_PrivateKey\n%xdefine SSL_use_PrivateKey_ASN1 BORINGSSL_PREFIX %+ _SSL_use_PrivateKey_ASN1\n%xdefine SSL_use_PrivateKey_file BORINGSSL_PREFIX %+ _SSL_use_PrivateKey_file\n%xdefine SSL_use_RSAPrivateKey BORINGSSL_PREFIX %+ _SSL_use_RSAPrivateKey\n%xdefine SSL_use_RSAPrivateKey_ASN1 BORINGSSL_PREFIX %+ _SSL_use_RSAPrivateKey_ASN1\n%xdefine SSL_use_RSAPrivateKey_file BORINGSSL_PREFIX %+ _SSL_use_RSAPrivateKey_file\n%xdefine SSL_use_certificate BORINGSSL_PREFIX %+ _SSL_use_certificate\n%xdefine SSL_use_certificate_ASN1 BORINGSSL_PREFIX %+ _SSL_use_certificate_ASN1\n%xdefine SSL_use_certificate_file BORINGSSL_PREFIX %+ _SSL_use_certificate_file\n%xdefine SSL_use_psk_identity_hint BORINGSSL_PREFIX %+ _SSL_use_psk_identity_hint\n%xdefine SSL_used_hello_retry_request BORINGSSL_PREFIX %+ _SSL_used_hello_retry_request\n%xdefine SSL_version BORINGSSL_PREFIX %+ _SSL_version\n%xdefine SSL_want BORINGSSL_PREFIX %+ _SSL_want\n%xdefine SSL_was_key_usage_invalid BORINGSSL_PREFIX %+ _SSL_was_key_usage_invalid\n%xdefine SSL_write BORINGSSL_PREFIX %+ _SSL_write\n%xdefine SSLeay BORINGSSL_PREFIX %+ _SSLeay\n%xdefine SSLeay_version BORINGSSL_PREFIX %+ _SSLeay_version\n%xdefine SSLv23_client_method BORINGSSL_PREFIX %+ _SSLv23_client_method\n%xdefine SSLv23_method BORINGSSL_PREFIX %+ _SSLv23_method\n%xdefine SSLv23_server_method BORINGSSL_PREFIX %+ _SSLv23_server_method\n%xdefine TLS_client_method BORINGSSL_PREFIX %+ _TLS_client_method\n%xdefine TLS_method BORINGSSL_PREFIX %+ _TLS_method\n%xdefine TLS_server_method BORINGSSL_PREFIX %+ _TLS_server_method\n%xdefine TLS_with_buffers_method BORINGSSL_PREFIX %+ _TLS_with_buffers_method\n%xdefine TLSv1_1_client_method BORINGSSL_PREFIX %+ _TLSv1_1_client_method\n%xdefine TLSv1_1_method BORINGSSL_PREFIX %+ _TLSv1_1_method\n%xdefine TLSv1_1_server_method BORINGSSL_PREFIX %+ _TLSv1_1_server_method\n%xdefine TLSv1_2_client_method BORINGSSL_PREFIX %+ _TLSv1_2_client_method\n%xdefine TLSv1_2_method BORINGSSL_PREFIX %+ _TLSv1_2_method\n%xdefine TLSv1_2_server_method BORINGSSL_PREFIX %+ _TLSv1_2_server_method\n%xdefine TLSv1_client_method BORINGSSL_PREFIX %+ _TLSv1_client_method\n%xdefine TLSv1_method BORINGSSL_PREFIX %+ _TLSv1_method\n%xdefine TLSv1_server_method BORINGSSL_PREFIX %+ _TLSv1_server_method\n%xdefine TRUST_TOKEN_CLIENT_add_key BORINGSSL_PREFIX %+ _TRUST_TOKEN_CLIENT_add_key\n%xdefine TRUST_TOKEN_CLIENT_begin_issuance BORINGSSL_PREFIX %+ _TRUST_TOKEN_CLIENT_begin_issuance\n%xdefine TRUST_TOKEN_CLIENT_begin_issuance_over_message BORINGSSL_PREFIX %+ _TRUST_TOKEN_CLIENT_begin_issuance_over_message\n%xdefine TRUST_TOKEN_CLIENT_begin_redemption BORINGSSL_PREFIX %+ _TRUST_TOKEN_CLIENT_begin_redemption\n%xdefine TRUST_TOKEN_CLIENT_finish_issuance BORINGSSL_PREFIX %+ _TRUST_TOKEN_CLIENT_finish_issuance\n%xdefine TRUST_TOKEN_CLIENT_finish_redemption BORINGSSL_PREFIX %+ _TRUST_TOKEN_CLIENT_finish_redemption\n%xdefine TRUST_TOKEN_CLIENT_free BORINGSSL_PREFIX %+ _TRUST_TOKEN_CLIENT_free\n%xdefine TRUST_TOKEN_CLIENT_new BORINGSSL_PREFIX %+ _TRUST_TOKEN_CLIENT_new\n%xdefine TRUST_TOKEN_CLIENT_set_srr_key BORINGSSL_PREFIX %+ _TRUST_TOKEN_CLIENT_set_srr_key\n%xdefine TRUST_TOKEN_ISSUER_add_key BORINGSSL_PREFIX %+ _TRUST_TOKEN_ISSUER_add_key\n%xdefine TRUST_TOKEN_ISSUER_free BORINGSSL_PREFIX %+ _TRUST_TOKEN_ISSUER_free\n%xdefine TRUST_TOKEN_ISSUER_issue BORINGSSL_PREFIX %+ _TRUST_TOKEN_ISSUER_issue\n%xdefine TRUST_TOKEN_ISSUER_new BORINGSSL_PREFIX %+ _TRUST_TOKEN_ISSUER_new\n%xdefine TRUST_TOKEN_ISSUER_redeem BORINGSSL_PREFIX %+ _TRUST_TOKEN_ISSUER_redeem\n%xdefine TRUST_TOKEN_ISSUER_redeem_over_message BORINGSSL_PREFIX %+ _TRUST_TOKEN_ISSUER_redeem_over_message\n%xdefine TRUST_TOKEN_ISSUER_set_metadata_key BORINGSSL_PREFIX %+ _TRUST_TOKEN_ISSUER_set_metadata_key\n%xdefine TRUST_TOKEN_ISSUER_set_srr_key BORINGSSL_PREFIX %+ _TRUST_TOKEN_ISSUER_set_srr_key\n%xdefine TRUST_TOKEN_PRETOKEN_free BORINGSSL_PREFIX %+ _TRUST_TOKEN_PRETOKEN_free\n%xdefine TRUST_TOKEN_decode_private_metadata BORINGSSL_PREFIX %+ _TRUST_TOKEN_decode_private_metadata\n%xdefine TRUST_TOKEN_derive_key_from_secret BORINGSSL_PREFIX %+ _TRUST_TOKEN_derive_key_from_secret\n%xdefine TRUST_TOKEN_experiment_v1 BORINGSSL_PREFIX %+ _TRUST_TOKEN_experiment_v1\n%xdefine TRUST_TOKEN_experiment_v2_pmb BORINGSSL_PREFIX %+ _TRUST_TOKEN_experiment_v2_pmb\n%xdefine TRUST_TOKEN_experiment_v2_voprf BORINGSSL_PREFIX %+ _TRUST_TOKEN_experiment_v2_voprf\n%xdefine TRUST_TOKEN_free BORINGSSL_PREFIX %+ _TRUST_TOKEN_free\n%xdefine TRUST_TOKEN_generate_key BORINGSSL_PREFIX %+ _TRUST_TOKEN_generate_key\n%xdefine TRUST_TOKEN_new BORINGSSL_PREFIX %+ _TRUST_TOKEN_new\n%xdefine TRUST_TOKEN_pst_v1_pmb BORINGSSL_PREFIX %+ _TRUST_TOKEN_pst_v1_pmb\n%xdefine TRUST_TOKEN_pst_v1_voprf BORINGSSL_PREFIX %+ _TRUST_TOKEN_pst_v1_voprf\n%xdefine USERNOTICE_free BORINGSSL_PREFIX %+ _USERNOTICE_free\n%xdefine USERNOTICE_it BORINGSSL_PREFIX %+ _USERNOTICE_it\n%xdefine USERNOTICE_new BORINGSSL_PREFIX %+ _USERNOTICE_new\n%xdefine X25519 BORINGSSL_PREFIX %+ _X25519\n%xdefine X25519_keypair BORINGSSL_PREFIX %+ _X25519_keypair\n%xdefine X25519_public_from_private BORINGSSL_PREFIX %+ _X25519_public_from_private\n%xdefine X509V3_EXT_CRL_add_nconf BORINGSSL_PREFIX %+ _X509V3_EXT_CRL_add_nconf\n%xdefine X509V3_EXT_REQ_add_nconf BORINGSSL_PREFIX %+ _X509V3_EXT_REQ_add_nconf\n%xdefine X509V3_EXT_add BORINGSSL_PREFIX %+ _X509V3_EXT_add\n%xdefine X509V3_EXT_add_alias BORINGSSL_PREFIX %+ _X509V3_EXT_add_alias\n%xdefine X509V3_EXT_add_nconf BORINGSSL_PREFIX %+ _X509V3_EXT_add_nconf\n%xdefine X509V3_EXT_add_nconf_sk BORINGSSL_PREFIX %+ _X509V3_EXT_add_nconf_sk\n%xdefine X509V3_EXT_d2i BORINGSSL_PREFIX %+ _X509V3_EXT_d2i\n%xdefine X509V3_EXT_free BORINGSSL_PREFIX %+ _X509V3_EXT_free\n%xdefine X509V3_EXT_get BORINGSSL_PREFIX %+ _X509V3_EXT_get\n%xdefine X509V3_EXT_get_nid BORINGSSL_PREFIX %+ _X509V3_EXT_get_nid\n%xdefine X509V3_EXT_i2d BORINGSSL_PREFIX %+ _X509V3_EXT_i2d\n%xdefine X509V3_EXT_nconf BORINGSSL_PREFIX %+ _X509V3_EXT_nconf\n%xdefine X509V3_EXT_nconf_nid BORINGSSL_PREFIX %+ _X509V3_EXT_nconf_nid\n%xdefine X509V3_EXT_print BORINGSSL_PREFIX %+ _X509V3_EXT_print\n%xdefine X509V3_EXT_print_fp BORINGSSL_PREFIX %+ _X509V3_EXT_print_fp\n%xdefine X509V3_NAME_from_section BORINGSSL_PREFIX %+ _X509V3_NAME_from_section\n%xdefine X509V3_add1_i2d BORINGSSL_PREFIX %+ _X509V3_add1_i2d\n%xdefine X509V3_add_standard_extensions BORINGSSL_PREFIX %+ _X509V3_add_standard_extensions\n%xdefine X509V3_add_value BORINGSSL_PREFIX %+ _X509V3_add_value\n%xdefine X509V3_add_value_bool BORINGSSL_PREFIX %+ _X509V3_add_value_bool\n%xdefine X509V3_add_value_int BORINGSSL_PREFIX %+ _X509V3_add_value_int\n%xdefine X509V3_bool_from_string BORINGSSL_PREFIX %+ _X509V3_bool_from_string\n%xdefine X509V3_conf_free BORINGSSL_PREFIX %+ _X509V3_conf_free\n%xdefine X509V3_extensions_print BORINGSSL_PREFIX %+ _X509V3_extensions_print\n%xdefine X509V3_get_d2i BORINGSSL_PREFIX %+ _X509V3_get_d2i\n%xdefine X509V3_get_section BORINGSSL_PREFIX %+ _X509V3_get_section\n%xdefine X509V3_get_value_bool BORINGSSL_PREFIX %+ _X509V3_get_value_bool\n%xdefine X509V3_get_value_int BORINGSSL_PREFIX %+ _X509V3_get_value_int\n%xdefine X509V3_parse_list BORINGSSL_PREFIX %+ _X509V3_parse_list\n%xdefine X509V3_set_ctx BORINGSSL_PREFIX %+ _X509V3_set_ctx\n%xdefine X509V3_set_nconf BORINGSSL_PREFIX %+ _X509V3_set_nconf\n%xdefine X509_ALGOR_cmp BORINGSSL_PREFIX %+ _X509_ALGOR_cmp\n%xdefine X509_ALGOR_dup BORINGSSL_PREFIX %+ _X509_ALGOR_dup\n%xdefine X509_ALGOR_free BORINGSSL_PREFIX %+ _X509_ALGOR_free\n%xdefine X509_ALGOR_get0 BORINGSSL_PREFIX %+ _X509_ALGOR_get0\n%xdefine X509_ALGOR_it BORINGSSL_PREFIX %+ _X509_ALGOR_it\n%xdefine X509_ALGOR_new BORINGSSL_PREFIX %+ _X509_ALGOR_new\n%xdefine X509_ALGOR_set0 BORINGSSL_PREFIX %+ _X509_ALGOR_set0\n%xdefine X509_ALGOR_set_md BORINGSSL_PREFIX %+ _X509_ALGOR_set_md\n%xdefine X509_ATTRIBUTE_count BORINGSSL_PREFIX %+ _X509_ATTRIBUTE_count\n%xdefine X509_ATTRIBUTE_create BORINGSSL_PREFIX %+ _X509_ATTRIBUTE_create\n%xdefine X509_ATTRIBUTE_create_by_NID BORINGSSL_PREFIX %+ _X509_ATTRIBUTE_create_by_NID\n%xdefine X509_ATTRIBUTE_create_by_OBJ BORINGSSL_PREFIX %+ _X509_ATTRIBUTE_create_by_OBJ\n%xdefine X509_ATTRIBUTE_create_by_txt BORINGSSL_PREFIX %+ _X509_ATTRIBUTE_create_by_txt\n%xdefine X509_ATTRIBUTE_dup BORINGSSL_PREFIX %+ _X509_ATTRIBUTE_dup\n%xdefine X509_ATTRIBUTE_free BORINGSSL_PREFIX %+ _X509_ATTRIBUTE_free\n%xdefine X509_ATTRIBUTE_get0_data BORINGSSL_PREFIX %+ _X509_ATTRIBUTE_get0_data\n%xdefine X509_ATTRIBUTE_get0_object BORINGSSL_PREFIX %+ _X509_ATTRIBUTE_get0_object\n%xdefine X509_ATTRIBUTE_get0_type BORINGSSL_PREFIX %+ _X509_ATTRIBUTE_get0_type\n%xdefine X509_ATTRIBUTE_it BORINGSSL_PREFIX %+ _X509_ATTRIBUTE_it\n%xdefine X509_ATTRIBUTE_new BORINGSSL_PREFIX %+ _X509_ATTRIBUTE_new\n%xdefine X509_ATTRIBUTE_set1_data BORINGSSL_PREFIX %+ _X509_ATTRIBUTE_set1_data\n%xdefine X509_ATTRIBUTE_set1_object BORINGSSL_PREFIX %+ _X509_ATTRIBUTE_set1_object\n%xdefine X509_CERT_AUX_free BORINGSSL_PREFIX %+ _X509_CERT_AUX_free\n%xdefine X509_CERT_AUX_it BORINGSSL_PREFIX %+ _X509_CERT_AUX_it\n%xdefine X509_CERT_AUX_new BORINGSSL_PREFIX %+ _X509_CERT_AUX_new\n%xdefine X509_CERT_AUX_print BORINGSSL_PREFIX %+ _X509_CERT_AUX_print\n%xdefine X509_CINF_free BORINGSSL_PREFIX %+ _X509_CINF_free\n%xdefine X509_CINF_it BORINGSSL_PREFIX %+ _X509_CINF_it\n%xdefine X509_CINF_new BORINGSSL_PREFIX %+ _X509_CINF_new\n%xdefine X509_CRL_INFO_free BORINGSSL_PREFIX %+ _X509_CRL_INFO_free\n%xdefine X509_CRL_INFO_it BORINGSSL_PREFIX %+ _X509_CRL_INFO_it\n%xdefine X509_CRL_INFO_new BORINGSSL_PREFIX %+ _X509_CRL_INFO_new\n%xdefine X509_CRL_add0_revoked BORINGSSL_PREFIX %+ _X509_CRL_add0_revoked\n%xdefine X509_CRL_add1_ext_i2d BORINGSSL_PREFIX %+ _X509_CRL_add1_ext_i2d\n%xdefine X509_CRL_add_ext BORINGSSL_PREFIX %+ _X509_CRL_add_ext\n%xdefine X509_CRL_cmp BORINGSSL_PREFIX %+ _X509_CRL_cmp\n%xdefine X509_CRL_delete_ext BORINGSSL_PREFIX %+ _X509_CRL_delete_ext\n%xdefine X509_CRL_digest BORINGSSL_PREFIX %+ _X509_CRL_digest\n%xdefine X509_CRL_dup BORINGSSL_PREFIX %+ _X509_CRL_dup\n%xdefine X509_CRL_free BORINGSSL_PREFIX %+ _X509_CRL_free\n%xdefine X509_CRL_get0_by_cert BORINGSSL_PREFIX %+ _X509_CRL_get0_by_cert\n%xdefine X509_CRL_get0_by_serial BORINGSSL_PREFIX %+ _X509_CRL_get0_by_serial\n%xdefine X509_CRL_get0_extensions BORINGSSL_PREFIX %+ _X509_CRL_get0_extensions\n%xdefine X509_CRL_get0_lastUpdate BORINGSSL_PREFIX %+ _X509_CRL_get0_lastUpdate\n%xdefine X509_CRL_get0_nextUpdate BORINGSSL_PREFIX %+ _X509_CRL_get0_nextUpdate\n%xdefine X509_CRL_get0_signature BORINGSSL_PREFIX %+ _X509_CRL_get0_signature\n%xdefine X509_CRL_get_REVOKED BORINGSSL_PREFIX %+ _X509_CRL_get_REVOKED\n%xdefine X509_CRL_get_ext BORINGSSL_PREFIX %+ _X509_CRL_get_ext\n%xdefine X509_CRL_get_ext_by_NID BORINGSSL_PREFIX %+ _X509_CRL_get_ext_by_NID\n%xdefine X509_CRL_get_ext_by_OBJ BORINGSSL_PREFIX %+ _X509_CRL_get_ext_by_OBJ\n%xdefine X509_CRL_get_ext_by_critical BORINGSSL_PREFIX %+ _X509_CRL_get_ext_by_critical\n%xdefine X509_CRL_get_ext_count BORINGSSL_PREFIX %+ _X509_CRL_get_ext_count\n%xdefine X509_CRL_get_ext_d2i BORINGSSL_PREFIX %+ _X509_CRL_get_ext_d2i\n%xdefine X509_CRL_get_issuer BORINGSSL_PREFIX %+ _X509_CRL_get_issuer\n%xdefine X509_CRL_get_lastUpdate BORINGSSL_PREFIX %+ _X509_CRL_get_lastUpdate\n%xdefine X509_CRL_get_nextUpdate BORINGSSL_PREFIX %+ _X509_CRL_get_nextUpdate\n%xdefine X509_CRL_get_signature_nid BORINGSSL_PREFIX %+ _X509_CRL_get_signature_nid\n%xdefine X509_CRL_get_version BORINGSSL_PREFIX %+ _X509_CRL_get_version\n%xdefine X509_CRL_it BORINGSSL_PREFIX %+ _X509_CRL_it\n%xdefine X509_CRL_match BORINGSSL_PREFIX %+ _X509_CRL_match\n%xdefine X509_CRL_new BORINGSSL_PREFIX %+ _X509_CRL_new\n%xdefine X509_CRL_print BORINGSSL_PREFIX %+ _X509_CRL_print\n%xdefine X509_CRL_print_fp BORINGSSL_PREFIX %+ _X509_CRL_print_fp\n%xdefine X509_CRL_set1_lastUpdate BORINGSSL_PREFIX %+ _X509_CRL_set1_lastUpdate\n%xdefine X509_CRL_set1_nextUpdate BORINGSSL_PREFIX %+ _X509_CRL_set1_nextUpdate\n%xdefine X509_CRL_set1_signature_algo BORINGSSL_PREFIX %+ _X509_CRL_set1_signature_algo\n%xdefine X509_CRL_set1_signature_value BORINGSSL_PREFIX %+ _X509_CRL_set1_signature_value\n%xdefine X509_CRL_set_issuer_name BORINGSSL_PREFIX %+ _X509_CRL_set_issuer_name\n%xdefine X509_CRL_set_version BORINGSSL_PREFIX %+ _X509_CRL_set_version\n%xdefine X509_CRL_sign BORINGSSL_PREFIX %+ _X509_CRL_sign\n%xdefine X509_CRL_sign_ctx BORINGSSL_PREFIX %+ _X509_CRL_sign_ctx\n%xdefine X509_CRL_sort BORINGSSL_PREFIX %+ _X509_CRL_sort\n%xdefine X509_CRL_up_ref BORINGSSL_PREFIX %+ _X509_CRL_up_ref\n%xdefine X509_CRL_verify BORINGSSL_PREFIX %+ _X509_CRL_verify\n%xdefine X509_EXTENSIONS_it BORINGSSL_PREFIX %+ _X509_EXTENSIONS_it\n%xdefine X509_EXTENSION_create_by_NID BORINGSSL_PREFIX %+ _X509_EXTENSION_create_by_NID\n%xdefine X509_EXTENSION_create_by_OBJ BORINGSSL_PREFIX %+ _X509_EXTENSION_create_by_OBJ\n%xdefine X509_EXTENSION_dup BORINGSSL_PREFIX %+ _X509_EXTENSION_dup\n%xdefine X509_EXTENSION_free BORINGSSL_PREFIX %+ _X509_EXTENSION_free\n%xdefine X509_EXTENSION_get_critical BORINGSSL_PREFIX %+ _X509_EXTENSION_get_critical\n%xdefine X509_EXTENSION_get_data BORINGSSL_PREFIX %+ _X509_EXTENSION_get_data\n%xdefine X509_EXTENSION_get_object BORINGSSL_PREFIX %+ _X509_EXTENSION_get_object\n%xdefine X509_EXTENSION_it BORINGSSL_PREFIX %+ _X509_EXTENSION_it\n%xdefine X509_EXTENSION_new BORINGSSL_PREFIX %+ _X509_EXTENSION_new\n%xdefine X509_EXTENSION_set_critical BORINGSSL_PREFIX %+ _X509_EXTENSION_set_critical\n%xdefine X509_EXTENSION_set_data BORINGSSL_PREFIX %+ _X509_EXTENSION_set_data\n%xdefine X509_EXTENSION_set_object BORINGSSL_PREFIX %+ _X509_EXTENSION_set_object\n%xdefine X509_INFO_free BORINGSSL_PREFIX %+ _X509_INFO_free\n%xdefine X509_LOOKUP_add_dir BORINGSSL_PREFIX %+ _X509_LOOKUP_add_dir\n%xdefine X509_LOOKUP_ctrl BORINGSSL_PREFIX %+ _X509_LOOKUP_ctrl\n%xdefine X509_LOOKUP_file BORINGSSL_PREFIX %+ _X509_LOOKUP_file\n%xdefine X509_LOOKUP_free BORINGSSL_PREFIX %+ _X509_LOOKUP_free\n%xdefine X509_LOOKUP_hash_dir BORINGSSL_PREFIX %+ _X509_LOOKUP_hash_dir\n%xdefine X509_LOOKUP_load_file BORINGSSL_PREFIX %+ _X509_LOOKUP_load_file\n%xdefine X509_NAME_ENTRY_create_by_NID BORINGSSL_PREFIX %+ _X509_NAME_ENTRY_create_by_NID\n%xdefine X509_NAME_ENTRY_create_by_OBJ BORINGSSL_PREFIX %+ _X509_NAME_ENTRY_create_by_OBJ\n%xdefine X509_NAME_ENTRY_create_by_txt BORINGSSL_PREFIX %+ _X509_NAME_ENTRY_create_by_txt\n%xdefine X509_NAME_ENTRY_dup BORINGSSL_PREFIX %+ _X509_NAME_ENTRY_dup\n%xdefine X509_NAME_ENTRY_free BORINGSSL_PREFIX %+ _X509_NAME_ENTRY_free\n%xdefine X509_NAME_ENTRY_get_data BORINGSSL_PREFIX %+ _X509_NAME_ENTRY_get_data\n%xdefine X509_NAME_ENTRY_get_object BORINGSSL_PREFIX %+ _X509_NAME_ENTRY_get_object\n%xdefine X509_NAME_ENTRY_it BORINGSSL_PREFIX %+ _X509_NAME_ENTRY_it\n%xdefine X509_NAME_ENTRY_new BORINGSSL_PREFIX %+ _X509_NAME_ENTRY_new\n%xdefine X509_NAME_ENTRY_set BORINGSSL_PREFIX %+ _X509_NAME_ENTRY_set\n%xdefine X509_NAME_ENTRY_set_data BORINGSSL_PREFIX %+ _X509_NAME_ENTRY_set_data\n%xdefine X509_NAME_ENTRY_set_object BORINGSSL_PREFIX %+ _X509_NAME_ENTRY_set_object\n%xdefine X509_NAME_add_entry BORINGSSL_PREFIX %+ _X509_NAME_add_entry\n%xdefine X509_NAME_add_entry_by_NID BORINGSSL_PREFIX %+ _X509_NAME_add_entry_by_NID\n%xdefine X509_NAME_add_entry_by_OBJ BORINGSSL_PREFIX %+ _X509_NAME_add_entry_by_OBJ\n%xdefine X509_NAME_add_entry_by_txt BORINGSSL_PREFIX %+ _X509_NAME_add_entry_by_txt\n%xdefine X509_NAME_cmp BORINGSSL_PREFIX %+ _X509_NAME_cmp\n%xdefine X509_NAME_delete_entry BORINGSSL_PREFIX %+ _X509_NAME_delete_entry\n%xdefine X509_NAME_digest BORINGSSL_PREFIX %+ _X509_NAME_digest\n%xdefine X509_NAME_dup BORINGSSL_PREFIX %+ _X509_NAME_dup\n%xdefine X509_NAME_entry_count BORINGSSL_PREFIX %+ _X509_NAME_entry_count\n%xdefine X509_NAME_free BORINGSSL_PREFIX %+ _X509_NAME_free\n%xdefine X509_NAME_get0_der BORINGSSL_PREFIX %+ _X509_NAME_get0_der\n%xdefine X509_NAME_get_entry BORINGSSL_PREFIX %+ _X509_NAME_get_entry\n%xdefine X509_NAME_get_index_by_NID BORINGSSL_PREFIX %+ _X509_NAME_get_index_by_NID\n%xdefine X509_NAME_get_index_by_OBJ BORINGSSL_PREFIX %+ _X509_NAME_get_index_by_OBJ\n%xdefine X509_NAME_get_text_by_NID BORINGSSL_PREFIX %+ _X509_NAME_get_text_by_NID\n%xdefine X509_NAME_get_text_by_OBJ BORINGSSL_PREFIX %+ _X509_NAME_get_text_by_OBJ\n%xdefine X509_NAME_hash BORINGSSL_PREFIX %+ _X509_NAME_hash\n%xdefine X509_NAME_hash_old BORINGSSL_PREFIX %+ _X509_NAME_hash_old\n%xdefine X509_NAME_it BORINGSSL_PREFIX %+ _X509_NAME_it\n%xdefine X509_NAME_new BORINGSSL_PREFIX %+ _X509_NAME_new\n%xdefine X509_NAME_oneline BORINGSSL_PREFIX %+ _X509_NAME_oneline\n%xdefine X509_NAME_print BORINGSSL_PREFIX %+ _X509_NAME_print\n%xdefine X509_NAME_print_ex BORINGSSL_PREFIX %+ _X509_NAME_print_ex\n%xdefine X509_NAME_print_ex_fp BORINGSSL_PREFIX %+ _X509_NAME_print_ex_fp\n%xdefine X509_NAME_set BORINGSSL_PREFIX %+ _X509_NAME_set\n%xdefine X509_OBJECT_free BORINGSSL_PREFIX %+ _X509_OBJECT_free\n%xdefine X509_OBJECT_free_contents BORINGSSL_PREFIX %+ _X509_OBJECT_free_contents\n%xdefine X509_OBJECT_get0_X509 BORINGSSL_PREFIX %+ _X509_OBJECT_get0_X509\n%xdefine X509_OBJECT_get_type BORINGSSL_PREFIX %+ _X509_OBJECT_get_type\n%xdefine X509_OBJECT_new BORINGSSL_PREFIX %+ _X509_OBJECT_new\n%xdefine X509_PUBKEY_free BORINGSSL_PREFIX %+ _X509_PUBKEY_free\n%xdefine X509_PUBKEY_get BORINGSSL_PREFIX %+ _X509_PUBKEY_get\n%xdefine X509_PUBKEY_get0 BORINGSSL_PREFIX %+ _X509_PUBKEY_get0\n%xdefine X509_PUBKEY_get0_param BORINGSSL_PREFIX %+ _X509_PUBKEY_get0_param\n%xdefine X509_PUBKEY_get0_public_key BORINGSSL_PREFIX %+ _X509_PUBKEY_get0_public_key\n%xdefine X509_PUBKEY_it BORINGSSL_PREFIX %+ _X509_PUBKEY_it\n%xdefine X509_PUBKEY_new BORINGSSL_PREFIX %+ _X509_PUBKEY_new\n%xdefine X509_PUBKEY_set BORINGSSL_PREFIX %+ _X509_PUBKEY_set\n%xdefine X509_PUBKEY_set0_param BORINGSSL_PREFIX %+ _X509_PUBKEY_set0_param\n%xdefine X509_PURPOSE_get0 BORINGSSL_PREFIX %+ _X509_PURPOSE_get0\n%xdefine X509_PURPOSE_get_by_sname BORINGSSL_PREFIX %+ _X509_PURPOSE_get_by_sname\n%xdefine X509_PURPOSE_get_id BORINGSSL_PREFIX %+ _X509_PURPOSE_get_id\n%xdefine X509_PURPOSE_get_trust BORINGSSL_PREFIX %+ _X509_PURPOSE_get_trust\n%xdefine X509_REQ_INFO_free BORINGSSL_PREFIX %+ _X509_REQ_INFO_free\n%xdefine X509_REQ_INFO_it BORINGSSL_PREFIX %+ _X509_REQ_INFO_it\n%xdefine X509_REQ_INFO_new BORINGSSL_PREFIX %+ _X509_REQ_INFO_new\n%xdefine X509_REQ_add1_attr BORINGSSL_PREFIX %+ _X509_REQ_add1_attr\n%xdefine X509_REQ_add1_attr_by_NID BORINGSSL_PREFIX %+ _X509_REQ_add1_attr_by_NID\n%xdefine X509_REQ_add1_attr_by_OBJ BORINGSSL_PREFIX %+ _X509_REQ_add1_attr_by_OBJ\n%xdefine X509_REQ_add1_attr_by_txt BORINGSSL_PREFIX %+ _X509_REQ_add1_attr_by_txt\n%xdefine X509_REQ_add_extensions BORINGSSL_PREFIX %+ _X509_REQ_add_extensions\n%xdefine X509_REQ_add_extensions_nid BORINGSSL_PREFIX %+ _X509_REQ_add_extensions_nid\n%xdefine X509_REQ_check_private_key BORINGSSL_PREFIX %+ _X509_REQ_check_private_key\n%xdefine X509_REQ_delete_attr BORINGSSL_PREFIX %+ _X509_REQ_delete_attr\n%xdefine X509_REQ_digest BORINGSSL_PREFIX %+ _X509_REQ_digest\n%xdefine X509_REQ_dup BORINGSSL_PREFIX %+ _X509_REQ_dup\n%xdefine X509_REQ_extension_nid BORINGSSL_PREFIX %+ _X509_REQ_extension_nid\n%xdefine X509_REQ_free BORINGSSL_PREFIX %+ _X509_REQ_free\n%xdefine X509_REQ_get0_pubkey BORINGSSL_PREFIX %+ _X509_REQ_get0_pubkey\n%xdefine X509_REQ_get0_signature BORINGSSL_PREFIX %+ _X509_REQ_get0_signature\n%xdefine X509_REQ_get1_email BORINGSSL_PREFIX %+ _X509_REQ_get1_email\n%xdefine X509_REQ_get_attr BORINGSSL_PREFIX %+ _X509_REQ_get_attr\n%xdefine X509_REQ_get_attr_by_NID BORINGSSL_PREFIX %+ _X509_REQ_get_attr_by_NID\n%xdefine X509_REQ_get_attr_by_OBJ BORINGSSL_PREFIX %+ _X509_REQ_get_attr_by_OBJ\n%xdefine X509_REQ_get_attr_count BORINGSSL_PREFIX %+ _X509_REQ_get_attr_count\n%xdefine X509_REQ_get_extensions BORINGSSL_PREFIX %+ _X509_REQ_get_extensions\n%xdefine X509_REQ_get_pubkey BORINGSSL_PREFIX %+ _X509_REQ_get_pubkey\n%xdefine X509_REQ_get_signature_nid BORINGSSL_PREFIX %+ _X509_REQ_get_signature_nid\n%xdefine X509_REQ_get_subject_name BORINGSSL_PREFIX %+ _X509_REQ_get_subject_name\n%xdefine X509_REQ_get_version BORINGSSL_PREFIX %+ _X509_REQ_get_version\n%xdefine X509_REQ_it BORINGSSL_PREFIX %+ _X509_REQ_it\n%xdefine X509_REQ_new BORINGSSL_PREFIX %+ _X509_REQ_new\n%xdefine X509_REQ_print BORINGSSL_PREFIX %+ _X509_REQ_print\n%xdefine X509_REQ_print_ex BORINGSSL_PREFIX %+ _X509_REQ_print_ex\n%xdefine X509_REQ_print_fp BORINGSSL_PREFIX %+ _X509_REQ_print_fp\n%xdefine X509_REQ_set1_signature_algo BORINGSSL_PREFIX %+ _X509_REQ_set1_signature_algo\n%xdefine X509_REQ_set1_signature_value BORINGSSL_PREFIX %+ _X509_REQ_set1_signature_value\n%xdefine X509_REQ_set_pubkey BORINGSSL_PREFIX %+ _X509_REQ_set_pubkey\n%xdefine X509_REQ_set_subject_name BORINGSSL_PREFIX %+ _X509_REQ_set_subject_name\n%xdefine X509_REQ_set_version BORINGSSL_PREFIX %+ _X509_REQ_set_version\n%xdefine X509_REQ_sign BORINGSSL_PREFIX %+ _X509_REQ_sign\n%xdefine X509_REQ_sign_ctx BORINGSSL_PREFIX %+ _X509_REQ_sign_ctx\n%xdefine X509_REQ_verify BORINGSSL_PREFIX %+ _X509_REQ_verify\n%xdefine X509_REVOKED_add1_ext_i2d BORINGSSL_PREFIX %+ _X509_REVOKED_add1_ext_i2d\n%xdefine X509_REVOKED_add_ext BORINGSSL_PREFIX %+ _X509_REVOKED_add_ext\n%xdefine X509_REVOKED_delete_ext BORINGSSL_PREFIX %+ _X509_REVOKED_delete_ext\n%xdefine X509_REVOKED_dup BORINGSSL_PREFIX %+ _X509_REVOKED_dup\n%xdefine X509_REVOKED_free BORINGSSL_PREFIX %+ _X509_REVOKED_free\n%xdefine X509_REVOKED_get0_extensions BORINGSSL_PREFIX %+ _X509_REVOKED_get0_extensions\n%xdefine X509_REVOKED_get0_revocationDate BORINGSSL_PREFIX %+ _X509_REVOKED_get0_revocationDate\n%xdefine X509_REVOKED_get0_serialNumber BORINGSSL_PREFIX %+ _X509_REVOKED_get0_serialNumber\n%xdefine X509_REVOKED_get_ext BORINGSSL_PREFIX %+ _X509_REVOKED_get_ext\n%xdefine X509_REVOKED_get_ext_by_NID BORINGSSL_PREFIX %+ _X509_REVOKED_get_ext_by_NID\n%xdefine X509_REVOKED_get_ext_by_OBJ BORINGSSL_PREFIX %+ _X509_REVOKED_get_ext_by_OBJ\n%xdefine X509_REVOKED_get_ext_by_critical BORINGSSL_PREFIX %+ _X509_REVOKED_get_ext_by_critical\n%xdefine X509_REVOKED_get_ext_count BORINGSSL_PREFIX %+ _X509_REVOKED_get_ext_count\n%xdefine X509_REVOKED_get_ext_d2i BORINGSSL_PREFIX %+ _X509_REVOKED_get_ext_d2i\n%xdefine X509_REVOKED_it BORINGSSL_PREFIX %+ _X509_REVOKED_it\n%xdefine X509_REVOKED_new BORINGSSL_PREFIX %+ _X509_REVOKED_new\n%xdefine X509_REVOKED_set_revocationDate BORINGSSL_PREFIX %+ _X509_REVOKED_set_revocationDate\n%xdefine X509_REVOKED_set_serialNumber BORINGSSL_PREFIX %+ _X509_REVOKED_set_serialNumber\n%xdefine X509_SIG_free BORINGSSL_PREFIX %+ _X509_SIG_free\n%xdefine X509_SIG_get0 BORINGSSL_PREFIX %+ _X509_SIG_get0\n%xdefine X509_SIG_getm BORINGSSL_PREFIX %+ _X509_SIG_getm\n%xdefine X509_SIG_new BORINGSSL_PREFIX %+ _X509_SIG_new\n%xdefine X509_STORE_CTX_cleanup BORINGSSL_PREFIX %+ _X509_STORE_CTX_cleanup\n%xdefine X509_STORE_CTX_free BORINGSSL_PREFIX %+ _X509_STORE_CTX_free\n%xdefine X509_STORE_CTX_get0_cert BORINGSSL_PREFIX %+ _X509_STORE_CTX_get0_cert\n%xdefine X509_STORE_CTX_get0_chain BORINGSSL_PREFIX %+ _X509_STORE_CTX_get0_chain\n%xdefine X509_STORE_CTX_get0_current_crl BORINGSSL_PREFIX %+ _X509_STORE_CTX_get0_current_crl\n%xdefine X509_STORE_CTX_get0_param BORINGSSL_PREFIX %+ _X509_STORE_CTX_get0_param\n%xdefine X509_STORE_CTX_get0_parent_ctx BORINGSSL_PREFIX %+ _X509_STORE_CTX_get0_parent_ctx\n%xdefine X509_STORE_CTX_get0_store BORINGSSL_PREFIX %+ _X509_STORE_CTX_get0_store\n%xdefine X509_STORE_CTX_get0_untrusted BORINGSSL_PREFIX %+ _X509_STORE_CTX_get0_untrusted\n%xdefine X509_STORE_CTX_get1_certs BORINGSSL_PREFIX %+ _X509_STORE_CTX_get1_certs\n%xdefine X509_STORE_CTX_get1_chain BORINGSSL_PREFIX %+ _X509_STORE_CTX_get1_chain\n%xdefine X509_STORE_CTX_get1_crls BORINGSSL_PREFIX %+ _X509_STORE_CTX_get1_crls\n%xdefine X509_STORE_CTX_get1_issuer BORINGSSL_PREFIX %+ _X509_STORE_CTX_get1_issuer\n%xdefine X509_STORE_CTX_get_by_subject BORINGSSL_PREFIX %+ _X509_STORE_CTX_get_by_subject\n%xdefine X509_STORE_CTX_get_chain BORINGSSL_PREFIX %+ _X509_STORE_CTX_get_chain\n%xdefine X509_STORE_CTX_get_current_cert BORINGSSL_PREFIX %+ _X509_STORE_CTX_get_current_cert\n%xdefine X509_STORE_CTX_get_error BORINGSSL_PREFIX %+ _X509_STORE_CTX_get_error\n%xdefine X509_STORE_CTX_get_error_depth BORINGSSL_PREFIX %+ _X509_STORE_CTX_get_error_depth\n%xdefine X509_STORE_CTX_get_ex_data BORINGSSL_PREFIX %+ _X509_STORE_CTX_get_ex_data\n%xdefine X509_STORE_CTX_get_ex_new_index BORINGSSL_PREFIX %+ _X509_STORE_CTX_get_ex_new_index\n%xdefine X509_STORE_CTX_init BORINGSSL_PREFIX %+ _X509_STORE_CTX_init\n%xdefine X509_STORE_CTX_new BORINGSSL_PREFIX %+ _X509_STORE_CTX_new\n%xdefine X509_STORE_CTX_set0_crls BORINGSSL_PREFIX %+ _X509_STORE_CTX_set0_crls\n%xdefine X509_STORE_CTX_set0_param BORINGSSL_PREFIX %+ _X509_STORE_CTX_set0_param\n%xdefine X509_STORE_CTX_set0_trusted_stack BORINGSSL_PREFIX %+ _X509_STORE_CTX_set0_trusted_stack\n%xdefine X509_STORE_CTX_set_chain BORINGSSL_PREFIX %+ _X509_STORE_CTX_set_chain\n%xdefine X509_STORE_CTX_set_default BORINGSSL_PREFIX %+ _X509_STORE_CTX_set_default\n%xdefine X509_STORE_CTX_set_depth BORINGSSL_PREFIX %+ _X509_STORE_CTX_set_depth\n%xdefine X509_STORE_CTX_set_error BORINGSSL_PREFIX %+ _X509_STORE_CTX_set_error\n%xdefine X509_STORE_CTX_set_ex_data BORINGSSL_PREFIX %+ _X509_STORE_CTX_set_ex_data\n%xdefine X509_STORE_CTX_set_flags BORINGSSL_PREFIX %+ _X509_STORE_CTX_set_flags\n%xdefine X509_STORE_CTX_set_purpose BORINGSSL_PREFIX %+ _X509_STORE_CTX_set_purpose\n%xdefine X509_STORE_CTX_set_time BORINGSSL_PREFIX %+ _X509_STORE_CTX_set_time\n%xdefine X509_STORE_CTX_set_time_posix BORINGSSL_PREFIX %+ _X509_STORE_CTX_set_time_posix\n%xdefine X509_STORE_CTX_set_trust BORINGSSL_PREFIX %+ _X509_STORE_CTX_set_trust\n%xdefine X509_STORE_CTX_set_verify_cb BORINGSSL_PREFIX %+ _X509_STORE_CTX_set_verify_cb\n%xdefine X509_STORE_CTX_trusted_stack BORINGSSL_PREFIX %+ _X509_STORE_CTX_trusted_stack\n%xdefine X509_STORE_add_cert BORINGSSL_PREFIX %+ _X509_STORE_add_cert\n%xdefine X509_STORE_add_crl BORINGSSL_PREFIX %+ _X509_STORE_add_crl\n%xdefine X509_STORE_add_lookup BORINGSSL_PREFIX %+ _X509_STORE_add_lookup\n%xdefine X509_STORE_free BORINGSSL_PREFIX %+ _X509_STORE_free\n%xdefine X509_STORE_get0_objects BORINGSSL_PREFIX %+ _X509_STORE_get0_objects\n%xdefine X509_STORE_get0_param BORINGSSL_PREFIX %+ _X509_STORE_get0_param\n%xdefine X509_STORE_get1_objects BORINGSSL_PREFIX %+ _X509_STORE_get1_objects\n%xdefine X509_STORE_load_locations BORINGSSL_PREFIX %+ _X509_STORE_load_locations\n%xdefine X509_STORE_new BORINGSSL_PREFIX %+ _X509_STORE_new\n%xdefine X509_STORE_set1_param BORINGSSL_PREFIX %+ _X509_STORE_set1_param\n%xdefine X509_STORE_set_default_paths BORINGSSL_PREFIX %+ _X509_STORE_set_default_paths\n%xdefine X509_STORE_set_depth BORINGSSL_PREFIX %+ _X509_STORE_set_depth\n%xdefine X509_STORE_set_flags BORINGSSL_PREFIX %+ _X509_STORE_set_flags\n%xdefine X509_STORE_set_purpose BORINGSSL_PREFIX %+ _X509_STORE_set_purpose\n%xdefine X509_STORE_set_trust BORINGSSL_PREFIX %+ _X509_STORE_set_trust\n%xdefine X509_STORE_set_verify_cb BORINGSSL_PREFIX %+ _X509_STORE_set_verify_cb\n%xdefine X509_STORE_up_ref BORINGSSL_PREFIX %+ _X509_STORE_up_ref\n%xdefine X509_VAL_free BORINGSSL_PREFIX %+ _X509_VAL_free\n%xdefine X509_VAL_it BORINGSSL_PREFIX %+ _X509_VAL_it\n%xdefine X509_VAL_new BORINGSSL_PREFIX %+ _X509_VAL_new\n%xdefine X509_VERIFY_PARAM_add0_policy BORINGSSL_PREFIX %+ _X509_VERIFY_PARAM_add0_policy\n%xdefine X509_VERIFY_PARAM_add1_host BORINGSSL_PREFIX %+ _X509_VERIFY_PARAM_add1_host\n%xdefine X509_VERIFY_PARAM_clear_flags BORINGSSL_PREFIX %+ _X509_VERIFY_PARAM_clear_flags\n%xdefine X509_VERIFY_PARAM_free BORINGSSL_PREFIX %+ _X509_VERIFY_PARAM_free\n%xdefine X509_VERIFY_PARAM_get_depth BORINGSSL_PREFIX %+ _X509_VERIFY_PARAM_get_depth\n%xdefine X509_VERIFY_PARAM_get_flags BORINGSSL_PREFIX %+ _X509_VERIFY_PARAM_get_flags\n%xdefine X509_VERIFY_PARAM_inherit BORINGSSL_PREFIX %+ _X509_VERIFY_PARAM_inherit\n%xdefine X509_VERIFY_PARAM_lookup BORINGSSL_PREFIX %+ _X509_VERIFY_PARAM_lookup\n%xdefine X509_VERIFY_PARAM_new BORINGSSL_PREFIX %+ _X509_VERIFY_PARAM_new\n%xdefine X509_VERIFY_PARAM_set1 BORINGSSL_PREFIX %+ _X509_VERIFY_PARAM_set1\n%xdefine X509_VERIFY_PARAM_set1_email BORINGSSL_PREFIX %+ _X509_VERIFY_PARAM_set1_email\n%xdefine X509_VERIFY_PARAM_set1_host BORINGSSL_PREFIX %+ _X509_VERIFY_PARAM_set1_host\n%xdefine X509_VERIFY_PARAM_set1_ip BORINGSSL_PREFIX %+ _X509_VERIFY_PARAM_set1_ip\n%xdefine X509_VERIFY_PARAM_set1_ip_asc BORINGSSL_PREFIX %+ _X509_VERIFY_PARAM_set1_ip_asc\n%xdefine X509_VERIFY_PARAM_set1_policies BORINGSSL_PREFIX %+ _X509_VERIFY_PARAM_set1_policies\n%xdefine X509_VERIFY_PARAM_set_depth BORINGSSL_PREFIX %+ _X509_VERIFY_PARAM_set_depth\n%xdefine X509_VERIFY_PARAM_set_flags BORINGSSL_PREFIX %+ _X509_VERIFY_PARAM_set_flags\n%xdefine X509_VERIFY_PARAM_set_hostflags BORINGSSL_PREFIX %+ _X509_VERIFY_PARAM_set_hostflags\n%xdefine X509_VERIFY_PARAM_set_purpose BORINGSSL_PREFIX %+ _X509_VERIFY_PARAM_set_purpose\n%xdefine X509_VERIFY_PARAM_set_time BORINGSSL_PREFIX %+ _X509_VERIFY_PARAM_set_time\n%xdefine X509_VERIFY_PARAM_set_time_posix BORINGSSL_PREFIX %+ _X509_VERIFY_PARAM_set_time_posix\n%xdefine X509_VERIFY_PARAM_set_trust BORINGSSL_PREFIX %+ _X509_VERIFY_PARAM_set_trust\n%xdefine X509_add1_ext_i2d BORINGSSL_PREFIX %+ _X509_add1_ext_i2d\n%xdefine X509_add1_reject_object BORINGSSL_PREFIX %+ _X509_add1_reject_object\n%xdefine X509_add1_trust_object BORINGSSL_PREFIX %+ _X509_add1_trust_object\n%xdefine X509_add_ext BORINGSSL_PREFIX %+ _X509_add_ext\n%xdefine X509_alias_get0 BORINGSSL_PREFIX %+ _X509_alias_get0\n%xdefine X509_alias_set1 BORINGSSL_PREFIX %+ _X509_alias_set1\n%xdefine X509_chain_up_ref BORINGSSL_PREFIX %+ _X509_chain_up_ref\n%xdefine X509_check_akid BORINGSSL_PREFIX %+ _X509_check_akid\n%xdefine X509_check_ca BORINGSSL_PREFIX %+ _X509_check_ca\n%xdefine X509_check_email BORINGSSL_PREFIX %+ _X509_check_email\n%xdefine X509_check_host BORINGSSL_PREFIX %+ _X509_check_host\n%xdefine X509_check_ip BORINGSSL_PREFIX %+ _X509_check_ip\n%xdefine X509_check_ip_asc BORINGSSL_PREFIX %+ _X509_check_ip_asc\n%xdefine X509_check_issued BORINGSSL_PREFIX %+ _X509_check_issued\n%xdefine X509_check_private_key BORINGSSL_PREFIX %+ _X509_check_private_key\n%xdefine X509_check_purpose BORINGSSL_PREFIX %+ _X509_check_purpose\n%xdefine X509_check_trust BORINGSSL_PREFIX %+ _X509_check_trust\n%xdefine X509_cmp BORINGSSL_PREFIX %+ _X509_cmp\n%xdefine X509_cmp_current_time BORINGSSL_PREFIX %+ _X509_cmp_current_time\n%xdefine X509_cmp_time BORINGSSL_PREFIX %+ _X509_cmp_time\n%xdefine X509_cmp_time_posix BORINGSSL_PREFIX %+ _X509_cmp_time_posix\n%xdefine X509_delete_ext BORINGSSL_PREFIX %+ _X509_delete_ext\n%xdefine X509_digest BORINGSSL_PREFIX %+ _X509_digest\n%xdefine X509_dup BORINGSSL_PREFIX %+ _X509_dup\n%xdefine X509_email_free BORINGSSL_PREFIX %+ _X509_email_free\n%xdefine X509_find_by_issuer_and_serial BORINGSSL_PREFIX %+ _X509_find_by_issuer_and_serial\n%xdefine X509_find_by_subject BORINGSSL_PREFIX %+ _X509_find_by_subject\n%xdefine X509_free BORINGSSL_PREFIX %+ _X509_free\n%xdefine X509_get0_authority_issuer BORINGSSL_PREFIX %+ _X509_get0_authority_issuer\n%xdefine X509_get0_authority_key_id BORINGSSL_PREFIX %+ _X509_get0_authority_key_id\n%xdefine X509_get0_authority_serial BORINGSSL_PREFIX %+ _X509_get0_authority_serial\n%xdefine X509_get0_extensions BORINGSSL_PREFIX %+ _X509_get0_extensions\n%xdefine X509_get0_notAfter BORINGSSL_PREFIX %+ _X509_get0_notAfter\n%xdefine X509_get0_notBefore BORINGSSL_PREFIX %+ _X509_get0_notBefore\n%xdefine X509_get0_pubkey BORINGSSL_PREFIX %+ _X509_get0_pubkey\n%xdefine X509_get0_pubkey_bitstr BORINGSSL_PREFIX %+ _X509_get0_pubkey_bitstr\n%xdefine X509_get0_serialNumber BORINGSSL_PREFIX %+ _X509_get0_serialNumber\n%xdefine X509_get0_signature BORINGSSL_PREFIX %+ _X509_get0_signature\n%xdefine X509_get0_subject_key_id BORINGSSL_PREFIX %+ _X509_get0_subject_key_id\n%xdefine X509_get0_tbs_sigalg BORINGSSL_PREFIX %+ _X509_get0_tbs_sigalg\n%xdefine X509_get0_uids BORINGSSL_PREFIX %+ _X509_get0_uids\n%xdefine X509_get1_email BORINGSSL_PREFIX %+ _X509_get1_email\n%xdefine X509_get1_ocsp BORINGSSL_PREFIX %+ _X509_get1_ocsp\n%xdefine X509_get_X509_PUBKEY BORINGSSL_PREFIX %+ _X509_get_X509_PUBKEY\n%xdefine X509_get_default_cert_area BORINGSSL_PREFIX %+ _X509_get_default_cert_area\n%xdefine X509_get_default_cert_dir BORINGSSL_PREFIX %+ _X509_get_default_cert_dir\n%xdefine X509_get_default_cert_dir_env BORINGSSL_PREFIX %+ _X509_get_default_cert_dir_env\n%xdefine X509_get_default_cert_file BORINGSSL_PREFIX %+ _X509_get_default_cert_file\n%xdefine X509_get_default_cert_file_env BORINGSSL_PREFIX %+ _X509_get_default_cert_file_env\n%xdefine X509_get_default_private_dir BORINGSSL_PREFIX %+ _X509_get_default_private_dir\n%xdefine X509_get_ex_data BORINGSSL_PREFIX %+ _X509_get_ex_data\n%xdefine X509_get_ex_new_index BORINGSSL_PREFIX %+ _X509_get_ex_new_index\n%xdefine X509_get_ext BORINGSSL_PREFIX %+ _X509_get_ext\n%xdefine X509_get_ext_by_NID BORINGSSL_PREFIX %+ _X509_get_ext_by_NID\n%xdefine X509_get_ext_by_OBJ BORINGSSL_PREFIX %+ _X509_get_ext_by_OBJ\n%xdefine X509_get_ext_by_critical BORINGSSL_PREFIX %+ _X509_get_ext_by_critical\n%xdefine X509_get_ext_count BORINGSSL_PREFIX %+ _X509_get_ext_count\n%xdefine X509_get_ext_d2i BORINGSSL_PREFIX %+ _X509_get_ext_d2i\n%xdefine X509_get_extended_key_usage BORINGSSL_PREFIX %+ _X509_get_extended_key_usage\n%xdefine X509_get_extension_flags BORINGSSL_PREFIX %+ _X509_get_extension_flags\n%xdefine X509_get_issuer_name BORINGSSL_PREFIX %+ _X509_get_issuer_name\n%xdefine X509_get_key_usage BORINGSSL_PREFIX %+ _X509_get_key_usage\n%xdefine X509_get_notAfter BORINGSSL_PREFIX %+ _X509_get_notAfter\n%xdefine X509_get_notBefore BORINGSSL_PREFIX %+ _X509_get_notBefore\n%xdefine X509_get_pathlen BORINGSSL_PREFIX %+ _X509_get_pathlen\n%xdefine X509_get_pubkey BORINGSSL_PREFIX %+ _X509_get_pubkey\n%xdefine X509_get_serialNumber BORINGSSL_PREFIX %+ _X509_get_serialNumber\n%xdefine X509_get_signature_nid BORINGSSL_PREFIX %+ _X509_get_signature_nid\n%xdefine X509_get_subject_name BORINGSSL_PREFIX %+ _X509_get_subject_name\n%xdefine X509_get_version BORINGSSL_PREFIX %+ _X509_get_version\n%xdefine X509_getm_notAfter BORINGSSL_PREFIX %+ _X509_getm_notAfter\n%xdefine X509_getm_notBefore BORINGSSL_PREFIX %+ _X509_getm_notBefore\n%xdefine X509_gmtime_adj BORINGSSL_PREFIX %+ _X509_gmtime_adj\n%xdefine X509_is_valid_trust_id BORINGSSL_PREFIX %+ _X509_is_valid_trust_id\n%xdefine X509_issuer_name_cmp BORINGSSL_PREFIX %+ _X509_issuer_name_cmp\n%xdefine X509_issuer_name_hash BORINGSSL_PREFIX %+ _X509_issuer_name_hash\n%xdefine X509_issuer_name_hash_old BORINGSSL_PREFIX %+ _X509_issuer_name_hash_old\n%xdefine X509_it BORINGSSL_PREFIX %+ _X509_it\n%xdefine X509_keyid_get0 BORINGSSL_PREFIX %+ _X509_keyid_get0\n%xdefine X509_keyid_set1 BORINGSSL_PREFIX %+ _X509_keyid_set1\n%xdefine X509_load_cert_crl_file BORINGSSL_PREFIX %+ _X509_load_cert_crl_file\n%xdefine X509_load_cert_file BORINGSSL_PREFIX %+ _X509_load_cert_file\n%xdefine X509_load_crl_file BORINGSSL_PREFIX %+ _X509_load_crl_file\n%xdefine X509_new BORINGSSL_PREFIX %+ _X509_new\n%xdefine X509_parse_from_buffer BORINGSSL_PREFIX %+ _X509_parse_from_buffer\n%xdefine X509_policy_check BORINGSSL_PREFIX %+ _X509_policy_check\n%xdefine X509_print BORINGSSL_PREFIX %+ _X509_print\n%xdefine X509_print_ex BORINGSSL_PREFIX %+ _X509_print_ex\n%xdefine X509_print_ex_fp BORINGSSL_PREFIX %+ _X509_print_ex_fp\n%xdefine X509_print_fp BORINGSSL_PREFIX %+ _X509_print_fp\n%xdefine X509_pubkey_digest BORINGSSL_PREFIX %+ _X509_pubkey_digest\n%xdefine X509_reject_clear BORINGSSL_PREFIX %+ _X509_reject_clear\n%xdefine X509_set1_notAfter BORINGSSL_PREFIX %+ _X509_set1_notAfter\n%xdefine X509_set1_notBefore BORINGSSL_PREFIX %+ _X509_set1_notBefore\n%xdefine X509_set1_signature_algo BORINGSSL_PREFIX %+ _X509_set1_signature_algo\n%xdefine X509_set1_signature_value BORINGSSL_PREFIX %+ _X509_set1_signature_value\n%xdefine X509_set_ex_data BORINGSSL_PREFIX %+ _X509_set_ex_data\n%xdefine X509_set_issuer_name BORINGSSL_PREFIX %+ _X509_set_issuer_name\n%xdefine X509_set_notAfter BORINGSSL_PREFIX %+ _X509_set_notAfter\n%xdefine X509_set_notBefore BORINGSSL_PREFIX %+ _X509_set_notBefore\n%xdefine X509_set_pubkey BORINGSSL_PREFIX %+ _X509_set_pubkey\n%xdefine X509_set_serialNumber BORINGSSL_PREFIX %+ _X509_set_serialNumber\n%xdefine X509_set_subject_name BORINGSSL_PREFIX %+ _X509_set_subject_name\n%xdefine X509_set_version BORINGSSL_PREFIX %+ _X509_set_version\n%xdefine X509_sign BORINGSSL_PREFIX %+ _X509_sign\n%xdefine X509_sign_ctx BORINGSSL_PREFIX %+ _X509_sign_ctx\n%xdefine X509_signature_dump BORINGSSL_PREFIX %+ _X509_signature_dump\n%xdefine X509_signature_print BORINGSSL_PREFIX %+ _X509_signature_print\n%xdefine X509_subject_name_cmp BORINGSSL_PREFIX %+ _X509_subject_name_cmp\n%xdefine X509_subject_name_hash BORINGSSL_PREFIX %+ _X509_subject_name_hash\n%xdefine X509_subject_name_hash_old BORINGSSL_PREFIX %+ _X509_subject_name_hash_old\n%xdefine X509_supported_extension BORINGSSL_PREFIX %+ _X509_supported_extension\n%xdefine X509_time_adj BORINGSSL_PREFIX %+ _X509_time_adj\n%xdefine X509_time_adj_ex BORINGSSL_PREFIX %+ _X509_time_adj_ex\n%xdefine X509_trust_clear BORINGSSL_PREFIX %+ _X509_trust_clear\n%xdefine X509_up_ref BORINGSSL_PREFIX %+ _X509_up_ref\n%xdefine X509_verify BORINGSSL_PREFIX %+ _X509_verify\n%xdefine X509_verify_cert BORINGSSL_PREFIX %+ _X509_verify_cert\n%xdefine X509_verify_cert_error_string BORINGSSL_PREFIX %+ _X509_verify_cert_error_string\n%xdefine X509v3_add_ext BORINGSSL_PREFIX %+ _X509v3_add_ext\n%xdefine X509v3_delete_ext BORINGSSL_PREFIX %+ _X509v3_delete_ext\n%xdefine X509v3_get_ext BORINGSSL_PREFIX %+ _X509v3_get_ext\n%xdefine X509v3_get_ext_by_NID BORINGSSL_PREFIX %+ _X509v3_get_ext_by_NID\n%xdefine X509v3_get_ext_by_OBJ BORINGSSL_PREFIX %+ _X509v3_get_ext_by_OBJ\n%xdefine X509v3_get_ext_by_critical BORINGSSL_PREFIX %+ _X509v3_get_ext_by_critical\n%xdefine X509v3_get_ext_count BORINGSSL_PREFIX %+ _X509v3_get_ext_count\n%xdefine __clang_call_terminate BORINGSSL_PREFIX %+ ___clang_call_terminate\n%xdefine a2i_IPADDRESS BORINGSSL_PREFIX %+ _a2i_IPADDRESS\n%xdefine a2i_IPADDRESS_NC BORINGSSL_PREFIX %+ _a2i_IPADDRESS_NC\n%xdefine aes128gcmsiv_aes_ks BORINGSSL_PREFIX %+ _aes128gcmsiv_aes_ks\n%xdefine aes128gcmsiv_aes_ks_enc_x1 BORINGSSL_PREFIX %+ _aes128gcmsiv_aes_ks_enc_x1\n%xdefine aes128gcmsiv_dec BORINGSSL_PREFIX %+ _aes128gcmsiv_dec\n%xdefine aes128gcmsiv_ecb_enc_block BORINGSSL_PREFIX %+ _aes128gcmsiv_ecb_enc_block\n%xdefine aes128gcmsiv_enc_msg_x4 BORINGSSL_PREFIX %+ _aes128gcmsiv_enc_msg_x4\n%xdefine aes128gcmsiv_enc_msg_x8 BORINGSSL_PREFIX %+ _aes128gcmsiv_enc_msg_x8\n%xdefine aes128gcmsiv_kdf BORINGSSL_PREFIX %+ _aes128gcmsiv_kdf\n%xdefine aes256gcmsiv_aes_ks BORINGSSL_PREFIX %+ _aes256gcmsiv_aes_ks\n%xdefine aes256gcmsiv_aes_ks_enc_x1 BORINGSSL_PREFIX %+ _aes256gcmsiv_aes_ks_enc_x1\n%xdefine aes256gcmsiv_dec BORINGSSL_PREFIX %+ _aes256gcmsiv_dec\n%xdefine aes256gcmsiv_ecb_enc_block BORINGSSL_PREFIX %+ _aes256gcmsiv_ecb_enc_block\n%xdefine aes256gcmsiv_enc_msg_x4 BORINGSSL_PREFIX %+ _aes256gcmsiv_enc_msg_x4\n%xdefine aes256gcmsiv_enc_msg_x8 BORINGSSL_PREFIX %+ _aes256gcmsiv_enc_msg_x8\n%xdefine aes256gcmsiv_kdf BORINGSSL_PREFIX %+ _aes256gcmsiv_kdf\n%xdefine aes_ctr_set_key BORINGSSL_PREFIX %+ _aes_ctr_set_key\n%xdefine aes_gcm_dec_kernel BORINGSSL_PREFIX %+ _aes_gcm_dec_kernel\n%xdefine aes_gcm_dec_update_vaes_avx10_512 BORINGSSL_PREFIX %+ _aes_gcm_dec_update_vaes_avx10_512\n%xdefine aes_gcm_dec_update_vaes_avx2 BORINGSSL_PREFIX %+ _aes_gcm_dec_update_vaes_avx2\n%xdefine aes_gcm_enc_kernel BORINGSSL_PREFIX %+ _aes_gcm_enc_kernel\n%xdefine aes_gcm_enc_update_vaes_avx10_512 BORINGSSL_PREFIX %+ _aes_gcm_enc_update_vaes_avx10_512\n%xdefine aes_gcm_enc_update_vaes_avx2 BORINGSSL_PREFIX %+ _aes_gcm_enc_update_vaes_avx2\n%xdefine aes_hw_cbc_encrypt BORINGSSL_PREFIX %+ _aes_hw_cbc_encrypt\n%xdefine aes_hw_ctr32_encrypt_blocks BORINGSSL_PREFIX %+ _aes_hw_ctr32_encrypt_blocks\n%xdefine aes_hw_decrypt BORINGSSL_PREFIX %+ _aes_hw_decrypt\n%xdefine aes_hw_ecb_encrypt BORINGSSL_PREFIX %+ _aes_hw_ecb_encrypt\n%xdefine aes_hw_encrypt BORINGSSL_PREFIX %+ _aes_hw_encrypt\n%xdefine aes_hw_encrypt_key_to_decrypt_key BORINGSSL_PREFIX %+ _aes_hw_encrypt_key_to_decrypt_key\n%xdefine aes_hw_set_decrypt_key BORINGSSL_PREFIX %+ _aes_hw_set_decrypt_key\n%xdefine aes_hw_set_encrypt_key BORINGSSL_PREFIX %+ _aes_hw_set_encrypt_key\n%xdefine aes_hw_set_encrypt_key_alt BORINGSSL_PREFIX %+ _aes_hw_set_encrypt_key_alt\n%xdefine aes_hw_set_encrypt_key_alt_preferred BORINGSSL_PREFIX %+ _aes_hw_set_encrypt_key_alt_preferred\n%xdefine aes_hw_set_encrypt_key_base BORINGSSL_PREFIX %+ _aes_hw_set_encrypt_key_base\n%xdefine aes_nohw_cbc_encrypt BORINGSSL_PREFIX %+ _aes_nohw_cbc_encrypt\n%xdefine aes_nohw_ctr32_encrypt_blocks BORINGSSL_PREFIX %+ _aes_nohw_ctr32_encrypt_blocks\n%xdefine aes_nohw_decrypt BORINGSSL_PREFIX %+ _aes_nohw_decrypt\n%xdefine aes_nohw_encrypt BORINGSSL_PREFIX %+ _aes_nohw_encrypt\n%xdefine aes_nohw_set_decrypt_key BORINGSSL_PREFIX %+ _aes_nohw_set_decrypt_key\n%xdefine aes_nohw_set_encrypt_key BORINGSSL_PREFIX %+ _aes_nohw_set_encrypt_key\n%xdefine aesgcmsiv_htable6_init BORINGSSL_PREFIX %+ _aesgcmsiv_htable6_init\n%xdefine aesgcmsiv_htable_init BORINGSSL_PREFIX %+ _aesgcmsiv_htable_init\n%xdefine aesgcmsiv_htable_polyval BORINGSSL_PREFIX %+ _aesgcmsiv_htable_polyval\n%xdefine aesgcmsiv_polyval_horner BORINGSSL_PREFIX %+ _aesgcmsiv_polyval_horner\n%xdefine aesni_gcm_decrypt BORINGSSL_PREFIX %+ _aesni_gcm_decrypt\n%xdefine aesni_gcm_encrypt BORINGSSL_PREFIX %+ _aesni_gcm_encrypt\n%xdefine asn1_bit_string_length BORINGSSL_PREFIX %+ _asn1_bit_string_length\n%xdefine asn1_do_adb BORINGSSL_PREFIX %+ _asn1_do_adb\n%xdefine asn1_enc_free BORINGSSL_PREFIX %+ _asn1_enc_free\n%xdefine asn1_enc_init BORINGSSL_PREFIX %+ _asn1_enc_init\n%xdefine asn1_enc_restore BORINGSSL_PREFIX %+ _asn1_enc_restore\n%xdefine asn1_enc_save BORINGSSL_PREFIX %+ _asn1_enc_save\n%xdefine asn1_encoding_clear BORINGSSL_PREFIX %+ _asn1_encoding_clear\n%xdefine asn1_generalizedtime_to_tm BORINGSSL_PREFIX %+ _asn1_generalizedtime_to_tm\n%xdefine asn1_get_choice_selector BORINGSSL_PREFIX %+ _asn1_get_choice_selector\n%xdefine asn1_get_field_ptr BORINGSSL_PREFIX %+ _asn1_get_field_ptr\n%xdefine asn1_get_string_table_for_testing BORINGSSL_PREFIX %+ _asn1_get_string_table_for_testing\n%xdefine asn1_is_printable BORINGSSL_PREFIX %+ _asn1_is_printable\n%xdefine asn1_refcount_dec_and_test_zero BORINGSSL_PREFIX %+ _asn1_refcount_dec_and_test_zero\n%xdefine asn1_refcount_set_one BORINGSSL_PREFIX %+ _asn1_refcount_set_one\n%xdefine asn1_set_choice_selector BORINGSSL_PREFIX %+ _asn1_set_choice_selector\n%xdefine asn1_type_cleanup BORINGSSL_PREFIX %+ _asn1_type_cleanup\n%xdefine asn1_type_set0_string BORINGSSL_PREFIX %+ _asn1_type_set0_string\n%xdefine asn1_type_value_as_pointer BORINGSSL_PREFIX %+ _asn1_type_value_as_pointer\n%xdefine asn1_utctime_to_tm BORINGSSL_PREFIX %+ _asn1_utctime_to_tm\n%xdefine bcm_as_approved_status BORINGSSL_PREFIX %+ _bcm_as_approved_status\n%xdefine bcm_success BORINGSSL_PREFIX %+ _bcm_success\n%xdefine beeu_mod_inverse_vartime BORINGSSL_PREFIX %+ _beeu_mod_inverse_vartime\n%xdefine bio_clear_socket_error BORINGSSL_PREFIX %+ _bio_clear_socket_error\n%xdefine bio_errno_should_retry BORINGSSL_PREFIX %+ _bio_errno_should_retry\n%xdefine bio_ip_and_port_to_socket_and_addr BORINGSSL_PREFIX %+ _bio_ip_and_port_to_socket_and_addr\n%xdefine bio_sock_error BORINGSSL_PREFIX %+ _bio_sock_error\n%xdefine bio_socket_nbio BORINGSSL_PREFIX %+ _bio_socket_nbio\n%xdefine bio_socket_should_retry BORINGSSL_PREFIX %+ _bio_socket_should_retry\n%xdefine bn_abs_sub_consttime BORINGSSL_PREFIX %+ _bn_abs_sub_consttime\n%xdefine bn_add_words BORINGSSL_PREFIX %+ _bn_add_words\n%xdefine bn_assert_fits_in_bytes BORINGSSL_PREFIX %+ _bn_assert_fits_in_bytes\n%xdefine bn_big_endian_to_words BORINGSSL_PREFIX %+ _bn_big_endian_to_words\n%xdefine bn_copy_words BORINGSSL_PREFIX %+ _bn_copy_words\n%xdefine bn_declassify BORINGSSL_PREFIX %+ _bn_declassify\n%xdefine bn_div_consttime BORINGSSL_PREFIX %+ _bn_div_consttime\n%xdefine bn_expand BORINGSSL_PREFIX %+ _bn_expand\n%xdefine bn_fits_in_words BORINGSSL_PREFIX %+ _bn_fits_in_words\n%xdefine bn_from_montgomery_small BORINGSSL_PREFIX %+ _bn_from_montgomery_small\n%xdefine bn_gather5 BORINGSSL_PREFIX %+ _bn_gather5\n%xdefine bn_in_range_words BORINGSSL_PREFIX %+ _bn_in_range_words\n%xdefine bn_is_bit_set_words BORINGSSL_PREFIX %+ _bn_is_bit_set_words\n%xdefine bn_is_relatively_prime BORINGSSL_PREFIX %+ _bn_is_relatively_prime\n%xdefine bn_jacobi BORINGSSL_PREFIX %+ _bn_jacobi\n%xdefine bn_lcm_consttime BORINGSSL_PREFIX %+ _bn_lcm_consttime\n%xdefine bn_less_than_montgomery_R BORINGSSL_PREFIX %+ _bn_less_than_montgomery_R\n%xdefine bn_less_than_words BORINGSSL_PREFIX %+ _bn_less_than_words\n%xdefine bn_miller_rabin_init BORINGSSL_PREFIX %+ _bn_miller_rabin_init\n%xdefine bn_miller_rabin_iteration BORINGSSL_PREFIX %+ _bn_miller_rabin_iteration\n%xdefine bn_minimal_width BORINGSSL_PREFIX %+ _bn_minimal_width\n%xdefine bn_mod_add_consttime BORINGSSL_PREFIX %+ _bn_mod_add_consttime\n%xdefine bn_mod_add_words BORINGSSL_PREFIX %+ _bn_mod_add_words\n%xdefine bn_mod_exp_mont_small BORINGSSL_PREFIX %+ _bn_mod_exp_mont_small\n%xdefine bn_mod_inverse0_prime_mont_small BORINGSSL_PREFIX %+ _bn_mod_inverse0_prime_mont_small\n%xdefine bn_mod_inverse_consttime BORINGSSL_PREFIX %+ _bn_mod_inverse_consttime\n%xdefine bn_mod_inverse_prime BORINGSSL_PREFIX %+ _bn_mod_inverse_prime\n%xdefine bn_mod_inverse_secret_prime BORINGSSL_PREFIX %+ _bn_mod_inverse_secret_prime\n%xdefine bn_mod_lshift1_consttime BORINGSSL_PREFIX %+ _bn_mod_lshift1_consttime\n%xdefine bn_mod_lshift_consttime BORINGSSL_PREFIX %+ _bn_mod_lshift_consttime\n%xdefine bn_mod_mul_montgomery_small BORINGSSL_PREFIX %+ _bn_mod_mul_montgomery_small\n%xdefine bn_mod_sub_consttime BORINGSSL_PREFIX %+ _bn_mod_sub_consttime\n%xdefine bn_mod_sub_words BORINGSSL_PREFIX %+ _bn_mod_sub_words\n%xdefine bn_mod_u16_consttime BORINGSSL_PREFIX %+ _bn_mod_u16_consttime\n%xdefine bn_mont_ctx_cleanup BORINGSSL_PREFIX %+ _bn_mont_ctx_cleanup\n%xdefine bn_mont_ctx_init BORINGSSL_PREFIX %+ _bn_mont_ctx_init\n%xdefine bn_mont_ctx_set_RR_consttime BORINGSSL_PREFIX %+ _bn_mont_ctx_set_RR_consttime\n%xdefine bn_mont_n0 BORINGSSL_PREFIX %+ _bn_mont_n0\n%xdefine bn_mul4x_mont BORINGSSL_PREFIX %+ _bn_mul4x_mont\n%xdefine bn_mul4x_mont_capable BORINGSSL_PREFIX %+ _bn_mul4x_mont_capable\n%xdefine bn_mul4x_mont_gather5 BORINGSSL_PREFIX %+ _bn_mul4x_mont_gather5\n%xdefine bn_mul4x_mont_gather5_capable BORINGSSL_PREFIX %+ _bn_mul4x_mont_gather5_capable\n%xdefine bn_mul_add_words BORINGSSL_PREFIX %+ _bn_mul_add_words\n%xdefine bn_mul_comba4 BORINGSSL_PREFIX %+ _bn_mul_comba4\n%xdefine bn_mul_comba8 BORINGSSL_PREFIX %+ _bn_mul_comba8\n%xdefine bn_mul_consttime BORINGSSL_PREFIX %+ _bn_mul_consttime\n%xdefine bn_mul_mont BORINGSSL_PREFIX %+ _bn_mul_mont\n%xdefine bn_mul_mont_gather5_nohw BORINGSSL_PREFIX %+ _bn_mul_mont_gather5_nohw\n%xdefine bn_mul_mont_nohw BORINGSSL_PREFIX %+ _bn_mul_mont_nohw\n%xdefine bn_mul_small BORINGSSL_PREFIX %+ _bn_mul_small\n%xdefine bn_mul_words BORINGSSL_PREFIX %+ _bn_mul_words\n%xdefine bn_mulx4x_mont BORINGSSL_PREFIX %+ _bn_mulx4x_mont\n%xdefine bn_mulx4x_mont_capable BORINGSSL_PREFIX %+ _bn_mulx4x_mont_capable\n%xdefine bn_mulx4x_mont_gather5 BORINGSSL_PREFIX %+ _bn_mulx4x_mont_gather5\n%xdefine bn_mulx4x_mont_gather5_capable BORINGSSL_PREFIX %+ _bn_mulx4x_mont_gather5_capable\n%xdefine bn_mulx_adx_capable BORINGSSL_PREFIX %+ _bn_mulx_adx_capable\n%xdefine bn_odd_number_is_obviously_composite BORINGSSL_PREFIX %+ _bn_odd_number_is_obviously_composite\n%xdefine bn_one_to_montgomery BORINGSSL_PREFIX %+ _bn_one_to_montgomery\n%xdefine bn_power5_capable BORINGSSL_PREFIX %+ _bn_power5_capable\n%xdefine bn_power5_nohw BORINGSSL_PREFIX %+ _bn_power5_nohw\n%xdefine bn_powerx5 BORINGSSL_PREFIX %+ _bn_powerx5\n%xdefine bn_powerx5_capable BORINGSSL_PREFIX %+ _bn_powerx5_capable\n%xdefine bn_rand_range_words BORINGSSL_PREFIX %+ _bn_rand_range_words\n%xdefine bn_rand_secret_range BORINGSSL_PREFIX %+ _bn_rand_secret_range\n%xdefine bn_reduce_once BORINGSSL_PREFIX %+ _bn_reduce_once\n%xdefine bn_reduce_once_in_place BORINGSSL_PREFIX %+ _bn_reduce_once_in_place\n%xdefine bn_resize_words BORINGSSL_PREFIX %+ _bn_resize_words\n%xdefine bn_rshift1_words BORINGSSL_PREFIX %+ _bn_rshift1_words\n%xdefine bn_rshift_secret_shift BORINGSSL_PREFIX %+ _bn_rshift_secret_shift\n%xdefine bn_rshift_words BORINGSSL_PREFIX %+ _bn_rshift_words\n%xdefine bn_scatter5 BORINGSSL_PREFIX %+ _bn_scatter5\n%xdefine bn_secret BORINGSSL_PREFIX %+ _bn_secret\n%xdefine bn_select_words BORINGSSL_PREFIX %+ _bn_select_words\n%xdefine bn_set_minimal_width BORINGSSL_PREFIX %+ _bn_set_minimal_width\n%xdefine bn_set_static_words BORINGSSL_PREFIX %+ _bn_set_static_words\n%xdefine bn_set_words BORINGSSL_PREFIX %+ _bn_set_words\n%xdefine bn_sqr8x_internal BORINGSSL_PREFIX %+ _bn_sqr8x_internal\n%xdefine bn_sqr8x_mont BORINGSSL_PREFIX %+ _bn_sqr8x_mont\n%xdefine bn_sqr8x_mont_capable BORINGSSL_PREFIX %+ _bn_sqr8x_mont_capable\n%xdefine bn_sqr_comba4 BORINGSSL_PREFIX %+ _bn_sqr_comba4\n%xdefine bn_sqr_comba8 BORINGSSL_PREFIX %+ _bn_sqr_comba8\n%xdefine bn_sqr_consttime BORINGSSL_PREFIX %+ _bn_sqr_consttime\n%xdefine bn_sqr_small BORINGSSL_PREFIX %+ _bn_sqr_small\n%xdefine bn_sqr_words BORINGSSL_PREFIX %+ _bn_sqr_words\n%xdefine bn_sqrx8x_internal BORINGSSL_PREFIX %+ _bn_sqrx8x_internal\n%xdefine bn_sub_words BORINGSSL_PREFIX %+ _bn_sub_words\n%xdefine bn_to_montgomery_small BORINGSSL_PREFIX %+ _bn_to_montgomery_small\n%xdefine bn_uadd_consttime BORINGSSL_PREFIX %+ _bn_uadd_consttime\n%xdefine bn_usub_consttime BORINGSSL_PREFIX %+ _bn_usub_consttime\n%xdefine bn_wexpand BORINGSSL_PREFIX %+ _bn_wexpand\n%xdefine bn_words_to_big_endian BORINGSSL_PREFIX %+ _bn_words_to_big_endian\n%xdefine boringssl_ensure_ecc_self_test BORINGSSL_PREFIX %+ _boringssl_ensure_ecc_self_test\n%xdefine boringssl_ensure_ffdh_self_test BORINGSSL_PREFIX %+ _boringssl_ensure_ffdh_self_test\n%xdefine boringssl_ensure_rsa_self_test BORINGSSL_PREFIX %+ _boringssl_ensure_rsa_self_test\n%xdefine boringssl_fips_break_test BORINGSSL_PREFIX %+ _boringssl_fips_break_test\n%xdefine boringssl_fips_inc_counter BORINGSSL_PREFIX %+ _boringssl_fips_inc_counter\n%xdefine boringssl_self_test_hmac_sha256 BORINGSSL_PREFIX %+ _boringssl_self_test_hmac_sha256\n%xdefine boringssl_self_test_sha256 BORINGSSL_PREFIX %+ _boringssl_self_test_sha256\n%xdefine boringssl_self_test_sha512 BORINGSSL_PREFIX %+ _boringssl_self_test_sha512\n%xdefine bsaes_capable BORINGSSL_PREFIX %+ _bsaes_capable\n%xdefine bsaes_cbc_encrypt BORINGSSL_PREFIX %+ _bsaes_cbc_encrypt\n%xdefine c2i_ASN1_BIT_STRING BORINGSSL_PREFIX %+ _c2i_ASN1_BIT_STRING\n%xdefine c2i_ASN1_INTEGER BORINGSSL_PREFIX %+ _c2i_ASN1_INTEGER\n%xdefine c2i_ASN1_OBJECT BORINGSSL_PREFIX %+ _c2i_ASN1_OBJECT\n%xdefine chacha20_poly1305_asm_capable BORINGSSL_PREFIX %+ _chacha20_poly1305_asm_capable\n%xdefine chacha20_poly1305_open BORINGSSL_PREFIX %+ _chacha20_poly1305_open\n%xdefine chacha20_poly1305_open_avx2 BORINGSSL_PREFIX %+ _chacha20_poly1305_open_avx2\n%xdefine chacha20_poly1305_open_nohw BORINGSSL_PREFIX %+ _chacha20_poly1305_open_nohw\n%xdefine chacha20_poly1305_seal BORINGSSL_PREFIX %+ _chacha20_poly1305_seal\n%xdefine chacha20_poly1305_seal_avx2 BORINGSSL_PREFIX %+ _chacha20_poly1305_seal_avx2\n%xdefine chacha20_poly1305_seal_nohw BORINGSSL_PREFIX %+ _chacha20_poly1305_seal_nohw\n%xdefine crypto_gcm_clmul_enabled BORINGSSL_PREFIX %+ _crypto_gcm_clmul_enabled\n%xdefine d2i_ASN1_BIT_STRING BORINGSSL_PREFIX %+ _d2i_ASN1_BIT_STRING\n%xdefine d2i_ASN1_BMPSTRING BORINGSSL_PREFIX %+ _d2i_ASN1_BMPSTRING\n%xdefine d2i_ASN1_BOOLEAN BORINGSSL_PREFIX %+ _d2i_ASN1_BOOLEAN\n%xdefine d2i_ASN1_ENUMERATED BORINGSSL_PREFIX %+ _d2i_ASN1_ENUMERATED\n%xdefine d2i_ASN1_GENERALIZEDTIME BORINGSSL_PREFIX %+ _d2i_ASN1_GENERALIZEDTIME\n%xdefine d2i_ASN1_GENERALSTRING BORINGSSL_PREFIX %+ _d2i_ASN1_GENERALSTRING\n%xdefine d2i_ASN1_IA5STRING BORINGSSL_PREFIX %+ _d2i_ASN1_IA5STRING\n%xdefine d2i_ASN1_INTEGER BORINGSSL_PREFIX %+ _d2i_ASN1_INTEGER\n%xdefine d2i_ASN1_NULL BORINGSSL_PREFIX %+ _d2i_ASN1_NULL\n%xdefine d2i_ASN1_OBJECT BORINGSSL_PREFIX %+ _d2i_ASN1_OBJECT\n%xdefine d2i_ASN1_OCTET_STRING BORINGSSL_PREFIX %+ _d2i_ASN1_OCTET_STRING\n%xdefine d2i_ASN1_PRINTABLE BORINGSSL_PREFIX %+ _d2i_ASN1_PRINTABLE\n%xdefine d2i_ASN1_PRINTABLESTRING BORINGSSL_PREFIX %+ _d2i_ASN1_PRINTABLESTRING\n%xdefine d2i_ASN1_SEQUENCE_ANY BORINGSSL_PREFIX %+ _d2i_ASN1_SEQUENCE_ANY\n%xdefine d2i_ASN1_SET_ANY BORINGSSL_PREFIX %+ _d2i_ASN1_SET_ANY\n%xdefine d2i_ASN1_T61STRING BORINGSSL_PREFIX %+ _d2i_ASN1_T61STRING\n%xdefine d2i_ASN1_TIME BORINGSSL_PREFIX %+ _d2i_ASN1_TIME\n%xdefine d2i_ASN1_TYPE BORINGSSL_PREFIX %+ _d2i_ASN1_TYPE\n%xdefine d2i_ASN1_UNIVERSALSTRING BORINGSSL_PREFIX %+ _d2i_ASN1_UNIVERSALSTRING\n%xdefine d2i_ASN1_UTCTIME BORINGSSL_PREFIX %+ _d2i_ASN1_UTCTIME\n%xdefine d2i_ASN1_UTF8STRING BORINGSSL_PREFIX %+ _d2i_ASN1_UTF8STRING\n%xdefine d2i_ASN1_VISIBLESTRING BORINGSSL_PREFIX %+ _d2i_ASN1_VISIBLESTRING\n%xdefine d2i_AUTHORITY_INFO_ACCESS BORINGSSL_PREFIX %+ _d2i_AUTHORITY_INFO_ACCESS\n%xdefine d2i_AUTHORITY_KEYID BORINGSSL_PREFIX %+ _d2i_AUTHORITY_KEYID\n%xdefine d2i_AutoPrivateKey BORINGSSL_PREFIX %+ _d2i_AutoPrivateKey\n%xdefine d2i_BASIC_CONSTRAINTS BORINGSSL_PREFIX %+ _d2i_BASIC_CONSTRAINTS\n%xdefine d2i_CERTIFICATEPOLICIES BORINGSSL_PREFIX %+ _d2i_CERTIFICATEPOLICIES\n%xdefine d2i_CRL_DIST_POINTS BORINGSSL_PREFIX %+ _d2i_CRL_DIST_POINTS\n%xdefine d2i_DHparams BORINGSSL_PREFIX %+ _d2i_DHparams\n%xdefine d2i_DHparams_bio BORINGSSL_PREFIX %+ _d2i_DHparams_bio\n%xdefine d2i_DIRECTORYSTRING BORINGSSL_PREFIX %+ _d2i_DIRECTORYSTRING\n%xdefine d2i_DISPLAYTEXT BORINGSSL_PREFIX %+ _d2i_DISPLAYTEXT\n%xdefine d2i_DSAPrivateKey BORINGSSL_PREFIX %+ _d2i_DSAPrivateKey\n%xdefine d2i_DSAPrivateKey_bio BORINGSSL_PREFIX %+ _d2i_DSAPrivateKey_bio\n%xdefine d2i_DSAPrivateKey_fp BORINGSSL_PREFIX %+ _d2i_DSAPrivateKey_fp\n%xdefine d2i_DSAPublicKey BORINGSSL_PREFIX %+ _d2i_DSAPublicKey\n%xdefine d2i_DSA_PUBKEY BORINGSSL_PREFIX %+ _d2i_DSA_PUBKEY\n%xdefine d2i_DSA_PUBKEY_bio BORINGSSL_PREFIX %+ _d2i_DSA_PUBKEY_bio\n%xdefine d2i_DSA_PUBKEY_fp BORINGSSL_PREFIX %+ _d2i_DSA_PUBKEY_fp\n%xdefine d2i_DSA_SIG BORINGSSL_PREFIX %+ _d2i_DSA_SIG\n%xdefine d2i_DSAparams BORINGSSL_PREFIX %+ _d2i_DSAparams\n%xdefine d2i_ECDSA_SIG BORINGSSL_PREFIX %+ _d2i_ECDSA_SIG\n%xdefine d2i_ECPKParameters BORINGSSL_PREFIX %+ _d2i_ECPKParameters\n%xdefine d2i_ECParameters BORINGSSL_PREFIX %+ _d2i_ECParameters\n%xdefine d2i_ECPrivateKey BORINGSSL_PREFIX %+ _d2i_ECPrivateKey\n%xdefine d2i_ECPrivateKey_bio BORINGSSL_PREFIX %+ _d2i_ECPrivateKey_bio\n%xdefine d2i_ECPrivateKey_fp BORINGSSL_PREFIX %+ _d2i_ECPrivateKey_fp\n%xdefine d2i_EC_PUBKEY BORINGSSL_PREFIX %+ _d2i_EC_PUBKEY\n%xdefine d2i_EC_PUBKEY_bio BORINGSSL_PREFIX %+ _d2i_EC_PUBKEY_bio\n%xdefine d2i_EC_PUBKEY_fp BORINGSSL_PREFIX %+ _d2i_EC_PUBKEY_fp\n%xdefine d2i_EXTENDED_KEY_USAGE BORINGSSL_PREFIX %+ _d2i_EXTENDED_KEY_USAGE\n%xdefine d2i_GENERAL_NAME BORINGSSL_PREFIX %+ _d2i_GENERAL_NAME\n%xdefine d2i_GENERAL_NAMES BORINGSSL_PREFIX %+ _d2i_GENERAL_NAMES\n%xdefine d2i_ISSUING_DIST_POINT BORINGSSL_PREFIX %+ _d2i_ISSUING_DIST_POINT\n%xdefine d2i_NETSCAPE_SPKAC BORINGSSL_PREFIX %+ _d2i_NETSCAPE_SPKAC\n%xdefine d2i_NETSCAPE_SPKI BORINGSSL_PREFIX %+ _d2i_NETSCAPE_SPKI\n%xdefine d2i_PKCS12 BORINGSSL_PREFIX %+ _d2i_PKCS12\n%xdefine d2i_PKCS12_bio BORINGSSL_PREFIX %+ _d2i_PKCS12_bio\n%xdefine d2i_PKCS12_fp BORINGSSL_PREFIX %+ _d2i_PKCS12_fp\n%xdefine d2i_PKCS7 BORINGSSL_PREFIX %+ _d2i_PKCS7\n%xdefine d2i_PKCS7_bio BORINGSSL_PREFIX %+ _d2i_PKCS7_bio\n%xdefine d2i_PKCS8PrivateKey_bio BORINGSSL_PREFIX %+ _d2i_PKCS8PrivateKey_bio\n%xdefine d2i_PKCS8PrivateKey_fp BORINGSSL_PREFIX %+ _d2i_PKCS8PrivateKey_fp\n%xdefine d2i_PKCS8_PRIV_KEY_INFO BORINGSSL_PREFIX %+ _d2i_PKCS8_PRIV_KEY_INFO\n%xdefine d2i_PKCS8_PRIV_KEY_INFO_bio BORINGSSL_PREFIX %+ _d2i_PKCS8_PRIV_KEY_INFO_bio\n%xdefine d2i_PKCS8_PRIV_KEY_INFO_fp BORINGSSL_PREFIX %+ _d2i_PKCS8_PRIV_KEY_INFO_fp\n%xdefine d2i_PKCS8_bio BORINGSSL_PREFIX %+ _d2i_PKCS8_bio\n%xdefine d2i_PKCS8_fp BORINGSSL_PREFIX %+ _d2i_PKCS8_fp\n%xdefine d2i_PUBKEY BORINGSSL_PREFIX %+ _d2i_PUBKEY\n%xdefine d2i_PUBKEY_bio BORINGSSL_PREFIX %+ _d2i_PUBKEY_bio\n%xdefine d2i_PUBKEY_fp BORINGSSL_PREFIX %+ _d2i_PUBKEY_fp\n%xdefine d2i_PrivateKey BORINGSSL_PREFIX %+ _d2i_PrivateKey\n%xdefine d2i_PrivateKey_bio BORINGSSL_PREFIX %+ _d2i_PrivateKey_bio\n%xdefine d2i_PrivateKey_fp BORINGSSL_PREFIX %+ _d2i_PrivateKey_fp\n%xdefine d2i_PublicKey BORINGSSL_PREFIX %+ _d2i_PublicKey\n%xdefine d2i_RSAPrivateKey BORINGSSL_PREFIX %+ _d2i_RSAPrivateKey\n%xdefine d2i_RSAPrivateKey_bio BORINGSSL_PREFIX %+ _d2i_RSAPrivateKey_bio\n%xdefine d2i_RSAPrivateKey_fp BORINGSSL_PREFIX %+ _d2i_RSAPrivateKey_fp\n%xdefine d2i_RSAPublicKey BORINGSSL_PREFIX %+ _d2i_RSAPublicKey\n%xdefine d2i_RSAPublicKey_bio BORINGSSL_PREFIX %+ _d2i_RSAPublicKey_bio\n%xdefine d2i_RSAPublicKey_fp BORINGSSL_PREFIX %+ _d2i_RSAPublicKey_fp\n%xdefine d2i_RSA_PSS_PARAMS BORINGSSL_PREFIX %+ _d2i_RSA_PSS_PARAMS\n%xdefine d2i_RSA_PUBKEY BORINGSSL_PREFIX %+ _d2i_RSA_PUBKEY\n%xdefine d2i_RSA_PUBKEY_bio BORINGSSL_PREFIX %+ _d2i_RSA_PUBKEY_bio\n%xdefine d2i_RSA_PUBKEY_fp BORINGSSL_PREFIX %+ _d2i_RSA_PUBKEY_fp\n%xdefine d2i_SSL_SESSION BORINGSSL_PREFIX %+ _d2i_SSL_SESSION\n%xdefine d2i_SSL_SESSION_bio BORINGSSL_PREFIX %+ _d2i_SSL_SESSION_bio\n%xdefine d2i_X509 BORINGSSL_PREFIX %+ _d2i_X509\n%xdefine d2i_X509_ALGOR BORINGSSL_PREFIX %+ _d2i_X509_ALGOR\n%xdefine d2i_X509_ATTRIBUTE BORINGSSL_PREFIX %+ _d2i_X509_ATTRIBUTE\n%xdefine d2i_X509_AUX BORINGSSL_PREFIX %+ _d2i_X509_AUX\n%xdefine d2i_X509_CERT_AUX BORINGSSL_PREFIX %+ _d2i_X509_CERT_AUX\n%xdefine d2i_X509_CINF BORINGSSL_PREFIX %+ _d2i_X509_CINF\n%xdefine d2i_X509_CRL BORINGSSL_PREFIX %+ _d2i_X509_CRL\n%xdefine d2i_X509_CRL_INFO BORINGSSL_PREFIX %+ _d2i_X509_CRL_INFO\n%xdefine d2i_X509_CRL_bio BORINGSSL_PREFIX %+ _d2i_X509_CRL_bio\n%xdefine d2i_X509_CRL_fp BORINGSSL_PREFIX %+ _d2i_X509_CRL_fp\n%xdefine d2i_X509_EXTENSION BORINGSSL_PREFIX %+ _d2i_X509_EXTENSION\n%xdefine d2i_X509_EXTENSIONS BORINGSSL_PREFIX %+ _d2i_X509_EXTENSIONS\n%xdefine d2i_X509_NAME BORINGSSL_PREFIX %+ _d2i_X509_NAME\n%xdefine d2i_X509_PUBKEY BORINGSSL_PREFIX %+ _d2i_X509_PUBKEY\n%xdefine d2i_X509_REQ BORINGSSL_PREFIX %+ _d2i_X509_REQ\n%xdefine d2i_X509_REQ_INFO BORINGSSL_PREFIX %+ _d2i_X509_REQ_INFO\n%xdefine d2i_X509_REQ_bio BORINGSSL_PREFIX %+ _d2i_X509_REQ_bio\n%xdefine d2i_X509_REQ_fp BORINGSSL_PREFIX %+ _d2i_X509_REQ_fp\n%xdefine d2i_X509_REVOKED BORINGSSL_PREFIX %+ _d2i_X509_REVOKED\n%xdefine d2i_X509_SIG BORINGSSL_PREFIX %+ _d2i_X509_SIG\n%xdefine d2i_X509_VAL BORINGSSL_PREFIX %+ _d2i_X509_VAL\n%xdefine d2i_X509_bio BORINGSSL_PREFIX %+ _d2i_X509_bio\n%xdefine d2i_X509_fp BORINGSSL_PREFIX %+ _d2i_X509_fp\n%xdefine dh_asn1_meth BORINGSSL_PREFIX %+ _dh_asn1_meth\n%xdefine dh_check_params_fast BORINGSSL_PREFIX %+ _dh_check_params_fast\n%xdefine dh_compute_key_padded_no_self_test BORINGSSL_PREFIX %+ _dh_compute_key_padded_no_self_test\n%xdefine dh_pkey_meth BORINGSSL_PREFIX %+ _dh_pkey_meth\n%xdefine dsa_asn1_meth BORINGSSL_PREFIX %+ _dsa_asn1_meth\n%xdefine dsa_check_key BORINGSSL_PREFIX %+ _dsa_check_key\n%xdefine ec_GFp_mont_add BORINGSSL_PREFIX %+ _ec_GFp_mont_add\n%xdefine ec_GFp_mont_dbl BORINGSSL_PREFIX %+ _ec_GFp_mont_dbl\n%xdefine ec_GFp_mont_felem_exp BORINGSSL_PREFIX %+ _ec_GFp_mont_felem_exp\n%xdefine ec_GFp_mont_felem_from_bytes BORINGSSL_PREFIX %+ _ec_GFp_mont_felem_from_bytes\n%xdefine ec_GFp_mont_felem_mul BORINGSSL_PREFIX %+ _ec_GFp_mont_felem_mul\n%xdefine ec_GFp_mont_felem_reduce BORINGSSL_PREFIX %+ _ec_GFp_mont_felem_reduce\n%xdefine ec_GFp_mont_felem_sqr BORINGSSL_PREFIX %+ _ec_GFp_mont_felem_sqr\n%xdefine ec_GFp_mont_felem_to_bytes BORINGSSL_PREFIX %+ _ec_GFp_mont_felem_to_bytes\n%xdefine ec_GFp_mont_init_precomp BORINGSSL_PREFIX %+ _ec_GFp_mont_init_precomp\n%xdefine ec_GFp_mont_mul BORINGSSL_PREFIX %+ _ec_GFp_mont_mul\n%xdefine ec_GFp_mont_mul_base BORINGSSL_PREFIX %+ _ec_GFp_mont_mul_base\n%xdefine ec_GFp_mont_mul_batch BORINGSSL_PREFIX %+ _ec_GFp_mont_mul_batch\n%xdefine ec_GFp_mont_mul_precomp BORINGSSL_PREFIX %+ _ec_GFp_mont_mul_precomp\n%xdefine ec_GFp_mont_mul_public_batch BORINGSSL_PREFIX %+ _ec_GFp_mont_mul_public_batch\n%xdefine ec_GFp_nistp_recode_scalar_bits BORINGSSL_PREFIX %+ _ec_GFp_nistp_recode_scalar_bits\n%xdefine ec_GFp_simple_cmp_x_coordinate BORINGSSL_PREFIX %+ _ec_GFp_simple_cmp_x_coordinate\n%xdefine ec_GFp_simple_felem_from_bytes BORINGSSL_PREFIX %+ _ec_GFp_simple_felem_from_bytes\n%xdefine ec_GFp_simple_felem_to_bytes BORINGSSL_PREFIX %+ _ec_GFp_simple_felem_to_bytes\n%xdefine ec_GFp_simple_group_get_curve BORINGSSL_PREFIX %+ _ec_GFp_simple_group_get_curve\n%xdefine ec_GFp_simple_group_set_curve BORINGSSL_PREFIX %+ _ec_GFp_simple_group_set_curve\n%xdefine ec_GFp_simple_invert BORINGSSL_PREFIX %+ _ec_GFp_simple_invert\n%xdefine ec_GFp_simple_is_at_infinity BORINGSSL_PREFIX %+ _ec_GFp_simple_is_at_infinity\n%xdefine ec_GFp_simple_is_on_curve BORINGSSL_PREFIX %+ _ec_GFp_simple_is_on_curve\n%xdefine ec_GFp_simple_point_copy BORINGSSL_PREFIX %+ _ec_GFp_simple_point_copy\n%xdefine ec_GFp_simple_point_init BORINGSSL_PREFIX %+ _ec_GFp_simple_point_init\n%xdefine ec_GFp_simple_point_set_to_infinity BORINGSSL_PREFIX %+ _ec_GFp_simple_point_set_to_infinity\n%xdefine ec_GFp_simple_points_equal BORINGSSL_PREFIX %+ _ec_GFp_simple_points_equal\n%xdefine ec_affine_jacobian_equal BORINGSSL_PREFIX %+ _ec_affine_jacobian_equal\n%xdefine ec_affine_select BORINGSSL_PREFIX %+ _ec_affine_select\n%xdefine ec_affine_to_jacobian BORINGSSL_PREFIX %+ _ec_affine_to_jacobian\n%xdefine ec_asn1_meth BORINGSSL_PREFIX %+ _ec_asn1_meth\n%xdefine ec_bignum_to_felem BORINGSSL_PREFIX %+ _ec_bignum_to_felem\n%xdefine ec_bignum_to_scalar BORINGSSL_PREFIX %+ _ec_bignum_to_scalar\n%xdefine ec_cmp_x_coordinate BORINGSSL_PREFIX %+ _ec_cmp_x_coordinate\n%xdefine ec_compute_wNAF BORINGSSL_PREFIX %+ _ec_compute_wNAF\n%xdefine ec_felem_add BORINGSSL_PREFIX %+ _ec_felem_add\n%xdefine ec_felem_equal BORINGSSL_PREFIX %+ _ec_felem_equal\n%xdefine ec_felem_from_bytes BORINGSSL_PREFIX %+ _ec_felem_from_bytes\n%xdefine ec_felem_neg BORINGSSL_PREFIX %+ _ec_felem_neg\n%xdefine ec_felem_non_zero_mask BORINGSSL_PREFIX %+ _ec_felem_non_zero_mask\n%xdefine ec_felem_one BORINGSSL_PREFIX %+ _ec_felem_one\n%xdefine ec_felem_select BORINGSSL_PREFIX %+ _ec_felem_select\n%xdefine ec_felem_sub BORINGSSL_PREFIX %+ _ec_felem_sub\n%xdefine ec_felem_to_bignum BORINGSSL_PREFIX %+ _ec_felem_to_bignum\n%xdefine ec_felem_to_bytes BORINGSSL_PREFIX %+ _ec_felem_to_bytes\n%xdefine ec_get_x_coordinate_as_bytes BORINGSSL_PREFIX %+ _ec_get_x_coordinate_as_bytes\n%xdefine ec_get_x_coordinate_as_scalar BORINGSSL_PREFIX %+ _ec_get_x_coordinate_as_scalar\n%xdefine ec_hash_to_curve_p256_xmd_sha256_sswu BORINGSSL_PREFIX %+ _ec_hash_to_curve_p256_xmd_sha256_sswu\n%xdefine ec_hash_to_curve_p384_xmd_sha384_sswu BORINGSSL_PREFIX %+ _ec_hash_to_curve_p384_xmd_sha384_sswu\n%xdefine ec_hash_to_curve_p384_xmd_sha512_sswu_draft07 BORINGSSL_PREFIX %+ _ec_hash_to_curve_p384_xmd_sha512_sswu_draft07\n%xdefine ec_hash_to_scalar_p384_xmd_sha384 BORINGSSL_PREFIX %+ _ec_hash_to_scalar_p384_xmd_sha384\n%xdefine ec_hash_to_scalar_p384_xmd_sha512_draft07 BORINGSSL_PREFIX %+ _ec_hash_to_scalar_p384_xmd_sha512_draft07\n%xdefine ec_init_precomp BORINGSSL_PREFIX %+ _ec_init_precomp\n%xdefine ec_jacobian_to_affine BORINGSSL_PREFIX %+ _ec_jacobian_to_affine\n%xdefine ec_jacobian_to_affine_batch BORINGSSL_PREFIX %+ _ec_jacobian_to_affine_batch\n%xdefine ec_pkey_meth BORINGSSL_PREFIX %+ _ec_pkey_meth\n%xdefine ec_point_byte_len BORINGSSL_PREFIX %+ _ec_point_byte_len\n%xdefine ec_point_from_uncompressed BORINGSSL_PREFIX %+ _ec_point_from_uncompressed\n%xdefine ec_point_mul_no_self_test BORINGSSL_PREFIX %+ _ec_point_mul_no_self_test\n%xdefine ec_point_mul_scalar BORINGSSL_PREFIX %+ _ec_point_mul_scalar\n%xdefine ec_point_mul_scalar_base BORINGSSL_PREFIX %+ _ec_point_mul_scalar_base\n%xdefine ec_point_mul_scalar_batch BORINGSSL_PREFIX %+ _ec_point_mul_scalar_batch\n%xdefine ec_point_mul_scalar_precomp BORINGSSL_PREFIX %+ _ec_point_mul_scalar_precomp\n%xdefine ec_point_mul_scalar_public BORINGSSL_PREFIX %+ _ec_point_mul_scalar_public\n%xdefine ec_point_mul_scalar_public_batch BORINGSSL_PREFIX %+ _ec_point_mul_scalar_public_batch\n%xdefine ec_point_select BORINGSSL_PREFIX %+ _ec_point_select\n%xdefine ec_point_set_affine_coordinates BORINGSSL_PREFIX %+ _ec_point_set_affine_coordinates\n%xdefine ec_point_to_bytes BORINGSSL_PREFIX %+ _ec_point_to_bytes\n%xdefine ec_precomp_select BORINGSSL_PREFIX %+ _ec_precomp_select\n%xdefine ec_random_nonzero_scalar BORINGSSL_PREFIX %+ _ec_random_nonzero_scalar\n%xdefine ec_random_scalar BORINGSSL_PREFIX %+ _ec_random_scalar\n%xdefine ec_scalar_add BORINGSSL_PREFIX %+ _ec_scalar_add\n%xdefine ec_scalar_equal_vartime BORINGSSL_PREFIX %+ _ec_scalar_equal_vartime\n%xdefine ec_scalar_from_bytes BORINGSSL_PREFIX %+ _ec_scalar_from_bytes\n%xdefine ec_scalar_from_montgomery BORINGSSL_PREFIX %+ _ec_scalar_from_montgomery\n%xdefine ec_scalar_inv0_montgomery BORINGSSL_PREFIX %+ _ec_scalar_inv0_montgomery\n%xdefine ec_scalar_is_zero BORINGSSL_PREFIX %+ _ec_scalar_is_zero\n%xdefine ec_scalar_mul_montgomery BORINGSSL_PREFIX %+ _ec_scalar_mul_montgomery\n%xdefine ec_scalar_neg BORINGSSL_PREFIX %+ _ec_scalar_neg\n%xdefine ec_scalar_reduce BORINGSSL_PREFIX %+ _ec_scalar_reduce\n%xdefine ec_scalar_select BORINGSSL_PREFIX %+ _ec_scalar_select\n%xdefine ec_scalar_sub BORINGSSL_PREFIX %+ _ec_scalar_sub\n%xdefine ec_scalar_to_bytes BORINGSSL_PREFIX %+ _ec_scalar_to_bytes\n%xdefine ec_scalar_to_montgomery BORINGSSL_PREFIX %+ _ec_scalar_to_montgomery\n%xdefine ec_scalar_to_montgomery_inv_vartime BORINGSSL_PREFIX %+ _ec_scalar_to_montgomery_inv_vartime\n%xdefine ec_set_to_safe_point BORINGSSL_PREFIX %+ _ec_set_to_safe_point\n%xdefine ec_simple_scalar_inv0_montgomery BORINGSSL_PREFIX %+ _ec_simple_scalar_inv0_montgomery\n%xdefine ec_simple_scalar_to_montgomery_inv_vartime BORINGSSL_PREFIX %+ _ec_simple_scalar_to_montgomery_inv_vartime\n%xdefine ecdsa_sign_fixed BORINGSSL_PREFIX %+ _ecdsa_sign_fixed\n%xdefine ecdsa_sign_fixed_with_nonce_for_known_answer_test BORINGSSL_PREFIX %+ _ecdsa_sign_fixed_with_nonce_for_known_answer_test\n%xdefine ecdsa_verify_fixed BORINGSSL_PREFIX %+ _ecdsa_verify_fixed\n%xdefine ecdsa_verify_fixed_no_self_test BORINGSSL_PREFIX %+ _ecdsa_verify_fixed_no_self_test\n%xdefine ecp_nistz256_div_by_2 BORINGSSL_PREFIX %+ _ecp_nistz256_div_by_2\n%xdefine ecp_nistz256_mul_by_2 BORINGSSL_PREFIX %+ _ecp_nistz256_mul_by_2\n%xdefine ecp_nistz256_mul_by_3 BORINGSSL_PREFIX %+ _ecp_nistz256_mul_by_3\n%xdefine ecp_nistz256_mul_mont BORINGSSL_PREFIX %+ _ecp_nistz256_mul_mont\n%xdefine ecp_nistz256_mul_mont_adx BORINGSSL_PREFIX %+ _ecp_nistz256_mul_mont_adx\n%xdefine ecp_nistz256_mul_mont_nohw BORINGSSL_PREFIX %+ _ecp_nistz256_mul_mont_nohw\n%xdefine ecp_nistz256_neg BORINGSSL_PREFIX %+ _ecp_nistz256_neg\n%xdefine ecp_nistz256_ord_mul_mont BORINGSSL_PREFIX %+ _ecp_nistz256_ord_mul_mont\n%xdefine ecp_nistz256_ord_mul_mont_adx BORINGSSL_PREFIX %+ _ecp_nistz256_ord_mul_mont_adx\n%xdefine ecp_nistz256_ord_mul_mont_nohw BORINGSSL_PREFIX %+ _ecp_nistz256_ord_mul_mont_nohw\n%xdefine ecp_nistz256_ord_sqr_mont BORINGSSL_PREFIX %+ _ecp_nistz256_ord_sqr_mont\n%xdefine ecp_nistz256_ord_sqr_mont_adx BORINGSSL_PREFIX %+ _ecp_nistz256_ord_sqr_mont_adx\n%xdefine ecp_nistz256_ord_sqr_mont_nohw BORINGSSL_PREFIX %+ _ecp_nistz256_ord_sqr_mont_nohw\n%xdefine ecp_nistz256_point_add BORINGSSL_PREFIX %+ _ecp_nistz256_point_add\n%xdefine ecp_nistz256_point_add_adx BORINGSSL_PREFIX %+ _ecp_nistz256_point_add_adx\n%xdefine ecp_nistz256_point_add_affine BORINGSSL_PREFIX %+ _ecp_nistz256_point_add_affine\n%xdefine ecp_nistz256_point_add_affine_adx BORINGSSL_PREFIX %+ _ecp_nistz256_point_add_affine_adx\n%xdefine ecp_nistz256_point_add_affine_nohw BORINGSSL_PREFIX %+ _ecp_nistz256_point_add_affine_nohw\n%xdefine ecp_nistz256_point_add_nohw BORINGSSL_PREFIX %+ _ecp_nistz256_point_add_nohw\n%xdefine ecp_nistz256_point_double BORINGSSL_PREFIX %+ _ecp_nistz256_point_double\n%xdefine ecp_nistz256_point_double_adx BORINGSSL_PREFIX %+ _ecp_nistz256_point_double_adx\n%xdefine ecp_nistz256_point_double_nohw BORINGSSL_PREFIX %+ _ecp_nistz256_point_double_nohw\n%xdefine ecp_nistz256_select_w5 BORINGSSL_PREFIX %+ _ecp_nistz256_select_w5\n%xdefine ecp_nistz256_select_w5_avx2 BORINGSSL_PREFIX %+ _ecp_nistz256_select_w5_avx2\n%xdefine ecp_nistz256_select_w5_nohw BORINGSSL_PREFIX %+ _ecp_nistz256_select_w5_nohw\n%xdefine ecp_nistz256_select_w7 BORINGSSL_PREFIX %+ _ecp_nistz256_select_w7\n%xdefine ecp_nistz256_select_w7_avx2 BORINGSSL_PREFIX %+ _ecp_nistz256_select_w7_avx2\n%xdefine ecp_nistz256_select_w7_nohw BORINGSSL_PREFIX %+ _ecp_nistz256_select_w7_nohw\n%xdefine ecp_nistz256_sqr_mont BORINGSSL_PREFIX %+ _ecp_nistz256_sqr_mont\n%xdefine ecp_nistz256_sqr_mont_adx BORINGSSL_PREFIX %+ _ecp_nistz256_sqr_mont_adx\n%xdefine ecp_nistz256_sqr_mont_nohw BORINGSSL_PREFIX %+ _ecp_nistz256_sqr_mont_nohw\n%xdefine ecp_nistz256_sub BORINGSSL_PREFIX %+ _ecp_nistz256_sub\n%xdefine ed25519_asn1_meth BORINGSSL_PREFIX %+ _ed25519_asn1_meth\n%xdefine ed25519_pkey_meth BORINGSSL_PREFIX %+ _ed25519_pkey_meth\n%xdefine evp_pkey_set_method BORINGSSL_PREFIX %+ _evp_pkey_set_method\n%xdefine fiat_curve25519_adx_mul BORINGSSL_PREFIX %+ _fiat_curve25519_adx_mul\n%xdefine fiat_curve25519_adx_square BORINGSSL_PREFIX %+ _fiat_curve25519_adx_square\n%xdefine fiat_p256_adx_mul BORINGSSL_PREFIX %+ _fiat_p256_adx_mul\n%xdefine fiat_p256_adx_sqr BORINGSSL_PREFIX %+ _fiat_p256_adx_sqr\n%xdefine gcm_ghash_avx BORINGSSL_PREFIX %+ _gcm_ghash_avx\n%xdefine gcm_ghash_clmul BORINGSSL_PREFIX %+ _gcm_ghash_clmul\n%xdefine gcm_ghash_neon BORINGSSL_PREFIX %+ _gcm_ghash_neon\n%xdefine gcm_ghash_nohw BORINGSSL_PREFIX %+ _gcm_ghash_nohw\n%xdefine gcm_ghash_ssse3 BORINGSSL_PREFIX %+ _gcm_ghash_ssse3\n%xdefine gcm_ghash_v8 BORINGSSL_PREFIX %+ _gcm_ghash_v8\n%xdefine gcm_ghash_vpclmulqdq_avx10_512 BORINGSSL_PREFIX %+ _gcm_ghash_vpclmulqdq_avx10_512\n%xdefine gcm_ghash_vpclmulqdq_avx2 BORINGSSL_PREFIX %+ _gcm_ghash_vpclmulqdq_avx2\n%xdefine gcm_gmult_avx BORINGSSL_PREFIX %+ _gcm_gmult_avx\n%xdefine gcm_gmult_clmul BORINGSSL_PREFIX %+ _gcm_gmult_clmul\n%xdefine gcm_gmult_neon BORINGSSL_PREFIX %+ _gcm_gmult_neon\n%xdefine gcm_gmult_nohw BORINGSSL_PREFIX %+ _gcm_gmult_nohw\n%xdefine gcm_gmult_ssse3 BORINGSSL_PREFIX %+ _gcm_gmult_ssse3\n%xdefine gcm_gmult_v8 BORINGSSL_PREFIX %+ _gcm_gmult_v8\n%xdefine gcm_gmult_vpclmulqdq_avx10 BORINGSSL_PREFIX %+ _gcm_gmult_vpclmulqdq_avx10\n%xdefine gcm_gmult_vpclmulqdq_avx2 BORINGSSL_PREFIX %+ _gcm_gmult_vpclmulqdq_avx2\n%xdefine gcm_init_avx BORINGSSL_PREFIX %+ _gcm_init_avx\n%xdefine gcm_init_clmul BORINGSSL_PREFIX %+ _gcm_init_clmul\n%xdefine gcm_init_neon BORINGSSL_PREFIX %+ _gcm_init_neon\n%xdefine gcm_init_nohw BORINGSSL_PREFIX %+ _gcm_init_nohw\n%xdefine gcm_init_ssse3 BORINGSSL_PREFIX %+ _gcm_init_ssse3\n%xdefine gcm_init_v8 BORINGSSL_PREFIX %+ _gcm_init_v8\n%xdefine gcm_init_vpclmulqdq_avx10_512 BORINGSSL_PREFIX %+ _gcm_init_vpclmulqdq_avx10_512\n%xdefine gcm_init_vpclmulqdq_avx2 BORINGSSL_PREFIX %+ _gcm_init_vpclmulqdq_avx2\n%xdefine gcm_neon_capable BORINGSSL_PREFIX %+ _gcm_neon_capable\n%xdefine gcm_pmull_capable BORINGSSL_PREFIX %+ _gcm_pmull_capable\n%xdefine have_fast_rdrand BORINGSSL_PREFIX %+ _have_fast_rdrand\n%xdefine have_rdrand BORINGSSL_PREFIX %+ _have_rdrand\n%xdefine hkdf_pkey_meth BORINGSSL_PREFIX %+ _hkdf_pkey_meth\n%xdefine hwaes_capable BORINGSSL_PREFIX %+ _hwaes_capable\n%xdefine i2a_ASN1_ENUMERATED BORINGSSL_PREFIX %+ _i2a_ASN1_ENUMERATED\n%xdefine i2a_ASN1_INTEGER BORINGSSL_PREFIX %+ _i2a_ASN1_INTEGER\n%xdefine i2a_ASN1_OBJECT BORINGSSL_PREFIX %+ _i2a_ASN1_OBJECT\n%xdefine i2a_ASN1_STRING BORINGSSL_PREFIX %+ _i2a_ASN1_STRING\n%xdefine i2c_ASN1_BIT_STRING BORINGSSL_PREFIX %+ _i2c_ASN1_BIT_STRING\n%xdefine i2c_ASN1_INTEGER BORINGSSL_PREFIX %+ _i2c_ASN1_INTEGER\n%xdefine i2d_ASN1_BIT_STRING BORINGSSL_PREFIX %+ _i2d_ASN1_BIT_STRING\n%xdefine i2d_ASN1_BMPSTRING BORINGSSL_PREFIX %+ _i2d_ASN1_BMPSTRING\n%xdefine i2d_ASN1_BOOLEAN BORINGSSL_PREFIX %+ _i2d_ASN1_BOOLEAN\n%xdefine i2d_ASN1_ENUMERATED BORINGSSL_PREFIX %+ _i2d_ASN1_ENUMERATED\n%xdefine i2d_ASN1_GENERALIZEDTIME BORINGSSL_PREFIX %+ _i2d_ASN1_GENERALIZEDTIME\n%xdefine i2d_ASN1_GENERALSTRING BORINGSSL_PREFIX %+ _i2d_ASN1_GENERALSTRING\n%xdefine i2d_ASN1_IA5STRING BORINGSSL_PREFIX %+ _i2d_ASN1_IA5STRING\n%xdefine i2d_ASN1_INTEGER BORINGSSL_PREFIX %+ _i2d_ASN1_INTEGER\n%xdefine i2d_ASN1_NULL BORINGSSL_PREFIX %+ _i2d_ASN1_NULL\n%xdefine i2d_ASN1_OBJECT BORINGSSL_PREFIX %+ _i2d_ASN1_OBJECT\n%xdefine i2d_ASN1_OCTET_STRING BORINGSSL_PREFIX %+ _i2d_ASN1_OCTET_STRING\n%xdefine i2d_ASN1_PRINTABLE BORINGSSL_PREFIX %+ _i2d_ASN1_PRINTABLE\n%xdefine i2d_ASN1_PRINTABLESTRING BORINGSSL_PREFIX %+ _i2d_ASN1_PRINTABLESTRING\n%xdefine i2d_ASN1_SEQUENCE_ANY BORINGSSL_PREFIX %+ _i2d_ASN1_SEQUENCE_ANY\n%xdefine i2d_ASN1_SET_ANY BORINGSSL_PREFIX %+ _i2d_ASN1_SET_ANY\n%xdefine i2d_ASN1_T61STRING BORINGSSL_PREFIX %+ _i2d_ASN1_T61STRING\n%xdefine i2d_ASN1_TIME BORINGSSL_PREFIX %+ _i2d_ASN1_TIME\n%xdefine i2d_ASN1_TYPE BORINGSSL_PREFIX %+ _i2d_ASN1_TYPE\n%xdefine i2d_ASN1_UNIVERSALSTRING BORINGSSL_PREFIX %+ _i2d_ASN1_UNIVERSALSTRING\n%xdefine i2d_ASN1_UTCTIME BORINGSSL_PREFIX %+ _i2d_ASN1_UTCTIME\n%xdefine i2d_ASN1_UTF8STRING BORINGSSL_PREFIX %+ _i2d_ASN1_UTF8STRING\n%xdefine i2d_ASN1_VISIBLESTRING BORINGSSL_PREFIX %+ _i2d_ASN1_VISIBLESTRING\n%xdefine i2d_AUTHORITY_INFO_ACCESS BORINGSSL_PREFIX %+ _i2d_AUTHORITY_INFO_ACCESS\n%xdefine i2d_AUTHORITY_KEYID BORINGSSL_PREFIX %+ _i2d_AUTHORITY_KEYID\n%xdefine i2d_BASIC_CONSTRAINTS BORINGSSL_PREFIX %+ _i2d_BASIC_CONSTRAINTS\n%xdefine i2d_CERTIFICATEPOLICIES BORINGSSL_PREFIX %+ _i2d_CERTIFICATEPOLICIES\n%xdefine i2d_CRL_DIST_POINTS BORINGSSL_PREFIX %+ _i2d_CRL_DIST_POINTS\n%xdefine i2d_DHparams BORINGSSL_PREFIX %+ _i2d_DHparams\n%xdefine i2d_DHparams_bio BORINGSSL_PREFIX %+ _i2d_DHparams_bio\n%xdefine i2d_DIRECTORYSTRING BORINGSSL_PREFIX %+ _i2d_DIRECTORYSTRING\n%xdefine i2d_DISPLAYTEXT BORINGSSL_PREFIX %+ _i2d_DISPLAYTEXT\n%xdefine i2d_DSAPrivateKey BORINGSSL_PREFIX %+ _i2d_DSAPrivateKey\n%xdefine i2d_DSAPrivateKey_bio BORINGSSL_PREFIX %+ _i2d_DSAPrivateKey_bio\n%xdefine i2d_DSAPrivateKey_fp BORINGSSL_PREFIX %+ _i2d_DSAPrivateKey_fp\n%xdefine i2d_DSAPublicKey BORINGSSL_PREFIX %+ _i2d_DSAPublicKey\n%xdefine i2d_DSA_PUBKEY BORINGSSL_PREFIX %+ _i2d_DSA_PUBKEY\n%xdefine i2d_DSA_PUBKEY_bio BORINGSSL_PREFIX %+ _i2d_DSA_PUBKEY_bio\n%xdefine i2d_DSA_PUBKEY_fp BORINGSSL_PREFIX %+ _i2d_DSA_PUBKEY_fp\n%xdefine i2d_DSA_SIG BORINGSSL_PREFIX %+ _i2d_DSA_SIG\n%xdefine i2d_DSAparams BORINGSSL_PREFIX %+ _i2d_DSAparams\n%xdefine i2d_ECDSA_SIG BORINGSSL_PREFIX %+ _i2d_ECDSA_SIG\n%xdefine i2d_ECPKParameters BORINGSSL_PREFIX %+ _i2d_ECPKParameters\n%xdefine i2d_ECParameters BORINGSSL_PREFIX %+ _i2d_ECParameters\n%xdefine i2d_ECPrivateKey BORINGSSL_PREFIX %+ _i2d_ECPrivateKey\n%xdefine i2d_ECPrivateKey_bio BORINGSSL_PREFIX %+ _i2d_ECPrivateKey_bio\n%xdefine i2d_ECPrivateKey_fp BORINGSSL_PREFIX %+ _i2d_ECPrivateKey_fp\n%xdefine i2d_EC_PUBKEY BORINGSSL_PREFIX %+ _i2d_EC_PUBKEY\n%xdefine i2d_EC_PUBKEY_bio BORINGSSL_PREFIX %+ _i2d_EC_PUBKEY_bio\n%xdefine i2d_EC_PUBKEY_fp BORINGSSL_PREFIX %+ _i2d_EC_PUBKEY_fp\n%xdefine i2d_EXTENDED_KEY_USAGE BORINGSSL_PREFIX %+ _i2d_EXTENDED_KEY_USAGE\n%xdefine i2d_GENERAL_NAME BORINGSSL_PREFIX %+ _i2d_GENERAL_NAME\n%xdefine i2d_GENERAL_NAMES BORINGSSL_PREFIX %+ _i2d_GENERAL_NAMES\n%xdefine i2d_ISSUING_DIST_POINT BORINGSSL_PREFIX %+ _i2d_ISSUING_DIST_POINT\n%xdefine i2d_NETSCAPE_SPKAC BORINGSSL_PREFIX %+ _i2d_NETSCAPE_SPKAC\n%xdefine i2d_NETSCAPE_SPKI BORINGSSL_PREFIX %+ _i2d_NETSCAPE_SPKI\n%xdefine i2d_PKCS12 BORINGSSL_PREFIX %+ _i2d_PKCS12\n%xdefine i2d_PKCS12_bio BORINGSSL_PREFIX %+ _i2d_PKCS12_bio\n%xdefine i2d_PKCS12_fp BORINGSSL_PREFIX %+ _i2d_PKCS12_fp\n%xdefine i2d_PKCS7 BORINGSSL_PREFIX %+ _i2d_PKCS7\n%xdefine i2d_PKCS7_bio BORINGSSL_PREFIX %+ _i2d_PKCS7_bio\n%xdefine i2d_PKCS8PrivateKeyInfo_bio BORINGSSL_PREFIX %+ _i2d_PKCS8PrivateKeyInfo_bio\n%xdefine i2d_PKCS8PrivateKeyInfo_fp BORINGSSL_PREFIX %+ _i2d_PKCS8PrivateKeyInfo_fp\n%xdefine i2d_PKCS8PrivateKey_bio BORINGSSL_PREFIX %+ _i2d_PKCS8PrivateKey_bio\n%xdefine i2d_PKCS8PrivateKey_fp BORINGSSL_PREFIX %+ _i2d_PKCS8PrivateKey_fp\n%xdefine i2d_PKCS8PrivateKey_nid_bio BORINGSSL_PREFIX %+ _i2d_PKCS8PrivateKey_nid_bio\n%xdefine i2d_PKCS8PrivateKey_nid_fp BORINGSSL_PREFIX %+ _i2d_PKCS8PrivateKey_nid_fp\n%xdefine i2d_PKCS8_PRIV_KEY_INFO BORINGSSL_PREFIX %+ _i2d_PKCS8_PRIV_KEY_INFO\n%xdefine i2d_PKCS8_PRIV_KEY_INFO_bio BORINGSSL_PREFIX %+ _i2d_PKCS8_PRIV_KEY_INFO_bio\n%xdefine i2d_PKCS8_PRIV_KEY_INFO_fp BORINGSSL_PREFIX %+ _i2d_PKCS8_PRIV_KEY_INFO_fp\n%xdefine i2d_PKCS8_bio BORINGSSL_PREFIX %+ _i2d_PKCS8_bio\n%xdefine i2d_PKCS8_fp BORINGSSL_PREFIX %+ _i2d_PKCS8_fp\n%xdefine i2d_PUBKEY BORINGSSL_PREFIX %+ _i2d_PUBKEY\n%xdefine i2d_PUBKEY_bio BORINGSSL_PREFIX %+ _i2d_PUBKEY_bio\n%xdefine i2d_PUBKEY_fp BORINGSSL_PREFIX %+ _i2d_PUBKEY_fp\n%xdefine i2d_PrivateKey BORINGSSL_PREFIX %+ _i2d_PrivateKey\n%xdefine i2d_PrivateKey_bio BORINGSSL_PREFIX %+ _i2d_PrivateKey_bio\n%xdefine i2d_PrivateKey_fp BORINGSSL_PREFIX %+ _i2d_PrivateKey_fp\n%xdefine i2d_PublicKey BORINGSSL_PREFIX %+ _i2d_PublicKey\n%xdefine i2d_RSAPrivateKey BORINGSSL_PREFIX %+ _i2d_RSAPrivateKey\n%xdefine i2d_RSAPrivateKey_bio BORINGSSL_PREFIX %+ _i2d_RSAPrivateKey_bio\n%xdefine i2d_RSAPrivateKey_fp BORINGSSL_PREFIX %+ _i2d_RSAPrivateKey_fp\n%xdefine i2d_RSAPublicKey BORINGSSL_PREFIX %+ _i2d_RSAPublicKey\n%xdefine i2d_RSAPublicKey_bio BORINGSSL_PREFIX %+ _i2d_RSAPublicKey_bio\n%xdefine i2d_RSAPublicKey_fp BORINGSSL_PREFIX %+ _i2d_RSAPublicKey_fp\n%xdefine i2d_RSA_PSS_PARAMS BORINGSSL_PREFIX %+ _i2d_RSA_PSS_PARAMS\n%xdefine i2d_RSA_PUBKEY BORINGSSL_PREFIX %+ _i2d_RSA_PUBKEY\n%xdefine i2d_RSA_PUBKEY_bio BORINGSSL_PREFIX %+ _i2d_RSA_PUBKEY_bio\n%xdefine i2d_RSA_PUBKEY_fp BORINGSSL_PREFIX %+ _i2d_RSA_PUBKEY_fp\n%xdefine i2d_SSL_SESSION BORINGSSL_PREFIX %+ _i2d_SSL_SESSION\n%xdefine i2d_SSL_SESSION_bio BORINGSSL_PREFIX %+ _i2d_SSL_SESSION_bio\n%xdefine i2d_X509 BORINGSSL_PREFIX %+ _i2d_X509\n%xdefine i2d_X509_ALGOR BORINGSSL_PREFIX %+ _i2d_X509_ALGOR\n%xdefine i2d_X509_ATTRIBUTE BORINGSSL_PREFIX %+ _i2d_X509_ATTRIBUTE\n%xdefine i2d_X509_AUX BORINGSSL_PREFIX %+ _i2d_X509_AUX\n%xdefine i2d_X509_CERT_AUX BORINGSSL_PREFIX %+ _i2d_X509_CERT_AUX\n%xdefine i2d_X509_CINF BORINGSSL_PREFIX %+ _i2d_X509_CINF\n%xdefine i2d_X509_CRL BORINGSSL_PREFIX %+ _i2d_X509_CRL\n%xdefine i2d_X509_CRL_INFO BORINGSSL_PREFIX %+ _i2d_X509_CRL_INFO\n%xdefine i2d_X509_CRL_bio BORINGSSL_PREFIX %+ _i2d_X509_CRL_bio\n%xdefine i2d_X509_CRL_fp BORINGSSL_PREFIX %+ _i2d_X509_CRL_fp\n%xdefine i2d_X509_CRL_tbs BORINGSSL_PREFIX %+ _i2d_X509_CRL_tbs\n%xdefine i2d_X509_EXTENSION BORINGSSL_PREFIX %+ _i2d_X509_EXTENSION\n%xdefine i2d_X509_EXTENSIONS BORINGSSL_PREFIX %+ _i2d_X509_EXTENSIONS\n%xdefine i2d_X509_NAME BORINGSSL_PREFIX %+ _i2d_X509_NAME\n%xdefine i2d_X509_PUBKEY BORINGSSL_PREFIX %+ _i2d_X509_PUBKEY\n%xdefine i2d_X509_REQ BORINGSSL_PREFIX %+ _i2d_X509_REQ\n%xdefine i2d_X509_REQ_INFO BORINGSSL_PREFIX %+ _i2d_X509_REQ_INFO\n%xdefine i2d_X509_REQ_bio BORINGSSL_PREFIX %+ _i2d_X509_REQ_bio\n%xdefine i2d_X509_REQ_fp BORINGSSL_PREFIX %+ _i2d_X509_REQ_fp\n%xdefine i2d_X509_REVOKED BORINGSSL_PREFIX %+ _i2d_X509_REVOKED\n%xdefine i2d_X509_SIG BORINGSSL_PREFIX %+ _i2d_X509_SIG\n%xdefine i2d_X509_VAL BORINGSSL_PREFIX %+ _i2d_X509_VAL\n%xdefine i2d_X509_bio BORINGSSL_PREFIX %+ _i2d_X509_bio\n%xdefine i2d_X509_fp BORINGSSL_PREFIX %+ _i2d_X509_fp\n%xdefine i2d_X509_tbs BORINGSSL_PREFIX %+ _i2d_X509_tbs\n%xdefine i2d_re_X509_CRL_tbs BORINGSSL_PREFIX %+ _i2d_re_X509_CRL_tbs\n%xdefine i2d_re_X509_REQ_tbs BORINGSSL_PREFIX %+ _i2d_re_X509_REQ_tbs\n%xdefine i2d_re_X509_tbs BORINGSSL_PREFIX %+ _i2d_re_X509_tbs\n%xdefine i2o_ECPublicKey BORINGSSL_PREFIX %+ _i2o_ECPublicKey\n%xdefine i2s_ASN1_ENUMERATED BORINGSSL_PREFIX %+ _i2s_ASN1_ENUMERATED\n%xdefine i2s_ASN1_INTEGER BORINGSSL_PREFIX %+ _i2s_ASN1_INTEGER\n%xdefine i2s_ASN1_OCTET_STRING BORINGSSL_PREFIX %+ _i2s_ASN1_OCTET_STRING\n%xdefine i2t_ASN1_OBJECT BORINGSSL_PREFIX %+ _i2t_ASN1_OBJECT\n%xdefine i2v_GENERAL_NAME BORINGSSL_PREFIX %+ _i2v_GENERAL_NAME\n%xdefine i2v_GENERAL_NAMES BORINGSSL_PREFIX %+ _i2v_GENERAL_NAMES\n%xdefine k25519Precomp BORINGSSL_PREFIX %+ _k25519Precomp\n%xdefine kBoringSSLRSASqrtTwo BORINGSSL_PREFIX %+ _kBoringSSLRSASqrtTwo\n%xdefine kBoringSSLRSASqrtTwoLen BORINGSSL_PREFIX %+ _kBoringSSLRSASqrtTwoLen\n%xdefine kOpenSSLReasonStringData BORINGSSL_PREFIX %+ _kOpenSSLReasonStringData\n%xdefine kOpenSSLReasonValues BORINGSSL_PREFIX %+ _kOpenSSLReasonValues\n%xdefine kOpenSSLReasonValuesLen BORINGSSL_PREFIX %+ _kOpenSSLReasonValuesLen\n%xdefine lh_CONF_SECTION_call_cmp_func BORINGSSL_PREFIX %+ _lh_CONF_SECTION_call_cmp_func\n%xdefine lh_CONF_SECTION_call_doall_arg BORINGSSL_PREFIX %+ _lh_CONF_SECTION_call_doall_arg\n%xdefine lh_CONF_SECTION_call_hash_func BORINGSSL_PREFIX %+ _lh_CONF_SECTION_call_hash_func\n%xdefine lh_CONF_SECTION_doall_arg BORINGSSL_PREFIX %+ _lh_CONF_SECTION_doall_arg\n%xdefine lh_CONF_SECTION_free BORINGSSL_PREFIX %+ _lh_CONF_SECTION_free\n%xdefine lh_CONF_SECTION_insert BORINGSSL_PREFIX %+ _lh_CONF_SECTION_insert\n%xdefine lh_CONF_SECTION_new BORINGSSL_PREFIX %+ _lh_CONF_SECTION_new\n%xdefine lh_CONF_SECTION_retrieve BORINGSSL_PREFIX %+ _lh_CONF_SECTION_retrieve\n%xdefine lh_CONF_VALUE_call_cmp_func BORINGSSL_PREFIX %+ _lh_CONF_VALUE_call_cmp_func\n%xdefine lh_CONF_VALUE_call_doall_arg BORINGSSL_PREFIX %+ _lh_CONF_VALUE_call_doall_arg\n%xdefine lh_CONF_VALUE_call_hash_func BORINGSSL_PREFIX %+ _lh_CONF_VALUE_call_hash_func\n%xdefine lh_CONF_VALUE_doall_arg BORINGSSL_PREFIX %+ _lh_CONF_VALUE_doall_arg\n%xdefine lh_CONF_VALUE_free BORINGSSL_PREFIX %+ _lh_CONF_VALUE_free\n%xdefine lh_CONF_VALUE_insert BORINGSSL_PREFIX %+ _lh_CONF_VALUE_insert\n%xdefine lh_CONF_VALUE_new BORINGSSL_PREFIX %+ _lh_CONF_VALUE_new\n%xdefine lh_CONF_VALUE_retrieve BORINGSSL_PREFIX %+ _lh_CONF_VALUE_retrieve\n%xdefine lh_CRYPTO_BUFFER_call_cmp_func BORINGSSL_PREFIX %+ _lh_CRYPTO_BUFFER_call_cmp_func\n%xdefine lh_CRYPTO_BUFFER_call_hash_func BORINGSSL_PREFIX %+ _lh_CRYPTO_BUFFER_call_hash_func\n%xdefine lh_CRYPTO_BUFFER_delete BORINGSSL_PREFIX %+ _lh_CRYPTO_BUFFER_delete\n%xdefine lh_CRYPTO_BUFFER_free BORINGSSL_PREFIX %+ _lh_CRYPTO_BUFFER_free\n%xdefine lh_CRYPTO_BUFFER_insert BORINGSSL_PREFIX %+ _lh_CRYPTO_BUFFER_insert\n%xdefine lh_CRYPTO_BUFFER_new BORINGSSL_PREFIX %+ _lh_CRYPTO_BUFFER_new\n%xdefine lh_CRYPTO_BUFFER_num_items BORINGSSL_PREFIX %+ _lh_CRYPTO_BUFFER_num_items\n%xdefine lh_CRYPTO_BUFFER_retrieve BORINGSSL_PREFIX %+ _lh_CRYPTO_BUFFER_retrieve\n%xdefine md5_block_asm_data_order BORINGSSL_PREFIX %+ _md5_block_asm_data_order\n%xdefine o2i_ECPublicKey BORINGSSL_PREFIX %+ _o2i_ECPublicKey\n%xdefine pkcs12_iterations_acceptable BORINGSSL_PREFIX %+ _pkcs12_iterations_acceptable\n%xdefine pkcs12_key_gen BORINGSSL_PREFIX %+ _pkcs12_key_gen\n%xdefine pkcs12_pbe_encrypt_init BORINGSSL_PREFIX %+ _pkcs12_pbe_encrypt_init\n%xdefine pkcs7_add_signed_data BORINGSSL_PREFIX %+ _pkcs7_add_signed_data\n%xdefine pkcs7_parse_header BORINGSSL_PREFIX %+ _pkcs7_parse_header\n%xdefine pkcs8_pbe_decrypt BORINGSSL_PREFIX %+ _pkcs8_pbe_decrypt\n%xdefine pmbtoken_exp1_blind BORINGSSL_PREFIX %+ _pmbtoken_exp1_blind\n%xdefine pmbtoken_exp1_client_key_from_bytes BORINGSSL_PREFIX %+ _pmbtoken_exp1_client_key_from_bytes\n%xdefine pmbtoken_exp1_derive_key_from_secret BORINGSSL_PREFIX %+ _pmbtoken_exp1_derive_key_from_secret\n%xdefine pmbtoken_exp1_generate_key BORINGSSL_PREFIX %+ _pmbtoken_exp1_generate_key\n%xdefine pmbtoken_exp1_get_h_for_testing BORINGSSL_PREFIX %+ _pmbtoken_exp1_get_h_for_testing\n%xdefine pmbtoken_exp1_issuer_key_from_bytes BORINGSSL_PREFIX %+ _pmbtoken_exp1_issuer_key_from_bytes\n%xdefine pmbtoken_exp1_read BORINGSSL_PREFIX %+ _pmbtoken_exp1_read\n%xdefine pmbtoken_exp1_sign BORINGSSL_PREFIX %+ _pmbtoken_exp1_sign\n%xdefine pmbtoken_exp1_unblind BORINGSSL_PREFIX %+ _pmbtoken_exp1_unblind\n%xdefine pmbtoken_exp2_blind BORINGSSL_PREFIX %+ _pmbtoken_exp2_blind\n%xdefine pmbtoken_exp2_client_key_from_bytes BORINGSSL_PREFIX %+ _pmbtoken_exp2_client_key_from_bytes\n%xdefine pmbtoken_exp2_derive_key_from_secret BORINGSSL_PREFIX %+ _pmbtoken_exp2_derive_key_from_secret\n%xdefine pmbtoken_exp2_generate_key BORINGSSL_PREFIX %+ _pmbtoken_exp2_generate_key\n%xdefine pmbtoken_exp2_get_h_for_testing BORINGSSL_PREFIX %+ _pmbtoken_exp2_get_h_for_testing\n%xdefine pmbtoken_exp2_issuer_key_from_bytes BORINGSSL_PREFIX %+ _pmbtoken_exp2_issuer_key_from_bytes\n%xdefine pmbtoken_exp2_read BORINGSSL_PREFIX %+ _pmbtoken_exp2_read\n%xdefine pmbtoken_exp2_sign BORINGSSL_PREFIX %+ _pmbtoken_exp2_sign\n%xdefine pmbtoken_exp2_unblind BORINGSSL_PREFIX %+ _pmbtoken_exp2_unblind\n%xdefine pmbtoken_pst1_blind BORINGSSL_PREFIX %+ _pmbtoken_pst1_blind\n%xdefine pmbtoken_pst1_client_key_from_bytes BORINGSSL_PREFIX %+ _pmbtoken_pst1_client_key_from_bytes\n%xdefine pmbtoken_pst1_derive_key_from_secret BORINGSSL_PREFIX %+ _pmbtoken_pst1_derive_key_from_secret\n%xdefine pmbtoken_pst1_generate_key BORINGSSL_PREFIX %+ _pmbtoken_pst1_generate_key\n%xdefine pmbtoken_pst1_get_h_for_testing BORINGSSL_PREFIX %+ _pmbtoken_pst1_get_h_for_testing\n%xdefine pmbtoken_pst1_issuer_key_from_bytes BORINGSSL_PREFIX %+ _pmbtoken_pst1_issuer_key_from_bytes\n%xdefine pmbtoken_pst1_read BORINGSSL_PREFIX %+ _pmbtoken_pst1_read\n%xdefine pmbtoken_pst1_sign BORINGSSL_PREFIX %+ _pmbtoken_pst1_sign\n%xdefine pmbtoken_pst1_unblind BORINGSSL_PREFIX %+ _pmbtoken_pst1_unblind\n%xdefine poly_Rq_mul BORINGSSL_PREFIX %+ _poly_Rq_mul\n%xdefine rand_fork_unsafe_buffering_enabled BORINGSSL_PREFIX %+ _rand_fork_unsafe_buffering_enabled\n%xdefine rsa_asn1_meth BORINGSSL_PREFIX %+ _rsa_asn1_meth\n%xdefine rsa_check_public_key BORINGSSL_PREFIX %+ _rsa_check_public_key\n%xdefine rsa_default_private_transform BORINGSSL_PREFIX %+ _rsa_default_private_transform\n%xdefine rsa_default_sign_raw BORINGSSL_PREFIX %+ _rsa_default_sign_raw\n%xdefine rsa_invalidate_key BORINGSSL_PREFIX %+ _rsa_invalidate_key\n%xdefine rsa_pkey_meth BORINGSSL_PREFIX %+ _rsa_pkey_meth\n%xdefine rsa_private_transform BORINGSSL_PREFIX %+ _rsa_private_transform\n%xdefine rsa_private_transform_no_self_test BORINGSSL_PREFIX %+ _rsa_private_transform_no_self_test\n%xdefine rsa_sign_no_self_test BORINGSSL_PREFIX %+ _rsa_sign_no_self_test\n%xdefine rsa_verify_no_self_test BORINGSSL_PREFIX %+ _rsa_verify_no_self_test\n%xdefine rsa_verify_raw_no_self_test BORINGSSL_PREFIX %+ _rsa_verify_raw_no_self_test\n%xdefine rsaz_1024_gather5_avx2 BORINGSSL_PREFIX %+ _rsaz_1024_gather5_avx2\n%xdefine rsaz_1024_mul_avx2 BORINGSSL_PREFIX %+ _rsaz_1024_mul_avx2\n%xdefine rsaz_1024_norm2red_avx2 BORINGSSL_PREFIX %+ _rsaz_1024_norm2red_avx2\n%xdefine rsaz_1024_red2norm_avx2 BORINGSSL_PREFIX %+ _rsaz_1024_red2norm_avx2\n%xdefine rsaz_1024_scatter5_avx2 BORINGSSL_PREFIX %+ _rsaz_1024_scatter5_avx2\n%xdefine rsaz_1024_sqr_avx2 BORINGSSL_PREFIX %+ _rsaz_1024_sqr_avx2\n%xdefine rsaz_avx2_preferred BORINGSSL_PREFIX %+ _rsaz_avx2_preferred\n%xdefine s2i_ASN1_INTEGER BORINGSSL_PREFIX %+ _s2i_ASN1_INTEGER\n%xdefine s2i_ASN1_OCTET_STRING BORINGSSL_PREFIX %+ _s2i_ASN1_OCTET_STRING\n%xdefine sha1_avx2_capable BORINGSSL_PREFIX %+ _sha1_avx2_capable\n%xdefine sha1_avx_capable BORINGSSL_PREFIX %+ _sha1_avx_capable\n%xdefine sha1_block_data_order_avx BORINGSSL_PREFIX %+ _sha1_block_data_order_avx\n%xdefine sha1_block_data_order_avx2 BORINGSSL_PREFIX %+ _sha1_block_data_order_avx2\n%xdefine sha1_block_data_order_hw BORINGSSL_PREFIX %+ _sha1_block_data_order_hw\n%xdefine sha1_block_data_order_nohw BORINGSSL_PREFIX %+ _sha1_block_data_order_nohw\n%xdefine sha1_block_data_order_ssse3 BORINGSSL_PREFIX %+ _sha1_block_data_order_ssse3\n%xdefine sha1_hw_capable BORINGSSL_PREFIX %+ _sha1_hw_capable\n%xdefine sha1_ssse3_capable BORINGSSL_PREFIX %+ _sha1_ssse3_capable\n%xdefine sha256_avx_capable BORINGSSL_PREFIX %+ _sha256_avx_capable\n%xdefine sha256_block_data_order_avx BORINGSSL_PREFIX %+ _sha256_block_data_order_avx\n%xdefine sha256_block_data_order_hw BORINGSSL_PREFIX %+ _sha256_block_data_order_hw\n%xdefine sha256_block_data_order_nohw BORINGSSL_PREFIX %+ _sha256_block_data_order_nohw\n%xdefine sha256_block_data_order_ssse3 BORINGSSL_PREFIX %+ _sha256_block_data_order_ssse3\n%xdefine sha256_hw_capable BORINGSSL_PREFIX %+ _sha256_hw_capable\n%xdefine sha256_ssse3_capable BORINGSSL_PREFIX %+ _sha256_ssse3_capable\n%xdefine sha512_avx_capable BORINGSSL_PREFIX %+ _sha512_avx_capable\n%xdefine sha512_block_data_order_avx BORINGSSL_PREFIX %+ _sha512_block_data_order_avx\n%xdefine sha512_block_data_order_hw BORINGSSL_PREFIX %+ _sha512_block_data_order_hw\n%xdefine sha512_block_data_order_nohw BORINGSSL_PREFIX %+ _sha512_block_data_order_nohw\n%xdefine sha512_hw_capable BORINGSSL_PREFIX %+ _sha512_hw_capable\n%xdefine sk_ACCESS_DESCRIPTION_call_free_func BORINGSSL_PREFIX %+ _sk_ACCESS_DESCRIPTION_call_free_func\n%xdefine sk_ACCESS_DESCRIPTION_new_null BORINGSSL_PREFIX %+ _sk_ACCESS_DESCRIPTION_new_null\n%xdefine sk_ACCESS_DESCRIPTION_num BORINGSSL_PREFIX %+ _sk_ACCESS_DESCRIPTION_num\n%xdefine sk_ACCESS_DESCRIPTION_pop_free BORINGSSL_PREFIX %+ _sk_ACCESS_DESCRIPTION_pop_free\n%xdefine sk_ACCESS_DESCRIPTION_push BORINGSSL_PREFIX %+ _sk_ACCESS_DESCRIPTION_push\n%xdefine sk_ACCESS_DESCRIPTION_value BORINGSSL_PREFIX %+ _sk_ACCESS_DESCRIPTION_value\n%xdefine sk_ASN1_INTEGER_num BORINGSSL_PREFIX %+ _sk_ASN1_INTEGER_num\n%xdefine sk_ASN1_INTEGER_push BORINGSSL_PREFIX %+ _sk_ASN1_INTEGER_push\n%xdefine sk_ASN1_INTEGER_value BORINGSSL_PREFIX %+ _sk_ASN1_INTEGER_value\n%xdefine sk_ASN1_OBJECT_call_cmp_func BORINGSSL_PREFIX %+ _sk_ASN1_OBJECT_call_cmp_func\n%xdefine sk_ASN1_OBJECT_call_copy_func BORINGSSL_PREFIX %+ _sk_ASN1_OBJECT_call_copy_func\n%xdefine sk_ASN1_OBJECT_call_free_func BORINGSSL_PREFIX %+ _sk_ASN1_OBJECT_call_free_func\n%xdefine sk_ASN1_OBJECT_deep_copy BORINGSSL_PREFIX %+ _sk_ASN1_OBJECT_deep_copy\n%xdefine sk_ASN1_OBJECT_dup BORINGSSL_PREFIX %+ _sk_ASN1_OBJECT_dup\n%xdefine sk_ASN1_OBJECT_find BORINGSSL_PREFIX %+ _sk_ASN1_OBJECT_find\n%xdefine sk_ASN1_OBJECT_free BORINGSSL_PREFIX %+ _sk_ASN1_OBJECT_free\n%xdefine sk_ASN1_OBJECT_is_sorted BORINGSSL_PREFIX %+ _sk_ASN1_OBJECT_is_sorted\n%xdefine sk_ASN1_OBJECT_new_null BORINGSSL_PREFIX %+ _sk_ASN1_OBJECT_new_null\n%xdefine sk_ASN1_OBJECT_num BORINGSSL_PREFIX %+ _sk_ASN1_OBJECT_num\n%xdefine sk_ASN1_OBJECT_pop_free BORINGSSL_PREFIX %+ _sk_ASN1_OBJECT_pop_free\n%xdefine sk_ASN1_OBJECT_push BORINGSSL_PREFIX %+ _sk_ASN1_OBJECT_push\n%xdefine sk_ASN1_OBJECT_set_cmp_func BORINGSSL_PREFIX %+ _sk_ASN1_OBJECT_set_cmp_func\n%xdefine sk_ASN1_OBJECT_sort BORINGSSL_PREFIX %+ _sk_ASN1_OBJECT_sort\n%xdefine sk_ASN1_OBJECT_value BORINGSSL_PREFIX %+ _sk_ASN1_OBJECT_value\n%xdefine sk_ASN1_TYPE_num BORINGSSL_PREFIX %+ _sk_ASN1_TYPE_num\n%xdefine sk_ASN1_TYPE_push BORINGSSL_PREFIX %+ _sk_ASN1_TYPE_push\n%xdefine sk_ASN1_TYPE_value BORINGSSL_PREFIX %+ _sk_ASN1_TYPE_value\n%xdefine sk_ASN1_VALUE_free BORINGSSL_PREFIX %+ _sk_ASN1_VALUE_free\n%xdefine sk_ASN1_VALUE_new_null BORINGSSL_PREFIX %+ _sk_ASN1_VALUE_new_null\n%xdefine sk_ASN1_VALUE_num BORINGSSL_PREFIX %+ _sk_ASN1_VALUE_num\n%xdefine sk_ASN1_VALUE_pop BORINGSSL_PREFIX %+ _sk_ASN1_VALUE_pop\n%xdefine sk_ASN1_VALUE_push BORINGSSL_PREFIX %+ _sk_ASN1_VALUE_push\n%xdefine sk_ASN1_VALUE_value BORINGSSL_PREFIX %+ _sk_ASN1_VALUE_value\n%xdefine sk_CONF_VALUE_call_free_func BORINGSSL_PREFIX %+ _sk_CONF_VALUE_call_free_func\n%xdefine sk_CONF_VALUE_delete_ptr BORINGSSL_PREFIX %+ _sk_CONF_VALUE_delete_ptr\n%xdefine sk_CONF_VALUE_free BORINGSSL_PREFIX %+ _sk_CONF_VALUE_free\n%xdefine sk_CONF_VALUE_new_null BORINGSSL_PREFIX %+ _sk_CONF_VALUE_new_null\n%xdefine sk_CONF_VALUE_num BORINGSSL_PREFIX %+ _sk_CONF_VALUE_num\n%xdefine sk_CONF_VALUE_pop BORINGSSL_PREFIX %+ _sk_CONF_VALUE_pop\n%xdefine sk_CONF_VALUE_pop_free BORINGSSL_PREFIX %+ _sk_CONF_VALUE_pop_free\n%xdefine sk_CONF_VALUE_push BORINGSSL_PREFIX %+ _sk_CONF_VALUE_push\n%xdefine sk_CONF_VALUE_value BORINGSSL_PREFIX %+ _sk_CONF_VALUE_value\n%xdefine sk_CRYPTO_BUFFER_call_copy_func BORINGSSL_PREFIX %+ _sk_CRYPTO_BUFFER_call_copy_func\n%xdefine sk_CRYPTO_BUFFER_call_free_func BORINGSSL_PREFIX %+ _sk_CRYPTO_BUFFER_call_free_func\n%xdefine sk_CRYPTO_BUFFER_deep_copy BORINGSSL_PREFIX %+ _sk_CRYPTO_BUFFER_deep_copy\n%xdefine sk_CRYPTO_BUFFER_new_null BORINGSSL_PREFIX %+ _sk_CRYPTO_BUFFER_new_null\n%xdefine sk_CRYPTO_BUFFER_num BORINGSSL_PREFIX %+ _sk_CRYPTO_BUFFER_num\n%xdefine sk_CRYPTO_BUFFER_pop BORINGSSL_PREFIX %+ _sk_CRYPTO_BUFFER_pop\n%xdefine sk_CRYPTO_BUFFER_pop_free BORINGSSL_PREFIX %+ _sk_CRYPTO_BUFFER_pop_free\n%xdefine sk_CRYPTO_BUFFER_push BORINGSSL_PREFIX %+ _sk_CRYPTO_BUFFER_push\n%xdefine sk_CRYPTO_BUFFER_set BORINGSSL_PREFIX %+ _sk_CRYPTO_BUFFER_set\n%xdefine sk_CRYPTO_BUFFER_value BORINGSSL_PREFIX %+ _sk_CRYPTO_BUFFER_value\n%xdefine sk_DIST_POINT_call_free_func BORINGSSL_PREFIX %+ _sk_DIST_POINT_call_free_func\n%xdefine sk_DIST_POINT_new_null BORINGSSL_PREFIX %+ _sk_DIST_POINT_new_null\n%xdefine sk_DIST_POINT_num BORINGSSL_PREFIX %+ _sk_DIST_POINT_num\n%xdefine sk_DIST_POINT_pop_free BORINGSSL_PREFIX %+ _sk_DIST_POINT_pop_free\n%xdefine sk_DIST_POINT_push BORINGSSL_PREFIX %+ _sk_DIST_POINT_push\n%xdefine sk_DIST_POINT_value BORINGSSL_PREFIX %+ _sk_DIST_POINT_value\n%xdefine sk_GENERAL_NAME_call_free_func BORINGSSL_PREFIX %+ _sk_GENERAL_NAME_call_free_func\n%xdefine sk_GENERAL_NAME_new_null BORINGSSL_PREFIX %+ _sk_GENERAL_NAME_new_null\n%xdefine sk_GENERAL_NAME_num BORINGSSL_PREFIX %+ _sk_GENERAL_NAME_num\n%xdefine sk_GENERAL_NAME_pop_free BORINGSSL_PREFIX %+ _sk_GENERAL_NAME_pop_free\n%xdefine sk_GENERAL_NAME_push BORINGSSL_PREFIX %+ _sk_GENERAL_NAME_push\n%xdefine sk_GENERAL_NAME_set BORINGSSL_PREFIX %+ _sk_GENERAL_NAME_set\n%xdefine sk_GENERAL_NAME_value BORINGSSL_PREFIX %+ _sk_GENERAL_NAME_value\n%xdefine sk_GENERAL_SUBTREE_new_null BORINGSSL_PREFIX %+ _sk_GENERAL_SUBTREE_new_null\n%xdefine sk_GENERAL_SUBTREE_num BORINGSSL_PREFIX %+ _sk_GENERAL_SUBTREE_num\n%xdefine sk_GENERAL_SUBTREE_push BORINGSSL_PREFIX %+ _sk_GENERAL_SUBTREE_push\n%xdefine sk_GENERAL_SUBTREE_value BORINGSSL_PREFIX %+ _sk_GENERAL_SUBTREE_value\n%xdefine sk_OPENSSL_STRING_call_cmp_func BORINGSSL_PREFIX %+ _sk_OPENSSL_STRING_call_cmp_func\n%xdefine sk_OPENSSL_STRING_call_copy_func BORINGSSL_PREFIX %+ _sk_OPENSSL_STRING_call_copy_func\n%xdefine sk_OPENSSL_STRING_call_free_func BORINGSSL_PREFIX %+ _sk_OPENSSL_STRING_call_free_func\n%xdefine sk_OPENSSL_STRING_deep_copy BORINGSSL_PREFIX %+ _sk_OPENSSL_STRING_deep_copy\n%xdefine sk_OPENSSL_STRING_find BORINGSSL_PREFIX %+ _sk_OPENSSL_STRING_find\n%xdefine sk_OPENSSL_STRING_free BORINGSSL_PREFIX %+ _sk_OPENSSL_STRING_free\n%xdefine sk_OPENSSL_STRING_new BORINGSSL_PREFIX %+ _sk_OPENSSL_STRING_new\n%xdefine sk_OPENSSL_STRING_new_null BORINGSSL_PREFIX %+ _sk_OPENSSL_STRING_new_null\n%xdefine sk_OPENSSL_STRING_num BORINGSSL_PREFIX %+ _sk_OPENSSL_STRING_num\n%xdefine sk_OPENSSL_STRING_pop_free BORINGSSL_PREFIX %+ _sk_OPENSSL_STRING_pop_free\n%xdefine sk_OPENSSL_STRING_push BORINGSSL_PREFIX %+ _sk_OPENSSL_STRING_push\n%xdefine sk_OPENSSL_STRING_sort BORINGSSL_PREFIX %+ _sk_OPENSSL_STRING_sort\n%xdefine sk_OPENSSL_STRING_value BORINGSSL_PREFIX %+ _sk_OPENSSL_STRING_value\n%xdefine sk_POLICYINFO_call_cmp_func BORINGSSL_PREFIX %+ _sk_POLICYINFO_call_cmp_func\n%xdefine sk_POLICYINFO_call_free_func BORINGSSL_PREFIX %+ _sk_POLICYINFO_call_free_func\n%xdefine sk_POLICYINFO_find BORINGSSL_PREFIX %+ _sk_POLICYINFO_find\n%xdefine sk_POLICYINFO_is_sorted BORINGSSL_PREFIX %+ _sk_POLICYINFO_is_sorted\n%xdefine sk_POLICYINFO_new_null BORINGSSL_PREFIX %+ _sk_POLICYINFO_new_null\n%xdefine sk_POLICYINFO_num BORINGSSL_PREFIX %+ _sk_POLICYINFO_num\n%xdefine sk_POLICYINFO_pop_free BORINGSSL_PREFIX %+ _sk_POLICYINFO_pop_free\n%xdefine sk_POLICYINFO_push BORINGSSL_PREFIX %+ _sk_POLICYINFO_push\n%xdefine sk_POLICYINFO_set_cmp_func BORINGSSL_PREFIX %+ _sk_POLICYINFO_set_cmp_func\n%xdefine sk_POLICYINFO_sort BORINGSSL_PREFIX %+ _sk_POLICYINFO_sort\n%xdefine sk_POLICYINFO_value BORINGSSL_PREFIX %+ _sk_POLICYINFO_value\n%xdefine sk_POLICYQUALINFO_new_null BORINGSSL_PREFIX %+ _sk_POLICYQUALINFO_new_null\n%xdefine sk_POLICYQUALINFO_num BORINGSSL_PREFIX %+ _sk_POLICYQUALINFO_num\n%xdefine sk_POLICYQUALINFO_push BORINGSSL_PREFIX %+ _sk_POLICYQUALINFO_push\n%xdefine sk_POLICYQUALINFO_value BORINGSSL_PREFIX %+ _sk_POLICYQUALINFO_value\n%xdefine sk_POLICY_MAPPING_call_cmp_func BORINGSSL_PREFIX %+ _sk_POLICY_MAPPING_call_cmp_func\n%xdefine sk_POLICY_MAPPING_call_free_func BORINGSSL_PREFIX %+ _sk_POLICY_MAPPING_call_free_func\n%xdefine sk_POLICY_MAPPING_find BORINGSSL_PREFIX %+ _sk_POLICY_MAPPING_find\n%xdefine sk_POLICY_MAPPING_is_sorted BORINGSSL_PREFIX %+ _sk_POLICY_MAPPING_is_sorted\n%xdefine sk_POLICY_MAPPING_new_null BORINGSSL_PREFIX %+ _sk_POLICY_MAPPING_new_null\n%xdefine sk_POLICY_MAPPING_num BORINGSSL_PREFIX %+ _sk_POLICY_MAPPING_num\n%xdefine sk_POLICY_MAPPING_pop_free BORINGSSL_PREFIX %+ _sk_POLICY_MAPPING_pop_free\n%xdefine sk_POLICY_MAPPING_push BORINGSSL_PREFIX %+ _sk_POLICY_MAPPING_push\n%xdefine sk_POLICY_MAPPING_set_cmp_func BORINGSSL_PREFIX %+ _sk_POLICY_MAPPING_set_cmp_func\n%xdefine sk_POLICY_MAPPING_sort BORINGSSL_PREFIX %+ _sk_POLICY_MAPPING_sort\n%xdefine sk_POLICY_MAPPING_value BORINGSSL_PREFIX %+ _sk_POLICY_MAPPING_value\n%xdefine sk_SRTP_PROTECTION_PROFILE_new_null BORINGSSL_PREFIX %+ _sk_SRTP_PROTECTION_PROFILE_new_null\n%xdefine sk_SRTP_PROTECTION_PROFILE_num BORINGSSL_PREFIX %+ _sk_SRTP_PROTECTION_PROFILE_num\n%xdefine sk_SRTP_PROTECTION_PROFILE_push BORINGSSL_PREFIX %+ _sk_SRTP_PROTECTION_PROFILE_push\n%xdefine sk_SSL_CIPHER_call_cmp_func BORINGSSL_PREFIX %+ _sk_SSL_CIPHER_call_cmp_func\n%xdefine sk_SSL_CIPHER_delete BORINGSSL_PREFIX %+ _sk_SSL_CIPHER_delete\n%xdefine sk_SSL_CIPHER_dup BORINGSSL_PREFIX %+ _sk_SSL_CIPHER_dup\n%xdefine sk_SSL_CIPHER_find BORINGSSL_PREFIX %+ _sk_SSL_CIPHER_find\n%xdefine sk_SSL_CIPHER_new_null BORINGSSL_PREFIX %+ _sk_SSL_CIPHER_new_null\n%xdefine sk_SSL_CIPHER_num BORINGSSL_PREFIX %+ _sk_SSL_CIPHER_num\n%xdefine sk_SSL_CIPHER_push BORINGSSL_PREFIX %+ _sk_SSL_CIPHER_push\n%xdefine sk_SSL_CIPHER_value BORINGSSL_PREFIX %+ _sk_SSL_CIPHER_value\n%xdefine sk_TRUST_TOKEN_PRETOKEN_call_free_func BORINGSSL_PREFIX %+ _sk_TRUST_TOKEN_PRETOKEN_call_free_func\n%xdefine sk_TRUST_TOKEN_PRETOKEN_new_null BORINGSSL_PREFIX %+ _sk_TRUST_TOKEN_PRETOKEN_new_null\n%xdefine sk_TRUST_TOKEN_PRETOKEN_num BORINGSSL_PREFIX %+ _sk_TRUST_TOKEN_PRETOKEN_num\n%xdefine sk_TRUST_TOKEN_PRETOKEN_pop_free BORINGSSL_PREFIX %+ _sk_TRUST_TOKEN_PRETOKEN_pop_free\n%xdefine sk_TRUST_TOKEN_PRETOKEN_push BORINGSSL_PREFIX %+ _sk_TRUST_TOKEN_PRETOKEN_push\n%xdefine sk_TRUST_TOKEN_PRETOKEN_value BORINGSSL_PREFIX %+ _sk_TRUST_TOKEN_PRETOKEN_value\n%xdefine sk_TRUST_TOKEN_call_free_func BORINGSSL_PREFIX %+ _sk_TRUST_TOKEN_call_free_func\n%xdefine sk_TRUST_TOKEN_new_null BORINGSSL_PREFIX %+ _sk_TRUST_TOKEN_new_null\n%xdefine sk_TRUST_TOKEN_pop_free BORINGSSL_PREFIX %+ _sk_TRUST_TOKEN_pop_free\n%xdefine sk_TRUST_TOKEN_push BORINGSSL_PREFIX %+ _sk_TRUST_TOKEN_push\n%xdefine sk_X509_ATTRIBUTE_delete BORINGSSL_PREFIX %+ _sk_X509_ATTRIBUTE_delete\n%xdefine sk_X509_ATTRIBUTE_new_null BORINGSSL_PREFIX %+ _sk_X509_ATTRIBUTE_new_null\n%xdefine sk_X509_ATTRIBUTE_num BORINGSSL_PREFIX %+ _sk_X509_ATTRIBUTE_num\n%xdefine sk_X509_ATTRIBUTE_push BORINGSSL_PREFIX %+ _sk_X509_ATTRIBUTE_push\n%xdefine sk_X509_ATTRIBUTE_value BORINGSSL_PREFIX %+ _sk_X509_ATTRIBUTE_value\n%xdefine sk_X509_CRL_call_free_func BORINGSSL_PREFIX %+ _sk_X509_CRL_call_free_func\n%xdefine sk_X509_CRL_free BORINGSSL_PREFIX %+ _sk_X509_CRL_free\n%xdefine sk_X509_CRL_new_null BORINGSSL_PREFIX %+ _sk_X509_CRL_new_null\n%xdefine sk_X509_CRL_num BORINGSSL_PREFIX %+ _sk_X509_CRL_num\n%xdefine sk_X509_CRL_pop BORINGSSL_PREFIX %+ _sk_X509_CRL_pop\n%xdefine sk_X509_CRL_pop_free BORINGSSL_PREFIX %+ _sk_X509_CRL_pop_free\n%xdefine sk_X509_CRL_push BORINGSSL_PREFIX %+ _sk_X509_CRL_push\n%xdefine sk_X509_CRL_value BORINGSSL_PREFIX %+ _sk_X509_CRL_value\n%xdefine sk_X509_EXTENSION_call_free_func BORINGSSL_PREFIX %+ _sk_X509_EXTENSION_call_free_func\n%xdefine sk_X509_EXTENSION_delete BORINGSSL_PREFIX %+ _sk_X509_EXTENSION_delete\n%xdefine sk_X509_EXTENSION_free BORINGSSL_PREFIX %+ _sk_X509_EXTENSION_free\n%xdefine sk_X509_EXTENSION_insert BORINGSSL_PREFIX %+ _sk_X509_EXTENSION_insert\n%xdefine sk_X509_EXTENSION_new_null BORINGSSL_PREFIX %+ _sk_X509_EXTENSION_new_null\n%xdefine sk_X509_EXTENSION_num BORINGSSL_PREFIX %+ _sk_X509_EXTENSION_num\n%xdefine sk_X509_EXTENSION_pop_free BORINGSSL_PREFIX %+ _sk_X509_EXTENSION_pop_free\n%xdefine sk_X509_EXTENSION_push BORINGSSL_PREFIX %+ _sk_X509_EXTENSION_push\n%xdefine sk_X509_EXTENSION_set BORINGSSL_PREFIX %+ _sk_X509_EXTENSION_set\n%xdefine sk_X509_EXTENSION_value BORINGSSL_PREFIX %+ _sk_X509_EXTENSION_value\n%xdefine sk_X509_INFO_call_free_func BORINGSSL_PREFIX %+ _sk_X509_INFO_call_free_func\n%xdefine sk_X509_INFO_free BORINGSSL_PREFIX %+ _sk_X509_INFO_free\n%xdefine sk_X509_INFO_new_null BORINGSSL_PREFIX %+ _sk_X509_INFO_new_null\n%xdefine sk_X509_INFO_num BORINGSSL_PREFIX %+ _sk_X509_INFO_num\n%xdefine sk_X509_INFO_pop BORINGSSL_PREFIX %+ _sk_X509_INFO_pop\n%xdefine sk_X509_INFO_pop_free BORINGSSL_PREFIX %+ _sk_X509_INFO_pop_free\n%xdefine sk_X509_INFO_push BORINGSSL_PREFIX %+ _sk_X509_INFO_push\n%xdefine sk_X509_INFO_value BORINGSSL_PREFIX %+ _sk_X509_INFO_value\n%xdefine sk_X509_LOOKUP_call_free_func BORINGSSL_PREFIX %+ _sk_X509_LOOKUP_call_free_func\n%xdefine sk_X509_LOOKUP_new_null BORINGSSL_PREFIX %+ _sk_X509_LOOKUP_new_null\n%xdefine sk_X509_LOOKUP_num BORINGSSL_PREFIX %+ _sk_X509_LOOKUP_num\n%xdefine sk_X509_LOOKUP_pop_free BORINGSSL_PREFIX %+ _sk_X509_LOOKUP_pop_free\n%xdefine sk_X509_LOOKUP_push BORINGSSL_PREFIX %+ _sk_X509_LOOKUP_push\n%xdefine sk_X509_LOOKUP_value BORINGSSL_PREFIX %+ _sk_X509_LOOKUP_value\n%xdefine sk_X509_NAME_ENTRY_call_free_func BORINGSSL_PREFIX %+ _sk_X509_NAME_ENTRY_call_free_func\n%xdefine sk_X509_NAME_ENTRY_delete BORINGSSL_PREFIX %+ _sk_X509_NAME_ENTRY_delete\n%xdefine sk_X509_NAME_ENTRY_free BORINGSSL_PREFIX %+ _sk_X509_NAME_ENTRY_free\n%xdefine sk_X509_NAME_ENTRY_insert BORINGSSL_PREFIX %+ _sk_X509_NAME_ENTRY_insert\n%xdefine sk_X509_NAME_ENTRY_new_null BORINGSSL_PREFIX %+ _sk_X509_NAME_ENTRY_new_null\n%xdefine sk_X509_NAME_ENTRY_num BORINGSSL_PREFIX %+ _sk_X509_NAME_ENTRY_num\n%xdefine sk_X509_NAME_ENTRY_pop_free BORINGSSL_PREFIX %+ _sk_X509_NAME_ENTRY_pop_free\n%xdefine sk_X509_NAME_ENTRY_push BORINGSSL_PREFIX %+ _sk_X509_NAME_ENTRY_push\n%xdefine sk_X509_NAME_ENTRY_set BORINGSSL_PREFIX %+ _sk_X509_NAME_ENTRY_set\n%xdefine sk_X509_NAME_ENTRY_value BORINGSSL_PREFIX %+ _sk_X509_NAME_ENTRY_value\n%xdefine sk_X509_NAME_call_cmp_func BORINGSSL_PREFIX %+ _sk_X509_NAME_call_cmp_func\n%xdefine sk_X509_NAME_call_copy_func BORINGSSL_PREFIX %+ _sk_X509_NAME_call_copy_func\n%xdefine sk_X509_NAME_call_free_func BORINGSSL_PREFIX %+ _sk_X509_NAME_call_free_func\n%xdefine sk_X509_NAME_deep_copy BORINGSSL_PREFIX %+ _sk_X509_NAME_deep_copy\n%xdefine sk_X509_NAME_find BORINGSSL_PREFIX %+ _sk_X509_NAME_find\n%xdefine sk_X509_NAME_new BORINGSSL_PREFIX %+ _sk_X509_NAME_new\n%xdefine sk_X509_NAME_new_null BORINGSSL_PREFIX %+ _sk_X509_NAME_new_null\n%xdefine sk_X509_NAME_num BORINGSSL_PREFIX %+ _sk_X509_NAME_num\n%xdefine sk_X509_NAME_pop_free BORINGSSL_PREFIX %+ _sk_X509_NAME_pop_free\n%xdefine sk_X509_NAME_set BORINGSSL_PREFIX %+ _sk_X509_NAME_set\n%xdefine sk_X509_NAME_set_cmp_func BORINGSSL_PREFIX %+ _sk_X509_NAME_set_cmp_func\n%xdefine sk_X509_NAME_sort BORINGSSL_PREFIX %+ _sk_X509_NAME_sort\n%xdefine sk_X509_NAME_value BORINGSSL_PREFIX %+ _sk_X509_NAME_value\n%xdefine sk_X509_OBJECT_call_cmp_func BORINGSSL_PREFIX %+ _sk_X509_OBJECT_call_cmp_func\n%xdefine sk_X509_OBJECT_call_copy_func BORINGSSL_PREFIX %+ _sk_X509_OBJECT_call_copy_func\n%xdefine sk_X509_OBJECT_call_free_func BORINGSSL_PREFIX %+ _sk_X509_OBJECT_call_free_func\n%xdefine sk_X509_OBJECT_deep_copy BORINGSSL_PREFIX %+ _sk_X509_OBJECT_deep_copy\n%xdefine sk_X509_OBJECT_find BORINGSSL_PREFIX %+ _sk_X509_OBJECT_find\n%xdefine sk_X509_OBJECT_new BORINGSSL_PREFIX %+ _sk_X509_OBJECT_new\n%xdefine sk_X509_OBJECT_num BORINGSSL_PREFIX %+ _sk_X509_OBJECT_num\n%xdefine sk_X509_OBJECT_pop_free BORINGSSL_PREFIX %+ _sk_X509_OBJECT_pop_free\n%xdefine sk_X509_OBJECT_push BORINGSSL_PREFIX %+ _sk_X509_OBJECT_push\n%xdefine sk_X509_OBJECT_sort BORINGSSL_PREFIX %+ _sk_X509_OBJECT_sort\n%xdefine sk_X509_OBJECT_value BORINGSSL_PREFIX %+ _sk_X509_OBJECT_value\n%xdefine sk_X509_REVOKED_call_cmp_func BORINGSSL_PREFIX %+ _sk_X509_REVOKED_call_cmp_func\n%xdefine sk_X509_REVOKED_find BORINGSSL_PREFIX %+ _sk_X509_REVOKED_find\n%xdefine sk_X509_REVOKED_is_sorted BORINGSSL_PREFIX %+ _sk_X509_REVOKED_is_sorted\n%xdefine sk_X509_REVOKED_new BORINGSSL_PREFIX %+ _sk_X509_REVOKED_new\n%xdefine sk_X509_REVOKED_num BORINGSSL_PREFIX %+ _sk_X509_REVOKED_num\n%xdefine sk_X509_REVOKED_push BORINGSSL_PREFIX %+ _sk_X509_REVOKED_push\n%xdefine sk_X509_REVOKED_set_cmp_func BORINGSSL_PREFIX %+ _sk_X509_REVOKED_set_cmp_func\n%xdefine sk_X509_REVOKED_sort BORINGSSL_PREFIX %+ _sk_X509_REVOKED_sort\n%xdefine sk_X509_REVOKED_value BORINGSSL_PREFIX %+ _sk_X509_REVOKED_value\n%xdefine sk_X509_call_free_func BORINGSSL_PREFIX %+ _sk_X509_call_free_func\n%xdefine sk_X509_delete BORINGSSL_PREFIX %+ _sk_X509_delete\n%xdefine sk_X509_delete_ptr BORINGSSL_PREFIX %+ _sk_X509_delete_ptr\n%xdefine sk_X509_dup BORINGSSL_PREFIX %+ _sk_X509_dup\n%xdefine sk_X509_free BORINGSSL_PREFIX %+ _sk_X509_free\n%xdefine sk_X509_new_null BORINGSSL_PREFIX %+ _sk_X509_new_null\n%xdefine sk_X509_num BORINGSSL_PREFIX %+ _sk_X509_num\n%xdefine sk_X509_pop BORINGSSL_PREFIX %+ _sk_X509_pop\n%xdefine sk_X509_pop_free BORINGSSL_PREFIX %+ _sk_X509_pop_free\n%xdefine sk_X509_push BORINGSSL_PREFIX %+ _sk_X509_push\n%xdefine sk_X509_set BORINGSSL_PREFIX %+ _sk_X509_set\n%xdefine sk_X509_shift BORINGSSL_PREFIX %+ _sk_X509_shift\n%xdefine sk_X509_value BORINGSSL_PREFIX %+ _sk_X509_value\n%xdefine sk_free BORINGSSL_PREFIX %+ _sk_free\n%xdefine sk_new_null BORINGSSL_PREFIX %+ _sk_new_null\n%xdefine sk_num BORINGSSL_PREFIX %+ _sk_num\n%xdefine sk_pop BORINGSSL_PREFIX %+ _sk_pop\n%xdefine sk_pop_free BORINGSSL_PREFIX %+ _sk_pop_free\n%xdefine sk_pop_free_ex BORINGSSL_PREFIX %+ _sk_pop_free_ex\n%xdefine sk_push BORINGSSL_PREFIX %+ _sk_push\n%xdefine sk_value BORINGSSL_PREFIX %+ _sk_value\n%xdefine sk_void_free BORINGSSL_PREFIX %+ _sk_void_free\n%xdefine sk_void_new_null BORINGSSL_PREFIX %+ _sk_void_new_null\n%xdefine sk_void_num BORINGSSL_PREFIX %+ _sk_void_num\n%xdefine sk_void_push BORINGSSL_PREFIX %+ _sk_void_push\n%xdefine sk_void_set BORINGSSL_PREFIX %+ _sk_void_set\n%xdefine sk_void_value BORINGSSL_PREFIX %+ _sk_void_value\n%xdefine slhdsa_copy_keypair_addr BORINGSSL_PREFIX %+ _slhdsa_copy_keypair_addr\n%xdefine slhdsa_fors_pk_from_sig BORINGSSL_PREFIX %+ _slhdsa_fors_pk_from_sig\n%xdefine slhdsa_fors_sign BORINGSSL_PREFIX %+ _slhdsa_fors_sign\n%xdefine slhdsa_fors_sk_gen BORINGSSL_PREFIX %+ _slhdsa_fors_sk_gen\n%xdefine slhdsa_fors_treehash BORINGSSL_PREFIX %+ _slhdsa_fors_treehash\n%xdefine slhdsa_get_tree_index BORINGSSL_PREFIX %+ _slhdsa_get_tree_index\n%xdefine slhdsa_ht_sign BORINGSSL_PREFIX %+ _slhdsa_ht_sign\n%xdefine slhdsa_ht_verify BORINGSSL_PREFIX %+ _slhdsa_ht_verify\n%xdefine slhdsa_set_chain_addr BORINGSSL_PREFIX %+ _slhdsa_set_chain_addr\n%xdefine slhdsa_set_hash_addr BORINGSSL_PREFIX %+ _slhdsa_set_hash_addr\n%xdefine slhdsa_set_keypair_addr BORINGSSL_PREFIX %+ _slhdsa_set_keypair_addr\n%xdefine slhdsa_set_layer_addr BORINGSSL_PREFIX %+ _slhdsa_set_layer_addr\n%xdefine slhdsa_set_tree_addr BORINGSSL_PREFIX %+ _slhdsa_set_tree_addr\n%xdefine slhdsa_set_tree_height BORINGSSL_PREFIX %+ _slhdsa_set_tree_height\n%xdefine slhdsa_set_tree_index BORINGSSL_PREFIX %+ _slhdsa_set_tree_index\n%xdefine slhdsa_set_type BORINGSSL_PREFIX %+ _slhdsa_set_type\n%xdefine slhdsa_thash_f BORINGSSL_PREFIX %+ _slhdsa_thash_f\n%xdefine slhdsa_thash_h BORINGSSL_PREFIX %+ _slhdsa_thash_h\n%xdefine slhdsa_thash_hmsg BORINGSSL_PREFIX %+ _slhdsa_thash_hmsg\n%xdefine slhdsa_thash_prf BORINGSSL_PREFIX %+ _slhdsa_thash_prf\n%xdefine slhdsa_thash_prfmsg BORINGSSL_PREFIX %+ _slhdsa_thash_prfmsg\n%xdefine slhdsa_thash_tk BORINGSSL_PREFIX %+ _slhdsa_thash_tk\n%xdefine slhdsa_thash_tl BORINGSSL_PREFIX %+ _slhdsa_thash_tl\n%xdefine slhdsa_treehash BORINGSSL_PREFIX %+ _slhdsa_treehash\n%xdefine slhdsa_wots_pk_from_sig BORINGSSL_PREFIX %+ _slhdsa_wots_pk_from_sig\n%xdefine slhdsa_wots_pk_gen BORINGSSL_PREFIX %+ _slhdsa_wots_pk_gen\n%xdefine slhdsa_wots_sign BORINGSSL_PREFIX %+ _slhdsa_wots_sign\n%xdefine slhdsa_xmss_pk_from_sig BORINGSSL_PREFIX %+ _slhdsa_xmss_pk_from_sig\n%xdefine slhdsa_xmss_sign BORINGSSL_PREFIX %+ _slhdsa_xmss_sign\n%xdefine v2i_GENERAL_NAME BORINGSSL_PREFIX %+ _v2i_GENERAL_NAME\n%xdefine v2i_GENERAL_NAMES BORINGSSL_PREFIX %+ _v2i_GENERAL_NAMES\n%xdefine v2i_GENERAL_NAME_ex BORINGSSL_PREFIX %+ _v2i_GENERAL_NAME_ex\n%xdefine v3_akey_id BORINGSSL_PREFIX %+ _v3_akey_id\n%xdefine v3_alt BORINGSSL_PREFIX %+ _v3_alt\n%xdefine v3_bcons BORINGSSL_PREFIX %+ _v3_bcons\n%xdefine v3_cpols BORINGSSL_PREFIX %+ _v3_cpols\n%xdefine v3_crl_invdate BORINGSSL_PREFIX %+ _v3_crl_invdate\n%xdefine v3_crl_num BORINGSSL_PREFIX %+ _v3_crl_num\n%xdefine v3_crl_reason BORINGSSL_PREFIX %+ _v3_crl_reason\n%xdefine v3_crld BORINGSSL_PREFIX %+ _v3_crld\n%xdefine v3_delta_crl BORINGSSL_PREFIX %+ _v3_delta_crl\n%xdefine v3_ext_ku BORINGSSL_PREFIX %+ _v3_ext_ku\n%xdefine v3_freshest_crl BORINGSSL_PREFIX %+ _v3_freshest_crl\n%xdefine v3_idp BORINGSSL_PREFIX %+ _v3_idp\n%xdefine v3_info BORINGSSL_PREFIX %+ _v3_info\n%xdefine v3_inhibit_anyp BORINGSSL_PREFIX %+ _v3_inhibit_anyp\n%xdefine v3_key_usage BORINGSSL_PREFIX %+ _v3_key_usage\n%xdefine v3_name_constraints BORINGSSL_PREFIX %+ _v3_name_constraints\n%xdefine v3_ns_ia5_list BORINGSSL_PREFIX %+ _v3_ns_ia5_list\n%xdefine v3_nscert BORINGSSL_PREFIX %+ _v3_nscert\n%xdefine v3_ocsp_accresp BORINGSSL_PREFIX %+ _v3_ocsp_accresp\n%xdefine v3_ocsp_nocheck BORINGSSL_PREFIX %+ _v3_ocsp_nocheck\n%xdefine v3_policy_constraints BORINGSSL_PREFIX %+ _v3_policy_constraints\n%xdefine v3_policy_mappings BORINGSSL_PREFIX %+ _v3_policy_mappings\n%xdefine v3_sinfo BORINGSSL_PREFIX %+ _v3_sinfo\n%xdefine v3_skey_id BORINGSSL_PREFIX %+ _v3_skey_id\n%xdefine voprf_exp2_blind BORINGSSL_PREFIX %+ _voprf_exp2_blind\n%xdefine voprf_exp2_client_key_from_bytes BORINGSSL_PREFIX %+ _voprf_exp2_client_key_from_bytes\n%xdefine voprf_exp2_derive_key_from_secret BORINGSSL_PREFIX %+ _voprf_exp2_derive_key_from_secret\n%xdefine voprf_exp2_generate_key BORINGSSL_PREFIX %+ _voprf_exp2_generate_key\n%xdefine voprf_exp2_issuer_key_from_bytes BORINGSSL_PREFIX %+ _voprf_exp2_issuer_key_from_bytes\n%xdefine voprf_exp2_read BORINGSSL_PREFIX %+ _voprf_exp2_read\n%xdefine voprf_exp2_sign BORINGSSL_PREFIX %+ _voprf_exp2_sign\n%xdefine voprf_exp2_unblind BORINGSSL_PREFIX %+ _voprf_exp2_unblind\n%xdefine voprf_pst1_blind BORINGSSL_PREFIX %+ _voprf_pst1_blind\n%xdefine voprf_pst1_client_key_from_bytes BORINGSSL_PREFIX %+ _voprf_pst1_client_key_from_bytes\n%xdefine voprf_pst1_derive_key_from_secret BORINGSSL_PREFIX %+ _voprf_pst1_derive_key_from_secret\n%xdefine voprf_pst1_generate_key BORINGSSL_PREFIX %+ _voprf_pst1_generate_key\n%xdefine voprf_pst1_issuer_key_from_bytes BORINGSSL_PREFIX %+ _voprf_pst1_issuer_key_from_bytes\n%xdefine voprf_pst1_read BORINGSSL_PREFIX %+ _voprf_pst1_read\n%xdefine voprf_pst1_sign BORINGSSL_PREFIX %+ _voprf_pst1_sign\n%xdefine voprf_pst1_sign_with_proof_scalar_for_testing BORINGSSL_PREFIX %+ _voprf_pst1_sign_with_proof_scalar_for_testing\n%xdefine voprf_pst1_unblind BORINGSSL_PREFIX %+ _voprf_pst1_unblind\n%xdefine vpaes_capable BORINGSSL_PREFIX %+ _vpaes_capable\n%xdefine vpaes_cbc_encrypt BORINGSSL_PREFIX %+ _vpaes_cbc_encrypt\n%xdefine vpaes_ctr32_encrypt_blocks BORINGSSL_PREFIX %+ _vpaes_ctr32_encrypt_blocks\n%xdefine vpaes_decrypt BORINGSSL_PREFIX %+ _vpaes_decrypt\n%xdefine vpaes_decrypt_key_to_bsaes BORINGSSL_PREFIX %+ _vpaes_decrypt_key_to_bsaes\n%xdefine vpaes_encrypt BORINGSSL_PREFIX %+ _vpaes_encrypt\n%xdefine vpaes_set_decrypt_key BORINGSSL_PREFIX %+ _vpaes_set_decrypt_key\n%xdefine vpaes_set_encrypt_key BORINGSSL_PREFIX %+ _vpaes_set_encrypt_key\n%xdefine x25519_asn1_meth BORINGSSL_PREFIX %+ _x25519_asn1_meth\n%xdefine x25519_ge_add BORINGSSL_PREFIX %+ _x25519_ge_add\n%xdefine x25519_ge_frombytes_vartime BORINGSSL_PREFIX %+ _x25519_ge_frombytes_vartime\n%xdefine x25519_ge_p1p1_to_p2 BORINGSSL_PREFIX %+ _x25519_ge_p1p1_to_p2\n%xdefine x25519_ge_p1p1_to_p3 BORINGSSL_PREFIX %+ _x25519_ge_p1p1_to_p3\n%xdefine x25519_ge_p3_to_cached BORINGSSL_PREFIX %+ _x25519_ge_p3_to_cached\n%xdefine x25519_ge_scalarmult BORINGSSL_PREFIX %+ _x25519_ge_scalarmult\n%xdefine x25519_ge_scalarmult_base BORINGSSL_PREFIX %+ _x25519_ge_scalarmult_base\n%xdefine x25519_ge_scalarmult_base_adx BORINGSSL_PREFIX %+ _x25519_ge_scalarmult_base_adx\n%xdefine x25519_ge_scalarmult_small_precomp BORINGSSL_PREFIX %+ _x25519_ge_scalarmult_small_precomp\n%xdefine x25519_ge_sub BORINGSSL_PREFIX %+ _x25519_ge_sub\n%xdefine x25519_ge_tobytes BORINGSSL_PREFIX %+ _x25519_ge_tobytes\n%xdefine x25519_pkey_meth BORINGSSL_PREFIX %+ _x25519_pkey_meth\n%xdefine x25519_sc_reduce BORINGSSL_PREFIX %+ _x25519_sc_reduce\n%xdefine x25519_scalar_mult_adx BORINGSSL_PREFIX %+ _x25519_scalar_mult_adx\n%xdefine x509V3_add_value_asn1_string BORINGSSL_PREFIX %+ _x509V3_add_value_asn1_string\n%xdefine x509_check_issued_with_callback BORINGSSL_PREFIX %+ _x509_check_issued_with_callback\n%xdefine x509_digest_sign_algorithm BORINGSSL_PREFIX %+ _x509_digest_sign_algorithm\n%xdefine x509_digest_verify_init BORINGSSL_PREFIX %+ _x509_digest_verify_init\n%xdefine x509_print_rsa_pss_params BORINGSSL_PREFIX %+ _x509_print_rsa_pss_params\n%xdefine x509_rsa_ctx_to_pss BORINGSSL_PREFIX %+ _x509_rsa_ctx_to_pss\n%xdefine x509_rsa_pss_to_ctx BORINGSSL_PREFIX %+ _x509_rsa_pss_to_ctx\n%xdefine x509v3_a2i_ipadd BORINGSSL_PREFIX %+ _x509v3_a2i_ipadd\n%xdefine x509v3_bytes_to_hex BORINGSSL_PREFIX %+ _x509v3_bytes_to_hex\n%xdefine x509v3_cache_extensions BORINGSSL_PREFIX %+ _x509v3_cache_extensions\n%xdefine x509v3_conf_name_matches BORINGSSL_PREFIX %+ _x509v3_conf_name_matches\n%xdefine x509v3_hex_to_bytes BORINGSSL_PREFIX %+ _x509v3_hex_to_bytes\n%xdefine x509v3_looks_like_dns_name BORINGSSL_PREFIX %+ _x509v3_looks_like_dns_name\n%endif\n" }, { "path": "Sources/CNIOBoringSSL/include/experimental/CNIOBoringSSL_kyber.h", "content": "/* Copyright 2023 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n#ifndef OPENSSL_HEADER_KYBER_H\n#define OPENSSL_HEADER_KYBER_H\n\n#include \"CNIOBoringSSL_base.h\"\n\n#if defined(__cplusplus)\nextern \"C\" {\n#endif\n\n\n#if defined(OPENSSL_UNSTABLE_EXPERIMENTAL_KYBER)\n// This header implements experimental, draft versions of not-yet-standardized\n// primitives. When the standard is complete, these functions will be removed\n// and replaced with the final, incompatible standard version. They are\n// available now for short-lived experiments, but must not be deployed anywhere\n// durable, such as a long-lived key store. To use these functions define\n// OPENSSL_UNSTABLE_EXPERIMENTAL_KYBER\n\n// Kyber768.\n//\n// This implements the round-3 specification of Kyber, defined at\n// https://pq-crystals.org/kyber/data/kyber-specification-round3-20210804.pdf\n\n\n// KYBER_public_key contains a Kyber768 public key. The contents of this\n// object should never leave the address space since the format is unstable.\nstruct KYBER_public_key {\n union {\n uint8_t bytes[512 * (3 + 9) + 32 + 32];\n uint16_t alignment;\n } opaque;\n};\n\n// KYBER_private_key contains a Kyber768 private key. The contents of this\n// object should never leave the address space since the format is unstable.\nstruct KYBER_private_key {\n union {\n uint8_t bytes[512 * (3 + 3 + 9) + 32 + 32 + 32];\n uint16_t alignment;\n } opaque;\n};\n\n// KYBER_PUBLIC_KEY_BYTES is the number of bytes in an encoded Kyber768 public\n// key.\n#define KYBER_PUBLIC_KEY_BYTES 1184\n\n// KYBER_SHARED_SECRET_BYTES is the number of bytes in the Kyber768 shared\n// secret. Although the round-3 specification has a variable-length output, the\n// final ML-KEM construction is expected to use a fixed 32-byte output. To\n// simplify the future transition, we apply the same restriction.\n#define KYBER_SHARED_SECRET_BYTES 32\n\n// KYBER_generate_key generates a random public/private key pair, writes the\n// encoded public key to |out_encoded_public_key| and sets |out_private_key| to\n// the private key.\nOPENSSL_EXPORT void KYBER_generate_key(\n uint8_t out_encoded_public_key[KYBER_PUBLIC_KEY_BYTES],\n struct KYBER_private_key *out_private_key);\n\n// KYBER_public_from_private sets |*out_public_key| to the public key that\n// corresponds to |private_key|. (This is faster than parsing the output of\n// |KYBER_generate_key| if, for some reason, you need to encapsulate to a key\n// that was just generated.)\nOPENSSL_EXPORT void KYBER_public_from_private(\n struct KYBER_public_key *out_public_key,\n const struct KYBER_private_key *private_key);\n\n// KYBER_CIPHERTEXT_BYTES is number of bytes in the Kyber768 ciphertext.\n#define KYBER_CIPHERTEXT_BYTES 1088\n\n// KYBER_encap encrypts a random shared secret for |public_key|, writes the\n// ciphertext to |out_ciphertext|, and writes the random shared secret to\n// |out_shared_secret|.\nOPENSSL_EXPORT void KYBER_encap(\n uint8_t out_ciphertext[KYBER_CIPHERTEXT_BYTES],\n uint8_t out_shared_secret[KYBER_SHARED_SECRET_BYTES],\n const struct KYBER_public_key *public_key);\n\n// KYBER_decap decrypts a shared secret from |ciphertext| using |private_key|\n// and writes it to |out_shared_secret|. If |ciphertext| is invalid,\n// |out_shared_secret| is filled with a key that will always be the same for the\n// same |ciphertext| and |private_key|, but which appears to be random unless\n// one has access to |private_key|. These alternatives occur in constant time.\n// Any subsequent symmetric encryption using |out_shared_secret| must use an\n// authenticated encryption scheme in order to discover the decapsulation\n// failure.\nOPENSSL_EXPORT void KYBER_decap(\n uint8_t out_shared_secret[KYBER_SHARED_SECRET_BYTES],\n const uint8_t ciphertext[KYBER_CIPHERTEXT_BYTES],\n const struct KYBER_private_key *private_key);\n\n\n// Serialisation of keys.\n\n// KYBER_marshal_public_key serializes |public_key| to |out| in the standard\n// format for Kyber public keys. It returns one on success or zero on allocation\n// error.\nOPENSSL_EXPORT int KYBER_marshal_public_key(\n CBB *out, const struct KYBER_public_key *public_key);\n\n// KYBER_parse_public_key parses a public key, in the format generated by\n// |KYBER_marshal_public_key|, from |in| and writes the result to\n// |out_public_key|. It returns one on success or zero on parse error or if\n// there are trailing bytes in |in|.\nOPENSSL_EXPORT int KYBER_parse_public_key(\n struct KYBER_public_key *out_public_key, CBS *in);\n\n// KYBER_marshal_private_key serializes |private_key| to |out| in the standard\n// format for Kyber private keys. It returns one on success or zero on\n// allocation error.\nOPENSSL_EXPORT int KYBER_marshal_private_key(\n CBB *out, const struct KYBER_private_key *private_key);\n\n// KYBER_PRIVATE_KEY_BYTES is the length of the data produced by\n// |KYBER_marshal_private_key|.\n#define KYBER_PRIVATE_KEY_BYTES 2400\n\n// KYBER_parse_private_key parses a private key, in the format generated by\n// |KYBER_marshal_private_key|, from |in| and writes the result to\n// |out_private_key|. It returns one on success or zero on parse error or if\n// there are trailing bytes in |in|.\nOPENSSL_EXPORT int KYBER_parse_private_key(\n struct KYBER_private_key *out_private_key, CBS *in);\n\n#endif // OPENSSL_UNSTABLE_EXPERIMENTAL_KYBER\n\n\n#if defined(__cplusplus)\n} // extern C\n#endif\n\n#endif // OPENSSL_HEADER_KYBER_H\n" }, { "path": "Sources/CNIOBoringSSL/include/module.modulemap", "content": "module CNIOBoringSSL {\n umbrella header \"CNIOBoringSSL.h\"\n export *\n}\n" }, { "path": "Sources/CNIOBoringSSL/ssl/bio_ssl.cc", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n\n\nstatic SSL *get_ssl(BIO *bio) { return reinterpret_cast(bio->ptr); }\n\nstatic int ssl_read(BIO *bio, char *out, int outl) {\n SSL *ssl = get_ssl(bio);\n if (ssl == NULL) {\n return 0;\n }\n\n BIO_clear_retry_flags(bio);\n\n const int ret = SSL_read(ssl, out, outl);\n\n switch (SSL_get_error(ssl, ret)) {\n case SSL_ERROR_WANT_READ:\n BIO_set_retry_read(bio);\n break;\n\n case SSL_ERROR_WANT_WRITE:\n BIO_set_retry_write(bio);\n break;\n\n case SSL_ERROR_WANT_ACCEPT:\n BIO_set_retry_special(bio);\n BIO_set_retry_reason(bio, BIO_RR_ACCEPT);\n break;\n\n case SSL_ERROR_WANT_CONNECT:\n BIO_set_retry_special(bio);\n BIO_set_retry_reason(bio, BIO_RR_CONNECT);\n break;\n\n case SSL_ERROR_NONE:\n case SSL_ERROR_SYSCALL:\n case SSL_ERROR_SSL:\n case SSL_ERROR_ZERO_RETURN:\n default:\n break;\n }\n\n return ret;\n}\n\nstatic int ssl_write(BIO *bio, const char *out, int outl) {\n SSL *ssl = get_ssl(bio);\n if (ssl == NULL) {\n return 0;\n }\n\n BIO_clear_retry_flags(bio);\n\n const int ret = SSL_write(ssl, out, outl);\n\n switch (SSL_get_error(ssl, ret)) {\n case SSL_ERROR_WANT_WRITE:\n BIO_set_retry_write(bio);\n break;\n\n case SSL_ERROR_WANT_READ:\n BIO_set_retry_read(bio);\n break;\n\n case SSL_ERROR_WANT_CONNECT:\n BIO_set_retry_special(bio);\n BIO_set_retry_reason(bio, BIO_RR_CONNECT);\n break;\n\n case SSL_ERROR_NONE:\n case SSL_ERROR_SYSCALL:\n case SSL_ERROR_SSL:\n default:\n break;\n }\n\n return ret;\n}\n\nstatic long ssl_ctrl(BIO *bio, int cmd, long num, void *ptr) {\n SSL *ssl = get_ssl(bio);\n if (ssl == NULL && cmd != BIO_C_SET_SSL) {\n return 0;\n }\n\n switch (cmd) {\n case BIO_C_SET_SSL:\n if (ssl != NULL) {\n // OpenSSL allows reusing an SSL BIO with a different SSL object. We do\n // not support this.\n OPENSSL_PUT_ERROR(SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);\n return 0;\n }\n\n // Note this differs from upstream OpenSSL, which synchronizes\n // |bio->next_bio| with |ssl|'s rbio here, and on |BIO_CTRL_PUSH|. We call\n // into the corresponding |BIO| directly. (We can implement the upstream\n // behavior if it ends up necessary.)\n bio->shutdown = static_cast(num);\n bio->ptr = ptr;\n bio->init = 1;\n return 1;\n\n case BIO_CTRL_GET_CLOSE:\n return bio->shutdown;\n\n case BIO_CTRL_SET_CLOSE:\n bio->shutdown = static_cast(num);\n return 1;\n\n case BIO_CTRL_WPENDING:\n return BIO_ctrl(SSL_get_wbio(ssl), cmd, num, ptr);\n\n case BIO_CTRL_PENDING:\n return SSL_pending(ssl);\n\n case BIO_CTRL_FLUSH: {\n BIO *wbio = SSL_get_wbio(ssl);\n BIO_clear_retry_flags(bio);\n long ret = BIO_ctrl(wbio, cmd, num, ptr);\n BIO_set_flags(bio, BIO_get_retry_flags(wbio));\n BIO_set_retry_reason(bio, BIO_get_retry_reason(wbio));\n return ret;\n }\n\n case BIO_CTRL_PUSH:\n case BIO_CTRL_POP:\n case BIO_CTRL_DUP:\n return -1;\n\n default:\n return BIO_ctrl(SSL_get_rbio(ssl), cmd, num, ptr);\n }\n}\n\nstatic int ssl_new(BIO *bio) { return 1; }\n\nstatic int ssl_free(BIO *bio) {\n SSL *ssl = get_ssl(bio);\n\n if (ssl == NULL) {\n return 1;\n }\n\n SSL_shutdown(ssl);\n if (bio->shutdown) {\n SSL_free(ssl);\n }\n\n return 1;\n}\n\nstatic long ssl_callback_ctrl(BIO *bio, int cmd, bio_info_cb fp) {\n SSL *ssl = get_ssl(bio);\n if (ssl == NULL) {\n return 0;\n }\n\n switch (cmd) {\n case BIO_CTRL_SET_CALLBACK:\n return -1;\n\n default:\n return BIO_callback_ctrl(SSL_get_rbio(ssl), cmd, fp);\n }\n}\n\nstatic const BIO_METHOD ssl_method = {\n BIO_TYPE_SSL, \"SSL\", ssl_write, ssl_read, NULL,\n NULL, ssl_ctrl, ssl_new, ssl_free, ssl_callback_ctrl,\n};\n\nconst BIO_METHOD *BIO_f_ssl(void) { return &ssl_method; }\n\nlong BIO_set_ssl(BIO *bio, SSL *ssl, int take_owership) {\n return BIO_ctrl(bio, BIO_C_SET_SSL, take_owership, ssl);\n}\n" }, { "path": "Sources/CNIOBoringSSL/ssl/d1_both.cc", "content": "/*\n * Copyright 2005-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n#include \n#include \n\n#include \n\n#include \n#include \n#include \n#include \n\n#include \"../crypto/internal.h\"\n#include \"internal.h\"\n\n\nBSSL_NAMESPACE_BEGIN\n\n// TODO(davidben): 28 comes from the size of IP + UDP header. Is this reasonable\n// for these values? Notably, why is kMinMTU a function of the transport\n// protocol's overhead rather than, say, what's needed to hold a minimally-sized\n// handshake fragment plus protocol overhead.\n\n// kMinMTU is the minimum acceptable MTU value.\nstatic const unsigned int kMinMTU = 256 - 28;\n\n// kDefaultMTU is the default MTU value to use if neither the user nor\n// the underlying BIO supplies one.\nstatic const unsigned int kDefaultMTU = 1500 - 28;\n\n// BitRange returns a |uint8_t| with bits |start|, inclusive, to |end|,\n// exclusive, set.\nstatic uint8_t BitRange(size_t start, size_t end) {\n assert(start <= end && end <= 8);\n return static_cast(~((1u << start) - 1) & ((1u << end) - 1));\n}\n\n// FirstUnmarkedRangeInByte returns the first unmarked range in bits |b|.\nstatic DTLSMessageBitmap::Range FirstUnmarkedRangeInByte(uint8_t b) {\n size_t start, end;\n for (start = 0; start < 8; start++) {\n if ((b & (1u << start)) == 0) {\n break;\n }\n }\n for (end = start; end < 8; end++) {\n if ((b & (1u << end)) != 0) {\n break;\n }\n }\n return DTLSMessageBitmap::Range{start, end};\n}\n\nbool DTLSMessageBitmap::Init(size_t num_bits) {\n if (num_bits + 7 < num_bits) {\n OPENSSL_PUT_ERROR(SSL, ERR_R_OVERFLOW);\n return false;\n }\n size_t num_bytes = (num_bits + 7) / 8;\n size_t bits_rounded = num_bytes * 8;\n if (!bytes_.Init(num_bytes)) {\n return false;\n }\n MarkRange(num_bits, bits_rounded);\n first_unmarked_byte_ = 0;\n return true;\n}\n\nvoid DTLSMessageBitmap::MarkRange(size_t start, size_t end) {\n assert(start <= end);\n // Don't bother touching bytes that have already been marked.\n start = std::max(start, first_unmarked_byte_ << 3);\n // Clamp everything within range.\n start = std::min(start, bytes_.size() << 3);\n end = std::min(end, bytes_.size() << 3);\n if (start >= end) {\n return;\n }\n\n if ((start >> 3) == (end >> 3)) {\n bytes_[start >> 3] |= BitRange(start & 7, end & 7);\n } else {\n bytes_[start >> 3] |= BitRange(start & 7, 8);\n for (size_t i = (start >> 3) + 1; i < (end >> 3); i++) {\n bytes_[i] = 0xff;\n }\n if ((end & 7) != 0) {\n bytes_[end >> 3] |= BitRange(0, end & 7);\n }\n }\n\n // Maintain the |first_unmarked_byte_| invariant. This work is amortized\n // across all |MarkRange| calls.\n while (first_unmarked_byte_ < bytes_.size() &&\n bytes_[first_unmarked_byte_] == 0xff) {\n first_unmarked_byte_++;\n }\n // If the whole message is marked, we no longer need to spend memory on the\n // bitmap.\n if (first_unmarked_byte_ >= bytes_.size()) {\n bytes_.Reset();\n first_unmarked_byte_ = 0;\n }\n}\n\nDTLSMessageBitmap::Range DTLSMessageBitmap::NextUnmarkedRange(\n size_t start) const {\n // Don't bother looking at bytes that are known to be fully marked.\n start = std::max(start, first_unmarked_byte_ << 3);\n\n size_t idx = start >> 3;\n if (idx >= bytes_.size()) {\n return Range{0, 0};\n }\n\n // Look at the bits from |start| up to a byte boundary.\n uint8_t byte = bytes_[idx] | BitRange(0, start & 7);\n if (byte == 0xff) {\n // Nothing unmarked at this byte. Keep searching for an unmarked bit.\n for (idx = idx + 1; idx < bytes_.size(); idx++) {\n if (bytes_[idx] != 0xff) {\n byte = bytes_[idx];\n break;\n }\n }\n if (idx >= bytes_.size()) {\n return Range{0, 0};\n }\n }\n\n Range range = FirstUnmarkedRangeInByte(byte);\n assert(!range.empty());\n bool should_extend = range.end == 8;\n range.start += idx << 3;\n range.end += idx << 3;\n if (!should_extend) {\n // The range did not end at a byte boundary. We're done.\n return range;\n }\n\n // Collect all fully unmarked bytes.\n for (idx = idx + 1; idx < bytes_.size(); idx++) {\n if (bytes_[idx] != 0) {\n break;\n }\n }\n range.end = idx << 3;\n\n // Add any bits from the remaining byte, if any.\n if (idx < bytes_.size()) {\n Range extra = FirstUnmarkedRangeInByte(bytes_[idx]);\n if (extra.start == 0) {\n range.end += extra.end;\n }\n }\n\n return range;\n}\n\n// Receiving handshake messages.\n\nstatic UniquePtr dtls_new_incoming_message(\n const struct hm_header_st *msg_hdr) {\n ScopedCBB cbb;\n UniquePtr frag = MakeUnique();\n if (!frag) {\n return nullptr;\n }\n frag->type = msg_hdr->type;\n frag->seq = msg_hdr->seq;\n\n // Allocate space for the reassembled message and fill in the header.\n if (!frag->data.InitForOverwrite(DTLS1_HM_HEADER_LENGTH + msg_hdr->msg_len)) {\n return nullptr;\n }\n\n if (!CBB_init_fixed(cbb.get(), frag->data.data(), DTLS1_HM_HEADER_LENGTH) ||\n !CBB_add_u8(cbb.get(), msg_hdr->type) ||\n !CBB_add_u24(cbb.get(), msg_hdr->msg_len) ||\n !CBB_add_u16(cbb.get(), msg_hdr->seq) ||\n !CBB_add_u24(cbb.get(), 0 /* frag_off */) ||\n !CBB_add_u24(cbb.get(), msg_hdr->msg_len) ||\n !CBB_finish(cbb.get(), NULL, NULL)) {\n return nullptr;\n }\n\n if (!frag->reassembly.Init(msg_hdr->msg_len)) {\n return nullptr;\n }\n\n return frag;\n}\n\n// dtls1_is_current_message_complete returns whether the current handshake\n// message is complete.\nstatic bool dtls1_is_current_message_complete(const SSL *ssl) {\n size_t idx = ssl->d1->handshake_read_seq % SSL_MAX_HANDSHAKE_FLIGHT;\n DTLSIncomingMessage *frag = ssl->d1->incoming_messages[idx].get();\n return frag != nullptr && frag->reassembly.IsComplete();\n}\n\n// dtls1_get_incoming_message returns the incoming message corresponding to\n// |msg_hdr|. If none exists, it creates a new one and inserts it in the\n// queue. Otherwise, it checks |msg_hdr| is consistent with the existing one. It\n// returns NULL on failure. The caller does not take ownership of the result.\nstatic DTLSIncomingMessage *dtls1_get_incoming_message(\n SSL *ssl, uint8_t *out_alert, const struct hm_header_st *msg_hdr) {\n if (msg_hdr->seq < ssl->d1->handshake_read_seq ||\n msg_hdr->seq - ssl->d1->handshake_read_seq >= SSL_MAX_HANDSHAKE_FLIGHT) {\n *out_alert = SSL_AD_INTERNAL_ERROR;\n return NULL;\n }\n\n size_t idx = msg_hdr->seq % SSL_MAX_HANDSHAKE_FLIGHT;\n DTLSIncomingMessage *frag = ssl->d1->incoming_messages[idx].get();\n if (frag != NULL) {\n assert(frag->seq == msg_hdr->seq);\n // The new fragment must be compatible with the previous fragments from this\n // message.\n if (frag->type != msg_hdr->type || //\n frag->msg_len() != msg_hdr->msg_len) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_FRAGMENT_MISMATCH);\n *out_alert = SSL_AD_ILLEGAL_PARAMETER;\n return NULL;\n }\n return frag;\n }\n\n // This is the first fragment from this message.\n ssl->d1->incoming_messages[idx] = dtls_new_incoming_message(msg_hdr);\n if (!ssl->d1->incoming_messages[idx]) {\n *out_alert = SSL_AD_INTERNAL_ERROR;\n return NULL;\n }\n return ssl->d1->incoming_messages[idx].get();\n}\n\nbool dtls1_process_handshake_fragments(SSL *ssl, uint8_t *out_alert,\n DTLSRecordNumber record_number,\n Span record) {\n bool implicit_ack = false;\n bool skipped_fragments = false;\n CBS cbs = record;\n while (CBS_len(&cbs) > 0) {\n // Read a handshake fragment.\n struct hm_header_st msg_hdr;\n CBS body;\n if (!dtls1_parse_fragment(&cbs, &msg_hdr, &body)) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_HANDSHAKE_RECORD);\n *out_alert = SSL_AD_DECODE_ERROR;\n return false;\n }\n\n const size_t frag_off = msg_hdr.frag_off;\n const size_t frag_len = msg_hdr.frag_len;\n const size_t msg_len = msg_hdr.msg_len;\n if (frag_off > msg_len || frag_len > msg_len - frag_off) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_HANDSHAKE_RECORD);\n *out_alert = SSL_AD_ILLEGAL_PARAMETER;\n return false;\n }\n\n if (msg_hdr.seq < ssl->d1->handshake_read_seq ||\n ssl->d1->handshake_read_overflow) {\n // Ignore fragments from the past. This is a retransmit of data we already\n // received.\n //\n // TODO(crbug.com/42290594): Use this to drive retransmits.\n continue;\n }\n\n if (record_number.epoch() != ssl->d1->read_epoch.epoch ||\n ssl->d1->next_read_epoch != nullptr) {\n // New messages can only arrive in the latest epoch. This can fail if the\n // record came from |prev_read_epoch|, or if it came from |read_epoch| but\n // |next_read_epoch| exists. (It cannot come from |next_read_epoch|\n // because |next_read_epoch| becomes |read_epoch| once it receives a\n // record.)\n OPENSSL_PUT_ERROR(SSL, SSL_R_EXCESS_HANDSHAKE_DATA);\n *out_alert = SSL_AD_UNEXPECTED_MESSAGE;\n return false;\n }\n\n if (msg_len > ssl_max_handshake_message_len(ssl)) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_EXCESSIVE_MESSAGE_SIZE);\n *out_alert = SSL_AD_ILLEGAL_PARAMETER;\n return false;\n }\n\n if (SSL_in_init(ssl) && ssl_has_final_version(ssl) &&\n ssl_protocol_version(ssl) >= TLS1_3_VERSION) {\n // During the handshake, if we receive any portion of the next flight, the\n // peer must have received our most recent flight. In DTLS 1.3, this is an\n // implicit ACK. See RFC 9147, Section 7.1.\n //\n // This only applies during the handshake. After the handshake, the next\n // message may be part of a post-handshake transaction. It also does not\n // apply immediately after the handshake. As a client, receiving a\n // KeyUpdate or NewSessionTicket does not imply the server has received\n // our Finished. The server may have sent those messages in half-RTT.\n implicit_ack = true;\n }\n\n if (msg_hdr.seq - ssl->d1->handshake_read_seq > SSL_MAX_HANDSHAKE_FLIGHT) {\n // Ignore fragments too far in the future.\n skipped_fragments = true;\n continue;\n }\n\n DTLSIncomingMessage *frag =\n dtls1_get_incoming_message(ssl, out_alert, &msg_hdr);\n if (frag == nullptr) {\n return false;\n }\n assert(frag->msg_len() == msg_len);\n\n if (frag->reassembly.IsComplete()) {\n // The message is already assembled.\n continue;\n }\n assert(msg_len > 0);\n\n // Copy the body into the fragment.\n Span dest = frag->msg().subspan(frag_off, CBS_len(&body));\n OPENSSL_memcpy(dest.data(), CBS_data(&body), CBS_len(&body));\n frag->reassembly.MarkRange(frag_off, frag_off + frag_len);\n }\n\n if (implicit_ack) {\n dtls1_stop_timer(ssl);\n dtls_clear_outgoing_messages(ssl);\n }\n\n if (!skipped_fragments) {\n ssl->d1->records_to_ack.PushBack(record_number);\n\n if (ssl_has_final_version(ssl) &&\n ssl_protocol_version(ssl) >= TLS1_3_VERSION &&\n !ssl->d1->ack_timer.IsSet() && !ssl->d1->sending_ack) {\n // Schedule sending an ACK. The delay serves several purposes:\n // - If there are more records to come, we send only one ACK.\n // - If there are more records to come and the flight is now complete, we\n // will send the reply (which implicitly ACKs the previous flight) and\n // cancel the timer.\n // - If there are more records to come, the flight is now complete, but\n // generating the response is delayed (e.g. a slow, async private key),\n // the timer will fire and we send an ACK anyway.\n OPENSSL_timeval now = ssl_ctx_get_current_time(ssl->ctx.get());\n ssl->d1->ack_timer.StartMicroseconds(\n now, uint64_t{ssl->d1->timeout_duration_ms} * 1000 / 4);\n }\n }\n\n return true;\n}\n\nssl_open_record_t dtls1_open_handshake(SSL *ssl, size_t *out_consumed,\n uint8_t *out_alert, Span in) {\n uint8_t type;\n DTLSRecordNumber record_number;\n Span record;\n auto ret = dtls_open_record(ssl, &type, &record_number, &record, out_consumed,\n out_alert, in);\n if (ret != ssl_open_record_success) {\n return ret;\n }\n\n switch (type) {\n case SSL3_RT_APPLICATION_DATA:\n // In DTLS 1.2, out-of-order application data may be received between\n // ChangeCipherSpec and Finished. Discard it.\n return ssl_open_record_discard;\n\n case SSL3_RT_CHANGE_CIPHER_SPEC:\n if (record.size() != 1u || record[0] != SSL3_MT_CCS) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_CHANGE_CIPHER_SPEC);\n *out_alert = SSL_AD_ILLEGAL_PARAMETER;\n return ssl_open_record_error;\n }\n\n // We do not support renegotiation, so encrypted ChangeCipherSpec records\n // are illegal.\n if (record_number.epoch() != 0) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_RECORD);\n *out_alert = SSL_AD_UNEXPECTED_MESSAGE;\n return ssl_open_record_error;\n }\n\n // Ignore ChangeCipherSpec from a previous epoch.\n if (record_number.epoch() != ssl->d1->read_epoch.epoch) {\n return ssl_open_record_discard;\n }\n\n // Flag the ChangeCipherSpec for later.\n // TODO(crbug.com/42290594): Should we reject this in DTLS 1.3?\n ssl->d1->has_change_cipher_spec = true;\n ssl_do_msg_callback(ssl, 0 /* read */, SSL3_RT_CHANGE_CIPHER_SPEC,\n record);\n return ssl_open_record_success;\n\n case SSL3_RT_ACK:\n return dtls1_process_ack(ssl, out_alert, record_number, record);\n\n case SSL3_RT_HANDSHAKE:\n if (!dtls1_process_handshake_fragments(ssl, out_alert, record_number,\n record)) {\n return ssl_open_record_error;\n }\n return ssl_open_record_success;\n\n default:\n OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_RECORD);\n *out_alert = SSL_AD_UNEXPECTED_MESSAGE;\n return ssl_open_record_error;\n }\n}\n\nbool dtls1_get_message(const SSL *ssl, SSLMessage *out) {\n if (!dtls1_is_current_message_complete(ssl)) {\n return false;\n }\n\n size_t idx = ssl->d1->handshake_read_seq % SSL_MAX_HANDSHAKE_FLIGHT;\n const DTLSIncomingMessage *frag = ssl->d1->incoming_messages[idx].get();\n out->type = frag->type;\n out->raw = CBS(frag->data);\n out->body = CBS(frag->msg());\n out->is_v2_hello = false;\n if (!ssl->s3->has_message) {\n ssl_do_msg_callback(ssl, 0 /* read */, SSL3_RT_HANDSHAKE, out->raw);\n ssl->s3->has_message = true;\n }\n return true;\n}\n\nvoid dtls1_next_message(SSL *ssl) {\n assert(ssl->s3->has_message);\n assert(dtls1_is_current_message_complete(ssl));\n size_t index = ssl->d1->handshake_read_seq % SSL_MAX_HANDSHAKE_FLIGHT;\n ssl->d1->incoming_messages[index].reset();\n ssl->d1->handshake_read_seq++;\n if (ssl->d1->handshake_read_seq == 0) {\n ssl->d1->handshake_read_overflow = true;\n }\n ssl->s3->has_message = false;\n // If we previously sent a flight, mark it as having a reply, so\n // |on_handshake_complete| can manage post-handshake retransmission.\n if (ssl->d1->outgoing_messages_complete) {\n ssl->d1->flight_has_reply = true;\n }\n}\n\nbool dtls_has_unprocessed_handshake_data(const SSL *ssl) {\n size_t current = ssl->d1->handshake_read_seq % SSL_MAX_HANDSHAKE_FLIGHT;\n for (size_t i = 0; i < SSL_MAX_HANDSHAKE_FLIGHT; i++) {\n // Skip the current message.\n if (ssl->s3->has_message && i == current) {\n assert(dtls1_is_current_message_complete(ssl));\n continue;\n }\n if (ssl->d1->incoming_messages[i] != nullptr) {\n return true;\n }\n }\n return false;\n}\n\nbool dtls1_parse_fragment(CBS *cbs, struct hm_header_st *out_hdr,\n CBS *out_body) {\n OPENSSL_memset(out_hdr, 0x00, sizeof(struct hm_header_st));\n\n if (!CBS_get_u8(cbs, &out_hdr->type) ||\n !CBS_get_u24(cbs, &out_hdr->msg_len) ||\n !CBS_get_u16(cbs, &out_hdr->seq) ||\n !CBS_get_u24(cbs, &out_hdr->frag_off) ||\n !CBS_get_u24(cbs, &out_hdr->frag_len) ||\n !CBS_get_bytes(cbs, out_body, out_hdr->frag_len)) {\n return false;\n }\n\n return true;\n}\n\nssl_open_record_t dtls1_open_change_cipher_spec(SSL *ssl, size_t *out_consumed,\n uint8_t *out_alert,\n Span in) {\n if (!ssl->d1->has_change_cipher_spec) {\n // dtls1_open_handshake processes both handshake and ChangeCipherSpec.\n auto ret = dtls1_open_handshake(ssl, out_consumed, out_alert, in);\n if (ret != ssl_open_record_success) {\n return ret;\n }\n }\n if (ssl->d1->has_change_cipher_spec) {\n ssl->d1->has_change_cipher_spec = false;\n return ssl_open_record_success;\n }\n return ssl_open_record_discard;\n}\n\n\n// Sending handshake messages.\n\nvoid dtls_clear_outgoing_messages(SSL *ssl) {\n ssl->d1->outgoing_messages.clear();\n ssl->d1->sent_records = nullptr;\n ssl->d1->outgoing_written = 0;\n ssl->d1->outgoing_offset = 0;\n ssl->d1->outgoing_messages_complete = false;\n ssl->d1->flight_has_reply = false;\n ssl->d1->sending_flight = false;\n dtls_clear_unused_write_epochs(ssl);\n}\n\nvoid dtls_clear_unused_write_epochs(SSL *ssl) {\n ssl->d1->extra_write_epochs.EraseIf(\n [ssl](const UniquePtr &write_epoch) -> bool {\n // Non-current epochs may be discarded once there are no incomplete\n // outgoing messages that reference them.\n //\n // TODO(crbug.com/42290594): Epoch 1 (0-RTT) should be retained until\n // epoch 3 (app data) is available.\n for (const auto &msg : ssl->d1->outgoing_messages) {\n if (msg.epoch == write_epoch->epoch() && !msg.IsFullyAcked()) {\n return false;\n }\n }\n return true;\n });\n}\n\nbool dtls1_init_message(const SSL *ssl, CBB *cbb, CBB *body, uint8_t type) {\n // Pick a modest size hint to save most of the |realloc| calls.\n if (!CBB_init(cbb, 64) || //\n !CBB_add_u8(cbb, type) || //\n !CBB_add_u24(cbb, 0 /* length (filled in later) */) || //\n !CBB_add_u16(cbb, ssl->d1->handshake_write_seq) || //\n !CBB_add_u24(cbb, 0 /* offset */) || //\n !CBB_add_u24_length_prefixed(cbb, body)) {\n return false;\n }\n\n return true;\n}\n\nbool dtls1_finish_message(const SSL *ssl, CBB *cbb, Array *out_msg) {\n if (!CBBFinishArray(cbb, out_msg) ||\n out_msg->size() < DTLS1_HM_HEADER_LENGTH) {\n OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);\n return false;\n }\n\n // Fix up the header. Copy the fragment length into the total message\n // length.\n OPENSSL_memcpy(out_msg->data() + 1,\n out_msg->data() + DTLS1_HM_HEADER_LENGTH - 3, 3);\n return true;\n}\n\n// add_outgoing adds a new handshake message or ChangeCipherSpec to the current\n// outgoing flight. It returns true on success and false on error.\nstatic bool add_outgoing(SSL *ssl, bool is_ccs, Array data) {\n if (ssl->d1->outgoing_messages_complete) {\n // If we've begun writing a new flight, we received the peer flight. Discard\n // the timer and the our flight.\n dtls1_stop_timer(ssl);\n dtls_clear_outgoing_messages(ssl);\n }\n\n if (!is_ccs) {\n if (ssl->d1->handshake_write_overflow) {\n OPENSSL_PUT_ERROR(SSL, ERR_R_OVERFLOW);\n return false;\n }\n // TODO(svaldez): Move this up a layer to fix abstraction for SSLTranscript\n // on hs.\n if (ssl->s3->hs != NULL && !ssl->s3->hs->transcript.Update(data)) {\n OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);\n return false;\n }\n ssl->d1->handshake_write_seq++;\n if (ssl->d1->handshake_write_seq == 0) {\n ssl->d1->handshake_write_overflow = true;\n }\n }\n\n DTLSOutgoingMessage msg;\n msg.data = std::move(data);\n msg.epoch = ssl->d1->write_epoch.epoch();\n msg.is_ccs = is_ccs;\n // Zero-length messages need 1 bit to track whether the peer has received the\n // message header. (Normally the message header is implicitly received when\n // any fragment of the message is received at all.)\n if (!is_ccs && !msg.acked.Init(std::max(msg.msg_len(), size_t{1}))) {\n return false;\n }\n\n // This should not fail if |SSL_MAX_HANDSHAKE_FLIGHT| was sized correctly.\n //\n // TODO(crbug.com/42290594): This can currently fail in DTLS 1.3. The caller\n // can configure how many tickets to send, up to kMaxTickets. Additionally, if\n // we send 0.5-RTT tickets in 0-RTT, we may even have tickets queued up with\n // the server flight.\n if (!ssl->d1->outgoing_messages.TryPushBack(std::move(msg))) {\n assert(false);\n OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);\n return false;\n }\n\n return true;\n}\n\nbool dtls1_add_message(SSL *ssl, Array data) {\n return add_outgoing(ssl, false /* handshake */, std::move(data));\n}\n\nbool dtls1_add_change_cipher_spec(SSL *ssl) {\n // DTLS 1.3 disables compatibility mode, which means that DTLS 1.3 never sends\n // a ChangeCipherSpec message.\n if (ssl_protocol_version(ssl) > TLS1_2_VERSION) {\n return true;\n }\n return add_outgoing(ssl, true /* ChangeCipherSpec */, Array());\n}\n\n// dtls1_update_mtu updates the current MTU from the BIO, ensuring it is above\n// the minimum.\nstatic void dtls1_update_mtu(SSL *ssl) {\n // TODO(davidben): No consumer implements |BIO_CTRL_DGRAM_SET_MTU| and the\n // only |BIO_CTRL_DGRAM_QUERY_MTU| implementation could use\n // |SSL_set_mtu|. Does this need to be so complex?\n if (ssl->d1->mtu < dtls1_min_mtu() &&\n !(SSL_get_options(ssl) & SSL_OP_NO_QUERY_MTU)) {\n long mtu = BIO_ctrl(ssl->wbio.get(), BIO_CTRL_DGRAM_QUERY_MTU, 0, NULL);\n if (mtu >= 0 && mtu <= (1 << 30) && (unsigned)mtu >= dtls1_min_mtu()) {\n ssl->d1->mtu = (unsigned)mtu;\n } else {\n ssl->d1->mtu = kDefaultMTU;\n BIO_ctrl(ssl->wbio.get(), BIO_CTRL_DGRAM_SET_MTU, ssl->d1->mtu, NULL);\n }\n }\n\n // The MTU should be above the minimum now.\n assert(ssl->d1->mtu >= dtls1_min_mtu());\n}\n\nenum seal_result_t {\n seal_error,\n seal_continue,\n seal_flush,\n};\n\n// seal_next_record seals one record's worth of messages to |out| and advances\n// |ssl|'s internal state past the data that was sealed. If progress was made,\n// it returns |seal_flush| or |seal_continue| and sets\n// |*out_len| to the number of bytes written.\n//\n// If the function stopped because the next message could not be combined into\n// this record, it returns |seal_continue| and the caller should loop again.\n// Otherwise, it returns |seal_flush| and the packet is complete (either because\n// there are no more messages or the packet is full).\nstatic seal_result_t seal_next_record(SSL *ssl, Span out,\n size_t *out_len) {\n *out_len = 0;\n\n // Skip any fully acked messages.\n while (ssl->d1->outgoing_written < ssl->d1->outgoing_messages.size() &&\n ssl->d1->outgoing_messages[ssl->d1->outgoing_written].IsFullyAcked()) {\n ssl->d1->outgoing_offset = 0;\n ssl->d1->outgoing_written++;\n }\n\n // There was nothing left to write.\n if (ssl->d1->outgoing_written >= ssl->d1->outgoing_messages.size()) {\n return seal_flush;\n }\n\n const auto &first_msg = ssl->d1->outgoing_messages[ssl->d1->outgoing_written];\n size_t prefix_len = dtls_seal_prefix_len(ssl, first_msg.epoch);\n size_t max_in_len = dtls_seal_max_input_len(ssl, first_msg.epoch, out.size());\n if (max_in_len == 0) {\n // There is no room for a single record.\n return seal_flush;\n }\n\n if (first_msg.is_ccs) {\n static const uint8_t kChangeCipherSpec[1] = {SSL3_MT_CCS};\n DTLSRecordNumber record_number;\n if (!dtls_seal_record(ssl, &record_number, out.data(), out_len, out.size(),\n SSL3_RT_CHANGE_CIPHER_SPEC, kChangeCipherSpec,\n sizeof(kChangeCipherSpec), first_msg.epoch)) {\n return seal_error;\n }\n\n ssl_do_msg_callback(ssl, /*is_write=*/1, SSL3_RT_CHANGE_CIPHER_SPEC,\n kChangeCipherSpec);\n ssl->d1->outgoing_offset = 0;\n ssl->d1->outgoing_written++;\n return seal_continue;\n }\n\n // TODO(crbug.com/374991962): For now, only send one message per record in\n // epoch 0. Sending multiple is allowed and more efficient, but breaks\n // b/378742138.\n const bool allow_multiple_messages = first_msg.epoch != 0;\n\n // Pack as many handshake fragments into one record as we can. We stage the\n // fragments in the output buffer, to be sealed in-place.\n bool should_continue = false;\n Span fragments = out.subspan(prefix_len, max_in_len);\n CBB cbb;\n CBB_init_fixed(&cbb, fragments.data(), fragments.size());\n DTLSSentRecord sent_record;\n sent_record.first_msg = ssl->d1->outgoing_written;\n sent_record.first_msg_start = ssl->d1->outgoing_offset;\n while (ssl->d1->outgoing_written < ssl->d1->outgoing_messages.size()) {\n const auto &msg = ssl->d1->outgoing_messages[ssl->d1->outgoing_written];\n if (msg.epoch != first_msg.epoch || msg.is_ccs) {\n // We can only pack messages if the epoch matches. There may be more room\n // in the packet, so tell the caller to keep going.\n should_continue = true;\n break;\n }\n\n // Decode |msg|'s header.\n CBS cbs(msg.data), body_cbs;\n struct hm_header_st hdr;\n if (!dtls1_parse_fragment(&cbs, &hdr, &body_cbs) || //\n hdr.frag_off != 0 || //\n hdr.frag_len != CBS_len(&body_cbs) || //\n hdr.msg_len != CBS_len(&body_cbs) || //\n CBS_len(&cbs) != 0) {\n OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);\n return seal_error;\n }\n\n // Iterate over every un-acked range in the message, if any.\n Span body = body_cbs;\n for (;;) {\n auto range = msg.acked.NextUnmarkedRange(ssl->d1->outgoing_offset);\n if (range.empty()) {\n // Advance to the next message.\n ssl->d1->outgoing_offset = 0;\n ssl->d1->outgoing_written++;\n break;\n }\n\n // Determine how much progress can be made (minimum one byte of progress).\n size_t capacity = fragments.size() - CBB_len(&cbb);\n if (capacity < DTLS1_HM_HEADER_LENGTH + 1) {\n goto packet_full;\n }\n size_t todo = std::min(range.size(), capacity - DTLS1_HM_HEADER_LENGTH);\n\n // Empty messages are special-cased in ACK tracking. We act as if they\n // have one byte, but in reality that byte is tracking the header.\n Span frag;\n if (!body.empty()) {\n frag = body.subspan(range.start, todo);\n }\n\n // Assemble the fragment.\n size_t frag_start = CBB_len(&cbb);\n CBB child;\n if (!CBB_add_u8(&cbb, hdr.type) || //\n !CBB_add_u24(&cbb, hdr.msg_len) || //\n !CBB_add_u16(&cbb, hdr.seq) || //\n !CBB_add_u24(&cbb, range.start) || //\n !CBB_add_u24_length_prefixed(&cbb, &child) || //\n !CBB_add_bytes(&child, frag.data(), frag.size()) || //\n !CBB_flush(&cbb)) {\n OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);\n return seal_error;\n }\n size_t frag_end = CBB_len(&cbb);\n\n // TODO(davidben): It is odd that, on output, we inform the caller of\n // retransmits and individual fragments, but on input we only inform the\n // caller of complete messages.\n ssl_do_msg_callback(ssl, /*is_write=*/1, SSL3_RT_HANDSHAKE,\n fragments.subspan(frag_start, frag_end - frag_start));\n\n ssl->d1->outgoing_offset = range.start + todo;\n if (todo < range.size()) {\n // The packet was the limiting factor.\n goto packet_full;\n }\n }\n\n if (!allow_multiple_messages) {\n should_continue = true;\n break;\n }\n }\n\npacket_full:\n sent_record.last_msg = ssl->d1->outgoing_written;\n sent_record.last_msg_end = ssl->d1->outgoing_offset;\n\n // We could not fit anything. Don't try to make a record.\n if (CBB_len(&cbb) == 0) {\n assert(!should_continue);\n return seal_flush;\n }\n\n if (!dtls_seal_record(ssl, &sent_record.number, out.data(), out_len,\n out.size(), SSL3_RT_HANDSHAKE, CBB_data(&cbb),\n CBB_len(&cbb), first_msg.epoch)) {\n return seal_error;\n }\n\n // If DTLS 1.3 (or if the version is not yet known and it may be DTLS 1.3),\n // save the record number to match against ACKs later.\n if (ssl->s3->version == 0 || ssl_protocol_version(ssl) >= TLS1_3_VERSION) {\n if (ssl->d1->sent_records == nullptr) {\n ssl->d1->sent_records =\n MakeUnique>();\n if (ssl->d1->sent_records == nullptr) {\n return seal_error;\n }\n }\n ssl->d1->sent_records->PushBack(sent_record);\n }\n\n return should_continue ? seal_continue : seal_flush;\n}\n\n// seal_next_packet writes as much of the next flight as possible to |out| and\n// advances |ssl->d1->outgoing_written| and |ssl->d1->outgoing_offset| as\n// appropriate.\nstatic bool seal_next_packet(SSL *ssl, Span out, size_t *out_len) {\n size_t total = 0;\n for (;;) {\n size_t len;\n seal_result_t ret = seal_next_record(ssl, out, &len);\n switch (ret) {\n case seal_error:\n return false;\n\n case seal_flush:\n case seal_continue:\n out = out.subspan(len);\n total += len;\n break;\n }\n\n if (ret == seal_flush) {\n break;\n }\n }\n\n *out_len = total;\n return true;\n}\n\nstatic int send_flight(SSL *ssl) {\n if (ssl->s3->write_shutdown != ssl_shutdown_none) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_PROTOCOL_IS_SHUTDOWN);\n return -1;\n }\n\n if (ssl->wbio == nullptr) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_BIO_NOT_SET);\n return -1;\n }\n\n if (ssl->d1->num_timeouts > DTLS1_MAX_TIMEOUTS) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_READ_TIMEOUT_EXPIRED);\n return -1;\n }\n\n dtls1_update_mtu(ssl);\n\n Array packet;\n if (!packet.InitForOverwrite(ssl->d1->mtu)) {\n return -1;\n }\n\n while (ssl->d1->outgoing_written < ssl->d1->outgoing_messages.size()) {\n uint8_t old_written = ssl->d1->outgoing_written;\n uint32_t old_offset = ssl->d1->outgoing_offset;\n\n size_t packet_len;\n if (!seal_next_packet(ssl, Span(packet), &packet_len)) {\n return -1;\n }\n\n if (packet_len == 0 &&\n ssl->d1->outgoing_written < ssl->d1->outgoing_messages.size()) {\n // We made no progress with the packet size available, but did not reach\n // the end.\n OPENSSL_PUT_ERROR(SSL, SSL_R_MTU_TOO_SMALL);\n return false;\n }\n\n if (packet_len != 0) {\n int bio_ret = BIO_write(ssl->wbio.get(), packet.data(), packet_len);\n if (bio_ret <= 0) {\n // Retry this packet the next time around.\n ssl->d1->outgoing_written = old_written;\n ssl->d1->outgoing_offset = old_offset;\n ssl->s3->rwstate = SSL_ERROR_WANT_WRITE;\n return bio_ret;\n }\n }\n }\n\n if (BIO_flush(ssl->wbio.get()) <= 0) {\n ssl->s3->rwstate = SSL_ERROR_WANT_WRITE;\n return -1;\n }\n\n return 1;\n}\n\nvoid dtls1_finish_flight(SSL *ssl) {\n if (ssl->d1->outgoing_messages.empty() ||\n ssl->d1->outgoing_messages_complete) {\n return; // Nothing to do.\n }\n\n if (ssl->d1->outgoing_messages[0].epoch <= 2) {\n // DTLS 1.3 handshake messages (epoch 2 and below) implicitly ACK the\n // previous flight, so there is no need to ACK previous records. This\n // clears the ACK buffer slightly earlier than the specification suggests.\n // See the discussion in\n // https://mailarchive.ietf.org/arch/msg/tls/kjJnquJOVaWxu5hUCmNzB35eqY0/\n ssl->d1->records_to_ack.Clear();\n ssl->d1->ack_timer.Stop();\n ssl->d1->sending_ack = false;\n }\n\n ssl->d1->outgoing_messages_complete = true;\n ssl->d1->sending_flight = true;\n // Stop retransmitting the previous flight. In DTLS 1.3, we'll have stopped\n // the timer already, but DTLS 1.2 keeps it running until the next flight is\n // ready.\n dtls1_stop_timer(ssl);\n}\n\nvoid dtls1_schedule_ack(SSL *ssl) {\n ssl->d1->ack_timer.Stop();\n ssl->d1->sending_ack = !ssl->d1->records_to_ack.empty();\n}\n\nstatic int send_ack(SSL *ssl) {\n assert(ssl_protocol_version(ssl) >= TLS1_3_VERSION);\n\n // Ensure we don't send so many ACKs that we overflow the MTU. There is a\n // 2-byte length prefix and each ACK is 16 bytes.\n dtls1_update_mtu(ssl);\n size_t max_plaintext =\n dtls_seal_max_input_len(ssl, ssl->d1->write_epoch.epoch(), ssl->d1->mtu);\n if (max_plaintext < 2 + 16) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_MTU_TOO_SMALL); // No room for even one ACK.\n return -1;\n }\n size_t num_acks =\n std::min((max_plaintext - 2) / 16, ssl->d1->records_to_ack.size());\n\n // Assemble the ACK. RFC 9147 says to sort ACKs numerically. It is unclear if\n // other implementations do this, but go ahead and sort for now. See\n // https://mailarchive.ietf.org/arch/msg/tls/kjJnquJOVaWxu5hUCmNzB35eqY0/.\n // Remove this if rfc9147bis removes this requirement.\n InplaceVector sorted;\n for (size_t i = ssl->d1->records_to_ack.size() - num_acks;\n i < ssl->d1->records_to_ack.size(); i++) {\n sorted.PushBack(ssl->d1->records_to_ack[i]);\n }\n std::sort(sorted.begin(), sorted.end());\n\n uint8_t buf[2 + 16 * DTLS_MAX_ACK_BUFFER];\n CBB cbb, child;\n CBB_init_fixed(&cbb, buf, sizeof(buf));\n BSSL_CHECK(CBB_add_u16_length_prefixed(&cbb, &child));\n for (const auto &number : sorted) {\n BSSL_CHECK(CBB_add_u64(&child, number.epoch()));\n BSSL_CHECK(CBB_add_u64(&child, number.sequence()));\n }\n BSSL_CHECK(CBB_flush(&cbb));\n\n // Encrypt it.\n uint8_t record[DTLS1_3_RECORD_HEADER_WRITE_LENGTH + sizeof(buf) +\n 1 /* record type */ + EVP_AEAD_MAX_OVERHEAD];\n size_t record_len;\n DTLSRecordNumber record_number;\n if (!dtls_seal_record(ssl, &record_number, record, &record_len,\n sizeof(record), SSL3_RT_ACK, CBB_data(&cbb),\n CBB_len(&cbb), ssl->d1->write_epoch.epoch())) {\n return -1;\n }\n\n ssl_do_msg_callback(ssl, /*is_write=*/1, SSL3_RT_ACK,\n Span(CBB_data(&cbb), CBB_len(&cbb)));\n\n int bio_ret =\n BIO_write(ssl->wbio.get(), record, static_cast(record_len));\n if (bio_ret <= 0) {\n ssl->s3->rwstate = SSL_ERROR_WANT_WRITE;\n return bio_ret;\n }\n\n if (BIO_flush(ssl->wbio.get()) <= 0) {\n ssl->s3->rwstate = SSL_ERROR_WANT_WRITE;\n return -1;\n }\n\n return 1;\n}\n\nint dtls1_flush(SSL *ssl) {\n // Send the pending ACK, if any.\n if (ssl->d1->sending_ack) {\n int ret = send_ack(ssl);\n if (ret <= 0) {\n return ret;\n }\n ssl->d1->sending_ack = false;\n }\n\n // Send the pending flight, if any.\n if (ssl->d1->sending_flight) {\n int ret = send_flight(ssl);\n if (ret <= 0) {\n return ret;\n }\n\n // Reset state for the next send.\n ssl->d1->outgoing_written = 0;\n ssl->d1->outgoing_offset = 0;\n ssl->d1->sending_flight = false;\n\n // Schedule the next retransmit timer. In DTLS 1.3, we retransmit all\n // flights until ACKed. In DTLS 1.2, the final Finished flight is never\n // ACKed, so we do not keep the timer running after the handshake.\n if (SSL_in_init(ssl) || ssl_protocol_version(ssl) >= TLS1_3_VERSION) {\n if (ssl->d1->num_timeouts == 0) {\n ssl->d1->timeout_duration_ms = ssl->initial_timeout_duration_ms;\n } else {\n ssl->d1->timeout_duration_ms =\n std::min(ssl->d1->timeout_duration_ms * 2, uint32_t{60000});\n }\n\n OPENSSL_timeval now = ssl_ctx_get_current_time(ssl->ctx.get());\n ssl->d1->retransmit_timer.StartMicroseconds(\n now, uint64_t{ssl->d1->timeout_duration_ms} * 1000);\n }\n }\n\n return 1;\n}\n\nunsigned int dtls1_min_mtu(void) { return kMinMTU; }\n\nBSSL_NAMESPACE_END\n" }, { "path": "Sources/CNIOBoringSSL/ssl/d1_lib.cc", "content": "/*\n * Copyright 2005-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n#include \n#include \n\n#include \n#include \n#include \n\n#include \"../crypto/internal.h\"\n#include \"internal.h\"\n\n\nBSSL_NAMESPACE_BEGIN\n\nDTLS1_STATE::DTLS1_STATE()\n : has_change_cipher_spec(false),\n outgoing_messages_complete(false),\n flight_has_reply(false),\n handshake_write_overflow(false),\n handshake_read_overflow(false),\n sending_flight(false),\n sending_ack(false),\n queued_key_update(QueuedKeyUpdate::kNone) {}\n\nDTLS1_STATE::~DTLS1_STATE() {}\n\nbool DTLS1_STATE::Init() {\n // Set up the initial epochs.\n read_epoch.aead = SSLAEADContext::CreateNullCipher();\n write_epoch.aead = SSLAEADContext::CreateNullCipher();\n if (read_epoch.aead == nullptr || write_epoch.aead == nullptr) {\n return false;\n }\n\n return true;\n}\n\nbool dtls1_new(SSL *ssl) {\n if (!tls_new(ssl)) {\n return false;\n }\n UniquePtr d1 = MakeUnique();\n if (!d1 || !d1->Init()) {\n tls_free(ssl);\n return false;\n }\n\n ssl->d1 = d1.release();\n return true;\n}\n\nvoid dtls1_free(SSL *ssl) {\n tls_free(ssl);\n\n if (ssl == NULL) {\n return;\n }\n\n Delete(ssl->d1);\n ssl->d1 = NULL;\n}\n\nvoid DTLSTimer::StartMicroseconds(OPENSSL_timeval now, uint64_t microseconds) {\n uint64_t seconds = microseconds / 1000000;\n microseconds %= 1000000;\n\n now.tv_usec += microseconds;\n if (now.tv_usec >= 1000000) {\n now.tv_usec -= 1000000;\n seconds++;\n }\n\n if (now.tv_sec > UINT64_MAX - seconds) {\n Stop();\n return;\n }\n now.tv_sec += seconds;\n expire_time_ = now;\n}\n\nvoid DTLSTimer::Stop() { expire_time_ = {0, 0}; }\n\nbool DTLSTimer::IsExpired(OPENSSL_timeval now) const {\n return MicrosecondsRemaining(now) == 0;\n}\n\nbool DTLSTimer::IsSet() const {\n return expire_time_.tv_sec != 0 || expire_time_.tv_usec != 0;\n}\n\nuint64_t DTLSTimer::MicrosecondsRemaining(OPENSSL_timeval now) const {\n if (!IsSet()) {\n return kNever;\n }\n\n if (now.tv_sec > expire_time_.tv_sec ||\n (now.tv_sec == expire_time_.tv_sec &&\n now.tv_usec >= expire_time_.tv_usec)) {\n return 0;\n }\n\n uint64_t sec = expire_time_.tv_sec - now.tv_sec;\n uint32_t usec;\n if (expire_time_.tv_usec >= now.tv_usec) {\n usec = expire_time_.tv_usec - now.tv_usec;\n } else {\n sec--;\n usec = expire_time_.tv_usec + 1000000 - now.tv_usec;\n }\n\n // If remaining time is less than 15 ms, return 0 to prevent issues because of\n // small divergences with socket timeouts.\n if (sec == 0 && usec < 15000) {\n return 0;\n }\n\n if (sec > UINT64_MAX / 1000000) {\n return kNever;\n }\n sec *= 1000000;\n if (sec > UINT64_MAX - usec) {\n return kNever;\n }\n return sec + usec;\n}\n\nvoid dtls1_stop_timer(SSL *ssl) {\n ssl->d1->num_timeouts = 0;\n ssl->d1->retransmit_timer.Stop();\n ssl->d1->timeout_duration_ms = ssl->initial_timeout_duration_ms;\n}\n\nBSSL_NAMESPACE_END\n\nusing namespace bssl;\n\nvoid DTLSv1_set_initial_timeout_duration(SSL *ssl, uint32_t duration_ms) {\n ssl->initial_timeout_duration_ms = duration_ms;\n}\n\nint DTLSv1_get_timeout(const SSL *ssl, struct timeval *out) {\n if (!SSL_is_dtls(ssl)) {\n return 0;\n }\n\n OPENSSL_timeval now = ssl_ctx_get_current_time(ssl->ctx.get());\n uint64_t remaining_usec =\n ssl->d1->retransmit_timer.MicrosecondsRemaining(now);\n remaining_usec =\n std::min(remaining_usec, ssl->d1->ack_timer.MicrosecondsRemaining(now));\n if (remaining_usec == DTLSTimer::kNever) {\n return 0; // No timeout is set.\n }\n\n uint64_t remaining_sec = remaining_usec / 1000000;\n remaining_usec %= 1000000;\n\n // |timeval| uses |time_t|, which may be 32-bit.\n const auto kTvSecMax = std::numeric_limitstv_sec)>::max();\n if (remaining_sec > static_cast(kTvSecMax)) {\n out->tv_sec = kTvSecMax; // Saturate the output.\n out->tv_usec = 999999;\n } else {\n out->tv_sec = static_casttv_sec)>(remaining_sec);\n }\n out->tv_usec = remaining_usec;\n return 1;\n}\n\nint DTLSv1_handle_timeout(SSL *ssl) {\n ssl_reset_error_state(ssl);\n\n if (!SSL_is_dtls(ssl)) {\n OPENSSL_PUT_ERROR(SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);\n return -1;\n }\n\n if (!ssl->d1->ack_timer.IsSet() && !ssl->d1->retransmit_timer.IsSet()) {\n // No timers are running. Don't bother querying the clock.\n return 0;\n }\n\n OPENSSL_timeval now = ssl_ctx_get_current_time(ssl->ctx.get());\n bool any_timer_expired = false;\n if (ssl->d1->ack_timer.IsExpired(now)) {\n any_timer_expired = true;\n ssl->d1->sending_ack = true;\n ssl->d1->ack_timer.Stop();\n }\n\n if (ssl->d1->retransmit_timer.IsExpired(now)) {\n any_timer_expired = true;\n ssl->d1->sending_flight = true;\n ssl->d1->retransmit_timer.Stop();\n\n ssl->d1->num_timeouts++;\n // Reduce MTU after 2 unsuccessful retransmissions.\n if (ssl->d1->num_timeouts > DTLS1_MTU_TIMEOUTS &&\n !(SSL_get_options(ssl) & SSL_OP_NO_QUERY_MTU)) {\n long mtu = BIO_ctrl(ssl->wbio.get(), BIO_CTRL_DGRAM_GET_FALLBACK_MTU, 0,\n nullptr);\n if (mtu >= 0 && mtu <= (1 << 30) && (unsigned)mtu >= dtls1_min_mtu()) {\n ssl->d1->mtu = (unsigned)mtu;\n }\n }\n }\n\n if (!any_timer_expired) {\n return 0;\n }\n\n return dtls1_flush(ssl);\n}\n" }, { "path": "Sources/CNIOBoringSSL/ssl/d1_pkt.cc", "content": "/*\n * Copyright 2005-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n#include \n\n#include \n\n#include \n#include \n#include \n#include \n#include \n#include \n\n#include \"../crypto/internal.h\"\n#include \"internal.h\"\n\n\nBSSL_NAMESPACE_BEGIN\n\nssl_open_record_t dtls1_process_ack(SSL *ssl, uint8_t *out_alert,\n DTLSRecordNumber ack_record_number,\n Span data) {\n // As a DTLS-1.3-capable client, it is possible to receive an ACK before we\n // receive ServerHello and learned the server picked DTLS 1.3. Thus, tolerate\n // but ignore ACKs before the version is set.\n if (!ssl_has_final_version(ssl)) {\n return ssl_open_record_discard;\n }\n\n // ACKs are only allowed in DTLS 1.3. Reject them if we've negotiated a\n // version and it's not 1.3.\n if (ssl_protocol_version(ssl) < TLS1_3_VERSION) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_RECORD);\n *out_alert = SSL_AD_UNEXPECTED_MESSAGE;\n return ssl_open_record_error;\n }\n\n CBS cbs = data, record_numbers;\n if (!CBS_get_u16_length_prefixed(&cbs, &record_numbers) ||\n CBS_len(&cbs) != 0) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);\n *out_alert = SSL_AD_DECODE_ERROR;\n return ssl_open_record_error;\n }\n\n while (CBS_len(&record_numbers) != 0) {\n uint64_t epoch, seq;\n if (!CBS_get_u64(&record_numbers, &epoch) ||\n !CBS_get_u64(&record_numbers, &seq)) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);\n *out_alert = SSL_AD_DECODE_ERROR;\n return ssl_open_record_error;\n }\n\n // During the handshake, records must be ACKed at the same or higher epoch.\n // See https://www.rfc-editor.org/errata/eid8108. Additionally, if the\n // record does not fit in DTLSRecordNumber, it is definitely not a record\n // number that we sent.\n if ((ack_record_number.epoch() < ssl_encryption_application &&\n epoch > ack_record_number.epoch()) ||\n epoch > UINT16_MAX || seq > DTLSRecordNumber::kMaxSequence) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);\n *out_alert = SSL_AD_ILLEGAL_PARAMETER;\n return ssl_open_record_error;\n }\n\n // Find the sent record that matches this ACK.\n DTLSRecordNumber number(static_cast(epoch), seq);\n DTLSSentRecord *sent_record = nullptr;\n if (ssl->d1->sent_records != nullptr) {\n for (size_t i = 0; i < ssl->d1->sent_records->size(); i++) {\n if ((*ssl->d1->sent_records)[i].number == number) {\n sent_record = &(*ssl->d1->sent_records)[i];\n break;\n }\n }\n }\n if (sent_record == nullptr) {\n // We may have sent this record and forgotten it, so this is not an error.\n continue;\n }\n\n // Mark each message as ACKed.\n if (sent_record->first_msg == sent_record->last_msg) {\n ssl->d1->outgoing_messages[sent_record->first_msg].acked.MarkRange(\n sent_record->first_msg_start, sent_record->last_msg_end);\n } else {\n ssl->d1->outgoing_messages[sent_record->first_msg].acked.MarkRange(\n sent_record->first_msg_start, SIZE_MAX);\n for (size_t i = size_t{sent_record->first_msg} + 1;\n i < sent_record->last_msg; i++) {\n ssl->d1->outgoing_messages[i].acked.MarkRange(0, SIZE_MAX);\n }\n if (sent_record->last_msg_end != 0) {\n ssl->d1->outgoing_messages[sent_record->last_msg].acked.MarkRange(\n 0, sent_record->last_msg_end);\n }\n }\n\n // Clear the state so we don't bother re-marking the messages next time.\n sent_record->first_msg = 0;\n sent_record->first_msg_start = 0;\n sent_record->last_msg = 0;\n sent_record->last_msg_end = 0;\n }\n\n // If the outgoing flight is now fully ACKed, we are done retransmitting.\n if (std::all_of(ssl->d1->outgoing_messages.begin(),\n ssl->d1->outgoing_messages.end(),\n [](const auto &msg) { return msg.IsFullyAcked(); })) {\n dtls1_stop_timer(ssl);\n dtls_clear_outgoing_messages(ssl);\n\n // DTLS 1.3 defers the key update to when the message is ACKed.\n if (ssl->s3->key_update_pending) {\n if (!tls13_rotate_traffic_key(ssl, evp_aead_seal)) {\n return ssl_open_record_error;\n }\n ssl->s3->key_update_pending = false;\n }\n\n // Check for deferred messages.\n if (ssl->d1->queued_key_update != QueuedKeyUpdate::kNone) {\n int request_type =\n ssl->d1->queued_key_update == QueuedKeyUpdate::kUpdateRequested\n ? SSL_KEY_UPDATE_REQUESTED\n : SSL_KEY_UPDATE_NOT_REQUESTED;\n ssl->d1->queued_key_update = QueuedKeyUpdate::kNone;\n if (!tls13_add_key_update(ssl, request_type)) {\n return ssl_open_record_error;\n }\n }\n } else {\n // We may still be able to drop unused write epochs.\n dtls_clear_unused_write_epochs(ssl);\n\n // TODO(crbug.com/42290594): Schedule a retransmit. The peer will have\n // waited before sending the ACK, so a partial ACK suggests packet loss.\n }\n\n ssl_do_msg_callback(ssl, /*is_write=*/0, SSL3_RT_ACK, data);\n return ssl_open_record_discard;\n}\n\nssl_open_record_t dtls1_open_app_data(SSL *ssl, Span *out,\n size_t *out_consumed, uint8_t *out_alert,\n Span in) {\n assert(!SSL_in_init(ssl));\n\n uint8_t type;\n DTLSRecordNumber record_number;\n Span record;\n auto ret = dtls_open_record(ssl, &type, &record_number, &record, out_consumed,\n out_alert, in);\n if (ret != ssl_open_record_success) {\n return ret;\n }\n\n if (type == SSL3_RT_HANDSHAKE) {\n // Process handshake fragments for DTLS 1.3 post-handshake messages.\n if (ssl_protocol_version(ssl) >= TLS1_3_VERSION) {\n if (!dtls1_process_handshake_fragments(ssl, out_alert, record_number,\n record)) {\n return ssl_open_record_error;\n }\n return ssl_open_record_discard;\n }\n\n // Parse the first fragment header to determine if this is a pre-CCS or\n // post-CCS handshake record. DTLS resets handshake message numbers on each\n // handshake, so renegotiations and retransmissions are ambiguous.\n //\n // TODO(crbug.com/42290594): Move this logic into\n // |dtls1_process_handshake_fragments| and integrate it into DTLS 1.3\n // retransmit conditions.\n CBS cbs, body;\n struct hm_header_st msg_hdr;\n CBS_init(&cbs, record.data(), record.size());\n if (!dtls1_parse_fragment(&cbs, &msg_hdr, &body)) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_HANDSHAKE_RECORD);\n *out_alert = SSL_AD_DECODE_ERROR;\n return ssl_open_record_error;\n }\n\n if (msg_hdr.type == SSL3_MT_FINISHED &&\n msg_hdr.seq == ssl->d1->handshake_read_seq - 1) {\n if (!ssl->d1->sending_flight && msg_hdr.frag_off == 0) {\n // Retransmit our last flight of messages. If the peer sends the second\n // Finished, they may not have received ours. Only do this for the\n // first fragment, in case the Finished was fragmented.\n //\n // This is not really a timeout, but increment the timeout count so we\n // eventually give up.\n ssl->d1->num_timeouts++;\n ssl->d1->sending_flight = true;\n }\n return ssl_open_record_discard;\n }\n\n // Otherwise, this is a pre-CCS handshake message from an unsupported\n // renegotiation attempt. Fall through to the error path.\n }\n\n if (type == SSL3_RT_ACK) {\n return dtls1_process_ack(ssl, out_alert, record_number, record);\n }\n\n if (type != SSL3_RT_APPLICATION_DATA) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_RECORD);\n *out_alert = SSL_AD_UNEXPECTED_MESSAGE;\n return ssl_open_record_error;\n }\n\n if (record.empty()) {\n return ssl_open_record_discard;\n }\n\n *out = record;\n return ssl_open_record_success;\n}\n\nint dtls1_write_app_data(SSL *ssl, bool *out_needs_handshake,\n size_t *out_bytes_written, Span in) {\n assert(!SSL_in_init(ssl));\n *out_needs_handshake = false;\n\n if (ssl->s3->write_shutdown != ssl_shutdown_none) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_PROTOCOL_IS_SHUTDOWN);\n return -1;\n }\n\n // DTLS does not split the input across records.\n if (in.size() > SSL3_RT_MAX_PLAIN_LENGTH) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_DTLS_MESSAGE_TOO_BIG);\n return -1;\n }\n\n if (in.empty()) {\n *out_bytes_written = 0;\n return 1;\n }\n\n // TODO(crbug.com/381113363): Use the 0-RTT epoch if writing 0-RTT.\n int ret = dtls1_write_record(ssl, SSL3_RT_APPLICATION_DATA, in,\n ssl->d1->write_epoch.epoch());\n if (ret <= 0) {\n return ret;\n }\n *out_bytes_written = in.size();\n return 1;\n}\n\nint dtls1_write_record(SSL *ssl, int type, Span in,\n uint16_t epoch) {\n SSLBuffer *buf = &ssl->s3->write_buffer;\n assert(in.size() <= SSL3_RT_MAX_PLAIN_LENGTH);\n // There should never be a pending write buffer in DTLS. One can't write half\n // a datagram, so the write buffer is always dropped in\n // |ssl_write_buffer_flush|.\n assert(buf->empty());\n\n if (in.size() > SSL3_RT_MAX_PLAIN_LENGTH) {\n OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);\n return -1;\n }\n\n DTLSRecordNumber record_number;\n size_t ciphertext_len;\n if (!buf->EnsureCap(dtls_seal_prefix_len(ssl, epoch),\n in.size() + SSL_max_seal_overhead(ssl)) ||\n !dtls_seal_record(ssl, &record_number, buf->remaining().data(),\n &ciphertext_len, buf->remaining().size(), type,\n in.data(), in.size(), epoch)) {\n buf->Clear();\n return -1;\n }\n buf->DidWrite(ciphertext_len);\n\n int ret = ssl_write_buffer_flush(ssl);\n if (ret <= 0) {\n return ret;\n }\n return 1;\n}\n\nint dtls1_dispatch_alert(SSL *ssl) {\n int ret = dtls1_write_record(ssl, SSL3_RT_ALERT, ssl->s3->send_alert,\n ssl->d1->write_epoch.epoch());\n if (ret <= 0) {\n return ret;\n }\n ssl->s3->alert_dispatch = false;\n\n // If the alert is fatal, flush the BIO now.\n if (ssl->s3->send_alert[0] == SSL3_AL_FATAL) {\n BIO_flush(ssl->wbio.get());\n }\n\n ssl_do_msg_callback(ssl, 1 /* write */, SSL3_RT_ALERT, ssl->s3->send_alert);\n\n int alert = (ssl->s3->send_alert[0] << 8) | ssl->s3->send_alert[1];\n ssl_do_info_callback(ssl, SSL_CB_WRITE_ALERT, alert);\n\n return 1;\n}\n\nBSSL_NAMESPACE_END\n" }, { "path": "Sources/CNIOBoringSSL/ssl/d1_srtp.cc", "content": "/*\n * Copyright 2011-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n/*\n DTLS code by Eric Rescorla \n\n Copyright (C) 2006, Network Resonance, Inc.\n Copyright (C) 2011, RTFM, Inc.\n*/\n\n#include \n\n#include \n\n#include \n#include \n\n#include \"internal.h\"\n\n\nusing namespace bssl;\n\nstatic const SRTP_PROTECTION_PROFILE kSRTPProfiles[] = {\n {\"SRTP_AES128_CM_SHA1_80\", SRTP_AES128_CM_SHA1_80},\n {\"SRTP_AES128_CM_SHA1_32\", SRTP_AES128_CM_SHA1_32},\n {\"SRTP_AEAD_AES_128_GCM\", SRTP_AEAD_AES_128_GCM},\n {\"SRTP_AEAD_AES_256_GCM\", SRTP_AEAD_AES_256_GCM},\n {0, 0},\n};\n\nstatic int find_profile_by_name(const char *profile_name,\n const SRTP_PROTECTION_PROFILE **pptr,\n size_t len) {\n const SRTP_PROTECTION_PROFILE *p = kSRTPProfiles;\n while (p->name) {\n if (len == strlen(p->name) && !strncmp(p->name, profile_name, len)) {\n *pptr = p;\n return 1;\n }\n\n p++;\n }\n\n return 0;\n}\n\nstatic int ssl_ctx_make_profiles(\n const char *profiles_string,\n UniquePtr *out) {\n UniquePtr profiles(\n sk_SRTP_PROTECTION_PROFILE_new_null());\n if (profiles == nullptr) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_SRTP_COULD_NOT_ALLOCATE_PROFILES);\n return 0;\n }\n\n const char *col;\n const char *ptr = profiles_string;\n do {\n col = strchr(ptr, ':');\n\n const SRTP_PROTECTION_PROFILE *profile;\n if (!find_profile_by_name(ptr, &profile,\n col ? (size_t)(col - ptr) : strlen(ptr))) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_SRTP_UNKNOWN_PROTECTION_PROFILE);\n return 0;\n }\n\n if (!sk_SRTP_PROTECTION_PROFILE_push(profiles.get(), profile)) {\n return 0;\n }\n\n if (col) {\n ptr = col + 1;\n }\n } while (col);\n\n *out = std::move(profiles);\n return 1;\n}\n\nint SSL_CTX_set_srtp_profiles(SSL_CTX *ctx, const char *profiles) {\n return ssl_ctx_make_profiles(profiles, &ctx->srtp_profiles);\n}\n\nint SSL_set_srtp_profiles(SSL *ssl, const char *profiles) {\n return ssl->config != nullptr &&\n ssl_ctx_make_profiles(profiles, &ssl->config->srtp_profiles);\n}\n\nconst STACK_OF(SRTP_PROTECTION_PROFILE) *SSL_get_srtp_profiles(const SSL *ssl) {\n if (ssl == nullptr) {\n return nullptr;\n }\n\n if (ssl->config == nullptr) {\n assert(0);\n return nullptr;\n }\n\n return ssl->config->srtp_profiles != nullptr\n ? ssl->config->srtp_profiles.get()\n : ssl->ctx->srtp_profiles.get();\n}\n\nconst SRTP_PROTECTION_PROFILE *SSL_get_selected_srtp_profile(SSL *ssl) {\n return ssl->s3->srtp_profile;\n}\n\nint SSL_CTX_set_tlsext_use_srtp(SSL_CTX *ctx, const char *profiles) {\n // This API inverts its return value.\n return !SSL_CTX_set_srtp_profiles(ctx, profiles);\n}\n\nint SSL_set_tlsext_use_srtp(SSL *ssl, const char *profiles) {\n // This API inverts its return value.\n return !SSL_set_srtp_profiles(ssl, profiles);\n}\n" }, { "path": "Sources/CNIOBoringSSL/ssl/dtls_method.cc", "content": "/*\n * Copyright 2005-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n#include \n\n#include \n\n#include \"../crypto/internal.h\"\n#include \"internal.h\"\n\n\nusing namespace bssl;\n\nstatic void dtls1_on_handshake_complete(SSL *ssl) {\n if (ssl_protocol_version(ssl) <= TLS1_2_VERSION) {\n // Stop the reply timer left by the last flight we sent. In DTLS 1.2, the\n // retransmission timer ends when the handshake completes. If we sent the\n // final flight, we may still need to retransmit it, but that is driven by\n // messages from the peer.\n dtls1_stop_timer(ssl);\n // If the final flight had a reply, we know the peer has received it. If\n // not, we must leave the flight around for post-handshake retransmission.\n if (ssl->d1->flight_has_reply) {\n dtls_clear_outgoing_messages(ssl);\n }\n }\n}\n\nstatic bool next_epoch(const SSL *ssl, uint16_t *out,\n ssl_encryption_level_t level, uint16_t prev) {\n switch (level) {\n case ssl_encryption_initial:\n case ssl_encryption_early_data:\n case ssl_encryption_handshake:\n *out = static_cast(level);\n return true;\n\n case ssl_encryption_application:\n if (prev < ssl_encryption_application &&\n ssl_protocol_version(ssl) >= TLS1_3_VERSION) {\n *out = static_cast(level);\n return true;\n }\n\n if (prev == 0xffff) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_TOO_MANY_KEY_UPDATES);\n return false;\n }\n *out = prev + 1;\n return true;\n }\n\n assert(0);\n return false;\n}\n\nstatic bool dtls1_set_read_state(SSL *ssl, ssl_encryption_level_t level,\n UniquePtr aead_ctx,\n Span traffic_secret) {\n // Cipher changes are forbidden if the current epoch has leftover data.\n if (dtls_has_unprocessed_handshake_data(ssl)) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_EXCESS_HANDSHAKE_DATA);\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);\n return false;\n }\n\n DTLSReadEpoch new_epoch;\n new_epoch.aead = std::move(aead_ctx);\n if (!next_epoch(ssl, &new_epoch.epoch, level, ssl->d1->read_epoch.epoch)) {\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);\n return false;\n }\n\n if (ssl_protocol_version(ssl) > TLS1_2_VERSION) {\n new_epoch.rn_encrypter =\n RecordNumberEncrypter::Create(new_epoch.aead->cipher(), traffic_secret);\n if (new_epoch.rn_encrypter == nullptr) {\n return false;\n }\n\n // In DTLS 1.3, new read epochs are not applied immediately. In principle,\n // we could do the same in DTLS 1.2, but we would ignore every record from\n // the previous epoch anyway.\n assert(ssl->d1->next_read_epoch == nullptr);\n ssl->d1->next_read_epoch = MakeUnique(std::move(new_epoch));\n if (ssl->d1->next_read_epoch == nullptr) {\n return false;\n }\n } else {\n ssl->d1->read_epoch = std::move(new_epoch);\n ssl->d1->has_change_cipher_spec = false;\n }\n return true;\n}\n\nstatic bool dtls1_set_write_state(SSL *ssl, ssl_encryption_level_t level,\n UniquePtr aead_ctx,\n Span traffic_secret) {\n uint16_t epoch;\n if (!next_epoch(ssl, &epoch, level, ssl->d1->write_epoch.epoch())) {\n return false;\n }\n\n DTLSWriteEpoch new_epoch;\n new_epoch.aead = std::move(aead_ctx);\n new_epoch.next_record = DTLSRecordNumber(epoch, 0);\n if (ssl_protocol_version(ssl) > TLS1_2_VERSION) {\n new_epoch.rn_encrypter =\n RecordNumberEncrypter::Create(new_epoch.aead->cipher(), traffic_secret);\n if (new_epoch.rn_encrypter == nullptr) {\n return false;\n }\n }\n\n auto current = MakeUnique(std::move(ssl->d1->write_epoch));\n if (current == nullptr) {\n return false;\n }\n\n ssl->d1->write_epoch = std::move(new_epoch);\n ssl->d1->extra_write_epochs.PushBack(std::move(current));\n dtls_clear_unused_write_epochs(ssl);\n return true;\n}\n\nstatic const SSL_PROTOCOL_METHOD kDTLSProtocolMethod = {\n true /* is_dtls */,\n dtls1_new,\n dtls1_free,\n dtls1_get_message,\n dtls1_next_message,\n dtls_has_unprocessed_handshake_data,\n dtls1_open_handshake,\n dtls1_open_change_cipher_spec,\n dtls1_open_app_data,\n dtls1_write_app_data,\n dtls1_dispatch_alert,\n dtls1_init_message,\n dtls1_finish_message,\n dtls1_add_message,\n dtls1_add_change_cipher_spec,\n dtls1_finish_flight,\n dtls1_schedule_ack,\n dtls1_flush,\n dtls1_on_handshake_complete,\n dtls1_set_read_state,\n dtls1_set_write_state,\n};\n\nconst SSL_METHOD *DTLS_method(void) {\n static const SSL_METHOD kMethod = {\n 0,\n &kDTLSProtocolMethod,\n &ssl_crypto_x509_method,\n };\n return &kMethod;\n}\n\nconst SSL_METHOD *DTLS_with_buffers_method(void) {\n static const SSL_METHOD kMethod = {\n 0,\n &kDTLSProtocolMethod,\n &ssl_noop_x509_method,\n };\n return &kMethod;\n}\n\n// Legacy version-locked methods.\n\nconst SSL_METHOD *DTLSv1_2_method(void) {\n static const SSL_METHOD kMethod = {\n DTLS1_2_VERSION,\n &kDTLSProtocolMethod,\n &ssl_crypto_x509_method,\n };\n return &kMethod;\n}\n\nconst SSL_METHOD *DTLSv1_method(void) {\n static const SSL_METHOD kMethod = {\n DTLS1_VERSION,\n &kDTLSProtocolMethod,\n &ssl_crypto_x509_method,\n };\n return &kMethod;\n}\n\n// Legacy side-specific methods.\n\nconst SSL_METHOD *DTLSv1_2_server_method(void) { return DTLSv1_2_method(); }\n\nconst SSL_METHOD *DTLSv1_server_method(void) { return DTLSv1_method(); }\n\nconst SSL_METHOD *DTLSv1_2_client_method(void) { return DTLSv1_2_method(); }\n\nconst SSL_METHOD *DTLSv1_client_method(void) { return DTLSv1_method(); }\n\nconst SSL_METHOD *DTLS_server_method(void) { return DTLS_method(); }\n\nconst SSL_METHOD *DTLS_client_method(void) { return DTLS_method(); }\n" }, { "path": "Sources/CNIOBoringSSL/ssl/dtls_record.cc", "content": "/*\n * Copyright 2005-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n#include \n\n#include \n#include \n\n#include \"../crypto/internal.h\"\n#include \"internal.h\"\n\n\nBSSL_NAMESPACE_BEGIN\n\nbool DTLSReplayBitmap::ShouldDiscard(uint64_t seq_num) const {\n const size_t kWindowSize = map_.size();\n\n if (seq_num > max_seq_num_) {\n return false;\n }\n uint64_t idx = max_seq_num_ - seq_num;\n return idx >= kWindowSize || map_[idx];\n}\n\nvoid DTLSReplayBitmap::Record(uint64_t seq_num) {\n const size_t kWindowSize = map_.size();\n\n // Shift the window if necessary.\n if (seq_num > max_seq_num_) {\n uint64_t shift = seq_num - max_seq_num_;\n if (shift >= kWindowSize) {\n map_.reset();\n } else {\n map_ <<= shift;\n }\n max_seq_num_ = seq_num;\n }\n\n uint64_t idx = max_seq_num_ - seq_num;\n if (idx < kWindowSize) {\n map_[idx] = true;\n }\n}\n\nstatic uint16_t dtls_record_version(const SSL *ssl) {\n if (ssl->s3->version == 0) {\n // Before the version is determined, outgoing records use dTLS 1.0 for\n // historical compatibility requirements.\n return DTLS1_VERSION;\n }\n // DTLS 1.3 freezes the record version at DTLS 1.2. Previous ones use the\n // version itself.\n return ssl_protocol_version(ssl) >= TLS1_3_VERSION ? DTLS1_2_VERSION\n : ssl->s3->version;\n}\n\nstatic uint64_t dtls_aead_sequence(const SSL *ssl, DTLSRecordNumber num) {\n // DTLS 1.3 uses the sequence number with the AEAD, while DTLS 1.2 uses the\n // combined value. If the version is not known, the epoch is unencrypted and\n // the value is ignored.\n return (ssl->s3->version != 0 && ssl_protocol_version(ssl) >= TLS1_3_VERSION)\n ? num.sequence()\n : num.combined();\n}\n\n// reconstruct_epoch finds the largest epoch that ends with the epoch bits from\n// |wire_epoch| that is less than or equal to |current_epoch|, to match the\n// epoch reconstruction algorithm described in RFC 9147 section 4.2.2.\nstatic uint16_t reconstruct_epoch(uint8_t wire_epoch, uint16_t current_epoch) {\n uint16_t current_epoch_high = current_epoch & 0xfffc;\n uint16_t epoch = (wire_epoch & 0x3) | current_epoch_high;\n if (epoch > current_epoch && current_epoch_high > 0) {\n epoch -= 0x4;\n }\n return epoch;\n}\n\nuint64_t reconstruct_seqnum(uint16_t wire_seq, uint64_t seq_mask,\n uint64_t max_valid_seqnum) {\n // Although DTLS 1.3 can support sequence numbers up to 2^64-1, we continue to\n // enforce the DTLS 1.2 2^48-1 limit. With a minimal DTLS 1.3 record header (2\n // bytes), no payload, and 16 byte AEAD overhead, sending 2^48 records would\n // require 5 petabytes. This allows us to continue to pack a DTLS record\n // number into an 8-byte structure.\n assert(max_valid_seqnum <= DTLSRecordNumber::kMaxSequence);\n assert(seq_mask == 0xff || seq_mask == 0xffff);\n\n uint64_t max_seqnum_plus_one = max_valid_seqnum + 1;\n uint64_t diff = (wire_seq - max_seqnum_plus_one) & seq_mask;\n uint64_t step = seq_mask + 1;\n // This addition cannot overflow. It is at most 2^48 + seq_mask. It, however,\n // may exceed 2^48-1.\n uint64_t seqnum = max_seqnum_plus_one + diff;\n bool too_large = seqnum > DTLSRecordNumber::kMaxSequence;\n // If the diff is larger than half the step size, then the closest seqnum\n // to max_seqnum_plus_one (in Z_{2^64}) is seqnum minus step instead of\n // seqnum.\n bool closer_is_less = diff > step / 2;\n // Subtracting step from seqnum will cause underflow if seqnum is too small.\n bool would_underflow = seqnum < step;\n if (too_large || (closer_is_less && !would_underflow)) {\n seqnum -= step;\n }\n assert(seqnum <= DTLSRecordNumber::kMaxSequence);\n return seqnum;\n}\n\nstatic Span cbs_to_writable_bytes(CBS cbs) {\n return Span(const_cast(CBS_data(&cbs)), CBS_len(&cbs));\n}\n\nstruct ParsedDTLSRecord {\n // read_epoch will be null if the record is for an unrecognized epoch. In that\n // case, |number| may be unset.\n DTLSReadEpoch *read_epoch = nullptr;\n DTLSRecordNumber number;\n CBS header, body;\n uint8_t type = 0;\n uint16_t version = 0;\n};\n\nstatic bool use_dtls13_record_header(const SSL *ssl, uint16_t epoch) {\n // Plaintext records in DTLS 1.3 also use the DTLSPlaintext structure for\n // backwards compatibility.\n return ssl->s3->version != 0 && ssl_protocol_version(ssl) > TLS1_2_VERSION &&\n epoch > 0;\n}\n\nstatic bool parse_dtls13_record(SSL *ssl, CBS *in, ParsedDTLSRecord *out) {\n if (out->type & 0x10) {\n // Connection ID bit set, which we didn't negotiate.\n return false;\n }\n\n uint16_t max_epoch = ssl->d1->read_epoch.epoch;\n if (ssl->d1->next_read_epoch != nullptr) {\n max_epoch = std::max(max_epoch, ssl->d1->next_read_epoch->epoch);\n }\n uint16_t epoch = reconstruct_epoch(out->type, max_epoch);\n size_t seq_len = (out->type & 0x08) ? 2 : 1;\n CBS seq_bytes;\n if (!CBS_get_bytes(in, &seq_bytes, seq_len)) {\n return false;\n }\n if (out->type & 0x04) {\n // 16-bit length present\n if (!CBS_get_u16_length_prefixed(in, &out->body)) {\n return false;\n }\n } else {\n // No length present - the remaining contents are the whole packet.\n // CBS_get_bytes is used here to advance |in| to the end so that future\n // code that computes the number of consumed bytes functions correctly.\n BSSL_CHECK(CBS_get_bytes(in, &out->body, CBS_len(in)));\n }\n\n // Drop the previous read epoch if expired.\n if (ssl->d1->prev_read_epoch != nullptr &&\n ssl_ctx_get_current_time(ssl->ctx.get()).tv_sec >\n ssl->d1->prev_read_epoch->expire) {\n ssl->d1->prev_read_epoch = nullptr;\n }\n\n // Look up the corresponding epoch. This header form only matches encrypted\n // DTLS 1.3 epochs.\n DTLSReadEpoch *read_epoch = nullptr;\n if (epoch == ssl->d1->read_epoch.epoch) {\n read_epoch = &ssl->d1->read_epoch;\n } else if (ssl->d1->next_read_epoch != nullptr &&\n epoch == ssl->d1->next_read_epoch->epoch) {\n read_epoch = ssl->d1->next_read_epoch.get();\n } else if (ssl->d1->prev_read_epoch != nullptr &&\n epoch == ssl->d1->prev_read_epoch->epoch.epoch) {\n read_epoch = &ssl->d1->prev_read_epoch->epoch;\n }\n if (read_epoch != nullptr && use_dtls13_record_header(ssl, epoch)) {\n out->read_epoch = read_epoch;\n\n // Decrypt and reconstruct the sequence number:\n uint8_t mask[2];\n if (!read_epoch->rn_encrypter->GenerateMask(mask, out->body)) {\n // GenerateMask most likely failed because the record body was not long\n // enough.\n return false;\n }\n // Apply the mask to the sequence number in-place. The header (with the\n // decrypted sequence number bytes) is used as the additional data for the\n // AEAD function.\n auto writable_seq = cbs_to_writable_bytes(seq_bytes);\n uint64_t seq = 0;\n for (size_t i = 0; i < writable_seq.size(); i++) {\n writable_seq[i] ^= mask[i];\n seq = (seq << 8) | writable_seq[i];\n }\n uint64_t full_seq = reconstruct_seqnum(seq, (1 << (seq_len * 8)) - 1,\n read_epoch->bitmap.max_seq_num());\n out->number = DTLSRecordNumber(epoch, full_seq);\n }\n\n return true;\n}\n\nstatic bool parse_dtls12_record(SSL *ssl, CBS *in, ParsedDTLSRecord *out) {\n uint64_t epoch_and_seq;\n if (!CBS_get_u16(in, &out->version) || //\n !CBS_get_u64(in, &epoch_and_seq) ||\n !CBS_get_u16_length_prefixed(in, &out->body)) {\n return false;\n }\n out->number = DTLSRecordNumber::FromCombined(epoch_and_seq);\n\n uint16_t epoch = out->number.epoch();\n bool version_ok;\n if (epoch == 0) {\n // Only check the first byte. Enforcing beyond that can prevent decoding\n // version negotiation failure alerts.\n version_ok = (out->version >> 8) == DTLS1_VERSION_MAJOR;\n } else {\n version_ok = out->version == dtls_record_version(ssl);\n }\n if (!version_ok) {\n return false;\n }\n\n // Look up the corresponding epoch. In DTLS 1.2, we only need to consider one\n // epoch.\n if (epoch == ssl->d1->read_epoch.epoch &&\n !use_dtls13_record_header(ssl, epoch)) {\n out->read_epoch = &ssl->d1->read_epoch;\n }\n\n return true;\n}\n\nstatic bool parse_dtls_record(SSL *ssl, CBS *cbs, ParsedDTLSRecord *out) {\n CBS copy = *cbs;\n if (!CBS_get_u8(cbs, &out->type)) {\n return false;\n }\n\n bool ok;\n if ((out->type & 0xe0) == 0x20) {\n ok = parse_dtls13_record(ssl, cbs, out);\n } else {\n ok = parse_dtls12_record(ssl, cbs, out);\n }\n if (!ok) {\n return false;\n }\n\n if (CBS_len(&out->body) > SSL3_RT_MAX_ENCRYPTED_LENGTH) {\n return false;\n }\n\n size_t header_len = CBS_data(&out->body) - CBS_data(©);\n BSSL_CHECK(CBS_get_bytes(©, &out->header, header_len));\n return true;\n}\n\nenum ssl_open_record_t dtls_open_record(SSL *ssl, uint8_t *out_type,\n DTLSRecordNumber *out_number,\n Span *out,\n size_t *out_consumed,\n uint8_t *out_alert, Span in) {\n *out_consumed = 0;\n if (ssl->s3->read_shutdown == ssl_shutdown_close_notify) {\n return ssl_open_record_close_notify;\n }\n\n if (in.empty()) {\n return ssl_open_record_partial;\n }\n\n CBS cbs(in);\n ParsedDTLSRecord record;\n if (!parse_dtls_record(ssl, &cbs, &record)) {\n // The record header was incomplete or malformed. Drop the entire packet.\n *out_consumed = in.size();\n return ssl_open_record_discard;\n }\n\n ssl_do_msg_callback(ssl, 0 /* read */, SSL3_RT_HEADER, record.header);\n\n if (record.read_epoch == nullptr ||\n record.read_epoch->bitmap.ShouldDiscard(record.number.sequence())) {\n // Drop this record. It's from an unknown epoch or is a replay. Note that if\n // the record is from next epoch, it could be buffered for later. For\n // simplicity, drop it and expect retransmit to handle it later; DTLS must\n // handle packet loss anyway.\n *out_consumed = in.size() - CBS_len(&cbs);\n return ssl_open_record_discard;\n }\n\n // Decrypt the body in-place.\n if (!record.read_epoch->aead->Open(out, record.type, record.version,\n dtls_aead_sequence(ssl, record.number),\n record.header,\n cbs_to_writable_bytes(record.body))) {\n // Bad packets are silently dropped in DTLS. See section 4.2.1 of RFC 6347.\n // Clear the error queue of any errors decryption may have added. Drop the\n // entire packet as it must not have come from the peer.\n //\n // TODO(davidben): This doesn't distinguish malloc failures from encryption\n // failures.\n ERR_clear_error();\n *out_consumed = in.size() - CBS_len(&cbs);\n return ssl_open_record_discard;\n }\n *out_consumed = in.size() - CBS_len(&cbs);\n\n // DTLS 1.3 hides the record type inside the encrypted data.\n bool has_padding = !record.read_epoch->aead->is_null_cipher() &&\n ssl_protocol_version(ssl) >= TLS1_3_VERSION;\n // Check the plaintext length.\n size_t plaintext_limit = SSL3_RT_MAX_PLAIN_LENGTH + (has_padding ? 1 : 0);\n if (out->size() > plaintext_limit) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_DATA_LENGTH_TOO_LONG);\n *out_alert = SSL_AD_RECORD_OVERFLOW;\n return ssl_open_record_error;\n }\n\n if (has_padding) {\n do {\n if (out->empty()) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC);\n *out_alert = SSL_AD_DECRYPT_ERROR;\n return ssl_open_record_error;\n }\n record.type = out->back();\n *out = out->subspan(0, out->size() - 1);\n } while (record.type == 0);\n }\n\n record.read_epoch->bitmap.Record(record.number.sequence());\n\n // Once we receive a record from the next epoch in DTLS 1.3, it becomes the\n // current epoch. Also save the previous epoch. This allows us to handle\n // packet reordering on KeyUpdate, as well as ACK retransmissions of the\n // Finished flight.\n if (record.read_epoch == ssl->d1->next_read_epoch.get()) {\n assert(ssl_protocol_version(ssl) >= TLS1_3_VERSION);\n auto prev = MakeUnique();\n if (prev == nullptr) {\n *out_alert = SSL_AD_INTERNAL_ERROR;\n return ssl_open_record_error;\n }\n\n // Release the epoch after a timeout.\n prev->expire = ssl_ctx_get_current_time(ssl->ctx.get()).tv_sec;\n if (prev->expire >= UINT64_MAX - DTLS_PREV_READ_EPOCH_EXPIRE_SECONDS) {\n prev->expire = UINT64_MAX; // Saturate on overflow.\n } else {\n prev->expire += DTLS_PREV_READ_EPOCH_EXPIRE_SECONDS;\n }\n\n prev->epoch = std::move(ssl->d1->read_epoch);\n ssl->d1->prev_read_epoch = std::move(prev);\n ssl->d1->read_epoch = std::move(*ssl->d1->next_read_epoch);\n ssl->d1->next_read_epoch = nullptr;\n }\n\n // TODO(davidben): Limit the number of empty records as in TLS? This is only\n // useful if we also limit discarded packets.\n\n if (record.type == SSL3_RT_ALERT) {\n return ssl_process_alert(ssl, out_alert, *out);\n }\n\n // Reject application data in epochs that do not allow it.\n if (record.type == SSL3_RT_APPLICATION_DATA) {\n bool app_data_allowed;\n if (ssl->s3->version != 0 && ssl_protocol_version(ssl) >= TLS1_3_VERSION) {\n // Application data is allowed in 0-RTT (epoch 1) and after the handshake\n // (3 and up).\n app_data_allowed =\n record.number.epoch() == 1 || record.number.epoch() >= 3;\n } else {\n // Application data is allowed starting epoch 1.\n app_data_allowed = record.number.epoch() >= 1;\n }\n if (!app_data_allowed) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_RECORD);\n *out_alert = SSL_AD_UNEXPECTED_MESSAGE;\n return ssl_open_record_error;\n }\n }\n\n ssl->s3->warning_alert_count = 0;\n\n *out_type = record.type;\n *out_number = record.number;\n return ssl_open_record_success;\n}\n\nstatic DTLSWriteEpoch *get_write_epoch(const SSL *ssl, uint16_t epoch) {\n if (ssl->d1->write_epoch.epoch() == epoch) {\n return &ssl->d1->write_epoch;\n }\n for (const auto &e : ssl->d1->extra_write_epochs) {\n if (e->epoch() == epoch) {\n return e.get();\n }\n }\n return nullptr;\n}\n\nsize_t dtls_record_header_write_len(const SSL *ssl, uint16_t epoch) {\n if (!use_dtls13_record_header(ssl, epoch)) {\n return DTLS_PLAINTEXT_RECORD_HEADER_LENGTH;\n }\n // The DTLS 1.3 has a variable length record header. We never send Connection\n // ID, we always send 16-bit sequence numbers, and we send a length. (Length\n // can be omitted, but only for the last record of a packet. Since we send\n // multiple records in one packet, it's easier to implement always sending the\n // length.)\n return DTLS1_3_RECORD_HEADER_WRITE_LENGTH;\n}\n\nsize_t dtls_max_seal_overhead(const SSL *ssl, uint16_t epoch) {\n DTLSWriteEpoch *write_epoch = get_write_epoch(ssl, epoch);\n if (write_epoch == nullptr) {\n return 0;\n }\n size_t ret = dtls_record_header_write_len(ssl, epoch) +\n write_epoch->aead->MaxOverhead();\n if (use_dtls13_record_header(ssl, epoch)) {\n // Add 1 byte for the encrypted record type.\n ret++;\n }\n return ret;\n}\n\nsize_t dtls_seal_prefix_len(const SSL *ssl, uint16_t epoch) {\n DTLSWriteEpoch *write_epoch = get_write_epoch(ssl, epoch);\n if (write_epoch == nullptr) {\n return 0;\n }\n return dtls_record_header_write_len(ssl, epoch) +\n write_epoch->aead->ExplicitNonceLen();\n}\n\nsize_t dtls_seal_max_input_len(const SSL *ssl, uint16_t epoch, size_t max_out) {\n DTLSWriteEpoch *write_epoch = get_write_epoch(ssl, epoch);\n if (write_epoch == nullptr) {\n return 0;\n }\n size_t header_len = dtls_record_header_write_len(ssl, epoch);\n if (max_out <= header_len) {\n return 0;\n }\n max_out -= header_len;\n max_out = write_epoch->aead->MaxSealInputLen(max_out);\n if (max_out > 0 && use_dtls13_record_header(ssl, epoch)) {\n // Remove 1 byte for the encrypted record type.\n max_out--;\n }\n return max_out;\n}\n\nbool dtls_seal_record(SSL *ssl, DTLSRecordNumber *out_number, uint8_t *out,\n size_t *out_len, size_t max_out, uint8_t type,\n const uint8_t *in, size_t in_len, uint16_t epoch) {\n const size_t prefix = dtls_seal_prefix_len(ssl, epoch);\n if (buffers_alias(in, in_len, out, max_out) &&\n (max_out < prefix || out + prefix != in)) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_OUTPUT_ALIASES_INPUT);\n return false;\n }\n\n // Determine the parameters for the current epoch.\n DTLSWriteEpoch *write_epoch = get_write_epoch(ssl, epoch);\n if (write_epoch == nullptr) {\n OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);\n return false;\n }\n\n const size_t record_header_len = dtls_record_header_write_len(ssl, epoch);\n\n // Ensure the sequence number update does not overflow.\n DTLSRecordNumber record_number = write_epoch->next_record;\n if (!record_number.HasNext()) {\n OPENSSL_PUT_ERROR(SSL, ERR_R_OVERFLOW);\n return false;\n }\n\n bool dtls13_header = use_dtls13_record_header(ssl, epoch);\n uint8_t *extra_in = NULL;\n size_t extra_in_len = 0;\n if (dtls13_header) {\n extra_in = &type;\n extra_in_len = 1;\n }\n\n size_t ciphertext_len;\n if (!write_epoch->aead->CiphertextLen(&ciphertext_len, in_len,\n extra_in_len)) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_RECORD_TOO_LARGE);\n return false;\n }\n if (max_out < record_header_len + ciphertext_len) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_BUFFER_TOO_SMALL);\n return false;\n }\n\n uint16_t record_version = dtls_record_version(ssl);\n if (dtls13_header) {\n // The first byte of the DTLS 1.3 record header has the following format:\n // 0 1 2 3 4 5 6 7\n // +-+-+-+-+-+-+-+-+\n // |0|0|1|C|S|L|E E|\n // +-+-+-+-+-+-+-+-+\n //\n // We set C=0 (no Connection ID), S=1 (16-bit sequence number), L=1 (length\n // is present), which is a mask of 0x2c. The E E bits are the low-order two\n // bits of the epoch.\n //\n // +-+-+-+-+-+-+-+-+\n // |0|0|1|0|1|1|E E|\n // +-+-+-+-+-+-+-+-+\n out[0] = 0x2c | (epoch & 0x3);\n // We always use a two-byte sequence number. A one-byte sequence number\n // would require coordinating with the application on ACK feedback to know\n // that the peer is not too far behind.\n CRYPTO_store_u16_be(out + 1, write_epoch->next_record.sequence());\n // TODO(crbug.com/42290594): When we know the record is last in the packet,\n // omit the length.\n CRYPTO_store_u16_be(out + 3, ciphertext_len);\n } else {\n out[0] = type;\n CRYPTO_store_u16_be(out + 1, record_version);\n CRYPTO_store_u64_be(out + 3, record_number.combined());\n CRYPTO_store_u16_be(out + 11, ciphertext_len);\n }\n Span header(out, record_header_len);\n\n if (!write_epoch->aead->SealScatter(\n out + record_header_len, out + prefix, out + prefix + in_len, type,\n record_version, dtls_aead_sequence(ssl, record_number), header, in,\n in_len, extra_in, extra_in_len)) {\n return false;\n }\n\n // Perform record number encryption (RFC 9147 section 4.2.3).\n if (dtls13_header) {\n // Record number encryption uses bytes from the ciphertext as a sample to\n // generate the mask used for encryption. For simplicity, pass in the whole\n // ciphertext as the sample - GenerateRecordNumberMask will read only what\n // it needs (and error if |sample| is too short).\n Span sample(out + record_header_len, ciphertext_len);\n uint8_t mask[2];\n if (!write_epoch->rn_encrypter->GenerateMask(mask, sample)) {\n return false;\n }\n out[1] ^= mask[0];\n out[2] ^= mask[1];\n }\n\n *out_number = record_number;\n write_epoch->next_record = record_number.Next();\n *out_len = record_header_len + ciphertext_len;\n ssl_do_msg_callback(ssl, 1 /* write */, SSL3_RT_HEADER, header);\n return true;\n}\n\nBSSL_NAMESPACE_END\n" }, { "path": "Sources/CNIOBoringSSL/ssl/encrypted_client_hello.cc", "content": "/* Copyright 2021 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n#include \n\n#include \n#include \n\n#include \n#include \n\n#include \n#include \n#include \n#include \n#include \n#include \n#include \n\n#include \"internal.h\"\n\n\nBSSL_NAMESPACE_BEGIN\n\n// ECH reuses the extension code point for the version number.\nstatic constexpr uint16_t kECHConfigVersion =\n TLSEXT_TYPE_encrypted_client_hello;\n\nstatic const decltype(&EVP_hpke_aes_128_gcm) kSupportedAEADs[] = {\n &EVP_hpke_aes_128_gcm,\n &EVP_hpke_aes_256_gcm,\n &EVP_hpke_chacha20_poly1305,\n};\n\nstatic const EVP_HPKE_AEAD *get_ech_aead(uint16_t aead_id) {\n for (const auto aead_func : kSupportedAEADs) {\n const EVP_HPKE_AEAD *aead = aead_func();\n if (aead_id == EVP_HPKE_AEAD_id(aead)) {\n return aead;\n }\n }\n return nullptr;\n}\n\n// ssl_client_hello_write_without_extensions serializes |client_hello| into\n// |out|, omitting the length-prefixed extensions. It serializes individual\n// fields, starting with |client_hello->version|, and ignores the\n// |client_hello->client_hello| field. It returns true on success and false on\n// failure.\nstatic bool ssl_client_hello_write_without_extensions(\n const SSL_CLIENT_HELLO *client_hello, CBB *out) {\n CBB cbb;\n if (!CBB_add_u16(out, client_hello->version) ||\n !CBB_add_bytes(out, client_hello->random, client_hello->random_len) ||\n !CBB_add_u8_length_prefixed(out, &cbb) ||\n !CBB_add_bytes(&cbb, client_hello->session_id,\n client_hello->session_id_len)) {\n return false;\n }\n if (SSL_is_dtls(client_hello->ssl)) {\n if (!CBB_add_u8_length_prefixed(out, &cbb) ||\n !CBB_add_bytes(&cbb, client_hello->dtls_cookie,\n client_hello->dtls_cookie_len)) {\n return false;\n }\n }\n if (!CBB_add_u16_length_prefixed(out, &cbb) ||\n !CBB_add_bytes(&cbb, client_hello->cipher_suites,\n client_hello->cipher_suites_len) ||\n !CBB_add_u8_length_prefixed(out, &cbb) ||\n !CBB_add_bytes(&cbb, client_hello->compression_methods,\n client_hello->compression_methods_len) ||\n !CBB_flush(out)) {\n return false;\n }\n return true;\n}\n\nstatic bool is_valid_client_hello_inner(SSL *ssl, uint8_t *out_alert,\n Span body) {\n // See draft-ietf-tls-esni-13, section 7.1.\n SSL_CLIENT_HELLO client_hello;\n CBS extension;\n if (!ssl_client_hello_init(ssl, &client_hello, body) ||\n !ssl_client_hello_get_extension(&client_hello, &extension,\n TLSEXT_TYPE_encrypted_client_hello) ||\n CBS_len(&extension) != 1 || //\n CBS_data(&extension)[0] != ECH_CLIENT_INNER ||\n !ssl_client_hello_get_extension(&client_hello, &extension,\n TLSEXT_TYPE_supported_versions)) {\n *out_alert = SSL_AD_ILLEGAL_PARAMETER;\n OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_CLIENT_HELLO_INNER);\n return false;\n }\n // Parse supported_versions and reject TLS versions prior to TLS 1.3. Older\n // versions are incompatible with ECH.\n CBS versions;\n if (!CBS_get_u8_length_prefixed(&extension, &versions) ||\n CBS_len(&extension) != 0 || //\n CBS_len(&versions) == 0) {\n *out_alert = SSL_AD_DECODE_ERROR;\n OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);\n return false;\n }\n while (CBS_len(&versions) != 0) {\n uint16_t version;\n if (!CBS_get_u16(&versions, &version)) {\n *out_alert = SSL_AD_DECODE_ERROR;\n OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);\n return false;\n }\n if (version == SSL3_VERSION || version == TLS1_VERSION ||\n version == TLS1_1_VERSION || version == TLS1_2_VERSION ||\n version == DTLS1_VERSION || version == DTLS1_2_VERSION) {\n *out_alert = SSL_AD_ILLEGAL_PARAMETER;\n OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_CLIENT_HELLO_INNER);\n return false;\n }\n }\n return true;\n}\n\nbool ssl_decode_client_hello_inner(\n SSL *ssl, uint8_t *out_alert, Array *out_client_hello_inner,\n Span encoded_client_hello_inner,\n const SSL_CLIENT_HELLO *client_hello_outer) {\n SSL_CLIENT_HELLO client_hello_inner;\n CBS cbs = encoded_client_hello_inner;\n if (!ssl_parse_client_hello_with_trailing_data(ssl, &cbs,\n &client_hello_inner)) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);\n return false;\n }\n // The remaining data is padding.\n uint8_t padding;\n while (CBS_get_u8(&cbs, &padding)) {\n if (padding != 0) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);\n *out_alert = SSL_AD_ILLEGAL_PARAMETER;\n return false;\n }\n }\n\n // TLS 1.3 ClientHellos must have extensions, and EncodedClientHelloInners use\n // ClientHelloOuter's session_id.\n if (client_hello_inner.extensions_len == 0 ||\n client_hello_inner.session_id_len != 0) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);\n return false;\n }\n client_hello_inner.session_id = client_hello_outer->session_id;\n client_hello_inner.session_id_len = client_hello_outer->session_id_len;\n\n // Begin serializing a message containing the ClientHelloInner in |cbb|.\n ScopedCBB cbb;\n CBB body, extensions_cbb;\n if (!ssl->method->init_message(ssl, cbb.get(), &body, SSL3_MT_CLIENT_HELLO) ||\n !ssl_client_hello_write_without_extensions(&client_hello_inner, &body) ||\n !CBB_add_u16_length_prefixed(&body, &extensions_cbb)) {\n OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);\n return false;\n }\n\n auto inner_extensions =\n Span(client_hello_inner.extensions, client_hello_inner.extensions_len);\n CBS ext_list_wrapper;\n if (!ssl_client_hello_get_extension(&client_hello_inner, &ext_list_wrapper,\n TLSEXT_TYPE_ech_outer_extensions)) {\n // No ech_outer_extensions. Copy everything.\n if (!CBB_add_bytes(&extensions_cbb, inner_extensions.data(),\n inner_extensions.size())) {\n OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);\n return false;\n }\n } else {\n const size_t offset = CBS_data(&ext_list_wrapper) - inner_extensions.data();\n auto inner_extensions_before =\n inner_extensions.subspan(0, offset - 4 /* extension header */);\n auto inner_extensions_after =\n inner_extensions.subspan(offset + CBS_len(&ext_list_wrapper));\n if (!CBB_add_bytes(&extensions_cbb, inner_extensions_before.data(),\n inner_extensions_before.size())) {\n OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);\n return false;\n }\n\n // Expand ech_outer_extensions. See draft-ietf-tls-esni-13, Appendix B.\n CBS ext_list;\n if (!CBS_get_u8_length_prefixed(&ext_list_wrapper, &ext_list) ||\n CBS_len(&ext_list) == 0 || CBS_len(&ext_list_wrapper) != 0) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);\n return false;\n }\n CBS outer_extensions;\n CBS_init(&outer_extensions, client_hello_outer->extensions,\n client_hello_outer->extensions_len);\n while (CBS_len(&ext_list) != 0) {\n // Find the next extension to copy.\n uint16_t want;\n if (!CBS_get_u16(&ext_list, &want)) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);\n return false;\n }\n // The ECH extension itself is not in the AAD and may not be referenced.\n if (want == TLSEXT_TYPE_encrypted_client_hello) {\n *out_alert = SSL_AD_ILLEGAL_PARAMETER;\n OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_OUTER_EXTENSION);\n return false;\n }\n // Seek to |want| in |outer_extensions|. |ext_list| is required to match\n // ClientHelloOuter in order.\n uint16_t found;\n CBS ext_body;\n do {\n if (CBS_len(&outer_extensions) == 0) {\n *out_alert = SSL_AD_ILLEGAL_PARAMETER;\n OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_OUTER_EXTENSION);\n return false;\n }\n if (!CBS_get_u16(&outer_extensions, &found) ||\n !CBS_get_u16_length_prefixed(&outer_extensions, &ext_body)) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);\n return false;\n }\n } while (found != want);\n // Copy the extension.\n if (!CBB_add_u16(&extensions_cbb, found) ||\n !CBB_add_u16(&extensions_cbb, CBS_len(&ext_body)) ||\n !CBB_add_bytes(&extensions_cbb, CBS_data(&ext_body),\n CBS_len(&ext_body))) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);\n return false;\n }\n }\n\n if (!CBB_add_bytes(&extensions_cbb, inner_extensions_after.data(),\n inner_extensions_after.size())) {\n OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);\n return false;\n }\n }\n if (!CBB_flush(&body)) {\n OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);\n return false;\n }\n\n if (!is_valid_client_hello_inner(ssl, out_alert,\n Span(CBB_data(&body), CBB_len(&body)))) {\n return false;\n }\n\n if (!ssl->method->finish_message(ssl, cbb.get(), out_client_hello_inner)) {\n OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);\n return false;\n }\n return true;\n}\n\nbool ssl_client_hello_decrypt(SSL_HANDSHAKE *hs, uint8_t *out_alert,\n bool *out_is_decrypt_error, Array *out,\n const SSL_CLIENT_HELLO *client_hello_outer,\n Span payload) {\n *out_is_decrypt_error = false;\n\n // The ClientHelloOuterAAD is |client_hello_outer| with |payload| (which must\n // point within |client_hello_outer->extensions|) replaced with zeros. See\n // draft-ietf-tls-esni-13, section 5.2.\n Array aad;\n if (!aad.CopyFrom(Span(client_hello_outer->client_hello,\n client_hello_outer->client_hello_len))) {\n *out_alert = SSL_AD_INTERNAL_ERROR;\n return false;\n }\n\n // We assert with |uintptr_t| because the comparison would be UB if they\n // didn't alias.\n assert(reinterpret_cast(client_hello_outer->extensions) <=\n reinterpret_cast(payload.data()));\n assert(reinterpret_cast(client_hello_outer->extensions +\n client_hello_outer->extensions_len) >=\n reinterpret_cast(payload.data() + payload.size()));\n Span payload_aad = Span(aad).subspan(\n payload.data() - client_hello_outer->client_hello, payload.size());\n OPENSSL_memset(payload_aad.data(), 0, payload_aad.size());\n\n // Decrypt the EncodedClientHelloInner.\n Array encoded;\n#if defined(BORINGSSL_UNSAFE_FUZZER_MODE)\n // In fuzzer mode, disable encryption to improve coverage. We reserve a short\n // input to signal decryption failure, so the fuzzer can explore fallback to\n // ClientHelloOuter.\n const uint8_t kBadPayload[] = {0xff};\n if (payload == kBadPayload) {\n *out_alert = SSL_AD_DECRYPT_ERROR;\n *out_is_decrypt_error = true;\n OPENSSL_PUT_ERROR(SSL, SSL_R_DECRYPTION_FAILED);\n return false;\n }\n if (!encoded.CopyFrom(payload)) {\n *out_alert = SSL_AD_INTERNAL_ERROR;\n return false;\n }\n#else\n if (!encoded.InitForOverwrite(payload.size())) {\n *out_alert = SSL_AD_INTERNAL_ERROR;\n return false;\n }\n size_t len;\n if (!EVP_HPKE_CTX_open(hs->ech_hpke_ctx.get(), encoded.data(), &len,\n encoded.size(), payload.data(), payload.size(),\n aad.data(), aad.size())) {\n *out_alert = SSL_AD_DECRYPT_ERROR;\n *out_is_decrypt_error = true;\n OPENSSL_PUT_ERROR(SSL, SSL_R_DECRYPTION_FAILED);\n return false;\n }\n encoded.Shrink(len);\n#endif\n\n if (!ssl_decode_client_hello_inner(hs->ssl, out_alert, out, encoded,\n client_hello_outer)) {\n return false;\n }\n\n ssl_do_msg_callback(hs->ssl, /*is_write=*/0, SSL3_RT_CLIENT_HELLO_INNER,\n *out);\n return true;\n}\n\nstatic bool is_hex_component(Span in) {\n if (in.size() < 2 || in[0] != '0' || (in[1] != 'x' && in[1] != 'X')) {\n return false;\n }\n for (uint8_t b : in.subspan(2)) {\n if (!OPENSSL_isxdigit(b)) {\n return false;\n }\n }\n return true;\n}\n\nstatic bool is_decimal_component(Span in) {\n if (in.empty()) {\n return false;\n }\n for (uint8_t b : in) {\n if (!('0' <= b && b <= '9')) {\n return false;\n }\n }\n return true;\n}\n\nbool ssl_is_valid_ech_public_name(Span public_name) {\n // See draft-ietf-tls-esni-13, Section 4 and RFC 5890, Section 2.3.1. The\n // public name must be a dot-separated sequence of LDH labels and not begin or\n // end with a dot.\n auto remaining = public_name;\n if (remaining.empty()) {\n return false;\n }\n Span last;\n while (!remaining.empty()) {\n // Find the next dot-separated component.\n auto dot = std::find(remaining.begin(), remaining.end(), '.');\n Span component;\n if (dot == remaining.end()) {\n component = remaining;\n last = component;\n remaining = Span();\n } else {\n component = remaining.subspan(0, dot - remaining.begin());\n // Skip the dot.\n remaining = remaining.subspan(dot - remaining.begin() + 1);\n if (remaining.empty()) {\n // Trailing dots are not allowed.\n return false;\n }\n }\n // |component| must be a valid LDH label. Checking for empty components also\n // rejects leading dots.\n if (component.empty() || component.size() > 63 ||\n component.front() == '-' || component.back() == '-') {\n return false;\n }\n for (uint8_t c : component) {\n if (!OPENSSL_isalnum(c) && c != '-') {\n return false;\n }\n }\n }\n\n // The WHATWG URL parser additionally does not allow any DNS names that end in\n // a numeric component. See:\n // https://url.spec.whatwg.org/#concept-host-parser\n // https://url.spec.whatwg.org/#ends-in-a-number-checker\n //\n // The WHATWG parser is formulated in terms of parsing decimal, octal, and\n // hex, along with a separate ASCII digits check. The ASCII digits check\n // subsumes the decimal and octal check, so we only need to check two cases.\n return !is_hex_component(last) && !is_decimal_component(last);\n}\n\nstatic bool parse_ech_config(CBS *cbs, ECHConfig *out, bool *out_supported,\n bool all_extensions_mandatory) {\n uint16_t version;\n CBS orig = *cbs;\n CBS contents;\n if (!CBS_get_u16(cbs, &version) ||\n !CBS_get_u16_length_prefixed(cbs, &contents)) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);\n return false;\n }\n\n if (version != kECHConfigVersion) {\n *out_supported = false;\n return true;\n }\n\n // Make a copy of the ECHConfig and parse from it, so the results alias into\n // the saved copy.\n if (!out->raw.CopyFrom(\n Span(CBS_data(&orig), CBS_len(&orig) - CBS_len(cbs)))) {\n return false;\n }\n\n CBS ech_config(out->raw);\n CBS public_name, public_key, cipher_suites, extensions;\n if (!CBS_skip(&ech_config, 2) || // version\n !CBS_get_u16_length_prefixed(&ech_config, &contents) ||\n !CBS_get_u8(&contents, &out->config_id) ||\n !CBS_get_u16(&contents, &out->kem_id) ||\n !CBS_get_u16_length_prefixed(&contents, &public_key) ||\n CBS_len(&public_key) == 0 ||\n !CBS_get_u16_length_prefixed(&contents, &cipher_suites) ||\n CBS_len(&cipher_suites) == 0 || CBS_len(&cipher_suites) % 4 != 0 ||\n !CBS_get_u8(&contents, &out->maximum_name_length) ||\n !CBS_get_u8_length_prefixed(&contents, &public_name) ||\n CBS_len(&public_name) == 0 ||\n !CBS_get_u16_length_prefixed(&contents, &extensions) ||\n CBS_len(&contents) != 0) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);\n return false;\n }\n\n if (!ssl_is_valid_ech_public_name(public_name)) {\n // TODO(https://crbug.com/boringssl/275): The draft says ECHConfigs with\n // invalid public names should be ignored, but LDH syntax failures are\n // unambiguously invalid.\n *out_supported = false;\n return true;\n }\n\n out->public_key = public_key;\n out->public_name = public_name;\n // This function does not ensure |out->kem_id| and |out->cipher_suites| use\n // supported algorithms. The caller must do this.\n out->cipher_suites = cipher_suites;\n\n bool has_unknown_mandatory_extension = false;\n while (CBS_len(&extensions) != 0) {\n uint16_t type;\n CBS body;\n if (!CBS_get_u16(&extensions, &type) ||\n !CBS_get_u16_length_prefixed(&extensions, &body)) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);\n return false;\n }\n // We currently do not support any extensions.\n if (type & 0x8000 || all_extensions_mandatory) {\n // Extension numbers with the high bit set are mandatory. Continue parsing\n // to enforce syntax, but we will ultimately ignore this ECHConfig as a\n // client and reject it as a server.\n has_unknown_mandatory_extension = true;\n }\n }\n\n *out_supported = !has_unknown_mandatory_extension;\n return true;\n}\n\nbool ECHServerConfig::Init(Span ech_config,\n const EVP_HPKE_KEY *key, bool is_retry_config) {\n is_retry_config_ = is_retry_config;\n\n // Parse the ECHConfig, rejecting all unsupported parameters and extensions.\n // Unlike most server options, ECH's server configuration is serialized and\n // configured in both the server and DNS. If the caller configures an\n // unsupported parameter, this is a deployment error. To catch these errors,\n // we fail early.\n CBS cbs = ech_config;\n bool supported;\n if (!parse_ech_config(&cbs, &ech_config_, &supported,\n /*all_extensions_mandatory=*/true)) {\n return false;\n }\n if (CBS_len(&cbs) != 0) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);\n return false;\n }\n if (!supported) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_UNSUPPORTED_ECH_SERVER_CONFIG);\n return false;\n }\n\n CBS cipher_suites = ech_config_.cipher_suites;\n while (CBS_len(&cipher_suites) > 0) {\n uint16_t kdf_id, aead_id;\n if (!CBS_get_u16(&cipher_suites, &kdf_id) ||\n !CBS_get_u16(&cipher_suites, &aead_id)) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);\n return false;\n }\n // The server promises to support every option in the ECHConfig, so reject\n // any unsupported cipher suites.\n if (kdf_id != EVP_HPKE_HKDF_SHA256 || get_ech_aead(aead_id) == nullptr) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_UNSUPPORTED_ECH_SERVER_CONFIG);\n return false;\n }\n }\n\n // Check the public key in the ECHConfig matches |key|.\n uint8_t expected_public_key[EVP_HPKE_MAX_PUBLIC_KEY_LENGTH];\n size_t expected_public_key_len;\n if (!EVP_HPKE_KEY_public_key(key, expected_public_key,\n &expected_public_key_len,\n sizeof(expected_public_key))) {\n return false;\n }\n if (ech_config_.kem_id != EVP_HPKE_KEM_id(EVP_HPKE_KEY_kem(key)) ||\n Span(expected_public_key, expected_public_key_len) !=\n ech_config_.public_key) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_ECH_SERVER_CONFIG_AND_PRIVATE_KEY_MISMATCH);\n return false;\n }\n\n if (!EVP_HPKE_KEY_copy(key_.get(), key)) {\n return false;\n }\n\n return true;\n}\n\nbool ECHServerConfig::SetupContext(EVP_HPKE_CTX *ctx, uint16_t kdf_id,\n uint16_t aead_id,\n Span enc) const {\n // Check the cipher suite is supported by this ECHServerConfig.\n CBS cbs(ech_config_.cipher_suites);\n bool cipher_ok = false;\n while (CBS_len(&cbs) != 0) {\n uint16_t supported_kdf_id, supported_aead_id;\n if (!CBS_get_u16(&cbs, &supported_kdf_id) ||\n !CBS_get_u16(&cbs, &supported_aead_id)) {\n return false;\n }\n if (kdf_id == supported_kdf_id && aead_id == supported_aead_id) {\n cipher_ok = true;\n break;\n }\n }\n if (!cipher_ok) {\n return false;\n }\n\n static const uint8_t kInfoLabel[] = \"tls ech\";\n ScopedCBB info_cbb;\n if (!CBB_init(info_cbb.get(), sizeof(kInfoLabel) + ech_config_.raw.size()) ||\n !CBB_add_bytes(info_cbb.get(), kInfoLabel,\n sizeof(kInfoLabel) /* includes trailing NUL */) ||\n !CBB_add_bytes(info_cbb.get(), ech_config_.raw.data(),\n ech_config_.raw.size())) {\n return false;\n }\n\n assert(kdf_id == EVP_HPKE_HKDF_SHA256);\n assert(get_ech_aead(aead_id) != NULL);\n return EVP_HPKE_CTX_setup_recipient(ctx, key_.get(), EVP_hpke_hkdf_sha256(),\n get_ech_aead(aead_id), enc.data(),\n enc.size(), CBB_data(info_cbb.get()),\n CBB_len(info_cbb.get()));\n}\n\nbool ssl_is_valid_ech_config_list(Span ech_config_list) {\n CBS cbs = ech_config_list, child;\n if (!CBS_get_u16_length_prefixed(&cbs, &child) || //\n CBS_len(&child) == 0 || //\n CBS_len(&cbs) > 0) {\n return false;\n }\n while (CBS_len(&child) > 0) {\n ECHConfig ech_config;\n bool supported;\n if (!parse_ech_config(&child, &ech_config, &supported,\n /*all_extensions_mandatory=*/false)) {\n return false;\n }\n }\n return true;\n}\n\nstatic bool select_ech_cipher_suite(const EVP_HPKE_KDF **out_kdf,\n const EVP_HPKE_AEAD **out_aead,\n Span cipher_suites,\n const bool has_aes_hardware) {\n const EVP_HPKE_AEAD *aead = nullptr;\n CBS cbs = cipher_suites;\n while (CBS_len(&cbs) != 0) {\n uint16_t kdf_id, aead_id;\n if (!CBS_get_u16(&cbs, &kdf_id) || //\n !CBS_get_u16(&cbs, &aead_id)) {\n return false;\n }\n // Pick the first common cipher suite, but prefer ChaCha20-Poly1305 if we\n // don't have AES hardware.\n const EVP_HPKE_AEAD *candidate = get_ech_aead(aead_id);\n if (kdf_id != EVP_HPKE_HKDF_SHA256 || candidate == nullptr) {\n continue;\n }\n if (aead == nullptr ||\n (!has_aes_hardware && aead_id == EVP_HPKE_CHACHA20_POLY1305)) {\n aead = candidate;\n }\n }\n if (aead == nullptr) {\n return false;\n }\n\n *out_kdf = EVP_hpke_hkdf_sha256();\n *out_aead = aead;\n return true;\n}\n\nbool ssl_select_ech_config(SSL_HANDSHAKE *hs, Span out_enc,\n size_t *out_enc_len) {\n *out_enc_len = 0;\n if (hs->max_version < TLS1_3_VERSION) {\n // ECH requires TLS 1.3.\n return true;\n }\n\n if (!hs->config->client_ech_config_list.empty()) {\n CBS cbs = CBS(hs->config->client_ech_config_list);\n CBS child;\n if (!CBS_get_u16_length_prefixed(&cbs, &child) || //\n CBS_len(&child) == 0 || //\n CBS_len(&cbs) > 0) {\n return false;\n }\n // Look for the first ECHConfig with supported parameters.\n while (CBS_len(&child) > 0) {\n ECHConfig ech_config;\n bool supported;\n if (!parse_ech_config(&child, &ech_config, &supported,\n /*all_extensions_mandatory=*/false)) {\n return false;\n }\n const EVP_HPKE_KEM *kem = EVP_hpke_x25519_hkdf_sha256();\n const EVP_HPKE_KDF *kdf;\n const EVP_HPKE_AEAD *aead;\n if (supported && //\n ech_config.kem_id == EVP_HPKE_DHKEM_X25519_HKDF_SHA256 &&\n select_ech_cipher_suite(&kdf, &aead, ech_config.cipher_suites,\n hs->ssl->config->aes_hw_override\n ? hs->ssl->config->aes_hw_override_value\n : EVP_has_aes_hardware())) {\n ScopedCBB info;\n static const uint8_t kInfoLabel[] = \"tls ech\"; // includes trailing NUL\n if (!CBB_init(info.get(), sizeof(kInfoLabel) + ech_config.raw.size()) ||\n !CBB_add_bytes(info.get(), kInfoLabel, sizeof(kInfoLabel)) ||\n !CBB_add_bytes(info.get(), ech_config.raw.data(),\n ech_config.raw.size())) {\n return false;\n }\n\n if (!EVP_HPKE_CTX_setup_sender(\n hs->ech_hpke_ctx.get(), out_enc.data(), out_enc_len,\n out_enc.size(), kem, kdf, aead, ech_config.public_key.data(),\n ech_config.public_key.size(), CBB_data(info.get()),\n CBB_len(info.get())) ||\n !hs->inner_transcript.Init()) {\n return false;\n }\n\n hs->selected_ech_config = MakeUnique(std::move(ech_config));\n return hs->selected_ech_config != nullptr;\n }\n }\n }\n\n return true;\n}\n\nstatic size_t aead_overhead(const EVP_HPKE_AEAD *aead) {\n#if defined(BORINGSSL_UNSAFE_FUZZER_MODE)\n // TODO(https://crbug.com/boringssl/275): Having to adjust the overhead\n // everywhere is tedious. Change fuzzer mode to append a fake tag but still\n // otherwise be cleartext, refresh corpora, and then inline this function.\n return 0;\n#else\n return EVP_AEAD_max_overhead(EVP_HPKE_AEAD_aead(aead));\n#endif\n}\n\n// random_size returns a random value between |min| and |max|, inclusive.\nstatic size_t random_size(size_t min, size_t max) {\n assert(min < max);\n size_t value;\n RAND_bytes(reinterpret_cast(&value), sizeof(value));\n return value % (max - min + 1) + min;\n}\n\nstatic bool setup_ech_grease(SSL_HANDSHAKE *hs) {\n assert(!hs->selected_ech_config);\n if (hs->max_version < TLS1_3_VERSION || !hs->config->ech_grease_enabled) {\n return true;\n }\n\n const uint16_t kdf_id = EVP_HPKE_HKDF_SHA256;\n const bool has_aes_hw = hs->ssl->config->aes_hw_override\n ? hs->ssl->config->aes_hw_override_value\n : EVP_has_aes_hardware();\n const EVP_HPKE_AEAD *aead =\n has_aes_hw ? EVP_hpke_aes_128_gcm() : EVP_hpke_chacha20_poly1305();\n static_assert(ssl_grease_ech_config_id < sizeof(hs->grease_seed),\n \"hs->grease_seed is too small\");\n uint8_t config_id = hs->grease_seed[ssl_grease_ech_config_id];\n\n uint8_t enc[X25519_PUBLIC_VALUE_LEN];\n uint8_t private_key_unused[X25519_PRIVATE_KEY_LEN];\n X25519_keypair(enc, private_key_unused);\n\n // To determine a plausible length for the payload, we estimate the size of a\n // typical EncodedClientHelloInner without resumption:\n //\n // 2+32+1+2 version, random, legacy_session_id, legacy_compression_methods\n // 2+4*2 cipher_suites (three TLS 1.3 ciphers, GREASE)\n // 2 extensions prefix\n // 5 inner encrypted_client_hello\n // 4+1+2*2 supported_versions (TLS 1.3, GREASE)\n // 4+1+10*2 outer_extensions (key_share, sigalgs, sct, alpn,\n // supported_groups, status_request, psk_key_exchange_modes,\n // compress_certificate, GREASE x2)\n //\n // The server_name extension has an overhead of 9 bytes. For now, arbitrarily\n // estimate maximum_name_length to be between 32 and 100 bytes. Then round up\n // to a multiple of 32, to match draft-ietf-tls-esni-13, section 6.1.3.\n const size_t payload_len =\n 32 * random_size(128 / 32, 224 / 32) + aead_overhead(aead);\n bssl::ScopedCBB cbb;\n CBB enc_cbb, payload_cbb;\n uint8_t *payload;\n if (!CBB_init(cbb.get(), 256) || !CBB_add_u16(cbb.get(), kdf_id) ||\n !CBB_add_u16(cbb.get(), EVP_HPKE_AEAD_id(aead)) ||\n !CBB_add_u8(cbb.get(), config_id) ||\n !CBB_add_u16_length_prefixed(cbb.get(), &enc_cbb) ||\n !CBB_add_bytes(&enc_cbb, enc, sizeof(enc)) ||\n !CBB_add_u16_length_prefixed(cbb.get(), &payload_cbb) ||\n !CBB_add_space(&payload_cbb, &payload, payload_len) ||\n !RAND_bytes(payload, payload_len) ||\n !CBBFinishArray(cbb.get(), &hs->ech_client_outer)) {\n return false;\n }\n return true;\n}\n\nbool ssl_encrypt_client_hello(SSL_HANDSHAKE *hs, Span enc) {\n SSL *const ssl = hs->ssl;\n if (!hs->selected_ech_config) {\n return setup_ech_grease(hs);\n }\n\n // Construct ClientHelloInner and EncodedClientHelloInner. See\n // draft-ietf-tls-esni-13, sections 5.1 and 6.1.\n ScopedCBB cbb, encoded_cbb;\n CBB body;\n bool needs_psk_binder;\n Array hello_inner;\n if (!ssl->method->init_message(ssl, cbb.get(), &body, SSL3_MT_CLIENT_HELLO) ||\n !CBB_init(encoded_cbb.get(), 256) ||\n !ssl_write_client_hello_without_extensions(hs, &body,\n ssl_client_hello_inner,\n /*empty_session_id=*/false) ||\n !ssl_write_client_hello_without_extensions(hs, encoded_cbb.get(),\n ssl_client_hello_inner,\n /*empty_session_id=*/true) ||\n !ssl_add_clienthello_tlsext(hs, &body, encoded_cbb.get(),\n &needs_psk_binder, ssl_client_hello_inner,\n CBB_len(&body)) ||\n !ssl->method->finish_message(ssl, cbb.get(), &hello_inner)) {\n OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);\n return false;\n }\n\n if (needs_psk_binder) {\n size_t binder_len;\n if (!tls13_write_psk_binder(hs, hs->inner_transcript, Span(hello_inner),\n &binder_len)) {\n return false;\n }\n // Also update the EncodedClientHelloInner.\n auto encoded_binder =\n Span(const_cast(CBB_data(encoded_cbb.get())),\n CBB_len(encoded_cbb.get()))\n .last(binder_len);\n auto hello_inner_binder = Span(hello_inner).last(binder_len);\n OPENSSL_memcpy(encoded_binder.data(), hello_inner_binder.data(),\n binder_len);\n }\n\n ssl_do_msg_callback(ssl, /*is_write=*/1, SSL3_RT_CLIENT_HELLO_INNER,\n hello_inner);\n if (!hs->inner_transcript.Update(hello_inner)) {\n return false;\n }\n\n // Pad the EncodedClientHelloInner. See draft-ietf-tls-esni-13, section 6.1.3.\n size_t padding_len = 0;\n size_t maximum_name_length = hs->selected_ech_config->maximum_name_length;\n if (ssl->hostname) {\n size_t hostname_len = strlen(ssl->hostname.get());\n if (hostname_len <= maximum_name_length) {\n padding_len = maximum_name_length - hostname_len;\n }\n } else {\n // No SNI. Pad up to |maximum_name_length|, including server_name extension\n // overhead.\n padding_len = 9 + maximum_name_length;\n }\n // Pad the whole thing to a multiple of 32 bytes.\n padding_len += 31 - ((CBB_len(encoded_cbb.get()) + padding_len - 1) % 32);\n Array encoded;\n if (!CBB_add_zeros(encoded_cbb.get(), padding_len) ||\n !CBBFinishArray(encoded_cbb.get(), &encoded)) {\n return false;\n }\n\n // Encrypt |encoded|. See draft-ietf-tls-esni-13, section 6.1.1. First,\n // assemble the extension with a placeholder value for ClientHelloOuterAAD.\n // See draft-ietf-tls-esni-13, section 5.2.\n const EVP_HPKE_KDF *kdf = EVP_HPKE_CTX_kdf(hs->ech_hpke_ctx.get());\n const EVP_HPKE_AEAD *aead = EVP_HPKE_CTX_aead(hs->ech_hpke_ctx.get());\n size_t payload_len = encoded.size() + aead_overhead(aead);\n CBB enc_cbb, payload_cbb;\n if (!CBB_init(cbb.get(), 256) ||\n !CBB_add_u16(cbb.get(), EVP_HPKE_KDF_id(kdf)) ||\n !CBB_add_u16(cbb.get(), EVP_HPKE_AEAD_id(aead)) ||\n !CBB_add_u8(cbb.get(), hs->selected_ech_config->config_id) ||\n !CBB_add_u16_length_prefixed(cbb.get(), &enc_cbb) ||\n !CBB_add_bytes(&enc_cbb, enc.data(), enc.size()) ||\n !CBB_add_u16_length_prefixed(cbb.get(), &payload_cbb) ||\n !CBB_add_zeros(&payload_cbb, payload_len) ||\n !CBBFinishArray(cbb.get(), &hs->ech_client_outer)) {\n return false;\n }\n\n // Construct ClientHelloOuterAAD.\n // TODO(https://crbug.com/boringssl/275): This ends up constructing the\n // ClientHelloOuter twice. Instead, reuse |aad| for the ClientHello, now that\n // draft-12 made the length prefixes match.\n bssl::ScopedCBB aad;\n if (!CBB_init(aad.get(), 256) ||\n !ssl_write_client_hello_without_extensions(hs, aad.get(),\n ssl_client_hello_outer,\n /*empty_session_id=*/false) ||\n !ssl_add_clienthello_tlsext(hs, aad.get(), /*out_encoded=*/nullptr,\n &needs_psk_binder, ssl_client_hello_outer,\n CBB_len(aad.get()))) {\n OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);\n return false;\n }\n\n // ClientHelloOuter may not require a PSK binder. Otherwise, we have a\n // circular dependency.\n assert(!needs_psk_binder);\n\n // Replace the payload in |hs->ech_client_outer| with the encrypted value.\n auto payload_span = Span(hs->ech_client_outer).last(payload_len);\n#if defined(BORINGSSL_UNSAFE_FUZZER_MODE)\n // In fuzzer mode, the server expects a cleartext payload.\n assert(payload_span.size() == encoded.size());\n OPENSSL_memcpy(payload_span.data(), encoded.data(), encoded.size());\n#else\n if (!EVP_HPKE_CTX_seal(hs->ech_hpke_ctx.get(), payload_span.data(),\n &payload_len, payload_span.size(), encoded.data(),\n encoded.size(), CBB_data(aad.get()),\n CBB_len(aad.get())) ||\n payload_len != payload_span.size()) {\n return false;\n }\n#endif // BORINGSSL_UNSAFE_FUZZER_MODE\n\n return true;\n}\n\nBSSL_NAMESPACE_END\n\nusing namespace bssl;\n\nvoid SSL_set_enable_ech_grease(SSL *ssl, int enable) {\n if (!ssl->config) {\n return;\n }\n ssl->config->ech_grease_enabled = !!enable;\n}\n\nint SSL_set1_ech_config_list(SSL *ssl, const uint8_t *ech_config_list,\n size_t ech_config_list_len) {\n if (!ssl->config) {\n return 0;\n }\n\n auto span = Span(ech_config_list, ech_config_list_len);\n if (!ssl_is_valid_ech_config_list(span)) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_ECH_CONFIG_LIST);\n return 0;\n }\n return ssl->config->client_ech_config_list.CopyFrom(span);\n}\n\nvoid SSL_get0_ech_name_override(const SSL *ssl, const char **out_name,\n size_t *out_name_len) {\n // When ECH is rejected, we use the public name. Note that, if\n // |SSL_CTX_set_reverify_on_resume| is enabled, we reverify the certificate\n // before the 0-RTT point. If also offering ECH, we verify as if\n // ClientHelloInner was accepted and do not override. This works because, at\n // this point, |ech_status| will be |ssl_ech_none|. See the\n // ECH-Client-Reject-EarlyDataReject-OverrideNameOnRetry tests in runner.go.\n const SSL_HANDSHAKE *hs = ssl->s3->hs.get();\n if (!ssl->server && hs && ssl->s3->ech_status == ssl_ech_rejected) {\n *out_name = reinterpret_cast(\n hs->selected_ech_config->public_name.data());\n *out_name_len = hs->selected_ech_config->public_name.size();\n } else {\n *out_name = nullptr;\n *out_name_len = 0;\n }\n}\n\nvoid SSL_get0_ech_retry_configs(const SSL *ssl,\n const uint8_t **out_retry_configs,\n size_t *out_retry_configs_len) {\n const SSL_HANDSHAKE *hs = ssl->s3->hs.get();\n if (!hs || !hs->ech_authenticated_reject) {\n // It is an error to call this function except in response to\n // |SSL_R_ECH_REJECTED|. Returning an empty string risks the caller\n // mistakenly believing the server has disabled ECH. Instead, return a\n // non-empty ECHConfigList with a syntax error, so the subsequent\n // |SSL_set1_ech_config_list| call will fail.\n assert(0);\n static const uint8_t kPlaceholder[] = {\n kECHConfigVersion >> 8, kECHConfigVersion & 0xff, 0xff, 0xff, 0xff};\n *out_retry_configs = kPlaceholder;\n *out_retry_configs_len = sizeof(kPlaceholder);\n return;\n }\n\n *out_retry_configs = hs->ech_retry_configs.data();\n *out_retry_configs_len = hs->ech_retry_configs.size();\n}\n\nint SSL_marshal_ech_config(uint8_t **out, size_t *out_len, uint8_t config_id,\n const EVP_HPKE_KEY *key, const char *public_name,\n size_t max_name_len) {\n Span public_name_u8 = StringAsBytes(public_name);\n if (!ssl_is_valid_ech_public_name(public_name_u8)) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_ECH_PUBLIC_NAME);\n return 0;\n }\n\n // The maximum name length is encoded in one byte.\n if (max_name_len > 0xff) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_LENGTH);\n return 0;\n }\n\n // See draft-ietf-tls-esni-13, section 4.\n ScopedCBB cbb;\n CBB contents, child;\n uint8_t *public_key;\n size_t public_key_len;\n if (!CBB_init(cbb.get(), 128) || //\n !CBB_add_u16(cbb.get(), kECHConfigVersion) ||\n !CBB_add_u16_length_prefixed(cbb.get(), &contents) ||\n !CBB_add_u8(&contents, config_id) ||\n !CBB_add_u16(&contents, EVP_HPKE_KEM_id(EVP_HPKE_KEY_kem(key))) ||\n !CBB_add_u16_length_prefixed(&contents, &child) ||\n !CBB_reserve(&child, &public_key, EVP_HPKE_MAX_PUBLIC_KEY_LENGTH) ||\n !EVP_HPKE_KEY_public_key(key, public_key, &public_key_len,\n EVP_HPKE_MAX_PUBLIC_KEY_LENGTH) ||\n !CBB_did_write(&child, public_key_len) ||\n !CBB_add_u16_length_prefixed(&contents, &child) ||\n // Write a default cipher suite configuration.\n !CBB_add_u16(&child, EVP_HPKE_HKDF_SHA256) ||\n !CBB_add_u16(&child, EVP_HPKE_AES_128_GCM) ||\n !CBB_add_u16(&child, EVP_HPKE_HKDF_SHA256) ||\n !CBB_add_u16(&child, EVP_HPKE_CHACHA20_POLY1305) ||\n !CBB_add_u8(&contents, max_name_len) ||\n !CBB_add_u8_length_prefixed(&contents, &child) ||\n !CBB_add_bytes(&child, public_name_u8.data(), public_name_u8.size()) ||\n // TODO(https://crbug.com/boringssl/275): Reserve some GREASE extensions\n // and include some.\n !CBB_add_u16(&contents, 0 /* no extensions */) ||\n !CBB_finish(cbb.get(), out, out_len)) {\n OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);\n return 0;\n }\n return 1;\n}\n\nSSL_ECH_KEYS *SSL_ECH_KEYS_new() { return New(); }\n\nvoid SSL_ECH_KEYS_up_ref(SSL_ECH_KEYS *keys) { keys->UpRefInternal(); }\n\nvoid SSL_ECH_KEYS_free(SSL_ECH_KEYS *keys) {\n if (keys != nullptr) {\n keys->DecRefInternal();\n }\n}\n\nint SSL_ECH_KEYS_add(SSL_ECH_KEYS *configs, int is_retry_config,\n const uint8_t *ech_config, size_t ech_config_len,\n const EVP_HPKE_KEY *key) {\n UniquePtr parsed_config = MakeUnique();\n if (!parsed_config) {\n return 0;\n }\n if (!parsed_config->Init(Span(ech_config, ech_config_len), key,\n !!is_retry_config)) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);\n return 0;\n }\n if (!configs->configs.Push(std::move(parsed_config))) {\n return 0;\n }\n return 1;\n}\n\nint SSL_ECH_KEYS_has_duplicate_config_id(const SSL_ECH_KEYS *keys) {\n bool seen[256] = {false};\n for (const auto &config : keys->configs) {\n if (seen[config->ech_config().config_id]) {\n return 1;\n }\n seen[config->ech_config().config_id] = true;\n }\n return 0;\n}\n\nint SSL_ECH_KEYS_marshal_retry_configs(const SSL_ECH_KEYS *keys, uint8_t **out,\n size_t *out_len) {\n ScopedCBB cbb;\n CBB child;\n if (!CBB_init(cbb.get(), 128) ||\n !CBB_add_u16_length_prefixed(cbb.get(), &child)) {\n return false;\n }\n for (const auto &config : keys->configs) {\n if (config->is_retry_config() &&\n !CBB_add_bytes(&child, config->ech_config().raw.data(),\n config->ech_config().raw.size())) {\n return false;\n }\n }\n return CBB_finish(cbb.get(), out, out_len);\n}\n\nint SSL_CTX_set1_ech_keys(SSL_CTX *ctx, SSL_ECH_KEYS *keys) {\n bool has_retry_config = false;\n for (const auto &config : keys->configs) {\n if (config->is_retry_config()) {\n has_retry_config = true;\n break;\n }\n }\n if (!has_retry_config) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_ECH_SERVER_WOULD_HAVE_NO_RETRY_CONFIGS);\n return 0;\n }\n UniquePtr owned_keys = UpRef(keys);\n MutexWriteLock lock(&ctx->lock);\n ctx->ech_keys.swap(owned_keys);\n return 1;\n}\n\nint SSL_ech_accepted(const SSL *ssl) {\n if (SSL_in_early_data(ssl) && !ssl->server) {\n // In the client early data state, we report properties as if the server\n // accepted early data. The server can only accept early data with\n // ClientHelloInner.\n return ssl->s3->hs->selected_ech_config != nullptr;\n }\n\n return ssl->s3->ech_status == ssl_ech_accepted;\n}\n" }, { "path": "Sources/CNIOBoringSSL/ssl/extensions.cc", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n#include \n#include \n#include \n\n#include \n#include \n\n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n\n#include \"../crypto/internal.h\"\n#include \"internal.h\"\n\n\nBSSL_NAMESPACE_BEGIN\n\nstatic bool ssl_check_clienthello_tlsext(SSL_HANDSHAKE *hs);\nstatic bool ssl_check_serverhello_tlsext(SSL_HANDSHAKE *hs);\n\nstatic int compare_uint16_t(const void *p1, const void *p2) {\n uint16_t u1 = *((const uint16_t *)p1);\n uint16_t u2 = *((const uint16_t *)p2);\n if (u1 < u2) {\n return -1;\n } else if (u1 > u2) {\n return 1;\n } else {\n return 0;\n }\n}\n\n// Per http://tools.ietf.org/html/rfc5246#section-7.4.1.4, there may not be\n// more than one extension of the same type in a ClientHello or ServerHello.\n// This function does an initial scan over the extensions block to filter those\n// out.\nstatic bool tls1_check_duplicate_extensions(const CBS *cbs) {\n // First pass: count the extensions.\n size_t num_extensions = 0;\n CBS extensions = *cbs;\n while (CBS_len(&extensions) > 0) {\n uint16_t type;\n CBS extension;\n\n if (!CBS_get_u16(&extensions, &type) ||\n !CBS_get_u16_length_prefixed(&extensions, &extension)) {\n return false;\n }\n\n num_extensions++;\n }\n\n if (num_extensions == 0) {\n return true;\n }\n\n Array extension_types;\n if (!extension_types.InitForOverwrite(num_extensions)) {\n return false;\n }\n\n // Second pass: gather the extension types.\n extensions = *cbs;\n for (size_t i = 0; i < extension_types.size(); i++) {\n CBS extension;\n\n if (!CBS_get_u16(&extensions, &extension_types[i]) ||\n !CBS_get_u16_length_prefixed(&extensions, &extension)) {\n // This should not happen.\n return false;\n }\n }\n assert(CBS_len(&extensions) == 0);\n\n // Sort the extensions and make sure there are no duplicates.\n qsort(extension_types.data(), extension_types.size(), sizeof(uint16_t),\n compare_uint16_t);\n for (size_t i = 1; i < num_extensions; i++) {\n if (extension_types[i - 1] == extension_types[i]) {\n return false;\n }\n }\n\n return true;\n}\n\nstatic bool is_post_quantum_group(uint16_t id) {\n switch (id) {\n case SSL_GROUP_X25519_KYBER768_DRAFT00:\n case SSL_GROUP_X25519_MLKEM768:\n return true;\n default:\n return false;\n }\n}\n\nbool ssl_client_hello_init(const SSL *ssl, SSL_CLIENT_HELLO *out,\n Span body) {\n CBS cbs = body;\n if (!ssl_parse_client_hello_with_trailing_data(ssl, &cbs, out) ||\n CBS_len(&cbs) != 0) {\n return false;\n }\n return true;\n}\n\nbool ssl_parse_client_hello_with_trailing_data(const SSL *ssl, CBS *cbs,\n SSL_CLIENT_HELLO *out) {\n OPENSSL_memset(out, 0, sizeof(*out));\n out->ssl = const_cast(ssl);\n\n CBS copy = *cbs;\n CBS random, session_id;\n if (!CBS_get_u16(cbs, &out->version) ||\n !CBS_get_bytes(cbs, &random, SSL3_RANDOM_SIZE) ||\n !CBS_get_u8_length_prefixed(cbs, &session_id) ||\n CBS_len(&session_id) > SSL_MAX_SSL_SESSION_ID_LENGTH) {\n return false;\n }\n\n out->random = CBS_data(&random);\n out->random_len = CBS_len(&random);\n out->session_id = CBS_data(&session_id);\n out->session_id_len = CBS_len(&session_id);\n\n if (SSL_is_dtls(out->ssl)) {\n CBS cookie;\n if (!CBS_get_u8_length_prefixed(cbs, &cookie)) {\n return false;\n }\n out->dtls_cookie = CBS_data(&cookie);\n out->dtls_cookie_len = CBS_len(&cookie);\n } else {\n out->dtls_cookie = nullptr;\n out->dtls_cookie_len = 0;\n }\n\n CBS cipher_suites, compression_methods;\n if (!CBS_get_u16_length_prefixed(cbs, &cipher_suites) ||\n CBS_len(&cipher_suites) < 2 || (CBS_len(&cipher_suites) & 1) != 0 ||\n !CBS_get_u8_length_prefixed(cbs, &compression_methods) ||\n CBS_len(&compression_methods) < 1) {\n return false;\n }\n\n out->cipher_suites = CBS_data(&cipher_suites);\n out->cipher_suites_len = CBS_len(&cipher_suites);\n out->compression_methods = CBS_data(&compression_methods);\n out->compression_methods_len = CBS_len(&compression_methods);\n\n // If the ClientHello ends here then it's valid, but doesn't have any\n // extensions.\n if (CBS_len(cbs) == 0) {\n out->extensions = nullptr;\n out->extensions_len = 0;\n } else {\n // Extract extensions and check it is valid.\n CBS extensions;\n if (!CBS_get_u16_length_prefixed(cbs, &extensions) ||\n !tls1_check_duplicate_extensions(&extensions)) {\n return false;\n }\n out->extensions = CBS_data(&extensions);\n out->extensions_len = CBS_len(&extensions);\n }\n\n out->client_hello = CBS_data(©);\n out->client_hello_len = CBS_len(©) - CBS_len(cbs);\n return true;\n}\n\nbool ssl_client_hello_get_extension(const SSL_CLIENT_HELLO *client_hello,\n CBS *out, uint16_t extension_type) {\n CBS extensions;\n CBS_init(&extensions, client_hello->extensions, client_hello->extensions_len);\n while (CBS_len(&extensions) != 0) {\n // Decode the next extension.\n uint16_t type;\n CBS extension;\n if (!CBS_get_u16(&extensions, &type) ||\n !CBS_get_u16_length_prefixed(&extensions, &extension)) {\n return false;\n }\n\n if (type == extension_type) {\n *out = extension;\n return true;\n }\n }\n\n return false;\n}\n\nstatic const uint16_t kDefaultGroups[] = {\n SSL_GROUP_X25519,\n SSL_GROUP_SECP256R1,\n SSL_GROUP_SECP384R1,\n};\n\nSpan tls1_get_grouplist(const SSL_HANDSHAKE *hs) {\n if (!hs->config->supported_group_list.empty()) {\n return hs->config->supported_group_list;\n }\n return Span(kDefaultGroups);\n}\n\nbool tls1_get_shared_group(SSL_HANDSHAKE *hs, uint16_t *out_group_id) {\n SSL *const ssl = hs->ssl;\n assert(ssl->server);\n\n // Clients are not required to send a supported_groups extension. In this\n // case, the server is free to pick any group it likes. See RFC 4492,\n // section 4, paragraph 3.\n //\n // However, in the interests of compatibility, we will skip ECDH if the\n // client didn't send an extension because we can't be sure that they'll\n // support our favoured group. Thus we do not special-case an emtpy\n // |peer_supported_group_list|.\n\n Span groups = tls1_get_grouplist(hs);\n Span pref, supp;\n if (ssl->options & SSL_OP_CIPHER_SERVER_PREFERENCE) {\n pref = groups;\n supp = hs->peer_supported_group_list;\n } else {\n pref = hs->peer_supported_group_list;\n supp = groups;\n }\n\n for (uint16_t pref_group : pref) {\n for (uint16_t supp_group : supp) {\n if (pref_group == supp_group &&\n // Post-quantum key agreements don't fit in the u8-length-prefixed\n // ECPoint field in TLS 1.2 and below.\n (ssl_protocol_version(ssl) >= TLS1_3_VERSION ||\n !is_post_quantum_group(pref_group))) {\n *out_group_id = pref_group;\n return true;\n }\n }\n }\n\n return false;\n}\n\nbool tls1_check_group_id(const SSL_HANDSHAKE *hs, uint16_t group_id) {\n if (is_post_quantum_group(group_id) &&\n ssl_protocol_version(hs->ssl) < TLS1_3_VERSION) {\n // Post-quantum \"groups\" require TLS 1.3.\n return false;\n }\n\n // We internally assume zero is never allocated as a group ID.\n if (group_id == 0) {\n return false;\n }\n\n for (uint16_t supported : tls1_get_grouplist(hs)) {\n if (supported == group_id) {\n return true;\n }\n }\n\n return false;\n}\n\n// kVerifySignatureAlgorithms is the default list of accepted signature\n// algorithms for verifying.\nstatic const uint16_t kVerifySignatureAlgorithms[] = {\n // List our preferred algorithms first.\n SSL_SIGN_ECDSA_SECP256R1_SHA256,\n SSL_SIGN_RSA_PSS_RSAE_SHA256,\n SSL_SIGN_RSA_PKCS1_SHA256,\n\n // Larger hashes are acceptable.\n SSL_SIGN_ECDSA_SECP384R1_SHA384,\n SSL_SIGN_RSA_PSS_RSAE_SHA384,\n SSL_SIGN_RSA_PKCS1_SHA384,\n\n SSL_SIGN_RSA_PSS_RSAE_SHA512,\n SSL_SIGN_RSA_PKCS1_SHA512,\n\n // For now, SHA-1 is still accepted but least preferable.\n SSL_SIGN_RSA_PKCS1_SHA1,\n};\n\n// kSignSignatureAlgorithms is the default list of supported signature\n// algorithms for signing.\nstatic const uint16_t kSignSignatureAlgorithms[] = {\n // List our preferred algorithms first.\n SSL_SIGN_ED25519,\n SSL_SIGN_ECDSA_SECP256R1_SHA256,\n SSL_SIGN_RSA_PSS_RSAE_SHA256,\n SSL_SIGN_RSA_PKCS1_SHA256,\n\n // If needed, sign larger hashes.\n //\n // TODO(davidben): Determine which of these may be pruned.\n SSL_SIGN_ECDSA_SECP384R1_SHA384,\n SSL_SIGN_RSA_PSS_RSAE_SHA384,\n SSL_SIGN_RSA_PKCS1_SHA384,\n\n SSL_SIGN_ECDSA_SECP521R1_SHA512,\n SSL_SIGN_RSA_PSS_RSAE_SHA512,\n SSL_SIGN_RSA_PKCS1_SHA512,\n\n // If the peer supports nothing else, sign with SHA-1.\n SSL_SIGN_ECDSA_SHA1,\n SSL_SIGN_RSA_PKCS1_SHA1,\n};\n\nstatic Span tls12_get_verify_sigalgs(const SSL_HANDSHAKE *hs) {\n if (hs->config->verify_sigalgs.empty()) {\n return Span(kVerifySignatureAlgorithms);\n }\n return hs->config->verify_sigalgs;\n}\n\nbool tls12_add_verify_sigalgs(const SSL_HANDSHAKE *hs, CBB *out) {\n for (uint16_t sigalg : tls12_get_verify_sigalgs(hs)) {\n if (!CBB_add_u16(out, sigalg)) {\n return false;\n }\n }\n return true;\n}\n\nbool tls12_check_peer_sigalg(const SSL_HANDSHAKE *hs, uint8_t *out_alert,\n uint16_t sigalg, EVP_PKEY *pkey) {\n // The peer must have selected an algorithm that is consistent with its public\n // key, the TLS version, and what we advertised.\n Span sigalgs = tls12_get_verify_sigalgs(hs);\n if (std::find(sigalgs.begin(), sigalgs.end(), sigalg) == sigalgs.end() ||\n !ssl_pkey_supports_algorithm(hs->ssl, pkey, sigalg, /*is_verify=*/true)) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_SIGNATURE_TYPE);\n *out_alert = SSL_AD_ILLEGAL_PARAMETER;\n return false;\n }\n\n return true;\n}\n\n// tls_extension represents a TLS extension that is handled internally.\n//\n// The parse callbacks receive a |CBS| that contains the contents of the\n// extension (i.e. not including the type and length bytes). If an extension is\n// not received then the parse callbacks will be called with a NULL CBS so that\n// they can do any processing needed to handle the absence of an extension.\n//\n// The add callbacks receive a |CBB| to which the extension can be appended but\n// the function is responsible for appending the type and length bytes too.\n//\n// |add_clienthello| may be called multiple times and must not mutate |hs|. It\n// is additionally passed two output |CBB|s. If the extension is the same\n// independent of the value of |type|, the callback may write to\n// |out_compressible| instead of |out|. When serializing the ClientHelloInner,\n// all compressible extensions will be made continguous and replaced with\n// ech_outer_extensions when encrypted. When serializing the ClientHelloOuter\n// or not offering ECH, |out| will be equal to |out_compressible|, so writing to\n// |out_compressible| still works.\n//\n// Note the |parse_serverhello| and |add_serverhello| callbacks refer to the\n// TLS 1.2 ServerHello. In TLS 1.3, these callbacks act on EncryptedExtensions,\n// with ServerHello extensions handled elsewhere in the handshake.\n//\n// All callbacks return true for success and false for error. If a parse\n// function returns zero then a fatal alert with value |*out_alert| will be\n// sent. If |*out_alert| isn't set, then a |decode_error| alert will be sent.\nstruct tls_extension {\n uint16_t value;\n\n bool (*add_clienthello)(const SSL_HANDSHAKE *hs, CBB *out,\n CBB *out_compressible, ssl_client_hello_type_t type);\n bool (*parse_serverhello)(SSL_HANDSHAKE *hs, uint8_t *out_alert,\n CBS *contents);\n\n bool (*parse_clienthello)(SSL_HANDSHAKE *hs, uint8_t *out_alert,\n CBS *contents);\n bool (*add_serverhello)(SSL_HANDSHAKE *hs, CBB *out);\n};\n\nstatic bool forbid_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert,\n CBS *contents) {\n if (contents != NULL) {\n // Servers MUST NOT send this extension.\n *out_alert = SSL_AD_UNSUPPORTED_EXTENSION;\n OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION);\n return false;\n }\n\n return true;\n}\n\nstatic bool ignore_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert,\n CBS *contents) {\n // This extension from the client is handled elsewhere.\n return true;\n}\n\nstatic bool dont_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) { return true; }\n\n// Server name indication (SNI).\n//\n// https://tools.ietf.org/html/rfc6066#section-3.\n\nstatic bool ext_sni_add_clienthello(const SSL_HANDSHAKE *hs, CBB *out,\n CBB *out_compressible,\n ssl_client_hello_type_t type) {\n const SSL *const ssl = hs->ssl;\n // If offering ECH, send the public name instead of the configured name.\n Span hostname;\n if (type == ssl_client_hello_outer) {\n hostname = hs->selected_ech_config->public_name;\n } else {\n if (ssl->hostname == nullptr) {\n return true;\n }\n hostname = StringAsBytes(ssl->hostname.get());\n }\n\n CBB contents, server_name_list, name;\n if (!CBB_add_u16(out, TLSEXT_TYPE_server_name) ||\n !CBB_add_u16_length_prefixed(out, &contents) ||\n !CBB_add_u16_length_prefixed(&contents, &server_name_list) ||\n !CBB_add_u8(&server_name_list, TLSEXT_NAMETYPE_host_name) ||\n !CBB_add_u16_length_prefixed(&server_name_list, &name) ||\n !CBB_add_bytes(&name, hostname.data(), hostname.size()) ||\n !CBB_flush(out)) {\n return false;\n }\n\n return true;\n}\n\nstatic bool ext_sni_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert,\n CBS *contents) {\n // The server may acknowledge SNI with an empty extension. We check the syntax\n // but otherwise ignore this signal.\n return contents == NULL || CBS_len(contents) == 0;\n}\n\nstatic bool ext_sni_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert,\n CBS *contents) {\n // SNI has already been parsed earlier in the handshake. See |extract_sni|.\n return true;\n}\n\nstatic bool ext_sni_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {\n if (hs->ssl->s3->session_reused || //\n !hs->should_ack_sni) {\n return true;\n }\n\n if (!CBB_add_u16(out, TLSEXT_TYPE_server_name) ||\n !CBB_add_u16(out, 0 /* length */)) {\n return false;\n }\n\n return true;\n}\n\n\n// Encrypted ClientHello (ECH)\n//\n// https://tools.ietf.org/html/draft-ietf-tls-esni-13\n\nstatic bool ext_ech_add_clienthello(const SSL_HANDSHAKE *hs, CBB *out,\n CBB *out_compressible,\n ssl_client_hello_type_t type) {\n if (type == ssl_client_hello_inner) {\n if (!CBB_add_u16(out, TLSEXT_TYPE_encrypted_client_hello) ||\n !CBB_add_u16(out, /* length */ 1) ||\n !CBB_add_u8(out, ECH_CLIENT_INNER)) {\n return false;\n }\n return true;\n }\n\n if (hs->ech_client_outer.empty()) {\n return true;\n }\n\n CBB ech_body;\n if (!CBB_add_u16(out, TLSEXT_TYPE_encrypted_client_hello) ||\n !CBB_add_u16_length_prefixed(out, &ech_body) ||\n !CBB_add_u8(&ech_body, ECH_CLIENT_OUTER) ||\n !CBB_add_bytes(&ech_body, hs->ech_client_outer.data(),\n hs->ech_client_outer.size()) ||\n !CBB_flush(out)) {\n return false;\n }\n return true;\n}\n\nstatic bool ext_ech_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert,\n CBS *contents) {\n SSL *const ssl = hs->ssl;\n if (contents == NULL) {\n return true;\n }\n\n // The ECH extension may not be sent in TLS 1.2 ServerHello, only TLS 1.3\n // EncryptedExtensions. It also may not be sent in response to an inner ECH\n // extension.\n if (ssl_protocol_version(ssl) < TLS1_3_VERSION ||\n ssl->s3->ech_status == ssl_ech_accepted) {\n *out_alert = SSL_AD_UNSUPPORTED_EXTENSION;\n OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION);\n return false;\n }\n\n if (!ssl_is_valid_ech_config_list(*contents)) {\n *out_alert = SSL_AD_DECODE_ERROR;\n return false;\n }\n\n if (ssl->s3->ech_status == ssl_ech_rejected &&\n !hs->ech_retry_configs.CopyFrom(*contents)) {\n *out_alert = SSL_AD_INTERNAL_ERROR;\n return false;\n }\n\n return true;\n}\n\nstatic bool ext_ech_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert,\n CBS *contents) {\n if (contents == nullptr) {\n return true;\n }\n\n uint8_t type;\n if (!CBS_get_u8(contents, &type)) {\n return false;\n }\n if (type == ECH_CLIENT_OUTER) {\n // Outer ECH extensions are handled outside the callback.\n return true;\n }\n if (type != ECH_CLIENT_INNER || CBS_len(contents) != 0) {\n return false;\n }\n\n hs->ech_is_inner = true;\n return true;\n}\n\nstatic bool ext_ech_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {\n SSL *const ssl = hs->ssl;\n if (ssl_protocol_version(ssl) < TLS1_3_VERSION ||\n ssl->s3->ech_status == ssl_ech_accepted || //\n hs->ech_keys == nullptr) {\n return true;\n }\n\n // Write the list of retry configs to |out|. Note |SSL_CTX_set1_ech_keys|\n // ensures |ech_keys| contains at least one retry config.\n CBB body, retry_configs;\n if (!CBB_add_u16(out, TLSEXT_TYPE_encrypted_client_hello) ||\n !CBB_add_u16_length_prefixed(out, &body) ||\n !CBB_add_u16_length_prefixed(&body, &retry_configs)) {\n return false;\n }\n for (const auto &config : hs->ech_keys->configs) {\n if (!config->is_retry_config()) {\n continue;\n }\n if (!CBB_add_bytes(&retry_configs, config->ech_config().raw.data(),\n config->ech_config().raw.size())) {\n return false;\n }\n }\n return CBB_flush(out);\n}\n\n\n// Renegotiation indication.\n//\n// https://tools.ietf.org/html/rfc5746\n\nstatic bool ext_ri_add_clienthello(const SSL_HANDSHAKE *hs, CBB *out,\n CBB *out_compressible,\n ssl_client_hello_type_t type) {\n const SSL *const ssl = hs->ssl;\n // Renegotiation indication is not necessary in TLS 1.3.\n if (hs->min_version >= TLS1_3_VERSION || //\n type == ssl_client_hello_inner) {\n return true;\n }\n\n assert(ssl->s3->initial_handshake_complete ==\n !ssl->s3->previous_client_finished.empty());\n\n CBB contents, prev_finished;\n if (!CBB_add_u16(out, TLSEXT_TYPE_renegotiate) ||\n !CBB_add_u16_length_prefixed(out, &contents) ||\n !CBB_add_u8_length_prefixed(&contents, &prev_finished) ||\n !CBB_add_bytes(&prev_finished, ssl->s3->previous_client_finished.data(),\n ssl->s3->previous_client_finished.size()) ||\n !CBB_flush(out)) {\n return false;\n }\n\n return true;\n}\n\nstatic bool ext_ri_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert,\n CBS *contents) {\n SSL *const ssl = hs->ssl;\n if (contents != NULL && ssl_protocol_version(ssl) >= TLS1_3_VERSION) {\n *out_alert = SSL_AD_ILLEGAL_PARAMETER;\n return false;\n }\n\n // Servers may not switch between omitting the extension and supporting it.\n // See RFC 5746, sections 3.5 and 4.2.\n if (ssl->s3->initial_handshake_complete &&\n (contents != NULL) != ssl->s3->send_connection_binding) {\n *out_alert = SSL_AD_HANDSHAKE_FAILURE;\n OPENSSL_PUT_ERROR(SSL, SSL_R_RENEGOTIATION_MISMATCH);\n return false;\n }\n\n if (contents == NULL) {\n // Strictly speaking, if we want to avoid an attack we should *always* see\n // RI even on initial ServerHello because the client doesn't see any\n // renegotiation during an attack. However this would mean we could not\n // connect to any server which doesn't support RI.\n //\n // OpenSSL has |SSL_OP_LEGACY_SERVER_CONNECT| to control this, but in\n // practical terms every client sets it so it's just assumed here.\n return true;\n }\n\n // Check for logic errors.\n assert(ssl->s3->previous_client_finished.size() ==\n ssl->s3->previous_server_finished.size());\n assert(ssl->s3->initial_handshake_complete ==\n !ssl->s3->previous_client_finished.empty());\n\n // Parse out the extension contents.\n CBS renegotiated_connection;\n if (!CBS_get_u8_length_prefixed(contents, &renegotiated_connection) ||\n CBS_len(contents) != 0) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_RENEGOTIATION_ENCODING_ERR);\n *out_alert = SSL_AD_ILLEGAL_PARAMETER;\n return false;\n }\n\n // Check that the extension matches.\n CBS client_verify, server_verify;\n if (!CBS_get_bytes(&renegotiated_connection, &client_verify,\n ssl->s3->previous_client_finished.size()) ||\n !CBS_get_bytes(&renegotiated_connection, &server_verify,\n ssl->s3->previous_server_finished.size()) ||\n CBS_len(&renegotiated_connection) != 0) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_RENEGOTIATION_MISMATCH);\n *out_alert = SSL_AD_HANDSHAKE_FAILURE;\n return false;\n }\n\n bool ok =\n CBS_mem_equal(&client_verify, ssl->s3->previous_client_finished.data(),\n ssl->s3->previous_client_finished.size()) &&\n CBS_mem_equal(&server_verify, ssl->s3->previous_server_finished.data(),\n ssl->s3->previous_server_finished.size());\n#if defined(BORINGSSL_UNSAFE_FUZZER_MODE)\n ok = true;\n#endif\n if (!ok) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_RENEGOTIATION_MISMATCH);\n *out_alert = SSL_AD_HANDSHAKE_FAILURE;\n return false;\n }\n\n ssl->s3->send_connection_binding = true;\n return true;\n}\n\nstatic bool ext_ri_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert,\n CBS *contents) {\n SSL *const ssl = hs->ssl;\n // Renegotiation isn't supported as a server so this function should never be\n // called after the initial handshake.\n assert(!ssl->s3->initial_handshake_complete);\n\n if (ssl_protocol_version(ssl) >= TLS1_3_VERSION) {\n return true;\n }\n\n if (contents == NULL) {\n return true;\n }\n\n CBS renegotiated_connection;\n if (!CBS_get_u8_length_prefixed(contents, &renegotiated_connection) ||\n CBS_len(contents) != 0) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_RENEGOTIATION_ENCODING_ERR);\n return false;\n }\n\n // Check that the extension matches. We do not support renegotiation as a\n // server, so this must be empty.\n if (CBS_len(&renegotiated_connection) != 0) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_RENEGOTIATION_MISMATCH);\n *out_alert = SSL_AD_HANDSHAKE_FAILURE;\n return false;\n }\n\n ssl->s3->send_connection_binding = true;\n\n return true;\n}\n\nstatic bool ext_ri_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {\n SSL *const ssl = hs->ssl;\n // Renegotiation isn't supported as a server so this function should never be\n // called after the initial handshake.\n assert(!ssl->s3->initial_handshake_complete);\n\n if (ssl_protocol_version(ssl) >= TLS1_3_VERSION) {\n return true;\n }\n\n if (!CBB_add_u16(out, TLSEXT_TYPE_renegotiate) ||\n !CBB_add_u16(out, 1 /* length */) ||\n !CBB_add_u8(out, 0 /* empty renegotiation info */)) {\n return false;\n }\n\n return true;\n}\n\n\n// Extended Master Secret.\n//\n// https://tools.ietf.org/html/rfc7627\n\nstatic bool ext_ems_add_clienthello(const SSL_HANDSHAKE *hs, CBB *out,\n CBB *out_compressible,\n ssl_client_hello_type_t type) {\n // Extended master secret is not necessary in TLS 1.3.\n if (hs->min_version >= TLS1_3_VERSION || type == ssl_client_hello_inner) {\n return true;\n }\n\n if (!CBB_add_u16(out, TLSEXT_TYPE_extended_master_secret) ||\n !CBB_add_u16(out, 0 /* length */)) {\n return false;\n }\n\n return true;\n}\n\nstatic bool ext_ems_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert,\n CBS *contents) {\n SSL *const ssl = hs->ssl;\n\n if (contents != NULL) {\n if (ssl_protocol_version(ssl) >= TLS1_3_VERSION || //\n CBS_len(contents) != 0) {\n return false;\n }\n\n hs->extended_master_secret = true;\n }\n\n // Whether EMS is negotiated may not change on renegotiation.\n if (ssl->s3->established_session != nullptr &&\n hs->extended_master_secret !=\n !!ssl->s3->established_session->extended_master_secret) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_RENEGOTIATION_EMS_MISMATCH);\n *out_alert = SSL_AD_ILLEGAL_PARAMETER;\n return false;\n }\n\n return true;\n}\n\nstatic bool ext_ems_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert,\n CBS *contents) {\n if (ssl_protocol_version(hs->ssl) >= TLS1_3_VERSION) {\n return true;\n }\n\n if (contents == NULL) {\n return true;\n }\n\n if (CBS_len(contents) != 0) {\n return false;\n }\n\n hs->extended_master_secret = true;\n return true;\n}\n\nstatic bool ext_ems_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {\n if (!hs->extended_master_secret) {\n return true;\n }\n\n if (!CBB_add_u16(out, TLSEXT_TYPE_extended_master_secret) ||\n !CBB_add_u16(out, 0 /* length */)) {\n return false;\n }\n\n return true;\n}\n\n\n// Session tickets.\n//\n// https://tools.ietf.org/html/rfc5077\n\nstatic bool ext_ticket_add_clienthello(const SSL_HANDSHAKE *hs, CBB *out,\n CBB *out_compressible,\n ssl_client_hello_type_t type) {\n const SSL *const ssl = hs->ssl;\n // TLS 1.3 uses a different ticket extension.\n if (hs->min_version >= TLS1_3_VERSION || type == ssl_client_hello_inner ||\n SSL_get_options(ssl) & SSL_OP_NO_TICKET) {\n return true;\n }\n\n // Renegotiation does not participate in session resumption. However, still\n // advertise the extension to avoid potentially breaking servers which carry\n // over the state from the previous handshake, such as OpenSSL servers\n // without upstream's 3c3f0259238594d77264a78944d409f2127642c4.\n Span ticket;\n if (!ssl->s3->initial_handshake_complete && //\n ssl->session != nullptr &&\n ssl_session_get_type(ssl->session.get()) == SSLSessionType::kTicket) {\n ticket = ssl->session->ticket;\n }\n\n CBB ticket_cbb;\n if (!CBB_add_u16(out, TLSEXT_TYPE_session_ticket) ||\n !CBB_add_u16_length_prefixed(out, &ticket_cbb) ||\n !CBB_add_bytes(&ticket_cbb, ticket.data(), ticket.size()) ||\n !CBB_flush(out)) {\n return false;\n }\n\n return true;\n}\n\nstatic bool ext_ticket_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert,\n CBS *contents) {\n SSL *const ssl = hs->ssl;\n if (contents == NULL) {\n return true;\n }\n\n if (ssl_protocol_version(ssl) >= TLS1_3_VERSION) {\n return false;\n }\n\n // If |SSL_OP_NO_TICKET| is set then no extension will have been sent and\n // this function should never be called, even if the server tries to send the\n // extension.\n assert((SSL_get_options(ssl) & SSL_OP_NO_TICKET) == 0);\n\n if (CBS_len(contents) != 0) {\n return false;\n }\n\n hs->ticket_expected = true;\n return true;\n}\n\nstatic bool ext_ticket_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {\n if (!hs->ticket_expected) {\n return true;\n }\n\n // If |SSL_OP_NO_TICKET| is set, |ticket_expected| should never be true.\n assert((SSL_get_options(hs->ssl) & SSL_OP_NO_TICKET) == 0);\n\n if (!CBB_add_u16(out, TLSEXT_TYPE_session_ticket) ||\n !CBB_add_u16(out, 0 /* length */)) {\n return false;\n }\n\n return true;\n}\n\n\n// Signature Algorithms.\n//\n// https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1\n\nstatic bool ext_sigalgs_add_clienthello(const SSL_HANDSHAKE *hs, CBB *out,\n CBB *out_compressible,\n ssl_client_hello_type_t type) {\n if (hs->max_version < TLS1_2_VERSION) {\n return true;\n }\n\n CBB contents, sigalgs_cbb;\n if (!CBB_add_u16(out_compressible, TLSEXT_TYPE_signature_algorithms) ||\n !CBB_add_u16_length_prefixed(out_compressible, &contents) ||\n !CBB_add_u16_length_prefixed(&contents, &sigalgs_cbb) ||\n !tls12_add_verify_sigalgs(hs, &sigalgs_cbb) ||\n !CBB_flush(out_compressible)) {\n return false;\n }\n\n return true;\n}\n\nstatic bool ext_sigalgs_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert,\n CBS *contents) {\n hs->peer_sigalgs.Reset();\n if (contents == NULL) {\n return true;\n }\n\n CBS supported_signature_algorithms;\n if (!CBS_get_u16_length_prefixed(contents, &supported_signature_algorithms) ||\n CBS_len(contents) != 0 ||\n !tls1_parse_peer_sigalgs(hs, &supported_signature_algorithms)) {\n return false;\n }\n\n return true;\n}\n\n\n// OCSP Stapling.\n//\n// https://tools.ietf.org/html/rfc6066#section-8\n\nstatic bool ext_ocsp_add_clienthello(const SSL_HANDSHAKE *hs, CBB *out,\n CBB *out_compressible,\n ssl_client_hello_type_t type) {\n if (!hs->config->ocsp_stapling_enabled) {\n return true;\n }\n\n CBB contents;\n if (!CBB_add_u16(out_compressible, TLSEXT_TYPE_status_request) ||\n !CBB_add_u16_length_prefixed(out_compressible, &contents) ||\n !CBB_add_u8(&contents, TLSEXT_STATUSTYPE_ocsp) ||\n !CBB_add_u16(&contents, 0 /* empty responder ID list */) ||\n !CBB_add_u16(&contents, 0 /* empty request extensions */) ||\n !CBB_flush(out_compressible)) {\n return false;\n }\n\n return true;\n}\n\nstatic bool ext_ocsp_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert,\n CBS *contents) {\n SSL *const ssl = hs->ssl;\n if (contents == NULL) {\n return true;\n }\n\n // TLS 1.3 OCSP responses are included in the Certificate extensions.\n if (ssl_protocol_version(ssl) >= TLS1_3_VERSION) {\n return false;\n }\n\n // OCSP stapling is forbidden on non-certificate ciphers.\n if (CBS_len(contents) != 0 ||\n !ssl_cipher_uses_certificate_auth(hs->new_cipher)) {\n return false;\n }\n\n // Note this does not check for resumption in TLS 1.2. Sending\n // status_request here does not make sense, but OpenSSL does so and the\n // specification does not say anything. Tolerate it but ignore it.\n\n hs->certificate_status_expected = true;\n return true;\n}\n\nstatic bool ext_ocsp_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert,\n CBS *contents) {\n if (contents == NULL) {\n return true;\n }\n\n uint8_t status_type;\n if (!CBS_get_u8(contents, &status_type)) {\n return false;\n }\n\n // We cannot decide whether OCSP stapling will occur yet because the correct\n // SSL_CTX might not have been selected.\n hs->ocsp_stapling_requested = status_type == TLSEXT_STATUSTYPE_ocsp;\n\n return true;\n}\n\nstatic bool ext_ocsp_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {\n SSL *const ssl = hs->ssl;\n if (ssl_protocol_version(ssl) >= TLS1_3_VERSION ||\n !hs->ocsp_stapling_requested || ssl->s3->session_reused ||\n !ssl_cipher_uses_certificate_auth(hs->new_cipher) ||\n hs->credential->ocsp_response == nullptr) {\n return true;\n }\n\n hs->certificate_status_expected = true;\n\n return CBB_add_u16(out, TLSEXT_TYPE_status_request) &&\n CBB_add_u16(out, 0 /* length */);\n}\n\n\n// Next protocol negotiation.\n//\n// https://htmlpreview.github.io/?https://github.com/agl/technotes/blob/master/nextprotoneg.html\n\nstatic bool ext_npn_add_clienthello(const SSL_HANDSHAKE *hs, CBB *out,\n CBB *out_compressible,\n ssl_client_hello_type_t type) {\n const SSL *const ssl = hs->ssl;\n if (ssl->ctx->next_proto_select_cb == NULL ||\n // Do not allow NPN to change on renegotiation.\n ssl->s3->initial_handshake_complete ||\n // NPN is not defined in DTLS or TLS 1.3.\n SSL_is_dtls(ssl) || hs->min_version >= TLS1_3_VERSION ||\n type == ssl_client_hello_inner) {\n return true;\n }\n\n if (!CBB_add_u16(out, TLSEXT_TYPE_next_proto_neg) ||\n !CBB_add_u16(out, 0 /* length */)) {\n return false;\n }\n\n return true;\n}\n\nstatic bool ext_npn_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert,\n CBS *contents) {\n SSL *const ssl = hs->ssl;\n if (contents == NULL) {\n return true;\n }\n\n if (ssl_protocol_version(ssl) >= TLS1_3_VERSION) {\n return false;\n }\n\n // If any of these are false then we should never have sent the NPN\n // extension in the ClientHello and thus this function should never have been\n // called.\n assert(!ssl->s3->initial_handshake_complete);\n assert(!SSL_is_dtls(ssl));\n assert(ssl->ctx->next_proto_select_cb != NULL);\n\n if (!ssl->s3->alpn_selected.empty()) {\n // NPN and ALPN may not be negotiated in the same connection.\n *out_alert = SSL_AD_ILLEGAL_PARAMETER;\n OPENSSL_PUT_ERROR(SSL, SSL_R_NEGOTIATED_BOTH_NPN_AND_ALPN);\n return false;\n }\n\n const uint8_t *const orig_contents = CBS_data(contents);\n const size_t orig_len = CBS_len(contents);\n\n while (CBS_len(contents) != 0) {\n CBS proto;\n if (!CBS_get_u8_length_prefixed(contents, &proto) || //\n CBS_len(&proto) == 0) {\n return false;\n }\n }\n\n // |orig_len| fits in |unsigned| because TLS extensions use 16-bit lengths.\n uint8_t *selected;\n uint8_t selected_len;\n if (ssl->ctx->next_proto_select_cb(\n ssl, &selected, &selected_len, orig_contents,\n static_cast(orig_len),\n ssl->ctx->next_proto_select_cb_arg) != SSL_TLSEXT_ERR_OK ||\n !ssl->s3->next_proto_negotiated.CopyFrom(Span(selected, selected_len))) {\n *out_alert = SSL_AD_INTERNAL_ERROR;\n return false;\n }\n\n hs->next_proto_neg_seen = true;\n return true;\n}\n\nstatic bool ext_npn_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert,\n CBS *contents) {\n SSL *const ssl = hs->ssl;\n if (ssl_protocol_version(ssl) >= TLS1_3_VERSION) {\n return true;\n }\n\n if (contents != NULL && CBS_len(contents) != 0) {\n return false;\n }\n\n if (contents == NULL || //\n ssl->s3->initial_handshake_complete || //\n ssl->ctx->next_protos_advertised_cb == NULL || //\n SSL_is_dtls(ssl)) {\n return true;\n }\n\n hs->next_proto_neg_seen = true;\n return true;\n}\n\nstatic bool ext_npn_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {\n SSL *const ssl = hs->ssl;\n // |next_proto_neg_seen| might have been cleared when an ALPN extension was\n // parsed.\n if (!hs->next_proto_neg_seen) {\n return true;\n }\n\n const uint8_t *npa;\n unsigned npa_len;\n\n if (ssl->ctx->next_protos_advertised_cb(\n ssl, &npa, &npa_len, ssl->ctx->next_protos_advertised_cb_arg) !=\n SSL_TLSEXT_ERR_OK) {\n hs->next_proto_neg_seen = false;\n return true;\n }\n\n CBB contents;\n if (!CBB_add_u16(out, TLSEXT_TYPE_next_proto_neg) || //\n !CBB_add_u16_length_prefixed(out, &contents) || //\n !CBB_add_bytes(&contents, npa, npa_len) || //\n !CBB_flush(out)) {\n return false;\n }\n\n return true;\n}\n\n\n// Signed certificate timestamps.\n//\n// https://tools.ietf.org/html/rfc6962#section-3.3.1\n\nstatic bool ext_sct_add_clienthello(const SSL_HANDSHAKE *hs, CBB *out,\n CBB *out_compressible,\n ssl_client_hello_type_t type) {\n if (!hs->config->signed_cert_timestamps_enabled) {\n return true;\n }\n\n if (!CBB_add_u16(out_compressible, TLSEXT_TYPE_certificate_timestamp) ||\n !CBB_add_u16(out_compressible, 0 /* length */)) {\n return false;\n }\n\n return true;\n}\n\nstatic bool ext_sct_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert,\n CBS *contents) {\n SSL *const ssl = hs->ssl;\n if (contents == NULL) {\n return true;\n }\n\n // TLS 1.3 SCTs are included in the Certificate extensions.\n if (ssl_protocol_version(ssl) >= TLS1_3_VERSION) {\n *out_alert = SSL_AD_DECODE_ERROR;\n return false;\n }\n\n // If this is false then we should never have sent the SCT extension in the\n // ClientHello and thus this function should never have been called.\n assert(hs->config->signed_cert_timestamps_enabled);\n\n if (!ssl_is_sct_list_valid(contents)) {\n *out_alert = SSL_AD_DECODE_ERROR;\n return false;\n }\n\n // Session resumption uses the original session information. The extension\n // should not be sent on resumption, but RFC 6962 did not make it a\n // requirement, so tolerate this.\n //\n // TODO(davidben): Enforce this anyway.\n if (!ssl->s3->session_reused) {\n hs->new_session->signed_cert_timestamp_list.reset(\n CRYPTO_BUFFER_new_from_CBS(contents, ssl->ctx->pool));\n if (hs->new_session->signed_cert_timestamp_list == nullptr) {\n *out_alert = SSL_AD_INTERNAL_ERROR;\n return false;\n }\n }\n\n return true;\n}\n\nstatic bool ext_sct_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert,\n CBS *contents) {\n if (contents == NULL) {\n return true;\n }\n\n if (CBS_len(contents) != 0) {\n return false;\n }\n\n hs->scts_requested = true;\n return true;\n}\n\nstatic bool ext_sct_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {\n SSL *const ssl = hs->ssl;\n assert(hs->scts_requested);\n // The extension shouldn't be sent when resuming sessions.\n if (ssl_protocol_version(ssl) >= TLS1_3_VERSION || ssl->s3->session_reused ||\n !ssl_cipher_uses_certificate_auth(hs->new_cipher) ||\n hs->credential->signed_cert_timestamp_list == nullptr) {\n return true;\n }\n\n CBB contents;\n return CBB_add_u16(out, TLSEXT_TYPE_certificate_timestamp) &&\n CBB_add_u16_length_prefixed(out, &contents) &&\n CBB_add_bytes(&contents,\n CRYPTO_BUFFER_data(\n hs->credential->signed_cert_timestamp_list.get()),\n CRYPTO_BUFFER_len(\n hs->credential->signed_cert_timestamp_list.get())) &&\n CBB_flush(out);\n}\n\n\n// Application-level Protocol Negotiation.\n//\n// https://tools.ietf.org/html/rfc7301\n\nstatic bool ext_alpn_add_clienthello(const SSL_HANDSHAKE *hs, CBB *out,\n CBB *out_compressible,\n ssl_client_hello_type_t type) {\n const SSL *const ssl = hs->ssl;\n if (hs->config->alpn_client_proto_list.empty() && SSL_is_quic(ssl)) {\n // ALPN MUST be used with QUIC.\n OPENSSL_PUT_ERROR(SSL, SSL_R_NO_APPLICATION_PROTOCOL);\n return false;\n }\n\n if (hs->config->alpn_client_proto_list.empty() ||\n ssl->s3->initial_handshake_complete) {\n return true;\n }\n\n CBB contents, proto_list;\n if (!CBB_add_u16(out_compressible,\n TLSEXT_TYPE_application_layer_protocol_negotiation) ||\n !CBB_add_u16_length_prefixed(out_compressible, &contents) ||\n !CBB_add_u16_length_prefixed(&contents, &proto_list) ||\n !CBB_add_bytes(&proto_list, hs->config->alpn_client_proto_list.data(),\n hs->config->alpn_client_proto_list.size()) ||\n !CBB_flush(out_compressible)) {\n return false;\n }\n\n return true;\n}\n\nstatic bool ext_alpn_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert,\n CBS *contents) {\n SSL *const ssl = hs->ssl;\n if (contents == NULL) {\n if (SSL_is_quic(ssl)) {\n // ALPN is required when QUIC is used.\n OPENSSL_PUT_ERROR(SSL, SSL_R_NO_APPLICATION_PROTOCOL);\n *out_alert = SSL_AD_NO_APPLICATION_PROTOCOL;\n return false;\n }\n return true;\n }\n\n assert(!ssl->s3->initial_handshake_complete);\n assert(!hs->config->alpn_client_proto_list.empty());\n\n if (hs->next_proto_neg_seen) {\n // NPN and ALPN may not be negotiated in the same connection.\n *out_alert = SSL_AD_ILLEGAL_PARAMETER;\n OPENSSL_PUT_ERROR(SSL, SSL_R_NEGOTIATED_BOTH_NPN_AND_ALPN);\n return false;\n }\n\n // The extension data consists of a ProtocolNameList which must have\n // exactly one ProtocolName. Each of these is length-prefixed.\n CBS protocol_name_list, protocol_name;\n if (!CBS_get_u16_length_prefixed(contents, &protocol_name_list) || //\n CBS_len(contents) != 0 || //\n !CBS_get_u8_length_prefixed(&protocol_name_list, &protocol_name) || //\n // Empty protocol names are forbidden.\n CBS_len(&protocol_name) == 0 || //\n CBS_len(&protocol_name_list) != 0) {\n return false;\n }\n\n if (!ssl_is_alpn_protocol_allowed(hs, protocol_name)) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_ALPN_PROTOCOL);\n *out_alert = SSL_AD_ILLEGAL_PARAMETER;\n return false;\n }\n\n if (!ssl->s3->alpn_selected.CopyFrom(protocol_name)) {\n *out_alert = SSL_AD_INTERNAL_ERROR;\n return false;\n }\n\n return true;\n}\n\nbool ssl_is_valid_alpn_list(Span in) {\n CBS protocol_name_list = in;\n if (CBS_len(&protocol_name_list) == 0) {\n return false;\n }\n while (CBS_len(&protocol_name_list) > 0) {\n CBS protocol_name;\n if (!CBS_get_u8_length_prefixed(&protocol_name_list, &protocol_name) ||\n // Empty protocol names are forbidden.\n CBS_len(&protocol_name) == 0) {\n return false;\n }\n }\n return true;\n}\n\nbool ssl_is_alpn_protocol_allowed(const SSL_HANDSHAKE *hs,\n Span protocol) {\n if (hs->config->alpn_client_proto_list.empty()) {\n return false;\n }\n\n if (hs->ssl->ctx->allow_unknown_alpn_protos) {\n return true;\n }\n\n // Check that the protocol name is one of the ones we advertised.\n return ssl_alpn_list_contains_protocol(hs->config->alpn_client_proto_list,\n protocol);\n}\n\nbool ssl_alpn_list_contains_protocol(Span list,\n Span protocol) {\n CBS cbs = list, candidate;\n while (CBS_len(&cbs) > 0) {\n if (!CBS_get_u8_length_prefixed(&cbs, &candidate)) {\n return false;\n }\n\n if (candidate == protocol) {\n return true;\n }\n }\n\n return false;\n}\n\nbool ssl_negotiate_alpn(SSL_HANDSHAKE *hs, uint8_t *out_alert,\n const SSL_CLIENT_HELLO *client_hello) {\n SSL *const ssl = hs->ssl;\n CBS contents;\n if (ssl->ctx->alpn_select_cb == NULL ||\n !ssl_client_hello_get_extension(\n client_hello, &contents,\n TLSEXT_TYPE_application_layer_protocol_negotiation)) {\n if (SSL_is_quic(ssl)) {\n // ALPN is required when QUIC is used.\n OPENSSL_PUT_ERROR(SSL, SSL_R_NO_APPLICATION_PROTOCOL);\n *out_alert = SSL_AD_NO_APPLICATION_PROTOCOL;\n return false;\n }\n // Ignore ALPN if not configured or no extension was supplied.\n return true;\n }\n\n // ALPN takes precedence over NPN.\n hs->next_proto_neg_seen = false;\n\n CBS protocol_name_list;\n if (!CBS_get_u16_length_prefixed(&contents, &protocol_name_list) || //\n CBS_len(&contents) != 0 || //\n !ssl_is_valid_alpn_list(protocol_name_list)) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_PARSE_TLSEXT);\n *out_alert = SSL_AD_DECODE_ERROR;\n return false;\n }\n\n // |protocol_name_list| fits in |unsigned| because TLS extensions use 16-bit\n // lengths.\n const uint8_t *selected;\n uint8_t selected_len;\n int ret = ssl->ctx->alpn_select_cb(\n ssl, &selected, &selected_len, CBS_data(&protocol_name_list),\n static_cast(CBS_len(&protocol_name_list)),\n ssl->ctx->alpn_select_cb_arg);\n // ALPN is required when QUIC is used.\n if (SSL_is_quic(ssl) &&\n (ret == SSL_TLSEXT_ERR_NOACK || ret == SSL_TLSEXT_ERR_ALERT_WARNING)) {\n ret = SSL_TLSEXT_ERR_ALERT_FATAL;\n }\n switch (ret) {\n case SSL_TLSEXT_ERR_OK:\n if (selected_len == 0) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_ALPN_PROTOCOL);\n *out_alert = SSL_AD_INTERNAL_ERROR;\n return false;\n }\n if (!ssl->s3->alpn_selected.CopyFrom(Span(selected, selected_len))) {\n *out_alert = SSL_AD_INTERNAL_ERROR;\n return false;\n }\n break;\n case SSL_TLSEXT_ERR_NOACK:\n case SSL_TLSEXT_ERR_ALERT_WARNING:\n break;\n case SSL_TLSEXT_ERR_ALERT_FATAL:\n *out_alert = SSL_AD_NO_APPLICATION_PROTOCOL;\n OPENSSL_PUT_ERROR(SSL, SSL_R_NO_APPLICATION_PROTOCOL);\n return false;\n default:\n // Invalid return value.\n *out_alert = SSL_AD_INTERNAL_ERROR;\n OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);\n return false;\n }\n\n return true;\n}\n\nstatic bool ext_alpn_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {\n SSL *const ssl = hs->ssl;\n if (ssl->s3->alpn_selected.empty()) {\n return true;\n }\n\n CBB contents, proto_list, proto;\n if (!CBB_add_u16(out, TLSEXT_TYPE_application_layer_protocol_negotiation) ||\n !CBB_add_u16_length_prefixed(out, &contents) ||\n !CBB_add_u16_length_prefixed(&contents, &proto_list) ||\n !CBB_add_u8_length_prefixed(&proto_list, &proto) ||\n !CBB_add_bytes(&proto, ssl->s3->alpn_selected.data(),\n ssl->s3->alpn_selected.size()) ||\n !CBB_flush(out)) {\n return false;\n }\n\n return true;\n}\n\n\n// Channel ID.\n//\n// https://tools.ietf.org/html/draft-balfanz-tls-channelid-01\n\nstatic bool ext_channel_id_add_clienthello(const SSL_HANDSHAKE *hs, CBB *out,\n CBB *out_compressible,\n ssl_client_hello_type_t type) {\n const SSL *const ssl = hs->ssl;\n if (!hs->config->channel_id_private || SSL_is_dtls(ssl) ||\n // Don't offer Channel ID in ClientHelloOuter. ClientHelloOuter handshakes\n // are not authenticated for the name that can learn the Channel ID.\n //\n // We could alternatively offer the extension but sign with a random key.\n // For other extensions, we try to align |ssl_client_hello_outer| and\n // |ssl_client_hello_unencrypted|, to improve the effectiveness of ECH\n // GREASE. However, Channel ID is deprecated and unlikely to be used with\n // ECH, so do the simplest thing.\n type == ssl_client_hello_outer) {\n return true;\n }\n\n if (!CBB_add_u16(out, TLSEXT_TYPE_channel_id) ||\n !CBB_add_u16(out, 0 /* length */)) {\n return false;\n }\n\n return true;\n}\n\nstatic bool ext_channel_id_parse_serverhello(SSL_HANDSHAKE *hs,\n uint8_t *out_alert,\n CBS *contents) {\n if (contents == NULL) {\n return true;\n }\n\n assert(!SSL_is_dtls(hs->ssl));\n assert(hs->config->channel_id_private);\n\n if (CBS_len(contents) != 0) {\n return false;\n }\n\n hs->channel_id_negotiated = true;\n return true;\n}\n\nstatic bool ext_channel_id_parse_clienthello(SSL_HANDSHAKE *hs,\n uint8_t *out_alert,\n CBS *contents) {\n SSL *const ssl = hs->ssl;\n if (contents == NULL || !hs->config->channel_id_enabled || SSL_is_dtls(ssl)) {\n return true;\n }\n\n if (CBS_len(contents) != 0) {\n return false;\n }\n\n hs->channel_id_negotiated = true;\n return true;\n}\n\nstatic bool ext_channel_id_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {\n if (!hs->channel_id_negotiated) {\n return true;\n }\n\n if (!CBB_add_u16(out, TLSEXT_TYPE_channel_id) ||\n !CBB_add_u16(out, 0 /* length */)) {\n return false;\n }\n\n return true;\n}\n\n\n// Secure Real-time Transport Protocol (SRTP) extension.\n//\n// https://tools.ietf.org/html/rfc5764\n\nstatic bool ext_srtp_add_clienthello(const SSL_HANDSHAKE *hs, CBB *out,\n CBB *out_compressible,\n ssl_client_hello_type_t type) {\n const SSL *const ssl = hs->ssl;\n const STACK_OF(SRTP_PROTECTION_PROFILE) *profiles =\n SSL_get_srtp_profiles(ssl);\n if (profiles == NULL || //\n sk_SRTP_PROTECTION_PROFILE_num(profiles) == 0 || //\n !SSL_is_dtls(ssl)) {\n return true;\n }\n\n CBB contents, profile_ids;\n if (!CBB_add_u16(out_compressible, TLSEXT_TYPE_srtp) ||\n !CBB_add_u16_length_prefixed(out_compressible, &contents) ||\n !CBB_add_u16_length_prefixed(&contents, &profile_ids)) {\n return false;\n }\n\n for (const SRTP_PROTECTION_PROFILE *profile : profiles) {\n if (!CBB_add_u16(&profile_ids, profile->id)) {\n return false;\n }\n }\n\n if (!CBB_add_u8(&contents, 0 /* empty use_mki value */) ||\n !CBB_flush(out_compressible)) {\n return false;\n }\n\n return true;\n}\n\nstatic bool ext_srtp_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert,\n CBS *contents) {\n SSL *const ssl = hs->ssl;\n if (contents == NULL) {\n return true;\n }\n\n // The extension consists of a u16-prefixed profile ID list containing a\n // single uint16_t profile ID, then followed by a u8-prefixed srtp_mki field.\n //\n // See https://tools.ietf.org/html/rfc5764#section-4.1.1\n assert(SSL_is_dtls(ssl));\n CBS profile_ids, srtp_mki;\n uint16_t profile_id;\n if (!CBS_get_u16_length_prefixed(contents, &profile_ids) || //\n !CBS_get_u16(&profile_ids, &profile_id) || //\n CBS_len(&profile_ids) != 0 || //\n !CBS_get_u8_length_prefixed(contents, &srtp_mki) || //\n CBS_len(contents) != 0) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);\n return false;\n }\n\n if (CBS_len(&srtp_mki) != 0) {\n // Must be no MKI, since we never offer one.\n OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_SRTP_MKI_VALUE);\n *out_alert = SSL_AD_ILLEGAL_PARAMETER;\n return false;\n }\n\n // Check to see if the server gave us something we support and offered.\n for (const SRTP_PROTECTION_PROFILE *profile : SSL_get_srtp_profiles(ssl)) {\n if (profile->id == profile_id) {\n ssl->s3->srtp_profile = profile;\n return true;\n }\n }\n\n OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);\n *out_alert = SSL_AD_ILLEGAL_PARAMETER;\n return false;\n}\n\nstatic bool ext_srtp_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert,\n CBS *contents) {\n SSL *const ssl = hs->ssl;\n // DTLS-SRTP is only defined for DTLS.\n if (contents == NULL || !SSL_is_dtls(ssl)) {\n return true;\n }\n\n CBS profile_ids, srtp_mki;\n if (!CBS_get_u16_length_prefixed(contents, &profile_ids) ||\n CBS_len(&profile_ids) < 2 ||\n !CBS_get_u8_length_prefixed(contents, &srtp_mki) ||\n CBS_len(contents) != 0) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);\n return false;\n }\n // Discard the MKI value for now.\n\n const STACK_OF(SRTP_PROTECTION_PROFILE) *server_profiles =\n SSL_get_srtp_profiles(ssl);\n\n // Pick the server's most preferred profile.\n for (const SRTP_PROTECTION_PROFILE *server_profile : server_profiles) {\n CBS profile_ids_tmp;\n CBS_init(&profile_ids_tmp, CBS_data(&profile_ids), CBS_len(&profile_ids));\n\n while (CBS_len(&profile_ids_tmp) > 0) {\n uint16_t profile_id;\n if (!CBS_get_u16(&profile_ids_tmp, &profile_id)) {\n return false;\n }\n\n if (server_profile->id == profile_id) {\n ssl->s3->srtp_profile = server_profile;\n return true;\n }\n }\n }\n\n return true;\n}\n\nstatic bool ext_srtp_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {\n SSL *const ssl = hs->ssl;\n if (ssl->s3->srtp_profile == NULL) {\n return true;\n }\n\n assert(SSL_is_dtls(ssl));\n CBB contents, profile_ids;\n if (!CBB_add_u16(out, TLSEXT_TYPE_srtp) ||\n !CBB_add_u16_length_prefixed(out, &contents) ||\n !CBB_add_u16_length_prefixed(&contents, &profile_ids) ||\n !CBB_add_u16(&profile_ids, ssl->s3->srtp_profile->id) ||\n !CBB_add_u8(&contents, 0 /* empty MKI */) || !CBB_flush(out)) {\n return false;\n }\n\n return true;\n}\n\n\n// EC point formats.\n//\n// https://tools.ietf.org/html/rfc4492#section-5.1.2\n\nstatic bool ext_ec_point_add_extension(const SSL_HANDSHAKE *hs, CBB *out) {\n CBB contents, formats;\n if (!CBB_add_u16(out, TLSEXT_TYPE_ec_point_formats) ||\n !CBB_add_u16_length_prefixed(out, &contents) ||\n !CBB_add_u8_length_prefixed(&contents, &formats) ||\n !CBB_add_u8(&formats, TLSEXT_ECPOINTFORMAT_uncompressed) ||\n !CBB_flush(out)) {\n return false;\n }\n\n return true;\n}\n\nstatic bool ext_ec_point_add_clienthello(const SSL_HANDSHAKE *hs, CBB *out,\n CBB *out_compressible,\n ssl_client_hello_type_t type) {\n // The point format extension is unnecessary in TLS 1.3.\n if (hs->min_version >= TLS1_3_VERSION || type == ssl_client_hello_inner) {\n return true;\n }\n\n return ext_ec_point_add_extension(hs, out);\n}\n\nstatic bool ext_ec_point_parse_serverhello(SSL_HANDSHAKE *hs,\n uint8_t *out_alert, CBS *contents) {\n if (contents == NULL) {\n return true;\n }\n\n if (ssl_protocol_version(hs->ssl) >= TLS1_3_VERSION) {\n return false;\n }\n\n CBS ec_point_format_list;\n if (!CBS_get_u8_length_prefixed(contents, &ec_point_format_list) ||\n CBS_len(contents) != 0) {\n return false;\n }\n\n // Per RFC 4492, section 5.1.2, implementations MUST support the uncompressed\n // point format.\n if (OPENSSL_memchr(CBS_data(&ec_point_format_list),\n TLSEXT_ECPOINTFORMAT_uncompressed,\n CBS_len(&ec_point_format_list)) == NULL) {\n *out_alert = SSL_AD_ILLEGAL_PARAMETER;\n return false;\n }\n\n return true;\n}\n\nstatic bool ext_ec_point_parse_clienthello(SSL_HANDSHAKE *hs,\n uint8_t *out_alert, CBS *contents) {\n if (ssl_protocol_version(hs->ssl) >= TLS1_3_VERSION) {\n return true;\n }\n\n return ext_ec_point_parse_serverhello(hs, out_alert, contents);\n}\n\nstatic bool ext_ec_point_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {\n SSL *const ssl = hs->ssl;\n if (ssl_protocol_version(ssl) >= TLS1_3_VERSION) {\n return true;\n }\n\n const uint32_t alg_k = hs->new_cipher->algorithm_mkey;\n const uint32_t alg_a = hs->new_cipher->algorithm_auth;\n const bool using_ecc = (alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA);\n\n if (!using_ecc) {\n return true;\n }\n\n return ext_ec_point_add_extension(hs, out);\n}\n\n\n// Pre Shared Key\n//\n// https://tools.ietf.org/html/rfc8446#section-4.2.11\n\nstatic bool should_offer_psk(const SSL_HANDSHAKE *hs,\n ssl_client_hello_type_t type) {\n const SSL *const ssl = hs->ssl;\n if (hs->max_version < TLS1_3_VERSION || ssl->session == nullptr ||\n ssl_session_get_type(ssl->session.get()) !=\n SSLSessionType::kPreSharedKey ||\n // TODO(https://crbug.com/boringssl/275): Should we synthesize a\n // placeholder PSK, at least when we offer early data? Otherwise\n // ClientHelloOuter will contain an early_data extension without a\n // pre_shared_key extension and potentially break the recovery flow.\n type == ssl_client_hello_outer) {\n return false;\n }\n\n // Per RFC 8446 section 4.1.4, skip offering the session if the selected\n // cipher in HelloRetryRequest does not match. This avoids performing the\n // transcript hash transformation for multiple hashes.\n if (ssl->s3->used_hello_retry_request &&\n ssl->session->cipher->algorithm_prf != hs->new_cipher->algorithm_prf) {\n return false;\n }\n\n return true;\n}\n\nstatic size_t ext_pre_shared_key_clienthello_length(\n const SSL_HANDSHAKE *hs, ssl_client_hello_type_t type) {\n const SSL *const ssl = hs->ssl;\n if (!should_offer_psk(hs, type)) {\n return 0;\n }\n\n size_t binder_len = EVP_MD_size(ssl_session_get_digest(ssl->session.get()));\n return 15 + ssl->session->ticket.size() + binder_len;\n}\n\nstatic bool ext_pre_shared_key_add_clienthello(const SSL_HANDSHAKE *hs,\n CBB *out, bool *out_needs_binder,\n ssl_client_hello_type_t type) {\n const SSL *const ssl = hs->ssl;\n *out_needs_binder = false;\n if (!should_offer_psk(hs, type)) {\n return true;\n }\n\n OPENSSL_timeval now = ssl_ctx_get_current_time(ssl->ctx.get());\n uint32_t ticket_age = 1000 * (now.tv_sec - ssl->session->time);\n uint32_t obfuscated_ticket_age = ticket_age + ssl->session->ticket_age_add;\n\n // Fill in a placeholder zero binder of the appropriate length. It will be\n // computed and filled in later after length prefixes are computed.\n size_t binder_len = EVP_MD_size(ssl_session_get_digest(ssl->session.get()));\n\n CBB contents, identity, ticket, binders, binder;\n if (!CBB_add_u16(out, TLSEXT_TYPE_pre_shared_key) ||\n !CBB_add_u16_length_prefixed(out, &contents) ||\n !CBB_add_u16_length_prefixed(&contents, &identity) ||\n !CBB_add_u16_length_prefixed(&identity, &ticket) ||\n !CBB_add_bytes(&ticket, ssl->session->ticket.data(),\n ssl->session->ticket.size()) ||\n !CBB_add_u32(&identity, obfuscated_ticket_age) ||\n !CBB_add_u16_length_prefixed(&contents, &binders) ||\n !CBB_add_u8_length_prefixed(&binders, &binder) ||\n !CBB_add_zeros(&binder, binder_len)) {\n return false;\n }\n\n *out_needs_binder = true;\n return CBB_flush(out);\n}\n\nbool ssl_ext_pre_shared_key_parse_serverhello(SSL_HANDSHAKE *hs,\n uint8_t *out_alert,\n CBS *contents) {\n uint16_t psk_id;\n if (!CBS_get_u16(contents, &psk_id) || //\n CBS_len(contents) != 0) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);\n *out_alert = SSL_AD_DECODE_ERROR;\n return false;\n }\n\n // We only advertise one PSK identity, so the only legal index is zero.\n if (psk_id != 0) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_PSK_IDENTITY_NOT_FOUND);\n *out_alert = SSL_AD_UNKNOWN_PSK_IDENTITY;\n return false;\n }\n\n return true;\n}\n\nbool ssl_ext_pre_shared_key_parse_clienthello(\n SSL_HANDSHAKE *hs, CBS *out_ticket, CBS *out_binders,\n uint32_t *out_obfuscated_ticket_age, uint8_t *out_alert,\n const SSL_CLIENT_HELLO *client_hello, CBS *contents) {\n // Verify that the pre_shared_key extension is the last extension in\n // ClientHello.\n if (CBS_data(contents) + CBS_len(contents) !=\n client_hello->extensions + client_hello->extensions_len) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_PRE_SHARED_KEY_MUST_BE_LAST);\n *out_alert = SSL_AD_ILLEGAL_PARAMETER;\n return false;\n }\n\n // We only process the first PSK identity since we don't support pure PSK.\n CBS identities, binders;\n if (!CBS_get_u16_length_prefixed(contents, &identities) || //\n !CBS_get_u16_length_prefixed(&identities, out_ticket) || //\n !CBS_get_u32(&identities, out_obfuscated_ticket_age) || //\n !CBS_get_u16_length_prefixed(contents, &binders) || //\n CBS_len(&binders) == 0 || //\n CBS_len(contents) != 0) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);\n *out_alert = SSL_AD_DECODE_ERROR;\n return false;\n }\n\n *out_binders = binders;\n\n // Check the syntax of the remaining identities, but do not process them.\n size_t num_identities = 1;\n while (CBS_len(&identities) != 0) {\n CBS unused_ticket;\n uint32_t unused_obfuscated_ticket_age;\n if (!CBS_get_u16_length_prefixed(&identities, &unused_ticket) ||\n !CBS_get_u32(&identities, &unused_obfuscated_ticket_age)) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);\n *out_alert = SSL_AD_DECODE_ERROR;\n return false;\n }\n\n num_identities++;\n }\n\n // Check the syntax of the binders. The value will be checked later if\n // resuming.\n size_t num_binders = 0;\n while (CBS_len(&binders) != 0) {\n CBS binder;\n if (!CBS_get_u8_length_prefixed(&binders, &binder)) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);\n *out_alert = SSL_AD_DECODE_ERROR;\n return false;\n }\n\n num_binders++;\n }\n\n if (num_identities != num_binders) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_PSK_IDENTITY_BINDER_COUNT_MISMATCH);\n *out_alert = SSL_AD_ILLEGAL_PARAMETER;\n return false;\n }\n\n return true;\n}\n\nbool ssl_ext_pre_shared_key_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {\n if (!hs->ssl->s3->session_reused) {\n return true;\n }\n\n CBB contents;\n if (!CBB_add_u16(out, TLSEXT_TYPE_pre_shared_key) || //\n !CBB_add_u16_length_prefixed(out, &contents) || //\n // We only consider the first identity for resumption\n !CBB_add_u16(&contents, 0) || //\n !CBB_flush(out)) {\n return false;\n }\n\n return true;\n}\n\n\n// Pre-Shared Key Exchange Modes\n//\n// https://tools.ietf.org/html/rfc8446#section-4.2.9\n\nstatic bool ext_psk_key_exchange_modes_add_clienthello(\n const SSL_HANDSHAKE *hs, CBB *out, CBB *out_compressible,\n ssl_client_hello_type_t type) {\n if (hs->max_version < TLS1_3_VERSION) {\n return true;\n }\n\n CBB contents, ke_modes;\n if (!CBB_add_u16(out_compressible, TLSEXT_TYPE_psk_key_exchange_modes) ||\n !CBB_add_u16_length_prefixed(out_compressible, &contents) ||\n !CBB_add_u8_length_prefixed(&contents, &ke_modes) ||\n !CBB_add_u8(&ke_modes, SSL_PSK_DHE_KE)) {\n return false;\n }\n\n return CBB_flush(out_compressible);\n}\n\nstatic bool ext_psk_key_exchange_modes_parse_clienthello(SSL_HANDSHAKE *hs,\n uint8_t *out_alert,\n CBS *contents) {\n if (contents == NULL) {\n return true;\n }\n\n CBS ke_modes;\n if (!CBS_get_u8_length_prefixed(contents, &ke_modes) || //\n CBS_len(&ke_modes) == 0 || //\n CBS_len(contents) != 0) {\n *out_alert = SSL_AD_DECODE_ERROR;\n return false;\n }\n\n // We only support tickets with PSK_DHE_KE.\n hs->accept_psk_mode = OPENSSL_memchr(CBS_data(&ke_modes), SSL_PSK_DHE_KE,\n CBS_len(&ke_modes)) != NULL;\n\n return true;\n}\n\n\n// Early Data Indication\n//\n// https://tools.ietf.org/html/rfc8446#section-4.2.10\n\nstatic bool ext_early_data_add_clienthello(const SSL_HANDSHAKE *hs, CBB *out,\n CBB *out_compressible,\n ssl_client_hello_type_t type) {\n const SSL *const ssl = hs->ssl;\n // The second ClientHello never offers early data, and we must have already\n // filled in |early_data_reason| by this point.\n if (ssl->s3->used_hello_retry_request) {\n assert(ssl->s3->early_data_reason != ssl_early_data_unknown);\n return true;\n }\n\n if (!hs->early_data_offered) {\n return true;\n }\n\n // If offering ECH, the extension only applies to ClientHelloInner, but we\n // send the extension in both ClientHellos. This ensures that, if the server\n // handshakes with ClientHelloOuter, it can skip past early data. See\n // draft-ietf-tls-esni-13, section 6.1.\n if (!CBB_add_u16(out_compressible, TLSEXT_TYPE_early_data) || //\n !CBB_add_u16(out_compressible, 0) || //\n !CBB_flush(out_compressible)) {\n return false;\n }\n\n return true;\n}\n\nstatic bool ext_early_data_parse_serverhello(SSL_HANDSHAKE *hs,\n uint8_t *out_alert,\n CBS *contents) {\n SSL *const ssl = hs->ssl;\n if (contents == NULL) {\n if (hs->early_data_offered && !ssl->s3->used_hello_retry_request) {\n ssl->s3->early_data_reason = ssl->s3->session_reused\n ? ssl_early_data_peer_declined\n : ssl_early_data_session_not_resumed;\n } else {\n // We already filled in |early_data_reason| when declining to offer 0-RTT\n // or handling the implicit HelloRetryRequest reject.\n assert(ssl->s3->early_data_reason != ssl_early_data_unknown);\n }\n return true;\n }\n\n // If we received an HRR, the second ClientHello never offers early data, so\n // the extensions logic will automatically reject early data extensions as\n // unsolicited. This covered by the ServerAcceptsEarlyDataOnHRR test.\n assert(!ssl->s3->used_hello_retry_request);\n\n if (CBS_len(contents) != 0) {\n *out_alert = SSL_AD_DECODE_ERROR;\n return false;\n }\n\n if (!ssl->s3->session_reused) {\n *out_alert = SSL_AD_UNSUPPORTED_EXTENSION;\n OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION);\n return false;\n }\n\n ssl->s3->early_data_reason = ssl_early_data_accepted;\n ssl->s3->early_data_accepted = true;\n return true;\n}\n\nstatic bool ext_early_data_parse_clienthello(SSL_HANDSHAKE *hs,\n uint8_t *out_alert,\n CBS *contents) {\n SSL *const ssl = hs->ssl;\n if (contents == NULL || ssl_protocol_version(ssl) < TLS1_3_VERSION) {\n return true;\n }\n\n if (CBS_len(contents) != 0) {\n *out_alert = SSL_AD_DECODE_ERROR;\n return false;\n }\n\n hs->early_data_offered = true;\n return true;\n}\n\nstatic bool ext_early_data_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {\n if (!hs->ssl->s3->early_data_accepted) {\n return true;\n }\n\n if (!CBB_add_u16(out, TLSEXT_TYPE_early_data) || //\n !CBB_add_u16(out, 0) || //\n !CBB_flush(out)) {\n return false;\n }\n\n return true;\n}\n\n\n// Key Share\n//\n// https://tools.ietf.org/html/rfc8446#section-4.2.8\n\nbool ssl_setup_key_shares(SSL_HANDSHAKE *hs, uint16_t override_group_id) {\n SSL *const ssl = hs->ssl;\n hs->key_shares[0].reset();\n hs->key_shares[1].reset();\n hs->key_share_bytes.Reset();\n\n if (hs->max_version < TLS1_3_VERSION) {\n return true;\n }\n\n bssl::ScopedCBB cbb;\n if (!CBB_init(cbb.get(), 64)) {\n return false;\n }\n\n if (override_group_id == 0 && ssl->ctx->grease_enabled) {\n // Add a fake group. See RFC 8701.\n if (!CBB_add_u16(cbb.get(), ssl_get_grease_value(hs, ssl_grease_group)) ||\n !CBB_add_u16(cbb.get(), 1 /* length */) ||\n !CBB_add_u8(cbb.get(), 0 /* one byte key share */)) {\n return false;\n }\n }\n\n uint16_t group_id = override_group_id;\n uint16_t second_group_id = 0;\n if (override_group_id == 0) {\n // Predict the most preferred group.\n Span groups = tls1_get_grouplist(hs);\n if (groups.empty()) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_NO_GROUPS_SPECIFIED);\n return false;\n }\n\n group_id = groups[0];\n\n // We'll try to include one post-quantum and one classical initial key\n // share.\n for (size_t i = 1; i < groups.size() && second_group_id == 0; i++) {\n if (is_post_quantum_group(group_id) != is_post_quantum_group(groups[i])) {\n second_group_id = groups[i];\n assert(second_group_id != group_id);\n }\n }\n }\n\n CBB key_exchange;\n hs->key_shares[0] = SSLKeyShare::Create(group_id);\n if (!hs->key_shares[0] || //\n !CBB_add_u16(cbb.get(), group_id) ||\n !CBB_add_u16_length_prefixed(cbb.get(), &key_exchange) ||\n !hs->key_shares[0]->Generate(&key_exchange)) {\n return false;\n }\n\n if (second_group_id != 0) {\n hs->key_shares[1] = SSLKeyShare::Create(second_group_id);\n if (!hs->key_shares[1] || //\n !CBB_add_u16(cbb.get(), second_group_id) ||\n !CBB_add_u16_length_prefixed(cbb.get(), &key_exchange) ||\n !hs->key_shares[1]->Generate(&key_exchange)) {\n return false;\n }\n }\n\n return CBBFinishArray(cbb.get(), &hs->key_share_bytes);\n}\n\nstatic bool ext_key_share_add_clienthello(const SSL_HANDSHAKE *hs, CBB *out,\n CBB *out_compressible,\n ssl_client_hello_type_t type) {\n if (hs->max_version < TLS1_3_VERSION) {\n return true;\n }\n\n assert(!hs->key_share_bytes.empty());\n CBB contents, kse_bytes;\n if (!CBB_add_u16(out_compressible, TLSEXT_TYPE_key_share) ||\n !CBB_add_u16_length_prefixed(out_compressible, &contents) ||\n !CBB_add_u16_length_prefixed(&contents, &kse_bytes) ||\n !CBB_add_bytes(&kse_bytes, hs->key_share_bytes.data(),\n hs->key_share_bytes.size()) ||\n !CBB_flush(out_compressible)) {\n return false;\n }\n\n return true;\n}\n\nbool ssl_ext_key_share_parse_serverhello(SSL_HANDSHAKE *hs,\n Array *out_secret,\n uint8_t *out_alert, CBS *contents) {\n CBS ciphertext;\n uint16_t group_id;\n if (!CBS_get_u16(contents, &group_id) ||\n !CBS_get_u16_length_prefixed(contents, &ciphertext) ||\n CBS_len(contents) != 0) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);\n *out_alert = SSL_AD_DECODE_ERROR;\n return false;\n }\n\n SSLKeyShare *key_share = hs->key_shares[0].get();\n if (key_share->GroupID() != group_id) {\n if (!hs->key_shares[1] || hs->key_shares[1]->GroupID() != group_id) {\n *out_alert = SSL_AD_ILLEGAL_PARAMETER;\n OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CURVE);\n return false;\n }\n key_share = hs->key_shares[1].get();\n }\n\n if (!key_share->Decap(out_secret, out_alert, ciphertext)) {\n *out_alert = SSL_AD_INTERNAL_ERROR;\n return false;\n }\n\n hs->new_session->group_id = group_id;\n hs->key_shares[0].reset();\n hs->key_shares[1].reset();\n return true;\n}\n\nbool ssl_ext_key_share_parse_clienthello(SSL_HANDSHAKE *hs, bool *out_found,\n Span *out_peer_key,\n uint8_t *out_alert,\n const SSL_CLIENT_HELLO *client_hello) {\n // We only support connections that include an ECDHE key exchange.\n CBS contents;\n if (!ssl_client_hello_get_extension(client_hello, &contents,\n TLSEXT_TYPE_key_share)) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_MISSING_KEY_SHARE);\n *out_alert = SSL_AD_MISSING_EXTENSION;\n return false;\n }\n\n CBS key_shares;\n if (!CBS_get_u16_length_prefixed(&contents, &key_shares) ||\n CBS_len(&contents) != 0) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);\n return false;\n }\n\n // Find the corresponding key share.\n const uint16_t group_id = hs->new_session->group_id;\n CBS peer_key;\n CBS_init(&peer_key, nullptr, 0);\n while (CBS_len(&key_shares) > 0) {\n uint16_t id;\n CBS peer_key_tmp;\n if (!CBS_get_u16(&key_shares, &id) ||\n !CBS_get_u16_length_prefixed(&key_shares, &peer_key_tmp) ||\n CBS_len(&peer_key_tmp) == 0) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);\n return false;\n }\n\n if (id == group_id) {\n if (CBS_len(&peer_key) != 0) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_DUPLICATE_KEY_SHARE);\n *out_alert = SSL_AD_ILLEGAL_PARAMETER;\n return false;\n }\n\n peer_key = peer_key_tmp;\n // Continue parsing the structure to keep peers honest.\n }\n }\n\n if (out_peer_key != nullptr) {\n *out_peer_key = peer_key;\n }\n *out_found = CBS_len(&peer_key) != 0;\n return true;\n}\n\nbool ssl_ext_key_share_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {\n CBB entry, ciphertext;\n if (!CBB_add_u16(out, TLSEXT_TYPE_key_share) ||\n !CBB_add_u16_length_prefixed(out, &entry) ||\n !CBB_add_u16(&entry, hs->new_session->group_id) ||\n !CBB_add_u16_length_prefixed(&entry, &ciphertext) ||\n !CBB_add_bytes(&ciphertext, hs->key_share_ciphertext.data(),\n hs->key_share_ciphertext.size()) ||\n !CBB_flush(out)) {\n return false;\n }\n return true;\n}\n\n\n// Supported Versions\n//\n// https://tools.ietf.org/html/rfc8446#section-4.2.1\n\nstatic bool ext_supported_versions_add_clienthello(\n const SSL_HANDSHAKE *hs, CBB *out, CBB *out_compressible,\n ssl_client_hello_type_t type) {\n const SSL *const ssl = hs->ssl;\n if (hs->max_version <= TLS1_2_VERSION) {\n return true;\n }\n\n // supported_versions is compressible in ECH if ClientHelloOuter already\n // requires TLS 1.3. Otherwise the extensions differ in the older versions.\n if (hs->min_version >= TLS1_3_VERSION) {\n out = out_compressible;\n }\n\n CBB contents, versions;\n if (!CBB_add_u16(out, TLSEXT_TYPE_supported_versions) ||\n !CBB_add_u16_length_prefixed(out, &contents) ||\n !CBB_add_u8_length_prefixed(&contents, &versions)) {\n return false;\n }\n\n // Add a fake version. See RFC 8701.\n if (ssl->ctx->grease_enabled &&\n !CBB_add_u16(&versions, ssl_get_grease_value(hs, ssl_grease_version))) {\n return false;\n }\n\n // Encrypted ClientHellos requires TLS 1.3 or later.\n uint16_t extra_min_version =\n type == ssl_client_hello_inner ? TLS1_3_VERSION : 0;\n if (!ssl_add_supported_versions(hs, &versions, extra_min_version) ||\n !CBB_flush(out)) {\n return false;\n }\n\n return true;\n}\n\n\n// Cookie\n//\n// https://tools.ietf.org/html/rfc8446#section-4.2.2\n\nstatic bool ext_cookie_add_clienthello(const SSL_HANDSHAKE *hs, CBB *out,\n CBB *out_compressible,\n ssl_client_hello_type_t type) {\n if (hs->cookie.empty()) {\n return true;\n }\n\n CBB contents, cookie;\n if (!CBB_add_u16(out_compressible, TLSEXT_TYPE_cookie) ||\n !CBB_add_u16_length_prefixed(out_compressible, &contents) ||\n !CBB_add_u16_length_prefixed(&contents, &cookie) ||\n !CBB_add_bytes(&cookie, hs->cookie.data(), hs->cookie.size()) ||\n !CBB_flush(out_compressible)) {\n return false;\n }\n\n return true;\n}\n\n\n// Supported Groups\n//\n// https://tools.ietf.org/html/rfc4492#section-5.1.1\n// https://tools.ietf.org/html/rfc8446#section-4.2.7\n\nstatic bool ext_supported_groups_add_clienthello(const SSL_HANDSHAKE *hs,\n CBB *out,\n CBB *out_compressible,\n ssl_client_hello_type_t type) {\n const SSL *const ssl = hs->ssl;\n CBB contents, groups_bytes;\n if (!CBB_add_u16(out_compressible, TLSEXT_TYPE_supported_groups) ||\n !CBB_add_u16_length_prefixed(out_compressible, &contents) ||\n !CBB_add_u16_length_prefixed(&contents, &groups_bytes)) {\n return false;\n }\n\n // Add a fake group. See RFC 8701.\n if (ssl->ctx->grease_enabled &&\n !CBB_add_u16(&groups_bytes, ssl_get_grease_value(hs, ssl_grease_group))) {\n return false;\n }\n\n for (uint16_t group : tls1_get_grouplist(hs)) {\n if (is_post_quantum_group(group) && hs->max_version < TLS1_3_VERSION) {\n continue;\n }\n if (!CBB_add_u16(&groups_bytes, group)) {\n return false;\n }\n }\n\n return CBB_flush(out_compressible);\n}\n\nstatic bool ext_supported_groups_parse_serverhello(SSL_HANDSHAKE *hs,\n uint8_t *out_alert,\n CBS *contents) {\n // This extension is not expected to be echoed by servers in TLS 1.2, but some\n // BigIP servers send it nonetheless, so do not enforce this.\n return true;\n}\n\nstatic bool parse_u16_array(const CBS *cbs, Array *out) {\n CBS copy = *cbs;\n if ((CBS_len(©) & 1) != 0) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);\n return false;\n }\n\n Array ret;\n if (!ret.InitForOverwrite(CBS_len(©) / 2)) {\n return false;\n }\n for (size_t i = 0; i < ret.size(); i++) {\n if (!CBS_get_u16(©, &ret[i])) {\n OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);\n return false;\n }\n }\n\n assert(CBS_len(©) == 0);\n *out = std::move(ret);\n return true;\n}\n\nstatic bool ext_supported_groups_parse_clienthello(SSL_HANDSHAKE *hs,\n uint8_t *out_alert,\n CBS *contents) {\n if (contents == NULL) {\n return true;\n }\n\n CBS supported_group_list;\n if (!CBS_get_u16_length_prefixed(contents, &supported_group_list) || //\n CBS_len(&supported_group_list) == 0 || //\n CBS_len(contents) != 0 || //\n !parse_u16_array(&supported_group_list, &hs->peer_supported_group_list)) {\n return false;\n }\n\n return true;\n}\n\n\n// Certificate Authorities.\n//\n// https://tools.ietf.org/html/rfc8446#section-4.2.4\n\nstatic bool ext_certificate_authorities_add_clienthello(\n const SSL_HANDSHAKE *hs, CBB *out, CBB *out_compressible,\n ssl_client_hello_type_t type) {\n if (ssl_has_CA_names(hs->config)) {\n CBB ca_contents;\n if (!CBB_add_u16(out, TLSEXT_TYPE_certificate_authorities) || //\n !CBB_add_u16_length_prefixed(out, &ca_contents) || //\n !ssl_add_CA_names(hs, &ca_contents) || //\n !CBB_flush(out)) {\n return false;\n }\n }\n return true;\n}\n\nstatic bool ext_certificate_authorities_parse_clienthello(SSL_HANDSHAKE *hs,\n uint8_t *out_alert,\n CBS *contents) {\n if (contents == NULL) {\n return true;\n }\n\n if (CBS_len(contents) == 0) {\n return false;\n }\n\n hs->ca_names = SSL_parse_CA_list(hs->ssl, out_alert, contents);\n if (!hs->ca_names) {\n return false;\n }\n\n return true;\n}\n\n\n// QUIC Transport Parameters\n\nstatic bool ext_quic_transport_params_add_clienthello_impl(\n const SSL_HANDSHAKE *hs, CBB *out, bool use_legacy_codepoint) {\n if (hs->config->quic_transport_params.empty() && !SSL_is_quic(hs->ssl)) {\n return true;\n }\n if (hs->config->quic_transport_params.empty() || !SSL_is_quic(hs->ssl)) {\n // QUIC Transport Parameters must be sent over QUIC, and they must not be\n // sent over non-QUIC transports. If transport params are set, then\n // SSL(_CTX)_set_quic_method must also be called.\n OPENSSL_PUT_ERROR(SSL, SSL_R_QUIC_TRANSPORT_PARAMETERS_MISCONFIGURED);\n return false;\n }\n assert(hs->min_version > TLS1_2_VERSION);\n if (use_legacy_codepoint != hs->config->quic_use_legacy_codepoint) {\n // Do nothing, we'll send the other codepoint.\n return true;\n }\n\n uint16_t extension_type = TLSEXT_TYPE_quic_transport_parameters;\n if (hs->config->quic_use_legacy_codepoint) {\n extension_type = TLSEXT_TYPE_quic_transport_parameters_legacy;\n }\n\n CBB contents;\n if (!CBB_add_u16(out, extension_type) ||\n !CBB_add_u16_length_prefixed(out, &contents) ||\n !CBB_add_bytes(&contents, hs->config->quic_transport_params.data(),\n hs->config->quic_transport_params.size()) ||\n !CBB_flush(out)) {\n return false;\n }\n return true;\n}\n\nstatic bool ext_quic_transport_params_add_clienthello(\n const SSL_HANDSHAKE *hs, CBB *out, CBB *out_compressible,\n ssl_client_hello_type_t type) {\n return ext_quic_transport_params_add_clienthello_impl(\n hs, out_compressible, /*use_legacy_codepoint=*/false);\n}\n\nstatic bool ext_quic_transport_params_add_clienthello_legacy(\n const SSL_HANDSHAKE *hs, CBB *out, CBB *out_compressible,\n ssl_client_hello_type_t type) {\n return ext_quic_transport_params_add_clienthello_impl(\n hs, out_compressible, /*use_legacy_codepoint=*/true);\n}\n\nstatic bool ext_quic_transport_params_parse_serverhello_impl(\n SSL_HANDSHAKE *hs, uint8_t *out_alert, CBS *contents,\n bool used_legacy_codepoint) {\n SSL *const ssl = hs->ssl;\n if (contents == nullptr) {\n if (used_legacy_codepoint != hs->config->quic_use_legacy_codepoint) {\n // Silently ignore because we expect the other QUIC codepoint.\n return true;\n }\n if (!SSL_is_quic(ssl)) {\n return true;\n }\n *out_alert = SSL_AD_MISSING_EXTENSION;\n return false;\n }\n // The extensions parser will check for unsolicited extensions before\n // calling the callback.\n assert(SSL_is_quic(ssl));\n assert(ssl_protocol_version(ssl) == TLS1_3_VERSION);\n assert(used_legacy_codepoint == hs->config->quic_use_legacy_codepoint);\n return ssl->s3->peer_quic_transport_params.CopyFrom(*contents);\n}\n\nstatic bool ext_quic_transport_params_parse_serverhello(SSL_HANDSHAKE *hs,\n uint8_t *out_alert,\n CBS *contents) {\n return ext_quic_transport_params_parse_serverhello_impl(\n hs, out_alert, contents, /*used_legacy_codepoint=*/false);\n}\n\nstatic bool ext_quic_transport_params_parse_serverhello_legacy(\n SSL_HANDSHAKE *hs, uint8_t *out_alert, CBS *contents) {\n return ext_quic_transport_params_parse_serverhello_impl(\n hs, out_alert, contents, /*used_legacy_codepoint=*/true);\n}\n\nstatic bool ext_quic_transport_params_parse_clienthello_impl(\n SSL_HANDSHAKE *hs, uint8_t *out_alert, CBS *contents,\n bool used_legacy_codepoint) {\n SSL *const ssl = hs->ssl;\n if (!contents) {\n if (!SSL_is_quic(ssl)) {\n if (hs->config->quic_transport_params.empty()) {\n return true;\n }\n // QUIC transport parameters must not be set if |ssl| is not configured\n // for QUIC.\n OPENSSL_PUT_ERROR(SSL, SSL_R_QUIC_TRANSPORT_PARAMETERS_MISCONFIGURED);\n *out_alert = SSL_AD_INTERNAL_ERROR;\n return false;\n }\n if (used_legacy_codepoint != hs->config->quic_use_legacy_codepoint) {\n // Silently ignore because we expect the other QUIC codepoint.\n return true;\n }\n *out_alert = SSL_AD_MISSING_EXTENSION;\n return false;\n }\n if (!SSL_is_quic(ssl)) {\n if (used_legacy_codepoint) {\n // Ignore the legacy private-use codepoint because that could be sent\n // to mean something else than QUIC transport parameters.\n return true;\n }\n // Fail if we received the codepoint registered with IANA for QUIC\n // because that is not allowed outside of QUIC.\n *out_alert = SSL_AD_UNSUPPORTED_EXTENSION;\n return false;\n }\n assert(ssl_protocol_version(ssl) == TLS1_3_VERSION);\n if (used_legacy_codepoint != hs->config->quic_use_legacy_codepoint) {\n // Silently ignore because we expect the other QUIC codepoint.\n return true;\n }\n return ssl->s3->peer_quic_transport_params.CopyFrom(*contents);\n}\n\nstatic bool ext_quic_transport_params_parse_clienthello(SSL_HANDSHAKE *hs,\n uint8_t *out_alert,\n CBS *contents) {\n return ext_quic_transport_params_parse_clienthello_impl(\n hs, out_alert, contents, /*used_legacy_codepoint=*/false);\n}\n\nstatic bool ext_quic_transport_params_parse_clienthello_legacy(\n SSL_HANDSHAKE *hs, uint8_t *out_alert, CBS *contents) {\n return ext_quic_transport_params_parse_clienthello_impl(\n hs, out_alert, contents, /*used_legacy_codepoint=*/true);\n}\n\nstatic bool ext_quic_transport_params_add_serverhello_impl(\n SSL_HANDSHAKE *hs, CBB *out, bool use_legacy_codepoint) {\n if (!SSL_is_quic(hs->ssl) && use_legacy_codepoint) {\n // Ignore the legacy private-use codepoint because that could be sent\n // to mean something else than QUIC transport parameters.\n return true;\n }\n assert(SSL_is_quic(hs->ssl));\n if (hs->config->quic_transport_params.empty()) {\n // Transport parameters must be set when using QUIC.\n OPENSSL_PUT_ERROR(SSL, SSL_R_QUIC_TRANSPORT_PARAMETERS_MISCONFIGURED);\n return false;\n }\n if (use_legacy_codepoint != hs->config->quic_use_legacy_codepoint) {\n // Do nothing, we'll send the other codepoint.\n return true;\n }\n\n uint16_t extension_type = TLSEXT_TYPE_quic_transport_parameters;\n if (hs->config->quic_use_legacy_codepoint) {\n extension_type = TLSEXT_TYPE_quic_transport_parameters_legacy;\n }\n\n CBB contents;\n if (!CBB_add_u16(out, extension_type) ||\n !CBB_add_u16_length_prefixed(out, &contents) ||\n !CBB_add_bytes(&contents, hs->config->quic_transport_params.data(),\n hs->config->quic_transport_params.size()) ||\n !CBB_flush(out)) {\n return false;\n }\n\n return true;\n}\n\nstatic bool ext_quic_transport_params_add_serverhello(SSL_HANDSHAKE *hs,\n CBB *out) {\n return ext_quic_transport_params_add_serverhello_impl(\n hs, out, /*use_legacy_codepoint=*/false);\n}\n\nstatic bool ext_quic_transport_params_add_serverhello_legacy(SSL_HANDSHAKE *hs,\n CBB *out) {\n return ext_quic_transport_params_add_serverhello_impl(\n hs, out, /*use_legacy_codepoint=*/true);\n}\n\n// Delegated credentials.\n//\n// https://www.rfc-editor.org/rfc/rfc9345.html\n\nstatic bool ext_delegated_credential_add_clienthello(\n const SSL_HANDSHAKE *hs, CBB *out, CBB *out_compressible,\n ssl_client_hello_type_t type) {\n return true;\n}\n\nstatic bool ext_delegated_credential_parse_clienthello(SSL_HANDSHAKE *hs,\n uint8_t *out_alert,\n CBS *contents) {\n if (contents == nullptr || ssl_protocol_version(hs->ssl) < TLS1_3_VERSION) {\n // Don't use delegated credentials unless we're negotiating TLS 1.3 or\n // higher.\n return true;\n }\n\n // The contents of the extension are the signature algorithms the client will\n // accept for a delegated credential.\n CBS sigalg_list;\n if (!CBS_get_u16_length_prefixed(contents, &sigalg_list) || //\n CBS_len(&sigalg_list) == 0 || //\n CBS_len(contents) != 0 || //\n !parse_u16_array(&sigalg_list, &hs->peer_delegated_credential_sigalgs)) {\n return false;\n }\n\n return true;\n}\n\n// Certificate compression\n\nstatic bool cert_compression_add_clienthello(const SSL_HANDSHAKE *hs, CBB *out,\n CBB *out_compressible,\n ssl_client_hello_type_t type) {\n bool first = true;\n CBB contents, algs;\n\n for (const auto &alg : hs->ssl->ctx->cert_compression_algs) {\n if (alg.decompress == nullptr) {\n continue;\n }\n\n if (first &&\n (!CBB_add_u16(out_compressible, TLSEXT_TYPE_cert_compression) ||\n !CBB_add_u16_length_prefixed(out_compressible, &contents) ||\n !CBB_add_u8_length_prefixed(&contents, &algs))) {\n return false;\n }\n first = false;\n if (!CBB_add_u16(&algs, alg.alg_id)) {\n return false;\n }\n }\n\n return first || CBB_flush(out_compressible);\n}\n\nstatic bool cert_compression_parse_serverhello(SSL_HANDSHAKE *hs,\n uint8_t *out_alert,\n CBS *contents) {\n if (contents == nullptr) {\n return true;\n }\n\n // The server may not echo this extension. Any server to client negotiation is\n // advertised in the CertificateRequest message.\n return false;\n}\n\nstatic bool cert_compression_parse_clienthello(SSL_HANDSHAKE *hs,\n uint8_t *out_alert,\n CBS *contents) {\n if (contents == nullptr) {\n return true;\n }\n\n const SSL_CTX *ctx = hs->ssl->ctx.get();\n const size_t num_algs = ctx->cert_compression_algs.size();\n\n CBS alg_ids;\n if (!CBS_get_u8_length_prefixed(contents, &alg_ids) || //\n CBS_len(contents) != 0 || //\n CBS_len(&alg_ids) == 0 || //\n CBS_len(&alg_ids) % 2 == 1) {\n return false;\n }\n\n const size_t num_given_alg_ids = CBS_len(&alg_ids) / 2;\n Array given_alg_ids;\n if (!given_alg_ids.InitForOverwrite(num_given_alg_ids)) {\n return false;\n }\n\n size_t best_index = num_algs;\n size_t given_alg_idx = 0;\n\n while (CBS_len(&alg_ids) > 0) {\n uint16_t alg_id;\n if (!CBS_get_u16(&alg_ids, &alg_id)) {\n return false;\n }\n\n given_alg_ids[given_alg_idx++] = alg_id;\n\n for (size_t i = 0; i < num_algs; i++) {\n const auto &alg = ctx->cert_compression_algs[i];\n if (alg.alg_id == alg_id && alg.compress != nullptr) {\n if (i < best_index) {\n best_index = i;\n }\n break;\n }\n }\n }\n\n qsort(given_alg_ids.data(), given_alg_ids.size(), sizeof(uint16_t),\n compare_uint16_t);\n for (size_t i = 1; i < num_given_alg_ids; i++) {\n if (given_alg_ids[i - 1] == given_alg_ids[i]) {\n return false;\n }\n }\n\n if (best_index < num_algs &&\n ssl_protocol_version(hs->ssl) >= TLS1_3_VERSION) {\n hs->cert_compression_negotiated = true;\n hs->cert_compression_alg_id = ctx->cert_compression_algs[best_index].alg_id;\n }\n\n return true;\n}\n\nstatic bool cert_compression_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {\n return true;\n}\n\n// Application-level Protocol Settings\n//\n// https://tools.ietf.org/html/draft-vvv-tls-alps-01\n\nbool ssl_get_local_application_settings(const SSL_HANDSHAKE *hs,\n Span *out_settings,\n Span protocol) {\n for (const ALPSConfig &config : hs->config->alps_configs) {\n if (protocol == config.protocol) {\n *out_settings = config.settings;\n return true;\n }\n }\n return false;\n}\n\nstatic bool ext_alps_add_clienthello_impl(const SSL_HANDSHAKE *hs, CBB *out,\n CBB *out_compressible,\n ssl_client_hello_type_t type,\n bool use_new_codepoint) {\n const SSL *const ssl = hs->ssl;\n if ( // ALPS requires TLS 1.3.\n hs->max_version < TLS1_3_VERSION ||\n // Do not offer ALPS without ALPN.\n hs->config->alpn_client_proto_list.empty() ||\n // Do not offer ALPS if not configured.\n hs->config->alps_configs.empty() ||\n // Do not offer ALPS on renegotiation handshakes.\n ssl->s3->initial_handshake_complete) {\n return true;\n }\n\n if (use_new_codepoint != hs->config->alps_use_new_codepoint) {\n // Do nothing, we'll send the other codepoint.\n return true;\n }\n\n uint16_t extension_type = TLSEXT_TYPE_application_settings_old;\n if (hs->config->alps_use_new_codepoint) {\n extension_type = TLSEXT_TYPE_application_settings;\n }\n\n CBB contents, proto_list, proto;\n if (!CBB_add_u16(out_compressible, extension_type) ||\n !CBB_add_u16_length_prefixed(out_compressible, &contents) ||\n !CBB_add_u16_length_prefixed(&contents, &proto_list)) {\n return false;\n }\n\n for (const ALPSConfig &config : hs->config->alps_configs) {\n if (!CBB_add_u8_length_prefixed(&proto_list, &proto) ||\n !CBB_add_bytes(&proto, config.protocol.data(),\n config.protocol.size())) {\n return false;\n }\n }\n\n return CBB_flush(out_compressible);\n}\n\nstatic bool ext_alps_add_clienthello(const SSL_HANDSHAKE *hs, CBB *out,\n CBB *out_compressible,\n ssl_client_hello_type_t type) {\n return ext_alps_add_clienthello_impl(hs, out, out_compressible, type,\n /*use_new_codepoint=*/true);\n}\n\nstatic bool ext_alps_add_clienthello_old(const SSL_HANDSHAKE *hs, CBB *out,\n CBB *out_compressible,\n ssl_client_hello_type_t type) {\n return ext_alps_add_clienthello_impl(hs, out, out_compressible, type,\n /*use_new_codepoint=*/false);\n}\n\nstatic bool ext_alps_parse_serverhello_impl(SSL_HANDSHAKE *hs,\n uint8_t *out_alert, CBS *contents,\n bool use_new_codepoint) {\n SSL *const ssl = hs->ssl;\n if (contents == nullptr) {\n return true;\n }\n\n assert(!ssl->s3->initial_handshake_complete);\n assert(!hs->config->alpn_client_proto_list.empty());\n assert(!hs->config->alps_configs.empty());\n assert(use_new_codepoint == hs->config->alps_use_new_codepoint);\n\n // ALPS requires TLS 1.3.\n if (ssl_protocol_version(ssl) < TLS1_3_VERSION) {\n *out_alert = SSL_AD_UNSUPPORTED_EXTENSION;\n OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION);\n return false;\n }\n\n // Note extension callbacks may run in any order, so we defer checking\n // consistency with ALPN to |ssl_check_serverhello_tlsext|.\n if (!hs->new_session->peer_application_settings.CopyFrom(*contents)) {\n *out_alert = SSL_AD_INTERNAL_ERROR;\n return false;\n }\n\n hs->new_session->has_application_settings = true;\n return true;\n}\n\nstatic bool ext_alps_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert,\n CBS *contents) {\n return ext_alps_parse_serverhello_impl(hs, out_alert, contents,\n /*use_new_codepoint=*/true);\n}\n\nstatic bool ext_alps_parse_serverhello_old(SSL_HANDSHAKE *hs,\n uint8_t *out_alert, CBS *contents) {\n return ext_alps_parse_serverhello_impl(hs, out_alert, contents,\n /*use_new_codepoint=*/false);\n}\n\nstatic bool ext_alps_add_serverhello_impl(SSL_HANDSHAKE *hs, CBB *out,\n bool use_new_codepoint) {\n SSL *const ssl = hs->ssl;\n // If early data is accepted, we omit the ALPS extension. It is implicitly\n // carried over from the previous connection.\n if (hs->new_session == nullptr ||\n !hs->new_session->has_application_settings ||\n ssl->s3->early_data_accepted) {\n return true;\n }\n\n if (use_new_codepoint != hs->config->alps_use_new_codepoint) {\n // Do nothing, we'll send the other codepoint.\n return true;\n }\n\n uint16_t extension_type = TLSEXT_TYPE_application_settings_old;\n if (hs->config->alps_use_new_codepoint) {\n extension_type = TLSEXT_TYPE_application_settings;\n }\n\n CBB contents;\n if (!CBB_add_u16(out, extension_type) ||\n !CBB_add_u16_length_prefixed(out, &contents) ||\n !CBB_add_bytes(&contents,\n hs->new_session->local_application_settings.data(),\n hs->new_session->local_application_settings.size()) ||\n !CBB_flush(out)) {\n return false;\n }\n\n return true;\n}\n\nstatic bool ext_alps_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {\n return ext_alps_add_serverhello_impl(hs, out, /*use_new_codepoint=*/true);\n}\n\nstatic bool ext_alps_add_serverhello_old(SSL_HANDSHAKE *hs, CBB *out) {\n return ext_alps_add_serverhello_impl(hs, out, /*use_new_codepoint=*/false);\n}\n\nbool ssl_negotiate_alps(SSL_HANDSHAKE *hs, uint8_t *out_alert,\n const SSL_CLIENT_HELLO *client_hello) {\n SSL *const ssl = hs->ssl;\n if (ssl->s3->alpn_selected.empty()) {\n return true;\n }\n\n // If we negotiate ALPN over TLS 1.3, try to negotiate ALPS.\n CBS alps_contents;\n Span settings;\n uint16_t extension_type = TLSEXT_TYPE_application_settings_old;\n if (hs->config->alps_use_new_codepoint) {\n extension_type = TLSEXT_TYPE_application_settings;\n }\n if (ssl_protocol_version(ssl) >= TLS1_3_VERSION &&\n ssl_get_local_application_settings(hs, &settings,\n ssl->s3->alpn_selected) &&\n ssl_client_hello_get_extension(client_hello, &alps_contents,\n extension_type)) {\n // Check if the client supports ALPS with the selected ALPN.\n bool found = false;\n CBS alps_list;\n if (!CBS_get_u16_length_prefixed(&alps_contents, &alps_list) || //\n CBS_len(&alps_contents) != 0 || //\n CBS_len(&alps_list) == 0) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);\n *out_alert = SSL_AD_DECODE_ERROR;\n return false;\n }\n while (CBS_len(&alps_list) > 0) {\n CBS protocol_name;\n if (!CBS_get_u8_length_prefixed(&alps_list, &protocol_name) ||\n // Empty protocol names are forbidden.\n CBS_len(&protocol_name) == 0) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);\n *out_alert = SSL_AD_DECODE_ERROR;\n return false;\n }\n if (protocol_name == Span(ssl->s3->alpn_selected)) {\n found = true;\n }\n }\n\n // Negotiate ALPS if both client also supports ALPS for this protocol.\n if (found) {\n hs->new_session->has_application_settings = true;\n if (!hs->new_session->local_application_settings.CopyFrom(settings)) {\n *out_alert = SSL_AD_INTERNAL_ERROR;\n return false;\n }\n }\n }\n\n return true;\n}\n\n// kExtensions contains all the supported extensions.\nstatic const struct tls_extension kExtensions[] = {\n {\n TLSEXT_TYPE_server_name,\n ext_sni_add_clienthello,\n ext_sni_parse_serverhello,\n ext_sni_parse_clienthello,\n ext_sni_add_serverhello,\n },\n {\n TLSEXT_TYPE_encrypted_client_hello,\n ext_ech_add_clienthello,\n ext_ech_parse_serverhello,\n ext_ech_parse_clienthello,\n ext_ech_add_serverhello,\n },\n {\n TLSEXT_TYPE_extended_master_secret,\n ext_ems_add_clienthello,\n ext_ems_parse_serverhello,\n ext_ems_parse_clienthello,\n ext_ems_add_serverhello,\n },\n {\n TLSEXT_TYPE_renegotiate,\n ext_ri_add_clienthello,\n ext_ri_parse_serverhello,\n ext_ri_parse_clienthello,\n ext_ri_add_serverhello,\n },\n {\n TLSEXT_TYPE_supported_groups,\n ext_supported_groups_add_clienthello,\n ext_supported_groups_parse_serverhello,\n ext_supported_groups_parse_clienthello,\n dont_add_serverhello,\n },\n {\n TLSEXT_TYPE_ec_point_formats,\n ext_ec_point_add_clienthello,\n ext_ec_point_parse_serverhello,\n ext_ec_point_parse_clienthello,\n ext_ec_point_add_serverhello,\n },\n {\n TLSEXT_TYPE_session_ticket,\n ext_ticket_add_clienthello,\n ext_ticket_parse_serverhello,\n // Ticket extension client parsing is handled in ssl_session.c\n ignore_parse_clienthello,\n ext_ticket_add_serverhello,\n },\n {\n TLSEXT_TYPE_application_layer_protocol_negotiation,\n ext_alpn_add_clienthello,\n ext_alpn_parse_serverhello,\n // ALPN is negotiated late in |ssl_negotiate_alpn|.\n ignore_parse_clienthello,\n ext_alpn_add_serverhello,\n },\n {\n TLSEXT_TYPE_status_request,\n ext_ocsp_add_clienthello,\n ext_ocsp_parse_serverhello,\n ext_ocsp_parse_clienthello,\n ext_ocsp_add_serverhello,\n },\n {\n TLSEXT_TYPE_signature_algorithms,\n ext_sigalgs_add_clienthello,\n forbid_parse_serverhello,\n ext_sigalgs_parse_clienthello,\n dont_add_serverhello,\n },\n {\n TLSEXT_TYPE_next_proto_neg,\n ext_npn_add_clienthello,\n ext_npn_parse_serverhello,\n ext_npn_parse_clienthello,\n ext_npn_add_serverhello,\n },\n {\n TLSEXT_TYPE_certificate_timestamp,\n ext_sct_add_clienthello,\n ext_sct_parse_serverhello,\n ext_sct_parse_clienthello,\n ext_sct_add_serverhello,\n },\n {\n TLSEXT_TYPE_channel_id,\n ext_channel_id_add_clienthello,\n ext_channel_id_parse_serverhello,\n ext_channel_id_parse_clienthello,\n ext_channel_id_add_serverhello,\n },\n {\n TLSEXT_TYPE_srtp,\n ext_srtp_add_clienthello,\n ext_srtp_parse_serverhello,\n ext_srtp_parse_clienthello,\n ext_srtp_add_serverhello,\n },\n {\n TLSEXT_TYPE_key_share,\n ext_key_share_add_clienthello,\n forbid_parse_serverhello,\n ignore_parse_clienthello,\n dont_add_serverhello,\n },\n {\n TLSEXT_TYPE_psk_key_exchange_modes,\n ext_psk_key_exchange_modes_add_clienthello,\n forbid_parse_serverhello,\n ext_psk_key_exchange_modes_parse_clienthello,\n dont_add_serverhello,\n },\n {\n TLSEXT_TYPE_early_data,\n ext_early_data_add_clienthello,\n ext_early_data_parse_serverhello,\n ext_early_data_parse_clienthello,\n ext_early_data_add_serverhello,\n },\n {\n TLSEXT_TYPE_supported_versions,\n ext_supported_versions_add_clienthello,\n forbid_parse_serverhello,\n ignore_parse_clienthello,\n dont_add_serverhello,\n },\n {\n TLSEXT_TYPE_cookie,\n ext_cookie_add_clienthello,\n forbid_parse_serverhello,\n ignore_parse_clienthello,\n dont_add_serverhello,\n },\n {\n TLSEXT_TYPE_quic_transport_parameters,\n ext_quic_transport_params_add_clienthello,\n ext_quic_transport_params_parse_serverhello,\n ext_quic_transport_params_parse_clienthello,\n ext_quic_transport_params_add_serverhello,\n },\n {\n TLSEXT_TYPE_quic_transport_parameters_legacy,\n ext_quic_transport_params_add_clienthello_legacy,\n ext_quic_transport_params_parse_serverhello_legacy,\n ext_quic_transport_params_parse_clienthello_legacy,\n ext_quic_transport_params_add_serverhello_legacy,\n },\n {\n TLSEXT_TYPE_cert_compression,\n cert_compression_add_clienthello,\n cert_compression_parse_serverhello,\n cert_compression_parse_clienthello,\n cert_compression_add_serverhello,\n },\n {\n TLSEXT_TYPE_delegated_credential,\n ext_delegated_credential_add_clienthello,\n forbid_parse_serverhello,\n ext_delegated_credential_parse_clienthello,\n dont_add_serverhello,\n },\n {\n TLSEXT_TYPE_application_settings,\n ext_alps_add_clienthello,\n ext_alps_parse_serverhello,\n // ALPS is negotiated late in |ssl_negotiate_alpn|.\n ignore_parse_clienthello,\n ext_alps_add_serverhello,\n },\n {\n TLSEXT_TYPE_application_settings_old,\n ext_alps_add_clienthello_old,\n ext_alps_parse_serverhello_old,\n // ALPS is negotiated late in |ssl_negotiate_alpn|.\n ignore_parse_clienthello,\n ext_alps_add_serverhello_old,\n },\n {\n TLSEXT_TYPE_certificate_authorities,\n ext_certificate_authorities_add_clienthello,\n forbid_parse_serverhello,\n ext_certificate_authorities_parse_clienthello,\n dont_add_serverhello,\n },\n};\n\n#define kNumExtensions (sizeof(kExtensions) / sizeof(struct tls_extension))\n\nstatic_assert(kNumExtensions <=\n sizeof(((SSL_HANDSHAKE *)NULL)->extensions.sent) * 8,\n \"too many extensions for sent bitset\");\nstatic_assert(kNumExtensions <=\n sizeof(((SSL_HANDSHAKE *)NULL)->extensions.received) * 8,\n \"too many extensions for received bitset\");\n\nbool ssl_setup_extension_permutation(SSL_HANDSHAKE *hs) {\n if (!hs->config->permute_extensions) {\n return true;\n }\n\n static_assert(kNumExtensions <= UINT8_MAX,\n \"extensions_permutation type is too small\");\n uint32_t seeds[kNumExtensions - 1];\n Array permutation;\n if (!RAND_bytes(reinterpret_cast(seeds), sizeof(seeds)) ||\n !permutation.InitForOverwrite(kNumExtensions)) {\n return false;\n }\n for (size_t i = 0; i < kNumExtensions; i++) {\n permutation[i] = i;\n }\n for (size_t i = kNumExtensions - 1; i > 0; i--) {\n // Set element |i| to a randomly-selected element 0 <= j <= i.\n std::swap(permutation[i], permutation[seeds[i - 1] % (i + 1)]);\n }\n hs->extension_permutation = std::move(permutation);\n return true;\n}\n\nstatic const struct tls_extension *tls_extension_find(uint32_t *out_index,\n uint16_t value) {\n unsigned i;\n for (i = 0; i < kNumExtensions; i++) {\n if (kExtensions[i].value == value) {\n *out_index = i;\n return &kExtensions[i];\n }\n }\n\n return NULL;\n}\n\nstatic bool add_padding_extension(CBB *cbb, uint16_t ext, size_t len) {\n CBB child;\n if (!CBB_add_u16(cbb, ext) || //\n !CBB_add_u16_length_prefixed(cbb, &child) ||\n !CBB_add_zeros(&child, len)) {\n OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);\n return false;\n }\n return CBB_flush(cbb);\n}\n\nstatic bool ssl_add_clienthello_tlsext_inner(SSL_HANDSHAKE *hs, CBB *out,\n CBB *out_encoded,\n bool *out_needs_psk_binder) {\n // When writing ClientHelloInner, we construct the real and encoded\n // ClientHellos concurrently, to handle compression. Uncompressed extensions\n // are written to |extensions| and copied to |extensions_encoded|. Compressed\n // extensions are buffered in |compressed| and written to the end. (ECH can\n // only compress continguous extensions.)\n SSL *const ssl = hs->ssl;\n bssl::ScopedCBB compressed, outer_extensions;\n CBB extensions, extensions_encoded;\n if (!CBB_add_u16_length_prefixed(out, &extensions) ||\n !CBB_add_u16_length_prefixed(out_encoded, &extensions_encoded) ||\n !CBB_init(compressed.get(), 64) ||\n !CBB_init(outer_extensions.get(), 64)) {\n OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);\n return false;\n }\n\n hs->inner_extensions_sent = 0;\n\n if (ssl->ctx->grease_enabled) {\n // Add a fake empty extension. See RFC 8701. This always matches\n // |ssl_add_clienthello_tlsext|, so compress it.\n uint16_t grease_ext = ssl_get_grease_value(hs, ssl_grease_extension1);\n if (!add_padding_extension(compressed.get(), grease_ext, 0) ||\n !CBB_add_u16(outer_extensions.get(), grease_ext)) {\n return false;\n }\n }\n\n for (size_t unpermuted = 0; unpermuted < kNumExtensions; unpermuted++) {\n size_t i = hs->extension_permutation.empty()\n ? unpermuted\n : hs->extension_permutation[unpermuted];\n const size_t len_before = CBB_len(&extensions);\n const size_t len_compressed_before = CBB_len(compressed.get());\n if (!kExtensions[i].add_clienthello(hs, &extensions, compressed.get(),\n ssl_client_hello_inner)) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_ERROR_ADDING_EXTENSION);\n ERR_add_error_dataf(\"extension %u\", (unsigned)kExtensions[i].value);\n return false;\n }\n\n const size_t bytes_written = CBB_len(&extensions) - len_before;\n const size_t bytes_written_compressed =\n CBB_len(compressed.get()) - len_compressed_before;\n // The callback may write to at most one output.\n assert(bytes_written == 0 || bytes_written_compressed == 0);\n if (bytes_written != 0 || bytes_written_compressed != 0) {\n hs->inner_extensions_sent |= (1u << i);\n }\n // If compressed, update the running ech_outer_extensions extension.\n if (bytes_written_compressed != 0 &&\n !CBB_add_u16(outer_extensions.get(), kExtensions[i].value)) {\n return false;\n }\n }\n\n if (ssl->ctx->grease_enabled) {\n // Add a fake non-empty extension. See RFC 8701. This always matches\n // |ssl_add_clienthello_tlsext|, so compress it.\n uint16_t grease_ext = ssl_get_grease_value(hs, ssl_grease_extension2);\n if (!add_padding_extension(compressed.get(), grease_ext, 1) ||\n !CBB_add_u16(outer_extensions.get(), grease_ext)) {\n return false;\n }\n }\n\n // Uncompressed extensions are encoded as-is.\n if (!CBB_add_bytes(&extensions_encoded, CBB_data(&extensions),\n CBB_len(&extensions))) {\n return false;\n }\n\n // Flush all the compressed extensions.\n if (CBB_len(compressed.get()) != 0) {\n CBB extension, child;\n // Copy them as-is in the real ClientHelloInner.\n if (!CBB_add_bytes(&extensions, CBB_data(compressed.get()),\n CBB_len(compressed.get())) ||\n // Replace with ech_outer_extensions in the encoded form.\n !CBB_add_u16(&extensions_encoded, TLSEXT_TYPE_ech_outer_extensions) ||\n !CBB_add_u16_length_prefixed(&extensions_encoded, &extension) ||\n !CBB_add_u8_length_prefixed(&extension, &child) ||\n !CBB_add_bytes(&child, CBB_data(outer_extensions.get()),\n CBB_len(outer_extensions.get())) ||\n !CBB_flush(&extensions_encoded)) {\n return false;\n }\n }\n\n // The PSK extension must be last. It is never compressed. Note, if there is a\n // binder, the caller will need to update both ClientHelloInner and\n // EncodedClientHelloInner after computing it.\n const size_t len_before = CBB_len(&extensions);\n if (!ext_pre_shared_key_add_clienthello(hs, &extensions, out_needs_psk_binder,\n ssl_client_hello_inner) ||\n !CBB_add_bytes(&extensions_encoded, CBB_data(&extensions) + len_before,\n CBB_len(&extensions) - len_before) ||\n !CBB_flush(out) || //\n !CBB_flush(out_encoded)) {\n return false;\n }\n\n return true;\n}\n\nbool ssl_add_clienthello_tlsext(SSL_HANDSHAKE *hs, CBB *out, CBB *out_encoded,\n bool *out_needs_psk_binder,\n ssl_client_hello_type_t type,\n size_t header_len) {\n *out_needs_psk_binder = false;\n\n if (type == ssl_client_hello_inner) {\n return ssl_add_clienthello_tlsext_inner(hs, out, out_encoded,\n out_needs_psk_binder);\n }\n\n assert(out_encoded == nullptr); // Only ClientHelloInner needs two outputs.\n SSL *const ssl = hs->ssl;\n CBB extensions;\n if (!CBB_add_u16_length_prefixed(out, &extensions)) {\n OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);\n return false;\n }\n\n // Note we may send multiple ClientHellos for DTLS HelloVerifyRequest and TLS\n // 1.3 HelloRetryRequest. For the latter, the extensions may change, so it is\n // important to reset this value.\n hs->extensions.sent = 0;\n\n // Add a fake empty extension. See RFC 8701.\n if (ssl->ctx->grease_enabled &&\n !add_padding_extension(\n &extensions, ssl_get_grease_value(hs, ssl_grease_extension1), 0)) {\n return false;\n }\n\n bool last_was_empty = false;\n for (size_t unpermuted = 0; unpermuted < kNumExtensions; unpermuted++) {\n size_t i = hs->extension_permutation.empty()\n ? unpermuted\n : hs->extension_permutation[unpermuted];\n const size_t len_before = CBB_len(&extensions);\n if (!kExtensions[i].add_clienthello(hs, &extensions, &extensions, type)) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_ERROR_ADDING_EXTENSION);\n ERR_add_error_dataf(\"extension %u\", (unsigned)kExtensions[i].value);\n return false;\n }\n\n const size_t bytes_written = CBB_len(&extensions) - len_before;\n if (bytes_written != 0) {\n hs->extensions.sent |= (1u << i);\n }\n // If the difference in lengths is only four bytes then the extension had\n // an empty body.\n last_was_empty = (bytes_written == 4);\n }\n\n if (ssl->ctx->grease_enabled) {\n // Add a fake non-empty extension. See RFC 8701.\n if (!add_padding_extension(\n &extensions, ssl_get_grease_value(hs, ssl_grease_extension2), 1)) {\n return false;\n }\n last_was_empty = false;\n }\n\n // In cleartext ClientHellos, we add the padding extension to work around\n // bugs. We also apply this padding to ClientHelloOuter, to keep the wire\n // images aligned.\n size_t psk_extension_len = ext_pre_shared_key_clienthello_length(hs, type);\n if (!SSL_is_dtls(ssl) && !SSL_is_quic(ssl) &&\n !ssl->s3->used_hello_retry_request) {\n header_len +=\n SSL3_HM_HEADER_LENGTH + 2 + CBB_len(&extensions) + psk_extension_len;\n size_t padding_len = 0;\n\n // The final extension must be non-empty. WebSphere Application\n // Server 7.0 is intolerant to the last extension being zero-length. See\n // https://crbug.com/363583.\n if (last_was_empty && psk_extension_len == 0) {\n padding_len = 1;\n // The addition of the padding extension may push us into the F5 bug.\n header_len += 4 + padding_len;\n }\n\n // Add padding to workaround bugs in F5 terminators. See RFC 7685.\n //\n // NB: because this code works out the length of all existing extensions\n // it MUST always appear last (save for any PSK extension).\n if (header_len > 0xff && header_len < 0x200) {\n // If our calculations already included a padding extension, remove that\n // factor because we're about to change its length.\n if (padding_len != 0) {\n header_len -= 4 + padding_len;\n }\n padding_len = 0x200 - header_len;\n // Extensions take at least four bytes to encode. Always include at least\n // one byte of data if including the extension. WebSphere Application\n // Server 7.0 is intolerant to the last extension being zero-length. See\n // https://crbug.com/363583.\n if (padding_len >= 4 + 1) {\n padding_len -= 4;\n } else {\n padding_len = 1;\n }\n }\n\n if (padding_len != 0 &&\n !add_padding_extension(&extensions, TLSEXT_TYPE_padding, padding_len)) {\n return false;\n }\n }\n\n // The PSK extension must be last, including after the padding.\n const size_t len_before = CBB_len(&extensions);\n if (!ext_pre_shared_key_add_clienthello(hs, &extensions, out_needs_psk_binder,\n type)) {\n OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);\n return false;\n }\n assert(psk_extension_len == CBB_len(&extensions) - len_before);\n (void)len_before; // |assert| is omitted in release builds.\n\n // Discard empty extensions blocks.\n if (CBB_len(&extensions) == 0) {\n CBB_discard_child(out);\n }\n\n return CBB_flush(out);\n}\n\nbool ssl_add_serverhello_tlsext(SSL_HANDSHAKE *hs, CBB *out) {\n SSL *const ssl = hs->ssl;\n CBB extensions;\n if (!CBB_add_u16_length_prefixed(out, &extensions)) {\n goto err;\n }\n\n for (unsigned i = 0; i < kNumExtensions; i++) {\n if (!(hs->extensions.received & (1u << i))) {\n // Don't send extensions that were not received.\n continue;\n }\n\n if (!kExtensions[i].add_serverhello(hs, &extensions)) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_ERROR_ADDING_EXTENSION);\n ERR_add_error_dataf(\"extension %u\", (unsigned)kExtensions[i].value);\n goto err;\n }\n }\n\n // Discard empty extensions blocks before TLS 1.3.\n if (ssl_protocol_version(ssl) < TLS1_3_VERSION && //\n CBB_len(&extensions) == 0) {\n CBB_discard_child(out);\n }\n\n return CBB_flush(out);\n\nerr:\n OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);\n return false;\n}\n\nstatic bool ssl_scan_clienthello_tlsext(SSL_HANDSHAKE *hs,\n const SSL_CLIENT_HELLO *client_hello,\n int *out_alert) {\n hs->extensions.received = 0;\n CBS extensions;\n CBS_init(&extensions, client_hello->extensions, client_hello->extensions_len);\n while (CBS_len(&extensions) != 0) {\n uint16_t type;\n CBS extension;\n\n // Decode the next extension.\n if (!CBS_get_u16(&extensions, &type) ||\n !CBS_get_u16_length_prefixed(&extensions, &extension)) {\n *out_alert = SSL_AD_DECODE_ERROR;\n return false;\n }\n\n unsigned ext_index;\n const struct tls_extension *const ext =\n tls_extension_find(&ext_index, type);\n if (ext == NULL) {\n continue;\n }\n\n hs->extensions.received |= (1u << ext_index);\n uint8_t alert = SSL_AD_DECODE_ERROR;\n if (!ext->parse_clienthello(hs, &alert, &extension)) {\n *out_alert = alert;\n OPENSSL_PUT_ERROR(SSL, SSL_R_ERROR_PARSING_EXTENSION);\n ERR_add_error_dataf(\"extension %u\", (unsigned)type);\n return false;\n }\n }\n\n for (size_t i = 0; i < kNumExtensions; i++) {\n if (hs->extensions.received & (1u << i)) {\n continue;\n }\n\n CBS *contents = NULL, fake_contents;\n static const uint8_t kFakeRenegotiateExtension[] = {0};\n if (kExtensions[i].value == TLSEXT_TYPE_renegotiate &&\n ssl_client_cipher_list_contains_cipher(client_hello,\n SSL3_CK_SCSV & 0xffff)) {\n // The renegotiation SCSV was received so pretend that we received a\n // renegotiation extension.\n CBS_init(&fake_contents, kFakeRenegotiateExtension,\n sizeof(kFakeRenegotiateExtension));\n contents = &fake_contents;\n hs->extensions.received |= (1u << i);\n }\n\n // Extension wasn't observed so call the callback with a NULL\n // parameter.\n uint8_t alert = SSL_AD_DECODE_ERROR;\n if (!kExtensions[i].parse_clienthello(hs, &alert, contents)) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_MISSING_EXTENSION);\n ERR_add_error_dataf(\"extension %u\", (unsigned)kExtensions[i].value);\n *out_alert = alert;\n return false;\n }\n }\n\n return true;\n}\n\nbool ssl_parse_clienthello_tlsext(SSL_HANDSHAKE *hs,\n const SSL_CLIENT_HELLO *client_hello) {\n SSL *const ssl = hs->ssl;\n int alert = SSL_AD_DECODE_ERROR;\n if (!ssl_scan_clienthello_tlsext(hs, client_hello, &alert)) {\n ssl_send_alert(ssl, SSL3_AL_FATAL, alert);\n return false;\n }\n\n if (!ssl_check_clienthello_tlsext(hs)) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_CLIENTHELLO_TLSEXT);\n return false;\n }\n\n return true;\n}\n\nstatic bool ssl_scan_serverhello_tlsext(SSL_HANDSHAKE *hs, const CBS *cbs,\n int *out_alert) {\n CBS extensions = *cbs;\n if (!tls1_check_duplicate_extensions(&extensions)) {\n *out_alert = SSL_AD_DECODE_ERROR;\n return false;\n }\n\n uint32_t received = 0;\n while (CBS_len(&extensions) != 0) {\n uint16_t type;\n CBS extension;\n\n // Decode the next extension.\n if (!CBS_get_u16(&extensions, &type) ||\n !CBS_get_u16_length_prefixed(&extensions, &extension)) {\n *out_alert = SSL_AD_DECODE_ERROR;\n return false;\n }\n\n unsigned ext_index;\n const struct tls_extension *const ext =\n tls_extension_find(&ext_index, type);\n\n if (ext == NULL) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION);\n ERR_add_error_dataf(\"extension %u\", (unsigned)type);\n *out_alert = SSL_AD_UNSUPPORTED_EXTENSION;\n return false;\n }\n\n static_assert(kNumExtensions <= sizeof(hs->extensions.sent) * 8,\n \"too many bits\");\n\n if (!(hs->extensions.sent & (1u << ext_index))) {\n // If the extension was never sent then it is illegal.\n OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION);\n ERR_add_error_dataf(\"extension %u\", (unsigned)type);\n *out_alert = SSL_AD_UNSUPPORTED_EXTENSION;\n return false;\n }\n\n received |= (1u << ext_index);\n\n uint8_t alert = SSL_AD_DECODE_ERROR;\n if (!ext->parse_serverhello(hs, &alert, &extension)) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_ERROR_PARSING_EXTENSION);\n ERR_add_error_dataf(\"extension %u\", (unsigned)type);\n *out_alert = alert;\n return false;\n }\n }\n\n for (size_t i = 0; i < kNumExtensions; i++) {\n if (!(received & (1u << i))) {\n // Extension wasn't observed so call the callback with a NULL\n // parameter.\n uint8_t alert = SSL_AD_DECODE_ERROR;\n if (!kExtensions[i].parse_serverhello(hs, &alert, NULL)) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_MISSING_EXTENSION);\n ERR_add_error_dataf(\"extension %u\", (unsigned)kExtensions[i].value);\n *out_alert = alert;\n return false;\n }\n }\n }\n\n return true;\n}\n\nstatic bool ssl_check_clienthello_tlsext(SSL_HANDSHAKE *hs) {\n SSL *const ssl = hs->ssl;\n int ret = SSL_TLSEXT_ERR_NOACK;\n int al = SSL_AD_UNRECOGNIZED_NAME;\n if (ssl->ctx->servername_callback != 0) {\n ret = ssl->ctx->servername_callback(ssl, &al, ssl->ctx->servername_arg);\n } else if (ssl->session_ctx->servername_callback != 0) {\n ret = ssl->session_ctx->servername_callback(\n ssl, &al, ssl->session_ctx->servername_arg);\n }\n\n switch (ret) {\n case SSL_TLSEXT_ERR_ALERT_FATAL:\n ssl_send_alert(ssl, SSL3_AL_FATAL, al);\n return false;\n\n case SSL_TLSEXT_ERR_NOACK:\n hs->should_ack_sni = false;\n return true;\n\n default:\n hs->should_ack_sni = ssl->s3->hostname != nullptr;\n return true;\n }\n}\n\nstatic bool ssl_check_serverhello_tlsext(SSL_HANDSHAKE *hs) {\n SSL *const ssl = hs->ssl;\n // ALPS and ALPN have a dependency between each other, so we defer checking\n // consistency to after the callbacks run.\n if (hs->new_session != nullptr && hs->new_session->has_application_settings) {\n // ALPN must be negotiated.\n if (ssl->s3->alpn_selected.empty()) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_NEGOTIATED_ALPS_WITHOUT_ALPN);\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);\n return false;\n }\n\n // The negotiated protocol must be one of the ones we advertised for ALPS.\n Span settings;\n if (!ssl_get_local_application_settings(hs, &settings,\n ssl->s3->alpn_selected)) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_ALPN_PROTOCOL);\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);\n return false;\n }\n\n if (!hs->new_session->local_application_settings.CopyFrom(settings)) {\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);\n return false;\n }\n }\n\n return true;\n}\n\nbool ssl_parse_serverhello_tlsext(SSL_HANDSHAKE *hs, const CBS *cbs) {\n SSL *const ssl = hs->ssl;\n int alert = SSL_AD_DECODE_ERROR;\n if (!ssl_scan_serverhello_tlsext(hs, cbs, &alert)) {\n ssl_send_alert(ssl, SSL3_AL_FATAL, alert);\n return false;\n }\n\n if (!ssl_check_serverhello_tlsext(hs)) {\n return false;\n }\n\n return true;\n}\n\nstatic enum ssl_ticket_aead_result_t decrypt_ticket_with_cipher_ctx(\n Array *out, EVP_CIPHER_CTX *cipher_ctx, HMAC_CTX *hmac_ctx,\n Span ticket) {\n size_t iv_len = EVP_CIPHER_CTX_iv_length(cipher_ctx);\n\n // Check the MAC at the end of the ticket.\n uint8_t mac[EVP_MAX_MD_SIZE];\n size_t mac_len = HMAC_size(hmac_ctx);\n if (ticket.size() < SSL_TICKET_KEY_NAME_LEN + iv_len + 1 + mac_len) {\n // The ticket must be large enough for key name, IV, data, and MAC.\n return ssl_ticket_aead_ignore_ticket;\n }\n // Split the ticket into the ticket and the MAC.\n auto ticket_mac = ticket.last(mac_len);\n ticket = ticket.first(ticket.size() - mac_len);\n HMAC_Update(hmac_ctx, ticket.data(), ticket.size());\n HMAC_Final(hmac_ctx, mac, NULL);\n assert(mac_len == ticket_mac.size());\n bool mac_ok = CRYPTO_memcmp(mac, ticket_mac.data(), mac_len) == 0;\n#if defined(BORINGSSL_UNSAFE_FUZZER_MODE)\n mac_ok = true;\n#endif\n if (!mac_ok) {\n return ssl_ticket_aead_ignore_ticket;\n }\n\n // Decrypt the session data.\n auto ciphertext = ticket.subspan(SSL_TICKET_KEY_NAME_LEN + iv_len);\n Array plaintext;\n#if defined(BORINGSSL_UNSAFE_FUZZER_MODE)\n if (!plaintext.CopyFrom(ciphertext)) {\n return ssl_ticket_aead_error;\n }\n#else\n if (ciphertext.size() >= INT_MAX) {\n return ssl_ticket_aead_ignore_ticket;\n }\n if (!plaintext.InitForOverwrite(ciphertext.size())) {\n return ssl_ticket_aead_error;\n }\n int len1, len2;\n if (!EVP_DecryptUpdate(cipher_ctx, plaintext.data(), &len1, ciphertext.data(),\n (int)ciphertext.size()) ||\n !EVP_DecryptFinal_ex(cipher_ctx, plaintext.data() + len1, &len2)) {\n ERR_clear_error();\n return ssl_ticket_aead_ignore_ticket;\n }\n plaintext.Shrink(static_cast(len1) + len2);\n#endif\n\n *out = std::move(plaintext);\n return ssl_ticket_aead_success;\n}\n\nstatic enum ssl_ticket_aead_result_t ssl_decrypt_ticket_with_cb(\n SSL_HANDSHAKE *hs, Array *out, bool *out_renew_ticket,\n Span ticket) {\n assert(ticket.size() >= SSL_TICKET_KEY_NAME_LEN + EVP_MAX_IV_LENGTH);\n ScopedEVP_CIPHER_CTX cipher_ctx;\n ScopedHMAC_CTX hmac_ctx;\n auto name = ticket.subspan(0, SSL_TICKET_KEY_NAME_LEN);\n // The actual IV is shorter, but the length is determined by the callback's\n // chosen cipher. Instead we pass in |EVP_MAX_IV_LENGTH| worth of IV to ensure\n // the callback has enough.\n auto iv = ticket.subspan(SSL_TICKET_KEY_NAME_LEN, EVP_MAX_IV_LENGTH);\n int cb_ret = hs->ssl->session_ctx->ticket_key_cb(\n hs->ssl, const_cast(name.data()),\n const_cast(iv.data()), cipher_ctx.get(), hmac_ctx.get(),\n 0 /* decrypt */);\n if (cb_ret < 0) {\n return ssl_ticket_aead_error;\n } else if (cb_ret == 0) {\n return ssl_ticket_aead_ignore_ticket;\n } else if (cb_ret == 2) {\n *out_renew_ticket = true;\n } else {\n assert(cb_ret == 1);\n }\n return decrypt_ticket_with_cipher_ctx(out, cipher_ctx.get(), hmac_ctx.get(),\n ticket);\n}\n\nstatic enum ssl_ticket_aead_result_t ssl_decrypt_ticket_with_ticket_keys(\n SSL_HANDSHAKE *hs, Array *out, Span ticket) {\n assert(ticket.size() >= SSL_TICKET_KEY_NAME_LEN + EVP_MAX_IV_LENGTH);\n SSL_CTX *ctx = hs->ssl->session_ctx.get();\n\n // Rotate the ticket key if necessary.\n if (!ssl_ctx_rotate_ticket_encryption_key(ctx)) {\n return ssl_ticket_aead_error;\n }\n\n const EVP_CIPHER *cipher = EVP_aes_128_cbc();\n auto name = ticket.subspan(0, SSL_TICKET_KEY_NAME_LEN);\n auto iv =\n ticket.subspan(SSL_TICKET_KEY_NAME_LEN, EVP_CIPHER_iv_length(cipher));\n\n // Pick the matching ticket key and decrypt.\n ScopedEVP_CIPHER_CTX cipher_ctx;\n ScopedHMAC_CTX hmac_ctx;\n {\n MutexReadLock lock(&ctx->lock);\n const TicketKey *key;\n if (ctx->ticket_key_current && name == ctx->ticket_key_current->name) {\n key = ctx->ticket_key_current.get();\n } else if (ctx->ticket_key_prev && name == ctx->ticket_key_prev->name) {\n key = ctx->ticket_key_prev.get();\n } else {\n return ssl_ticket_aead_ignore_ticket;\n }\n if (!HMAC_Init_ex(hmac_ctx.get(), key->hmac_key, sizeof(key->hmac_key),\n tlsext_tick_md(), NULL) ||\n !EVP_DecryptInit_ex(cipher_ctx.get(), cipher, NULL, key->aes_key,\n iv.data())) {\n return ssl_ticket_aead_error;\n }\n }\n return decrypt_ticket_with_cipher_ctx(out, cipher_ctx.get(), hmac_ctx.get(),\n ticket);\n}\n\nstatic enum ssl_ticket_aead_result_t ssl_decrypt_ticket_with_method(\n SSL_HANDSHAKE *hs, Array *out, bool *out_renew_ticket,\n Span ticket) {\n Array plaintext;\n if (!plaintext.InitForOverwrite(ticket.size())) {\n return ssl_ticket_aead_error;\n }\n\n size_t plaintext_len;\n const enum ssl_ticket_aead_result_t result =\n hs->ssl->session_ctx->ticket_aead_method->open(\n hs->ssl, plaintext.data(), &plaintext_len, ticket.size(),\n ticket.data(), ticket.size());\n if (result != ssl_ticket_aead_success) {\n return result;\n }\n\n plaintext.Shrink(plaintext_len);\n *out = std::move(plaintext);\n return ssl_ticket_aead_success;\n}\n\nenum ssl_ticket_aead_result_t ssl_process_ticket(\n SSL_HANDSHAKE *hs, UniquePtr *out_session,\n bool *out_renew_ticket, Span ticket,\n Span session_id) {\n SSL *const ssl = hs->ssl;\n *out_renew_ticket = false;\n out_session->reset();\n\n if ((SSL_get_options(hs->ssl) & SSL_OP_NO_TICKET) ||\n session_id.size() > SSL_MAX_SSL_SESSION_ID_LENGTH) {\n return ssl_ticket_aead_ignore_ticket;\n }\n\n // Tickets in TLS 1.3 are tied into pre-shared keys (PSKs), unlike in TLS 1.2\n // where that concept doesn't exist. The |decrypted_psk| and |ignore_psk|\n // hints only apply to PSKs. We check the version to determine which this is.\n const bool is_psk = ssl_protocol_version(ssl) >= TLS1_3_VERSION;\n\n Array plaintext;\n enum ssl_ticket_aead_result_t result;\n SSL_HANDSHAKE_HINTS *const hints = hs->hints.get();\n if (is_psk && hints && !hs->hints_requested &&\n !hints->decrypted_psk.empty()) {\n result = plaintext.CopyFrom(hints->decrypted_psk) ? ssl_ticket_aead_success\n : ssl_ticket_aead_error;\n } else if (is_psk && hints && !hs->hints_requested && hints->ignore_psk) {\n result = ssl_ticket_aead_ignore_ticket;\n } else if (!is_psk && hints && !hs->hints_requested &&\n !hints->decrypted_ticket.empty()) {\n if (plaintext.CopyFrom(hints->decrypted_ticket)) {\n result = ssl_ticket_aead_success;\n *out_renew_ticket = hints->renew_ticket;\n } else {\n result = ssl_ticket_aead_error;\n }\n } else if (!is_psk && hints && !hs->hints_requested && hints->ignore_ticket) {\n result = ssl_ticket_aead_ignore_ticket;\n } else if (ssl->session_ctx->ticket_aead_method != NULL) {\n result = ssl_decrypt_ticket_with_method(hs, &plaintext, out_renew_ticket,\n ticket);\n } else {\n // Ensure there is room for the key name and the largest IV |ticket_key_cb|\n // may try to consume. The real limit may be lower, but the maximum IV\n // length should be well under the minimum size for the session material and\n // HMAC.\n if (ticket.size() < SSL_TICKET_KEY_NAME_LEN + EVP_MAX_IV_LENGTH) {\n result = ssl_ticket_aead_ignore_ticket;\n } else if (ssl->session_ctx->ticket_key_cb != NULL) {\n result =\n ssl_decrypt_ticket_with_cb(hs, &plaintext, out_renew_ticket, ticket);\n } else {\n result = ssl_decrypt_ticket_with_ticket_keys(hs, &plaintext, ticket);\n }\n }\n\n if (hints && hs->hints_requested) {\n if (result == ssl_ticket_aead_ignore_ticket) {\n if (is_psk) {\n hints->ignore_psk = true;\n } else {\n hints->ignore_ticket = true;\n }\n } else if (result == ssl_ticket_aead_success) {\n if (is_psk) {\n if (!hints->decrypted_psk.CopyFrom(plaintext)) {\n return ssl_ticket_aead_error;\n }\n } else {\n if (!hints->decrypted_ticket.CopyFrom(plaintext)) {\n return ssl_ticket_aead_error;\n }\n hints->renew_ticket = *out_renew_ticket;\n }\n }\n }\n\n if (result != ssl_ticket_aead_success) {\n return result;\n }\n\n // Decode the session.\n UniquePtr session(SSL_SESSION_from_bytes(\n plaintext.data(), plaintext.size(), ssl->ctx.get()));\n if (!session) {\n ERR_clear_error(); // Don't leave an error on the queue.\n return ssl_ticket_aead_ignore_ticket;\n }\n\n // Envoy's tests expect the session to have a session ID that matches the\n // placeholder used by the client. It's unclear whether this is a good idea,\n // but we maintain it for now.\n session->session_id.ResizeForOverwrite(SHA256_DIGEST_LENGTH);\n SHA256(ticket.data(), ticket.size(), session->session_id.data());\n\n *out_session = std::move(session);\n return ssl_ticket_aead_success;\n}\n\nbool tls1_parse_peer_sigalgs(SSL_HANDSHAKE *hs, const CBS *in_sigalgs) {\n // Extension ignored for inappropriate versions\n if (ssl_protocol_version(hs->ssl) < TLS1_2_VERSION) {\n return true;\n }\n\n // In all contexts, the signature algorithms list may not be empty. (It may be\n // omitted by clients in TLS 1.2, but then the entire extension is omitted.)\n return CBS_len(in_sigalgs) != 0 &&\n parse_u16_array(in_sigalgs, &hs->peer_sigalgs);\n}\n\nbool tls1_get_legacy_signature_algorithm(uint16_t *out, const EVP_PKEY *pkey) {\n switch (EVP_PKEY_id(pkey)) {\n case EVP_PKEY_RSA:\n *out = SSL_SIGN_RSA_PKCS1_MD5_SHA1;\n return true;\n case EVP_PKEY_EC:\n *out = SSL_SIGN_ECDSA_SHA1;\n return true;\n default:\n return false;\n }\n}\n\nbool tls1_choose_signature_algorithm(SSL_HANDSHAKE *hs,\n const SSL_CREDENTIAL *cred,\n uint16_t *out) {\n SSL *const ssl = hs->ssl;\n if (!cred->UsesPrivateKey()) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_UNKNOWN_CERTIFICATE_TYPE);\n return false;\n }\n\n // Before TLS 1.2, the signature algorithm isn't negotiated as part of the\n // handshake.\n uint16_t version = ssl_protocol_version(ssl);\n if (version < TLS1_2_VERSION) {\n if (!tls1_get_legacy_signature_algorithm(out, cred->pubkey.get())) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_NO_COMMON_SIGNATURE_ALGORITHMS);\n return false;\n }\n return true;\n }\n\n Span peer_sigalgs;\n if (cred->type == SSLCredentialType::kDelegated) {\n peer_sigalgs = hs->peer_delegated_credential_sigalgs;\n } else {\n peer_sigalgs = hs->peer_sigalgs;\n if (peer_sigalgs.empty() && version == TLS1_2_VERSION) {\n // If the client didn't specify any signature_algorithms extension, it is\n // interpreted as SHA-1. See\n // http://tools.ietf.org/html/rfc5246#section-7.4.1.4.1\n static const uint16_t kTLS12Default[] = {SSL_SIGN_RSA_PKCS1_SHA1,\n SSL_SIGN_ECDSA_SHA1};\n peer_sigalgs = kTLS12Default;\n }\n }\n\n Span sigalgs =\n cred->sigalgs.empty() ? Span(kSignSignatureAlgorithms) : cred->sigalgs;\n for (uint16_t sigalg : sigalgs) {\n if (!ssl_pkey_supports_algorithm(ssl, cred->pubkey.get(), sigalg,\n /*is_verify=*/false)) {\n continue;\n }\n\n if (std::find(peer_sigalgs.begin(), peer_sigalgs.end(), sigalg) !=\n peer_sigalgs.end()) {\n *out = sigalg;\n return true;\n }\n }\n\n OPENSSL_PUT_ERROR(SSL, SSL_R_NO_COMMON_SIGNATURE_ALGORITHMS);\n return false;\n}\n\nbool tls1_verify_channel_id(SSL_HANDSHAKE *hs, const SSLMessage &msg) {\n SSL *const ssl = hs->ssl;\n // A Channel ID handshake message is structured to contain multiple\n // extensions, but the only one that can be present is Channel ID.\n uint16_t extension_type;\n CBS channel_id = msg.body, extension;\n if (!CBS_get_u16(&channel_id, &extension_type) || //\n !CBS_get_u16_length_prefixed(&channel_id, &extension) || //\n CBS_len(&channel_id) != 0 || //\n extension_type != TLSEXT_TYPE_channel_id || //\n CBS_len(&extension) != TLSEXT_CHANNEL_ID_SIZE) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);\n return false;\n }\n\n const EC_GROUP *p256 = EC_group_p256();\n UniquePtr sig(ECDSA_SIG_new());\n UniquePtr x(BN_new()), y(BN_new());\n if (!sig || !x || !y) {\n return false;\n }\n\n const uint8_t *p = CBS_data(&extension);\n if (BN_bin2bn(p + 0, 32, x.get()) == NULL ||\n BN_bin2bn(p + 32, 32, y.get()) == NULL ||\n BN_bin2bn(p + 64, 32, sig->r) == NULL ||\n BN_bin2bn(p + 96, 32, sig->s) == NULL) {\n return false;\n }\n\n UniquePtr key(EC_KEY_new());\n UniquePtr point(EC_POINT_new(p256));\n if (!key || !point ||\n !EC_POINT_set_affine_coordinates_GFp(p256, point.get(), x.get(), y.get(),\n nullptr) ||\n !EC_KEY_set_group(key.get(), p256) ||\n !EC_KEY_set_public_key(key.get(), point.get())) {\n return false;\n }\n\n uint8_t digest[EVP_MAX_MD_SIZE];\n size_t digest_len;\n if (!tls1_channel_id_hash(hs, digest, &digest_len)) {\n return false;\n }\n\n bool sig_ok = ECDSA_do_verify(digest, digest_len, sig.get(), key.get());\n#if defined(BORINGSSL_UNSAFE_FUZZER_MODE)\n sig_ok = true;\n ERR_clear_error();\n#endif\n if (!sig_ok) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_CHANNEL_ID_SIGNATURE_INVALID);\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECRYPT_ERROR);\n return false;\n }\n\n OPENSSL_memcpy(ssl->s3->channel_id, p, 64);\n ssl->s3->channel_id_valid = true;\n return true;\n}\n\nbool tls1_write_channel_id(SSL_HANDSHAKE *hs, CBB *cbb) {\n uint8_t digest[EVP_MAX_MD_SIZE];\n size_t digest_len;\n if (!tls1_channel_id_hash(hs, digest, &digest_len)) {\n return false;\n }\n\n EC_KEY *ec_key = EVP_PKEY_get0_EC_KEY(hs->config->channel_id_private.get());\n if (ec_key == nullptr) {\n OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);\n return false;\n }\n\n UniquePtr x(BN_new()), y(BN_new());\n if (!x || !y ||\n !EC_POINT_get_affine_coordinates_GFp(EC_KEY_get0_group(ec_key),\n EC_KEY_get0_public_key(ec_key),\n x.get(), y.get(), nullptr)) {\n return false;\n }\n\n UniquePtr sig(ECDSA_do_sign(digest, digest_len, ec_key));\n if (!sig) {\n return false;\n }\n\n CBB child;\n if (!CBB_add_u16(cbb, TLSEXT_TYPE_channel_id) || //\n !CBB_add_u16_length_prefixed(cbb, &child) || //\n !BN_bn2cbb_padded(&child, 32, x.get()) || //\n !BN_bn2cbb_padded(&child, 32, y.get()) || //\n !BN_bn2cbb_padded(&child, 32, sig->r) || //\n !BN_bn2cbb_padded(&child, 32, sig->s) || //\n !CBB_flush(cbb)) {\n return false;\n }\n\n return true;\n}\n\nbool tls1_channel_id_hash(SSL_HANDSHAKE *hs, uint8_t *out, size_t *out_len) {\n SSL *const ssl = hs->ssl;\n if (ssl_protocol_version(ssl) >= TLS1_3_VERSION) {\n Array msg;\n if (!tls13_get_cert_verify_signature_input(hs, &msg,\n ssl_cert_verify_channel_id)) {\n return false;\n }\n SHA256(msg.data(), msg.size(), out);\n *out_len = SHA256_DIGEST_LENGTH;\n return true;\n }\n\n SHA256_CTX ctx;\n\n SHA256_Init(&ctx);\n static const char kClientIDMagic[] = \"TLS Channel ID signature\";\n SHA256_Update(&ctx, kClientIDMagic, sizeof(kClientIDMagic));\n\n if (ssl->session != NULL) {\n static const char kResumptionMagic[] = \"Resumption\";\n SHA256_Update(&ctx, kResumptionMagic, sizeof(kResumptionMagic));\n if (ssl->session->original_handshake_hash.empty()) {\n OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);\n return false;\n }\n SHA256_Update(&ctx, ssl->session->original_handshake_hash.data(),\n ssl->session->original_handshake_hash.size());\n }\n\n uint8_t hs_hash[EVP_MAX_MD_SIZE];\n size_t hs_hash_len;\n if (!hs->transcript.GetHash(hs_hash, &hs_hash_len)) {\n return false;\n }\n SHA256_Update(&ctx, hs_hash, (size_t)hs_hash_len);\n SHA256_Final(out, &ctx);\n *out_len = SHA256_DIGEST_LENGTH;\n return true;\n}\n\nbool tls1_record_handshake_hashes_for_channel_id(SSL_HANDSHAKE *hs) {\n SSL *const ssl = hs->ssl;\n // This function should never be called for a resumed session because the\n // handshake hashes that we wish to record are for the original, full\n // handshake.\n if (ssl->session != NULL) {\n return false;\n }\n\n size_t digest_len;\n hs->new_session->original_handshake_hash.ResizeForOverwrite(\n hs->transcript.DigestLen());\n if (!hs->transcript.GetHash(hs->new_session->original_handshake_hash.data(),\n &digest_len)) {\n return false;\n }\n assert(digest_len == hs->new_session->original_handshake_hash.size());\n return true;\n}\n\nbool ssl_is_sct_list_valid(const CBS *contents) {\n // Shallow parse the SCT list for sanity. By the RFC\n // (https://tools.ietf.org/html/rfc6962#section-3.3) neither the list nor any\n // of the SCTs may be empty.\n CBS copy = *contents;\n CBS sct_list;\n if (!CBS_get_u16_length_prefixed(©, &sct_list) || CBS_len(©) != 0 ||\n CBS_len(&sct_list) == 0) {\n return false;\n }\n\n while (CBS_len(&sct_list) > 0) {\n CBS sct;\n if (!CBS_get_u16_length_prefixed(&sct_list, &sct) || CBS_len(&sct) == 0) {\n return false;\n }\n }\n\n return true;\n}\n\nBSSL_NAMESPACE_END\n\nusing namespace bssl;\n\nint SSL_early_callback_ctx_extension_get(const SSL_CLIENT_HELLO *client_hello,\n uint16_t extension_type,\n const uint8_t **out_data,\n size_t *out_len) {\n CBS cbs;\n if (!ssl_client_hello_get_extension(client_hello, &cbs, extension_type)) {\n return 0;\n }\n\n *out_data = CBS_data(&cbs);\n *out_len = CBS_len(&cbs);\n return 1;\n}\n" }, { "path": "Sources/CNIOBoringSSL/ssl/handoff.cc", "content": "/* Copyright 2018 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n#include \n\n#include \n#include \n\n#include \"../crypto/internal.h\"\n#include \"internal.h\"\n\n\nBSSL_NAMESPACE_BEGIN\n\nconstexpr int kHandoffVersion = 0;\nconstexpr int kHandbackVersion = 0;\n\nstatic const CBS_ASN1_TAG kHandoffTagALPS = CBS_ASN1_CONTEXT_SPECIFIC | 0;\n\n// early_data_t represents the state of early data in a more compact way than\n// the 3 bits used by the implementation.\nenum early_data_t {\n early_data_not_offered = 0,\n early_data_accepted = 1,\n early_data_rejected_hrr = 2,\n early_data_skipped = 3,\n\n early_data_max_value = early_data_skipped,\n};\n\n// serialize_features adds a description of features supported by this binary to\n// |out|. Returns true on success and false on error.\nstatic bool serialize_features(CBB *out) {\n CBB ciphers;\n if (!CBB_add_asn1(out, &ciphers, CBS_ASN1_OCTETSTRING)) {\n return false;\n }\n Span all_ciphers = AllCiphers();\n for (const SSL_CIPHER &cipher : all_ciphers) {\n if (!CBB_add_u16(&ciphers, static_cast(cipher.id))) {\n return false;\n }\n }\n CBB groups;\n if (!CBB_add_asn1(out, &groups, CBS_ASN1_OCTETSTRING)) {\n return false;\n }\n for (const NamedGroup &g : NamedGroups()) {\n if (!CBB_add_u16(&groups, g.group_id)) {\n return false;\n }\n }\n // ALPS is a draft protocol and may change over time. The handoff structure\n // contains a [0] IMPLICIT OCTET STRING OPTIONAL, containing a list of u16\n // ALPS versions that the binary supports. For now we name them by codepoint.\n // Once ALPS is finalized and past the support horizon, this field can be\n // removed.\n CBB alps;\n if (!CBB_add_asn1(out, &alps, kHandoffTagALPS) ||\n !CBB_add_u16(&alps, TLSEXT_TYPE_application_settings_old) ||\n !CBB_add_u16(&alps, TLSEXT_TYPE_application_settings)) {\n return false;\n }\n return CBB_flush(out);\n}\n\nbool SSL_serialize_handoff(const SSL *ssl, CBB *out,\n SSL_CLIENT_HELLO *out_hello) {\n const SSL3_STATE *const s3 = ssl->s3;\n if (!ssl->server || //\n s3->hs == nullptr || //\n s3->rwstate != SSL_ERROR_HANDOFF) {\n return false;\n }\n\n CBB seq;\n SSLMessage msg;\n Span transcript = s3->hs->transcript.buffer();\n\n if (!CBB_add_asn1(out, &seq, CBS_ASN1_SEQUENCE) ||\n !CBB_add_asn1_uint64(&seq, kHandoffVersion) ||\n !CBB_add_asn1_octet_string(&seq, transcript.data(), transcript.size()) ||\n !CBB_add_asn1_octet_string(&seq,\n reinterpret_cast(s3->hs_buf->data),\n s3->hs_buf->length) ||\n !serialize_features(&seq) || !CBB_flush(out) ||\n !ssl->method->get_message(ssl, &msg) ||\n !ssl_client_hello_init(ssl, out_hello, msg.body)) {\n return false;\n }\n\n return true;\n}\n\nbool SSL_decline_handoff(SSL *ssl) {\n const SSL3_STATE *const s3 = ssl->s3;\n if (!ssl->server || s3->hs == nullptr || s3->rwstate != SSL_ERROR_HANDOFF) {\n return false;\n }\n\n s3->hs->config->handoff = false;\n return true;\n}\n\n// apply_remote_features reads a list of supported features from |in| and\n// (possibly) reconfigures |ssl| to disallow the negotation of features whose\n// support has not been indicated. (This prevents the the handshake from\n// committing to features that are not supported on the handoff/handback side.)\nstatic bool apply_remote_features(SSL *ssl, CBS *in) {\n CBS ciphers;\n if (!CBS_get_asn1(in, &ciphers, CBS_ASN1_OCTETSTRING)) {\n return false;\n }\n bssl::UniquePtr supported(sk_SSL_CIPHER_new_null());\n if (!supported) {\n return false;\n }\n while (CBS_len(&ciphers)) {\n uint16_t id;\n if (!CBS_get_u16(&ciphers, &id)) {\n return false;\n }\n const SSL_CIPHER *cipher = SSL_get_cipher_by_value(id);\n if (!cipher) {\n continue;\n }\n if (!sk_SSL_CIPHER_push(supported.get(), cipher)) {\n return false;\n }\n }\n STACK_OF(SSL_CIPHER) *configured =\n ssl->config->cipher_list ? ssl->config->cipher_list->ciphers.get()\n : ssl->ctx->cipher_list->ciphers.get();\n bssl::UniquePtr unsupported(sk_SSL_CIPHER_new_null());\n if (!unsupported) {\n return false;\n }\n for (const SSL_CIPHER *configured_cipher : configured) {\n if (sk_SSL_CIPHER_find(supported.get(), nullptr, configured_cipher)) {\n continue;\n }\n if (!sk_SSL_CIPHER_push(unsupported.get(), configured_cipher)) {\n return false;\n }\n }\n if (sk_SSL_CIPHER_num(unsupported.get()) && !ssl->config->cipher_list) {\n ssl->config->cipher_list = bssl::MakeUnique();\n if (!ssl->config->cipher_list ||\n !ssl->config->cipher_list->Init(*ssl->ctx->cipher_list)) {\n return false;\n }\n }\n for (const SSL_CIPHER *unsupported_cipher : unsupported.get()) {\n ssl->config->cipher_list->Remove(unsupported_cipher);\n }\n if (sk_SSL_CIPHER_num(SSL_get_ciphers(ssl)) == 0) {\n return false;\n }\n\n CBS groups;\n if (!CBS_get_asn1(in, &groups, CBS_ASN1_OCTETSTRING)) {\n return false;\n }\n Array supported_groups;\n if (!supported_groups.InitForOverwrite(CBS_len(&groups) / 2)) {\n return false;\n }\n size_t idx = 0;\n while (CBS_len(&groups)) {\n uint16_t group;\n if (!CBS_get_u16(&groups, &group)) {\n return false;\n }\n supported_groups[idx++] = group;\n }\n Span configured_groups =\n tls1_get_grouplist(ssl->s3->hs.get());\n Array new_configured_groups;\n if (!new_configured_groups.InitForOverwrite(configured_groups.size())) {\n return false;\n }\n idx = 0;\n for (uint16_t configured_group : configured_groups) {\n bool ok = false;\n for (uint16_t supported_group : supported_groups) {\n if (supported_group == configured_group) {\n ok = true;\n break;\n }\n }\n if (ok) {\n new_configured_groups[idx++] = configured_group;\n }\n }\n if (idx == 0) {\n return false;\n }\n new_configured_groups.Shrink(idx);\n ssl->config->supported_group_list = std::move(new_configured_groups);\n\n CBS alps;\n CBS_init(&alps, nullptr, 0);\n if (!CBS_get_optional_asn1(in, &alps, /*out_present=*/nullptr,\n kHandoffTagALPS)) {\n return false;\n }\n bool supports_alps = false;\n while (CBS_len(&alps) != 0) {\n uint16_t id;\n if (!CBS_get_u16(&alps, &id)) {\n return false;\n }\n // For now, we support two ALPS codepoints, so we need to extract both\n // codepoints, and then filter what the handshaker might try to send.\n if ((id == TLSEXT_TYPE_application_settings &&\n ssl->config->alps_use_new_codepoint) ||\n (id == TLSEXT_TYPE_application_settings_old &&\n !ssl->config->alps_use_new_codepoint)) {\n supports_alps = true;\n break;\n }\n }\n if (!supports_alps) {\n ssl->config->alps_configs.clear();\n }\n\n return true;\n}\n\n// uses_disallowed_feature returns true iff |ssl| enables a feature that\n// disqualifies it for split handshakes.\nstatic bool uses_disallowed_feature(const SSL *ssl) {\n return ssl->method->is_dtls || !ssl->config->cert->credentials.empty() ||\n ssl->config->quic_transport_params.size() > 0 || ssl->ctx->ech_keys;\n}\n\nbool SSL_apply_handoff(SSL *ssl, Span handoff) {\n if (uses_disallowed_feature(ssl)) {\n return false;\n }\n\n CBS seq, handoff_cbs(handoff);\n uint64_t handoff_version;\n if (!CBS_get_asn1(&handoff_cbs, &seq, CBS_ASN1_SEQUENCE) ||\n !CBS_get_asn1_uint64(&seq, &handoff_version) ||\n handoff_version != kHandoffVersion) {\n return false;\n }\n\n CBS transcript, hs_buf;\n if (!CBS_get_asn1(&seq, &transcript, CBS_ASN1_OCTETSTRING) ||\n !CBS_get_asn1(&seq, &hs_buf, CBS_ASN1_OCTETSTRING) ||\n !apply_remote_features(ssl, &seq)) {\n return false;\n }\n\n SSL_set_accept_state(ssl);\n\n SSL3_STATE *const s3 = ssl->s3;\n s3->v2_hello_done = true;\n s3->has_message = true;\n\n s3->hs_buf.reset(BUF_MEM_new());\n if (!s3->hs_buf ||\n !BUF_MEM_append(s3->hs_buf.get(), CBS_data(&hs_buf), CBS_len(&hs_buf))) {\n return false;\n }\n\n if (CBS_len(&transcript) != 0) {\n s3->hs->transcript.Update(transcript);\n s3->is_v2_hello = true;\n }\n s3->hs->handback = true;\n\n return true;\n}\n\nbool SSL_serialize_handback(const SSL *ssl, CBB *out) {\n if (!ssl->server || uses_disallowed_feature(ssl)) {\n return false;\n }\n const SSL3_STATE *const s3 = ssl->s3;\n SSL_HANDSHAKE *const hs = s3->hs.get();\n handback_t type;\n switch (hs->state) {\n case state12_read_change_cipher_spec:\n type = handback_after_session_resumption;\n break;\n case state12_read_client_certificate:\n type = handback_after_ecdhe;\n break;\n case state12_finish_server_handshake:\n type = handback_after_handshake;\n break;\n case state12_tls13:\n if (hs->tls13_state != state13_send_half_rtt_ticket) {\n return false;\n }\n type = handback_tls13;\n break;\n default:\n return false;\n }\n\n size_t hostname_len = 0;\n if (s3->hostname) {\n hostname_len = strlen(s3->hostname.get());\n }\n\n Span transcript;\n if (type != handback_after_handshake) {\n transcript = s3->hs->transcript.buffer();\n }\n size_t write_iv_len = 0;\n const uint8_t *write_iv = nullptr;\n if ((type == handback_after_session_resumption ||\n type == handback_after_handshake) &&\n ssl->s3->version == TLS1_VERSION &&\n SSL_CIPHER_is_block_cipher(s3->aead_write_ctx->cipher()) &&\n !s3->aead_write_ctx->GetIV(&write_iv, &write_iv_len)) {\n return false;\n }\n size_t read_iv_len = 0;\n const uint8_t *read_iv = nullptr;\n if (type == handback_after_handshake && //\n ssl->s3->version == TLS1_VERSION && //\n SSL_CIPHER_is_block_cipher(s3->aead_read_ctx->cipher()) && //\n !s3->aead_read_ctx->GetIV(&read_iv, &read_iv_len)) {\n return false;\n }\n\n // TODO(mab): make sure everything is serialized.\n CBB seq, key_share;\n const SSL_SESSION *session;\n if (type == handback_tls13) {\n session = hs->new_session.get();\n } else {\n session = s3->session_reused ? ssl->session.get() : hs->new_session.get();\n }\n uint8_t read_sequence[8], write_sequence[8];\n CRYPTO_store_u64_be(read_sequence, s3->read_sequence);\n CRYPTO_store_u64_be(write_sequence, s3->write_sequence);\n static const uint8_t kUnusedChannelID[64] = {0};\n if (!CBB_add_asn1(out, &seq, CBS_ASN1_SEQUENCE) ||\n !CBB_add_asn1_uint64(&seq, kHandbackVersion) ||\n !CBB_add_asn1_uint64(&seq, type) ||\n !CBB_add_asn1_octet_string(&seq, read_sequence, sizeof(read_sequence)) ||\n !CBB_add_asn1_octet_string(&seq, write_sequence,\n sizeof(write_sequence)) ||\n !CBB_add_asn1_octet_string(&seq, s3->server_random,\n sizeof(s3->server_random)) ||\n !CBB_add_asn1_octet_string(&seq, s3->client_random,\n sizeof(s3->client_random)) ||\n !CBB_add_asn1_octet_string(&seq, read_iv, read_iv_len) ||\n !CBB_add_asn1_octet_string(&seq, write_iv, write_iv_len) ||\n !CBB_add_asn1_bool(&seq, s3->session_reused) ||\n !CBB_add_asn1_bool(&seq, hs->channel_id_negotiated) ||\n !ssl_session_serialize(session, &seq) ||\n !CBB_add_asn1_octet_string(&seq, s3->next_proto_negotiated.data(),\n s3->next_proto_negotiated.size()) ||\n !CBB_add_asn1_octet_string(&seq, s3->alpn_selected.data(),\n s3->alpn_selected.size()) ||\n !CBB_add_asn1_octet_string(\n &seq, reinterpret_cast(s3->hostname.get()),\n hostname_len) ||\n !CBB_add_asn1_octet_string(&seq, kUnusedChannelID,\n sizeof(kUnusedChannelID)) ||\n // These two fields were historically |token_binding_negotiated| and\n // |negotiated_token_binding_param|.\n !CBB_add_asn1_bool(&seq, 0) || //\n !CBB_add_asn1_uint64(&seq, 0) ||\n !CBB_add_asn1_bool(&seq, s3->hs->next_proto_neg_seen) ||\n !CBB_add_asn1_bool(&seq, s3->hs->cert_request) ||\n !CBB_add_asn1_bool(&seq, s3->hs->extended_master_secret) ||\n !CBB_add_asn1_bool(&seq, s3->hs->ticket_expected) ||\n !CBB_add_asn1_uint64(&seq, SSL_CIPHER_get_id(s3->hs->new_cipher)) ||\n !CBB_add_asn1_octet_string(&seq, transcript.data(), transcript.size()) ||\n !CBB_add_asn1(&seq, &key_share, CBS_ASN1_SEQUENCE)) {\n return false;\n }\n if (type == handback_after_ecdhe) {\n CBB private_key;\n if (!CBB_add_asn1_uint64(&key_share, s3->hs->key_shares[0]->GroupID()) ||\n !CBB_add_asn1(&key_share, &private_key, CBS_ASN1_OCTETSTRING) ||\n !s3->hs->key_shares[0]->SerializePrivateKey(&private_key) ||\n !CBB_flush(&key_share)) {\n return false;\n }\n }\n if (type == handback_tls13) {\n early_data_t early_data;\n // Check early data invariants.\n if (ssl->enable_early_data ==\n (s3->early_data_reason == ssl_early_data_disabled)) {\n return false;\n }\n if (hs->early_data_offered) {\n if (s3->early_data_accepted && !s3->skip_early_data) {\n early_data = early_data_accepted;\n } else if (!s3->early_data_accepted && !s3->skip_early_data) {\n early_data = early_data_rejected_hrr;\n } else if (!s3->early_data_accepted && s3->skip_early_data) {\n early_data = early_data_skipped;\n } else {\n return false;\n }\n } else if (!s3->early_data_accepted && !s3->skip_early_data) {\n early_data = early_data_not_offered;\n } else {\n return false;\n }\n if (!CBB_add_asn1_octet_string(&seq, hs->client_traffic_secret_0.data(),\n hs->client_traffic_secret_0.size()) ||\n !CBB_add_asn1_octet_string(&seq, hs->server_traffic_secret_0.data(),\n hs->server_traffic_secret_0.size()) ||\n !CBB_add_asn1_octet_string(&seq, hs->client_handshake_secret.data(),\n hs->client_handshake_secret.size()) ||\n !CBB_add_asn1_octet_string(&seq, hs->server_handshake_secret.data(),\n hs->server_handshake_secret.size()) ||\n !CBB_add_asn1_octet_string(&seq, hs->secret.data(),\n hs->secret.size()) ||\n !CBB_add_asn1_octet_string(&seq, s3->exporter_secret.data(),\n s3->exporter_secret.size()) ||\n !CBB_add_asn1_bool(&seq, s3->used_hello_retry_request) ||\n !CBB_add_asn1_bool(&seq, hs->accept_psk_mode) ||\n !CBB_add_asn1_int64(&seq, s3->ticket_age_skew) ||\n !CBB_add_asn1_uint64(&seq, s3->early_data_reason) ||\n !CBB_add_asn1_uint64(&seq, early_data)) {\n return false;\n }\n if (early_data == early_data_accepted &&\n !CBB_add_asn1_octet_string(&seq, hs->early_traffic_secret.data(),\n hs->early_traffic_secret.size())) {\n return false;\n }\n\n if (session->has_application_settings) {\n uint16_t alps_codepoint = TLSEXT_TYPE_application_settings_old;\n if (hs->config->alps_use_new_codepoint) {\n alps_codepoint = TLSEXT_TYPE_application_settings;\n }\n if (!CBB_add_asn1_uint64(&seq, alps_codepoint)) {\n return false;\n }\n }\n }\n return CBB_flush(out);\n}\n\nstatic bool CopyExact(Span out, const CBS *in) {\n if (CBS_len(in) != out.size()) {\n return false;\n }\n OPENSSL_memcpy(out.data(), CBS_data(in), out.size());\n return true;\n}\n\nbool SSL_apply_handback(SSL *ssl, Span handback) {\n if (ssl->do_handshake != nullptr || //\n ssl->method->is_dtls) {\n return false;\n }\n\n SSL3_STATE *const s3 = ssl->s3;\n uint64_t handback_version, unused_token_binding_param, cipher, type_u64,\n alps_codepoint;\n\n CBS seq, read_seq, write_seq, server_rand, client_rand, read_iv, write_iv,\n next_proto, alpn, hostname, unused_channel_id, transcript, key_share;\n int session_reused, channel_id_negotiated, cert_request,\n extended_master_secret, ticket_expected, unused_token_binding,\n next_proto_neg_seen;\n SSL_SESSION *session = nullptr;\n\n CBS handback_cbs(handback);\n if (!CBS_get_asn1(&handback_cbs, &seq, CBS_ASN1_SEQUENCE) || //\n !CBS_get_asn1_uint64(&seq, &handback_version) || //\n handback_version != kHandbackVersion || //\n !CBS_get_asn1_uint64(&seq, &type_u64) || //\n type_u64 > handback_max_value) {\n return false;\n }\n\n handback_t type = static_cast(type_u64);\n if (!CBS_get_asn1(&seq, &read_seq, CBS_ASN1_OCTETSTRING) ||\n CBS_len(&read_seq) != sizeof(s3->read_sequence) ||\n !CBS_get_asn1(&seq, &write_seq, CBS_ASN1_OCTETSTRING) ||\n CBS_len(&write_seq) != sizeof(s3->write_sequence) ||\n !CBS_get_asn1(&seq, &server_rand, CBS_ASN1_OCTETSTRING) ||\n CBS_len(&server_rand) != sizeof(s3->server_random) ||\n !CBS_copy_bytes(&server_rand, s3->server_random,\n sizeof(s3->server_random)) ||\n !CBS_get_asn1(&seq, &client_rand, CBS_ASN1_OCTETSTRING) ||\n CBS_len(&client_rand) != sizeof(s3->client_random) ||\n !CBS_copy_bytes(&client_rand, s3->client_random,\n sizeof(s3->client_random)) ||\n !CBS_get_asn1(&seq, &read_iv, CBS_ASN1_OCTETSTRING) ||\n !CBS_get_asn1(&seq, &write_iv, CBS_ASN1_OCTETSTRING) ||\n !CBS_get_asn1_bool(&seq, &session_reused) ||\n !CBS_get_asn1_bool(&seq, &channel_id_negotiated)) {\n return false;\n }\n\n s3->hs = ssl_handshake_new(ssl);\n if (!s3->hs) {\n return false;\n }\n SSL_HANDSHAKE *const hs = s3->hs.get();\n if (!session_reused || type == handback_tls13) {\n hs->new_session =\n SSL_SESSION_parse(&seq, ssl->ctx->x509_method, ssl->ctx->pool);\n session = hs->new_session.get();\n } else {\n ssl->session =\n SSL_SESSION_parse(&seq, ssl->ctx->x509_method, ssl->ctx->pool);\n session = ssl->session.get();\n }\n\n if (!session || !CBS_get_asn1(&seq, &next_proto, CBS_ASN1_OCTETSTRING) ||\n !CBS_get_asn1(&seq, &alpn, CBS_ASN1_OCTETSTRING) ||\n !CBS_get_asn1(&seq, &hostname, CBS_ASN1_OCTETSTRING) ||\n !CBS_get_asn1(&seq, &unused_channel_id, CBS_ASN1_OCTETSTRING) ||\n !CBS_get_asn1_bool(&seq, &unused_token_binding) ||\n !CBS_get_asn1_uint64(&seq, &unused_token_binding_param) ||\n !CBS_get_asn1_bool(&seq, &next_proto_neg_seen) ||\n !CBS_get_asn1_bool(&seq, &cert_request) ||\n !CBS_get_asn1_bool(&seq, &extended_master_secret) ||\n !CBS_get_asn1_bool(&seq, &ticket_expected) ||\n !CBS_get_asn1_uint64(&seq, &cipher)) {\n return false;\n }\n if ((hs->new_cipher =\n SSL_get_cipher_by_value(static_cast(cipher))) == nullptr) {\n return false;\n }\n if (!CBS_get_asn1(&seq, &transcript, CBS_ASN1_OCTETSTRING) ||\n !CBS_get_asn1(&seq, &key_share, CBS_ASN1_SEQUENCE)) {\n return false;\n }\n CBS client_handshake_secret, server_handshake_secret, client_traffic_secret_0,\n server_traffic_secret_0, secret, exporter_secret, early_traffic_secret;\n if (type == handback_tls13) {\n int used_hello_retry_request, accept_psk_mode;\n uint64_t early_data, early_data_reason;\n int64_t ticket_age_skew;\n if (!CBS_get_asn1(&seq, &client_traffic_secret_0, CBS_ASN1_OCTETSTRING) ||\n !CBS_get_asn1(&seq, &server_traffic_secret_0, CBS_ASN1_OCTETSTRING) ||\n !CBS_get_asn1(&seq, &client_handshake_secret, CBS_ASN1_OCTETSTRING) ||\n !CBS_get_asn1(&seq, &server_handshake_secret, CBS_ASN1_OCTETSTRING) ||\n !CBS_get_asn1(&seq, &secret, CBS_ASN1_OCTETSTRING) ||\n !CBS_get_asn1(&seq, &exporter_secret, CBS_ASN1_OCTETSTRING) ||\n !CBS_get_asn1_bool(&seq, &used_hello_retry_request) ||\n !CBS_get_asn1_bool(&seq, &accept_psk_mode) ||\n !CBS_get_asn1_int64(&seq, &ticket_age_skew) ||\n !CBS_get_asn1_uint64(&seq, &early_data_reason) ||\n early_data_reason > ssl_early_data_reason_max_value ||\n !CBS_get_asn1_uint64(&seq, &early_data) ||\n early_data > early_data_max_value) {\n return false;\n }\n early_data_t early_data_type = static_cast(early_data);\n if (early_data_type == early_data_accepted &&\n !CBS_get_asn1(&seq, &early_traffic_secret, CBS_ASN1_OCTETSTRING)) {\n return false;\n }\n\n if (session->has_application_settings) {\n // Making it optional to keep compatibility with older handshakers.\n // Older handshakers won't send the field.\n if (CBS_len(&seq) == 0) {\n hs->config->alps_use_new_codepoint = false;\n } else {\n if (!CBS_get_asn1_uint64(&seq, &alps_codepoint)) {\n return false;\n }\n\n if (alps_codepoint == TLSEXT_TYPE_application_settings) {\n hs->config->alps_use_new_codepoint = true;\n } else if (alps_codepoint == TLSEXT_TYPE_application_settings_old) {\n hs->config->alps_use_new_codepoint = false;\n } else {\n OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_ALPS_CODEPOINT);\n return false;\n }\n }\n }\n\n if (ticket_age_skew > std::numeric_limits::max() ||\n ticket_age_skew < std::numeric_limits::min()) {\n return false;\n }\n s3->ticket_age_skew = static_cast(ticket_age_skew);\n s3->used_hello_retry_request = used_hello_retry_request;\n hs->accept_psk_mode = accept_psk_mode;\n\n s3->early_data_reason =\n static_cast(early_data_reason);\n ssl->enable_early_data = s3->early_data_reason != ssl_early_data_disabled;\n s3->skip_early_data = false;\n s3->early_data_accepted = false;\n hs->early_data_offered = false;\n switch (early_data_type) {\n case early_data_not_offered:\n break;\n case early_data_accepted:\n s3->early_data_accepted = true;\n hs->early_data_offered = true;\n hs->can_early_write = true;\n hs->can_early_read = true;\n hs->in_early_data = true;\n break;\n case early_data_rejected_hrr:\n hs->early_data_offered = true;\n break;\n case early_data_skipped:\n s3->skip_early_data = true;\n hs->early_data_offered = true;\n break;\n default:\n return false;\n }\n } else {\n s3->early_data_reason = ssl_early_data_protocol_version;\n }\n\n ssl->s3->version = session->ssl_version;\n if (!ssl_method_supports_version(ssl->method, ssl->s3->version) ||\n session->cipher != hs->new_cipher ||\n ssl_protocol_version(ssl) < SSL_CIPHER_get_min_version(session->cipher) ||\n SSL_CIPHER_get_max_version(session->cipher) < ssl_protocol_version(ssl)) {\n return false;\n }\n ssl->do_handshake = ssl_server_handshake;\n ssl->server = true;\n switch (type) {\n case handback_after_session_resumption:\n hs->state = state12_read_change_cipher_spec;\n if (!session_reused) {\n return false;\n }\n break;\n case handback_after_ecdhe:\n hs->state = state12_read_client_certificate;\n if (session_reused) {\n return false;\n }\n break;\n case handback_after_handshake:\n hs->state = state12_finish_server_handshake;\n break;\n case handback_tls13:\n hs->state = state12_tls13;\n hs->tls13_state = state13_send_half_rtt_ticket;\n break;\n default:\n return false;\n }\n s3->session_reused = session_reused;\n hs->channel_id_negotiated = channel_id_negotiated;\n if (!s3->next_proto_negotiated.CopyFrom(next_proto) ||\n !s3->alpn_selected.CopyFrom(alpn)) {\n return false;\n }\n\n const size_t hostname_len = CBS_len(&hostname);\n if (hostname_len == 0) {\n s3->hostname.reset();\n } else {\n char *hostname_str = nullptr;\n if (!CBS_strdup(&hostname, &hostname_str)) {\n return false;\n }\n s3->hostname.reset(hostname_str);\n }\n\n hs->next_proto_neg_seen = next_proto_neg_seen;\n hs->wait = ssl_hs_flush;\n hs->extended_master_secret = extended_master_secret;\n hs->ticket_expected = ticket_expected;\n hs->cert_request = cert_request;\n\n if (type != handback_after_handshake &&\n (!hs->transcript.Init() ||\n !hs->transcript.InitHash(ssl_protocol_version(ssl), hs->new_cipher) ||\n !hs->transcript.Update(transcript))) {\n return false;\n }\n if (type == handback_tls13) {\n if (!hs->client_traffic_secret_0.TryCopyFrom(client_traffic_secret_0) ||\n !hs->server_traffic_secret_0.TryCopyFrom(server_traffic_secret_0) ||\n !hs->client_handshake_secret.TryCopyFrom(client_handshake_secret) ||\n !hs->server_handshake_secret.TryCopyFrom(server_handshake_secret) ||\n !hs->secret.TryCopyFrom(secret) ||\n !s3->exporter_secret.TryCopyFrom(exporter_secret)) {\n return false;\n }\n\n if (s3->early_data_accepted &&\n !hs->early_traffic_secret.TryCopyFrom(early_traffic_secret)) {\n return false;\n }\n }\n Array key_block;\n switch (type) {\n case handback_after_session_resumption:\n // The write keys are installed after server Finished, but the client\n // keys must wait for ChangeCipherSpec.\n if (!tls1_configure_aead(ssl, evp_aead_seal, &key_block, session,\n write_iv)) {\n return false;\n }\n break;\n case handback_after_ecdhe:\n // The premaster secret is not yet computed, so install no keys.\n break;\n case handback_after_handshake:\n // The handshake is complete, so both keys are installed.\n if (!tls1_configure_aead(ssl, evp_aead_seal, &key_block, session,\n write_iv) ||\n !tls1_configure_aead(ssl, evp_aead_open, &key_block, session,\n read_iv)) {\n return false;\n }\n break;\n case handback_tls13:\n // After server Finished, the application write keys are installed, but\n // none of the read keys. The read keys are installed in the state machine\n // immediately after processing handback.\n if (!tls13_set_traffic_key(ssl, ssl_encryption_application, evp_aead_seal,\n hs->new_session.get(),\n hs->server_traffic_secret_0)) {\n return false;\n }\n break;\n }\n uint8_t read_sequence[8], write_sequence[8];\n if (!CopyExact(read_sequence, &read_seq) ||\n !CopyExact(write_sequence, &write_seq)) {\n return false;\n }\n s3->read_sequence = CRYPTO_load_u64_be(read_sequence);\n s3->write_sequence = CRYPTO_load_u64_be(write_sequence);\n if (type == handback_after_ecdhe) {\n uint64_t group_id;\n CBS private_key;\n if (!CBS_get_asn1_uint64(&key_share, &group_id) || //\n group_id > 0xffff ||\n !CBS_get_asn1(&key_share, &private_key, CBS_ASN1_OCTETSTRING)) {\n return false;\n }\n hs->key_shares[0] = SSLKeyShare::Create(group_id);\n if (!hs->key_shares[0] ||\n !hs->key_shares[0]->DeserializePrivateKey(&private_key)) {\n return false;\n }\n }\n return true; // Trailing data allowed for extensibility.\n}\n\nBSSL_NAMESPACE_END\n\nusing namespace bssl;\n\nint SSL_serialize_capabilities(const SSL *ssl, CBB *out) {\n CBB seq;\n if (!CBB_add_asn1(out, &seq, CBS_ASN1_SEQUENCE) ||\n !serialize_features(&seq) || //\n !CBB_flush(out)) {\n return 0;\n }\n\n return 1;\n}\n\nint SSL_request_handshake_hints(SSL *ssl, const uint8_t *client_hello,\n size_t client_hello_len,\n const uint8_t *capabilities,\n size_t capabilities_len) {\n if (SSL_is_dtls(ssl)) {\n OPENSSL_PUT_ERROR(SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);\n return 0;\n }\n\n CBS cbs, seq;\n CBS_init(&cbs, capabilities, capabilities_len);\n UniquePtr hints = MakeUnique();\n if (hints == nullptr || //\n !CBS_get_asn1(&cbs, &seq, CBS_ASN1_SEQUENCE) || //\n !apply_remote_features(ssl, &seq)) {\n return 0;\n }\n\n SSL3_STATE *const s3 = ssl->s3;\n s3->v2_hello_done = true;\n s3->has_message = true;\n\n Array client_hello_msg;\n ScopedCBB client_hello_cbb;\n CBB client_hello_body;\n if (!ssl->method->init_message(ssl, client_hello_cbb.get(),\n &client_hello_body, SSL3_MT_CLIENT_HELLO) ||\n !CBB_add_bytes(&client_hello_body, client_hello, client_hello_len) ||\n !ssl->method->finish_message(ssl, client_hello_cbb.get(),\n &client_hello_msg)) {\n return 0;\n }\n\n s3->hs_buf.reset(BUF_MEM_new());\n if (!s3->hs_buf || !BUF_MEM_append(s3->hs_buf.get(), client_hello_msg.data(),\n client_hello_msg.size())) {\n return 0;\n }\n\n s3->hs->hints_requested = true;\n s3->hs->hints = std::move(hints);\n return 1;\n}\n\n// |SSL_HANDSHAKE_HINTS| is serialized as the following ASN.1 structure. We use\n// implicit tagging to make it a little more compact.\n//\n// HandshakeHints ::= SEQUENCE {\n// serverRandomTLS13 [0] IMPLICIT OCTET STRING OPTIONAL,\n// keyShareHint [1] IMPLICIT KeyShareHint OPTIONAL,\n// signatureHint [2] IMPLICIT SignatureHint OPTIONAL,\n// -- At most one of decryptedPSKHint or ignorePSKHint may be present. It\n// -- corresponds to the first entry in pre_shared_keys. TLS 1.2 session\n// -- tickets use a separate hint, to ensure the caller does not apply the\n// -- hint to the wrong field.\n// decryptedPSKHint [3] IMPLICIT OCTET STRING OPTIONAL,\n// ignorePSKHint [4] IMPLICIT NULL OPTIONAL,\n// compressCertificateHint [5] IMPLICIT CompressCertificateHint OPTIONAL,\n// -- TLS 1.2 and 1.3 use different server random hints because one contains\n// -- a timestamp while the other doesn't. If the hint was generated\n// -- assuming TLS 1.3 but we actually negotiate TLS 1.2, mixing the two\n// -- will break this.\n// serverRandomTLS12 [6] IMPLICIT OCTET STRING OPTIONAL,\n// ecdheHint [7] IMPLICIT ECDHEHint OPTIONAL\n// -- At most one of decryptedTicketHint or ignoreTicketHint may be present.\n// -- renewTicketHint requires decryptedTicketHint.\n// decryptedTicketHint [8] IMPLICIT OCTET STRING OPTIONAL,\n// renewTicketHint [9] IMPLICIT NULL OPTIONAL,\n// ignoreTicketHint [10] IMPLICIT NULL OPTIONAL,\n// }\n//\n// KeyShareHint ::= SEQUENCE {\n// groupId INTEGER,\n// ciphertext OCTET STRING,\n// secret OCTET STRING,\n// }\n//\n// SignatureHint ::= SEQUENCE {\n// algorithm INTEGER,\n// input OCTET STRING,\n// subjectPublicKeyInfo OCTET STRING,\n// signature OCTET STRING,\n// }\n//\n// CompressCertificateHint ::= SEQUENCE {\n// algorithm INTEGER,\n// input OCTET STRING,\n// compressed OCTET STRING,\n// }\n//\n// ECDHEHint ::= SEQUENCE {\n// groupId INTEGER,\n// publicKey OCTET STRING,\n// privateKey OCTET STRING,\n// }\n\n// HandshakeHints tags.\nstatic const CBS_ASN1_TAG kServerRandomTLS13Tag = CBS_ASN1_CONTEXT_SPECIFIC | 0;\nstatic const CBS_ASN1_TAG kKeyShareHintTag =\n CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 1;\nstatic const CBS_ASN1_TAG kSignatureHintTag =\n CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 2;\nstatic const CBS_ASN1_TAG kDecryptedPSKTag = CBS_ASN1_CONTEXT_SPECIFIC | 3;\nstatic const CBS_ASN1_TAG kIgnorePSKTag = CBS_ASN1_CONTEXT_SPECIFIC | 4;\nstatic const CBS_ASN1_TAG kCompressCertificateTag =\n CBS_ASN1_CONTEXT_SPECIFIC | 5;\nstatic const CBS_ASN1_TAG kServerRandomTLS12Tag = CBS_ASN1_CONTEXT_SPECIFIC | 6;\nstatic const CBS_ASN1_TAG kECDHEHintTag = CBS_ASN1_CONSTRUCTED | 7;\nstatic const CBS_ASN1_TAG kDecryptedTicketTag = CBS_ASN1_CONTEXT_SPECIFIC | 8;\nstatic const CBS_ASN1_TAG kRenewTicketTag = CBS_ASN1_CONTEXT_SPECIFIC | 9;\nstatic const CBS_ASN1_TAG kIgnoreTicketTag = CBS_ASN1_CONTEXT_SPECIFIC | 10;\n\nint SSL_serialize_handshake_hints(const SSL *ssl, CBB *out) {\n const SSL_HANDSHAKE *hs = ssl->s3->hs.get();\n if (!ssl->server || !hs->hints_requested) {\n OPENSSL_PUT_ERROR(SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);\n return 0;\n }\n\n const SSL_HANDSHAKE_HINTS *hints = hs->hints.get();\n CBB seq, child;\n if (!CBB_add_asn1(out, &seq, CBS_ASN1_SEQUENCE)) {\n return 0;\n }\n\n if (!hints->server_random_tls13.empty()) {\n if (!CBB_add_asn1(&seq, &child, kServerRandomTLS13Tag) ||\n !CBB_add_bytes(&child, hints->server_random_tls13.data(),\n hints->server_random_tls13.size())) {\n return 0;\n }\n }\n\n if (hints->key_share_group_id != 0 && !hints->key_share_ciphertext.empty() &&\n !hints->key_share_secret.empty()) {\n if (!CBB_add_asn1(&seq, &child, kKeyShareHintTag) ||\n !CBB_add_asn1_uint64(&child, hints->key_share_group_id) ||\n !CBB_add_asn1_octet_string(&child, hints->key_share_ciphertext.data(),\n hints->key_share_ciphertext.size()) ||\n !CBB_add_asn1_octet_string(&child, hints->key_share_secret.data(),\n hints->key_share_secret.size())) {\n return 0;\n }\n }\n\n if (hints->signature_algorithm != 0 && !hints->signature_input.empty() &&\n !hints->signature.empty()) {\n if (!CBB_add_asn1(&seq, &child, kSignatureHintTag) ||\n !CBB_add_asn1_uint64(&child, hints->signature_algorithm) ||\n !CBB_add_asn1_octet_string(&child, hints->signature_input.data(),\n hints->signature_input.size()) ||\n !CBB_add_asn1_octet_string(&child, hints->signature_spki.data(),\n hints->signature_spki.size()) ||\n !CBB_add_asn1_octet_string(&child, hints->signature.data(),\n hints->signature.size())) {\n return 0;\n }\n }\n\n if (!hints->decrypted_psk.empty()) {\n if (!CBB_add_asn1(&seq, &child, kDecryptedPSKTag) ||\n !CBB_add_bytes(&child, hints->decrypted_psk.data(),\n hints->decrypted_psk.size())) {\n return 0;\n }\n }\n\n if (hints->ignore_psk && //\n !CBB_add_asn1(&seq, &child, kIgnorePSKTag)) {\n return 0;\n }\n\n if (hints->cert_compression_alg_id != 0 &&\n !hints->cert_compression_input.empty() &&\n !hints->cert_compression_output.empty()) {\n if (!CBB_add_asn1(&seq, &child, kCompressCertificateTag) ||\n !CBB_add_asn1_uint64(&child, hints->cert_compression_alg_id) ||\n !CBB_add_asn1_octet_string(&child, hints->cert_compression_input.data(),\n hints->cert_compression_input.size()) ||\n !CBB_add_asn1_octet_string(&child,\n hints->cert_compression_output.data(),\n hints->cert_compression_output.size())) {\n return 0;\n }\n }\n\n if (!hints->server_random_tls12.empty()) {\n if (!CBB_add_asn1(&seq, &child, kServerRandomTLS12Tag) ||\n !CBB_add_bytes(&child, hints->server_random_tls12.data(),\n hints->server_random_tls12.size())) {\n return 0;\n }\n }\n\n if (hints->ecdhe_group_id != 0 && !hints->ecdhe_public_key.empty() &&\n !hints->ecdhe_private_key.empty()) {\n if (!CBB_add_asn1(&seq, &child, kECDHEHintTag) ||\n !CBB_add_asn1_uint64(&child, hints->ecdhe_group_id) ||\n !CBB_add_asn1_octet_string(&child, hints->ecdhe_public_key.data(),\n hints->ecdhe_public_key.size()) ||\n !CBB_add_asn1_octet_string(&child, hints->ecdhe_private_key.data(),\n hints->ecdhe_private_key.size())) {\n return 0;\n }\n }\n\n\n if (!hints->decrypted_ticket.empty()) {\n if (!CBB_add_asn1(&seq, &child, kDecryptedTicketTag) ||\n !CBB_add_bytes(&child, hints->decrypted_ticket.data(),\n hints->decrypted_ticket.size())) {\n return 0;\n }\n }\n\n if (hints->renew_ticket && //\n !CBB_add_asn1(&seq, &child, kRenewTicketTag)) {\n return 0;\n }\n\n if (hints->ignore_ticket && //\n !CBB_add_asn1(&seq, &child, kIgnoreTicketTag)) {\n return 0;\n }\n\n return CBB_flush(out);\n}\n\nstatic bool get_optional_implicit_null(CBS *cbs, bool *out_present,\n CBS_ASN1_TAG tag) {\n CBS value;\n int present;\n if (!CBS_get_optional_asn1(cbs, &value, &present, tag) ||\n (present && CBS_len(&value) != 0)) {\n return false;\n }\n *out_present = present;\n return true;\n}\n\nint SSL_set_handshake_hints(SSL *ssl, const uint8_t *hints, size_t hints_len) {\n if (SSL_is_dtls(ssl)) {\n OPENSSL_PUT_ERROR(SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);\n return 0;\n }\n\n UniquePtr hints_obj = MakeUnique();\n if (hints_obj == nullptr) {\n return 0;\n }\n\n CBS cbs, seq, server_random_tls13, key_share, signature_hint, psk,\n cert_compression, server_random_tls12, ecdhe, ticket;\n int has_server_random_tls13, has_key_share, has_signature_hint, has_psk,\n has_cert_compression, has_server_random_tls12, has_ecdhe, has_ticket;\n CBS_init(&cbs, hints, hints_len);\n if (!CBS_get_asn1(&cbs, &seq, CBS_ASN1_SEQUENCE) ||\n !CBS_get_optional_asn1(&seq, &server_random_tls13,\n &has_server_random_tls13, kServerRandomTLS13Tag) ||\n !CBS_get_optional_asn1(&seq, &key_share, &has_key_share,\n kKeyShareHintTag) ||\n !CBS_get_optional_asn1(&seq, &signature_hint, &has_signature_hint,\n kSignatureHintTag) ||\n !CBS_get_optional_asn1(&seq, &psk, &has_psk, kDecryptedPSKTag) ||\n !get_optional_implicit_null(&seq, &hints_obj->ignore_psk,\n kIgnorePSKTag) ||\n !CBS_get_optional_asn1(&seq, &cert_compression, &has_cert_compression,\n kCompressCertificateTag) ||\n !CBS_get_optional_asn1(&seq, &server_random_tls12,\n &has_server_random_tls12, kServerRandomTLS12Tag) ||\n !CBS_get_optional_asn1(&seq, &ecdhe, &has_ecdhe, kECDHEHintTag) ||\n !CBS_get_optional_asn1(&seq, &ticket, &has_ticket, kDecryptedTicketTag) ||\n !get_optional_implicit_null(&seq, &hints_obj->renew_ticket,\n kRenewTicketTag) ||\n !get_optional_implicit_null(&seq, &hints_obj->ignore_ticket,\n kIgnoreTicketTag)) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_COULD_NOT_PARSE_HINTS);\n return 0;\n }\n\n if (has_server_random_tls13 &&\n !hints_obj->server_random_tls13.CopyFrom(server_random_tls13)) {\n return 0;\n }\n\n if (has_key_share) {\n uint64_t group_id;\n CBS ciphertext, secret;\n if (!CBS_get_asn1_uint64(&key_share, &group_id) || //\n group_id == 0 || group_id > 0xffff ||\n !CBS_get_asn1(&key_share, &ciphertext, CBS_ASN1_OCTETSTRING) ||\n !hints_obj->key_share_ciphertext.CopyFrom(ciphertext) ||\n !CBS_get_asn1(&key_share, &secret, CBS_ASN1_OCTETSTRING) ||\n !hints_obj->key_share_secret.CopyFrom(secret)) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_COULD_NOT_PARSE_HINTS);\n return 0;\n }\n hints_obj->key_share_group_id = static_cast(group_id);\n }\n\n if (has_signature_hint) {\n uint64_t sig_alg;\n CBS input, spki, signature;\n if (!CBS_get_asn1_uint64(&signature_hint, &sig_alg) || //\n sig_alg == 0 || sig_alg > 0xffff ||\n !CBS_get_asn1(&signature_hint, &input, CBS_ASN1_OCTETSTRING) ||\n !hints_obj->signature_input.CopyFrom(input) ||\n !CBS_get_asn1(&signature_hint, &spki, CBS_ASN1_OCTETSTRING) ||\n !hints_obj->signature_spki.CopyFrom(spki) ||\n !CBS_get_asn1(&signature_hint, &signature, CBS_ASN1_OCTETSTRING) ||\n !hints_obj->signature.CopyFrom(signature)) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_COULD_NOT_PARSE_HINTS);\n return 0;\n }\n hints_obj->signature_algorithm = static_cast(sig_alg);\n }\n\n if (has_psk && !hints_obj->decrypted_psk.CopyFrom(psk)) {\n return 0;\n }\n if (has_psk && hints_obj->ignore_psk) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_COULD_NOT_PARSE_HINTS);\n return 0;\n }\n\n if (has_cert_compression) {\n uint64_t alg;\n CBS input, output;\n if (!CBS_get_asn1_uint64(&cert_compression, &alg) || //\n alg == 0 || alg > 0xffff ||\n !CBS_get_asn1(&cert_compression, &input, CBS_ASN1_OCTETSTRING) ||\n !hints_obj->cert_compression_input.CopyFrom(input) ||\n !CBS_get_asn1(&cert_compression, &output, CBS_ASN1_OCTETSTRING) ||\n !hints_obj->cert_compression_output.CopyFrom(output)) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_COULD_NOT_PARSE_HINTS);\n return 0;\n }\n hints_obj->cert_compression_alg_id = static_cast(alg);\n }\n\n if (has_server_random_tls12 &&\n !hints_obj->server_random_tls12.CopyFrom(server_random_tls12)) {\n return 0;\n }\n\n if (has_ecdhe) {\n uint64_t group_id;\n CBS public_key, private_key;\n if (!CBS_get_asn1_uint64(&ecdhe, &group_id) || //\n group_id == 0 || group_id > 0xffff ||\n !CBS_get_asn1(&ecdhe, &public_key, CBS_ASN1_OCTETSTRING) ||\n !hints_obj->ecdhe_public_key.CopyFrom(public_key) ||\n !CBS_get_asn1(&ecdhe, &private_key, CBS_ASN1_OCTETSTRING) ||\n !hints_obj->ecdhe_private_key.CopyFrom(private_key)) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_COULD_NOT_PARSE_HINTS);\n return 0;\n }\n hints_obj->ecdhe_group_id = static_cast(group_id);\n }\n\n if (has_ticket && !hints_obj->decrypted_ticket.CopyFrom(ticket)) {\n return 0;\n }\n if (has_ticket && hints_obj->ignore_ticket) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_COULD_NOT_PARSE_HINTS);\n return 0;\n }\n if (!has_ticket && hints_obj->renew_ticket) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_COULD_NOT_PARSE_HINTS);\n return 0;\n }\n\n ssl->s3->hs->hints = std::move(hints_obj);\n return 1;\n}\n" }, { "path": "Sources/CNIOBoringSSL/ssl/handshake.cc", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n\n#include \n\n#include \n\n#include \"../crypto/internal.h\"\n#include \"internal.h\"\n\n\nBSSL_NAMESPACE_BEGIN\n\nSSL_HANDSHAKE::SSL_HANDSHAKE(SSL *ssl_arg)\n : ssl(ssl_arg),\n transcript(SSL_is_dtls(ssl_arg)),\n inner_transcript(SSL_is_dtls(ssl_arg)),\n ech_is_inner(false),\n ech_authenticated_reject(false),\n scts_requested(false),\n handshake_finalized(false),\n accept_psk_mode(false),\n cert_request(false),\n certificate_status_expected(false),\n ocsp_stapling_requested(false),\n should_ack_sni(false),\n in_false_start(false),\n in_early_data(false),\n early_data_offered(false),\n can_early_read(false),\n can_early_write(false),\n is_early_version(false),\n next_proto_neg_seen(false),\n ticket_expected(false),\n extended_master_secret(false),\n pending_private_key_op(false),\n handback(false),\n hints_requested(false),\n cert_compression_negotiated(false),\n apply_jdk11_workaround(false),\n can_release_private_key(false),\n channel_id_negotiated(false),\n received_hello_verify_request(false) {\n assert(ssl);\n\n // Draw entropy for all GREASE values at once. This avoids calling\n // |RAND_bytes| repeatedly and makes the values consistent within a\n // connection. The latter is so the second ClientHello matches after\n // HelloRetryRequest and so supported_groups and key_shares are consistent.\n RAND_bytes(grease_seed, sizeof(grease_seed));\n}\n\nSSL_HANDSHAKE::~SSL_HANDSHAKE() {\n ssl->ctx->x509_method->hs_flush_cached_ca_names(this);\n}\n\nbool SSL_HANDSHAKE::GetClientHello(SSLMessage *out_msg,\n SSL_CLIENT_HELLO *out_client_hello) {\n if (!ech_client_hello_buf.empty()) {\n // If the backing buffer is non-empty, the ClientHelloInner has been set.\n out_msg->is_v2_hello = false;\n out_msg->type = SSL3_MT_CLIENT_HELLO;\n out_msg->raw = CBS(ech_client_hello_buf);\n size_t header_len =\n SSL_is_dtls(ssl) ? DTLS1_HM_HEADER_LENGTH : SSL3_HM_HEADER_LENGTH;\n out_msg->body = CBS(Span(ech_client_hello_buf).subspan(header_len));\n } else if (!ssl->method->get_message(ssl, out_msg)) {\n // The message has already been read, so this cannot fail.\n OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);\n return false;\n }\n\n if (!ssl_client_hello_init(ssl, out_client_hello, out_msg->body)) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_CLIENTHELLO_PARSE_FAILED);\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);\n return false;\n }\n return true;\n}\n\nUniquePtr ssl_handshake_new(SSL *ssl) {\n UniquePtr hs = MakeUnique(ssl);\n if (!hs || !hs->transcript.Init()) {\n return nullptr;\n }\n hs->config = ssl->config.get();\n if (!hs->config) {\n assert(hs->config);\n return nullptr;\n }\n return hs;\n}\n\nbool ssl_check_message_type(SSL *ssl, const SSLMessage &msg, int type) {\n if (msg.type != type) {\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);\n OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_MESSAGE);\n ERR_add_error_dataf(\"got type %d, wanted type %d\", msg.type, type);\n return false;\n }\n\n return true;\n}\n\nbool ssl_add_message_cbb(SSL *ssl, CBB *cbb) {\n Array msg;\n if (!ssl->method->finish_message(ssl, cbb, &msg) ||\n !ssl->method->add_message(ssl, std::move(msg))) {\n return false;\n }\n\n return true;\n}\n\nsize_t ssl_max_handshake_message_len(const SSL *ssl) {\n // kMaxMessageLen is the default maximum message size for handshakes which do\n // not accept peer certificate chains.\n static const size_t kMaxMessageLen = 16384;\n\n if (SSL_in_init(ssl)) {\n SSL_CONFIG *config = ssl->config.get(); // SSL_in_init() implies not NULL.\n if ((!ssl->server || (config->verify_mode & SSL_VERIFY_PEER)) &&\n kMaxMessageLen < ssl->max_cert_list) {\n return ssl->max_cert_list;\n }\n return kMaxMessageLen;\n }\n\n if (ssl_protocol_version(ssl) < TLS1_3_VERSION) {\n // In TLS 1.2 and below, the largest acceptable post-handshake message is\n // a HelloRequest.\n return 0;\n }\n\n if (ssl->server) {\n // The largest acceptable post-handshake message for a server is a\n // KeyUpdate. We will never initiate post-handshake auth.\n return 1;\n }\n\n // Clients must accept NewSessionTicket, so allow the default size.\n return kMaxMessageLen;\n}\n\nbool ssl_hash_message(SSL_HANDSHAKE *hs, const SSLMessage &msg) {\n // V2ClientHello messages are pre-hashed.\n if (msg.is_v2_hello) {\n return true;\n }\n\n return hs->transcript.Update(msg.raw);\n}\n\nbool ssl_parse_extensions(const CBS *cbs, uint8_t *out_alert,\n std::initializer_list extensions,\n bool ignore_unknown) {\n // Reset everything.\n for (SSLExtension *ext : extensions) {\n ext->present = false;\n CBS_init(&ext->data, nullptr, 0);\n if (!ext->allowed) {\n assert(!ignore_unknown);\n }\n }\n\n CBS copy = *cbs;\n while (CBS_len(©) != 0) {\n uint16_t type;\n CBS data;\n if (!CBS_get_u16(©, &type) ||\n !CBS_get_u16_length_prefixed(©, &data)) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_PARSE_TLSEXT);\n *out_alert = SSL_AD_DECODE_ERROR;\n return false;\n }\n\n SSLExtension *found = nullptr;\n for (SSLExtension *ext : extensions) {\n if (type == ext->type && ext->allowed) {\n found = ext;\n break;\n }\n }\n\n if (found == nullptr) {\n if (ignore_unknown) {\n continue;\n }\n OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION);\n ERR_add_error_dataf(\"extension %u\", unsigned{type});\n *out_alert = SSL_AD_UNSUPPORTED_EXTENSION;\n return false;\n }\n\n // Duplicate ext_types are forbidden.\n if (found->present) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_DUPLICATE_EXTENSION);\n *out_alert = SSL_AD_ILLEGAL_PARAMETER;\n return false;\n }\n\n found->present = true;\n found->data = data;\n }\n\n return true;\n}\n\nenum ssl_verify_result_t ssl_verify_peer_cert(SSL_HANDSHAKE *hs) {\n SSL *const ssl = hs->ssl;\n const SSL_SESSION *prev_session = ssl->s3->established_session.get();\n if (prev_session != NULL) {\n // If renegotiating, the server must not change the server certificate. See\n // https://mitls.org/pages/attacks/3SHAKE. We never resume on renegotiation,\n // so this check is sufficient to ensure the reported peer certificate never\n // changes on renegotiation.\n assert(!ssl->server);\n if (sk_CRYPTO_BUFFER_num(prev_session->certs.get()) !=\n sk_CRYPTO_BUFFER_num(hs->new_session->certs.get())) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_SERVER_CERT_CHANGED);\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);\n return ssl_verify_invalid;\n }\n\n for (size_t i = 0; i < sk_CRYPTO_BUFFER_num(hs->new_session->certs.get());\n i++) {\n const CRYPTO_BUFFER *old_cert =\n sk_CRYPTO_BUFFER_value(prev_session->certs.get(), i);\n const CRYPTO_BUFFER *new_cert =\n sk_CRYPTO_BUFFER_value(hs->new_session->certs.get(), i);\n if (Span(CRYPTO_BUFFER_data(old_cert), CRYPTO_BUFFER_len(old_cert)) !=\n Span(CRYPTO_BUFFER_data(new_cert), CRYPTO_BUFFER_len(new_cert))) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_SERVER_CERT_CHANGED);\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);\n return ssl_verify_invalid;\n }\n }\n\n // The certificate is identical, so we may skip re-verifying the\n // certificate. Since we only authenticated the previous one, copy other\n // authentication from the established session and ignore what was newly\n // received.\n hs->new_session->ocsp_response = UpRef(prev_session->ocsp_response);\n hs->new_session->signed_cert_timestamp_list =\n UpRef(prev_session->signed_cert_timestamp_list);\n hs->new_session->verify_result = prev_session->verify_result;\n return ssl_verify_ok;\n }\n\n uint8_t alert = SSL_AD_CERTIFICATE_UNKNOWN;\n enum ssl_verify_result_t ret;\n if (hs->config->custom_verify_callback != nullptr) {\n ret = hs->config->custom_verify_callback(ssl, &alert);\n switch (ret) {\n case ssl_verify_ok:\n hs->new_session->verify_result = X509_V_OK;\n break;\n case ssl_verify_invalid:\n // If |SSL_VERIFY_NONE|, the error is non-fatal, but we keep the result.\n if (hs->config->verify_mode == SSL_VERIFY_NONE) {\n ERR_clear_error();\n ret = ssl_verify_ok;\n }\n hs->new_session->verify_result = X509_V_ERR_APPLICATION_VERIFICATION;\n break;\n case ssl_verify_retry:\n break;\n }\n } else {\n ret = ssl->ctx->x509_method->session_verify_cert_chain(\n hs->new_session.get(), hs, &alert)\n ? ssl_verify_ok\n : ssl_verify_invalid;\n }\n\n if (ret == ssl_verify_invalid) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_CERTIFICATE_VERIFY_FAILED);\n ssl_send_alert(ssl, SSL3_AL_FATAL, alert);\n }\n\n // Emulate OpenSSL's client OCSP callback. OpenSSL verifies certificates\n // before it receives the OCSP, so it needs a second callback for OCSP.\n if (ret == ssl_verify_ok && !ssl->server &&\n hs->config->ocsp_stapling_enabled &&\n ssl->ctx->legacy_ocsp_callback != nullptr) {\n int cb_ret =\n ssl->ctx->legacy_ocsp_callback(ssl, ssl->ctx->legacy_ocsp_callback_arg);\n if (cb_ret <= 0) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_OCSP_CB_ERROR);\n ssl_send_alert(ssl, SSL3_AL_FATAL,\n cb_ret == 0 ? SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE\n : SSL_AD_INTERNAL_ERROR);\n ret = ssl_verify_invalid;\n }\n }\n\n return ret;\n}\n\n// Verifies a stored certificate when resuming a session. A few things are\n// different from verify_peer_cert:\n// 1. We can't be renegotiating if we're resuming a session.\n// 2. The session is immutable, so we don't support verify_mode ==\n// SSL_VERIFY_NONE\n// 3. We don't call the OCSP callback.\n// 4. We only support custom verify callbacks.\nenum ssl_verify_result_t ssl_reverify_peer_cert(SSL_HANDSHAKE *hs,\n bool send_alert) {\n SSL *const ssl = hs->ssl;\n assert(ssl->s3->established_session == nullptr);\n assert(hs->config->verify_mode != SSL_VERIFY_NONE);\n\n uint8_t alert = SSL_AD_CERTIFICATE_UNKNOWN;\n enum ssl_verify_result_t ret = ssl_verify_invalid;\n if (hs->config->custom_verify_callback != nullptr) {\n ret = hs->config->custom_verify_callback(ssl, &alert);\n }\n\n if (ret == ssl_verify_invalid) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_CERTIFICATE_VERIFY_FAILED);\n if (send_alert) {\n ssl_send_alert(ssl, SSL3_AL_FATAL, alert);\n }\n }\n\n return ret;\n}\n\nstatic uint16_t grease_index_to_value(const SSL_HANDSHAKE *hs,\n enum ssl_grease_index_t index) {\n // This generates a random value of the form 0xωaωa, for all 0 ≤ ω < 16.\n uint16_t ret = hs->grease_seed[index];\n ret = (ret & 0xf0) | 0x0a;\n ret |= ret << 8;\n return ret;\n}\n\nuint16_t ssl_get_grease_value(const SSL_HANDSHAKE *hs,\n enum ssl_grease_index_t index) {\n uint16_t ret = grease_index_to_value(hs, index);\n if (index == ssl_grease_extension2 &&\n ret == grease_index_to_value(hs, ssl_grease_extension1)) {\n // The two fake extensions must not have the same value. GREASE values are\n // of the form 0x1a1a, 0x2a2a, 0x3a3a, etc., so XOR to generate a different\n // one.\n ret ^= 0x1010;\n }\n return ret;\n}\n\nenum ssl_hs_wait_t ssl_get_finished(SSL_HANDSHAKE *hs) {\n SSL *const ssl = hs->ssl;\n SSLMessage msg;\n if (!ssl->method->get_message(ssl, &msg)) {\n return ssl_hs_read_message;\n }\n\n if (!ssl_check_message_type(ssl, msg, SSL3_MT_FINISHED)) {\n return ssl_hs_error;\n }\n\n // Snapshot the finished hash before incorporating the new message.\n uint8_t finished[EVP_MAX_MD_SIZE];\n size_t finished_len;\n if (!hs->transcript.GetFinishedMAC(finished, &finished_len,\n ssl_handshake_session(hs), !ssl->server) ||\n !ssl_hash_message(hs, msg)) {\n return ssl_hs_error;\n }\n\n int finished_ok = CBS_mem_equal(&msg.body, finished, finished_len);\n#if defined(BORINGSSL_UNSAFE_FUZZER_MODE)\n finished_ok = 1;\n#endif\n if (!finished_ok) {\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECRYPT_ERROR);\n OPENSSL_PUT_ERROR(SSL, SSL_R_DIGEST_CHECK_FAILED);\n return ssl_hs_error;\n }\n\n // Copy the Finished so we can use it for renegotiation checks.\n if (finished_len > ssl->s3->previous_client_finished.capacity() ||\n finished_len > ssl->s3->previous_server_finished.capacity()) {\n OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);\n return ssl_hs_error;\n }\n\n if (ssl->server) {\n ssl->s3->previous_client_finished.CopyFrom(Span(finished, finished_len));\n } else {\n ssl->s3->previous_server_finished.CopyFrom(Span(finished, finished_len));\n }\n\n // The Finished message should be the end of a flight.\n if (ssl->method->has_unprocessed_handshake_data(ssl)) {\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);\n OPENSSL_PUT_ERROR(SSL, SSL_R_EXCESS_HANDSHAKE_DATA);\n return ssl_hs_error;\n }\n\n ssl->method->next_message(ssl);\n return ssl_hs_ok;\n}\n\nbool ssl_send_finished(SSL_HANDSHAKE *hs) {\n SSL *const ssl = hs->ssl;\n const SSL_SESSION *session = ssl_handshake_session(hs);\n\n uint8_t finished_buf[EVP_MAX_MD_SIZE];\n size_t finished_len;\n if (!hs->transcript.GetFinishedMAC(finished_buf, &finished_len, session,\n ssl->server)) {\n return false;\n }\n auto finished = Span(finished_buf, finished_len);\n\n // Log the master secret, if logging is enabled.\n if (!ssl_log_secret(ssl, \"CLIENT_RANDOM\", session->secret)) {\n return false;\n }\n\n // Copy the Finished so we can use it for renegotiation checks.\n bool ok = ssl->server\n ? ssl->s3->previous_server_finished.TryCopyFrom(finished)\n : ssl->s3->previous_client_finished.TryCopyFrom(finished);\n if (!ok) {\n OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);\n return ssl_hs_error;\n }\n\n ScopedCBB cbb;\n CBB body;\n if (!ssl->method->init_message(ssl, cbb.get(), &body, SSL3_MT_FINISHED) ||\n !CBB_add_bytes(&body, finished.data(), finished.size()) ||\n !ssl_add_message_cbb(ssl, cbb.get())) {\n OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);\n return false;\n }\n\n return true;\n}\n\nbool ssl_send_tls12_certificate(SSL_HANDSHAKE *hs) {\n ScopedCBB cbb;\n CBB body, certs, cert;\n if (!hs->ssl->method->init_message(hs->ssl, cbb.get(), &body,\n SSL3_MT_CERTIFICATE) ||\n !CBB_add_u24_length_prefixed(&body, &certs)) {\n return false;\n }\n\n if (hs->credential != nullptr) {\n assert(hs->credential->type == SSLCredentialType::kX509);\n STACK_OF(CRYPTO_BUFFER) *chain = hs->credential->chain.get();\n for (size_t i = 0; i < sk_CRYPTO_BUFFER_num(chain); i++) {\n CRYPTO_BUFFER *buffer = sk_CRYPTO_BUFFER_value(chain, i);\n if (!CBB_add_u24_length_prefixed(&certs, &cert) ||\n !CBB_add_bytes(&cert, CRYPTO_BUFFER_data(buffer),\n CRYPTO_BUFFER_len(buffer))) {\n return false;\n }\n }\n }\n\n return ssl_add_message_cbb(hs->ssl, cbb.get());\n}\n\nconst SSL_SESSION *ssl_handshake_session(const SSL_HANDSHAKE *hs) {\n if (hs->new_session) {\n return hs->new_session.get();\n }\n return hs->ssl->session.get();\n}\n\nint ssl_run_handshake(SSL_HANDSHAKE *hs, bool *out_early_return) {\n SSL *const ssl = hs->ssl;\n for (;;) {\n // If a timeout during the handshake triggered a DTLS ACK or retransmit, we\n // resolve that first. E.g., if |ssl_hs_private_key_operation| is slow, the\n // ACK timer may fire.\n if (hs->wait != ssl_hs_error && SSL_is_dtls(ssl)) {\n int ret = ssl->method->flush(ssl);\n if (ret <= 0) {\n return ret;\n }\n }\n\n // Resolve the operation the handshake was waiting on. Each condition may\n // halt the handshake by returning, or continue executing if the handshake\n // may immediately proceed. Cases which halt the handshake can clear\n // |hs->wait| to re-enter the state machine on the next iteration, or leave\n // it set to keep the condition sticky.\n switch (hs->wait) {\n case ssl_hs_error:\n ERR_restore_state(hs->error.get());\n return -1;\n\n case ssl_hs_flush: {\n int ret = ssl->method->flush(ssl);\n if (ret <= 0) {\n return ret;\n }\n break;\n }\n\n case ssl_hs_read_server_hello:\n case ssl_hs_read_message:\n case ssl_hs_read_change_cipher_spec: {\n if (SSL_is_quic(ssl)) {\n // QUIC has no ChangeCipherSpec messages.\n assert(hs->wait != ssl_hs_read_change_cipher_spec);\n // The caller should call |SSL_provide_quic_data|. Clear |hs->wait| so\n // the handshake can check if there is sufficient data next iteration.\n ssl->s3->rwstate = SSL_ERROR_WANT_READ;\n hs->wait = ssl_hs_ok;\n return -1;\n }\n\n uint8_t alert = SSL_AD_DECODE_ERROR;\n size_t consumed = 0;\n ssl_open_record_t ret;\n if (hs->wait == ssl_hs_read_change_cipher_spec) {\n ret = ssl_open_change_cipher_spec(ssl, &consumed, &alert,\n ssl->s3->read_buffer.span());\n } else {\n ret = ssl_open_handshake(ssl, &consumed, &alert,\n ssl->s3->read_buffer.span());\n }\n if (ret == ssl_open_record_error &&\n hs->wait == ssl_hs_read_server_hello) {\n uint32_t err = ERR_peek_error();\n if (ERR_GET_LIB(err) == ERR_LIB_SSL &&\n ERR_GET_REASON(err) == SSL_R_SSLV3_ALERT_HANDSHAKE_FAILURE) {\n // Add a dedicated error code to the queue for a handshake_failure\n // alert in response to ClientHello. This matches NSS's client\n // behavior and gives a better error on a (probable) failure to\n // negotiate initial parameters. Note: this error code comes after\n // the original one.\n //\n // See https://crbug.com/446505.\n OPENSSL_PUT_ERROR(SSL, SSL_R_HANDSHAKE_FAILURE_ON_CLIENT_HELLO);\n }\n }\n bool retry;\n int bio_ret = ssl_handle_open_record(ssl, &retry, ret, consumed, alert);\n if (bio_ret <= 0) {\n return bio_ret;\n }\n if (retry) {\n continue;\n }\n ssl->s3->read_buffer.DiscardConsumed();\n break;\n }\n\n case ssl_hs_read_end_of_early_data: {\n if (ssl->s3->hs->can_early_read) {\n // While we are processing early data, the handshake returns early.\n *out_early_return = true;\n return 1;\n }\n hs->wait = ssl_hs_ok;\n break;\n }\n\n case ssl_hs_certificate_selection_pending:\n ssl->s3->rwstate = SSL_ERROR_PENDING_CERTIFICATE;\n hs->wait = ssl_hs_ok;\n return -1;\n\n case ssl_hs_handoff:\n ssl->s3->rwstate = SSL_ERROR_HANDOFF;\n hs->wait = ssl_hs_ok;\n return -1;\n\n case ssl_hs_handback: {\n int ret = ssl->method->flush(ssl);\n if (ret <= 0) {\n return ret;\n }\n ssl->s3->rwstate = SSL_ERROR_HANDBACK;\n hs->wait = ssl_hs_handback;\n return -1;\n }\n\n // The following cases are associated with callback APIs which expect to\n // be called each time the state machine runs. Thus they set |hs->wait|\n // to |ssl_hs_ok| so that, next time, we re-enter the state machine and\n // call the callback again.\n case ssl_hs_x509_lookup:\n ssl->s3->rwstate = SSL_ERROR_WANT_X509_LOOKUP;\n hs->wait = ssl_hs_ok;\n return -1;\n case ssl_hs_private_key_operation:\n ssl->s3->rwstate = SSL_ERROR_WANT_PRIVATE_KEY_OPERATION;\n hs->wait = ssl_hs_ok;\n return -1;\n case ssl_hs_pending_session:\n ssl->s3->rwstate = SSL_ERROR_PENDING_SESSION;\n hs->wait = ssl_hs_ok;\n return -1;\n case ssl_hs_pending_ticket:\n ssl->s3->rwstate = SSL_ERROR_PENDING_TICKET;\n hs->wait = ssl_hs_ok;\n return -1;\n case ssl_hs_certificate_verify:\n ssl->s3->rwstate = SSL_ERROR_WANT_CERTIFICATE_VERIFY;\n hs->wait = ssl_hs_ok;\n return -1;\n\n case ssl_hs_early_data_rejected:\n assert(ssl->s3->early_data_reason != ssl_early_data_unknown);\n assert(!hs->can_early_write);\n ssl->s3->rwstate = SSL_ERROR_EARLY_DATA_REJECTED;\n return -1;\n\n case ssl_hs_early_return:\n if (!ssl->server) {\n // On ECH reject, the handshake should never complete.\n assert(ssl->s3->ech_status != ssl_ech_rejected);\n }\n *out_early_return = true;\n hs->wait = ssl_hs_ok;\n return 1;\n\n case ssl_hs_hints_ready:\n ssl->s3->rwstate = SSL_ERROR_HANDSHAKE_HINTS_READY;\n return -1;\n\n case ssl_hs_ok:\n break;\n }\n\n // Run the state machine again.\n hs->wait = ssl->do_handshake(hs);\n if (hs->wait == ssl_hs_error) {\n hs->error.reset(ERR_save_state());\n return -1;\n }\n if (hs->wait == ssl_hs_ok) {\n if (!ssl->server) {\n // On ECH reject, the handshake should never complete.\n assert(ssl->s3->ech_status != ssl_ech_rejected);\n }\n // The handshake has completed.\n *out_early_return = false;\n return 1;\n }\n // If the handshake returns |ssl_hs_flush|, implicitly finish the flight.\n // This is a convenience so we do not need to manually insert this\n // throughout the handshake.\n if (hs->wait == ssl_hs_flush) {\n ssl->method->finish_flight(ssl);\n }\n\n // Loop to the beginning and resolve what was blocking the handshake.\n }\n}\n\nBSSL_NAMESPACE_END\n" }, { "path": "Sources/CNIOBoringSSL/ssl/handshake_client.cc", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved.\n * Copyright 2005 Nokia. All rights reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n#include \n#include \n\n#include \n#include \n\n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n\n#include \"../crypto/internal.h\"\n#include \"internal.h\"\n\n\nBSSL_NAMESPACE_BEGIN\n\nenum ssl_client_hs_state_t {\n state_start_connect = 0,\n state_enter_early_data,\n state_early_reverify_server_certificate,\n state_read_server_hello,\n state_tls13,\n state_read_server_certificate,\n state_read_certificate_status,\n state_verify_server_certificate,\n state_reverify_server_certificate,\n state_read_server_key_exchange,\n state_read_certificate_request,\n state_read_server_hello_done,\n state_send_client_certificate,\n state_send_client_key_exchange,\n state_send_client_certificate_verify,\n state_send_client_finished,\n state_finish_flight,\n state_read_session_ticket,\n state_process_change_cipher_spec,\n state_read_server_finished,\n state_finish_client_handshake,\n state_done,\n};\n\n// ssl_get_client_disabled sets |*out_mask_a| and |*out_mask_k| to masks of\n// disabled algorithms.\nstatic void ssl_get_client_disabled(const SSL_HANDSHAKE *hs,\n uint32_t *out_mask_a,\n uint32_t *out_mask_k) {\n *out_mask_a = 0;\n *out_mask_k = 0;\n\n // PSK requires a client callback.\n if (hs->config->psk_client_callback == NULL) {\n *out_mask_a |= SSL_aPSK;\n *out_mask_k |= SSL_kPSK;\n }\n}\n\nstatic bool ssl_add_tls13_cipher(CBB *cbb, uint16_t cipher_id,\n ssl_compliance_policy_t policy) {\n if (ssl_tls13_cipher_meets_policy(cipher_id, policy)) {\n return CBB_add_u16(cbb, cipher_id);\n }\n return true;\n}\n\nstatic bool ssl_write_client_cipher_list(const SSL_HANDSHAKE *hs, CBB *out,\n ssl_client_hello_type_t type) {\n const SSL *const ssl = hs->ssl;\n uint32_t mask_a, mask_k;\n ssl_get_client_disabled(hs, &mask_a, &mask_k);\n\n CBB child;\n if (!CBB_add_u16_length_prefixed(out, &child)) {\n return false;\n }\n\n // Add a fake cipher suite. See RFC 8701.\n if (ssl->ctx->grease_enabled &&\n !CBB_add_u16(&child, ssl_get_grease_value(hs, ssl_grease_cipher))) {\n return false;\n }\n\n // Add TLS 1.3 ciphers. Order ChaCha20-Poly1305 relative to AES-GCM based on\n // hardware support.\n if (hs->max_version >= TLS1_3_VERSION) {\n static const uint16_t kCiphersNoAESHardware[] = {\n TLS1_3_CK_CHACHA20_POLY1305_SHA256 & 0xffff,\n TLS1_3_CK_AES_128_GCM_SHA256 & 0xffff,\n TLS1_3_CK_AES_256_GCM_SHA384 & 0xffff,\n };\n static const uint16_t kCiphersAESHardware[] = {\n TLS1_3_CK_AES_128_GCM_SHA256 & 0xffff,\n TLS1_3_CK_AES_256_GCM_SHA384 & 0xffff,\n TLS1_3_CK_CHACHA20_POLY1305_SHA256 & 0xffff,\n };\n static const uint16_t kCiphersCNSA[] = {\n TLS1_3_CK_AES_256_GCM_SHA384 & 0xffff,\n TLS1_3_CK_AES_128_GCM_SHA256 & 0xffff,\n TLS1_3_CK_CHACHA20_POLY1305_SHA256 & 0xffff,\n };\n\n const bool has_aes_hw = ssl->config->aes_hw_override\n ? ssl->config->aes_hw_override_value\n : EVP_has_aes_hardware();\n const bssl::Span ciphers =\n ssl->config->compliance_policy == ssl_compliance_policy_cnsa_202407\n ? bssl::Span(kCiphersCNSA)\n : (has_aes_hw ? bssl::Span(kCiphersAESHardware)\n : bssl::Span(kCiphersNoAESHardware));\n\n for (auto cipher : ciphers) {\n if (!ssl_add_tls13_cipher(&child, cipher,\n ssl->config->compliance_policy)) {\n return false;\n }\n }\n }\n\n if (hs->min_version < TLS1_3_VERSION && type != ssl_client_hello_inner) {\n bool any_enabled = false;\n for (const SSL_CIPHER *cipher : SSL_get_ciphers(ssl)) {\n // Skip disabled ciphers\n if ((cipher->algorithm_mkey & mask_k) ||\n (cipher->algorithm_auth & mask_a)) {\n continue;\n }\n if (SSL_CIPHER_get_min_version(cipher) > hs->max_version ||\n SSL_CIPHER_get_max_version(cipher) < hs->min_version) {\n continue;\n }\n any_enabled = true;\n if (!CBB_add_u16(&child, SSL_CIPHER_get_protocol_id(cipher))) {\n return false;\n }\n }\n\n // If all ciphers were disabled, return the error to the caller.\n if (!any_enabled && hs->max_version < TLS1_3_VERSION) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_NO_CIPHERS_AVAILABLE);\n return false;\n }\n }\n\n if (ssl->mode & SSL_MODE_SEND_FALLBACK_SCSV) {\n if (!CBB_add_u16(&child, SSL3_CK_FALLBACK_SCSV & 0xffff)) {\n return false;\n }\n }\n\n return CBB_flush(out);\n}\n\nbool ssl_write_client_hello_without_extensions(const SSL_HANDSHAKE *hs,\n CBB *cbb,\n ssl_client_hello_type_t type,\n bool empty_session_id) {\n const SSL *const ssl = hs->ssl;\n CBB child;\n if (!CBB_add_u16(cbb, hs->client_version) ||\n !CBB_add_bytes(cbb,\n type == ssl_client_hello_inner ? hs->inner_client_random\n : ssl->s3->client_random,\n SSL3_RANDOM_SIZE) ||\n !CBB_add_u8_length_prefixed(cbb, &child)) {\n return false;\n }\n\n // Do not send a session ID on renegotiation.\n if (!ssl->s3->initial_handshake_complete && //\n !empty_session_id && //\n !CBB_add_bytes(&child, hs->session_id.data(), hs->session_id.size())) {\n return false;\n }\n\n if (SSL_is_dtls(ssl)) {\n if (!CBB_add_u8_length_prefixed(cbb, &child) ||\n !CBB_add_bytes(&child, hs->dtls_cookie.data(),\n hs->dtls_cookie.size())) {\n return false;\n }\n }\n\n if (!ssl_write_client_cipher_list(hs, cbb, type) ||\n !CBB_add_u8(cbb, 1 /* one compression method */) ||\n !CBB_add_u8(cbb, 0 /* null compression */)) {\n return false;\n }\n return true;\n}\n\nbool ssl_add_client_hello(SSL_HANDSHAKE *hs) {\n SSL *const ssl = hs->ssl;\n ScopedCBB cbb;\n CBB body;\n ssl_client_hello_type_t type = hs->selected_ech_config\n ? ssl_client_hello_outer\n : ssl_client_hello_unencrypted;\n bool needs_psk_binder;\n Array msg;\n if (!ssl->method->init_message(ssl, cbb.get(), &body, SSL3_MT_CLIENT_HELLO) ||\n !ssl_write_client_hello_without_extensions(hs, &body, type,\n /*empty_session_id=*/false) ||\n !ssl_add_clienthello_tlsext(hs, &body, /*out_encoded=*/nullptr,\n &needs_psk_binder, type, CBB_len(&body)) ||\n !ssl->method->finish_message(ssl, cbb.get(), &msg)) {\n return false;\n }\n\n // Now that the length prefixes have been computed, fill in the placeholder\n // PSK binder.\n if (needs_psk_binder) {\n // ClientHelloOuter cannot have a PSK binder. Otherwise the\n // ClientHellOuterAAD computation would break.\n assert(type != ssl_client_hello_outer);\n if (!tls13_write_psk_binder(hs, hs->transcript, Span(msg),\n /*out_binder_len=*/0)) {\n return false;\n }\n }\n\n return ssl->method->add_message(ssl, std::move(msg));\n}\n\nstatic bool parse_server_version(const SSL_HANDSHAKE *hs, uint16_t *out_version,\n uint8_t *out_alert,\n const ParsedServerHello &server_hello) {\n uint16_t legacy_version = TLS1_2_VERSION;\n if (SSL_is_dtls(hs->ssl)) {\n legacy_version = DTLS1_2_VERSION;\n }\n // If the outer version is not TLS 1.2, use it.\n // TODO(davidben): This function doesn't quite match the RFC8446 formulation.\n if (server_hello.legacy_version != legacy_version) {\n *out_version = server_hello.legacy_version;\n return true;\n }\n\n SSLExtension supported_versions(TLSEXT_TYPE_supported_versions);\n CBS extensions = server_hello.extensions;\n if (!ssl_parse_extensions(&extensions, out_alert, {&supported_versions},\n /*ignore_unknown=*/true)) {\n return false;\n }\n\n if (!supported_versions.present) {\n *out_version = server_hello.legacy_version;\n return true;\n }\n\n if (!CBS_get_u16(&supported_versions.data, out_version) || //\n CBS_len(&supported_versions.data) != 0) {\n *out_alert = SSL_AD_DECODE_ERROR;\n return false;\n }\n\n return true;\n}\n\n// should_offer_early_data returns |ssl_early_data_accepted| if |hs| should\n// offer early data, and some other reason code otherwise.\nstatic ssl_early_data_reason_t should_offer_early_data(\n const SSL_HANDSHAKE *hs) {\n const SSL *const ssl = hs->ssl;\n assert(!ssl->server);\n if (!ssl->enable_early_data) {\n return ssl_early_data_disabled;\n }\n\n if (hs->max_version < TLS1_3_VERSION || SSL_is_dtls(ssl)) {\n // We discard inapplicable sessions, so this is redundant with the session\n // checks below, but reporting that TLS 1.3 was disabled is more useful.\n //\n // TODO(crbug.com/381113363): Support early data in DTLS 1.3.\n return ssl_early_data_protocol_version;\n }\n\n if (ssl->session == nullptr) {\n return ssl_early_data_no_session_offered;\n }\n\n if (ssl_session_protocol_version(ssl->session.get()) < TLS1_3_VERSION ||\n ssl->session->ticket_max_early_data == 0) {\n return ssl_early_data_unsupported_for_session;\n }\n\n if (!ssl->session->early_alpn.empty()) {\n if (!ssl_is_alpn_protocol_allowed(hs, ssl->session->early_alpn)) {\n // Avoid reporting a confusing value in |SSL_get0_alpn_selected|.\n return ssl_early_data_alpn_mismatch;\n }\n\n // If the previous connection negotiated ALPS, only offer 0-RTT when the\n // local are settings are consistent with what we'd offer for this\n // connection.\n if (ssl->session->has_application_settings) {\n Span settings;\n if (!ssl_get_local_application_settings(hs, &settings,\n ssl->session->early_alpn) ||\n settings != ssl->session->local_application_settings) {\n return ssl_early_data_alps_mismatch;\n }\n }\n }\n\n // Early data has not yet been accepted, but we use it as a success code.\n return ssl_early_data_accepted;\n}\n\nvoid ssl_done_writing_client_hello(SSL_HANDSHAKE *hs) {\n hs->ech_client_outer.Reset();\n hs->cookie.Reset();\n hs->key_share_bytes.Reset();\n}\n\nstatic enum ssl_hs_wait_t do_start_connect(SSL_HANDSHAKE *hs) {\n SSL *const ssl = hs->ssl;\n\n ssl_do_info_callback(ssl, SSL_CB_HANDSHAKE_START, 1);\n // |session_reused| must be reset in case this is a renegotiation.\n ssl->s3->session_reused = false;\n\n // Freeze the version range.\n if (!ssl_get_version_range(hs, &hs->min_version, &hs->max_version)) {\n return ssl_hs_error;\n }\n\n uint8_t ech_enc[EVP_HPKE_MAX_ENC_LENGTH];\n size_t ech_enc_len;\n if (!ssl_select_ech_config(hs, ech_enc, &ech_enc_len)) {\n return ssl_hs_error;\n }\n\n // Always advertise the ClientHello version from the original maximum version,\n // even on renegotiation. The static RSA key exchange uses this field, and\n // some servers fail when it changes across handshakes.\n if (SSL_is_dtls(hs->ssl)) {\n hs->client_version =\n hs->max_version >= TLS1_2_VERSION ? DTLS1_2_VERSION : DTLS1_VERSION;\n } else {\n hs->client_version =\n hs->max_version >= TLS1_2_VERSION ? TLS1_2_VERSION : hs->max_version;\n }\n\n // If the configured session has expired or is not usable, drop it. We also do\n // not offer sessions on renegotiation.\n SSLSessionType session_type = SSLSessionType::kNotResumable;\n if (ssl->session != nullptr) {\n session_type = ssl_session_get_type(ssl->session.get());\n if (ssl->session->is_server ||\n !ssl_supports_version(hs, ssl->session->ssl_version) ||\n // Do not offer TLS 1.2 sessions with ECH. ClientHelloInner does not\n // offer TLS 1.2, and the cleartext session ID may leak the server\n // identity.\n (hs->selected_ech_config &&\n ssl_session_protocol_version(ssl->session.get()) < TLS1_3_VERSION) ||\n session_type == SSLSessionType::kNotResumable ||\n // Don't offer TLS 1.2 tickets if disabled.\n (session_type == SSLSessionType::kTicket &&\n (SSL_get_options(ssl) & SSL_OP_NO_TICKET)) ||\n !ssl_session_is_time_valid(ssl, ssl->session.get()) ||\n SSL_is_quic(ssl) != int{ssl->session->is_quic} ||\n ssl->s3->initial_handshake_complete) {\n ssl_set_session(ssl, nullptr);\n session_type = SSLSessionType::kNotResumable;\n }\n }\n\n if (!RAND_bytes(ssl->s3->client_random, sizeof(ssl->s3->client_random))) {\n return ssl_hs_error;\n }\n if (hs->selected_ech_config &&\n !RAND_bytes(hs->inner_client_random, sizeof(hs->inner_client_random))) {\n return ssl_hs_error;\n }\n\n // Compatibility mode sends a random session ID. Compatibility mode is\n // enabled for TLS 1.3, but not when it's run over QUIC or DTLS.\n const bool enable_compatibility_mode = hs->max_version >= TLS1_3_VERSION &&\n !SSL_is_quic(ssl) && !SSL_is_dtls(ssl);\n if (session_type == SSLSessionType::kID) {\n hs->session_id = ssl->session->session_id;\n } else if (session_type == SSLSessionType::kTicket ||\n enable_compatibility_mode) {\n // TLS 1.2 session tickets require a placeholder value to signal resumption.\n hs->session_id.ResizeForOverwrite(SSL_MAX_SSL_SESSION_ID_LENGTH);\n if (!RAND_bytes(hs->session_id.data(), hs->session_id.size())) {\n return ssl_hs_error;\n }\n }\n\n ssl_early_data_reason_t reason = should_offer_early_data(hs);\n if (reason != ssl_early_data_accepted) {\n ssl->s3->early_data_reason = reason;\n } else {\n hs->early_data_offered = true;\n }\n\n if (!ssl_setup_key_shares(hs, /*override_group_id=*/0) ||\n !ssl_setup_extension_permutation(hs) ||\n !ssl_encrypt_client_hello(hs, Span(ech_enc, ech_enc_len)) ||\n !ssl_add_client_hello(hs)) {\n return ssl_hs_error;\n }\n\n hs->state = state_enter_early_data;\n return ssl_hs_flush;\n}\n\nstatic enum ssl_hs_wait_t do_enter_early_data(SSL_HANDSHAKE *hs) {\n SSL *const ssl = hs->ssl;\n if (!hs->early_data_offered) {\n hs->state = state_read_server_hello;\n return ssl_hs_ok;\n }\n\n // Stash the early data session and activate the early version. This must\n // happen before |do_early_reverify_server_certificate|, so early connection\n // properties are available to the callback. Note the early version may be\n // overwritten later by the final version.\n hs->early_session = UpRef(ssl->session);\n ssl->s3->version = hs->early_session->ssl_version;\n hs->is_early_version = true;\n hs->state = state_early_reverify_server_certificate;\n return ssl_hs_ok;\n}\n\nstatic enum ssl_hs_wait_t do_early_reverify_server_certificate(\n SSL_HANDSHAKE *hs) {\n SSL *const ssl = hs->ssl;\n if (ssl->ctx->reverify_on_resume) {\n // Don't send an alert on error. The alert would be in the clear, which the\n // server is not expecting anyway. Alerts in between ClientHello and\n // ServerHello cannot usefully be delivered in TLS 1.3.\n //\n // TODO(davidben): The client behavior should be to verify the certificate\n // before deciding whether to offer the session and, if invalid, decline to\n // send the session.\n switch (ssl_reverify_peer_cert(hs, /*send_alert=*/false)) {\n case ssl_verify_ok:\n break;\n case ssl_verify_invalid:\n return ssl_hs_error;\n case ssl_verify_retry:\n hs->state = state_early_reverify_server_certificate;\n return ssl_hs_certificate_verify;\n }\n }\n\n if (!ssl->method->add_change_cipher_spec(ssl)) {\n return ssl_hs_error;\n }\n\n // Defer releasing the 0-RTT key to after certificate reverification, so the\n // QUIC implementation does not accidentally write data too early.\n if (!tls13_init_early_key_schedule(hs, hs->early_session.get()) ||\n !tls13_derive_early_secret(hs) ||\n !tls13_set_traffic_key(hs->ssl, ssl_encryption_early_data, evp_aead_seal,\n hs->early_session.get(),\n hs->early_traffic_secret)) {\n return ssl_hs_error;\n }\n\n hs->in_early_data = true;\n hs->can_early_write = true;\n hs->state = state_read_server_hello;\n return ssl_hs_early_return;\n}\n\nstatic bool handle_hello_verify_request(SSL_HANDSHAKE *hs,\n const SSLMessage &msg) {\n SSL *const ssl = hs->ssl;\n assert(SSL_is_dtls(ssl));\n assert(msg.type == DTLS1_MT_HELLO_VERIFY_REQUEST);\n assert(!hs->received_hello_verify_request);\n\n CBS hello_verify_request = msg.body, cookie;\n uint16_t server_version;\n if (!CBS_get_u16(&hello_verify_request, &server_version) ||\n !CBS_get_u8_length_prefixed(&hello_verify_request, &cookie) ||\n CBS_len(&hello_verify_request) != 0) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);\n return false;\n }\n\n if (!hs->dtls_cookie.CopyFrom(cookie)) {\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);\n return false;\n }\n hs->received_hello_verify_request = true;\n\n ssl->method->next_message(ssl);\n\n // DTLS resets the handshake buffer after HelloVerifyRequest.\n if (!hs->transcript.Init()) {\n return false;\n }\n\n return ssl_add_client_hello(hs);\n}\n\nbool ssl_parse_server_hello(ParsedServerHello *out, uint8_t *out_alert,\n const SSLMessage &msg) {\n if (msg.type != SSL3_MT_SERVER_HELLO) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_MESSAGE);\n *out_alert = SSL_AD_UNEXPECTED_MESSAGE;\n return false;\n }\n out->raw = msg.raw;\n CBS body = msg.body;\n if (!CBS_get_u16(&body, &out->legacy_version) ||\n !CBS_get_bytes(&body, &out->random, SSL3_RANDOM_SIZE) ||\n !CBS_get_u8_length_prefixed(&body, &out->session_id) ||\n CBS_len(&out->session_id) > SSL3_SESSION_ID_SIZE ||\n !CBS_get_u16(&body, &out->cipher_suite) ||\n !CBS_get_u8(&body, &out->compression_method)) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);\n *out_alert = SSL_AD_DECODE_ERROR;\n return false;\n }\n // In TLS 1.2 and below, empty extensions blocks may be omitted. In TLS 1.3,\n // ServerHellos always have extensions, so this can be applied generically.\n CBS_init(&out->extensions, nullptr, 0);\n if ((CBS_len(&body) != 0 &&\n !CBS_get_u16_length_prefixed(&body, &out->extensions)) ||\n CBS_len(&body) != 0) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);\n *out_alert = SSL_AD_DECODE_ERROR;\n return false;\n }\n return true;\n}\n\nstatic enum ssl_hs_wait_t do_read_server_hello(SSL_HANDSHAKE *hs) {\n SSL *const ssl = hs->ssl;\n SSLMessage msg;\n if (!ssl->method->get_message(ssl, &msg)) {\n return ssl_hs_read_server_hello;\n }\n\n if (SSL_is_dtls(ssl) && !hs->received_hello_verify_request &&\n msg.type == DTLS1_MT_HELLO_VERIFY_REQUEST) {\n if (!handle_hello_verify_request(hs, msg)) {\n return ssl_hs_error;\n }\n hs->received_hello_verify_request = true;\n hs->state = state_read_server_hello;\n return ssl_hs_flush;\n }\n\n ParsedServerHello server_hello;\n uint16_t server_version;\n uint8_t alert = SSL_AD_DECODE_ERROR;\n if (!ssl_parse_server_hello(&server_hello, &alert, msg) ||\n !parse_server_version(hs, &server_version, &alert, server_hello)) {\n ssl_send_alert(ssl, SSL3_AL_FATAL, alert);\n return ssl_hs_error;\n }\n\n if (!ssl_supports_version(hs, server_version)) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_UNSUPPORTED_PROTOCOL);\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_PROTOCOL_VERSION);\n return ssl_hs_error;\n }\n\n if (!ssl->s3->initial_handshake_complete) {\n // |ssl->s3->version| may be set due to 0-RTT. If it was to a different\n // value, the check below will fire.\n assert(ssl->s3->version == 0 ||\n (hs->is_early_version &&\n ssl->s3->version == hs->early_session->ssl_version));\n ssl->s3->version = server_version;\n hs->is_early_version = false;\n } else if (server_version != ssl->s3->version) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_SSL_VERSION);\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_PROTOCOL_VERSION);\n return ssl_hs_error;\n }\n\n // If the version did not match, stop sending 0-RTT data.\n if (hs->early_data_offered &&\n ssl->s3->version != hs->early_session->ssl_version) {\n // This is currently only possible by reading a TLS 1.2 (or earlier)\n // ServerHello in response to TLS 1.3. If there is ever a TLS 1.4, or\n // another variant of TLS 1.3, the fatal error below will need to be a clean\n // 0-RTT reject.\n assert(ssl_protocol_version(ssl) < TLS1_3_VERSION);\n assert(ssl_session_protocol_version(hs->early_session.get()) >=\n TLS1_3_VERSION);\n\n // A TLS 1.2 server would not know to skip the early data we offered, so\n // there is no point in continuing the handshake. Report an error code as\n // soon as we detect this. The caller may use this error code to implement\n // the fallback described in RFC 8446 appendix D.3.\n //\n // Disconnect early writes. This ensures subsequent |SSL_write| calls query\n // the handshake which, in turn, will replay the error code rather than fail\n // at the |write_shutdown| check. See https://crbug.com/1078515.\n // TODO(davidben): Should all handshake errors do this? What about record\n // decryption failures?\n //\n // TODO(crbug.com/381113363): Although missing from the spec, a DTLS 1.2\n // server will already naturally skip 0-RTT data. If we implement DTLS 1.3\n // 0-RTT, we may want a clean reject.\n assert(!SSL_is_dtls(ssl));\n hs->can_early_write = false;\n OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_VERSION_ON_EARLY_DATA);\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_PROTOCOL_VERSION);\n return ssl_hs_error;\n }\n\n if (ssl_protocol_version(ssl) >= TLS1_3_VERSION) {\n if (hs->received_hello_verify_request) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_MESSAGE);\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_PROTOCOL_VERSION);\n return ssl_hs_error;\n }\n\n hs->state = state_tls13;\n return ssl_hs_ok;\n }\n\n // Clear some TLS 1.3 state that no longer needs to be retained.\n hs->key_shares[0].reset();\n hs->key_shares[1].reset();\n ssl_done_writing_client_hello(hs);\n\n // TLS 1.2 handshakes cannot accept ECH.\n if (hs->selected_ech_config) {\n ssl->s3->ech_status = ssl_ech_rejected;\n }\n\n // Copy over the server random.\n OPENSSL_memcpy(ssl->s3->server_random, CBS_data(&server_hello.random),\n SSL3_RANDOM_SIZE);\n\n // Enforce the TLS 1.3 anti-downgrade feature.\n if (!ssl->s3->initial_handshake_complete &&\n hs->max_version >= TLS1_3_VERSION) {\n static_assert(\n sizeof(kTLS12DowngradeRandom) == sizeof(kTLS13DowngradeRandom),\n \"downgrade signals have different size\");\n static_assert(\n sizeof(kJDK11DowngradeRandom) == sizeof(kTLS13DowngradeRandom),\n \"downgrade signals have different size\");\n auto suffix =\n Span(ssl->s3->server_random).last(sizeof(kTLS13DowngradeRandom));\n if (suffix == kTLS12DowngradeRandom || suffix == kTLS13DowngradeRandom ||\n suffix == kJDK11DowngradeRandom) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_TLS13_DOWNGRADE);\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);\n return ssl_hs_error;\n }\n }\n\n // The cipher must be allowed in the selected version and enabled.\n const SSL_CIPHER *cipher = SSL_get_cipher_by_value(server_hello.cipher_suite);\n uint32_t mask_a, mask_k;\n ssl_get_client_disabled(hs, &mask_a, &mask_k);\n if (cipher == nullptr || //\n (cipher->algorithm_mkey & mask_k) || //\n (cipher->algorithm_auth & mask_a) || //\n SSL_CIPHER_get_min_version(cipher) > ssl_protocol_version(ssl) || //\n SSL_CIPHER_get_max_version(cipher) < ssl_protocol_version(ssl) || //\n !sk_SSL_CIPHER_find(SSL_get_ciphers(ssl), nullptr, cipher)) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CIPHER_RETURNED);\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);\n return ssl_hs_error;\n }\n\n hs->new_cipher = cipher;\n\n if (!hs->session_id.empty() &&\n Span(server_hello.session_id) == hs->session_id) {\n // Echoing the ClientHello session ID in TLS 1.2, whether from the session\n // or a synthetic one, indicates resumption. If there was no session (or if\n // the session was only offered in ECH ClientHelloInner), this was the\n // TLS 1.3 compatibility mode session ID. As we know this is not a session\n // the server knows about, any server resuming it is in error. Reject the\n // first connection deterministicly, rather than installing an invalid\n // session into the session cache. https://crbug.com/796910\n if (ssl->session == nullptr || ssl->s3->ech_status == ssl_ech_rejected) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_SERVER_ECHOED_INVALID_SESSION_ID);\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);\n return ssl_hs_error;\n }\n if (ssl->session->ssl_version != ssl->s3->version) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_OLD_SESSION_VERSION_NOT_RETURNED);\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);\n return ssl_hs_error;\n }\n if (ssl->session->cipher != hs->new_cipher) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED);\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);\n return ssl_hs_error;\n }\n if (!ssl_session_is_context_valid(hs, ssl->session.get())) {\n // This is actually a client application bug.\n OPENSSL_PUT_ERROR(SSL,\n SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT);\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);\n return ssl_hs_error;\n }\n // We never offer sessions on renegotiation.\n assert(!ssl->s3->initial_handshake_complete);\n ssl->s3->session_reused = true;\n } else {\n // The session wasn't resumed. Create a fresh SSL_SESSION to fill out.\n ssl_set_session(ssl, NULL);\n if (!ssl_get_new_session(hs)) {\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);\n return ssl_hs_error;\n }\n\n // Save the session ID from the server. This may be empty if the session\n // isn't resumable, or if we'll receive a session ticket later. The\n // ServerHello parser ensures |server_hello.session_id| is within bounds.\n hs->new_session->session_id.CopyFrom(server_hello.session_id);\n hs->new_session->cipher = hs->new_cipher;\n }\n\n // Now that the cipher is known, initialize the handshake hash and hash the\n // ServerHello.\n if (!hs->transcript.InitHash(ssl_protocol_version(ssl), hs->new_cipher) ||\n !ssl_hash_message(hs, msg)) {\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);\n return ssl_hs_error;\n }\n\n // If doing a full handshake, the server may request a client certificate\n // which requires hashing the handshake transcript. Otherwise, the handshake\n // buffer may be released.\n if (ssl->session != NULL ||\n !ssl_cipher_uses_certificate_auth(hs->new_cipher)) {\n hs->transcript.FreeBuffer();\n }\n\n // Only the NULL compression algorithm is supported.\n if (server_hello.compression_method != 0) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM);\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);\n return ssl_hs_error;\n }\n\n if (!ssl_parse_serverhello_tlsext(hs, &server_hello.extensions)) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_PARSE_TLSEXT);\n return ssl_hs_error;\n }\n\n if (ssl->session != NULL &&\n hs->extended_master_secret != ssl->session->extended_master_secret) {\n if (ssl->session->extended_master_secret) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_RESUMED_EMS_SESSION_WITHOUT_EMS_EXTENSION);\n } else {\n OPENSSL_PUT_ERROR(SSL, SSL_R_RESUMED_NON_EMS_SESSION_WITH_EMS_EXTENSION);\n }\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);\n return ssl_hs_error;\n }\n\n ssl->method->next_message(ssl);\n\n if (ssl->session != NULL) {\n if (ssl->ctx->reverify_on_resume &&\n ssl_cipher_uses_certificate_auth(hs->new_cipher)) {\n hs->state = state_reverify_server_certificate;\n } else {\n hs->state = state_read_session_ticket;\n }\n return ssl_hs_ok;\n }\n\n hs->state = state_read_server_certificate;\n return ssl_hs_ok;\n}\n\nstatic enum ssl_hs_wait_t do_tls13(SSL_HANDSHAKE *hs) {\n enum ssl_hs_wait_t wait = tls13_client_handshake(hs);\n if (wait == ssl_hs_ok) {\n hs->state = state_finish_client_handshake;\n return ssl_hs_ok;\n }\n\n return wait;\n}\n\nstatic enum ssl_hs_wait_t do_read_server_certificate(SSL_HANDSHAKE *hs) {\n SSL *const ssl = hs->ssl;\n\n if (!ssl_cipher_uses_certificate_auth(hs->new_cipher)) {\n hs->state = state_read_certificate_status;\n return ssl_hs_ok;\n }\n\n SSLMessage msg;\n if (!ssl->method->get_message(ssl, &msg)) {\n return ssl_hs_read_message;\n }\n\n if (!ssl_check_message_type(ssl, msg, SSL3_MT_CERTIFICATE) ||\n !ssl_hash_message(hs, msg)) {\n return ssl_hs_error;\n }\n\n CBS body = msg.body;\n uint8_t alert = SSL_AD_DECODE_ERROR;\n if (!ssl_parse_cert_chain(&alert, &hs->new_session->certs, &hs->peer_pubkey,\n NULL, &body, ssl->ctx->pool)) {\n ssl_send_alert(ssl, SSL3_AL_FATAL, alert);\n return ssl_hs_error;\n }\n\n if (sk_CRYPTO_BUFFER_num(hs->new_session->certs.get()) == 0 ||\n CBS_len(&body) != 0 ||\n !ssl->ctx->x509_method->session_cache_objects(hs->new_session.get())) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);\n return ssl_hs_error;\n }\n\n if (!ssl_check_leaf_certificate(\n hs, hs->peer_pubkey.get(),\n sk_CRYPTO_BUFFER_value(hs->new_session->certs.get(), 0))) {\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);\n return ssl_hs_error;\n }\n\n ssl->method->next_message(ssl);\n\n hs->state = state_read_certificate_status;\n return ssl_hs_ok;\n}\n\nstatic enum ssl_hs_wait_t do_read_certificate_status(SSL_HANDSHAKE *hs) {\n SSL *const ssl = hs->ssl;\n\n if (!hs->certificate_status_expected) {\n hs->state = state_verify_server_certificate;\n return ssl_hs_ok;\n }\n\n SSLMessage msg;\n if (!ssl->method->get_message(ssl, &msg)) {\n return ssl_hs_read_message;\n }\n\n if (msg.type != SSL3_MT_CERTIFICATE_STATUS) {\n // A server may send status_request in ServerHello and then change its mind\n // about sending CertificateStatus.\n hs->state = state_verify_server_certificate;\n return ssl_hs_ok;\n }\n\n if (!ssl_hash_message(hs, msg)) {\n return ssl_hs_error;\n }\n\n CBS certificate_status = msg.body, ocsp_response;\n uint8_t status_type;\n if (!CBS_get_u8(&certificate_status, &status_type) || //\n status_type != TLSEXT_STATUSTYPE_ocsp || //\n !CBS_get_u24_length_prefixed(&certificate_status, &ocsp_response) || //\n CBS_len(&ocsp_response) == 0 || //\n CBS_len(&certificate_status) != 0) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);\n return ssl_hs_error;\n }\n\n hs->new_session->ocsp_response.reset(\n CRYPTO_BUFFER_new_from_CBS(&ocsp_response, ssl->ctx->pool));\n if (hs->new_session->ocsp_response == nullptr) {\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);\n return ssl_hs_error;\n }\n\n ssl->method->next_message(ssl);\n\n hs->state = state_verify_server_certificate;\n return ssl_hs_ok;\n}\n\nstatic enum ssl_hs_wait_t do_verify_server_certificate(SSL_HANDSHAKE *hs) {\n if (!ssl_cipher_uses_certificate_auth(hs->new_cipher)) {\n hs->state = state_read_server_key_exchange;\n return ssl_hs_ok;\n }\n\n switch (ssl_verify_peer_cert(hs)) {\n case ssl_verify_ok:\n break;\n case ssl_verify_invalid:\n return ssl_hs_error;\n case ssl_verify_retry:\n hs->state = state_verify_server_certificate;\n return ssl_hs_certificate_verify;\n }\n\n hs->state = state_read_server_key_exchange;\n return ssl_hs_ok;\n}\n\nstatic enum ssl_hs_wait_t do_reverify_server_certificate(SSL_HANDSHAKE *hs) {\n assert(hs->ssl->ctx->reverify_on_resume);\n\n switch (ssl_reverify_peer_cert(hs, /*send_alert=*/true)) {\n case ssl_verify_ok:\n break;\n case ssl_verify_invalid:\n return ssl_hs_error;\n case ssl_verify_retry:\n hs->state = state_reverify_server_certificate;\n return ssl_hs_certificate_verify;\n }\n\n hs->state = state_read_session_ticket;\n return ssl_hs_ok;\n}\n\nstatic enum ssl_hs_wait_t do_read_server_key_exchange(SSL_HANDSHAKE *hs) {\n SSL *const ssl = hs->ssl;\n SSLMessage msg;\n if (!ssl->method->get_message(ssl, &msg)) {\n return ssl_hs_read_message;\n }\n\n if (msg.type != SSL3_MT_SERVER_KEY_EXCHANGE) {\n // Some ciphers (pure PSK) have an optional ServerKeyExchange message.\n if (ssl_cipher_requires_server_key_exchange(hs->new_cipher)) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_MESSAGE);\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);\n return ssl_hs_error;\n }\n\n hs->state = state_read_certificate_request;\n return ssl_hs_ok;\n }\n\n if (!ssl_hash_message(hs, msg)) {\n return ssl_hs_error;\n }\n\n uint32_t alg_k = hs->new_cipher->algorithm_mkey;\n uint32_t alg_a = hs->new_cipher->algorithm_auth;\n CBS server_key_exchange = msg.body;\n if (alg_a & SSL_aPSK) {\n CBS psk_identity_hint;\n\n // Each of the PSK key exchanges begins with a psk_identity_hint.\n if (!CBS_get_u16_length_prefixed(&server_key_exchange,\n &psk_identity_hint)) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);\n return ssl_hs_error;\n }\n\n // Store the PSK identity hint for the ClientKeyExchange. Assume that the\n // maximum length of a PSK identity hint can be as long as the maximum\n // length of a PSK identity. Also do not allow NULL characters; identities\n // are saved as C strings.\n //\n // TODO(davidben): Should invalid hints be ignored? It's a hint rather than\n // a specific identity.\n if (CBS_len(&psk_identity_hint) > PSK_MAX_IDENTITY_LEN ||\n CBS_contains_zero_byte(&psk_identity_hint)) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_DATA_LENGTH_TOO_LONG);\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);\n return ssl_hs_error;\n }\n\n // Save non-empty identity hints as a C string. Empty identity hints we\n // treat as missing. Plain PSK makes it possible to send either no hint\n // (omit ServerKeyExchange) or an empty hint, while ECDHE_PSK can only spell\n // empty hint. Having different capabilities is odd, so we interpret empty\n // and missing as identical.\n char *raw = nullptr;\n if (CBS_len(&psk_identity_hint) != 0 &&\n !CBS_strdup(&psk_identity_hint, &raw)) {\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);\n return ssl_hs_error;\n }\n hs->peer_psk_identity_hint.reset(raw);\n }\n\n if (alg_k & SSL_kECDHE) {\n // Parse the server parameters.\n uint8_t group_type;\n uint16_t group_id;\n CBS point;\n if (!CBS_get_u8(&server_key_exchange, &group_type) ||\n group_type != NAMED_CURVE_TYPE ||\n !CBS_get_u16(&server_key_exchange, &group_id) ||\n !CBS_get_u8_length_prefixed(&server_key_exchange, &point)) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);\n return ssl_hs_error;\n }\n\n // Ensure the group is consistent with preferences.\n if (!tls1_check_group_id(hs, group_id)) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CURVE);\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);\n return ssl_hs_error;\n }\n\n // Save the group and peer public key for later.\n hs->new_session->group_id = group_id;\n if (!hs->peer_key.CopyFrom(point)) {\n return ssl_hs_error;\n }\n } else if (!(alg_k & SSL_kPSK)) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_MESSAGE);\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);\n return ssl_hs_error;\n }\n\n // At this point, |server_key_exchange| contains the signature, if any, while\n // |msg.body| contains the entire message. From that, derive a CBS containing\n // just the parameter.\n CBS parameter;\n CBS_init(¶meter, CBS_data(&msg.body),\n CBS_len(&msg.body) - CBS_len(&server_key_exchange));\n\n // ServerKeyExchange should be signed by the server's public key.\n if (ssl_cipher_uses_certificate_auth(hs->new_cipher)) {\n uint16_t signature_algorithm = 0;\n if (ssl_protocol_version(ssl) >= TLS1_2_VERSION) {\n if (!CBS_get_u16(&server_key_exchange, &signature_algorithm)) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);\n return ssl_hs_error;\n }\n uint8_t alert = SSL_AD_DECODE_ERROR;\n if (!tls12_check_peer_sigalg(hs, &alert, signature_algorithm,\n hs->peer_pubkey.get())) {\n ssl_send_alert(ssl, SSL3_AL_FATAL, alert);\n return ssl_hs_error;\n }\n hs->new_session->peer_signature_algorithm = signature_algorithm;\n } else if (!tls1_get_legacy_signature_algorithm(&signature_algorithm,\n hs->peer_pubkey.get())) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE);\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNSUPPORTED_CERTIFICATE);\n return ssl_hs_error;\n }\n\n // The last field in |server_key_exchange| is the signature.\n CBS signature;\n if (!CBS_get_u16_length_prefixed(&server_key_exchange, &signature) ||\n CBS_len(&server_key_exchange) != 0) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);\n return ssl_hs_error;\n }\n\n ScopedCBB transcript;\n Array transcript_data;\n if (!CBB_init(transcript.get(),\n 2 * SSL3_RANDOM_SIZE + CBS_len(¶meter)) ||\n !CBB_add_bytes(transcript.get(), ssl->s3->client_random,\n SSL3_RANDOM_SIZE) ||\n !CBB_add_bytes(transcript.get(), ssl->s3->server_random,\n SSL3_RANDOM_SIZE) ||\n !CBB_add_bytes(transcript.get(), CBS_data(¶meter),\n CBS_len(¶meter)) ||\n !CBBFinishArray(transcript.get(), &transcript_data)) {\n OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);\n return ssl_hs_error;\n }\n\n if (!ssl_public_key_verify(ssl, signature, signature_algorithm,\n hs->peer_pubkey.get(), transcript_data)) {\n // bad signature\n OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_SIGNATURE);\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECRYPT_ERROR);\n return ssl_hs_error;\n }\n } else {\n // PSK ciphers are the only supported certificate-less ciphers.\n assert(alg_a == SSL_aPSK);\n\n if (CBS_len(&server_key_exchange) > 0) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_EXTRA_DATA_IN_MESSAGE);\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);\n return ssl_hs_error;\n }\n }\n\n ssl->method->next_message(ssl);\n hs->state = state_read_certificate_request;\n return ssl_hs_ok;\n}\n\nstatic enum ssl_hs_wait_t do_read_certificate_request(SSL_HANDSHAKE *hs) {\n SSL *const ssl = hs->ssl;\n\n if (!ssl_cipher_uses_certificate_auth(hs->new_cipher)) {\n hs->state = state_read_server_hello_done;\n return ssl_hs_ok;\n }\n\n SSLMessage msg;\n if (!ssl->method->get_message(ssl, &msg)) {\n return ssl_hs_read_message;\n }\n\n if (msg.type == SSL3_MT_SERVER_HELLO_DONE) {\n // If we get here we don't need the handshake buffer as we won't be doing\n // client auth.\n hs->transcript.FreeBuffer();\n hs->state = state_read_server_hello_done;\n return ssl_hs_ok;\n }\n\n if (!ssl_check_message_type(ssl, msg, SSL3_MT_CERTIFICATE_REQUEST) ||\n !ssl_hash_message(hs, msg)) {\n return ssl_hs_error;\n }\n\n // Get the certificate types.\n CBS body = msg.body, certificate_types;\n if (!CBS_get_u8_length_prefixed(&body, &certificate_types)) {\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);\n OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);\n return ssl_hs_error;\n }\n\n if (!hs->certificate_types.CopyFrom(certificate_types)) {\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);\n return ssl_hs_error;\n }\n\n if (ssl_protocol_version(ssl) >= TLS1_2_VERSION) {\n CBS supported_signature_algorithms;\n if (!CBS_get_u16_length_prefixed(&body, &supported_signature_algorithms) ||\n !tls1_parse_peer_sigalgs(hs, &supported_signature_algorithms)) {\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);\n OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);\n return ssl_hs_error;\n }\n }\n\n uint8_t alert = SSL_AD_DECODE_ERROR;\n UniquePtr ca_names =\n SSL_parse_CA_list(ssl, &alert, &body);\n if (!ca_names) {\n ssl_send_alert(ssl, SSL3_AL_FATAL, alert);\n return ssl_hs_error;\n }\n\n if (CBS_len(&body) != 0) {\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);\n OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);\n return ssl_hs_error;\n }\n\n hs->cert_request = true;\n hs->ca_names = std::move(ca_names);\n ssl->ctx->x509_method->hs_flush_cached_ca_names(hs);\n\n ssl->method->next_message(ssl);\n hs->state = state_read_server_hello_done;\n return ssl_hs_ok;\n}\n\nstatic enum ssl_hs_wait_t do_read_server_hello_done(SSL_HANDSHAKE *hs) {\n SSL *const ssl = hs->ssl;\n SSLMessage msg;\n if (!ssl->method->get_message(ssl, &msg)) {\n return ssl_hs_read_message;\n }\n\n if (!ssl_check_message_type(ssl, msg, SSL3_MT_SERVER_HELLO_DONE) ||\n !ssl_hash_message(hs, msg)) {\n return ssl_hs_error;\n }\n\n // ServerHelloDone is empty.\n if (CBS_len(&msg.body) != 0) {\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);\n OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);\n return ssl_hs_error;\n }\n\n // ServerHelloDone should be the end of the flight.\n if (ssl->method->has_unprocessed_handshake_data(ssl)) {\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);\n OPENSSL_PUT_ERROR(SSL, SSL_R_EXCESS_HANDSHAKE_DATA);\n return ssl_hs_error;\n }\n\n ssl->method->next_message(ssl);\n hs->state = state_send_client_certificate;\n return ssl_hs_ok;\n}\n\nstatic bool check_credential(SSL_HANDSHAKE *hs, const SSL_CREDENTIAL *cred,\n uint16_t *out_sigalg) {\n if (cred->type != SSLCredentialType::kX509) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_UNKNOWN_CERTIFICATE_TYPE);\n return false;\n }\n\n if (hs->config->check_client_certificate_type) {\n // Check the certificate types advertised by the peer.\n uint8_t cert_type;\n switch (EVP_PKEY_id(cred->pubkey.get())) {\n case EVP_PKEY_RSA:\n cert_type = SSL3_CT_RSA_SIGN;\n break;\n case EVP_PKEY_EC:\n case EVP_PKEY_ED25519:\n cert_type = TLS_CT_ECDSA_SIGN;\n break;\n default:\n OPENSSL_PUT_ERROR(SSL, SSL_R_UNKNOWN_CERTIFICATE_TYPE);\n return false;\n }\n if (std::find(hs->certificate_types.begin(), hs->certificate_types.end(),\n cert_type) == hs->certificate_types.end()) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_UNKNOWN_CERTIFICATE_TYPE);\n return false;\n }\n }\n\n // All currently supported credentials require a signature. Note this does not\n // check the ECDSA curve. Prior to TLS 1.3, there is no way to determine which\n // ECDSA curves are supported by the peer, so we must assume all curves are\n // supported.\n return tls1_choose_signature_algorithm(hs, cred, out_sigalg);\n}\n\nstatic enum ssl_hs_wait_t do_send_client_certificate(SSL_HANDSHAKE *hs) {\n SSL *const ssl = hs->ssl;\n\n // The peer didn't request a certificate.\n if (!hs->cert_request) {\n hs->state = state_send_client_key_exchange;\n return ssl_hs_ok;\n }\n\n if (ssl->s3->ech_status == ssl_ech_rejected) {\n // Do not send client certificates on ECH reject. We have not authenticated\n // the server for the name that can learn the certificate.\n SSL_certs_clear(ssl);\n } else if (hs->config->cert->cert_cb != nullptr) {\n // Call cert_cb to update the certificate.\n int rv = hs->config->cert->cert_cb(ssl, hs->config->cert->cert_cb_arg);\n if (rv == 0) {\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);\n OPENSSL_PUT_ERROR(SSL, SSL_R_CERT_CB_ERROR);\n return ssl_hs_error;\n }\n if (rv < 0) {\n hs->state = state_send_client_certificate;\n return ssl_hs_x509_lookup;\n }\n }\n\n Array creds;\n if (!ssl_get_credential_list(hs, &creds)) {\n return ssl_hs_error;\n }\n\n if (creds.empty()) {\n // If there were no credentials, proceed without a client certificate. In\n // this case, the handshake buffer may be released early.\n hs->transcript.FreeBuffer();\n } else {\n // Select the credential to use.\n for (SSL_CREDENTIAL *cred : creds) {\n ERR_clear_error();\n uint16_t sigalg;\n if (check_credential(hs, cred, &sigalg)) {\n hs->credential = UpRef(cred);\n hs->signature_algorithm = sigalg;\n break;\n }\n }\n if (hs->credential == nullptr) {\n // The error from the last attempt is in the error queue.\n assert(ERR_peek_error() != 0);\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);\n return ssl_hs_error;\n }\n }\n\n if (!ssl_send_tls12_certificate(hs)) {\n return ssl_hs_error;\n }\n\n hs->state = state_send_client_key_exchange;\n return ssl_hs_ok;\n}\n\nstatic_assert(sizeof(size_t) >= sizeof(unsigned),\n \"size_t is smaller than unsigned\");\n\nstatic enum ssl_hs_wait_t do_send_client_key_exchange(SSL_HANDSHAKE *hs) {\n SSL *const ssl = hs->ssl;\n ScopedCBB cbb;\n CBB body;\n if (!ssl->method->init_message(ssl, cbb.get(), &body,\n SSL3_MT_CLIENT_KEY_EXCHANGE)) {\n return ssl_hs_error;\n }\n\n Array pms;\n uint32_t alg_k = hs->new_cipher->algorithm_mkey;\n uint32_t alg_a = hs->new_cipher->algorithm_auth;\n if (ssl_cipher_uses_certificate_auth(hs->new_cipher)) {\n const CRYPTO_BUFFER *leaf =\n sk_CRYPTO_BUFFER_value(hs->new_session->certs.get(), 0);\n CBS leaf_cbs;\n CRYPTO_BUFFER_init_CBS(leaf, &leaf_cbs);\n\n // Check the key usage matches the cipher suite. We do this unconditionally\n // for non-RSA certificates. In particular, it's needed to distinguish ECDH\n // certificates, which we do not support, from ECDSA certificates.\n // Historically, we have not checked RSA key usages, so it is controlled by\n // a flag for now. See https://crbug.com/795089.\n ssl_key_usage_t intended_use = (alg_k & SSL_kRSA)\n ? key_usage_encipherment\n : key_usage_digital_signature;\n if (!ssl_cert_check_key_usage(&leaf_cbs, intended_use)) {\n if (hs->config->enforce_rsa_key_usage ||\n EVP_PKEY_id(hs->peer_pubkey.get()) != EVP_PKEY_RSA) {\n return ssl_hs_error;\n }\n ERR_clear_error();\n ssl->s3->was_key_usage_invalid = true;\n }\n }\n\n // If using a PSK key exchange, prepare the pre-shared key.\n unsigned psk_len = 0;\n uint8_t psk[PSK_MAX_PSK_LEN];\n if (alg_a & SSL_aPSK) {\n if (hs->config->psk_client_callback == NULL) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_PSK_NO_CLIENT_CB);\n return ssl_hs_error;\n }\n\n char identity[PSK_MAX_IDENTITY_LEN + 1];\n OPENSSL_memset(identity, 0, sizeof(identity));\n psk_len = hs->config->psk_client_callback(\n ssl, hs->peer_psk_identity_hint.get(), identity, sizeof(identity), psk,\n sizeof(psk));\n if (psk_len == 0) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_PSK_IDENTITY_NOT_FOUND);\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);\n return ssl_hs_error;\n }\n assert(psk_len <= PSK_MAX_PSK_LEN);\n\n hs->new_session->psk_identity.reset(OPENSSL_strdup(identity));\n if (hs->new_session->psk_identity == nullptr) {\n return ssl_hs_error;\n }\n\n // Write out psk_identity.\n CBB child;\n if (!CBB_add_u16_length_prefixed(&body, &child) ||\n !CBB_add_bytes(&child, (const uint8_t *)identity,\n OPENSSL_strnlen(identity, sizeof(identity))) ||\n !CBB_flush(&body)) {\n return ssl_hs_error;\n }\n }\n\n // Depending on the key exchange method, compute |pms|.\n if (alg_k & SSL_kRSA) {\n RSA *rsa = EVP_PKEY_get0_RSA(hs->peer_pubkey.get());\n if (rsa == NULL) {\n OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);\n return ssl_hs_error;\n }\n\n if (!pms.InitForOverwrite(SSL_MAX_MASTER_KEY_LENGTH)) {\n return ssl_hs_error;\n }\n pms[0] = hs->client_version >> 8;\n pms[1] = hs->client_version & 0xff;\n if (!RAND_bytes(&pms[2], SSL_MAX_MASTER_KEY_LENGTH - 2)) {\n return ssl_hs_error;\n }\n\n CBB enc_pms;\n uint8_t *ptr;\n size_t enc_pms_len;\n if (!CBB_add_u16_length_prefixed(&body, &enc_pms) || //\n !CBB_reserve(&enc_pms, &ptr, RSA_size(rsa)) || //\n !RSA_encrypt(rsa, &enc_pms_len, ptr, RSA_size(rsa), pms.data(),\n pms.size(), RSA_PKCS1_PADDING) || //\n !CBB_did_write(&enc_pms, enc_pms_len) || //\n !CBB_flush(&body)) {\n return ssl_hs_error;\n }\n } else if (alg_k & SSL_kECDHE) {\n CBB child;\n if (!CBB_add_u8_length_prefixed(&body, &child)) {\n return ssl_hs_error;\n }\n\n // Generate a premaster secret and encapsulate it.\n bssl::UniquePtr kem =\n SSLKeyShare::Create(hs->new_session->group_id);\n uint8_t alert = SSL_AD_DECODE_ERROR;\n if (!kem || !kem->Encap(&child, &pms, &alert, hs->peer_key)) {\n ssl_send_alert(ssl, SSL3_AL_FATAL, alert);\n return ssl_hs_error;\n }\n if (!CBB_flush(&body)) {\n return ssl_hs_error;\n }\n\n // The peer key can now be discarded.\n hs->peer_key.Reset();\n } else if (alg_k & SSL_kPSK) {\n // For plain PSK, other_secret is a block of 0s with the same length as\n // the pre-shared key.\n if (!pms.Init(psk_len)) {\n return ssl_hs_error;\n }\n } else {\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);\n OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);\n return ssl_hs_error;\n }\n\n // For a PSK cipher suite, other_secret is combined with the pre-shared\n // key.\n if (alg_a & SSL_aPSK) {\n ScopedCBB pms_cbb;\n CBB child;\n if (!CBB_init(pms_cbb.get(), 2 + psk_len + 2 + pms.size()) ||\n !CBB_add_u16_length_prefixed(pms_cbb.get(), &child) ||\n !CBB_add_bytes(&child, pms.data(), pms.size()) ||\n !CBB_add_u16_length_prefixed(pms_cbb.get(), &child) ||\n !CBB_add_bytes(&child, psk, psk_len) ||\n !CBBFinishArray(pms_cbb.get(), &pms)) {\n return ssl_hs_error;\n }\n }\n\n // The message must be added to the finished hash before calculating the\n // master secret.\n if (!ssl_add_message_cbb(ssl, cbb.get())) {\n return ssl_hs_error;\n }\n\n hs->new_session->secret.ResizeForOverwrite(SSL3_MASTER_SECRET_SIZE);\n if (!tls1_generate_master_secret(hs, Span(hs->new_session->secret), pms)) {\n return ssl_hs_error;\n }\n\n hs->new_session->extended_master_secret = hs->extended_master_secret;\n hs->state = state_send_client_certificate_verify;\n return ssl_hs_ok;\n}\n\nstatic enum ssl_hs_wait_t do_send_client_certificate_verify(SSL_HANDSHAKE *hs) {\n SSL *const ssl = hs->ssl;\n\n if (!hs->cert_request || hs->credential == nullptr) {\n hs->state = state_send_client_finished;\n return ssl_hs_ok;\n }\n\n ScopedCBB cbb;\n CBB body, child;\n if (!ssl->method->init_message(ssl, cbb.get(), &body,\n SSL3_MT_CERTIFICATE_VERIFY)) {\n return ssl_hs_error;\n }\n\n assert(hs->signature_algorithm != 0);\n if (ssl_protocol_version(ssl) >= TLS1_2_VERSION) {\n // Write out the digest type in TLS 1.2.\n if (!CBB_add_u16(&body, hs->signature_algorithm)) {\n OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);\n return ssl_hs_error;\n }\n }\n\n // Set aside space for the signature.\n const size_t max_sig_len = EVP_PKEY_size(hs->credential->pubkey.get());\n uint8_t *ptr;\n if (!CBB_add_u16_length_prefixed(&body, &child) ||\n !CBB_reserve(&child, &ptr, max_sig_len)) {\n return ssl_hs_error;\n }\n\n size_t sig_len = max_sig_len;\n switch (ssl_private_key_sign(hs, ptr, &sig_len, max_sig_len,\n hs->signature_algorithm,\n hs->transcript.buffer())) {\n case ssl_private_key_success:\n break;\n case ssl_private_key_failure:\n return ssl_hs_error;\n case ssl_private_key_retry:\n hs->state = state_send_client_certificate_verify;\n return ssl_hs_private_key_operation;\n }\n\n if (!CBB_did_write(&child, sig_len) || //\n !ssl_add_message_cbb(ssl, cbb.get())) {\n return ssl_hs_error;\n }\n\n // The handshake buffer is no longer necessary.\n hs->transcript.FreeBuffer();\n\n hs->state = state_send_client_finished;\n return ssl_hs_ok;\n}\n\nstatic enum ssl_hs_wait_t do_send_client_finished(SSL_HANDSHAKE *hs) {\n SSL *const ssl = hs->ssl;\n hs->can_release_private_key = true;\n if (!ssl->method->add_change_cipher_spec(ssl) ||\n !tls1_change_cipher_state(hs, evp_aead_seal)) {\n return ssl_hs_error;\n }\n\n if (hs->next_proto_neg_seen) {\n static const uint8_t kZero[32] = {0};\n size_t padding_len =\n 32 - ((ssl->s3->next_proto_negotiated.size() + 2) % 32);\n\n ScopedCBB cbb;\n CBB body, child;\n if (!ssl->method->init_message(ssl, cbb.get(), &body, SSL3_MT_NEXT_PROTO) ||\n !CBB_add_u8_length_prefixed(&body, &child) ||\n !CBB_add_bytes(&child, ssl->s3->next_proto_negotiated.data(),\n ssl->s3->next_proto_negotiated.size()) ||\n !CBB_add_u8_length_prefixed(&body, &child) ||\n !CBB_add_bytes(&child, kZero, padding_len) ||\n !ssl_add_message_cbb(ssl, cbb.get())) {\n OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);\n return ssl_hs_error;\n }\n }\n\n if (hs->channel_id_negotiated) {\n ScopedCBB cbb;\n CBB body;\n if (!ssl->method->init_message(ssl, cbb.get(), &body, SSL3_MT_CHANNEL_ID) ||\n !tls1_write_channel_id(hs, &body) ||\n !ssl_add_message_cbb(ssl, cbb.get())) {\n OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);\n return ssl_hs_error;\n }\n }\n\n if (!ssl_send_finished(hs)) {\n return ssl_hs_error;\n }\n\n hs->state = state_finish_flight;\n return ssl_hs_flush;\n}\n\nstatic bool can_false_start(const SSL_HANDSHAKE *hs) {\n const SSL *const ssl = hs->ssl;\n\n // False Start bypasses the Finished check's downgrade protection. This can\n // enable attacks where we send data under weaker settings than supported\n // (e.g. the Logjam attack). Thus we require TLS 1.2 with an ECDHE+AEAD\n // cipher, our strongest settings before TLS 1.3.\n //\n // Now that TLS 1.3 exists, we would like to avoid similar attacks between\n // TLS 1.2 and TLS 1.3, but there are too many TLS 1.2 deployments to\n // sacrifice False Start on them. Instead, we rely on the ServerHello.random\n // downgrade signal, which we unconditionally enforce.\n if (SSL_is_dtls(ssl) || //\n SSL_version(ssl) != TLS1_2_VERSION || //\n hs->new_cipher->algorithm_mkey != SSL_kECDHE || //\n hs->new_cipher->algorithm_mac != SSL_AEAD) {\n return false;\n }\n\n // If ECH was rejected, disable False Start. We run the handshake to\n // completion, including the Finished downgrade check, to authenticate the\n // recovery flow.\n if (ssl->s3->ech_status == ssl_ech_rejected) {\n return false;\n }\n\n // Additionally require ALPN or NPN by default.\n //\n // TODO(davidben): Can this constraint be relaxed globally now that cipher\n // suite requirements have been tightened?\n if (!ssl->ctx->false_start_allowed_without_alpn &&\n ssl->s3->alpn_selected.empty() &&\n ssl->s3->next_proto_negotiated.empty()) {\n return false;\n }\n\n return true;\n}\n\nstatic enum ssl_hs_wait_t do_finish_flight(SSL_HANDSHAKE *hs) {\n SSL *const ssl = hs->ssl;\n if (ssl->session != NULL) {\n hs->state = state_finish_client_handshake;\n return ssl_hs_ok;\n }\n\n // This is a full handshake. If it involves ChannelID, then record the\n // handshake hashes at this point in the session so that any resumption of\n // this session with ChannelID can sign those hashes.\n if (!tls1_record_handshake_hashes_for_channel_id(hs)) {\n return ssl_hs_error;\n }\n\n hs->state = state_read_session_ticket;\n\n if ((SSL_get_mode(ssl) & SSL_MODE_ENABLE_FALSE_START) &&\n can_false_start(hs) &&\n // No False Start on renegotiation (would complicate the state machine).\n !ssl->s3->initial_handshake_complete) {\n hs->in_false_start = true;\n hs->can_early_write = true;\n return ssl_hs_early_return;\n }\n\n return ssl_hs_ok;\n}\n\nstatic enum ssl_hs_wait_t do_read_session_ticket(SSL_HANDSHAKE *hs) {\n SSL *const ssl = hs->ssl;\n\n if (!hs->ticket_expected) {\n hs->state = state_process_change_cipher_spec;\n return ssl_hs_read_change_cipher_spec;\n }\n\n SSLMessage msg;\n if (!ssl->method->get_message(ssl, &msg)) {\n return ssl_hs_read_message;\n }\n\n if (!ssl_check_message_type(ssl, msg, SSL3_MT_NEW_SESSION_TICKET) ||\n !ssl_hash_message(hs, msg)) {\n return ssl_hs_error;\n }\n\n CBS new_session_ticket = msg.body, ticket;\n uint32_t ticket_lifetime_hint;\n if (!CBS_get_u32(&new_session_ticket, &ticket_lifetime_hint) ||\n !CBS_get_u16_length_prefixed(&new_session_ticket, &ticket) ||\n CBS_len(&new_session_ticket) != 0) {\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);\n OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);\n return ssl_hs_error;\n }\n\n if (CBS_len(&ticket) == 0) {\n // RFC 5077 allows a server to change its mind and send no ticket after\n // negotiating the extension. The value of |ticket_expected| is checked in\n // |ssl_update_cache| so is cleared here to avoid an unnecessary update.\n hs->ticket_expected = false;\n ssl->method->next_message(ssl);\n hs->state = state_process_change_cipher_spec;\n return ssl_hs_read_change_cipher_spec;\n }\n\n if (ssl->session != nullptr) {\n // The server is sending a new ticket for an existing session. Sessions are\n // immutable once established, so duplicate all but the ticket of the\n // existing session.\n assert(!hs->new_session);\n hs->new_session =\n SSL_SESSION_dup(ssl->session.get(), SSL_SESSION_INCLUDE_NONAUTH);\n if (!hs->new_session) {\n return ssl_hs_error;\n }\n }\n\n // |ticket_lifetime_hint| is measured from when the ticket was issued.\n ssl_session_rebase_time(ssl, hs->new_session.get());\n\n if (!hs->new_session->ticket.CopyFrom(ticket)) {\n return ssl_hs_error;\n }\n hs->new_session->ticket_lifetime_hint = ticket_lifetime_hint;\n\n // Historically, OpenSSL filled in fake session IDs for ticket-based sessions.\n // TODO(davidben): Are external callers relying on this? Try removing this.\n hs->new_session->session_id.ResizeForOverwrite(SHA256_DIGEST_LENGTH);\n SHA256(CBS_data(&ticket), CBS_len(&ticket),\n hs->new_session->session_id.data());\n\n ssl->method->next_message(ssl);\n hs->state = state_process_change_cipher_spec;\n return ssl_hs_read_change_cipher_spec;\n}\n\nstatic enum ssl_hs_wait_t do_process_change_cipher_spec(SSL_HANDSHAKE *hs) {\n if (!tls1_change_cipher_state(hs, evp_aead_open)) {\n return ssl_hs_error;\n }\n\n hs->state = state_read_server_finished;\n return ssl_hs_ok;\n}\n\nstatic enum ssl_hs_wait_t do_read_server_finished(SSL_HANDSHAKE *hs) {\n SSL *const ssl = hs->ssl;\n enum ssl_hs_wait_t wait = ssl_get_finished(hs);\n if (wait != ssl_hs_ok) {\n return wait;\n }\n\n if (ssl->session != NULL) {\n hs->state = state_send_client_finished;\n return ssl_hs_ok;\n }\n\n hs->state = state_finish_client_handshake;\n return ssl_hs_ok;\n}\n\nstatic enum ssl_hs_wait_t do_finish_client_handshake(SSL_HANDSHAKE *hs) {\n SSL *const ssl = hs->ssl;\n if (ssl->s3->ech_status == ssl_ech_rejected) {\n // Release the retry configs.\n hs->ech_authenticated_reject = true;\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ECH_REQUIRED);\n OPENSSL_PUT_ERROR(SSL, SSL_R_ECH_REJECTED);\n return ssl_hs_error;\n }\n\n ssl->method->on_handshake_complete(ssl);\n\n // Note TLS 1.2 resumptions with ticket renewal have both |ssl->session| (the\n // resumed session) and |hs->new_session| (the session with the new ticket).\n bool has_new_session = hs->new_session != nullptr;\n if (has_new_session) {\n // When False Start is enabled, the handshake reports completion early. The\n // caller may then have passed the (then unresuable) |hs->new_session| to\n // another thread via |SSL_get0_session| for resumption. To avoid potential\n // race conditions in such callers, we duplicate the session before\n // clearing |not_resumable|.\n ssl->s3->established_session =\n SSL_SESSION_dup(hs->new_session.get(), SSL_SESSION_DUP_ALL);\n if (!ssl->s3->established_session) {\n return ssl_hs_error;\n }\n // Renegotiations do not participate in session resumption.\n if (!ssl->s3->initial_handshake_complete) {\n ssl->s3->established_session->not_resumable = false;\n }\n\n hs->new_session.reset();\n } else {\n assert(ssl->session != nullptr);\n ssl->s3->established_session = UpRef(ssl->session);\n }\n\n hs->handshake_finalized = true;\n ssl->s3->initial_handshake_complete = true;\n if (has_new_session) {\n ssl_update_cache(ssl);\n }\n\n hs->state = state_done;\n return ssl_hs_ok;\n}\n\nenum ssl_hs_wait_t ssl_client_handshake(SSL_HANDSHAKE *hs) {\n while (hs->state != state_done) {\n enum ssl_hs_wait_t ret = ssl_hs_error;\n enum ssl_client_hs_state_t state =\n static_cast(hs->state);\n switch (state) {\n case state_start_connect:\n ret = do_start_connect(hs);\n break;\n case state_enter_early_data:\n ret = do_enter_early_data(hs);\n break;\n case state_early_reverify_server_certificate:\n ret = do_early_reverify_server_certificate(hs);\n break;\n case state_read_server_hello:\n ret = do_read_server_hello(hs);\n break;\n case state_tls13:\n ret = do_tls13(hs);\n break;\n case state_read_server_certificate:\n ret = do_read_server_certificate(hs);\n break;\n case state_read_certificate_status:\n ret = do_read_certificate_status(hs);\n break;\n case state_verify_server_certificate:\n ret = do_verify_server_certificate(hs);\n break;\n case state_reverify_server_certificate:\n ret = do_reverify_server_certificate(hs);\n break;\n case state_read_server_key_exchange:\n ret = do_read_server_key_exchange(hs);\n break;\n case state_read_certificate_request:\n ret = do_read_certificate_request(hs);\n break;\n case state_read_server_hello_done:\n ret = do_read_server_hello_done(hs);\n break;\n case state_send_client_certificate:\n ret = do_send_client_certificate(hs);\n break;\n case state_send_client_key_exchange:\n ret = do_send_client_key_exchange(hs);\n break;\n case state_send_client_certificate_verify:\n ret = do_send_client_certificate_verify(hs);\n break;\n case state_send_client_finished:\n ret = do_send_client_finished(hs);\n break;\n case state_finish_flight:\n ret = do_finish_flight(hs);\n break;\n case state_read_session_ticket:\n ret = do_read_session_ticket(hs);\n break;\n case state_process_change_cipher_spec:\n ret = do_process_change_cipher_spec(hs);\n break;\n case state_read_server_finished:\n ret = do_read_server_finished(hs);\n break;\n case state_finish_client_handshake:\n ret = do_finish_client_handshake(hs);\n break;\n case state_done:\n ret = ssl_hs_ok;\n break;\n }\n\n if (hs->state != state) {\n ssl_do_info_callback(hs->ssl, SSL_CB_CONNECT_LOOP, 1);\n }\n\n if (ret != ssl_hs_ok) {\n return ret;\n }\n }\n\n ssl_do_info_callback(hs->ssl, SSL_CB_HANDSHAKE_DONE, 1);\n return ssl_hs_ok;\n}\n\nconst char *ssl_client_handshake_state(SSL_HANDSHAKE *hs) {\n enum ssl_client_hs_state_t state =\n static_cast(hs->state);\n switch (state) {\n case state_start_connect:\n return \"TLS client start_connect\";\n case state_enter_early_data:\n return \"TLS client enter_early_data\";\n case state_early_reverify_server_certificate:\n return \"TLS client early_reverify_server_certificate\";\n case state_read_server_hello:\n return \"TLS client read_server_hello\";\n case state_tls13:\n return tls13_client_handshake_state(hs);\n case state_read_server_certificate:\n return \"TLS client read_server_certificate\";\n case state_read_certificate_status:\n return \"TLS client read_certificate_status\";\n case state_verify_server_certificate:\n return \"TLS client verify_server_certificate\";\n case state_reverify_server_certificate:\n return \"TLS client reverify_server_certificate\";\n case state_read_server_key_exchange:\n return \"TLS client read_server_key_exchange\";\n case state_read_certificate_request:\n return \"TLS client read_certificate_request\";\n case state_read_server_hello_done:\n return \"TLS client read_server_hello_done\";\n case state_send_client_certificate:\n return \"TLS client send_client_certificate\";\n case state_send_client_key_exchange:\n return \"TLS client send_client_key_exchange\";\n case state_send_client_certificate_verify:\n return \"TLS client send_client_certificate_verify\";\n case state_send_client_finished:\n return \"TLS client send_client_finished\";\n case state_finish_flight:\n return \"TLS client finish_flight\";\n case state_read_session_ticket:\n return \"TLS client read_session_ticket\";\n case state_process_change_cipher_spec:\n return \"TLS client process_change_cipher_spec\";\n case state_read_server_finished:\n return \"TLS client read_server_finished\";\n case state_finish_client_handshake:\n return \"TLS client finish_client_handshake\";\n case state_done:\n return \"TLS client done\";\n }\n\n return \"TLS client unknown\";\n}\n\nBSSL_NAMESPACE_END\n" }, { "path": "Sources/CNIOBoringSSL/ssl/handshake_server.cc", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved.\n * Copyright 2005 Nokia. All rights reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n#include \n\n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n\n#include \"../crypto/internal.h\"\n#include \"internal.h\"\n\n\nBSSL_NAMESPACE_BEGIN\n\nbool ssl_client_cipher_list_contains_cipher(\n const SSL_CLIENT_HELLO *client_hello, uint16_t id) {\n CBS cipher_suites;\n CBS_init(&cipher_suites, client_hello->cipher_suites,\n client_hello->cipher_suites_len);\n\n while (CBS_len(&cipher_suites) > 0) {\n uint16_t got_id;\n if (!CBS_get_u16(&cipher_suites, &got_id)) {\n return false;\n }\n\n if (got_id == id) {\n return true;\n }\n }\n\n return false;\n}\n\nstatic bool negotiate_version(SSL_HANDSHAKE *hs, uint8_t *out_alert,\n const SSL_CLIENT_HELLO *client_hello) {\n SSL *const ssl = hs->ssl;\n assert(ssl->s3->version == 0);\n CBS supported_versions, versions;\n if (ssl_client_hello_get_extension(client_hello, &supported_versions,\n TLSEXT_TYPE_supported_versions)) {\n if (!CBS_get_u8_length_prefixed(&supported_versions, &versions) || //\n CBS_len(&supported_versions) != 0 || //\n CBS_len(&versions) == 0) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);\n *out_alert = SSL_AD_DECODE_ERROR;\n return false;\n }\n } else {\n // Convert the ClientHello version to an equivalent supported_versions\n // extension.\n static const uint8_t kTLSVersions[] = {\n 0x03, 0x03, // TLS 1.2\n 0x03, 0x02, // TLS 1.1\n 0x03, 0x01, // TLS 1\n };\n\n static const uint8_t kDTLSVersions[] = {\n 0xfe, 0xfd, // DTLS 1.2\n 0xfe, 0xff, // DTLS 1.0\n };\n\n size_t versions_len = 0;\n if (SSL_is_dtls(ssl)) {\n if (client_hello->version <= DTLS1_2_VERSION) {\n versions_len = 4;\n } else if (client_hello->version <= DTLS1_VERSION) {\n versions_len = 2;\n }\n versions = Span(kDTLSVersions).last(versions_len);\n } else {\n if (client_hello->version >= TLS1_2_VERSION) {\n versions_len = 6;\n } else if (client_hello->version >= TLS1_1_VERSION) {\n versions_len = 4;\n } else if (client_hello->version >= TLS1_VERSION) {\n versions_len = 2;\n }\n versions = Span(kTLSVersions).last(versions_len);\n }\n }\n\n if (!ssl_negotiate_version(hs, out_alert, &ssl->s3->version, &versions)) {\n return false;\n }\n\n // Handle FALLBACK_SCSV.\n if (ssl_client_cipher_list_contains_cipher(client_hello,\n SSL3_CK_FALLBACK_SCSV & 0xffff) &&\n ssl_protocol_version(ssl) < hs->max_version) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_INAPPROPRIATE_FALLBACK);\n *out_alert = SSL3_AD_INAPPROPRIATE_FALLBACK;\n return false;\n }\n\n return true;\n}\n\nstatic UniquePtr ssl_parse_client_cipher_list(\n const SSL_CLIENT_HELLO *client_hello) {\n CBS cipher_suites;\n CBS_init(&cipher_suites, client_hello->cipher_suites,\n client_hello->cipher_suites_len);\n\n UniquePtr sk(sk_SSL_CIPHER_new_null());\n if (!sk) {\n return nullptr;\n }\n\n while (CBS_len(&cipher_suites) > 0) {\n uint16_t cipher_suite;\n\n if (!CBS_get_u16(&cipher_suites, &cipher_suite)) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST);\n return nullptr;\n }\n\n const SSL_CIPHER *c = SSL_get_cipher_by_value(cipher_suite);\n if (c != NULL && !sk_SSL_CIPHER_push(sk.get(), c)) {\n return nullptr;\n }\n }\n\n return sk;\n}\n\nstatic const SSL_CIPHER *choose_cipher(SSL_HANDSHAKE *hs,\n const STACK_OF(SSL_CIPHER) *client_pref,\n uint32_t mask_k, uint32_t mask_a) {\n SSL *const ssl = hs->ssl;\n const STACK_OF(SSL_CIPHER) *prio, *allow;\n // in_group_flags will either be NULL, or will point to an array of bytes\n // which indicate equal-preference groups in the |prio| stack. See the\n // comment about |in_group_flags| in the |SSLCipherPreferenceList|\n // struct.\n const bool *in_group_flags;\n // group_min contains the minimal index so far found in a group, or -1 if no\n // such value exists yet.\n int group_min = -1;\n\n const SSLCipherPreferenceList *server_pref =\n hs->config->cipher_list ? hs->config->cipher_list.get()\n : ssl->ctx->cipher_list.get();\n if (ssl->options & SSL_OP_CIPHER_SERVER_PREFERENCE) {\n prio = server_pref->ciphers.get();\n in_group_flags = server_pref->in_group_flags;\n allow = client_pref;\n } else {\n prio = client_pref;\n in_group_flags = NULL;\n allow = server_pref->ciphers.get();\n }\n\n for (size_t i = 0; i < sk_SSL_CIPHER_num(prio); i++) {\n const SSL_CIPHER *c = sk_SSL_CIPHER_value(prio, i);\n\n size_t cipher_index;\n if ( // Check if the cipher is supported for the current version.\n SSL_CIPHER_get_min_version(c) <= ssl_protocol_version(ssl) && //\n ssl_protocol_version(ssl) <= SSL_CIPHER_get_max_version(c) && //\n // Check the cipher is supported for the server configuration.\n (c->algorithm_mkey & mask_k) && //\n (c->algorithm_auth & mask_a) && //\n // Check the cipher is in the |allow| list.\n sk_SSL_CIPHER_find(allow, &cipher_index, c)) {\n if (in_group_flags != NULL && in_group_flags[i]) {\n // This element of |prio| is in a group. Update the minimum index found\n // so far and continue looking.\n if (group_min == -1 || (size_t)group_min > cipher_index) {\n group_min = cipher_index;\n }\n } else {\n if (group_min != -1 && (size_t)group_min < cipher_index) {\n cipher_index = group_min;\n }\n return sk_SSL_CIPHER_value(allow, cipher_index);\n }\n }\n\n if (in_group_flags != NULL && !in_group_flags[i] && group_min != -1) {\n // We are about to leave a group, but we found a match in it, so that's\n // our answer.\n return sk_SSL_CIPHER_value(allow, group_min);\n }\n }\n\n OPENSSL_PUT_ERROR(SSL, SSL_R_NO_SHARED_CIPHER);\n return nullptr;\n}\n\nstruct TLS12ServerParams {\n bool ok() const { return cipher != nullptr; }\n\n const SSL_CIPHER *cipher = nullptr;\n uint16_t signature_algorithm = 0;\n};\n\nstatic TLS12ServerParams choose_params(SSL_HANDSHAKE *hs,\n const SSL_CREDENTIAL *cred,\n const STACK_OF(SSL_CIPHER) *client_pref,\n bool has_ecdhe_group) {\n // Determine the usable cipher suites.\n uint32_t mask_k = 0, mask_a = 0;\n if (has_ecdhe_group) {\n mask_k |= SSL_kECDHE;\n }\n if (hs->config->psk_server_callback != nullptr) {\n mask_k |= SSL_kPSK;\n mask_a |= SSL_aPSK;\n }\n uint16_t sigalg = 0;\n if (cred != nullptr && cred->type == SSLCredentialType::kX509) {\n bool sign_ok = tls1_choose_signature_algorithm(hs, cred, &sigalg);\n ERR_clear_error();\n\n // ECDSA keys must additionally be checked against the peer's supported\n // curve list.\n int key_type = EVP_PKEY_id(cred->pubkey.get());\n if (hs->config->check_ecdsa_curve && key_type == EVP_PKEY_EC) {\n EC_KEY *ec_key = EVP_PKEY_get0_EC_KEY(cred->pubkey.get());\n uint16_t group_id;\n if (!ssl_nid_to_group_id(\n &group_id, EC_GROUP_get_curve_name(EC_KEY_get0_group(ec_key))) ||\n std::find(hs->peer_supported_group_list.begin(),\n hs->peer_supported_group_list.end(),\n group_id) == hs->peer_supported_group_list.end()) {\n sign_ok = false;\n\n // If this would make us unable to pick any cipher, return an error.\n // This is not strictly necessary, but it gives us a more specific\n // error to help the caller diagnose issues.\n if (mask_a == 0) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CURVE);\n return TLS12ServerParams();\n }\n }\n }\n\n mask_a |= ssl_cipher_auth_mask_for_key(cred->pubkey.get(), sign_ok);\n if (key_type == EVP_PKEY_RSA) {\n mask_k |= SSL_kRSA;\n }\n }\n\n TLS12ServerParams params;\n params.cipher = choose_cipher(hs, client_pref, mask_k, mask_a);\n if (params.cipher == nullptr) {\n return TLS12ServerParams();\n }\n if (ssl_cipher_requires_server_key_exchange(params.cipher) &&\n ssl_cipher_uses_certificate_auth(params.cipher)) {\n params.signature_algorithm = sigalg;\n }\n return params;\n}\n\nstatic enum ssl_hs_wait_t do_start_accept(SSL_HANDSHAKE *hs) {\n ssl_do_info_callback(hs->ssl, SSL_CB_HANDSHAKE_START, 1);\n hs->state = state12_read_client_hello;\n return ssl_hs_ok;\n}\n\n// is_probably_jdk11_with_tls13 returns whether |client_hello| was probably sent\n// from a JDK 11 client with both TLS 1.3 and a prior version enabled.\nstatic bool is_probably_jdk11_with_tls13(const SSL_CLIENT_HELLO *client_hello) {\n // JDK 11 ClientHellos contain a number of unusual properties which should\n // limit false positives.\n\n // JDK 11 does not support ChaCha20-Poly1305. This is unusual: many modern\n // clients implement ChaCha20-Poly1305.\n if (ssl_client_cipher_list_contains_cipher(\n client_hello, TLS1_3_CK_CHACHA20_POLY1305_SHA256 & 0xffff)) {\n return false;\n }\n\n // JDK 11 always sends extensions in a particular order.\n constexpr uint16_t kMaxFragmentLength = 0x0001;\n constexpr uint16_t kStatusRequestV2 = 0x0011;\n static constexpr struct {\n uint16_t id;\n bool required;\n } kJavaExtensions[] = {\n {TLSEXT_TYPE_server_name, false},\n {kMaxFragmentLength, false},\n {TLSEXT_TYPE_status_request, false},\n {TLSEXT_TYPE_supported_groups, true},\n {TLSEXT_TYPE_ec_point_formats, false},\n {TLSEXT_TYPE_signature_algorithms, true},\n // Java always sends signature_algorithms_cert.\n {TLSEXT_TYPE_signature_algorithms_cert, true},\n {TLSEXT_TYPE_application_layer_protocol_negotiation, false},\n {kStatusRequestV2, false},\n {TLSEXT_TYPE_extended_master_secret, false},\n {TLSEXT_TYPE_supported_versions, true},\n {TLSEXT_TYPE_cookie, false},\n {TLSEXT_TYPE_psk_key_exchange_modes, true},\n {TLSEXT_TYPE_key_share, true},\n {TLSEXT_TYPE_renegotiate, false},\n {TLSEXT_TYPE_pre_shared_key, false},\n };\n Span sigalgs, sigalgs_cert;\n bool has_status_request = false, has_status_request_v2 = false;\n CBS extensions, supported_groups;\n CBS_init(&extensions, client_hello->extensions, client_hello->extensions_len);\n for (const auto &java_extension : kJavaExtensions) {\n CBS copy = extensions;\n uint16_t id;\n if (CBS_get_u16(©, &id) && id == java_extension.id) {\n // The next extension is the one we expected.\n extensions = copy;\n CBS body;\n if (!CBS_get_u16_length_prefixed(&extensions, &body)) {\n return false;\n }\n switch (id) {\n case TLSEXT_TYPE_status_request:\n has_status_request = true;\n break;\n case kStatusRequestV2:\n has_status_request_v2 = true;\n break;\n case TLSEXT_TYPE_signature_algorithms:\n sigalgs = body;\n break;\n case TLSEXT_TYPE_signature_algorithms_cert:\n sigalgs_cert = body;\n break;\n case TLSEXT_TYPE_supported_groups:\n supported_groups = body;\n break;\n }\n } else if (java_extension.required) {\n return false;\n }\n }\n if (CBS_len(&extensions) != 0) {\n return false;\n }\n\n // JDK 11 never advertises X25519. It is not offered by default, and\n // -Djdk.tls.namedGroups=x25519 does not work. This is unusual: many modern\n // clients implement X25519.\n while (CBS_len(&supported_groups) > 0) {\n uint16_t group;\n if (!CBS_get_u16(&supported_groups, &group) || //\n group == SSL_GROUP_X25519) {\n return false;\n }\n }\n\n if ( // JDK 11 always sends the same contents in signature_algorithms and\n // signature_algorithms_cert. This is unusual:\n // signature_algorithms_cert, if omitted, is treated as if it were\n // signature_algorithms.\n sigalgs != sigalgs_cert ||\n // When TLS 1.2 or below is enabled, JDK 11 sends status_request_v2 iff it\n // sends status_request. This is unusual: status_request_v2 is not widely\n // implemented.\n has_status_request != has_status_request_v2) {\n return false;\n }\n\n return true;\n}\n\nstatic bool decrypt_ech(SSL_HANDSHAKE *hs, uint8_t *out_alert,\n const SSL_CLIENT_HELLO *client_hello) {\n SSL *const ssl = hs->ssl;\n CBS body;\n if (!ssl_client_hello_get_extension(client_hello, &body,\n TLSEXT_TYPE_encrypted_client_hello)) {\n return true;\n }\n uint8_t type;\n if (!CBS_get_u8(&body, &type)) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);\n *out_alert = SSL_AD_DECODE_ERROR;\n return false;\n }\n if (type != ECH_CLIENT_OUTER) {\n return true;\n }\n // This is a ClientHelloOuter ECH extension. Attempt to decrypt it.\n uint8_t config_id;\n uint16_t kdf_id, aead_id;\n CBS enc, payload;\n if (!CBS_get_u16(&body, &kdf_id) || //\n !CBS_get_u16(&body, &aead_id) || //\n !CBS_get_u8(&body, &config_id) ||\n !CBS_get_u16_length_prefixed(&body, &enc) ||\n !CBS_get_u16_length_prefixed(&body, &payload) || //\n CBS_len(&body) != 0) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);\n *out_alert = SSL_AD_DECODE_ERROR;\n return false;\n }\n\n {\n MutexReadLock lock(&ssl->ctx->lock);\n hs->ech_keys = UpRef(ssl->ctx->ech_keys);\n }\n\n if (!hs->ech_keys) {\n ssl->s3->ech_status = ssl_ech_rejected;\n return true;\n }\n\n for (const auto &config : hs->ech_keys->configs) {\n hs->ech_hpke_ctx.Reset();\n if (config_id != config->ech_config().config_id ||\n !config->SetupContext(hs->ech_hpke_ctx.get(), kdf_id, aead_id, enc)) {\n // Ignore the error and try another ECHConfig.\n ERR_clear_error();\n continue;\n }\n bool is_decrypt_error;\n if (!ssl_client_hello_decrypt(hs, out_alert, &is_decrypt_error,\n &hs->ech_client_hello_buf, client_hello,\n payload)) {\n if (is_decrypt_error) {\n // Ignore the error and try another ECHConfig.\n ERR_clear_error();\n // The |out_alert| calling convention currently relies on a default of\n // |SSL_AD_DECODE_ERROR|. https://crbug.com/boringssl/373 tracks\n // switching to sum types, which avoids this.\n *out_alert = SSL_AD_DECODE_ERROR;\n continue;\n }\n OPENSSL_PUT_ERROR(SSL, SSL_R_DECRYPTION_FAILED);\n return false;\n }\n hs->ech_config_id = config_id;\n ssl->s3->ech_status = ssl_ech_accepted;\n return true;\n }\n\n // If we did not accept ECH, proceed with the ClientHelloOuter. Note this\n // could be key mismatch or ECH GREASE, so we must complete the handshake\n // as usual, except EncryptedExtensions will contain retry configs.\n ssl->s3->ech_status = ssl_ech_rejected;\n return true;\n}\n\nstatic bool extract_sni(SSL_HANDSHAKE *hs, uint8_t *out_alert,\n const SSL_CLIENT_HELLO *client_hello) {\n SSL *const ssl = hs->ssl;\n CBS sni;\n if (!ssl_client_hello_get_extension(client_hello, &sni,\n TLSEXT_TYPE_server_name)) {\n // No SNI extension to parse.\n //\n // Clear state in case we previously extracted SNI from ClientHelloOuter.\n ssl->s3->hostname.reset();\n return true;\n }\n\n CBS server_name_list, host_name;\n uint8_t name_type;\n if (!CBS_get_u16_length_prefixed(&sni, &server_name_list) || //\n !CBS_get_u8(&server_name_list, &name_type) || //\n // Although the server_name extension was intended to be extensible to\n // new name types and multiple names, OpenSSL 1.0.x had a bug which meant\n // different name types will cause an error. Further, RFC 4366 originally\n // defined syntax inextensibly. RFC 6066 corrected this mistake, but\n // adding new name types is no longer feasible.\n //\n // Act as if the extensibility does not exist to simplify parsing.\n !CBS_get_u16_length_prefixed(&server_name_list, &host_name) || //\n CBS_len(&server_name_list) != 0 || //\n CBS_len(&sni) != 0) {\n *out_alert = SSL_AD_DECODE_ERROR;\n return false;\n }\n\n if (name_type != TLSEXT_NAMETYPE_host_name || //\n CBS_len(&host_name) == 0 || //\n CBS_len(&host_name) > TLSEXT_MAXLEN_host_name || //\n CBS_contains_zero_byte(&host_name)) {\n *out_alert = SSL_AD_UNRECOGNIZED_NAME;\n return false;\n }\n\n // Copy the hostname as a string.\n char *raw = nullptr;\n if (!CBS_strdup(&host_name, &raw)) {\n *out_alert = SSL_AD_INTERNAL_ERROR;\n return false;\n }\n ssl->s3->hostname.reset(raw);\n return true;\n}\n\nstatic enum ssl_hs_wait_t do_read_client_hello(SSL_HANDSHAKE *hs) {\n SSL *const ssl = hs->ssl;\n\n SSLMessage msg;\n if (!ssl->method->get_message(ssl, &msg)) {\n return ssl_hs_read_message;\n }\n\n if (!ssl_check_message_type(ssl, msg, SSL3_MT_CLIENT_HELLO)) {\n return ssl_hs_error;\n }\n\n SSL_CLIENT_HELLO client_hello;\n if (!ssl_client_hello_init(ssl, &client_hello, msg.body)) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);\n return ssl_hs_error;\n }\n\n // ClientHello should be the end of the flight. We check this early to cover\n // all protocol versions.\n if (ssl->method->has_unprocessed_handshake_data(ssl)) {\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);\n OPENSSL_PUT_ERROR(SSL, SSL_R_EXCESS_HANDSHAKE_DATA);\n return ssl_hs_error;\n }\n\n if (hs->config->handoff) {\n return ssl_hs_handoff;\n }\n\n uint8_t alert = SSL_AD_DECODE_ERROR;\n // We check for rejection status in case we've rewound the state machine after\n // determining `ClientHelloInner` is invalid.\n if (ssl->s3->ech_status != ssl_ech_rejected &&\n !decrypt_ech(hs, &alert, &client_hello)) {\n ssl_send_alert(ssl, SSL3_AL_FATAL, alert);\n return ssl_hs_error;\n }\n\n // ECH may have changed which ClientHello we process. Update |msg| and\n // |client_hello| in case.\n if (!hs->GetClientHello(&msg, &client_hello)) {\n OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);\n return ssl_hs_error;\n }\n\n if (!extract_sni(hs, &alert, &client_hello)) {\n ssl_send_alert(ssl, SSL3_AL_FATAL, alert);\n return ssl_hs_error;\n }\n\n hs->state = state12_read_client_hello_after_ech;\n return ssl_hs_ok;\n}\n\nstatic enum ssl_hs_wait_t do_read_client_hello_after_ech(SSL_HANDSHAKE *hs) {\n SSL *const ssl = hs->ssl;\n\n SSLMessage msg_unused;\n SSL_CLIENT_HELLO client_hello;\n if (!hs->GetClientHello(&msg_unused, &client_hello)) {\n return ssl_hs_error;\n }\n\n // Run the early callback.\n if (ssl->ctx->select_certificate_cb != NULL) {\n switch (ssl->ctx->select_certificate_cb(&client_hello)) {\n case ssl_select_cert_retry:\n return ssl_hs_certificate_selection_pending;\n\n case ssl_select_cert_disable_ech:\n hs->ech_client_hello_buf.Reset();\n hs->ech_keys = nullptr;\n hs->state = state12_read_client_hello;\n ssl->s3->ech_status = ssl_ech_rejected;\n return ssl_hs_ok;\n\n case ssl_select_cert_error:\n // Connection rejected.\n OPENSSL_PUT_ERROR(SSL, SSL_R_CONNECTION_REJECTED);\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);\n return ssl_hs_error;\n\n default:\n /* fallthrough */;\n }\n }\n\n // Freeze the version range after the early callback.\n if (!ssl_get_version_range(hs, &hs->min_version, &hs->max_version)) {\n return ssl_hs_error;\n }\n\n if (hs->config->jdk11_workaround &&\n is_probably_jdk11_with_tls13(&client_hello)) {\n hs->apply_jdk11_workaround = true;\n }\n\n uint8_t alert = SSL_AD_DECODE_ERROR;\n if (!negotiate_version(hs, &alert, &client_hello)) {\n ssl_send_alert(ssl, SSL3_AL_FATAL, alert);\n return ssl_hs_error;\n }\n\n hs->client_version = client_hello.version;\n if (client_hello.random_len != SSL3_RANDOM_SIZE) {\n OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);\n return ssl_hs_error;\n }\n OPENSSL_memcpy(ssl->s3->client_random, client_hello.random,\n client_hello.random_len);\n\n // Only null compression is supported. TLS 1.3 further requires the peer\n // advertise no other compression.\n if (OPENSSL_memchr(client_hello.compression_methods, 0,\n client_hello.compression_methods_len) == NULL ||\n (ssl_protocol_version(ssl) >= TLS1_3_VERSION &&\n client_hello.compression_methods_len != 1)) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_COMPRESSION_LIST);\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);\n return ssl_hs_error;\n }\n\n // TLS extensions.\n if (!ssl_parse_clienthello_tlsext(hs, &client_hello)) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_PARSE_TLSEXT);\n return ssl_hs_error;\n }\n\n hs->state = state12_cert_callback;\n return ssl_hs_ok;\n}\n\nstatic enum ssl_hs_wait_t do_cert_callback(SSL_HANDSHAKE *hs) {\n SSL *const ssl = hs->ssl;\n\n // Call |cert_cb| to update server certificates if required.\n if (hs->config->cert->cert_cb != NULL) {\n int rv = hs->config->cert->cert_cb(ssl, hs->config->cert->cert_cb_arg);\n if (rv == 0) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_CERT_CB_ERROR);\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);\n return ssl_hs_error;\n }\n if (rv < 0) {\n return ssl_hs_x509_lookup;\n }\n }\n\n if (hs->ocsp_stapling_requested &&\n ssl->ctx->legacy_ocsp_callback != nullptr) {\n switch (ssl->ctx->legacy_ocsp_callback(\n ssl, ssl->ctx->legacy_ocsp_callback_arg)) {\n case SSL_TLSEXT_ERR_OK:\n break;\n case SSL_TLSEXT_ERR_NOACK:\n hs->ocsp_stapling_requested = false;\n break;\n default:\n OPENSSL_PUT_ERROR(SSL, SSL_R_OCSP_CB_ERROR);\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);\n return ssl_hs_error;\n }\n }\n\n if (ssl_protocol_version(ssl) >= TLS1_3_VERSION) {\n // Jump to the TLS 1.3 state machine.\n hs->state = state12_tls13;\n return ssl_hs_ok;\n }\n\n // It should not be possible to negotiate TLS 1.2 with ECH. The\n // ClientHelloInner decoding function rejects ClientHellos which offer TLS 1.2\n // or below.\n assert(ssl->s3->ech_status != ssl_ech_accepted);\n\n ssl->s3->early_data_reason = ssl_early_data_protocol_version;\n\n hs->state = state12_select_parameters;\n return ssl_hs_ok;\n}\n\nstatic enum ssl_hs_wait_t do_tls13(SSL_HANDSHAKE *hs) {\n enum ssl_hs_wait_t wait = tls13_server_handshake(hs);\n if (wait == ssl_hs_ok) {\n hs->state = state12_finish_server_handshake;\n return ssl_hs_ok;\n }\n\n return wait;\n}\n\nstatic enum ssl_hs_wait_t do_select_parameters(SSL_HANDSHAKE *hs) {\n SSL *const ssl = hs->ssl;\n SSLMessage msg;\n SSL_CLIENT_HELLO client_hello;\n if (!hs->GetClientHello(&msg, &client_hello)) {\n return ssl_hs_error;\n }\n\n // Determine the ECDHE group to use, if we are to use ECDHE.\n uint16_t group_id = 0;\n bool has_ecdhe_group = tls1_get_shared_group(hs, &group_id);\n\n // Select the credential and cipher suite. This must be done after |cert_cb|\n // runs, so the final credential list is known.\n //\n // TODO(davidben): In the course of picking these, we also pick the ECDHE\n // group and signature algorithm. It would be tidier if we saved that decision\n // and avoided redoing it later.\n UniquePtr client_pref =\n ssl_parse_client_cipher_list(&client_hello);\n if (client_pref == nullptr) {\n return ssl_hs_error;\n }\n Array creds;\n if (!ssl_get_credential_list(hs, &creds)) {\n return ssl_hs_error;\n }\n TLS12ServerParams params;\n if (creds.empty()) {\n // The caller may have configured no credentials, but set a PSK callback.\n params =\n choose_params(hs, /*cred=*/nullptr, client_pref.get(), has_ecdhe_group);\n } else {\n // Select the first credential which works.\n for (SSL_CREDENTIAL *cred : creds) {\n ERR_clear_error();\n params = choose_params(hs, cred, client_pref.get(), has_ecdhe_group);\n if (params.ok()) {\n hs->credential = UpRef(cred);\n break;\n }\n }\n }\n if (!params.ok()) {\n // The error from the last attempt is in the error queue.\n assert(ERR_peek_error() != 0);\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);\n return ssl_hs_error;\n }\n hs->new_cipher = params.cipher;\n hs->signature_algorithm = params.signature_algorithm;\n\n // |ssl_client_hello_init| checks that |client_hello.session_id| is not too\n // large.\n hs->session_id.CopyFrom(\n Span(client_hello.session_id, client_hello.session_id_len));\n\n // Determine whether we are doing session resumption.\n UniquePtr session;\n bool tickets_supported = false, renew_ticket = false;\n enum ssl_hs_wait_t wait = ssl_get_prev_session(\n hs, &session, &tickets_supported, &renew_ticket, &client_hello);\n if (wait != ssl_hs_ok) {\n return wait;\n }\n\n if (session) {\n if (session->extended_master_secret && !hs->extended_master_secret) {\n // A ClientHello without EMS that attempts to resume a session with EMS\n // is fatal to the connection.\n OPENSSL_PUT_ERROR(SSL, SSL_R_RESUMED_EMS_SESSION_WITHOUT_EMS_EXTENSION);\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);\n return ssl_hs_error;\n }\n\n if (!ssl_session_is_resumable(hs, session.get()) ||\n // If the client offers the EMS extension, but the previous session\n // didn't use it, then negotiate a new session.\n hs->extended_master_secret != session->extended_master_secret) {\n session.reset();\n }\n }\n\n if (session) {\n // Use the old session.\n hs->ticket_expected = renew_ticket;\n ssl->session = std::move(session);\n ssl->s3->session_reused = true;\n hs->can_release_private_key = true;\n } else {\n hs->ticket_expected = tickets_supported;\n ssl_set_session(ssl, nullptr);\n if (!ssl_get_new_session(hs)) {\n return ssl_hs_error;\n }\n\n // Assign a session ID if not using session tickets.\n if (!hs->ticket_expected &&\n (ssl->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER)) {\n hs->new_session->session_id.ResizeForOverwrite(\n SSL3_SSL_SESSION_ID_LENGTH);\n RAND_bytes(hs->new_session->session_id.data(),\n hs->new_session->session_id.size());\n }\n }\n\n if (ssl->ctx->dos_protection_cb != NULL &&\n ssl->ctx->dos_protection_cb(&client_hello) == 0) {\n // Connection rejected for DOS reasons.\n OPENSSL_PUT_ERROR(SSL, SSL_R_CONNECTION_REJECTED);\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);\n return ssl_hs_error;\n }\n\n if (ssl->session == NULL) {\n hs->new_session->cipher = hs->new_cipher;\n if (hs->new_session->cipher->algorithm_mkey & SSL_kECDHE) {\n assert(has_ecdhe_group);\n hs->new_session->group_id = group_id;\n }\n\n // Determine whether to request a client certificate.\n hs->cert_request = !!(hs->config->verify_mode & SSL_VERIFY_PEER);\n // Only request a certificate if Channel ID isn't negotiated.\n if ((hs->config->verify_mode & SSL_VERIFY_PEER_IF_NO_OBC) &&\n hs->channel_id_negotiated) {\n hs->cert_request = false;\n }\n // CertificateRequest may only be sent in certificate-based ciphers.\n if (!ssl_cipher_uses_certificate_auth(hs->new_cipher)) {\n hs->cert_request = false;\n }\n\n if (!hs->cert_request) {\n // OpenSSL returns X509_V_OK when no certificates are requested. This is\n // classed by them as a bug, but it's assumed by at least NGINX.\n hs->new_session->verify_result = X509_V_OK;\n }\n }\n\n // HTTP/2 negotiation depends on the cipher suite, so ALPN negotiation was\n // deferred. Complete it now.\n uint8_t alert = SSL_AD_DECODE_ERROR;\n if (!ssl_negotiate_alpn(hs, &alert, &client_hello)) {\n ssl_send_alert(ssl, SSL3_AL_FATAL, alert);\n return ssl_hs_error;\n }\n\n // Now that all parameters are known, initialize the handshake hash and hash\n // the ClientHello.\n if (!hs->transcript.InitHash(ssl_protocol_version(ssl), hs->new_cipher)) {\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);\n return ssl_hs_error;\n }\n\n // Handback includes the whole handshake transcript, so we cannot free the\n // transcript buffer in the handback case.\n if (!hs->cert_request && !hs->handback) {\n hs->transcript.FreeBuffer();\n }\n\n if (!ssl_hash_message(hs, msg)) {\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);\n return ssl_hs_error;\n }\n\n ssl->method->next_message(ssl);\n\n hs->state = state12_send_server_hello;\n return ssl_hs_ok;\n}\n\nstatic void copy_suffix(Span out, Span in) {\n out = out.last(in.size());\n OPENSSL_memcpy(out.data(), in.data(), in.size());\n}\n\nstatic enum ssl_hs_wait_t do_send_server_hello(SSL_HANDSHAKE *hs) {\n SSL *const ssl = hs->ssl;\n\n // We only accept ChannelIDs on connections with ECDHE in order to avoid a\n // known attack while we fix ChannelID itself.\n if (hs->channel_id_negotiated &&\n (hs->new_cipher->algorithm_mkey & SSL_kECDHE) == 0) {\n hs->channel_id_negotiated = false;\n }\n\n // If this is a resumption and the original handshake didn't support\n // ChannelID then we didn't record the original handshake hashes in the\n // session and so cannot resume with ChannelIDs.\n if (ssl->session != nullptr &&\n ssl->session->original_handshake_hash.empty()) {\n hs->channel_id_negotiated = false;\n }\n\n SSL_HANDSHAKE_HINTS *const hints = hs->hints.get();\n if (hints && !hs->hints_requested &&\n hints->server_random_tls12.size() == SSL3_RANDOM_SIZE) {\n OPENSSL_memcpy(ssl->s3->server_random, hints->server_random_tls12.data(),\n SSL3_RANDOM_SIZE);\n } else {\n OPENSSL_timeval now = ssl_ctx_get_current_time(ssl->ctx.get());\n CRYPTO_store_u32_be(ssl->s3->server_random,\n static_cast(now.tv_sec));\n if (!RAND_bytes(ssl->s3->server_random + 4, SSL3_RANDOM_SIZE - 4)) {\n return ssl_hs_error;\n }\n if (hints && hs->hints_requested &&\n !hints->server_random_tls12.CopyFrom(ssl->s3->server_random)) {\n return ssl_hs_error;\n }\n }\n\n // Implement the TLS 1.3 anti-downgrade feature.\n if (hs->max_version >= TLS1_3_VERSION) {\n if (ssl_protocol_version(ssl) == TLS1_2_VERSION) {\n if (hs->apply_jdk11_workaround) {\n // JDK 11 implements the TLS 1.3 downgrade signal, so we cannot send it\n // here. However, the signal is only effective if all TLS 1.2\n // ServerHellos produced by the server are marked. Thus we send a\n // different non-standard signal for the time being, until JDK 11.0.2 is\n // released and clients have updated.\n copy_suffix(ssl->s3->server_random, kJDK11DowngradeRandom);\n } else {\n copy_suffix(ssl->s3->server_random, kTLS13DowngradeRandom);\n }\n } else {\n copy_suffix(ssl->s3->server_random, kTLS12DowngradeRandom);\n }\n }\n\n Span session_id;\n if (ssl->session != nullptr) {\n // Echo the session ID from the ClientHello to indicate resumption.\n session_id = hs->session_id;\n } else {\n session_id = hs->new_session->session_id;\n }\n\n ScopedCBB cbb;\n CBB body, session_id_bytes;\n if (!ssl->method->init_message(ssl, cbb.get(), &body, SSL3_MT_SERVER_HELLO) ||\n !CBB_add_u16(&body, ssl->s3->version) ||\n !CBB_add_bytes(&body, ssl->s3->server_random, SSL3_RANDOM_SIZE) ||\n !CBB_add_u8_length_prefixed(&body, &session_id_bytes) ||\n !CBB_add_bytes(&session_id_bytes, session_id.data(), session_id.size()) ||\n !CBB_add_u16(&body, SSL_CIPHER_get_protocol_id(hs->new_cipher)) ||\n !CBB_add_u8(&body, 0 /* no compression */) ||\n !ssl_add_serverhello_tlsext(hs, &body) ||\n !ssl_add_message_cbb(ssl, cbb.get())) {\n OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);\n return ssl_hs_error;\n }\n\n if (ssl->session != nullptr) {\n // No additional hints to generate in resumption.\n if (hs->hints_requested) {\n return ssl_hs_hints_ready;\n }\n hs->state = state12_send_server_finished;\n } else {\n hs->state = state12_send_server_certificate;\n }\n return ssl_hs_ok;\n}\n\nstatic enum ssl_hs_wait_t do_send_server_certificate(SSL_HANDSHAKE *hs) {\n SSL *const ssl = hs->ssl;\n ScopedCBB cbb;\n\n if (ssl_cipher_uses_certificate_auth(hs->new_cipher)) {\n assert(hs->credential != nullptr);\n if (!ssl_send_tls12_certificate(hs)) {\n return ssl_hs_error;\n }\n\n if (hs->certificate_status_expected) {\n CBB body, ocsp_response;\n if (!ssl->method->init_message(ssl, cbb.get(), &body,\n SSL3_MT_CERTIFICATE_STATUS) ||\n !CBB_add_u8(&body, TLSEXT_STATUSTYPE_ocsp) ||\n !CBB_add_u24_length_prefixed(&body, &ocsp_response) ||\n !CBB_add_bytes(\n &ocsp_response,\n CRYPTO_BUFFER_data(hs->credential->ocsp_response.get()),\n CRYPTO_BUFFER_len(hs->credential->ocsp_response.get())) ||\n !ssl_add_message_cbb(ssl, cbb.get())) {\n OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);\n return ssl_hs_error;\n }\n }\n }\n\n // Assemble ServerKeyExchange parameters if needed.\n uint32_t alg_k = hs->new_cipher->algorithm_mkey;\n uint32_t alg_a = hs->new_cipher->algorithm_auth;\n if (ssl_cipher_requires_server_key_exchange(hs->new_cipher) ||\n ((alg_a & SSL_aPSK) && hs->config->psk_identity_hint)) {\n // Pre-allocate enough room to comfortably fit an ECDHE public key. Prepend\n // the client and server randoms for the signing transcript.\n CBB child;\n if (!CBB_init(cbb.get(), SSL3_RANDOM_SIZE * 2 + 128) ||\n !CBB_add_bytes(cbb.get(), ssl->s3->client_random, SSL3_RANDOM_SIZE) ||\n !CBB_add_bytes(cbb.get(), ssl->s3->server_random, SSL3_RANDOM_SIZE)) {\n return ssl_hs_error;\n }\n\n // PSK ciphers begin with an identity hint.\n if (alg_a & SSL_aPSK) {\n size_t len = hs->config->psk_identity_hint == nullptr\n ? 0\n : strlen(hs->config->psk_identity_hint.get());\n if (!CBB_add_u16_length_prefixed(cbb.get(), &child) ||\n !CBB_add_bytes(&child,\n (const uint8_t *)hs->config->psk_identity_hint.get(),\n len)) {\n return ssl_hs_error;\n }\n }\n\n if (alg_k & SSL_kECDHE) {\n assert(hs->new_session->group_id != 0);\n hs->key_shares[0] = SSLKeyShare::Create(hs->new_session->group_id);\n if (!hs->key_shares[0] || //\n !CBB_add_u8(cbb.get(), NAMED_CURVE_TYPE) || //\n !CBB_add_u16(cbb.get(), hs->new_session->group_id) || //\n !CBB_add_u8_length_prefixed(cbb.get(), &child)) {\n return ssl_hs_error;\n }\n\n SSL_HANDSHAKE_HINTS *const hints = hs->hints.get();\n bool hint_ok = false;\n if (hints && !hs->hints_requested &&\n hints->ecdhe_group_id == hs->new_session->group_id &&\n !hints->ecdhe_public_key.empty() &&\n !hints->ecdhe_private_key.empty()) {\n CBS cbs = CBS(hints->ecdhe_private_key);\n hint_ok = hs->key_shares[0]->DeserializePrivateKey(&cbs);\n }\n if (hint_ok) {\n // Reuse the ECDH key from handshake hints.\n if (!CBB_add_bytes(&child, hints->ecdhe_public_key.data(),\n hints->ecdhe_public_key.size())) {\n return ssl_hs_error;\n }\n } else {\n // Generate a key, and emit the public half.\n if (!hs->key_shares[0]->Generate(&child)) {\n return ssl_hs_error;\n }\n // If generating hints, save the ECDHE key.\n if (hints && hs->hints_requested) {\n bssl::ScopedCBB private_key_cbb;\n if (!hints->ecdhe_public_key.CopyFrom(\n Span(CBB_data(&child), CBB_len(&child))) ||\n !CBB_init(private_key_cbb.get(), 32) ||\n !hs->key_shares[0]->SerializePrivateKey(private_key_cbb.get()) ||\n !CBBFinishArray(private_key_cbb.get(),\n &hints->ecdhe_private_key)) {\n return ssl_hs_error;\n }\n hints->ecdhe_group_id = hs->new_session->group_id;\n }\n }\n } else {\n assert(alg_k & SSL_kPSK);\n }\n\n if (!CBBFinishArray(cbb.get(), &hs->server_params)) {\n return ssl_hs_error;\n }\n }\n\n hs->state = state12_send_server_key_exchange;\n return ssl_hs_ok;\n}\n\nstatic enum ssl_hs_wait_t do_send_server_key_exchange(SSL_HANDSHAKE *hs) {\n SSL *const ssl = hs->ssl;\n\n if (hs->server_params.size() == 0) {\n hs->state = state12_send_server_hello_done;\n return ssl_hs_ok;\n }\n\n ScopedCBB cbb;\n CBB body, child;\n if (!ssl->method->init_message(ssl, cbb.get(), &body,\n SSL3_MT_SERVER_KEY_EXCHANGE) ||\n // |hs->server_params| contains a prefix for signing.\n hs->server_params.size() < 2 * SSL3_RANDOM_SIZE ||\n !CBB_add_bytes(&body, hs->server_params.data() + 2 * SSL3_RANDOM_SIZE,\n hs->server_params.size() - 2 * SSL3_RANDOM_SIZE)) {\n return ssl_hs_error;\n }\n\n // Add a signature.\n if (ssl_cipher_uses_certificate_auth(hs->new_cipher)) {\n // Determine the signature algorithm.\n uint16_t signature_algorithm;\n if (!tls1_choose_signature_algorithm(hs, hs->credential.get(),\n &signature_algorithm)) {\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);\n return ssl_hs_error;\n }\n if (ssl_protocol_version(ssl) >= TLS1_2_VERSION) {\n if (!CBB_add_u16(&body, signature_algorithm)) {\n OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);\n return ssl_hs_error;\n }\n }\n\n // Add space for the signature.\n const size_t max_sig_len = EVP_PKEY_size(hs->credential->pubkey.get());\n uint8_t *ptr;\n if (!CBB_add_u16_length_prefixed(&body, &child) ||\n !CBB_reserve(&child, &ptr, max_sig_len)) {\n return ssl_hs_error;\n }\n\n size_t sig_len;\n switch (ssl_private_key_sign(hs, ptr, &sig_len, max_sig_len,\n signature_algorithm, hs->server_params)) {\n case ssl_private_key_success:\n if (!CBB_did_write(&child, sig_len)) {\n return ssl_hs_error;\n }\n break;\n case ssl_private_key_failure:\n return ssl_hs_error;\n case ssl_private_key_retry:\n return ssl_hs_private_key_operation;\n }\n }\n\n hs->can_release_private_key = true;\n if (!ssl_add_message_cbb(ssl, cbb.get())) {\n return ssl_hs_error;\n }\n\n hs->server_params.Reset();\n\n hs->state = state12_send_server_hello_done;\n return ssl_hs_ok;\n}\n\nstatic enum ssl_hs_wait_t do_send_server_hello_done(SSL_HANDSHAKE *hs) {\n SSL *const ssl = hs->ssl;\n if (hs->hints_requested) {\n return ssl_hs_hints_ready;\n }\n\n ScopedCBB cbb;\n CBB body;\n\n if (hs->cert_request) {\n CBB cert_types, sigalgs_cbb;\n if (!ssl->method->init_message(ssl, cbb.get(), &body,\n SSL3_MT_CERTIFICATE_REQUEST) ||\n !CBB_add_u8_length_prefixed(&body, &cert_types) ||\n !CBB_add_u8(&cert_types, SSL3_CT_RSA_SIGN) ||\n !CBB_add_u8(&cert_types, TLS_CT_ECDSA_SIGN) ||\n (ssl_protocol_version(ssl) >= TLS1_2_VERSION &&\n (!CBB_add_u16_length_prefixed(&body, &sigalgs_cbb) ||\n !tls12_add_verify_sigalgs(hs, &sigalgs_cbb))) ||\n !ssl_add_client_CA_list(hs, &body) ||\n !ssl_add_message_cbb(ssl, cbb.get())) {\n OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);\n return ssl_hs_error;\n }\n }\n\n if (!ssl->method->init_message(ssl, cbb.get(), &body,\n SSL3_MT_SERVER_HELLO_DONE) ||\n !ssl_add_message_cbb(ssl, cbb.get())) {\n OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);\n return ssl_hs_error;\n }\n\n hs->state = state12_read_client_certificate;\n return ssl_hs_flush;\n}\n\nstatic enum ssl_hs_wait_t do_read_client_certificate(SSL_HANDSHAKE *hs) {\n SSL *const ssl = hs->ssl;\n\n if (hs->handback && hs->new_cipher->algorithm_mkey == SSL_kECDHE) {\n return ssl_hs_handback;\n }\n if (!hs->cert_request) {\n hs->state = state12_verify_client_certificate;\n return ssl_hs_ok;\n }\n\n SSLMessage msg;\n if (!ssl->method->get_message(ssl, &msg)) {\n return ssl_hs_read_message;\n }\n\n if (!ssl_check_message_type(ssl, msg, SSL3_MT_CERTIFICATE)) {\n return ssl_hs_error;\n }\n\n if (!ssl_hash_message(hs, msg)) {\n return ssl_hs_error;\n }\n\n CBS certificate_msg = msg.body;\n uint8_t alert = SSL_AD_DECODE_ERROR;\n if (!ssl_parse_cert_chain(&alert, &hs->new_session->certs, &hs->peer_pubkey,\n hs->config->retain_only_sha256_of_client_certs\n ? hs->new_session->peer_sha256\n : nullptr,\n &certificate_msg, ssl->ctx->pool)) {\n ssl_send_alert(ssl, SSL3_AL_FATAL, alert);\n return ssl_hs_error;\n }\n\n if (CBS_len(&certificate_msg) != 0 ||\n !ssl->ctx->x509_method->session_cache_objects(hs->new_session.get())) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);\n return ssl_hs_error;\n }\n\n if (sk_CRYPTO_BUFFER_num(hs->new_session->certs.get()) == 0) {\n // No client certificate so the handshake buffer may be discarded.\n hs->transcript.FreeBuffer();\n\n if (hs->config->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT) {\n // Fail for TLS only if we required a certificate\n OPENSSL_PUT_ERROR(SSL, SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);\n return ssl_hs_error;\n }\n\n // OpenSSL returns X509_V_OK when no certificates are received. This is\n // classed by them as a bug, but it's assumed by at least NGINX.\n hs->new_session->verify_result = X509_V_OK;\n } else if (hs->config->retain_only_sha256_of_client_certs) {\n // The hash will have been filled in.\n hs->new_session->peer_sha256_valid = true;\n }\n\n ssl->method->next_message(ssl);\n hs->state = state12_verify_client_certificate;\n return ssl_hs_ok;\n}\n\nstatic enum ssl_hs_wait_t do_verify_client_certificate(SSL_HANDSHAKE *hs) {\n if (sk_CRYPTO_BUFFER_num(hs->new_session->certs.get()) > 0) {\n switch (ssl_verify_peer_cert(hs)) {\n case ssl_verify_ok:\n break;\n case ssl_verify_invalid:\n return ssl_hs_error;\n case ssl_verify_retry:\n return ssl_hs_certificate_verify;\n }\n }\n\n hs->state = state12_read_client_key_exchange;\n return ssl_hs_ok;\n}\n\nstatic enum ssl_hs_wait_t do_read_client_key_exchange(SSL_HANDSHAKE *hs) {\n SSL *const ssl = hs->ssl;\n SSLMessage msg;\n if (!ssl->method->get_message(ssl, &msg)) {\n return ssl_hs_read_message;\n }\n\n if (!ssl_check_message_type(ssl, msg, SSL3_MT_CLIENT_KEY_EXCHANGE)) {\n return ssl_hs_error;\n }\n\n CBS client_key_exchange = msg.body;\n uint32_t alg_k = hs->new_cipher->algorithm_mkey;\n uint32_t alg_a = hs->new_cipher->algorithm_auth;\n\n // If using a PSK key exchange, parse the PSK identity.\n if (alg_a & SSL_aPSK) {\n CBS psk_identity;\n\n // If using PSK, the ClientKeyExchange contains a psk_identity. If PSK,\n // then this is the only field in the message.\n if (!CBS_get_u16_length_prefixed(&client_key_exchange, &psk_identity) ||\n ((alg_k & SSL_kPSK) && CBS_len(&client_key_exchange) != 0)) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);\n return ssl_hs_error;\n }\n\n if (CBS_len(&psk_identity) > PSK_MAX_IDENTITY_LEN ||\n CBS_contains_zero_byte(&psk_identity)) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_DATA_LENGTH_TOO_LONG);\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);\n return ssl_hs_error;\n }\n char *raw = nullptr;\n if (!CBS_strdup(&psk_identity, &raw)) {\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);\n return ssl_hs_error;\n }\n hs->new_session->psk_identity.reset(raw);\n }\n\n // Depending on the key exchange method, compute |premaster_secret|.\n Array premaster_secret;\n if (alg_k & SSL_kRSA) {\n CBS encrypted_premaster_secret;\n if (!CBS_get_u16_length_prefixed(&client_key_exchange,\n &encrypted_premaster_secret) ||\n CBS_len(&client_key_exchange) != 0) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);\n return ssl_hs_error;\n }\n\n // Allocate a buffer large enough for an RSA decryption.\n Array decrypt_buf;\n if (!decrypt_buf.InitForOverwrite(\n EVP_PKEY_size(hs->credential->pubkey.get()))) {\n return ssl_hs_error;\n }\n\n // Decrypt with no padding. PKCS#1 padding will be removed as part of the\n // timing-sensitive code below.\n size_t decrypt_len;\n switch (ssl_private_key_decrypt(hs, decrypt_buf.data(), &decrypt_len,\n decrypt_buf.size(),\n encrypted_premaster_secret)) {\n case ssl_private_key_success:\n break;\n case ssl_private_key_failure:\n return ssl_hs_error;\n case ssl_private_key_retry:\n return ssl_hs_private_key_operation;\n }\n\n if (decrypt_len != decrypt_buf.size()) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_DECRYPTION_FAILED);\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECRYPT_ERROR);\n return ssl_hs_error;\n }\n\n CONSTTIME_SECRET(decrypt_buf.data(), decrypt_len);\n\n // Prepare a random premaster, to be used on invalid padding. See RFC 5246,\n // section 7.4.7.1.\n if (!premaster_secret.InitForOverwrite(SSL_MAX_MASTER_KEY_LENGTH) ||\n !RAND_bytes(premaster_secret.data(), premaster_secret.size())) {\n return ssl_hs_error;\n }\n\n // The smallest padded premaster is 11 bytes of overhead. Small keys are\n // publicly invalid.\n if (decrypt_len < 11 + premaster_secret.size()) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_DECRYPTION_FAILED);\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECRYPT_ERROR);\n return ssl_hs_error;\n }\n\n // Check the padding. See RFC 3447, section 7.2.2.\n size_t padding_len = decrypt_len - premaster_secret.size();\n uint8_t good = constant_time_eq_int_8(decrypt_buf[0], 0) &\n constant_time_eq_int_8(decrypt_buf[1], 2);\n for (size_t i = 2; i < padding_len - 1; i++) {\n good &= ~constant_time_is_zero_8(decrypt_buf[i]);\n }\n good &= constant_time_is_zero_8(decrypt_buf[padding_len - 1]);\n\n // The premaster secret must begin with |client_version|. This too must be\n // checked in constant time (http://eprint.iacr.org/2003/052/).\n good &= constant_time_eq_8(decrypt_buf[padding_len],\n (unsigned)(hs->client_version >> 8));\n good &= constant_time_eq_8(decrypt_buf[padding_len + 1],\n (unsigned)(hs->client_version & 0xff));\n\n // Select, in constant time, either the decrypted premaster or the random\n // premaster based on |good|.\n for (size_t i = 0; i < premaster_secret.size(); i++) {\n premaster_secret[i] = constant_time_select_8(\n good, decrypt_buf[padding_len + i], premaster_secret[i]);\n }\n } else if (alg_k & SSL_kECDHE) {\n // Parse the ClientKeyExchange.\n CBS ciphertext;\n if (!CBS_get_u8_length_prefixed(&client_key_exchange, &ciphertext) ||\n CBS_len(&client_key_exchange) != 0) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);\n return ssl_hs_error;\n }\n\n // Decapsulate the premaster secret.\n uint8_t alert = SSL_AD_DECODE_ERROR;\n if (!hs->key_shares[0]->Decap(&premaster_secret, &alert, ciphertext)) {\n ssl_send_alert(ssl, SSL3_AL_FATAL, alert);\n return ssl_hs_error;\n }\n\n // The key exchange state may now be discarded.\n hs->key_shares[0].reset();\n hs->key_shares[1].reset();\n } else if (!(alg_k & SSL_kPSK)) {\n OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);\n return ssl_hs_error;\n }\n\n // For a PSK cipher suite, the actual pre-master secret is combined with the\n // pre-shared key.\n if (alg_a & SSL_aPSK) {\n if (hs->config->psk_server_callback == NULL) {\n OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);\n return ssl_hs_error;\n }\n\n // Look up the key for the identity.\n uint8_t psk[PSK_MAX_PSK_LEN];\n unsigned psk_len = hs->config->psk_server_callback(\n ssl, hs->new_session->psk_identity.get(), psk, sizeof(psk));\n if (psk_len > PSK_MAX_PSK_LEN) {\n OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);\n return ssl_hs_error;\n } else if (psk_len == 0) {\n // PSK related to the given identity not found.\n OPENSSL_PUT_ERROR(SSL, SSL_R_PSK_IDENTITY_NOT_FOUND);\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNKNOWN_PSK_IDENTITY);\n return ssl_hs_error;\n }\n\n if (alg_k & SSL_kPSK) {\n // In plain PSK, other_secret is a block of 0s with the same length as the\n // pre-shared key.\n if (!premaster_secret.Init(psk_len)) {\n return ssl_hs_error;\n }\n }\n\n ScopedCBB new_premaster;\n CBB child;\n if (!CBB_init(new_premaster.get(),\n 2 + psk_len + 2 + premaster_secret.size()) ||\n !CBB_add_u16_length_prefixed(new_premaster.get(), &child) ||\n !CBB_add_bytes(&child, premaster_secret.data(),\n premaster_secret.size()) ||\n !CBB_add_u16_length_prefixed(new_premaster.get(), &child) ||\n !CBB_add_bytes(&child, psk, psk_len) ||\n !CBBFinishArray(new_premaster.get(), &premaster_secret)) {\n return ssl_hs_error;\n }\n }\n\n if (!ssl_hash_message(hs, msg)) {\n return ssl_hs_error;\n }\n\n // Compute the master secret.\n hs->new_session->secret.ResizeForOverwrite(SSL3_MASTER_SECRET_SIZE);\n if (!tls1_generate_master_secret(hs, Span(hs->new_session->secret),\n premaster_secret)) {\n return ssl_hs_error;\n }\n hs->new_session->extended_master_secret = hs->extended_master_secret;\n // Declassify the secret to undo the RSA decryption validation above. We are\n // not currently running most of the TLS library with constant-time\n // validation.\n // TODO(crbug.com/42290551): Remove this and cover the TLS library too.\n CONSTTIME_DECLASSIFY(hs->new_session->secret.data(),\n hs->new_session->secret.size());\n hs->can_release_private_key = true;\n\n ssl->method->next_message(ssl);\n hs->state = state12_read_client_certificate_verify;\n return ssl_hs_ok;\n}\n\nstatic enum ssl_hs_wait_t do_read_client_certificate_verify(SSL_HANDSHAKE *hs) {\n SSL *const ssl = hs->ssl;\n\n // Only RSA and ECDSA client certificates are supported, so a\n // CertificateVerify is required if and only if there's a client certificate.\n if (!hs->peer_pubkey) {\n hs->transcript.FreeBuffer();\n hs->state = state12_read_change_cipher_spec;\n return ssl_hs_ok;\n }\n\n SSLMessage msg;\n if (!ssl->method->get_message(ssl, &msg)) {\n return ssl_hs_read_message;\n }\n\n if (!ssl_check_message_type(ssl, msg, SSL3_MT_CERTIFICATE_VERIFY)) {\n return ssl_hs_error;\n }\n\n // The peer certificate must be valid for signing.\n const CRYPTO_BUFFER *leaf =\n sk_CRYPTO_BUFFER_value(hs->new_session->certs.get(), 0);\n CBS leaf_cbs;\n CRYPTO_BUFFER_init_CBS(leaf, &leaf_cbs);\n if (!ssl_cert_check_key_usage(&leaf_cbs, key_usage_digital_signature)) {\n return ssl_hs_error;\n }\n\n CBS certificate_verify = msg.body, signature;\n\n // Determine the signature algorithm.\n uint16_t signature_algorithm = 0;\n if (ssl_protocol_version(ssl) >= TLS1_2_VERSION) {\n if (!CBS_get_u16(&certificate_verify, &signature_algorithm)) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);\n return ssl_hs_error;\n }\n uint8_t alert = SSL_AD_DECODE_ERROR;\n if (!tls12_check_peer_sigalg(hs, &alert, signature_algorithm,\n hs->peer_pubkey.get())) {\n ssl_send_alert(ssl, SSL3_AL_FATAL, alert);\n return ssl_hs_error;\n }\n hs->new_session->peer_signature_algorithm = signature_algorithm;\n } else if (!tls1_get_legacy_signature_algorithm(&signature_algorithm,\n hs->peer_pubkey.get())) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE);\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNSUPPORTED_CERTIFICATE);\n return ssl_hs_error;\n }\n\n // Parse and verify the signature.\n if (!CBS_get_u16_length_prefixed(&certificate_verify, &signature) ||\n CBS_len(&certificate_verify) != 0) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);\n return ssl_hs_error;\n }\n\n if (!ssl_public_key_verify(ssl, signature, signature_algorithm,\n hs->peer_pubkey.get(), hs->transcript.buffer())) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_SIGNATURE);\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECRYPT_ERROR);\n return ssl_hs_error;\n }\n\n // The handshake buffer is no longer necessary, and we may hash the current\n // message.\n hs->transcript.FreeBuffer();\n if (!ssl_hash_message(hs, msg)) {\n return ssl_hs_error;\n }\n\n ssl->method->next_message(ssl);\n hs->state = state12_read_change_cipher_spec;\n return ssl_hs_ok;\n}\n\nstatic enum ssl_hs_wait_t do_read_change_cipher_spec(SSL_HANDSHAKE *hs) {\n if (hs->handback && hs->ssl->session != NULL) {\n return ssl_hs_handback;\n }\n hs->state = state12_process_change_cipher_spec;\n return ssl_hs_read_change_cipher_spec;\n}\n\nstatic enum ssl_hs_wait_t do_process_change_cipher_spec(SSL_HANDSHAKE *hs) {\n if (!tls1_change_cipher_state(hs, evp_aead_open)) {\n return ssl_hs_error;\n }\n\n hs->state = state12_read_next_proto;\n return ssl_hs_ok;\n}\n\nstatic enum ssl_hs_wait_t do_read_next_proto(SSL_HANDSHAKE *hs) {\n SSL *const ssl = hs->ssl;\n\n if (!hs->next_proto_neg_seen) {\n hs->state = state12_read_channel_id;\n return ssl_hs_ok;\n }\n\n SSLMessage msg;\n if (!ssl->method->get_message(ssl, &msg)) {\n return ssl_hs_read_message;\n }\n\n if (!ssl_check_message_type(ssl, msg, SSL3_MT_NEXT_PROTO) ||\n !ssl_hash_message(hs, msg)) {\n return ssl_hs_error;\n }\n\n CBS next_protocol = msg.body, selected_protocol, padding;\n if (!CBS_get_u8_length_prefixed(&next_protocol, &selected_protocol) ||\n !CBS_get_u8_length_prefixed(&next_protocol, &padding) ||\n CBS_len(&next_protocol) != 0) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);\n return ssl_hs_error;\n }\n\n if (!ssl->s3->next_proto_negotiated.CopyFrom(selected_protocol)) {\n return ssl_hs_error;\n }\n\n ssl->method->next_message(ssl);\n hs->state = state12_read_channel_id;\n return ssl_hs_ok;\n}\n\nstatic enum ssl_hs_wait_t do_read_channel_id(SSL_HANDSHAKE *hs) {\n SSL *const ssl = hs->ssl;\n\n if (!hs->channel_id_negotiated) {\n hs->state = state12_read_client_finished;\n return ssl_hs_ok;\n }\n\n SSLMessage msg;\n if (!ssl->method->get_message(ssl, &msg)) {\n return ssl_hs_read_message;\n }\n\n if (!ssl_check_message_type(ssl, msg, SSL3_MT_CHANNEL_ID) ||\n !tls1_verify_channel_id(hs, msg) || //\n !ssl_hash_message(hs, msg)) {\n return ssl_hs_error;\n }\n\n ssl->method->next_message(ssl);\n hs->state = state12_read_client_finished;\n return ssl_hs_ok;\n}\n\nstatic enum ssl_hs_wait_t do_read_client_finished(SSL_HANDSHAKE *hs) {\n SSL *const ssl = hs->ssl;\n enum ssl_hs_wait_t wait = ssl_get_finished(hs);\n if (wait != ssl_hs_ok) {\n return wait;\n }\n\n if (ssl->session != NULL) {\n hs->state = state12_finish_server_handshake;\n } else {\n hs->state = state12_send_server_finished;\n }\n\n // If this is a full handshake with ChannelID then record the handshake\n // hashes in |hs->new_session| in case we need them to verify a\n // ChannelID signature on a resumption of this session in the future.\n if (ssl->session == NULL && ssl->s3->channel_id_valid &&\n !tls1_record_handshake_hashes_for_channel_id(hs)) {\n return ssl_hs_error;\n }\n\n return ssl_hs_ok;\n}\n\nstatic enum ssl_hs_wait_t do_send_server_finished(SSL_HANDSHAKE *hs) {\n SSL *const ssl = hs->ssl;\n\n if (hs->ticket_expected) {\n const SSL_SESSION *session;\n UniquePtr session_copy;\n if (ssl->session == NULL) {\n // Fix the timeout to measure from the ticket issuance time.\n ssl_session_rebase_time(ssl, hs->new_session.get());\n session = hs->new_session.get();\n } else {\n // We are renewing an existing session. Duplicate the session to adjust\n // the timeout.\n session_copy =\n SSL_SESSION_dup(ssl->session.get(), SSL_SESSION_INCLUDE_NONAUTH);\n if (!session_copy) {\n return ssl_hs_error;\n }\n\n ssl_session_rebase_time(ssl, session_copy.get());\n session = session_copy.get();\n }\n\n ScopedCBB cbb;\n CBB body, ticket;\n if (!ssl->method->init_message(ssl, cbb.get(), &body,\n SSL3_MT_NEW_SESSION_TICKET) ||\n !CBB_add_u32(&body, session->timeout) ||\n !CBB_add_u16_length_prefixed(&body, &ticket) ||\n !ssl_encrypt_ticket(hs, &ticket, session) ||\n // |ticket| may be empty to skip sending a ticket. In TLS 1.2, servers\n // skip sending tickets by sending empty NewSessionTicket, so no special\n // handling is needed.\n !ssl_add_message_cbb(ssl, cbb.get())) {\n return ssl_hs_error;\n }\n }\n\n if (!ssl->method->add_change_cipher_spec(ssl) || //\n !tls1_change_cipher_state(hs, evp_aead_seal) || //\n !ssl_send_finished(hs)) {\n return ssl_hs_error;\n }\n\n if (ssl->session != NULL) {\n hs->state = state12_read_change_cipher_spec;\n } else {\n hs->state = state12_finish_server_handshake;\n }\n return ssl_hs_flush;\n}\n\nstatic enum ssl_hs_wait_t do_finish_server_handshake(SSL_HANDSHAKE *hs) {\n SSL *const ssl = hs->ssl;\n\n if (hs->handback) {\n return ssl_hs_handback;\n }\n\n ssl->method->on_handshake_complete(ssl);\n\n // If we aren't retaining peer certificates then we can discard it now.\n if (hs->new_session != NULL &&\n hs->config->retain_only_sha256_of_client_certs) {\n hs->new_session->certs.reset();\n ssl->ctx->x509_method->session_clear(hs->new_session.get());\n }\n\n bool has_new_session = hs->new_session != nullptr;\n if (has_new_session) {\n assert(ssl->session == nullptr);\n ssl->s3->established_session = std::move(hs->new_session);\n ssl->s3->established_session->not_resumable = false;\n } else {\n assert(ssl->session != nullptr);\n ssl->s3->established_session = UpRef(ssl->session);\n }\n\n hs->handshake_finalized = true;\n ssl->s3->initial_handshake_complete = true;\n if (has_new_session) {\n ssl_update_cache(ssl);\n }\n\n hs->state = state12_done;\n return ssl_hs_ok;\n}\n\nenum ssl_hs_wait_t ssl_server_handshake(SSL_HANDSHAKE *hs) {\n while (hs->state != state12_done) {\n enum ssl_hs_wait_t ret = ssl_hs_error;\n enum tls12_server_hs_state_t state =\n static_cast(hs->state);\n switch (state) {\n case state12_start_accept:\n ret = do_start_accept(hs);\n break;\n case state12_read_client_hello:\n ret = do_read_client_hello(hs);\n break;\n case state12_read_client_hello_after_ech:\n ret = do_read_client_hello_after_ech(hs);\n break;\n case state12_cert_callback:\n ret = do_cert_callback(hs);\n break;\n case state12_tls13:\n ret = do_tls13(hs);\n break;\n case state12_select_parameters:\n ret = do_select_parameters(hs);\n break;\n case state12_send_server_hello:\n ret = do_send_server_hello(hs);\n break;\n case state12_send_server_certificate:\n ret = do_send_server_certificate(hs);\n break;\n case state12_send_server_key_exchange:\n ret = do_send_server_key_exchange(hs);\n break;\n case state12_send_server_hello_done:\n ret = do_send_server_hello_done(hs);\n break;\n case state12_read_client_certificate:\n ret = do_read_client_certificate(hs);\n break;\n case state12_verify_client_certificate:\n ret = do_verify_client_certificate(hs);\n break;\n case state12_read_client_key_exchange:\n ret = do_read_client_key_exchange(hs);\n break;\n case state12_read_client_certificate_verify:\n ret = do_read_client_certificate_verify(hs);\n break;\n case state12_read_change_cipher_spec:\n ret = do_read_change_cipher_spec(hs);\n break;\n case state12_process_change_cipher_spec:\n ret = do_process_change_cipher_spec(hs);\n break;\n case state12_read_next_proto:\n ret = do_read_next_proto(hs);\n break;\n case state12_read_channel_id:\n ret = do_read_channel_id(hs);\n break;\n case state12_read_client_finished:\n ret = do_read_client_finished(hs);\n break;\n case state12_send_server_finished:\n ret = do_send_server_finished(hs);\n break;\n case state12_finish_server_handshake:\n ret = do_finish_server_handshake(hs);\n break;\n case state12_done:\n ret = ssl_hs_ok;\n break;\n }\n\n if (hs->state != state) {\n ssl_do_info_callback(hs->ssl, SSL_CB_ACCEPT_LOOP, 1);\n }\n\n if (ret != ssl_hs_ok) {\n return ret;\n }\n }\n\n ssl_do_info_callback(hs->ssl, SSL_CB_HANDSHAKE_DONE, 1);\n return ssl_hs_ok;\n}\n\nconst char *ssl_server_handshake_state(SSL_HANDSHAKE *hs) {\n enum tls12_server_hs_state_t state =\n static_cast(hs->state);\n switch (state) {\n case state12_start_accept:\n return \"TLS server start_accept\";\n case state12_read_client_hello:\n return \"TLS server read_client_hello\";\n case state12_read_client_hello_after_ech:\n return \"TLS server read_client_hello_after_ech\";\n case state12_cert_callback:\n return \"TLS server cert_callback\";\n case state12_tls13:\n return tls13_server_handshake_state(hs);\n case state12_select_parameters:\n return \"TLS server select_parameters\";\n case state12_send_server_hello:\n return \"TLS server send_server_hello\";\n case state12_send_server_certificate:\n return \"TLS server send_server_certificate\";\n case state12_send_server_key_exchange:\n return \"TLS server send_server_key_exchange\";\n case state12_send_server_hello_done:\n return \"TLS server send_server_hello_done\";\n case state12_read_client_certificate:\n return \"TLS server read_client_certificate\";\n case state12_verify_client_certificate:\n return \"TLS server verify_client_certificate\";\n case state12_read_client_key_exchange:\n return \"TLS server read_client_key_exchange\";\n case state12_read_client_certificate_verify:\n return \"TLS server read_client_certificate_verify\";\n case state12_read_change_cipher_spec:\n return \"TLS server read_change_cipher_spec\";\n case state12_process_change_cipher_spec:\n return \"TLS server process_change_cipher_spec\";\n case state12_read_next_proto:\n return \"TLS server read_next_proto\";\n case state12_read_channel_id:\n return \"TLS server read_channel_id\";\n case state12_read_client_finished:\n return \"TLS server read_client_finished\";\n case state12_send_server_finished:\n return \"TLS server send_server_finished\";\n case state12_finish_server_handshake:\n return \"TLS server finish_server_handshake\";\n case state12_done:\n return \"TLS server done\";\n }\n\n return \"TLS server unknown\";\n}\n\nBSSL_NAMESPACE_END\n" }, { "path": "Sources/CNIOBoringSSL/ssl/internal.h", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved.\n * Copyright 2005 Nokia. All rights reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#ifndef OPENSSL_HEADER_SSL_INTERNAL_H\n#define OPENSSL_HEADER_SSL_INTERNAL_H\n\n#include \n\n#include \n\n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n\n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n\n#include \"../crypto/err/internal.h\"\n#include \"../crypto/internal.h\"\n#include \"../crypto/lhash/internal.h\"\n\n\n#if defined(OPENSSL_WINDOWS)\n// Windows defines struct timeval in winsock2.h.\nOPENSSL_MSVC_PRAGMA(warning(push, 3))\n#include \nOPENSSL_MSVC_PRAGMA(warning(pop))\n#else\n#include \n#endif\n\n\nBSSL_NAMESPACE_BEGIN\n\nstruct SSL_CONFIG;\nstruct SSL_HANDSHAKE;\nstruct SSL_PROTOCOL_METHOD;\nstruct SSL_X509_METHOD;\n\n// C++ utilities.\n\n// New behaves like |new| but uses |OPENSSL_malloc| for memory allocation. It\n// returns nullptr on allocation error. It only implements single-object\n// allocation and not new T[n].\n//\n// Note: unlike |new|, this does not support non-public constructors.\ntemplate \nT *New(Args &&...args) {\n void *t = OPENSSL_malloc(sizeof(T));\n if (t == nullptr) {\n return nullptr;\n }\n return new (t) T(std::forward(args)...);\n}\n\n// Delete behaves like |delete| but uses |OPENSSL_free| to release memory.\n//\n// Note: unlike |delete| this does not support non-public destructors.\ntemplate \nvoid Delete(T *t) {\n if (t != nullptr) {\n t->~T();\n OPENSSL_free(t);\n }\n}\n\n// All types with kAllowUniquePtr set may be used with UniquePtr. Other types\n// may be C structs which require a |BORINGSSL_MAKE_DELETER| registration.\nnamespace internal {\ntemplate \nstruct DeleterImpl> {\n static void Free(T *t) { Delete(t); }\n};\n} // namespace internal\n\n// MakeUnique behaves like |std::make_unique| but returns nullptr on allocation\n// error.\ntemplate \nUniquePtr MakeUnique(Args &&...args) {\n return UniquePtr(New(std::forward(args)...));\n}\n\n// Array is an owning array of elements of |T|.\ntemplate \nclass Array {\n public:\n // Array's default constructor creates an empty array.\n Array() {}\n Array(const Array &) = delete;\n Array(Array &&other) { *this = std::move(other); }\n\n ~Array() { Reset(); }\n\n Array &operator=(const Array &) = delete;\n Array &operator=(Array &&other) {\n Reset();\n other.Release(&data_, &size_);\n return *this;\n }\n\n const T *data() const { return data_; }\n T *data() { return data_; }\n size_t size() const { return size_; }\n bool empty() const { return size_ == 0; }\n\n const T &operator[](size_t i) const {\n BSSL_CHECK(i < size_);\n return data_[i];\n }\n T &operator[](size_t i) {\n BSSL_CHECK(i < size_);\n return data_[i];\n }\n\n T *begin() { return data_; }\n const T *begin() const { return data_; }\n T *end() { return data_ + size_; }\n const T *end() const { return data_ + size_; }\n\n void Reset() { Reset(nullptr, 0); }\n\n // Reset releases the current contents of the array and takes ownership of the\n // raw pointer supplied by the caller.\n void Reset(T *new_data, size_t new_size) {\n std::destroy_n(data_, size_);\n OPENSSL_free(data_);\n data_ = new_data;\n size_ = new_size;\n }\n\n // Release releases ownership of the array to a raw pointer supplied by the\n // caller.\n void Release(T **out, size_t *out_size) {\n *out = data_;\n *out_size = size_;\n data_ = nullptr;\n size_ = 0;\n }\n\n // Init replaces the array with a newly-allocated array of |new_size|\n // value-constructed copies of |T|. It returns true on success and false on\n // error. If |T| is a primitive type like |uint8_t|, value-construction means\n // it will be zero-initialized.\n [[nodiscard]] bool Init(size_t new_size) {\n if (!InitUninitialized(new_size)) {\n return false;\n }\n std::uninitialized_value_construct_n(data_, size_);\n return true;\n }\n\n // InitForOverwrite behaves like |Init| but it default-constructs each element\n // instead. This means that, if |T| is a primitive type, the array will be\n // uninitialized and thus must be filled in by the caller.\n [[nodiscard]] bool InitForOverwrite(size_t new_size) {\n if (!InitUninitialized(new_size)) {\n return false;\n }\n std::uninitialized_default_construct_n(data_, size_);\n return true;\n }\n\n // CopyFrom replaces the array with a newly-allocated copy of |in|. It returns\n // true on success and false on error.\n [[nodiscard]] bool CopyFrom(Span in) {\n if (!InitUninitialized(in.size())) {\n return false;\n }\n std::uninitialized_copy(in.begin(), in.end(), data_);\n return true;\n }\n\n // Shrink shrinks the stored size of the array to |new_size|. It crashes if\n // the new size is larger. Note this does not shrink the allocation itself.\n void Shrink(size_t new_size) {\n if (new_size > size_) {\n abort();\n }\n std::destroy_n(data_ + new_size, size_ - new_size);\n size_ = new_size;\n }\n\n private:\n // InitUninitialized replaces the array with a newly-allocated array of\n // |new_size| elements, but whose constructor has not yet run. On success, the\n // elements must be constructed before returning control to the caller.\n bool InitUninitialized(size_t new_size) {\n Reset();\n if (new_size == 0) {\n return true;\n }\n\n if (new_size > std::numeric_limits::max() / sizeof(T)) {\n OPENSSL_PUT_ERROR(SSL, ERR_R_OVERFLOW);\n return false;\n }\n data_ = reinterpret_cast(OPENSSL_malloc(new_size * sizeof(T)));\n if (data_ == nullptr) {\n return false;\n }\n size_ = new_size;\n return true;\n }\n\n T *data_ = nullptr;\n size_t size_ = 0;\n};\n\n// Vector is a resizable array of elements of |T|.\ntemplate \nclass Vector {\n public:\n Vector() = default;\n Vector(const Vector &) = delete;\n Vector(Vector &&other) { *this = std::move(other); }\n ~Vector() { clear(); }\n\n Vector &operator=(const Vector &) = delete;\n Vector &operator=(Vector &&other) {\n clear();\n std::swap(data_, other.data_);\n std::swap(size_, other.size_);\n std::swap(capacity_, other.capacity_);\n return *this;\n }\n\n const T *data() const { return data_; }\n T *data() { return data_; }\n size_t size() const { return size_; }\n bool empty() const { return size_ == 0; }\n\n const T &operator[](size_t i) const {\n BSSL_CHECK(i < size_);\n return data_[i];\n }\n T &operator[](size_t i) {\n BSSL_CHECK(i < size_);\n return data_[i];\n }\n\n T *begin() { return data_; }\n const T *begin() const { return data_; }\n T *end() { return data_ + size_; }\n const T *end() const { return data_ + size_; }\n\n void clear() {\n std::destroy_n(data_, size_);\n OPENSSL_free(data_);\n data_ = nullptr;\n size_ = 0;\n capacity_ = 0;\n }\n\n // Push adds |elem| at the end of the internal array, growing if necessary. It\n // returns false when allocation fails.\n [[nodiscard]] bool Push(T elem) {\n if (!MaybeGrow()) {\n return false;\n }\n new (&data_[size_]) T(std::move(elem));\n size_++;\n return true;\n }\n\n // CopyFrom replaces the contents of the array with a copy of |in|. It returns\n // true on success and false on allocation error.\n [[nodiscard]] bool CopyFrom(Span in) {\n Array copy;\n if (!copy.CopyFrom(in)) {\n return false;\n }\n\n clear();\n copy.Release(&data_, &size_);\n capacity_ = size_;\n return true;\n }\n\n private:\n // If there is no room for one more element, creates a new backing array with\n // double the size of the old one and copies elements over.\n bool MaybeGrow() {\n // No need to grow if we have room for one more T.\n if (size_ < capacity_) {\n return true;\n }\n size_t new_capacity = kDefaultSize;\n if (capacity_ > 0) {\n // Double the array's size if it's safe to do so.\n if (capacity_ > std::numeric_limits::max() / 2) {\n OPENSSL_PUT_ERROR(SSL, ERR_R_OVERFLOW);\n return false;\n }\n new_capacity = capacity_ * 2;\n }\n if (new_capacity > std::numeric_limits::max() / sizeof(T)) {\n OPENSSL_PUT_ERROR(SSL, ERR_R_OVERFLOW);\n return false;\n }\n T *new_data =\n reinterpret_cast(OPENSSL_malloc(new_capacity * sizeof(T)));\n if (new_data == nullptr) {\n return false;\n }\n size_t new_size = size_;\n std::uninitialized_move(begin(), end(), new_data);\n clear();\n data_ = new_data;\n size_ = new_size;\n capacity_ = new_capacity;\n return true;\n }\n\n // data_ is a pointer to |capacity_| objects of size |T|, the first |size_| of\n // which are constructed.\n T *data_ = nullptr;\n // |size_| is the number of elements stored in this Vector.\n size_t size_ = 0;\n // |capacity_| is the number of elements allocated in this Vector.\n size_t capacity_ = 0;\n // |kDefaultSize| is the default initial size of the backing array.\n static constexpr size_t kDefaultSize = 16;\n};\n\n// A PackedSize is an integer that can store values from 0 to N, represented as\n// a minimal-width integer.\ntemplate \nusing PackedSize = std::conditional_t<\n N <= 0xff, uint8_t,\n std::conditional_t>>;\n\n// An InplaceVector is like a Vector, but stores up to N elements inline in the\n// object. It is inspired by std::inplace_vector in C++26.\ntemplate \nclass InplaceVector {\n public:\n InplaceVector() = default;\n InplaceVector(const InplaceVector &other) { *this = other; }\n InplaceVector(InplaceVector &&other) { *this = std::move(other); }\n ~InplaceVector() { clear(); }\n InplaceVector &operator=(const InplaceVector &other) {\n if (this != &other) {\n CopyFrom(other);\n }\n return *this;\n }\n InplaceVector &operator=(InplaceVector &&other) {\n clear();\n std::uninitialized_move(other.begin(), other.end(), data());\n size_ = other.size();\n return *this;\n }\n\n const T *data() const { return reinterpret_cast(storage_); }\n T *data() { return reinterpret_cast(storage_); }\n size_t size() const { return size_; }\n static constexpr size_t capacity() { return N; }\n bool empty() const { return size_ == 0; }\n\n const T &operator[](size_t i) const {\n BSSL_CHECK(i < size_);\n return data()[i];\n }\n T &operator[](size_t i) {\n BSSL_CHECK(i < size_);\n return data()[i];\n }\n\n T *begin() { return data(); }\n const T *begin() const { return data(); }\n T *end() { return data() + size_; }\n const T *end() const { return data() + size_; }\n\n void clear() { Shrink(0); }\n\n // Shrink resizes the vector to |new_size|, which must not be larger than the\n // current size. Unlike |Resize|, this can be called when |T| is not\n // default-constructible.\n void Shrink(size_t new_size) {\n BSSL_CHECK(new_size <= size_);\n std::destroy_n(data() + new_size, size_ - new_size);\n size_ = static_cast>(new_size);\n }\n\n // TryResize resizes the vector to |new_size| and returns true, or returns\n // false if |new_size| is too large. Any newly-added elements are\n // value-initialized.\n [[nodiscard]] bool TryResize(size_t new_size) {\n if (new_size <= size_) {\n Shrink(new_size);\n return true;\n }\n if (new_size > capacity()) {\n return false;\n }\n std::uninitialized_value_construct_n(data() + size_, new_size - size_);\n size_ = static_cast>(new_size);\n return true;\n }\n\n // TryResizeForOverwrite behaves like |TryResize|, but newly-added elements\n // are default-initialized, so POD types may contain uninitialized values that\n // the caller is responsible for filling in.\n [[nodiscard]] bool TryResizeForOverwrite(size_t new_size) {\n if (new_size <= size_) {\n Shrink(new_size);\n return true;\n }\n if (new_size > capacity()) {\n return false;\n }\n std::uninitialized_default_construct_n(data() + size_, new_size - size_);\n size_ = static_cast>(new_size);\n return true;\n }\n\n // TryCopyFrom sets the vector to a copy of |in| and returns true, or returns\n // false if |in| is too large.\n [[nodiscard]] bool TryCopyFrom(Span in) {\n if (in.size() > capacity()) {\n return false;\n }\n clear();\n std::uninitialized_copy(in.begin(), in.end(), data());\n size_ = in.size();\n return true;\n }\n\n // TryPushBack appends |val| to the vector and returns a pointer to the\n // newly-inserted value, or nullptr if the vector is at capacity.\n [[nodiscard]] T *TryPushBack(T val) {\n if (size() >= capacity()) {\n return nullptr;\n }\n T *ret = &data()[size_];\n new (ret) T(std::move(val));\n size_++;\n return ret;\n }\n\n // The following methods behave like their |Try*| counterparts, but abort the\n // program on failure.\n void Resize(size_t size) { BSSL_CHECK(TryResize(size)); }\n void ResizeForOverwrite(size_t size) {\n BSSL_CHECK(TryResizeForOverwrite(size));\n }\n void CopyFrom(Span in) { BSSL_CHECK(TryCopyFrom(in)); }\n T &PushBack(T val) {\n T *ret = TryPushBack(std::move(val));\n BSSL_CHECK(ret != nullptr);\n return *ret;\n }\n\n template \n void EraseIf(Pred pred) {\n // See if anything needs to be erased at all. This avoids a self-move.\n auto iter = std::find_if(begin(), end(), pred);\n if (iter == end()) {\n return;\n }\n\n // Elements before the first to be erased may be left as-is.\n size_t new_size = iter - begin();\n // Swap all subsequent elements in if they are to be kept.\n for (size_t i = new_size + 1; i < size(); i++) {\n if (!pred((*this)[i])) {\n (*this)[new_size] = std::move((*this)[i]);\n new_size++;\n }\n }\n\n Shrink(new_size);\n }\n\n private:\n alignas(T) char storage_[sizeof(T[N])];\n PackedSize size_ = 0;\n};\n\n// An MRUQueue maintains a queue of up to |N| objects of type |T|. If the queue\n// is at capacity, adding to the queue pops the least recently added element.\ntemplate \nclass MRUQueue {\n public:\n static constexpr bool kAllowUniquePtr = true;\n\n MRUQueue() = default;\n\n // If we ever need to make this type movable, we could. (The defaults almost\n // work except we need |start_| to be reset when moved-from.)\n MRUQueue(const MRUQueue &other) = delete;\n MRUQueue &operator=(const MRUQueue &other) = delete;\n\n bool empty() const { return size() == 0; }\n size_t size() const { return storage_.size(); }\n\n T &operator[](size_t i) {\n BSSL_CHECK(i < size());\n return storage_[(start_ + i) % N];\n }\n const T &operator[](size_t i) const {\n return (*const_cast(this))[i];\n }\n\n void Clear() {\n storage_.clear();\n start_ = 0;\n }\n\n void PushBack(T t) {\n if (storage_.size() < N) {\n assert(start_ == 0);\n storage_.PushBack(std::move(t));\n } else {\n (*this)[0] = std::move(t);\n start_ = (start_ + 1) % N;\n }\n }\n\n private:\n InplaceVector storage_;\n PackedSize start_ = 0;\n};\n\n// CBBFinishArray behaves like |CBB_finish| but stores the result in an Array.\nOPENSSL_EXPORT bool CBBFinishArray(CBB *cbb, Array *out);\n\n// GetAllNames helps to implement |*_get_all_*_names| style functions. It\n// writes at most |max_out| string pointers to |out| and returns the number that\n// it would have liked to have written. The strings written consist of\n// |fixed_names_len| strings from |fixed_names| followed by |objects_len|\n// strings taken by projecting |objects| through |name|.\ntemplate \ninline size_t GetAllNames(const char **out, size_t max_out,\n Span fixed_names, Name(T::*name),\n Span objects) {\n auto span = bssl::Span(out, max_out);\n for (size_t i = 0; !span.empty() && i < fixed_names.size(); i++) {\n span[0] = fixed_names[i];\n span = span.subspan(1);\n }\n span = span.subspan(0, objects.size());\n for (size_t i = 0; i < span.size(); i++) {\n span[i] = objects[i].*name;\n }\n return fixed_names.size() + objects.size();\n}\n\n// RefCounted is a common base for ref-counted types. This is an instance of the\n// C++ curiously-recurring template pattern, so a type Foo must subclass\n// RefCounted. It additionally must friend RefCounted to allow calling\n// the destructor.\ntemplate \nclass RefCounted {\n public:\n RefCounted(const RefCounted &) = delete;\n RefCounted &operator=(const RefCounted &) = delete;\n\n // These methods are intentionally named differently from `bssl::UpRef` to\n // avoid a collision. Only the implementations of `FOO_up_ref` and `FOO_free`\n // should call these.\n void UpRefInternal() { CRYPTO_refcount_inc(&references_); }\n void DecRefInternal() {\n if (CRYPTO_refcount_dec_and_test_zero(&references_)) {\n Derived *d = static_cast(this);\n d->~Derived();\n OPENSSL_free(d);\n }\n }\n\n protected:\n // Ensure that only `Derived`, which must inherit from `RefCounted`,\n // can call the constructor. This catches bugs where someone inherited from\n // the wrong base.\n class CheckSubClass {\n private:\n friend Derived;\n CheckSubClass() = default;\n };\n RefCounted(CheckSubClass) {\n static_assert(std::is_base_of::value,\n \"Derived must subclass RefCounted\");\n }\n\n ~RefCounted() = default;\n\n private:\n CRYPTO_refcount_t references_ = 1;\n};\n\n\n// Protocol versions.\n//\n// Due to DTLS's historical wire version differences, we maintain two notions of\n// version.\n//\n// The \"version\" or \"wire version\" is the actual 16-bit value that appears on\n// the wire. It uniquely identifies a version and is also used at API\n// boundaries. The set of supported versions differs between TLS and DTLS. Wire\n// versions are opaque values and may not be compared numerically.\n//\n// The \"protocol version\" identifies the high-level handshake variant being\n// used. DTLS versions map to the corresponding TLS versions. Protocol versions\n// are sequential and may be compared numerically.\n\n// ssl_protocol_version_from_wire sets |*out| to the protocol version\n// corresponding to wire version |version| and returns true. If |version| is not\n// a valid TLS or DTLS version, it returns false.\n//\n// Note this simultaneously handles both DTLS and TLS. Use one of the\n// higher-level functions below for most operations.\nbool ssl_protocol_version_from_wire(uint16_t *out, uint16_t version);\n\n// ssl_get_version_range sets |*out_min_version| and |*out_max_version| to the\n// minimum and maximum enabled protocol versions, respectively.\nbool ssl_get_version_range(const SSL_HANDSHAKE *hs, uint16_t *out_min_version,\n uint16_t *out_max_version);\n\n// ssl_supports_version returns whether |hs| supports |version|.\nbool ssl_supports_version(const SSL_HANDSHAKE *hs, uint16_t version);\n\n// ssl_method_supports_version returns whether |method| supports |version|.\nbool ssl_method_supports_version(const SSL_PROTOCOL_METHOD *method,\n uint16_t version);\n\n// ssl_add_supported_versions writes the supported versions of |hs| to |cbb|, in\n// decreasing preference order. The version list is filtered to those whose\n// protocol version is at least |extra_min_version|.\nbool ssl_add_supported_versions(const SSL_HANDSHAKE *hs, CBB *cbb,\n uint16_t extra_min_version);\n\n// ssl_negotiate_version negotiates a common version based on |hs|'s preferences\n// and the peer preference list in |peer_versions|. On success, it returns true\n// and sets |*out_version| to the selected version. Otherwise, it returns false\n// and sets |*out_alert| to an alert to send.\nbool ssl_negotiate_version(SSL_HANDSHAKE *hs, uint8_t *out_alert,\n uint16_t *out_version, const CBS *peer_versions);\n\n// ssl_has_final_version returns whether |ssl| has determined the final version.\n// This may be used to distinguish the predictive 0-RTT version from the final\n// one.\nbool ssl_has_final_version(const SSL *ssl);\n\n// ssl_protocol_version returns |ssl|'s protocol version. It is an error to\n// call this function before the version is determined.\nuint16_t ssl_protocol_version(const SSL *ssl);\n\n// Cipher suites.\n\nBSSL_NAMESPACE_END\n\nstruct ssl_cipher_st {\n // name is the OpenSSL name for the cipher.\n const char *name;\n // standard_name is the IETF name for the cipher.\n const char *standard_name;\n // id is the cipher suite value bitwise OR-d with 0x03000000.\n uint32_t id;\n\n // algorithm_* determine the cipher suite. See constants below for the values.\n uint32_t algorithm_mkey;\n uint32_t algorithm_auth;\n uint32_t algorithm_enc;\n uint32_t algorithm_mac;\n uint32_t algorithm_prf;\n};\n\nBSSL_NAMESPACE_BEGIN\n\n// Bits for |algorithm_mkey| (key exchange algorithm).\n#define SSL_kRSA 0x00000001u\n#define SSL_kECDHE 0x00000002u\n// SSL_kPSK is only set for plain PSK, not ECDHE_PSK.\n#define SSL_kPSK 0x00000004u\n#define SSL_kGENERIC 0x00000008u\n\n// Bits for |algorithm_auth| (server authentication).\n#define SSL_aRSA_SIGN 0x00000001u\n#define SSL_aRSA_DECRYPT 0x00000002u\n#define SSL_aECDSA 0x00000004u\n// SSL_aPSK is set for both PSK and ECDHE_PSK.\n#define SSL_aPSK 0x00000008u\n#define SSL_aGENERIC 0x00000010u\n\n#define SSL_aCERT (SSL_aRSA_SIGN | SSL_aRSA_DECRYPT | SSL_aECDSA)\n\n// Bits for |algorithm_enc| (symmetric encryption).\n#define SSL_3DES 0x00000001u\n#define SSL_AES128 0x00000002u\n#define SSL_AES256 0x00000004u\n#define SSL_AES128GCM 0x00000008u\n#define SSL_AES256GCM 0x00000010u\n#define SSL_CHACHA20POLY1305 0x00000020u\n\n#define SSL_AES (SSL_AES128 | SSL_AES256 | SSL_AES128GCM | SSL_AES256GCM)\n\n// Bits for |algorithm_mac| (symmetric authentication).\n#define SSL_SHA1 0x00000001u\n#define SSL_SHA256 0x00000002u\n// SSL_AEAD is set for all AEADs.\n#define SSL_AEAD 0x00000004u\n\n// Bits for |algorithm_prf| (handshake digest).\n#define SSL_HANDSHAKE_MAC_DEFAULT 0x1\n#define SSL_HANDSHAKE_MAC_SHA256 0x2\n#define SSL_HANDSHAKE_MAC_SHA384 0x4\n\n// SSL_MAX_MD_SIZE is size of the largest hash function used in TLS, SHA-384.\n#define SSL_MAX_MD_SIZE 48\n\n// An SSLCipherPreferenceList contains a list of SSL_CIPHERs with equal-\n// preference groups. For TLS clients, the groups are moot because the server\n// picks the cipher and groups cannot be expressed on the wire. However, for\n// servers, the equal-preference groups allow the client's preferences to be\n// partially respected. (This only has an effect with\n// SSL_OP_CIPHER_SERVER_PREFERENCE).\n//\n// The equal-preference groups are expressed by grouping SSL_CIPHERs together.\n// All elements of a group have the same priority: no ordering is expressed\n// within a group.\n//\n// The values in |ciphers| are in one-to-one correspondence with\n// |in_group_flags|. (That is, sk_SSL_CIPHER_num(ciphers) is the number of\n// bytes in |in_group_flags|.) The bytes in |in_group_flags| are either 1, to\n// indicate that the corresponding SSL_CIPHER is not the last element of a\n// group, or 0 to indicate that it is.\n//\n// For example, if |in_group_flags| contains all zeros then that indicates a\n// traditional, fully-ordered preference. Every SSL_CIPHER is the last element\n// of the group (i.e. they are all in a one-element group).\n//\n// For a more complex example, consider:\n// ciphers: A B C D E F\n// in_group_flags: 1 1 0 0 1 0\n//\n// That would express the following, order:\n//\n// A E\n// B -> D -> F\n// C\nstruct SSLCipherPreferenceList {\n static constexpr bool kAllowUniquePtr = true;\n\n SSLCipherPreferenceList() = default;\n ~SSLCipherPreferenceList();\n\n bool Init(UniquePtr ciphers,\n Span in_group_flags);\n bool Init(const SSLCipherPreferenceList &);\n\n void Remove(const SSL_CIPHER *cipher);\n\n UniquePtr ciphers;\n bool *in_group_flags = nullptr;\n};\n\n// AllCiphers returns an array of all supported ciphers, sorted by id.\nSpan AllCiphers();\n\n// ssl_cipher_get_evp_aead sets |*out_aead| to point to the correct EVP_AEAD\n// object for |cipher| protocol version |version|. It sets |*out_mac_secret_len|\n// and |*out_fixed_iv_len| to the MAC key length and fixed IV length,\n// respectively. The MAC key length is zero except for legacy block and stream\n// ciphers. It returns true on success and false on error.\nbool ssl_cipher_get_evp_aead(const EVP_AEAD **out_aead,\n size_t *out_mac_secret_len,\n size_t *out_fixed_iv_len, const SSL_CIPHER *cipher,\n uint16_t version);\n\n// ssl_get_handshake_digest returns the |EVP_MD| corresponding to |version| and\n// |cipher|.\nconst EVP_MD *ssl_get_handshake_digest(uint16_t version,\n const SSL_CIPHER *cipher);\n\n// ssl_create_cipher_list evaluates |rule_str|. It sets |*out_cipher_list| to a\n// newly-allocated |SSLCipherPreferenceList| containing the result. It returns\n// true on success and false on failure. If |strict| is true, nonsense will be\n// rejected. If false, nonsense will be silently ignored. An empty result is\n// considered an error regardless of |strict|. |has_aes_hw| indicates if the\n// list should be ordered based on having support for AES in hardware or not.\nbool ssl_create_cipher_list(UniquePtr *out_cipher_list,\n const bool has_aes_hw, const char *rule_str,\n bool strict);\n\n// ssl_cipher_auth_mask_for_key returns the mask of cipher |algorithm_auth|\n// values suitable for use with |key| in TLS 1.2 and below. |sign_ok| indicates\n// whether |key| may be used for signing.\nuint32_t ssl_cipher_auth_mask_for_key(const EVP_PKEY *key, bool sign_ok);\n\n// ssl_cipher_uses_certificate_auth returns whether |cipher| authenticates the\n// server and, optionally, the client with a certificate.\nbool ssl_cipher_uses_certificate_auth(const SSL_CIPHER *cipher);\n\n// ssl_cipher_requires_server_key_exchange returns whether |cipher| requires a\n// ServerKeyExchange message.\n//\n// This function may return false while still allowing |cipher| an optional\n// ServerKeyExchange. This is the case for plain PSK ciphers.\nbool ssl_cipher_requires_server_key_exchange(const SSL_CIPHER *cipher);\n\n// ssl_cipher_get_record_split_len, for TLS 1.0 CBC mode ciphers, returns the\n// length of an encrypted 1-byte record, for use in record-splitting. Otherwise\n// it returns zero.\nsize_t ssl_cipher_get_record_split_len(const SSL_CIPHER *cipher);\n\n// ssl_choose_tls13_cipher returns an |SSL_CIPHER| corresponding with the best\n// available from |cipher_suites| compatible with |version| and |policy|. It\n// returns NULL if there isn't a compatible cipher. |has_aes_hw| indicates if\n// the choice should be made as if support for AES in hardware is available.\nconst SSL_CIPHER *ssl_choose_tls13_cipher(CBS cipher_suites, bool has_aes_hw,\n uint16_t version,\n enum ssl_compliance_policy_t policy);\n\n// ssl_tls13_cipher_meets_policy returns true if |cipher_id| is acceptable given\n// |policy|.\nbool ssl_tls13_cipher_meets_policy(uint16_t cipher_id,\n enum ssl_compliance_policy_t policy);\n\n// ssl_cipher_is_deprecated returns true if |cipher| is deprecated.\nOPENSSL_EXPORT bool ssl_cipher_is_deprecated(const SSL_CIPHER *cipher);\n\n\n// Transcript layer.\n\n// SSLTranscript maintains the handshake transcript as a combination of a\n// buffer and running hash.\nclass SSLTranscript {\n public:\n explicit SSLTranscript(bool is_dtls);\n ~SSLTranscript();\n\n SSLTranscript(SSLTranscript &&other) = default;\n SSLTranscript &operator=(SSLTranscript &&other) = default;\n\n // Init initializes the handshake transcript. If called on an existing\n // transcript, it resets the transcript and hash. It returns true on success\n // and false on failure.\n bool Init();\n\n // InitHash initializes the handshake hash based on the PRF and contents of\n // the handshake transcript. Subsequent calls to |Update| will update the\n // rolling hash. It returns one on success and zero on failure. It is an error\n // to call this function after the handshake buffer is released. This may be\n // called multiple times to change the hash function.\n bool InitHash(uint16_t version, const SSL_CIPHER *cipher);\n\n // UpdateForHelloRetryRequest resets the rolling hash with the\n // HelloRetryRequest construction. It returns true on success and false on\n // failure. It is an error to call this function before the handshake buffer\n // is released.\n bool UpdateForHelloRetryRequest();\n\n // CopyToHashContext initializes |ctx| with |digest| and the data thus far in\n // the transcript. It returns true on success and false on failure. If the\n // handshake buffer is still present, |digest| may be any supported digest.\n // Otherwise, |digest| must match the transcript hash.\n bool CopyToHashContext(EVP_MD_CTX *ctx, const EVP_MD *digest) const;\n\n Span buffer() const {\n return Span(reinterpret_cast(buffer_->data),\n buffer_->length);\n }\n\n // FreeBuffer releases the handshake buffer. Subsequent calls to\n // |Update| will not update the handshake buffer.\n void FreeBuffer();\n\n // DigestLen returns the length of the PRF hash.\n size_t DigestLen() const;\n\n // Digest returns the PRF hash. For TLS 1.1 and below, this is\n // |EVP_md5_sha1|.\n const EVP_MD *Digest() const;\n\n // Update adds |in| to the handshake buffer and handshake hash, whichever is\n // enabled. It returns true on success and false on failure.\n bool Update(Span in);\n\n // GetHash writes the handshake hash to |out| which must have room for at\n // least |DigestLen| bytes. On success, it returns true and sets |*out_len| to\n // the number of bytes written. Otherwise, it returns false.\n bool GetHash(uint8_t *out, size_t *out_len) const;\n\n // GetFinishedMAC computes the MAC for the Finished message into the bytes\n // pointed by |out| and writes the number of bytes to |*out_len|. |out| must\n // have room for |EVP_MAX_MD_SIZE| bytes. It returns true on success and false\n // on failure.\n bool GetFinishedMAC(uint8_t *out, size_t *out_len, const SSL_SESSION *session,\n bool from_server) const;\n\n private:\n // HashBuffer initializes |ctx| to use |digest| and writes the contents of\n // |buffer_| to |ctx|. If this SSLTranscript is for DTLS 1.3, the appropriate\n // bytes in |buffer_| will be skipped when hashing the buffer.\n bool HashBuffer(EVP_MD_CTX *ctx, const EVP_MD *digest) const;\n\n // AddToBufferOrHash directly adds the contents of |in| to |buffer_| and/or\n // |hash_|.\n bool AddToBufferOrHash(Span in);\n\n // buffer_, if non-null, contains the handshake transcript.\n UniquePtr buffer_;\n // hash, if initialized with an |EVP_MD|, maintains the handshake hash.\n ScopedEVP_MD_CTX hash_;\n // is_dtls_ indicates whether this is a transcript for a DTLS connection.\n bool is_dtls_ : 1;\n // version_ contains the version for the connection (if known).\n uint16_t version_ = 0;\n};\n\n// tls1_prf computes the PRF function for |ssl|. It fills |out|, using |secret|\n// as the secret and |label| as the label. |seed1| and |seed2| are concatenated\n// to form the seed parameter. It returns true on success and false on failure.\nbool tls1_prf(const EVP_MD *digest, Span out,\n Span secret, std::string_view label,\n Span seed1, Span seed2);\n\n\n// Encryption layer.\n\n// SSLAEADContext contains information about an AEAD that is being used to\n// encrypt an SSL connection.\nclass SSLAEADContext {\n public:\n explicit SSLAEADContext(const SSL_CIPHER *cipher);\n ~SSLAEADContext();\n static constexpr bool kAllowUniquePtr = true;\n\n SSLAEADContext(const SSLAEADContext &&) = delete;\n SSLAEADContext &operator=(const SSLAEADContext &&) = delete;\n\n // CreateNullCipher creates an |SSLAEADContext| for the null cipher.\n static UniquePtr CreateNullCipher();\n\n // Create creates an |SSLAEADContext| using the supplied key material. It\n // returns nullptr on error. Only one of |Open| or |Seal| may be used with the\n // resulting object, depending on |direction|. |version| is the wire version.\n static UniquePtr Create(enum evp_aead_direction_t direction,\n uint16_t version,\n const SSL_CIPHER *cipher,\n Span enc_key,\n Span mac_key,\n Span fixed_iv);\n\n // CreatePlaceholderForQUIC creates a placeholder |SSLAEADContext| for the\n // given cipher. The resulting object can be queried for various properties\n // but cannot encrypt or decrypt data.\n static UniquePtr CreatePlaceholderForQUIC(\n const SSL_CIPHER *cipher);\n\n const SSL_CIPHER *cipher() const { return cipher_; }\n\n // is_null_cipher returns true if this is the null cipher.\n bool is_null_cipher() const { return !cipher_; }\n\n // ExplicitNonceLen returns the length of the explicit nonce.\n size_t ExplicitNonceLen() const;\n\n // MaxOverhead returns the maximum overhead of calling |Seal|.\n size_t MaxOverhead() const;\n\n // MaxSealInputLen returns the maximum length for |Seal| that can fit in\n // |max_out| output bytes, or zero if no input may fit.\n size_t MaxSealInputLen(size_t max_out) const;\n\n // SuffixLen calculates the suffix length written by |SealScatter| and writes\n // it to |*out_suffix_len|. It returns true on success and false on error.\n // |in_len| and |extra_in_len| should equal the argument of the same names\n // passed to |SealScatter|.\n bool SuffixLen(size_t *out_suffix_len, size_t in_len,\n size_t extra_in_len) const;\n\n // CiphertextLen calculates the total ciphertext length written by\n // |SealScatter| and writes it to |*out_len|. It returns true on success and\n // false on error. |in_len| and |extra_in_len| should equal the argument of\n // the same names passed to |SealScatter|.\n bool CiphertextLen(size_t *out_len, size_t in_len, size_t extra_in_len) const;\n\n // Open authenticates and decrypts |in| in-place. On success, it sets |*out|\n // to the plaintext in |in| and returns true. Otherwise, it returns\n // false. The output will always be |ExplicitNonceLen| bytes ahead of |in|.\n bool Open(Span *out, uint8_t type, uint16_t record_version,\n uint64_t seqnum, Span header, Span in);\n\n // Seal encrypts and authenticates |in_len| bytes from |in| and writes the\n // result to |out|. It returns true on success and false on error.\n //\n // If |in| and |out| alias then |out| + |ExplicitNonceLen| must be == |in|.\n bool Seal(uint8_t *out, size_t *out_len, size_t max_out, uint8_t type,\n uint16_t record_version, uint64_t seqnum,\n Span header, const uint8_t *in, size_t in_len);\n\n // SealScatter encrypts and authenticates |in_len| bytes from |in| and splits\n // the result between |out_prefix|, |out| and |out_suffix|. It returns one on\n // success and zero on error.\n //\n // On successful return, exactly |ExplicitNonceLen| bytes are written to\n // |out_prefix|, |in_len| bytes to |out|, and |SuffixLen| bytes to\n // |out_suffix|.\n //\n // |extra_in| may point to an additional plaintext buffer. If present,\n // |extra_in_len| additional bytes are encrypted and authenticated, and the\n // ciphertext is written to the beginning of |out_suffix|. |SuffixLen| should\n // be used to size |out_suffix| accordingly.\n //\n // If |in| and |out| alias then |out| must be == |in|. Other arguments may not\n // alias anything.\n bool SealScatter(uint8_t *out_prefix, uint8_t *out, uint8_t *out_suffix,\n uint8_t type, uint16_t record_version, uint64_t seqnum,\n Span header, const uint8_t *in, size_t in_len,\n const uint8_t *extra_in, size_t extra_in_len);\n\n bool GetIV(const uint8_t **out_iv, size_t *out_iv_len) const;\n\n private:\n // GetAdditionalData returns the additional data, writing into |storage| if\n // necessary.\n Span GetAdditionalData(uint8_t storage[13], uint8_t type,\n uint16_t record_version,\n uint64_t seqnum, size_t plaintext_len,\n Span header);\n\n const SSL_CIPHER *cipher_;\n ScopedEVP_AEAD_CTX ctx_;\n // fixed_nonce_ contains any bytes of the nonce that are fixed for all\n // records.\n InplaceVector fixed_nonce_;\n uint8_t variable_nonce_len_ = 0;\n // variable_nonce_included_in_record_ is true if the variable nonce\n // for a record is included as a prefix before the ciphertext.\n bool variable_nonce_included_in_record_ : 1;\n // random_variable_nonce_ is true if the variable nonce is\n // randomly generated, rather than derived from the sequence\n // number.\n bool random_variable_nonce_ : 1;\n // xor_fixed_nonce_ is true if the fixed nonce should be XOR'd into the\n // variable nonce rather than prepended.\n bool xor_fixed_nonce_ : 1;\n // omit_length_in_ad_ is true if the length should be omitted in the\n // AEAD's ad parameter.\n bool omit_length_in_ad_ : 1;\n // ad_is_header_ is true if the AEAD's ad parameter is the record header.\n bool ad_is_header_ : 1;\n};\n\n\n// DTLS replay bitmap.\n\n// DTLSReplayBitmap maintains a sliding window of sequence numbers to detect\n// replayed packets.\nclass DTLSReplayBitmap {\n public:\n // ShouldDiscard returns true if |seq_num| has been seen in\n // |bitmap| or is stale. Otherwise it returns false.\n bool ShouldDiscard(uint64_t seqnum) const;\n\n // Record updates the bitmap to record receipt of sequence number\n // |seq_num|. It slides the window forward if needed. It is an error to call\n // this function on a stale sequence number.\n void Record(uint64_t seqnum);\n\n uint64_t max_seq_num() const { return max_seq_num_; }\n\n private:\n // map is a bitset of sequence numbers that have been seen. Bit i corresponds\n // to |max_seq_num_ - i|.\n std::bitset<256> map_;\n // max_seq_num_ is the largest sequence number seen so far as a 64-bit\n // integer.\n uint64_t max_seq_num_ = 0;\n};\n\n// reconstruct_seqnum takes the low order bits of a record sequence number from\n// the wire and reconstructs the full sequence number. It does so using the\n// algorithm described in section 4.2.2 of RFC 9147, where |wire_seq| is the\n// low bits of the sequence number as seen on the wire, |seq_mask| is a bitmask\n// of 8 or 16 1 bits corresponding to the length of the sequence number on the\n// wire, and |max_valid_seqnum| is the largest sequence number of a record\n// successfully deprotected in this epoch. This function returns the sequence\n// number that is numerically closest to one plus |max_valid_seqnum| that when\n// bitwise and-ed with |seq_mask| equals |wire_seq|.\n//\n// |max_valid_seqnum| must be most 2^48-1, in which case the output will also be\n// at most 2^48-1.\nOPENSSL_EXPORT uint64_t reconstruct_seqnum(uint16_t wire_seq, uint64_t seq_mask,\n uint64_t max_valid_seqnum);\n\n\n// Record layer.\n\nclass DTLSRecordNumber {\n public:\n static constexpr uint64_t kMaxSequence = (uint64_t{1} << 48) - 1;\n\n DTLSRecordNumber() = default;\n DTLSRecordNumber(uint16_t epoch, uint64_t sequence) {\n BSSL_CHECK(sequence <= kMaxSequence);\n combined_ = (uint64_t{epoch} << 48) | sequence;\n }\n\n static DTLSRecordNumber FromCombined(uint64_t combined) {\n return DTLSRecordNumber(combined);\n }\n\n bool operator==(DTLSRecordNumber r) const {\n return combined() == r.combined();\n }\n bool operator!=(DTLSRecordNumber r) const { return !((*this) == r); }\n bool operator<(DTLSRecordNumber r) const { return combined() < r.combined(); }\n\n uint64_t combined() const { return combined_; }\n uint16_t epoch() const { return combined_ >> 48; }\n uint64_t sequence() const { return combined_ & kMaxSequence; }\n\n bool HasNext() const { return sequence() < kMaxSequence; }\n DTLSRecordNumber Next() const {\n BSSL_CHECK(HasNext());\n // This will not overflow into the epoch.\n return DTLSRecordNumber::FromCombined(combined_ + 1);\n }\n\n private:\n explicit DTLSRecordNumber(uint64_t combined) : combined_(combined) {}\n\n uint64_t combined_ = 0;\n};\n\nclass RecordNumberEncrypter {\n public:\n static constexpr bool kAllowUniquePtr = true;\n static constexpr size_t kMaxKeySize = 32;\n\n // Create returns a DTLS 1.3 record number encrypter for |traffic_secret|, or\n // nullptr on error.\n static UniquePtr Create(\n const SSL_CIPHER *cipher, Span traffic_secret);\n\n virtual ~RecordNumberEncrypter() = default;\n virtual size_t KeySize() = 0;\n virtual bool SetKey(Span key) = 0;\n virtual bool GenerateMask(Span out, Span sample) = 0;\n};\n\nstruct DTLSReadEpoch {\n static constexpr bool kAllowUniquePtr = true;\n\n // TODO(davidben): This could be made slightly more compact if |bitmap| stored\n // a DTLSRecordNumber.\n uint16_t epoch = 0;\n UniquePtr aead;\n UniquePtr rn_encrypter;\n DTLSReplayBitmap bitmap;\n};\n\nstruct DTLSWriteEpoch {\n static constexpr bool kAllowUniquePtr = true;\n\n uint16_t epoch() const { return next_record.epoch(); }\n\n DTLSRecordNumber next_record;\n UniquePtr aead;\n UniquePtr rn_encrypter;\n};\n\n// ssl_record_prefix_len returns the length of the prefix before the ciphertext\n// of a record for |ssl|.\n//\n// TODO(davidben): Expose this as part of public API once the high-level\n// buffer-free APIs are available.\nsize_t ssl_record_prefix_len(const SSL *ssl);\n\nenum ssl_open_record_t {\n ssl_open_record_success,\n ssl_open_record_discard,\n ssl_open_record_partial,\n ssl_open_record_close_notify,\n ssl_open_record_error,\n};\n\n// tls_open_record decrypts a record from |in| in-place.\n//\n// If the input did not contain a complete record, it returns\n// |ssl_open_record_partial|. It sets |*out_consumed| to the total number of\n// bytes necessary. It is guaranteed that a successful call to |tls_open_record|\n// will consume at least that many bytes.\n//\n// Otherwise, it sets |*out_consumed| to the number of bytes of input\n// consumed. Note that input may be consumed on all return codes if a record was\n// decrypted.\n//\n// On success, it returns |ssl_open_record_success|. It sets |*out_type| to the\n// record type and |*out| to the record body in |in|. Note that |*out| may be\n// empty.\n//\n// If a record was successfully processed but should be discarded, it returns\n// |ssl_open_record_discard|.\n//\n// If a record was successfully processed but is a close_notify, it returns\n// |ssl_open_record_close_notify|.\n//\n// On failure or fatal alert, it returns |ssl_open_record_error| and sets\n// |*out_alert| to an alert to emit, or zero if no alert should be emitted.\nenum ssl_open_record_t tls_open_record(SSL *ssl, uint8_t *out_type,\n Span *out, size_t *out_consumed,\n uint8_t *out_alert, Span in);\n\n// dtls_open_record implements |tls_open_record| for DTLS. It only returns\n// |ssl_open_record_partial| if |in| was empty and sets |*out_consumed| to\n// zero. The caller should read one packet and try again. On success,\n// |*out_number| is set to the record number of the record.\nenum ssl_open_record_t dtls_open_record(SSL *ssl, uint8_t *out_type,\n DTLSRecordNumber *out_number,\n Span *out,\n size_t *out_consumed,\n uint8_t *out_alert, Span in);\n\n// ssl_needs_record_splitting returns one if |ssl|'s current outgoing cipher\n// state needs record-splitting and zero otherwise.\nbool ssl_needs_record_splitting(const SSL *ssl);\n\n// tls_seal_record seals a new record of type |type| and body |in| and writes it\n// to |out|. At most |max_out| bytes will be written. It returns true on success\n// and false on error. If enabled, |tls_seal_record| implements TLS 1.0 CBC\n// 1/n-1 record splitting and may write two records concatenated.\n//\n// For a large record, the bulk of the ciphertext will begin\n// |tls_seal_align_prefix_len| bytes into out. Aligning |out| appropriately may\n// improve performance. It writes at most |in_len| + |SSL_max_seal_overhead|\n// bytes to |out|.\n//\n// |in| and |out| may not alias.\nbool tls_seal_record(SSL *ssl, uint8_t *out, size_t *out_len, size_t max_out,\n uint8_t type, const uint8_t *in, size_t in_len);\n\n// dtls_record_header_write_len returns the length of the record header that\n// will be written at |epoch|.\nsize_t dtls_record_header_write_len(const SSL *ssl, uint16_t epoch);\n\n// dtls_max_seal_overhead returns the maximum overhead, in bytes, of sealing a\n// record.\nsize_t dtls_max_seal_overhead(const SSL *ssl, uint16_t epoch);\n\n// dtls_seal_prefix_len returns the number of bytes of prefix to reserve in\n// front of the plaintext when sealing a record in-place.\nsize_t dtls_seal_prefix_len(const SSL *ssl, uint16_t epoch);\n\n// dtls_seal_max_input_len returns the maximum number of input bytes that can\n// fit in a record of up to |max_out| bytes, or zero if none may fit.\nsize_t dtls_seal_max_input_len(const SSL *ssl, uint16_t epoch, size_t max_out);\n\n// dtls_seal_record implements |tls_seal_record| for DTLS. |epoch| selects which\n// epoch's cipher state to use. Unlike |tls_seal_record|, |in| and |out| may\n// alias but, if they do, |in| must be exactly |dtls_seal_prefix_len| bytes\n// ahead of |out|. On success, |*out_number| is set to the record number of the\n// record.\nbool dtls_seal_record(SSL *ssl, DTLSRecordNumber *out_number, uint8_t *out,\n size_t *out_len, size_t max_out, uint8_t type,\n const uint8_t *in, size_t in_len, uint16_t epoch);\n\n// ssl_process_alert processes |in| as an alert and updates |ssl|'s shutdown\n// state. It returns one of |ssl_open_record_discard|, |ssl_open_record_error|,\n// |ssl_open_record_close_notify|, or |ssl_open_record_fatal_alert| as\n// appropriate.\nenum ssl_open_record_t ssl_process_alert(SSL *ssl, uint8_t *out_alert,\n Span in);\n\n\n// Private key operations.\n\n// ssl_private_key_* perform the corresponding operation on\n// |SSL_PRIVATE_KEY_METHOD|. If there is a custom private key configured, they\n// call the corresponding function or |complete| depending on whether there is a\n// pending operation. Otherwise, they implement the operation with\n// |EVP_PKEY|.\n\nenum ssl_private_key_result_t ssl_private_key_sign(\n SSL_HANDSHAKE *hs, uint8_t *out, size_t *out_len, size_t max_out,\n uint16_t sigalg, Span in);\n\nenum ssl_private_key_result_t ssl_private_key_decrypt(SSL_HANDSHAKE *hs,\n uint8_t *out,\n size_t *out_len,\n size_t max_out,\n Span in);\n\n// ssl_pkey_supports_algorithm returns whether |pkey| may be used to sign\n// |sigalg|.\nbool ssl_pkey_supports_algorithm(const SSL *ssl, EVP_PKEY *pkey,\n uint16_t sigalg, bool is_verify);\n\n// ssl_public_key_verify verifies that the |signature| is valid for the public\n// key |pkey| and input |in|, using the signature algorithm |sigalg|.\nbool ssl_public_key_verify(SSL *ssl, Span signature,\n uint16_t sigalg, EVP_PKEY *pkey,\n Span in);\n\n\n// Key shares.\n\n// SSLKeyShare abstracts over KEM-like constructions, for use with TLS 1.2 ECDHE\n// cipher suites and the TLS 1.3 key_share extension.\n//\n// TODO(davidben): This class is named SSLKeyShare after the TLS 1.3 key_share\n// extension, but it really implements a KEM abstraction. Additionally, we use\n// the same type for Encap, which is a one-off, stateless operation, as Generate\n// and Decap. Slightly tidier would be for Generate to return a new SSLKEMKey\n// (or we introduce EVP_KEM and EVP_KEM_KEY), with a Decap method, and for Encap\n// to be static function.\nclass SSLKeyShare {\n public:\n virtual ~SSLKeyShare() {}\n static constexpr bool kAllowUniquePtr = true;\n\n // Create returns a SSLKeyShare instance for use with group |group_id| or\n // nullptr on error.\n static UniquePtr Create(uint16_t group_id);\n\n // GroupID returns the group ID.\n virtual uint16_t GroupID() const = 0;\n\n // Generate generates a keypair and writes the public key to |out_public_key|.\n // It returns true on success and false on error.\n virtual bool Generate(CBB *out_public_key) = 0;\n\n // Encap generates an ephemeral, symmetric secret and encapsulates it with\n // |peer_key|. On success, it returns true, writes the encapsulated secret to\n // |out_ciphertext|, and sets |*out_secret| to the shared secret. On failure,\n // it returns false and sets |*out_alert| to an alert to send to the peer.\n virtual bool Encap(CBB *out_ciphertext, Array *out_secret,\n uint8_t *out_alert, Span peer_key) = 0;\n\n // Decap decapsulates the symmetric secret in |ciphertext|. On success, it\n // returns true and sets |*out_secret| to the shared secret. On failure, it\n // returns false and sets |*out_alert| to an alert to send to the peer.\n virtual bool Decap(Array *out_secret, uint8_t *out_alert,\n Span ciphertext) = 0;\n\n // SerializePrivateKey writes the private key to |out|, returning true if\n // successful and false otherwise. It should be called after |Generate|.\n virtual bool SerializePrivateKey(CBB *out) { return false; }\n\n // DeserializePrivateKey initializes the state of the key exchange from |in|,\n // returning true if successful and false otherwise.\n virtual bool DeserializePrivateKey(CBS *in) { return false; }\n};\n\nstruct NamedGroup {\n int nid;\n uint16_t group_id;\n const char name[32], alias[32];\n};\n\n// NamedGroups returns all supported groups.\nSpan NamedGroups();\n\n// ssl_nid_to_group_id looks up the group corresponding to |nid|. On success, it\n// sets |*out_group_id| to the group ID and returns true. Otherwise, it returns\n// false.\nbool ssl_nid_to_group_id(uint16_t *out_group_id, int nid);\n\n// ssl_name_to_group_id looks up the group corresponding to the |name| string of\n// length |len|. On success, it sets |*out_group_id| to the group ID and returns\n// true. Otherwise, it returns false.\nbool ssl_name_to_group_id(uint16_t *out_group_id, const char *name, size_t len);\n\n// ssl_group_id_to_nid returns the NID corresponding to |group_id| or\n// |NID_undef| if unknown.\nint ssl_group_id_to_nid(uint16_t group_id);\n\n\n// Handshake messages.\n\nstruct SSLMessage {\n bool is_v2_hello;\n uint8_t type;\n CBS body;\n // raw is the entire serialized handshake message, including the TLS or DTLS\n // message header.\n CBS raw;\n};\n\n// SSL_MAX_HANDSHAKE_FLIGHT is the number of messages, including\n// ChangeCipherSpec, in the longest handshake flight. Currently this is the\n// client's second leg in a full handshake when client certificates, NPN, and\n// Channel ID, are all enabled.\n#define SSL_MAX_HANDSHAKE_FLIGHT 7\n\nextern const uint8_t kHelloRetryRequest[SSL3_RANDOM_SIZE];\nextern const uint8_t kTLS12DowngradeRandom[8];\nextern const uint8_t kTLS13DowngradeRandom[8];\nextern const uint8_t kJDK11DowngradeRandom[8];\n\n// ssl_max_handshake_message_len returns the maximum number of bytes permitted\n// in a handshake message for |ssl|.\nsize_t ssl_max_handshake_message_len(const SSL *ssl);\n\n// tls_can_accept_handshake_data returns whether |ssl| is able to accept more\n// data into handshake buffer.\nbool tls_can_accept_handshake_data(const SSL *ssl, uint8_t *out_alert);\n\n// tls_has_unprocessed_handshake_data returns whether there is buffered\n// handshake data that has not been consumed by |get_message|.\nbool tls_has_unprocessed_handshake_data(const SSL *ssl);\n\n// tls_append_handshake_data appends |data| to the handshake buffer. It returns\n// true on success and false on allocation failure.\nbool tls_append_handshake_data(SSL *ssl, Span data);\n\n// dtls_has_unprocessed_handshake_data behaves like\n// |tls_has_unprocessed_handshake_data| for DTLS.\nbool dtls_has_unprocessed_handshake_data(const SSL *ssl);\n\n// tls_flush_pending_hs_data flushes any handshake plaintext data.\nbool tls_flush_pending_hs_data(SSL *ssl);\n\n// dtls_clear_outgoing_messages releases all buffered outgoing messages.\nvoid dtls_clear_outgoing_messages(SSL *ssl);\n\n// dtls_clear_unused_write_epochs releases any write epochs that are no longer\n// needed.\nvoid dtls_clear_unused_write_epochs(SSL *ssl);\n\n\n// Callbacks.\n\n// ssl_do_info_callback calls |ssl|'s info callback, if set.\nvoid ssl_do_info_callback(const SSL *ssl, int type, int value);\n\n// ssl_do_msg_callback calls |ssl|'s message callback, if set.\nvoid ssl_do_msg_callback(const SSL *ssl, int is_write, int content_type,\n Span in);\n\n\n// Transport buffers.\n\nclass SSLBuffer {\n public:\n SSLBuffer() {}\n ~SSLBuffer() { Clear(); }\n\n SSLBuffer(const SSLBuffer &) = delete;\n SSLBuffer &operator=(const SSLBuffer &) = delete;\n\n uint8_t *data() { return buf_ + offset_; }\n size_t size() const { return size_; }\n bool empty() const { return size_ == 0; }\n size_t cap() const { return cap_; }\n\n Span span() { return Span(data(), size()); }\n\n Span remaining() { return Span(data() + size(), cap() - size()); }\n\n // Clear releases the buffer.\n void Clear();\n\n // EnsureCap ensures the buffer has capacity at least |new_cap|, aligned such\n // that data written after |header_len| is aligned to a\n // |SSL3_ALIGN_PAYLOAD|-byte boundary. It returns true on success and false\n // on error.\n bool EnsureCap(size_t header_len, size_t new_cap);\n\n // DidWrite extends the buffer by |len|. The caller must have filled in to\n // this point.\n void DidWrite(size_t len);\n\n // Consume consumes |len| bytes from the front of the buffer. The memory\n // consumed will remain valid until the next call to |DiscardConsumed| or\n // |Clear|.\n void Consume(size_t len);\n\n // DiscardConsumed discards the consumed bytes from the buffer. If the buffer\n // is now empty, it releases memory used by it.\n void DiscardConsumed();\n\n private:\n // buf_ is the memory allocated for this buffer.\n uint8_t *buf_ = nullptr;\n // offset_ is the offset into |buf_| which the buffer contents start at.\n uint16_t offset_ = 0;\n // size_ is the size of the buffer contents from |buf_| + |offset_|.\n uint16_t size_ = 0;\n // cap_ is how much memory beyond |buf_| + |offset_| is available.\n uint16_t cap_ = 0;\n // inline_buf_ is a static buffer for short reads.\n uint8_t inline_buf_[SSL3_RT_HEADER_LENGTH];\n};\n\n// ssl_read_buffer_extend_to extends the read buffer to the desired length. For\n// TLS, it reads to the end of the buffer until the buffer is |len| bytes\n// long. For DTLS, it reads a new packet and ignores |len|. It returns one on\n// success, zero on EOF, and a negative number on error.\n//\n// It is an error to call |ssl_read_buffer_extend_to| in DTLS when the buffer is\n// non-empty.\nint ssl_read_buffer_extend_to(SSL *ssl, size_t len);\n\n// ssl_handle_open_record handles the result of passing |ssl->s3->read_buffer|\n// to a record-processing function. If |ret| is a success or if the caller\n// should retry, it returns one and sets |*out_retry|. Otherwise, it returns <=\n// 0.\nint ssl_handle_open_record(SSL *ssl, bool *out_retry, ssl_open_record_t ret,\n size_t consumed, uint8_t alert);\n\n// ssl_write_buffer_flush flushes the write buffer to the transport. It returns\n// one on success and <= 0 on error. For DTLS, whether or not the write\n// succeeds, the write buffer will be cleared.\nint ssl_write_buffer_flush(SSL *ssl);\n\n\n// Certificate functions.\n\n// ssl_parse_cert_chain parses a certificate list from |cbs| in the format used\n// by a TLS Certificate message. On success, it advances |cbs| and returns\n// true. Otherwise, it returns false and sets |*out_alert| to an alert to send\n// to the peer.\n//\n// If the list is non-empty then |*out_chain| and |*out_pubkey| will be set to\n// the certificate chain and the leaf certificate's public key\n// respectively. Otherwise, both will be set to nullptr.\n//\n// If the list is non-empty and |out_leaf_sha256| is non-NULL, it writes the\n// SHA-256 hash of the leaf to |out_leaf_sha256|.\nbool ssl_parse_cert_chain(uint8_t *out_alert,\n UniquePtr *out_chain,\n UniquePtr *out_pubkey,\n uint8_t *out_leaf_sha256, CBS *cbs,\n CRYPTO_BUFFER_POOL *pool);\n\nenum ssl_key_usage_t {\n key_usage_digital_signature = 0,\n key_usage_encipherment = 2,\n};\n\n// ssl_cert_check_key_usage parses the DER-encoded, X.509 certificate in |in|\n// and returns true if doesn't specify a key usage or, if it does, if it\n// includes |bit|. Otherwise it pushes to the error queue and returns false.\nOPENSSL_EXPORT bool ssl_cert_check_key_usage(const CBS *in,\n enum ssl_key_usage_t bit);\n\n// ssl_cert_extract_issuer parses the DER-encoded, X.509 certificate in |in|\n// and extracts the issuer. On success it returns true and the DER encoded\n// issuer is in |out_dn|, otherwise it returns false.\nOPENSSL_EXPORT bool ssl_cert_extract_issuer(const CBS *in, CBS *out_dn);\n\n// ssl_cert_matches_issuer parses the DER-encoded, X.509 certificate in |in|\n// and returns true if its issuer is an exact match for the DER encoded\n// distinguished name in |dn|\nbool ssl_cert_matches_issuer(const CBS *in, const CBS *dn);\n\n// ssl_cert_parse_pubkey extracts the public key from the DER-encoded, X.509\n// certificate in |in|. It returns an allocated |EVP_PKEY| or else returns\n// nullptr and pushes to the error queue.\nUniquePtr ssl_cert_parse_pubkey(const CBS *in);\n\n// SSL_parse_CA_list parses a CA list from |cbs| in the format used by a TLS\n// CertificateRequest message and Certificate Authorities extension. On success,\n// it returns a newly-allocated |CRYPTO_BUFFER| list and advances\n// |cbs|. Otherwise, it returns nullptr and sets |*out_alert| to an alert to\n// send to the peer.\nUniquePtr SSL_parse_CA_list(SSL *ssl,\n uint8_t *out_alert,\n CBS *cbs);\n\n// ssl_has_client_CAs returns whether there are configured CAs.\nbool ssl_has_client_CAs(const SSL_CONFIG *cfg);\n\n// ssl_add_client_CA_list adds the configured CA list to |cbb| in the format\n// used by a TLS CertificateRequest message. It returns true on success and\n// false on error.\nbool ssl_add_client_CA_list(const SSL_HANDSHAKE *hs, CBB *cbb);\n\n// ssl_has_CA_names returns whether there are configured CA names.\nbool ssl_has_CA_names(const SSL_CONFIG *cfg);\n\n// ssl_add_CA_names adds the configured CA_names list to |cbb| in the format\n// used by a TLS Certificate Authorities extension. It returns true on success\n// and false on error.\nbool ssl_add_CA_names(const SSL_HANDSHAKE *hs, CBB *cbb);\n\n// ssl_check_leaf_certificate returns one if |pkey| and |leaf| are suitable as\n// a server's leaf certificate for |hs|. Otherwise, it returns zero and pushes\n// an error on the error queue.\nbool ssl_check_leaf_certificate(SSL_HANDSHAKE *hs, EVP_PKEY *pkey,\n const CRYPTO_BUFFER *leaf);\n\n\n// TLS 1.3 key derivation.\n\n// tls13_init_key_schedule initializes the handshake hash and key derivation\n// state, and incorporates the PSK. The cipher suite and PRF hash must have been\n// selected at this point. It returns true on success and false on error.\nbool tls13_init_key_schedule(SSL_HANDSHAKE *hs, Span psk);\n\n// tls13_init_early_key_schedule initializes the handshake hash and key\n// derivation state from |session| for use with 0-RTT. It returns one on success\n// and zero on error.\nbool tls13_init_early_key_schedule(SSL_HANDSHAKE *hs,\n const SSL_SESSION *session);\n\n// tls13_advance_key_schedule incorporates |in| into the key schedule with\n// HKDF-Extract. It returns true on success and false on error.\nbool tls13_advance_key_schedule(SSL_HANDSHAKE *hs, Span in);\n\n// tls13_set_traffic_key sets the read or write traffic keys to\n// |traffic_secret|. The version and cipher suite are determined from |session|.\n// It returns true on success and false on error.\nbool tls13_set_traffic_key(SSL *ssl, enum ssl_encryption_level_t level,\n enum evp_aead_direction_t direction,\n const SSL_SESSION *session,\n Span traffic_secret);\n\n// tls13_derive_early_secret derives the early traffic secret. It returns true\n// on success and false on error.\nbool tls13_derive_early_secret(SSL_HANDSHAKE *hs);\n\n// tls13_derive_handshake_secrets derives the handshake traffic secret. It\n// returns true on success and false on error.\nbool tls13_derive_handshake_secrets(SSL_HANDSHAKE *hs);\n\n// tls13_rotate_traffic_key derives the next read or write traffic secret. It\n// returns true on success and false on error.\nbool tls13_rotate_traffic_key(SSL *ssl, enum evp_aead_direction_t direction);\n\n// tls13_derive_application_secrets derives the initial application data traffic\n// and exporter secrets based on the handshake transcripts and |master_secret|.\n// It returns true on success and false on error.\nbool tls13_derive_application_secrets(SSL_HANDSHAKE *hs);\n\n// tls13_derive_resumption_secret derives the |resumption_secret|.\nbool tls13_derive_resumption_secret(SSL_HANDSHAKE *hs);\n\n// tls13_export_keying_material provides an exporter interface to use the\n// |exporter_secret|.\nbool tls13_export_keying_material(SSL *ssl, Span out,\n Span secret,\n std::string_view label,\n Span context);\n\n// tls13_finished_mac calculates the MAC of the handshake transcript to verify\n// the integrity of the Finished message, and stores the result in |out| and\n// length in |out_len|. |is_server| is true if this is for the Server Finished\n// and false for the Client Finished.\nbool tls13_finished_mac(SSL_HANDSHAKE *hs, uint8_t *out, size_t *out_len,\n bool is_server);\n\n// tls13_derive_session_psk calculates the PSK for this session based on the\n// resumption master secret and |nonce|. It returns true on success, and false\n// on failure.\nbool tls13_derive_session_psk(SSL_SESSION *session, Span nonce,\n bool is_dtls);\n\n// tls13_write_psk_binder calculates the PSK binder value over |transcript| and\n// |msg|, and replaces the last bytes of |msg| with the resulting value. It\n// returns true on success, and false on failure. If |out_binder_len| is\n// non-NULL, it sets |*out_binder_len| to the length of the value computed.\nbool tls13_write_psk_binder(const SSL_HANDSHAKE *hs,\n const SSLTranscript &transcript, Span msg,\n size_t *out_binder_len);\n\n// tls13_verify_psk_binder verifies that the handshake transcript, truncated up\n// to the binders has a valid signature using the value of |session|'s\n// resumption secret. It returns true on success, and false on failure.\nbool tls13_verify_psk_binder(const SSL_HANDSHAKE *hs,\n const SSL_SESSION *session, const SSLMessage &msg,\n CBS *binders);\n\n\n// Encrypted ClientHello.\n\nstruct ECHConfig {\n static constexpr bool kAllowUniquePtr = true;\n // raw contains the serialized ECHConfig.\n Array raw;\n // The following fields alias into |raw|.\n Span public_key;\n Span public_name;\n Span cipher_suites;\n uint16_t kem_id = 0;\n uint8_t maximum_name_length = 0;\n uint8_t config_id = 0;\n};\n\nclass ECHServerConfig {\n public:\n static constexpr bool kAllowUniquePtr = true;\n ECHServerConfig() = default;\n ECHServerConfig(const ECHServerConfig &other) = delete;\n ECHServerConfig &operator=(ECHServerConfig &&) = delete;\n\n // Init parses |ech_config| as an ECHConfig and saves a copy of |key|.\n // It returns true on success and false on error.\n bool Init(Span ech_config, const EVP_HPKE_KEY *key,\n bool is_retry_config);\n\n // SetupContext sets up |ctx| for a new connection, given the specified\n // HPKE ciphersuite and encapsulated KEM key. It returns true on success and\n // false on error. This function may only be called on an initialized object.\n bool SetupContext(EVP_HPKE_CTX *ctx, uint16_t kdf_id, uint16_t aead_id,\n Span enc) const;\n\n const ECHConfig &ech_config() const { return ech_config_; }\n bool is_retry_config() const { return is_retry_config_; }\n\n private:\n ECHConfig ech_config_;\n ScopedEVP_HPKE_KEY key_;\n bool is_retry_config_ = false;\n};\n\nenum ssl_client_hello_type_t {\n ssl_client_hello_unencrypted,\n ssl_client_hello_inner,\n ssl_client_hello_outer,\n};\n\n// ECH_CLIENT_* are types for the ClientHello encrypted_client_hello extension.\n#define ECH_CLIENT_OUTER 0\n#define ECH_CLIENT_INNER 1\n\n// ssl_decode_client_hello_inner recovers the full ClientHelloInner from the\n// EncodedClientHelloInner |encoded_client_hello_inner| by replacing its\n// outer_extensions extension with the referenced extensions from the\n// ClientHelloOuter |client_hello_outer|. If successful, it writes the recovered\n// ClientHelloInner to |out_client_hello_inner|. It returns true on success and\n// false on failure.\n//\n// This function is exported for fuzzing.\nOPENSSL_EXPORT bool ssl_decode_client_hello_inner(\n SSL *ssl, uint8_t *out_alert, Array *out_client_hello_inner,\n Span encoded_client_hello_inner,\n const SSL_CLIENT_HELLO *client_hello_outer);\n\n// ssl_client_hello_decrypt attempts to decrypt and decode the |payload|. It\n// writes the result to |*out|. |payload| must point into |client_hello_outer|.\n// It returns true on success and false on error. On error, it sets\n// |*out_is_decrypt_error| to whether the failure was due to a bad ciphertext.\nbool ssl_client_hello_decrypt(SSL_HANDSHAKE *hs, uint8_t *out_alert,\n bool *out_is_decrypt_error, Array *out,\n const SSL_CLIENT_HELLO *client_hello_outer,\n Span payload);\n\n#define ECH_CONFIRMATION_SIGNAL_LEN 8\n\n// ssl_ech_confirmation_signal_hello_offset returns the offset of the ECH\n// confirmation signal in a ServerHello message, including the handshake header.\nsize_t ssl_ech_confirmation_signal_hello_offset(const SSL *ssl);\n\n// ssl_ech_accept_confirmation computes the server's ECH acceptance signal,\n// writing it to |out|. The transcript portion is the concatenation of\n// |transcript| with |msg|. The |ECH_CONFIRMATION_SIGNAL_LEN| bytes from\n// |offset| in |msg| are replaced with zeros before hashing. This function\n// returns true on success, and false on failure.\nbool ssl_ech_accept_confirmation(const SSL_HANDSHAKE *hs, Span out,\n Span client_random,\n const SSLTranscript &transcript, bool is_hrr,\n Span msg, size_t offset);\n\n// ssl_is_valid_ech_public_name returns true if |public_name| is a valid ECH\n// public name and false otherwise. It is exported for testing.\nOPENSSL_EXPORT bool ssl_is_valid_ech_public_name(\n Span public_name);\n\n// ssl_is_valid_ech_config_list returns true if |ech_config_list| is a valid\n// ECHConfigList structure and false otherwise.\nbool ssl_is_valid_ech_config_list(Span ech_config_list);\n\n// ssl_select_ech_config selects an ECHConfig and associated parameters to offer\n// on the client and updates |hs|. It returns true on success, whether an\n// ECHConfig was found or not, and false on internal error. On success, the\n// encapsulated key is written to |out_enc| and |*out_enc_len| is set to the\n// number of bytes written. If the function did not select an ECHConfig, the\n// encapsulated key is the empty string.\nbool ssl_select_ech_config(SSL_HANDSHAKE *hs, Span out_enc,\n size_t *out_enc_len);\n\n// ssl_ech_extension_body_length returns the length of the body of a ClientHello\n// ECH extension that encrypts |in_len| bytes with |aead| and an 'enc' value of\n// length |enc_len|. The result does not include the four-byte extension header.\nsize_t ssl_ech_extension_body_length(const EVP_HPKE_AEAD *aead, size_t enc_len,\n size_t in_len);\n\n// ssl_encrypt_client_hello constructs a new ClientHelloInner, adds it to the\n// inner transcript, and encrypts for inclusion in the ClientHelloOuter. |enc|\n// is the encapsulated key to include in the extension. It returns true on\n// success and false on error. If not offering ECH, |enc| is ignored and the\n// function will compute a GREASE ECH extension if necessary, and otherwise\n// return success while doing nothing.\n//\n// Encrypting the ClientHelloInner incorporates all extensions in the\n// ClientHelloOuter, so all other state necessary for |ssl_add_client_hello|\n// must already be computed.\nbool ssl_encrypt_client_hello(SSL_HANDSHAKE *hs, Span enc);\n\n\n// Credentials.\n\nenum class SSLCredentialType {\n kX509,\n kDelegated,\n};\n\nBSSL_NAMESPACE_END\n\n// SSL_CREDENTIAL is exported to C, so it must be defined outside the namespace.\nstruct ssl_credential_st : public bssl::RefCounted {\n explicit ssl_credential_st(bssl::SSLCredentialType type);\n ssl_credential_st(const ssl_credential_st &) = delete;\n ssl_credential_st &operator=(const ssl_credential_st &) = delete;\n\n // Dup returns a copy of the credential, or nullptr on error. The |ex_data|\n // values are not copied. This is only used on the legacy credential, whose\n // |ex_data| is inaccessible.\n bssl::UniquePtr Dup() const;\n\n // ClearCertAndKey erases any certificate and private key on the credential.\n void ClearCertAndKey();\n\n // UsesX509 returns true if the credential type uses an X.509 certificate.\n bool UsesX509() const;\n\n // UsesPrivateKey returns true if the credential type uses an asymmetric\n // private key.\n bool UsesPrivateKey() const;\n\n // IsComplete returns whether all required fields in the credential have been\n // filled in.\n bool IsComplete() const;\n\n // SetLeafCert sets the leaf certificate to |leaf|, leaving the remaining\n // certificates unmodified. It returns true on success and false on error. If\n // |discard_key_on_mismatch| is true and the private key is inconsistent with\n // the new leaf certificate, it is silently discarded.\n bool SetLeafCert(bssl::UniquePtr leaf,\n bool discard_key_on_mismatch);\n\n // ClearIntermediateCerts clears intermediate certificates in the certificate\n // chain, while preserving the leaf.\n void ClearIntermediateCerts();\n\n // AppendIntermediateCert appends |cert| to the certificate chain. If there is\n // no leaf certificate configured, it leaves a placeholder null in |chain|. It\n // returns one on success and zero on error.\n bool AppendIntermediateCert(bssl::UniquePtr cert);\n\n // ChainContainsIssuer returns true if |dn| is a byte for byte match with the\n // issuer of any certificate in |chain|, false otherwise.\n bool ChainContainsIssuer(bssl::Span dn) const;\n\n // type is the credential type and determines which other fields apply.\n bssl::SSLCredentialType type;\n\n // pubkey is the cached public key of the credential. Unlike |privkey|, it is\n // always present and is extracted from the certificate, delegated credential,\n // etc.\n bssl::UniquePtr pubkey;\n\n // privkey is the private key of the credential. It may be omitted in favor of\n // |key_method|.\n bssl::UniquePtr privkey;\n\n // key_method, if non-null, is a set of callbacks to call for private key\n // operations.\n const SSL_PRIVATE_KEY_METHOD *key_method = nullptr;\n\n // sigalgs, if non-empty, is the set of signature algorithms supported by the\n // private key in decreasing order of preference. If empty, the default list\n // is used.\n //\n // In delegated credentials, this field is not configurable and is instead\n // computed from the dc_cert_verify_algorithm field.\n bssl::Array sigalgs;\n\n // chain contains the certificate chain, with the leaf at the beginning. The\n // first element of |chain| may be nullptr to indicate that the leaf\n // certificate has not yet been set.\n // If |chain| != nullptr -> len(chain) >= 1\n // If |chain[0]| == nullptr -> len(chain) >= 2.\n // |chain[1..]| != nullptr\n bssl::UniquePtr chain;\n\n // dc is the DelegatedCredential structure, if this is a delegated credential.\n bssl::UniquePtr dc;\n\n // dc_algorithm is the signature scheme of the signature over the delegated\n // credential itself, made by the end-entity certificate's public key.\n uint16_t dc_algorithm = 0;\n\n // Signed certificate timestamp list to be sent to the client, if requested\n bssl::UniquePtr signed_cert_timestamp_list;\n\n // OCSP response to be sent to the client, if requested.\n bssl::UniquePtr ocsp_response;\n\n CRYPTO_EX_DATA ex_data;\n\n // must_match_issuer is a flag indicating that this credential should be\n // considered only when it matches a peer request for a particular issuer via\n // a negotiation mechanism (such as the certificate_authorities extension).\n bool must_match_issuer = false;\n\n private:\n friend RefCounted;\n ~ssl_credential_st();\n};\n\nBSSL_NAMESPACE_BEGIN\n\n// ssl_get_credential_list computes |hs|'s credential list. On success, it\n// writes it to |*out| and returns true. Otherwise, it returns false. The\n// credential list may be empty, in which case this function will successfully\n// return an empty array.\n//\n// The pointers in the result are only valid until |hs| is next mutated.\nbool ssl_get_credential_list(SSL_HANDSHAKE *hs, Array *out);\n\n// ssl_credential_matches_requested_issuers returns true if |cred| is a\n// usable match for any requested issuers in |hs|, and false with an error\n// otherwise.\nbool ssl_credential_matches_requested_issuers(SSL_HANDSHAKE *hs,\n const SSL_CREDENTIAL *cred);\n\n// Handshake functions.\n\nenum ssl_hs_wait_t {\n ssl_hs_error,\n ssl_hs_ok,\n ssl_hs_read_server_hello,\n ssl_hs_read_message,\n ssl_hs_flush,\n ssl_hs_certificate_selection_pending,\n ssl_hs_handoff,\n ssl_hs_handback,\n ssl_hs_x509_lookup,\n ssl_hs_private_key_operation,\n ssl_hs_pending_session,\n ssl_hs_pending_ticket,\n ssl_hs_early_return,\n ssl_hs_early_data_rejected,\n ssl_hs_read_end_of_early_data,\n ssl_hs_read_change_cipher_spec,\n ssl_hs_certificate_verify,\n ssl_hs_hints_ready,\n};\n\nenum ssl_grease_index_t {\n ssl_grease_cipher = 0,\n ssl_grease_group,\n ssl_grease_extension1,\n ssl_grease_extension2,\n ssl_grease_version,\n ssl_grease_ticket_extension,\n ssl_grease_ech_config_id,\n ssl_grease_last_index = ssl_grease_ech_config_id,\n};\n\nenum tls12_server_hs_state_t {\n state12_start_accept = 0,\n state12_read_client_hello,\n state12_read_client_hello_after_ech,\n state12_cert_callback,\n state12_tls13,\n state12_select_parameters,\n state12_send_server_hello,\n state12_send_server_certificate,\n state12_send_server_key_exchange,\n state12_send_server_hello_done,\n state12_read_client_certificate,\n state12_verify_client_certificate,\n state12_read_client_key_exchange,\n state12_read_client_certificate_verify,\n state12_read_change_cipher_spec,\n state12_process_change_cipher_spec,\n state12_read_next_proto,\n state12_read_channel_id,\n state12_read_client_finished,\n state12_send_server_finished,\n state12_finish_server_handshake,\n state12_done,\n};\n\nenum tls13_server_hs_state_t {\n state13_select_parameters = 0,\n state13_select_session,\n state13_send_hello_retry_request,\n state13_read_second_client_hello,\n state13_send_server_hello,\n state13_send_server_certificate_verify,\n state13_send_server_finished,\n state13_send_half_rtt_ticket,\n state13_read_second_client_flight,\n state13_process_end_of_early_data,\n state13_read_client_encrypted_extensions,\n state13_read_client_certificate,\n state13_read_client_certificate_verify,\n state13_read_channel_id,\n state13_read_client_finished,\n state13_send_new_session_ticket,\n state13_done,\n};\n\n// handback_t lists the points in the state machine where a handback can occur.\n// These are the different points at which key material is no longer needed.\nenum handback_t {\n handback_after_session_resumption = 0,\n handback_after_ecdhe = 1,\n handback_after_handshake = 2,\n handback_tls13 = 3,\n handback_max_value = handback_tls13,\n};\n\n// SSL_HANDSHAKE_HINTS contains handshake hints for a connection. See\n// |SSL_request_handshake_hints| and related functions.\nstruct SSL_HANDSHAKE_HINTS {\n static constexpr bool kAllowUniquePtr = true;\n\n Array server_random_tls12;\n Array server_random_tls13;\n\n uint16_t key_share_group_id = 0;\n Array key_share_ciphertext;\n Array key_share_secret;\n\n uint16_t signature_algorithm = 0;\n Array signature_input;\n Array signature_spki;\n Array signature;\n\n Array decrypted_psk;\n bool ignore_psk = false;\n\n uint16_t cert_compression_alg_id = 0;\n Array cert_compression_input;\n Array cert_compression_output;\n\n uint16_t ecdhe_group_id = 0;\n Array ecdhe_public_key;\n Array ecdhe_private_key;\n\n Array decrypted_ticket;\n bool renew_ticket = false;\n bool ignore_ticket = false;\n};\n\nstruct SSL_HANDSHAKE {\n explicit SSL_HANDSHAKE(SSL *ssl);\n ~SSL_HANDSHAKE();\n static constexpr bool kAllowUniquePtr = true;\n\n // ssl is a non-owning pointer to the parent |SSL| object.\n SSL *ssl;\n\n // config is a non-owning pointer to the handshake configuration.\n SSL_CONFIG *config;\n\n // wait contains the operation the handshake is currently blocking on or\n // |ssl_hs_ok| if none.\n enum ssl_hs_wait_t wait = ssl_hs_ok;\n\n // state is the internal state for the TLS 1.2 and below handshake. Its\n // values depend on |do_handshake| but the starting state is always zero.\n int state = 0;\n\n // tls13_state is the internal state for the TLS 1.3 handshake. Its values\n // depend on |do_handshake| but the starting state is always zero.\n int tls13_state = 0;\n\n // min_version is the minimum accepted protocol version, taking account both\n // |SSL_OP_NO_*| and |SSL_CTX_set_min_proto_version| APIs.\n uint16_t min_version = 0;\n\n // max_version is the maximum accepted protocol version, taking account both\n // |SSL_OP_NO_*| and |SSL_CTX_set_max_proto_version| APIs.\n uint16_t max_version = 0;\n\n InplaceVector secret;\n InplaceVector early_traffic_secret;\n InplaceVector client_handshake_secret;\n InplaceVector server_handshake_secret;\n InplaceVector client_traffic_secret_0;\n InplaceVector server_traffic_secret_0;\n InplaceVector expected_client_finished;\n\n // GetClientHello, on the server, returns either the normal ClientHello\n // message or the ClientHelloInner if it has been serialized to\n // |ech_client_hello_buf|. This function should only be called when the\n // current message is a ClientHello. It returns true on success and false on\n // error.\n //\n // Note that fields of the returned |out_msg| and |out_client_hello| point\n // into a handshake-owned buffer, so their lifetimes should not exceed this\n // SSL_HANDSHAKE.\n bool GetClientHello(SSLMessage *out_msg, SSL_CLIENT_HELLO *out_client_hello);\n\n union {\n // sent is a bitset where the bits correspond to elements of kExtensions\n // in extensions.cc. Each bit is set if that extension was sent in a\n // ClientHello. It's not used by servers.\n uint32_t sent = 0;\n // received is a bitset, like |sent|, but is used by servers to record\n // which extensions were received from a client.\n uint32_t received;\n } extensions;\n\n // inner_extensions_sent, on clients that offer ECH, is |extensions.sent| for\n // the ClientHelloInner.\n uint32_t inner_extensions_sent = 0;\n\n // error, if |wait| is |ssl_hs_error|, is the error the handshake failed on.\n UniquePtr error;\n\n // key_shares are the current key exchange instances. The second is only used\n // as a client if we believe that we should offer two key shares in a\n // ClientHello.\n UniquePtr key_shares[2];\n\n // transcript is the current handshake transcript.\n SSLTranscript transcript;\n\n // inner_transcript, on the client, is the handshake transcript for the\n // ClientHelloInner handshake. It is moved to |transcript| if the server\n // accepts ECH.\n SSLTranscript inner_transcript;\n\n // inner_client_random is the ClientHello random value used with\n // ClientHelloInner.\n uint8_t inner_client_random[SSL3_RANDOM_SIZE] = {0};\n\n // cookie is the value of the cookie in HelloRetryRequest, or empty if none\n // was received.\n Array cookie;\n\n // dtls_cookie is the value of the cookie in DTLS HelloVerifyRequest. If\n // empty, either none was received or HelloVerifyRequest contained an empty\n // cookie. Check the received_hello_verify_request field to distinguish an\n // empty cookie from no HelloVerifyRequest message being received.\n Array dtls_cookie;\n\n // ech_client_outer contains the outer ECH extension to send in the\n // ClientHello, excluding the header and type byte.\n Array ech_client_outer;\n\n // ech_retry_configs, on the client, contains the retry configs from the\n // server as a serialized ECHConfigList.\n Array ech_retry_configs;\n\n // ech_client_hello_buf, on the server, contains the bytes of the\n // reconstructed ClientHelloInner message.\n Array ech_client_hello_buf;\n\n // key_share_bytes is the key_share extension that the client should send.\n Array key_share_bytes;\n\n // key_share_ciphertext, for servers, is encapsulated shared secret to be sent\n // to the client in the TLS 1.3 key_share extension.\n Array key_share_ciphertext;\n\n // peer_sigalgs are the signature algorithms that the peer supports. These are\n // taken from the contents of the signature algorithms extension for a server\n // or from the CertificateRequest for a client.\n Array peer_sigalgs;\n\n // peer_supported_group_list contains the supported group IDs advertised by\n // the peer. This is only set on the server's end. The server does not\n // advertise this extension to the client.\n Array peer_supported_group_list;\n\n // peer_delegated_credential_sigalgs are the signature algorithms the peer\n // supports with delegated credentials, or empty if the peer does not support\n // delegated credentials.\n Array peer_delegated_credential_sigalgs;\n\n // peer_key is the peer's ECDH key for a TLS 1.2 client.\n Array peer_key;\n\n // extension_permutation is the permutation to apply to ClientHello\n // extensions. It maps indices into the |kExtensions| table into other\n // indices.\n Array extension_permutation;\n\n // cert_compression_alg_id, for a server, contains the negotiated certificate\n // compression algorithm for this client. It is only valid if\n // |cert_compression_negotiated| is true.\n uint16_t cert_compression_alg_id;\n\n // ech_hpke_ctx is the HPKE context used in ECH. On the server, it is\n // initialized if |ech_status| is |ssl_ech_accepted|. On the client, it is\n // initialized if |selected_ech_config| is not nullptr.\n ScopedEVP_HPKE_CTX ech_hpke_ctx;\n\n // server_params, in a TLS 1.2 server, stores the ServerKeyExchange\n // parameters. It has client and server randoms prepended for signing\n // convenience.\n Array server_params;\n\n // peer_psk_identity_hint, on the client, is the psk_identity_hint sent by the\n // server when using a TLS 1.2 PSK key exchange.\n UniquePtr peer_psk_identity_hint;\n\n // ca_names contains the list of CAs received via the Certificate Authorities\n // extension in our peer's CertificateRequest or ClientHello message\n UniquePtr ca_names;\n\n // cached_x509_ca_names contains a cache of parsed versions of the elements of\n // |ca_names|. This pointer is left non-owning so only\n // |ssl_crypto_x509_method| needs to link against crypto/x509.\n STACK_OF(X509_NAME) *cached_x509_ca_names = nullptr;\n\n // certificate_types, on the client, contains the set of certificate types\n // received in a CertificateRequest message.\n Array certificate_types;\n\n // credential is the credential we are using for the handshake.\n UniquePtr credential;\n\n // peer_pubkey is the public key parsed from the peer's leaf certificate.\n UniquePtr peer_pubkey;\n\n // new_session is the new mutable session being established by the current\n // handshake. It should not be cached.\n UniquePtr new_session;\n\n // early_session is the session corresponding to the current 0-RTT state on\n // the client if |in_early_data| is true.\n UniquePtr early_session;\n\n // ssl_ech_keys, for servers, is the set of ECH keys to use with this\n // handshake. This is copied from |SSL_CTX| to ensure consistent behavior as\n // |SSL_CTX| rotates keys.\n UniquePtr ech_keys;\n\n // selected_ech_config, for clients, is the ECHConfig the client uses to offer\n // ECH, or nullptr if ECH is not being offered. If non-NULL, |ech_hpke_ctx|\n // will be initialized.\n UniquePtr selected_ech_config;\n\n // new_cipher is the cipher being negotiated in this handshake.\n const SSL_CIPHER *new_cipher = nullptr;\n\n // key_block is the record-layer key block for TLS 1.2 and earlier.\n Array key_block;\n\n // hints contains the handshake hints for this connection. If\n // |hints_requested| is true, this field is non-null and contains the pending\n // hints to filled as the predicted handshake progresses. Otherwise, this\n // field, if non-null, contains hints configured by the caller and will\n // influence the handshake on match.\n UniquePtr hints;\n\n // ech_is_inner, on the server, indicates whether the ClientHello contained an\n // inner ECH extension.\n bool ech_is_inner : 1;\n\n // ech_authenticated_reject, on the client, indicates whether an ECH rejection\n // handshake has been authenticated.\n bool ech_authenticated_reject : 1;\n\n // scts_requested is true if the SCT extension is in the ClientHello.\n bool scts_requested : 1;\n\n // handshake_finalized is true once the handshake has completed, at which\n // point accessors should use the established state.\n bool handshake_finalized : 1;\n\n // accept_psk_mode stores whether the client's PSK mode is compatible with our\n // preferences.\n bool accept_psk_mode : 1;\n\n // cert_request is true if a client certificate was requested.\n bool cert_request : 1;\n\n // certificate_status_expected is true if OCSP stapling was negotiated and the\n // server is expected to send a CertificateStatus message. (This is used on\n // both the client and server sides.)\n bool certificate_status_expected : 1;\n\n // ocsp_stapling_requested is true if a client requested OCSP stapling.\n bool ocsp_stapling_requested : 1;\n\n // should_ack_sni is used by a server and indicates that the SNI extension\n // should be echoed in the ServerHello.\n bool should_ack_sni : 1;\n\n // in_false_start is true if there is a pending client handshake in False\n // Start. The client may write data at this point.\n bool in_false_start : 1;\n\n // in_early_data is true if there is a pending handshake that has progressed\n // enough to send and receive early data.\n bool in_early_data : 1;\n\n // early_data_offered is true if the client sent the early_data extension.\n bool early_data_offered : 1;\n\n // can_early_read is true if application data may be read at this point in the\n // handshake.\n bool can_early_read : 1;\n\n // can_early_write is true if application data may be written at this point in\n // the handshake.\n bool can_early_write : 1;\n\n // is_early_version is true if the protocol version configured is not\n // necessarily the final version and is just the predicted 0-RTT version.\n bool is_early_version : 1;\n\n // next_proto_neg_seen is one of NPN was negotiated.\n bool next_proto_neg_seen : 1;\n\n // ticket_expected is true if a TLS 1.2 NewSessionTicket message is to be sent\n // or received.\n bool ticket_expected : 1;\n\n // extended_master_secret is true if the extended master secret extension is\n // negotiated in this handshake.\n bool extended_master_secret : 1;\n\n // pending_private_key_op is true if there is a pending private key operation\n // in progress.\n bool pending_private_key_op : 1;\n\n // handback indicates that a server should pause the handshake after\n // finishing operations that require private key material, in such a way that\n // |SSL_get_error| returns |SSL_ERROR_HANDBACK|. It is set by\n // |SSL_apply_handoff|.\n bool handback : 1;\n\n // hints_requested indicates the caller has requested handshake hints. Only\n // the first round-trip of the handshake will complete, after which the\n // |hints| structure can be serialized.\n bool hints_requested : 1;\n\n // cert_compression_negotiated is true iff |cert_compression_alg_id| is valid.\n bool cert_compression_negotiated : 1;\n\n // apply_jdk11_workaround is true if the peer is probably a JDK 11 client\n // which implemented TLS 1.3 incorrectly.\n bool apply_jdk11_workaround : 1;\n\n // can_release_private_key is true if the private key will no longer be used\n // in this handshake.\n bool can_release_private_key : 1;\n\n // channel_id_negotiated is true if Channel ID should be used in this\n // handshake.\n bool channel_id_negotiated : 1;\n\n // received_hello_verify_request is true if we received a HelloVerifyRequest\n // message from the server.\n bool received_hello_verify_request : 1;\n\n // client_version is the value sent or received in the ClientHello version.\n uint16_t client_version = 0;\n\n // early_data_read is the amount of early data that has been read by the\n // record layer.\n uint16_t early_data_read = 0;\n\n // early_data_written is the amount of early data that has been written by the\n // record layer.\n uint16_t early_data_written = 0;\n\n // signature_algorithm is the signature algorithm to be used in signing with\n // the selected credential, or zero if not applicable or not yet selected.\n uint16_t signature_algorithm = 0;\n\n // ech_config_id is the ECH config sent by the client.\n uint8_t ech_config_id = 0;\n\n // session_id is the session ID in the ClientHello.\n InplaceVector session_id;\n\n // grease_seed is the entropy for GREASE values.\n uint8_t grease_seed[ssl_grease_last_index + 1] = {0};\n};\n\n// kMaxTickets is the maximum number of tickets to send immediately after the\n// handshake. We use a one-byte ticket nonce, and there is no point in sending\n// so many tickets.\nconstexpr size_t kMaxTickets = 16;\n\nUniquePtr ssl_handshake_new(SSL *ssl);\n\n// ssl_check_message_type checks if |msg| has type |type|. If so it returns\n// one. Otherwise, it sends an alert and returns zero.\nbool ssl_check_message_type(SSL *ssl, const SSLMessage &msg, int type);\n\n// ssl_run_handshake runs the TLS handshake. It returns one on success and <= 0\n// on error. It sets |out_early_return| to one if we've completed the handshake\n// early.\nint ssl_run_handshake(SSL_HANDSHAKE *hs, bool *out_early_return);\n\n// The following are implementations of |do_handshake| for the client and\n// server.\nenum ssl_hs_wait_t ssl_client_handshake(SSL_HANDSHAKE *hs);\nenum ssl_hs_wait_t ssl_server_handshake(SSL_HANDSHAKE *hs);\nenum ssl_hs_wait_t tls13_client_handshake(SSL_HANDSHAKE *hs);\nenum ssl_hs_wait_t tls13_server_handshake(SSL_HANDSHAKE *hs);\n\n// The following functions return human-readable representations of the TLS\n// handshake states for debugging.\nconst char *ssl_client_handshake_state(SSL_HANDSHAKE *hs);\nconst char *ssl_server_handshake_state(SSL_HANDSHAKE *hs);\nconst char *tls13_client_handshake_state(SSL_HANDSHAKE *hs);\nconst char *tls13_server_handshake_state(SSL_HANDSHAKE *hs);\n\n// tls13_add_key_update queues a KeyUpdate message on |ssl|. |request_type| must\n// be one of |SSL_KEY_UPDATE_REQUESTED| or |SSL_KEY_UPDATE_NOT_REQUESTED|.\nbool tls13_add_key_update(SSL *ssl, int request_type);\n\n// tls13_post_handshake processes a post-handshake message. It returns true on\n// success and false on failure.\nbool tls13_post_handshake(SSL *ssl, const SSLMessage &msg);\n\nbool tls13_process_certificate(SSL_HANDSHAKE *hs, const SSLMessage &msg,\n bool allow_anonymous);\nbool tls13_process_certificate_verify(SSL_HANDSHAKE *hs, const SSLMessage &msg);\n\n// tls13_process_finished processes |msg| as a Finished message from the\n// peer. If |use_saved_value| is true, the verify_data is compared against\n// |hs->expected_client_finished| rather than computed fresh.\nbool tls13_process_finished(SSL_HANDSHAKE *hs, const SSLMessage &msg,\n bool use_saved_value);\n\nbool tls13_add_certificate(SSL_HANDSHAKE *hs);\n\n// tls13_add_certificate_verify adds a TLS 1.3 CertificateVerify message to the\n// handshake. If it returns |ssl_private_key_retry|, it should be called again\n// to retry when the signing operation is completed.\nenum ssl_private_key_result_t tls13_add_certificate_verify(SSL_HANDSHAKE *hs);\n\nbool tls13_add_finished(SSL_HANDSHAKE *hs);\nbool tls13_process_new_session_ticket(SSL *ssl, const SSLMessage &msg);\nbssl::UniquePtr tls13_create_session_with_ticket(SSL *ssl,\n CBS *body);\n\n// ssl_setup_extension_permutation computes a ClientHello extension permutation\n// for |hs|, if applicable. It returns true on success and false on error.\nbool ssl_setup_extension_permutation(SSL_HANDSHAKE *hs);\n\n// ssl_setup_key_shares computes client key shares and saves them in |hs|. It\n// returns true on success and false on failure. If |override_group_id| is zero,\n// it offers the default groups, including GREASE. If it is non-zero, it offers\n// a single key share of the specified group.\nbool ssl_setup_key_shares(SSL_HANDSHAKE *hs, uint16_t override_group_id);\n\nbool ssl_ext_key_share_parse_serverhello(SSL_HANDSHAKE *hs,\n Array *out_secret,\n uint8_t *out_alert, CBS *contents);\nbool ssl_ext_key_share_parse_clienthello(SSL_HANDSHAKE *hs, bool *out_found,\n Span *out_peer_key,\n uint8_t *out_alert,\n const SSL_CLIENT_HELLO *client_hello);\nbool ssl_ext_key_share_add_serverhello(SSL_HANDSHAKE *hs, CBB *out);\n\nbool ssl_ext_pre_shared_key_parse_serverhello(SSL_HANDSHAKE *hs,\n uint8_t *out_alert,\n CBS *contents);\nbool ssl_ext_pre_shared_key_parse_clienthello(\n SSL_HANDSHAKE *hs, CBS *out_ticket, CBS *out_binders,\n uint32_t *out_obfuscated_ticket_age, uint8_t *out_alert,\n const SSL_CLIENT_HELLO *client_hello, CBS *contents);\nbool ssl_ext_pre_shared_key_add_serverhello(SSL_HANDSHAKE *hs, CBB *out);\n\n// ssl_is_sct_list_valid does a shallow parse of the SCT list in |contents| and\n// returns whether it's valid.\nbool ssl_is_sct_list_valid(const CBS *contents);\n\n// ssl_write_client_hello_without_extensions writes a ClientHello to |out|,\n// up to the extensions field. |type| determines the type of ClientHello to\n// write. If |omit_session_id| is true, the session ID is empty.\nbool ssl_write_client_hello_without_extensions(const SSL_HANDSHAKE *hs,\n CBB *cbb,\n ssl_client_hello_type_t type,\n bool empty_session_id);\n\n// ssl_add_client_hello constructs a ClientHello and adds it to the outgoing\n// flight. It returns true on success and false on error.\nbool ssl_add_client_hello(SSL_HANDSHAKE *hs);\n\nstruct ParsedServerHello {\n CBS raw;\n uint16_t legacy_version = 0;\n CBS random;\n CBS session_id;\n uint16_t cipher_suite = 0;\n uint8_t compression_method = 0;\n CBS extensions;\n};\n\n// ssl_parse_server_hello parses |msg| as a ServerHello. On success, it writes\n// the result to |*out| and returns true. Otherwise, it returns false and sets\n// |*out_alert| to an alert to send to the peer.\nbool ssl_parse_server_hello(ParsedServerHello *out, uint8_t *out_alert,\n const SSLMessage &msg);\n\nenum ssl_cert_verify_context_t {\n ssl_cert_verify_server,\n ssl_cert_verify_client,\n ssl_cert_verify_channel_id,\n};\n\n// tls13_get_cert_verify_signature_input generates the message to be signed for\n// TLS 1.3's CertificateVerify message. |cert_verify_context| determines the\n// type of signature. It sets |*out| to a newly allocated buffer containing the\n// result. This function returns true on success and false on failure.\nbool tls13_get_cert_verify_signature_input(\n SSL_HANDSHAKE *hs, Array *out,\n enum ssl_cert_verify_context_t cert_verify_context);\n\n// ssl_is_valid_alpn_list returns whether |in| is a valid ALPN protocol list.\nbool ssl_is_valid_alpn_list(Span in);\n\n// ssl_is_alpn_protocol_allowed returns whether |protocol| is a valid server\n// selection for |hs->ssl|'s client preferences.\nbool ssl_is_alpn_protocol_allowed(const SSL_HANDSHAKE *hs,\n Span protocol);\n\n// ssl_alpn_list_contains_protocol returns whether |list|, a serialized ALPN\n// protocol list, contains |protocol|.\nbool ssl_alpn_list_contains_protocol(Span list,\n Span protocol);\n\n// ssl_negotiate_alpn negotiates the ALPN extension, if applicable. It returns\n// true on successful negotiation or if nothing was negotiated. It returns false\n// and sets |*out_alert| to an alert on error.\nbool ssl_negotiate_alpn(SSL_HANDSHAKE *hs, uint8_t *out_alert,\n const SSL_CLIENT_HELLO *client_hello);\n\n// ssl_get_local_application_settings looks up the configured ALPS value for\n// |protocol|. If found, it sets |*out_settings| to the value and returns true.\n// Otherwise, it returns false.\nbool ssl_get_local_application_settings(const SSL_HANDSHAKE *hs,\n Span *out_settings,\n Span protocol);\n\n// ssl_negotiate_alps negotiates the ALPS extension, if applicable. It returns\n// true on successful negotiation or if nothing was negotiated. It returns false\n// and sets |*out_alert| to an alert on error.\nbool ssl_negotiate_alps(SSL_HANDSHAKE *hs, uint8_t *out_alert,\n const SSL_CLIENT_HELLO *client_hello);\n\nstruct SSLExtension {\n SSLExtension(uint16_t type_arg, bool allowed_arg = true)\n : type(type_arg), allowed(allowed_arg), present(false) {\n CBS_init(&data, nullptr, 0);\n }\n\n uint16_t type;\n bool allowed;\n bool present;\n CBS data;\n};\n\n// ssl_parse_extensions parses a TLS extensions block out of |cbs| and advances\n// it. It writes the parsed extensions to pointers in |extensions|. On success,\n// it fills in the |present| and |data| fields and returns true. Otherwise, it\n// sets |*out_alert| to an alert to send and returns false. Unknown extensions\n// are rejected unless |ignore_unknown| is true.\nbool ssl_parse_extensions(const CBS *cbs, uint8_t *out_alert,\n std::initializer_list extensions,\n bool ignore_unknown);\n\n// ssl_verify_peer_cert verifies the peer certificate for |hs|.\nenum ssl_verify_result_t ssl_verify_peer_cert(SSL_HANDSHAKE *hs);\n// ssl_reverify_peer_cert verifies the peer certificate for |hs| when resuming a\n// session.\nenum ssl_verify_result_t ssl_reverify_peer_cert(SSL_HANDSHAKE *hs,\n bool send_alert);\n\nenum ssl_hs_wait_t ssl_get_finished(SSL_HANDSHAKE *hs);\n\n// ssl_send_finished adds a Finished message to the current flight of messages.\n// It returns true on success and false on error.\nbool ssl_send_finished(SSL_HANDSHAKE *hs);\n\n// ssl_send_tls12_certificate adds a TLS 1.2 Certificate message to the current\n// flight of messages. It returns true on success and false on error.\nbool ssl_send_tls12_certificate(SSL_HANDSHAKE *hs);\n\n// ssl_handshake_session returns the |SSL_SESSION| corresponding to the current\n// handshake. Note, in TLS 1.2 resumptions, this session is immutable.\nconst SSL_SESSION *ssl_handshake_session(const SSL_HANDSHAKE *hs);\n\n// ssl_done_writing_client_hello is called after the last ClientHello is written\n// by |hs|. It releases some memory that is no longer needed.\nvoid ssl_done_writing_client_hello(SSL_HANDSHAKE *hs);\n\n\n// SSLKEYLOGFILE functions.\n\n// ssl_log_secret logs |secret| with label |label|, if logging is enabled for\n// |ssl|. It returns true on success and false on failure.\nbool ssl_log_secret(const SSL *ssl, const char *label,\n Span secret);\n\n\n// ClientHello functions.\n\n// ssl_client_hello_init parses |body| as a ClientHello message, excluding the\n// message header, and writes the result to |*out|. It returns true on success\n// and false on error. This function is exported for testing.\nOPENSSL_EXPORT bool ssl_client_hello_init(const SSL *ssl, SSL_CLIENT_HELLO *out,\n Span body);\n\nbool ssl_parse_client_hello_with_trailing_data(const SSL *ssl, CBS *cbs,\n SSL_CLIENT_HELLO *out);\n\nbool ssl_client_hello_get_extension(const SSL_CLIENT_HELLO *client_hello,\n CBS *out, uint16_t extension_type);\n\nbool ssl_client_cipher_list_contains_cipher(\n const SSL_CLIENT_HELLO *client_hello, uint16_t id);\n\n\n// GREASE.\n\n// ssl_get_grease_value returns a GREASE value for |hs|. For a given\n// connection, the values for each index will be deterministic. This allows the\n// same ClientHello be sent twice for a HelloRetryRequest or the same group be\n// advertised in both supported_groups and key_shares.\nuint16_t ssl_get_grease_value(const SSL_HANDSHAKE *hs,\n enum ssl_grease_index_t index);\n\n\n// Signature algorithms.\n\n// tls1_parse_peer_sigalgs parses |sigalgs| as the list of peer signature\n// algorithms and saves them on |hs|. It returns true on success and false on\n// error.\nbool tls1_parse_peer_sigalgs(SSL_HANDSHAKE *hs, const CBS *sigalgs);\n\n// tls1_get_legacy_signature_algorithm sets |*out| to the signature algorithm\n// that should be used with |pkey| in TLS 1.1 and earlier. It returns true on\n// success and false if |pkey| may not be used at those versions.\nbool tls1_get_legacy_signature_algorithm(uint16_t *out, const EVP_PKEY *pkey);\n\n// tls1_choose_signature_algorithm sets |*out| to a signature algorithm for use\n// with |cred| based on the peer's preferences and the algorithms supported. It\n// returns true on success and false on error.\nbool tls1_choose_signature_algorithm(SSL_HANDSHAKE *hs,\n const SSL_CREDENTIAL *cred, uint16_t *out);\n\n// tls12_add_verify_sigalgs adds the signature algorithms acceptable for the\n// peer signature to |out|. It returns true on success and false on error.\nbool tls12_add_verify_sigalgs(const SSL_HANDSHAKE *hs, CBB *out);\n\n// tls12_check_peer_sigalg checks if |sigalg| is acceptable for the peer\n// signature from |pkey|. It returns true on success and false on error, setting\n// |*out_alert| to an alert to send.\nbool tls12_check_peer_sigalg(const SSL_HANDSHAKE *hs, uint8_t *out_alert,\n uint16_t sigalg, EVP_PKEY *pkey);\n\n\n// Underdocumented functions.\n//\n// Functions below here haven't been touched up and may be underdocumented.\n\n#define TLSEXT_CHANNEL_ID_SIZE 128\n\n// From RFC 4492, used in encoding the curve type in ECParameters\n#define NAMED_CURVE_TYPE 3\n\nstruct CERT {\n static constexpr bool kAllowUniquePtr = true;\n\n explicit CERT(const SSL_X509_METHOD *x509_method);\n ~CERT();\n\n bool is_valid() const { return legacy_credential != nullptr; }\n\n // credentials is the list of credentials to select between. Elements of this\n // array immutable.\n Vector> credentials;\n\n // legacy_credential is the credential configured by the legacy\n // non-credential-based APIs. If IsComplete() returns true, it is appended to\n // the list of credentials.\n UniquePtr legacy_credential;\n\n // x509_method contains pointers to functions that might deal with |X509|\n // compatibility, or might be a no-op, depending on the application.\n const SSL_X509_METHOD *x509_method = nullptr;\n\n // x509_chain may contain a parsed copy of |chain[1..]| from the legacy\n // credential. This is only used as a cache in order to implement “get0”\n // functions that return a non-owning pointer to the certificate chain.\n STACK_OF(X509) *x509_chain = nullptr;\n\n // x509_leaf may contain a parsed copy of the first element of |chain| from\n // the legacy credential. This is only used as a cache in order to implement\n // “get0” functions that return a non-owning pointer to the certificate chain.\n X509 *x509_leaf = nullptr;\n\n // x509_stash contains the last |X509| object append to the legacy\n // credential's chain. This is a workaround for some third-party code that\n // continue to use an |X509| object even after passing ownership with an\n // “add0” function.\n X509 *x509_stash = nullptr;\n\n // Certificate setup callback: if set is called whenever a\n // certificate may be required (client or server). the callback\n // can then examine any appropriate parameters and setup any\n // certificates required. This allows advanced applications\n // to select certificates on the fly: for example based on\n // supported signature algorithms or curves.\n int (*cert_cb)(SSL *ssl, void *arg) = nullptr;\n void *cert_cb_arg = nullptr;\n\n // Optional X509_STORE for certificate validation. If NULL the parent SSL_CTX\n // store is used instead.\n X509_STORE *verify_store = nullptr;\n\n // sid_ctx partitions the session space within a shared session cache or\n // ticket key. Only sessions with a matching value will be accepted.\n InplaceVector sid_ctx;\n};\n\n// |SSL_PROTOCOL_METHOD| abstracts between TLS and DTLS.\nstruct SSL_PROTOCOL_METHOD {\n bool is_dtls;\n bool (*ssl_new)(SSL *ssl);\n void (*ssl_free)(SSL *ssl);\n // get_message sets |*out| to the current handshake message and returns true\n // if one has been received. It returns false if more input is needed.\n bool (*get_message)(const SSL *ssl, SSLMessage *out);\n // next_message is called to release the current handshake message.\n void (*next_message)(SSL *ssl);\n // has_unprocessed_handshake_data returns whether there is buffered\n // handshake data that has not been consumed by |get_message|.\n bool (*has_unprocessed_handshake_data)(const SSL *ssl);\n // Use the |ssl_open_handshake| wrapper.\n ssl_open_record_t (*open_handshake)(SSL *ssl, size_t *out_consumed,\n uint8_t *out_alert, Span in);\n // Use the |ssl_open_change_cipher_spec| wrapper.\n ssl_open_record_t (*open_change_cipher_spec)(SSL *ssl, size_t *out_consumed,\n uint8_t *out_alert,\n Span in);\n // Use the |ssl_open_app_data| wrapper.\n ssl_open_record_t (*open_app_data)(SSL *ssl, Span *out,\n size_t *out_consumed, uint8_t *out_alert,\n Span in);\n // write_app_data encrypts and writes |in| as application data. On success, it\n // returns one and sets |*out_bytes_written| to the number of bytes of |in|\n // written. Otherwise, it returns <= 0 and sets |*out_needs_handshake| to\n // whether the operation failed because the caller needs to drive the\n // handshake.\n int (*write_app_data)(SSL *ssl, bool *out_needs_handshake,\n size_t *out_bytes_written, Span in);\n int (*dispatch_alert)(SSL *ssl);\n // init_message begins a new handshake message of type |type|. |cbb| is the\n // root CBB to be passed into |finish_message|. |*body| is set to a child CBB\n // the caller should write to. It returns true on success and false on error.\n bool (*init_message)(const SSL *ssl, CBB *cbb, CBB *body, uint8_t type);\n // finish_message finishes a handshake message. It sets |*out_msg| to the\n // serialized message. It returns true on success and false on error.\n bool (*finish_message)(const SSL *ssl, CBB *cbb,\n bssl::Array *out_msg);\n // add_message adds a handshake message to the pending flight. It returns\n // true on success and false on error.\n bool (*add_message)(SSL *ssl, bssl::Array msg);\n // add_change_cipher_spec adds a ChangeCipherSpec record to the pending\n // flight. It returns true on success and false on error.\n bool (*add_change_cipher_spec)(SSL *ssl);\n // finish_flight marks the pending flight as finished and ready to send.\n // |flush| must be called to write it.\n void (*finish_flight)(SSL *ssl);\n // schedule_ack schedules a DTLS 1.3 ACK to be sent, without an ACK delay.\n // |flush| must be called to write it.\n void (*schedule_ack)(SSL *ssl);\n // flush writes any scheduled data to the transport. It returns one on success\n // and <= 0 on error.\n int (*flush)(SSL *ssl);\n // on_handshake_complete is called when the handshake is complete.\n void (*on_handshake_complete)(SSL *ssl);\n // set_read_state sets |ssl|'s read cipher state and level to |aead_ctx| and\n // |level|. In QUIC, |aead_ctx| is a placeholder object. In TLS 1.3,\n // |traffic_secret| is the original traffic secret. This function returns true\n // on success and false on error.\n //\n // TODO(crbug.com/371998381): Take the traffic secrets as input and let the\n // function create the SSLAEADContext.\n bool (*set_read_state)(SSL *ssl, ssl_encryption_level_t level,\n UniquePtr aead_ctx,\n Span traffic_secret);\n // set_write_state sets |ssl|'s write cipher state and level to |aead_ctx| and\n // |level|. In QUIC, |aead_ctx| is a placeholder object In TLS 1.3,\n // |traffic_secret| is the original traffic secret. This function returns true\n // on success and false on error.\n //\n // TODO(crbug.com/371998381): Take the traffic secrets as input and let the\n // function create the SSLAEADContext.\n bool (*set_write_state)(SSL *ssl, ssl_encryption_level_t level,\n UniquePtr aead_ctx,\n Span traffic_secret);\n};\n\n// The following wrappers call |open_*| but handle |read_shutdown| correctly.\n\n// ssl_open_handshake processes a record from |in| for reading a handshake\n// message.\nssl_open_record_t ssl_open_handshake(SSL *ssl, size_t *out_consumed,\n uint8_t *out_alert, Span in);\n\n// ssl_open_change_cipher_spec processes a record from |in| for reading a\n// ChangeCipherSpec.\nssl_open_record_t ssl_open_change_cipher_spec(SSL *ssl, size_t *out_consumed,\n uint8_t *out_alert,\n Span in);\n\n// ssl_open_app_data processes a record from |in| for reading application data.\n// On success, it returns |ssl_open_record_success| and sets |*out| to the\n// input. If it encounters a post-handshake message, it returns\n// |ssl_open_record_discard|. The caller should then retry, after processing any\n// messages received with |get_message|.\nssl_open_record_t ssl_open_app_data(SSL *ssl, Span *out,\n size_t *out_consumed, uint8_t *out_alert,\n Span in);\n\nstruct SSL_X509_METHOD {\n // check_CA_list returns one if |names| is a good list of X.509 distinguished\n // names and zero otherwise. This is used to ensure that we can reject\n // unparsable values at handshake time when using crypto/x509.\n bool (*check_CA_list)(STACK_OF(CRYPTO_BUFFER) *names);\n\n // cert_clear frees and NULLs all X509 certificate-related state.\n void (*cert_clear)(CERT *cert);\n // cert_free frees all X509-related state.\n void (*cert_free)(CERT *cert);\n // cert_flush_cached_chain drops any cached |X509|-based certificate chain\n // from |cert|.\n // cert_dup duplicates any needed fields from |cert| to |new_cert|.\n void (*cert_dup)(CERT *new_cert, const CERT *cert);\n void (*cert_flush_cached_chain)(CERT *cert);\n // cert_flush_cached_chain drops any cached |X509|-based leaf certificate\n // from |cert|.\n void (*cert_flush_cached_leaf)(CERT *cert);\n\n // session_cache_objects fills out |sess->x509_peer| and |sess->x509_chain|\n // from |sess->certs| and erases |sess->x509_chain_without_leaf|. It returns\n // true on success or false on error.\n bool (*session_cache_objects)(SSL_SESSION *session);\n // session_dup duplicates any needed fields from |session| to |new_session|.\n // It returns true on success or false on error.\n bool (*session_dup)(SSL_SESSION *new_session, const SSL_SESSION *session);\n // session_clear frees any X509-related state from |session|.\n void (*session_clear)(SSL_SESSION *session);\n // session_verify_cert_chain verifies the certificate chain in |session|,\n // sets |session->verify_result| and returns true on success or false on\n // error.\n bool (*session_verify_cert_chain)(SSL_SESSION *session, SSL_HANDSHAKE *ssl,\n uint8_t *out_alert);\n\n // hs_flush_cached_ca_names drops any cached |X509_NAME|s from |hs|.\n void (*hs_flush_cached_ca_names)(SSL_HANDSHAKE *hs);\n // ssl_new does any necessary initialisation of |hs|. It returns true on\n // success or false on error.\n bool (*ssl_new)(SSL_HANDSHAKE *hs);\n // ssl_free frees anything created by |ssl_new|.\n void (*ssl_config_free)(SSL_CONFIG *cfg);\n // ssl_flush_cached_client_CA drops any cached |X509_NAME|s from |ssl|.\n void (*ssl_flush_cached_client_CA)(SSL_CONFIG *cfg);\n // ssl_auto_chain_if_needed runs the deprecated auto-chaining logic if\n // necessary. On success, it updates |ssl|'s certificate configuration as\n // needed and returns true. Otherwise, it returns false.\n bool (*ssl_auto_chain_if_needed)(SSL_HANDSHAKE *hs);\n // ssl_ctx_new does any necessary initialisation of |ctx|. It returns true on\n // success or false on error.\n bool (*ssl_ctx_new)(SSL_CTX *ctx);\n // ssl_ctx_free frees anything created by |ssl_ctx_new|.\n void (*ssl_ctx_free)(SSL_CTX *ctx);\n // ssl_ctx_flush_cached_client_CA drops any cached |X509_NAME|s from |ctx|.\n void (*ssl_ctx_flush_cached_client_CA)(SSL_CTX *ssl);\n};\n\n// ssl_crypto_x509_method provides the |SSL_X509_METHOD| functions using\n// crypto/x509.\nextern const SSL_X509_METHOD ssl_crypto_x509_method;\n\n// ssl_noop_x509_method provides the |SSL_X509_METHOD| functions that avoid\n// crypto/x509.\nextern const SSL_X509_METHOD ssl_noop_x509_method;\n\nstruct TicketKey {\n static constexpr bool kAllowUniquePtr = true;\n\n uint8_t name[SSL_TICKET_KEY_NAME_LEN] = {0};\n uint8_t hmac_key[16] = {0};\n uint8_t aes_key[16] = {0};\n // next_rotation_tv_sec is the time (in seconds from the epoch) when the\n // current key should be superseded by a new key, or the time when a previous\n // key should be dropped. If zero, then the key should not be automatically\n // rotated.\n uint64_t next_rotation_tv_sec = 0;\n};\n\nstruct CertCompressionAlg {\n static constexpr bool kAllowUniquePtr = true;\n\n ssl_cert_compression_func_t compress = nullptr;\n ssl_cert_decompression_func_t decompress = nullptr;\n uint16_t alg_id = 0;\n};\n\nBSSL_NAMESPACE_END\n\nDEFINE_LHASH_OF(SSL_SESSION)\n\nBSSL_NAMESPACE_BEGIN\n\n// An ssl_shutdown_t describes the shutdown state of one end of the connection,\n// whether it is alive or has been shutdown via close_notify or fatal alert.\nenum ssl_shutdown_t {\n ssl_shutdown_none = 0,\n ssl_shutdown_close_notify = 1,\n ssl_shutdown_error = 2,\n};\n\nenum ssl_ech_status_t {\n // ssl_ech_none indicates ECH was not offered, or we have not gotten far\n // enough in the handshake to determine the status.\n ssl_ech_none,\n // ssl_ech_accepted indicates the server accepted ECH.\n ssl_ech_accepted,\n // ssl_ech_rejected indicates the server was offered ECH but rejected it.\n ssl_ech_rejected,\n};\n\nstruct SSL3_STATE {\n static constexpr bool kAllowUniquePtr = true;\n\n SSL3_STATE();\n ~SSL3_STATE();\n\n uint64_t read_sequence = 0;\n uint64_t write_sequence = 0;\n\n uint8_t server_random[SSL3_RANDOM_SIZE] = {0};\n uint8_t client_random[SSL3_RANDOM_SIZE] = {0};\n\n // read_buffer holds data from the transport to be processed.\n SSLBuffer read_buffer;\n // write_buffer holds data to be written to the transport.\n SSLBuffer write_buffer;\n\n // pending_app_data is the unconsumed application data. It points into\n // |read_buffer|.\n Span pending_app_data;\n\n // unreported_bytes_written is the number of bytes successfully written to the\n // transport, but not yet reported to the caller. The next |SSL_write| will\n // skip this many bytes from the input. This is used if\n // |SSL_MODE_ENABLE_PARTIAL_WRITE| is disabled, in which case |SSL_write| only\n // reports bytes written when the full caller input is written.\n size_t unreported_bytes_written = 0;\n\n // pending_write, if |has_pending_write| is true, is the caller-supplied data\n // corresponding to the current pending write. This is used to check the\n // caller retried with a compatible buffer.\n Span pending_write;\n\n // pending_write_type, if |has_pending_write| is true, is the record type\n // for the current pending write.\n //\n // TODO(davidben): Remove this when alerts are moved out of this write path.\n uint8_t pending_write_type = 0;\n\n // read_shutdown is the shutdown state for the read half of the connection.\n enum ssl_shutdown_t read_shutdown = ssl_shutdown_none;\n\n // write_shutdown is the shutdown state for the write half of the connection.\n enum ssl_shutdown_t write_shutdown = ssl_shutdown_none;\n\n // read_error, if |read_shutdown| is |ssl_shutdown_error|, is the error for\n // the receive half of the connection.\n UniquePtr read_error;\n\n int total_renegotiations = 0;\n\n // This holds a variable that indicates what we were doing when a 0 or -1 is\n // returned. This is needed for non-blocking IO so we know what request\n // needs re-doing when in SSL_accept or SSL_connect\n int rwstate = SSL_ERROR_NONE;\n\n enum ssl_encryption_level_t quic_read_level = ssl_encryption_initial;\n enum ssl_encryption_level_t quic_write_level = ssl_encryption_initial;\n\n // version is the protocol version, or zero if the version has not yet been\n // set. In clients offering 0-RTT, this version will initially be set to the\n // early version, then switched to the final version. To distinguish these\n // cases, use |ssl_has_final_version|.\n uint16_t version = 0;\n\n // early_data_skipped is the amount of early data that has been skipped by the\n // record layer.\n uint16_t early_data_skipped = 0;\n\n // empty_record_count is the number of consecutive empty records received.\n uint8_t empty_record_count = 0;\n\n // warning_alert_count is the number of consecutive warning alerts\n // received.\n uint8_t warning_alert_count = 0;\n\n // key_update_count is the number of consecutive KeyUpdates received.\n uint8_t key_update_count = 0;\n\n // ech_status indicates whether ECH was accepted by the server.\n ssl_ech_status_t ech_status = ssl_ech_none;\n\n // skip_early_data instructs the record layer to skip unexpected early data\n // messages when 0RTT is rejected.\n bool skip_early_data : 1;\n\n // v2_hello_done is true if the peer's V2ClientHello, if any, has been handled\n // and future messages should use the record layer.\n bool v2_hello_done : 1;\n\n // is_v2_hello is true if the current handshake message was derived from a\n // V2ClientHello rather than received from the peer directly.\n bool is_v2_hello : 1;\n\n // has_message is true if the current handshake message has been returned\n // at least once by |get_message| and false otherwise.\n bool has_message : 1;\n\n // initial_handshake_complete is true if the initial handshake has\n // completed.\n bool initial_handshake_complete : 1;\n\n // session_reused indicates whether a session was resumed.\n bool session_reused : 1;\n\n bool send_connection_binding : 1;\n\n // channel_id_valid is true if, on the server, the client has negotiated a\n // Channel ID and the |channel_id| field is filled in.\n bool channel_id_valid : 1;\n\n // key_update_pending is true if we are in the process of sending a KeyUpdate\n // message. As a DoS mitigation (and a requirement in DTLS), we never send\n // more than one KeyUpdate at once. In DTLS, this tracks whether there is an\n // unACKed KeyUpdate.\n bool key_update_pending : 1;\n\n // early_data_accepted is true if early data was accepted by the server.\n bool early_data_accepted : 1;\n\n // alert_dispatch is true there is an alert in |send_alert| to be sent.\n bool alert_dispatch : 1;\n\n // renegotiate_pending is whether the read half of the channel is blocked on a\n // HelloRequest.\n bool renegotiate_pending : 1;\n\n // used_hello_retry_request is whether the handshake used a TLS 1.3\n // HelloRetryRequest message.\n bool used_hello_retry_request : 1;\n\n // was_key_usage_invalid is whether the handshake succeeded despite using a\n // TLS mode which was incompatible with the leaf certificate's keyUsage\n // extension.\n bool was_key_usage_invalid : 1;\n\n // hs_buf is the buffer of handshake data to process.\n UniquePtr hs_buf;\n\n // pending_hs_data contains the pending handshake data that has not yet\n // been encrypted to |pending_flight|. This allows packing the handshake into\n // fewer records.\n UniquePtr pending_hs_data;\n\n // pending_flight is the pending outgoing flight. This is used to flush each\n // handshake flight in a single write. |write_buffer| must be written out\n // before this data.\n UniquePtr pending_flight;\n\n // pending_flight_offset is the number of bytes of |pending_flight| which have\n // been successfully written.\n uint32_t pending_flight_offset = 0;\n\n // ticket_age_skew is the difference, in seconds, between the client-sent\n // ticket age and the server-computed value in TLS 1.3 server connections\n // which resumed a session.\n int32_t ticket_age_skew = 0;\n\n // ssl_early_data_reason stores details on why 0-RTT was accepted or rejected.\n enum ssl_early_data_reason_t early_data_reason = ssl_early_data_unknown;\n\n // aead_read_ctx is the current read cipher state.\n UniquePtr aead_read_ctx;\n\n // aead_write_ctx is the current write cipher state.\n UniquePtr aead_write_ctx;\n\n // hs is the handshake state for the current handshake or NULL if there isn't\n // one.\n UniquePtr hs;\n\n InplaceVector write_traffic_secret;\n InplaceVector read_traffic_secret;\n InplaceVector exporter_secret;\n\n // Connection binding to prevent renegotiation attacks\n InplaceVector previous_client_finished;\n InplaceVector previous_server_finished;\n\n uint8_t send_alert[2] = {0};\n\n // established_session is the session established by the connection. This\n // session is only filled upon the completion of the handshake and is\n // immutable.\n UniquePtr established_session;\n\n // Next protocol negotiation. For the client, this is the protocol that we\n // sent in NextProtocol and is set when handling ServerHello extensions.\n //\n // For a server, this is the client's selected_protocol from NextProtocol and\n // is set when handling the NextProtocol message, before the Finished\n // message.\n Array next_proto_negotiated;\n\n // ALPN information\n // (we are in the process of transitioning from NPN to ALPN.)\n\n // In a server these point to the selected ALPN protocol after the\n // ClientHello has been processed. In a client these contain the protocol\n // that the server selected once the ServerHello has been processed.\n Array alpn_selected;\n\n // hostname, on the server, is the value of the SNI extension.\n UniquePtr hostname;\n\n // For a server:\n // If |channel_id_valid| is true, then this contains the\n // verified Channel ID from the client: a P256 point, (x,y), where\n // each are big-endian values.\n uint8_t channel_id[64] = {0};\n\n // Contains the QUIC transport params received by the peer.\n Array peer_quic_transport_params;\n\n // srtp_profile is the selected SRTP protection profile for\n // DTLS-SRTP.\n const SRTP_PROTECTION_PROFILE *srtp_profile = nullptr;\n};\n\n// lengths of messages\n#define DTLS1_RT_MAX_HEADER_LENGTH 13\n\n// DTLS_PLAINTEXT_RECORD_HEADER_LENGTH is the length of the DTLS record header\n// for plaintext records (in DTLS 1.3) or DTLS versions <= 1.2.\n#define DTLS_PLAINTEXT_RECORD_HEADER_LENGTH 13\n\n// DTLS1_3_RECORD_HEADER_LENGTH is the length of the DTLS 1.3 record header\n// sent by BoringSSL for encrypted records. Note that received encrypted DTLS\n// 1.3 records might have a different length header.\n#define DTLS1_3_RECORD_HEADER_WRITE_LENGTH 5\n\nstatic_assert(DTLS1_RT_MAX_HEADER_LENGTH >= DTLS_PLAINTEXT_RECORD_HEADER_LENGTH,\n \"DTLS1_RT_MAX_HEADER_LENGTH must not be smaller than defined \"\n \"record header lengths\");\nstatic_assert(DTLS1_RT_MAX_HEADER_LENGTH >= DTLS1_3_RECORD_HEADER_WRITE_LENGTH,\n \"DTLS1_RT_MAX_HEADER_LENGTH must not be smaller than defined \"\n \"record header lengths\");\n\n#define DTLS1_HM_HEADER_LENGTH 12\n\n// A DTLSMessageBitmap maintains a list of bits which may be marked to indicate\n// a portion of a message was received or ACKed.\nclass DTLSMessageBitmap {\n public:\n // A Range represents a range of bits from |start|, inclusive, to |end|,\n // exclusive.\n struct Range {\n size_t start = 0;\n size_t end = 0;\n\n bool empty() const { return start == end; }\n size_t size() const { return end - start; }\n bool operator==(const Range &r) const {\n return start == r.start && end == r.end;\n }\n bool operator!=(const Range &r) const { return !(*this == r); }\n };\n\n // Init initializes the structure with |num_bits| unmarked bits, from zero\n // to |num_bits - 1|.\n bool Init(size_t num_bits);\n\n // MarkRange marks the bits from |start|, inclusive, to |end|, exclusive.\n void MarkRange(size_t start, size_t end);\n\n // NextUnmarkedRange returns the next range of unmarked bits, starting from\n // |start|, inclusive. If all bits after |start| are marked, it returns an\n // empty range.\n Range NextUnmarkedRange(size_t start) const;\n\n // IsComplete returns whether every bit in the bitmask has been marked.\n bool IsComplete() const { return bytes_.empty(); }\n\n private:\n // bytes_ contains the unmarked bits. We maintain an invariant: if |bytes_| is\n // not empty, some bit is unset.\n Array bytes_;\n // first_unmarked_byte_ is the index of first byte in |bytes_| that is not\n // 0xff. This is maintained to amortize checking if the message is complete.\n size_t first_unmarked_byte_ = 0;\n};\n\nstruct hm_header_st {\n uint8_t type;\n uint32_t msg_len;\n uint16_t seq;\n uint32_t frag_off;\n uint32_t frag_len;\n};\n\n// An DTLSIncomingMessage is an incoming DTLS message, possibly not yet\n// assembled.\nstruct DTLSIncomingMessage {\n static constexpr bool kAllowUniquePtr = true;\n\n Span msg() { return Span(data).subspan(DTLS1_HM_HEADER_LENGTH); }\n Span msg() const {\n return Span(data).subspan(DTLS1_HM_HEADER_LENGTH);\n }\n size_t msg_len() const { return msg().size(); }\n\n // type is the type of the message.\n uint8_t type = 0;\n // seq is the sequence number of this message.\n uint16_t seq = 0;\n // data contains the message, including the message header of length\n // |DTLS1_HM_HEADER_LENGTH|.\n Array data;\n // reassembly tracks which parts of the message have been received.\n DTLSMessageBitmap reassembly;\n};\n\nstruct DTLSOutgoingMessage {\n size_t msg_len() const {\n assert(!is_ccs);\n assert(data.size() >= DTLS1_HM_HEADER_LENGTH);\n return data.size() - DTLS1_HM_HEADER_LENGTH;\n }\n\n bool IsFullyAcked() const {\n // ACKs only exist in DTLS 1.3, which does not send ChangeCipherSpec.\n return !is_ccs && acked.IsComplete();\n }\n\n Array data;\n uint16_t epoch = 0;\n bool is_ccs = false;\n // acked tracks which bits of the message have been ACKed by the peer. If\n // |msg_len| is zero, it tracks one bit for whether the header has been\n // received.\n DTLSMessageBitmap acked;\n};\n\nstruct OPENSSL_timeval {\n uint64_t tv_sec;\n uint32_t tv_usec;\n};\n\nstruct DTLSTimer {\n public:\n static constexpr uint64_t kNever = UINT64_MAX;\n\n // StartMicroseconds schedules the timer to expire the specified number of\n // microseconds from |now|.\n void StartMicroseconds(OPENSSL_timeval now, uint64_t microseconds);\n\n // Stop disables the timer.\n void Stop();\n\n // IsExpired returns true if the timer was set and is expired at time |now|.\n bool IsExpired(OPENSSL_timeval now) const;\n\n // IsSet returns true if the timer is scheduled or expired, and false if it is\n // stopped.\n bool IsSet() const;\n\n // MicrosecondsRemaining returns the time remaining, in microseconds, at\n // |now|, or |kNever| if the timer is unset.\n uint64_t MicrosecondsRemaining(OPENSSL_timeval now) const;\n\n private:\n // expire_time_ is the time when the timer expires, or zero if the timer is\n // unset.\n //\n // TODO(crbug.com/366284846): This is an extremely inconvenient time\n // representation. Switch libssl to something like a 64-bit count of\n // microseconds. While it's decidedly past 1970 now, zero is a less obviously\n // sound distinguished value for the monotonic clock, so maybe we should use a\n // different distinguished time, like |INT64_MAX| in the microseconds\n // representation.\n OPENSSL_timeval expire_time_ = {0, 0};\n};\n\n// DTLS_MAX_EXTRA_WRITE_EPOCHS is the maximum number of additional write epochs\n// that DTLS may need to retain.\n//\n// The maximum is, as a DTLS 1.3 server, immediately after sending Finished. At\n// this point, the current epoch is the application write keys (epoch 3), but we\n// may have ServerHello (epoch 0) and EncryptedExtensions (epoch 1) to\n// retransmit. KeyUpdate does not increase this count. If the server were to\n// initiate KeyUpdate from this state, it would not apply the new epoch until\n// the client's ACKs have caught up. At that point, epochs 0 and 1 can be\n// discarded.\n#define DTLS_MAX_EXTRA_WRITE_EPOCHS 2\n\n// DTLS_MAX_ACK_BUFFER is the maximum number of records worth of data we'll keep\n// track of with DTLS 1.3 ACKs. When we exceed this value, information about\n// stale records will be dropped. This will not break the connection but may\n// cause ACKs to perform worse and retransmit unnecessary information.\n#define DTLS_MAX_ACK_BUFFER 32\n\n// A DTLSSentRecord records information about a record we sent. Each record\n// covers all bytes from |first_msg_start| (inclusive) of |first_msg| to\n// |last_msg_end| (exclusive) of |last_msg|. Messages are referenced by index\n// into |outgoing_messages|. |last_msg_end| may be |outgoing_messages.size()| if\n// |last_msg_end| is zero.\n//\n// When the message is empty, |first_msg_start| and |last_msg_end| are\n// maintained as if there is a single bit in the message representing the\n// header. See |acked| in DTLSOutgoingMessage.\nstruct DTLSSentRecord {\n DTLSRecordNumber number;\n PackedSize first_msg = 0;\n PackedSize last_msg = 0;\n uint32_t first_msg_start = 0;\n uint32_t last_msg_end = 0;\n};\n\nenum class QueuedKeyUpdate {\n kNone,\n kUpdateNotRequested,\n kUpdateRequested,\n};\n\n// DTLS_PREV_READ_EPOCH_EXPIRE_SECONDS is how long to retain the previous read\n// epoch in DTLS 1.3. This value is set based on the following:\n//\n// - Section 4.2.1 of RFC 9147 recommends retaining past read epochs for the\n// default TCP MSL. This accommodates packet reordering with KeyUpdate.\n//\n// - Section 5.8.1 of RFC 9147 requires being capable of ACKing the client's\n// final flight for at least twice the default MSL. That requires retaining\n// epoch 2 after the handshake.\n//\n// - Section 4 of RFC 9293 defines the MSL to be two minutes.\n#define DTLS_PREV_READ_EPOCH_EXPIRE_SECONDS (4 * 60)\n\nstruct DTLSPrevReadEpoch {\n static constexpr bool kAllowUniquePtr = true;\n DTLSReadEpoch epoch;\n // expire is the expiration time of the read epoch, expressed as a POSIX\n // timestamp in seconds.\n uint64_t expire;\n};\n\nstruct DTLS1_STATE {\n static constexpr bool kAllowUniquePtr = true;\n\n DTLS1_STATE();\n ~DTLS1_STATE();\n\n bool Init();\n\n // has_change_cipher_spec is true if we have received a ChangeCipherSpec from\n // the peer in this epoch.\n bool has_change_cipher_spec : 1;\n\n // outgoing_messages_complete is true if |outgoing_messages| has been\n // completed by an attempt to flush it. Future calls to |add_message| and\n // |add_change_cipher_spec| will start a new flight.\n bool outgoing_messages_complete : 1;\n\n // flight_has_reply is true if the current outgoing flight is complete and has\n // processed at least one message. This is used to detect whether we or the\n // peer sent the final flight.\n bool flight_has_reply : 1;\n\n // handshake_write_overflow and handshake_read_overflow are true if\n // handshake_write_seq and handshake_read_seq, respectively have overflowed.\n bool handshake_write_overflow : 1;\n bool handshake_read_overflow : 1;\n\n // sending_flight and sending_ack are true if we are in the process of sending\n // a handshake flight and ACK, respectively.\n bool sending_flight : 1;\n bool sending_ack : 1;\n\n // queued_key_update, if not kNone, indicates we've queued a KeyUpdate message\n // to send after the current flight is ACKed.\n QueuedKeyUpdate queued_key_update : 2;\n\n uint16_t handshake_write_seq = 0;\n uint16_t handshake_read_seq = 0;\n\n // read_epoch is the current read epoch.\n DTLSReadEpoch read_epoch;\n\n // next_read_epoch is the next read epoch in DTLS 1.3. It will become\n // current once a record is received from it.\n UniquePtr next_read_epoch;\n\n // prev_read_epoch is the previous read epoch in DTLS 1.3.\n UniquePtr prev_read_epoch;\n\n // write_epoch is the current DTLS write epoch. Non-retransmit records will\n // generally use this epoch.\n // TODO(crbug.com/381113363): 0-RTT will be the exception, when implemented.\n DTLSWriteEpoch write_epoch;\n\n // extra_write_epochs is the collection available write epochs.\n InplaceVector, DTLS_MAX_EXTRA_WRITE_EPOCHS>\n extra_write_epochs;\n\n // incoming_messages is a ring buffer of incoming handshake messages that have\n // yet to be processed. The front of the ring buffer is message number\n // |handshake_read_seq|, at position |handshake_read_seq| %\n // |SSL_MAX_HANDSHAKE_FLIGHT|.\n UniquePtr incoming_messages[SSL_MAX_HANDSHAKE_FLIGHT];\n\n // outgoing_messages is the queue of outgoing messages from the last handshake\n // flight.\n InplaceVector\n outgoing_messages;\n\n // sent_records is a queue of records we sent, for processing ACKs. To save\n // memory in the steady state, the structure is stored on the heap and dropped\n // when empty.\n UniquePtr> sent_records;\n\n // records_to_ack is a queue of received records that we should ACK. This is\n // not stored on the heap because, in the steady state, DTLS 1.3 does not\n // necessarily empty this list. (We probably could drop records from here once\n // they are sufficiently old.)\n MRUQueue records_to_ack;\n\n // outgoing_written is the number of outgoing messages that have been\n // written.\n uint8_t outgoing_written = 0;\n // outgoing_offset is the number of bytes of the next outgoing message have\n // been written.\n uint32_t outgoing_offset = 0;\n\n unsigned mtu = 0; // max DTLS packet size\n\n // num_timeouts is the number of times the retransmit timer has fired since\n // the last time it was reset.\n unsigned num_timeouts = 0;\n\n // retransmit_timer tracks when to schedule the next DTLS retransmit if we do\n // not hear from the peer.\n DTLSTimer retransmit_timer;\n\n // ack_timer tracks when to send an ACK.\n DTLSTimer ack_timer;\n\n // timeout_duration_ms is the timeout duration in milliseconds.\n uint32_t timeout_duration_ms = 0;\n};\n\n// An ALPSConfig is a pair of ALPN protocol and settings value to use with ALPS.\nstruct ALPSConfig {\n Array protocol;\n Array settings;\n};\n\n// SSL_CONFIG contains configuration bits that can be shed after the handshake\n// completes. Objects of this type are not shared; they are unique to a\n// particular |SSL|.\n//\n// See SSL_shed_handshake_config() for more about the conditions under which\n// configuration can be shed.\nstruct SSL_CONFIG {\n static constexpr bool kAllowUniquePtr = true;\n\n explicit SSL_CONFIG(SSL *ssl_arg);\n ~SSL_CONFIG();\n\n // ssl is a non-owning pointer to the parent |SSL| object.\n SSL *const ssl = nullptr;\n\n // conf_max_version is the maximum acceptable version configured by\n // |SSL_set_max_proto_version|. Note this version is not normalized in DTLS\n // and is further constrained by |SSL_OP_NO_*|.\n uint16_t conf_max_version = 0;\n\n // conf_min_version is the minimum acceptable version configured by\n // |SSL_set_min_proto_version|. Note this version is not normalized in DTLS\n // and is further constrained by |SSL_OP_NO_*|.\n uint16_t conf_min_version = 0;\n\n X509_VERIFY_PARAM *param = nullptr;\n\n // crypto\n UniquePtr cipher_list;\n\n // This is used to hold the local certificate used (i.e. the server\n // certificate for a server or the client certificate for a client).\n UniquePtr cert;\n\n int (*verify_callback)(int ok,\n X509_STORE_CTX *ctx) =\n nullptr; // fail if callback returns 0\n\n enum ssl_verify_result_t (*custom_verify_callback)(\n SSL *ssl, uint8_t *out_alert) = nullptr;\n // Server-only: psk_identity_hint is the identity hint to send in\n // PSK-based key exchanges.\n UniquePtr psk_identity_hint;\n\n unsigned (*psk_client_callback)(SSL *ssl, const char *hint, char *identity,\n unsigned max_identity_len, uint8_t *psk,\n unsigned max_psk_len) = nullptr;\n unsigned (*psk_server_callback)(SSL *ssl, const char *identity, uint8_t *psk,\n unsigned max_psk_len) = nullptr;\n\n // for server side, keep the list of CA_dn we can use\n UniquePtr client_CA;\n\n // cached_x509_client_CA is a cache of parsed versions of the elements of\n // |client_CA|.\n STACK_OF(X509_NAME) *cached_x509_client_CA = nullptr;\n\n // For client side, keep the list of CA distinguished names we can use\n // for the Certificate Authorities extension.\n // TODO(bbe) having this separate from the client side (above) is mildly\n // silly, but OpenSSL has *_client_CA API's for this exposed, and for the\n // moment we are not crossing those streams.\n UniquePtr CA_names;\n\n Array supported_group_list; // our list\n\n // channel_id_private is the client's Channel ID private key, or null if\n // Channel ID should not be offered on this connection.\n UniquePtr channel_id_private;\n\n // For a client, this contains the list of supported protocols in wire\n // format.\n Array alpn_client_proto_list;\n\n // alps_configs contains the list of supported protocols to use with ALPS,\n // along with their corresponding ALPS values.\n Vector alps_configs;\n\n // Contains the QUIC transport params that this endpoint will send.\n Array quic_transport_params;\n\n // Contains the context used to decide whether to accept early data in QUIC.\n Array quic_early_data_context;\n\n // verify_sigalgs, if not empty, is the set of signature algorithms\n // accepted from the peer in decreasing order of preference.\n Array verify_sigalgs;\n\n // srtp_profiles is the list of configured SRTP protection profiles for\n // DTLS-SRTP.\n UniquePtr srtp_profiles;\n\n // client_ech_config_list, if not empty, is a serialized ECHConfigList\n // structure for the client to use when negotiating ECH.\n Array client_ech_config_list;\n\n // compliance_policy limits the set of ciphers that can be selected when\n // negotiating a TLS 1.3 connection.\n enum ssl_compliance_policy_t compliance_policy = ssl_compliance_policy_none;\n\n // verify_mode is a bitmask of |SSL_VERIFY_*| values.\n uint8_t verify_mode = SSL_VERIFY_NONE;\n\n // ech_grease_enabled controls whether ECH GREASE may be sent in the\n // ClientHello.\n bool ech_grease_enabled : 1;\n\n // Enable signed certificate time stamps. Currently client only.\n bool signed_cert_timestamps_enabled : 1;\n\n // ocsp_stapling_enabled is only used by client connections and indicates\n // whether OCSP stapling will be requested.\n bool ocsp_stapling_enabled : 1;\n\n // channel_id_enabled is copied from the |SSL_CTX|. For a server, it means\n // that we'll accept Channel IDs from clients. It is ignored on the client.\n bool channel_id_enabled : 1;\n\n // If enforce_rsa_key_usage is true, the handshake will fail if the\n // keyUsage extension is present and incompatible with the TLS usage.\n // This field is not read until after certificate verification.\n bool enforce_rsa_key_usage : 1;\n\n // retain_only_sha256_of_client_certs is true if we should compute the SHA256\n // hash of the peer's certificate and then discard it to save memory and\n // session space. Only effective on the server side.\n bool retain_only_sha256_of_client_certs : 1;\n\n // handoff indicates that a server should stop after receiving the\n // ClientHello and pause the handshake in such a way that |SSL_get_error|\n // returns |SSL_ERROR_HANDOFF|. This is copied in |SSL_new| from the |SSL_CTX|\n // element of the same name and may be cleared if the handoff is declined.\n bool handoff : 1;\n\n // shed_handshake_config indicates that the handshake config (this object!)\n // should be freed after the handshake completes.\n bool shed_handshake_config : 1;\n\n // jdk11_workaround is whether to disable TLS 1.3 for JDK 11 clients, as a\n // workaround for https://bugs.openjdk.java.net/browse/JDK-8211806.\n bool jdk11_workaround : 1;\n\n // QUIC drafts up to and including 32 used a different TLS extension\n // codepoint to convey QUIC's transport parameters.\n bool quic_use_legacy_codepoint : 1;\n\n // permute_extensions is whether to permute extensions when sending messages.\n bool permute_extensions : 1;\n\n // aes_hw_override if set indicates we should override checking for aes\n // hardware support, and use the value in aes_hw_override_value instead.\n bool aes_hw_override : 1;\n\n // aes_hw_override_value is used for testing to indicate the support or lack\n // of support for AES hw. The value is only considered if |aes_hw_override| is\n // true.\n bool aes_hw_override_value : 1;\n\n // alps_use_new_codepoint if set indicates we use new ALPS extension codepoint\n // to negotiate and convey application settings.\n bool alps_use_new_codepoint : 1;\n\n // check_client_certificate_type indicates whether the client, in TLS 1.2 and\n // below, will check its certificate against the server's requested\n // certificate types.\n bool check_client_certificate_type : 1;\n\n // check_ecdsa_curve indicates whether the server, in TLS 1.2 and below, will\n // check its certificate against the client's supported ECDSA curves.\n bool check_ecdsa_curve : 1;\n};\n\n// From RFC 8446, used in determining PSK modes.\n#define SSL_PSK_DHE_KE 0x1\n\n// kMaxEarlyDataAccepted is the advertised number of plaintext bytes of early\n// data that will be accepted. This value should be slightly below\n// kMaxEarlyDataSkipped in tls_record.c, which is measured in ciphertext.\nstatic const size_t kMaxEarlyDataAccepted = 14336;\n\nUniquePtr ssl_cert_dup(CERT *cert);\nbool ssl_set_cert(CERT *cert, UniquePtr buffer);\nbool ssl_is_key_type_supported(int key_type);\n// ssl_compare_public_and_private_key returns true if |pubkey| is the public\n// counterpart to |privkey|. Otherwise it returns false and pushes a helpful\n// message on the error queue.\nbool ssl_compare_public_and_private_key(const EVP_PKEY *pubkey,\n const EVP_PKEY *privkey);\nbool ssl_get_new_session(SSL_HANDSHAKE *hs);\n\n// ssl_encrypt_ticket encrypt a ticket for |session| and writes the result to\n// |out|. It returns true on success and false on error. If, on success, nothing\n// was written to |out|, the caller should skip sending a ticket.\nbool ssl_encrypt_ticket(SSL_HANDSHAKE *hs, CBB *out,\n const SSL_SESSION *session);\n\nbool ssl_ctx_rotate_ticket_encryption_key(SSL_CTX *ctx);\n\n// ssl_session_new returns a newly-allocated blank |SSL_SESSION| or nullptr on\n// error.\nUniquePtr ssl_session_new(const SSL_X509_METHOD *x509_method);\n\n// ssl_hash_session_id returns a hash of |session_id|, suitable for a hash table\n// keyed on session IDs.\nuint32_t ssl_hash_session_id(Span session_id);\n\n// SSL_SESSION_parse parses an |SSL_SESSION| from |cbs| and advances |cbs| over\n// the parsed data.\nOPENSSL_EXPORT UniquePtr SSL_SESSION_parse(\n CBS *cbs, const SSL_X509_METHOD *x509_method, CRYPTO_BUFFER_POOL *pool);\n\n// ssl_session_serialize writes |in| to |cbb| as if it were serialising a\n// session for Session-ID resumption. It returns true on success and false on\n// error.\nOPENSSL_EXPORT bool ssl_session_serialize(const SSL_SESSION *in, CBB *cbb);\n\nenum class SSLSessionType {\n // The session is not resumable.\n kNotResumable,\n // The session uses a TLS 1.2 session ID.\n kID,\n // The session uses a TLS 1.2 ticket.\n kTicket,\n // The session uses a TLS 1.3 pre-shared key.\n kPreSharedKey,\n};\n\n// ssl_session_get_type returns the type of |session|.\nSSLSessionType ssl_session_get_type(const SSL_SESSION *session);\n\n// ssl_session_is_context_valid returns whether |session|'s session ID context\n// matches the one set on |hs|.\nbool ssl_session_is_context_valid(const SSL_HANDSHAKE *hs,\n const SSL_SESSION *session);\n\n// ssl_session_is_time_valid returns true if |session| is still valid and false\n// if it has expired.\nbool ssl_session_is_time_valid(const SSL *ssl, const SSL_SESSION *session);\n\n// ssl_session_is_resumable returns whether |session| is resumable for |hs|.\nbool ssl_session_is_resumable(const SSL_HANDSHAKE *hs,\n const SSL_SESSION *session);\n\n// ssl_session_protocol_version returns the protocol version associated with\n// |session|. Note that despite the name, this is not the same as\n// |SSL_SESSION_get_protocol_version|. The latter is based on upstream's name.\nuint16_t ssl_session_protocol_version(const SSL_SESSION *session);\n\n// ssl_session_get_digest returns the digest used in |session|.\nconst EVP_MD *ssl_session_get_digest(const SSL_SESSION *session);\n\nvoid ssl_set_session(SSL *ssl, SSL_SESSION *session);\n\n// ssl_get_prev_session looks up the previous session based on |client_hello|.\n// On success, it sets |*out_session| to the session or nullptr if none was\n// found. If the session could not be looked up synchronously, it returns\n// |ssl_hs_pending_session| and should be called again. If a ticket could not be\n// decrypted immediately it returns |ssl_hs_pending_ticket| and should also\n// be called again. Otherwise, it returns |ssl_hs_error|.\nenum ssl_hs_wait_t ssl_get_prev_session(SSL_HANDSHAKE *hs,\n UniquePtr *out_session,\n bool *out_tickets_supported,\n bool *out_renew_ticket,\n const SSL_CLIENT_HELLO *client_hello);\n\n// The following flags determine which parts of the session are duplicated.\n#define SSL_SESSION_DUP_AUTH_ONLY 0x0\n#define SSL_SESSION_INCLUDE_TICKET 0x1\n#define SSL_SESSION_INCLUDE_NONAUTH 0x2\n#define SSL_SESSION_DUP_ALL \\\n (SSL_SESSION_INCLUDE_TICKET | SSL_SESSION_INCLUDE_NONAUTH)\n\n// SSL_SESSION_dup returns a newly-allocated |SSL_SESSION| with a copy of the\n// fields in |session| or nullptr on error. The new session is non-resumable and\n// must be explicitly marked resumable once it has been filled in.\nOPENSSL_EXPORT UniquePtr SSL_SESSION_dup(SSL_SESSION *session,\n int dup_flags);\n\n// ssl_session_rebase_time updates |session|'s start time to the current time,\n// adjusting the timeout so the expiration time is unchanged.\nvoid ssl_session_rebase_time(SSL *ssl, SSL_SESSION *session);\n\n// ssl_session_renew_timeout calls |ssl_session_rebase_time| and renews\n// |session|'s timeout to |timeout| (measured from the current time). The\n// renewal is clamped to the session's auth_timeout.\nvoid ssl_session_renew_timeout(SSL *ssl, SSL_SESSION *session,\n uint32_t timeout);\n\nvoid ssl_update_cache(SSL *ssl);\n\nvoid ssl_send_alert(SSL *ssl, int level, int desc);\nint ssl_send_alert_impl(SSL *ssl, int level, int desc);\nbool tls_get_message(const SSL *ssl, SSLMessage *out);\nssl_open_record_t tls_open_handshake(SSL *ssl, size_t *out_consumed,\n uint8_t *out_alert, Span in);\nvoid tls_next_message(SSL *ssl);\n\nint tls_dispatch_alert(SSL *ssl);\nssl_open_record_t tls_open_app_data(SSL *ssl, Span *out,\n size_t *out_consumed, uint8_t *out_alert,\n Span in);\nssl_open_record_t tls_open_change_cipher_spec(SSL *ssl, size_t *out_consumed,\n uint8_t *out_alert,\n Span in);\nint tls_write_app_data(SSL *ssl, bool *out_needs_handshake,\n size_t *out_bytes_written, Span in);\n\nbool tls_new(SSL *ssl);\nvoid tls_free(SSL *ssl);\n\nbool tls_init_message(const SSL *ssl, CBB *cbb, CBB *body, uint8_t type);\nbool tls_finish_message(const SSL *ssl, CBB *cbb, Array *out_msg);\nbool tls_add_message(SSL *ssl, Array msg);\nbool tls_add_change_cipher_spec(SSL *ssl);\nint tls_flush(SSL *ssl);\n\nbool dtls1_init_message(const SSL *ssl, CBB *cbb, CBB *body, uint8_t type);\nbool dtls1_finish_message(const SSL *ssl, CBB *cbb, Array *out_msg);\nbool dtls1_add_message(SSL *ssl, Array msg);\nbool dtls1_add_change_cipher_spec(SSL *ssl);\nvoid dtls1_finish_flight(SSL *ssl);\nvoid dtls1_schedule_ack(SSL *ssl);\nint dtls1_flush(SSL *ssl);\n\n// ssl_add_message_cbb finishes the handshake message in |cbb| and adds it to\n// the pending flight. It returns true on success and false on error.\nbool ssl_add_message_cbb(SSL *ssl, CBB *cbb);\n\n// ssl_hash_message incorporates |msg| into the handshake hash. It returns true\n// on success and false on allocation failure.\nbool ssl_hash_message(SSL_HANDSHAKE *hs, const SSLMessage &msg);\n\nssl_open_record_t dtls1_process_ack(SSL *ssl, uint8_t *out_alert,\n DTLSRecordNumber ack_record_number,\n Span data);\nssl_open_record_t dtls1_open_app_data(SSL *ssl, Span *out,\n size_t *out_consumed, uint8_t *out_alert,\n Span in);\nssl_open_record_t dtls1_open_change_cipher_spec(SSL *ssl, size_t *out_consumed,\n uint8_t *out_alert,\n Span in);\n\nint dtls1_write_app_data(SSL *ssl, bool *out_needs_handshake,\n size_t *out_bytes_written, Span in);\n\n// dtls1_write_record sends a record. It returns one on success and <= 0 on\n// error.\nint dtls1_write_record(SSL *ssl, int type, Span in,\n uint16_t epoch);\n\nbool dtls1_parse_fragment(CBS *cbs, struct hm_header_st *out_hdr,\n CBS *out_body);\n\n// DTLS1_MTU_TIMEOUTS is the maximum number of retransmit timeouts to expire\n// before starting to decrease the MTU.\n#define DTLS1_MTU_TIMEOUTS 2\n\n// DTLS1_MAX_TIMEOUTS is the maximum number of retransmit timeouts to expire\n// before failing the DTLS handshake.\n#define DTLS1_MAX_TIMEOUTS 12\n\nvoid dtls1_stop_timer(SSL *ssl);\n\nunsigned int dtls1_min_mtu(void);\n\nbool dtls1_new(SSL *ssl);\nvoid dtls1_free(SSL *ssl);\n\nbool dtls1_process_handshake_fragments(SSL *ssl, uint8_t *out_alert,\n DTLSRecordNumber record_number,\n Span record);\nbool dtls1_get_message(const SSL *ssl, SSLMessage *out);\nssl_open_record_t dtls1_open_handshake(SSL *ssl, size_t *out_consumed,\n uint8_t *out_alert, Span in);\nvoid dtls1_next_message(SSL *ssl);\nint dtls1_dispatch_alert(SSL *ssl);\n\n// tls1_configure_aead configures either the read or write direction AEAD (as\n// determined by |direction|) using the keys generated by the TLS KDF. The\n// |key_block_cache| argument is used to store the generated key block, if\n// empty. Otherwise it's assumed that the key block is already contained within\n// it. It returns true on success or false on error.\nbool tls1_configure_aead(SSL *ssl, evp_aead_direction_t direction,\n Array *key_block_cache,\n const SSL_SESSION *session,\n Span iv_override);\n\nbool tls1_change_cipher_state(SSL_HANDSHAKE *hs,\n evp_aead_direction_t direction);\n\n// tls1_generate_master_secret computes the master secret from |premaster| and\n// writes it to |out|. |out| must have size |SSL3_MASTER_SECRET_SIZE|.\nbool tls1_generate_master_secret(SSL_HANDSHAKE *hs, Span out,\n Span premaster);\n\n// tls1_get_grouplist returns the locally-configured group preference list.\nSpan tls1_get_grouplist(const SSL_HANDSHAKE *ssl);\n\n// tls1_check_group_id returns whether |group_id| is consistent with locally-\n// configured group preferences.\nbool tls1_check_group_id(const SSL_HANDSHAKE *ssl, uint16_t group_id);\n\n// tls1_get_shared_group sets |*out_group_id| to the first preferred shared\n// group between client and server preferences and returns true. If none may be\n// found, it returns false.\nbool tls1_get_shared_group(SSL_HANDSHAKE *hs, uint16_t *out_group_id);\n\n// ssl_add_clienthello_tlsext writes ClientHello extensions to |out| for |type|.\n// It returns true on success and false on failure. The |header_len| argument is\n// the length of the ClientHello written so far and is used to compute the\n// padding length. (It does not include the record header or handshake headers.)\n//\n// If |type| is |ssl_client_hello_inner|, this function also writes the\n// compressed extensions to |out_encoded|. Otherwise, |out_encoded| should be\n// nullptr.\n//\n// On success, the function sets |*out_needs_psk_binder| to whether the last\n// ClientHello extension was the pre_shared_key extension and needs a PSK binder\n// filled in. The caller should then update |out| and, if applicable,\n// |out_encoded| with the binder after completing the whole message.\nbool ssl_add_clienthello_tlsext(SSL_HANDSHAKE *hs, CBB *out, CBB *out_encoded,\n bool *out_needs_psk_binder,\n ssl_client_hello_type_t type,\n size_t header_len);\n\nbool ssl_add_serverhello_tlsext(SSL_HANDSHAKE *hs, CBB *out);\nbool ssl_parse_clienthello_tlsext(SSL_HANDSHAKE *hs,\n const SSL_CLIENT_HELLO *client_hello);\nbool ssl_parse_serverhello_tlsext(SSL_HANDSHAKE *hs, const CBS *extensions);\n\n#define tlsext_tick_md EVP_sha256\n\n// ssl_process_ticket processes a session ticket from the client. It returns\n// one of:\n// |ssl_ticket_aead_success|: |*out_session| is set to the parsed session and\n// |*out_renew_ticket| is set to whether the ticket should be renewed.\n// |ssl_ticket_aead_ignore_ticket|: |*out_renew_ticket| is set to whether a\n// fresh ticket should be sent, but the given ticket cannot be used.\n// |ssl_ticket_aead_retry|: the ticket could not be immediately decrypted.\n// Retry later.\n// |ssl_ticket_aead_error|: an error occured that is fatal to the connection.\nenum ssl_ticket_aead_result_t ssl_process_ticket(\n SSL_HANDSHAKE *hs, UniquePtr *out_session,\n bool *out_renew_ticket, Span ticket,\n Span session_id);\n\n// tls1_verify_channel_id processes |msg| as a Channel ID message, and verifies\n// the signature. If the key is valid, it saves the Channel ID and returns true.\n// Otherwise, it returns false.\nbool tls1_verify_channel_id(SSL_HANDSHAKE *hs, const SSLMessage &msg);\n\n// tls1_write_channel_id generates a Channel ID message and puts the output in\n// |cbb|. |ssl->channel_id_private| must already be set before calling. This\n// function returns true on success and false on error.\nbool tls1_write_channel_id(SSL_HANDSHAKE *hs, CBB *cbb);\n\n// tls1_channel_id_hash computes the hash to be signed by Channel ID and writes\n// it to |out|, which must contain at least |EVP_MAX_MD_SIZE| bytes. It returns\n// true on success and false on failure.\nbool tls1_channel_id_hash(SSL_HANDSHAKE *hs, uint8_t *out, size_t *out_len);\n\n// tls1_record_handshake_hashes_for_channel_id records the current handshake\n// hashes in |hs->new_session| so that Channel ID resumptions can sign that\n// data.\nbool tls1_record_handshake_hashes_for_channel_id(SSL_HANDSHAKE *hs);\n\n// ssl_can_write returns whether |ssl| is allowed to write.\nbool ssl_can_write(const SSL *ssl);\n\n// ssl_can_read returns wheter |ssl| is allowed to read.\nbool ssl_can_read(const SSL *ssl);\n\nOPENSSL_timeval ssl_ctx_get_current_time(const SSL_CTX *ctx);\n\n// ssl_reset_error_state resets state for |SSL_get_error|.\nvoid ssl_reset_error_state(SSL *ssl);\n\n// ssl_set_read_error sets |ssl|'s read half into an error state, saving the\n// current state of the error queue.\nvoid ssl_set_read_error(SSL *ssl);\n\nBSSL_NAMESPACE_END\n\n\n// Opaque C types.\n//\n// The following types are exported to C code as public typedefs, so they must\n// be defined outside of the namespace.\n\n// ssl_method_st backs the public |SSL_METHOD| type. It is a compatibility\n// structure to support the legacy version-locked methods.\nstruct ssl_method_st {\n // version, if non-zero, is the only protocol version acceptable to an\n // SSL_CTX initialized from this method.\n uint16_t version;\n // method is the underlying SSL_PROTOCOL_METHOD that initializes the\n // SSL_CTX.\n const bssl::SSL_PROTOCOL_METHOD *method;\n // x509_method contains pointers to functions that might deal with |X509|\n // compatibility, or might be a no-op, depending on the application.\n const bssl::SSL_X509_METHOD *x509_method;\n};\n\nstruct ssl_ctx_st : public bssl::RefCounted {\n explicit ssl_ctx_st(const SSL_METHOD *ssl_method);\n ssl_ctx_st(const ssl_ctx_st &) = delete;\n ssl_ctx_st &operator=(const ssl_ctx_st &) = delete;\n\n const bssl::SSL_PROTOCOL_METHOD *method = nullptr;\n const bssl::SSL_X509_METHOD *x509_method = nullptr;\n\n // lock is used to protect various operations on this object.\n CRYPTO_MUTEX lock;\n\n // conf_max_version is the maximum acceptable protocol version configured by\n // |SSL_CTX_set_max_proto_version|. Note this version is normalized in DTLS\n // and is further constrainted by |SSL_OP_NO_*|.\n uint16_t conf_max_version = 0;\n\n // conf_min_version is the minimum acceptable protocol version configured by\n // |SSL_CTX_set_min_proto_version|. Note this version is normalized in DTLS\n // and is further constrainted by |SSL_OP_NO_*|.\n uint16_t conf_min_version = 0;\n\n // num_tickets is the number of tickets to send immediately after the TLS 1.3\n // handshake. TLS 1.3 recommends single-use tickets so, by default, issue two\n /// in case the client makes several connections before getting a renewal.\n uint8_t num_tickets = 2;\n\n // quic_method is the method table corresponding to the QUIC hooks.\n const SSL_QUIC_METHOD *quic_method = nullptr;\n\n bssl::UniquePtr cipher_list;\n\n X509_STORE *cert_store = nullptr;\n LHASH_OF(SSL_SESSION) *sessions = nullptr;\n // Most session-ids that will be cached, default is\n // SSL_SESSION_CACHE_MAX_SIZE_DEFAULT. 0 is unlimited.\n unsigned long session_cache_size = SSL_SESSION_CACHE_MAX_SIZE_DEFAULT;\n SSL_SESSION *session_cache_head = nullptr;\n SSL_SESSION *session_cache_tail = nullptr;\n\n // handshakes_since_cache_flush is the number of successful handshakes since\n // the last cache flush.\n int handshakes_since_cache_flush = 0;\n\n // This can have one of 2 values, ored together,\n // SSL_SESS_CACHE_CLIENT,\n // SSL_SESS_CACHE_SERVER,\n // Default is SSL_SESSION_CACHE_SERVER, which means only\n // SSL_accept which cache SSL_SESSIONS.\n int session_cache_mode = SSL_SESS_CACHE_SERVER;\n\n // session_timeout is the default lifetime for new sessions in TLS 1.2 and\n // earlier, in seconds.\n uint32_t session_timeout = SSL_DEFAULT_SESSION_TIMEOUT;\n\n // session_psk_dhe_timeout is the default lifetime for new sessions in TLS\n // 1.3, in seconds.\n uint32_t session_psk_dhe_timeout = SSL_DEFAULT_SESSION_PSK_DHE_TIMEOUT;\n\n // If this callback is not null, it will be called each time a session id is\n // added to the cache. If this function returns 1, it means that the\n // callback will do a SSL_SESSION_free() when it has finished using it.\n // Otherwise, on 0, it means the callback has finished with it. If\n // remove_session_cb is not null, it will be called when a session-id is\n // removed from the cache. After the call, OpenSSL will SSL_SESSION_free()\n // it.\n int (*new_session_cb)(SSL *ssl, SSL_SESSION *sess) = nullptr;\n void (*remove_session_cb)(SSL_CTX *ctx, SSL_SESSION *sess) = nullptr;\n SSL_SESSION *(*get_session_cb)(SSL *ssl, const uint8_t *data, int len,\n int *copy) = nullptr;\n\n // if defined, these override the X509_verify_cert() calls\n int (*app_verify_callback)(X509_STORE_CTX *store_ctx, void *arg) = nullptr;\n void *app_verify_arg = nullptr;\n\n ssl_verify_result_t (*custom_verify_callback)(SSL *ssl,\n uint8_t *out_alert) = nullptr;\n\n // Default password callback.\n pem_password_cb *default_passwd_callback = nullptr;\n\n // Default password callback user data.\n void *default_passwd_callback_userdata = nullptr;\n\n // get client cert callback\n int (*client_cert_cb)(SSL *ssl, X509 **out_x509,\n EVP_PKEY **out_pkey) = nullptr;\n\n CRYPTO_EX_DATA ex_data;\n\n // Default values used when no per-SSL value is defined follow\n\n void (*info_callback)(const SSL *ssl, int type, int value) = nullptr;\n\n // what we put in client cert requests\n bssl::UniquePtr client_CA;\n\n // cached_x509_client_CA is a cache of parsed versions of the elements of\n // |client_CA|.\n STACK_OF(X509_NAME) *cached_x509_client_CA = nullptr;\n\n // What we put in client hello in the CA extension.\n bssl::UniquePtr CA_names;\n\n // Default values to use in SSL structures follow (these are copied by\n // SSL_new)\n\n uint32_t options = 0;\n // Disable the auto-chaining feature by default. wpa_supplicant relies on this\n // feature, but require callers opt into it.\n uint32_t mode = SSL_MODE_NO_AUTO_CHAIN;\n uint32_t max_cert_list = SSL_MAX_CERT_LIST_DEFAULT;\n\n bssl::UniquePtr cert;\n\n // callback that allows applications to peek at protocol messages\n void (*msg_callback)(int is_write, int version, int content_type,\n const void *buf, size_t len, SSL *ssl,\n void *arg) = nullptr;\n void *msg_callback_arg = nullptr;\n\n int verify_mode = SSL_VERIFY_NONE;\n int (*default_verify_callback)(int ok, X509_STORE_CTX *ctx) =\n nullptr; // called 'verify_callback' in the SSL\n\n X509_VERIFY_PARAM *param = nullptr;\n\n // select_certificate_cb is called before most ClientHello processing and\n // before the decision whether to resume a session is made. See\n // |ssl_select_cert_result_t| for details of the return values.\n ssl_select_cert_result_t (*select_certificate_cb)(const SSL_CLIENT_HELLO *) =\n nullptr;\n\n // dos_protection_cb is called once the resumption decision for a ClientHello\n // has been made. It returns one to continue the handshake or zero to\n // abort.\n int (*dos_protection_cb)(const SSL_CLIENT_HELLO *) = nullptr;\n\n // Controls whether to verify certificates when resuming connections. They\n // were already verified when the connection was first made, so the default is\n // false. For now, this is only respected on clients, not servers.\n bool reverify_on_resume = false;\n\n // Maximum amount of data to send in one fragment. actual record size can be\n // more than this due to padding and MAC overheads.\n uint16_t max_send_fragment = SSL3_RT_MAX_PLAIN_LENGTH;\n\n // TLS extensions servername callback\n int (*servername_callback)(SSL *, int *, void *) = nullptr;\n void *servername_arg = nullptr;\n\n // RFC 4507 session ticket keys. |ticket_key_current| may be NULL before the\n // first handshake and |ticket_key_prev| may be NULL at any time.\n // Automatically generated ticket keys are rotated as needed at handshake\n // time. Hence, all access must be synchronized through |lock|.\n bssl::UniquePtr ticket_key_current;\n bssl::UniquePtr ticket_key_prev;\n\n // Callback to support customisation of ticket key setting\n int (*ticket_key_cb)(SSL *ssl, uint8_t *name, uint8_t *iv,\n EVP_CIPHER_CTX *ectx, HMAC_CTX *hctx, int enc) = nullptr;\n\n // Server-only: psk_identity_hint is the default identity hint to send in\n // PSK-based key exchanges.\n bssl::UniquePtr psk_identity_hint;\n\n unsigned (*psk_client_callback)(SSL *ssl, const char *hint, char *identity,\n unsigned max_identity_len, uint8_t *psk,\n unsigned max_psk_len) = nullptr;\n unsigned (*psk_server_callback)(SSL *ssl, const char *identity, uint8_t *psk,\n unsigned max_psk_len) = nullptr;\n\n\n // Next protocol negotiation information\n // (for experimental NPN extension).\n\n // For a server, this contains a callback function by which the set of\n // advertised protocols can be provided.\n int (*next_protos_advertised_cb)(SSL *ssl, const uint8_t **out,\n unsigned *out_len, void *arg) = nullptr;\n void *next_protos_advertised_cb_arg = nullptr;\n // For a client, this contains a callback function that selects the\n // next protocol from the list provided by the server.\n int (*next_proto_select_cb)(SSL *ssl, uint8_t **out, uint8_t *out_len,\n const uint8_t *in, unsigned in_len,\n void *arg) = nullptr;\n void *next_proto_select_cb_arg = nullptr;\n\n // ALPN information\n // (we are in the process of transitioning from NPN to ALPN.)\n\n // For a server, this contains a callback function that allows the\n // server to select the protocol for the connection.\n // out: on successful return, this must point to the raw protocol\n // name (without the length prefix).\n // outlen: on successful return, this contains the length of |*out|.\n // in: points to the client's list of supported protocols in\n // wire-format.\n // inlen: the length of |in|.\n int (*alpn_select_cb)(SSL *ssl, const uint8_t **out, uint8_t *out_len,\n const uint8_t *in, unsigned in_len,\n void *arg) = nullptr;\n void *alpn_select_cb_arg = nullptr;\n\n // For a client, this contains the list of supported protocols in wire\n // format.\n bssl::Array alpn_client_proto_list;\n\n // SRTP profiles we are willing to do from RFC 5764\n bssl::UniquePtr srtp_profiles;\n\n // Defined compression algorithms for certificates.\n bssl::Vector cert_compression_algs;\n\n // Supported group values inherited by SSL structure\n bssl::Array supported_group_list;\n\n // channel_id_private is the client's Channel ID private key, or null if\n // Channel ID should not be offered on this connection.\n bssl::UniquePtr channel_id_private;\n\n // ech_keys contains the server's list of ECHConfig values and associated\n // private keys. This list may be swapped out at any time, so all access must\n // be synchronized through |lock|.\n bssl::UniquePtr ech_keys;\n\n // keylog_callback, if not NULL, is the key logging callback. See\n // |SSL_CTX_set_keylog_callback|.\n void (*keylog_callback)(const SSL *ssl, const char *line) = nullptr;\n\n // current_time_cb, if not NULL, is the function to use to get the current\n // time. It sets |*out_clock| to the current time. The |ssl| argument is\n // always NULL. See |SSL_CTX_set_current_time_cb|.\n void (*current_time_cb)(const SSL *ssl, struct timeval *out_clock) = nullptr;\n\n // pool is used for all |CRYPTO_BUFFER|s in case we wish to share certificate\n // memory.\n CRYPTO_BUFFER_POOL *pool = nullptr;\n\n // ticket_aead_method contains function pointers for opening and sealing\n // session tickets.\n const SSL_TICKET_AEAD_METHOD *ticket_aead_method = nullptr;\n\n // legacy_ocsp_callback implements an OCSP-related callback for OpenSSL\n // compatibility.\n int (*legacy_ocsp_callback)(SSL *ssl, void *arg) = nullptr;\n void *legacy_ocsp_callback_arg = nullptr;\n\n // compliance_policy limits the set of ciphers that can be selected when\n // negotiating a TLS 1.3 connection.\n enum ssl_compliance_policy_t compliance_policy = ssl_compliance_policy_none;\n\n // verify_sigalgs, if not empty, is the set of signature algorithms\n // accepted from the peer in decreasing order of preference.\n bssl::Array verify_sigalgs;\n\n // retain_only_sha256_of_client_certs is true if we should compute the SHA256\n // hash of the peer's certificate and then discard it to save memory and\n // session space. Only effective on the server side.\n bool retain_only_sha256_of_client_certs : 1;\n\n // quiet_shutdown is true if the connection should not send a close_notify on\n // shutdown.\n bool quiet_shutdown : 1;\n\n // ocsp_stapling_enabled is only used by client connections and indicates\n // whether OCSP stapling will be requested.\n bool ocsp_stapling_enabled : 1;\n\n // If true, a client will request certificate timestamps.\n bool signed_cert_timestamps_enabled : 1;\n\n // channel_id_enabled is whether Channel ID is enabled. For a server, means\n // that we'll accept Channel IDs from clients. For a client, means that we'll\n // advertise support.\n bool channel_id_enabled : 1;\n\n // grease_enabled is whether GREASE (RFC 8701) is enabled.\n bool grease_enabled : 1;\n\n // permute_extensions is whether to permute extensions when sending messages.\n bool permute_extensions : 1;\n\n // allow_unknown_alpn_protos is whether the client allows unsolicited ALPN\n // protocols from the peer.\n bool allow_unknown_alpn_protos : 1;\n\n // false_start_allowed_without_alpn is whether False Start (if\n // |SSL_MODE_ENABLE_FALSE_START| is enabled) is allowed without ALPN.\n bool false_start_allowed_without_alpn : 1;\n\n // handoff indicates that a server should stop after receiving the\n // ClientHello and pause the handshake in such a way that |SSL_get_error|\n // returns |SSL_ERROR_HANDOFF|.\n bool handoff : 1;\n\n // If enable_early_data is true, early data can be sent and accepted.\n bool enable_early_data : 1;\n\n // aes_hw_override if set indicates we should override checking for AES\n // hardware support, and use the value in aes_hw_override_value instead.\n bool aes_hw_override : 1;\n\n // aes_hw_override_value is used for testing to indicate the support or lack\n // of support for AES hardware. The value is only considered if\n // |aes_hw_override| is true.\n bool aes_hw_override_value : 1;\n\n private:\n friend RefCounted;\n ~ssl_ctx_st();\n};\n\nstruct ssl_st {\n explicit ssl_st(SSL_CTX *ctx_arg);\n ssl_st(const ssl_st &) = delete;\n ssl_st &operator=(const ssl_st &) = delete;\n ~ssl_st();\n\n // method is the method table corresponding to the current protocol (DTLS or\n // TLS).\n const bssl::SSL_PROTOCOL_METHOD *method = nullptr;\n\n // config is a container for handshake configuration. Accesses to this field\n // should check for nullptr, since configuration may be shed after the\n // handshake completes. (If you have the |SSL_HANDSHAKE| object at hand, use\n // that instead, and skip the null check.)\n bssl::UniquePtr config;\n\n uint16_t max_send_fragment = 0;\n\n // There are 2 BIO's even though they are normally both the same. This is so\n // data can be read and written to different handlers\n\n bssl::UniquePtr rbio; // used by SSL_read\n bssl::UniquePtr wbio; // used by SSL_write\n\n // do_handshake runs the handshake. On completion, it returns |ssl_hs_ok|.\n // Otherwise, it returns a value corresponding to what operation is needed to\n // progress.\n bssl::ssl_hs_wait_t (*do_handshake)(bssl::SSL_HANDSHAKE *hs) = nullptr;\n\n bssl::SSL3_STATE *s3 = nullptr; // TLS variables\n bssl::DTLS1_STATE *d1 = nullptr; // DTLS variables\n\n // callback that allows applications to peek at protocol messages\n void (*msg_callback)(int write_p, int version, int content_type,\n const void *buf, size_t len, SSL *ssl,\n void *arg) = nullptr;\n void *msg_callback_arg = nullptr;\n\n // session info\n\n // initial_timeout_duration_ms is the default DTLS timeout duration in\n // milliseconds. It's used to initialize the timer any time it's restarted. We\n // default to RFC 9147's recommendation for real-time applications, 400ms.\n uint32_t initial_timeout_duration_ms = 400;\n\n // session is the configured session to be offered by the client. This session\n // is immutable.\n bssl::UniquePtr session;\n\n void (*info_callback)(const SSL *ssl, int type, int value) = nullptr;\n\n bssl::UniquePtr ctx;\n\n // session_ctx is the |SSL_CTX| used for the session cache and related\n // settings.\n bssl::UniquePtr session_ctx;\n\n // extra application data\n CRYPTO_EX_DATA ex_data;\n\n uint32_t options = 0; // protocol behaviour\n uint32_t mode = 0; // API behaviour\n uint32_t max_cert_list = 0;\n bssl::UniquePtr hostname;\n\n // quic_method is the method table corresponding to the QUIC hooks.\n const SSL_QUIC_METHOD *quic_method = nullptr;\n\n // renegotiate_mode controls how peer renegotiation attempts are handled.\n ssl_renegotiate_mode_t renegotiate_mode = ssl_renegotiate_never;\n\n // server is true iff the this SSL* is the server half. Note: before the SSL*\n // is initialized by either SSL_set_accept_state or SSL_set_connect_state,\n // the side is not determined. In this state, server is always false.\n bool server : 1;\n\n // quiet_shutdown is true if the connection should not send a close_notify on\n // shutdown.\n bool quiet_shutdown : 1;\n\n // If enable_early_data is true, early data can be sent and accepted.\n bool enable_early_data : 1;\n};\n\nstruct ssl_session_st : public bssl::RefCounted {\n explicit ssl_session_st(const bssl::SSL_X509_METHOD *method);\n ssl_session_st(const ssl_session_st &) = delete;\n ssl_session_st &operator=(const ssl_session_st &) = delete;\n\n // ssl_version is the (D)TLS version that established the session.\n uint16_t ssl_version = 0;\n\n // group_id is the ID of the ECDH group used to establish this session or zero\n // if not applicable or unknown.\n uint16_t group_id = 0;\n\n // peer_signature_algorithm is the signature algorithm used to authenticate\n // the peer, or zero if not applicable or unknown.\n uint16_t peer_signature_algorithm = 0;\n\n // secret, in TLS 1.2 and below, is the master secret associated with the\n // session. In TLS 1.3 and up, it is the resumption PSK for sessions handed to\n // the caller, but it stores the resumption secret when stored on |SSL|\n // objects.\n bssl::InplaceVector secret;\n\n bssl::InplaceVector session_id;\n\n // this is used to determine whether the session is being reused in\n // the appropriate context. It is up to the application to set this,\n // via SSL_new\n bssl::InplaceVector sid_ctx;\n\n bssl::UniquePtr psk_identity;\n\n // certs contains the certificate chain from the peer, starting with the leaf\n // certificate.\n bssl::UniquePtr certs;\n\n const bssl::SSL_X509_METHOD *x509_method = nullptr;\n\n // x509_peer is the peer's certificate.\n X509 *x509_peer = nullptr;\n\n // x509_chain is the certificate chain sent by the peer. NOTE: for historical\n // reasons, when a client (so the peer is a server), the chain includes\n // |peer|, but when a server it does not.\n STACK_OF(X509) *x509_chain = nullptr;\n\n // x509_chain_without_leaf is a lazily constructed copy of |x509_chain| that\n // omits the leaf certificate. This exists because OpenSSL, historically,\n // didn't include the leaf certificate in the chain for a server, but did for\n // a client. The |x509_chain| always includes it and, if an API call requires\n // a chain without, it is stored here.\n STACK_OF(X509) *x509_chain_without_leaf = nullptr;\n\n // verify_result is the result of certificate verification in the case of\n // non-fatal certificate errors.\n long verify_result = X509_V_ERR_INVALID_CALL;\n\n // timeout is the lifetime of the session in seconds, measured from |time|.\n // This is renewable up to |auth_timeout|.\n uint32_t timeout = SSL_DEFAULT_SESSION_TIMEOUT;\n\n // auth_timeout is the non-renewable lifetime of the session in seconds,\n // measured from |time|.\n uint32_t auth_timeout = SSL_DEFAULT_SESSION_TIMEOUT;\n\n // time is the time the session was issued, measured in seconds from the UNIX\n // epoch.\n uint64_t time = 0;\n\n const SSL_CIPHER *cipher = nullptr;\n\n CRYPTO_EX_DATA ex_data; // application specific data\n\n // These are used to make removal of session-ids more efficient and to\n // implement a maximum cache size.\n SSL_SESSION *prev = nullptr, *next = nullptr;\n\n bssl::Array ticket;\n\n bssl::UniquePtr signed_cert_timestamp_list;\n\n // The OCSP response that came with the session.\n bssl::UniquePtr ocsp_response;\n\n // peer_sha256 contains the SHA-256 hash of the peer's certificate if\n // |peer_sha256_valid| is true.\n uint8_t peer_sha256[SHA256_DIGEST_LENGTH] = {0};\n\n // original_handshake_hash contains the handshake hash (either SHA-1+MD5 or\n // SHA-2, depending on TLS version) for the original, full handshake that\n // created a session. This is used by Channel IDs during resumption.\n bssl::InplaceVector original_handshake_hash;\n\n uint32_t ticket_lifetime_hint = 0; // Session lifetime hint in seconds\n\n uint32_t ticket_age_add = 0;\n\n // ticket_max_early_data is the maximum amount of data allowed to be sent as\n // early data. If zero, 0-RTT is disallowed.\n uint32_t ticket_max_early_data = 0;\n\n // early_alpn is the ALPN protocol from the initial handshake. This is only\n // stored for TLS 1.3 and above in order to enforce ALPN matching for 0-RTT\n // resumptions. For the current connection's ALPN protocol, see\n // |alpn_selected| on |SSL3_STATE|.\n bssl::Array early_alpn;\n\n // local_application_settings, if |has_application_settings| is true, is the\n // local ALPS value for this connection.\n bssl::Array local_application_settings;\n\n // peer_application_settings, if |has_application_settings| is true, is the\n // peer ALPS value for this connection.\n bssl::Array peer_application_settings;\n\n // extended_master_secret is whether the master secret in this session was\n // generated using EMS and thus isn't vulnerable to the Triple Handshake\n // attack.\n bool extended_master_secret : 1;\n\n // peer_sha256_valid is whether |peer_sha256| is valid.\n bool peer_sha256_valid : 1; // Non-zero if peer_sha256 is valid\n\n // not_resumable is used to indicate that session resumption is disallowed.\n bool not_resumable : 1;\n\n // ticket_age_add_valid is whether |ticket_age_add| is valid.\n bool ticket_age_add_valid : 1;\n\n // is_server is whether this session was created by a server.\n bool is_server : 1;\n\n // is_quic indicates whether this session was created using QUIC.\n bool is_quic : 1;\n\n // has_application_settings indicates whether ALPS was negotiated in this\n // session.\n bool has_application_settings : 1;\n\n // quic_early_data_context is used to determine whether early data must be\n // rejected when performing a QUIC handshake.\n bssl::Array quic_early_data_context;\n\n private:\n friend RefCounted;\n ~ssl_session_st();\n};\n\nstruct ssl_ech_keys_st : public bssl::RefCounted {\n ssl_ech_keys_st() : RefCounted(CheckSubClass()) {}\n\n bssl::Vector> configs;\n\n private:\n friend RefCounted;\n ~ssl_ech_keys_st() = default;\n};\n\n#endif // OPENSSL_HEADER_SSL_INTERNAL_H\n" }, { "path": "Sources/CNIOBoringSSL/ssl/s3_both.cc", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n#include \n#include \n\n#include \n\n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n\n#include \"../crypto/internal.h\"\n#include \"internal.h\"\n\n\nBSSL_NAMESPACE_BEGIN\n\nstatic bool add_record_to_flight(SSL *ssl, uint8_t type,\n Span in) {\n // The caller should have flushed |pending_hs_data| first.\n assert(!ssl->s3->pending_hs_data);\n // We'll never add a flight while in the process of writing it out.\n assert(ssl->s3->pending_flight_offset == 0);\n\n if (ssl->s3->pending_flight == nullptr) {\n ssl->s3->pending_flight.reset(BUF_MEM_new());\n if (ssl->s3->pending_flight == nullptr) {\n return false;\n }\n }\n\n size_t max_out = in.size() + SSL_max_seal_overhead(ssl);\n size_t new_cap = ssl->s3->pending_flight->length + max_out;\n if (max_out < in.size() || new_cap < max_out) {\n OPENSSL_PUT_ERROR(SSL, ERR_R_OVERFLOW);\n return false;\n }\n\n size_t len;\n if (!BUF_MEM_reserve(ssl->s3->pending_flight.get(), new_cap) ||\n !tls_seal_record(ssl,\n (uint8_t *)ssl->s3->pending_flight->data +\n ssl->s3->pending_flight->length,\n &len, max_out, type, in.data(), in.size())) {\n return false;\n }\n\n ssl->s3->pending_flight->length += len;\n return true;\n}\n\nbool tls_init_message(const SSL *ssl, CBB *cbb, CBB *body, uint8_t type) {\n // Pick a modest size hint to save most of the |realloc| calls.\n if (!CBB_init(cbb, 64) || //\n !CBB_add_u8(cbb, type) || //\n !CBB_add_u24_length_prefixed(cbb, body)) {\n OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);\n CBB_cleanup(cbb);\n return false;\n }\n\n return true;\n}\n\nbool tls_finish_message(const SSL *ssl, CBB *cbb, Array *out_msg) {\n return CBBFinishArray(cbb, out_msg);\n}\n\nbool tls_add_message(SSL *ssl, Array msg) {\n // Pack handshake data into the minimal number of records. This avoids\n // unnecessary encryption overhead, notably in TLS 1.3 where we send several\n // encrypted messages in a row. For now, we do not do this for the null\n // cipher. The benefit is smaller and there is a risk of breaking buggy\n // implementations.\n //\n // TODO(crbug.com/374991962): See if we can do this uniformly.\n Span rest = msg;\n if (!SSL_is_quic(ssl) && ssl->s3->aead_write_ctx->is_null_cipher()) {\n while (!rest.empty()) {\n Span chunk = rest.subspan(0, ssl->max_send_fragment);\n rest = rest.subspan(chunk.size());\n\n if (!add_record_to_flight(ssl, SSL3_RT_HANDSHAKE, chunk)) {\n return false;\n }\n }\n } else {\n while (!rest.empty()) {\n // Flush if |pending_hs_data| is full.\n if (ssl->s3->pending_hs_data &&\n ssl->s3->pending_hs_data->length >= ssl->max_send_fragment &&\n !tls_flush_pending_hs_data(ssl)) {\n return false;\n }\n\n size_t pending_len =\n ssl->s3->pending_hs_data ? ssl->s3->pending_hs_data->length : 0;\n Span chunk =\n rest.subspan(0, ssl->max_send_fragment - pending_len);\n assert(!chunk.empty());\n rest = rest.subspan(chunk.size());\n\n if (!ssl->s3->pending_hs_data) {\n ssl->s3->pending_hs_data.reset(BUF_MEM_new());\n }\n if (!ssl->s3->pending_hs_data ||\n !BUF_MEM_append(ssl->s3->pending_hs_data.get(), chunk.data(),\n chunk.size())) {\n return false;\n }\n }\n }\n\n ssl_do_msg_callback(ssl, 1 /* write */, SSL3_RT_HANDSHAKE, msg);\n // TODO(svaldez): Move this up a layer to fix abstraction for SSLTranscript on\n // hs.\n if (ssl->s3->hs != NULL && //\n !ssl->s3->hs->transcript.Update(msg)) {\n return false;\n }\n return true;\n}\n\nbool tls_flush_pending_hs_data(SSL *ssl) {\n if (!ssl->s3->pending_hs_data || ssl->s3->pending_hs_data->length == 0) {\n return true;\n }\n\n UniquePtr pending_hs_data = std::move(ssl->s3->pending_hs_data);\n auto data = Span(reinterpret_cast(pending_hs_data->data),\n pending_hs_data->length);\n if (SSL_is_quic(ssl)) {\n if ((ssl->s3->hs == nullptr || !ssl->s3->hs->hints_requested) &&\n !ssl->quic_method->add_handshake_data(ssl, ssl->s3->quic_write_level,\n data.data(), data.size())) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_QUIC_INTERNAL_ERROR);\n return false;\n }\n return true;\n }\n\n return add_record_to_flight(ssl, SSL3_RT_HANDSHAKE, data);\n}\n\nbool tls_add_change_cipher_spec(SSL *ssl) {\n if (SSL_is_quic(ssl)) {\n return true;\n }\n\n static const uint8_t kChangeCipherSpec[1] = {SSL3_MT_CCS};\n if (!tls_flush_pending_hs_data(ssl) ||\n !add_record_to_flight(ssl, SSL3_RT_CHANGE_CIPHER_SPEC,\n kChangeCipherSpec)) {\n return false;\n }\n\n ssl_do_msg_callback(ssl, 1 /* write */, SSL3_RT_CHANGE_CIPHER_SPEC,\n kChangeCipherSpec);\n return true;\n}\n\nint tls_flush(SSL *ssl) {\n if (!tls_flush_pending_hs_data(ssl)) {\n return -1;\n }\n\n if (SSL_is_quic(ssl)) {\n if (ssl->s3->write_shutdown != ssl_shutdown_none) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_PROTOCOL_IS_SHUTDOWN);\n return -1;\n }\n\n if (!ssl->quic_method->flush_flight(ssl)) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_QUIC_INTERNAL_ERROR);\n return -1;\n }\n }\n\n if (ssl->s3->pending_flight == nullptr) {\n return 1;\n }\n\n if (ssl->s3->write_shutdown != ssl_shutdown_none) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_PROTOCOL_IS_SHUTDOWN);\n return -1;\n }\n\n static_assert(INT_MAX <= 0xffffffff, \"int is larger than 32 bits\");\n if (ssl->s3->pending_flight->length > INT_MAX) {\n OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);\n return -1;\n }\n\n // If there is pending data in the write buffer, it must be flushed out before\n // any new data in pending_flight.\n if (!ssl->s3->write_buffer.empty()) {\n int ret = ssl_write_buffer_flush(ssl);\n if (ret <= 0) {\n ssl->s3->rwstate = SSL_ERROR_WANT_WRITE;\n return ret;\n }\n }\n\n if (ssl->wbio == nullptr) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_BIO_NOT_SET);\n return -1;\n }\n\n // Write the pending flight.\n while (ssl->s3->pending_flight_offset < ssl->s3->pending_flight->length) {\n int ret = BIO_write(\n ssl->wbio.get(),\n ssl->s3->pending_flight->data + ssl->s3->pending_flight_offset,\n ssl->s3->pending_flight->length - ssl->s3->pending_flight_offset);\n if (ret <= 0) {\n ssl->s3->rwstate = SSL_ERROR_WANT_WRITE;\n return ret;\n }\n\n ssl->s3->pending_flight_offset += ret;\n }\n\n if (BIO_flush(ssl->wbio.get()) <= 0) {\n ssl->s3->rwstate = SSL_ERROR_WANT_WRITE;\n return -1;\n }\n\n ssl->s3->pending_flight.reset();\n ssl->s3->pending_flight_offset = 0;\n return 1;\n}\n\nstatic ssl_open_record_t read_v2_client_hello(SSL *ssl, size_t *out_consumed,\n Span in) {\n *out_consumed = 0;\n assert(in.size() >= SSL3_RT_HEADER_LENGTH);\n // Determine the length of the V2ClientHello.\n size_t msg_length = ((in[0] & 0x7f) << 8) | in[1];\n if (msg_length > (1024 * 4)) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_RECORD_TOO_LARGE);\n return ssl_open_record_error;\n }\n if (msg_length < SSL3_RT_HEADER_LENGTH - 2) {\n // Reject lengths that are too short early. We have already read\n // |SSL3_RT_HEADER_LENGTH| bytes, so we should not attempt to process an\n // (invalid) V2ClientHello which would be shorter than that.\n OPENSSL_PUT_ERROR(SSL, SSL_R_RECORD_LENGTH_MISMATCH);\n return ssl_open_record_error;\n }\n\n // Ask for the remainder of the V2ClientHello.\n if (in.size() < 2 + msg_length) {\n *out_consumed = 2 + msg_length;\n return ssl_open_record_partial;\n }\n\n CBS v2_client_hello = CBS(in.subspan(2, msg_length));\n // The V2ClientHello without the length is incorporated into the handshake\n // hash. This is only ever called at the start of the handshake, so hs is\n // guaranteed to be non-NULL.\n if (!ssl->s3->hs->transcript.Update(v2_client_hello)) {\n return ssl_open_record_error;\n }\n\n ssl_do_msg_callback(ssl, 0 /* read */, 0 /* V2ClientHello */,\n v2_client_hello);\n\n uint8_t msg_type;\n uint16_t version, cipher_spec_length, session_id_length, challenge_length;\n CBS cipher_specs, session_id, challenge;\n if (!CBS_get_u8(&v2_client_hello, &msg_type) ||\n !CBS_get_u16(&v2_client_hello, &version) ||\n !CBS_get_u16(&v2_client_hello, &cipher_spec_length) ||\n !CBS_get_u16(&v2_client_hello, &session_id_length) ||\n !CBS_get_u16(&v2_client_hello, &challenge_length) ||\n !CBS_get_bytes(&v2_client_hello, &cipher_specs, cipher_spec_length) ||\n !CBS_get_bytes(&v2_client_hello, &session_id, session_id_length) ||\n !CBS_get_bytes(&v2_client_hello, &challenge, challenge_length) ||\n CBS_len(&v2_client_hello) != 0) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);\n return ssl_open_record_error;\n }\n\n // msg_type has already been checked.\n assert(msg_type == SSL2_MT_CLIENT_HELLO);\n\n // The client_random is the V2ClientHello challenge. Truncate or left-pad with\n // zeros as needed.\n size_t rand_len = CBS_len(&challenge);\n if (rand_len > SSL3_RANDOM_SIZE) {\n rand_len = SSL3_RANDOM_SIZE;\n }\n uint8_t random[SSL3_RANDOM_SIZE];\n OPENSSL_memset(random, 0, SSL3_RANDOM_SIZE);\n OPENSSL_memcpy(random + (SSL3_RANDOM_SIZE - rand_len), CBS_data(&challenge),\n rand_len);\n\n // Write out an equivalent TLS ClientHello directly to the handshake buffer.\n size_t max_v3_client_hello = SSL3_HM_HEADER_LENGTH + 2 /* version */ +\n SSL3_RANDOM_SIZE + 1 /* session ID length */ +\n 2 /* cipher list length */ +\n CBS_len(&cipher_specs) / 3 * 2 +\n 1 /* compression length */ + 1 /* compression */;\n ScopedCBB client_hello;\n CBB hello_body, cipher_suites;\n if (!ssl->s3->hs_buf) {\n ssl->s3->hs_buf.reset(BUF_MEM_new());\n }\n if (!ssl->s3->hs_buf ||\n !BUF_MEM_reserve(ssl->s3->hs_buf.get(), max_v3_client_hello) ||\n !CBB_init_fixed(client_hello.get(), (uint8_t *)ssl->s3->hs_buf->data,\n ssl->s3->hs_buf->max) ||\n !CBB_add_u8(client_hello.get(), SSL3_MT_CLIENT_HELLO) ||\n !CBB_add_u24_length_prefixed(client_hello.get(), &hello_body) ||\n !CBB_add_u16(&hello_body, version) ||\n !CBB_add_bytes(&hello_body, random, SSL3_RANDOM_SIZE) ||\n // No session id.\n !CBB_add_u8(&hello_body, 0) ||\n !CBB_add_u16_length_prefixed(&hello_body, &cipher_suites)) {\n return ssl_open_record_error;\n }\n\n // Copy the cipher suites.\n while (CBS_len(&cipher_specs) > 0) {\n uint32_t cipher_spec;\n if (!CBS_get_u24(&cipher_specs, &cipher_spec)) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);\n return ssl_open_record_error;\n }\n\n // Skip SSLv2 ciphers.\n if ((cipher_spec & 0xff0000) != 0) {\n continue;\n }\n if (!CBB_add_u16(&cipher_suites, cipher_spec)) {\n OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);\n return ssl_open_record_error;\n }\n }\n\n // Add the null compression scheme and finish.\n if (!CBB_add_u8(&hello_body, 1) || //\n !CBB_add_u8(&hello_body, 0) || //\n !CBB_finish(client_hello.get(), NULL, &ssl->s3->hs_buf->length)) {\n OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);\n return ssl_open_record_error;\n }\n\n *out_consumed = 2 + msg_length;\n ssl->s3->is_v2_hello = true;\n return ssl_open_record_success;\n}\n\nstatic bool parse_message(const SSL *ssl, SSLMessage *out,\n size_t *out_bytes_needed) {\n if (!ssl->s3->hs_buf) {\n *out_bytes_needed = 4;\n return false;\n }\n\n CBS cbs;\n uint32_t len;\n CBS_init(&cbs, reinterpret_cast(ssl->s3->hs_buf->data),\n ssl->s3->hs_buf->length);\n if (!CBS_get_u8(&cbs, &out->type) || //\n !CBS_get_u24(&cbs, &len)) {\n *out_bytes_needed = 4;\n return false;\n }\n\n if (!CBS_get_bytes(&cbs, &out->body, len)) {\n *out_bytes_needed = 4 + len;\n return false;\n }\n\n CBS_init(&out->raw, reinterpret_cast(ssl->s3->hs_buf->data),\n 4 + len);\n out->is_v2_hello = ssl->s3->is_v2_hello;\n return true;\n}\n\nbool tls_get_message(const SSL *ssl, SSLMessage *out) {\n size_t unused;\n if (!parse_message(ssl, out, &unused)) {\n return false;\n }\n if (!ssl->s3->has_message) {\n if (!out->is_v2_hello) {\n ssl_do_msg_callback(ssl, 0 /* read */, SSL3_RT_HANDSHAKE, out->raw);\n }\n ssl->s3->has_message = true;\n }\n return true;\n}\n\nbool tls_can_accept_handshake_data(const SSL *ssl, uint8_t *out_alert) {\n // If there is a complete message, the caller must have consumed it first.\n SSLMessage msg;\n size_t bytes_needed;\n if (parse_message(ssl, &msg, &bytes_needed)) {\n OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);\n *out_alert = SSL_AD_INTERNAL_ERROR;\n return false;\n }\n\n // Enforce the limit so the peer cannot force us to buffer 16MB.\n if (bytes_needed > 4 + ssl_max_handshake_message_len(ssl)) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_EXCESSIVE_MESSAGE_SIZE);\n *out_alert = SSL_AD_ILLEGAL_PARAMETER;\n return false;\n }\n\n return true;\n}\n\nbool tls_has_unprocessed_handshake_data(const SSL *ssl) {\n size_t msg_len = 0;\n if (ssl->s3->has_message) {\n SSLMessage msg;\n size_t unused;\n if (parse_message(ssl, &msg, &unused)) {\n msg_len = CBS_len(&msg.raw);\n }\n }\n\n return ssl->s3->hs_buf && ssl->s3->hs_buf->length > msg_len;\n}\n\nbool tls_append_handshake_data(SSL *ssl, Span data) {\n // Re-create the handshake buffer if needed.\n if (!ssl->s3->hs_buf) {\n ssl->s3->hs_buf.reset(BUF_MEM_new());\n }\n return ssl->s3->hs_buf &&\n BUF_MEM_append(ssl->s3->hs_buf.get(), data.data(), data.size());\n}\n\nssl_open_record_t tls_open_handshake(SSL *ssl, size_t *out_consumed,\n uint8_t *out_alert, Span in) {\n *out_consumed = 0;\n // Bypass the record layer for the first message to handle V2ClientHello.\n if (ssl->server && !ssl->s3->v2_hello_done) {\n // Ask for the first 5 bytes, the size of the TLS record header. This is\n // sufficient to detect a V2ClientHello and ensures that we never read\n // beyond the first record.\n if (in.size() < SSL3_RT_HEADER_LENGTH) {\n *out_consumed = SSL3_RT_HEADER_LENGTH;\n return ssl_open_record_partial;\n }\n\n // Some dedicated error codes for protocol mixups should the application\n // wish to interpret them differently. (These do not overlap with\n // ClientHello or V2ClientHello.)\n auto str = bssl::BytesAsStringView(in);\n if (str.substr(0, 4) == \"GET \" || //\n str.substr(0, 5) == \"POST \" || //\n str.substr(0, 5) == \"HEAD \" || //\n str.substr(0, 4) == \"PUT \") {\n OPENSSL_PUT_ERROR(SSL, SSL_R_HTTP_REQUEST);\n *out_alert = 0;\n return ssl_open_record_error;\n }\n if (str.substr(0, 5) == \"CONNE\") {\n OPENSSL_PUT_ERROR(SSL, SSL_R_HTTPS_PROXY_REQUEST);\n *out_alert = 0;\n return ssl_open_record_error;\n }\n\n // Check for a V2ClientHello.\n if ((in[0] & 0x80) != 0 && in[2] == SSL2_MT_CLIENT_HELLO &&\n in[3] == SSL3_VERSION_MAJOR) {\n auto ret = read_v2_client_hello(ssl, out_consumed, in);\n if (ret == ssl_open_record_error) {\n *out_alert = 0;\n } else if (ret == ssl_open_record_success) {\n ssl->s3->v2_hello_done = true;\n }\n return ret;\n }\n\n ssl->s3->v2_hello_done = true;\n }\n\n uint8_t type;\n Span body;\n auto ret = tls_open_record(ssl, &type, &body, out_consumed, out_alert, in);\n if (ret != ssl_open_record_success) {\n return ret;\n }\n\n if (type != SSL3_RT_HANDSHAKE) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_RECORD);\n *out_alert = SSL_AD_UNEXPECTED_MESSAGE;\n return ssl_open_record_error;\n }\n\n // Append the entire handshake record to the buffer.\n if (!tls_append_handshake_data(ssl, body)) {\n *out_alert = SSL_AD_INTERNAL_ERROR;\n return ssl_open_record_error;\n }\n\n return ssl_open_record_success;\n}\n\nvoid tls_next_message(SSL *ssl) {\n SSLMessage msg;\n if (!tls_get_message(ssl, &msg) || //\n !ssl->s3->hs_buf || //\n ssl->s3->hs_buf->length < CBS_len(&msg.raw)) {\n assert(0);\n return;\n }\n\n OPENSSL_memmove(ssl->s3->hs_buf->data,\n ssl->s3->hs_buf->data + CBS_len(&msg.raw),\n ssl->s3->hs_buf->length - CBS_len(&msg.raw));\n ssl->s3->hs_buf->length -= CBS_len(&msg.raw);\n ssl->s3->is_v2_hello = false;\n ssl->s3->has_message = false;\n\n // Post-handshake messages are rare, so release the buffer after every\n // message. During the handshake, |on_handshake_complete| will release it.\n if (!SSL_in_init(ssl) && ssl->s3->hs_buf->length == 0) {\n ssl->s3->hs_buf.reset();\n }\n}\n\nnamespace {\n\nclass CipherScorer {\n public:\n using Score = int;\n static constexpr Score kMinScore = 0;\n\n virtual ~CipherScorer() = default;\n\n virtual Score Evaluate(const SSL_CIPHER *cipher) const = 0;\n};\n\n// AesHwCipherScorer scores cipher suites based on whether AES is supported in\n// hardware.\nclass AesHwCipherScorer : public CipherScorer {\n public:\n explicit AesHwCipherScorer(bool has_aes_hw) : aes_is_fine_(has_aes_hw) {}\n\n virtual ~AesHwCipherScorer() override = default;\n\n Score Evaluate(const SSL_CIPHER *a) const override {\n return\n // Something is always preferable to nothing.\n 1 +\n // Either AES is fine, or else ChaCha20 is preferred.\n ((aes_is_fine_ || a->algorithm_enc == SSL_CHACHA20POLY1305) ? 1 : 0);\n }\n\n private:\n const bool aes_is_fine_;\n};\n\n// CNsaCipherScorer prefers AES-256-GCM over AES-128-GCM over anything else.\nclass CNsaCipherScorer : public CipherScorer {\n public:\n virtual ~CNsaCipherScorer() override = default;\n\n Score Evaluate(const SSL_CIPHER *a) const override {\n if (a->id == TLS1_3_CK_AES_256_GCM_SHA384) {\n return 3;\n } else if (a->id == TLS1_3_CK_AES_128_GCM_SHA256) {\n return 2;\n }\n return 1;\n }\n};\n\n} // namespace\n\nbool ssl_tls13_cipher_meets_policy(uint16_t cipher_id,\n enum ssl_compliance_policy_t policy) {\n switch (policy) {\n case ssl_compliance_policy_none:\n case ssl_compliance_policy_cnsa_202407:\n return true;\n\n case ssl_compliance_policy_fips_202205:\n switch (cipher_id) {\n case TLS1_3_CK_AES_128_GCM_SHA256 & 0xffff:\n case TLS1_3_CK_AES_256_GCM_SHA384 & 0xffff:\n return true;\n case TLS1_3_CK_CHACHA20_POLY1305_SHA256 & 0xffff:\n return false;\n default:\n assert(false);\n return false;\n }\n\n case ssl_compliance_policy_wpa3_192_202304:\n switch (cipher_id) {\n case TLS1_3_CK_AES_256_GCM_SHA384 & 0xffff:\n return true;\n case TLS1_3_CK_AES_128_GCM_SHA256 & 0xffff:\n case TLS1_3_CK_CHACHA20_POLY1305_SHA256 & 0xffff:\n return false;\n default:\n assert(false);\n return false;\n }\n }\n\n assert(false);\n return false;\n}\n\nconst SSL_CIPHER *ssl_choose_tls13_cipher(CBS cipher_suites, bool has_aes_hw,\n uint16_t version,\n enum ssl_compliance_policy_t policy) {\n if (CBS_len(&cipher_suites) % 2 != 0) {\n return nullptr;\n }\n\n const SSL_CIPHER *best = nullptr;\n AesHwCipherScorer aes_hw_scorer(has_aes_hw);\n CNsaCipherScorer cnsa_scorer;\n CipherScorer *const scorer =\n (policy == ssl_compliance_policy_cnsa_202407)\n ? static_cast(&cnsa_scorer)\n : static_cast(&aes_hw_scorer);\n CipherScorer::Score best_score = CipherScorer::kMinScore;\n\n while (CBS_len(&cipher_suites) > 0) {\n uint16_t cipher_suite;\n if (!CBS_get_u16(&cipher_suites, &cipher_suite)) {\n return nullptr;\n }\n\n // Limit to TLS 1.3 ciphers we know about.\n const SSL_CIPHER *candidate = SSL_get_cipher_by_value(cipher_suite);\n if (candidate == nullptr ||\n SSL_CIPHER_get_min_version(candidate) > version ||\n SSL_CIPHER_get_max_version(candidate) < version) {\n continue;\n }\n\n if (!ssl_tls13_cipher_meets_policy(SSL_CIPHER_get_protocol_id(candidate),\n policy)) {\n continue;\n }\n\n const CipherScorer::Score candidate_score = scorer->Evaluate(candidate);\n // |candidate_score| must be larger to displace the current choice. That way\n // the client's order controls between ciphers with an equal score.\n if (candidate_score > best_score) {\n best = candidate;\n best_score = candidate_score;\n }\n }\n\n return best;\n}\n\nBSSL_NAMESPACE_END\n" }, { "path": "Sources/CNIOBoringSSL/ssl/s3_lib.cc", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved.\n * Copyright 2005 Nokia. All rights reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n#include \n\n#include \n#include \n#include \n#include \n#include \n\n#include \"../crypto/internal.h\"\n#include \"internal.h\"\n\n\nBSSL_NAMESPACE_BEGIN\n\nSSL3_STATE::SSL3_STATE()\n : skip_early_data(false),\n v2_hello_done(false),\n is_v2_hello(false),\n has_message(false),\n initial_handshake_complete(false),\n session_reused(false),\n send_connection_binding(false),\n channel_id_valid(false),\n key_update_pending(false),\n early_data_accepted(false),\n alert_dispatch(false),\n renegotiate_pending(false),\n used_hello_retry_request(false),\n was_key_usage_invalid(false) {}\n\nSSL3_STATE::~SSL3_STATE() {}\n\nbool tls_new(SSL *ssl) {\n UniquePtr s3 = MakeUnique();\n if (!s3) {\n return false;\n }\n\n // TODO(crbug.com/368805255): Fields that aren't used in DTLS should not be\n // allocated at all.\n // TODO(crbug.com/371998381): Don't create these in QUIC either, once the\n // placeholder QUIC ones for subsequent epochs are removed.\n if (!SSL_is_dtls(ssl)) {\n s3->aead_read_ctx = SSLAEADContext::CreateNullCipher();\n s3->aead_write_ctx = SSLAEADContext::CreateNullCipher();\n if (!s3->aead_read_ctx || !s3->aead_write_ctx) {\n return false;\n }\n }\n\n s3->hs = ssl_handshake_new(ssl);\n if (!s3->hs) {\n return false;\n }\n\n ssl->s3 = s3.release();\n return true;\n}\n\nvoid tls_free(SSL *ssl) {\n if (ssl->s3 == NULL) {\n return;\n }\n\n Delete(ssl->s3);\n ssl->s3 = NULL;\n}\n\nBSSL_NAMESPACE_END\n" }, { "path": "Sources/CNIOBoringSSL/ssl/s3_pkt.cc", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n#include \n#include \n\n#include \n\n#include \n#include \n#include \n#include \n\n#include \"../crypto/err/internal.h\"\n#include \"../crypto/internal.h\"\n#include \"internal.h\"\n\n\nBSSL_NAMESPACE_BEGIN\n\nstatic int do_tls_write(SSL *ssl, size_t *out_bytes_written, uint8_t type,\n Span in);\n\nint tls_write_app_data(SSL *ssl, bool *out_needs_handshake,\n size_t *out_bytes_written, Span in) {\n assert(ssl_can_write(ssl));\n assert(!ssl->s3->aead_write_ctx->is_null_cipher());\n\n *out_needs_handshake = false;\n\n if (ssl->s3->write_shutdown != ssl_shutdown_none) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_PROTOCOL_IS_SHUTDOWN);\n return -1;\n }\n\n size_t total_bytes_written = ssl->s3->unreported_bytes_written;\n if (in.size() < total_bytes_written) {\n // This can happen if the caller disables |SSL_MODE_ENABLE_PARTIAL_WRITE|,\n // asks us to write some input of length N, we successfully encrypt M bytes\n // and write it, but fail to write the rest. We will report\n // |SSL_ERROR_WANT_WRITE|. If the caller then retries with fewer than M\n // bytes, we cannot satisfy that request. The caller is required to always\n // retry with at least as many bytes as the previous attempt.\n OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_LENGTH);\n return -1;\n }\n\n in = in.subspan(total_bytes_written);\n\n const bool is_early_data_write =\n !ssl->server && SSL_in_early_data(ssl) && ssl->s3->hs->can_early_write;\n for (;;) {\n size_t max_send_fragment = ssl->max_send_fragment;\n if (is_early_data_write) {\n SSL_HANDSHAKE *hs = ssl->s3->hs.get();\n if (hs->early_data_written >= hs->early_session->ticket_max_early_data) {\n ssl->s3->unreported_bytes_written = total_bytes_written;\n hs->can_early_write = false;\n *out_needs_handshake = true;\n return -1;\n }\n max_send_fragment = std::min(\n max_send_fragment, size_t{hs->early_session->ticket_max_early_data -\n hs->early_data_written});\n }\n\n const size_t to_write = std::min(max_send_fragment, in.size());\n size_t bytes_written;\n int ret = do_tls_write(ssl, &bytes_written, SSL3_RT_APPLICATION_DATA,\n in.subspan(0, to_write));\n if (ret <= 0) {\n ssl->s3->unreported_bytes_written = total_bytes_written;\n return ret;\n }\n\n // Note |bytes_written| may be less than |to_write| if there was a pending\n // record from a smaller write attempt.\n assert(bytes_written <= to_write);\n total_bytes_written += bytes_written;\n in = in.subspan(bytes_written);\n if (is_early_data_write) {\n ssl->s3->hs->early_data_written += bytes_written;\n }\n\n if (in.empty() || (ssl->mode & SSL_MODE_ENABLE_PARTIAL_WRITE)) {\n ssl->s3->unreported_bytes_written = 0;\n *out_bytes_written = total_bytes_written;\n return 1;\n }\n }\n}\n\n// tls_seal_align_prefix_len returns the length of the prefix before the start\n// of the bulk of the ciphertext when sealing a record with |ssl|. Callers may\n// use this to align buffers.\n//\n// Note when TLS 1.0 CBC record-splitting is enabled, this includes the one byte\n// record and is the offset into second record's ciphertext. Thus sealing a\n// small record may result in a smaller output than this value.\n//\n// TODO(davidben): Is this alignment valuable? Record-splitting makes this a\n// mess.\nstatic size_t tls_seal_align_prefix_len(const SSL *ssl) {\n size_t ret =\n SSL3_RT_HEADER_LENGTH + ssl->s3->aead_write_ctx->ExplicitNonceLen();\n if (ssl_needs_record_splitting(ssl)) {\n ret += SSL3_RT_HEADER_LENGTH;\n ret += ssl_cipher_get_record_split_len(ssl->s3->aead_write_ctx->cipher());\n }\n return ret;\n}\n\n// do_tls_write writes an SSL record of the given type. On success, it sets\n// |*out_bytes_written| to number of bytes successfully written and returns one.\n// On error, it returns a value <= 0 from the underlying |BIO|.\nstatic int do_tls_write(SSL *ssl, size_t *out_bytes_written, uint8_t type,\n Span in) {\n // If there is a pending write, the retry must be consistent.\n if (!ssl->s3->pending_write.empty() &&\n (ssl->s3->pending_write.size() > in.size() ||\n (!(ssl->mode & SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER) &&\n ssl->s3->pending_write.data() != in.data()) ||\n ssl->s3->pending_write_type != type)) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_WRITE_RETRY);\n return -1;\n }\n\n // Flush any unwritten data to the transport. There may be data to flush even\n // if |wpend_tot| is zero.\n int ret = ssl_write_buffer_flush(ssl);\n if (ret <= 0) {\n return ret;\n }\n\n // If there is a pending write, we just completed it. Report it to the caller.\n if (!ssl->s3->pending_write.empty()) {\n *out_bytes_written = ssl->s3->pending_write.size();\n ssl->s3->pending_write = {};\n return 1;\n }\n\n SSLBuffer *buf = &ssl->s3->write_buffer;\n if (in.size() > SSL3_RT_MAX_PLAIN_LENGTH || buf->size() > 0) {\n OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);\n return -1;\n }\n\n if (!tls_flush_pending_hs_data(ssl)) {\n return -1;\n }\n\n // We may have unflushed handshake data that must be written before |in|. This\n // may be a KeyUpdate acknowledgment, 0-RTT key change messages, or a\n // NewSessionTicket.\n Span pending_flight;\n if (ssl->s3->pending_flight != nullptr) {\n pending_flight =\n Span(reinterpret_cast(ssl->s3->pending_flight->data),\n ssl->s3->pending_flight->length);\n pending_flight = pending_flight.subspan(ssl->s3->pending_flight_offset);\n }\n\n size_t max_out = pending_flight.size();\n if (!in.empty()) {\n const size_t max_ciphertext_len = in.size() + SSL_max_seal_overhead(ssl);\n if (max_ciphertext_len < in.size() ||\n max_out + max_ciphertext_len < max_out) {\n OPENSSL_PUT_ERROR(SSL, ERR_R_OVERFLOW);\n return -1;\n }\n max_out += max_ciphertext_len;\n }\n\n if (max_out == 0) {\n // Nothing to write.\n *out_bytes_written = 0;\n return 1;\n }\n\n if (!buf->EnsureCap(pending_flight.size() + tls_seal_align_prefix_len(ssl),\n max_out)) {\n return -1;\n }\n\n // Copy |pending_flight| to the output.\n if (!pending_flight.empty()) {\n OPENSSL_memcpy(buf->remaining().data(), pending_flight.data(),\n pending_flight.size());\n ssl->s3->pending_flight.reset();\n ssl->s3->pending_flight_offset = 0;\n buf->DidWrite(pending_flight.size());\n }\n\n if (!in.empty()) {\n size_t ciphertext_len;\n if (!tls_seal_record(ssl, buf->remaining().data(), &ciphertext_len,\n buf->remaining().size(), type, in.data(), in.size())) {\n return -1;\n }\n buf->DidWrite(ciphertext_len);\n }\n\n // Now that we've made progress on the connection, uncork KeyUpdate\n // acknowledgments.\n ssl->s3->key_update_pending = false;\n\n // Flush the write buffer.\n ret = ssl_write_buffer_flush(ssl);\n if (ret <= 0) {\n // Track the unfinished write.\n if (!in.empty()) {\n ssl->s3->pending_write = in;\n ssl->s3->pending_write_type = type;\n }\n return ret;\n }\n\n *out_bytes_written = in.size();\n return 1;\n}\n\nssl_open_record_t tls_open_app_data(SSL *ssl, Span *out,\n size_t *out_consumed, uint8_t *out_alert,\n Span in) {\n assert(ssl_can_read(ssl));\n assert(!ssl->s3->aead_read_ctx->is_null_cipher());\n\n uint8_t type;\n Span body;\n auto ret = tls_open_record(ssl, &type, &body, out_consumed, out_alert, in);\n if (ret != ssl_open_record_success) {\n return ret;\n }\n\n const bool is_early_data_read = ssl->server && SSL_in_early_data(ssl);\n\n if (type == SSL3_RT_HANDSHAKE) {\n // Post-handshake data prior to TLS 1.3 is always renegotiation, which we\n // never accept as a server. Otherwise |tls_get_message| will send\n // |SSL_R_EXCESSIVE_MESSAGE_SIZE|.\n if (ssl->server && ssl_protocol_version(ssl) < TLS1_3_VERSION) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_NO_RENEGOTIATION);\n *out_alert = SSL_AD_NO_RENEGOTIATION;\n return ssl_open_record_error;\n }\n\n if (!tls_append_handshake_data(ssl, body)) {\n *out_alert = SSL_AD_INTERNAL_ERROR;\n return ssl_open_record_error;\n }\n return ssl_open_record_discard;\n }\n\n if (type != SSL3_RT_APPLICATION_DATA) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_RECORD);\n *out_alert = SSL_AD_UNEXPECTED_MESSAGE;\n return ssl_open_record_error;\n }\n\n if (is_early_data_read) {\n if (body.size() > kMaxEarlyDataAccepted - ssl->s3->hs->early_data_read) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_TOO_MUCH_READ_EARLY_DATA);\n *out_alert = SSL3_AD_UNEXPECTED_MESSAGE;\n return ssl_open_record_error;\n }\n\n ssl->s3->hs->early_data_read += body.size();\n }\n\n if (body.empty()) {\n return ssl_open_record_discard;\n }\n\n *out = body;\n return ssl_open_record_success;\n}\n\nssl_open_record_t tls_open_change_cipher_spec(SSL *ssl, size_t *out_consumed,\n uint8_t *out_alert,\n Span in) {\n uint8_t type;\n Span body;\n auto ret = tls_open_record(ssl, &type, &body, out_consumed, out_alert, in);\n if (ret != ssl_open_record_success) {\n return ret;\n }\n\n if (type != SSL3_RT_CHANGE_CIPHER_SPEC) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_RECORD);\n *out_alert = SSL_AD_UNEXPECTED_MESSAGE;\n return ssl_open_record_error;\n }\n\n if (body.size() != 1 || body[0] != SSL3_MT_CCS) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_CHANGE_CIPHER_SPEC);\n *out_alert = SSL_AD_ILLEGAL_PARAMETER;\n return ssl_open_record_error;\n }\n\n ssl_do_msg_callback(ssl, 0 /* read */, SSL3_RT_CHANGE_CIPHER_SPEC, body);\n return ssl_open_record_success;\n}\n\nvoid ssl_send_alert(SSL *ssl, int level, int desc) {\n // This function is called in response to a fatal error from the peer. Ignore\n // any failures writing the alert and report only the original error. In\n // particular, if the transport uses |SSL_write|, our existing error will be\n // clobbered so we must save and restore the error queue. See\n // https://crbug.com/959305.\n //\n // TODO(davidben): Return the alert out of the handshake, rather than calling\n // this function internally everywhere.\n //\n // TODO(davidben): This does not allow retrying if the alert hit EAGAIN. See\n // https://crbug.com/boringssl/130.\n UniquePtr err_state(ERR_save_state());\n ssl_send_alert_impl(ssl, level, desc);\n ERR_restore_state(err_state.get());\n}\n\nint ssl_send_alert_impl(SSL *ssl, int level, int desc) {\n // It is illegal to send an alert when we've already sent a closing one.\n if (ssl->s3->write_shutdown != ssl_shutdown_none) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_PROTOCOL_IS_SHUTDOWN);\n return -1;\n }\n\n if (level == SSL3_AL_WARNING && desc == SSL_AD_CLOSE_NOTIFY) {\n ssl->s3->write_shutdown = ssl_shutdown_close_notify;\n } else {\n assert(level == SSL3_AL_FATAL);\n assert(desc != SSL_AD_CLOSE_NOTIFY);\n ssl->s3->write_shutdown = ssl_shutdown_error;\n }\n\n ssl->s3->alert_dispatch = true;\n ssl->s3->send_alert[0] = level;\n ssl->s3->send_alert[1] = desc;\n if (ssl->s3->write_buffer.empty()) {\n // Nothing is being written out, so the alert may be dispatched\n // immediately.\n return ssl->method->dispatch_alert(ssl);\n }\n\n // The alert will be dispatched later.\n return -1;\n}\n\nint tls_dispatch_alert(SSL *ssl) {\n if (SSL_is_quic(ssl)) {\n if (!ssl->quic_method->send_alert(ssl, ssl->s3->quic_write_level,\n ssl->s3->send_alert[1])) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_QUIC_INTERNAL_ERROR);\n return 0;\n }\n } else {\n size_t bytes_written;\n int ret =\n do_tls_write(ssl, &bytes_written, SSL3_RT_ALERT, ssl->s3->send_alert);\n if (ret <= 0) {\n return ret;\n }\n assert(bytes_written == 2);\n }\n\n ssl->s3->alert_dispatch = false;\n\n // If the alert is fatal, flush the BIO now.\n if (ssl->s3->send_alert[0] == SSL3_AL_FATAL) {\n BIO_flush(ssl->wbio.get());\n }\n\n ssl_do_msg_callback(ssl, 1 /* write */, SSL3_RT_ALERT, ssl->s3->send_alert);\n\n int alert = (ssl->s3->send_alert[0] << 8) | ssl->s3->send_alert[1];\n ssl_do_info_callback(ssl, SSL_CB_WRITE_ALERT, alert);\n\n return 1;\n}\n\nBSSL_NAMESPACE_END\n" }, { "path": "Sources/CNIOBoringSSL/ssl/ssl_aead_ctx.cc", "content": "/* Copyright 2015 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n#include \n\n#include \n#include \n\n#include \n#include \n#include \n\n#include \"../crypto/internal.h\"\n#include \"internal.h\"\n\n\n#if defined(BORINGSSL_UNSAFE_FUZZER_MODE)\n#define FUZZER_MODE true\n#else\n#define FUZZER_MODE false\n#endif\n\nBSSL_NAMESPACE_BEGIN\n\nSSLAEADContext::SSLAEADContext(const SSL_CIPHER *cipher_arg)\n : cipher_(cipher_arg),\n variable_nonce_included_in_record_(false),\n random_variable_nonce_(false),\n xor_fixed_nonce_(false),\n omit_length_in_ad_(false),\n ad_is_header_(false) {}\n\nSSLAEADContext::~SSLAEADContext() {}\n\nUniquePtr SSLAEADContext::CreateNullCipher() {\n return MakeUnique(/*cipher=*/nullptr);\n}\n\nUniquePtr SSLAEADContext::Create(\n enum evp_aead_direction_t direction, uint16_t version,\n const SSL_CIPHER *cipher, Span enc_key,\n Span mac_key, Span fixed_iv) {\n const EVP_AEAD *aead;\n uint16_t protocol_version;\n size_t expected_mac_key_len, expected_fixed_iv_len;\n if (!ssl_protocol_version_from_wire(&protocol_version, version) ||\n !ssl_cipher_get_evp_aead(&aead, &expected_mac_key_len,\n &expected_fixed_iv_len, cipher,\n protocol_version) ||\n // Ensure the caller returned correct key sizes.\n expected_fixed_iv_len != fixed_iv.size() ||\n expected_mac_key_len != mac_key.size()) {\n OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);\n return nullptr;\n }\n\n UniquePtr aead_ctx = MakeUnique(cipher);\n if (!aead_ctx) {\n return nullptr;\n }\n\n uint8_t merged_key[EVP_AEAD_MAX_KEY_LENGTH];\n assert(EVP_AEAD_nonce_length(aead) <= EVP_AEAD_MAX_NONCE_LENGTH);\n static_assert(EVP_AEAD_MAX_NONCE_LENGTH < 256,\n \"variable_nonce_len doesn't fit in uint8_t\");\n aead_ctx->variable_nonce_len_ = (uint8_t)EVP_AEAD_nonce_length(aead);\n if (mac_key.empty()) {\n // This is an actual AEAD.\n aead_ctx->fixed_nonce_.CopyFrom(fixed_iv);\n\n if (protocol_version >= TLS1_3_VERSION ||\n cipher->algorithm_enc & SSL_CHACHA20POLY1305) {\n // TLS 1.3, and TLS 1.2 ChaCha20-Poly1305, XOR the fixed IV with the\n // sequence number to form the nonce.\n aead_ctx->xor_fixed_nonce_ = true;\n aead_ctx->variable_nonce_len_ = 8;\n assert(fixed_iv.size() >= aead_ctx->variable_nonce_len_);\n } else {\n // TLS 1.2 AES-GCM prepends the fixed IV to an explicit nonce.\n assert(fixed_iv.size() <= aead_ctx->variable_nonce_len_);\n assert(cipher->algorithm_enc & (SSL_AES128GCM | SSL_AES256GCM));\n aead_ctx->variable_nonce_len_ -= fixed_iv.size();\n aead_ctx->variable_nonce_included_in_record_ = true;\n }\n\n // Starting TLS 1.3, the AAD is the whole record header.\n if (protocol_version >= TLS1_3_VERSION) {\n aead_ctx->ad_is_header_ = true;\n }\n } else {\n // This is a CBC cipher suite that implements the |EVP_AEAD| interface. The\n // |EVP_AEAD| takes the MAC key, encryption key, and fixed IV concatenated\n // as its input key.\n assert(protocol_version < TLS1_3_VERSION);\n BSSL_CHECK(mac_key.size() + enc_key.size() + fixed_iv.size() <=\n sizeof(merged_key));\n OPENSSL_memcpy(merged_key, mac_key.data(), mac_key.size());\n OPENSSL_memcpy(merged_key + mac_key.size(), enc_key.data(), enc_key.size());\n OPENSSL_memcpy(merged_key + mac_key.size() + enc_key.size(),\n fixed_iv.data(), fixed_iv.size());\n enc_key =\n Span(merged_key, enc_key.size() + mac_key.size() + fixed_iv.size());\n\n // The |EVP_AEAD|'s per-encryption nonce, if any, is actually the CBC IV. It\n // must be generated randomly and prepended to the record.\n aead_ctx->variable_nonce_included_in_record_ = true;\n aead_ctx->random_variable_nonce_ = true;\n aead_ctx->omit_length_in_ad_ = true;\n }\n\n if (!EVP_AEAD_CTX_init_with_direction(\n aead_ctx->ctx_.get(), aead, enc_key.data(), enc_key.size(),\n EVP_AEAD_DEFAULT_TAG_LENGTH, direction)) {\n return nullptr;\n }\n\n return aead_ctx;\n}\n\nUniquePtr SSLAEADContext::CreatePlaceholderForQUIC(\n const SSL_CIPHER *cipher) {\n return MakeUnique(cipher);\n}\n\nsize_t SSLAEADContext::ExplicitNonceLen() const {\n if (!FUZZER_MODE && variable_nonce_included_in_record_) {\n return variable_nonce_len_;\n }\n return 0;\n}\n\nbool SSLAEADContext::SuffixLen(size_t *out_suffix_len, const size_t in_len,\n const size_t extra_in_len) const {\n if (is_null_cipher() || FUZZER_MODE) {\n *out_suffix_len = extra_in_len;\n return true;\n }\n return !!EVP_AEAD_CTX_tag_len(ctx_.get(), out_suffix_len, in_len,\n extra_in_len);\n}\n\nbool SSLAEADContext::CiphertextLen(size_t *out_len, const size_t in_len,\n const size_t extra_in_len) const {\n size_t len;\n if (!SuffixLen(&len, in_len, extra_in_len)) {\n return false;\n }\n len += ExplicitNonceLen();\n len += in_len;\n if (len < in_len || len >= 0xffff) {\n OPENSSL_PUT_ERROR(SSL, ERR_R_OVERFLOW);\n return false;\n }\n *out_len = len;\n return true;\n}\n\nsize_t SSLAEADContext::MaxOverhead() const {\n return ExplicitNonceLen() +\n (is_null_cipher() || FUZZER_MODE\n ? 0\n : EVP_AEAD_max_overhead(EVP_AEAD_CTX_aead(ctx_.get())));\n}\n\nsize_t SSLAEADContext::MaxSealInputLen(size_t max_out) const {\n size_t explicit_nonce_len = ExplicitNonceLen();\n if (max_out <= explicit_nonce_len) {\n return 0;\n }\n max_out -= explicit_nonce_len;\n if (is_null_cipher() || FUZZER_MODE) {\n return max_out;\n }\n // TODO(crbug.com/42290602): This should be part of |EVP_AEAD_CTX|.\n size_t overhead = EVP_AEAD_max_overhead(EVP_AEAD_CTX_aead(ctx_.get()));\n if (SSL_CIPHER_is_block_cipher(cipher())) {\n size_t block_size;\n switch (cipher()->algorithm_enc) {\n case SSL_AES128:\n case SSL_AES256:\n block_size = 16;\n break;\n case SSL_3DES:\n block_size = 8;\n break;\n default:\n abort();\n }\n\n // The output for a CBC cipher is always a whole number of blocks. Round the\n // remaining capacity down.\n max_out &= ~(block_size - 1);\n // The maximum overhead is a full block of padding and the MAC, but the\n // minimum overhead is one byte of padding, once we know the output is\n // rounded down.\n assert(overhead > block_size);\n overhead -= block_size - 1;\n }\n return max_out <= overhead ? 0 : max_out - overhead;\n}\n\nSpan SSLAEADContext::GetAdditionalData(\n uint8_t storage[13], uint8_t type, uint16_t record_version, uint64_t seqnum,\n size_t plaintext_len, Span header) {\n if (ad_is_header_) {\n return header;\n }\n\n CRYPTO_store_u64_be(storage, seqnum);\n size_t len = 8;\n storage[len++] = type;\n storage[len++] = static_cast((record_version >> 8));\n storage[len++] = static_cast(record_version);\n if (!omit_length_in_ad_) {\n storage[len++] = static_cast((plaintext_len >> 8));\n storage[len++] = static_cast(plaintext_len);\n }\n return Span(storage, len);\n}\n\nbool SSLAEADContext::Open(Span *out, uint8_t type,\n uint16_t record_version, uint64_t seqnum,\n Span header, Span in) {\n if (is_null_cipher() || FUZZER_MODE) {\n // Handle the initial NULL cipher.\n *out = in;\n return true;\n }\n\n // TLS 1.2 AEADs include the length in the AD and are assumed to have fixed\n // overhead. Otherwise the parameter is unused.\n size_t plaintext_len = 0;\n if (!omit_length_in_ad_) {\n size_t overhead = MaxOverhead();\n if (in.size() < overhead) {\n // Publicly invalid.\n OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_PACKET_LENGTH);\n return false;\n }\n plaintext_len = in.size() - overhead;\n }\n\n uint8_t ad_storage[13];\n Span ad = GetAdditionalData(ad_storage, type, record_version,\n seqnum, plaintext_len, header);\n\n // Assemble the nonce.\n uint8_t nonce[EVP_AEAD_MAX_NONCE_LENGTH];\n size_t nonce_len = 0;\n\n // Prepend the fixed nonce, or left-pad with zeros if XORing.\n if (xor_fixed_nonce_) {\n nonce_len = fixed_nonce_.size() - variable_nonce_len_;\n OPENSSL_memset(nonce, 0, nonce_len);\n } else {\n OPENSSL_memcpy(nonce, fixed_nonce_.data(), fixed_nonce_.size());\n nonce_len += fixed_nonce_.size();\n }\n\n // Add the variable nonce.\n if (variable_nonce_included_in_record_) {\n if (in.size() < variable_nonce_len_) {\n // Publicly invalid.\n OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_PACKET_LENGTH);\n return false;\n }\n OPENSSL_memcpy(nonce + nonce_len, in.data(), variable_nonce_len_);\n in = in.subspan(variable_nonce_len_);\n } else {\n assert(variable_nonce_len_ == 8);\n CRYPTO_store_u64_be(nonce + nonce_len, seqnum);\n }\n nonce_len += variable_nonce_len_;\n\n // XOR the fixed nonce, if necessary.\n if (xor_fixed_nonce_) {\n assert(nonce_len == fixed_nonce_.size());\n for (size_t i = 0; i < fixed_nonce_.size(); i++) {\n nonce[i] ^= fixed_nonce_[i];\n }\n }\n\n // Decrypt in-place.\n size_t len;\n if (!EVP_AEAD_CTX_open(ctx_.get(), in.data(), &len, in.size(), nonce,\n nonce_len, in.data(), in.size(), ad.data(),\n ad.size())) {\n return false;\n }\n *out = in.subspan(0, len);\n return true;\n}\n\nbool SSLAEADContext::SealScatter(uint8_t *out_prefix, uint8_t *out,\n uint8_t *out_suffix, uint8_t type,\n uint16_t record_version, uint64_t seqnum,\n Span header, const uint8_t *in,\n size_t in_len, const uint8_t *extra_in,\n size_t extra_in_len) {\n const size_t prefix_len = ExplicitNonceLen();\n size_t suffix_len;\n if (!SuffixLen(&suffix_len, in_len, extra_in_len)) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_RECORD_TOO_LARGE);\n return false;\n }\n if ((in != out && buffers_alias(in, in_len, out, in_len)) ||\n buffers_alias(in, in_len, out_prefix, prefix_len) ||\n buffers_alias(in, in_len, out_suffix, suffix_len)) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_OUTPUT_ALIASES_INPUT);\n return false;\n }\n\n if (is_null_cipher() || FUZZER_MODE) {\n // Handle the initial NULL cipher.\n OPENSSL_memmove(out, in, in_len);\n OPENSSL_memmove(out_suffix, extra_in, extra_in_len);\n return true;\n }\n\n uint8_t ad_storage[13];\n Span ad = GetAdditionalData(ad_storage, type, record_version,\n seqnum, in_len, header);\n\n // Assemble the nonce.\n uint8_t nonce[EVP_AEAD_MAX_NONCE_LENGTH];\n size_t nonce_len = 0;\n\n // Prepend the fixed nonce, or left-pad with zeros if XORing.\n if (xor_fixed_nonce_) {\n nonce_len = fixed_nonce_.size() - variable_nonce_len_;\n OPENSSL_memset(nonce, 0, nonce_len);\n } else {\n OPENSSL_memcpy(nonce, fixed_nonce_.data(), fixed_nonce_.size());\n nonce_len += fixed_nonce_.size();\n }\n\n // Select the variable nonce.\n if (random_variable_nonce_) {\n assert(variable_nonce_included_in_record_);\n if (!RAND_bytes(nonce + nonce_len, variable_nonce_len_)) {\n return false;\n }\n } else {\n // When sending we use the sequence number as the variable part of the\n // nonce.\n assert(variable_nonce_len_ == 8);\n CRYPTO_store_u64_be(nonce + nonce_len, seqnum);\n }\n nonce_len += variable_nonce_len_;\n\n // Emit the variable nonce if included in the record.\n if (variable_nonce_included_in_record_) {\n assert(!xor_fixed_nonce_);\n if (buffers_alias(in, in_len, out_prefix, variable_nonce_len_)) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_OUTPUT_ALIASES_INPUT);\n return false;\n }\n OPENSSL_memcpy(out_prefix, nonce + fixed_nonce_.size(),\n variable_nonce_len_);\n }\n\n // XOR the fixed nonce, if necessary.\n if (xor_fixed_nonce_) {\n assert(nonce_len == fixed_nonce_.size());\n for (size_t i = 0; i < fixed_nonce_.size(); i++) {\n nonce[i] ^= fixed_nonce_[i];\n }\n }\n\n size_t written_suffix_len;\n bool result = !!EVP_AEAD_CTX_seal_scatter(\n ctx_.get(), out, out_suffix, &written_suffix_len, suffix_len, nonce,\n nonce_len, in, in_len, extra_in, extra_in_len, ad.data(), ad.size());\n assert(!result || written_suffix_len == suffix_len);\n return result;\n}\n\nbool SSLAEADContext::Seal(uint8_t *out, size_t *out_len, size_t max_out_len,\n uint8_t type, uint16_t record_version,\n uint64_t seqnum, Span header,\n const uint8_t *in, size_t in_len) {\n const size_t prefix_len = ExplicitNonceLen();\n size_t suffix_len;\n if (!SuffixLen(&suffix_len, in_len, 0)) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_RECORD_TOO_LARGE);\n return false;\n }\n if (in_len + prefix_len < in_len ||\n in_len + prefix_len + suffix_len < in_len + prefix_len) {\n OPENSSL_PUT_ERROR(CIPHER, SSL_R_RECORD_TOO_LARGE);\n return false;\n }\n if (in_len + prefix_len + suffix_len > max_out_len) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_BUFFER_TOO_SMALL);\n return false;\n }\n\n if (!SealScatter(out, out + prefix_len, out + prefix_len + in_len, type,\n record_version, seqnum, header, in, in_len, 0, 0)) {\n return false;\n }\n *out_len = prefix_len + in_len + suffix_len;\n return true;\n}\n\nbool SSLAEADContext::GetIV(const uint8_t **out_iv, size_t *out_iv_len) const {\n return !is_null_cipher() &&\n EVP_AEAD_CTX_get_iv(ctx_.get(), out_iv, out_iv_len);\n}\n\nBSSL_NAMESPACE_END\n" }, { "path": "Sources/CNIOBoringSSL/ssl/ssl_asn1.cc", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n * Copyright 2005 Nokia. All rights reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n#include \n\n#include \n\n#include \n#include \n#include \n#include \n\n#include \"../crypto/internal.h\"\n#include \"internal.h\"\n\n\nBSSL_NAMESPACE_BEGIN\n\n// An SSL_SESSION is serialized as the following ASN.1 structure:\n//\n// SSLSession ::= SEQUENCE {\n// version INTEGER (1), -- session structure version\n// sslVersion INTEGER, -- protocol version number\n// cipher OCTET STRING, -- two bytes long\n// sessionID OCTET STRING,\n// secret OCTET STRING,\n// time [1] INTEGER, -- seconds since UNIX epoch\n// timeout [2] INTEGER, -- in seconds\n// peer [3] Certificate OPTIONAL,\n// sessionIDContext [4] OCTET STRING OPTIONAL,\n// verifyResult [5] INTEGER OPTIONAL, -- one of X509_V_* codes\n// pskIdentity [8] OCTET STRING OPTIONAL,\n// ticketLifetimeHint [9] INTEGER OPTIONAL, -- client-only\n// ticket [10] OCTET STRING OPTIONAL, -- client-only\n// peerSHA256 [13] OCTET STRING OPTIONAL,\n// originalHandshakeHash [14] OCTET STRING OPTIONAL,\n// signedCertTimestampList [15] OCTET STRING OPTIONAL,\n// -- contents of SCT extension\n// ocspResponse [16] OCTET STRING OPTIONAL,\n// -- stapled OCSP response from the server\n// extendedMasterSecret [17] BOOLEAN OPTIONAL,\n// groupID [18] INTEGER OPTIONAL,\n// certChain [19] SEQUENCE OF Certificate OPTIONAL,\n// ticketAgeAdd [21] OCTET STRING OPTIONAL,\n// isServer [22] BOOLEAN DEFAULT TRUE,\n// peerSignatureAlgorithm [23] INTEGER OPTIONAL,\n// ticketMaxEarlyData [24] INTEGER OPTIONAL,\n// authTimeout [25] INTEGER OPTIONAL, -- defaults to timeout\n// earlyALPN [26] OCTET STRING OPTIONAL,\n// isQuic [27] BOOLEAN OPTIONAL,\n// quicEarlyDataHash [28] OCTET STRING OPTIONAL,\n// localALPS [29] OCTET STRING OPTIONAL,\n// peerALPS [30] OCTET STRING OPTIONAL,\n// -- Either both or none of localALPS and peerALPS must be present. If both\n// -- are present, earlyALPN must be present and non-empty.\n// }\n//\n// Note: historically this serialization has included other optional\n// fields. Their presence is currently treated as a parse error, except for\n// hostName, which is ignored.\n//\n// keyArg [0] IMPLICIT OCTET STRING OPTIONAL,\n// hostName [6] OCTET STRING OPTIONAL,\n// pskIdentityHint [7] OCTET STRING OPTIONAL,\n// compressionMethod [11] OCTET STRING OPTIONAL,\n// srpUsername [12] OCTET STRING OPTIONAL,\n// ticketFlags [20] INTEGER OPTIONAL,\n\nstatic const unsigned kVersion = 1;\n\nstatic const CBS_ASN1_TAG kTimeTag =\n CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 1;\nstatic const CBS_ASN1_TAG kTimeoutTag =\n CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 2;\nstatic const CBS_ASN1_TAG kPeerTag =\n CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 3;\nstatic const CBS_ASN1_TAG kSessionIDContextTag =\n CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 4;\nstatic const CBS_ASN1_TAG kVerifyResultTag =\n CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 5;\nstatic const CBS_ASN1_TAG kHostNameTag =\n CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 6;\nstatic const CBS_ASN1_TAG kPSKIdentityTag =\n CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 8;\nstatic const CBS_ASN1_TAG kTicketLifetimeHintTag =\n CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 9;\nstatic const CBS_ASN1_TAG kTicketTag =\n CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 10;\nstatic const CBS_ASN1_TAG kPeerSHA256Tag =\n CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 13;\nstatic const CBS_ASN1_TAG kOriginalHandshakeHashTag =\n CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 14;\nstatic const CBS_ASN1_TAG kSignedCertTimestampListTag =\n CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 15;\nstatic const CBS_ASN1_TAG kOCSPResponseTag =\n CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 16;\nstatic const CBS_ASN1_TAG kExtendedMasterSecretTag =\n CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 17;\nstatic const CBS_ASN1_TAG kGroupIDTag =\n CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 18;\nstatic const CBS_ASN1_TAG kCertChainTag =\n CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 19;\nstatic const CBS_ASN1_TAG kTicketAgeAddTag =\n CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 21;\nstatic const CBS_ASN1_TAG kIsServerTag =\n CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 22;\nstatic const CBS_ASN1_TAG kPeerSignatureAlgorithmTag =\n CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 23;\nstatic const CBS_ASN1_TAG kTicketMaxEarlyDataTag =\n CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 24;\nstatic const CBS_ASN1_TAG kAuthTimeoutTag =\n CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 25;\nstatic const CBS_ASN1_TAG kEarlyALPNTag =\n CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 26;\nstatic const CBS_ASN1_TAG kIsQuicTag =\n CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 27;\nstatic const CBS_ASN1_TAG kQuicEarlyDataContextTag =\n CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 28;\nstatic const CBS_ASN1_TAG kLocalALPSTag =\n CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 29;\nstatic const CBS_ASN1_TAG kPeerALPSTag =\n CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 30;\n\nstatic int SSL_SESSION_to_bytes_full(const SSL_SESSION *in, CBB *cbb,\n int for_ticket) {\n if (in == NULL || in->cipher == NULL) {\n return 0;\n }\n\n CBB session, child, child2;\n if (!CBB_add_asn1(cbb, &session, CBS_ASN1_SEQUENCE) ||\n !CBB_add_asn1_uint64(&session, kVersion) ||\n !CBB_add_asn1_uint64(&session, in->ssl_version) ||\n !CBB_add_asn1(&session, &child, CBS_ASN1_OCTETSTRING) ||\n !CBB_add_u16(&child, (uint16_t)(in->cipher->id & 0xffff)) ||\n // The session ID is irrelevant for a session ticket.\n !CBB_add_asn1_octet_string(&session, in->session_id.data(),\n for_ticket ? 0 : in->session_id.size()) ||\n !CBB_add_asn1_octet_string(&session, in->secret.data(),\n in->secret.size()) ||\n !CBB_add_asn1(&session, &child, kTimeTag) ||\n !CBB_add_asn1_uint64(&child, in->time) ||\n !CBB_add_asn1(&session, &child, kTimeoutTag) ||\n !CBB_add_asn1_uint64(&child, in->timeout)) {\n return 0;\n }\n\n // The peer certificate is only serialized if the SHA-256 isn't\n // serialized instead.\n if (sk_CRYPTO_BUFFER_num(in->certs.get()) > 0 && !in->peer_sha256_valid) {\n const CRYPTO_BUFFER *buffer = sk_CRYPTO_BUFFER_value(in->certs.get(), 0);\n if (!CBB_add_asn1(&session, &child, kPeerTag) ||\n !CBB_add_bytes(&child, CRYPTO_BUFFER_data(buffer),\n CRYPTO_BUFFER_len(buffer))) {\n return 0;\n }\n }\n\n // Although it is OPTIONAL and usually empty, OpenSSL has\n // historically always encoded the sid_ctx.\n if (!CBB_add_asn1(&session, &child, kSessionIDContextTag) ||\n !CBB_add_asn1_octet_string(&child, in->sid_ctx.data(),\n in->sid_ctx.size())) {\n return 0;\n }\n\n if (in->verify_result != X509_V_OK) {\n if (!CBB_add_asn1(&session, &child, kVerifyResultTag) ||\n !CBB_add_asn1_uint64(&child, in->verify_result)) {\n return 0;\n }\n }\n\n if (in->psk_identity) {\n if (!CBB_add_asn1(&session, &child, kPSKIdentityTag) ||\n !CBB_add_asn1_octet_string(&child,\n (const uint8_t *)in->psk_identity.get(),\n strlen(in->psk_identity.get()))) {\n return 0;\n }\n }\n\n if (in->ticket_lifetime_hint > 0) {\n if (!CBB_add_asn1(&session, &child, kTicketLifetimeHintTag) ||\n !CBB_add_asn1_uint64(&child, in->ticket_lifetime_hint)) {\n return 0;\n }\n }\n\n if (!in->ticket.empty() && !for_ticket) {\n if (!CBB_add_asn1(&session, &child, kTicketTag) ||\n !CBB_add_asn1_octet_string(&child, in->ticket.data(),\n in->ticket.size())) {\n return 0;\n }\n }\n\n if (in->peer_sha256_valid) {\n if (!CBB_add_asn1(&session, &child, kPeerSHA256Tag) ||\n !CBB_add_asn1_octet_string(&child, in->peer_sha256,\n sizeof(in->peer_sha256))) {\n return 0;\n }\n }\n\n if (!in->original_handshake_hash.empty()) {\n if (!CBB_add_asn1(&session, &child, kOriginalHandshakeHashTag) ||\n !CBB_add_asn1_octet_string(&child, in->original_handshake_hash.data(),\n in->original_handshake_hash.size())) {\n return 0;\n }\n }\n\n if (in->signed_cert_timestamp_list != nullptr) {\n if (!CBB_add_asn1(&session, &child, kSignedCertTimestampListTag) ||\n !CBB_add_asn1_octet_string(\n &child, CRYPTO_BUFFER_data(in->signed_cert_timestamp_list.get()),\n CRYPTO_BUFFER_len(in->signed_cert_timestamp_list.get()))) {\n return 0;\n }\n }\n\n if (in->ocsp_response != nullptr) {\n if (!CBB_add_asn1(&session, &child, kOCSPResponseTag) ||\n !CBB_add_asn1_octet_string(\n &child, CRYPTO_BUFFER_data(in->ocsp_response.get()),\n CRYPTO_BUFFER_len(in->ocsp_response.get()))) {\n return 0;\n }\n }\n\n if (in->extended_master_secret) {\n if (!CBB_add_asn1(&session, &child, kExtendedMasterSecretTag) ||\n !CBB_add_asn1_bool(&child, true)) {\n return 0;\n }\n }\n\n if (in->group_id > 0 && //\n (!CBB_add_asn1(&session, &child, kGroupIDTag) || //\n !CBB_add_asn1_uint64(&child, in->group_id))) {\n return 0;\n }\n\n // The certificate chain is only serialized if the leaf's SHA-256 isn't\n // serialized instead.\n if (in->certs != NULL && //\n !in->peer_sha256_valid && //\n sk_CRYPTO_BUFFER_num(in->certs.get()) >= 2) {\n if (!CBB_add_asn1(&session, &child, kCertChainTag)) {\n return 0;\n }\n for (size_t i = 1; i < sk_CRYPTO_BUFFER_num(in->certs.get()); i++) {\n const CRYPTO_BUFFER *buffer = sk_CRYPTO_BUFFER_value(in->certs.get(), i);\n if (!CBB_add_bytes(&child, CRYPTO_BUFFER_data(buffer),\n CRYPTO_BUFFER_len(buffer))) {\n return 0;\n }\n }\n }\n\n if (in->ticket_age_add_valid) {\n if (!CBB_add_asn1(&session, &child, kTicketAgeAddTag) ||\n !CBB_add_asn1(&child, &child2, CBS_ASN1_OCTETSTRING) ||\n !CBB_add_u32(&child2, in->ticket_age_add)) {\n return 0;\n }\n }\n\n if (!in->is_server) {\n if (!CBB_add_asn1(&session, &child, kIsServerTag) ||\n !CBB_add_asn1_bool(&child, false)) {\n return 0;\n }\n }\n\n if (in->peer_signature_algorithm != 0 &&\n (!CBB_add_asn1(&session, &child, kPeerSignatureAlgorithmTag) ||\n !CBB_add_asn1_uint64(&child, in->peer_signature_algorithm))) {\n return 0;\n }\n\n if (in->ticket_max_early_data != 0 &&\n (!CBB_add_asn1(&session, &child, kTicketMaxEarlyDataTag) ||\n !CBB_add_asn1_uint64(&child, in->ticket_max_early_data))) {\n return 0;\n }\n\n if (in->timeout != in->auth_timeout &&\n (!CBB_add_asn1(&session, &child, kAuthTimeoutTag) ||\n !CBB_add_asn1_uint64(&child, in->auth_timeout))) {\n return 0;\n }\n\n if (!in->early_alpn.empty()) {\n if (!CBB_add_asn1(&session, &child, kEarlyALPNTag) ||\n !CBB_add_asn1_octet_string(&child, in->early_alpn.data(),\n in->early_alpn.size())) {\n return 0;\n }\n }\n\n if (in->is_quic) {\n if (!CBB_add_asn1(&session, &child, kIsQuicTag) ||\n !CBB_add_asn1_bool(&child, true)) {\n return 0;\n }\n }\n\n if (!in->quic_early_data_context.empty()) {\n if (!CBB_add_asn1(&session, &child, kQuicEarlyDataContextTag) ||\n !CBB_add_asn1_octet_string(&child, in->quic_early_data_context.data(),\n in->quic_early_data_context.size())) {\n return 0;\n }\n }\n\n if (in->has_application_settings) {\n if (!CBB_add_asn1(&session, &child, kLocalALPSTag) ||\n !CBB_add_asn1_octet_string(&child,\n in->local_application_settings.data(),\n in->local_application_settings.size()) ||\n !CBB_add_asn1(&session, &child, kPeerALPSTag) ||\n !CBB_add_asn1_octet_string(&child, in->peer_application_settings.data(),\n in->peer_application_settings.size())) {\n return 0;\n }\n }\n\n return CBB_flush(cbb);\n}\n\n// SSL_SESSION_parse_string gets an optional ASN.1 OCTET STRING explicitly\n// tagged with |tag| from |cbs| and saves it in |*out|. If the element was not\n// found, it sets |*out| to NULL. It returns one on success, whether or not the\n// element was found, and zero on decode error.\nstatic int SSL_SESSION_parse_string(CBS *cbs, UniquePtr *out,\n CBS_ASN1_TAG tag) {\n CBS value;\n int present;\n if (!CBS_get_optional_asn1_octet_string(cbs, &value, &present, tag)) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION);\n return 0;\n }\n if (present) {\n if (CBS_contains_zero_byte(&value)) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION);\n return 0;\n }\n char *raw = nullptr;\n if (!CBS_strdup(&value, &raw)) {\n return 0;\n }\n out->reset(raw);\n } else {\n out->reset();\n }\n return 1;\n}\n\n// SSL_SESSION_parse_octet_string gets an optional ASN.1 OCTET STRING explicitly\n// tagged with |tag| from |cbs| and stows it in |*out|. It returns one on\n// success, whether or not the element was found, and zero on decode error.\nstatic bool SSL_SESSION_parse_octet_string(CBS *cbs, Array *out,\n CBS_ASN1_TAG tag) {\n CBS value;\n if (!CBS_get_optional_asn1_octet_string(cbs, &value, NULL, tag)) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION);\n return false;\n }\n return out->CopyFrom(value);\n}\n\nstatic int SSL_SESSION_parse_crypto_buffer(CBS *cbs,\n UniquePtr *out,\n CBS_ASN1_TAG tag,\n CRYPTO_BUFFER_POOL *pool) {\n if (!CBS_peek_asn1_tag(cbs, tag)) {\n return 1;\n }\n\n CBS child, value;\n if (!CBS_get_asn1(cbs, &child, tag) ||\n !CBS_get_asn1(&child, &value, CBS_ASN1_OCTETSTRING) ||\n CBS_len(&child) != 0) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION);\n return 0;\n }\n out->reset(CRYPTO_BUFFER_new_from_CBS(&value, pool));\n if (*out == nullptr) {\n return 0;\n }\n return 1;\n}\n\nstatic int SSL_SESSION_parse_long(CBS *cbs, long *out, CBS_ASN1_TAG tag,\n long default_value) {\n uint64_t value;\n if (!CBS_get_optional_asn1_uint64(cbs, &value, tag,\n (uint64_t)default_value) ||\n value > LONG_MAX) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION);\n return 0;\n }\n *out = (long)value;\n return 1;\n}\n\nstatic int SSL_SESSION_parse_u32(CBS *cbs, uint32_t *out, CBS_ASN1_TAG tag,\n uint32_t default_value) {\n uint64_t value;\n if (!CBS_get_optional_asn1_uint64(cbs, &value, tag,\n (uint64_t)default_value) ||\n value > 0xffffffff) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION);\n return 0;\n }\n *out = (uint32_t)value;\n return 1;\n}\n\nstatic int SSL_SESSION_parse_u16(CBS *cbs, uint16_t *out, CBS_ASN1_TAG tag,\n uint16_t default_value) {\n uint64_t value;\n if (!CBS_get_optional_asn1_uint64(cbs, &value, tag,\n (uint64_t)default_value) ||\n value > 0xffff) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION);\n return 0;\n }\n *out = (uint16_t)value;\n return 1;\n}\n\nUniquePtr SSL_SESSION_parse(CBS *cbs,\n const SSL_X509_METHOD *x509_method,\n CRYPTO_BUFFER_POOL *pool) {\n UniquePtr ret = ssl_session_new(x509_method);\n if (!ret) {\n return nullptr;\n }\n\n CBS session;\n uint64_t version, ssl_version;\n uint16_t unused;\n if (!CBS_get_asn1(cbs, &session, CBS_ASN1_SEQUENCE) || //\n !CBS_get_asn1_uint64(&session, &version) || //\n version != kVersion || //\n !CBS_get_asn1_uint64(&session, &ssl_version) || //\n // Require sessions have versions valid in either TLS or DTLS. The session\n // will not be used by the handshake if not applicable, but, for\n // simplicity, never parse a session that does not pass\n // |ssl_protocol_version_from_wire|.\n ssl_version > UINT16_MAX || //\n !ssl_protocol_version_from_wire(&unused, ssl_version)) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION);\n return nullptr;\n }\n ret->ssl_version = ssl_version;\n\n CBS cipher;\n uint16_t cipher_value;\n if (!CBS_get_asn1(&session, &cipher, CBS_ASN1_OCTETSTRING) || //\n !CBS_get_u16(&cipher, &cipher_value) || //\n CBS_len(&cipher) != 0) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION);\n return nullptr;\n }\n ret->cipher = SSL_get_cipher_by_value(cipher_value);\n if (ret->cipher == NULL) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_UNSUPPORTED_CIPHER);\n return nullptr;\n }\n\n CBS session_id, secret, child;\n uint64_t timeout;\n if (!CBS_get_asn1(&session, &session_id, CBS_ASN1_OCTETSTRING) ||\n !ret->session_id.TryCopyFrom(session_id) ||\n !CBS_get_asn1(&session, &secret, CBS_ASN1_OCTETSTRING) ||\n !ret->secret.TryCopyFrom(secret) ||\n !CBS_get_asn1(&session, &child, kTimeTag) ||\n !CBS_get_asn1_uint64(&child, &ret->time) ||\n !CBS_get_asn1(&session, &child, kTimeoutTag) ||\n !CBS_get_asn1_uint64(&child, &timeout) || //\n timeout > UINT32_MAX) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION);\n return nullptr;\n }\n\n ret->timeout = (uint32_t)timeout;\n\n CBS peer;\n int has_peer;\n if (!CBS_get_optional_asn1(&session, &peer, &has_peer, kPeerTag) ||\n (has_peer && CBS_len(&peer) == 0)) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION);\n return nullptr;\n }\n // |peer| is processed with the certificate chain.\n\n CBS sid_ctx;\n if (!CBS_get_optional_asn1_octet_string(\n &session, &sid_ctx, /*out_present=*/nullptr, kSessionIDContextTag) ||\n !ret->sid_ctx.TryCopyFrom(sid_ctx) ||\n !SSL_SESSION_parse_long(&session, &ret->verify_result, kVerifyResultTag,\n X509_V_OK)) {\n return nullptr;\n }\n\n // Skip the historical hostName field.\n CBS unused_hostname;\n if (!CBS_get_optional_asn1(&session, &unused_hostname, nullptr,\n kHostNameTag)) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION);\n return nullptr;\n }\n\n if (!SSL_SESSION_parse_string(&session, &ret->psk_identity,\n kPSKIdentityTag) ||\n !SSL_SESSION_parse_u32(&session, &ret->ticket_lifetime_hint,\n kTicketLifetimeHintTag, 0) ||\n !SSL_SESSION_parse_octet_string(&session, &ret->ticket, kTicketTag)) {\n return nullptr;\n }\n\n if (CBS_peek_asn1_tag(&session, kPeerSHA256Tag)) {\n CBS peer_sha256;\n if (!CBS_get_asn1(&session, &child, kPeerSHA256Tag) ||\n !CBS_get_asn1(&child, &peer_sha256, CBS_ASN1_OCTETSTRING) ||\n CBS_len(&peer_sha256) != sizeof(ret->peer_sha256) ||\n CBS_len(&child) != 0) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION);\n return nullptr;\n }\n OPENSSL_memcpy(ret->peer_sha256, CBS_data(&peer_sha256),\n sizeof(ret->peer_sha256));\n ret->peer_sha256_valid = true;\n } else {\n ret->peer_sha256_valid = false;\n }\n\n CBS original_handshake_hash;\n if (!CBS_get_optional_asn1_octet_string(&session, &original_handshake_hash,\n /*out_present=*/nullptr,\n kOriginalHandshakeHashTag) ||\n !ret->original_handshake_hash.TryCopyFrom(original_handshake_hash) ||\n !SSL_SESSION_parse_crypto_buffer(&session,\n &ret->signed_cert_timestamp_list,\n kSignedCertTimestampListTag, pool) ||\n !SSL_SESSION_parse_crypto_buffer(&session, &ret->ocsp_response,\n kOCSPResponseTag, pool)) {\n return nullptr;\n }\n\n int extended_master_secret;\n if (!CBS_get_optional_asn1_bool(&session, &extended_master_secret,\n kExtendedMasterSecretTag,\n 0 /* default to false */)) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION);\n return nullptr;\n }\n ret->extended_master_secret = !!extended_master_secret;\n\n if (!SSL_SESSION_parse_u16(&session, &ret->group_id, kGroupIDTag, 0)) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION);\n return nullptr;\n }\n\n CBS cert_chain;\n CBS_init(&cert_chain, NULL, 0);\n int has_cert_chain;\n if (!CBS_get_optional_asn1(&session, &cert_chain, &has_cert_chain,\n kCertChainTag) ||\n (has_cert_chain && CBS_len(&cert_chain) == 0)) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION);\n return nullptr;\n }\n if (has_cert_chain && !has_peer) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION);\n return nullptr;\n }\n if (has_peer || has_cert_chain) {\n ret->certs.reset(sk_CRYPTO_BUFFER_new_null());\n if (ret->certs == nullptr) {\n return nullptr;\n }\n\n if (has_peer) {\n UniquePtr buffer(CRYPTO_BUFFER_new_from_CBS(&peer, pool));\n if (!buffer || //\n !PushToStack(ret->certs.get(), std::move(buffer))) {\n return nullptr;\n }\n }\n\n while (CBS_len(&cert_chain) > 0) {\n CBS cert;\n if (!CBS_get_any_asn1_element(&cert_chain, &cert, NULL, NULL) ||\n CBS_len(&cert) == 0) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION);\n return nullptr;\n }\n\n UniquePtr buffer(CRYPTO_BUFFER_new_from_CBS(&cert, pool));\n if (buffer == nullptr ||\n !PushToStack(ret->certs.get(), std::move(buffer))) {\n return nullptr;\n }\n }\n }\n\n CBS age_add;\n int age_add_present;\n if (!CBS_get_optional_asn1_octet_string(&session, &age_add, &age_add_present,\n kTicketAgeAddTag) ||\n (age_add_present && //\n !CBS_get_u32(&age_add, &ret->ticket_age_add)) || //\n CBS_len(&age_add) != 0) {\n return nullptr;\n }\n ret->ticket_age_add_valid = age_add_present != 0;\n\n int is_server;\n if (!CBS_get_optional_asn1_bool(&session, &is_server, kIsServerTag,\n 1 /* default to true */)) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION);\n return nullptr;\n }\n /* TODO: in time we can include |is_server| for servers too, then we can\n enforce that client and server sessions are never mixed up. */\n\n ret->is_server = is_server;\n\n int is_quic;\n if (!SSL_SESSION_parse_u16(&session, &ret->peer_signature_algorithm,\n kPeerSignatureAlgorithmTag, 0) ||\n !SSL_SESSION_parse_u32(&session, &ret->ticket_max_early_data,\n kTicketMaxEarlyDataTag, 0) ||\n !SSL_SESSION_parse_u32(&session, &ret->auth_timeout, kAuthTimeoutTag,\n ret->timeout) ||\n !SSL_SESSION_parse_octet_string(&session, &ret->early_alpn,\n kEarlyALPNTag) ||\n !CBS_get_optional_asn1_bool(&session, &is_quic, kIsQuicTag,\n /*default_value=*/false) ||\n !SSL_SESSION_parse_octet_string(&session, &ret->quic_early_data_context,\n kQuicEarlyDataContextTag)) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION);\n return nullptr;\n }\n\n CBS settings;\n int has_local_alps, has_peer_alps;\n if (!CBS_get_optional_asn1_octet_string(&session, &settings, &has_local_alps,\n kLocalALPSTag) ||\n !ret->local_application_settings.CopyFrom(settings) ||\n !CBS_get_optional_asn1_octet_string(&session, &settings, &has_peer_alps,\n kPeerALPSTag) ||\n !ret->peer_application_settings.CopyFrom(settings) ||\n CBS_len(&session) != 0) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION);\n return nullptr;\n }\n ret->is_quic = is_quic;\n\n // The two ALPS values and ALPN must be consistent.\n if (has_local_alps != has_peer_alps ||\n (has_local_alps && ret->early_alpn.empty())) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION);\n return nullptr;\n }\n ret->has_application_settings = has_local_alps;\n\n if (!x509_method->session_cache_objects(ret.get())) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION);\n return nullptr;\n }\n\n return ret;\n}\n\nbool ssl_session_serialize(const SSL_SESSION *in, CBB *cbb) {\n return SSL_SESSION_to_bytes_full(in, cbb, 0);\n}\n\nBSSL_NAMESPACE_END\n\nusing namespace bssl;\n\nint SSL_SESSION_to_bytes(const SSL_SESSION *in, uint8_t **out_data,\n size_t *out_len) {\n if (in->not_resumable) {\n // If the caller has an unresumable session, e.g. if |SSL_get_session| were\n // called on a TLS 1.3 or False Started connection, serialize with a\n // placeholder value so it is not accidentally deserialized into a resumable\n // one.\n static const char kNotResumableSession[] = \"NOT RESUMABLE\";\n\n *out_len = strlen(kNotResumableSession);\n *out_data = (uint8_t *)OPENSSL_memdup(kNotResumableSession, *out_len);\n if (*out_data == NULL) {\n return 0;\n }\n\n return 1;\n }\n\n ScopedCBB cbb;\n if (!CBB_init(cbb.get(), 256) ||\n !SSL_SESSION_to_bytes_full(in, cbb.get(), 0) ||\n !CBB_finish(cbb.get(), out_data, out_len)) {\n return 0;\n }\n\n return 1;\n}\n\nint SSL_SESSION_to_bytes_for_ticket(const SSL_SESSION *in, uint8_t **out_data,\n size_t *out_len) {\n ScopedCBB cbb;\n if (!CBB_init(cbb.get(), 256) ||\n !SSL_SESSION_to_bytes_full(in, cbb.get(), 1) ||\n !CBB_finish(cbb.get(), out_data, out_len)) {\n return 0;\n }\n\n return 1;\n}\n\nint i2d_SSL_SESSION(SSL_SESSION *in, uint8_t **pp) {\n uint8_t *out;\n size_t len;\n\n if (!SSL_SESSION_to_bytes(in, &out, &len)) {\n return -1;\n }\n\n if (len > INT_MAX) {\n OPENSSL_free(out);\n OPENSSL_PUT_ERROR(SSL, ERR_R_OVERFLOW);\n return -1;\n }\n\n if (pp) {\n OPENSSL_memcpy(*pp, out, len);\n *pp += len;\n }\n OPENSSL_free(out);\n\n return len;\n}\n\nSSL_SESSION *SSL_SESSION_from_bytes(const uint8_t *in, size_t in_len,\n const SSL_CTX *ctx) {\n CBS cbs;\n CBS_init(&cbs, in, in_len);\n UniquePtr ret =\n SSL_SESSION_parse(&cbs, ctx->x509_method, ctx->pool);\n if (!ret) {\n return NULL;\n }\n if (CBS_len(&cbs) != 0) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION);\n return NULL;\n }\n return ret.release();\n}\n" }, { "path": "Sources/CNIOBoringSSL/ssl/ssl_buffer.cc", "content": "/* Copyright 2015 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n#include \n\n#include \n#include \n#include \n#include \n\n#include \n#include \n#include \n\n#include \"../crypto/internal.h\"\n#include \"internal.h\"\n\n\nBSSL_NAMESPACE_BEGIN\n\n// BIO uses int instead of size_t. No lengths will exceed uint16_t, so this will\n// not overflow.\nstatic_assert(0xffff <= INT_MAX, \"uint16_t does not fit in int\");\n\nstatic_assert((SSL3_ALIGN_PAYLOAD & (SSL3_ALIGN_PAYLOAD - 1)) == 0,\n \"SSL3_ALIGN_PAYLOAD must be a power of 2\");\n\nvoid SSLBuffer::Clear() {\n if (buf_ != inline_buf_) {\n free(buf_); // Allocated with malloc().\n }\n buf_ = nullptr;\n offset_ = 0;\n size_ = 0;\n cap_ = 0;\n}\n\nbool SSLBuffer::EnsureCap(size_t header_len, size_t new_cap) {\n if (new_cap > 0xffff) {\n OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);\n return false;\n }\n\n if (cap_ >= new_cap) {\n return true;\n }\n\n uint8_t *new_buf;\n size_t new_offset;\n if (new_cap <= sizeof(inline_buf_)) {\n // This function is called twice per TLS record, first for the five-byte\n // header. To avoid allocating twice, use an inline buffer for short inputs.\n new_buf = inline_buf_;\n new_offset = 0;\n } else {\n // Add up to |SSL3_ALIGN_PAYLOAD| - 1 bytes of slack for alignment.\n //\n // Since this buffer gets allocated quite frequently and doesn't contain any\n // sensitive data, we allocate with malloc rather than |OPENSSL_malloc| and\n // avoid zeroing on free.\n new_buf = (uint8_t *)malloc(new_cap + SSL3_ALIGN_PAYLOAD - 1);\n if (new_buf == NULL) {\n OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);\n return false;\n }\n\n // Offset the buffer such that the record body is aligned.\n new_offset =\n (0 - header_len - (uintptr_t)new_buf) & (SSL3_ALIGN_PAYLOAD - 1);\n }\n\n // Note if the both old and new buffer are inline, the source and destination\n // may alias.\n OPENSSL_memmove(new_buf + new_offset, buf_ + offset_, size_);\n\n if (buf_ != inline_buf_) {\n free(buf_); // Allocated with malloc().\n }\n\n buf_ = new_buf;\n offset_ = new_offset;\n cap_ = new_cap;\n return true;\n}\n\nvoid SSLBuffer::DidWrite(size_t new_size) {\n if (new_size > cap() - size()) {\n abort();\n }\n size_ += new_size;\n}\n\nvoid SSLBuffer::Consume(size_t len) {\n if (len > size_) {\n abort();\n }\n offset_ += (uint16_t)len;\n size_ -= (uint16_t)len;\n cap_ -= (uint16_t)len;\n}\n\nvoid SSLBuffer::DiscardConsumed() {\n if (size_ == 0) {\n Clear();\n }\n}\n\nstatic int dtls_read_buffer_next_packet(SSL *ssl) {\n SSLBuffer *buf = &ssl->s3->read_buffer;\n\n if (!buf->empty()) {\n // It is an error to call |dtls_read_buffer_extend| when the read buffer is\n // not empty.\n OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);\n return -1;\n }\n\n // Read a single packet from |ssl->rbio|. |buf->cap()| must fit in an int.\n int ret =\n BIO_read(ssl->rbio.get(), buf->data(), static_cast(buf->cap()));\n if (ret <= 0) {\n ssl->s3->rwstate = SSL_ERROR_WANT_READ;\n return ret;\n }\n buf->DidWrite(static_cast(ret));\n return 1;\n}\n\nstatic int tls_read_buffer_extend_to(SSL *ssl, size_t len) {\n SSLBuffer *buf = &ssl->s3->read_buffer;\n\n if (len > buf->cap()) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_BUFFER_TOO_SMALL);\n return -1;\n }\n\n // Read until the target length is reached.\n while (buf->size() < len) {\n // The amount of data to read is bounded by |buf->cap|, which must fit in an\n // int.\n int ret = BIO_read(ssl->rbio.get(), buf->data() + buf->size(),\n static_cast(len - buf->size()));\n if (ret <= 0) {\n ssl->s3->rwstate = SSL_ERROR_WANT_READ;\n return ret;\n }\n buf->DidWrite(static_cast(ret));\n }\n\n return 1;\n}\n\nint ssl_read_buffer_extend_to(SSL *ssl, size_t len) {\n // |ssl_read_buffer_extend_to| implicitly discards any consumed data.\n ssl->s3->read_buffer.DiscardConsumed();\n\n if (SSL_is_dtls(ssl)) {\n static_assert(\n DTLS1_RT_MAX_HEADER_LENGTH + SSL3_RT_MAX_ENCRYPTED_LENGTH <= 0xffff,\n \"DTLS read buffer is too large\");\n\n // The |len| parameter is ignored in DTLS.\n len = DTLS1_RT_MAX_HEADER_LENGTH + SSL3_RT_MAX_ENCRYPTED_LENGTH;\n }\n\n // The DTLS record header can have a variable length, so the |header_len|\n // value provided for buffer alignment only works if the header is the maximum\n // length.\n if (!ssl->s3->read_buffer.EnsureCap(DTLS1_RT_MAX_HEADER_LENGTH, len)) {\n return -1;\n }\n\n if (ssl->rbio == nullptr) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_BIO_NOT_SET);\n return -1;\n }\n\n int ret;\n if (SSL_is_dtls(ssl)) {\n // |len| is ignored for a datagram transport.\n ret = dtls_read_buffer_next_packet(ssl);\n } else {\n ret = tls_read_buffer_extend_to(ssl, len);\n }\n\n if (ret <= 0) {\n // If the buffer was empty originally and remained empty after attempting to\n // extend it, release the buffer until the next attempt.\n ssl->s3->read_buffer.DiscardConsumed();\n }\n return ret;\n}\n\nint ssl_handle_open_record(SSL *ssl, bool *out_retry, ssl_open_record_t ret,\n size_t consumed, uint8_t alert) {\n *out_retry = false;\n if (ret != ssl_open_record_partial) {\n ssl->s3->read_buffer.Consume(consumed);\n }\n if (ret != ssl_open_record_success) {\n // Nothing was returned to the caller, so discard anything marked consumed.\n ssl->s3->read_buffer.DiscardConsumed();\n }\n switch (ret) {\n case ssl_open_record_success:\n return 1;\n\n case ssl_open_record_partial: {\n int read_ret = ssl_read_buffer_extend_to(ssl, consumed);\n if (read_ret <= 0) {\n return read_ret;\n }\n *out_retry = true;\n return 1;\n }\n\n case ssl_open_record_discard:\n *out_retry = true;\n return 1;\n\n case ssl_open_record_close_notify:\n ssl->s3->rwstate = SSL_ERROR_ZERO_RETURN;\n return 0;\n\n case ssl_open_record_error:\n if (alert != 0) {\n ssl_send_alert(ssl, SSL3_AL_FATAL, alert);\n }\n return -1;\n }\n assert(0);\n return -1;\n}\n\n\nstatic_assert(SSL3_RT_HEADER_LENGTH * 2 +\n SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD * 2 +\n SSL3_RT_MAX_PLAIN_LENGTH <=\n 0xffff,\n \"maximum TLS write buffer is too large\");\n\nstatic_assert(DTLS1_RT_MAX_HEADER_LENGTH + SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD +\n SSL3_RT_MAX_PLAIN_LENGTH <=\n 0xffff,\n \"maximum DTLS write buffer is too large\");\n\nstatic int tls_write_buffer_flush(SSL *ssl) {\n SSLBuffer *buf = &ssl->s3->write_buffer;\n\n while (!buf->empty()) {\n int ret = BIO_write(ssl->wbio.get(), buf->data(), buf->size());\n if (ret <= 0) {\n ssl->s3->rwstate = SSL_ERROR_WANT_WRITE;\n return ret;\n }\n buf->Consume(static_cast(ret));\n }\n buf->Clear();\n return 1;\n}\n\nstatic int dtls_write_buffer_flush(SSL *ssl) {\n SSLBuffer *buf = &ssl->s3->write_buffer;\n if (buf->empty()) {\n return 1;\n }\n\n int ret = BIO_write(ssl->wbio.get(), buf->data(), buf->size());\n if (ret <= 0) {\n ssl->s3->rwstate = SSL_ERROR_WANT_WRITE;\n // If the write failed, drop the write buffer anyway. Datagram transports\n // can't write half a packet, so the caller is expected to retry from the\n // top.\n buf->Clear();\n return ret;\n }\n buf->Clear();\n return 1;\n}\n\nint ssl_write_buffer_flush(SSL *ssl) {\n if (ssl->wbio == nullptr) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_BIO_NOT_SET);\n return -1;\n }\n\n if (SSL_is_dtls(ssl)) {\n return dtls_write_buffer_flush(ssl);\n } else {\n return tls_write_buffer_flush(ssl);\n }\n}\n\nBSSL_NAMESPACE_END\n" }, { "path": "Sources/CNIOBoringSSL/ssl/ssl_cert.cc", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n#include \n#include \n\n#include \n\n#include \n#include \n#include \n#include \n#include \n#include \n#include \n\n#include \"../crypto/internal.h\"\n#include \"internal.h\"\n\n\nBSSL_NAMESPACE_BEGIN\n\nCERT::CERT(const SSL_X509_METHOD *x509_method_arg)\n : legacy_credential(MakeUnique(SSLCredentialType::kX509)),\n x509_method(x509_method_arg) {}\n\nCERT::~CERT() { x509_method->cert_free(this); }\n\nUniquePtr ssl_cert_dup(CERT *cert) {\n UniquePtr ret = MakeUnique(cert->x509_method);\n if (!ret) {\n return nullptr;\n }\n\n // TODO(crbug.com/boringssl/431): This should just be |CopyFrom|.\n for (const auto &cred : cert->credentials) {\n if (!ret->credentials.Push(UpRef(cred))) {\n return nullptr;\n }\n }\n\n // |legacy_credential| is mutable, so it must be copied. We cannot simply\n // bump the reference count.\n ret->legacy_credential = cert->legacy_credential->Dup();\n if (ret->legacy_credential == nullptr) {\n return nullptr;\n }\n\n ret->cert_cb = cert->cert_cb;\n ret->cert_cb_arg = cert->cert_cb_arg;\n\n ret->x509_method->cert_dup(ret.get(), cert);\n\n ret->sid_ctx = cert->sid_ctx;\n return ret;\n}\n\nstatic void ssl_cert_set_cert_cb(CERT *cert, int (*cb)(SSL *ssl, void *arg),\n void *arg) {\n cert->cert_cb = cb;\n cert->cert_cb_arg = arg;\n}\n\nstatic int cert_set_chain_and_key(\n CERT *cert, CRYPTO_BUFFER *const *certs, size_t num_certs,\n EVP_PKEY *privkey, const SSL_PRIVATE_KEY_METHOD *privkey_method) {\n if (num_certs == 0 || //\n (privkey == NULL && privkey_method == NULL)) {\n OPENSSL_PUT_ERROR(SSL, ERR_R_PASSED_NULL_PARAMETER);\n return 0;\n }\n\n if (privkey != NULL && privkey_method != NULL) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_CANNOT_HAVE_BOTH_PRIVKEY_AND_METHOD);\n return 0;\n }\n\n cert->legacy_credential->ClearCertAndKey();\n if (!SSL_CREDENTIAL_set1_cert_chain(cert->legacy_credential.get(), certs,\n num_certs)) {\n return 0;\n }\n\n cert->x509_method->cert_flush_cached_leaf(cert);\n cert->x509_method->cert_flush_cached_chain(cert);\n\n return privkey != nullptr\n ? SSL_CREDENTIAL_set1_private_key(cert->legacy_credential.get(),\n privkey)\n : SSL_CREDENTIAL_set_private_key_method(\n cert->legacy_credential.get(), privkey_method);\n}\n\nbool ssl_set_cert(CERT *cert, UniquePtr buffer) {\n // Don't fail for a cert/key mismatch, just free the current private key.\n // (When switching to a different keypair, the caller should switch the\n // certificate, then the key.)\n if (!cert->legacy_credential->SetLeafCert(std::move(buffer),\n /*discard_key_on_mismatch=*/true)) {\n return false;\n }\n\n cert->x509_method->cert_flush_cached_leaf(cert);\n return true;\n}\n\nbool ssl_parse_cert_chain(uint8_t *out_alert,\n UniquePtr *out_chain,\n UniquePtr *out_pubkey,\n uint8_t *out_leaf_sha256, CBS *cbs,\n CRYPTO_BUFFER_POOL *pool) {\n out_chain->reset();\n out_pubkey->reset();\n\n CBS certificate_list;\n if (!CBS_get_u24_length_prefixed(cbs, &certificate_list)) {\n *out_alert = SSL_AD_DECODE_ERROR;\n OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);\n return false;\n }\n\n if (CBS_len(&certificate_list) == 0) {\n return true;\n }\n\n UniquePtr chain(sk_CRYPTO_BUFFER_new_null());\n if (!chain) {\n *out_alert = SSL_AD_INTERNAL_ERROR;\n return false;\n }\n\n UniquePtr pubkey;\n while (CBS_len(&certificate_list) > 0) {\n CBS certificate;\n if (!CBS_get_u24_length_prefixed(&certificate_list, &certificate) ||\n CBS_len(&certificate) == 0) {\n *out_alert = SSL_AD_DECODE_ERROR;\n OPENSSL_PUT_ERROR(SSL, SSL_R_CERT_LENGTH_MISMATCH);\n return false;\n }\n\n if (sk_CRYPTO_BUFFER_num(chain.get()) == 0) {\n pubkey = ssl_cert_parse_pubkey(&certificate);\n if (!pubkey) {\n *out_alert = SSL_AD_DECODE_ERROR;\n return false;\n }\n\n // Retain the hash of the leaf certificate if requested.\n if (out_leaf_sha256 != NULL) {\n SHA256(CBS_data(&certificate), CBS_len(&certificate), out_leaf_sha256);\n }\n }\n\n UniquePtr buf(\n CRYPTO_BUFFER_new_from_CBS(&certificate, pool));\n if (!buf || //\n !PushToStack(chain.get(), std::move(buf))) {\n *out_alert = SSL_AD_INTERNAL_ERROR;\n return false;\n }\n }\n\n *out_chain = std::move(chain);\n *out_pubkey = std::move(pubkey);\n return true;\n}\n\n// ssl_cert_skip_to_spki parses a DER-encoded, X.509 certificate from |in| and\n// positions |*out_tbs_cert| to cover the TBSCertificate, starting at the\n// subjectPublicKeyInfo.\nstatic bool ssl_cert_skip_to_spki(const CBS *in, CBS *out_tbs_cert) {\n /* From RFC 5280, section 4.1\n * Certificate ::= SEQUENCE {\n * tbsCertificate TBSCertificate,\n * signatureAlgorithm AlgorithmIdentifier,\n * signatureValue BIT STRING }\n\n * TBSCertificate ::= SEQUENCE {\n * version [0] EXPLICIT Version DEFAULT v1,\n * serialNumber CertificateSerialNumber,\n * signature AlgorithmIdentifier,\n * issuer Name,\n * validity Validity,\n * subject Name,\n * subjectPublicKeyInfo SubjectPublicKeyInfo,\n * ... } */\n CBS buf = *in;\n\n CBS toplevel;\n if (!CBS_get_asn1(&buf, &toplevel, CBS_ASN1_SEQUENCE) || //\n CBS_len(&buf) != 0 || //\n !CBS_get_asn1(&toplevel, out_tbs_cert, CBS_ASN1_SEQUENCE) || //\n // version\n !CBS_get_optional_asn1(\n out_tbs_cert, NULL, NULL,\n CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 0) || //\n\n // serialNumber\n !CBS_get_asn1(out_tbs_cert, NULL, CBS_ASN1_INTEGER) ||\n // signature algorithm\n !CBS_get_asn1(out_tbs_cert, NULL, CBS_ASN1_SEQUENCE) ||\n // issuer\n !CBS_get_asn1(out_tbs_cert, NULL, CBS_ASN1_SEQUENCE) ||\n // validity\n !CBS_get_asn1(out_tbs_cert, NULL, CBS_ASN1_SEQUENCE) ||\n // subject\n !CBS_get_asn1(out_tbs_cert, NULL, CBS_ASN1_SEQUENCE)) {\n return false;\n }\n\n return true;\n}\n\nbool ssl_cert_extract_issuer(const CBS *in, CBS *out_dn) {\n CBS buf = *in;\n\n CBS toplevel;\n CBS cert;\n if (!CBS_get_asn1(&buf, &toplevel, CBS_ASN1_SEQUENCE) || //\n CBS_len(&buf) != 0 || //\n !CBS_get_asn1(&toplevel, &cert, CBS_ASN1_SEQUENCE) || //\n // version\n !CBS_get_optional_asn1(\n &cert, NULL, NULL,\n CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 0) || //\n // serialNumber\n !CBS_get_asn1(&cert, NULL, CBS_ASN1_INTEGER) || //\n // signature algorithm\n !CBS_get_asn1(&cert, NULL, CBS_ASN1_SEQUENCE) || //\n // issuer\n !CBS_get_asn1_element(&cert, out_dn, CBS_ASN1_SEQUENCE)) {\n return false;\n }\n return true;\n}\n\nbool ssl_cert_matches_issuer(const CBS *in, const CBS *dn) {\n CBS issuer;\n\n if (!ssl_cert_extract_issuer(in, &issuer)) {\n return false;\n }\n return CBS_mem_equal(&issuer, CBS_data(dn), CBS_len(dn));\n}\n\nUniquePtr ssl_cert_parse_pubkey(const CBS *in) {\n CBS buf = *in, tbs_cert;\n if (!ssl_cert_skip_to_spki(&buf, &tbs_cert)) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_CANNOT_PARSE_LEAF_CERT);\n return nullptr;\n }\n\n return UniquePtr(EVP_parse_public_key(&tbs_cert));\n}\n\nbool ssl_compare_public_and_private_key(const EVP_PKEY *pubkey,\n const EVP_PKEY *privkey) {\n if (EVP_PKEY_is_opaque(privkey)) {\n // We cannot check an opaque private key and have to trust that it\n // matches.\n return true;\n }\n\n switch (EVP_PKEY_cmp(pubkey, privkey)) {\n case 1:\n return true;\n case 0:\n OPENSSL_PUT_ERROR(X509, X509_R_KEY_VALUES_MISMATCH);\n return false;\n case -1:\n OPENSSL_PUT_ERROR(X509, X509_R_KEY_TYPE_MISMATCH);\n return false;\n case -2:\n OPENSSL_PUT_ERROR(X509, X509_R_UNKNOWN_KEY_TYPE);\n return false;\n }\n\n assert(0);\n return false;\n}\n\nbool ssl_cert_check_key_usage(const CBS *in, enum ssl_key_usage_t bit) {\n CBS buf = *in;\n\n CBS tbs_cert, outer_extensions;\n int has_extensions;\n if (!ssl_cert_skip_to_spki(&buf, &tbs_cert) ||\n // subjectPublicKeyInfo\n !CBS_get_asn1(&tbs_cert, NULL, CBS_ASN1_SEQUENCE) ||\n // issuerUniqueID\n !CBS_get_optional_asn1(&tbs_cert, NULL, NULL,\n CBS_ASN1_CONTEXT_SPECIFIC | 1) ||\n // subjectUniqueID\n !CBS_get_optional_asn1(&tbs_cert, NULL, NULL,\n CBS_ASN1_CONTEXT_SPECIFIC | 2) ||\n !CBS_get_optional_asn1(\n &tbs_cert, &outer_extensions, &has_extensions,\n CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 3)) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_CANNOT_PARSE_LEAF_CERT);\n return false;\n }\n\n if (!has_extensions) {\n return true;\n }\n\n CBS extensions;\n if (!CBS_get_asn1(&outer_extensions, &extensions, CBS_ASN1_SEQUENCE)) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_CANNOT_PARSE_LEAF_CERT);\n return false;\n }\n\n while (CBS_len(&extensions) > 0) {\n CBS extension, oid, contents;\n if (!CBS_get_asn1(&extensions, &extension, CBS_ASN1_SEQUENCE) ||\n !CBS_get_asn1(&extension, &oid, CBS_ASN1_OBJECT) ||\n (CBS_peek_asn1_tag(&extension, CBS_ASN1_BOOLEAN) &&\n !CBS_get_asn1(&extension, NULL, CBS_ASN1_BOOLEAN)) ||\n !CBS_get_asn1(&extension, &contents, CBS_ASN1_OCTETSTRING) ||\n CBS_len(&extension) != 0) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_CANNOT_PARSE_LEAF_CERT);\n return false;\n }\n\n static const uint8_t kKeyUsageOID[3] = {0x55, 0x1d, 0x0f};\n if (CBS_len(&oid) != sizeof(kKeyUsageOID) ||\n OPENSSL_memcmp(CBS_data(&oid), kKeyUsageOID, sizeof(kKeyUsageOID)) !=\n 0) {\n continue;\n }\n\n CBS bit_string;\n if (!CBS_get_asn1(&contents, &bit_string, CBS_ASN1_BITSTRING) ||\n CBS_len(&contents) != 0) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_CANNOT_PARSE_LEAF_CERT);\n return false;\n }\n\n // This is the KeyUsage extension. See\n // https://tools.ietf.org/html/rfc5280#section-4.2.1.3\n if (!CBS_is_valid_asn1_bitstring(&bit_string)) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_CANNOT_PARSE_LEAF_CERT);\n return false;\n }\n\n if (!CBS_asn1_bitstring_has_bit(&bit_string, bit)) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_KEY_USAGE_BIT_INCORRECT);\n return false;\n }\n\n return true;\n }\n\n // No KeyUsage extension found.\n return true;\n}\n\nUniquePtr SSL_parse_CA_list(SSL *ssl,\n uint8_t *out_alert,\n CBS *cbs) {\n CRYPTO_BUFFER_POOL *const pool = ssl->ctx->pool;\n\n UniquePtr ret(sk_CRYPTO_BUFFER_new_null());\n if (!ret) {\n *out_alert = SSL_AD_INTERNAL_ERROR;\n return nullptr;\n }\n\n CBS child;\n if (!CBS_get_u16_length_prefixed(cbs, &child)) {\n *out_alert = SSL_AD_DECODE_ERROR;\n OPENSSL_PUT_ERROR(SSL, SSL_R_LENGTH_MISMATCH);\n return nullptr;\n }\n\n while (CBS_len(&child) > 0) {\n CBS distinguished_name;\n if (!CBS_get_u16_length_prefixed(&child, &distinguished_name)) {\n *out_alert = SSL_AD_DECODE_ERROR;\n OPENSSL_PUT_ERROR(SSL, SSL_R_CA_DN_TOO_LONG);\n return nullptr;\n }\n\n UniquePtr buffer(\n CRYPTO_BUFFER_new_from_CBS(&distinguished_name, pool));\n if (!buffer || //\n !PushToStack(ret.get(), std::move(buffer))) {\n *out_alert = SSL_AD_INTERNAL_ERROR;\n return nullptr;\n }\n }\n\n if (!ssl->ctx->x509_method->check_CA_list(ret.get())) {\n *out_alert = SSL_AD_DECODE_ERROR;\n OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);\n return nullptr;\n }\n\n return ret;\n}\n\nstatic bool CA_names_non_empty(const STACK_OF(CRYPTO_BUFFER) *config_names,\n const STACK_OF(CRYPTO_BUFFER) *ctx_names) {\n if (config_names != nullptr) {\n return sk_CRYPTO_BUFFER_num(config_names) > 0;\n }\n if (ctx_names != nullptr) {\n return sk_CRYPTO_BUFFER_num(ctx_names) > 0;\n }\n return false;\n}\n\n\nstatic bool marshal_CA_names(const STACK_OF(CRYPTO_BUFFER) *config_names,\n const STACK_OF(CRYPTO_BUFFER) *ctx_names,\n CBB *cbb) {\n const STACK_OF(CRYPTO_BUFFER) *names =\n config_names == nullptr ? ctx_names : config_names;\n CBB child, name_cbb;\n\n if (!CBB_add_u16_length_prefixed(cbb, &child)) {\n return false;\n }\n\n if (names == nullptr) {\n return CBB_flush(cbb);\n }\n\n for (const CRYPTO_BUFFER *name : names) {\n if (!CBB_add_u16_length_prefixed(&child, &name_cbb) ||\n !CBB_add_bytes(&name_cbb, CRYPTO_BUFFER_data(name),\n CRYPTO_BUFFER_len(name))) {\n return false;\n }\n }\n\n return CBB_flush(cbb);\n}\n\nbool ssl_has_client_CAs(const SSL_CONFIG *cfg) {\n return CA_names_non_empty(cfg->client_CA.get(),\n cfg->ssl->ctx->client_CA.get());\n}\n\nbool ssl_has_CA_names(const SSL_CONFIG *cfg) {\n return CA_names_non_empty(cfg->CA_names.get(), cfg->ssl->ctx->CA_names.get());\n}\n\nbool ssl_add_client_CA_list(const SSL_HANDSHAKE *hs, CBB *cbb) {\n return marshal_CA_names(hs->config->client_CA.get(),\n hs->ssl->ctx->client_CA.get(), cbb);\n}\n\nbool ssl_add_CA_names(const SSL_HANDSHAKE *hs, CBB *cbb) {\n return marshal_CA_names(hs->config->CA_names.get(),\n hs->ssl->ctx->CA_names.get(), cbb);\n}\n\nbool ssl_check_leaf_certificate(SSL_HANDSHAKE *hs, EVP_PKEY *pkey,\n const CRYPTO_BUFFER *leaf) {\n assert(ssl_protocol_version(hs->ssl) < TLS1_3_VERSION);\n\n // Check the certificate's type matches the cipher. This does not check key\n // usage restrictions, which are handled separately.\n //\n // TODO(davidben): Put the key type and key usage checks in one place.\n if (!(hs->new_cipher->algorithm_auth &\n ssl_cipher_auth_mask_for_key(pkey, /*sign_ok=*/true))) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CERTIFICATE_TYPE);\n return false;\n }\n\n if (EVP_PKEY_id(pkey) == EVP_PKEY_EC) {\n // Check the key's group and point format are acceptable.\n EC_KEY *ec_key = EVP_PKEY_get0_EC_KEY(pkey);\n uint16_t group_id;\n if (!ssl_nid_to_group_id(\n &group_id, EC_GROUP_get_curve_name(EC_KEY_get0_group(ec_key))) ||\n !tls1_check_group_id(hs, group_id) ||\n EC_KEY_get_conv_form(ec_key) != POINT_CONVERSION_UNCOMPRESSED) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_ECC_CERT);\n return false;\n }\n }\n\n return true;\n}\n\nBSSL_NAMESPACE_END\n\nusing namespace bssl;\n\nint SSL_set_chain_and_key(SSL *ssl, CRYPTO_BUFFER *const *certs,\n size_t num_certs, EVP_PKEY *privkey,\n const SSL_PRIVATE_KEY_METHOD *privkey_method) {\n if (!ssl->config) {\n return 0;\n }\n return cert_set_chain_and_key(ssl->config->cert.get(), certs, num_certs,\n privkey, privkey_method);\n}\n\nint SSL_CTX_set_chain_and_key(SSL_CTX *ctx, CRYPTO_BUFFER *const *certs,\n size_t num_certs, EVP_PKEY *privkey,\n const SSL_PRIVATE_KEY_METHOD *privkey_method) {\n return cert_set_chain_and_key(ctx->cert.get(), certs, num_certs, privkey,\n privkey_method);\n}\n\nvoid SSL_certs_clear(SSL *ssl) {\n if (!ssl->config) {\n return;\n }\n\n CERT *cert = ssl->config->cert.get();\n cert->x509_method->cert_clear(cert);\n cert->credentials.clear();\n cert->legacy_credential->ClearCertAndKey();\n}\n\nconst STACK_OF(CRYPTO_BUFFER) *SSL_CTX_get0_chain(const SSL_CTX *ctx) {\n return ctx->cert->legacy_credential->chain.get();\n}\n\nconst STACK_OF(CRYPTO_BUFFER) *SSL_get0_chain(const SSL *ssl) {\n if (!ssl->config) {\n return nullptr;\n }\n return ssl->config->cert->legacy_credential->chain.get();\n}\n\nint SSL_CTX_use_certificate_ASN1(SSL_CTX *ctx, size_t der_len,\n const uint8_t *der) {\n UniquePtr buffer(CRYPTO_BUFFER_new(der, der_len, NULL));\n if (!buffer) {\n return 0;\n }\n\n return ssl_set_cert(ctx->cert.get(), std::move(buffer));\n}\n\nint SSL_use_certificate_ASN1(SSL *ssl, const uint8_t *der, size_t der_len) {\n UniquePtr buffer(CRYPTO_BUFFER_new(der, der_len, NULL));\n if (!buffer || !ssl->config) {\n return 0;\n }\n\n return ssl_set_cert(ssl->config->cert.get(), std::move(buffer));\n}\n\nvoid SSL_CTX_set_cert_cb(SSL_CTX *ctx, int (*cb)(SSL *ssl, void *arg),\n void *arg) {\n ssl_cert_set_cert_cb(ctx->cert.get(), cb, arg);\n}\n\nvoid SSL_set_cert_cb(SSL *ssl, int (*cb)(SSL *ssl, void *arg), void *arg) {\n if (!ssl->config) {\n return;\n }\n ssl_cert_set_cert_cb(ssl->config->cert.get(), cb, arg);\n}\n\nconst STACK_OF(CRYPTO_BUFFER) *SSL_get0_peer_certificates(const SSL *ssl) {\n SSL_SESSION *session = SSL_get_session(ssl);\n if (session == NULL) {\n return NULL;\n }\n\n return session->certs.get();\n}\n\nconst STACK_OF(CRYPTO_BUFFER) *SSL_get0_server_requested_CAs(const SSL *ssl) {\n if (ssl->s3->hs == NULL) {\n return NULL;\n }\n return ssl->s3->hs->ca_names.get();\n}\n\nint SSL_CTX_set_signed_cert_timestamp_list(SSL_CTX *ctx, const uint8_t *list,\n size_t list_len) {\n UniquePtr buf(CRYPTO_BUFFER_new(list, list_len, nullptr));\n return buf != nullptr && SSL_CREDENTIAL_set1_signed_cert_timestamp_list(\n ctx->cert->legacy_credential.get(), buf.get());\n}\n\nint SSL_set_signed_cert_timestamp_list(SSL *ssl, const uint8_t *list,\n size_t list_len) {\n if (!ssl->config) {\n return 0;\n }\n UniquePtr buf(CRYPTO_BUFFER_new(list, list_len, nullptr));\n return buf != nullptr &&\n SSL_CREDENTIAL_set1_signed_cert_timestamp_list(\n ssl->config->cert->legacy_credential.get(), buf.get());\n}\n\nint SSL_CTX_set_ocsp_response(SSL_CTX *ctx, const uint8_t *response,\n size_t response_len) {\n UniquePtr buf(\n CRYPTO_BUFFER_new(response, response_len, nullptr));\n return buf != nullptr && SSL_CREDENTIAL_set1_ocsp_response(\n ctx->cert->legacy_credential.get(), buf.get());\n}\n\nint SSL_set_ocsp_response(SSL *ssl, const uint8_t *response,\n size_t response_len) {\n if (!ssl->config) {\n return 0;\n }\n UniquePtr buf(\n CRYPTO_BUFFER_new(response, response_len, nullptr));\n return buf != nullptr &&\n SSL_CREDENTIAL_set1_ocsp_response(\n ssl->config->cert->legacy_credential.get(), buf.get());\n}\n\nvoid SSL_CTX_set0_client_CAs(SSL_CTX *ctx, STACK_OF(CRYPTO_BUFFER) *name_list) {\n ctx->x509_method->ssl_ctx_flush_cached_client_CA(ctx);\n ctx->client_CA.reset(name_list);\n}\n\nvoid SSL_set0_client_CAs(SSL *ssl, STACK_OF(CRYPTO_BUFFER) *name_list) {\n if (!ssl->config) {\n return;\n }\n ssl->ctx->x509_method->ssl_flush_cached_client_CA(ssl->config.get());\n ssl->config->client_CA.reset(name_list);\n}\n\nvoid SSL_set0_CA_names(SSL *ssl, STACK_OF(CRYPTO_BUFFER) *name_list) {\n if (!ssl->config) {\n return;\n }\n ssl->config->CA_names.reset(name_list);\n}\n" }, { "path": "Sources/CNIOBoringSSL/ssl/ssl_cipher.cc", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved.\n * Copyright 2005 Nokia. All rights reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n#include \n\n#include \n#include \n#include \n#include \n#include \n\n#include \"../crypto/internal.h\"\n#include \"internal.h\"\n\n\nBSSL_NAMESPACE_BEGIN\n\nstatic constexpr SSL_CIPHER kCiphers[] = {\n // The RSA ciphers\n\n // Cipher 0A\n {\n SSL3_TXT_RSA_DES_192_CBC3_SHA,\n \"TLS_RSA_WITH_3DES_EDE_CBC_SHA\",\n SSL3_CK_RSA_DES_192_CBC3_SHA,\n SSL_kRSA,\n SSL_aRSA_DECRYPT,\n SSL_3DES,\n SSL_SHA1,\n SSL_HANDSHAKE_MAC_DEFAULT,\n },\n\n\n // New AES ciphersuites\n\n // Cipher 2F\n {\n TLS1_TXT_RSA_WITH_AES_128_SHA,\n \"TLS_RSA_WITH_AES_128_CBC_SHA\",\n TLS1_CK_RSA_WITH_AES_128_SHA,\n SSL_kRSA,\n SSL_aRSA_DECRYPT,\n SSL_AES128,\n SSL_SHA1,\n SSL_HANDSHAKE_MAC_DEFAULT,\n },\n\n // Cipher 35\n {\n TLS1_TXT_RSA_WITH_AES_256_SHA,\n \"TLS_RSA_WITH_AES_256_CBC_SHA\",\n TLS1_CK_RSA_WITH_AES_256_SHA,\n SSL_kRSA,\n SSL_aRSA_DECRYPT,\n SSL_AES256,\n SSL_SHA1,\n SSL_HANDSHAKE_MAC_DEFAULT,\n },\n\n // PSK cipher suites.\n\n // Cipher 8C\n {\n TLS1_TXT_PSK_WITH_AES_128_CBC_SHA,\n \"TLS_PSK_WITH_AES_128_CBC_SHA\",\n TLS1_CK_PSK_WITH_AES_128_CBC_SHA,\n SSL_kPSK,\n SSL_aPSK,\n SSL_AES128,\n SSL_SHA1,\n SSL_HANDSHAKE_MAC_DEFAULT,\n },\n\n // Cipher 8D\n {\n TLS1_TXT_PSK_WITH_AES_256_CBC_SHA,\n \"TLS_PSK_WITH_AES_256_CBC_SHA\",\n TLS1_CK_PSK_WITH_AES_256_CBC_SHA,\n SSL_kPSK,\n SSL_aPSK,\n SSL_AES256,\n SSL_SHA1,\n SSL_HANDSHAKE_MAC_DEFAULT,\n },\n\n // GCM ciphersuites from RFC 5288\n\n // Cipher 9C\n {\n TLS1_TXT_RSA_WITH_AES_128_GCM_SHA256,\n \"TLS_RSA_WITH_AES_128_GCM_SHA256\",\n TLS1_CK_RSA_WITH_AES_128_GCM_SHA256,\n SSL_kRSA,\n SSL_aRSA_DECRYPT,\n SSL_AES128GCM,\n SSL_AEAD,\n SSL_HANDSHAKE_MAC_SHA256,\n },\n\n // Cipher 9D\n {\n TLS1_TXT_RSA_WITH_AES_256_GCM_SHA384,\n \"TLS_RSA_WITH_AES_256_GCM_SHA384\",\n TLS1_CK_RSA_WITH_AES_256_GCM_SHA384,\n SSL_kRSA,\n SSL_aRSA_DECRYPT,\n SSL_AES256GCM,\n SSL_AEAD,\n SSL_HANDSHAKE_MAC_SHA384,\n },\n\n // TLS 1.3 suites.\n\n // Cipher 1301\n {\n TLS1_3_RFC_AES_128_GCM_SHA256,\n \"TLS_AES_128_GCM_SHA256\",\n TLS1_3_CK_AES_128_GCM_SHA256,\n SSL_kGENERIC,\n SSL_aGENERIC,\n SSL_AES128GCM,\n SSL_AEAD,\n SSL_HANDSHAKE_MAC_SHA256,\n },\n\n // Cipher 1302\n {\n TLS1_3_RFC_AES_256_GCM_SHA384,\n \"TLS_AES_256_GCM_SHA384\",\n TLS1_3_CK_AES_256_GCM_SHA384,\n SSL_kGENERIC,\n SSL_aGENERIC,\n SSL_AES256GCM,\n SSL_AEAD,\n SSL_HANDSHAKE_MAC_SHA384,\n },\n\n // Cipher 1303\n {\n TLS1_3_RFC_CHACHA20_POLY1305_SHA256,\n \"TLS_CHACHA20_POLY1305_SHA256\",\n TLS1_3_CK_CHACHA20_POLY1305_SHA256,\n SSL_kGENERIC,\n SSL_aGENERIC,\n SSL_CHACHA20POLY1305,\n SSL_AEAD,\n SSL_HANDSHAKE_MAC_SHA256,\n },\n\n // Cipher C009\n {\n TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,\n \"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA\",\n TLS1_CK_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,\n SSL_kECDHE,\n SSL_aECDSA,\n SSL_AES128,\n SSL_SHA1,\n SSL_HANDSHAKE_MAC_DEFAULT,\n },\n\n // Cipher C00A\n {\n TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,\n \"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA\",\n TLS1_CK_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,\n SSL_kECDHE,\n SSL_aECDSA,\n SSL_AES256,\n SSL_SHA1,\n SSL_HANDSHAKE_MAC_DEFAULT,\n },\n\n // Cipher C013\n {\n TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA,\n \"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA\",\n TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA,\n SSL_kECDHE,\n SSL_aRSA_SIGN,\n SSL_AES128,\n SSL_SHA1,\n SSL_HANDSHAKE_MAC_DEFAULT,\n },\n\n // Cipher C014\n {\n TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA,\n \"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA\",\n TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA,\n SSL_kECDHE,\n SSL_aRSA_SIGN,\n SSL_AES256,\n SSL_SHA1,\n SSL_HANDSHAKE_MAC_DEFAULT,\n },\n\n // Cipher C027\n {\n TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA256,\n \"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256\",\n TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA256,\n SSL_kECDHE,\n SSL_aRSA_SIGN,\n SSL_AES128,\n SSL_SHA256,\n SSL_HANDSHAKE_MAC_SHA256,\n },\n\n // GCM based TLS v1.2 ciphersuites from RFC 5289\n\n // Cipher C02B\n {\n TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,\n \"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256\",\n TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,\n SSL_kECDHE,\n SSL_aECDSA,\n SSL_AES128GCM,\n SSL_AEAD,\n SSL_HANDSHAKE_MAC_SHA256,\n },\n\n // Cipher C02C\n {\n TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,\n \"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384\",\n TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,\n SSL_kECDHE,\n SSL_aECDSA,\n SSL_AES256GCM,\n SSL_AEAD,\n SSL_HANDSHAKE_MAC_SHA384,\n },\n\n // Cipher C02F\n {\n TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256,\n \"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256\",\n TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256,\n SSL_kECDHE,\n SSL_aRSA_SIGN,\n SSL_AES128GCM,\n SSL_AEAD,\n SSL_HANDSHAKE_MAC_SHA256,\n },\n\n // Cipher C030\n {\n TLS1_TXT_ECDHE_RSA_WITH_AES_256_GCM_SHA384,\n \"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384\",\n TLS1_CK_ECDHE_RSA_WITH_AES_256_GCM_SHA384,\n SSL_kECDHE,\n SSL_aRSA_SIGN,\n SSL_AES256GCM,\n SSL_AEAD,\n SSL_HANDSHAKE_MAC_SHA384,\n },\n\n // ECDHE-PSK cipher suites.\n\n // Cipher C035\n {\n TLS1_TXT_ECDHE_PSK_WITH_AES_128_CBC_SHA,\n \"TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA\",\n TLS1_CK_ECDHE_PSK_WITH_AES_128_CBC_SHA,\n SSL_kECDHE,\n SSL_aPSK,\n SSL_AES128,\n SSL_SHA1,\n SSL_HANDSHAKE_MAC_DEFAULT,\n },\n\n // Cipher C036\n {\n TLS1_TXT_ECDHE_PSK_WITH_AES_256_CBC_SHA,\n \"TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA\",\n TLS1_CK_ECDHE_PSK_WITH_AES_256_CBC_SHA,\n SSL_kECDHE,\n SSL_aPSK,\n SSL_AES256,\n SSL_SHA1,\n SSL_HANDSHAKE_MAC_DEFAULT,\n },\n\n // ChaCha20-Poly1305 cipher suites.\n\n // Cipher CCA8\n {\n TLS1_TXT_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,\n \"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256\",\n TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,\n SSL_kECDHE,\n SSL_aRSA_SIGN,\n SSL_CHACHA20POLY1305,\n SSL_AEAD,\n SSL_HANDSHAKE_MAC_SHA256,\n },\n\n // Cipher CCA9\n {\n TLS1_TXT_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,\n \"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256\",\n TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,\n SSL_kECDHE,\n SSL_aECDSA,\n SSL_CHACHA20POLY1305,\n SSL_AEAD,\n SSL_HANDSHAKE_MAC_SHA256,\n },\n\n // Cipher CCAB\n {\n TLS1_TXT_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256,\n \"TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256\",\n TLS1_CK_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256,\n SSL_kECDHE,\n SSL_aPSK,\n SSL_CHACHA20POLY1305,\n SSL_AEAD,\n SSL_HANDSHAKE_MAC_SHA256,\n },\n\n};\n\nSpan AllCiphers() { return kCiphers; }\n\nstatic constexpr size_t NumTLS13Ciphers() {\n size_t num = 0;\n for (const auto &cipher : kCiphers) {\n if (cipher.algorithm_mkey == SSL_kGENERIC) {\n num++;\n }\n }\n return num;\n}\n\n#define CIPHER_ADD 1\n#define CIPHER_KILL 2\n#define CIPHER_DEL 3\n#define CIPHER_ORD 4\n#define CIPHER_SPECIAL 5\n\ntypedef struct cipher_order_st {\n const SSL_CIPHER *cipher;\n bool active;\n bool in_group;\n struct cipher_order_st *next, *prev;\n} CIPHER_ORDER;\n\ntypedef struct cipher_alias_st {\n // name is the name of the cipher alias.\n const char *name = nullptr;\n\n // The following fields are bitmasks for the corresponding fields on\n // |SSL_CIPHER|. A cipher matches a cipher alias iff, for each bitmask, the\n // bit corresponding to the cipher's value is set to 1. If any bitmask is\n // all zeroes, the alias matches nothing. Use |~0u| for the default value.\n uint32_t algorithm_mkey = ~0u;\n uint32_t algorithm_auth = ~0u;\n uint32_t algorithm_enc = ~0u;\n uint32_t algorithm_mac = ~0u;\n\n // min_version, if non-zero, matches all ciphers which were added in that\n // particular protocol version.\n uint16_t min_version = 0;\n\n // include_deprecated, if true, means this alias includes deprecated ciphers.\n bool include_deprecated = false;\n} CIPHER_ALIAS;\n\nstatic const CIPHER_ALIAS kCipherAliases[] = {\n {\"ALL\", ~0u, ~0u, ~0u, ~0u, 0},\n\n // The \"COMPLEMENTOFDEFAULT\" rule is omitted. It matches nothing.\n\n // key exchange aliases\n // (some of those using only a single bit here combine\n // multiple key exchange algs according to the RFCs.\n {\"kRSA\", SSL_kRSA, ~0u, ~0u, ~0u, 0},\n\n {\"kECDHE\", SSL_kECDHE, ~0u, ~0u, ~0u, 0},\n {\"kEECDH\", SSL_kECDHE, ~0u, ~0u, ~0u, 0},\n {\"ECDH\", SSL_kECDHE, ~0u, ~0u, ~0u, 0},\n\n {\"kPSK\", SSL_kPSK, ~0u, ~0u, ~0u, 0},\n\n // server authentication aliases\n {\"aRSA\", ~0u, SSL_aRSA_SIGN | SSL_aRSA_DECRYPT, ~0u, ~0u, 0},\n {\"aECDSA\", ~0u, SSL_aECDSA, ~0u, ~0u, 0},\n {\"ECDSA\", ~0u, SSL_aECDSA, ~0u, ~0u, 0},\n {\"aPSK\", ~0u, SSL_aPSK, ~0u, ~0u, 0},\n\n // aliases combining key exchange and server authentication\n {\"ECDHE\", SSL_kECDHE, ~0u, ~0u, ~0u, 0},\n {\"EECDH\", SSL_kECDHE, ~0u, ~0u, ~0u, 0},\n {\"RSA\", SSL_kRSA, SSL_aRSA_SIGN | SSL_aRSA_DECRYPT, ~0u, ~0u, 0},\n {\"PSK\", SSL_kPSK, SSL_aPSK, ~0u, ~0u, 0},\n\n // symmetric encryption aliases\n {\"3DES\", ~0u, ~0u, SSL_3DES, ~0u, 0, /*include_deprecated=*/true},\n {\"AES128\", ~0u, ~0u, SSL_AES128 | SSL_AES128GCM, ~0u, 0,\n /*include_deprecated=*/false},\n {\"AES256\", ~0u, ~0u, SSL_AES256 | SSL_AES256GCM, ~0u, 0,\n /*include_deprecated=*/false},\n {\"AES\", ~0u, ~0u, SSL_AES, ~0u, 0},\n {\"AESGCM\", ~0u, ~0u, SSL_AES128GCM | SSL_AES256GCM, ~0u, 0,\n /*include_deprecated=*/false},\n {\"CHACHA20\", ~0u, ~0u, SSL_CHACHA20POLY1305, ~0u, 0,\n /*include_deprecated=*/false},\n\n // MAC aliases\n {\"SHA1\", ~0u, ~0u, ~0u, SSL_SHA1, 0},\n {\"SHA\", ~0u, ~0u, ~0u, SSL_SHA1, 0},\n\n // Legacy protocol minimum version aliases. \"TLSv1\" is intentionally the\n // same as \"SSLv3\".\n {\"SSLv3\", ~0u, ~0u, ~0u, ~0u, SSL3_VERSION},\n {\"TLSv1\", ~0u, ~0u, ~0u, ~0u, SSL3_VERSION},\n {\"TLSv1.2\", ~0u, ~0u, ~0u, ~0u, TLS1_2_VERSION},\n\n // Legacy strength classes.\n {\"HIGH\", ~0u, ~0u, ~0u, ~0u, 0},\n {\"FIPS\", ~0u, ~0u, ~0u, ~0u, 0},\n\n // Temporary no-op aliases corresponding to removed SHA-2 legacy CBC\n // ciphers. These should be removed after 2018-05-14.\n {\"SHA256\", 0, 0, 0, 0, 0},\n {\"SHA384\", 0, 0, 0, 0, 0},\n};\n\nstatic const size_t kCipherAliasesLen = OPENSSL_ARRAY_SIZE(kCipherAliases);\n\nbool ssl_cipher_get_evp_aead(const EVP_AEAD **out_aead,\n size_t *out_mac_secret_len,\n size_t *out_fixed_iv_len, const SSL_CIPHER *cipher,\n uint16_t version) {\n *out_aead = NULL;\n *out_mac_secret_len = 0;\n *out_fixed_iv_len = 0;\n\n if (cipher->algorithm_mac == SSL_AEAD) {\n if (cipher->algorithm_enc == SSL_AES128GCM) {\n if (version < TLS1_3_VERSION) {\n *out_aead = EVP_aead_aes_128_gcm_tls12();\n } else {\n *out_aead = EVP_aead_aes_128_gcm_tls13();\n }\n *out_fixed_iv_len = 4;\n } else if (cipher->algorithm_enc == SSL_AES256GCM) {\n if (version < TLS1_3_VERSION) {\n *out_aead = EVP_aead_aes_256_gcm_tls12();\n } else {\n *out_aead = EVP_aead_aes_256_gcm_tls13();\n }\n *out_fixed_iv_len = 4;\n } else if (cipher->algorithm_enc == SSL_CHACHA20POLY1305) {\n *out_aead = EVP_aead_chacha20_poly1305();\n *out_fixed_iv_len = 12;\n } else {\n return false;\n }\n\n // In TLS 1.3, the iv_len is equal to the AEAD nonce length whereas the code\n // above computes the TLS 1.2 construction.\n if (version >= TLS1_3_VERSION) {\n *out_fixed_iv_len = EVP_AEAD_nonce_length(*out_aead);\n }\n } else if (cipher->algorithm_mac == SSL_SHA1) {\n if (cipher->algorithm_enc == SSL_3DES) {\n if (version == TLS1_VERSION) {\n *out_aead = EVP_aead_des_ede3_cbc_sha1_tls_implicit_iv();\n *out_fixed_iv_len = 8;\n } else {\n *out_aead = EVP_aead_des_ede3_cbc_sha1_tls();\n }\n } else if (cipher->algorithm_enc == SSL_AES128) {\n if (version == TLS1_VERSION) {\n *out_aead = EVP_aead_aes_128_cbc_sha1_tls_implicit_iv();\n *out_fixed_iv_len = 16;\n } else {\n *out_aead = EVP_aead_aes_128_cbc_sha1_tls();\n }\n } else if (cipher->algorithm_enc == SSL_AES256) {\n if (version == TLS1_VERSION) {\n *out_aead = EVP_aead_aes_256_cbc_sha1_tls_implicit_iv();\n *out_fixed_iv_len = 16;\n } else {\n *out_aead = EVP_aead_aes_256_cbc_sha1_tls();\n }\n } else {\n return false;\n }\n\n *out_mac_secret_len = SHA_DIGEST_LENGTH;\n } else if (cipher->algorithm_mac == SSL_SHA256) {\n if (cipher->algorithm_enc == SSL_AES128) {\n *out_aead = EVP_aead_aes_128_cbc_sha256_tls();\n } else {\n return false;\n }\n\n *out_mac_secret_len = SHA256_DIGEST_LENGTH;\n } else {\n return false;\n }\n\n return true;\n}\n\nconst EVP_MD *ssl_get_handshake_digest(uint16_t version,\n const SSL_CIPHER *cipher) {\n switch (cipher->algorithm_prf) {\n case SSL_HANDSHAKE_MAC_DEFAULT:\n return version >= TLS1_2_VERSION ? EVP_sha256() : EVP_md5_sha1();\n case SSL_HANDSHAKE_MAC_SHA256:\n return EVP_sha256();\n case SSL_HANDSHAKE_MAC_SHA384:\n return EVP_sha384();\n default:\n assert(0);\n return NULL;\n }\n}\n\nstatic bool is_cipher_list_separator(char c, bool is_strict) {\n if (c == ':') {\n return true;\n }\n return !is_strict && (c == ' ' || c == ';' || c == ',');\n}\n\n// rule_equals returns whether the NUL-terminated string |rule| is equal to the\n// |buf_len| bytes at |buf|.\nstatic bool rule_equals(const char *rule, const char *buf, size_t buf_len) {\n // |strncmp| alone only checks that |buf| is a prefix of |rule|.\n return strncmp(rule, buf, buf_len) == 0 && rule[buf_len] == '\\0';\n}\n\nstatic void ll_append_tail(CIPHER_ORDER **head, CIPHER_ORDER *curr,\n CIPHER_ORDER **tail) {\n if (curr == *tail) {\n return;\n }\n if (curr == *head) {\n *head = curr->next;\n }\n if (curr->prev != NULL) {\n curr->prev->next = curr->next;\n }\n if (curr->next != NULL) {\n curr->next->prev = curr->prev;\n }\n (*tail)->next = curr;\n curr->prev = *tail;\n curr->next = NULL;\n *tail = curr;\n}\n\nstatic void ll_append_head(CIPHER_ORDER **head, CIPHER_ORDER *curr,\n CIPHER_ORDER **tail) {\n if (curr == *head) {\n return;\n }\n if (curr == *tail) {\n *tail = curr->prev;\n }\n if (curr->next != NULL) {\n curr->next->prev = curr->prev;\n }\n if (curr->prev != NULL) {\n curr->prev->next = curr->next;\n }\n (*head)->prev = curr;\n curr->next = *head;\n curr->prev = NULL;\n *head = curr;\n}\n\nSSLCipherPreferenceList::~SSLCipherPreferenceList() {\n OPENSSL_free(in_group_flags);\n}\n\nbool SSLCipherPreferenceList::Init(UniquePtr ciphers_arg,\n Span in_group_flags_arg) {\n if (sk_SSL_CIPHER_num(ciphers_arg.get()) != in_group_flags_arg.size()) {\n OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);\n return false;\n }\n\n Array copy;\n if (!copy.CopyFrom(in_group_flags_arg)) {\n return false;\n }\n ciphers = std::move(ciphers_arg);\n size_t unused_len;\n copy.Release(&in_group_flags, &unused_len);\n return true;\n}\n\nbool SSLCipherPreferenceList::Init(const SSLCipherPreferenceList &other) {\n size_t size = sk_SSL_CIPHER_num(other.ciphers.get());\n Span other_flags(other.in_group_flags, size);\n UniquePtr other_ciphers(\n sk_SSL_CIPHER_dup(other.ciphers.get()));\n if (!other_ciphers) {\n return false;\n }\n return Init(std::move(other_ciphers), other_flags);\n}\n\nvoid SSLCipherPreferenceList::Remove(const SSL_CIPHER *cipher) {\n size_t index;\n if (!sk_SSL_CIPHER_find(ciphers.get(), &index, cipher)) {\n return;\n }\n if (!in_group_flags[index] /* last element of group */ && index > 0) {\n in_group_flags[index - 1] = false;\n }\n for (size_t i = index; i < sk_SSL_CIPHER_num(ciphers.get()) - 1; ++i) {\n in_group_flags[i] = in_group_flags[i + 1];\n }\n sk_SSL_CIPHER_delete(ciphers.get(), index);\n}\n\nbool ssl_cipher_is_deprecated(const SSL_CIPHER *cipher) {\n return cipher->id == TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA256 ||\n cipher->algorithm_enc == SSL_3DES;\n}\n\n// ssl_cipher_apply_rule applies the rule type |rule| to ciphers matching its\n// parameters in the linked list from |*head_p| to |*tail_p|. It writes the new\n// head and tail of the list to |*head_p| and |*tail_p|, respectively.\n//\n// - If |cipher_id| is non-zero, only that cipher is selected.\n// - Otherwise, if |strength_bits| is non-negative, it selects ciphers\n// of that strength.\n// - Otherwise, |alias| must be non-null. It selects ciphers that matches\n// |*alias|.\nstatic void ssl_cipher_apply_rule(uint32_t cipher_id, const CIPHER_ALIAS *alias,\n int rule, int strength_bits, bool in_group,\n CIPHER_ORDER **head_p,\n CIPHER_ORDER **tail_p) {\n CIPHER_ORDER *head, *tail, *curr, *next, *last;\n const SSL_CIPHER *cp;\n bool reverse = false;\n\n if (cipher_id == 0 && strength_bits == -1 && alias->min_version == 0 &&\n (alias->algorithm_mkey == 0 || alias->algorithm_auth == 0 ||\n alias->algorithm_enc == 0 || alias->algorithm_mac == 0)) {\n // The rule matches nothing, so bail early.\n return;\n }\n\n if (rule == CIPHER_DEL) {\n // needed to maintain sorting between currently deleted ciphers\n reverse = true;\n }\n\n head = *head_p;\n tail = *tail_p;\n\n if (reverse) {\n next = tail;\n last = head;\n } else {\n next = head;\n last = tail;\n }\n\n curr = NULL;\n for (;;) {\n if (curr == last) {\n break;\n }\n\n curr = next;\n if (curr == NULL) {\n break;\n }\n\n next = reverse ? curr->prev : curr->next;\n cp = curr->cipher;\n\n // Selection criteria is either a specific cipher, the value of\n // |strength_bits|, or the algorithms used.\n if (cipher_id != 0) {\n if (cipher_id != cp->id) {\n continue;\n }\n } else if (strength_bits >= 0) {\n if (strength_bits != SSL_CIPHER_get_bits(cp, NULL)) {\n continue;\n }\n } else {\n if (!(alias->algorithm_mkey & cp->algorithm_mkey) ||\n !(alias->algorithm_auth & cp->algorithm_auth) ||\n !(alias->algorithm_enc & cp->algorithm_enc) ||\n !(alias->algorithm_mac & cp->algorithm_mac) ||\n (alias->min_version != 0 &&\n SSL_CIPHER_get_min_version(cp) != alias->min_version) ||\n (!alias->include_deprecated && ssl_cipher_is_deprecated(cp))) {\n continue;\n }\n }\n\n // add the cipher if it has not been added yet.\n if (rule == CIPHER_ADD) {\n // reverse == false\n if (!curr->active) {\n ll_append_tail(&head, curr, &tail);\n curr->active = true;\n curr->in_group = in_group;\n }\n }\n\n // Move the added cipher to this location\n else if (rule == CIPHER_ORD) {\n // reverse == false\n if (curr->active) {\n ll_append_tail(&head, curr, &tail);\n curr->in_group = false;\n }\n } else if (rule == CIPHER_DEL) {\n // reverse == true\n if (curr->active) {\n // most recently deleted ciphersuites get best positions\n // for any future CIPHER_ADD (note that the CIPHER_DEL loop\n // works in reverse to maintain the order)\n ll_append_head(&head, curr, &tail);\n curr->active = false;\n curr->in_group = false;\n }\n } else if (rule == CIPHER_KILL) {\n // reverse == false\n if (head == curr) {\n head = curr->next;\n } else {\n curr->prev->next = curr->next;\n }\n\n if (tail == curr) {\n tail = curr->prev;\n }\n curr->active = false;\n if (curr->next != NULL) {\n curr->next->prev = curr->prev;\n }\n if (curr->prev != NULL) {\n curr->prev->next = curr->next;\n }\n curr->next = NULL;\n curr->prev = NULL;\n }\n }\n\n *head_p = head;\n *tail_p = tail;\n}\n\nstatic bool ssl_cipher_strength_sort(CIPHER_ORDER **head_p,\n CIPHER_ORDER **tail_p) {\n // This routine sorts the ciphers with descending strength. The sorting must\n // keep the pre-sorted sequence, so we apply the normal sorting routine as\n // '+' movement to the end of the list.\n int max_strength_bits = 0;\n CIPHER_ORDER *curr = *head_p;\n while (curr != NULL) {\n if (curr->active &&\n SSL_CIPHER_get_bits(curr->cipher, NULL) > max_strength_bits) {\n max_strength_bits = SSL_CIPHER_get_bits(curr->cipher, NULL);\n }\n curr = curr->next;\n }\n\n Array number_uses;\n if (!number_uses.Init(max_strength_bits + 1)) {\n return false;\n }\n\n // Now find the strength_bits values actually used.\n curr = *head_p;\n while (curr != NULL) {\n if (curr->active) {\n number_uses[SSL_CIPHER_get_bits(curr->cipher, NULL)]++;\n }\n curr = curr->next;\n }\n\n // Go through the list of used strength_bits values in descending order.\n for (int i = max_strength_bits; i >= 0; i--) {\n if (number_uses[i] > 0) {\n ssl_cipher_apply_rule(/*cipher_id=*/0, /*alias=*/nullptr, CIPHER_ORD, i,\n false, head_p, tail_p);\n }\n }\n\n return true;\n}\n\nstatic bool ssl_cipher_process_rulestr(const char *rule_str,\n CIPHER_ORDER **head_p,\n CIPHER_ORDER **tail_p, bool strict) {\n const char *l, *buf;\n bool in_group = false, has_group = false;\n size_t j, buf_len;\n char ch;\n\n l = rule_str;\n for (;;) {\n ch = *l;\n\n if (ch == '\\0') {\n break; // done\n }\n\n int rule;\n if (in_group) {\n if (ch == ']') {\n if (*tail_p) {\n (*tail_p)->in_group = false;\n }\n in_group = false;\n l++;\n continue;\n }\n\n if (ch == '|') {\n rule = CIPHER_ADD;\n l++;\n continue;\n } else if (!OPENSSL_isalnum(ch)) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_OPERATOR_IN_GROUP);\n return false;\n } else {\n rule = CIPHER_ADD;\n }\n } else if (ch == '-') {\n rule = CIPHER_DEL;\n l++;\n } else if (ch == '+') {\n rule = CIPHER_ORD;\n l++;\n } else if (ch == '!') {\n rule = CIPHER_KILL;\n l++;\n } else if (ch == '@') {\n rule = CIPHER_SPECIAL;\n l++;\n } else if (ch == '[') {\n assert(!in_group);\n in_group = true;\n has_group = true;\n l++;\n continue;\n } else {\n rule = CIPHER_ADD;\n }\n\n // If preference groups are enabled, the only legal operator is +.\n // Otherwise the in_group bits will get mixed up.\n if (has_group && rule != CIPHER_ADD) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_MIXED_SPECIAL_OPERATOR_WITH_GROUPS);\n return false;\n }\n\n if (is_cipher_list_separator(ch, strict)) {\n l++;\n continue;\n }\n\n bool multi = false;\n uint32_t cipher_id = 0;\n CIPHER_ALIAS alias;\n bool skip_rule = false;\n\n // When adding, exclude deprecated ciphers by default.\n alias.include_deprecated = rule != CIPHER_ADD;\n\n for (;;) {\n ch = *l;\n buf = l;\n buf_len = 0;\n while (OPENSSL_isalnum(ch) || ch == '-' || ch == '.' || ch == '_') {\n ch = *(++l);\n buf_len++;\n }\n\n if (buf_len == 0) {\n // We hit something we cannot deal with, it is no command or separator\n // nor alphanumeric, so we call this an error.\n OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_COMMAND);\n return false;\n }\n\n if (rule == CIPHER_SPECIAL) {\n break;\n }\n\n // Look for a matching exact cipher. These aren't allowed in multipart\n // rules.\n if (!multi && ch != '+') {\n for (j = 0; j < OPENSSL_ARRAY_SIZE(kCiphers); j++) {\n const SSL_CIPHER *cipher = &kCiphers[j];\n if (rule_equals(cipher->name, buf, buf_len) ||\n rule_equals(cipher->standard_name, buf, buf_len)) {\n cipher_id = cipher->id;\n break;\n }\n }\n }\n if (cipher_id == 0) {\n // If not an exact cipher, look for a matching cipher alias.\n for (j = 0; j < kCipherAliasesLen; j++) {\n if (rule_equals(kCipherAliases[j].name, buf, buf_len)) {\n alias.algorithm_mkey &= kCipherAliases[j].algorithm_mkey;\n alias.algorithm_auth &= kCipherAliases[j].algorithm_auth;\n alias.algorithm_enc &= kCipherAliases[j].algorithm_enc;\n alias.algorithm_mac &= kCipherAliases[j].algorithm_mac;\n\n // When specifying a combination of aliases, if any aliases\n // enables deprecated ciphers, deprecated ciphers are included. This\n // is slightly different from the bitmasks in that adding aliases\n // can increase the set of matched ciphers. This is so that an alias\n // like \"RSA\" will only specifiy AES-based RSA ciphers, but\n // \"RSA+3DES\" will still specify 3DES.\n alias.include_deprecated |= kCipherAliases[j].include_deprecated;\n\n if (alias.min_version != 0 &&\n alias.min_version != kCipherAliases[j].min_version) {\n skip_rule = true;\n } else {\n alias.min_version = kCipherAliases[j].min_version;\n }\n break;\n }\n }\n if (j == kCipherAliasesLen) {\n skip_rule = true;\n if (strict) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_COMMAND);\n return false;\n }\n }\n }\n\n // Check for a multipart rule.\n if (ch != '+') {\n break;\n }\n l++;\n multi = true;\n }\n\n // Ok, we have the rule, now apply it.\n if (rule == CIPHER_SPECIAL) {\n if (buf_len != 8 || strncmp(buf, \"STRENGTH\", 8) != 0) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_COMMAND);\n return false;\n }\n if (!ssl_cipher_strength_sort(head_p, tail_p)) {\n return false;\n }\n\n // We do not support any \"multi\" options together with \"@\", so throw away\n // the rest of the command, if any left, until end or ':' is found.\n while (*l != '\\0' && !is_cipher_list_separator(*l, strict)) {\n l++;\n }\n } else if (!skip_rule) {\n ssl_cipher_apply_rule(cipher_id, &alias, rule, -1, in_group, head_p,\n tail_p);\n }\n }\n\n if (in_group) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_COMMAND);\n return false;\n }\n\n return true;\n}\n\nbool ssl_create_cipher_list(UniquePtr *out_cipher_list,\n const bool has_aes_hw, const char *rule_str,\n bool strict) {\n // Return with error if nothing to do.\n if (rule_str == NULL || out_cipher_list == NULL) {\n return false;\n }\n\n // We prefer ECDHE ciphers over non-PFS ciphers. Then we prefer AEAD over\n // non-AEAD. The constants are masked by 0xffff to remove the vestigial 0x03\n // byte from SSL 2.0.\n static const uint16_t kAESCiphers[] = {\n TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 & 0xffff,\n TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256 & 0xffff,\n TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 & 0xffff,\n TLS1_CK_ECDHE_RSA_WITH_AES_256_GCM_SHA384 & 0xffff,\n };\n static const uint16_t kChaChaCiphers[] = {\n TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 & 0xffff,\n TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 & 0xffff,\n TLS1_CK_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256 & 0xffff,\n };\n static const uint16_t kLegacyCiphers[] = {\n TLS1_CK_ECDHE_ECDSA_WITH_AES_128_CBC_SHA & 0xffff,\n TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA & 0xffff,\n TLS1_CK_ECDHE_PSK_WITH_AES_128_CBC_SHA & 0xffff,\n TLS1_CK_ECDHE_ECDSA_WITH_AES_256_CBC_SHA & 0xffff,\n TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA & 0xffff,\n TLS1_CK_ECDHE_PSK_WITH_AES_256_CBC_SHA & 0xffff,\n TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA256 & 0xffff,\n TLS1_CK_RSA_WITH_AES_128_GCM_SHA256 & 0xffff,\n TLS1_CK_RSA_WITH_AES_256_GCM_SHA384 & 0xffff,\n TLS1_CK_RSA_WITH_AES_128_SHA & 0xffff,\n TLS1_CK_PSK_WITH_AES_128_CBC_SHA & 0xffff,\n TLS1_CK_RSA_WITH_AES_256_SHA & 0xffff,\n TLS1_CK_PSK_WITH_AES_256_CBC_SHA & 0xffff,\n SSL3_CK_RSA_DES_192_CBC3_SHA & 0xffff,\n };\n\n // Set up a linked list of ciphers.\n CIPHER_ORDER co_list[OPENSSL_ARRAY_SIZE(kAESCiphers) +\n OPENSSL_ARRAY_SIZE(kChaChaCiphers) +\n OPENSSL_ARRAY_SIZE(kLegacyCiphers)];\n for (size_t i = 0; i < OPENSSL_ARRAY_SIZE(co_list); i++) {\n co_list[i].next =\n i + 1 < OPENSSL_ARRAY_SIZE(co_list) ? &co_list[i + 1] : nullptr;\n co_list[i].prev = i == 0 ? nullptr : &co_list[i - 1];\n co_list[i].active = false;\n co_list[i].in_group = false;\n }\n CIPHER_ORDER *head = &co_list[0];\n CIPHER_ORDER *tail = &co_list[OPENSSL_ARRAY_SIZE(co_list) - 1];\n\n // Order AES ciphers vs ChaCha ciphers based on whether we have AES hardware.\n //\n // TODO(crbug.com/boringssl/29): We should also set up equipreference groups\n // as a server.\n size_t num = 0;\n if (has_aes_hw) {\n for (uint16_t id : kAESCiphers) {\n co_list[num++].cipher = SSL_get_cipher_by_value(id);\n assert(co_list[num - 1].cipher != nullptr);\n }\n }\n for (uint16_t id : kChaChaCiphers) {\n co_list[num++].cipher = SSL_get_cipher_by_value(id);\n assert(co_list[num - 1].cipher != nullptr);\n }\n if (!has_aes_hw) {\n for (uint16_t id : kAESCiphers) {\n co_list[num++].cipher = SSL_get_cipher_by_value(id);\n assert(co_list[num - 1].cipher != nullptr);\n }\n }\n for (uint16_t id : kLegacyCiphers) {\n co_list[num++].cipher = SSL_get_cipher_by_value(id);\n assert(co_list[num - 1].cipher != nullptr);\n }\n assert(num == OPENSSL_ARRAY_SIZE(co_list));\n static_assert(OPENSSL_ARRAY_SIZE(co_list) + NumTLS13Ciphers() ==\n OPENSSL_ARRAY_SIZE(kCiphers),\n \"Not all ciphers are included in the cipher order\");\n\n // If the rule_string begins with DEFAULT, apply the default rule before\n // using the (possibly available) additional rules.\n const char *rule_p = rule_str;\n if (strncmp(rule_str, \"DEFAULT\", 7) == 0) {\n if (!ssl_cipher_process_rulestr(SSL_DEFAULT_CIPHER_LIST, &head, &tail,\n strict)) {\n return false;\n }\n rule_p += 7;\n if (*rule_p == ':') {\n rule_p++;\n }\n }\n\n if (*rule_p != '\\0' &&\n !ssl_cipher_process_rulestr(rule_p, &head, &tail, strict)) {\n return false;\n }\n\n // Allocate new \"cipherstack\" for the result, return with error\n // if we cannot get one.\n UniquePtr cipherstack(sk_SSL_CIPHER_new_null());\n Array in_group_flags;\n if (cipherstack == nullptr ||\n !in_group_flags.InitForOverwrite(OPENSSL_ARRAY_SIZE(kCiphers))) {\n return false;\n }\n\n // The cipher selection for the list is done. The ciphers are added\n // to the resulting precedence to the STACK_OF(SSL_CIPHER).\n size_t num_in_group_flags = 0;\n for (CIPHER_ORDER *curr = head; curr != NULL; curr = curr->next) {\n if (curr->active) {\n if (!sk_SSL_CIPHER_push(cipherstack.get(), curr->cipher)) {\n return false;\n }\n in_group_flags[num_in_group_flags++] = curr->in_group;\n }\n }\n in_group_flags.Shrink(num_in_group_flags);\n\n UniquePtr pref_list =\n MakeUnique();\n if (!pref_list || !pref_list->Init(std::move(cipherstack), in_group_flags)) {\n return false;\n }\n\n *out_cipher_list = std::move(pref_list);\n\n // Configuring an empty cipher list is an error but still updates the\n // output.\n if (sk_SSL_CIPHER_num((*out_cipher_list)->ciphers.get()) == 0) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_NO_CIPHER_MATCH);\n return false;\n }\n\n return true;\n}\n\nuint32_t ssl_cipher_auth_mask_for_key(const EVP_PKEY *key, bool sign_ok) {\n switch (EVP_PKEY_id(key)) {\n case EVP_PKEY_RSA:\n return sign_ok ? (SSL_aRSA_SIGN | SSL_aRSA_DECRYPT) : SSL_aRSA_DECRYPT;\n case EVP_PKEY_EC:\n case EVP_PKEY_ED25519:\n // Ed25519 keys in TLS 1.2 repurpose the ECDSA ciphers.\n return sign_ok ? SSL_aECDSA : 0;\n default:\n return 0;\n }\n}\n\nbool ssl_cipher_uses_certificate_auth(const SSL_CIPHER *cipher) {\n return (cipher->algorithm_auth & SSL_aCERT) != 0;\n}\n\nbool ssl_cipher_requires_server_key_exchange(const SSL_CIPHER *cipher) {\n // Ephemeral Diffie-Hellman key exchanges require a ServerKeyExchange. It is\n // optional or omitted in all others.\n return (cipher->algorithm_mkey & SSL_kECDHE) != 0;\n}\n\nsize_t ssl_cipher_get_record_split_len(const SSL_CIPHER *cipher) {\n size_t block_size;\n switch (cipher->algorithm_enc) {\n case SSL_3DES:\n block_size = 8;\n break;\n case SSL_AES128:\n case SSL_AES256:\n block_size = 16;\n break;\n default:\n return 0;\n }\n\n // All supported TLS 1.0 ciphers use SHA-1.\n assert(cipher->algorithm_mac == SSL_SHA1);\n size_t ret = 1 + SHA_DIGEST_LENGTH;\n ret += block_size - (ret % block_size);\n return ret;\n}\n\nBSSL_NAMESPACE_END\n\nusing namespace bssl;\n\nstatic constexpr int ssl_cipher_id_cmp(const SSL_CIPHER *a,\n const SSL_CIPHER *b) {\n if (a->id > b->id) {\n return 1;\n }\n if (a->id < b->id) {\n return -1;\n }\n return 0;\n}\n\nstatic int ssl_cipher_id_cmp_void(const void *in_a, const void *in_b) {\n return ssl_cipher_id_cmp(reinterpret_cast(in_a),\n reinterpret_cast(in_b));\n}\n\ntemplate \nstatic constexpr bool ssl_ciphers_sorted(const SSL_CIPHER (&ciphers)[N]) {\n for (size_t i = 1; i < N; i++) {\n if (ssl_cipher_id_cmp(&ciphers[i - 1], &ciphers[i]) >= 0) {\n return false;\n }\n }\n return true;\n}\n\nstatic_assert(ssl_ciphers_sorted(kCiphers),\n \"Ciphers are not sorted, bsearch won't work\");\n\nconst SSL_CIPHER *SSL_get_cipher_by_value(uint16_t value) {\n SSL_CIPHER c;\n\n c.id = 0x03000000L | value;\n return reinterpret_cast(\n bsearch(&c, kCiphers, OPENSSL_ARRAY_SIZE(kCiphers), sizeof(SSL_CIPHER),\n ssl_cipher_id_cmp_void));\n}\n\nuint32_t SSL_CIPHER_get_id(const SSL_CIPHER *cipher) { return cipher->id; }\n\nuint16_t SSL_CIPHER_get_protocol_id(const SSL_CIPHER *cipher) {\n // All OpenSSL cipher IDs are prefaced with 0x03. Historically this referred\n // to SSLv2 vs SSLv3.\n assert((cipher->id & 0xff000000) == 0x03000000);\n return static_cast(cipher->id);\n}\n\nint SSL_CIPHER_is_aead(const SSL_CIPHER *cipher) {\n return (cipher->algorithm_mac & SSL_AEAD) != 0;\n}\n\nint SSL_CIPHER_get_cipher_nid(const SSL_CIPHER *cipher) {\n switch (cipher->algorithm_enc) {\n case SSL_3DES:\n return NID_des_ede3_cbc;\n case SSL_AES128:\n return NID_aes_128_cbc;\n case SSL_AES256:\n return NID_aes_256_cbc;\n case SSL_AES128GCM:\n return NID_aes_128_gcm;\n case SSL_AES256GCM:\n return NID_aes_256_gcm;\n case SSL_CHACHA20POLY1305:\n return NID_chacha20_poly1305;\n }\n assert(0);\n return NID_undef;\n}\n\nint SSL_CIPHER_get_digest_nid(const SSL_CIPHER *cipher) {\n switch (cipher->algorithm_mac) {\n case SSL_AEAD:\n return NID_undef;\n case SSL_SHA1:\n return NID_sha1;\n case SSL_SHA256:\n return NID_sha256;\n }\n assert(0);\n return NID_undef;\n}\n\nint SSL_CIPHER_get_kx_nid(const SSL_CIPHER *cipher) {\n switch (cipher->algorithm_mkey) {\n case SSL_kRSA:\n return NID_kx_rsa;\n case SSL_kECDHE:\n return NID_kx_ecdhe;\n case SSL_kPSK:\n return NID_kx_psk;\n case SSL_kGENERIC:\n return NID_kx_any;\n }\n assert(0);\n return NID_undef;\n}\n\nint SSL_CIPHER_get_auth_nid(const SSL_CIPHER *cipher) {\n switch (cipher->algorithm_auth) {\n case SSL_aRSA_DECRYPT:\n case SSL_aRSA_SIGN:\n return NID_auth_rsa;\n case SSL_aECDSA:\n return NID_auth_ecdsa;\n case SSL_aPSK:\n return NID_auth_psk;\n case SSL_aGENERIC:\n return NID_auth_any;\n }\n assert(0);\n return NID_undef;\n}\n\nconst EVP_MD *SSL_CIPHER_get_handshake_digest(const SSL_CIPHER *cipher) {\n switch (cipher->algorithm_prf) {\n case SSL_HANDSHAKE_MAC_DEFAULT:\n return EVP_md5_sha1();\n case SSL_HANDSHAKE_MAC_SHA256:\n return EVP_sha256();\n case SSL_HANDSHAKE_MAC_SHA384:\n return EVP_sha384();\n }\n assert(0);\n return NULL;\n}\n\nint SSL_CIPHER_get_prf_nid(const SSL_CIPHER *cipher) {\n const EVP_MD *md = SSL_CIPHER_get_handshake_digest(cipher);\n if (md == NULL) {\n return NID_undef;\n }\n return EVP_MD_nid(md);\n}\n\nint SSL_CIPHER_is_block_cipher(const SSL_CIPHER *cipher) {\n return cipher->algorithm_mac != SSL_AEAD;\n}\n\nuint16_t SSL_CIPHER_get_min_version(const SSL_CIPHER *cipher) {\n if (cipher->algorithm_mkey == SSL_kGENERIC ||\n cipher->algorithm_auth == SSL_aGENERIC) {\n return TLS1_3_VERSION;\n }\n\n if (cipher->algorithm_prf != SSL_HANDSHAKE_MAC_DEFAULT) {\n // Cipher suites before TLS 1.2 use the default PRF, while all those added\n // afterwards specify a particular hash.\n return TLS1_2_VERSION;\n }\n return SSL3_VERSION;\n}\n\nuint16_t SSL_CIPHER_get_max_version(const SSL_CIPHER *cipher) {\n if (cipher->algorithm_mkey == SSL_kGENERIC ||\n cipher->algorithm_auth == SSL_aGENERIC) {\n return TLS1_3_VERSION;\n }\n return TLS1_2_VERSION;\n}\n\nstatic const char *kUnknownCipher = \"(NONE)\";\n\n// return the actual cipher being used\nconst char *SSL_CIPHER_get_name(const SSL_CIPHER *cipher) {\n if (cipher != NULL) {\n return cipher->name;\n }\n\n return kUnknownCipher;\n}\n\nconst char *SSL_CIPHER_standard_name(const SSL_CIPHER *cipher) {\n return cipher->standard_name;\n}\n\nconst char *SSL_CIPHER_get_kx_name(const SSL_CIPHER *cipher) {\n if (cipher == NULL) {\n return \"\";\n }\n\n switch (cipher->algorithm_mkey) {\n case SSL_kRSA:\n return \"RSA\";\n\n case SSL_kECDHE:\n switch (cipher->algorithm_auth) {\n case SSL_aECDSA:\n return \"ECDHE_ECDSA\";\n case SSL_aRSA_SIGN:\n return \"ECDHE_RSA\";\n case SSL_aPSK:\n return \"ECDHE_PSK\";\n default:\n assert(0);\n return \"UNKNOWN\";\n }\n\n case SSL_kPSK:\n assert(cipher->algorithm_auth == SSL_aPSK);\n return \"PSK\";\n\n case SSL_kGENERIC:\n assert(cipher->algorithm_auth == SSL_aGENERIC);\n return \"GENERIC\";\n\n default:\n assert(0);\n return \"UNKNOWN\";\n }\n}\n\nint SSL_CIPHER_get_bits(const SSL_CIPHER *cipher, int *out_alg_bits) {\n if (cipher == NULL) {\n return 0;\n }\n\n int alg_bits, strength_bits;\n switch (cipher->algorithm_enc) {\n case SSL_AES128:\n case SSL_AES128GCM:\n alg_bits = 128;\n strength_bits = 128;\n break;\n\n case SSL_AES256:\n case SSL_AES256GCM:\n case SSL_CHACHA20POLY1305:\n alg_bits = 256;\n strength_bits = 256;\n break;\n\n case SSL_3DES:\n alg_bits = 168;\n strength_bits = 112;\n break;\n\n default:\n assert(0);\n alg_bits = 0;\n strength_bits = 0;\n }\n\n if (out_alg_bits != NULL) {\n *out_alg_bits = alg_bits;\n }\n return strength_bits;\n}\n\nconst char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf,\n int len) {\n const char *kx, *au, *enc, *mac;\n uint32_t alg_mkey, alg_auth, alg_enc, alg_mac;\n\n alg_mkey = cipher->algorithm_mkey;\n alg_auth = cipher->algorithm_auth;\n alg_enc = cipher->algorithm_enc;\n alg_mac = cipher->algorithm_mac;\n\n switch (alg_mkey) {\n case SSL_kRSA:\n kx = \"RSA\";\n break;\n\n case SSL_kECDHE:\n kx = \"ECDH\";\n break;\n\n case SSL_kPSK:\n kx = \"PSK\";\n break;\n\n case SSL_kGENERIC:\n kx = \"GENERIC\";\n break;\n\n default:\n kx = \"unknown\";\n }\n\n switch (alg_auth) {\n case SSL_aRSA_DECRYPT:\n case SSL_aRSA_SIGN:\n au = \"RSA\";\n break;\n\n case SSL_aECDSA:\n au = \"ECDSA\";\n break;\n\n case SSL_aPSK:\n au = \"PSK\";\n break;\n\n case SSL_aGENERIC:\n au = \"GENERIC\";\n break;\n\n default:\n au = \"unknown\";\n break;\n }\n\n switch (alg_enc) {\n case SSL_3DES:\n enc = \"3DES(168)\";\n break;\n\n case SSL_AES128:\n enc = \"AES(128)\";\n break;\n\n case SSL_AES256:\n enc = \"AES(256)\";\n break;\n\n case SSL_AES128GCM:\n enc = \"AESGCM(128)\";\n break;\n\n case SSL_AES256GCM:\n enc = \"AESGCM(256)\";\n break;\n\n case SSL_CHACHA20POLY1305:\n enc = \"ChaCha20-Poly1305\";\n break;\n\n default:\n enc = \"unknown\";\n break;\n }\n\n switch (alg_mac) {\n case SSL_SHA1:\n mac = \"SHA1\";\n break;\n\n case SSL_SHA256:\n mac = \"SHA256\";\n break;\n\n case SSL_AEAD:\n mac = \"AEAD\";\n break;\n\n default:\n mac = \"unknown\";\n break;\n }\n\n if (buf == NULL) {\n len = 128;\n buf = (char *)OPENSSL_malloc(len);\n if (buf == NULL) {\n return NULL;\n }\n } else if (len < 128) {\n return \"Buffer too small\";\n }\n\n snprintf(buf, len, \"%-23s Kx=%-8s Au=%-4s Enc=%-9s Mac=%-4s\\n\", cipher->name,\n kx, au, enc, mac);\n return buf;\n}\n\nconst char *SSL_CIPHER_get_version(const SSL_CIPHER *cipher) {\n return \"TLSv1/SSLv3\";\n}\n\nSTACK_OF(SSL_COMP) *SSL_COMP_get_compression_methods(void) { return NULL; }\n\nint SSL_COMP_add_compression_method(int id, COMP_METHOD *cm) { return 1; }\n\nconst char *SSL_COMP_get_name(const COMP_METHOD *comp) { return NULL; }\n\nconst char *SSL_COMP_get0_name(const SSL_COMP *comp) { return comp->name; }\n\nint SSL_COMP_get_id(const SSL_COMP *comp) { return comp->id; }\n\nvoid SSL_COMP_free_compression_methods(void) {}\n\nsize_t SSL_get_all_cipher_names(const char **out, size_t max_out) {\n return GetAllNames(out, max_out, Span(&kUnknownCipher, 1), &SSL_CIPHER::name,\n Span(kCiphers));\n}\n\nsize_t SSL_get_all_standard_cipher_names(const char **out, size_t max_out) {\n return GetAllNames(out, max_out, Span(),\n &SSL_CIPHER::standard_name, Span(kCiphers));\n}\n" }, { "path": "Sources/CNIOBoringSSL/ssl/ssl_credential.cc", "content": "/* Copyright 2024 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n#include \n\n#include \n\n#include \n\n#include \"../crypto/internal.h\"\n#include \"internal.h\"\n\n\nBSSL_NAMESPACE_BEGIN\n\n// new_leafless_chain returns a fresh stack of buffers set to {nullptr}.\nstatic UniquePtr new_leafless_chain(void) {\n UniquePtr chain(sk_CRYPTO_BUFFER_new_null());\n if (!chain || !sk_CRYPTO_BUFFER_push(chain.get(), nullptr)) {\n return nullptr;\n }\n\n return chain;\n}\n\nbool ssl_get_credential_list(SSL_HANDSHAKE *hs, Array *out) {\n CERT *cert = hs->config->cert.get();\n // Finish filling in the legacy credential if needed.\n if (!cert->x509_method->ssl_auto_chain_if_needed(hs)) {\n return false;\n }\n\n size_t num_creds = cert->credentials.size();\n bool include_legacy = cert->legacy_credential->IsComplete();\n if (include_legacy) {\n num_creds++;\n }\n\n if (!out->InitForOverwrite(num_creds)) {\n return false;\n }\n\n for (size_t i = 0; i < cert->credentials.size(); i++) {\n (*out)[i] = cert->credentials[i].get();\n }\n if (include_legacy) {\n (*out)[num_creds - 1] = cert->legacy_credential.get();\n }\n return true;\n}\n\nbool ssl_credential_matches_requested_issuers(SSL_HANDSHAKE *hs,\n const SSL_CREDENTIAL *cred) {\n if (!cred->must_match_issuer) {\n // This credential does not need to match a requested issuer, so\n // it is good to use without a match.\n return true;\n }\n\n // If we have names sent by the CA extension, and this\n // credential matches it, it is good.\n if (hs->ca_names != nullptr) {\n for (const CRYPTO_BUFFER *ca_name : hs->ca_names.get()) {\n if (cred->ChainContainsIssuer(\n Span(CRYPTO_BUFFER_data(ca_name), CRYPTO_BUFFER_len(ca_name)))) {\n return true;\n }\n }\n }\n // TODO(bbe): Other forms of issuer matching go here.\n\n OPENSSL_PUT_ERROR(SSL, SSL_R_NO_MATCHING_ISSUER);\n return false;\n}\n\nBSSL_NAMESPACE_END\n\nusing namespace bssl;\n\nstatic CRYPTO_EX_DATA_CLASS g_ex_data_class = CRYPTO_EX_DATA_CLASS_INIT;\n\nssl_credential_st::ssl_credential_st(SSLCredentialType type_arg)\n : RefCounted(CheckSubClass()), type(type_arg) {\n CRYPTO_new_ex_data(&ex_data);\n}\n\nssl_credential_st::~ssl_credential_st() {\n CRYPTO_free_ex_data(&g_ex_data_class, this, &ex_data);\n}\n\nstatic CRYPTO_BUFFER *buffer_up_ref(const CRYPTO_BUFFER *buffer) {\n CRYPTO_BUFFER_up_ref(const_cast(buffer));\n return const_cast(buffer);\n}\n\nUniquePtr ssl_credential_st::Dup() const {\n assert(type == SSLCredentialType::kX509);\n UniquePtr ret = MakeUnique(type);\n if (ret == nullptr) {\n return nullptr;\n }\n\n ret->pubkey = UpRef(pubkey);\n ret->privkey = UpRef(privkey);\n ret->key_method = key_method;\n if (!ret->sigalgs.CopyFrom(sigalgs)) {\n return nullptr;\n }\n\n if (chain) {\n ret->chain.reset(sk_CRYPTO_BUFFER_deep_copy(chain.get(), buffer_up_ref,\n CRYPTO_BUFFER_free));\n if (!ret->chain) {\n return nullptr;\n }\n }\n\n ret->dc = UpRef(dc);\n ret->signed_cert_timestamp_list = UpRef(signed_cert_timestamp_list);\n ret->ocsp_response = UpRef(ocsp_response);\n ret->dc_algorithm = dc_algorithm;\n return ret;\n}\n\nvoid ssl_credential_st::ClearCertAndKey() {\n pubkey = nullptr;\n privkey = nullptr;\n key_method = nullptr;\n chain = nullptr;\n}\n\nbool ssl_credential_st::UsesX509() const {\n // Currently, all credential types use X.509. However, we may add other\n // certificate types in the future. Add the checks in the setters now, so we\n // don't forget.\n return true;\n}\n\nbool ssl_credential_st::UsesPrivateKey() const {\n // Currently, all credential types use private keys. However, we may add PSK\n return true;\n}\n\nbool ssl_credential_st::IsComplete() const {\n // APIs like |SSL_use_certificate| and |SSL_set1_chain| configure the leaf and\n // other certificates separately. It is possible for |chain| have a null leaf.\n if (UsesX509() && (sk_CRYPTO_BUFFER_num(chain.get()) == 0 ||\n sk_CRYPTO_BUFFER_value(chain.get(), 0) == nullptr)) {\n return false;\n }\n // We must have successfully extracted a public key from the certificate,\n // delegated credential, etc.\n if (UsesPrivateKey() && pubkey == nullptr) {\n return false;\n }\n if (UsesPrivateKey() && privkey == nullptr && key_method == nullptr) {\n return false;\n }\n if (type == SSLCredentialType::kDelegated && dc == nullptr) {\n return false;\n }\n return true;\n}\n\nbool ssl_credential_st::SetLeafCert(UniquePtr leaf,\n bool discard_key_on_mismatch) {\n if (!UsesX509()) {\n OPENSSL_PUT_ERROR(SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);\n return false;\n }\n\n const bool private_key_matches_leaf = type != SSLCredentialType::kDelegated;\n\n CBS cbs;\n CRYPTO_BUFFER_init_CBS(leaf.get(), &cbs);\n UniquePtr new_pubkey = ssl_cert_parse_pubkey(&cbs);\n if (new_pubkey == nullptr) {\n return false;\n }\n\n if (!ssl_is_key_type_supported(EVP_PKEY_id(new_pubkey.get()))) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_UNKNOWN_CERTIFICATE_TYPE);\n return false;\n }\n\n // An ECC certificate may be usable for ECDH or ECDSA. We only support ECDSA\n // certificates, so sanity-check the key usage extension.\n if (EVP_PKEY_id(new_pubkey.get()) == EVP_PKEY_EC &&\n !ssl_cert_check_key_usage(&cbs, key_usage_digital_signature)) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_UNKNOWN_CERTIFICATE_TYPE);\n return false;\n }\n\n if (private_key_matches_leaf && privkey != nullptr &&\n !ssl_compare_public_and_private_key(new_pubkey.get(), privkey.get())) {\n if (!discard_key_on_mismatch) {\n return false;\n }\n ERR_clear_error();\n privkey = nullptr;\n }\n\n if (chain == nullptr) {\n chain = new_leafless_chain();\n if (chain == nullptr) {\n return false;\n }\n }\n\n CRYPTO_BUFFER_free(sk_CRYPTO_BUFFER_value(chain.get(), 0));\n sk_CRYPTO_BUFFER_set(chain.get(), 0, leaf.release());\n if (private_key_matches_leaf) {\n pubkey = std::move(new_pubkey);\n }\n return true;\n}\n\nvoid ssl_credential_st::ClearIntermediateCerts() {\n if (chain == nullptr) {\n return;\n }\n\n while (sk_CRYPTO_BUFFER_num(chain.get()) > 1) {\n CRYPTO_BUFFER_free(sk_CRYPTO_BUFFER_pop(chain.get()));\n }\n}\n\nbool ssl_credential_st::ChainContainsIssuer(\n bssl::Span dn) const {\n if (UsesX509()) {\n // TODO(bbe) This is used for matching a chain by CA name for the CA\n // extension. If we require a chain to be present, we could remove any\n // remaining parts of the chain after the found issuer, on the assumption\n // that the peer sending the CA extension has the issuer in their trust\n // store and does not need us to waste bytes on the wire.\n CBS dn_cbs;\n CBS_init(&dn_cbs, dn.data(), dn.size());\n for (size_t i = 0; i < sk_CRYPTO_BUFFER_num(chain.get()); i++) {\n const CRYPTO_BUFFER *cert = sk_CRYPTO_BUFFER_value(chain.get(), i);\n CBS cert_cbs;\n CRYPTO_BUFFER_init_CBS(cert, &cert_cbs);\n if (ssl_cert_matches_issuer(&cert_cbs, &dn_cbs)) {\n return true;\n }\n }\n }\n return false;\n}\n\nbool ssl_credential_st::AppendIntermediateCert(UniquePtr cert) {\n if (!UsesX509()) {\n OPENSSL_PUT_ERROR(SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);\n return false;\n }\n\n if (chain == nullptr) {\n chain = new_leafless_chain();\n if (chain == nullptr) {\n return false;\n }\n }\n\n return PushToStack(chain.get(), std::move(cert));\n}\n\nSSL_CREDENTIAL *SSL_CREDENTIAL_new_x509(void) {\n return New(SSLCredentialType::kX509);\n}\n\nSSL_CREDENTIAL *SSL_CREDENTIAL_new_delegated(void) {\n return New(SSLCredentialType::kDelegated);\n}\n\nvoid SSL_CREDENTIAL_up_ref(SSL_CREDENTIAL *cred) { cred->UpRefInternal(); }\n\nvoid SSL_CREDENTIAL_free(SSL_CREDENTIAL *cred) {\n if (cred != nullptr) {\n cred->DecRefInternal();\n }\n}\n\nint SSL_CREDENTIAL_set1_private_key(SSL_CREDENTIAL *cred, EVP_PKEY *key) {\n if (!cred->UsesPrivateKey()) {\n OPENSSL_PUT_ERROR(SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);\n return 0;\n }\n\n // If the public half has been configured, check |key| matches. |pubkey| will\n // have been extracted from the certificate, delegated credential, etc.\n if (cred->pubkey != nullptr &&\n !ssl_compare_public_and_private_key(cred->pubkey.get(), key)) {\n return false;\n }\n\n cred->privkey = UpRef(key);\n cred->key_method = nullptr;\n return 1;\n}\n\nint SSL_CREDENTIAL_set_private_key_method(\n SSL_CREDENTIAL *cred, const SSL_PRIVATE_KEY_METHOD *key_method) {\n if (!cred->UsesPrivateKey()) {\n OPENSSL_PUT_ERROR(SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);\n return 0;\n }\n\n cred->privkey = nullptr;\n cred->key_method = key_method;\n return 1;\n}\n\nint SSL_CREDENTIAL_set1_cert_chain(SSL_CREDENTIAL *cred,\n CRYPTO_BUFFER *const *certs,\n size_t num_certs) {\n if (!cred->UsesX509() || num_certs == 0) {\n OPENSSL_PUT_ERROR(SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);\n return 0;\n }\n\n if (!cred->SetLeafCert(UpRef(certs[0]), /*discard_key_on_mismatch=*/false)) {\n return 0;\n }\n\n cred->ClearIntermediateCerts();\n for (size_t i = 1; i < num_certs; i++) {\n if (!cred->AppendIntermediateCert(UpRef(certs[i]))) {\n return 0;\n }\n }\n\n return 1;\n}\n\nint SSL_CREDENTIAL_set1_delegated_credential(SSL_CREDENTIAL *cred,\n CRYPTO_BUFFER *dc) {\n if (cred->type != SSLCredentialType::kDelegated) {\n OPENSSL_PUT_ERROR(SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);\n return 0;\n }\n\n // Parse the delegated credential to check for validity, and extract a few\n // fields from it. See RFC 9345, section 4.\n CBS cbs, spki, sig;\n uint32_t valid_time;\n uint16_t dc_cert_verify_algorithm, algorithm;\n CRYPTO_BUFFER_init_CBS(dc, &cbs);\n if (!CBS_get_u32(&cbs, &valid_time) ||\n !CBS_get_u16(&cbs, &dc_cert_verify_algorithm) ||\n !CBS_get_u24_length_prefixed(&cbs, &spki) ||\n !CBS_get_u16(&cbs, &algorithm) ||\n !CBS_get_u16_length_prefixed(&cbs, &sig) || //\n CBS_len(&sig) == 0 || //\n CBS_len(&cbs) != 0) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);\n return 0;\n }\n\n // RFC 9345 forbids algorithms that use the rsaEncryption OID. As the\n // RSASSA-PSS OID is unusably complicated, this effectively means we will not\n // support RSA delegated credentials.\n if (SSL_get_signature_algorithm_key_type(dc_cert_verify_algorithm) ==\n EVP_PKEY_RSA) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SIGNATURE_ALGORITHM);\n return 0;\n }\n\n UniquePtr pubkey(EVP_parse_public_key(&spki));\n if (pubkey == nullptr || CBS_len(&spki) != 0) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);\n return 0;\n }\n\n if (!cred->sigalgs.CopyFrom(Span(&dc_cert_verify_algorithm, 1))) {\n return 0;\n }\n\n if (cred->privkey != nullptr &&\n !ssl_compare_public_and_private_key(pubkey.get(), cred->privkey.get())) {\n return 0;\n }\n\n cred->dc = UpRef(dc);\n cred->pubkey = std::move(pubkey);\n cred->dc_algorithm = algorithm;\n return 1;\n}\n\nint SSL_CREDENTIAL_set1_ocsp_response(SSL_CREDENTIAL *cred,\n CRYPTO_BUFFER *ocsp) {\n if (!cred->UsesX509()) {\n OPENSSL_PUT_ERROR(SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);\n return 0;\n }\n\n cred->ocsp_response = UpRef(ocsp);\n return 1;\n}\n\nint SSL_CREDENTIAL_set1_signed_cert_timestamp_list(SSL_CREDENTIAL *cred,\n CRYPTO_BUFFER *sct_list) {\n if (!cred->UsesX509()) {\n OPENSSL_PUT_ERROR(SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);\n return 0;\n }\n\n CBS cbs;\n CRYPTO_BUFFER_init_CBS(sct_list, &cbs);\n if (!ssl_is_sct_list_valid(&cbs)) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SCT_LIST);\n return 0;\n }\n\n cred->signed_cert_timestamp_list = UpRef(sct_list);\n return 1;\n}\n\nint SSL_CTX_add1_credential(SSL_CTX *ctx, SSL_CREDENTIAL *cred) {\n if (!cred->IsComplete()) {\n OPENSSL_PUT_ERROR(SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);\n return 0;\n }\n return ctx->cert->credentials.Push(UpRef(cred));\n}\n\nint SSL_add1_credential(SSL *ssl, SSL_CREDENTIAL *cred) {\n if (ssl->config == nullptr) {\n return 0;\n }\n\n if (!cred->IsComplete()) {\n OPENSSL_PUT_ERROR(SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);\n return 0;\n }\n return ssl->config->cert->credentials.Push(UpRef(cred));\n}\n\nconst SSL_CREDENTIAL *SSL_get0_selected_credential(const SSL *ssl) {\n if (ssl->s3->hs == nullptr) {\n return nullptr;\n }\n return ssl->s3->hs->credential.get();\n}\n\nint SSL_CREDENTIAL_get_ex_new_index(long argl, void *argp,\n CRYPTO_EX_unused *unused,\n CRYPTO_EX_dup *dup_unused,\n CRYPTO_EX_free *free_func) {\n return CRYPTO_get_ex_new_index_ex(&g_ex_data_class, argl, argp, free_func);\n}\n\nint SSL_CREDENTIAL_set_ex_data(SSL_CREDENTIAL *cred, int idx, void *arg) {\n return CRYPTO_set_ex_data(&cred->ex_data, idx, arg);\n}\n\nvoid *SSL_CREDENTIAL_get_ex_data(const SSL_CREDENTIAL *cred, int idx) {\n return CRYPTO_get_ex_data(&cred->ex_data, idx);\n}\n\nvoid SSL_CREDENTIAL_set_must_match_issuer(SSL_CREDENTIAL *cred) {\n cred->must_match_issuer = true;\n}\n\nvoid SSL_CREDENTIAL_clear_must_match_issuer(SSL_CREDENTIAL *cred) {\n cred->must_match_issuer = false;\n}\n\nint SSL_CREDENTIAL_must_match_issuer(const SSL_CREDENTIAL *cred) {\n return cred->must_match_issuer ? 1 : 0;\n}\n" }, { "path": "Sources/CNIOBoringSSL/ssl/ssl_file.cc", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n#include \n\n#include \n#include \n#include \n#include \n#include \n#include \n#include \n\n#include \"internal.h\"\n\n\nstatic int xname_cmp(const X509_NAME *const *a, const X509_NAME *const *b) {\n return X509_NAME_cmp(*a, *b);\n}\n\nstatic int add_bio_cert_subjects_to_stack(STACK_OF(X509_NAME) *out, BIO *bio,\n bool allow_empty) {\n // This function historically sorted |out| after every addition and skipped\n // duplicates. This implementation preserves that behavior, but only sorts at\n // the end, to avoid a quadratic running time. Existing duplicates in |out|\n // are preserved, but do not introduce new duplicates.\n bssl::UniquePtr to_append(sk_X509_NAME_new(xname_cmp));\n if (to_append == nullptr) {\n return 0;\n }\n\n // Temporarily switch the comparison function for |out|.\n struct RestoreCmpFunc {\n ~RestoreCmpFunc() { sk_X509_NAME_set_cmp_func(stack, old_cmp); }\n STACK_OF(X509_NAME) *stack;\n int (*old_cmp)(const X509_NAME *const *, const X509_NAME *const *);\n };\n RestoreCmpFunc restore = {out, sk_X509_NAME_set_cmp_func(out, xname_cmp)};\n\n sk_X509_NAME_sort(out);\n bool first = true;\n for (;;) {\n bssl::UniquePtr x509(\n PEM_read_bio_X509(bio, nullptr, nullptr, nullptr));\n if (x509 == nullptr) {\n if (first && !allow_empty) {\n return 0;\n }\n // TODO(davidben): This ignores PEM syntax errors. It should only succeed\n // on |PEM_R_NO_START_LINE|.\n ERR_clear_error();\n break;\n }\n first = false;\n\n X509_NAME *subject = X509_get_subject_name(x509.get());\n // Skip if already present in |out|. Duplicates in |to_append| will be\n // handled separately.\n if (sk_X509_NAME_find(out, /*out_index=*/NULL, subject)) {\n continue;\n }\n\n bssl::UniquePtr copy(X509_NAME_dup(subject));\n if (copy == nullptr ||\n !bssl::PushToStack(to_append.get(), std::move(copy))) {\n return 0;\n }\n }\n\n // Append |to_append| to |stack|, skipping any duplicates.\n sk_X509_NAME_sort(to_append.get());\n size_t num = sk_X509_NAME_num(to_append.get());\n for (size_t i = 0; i < num; i++) {\n bssl::UniquePtr name(sk_X509_NAME_value(to_append.get(), i));\n sk_X509_NAME_set(to_append.get(), i, nullptr);\n if (i + 1 < num &&\n X509_NAME_cmp(name.get(), sk_X509_NAME_value(to_append.get(), i + 1)) ==\n 0) {\n continue;\n }\n if (!bssl::PushToStack(out, std::move(name))) {\n return 0;\n }\n }\n\n // Sort |out| one last time, to preserve the historical behavior of\n // maintaining the sorted list.\n sk_X509_NAME_sort(out);\n return 1;\n}\n\nint SSL_add_bio_cert_subjects_to_stack(STACK_OF(X509_NAME) *out, BIO *bio) {\n return add_bio_cert_subjects_to_stack(out, bio, /*allow_empty=*/true);\n}\n\nSTACK_OF(X509_NAME) *SSL_load_client_CA_file(const char *file) {\n bssl::UniquePtr in(BIO_new_file(file, \"rb\"));\n if (in == nullptr) {\n return nullptr;\n }\n bssl::UniquePtr ret(sk_X509_NAME_new_null());\n if (ret == nullptr || //\n !add_bio_cert_subjects_to_stack(ret.get(), in.get(),\n /*allow_empty=*/false)) {\n return nullptr;\n }\n return ret.release();\n}\n\nint SSL_add_file_cert_subjects_to_stack(STACK_OF(X509_NAME) *out,\n const char *file) {\n bssl::UniquePtr in(BIO_new_file(file, \"rb\"));\n if (in == nullptr) {\n return 0;\n }\n return SSL_add_bio_cert_subjects_to_stack(out, in.get());\n}\n\nint SSL_use_certificate_file(SSL *ssl, const char *file, int type) {\n int reason_code;\n BIO *in;\n int ret = 0;\n X509 *x = NULL;\n\n in = BIO_new(BIO_s_file());\n if (in == NULL) {\n OPENSSL_PUT_ERROR(SSL, ERR_R_BUF_LIB);\n goto end;\n }\n\n if (BIO_read_filename(in, file) <= 0) {\n OPENSSL_PUT_ERROR(SSL, ERR_R_SYS_LIB);\n goto end;\n }\n\n if (type == SSL_FILETYPE_ASN1) {\n reason_code = ERR_R_ASN1_LIB;\n x = d2i_X509_bio(in, NULL);\n } else if (type == SSL_FILETYPE_PEM) {\n reason_code = ERR_R_PEM_LIB;\n x = PEM_read_bio_X509(in, NULL, ssl->ctx->default_passwd_callback,\n ssl->ctx->default_passwd_callback_userdata);\n } else {\n OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_SSL_FILETYPE);\n goto end;\n }\n\n if (x == NULL) {\n OPENSSL_PUT_ERROR(SSL, reason_code);\n goto end;\n }\n\n ret = SSL_use_certificate(ssl, x);\n\nend:\n X509_free(x);\n BIO_free(in);\n\n return ret;\n}\n\nint SSL_use_RSAPrivateKey_file(SSL *ssl, const char *file, int type) {\n int reason_code, ret = 0;\n BIO *in;\n RSA *rsa = NULL;\n\n in = BIO_new(BIO_s_file());\n if (in == NULL) {\n OPENSSL_PUT_ERROR(SSL, ERR_R_BUF_LIB);\n goto end;\n }\n\n if (BIO_read_filename(in, file) <= 0) {\n OPENSSL_PUT_ERROR(SSL, ERR_R_SYS_LIB);\n goto end;\n }\n\n if (type == SSL_FILETYPE_ASN1) {\n reason_code = ERR_R_ASN1_LIB;\n rsa = d2i_RSAPrivateKey_bio(in, NULL);\n } else if (type == SSL_FILETYPE_PEM) {\n reason_code = ERR_R_PEM_LIB;\n rsa =\n PEM_read_bio_RSAPrivateKey(in, NULL, ssl->ctx->default_passwd_callback,\n ssl->ctx->default_passwd_callback_userdata);\n } else {\n OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_SSL_FILETYPE);\n goto end;\n }\n\n if (rsa == NULL) {\n OPENSSL_PUT_ERROR(SSL, reason_code);\n goto end;\n }\n ret = SSL_use_RSAPrivateKey(ssl, rsa);\n RSA_free(rsa);\n\nend:\n BIO_free(in);\n return ret;\n}\n\nint SSL_use_PrivateKey_file(SSL *ssl, const char *file, int type) {\n int reason_code, ret = 0;\n BIO *in;\n EVP_PKEY *pkey = NULL;\n\n in = BIO_new(BIO_s_file());\n if (in == NULL) {\n OPENSSL_PUT_ERROR(SSL, ERR_R_BUF_LIB);\n goto end;\n }\n\n if (BIO_read_filename(in, file) <= 0) {\n OPENSSL_PUT_ERROR(SSL, ERR_R_SYS_LIB);\n goto end;\n }\n\n if (type == SSL_FILETYPE_PEM) {\n reason_code = ERR_R_PEM_LIB;\n pkey = PEM_read_bio_PrivateKey(in, NULL, ssl->ctx->default_passwd_callback,\n ssl->ctx->default_passwd_callback_userdata);\n } else if (type == SSL_FILETYPE_ASN1) {\n reason_code = ERR_R_ASN1_LIB;\n pkey = d2i_PrivateKey_bio(in, NULL);\n } else {\n OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_SSL_FILETYPE);\n goto end;\n }\n\n if (pkey == NULL) {\n OPENSSL_PUT_ERROR(SSL, reason_code);\n goto end;\n }\n ret = SSL_use_PrivateKey(ssl, pkey);\n EVP_PKEY_free(pkey);\n\nend:\n BIO_free(in);\n return ret;\n}\n\nint SSL_CTX_use_certificate_file(SSL_CTX *ctx, const char *file, int type) {\n int reason_code;\n BIO *in;\n int ret = 0;\n X509 *x = NULL;\n\n in = BIO_new(BIO_s_file());\n if (in == NULL) {\n OPENSSL_PUT_ERROR(SSL, ERR_R_BUF_LIB);\n goto end;\n }\n\n if (BIO_read_filename(in, file) <= 0) {\n OPENSSL_PUT_ERROR(SSL, ERR_R_SYS_LIB);\n goto end;\n }\n\n if (type == SSL_FILETYPE_ASN1) {\n reason_code = ERR_R_ASN1_LIB;\n x = d2i_X509_bio(in, NULL);\n } else if (type == SSL_FILETYPE_PEM) {\n reason_code = ERR_R_PEM_LIB;\n x = PEM_read_bio_X509(in, NULL, ctx->default_passwd_callback,\n ctx->default_passwd_callback_userdata);\n } else {\n OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_SSL_FILETYPE);\n goto end;\n }\n\n if (x == NULL) {\n OPENSSL_PUT_ERROR(SSL, reason_code);\n goto end;\n }\n\n ret = SSL_CTX_use_certificate(ctx, x);\n\nend:\n X509_free(x);\n BIO_free(in);\n return ret;\n}\n\nint SSL_CTX_use_RSAPrivateKey_file(SSL_CTX *ctx, const char *file, int type) {\n int reason_code, ret = 0;\n BIO *in;\n RSA *rsa = NULL;\n\n in = BIO_new(BIO_s_file());\n if (in == NULL) {\n OPENSSL_PUT_ERROR(SSL, ERR_R_BUF_LIB);\n goto end;\n }\n\n if (BIO_read_filename(in, file) <= 0) {\n OPENSSL_PUT_ERROR(SSL, ERR_R_SYS_LIB);\n goto end;\n }\n\n if (type == SSL_FILETYPE_ASN1) {\n reason_code = ERR_R_ASN1_LIB;\n rsa = d2i_RSAPrivateKey_bio(in, NULL);\n } else if (type == SSL_FILETYPE_PEM) {\n reason_code = ERR_R_PEM_LIB;\n rsa = PEM_read_bio_RSAPrivateKey(in, NULL, ctx->default_passwd_callback,\n ctx->default_passwd_callback_userdata);\n } else {\n OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_SSL_FILETYPE);\n goto end;\n }\n\n if (rsa == NULL) {\n OPENSSL_PUT_ERROR(SSL, reason_code);\n goto end;\n }\n ret = SSL_CTX_use_RSAPrivateKey(ctx, rsa);\n RSA_free(rsa);\n\nend:\n BIO_free(in);\n return ret;\n}\n\nint SSL_CTX_use_PrivateKey_file(SSL_CTX *ctx, const char *file, int type) {\n int reason_code, ret = 0;\n BIO *in;\n EVP_PKEY *pkey = NULL;\n\n in = BIO_new(BIO_s_file());\n if (in == NULL) {\n OPENSSL_PUT_ERROR(SSL, ERR_R_BUF_LIB);\n goto end;\n }\n\n if (BIO_read_filename(in, file) <= 0) {\n OPENSSL_PUT_ERROR(SSL, ERR_R_SYS_LIB);\n goto end;\n }\n\n if (type == SSL_FILETYPE_PEM) {\n reason_code = ERR_R_PEM_LIB;\n pkey = PEM_read_bio_PrivateKey(in, NULL, ctx->default_passwd_callback,\n ctx->default_passwd_callback_userdata);\n } else if (type == SSL_FILETYPE_ASN1) {\n reason_code = ERR_R_ASN1_LIB;\n pkey = d2i_PrivateKey_bio(in, NULL);\n } else {\n OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_SSL_FILETYPE);\n goto end;\n }\n\n if (pkey == NULL) {\n OPENSSL_PUT_ERROR(SSL, reason_code);\n goto end;\n }\n ret = SSL_CTX_use_PrivateKey(ctx, pkey);\n EVP_PKEY_free(pkey);\n\nend:\n BIO_free(in);\n return ret;\n}\n\n// Read a file that contains our certificate in \"PEM\" format, possibly followed\n// by a sequence of CA certificates that should be sent to the peer in the\n// Certificate message.\nint SSL_CTX_use_certificate_chain_file(SSL_CTX *ctx, const char *file) {\n BIO *in;\n int ret = 0;\n X509 *x = NULL;\n\n ERR_clear_error(); // clear error stack for SSL_CTX_use_certificate()\n\n in = BIO_new(BIO_s_file());\n if (in == NULL) {\n OPENSSL_PUT_ERROR(SSL, ERR_R_BUF_LIB);\n goto end;\n }\n\n if (BIO_read_filename(in, file) <= 0) {\n OPENSSL_PUT_ERROR(SSL, ERR_R_SYS_LIB);\n goto end;\n }\n\n x = PEM_read_bio_X509_AUX(in, NULL, ctx->default_passwd_callback,\n ctx->default_passwd_callback_userdata);\n if (x == NULL) {\n OPENSSL_PUT_ERROR(SSL, ERR_R_PEM_LIB);\n goto end;\n }\n\n ret = SSL_CTX_use_certificate(ctx, x);\n\n if (ERR_peek_error() != 0) {\n ret = 0; // Key/certificate mismatch doesn't imply ret==0 ...\n }\n\n if (ret) {\n // If we could set up our certificate, now proceed to the CA\n // certificates.\n X509 *ca;\n int r;\n uint32_t err;\n\n SSL_CTX_clear_chain_certs(ctx);\n\n while ((ca = PEM_read_bio_X509(in, NULL, ctx->default_passwd_callback,\n ctx->default_passwd_callback_userdata)) !=\n NULL) {\n r = SSL_CTX_add0_chain_cert(ctx, ca);\n if (!r) {\n X509_free(ca);\n ret = 0;\n goto end;\n }\n // Note that we must not free r if it was successfully added to the chain\n // (while we must free the main certificate, since its reference count is\n // increased by SSL_CTX_use_certificate).\n }\n\n // When the while loop ends, it's usually just EOF.\n err = ERR_peek_last_error();\n if (ERR_GET_LIB(err) == ERR_LIB_PEM &&\n ERR_GET_REASON(err) == PEM_R_NO_START_LINE) {\n ERR_clear_error();\n } else {\n ret = 0; // some real error\n }\n }\n\nend:\n X509_free(x);\n BIO_free(in);\n return ret;\n}\n\nvoid SSL_CTX_set_default_passwd_cb(SSL_CTX *ctx, pem_password_cb *cb) {\n ctx->default_passwd_callback = cb;\n}\n\npem_password_cb *SSL_CTX_get_default_passwd_cb(const SSL_CTX *ctx) {\n return ctx->default_passwd_callback;\n}\n\nvoid SSL_CTX_set_default_passwd_cb_userdata(SSL_CTX *ctx, void *data) {\n ctx->default_passwd_callback_userdata = data;\n}\n\nvoid *SSL_CTX_get_default_passwd_cb_userdata(const SSL_CTX *ctx) {\n return ctx->default_passwd_callback_userdata;\n}\n" }, { "path": "Sources/CNIOBoringSSL/ssl/ssl_key_share.cc", "content": "/* Copyright 2015 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n#include \n\n#include \n#include \n\n#include \n\n#include \n#include \n#include \n#include \n#include \n#define OPENSSL_UNSTABLE_EXPERIMENTAL_KYBER\n#include \n#include \n#include \n#include \n#include \n#include \n#include \n\n#include \"../crypto/internal.h\"\n#include \"internal.h\"\n\nBSSL_NAMESPACE_BEGIN\n\nnamespace {\n\nclass ECKeyShare : public SSLKeyShare {\n public:\n ECKeyShare(const EC_GROUP *group, uint16_t group_id)\n : group_(group), group_id_(group_id) {}\n\n uint16_t GroupID() const override { return group_id_; }\n\n bool Generate(CBB *out) override {\n assert(!private_key_);\n // Generate a private key.\n private_key_.reset(BN_new());\n if (!private_key_ ||\n !BN_rand_range_ex(private_key_.get(), 1, EC_GROUP_get0_order(group_))) {\n return false;\n }\n\n // Compute the corresponding public key and serialize it.\n UniquePtr public_key(EC_POINT_new(group_));\n if (!public_key ||\n !EC_POINT_mul(group_, public_key.get(), private_key_.get(), nullptr,\n nullptr, /*ctx=*/nullptr) ||\n !EC_POINT_point2cbb(out, group_, public_key.get(),\n POINT_CONVERSION_UNCOMPRESSED, /*ctx=*/nullptr)) {\n return false;\n }\n\n return true;\n }\n\n bool Encap(CBB *out_ciphertext, Array *out_secret,\n uint8_t *out_alert, Span peer_key) override {\n // ECDH may be fit into a KEM-like abstraction by using a second keypair's\n // public key as the ciphertext.\n *out_alert = SSL_AD_INTERNAL_ERROR;\n return Generate(out_ciphertext) && Decap(out_secret, out_alert, peer_key);\n }\n\n bool Decap(Array *out_secret, uint8_t *out_alert,\n Span ciphertext) override {\n assert(group_);\n assert(private_key_);\n *out_alert = SSL_AD_INTERNAL_ERROR;\n\n UniquePtr peer_point(EC_POINT_new(group_));\n UniquePtr result(EC_POINT_new(group_));\n UniquePtr x(BN_new());\n if (!peer_point || !result || !x) {\n return false;\n }\n\n if (ciphertext.empty() || ciphertext[0] != POINT_CONVERSION_UNCOMPRESSED ||\n !EC_POINT_oct2point(group_, peer_point.get(), ciphertext.data(),\n ciphertext.size(), /*ctx=*/nullptr)) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_ECPOINT);\n *out_alert = SSL_AD_ILLEGAL_PARAMETER;\n return false;\n }\n\n // Compute the x-coordinate of |peer_key| * |private_key_|.\n if (!EC_POINT_mul(group_, result.get(), nullptr, peer_point.get(),\n private_key_.get(), /*ctx=*/nullptr) ||\n !EC_POINT_get_affine_coordinates_GFp(group_, result.get(), x.get(),\n nullptr, /*ctx=*/nullptr)) {\n return false;\n }\n\n // Encode the x-coordinate left-padded with zeros.\n Array secret;\n if (!secret.InitForOverwrite((EC_GROUP_get_degree(group_) + 7) / 8) ||\n !BN_bn2bin_padded(secret.data(), secret.size(), x.get())) {\n return false;\n }\n\n *out_secret = std::move(secret);\n return true;\n }\n\n bool SerializePrivateKey(CBB *out) override {\n assert(group_);\n assert(private_key_);\n // Padding is added to avoid leaking the length.\n size_t len = BN_num_bytes(EC_GROUP_get0_order(group_));\n return BN_bn2cbb_padded(out, len, private_key_.get());\n }\n\n bool DeserializePrivateKey(CBS *in) override {\n assert(!private_key_);\n private_key_.reset(BN_bin2bn(CBS_data(in), CBS_len(in), nullptr));\n return private_key_ != nullptr;\n }\n\n private:\n UniquePtr private_key_;\n const EC_GROUP *const group_ = nullptr;\n uint16_t group_id_;\n};\n\nclass X25519KeyShare : public SSLKeyShare {\n public:\n X25519KeyShare() {}\n\n uint16_t GroupID() const override { return SSL_GROUP_X25519; }\n\n bool Generate(CBB *out) override {\n uint8_t public_key[32];\n X25519_keypair(public_key, private_key_);\n return !!CBB_add_bytes(out, public_key, sizeof(public_key));\n }\n\n bool Encap(CBB *out_ciphertext, Array *out_secret,\n uint8_t *out_alert, Span peer_key) override {\n // X25519 may be fit into a KEM-like abstraction by using a second keypair's\n // public key as the ciphertext.\n *out_alert = SSL_AD_INTERNAL_ERROR;\n return Generate(out_ciphertext) && Decap(out_secret, out_alert, peer_key);\n }\n\n bool Decap(Array *out_secret, uint8_t *out_alert,\n Span ciphertext) override {\n *out_alert = SSL_AD_INTERNAL_ERROR;\n\n Array secret;\n if (!secret.InitForOverwrite(32)) {\n return false;\n }\n\n if (ciphertext.size() != 32 || //\n !X25519(secret.data(), private_key_, ciphertext.data())) {\n *out_alert = SSL_AD_ILLEGAL_PARAMETER;\n OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_ECPOINT);\n return false;\n }\n\n *out_secret = std::move(secret);\n return true;\n }\n\n bool SerializePrivateKey(CBB *out) override {\n return CBB_add_bytes(out, private_key_, sizeof(private_key_));\n }\n\n bool DeserializePrivateKey(CBS *in) override {\n if (CBS_len(in) != sizeof(private_key_) ||\n !CBS_copy_bytes(in, private_key_, sizeof(private_key_))) {\n return false;\n }\n return true;\n }\n\n private:\n uint8_t private_key_[32];\n};\n\n// draft-tls-westerbaan-xyber768d00-03\nclass X25519Kyber768KeyShare : public SSLKeyShare {\n public:\n X25519Kyber768KeyShare() {}\n\n uint16_t GroupID() const override {\n return SSL_GROUP_X25519_KYBER768_DRAFT00;\n }\n\n bool Generate(CBB *out) override {\n uint8_t x25519_public_key[32];\n X25519_keypair(x25519_public_key, x25519_private_key_);\n\n uint8_t kyber_public_key[KYBER_PUBLIC_KEY_BYTES];\n KYBER_generate_key(kyber_public_key, &kyber_private_key_);\n\n if (!CBB_add_bytes(out, x25519_public_key, sizeof(x25519_public_key)) ||\n !CBB_add_bytes(out, kyber_public_key, sizeof(kyber_public_key))) {\n return false;\n }\n\n return true;\n }\n\n bool Encap(CBB *out_ciphertext, Array *out_secret,\n uint8_t *out_alert, Span peer_key) override {\n Array secret;\n if (!secret.InitForOverwrite(32 + KYBER_SHARED_SECRET_BYTES)) {\n return false;\n }\n\n uint8_t x25519_public_key[32];\n X25519_keypair(x25519_public_key, x25519_private_key_);\n KYBER_public_key peer_kyber_pub;\n CBS peer_key_cbs, peer_x25519_cbs, peer_kyber_cbs;\n CBS_init(&peer_key_cbs, peer_key.data(), peer_key.size());\n if (!CBS_get_bytes(&peer_key_cbs, &peer_x25519_cbs, 32) ||\n !CBS_get_bytes(&peer_key_cbs, &peer_kyber_cbs,\n KYBER_PUBLIC_KEY_BYTES) ||\n CBS_len(&peer_key_cbs) != 0 ||\n !X25519(secret.data(), x25519_private_key_,\n CBS_data(&peer_x25519_cbs)) ||\n !KYBER_parse_public_key(&peer_kyber_pub, &peer_kyber_cbs)) {\n *out_alert = SSL_AD_ILLEGAL_PARAMETER;\n OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_ECPOINT);\n return false;\n }\n\n uint8_t kyber_ciphertext[KYBER_CIPHERTEXT_BYTES];\n KYBER_encap(kyber_ciphertext, secret.data() + 32, &peer_kyber_pub);\n\n if (!CBB_add_bytes(out_ciphertext, x25519_public_key,\n sizeof(x25519_public_key)) ||\n !CBB_add_bytes(out_ciphertext, kyber_ciphertext,\n sizeof(kyber_ciphertext))) {\n return false;\n }\n\n *out_secret = std::move(secret);\n return true;\n }\n\n bool Decap(Array *out_secret, uint8_t *out_alert,\n Span ciphertext) override {\n *out_alert = SSL_AD_INTERNAL_ERROR;\n\n Array secret;\n if (!secret.InitForOverwrite(32 + KYBER_SHARED_SECRET_BYTES)) {\n return false;\n }\n\n if (ciphertext.size() != 32 + KYBER_CIPHERTEXT_BYTES ||\n !X25519(secret.data(), x25519_private_key_, ciphertext.data())) {\n *out_alert = SSL_AD_ILLEGAL_PARAMETER;\n OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_ECPOINT);\n return false;\n }\n\n KYBER_decap(secret.data() + 32, ciphertext.data() + 32,\n &kyber_private_key_);\n *out_secret = std::move(secret);\n return true;\n }\n\n private:\n uint8_t x25519_private_key_[32];\n KYBER_private_key kyber_private_key_;\n};\n\n// draft-kwiatkowski-tls-ecdhe-mlkem-01\nclass X25519MLKEM768KeyShare : public SSLKeyShare {\n public:\n X25519MLKEM768KeyShare() {}\n\n uint16_t GroupID() const override { return SSL_GROUP_X25519_MLKEM768; }\n\n bool Generate(CBB *out) override {\n uint8_t mlkem_public_key[MLKEM768_PUBLIC_KEY_BYTES];\n MLKEM768_generate_key(mlkem_public_key, /*optional_out_seed=*/nullptr,\n &mlkem_private_key_);\n\n uint8_t x25519_public_key[X25519_PUBLIC_VALUE_LEN];\n X25519_keypair(x25519_public_key, x25519_private_key_);\n\n if (!CBB_add_bytes(out, mlkem_public_key, sizeof(mlkem_public_key)) ||\n !CBB_add_bytes(out, x25519_public_key, sizeof(x25519_public_key))) {\n return false;\n }\n\n return true;\n }\n\n bool Encap(CBB *out_ciphertext, Array *out_secret,\n uint8_t *out_alert, Span peer_key) override {\n Array secret;\n if (!secret.InitForOverwrite(MLKEM_SHARED_SECRET_BYTES +\n X25519_SHARED_KEY_LEN)) {\n return false;\n }\n\n MLKEM768_public_key peer_mlkem_pub;\n uint8_t x25519_public_key[X25519_PUBLIC_VALUE_LEN];\n X25519_keypair(x25519_public_key, x25519_private_key_);\n CBS peer_key_cbs, peer_mlkem_cbs, peer_x25519_cbs;\n CBS_init(&peer_key_cbs, peer_key.data(), peer_key.size());\n if (!CBS_get_bytes(&peer_key_cbs, &peer_mlkem_cbs,\n MLKEM768_PUBLIC_KEY_BYTES) ||\n !MLKEM768_parse_public_key(&peer_mlkem_pub, &peer_mlkem_cbs) ||\n !CBS_get_bytes(&peer_key_cbs, &peer_x25519_cbs,\n X25519_PUBLIC_VALUE_LEN) ||\n CBS_len(&peer_key_cbs) != 0 ||\n !X25519(secret.data() + MLKEM_SHARED_SECRET_BYTES, x25519_private_key_,\n CBS_data(&peer_x25519_cbs))) {\n *out_alert = SSL_AD_ILLEGAL_PARAMETER;\n OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_ECPOINT);\n return false;\n }\n\n uint8_t mlkem_ciphertext[MLKEM768_CIPHERTEXT_BYTES];\n MLKEM768_encap(mlkem_ciphertext, secret.data(), &peer_mlkem_pub);\n\n if (!CBB_add_bytes(out_ciphertext, mlkem_ciphertext,\n sizeof(mlkem_ciphertext)) ||\n !CBB_add_bytes(out_ciphertext, x25519_public_key,\n sizeof(x25519_public_key))) {\n return false;\n }\n\n *out_secret = std::move(secret);\n return true;\n }\n\n bool Decap(Array *out_secret, uint8_t *out_alert,\n Span ciphertext) override {\n *out_alert = SSL_AD_INTERNAL_ERROR;\n\n Array secret;\n if (!secret.InitForOverwrite(MLKEM_SHARED_SECRET_BYTES +\n X25519_SHARED_KEY_LEN)) {\n return false;\n }\n\n if (ciphertext.size() !=\n MLKEM768_CIPHERTEXT_BYTES + X25519_PUBLIC_VALUE_LEN ||\n !MLKEM768_decap(secret.data(), ciphertext.data(),\n MLKEM768_CIPHERTEXT_BYTES, &mlkem_private_key_) ||\n !X25519(secret.data() + MLKEM_SHARED_SECRET_BYTES, x25519_private_key_,\n ciphertext.data() + MLKEM768_CIPHERTEXT_BYTES)) {\n *out_alert = SSL_AD_ILLEGAL_PARAMETER;\n OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_ECPOINT);\n return false;\n }\n\n *out_secret = std::move(secret);\n return true;\n }\n\n private:\n uint8_t x25519_private_key_[32];\n MLKEM768_private_key mlkem_private_key_;\n};\n\nconstexpr NamedGroup kNamedGroups[] = {\n {NID_secp224r1, SSL_GROUP_SECP224R1, \"P-224\", \"secp224r1\"},\n {NID_X9_62_prime256v1, SSL_GROUP_SECP256R1, \"P-256\", \"prime256v1\"},\n {NID_secp384r1, SSL_GROUP_SECP384R1, \"P-384\", \"secp384r1\"},\n {NID_secp521r1, SSL_GROUP_SECP521R1, \"P-521\", \"secp521r1\"},\n {NID_X25519, SSL_GROUP_X25519, \"X25519\", \"x25519\"},\n {NID_X25519Kyber768Draft00, SSL_GROUP_X25519_KYBER768_DRAFT00,\n \"X25519Kyber768Draft00\", \"\"},\n {NID_X25519MLKEM768, SSL_GROUP_X25519_MLKEM768, \"X25519MLKEM768\", \"\"},\n};\n\n} // namespace\n\nSpan NamedGroups() { return kNamedGroups; }\n\nUniquePtr SSLKeyShare::Create(uint16_t group_id) {\n switch (group_id) {\n case SSL_GROUP_SECP224R1:\n return MakeUnique(EC_group_p224(), SSL_GROUP_SECP224R1);\n case SSL_GROUP_SECP256R1:\n return MakeUnique(EC_group_p256(), SSL_GROUP_SECP256R1);\n case SSL_GROUP_SECP384R1:\n return MakeUnique(EC_group_p384(), SSL_GROUP_SECP384R1);\n case SSL_GROUP_SECP521R1:\n return MakeUnique(EC_group_p521(), SSL_GROUP_SECP521R1);\n case SSL_GROUP_X25519:\n return MakeUnique();\n case SSL_GROUP_X25519_KYBER768_DRAFT00:\n return MakeUnique();\n case SSL_GROUP_X25519_MLKEM768:\n return MakeUnique();\n default:\n return nullptr;\n }\n}\n\nbool ssl_nid_to_group_id(uint16_t *out_group_id, int nid) {\n for (const auto &group : kNamedGroups) {\n if (group.nid == nid) {\n *out_group_id = group.group_id;\n return true;\n }\n }\n return false;\n}\n\nbool ssl_name_to_group_id(uint16_t *out_group_id, const char *name,\n size_t len) {\n for (const auto &group : kNamedGroups) {\n if (len == strlen(group.name) && //\n !strncmp(group.name, name, len)) {\n *out_group_id = group.group_id;\n return true;\n }\n if (strlen(group.alias) > 0 && len == strlen(group.alias) &&\n !strncmp(group.alias, name, len)) {\n *out_group_id = group.group_id;\n return true;\n }\n }\n return false;\n}\n\nint ssl_group_id_to_nid(uint16_t group_id) {\n for (const auto &group : kNamedGroups) {\n if (group.group_id == group_id) {\n return group.nid;\n }\n }\n return NID_undef;\n}\n\nBSSL_NAMESPACE_END\n\nusing namespace bssl;\n\nconst char *SSL_get_group_name(uint16_t group_id) {\n for (const auto &group : kNamedGroups) {\n if (group.group_id == group_id) {\n return group.name;\n }\n }\n return nullptr;\n}\n\nsize_t SSL_get_all_group_names(const char **out, size_t max_out) {\n return GetAllNames(out, max_out, Span(), &NamedGroup::name,\n Span(kNamedGroups));\n}\n" }, { "path": "Sources/CNIOBoringSSL/ssl/ssl_lib.cc", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved.\n * Copyright 2005 Nokia. All rights reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n\n#include \n#include \n#include \n#include \n\n#include \n#include \n#include \n#include \n#include \n#include \n\n#include \"../crypto/internal.h\"\n#include \"internal.h\"\n\n#if defined(OPENSSL_WINDOWS)\n#include \n#else\n#include \n#include \n#endif\n\n\nBSSL_NAMESPACE_BEGIN\n\nstatic_assert(SSL3_RT_MAX_ENCRYPTED_OVERHEAD >=\n SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD,\n \"max overheads are inconsistent\");\n\n// |SSL_R_UNKNOWN_PROTOCOL| is no longer emitted, but continue to define it\n// to avoid downstream churn.\nOPENSSL_DECLARE_ERROR_REASON(SSL, UNKNOWN_PROTOCOL)\n\n// The following errors are no longer emitted, but are used in nginx without\n// #ifdefs.\nOPENSSL_DECLARE_ERROR_REASON(SSL, BLOCK_CIPHER_PAD_IS_WRONG)\nOPENSSL_DECLARE_ERROR_REASON(SSL, NO_CIPHERS_SPECIFIED)\n\n// Some error codes are special. Ensure the make_errors.go script never\n// regresses this.\nstatic_assert(SSL_R_TLSV1_ALERT_NO_RENEGOTIATION ==\n SSL_AD_NO_RENEGOTIATION + SSL_AD_REASON_OFFSET,\n \"alert reason code mismatch\");\n\n// kMaxHandshakeSize is the maximum size, in bytes, of a handshake message.\nstatic const size_t kMaxHandshakeSize = (1u << 24) - 1;\n\nstatic CRYPTO_EX_DATA_CLASS g_ex_data_class_ssl =\n CRYPTO_EX_DATA_CLASS_INIT_WITH_APP_DATA;\nstatic CRYPTO_EX_DATA_CLASS g_ex_data_class_ssl_ctx =\n CRYPTO_EX_DATA_CLASS_INIT_WITH_APP_DATA;\n\nbool CBBFinishArray(CBB *cbb, Array *out) {\n uint8_t *ptr;\n size_t len;\n if (!CBB_finish(cbb, &ptr, &len)) {\n OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);\n return false;\n }\n out->Reset(ptr, len);\n return true;\n}\n\nvoid ssl_reset_error_state(SSL *ssl) {\n // Functions which use |SSL_get_error| must reset I/O and error state on\n // entry.\n ssl->s3->rwstate = SSL_ERROR_NONE;\n ERR_clear_error();\n ERR_clear_system_error();\n}\n\nvoid ssl_set_read_error(SSL *ssl) {\n ssl->s3->read_shutdown = ssl_shutdown_error;\n ssl->s3->read_error.reset(ERR_save_state());\n}\n\nstatic bool check_read_error(const SSL *ssl) {\n if (ssl->s3->read_shutdown == ssl_shutdown_error) {\n ERR_restore_state(ssl->s3->read_error.get());\n return false;\n }\n return true;\n}\n\nbool ssl_can_write(const SSL *ssl) {\n return !SSL_in_init(ssl) || ssl->s3->hs->can_early_write;\n}\n\nbool ssl_can_read(const SSL *ssl) {\n return !SSL_in_init(ssl) || ssl->s3->hs->can_early_read;\n}\n\nssl_open_record_t ssl_open_handshake(SSL *ssl, size_t *out_consumed,\n uint8_t *out_alert, Span in) {\n *out_consumed = 0;\n if (!check_read_error(ssl)) {\n *out_alert = 0;\n return ssl_open_record_error;\n }\n auto ret = ssl->method->open_handshake(ssl, out_consumed, out_alert, in);\n if (ret == ssl_open_record_error) {\n ssl_set_read_error(ssl);\n }\n return ret;\n}\n\nssl_open_record_t ssl_open_change_cipher_spec(SSL *ssl, size_t *out_consumed,\n uint8_t *out_alert,\n Span in) {\n *out_consumed = 0;\n if (!check_read_error(ssl)) {\n *out_alert = 0;\n return ssl_open_record_error;\n }\n auto ret =\n ssl->method->open_change_cipher_spec(ssl, out_consumed, out_alert, in);\n if (ret == ssl_open_record_error) {\n ssl_set_read_error(ssl);\n }\n return ret;\n}\n\nssl_open_record_t ssl_open_app_data(SSL *ssl, Span *out,\n size_t *out_consumed, uint8_t *out_alert,\n Span in) {\n *out_consumed = 0;\n if (!check_read_error(ssl)) {\n *out_alert = 0;\n return ssl_open_record_error;\n }\n auto ret = ssl->method->open_app_data(ssl, out, out_consumed, out_alert, in);\n if (ret == ssl_open_record_error) {\n ssl_set_read_error(ssl);\n }\n return ret;\n}\n\nstatic uint8_t hex_char_consttime(uint8_t b) {\n declassify_assert(b < 16);\n return constant_time_select_8(constant_time_lt_8(b, 10), b + '0',\n b - 10 + 'a');\n}\n\nstatic bool cbb_add_hex_consttime(CBB *cbb, Span in) {\n uint8_t *out;\n if (!CBB_add_space(cbb, &out, in.size() * 2)) {\n return false;\n }\n\n for (uint8_t b : in) {\n *(out++) = hex_char_consttime(b >> 4);\n *(out++) = hex_char_consttime(b & 0xf);\n }\n\n return true;\n}\n\nbool ssl_log_secret(const SSL *ssl, const char *label,\n Span secret) {\n if (ssl->ctx->keylog_callback == NULL) {\n return true;\n }\n\n ScopedCBB cbb;\n Array line;\n auto label_bytes = bssl::StringAsBytes(label);\n if (!CBB_init(cbb.get(), strlen(label) + 1 + SSL3_RANDOM_SIZE * 2 + 1 +\n secret.size() * 2 + 1) ||\n !CBB_add_bytes(cbb.get(), label_bytes.data(), label_bytes.size()) ||\n !CBB_add_u8(cbb.get(), ' ') ||\n !cbb_add_hex_consttime(cbb.get(), ssl->s3->client_random) ||\n !CBB_add_u8(cbb.get(), ' ') ||\n // Convert to hex in constant time to avoid leaking |secret|. If the\n // callback discards the data, we should not introduce side channels.\n !cbb_add_hex_consttime(cbb.get(), secret) ||\n !CBB_add_u8(cbb.get(), 0 /* NUL */) ||\n !CBBFinishArray(cbb.get(), &line)) {\n return false;\n }\n\n ssl->ctx->keylog_callback(ssl, reinterpret_cast(line.data()));\n return true;\n}\n\nvoid ssl_do_info_callback(const SSL *ssl, int type, int value) {\n void (*cb)(const SSL *ssl, int type, int value) = NULL;\n if (ssl->info_callback != NULL) {\n cb = ssl->info_callback;\n } else if (ssl->ctx->info_callback != NULL) {\n cb = ssl->ctx->info_callback;\n }\n\n if (cb != NULL) {\n cb(ssl, type, value);\n }\n}\n\nvoid ssl_do_msg_callback(const SSL *ssl, int is_write, int content_type,\n Span in) {\n if (ssl->msg_callback == NULL) {\n return;\n }\n\n // |version| is zero when calling for |SSL3_RT_HEADER| and |SSL2_VERSION| for\n // a V2ClientHello.\n int version;\n switch (content_type) {\n case 0:\n // V2ClientHello\n version = SSL2_VERSION;\n break;\n case SSL3_RT_HEADER:\n version = 0;\n break;\n default:\n version = SSL_version(ssl);\n }\n\n ssl->msg_callback(is_write, version, content_type, in.data(), in.size(),\n const_cast(ssl), ssl->msg_callback_arg);\n}\n\nOPENSSL_timeval ssl_ctx_get_current_time(const SSL_CTX *ctx) {\n if (ctx->current_time_cb != NULL) {\n // TODO(davidben): Update current_time_cb to use OPENSSL_timeval. See\n // https://crbug.com/boringssl/155.\n struct timeval clock;\n ctx->current_time_cb(nullptr /* ssl */, &clock);\n if (clock.tv_sec < 0) {\n assert(0);\n return {0, 0};\n } else {\n return {static_cast(clock.tv_sec),\n static_cast(clock.tv_usec)};\n }\n }\n\n#if defined(BORINGSSL_UNSAFE_DETERMINISTIC_MODE)\n return {1234, 1234};\n#elif defined(OPENSSL_WINDOWS)\n struct _timeb time;\n _ftime(&time);\n if (time.time < 0) {\n assert(0);\n return {0, 0};\n } else {\n return {static_cast(time.time),\n static_cast(time.millitm * 1000)};\n }\n#else\n struct timeval clock;\n gettimeofday(&clock, NULL);\n if (clock.tv_sec < 0) {\n assert(0);\n return {0, 0};\n } else {\n return {static_cast(clock.tv_sec),\n static_cast(clock.tv_usec)};\n }\n#endif\n}\n\nvoid SSL_CTX_set_handoff_mode(SSL_CTX *ctx, bool on) { ctx->handoff = on; }\n\nstatic bool ssl_can_renegotiate(const SSL *ssl) {\n if (ssl->server || SSL_is_dtls(ssl)) {\n return false;\n }\n\n if (ssl->s3->version != 0 //\n && ssl_protocol_version(ssl) >= TLS1_3_VERSION) {\n return false;\n }\n\n // The config has already been shed.\n if (!ssl->config) {\n return false;\n }\n\n switch (ssl->renegotiate_mode) {\n case ssl_renegotiate_ignore:\n case ssl_renegotiate_never:\n return false;\n\n case ssl_renegotiate_freely:\n case ssl_renegotiate_explicit:\n return true;\n case ssl_renegotiate_once:\n return ssl->s3->total_renegotiations == 0;\n }\n\n assert(0);\n return false;\n}\n\nstatic void ssl_maybe_shed_handshake_config(SSL *ssl) {\n if (ssl->s3->hs != nullptr || //\n ssl->config == nullptr || //\n !ssl->config->shed_handshake_config || //\n ssl_can_renegotiate(ssl)) {\n return;\n }\n\n ssl->config.reset();\n}\n\nvoid SSL_set_handoff_mode(SSL *ssl, bool on) {\n if (!ssl->config) {\n return;\n }\n ssl->config->handoff = on;\n}\n\nbool SSL_get_traffic_secrets(const SSL *ssl,\n Span *out_read_traffic_secret,\n Span *out_write_traffic_secret) {\n // This API is not well-defined for DTLS 1.3 (see https://crbug.com/42290608)\n // or QUIC, where multiple epochs may be alive at once.\n if (SSL_is_dtls(ssl) || SSL_is_quic(ssl)) {\n OPENSSL_PUT_ERROR(SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);\n return false;\n }\n\n if (!ssl->s3->initial_handshake_complete) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_HANDSHAKE_NOT_COMPLETE);\n return false;\n }\n\n if (SSL_version(ssl) < TLS1_3_VERSION) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_SSL_VERSION);\n return false;\n }\n\n *out_read_traffic_secret = ssl->s3->read_traffic_secret;\n *out_write_traffic_secret = ssl->s3->write_traffic_secret;\n return true;\n}\n\nvoid SSL_CTX_set_aes_hw_override_for_testing(SSL_CTX *ctx,\n bool override_value) {\n ctx->aes_hw_override = true;\n ctx->aes_hw_override_value = override_value;\n}\n\nvoid SSL_set_aes_hw_override_for_testing(SSL *ssl, bool override_value) {\n ssl->config->aes_hw_override = true;\n ssl->config->aes_hw_override_value = override_value;\n}\n\nBSSL_NAMESPACE_END\n\nusing namespace bssl;\n\nint SSL_library_init(void) { return 1; }\n\nint OPENSSL_init_ssl(uint64_t opts, const OPENSSL_INIT_SETTINGS *settings) {\n return 1;\n}\n\nstatic uint32_t ssl_session_hash(const SSL_SESSION *sess) {\n return ssl_hash_session_id(sess->session_id);\n}\n\nstatic int ssl_session_cmp(const SSL_SESSION *a, const SSL_SESSION *b) {\n return Span(a->session_id) == b->session_id ? 0 : 1;\n}\n\nssl_ctx_st::ssl_ctx_st(const SSL_METHOD *ssl_method)\n : RefCounted(CheckSubClass()),\n method(ssl_method->method),\n x509_method(ssl_method->x509_method),\n retain_only_sha256_of_client_certs(false),\n quiet_shutdown(false),\n ocsp_stapling_enabled(false),\n signed_cert_timestamps_enabled(false),\n channel_id_enabled(false),\n grease_enabled(false),\n permute_extensions(false),\n allow_unknown_alpn_protos(false),\n false_start_allowed_without_alpn(false),\n handoff(false),\n enable_early_data(false),\n aes_hw_override(false),\n aes_hw_override_value(false) {\n CRYPTO_MUTEX_init(&lock);\n CRYPTO_new_ex_data(&ex_data);\n}\n\nssl_ctx_st::~ssl_ctx_st() {\n // Free the internal session cache. Note that this calls the caller-supplied\n // remove callback, so we must do it before clearing ex_data. (See ticket\n // [openssl.org #212].)\n SSL_CTX_flush_sessions(this, 0);\n\n CRYPTO_free_ex_data(&g_ex_data_class_ssl_ctx, this, &ex_data);\n\n CRYPTO_MUTEX_cleanup(&lock);\n lh_SSL_SESSION_free(sessions);\n x509_method->ssl_ctx_free(this);\n}\n\nSSL_CTX *SSL_CTX_new(const SSL_METHOD *method) {\n if (method == NULL) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_NULL_SSL_METHOD_PASSED);\n return nullptr;\n }\n\n UniquePtr ret = MakeUnique(method);\n if (!ret) {\n return nullptr;\n }\n\n ret->cert = MakeUnique(method->x509_method);\n ret->sessions = lh_SSL_SESSION_new(ssl_session_hash, ssl_session_cmp);\n ret->client_CA.reset(sk_CRYPTO_BUFFER_new_null());\n ret->CA_names.reset(sk_CRYPTO_BUFFER_new_null());\n if (ret->cert == nullptr || //\n !ret->cert->is_valid() || //\n ret->sessions == nullptr || //\n ret->client_CA == nullptr || //\n ret->CA_names == nullptr || //\n !ret->x509_method->ssl_ctx_new(ret.get())) {\n return nullptr;\n }\n\n if (!SSL_CTX_set_strict_cipher_list(ret.get(), SSL_DEFAULT_CIPHER_LIST) ||\n // Lock the SSL_CTX to the specified version, for compatibility with\n // legacy uses of SSL_METHOD.\n !SSL_CTX_set_max_proto_version(ret.get(), method->version) ||\n !SSL_CTX_set_min_proto_version(ret.get(), method->version)) {\n OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);\n return nullptr;\n }\n\n return ret.release();\n}\n\nint SSL_CTX_up_ref(SSL_CTX *ctx) {\n ctx->UpRefInternal();\n return 1;\n}\n\nvoid SSL_CTX_free(SSL_CTX *ctx) {\n if (ctx != nullptr) {\n ctx->DecRefInternal();\n }\n}\n\nssl_st::ssl_st(SSL_CTX *ctx_arg)\n : method(ctx_arg->method),\n max_send_fragment(ctx_arg->max_send_fragment),\n msg_callback(ctx_arg->msg_callback),\n msg_callback_arg(ctx_arg->msg_callback_arg),\n ctx(UpRef(ctx_arg)),\n session_ctx(UpRef(ctx_arg)),\n options(ctx->options),\n mode(ctx->mode),\n max_cert_list(ctx->max_cert_list),\n server(false),\n quiet_shutdown(ctx->quiet_shutdown),\n enable_early_data(ctx->enable_early_data) {\n CRYPTO_new_ex_data(&ex_data);\n}\n\nssl_st::~ssl_st() {\n CRYPTO_free_ex_data(&g_ex_data_class_ssl, this, &ex_data);\n // |config| refers to |this|, so we must release it earlier.\n config.reset();\n if (method != NULL) {\n method->ssl_free(this);\n }\n}\n\nSSL *SSL_new(SSL_CTX *ctx) {\n if (ctx == nullptr) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_NULL_SSL_CTX);\n return nullptr;\n }\n\n UniquePtr ssl = MakeUnique(ctx);\n if (ssl == nullptr) {\n return nullptr;\n }\n\n ssl->config = MakeUnique(ssl.get());\n if (ssl->config == nullptr) {\n return nullptr;\n }\n ssl->config->conf_min_version = ctx->conf_min_version;\n ssl->config->conf_max_version = ctx->conf_max_version;\n\n ssl->config->cert = ssl_cert_dup(ctx->cert.get());\n if (ssl->config->cert == nullptr) {\n return nullptr;\n }\n\n ssl->config->verify_mode = ctx->verify_mode;\n ssl->config->verify_callback = ctx->default_verify_callback;\n ssl->config->custom_verify_callback = ctx->custom_verify_callback;\n ssl->config->retain_only_sha256_of_client_certs =\n ctx->retain_only_sha256_of_client_certs;\n ssl->config->permute_extensions = ctx->permute_extensions;\n ssl->config->aes_hw_override = ctx->aes_hw_override;\n ssl->config->aes_hw_override_value = ctx->aes_hw_override_value;\n ssl->config->compliance_policy = ctx->compliance_policy;\n\n if (!ssl->config->supported_group_list.CopyFrom(ctx->supported_group_list) ||\n !ssl->config->alpn_client_proto_list.CopyFrom(\n ctx->alpn_client_proto_list) ||\n !ssl->config->verify_sigalgs.CopyFrom(ctx->verify_sigalgs)) {\n return nullptr;\n }\n\n if (ctx->psk_identity_hint) {\n ssl->config->psk_identity_hint.reset(\n OPENSSL_strdup(ctx->psk_identity_hint.get()));\n if (ssl->config->psk_identity_hint == nullptr) {\n return nullptr;\n }\n }\n ssl->config->psk_client_callback = ctx->psk_client_callback;\n ssl->config->psk_server_callback = ctx->psk_server_callback;\n\n ssl->config->channel_id_enabled = ctx->channel_id_enabled;\n ssl->config->channel_id_private = UpRef(ctx->channel_id_private);\n\n ssl->config->signed_cert_timestamps_enabled =\n ctx->signed_cert_timestamps_enabled;\n ssl->config->ocsp_stapling_enabled = ctx->ocsp_stapling_enabled;\n ssl->config->handoff = ctx->handoff;\n ssl->quic_method = ctx->quic_method;\n\n if (!ssl->method->ssl_new(ssl.get()) ||\n !ssl->ctx->x509_method->ssl_new(ssl->s3->hs.get())) {\n return nullptr;\n }\n\n return ssl.release();\n}\n\nSSL_CONFIG::SSL_CONFIG(SSL *ssl_arg)\n : ssl(ssl_arg),\n ech_grease_enabled(false),\n signed_cert_timestamps_enabled(false),\n ocsp_stapling_enabled(false),\n channel_id_enabled(false),\n enforce_rsa_key_usage(true),\n retain_only_sha256_of_client_certs(false),\n handoff(false),\n shed_handshake_config(false),\n jdk11_workaround(false),\n quic_use_legacy_codepoint(false),\n permute_extensions(false),\n alps_use_new_codepoint(false),\n check_client_certificate_type(true),\n check_ecdsa_curve(true) {\n assert(ssl);\n}\n\nSSL_CONFIG::~SSL_CONFIG() {\n if (ssl->ctx != nullptr) {\n ssl->ctx->x509_method->ssl_config_free(this);\n }\n}\n\nvoid SSL_free(SSL *ssl) { Delete(ssl); }\n\nvoid SSL_set_connect_state(SSL *ssl) {\n ssl->server = false;\n ssl->do_handshake = ssl_client_handshake;\n}\n\nvoid SSL_set_accept_state(SSL *ssl) {\n ssl->server = true;\n ssl->do_handshake = ssl_server_handshake;\n}\n\nvoid SSL_set0_rbio(SSL *ssl, BIO *rbio) { ssl->rbio.reset(rbio); }\n\nvoid SSL_set0_wbio(SSL *ssl, BIO *wbio) { ssl->wbio.reset(wbio); }\n\nvoid SSL_set_bio(SSL *ssl, BIO *rbio, BIO *wbio) {\n // For historical reasons, this function has many different cases in ownership\n // handling.\n\n // If nothing has changed, do nothing\n if (rbio == SSL_get_rbio(ssl) && wbio == SSL_get_wbio(ssl)) {\n return;\n }\n\n // If the two arguments are equal, one fewer reference is granted than\n // taken.\n if (rbio != NULL && rbio == wbio) {\n BIO_up_ref(rbio);\n }\n\n // If only the wbio is changed, adopt only one reference.\n if (rbio == SSL_get_rbio(ssl)) {\n SSL_set0_wbio(ssl, wbio);\n return;\n }\n\n // There is an asymmetry here for historical reasons. If only the rbio is\n // changed AND the rbio and wbio were originally different, then we only adopt\n // one reference.\n if (wbio == SSL_get_wbio(ssl) && SSL_get_rbio(ssl) != SSL_get_wbio(ssl)) {\n SSL_set0_rbio(ssl, rbio);\n return;\n }\n\n // Otherwise, adopt both references.\n SSL_set0_rbio(ssl, rbio);\n SSL_set0_wbio(ssl, wbio);\n}\n\nBIO *SSL_get_rbio(const SSL *ssl) { return ssl->rbio.get(); }\n\nBIO *SSL_get_wbio(const SSL *ssl) { return ssl->wbio.get(); }\n\nsize_t SSL_quic_max_handshake_flight_len(const SSL *ssl,\n enum ssl_encryption_level_t level) {\n // Limits flights to 16K by default when there are no large\n // (certificate-carrying) messages.\n static const size_t kDefaultLimit = 16384;\n\n switch (level) {\n case ssl_encryption_initial:\n return kDefaultLimit;\n case ssl_encryption_early_data:\n // QUIC does not send EndOfEarlyData.\n return 0;\n case ssl_encryption_handshake:\n if (ssl->server) {\n // Servers may receive Certificate message if configured to request\n // client certificates.\n if (!!(ssl->config->verify_mode & SSL_VERIFY_PEER) &&\n ssl->max_cert_list > kDefaultLimit) {\n return ssl->max_cert_list;\n }\n } else {\n // Clients may receive both Certificate message and a CertificateRequest\n // message.\n if (2 * ssl->max_cert_list > kDefaultLimit) {\n return 2 * ssl->max_cert_list;\n }\n }\n return kDefaultLimit;\n case ssl_encryption_application:\n // Note there is not actually a bound on the number of NewSessionTickets\n // one may send in a row. This level may need more involved flow\n // control. See https://github.com/quicwg/base-drafts/issues/1834.\n return kDefaultLimit;\n }\n\n return 0;\n}\n\nenum ssl_encryption_level_t SSL_quic_read_level(const SSL *ssl) {\n assert(SSL_is_quic(ssl));\n return ssl->s3->quic_read_level;\n}\n\nenum ssl_encryption_level_t SSL_quic_write_level(const SSL *ssl) {\n assert(SSL_is_quic(ssl));\n return ssl->s3->quic_write_level;\n}\n\nint SSL_provide_quic_data(SSL *ssl, enum ssl_encryption_level_t level,\n const uint8_t *data, size_t len) {\n if (!SSL_is_quic(ssl)) {\n OPENSSL_PUT_ERROR(SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);\n return 0;\n }\n\n if (level != ssl->s3->quic_read_level) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_ENCRYPTION_LEVEL_RECEIVED);\n return 0;\n }\n\n size_t new_len = (ssl->s3->hs_buf ? ssl->s3->hs_buf->length : 0) + len;\n if (new_len < len ||\n new_len > SSL_quic_max_handshake_flight_len(ssl, level)) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_EXCESSIVE_MESSAGE_SIZE);\n return 0;\n }\n\n return tls_append_handshake_data(ssl, Span(data, len));\n}\n\nint SSL_do_handshake(SSL *ssl) {\n ssl_reset_error_state(ssl);\n\n if (ssl->do_handshake == NULL) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_CONNECTION_TYPE_NOT_SET);\n return -1;\n }\n\n if (!SSL_in_init(ssl)) {\n return 1;\n }\n\n // Run the handshake.\n SSL_HANDSHAKE *hs = ssl->s3->hs.get();\n\n bool early_return = false;\n int ret = ssl_run_handshake(hs, &early_return);\n ssl_do_info_callback(\n ssl, ssl->server ? SSL_CB_ACCEPT_EXIT : SSL_CB_CONNECT_EXIT, ret);\n if (ret <= 0) {\n return ret;\n }\n\n // Destroy the handshake object if the handshake has completely finished.\n if (!early_return) {\n ssl->s3->hs.reset();\n ssl_maybe_shed_handshake_config(ssl);\n }\n\n return 1;\n}\n\nint SSL_connect(SSL *ssl) {\n if (ssl->do_handshake == NULL) {\n // Not properly initialized yet\n SSL_set_connect_state(ssl);\n }\n\n return SSL_do_handshake(ssl);\n}\n\nint SSL_accept(SSL *ssl) {\n if (ssl->do_handshake == NULL) {\n // Not properly initialized yet\n SSL_set_accept_state(ssl);\n }\n\n return SSL_do_handshake(ssl);\n}\n\nstatic int ssl_do_post_handshake(SSL *ssl, const SSLMessage &msg) {\n if (ssl_protocol_version(ssl) >= TLS1_3_VERSION) {\n return tls13_post_handshake(ssl, msg);\n }\n\n // Check for renegotiation on the server before parsing to use the correct\n // error. Renegotiation is triggered by a different message for servers.\n if (ssl->server) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_NO_RENEGOTIATION);\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_NO_RENEGOTIATION);\n return 0;\n }\n\n if (msg.type != SSL3_MT_HELLO_REQUEST || CBS_len(&msg.body) != 0) {\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);\n OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_HELLO_REQUEST);\n return 0;\n }\n\n if (ssl->renegotiate_mode == ssl_renegotiate_ignore) {\n return 1; // Ignore the HelloRequest.\n }\n\n ssl->s3->renegotiate_pending = true;\n if (ssl->renegotiate_mode == ssl_renegotiate_explicit) {\n return 1; // Handle it later.\n }\n\n if (!SSL_renegotiate(ssl)) {\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_NO_RENEGOTIATION);\n return 0;\n }\n\n return 1;\n}\n\nint SSL_process_quic_post_handshake(SSL *ssl) {\n ssl_reset_error_state(ssl);\n\n if (!SSL_is_quic(ssl) || SSL_in_init(ssl)) {\n OPENSSL_PUT_ERROR(SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);\n return 0;\n }\n\n // Replay post-handshake message errors.\n if (!check_read_error(ssl)) {\n return 0;\n }\n\n // Process any buffered post-handshake messages.\n SSLMessage msg;\n while (ssl->method->get_message(ssl, &msg)) {\n // Handle the post-handshake message and try again.\n if (!ssl_do_post_handshake(ssl, msg)) {\n ssl_set_read_error(ssl);\n return 0;\n }\n ssl->method->next_message(ssl);\n }\n\n return 1;\n}\n\nstatic int ssl_read_impl(SSL *ssl) {\n ssl_reset_error_state(ssl);\n\n if (ssl->do_handshake == NULL) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_UNINITIALIZED);\n return -1;\n }\n\n // Replay post-handshake message errors.\n if (!check_read_error(ssl)) {\n return -1;\n }\n\n while (ssl->s3->pending_app_data.empty()) {\n if (ssl->s3->renegotiate_pending) {\n ssl->s3->rwstate = SSL_ERROR_WANT_RENEGOTIATE;\n return -1;\n }\n\n // If a read triggered a DTLS ACK or retransmit, resolve that before reading\n // more.\n if (SSL_is_dtls(ssl)) {\n int ret = ssl->method->flush(ssl);\n if (ret <= 0) {\n return ret;\n }\n }\n\n // Complete the current handshake, if any. False Start will cause\n // |SSL_do_handshake| to return mid-handshake, so this may require multiple\n // iterations.\n while (!ssl_can_read(ssl)) {\n int ret = SSL_do_handshake(ssl);\n if (ret < 0) {\n return ret;\n }\n if (ret == 0) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_SSL_HANDSHAKE_FAILURE);\n return -1;\n }\n }\n\n // Process any buffered post-handshake messages.\n SSLMessage msg;\n if (ssl->method->get_message(ssl, &msg)) {\n // If we received an interrupt in early read (EndOfEarlyData), loop again\n // for the handshake to process it.\n if (SSL_in_init(ssl)) {\n ssl->s3->hs->can_early_read = false;\n continue;\n }\n\n // Handle the post-handshake message and try again.\n if (!ssl_do_post_handshake(ssl, msg)) {\n ssl_set_read_error(ssl);\n return -1;\n }\n ssl->method->next_message(ssl);\n continue; // Loop again. We may have begun a new handshake.\n }\n\n uint8_t alert = SSL_AD_DECODE_ERROR;\n size_t consumed = 0;\n auto ret = ssl_open_app_data(ssl, &ssl->s3->pending_app_data, &consumed,\n &alert, ssl->s3->read_buffer.span());\n bool retry;\n int bio_ret = ssl_handle_open_record(ssl, &retry, ret, consumed, alert);\n if (bio_ret <= 0) {\n return bio_ret;\n }\n if (!retry) {\n assert(!ssl->s3->pending_app_data.empty());\n ssl->s3->key_update_count = 0;\n }\n }\n\n return 1;\n}\n\nint SSL_read(SSL *ssl, void *buf, int num) {\n int ret = SSL_peek(ssl, buf, num);\n if (ret <= 0) {\n return ret;\n }\n // TODO(davidben): In DTLS, should the rest of the record be discarded? DTLS\n // is not a stream. See https://crbug.com/boringssl/65.\n ssl->s3->pending_app_data =\n ssl->s3->pending_app_data.subspan(static_cast(ret));\n if (ssl->s3->pending_app_data.empty()) {\n ssl->s3->read_buffer.DiscardConsumed();\n }\n return ret;\n}\n\nint SSL_peek(SSL *ssl, void *buf, int num) {\n if (SSL_is_quic(ssl)) {\n OPENSSL_PUT_ERROR(SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);\n return -1;\n }\n\n int ret = ssl_read_impl(ssl);\n if (ret <= 0) {\n return ret;\n }\n if (num <= 0) {\n return num;\n }\n size_t todo =\n std::min(ssl->s3->pending_app_data.size(), static_cast(num));\n OPENSSL_memcpy(buf, ssl->s3->pending_app_data.data(), todo);\n return static_cast(todo);\n}\n\nint SSL_write(SSL *ssl, const void *buf, int num) {\n ssl_reset_error_state(ssl);\n\n if (SSL_is_quic(ssl)) {\n OPENSSL_PUT_ERROR(SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);\n return -1;\n }\n\n if (ssl->do_handshake == NULL) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_UNINITIALIZED);\n return -1;\n }\n\n int ret = 0;\n size_t bytes_written = 0;\n bool needs_handshake = false;\n do {\n // If necessary, complete the handshake implicitly.\n if (!ssl_can_write(ssl)) {\n ret = SSL_do_handshake(ssl);\n if (ret < 0) {\n return ret;\n }\n if (ret == 0) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_SSL_HANDSHAKE_FAILURE);\n return -1;\n }\n }\n\n if (num < 0) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_LENGTH);\n return -1;\n }\n ret = ssl->method->write_app_data(\n ssl, &needs_handshake, &bytes_written,\n Span(static_cast(buf), static_cast(num)));\n } while (needs_handshake);\n return ret <= 0 ? ret : static_cast(bytes_written);\n}\n\nint SSL_key_update(SSL *ssl, int request_type) {\n ssl_reset_error_state(ssl);\n\n if (ssl->do_handshake == NULL) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_UNINITIALIZED);\n return 0;\n }\n\n if (SSL_is_quic(ssl)) {\n OPENSSL_PUT_ERROR(SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);\n return 0;\n }\n\n if (!ssl->s3->initial_handshake_complete) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_HANDSHAKE_NOT_COMPLETE);\n return 0;\n }\n\n if (ssl_protocol_version(ssl) < TLS1_3_VERSION) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_SSL_VERSION);\n return 0;\n }\n\n return tls13_add_key_update(ssl, request_type);\n}\n\nint SSL_shutdown(SSL *ssl) {\n ssl_reset_error_state(ssl);\n\n if (ssl->do_handshake == NULL) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_UNINITIALIZED);\n return -1;\n }\n\n // If we are in the middle of a handshake, silently succeed. Consumers often\n // call this function before |SSL_free|, whether the handshake succeeded or\n // not. We assume the caller has already handled failed handshakes.\n if (SSL_in_init(ssl)) {\n return 1;\n }\n\n if (ssl->quiet_shutdown) {\n // Do nothing if configured not to send a close_notify.\n ssl->s3->write_shutdown = ssl_shutdown_close_notify;\n ssl->s3->read_shutdown = ssl_shutdown_close_notify;\n return 1;\n }\n\n // This function completes in two stages. It sends a close_notify and then it\n // waits for a close_notify to come in. Perform exactly one action and return\n // whether or not it succeeds.\n\n if (ssl->s3->write_shutdown != ssl_shutdown_close_notify) {\n // Send a close_notify.\n if (ssl_send_alert_impl(ssl, SSL3_AL_WARNING, SSL_AD_CLOSE_NOTIFY) <= 0) {\n return -1;\n }\n } else if (ssl->s3->alert_dispatch) {\n // Finish sending the close_notify.\n if (ssl->method->dispatch_alert(ssl) <= 0) {\n return -1;\n }\n } else if (ssl->s3->read_shutdown != ssl_shutdown_close_notify) {\n if (SSL_is_dtls(ssl)) {\n // Bidirectional shutdown doesn't make sense for an unordered\n // transport. DTLS alerts also aren't delivered reliably, so we may even\n // time out because the peer never received our close_notify. Report to\n // the caller that the channel has fully shut down.\n if (ssl->s3->read_shutdown == ssl_shutdown_error) {\n ERR_restore_state(ssl->s3->read_error.get());\n return -1;\n }\n ssl->s3->read_shutdown = ssl_shutdown_close_notify;\n } else {\n // Process records until an error, close_notify, or application data.\n if (ssl_read_impl(ssl) > 0) {\n // We received some unexpected application data.\n OPENSSL_PUT_ERROR(SSL, SSL_R_APPLICATION_DATA_ON_SHUTDOWN);\n return -1;\n }\n if (ssl->s3->read_shutdown != ssl_shutdown_close_notify) {\n return -1;\n }\n }\n }\n\n // Return 0 for unidirectional shutdown and 1 for bidirectional shutdown.\n return ssl->s3->read_shutdown == ssl_shutdown_close_notify;\n}\n\nint SSL_send_fatal_alert(SSL *ssl, uint8_t alert) {\n if (ssl->s3->alert_dispatch) {\n if (ssl->s3->send_alert[0] != SSL3_AL_FATAL ||\n ssl->s3->send_alert[1] != alert) {\n // We are already attempting to write a different alert.\n OPENSSL_PUT_ERROR(SSL, SSL_R_PROTOCOL_IS_SHUTDOWN);\n return -1;\n }\n return ssl->method->dispatch_alert(ssl);\n }\n\n return ssl_send_alert_impl(ssl, SSL3_AL_FATAL, alert);\n}\n\nint SSL_set_quic_transport_params(SSL *ssl, const uint8_t *params,\n size_t params_len) {\n return ssl->config &&\n ssl->config->quic_transport_params.CopyFrom(Span(params, params_len));\n}\n\nvoid SSL_get_peer_quic_transport_params(const SSL *ssl,\n const uint8_t **out_params,\n size_t *out_params_len) {\n *out_params = ssl->s3->peer_quic_transport_params.data();\n *out_params_len = ssl->s3->peer_quic_transport_params.size();\n}\n\nint SSL_set_quic_early_data_context(SSL *ssl, const uint8_t *context,\n size_t context_len) {\n return ssl->config && ssl->config->quic_early_data_context.CopyFrom(\n Span(context, context_len));\n}\n\nvoid SSL_CTX_set_early_data_enabled(SSL_CTX *ctx, int enabled) {\n ctx->enable_early_data = !!enabled;\n}\n\nvoid SSL_set_early_data_enabled(SSL *ssl, int enabled) {\n ssl->enable_early_data = !!enabled;\n}\n\nint SSL_in_early_data(const SSL *ssl) {\n if (ssl->s3->hs == NULL) {\n return 0;\n }\n return ssl->s3->hs->in_early_data;\n}\n\nint SSL_early_data_accepted(const SSL *ssl) {\n return ssl->s3->early_data_accepted;\n}\n\nvoid SSL_reset_early_data_reject(SSL *ssl) {\n SSL_HANDSHAKE *hs = ssl->s3->hs.get();\n if (hs == NULL || //\n hs->wait != ssl_hs_early_data_rejected) {\n abort();\n }\n\n hs->wait = ssl_hs_ok;\n hs->in_early_data = false;\n hs->early_session.reset();\n\n // Discard any unfinished writes from the perspective of |SSL_write|'s\n // retry. The handshake will transparently flush out the pending record\n // (discarded by the server) to keep the framing correct.\n ssl->s3->pending_write = {};\n}\n\nenum ssl_early_data_reason_t SSL_get_early_data_reason(const SSL *ssl) {\n return ssl->s3->early_data_reason;\n}\n\nconst char *SSL_early_data_reason_string(enum ssl_early_data_reason_t reason) {\n switch (reason) {\n case ssl_early_data_unknown:\n return \"unknown\";\n case ssl_early_data_disabled:\n return \"disabled\";\n case ssl_early_data_accepted:\n return \"accepted\";\n case ssl_early_data_protocol_version:\n return \"protocol_version\";\n case ssl_early_data_peer_declined:\n return \"peer_declined\";\n case ssl_early_data_no_session_offered:\n return \"no_session_offered\";\n case ssl_early_data_session_not_resumed:\n return \"session_not_resumed\";\n case ssl_early_data_unsupported_for_session:\n return \"unsupported_for_session\";\n case ssl_early_data_hello_retry_request:\n return \"hello_retry_request\";\n case ssl_early_data_alpn_mismatch:\n return \"alpn_mismatch\";\n case ssl_early_data_channel_id:\n return \"channel_id\";\n case ssl_early_data_ticket_age_skew:\n return \"ticket_age_skew\";\n case ssl_early_data_quic_parameter_mismatch:\n return \"quic_parameter_mismatch\";\n case ssl_early_data_alps_mismatch:\n return \"alps_mismatch\";\n }\n\n return nullptr;\n}\n\nstatic int bio_retry_reason_to_error(int reason) {\n switch (reason) {\n case BIO_RR_CONNECT:\n return SSL_ERROR_WANT_CONNECT;\n case BIO_RR_ACCEPT:\n return SSL_ERROR_WANT_ACCEPT;\n default:\n return SSL_ERROR_SYSCALL;\n }\n}\n\nint SSL_get_error(const SSL *ssl, int ret_code) {\n if (ret_code > 0) {\n return SSL_ERROR_NONE;\n }\n\n // Make things return SSL_ERROR_SYSCALL when doing SSL_do_handshake etc,\n // where we do encode the error\n uint32_t err = ERR_peek_error();\n if (err != 0) {\n if (ERR_GET_LIB(err) == ERR_LIB_SYS) {\n return SSL_ERROR_SYSCALL;\n }\n return SSL_ERROR_SSL;\n }\n\n if (ret_code == 0) {\n if (ssl->s3->rwstate == SSL_ERROR_ZERO_RETURN) {\n return SSL_ERROR_ZERO_RETURN;\n }\n // An EOF was observed which violates the protocol, and the underlying\n // transport does not participate in the error queue. Bubble up to the\n // caller.\n return SSL_ERROR_SYSCALL;\n }\n\n switch (ssl->s3->rwstate) {\n case SSL_ERROR_PENDING_SESSION:\n case SSL_ERROR_PENDING_CERTIFICATE:\n case SSL_ERROR_HANDOFF:\n case SSL_ERROR_HANDBACK:\n case SSL_ERROR_WANT_X509_LOOKUP:\n case SSL_ERROR_WANT_PRIVATE_KEY_OPERATION:\n case SSL_ERROR_PENDING_TICKET:\n case SSL_ERROR_EARLY_DATA_REJECTED:\n case SSL_ERROR_WANT_CERTIFICATE_VERIFY:\n case SSL_ERROR_WANT_RENEGOTIATE:\n case SSL_ERROR_HANDSHAKE_HINTS_READY:\n return ssl->s3->rwstate;\n\n case SSL_ERROR_WANT_READ: {\n if (SSL_is_quic(ssl)) {\n return SSL_ERROR_WANT_READ;\n }\n BIO *bio = SSL_get_rbio(ssl);\n if (BIO_should_read(bio)) {\n return SSL_ERROR_WANT_READ;\n }\n\n if (BIO_should_write(bio)) {\n // TODO(davidben): OpenSSL historically checked for writes on the read\n // BIO. Can this be removed?\n return SSL_ERROR_WANT_WRITE;\n }\n\n if (BIO_should_io_special(bio)) {\n return bio_retry_reason_to_error(BIO_get_retry_reason(bio));\n }\n\n break;\n }\n\n case SSL_ERROR_WANT_WRITE: {\n BIO *bio = SSL_get_wbio(ssl);\n if (BIO_should_write(bio)) {\n return SSL_ERROR_WANT_WRITE;\n }\n\n if (BIO_should_read(bio)) {\n // TODO(davidben): OpenSSL historically checked for reads on the write\n // BIO. Can this be removed?\n return SSL_ERROR_WANT_READ;\n }\n\n if (BIO_should_io_special(bio)) {\n return bio_retry_reason_to_error(BIO_get_retry_reason(bio));\n }\n\n break;\n }\n }\n\n return SSL_ERROR_SYSCALL;\n}\n\nconst char *SSL_error_description(int err) {\n switch (err) {\n case SSL_ERROR_NONE:\n return \"NONE\";\n case SSL_ERROR_SSL:\n return \"SSL\";\n case SSL_ERROR_WANT_READ:\n return \"WANT_READ\";\n case SSL_ERROR_WANT_WRITE:\n return \"WANT_WRITE\";\n case SSL_ERROR_WANT_X509_LOOKUP:\n return \"WANT_X509_LOOKUP\";\n case SSL_ERROR_SYSCALL:\n return \"SYSCALL\";\n case SSL_ERROR_ZERO_RETURN:\n return \"ZERO_RETURN\";\n case SSL_ERROR_WANT_CONNECT:\n return \"WANT_CONNECT\";\n case SSL_ERROR_WANT_ACCEPT:\n return \"WANT_ACCEPT\";\n case SSL_ERROR_PENDING_SESSION:\n return \"PENDING_SESSION\";\n case SSL_ERROR_PENDING_CERTIFICATE:\n return \"PENDING_CERTIFICATE\";\n case SSL_ERROR_WANT_PRIVATE_KEY_OPERATION:\n return \"WANT_PRIVATE_KEY_OPERATION\";\n case SSL_ERROR_PENDING_TICKET:\n return \"PENDING_TICKET\";\n case SSL_ERROR_EARLY_DATA_REJECTED:\n return \"EARLY_DATA_REJECTED\";\n case SSL_ERROR_WANT_CERTIFICATE_VERIFY:\n return \"WANT_CERTIFICATE_VERIFY\";\n case SSL_ERROR_HANDOFF:\n return \"HANDOFF\";\n case SSL_ERROR_HANDBACK:\n return \"HANDBACK\";\n case SSL_ERROR_WANT_RENEGOTIATE:\n return \"WANT_RENEGOTIATE\";\n case SSL_ERROR_HANDSHAKE_HINTS_READY:\n return \"HANDSHAKE_HINTS_READY\";\n default:\n return nullptr;\n }\n}\n\nuint32_t SSL_CTX_set_options(SSL_CTX *ctx, uint32_t options) {\n ctx->options |= options;\n return ctx->options;\n}\n\nuint32_t SSL_CTX_clear_options(SSL_CTX *ctx, uint32_t options) {\n ctx->options &= ~options;\n return ctx->options;\n}\n\nuint32_t SSL_CTX_get_options(const SSL_CTX *ctx) { return ctx->options; }\n\nuint32_t SSL_set_options(SSL *ssl, uint32_t options) {\n ssl->options |= options;\n return ssl->options;\n}\n\nuint32_t SSL_clear_options(SSL *ssl, uint32_t options) {\n ssl->options &= ~options;\n return ssl->options;\n}\n\nuint32_t SSL_get_options(const SSL *ssl) { return ssl->options; }\n\nuint32_t SSL_CTX_set_mode(SSL_CTX *ctx, uint32_t mode) {\n ctx->mode |= mode;\n return ctx->mode;\n}\n\nuint32_t SSL_CTX_clear_mode(SSL_CTX *ctx, uint32_t mode) {\n ctx->mode &= ~mode;\n return ctx->mode;\n}\n\nuint32_t SSL_CTX_get_mode(const SSL_CTX *ctx) { return ctx->mode; }\n\nuint32_t SSL_set_mode(SSL *ssl, uint32_t mode) {\n ssl->mode |= mode;\n return ssl->mode;\n}\n\nuint32_t SSL_clear_mode(SSL *ssl, uint32_t mode) {\n ssl->mode &= ~mode;\n return ssl->mode;\n}\n\nuint32_t SSL_get_mode(const SSL *ssl) { return ssl->mode; }\n\nvoid SSL_CTX_set0_buffer_pool(SSL_CTX *ctx, CRYPTO_BUFFER_POOL *pool) {\n ctx->pool = pool;\n}\n\nint SSL_get_tls_unique(const SSL *ssl, uint8_t *out, size_t *out_len,\n size_t max_out) {\n *out_len = 0;\n OPENSSL_memset(out, 0, max_out);\n\n // tls-unique is not defined for TLS 1.3.\n if (!ssl->s3->initial_handshake_complete ||\n ssl_protocol_version(ssl) >= TLS1_3_VERSION) {\n return 0;\n }\n\n // The tls-unique value is the first Finished message in the handshake, which\n // is the client's in a full handshake and the server's for a resumption. See\n // https://tools.ietf.org/html/rfc5929#section-3.1.\n Span finished = ssl->s3->previous_client_finished;\n if (ssl->session != NULL) {\n // tls-unique is broken for resumed sessions unless EMS is used.\n if (!ssl->session->extended_master_secret) {\n return 0;\n }\n finished = ssl->s3->previous_server_finished;\n }\n\n *out_len = finished.size();\n if (finished.size() > max_out) {\n *out_len = max_out;\n }\n\n OPENSSL_memcpy(out, finished.data(), *out_len);\n return 1;\n}\n\nstatic int set_session_id_context(CERT *cert, const uint8_t *sid_ctx,\n size_t sid_ctx_len) {\n if (!cert->sid_ctx.TryCopyFrom(Span(sid_ctx, sid_ctx_len))) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG);\n return 0;\n }\n\n return 1;\n}\n\nint SSL_CTX_set_session_id_context(SSL_CTX *ctx, const uint8_t *sid_ctx,\n size_t sid_ctx_len) {\n return set_session_id_context(ctx->cert.get(), sid_ctx, sid_ctx_len);\n}\n\nint SSL_set_session_id_context(SSL *ssl, const uint8_t *sid_ctx,\n size_t sid_ctx_len) {\n if (!ssl->config) {\n return 0;\n }\n return set_session_id_context(ssl->config->cert.get(), sid_ctx, sid_ctx_len);\n}\n\nconst uint8_t *SSL_get0_session_id_context(const SSL *ssl, size_t *out_len) {\n if (!ssl->config) {\n assert(ssl->config);\n *out_len = 0;\n return NULL;\n }\n *out_len = ssl->config->cert->sid_ctx.size();\n return ssl->config->cert->sid_ctx.data();\n}\n\nint SSL_get_fd(const SSL *ssl) { return SSL_get_rfd(ssl); }\n\nint SSL_get_rfd(const SSL *ssl) {\n int ret = -1;\n BIO *b = BIO_find_type(SSL_get_rbio(ssl), BIO_TYPE_DESCRIPTOR);\n if (b != NULL) {\n BIO_get_fd(b, &ret);\n }\n return ret;\n}\n\nint SSL_get_wfd(const SSL *ssl) {\n int ret = -1;\n BIO *b = BIO_find_type(SSL_get_wbio(ssl), BIO_TYPE_DESCRIPTOR);\n if (b != NULL) {\n BIO_get_fd(b, &ret);\n }\n return ret;\n}\n\n#if !defined(OPENSSL_NO_SOCK)\nint SSL_set_fd(SSL *ssl, int fd) {\n BIO *bio = BIO_new(BIO_s_socket());\n if (bio == NULL) {\n OPENSSL_PUT_ERROR(SSL, ERR_R_BUF_LIB);\n return 0;\n }\n BIO_set_fd(bio, fd, BIO_NOCLOSE);\n SSL_set_bio(ssl, bio, bio);\n return 1;\n}\n\nint SSL_set_wfd(SSL *ssl, int fd) {\n BIO *rbio = SSL_get_rbio(ssl);\n if (rbio == NULL || BIO_method_type(rbio) != BIO_TYPE_SOCKET ||\n BIO_get_fd(rbio, NULL) != fd) {\n BIO *bio = BIO_new(BIO_s_socket());\n if (bio == NULL) {\n OPENSSL_PUT_ERROR(SSL, ERR_R_BUF_LIB);\n return 0;\n }\n BIO_set_fd(bio, fd, BIO_NOCLOSE);\n SSL_set0_wbio(ssl, bio);\n } else {\n // Copy the rbio over to the wbio.\n BIO_up_ref(rbio);\n SSL_set0_wbio(ssl, rbio);\n }\n\n return 1;\n}\n\nint SSL_set_rfd(SSL *ssl, int fd) {\n BIO *wbio = SSL_get_wbio(ssl);\n if (wbio == NULL || BIO_method_type(wbio) != BIO_TYPE_SOCKET ||\n BIO_get_fd(wbio, NULL) != fd) {\n BIO *bio = BIO_new(BIO_s_socket());\n if (bio == NULL) {\n OPENSSL_PUT_ERROR(SSL, ERR_R_BUF_LIB);\n return 0;\n }\n BIO_set_fd(bio, fd, BIO_NOCLOSE);\n SSL_set0_rbio(ssl, bio);\n } else {\n // Copy the wbio over to the rbio.\n BIO_up_ref(wbio);\n SSL_set0_rbio(ssl, wbio);\n }\n return 1;\n}\n#endif // !OPENSSL_NO_SOCK\n\nstatic size_t copy_finished(void *out, size_t out_len, Span in) {\n if (out_len > in.size()) {\n out_len = in.size();\n }\n OPENSSL_memcpy(out, in.data(), out_len);\n return in.size();\n}\n\nsize_t SSL_get_finished(const SSL *ssl, void *buf, size_t count) {\n if (!ssl->s3->initial_handshake_complete ||\n ssl_protocol_version(ssl) >= TLS1_3_VERSION) {\n return 0;\n }\n\n if (ssl->server) {\n return copy_finished(buf, count, ssl->s3->previous_server_finished);\n }\n\n return copy_finished(buf, count, ssl->s3->previous_client_finished);\n}\n\nsize_t SSL_get_peer_finished(const SSL *ssl, void *buf, size_t count) {\n if (!ssl->s3->initial_handshake_complete ||\n ssl_protocol_version(ssl) >= TLS1_3_VERSION) {\n return 0;\n }\n\n if (ssl->server) {\n return copy_finished(buf, count, ssl->s3->previous_client_finished);\n }\n\n return copy_finished(buf, count, ssl->s3->previous_server_finished);\n}\n\nint SSL_get_verify_mode(const SSL *ssl) {\n if (!ssl->config) {\n assert(ssl->config);\n return -1;\n }\n return ssl->config->verify_mode;\n}\n\nint SSL_get_extms_support(const SSL *ssl) {\n // TLS 1.3 does not require extended master secret and always reports as\n // supporting it.\n if (ssl->s3->version == 0) {\n return 0;\n }\n if (ssl_protocol_version(ssl) >= TLS1_3_VERSION) {\n return 1;\n }\n\n // If the initial handshake completed, query the established session.\n if (ssl->s3->established_session != NULL) {\n return ssl->s3->established_session->extended_master_secret;\n }\n\n // Otherwise, query the in-progress handshake.\n if (ssl->s3->hs != NULL) {\n return ssl->s3->hs->extended_master_secret;\n }\n assert(0);\n return 0;\n}\n\nint SSL_CTX_get_read_ahead(const SSL_CTX *ctx) { return 0; }\n\nint SSL_get_read_ahead(const SSL *ssl) { return 0; }\n\nint SSL_CTX_set_read_ahead(SSL_CTX *ctx, int yes) { return 1; }\n\nint SSL_set_read_ahead(SSL *ssl, int yes) { return 1; }\n\nint SSL_pending(const SSL *ssl) {\n return static_cast(ssl->s3->pending_app_data.size());\n}\n\nint SSL_has_pending(const SSL *ssl) {\n return SSL_pending(ssl) != 0 || !ssl->s3->read_buffer.empty();\n}\n\nstatic bool has_cert_and_key(const SSL_CREDENTIAL *cred) {\n // TODO(davidben): If |cred->key_method| is set, that should be fine too.\n if (cred->privkey == nullptr) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_NO_PRIVATE_KEY_ASSIGNED);\n return false;\n }\n\n if (cred->chain == nullptr ||\n sk_CRYPTO_BUFFER_value(cred->chain.get(), 0) == nullptr) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_NO_CERTIFICATE_ASSIGNED);\n return false;\n }\n\n return true;\n}\n\nint SSL_CTX_check_private_key(const SSL_CTX *ctx) {\n // There is no need to actually check consistency because inconsistent values\n // can never be configured.\n return has_cert_and_key(ctx->cert->legacy_credential.get());\n}\n\nint SSL_check_private_key(const SSL *ssl) {\n if (!ssl->config) {\n return 0;\n }\n\n // There is no need to actually check consistency because inconsistent values\n // can never be configured.\n return has_cert_and_key(ssl->config->cert->legacy_credential.get());\n}\n\nlong SSL_get_default_timeout(const SSL *ssl) {\n return SSL_DEFAULT_SESSION_TIMEOUT;\n}\n\nint SSL_renegotiate(SSL *ssl) {\n // Caller-initiated renegotiation is not supported.\n if (!ssl->s3->renegotiate_pending) {\n OPENSSL_PUT_ERROR(SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);\n return 0;\n }\n\n if (!ssl_can_renegotiate(ssl)) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_NO_RENEGOTIATION);\n return 0;\n }\n\n // We should not have told the caller to release the private key.\n assert(!SSL_can_release_private_key(ssl));\n\n // Renegotiation is only supported at quiescent points in the application\n // protocol, namely in HTTPS, just before reading the HTTP response.\n // Require the record-layer be idle and avoid complexities of sending a\n // handshake record while an application_data record is being written.\n if (!ssl->s3->write_buffer.empty() ||\n ssl->s3->write_shutdown != ssl_shutdown_none) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_NO_RENEGOTIATION);\n return 0;\n }\n\n // Begin a new handshake.\n if (ssl->s3->hs != nullptr) {\n OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);\n return 0;\n }\n ssl->s3->hs = ssl_handshake_new(ssl);\n if (ssl->s3->hs == nullptr) {\n return 0;\n }\n\n ssl->s3->renegotiate_pending = false;\n ssl->s3->total_renegotiations++;\n return 1;\n}\n\nint SSL_renegotiate_pending(SSL *ssl) {\n return SSL_in_init(ssl) && ssl->s3->initial_handshake_complete;\n}\n\nint SSL_total_renegotiations(const SSL *ssl) {\n return ssl->s3->total_renegotiations;\n}\n\nsize_t SSL_CTX_get_max_cert_list(const SSL_CTX *ctx) {\n return ctx->max_cert_list;\n}\n\nvoid SSL_CTX_set_max_cert_list(SSL_CTX *ctx, size_t max_cert_list) {\n if (max_cert_list > kMaxHandshakeSize) {\n max_cert_list = kMaxHandshakeSize;\n }\n ctx->max_cert_list = (uint32_t)max_cert_list;\n}\n\nsize_t SSL_get_max_cert_list(const SSL *ssl) { return ssl->max_cert_list; }\n\nvoid SSL_set_max_cert_list(SSL *ssl, size_t max_cert_list) {\n if (max_cert_list > kMaxHandshakeSize) {\n max_cert_list = kMaxHandshakeSize;\n }\n ssl->max_cert_list = (uint32_t)max_cert_list;\n}\n\nint SSL_CTX_set_max_send_fragment(SSL_CTX *ctx, size_t max_send_fragment) {\n if (max_send_fragment < 512) {\n max_send_fragment = 512;\n }\n if (max_send_fragment > SSL3_RT_MAX_PLAIN_LENGTH) {\n max_send_fragment = SSL3_RT_MAX_PLAIN_LENGTH;\n }\n ctx->max_send_fragment = (uint16_t)max_send_fragment;\n\n return 1;\n}\n\nint SSL_set_max_send_fragment(SSL *ssl, size_t max_send_fragment) {\n if (max_send_fragment < 512) {\n max_send_fragment = 512;\n }\n if (max_send_fragment > SSL3_RT_MAX_PLAIN_LENGTH) {\n max_send_fragment = SSL3_RT_MAX_PLAIN_LENGTH;\n }\n ssl->max_send_fragment = (uint16_t)max_send_fragment;\n\n return 1;\n}\n\nint SSL_set_mtu(SSL *ssl, unsigned mtu) {\n if (!SSL_is_dtls(ssl) || mtu < dtls1_min_mtu()) {\n return 0;\n }\n ssl->d1->mtu = mtu;\n return 1;\n}\n\nint SSL_get_secure_renegotiation_support(const SSL *ssl) {\n if (ssl->s3->version == 0) {\n return 0;\n }\n return ssl_protocol_version(ssl) >= TLS1_3_VERSION ||\n ssl->s3->send_connection_binding;\n}\n\nsize_t SSL_CTX_sess_number(const SSL_CTX *ctx) {\n MutexReadLock lock(const_cast(&ctx->lock));\n return lh_SSL_SESSION_num_items(ctx->sessions);\n}\n\nunsigned long SSL_CTX_sess_set_cache_size(SSL_CTX *ctx, unsigned long size) {\n unsigned long ret = ctx->session_cache_size;\n ctx->session_cache_size = size;\n return ret;\n}\n\nunsigned long SSL_CTX_sess_get_cache_size(const SSL_CTX *ctx) {\n return ctx->session_cache_size;\n}\n\nint SSL_CTX_set_session_cache_mode(SSL_CTX *ctx, int mode) {\n int ret = ctx->session_cache_mode;\n ctx->session_cache_mode = mode;\n return ret;\n}\n\nint SSL_CTX_get_session_cache_mode(const SSL_CTX *ctx) {\n return ctx->session_cache_mode;\n}\n\n\nint SSL_CTX_get_tlsext_ticket_keys(SSL_CTX *ctx, void *out, size_t len) {\n if (out == NULL) {\n return 48;\n }\n if (len != 48) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_TICKET_KEYS_LENGTH);\n return 0;\n }\n\n // The default ticket keys are initialized lazily. Trigger a key\n // rotation to initialize them.\n if (!ssl_ctx_rotate_ticket_encryption_key(ctx)) {\n return 0;\n }\n\n uint8_t *out_bytes = reinterpret_cast(out);\n MutexReadLock lock(&ctx->lock);\n OPENSSL_memcpy(out_bytes, ctx->ticket_key_current->name, 16);\n OPENSSL_memcpy(out_bytes + 16, ctx->ticket_key_current->hmac_key, 16);\n OPENSSL_memcpy(out_bytes + 32, ctx->ticket_key_current->aes_key, 16);\n return 1;\n}\n\nint SSL_CTX_set_tlsext_ticket_keys(SSL_CTX *ctx, const void *in, size_t len) {\n if (in == NULL) {\n return 48;\n }\n if (len != 48) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_TICKET_KEYS_LENGTH);\n return 0;\n }\n auto key = MakeUnique();\n if (!key) {\n return 0;\n }\n const uint8_t *in_bytes = reinterpret_cast(in);\n OPENSSL_memcpy(key->name, in_bytes, 16);\n OPENSSL_memcpy(key->hmac_key, in_bytes + 16, 16);\n OPENSSL_memcpy(key->aes_key, in_bytes + 32, 16);\n // Disable automatic key rotation for manually-configured keys. This is now\n // the caller's responsibility.\n key->next_rotation_tv_sec = 0;\n ctx->ticket_key_current = std::move(key);\n ctx->ticket_key_prev.reset();\n return 1;\n}\n\nint SSL_CTX_set_tlsext_ticket_key_cb(\n SSL_CTX *ctx,\n int (*callback)(SSL *ssl, uint8_t *key_name, uint8_t *iv,\n EVP_CIPHER_CTX *ctx, HMAC_CTX *hmac_ctx, int encrypt)) {\n ctx->ticket_key_cb = callback;\n return 1;\n}\n\nstatic bool check_group_ids(Span group_ids) {\n for (uint16_t group_id : group_ids) {\n if (ssl_group_id_to_nid(group_id) == NID_undef) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_UNSUPPORTED_ELLIPTIC_CURVE);\n return false;\n }\n }\n return true;\n}\n\nint SSL_CTX_set1_group_ids(SSL_CTX *ctx, const uint16_t *group_ids,\n size_t num_group_ids) {\n auto span = Span(group_ids, num_group_ids);\n return check_group_ids(span) && ctx->supported_group_list.CopyFrom(span);\n}\n\nint SSL_set1_group_ids(SSL *ssl, const uint16_t *group_ids,\n size_t num_group_ids) {\n if (!ssl->config) {\n return 0;\n }\n auto span = Span(group_ids, num_group_ids);\n return check_group_ids(span) &&\n ssl->config->supported_group_list.CopyFrom(span);\n}\n\nstatic bool ssl_nids_to_group_ids(Array *out_group_ids,\n Span nids) {\n Array group_ids;\n if (!group_ids.InitForOverwrite(nids.size())) {\n return false;\n }\n\n for (size_t i = 0; i < nids.size(); i++) {\n if (!ssl_nid_to_group_id(&group_ids[i], nids[i])) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_UNSUPPORTED_ELLIPTIC_CURVE);\n return false;\n }\n }\n\n *out_group_ids = std::move(group_ids);\n return true;\n}\n\nint SSL_CTX_set1_groups(SSL_CTX *ctx, const int *groups, size_t num_groups) {\n return ssl_nids_to_group_ids(&ctx->supported_group_list,\n Span(groups, num_groups));\n}\n\nint SSL_set1_groups(SSL *ssl, const int *groups, size_t num_groups) {\n if (!ssl->config) {\n return 0;\n }\n return ssl_nids_to_group_ids(&ssl->config->supported_group_list,\n Span(groups, num_groups));\n}\n\nstatic bool ssl_str_to_group_ids(Array *out_group_ids,\n const char *str) {\n // Count the number of groups in the list.\n size_t count = 0;\n const char *ptr = str, *col;\n do {\n col = strchr(ptr, ':');\n count++;\n if (col) {\n ptr = col + 1;\n }\n } while (col);\n\n Array group_ids;\n if (!group_ids.InitForOverwrite(count)) {\n return false;\n }\n\n size_t i = 0;\n ptr = str;\n do {\n col = strchr(ptr, ':');\n if (!ssl_name_to_group_id(&group_ids[i++], ptr,\n col ? (size_t)(col - ptr) : strlen(ptr))) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_UNSUPPORTED_ELLIPTIC_CURVE);\n return false;\n }\n if (col) {\n ptr = col + 1;\n }\n } while (col);\n\n assert(i == count);\n *out_group_ids = std::move(group_ids);\n return true;\n}\n\nint SSL_CTX_set1_groups_list(SSL_CTX *ctx, const char *groups) {\n return ssl_str_to_group_ids(&ctx->supported_group_list, groups);\n}\n\nint SSL_set1_groups_list(SSL *ssl, const char *groups) {\n if (!ssl->config) {\n return 0;\n }\n return ssl_str_to_group_ids(&ssl->config->supported_group_list, groups);\n}\n\nuint16_t SSL_get_group_id(const SSL *ssl) {\n SSL_SESSION *session = SSL_get_session(ssl);\n if (session == NULL) {\n return 0;\n }\n\n return session->group_id;\n}\n\nint SSL_get_negotiated_group(const SSL *ssl) {\n uint16_t group_id = SSL_get_group_id(ssl);\n if (group_id == 0) {\n return NID_undef;\n }\n return ssl_group_id_to_nid(group_id);\n}\n\nint SSL_CTX_set_tmp_dh(SSL_CTX *ctx, const DH *dh) { return 1; }\n\nint SSL_set_tmp_dh(SSL *ssl, const DH *dh) { return 1; }\n\nSTACK_OF(SSL_CIPHER) *SSL_CTX_get_ciphers(const SSL_CTX *ctx) {\n return ctx->cipher_list->ciphers.get();\n}\n\nint SSL_CTX_cipher_in_group(const SSL_CTX *ctx, size_t i) {\n if (i >= sk_SSL_CIPHER_num(ctx->cipher_list->ciphers.get())) {\n return 0;\n }\n return ctx->cipher_list->in_group_flags[i];\n}\n\nSTACK_OF(SSL_CIPHER) *SSL_get_ciphers(const SSL *ssl) {\n if (ssl == NULL) {\n return NULL;\n }\n if (ssl->config == NULL) {\n assert(ssl->config);\n return NULL;\n }\n\n return ssl->config->cipher_list ? ssl->config->cipher_list->ciphers.get()\n : ssl->ctx->cipher_list->ciphers.get();\n}\n\nconst char *SSL_get_cipher_list(const SSL *ssl, int n) {\n if (ssl == NULL) {\n return NULL;\n }\n\n STACK_OF(SSL_CIPHER) *sk = SSL_get_ciphers(ssl);\n if (sk == NULL || n < 0 || (size_t)n >= sk_SSL_CIPHER_num(sk)) {\n return NULL;\n }\n\n const SSL_CIPHER *c = sk_SSL_CIPHER_value(sk, n);\n if (c == NULL) {\n return NULL;\n }\n\n return c->name;\n}\n\nint SSL_CTX_set_cipher_list(SSL_CTX *ctx, const char *str) {\n const bool has_aes_hw = ctx->aes_hw_override ? ctx->aes_hw_override_value\n : EVP_has_aes_hardware();\n return ssl_create_cipher_list(&ctx->cipher_list, has_aes_hw, str,\n false /* not strict */);\n}\n\nint SSL_CTX_set_strict_cipher_list(SSL_CTX *ctx, const char *str) {\n const bool has_aes_hw = ctx->aes_hw_override ? ctx->aes_hw_override_value\n : EVP_has_aes_hardware();\n return ssl_create_cipher_list(&ctx->cipher_list, has_aes_hw, str,\n true /* strict */);\n}\n\nint SSL_set_cipher_list(SSL *ssl, const char *str) {\n if (!ssl->config) {\n return 0;\n }\n const bool has_aes_hw = ssl->config->aes_hw_override\n ? ssl->config->aes_hw_override_value\n : EVP_has_aes_hardware();\n return ssl_create_cipher_list(&ssl->config->cipher_list, has_aes_hw, str,\n false /* not strict */);\n}\n\nint SSL_set_strict_cipher_list(SSL *ssl, const char *str) {\n if (!ssl->config) {\n return 0;\n }\n const bool has_aes_hw = ssl->config->aes_hw_override\n ? ssl->config->aes_hw_override_value\n : EVP_has_aes_hardware();\n return ssl_create_cipher_list(&ssl->config->cipher_list, has_aes_hw, str,\n true /* strict */);\n}\n\nconst char *SSL_get_servername(const SSL *ssl, const int type) {\n if (type != TLSEXT_NAMETYPE_host_name) {\n return NULL;\n }\n\n // Historically, |SSL_get_servername| was also the configuration getter\n // corresponding to |SSL_set_tlsext_host_name|.\n if (ssl->hostname != nullptr) {\n return ssl->hostname.get();\n }\n\n return ssl->s3->hostname.get();\n}\n\nint SSL_get_servername_type(const SSL *ssl) {\n if (SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name) == NULL) {\n return -1;\n }\n return TLSEXT_NAMETYPE_host_name;\n}\n\nvoid SSL_CTX_set_custom_verify(\n SSL_CTX *ctx, int mode,\n enum ssl_verify_result_t (*callback)(SSL *ssl, uint8_t *out_alert)) {\n ctx->verify_mode = mode;\n ctx->custom_verify_callback = callback;\n}\n\nvoid SSL_set_custom_verify(\n SSL *ssl, int mode,\n enum ssl_verify_result_t (*callback)(SSL *ssl, uint8_t *out_alert)) {\n if (!ssl->config) {\n return;\n }\n ssl->config->verify_mode = mode;\n ssl->config->custom_verify_callback = callback;\n}\n\nvoid SSL_CTX_enable_signed_cert_timestamps(SSL_CTX *ctx) {\n ctx->signed_cert_timestamps_enabled = true;\n}\n\nvoid SSL_enable_signed_cert_timestamps(SSL *ssl) {\n if (!ssl->config) {\n return;\n }\n ssl->config->signed_cert_timestamps_enabled = true;\n}\n\nvoid SSL_CTX_enable_ocsp_stapling(SSL_CTX *ctx) {\n ctx->ocsp_stapling_enabled = true;\n}\n\nvoid SSL_enable_ocsp_stapling(SSL *ssl) {\n if (!ssl->config) {\n return;\n }\n ssl->config->ocsp_stapling_enabled = true;\n}\n\nvoid SSL_get0_signed_cert_timestamp_list(const SSL *ssl, const uint8_t **out,\n size_t *out_len) {\n SSL_SESSION *session = SSL_get_session(ssl);\n if (ssl->server || !session || !session->signed_cert_timestamp_list) {\n *out_len = 0;\n *out = NULL;\n return;\n }\n\n *out = CRYPTO_BUFFER_data(session->signed_cert_timestamp_list.get());\n *out_len = CRYPTO_BUFFER_len(session->signed_cert_timestamp_list.get());\n}\n\nvoid SSL_get0_ocsp_response(const SSL *ssl, const uint8_t **out,\n size_t *out_len) {\n SSL_SESSION *session = SSL_get_session(ssl);\n if (ssl->server || !session || !session->ocsp_response) {\n *out_len = 0;\n *out = NULL;\n return;\n }\n\n *out = CRYPTO_BUFFER_data(session->ocsp_response.get());\n *out_len = CRYPTO_BUFFER_len(session->ocsp_response.get());\n}\n\nint SSL_set_tlsext_host_name(SSL *ssl, const char *name) {\n ssl->hostname.reset();\n if (name == nullptr) {\n return 1;\n }\n\n size_t len = strlen(name);\n if (len == 0 || len > TLSEXT_MAXLEN_host_name) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_SSL3_EXT_INVALID_SERVERNAME);\n return 0;\n }\n ssl->hostname.reset(OPENSSL_strdup(name));\n if (ssl->hostname == nullptr) {\n return 0;\n }\n return 1;\n}\n\nint SSL_CTX_set_tlsext_servername_callback(\n SSL_CTX *ctx, int (*callback)(SSL *ssl, int *out_alert, void *arg)) {\n ctx->servername_callback = callback;\n return 1;\n}\n\nint SSL_CTX_set_tlsext_servername_arg(SSL_CTX *ctx, void *arg) {\n ctx->servername_arg = arg;\n return 1;\n}\n\nint SSL_select_next_proto(uint8_t **out, uint8_t *out_len, const uint8_t *peer,\n unsigned peer_len, const uint8_t *supported,\n unsigned supported_len) {\n *out = nullptr;\n *out_len = 0;\n\n // Both |peer| and |supported| must be valid protocol lists, but |peer| may be\n // empty in NPN.\n auto peer_span = Span(peer, peer_len);\n auto supported_span = Span(supported, supported_len);\n if ((!peer_span.empty() && !ssl_is_valid_alpn_list(peer_span)) ||\n !ssl_is_valid_alpn_list(supported_span)) {\n return OPENSSL_NPN_NO_OVERLAP;\n }\n\n // For each protocol in peer preference order, see if we support it.\n CBS cbs = peer_span, proto;\n while (CBS_len(&cbs) != 0) {\n if (!CBS_get_u8_length_prefixed(&cbs, &proto) || CBS_len(&proto) == 0) {\n return OPENSSL_NPN_NO_OVERLAP;\n }\n\n if (ssl_alpn_list_contains_protocol(Span(supported, supported_len),\n proto)) {\n // This function is not const-correct for compatibility with existing\n // callers.\n *out = const_cast(CBS_data(&proto));\n // A u8 length prefix will fit in |uint8_t|.\n *out_len = static_cast(CBS_len(&proto));\n return OPENSSL_NPN_NEGOTIATED;\n }\n }\n\n // There's no overlap between our protocols and the peer's list. In ALPN, the\n // caller is expected to fail the connection with no_application_protocol. In\n // NPN, the caller is expected to opportunistically select the first protocol.\n // See draft-agl-tls-nextprotoneg-04, section 6.\n cbs = supported_span;\n if (!CBS_get_u8_length_prefixed(&cbs, &proto) || CBS_len(&proto) == 0) {\n return OPENSSL_NPN_NO_OVERLAP;\n }\n\n // See above.\n *out = const_cast(CBS_data(&proto));\n *out_len = static_cast(CBS_len(&proto));\n return OPENSSL_NPN_NO_OVERLAP;\n}\n\nvoid SSL_get0_next_proto_negotiated(const SSL *ssl, const uint8_t **out_data,\n unsigned *out_len) {\n // NPN protocols have one-byte lengths, so they must fit in |unsigned|.\n assert(ssl->s3->next_proto_negotiated.size() <= UINT_MAX);\n *out_data = ssl->s3->next_proto_negotiated.data();\n *out_len = static_cast(ssl->s3->next_proto_negotiated.size());\n}\n\nvoid SSL_CTX_set_next_protos_advertised_cb(\n SSL_CTX *ctx,\n int (*cb)(SSL *ssl, const uint8_t **out, unsigned *out_len, void *arg),\n void *arg) {\n ctx->next_protos_advertised_cb = cb;\n ctx->next_protos_advertised_cb_arg = arg;\n}\n\nvoid SSL_CTX_set_next_proto_select_cb(SSL_CTX *ctx,\n int (*cb)(SSL *ssl, uint8_t **out,\n uint8_t *out_len,\n const uint8_t *in,\n unsigned in_len, void *arg),\n void *arg) {\n ctx->next_proto_select_cb = cb;\n ctx->next_proto_select_cb_arg = arg;\n}\n\nint SSL_CTX_set_alpn_protos(SSL_CTX *ctx, const uint8_t *protos,\n size_t protos_len) {\n // Note this function's return value is backwards.\n auto span = Span(protos, protos_len);\n if (!span.empty() && !ssl_is_valid_alpn_list(span)) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_ALPN_PROTOCOL_LIST);\n return 1;\n }\n return ctx->alpn_client_proto_list.CopyFrom(span) ? 0 : 1;\n}\n\nint SSL_set_alpn_protos(SSL *ssl, const uint8_t *protos, size_t protos_len) {\n // Note this function's return value is backwards.\n if (!ssl->config) {\n return 1;\n }\n auto span = Span(protos, protos_len);\n if (!span.empty() && !ssl_is_valid_alpn_list(span)) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_ALPN_PROTOCOL_LIST);\n return 1;\n }\n return ssl->config->alpn_client_proto_list.CopyFrom(span) ? 0 : 1;\n}\n\nvoid SSL_CTX_set_alpn_select_cb(SSL_CTX *ctx,\n int (*cb)(SSL *ssl, const uint8_t **out,\n uint8_t *out_len, const uint8_t *in,\n unsigned in_len, void *arg),\n void *arg) {\n ctx->alpn_select_cb = cb;\n ctx->alpn_select_cb_arg = arg;\n}\n\nvoid SSL_get0_alpn_selected(const SSL *ssl, const uint8_t **out_data,\n unsigned *out_len) {\n Span protocol;\n if (SSL_in_early_data(ssl) && !ssl->server) {\n protocol = ssl->s3->hs->early_session->early_alpn;\n } else {\n protocol = ssl->s3->alpn_selected;\n }\n // ALPN protocols have one-byte lengths, so they must fit in |unsigned|.\n assert(protocol.size() < UINT_MAX);\n *out_data = protocol.data();\n *out_len = static_cast(protocol.size());\n}\n\nvoid SSL_CTX_set_allow_unknown_alpn_protos(SSL_CTX *ctx, int enabled) {\n ctx->allow_unknown_alpn_protos = !!enabled;\n}\n\nint SSL_add_application_settings(SSL *ssl, const uint8_t *proto,\n size_t proto_len, const uint8_t *settings,\n size_t settings_len) {\n if (!ssl->config) {\n return 0;\n }\n ALPSConfig config;\n if (!config.protocol.CopyFrom(Span(proto, proto_len)) ||\n !config.settings.CopyFrom(Span(settings, settings_len)) ||\n !ssl->config->alps_configs.Push(std::move(config))) {\n return 0;\n }\n return 1;\n}\n\nvoid SSL_get0_peer_application_settings(const SSL *ssl,\n const uint8_t **out_data,\n size_t *out_len) {\n const SSL_SESSION *session = SSL_get_session(ssl);\n Span settings =\n session ? session->peer_application_settings : Span();\n *out_data = settings.data();\n *out_len = settings.size();\n}\n\nint SSL_has_application_settings(const SSL *ssl) {\n const SSL_SESSION *session = SSL_get_session(ssl);\n return session && session->has_application_settings;\n}\n\nvoid SSL_set_alps_use_new_codepoint(SSL *ssl, int use_new) {\n if (!ssl->config) {\n return;\n }\n ssl->config->alps_use_new_codepoint = !!use_new;\n}\n\nint SSL_CTX_add_cert_compression_alg(SSL_CTX *ctx, uint16_t alg_id,\n ssl_cert_compression_func_t compress,\n ssl_cert_decompression_func_t decompress) {\n assert(compress != nullptr || decompress != nullptr);\n\n for (const auto &alg : ctx->cert_compression_algs) {\n if (alg.alg_id == alg_id) {\n return 0;\n }\n }\n\n CertCompressionAlg alg;\n alg.alg_id = alg_id;\n alg.compress = compress;\n alg.decompress = decompress;\n return ctx->cert_compression_algs.Push(alg);\n}\n\nvoid SSL_CTX_set_tls_channel_id_enabled(SSL_CTX *ctx, int enabled) {\n ctx->channel_id_enabled = !!enabled;\n}\n\nint SSL_CTX_enable_tls_channel_id(SSL_CTX *ctx) {\n SSL_CTX_set_tls_channel_id_enabled(ctx, 1);\n return 1;\n}\n\nvoid SSL_set_tls_channel_id_enabled(SSL *ssl, int enabled) {\n if (!ssl->config) {\n return;\n }\n ssl->config->channel_id_enabled = !!enabled;\n}\n\nint SSL_enable_tls_channel_id(SSL *ssl) {\n SSL_set_tls_channel_id_enabled(ssl, 1);\n return 1;\n}\n\nstatic int is_p256_key(EVP_PKEY *private_key) {\n const EC_KEY *ec_key = EVP_PKEY_get0_EC_KEY(private_key);\n return ec_key != NULL && EC_GROUP_get_curve_name(EC_KEY_get0_group(ec_key)) ==\n NID_X9_62_prime256v1;\n}\n\nint SSL_CTX_set1_tls_channel_id(SSL_CTX *ctx, EVP_PKEY *private_key) {\n if (!is_p256_key(private_key)) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_CHANNEL_ID_NOT_P256);\n return 0;\n }\n\n ctx->channel_id_private = UpRef(private_key);\n return 1;\n}\n\nint SSL_set1_tls_channel_id(SSL *ssl, EVP_PKEY *private_key) {\n if (!ssl->config) {\n return 0;\n }\n if (!is_p256_key(private_key)) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_CHANNEL_ID_NOT_P256);\n return 0;\n }\n\n ssl->config->channel_id_private = UpRef(private_key);\n return 1;\n}\n\nsize_t SSL_get_tls_channel_id(SSL *ssl, uint8_t *out, size_t max_out) {\n if (!ssl->s3->channel_id_valid) {\n return 0;\n }\n OPENSSL_memcpy(out, ssl->s3->channel_id, (max_out < 64) ? max_out : 64);\n return 64;\n}\n\nsize_t SSL_get0_certificate_types(const SSL *ssl, const uint8_t **out_types) {\n Span types;\n if (!ssl->server && ssl->s3->hs != nullptr) {\n types = ssl->s3->hs->certificate_types;\n }\n *out_types = types.data();\n return types.size();\n}\n\nsize_t SSL_get0_peer_verify_algorithms(const SSL *ssl,\n const uint16_t **out_sigalgs) {\n Span sigalgs;\n if (ssl->s3->hs != nullptr) {\n sigalgs = ssl->s3->hs->peer_sigalgs;\n }\n *out_sigalgs = sigalgs.data();\n return sigalgs.size();\n}\n\nsize_t SSL_get0_peer_delegation_algorithms(const SSL *ssl,\n const uint16_t **out_sigalgs) {\n Span sigalgs;\n if (ssl->s3->hs != nullptr) {\n sigalgs = ssl->s3->hs->peer_delegated_credential_sigalgs;\n }\n *out_sigalgs = sigalgs.data();\n return sigalgs.size();\n}\n\nEVP_PKEY *SSL_get_privatekey(const SSL *ssl) {\n if (!ssl->config) {\n assert(ssl->config);\n return nullptr;\n }\n return ssl->config->cert->legacy_credential->privkey.get();\n}\n\nEVP_PKEY *SSL_CTX_get0_privatekey(const SSL_CTX *ctx) {\n return ctx->cert->legacy_credential->privkey.get();\n}\n\nconst SSL_CIPHER *SSL_get_current_cipher(const SSL *ssl) {\n const SSL_SESSION *session = SSL_get_session(ssl);\n return session == nullptr ? nullptr : session->cipher;\n}\n\nint SSL_session_reused(const SSL *ssl) {\n return ssl->s3->session_reused || SSL_in_early_data(ssl);\n}\n\nconst COMP_METHOD *SSL_get_current_compression(SSL *ssl) { return NULL; }\n\nconst COMP_METHOD *SSL_get_current_expansion(SSL *ssl) { return NULL; }\n\nint SSL_get_server_tmp_key(SSL *ssl, EVP_PKEY **out_key) { return 0; }\n\nvoid SSL_CTX_set_quiet_shutdown(SSL_CTX *ctx, int mode) {\n ctx->quiet_shutdown = (mode != 0);\n}\n\nint SSL_CTX_get_quiet_shutdown(const SSL_CTX *ctx) {\n return ctx->quiet_shutdown;\n}\n\nvoid SSL_set_quiet_shutdown(SSL *ssl, int mode) {\n ssl->quiet_shutdown = (mode != 0);\n}\n\nint SSL_get_quiet_shutdown(const SSL *ssl) { return ssl->quiet_shutdown; }\n\nvoid SSL_set_shutdown(SSL *ssl, int mode) {\n // It is an error to clear any bits that have already been set. (We can't try\n // to get a second close_notify or send two.)\n assert((SSL_get_shutdown(ssl) & mode) == SSL_get_shutdown(ssl));\n\n if (mode & SSL_RECEIVED_SHUTDOWN &&\n ssl->s3->read_shutdown == ssl_shutdown_none) {\n ssl->s3->read_shutdown = ssl_shutdown_close_notify;\n }\n\n if (mode & SSL_SENT_SHUTDOWN &&\n ssl->s3->write_shutdown == ssl_shutdown_none) {\n ssl->s3->write_shutdown = ssl_shutdown_close_notify;\n }\n}\n\nint SSL_get_shutdown(const SSL *ssl) {\n int ret = 0;\n if (ssl->s3->read_shutdown != ssl_shutdown_none) {\n // Historically, OpenSSL set |SSL_RECEIVED_SHUTDOWN| on both close_notify\n // and fatal alert.\n ret |= SSL_RECEIVED_SHUTDOWN;\n }\n if (ssl->s3->write_shutdown == ssl_shutdown_close_notify) {\n // Historically, OpenSSL set |SSL_SENT_SHUTDOWN| on only close_notify.\n ret |= SSL_SENT_SHUTDOWN;\n }\n return ret;\n}\n\nSSL_CTX *SSL_get_SSL_CTX(const SSL *ssl) { return ssl->ctx.get(); }\n\nSSL_CTX *SSL_set_SSL_CTX(SSL *ssl, SSL_CTX *ctx) {\n if (!ssl->config) {\n return NULL;\n }\n if (ssl->ctx.get() == ctx) {\n return ssl->ctx.get();\n }\n\n // One cannot change the X.509 callbacks during a connection.\n if (ssl->ctx->x509_method != ctx->x509_method) {\n assert(0);\n return NULL;\n }\n\n UniquePtr new_cert = ssl_cert_dup(ctx->cert.get());\n if (!new_cert) {\n return nullptr;\n }\n\n ssl->config->cert = std::move(new_cert);\n ssl->ctx = UpRef(ctx);\n ssl->enable_early_data = ssl->ctx->enable_early_data;\n\n return ssl->ctx.get();\n}\n\nvoid SSL_set_info_callback(SSL *ssl,\n void (*cb)(const SSL *ssl, int type, int value)) {\n ssl->info_callback = cb;\n}\n\nvoid (*SSL_get_info_callback(const SSL *ssl))(const SSL *ssl, int type,\n int value) {\n return ssl->info_callback;\n}\n\nint SSL_state(const SSL *ssl) {\n return SSL_in_init(ssl) ? SSL_ST_INIT : SSL_ST_OK;\n}\n\nvoid SSL_set_state(SSL *ssl, int state) {}\n\nchar *SSL_get_shared_ciphers(const SSL *ssl, char *buf, int len) {\n if (len <= 0) {\n return NULL;\n }\n buf[0] = '\\0';\n return buf;\n}\n\nint SSL_get_shared_sigalgs(SSL *ssl, int idx, int *psign, int *phash,\n int *psignandhash, uint8_t *rsig, uint8_t *rhash) {\n return 0;\n}\n\nint SSL_CTX_set_quic_method(SSL_CTX *ctx, const SSL_QUIC_METHOD *quic_method) {\n if (ctx->method->is_dtls) {\n return 0;\n }\n ctx->quic_method = quic_method;\n return 1;\n}\n\nint SSL_set_quic_method(SSL *ssl, const SSL_QUIC_METHOD *quic_method) {\n if (ssl->method->is_dtls) {\n return 0;\n }\n ssl->quic_method = quic_method;\n return 1;\n}\n\nint SSL_get_ex_new_index(long argl, void *argp, CRYPTO_EX_unused *unused,\n CRYPTO_EX_dup *dup_unused, CRYPTO_EX_free *free_func) {\n return CRYPTO_get_ex_new_index_ex(&g_ex_data_class_ssl, argl, argp,\n free_func);\n}\n\nint SSL_set_ex_data(SSL *ssl, int idx, void *data) {\n return CRYPTO_set_ex_data(&ssl->ex_data, idx, data);\n}\n\nvoid *SSL_get_ex_data(const SSL *ssl, int idx) {\n return CRYPTO_get_ex_data(&ssl->ex_data, idx);\n}\n\nint SSL_CTX_get_ex_new_index(long argl, void *argp, CRYPTO_EX_unused *unused,\n CRYPTO_EX_dup *dup_unused,\n CRYPTO_EX_free *free_func) {\n return CRYPTO_get_ex_new_index_ex(&g_ex_data_class_ssl_ctx, argl, argp,\n free_func);\n}\n\nint SSL_CTX_set_ex_data(SSL_CTX *ctx, int idx, void *data) {\n return CRYPTO_set_ex_data(&ctx->ex_data, idx, data);\n}\n\nvoid *SSL_CTX_get_ex_data(const SSL_CTX *ctx, int idx) {\n return CRYPTO_get_ex_data(&ctx->ex_data, idx);\n}\n\nint SSL_want(const SSL *ssl) {\n // Historically, OpenSSL did not track |SSL_ERROR_ZERO_RETURN| as an |rwstate|\n // value. We do, but map it back to |SSL_ERROR_NONE| to preserve the original\n // behavior.\n return ssl->s3->rwstate == SSL_ERROR_ZERO_RETURN ? SSL_ERROR_NONE\n : ssl->s3->rwstate;\n}\n\nvoid SSL_CTX_set_tmp_rsa_callback(SSL_CTX *ctx,\n RSA *(*cb)(SSL *ssl, int is_export,\n int keylength)) {}\n\nvoid SSL_set_tmp_rsa_callback(SSL *ssl, RSA *(*cb)(SSL *ssl, int is_export,\n int keylength)) {}\n\nvoid SSL_CTX_set_tmp_dh_callback(SSL_CTX *ctx,\n DH *(*cb)(SSL *ssl, int is_export,\n int keylength)) {}\n\nvoid SSL_set_tmp_dh_callback(SSL *ssl, DH *(*cb)(SSL *ssl, int is_export,\n int keylength)) {}\n\nstatic int use_psk_identity_hint(UniquePtr *out,\n const char *identity_hint) {\n if (identity_hint != NULL && strlen(identity_hint) > PSK_MAX_IDENTITY_LEN) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_DATA_LENGTH_TOO_LONG);\n return 0;\n }\n\n // Clear currently configured hint, if any.\n out->reset();\n\n // Treat the empty hint as not supplying one. Plain PSK makes it possible to\n // send either no hint (omit ServerKeyExchange) or an empty hint, while\n // ECDHE_PSK can only spell empty hint. Having different capabilities is odd,\n // so we interpret empty and missing as identical.\n if (identity_hint != NULL && identity_hint[0] != '\\0') {\n out->reset(OPENSSL_strdup(identity_hint));\n if (*out == nullptr) {\n return 0;\n }\n }\n\n return 1;\n}\n\nint SSL_CTX_use_psk_identity_hint(SSL_CTX *ctx, const char *identity_hint) {\n return use_psk_identity_hint(&ctx->psk_identity_hint, identity_hint);\n}\n\nint SSL_use_psk_identity_hint(SSL *ssl, const char *identity_hint) {\n if (!ssl->config) {\n return 0;\n }\n return use_psk_identity_hint(&ssl->config->psk_identity_hint, identity_hint);\n}\n\nconst char *SSL_get_psk_identity_hint(const SSL *ssl) {\n if (ssl == NULL) {\n return NULL;\n }\n if (ssl->config == NULL) {\n assert(ssl->config);\n return NULL;\n }\n return ssl->config->psk_identity_hint.get();\n}\n\nconst char *SSL_get_psk_identity(const SSL *ssl) {\n if (ssl == NULL) {\n return NULL;\n }\n SSL_SESSION *session = SSL_get_session(ssl);\n if (session == NULL) {\n return NULL;\n }\n return session->psk_identity.get();\n}\n\nvoid SSL_set_psk_client_callback(\n SSL *ssl, unsigned (*cb)(SSL *ssl, const char *hint, char *identity,\n unsigned max_identity_len, uint8_t *psk,\n unsigned max_psk_len)) {\n if (!ssl->config) {\n return;\n }\n ssl->config->psk_client_callback = cb;\n}\n\nvoid SSL_CTX_set_psk_client_callback(\n SSL_CTX *ctx, unsigned (*cb)(SSL *ssl, const char *hint, char *identity,\n unsigned max_identity_len, uint8_t *psk,\n unsigned max_psk_len)) {\n ctx->psk_client_callback = cb;\n}\n\nvoid SSL_set_psk_server_callback(SSL *ssl,\n unsigned (*cb)(SSL *ssl, const char *identity,\n uint8_t *psk,\n unsigned max_psk_len)) {\n if (!ssl->config) {\n return;\n }\n ssl->config->psk_server_callback = cb;\n}\n\nvoid SSL_CTX_set_psk_server_callback(\n SSL_CTX *ctx, unsigned (*cb)(SSL *ssl, const char *identity, uint8_t *psk,\n unsigned max_psk_len)) {\n ctx->psk_server_callback = cb;\n}\n\nvoid SSL_CTX_set_msg_callback(SSL_CTX *ctx,\n void (*cb)(int write_p, int version,\n int content_type, const void *buf,\n size_t len, SSL *ssl, void *arg)) {\n ctx->msg_callback = cb;\n}\n\nvoid SSL_CTX_set_msg_callback_arg(SSL_CTX *ctx, void *arg) {\n ctx->msg_callback_arg = arg;\n}\n\nvoid SSL_set_msg_callback(SSL *ssl,\n void (*cb)(int write_p, int version, int content_type,\n const void *buf, size_t len, SSL *ssl,\n void *arg)) {\n ssl->msg_callback = cb;\n}\n\nvoid SSL_set_msg_callback_arg(SSL *ssl, void *arg) {\n ssl->msg_callback_arg = arg;\n}\n\nvoid SSL_CTX_set_keylog_callback(SSL_CTX *ctx,\n void (*cb)(const SSL *ssl, const char *line)) {\n ctx->keylog_callback = cb;\n}\n\nvoid (*SSL_CTX_get_keylog_callback(const SSL_CTX *ctx))(const SSL *ssl,\n const char *line) {\n return ctx->keylog_callback;\n}\n\nvoid SSL_CTX_set_current_time_cb(SSL_CTX *ctx,\n void (*cb)(const SSL *ssl,\n struct timeval *out_clock)) {\n ctx->current_time_cb = cb;\n}\n\nint SSL_can_release_private_key(const SSL *ssl) {\n if (ssl_can_renegotiate(ssl)) {\n // If the connection can renegotiate (client only), the private key may be\n // used in a future handshake.\n return 0;\n }\n\n // Otherwise, this is determined by the current handshake.\n return !ssl->s3->hs || ssl->s3->hs->can_release_private_key;\n}\n\nint SSL_is_init_finished(const SSL *ssl) { return !SSL_in_init(ssl); }\n\nint SSL_in_init(const SSL *ssl) {\n // This returns false once all the handshake state has been finalized, to\n // allow callbacks and getters based on SSL_in_init to return the correct\n // values.\n SSL_HANDSHAKE *hs = ssl->s3->hs.get();\n return hs != nullptr && !hs->handshake_finalized;\n}\n\nint SSL_in_false_start(const SSL *ssl) {\n if (ssl->s3->hs == NULL) {\n return 0;\n }\n return ssl->s3->hs->in_false_start;\n}\n\nint SSL_cutthrough_complete(const SSL *ssl) { return SSL_in_false_start(ssl); }\n\nint SSL_is_server(const SSL *ssl) { return ssl->server; }\n\nint SSL_is_dtls(const SSL *ssl) { return ssl->method->is_dtls; }\n\nint SSL_is_quic(const SSL *ssl) { return ssl->quic_method != nullptr; }\n\nvoid SSL_CTX_set_select_certificate_cb(\n SSL_CTX *ctx,\n enum ssl_select_cert_result_t (*cb)(const SSL_CLIENT_HELLO *)) {\n ctx->select_certificate_cb = cb;\n}\n\nvoid SSL_CTX_set_dos_protection_cb(SSL_CTX *ctx,\n int (*cb)(const SSL_CLIENT_HELLO *)) {\n ctx->dos_protection_cb = cb;\n}\n\nvoid SSL_CTX_set_reverify_on_resume(SSL_CTX *ctx, int enabled) {\n ctx->reverify_on_resume = !!enabled;\n}\n\nvoid SSL_set_enforce_rsa_key_usage(SSL *ssl, int enabled) {\n if (!ssl->config) {\n return;\n }\n ssl->config->enforce_rsa_key_usage = !!enabled;\n}\n\nint SSL_was_key_usage_invalid(const SSL *ssl) {\n return ssl->s3->was_key_usage_invalid;\n}\n\nvoid SSL_set_renegotiate_mode(SSL *ssl, enum ssl_renegotiate_mode_t mode) {\n ssl->renegotiate_mode = mode;\n\n // Check if |ssl_can_renegotiate| has changed and the configuration may now be\n // shed. HTTP clients may initially allow renegotiation for HTTP/1.1, and then\n // disable after the handshake once the ALPN protocol is known to be HTTP/2.\n ssl_maybe_shed_handshake_config(ssl);\n}\n\nint SSL_get_ivs(const SSL *ssl, const uint8_t **out_read_iv,\n const uint8_t **out_write_iv, size_t *out_iv_len) {\n // No cipher suites maintain stateful internal IVs in DTLS. It would not be\n // compatible with reordering.\n if (SSL_is_dtls(ssl)) {\n OPENSSL_PUT_ERROR(SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);\n return 0;\n }\n\n size_t write_iv_len;\n if (!ssl->s3->aead_read_ctx->GetIV(out_read_iv, out_iv_len) ||\n !ssl->s3->aead_write_ctx->GetIV(out_write_iv, &write_iv_len) ||\n *out_iv_len != write_iv_len) {\n return 0;\n }\n\n return 1;\n}\n\nuint64_t SSL_get_read_sequence(const SSL *ssl) {\n if (SSL_is_dtls(ssl)) {\n // TODO(crbug.com/42290608): This API needs to reworked.\n //\n // In DTLS 1.2, right at an epoch transition, |read_epoch| may not have\n // received any records. We will then return that sequence 0 is the highest\n // received, but it's really -1, which is not representable. This is mostly\n // moot because, after the handshake, we will never be in the state.\n //\n // In DTLS 1.3, epochs do not transition until the first record comes in.\n // This avoids the DTLS 1.2 problem but introduces a different problem:\n // during a KeyUpdate (which may occur in the steady state), both epochs are\n // live. We'll likely need a new API for DTLS offload.\n const DTLSReadEpoch *read_epoch = &ssl->d1->read_epoch;\n return DTLSRecordNumber(read_epoch->epoch, read_epoch->bitmap.max_seq_num())\n .combined();\n }\n return ssl->s3->read_sequence;\n}\n\nuint64_t SSL_get_write_sequence(const SSL *ssl) {\n if (SSL_is_dtls(ssl)) {\n return ssl->d1->write_epoch.next_record.combined();\n }\n\n return ssl->s3->write_sequence;\n}\n\nuint16_t SSL_get_peer_signature_algorithm(const SSL *ssl) {\n SSL_SESSION *session = SSL_get_session(ssl);\n if (session == NULL) {\n return 0;\n }\n\n return session->peer_signature_algorithm;\n}\n\nsize_t SSL_get_client_random(const SSL *ssl, uint8_t *out, size_t max_out) {\n if (max_out == 0) {\n return sizeof(ssl->s3->client_random);\n }\n if (max_out > sizeof(ssl->s3->client_random)) {\n max_out = sizeof(ssl->s3->client_random);\n }\n OPENSSL_memcpy(out, ssl->s3->client_random, max_out);\n return max_out;\n}\n\nsize_t SSL_get_server_random(const SSL *ssl, uint8_t *out, size_t max_out) {\n if (max_out == 0) {\n return sizeof(ssl->s3->server_random);\n }\n if (max_out > sizeof(ssl->s3->server_random)) {\n max_out = sizeof(ssl->s3->server_random);\n }\n OPENSSL_memcpy(out, ssl->s3->server_random, max_out);\n return max_out;\n}\n\nconst SSL_CIPHER *SSL_get_pending_cipher(const SSL *ssl) {\n SSL_HANDSHAKE *hs = ssl->s3->hs.get();\n if (hs == NULL) {\n return NULL;\n }\n return hs->new_cipher;\n}\n\nvoid SSL_set_retain_only_sha256_of_client_certs(SSL *ssl, int enabled) {\n if (!ssl->config) {\n return;\n }\n ssl->config->retain_only_sha256_of_client_certs = !!enabled;\n}\n\nvoid SSL_CTX_set_retain_only_sha256_of_client_certs(SSL_CTX *ctx, int enabled) {\n ctx->retain_only_sha256_of_client_certs = !!enabled;\n}\n\nvoid SSL_CTX_set_grease_enabled(SSL_CTX *ctx, int enabled) {\n ctx->grease_enabled = !!enabled;\n}\n\nvoid SSL_CTX_set_permute_extensions(SSL_CTX *ctx, int enabled) {\n ctx->permute_extensions = !!enabled;\n}\n\nvoid SSL_set_permute_extensions(SSL *ssl, int enabled) {\n if (!ssl->config) {\n return;\n }\n ssl->config->permute_extensions = !!enabled;\n}\n\nint32_t SSL_get_ticket_age_skew(const SSL *ssl) {\n return ssl->s3->ticket_age_skew;\n}\n\nvoid SSL_CTX_set_false_start_allowed_without_alpn(SSL_CTX *ctx, int allowed) {\n ctx->false_start_allowed_without_alpn = !!allowed;\n}\n\nint SSL_used_hello_retry_request(const SSL *ssl) {\n return ssl->s3->used_hello_retry_request;\n}\n\nvoid SSL_set_shed_handshake_config(SSL *ssl, int enable) {\n if (!ssl->config) {\n return;\n }\n ssl->config->shed_handshake_config = !!enable;\n}\n\nvoid SSL_set_jdk11_workaround(SSL *ssl, int enable) {\n if (!ssl->config) {\n return;\n }\n ssl->config->jdk11_workaround = !!enable;\n}\n\nvoid SSL_set_check_client_certificate_type(SSL *ssl, int enable) {\n if (!ssl->config) {\n return;\n }\n ssl->config->check_client_certificate_type = !!enable;\n}\n\nvoid SSL_set_check_ecdsa_curve(SSL *ssl, int enable) {\n if (!ssl->config) {\n return;\n }\n ssl->config->check_ecdsa_curve = !!enable;\n}\n\nvoid SSL_set_quic_use_legacy_codepoint(SSL *ssl, int use_legacy) {\n if (!ssl->config) {\n return;\n }\n ssl->config->quic_use_legacy_codepoint = !!use_legacy;\n}\n\nint SSL_clear(SSL *ssl) {\n if (!ssl->config) {\n return 0; // SSL_clear may not be used after shedding config.\n }\n\n // In OpenSSL, reusing a client |SSL| with |SSL_clear| causes the previously\n // established session to be offered the next time around. wpa_supplicant\n // depends on this behavior, so emulate it.\n UniquePtr session;\n if (!ssl->server && ssl->s3->established_session != NULL) {\n session = UpRef(ssl->s3->established_session);\n }\n\n // The ssl->d1->mtu is simultaneously configuration (preserved across\n // clear) and connection-specific state (gets reset).\n //\n // TODO(davidben): Avoid this.\n unsigned mtu = 0;\n if (ssl->d1 != NULL) {\n mtu = ssl->d1->mtu;\n }\n\n ssl->method->ssl_free(ssl);\n if (!ssl->method->ssl_new(ssl)) {\n return 0;\n }\n\n if (SSL_is_dtls(ssl) && (SSL_get_options(ssl) & SSL_OP_NO_QUERY_MTU)) {\n ssl->d1->mtu = mtu;\n }\n\n if (session != nullptr) {\n SSL_set_session(ssl, session.get());\n }\n\n return 1;\n}\n\nint SSL_CTX_sess_connect(const SSL_CTX *ctx) { return 0; }\nint SSL_CTX_sess_connect_good(const SSL_CTX *ctx) { return 0; }\nint SSL_CTX_sess_connect_renegotiate(const SSL_CTX *ctx) { return 0; }\nint SSL_CTX_sess_accept(const SSL_CTX *ctx) { return 0; }\nint SSL_CTX_sess_accept_renegotiate(const SSL_CTX *ctx) { return 0; }\nint SSL_CTX_sess_accept_good(const SSL_CTX *ctx) { return 0; }\nint SSL_CTX_sess_hits(const SSL_CTX *ctx) { return 0; }\nint SSL_CTX_sess_cb_hits(const SSL_CTX *ctx) { return 0; }\nint SSL_CTX_sess_misses(const SSL_CTX *ctx) { return 0; }\nint SSL_CTX_sess_timeouts(const SSL_CTX *ctx) { return 0; }\nint SSL_CTX_sess_cache_full(const SSL_CTX *ctx) { return 0; }\n\nint SSL_num_renegotiations(const SSL *ssl) {\n return SSL_total_renegotiations(ssl);\n}\n\nint SSL_CTX_need_tmp_RSA(const SSL_CTX *ctx) { return 0; }\nint SSL_need_tmp_RSA(const SSL *ssl) { return 0; }\nint SSL_CTX_set_tmp_rsa(SSL_CTX *ctx, const RSA *rsa) { return 1; }\nint SSL_set_tmp_rsa(SSL *ssl, const RSA *rsa) { return 1; }\nvoid ERR_load_SSL_strings(void) {}\nvoid SSL_load_error_strings(void) {}\nint SSL_cache_hit(SSL *ssl) { return SSL_session_reused(ssl); }\n\nint SSL_CTX_set_tmp_ecdh(SSL_CTX *ctx, const EC_KEY *ec_key) {\n if (ec_key == NULL || EC_KEY_get0_group(ec_key) == NULL) {\n OPENSSL_PUT_ERROR(SSL, ERR_R_PASSED_NULL_PARAMETER);\n return 0;\n }\n int nid = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec_key));\n return SSL_CTX_set1_groups(ctx, &nid, 1);\n}\n\nint SSL_set_tmp_ecdh(SSL *ssl, const EC_KEY *ec_key) {\n if (ec_key == NULL || EC_KEY_get0_group(ec_key) == NULL) {\n OPENSSL_PUT_ERROR(SSL, ERR_R_PASSED_NULL_PARAMETER);\n return 0;\n }\n int nid = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec_key));\n return SSL_set1_groups(ssl, &nid, 1);\n}\n\nvoid SSL_CTX_set_ticket_aead_method(SSL_CTX *ctx,\n const SSL_TICKET_AEAD_METHOD *aead_method) {\n ctx->ticket_aead_method = aead_method;\n}\n\nSSL_SESSION *SSL_process_tls13_new_session_ticket(SSL *ssl, const uint8_t *buf,\n size_t buf_len) {\n if (SSL_in_init(ssl) || //\n ssl_protocol_version(ssl) != TLS1_3_VERSION || //\n ssl->server) {\n // Only TLS 1.3 clients are supported.\n OPENSSL_PUT_ERROR(SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);\n return nullptr;\n }\n\n CBS cbs, body;\n CBS_init(&cbs, buf, buf_len);\n uint8_t type;\n if (!CBS_get_u8(&cbs, &type) || //\n !CBS_get_u24_length_prefixed(&cbs, &body) || //\n CBS_len(&cbs) != 0) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);\n return nullptr;\n }\n\n UniquePtr session = tls13_create_session_with_ticket(ssl, &body);\n if (!session) {\n // |tls13_create_session_with_ticket| puts the correct error.\n return nullptr;\n }\n return session.release();\n}\n\nint SSL_CTX_set_num_tickets(SSL_CTX *ctx, size_t num_tickets) {\n num_tickets = std::min(num_tickets, kMaxTickets);\n static_assert(kMaxTickets <= 0xff, \"Too many tickets.\");\n ctx->num_tickets = static_cast(num_tickets);\n return 1;\n}\n\nsize_t SSL_CTX_get_num_tickets(const SSL_CTX *ctx) { return ctx->num_tickets; }\n\nint SSL_set_tlsext_status_type(SSL *ssl, int type) {\n if (!ssl->config) {\n return 0;\n }\n ssl->config->ocsp_stapling_enabled = type == TLSEXT_STATUSTYPE_ocsp;\n return 1;\n}\n\nint SSL_get_tlsext_status_type(const SSL *ssl) {\n if (ssl->server) {\n SSL_HANDSHAKE *hs = ssl->s3->hs.get();\n return hs != nullptr && hs->ocsp_stapling_requested\n ? TLSEXT_STATUSTYPE_ocsp\n : TLSEXT_STATUSTYPE_nothing;\n }\n\n return ssl->config != nullptr && ssl->config->ocsp_stapling_enabled\n ? TLSEXT_STATUSTYPE_ocsp\n : TLSEXT_STATUSTYPE_nothing;\n}\n\nint SSL_set_tlsext_status_ocsp_resp(SSL *ssl, uint8_t *resp, size_t resp_len) {\n if (SSL_set_ocsp_response(ssl, resp, resp_len)) {\n OPENSSL_free(resp);\n return 1;\n }\n return 0;\n}\n\nsize_t SSL_get_tlsext_status_ocsp_resp(const SSL *ssl, const uint8_t **out) {\n size_t ret;\n SSL_get0_ocsp_response(ssl, out, &ret);\n return ret;\n}\n\nint SSL_CTX_set_tlsext_status_cb(SSL_CTX *ctx,\n int (*callback)(SSL *ssl, void *arg)) {\n ctx->legacy_ocsp_callback = callback;\n return 1;\n}\n\nint SSL_CTX_set_tlsext_status_arg(SSL_CTX *ctx, void *arg) {\n ctx->legacy_ocsp_callback_arg = arg;\n return 1;\n}\n\nuint16_t SSL_get_curve_id(const SSL *ssl) { return SSL_get_group_id(ssl); }\n\nconst char *SSL_get_curve_name(uint16_t curve_id) {\n return SSL_get_group_name(curve_id);\n}\n\nsize_t SSL_get_all_curve_names(const char **out, size_t max_out) {\n return SSL_get_all_group_names(out, max_out);\n}\n\nint SSL_CTX_set1_curves(SSL_CTX *ctx, const int *curves, size_t num_curves) {\n return SSL_CTX_set1_groups(ctx, curves, num_curves);\n}\n\nint SSL_set1_curves(SSL *ssl, const int *curves, size_t num_curves) {\n return SSL_set1_groups(ssl, curves, num_curves);\n}\n\nint SSL_CTX_set1_curves_list(SSL_CTX *ctx, const char *curves) {\n return SSL_CTX_set1_groups_list(ctx, curves);\n}\n\nint SSL_set1_curves_list(SSL *ssl, const char *curves) {\n return SSL_set1_groups_list(ssl, curves);\n}\n\nnamespace fips202205 {\n\n// (References are to SP 800-52r2):\n\n// Section 3.4.2.2\n// \"at least one of the NIST-approved curves, P-256 (secp256r1) and P384\n// (secp384r1), shall be supported as described in RFC 8422.\"\n//\n// Section 3.3.1\n// \"The server shall be configured to only use cipher suites that are\n// composed entirely of NIST approved algorithms\"\nstatic const uint16_t kGroups[] = {SSL_GROUP_SECP256R1, SSL_GROUP_SECP384R1};\n\nstatic const uint16_t kSigAlgs[] = {\n SSL_SIGN_RSA_PKCS1_SHA256,\n SSL_SIGN_RSA_PKCS1_SHA384,\n SSL_SIGN_RSA_PKCS1_SHA512,\n // Table 4.1:\n // \"The curve should be P-256 or P-384\"\n SSL_SIGN_ECDSA_SECP256R1_SHA256,\n SSL_SIGN_ECDSA_SECP384R1_SHA384,\n SSL_SIGN_RSA_PSS_RSAE_SHA256,\n SSL_SIGN_RSA_PSS_RSAE_SHA384,\n SSL_SIGN_RSA_PSS_RSAE_SHA512,\n};\n\nstatic const char kTLS12Ciphers[] =\n \"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:\"\n \"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:\"\n \"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384:\"\n \"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384\";\n\nstatic int Configure(SSL_CTX *ctx) {\n ctx->compliance_policy = ssl_compliance_policy_fips_202205;\n\n return\n // Section 3.1:\n // \"Servers that support government-only applications shall be\n // configured to use TLS 1.2 and should be configured to use TLS 1.3\n // as well. These servers should not be configured to use TLS 1.1 and\n // shall not use TLS 1.0, SSL 3.0, or SSL 2.0.\n SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION) &&\n SSL_CTX_set_max_proto_version(ctx, TLS1_3_VERSION) &&\n // Sections 3.3.1.1.1 and 3.3.1.1.2 are ambiguous about whether\n // HMAC-SHA-1 cipher suites are permitted with TLS 1.2. However, later the\n // Encrypt-then-MAC extension is required for all CBC cipher suites and so\n // it's easier to drop them.\n SSL_CTX_set_strict_cipher_list(ctx, kTLS12Ciphers) &&\n SSL_CTX_set1_group_ids(ctx, kGroups, OPENSSL_ARRAY_SIZE(kGroups)) &&\n SSL_CTX_set_signing_algorithm_prefs(ctx, kSigAlgs,\n OPENSSL_ARRAY_SIZE(kSigAlgs)) &&\n SSL_CTX_set_verify_algorithm_prefs(ctx, kSigAlgs,\n OPENSSL_ARRAY_SIZE(kSigAlgs));\n}\n\nstatic int Configure(SSL *ssl) {\n ssl->config->compliance_policy = ssl_compliance_policy_fips_202205;\n\n // See |Configure(SSL_CTX)|, above, for reasoning.\n return SSL_set_min_proto_version(ssl, TLS1_2_VERSION) &&\n SSL_set_max_proto_version(ssl, TLS1_3_VERSION) &&\n SSL_set_strict_cipher_list(ssl, kTLS12Ciphers) &&\n SSL_set1_group_ids(ssl, kGroups, OPENSSL_ARRAY_SIZE(kGroups)) &&\n SSL_set_signing_algorithm_prefs(ssl, kSigAlgs,\n OPENSSL_ARRAY_SIZE(kSigAlgs)) &&\n SSL_set_verify_algorithm_prefs(ssl, kSigAlgs,\n OPENSSL_ARRAY_SIZE(kSigAlgs));\n}\n\n} // namespace fips202205\n\nnamespace wpa202304 {\n\n// See WPA version 3.1, section 3.5.\n\nstatic const uint16_t kGroups[] = {SSL_GROUP_SECP384R1};\n\nstatic const uint16_t kSigAlgs[] = {\n SSL_SIGN_RSA_PKCS1_SHA384, //\n SSL_SIGN_RSA_PKCS1_SHA512, //\n SSL_SIGN_ECDSA_SECP384R1_SHA384, //\n SSL_SIGN_RSA_PSS_RSAE_SHA384, //\n SSL_SIGN_RSA_PSS_RSAE_SHA512, //\n};\n\nstatic const char kTLS12Ciphers[] =\n \"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384:\"\n \"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384\";\n\nstatic int Configure(SSL_CTX *ctx) {\n ctx->compliance_policy = ssl_compliance_policy_wpa3_192_202304;\n\n return SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION) &&\n SSL_CTX_set_max_proto_version(ctx, TLS1_3_VERSION) &&\n SSL_CTX_set_strict_cipher_list(ctx, kTLS12Ciphers) &&\n SSL_CTX_set1_group_ids(ctx, kGroups, OPENSSL_ARRAY_SIZE(kGroups)) &&\n SSL_CTX_set_signing_algorithm_prefs(ctx, kSigAlgs,\n OPENSSL_ARRAY_SIZE(kSigAlgs)) &&\n SSL_CTX_set_verify_algorithm_prefs(ctx, kSigAlgs,\n OPENSSL_ARRAY_SIZE(kSigAlgs));\n}\n\nstatic int Configure(SSL *ssl) {\n ssl->config->compliance_policy = ssl_compliance_policy_wpa3_192_202304;\n\n return SSL_set_min_proto_version(ssl, TLS1_2_VERSION) &&\n SSL_set_max_proto_version(ssl, TLS1_3_VERSION) &&\n SSL_set_strict_cipher_list(ssl, kTLS12Ciphers) &&\n SSL_set1_group_ids(ssl, kGroups, OPENSSL_ARRAY_SIZE(kGroups)) &&\n SSL_set_signing_algorithm_prefs(ssl, kSigAlgs,\n OPENSSL_ARRAY_SIZE(kSigAlgs)) &&\n SSL_set_verify_algorithm_prefs(ssl, kSigAlgs,\n OPENSSL_ARRAY_SIZE(kSigAlgs));\n}\n\n} // namespace wpa202304\n\nnamespace cnsa202407 {\n\nstatic int Configure(SSL_CTX *ctx) {\n ctx->compliance_policy = ssl_compliance_policy_cnsa_202407;\n return 1;\n}\n\nstatic int Configure(SSL *ssl) {\n ssl->config->compliance_policy = ssl_compliance_policy_cnsa_202407;\n return 1;\n}\n\n} // namespace cnsa202407\n\nint SSL_CTX_set_compliance_policy(SSL_CTX *ctx,\n enum ssl_compliance_policy_t policy) {\n switch (policy) {\n case ssl_compliance_policy_fips_202205:\n return fips202205::Configure(ctx);\n case ssl_compliance_policy_wpa3_192_202304:\n return wpa202304::Configure(ctx);\n case ssl_compliance_policy_cnsa_202407:\n return cnsa202407::Configure(ctx);\n default:\n return 0;\n }\n}\n\nenum ssl_compliance_policy_t SSL_CTX_get_compliance_policy(const SSL_CTX *ctx) {\n return ctx->compliance_policy;\n}\n\nint SSL_set_compliance_policy(SSL *ssl, enum ssl_compliance_policy_t policy) {\n switch (policy) {\n case ssl_compliance_policy_fips_202205:\n return fips202205::Configure(ssl);\n case ssl_compliance_policy_wpa3_192_202304:\n return wpa202304::Configure(ssl);\n case ssl_compliance_policy_cnsa_202407:\n return cnsa202407::Configure(ssl);\n default:\n return 0;\n }\n}\n\nenum ssl_compliance_policy_t SSL_get_compliance_policy(const SSL *ssl) {\n return ssl->config->compliance_policy;\n}\n" }, { "path": "Sources/CNIOBoringSSL/ssl/ssl_privkey.cc", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n#include \n\n#include \n\n#include \n#include \n#include \n#include \n#include \n#include \n\n#include \"../crypto/internal.h\"\n#include \"internal.h\"\n\n\nBSSL_NAMESPACE_BEGIN\n\nbool ssl_is_key_type_supported(int key_type) {\n return key_type == EVP_PKEY_RSA || key_type == EVP_PKEY_EC ||\n key_type == EVP_PKEY_ED25519;\n}\n\ntypedef struct {\n uint16_t sigalg;\n int pkey_type;\n int curve;\n const EVP_MD *(*digest_func)(void);\n bool is_rsa_pss;\n bool tls12_ok;\n bool tls13_ok;\n bool client_only;\n} SSL_SIGNATURE_ALGORITHM;\n\nstatic const SSL_SIGNATURE_ALGORITHM kSignatureAlgorithms[] = {\n // PKCS#1 v1.5 code points are only allowed in TLS 1.2.\n {SSL_SIGN_RSA_PKCS1_MD5_SHA1, EVP_PKEY_RSA, NID_undef, &EVP_md5_sha1,\n /*is_rsa_pss=*/false, /*tls12_ok=*/true, /*tls13_ok=*/false,\n /*client_only=*/false},\n {SSL_SIGN_RSA_PKCS1_SHA1, EVP_PKEY_RSA, NID_undef, &EVP_sha1,\n /*is_rsa_pss=*/false, /*tls12_ok=*/true, /*tls13_ok=*/false,\n /*client_only=*/false},\n {SSL_SIGN_RSA_PKCS1_SHA256, EVP_PKEY_RSA, NID_undef, &EVP_sha256,\n /*is_rsa_pss=*/false, /*tls12_ok=*/true, /*tls13_ok=*/false,\n /*client_only=*/false},\n {SSL_SIGN_RSA_PKCS1_SHA384, EVP_PKEY_RSA, NID_undef, &EVP_sha384,\n /*is_rsa_pss=*/false, /*tls12_ok=*/true, /*tls13_ok=*/false,\n /*client_only=*/false},\n {SSL_SIGN_RSA_PKCS1_SHA512, EVP_PKEY_RSA, NID_undef, &EVP_sha512,\n /*is_rsa_pss=*/false, /*tls12_ok=*/true, /*tls13_ok=*/false,\n /*client_only=*/false},\n\n // Legacy PKCS#1 v1.5 code points are only allowed in TLS 1.3 and\n // client-only. See draft-ietf-tls-tls13-pkcs1-00.\n {SSL_SIGN_RSA_PKCS1_SHA256_LEGACY, EVP_PKEY_RSA, NID_undef, &EVP_sha256,\n /*is_rsa_pss=*/false, /*tls12_ok=*/false, /*tls13_ok=*/true,\n /*client_only=*/true},\n\n {SSL_SIGN_RSA_PSS_RSAE_SHA256, EVP_PKEY_RSA, NID_undef, &EVP_sha256,\n /*is_rsa_pss=*/true, /*tls12_ok=*/true, /*tls13_ok=*/true,\n /*client_only=*/false},\n {SSL_SIGN_RSA_PSS_RSAE_SHA384, EVP_PKEY_RSA, NID_undef, &EVP_sha384,\n /*is_rsa_pss=*/true, /*tls12_ok=*/true, /*tls13_ok=*/true,\n /*client_only=*/false},\n {SSL_SIGN_RSA_PSS_RSAE_SHA512, EVP_PKEY_RSA, NID_undef, &EVP_sha512,\n /*is_rsa_pss=*/true, /*tls12_ok=*/true, /*tls13_ok=*/true,\n /*client_only=*/false},\n\n {SSL_SIGN_ECDSA_SHA1, EVP_PKEY_EC, NID_undef, &EVP_sha1,\n /*is_rsa_pss=*/false, /*tls12_ok=*/true, /*tls13_ok=*/false,\n /*client_only=*/false},\n {SSL_SIGN_ECDSA_SECP256R1_SHA256, EVP_PKEY_EC, NID_X9_62_prime256v1,\n &EVP_sha256, /*is_rsa_pss=*/false, /*tls12_ok=*/true, /*tls13_ok=*/true,\n /*client_only=*/false},\n {SSL_SIGN_ECDSA_SECP384R1_SHA384, EVP_PKEY_EC, NID_secp384r1, &EVP_sha384,\n /*is_rsa_pss=*/false, /*tls12_ok=*/true, /*tls13_ok=*/true,\n /*client_only=*/false},\n {SSL_SIGN_ECDSA_SECP521R1_SHA512, EVP_PKEY_EC, NID_secp521r1, &EVP_sha512,\n /*is_rsa_pss=*/false, /*tls12_ok=*/true, /*tls13_ok=*/true,\n /*client_only=*/false},\n\n {SSL_SIGN_ED25519, EVP_PKEY_ED25519, NID_undef, nullptr,\n /*is_rsa_pss=*/false, /*tls12_ok=*/true, /*tls13_ok=*/true,\n /*client_only=*/false},\n};\n\nstatic const SSL_SIGNATURE_ALGORITHM *get_signature_algorithm(uint16_t sigalg) {\n for (size_t i = 0; i < OPENSSL_ARRAY_SIZE(kSignatureAlgorithms); i++) {\n if (kSignatureAlgorithms[i].sigalg == sigalg) {\n return &kSignatureAlgorithms[i];\n }\n }\n return NULL;\n}\n\nbool ssl_pkey_supports_algorithm(const SSL *ssl, EVP_PKEY *pkey,\n uint16_t sigalg, bool is_verify) {\n const SSL_SIGNATURE_ALGORITHM *alg = get_signature_algorithm(sigalg);\n if (alg == NULL || EVP_PKEY_id(pkey) != alg->pkey_type) {\n return false;\n }\n\n // Ensure the RSA key is large enough for the hash. RSASSA-PSS requires that\n // emLen be at least hLen + sLen + 2. Both hLen and sLen are the size of the\n // hash in TLS. Reasonable RSA key sizes are large enough for the largest\n // defined RSASSA-PSS algorithm, but 1024-bit RSA is slightly too small for\n // SHA-512. 1024-bit RSA is sometimes used for test credentials, so check the\n // size so that we can fall back to another algorithm in that case.\n if (alg->is_rsa_pss &&\n (size_t)EVP_PKEY_size(pkey) < 2 * EVP_MD_size(alg->digest_func()) + 2) {\n return false;\n }\n\n if (ssl_protocol_version(ssl) < TLS1_2_VERSION) {\n // TLS 1.0 and 1.1 do not negotiate algorithms and always sign one of two\n // hardcoded algorithms.\n return sigalg == SSL_SIGN_RSA_PKCS1_MD5_SHA1 ||\n sigalg == SSL_SIGN_ECDSA_SHA1;\n }\n\n // |SSL_SIGN_RSA_PKCS1_MD5_SHA1| is not a real SignatureScheme for TLS 1.2 and\n // higher. It is an internal value we use to represent TLS 1.0/1.1's MD5/SHA1\n // concatenation.\n if (sigalg == SSL_SIGN_RSA_PKCS1_MD5_SHA1) {\n return false;\n }\n\n if (ssl_protocol_version(ssl) >= TLS1_3_VERSION) {\n if (!alg->tls13_ok) {\n return false;\n }\n\n bool is_client_sign = ssl->server == is_verify;\n if (alg->client_only && !is_client_sign) {\n return false;\n }\n\n // EC keys have a curve requirement.\n if (alg->pkey_type == EVP_PKEY_EC &&\n (alg->curve == NID_undef ||\n EC_GROUP_get_curve_name(\n EC_KEY_get0_group(EVP_PKEY_get0_EC_KEY(pkey))) != alg->curve)) {\n return false;\n }\n } else if (!alg->tls12_ok) {\n return false;\n }\n\n return true;\n}\n\nstatic bool setup_ctx(SSL *ssl, EVP_MD_CTX *ctx, EVP_PKEY *pkey,\n uint16_t sigalg, bool is_verify) {\n if (!ssl_pkey_supports_algorithm(ssl, pkey, sigalg, is_verify)) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_SIGNATURE_TYPE);\n return false;\n }\n\n const SSL_SIGNATURE_ALGORITHM *alg = get_signature_algorithm(sigalg);\n const EVP_MD *digest = alg->digest_func != NULL ? alg->digest_func() : NULL;\n EVP_PKEY_CTX *pctx;\n if (is_verify) {\n if (!EVP_DigestVerifyInit(ctx, &pctx, digest, NULL, pkey)) {\n return false;\n }\n } else if (!EVP_DigestSignInit(ctx, &pctx, digest, NULL, pkey)) {\n return false;\n }\n\n if (alg->is_rsa_pss) {\n if (!EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) ||\n !EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1 /* salt len = hash len */)) {\n return false;\n }\n }\n\n return true;\n}\n\nenum ssl_private_key_result_t ssl_private_key_sign(\n SSL_HANDSHAKE *hs, uint8_t *out, size_t *out_len, size_t max_out,\n uint16_t sigalg, Span in) {\n SSL *const ssl = hs->ssl;\n const SSL_CREDENTIAL *const cred = hs->credential.get();\n SSL_HANDSHAKE_HINTS *const hints = hs->hints.get();\n Array spki;\n if (hints) {\n ScopedCBB spki_cbb;\n if (!CBB_init(spki_cbb.get(), 64) ||\n !EVP_marshal_public_key(spki_cbb.get(), cred->pubkey.get()) ||\n !CBBFinishArray(spki_cbb.get(), &spki)) {\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);\n return ssl_private_key_failure;\n }\n }\n\n // Replay the signature from handshake hints if available.\n if (hints && !hs->hints_requested && //\n sigalg == hints->signature_algorithm && //\n in == hints->signature_input && //\n Span(spki) == hints->signature_spki && //\n !hints->signature.empty() && //\n hints->signature.size() <= max_out) {\n // Signature algorithm and input both match. Reuse the signature from hints.\n *out_len = hints->signature.size();\n OPENSSL_memcpy(out, hints->signature.data(), hints->signature.size());\n return ssl_private_key_success;\n }\n\n const SSL_PRIVATE_KEY_METHOD *key_method = cred->key_method;\n EVP_PKEY *privkey = cred->privkey.get();\n assert(!hs->can_release_private_key);\n\n if (key_method != NULL) {\n enum ssl_private_key_result_t ret;\n if (hs->pending_private_key_op) {\n ret = key_method->complete(ssl, out, out_len, max_out);\n } else {\n ret = key_method->sign(ssl, out, out_len, max_out, sigalg, in.data(),\n in.size());\n }\n if (ret == ssl_private_key_failure) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_PRIVATE_KEY_OPERATION_FAILED);\n }\n hs->pending_private_key_op = ret == ssl_private_key_retry;\n if (ret != ssl_private_key_success) {\n return ret;\n }\n } else {\n *out_len = max_out;\n ScopedEVP_MD_CTX ctx;\n if (!setup_ctx(ssl, ctx.get(), privkey, sigalg, false /* sign */) ||\n !EVP_DigestSign(ctx.get(), out, out_len, in.data(), in.size())) {\n return ssl_private_key_failure;\n }\n }\n\n // Save the hint if applicable.\n if (hints && hs->hints_requested) {\n hints->signature_algorithm = sigalg;\n hints->signature_spki = std::move(spki);\n if (!hints->signature_input.CopyFrom(in) ||\n !hints->signature.CopyFrom(Span(out, *out_len))) {\n return ssl_private_key_failure;\n }\n }\n return ssl_private_key_success;\n}\n\nbool ssl_public_key_verify(SSL *ssl, Span signature,\n uint16_t sigalg, EVP_PKEY *pkey,\n Span in) {\n ScopedEVP_MD_CTX ctx;\n if (!setup_ctx(ssl, ctx.get(), pkey, sigalg, true /* verify */)) {\n return false;\n }\n bool ok = EVP_DigestVerify(ctx.get(), signature.data(), signature.size(),\n in.data(), in.size());\n#if defined(BORINGSSL_UNSAFE_FUZZER_MODE)\n ok = true;\n ERR_clear_error();\n#endif\n return ok;\n}\n\nenum ssl_private_key_result_t ssl_private_key_decrypt(SSL_HANDSHAKE *hs,\n uint8_t *out,\n size_t *out_len,\n size_t max_out,\n Span in) {\n SSL *const ssl = hs->ssl;\n const SSL_CREDENTIAL *const cred = hs->credential.get();\n assert(!hs->can_release_private_key);\n if (cred->key_method != NULL) {\n enum ssl_private_key_result_t ret;\n if (hs->pending_private_key_op) {\n ret = cred->key_method->complete(ssl, out, out_len, max_out);\n } else {\n ret = cred->key_method->decrypt(ssl, out, out_len, max_out, in.data(),\n in.size());\n }\n if (ret == ssl_private_key_failure) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_PRIVATE_KEY_OPERATION_FAILED);\n }\n hs->pending_private_key_op = ret == ssl_private_key_retry;\n return ret;\n }\n\n RSA *rsa = EVP_PKEY_get0_RSA(cred->privkey.get());\n if (rsa == NULL) {\n // Decrypt operations are only supported for RSA keys.\n OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);\n return ssl_private_key_failure;\n }\n\n // Decrypt with no padding. PKCS#1 padding will be removed as part of the\n // timing-sensitive code by the caller.\n if (!RSA_decrypt(rsa, out_len, out, max_out, in.data(), in.size(),\n RSA_NO_PADDING)) {\n return ssl_private_key_failure;\n }\n return ssl_private_key_success;\n}\n\nBSSL_NAMESPACE_END\n\nusing namespace bssl;\n\nint SSL_use_RSAPrivateKey(SSL *ssl, RSA *rsa) {\n if (rsa == NULL || ssl->config == NULL) {\n OPENSSL_PUT_ERROR(SSL, ERR_R_PASSED_NULL_PARAMETER);\n return 0;\n }\n\n UniquePtr pkey(EVP_PKEY_new());\n if (!pkey || //\n !EVP_PKEY_set1_RSA(pkey.get(), rsa)) {\n OPENSSL_PUT_ERROR(SSL, ERR_R_EVP_LIB);\n return 0;\n }\n\n return SSL_use_PrivateKey(ssl, pkey.get());\n}\n\nint SSL_use_RSAPrivateKey_ASN1(SSL *ssl, const uint8_t *der, size_t der_len) {\n UniquePtr rsa(RSA_private_key_from_bytes(der, der_len));\n if (!rsa) {\n OPENSSL_PUT_ERROR(SSL, ERR_R_ASN1_LIB);\n return 0;\n }\n\n return SSL_use_RSAPrivateKey(ssl, rsa.get());\n}\n\nint SSL_use_PrivateKey(SSL *ssl, EVP_PKEY *pkey) {\n if (pkey == NULL || ssl->config == NULL) {\n OPENSSL_PUT_ERROR(SSL, ERR_R_PASSED_NULL_PARAMETER);\n return 0;\n }\n\n return SSL_CREDENTIAL_set1_private_key(\n ssl->config->cert->legacy_credential.get(), pkey);\n}\n\nint SSL_use_PrivateKey_ASN1(int type, SSL *ssl, const uint8_t *der,\n size_t der_len) {\n if (der_len > LONG_MAX) {\n OPENSSL_PUT_ERROR(SSL, ERR_R_OVERFLOW);\n return 0;\n }\n\n const uint8_t *p = der;\n UniquePtr pkey(d2i_PrivateKey(type, NULL, &p, (long)der_len));\n if (!pkey || p != der + der_len) {\n OPENSSL_PUT_ERROR(SSL, ERR_R_ASN1_LIB);\n return 0;\n }\n\n return SSL_use_PrivateKey(ssl, pkey.get());\n}\n\nint SSL_CTX_use_RSAPrivateKey(SSL_CTX *ctx, RSA *rsa) {\n if (rsa == NULL) {\n OPENSSL_PUT_ERROR(SSL, ERR_R_PASSED_NULL_PARAMETER);\n return 0;\n }\n\n UniquePtr pkey(EVP_PKEY_new());\n if (!pkey || !EVP_PKEY_set1_RSA(pkey.get(), rsa)) {\n OPENSSL_PUT_ERROR(SSL, ERR_R_EVP_LIB);\n return 0;\n }\n\n return SSL_CTX_use_PrivateKey(ctx, pkey.get());\n}\n\nint SSL_CTX_use_RSAPrivateKey_ASN1(SSL_CTX *ctx, const uint8_t *der,\n size_t der_len) {\n UniquePtr rsa(RSA_private_key_from_bytes(der, der_len));\n if (!rsa) {\n OPENSSL_PUT_ERROR(SSL, ERR_R_ASN1_LIB);\n return 0;\n }\n\n return SSL_CTX_use_RSAPrivateKey(ctx, rsa.get());\n}\n\nint SSL_CTX_use_PrivateKey(SSL_CTX *ctx, EVP_PKEY *pkey) {\n if (pkey == NULL) {\n OPENSSL_PUT_ERROR(SSL, ERR_R_PASSED_NULL_PARAMETER);\n return 0;\n }\n\n return SSL_CREDENTIAL_set1_private_key(ctx->cert->legacy_credential.get(),\n pkey);\n}\n\nint SSL_CTX_use_PrivateKey_ASN1(int type, SSL_CTX *ctx, const uint8_t *der,\n size_t der_len) {\n if (der_len > LONG_MAX) {\n OPENSSL_PUT_ERROR(SSL, ERR_R_OVERFLOW);\n return 0;\n }\n\n const uint8_t *p = der;\n UniquePtr pkey(d2i_PrivateKey(type, NULL, &p, (long)der_len));\n if (!pkey || p != der + der_len) {\n OPENSSL_PUT_ERROR(SSL, ERR_R_ASN1_LIB);\n return 0;\n }\n\n return SSL_CTX_use_PrivateKey(ctx, pkey.get());\n}\n\nvoid SSL_set_private_key_method(SSL *ssl,\n const SSL_PRIVATE_KEY_METHOD *key_method) {\n if (!ssl->config) {\n return;\n }\n BSSL_CHECK(SSL_CREDENTIAL_set_private_key_method(\n ssl->config->cert->legacy_credential.get(), key_method));\n}\n\nvoid SSL_CTX_set_private_key_method(SSL_CTX *ctx,\n const SSL_PRIVATE_KEY_METHOD *key_method) {\n BSSL_CHECK(SSL_CREDENTIAL_set_private_key_method(\n ctx->cert->legacy_credential.get(), key_method));\n}\n\nstatic constexpr size_t kMaxSignatureAlgorithmNameLen = 24;\n\nstruct SignatureAlgorithmName {\n uint16_t signature_algorithm;\n const char name[kMaxSignatureAlgorithmNameLen];\n};\n\n// This was \"constexpr\" rather than \"const\", but that triggered a bug in MSVC\n// where it didn't pad the strings to the correct length.\nstatic const SignatureAlgorithmName kSignatureAlgorithmNames[] = {\n {SSL_SIGN_RSA_PKCS1_MD5_SHA1, \"rsa_pkcs1_md5_sha1\"},\n {SSL_SIGN_RSA_PKCS1_SHA1, \"rsa_pkcs1_sha1\"},\n {SSL_SIGN_RSA_PKCS1_SHA256, \"rsa_pkcs1_sha256\"},\n {SSL_SIGN_RSA_PKCS1_SHA256_LEGACY, \"rsa_pkcs1_sha256_legacy\"},\n {SSL_SIGN_RSA_PKCS1_SHA384, \"rsa_pkcs1_sha384\"},\n {SSL_SIGN_RSA_PKCS1_SHA512, \"rsa_pkcs1_sha512\"},\n {SSL_SIGN_ECDSA_SHA1, \"ecdsa_sha1\"},\n {SSL_SIGN_ECDSA_SECP256R1_SHA256, \"ecdsa_secp256r1_sha256\"},\n {SSL_SIGN_ECDSA_SECP384R1_SHA384, \"ecdsa_secp384r1_sha384\"},\n {SSL_SIGN_ECDSA_SECP521R1_SHA512, \"ecdsa_secp521r1_sha512\"},\n {SSL_SIGN_RSA_PSS_RSAE_SHA256, \"rsa_pss_rsae_sha256\"},\n {SSL_SIGN_RSA_PSS_RSAE_SHA384, \"rsa_pss_rsae_sha384\"},\n {SSL_SIGN_RSA_PSS_RSAE_SHA512, \"rsa_pss_rsae_sha512\"},\n {SSL_SIGN_ED25519, \"ed25519\"},\n};\n\nconst char *SSL_get_signature_algorithm_name(uint16_t sigalg,\n int include_curve) {\n if (!include_curve) {\n switch (sigalg) {\n case SSL_SIGN_ECDSA_SECP256R1_SHA256:\n return \"ecdsa_sha256\";\n case SSL_SIGN_ECDSA_SECP384R1_SHA384:\n return \"ecdsa_sha384\";\n case SSL_SIGN_ECDSA_SECP521R1_SHA512:\n return \"ecdsa_sha512\";\n // If adding more here, also update\n // |SSL_get_all_signature_algorithm_names|.\n }\n }\n\n for (const auto &candidate : kSignatureAlgorithmNames) {\n if (candidate.signature_algorithm == sigalg) {\n return candidate.name;\n }\n }\n\n return NULL;\n}\n\nsize_t SSL_get_all_signature_algorithm_names(const char **out, size_t max_out) {\n const char *kPredefinedNames[] = {\"ecdsa_sha256\", \"ecdsa_sha384\",\n \"ecdsa_sha512\"};\n return GetAllNames(out, max_out, kPredefinedNames,\n &SignatureAlgorithmName::name,\n Span(kSignatureAlgorithmNames));\n}\n\nint SSL_get_signature_algorithm_key_type(uint16_t sigalg) {\n const SSL_SIGNATURE_ALGORITHM *alg = get_signature_algorithm(sigalg);\n return alg != nullptr ? alg->pkey_type : EVP_PKEY_NONE;\n}\n\nconst EVP_MD *SSL_get_signature_algorithm_digest(uint16_t sigalg) {\n const SSL_SIGNATURE_ALGORITHM *alg = get_signature_algorithm(sigalg);\n if (alg == nullptr || alg->digest_func == nullptr) {\n return nullptr;\n }\n return alg->digest_func();\n}\n\nint SSL_is_signature_algorithm_rsa_pss(uint16_t sigalg) {\n const SSL_SIGNATURE_ALGORITHM *alg = get_signature_algorithm(sigalg);\n return alg != nullptr && alg->is_rsa_pss;\n}\n\nstatic int compare_uint16_t(const void *p1, const void *p2) {\n uint16_t u1 = *((const uint16_t *)p1);\n uint16_t u2 = *((const uint16_t *)p2);\n if (u1 < u2) {\n return -1;\n } else if (u1 > u2) {\n return 1;\n } else {\n return 0;\n }\n}\n\nstatic bool sigalgs_unique(Span in_sigalgs) {\n if (in_sigalgs.size() < 2) {\n return true;\n }\n\n Array sigalgs;\n if (!sigalgs.CopyFrom(in_sigalgs)) {\n return false;\n }\n\n qsort(sigalgs.data(), sigalgs.size(), sizeof(uint16_t), compare_uint16_t);\n\n for (size_t i = 1; i < sigalgs.size(); i++) {\n if (sigalgs[i - 1] == sigalgs[i]) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_DUPLICATE_SIGNATURE_ALGORITHM);\n return false;\n }\n }\n\n return true;\n}\n\nstatic bool set_sigalg_prefs(Array *out, Span prefs) {\n if (!sigalgs_unique(prefs)) {\n return false;\n }\n\n // Check for invalid algorithms, and filter out |SSL_SIGN_RSA_PKCS1_MD5_SHA1|.\n Array filtered;\n if (!filtered.InitForOverwrite(prefs.size())) {\n return false;\n }\n size_t added = 0;\n for (uint16_t pref : prefs) {\n if (pref == SSL_SIGN_RSA_PKCS1_MD5_SHA1) {\n // Though not intended to be used with this API, we treat\n // |SSL_SIGN_RSA_PKCS1_MD5_SHA1| as a real signature algorithm in\n // |SSL_PRIVATE_KEY_METHOD|. Not accepting it here makes for a confusing\n // abstraction.\n continue;\n }\n if (get_signature_algorithm(pref) == nullptr) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SIGNATURE_ALGORITHM);\n return false;\n }\n filtered[added] = pref;\n added++;\n }\n filtered.Shrink(added);\n\n // This can happen if |prefs| contained only |SSL_SIGN_RSA_PKCS1_MD5_SHA1|.\n // Leaving it empty would revert to the default, so treat this as an error\n // condition.\n if (!prefs.empty() && filtered.empty()) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SIGNATURE_ALGORITHM);\n return false;\n }\n\n *out = std::move(filtered);\n return true;\n}\n\nint SSL_CREDENTIAL_set1_signing_algorithm_prefs(SSL_CREDENTIAL *cred,\n const uint16_t *prefs,\n size_t num_prefs) {\n if (!cred->UsesPrivateKey()) {\n OPENSSL_PUT_ERROR(SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);\n return 0;\n }\n\n // Delegated credentials are constrained to a single algorithm, so there is no\n // need to configure this.\n if (cred->type == SSLCredentialType::kDelegated) {\n OPENSSL_PUT_ERROR(SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);\n return 0;\n }\n\n return set_sigalg_prefs(&cred->sigalgs, Span(prefs, num_prefs));\n}\n\nint SSL_CTX_set_signing_algorithm_prefs(SSL_CTX *ctx, const uint16_t *prefs,\n size_t num_prefs) {\n return SSL_CREDENTIAL_set1_signing_algorithm_prefs(\n ctx->cert->legacy_credential.get(), prefs, num_prefs);\n}\n\nint SSL_set_signing_algorithm_prefs(SSL *ssl, const uint16_t *prefs,\n size_t num_prefs) {\n if (!ssl->config) {\n return 0;\n }\n return SSL_CREDENTIAL_set1_signing_algorithm_prefs(\n ssl->config->cert->legacy_credential.get(), prefs, num_prefs);\n}\n\nstatic constexpr struct {\n int pkey_type;\n int hash_nid;\n uint16_t signature_algorithm;\n} kSignatureAlgorithmsMapping[] = {\n {EVP_PKEY_RSA, NID_sha1, SSL_SIGN_RSA_PKCS1_SHA1},\n {EVP_PKEY_RSA, NID_sha256, SSL_SIGN_RSA_PKCS1_SHA256},\n {EVP_PKEY_RSA, NID_sha384, SSL_SIGN_RSA_PKCS1_SHA384},\n {EVP_PKEY_RSA, NID_sha512, SSL_SIGN_RSA_PKCS1_SHA512},\n {EVP_PKEY_RSA_PSS, NID_sha256, SSL_SIGN_RSA_PSS_RSAE_SHA256},\n {EVP_PKEY_RSA_PSS, NID_sha384, SSL_SIGN_RSA_PSS_RSAE_SHA384},\n {EVP_PKEY_RSA_PSS, NID_sha512, SSL_SIGN_RSA_PSS_RSAE_SHA512},\n {EVP_PKEY_EC, NID_sha1, SSL_SIGN_ECDSA_SHA1},\n {EVP_PKEY_EC, NID_sha256, SSL_SIGN_ECDSA_SECP256R1_SHA256},\n {EVP_PKEY_EC, NID_sha384, SSL_SIGN_ECDSA_SECP384R1_SHA384},\n {EVP_PKEY_EC, NID_sha512, SSL_SIGN_ECDSA_SECP521R1_SHA512},\n {EVP_PKEY_ED25519, NID_undef, SSL_SIGN_ED25519},\n};\n\nstatic bool parse_sigalg_pairs(Array *out, const int *values,\n size_t num_values) {\n if ((num_values & 1) == 1) {\n return false;\n }\n\n const size_t num_pairs = num_values / 2;\n if (!out->InitForOverwrite(num_pairs)) {\n return false;\n }\n\n for (size_t i = 0; i < num_values; i += 2) {\n const int hash_nid = values[i];\n const int pkey_type = values[i + 1];\n\n bool found = false;\n for (const auto &candidate : kSignatureAlgorithmsMapping) {\n if (candidate.pkey_type == pkey_type && candidate.hash_nid == hash_nid) {\n (*out)[i / 2] = candidate.signature_algorithm;\n found = true;\n break;\n }\n }\n\n if (!found) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SIGNATURE_ALGORITHM);\n ERR_add_error_dataf(\"unknown hash:%d pkey:%d\", hash_nid, pkey_type);\n return false;\n }\n }\n\n return true;\n}\n\nint SSL_CTX_set1_sigalgs(SSL_CTX *ctx, const int *values, size_t num_values) {\n Array sigalgs;\n if (!parse_sigalg_pairs(&sigalgs, values, num_values)) {\n return 0;\n }\n\n if (!SSL_CTX_set_signing_algorithm_prefs(ctx, sigalgs.data(),\n sigalgs.size()) ||\n !SSL_CTX_set_verify_algorithm_prefs(ctx, sigalgs.data(),\n sigalgs.size())) {\n return 0;\n }\n\n return 1;\n}\n\nint SSL_set1_sigalgs(SSL *ssl, const int *values, size_t num_values) {\n if (!ssl->config) {\n OPENSSL_PUT_ERROR(SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);\n return 0;\n }\n\n Array sigalgs;\n if (!parse_sigalg_pairs(&sigalgs, values, num_values)) {\n return 0;\n }\n\n if (!SSL_set_signing_algorithm_prefs(ssl, sigalgs.data(), sigalgs.size()) ||\n !SSL_set_verify_algorithm_prefs(ssl, sigalgs.data(), sigalgs.size())) {\n return 0;\n }\n\n return 1;\n}\n\nstatic bool parse_sigalgs_list(Array *out, const char *str) {\n // str looks like \"RSA+SHA1:ECDSA+SHA256:ecdsa_secp256r1_sha256\".\n\n // Count colons to give the number of output elements from any successful\n // parse.\n size_t num_elements = 1;\n size_t len = 0;\n for (const char *p = str; *p; p++) {\n len++;\n if (*p == ':') {\n num_elements++;\n }\n }\n\n if (!out->InitForOverwrite(num_elements)) {\n return false;\n }\n size_t out_i = 0;\n\n enum {\n pkey_or_name,\n hash_name,\n } state = pkey_or_name;\n\n char buf[kMaxSignatureAlgorithmNameLen];\n // buf_used is always < sizeof(buf). I.e. it's always safe to write\n // buf[buf_used] = 0.\n size_t buf_used = 0;\n\n int pkey_type = 0, hash_nid = 0;\n\n // Note that the loop runs to len+1, i.e. it'll process the terminating NUL.\n for (size_t offset = 0; offset < len + 1; offset++) {\n const unsigned char c = str[offset];\n\n switch (c) {\n case '+':\n if (state == hash_name) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SIGNATURE_ALGORITHM);\n ERR_add_error_dataf(\"+ found in hash name at offset %zu\", offset);\n return false;\n }\n if (buf_used == 0) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SIGNATURE_ALGORITHM);\n ERR_add_error_dataf(\"empty public key type at offset %zu\", offset);\n return false;\n }\n buf[buf_used] = 0;\n\n if (strcmp(buf, \"RSA\") == 0) {\n pkey_type = EVP_PKEY_RSA;\n } else if (strcmp(buf, \"RSA-PSS\") == 0 || //\n strcmp(buf, \"PSS\") == 0) {\n pkey_type = EVP_PKEY_RSA_PSS;\n } else if (strcmp(buf, \"ECDSA\") == 0) {\n pkey_type = EVP_PKEY_EC;\n } else {\n OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SIGNATURE_ALGORITHM);\n ERR_add_error_dataf(\"unknown public key type '%s'\", buf);\n return false;\n }\n\n state = hash_name;\n buf_used = 0;\n break;\n\n case ':':\n [[fallthrough]];\n case 0:\n if (buf_used == 0) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SIGNATURE_ALGORITHM);\n ERR_add_error_dataf(\"empty element at offset %zu\", offset);\n return false;\n }\n\n buf[buf_used] = 0;\n\n if (state == pkey_or_name) {\n // No '+' was seen thus this is a TLS 1.3-style name.\n bool found = false;\n for (const auto &candidate : kSignatureAlgorithmNames) {\n if (strcmp(candidate.name, buf) == 0) {\n assert(out_i < num_elements);\n (*out)[out_i++] = candidate.signature_algorithm;\n found = true;\n break;\n }\n }\n\n if (!found) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SIGNATURE_ALGORITHM);\n ERR_add_error_dataf(\"unknown signature algorithm '%s'\", buf);\n return false;\n }\n } else {\n if (strcmp(buf, \"SHA1\") == 0) {\n hash_nid = NID_sha1;\n } else if (strcmp(buf, \"SHA256\") == 0) {\n hash_nid = NID_sha256;\n } else if (strcmp(buf, \"SHA384\") == 0) {\n hash_nid = NID_sha384;\n } else if (strcmp(buf, \"SHA512\") == 0) {\n hash_nid = NID_sha512;\n } else {\n OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SIGNATURE_ALGORITHM);\n ERR_add_error_dataf(\"unknown hash function '%s'\", buf);\n return false;\n }\n\n bool found = false;\n for (const auto &candidate : kSignatureAlgorithmsMapping) {\n if (candidate.pkey_type == pkey_type &&\n candidate.hash_nid == hash_nid) {\n assert(out_i < num_elements);\n (*out)[out_i++] = candidate.signature_algorithm;\n found = true;\n break;\n }\n }\n\n if (!found) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SIGNATURE_ALGORITHM);\n ERR_add_error_dataf(\"unknown pkey:%d hash:%s\", pkey_type, buf);\n return false;\n }\n }\n\n state = pkey_or_name;\n buf_used = 0;\n break;\n\n default:\n if (buf_used == sizeof(buf) - 1) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SIGNATURE_ALGORITHM);\n ERR_add_error_dataf(\"substring too long at offset %zu\", offset);\n return false;\n }\n\n if (OPENSSL_isalnum(c) || c == '-' || c == '_') {\n buf[buf_used++] = c;\n } else {\n OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SIGNATURE_ALGORITHM);\n ERR_add_error_dataf(\"invalid character 0x%02x at offest %zu\", c,\n offset);\n return false;\n }\n }\n }\n\n assert(out_i == out->size());\n return true;\n}\n\nint SSL_CTX_set1_sigalgs_list(SSL_CTX *ctx, const char *str) {\n Array sigalgs;\n if (!parse_sigalgs_list(&sigalgs, str)) {\n return 0;\n }\n\n if (!SSL_CTX_set_signing_algorithm_prefs(ctx, sigalgs.data(),\n sigalgs.size()) ||\n !SSL_CTX_set_verify_algorithm_prefs(ctx, sigalgs.data(),\n sigalgs.size())) {\n return 0;\n }\n\n return 1;\n}\n\nint SSL_set1_sigalgs_list(SSL *ssl, const char *str) {\n if (!ssl->config) {\n OPENSSL_PUT_ERROR(SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);\n return 0;\n }\n\n Array sigalgs;\n if (!parse_sigalgs_list(&sigalgs, str)) {\n return 0;\n }\n\n if (!SSL_set_signing_algorithm_prefs(ssl, sigalgs.data(), sigalgs.size()) ||\n !SSL_set_verify_algorithm_prefs(ssl, sigalgs.data(), sigalgs.size())) {\n return 0;\n }\n\n return 1;\n}\n\nint SSL_CTX_set_verify_algorithm_prefs(SSL_CTX *ctx, const uint16_t *prefs,\n size_t num_prefs) {\n return set_sigalg_prefs(&ctx->verify_sigalgs, Span(prefs, num_prefs));\n}\n\nint SSL_set_verify_algorithm_prefs(SSL *ssl, const uint16_t *prefs,\n size_t num_prefs) {\n if (!ssl->config) {\n OPENSSL_PUT_ERROR(SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);\n return 0;\n }\n\n return set_sigalg_prefs(&ssl->config->verify_sigalgs, Span(prefs, num_prefs));\n}\n" }, { "path": "Sources/CNIOBoringSSL/ssl/ssl_session.cc", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n * Copyright 2005 Nokia. All rights reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n#include \n#include \n\n#include \n\n#include \n#include \n#include \n#include \n#include \n\n#include \"../crypto/internal.h\"\n#include \"internal.h\"\n\n\nBSSL_NAMESPACE_BEGIN\n\n// The address of this is a magic value, a pointer to which is returned by\n// SSL_magic_pending_session_ptr(). It allows a session callback to indicate\n// that it needs to asynchronously fetch session information.\nstatic const char g_pending_session_magic = 0;\n\nstatic CRYPTO_EX_DATA_CLASS g_ex_data_class =\n CRYPTO_EX_DATA_CLASS_INIT_WITH_APP_DATA;\n\nstatic void SSL_SESSION_list_remove(SSL_CTX *ctx, SSL_SESSION *session);\nstatic void SSL_SESSION_list_add(SSL_CTX *ctx, SSL_SESSION *session);\n\nUniquePtr ssl_session_new(const SSL_X509_METHOD *x509_method) {\n return MakeUnique(x509_method);\n}\n\nuint32_t ssl_hash_session_id(Span session_id) {\n // Take the first four bytes of |session_id|. Session IDs are generated by the\n // server randomly, so we can assume even using the first four bytes results\n // in a good distribution.\n uint8_t tmp_storage[sizeof(uint32_t)];\n if (session_id.size() < sizeof(tmp_storage)) {\n OPENSSL_memset(tmp_storage, 0, sizeof(tmp_storage));\n OPENSSL_memcpy(tmp_storage, session_id.data(), session_id.size());\n session_id = tmp_storage;\n }\n\n uint32_t hash = ((uint32_t)session_id[0]) | ((uint32_t)session_id[1] << 8) |\n ((uint32_t)session_id[2] << 16) |\n ((uint32_t)session_id[3] << 24);\n\n return hash;\n}\n\nUniquePtr SSL_SESSION_dup(SSL_SESSION *session, int dup_flags) {\n UniquePtr new_session = ssl_session_new(session->x509_method);\n if (!new_session) {\n return nullptr;\n }\n\n new_session->is_server = session->is_server;\n new_session->ssl_version = session->ssl_version;\n new_session->is_quic = session->is_quic;\n new_session->sid_ctx = session->sid_ctx;\n\n // Copy the key material.\n new_session->secret = session->secret;\n new_session->cipher = session->cipher;\n\n // Copy authentication state.\n if (session->psk_identity != nullptr) {\n new_session->psk_identity.reset(\n OPENSSL_strdup(session->psk_identity.get()));\n if (new_session->psk_identity == nullptr) {\n return nullptr;\n }\n }\n if (session->certs != nullptr) {\n auto buf_up_ref = [](const CRYPTO_BUFFER *buf) {\n CRYPTO_BUFFER_up_ref(const_cast(buf));\n return const_cast(buf);\n };\n new_session->certs.reset(sk_CRYPTO_BUFFER_deep_copy(\n session->certs.get(), buf_up_ref, CRYPTO_BUFFER_free));\n if (new_session->certs == nullptr) {\n return nullptr;\n }\n }\n\n if (!session->x509_method->session_dup(new_session.get(), session)) {\n return nullptr;\n }\n\n new_session->verify_result = session->verify_result;\n\n new_session->ocsp_response = UpRef(session->ocsp_response);\n new_session->signed_cert_timestamp_list =\n UpRef(session->signed_cert_timestamp_list);\n\n OPENSSL_memcpy(new_session->peer_sha256, session->peer_sha256,\n SHA256_DIGEST_LENGTH);\n new_session->peer_sha256_valid = session->peer_sha256_valid;\n\n new_session->peer_signature_algorithm = session->peer_signature_algorithm;\n\n new_session->timeout = session->timeout;\n new_session->auth_timeout = session->auth_timeout;\n new_session->time = session->time;\n\n // Copy non-authentication connection properties.\n if (dup_flags & SSL_SESSION_INCLUDE_NONAUTH) {\n new_session->session_id = session->session_id;\n new_session->group_id = session->group_id;\n new_session->original_handshake_hash = session->original_handshake_hash;\n new_session->ticket_lifetime_hint = session->ticket_lifetime_hint;\n new_session->ticket_age_add = session->ticket_age_add;\n new_session->ticket_max_early_data = session->ticket_max_early_data;\n new_session->extended_master_secret = session->extended_master_secret;\n new_session->has_application_settings = session->has_application_settings;\n\n if (!new_session->early_alpn.CopyFrom(session->early_alpn) ||\n !new_session->quic_early_data_context.CopyFrom(\n session->quic_early_data_context) ||\n !new_session->local_application_settings.CopyFrom(\n session->local_application_settings) ||\n !new_session->peer_application_settings.CopyFrom(\n session->peer_application_settings)) {\n return nullptr;\n }\n }\n\n // Copy the ticket.\n if (dup_flags & SSL_SESSION_INCLUDE_TICKET &&\n !new_session->ticket.CopyFrom(session->ticket)) {\n return nullptr;\n }\n\n // The new_session does not get a copy of the ex_data.\n\n new_session->not_resumable = true;\n return new_session;\n}\n\nvoid ssl_session_rebase_time(SSL *ssl, SSL_SESSION *session) {\n OPENSSL_timeval now = ssl_ctx_get_current_time(ssl->ctx.get());\n\n // To avoid overflows and underflows, if we've gone back in time, update the\n // time, but mark the session expired.\n if (session->time > now.tv_sec) {\n session->time = now.tv_sec;\n session->timeout = 0;\n session->auth_timeout = 0;\n return;\n }\n\n // Adjust the session time and timeouts. If the session has already expired,\n // clamp the timeouts at zero.\n uint64_t delta = now.tv_sec - session->time;\n session->time = now.tv_sec;\n if (session->timeout < delta) {\n session->timeout = 0;\n } else {\n session->timeout -= delta;\n }\n if (session->auth_timeout < delta) {\n session->auth_timeout = 0;\n } else {\n session->auth_timeout -= delta;\n }\n}\n\nvoid ssl_session_renew_timeout(SSL *ssl, SSL_SESSION *session,\n uint32_t timeout) {\n // Rebase the timestamp relative to the current time so |timeout| is measured\n // correctly.\n ssl_session_rebase_time(ssl, session);\n\n if (session->timeout > timeout) {\n return;\n }\n\n session->timeout = timeout;\n if (session->timeout > session->auth_timeout) {\n session->timeout = session->auth_timeout;\n }\n}\n\nuint16_t ssl_session_protocol_version(const SSL_SESSION *session) {\n uint16_t ret;\n if (!ssl_protocol_version_from_wire(&ret, session->ssl_version)) {\n // An |SSL_SESSION| will never have an invalid version. This is enforced by\n // the parser.\n assert(0);\n return 0;\n }\n\n return ret;\n}\n\nconst EVP_MD *ssl_session_get_digest(const SSL_SESSION *session) {\n return ssl_get_handshake_digest(ssl_session_protocol_version(session),\n session->cipher);\n}\n\nbool ssl_get_new_session(SSL_HANDSHAKE *hs) {\n SSL *const ssl = hs->ssl;\n if (ssl->mode & SSL_MODE_NO_SESSION_CREATION) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_SESSION_MAY_NOT_BE_CREATED);\n return false;\n }\n\n UniquePtr session = ssl_session_new(ssl->ctx->x509_method);\n if (session == NULL) {\n return false;\n }\n\n session->is_server = ssl->server;\n session->ssl_version = ssl->s3->version;\n session->is_quic = SSL_is_quic(ssl);\n\n // Fill in the time from the |SSL_CTX|'s clock.\n OPENSSL_timeval now = ssl_ctx_get_current_time(ssl->ctx.get());\n session->time = now.tv_sec;\n\n uint16_t version = ssl_protocol_version(ssl);\n if (version >= TLS1_3_VERSION) {\n // TLS 1.3 uses tickets as authenticators, so we are willing to use them for\n // longer.\n session->timeout = ssl->session_ctx->session_psk_dhe_timeout;\n session->auth_timeout = SSL_DEFAULT_SESSION_AUTH_TIMEOUT;\n } else {\n // TLS 1.2 resumption does not incorporate new key material, so we use a\n // much shorter timeout.\n session->timeout = ssl->session_ctx->session_timeout;\n session->auth_timeout = ssl->session_ctx->session_timeout;\n }\n\n if (!session->sid_ctx.TryCopyFrom(hs->config->cert->sid_ctx)) {\n OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);\n return false;\n }\n\n // The session is marked not resumable until it is completely filled in.\n session->not_resumable = true;\n session->verify_result = X509_V_ERR_INVALID_CALL;\n\n hs->new_session = std::move(session);\n ssl_set_session(ssl, NULL);\n return true;\n}\n\nbool ssl_ctx_rotate_ticket_encryption_key(SSL_CTX *ctx) {\n OPENSSL_timeval now = ssl_ctx_get_current_time(ctx);\n {\n // Avoid acquiring a write lock in the common case (i.e. a non-default key\n // is used or the default keys have not expired yet).\n MutexReadLock lock(&ctx->lock);\n if (ctx->ticket_key_current &&\n (ctx->ticket_key_current->next_rotation_tv_sec == 0 ||\n ctx->ticket_key_current->next_rotation_tv_sec > now.tv_sec) &&\n (!ctx->ticket_key_prev ||\n ctx->ticket_key_prev->next_rotation_tv_sec > now.tv_sec)) {\n return true;\n }\n }\n\n MutexWriteLock lock(&ctx->lock);\n if (!ctx->ticket_key_current ||\n (ctx->ticket_key_current->next_rotation_tv_sec != 0 &&\n ctx->ticket_key_current->next_rotation_tv_sec <= now.tv_sec)) {\n // The current key has not been initialized or it is expired.\n auto new_key = bssl::MakeUnique();\n if (!new_key) {\n return false;\n }\n RAND_bytes(new_key->name, 16);\n RAND_bytes(new_key->hmac_key, 16);\n RAND_bytes(new_key->aes_key, 16);\n new_key->next_rotation_tv_sec =\n now.tv_sec + SSL_DEFAULT_TICKET_KEY_ROTATION_INTERVAL;\n if (ctx->ticket_key_current) {\n // The current key expired. Rotate it to prev and bump up its rotation\n // timestamp. Note that even with the new rotation time it may still be\n // expired and get dropped below.\n ctx->ticket_key_current->next_rotation_tv_sec +=\n SSL_DEFAULT_TICKET_KEY_ROTATION_INTERVAL;\n ctx->ticket_key_prev = std::move(ctx->ticket_key_current);\n }\n ctx->ticket_key_current = std::move(new_key);\n }\n\n // Drop an expired prev key.\n if (ctx->ticket_key_prev &&\n ctx->ticket_key_prev->next_rotation_tv_sec <= now.tv_sec) {\n ctx->ticket_key_prev.reset();\n }\n\n return true;\n}\n\nstatic int ssl_encrypt_ticket_with_cipher_ctx(SSL_HANDSHAKE *hs, CBB *out,\n const uint8_t *session_buf,\n size_t session_len) {\n ScopedEVP_CIPHER_CTX ctx;\n ScopedHMAC_CTX hctx;\n\n // If the session is too long, decline to send a ticket.\n static const size_t kMaxTicketOverhead =\n 16 + EVP_MAX_IV_LENGTH + EVP_MAX_BLOCK_LENGTH + EVP_MAX_MD_SIZE;\n if (session_len > 0xffff - kMaxTicketOverhead) {\n return 1;\n }\n\n // Initialize HMAC and cipher contexts. If callback present it does all the\n // work otherwise use generated values from parent ctx.\n SSL_CTX *tctx = hs->ssl->session_ctx.get();\n uint8_t iv[EVP_MAX_IV_LENGTH];\n uint8_t key_name[16];\n if (tctx->ticket_key_cb != NULL) {\n int ret = tctx->ticket_key_cb(hs->ssl, key_name, iv, ctx.get(), hctx.get(),\n 1 /* encrypt */);\n if (ret < 0) {\n return 0;\n }\n if (ret == 0) {\n // The caller requested to send no ticket, so write nothing to |out|.\n return 1;\n }\n } else {\n // Rotate ticket key if necessary.\n if (!ssl_ctx_rotate_ticket_encryption_key(tctx)) {\n return 0;\n }\n MutexReadLock lock(&tctx->lock);\n if (!RAND_bytes(iv, 16) ||\n !EVP_EncryptInit_ex(ctx.get(), EVP_aes_128_cbc(), NULL,\n tctx->ticket_key_current->aes_key, iv) ||\n !HMAC_Init_ex(hctx.get(), tctx->ticket_key_current->hmac_key, 16,\n tlsext_tick_md(), NULL)) {\n return 0;\n }\n OPENSSL_memcpy(key_name, tctx->ticket_key_current->name, 16);\n }\n\n uint8_t *ptr;\n if (!CBB_add_bytes(out, key_name, 16) ||\n !CBB_add_bytes(out, iv, EVP_CIPHER_CTX_iv_length(ctx.get())) ||\n !CBB_reserve(out, &ptr, session_len + EVP_MAX_BLOCK_LENGTH)) {\n return 0;\n }\n\n size_t total = 0;\n#if defined(BORINGSSL_UNSAFE_FUZZER_MODE)\n OPENSSL_memcpy(ptr, session_buf, session_len);\n total = session_len;\n#else\n int len;\n if (!EVP_EncryptUpdate(ctx.get(), ptr + total, &len, session_buf,\n session_len)) {\n return 0;\n }\n total += len;\n if (!EVP_EncryptFinal_ex(ctx.get(), ptr + total, &len)) {\n return 0;\n }\n total += len;\n#endif\n if (!CBB_did_write(out, total)) {\n return 0;\n }\n\n unsigned hlen;\n if (!HMAC_Update(hctx.get(), CBB_data(out), CBB_len(out)) || //\n !CBB_reserve(out, &ptr, EVP_MAX_MD_SIZE) || //\n !HMAC_Final(hctx.get(), ptr, &hlen) || //\n !CBB_did_write(out, hlen)) {\n return 0;\n }\n\n return 1;\n}\n\nstatic int ssl_encrypt_ticket_with_method(SSL_HANDSHAKE *hs, CBB *out,\n const uint8_t *session_buf,\n size_t session_len) {\n SSL *const ssl = hs->ssl;\n const SSL_TICKET_AEAD_METHOD *method = ssl->session_ctx->ticket_aead_method;\n const size_t max_overhead = method->max_overhead(ssl);\n const size_t max_out = session_len + max_overhead;\n if (max_out < max_overhead) {\n OPENSSL_PUT_ERROR(SSL, ERR_R_OVERFLOW);\n return 0;\n }\n\n uint8_t *ptr;\n if (!CBB_reserve(out, &ptr, max_out)) {\n return 0;\n }\n\n size_t out_len;\n if (!method->seal(ssl, ptr, &out_len, max_out, session_buf, session_len)) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_TICKET_ENCRYPTION_FAILED);\n return 0;\n }\n\n if (!CBB_did_write(out, out_len)) {\n return 0;\n }\n\n return 1;\n}\n\nbool ssl_encrypt_ticket(SSL_HANDSHAKE *hs, CBB *out,\n const SSL_SESSION *session) {\n // Serialize the SSL_SESSION to be encoded into the ticket.\n uint8_t *session_buf = nullptr;\n size_t session_len;\n if (!SSL_SESSION_to_bytes_for_ticket(session, &session_buf, &session_len)) {\n return false;\n }\n bssl::UniquePtr free_session_buf(session_buf);\n\n if (hs->ssl->session_ctx->ticket_aead_method) {\n return ssl_encrypt_ticket_with_method(hs, out, session_buf, session_len);\n } else {\n return ssl_encrypt_ticket_with_cipher_ctx(hs, out, session_buf,\n session_len);\n }\n}\n\nSSLSessionType ssl_session_get_type(const SSL_SESSION *session) {\n if (session->not_resumable) {\n return SSLSessionType::kNotResumable;\n }\n if (ssl_session_protocol_version(session) >= TLS1_3_VERSION) {\n return session->ticket.empty() ? SSLSessionType::kNotResumable\n : SSLSessionType::kPreSharedKey;\n }\n if (!session->ticket.empty()) {\n return SSLSessionType::kTicket;\n }\n if (!session->session_id.empty()) {\n return SSLSessionType::kID;\n }\n return SSLSessionType::kNotResumable;\n}\n\nbool ssl_session_is_context_valid(const SSL_HANDSHAKE *hs,\n const SSL_SESSION *session) {\n return session != nullptr &&\n Span(session->sid_ctx) == hs->config->cert->sid_ctx;\n}\n\nbool ssl_session_is_time_valid(const SSL *ssl, const SSL_SESSION *session) {\n if (session == NULL) {\n return false;\n }\n\n OPENSSL_timeval now = ssl_ctx_get_current_time(ssl->ctx.get());\n\n // Reject tickets from the future to avoid underflow.\n if (now.tv_sec < session->time) {\n return false;\n }\n\n return session->timeout > now.tv_sec - session->time;\n}\n\nbool ssl_session_is_resumable(const SSL_HANDSHAKE *hs,\n const SSL_SESSION *session) {\n const SSL *const ssl = hs->ssl;\n return ssl_session_is_context_valid(hs, session) &&\n // The session must have been created by the same type of end point as\n // we're now using it with.\n ssl->server == session->is_server &&\n // The session must not be expired.\n ssl_session_is_time_valid(ssl, session) &&\n // Only resume if the session's version matches the negotiated\n // version.\n ssl->s3->version == session->ssl_version &&\n // Only resume if the session's cipher matches the negotiated one. This\n // is stricter than necessary for TLS 1.3, which allows cross-cipher\n // resumption if the PRF hashes match. We require an exact match for\n // simplicity. If loosening this, the 0-RTT accept logic must be\n // updated to check the cipher.\n hs->new_cipher == session->cipher &&\n // If the session contains a client certificate (either the full\n // certificate or just the hash) then require that the form of the\n // certificate matches the current configuration.\n ((sk_CRYPTO_BUFFER_num(session->certs.get()) == 0 &&\n !session->peer_sha256_valid) ||\n session->peer_sha256_valid ==\n hs->config->retain_only_sha256_of_client_certs) &&\n // Only resume if the underlying transport protocol hasn't changed.\n // This is to prevent cross-protocol resumption between QUIC and TCP.\n SSL_is_quic(ssl) == int{session->is_quic};\n}\n\n// ssl_lookup_session looks up |session_id| in the session cache and sets\n// |*out_session| to an |SSL_SESSION| object if found.\nstatic enum ssl_hs_wait_t ssl_lookup_session(\n SSL_HANDSHAKE *hs, UniquePtr *out_session,\n Span session_id) {\n SSL *const ssl = hs->ssl;\n out_session->reset();\n\n if (session_id.empty() || session_id.size() > SSL_MAX_SSL_SESSION_ID_LENGTH) {\n return ssl_hs_ok;\n }\n\n UniquePtr session;\n // Try the internal cache, if it exists.\n if (!(ssl->session_ctx->session_cache_mode &\n SSL_SESS_CACHE_NO_INTERNAL_LOOKUP)) {\n uint32_t hash = ssl_hash_session_id(session_id);\n auto cmp = [](const void *key, const SSL_SESSION *sess) -> int {\n Span key_id =\n *reinterpret_cast *>(key);\n return key_id == sess->session_id ? 0 : 1;\n };\n MutexReadLock lock(&ssl->session_ctx->lock);\n // |lh_SSL_SESSION_retrieve_key| returns a non-owning pointer.\n session = UpRef(lh_SSL_SESSION_retrieve_key(ssl->session_ctx->sessions,\n &session_id, hash, cmp));\n // TODO(davidben): This should probably move it to the front of the list.\n }\n\n // Fall back to the external cache, if it exists.\n if (!session && ssl->session_ctx->get_session_cb != nullptr) {\n int copy = 1;\n session.reset(ssl->session_ctx->get_session_cb(ssl, session_id.data(),\n session_id.size(), ©));\n if (!session) {\n return ssl_hs_ok;\n }\n\n if (session.get() == SSL_magic_pending_session_ptr()) {\n session.release(); // This pointer is not actually owned.\n return ssl_hs_pending_session;\n }\n\n // Increment reference count now if the session callback asks us to do so\n // (note that if the session structures returned by the callback are shared\n // between threads, it must handle the reference count itself [i.e. copy ==\n // 0], or things won't be thread-safe).\n if (copy) {\n SSL_SESSION_up_ref(session.get());\n }\n\n // Add the externally cached session to the internal cache if necessary.\n if (!(ssl->session_ctx->session_cache_mode &\n SSL_SESS_CACHE_NO_INTERNAL_STORE)) {\n SSL_CTX_add_session(ssl->session_ctx.get(), session.get());\n }\n }\n\n if (session && !ssl_session_is_time_valid(ssl, session.get())) {\n // The session was from the cache, so remove it.\n SSL_CTX_remove_session(ssl->session_ctx.get(), session.get());\n session.reset();\n }\n\n *out_session = std::move(session);\n return ssl_hs_ok;\n}\n\nenum ssl_hs_wait_t ssl_get_prev_session(SSL_HANDSHAKE *hs,\n UniquePtr *out_session,\n bool *out_tickets_supported,\n bool *out_renew_ticket,\n const SSL_CLIENT_HELLO *client_hello) {\n // This is used only by servers.\n assert(hs->ssl->server);\n UniquePtr session;\n bool renew_ticket = false;\n\n // If tickets are disabled, always behave as if no tickets are present.\n CBS ticket;\n const bool tickets_supported =\n !(SSL_get_options(hs->ssl) & SSL_OP_NO_TICKET) &&\n ssl_client_hello_get_extension(client_hello, &ticket,\n TLSEXT_TYPE_session_ticket);\n if (tickets_supported && CBS_len(&ticket) != 0) {\n switch (ssl_process_ticket(\n hs, &session, &renew_ticket, ticket,\n Span(client_hello->session_id, client_hello->session_id_len))) {\n case ssl_ticket_aead_success:\n break;\n case ssl_ticket_aead_ignore_ticket:\n assert(!session);\n break;\n case ssl_ticket_aead_error:\n return ssl_hs_error;\n case ssl_ticket_aead_retry:\n return ssl_hs_pending_ticket;\n }\n } else {\n // The client didn't send a ticket, so the session ID is a real ID.\n enum ssl_hs_wait_t lookup_ret = ssl_lookup_session(\n hs, &session,\n Span(client_hello->session_id, client_hello->session_id_len));\n if (lookup_ret != ssl_hs_ok) {\n return lookup_ret;\n }\n }\n\n *out_session = std::move(session);\n *out_tickets_supported = tickets_supported;\n *out_renew_ticket = renew_ticket;\n return ssl_hs_ok;\n}\n\nstatic bool remove_session(SSL_CTX *ctx, SSL_SESSION *session, bool lock) {\n if (session == nullptr || session->session_id.empty()) {\n return false;\n }\n\n if (lock) {\n CRYPTO_MUTEX_lock_write(&ctx->lock);\n }\n\n SSL_SESSION *found_session = lh_SSL_SESSION_retrieve(ctx->sessions, session);\n bool found = found_session == session;\n if (found) {\n found_session = lh_SSL_SESSION_delete(ctx->sessions, session);\n SSL_SESSION_list_remove(ctx, session);\n }\n\n if (lock) {\n CRYPTO_MUTEX_unlock_write(&ctx->lock);\n }\n\n if (found) {\n // TODO(https://crbug.com/boringssl/251): Callbacks should not be called\n // under a lock.\n if (ctx->remove_session_cb != nullptr) {\n ctx->remove_session_cb(ctx, found_session);\n }\n SSL_SESSION_free(found_session);\n }\n\n return found;\n}\n\nvoid ssl_set_session(SSL *ssl, SSL_SESSION *session) {\n if (ssl->session.get() == session) {\n return;\n }\n\n ssl->session = UpRef(session);\n}\n\n// locked by SSL_CTX in the calling function\nstatic void SSL_SESSION_list_remove(SSL_CTX *ctx, SSL_SESSION *session) {\n if (session->next == NULL || session->prev == NULL) {\n return;\n }\n\n if (session->next == (SSL_SESSION *)&ctx->session_cache_tail) {\n // last element in list\n if (session->prev == (SSL_SESSION *)&ctx->session_cache_head) {\n // only one element in list\n ctx->session_cache_head = NULL;\n ctx->session_cache_tail = NULL;\n } else {\n ctx->session_cache_tail = session->prev;\n session->prev->next = (SSL_SESSION *)&(ctx->session_cache_tail);\n }\n } else {\n if (session->prev == (SSL_SESSION *)&ctx->session_cache_head) {\n // first element in list\n ctx->session_cache_head = session->next;\n session->next->prev = (SSL_SESSION *)&(ctx->session_cache_head);\n } else { // middle of list\n session->next->prev = session->prev;\n session->prev->next = session->next;\n }\n }\n session->prev = session->next = NULL;\n}\n\nstatic void SSL_SESSION_list_add(SSL_CTX *ctx, SSL_SESSION *session) {\n if (session->next != NULL && session->prev != NULL) {\n SSL_SESSION_list_remove(ctx, session);\n }\n\n if (ctx->session_cache_head == NULL) {\n ctx->session_cache_head = session;\n ctx->session_cache_tail = session;\n session->prev = (SSL_SESSION *)&(ctx->session_cache_head);\n session->next = (SSL_SESSION *)&(ctx->session_cache_tail);\n } else {\n session->next = ctx->session_cache_head;\n session->next->prev = session;\n session->prev = (SSL_SESSION *)&(ctx->session_cache_head);\n ctx->session_cache_head = session;\n }\n}\n\nstatic bool add_session_locked(SSL_CTX *ctx, UniquePtr session) {\n SSL_SESSION *new_session = session.get();\n SSL_SESSION *old_session;\n if (!lh_SSL_SESSION_insert(ctx->sessions, &old_session, new_session)) {\n return false;\n }\n // |ctx->sessions| took ownership of |new_session| and gave us back a\n // reference to |old_session|. (|old_session| may be the same as\n // |new_session|, in which case we traded identical references with\n // |ctx->sessions|.)\n session.release();\n session.reset(old_session);\n\n if (old_session != nullptr) {\n if (old_session == new_session) {\n // |session| was already in the cache. There are no linked list pointers\n // to update.\n return false;\n }\n\n // There was a session ID collision. |old_session| was replaced with\n // |session| in the hash table, so |old_session| must be removed from the\n // linked list to match.\n SSL_SESSION_list_remove(ctx, old_session);\n }\n\n // This does not increment the reference count. Although |session| is inserted\n // into two structures (a doubly-linked list and the hash table), |ctx| only\n // takes one reference.\n SSL_SESSION_list_add(ctx, new_session);\n\n // Enforce any cache size limits.\n if (SSL_CTX_sess_get_cache_size(ctx) > 0) {\n while (lh_SSL_SESSION_num_items(ctx->sessions) >\n SSL_CTX_sess_get_cache_size(ctx)) {\n if (!remove_session(ctx, ctx->session_cache_tail,\n /*lock=*/false)) {\n break;\n }\n }\n }\n\n return true;\n}\n\nvoid ssl_update_cache(SSL *ssl) {\n SSL_CTX *ctx = ssl->session_ctx.get();\n SSL_SESSION *session = ssl->s3->established_session.get();\n int mode = SSL_is_server(ssl) ? SSL_SESS_CACHE_SERVER : SSL_SESS_CACHE_CLIENT;\n if (!SSL_SESSION_is_resumable(session) ||\n (ctx->session_cache_mode & mode) != mode) {\n return;\n }\n\n // Clients never use the internal session cache.\n if (ssl->server &&\n !(ctx->session_cache_mode & SSL_SESS_CACHE_NO_INTERNAL_STORE)) {\n UniquePtr ref = UpRef(session);\n bool remove_expired_sessions = false;\n {\n MutexWriteLock lock(&ctx->lock);\n add_session_locked(ctx, std::move(ref));\n\n if (!(ctx->session_cache_mode & SSL_SESS_CACHE_NO_AUTO_CLEAR)) {\n // Automatically flush the internal session cache every 255 connections.\n ctx->handshakes_since_cache_flush++;\n if (ctx->handshakes_since_cache_flush >= 255) {\n remove_expired_sessions = true;\n ctx->handshakes_since_cache_flush = 0;\n }\n }\n }\n\n if (remove_expired_sessions) {\n // |SSL_CTX_flush_sessions| takes the lock we just released. We could\n // merge the critical sections, but we'd then call user code under a\n // lock, or compute |now| earlier, even when not flushing.\n OPENSSL_timeval now = ssl_ctx_get_current_time(ssl->ctx.get());\n SSL_CTX_flush_sessions(ctx, now.tv_sec);\n }\n }\n\n if (ctx->new_session_cb != nullptr) {\n UniquePtr ref = UpRef(session);\n if (ctx->new_session_cb(ssl, ref.get())) {\n // |new_session_cb|'s return value signals whether it took ownership.\n ref.release();\n }\n }\n}\n\nBSSL_NAMESPACE_END\n\nusing namespace bssl;\n\nssl_session_st::ssl_session_st(const SSL_X509_METHOD *method)\n : RefCounted(CheckSubClass()),\n x509_method(method),\n extended_master_secret(false),\n peer_sha256_valid(false),\n not_resumable(false),\n ticket_age_add_valid(false),\n is_server(false),\n is_quic(false),\n has_application_settings(false) {\n CRYPTO_new_ex_data(&ex_data);\n time = ::time(nullptr);\n}\n\nssl_session_st::~ssl_session_st() {\n CRYPTO_free_ex_data(&g_ex_data_class, this, &ex_data);\n x509_method->session_clear(this);\n}\n\nSSL_SESSION *SSL_SESSION_new(const SSL_CTX *ctx) {\n return ssl_session_new(ctx->x509_method).release();\n}\n\nint SSL_SESSION_up_ref(SSL_SESSION *session) {\n session->UpRefInternal();\n return 1;\n}\n\nvoid SSL_SESSION_free(SSL_SESSION *session) {\n if (session == nullptr) {\n return;\n }\n session->DecRefInternal();\n}\n\nconst uint8_t *SSL_SESSION_get_id(const SSL_SESSION *session,\n unsigned *out_len) {\n if (out_len != NULL) {\n *out_len = session->session_id.size();\n }\n return session->session_id.data();\n}\n\nint SSL_SESSION_set1_id(SSL_SESSION *session, const uint8_t *sid,\n size_t sid_len) {\n if (!session->session_id.TryCopyFrom(Span(sid, sid_len))) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_SSL_SESSION_ID_TOO_LONG);\n return 0;\n }\n\n return 1;\n}\n\nuint32_t SSL_SESSION_get_timeout(const SSL_SESSION *session) {\n return session->timeout;\n}\n\nuint64_t SSL_SESSION_get_time(const SSL_SESSION *session) {\n if (session == NULL) {\n // NULL should crash, but silently accept it here for compatibility.\n return 0;\n }\n return session->time;\n}\n\nX509 *SSL_SESSION_get0_peer(const SSL_SESSION *session) {\n return session->x509_peer;\n}\n\nconst STACK_OF(CRYPTO_BUFFER) *SSL_SESSION_get0_peer_certificates(\n const SSL_SESSION *session) {\n return session->certs.get();\n}\n\nvoid SSL_SESSION_get0_signed_cert_timestamp_list(const SSL_SESSION *session,\n const uint8_t **out,\n size_t *out_len) {\n if (session->signed_cert_timestamp_list) {\n *out = CRYPTO_BUFFER_data(session->signed_cert_timestamp_list.get());\n *out_len = CRYPTO_BUFFER_len(session->signed_cert_timestamp_list.get());\n } else {\n *out = nullptr;\n *out_len = 0;\n }\n}\n\nvoid SSL_SESSION_get0_ocsp_response(const SSL_SESSION *session,\n const uint8_t **out, size_t *out_len) {\n if (session->ocsp_response) {\n *out = CRYPTO_BUFFER_data(session->ocsp_response.get());\n *out_len = CRYPTO_BUFFER_len(session->ocsp_response.get());\n } else {\n *out = nullptr;\n *out_len = 0;\n }\n}\n\nsize_t SSL_SESSION_get_master_key(const SSL_SESSION *session, uint8_t *out,\n size_t max_out) {\n if (max_out == 0) {\n return session->secret.size();\n }\n if (max_out > session->secret.size()) {\n max_out = session->secret.size();\n }\n OPENSSL_memcpy(out, session->secret.data(), max_out);\n return max_out;\n}\n\nuint64_t SSL_SESSION_set_time(SSL_SESSION *session, uint64_t time) {\n if (session == NULL) {\n return 0;\n }\n\n session->time = time;\n return time;\n}\n\nuint32_t SSL_SESSION_set_timeout(SSL_SESSION *session, uint32_t timeout) {\n if (session == NULL) {\n return 0;\n }\n\n session->timeout = timeout;\n session->auth_timeout = timeout;\n return 1;\n}\n\nconst uint8_t *SSL_SESSION_get0_id_context(const SSL_SESSION *session,\n unsigned *out_len) {\n if (out_len != NULL) {\n *out_len = session->sid_ctx.size();\n }\n return session->sid_ctx.data();\n}\n\nint SSL_SESSION_set1_id_context(SSL_SESSION *session, const uint8_t *sid_ctx,\n size_t sid_ctx_len) {\n if (!session->sid_ctx.TryCopyFrom(Span(sid_ctx, sid_ctx_len))) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG);\n return 0;\n }\n\n return 1;\n}\n\nint SSL_SESSION_should_be_single_use(const SSL_SESSION *session) {\n return ssl_session_protocol_version(session) >= TLS1_3_VERSION;\n}\n\nint SSL_SESSION_is_resumable(const SSL_SESSION *session) {\n return ssl_session_get_type(session) != SSLSessionType::kNotResumable;\n}\n\nint SSL_SESSION_has_ticket(const SSL_SESSION *session) {\n return !session->ticket.empty();\n}\n\nvoid SSL_SESSION_get0_ticket(const SSL_SESSION *session,\n const uint8_t **out_ticket, size_t *out_len) {\n if (out_ticket != nullptr) {\n *out_ticket = session->ticket.data();\n }\n *out_len = session->ticket.size();\n}\n\nint SSL_SESSION_set_ticket(SSL_SESSION *session, const uint8_t *ticket,\n size_t ticket_len) {\n return session->ticket.CopyFrom(Span(ticket, ticket_len));\n}\n\nuint32_t SSL_SESSION_get_ticket_lifetime_hint(const SSL_SESSION *session) {\n return session->ticket_lifetime_hint;\n}\n\nconst SSL_CIPHER *SSL_SESSION_get0_cipher(const SSL_SESSION *session) {\n return session->cipher;\n}\n\nint SSL_SESSION_has_peer_sha256(const SSL_SESSION *session) {\n return session->peer_sha256_valid;\n}\n\nvoid SSL_SESSION_get0_peer_sha256(const SSL_SESSION *session,\n const uint8_t **out_ptr, size_t *out_len) {\n if (session->peer_sha256_valid) {\n *out_ptr = session->peer_sha256;\n *out_len = sizeof(session->peer_sha256);\n } else {\n *out_ptr = nullptr;\n *out_len = 0;\n }\n}\n\nint SSL_SESSION_early_data_capable(const SSL_SESSION *session) {\n return ssl_session_protocol_version(session) >= TLS1_3_VERSION &&\n session->ticket_max_early_data != 0;\n}\n\nSSL_SESSION *SSL_SESSION_copy_without_early_data(SSL_SESSION *session) {\n if (!SSL_SESSION_early_data_capable(session)) {\n return UpRef(session).release();\n }\n\n bssl::UniquePtr copy =\n SSL_SESSION_dup(session, SSL_SESSION_DUP_ALL);\n if (!copy) {\n return nullptr;\n }\n\n copy->ticket_max_early_data = 0;\n // Copied sessions are non-resumable until they're completely filled in.\n copy->not_resumable = session->not_resumable;\n assert(!SSL_SESSION_early_data_capable(copy.get()));\n return copy.release();\n}\n\nSSL_SESSION *SSL_magic_pending_session_ptr(void) {\n return (SSL_SESSION *)&g_pending_session_magic;\n}\n\nSSL_SESSION *SSL_get_session(const SSL *ssl) {\n // Once the initially handshake completes, we return the most recently\n // established session. In particular, if there is a pending renegotiation, we\n // do not return information about it until it completes.\n //\n // Code in the handshake must either use |hs->new_session| (if updating a\n // partial session) or |ssl_handshake_session| (if trying to query properties\n // consistently across TLS 1.2 resumption and other handshakes).\n if (ssl->s3->established_session != nullptr) {\n return ssl->s3->established_session.get();\n }\n\n // Otherwise, we must be in the initial handshake.\n SSL_HANDSHAKE *hs = ssl->s3->hs.get();\n assert(hs != nullptr);\n assert(!ssl->s3->initial_handshake_complete);\n\n // Return the 0-RTT session, if in the 0-RTT state. While the handshake has\n // not actually completed, the public accessors all report properties as if\n // it has.\n if (hs->early_session) {\n return hs->early_session.get();\n }\n\n // Otherwise, return the partial session.\n return (SSL_SESSION *)ssl_handshake_session(hs);\n}\n\nSSL_SESSION *SSL_get1_session(SSL *ssl) {\n SSL_SESSION *ret = SSL_get_session(ssl);\n if (ret != NULL) {\n SSL_SESSION_up_ref(ret);\n }\n return ret;\n}\n\nint SSL_SESSION_get_ex_new_index(long argl, void *argp,\n CRYPTO_EX_unused *unused,\n CRYPTO_EX_dup *dup_unused,\n CRYPTO_EX_free *free_func) {\n return CRYPTO_get_ex_new_index_ex(&g_ex_data_class, argl, argp, free_func);\n}\n\nint SSL_SESSION_set_ex_data(SSL_SESSION *session, int idx, void *arg) {\n return CRYPTO_set_ex_data(&session->ex_data, idx, arg);\n}\n\nvoid *SSL_SESSION_get_ex_data(const SSL_SESSION *session, int idx) {\n return CRYPTO_get_ex_data(&session->ex_data, idx);\n}\n\nint SSL_CTX_add_session(SSL_CTX *ctx, SSL_SESSION *session) {\n UniquePtr owned_session = UpRef(session);\n MutexWriteLock lock(&ctx->lock);\n return add_session_locked(ctx, std::move(owned_session));\n}\n\nint SSL_CTX_remove_session(SSL_CTX *ctx, SSL_SESSION *session) {\n return remove_session(ctx, session, /*lock=*/true);\n}\n\nint SSL_set_session(SSL *ssl, SSL_SESSION *session) {\n // SSL_set_session may only be called before the handshake has started.\n if (ssl->s3->initial_handshake_complete || //\n ssl->s3->hs == NULL || //\n ssl->s3->hs->state != 0) {\n abort();\n }\n\n ssl_set_session(ssl, session);\n return 1;\n}\n\nuint32_t SSL_CTX_set_timeout(SSL_CTX *ctx, uint32_t timeout) {\n if (ctx == NULL) {\n return 0;\n }\n\n // Historically, zero was treated as |SSL_DEFAULT_SESSION_TIMEOUT|.\n if (timeout == 0) {\n timeout = SSL_DEFAULT_SESSION_TIMEOUT;\n }\n\n uint32_t old_timeout = ctx->session_timeout;\n ctx->session_timeout = timeout;\n return old_timeout;\n}\n\nuint32_t SSL_CTX_get_timeout(const SSL_CTX *ctx) {\n if (ctx == NULL) {\n return 0;\n }\n\n return ctx->session_timeout;\n}\n\nvoid SSL_CTX_set_session_psk_dhe_timeout(SSL_CTX *ctx, uint32_t timeout) {\n ctx->session_psk_dhe_timeout = timeout;\n}\n\ntypedef struct timeout_param_st {\n SSL_CTX *ctx;\n uint64_t time;\n LHASH_OF(SSL_SESSION) *cache;\n} TIMEOUT_PARAM;\n\nstatic void timeout_doall_arg(SSL_SESSION *session, void *void_param) {\n TIMEOUT_PARAM *param = reinterpret_cast(void_param);\n\n if (param->time == 0 || //\n session->time + session->timeout < session->time || //\n param->time > (session->time + session->timeout)) {\n // TODO(davidben): This can probably just call |remove_session|.\n (void)lh_SSL_SESSION_delete(param->cache, session);\n SSL_SESSION_list_remove(param->ctx, session);\n // TODO(https://crbug.com/boringssl/251): Callbacks should not be called\n // under a lock.\n if (param->ctx->remove_session_cb != NULL) {\n param->ctx->remove_session_cb(param->ctx, session);\n }\n SSL_SESSION_free(session);\n }\n}\n\nvoid SSL_CTX_flush_sessions(SSL_CTX *ctx, uint64_t time) {\n TIMEOUT_PARAM tp;\n\n tp.ctx = ctx;\n tp.cache = ctx->sessions;\n if (tp.cache == NULL) {\n return;\n }\n tp.time = time;\n MutexWriteLock lock(&ctx->lock);\n lh_SSL_SESSION_doall_arg(tp.cache, timeout_doall_arg, &tp);\n}\n\nvoid SSL_CTX_sess_set_new_cb(SSL_CTX *ctx,\n int (*cb)(SSL *ssl, SSL_SESSION *session)) {\n ctx->new_session_cb = cb;\n}\n\nint (*SSL_CTX_sess_get_new_cb(SSL_CTX *ctx))(SSL *ssl, SSL_SESSION *session) {\n return ctx->new_session_cb;\n}\n\nvoid SSL_CTX_sess_set_remove_cb(SSL_CTX *ctx,\n void (*cb)(SSL_CTX *ctx,\n SSL_SESSION *session)) {\n ctx->remove_session_cb = cb;\n}\n\nvoid (*SSL_CTX_sess_get_remove_cb(SSL_CTX *ctx))(SSL_CTX *ctx,\n SSL_SESSION *session) {\n return ctx->remove_session_cb;\n}\n\nvoid SSL_CTX_sess_set_get_cb(SSL_CTX *ctx,\n SSL_SESSION *(*cb)(SSL *ssl, const uint8_t *id,\n int id_len, int *out_copy)) {\n ctx->get_session_cb = cb;\n}\n\nSSL_SESSION *(*SSL_CTX_sess_get_get_cb(SSL_CTX *ctx))(SSL *ssl,\n const uint8_t *id,\n int id_len,\n int *out_copy) {\n return ctx->get_session_cb;\n}\n\nvoid SSL_CTX_set_info_callback(SSL_CTX *ctx, void (*cb)(const SSL *ssl,\n int type, int value)) {\n ctx->info_callback = cb;\n}\n\nvoid (*SSL_CTX_get_info_callback(SSL_CTX *ctx))(const SSL *ssl, int type,\n int value) {\n return ctx->info_callback;\n}\n" }, { "path": "Sources/CNIOBoringSSL/ssl/ssl_stat.cc", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n * Copyright 2005 Nokia. All rights reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n\n#include \"internal.h\"\n\n\nconst char *SSL_state_string_long(const SSL *ssl) {\n if (ssl->s3->hs == nullptr) {\n return \"SSL negotiation finished successfully\";\n }\n\n return ssl->server ? ssl_server_handshake_state(ssl->s3->hs.get())\n : ssl_client_handshake_state(ssl->s3->hs.get());\n}\n\nconst char *SSL_state_string(const SSL *ssl) { return \"!!!!!!\"; }\n\nconst char *SSL_alert_type_string_long(int value) {\n value >>= 8;\n if (value == SSL3_AL_WARNING) {\n return \"warning\";\n } else if (value == SSL3_AL_FATAL) {\n return \"fatal\";\n }\n\n return \"unknown\";\n}\n\nconst char *SSL_alert_type_string(int value) { return \"!\"; }\n\nconst char *SSL_alert_desc_string(int value) { return \"!!\"; }\n\nconst char *SSL_alert_desc_string_long(int value) {\n switch (value & 0xff) {\n case SSL3_AD_CLOSE_NOTIFY:\n return \"close notify\";\n\n case SSL3_AD_UNEXPECTED_MESSAGE:\n return \"unexpected_message\";\n\n case SSL3_AD_BAD_RECORD_MAC:\n return \"bad record mac\";\n\n case SSL3_AD_DECOMPRESSION_FAILURE:\n return \"decompression failure\";\n\n case SSL3_AD_HANDSHAKE_FAILURE:\n return \"handshake failure\";\n\n case SSL3_AD_NO_CERTIFICATE:\n return \"no certificate\";\n\n case SSL3_AD_BAD_CERTIFICATE:\n return \"bad certificate\";\n\n case SSL3_AD_UNSUPPORTED_CERTIFICATE:\n return \"unsupported certificate\";\n\n case SSL3_AD_CERTIFICATE_REVOKED:\n return \"certificate revoked\";\n\n case SSL3_AD_CERTIFICATE_EXPIRED:\n return \"certificate expired\";\n\n case SSL3_AD_CERTIFICATE_UNKNOWN:\n return \"certificate unknown\";\n\n case SSL3_AD_ILLEGAL_PARAMETER:\n return \"illegal parameter\";\n\n case TLS1_AD_DECRYPTION_FAILED:\n return \"decryption failed\";\n\n case TLS1_AD_RECORD_OVERFLOW:\n return \"record overflow\";\n\n case TLS1_AD_UNKNOWN_CA:\n return \"unknown CA\";\n\n case TLS1_AD_ACCESS_DENIED:\n return \"access denied\";\n\n case TLS1_AD_DECODE_ERROR:\n return \"decode error\";\n\n case TLS1_AD_DECRYPT_ERROR:\n return \"decrypt error\";\n\n case TLS1_AD_EXPORT_RESTRICTION:\n return \"export restriction\";\n\n case TLS1_AD_PROTOCOL_VERSION:\n return \"protocol version\";\n\n case TLS1_AD_INSUFFICIENT_SECURITY:\n return \"insufficient security\";\n\n case TLS1_AD_INTERNAL_ERROR:\n return \"internal error\";\n\n case SSL3_AD_INAPPROPRIATE_FALLBACK:\n return \"inappropriate fallback\";\n\n case TLS1_AD_USER_CANCELLED:\n return \"user canceled\";\n\n case TLS1_AD_NO_RENEGOTIATION:\n return \"no renegotiation\";\n\n case TLS1_AD_MISSING_EXTENSION:\n return \"missing extension\";\n\n case TLS1_AD_UNSUPPORTED_EXTENSION:\n return \"unsupported extension\";\n\n case TLS1_AD_CERTIFICATE_UNOBTAINABLE:\n return \"certificate unobtainable\";\n\n case TLS1_AD_UNRECOGNIZED_NAME:\n return \"unrecognized name\";\n\n case TLS1_AD_BAD_CERTIFICATE_STATUS_RESPONSE:\n return \"bad certificate status response\";\n\n case TLS1_AD_BAD_CERTIFICATE_HASH_VALUE:\n return \"bad certificate hash value\";\n\n case TLS1_AD_UNKNOWN_PSK_IDENTITY:\n return \"unknown PSK identity\";\n\n case TLS1_AD_CERTIFICATE_REQUIRED:\n return \"certificate required\";\n\n case TLS1_AD_NO_APPLICATION_PROTOCOL:\n return \"no application protocol\";\n\n case TLS1_AD_ECH_REQUIRED:\n return \"ECH required\";\n\n default:\n return \"unknown\";\n }\n}\n" }, { "path": "Sources/CNIOBoringSSL/ssl/ssl_transcript.cc", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n * Copyright 2005 Nokia. All rights reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n\n#include \n#include \n#include \n\n#include \"internal.h\"\n\n\nBSSL_NAMESPACE_BEGIN\n\nSSLTranscript::SSLTranscript(bool is_dtls) : is_dtls_(is_dtls) {}\n\nSSLTranscript::~SSLTranscript() {}\n\nbool SSLTranscript::Init() {\n buffer_.reset(BUF_MEM_new());\n if (!buffer_) {\n return false;\n }\n\n hash_.Reset();\n return true;\n}\n\nbool SSLTranscript::InitHash(uint16_t version, const SSL_CIPHER *cipher) {\n version_ = version;\n const EVP_MD *md = ssl_get_handshake_digest(version, cipher);\n if (Digest() == md) {\n // No need to re-hash the buffer.\n return true;\n }\n if (!HashBuffer(hash_.get(), md)) {\n return false;\n }\n if (is_dtls_ && version_ >= TLS1_3_VERSION) {\n // In DTLS 1.3, prior to the call to InitHash, the message (if present) in\n // the buffer has the DTLS 1.2 header. After the call to InitHash, the TLS\n // 1.3 header is written by SSLTranscript::Update. If the buffer isn't freed\n // here, it would have a mix of different header formats and using it would\n // yield wrong results. However, there's no need for the buffer once the\n // version and the digest for the cipher suite are known, so the buffer is\n // freed here to avoid potential misuse of the SSLTranscript object.\n FreeBuffer();\n }\n return true;\n}\n\nbool SSLTranscript::HashBuffer(EVP_MD_CTX *ctx, const EVP_MD *digest) const {\n if (!EVP_DigestInit_ex(ctx, digest, nullptr)) {\n return false;\n }\n if (!is_dtls_ || version_ < TLS1_3_VERSION) {\n return EVP_DigestUpdate(ctx, buffer_->data, buffer_->length);\n }\n\n // If the version is DTLS 1.3 and we still have a buffer, then there should be\n // at most a single DTLSHandshake message in the buffer, for the ClientHello.\n // On the server side, the version (DTLS 1.3) and cipher suite are chosen in\n // response to the first ClientHello, and InitHash is called before that\n // ClientHello is added to the SSLTranscript, so the buffer is empty if this\n // SSLTranscript is on the server.\n if (buffer_->length == 0) {\n return true;\n }\n\n // On the client side, we can receive either a ServerHello or\n // HelloRetryRequest in response to the ClientHello. Regardless of which\n // message we receive, the client code calls InitHash before updating the\n // transcript with that message, so the ClientHello is the only message in the\n // buffer. In DTLS 1.3, we need to skip the message_seq, fragment_offset, and\n // fragment_length fields from the DTLSHandshake message in the buffer. The\n // structure of a DTLSHandshake message is as follows (RFC 9147, section 5.2):\n //\n // struct {\n // HandshakeType msg_type; /* handshake type */\n // uint24 length; /* bytes in message */\n // uint16 message_seq; /* DTLS-required field */\n // uint24 fragment_offset; /* DTLS-required field */\n // uint24 fragment_length; /* DTLS-required field */\n // select (msg_type) {\n // /* omitted for brevity */\n // } body;\n // } DTLSHandshake;\n CBS buf, header;\n CBS_init(&buf, reinterpret_cast(buffer_->data), buffer_->length);\n if (!CBS_get_bytes(&buf, &header, 4) || //\n !CBS_skip(&buf, 8) || //\n !EVP_DigestUpdate(ctx, CBS_data(&header), CBS_len(&header)) || //\n !EVP_DigestUpdate(ctx, CBS_data(&buf), CBS_len(&buf))) {\n return false;\n }\n return true;\n}\n\nvoid SSLTranscript::FreeBuffer() { buffer_.reset(); }\n\nsize_t SSLTranscript::DigestLen() const { return EVP_MD_size(Digest()); }\n\nconst EVP_MD *SSLTranscript::Digest() const {\n return EVP_MD_CTX_get0_md(hash_.get());\n}\n\nbool SSLTranscript::UpdateForHelloRetryRequest() {\n if (buffer_) {\n buffer_->length = 0;\n }\n\n uint8_t old_hash[EVP_MAX_MD_SIZE];\n size_t hash_len;\n if (!GetHash(old_hash, &hash_len)) {\n return false;\n }\n const uint8_t header[4] = {SSL3_MT_MESSAGE_HASH, 0, 0,\n static_cast(hash_len)};\n if (!EVP_DigestInit_ex(hash_.get(), Digest(), nullptr) ||\n !AddToBufferOrHash(header) ||\n !AddToBufferOrHash(Span(old_hash, hash_len))) {\n return false;\n }\n return true;\n}\n\nbool SSLTranscript::CopyToHashContext(EVP_MD_CTX *ctx,\n const EVP_MD *digest) const {\n const EVP_MD *transcript_digest = Digest();\n if (transcript_digest != nullptr &&\n EVP_MD_type(transcript_digest) == EVP_MD_type(digest)) {\n return EVP_MD_CTX_copy_ex(ctx, hash_.get());\n }\n\n if (buffer_) {\n return HashBuffer(ctx, digest);\n }\n\n OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);\n return false;\n}\n\nbool SSLTranscript::Update(Span in) {\n if (!is_dtls_ || version_ < TLS1_3_VERSION) {\n return AddToBufferOrHash(in);\n }\n if (in.size() < DTLS1_HM_HEADER_LENGTH) {\n return false;\n }\n // The message passed into Update is the whole Handshake or DTLSHandshake\n // message, including the msg_type and length. In DTLS, the DTLSHandshake\n // message also has message_seq, fragment_offset, and fragment_length\n // fields. In DTLS 1.3, those fields are omitted so that the same\n // transcript format as TLS 1.3 is used. This means we write the 1-byte\n // msg_type, 3-byte length, then skip 2+3+3 bytes for the DTLS-specific\n // fields that get omitted.\n if (!AddToBufferOrHash(in.subspan(0, 4)) ||\n !AddToBufferOrHash(in.subspan(12))) {\n return false;\n }\n return true;\n}\n\nbool SSLTranscript::AddToBufferOrHash(Span in) {\n // Depending on the state of the handshake, either the handshake buffer may be\n // active, the rolling hash, or both.\n if (buffer_ && //\n !BUF_MEM_append(buffer_.get(), in.data(), in.size())) {\n return false;\n }\n\n if (EVP_MD_CTX_md(hash_.get()) != NULL) {\n EVP_DigestUpdate(hash_.get(), in.data(), in.size());\n }\n\n return true;\n}\n\nbool SSLTranscript::GetHash(uint8_t *out, size_t *out_len) const {\n ScopedEVP_MD_CTX ctx;\n unsigned len;\n if (!EVP_MD_CTX_copy_ex(ctx.get(), hash_.get()) ||\n !EVP_DigestFinal_ex(ctx.get(), out, &len)) {\n return false;\n }\n *out_len = len;\n return true;\n}\n\nbool SSLTranscript::GetFinishedMAC(uint8_t *out, size_t *out_len,\n const SSL_SESSION *session,\n bool from_server) const {\n uint8_t digest[EVP_MAX_MD_SIZE];\n size_t digest_len;\n if (!GetHash(digest, &digest_len)) {\n return false;\n }\n\n std::string_view label = from_server ? \"server finished\" : \"client finished\";\n static const size_t kFinishedLen = 12;\n if (!tls1_prf(Digest(), Span(out, kFinishedLen), session->secret, label,\n Span(digest, digest_len), {})) {\n return false;\n }\n\n *out_len = kFinishedLen;\n return true;\n}\n\nBSSL_NAMESPACE_END\n" }, { "path": "Sources/CNIOBoringSSL/ssl/ssl_versions.cc", "content": "/* Copyright 2017 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n#include \n\n#include \n\n#include \n\n#include \n#include \n#include \n\n#include \"../crypto/internal.h\"\n#include \"internal.h\"\n\n\nBSSL_NAMESPACE_BEGIN\n\nbool ssl_protocol_version_from_wire(uint16_t *out, uint16_t version) {\n switch (version) {\n case TLS1_VERSION:\n case TLS1_1_VERSION:\n case TLS1_2_VERSION:\n case TLS1_3_VERSION:\n *out = version;\n return true;\n\n case DTLS1_VERSION:\n // DTLS 1.0 is analogous to TLS 1.1, not TLS 1.0.\n *out = TLS1_1_VERSION;\n return true;\n\n case DTLS1_2_VERSION:\n *out = TLS1_2_VERSION;\n return true;\n\n case DTLS1_3_VERSION:\n *out = TLS1_3_VERSION;\n return true;\n\n default:\n return false;\n }\n}\n\n// The follow arrays are the supported versions for TLS and DTLS, in order of\n// decreasing preference.\n\nstatic const uint16_t kTLSVersions[] = {\n TLS1_3_VERSION,\n TLS1_2_VERSION,\n TLS1_1_VERSION,\n TLS1_VERSION,\n};\n\nstatic const uint16_t kDTLSVersions[] = {\n DTLS1_3_VERSION,\n DTLS1_2_VERSION,\n DTLS1_VERSION,\n};\n\nstatic Span get_method_versions(\n const SSL_PROTOCOL_METHOD *method) {\n return method->is_dtls ? Span(kDTLSVersions)\n : Span(kTLSVersions);\n}\n\nbool ssl_method_supports_version(const SSL_PROTOCOL_METHOD *method,\n uint16_t version) {\n for (uint16_t supported : get_method_versions(method)) {\n if (supported == version) {\n return true;\n }\n }\n return false;\n}\n\n// The following functions map between API versions and wire versions. The\n// public API works on wire versions.\n\nstatic const char *kUnknownVersion = \"unknown\";\n\nstruct VersionInfo {\n uint16_t version;\n const char *name;\n};\n\nstatic const VersionInfo kVersionNames[] = {\n {TLS1_3_VERSION, \"TLSv1.3\"},\n {TLS1_2_VERSION, \"TLSv1.2\"},\n {TLS1_1_VERSION, \"TLSv1.1\"},\n {TLS1_VERSION, \"TLSv1\"},\n {DTLS1_VERSION, \"DTLSv1\"},\n {DTLS1_2_VERSION, \"DTLSv1.2\"},\n {DTLS1_3_VERSION, \"DTLSv1.3\"},\n};\n\nstatic const char *ssl_version_to_string(uint16_t version) {\n for (const auto &v : kVersionNames) {\n if (v.version == version) {\n return v.name;\n }\n }\n return kUnknownVersion;\n}\n\nstatic uint16_t wire_version_to_api(uint16_t version) { return version; }\n\n// api_version_to_wire maps |version| to some representative wire version.\nstatic bool api_version_to_wire(uint16_t *out, uint16_t version) {\n // Check it is a real protocol version.\n uint16_t unused;\n if (!ssl_protocol_version_from_wire(&unused, version)) {\n return false;\n }\n\n *out = version;\n return true;\n}\n\nstatic bool set_version_bound(const SSL_PROTOCOL_METHOD *method, uint16_t *out,\n uint16_t version) {\n if (!api_version_to_wire(&version, version) ||\n !ssl_method_supports_version(method, version)) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_UNKNOWN_SSL_VERSION);\n return false;\n }\n\n *out = version;\n return true;\n}\n\nstatic bool set_min_version(const SSL_PROTOCOL_METHOD *method, uint16_t *out,\n uint16_t version) {\n // Zero is interpreted as the default minimum version.\n if (version == 0) {\n *out = method->is_dtls ? DTLS1_2_VERSION : TLS1_2_VERSION;\n return true;\n }\n\n return set_version_bound(method, out, version);\n}\n\nstatic bool set_max_version(const SSL_PROTOCOL_METHOD *method, uint16_t *out,\n uint16_t version) {\n // Zero is interpreted as the default maximum version.\n // TODO(crbug.com/42290594): Enable DTLS 1.3 by default, after it's\n // successfully shipped in WebRTC.\n if (version == 0) {\n *out = method->is_dtls ? DTLS1_2_VERSION : TLS1_3_VERSION;\n return true;\n }\n\n return set_version_bound(method, out, version);\n}\n\nconst struct {\n uint16_t version;\n uint32_t flag;\n} kProtocolVersions[] = {\n {TLS1_VERSION, SSL_OP_NO_TLSv1},\n {TLS1_1_VERSION, SSL_OP_NO_TLSv1_1},\n {TLS1_2_VERSION, SSL_OP_NO_TLSv1_2},\n {TLS1_3_VERSION, SSL_OP_NO_TLSv1_3},\n};\n\nbool ssl_get_version_range(const SSL_HANDSHAKE *hs, uint16_t *out_min_version,\n uint16_t *out_max_version) {\n // For historical reasons, |SSL_OP_NO_DTLSv1| aliases |SSL_OP_NO_TLSv1|, but\n // DTLS 1.0 should be mapped to TLS 1.1.\n uint32_t options = hs->ssl->options;\n if (SSL_is_dtls(hs->ssl)) {\n options &= ~SSL_OP_NO_TLSv1_1;\n if (options & SSL_OP_NO_DTLSv1) {\n options |= SSL_OP_NO_TLSv1_1;\n }\n }\n\n uint16_t min_version, max_version;\n if (!ssl_protocol_version_from_wire(&min_version,\n hs->config->conf_min_version) ||\n !ssl_protocol_version_from_wire(&max_version,\n hs->config->conf_max_version)) {\n OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);\n return false;\n }\n\n // QUIC requires TLS 1.3.\n if (SSL_is_quic(hs->ssl) && min_version < TLS1_3_VERSION) {\n min_version = TLS1_3_VERSION;\n }\n\n // The |SSL_OP_NO_*| flags disable individual protocols. This has two\n // problems. First, prior to TLS 1.3, the protocol can only express a\n // contiguous range of versions. Second, a library consumer trying to set a\n // maximum version cannot disable protocol versions that get added in a future\n // version of the library.\n //\n // To account for both of these, OpenSSL interprets the client-side bitmask\n // as a min/max range by picking the lowest contiguous non-empty range of\n // enabled protocols. Note that this means it is impossible to set a maximum\n // version of the higest supported TLS version in a future-proof way.\n bool any_enabled = false;\n for (size_t i = 0; i < OPENSSL_ARRAY_SIZE(kProtocolVersions); i++) {\n // Only look at the versions already enabled.\n if (min_version > kProtocolVersions[i].version) {\n continue;\n }\n if (max_version < kProtocolVersions[i].version) {\n break;\n }\n\n if (!(options & kProtocolVersions[i].flag)) {\n // The minimum version is the first enabled version.\n if (!any_enabled) {\n any_enabled = true;\n min_version = kProtocolVersions[i].version;\n }\n continue;\n }\n\n // If there is a disabled version after the first enabled one, all versions\n // after it are implicitly disabled.\n if (any_enabled) {\n max_version = kProtocolVersions[i - 1].version;\n break;\n }\n }\n\n if (!any_enabled) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_NO_SUPPORTED_VERSIONS_ENABLED);\n return false;\n }\n\n *out_min_version = min_version;\n *out_max_version = max_version;\n return true;\n}\n\nstatic uint16_t ssl_version(const SSL *ssl) {\n // In early data, we report the predicted version. Note it is possible that we\n // have a predicted version and a *different* true version. This means 0-RTT\n // has been rejected, but until the reject has reported to the application and\n // applied with |SSL_reset_early_data_reject|, we continue reporting a\n // self-consistent connection.\n if (SSL_in_early_data(ssl) && !ssl->server) {\n return ssl->s3->hs->early_session->ssl_version;\n }\n if (ssl->s3->version != 0) {\n return ssl->s3->version;\n }\n // The TLS versions has not yet been negotiated. Historically, we would return\n // (D)TLS 1.2, so preserve that behavior.\n return SSL_is_dtls(ssl) ? DTLS1_2_VERSION : TLS1_2_VERSION;\n}\n\nbool ssl_has_final_version(const SSL *ssl) {\n return ssl->s3->version != 0 &&\n (ssl->s3->hs == nullptr || !ssl->s3->hs->is_early_version);\n}\n\nuint16_t ssl_protocol_version(const SSL *ssl) {\n assert(ssl->s3->version != 0);\n uint16_t version;\n if (!ssl_protocol_version_from_wire(&version, ssl->s3->version)) {\n // |ssl->s3->version| will always be set to a valid version.\n assert(0);\n return 0;\n }\n\n return version;\n}\n\nbool ssl_supports_version(const SSL_HANDSHAKE *hs, uint16_t version) {\n const SSL *const ssl = hs->ssl;\n uint16_t protocol_version;\n if (!ssl_method_supports_version(ssl->method, version) ||\n !ssl_protocol_version_from_wire(&protocol_version, version) ||\n hs->min_version > protocol_version ||\n protocol_version > hs->max_version) {\n return false;\n }\n\n return true;\n}\n\nbool ssl_add_supported_versions(const SSL_HANDSHAKE *hs, CBB *cbb,\n uint16_t extra_min_version) {\n for (uint16_t version : get_method_versions(hs->ssl->method)) {\n uint16_t protocol_version;\n if (ssl_supports_version(hs, version) &&\n ssl_protocol_version_from_wire(&protocol_version, version) &&\n protocol_version >= extra_min_version && //\n !CBB_add_u16(cbb, version)) {\n return false;\n }\n }\n return true;\n}\n\nbool ssl_negotiate_version(SSL_HANDSHAKE *hs, uint8_t *out_alert,\n uint16_t *out_version, const CBS *peer_versions) {\n for (uint16_t version : get_method_versions(hs->ssl->method)) {\n if (!ssl_supports_version(hs, version)) {\n continue;\n }\n\n // JDK 11, prior to 11.0.2, has a buggy TLS 1.3 implementation which fails\n // to send SNI when offering 1.3 sessions. Disable TLS 1.3 for such\n // clients. We apply this logic here rather than |ssl_supports_version| so\n // the downgrade signal continues to query the true capabilities. (The\n // workaround is a limitation of the peer's capabilities rather than our\n // own.)\n //\n // See https://bugs.openjdk.java.net/browse/JDK-8211806.\n if (version == TLS1_3_VERSION && hs->apply_jdk11_workaround) {\n continue;\n }\n\n CBS copy = *peer_versions;\n while (CBS_len(©) != 0) {\n uint16_t peer_version;\n if (!CBS_get_u16(©, &peer_version)) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);\n *out_alert = SSL_AD_DECODE_ERROR;\n return false;\n }\n\n if (peer_version == version) {\n *out_version = version;\n return true;\n }\n }\n }\n\n OPENSSL_PUT_ERROR(SSL, SSL_R_UNSUPPORTED_PROTOCOL);\n *out_alert = SSL_AD_PROTOCOL_VERSION;\n return false;\n}\n\nBSSL_NAMESPACE_END\n\nusing namespace bssl;\n\nint SSL_CTX_set_min_proto_version(SSL_CTX *ctx, uint16_t version) {\n return set_min_version(ctx->method, &ctx->conf_min_version, version);\n}\n\nint SSL_CTX_set_max_proto_version(SSL_CTX *ctx, uint16_t version) {\n return set_max_version(ctx->method, &ctx->conf_max_version, version);\n}\n\nuint16_t SSL_CTX_get_min_proto_version(const SSL_CTX *ctx) {\n return ctx->conf_min_version;\n}\n\nuint16_t SSL_CTX_get_max_proto_version(const SSL_CTX *ctx) {\n return ctx->conf_max_version;\n}\n\nint SSL_set_min_proto_version(SSL *ssl, uint16_t version) {\n if (!ssl->config) {\n return 0;\n }\n return set_min_version(ssl->method, &ssl->config->conf_min_version, version);\n}\n\nint SSL_set_max_proto_version(SSL *ssl, uint16_t version) {\n if (!ssl->config) {\n return 0;\n }\n return set_max_version(ssl->method, &ssl->config->conf_max_version, version);\n}\n\nuint16_t SSL_get_min_proto_version(const SSL *ssl) {\n if (!ssl->config) {\n return 0;\n }\n return ssl->config->conf_min_version;\n}\n\nuint16_t SSL_get_max_proto_version(const SSL *ssl) {\n if (!ssl->config) {\n return 0;\n }\n return ssl->config->conf_max_version;\n}\n\nint SSL_version(const SSL *ssl) {\n return wire_version_to_api(ssl_version(ssl));\n}\n\nconst char *SSL_get_version(const SSL *ssl) {\n return ssl_version_to_string(ssl_version(ssl));\n}\n\nsize_t SSL_get_all_version_names(const char **out, size_t max_out) {\n return GetAllNames(out, max_out, Span(&kUnknownVersion, 1),\n &VersionInfo::name, Span(kVersionNames));\n}\n\nconst char *SSL_SESSION_get_version(const SSL_SESSION *session) {\n return ssl_version_to_string(session->ssl_version);\n}\n\nuint16_t SSL_SESSION_get_protocol_version(const SSL_SESSION *session) {\n return wire_version_to_api(session->ssl_version);\n}\n\nint SSL_SESSION_set_protocol_version(SSL_SESSION *session, uint16_t version) {\n // This picks a representative TLS 1.3 version, but this API should only be\n // used on unit test sessions anyway.\n return api_version_to_wire(&session->ssl_version, version);\n}\n\nint SSL_CTX_set_record_protocol_version(SSL_CTX *ctx, int version) {\n return version == 0;\n}\n" }, { "path": "Sources/CNIOBoringSSL/ssl/ssl_x509.cc", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved.\n * Copyright 2005 Nokia. All rights reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n\n#include \n#include \n#include \n#include \n#include \n#include \n\n#include \"../crypto/internal.h\"\n#include \"internal.h\"\n\n\nBSSL_NAMESPACE_BEGIN\n\n// check_ssl_x509_method asserts that |ssl| has the X509-based method\n// installed. Calling an X509-based method on an |ssl| with a different method\n// will likely misbehave and possibly crash or leak memory.\nstatic void check_ssl_x509_method(const SSL *ssl) {\n assert(ssl == NULL || ssl->ctx->x509_method == &ssl_crypto_x509_method);\n}\n\n// check_ssl_ctx_x509_method acts like |check_ssl_x509_method|, but for an\n// |SSL_CTX|.\nstatic void check_ssl_ctx_x509_method(const SSL_CTX *ctx) {\n assert(ctx == NULL || ctx->x509_method == &ssl_crypto_x509_method);\n}\n\n// x509_to_buffer returns a |CRYPTO_BUFFER| that contains the serialised\n// contents of |x509|.\nstatic UniquePtr x509_to_buffer(X509 *x509) {\n uint8_t *buf = NULL;\n int cert_len = i2d_X509(x509, &buf);\n if (cert_len <= 0) {\n return 0;\n }\n\n UniquePtr buffer(CRYPTO_BUFFER_new(buf, cert_len, NULL));\n OPENSSL_free(buf);\n\n return buffer;\n}\n\nstatic void ssl_crypto_x509_cert_flush_cached_leaf(CERT *cert) {\n X509_free(cert->x509_leaf);\n cert->x509_leaf = nullptr;\n}\n\nstatic void ssl_crypto_x509_cert_flush_cached_chain(CERT *cert) {\n sk_X509_pop_free(cert->x509_chain, X509_free);\n cert->x509_chain = nullptr;\n}\n\n// ssl_cert_set1_chain sets elements 1.. of |cert->chain| to the serialised\n// forms of elements of |chain|. It returns one on success or zero on error, in\n// which case no change to |cert->chain| is made. It preverses the existing\n// leaf from |cert->chain|, if any.\nstatic bool ssl_cert_set1_chain(CERT *cert, STACK_OF(X509) *chain) {\n cert->legacy_credential->ClearIntermediateCerts();\n for (X509 *x509 : chain) {\n UniquePtr buffer = x509_to_buffer(x509);\n if (!buffer ||\n !cert->legacy_credential->AppendIntermediateCert(std::move(buffer))) {\n return false;\n }\n }\n\n ssl_crypto_x509_cert_flush_cached_chain(cert);\n return true;\n}\n\nstatic bool ssl_crypto_x509_check_client_CA_list(\n STACK_OF(CRYPTO_BUFFER) *names) {\n for (const CRYPTO_BUFFER *buffer : names) {\n const uint8_t *inp = CRYPTO_BUFFER_data(buffer);\n UniquePtr name(\n d2i_X509_NAME(nullptr, &inp, CRYPTO_BUFFER_len(buffer)));\n if (name == nullptr ||\n inp != CRYPTO_BUFFER_data(buffer) + CRYPTO_BUFFER_len(buffer)) {\n return false;\n }\n }\n\n return true;\n}\n\nstatic void ssl_crypto_x509_cert_clear(CERT *cert) {\n ssl_crypto_x509_cert_flush_cached_leaf(cert);\n ssl_crypto_x509_cert_flush_cached_chain(cert);\n\n X509_free(cert->x509_stash);\n cert->x509_stash = nullptr;\n}\n\nstatic void ssl_crypto_x509_cert_free(CERT *cert) {\n ssl_crypto_x509_cert_clear(cert);\n X509_STORE_free(cert->verify_store);\n}\n\nstatic void ssl_crypto_x509_cert_dup(CERT *new_cert, const CERT *cert) {\n if (cert->verify_store != nullptr) {\n X509_STORE_up_ref(cert->verify_store);\n new_cert->verify_store = cert->verify_store;\n }\n}\n\nstatic bool ssl_crypto_x509_session_cache_objects(SSL_SESSION *sess) {\n bssl::UniquePtr chain, chain_without_leaf;\n if (sk_CRYPTO_BUFFER_num(sess->certs.get()) > 0) {\n chain.reset(sk_X509_new_null());\n if (!chain) {\n return false;\n }\n if (sess->is_server) {\n // chain_without_leaf is only needed for server sessions. See\n // |SSL_get_peer_cert_chain|.\n chain_without_leaf.reset(sk_X509_new_null());\n if (!chain_without_leaf) {\n return false;\n }\n }\n }\n\n bssl::UniquePtr leaf;\n for (CRYPTO_BUFFER *cert : sess->certs.get()) {\n UniquePtr x509(X509_parse_from_buffer(cert));\n if (!x509) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);\n return false;\n }\n if (leaf == nullptr) {\n leaf = UpRef(x509);\n } else if (chain_without_leaf &&\n !PushToStack(chain_without_leaf.get(), UpRef(x509))) {\n return false;\n }\n if (!PushToStack(chain.get(), std::move(x509))) {\n return false;\n }\n }\n\n sk_X509_pop_free(sess->x509_chain, X509_free);\n sess->x509_chain = chain.release();\n\n sk_X509_pop_free(sess->x509_chain_without_leaf, X509_free);\n sess->x509_chain_without_leaf = chain_without_leaf.release();\n\n X509_free(sess->x509_peer);\n sess->x509_peer = leaf.release();\n return true;\n}\n\nstatic bool ssl_crypto_x509_session_dup(SSL_SESSION *new_session,\n const SSL_SESSION *session) {\n new_session->x509_peer = UpRef(session->x509_peer).release();\n if (session->x509_chain != nullptr) {\n new_session->x509_chain = X509_chain_up_ref(session->x509_chain);\n if (new_session->x509_chain == nullptr) {\n return false;\n }\n }\n if (session->x509_chain_without_leaf != nullptr) {\n new_session->x509_chain_without_leaf =\n X509_chain_up_ref(session->x509_chain_without_leaf);\n if (new_session->x509_chain_without_leaf == nullptr) {\n return false;\n }\n }\n\n return true;\n}\n\nstatic void ssl_crypto_x509_session_clear(SSL_SESSION *session) {\n X509_free(session->x509_peer);\n session->x509_peer = nullptr;\n sk_X509_pop_free(session->x509_chain, X509_free);\n session->x509_chain = nullptr;\n sk_X509_pop_free(session->x509_chain_without_leaf, X509_free);\n session->x509_chain_without_leaf = nullptr;\n}\n\nstatic bool ssl_crypto_x509_session_verify_cert_chain(SSL_SESSION *session,\n SSL_HANDSHAKE *hs,\n uint8_t *out_alert) {\n *out_alert = SSL_AD_INTERNAL_ERROR;\n STACK_OF(X509) *const cert_chain = session->x509_chain;\n if (cert_chain == nullptr || sk_X509_num(cert_chain) == 0) {\n return false;\n }\n\n SSL *const ssl = hs->ssl;\n SSL_CTX *ssl_ctx = ssl->ctx.get();\n X509_STORE *verify_store = ssl_ctx->cert_store;\n if (hs->config->cert->verify_store != nullptr) {\n verify_store = hs->config->cert->verify_store;\n }\n\n X509 *leaf = sk_X509_value(cert_chain, 0);\n const char *name;\n size_t name_len;\n SSL_get0_ech_name_override(ssl, &name, &name_len);\n UniquePtr ctx(X509_STORE_CTX_new());\n if (!ctx || //\n !X509_STORE_CTX_init(ctx.get(), verify_store, leaf, cert_chain) || //\n !X509_STORE_CTX_set_ex_data(\n ctx.get(), SSL_get_ex_data_X509_STORE_CTX_idx(), ssl) || //\n // We need to inherit the verify parameters. These can be determined by\n // the context: if its a server it will verify SSL client certificates or\n // vice versa.\n !X509_STORE_CTX_set_default(\n ctx.get(),\n ssl->server ? \"ssl_client\" : \"ssl_server\") || //\n // Anything non-default in \"param\" should overwrite anything in the ctx.\n !X509_VERIFY_PARAM_set1(X509_STORE_CTX_get0_param(ctx.get()),\n hs->config->param) || //\n // ClientHelloOuter connections use a different name.\n (name_len != 0 && //\n !X509_VERIFY_PARAM_set1_host(X509_STORE_CTX_get0_param(ctx.get()), name,\n name_len))) {\n OPENSSL_PUT_ERROR(SSL, ERR_R_X509_LIB);\n return false;\n }\n\n if (hs->config->verify_callback) {\n X509_STORE_CTX_set_verify_cb(ctx.get(), hs->config->verify_callback);\n }\n\n int verify_ret;\n if (ssl_ctx->app_verify_callback != nullptr) {\n verify_ret =\n ssl_ctx->app_verify_callback(ctx.get(), ssl_ctx->app_verify_arg);\n } else {\n verify_ret = X509_verify_cert(ctx.get());\n }\n\n session->verify_result = X509_STORE_CTX_get_error(ctx.get());\n\n // If |SSL_VERIFY_NONE|, the error is non-fatal, but we keep the result.\n if (verify_ret <= 0 && hs->config->verify_mode != SSL_VERIFY_NONE) {\n *out_alert = SSL_alert_from_verify_result(session->verify_result);\n return false;\n }\n\n ERR_clear_error();\n return true;\n}\n\nstatic void ssl_crypto_x509_hs_flush_cached_ca_names(SSL_HANDSHAKE *hs) {\n sk_X509_NAME_pop_free(hs->cached_x509_ca_names, X509_NAME_free);\n hs->cached_x509_ca_names = nullptr;\n}\n\nstatic bool ssl_crypto_x509_ssl_new(SSL_HANDSHAKE *hs) {\n hs->config->param = X509_VERIFY_PARAM_new();\n if (hs->config->param == nullptr) {\n return false;\n }\n X509_VERIFY_PARAM_inherit(hs->config->param, hs->ssl->ctx->param);\n return true;\n}\n\nstatic void ssl_crypto_x509_ssl_flush_cached_client_CA(SSL_CONFIG *cfg) {\n sk_X509_NAME_pop_free(cfg->cached_x509_client_CA, X509_NAME_free);\n cfg->cached_x509_client_CA = nullptr;\n}\n\nstatic void ssl_crypto_x509_ssl_config_free(SSL_CONFIG *cfg) {\n sk_X509_NAME_pop_free(cfg->cached_x509_client_CA, X509_NAME_free);\n cfg->cached_x509_client_CA = nullptr;\n X509_VERIFY_PARAM_free(cfg->param);\n}\n\nstatic bool ssl_crypto_x509_ssl_auto_chain_if_needed(SSL_HANDSHAKE *hs) {\n // Only build a chain if the feature isn't disabled, the legacy credential\n // exists but has no intermediates configured.\n SSL *ssl = hs->ssl;\n SSL_CREDENTIAL *cred = hs->config->cert->legacy_credential.get();\n if ((ssl->mode & SSL_MODE_NO_AUTO_CHAIN) || !cred->IsComplete() ||\n sk_CRYPTO_BUFFER_num(cred->chain.get()) != 1) {\n return true;\n }\n\n UniquePtr leaf(\n X509_parse_from_buffer(sk_CRYPTO_BUFFER_value(cred->chain.get(), 0)));\n if (!leaf) {\n OPENSSL_PUT_ERROR(SSL, ERR_R_X509_LIB);\n return false;\n }\n\n UniquePtr ctx(X509_STORE_CTX_new());\n if (!ctx || !X509_STORE_CTX_init(ctx.get(), ssl->ctx->cert_store, leaf.get(),\n nullptr)) {\n OPENSSL_PUT_ERROR(SSL, ERR_R_X509_LIB);\n return false;\n }\n\n // Attempt to build a chain, ignoring the result.\n X509_verify_cert(ctx.get());\n ERR_clear_error();\n\n // Remove the leaf from the generated chain.\n UniquePtr chain(X509_STORE_CTX_get1_chain(ctx.get()));\n if (!chain) {\n return false;\n }\n X509_free(sk_X509_shift(chain.get()));\n\n return SSL_set1_chain(ssl, chain.get());\n}\n\nstatic void ssl_crypto_x509_ssl_ctx_flush_cached_client_CA(SSL_CTX *ctx) {\n sk_X509_NAME_pop_free(ctx->cached_x509_client_CA, X509_NAME_free);\n ctx->cached_x509_client_CA = nullptr;\n}\n\nstatic bool ssl_crypto_x509_ssl_ctx_new(SSL_CTX *ctx) {\n ctx->cert_store = X509_STORE_new();\n ctx->param = X509_VERIFY_PARAM_new();\n return (ctx->cert_store != nullptr && ctx->param != nullptr);\n}\n\nstatic void ssl_crypto_x509_ssl_ctx_free(SSL_CTX *ctx) {\n ssl_crypto_x509_ssl_ctx_flush_cached_client_CA(ctx);\n X509_VERIFY_PARAM_free(ctx->param);\n X509_STORE_free(ctx->cert_store);\n}\n\nconst SSL_X509_METHOD ssl_crypto_x509_method = {\n ssl_crypto_x509_check_client_CA_list,\n ssl_crypto_x509_cert_clear,\n ssl_crypto_x509_cert_free,\n ssl_crypto_x509_cert_dup,\n ssl_crypto_x509_cert_flush_cached_chain,\n ssl_crypto_x509_cert_flush_cached_leaf,\n ssl_crypto_x509_session_cache_objects,\n ssl_crypto_x509_session_dup,\n ssl_crypto_x509_session_clear,\n ssl_crypto_x509_session_verify_cert_chain,\n ssl_crypto_x509_hs_flush_cached_ca_names,\n ssl_crypto_x509_ssl_new,\n ssl_crypto_x509_ssl_config_free,\n ssl_crypto_x509_ssl_flush_cached_client_CA,\n ssl_crypto_x509_ssl_auto_chain_if_needed,\n ssl_crypto_x509_ssl_ctx_new,\n ssl_crypto_x509_ssl_ctx_free,\n ssl_crypto_x509_ssl_ctx_flush_cached_client_CA,\n};\n\nBSSL_NAMESPACE_END\n\nusing namespace bssl;\n\nX509 *SSL_get_peer_certificate(const SSL *ssl) {\n check_ssl_x509_method(ssl);\n if (ssl == NULL) {\n return NULL;\n }\n SSL_SESSION *session = SSL_get_session(ssl);\n if (session == NULL || session->x509_peer == NULL) {\n return NULL;\n }\n X509_up_ref(session->x509_peer);\n return session->x509_peer;\n}\n\nSTACK_OF(X509) *SSL_get_peer_cert_chain(const SSL *ssl) {\n check_ssl_x509_method(ssl);\n if (ssl == nullptr) {\n return nullptr;\n }\n SSL_SESSION *session = SSL_get_session(ssl);\n if (session == nullptr) {\n return nullptr;\n }\n\n // OpenSSL historically didn't include the leaf certificate in the returned\n // certificate chain, but only for servers.\n return ssl->server ? session->x509_chain_without_leaf : session->x509_chain;\n}\n\nSTACK_OF(X509) *SSL_get_peer_full_cert_chain(const SSL *ssl) {\n check_ssl_x509_method(ssl);\n SSL_SESSION *session = SSL_get_session(ssl);\n if (session == NULL) {\n return NULL;\n }\n\n return session->x509_chain;\n}\n\nint SSL_CTX_set_purpose(SSL_CTX *ctx, int purpose) {\n check_ssl_ctx_x509_method(ctx);\n return X509_VERIFY_PARAM_set_purpose(ctx->param, purpose);\n}\n\nint SSL_set_purpose(SSL *ssl, int purpose) {\n check_ssl_x509_method(ssl);\n if (!ssl->config) {\n return 0;\n }\n return X509_VERIFY_PARAM_set_purpose(ssl->config->param, purpose);\n}\n\nint SSL_CTX_set_trust(SSL_CTX *ctx, int trust) {\n check_ssl_ctx_x509_method(ctx);\n return X509_VERIFY_PARAM_set_trust(ctx->param, trust);\n}\n\nint SSL_set_trust(SSL *ssl, int trust) {\n check_ssl_x509_method(ssl);\n if (!ssl->config) {\n return 0;\n }\n return X509_VERIFY_PARAM_set_trust(ssl->config->param, trust);\n}\n\nint SSL_CTX_set1_param(SSL_CTX *ctx, const X509_VERIFY_PARAM *param) {\n check_ssl_ctx_x509_method(ctx);\n return X509_VERIFY_PARAM_set1(ctx->param, param);\n}\n\nint SSL_set1_param(SSL *ssl, const X509_VERIFY_PARAM *param) {\n check_ssl_x509_method(ssl);\n if (!ssl->config) {\n return 0;\n }\n return X509_VERIFY_PARAM_set1(ssl->config->param, param);\n}\n\nX509_VERIFY_PARAM *SSL_CTX_get0_param(SSL_CTX *ctx) {\n check_ssl_ctx_x509_method(ctx);\n return ctx->param;\n}\n\nX509_VERIFY_PARAM *SSL_get0_param(SSL *ssl) {\n check_ssl_x509_method(ssl);\n if (!ssl->config) {\n assert(ssl->config);\n return 0;\n }\n return ssl->config->param;\n}\n\nint SSL_get_verify_depth(const SSL *ssl) {\n check_ssl_x509_method(ssl);\n if (!ssl->config) {\n assert(ssl->config);\n return 0;\n }\n return X509_VERIFY_PARAM_get_depth(ssl->config->param);\n}\n\nint (*SSL_get_verify_callback(const SSL *ssl))(int, X509_STORE_CTX *) {\n check_ssl_x509_method(ssl);\n if (!ssl->config) {\n assert(ssl->config);\n return 0;\n }\n return ssl->config->verify_callback;\n}\n\nint SSL_CTX_get_verify_mode(const SSL_CTX *ctx) {\n check_ssl_ctx_x509_method(ctx);\n return ctx->verify_mode;\n}\n\nint SSL_CTX_get_verify_depth(const SSL_CTX *ctx) {\n check_ssl_ctx_x509_method(ctx);\n return X509_VERIFY_PARAM_get_depth(ctx->param);\n}\n\nint (*SSL_CTX_get_verify_callback(const SSL_CTX *ctx))(\n int ok, X509_STORE_CTX *store_ctx) {\n check_ssl_ctx_x509_method(ctx);\n return ctx->default_verify_callback;\n}\n\nvoid SSL_set_verify(SSL *ssl, int mode,\n int (*callback)(int ok, X509_STORE_CTX *store_ctx)) {\n check_ssl_x509_method(ssl);\n if (!ssl->config) {\n return;\n }\n ssl->config->verify_mode = mode;\n if (callback != NULL) {\n ssl->config->verify_callback = callback;\n }\n}\n\nvoid SSL_set_verify_depth(SSL *ssl, int depth) {\n check_ssl_x509_method(ssl);\n if (!ssl->config) {\n return;\n }\n X509_VERIFY_PARAM_set_depth(ssl->config->param, depth);\n}\n\nvoid SSL_CTX_set_cert_verify_callback(\n SSL_CTX *ctx, int (*cb)(X509_STORE_CTX *store_ctx, void *arg), void *arg) {\n check_ssl_ctx_x509_method(ctx);\n ctx->app_verify_callback = cb;\n ctx->app_verify_arg = arg;\n}\n\nvoid SSL_CTX_set_verify(SSL_CTX *ctx, int mode,\n int (*cb)(int, X509_STORE_CTX *)) {\n check_ssl_ctx_x509_method(ctx);\n ctx->verify_mode = mode;\n ctx->default_verify_callback = cb;\n}\n\nvoid SSL_CTX_set_verify_depth(SSL_CTX *ctx, int depth) {\n check_ssl_ctx_x509_method(ctx);\n X509_VERIFY_PARAM_set_depth(ctx->param, depth);\n}\n\nint SSL_CTX_set_default_verify_paths(SSL_CTX *ctx) {\n check_ssl_ctx_x509_method(ctx);\n return X509_STORE_set_default_paths(ctx->cert_store);\n}\n\nint SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *ca_file,\n const char *ca_dir) {\n check_ssl_ctx_x509_method(ctx);\n return X509_STORE_load_locations(ctx->cert_store, ca_file, ca_dir);\n}\n\nlong SSL_get_verify_result(const SSL *ssl) {\n check_ssl_x509_method(ssl);\n SSL_SESSION *session = SSL_get_session(ssl);\n if (session == NULL) {\n return X509_V_ERR_INVALID_CALL;\n }\n return session->verify_result;\n}\n\nX509_STORE *SSL_CTX_get_cert_store(const SSL_CTX *ctx) {\n check_ssl_ctx_x509_method(ctx);\n return ctx->cert_store;\n}\n\nvoid SSL_CTX_set_cert_store(SSL_CTX *ctx, X509_STORE *store) {\n check_ssl_ctx_x509_method(ctx);\n X509_STORE_free(ctx->cert_store);\n ctx->cert_store = store;\n}\n\nstatic int ssl_use_certificate(CERT *cert, X509 *x) {\n if (x == NULL) {\n OPENSSL_PUT_ERROR(SSL, ERR_R_PASSED_NULL_PARAMETER);\n return 0;\n }\n\n UniquePtr buffer = x509_to_buffer(x);\n if (!buffer) {\n return 0;\n }\n\n return ssl_set_cert(cert, std::move(buffer));\n}\n\nint SSL_use_certificate(SSL *ssl, X509 *x) {\n check_ssl_x509_method(ssl);\n if (!ssl->config) {\n return 0;\n }\n return ssl_use_certificate(ssl->config->cert.get(), x);\n}\n\nint SSL_CTX_use_certificate(SSL_CTX *ctx, X509 *x) {\n check_ssl_ctx_x509_method(ctx);\n return ssl_use_certificate(ctx->cert.get(), x);\n}\n\n// ssl_cert_cache_leaf_cert sets |cert->x509_leaf|, if currently NULL, from the\n// first element of |cert->chain|.\nstatic int ssl_cert_cache_leaf_cert(CERT *cert) {\n assert(cert->x509_method);\n\n const SSL_CREDENTIAL *cred = cert->legacy_credential.get();\n if (cert->x509_leaf != NULL || cred->chain == NULL) {\n return 1;\n }\n\n CRYPTO_BUFFER *leaf = sk_CRYPTO_BUFFER_value(cred->chain.get(), 0);\n if (!leaf) {\n return 1;\n }\n\n cert->x509_leaf = X509_parse_from_buffer(leaf);\n return cert->x509_leaf != NULL;\n}\n\nstatic X509 *ssl_cert_get0_leaf(CERT *cert) {\n if (cert->x509_leaf == NULL && //\n !ssl_cert_cache_leaf_cert(cert)) {\n return NULL;\n }\n\n return cert->x509_leaf;\n}\n\nX509 *SSL_get_certificate(const SSL *ssl) {\n check_ssl_x509_method(ssl);\n if (!ssl->config) {\n assert(ssl->config);\n return 0;\n }\n return ssl_cert_get0_leaf(ssl->config->cert.get());\n}\n\nX509 *SSL_CTX_get0_certificate(const SSL_CTX *ctx) {\n check_ssl_ctx_x509_method(ctx);\n MutexWriteLock lock(const_cast(&ctx->lock));\n return ssl_cert_get0_leaf(ctx->cert.get());\n}\n\nstatic int ssl_cert_add1_chain_cert(CERT *cert, X509 *x509) {\n assert(cert->x509_method);\n\n UniquePtr buffer = x509_to_buffer(x509);\n if (!buffer ||\n !cert->legacy_credential->AppendIntermediateCert(std::move(buffer))) {\n return 0;\n }\n\n ssl_crypto_x509_cert_flush_cached_chain(cert);\n return 1;\n}\n\nstatic int ssl_cert_add0_chain_cert(CERT *cert, X509 *x509) {\n if (!ssl_cert_add1_chain_cert(cert, x509)) {\n return 0;\n }\n\n X509_free(cert->x509_stash);\n cert->x509_stash = x509;\n return 1;\n}\n\nint SSL_CTX_set0_chain(SSL_CTX *ctx, STACK_OF(X509) *chain) {\n check_ssl_ctx_x509_method(ctx);\n if (!ssl_cert_set1_chain(ctx->cert.get(), chain)) {\n return 0;\n }\n sk_X509_pop_free(chain, X509_free);\n return 1;\n}\n\nint SSL_CTX_set1_chain(SSL_CTX *ctx, STACK_OF(X509) *chain) {\n check_ssl_ctx_x509_method(ctx);\n return ssl_cert_set1_chain(ctx->cert.get(), chain);\n}\n\nint SSL_set0_chain(SSL *ssl, STACK_OF(X509) *chain) {\n check_ssl_x509_method(ssl);\n if (!ssl->config) {\n return 0;\n }\n if (!ssl_cert_set1_chain(ssl->config->cert.get(), chain)) {\n return 0;\n }\n sk_X509_pop_free(chain, X509_free);\n return 1;\n}\n\nint SSL_set1_chain(SSL *ssl, STACK_OF(X509) *chain) {\n check_ssl_x509_method(ssl);\n if (!ssl->config) {\n return 0;\n }\n return ssl_cert_set1_chain(ssl->config->cert.get(), chain);\n}\n\nint SSL_CTX_add0_chain_cert(SSL_CTX *ctx, X509 *x509) {\n check_ssl_ctx_x509_method(ctx);\n return ssl_cert_add0_chain_cert(ctx->cert.get(), x509);\n}\n\nint SSL_CTX_add1_chain_cert(SSL_CTX *ctx, X509 *x509) {\n check_ssl_ctx_x509_method(ctx);\n return ssl_cert_add1_chain_cert(ctx->cert.get(), x509);\n}\n\nint SSL_CTX_add_extra_chain_cert(SSL_CTX *ctx, X509 *x509) {\n check_ssl_ctx_x509_method(ctx);\n return SSL_CTX_add0_chain_cert(ctx, x509);\n}\n\nint SSL_add0_chain_cert(SSL *ssl, X509 *x509) {\n check_ssl_x509_method(ssl);\n if (!ssl->config) {\n return 0;\n }\n return ssl_cert_add0_chain_cert(ssl->config->cert.get(), x509);\n}\n\nint SSL_add1_chain_cert(SSL *ssl, X509 *x509) {\n check_ssl_x509_method(ssl);\n if (!ssl->config) {\n return 0;\n }\n return ssl_cert_add1_chain_cert(ssl->config->cert.get(), x509);\n}\n\nint SSL_CTX_clear_chain_certs(SSL_CTX *ctx) {\n check_ssl_ctx_x509_method(ctx);\n return SSL_CTX_set0_chain(ctx, NULL);\n}\n\nint SSL_CTX_clear_extra_chain_certs(SSL_CTX *ctx) {\n check_ssl_ctx_x509_method(ctx);\n return SSL_CTX_clear_chain_certs(ctx);\n}\n\nint SSL_clear_chain_certs(SSL *ssl) {\n check_ssl_x509_method(ssl);\n return SSL_set0_chain(ssl, NULL);\n}\n\n// ssl_cert_cache_chain_certs fills in |cert->x509_chain| from elements 1.. of\n// |cert->chain|.\nstatic int ssl_cert_cache_chain_certs(CERT *cert) {\n assert(cert->x509_method);\n\n const SSL_CREDENTIAL *cred = cert->legacy_credential.get();\n if (cert->x509_chain != nullptr || cred->chain == nullptr ||\n sk_CRYPTO_BUFFER_num(cred->chain.get()) < 2) {\n return 1;\n }\n\n UniquePtr chain(sk_X509_new_null());\n if (!chain) {\n return 0;\n }\n\n for (size_t i = 1; i < sk_CRYPTO_BUFFER_num(cred->chain.get()); i++) {\n CRYPTO_BUFFER *buffer = sk_CRYPTO_BUFFER_value(cred->chain.get(), i);\n UniquePtr x509(X509_parse_from_buffer(buffer));\n if (!x509 || //\n !PushToStack(chain.get(), std::move(x509))) {\n return 0;\n }\n }\n\n cert->x509_chain = chain.release();\n return 1;\n}\n\nint SSL_CTX_get0_chain_certs(const SSL_CTX *ctx, STACK_OF(X509) **out_chain) {\n check_ssl_ctx_x509_method(ctx);\n MutexWriteLock lock(const_cast(&ctx->lock));\n if (!ssl_cert_cache_chain_certs(ctx->cert.get())) {\n *out_chain = NULL;\n return 0;\n }\n\n *out_chain = ctx->cert->x509_chain;\n return 1;\n}\n\nint SSL_CTX_get_extra_chain_certs(const SSL_CTX *ctx,\n STACK_OF(X509) **out_chain) {\n return SSL_CTX_get0_chain_certs(ctx, out_chain);\n}\n\nint SSL_get0_chain_certs(const SSL *ssl, STACK_OF(X509) **out_chain) {\n check_ssl_x509_method(ssl);\n if (!ssl->config) {\n assert(ssl->config);\n return 0;\n }\n if (!ssl_cert_cache_chain_certs(ssl->config->cert.get())) {\n *out_chain = NULL;\n return 0;\n }\n\n *out_chain = ssl->config->cert->x509_chain;\n return 1;\n}\n\nSSL_SESSION *d2i_SSL_SESSION_bio(BIO *bio, SSL_SESSION **out) {\n uint8_t *data;\n size_t len;\n if (!BIO_read_asn1(bio, &data, &len, 1024 * 1024)) {\n return 0;\n }\n bssl::UniquePtr free_data(data);\n const uint8_t *ptr = data;\n return d2i_SSL_SESSION(out, &ptr, static_cast(len));\n}\n\nint i2d_SSL_SESSION_bio(BIO *bio, const SSL_SESSION *session) {\n uint8_t *data;\n size_t len;\n if (!SSL_SESSION_to_bytes(session, &data, &len)) {\n return 0;\n }\n bssl::UniquePtr free_data(data);\n return BIO_write_all(bio, data, len);\n}\n\nIMPLEMENT_PEM_rw(SSL_SESSION, SSL_SESSION, PEM_STRING_SSL_SESSION, SSL_SESSION)\n\nSSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, const uint8_t **pp, long length) {\n if (length < 0) {\n OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);\n return NULL;\n }\n\n CBS cbs;\n CBS_init(&cbs, *pp, length);\n\n UniquePtr ret = SSL_SESSION_parse(&cbs, &ssl_crypto_x509_method,\n NULL /* no buffer pool */);\n if (!ret) {\n return NULL;\n }\n\n if (a) {\n SSL_SESSION_free(*a);\n *a = ret.get();\n }\n *pp = CBS_data(&cbs);\n return ret.release();\n}\n\nSTACK_OF(X509_NAME) *SSL_dup_CA_list(STACK_OF(X509_NAME) *list) {\n // TODO(https://crbug.com/boringssl/407): |X509_NAME_dup| should be const.\n auto name_dup = [](const X509_NAME *name) {\n return X509_NAME_dup(const_cast(name));\n };\n return sk_X509_NAME_deep_copy(list, name_dup, X509_NAME_free);\n}\n\nstatic void set_client_CA_list(UniquePtr *ca_list,\n const STACK_OF(X509_NAME) *name_list,\n CRYPTO_BUFFER_POOL *pool) {\n UniquePtr buffers(sk_CRYPTO_BUFFER_new_null());\n if (!buffers) {\n return;\n }\n\n for (X509_NAME *name : name_list) {\n uint8_t *outp = NULL;\n int len = i2d_X509_NAME(name, &outp);\n if (len < 0) {\n return;\n }\n\n UniquePtr buffer(CRYPTO_BUFFER_new(outp, len, pool));\n OPENSSL_free(outp);\n if (!buffer || !PushToStack(buffers.get(), std::move(buffer))) {\n return;\n }\n }\n\n *ca_list = std::move(buffers);\n}\n\nvoid SSL_set_client_CA_list(SSL *ssl, STACK_OF(X509_NAME) *name_list) {\n check_ssl_x509_method(ssl);\n if (!ssl->config) {\n return;\n }\n ssl->ctx->x509_method->ssl_flush_cached_client_CA(ssl->config.get());\n set_client_CA_list(&ssl->config->client_CA, name_list, ssl->ctx->pool);\n sk_X509_NAME_pop_free(name_list, X509_NAME_free);\n}\n\nvoid SSL_CTX_set_client_CA_list(SSL_CTX *ctx, STACK_OF(X509_NAME) *name_list) {\n check_ssl_ctx_x509_method(ctx);\n ctx->x509_method->ssl_ctx_flush_cached_client_CA(ctx);\n set_client_CA_list(&ctx->client_CA, name_list, ctx->pool);\n sk_X509_NAME_pop_free(name_list, X509_NAME_free);\n}\n\nstatic STACK_OF(X509_NAME) *buffer_names_to_x509(\n const STACK_OF(CRYPTO_BUFFER) *names, STACK_OF(X509_NAME) **cached) {\n if (names == NULL) {\n return NULL;\n }\n\n if (*cached != NULL) {\n return *cached;\n }\n\n UniquePtr new_cache(sk_X509_NAME_new_null());\n if (!new_cache) {\n return NULL;\n }\n\n for (const CRYPTO_BUFFER *buffer : names) {\n const uint8_t *inp = CRYPTO_BUFFER_data(buffer);\n UniquePtr name(\n d2i_X509_NAME(nullptr, &inp, CRYPTO_BUFFER_len(buffer)));\n if (!name ||\n inp != CRYPTO_BUFFER_data(buffer) + CRYPTO_BUFFER_len(buffer) ||\n !PushToStack(new_cache.get(), std::move(name))) {\n return NULL;\n }\n }\n\n *cached = new_cache.release();\n return *cached;\n}\n\nSTACK_OF(X509_NAME) *SSL_get_client_CA_list(const SSL *ssl) {\n check_ssl_x509_method(ssl);\n if (!ssl->config) {\n assert(ssl->config);\n return NULL;\n }\n // For historical reasons, this function is used both to query configuration\n // state on a server as well as handshake state on a client. However, whether\n // |ssl| is a client or server is not known until explicitly configured with\n // |SSL_set_connect_state|. If |do_handshake| is NULL, |ssl| is in an\n // indeterminate mode and |ssl->server| is unset.\n if (ssl->do_handshake != NULL && !ssl->server) {\n if (ssl->s3->hs != NULL) {\n return buffer_names_to_x509(ssl->s3->hs->ca_names.get(),\n &ssl->s3->hs->cached_x509_ca_names);\n }\n\n return NULL;\n }\n\n if (ssl->config->client_CA != NULL) {\n return buffer_names_to_x509(\n ssl->config->client_CA.get(),\n (STACK_OF(X509_NAME) **)&ssl->config->cached_x509_client_CA);\n }\n return SSL_CTX_get_client_CA_list(ssl->ctx.get());\n}\n\nSTACK_OF(X509_NAME) *SSL_CTX_get_client_CA_list(const SSL_CTX *ctx) {\n check_ssl_ctx_x509_method(ctx);\n // This is a logically const operation that may be called on multiple threads,\n // so it needs to lock around updating |cached_x509_client_CA|.\n MutexWriteLock lock(const_cast(&ctx->lock));\n return buffer_names_to_x509(\n ctx->client_CA.get(),\n const_cast(&ctx->cached_x509_client_CA));\n}\n\nstatic int add_client_CA(UniquePtr *names, X509 *x509,\n CRYPTO_BUFFER_POOL *pool) {\n if (x509 == NULL) {\n return 0;\n }\n\n uint8_t *outp = NULL;\n int len = i2d_X509_NAME(X509_get_subject_name(x509), &outp);\n if (len < 0) {\n return 0;\n }\n\n UniquePtr buffer(CRYPTO_BUFFER_new(outp, len, pool));\n OPENSSL_free(outp);\n if (!buffer) {\n return 0;\n }\n\n int alloced = 0;\n if (*names == nullptr) {\n names->reset(sk_CRYPTO_BUFFER_new_null());\n alloced = 1;\n\n if (*names == NULL) {\n return 0;\n }\n }\n\n if (!PushToStack(names->get(), std::move(buffer))) {\n if (alloced) {\n names->reset();\n }\n return 0;\n }\n\n return 1;\n}\n\nint SSL_add_client_CA(SSL *ssl, X509 *x509) {\n check_ssl_x509_method(ssl);\n if (!ssl->config) {\n return 0;\n }\n if (!add_client_CA(&ssl->config->client_CA, x509, ssl->ctx->pool)) {\n return 0;\n }\n\n ssl_crypto_x509_ssl_flush_cached_client_CA(ssl->config.get());\n return 1;\n}\n\nint SSL_CTX_add_client_CA(SSL_CTX *ctx, X509 *x509) {\n check_ssl_ctx_x509_method(ctx);\n if (!add_client_CA(&ctx->client_CA, x509, ctx->pool)) {\n return 0;\n }\n\n ssl_crypto_x509_ssl_ctx_flush_cached_client_CA(ctx);\n return 1;\n}\n\nstatic int do_client_cert_cb(SSL *ssl, void *arg) {\n // Should only be called during handshake, but check to be sure.\n BSSL_CHECK(ssl->config);\n\n if (ssl->config->cert->legacy_credential->IsComplete() ||\n ssl->ctx->client_cert_cb == nullptr) {\n return 1;\n }\n\n X509 *x509 = NULL;\n EVP_PKEY *pkey = NULL;\n int ret = ssl->ctx->client_cert_cb(ssl, &x509, &pkey);\n if (ret < 0) {\n return -1;\n }\n UniquePtr free_x509(x509);\n UniquePtr free_pkey(pkey);\n\n if (ret != 0) {\n if (!SSL_use_certificate(ssl, x509) || //\n !SSL_use_PrivateKey(ssl, pkey)) {\n return 0;\n }\n }\n\n return 1;\n}\n\nvoid SSL_CTX_set_client_cert_cb(SSL_CTX *ctx,\n int (*cb)(SSL *ssl, X509 **out_x509,\n EVP_PKEY **out_pkey)) {\n check_ssl_ctx_x509_method(ctx);\n // Emulate the old client certificate callback with the new one.\n SSL_CTX_set_cert_cb(ctx, do_client_cert_cb, NULL);\n ctx->client_cert_cb = cb;\n}\n\nstatic int set_cert_store(X509_STORE **store_ptr, X509_STORE *new_store,\n int take_ref) {\n X509_STORE_free(*store_ptr);\n *store_ptr = new_store;\n\n if (new_store != NULL && take_ref) {\n X509_STORE_up_ref(new_store);\n }\n\n return 1;\n}\n\nint SSL_get_ex_data_X509_STORE_CTX_idx(void) {\n // The ex_data index to go from |X509_STORE_CTX| to |SSL| always uses the\n // reserved app_data slot. Before ex_data was introduced, app_data was used.\n // Avoid breaking any software which assumes |X509_STORE_CTX_get_app_data|\n // works.\n return 0;\n}\n\nint SSL_CTX_set0_verify_cert_store(SSL_CTX *ctx, X509_STORE *store) {\n check_ssl_ctx_x509_method(ctx);\n return set_cert_store(&ctx->cert->verify_store, store, 0);\n}\n\nint SSL_CTX_set1_verify_cert_store(SSL_CTX *ctx, X509_STORE *store) {\n check_ssl_ctx_x509_method(ctx);\n return set_cert_store(&ctx->cert->verify_store, store, 1);\n}\n\nint SSL_set0_verify_cert_store(SSL *ssl, X509_STORE *store) {\n check_ssl_x509_method(ssl);\n if (!ssl->config) {\n return 0;\n }\n return set_cert_store(&ssl->config->cert->verify_store, store, 0);\n}\n\nint SSL_set1_verify_cert_store(SSL *ssl, X509_STORE *store) {\n check_ssl_x509_method(ssl);\n if (!ssl->config) {\n return 0;\n }\n return set_cert_store(&ssl->config->cert->verify_store, store, 1);\n}\n\nint SSL_set1_host(SSL *ssl, const char *hostname) {\n check_ssl_x509_method(ssl);\n if (!ssl->config) {\n return 0;\n }\n return X509_VERIFY_PARAM_set1_host(ssl->config->param, hostname,\n strlen(hostname));\n}\n\nvoid SSL_set_hostflags(SSL *ssl, unsigned flags) {\n check_ssl_x509_method(ssl);\n if (!ssl->config) {\n return;\n }\n X509_VERIFY_PARAM_set_hostflags(ssl->config->param, flags);\n}\n\nint SSL_alert_from_verify_result(long result) {\n switch (result) {\n case X509_V_ERR_CERT_CHAIN_TOO_LONG:\n case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:\n case X509_V_ERR_INVALID_CA:\n case X509_V_ERR_PATH_LENGTH_EXCEEDED:\n case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN:\n case X509_V_ERR_UNABLE_TO_GET_CRL:\n case X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER:\n case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:\n case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY:\n case X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE:\n return SSL_AD_UNKNOWN_CA;\n\n case X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE:\n case X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE:\n case X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY:\n case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:\n case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:\n case X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD:\n case X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD:\n case X509_V_ERR_CERT_UNTRUSTED:\n case X509_V_ERR_CERT_REJECTED:\n case X509_V_ERR_HOSTNAME_MISMATCH:\n case X509_V_ERR_EMAIL_MISMATCH:\n case X509_V_ERR_IP_ADDRESS_MISMATCH:\n return SSL_AD_BAD_CERTIFICATE;\n\n case X509_V_ERR_CERT_SIGNATURE_FAILURE:\n case X509_V_ERR_CRL_SIGNATURE_FAILURE:\n return SSL_AD_DECRYPT_ERROR;\n\n case X509_V_ERR_CERT_HAS_EXPIRED:\n case X509_V_ERR_CERT_NOT_YET_VALID:\n case X509_V_ERR_CRL_HAS_EXPIRED:\n case X509_V_ERR_CRL_NOT_YET_VALID:\n return SSL_AD_CERTIFICATE_EXPIRED;\n\n case X509_V_ERR_CERT_REVOKED:\n return SSL_AD_CERTIFICATE_REVOKED;\n\n case X509_V_ERR_UNSPECIFIED:\n case X509_V_ERR_OUT_OF_MEM:\n case X509_V_ERR_INVALID_CALL:\n case X509_V_ERR_STORE_LOOKUP:\n return SSL_AD_INTERNAL_ERROR;\n\n case X509_V_ERR_APPLICATION_VERIFICATION:\n return SSL_AD_HANDSHAKE_FAILURE;\n\n case X509_V_ERR_INVALID_PURPOSE:\n return SSL_AD_UNSUPPORTED_CERTIFICATE;\n\n default:\n return SSL_AD_CERTIFICATE_UNKNOWN;\n }\n}\n" }, { "path": "Sources/CNIOBoringSSL/ssl/t1_enc.cc", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n * Copyright 2005 Nokia. All rights reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n#include \n\n#include \n#include \n\n#include \n#include \n#include \n#include \n#include \n#include \n#include \n\n#include \"../crypto/fipsmodule/tls/internal.h\"\n#include \"../crypto/internal.h\"\n#include \"internal.h\"\n\n\nBSSL_NAMESPACE_BEGIN\n\nbool tls1_prf(const EVP_MD *digest, Span out,\n Span secret, std::string_view label,\n Span seed1, Span seed2) {\n return 1 == CRYPTO_tls1_prf(digest, out.data(), out.size(), secret.data(),\n secret.size(), label.data(), label.size(),\n seed1.data(), seed1.size(), seed2.data(),\n seed2.size());\n}\n\nstatic bool get_key_block_lengths(const SSL *ssl, size_t *out_mac_secret_len,\n size_t *out_key_len, size_t *out_iv_len,\n const SSL_CIPHER *cipher) {\n const EVP_AEAD *aead = NULL;\n if (!ssl_cipher_get_evp_aead(&aead, out_mac_secret_len, out_iv_len, cipher,\n ssl_protocol_version(ssl))) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_CIPHER_OR_HASH_UNAVAILABLE);\n return false;\n }\n\n *out_key_len = EVP_AEAD_key_length(aead);\n if (*out_mac_secret_len > 0) {\n // For \"stateful\" AEADs (i.e. compatibility with pre-AEAD cipher suites) the\n // key length reported by |EVP_AEAD_key_length| will include the MAC key\n // bytes and initial implicit IV.\n if (*out_key_len < *out_mac_secret_len + *out_iv_len) {\n OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);\n return false;\n }\n *out_key_len -= *out_mac_secret_len + *out_iv_len;\n }\n\n return true;\n}\n\nstatic bool generate_key_block(const SSL *ssl, Span out,\n const SSL_SESSION *session) {\n const EVP_MD *digest = ssl_session_get_digest(session);\n // Note this function assumes that |session|'s key material corresponds to\n // |ssl->s3->client_random| and |ssl->s3->server_random|.\n return tls1_prf(digest, out, session->secret, \"key expansion\",\n ssl->s3->server_random, ssl->s3->client_random);\n}\n\nbool tls1_configure_aead(SSL *ssl, evp_aead_direction_t direction,\n Array *key_block_cache,\n const SSL_SESSION *session,\n Span iv_override) {\n size_t mac_secret_len, key_len, iv_len;\n if (!get_key_block_lengths(ssl, &mac_secret_len, &key_len, &iv_len,\n session->cipher)) {\n return false;\n }\n\n // Ensure that |key_block_cache| is set up.\n const size_t key_block_size = 2 * (mac_secret_len + key_len + iv_len);\n if (key_block_cache->empty()) {\n if (!key_block_cache->InitForOverwrite(key_block_size) ||\n !generate_key_block(ssl, Span(*key_block_cache), session)) {\n return false;\n }\n }\n assert(key_block_cache->size() == key_block_size);\n\n Span key_block = *key_block_cache;\n Span mac_secret, key, iv;\n if (direction == (ssl->server ? evp_aead_open : evp_aead_seal)) {\n // Use the client write (server read) keys.\n mac_secret = key_block.subspan(0, mac_secret_len);\n key = key_block.subspan(2 * mac_secret_len, key_len);\n iv = key_block.subspan(2 * mac_secret_len + 2 * key_len, iv_len);\n } else {\n // Use the server write (client read) keys.\n mac_secret = key_block.subspan(mac_secret_len, mac_secret_len);\n key = key_block.subspan(2 * mac_secret_len + key_len, key_len);\n iv = key_block.subspan(2 * mac_secret_len + 2 * key_len + iv_len, iv_len);\n }\n\n if (!iv_override.empty()) {\n if (iv_override.size() != iv_len) {\n return false;\n }\n iv = iv_override;\n }\n\n UniquePtr aead_ctx = SSLAEADContext::Create(\n direction, ssl->s3->version, session->cipher, key, mac_secret, iv);\n if (!aead_ctx) {\n return false;\n }\n\n if (direction == evp_aead_open) {\n return ssl->method->set_read_state(ssl, ssl_encryption_application,\n std::move(aead_ctx),\n /*traffic_secret=*/{});\n }\n\n return ssl->method->set_write_state(ssl, ssl_encryption_application,\n std::move(aead_ctx),\n /*traffic_secret=*/{});\n}\n\nbool tls1_change_cipher_state(SSL_HANDSHAKE *hs,\n evp_aead_direction_t direction) {\n return tls1_configure_aead(hs->ssl, direction, &hs->key_block,\n ssl_handshake_session(hs), {});\n}\n\nbool tls1_generate_master_secret(SSL_HANDSHAKE *hs, Span out,\n Span premaster) {\n BSSL_CHECK(out.size() == SSL3_MASTER_SECRET_SIZE);\n\n const SSL *ssl = hs->ssl;\n if (hs->extended_master_secret) {\n uint8_t digests[EVP_MAX_MD_SIZE];\n size_t digests_len;\n if (!hs->transcript.GetHash(digests, &digests_len) ||\n !tls1_prf(hs->transcript.Digest(), out, premaster,\n \"extended master secret\", Span(digests, digests_len), {})) {\n return false;\n }\n } else {\n if (!tls1_prf(hs->transcript.Digest(), out, premaster, \"master secret\",\n ssl->s3->client_random, ssl->s3->server_random)) {\n return false;\n }\n }\n\n return true;\n}\n\nBSSL_NAMESPACE_END\n\nusing namespace bssl;\n\nsize_t SSL_get_key_block_len(const SSL *ssl) {\n // See |SSL_generate_key_block|.\n if (SSL_in_init(ssl) || ssl_protocol_version(ssl) > TLS1_2_VERSION) {\n return 0;\n }\n\n size_t mac_secret_len, key_len, fixed_iv_len;\n if (!get_key_block_lengths(ssl, &mac_secret_len, &key_len, &fixed_iv_len,\n SSL_get_current_cipher(ssl))) {\n ERR_clear_error();\n return 0;\n }\n\n return 2 * (mac_secret_len + key_len + fixed_iv_len);\n}\n\nint SSL_generate_key_block(const SSL *ssl, uint8_t *out, size_t out_len) {\n // Which cipher state to use is ambiguous during a handshake. In particular,\n // there are points where read and write states are from different epochs.\n // During a handshake, before ChangeCipherSpec, the encryption states may not\n // match |ssl->s3->client_random| and |ssl->s3->server_random|.\n if (SSL_in_init(ssl) || ssl_protocol_version(ssl) > TLS1_2_VERSION) {\n OPENSSL_PUT_ERROR(SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);\n return 0;\n }\n\n return generate_key_block(ssl, Span(out, out_len), SSL_get_session(ssl));\n}\n\nint SSL_export_keying_material(SSL *ssl, uint8_t *out, size_t out_len,\n const char *label, size_t label_len,\n const uint8_t *context, size_t context_len,\n int use_context) {\n auto out_span = Span(out, out_len);\n std::string_view label_sv(label, label_len);\n // In TLS 1.3, the exporter may be used whenever the secret has been derived.\n if (ssl->s3->version != 0 && ssl_protocol_version(ssl) >= TLS1_3_VERSION) {\n if (ssl->s3->exporter_secret.empty()) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_HANDSHAKE_NOT_COMPLETE);\n return 0;\n }\n if (!use_context) {\n context = nullptr;\n context_len = 0;\n }\n return tls13_export_keying_material(ssl, out_span, ssl->s3->exporter_secret,\n label_sv, Span(context, context_len));\n }\n\n // Exporters may be used in False Start, where the handshake has progressed\n // enough. Otherwise, they may not be used during a handshake.\n if (SSL_in_init(ssl) && !SSL_in_false_start(ssl)) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_HANDSHAKE_NOT_COMPLETE);\n return 0;\n }\n\n size_t seed_len = 2 * SSL3_RANDOM_SIZE;\n if (use_context) {\n if (context_len >= 1u << 16) {\n OPENSSL_PUT_ERROR(SSL, ERR_R_OVERFLOW);\n return 0;\n }\n seed_len += 2 + context_len;\n }\n Array seed;\n if (!seed.InitForOverwrite(seed_len)) {\n return 0;\n }\n\n OPENSSL_memcpy(seed.data(), ssl->s3->client_random, SSL3_RANDOM_SIZE);\n OPENSSL_memcpy(seed.data() + SSL3_RANDOM_SIZE, ssl->s3->server_random,\n SSL3_RANDOM_SIZE);\n if (use_context) {\n seed[2 * SSL3_RANDOM_SIZE] = static_cast(context_len >> 8);\n seed[2 * SSL3_RANDOM_SIZE + 1] = static_cast(context_len);\n OPENSSL_memcpy(seed.data() + 2 * SSL3_RANDOM_SIZE + 2, context,\n context_len);\n }\n\n const SSL_SESSION *session = SSL_get_session(ssl);\n const EVP_MD *digest = ssl_session_get_digest(session);\n return tls1_prf(digest, out_span, session->secret, label_sv, seed, {});\n}\n" }, { "path": "Sources/CNIOBoringSSL/ssl/tls13_both.cc", "content": "/* Copyright 2016 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n#include \n\n#include \n#include \n\n#include \n\n#include \n#include \n#include \n#include \n#include \n#include \n\n#include \"../crypto/internal.h\"\n#include \"internal.h\"\n\n\nBSSL_NAMESPACE_BEGIN\n\n// kMaxKeyUpdates is the number of consecutive KeyUpdates that will be\n// processed. Without this limit an attacker could force unbounded processing\n// without being able to return application data.\nstatic const uint8_t kMaxKeyUpdates = 32;\n\nconst uint8_t kHelloRetryRequest[SSL3_RANDOM_SIZE] = {\n 0xcf, 0x21, 0xad, 0x74, 0xe5, 0x9a, 0x61, 0x11, 0xbe, 0x1d, 0x8c,\n 0x02, 0x1e, 0x65, 0xb8, 0x91, 0xc2, 0xa2, 0x11, 0x16, 0x7a, 0xbb,\n 0x8c, 0x5e, 0x07, 0x9e, 0x09, 0xe2, 0xc8, 0xa8, 0x33, 0x9c,\n};\n\n// See RFC 8446, section 4.1.3.\nconst uint8_t kTLS12DowngradeRandom[8] = {0x44, 0x4f, 0x57, 0x4e,\n 0x47, 0x52, 0x44, 0x00};\nconst uint8_t kTLS13DowngradeRandom[8] = {0x44, 0x4f, 0x57, 0x4e,\n 0x47, 0x52, 0x44, 0x01};\n\n// This is a non-standard randomly-generated value.\nconst uint8_t kJDK11DowngradeRandom[8] = {0xed, 0xbf, 0xb4, 0xa8,\n 0xc2, 0x47, 0x10, 0xff};\n\nbool tls13_get_cert_verify_signature_input(\n SSL_HANDSHAKE *hs, Array *out,\n enum ssl_cert_verify_context_t cert_verify_context) {\n ScopedCBB cbb;\n if (!CBB_init(cbb.get(), 64 + 33 + 1 + 2 * EVP_MAX_MD_SIZE)) {\n return false;\n }\n\n for (size_t i = 0; i < 64; i++) {\n if (!CBB_add_u8(cbb.get(), 0x20)) {\n return false;\n }\n }\n\n Span context;\n if (cert_verify_context == ssl_cert_verify_server) {\n static const char kContext[] = \"TLS 1.3, server CertificateVerify\";\n context = kContext;\n } else if (cert_verify_context == ssl_cert_verify_client) {\n static const char kContext[] = \"TLS 1.3, client CertificateVerify\";\n context = kContext;\n } else if (cert_verify_context == ssl_cert_verify_channel_id) {\n static const char kContext[] = \"TLS 1.3, Channel ID\";\n context = kContext;\n } else {\n return false;\n }\n\n // Note |context| includes the NUL byte separator.\n if (!CBB_add_bytes(cbb.get(),\n reinterpret_cast(context.data()),\n context.size())) {\n return false;\n }\n\n uint8_t context_hash[EVP_MAX_MD_SIZE];\n size_t context_hash_len;\n if (!hs->transcript.GetHash(context_hash, &context_hash_len) ||\n !CBB_add_bytes(cbb.get(), context_hash, context_hash_len) ||\n !CBBFinishArray(cbb.get(), out)) {\n return false;\n }\n\n return true;\n}\n\nbool tls13_process_certificate(SSL_HANDSHAKE *hs, const SSLMessage &msg,\n bool allow_anonymous) {\n SSL *const ssl = hs->ssl;\n CBS body = msg.body;\n bssl::UniquePtr decompressed;\n\n if (msg.type == SSL3_MT_COMPRESSED_CERTIFICATE) {\n CBS compressed;\n uint16_t alg_id;\n uint32_t uncompressed_len;\n\n if (!CBS_get_u16(&body, &alg_id) ||\n !CBS_get_u24(&body, &uncompressed_len) ||\n !CBS_get_u24_length_prefixed(&body, &compressed) ||\n CBS_len(&body) != 0) {\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);\n OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);\n return false;\n }\n\n if (uncompressed_len > ssl->max_cert_list) {\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);\n OPENSSL_PUT_ERROR(SSL, SSL_R_UNCOMPRESSED_CERT_TOO_LARGE);\n ERR_add_error_dataf(\"requested=%u\",\n static_cast(uncompressed_len));\n return false;\n }\n\n ssl_cert_decompression_func_t decompress = nullptr;\n for (const auto &alg : ssl->ctx->cert_compression_algs) {\n if (alg.alg_id == alg_id) {\n decompress = alg.decompress;\n break;\n }\n }\n\n if (decompress == nullptr) {\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);\n OPENSSL_PUT_ERROR(SSL, SSL_R_UNKNOWN_CERT_COMPRESSION_ALG);\n ERR_add_error_dataf(\"alg=%d\", static_cast(alg_id));\n return false;\n }\n\n CRYPTO_BUFFER *decompressed_ptr = nullptr;\n if (!decompress(ssl, &decompressed_ptr, uncompressed_len,\n CBS_data(&compressed), CBS_len(&compressed))) {\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);\n OPENSSL_PUT_ERROR(SSL, SSL_R_CERT_DECOMPRESSION_FAILED);\n ERR_add_error_dataf(\"alg=%d\", static_cast(alg_id));\n return false;\n }\n decompressed.reset(decompressed_ptr);\n\n if (CRYPTO_BUFFER_len(decompressed_ptr) != uncompressed_len) {\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);\n OPENSSL_PUT_ERROR(SSL, SSL_R_CERT_DECOMPRESSION_FAILED);\n ERR_add_error_dataf(\n \"alg=%d got=%u expected=%u\", static_cast(alg_id),\n static_cast(CRYPTO_BUFFER_len(decompressed_ptr)),\n static_cast(uncompressed_len));\n return false;\n }\n\n CBS_init(&body, CRYPTO_BUFFER_data(decompressed_ptr),\n CRYPTO_BUFFER_len(decompressed_ptr));\n } else {\n assert(msg.type == SSL3_MT_CERTIFICATE);\n }\n\n CBS context, certificate_list;\n if (!CBS_get_u8_length_prefixed(&body, &context) || //\n CBS_len(&context) != 0 || //\n !CBS_get_u24_length_prefixed(&body, &certificate_list) || //\n CBS_len(&body) != 0) {\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);\n OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);\n return false;\n }\n\n UniquePtr certs(sk_CRYPTO_BUFFER_new_null());\n if (!certs) {\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);\n return false;\n }\n\n const bool retain_sha256 =\n ssl->server && hs->config->retain_only_sha256_of_client_certs;\n UniquePtr pkey;\n while (CBS_len(&certificate_list) > 0) {\n CBS certificate, extensions;\n if (!CBS_get_u24_length_prefixed(&certificate_list, &certificate) ||\n !CBS_get_u16_length_prefixed(&certificate_list, &extensions) ||\n CBS_len(&certificate) == 0) {\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);\n OPENSSL_PUT_ERROR(SSL, SSL_R_CERT_LENGTH_MISMATCH);\n return false;\n }\n\n if (sk_CRYPTO_BUFFER_num(certs.get()) == 0) {\n pkey = ssl_cert_parse_pubkey(&certificate);\n if (!pkey) {\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);\n OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);\n return false;\n }\n // TLS 1.3 always uses certificate keys for signing thus the correct\n // keyUsage is enforced.\n if (!ssl_cert_check_key_usage(&certificate,\n key_usage_digital_signature)) {\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);\n return false;\n }\n\n if (retain_sha256) {\n // Retain the hash of the leaf certificate if requested.\n SHA256(CBS_data(&certificate), CBS_len(&certificate),\n hs->new_session->peer_sha256);\n }\n }\n\n UniquePtr buf(\n CRYPTO_BUFFER_new_from_CBS(&certificate, ssl->ctx->pool));\n if (!buf || //\n !PushToStack(certs.get(), std::move(buf))) {\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);\n return false;\n }\n\n // Parse out the extensions.\n SSLExtension status_request(\n TLSEXT_TYPE_status_request,\n !ssl->server && hs->config->ocsp_stapling_enabled);\n SSLExtension sct(\n TLSEXT_TYPE_certificate_timestamp,\n !ssl->server && hs->config->signed_cert_timestamps_enabled);\n uint8_t alert = SSL_AD_DECODE_ERROR;\n if (!ssl_parse_extensions(&extensions, &alert, {&status_request, &sct},\n /*ignore_unknown=*/false)) {\n ssl_send_alert(ssl, SSL3_AL_FATAL, alert);\n return false;\n }\n\n // All Certificate extensions are parsed, but only the leaf extensions are\n // stored.\n if (status_request.present) {\n uint8_t status_type;\n CBS ocsp_response;\n if (!CBS_get_u8(&status_request.data, &status_type) ||\n status_type != TLSEXT_STATUSTYPE_ocsp ||\n !CBS_get_u24_length_prefixed(&status_request.data, &ocsp_response) ||\n CBS_len(&ocsp_response) == 0 || CBS_len(&status_request.data) != 0) {\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);\n return false;\n }\n\n if (sk_CRYPTO_BUFFER_num(certs.get()) == 1) {\n hs->new_session->ocsp_response.reset(\n CRYPTO_BUFFER_new_from_CBS(&ocsp_response, ssl->ctx->pool));\n if (hs->new_session->ocsp_response == nullptr) {\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);\n return false;\n }\n }\n }\n\n if (sct.present) {\n if (!ssl_is_sct_list_valid(&sct.data)) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_ERROR_PARSING_EXTENSION);\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);\n return false;\n }\n\n if (sk_CRYPTO_BUFFER_num(certs.get()) == 1) {\n hs->new_session->signed_cert_timestamp_list.reset(\n CRYPTO_BUFFER_new_from_CBS(&sct.data, ssl->ctx->pool));\n if (hs->new_session->signed_cert_timestamp_list == nullptr) {\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);\n return false;\n }\n }\n }\n }\n\n // Store a null certificate list rather than an empty one if the peer didn't\n // send certificates.\n if (sk_CRYPTO_BUFFER_num(certs.get()) == 0) {\n certs.reset();\n }\n\n hs->peer_pubkey = std::move(pkey);\n hs->new_session->certs = std::move(certs);\n\n if (!ssl->ctx->x509_method->session_cache_objects(hs->new_session.get())) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);\n return false;\n }\n\n if (sk_CRYPTO_BUFFER_num(hs->new_session->certs.get()) == 0) {\n if (!allow_anonymous) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_CERTIFICATE_REQUIRED);\n return false;\n }\n\n // OpenSSL returns X509_V_OK when no certificates are requested. This is\n // classed by them as a bug, but it's assumed by at least NGINX.\n hs->new_session->verify_result = X509_V_OK;\n\n // No certificate, so nothing more to do.\n return true;\n }\n\n hs->new_session->peer_sha256_valid = retain_sha256;\n return true;\n}\n\nbool tls13_process_certificate_verify(SSL_HANDSHAKE *hs,\n const SSLMessage &msg) {\n SSL *const ssl = hs->ssl;\n if (hs->peer_pubkey == NULL) {\n OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);\n return false;\n }\n\n CBS body = msg.body, signature;\n uint16_t signature_algorithm;\n if (!CBS_get_u16(&body, &signature_algorithm) || //\n !CBS_get_u16_length_prefixed(&body, &signature) || //\n CBS_len(&body) != 0) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);\n return false;\n }\n\n uint8_t alert = SSL_AD_DECODE_ERROR;\n if (!tls12_check_peer_sigalg(hs, &alert, signature_algorithm,\n hs->peer_pubkey.get())) {\n ssl_send_alert(ssl, SSL3_AL_FATAL, alert);\n return false;\n }\n hs->new_session->peer_signature_algorithm = signature_algorithm;\n\n Array input;\n if (!tls13_get_cert_verify_signature_input(\n hs, &input,\n ssl->server ? ssl_cert_verify_client : ssl_cert_verify_server)) {\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);\n return false;\n }\n\n if (!ssl_public_key_verify(ssl, signature, signature_algorithm,\n hs->peer_pubkey.get(), input)) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_SIGNATURE);\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECRYPT_ERROR);\n return false;\n }\n\n return true;\n}\n\nbool tls13_process_finished(SSL_HANDSHAKE *hs, const SSLMessage &msg,\n bool use_saved_value) {\n SSL *const ssl = hs->ssl;\n uint8_t verify_data_buf[EVP_MAX_MD_SIZE];\n Span verify_data;\n if (use_saved_value) {\n assert(ssl->server);\n verify_data = hs->expected_client_finished;\n } else {\n size_t len;\n if (!tls13_finished_mac(hs, verify_data_buf, &len, !ssl->server)) {\n return false;\n }\n verify_data = Span(verify_data_buf, len);\n }\n\n bool finished_ok =\n CBS_mem_equal(&msg.body, verify_data.data(), verify_data.size());\n#if defined(BORINGSSL_UNSAFE_FUZZER_MODE)\n finished_ok = true;\n#endif\n if (!finished_ok) {\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECRYPT_ERROR);\n OPENSSL_PUT_ERROR(SSL, SSL_R_DIGEST_CHECK_FAILED);\n return false;\n }\n\n return true;\n}\n\nbool tls13_add_certificate(SSL_HANDSHAKE *hs) {\n SSL *const ssl = hs->ssl;\n const SSL_CREDENTIAL *cred = hs->credential.get();\n\n ScopedCBB cbb;\n CBB *body, body_storage, certificate_list;\n\n if (hs->cert_compression_negotiated) {\n if (!CBB_init(cbb.get(), 1024)) {\n return false;\n }\n body = cbb.get();\n } else {\n body = &body_storage;\n if (!ssl->method->init_message(ssl, cbb.get(), body, SSL3_MT_CERTIFICATE)) {\n return false;\n }\n }\n\n if ( // The request context is always empty in the handshake.\n !CBB_add_u8(body, 0) ||\n !CBB_add_u24_length_prefixed(body, &certificate_list)) {\n OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);\n return false;\n }\n\n if (hs->credential == nullptr) {\n return ssl_add_message_cbb(ssl, cbb.get());\n }\n\n assert(hs->credential->UsesX509());\n CRYPTO_BUFFER *leaf_buf = sk_CRYPTO_BUFFER_value(cred->chain.get(), 0);\n CBB leaf, extensions;\n if (!CBB_add_u24_length_prefixed(&certificate_list, &leaf) ||\n !CBB_add_bytes(&leaf, CRYPTO_BUFFER_data(leaf_buf),\n CRYPTO_BUFFER_len(leaf_buf)) ||\n !CBB_add_u16_length_prefixed(&certificate_list, &extensions)) {\n OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);\n return false;\n }\n\n if (hs->scts_requested && cred->signed_cert_timestamp_list != nullptr) {\n CBB contents;\n if (!CBB_add_u16(&extensions, TLSEXT_TYPE_certificate_timestamp) ||\n !CBB_add_u16_length_prefixed(&extensions, &contents) ||\n !CBB_add_bytes(\n &contents,\n CRYPTO_BUFFER_data(cred->signed_cert_timestamp_list.get()),\n CRYPTO_BUFFER_len(cred->signed_cert_timestamp_list.get())) ||\n !CBB_flush(&extensions)) {\n OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);\n return false;\n }\n }\n\n if (hs->ocsp_stapling_requested && cred->ocsp_response != NULL) {\n CBB contents, ocsp_response;\n if (!CBB_add_u16(&extensions, TLSEXT_TYPE_status_request) ||\n !CBB_add_u16_length_prefixed(&extensions, &contents) ||\n !CBB_add_u8(&contents, TLSEXT_STATUSTYPE_ocsp) ||\n !CBB_add_u24_length_prefixed(&contents, &ocsp_response) ||\n !CBB_add_bytes(&ocsp_response,\n CRYPTO_BUFFER_data(cred->ocsp_response.get()),\n CRYPTO_BUFFER_len(cred->ocsp_response.get())) ||\n !CBB_flush(&extensions)) {\n OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);\n return false;\n }\n }\n\n if (cred->type == SSLCredentialType::kDelegated) {\n CBB child;\n if (!CBB_add_u16(&extensions, TLSEXT_TYPE_delegated_credential) ||\n !CBB_add_u16_length_prefixed(&extensions, &child) ||\n !CBB_add_bytes(&child, CRYPTO_BUFFER_data(cred->dc.get()),\n CRYPTO_BUFFER_len(cred->dc.get())) ||\n !CBB_flush(&extensions)) {\n OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);\n return false;\n }\n }\n\n for (size_t i = 1; i < sk_CRYPTO_BUFFER_num(cred->chain.get()); i++) {\n CRYPTO_BUFFER *cert_buf = sk_CRYPTO_BUFFER_value(cred->chain.get(), i);\n CBB child;\n if (!CBB_add_u24_length_prefixed(&certificate_list, &child) ||\n !CBB_add_bytes(&child, CRYPTO_BUFFER_data(cert_buf),\n CRYPTO_BUFFER_len(cert_buf)) ||\n !CBB_add_u16(&certificate_list, 0 /* no extensions */)) {\n OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);\n return false;\n }\n }\n\n if (!hs->cert_compression_negotiated) {\n return ssl_add_message_cbb(ssl, cbb.get());\n }\n\n Array msg;\n if (!CBBFinishArray(cbb.get(), &msg)) {\n OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);\n return false;\n }\n\n const CertCompressionAlg *alg = nullptr;\n for (const auto &candidate : ssl->ctx->cert_compression_algs) {\n if (candidate.alg_id == hs->cert_compression_alg_id) {\n alg = &candidate;\n break;\n }\n }\n\n if (alg == nullptr || alg->compress == nullptr) {\n OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);\n return false;\n }\n\n CBB compressed;\n body = &body_storage;\n if (!ssl->method->init_message(ssl, cbb.get(), body,\n SSL3_MT_COMPRESSED_CERTIFICATE) ||\n !CBB_add_u16(body, hs->cert_compression_alg_id) ||\n msg.size() > (1u << 24) - 1 || //\n !CBB_add_u24(body, static_cast(msg.size())) ||\n !CBB_add_u24_length_prefixed(body, &compressed)) {\n OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);\n return false;\n }\n\n SSL_HANDSHAKE_HINTS *const hints = hs->hints.get();\n if (hints && !hs->hints_requested &&\n hints->cert_compression_alg_id == hs->cert_compression_alg_id &&\n hints->cert_compression_input == Span(msg) &&\n !hints->cert_compression_output.empty()) {\n if (!CBB_add_bytes(&compressed, hints->cert_compression_output.data(),\n hints->cert_compression_output.size())) {\n OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);\n return false;\n }\n } else {\n if (!alg->compress(ssl, &compressed, msg.data(), msg.size())) {\n OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);\n return false;\n }\n if (hints && hs->hints_requested) {\n hints->cert_compression_alg_id = hs->cert_compression_alg_id;\n if (!hints->cert_compression_input.CopyFrom(msg) ||\n !hints->cert_compression_output.CopyFrom(\n Span(CBB_data(&compressed), CBB_len(&compressed)))) {\n return false;\n }\n }\n }\n\n if (!ssl_add_message_cbb(ssl, cbb.get())) {\n OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);\n return false;\n }\n\n return true;\n}\n\nenum ssl_private_key_result_t tls13_add_certificate_verify(SSL_HANDSHAKE *hs) {\n SSL *const ssl = hs->ssl;\n assert(hs->signature_algorithm != 0);\n ScopedCBB cbb;\n CBB body;\n if (!ssl->method->init_message(ssl, cbb.get(), &body,\n SSL3_MT_CERTIFICATE_VERIFY) ||\n !CBB_add_u16(&body, hs->signature_algorithm)) {\n OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);\n return ssl_private_key_failure;\n }\n\n CBB child;\n const size_t max_sig_len = EVP_PKEY_size(hs->credential->pubkey.get());\n uint8_t *sig;\n size_t sig_len;\n if (!CBB_add_u16_length_prefixed(&body, &child) ||\n !CBB_reserve(&child, &sig, max_sig_len)) {\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);\n return ssl_private_key_failure;\n }\n\n Array msg;\n if (!tls13_get_cert_verify_signature_input(\n hs, &msg,\n ssl->server ? ssl_cert_verify_server : ssl_cert_verify_client)) {\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);\n return ssl_private_key_failure;\n }\n\n enum ssl_private_key_result_t sign_result = ssl_private_key_sign(\n hs, sig, &sig_len, max_sig_len, hs->signature_algorithm, msg);\n if (sign_result != ssl_private_key_success) {\n return sign_result;\n }\n\n if (!CBB_did_write(&child, sig_len) || //\n !ssl_add_message_cbb(ssl, cbb.get())) {\n return ssl_private_key_failure;\n }\n\n return ssl_private_key_success;\n}\n\nbool tls13_add_finished(SSL_HANDSHAKE *hs) {\n SSL *const ssl = hs->ssl;\n size_t verify_data_len;\n uint8_t verify_data[EVP_MAX_MD_SIZE];\n\n if (!tls13_finished_mac(hs, verify_data, &verify_data_len, ssl->server)) {\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);\n OPENSSL_PUT_ERROR(SSL, SSL_R_DIGEST_CHECK_FAILED);\n return false;\n }\n\n ScopedCBB cbb;\n CBB body;\n if (!ssl->method->init_message(ssl, cbb.get(), &body, SSL3_MT_FINISHED) ||\n !CBB_add_bytes(&body, verify_data, verify_data_len) ||\n !ssl_add_message_cbb(ssl, cbb.get())) {\n return false;\n }\n\n return true;\n}\n\nbool tls13_add_key_update(SSL *ssl, int request_type) {\n if (ssl->s3->key_update_pending) {\n return true;\n }\n\n // We do not support multiple parallel outgoing flights. If there is an\n // outgoing flight pending, queue the KeyUpdate for later.\n if (SSL_is_dtls(ssl) && !ssl->d1->outgoing_messages.empty()) {\n ssl->d1->queued_key_update = request_type == SSL_KEY_UPDATE_REQUESTED\n ? QueuedKeyUpdate::kUpdateRequested\n : QueuedKeyUpdate::kUpdateNotRequested;\n return true;\n }\n\n ScopedCBB cbb;\n CBB body_cbb;\n if (!ssl->method->init_message(ssl, cbb.get(), &body_cbb,\n SSL3_MT_KEY_UPDATE) ||\n !CBB_add_u8(&body_cbb, request_type) ||\n !ssl_add_message_cbb(ssl, cbb.get())) {\n return false;\n }\n\n // In DTLS, the actual key update is deferred until KeyUpdate is ACKed.\n if (!SSL_is_dtls(ssl) &&\n !tls13_rotate_traffic_key(ssl, evp_aead_seal)) {\n return false;\n }\n\n // Suppress KeyUpdate acknowledgments until this change is written to the\n // wire. This prevents us from accumulating write obligations when read and\n // write progress at different rates. See RFC 8446, section 4.6.3.\n ssl->s3->key_update_pending = true;\n ssl->method->finish_flight(ssl);\n return true;\n}\n\nstatic bool tls13_receive_key_update(SSL *ssl, const SSLMessage &msg) {\n CBS body = msg.body;\n uint8_t key_update_request;\n if (!CBS_get_u8(&body, &key_update_request) || //\n CBS_len(&body) != 0 || //\n (key_update_request != SSL_KEY_UPDATE_NOT_REQUESTED && //\n key_update_request != SSL_KEY_UPDATE_REQUESTED)) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);\n return false;\n }\n\n if (!tls13_rotate_traffic_key(ssl, evp_aead_open)) {\n return false;\n }\n\n // Acknowledge the KeyUpdate\n if (key_update_request == SSL_KEY_UPDATE_REQUESTED &&\n !tls13_add_key_update(ssl, SSL_KEY_UPDATE_NOT_REQUESTED)) {\n return false;\n }\n\n return true;\n}\n\nbool tls13_post_handshake(SSL *ssl, const SSLMessage &msg) {\n if (msg.type == SSL3_MT_NEW_SESSION_TICKET && !ssl->server) {\n return tls13_process_new_session_ticket(ssl, msg);\n }\n\n if (msg.type == SSL3_MT_KEY_UPDATE) {\n ssl->s3->key_update_count++;\n if (SSL_is_quic(ssl) || ssl->s3->key_update_count > kMaxKeyUpdates) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_TOO_MANY_KEY_UPDATES);\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);\n return false;\n }\n\n return tls13_receive_key_update(ssl, msg);\n }\n\n ssl->s3->key_update_count = 0;\n\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);\n OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_MESSAGE);\n return false;\n}\n\nBSSL_NAMESPACE_END\n" }, { "path": "Sources/CNIOBoringSSL/ssl/tls13_client.cc", "content": "/* Copyright 2016 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n#include \n\n#include \n#include \n#include \n\n#include \n\n#include \n#include \n#include \n#include \n#include \n#include \n\n#include \"../crypto/internal.h\"\n#include \"internal.h\"\n\n\nBSSL_NAMESPACE_BEGIN\n\nenum client_hs_state_t {\n state_read_hello_retry_request = 0,\n state_send_second_client_hello,\n state_read_server_hello,\n state_read_encrypted_extensions,\n state_read_certificate_request,\n state_read_server_certificate,\n state_read_server_certificate_verify,\n state_server_certificate_reverify,\n state_read_server_finished,\n state_send_end_of_early_data,\n state_send_client_encrypted_extensions,\n state_send_client_certificate,\n state_send_client_certificate_verify,\n state_complete_second_flight,\n state_done,\n};\n\nstatic const uint8_t kZeroes[EVP_MAX_MD_SIZE] = {0};\n\n// end_of_early_data closes the early data stream for |hs| and switches the\n// encryption level to |level|. It returns true on success and false on error.\nstatic bool close_early_data(SSL_HANDSHAKE *hs, ssl_encryption_level_t level) {\n SSL *const ssl = hs->ssl;\n assert(hs->in_early_data);\n\n // Note |can_early_write| may already be false if |SSL_write| exceeded the\n // early data write limit.\n hs->can_early_write = false;\n\n // 0-RTT write states on the client differ between TLS 1.3, DTLS 1.3, and\n // QUIC. TLS 1.3 has one write encryption level at a time. 0-RTT write keys\n // overwrite the null cipher and defer handshake write keys. While a\n // HelloRetryRequest can cause us to rewind back to the null cipher, sequence\n // numbers have no effect, so we can install a \"new\" null cipher.\n //\n // In QUIC and DTLS 1.3, 0-RTT write state cannot override or defer the normal\n // write state. The two ClientHello sequence numbers must align, and handshake\n // write keys must be installed early to ACK the EncryptedExtensions.\n //\n // TODO(crbug.com/381113363): We do not support 0-RTT in DTLS 1.3 and, in\n // QUIC, the caller handles 0-RTT data, so we can skip installing 0-RTT keys\n // and act as if there is one write level. Now that we're implementing\n // DTLS 1.3, switch the abstraction to the DTLS/QUIC model where handshake\n // keys write keys are installed immediately, but the TLS record layer\n // internally waits to activate that epoch until the 0-RTT channel is closed.\n if (!SSL_is_quic(ssl)) {\n if (level == ssl_encryption_initial) {\n bssl::UniquePtr null_ctx =\n SSLAEADContext::CreateNullCipher();\n if (!null_ctx || //\n !ssl->method->set_write_state(ssl, ssl_encryption_initial,\n std::move(null_ctx),\n /*traffic_secret=*/{})) {\n return false;\n }\n } else {\n assert(level == ssl_encryption_handshake);\n if (!tls13_set_traffic_key(ssl, ssl_encryption_handshake, evp_aead_seal,\n hs->new_session.get(),\n hs->client_handshake_secret)) {\n return false;\n }\n }\n } else {\n assert(ssl->s3->quic_write_level == level);\n }\n\n return true;\n}\n\nstatic bool parse_server_hello_tls13(const SSL_HANDSHAKE *hs,\n ParsedServerHello *out, uint8_t *out_alert,\n const SSLMessage &msg) {\n if (!ssl_parse_server_hello(out, out_alert, msg)) {\n return false;\n }\n uint16_t expected_version =\n SSL_is_dtls(hs->ssl) ? DTLS1_2_VERSION : TLS1_2_VERSION;\n // DTLS 1.3 disables \"compatibility mode\" (RFC 8446, appendix D.4). When\n // disabled, servers MUST NOT echo the legacy_session_id (RFC 9147, section\n // 5). The client could have sent a session ID indicating its willingness to\n // resume a DTLS 1.2 session, so just checking that the session IDs match is\n // incorrect.\n Span expected_session_id =\n SSL_is_dtls(hs->ssl) ? Span() : Span(hs->session_id);\n\n // RFC 8446 fixes some legacy values. Check them.\n if (out->legacy_version != expected_version || //\n out->compression_method != 0 ||\n Span(out->session_id) != expected_session_id ||\n CBS_len(&out->extensions) == 0) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);\n *out_alert = SSL_AD_DECODE_ERROR;\n return false;\n }\n return true;\n}\n\nstatic bool is_hello_retry_request(const ParsedServerHello &server_hello) {\n return Span(server_hello.random) == kHelloRetryRequest;\n}\n\nstatic bool check_ech_confirmation(const SSL_HANDSHAKE *hs, bool *out_accepted,\n uint8_t *out_alert,\n const ParsedServerHello &server_hello) {\n const bool is_hrr = is_hello_retry_request(server_hello);\n size_t offset;\n if (is_hrr) {\n // We check for an unsolicited extension when parsing all of them.\n SSLExtension ech(TLSEXT_TYPE_encrypted_client_hello);\n if (!ssl_parse_extensions(&server_hello.extensions, out_alert, {&ech},\n /*ignore_unknown=*/true)) {\n return false;\n }\n if (!ech.present) {\n *out_accepted = false;\n return true;\n }\n if (CBS_len(&ech.data) != ECH_CONFIRMATION_SIGNAL_LEN) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);\n *out_alert = SSL_AD_DECODE_ERROR;\n return false;\n }\n offset = CBS_data(&ech.data) - CBS_data(&server_hello.raw);\n } else {\n offset = ssl_ech_confirmation_signal_hello_offset(hs->ssl);\n }\n\n if (!hs->selected_ech_config) {\n *out_accepted = false;\n return true;\n }\n\n uint8_t expected[ECH_CONFIRMATION_SIGNAL_LEN];\n if (!ssl_ech_accept_confirmation(hs, expected, hs->inner_client_random,\n hs->inner_transcript, is_hrr,\n server_hello.raw, offset)) {\n *out_alert = SSL_AD_INTERNAL_ERROR;\n return false;\n }\n\n *out_accepted = CRYPTO_memcmp(CBS_data(&server_hello.raw) + offset, expected,\n sizeof(expected)) == 0;\n return true;\n}\n\nstatic enum ssl_hs_wait_t do_read_hello_retry_request(SSL_HANDSHAKE *hs) {\n SSL *const ssl = hs->ssl;\n assert(ssl->s3->version != 0);\n SSLMessage msg;\n if (!ssl->method->get_message(ssl, &msg)) {\n return ssl_hs_read_message;\n }\n\n // Queue up a ChangeCipherSpec for whenever we next send something. This\n // will be before the second ClientHello. If we offered early data, this was\n // already done.\n if (!hs->early_data_offered && //\n !ssl->method->add_change_cipher_spec(ssl)) {\n return ssl_hs_error;\n }\n\n ParsedServerHello server_hello;\n uint8_t alert = SSL_AD_DECODE_ERROR;\n if (!parse_server_hello_tls13(hs, &server_hello, &alert, msg)) {\n ssl_send_alert(ssl, SSL3_AL_FATAL, alert);\n return ssl_hs_error;\n }\n\n // The cipher suite must be one we offered. We currently offer all supported\n // TLS 1.3 ciphers unless policy controls limited it. So we check the version\n // and that it's ok per policy.\n const SSL_CIPHER *cipher = SSL_get_cipher_by_value(server_hello.cipher_suite);\n if (cipher == nullptr ||\n SSL_CIPHER_get_min_version(cipher) > ssl_protocol_version(ssl) ||\n SSL_CIPHER_get_max_version(cipher) < ssl_protocol_version(ssl) ||\n !ssl_tls13_cipher_meets_policy(SSL_CIPHER_get_protocol_id(cipher),\n ssl->config->compliance_policy)) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CIPHER_RETURNED);\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);\n return ssl_hs_error;\n }\n\n hs->new_cipher = cipher;\n\n const bool is_hrr = is_hello_retry_request(server_hello);\n if (!hs->transcript.InitHash(ssl_protocol_version(ssl), hs->new_cipher) ||\n (is_hrr && !hs->transcript.UpdateForHelloRetryRequest())) {\n return ssl_hs_error;\n }\n if (hs->selected_ech_config) {\n if (!hs->inner_transcript.InitHash(ssl_protocol_version(ssl),\n hs->new_cipher) ||\n (is_hrr && !hs->inner_transcript.UpdateForHelloRetryRequest())) {\n return ssl_hs_error;\n }\n }\n\n // Determine which ClientHello the server is responding to. Run\n // |check_ech_confirmation| unconditionally, so we validate the extension\n // contents.\n bool ech_accepted;\n if (!check_ech_confirmation(hs, &ech_accepted, &alert, server_hello)) {\n ssl_send_alert(ssl, SSL3_AL_FATAL, alert);\n return ssl_hs_error;\n }\n if (hs->selected_ech_config) {\n ssl->s3->ech_status = ech_accepted ? ssl_ech_accepted : ssl_ech_rejected;\n }\n\n if (!is_hrr) {\n hs->tls13_state = state_read_server_hello;\n return ssl_hs_ok;\n }\n\n // The ECH extension, if present, was already parsed by\n // |check_ech_confirmation|.\n SSLExtension cookie(TLSEXT_TYPE_cookie), key_share(TLSEXT_TYPE_key_share),\n supported_versions(TLSEXT_TYPE_supported_versions),\n ech_unused(TLSEXT_TYPE_encrypted_client_hello,\n hs->selected_ech_config || hs->config->ech_grease_enabled);\n if (!ssl_parse_extensions(\n &server_hello.extensions, &alert,\n {&cookie, &key_share, &supported_versions, &ech_unused},\n /*ignore_unknown=*/false)) {\n ssl_send_alert(ssl, SSL3_AL_FATAL, alert);\n return ssl_hs_error;\n }\n\n if (!cookie.present && !key_share.present) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_EMPTY_HELLO_RETRY_REQUEST);\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);\n return ssl_hs_error;\n }\n if (cookie.present) {\n CBS cookie_value;\n if (!CBS_get_u16_length_prefixed(&cookie.data, &cookie_value) || //\n CBS_len(&cookie_value) == 0 || //\n CBS_len(&cookie.data) != 0) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);\n return ssl_hs_error;\n }\n\n if (!hs->cookie.CopyFrom(cookie_value)) {\n return ssl_hs_error;\n }\n }\n\n if (key_share.present) {\n uint16_t group_id;\n if (!CBS_get_u16(&key_share.data, &group_id) ||\n CBS_len(&key_share.data) != 0) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);\n return ssl_hs_error;\n }\n\n // The group must be supported.\n if (!tls1_check_group_id(hs, group_id)) {\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);\n OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CURVE);\n return ssl_hs_error;\n }\n\n // Check that the HelloRetryRequest does not request a key share that was\n // provided in the initial ClientHello.\n if (hs->key_shares[0]->GroupID() == group_id ||\n (hs->key_shares[1] && hs->key_shares[1]->GroupID() == group_id)) {\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);\n OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CURVE);\n return ssl_hs_error;\n }\n\n if (!ssl_setup_key_shares(hs, group_id)) {\n return ssl_hs_error;\n }\n }\n\n // Although we now know whether ClientHelloInner was used, we currently\n // maintain both transcripts up to ServerHello. We could swap transcripts\n // early, but then ClientHello construction and |check_ech_confirmation|\n // become more complex.\n if (!ssl_hash_message(hs, msg)) {\n return ssl_hs_error;\n }\n if (ssl->s3->ech_status == ssl_ech_accepted &&\n !hs->inner_transcript.Update(msg.raw)) {\n return ssl_hs_error;\n }\n\n // HelloRetryRequest should be the end of the flight.\n if (ssl->method->has_unprocessed_handshake_data(ssl)) {\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);\n OPENSSL_PUT_ERROR(SSL, SSL_R_EXCESS_HANDSHAKE_DATA);\n return ssl_hs_error;\n }\n\n ssl->method->next_message(ssl);\n ssl->s3->used_hello_retry_request = true;\n hs->tls13_state = state_send_second_client_hello;\n // 0-RTT is rejected if we receive a HelloRetryRequest.\n if (hs->in_early_data) {\n ssl->s3->early_data_reason = ssl_early_data_hello_retry_request;\n if (!close_early_data(hs, ssl_encryption_initial)) {\n return ssl_hs_error;\n }\n return ssl_hs_early_data_rejected;\n }\n return ssl_hs_ok;\n}\n\nstatic enum ssl_hs_wait_t do_send_second_client_hello(SSL_HANDSHAKE *hs) {\n // Build the second ClientHelloInner, if applicable. The second ClientHello\n // uses an empty string for |enc|.\n if (hs->ssl->s3->ech_status == ssl_ech_accepted &&\n !ssl_encrypt_client_hello(hs, {})) {\n return ssl_hs_error;\n }\n\n if (!ssl_add_client_hello(hs)) {\n return ssl_hs_error;\n }\n\n ssl_done_writing_client_hello(hs);\n hs->tls13_state = state_read_server_hello;\n return ssl_hs_flush;\n}\n\nstatic enum ssl_hs_wait_t do_read_server_hello(SSL_HANDSHAKE *hs) {\n SSL *const ssl = hs->ssl;\n SSLMessage msg;\n if (!ssl->method->get_message(ssl, &msg)) {\n return ssl_hs_read_message;\n }\n ParsedServerHello server_hello;\n uint8_t alert = SSL_AD_DECODE_ERROR;\n if (!parse_server_hello_tls13(hs, &server_hello, &alert, msg)) {\n ssl_send_alert(ssl, SSL3_AL_FATAL, alert);\n return ssl_hs_error;\n }\n\n // Forbid a second HelloRetryRequest.\n if (is_hello_retry_request(server_hello)) {\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);\n OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_MESSAGE);\n return ssl_hs_error;\n }\n\n // Check the cipher suite, in case this is after HelloRetryRequest.\n if (SSL_CIPHER_get_protocol_id(hs->new_cipher) != server_hello.cipher_suite) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CIPHER_RETURNED);\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);\n return ssl_hs_error;\n }\n\n if (ssl->s3->ech_status == ssl_ech_accepted) {\n if (ssl->s3->used_hello_retry_request) {\n // HelloRetryRequest and ServerHello must accept ECH consistently.\n bool ech_accepted;\n if (!check_ech_confirmation(hs, &ech_accepted, &alert, server_hello)) {\n ssl_send_alert(ssl, SSL3_AL_FATAL, alert);\n return ssl_hs_error;\n }\n if (!ech_accepted) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_INCONSISTENT_ECH_NEGOTIATION);\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);\n return ssl_hs_error;\n }\n }\n\n hs->transcript = std::move(hs->inner_transcript);\n hs->extensions.sent = hs->inner_extensions_sent;\n // Report the inner random value through |SSL_get_client_random|.\n OPENSSL_memcpy(ssl->s3->client_random, hs->inner_client_random,\n SSL3_RANDOM_SIZE);\n }\n\n OPENSSL_memcpy(ssl->s3->server_random, CBS_data(&server_hello.random),\n SSL3_RANDOM_SIZE);\n\n // When offering ECH, |ssl->session| is only offered in ClientHelloInner.\n const bool pre_shared_key_allowed =\n ssl->session != nullptr &&\n ssl_session_get_type(ssl->session.get()) ==\n SSLSessionType::kPreSharedKey &&\n ssl->s3->ech_status != ssl_ech_rejected;\n SSLExtension key_share(TLSEXT_TYPE_key_share),\n pre_shared_key(TLSEXT_TYPE_pre_shared_key, pre_shared_key_allowed),\n supported_versions(TLSEXT_TYPE_supported_versions);\n if (!ssl_parse_extensions(&server_hello.extensions, &alert,\n {&key_share, &pre_shared_key, &supported_versions},\n /*ignore_unknown=*/false)) {\n ssl_send_alert(ssl, SSL3_AL_FATAL, alert);\n return ssl_hs_error;\n }\n\n // Recheck supported_versions, in case this is after HelloRetryRequest.\n uint16_t version;\n if (!supported_versions.present || //\n !CBS_get_u16(&supported_versions.data, &version) || //\n CBS_len(&supported_versions.data) != 0 || //\n version != ssl->s3->version) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_SECOND_SERVERHELLO_VERSION_MISMATCH);\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);\n return ssl_hs_error;\n }\n\n alert = SSL_AD_DECODE_ERROR;\n if (pre_shared_key.present) {\n if (!ssl_ext_pre_shared_key_parse_serverhello(hs, &alert,\n &pre_shared_key.data)) {\n ssl_send_alert(ssl, SSL3_AL_FATAL, alert);\n return ssl_hs_error;\n }\n\n if (ssl->session->ssl_version != ssl->s3->version) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_OLD_SESSION_VERSION_NOT_RETURNED);\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);\n return ssl_hs_error;\n }\n\n if (ssl->session->cipher->algorithm_prf != hs->new_cipher->algorithm_prf) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_OLD_SESSION_PRF_HASH_MISMATCH);\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);\n return ssl_hs_error;\n }\n\n if (!ssl_session_is_context_valid(hs, ssl->session.get())) {\n // This is actually a client application bug.\n OPENSSL_PUT_ERROR(SSL,\n SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT);\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);\n return ssl_hs_error;\n }\n\n ssl->s3->session_reused = true;\n hs->can_release_private_key = true;\n // Only authentication information carries over in TLS 1.3.\n hs->new_session =\n SSL_SESSION_dup(ssl->session.get(), SSL_SESSION_DUP_AUTH_ONLY);\n if (!hs->new_session) {\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);\n return ssl_hs_error;\n }\n ssl_set_session(ssl, NULL);\n\n // Resumption incorporates fresh key material, so refresh the timeout.\n ssl_session_renew_timeout(ssl, hs->new_session.get(),\n ssl->session_ctx->session_psk_dhe_timeout);\n } else if (!ssl_get_new_session(hs)) {\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);\n return ssl_hs_error;\n }\n\n hs->new_session->cipher = hs->new_cipher;\n\n // Set up the key schedule and incorporate the PSK into the running secret.\n size_t hash_len = EVP_MD_size(\n ssl_get_handshake_digest(ssl_protocol_version(ssl), hs->new_cipher));\n if (!tls13_init_key_schedule(hs, ssl->s3->session_reused\n ? Span(hs->new_session->secret)\n : Span(kZeroes, hash_len))) {\n return ssl_hs_error;\n }\n\n if (!key_share.present) {\n // We do not support psk_ke and thus always require a key share.\n OPENSSL_PUT_ERROR(SSL, SSL_R_MISSING_KEY_SHARE);\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_MISSING_EXTENSION);\n return ssl_hs_error;\n }\n\n // Resolve ECDHE and incorporate it into the secret.\n Array dhe_secret;\n alert = SSL_AD_DECODE_ERROR;\n if (!ssl_ext_key_share_parse_serverhello(hs, &dhe_secret, &alert,\n &key_share.data)) {\n ssl_send_alert(ssl, SSL3_AL_FATAL, alert);\n return ssl_hs_error;\n }\n\n if (!tls13_advance_key_schedule(hs, dhe_secret) || //\n !ssl_hash_message(hs, msg) || //\n !tls13_derive_handshake_secrets(hs)) {\n return ssl_hs_error;\n }\n\n // If currently sending early data over TCP, we defer installing client\n // traffic keys to when the early data stream is closed. See\n // |close_early_data|. Note if the server has already rejected 0-RTT via\n // HelloRetryRequest, |in_early_data| is already false.\n if (!hs->in_early_data || SSL_is_quic(ssl)) {\n if (!tls13_set_traffic_key(ssl, ssl_encryption_handshake, evp_aead_seal,\n hs->new_session.get(),\n hs->client_handshake_secret)) {\n return ssl_hs_error;\n }\n }\n\n if (!tls13_set_traffic_key(ssl, ssl_encryption_handshake, evp_aead_open,\n hs->new_session.get(),\n hs->server_handshake_secret)) {\n return ssl_hs_error;\n }\n\n ssl->method->next_message(ssl);\n hs->tls13_state = state_read_encrypted_extensions;\n return ssl_hs_ok;\n}\n\nstatic enum ssl_hs_wait_t do_read_encrypted_extensions(SSL_HANDSHAKE *hs) {\n SSL *const ssl = hs->ssl;\n SSLMessage msg;\n if (!ssl->method->get_message(ssl, &msg)) {\n return ssl_hs_read_message;\n }\n if (!ssl_check_message_type(ssl, msg, SSL3_MT_ENCRYPTED_EXTENSIONS)) {\n return ssl_hs_error;\n }\n\n CBS body = msg.body, extensions;\n if (!CBS_get_u16_length_prefixed(&body, &extensions) || //\n CBS_len(&body) != 0) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);\n return ssl_hs_error;\n }\n\n if (!ssl_parse_serverhello_tlsext(hs, &extensions)) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_PARSE_TLSEXT);\n return ssl_hs_error;\n }\n\n if (ssl->s3->early_data_accepted) {\n // The extension parser checks the server resumed the session.\n assert(ssl->s3->session_reused);\n // If offering ECH, the server may not accept early data with\n // ClientHelloOuter. We do not offer sessions with ClientHelloOuter, so this\n // this should be implied by checking |session_reused|.\n assert(ssl->s3->ech_status != ssl_ech_rejected);\n\n if (hs->early_session->cipher != hs->new_session->cipher) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_CIPHER_MISMATCH_ON_EARLY_DATA);\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);\n return ssl_hs_error;\n }\n if (Span(hs->early_session->early_alpn) != ssl->s3->alpn_selected) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_ALPN_MISMATCH_ON_EARLY_DATA);\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);\n return ssl_hs_error;\n }\n // Channel ID is incompatible with 0-RTT. The ALPS extension should be\n // negotiated implicitly.\n if (hs->channel_id_negotiated ||\n hs->new_session->has_application_settings) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION_ON_EARLY_DATA);\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);\n return ssl_hs_error;\n }\n hs->new_session->has_application_settings =\n hs->early_session->has_application_settings;\n if (!hs->new_session->local_application_settings.CopyFrom(\n hs->early_session->local_application_settings) ||\n !hs->new_session->peer_application_settings.CopyFrom(\n hs->early_session->peer_application_settings)) {\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);\n return ssl_hs_error;\n }\n }\n\n // Store the negotiated ALPN in the session.\n if (!hs->new_session->early_alpn.CopyFrom(ssl->s3->alpn_selected)) {\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);\n return ssl_hs_error;\n }\n\n if (!ssl_hash_message(hs, msg)) {\n return ssl_hs_error;\n }\n\n ssl->method->next_message(ssl);\n hs->tls13_state = state_read_certificate_request;\n if (hs->in_early_data && !ssl->s3->early_data_accepted) {\n if (!close_early_data(hs, ssl_encryption_handshake)) {\n return ssl_hs_error;\n }\n return ssl_hs_early_data_rejected;\n }\n return ssl_hs_ok;\n}\n\nstatic enum ssl_hs_wait_t do_read_certificate_request(SSL_HANDSHAKE *hs) {\n SSL *const ssl = hs->ssl;\n // CertificateRequest may only be sent in non-resumption handshakes.\n if (ssl->s3->session_reused) {\n if (ssl->ctx->reverify_on_resume && !ssl->s3->early_data_accepted) {\n hs->tls13_state = state_server_certificate_reverify;\n return ssl_hs_ok;\n }\n hs->tls13_state = state_read_server_finished;\n return ssl_hs_ok;\n }\n\n SSLMessage msg;\n if (!ssl->method->get_message(ssl, &msg)) {\n return ssl_hs_read_message;\n }\n\n // CertificateRequest is optional.\n if (msg.type != SSL3_MT_CERTIFICATE_REQUEST) {\n hs->tls13_state = state_read_server_certificate;\n return ssl_hs_ok;\n }\n\n\n SSLExtension sigalgs(TLSEXT_TYPE_signature_algorithms),\n ca(TLSEXT_TYPE_certificate_authorities);\n CBS body = msg.body, context, extensions, supported_signature_algorithms;\n uint8_t alert = SSL_AD_DECODE_ERROR;\n if (!CBS_get_u8_length_prefixed(&body, &context) ||\n // The request context is always empty during the handshake.\n CBS_len(&context) != 0 ||\n !CBS_get_u16_length_prefixed(&body, &extensions) || //\n CBS_len(&body) != 0 ||\n !ssl_parse_extensions(&extensions, &alert, {&sigalgs, &ca},\n /*ignore_unknown=*/true) ||\n !sigalgs.present ||\n !CBS_get_u16_length_prefixed(&sigalgs.data,\n &supported_signature_algorithms) ||\n !tls1_parse_peer_sigalgs(hs, &supported_signature_algorithms)) {\n ssl_send_alert(ssl, SSL3_AL_FATAL, alert);\n OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);\n return ssl_hs_error;\n }\n\n if (ca.present) {\n hs->ca_names = SSL_parse_CA_list(ssl, &alert, &ca.data);\n if (!hs->ca_names) {\n ssl_send_alert(ssl, SSL3_AL_FATAL, alert);\n return ssl_hs_error;\n }\n } else {\n hs->ca_names.reset(sk_CRYPTO_BUFFER_new_null());\n if (!hs->ca_names) {\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);\n return ssl_hs_error;\n }\n }\n\n hs->cert_request = true;\n ssl->ctx->x509_method->hs_flush_cached_ca_names(hs);\n\n if (!ssl_hash_message(hs, msg)) {\n return ssl_hs_error;\n }\n\n ssl->method->next_message(ssl);\n hs->tls13_state = state_read_server_certificate;\n return ssl_hs_ok;\n}\n\nstatic enum ssl_hs_wait_t do_read_server_certificate(SSL_HANDSHAKE *hs) {\n SSL *const ssl = hs->ssl;\n SSLMessage msg;\n if (!ssl->method->get_message(ssl, &msg)) {\n return ssl_hs_read_message;\n }\n\n if (msg.type != SSL3_MT_COMPRESSED_CERTIFICATE &&\n !ssl_check_message_type(ssl, msg, SSL3_MT_CERTIFICATE)) {\n return ssl_hs_error;\n }\n\n if (!tls13_process_certificate(hs, msg, false /* certificate required */) ||\n !ssl_hash_message(hs, msg)) {\n return ssl_hs_error;\n }\n\n ssl->method->next_message(ssl);\n hs->tls13_state = state_read_server_certificate_verify;\n return ssl_hs_ok;\n}\n\nstatic enum ssl_hs_wait_t do_read_server_certificate_verify(SSL_HANDSHAKE *hs) {\n SSL *const ssl = hs->ssl;\n SSLMessage msg;\n if (!ssl->method->get_message(ssl, &msg)) {\n return ssl_hs_read_message;\n }\n switch (ssl_verify_peer_cert(hs)) {\n case ssl_verify_ok:\n break;\n case ssl_verify_invalid:\n return ssl_hs_error;\n case ssl_verify_retry:\n hs->tls13_state = state_read_server_certificate_verify;\n return ssl_hs_certificate_verify;\n }\n\n if (!ssl_check_message_type(ssl, msg, SSL3_MT_CERTIFICATE_VERIFY) ||\n !tls13_process_certificate_verify(hs, msg) ||\n !ssl_hash_message(hs, msg)) {\n return ssl_hs_error;\n }\n\n ssl->method->next_message(ssl);\n hs->tls13_state = state_read_server_finished;\n return ssl_hs_ok;\n}\n\nstatic enum ssl_hs_wait_t do_server_certificate_reverify(SSL_HANDSHAKE *hs) {\n switch (ssl_reverify_peer_cert(hs, /*send_alert=*/true)) {\n case ssl_verify_ok:\n break;\n case ssl_verify_invalid:\n return ssl_hs_error;\n case ssl_verify_retry:\n hs->tls13_state = state_server_certificate_reverify;\n return ssl_hs_certificate_verify;\n }\n hs->tls13_state = state_read_server_finished;\n return ssl_hs_ok;\n}\n\nstatic enum ssl_hs_wait_t do_read_server_finished(SSL_HANDSHAKE *hs) {\n SSL *const ssl = hs->ssl;\n SSLMessage msg;\n if (!ssl->method->get_message(ssl, &msg)) {\n return ssl_hs_read_message;\n }\n if (!ssl_check_message_type(ssl, msg, SSL3_MT_FINISHED) ||\n !tls13_process_finished(hs, msg, false /* don't use saved value */) ||\n !ssl_hash_message(hs, msg) ||\n // Update the secret to the master secret and derive traffic keys.\n !tls13_advance_key_schedule(hs,\n Span(kZeroes, hs->transcript.DigestLen())) ||\n !tls13_derive_application_secrets(hs)) {\n return ssl_hs_error;\n }\n\n // Finished should be the end of the flight.\n if (ssl->method->has_unprocessed_handshake_data(ssl)) {\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);\n OPENSSL_PUT_ERROR(SSL, SSL_R_EXCESS_HANDSHAKE_DATA);\n return ssl_hs_error;\n }\n\n ssl->method->next_message(ssl);\n hs->tls13_state = state_send_end_of_early_data;\n return ssl_hs_ok;\n}\n\nstatic enum ssl_hs_wait_t do_send_end_of_early_data(SSL_HANDSHAKE *hs) {\n SSL *const ssl = hs->ssl;\n\n if (ssl->s3->early_data_accepted) {\n // DTLS and QUIC omit the EndOfEarlyData message. See RFC 9001, section 8.3,\n // and RFC 9147, section 5.6.\n if (!SSL_is_quic(ssl) && !SSL_is_dtls(ssl)) {\n ScopedCBB cbb;\n CBB body;\n if (!ssl->method->init_message(ssl, cbb.get(), &body,\n SSL3_MT_END_OF_EARLY_DATA) ||\n !ssl_add_message_cbb(ssl, cbb.get())) {\n return ssl_hs_error;\n }\n }\n\n if (!close_early_data(hs, ssl_encryption_handshake)) {\n return ssl_hs_error;\n }\n }\n\n hs->tls13_state = state_send_client_encrypted_extensions;\n return ssl_hs_ok;\n}\n\nstatic enum ssl_hs_wait_t do_send_client_encrypted_extensions(\n SSL_HANDSHAKE *hs) {\n SSL *const ssl = hs->ssl;\n // For now, only one extension uses client EncryptedExtensions. This function\n // may be generalized if others use it in the future.\n if (hs->new_session->has_application_settings &&\n !ssl->s3->early_data_accepted) {\n ScopedCBB cbb;\n CBB body, extensions, extension;\n uint16_t extension_type = TLSEXT_TYPE_application_settings_old;\n if (hs->config->alps_use_new_codepoint) {\n extension_type = TLSEXT_TYPE_application_settings;\n }\n if (!ssl->method->init_message(ssl, cbb.get(), &body,\n SSL3_MT_ENCRYPTED_EXTENSIONS) ||\n !CBB_add_u16_length_prefixed(&body, &extensions) ||\n !CBB_add_u16(&extensions, extension_type) ||\n !CBB_add_u16_length_prefixed(&extensions, &extension) ||\n !CBB_add_bytes(&extension,\n hs->new_session->local_application_settings.data(),\n hs->new_session->local_application_settings.size()) ||\n !ssl_add_message_cbb(ssl, cbb.get())) {\n return ssl_hs_error;\n }\n }\n\n hs->tls13_state = state_send_client_certificate;\n return ssl_hs_ok;\n}\n\nstatic bool check_credential(SSL_HANDSHAKE *hs, const SSL_CREDENTIAL *cred,\n uint16_t *out_sigalg) {\n if (cred->type != SSLCredentialType::kX509) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_UNKNOWN_CERTIFICATE_TYPE);\n return false;\n }\n\n // All currently supported credentials require a signature.\n if (!tls1_choose_signature_algorithm(hs, cred, out_sigalg)) {\n return false;\n }\n // Use this credential if it either matches a requested issuer,\n // or does not require issuer matching.\n return ssl_credential_matches_requested_issuers(hs, cred);\n}\n\nstatic enum ssl_hs_wait_t do_send_client_certificate(SSL_HANDSHAKE *hs) {\n SSL *const ssl = hs->ssl;\n\n // The peer didn't request a certificate.\n if (!hs->cert_request) {\n hs->tls13_state = state_complete_second_flight;\n return ssl_hs_ok;\n }\n\n if (ssl->s3->ech_status == ssl_ech_rejected) {\n // Do not send client certificates on ECH reject. We have not authenticated\n // the server for the name that can learn the certificate.\n SSL_certs_clear(ssl);\n } else if (hs->config->cert->cert_cb != nullptr) {\n // Call cert_cb to update the certificate.\n int rv = hs->config->cert->cert_cb(ssl, hs->config->cert->cert_cb_arg);\n if (rv == 0) {\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);\n OPENSSL_PUT_ERROR(SSL, SSL_R_CERT_CB_ERROR);\n return ssl_hs_error;\n }\n if (rv < 0) {\n hs->tls13_state = state_send_client_certificate;\n return ssl_hs_x509_lookup;\n }\n }\n\n Array creds;\n if (!ssl_get_credential_list(hs, &creds)) {\n return ssl_hs_error;\n }\n\n if (!creds.empty()) {\n // Select the credential to use.\n for (SSL_CREDENTIAL *cred : creds) {\n ERR_clear_error();\n uint16_t sigalg;\n if (check_credential(hs, cred, &sigalg)) {\n hs->credential = UpRef(cred);\n hs->signature_algorithm = sigalg;\n break;\n }\n }\n if (hs->credential == nullptr) {\n // The error from the last attempt is in the error queue.\n assert(ERR_peek_error() != 0);\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);\n return ssl_hs_error;\n }\n }\n\n if (!tls13_add_certificate(hs)) {\n return ssl_hs_error;\n }\n\n hs->tls13_state = state_send_client_certificate_verify;\n return ssl_hs_ok;\n}\n\nstatic enum ssl_hs_wait_t do_send_client_certificate_verify(SSL_HANDSHAKE *hs) {\n // Don't send CertificateVerify if there is no certificate.\n if (hs->credential == nullptr) {\n hs->tls13_state = state_complete_second_flight;\n return ssl_hs_ok;\n }\n\n switch (tls13_add_certificate_verify(hs)) {\n case ssl_private_key_success:\n hs->tls13_state = state_complete_second_flight;\n return ssl_hs_ok;\n\n case ssl_private_key_retry:\n hs->tls13_state = state_send_client_certificate_verify;\n return ssl_hs_private_key_operation;\n\n case ssl_private_key_failure:\n return ssl_hs_error;\n }\n\n assert(0);\n return ssl_hs_error;\n}\n\nstatic enum ssl_hs_wait_t do_complete_second_flight(SSL_HANDSHAKE *hs) {\n SSL *const ssl = hs->ssl;\n hs->can_release_private_key = true;\n\n // Send a Channel ID assertion if necessary.\n if (hs->channel_id_negotiated) {\n ScopedCBB cbb;\n CBB body;\n if (!ssl->method->init_message(ssl, cbb.get(), &body, SSL3_MT_CHANNEL_ID) ||\n !tls1_write_channel_id(hs, &body) ||\n !ssl_add_message_cbb(ssl, cbb.get())) {\n return ssl_hs_error;\n }\n }\n\n // Send a Finished message.\n if (!tls13_add_finished(hs)) {\n return ssl_hs_error;\n }\n\n // Derive the final keys and enable them.\n if (!tls13_set_traffic_key(ssl, ssl_encryption_application, evp_aead_seal,\n hs->new_session.get(),\n hs->client_traffic_secret_0) ||\n !tls13_set_traffic_key(ssl, ssl_encryption_application, evp_aead_open,\n hs->new_session.get(),\n hs->server_traffic_secret_0) ||\n !tls13_derive_resumption_secret(hs)) {\n return ssl_hs_error;\n }\n\n hs->tls13_state = state_done;\n return ssl_hs_flush;\n}\n\nenum ssl_hs_wait_t tls13_client_handshake(SSL_HANDSHAKE *hs) {\n while (hs->tls13_state != state_done) {\n enum ssl_hs_wait_t ret = ssl_hs_error;\n enum client_hs_state_t state =\n static_cast(hs->tls13_state);\n switch (state) {\n case state_read_hello_retry_request:\n ret = do_read_hello_retry_request(hs);\n break;\n case state_send_second_client_hello:\n ret = do_send_second_client_hello(hs);\n break;\n case state_read_server_hello:\n ret = do_read_server_hello(hs);\n break;\n case state_read_encrypted_extensions:\n ret = do_read_encrypted_extensions(hs);\n break;\n case state_read_certificate_request:\n ret = do_read_certificate_request(hs);\n break;\n case state_read_server_certificate:\n ret = do_read_server_certificate(hs);\n break;\n case state_read_server_certificate_verify:\n ret = do_read_server_certificate_verify(hs);\n break;\n case state_server_certificate_reverify:\n ret = do_server_certificate_reverify(hs);\n break;\n case state_read_server_finished:\n ret = do_read_server_finished(hs);\n break;\n case state_send_end_of_early_data:\n ret = do_send_end_of_early_data(hs);\n break;\n case state_send_client_certificate:\n ret = do_send_client_certificate(hs);\n break;\n case state_send_client_encrypted_extensions:\n ret = do_send_client_encrypted_extensions(hs);\n break;\n case state_send_client_certificate_verify:\n ret = do_send_client_certificate_verify(hs);\n break;\n case state_complete_second_flight:\n ret = do_complete_second_flight(hs);\n break;\n case state_done:\n ret = ssl_hs_ok;\n break;\n }\n\n if (hs->tls13_state != state) {\n ssl_do_info_callback(hs->ssl, SSL_CB_CONNECT_LOOP, 1);\n }\n\n if (ret != ssl_hs_ok) {\n return ret;\n }\n }\n\n return ssl_hs_ok;\n}\n\nconst char *tls13_client_handshake_state(SSL_HANDSHAKE *hs) {\n enum client_hs_state_t state =\n static_cast(hs->tls13_state);\n switch (state) {\n case state_read_hello_retry_request:\n return \"TLS 1.3 client read_hello_retry_request\";\n case state_send_second_client_hello:\n return \"TLS 1.3 client send_second_client_hello\";\n case state_read_server_hello:\n return \"TLS 1.3 client read_server_hello\";\n case state_read_encrypted_extensions:\n return \"TLS 1.3 client read_encrypted_extensions\";\n case state_read_certificate_request:\n return \"TLS 1.3 client read_certificate_request\";\n case state_read_server_certificate:\n return \"TLS 1.3 client read_server_certificate\";\n case state_read_server_certificate_verify:\n return \"TLS 1.3 client read_server_certificate_verify\";\n case state_server_certificate_reverify:\n return \"TLS 1.3 client server_certificate_reverify\";\n case state_read_server_finished:\n return \"TLS 1.3 client read_server_finished\";\n case state_send_end_of_early_data:\n return \"TLS 1.3 client send_end_of_early_data\";\n case state_send_client_encrypted_extensions:\n return \"TLS 1.3 client send_client_encrypted_extensions\";\n case state_send_client_certificate:\n return \"TLS 1.3 client send_client_certificate\";\n case state_send_client_certificate_verify:\n return \"TLS 1.3 client send_client_certificate_verify\";\n case state_complete_second_flight:\n return \"TLS 1.3 client complete_second_flight\";\n case state_done:\n return \"TLS 1.3 client done\";\n }\n\n return \"TLS 1.3 client unknown\";\n}\n\nbool tls13_process_new_session_ticket(SSL *ssl, const SSLMessage &msg) {\n if (ssl->s3->write_shutdown != ssl_shutdown_none) {\n // Ignore tickets on shutdown. Callers tend to indiscriminately call\n // |SSL_shutdown| before destroying an |SSL|, at which point calling the new\n // session callback may be confusing.\n return true;\n }\n\n CBS body = msg.body;\n UniquePtr session = tls13_create_session_with_ticket(ssl, &body);\n if (!session) {\n return false;\n }\n\n if ((ssl->session_ctx->session_cache_mode & SSL_SESS_CACHE_CLIENT) &&\n ssl->session_ctx->new_session_cb != NULL &&\n ssl->session_ctx->new_session_cb(ssl, session.get())) {\n // |new_session_cb|'s return value signals that it took ownership.\n session.release();\n }\n\n return true;\n}\n\nUniquePtr tls13_create_session_with_ticket(SSL *ssl, CBS *body) {\n UniquePtr session = SSL_SESSION_dup(\n ssl->s3->established_session.get(), SSL_SESSION_INCLUDE_NONAUTH);\n if (!session) {\n return nullptr;\n }\n\n ssl_session_rebase_time(ssl, session.get());\n\n uint32_t server_timeout;\n CBS ticket_nonce, ticket, extensions;\n if (!CBS_get_u32(body, &server_timeout) ||\n !CBS_get_u32(body, &session->ticket_age_add) ||\n !CBS_get_u8_length_prefixed(body, &ticket_nonce) ||\n !CBS_get_u16_length_prefixed(body, &ticket) ||\n CBS_len(&ticket) == 0 || //\n !session->ticket.CopyFrom(ticket) ||\n !CBS_get_u16_length_prefixed(body, &extensions) || //\n CBS_len(body) != 0) {\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);\n OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);\n return nullptr;\n }\n\n // Cap the renewable lifetime by the server advertised value. This avoids\n // wasting bandwidth on 0-RTT when we know the server will reject it.\n if (session->timeout > server_timeout) {\n session->timeout = server_timeout;\n }\n\n if (!tls13_derive_session_psk(session.get(), ticket_nonce,\n SSL_is_dtls(ssl))) {\n return nullptr;\n }\n\n SSLExtension early_data(TLSEXT_TYPE_early_data);\n uint8_t alert = SSL_AD_DECODE_ERROR;\n if (!ssl_parse_extensions(&extensions, &alert, {&early_data},\n /*ignore_unknown=*/true)) {\n ssl_send_alert(ssl, SSL3_AL_FATAL, alert);\n return nullptr;\n }\n\n if (early_data.present) {\n if (!CBS_get_u32(&early_data.data, &session->ticket_max_early_data) ||\n CBS_len(&early_data.data) != 0) {\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);\n OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);\n return nullptr;\n }\n\n // QUIC does not use the max_early_data_size parameter and always sets it to\n // a fixed value. See RFC 9001, section 4.6.1.\n if (SSL_is_quic(ssl) && session->ticket_max_early_data != 0xffffffff) {\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);\n OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);\n return nullptr;\n }\n }\n\n // Historically, OpenSSL filled in fake session IDs for ticket-based sessions.\n // Envoy's tests depend on this, although perhaps they shouldn't.\n session->session_id.ResizeForOverwrite(SHA256_DIGEST_LENGTH);\n SHA256(CBS_data(&ticket), CBS_len(&ticket), session->session_id.data());\n\n session->ticket_age_add_valid = true;\n session->not_resumable = false;\n\n return session;\n}\n\nBSSL_NAMESPACE_END\n" }, { "path": "Sources/CNIOBoringSSL/ssl/tls13_enc.cc", "content": "/* Copyright 2016 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n#include \n\n#include \n#include \n\n#include \n#include \n#include \n\n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n\n#include \"../crypto/fipsmodule/tls/internal.h\"\n#include \"../crypto/internal.h\"\n#include \"internal.h\"\n\n\nBSSL_NAMESPACE_BEGIN\n\nstatic bool init_key_schedule(SSL_HANDSHAKE *hs, SSLTranscript *transcript,\n uint16_t version, const SSL_CIPHER *cipher) {\n if (!transcript->InitHash(version, cipher)) {\n return false;\n }\n\n // Initialize the secret to the zero key.\n hs->secret.clear();\n hs->secret.Resize(transcript->DigestLen());\n return true;\n}\n\nstatic bool hkdf_extract_to_secret(SSL_HANDSHAKE *hs,\n const SSLTranscript &transcript,\n Span in) {\n size_t len;\n if (!HKDF_extract(hs->secret.data(), &len, transcript.Digest(), in.data(),\n in.size(), hs->secret.data(), hs->secret.size())) {\n return false;\n }\n assert(len == hs->secret.size());\n return true;\n}\n\nbool tls13_init_key_schedule(SSL_HANDSHAKE *hs, Span psk) {\n if (!init_key_schedule(hs, &hs->transcript, ssl_protocol_version(hs->ssl),\n hs->new_cipher)) {\n return false;\n }\n\n // Handback includes the whole handshake transcript, so we cannot free the\n // transcript buffer in the handback case.\n if (!hs->handback) {\n hs->transcript.FreeBuffer();\n }\n return hkdf_extract_to_secret(hs, hs->transcript, psk);\n}\n\nbool tls13_init_early_key_schedule(SSL_HANDSHAKE *hs,\n const SSL_SESSION *session) {\n assert(!hs->ssl->server);\n // When offering ECH, early data is associated with ClientHelloInner, not\n // ClientHelloOuter.\n SSLTranscript *transcript =\n hs->selected_ech_config ? &hs->inner_transcript : &hs->transcript;\n return init_key_schedule(hs, transcript,\n ssl_session_protocol_version(session),\n session->cipher) &&\n hkdf_extract_to_secret(hs, *transcript, session->secret);\n}\n\nstatic bool hkdf_expand_label_with_prefix(Span out,\n const EVP_MD *digest,\n Span secret,\n std::string_view label_prefix,\n std::string_view label,\n Span hash) {\n // This is a copy of CRYPTO_tls13_hkdf_expand_label, but modified to take an\n // arbitrary prefix for the label instead of using the hardcoded \"tls13 \"\n // prefix.\n CBB cbb, child;\n uint8_t *hkdf_label = NULL;\n size_t hkdf_label_len;\n CBB_zero(&cbb);\n if (!CBB_init(&cbb,\n 2 + 1 + label_prefix.size() + label.size() + 1 + hash.size()) ||\n !CBB_add_u16(&cbb, out.size()) ||\n !CBB_add_u8_length_prefixed(&cbb, &child) ||\n !CBB_add_bytes(&child,\n reinterpret_cast(label_prefix.data()),\n label_prefix.size()) ||\n !CBB_add_bytes(&child, reinterpret_cast(label.data()),\n label.size()) ||\n !CBB_add_u8_length_prefixed(&cbb, &child) ||\n !CBB_add_bytes(&child, hash.data(), hash.size()) ||\n !CBB_finish(&cbb, &hkdf_label, &hkdf_label_len)) {\n CBB_cleanup(&cbb);\n return false;\n }\n\n const int ret = HKDF_expand(out.data(), out.size(), digest, secret.data(),\n secret.size(), hkdf_label, hkdf_label_len);\n OPENSSL_free(hkdf_label);\n return ret == 1;\n}\n\nstatic bool hkdf_expand_label(Span out, const EVP_MD *digest,\n Span secret,\n std::string_view label, Span hash,\n bool is_dtls) {\n if (is_dtls) {\n return hkdf_expand_label_with_prefix(out, digest, secret, \"dtls13\", label,\n hash);\n }\n return CRYPTO_tls13_hkdf_expand_label(\n out.data(), out.size(), digest, secret.data(), secret.size(),\n reinterpret_cast(label.data()), label.size(),\n hash.data(), hash.size()) == 1;\n}\n\nstatic const char kTLS13LabelDerived[] = \"derived\";\n\nbool tls13_advance_key_schedule(SSL_HANDSHAKE *hs, Span in) {\n uint8_t derive_context[EVP_MAX_MD_SIZE];\n unsigned derive_context_len;\n return EVP_Digest(nullptr, 0, derive_context, &derive_context_len,\n hs->transcript.Digest(), nullptr) &&\n hkdf_expand_label(Span(hs->secret), hs->transcript.Digest(),\n hs->secret, kTLS13LabelDerived,\n Span(derive_context, derive_context_len),\n SSL_is_dtls(hs->ssl)) &&\n hkdf_extract_to_secret(hs, hs->transcript, in);\n}\n\n// derive_secret_with_transcript derives a secret of length\n// |transcript.DigestLen()| and writes the result in |out| with the given label,\n// the current base secret, and the state of |transcript|. It returns true on\n// success and false on error.\nstatic bool derive_secret_with_transcript(\n const SSL_HANDSHAKE *hs, InplaceVector *out,\n const SSLTranscript &transcript, std::string_view label) {\n uint8_t context_hash[EVP_MAX_MD_SIZE];\n size_t context_hash_len;\n if (!transcript.GetHash(context_hash, &context_hash_len)) {\n return false;\n }\n\n out->ResizeForOverwrite(transcript.DigestLen());\n return hkdf_expand_label(Span(*out), transcript.Digest(), hs->secret, label,\n Span(context_hash, context_hash_len),\n SSL_is_dtls(hs->ssl));\n}\n\nstatic bool derive_secret(SSL_HANDSHAKE *hs,\n InplaceVector *out,\n std::string_view label) {\n return derive_secret_with_transcript(hs, out, hs->transcript, label);\n}\n\nbool tls13_set_traffic_key(SSL *ssl, enum ssl_encryption_level_t level,\n enum evp_aead_direction_t direction,\n const SSL_SESSION *session,\n Span traffic_secret) {\n uint16_t version = ssl_session_protocol_version(session);\n const EVP_MD *digest = ssl_session_get_digest(session);\n bool is_dtls = SSL_is_dtls(ssl);\n UniquePtr traffic_aead;\n if (SSL_is_quic(ssl)) {\n // Install a placeholder SSLAEADContext so that SSL accessors work. The\n // encryption itself will be handled by the SSL_QUIC_METHOD.\n traffic_aead = SSLAEADContext::CreatePlaceholderForQUIC(session->cipher);\n } else {\n // Look up cipher suite properties.\n const EVP_AEAD *aead;\n size_t discard;\n if (!ssl_cipher_get_evp_aead(&aead, &discard, &discard, session->cipher,\n version)) {\n return false;\n }\n\n // Derive the key and IV.\n uint8_t key_buf[EVP_AEAD_MAX_KEY_LENGTH], iv_buf[EVP_AEAD_MAX_NONCE_LENGTH];\n auto key = Span(key_buf).first(EVP_AEAD_key_length(aead));\n auto iv = Span(iv_buf).first(EVP_AEAD_nonce_length(aead));\n if (!hkdf_expand_label(key, digest, traffic_secret, \"key\", {}, is_dtls) ||\n !hkdf_expand_label(iv, digest, traffic_secret, \"iv\", {}, is_dtls)) {\n return false;\n }\n\n traffic_aead = SSLAEADContext::Create(direction, session->ssl_version,\n session->cipher, key, {}, iv);\n }\n\n if (!traffic_aead) {\n return false;\n }\n\n if (direction == evp_aead_open) {\n if (!ssl->method->set_read_state(ssl, level, std::move(traffic_aead),\n traffic_secret)) {\n return false;\n }\n ssl->s3->read_traffic_secret.CopyFrom(traffic_secret);\n } else {\n if (!ssl->method->set_write_state(ssl, level, std::move(traffic_aead),\n traffic_secret)) {\n return false;\n }\n ssl->s3->write_traffic_secret.CopyFrom(traffic_secret);\n }\n\n return true;\n}\n\nnamespace {\n\nclass AESRecordNumberEncrypter : public RecordNumberEncrypter {\n public:\n bool SetKey(Span key) override {\n return AES_set_encrypt_key(key.data(), key.size() * 8, &key_) == 0;\n }\n\n bool GenerateMask(Span out, Span sample) override {\n if (sample.size() < AES_BLOCK_SIZE || out.size() > AES_BLOCK_SIZE) {\n return false;\n }\n uint8_t mask[AES_BLOCK_SIZE];\n AES_encrypt(sample.data(), mask, &key_);\n OPENSSL_memcpy(out.data(), mask, out.size());\n return true;\n }\n\n private:\n AES_KEY key_;\n};\n\nclass AES128RecordNumberEncrypter : public AESRecordNumberEncrypter {\n public:\n size_t KeySize() override { return 16; }\n};\n\nclass AES256RecordNumberEncrypter : public AESRecordNumberEncrypter {\n public:\n size_t KeySize() override { return 32; }\n};\n\nclass ChaChaRecordNumberEncrypter : public RecordNumberEncrypter {\n public:\n size_t KeySize() override { return kKeySize; }\n\n bool SetKey(Span key) override {\n if (key.size() != kKeySize) {\n return false;\n }\n OPENSSL_memcpy(key_, key.data(), key.size());\n return true;\n }\n\n bool GenerateMask(Span out, Span sample) override {\n // RFC 9147 section 4.2.3 uses the first 4 bytes of the sample as the\n // counter and the next 12 bytes as the nonce. If we have less than 4+12=16\n // bytes in the sample, then we'll read past the end of the |sample| buffer.\n // The counter is interpreted as little-endian per RFC 8439.\n if (sample.size() < 16) {\n return false;\n }\n uint32_t counter = CRYPTO_load_u32_le(sample.data());\n Span nonce = sample.subspan(4);\n OPENSSL_memset(out.data(), 0, out.size());\n CRYPTO_chacha_20(out.data(), out.data(), out.size(), key_, nonce.data(),\n counter);\n return true;\n }\n\n private:\n static constexpr size_t kKeySize = 32;\n uint8_t key_[kKeySize];\n};\n\n#if defined(BORINGSSL_UNSAFE_FUZZER_MODE)\nclass NullRecordNumberEncrypter : public RecordNumberEncrypter {\n public:\n size_t KeySize() override { return 0; }\n bool SetKey(Span key) override { return true; }\n bool GenerateMask(Span out, Span sample) override {\n OPENSSL_memset(out.data(), 0, out.size());\n return true;\n }\n};\n#endif // BORINGSSL_UNSAFE_FUZZER_MODE\n\n} // namespace\n\nUniquePtr RecordNumberEncrypter::Create(\n const SSL_CIPHER *cipher, Span traffic_secret) {\n const EVP_MD *digest = ssl_get_handshake_digest(TLS1_3_VERSION, cipher);\n UniquePtr ret;\n#if defined(BORINGSSL_UNSAFE_FUZZER_MODE)\n ret = MakeUnique();\n#else\n if (cipher->algorithm_enc == SSL_AES128GCM) {\n ret = MakeUnique();\n } else if (cipher->algorithm_enc == SSL_AES256GCM) {\n ret = MakeUnique();\n } else if (cipher->algorithm_enc == SSL_CHACHA20POLY1305) {\n ret = MakeUnique();\n } else {\n OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);\n }\n#endif // BORINGSSL_UNSAFE_FUZZER_MODE\n if (ret == nullptr) {\n return nullptr;\n }\n\n uint8_t rne_key_buf[RecordNumberEncrypter::kMaxKeySize];\n auto rne_key = Span(rne_key_buf).first(ret->KeySize());\n if (!hkdf_expand_label(rne_key, digest, traffic_secret, \"sn\", {},\n /*is_dtls=*/true) ||\n !ret->SetKey(rne_key)) {\n return nullptr;\n }\n return ret;\n}\n\nstatic const char kTLS13LabelExporter[] = \"exp master\";\n\nstatic const char kTLS13LabelClientEarlyTraffic[] = \"c e traffic\";\nstatic const char kTLS13LabelClientHandshakeTraffic[] = \"c hs traffic\";\nstatic const char kTLS13LabelServerHandshakeTraffic[] = \"s hs traffic\";\nstatic const char kTLS13LabelClientApplicationTraffic[] = \"c ap traffic\";\nstatic const char kTLS13LabelServerApplicationTraffic[] = \"s ap traffic\";\n\nbool tls13_derive_early_secret(SSL_HANDSHAKE *hs) {\n SSL *const ssl = hs->ssl;\n // When offering ECH on the client, early data is associated with\n // ClientHelloInner, not ClientHelloOuter.\n const SSLTranscript &transcript = (!ssl->server && hs->selected_ech_config)\n ? hs->inner_transcript\n : hs->transcript;\n if (!derive_secret_with_transcript(hs, &hs->early_traffic_secret, transcript,\n kTLS13LabelClientEarlyTraffic) ||\n !ssl_log_secret(ssl, \"CLIENT_EARLY_TRAFFIC_SECRET\",\n hs->early_traffic_secret)) {\n return false;\n }\n return true;\n}\n\nbool tls13_derive_handshake_secrets(SSL_HANDSHAKE *hs) {\n SSL *const ssl = hs->ssl;\n if (!derive_secret(hs, &hs->client_handshake_secret,\n kTLS13LabelClientHandshakeTraffic) ||\n !ssl_log_secret(ssl, \"CLIENT_HANDSHAKE_TRAFFIC_SECRET\",\n hs->client_handshake_secret) ||\n !derive_secret(hs, &hs->server_handshake_secret,\n kTLS13LabelServerHandshakeTraffic) ||\n !ssl_log_secret(ssl, \"SERVER_HANDSHAKE_TRAFFIC_SECRET\",\n hs->server_handshake_secret)) {\n return false;\n }\n\n return true;\n}\n\nbool tls13_derive_application_secrets(SSL_HANDSHAKE *hs) {\n SSL *const ssl = hs->ssl;\n if (!derive_secret(hs, &hs->client_traffic_secret_0,\n kTLS13LabelClientApplicationTraffic) ||\n !ssl_log_secret(ssl, \"CLIENT_TRAFFIC_SECRET_0\",\n hs->client_traffic_secret_0) ||\n !derive_secret(hs, &hs->server_traffic_secret_0,\n kTLS13LabelServerApplicationTraffic) ||\n !ssl_log_secret(ssl, \"SERVER_TRAFFIC_SECRET_0\",\n hs->server_traffic_secret_0) ||\n !derive_secret(hs, &ssl->s3->exporter_secret, kTLS13LabelExporter) ||\n !ssl_log_secret(ssl, \"EXPORTER_SECRET\", ssl->s3->exporter_secret)) {\n return false;\n }\n\n return true;\n}\n\nstatic const char kTLS13LabelApplicationTraffic[] = \"traffic upd\";\n\nbool tls13_rotate_traffic_key(SSL *ssl, enum evp_aead_direction_t direction) {\n Span secret = direction == evp_aead_open\n ? Span(ssl->s3->read_traffic_secret)\n : Span(ssl->s3->write_traffic_secret);\n\n const SSL_SESSION *session = SSL_get_session(ssl);\n const EVP_MD *digest = ssl_session_get_digest(session);\n return hkdf_expand_label(secret, digest, secret,\n kTLS13LabelApplicationTraffic, {},\n SSL_is_dtls(ssl)) &&\n tls13_set_traffic_key(ssl, ssl_encryption_application, direction,\n session, secret);\n}\n\nstatic const char kTLS13LabelResumption[] = \"res master\";\n\nbool tls13_derive_resumption_secret(SSL_HANDSHAKE *hs) {\n return derive_secret(hs, &hs->new_session->secret, kTLS13LabelResumption);\n}\n\nstatic const char kTLS13LabelFinished[] = \"finished\";\n\n// tls13_verify_data sets |out| to be the HMAC of |context| using a derived\n// Finished key for both Finished messages and the PSK binder. |out| must have\n// space available for |EVP_MAX_MD_SIZE| bytes.\nstatic bool tls13_verify_data(uint8_t *out, size_t *out_len,\n const EVP_MD *digest, uint16_t version,\n Span secret,\n Span context, bool is_dtls) {\n uint8_t key_buf[EVP_MAX_MD_SIZE];\n auto key = Span(key_buf, EVP_MD_size(digest));\n unsigned len;\n if (!hkdf_expand_label(key, digest, secret, kTLS13LabelFinished, {},\n is_dtls) ||\n HMAC(digest, key.data(), key.size(), context.data(), context.size(), out,\n &len) == nullptr) {\n return false;\n }\n *out_len = len;\n return true;\n}\n\nbool tls13_finished_mac(SSL_HANDSHAKE *hs, uint8_t *out, size_t *out_len,\n bool is_server) {\n Span traffic_secret =\n is_server ? hs->server_handshake_secret : hs->client_handshake_secret;\n\n uint8_t context_hash[EVP_MAX_MD_SIZE];\n size_t context_hash_len;\n if (!hs->transcript.GetHash(context_hash, &context_hash_len) ||\n !tls13_verify_data(out, out_len, hs->transcript.Digest(),\n hs->ssl->s3->version, traffic_secret,\n Span(context_hash, context_hash_len),\n SSL_is_dtls(hs->ssl))) {\n return false;\n }\n return true;\n}\n\nstatic const char kTLS13LabelResumptionPSK[] = \"resumption\";\n\nbool tls13_derive_session_psk(SSL_SESSION *session, Span nonce,\n bool is_dtls) {\n const EVP_MD *digest = ssl_session_get_digest(session);\n // The session initially stores the resumption_master_secret, which we\n // override with the PSK.\n assert(session->secret.size() == EVP_MD_size(digest));\n return hkdf_expand_label(Span(session->secret), digest, session->secret,\n kTLS13LabelResumptionPSK, nonce, is_dtls);\n}\n\nstatic const char kTLS13LabelExportKeying[] = \"exporter\";\n\nbool tls13_export_keying_material(SSL *ssl, Span out,\n Span secret,\n std::string_view label,\n Span context) {\n if (secret.empty()) {\n assert(0);\n OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);\n return false;\n }\n\n const EVP_MD *digest = ssl_session_get_digest(SSL_get_session(ssl));\n\n uint8_t hash_buf[EVP_MAX_MD_SIZE];\n uint8_t export_context_buf[EVP_MAX_MD_SIZE];\n unsigned hash_len;\n unsigned export_context_len;\n if (!EVP_Digest(context.data(), context.size(), hash_buf, &hash_len, digest,\n nullptr) ||\n !EVP_Digest(nullptr, 0, export_context_buf, &export_context_len, digest,\n nullptr)) {\n return false;\n }\n\n auto hash = Span(hash_buf, hash_len);\n auto export_context = Span(export_context_buf, export_context_len);\n uint8_t derived_secret_buf[EVP_MAX_MD_SIZE];\n auto derived_secret = Span(derived_secret_buf, EVP_MD_size(digest));\n return hkdf_expand_label(derived_secret, digest, secret, label,\n export_context, SSL_is_dtls(ssl)) &&\n hkdf_expand_label(out, digest, derived_secret, kTLS13LabelExportKeying,\n hash, SSL_is_dtls(ssl));\n}\n\nstatic const char kTLS13LabelPSKBinder[] = \"res binder\";\n\nstatic bool tls13_psk_binder(uint8_t *out, size_t *out_len,\n const SSL_SESSION *session,\n const SSLTranscript &transcript,\n Span client_hello,\n size_t binders_len, bool is_dtls) {\n const EVP_MD *digest = ssl_session_get_digest(session);\n\n // Compute the binder key.\n //\n // TODO(davidben): Ideally we wouldn't recompute early secret and the binder\n // key each time.\n uint8_t binder_context[EVP_MAX_MD_SIZE];\n unsigned binder_context_len;\n uint8_t early_secret[EVP_MAX_MD_SIZE] = {0};\n size_t early_secret_len;\n uint8_t binder_key_buf[EVP_MAX_MD_SIZE] = {0};\n auto binder_key = Span(binder_key_buf, EVP_MD_size(digest));\n if (!EVP_Digest(nullptr, 0, binder_context, &binder_context_len, digest,\n nullptr) ||\n !HKDF_extract(early_secret, &early_secret_len, digest,\n session->secret.data(), session->secret.size(), nullptr,\n 0) ||\n !hkdf_expand_label(binder_key, digest,\n Span(early_secret, early_secret_len),\n kTLS13LabelPSKBinder,\n Span(binder_context, binder_context_len), is_dtls)) {\n return false;\n }\n\n // Hash the transcript and truncated ClientHello.\n if (client_hello.size() < binders_len) {\n OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);\n return false;\n }\n auto truncated = client_hello.subspan(0, client_hello.size() - binders_len);\n uint8_t context[EVP_MAX_MD_SIZE];\n unsigned context_len;\n ScopedEVP_MD_CTX ctx;\n if (!is_dtls) {\n if (!transcript.CopyToHashContext(ctx.get(), digest) ||\n !EVP_DigestUpdate(ctx.get(), truncated.data(), truncated.size()) ||\n !EVP_DigestFinal_ex(ctx.get(), context, &context_len)) {\n return false;\n }\n } else {\n // In DTLS 1.3, the transcript hash is computed over only the TLS 1.3\n // handshake messages (i.e. only type and length in the header), not the\n // full DTLSHandshake messages that are in |truncated|. This code pulls\n // the header and body out of the truncated ClientHello and writes those\n // to the hash context so the correct binder value is computed.\n if (truncated.size() < DTLS1_HM_HEADER_LENGTH) {\n return false;\n }\n auto header = truncated.subspan(0, 4);\n auto body = truncated.subspan(12);\n if (!transcript.CopyToHashContext(ctx.get(), digest) ||\n !EVP_DigestUpdate(ctx.get(), header.data(), header.size()) ||\n !EVP_DigestUpdate(ctx.get(), body.data(), body.size()) ||\n !EVP_DigestFinal_ex(ctx.get(), context, &context_len)) {\n return false;\n }\n }\n\n if (!tls13_verify_data(out, out_len, digest, session->ssl_version, binder_key,\n Span(context, context_len), is_dtls)) {\n return false;\n }\n\n assert(*out_len == EVP_MD_size(digest));\n return true;\n}\n\nbool tls13_write_psk_binder(const SSL_HANDSHAKE *hs,\n const SSLTranscript &transcript, Span msg,\n size_t *out_binder_len) {\n const SSL *const ssl = hs->ssl;\n const EVP_MD *digest = ssl_session_get_digest(ssl->session.get());\n const size_t hash_len = EVP_MD_size(digest);\n // We only offer one PSK, so the binders are a u16 and u8 length\n // prefix, followed by the binder. The caller is assumed to have constructed\n // |msg| with placeholder binders.\n const size_t binders_len = 3 + hash_len;\n uint8_t verify_data[EVP_MAX_MD_SIZE];\n size_t verify_data_len;\n if (!tls13_psk_binder(verify_data, &verify_data_len, ssl->session.get(),\n transcript, msg, binders_len, SSL_is_dtls(hs->ssl)) ||\n verify_data_len != hash_len) {\n OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);\n return false;\n }\n\n auto msg_binder = msg.last(verify_data_len);\n OPENSSL_memcpy(msg_binder.data(), verify_data, verify_data_len);\n if (out_binder_len != nullptr) {\n *out_binder_len = verify_data_len;\n }\n return true;\n}\n\nbool tls13_verify_psk_binder(const SSL_HANDSHAKE *hs,\n const SSL_SESSION *session, const SSLMessage &msg,\n CBS *binders) {\n uint8_t verify_data[EVP_MAX_MD_SIZE];\n size_t verify_data_len;\n CBS binder;\n // The binders are computed over |msg| with |binders| and its u16 length\n // prefix removed. The caller is assumed to have parsed |msg|, extracted\n // |binders|, and verified the PSK extension is last.\n if (!tls13_psk_binder(verify_data, &verify_data_len, session, hs->transcript,\n msg.raw, 2 + CBS_len(binders), SSL_is_dtls(hs->ssl)) ||\n // We only consider the first PSK, so compare against the first binder.\n !CBS_get_u8_length_prefixed(binders, &binder)) {\n OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);\n return false;\n }\n\n bool binder_ok =\n CBS_len(&binder) == verify_data_len &&\n CRYPTO_memcmp(CBS_data(&binder), verify_data, verify_data_len) == 0;\n#if defined(BORINGSSL_UNSAFE_FUZZER_MODE)\n binder_ok = true;\n#endif\n if (!binder_ok) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_DIGEST_CHECK_FAILED);\n return false;\n }\n\n return true;\n}\n\nsize_t ssl_ech_confirmation_signal_hello_offset(const SSL *ssl) {\n static_assert(ECH_CONFIRMATION_SIGNAL_LEN < SSL3_RANDOM_SIZE,\n \"the confirmation signal is a suffix of the random\");\n const size_t header_len =\n SSL_is_dtls(ssl) ? DTLS1_HM_HEADER_LENGTH : SSL3_HM_HEADER_LENGTH;\n return header_len + 2 /* version */ + SSL3_RANDOM_SIZE -\n ECH_CONFIRMATION_SIGNAL_LEN;\n}\n\nbool ssl_ech_accept_confirmation(const SSL_HANDSHAKE *hs, Span out,\n Span client_random,\n const SSLTranscript &transcript, bool is_hrr,\n Span msg, size_t offset) {\n // See draft-ietf-tls-esni-13, sections 7.2 and 7.2.1.\n static const uint8_t kZeros[EVP_MAX_MD_SIZE] = {0};\n\n // We hash |msg|, with bytes from |offset| zeroed.\n if (msg.size() < offset + ECH_CONFIRMATION_SIGNAL_LEN) {\n OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);\n return false;\n }\n\n // We represent DTLS messages with the longer DTLS 1.2 header, but DTLS 1.3\n // removes the extra fields from the transcript.\n auto header = msg.subspan(0, SSL3_HM_HEADER_LENGTH);\n size_t full_header_len =\n SSL_is_dtls(hs->ssl) ? DTLS1_HM_HEADER_LENGTH : SSL3_HM_HEADER_LENGTH;\n auto before_zeros = msg.subspan(full_header_len, offset - full_header_len);\n auto after_zeros = msg.subspan(offset + ECH_CONFIRMATION_SIGNAL_LEN);\n\n uint8_t context[EVP_MAX_MD_SIZE];\n unsigned context_len;\n ScopedEVP_MD_CTX ctx;\n if (!transcript.CopyToHashContext(ctx.get(), transcript.Digest()) ||\n !EVP_DigestUpdate(ctx.get(), header.data(), header.size()) ||\n !EVP_DigestUpdate(ctx.get(), before_zeros.data(), before_zeros.size()) ||\n !EVP_DigestUpdate(ctx.get(), kZeros, ECH_CONFIRMATION_SIGNAL_LEN) ||\n !EVP_DigestUpdate(ctx.get(), after_zeros.data(), after_zeros.size()) ||\n !EVP_DigestFinal_ex(ctx.get(), context, &context_len)) {\n return false;\n }\n\n uint8_t secret[EVP_MAX_MD_SIZE];\n size_t secret_len;\n if (!HKDF_extract(secret, &secret_len, transcript.Digest(),\n client_random.data(), client_random.size(), kZeros,\n transcript.DigestLen())) {\n return false;\n }\n\n assert(out.size() == ECH_CONFIRMATION_SIGNAL_LEN);\n return hkdf_expand_label(\n out, transcript.Digest(), Span(secret, secret_len),\n is_hrr ? \"hrr ech accept confirmation\" : \"ech accept confirmation\",\n Span(context, context_len), SSL_is_dtls(hs->ssl));\n}\n\nBSSL_NAMESPACE_END\n" }, { "path": "Sources/CNIOBoringSSL/ssl/tls13_server.cc", "content": "/* Copyright 2016 The BoringSSL Authors\n *\n * Permission to use, copy, modify, and/or distribute this software for any\n * purpose with or without fee is hereby granted, provided that the above\n * copyright notice and this permission notice appear in all copies.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\" AND THE AUTHOR DISCLAIMS ALL WARRANTIES\n * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF\n * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY\n * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES\n * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION\n * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n\n#include \n\n#include \n#include \n\n#include \n#include \n\n#include \n#include \n#include \n#include \n#include \n#include \n#include \n#include \n\n#include \"../crypto/internal.h\"\n#include \"internal.h\"\n\n\nBSSL_NAMESPACE_BEGIN\n\nstatic const uint8_t kZeroes[EVP_MAX_MD_SIZE] = {0};\n\n// Allow a minute of ticket age skew in either direction. This covers\n// transmission delays in ClientHello and NewSessionTicket, as well as\n// drift between client and server clock rate since the ticket was issued.\n// See RFC 8446, section 8.3.\nstatic const int32_t kMaxTicketAgeSkewSeconds = 60;\n\nstatic bool resolve_ecdhe_secret(SSL_HANDSHAKE *hs,\n const SSL_CLIENT_HELLO *client_hello) {\n SSL *const ssl = hs->ssl;\n const uint16_t group_id = hs->new_session->group_id;\n\n bool found_key_share;\n Span peer_key;\n uint8_t alert = SSL_AD_DECODE_ERROR;\n if (!ssl_ext_key_share_parse_clienthello(hs, &found_key_share, &peer_key,\n &alert, client_hello)) {\n ssl_send_alert(ssl, SSL3_AL_FATAL, alert);\n return false;\n }\n\n if (!found_key_share) {\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);\n OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CURVE);\n return false;\n }\n\n Array secret;\n SSL_HANDSHAKE_HINTS *const hints = hs->hints.get();\n if (hints && !hs->hints_requested && hints->key_share_group_id == group_id &&\n !hints->key_share_secret.empty()) {\n // Copy the key_share secret from hints.\n if (!hs->key_share_ciphertext.CopyFrom(hints->key_share_ciphertext) ||\n !secret.CopyFrom(hints->key_share_secret)) {\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);\n return false;\n }\n } else {\n ScopedCBB ciphertext;\n UniquePtr key_share = SSLKeyShare::Create(group_id);\n if (!key_share || //\n !CBB_init(ciphertext.get(), 32) ||\n !key_share->Encap(ciphertext.get(), &secret, &alert, peer_key) ||\n !CBBFinishArray(ciphertext.get(), &hs->key_share_ciphertext)) {\n ssl_send_alert(ssl, SSL3_AL_FATAL, alert);\n return false;\n }\n if (hints && hs->hints_requested) {\n hints->key_share_group_id = group_id;\n if (!hints->key_share_ciphertext.CopyFrom(hs->key_share_ciphertext) ||\n !hints->key_share_secret.CopyFrom(secret)) {\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);\n return false;\n }\n }\n }\n\n return tls13_advance_key_schedule(hs, secret);\n}\n\nstatic int ssl_ext_supported_versions_add_serverhello(SSL_HANDSHAKE *hs,\n CBB *out) {\n CBB contents;\n if (!CBB_add_u16(out, TLSEXT_TYPE_supported_versions) || //\n !CBB_add_u16_length_prefixed(out, &contents) || //\n !CBB_add_u16(&contents, hs->ssl->s3->version) || //\n !CBB_flush(out)) {\n return 0;\n }\n\n return 1;\n}\n\nstatic const SSL_CIPHER *choose_tls13_cipher(\n const SSL *ssl, const SSL_CLIENT_HELLO *client_hello) {\n CBS cipher_suites;\n CBS_init(&cipher_suites, client_hello->cipher_suites,\n client_hello->cipher_suites_len);\n\n const uint16_t version = ssl_protocol_version(ssl);\n\n return ssl_choose_tls13_cipher(cipher_suites,\n ssl->config->aes_hw_override\n ? ssl->config->aes_hw_override_value\n : EVP_has_aes_hardware(),\n version, ssl->config->compliance_policy);\n}\n\nstatic bool add_new_session_tickets(SSL_HANDSHAKE *hs, bool *out_sent_tickets) {\n SSL *const ssl = hs->ssl;\n if ( // If the client doesn't accept resumption with PSK_DHE_KE, don't send a\n // session ticket.\n !hs->accept_psk_mode ||\n // We only implement stateless resumption in TLS 1.3, so skip sending\n // tickets if disabled.\n (SSL_get_options(ssl) & SSL_OP_NO_TICKET)) {\n *out_sent_tickets = false;\n return true;\n }\n\n // Rebase the session timestamp so that it is measured from ticket\n // issuance.\n ssl_session_rebase_time(ssl, hs->new_session.get());\n\n assert(ssl->session_ctx->num_tickets <= kMaxTickets);\n bool sent_tickets = false;\n for (size_t i = 0; i < ssl->session_ctx->num_tickets; i++) {\n UniquePtr session(\n SSL_SESSION_dup(hs->new_session.get(), SSL_SESSION_INCLUDE_NONAUTH));\n if (!session) {\n return false;\n }\n\n if (!RAND_bytes((uint8_t *)&session->ticket_age_add, 4)) {\n return false;\n }\n session->ticket_age_add_valid = true;\n // TODO(crbug.com/381113363): Remove the SSL_is_dtls check once we support\n // 0-RTT for DTLS 1.3.\n bool enable_early_data =\n ssl->enable_early_data &&\n (!SSL_is_quic(ssl) || !ssl->config->quic_early_data_context.empty()) &&\n !SSL_is_dtls(ssl);\n if (enable_early_data) {\n // QUIC does not use the max_early_data_size parameter and always sets it\n // to a fixed value. See RFC 9001, section 4.6.1.\n session->ticket_max_early_data =\n SSL_is_quic(ssl) ? 0xffffffff : kMaxEarlyDataAccepted;\n }\n\n static_assert(kMaxTickets < 256, \"Too many tickets\");\n assert(i < 256);\n uint8_t nonce[] = {static_cast(i)};\n\n ScopedCBB cbb;\n CBB body, nonce_cbb, ticket, extensions;\n if (!ssl->method->init_message(ssl, cbb.get(), &body,\n SSL3_MT_NEW_SESSION_TICKET) ||\n !CBB_add_u32(&body, session->timeout) ||\n !CBB_add_u32(&body, session->ticket_age_add) ||\n !CBB_add_u8_length_prefixed(&body, &nonce_cbb) ||\n !CBB_add_bytes(&nonce_cbb, nonce, sizeof(nonce)) ||\n !tls13_derive_session_psk(session.get(), nonce, SSL_is_dtls(ssl)) ||\n !CBB_add_u16_length_prefixed(&body, &ticket) ||\n !ssl_encrypt_ticket(hs, &ticket, session.get())) {\n return false;\n }\n\n if (CBB_len(&ticket) == 0) {\n // The caller decided not to encrypt a ticket. Skip the message.\n continue;\n }\n\n if (!CBB_add_u16_length_prefixed(&body, &extensions)) {\n return false;\n }\n\n if (enable_early_data) {\n CBB early_data;\n if (!CBB_add_u16(&extensions, TLSEXT_TYPE_early_data) ||\n !CBB_add_u16_length_prefixed(&extensions, &early_data) ||\n !CBB_add_u32(&early_data, session->ticket_max_early_data) ||\n !CBB_flush(&extensions)) {\n return false;\n }\n }\n\n // Add a fake extension. See RFC 8701.\n if (!CBB_add_u16(&extensions,\n ssl_get_grease_value(hs, ssl_grease_ticket_extension)) ||\n !CBB_add_u16(&extensions, 0 /* empty */)) {\n return false;\n }\n\n if (!ssl_add_message_cbb(ssl, cbb.get())) {\n return false;\n }\n sent_tickets = true;\n }\n\n *out_sent_tickets = sent_tickets;\n return true;\n}\n\nstatic bool check_credential(SSL_HANDSHAKE *hs, const SSL_CREDENTIAL *cred,\n uint16_t *out_sigalg) {\n switch (cred->type) {\n case SSLCredentialType::kX509:\n break;\n case SSLCredentialType::kDelegated:\n // Check that the peer supports the signature over the delegated\n // credential.\n if (std::find(hs->peer_sigalgs.begin(), hs->peer_sigalgs.end(),\n cred->dc_algorithm) == hs->peer_sigalgs.end()) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_NO_COMMON_SIGNATURE_ALGORITHMS);\n return false;\n }\n break;\n }\n\n // All currently supported credentials require a signature. If |cred| is a\n // delegated credential, this also checks that the peer supports delegated\n // credentials and matched |dc_cert_verify_algorithm|.\n if (!tls1_choose_signature_algorithm(hs, cred, out_sigalg)) {\n return false;\n }\n // Use this credential if it either matches a requested issuer,\n // or does not require issuer matching.\n return ssl_credential_matches_requested_issuers(hs, cred);\n}\n\nstatic enum ssl_hs_wait_t do_select_parameters(SSL_HANDSHAKE *hs) {\n // At this point, most ClientHello extensions have already been processed by\n // the common handshake logic. Resolve the remaining non-PSK parameters.\n SSL *const ssl = hs->ssl;\n SSLMessage msg;\n SSL_CLIENT_HELLO client_hello;\n if (!hs->GetClientHello(&msg, &client_hello)) {\n return ssl_hs_error;\n }\n\n if (SSL_is_quic(ssl) && client_hello.session_id_len > 0) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_COMPATIBILITY_MODE);\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);\n return ssl_hs_error;\n }\n // DTLS 1.3 disables compatibility mode, and even if the client advertised a\n // session ID (for resumption in DTLS 1.2), the server \"MUST NOT echo the\n // 'legacy_session_id' value from the client\" (RFC 9147, section 5) as it\n // would in a TLS 1.3 handshake.\n if (!SSL_is_dtls(ssl)) {\n hs->session_id.CopyFrom(\n Span(client_hello.session_id, client_hello.session_id_len));\n }\n\n Array creds;\n if (!ssl_get_credential_list(hs, &creds)) {\n return ssl_hs_error;\n }\n if (creds.empty()) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_NO_CERTIFICATE_SET);\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);\n return ssl_hs_error;\n }\n\n // Select the credential to use.\n for (SSL_CREDENTIAL *cred : creds) {\n ERR_clear_error();\n uint16_t sigalg;\n if (check_credential(hs, cred, &sigalg)) {\n hs->credential = UpRef(cred);\n hs->signature_algorithm = sigalg;\n break;\n }\n }\n if (hs->credential == nullptr) {\n // The error from the last attempt is in the error queue.\n assert(ERR_peek_error() != 0);\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);\n return ssl_hs_error;\n }\n\n // Negotiate the cipher suite.\n hs->new_cipher = choose_tls13_cipher(ssl, &client_hello);\n if (hs->new_cipher == NULL) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_NO_SHARED_CIPHER);\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);\n return ssl_hs_error;\n }\n\n // HTTP/2 negotiation depends on the cipher suite, so ALPN negotiation was\n // deferred. Complete it now.\n uint8_t alert = SSL_AD_DECODE_ERROR;\n if (!ssl_negotiate_alpn(hs, &alert, &client_hello)) {\n ssl_send_alert(ssl, SSL3_AL_FATAL, alert);\n return ssl_hs_error;\n }\n\n // The PRF hash is now known.\n if (!hs->transcript.InitHash(ssl_protocol_version(ssl), hs->new_cipher)) {\n return ssl_hs_error;\n }\n\n hs->tls13_state = state13_select_session;\n return ssl_hs_ok;\n}\n\nstatic enum ssl_ticket_aead_result_t select_session(\n SSL_HANDSHAKE *hs, uint8_t *out_alert, UniquePtr *out_session,\n int32_t *out_ticket_age_skew, bool *out_offered_ticket,\n const SSLMessage &msg, const SSL_CLIENT_HELLO *client_hello) {\n SSL *const ssl = hs->ssl;\n *out_session = nullptr;\n\n CBS pre_shared_key;\n *out_offered_ticket = ssl_client_hello_get_extension(\n client_hello, &pre_shared_key, TLSEXT_TYPE_pre_shared_key);\n if (!*out_offered_ticket) {\n return ssl_ticket_aead_ignore_ticket;\n }\n\n // Per RFC 8446, section 4.2.9, servers MUST abort the handshake if the client\n // sends pre_shared_key without psk_key_exchange_modes.\n CBS unused;\n if (!ssl_client_hello_get_extension(client_hello, &unused,\n TLSEXT_TYPE_psk_key_exchange_modes)) {\n *out_alert = SSL_AD_MISSING_EXTENSION;\n OPENSSL_PUT_ERROR(SSL, SSL_R_MISSING_EXTENSION);\n return ssl_ticket_aead_error;\n }\n\n CBS ticket, binders;\n uint32_t client_ticket_age;\n if (!ssl_ext_pre_shared_key_parse_clienthello(\n hs, &ticket, &binders, &client_ticket_age, out_alert, client_hello,\n &pre_shared_key)) {\n return ssl_ticket_aead_error;\n }\n\n // If the peer did not offer psk_dhe, ignore the resumption.\n if (!hs->accept_psk_mode) {\n return ssl_ticket_aead_ignore_ticket;\n }\n\n // TLS 1.3 session tickets are renewed separately as part of the\n // NewSessionTicket.\n bool unused_renew;\n UniquePtr session;\n enum ssl_ticket_aead_result_t ret =\n ssl_process_ticket(hs, &session, &unused_renew, ticket, {});\n switch (ret) {\n case ssl_ticket_aead_success:\n break;\n case ssl_ticket_aead_error:\n *out_alert = SSL_AD_INTERNAL_ERROR;\n return ret;\n default:\n return ret;\n }\n\n if (!ssl_session_is_resumable(hs, session.get()) ||\n // Historically, some TLS 1.3 tickets were missing ticket_age_add.\n !session->ticket_age_add_valid) {\n return ssl_ticket_aead_ignore_ticket;\n }\n\n // Recover the client ticket age and convert to seconds.\n client_ticket_age -= session->ticket_age_add;\n client_ticket_age /= 1000;\n\n OPENSSL_timeval now = ssl_ctx_get_current_time(ssl->ctx.get());\n\n // Compute the server ticket age in seconds.\n assert(now.tv_sec >= session->time);\n uint64_t server_ticket_age = now.tv_sec - session->time;\n\n // To avoid overflowing |hs->ticket_age_skew|, we will not resume\n // 68-year-old sessions.\n if (server_ticket_age > INT32_MAX) {\n return ssl_ticket_aead_ignore_ticket;\n }\n\n *out_ticket_age_skew = static_cast(client_ticket_age) -\n static_cast(server_ticket_age);\n\n // Check the PSK binder.\n if (!tls13_verify_psk_binder(hs, session.get(), msg, &binders)) {\n *out_alert = SSL_AD_DECRYPT_ERROR;\n return ssl_ticket_aead_error;\n }\n\n *out_session = std::move(session);\n return ssl_ticket_aead_success;\n}\n\nstatic bool quic_ticket_compatible(const SSL_SESSION *session,\n const SSL_CONFIG *config) {\n if (!session->is_quic) {\n return true;\n }\n\n if (session->quic_early_data_context.empty() ||\n config->quic_early_data_context.size() !=\n session->quic_early_data_context.size() ||\n CRYPTO_memcmp(config->quic_early_data_context.data(),\n session->quic_early_data_context.data(),\n session->quic_early_data_context.size()) != 0) {\n return false;\n }\n return true;\n}\n\nstatic enum ssl_hs_wait_t do_select_session(SSL_HANDSHAKE *hs) {\n SSL *const ssl = hs->ssl;\n SSLMessage msg;\n SSL_CLIENT_HELLO client_hello;\n if (!hs->GetClientHello(&msg, &client_hello)) {\n return ssl_hs_error;\n }\n\n uint8_t alert = SSL_AD_DECODE_ERROR;\n UniquePtr session;\n bool offered_ticket = false;\n switch (select_session(hs, &alert, &session, &ssl->s3->ticket_age_skew,\n &offered_ticket, msg, &client_hello)) {\n case ssl_ticket_aead_ignore_ticket:\n assert(!session);\n if (!ssl_get_new_session(hs)) {\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);\n return ssl_hs_error;\n }\n break;\n\n case ssl_ticket_aead_success:\n // Carry over authentication information from the previous handshake into\n // a fresh session.\n hs->new_session =\n SSL_SESSION_dup(session.get(), SSL_SESSION_DUP_AUTH_ONLY);\n if (hs->new_session == nullptr) {\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);\n return ssl_hs_error;\n }\n\n ssl->s3->session_reused = true;\n hs->can_release_private_key = true;\n\n // Resumption incorporates fresh key material, so refresh the timeout.\n ssl_session_renew_timeout(ssl, hs->new_session.get(),\n ssl->session_ctx->session_psk_dhe_timeout);\n break;\n\n case ssl_ticket_aead_error:\n ssl_send_alert(ssl, SSL3_AL_FATAL, alert);\n return ssl_hs_error;\n\n case ssl_ticket_aead_retry:\n hs->tls13_state = state13_select_session;\n return ssl_hs_pending_ticket;\n }\n\n // Negotiate ALPS now, after ALPN is negotiated and |hs->new_session| is\n // initialized.\n if (!ssl_negotiate_alps(hs, &alert, &client_hello)) {\n ssl_send_alert(ssl, SSL3_AL_FATAL, alert);\n return ssl_hs_error;\n }\n\n // Record connection properties in the new session.\n hs->new_session->cipher = hs->new_cipher;\n if (!tls1_get_shared_group(hs, &hs->new_session->group_id)) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_NO_SHARED_GROUP);\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);\n return ssl_hs_error;\n }\n\n // Determine if we need HelloRetryRequest.\n bool found_key_share;\n if (!ssl_ext_key_share_parse_clienthello(hs, &found_key_share,\n /*out_key_share=*/nullptr, &alert,\n &client_hello)) {\n ssl_send_alert(ssl, SSL3_AL_FATAL, alert);\n return ssl_hs_error;\n }\n\n // Determine if we're negotiating 0-RTT.\n if (!ssl->enable_early_data) {\n ssl->s3->early_data_reason = ssl_early_data_disabled;\n } else if (!offered_ticket) {\n ssl->s3->early_data_reason = ssl_early_data_no_session_offered;\n } else if (!session) {\n ssl->s3->early_data_reason = ssl_early_data_session_not_resumed;\n } else if (session->ticket_max_early_data == 0) {\n ssl->s3->early_data_reason = ssl_early_data_unsupported_for_session;\n } else if (!hs->early_data_offered) {\n ssl->s3->early_data_reason = ssl_early_data_peer_declined;\n } else if (hs->channel_id_negotiated) {\n // Channel ID is incompatible with 0-RTT.\n ssl->s3->early_data_reason = ssl_early_data_channel_id;\n } else if (Span(ssl->s3->alpn_selected) != session->early_alpn) {\n // The negotiated ALPN must match the one in the ticket.\n ssl->s3->early_data_reason = ssl_early_data_alpn_mismatch;\n } else if (hs->new_session->has_application_settings !=\n session->has_application_settings ||\n Span(hs->new_session->local_application_settings) !=\n session->local_application_settings) {\n ssl->s3->early_data_reason = ssl_early_data_alps_mismatch;\n } else if (ssl->s3->ticket_age_skew < -kMaxTicketAgeSkewSeconds ||\n kMaxTicketAgeSkewSeconds < ssl->s3->ticket_age_skew) {\n ssl->s3->early_data_reason = ssl_early_data_ticket_age_skew;\n } else if (!quic_ticket_compatible(session.get(), hs->config)) {\n ssl->s3->early_data_reason = ssl_early_data_quic_parameter_mismatch;\n } else if (!found_key_share) {\n ssl->s3->early_data_reason = ssl_early_data_hello_retry_request;\n } else {\n // |ssl_session_is_resumable| forbids cross-cipher resumptions even if the\n // PRF hashes match.\n assert(hs->new_cipher == session->cipher);\n\n ssl->s3->early_data_reason = ssl_early_data_accepted;\n ssl->s3->early_data_accepted = true;\n }\n\n // Store the ALPN and ALPS values in the session for 0-RTT. Note the peer\n // applications settings are not generally known until client\n // EncryptedExtensions.\n if (!hs->new_session->early_alpn.CopyFrom(ssl->s3->alpn_selected)) {\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);\n return ssl_hs_error;\n }\n\n // The peer applications settings are usually received later, in\n // EncryptedExtensions. But, in 0-RTT handshakes, we carry over the\n // values from |session|. Do this now, before |session| is discarded.\n if (ssl->s3->early_data_accepted &&\n hs->new_session->has_application_settings &&\n !hs->new_session->peer_application_settings.CopyFrom(\n session->peer_application_settings)) {\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);\n return ssl_hs_error;\n }\n\n // Copy the QUIC early data context to the session.\n if (ssl->enable_early_data && SSL_is_quic(ssl)) {\n if (!hs->new_session->quic_early_data_context.CopyFrom(\n hs->config->quic_early_data_context)) {\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);\n return ssl_hs_error;\n }\n }\n\n if (ssl->ctx->dos_protection_cb != NULL &&\n ssl->ctx->dos_protection_cb(&client_hello) == 0) {\n // Connection rejected for DOS reasons.\n OPENSSL_PUT_ERROR(SSL, SSL_R_CONNECTION_REJECTED);\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);\n return ssl_hs_error;\n }\n\n size_t hash_len = EVP_MD_size(\n ssl_get_handshake_digest(ssl_protocol_version(ssl), hs->new_cipher));\n\n // Set up the key schedule and incorporate the PSK into the running secret.\n if (!tls13_init_key_schedule(hs, ssl->s3->session_reused\n ? Span(hs->new_session->secret)\n : Span(kZeroes, hash_len)) ||\n !ssl_hash_message(hs, msg)) {\n return ssl_hs_error;\n }\n\n if (ssl->s3->early_data_accepted) {\n if (!tls13_derive_early_secret(hs)) {\n return ssl_hs_error;\n }\n } else if (hs->early_data_offered) {\n ssl->s3->skip_early_data = true;\n }\n\n if (!found_key_share) {\n ssl->method->next_message(ssl);\n if (!hs->transcript.UpdateForHelloRetryRequest()) {\n return ssl_hs_error;\n }\n hs->tls13_state = state13_send_hello_retry_request;\n return ssl_hs_ok;\n }\n\n if (!resolve_ecdhe_secret(hs, &client_hello)) {\n return ssl_hs_error;\n }\n\n ssl->method->next_message(ssl);\n hs->ech_client_hello_buf.Reset();\n hs->tls13_state = state13_send_server_hello;\n return ssl_hs_ok;\n}\n\nstatic enum ssl_hs_wait_t do_send_hello_retry_request(SSL_HANDSHAKE *hs) {\n SSL *const ssl = hs->ssl;\n if (hs->hints_requested) {\n return ssl_hs_hints_ready;\n }\n\n ScopedCBB cbb;\n CBB body, session_id, extensions;\n if (!ssl->method->init_message(ssl, cbb.get(), &body, SSL3_MT_SERVER_HELLO) ||\n !CBB_add_u16(&body, TLS1_2_VERSION) ||\n !CBB_add_bytes(&body, kHelloRetryRequest, SSL3_RANDOM_SIZE) ||\n !CBB_add_u8_length_prefixed(&body, &session_id) ||\n !CBB_add_bytes(&session_id, hs->session_id.data(),\n hs->session_id.size()) ||\n !CBB_add_u16(&body, SSL_CIPHER_get_protocol_id(hs->new_cipher)) ||\n !CBB_add_u8(&body, 0 /* no compression */) ||\n !CBB_add_u16_length_prefixed(&body, &extensions) ||\n !CBB_add_u16(&extensions, TLSEXT_TYPE_supported_versions) ||\n !CBB_add_u16(&extensions, 2 /* length */) ||\n !CBB_add_u16(&extensions, ssl->s3->version) ||\n !CBB_add_u16(&extensions, TLSEXT_TYPE_key_share) ||\n !CBB_add_u16(&extensions, 2 /* length */) ||\n !CBB_add_u16(&extensions, hs->new_session->group_id)) {\n return ssl_hs_error;\n }\n if (hs->ech_is_inner) {\n // Fill a placeholder for the ECH confirmation value.\n if (!CBB_add_u16(&extensions, TLSEXT_TYPE_encrypted_client_hello) ||\n !CBB_add_u16(&extensions, ECH_CONFIRMATION_SIGNAL_LEN) ||\n !CBB_add_zeros(&extensions, ECH_CONFIRMATION_SIGNAL_LEN)) {\n return ssl_hs_error;\n }\n }\n Array hrr;\n if (!ssl->method->finish_message(ssl, cbb.get(), &hrr)) {\n return ssl_hs_error;\n }\n if (hs->ech_is_inner) {\n // Now that the message is encoded, fill in the whole value.\n size_t offset = hrr.size() - ECH_CONFIRMATION_SIGNAL_LEN;\n if (!ssl_ech_accept_confirmation(\n hs, Span(hrr).last(ECH_CONFIRMATION_SIGNAL_LEN),\n ssl->s3->client_random, hs->transcript, /*is_hrr=*/true, hrr,\n offset)) {\n return ssl_hs_error;\n }\n }\n\n if (!ssl->method->add_message(ssl, std::move(hrr)) ||\n !ssl->method->add_change_cipher_spec(ssl)) {\n return ssl_hs_error;\n }\n\n ssl->s3->used_hello_retry_request = true;\n hs->tls13_state = state13_read_second_client_hello;\n return ssl_hs_flush;\n}\n\nstatic enum ssl_hs_wait_t do_read_second_client_hello(SSL_HANDSHAKE *hs) {\n SSL *const ssl = hs->ssl;\n SSLMessage msg;\n if (!ssl->method->get_message(ssl, &msg)) {\n return ssl_hs_read_message;\n }\n if (!ssl_check_message_type(ssl, msg, SSL3_MT_CLIENT_HELLO)) {\n return ssl_hs_error;\n }\n SSL_CLIENT_HELLO client_hello;\n if (!ssl_client_hello_init(ssl, &client_hello, msg.body)) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_CLIENTHELLO_PARSE_FAILED);\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);\n return ssl_hs_error;\n }\n\n if (ssl->s3->ech_status == ssl_ech_accepted) {\n // If we previously accepted the ClientHelloInner, the second ClientHello\n // must contain an outer encrypted_client_hello extension.\n CBS ech_body;\n if (!ssl_client_hello_get_extension(&client_hello, &ech_body,\n TLSEXT_TYPE_encrypted_client_hello)) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_MISSING_EXTENSION);\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_MISSING_EXTENSION);\n return ssl_hs_error;\n }\n uint16_t kdf_id, aead_id;\n uint8_t type, config_id;\n CBS enc, payload;\n if (!CBS_get_u8(&ech_body, &type) || //\n type != ECH_CLIENT_OUTER || //\n !CBS_get_u16(&ech_body, &kdf_id) || //\n !CBS_get_u16(&ech_body, &aead_id) ||\n !CBS_get_u8(&ech_body, &config_id) ||\n !CBS_get_u16_length_prefixed(&ech_body, &enc) ||\n !CBS_get_u16_length_prefixed(&ech_body, &payload) ||\n CBS_len(&ech_body) != 0) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);\n return ssl_hs_error;\n }\n\n if (kdf_id != EVP_HPKE_KDF_id(EVP_HPKE_CTX_kdf(hs->ech_hpke_ctx.get())) ||\n aead_id !=\n EVP_HPKE_AEAD_id(EVP_HPKE_CTX_aead(hs->ech_hpke_ctx.get())) ||\n config_id != hs->ech_config_id || CBS_len(&enc) > 0) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);\n return ssl_hs_error;\n }\n\n // Decrypt the payload with the HPKE context from the first ClientHello.\n uint8_t alert = SSL_AD_DECODE_ERROR;\n bool unused;\n if (!ssl_client_hello_decrypt(hs, &alert, &unused,\n &hs->ech_client_hello_buf, &client_hello,\n payload)) {\n // Decryption failure is fatal in the second ClientHello.\n OPENSSL_PUT_ERROR(SSL, SSL_R_DECRYPTION_FAILED);\n ssl_send_alert(ssl, SSL3_AL_FATAL, alert);\n return ssl_hs_error;\n }\n\n // Reparse |client_hello| from the buffer owned by |hs|.\n if (!hs->GetClientHello(&msg, &client_hello)) {\n OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);\n return ssl_hs_error;\n }\n }\n\n // We perform all our negotiation based on the first ClientHello (for\n // consistency with what |select_certificate_cb| observed), which is in the\n // transcript, so we can ignore most of this second one.\n //\n // We do, however, check the second PSK binder. This covers the client key\n // share, in case we ever send half-RTT data (we currently do not). It is also\n // a tricky computation, so we enforce the peer handled it correctly.\n if (ssl->s3->session_reused) {\n CBS pre_shared_key;\n if (!ssl_client_hello_get_extension(&client_hello, &pre_shared_key,\n TLSEXT_TYPE_pre_shared_key)) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_INCONSISTENT_CLIENT_HELLO);\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);\n return ssl_hs_error;\n }\n\n CBS ticket, binders;\n uint32_t client_ticket_age;\n uint8_t alert = SSL_AD_DECODE_ERROR;\n if (!ssl_ext_pre_shared_key_parse_clienthello(\n hs, &ticket, &binders, &client_ticket_age, &alert, &client_hello,\n &pre_shared_key)) {\n ssl_send_alert(ssl, SSL3_AL_FATAL, alert);\n return ssl_hs_error;\n }\n\n // Note it is important that we do not obtain a new |SSL_SESSION| from\n // |ticket|. We have already selected parameters based on the first\n // ClientHello (in the transcript) and must not switch partway through.\n if (!tls13_verify_psk_binder(hs, hs->new_session.get(), msg, &binders)) {\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECRYPT_ERROR);\n return ssl_hs_error;\n }\n }\n\n if (!resolve_ecdhe_secret(hs, &client_hello)) {\n return ssl_hs_error;\n }\n\n if (!ssl_hash_message(hs, msg)) {\n return ssl_hs_error;\n }\n\n // ClientHello should be the end of the flight.\n if (ssl->method->has_unprocessed_handshake_data(ssl)) {\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);\n OPENSSL_PUT_ERROR(SSL, SSL_R_EXCESS_HANDSHAKE_DATA);\n return ssl_hs_error;\n }\n\n ssl->method->next_message(ssl);\n hs->ech_client_hello_buf.Reset();\n hs->tls13_state = state13_send_server_hello;\n return ssl_hs_ok;\n}\n\nstatic enum ssl_hs_wait_t do_send_server_hello(SSL_HANDSHAKE *hs) {\n SSL *const ssl = hs->ssl;\n\n Span random(ssl->s3->server_random);\n\n SSL_HANDSHAKE_HINTS *const hints = hs->hints.get();\n if (hints && !hs->hints_requested &&\n hints->server_random_tls13.size() == random.size()) {\n OPENSSL_memcpy(random.data(), hints->server_random_tls13.data(),\n random.size());\n } else {\n RAND_bytes(random.data(), random.size());\n if (hints && hs->hints_requested &&\n !hints->server_random_tls13.CopyFrom(random)) {\n return ssl_hs_error;\n }\n }\n\n uint16_t server_hello_version = TLS1_2_VERSION;\n if (SSL_is_dtls(ssl)) {\n server_hello_version = DTLS1_2_VERSION;\n }\n Array server_hello;\n ScopedCBB cbb;\n CBB body, extensions, session_id;\n if (!ssl->method->init_message(ssl, cbb.get(), &body, SSL3_MT_SERVER_HELLO) ||\n !CBB_add_u16(&body, server_hello_version) ||\n !CBB_add_bytes(&body, ssl->s3->server_random,\n sizeof(ssl->s3->server_random)) ||\n !CBB_add_u8_length_prefixed(&body, &session_id) ||\n !CBB_add_bytes(&session_id, hs->session_id.data(),\n hs->session_id.size()) ||\n !CBB_add_u16(&body, SSL_CIPHER_get_protocol_id(hs->new_cipher)) ||\n !CBB_add_u8(&body, 0) ||\n !CBB_add_u16_length_prefixed(&body, &extensions) ||\n !ssl_ext_pre_shared_key_add_serverhello(hs, &extensions) ||\n !ssl_ext_key_share_add_serverhello(hs, &extensions) ||\n !ssl_ext_supported_versions_add_serverhello(hs, &extensions) ||\n !ssl->method->finish_message(ssl, cbb.get(), &server_hello)) {\n return ssl_hs_error;\n }\n\n assert(ssl->s3->ech_status != ssl_ech_accepted || hs->ech_is_inner);\n if (hs->ech_is_inner) {\n // Fill in the ECH confirmation signal.\n const size_t offset = ssl_ech_confirmation_signal_hello_offset(ssl);\n Span random_suffix = random.last(ECH_CONFIRMATION_SIGNAL_LEN);\n if (!ssl_ech_accept_confirmation(hs, random_suffix, ssl->s3->client_random,\n hs->transcript,\n /*is_hrr=*/false, server_hello, offset)) {\n return ssl_hs_error;\n }\n\n // Update |server_hello|.\n Span server_hello_out =\n Span(server_hello).subspan(offset, ECH_CONFIRMATION_SIGNAL_LEN);\n OPENSSL_memcpy(server_hello_out.data(), random_suffix.data(),\n ECH_CONFIRMATION_SIGNAL_LEN);\n }\n\n if (!ssl->method->add_message(ssl, std::move(server_hello))) {\n return ssl_hs_error;\n }\n\n hs->key_share_ciphertext.Reset(); // No longer needed.\n if (!ssl->s3->used_hello_retry_request &&\n !ssl->method->add_change_cipher_spec(ssl)) {\n return ssl_hs_error;\n }\n\n // Derive and enable the handshake traffic secrets.\n if (!tls13_derive_handshake_secrets(hs) ||\n !tls13_set_traffic_key(ssl, ssl_encryption_handshake, evp_aead_seal,\n hs->new_session.get(),\n hs->server_handshake_secret)) {\n return ssl_hs_error;\n }\n\n // Send EncryptedExtensions.\n if (!ssl->method->init_message(ssl, cbb.get(), &body,\n SSL3_MT_ENCRYPTED_EXTENSIONS) ||\n !ssl_add_serverhello_tlsext(hs, &body) ||\n !ssl_add_message_cbb(ssl, cbb.get())) {\n return ssl_hs_error;\n }\n\n if (!ssl->s3->session_reused) {\n // Determine whether to request a client certificate.\n hs->cert_request = !!(hs->config->verify_mode & SSL_VERIFY_PEER);\n // Only request a certificate if Channel ID isn't negotiated.\n if ((hs->config->verify_mode & SSL_VERIFY_PEER_IF_NO_OBC) &&\n hs->channel_id_negotiated) {\n hs->cert_request = false;\n }\n }\n\n // Send a CertificateRequest, if necessary.\n if (hs->cert_request) {\n CBB cert_request_extensions, sigalg_contents, sigalgs_cbb;\n if (!ssl->method->init_message(ssl, cbb.get(), &body,\n SSL3_MT_CERTIFICATE_REQUEST) ||\n !CBB_add_u8(&body, 0 /* no certificate_request_context. */) ||\n !CBB_add_u16_length_prefixed(&body, &cert_request_extensions) ||\n !CBB_add_u16(&cert_request_extensions,\n TLSEXT_TYPE_signature_algorithms) ||\n !CBB_add_u16_length_prefixed(&cert_request_extensions,\n &sigalg_contents) ||\n !CBB_add_u16_length_prefixed(&sigalg_contents, &sigalgs_cbb) ||\n !tls12_add_verify_sigalgs(hs, &sigalgs_cbb)) {\n return ssl_hs_error;\n }\n\n if (ssl_has_client_CAs(hs->config)) {\n CBB ca_contents;\n if (!CBB_add_u16(&cert_request_extensions,\n TLSEXT_TYPE_certificate_authorities) ||\n !CBB_add_u16_length_prefixed(&cert_request_extensions,\n &ca_contents) ||\n !ssl_add_client_CA_list(hs, &ca_contents) ||\n !CBB_flush(&cert_request_extensions)) {\n return ssl_hs_error;\n }\n }\n\n if (!ssl_add_message_cbb(ssl, cbb.get())) {\n return ssl_hs_error;\n }\n }\n\n // Send the server Certificate message, if necessary.\n if (!ssl->s3->session_reused) {\n if (!tls13_add_certificate(hs)) {\n return ssl_hs_error;\n }\n\n hs->tls13_state = state13_send_server_certificate_verify;\n return ssl_hs_ok;\n }\n\n hs->tls13_state = state13_send_server_finished;\n return ssl_hs_ok;\n}\n\nstatic enum ssl_hs_wait_t do_send_server_certificate_verify(SSL_HANDSHAKE *hs) {\n switch (tls13_add_certificate_verify(hs)) {\n case ssl_private_key_success:\n hs->tls13_state = state13_send_server_finished;\n return ssl_hs_ok;\n\n case ssl_private_key_retry:\n hs->tls13_state = state13_send_server_certificate_verify;\n return ssl_hs_private_key_operation;\n\n case ssl_private_key_failure:\n return ssl_hs_error;\n }\n\n assert(0);\n return ssl_hs_error;\n}\n\nstatic enum ssl_hs_wait_t do_send_server_finished(SSL_HANDSHAKE *hs) {\n SSL *const ssl = hs->ssl;\n if (hs->hints_requested) {\n return ssl_hs_hints_ready;\n }\n\n hs->can_release_private_key = true;\n if (!tls13_add_finished(hs) ||\n // Update the secret to the master secret and derive traffic keys.\n !tls13_advance_key_schedule(hs,\n Span(kZeroes, hs->transcript.DigestLen())) ||\n !tls13_derive_application_secrets(hs) ||\n !tls13_set_traffic_key(ssl, ssl_encryption_application, evp_aead_seal,\n hs->new_session.get(),\n hs->server_traffic_secret_0)) {\n return ssl_hs_error;\n }\n\n hs->tls13_state = state13_send_half_rtt_ticket;\n return hs->handback ? ssl_hs_handback : ssl_hs_ok;\n}\n\nstatic enum ssl_hs_wait_t do_send_half_rtt_ticket(SSL_HANDSHAKE *hs) {\n SSL *const ssl = hs->ssl;\n\n if (ssl->s3->early_data_accepted) {\n // If accepting 0-RTT, we send tickets half-RTT. This gets the tickets on\n // the wire sooner and also avoids triggering a write on |SSL_read| when\n // processing the client Finished. This requires computing the client\n // Finished early. See RFC 8446, section 4.6.1.\n static const uint8_t kEndOfEarlyData[4] = {SSL3_MT_END_OF_EARLY_DATA, 0, 0,\n 0};\n if (!SSL_is_quic(ssl) && !hs->transcript.Update(kEndOfEarlyData)) {\n OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);\n return ssl_hs_error;\n }\n\n size_t finished_len;\n hs->expected_client_finished.Resize(hs->transcript.DigestLen());\n if (!tls13_finished_mac(hs, hs->expected_client_finished.data(),\n &finished_len, false /* client */)) {\n return ssl_hs_error;\n }\n\n if (finished_len != hs->expected_client_finished.size()) {\n OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);\n return ssl_hs_error;\n }\n\n // Feed the predicted Finished into the transcript. This allows us to derive\n // the resumption secret early and send half-RTT tickets.\n //\n // TODO(crbug.com/381113363): Don't use half-RTT tickets with DTLS 1.3.\n // TODO(crbug.com/376939532): Perhaps don't use half-RTT tickets at all.\n assert(!SSL_is_dtls(hs->ssl));\n assert(hs->expected_client_finished.size() <= 0xff);\n uint8_t header[4] = {\n SSL3_MT_FINISHED, 0, 0,\n static_cast(hs->expected_client_finished.size())};\n bool unused_sent_tickets;\n if (!hs->transcript.Update(header) ||\n !hs->transcript.Update(hs->expected_client_finished) ||\n !tls13_derive_resumption_secret(hs) ||\n !add_new_session_tickets(hs, &unused_sent_tickets)) {\n return ssl_hs_error;\n }\n }\n\n hs->tls13_state = state13_read_second_client_flight;\n return ssl_hs_flush;\n}\n\nstatic bool uses_end_of_early_data(const SSL *ssl) {\n // DTLS and QUIC omit the EndOfEarlyData message. See RFC 9001, section 8.3,\n // and RFC 9147, section 5.6.\n return !SSL_is_quic(ssl) && !SSL_is_dtls(ssl);\n}\n\nstatic enum ssl_hs_wait_t do_read_second_client_flight(SSL_HANDSHAKE *hs) {\n SSL *const ssl = hs->ssl;\n if (ssl->s3->early_data_accepted) {\n if (!tls13_set_traffic_key(ssl, ssl_encryption_early_data, evp_aead_open,\n hs->new_session.get(),\n hs->early_traffic_secret)) {\n return ssl_hs_error;\n }\n hs->can_early_write = true;\n hs->can_early_read = true;\n hs->in_early_data = true;\n }\n\n // If the EndOfEarlyData message is not used, switch to\n // client_handshake_secret before the early return.\n if (!uses_end_of_early_data(ssl)) {\n if (!tls13_set_traffic_key(ssl, ssl_encryption_handshake, evp_aead_open,\n hs->new_session.get(),\n hs->client_handshake_secret)) {\n return ssl_hs_error;\n }\n hs->tls13_state = state13_process_end_of_early_data;\n return ssl->s3->early_data_accepted ? ssl_hs_early_return : ssl_hs_ok;\n }\n\n hs->tls13_state = state13_process_end_of_early_data;\n return ssl->s3->early_data_accepted ? ssl_hs_read_end_of_early_data\n : ssl_hs_ok;\n}\n\nstatic enum ssl_hs_wait_t do_process_end_of_early_data(SSL_HANDSHAKE *hs) {\n SSL *const ssl = hs->ssl;\n // In protocols that use EndOfEarlyData, we must consume the extra message and\n // switch to client_handshake_secret after the early return.\n if (uses_end_of_early_data(ssl)) {\n // If early data was not accepted, the EndOfEarlyData will be in the\n // discarded early data.\n if (hs->ssl->s3->early_data_accepted) {\n SSLMessage msg;\n if (!ssl->method->get_message(ssl, &msg)) {\n return ssl_hs_read_message;\n }\n if (!ssl_check_message_type(ssl, msg, SSL3_MT_END_OF_EARLY_DATA)) {\n return ssl_hs_error;\n }\n if (CBS_len(&msg.body) != 0) {\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);\n OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);\n return ssl_hs_error;\n }\n ssl->method->next_message(ssl);\n }\n if (!tls13_set_traffic_key(ssl, ssl_encryption_handshake, evp_aead_open,\n hs->new_session.get(),\n hs->client_handshake_secret)) {\n return ssl_hs_error;\n }\n }\n hs->tls13_state = state13_read_client_encrypted_extensions;\n return ssl_hs_ok;\n}\n\nstatic enum ssl_hs_wait_t do_read_client_encrypted_extensions(\n SSL_HANDSHAKE *hs) {\n SSL *const ssl = hs->ssl;\n // For now, only one extension uses client EncryptedExtensions. This function\n // may be generalized if others use it in the future.\n if (hs->new_session->has_application_settings &&\n !ssl->s3->early_data_accepted) {\n SSLMessage msg;\n if (!ssl->method->get_message(ssl, &msg)) {\n return ssl_hs_read_message;\n }\n if (!ssl_check_message_type(ssl, msg, SSL3_MT_ENCRYPTED_EXTENSIONS)) {\n return ssl_hs_error;\n }\n\n CBS body = msg.body, extensions;\n if (!CBS_get_u16_length_prefixed(&body, &extensions) ||\n CBS_len(&body) != 0) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);\n return ssl_hs_error;\n }\n\n uint16_t extension_type = TLSEXT_TYPE_application_settings_old;\n if (hs->config->alps_use_new_codepoint) {\n extension_type = TLSEXT_TYPE_application_settings;\n }\n SSLExtension application_settings(extension_type);\n uint8_t alert = SSL_AD_DECODE_ERROR;\n if (!ssl_parse_extensions(&extensions, &alert, {&application_settings},\n /*ignore_unknown=*/false)) {\n ssl_send_alert(ssl, SSL3_AL_FATAL, alert);\n return ssl_hs_error;\n }\n\n if (!application_settings.present) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_MISSING_EXTENSION);\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_MISSING_EXTENSION);\n return ssl_hs_error;\n }\n\n // Note that, if 0-RTT was accepted, these values will already have been\n // initialized earlier.\n if (!hs->new_session->peer_application_settings.CopyFrom(\n application_settings.data) ||\n !ssl_hash_message(hs, msg)) {\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);\n return ssl_hs_error;\n }\n\n ssl->method->next_message(ssl);\n }\n\n hs->tls13_state = state13_read_client_certificate;\n return ssl_hs_ok;\n}\n\nstatic enum ssl_hs_wait_t do_read_client_certificate(SSL_HANDSHAKE *hs) {\n SSL *const ssl = hs->ssl;\n if (!hs->cert_request) {\n if (!ssl->s3->session_reused) {\n // OpenSSL returns X509_V_OK when no certificates are requested. This is\n // classed by them as a bug, but it's assumed by at least NGINX. (Only do\n // this in full handshakes as resumptions should carry over the previous\n // |verify_result|, though this is a no-op because servers do not\n // implement the client's odd soft-fail mode.)\n hs->new_session->verify_result = X509_V_OK;\n }\n\n // Skip this state.\n hs->tls13_state = state13_read_channel_id;\n return ssl_hs_ok;\n }\n\n const bool allow_anonymous =\n (hs->config->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT) == 0;\n SSLMessage msg;\n if (!ssl->method->get_message(ssl, &msg)) {\n return ssl_hs_read_message;\n }\n if (!ssl_check_message_type(ssl, msg, SSL3_MT_CERTIFICATE) ||\n !tls13_process_certificate(hs, msg, allow_anonymous) ||\n !ssl_hash_message(hs, msg)) {\n return ssl_hs_error;\n }\n\n ssl->method->next_message(ssl);\n hs->tls13_state = state13_read_client_certificate_verify;\n return ssl_hs_ok;\n}\n\nstatic enum ssl_hs_wait_t do_read_client_certificate_verify(SSL_HANDSHAKE *hs) {\n SSL *const ssl = hs->ssl;\n if (sk_CRYPTO_BUFFER_num(hs->new_session->certs.get()) == 0) {\n // Skip this state.\n hs->tls13_state = state13_read_channel_id;\n return ssl_hs_ok;\n }\n\n SSLMessage msg;\n if (!ssl->method->get_message(ssl, &msg)) {\n return ssl_hs_read_message;\n }\n\n switch (ssl_verify_peer_cert(hs)) {\n case ssl_verify_ok:\n break;\n case ssl_verify_invalid:\n return ssl_hs_error;\n case ssl_verify_retry:\n hs->tls13_state = state13_read_client_certificate_verify;\n return ssl_hs_certificate_verify;\n }\n\n if (!ssl_check_message_type(ssl, msg, SSL3_MT_CERTIFICATE_VERIFY) ||\n !tls13_process_certificate_verify(hs, msg) ||\n !ssl_hash_message(hs, msg)) {\n return ssl_hs_error;\n }\n\n ssl->method->next_message(ssl);\n hs->tls13_state = state13_read_channel_id;\n return ssl_hs_ok;\n}\n\nstatic enum ssl_hs_wait_t do_read_channel_id(SSL_HANDSHAKE *hs) {\n SSL *const ssl = hs->ssl;\n if (!hs->channel_id_negotiated) {\n hs->tls13_state = state13_read_client_finished;\n return ssl_hs_ok;\n }\n\n SSLMessage msg;\n if (!ssl->method->get_message(ssl, &msg)) {\n return ssl_hs_read_message;\n }\n if (!ssl_check_message_type(ssl, msg, SSL3_MT_CHANNEL_ID) || //\n !tls1_verify_channel_id(hs, msg) || //\n !ssl_hash_message(hs, msg)) {\n return ssl_hs_error;\n }\n\n ssl->method->next_message(ssl);\n hs->tls13_state = state13_read_client_finished;\n return ssl_hs_ok;\n}\n\nstatic enum ssl_hs_wait_t do_read_client_finished(SSL_HANDSHAKE *hs) {\n SSL *const ssl = hs->ssl;\n SSLMessage msg;\n if (!ssl->method->get_message(ssl, &msg)) {\n return ssl_hs_read_message;\n }\n if (!ssl_check_message_type(ssl, msg, SSL3_MT_FINISHED) ||\n // If early data was accepted, we've already computed the client Finished\n // and derived the resumption secret.\n !tls13_process_finished(hs, msg, ssl->s3->early_data_accepted) ||\n // evp_aead_seal keys have already been switched.\n !tls13_set_traffic_key(ssl, ssl_encryption_application, evp_aead_open,\n hs->new_session.get(),\n hs->client_traffic_secret_0)) {\n return ssl_hs_error;\n }\n\n if (!ssl->s3->early_data_accepted) {\n if (!ssl_hash_message(hs, msg) || //\n !tls13_derive_resumption_secret(hs)) {\n return ssl_hs_error;\n }\n\n // We send post-handshake tickets as part of the handshake in 1-RTT.\n hs->tls13_state = state13_send_new_session_ticket;\n } else {\n // We already sent half-RTT tickets.\n hs->tls13_state = state13_done;\n }\n\n ssl->method->next_message(ssl);\n if (SSL_is_dtls(ssl)) {\n ssl->method->schedule_ack(ssl);\n return ssl_hs_flush;\n }\n return ssl_hs_ok;\n}\n\nstatic enum ssl_hs_wait_t do_send_new_session_ticket(SSL_HANDSHAKE *hs) {\n SSL *const ssl = hs->ssl;\n bool sent_tickets;\n if (!add_new_session_tickets(hs, &sent_tickets)) {\n return ssl_hs_error;\n }\n\n hs->tls13_state = state13_done;\n // In QUIC and DTLS, we can flush the ticket to the transport immediately. In\n // TLS over TCP-like transports, we defer until the server performs a write.\n // This prevents a non-reading client from causing the server to hang in the\n // case of a small server write buffer. Consumers which don't write data to\n // the client will need to do a zero-byte write if they wish to flush the\n // tickets.\n bool should_flush = sent_tickets && (SSL_is_dtls(ssl) || SSL_is_quic(ssl));\n return should_flush ? ssl_hs_flush : ssl_hs_ok;\n}\n\nenum ssl_hs_wait_t tls13_server_handshake(SSL_HANDSHAKE *hs) {\n while (hs->tls13_state != state13_done) {\n enum ssl_hs_wait_t ret = ssl_hs_error;\n enum tls13_server_hs_state_t state =\n static_cast(hs->tls13_state);\n switch (state) {\n case state13_select_parameters:\n ret = do_select_parameters(hs);\n break;\n case state13_select_session:\n ret = do_select_session(hs);\n break;\n case state13_send_hello_retry_request:\n ret = do_send_hello_retry_request(hs);\n break;\n case state13_read_second_client_hello:\n ret = do_read_second_client_hello(hs);\n break;\n case state13_send_server_hello:\n ret = do_send_server_hello(hs);\n break;\n case state13_send_server_certificate_verify:\n ret = do_send_server_certificate_verify(hs);\n break;\n case state13_send_server_finished:\n ret = do_send_server_finished(hs);\n break;\n case state13_send_half_rtt_ticket:\n ret = do_send_half_rtt_ticket(hs);\n break;\n case state13_read_second_client_flight:\n ret = do_read_second_client_flight(hs);\n break;\n case state13_process_end_of_early_data:\n ret = do_process_end_of_early_data(hs);\n break;\n case state13_read_client_encrypted_extensions:\n ret = do_read_client_encrypted_extensions(hs);\n break;\n case state13_read_client_certificate:\n ret = do_read_client_certificate(hs);\n break;\n case state13_read_client_certificate_verify:\n ret = do_read_client_certificate_verify(hs);\n break;\n case state13_read_channel_id:\n ret = do_read_channel_id(hs);\n break;\n case state13_read_client_finished:\n ret = do_read_client_finished(hs);\n break;\n case state13_send_new_session_ticket:\n ret = do_send_new_session_ticket(hs);\n break;\n case state13_done:\n ret = ssl_hs_ok;\n break;\n }\n\n if (hs->tls13_state != state) {\n ssl_do_info_callback(hs->ssl, SSL_CB_ACCEPT_LOOP, 1);\n }\n\n if (ret != ssl_hs_ok) {\n return ret;\n }\n }\n\n return ssl_hs_ok;\n}\n\nconst char *tls13_server_handshake_state(SSL_HANDSHAKE *hs) {\n enum tls13_server_hs_state_t state =\n static_cast(hs->tls13_state);\n switch (state) {\n case state13_select_parameters:\n return \"TLS 1.3 server select_parameters\";\n case state13_select_session:\n return \"TLS 1.3 server select_session\";\n case state13_send_hello_retry_request:\n return \"TLS 1.3 server send_hello_retry_request\";\n case state13_read_second_client_hello:\n return \"TLS 1.3 server read_second_client_hello\";\n case state13_send_server_hello:\n return \"TLS 1.3 server send_server_hello\";\n case state13_send_server_certificate_verify:\n return \"TLS 1.3 server send_server_certificate_verify\";\n case state13_send_half_rtt_ticket:\n return \"TLS 1.3 server send_half_rtt_ticket\";\n case state13_send_server_finished:\n return \"TLS 1.3 server send_server_finished\";\n case state13_read_second_client_flight:\n return \"TLS 1.3 server read_second_client_flight\";\n case state13_process_end_of_early_data:\n return \"TLS 1.3 server process_end_of_early_data\";\n case state13_read_client_encrypted_extensions:\n return \"TLS 1.3 server read_client_encrypted_extensions\";\n case state13_read_client_certificate:\n return \"TLS 1.3 server read_client_certificate\";\n case state13_read_client_certificate_verify:\n return \"TLS 1.3 server read_client_certificate_verify\";\n case state13_read_channel_id:\n return \"TLS 1.3 server read_channel_id\";\n case state13_read_client_finished:\n return \"TLS 1.3 server read_client_finished\";\n case state13_send_new_session_ticket:\n return \"TLS 1.3 server send_new_session_ticket\";\n case state13_done:\n return \"TLS 1.3 server done\";\n }\n\n return \"TLS 1.3 server unknown\";\n}\n\nBSSL_NAMESPACE_END\n" }, { "path": "Sources/CNIOBoringSSL/ssl/tls_method.cc", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n#include \n\n#include \n\n#include \"../crypto/internal.h\"\n#include \"internal.h\"\n\n\nBSSL_NAMESPACE_BEGIN\n\nstatic void tls_on_handshake_complete(SSL *ssl) {\n // The handshake should have released its final message.\n assert(!ssl->s3->has_message);\n\n // During the handshake, |hs_buf| is retained. Release if it there is no\n // excess in it. There should not be any excess because the handshake logic\n // rejects unprocessed data after each Finished message. Note this means we do\n // not allow a TLS 1.2 HelloRequest to be packed into the same record as\n // Finished. (Schannel also rejects this.)\n assert(!ssl->s3->hs_buf || ssl->s3->hs_buf->length == 0);\n if (ssl->s3->hs_buf && ssl->s3->hs_buf->length == 0) {\n ssl->s3->hs_buf.reset();\n }\n}\n\nstatic bool tls_set_read_state(SSL *ssl, ssl_encryption_level_t level,\n UniquePtr aead_ctx,\n Span traffic_secret) {\n // Cipher changes are forbidden if the current epoch has leftover data.\n if (tls_has_unprocessed_handshake_data(ssl)) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_EXCESS_HANDSHAKE_DATA);\n ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);\n return false;\n }\n\n if (SSL_is_quic(ssl)) {\n if ((ssl->s3->hs == nullptr || !ssl->s3->hs->hints_requested) &&\n !ssl->quic_method->set_read_secret(ssl, level, aead_ctx->cipher(),\n traffic_secret.data(),\n traffic_secret.size())) {\n return false;\n }\n\n // QUIC only uses |ssl| for handshake messages, which never use early data\n // keys, so we return without installing anything. This avoids needing to\n // have two secrets active at once in 0-RTT.\n if (level == ssl_encryption_early_data) {\n return true;\n }\n ssl->s3->quic_read_level = level;\n }\n\n ssl->s3->read_sequence = 0;\n ssl->s3->aead_read_ctx = std::move(aead_ctx);\n return true;\n}\n\nstatic bool tls_set_write_state(SSL *ssl, ssl_encryption_level_t level,\n UniquePtr aead_ctx,\n Span traffic_secret) {\n if (!tls_flush_pending_hs_data(ssl)) {\n return false;\n }\n\n if (SSL_is_quic(ssl)) {\n if ((ssl->s3->hs == nullptr || !ssl->s3->hs->hints_requested) &&\n !ssl->quic_method->set_write_secret(ssl, level, aead_ctx->cipher(),\n traffic_secret.data(),\n traffic_secret.size())) {\n return false;\n }\n\n // QUIC only uses |ssl| for handshake messages, which never use early data\n // keys, so we return without installing anything. This avoids needing to\n // have two secrets active at once in 0-RTT.\n if (level == ssl_encryption_early_data) {\n return true;\n }\n ssl->s3->quic_write_level = level;\n }\n\n ssl->s3->write_sequence = 0;\n ssl->s3->aead_write_ctx = std::move(aead_ctx);\n return true;\n}\n\nstatic void tls_finish_flight(SSL *ssl) {\n // We don't track whether a flight is complete in TLS and instead always flush\n // every queued message in |tls_flush|, whether the flight is complete or not.\n}\n\nstatic void tls_schedule_ack(SSL *ssl) {\n // TLS does not use ACKs.\n}\n\nstatic const SSL_PROTOCOL_METHOD kTLSProtocolMethod = {\n false /* is_dtls */,\n tls_new,\n tls_free,\n tls_get_message,\n tls_next_message,\n tls_has_unprocessed_handshake_data,\n tls_open_handshake,\n tls_open_change_cipher_spec,\n tls_open_app_data,\n tls_write_app_data,\n tls_dispatch_alert,\n tls_init_message,\n tls_finish_message,\n tls_add_message,\n tls_add_change_cipher_spec,\n tls_finish_flight,\n tls_schedule_ack,\n tls_flush,\n tls_on_handshake_complete,\n tls_set_read_state,\n tls_set_write_state,\n};\n\nstatic bool ssl_noop_x509_check_client_CA_names(\n STACK_OF(CRYPTO_BUFFER) *names) {\n return true;\n}\n\nstatic void ssl_noop_x509_clear(CERT *cert) {}\nstatic void ssl_noop_x509_free(CERT *cert) {}\nstatic void ssl_noop_x509_dup(CERT *new_cert, const CERT *cert) {}\nstatic void ssl_noop_x509_flush_cached_leaf(CERT *cert) {}\nstatic void ssl_noop_x509_flush_cached_chain(CERT *cert) {}\nstatic bool ssl_noop_x509_session_cache_objects(SSL_SESSION *sess) {\n return true;\n}\nstatic bool ssl_noop_x509_session_dup(SSL_SESSION *new_session,\n const SSL_SESSION *session) {\n return true;\n}\nstatic void ssl_noop_x509_session_clear(SSL_SESSION *session) {}\nstatic bool ssl_noop_x509_session_verify_cert_chain(SSL_SESSION *session,\n SSL_HANDSHAKE *hs,\n uint8_t *out_alert) {\n return false;\n}\n\nstatic void ssl_noop_x509_hs_flush_cached_ca_names(SSL_HANDSHAKE *hs) {}\nstatic bool ssl_noop_x509_ssl_new(SSL_HANDSHAKE *hs) { return true; }\nstatic void ssl_noop_x509_ssl_config_free(SSL_CONFIG *cfg) {}\nstatic void ssl_noop_x509_ssl_flush_cached_client_CA(SSL_CONFIG *cfg) {}\nstatic bool ssl_noop_x509_ssl_auto_chain_if_needed(SSL_HANDSHAKE *hs) {\n return true;\n}\nstatic bool ssl_noop_x509_ssl_ctx_new(SSL_CTX *ctx) { return true; }\nstatic void ssl_noop_x509_ssl_ctx_free(SSL_CTX *ctx) {}\nstatic void ssl_noop_x509_ssl_ctx_flush_cached_client_CA(SSL_CTX *ctx) {}\n\nconst SSL_X509_METHOD ssl_noop_x509_method = {\n ssl_noop_x509_check_client_CA_names,\n ssl_noop_x509_clear,\n ssl_noop_x509_free,\n ssl_noop_x509_dup,\n ssl_noop_x509_flush_cached_chain,\n ssl_noop_x509_flush_cached_leaf,\n ssl_noop_x509_session_cache_objects,\n ssl_noop_x509_session_dup,\n ssl_noop_x509_session_clear,\n ssl_noop_x509_session_verify_cert_chain,\n ssl_noop_x509_hs_flush_cached_ca_names,\n ssl_noop_x509_ssl_new,\n ssl_noop_x509_ssl_config_free,\n ssl_noop_x509_ssl_flush_cached_client_CA,\n ssl_noop_x509_ssl_auto_chain_if_needed,\n ssl_noop_x509_ssl_ctx_new,\n ssl_noop_x509_ssl_ctx_free,\n ssl_noop_x509_ssl_ctx_flush_cached_client_CA,\n};\n\nBSSL_NAMESPACE_END\n\nusing namespace bssl;\n\nconst SSL_METHOD *TLS_method(void) {\n static const SSL_METHOD kMethod = {\n 0,\n &kTLSProtocolMethod,\n &ssl_crypto_x509_method,\n };\n return &kMethod;\n}\n\nconst SSL_METHOD *SSLv23_method(void) { return TLS_method(); }\n\nconst SSL_METHOD *TLS_with_buffers_method(void) {\n static const SSL_METHOD kMethod = {\n 0,\n &kTLSProtocolMethod,\n &ssl_noop_x509_method,\n };\n return &kMethod;\n}\n\n// Legacy version-locked methods.\n\nconst SSL_METHOD *TLSv1_2_method(void) {\n static const SSL_METHOD kMethod = {\n TLS1_2_VERSION,\n &kTLSProtocolMethod,\n &ssl_crypto_x509_method,\n };\n return &kMethod;\n}\n\nconst SSL_METHOD *TLSv1_1_method(void) {\n static const SSL_METHOD kMethod = {\n TLS1_1_VERSION,\n &kTLSProtocolMethod,\n &ssl_crypto_x509_method,\n };\n return &kMethod;\n}\n\nconst SSL_METHOD *TLSv1_method(void) {\n static const SSL_METHOD kMethod = {\n TLS1_VERSION,\n &kTLSProtocolMethod,\n &ssl_crypto_x509_method,\n };\n return &kMethod;\n}\n\n// Legacy side-specific methods.\n\nconst SSL_METHOD *TLSv1_2_server_method(void) { return TLSv1_2_method(); }\n\nconst SSL_METHOD *TLSv1_1_server_method(void) { return TLSv1_1_method(); }\n\nconst SSL_METHOD *TLSv1_server_method(void) { return TLSv1_method(); }\n\nconst SSL_METHOD *TLSv1_2_client_method(void) { return TLSv1_2_method(); }\n\nconst SSL_METHOD *TLSv1_1_client_method(void) { return TLSv1_1_method(); }\n\nconst SSL_METHOD *TLSv1_client_method(void) { return TLSv1_method(); }\n\nconst SSL_METHOD *SSLv23_server_method(void) { return SSLv23_method(); }\n\nconst SSL_METHOD *SSLv23_client_method(void) { return SSLv23_method(); }\n\nconst SSL_METHOD *TLS_server_method(void) { return TLS_method(); }\n\nconst SSL_METHOD *TLS_client_method(void) { return TLS_method(); }\n" }, { "path": "Sources/CNIOBoringSSL/ssl/tls_record.cc", "content": "/*\n * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.\n *\n * Licensed under the OpenSSL license (the \"License\"). You may not use\n * this file except in compliance with the License. You can obtain a copy\n * in the file LICENSE in the source distribution or at\n * https://www.openssl.org/source/license.html\n */\n\n#include \n\n#include \n#include \n\n#include \n#include \n#include \n\n#include \"../crypto/internal.h\"\n#include \"internal.h\"\n\n\nBSSL_NAMESPACE_BEGIN\n\n// kMaxEmptyRecords is the number of consecutive, empty records that will be\n// processed. Without this limit an attacker could send empty records at a\n// faster rate than we can process and cause record processing to loop\n// forever.\nstatic const uint8_t kMaxEmptyRecords = 32;\n\n// kMaxEarlyDataSkipped is the maximum number of rejected early data bytes that\n// will be skipped. Without this limit an attacker could send records at a\n// faster rate than we can process and cause trial decryption to loop forever.\n// This value should be slightly above kMaxEarlyDataAccepted, which is measured\n// in plaintext.\nstatic const size_t kMaxEarlyDataSkipped = 16384;\n\n// kMaxWarningAlerts is the number of consecutive warning alerts that will be\n// processed.\nstatic const uint8_t kMaxWarningAlerts = 4;\n\n// ssl_needs_record_splitting returns one if |ssl|'s current outgoing cipher\n// state needs record-splitting and zero otherwise.\nbool ssl_needs_record_splitting(const SSL *ssl) {\n#if !defined(BORINGSSL_UNSAFE_FUZZER_MODE)\n return !ssl->s3->aead_write_ctx->is_null_cipher() &&\n ssl_protocol_version(ssl) < TLS1_1_VERSION &&\n (ssl->mode & SSL_MODE_CBC_RECORD_SPLITTING) != 0 &&\n SSL_CIPHER_is_block_cipher(ssl->s3->aead_write_ctx->cipher());\n#else\n return false;\n#endif\n}\n\nsize_t ssl_record_prefix_len(const SSL *ssl) {\n assert(!SSL_is_dtls(ssl));\n return SSL3_RT_HEADER_LENGTH + ssl->s3->aead_read_ctx->ExplicitNonceLen();\n}\n\nstatic ssl_open_record_t skip_early_data(SSL *ssl, uint8_t *out_alert,\n size_t consumed) {\n ssl->s3->early_data_skipped += consumed;\n if (ssl->s3->early_data_skipped < consumed) {\n ssl->s3->early_data_skipped = kMaxEarlyDataSkipped + 1;\n }\n\n if (ssl->s3->early_data_skipped > kMaxEarlyDataSkipped) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_TOO_MUCH_SKIPPED_EARLY_DATA);\n *out_alert = SSL_AD_UNEXPECTED_MESSAGE;\n return ssl_open_record_error;\n }\n\n return ssl_open_record_discard;\n}\n\nstatic uint16_t tls_record_version(const SSL *ssl) {\n if (ssl->s3->version == 0) {\n // Before the version is determined, outgoing records use TLS 1.0 for\n // historical compatibility requirements.\n return TLS1_VERSION;\n }\n\n // TLS 1.3 freezes the record version at TLS 1.2. Previous ones use the\n // version itself.\n return ssl_protocol_version(ssl) >= TLS1_3_VERSION ? TLS1_2_VERSION\n : ssl->s3->version;\n}\n\nssl_open_record_t tls_open_record(SSL *ssl, uint8_t *out_type,\n Span *out, size_t *out_consumed,\n uint8_t *out_alert, Span in) {\n *out_consumed = 0;\n if (ssl->s3->read_shutdown == ssl_shutdown_close_notify) {\n return ssl_open_record_close_notify;\n }\n\n // If there is an unprocessed handshake message or we are already buffering\n // too much, stop before decrypting another handshake record.\n if (!tls_can_accept_handshake_data(ssl, out_alert)) {\n return ssl_open_record_error;\n }\n\n CBS cbs = CBS(in);\n\n // Decode the record header.\n uint8_t type;\n uint16_t version, ciphertext_len;\n if (!CBS_get_u8(&cbs, &type) || //\n !CBS_get_u16(&cbs, &version) || //\n !CBS_get_u16(&cbs, &ciphertext_len)) {\n *out_consumed = SSL3_RT_HEADER_LENGTH;\n return ssl_open_record_partial;\n }\n\n bool version_ok;\n if (ssl->s3->aead_read_ctx->is_null_cipher()) {\n // Only check the first byte. Enforcing beyond that can prevent decoding\n // version negotiation failure alerts.\n version_ok = (version >> 8) == SSL3_VERSION_MAJOR;\n } else {\n version_ok = version == tls_record_version(ssl);\n }\n\n if (!version_ok) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_VERSION_NUMBER);\n *out_alert = SSL_AD_PROTOCOL_VERSION;\n return ssl_open_record_error;\n }\n\n // Check the ciphertext length.\n if (ciphertext_len > SSL3_RT_MAX_ENCRYPTED_LENGTH) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_ENCRYPTED_LENGTH_TOO_LONG);\n *out_alert = SSL_AD_RECORD_OVERFLOW;\n return ssl_open_record_error;\n }\n\n // Extract the body.\n CBS body;\n if (!CBS_get_bytes(&cbs, &body, ciphertext_len)) {\n *out_consumed = SSL3_RT_HEADER_LENGTH + (size_t)ciphertext_len;\n return ssl_open_record_partial;\n }\n\n Span header = in.subspan(0, SSL3_RT_HEADER_LENGTH);\n ssl_do_msg_callback(ssl, 0 /* read */, SSL3_RT_HEADER, header);\n\n *out_consumed = in.size() - CBS_len(&cbs);\n\n // In TLS 1.3, during the handshake, skip ChangeCipherSpec records.\n static const uint8_t kChangeCipherSpec[] = {SSL3_MT_CCS};\n if (ssl_has_final_version(ssl) &&\n ssl_protocol_version(ssl) >= TLS1_3_VERSION && SSL_in_init(ssl) &&\n type == SSL3_RT_CHANGE_CIPHER_SPEC &&\n Span(body) == kChangeCipherSpec) {\n ssl->s3->empty_record_count++;\n if (ssl->s3->empty_record_count > kMaxEmptyRecords) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_TOO_MANY_EMPTY_FRAGMENTS);\n *out_alert = SSL_AD_UNEXPECTED_MESSAGE;\n return ssl_open_record_error;\n }\n return ssl_open_record_discard;\n }\n\n // Skip early data received when expecting a second ClientHello if we rejected\n // 0RTT.\n if (ssl->s3->skip_early_data && //\n ssl->s3->aead_read_ctx->is_null_cipher() && //\n type == SSL3_RT_APPLICATION_DATA) {\n return skip_early_data(ssl, out_alert, *out_consumed);\n }\n\n // Ensure the sequence number update does not overflow.\n if (ssl->s3->read_sequence + 1 == 0) {\n OPENSSL_PUT_ERROR(SSL, ERR_R_OVERFLOW);\n *out_alert = SSL_AD_INTERNAL_ERROR;\n return ssl_open_record_error;\n }\n\n // Decrypt the body in-place.\n if (!ssl->s3->aead_read_ctx->Open(\n out, type, version, ssl->s3->read_sequence, header,\n Span(const_cast(CBS_data(&body)), CBS_len(&body)))) {\n if (ssl->s3->skip_early_data && !ssl->s3->aead_read_ctx->is_null_cipher()) {\n ERR_clear_error();\n return skip_early_data(ssl, out_alert, *out_consumed);\n }\n\n OPENSSL_PUT_ERROR(SSL, SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC);\n *out_alert = SSL_AD_BAD_RECORD_MAC;\n return ssl_open_record_error;\n }\n\n ssl->s3->skip_early_data = false;\n ssl->s3->read_sequence++;\n\n // TLS 1.3 hides the record type inside the encrypted data.\n bool has_padding = !ssl->s3->aead_read_ctx->is_null_cipher() &&\n ssl_protocol_version(ssl) >= TLS1_3_VERSION;\n\n // If there is padding, the plaintext limit includes the padding, but includes\n // extra room for the inner content type.\n size_t plaintext_limit =\n has_padding ? SSL3_RT_MAX_PLAIN_LENGTH + 1 : SSL3_RT_MAX_PLAIN_LENGTH;\n if (out->size() > plaintext_limit) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_DATA_LENGTH_TOO_LONG);\n *out_alert = SSL_AD_RECORD_OVERFLOW;\n return ssl_open_record_error;\n }\n\n if (has_padding) {\n // The outer record type is always application_data.\n if (type != SSL3_RT_APPLICATION_DATA) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_OUTER_RECORD_TYPE);\n *out_alert = SSL_AD_DECODE_ERROR;\n return ssl_open_record_error;\n }\n\n do {\n if (out->empty()) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC);\n *out_alert = SSL_AD_DECRYPT_ERROR;\n return ssl_open_record_error;\n }\n type = out->back();\n *out = out->subspan(0, out->size() - 1);\n } while (type == 0);\n }\n\n // Limit the number of consecutive empty records.\n if (out->empty()) {\n ssl->s3->empty_record_count++;\n if (ssl->s3->empty_record_count > kMaxEmptyRecords) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_TOO_MANY_EMPTY_FRAGMENTS);\n *out_alert = SSL_AD_UNEXPECTED_MESSAGE;\n return ssl_open_record_error;\n }\n // Apart from the limit, empty records are returned up to the caller. This\n // allows the caller to reject records of the wrong type.\n } else {\n ssl->s3->empty_record_count = 0;\n }\n\n if (type == SSL3_RT_ALERT) {\n return ssl_process_alert(ssl, out_alert, *out);\n }\n\n // Handshake messages may not interleave with any other record type.\n if (type != SSL3_RT_HANDSHAKE && //\n tls_has_unprocessed_handshake_data(ssl)) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_RECORD);\n *out_alert = SSL_AD_UNEXPECTED_MESSAGE;\n return ssl_open_record_error;\n }\n\n ssl->s3->warning_alert_count = 0;\n\n *out_type = type;\n return ssl_open_record_success;\n}\n\nstatic bool do_seal_record(SSL *ssl, uint8_t *out_prefix, uint8_t *out,\n uint8_t *out_suffix, uint8_t type, const uint8_t *in,\n const size_t in_len) {\n SSLAEADContext *aead = ssl->s3->aead_write_ctx.get();\n uint8_t *extra_in = NULL;\n size_t extra_in_len = 0;\n if (!aead->is_null_cipher() && ssl_protocol_version(ssl) >= TLS1_3_VERSION) {\n // TLS 1.3 hides the actual record type inside the encrypted data.\n extra_in = &type;\n extra_in_len = 1;\n }\n\n size_t suffix_len, ciphertext_len;\n if (!aead->SuffixLen(&suffix_len, in_len, extra_in_len) ||\n !aead->CiphertextLen(&ciphertext_len, in_len, extra_in_len)) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_RECORD_TOO_LARGE);\n return false;\n }\n\n assert(in == out || !buffers_alias(in, in_len, out, in_len));\n assert(!buffers_alias(in, in_len, out_prefix, ssl_record_prefix_len(ssl)));\n assert(!buffers_alias(in, in_len, out_suffix, suffix_len));\n\n if (extra_in_len) {\n out_prefix[0] = SSL3_RT_APPLICATION_DATA;\n } else {\n out_prefix[0] = type;\n }\n\n uint16_t record_version = tls_record_version(ssl);\n out_prefix[1] = record_version >> 8;\n out_prefix[2] = record_version & 0xff;\n out_prefix[3] = ciphertext_len >> 8;\n out_prefix[4] = ciphertext_len & 0xff;\n Span header = Span(out_prefix, SSL3_RT_HEADER_LENGTH);\n\n // Ensure the sequence number update does not overflow.\n if (ssl->s3->write_sequence + 1 == 0) {\n OPENSSL_PUT_ERROR(SSL, ERR_R_OVERFLOW);\n return false;\n }\n\n if (!aead->SealScatter(out_prefix + SSL3_RT_HEADER_LENGTH, out, out_suffix,\n out_prefix[0], record_version, ssl->s3->write_sequence,\n header, in, in_len, extra_in, extra_in_len)) {\n return false;\n }\n\n ssl->s3->write_sequence++;\n ssl_do_msg_callback(ssl, 1 /* write */, SSL3_RT_HEADER, header);\n return true;\n}\n\nstatic size_t tls_seal_scatter_prefix_len(const SSL *ssl, uint8_t type,\n size_t in_len) {\n size_t ret = SSL3_RT_HEADER_LENGTH;\n if (type == SSL3_RT_APPLICATION_DATA && in_len > 1 &&\n ssl_needs_record_splitting(ssl)) {\n // In the case of record splitting, the 1-byte record (of the 1/n-1 split)\n // will be placed in the prefix, as will four of the five bytes of the\n // record header for the main record. The final byte will replace the first\n // byte of the plaintext that was used in the small record.\n ret += ssl_cipher_get_record_split_len(ssl->s3->aead_write_ctx->cipher());\n ret += SSL3_RT_HEADER_LENGTH - 1;\n } else {\n ret += ssl->s3->aead_write_ctx->ExplicitNonceLen();\n }\n return ret;\n}\n\nstatic bool tls_seal_scatter_suffix_len(const SSL *ssl, size_t *out_suffix_len,\n uint8_t type, size_t in_len) {\n size_t extra_in_len = 0;\n if (!ssl->s3->aead_write_ctx->is_null_cipher() &&\n ssl_protocol_version(ssl) >= TLS1_3_VERSION) {\n // TLS 1.3 adds an extra byte for encrypted record type.\n extra_in_len = 1;\n }\n // clang-format off\n if (type == SSL3_RT_APPLICATION_DATA &&\n in_len > 1 &&\n ssl_needs_record_splitting(ssl)) {\n // With record splitting enabled, the first byte gets sealed into a separate\n // record which is written into the prefix.\n in_len -= 1;\n }\n // clang-format on\n return ssl->s3->aead_write_ctx->SuffixLen(out_suffix_len, in_len,\n extra_in_len);\n}\n\n// tls_seal_scatter_record seals a new record of type |type| and body |in| and\n// splits it between |out_prefix|, |out|, and |out_suffix|. Exactly\n// |tls_seal_scatter_prefix_len| bytes are written to |out_prefix|, |in_len|\n// bytes to |out|, and |tls_seal_scatter_suffix_len| bytes to |out_suffix|. It\n// returns one on success and zero on error. If enabled,\n// |tls_seal_scatter_record| implements TLS 1.0 CBC 1/n-1 record splitting and\n// may write two records concatenated.\nstatic bool tls_seal_scatter_record(SSL *ssl, uint8_t *out_prefix, uint8_t *out,\n uint8_t *out_suffix, uint8_t type,\n const uint8_t *in, size_t in_len) {\n if (type == SSL3_RT_APPLICATION_DATA && in_len > 1 &&\n ssl_needs_record_splitting(ssl)) {\n assert(ssl->s3->aead_write_ctx->ExplicitNonceLen() == 0);\n const size_t prefix_len = SSL3_RT_HEADER_LENGTH;\n\n // Write the 1-byte fragment into |out_prefix|.\n uint8_t *split_body = out_prefix + prefix_len;\n uint8_t *split_suffix = split_body + 1;\n\n if (!do_seal_record(ssl, out_prefix, split_body, split_suffix, type, in,\n 1)) {\n return false;\n }\n\n size_t split_record_suffix_len;\n if (!ssl->s3->aead_write_ctx->SuffixLen(&split_record_suffix_len, 1, 0)) {\n assert(false);\n return false;\n }\n const size_t split_record_len = prefix_len + 1 + split_record_suffix_len;\n assert(SSL3_RT_HEADER_LENGTH + ssl_cipher_get_record_split_len(\n ssl->s3->aead_write_ctx->cipher()) ==\n split_record_len);\n\n // Write the n-1-byte fragment. The header gets split between |out_prefix|\n // (header[:-1]) and |out| (header[-1:]).\n uint8_t tmp_prefix[SSL3_RT_HEADER_LENGTH];\n if (!do_seal_record(ssl, tmp_prefix, out + 1, out_suffix, type, in + 1,\n in_len - 1)) {\n return false;\n }\n assert(tls_seal_scatter_prefix_len(ssl, type, in_len) ==\n split_record_len + SSL3_RT_HEADER_LENGTH - 1);\n OPENSSL_memcpy(out_prefix + split_record_len, tmp_prefix,\n SSL3_RT_HEADER_LENGTH - 1);\n OPENSSL_memcpy(out, tmp_prefix + SSL3_RT_HEADER_LENGTH - 1, 1);\n return true;\n }\n\n return do_seal_record(ssl, out_prefix, out, out_suffix, type, in, in_len);\n}\n\nbool tls_seal_record(SSL *ssl, uint8_t *out, size_t *out_len,\n size_t max_out_len, uint8_t type, const uint8_t *in,\n size_t in_len) {\n if (buffers_alias(in, in_len, out, max_out_len)) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_OUTPUT_ALIASES_INPUT);\n return false;\n }\n\n const size_t prefix_len = tls_seal_scatter_prefix_len(ssl, type, in_len);\n size_t suffix_len;\n if (!tls_seal_scatter_suffix_len(ssl, &suffix_len, type, in_len)) {\n return false;\n }\n if (in_len + prefix_len < in_len ||\n prefix_len + in_len + suffix_len < prefix_len + in_len) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_RECORD_TOO_LARGE);\n return false;\n }\n if (max_out_len < in_len + prefix_len + suffix_len) {\n OPENSSL_PUT_ERROR(SSL, SSL_R_BUFFER_TOO_SMALL);\n return false;\n }\n\n uint8_t *prefix = out;\n uint8_t *body = out + prefix_len;\n uint8_t *suffix = body + in_len;\n if (!tls_seal_scatter_record(ssl, prefix, body, suffix, type, in, in_len)) {\n return false;\n }\n\n *out_len = prefix_len + in_len + suffix_len;\n return true;\n}\n\nenum ssl_open_record_t ssl_process_alert(SSL *ssl, uint8_t *out_alert,\n Span in) {\n // Alerts records may not contain fragmented or multiple alerts.\n if (in.size() != 2) {\n *out_alert = SSL_AD_DECODE_ERROR;\n OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_ALERT);\n return ssl_open_record_error;\n }\n\n ssl_do_msg_callback(ssl, 0 /* read */, SSL3_RT_ALERT, in);\n\n const uint8_t alert_level = in[0];\n const uint8_t alert_descr = in[1];\n\n uint16_t alert = (alert_level << 8) | alert_descr;\n ssl_do_info_callback(ssl, SSL_CB_READ_ALERT, alert);\n\n if (alert_level == SSL3_AL_WARNING) {\n if (alert_descr == SSL_AD_CLOSE_NOTIFY) {\n ssl->s3->read_shutdown = ssl_shutdown_close_notify;\n return ssl_open_record_close_notify;\n }\n\n // Warning alerts do not exist in TLS 1.3, but RFC 8446 section 6.1\n // continues to define user_canceled as a signal to cancel the handshake,\n // without specifying how to handle it. JDK11 misuses it to signal\n // full-duplex connection close after the handshake. As a workaround, skip\n // user_canceled as in TLS 1.2. This matches NSS and OpenSSL.\n if (ssl_has_final_version(ssl) &&\n ssl_protocol_version(ssl) >= TLS1_3_VERSION &&\n alert_descr != SSL_AD_USER_CANCELLED) {\n *out_alert = SSL_AD_DECODE_ERROR;\n OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_ALERT);\n return ssl_open_record_error;\n }\n\n ssl->s3->warning_alert_count++;\n if (ssl->s3->warning_alert_count > kMaxWarningAlerts) {\n *out_alert = SSL_AD_UNEXPECTED_MESSAGE;\n OPENSSL_PUT_ERROR(SSL, SSL_R_TOO_MANY_WARNING_ALERTS);\n return ssl_open_record_error;\n }\n return ssl_open_record_discard;\n }\n\n if (alert_level == SSL3_AL_FATAL) {\n OPENSSL_PUT_ERROR(SSL, SSL_AD_REASON_OFFSET + alert_descr);\n ERR_add_error_dataf(\"SSL alert number %d\", alert_descr);\n *out_alert = 0; // No alert to send back to the peer.\n return ssl_open_record_error;\n }\n\n *out_alert = SSL_AD_ILLEGAL_PARAMETER;\n OPENSSL_PUT_ERROR(SSL, SSL_R_UNKNOWN_ALERT_TYPE);\n return ssl_open_record_error;\n}\n\nBSSL_NAMESPACE_END\n\nusing namespace bssl;\n\nsize_t SSL_max_seal_overhead(const SSL *ssl) {\n if (SSL_is_dtls(ssl)) {\n // TODO(crbug.com/381113363): Use the 0-RTT epoch if writing 0-RTT.\n return dtls_max_seal_overhead(ssl, ssl->d1->write_epoch.epoch());\n }\n\n size_t ret = SSL3_RT_HEADER_LENGTH;\n ret += ssl->s3->aead_write_ctx->MaxOverhead();\n // TLS 1.3 needs an extra byte for the encrypted record type.\n if (!ssl->s3->aead_write_ctx->is_null_cipher() &&\n ssl_protocol_version(ssl) >= TLS1_3_VERSION) {\n ret += 1;\n }\n if (ssl_needs_record_splitting(ssl)) {\n ret *= 2;\n }\n return ret;\n}\n" }, { "path": "Sources/CNIOBoringSSL/third_party/fiat/asm/fiat_curve25519_adx_mul.S", "content": "#define BORINGSSL_PREFIX CNIOBoringSSL\n#include \n\n#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86_64) && \\\n (defined(__APPLE__) || defined(__ELF__))\n\n.intel_syntax noprefix\n.text\n#if defined(__APPLE__)\n.private_extern _fiat_curve25519_adx_mul\n.global _fiat_curve25519_adx_mul\n_fiat_curve25519_adx_mul:\n#else\n.type fiat_curve25519_adx_mul, @function\n.hidden fiat_curve25519_adx_mul\n.global fiat_curve25519_adx_mul\nfiat_curve25519_adx_mul:\n#endif\n\n.cfi_startproc\n_CET_ENDBR\npush rbp\n.cfi_adjust_cfa_offset 8\n.cfi_offset rbp, -16\nmov rbp, rsp\n\nmov rax, rdx\nmov rdx, [ rsi + 0x18 ]\nmulx r11, r10, [ rax + 0x8 ]\nmov rdx, [ rax + 0x0 ]\nmov [ rsp - 0x58 ], r15\n.cfi_offset r15, -16-0x58\nmulx r8, rcx, [ rsi + 0x18 ]\nmov rdx, [ rsi + 0x8 ]\nmov [ rsp - 0x80 ], rbx\n.cfi_offset rbx, -16-0x80\nmulx rbx, r9, [ rax + 0x18 ]\nmov rdx, [ rsi + 0x8 ]\nmov [ rsp - 0x70 ], r12\n.cfi_offset r12, -16-0x70\nmulx r15, r12, [ rax + 0x8 ]\nmov rdx, [ rsi + 0x0 ]\nmov [ rsp - 0x68 ], r13\n.cfi_offset r13, -16-0x68\nmov [ rsp - 0x60 ], r14\n.cfi_offset r14, -16-0x60\nmulx r14, r13, [ rax + 0x0 ]\nmov rdx, [ rax + 0x10 ]\nmov [ rsp - 0x18 ], r15\nmov [ rsp - 0x50 ], rdi\nmulx rdi, r15, [ rsi + 0x0 ]\nmov rdx, [ rax + 0x18 ]\nmov [ rsp - 0x48 ], r13\nmov [ rsp - 0x40 ], r9\nmulx r9, r13, [ rsi + 0x0 ]\ntest al, al\nadox rcx, rdi\nmov rdx, [ rsi + 0x10 ]\nmov [ rsp - 0x38 ], r13\nmulx r13, rdi, [ rax + 0x8 ]\nadox r10, r9\nmov rdx, 0x0\nadox rbx, rdx\nadcx rdi, rcx\nadcx r8, r10\nmov r9, rdx\nadcx r9, rbx\nmov rdx, [ rsi + 0x10 ]\nmulx r10, rcx, [ rax + 0x0 ]\nmov rdx, [ rsi + 0x0 ]\nmov [ rsp - 0x30 ], r15\nmulx r15, rbx, [ rax + 0x8 ]\nmov rdx, -0x2\ninc rdx\nadox rcx, r15\nsetc r15b\nclc\nadcx rcx, r12\nadox r10, rdi\nmov rdx, [ rax + 0x10 ]\nmov [ rsp - 0x78 ], rcx\nmulx rcx, rdi, [ rsi + 0x10 ]\nadox rdi, r8\nmov rdx, [ rax + 0x18 ]\nmov [ rsp - 0x28 ], rcx\nmulx rcx, r8, [ rsi + 0x10 ]\nmov rdx, [ rax + 0x10 ]\nmov [ rsp - 0x20 ], r8\nmulx r12, r8, [ rsi + 0x18 ]\nadox r8, r9\nmov rdx, [ rsi + 0x8 ]\nmov [ rsp - 0x10 ], r12\nmulx r12, r9, [ rax + 0x10 ]\nmovzx rdx, r15b\nlea rdx, [ rdx + rcx ]\nadcx r9, r10\nadcx r13, rdi\nmov r15, 0x0\nmov r10, r15\nadox r10, rdx\nmov rdx, [ rax + 0x18 ]\nmulx rcx, rdi, [ rsi + 0x18 ]\nadox rcx, r15\nadcx r11, r8\nmov rdx, r15\nadcx rdx, r10\nadcx rcx, r15\nmov r8, rdx\nmov rdx, [ rax + 0x0 ]\nmulx r15, r10, [ rsi + 0x8 ]\ntest al, al\nadox r10, r14\nadcx rbx, r10\nadox r15, [ rsp - 0x78 ]\nadcx r15, [ rsp - 0x30 ]\nadox r9, [ rsp - 0x18 ]\nadcx r9, [ rsp - 0x38 ]\nadox r13, [ rsp - 0x40 ]\nadcx r12, r13\nadox r11, [ rsp - 0x20 ]\nadcx r11, [ rsp - 0x28 ]\nmov rdx, 0x26\nmulx rsi, r14, r12\nadox rdi, r8\nadcx rdi, [ rsp - 0x10 ]\nmulx r10, r8, r11\nmov r13, 0x0\nadox rcx, r13\nadcx rcx, r13\nmulx r11, r12, rdi\nxor rdi, rdi\nadox r8, rbx\nadox r12, r15\nmulx rbx, r13, rcx\nadcx r14, [ rsp - 0x48 ]\nadox r13, r9\nadox rbx, rdi\nadcx rsi, r8\nadcx r10, r12\nadcx r11, r13\nadc rbx, 0x0\nmulx r9, r15, rbx\nxor r9, r9\nadox r15, r14\nmov rdi, r9\nadox rdi, rsi\nmov rcx, r9\nadox rcx, r10\nmov r8, [ rsp - 0x50 ]\nmov [ r8 + 0x8 ], rdi\nmov r12, r9\nadox r12, r11\nmov r14, r9\ncmovo r14, rdx\nmov [ r8 + 0x18 ], r12\nadcx r15, r14\nmov [ r8 + 0x0 ], r15\nmov [ r8 + 0x10 ], rcx\nmov rbx, [ rsp - 0x80 ]\n.cfi_restore rbx\nmov r12, [ rsp - 0x70 ]\n.cfi_restore r12\nmov r13, [ rsp - 0x68 ]\n.cfi_restore r13\nmov r14, [ rsp - 0x60 ]\n.cfi_restore r14\nmov r15, [ rsp - 0x58 ]\n.cfi_restore r15\n\npop rbp\n.cfi_restore rbp\n.cfi_adjust_cfa_offset -8\nret\n.cfi_endproc\n#if defined(__ELF__)\n.size fiat_curve25519_adx_mul, .-fiat_curve25519_adx_mul\n#endif\n\n#endif\n#if defined(__linux__) && defined(__ELF__)\n.section .note.GNU-stack,\"\",%progbits\n#endif\n\n" }, { "path": "Sources/CNIOBoringSSL/third_party/fiat/asm/fiat_curve25519_adx_square.S", "content": "#define BORINGSSL_PREFIX CNIOBoringSSL\n#include \n\n#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86_64) && \\\n (defined(__APPLE__) || defined(__ELF__))\n\n.intel_syntax noprefix\n.text\n#if defined(__APPLE__)\n.private_extern _fiat_curve25519_adx_square\n.global _fiat_curve25519_adx_square\n_fiat_curve25519_adx_square:\n#else\n.type fiat_curve25519_adx_square, @function\n.hidden fiat_curve25519_adx_square\n.global fiat_curve25519_adx_square\nfiat_curve25519_adx_square:\n#endif\n\n.cfi_startproc\n_CET_ENDBR\npush rbp\n.cfi_adjust_cfa_offset 8\n.cfi_offset rbp, -16\nmov rbp, rsp\n\nmov rdx, [ rsi + 0x0 ]\nmulx r10, rax, [ rsi + 0x8 ]\nmov rdx, [ rsi + 0x0 ]\nmulx rcx, r11, [ rsi + 0x10 ]\nxor rdx, rdx\nadox r11, r10\nmov rdx, [ rsi + 0x0 ]\nmulx r9, r8, [ rsi + 0x18 ]\nmov rdx, [ rsi + 0x8 ]\nmov [ rsp - 0x80 ], rbx\n.cfi_offset rbx, -16-0x80\nmulx rbx, r10, [ rsi + 0x18 ]\nadox r8, rcx\nmov [rsp - 0x48 ], rdi\nadox r10, r9\nadcx rax, rax\nmov rdx, [ rsi + 0x10 ]\nmulx r9, rcx, [ rsi + 0x18 ]\nadox rcx, rbx\nmov rdx, [ rsi + 0x10 ]\nmulx rdi, rbx, [ rsi + 0x8 ]\nmov rdx, 0x0\nadox r9, rdx\nmov [ rsp - 0x70 ], r12\n.cfi_offset r12, -16-0x70\nmov r12, -0x3\ninc r12\nadox rbx, r8\nadox rdi, r10\nadcx r11, r11\nmov r8, rdx\nadox r8, rcx\nmov r10, rdx\nadox r10, r9\nadcx rbx, rbx\nmov rdx, [ rsi + 0x0 ]\nmulx r9, rcx, rdx\nmov rdx, [ rsi + 0x8 ]\nmov [ rsp - 0x68 ], r13\n.cfi_offset r13, -16-0x68\nmov [ rsp - 0x60 ], r14\n.cfi_offset r14, -16-0x60\nmulx r14, r13, rdx\nseto dl\ninc r12\nadox r9, rax\nadox r13, r11\nadox r14, rbx\nadcx rdi, rdi\nmov al, dl\nmov rdx, [ rsi + 0x10 ]\nmulx rbx, r11, rdx\nadox r11, rdi\nadcx r8, r8\nadox rbx, r8\nadcx r10, r10\nmovzx rdx, al\nmov rdi, 0x0\nadcx rdx, rdi\nmovzx r8, al\nlea r8, [ r8 + rdx ]\nmov rdx, [ rsi + 0x18 ]\nmulx rdi, rax, rdx\nadox rax, r10\nmov rdx, 0x26\nmov [ rsp - 0x58 ], r15\n.cfi_offset r15, -16-0x58\nmulx r15, r10, r11\nclc\nadcx r10, rcx\nmulx r11, rcx, rbx\nadox r8, rdi\nmulx rdi, rbx, r8\ninc r12\nadox rcx, r9\nmulx r8, r9, rax\nadcx r15, rcx\nadox r9, r13\nadcx r11, r9\nadox rbx, r14\nadox rdi, r12\nadcx r8, rbx\nadc rdi, 0x0\nmulx r14, r13, rdi\ntest al, al\nmov rdi, [ rsp - 0x48 ]\nadox r13, r10\nmov r14, r12\nadox r14, r15\nmov [ rdi + 0x8 ], r14\nmov rax, r12\nadox rax, r11\nmov r10, r12\nadox r10, r8\nmov [ rdi + 0x10 ], rax\nmov rcx, r12\ncmovo rcx, rdx\nadcx r13, rcx\nmov [ rdi + 0x0 ], r13\nmov [ rdi + 0x18 ], r10\nmov rbx, [ rsp - 0x80 ]\n.cfi_restore rbx\nmov r12, [ rsp - 0x70 ]\n.cfi_restore r12\nmov r13, [ rsp - 0x68 ]\n.cfi_restore r13\nmov r14, [ rsp - 0x60 ]\n.cfi_restore r14\nmov r15, [ rsp - 0x58 ]\n.cfi_restore r15\n\npop rbp\n.cfi_restore rbp\n.cfi_adjust_cfa_offset -8\nret\n.cfi_endproc\n#if defined(__ELF__)\n.size fiat_curve25519_adx_square, .-fiat_curve25519_adx_square\n#endif\n\n#endif\n#if defined(__linux__) && defined(__ELF__)\n.section .note.GNU-stack,\"\",%progbits\n#endif\n\n" }, { "path": "Sources/CNIOBoringSSL/third_party/fiat/asm/fiat_p256_adx_mul.S", "content": "#define BORINGSSL_PREFIX CNIOBoringSSL\n#include \n\n#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86_64) && \\\n (defined(__APPLE__) || defined(__ELF__))\n\n.text\n#if defined(__APPLE__)\n.private_extern _fiat_p256_adx_mul\n.global _fiat_p256_adx_mul\n_fiat_p256_adx_mul:\n#else\n.type fiat_p256_adx_mul, @function\n.hidden fiat_p256_adx_mul\n.global fiat_p256_adx_mul\nfiat_p256_adx_mul:\n#endif\n\n.cfi_startproc\n_CET_ENDBR\npushq %rbp\n;.cfi_adjust_cfa_offset 8\n.cfi_offset rbp, -16\nmovq %rsp, %rbp\nmovq %rdx, %rax\nmovq (%rsi), %rdx\ntestb %al, %al\nmulxq (%rax), %rcx, %r8\nmovq %rbx, -0x80(%rsp)\n.cfi_offset rbx, -16-0x80\nmulxq 0x8(%rax), %r9, %rbx\nmovq %r14, -0x68(%rsp)\n.cfi_offset r14, -16-0x68\nadcq %r8, %r9\nmovq %r15, -0x60(%rsp)\n.cfi_offset r15, -16-0x60\nmulxq 0x10(%rax), %r14, %r15\nmovq %r12, -0x78(%rsp)\n.cfi_offset r12, -16-0x78\nadcq %rbx, %r14\nmulxq 0x18(%rax), %r10, %r11\nmovq %r13, -0x70(%rsp)\n.cfi_offset r13, -16-0x70\nadcq %r15, %r10\nmovq 0x8(%rsi), %rdx\nmulxq (%rax), %r8, %rbx\nadcq $0x0, %r11\nxorq %r15, %r15\nadcxq %r9, %r8\nadoxq %r14, %rbx\nmovq %rdi, -0x58(%rsp)\nmulxq 0x8(%rax), %r9, %rdi\nadcxq %rbx, %r9\nadoxq %r10, %rdi\nmulxq 0x10(%rax), %r14, %rbx\nadcxq %rdi, %r14\nadoxq %r11, %rbx\nmulxq 0x18(%rax), %r12, %r13\nadcxq %rbx, %r12\nmovq $0x100000000, %rdx\nmulxq %rcx, %r10, %r11\nadoxq %r15, %r13\nadcxq %r15, %r13\nxorq %rdi, %rdi\nadoxq %r8, %r10\nmulxq %r10, %rbx, %r8\nadoxq %r9, %r11\nadcxq %r11, %rbx\nadoxq %r14, %r8\nmovq $0xffffffff00000001, %rdx\nmulxq %rcx, %r15, %r9\nadcxq %r8, %r15\nadoxq %r12, %r9\nmulxq %r10, %rcx, %r14\nmovq 0x10(%rsi), %rdx\nmulxq 0x8(%rax), %r12, %r10\nadcxq %r9, %rcx\nadoxq %r13, %r14\nmulxq (%rax), %r13, %r11\nmovq %rdi, %r9\nadcxq %r9, %r14\nadoxq %rdi, %rdi\nadcq $0x0, %rdi\nxorq %r9, %r9\nadcxq %rbx, %r13\nadoxq %r15, %r11\nmovq 0x10(%rsi), %rdx\nmulxq 0x10(%rax), %r8, %r15\nadoxq %rcx, %r10\nmulxq 0x18(%rax), %rbx, %rcx\nmovq 0x18(%rsi), %rdx\nadcxq %r11, %r12\nmulxq 0x8(%rax), %r11, %rsi\nadcxq %r10, %r8\nadoxq %r14, %r15\nadcxq %r15, %rbx\nadoxq %r9, %rcx\nadcxq %r9, %rcx\nmulxq (%rax), %r10, %r15\naddq %rdi, %rcx\nmovq %r9, %r14\nadcq $0x0, %r14\nxorq %r9, %r9\nadcxq %r12, %r10\nadoxq %r8, %r15\nadcxq %r15, %r11\nadoxq %rbx, %rsi\nmulxq 0x10(%rax), %r12, %r8\nadoxq %rcx, %r8\nmulxq 0x18(%rax), %rbx, %rcx\nadcxq %rsi, %r12\nadoxq %r9, %rcx\nmovq $0x100000000, %rdx\nadcxq %r8, %rbx\nadcq $0x0, %rcx\nmulxq %r13, %r15, %rdi\nxorq %rax, %rax\nadcxq %r14, %rcx\nadcq $0x0, %rax\nxorq %r9, %r9\nadoxq %r10, %r15\nmulxq %r15, %r10, %r14\nadoxq %r11, %rdi\nmovq $0xffffffff00000001, %rdx\nadoxq %r12, %r14\nadcxq %rdi, %r10\nmulxq %r13, %r11, %r12\nadcxq %r14, %r11\nadoxq %rbx, %r12\nmulxq %r15, %r13, %rbx\nadcxq %r12, %r13\nadoxq %rcx, %rbx\nmovq %r9, %r8\nadoxq %r9, %rax\nadcxq %rbx, %r8\nadcq $0x0, %rax\nmovq %rax, %rcx\nmovq $0xffffffffffffffff, %r15\nmovq %r10, %rdi\nsubq %r15, %rdi\nmovq $0xffffffff, %r14\nmovq %r11, %r12\nsbbq %r14, %r12\nmovq %r13, %rbx\nsbbq %r9, %rbx\nmovq %rax, %rax\nmovq %r8, %rax\nsbbq %rdx, %rax\nsbbq %r9, %rcx\ncmovcq %r10, %rdi\nmovq -0x58(%rsp), %r10\ncmovcq %r13, %rbx\nmovq -0x70(%rsp), %r13\n.cfi_restore r13\ncmovcq %r11, %r12\ncmovcq %r8, %rax\nmovq %rbx, 0x10(%r10)\nmovq -0x80(%rsp), %rbx\n.cfi_restore rbx\nmovq %rdi, (%r10)\nmovq %r12, 0x8(%r10)\nmovq %rax, 0x18(%r10)\nmovq -0x78(%rsp), %r12\n.cfi_restore r12\nmovq -0x68(%rsp), %r14\n.cfi_restore r14\nmovq -0x60(%rsp), %r15\n.cfi_restore r15\npopq %rbp\n.cfi_restore rbp\n.cfi_adjust_cfa_offset -8\nretq\n.cfi_endproc\n#if defined(__ELF__)\n.size fiat_p256_adx_mul, .-fiat_p256_adx_mul\n#endif\n\n#endif\n#if defined(__linux__) && defined(__ELF__)\n.section .note.GNU-stack,\"\",%progbits\n#endif\n\n" }, { "path": "Sources/CNIOBoringSSL/third_party/fiat/asm/fiat_p256_adx_sqr.S", "content": "#define BORINGSSL_PREFIX CNIOBoringSSL\n#include \n\n#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86_64) && \\\n (defined(__APPLE__) || defined(__ELF__))\n\n.text\n#if defined(__APPLE__)\n.private_extern _fiat_p256_adx_sqr\n.global _fiat_p256_adx_sqr\n_fiat_p256_adx_sqr:\n#else\n.type fiat_p256_adx_sqr, @function\n.hidden fiat_p256_adx_sqr\n.global fiat_p256_adx_sqr\nfiat_p256_adx_sqr:\n#endif\n\n.cfi_startproc\n_CET_ENDBR\npushq %rbp\n.cfi_adjust_cfa_offset 8\n.cfi_offset rbp, -16\nmovq %rsp, %rbp\nmovq (%rsi), %rdx\nmulxq 0x18(%rsi), %rax, %r10\nmulxq %rdx, %r11, %rcx\nmulxq 0x8(%rsi), %r8, %r9\nmovq %rbx, -0x80(%rsp)\n.cfi_offset rbx, -16-0x80\nxorq %rbx, %rbx\nadoxq %r8, %r8\nmovq %r12, -0x78(%rsp)\n.cfi_offset r12, -16-0x78\nmulxq 0x10(%rsi), %rbx, %r12\nmovq 0x8(%rsi), %rdx\nmovq %r13, -0x70(%rsp)\n.cfi_offset r13, -16-0x70\nmovq %r14, -0x68(%rsp)\n.cfi_offset r14, -16-0x68\nmulxq %rdx, %r13, %r14\nmovq %r15, -0x60(%rsp)\n.cfi_offset r15, -16-0x60\nmovq %rdi, -0x58(%rsp)\nmulxq 0x10(%rsi), %r15, %rdi\nadcxq %r15, %r12\nmovq %r11, -0x50(%rsp)\nmulxq 0x18(%rsi), %r15, %r11\nadcxq %rdi, %r10\nmovq $0x0, %rdi\nadcxq %rdi, %r11\nclc\nadcxq %r9, %rbx\nadoxq %rbx, %rbx\nadcxq %r12, %rax\nadoxq %rax, %rax\nadcxq %r10, %r15\nadoxq %r15, %r15\nmovq 0x10(%rsi), %rdx\nmulxq 0x18(%rsi), %r9, %r12\nadcxq %r11, %r9\nadcxq %rdi, %r12\nmulxq %rdx, %r10, %r11\nclc\nadcxq %r8, %rcx\nadcxq %rbx, %r13\nadcxq %rax, %r14\nadoxq %r9, %r9\nadcxq %r15, %r10\nmovq 0x18(%rsi), %rdx\nmulxq %rdx, %r8, %rbx\nadoxq %r12, %r12\nadcxq %r9, %r11\nmovq -0x50(%rsp), %rsi\nadcxq %r12, %r8\nmovq $0x100000000, %rax\nmovq %rax, %rdx\nmulxq %rsi, %rax, %r15\nadcxq %rdi, %rbx\nadoxq %rdi, %rbx\nxorq %r9, %r9\nadoxq %rcx, %rax\nadoxq %r13, %r15\nmulxq %rax, %rdi, %rcx\nadcxq %r15, %rdi\nadoxq %r14, %rcx\nmovq $0xffffffff00000001, %rdx\nmulxq %rsi, %r13, %r14\nadoxq %r10, %r14\nadcxq %rcx, %r13\nmulxq %rax, %r10, %r12\nadoxq %r11, %r12\nmovq %r9, %r11\nadoxq %r8, %r11\nadcxq %r14, %r10\nmovq %r9, %r8\nadcxq %r12, %r8\nmovq %r9, %rax\nadcxq %r11, %rax\nmovq %r9, %r15\nadoxq %rbx, %r15\nmovq $0x100000000, %rdx\nmulxq %rdi, %rbx, %rcx\nmovq %r9, %r14\nadcxq %r15, %r14\nmovq %r9, %r12\nadoxq %r12, %r12\nadcxq %r9, %r12\nadoxq %r13, %rbx\nmulxq %rbx, %r13, %r11\nmovq $0xffffffff00000001, %r15\nmovq %r15, %rdx\nmulxq %rbx, %r15, %rsi\nadoxq %r10, %rcx\nadoxq %r8, %r11\nmulxq %rdi, %r10, %r8\nadcxq %rcx, %r13\nadoxq %rax, %r8\nadcxq %r11, %r10\nadoxq %r14, %rsi\nmovq %r12, %rdi\nmovq %r9, %rax\nadoxq %rax, %rdi\nadcxq %r8, %r15\nmovq %rax, %r14\nadcxq %rsi, %r14\nadcxq %r9, %rdi\ndecq %r9\nmovq %r13, %rbx\nsubq %r9, %rbx\nmovq $0xffffffff, %rcx\nmovq %r10, %r11\nsbbq %rcx, %r11\nmovq %r15, %r8\nsbbq %rax, %r8\nmovq %r14, %rsi\nsbbq %rdx, %rsi\nsbbq %rax, %rdi\ncmovcq %r13, %rbx\ncmovcq %r15, %r8\ncmovcq %r10, %r11\ncmovcq %r14, %rsi\nmovq -0x58(%rsp), %rdi\nmovq %rsi, 0x18(%rdi)\nmovq %rbx, (%rdi)\nmovq %r11, 0x8(%rdi)\nmovq %r8, 0x10(%rdi)\nmovq -0x80(%rsp), %rbx\n.cfi_restore rbx\nmovq -0x78(%rsp), %r12\n.cfi_restore r12\nmovq -0x70(%rsp), %r13\n.cfi_restore r13\nmovq -0x68(%rsp), %r14\n.cfi_restore r14\nmovq -0x60(%rsp), %r15\n.cfi_restore r15\npopq %rbp\n.cfi_restore rbp\n.cfi_adjust_cfa_offset -8\nretq\n.cfi_endproc\n#if defined(__ELF__)\n.size fiat_p256_adx_sqr, .-fiat_p256_adx_sqr\n#endif\n\n#endif\n#if defined(__linux__) && defined(__ELF__)\n.section .note.GNU-stack,\"\",%progbits\n#endif\n\n" }, { "path": "Sources/CNIOBoringSSL/third_party/fiat/curve25519_32.h", "content": "/* Autogenerated: 'src/ExtractionOCaml/unsaturated_solinas' --inline --static --use-value-barrier 25519 32 '(auto)' '2^255 - 19' carry_mul carry_square carry add sub opp selectznz to_bytes from_bytes relax carry_scmul121666 */\n/* curve description: 25519 */\n/* machine_wordsize = 32 (from \"32\") */\n/* requested operations: carry_mul, carry_square, carry, add, sub, opp, selectznz, to_bytes, from_bytes, relax, carry_scmul121666 */\n/* n = 10 (from \"(auto)\") */\n/* s-c = 2^255 - [(1, 19)] (from \"2^255 - 19\") */\n/* tight_bounds_multiplier = 1 (from \"\") */\n/* */\n/* Computed values: */\n/* carry_chain = [0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 0, 1] */\n/* eval z = z[0] + (z[1] << 26) + (z[2] << 51) + (z[3] << 77) + (z[4] << 102) + (z[5] << 128) + (z[6] << 153) + (z[7] << 179) + (z[8] << 204) + (z[9] << 230) */\n/* bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) */\n/* balance = [0x7ffffda, 0x3fffffe, 0x7fffffe, 0x3fffffe, 0x7fffffe, 0x3fffffe, 0x7fffffe, 0x3fffffe, 0x7fffffe, 0x3fffffe] */\n\n#include \ntypedef unsigned char fiat_25519_uint1;\ntypedef signed char fiat_25519_int1;\n#if defined(__GNUC__) || defined(__clang__)\n# define FIAT_25519_FIAT_INLINE __inline__\n#else\n# define FIAT_25519_FIAT_INLINE\n#endif\n\n/* The type fiat_25519_loose_field_element is a field element with loose bounds. */\n/* Bounds: [[0x0 ~> 0xc000000], [0x0 ~> 0x6000000], [0x0 ~> 0xc000000], [0x0 ~> 0x6000000], [0x0 ~> 0xc000000], [0x0 ~> 0x6000000], [0x0 ~> 0xc000000], [0x0 ~> 0x6000000], [0x0 ~> 0xc000000], [0x0 ~> 0x6000000]] */\ntypedef uint32_t fiat_25519_loose_field_element[10];\n\n/* The type fiat_25519_tight_field_element is a field element with tight bounds. */\n/* Bounds: [[0x0 ~> 0x4000000], [0x0 ~> 0x2000000], [0x0 ~> 0x4000000], [0x0 ~> 0x2000000], [0x0 ~> 0x4000000], [0x0 ~> 0x2000000], [0x0 ~> 0x4000000], [0x0 ~> 0x2000000], [0x0 ~> 0x4000000], [0x0 ~> 0x2000000]] */\ntypedef uint32_t fiat_25519_tight_field_element[10];\n\n#if (-1 & 3) != 3\n#error \"This code only works on a two's complement system\"\n#endif\n\n#if !defined(FIAT_25519_NO_ASM) && (defined(__GNUC__) || defined(__clang__))\nstatic __inline__ uint32_t fiat_25519_value_barrier_u32(uint32_t a) {\n __asm__(\"\" : \"+r\"(a) : /* no inputs */);\n return a;\n}\n#else\n# define fiat_25519_value_barrier_u32(x) (x)\n#endif\n\n\n/*\n * The function fiat_25519_addcarryx_u26 is an addition with carry.\n *\n * Postconditions:\n * out1 = (arg1 + arg2 + arg3) mod 2^26\n * out2 = ⌊(arg1 + arg2 + arg3) / 2^26⌋\n *\n * Input Bounds:\n * arg1: [0x0 ~> 0x1]\n * arg2: [0x0 ~> 0x3ffffff]\n * arg3: [0x0 ~> 0x3ffffff]\n * Output Bounds:\n * out1: [0x0 ~> 0x3ffffff]\n * out2: [0x0 ~> 0x1]\n */\nstatic FIAT_25519_FIAT_INLINE void fiat_25519_addcarryx_u26(uint32_t* out1, fiat_25519_uint1* out2, fiat_25519_uint1 arg1, uint32_t arg2, uint32_t arg3) {\n uint32_t x1;\n uint32_t x2;\n fiat_25519_uint1 x3;\n x1 = ((arg1 + arg2) + arg3);\n x2 = (x1 & UINT32_C(0x3ffffff));\n x3 = (fiat_25519_uint1)(x1 >> 26);\n *out1 = x2;\n *out2 = x3;\n}\n\n/*\n * The function fiat_25519_subborrowx_u26 is a subtraction with borrow.\n *\n * Postconditions:\n * out1 = (-arg1 + arg2 + -arg3) mod 2^26\n * out2 = -⌊(-arg1 + arg2 + -arg3) / 2^26⌋\n *\n * Input Bounds:\n * arg1: [0x0 ~> 0x1]\n * arg2: [0x0 ~> 0x3ffffff]\n * arg3: [0x0 ~> 0x3ffffff]\n * Output Bounds:\n * out1: [0x0 ~> 0x3ffffff]\n * out2: [0x0 ~> 0x1]\n */\nstatic FIAT_25519_FIAT_INLINE void fiat_25519_subborrowx_u26(uint32_t* out1, fiat_25519_uint1* out2, fiat_25519_uint1 arg1, uint32_t arg2, uint32_t arg3) {\n int32_t x1;\n fiat_25519_int1 x2;\n uint32_t x3;\n x1 = ((int32_t)(arg2 - arg1) - (int32_t)arg3);\n x2 = (fiat_25519_int1)(x1 >> 26);\n x3 = (x1 & UINT32_C(0x3ffffff));\n *out1 = x3;\n *out2 = (fiat_25519_uint1)(0x0 - x2);\n}\n\n/*\n * The function fiat_25519_addcarryx_u25 is an addition with carry.\n *\n * Postconditions:\n * out1 = (arg1 + arg2 + arg3) mod 2^25\n * out2 = ⌊(arg1 + arg2 + arg3) / 2^25⌋\n *\n * Input Bounds:\n * arg1: [0x0 ~> 0x1]\n * arg2: [0x0 ~> 0x1ffffff]\n * arg3: [0x0 ~> 0x1ffffff]\n * Output Bounds:\n * out1: [0x0 ~> 0x1ffffff]\n * out2: [0x0 ~> 0x1]\n */\nstatic FIAT_25519_FIAT_INLINE void fiat_25519_addcarryx_u25(uint32_t* out1, fiat_25519_uint1* out2, fiat_25519_uint1 arg1, uint32_t arg2, uint32_t arg3) {\n uint32_t x1;\n uint32_t x2;\n fiat_25519_uint1 x3;\n x1 = ((arg1 + arg2) + arg3);\n x2 = (x1 & UINT32_C(0x1ffffff));\n x3 = (fiat_25519_uint1)(x1 >> 25);\n *out1 = x2;\n *out2 = x3;\n}\n\n/*\n * The function fiat_25519_subborrowx_u25 is a subtraction with borrow.\n *\n * Postconditions:\n * out1 = (-arg1 + arg2 + -arg3) mod 2^25\n * out2 = -⌊(-arg1 + arg2 + -arg3) / 2^25⌋\n *\n * Input Bounds:\n * arg1: [0x0 ~> 0x1]\n * arg2: [0x0 ~> 0x1ffffff]\n * arg3: [0x0 ~> 0x1ffffff]\n * Output Bounds:\n * out1: [0x0 ~> 0x1ffffff]\n * out2: [0x0 ~> 0x1]\n */\nstatic FIAT_25519_FIAT_INLINE void fiat_25519_subborrowx_u25(uint32_t* out1, fiat_25519_uint1* out2, fiat_25519_uint1 arg1, uint32_t arg2, uint32_t arg3) {\n int32_t x1;\n fiat_25519_int1 x2;\n uint32_t x3;\n x1 = ((int32_t)(arg2 - arg1) - (int32_t)arg3);\n x2 = (fiat_25519_int1)(x1 >> 25);\n x3 = (x1 & UINT32_C(0x1ffffff));\n *out1 = x3;\n *out2 = (fiat_25519_uint1)(0x0 - x2);\n}\n\n/*\n * The function fiat_25519_cmovznz_u32 is a single-word conditional move.\n *\n * Postconditions:\n * out1 = (if arg1 = 0 then arg2 else arg3)\n *\n * Input Bounds:\n * arg1: [0x0 ~> 0x1]\n * arg2: [0x0 ~> 0xffffffff]\n * arg3: [0x0 ~> 0xffffffff]\n * Output Bounds:\n * out1: [0x0 ~> 0xffffffff]\n */\nstatic FIAT_25519_FIAT_INLINE void fiat_25519_cmovznz_u32(uint32_t* out1, fiat_25519_uint1 arg1, uint32_t arg2, uint32_t arg3) {\n fiat_25519_uint1 x1;\n uint32_t x2;\n uint32_t x3;\n x1 = (!(!arg1));\n x2 = ((fiat_25519_int1)(0x0 - x1) & UINT32_C(0xffffffff));\n x3 = ((fiat_25519_value_barrier_u32(x2) & arg3) | (fiat_25519_value_barrier_u32((~x2)) & arg2));\n *out1 = x3;\n}\n\n/*\n * The function fiat_25519_carry_mul multiplies two field elements and reduces the result.\n *\n * Postconditions:\n * eval out1 mod m = (eval arg1 * eval arg2) mod m\n *\n */\nstatic FIAT_25519_FIAT_INLINE void fiat_25519_carry_mul(fiat_25519_tight_field_element out1, const fiat_25519_loose_field_element arg1, const fiat_25519_loose_field_element arg2) {\n uint64_t x1;\n uint64_t x2;\n uint64_t x3;\n uint64_t x4;\n uint64_t x5;\n uint64_t x6;\n uint64_t x7;\n uint64_t x8;\n uint64_t x9;\n uint64_t x10;\n uint64_t x11;\n uint64_t x12;\n uint64_t x13;\n uint64_t x14;\n uint64_t x15;\n uint64_t x16;\n uint64_t x17;\n uint64_t x18;\n uint64_t x19;\n uint64_t x20;\n uint64_t x21;\n uint64_t x22;\n uint64_t x23;\n uint64_t x24;\n uint64_t x25;\n uint64_t x26;\n uint64_t x27;\n uint64_t x28;\n uint64_t x29;\n uint64_t x30;\n uint64_t x31;\n uint64_t x32;\n uint64_t x33;\n uint64_t x34;\n uint64_t x35;\n uint64_t x36;\n uint64_t x37;\n uint64_t x38;\n uint64_t x39;\n uint64_t x40;\n uint64_t x41;\n uint64_t x42;\n uint64_t x43;\n uint64_t x44;\n uint64_t x45;\n uint64_t x46;\n uint64_t x47;\n uint64_t x48;\n uint64_t x49;\n uint64_t x50;\n uint64_t x51;\n uint64_t x52;\n uint64_t x53;\n uint64_t x54;\n uint64_t x55;\n uint64_t x56;\n uint64_t x57;\n uint64_t x58;\n uint64_t x59;\n uint64_t x60;\n uint64_t x61;\n uint64_t x62;\n uint64_t x63;\n uint64_t x64;\n uint64_t x65;\n uint64_t x66;\n uint64_t x67;\n uint64_t x68;\n uint64_t x69;\n uint64_t x70;\n uint64_t x71;\n uint64_t x72;\n uint64_t x73;\n uint64_t x74;\n uint64_t x75;\n uint64_t x76;\n uint64_t x77;\n uint64_t x78;\n uint64_t x79;\n uint64_t x80;\n uint64_t x81;\n uint64_t x82;\n uint64_t x83;\n uint64_t x84;\n uint64_t x85;\n uint64_t x86;\n uint64_t x87;\n uint64_t x88;\n uint64_t x89;\n uint64_t x90;\n uint64_t x91;\n uint64_t x92;\n uint64_t x93;\n uint64_t x94;\n uint64_t x95;\n uint64_t x96;\n uint64_t x97;\n uint64_t x98;\n uint64_t x99;\n uint64_t x100;\n uint64_t x101;\n uint64_t x102;\n uint32_t x103;\n uint64_t x104;\n uint64_t x105;\n uint64_t x106;\n uint64_t x107;\n uint64_t x108;\n uint64_t x109;\n uint64_t x110;\n uint64_t x111;\n uint64_t x112;\n uint64_t x113;\n uint64_t x114;\n uint32_t x115;\n uint64_t x116;\n uint64_t x117;\n uint32_t x118;\n uint64_t x119;\n uint64_t x120;\n uint32_t x121;\n uint64_t x122;\n uint64_t x123;\n uint32_t x124;\n uint64_t x125;\n uint64_t x126;\n uint32_t x127;\n uint64_t x128;\n uint64_t x129;\n uint32_t x130;\n uint64_t x131;\n uint64_t x132;\n uint32_t x133;\n uint64_t x134;\n uint64_t x135;\n uint32_t x136;\n uint64_t x137;\n uint64_t x138;\n uint32_t x139;\n uint64_t x140;\n uint64_t x141;\n uint32_t x142;\n uint32_t x143;\n uint32_t x144;\n fiat_25519_uint1 x145;\n uint32_t x146;\n uint32_t x147;\n x1 = ((uint64_t)(arg1[9]) * ((arg2[9]) * UINT8_C(0x26)));\n x2 = ((uint64_t)(arg1[9]) * ((arg2[8]) * UINT8_C(0x13)));\n x3 = ((uint64_t)(arg1[9]) * ((arg2[7]) * UINT8_C(0x26)));\n x4 = ((uint64_t)(arg1[9]) * ((arg2[6]) * UINT8_C(0x13)));\n x5 = ((uint64_t)(arg1[9]) * ((arg2[5]) * UINT8_C(0x26)));\n x6 = ((uint64_t)(arg1[9]) * ((arg2[4]) * UINT8_C(0x13)));\n x7 = ((uint64_t)(arg1[9]) * ((arg2[3]) * UINT8_C(0x26)));\n x8 = ((uint64_t)(arg1[9]) * ((arg2[2]) * UINT8_C(0x13)));\n x9 = ((uint64_t)(arg1[9]) * ((arg2[1]) * UINT8_C(0x26)));\n x10 = ((uint64_t)(arg1[8]) * ((arg2[9]) * UINT8_C(0x13)));\n x11 = ((uint64_t)(arg1[8]) * ((arg2[8]) * UINT8_C(0x13)));\n x12 = ((uint64_t)(arg1[8]) * ((arg2[7]) * UINT8_C(0x13)));\n x13 = ((uint64_t)(arg1[8]) * ((arg2[6]) * UINT8_C(0x13)));\n x14 = ((uint64_t)(arg1[8]) * ((arg2[5]) * UINT8_C(0x13)));\n x15 = ((uint64_t)(arg1[8]) * ((arg2[4]) * UINT8_C(0x13)));\n x16 = ((uint64_t)(arg1[8]) * ((arg2[3]) * UINT8_C(0x13)));\n x17 = ((uint64_t)(arg1[8]) * ((arg2[2]) * UINT8_C(0x13)));\n x18 = ((uint64_t)(arg1[7]) * ((arg2[9]) * UINT8_C(0x26)));\n x19 = ((uint64_t)(arg1[7]) * ((arg2[8]) * UINT8_C(0x13)));\n x20 = ((uint64_t)(arg1[7]) * ((arg2[7]) * UINT8_C(0x26)));\n x21 = ((uint64_t)(arg1[7]) * ((arg2[6]) * UINT8_C(0x13)));\n x22 = ((uint64_t)(arg1[7]) * ((arg2[5]) * UINT8_C(0x26)));\n x23 = ((uint64_t)(arg1[7]) * ((arg2[4]) * UINT8_C(0x13)));\n x24 = ((uint64_t)(arg1[7]) * ((arg2[3]) * UINT8_C(0x26)));\n x25 = ((uint64_t)(arg1[6]) * ((arg2[9]) * UINT8_C(0x13)));\n x26 = ((uint64_t)(arg1[6]) * ((arg2[8]) * UINT8_C(0x13)));\n x27 = ((uint64_t)(arg1[6]) * ((arg2[7]) * UINT8_C(0x13)));\n x28 = ((uint64_t)(arg1[6]) * ((arg2[6]) * UINT8_C(0x13)));\n x29 = ((uint64_t)(arg1[6]) * ((arg2[5]) * UINT8_C(0x13)));\n x30 = ((uint64_t)(arg1[6]) * ((arg2[4]) * UINT8_C(0x13)));\n x31 = ((uint64_t)(arg1[5]) * ((arg2[9]) * UINT8_C(0x26)));\n x32 = ((uint64_t)(arg1[5]) * ((arg2[8]) * UINT8_C(0x13)));\n x33 = ((uint64_t)(arg1[5]) * ((arg2[7]) * UINT8_C(0x26)));\n x34 = ((uint64_t)(arg1[5]) * ((arg2[6]) * UINT8_C(0x13)));\n x35 = ((uint64_t)(arg1[5]) * ((arg2[5]) * UINT8_C(0x26)));\n x36 = ((uint64_t)(arg1[4]) * ((arg2[9]) * UINT8_C(0x13)));\n x37 = ((uint64_t)(arg1[4]) * ((arg2[8]) * UINT8_C(0x13)));\n x38 = ((uint64_t)(arg1[4]) * ((arg2[7]) * UINT8_C(0x13)));\n x39 = ((uint64_t)(arg1[4]) * ((arg2[6]) * UINT8_C(0x13)));\n x40 = ((uint64_t)(arg1[3]) * ((arg2[9]) * UINT8_C(0x26)));\n x41 = ((uint64_t)(arg1[3]) * ((arg2[8]) * UINT8_C(0x13)));\n x42 = ((uint64_t)(arg1[3]) * ((arg2[7]) * UINT8_C(0x26)));\n x43 = ((uint64_t)(arg1[2]) * ((arg2[9]) * UINT8_C(0x13)));\n x44 = ((uint64_t)(arg1[2]) * ((arg2[8]) * UINT8_C(0x13)));\n x45 = ((uint64_t)(arg1[1]) * ((arg2[9]) * UINT8_C(0x26)));\n x46 = ((uint64_t)(arg1[9]) * (arg2[0]));\n x47 = ((uint64_t)(arg1[8]) * (arg2[1]));\n x48 = ((uint64_t)(arg1[8]) * (arg2[0]));\n x49 = ((uint64_t)(arg1[7]) * (arg2[2]));\n x50 = ((uint64_t)(arg1[7]) * ((arg2[1]) * 0x2));\n x51 = ((uint64_t)(arg1[7]) * (arg2[0]));\n x52 = ((uint64_t)(arg1[6]) * (arg2[3]));\n x53 = ((uint64_t)(arg1[6]) * (arg2[2]));\n x54 = ((uint64_t)(arg1[6]) * (arg2[1]));\n x55 = ((uint64_t)(arg1[6]) * (arg2[0]));\n x56 = ((uint64_t)(arg1[5]) * (arg2[4]));\n x57 = ((uint64_t)(arg1[5]) * ((arg2[3]) * 0x2));\n x58 = ((uint64_t)(arg1[5]) * (arg2[2]));\n x59 = ((uint64_t)(arg1[5]) * ((arg2[1]) * 0x2));\n x60 = ((uint64_t)(arg1[5]) * (arg2[0]));\n x61 = ((uint64_t)(arg1[4]) * (arg2[5]));\n x62 = ((uint64_t)(arg1[4]) * (arg2[4]));\n x63 = ((uint64_t)(arg1[4]) * (arg2[3]));\n x64 = ((uint64_t)(arg1[4]) * (arg2[2]));\n x65 = ((uint64_t)(arg1[4]) * (arg2[1]));\n x66 = ((uint64_t)(arg1[4]) * (arg2[0]));\n x67 = ((uint64_t)(arg1[3]) * (arg2[6]));\n x68 = ((uint64_t)(arg1[3]) * ((arg2[5]) * 0x2));\n x69 = ((uint64_t)(arg1[3]) * (arg2[4]));\n x70 = ((uint64_t)(arg1[3]) * ((arg2[3]) * 0x2));\n x71 = ((uint64_t)(arg1[3]) * (arg2[2]));\n x72 = ((uint64_t)(arg1[3]) * ((arg2[1]) * 0x2));\n x73 = ((uint64_t)(arg1[3]) * (arg2[0]));\n x74 = ((uint64_t)(arg1[2]) * (arg2[7]));\n x75 = ((uint64_t)(arg1[2]) * (arg2[6]));\n x76 = ((uint64_t)(arg1[2]) * (arg2[5]));\n x77 = ((uint64_t)(arg1[2]) * (arg2[4]));\n x78 = ((uint64_t)(arg1[2]) * (arg2[3]));\n x79 = ((uint64_t)(arg1[2]) * (arg2[2]));\n x80 = ((uint64_t)(arg1[2]) * (arg2[1]));\n x81 = ((uint64_t)(arg1[2]) * (arg2[0]));\n x82 = ((uint64_t)(arg1[1]) * (arg2[8]));\n x83 = ((uint64_t)(arg1[1]) * ((arg2[7]) * 0x2));\n x84 = ((uint64_t)(arg1[1]) * (arg2[6]));\n x85 = ((uint64_t)(arg1[1]) * ((arg2[5]) * 0x2));\n x86 = ((uint64_t)(arg1[1]) * (arg2[4]));\n x87 = ((uint64_t)(arg1[1]) * ((arg2[3]) * 0x2));\n x88 = ((uint64_t)(arg1[1]) * (arg2[2]));\n x89 = ((uint64_t)(arg1[1]) * ((arg2[1]) * 0x2));\n x90 = ((uint64_t)(arg1[1]) * (arg2[0]));\n x91 = ((uint64_t)(arg1[0]) * (arg2[9]));\n x92 = ((uint64_t)(arg1[0]) * (arg2[8]));\n x93 = ((uint64_t)(arg1[0]) * (arg2[7]));\n x94 = ((uint64_t)(arg1[0]) * (arg2[6]));\n x95 = ((uint64_t)(arg1[0]) * (arg2[5]));\n x96 = ((uint64_t)(arg1[0]) * (arg2[4]));\n x97 = ((uint64_t)(arg1[0]) * (arg2[3]));\n x98 = ((uint64_t)(arg1[0]) * (arg2[2]));\n x99 = ((uint64_t)(arg1[0]) * (arg2[1]));\n x100 = ((uint64_t)(arg1[0]) * (arg2[0]));\n x101 = (x100 + (x45 + (x44 + (x42 + (x39 + (x35 + (x30 + (x24 + (x17 + x9)))))))));\n x102 = (x101 >> 26);\n x103 = (uint32_t)(x101 & UINT32_C(0x3ffffff));\n x104 = (x91 + (x82 + (x74 + (x67 + (x61 + (x56 + (x52 + (x49 + (x47 + x46)))))))));\n x105 = (x92 + (x83 + (x75 + (x68 + (x62 + (x57 + (x53 + (x50 + (x48 + x1)))))))));\n x106 = (x93 + (x84 + (x76 + (x69 + (x63 + (x58 + (x54 + (x51 + (x10 + x2)))))))));\n x107 = (x94 + (x85 + (x77 + (x70 + (x64 + (x59 + (x55 + (x18 + (x11 + x3)))))))));\n x108 = (x95 + (x86 + (x78 + (x71 + (x65 + (x60 + (x25 + (x19 + (x12 + x4)))))))));\n x109 = (x96 + (x87 + (x79 + (x72 + (x66 + (x31 + (x26 + (x20 + (x13 + x5)))))))));\n x110 = (x97 + (x88 + (x80 + (x73 + (x36 + (x32 + (x27 + (x21 + (x14 + x6)))))))));\n x111 = (x98 + (x89 + (x81 + (x40 + (x37 + (x33 + (x28 + (x22 + (x15 + x7)))))))));\n x112 = (x99 + (x90 + (x43 + (x41 + (x38 + (x34 + (x29 + (x23 + (x16 + x8)))))))));\n x113 = (x102 + x112);\n x114 = (x113 >> 25);\n x115 = (uint32_t)(x113 & UINT32_C(0x1ffffff));\n x116 = (x114 + x111);\n x117 = (x116 >> 26);\n x118 = (uint32_t)(x116 & UINT32_C(0x3ffffff));\n x119 = (x117 + x110);\n x120 = (x119 >> 25);\n x121 = (uint32_t)(x119 & UINT32_C(0x1ffffff));\n x122 = (x120 + x109);\n x123 = (x122 >> 26);\n x124 = (uint32_t)(x122 & UINT32_C(0x3ffffff));\n x125 = (x123 + x108);\n x126 = (x125 >> 25);\n x127 = (uint32_t)(x125 & UINT32_C(0x1ffffff));\n x128 = (x126 + x107);\n x129 = (x128 >> 26);\n x130 = (uint32_t)(x128 & UINT32_C(0x3ffffff));\n x131 = (x129 + x106);\n x132 = (x131 >> 25);\n x133 = (uint32_t)(x131 & UINT32_C(0x1ffffff));\n x134 = (x132 + x105);\n x135 = (x134 >> 26);\n x136 = (uint32_t)(x134 & UINT32_C(0x3ffffff));\n x137 = (x135 + x104);\n x138 = (x137 >> 25);\n x139 = (uint32_t)(x137 & UINT32_C(0x1ffffff));\n x140 = (x138 * UINT8_C(0x13));\n x141 = (x103 + x140);\n x142 = (uint32_t)(x141 >> 26);\n x143 = (uint32_t)(x141 & UINT32_C(0x3ffffff));\n x144 = (x142 + x115);\n x145 = (fiat_25519_uint1)(x144 >> 25);\n x146 = (x144 & UINT32_C(0x1ffffff));\n x147 = (x145 + x118);\n out1[0] = x143;\n out1[1] = x146;\n out1[2] = x147;\n out1[3] = x121;\n out1[4] = x124;\n out1[5] = x127;\n out1[6] = x130;\n out1[7] = x133;\n out1[8] = x136;\n out1[9] = x139;\n}\n\n/*\n * The function fiat_25519_carry_square squares a field element and reduces the result.\n *\n * Postconditions:\n * eval out1 mod m = (eval arg1 * eval arg1) mod m\n *\n */\nstatic FIAT_25519_FIAT_INLINE void fiat_25519_carry_square(fiat_25519_tight_field_element out1, const fiat_25519_loose_field_element arg1) {\n uint32_t x1;\n uint32_t x2;\n uint32_t x3;\n uint32_t x4;\n uint64_t x5;\n uint32_t x6;\n uint32_t x7;\n uint32_t x8;\n uint32_t x9;\n uint32_t x10;\n uint64_t x11;\n uint32_t x12;\n uint32_t x13;\n uint32_t x14;\n uint32_t x15;\n uint32_t x16;\n uint32_t x17;\n uint32_t x18;\n uint64_t x19;\n uint64_t x20;\n uint64_t x21;\n uint64_t x22;\n uint64_t x23;\n uint64_t x24;\n uint64_t x25;\n uint64_t x26;\n uint64_t x27;\n uint64_t x28;\n uint64_t x29;\n uint64_t x30;\n uint64_t x31;\n uint64_t x32;\n uint64_t x33;\n uint64_t x34;\n uint64_t x35;\n uint64_t x36;\n uint64_t x37;\n uint64_t x38;\n uint64_t x39;\n uint64_t x40;\n uint64_t x41;\n uint64_t x42;\n uint64_t x43;\n uint64_t x44;\n uint64_t x45;\n uint64_t x46;\n uint64_t x47;\n uint64_t x48;\n uint64_t x49;\n uint64_t x50;\n uint64_t x51;\n uint64_t x52;\n uint64_t x53;\n uint64_t x54;\n uint64_t x55;\n uint64_t x56;\n uint64_t x57;\n uint64_t x58;\n uint64_t x59;\n uint64_t x60;\n uint64_t x61;\n uint64_t x62;\n uint64_t x63;\n uint64_t x64;\n uint64_t x65;\n uint64_t x66;\n uint64_t x67;\n uint64_t x68;\n uint64_t x69;\n uint64_t x70;\n uint64_t x71;\n uint64_t x72;\n uint64_t x73;\n uint64_t x74;\n uint64_t x75;\n uint32_t x76;\n uint64_t x77;\n uint64_t x78;\n uint64_t x79;\n uint64_t x80;\n uint64_t x81;\n uint64_t x82;\n uint64_t x83;\n uint64_t x84;\n uint64_t x85;\n uint64_t x86;\n uint64_t x87;\n uint32_t x88;\n uint64_t x89;\n uint64_t x90;\n uint32_t x91;\n uint64_t x92;\n uint64_t x93;\n uint32_t x94;\n uint64_t x95;\n uint64_t x96;\n uint32_t x97;\n uint64_t x98;\n uint64_t x99;\n uint32_t x100;\n uint64_t x101;\n uint64_t x102;\n uint32_t x103;\n uint64_t x104;\n uint64_t x105;\n uint32_t x106;\n uint64_t x107;\n uint64_t x108;\n uint32_t x109;\n uint64_t x110;\n uint64_t x111;\n uint32_t x112;\n uint64_t x113;\n uint64_t x114;\n uint32_t x115;\n uint32_t x116;\n uint32_t x117;\n fiat_25519_uint1 x118;\n uint32_t x119;\n uint32_t x120;\n x1 = ((arg1[9]) * UINT8_C(0x13));\n x2 = (x1 * 0x2);\n x3 = ((arg1[9]) * 0x2);\n x4 = ((arg1[8]) * UINT8_C(0x13));\n x5 = ((uint64_t)x4 * 0x2);\n x6 = ((arg1[8]) * 0x2);\n x7 = ((arg1[7]) * UINT8_C(0x13));\n x8 = (x7 * 0x2);\n x9 = ((arg1[7]) * 0x2);\n x10 = ((arg1[6]) * UINT8_C(0x13));\n x11 = ((uint64_t)x10 * 0x2);\n x12 = ((arg1[6]) * 0x2);\n x13 = ((arg1[5]) * UINT8_C(0x13));\n x14 = ((arg1[5]) * 0x2);\n x15 = ((arg1[4]) * 0x2);\n x16 = ((arg1[3]) * 0x2);\n x17 = ((arg1[2]) * 0x2);\n x18 = ((arg1[1]) * 0x2);\n x19 = ((uint64_t)(arg1[9]) * (x1 * 0x2));\n x20 = ((uint64_t)(arg1[8]) * x2);\n x21 = ((uint64_t)(arg1[8]) * x4);\n x22 = ((arg1[7]) * ((uint64_t)x2 * 0x2));\n x23 = ((arg1[7]) * x5);\n x24 = ((uint64_t)(arg1[7]) * (x7 * 0x2));\n x25 = ((uint64_t)(arg1[6]) * x2);\n x26 = ((arg1[6]) * x5);\n x27 = ((uint64_t)(arg1[6]) * x8);\n x28 = ((uint64_t)(arg1[6]) * x10);\n x29 = ((arg1[5]) * ((uint64_t)x2 * 0x2));\n x30 = ((arg1[5]) * x5);\n x31 = ((arg1[5]) * ((uint64_t)x8 * 0x2));\n x32 = ((arg1[5]) * x11);\n x33 = ((uint64_t)(arg1[5]) * (x13 * 0x2));\n x34 = ((uint64_t)(arg1[4]) * x2);\n x35 = ((arg1[4]) * x5);\n x36 = ((uint64_t)(arg1[4]) * x8);\n x37 = ((arg1[4]) * x11);\n x38 = ((uint64_t)(arg1[4]) * x14);\n x39 = ((uint64_t)(arg1[4]) * (arg1[4]));\n x40 = ((arg1[3]) * ((uint64_t)x2 * 0x2));\n x41 = ((arg1[3]) * x5);\n x42 = ((arg1[3]) * ((uint64_t)x8 * 0x2));\n x43 = ((uint64_t)(arg1[3]) * x12);\n x44 = ((uint64_t)(arg1[3]) * (x14 * 0x2));\n x45 = ((uint64_t)(arg1[3]) * x15);\n x46 = ((uint64_t)(arg1[3]) * ((arg1[3]) * 0x2));\n x47 = ((uint64_t)(arg1[2]) * x2);\n x48 = ((arg1[2]) * x5);\n x49 = ((uint64_t)(arg1[2]) * x9);\n x50 = ((uint64_t)(arg1[2]) * x12);\n x51 = ((uint64_t)(arg1[2]) * x14);\n x52 = ((uint64_t)(arg1[2]) * x15);\n x53 = ((uint64_t)(arg1[2]) * x16);\n x54 = ((uint64_t)(arg1[2]) * (arg1[2]));\n x55 = ((arg1[1]) * ((uint64_t)x2 * 0x2));\n x56 = ((uint64_t)(arg1[1]) * x6);\n x57 = ((uint64_t)(arg1[1]) * (x9 * 0x2));\n x58 = ((uint64_t)(arg1[1]) * x12);\n x59 = ((uint64_t)(arg1[1]) * (x14 * 0x2));\n x60 = ((uint64_t)(arg1[1]) * x15);\n x61 = ((uint64_t)(arg1[1]) * (x16 * 0x2));\n x62 = ((uint64_t)(arg1[1]) * x17);\n x63 = ((uint64_t)(arg1[1]) * ((arg1[1]) * 0x2));\n x64 = ((uint64_t)(arg1[0]) * x3);\n x65 = ((uint64_t)(arg1[0]) * x6);\n x66 = ((uint64_t)(arg1[0]) * x9);\n x67 = ((uint64_t)(arg1[0]) * x12);\n x68 = ((uint64_t)(arg1[0]) * x14);\n x69 = ((uint64_t)(arg1[0]) * x15);\n x70 = ((uint64_t)(arg1[0]) * x16);\n x71 = ((uint64_t)(arg1[0]) * x17);\n x72 = ((uint64_t)(arg1[0]) * x18);\n x73 = ((uint64_t)(arg1[0]) * (arg1[0]));\n x74 = (x73 + (x55 + (x48 + (x42 + (x37 + x33)))));\n x75 = (x74 >> 26);\n x76 = (uint32_t)(x74 & UINT32_C(0x3ffffff));\n x77 = (x64 + (x56 + (x49 + (x43 + x38))));\n x78 = (x65 + (x57 + (x50 + (x44 + (x39 + x19)))));\n x79 = (x66 + (x58 + (x51 + (x45 + x20))));\n x80 = (x67 + (x59 + (x52 + (x46 + (x22 + x21)))));\n x81 = (x68 + (x60 + (x53 + (x25 + x23))));\n x82 = (x69 + (x61 + (x54 + (x29 + (x26 + x24)))));\n x83 = (x70 + (x62 + (x34 + (x30 + x27))));\n x84 = (x71 + (x63 + (x40 + (x35 + (x31 + x28)))));\n x85 = (x72 + (x47 + (x41 + (x36 + x32))));\n x86 = (x75 + x85);\n x87 = (x86 >> 25);\n x88 = (uint32_t)(x86 & UINT32_C(0x1ffffff));\n x89 = (x87 + x84);\n x90 = (x89 >> 26);\n x91 = (uint32_t)(x89 & UINT32_C(0x3ffffff));\n x92 = (x90 + x83);\n x93 = (x92 >> 25);\n x94 = (uint32_t)(x92 & UINT32_C(0x1ffffff));\n x95 = (x93 + x82);\n x96 = (x95 >> 26);\n x97 = (uint32_t)(x95 & UINT32_C(0x3ffffff));\n x98 = (x96 + x81);\n x99 = (x98 >> 25);\n x100 = (uint32_t)(x98 & UINT32_C(0x1ffffff));\n x101 = (x99 + x80);\n x102 = (x101 >> 26);\n x103 = (uint32_t)(x101 & UINT32_C(0x3ffffff));\n x104 = (x102 + x79);\n x105 = (x104 >> 25);\n x106 = (uint32_t)(x104 & UINT32_C(0x1ffffff));\n x107 = (x105 + x78);\n x108 = (x107 >> 26);\n x109 = (uint32_t)(x107 & UINT32_C(0x3ffffff));\n x110 = (x108 + x77);\n x111 = (x110 >> 25);\n x112 = (uint32_t)(x110 & UINT32_C(0x1ffffff));\n x113 = (x111 * UINT8_C(0x13));\n x114 = (x76 + x113);\n x115 = (uint32_t)(x114 >> 26);\n x116 = (uint32_t)(x114 & UINT32_C(0x3ffffff));\n x117 = (x115 + x88);\n x118 = (fiat_25519_uint1)(x117 >> 25);\n x119 = (x117 & UINT32_C(0x1ffffff));\n x120 = (x118 + x91);\n out1[0] = x116;\n out1[1] = x119;\n out1[2] = x120;\n out1[3] = x94;\n out1[4] = x97;\n out1[5] = x100;\n out1[6] = x103;\n out1[7] = x106;\n out1[8] = x109;\n out1[9] = x112;\n}\n\n/*\n * The function fiat_25519_carry reduces a field element.\n *\n * Postconditions:\n * eval out1 mod m = eval arg1 mod m\n *\n */\nstatic FIAT_25519_FIAT_INLINE void fiat_25519_carry(fiat_25519_tight_field_element out1, const fiat_25519_loose_field_element arg1) {\n uint32_t x1;\n uint32_t x2;\n uint32_t x3;\n uint32_t x4;\n uint32_t x5;\n uint32_t x6;\n uint32_t x7;\n uint32_t x8;\n uint32_t x9;\n uint32_t x10;\n uint32_t x11;\n uint32_t x12;\n uint32_t x13;\n uint32_t x14;\n uint32_t x15;\n uint32_t x16;\n uint32_t x17;\n uint32_t x18;\n uint32_t x19;\n uint32_t x20;\n uint32_t x21;\n uint32_t x22;\n x1 = (arg1[0]);\n x2 = ((x1 >> 26) + (arg1[1]));\n x3 = ((x2 >> 25) + (arg1[2]));\n x4 = ((x3 >> 26) + (arg1[3]));\n x5 = ((x4 >> 25) + (arg1[4]));\n x6 = ((x5 >> 26) + (arg1[5]));\n x7 = ((x6 >> 25) + (arg1[6]));\n x8 = ((x7 >> 26) + (arg1[7]));\n x9 = ((x8 >> 25) + (arg1[8]));\n x10 = ((x9 >> 26) + (arg1[9]));\n x11 = ((x1 & UINT32_C(0x3ffffff)) + ((x10 >> 25) * UINT8_C(0x13)));\n x12 = ((fiat_25519_uint1)(x11 >> 26) + (x2 & UINT32_C(0x1ffffff)));\n x13 = (x11 & UINT32_C(0x3ffffff));\n x14 = (x12 & UINT32_C(0x1ffffff));\n x15 = ((fiat_25519_uint1)(x12 >> 25) + (x3 & UINT32_C(0x3ffffff)));\n x16 = (x4 & UINT32_C(0x1ffffff));\n x17 = (x5 & UINT32_C(0x3ffffff));\n x18 = (x6 & UINT32_C(0x1ffffff));\n x19 = (x7 & UINT32_C(0x3ffffff));\n x20 = (x8 & UINT32_C(0x1ffffff));\n x21 = (x9 & UINT32_C(0x3ffffff));\n x22 = (x10 & UINT32_C(0x1ffffff));\n out1[0] = x13;\n out1[1] = x14;\n out1[2] = x15;\n out1[3] = x16;\n out1[4] = x17;\n out1[5] = x18;\n out1[6] = x19;\n out1[7] = x20;\n out1[8] = x21;\n out1[9] = x22;\n}\n\n/*\n * The function fiat_25519_add adds two field elements.\n *\n * Postconditions:\n * eval out1 mod m = (eval arg1 + eval arg2) mod m\n *\n */\nstatic FIAT_25519_FIAT_INLINE void fiat_25519_add(fiat_25519_loose_field_element out1, const fiat_25519_tight_field_element arg1, const fiat_25519_tight_field_element arg2) {\n uint32_t x1;\n uint32_t x2;\n uint32_t x3;\n uint32_t x4;\n uint32_t x5;\n uint32_t x6;\n uint32_t x7;\n uint32_t x8;\n uint32_t x9;\n uint32_t x10;\n x1 = ((arg1[0]) + (arg2[0]));\n x2 = ((arg1[1]) + (arg2[1]));\n x3 = ((arg1[2]) + (arg2[2]));\n x4 = ((arg1[3]) + (arg2[3]));\n x5 = ((arg1[4]) + (arg2[4]));\n x6 = ((arg1[5]) + (arg2[5]));\n x7 = ((arg1[6]) + (arg2[6]));\n x8 = ((arg1[7]) + (arg2[7]));\n x9 = ((arg1[8]) + (arg2[8]));\n x10 = ((arg1[9]) + (arg2[9]));\n out1[0] = x1;\n out1[1] = x2;\n out1[2] = x3;\n out1[3] = x4;\n out1[4] = x5;\n out1[5] = x6;\n out1[6] = x7;\n out1[7] = x8;\n out1[8] = x9;\n out1[9] = x10;\n}\n\n/*\n * The function fiat_25519_sub subtracts two field elements.\n *\n * Postconditions:\n * eval out1 mod m = (eval arg1 - eval arg2) mod m\n *\n */\nstatic FIAT_25519_FIAT_INLINE void fiat_25519_sub(fiat_25519_loose_field_element out1, const fiat_25519_tight_field_element arg1, const fiat_25519_tight_field_element arg2) {\n uint32_t x1;\n uint32_t x2;\n uint32_t x3;\n uint32_t x4;\n uint32_t x5;\n uint32_t x6;\n uint32_t x7;\n uint32_t x8;\n uint32_t x9;\n uint32_t x10;\n x1 = ((UINT32_C(0x7ffffda) + (arg1[0])) - (arg2[0]));\n x2 = ((UINT32_C(0x3fffffe) + (arg1[1])) - (arg2[1]));\n x3 = ((UINT32_C(0x7fffffe) + (arg1[2])) - (arg2[2]));\n x4 = ((UINT32_C(0x3fffffe) + (arg1[3])) - (arg2[3]));\n x5 = ((UINT32_C(0x7fffffe) + (arg1[4])) - (arg2[4]));\n x6 = ((UINT32_C(0x3fffffe) + (arg1[5])) - (arg2[5]));\n x7 = ((UINT32_C(0x7fffffe) + (arg1[6])) - (arg2[6]));\n x8 = ((UINT32_C(0x3fffffe) + (arg1[7])) - (arg2[7]));\n x9 = ((UINT32_C(0x7fffffe) + (arg1[8])) - (arg2[8]));\n x10 = ((UINT32_C(0x3fffffe) + (arg1[9])) - (arg2[9]));\n out1[0] = x1;\n out1[1] = x2;\n out1[2] = x3;\n out1[3] = x4;\n out1[4] = x5;\n out1[5] = x6;\n out1[6] = x7;\n out1[7] = x8;\n out1[8] = x9;\n out1[9] = x10;\n}\n\n/*\n * The function fiat_25519_opp negates a field element.\n *\n * Postconditions:\n * eval out1 mod m = -eval arg1 mod m\n *\n */\nstatic FIAT_25519_FIAT_INLINE void fiat_25519_opp(fiat_25519_loose_field_element out1, const fiat_25519_tight_field_element arg1) {\n uint32_t x1;\n uint32_t x2;\n uint32_t x3;\n uint32_t x4;\n uint32_t x5;\n uint32_t x6;\n uint32_t x7;\n uint32_t x8;\n uint32_t x9;\n uint32_t x10;\n x1 = (UINT32_C(0x7ffffda) - (arg1[0]));\n x2 = (UINT32_C(0x3fffffe) - (arg1[1]));\n x3 = (UINT32_C(0x7fffffe) - (arg1[2]));\n x4 = (UINT32_C(0x3fffffe) - (arg1[3]));\n x5 = (UINT32_C(0x7fffffe) - (arg1[4]));\n x6 = (UINT32_C(0x3fffffe) - (arg1[5]));\n x7 = (UINT32_C(0x7fffffe) - (arg1[6]));\n x8 = (UINT32_C(0x3fffffe) - (arg1[7]));\n x9 = (UINT32_C(0x7fffffe) - (arg1[8]));\n x10 = (UINT32_C(0x3fffffe) - (arg1[9]));\n out1[0] = x1;\n out1[1] = x2;\n out1[2] = x3;\n out1[3] = x4;\n out1[4] = x5;\n out1[5] = x6;\n out1[6] = x7;\n out1[7] = x8;\n out1[8] = x9;\n out1[9] = x10;\n}\n\n/* Not used in BoringSSL. */\n#if 0\n/*\n * The function fiat_25519_selectznz is a multi-limb conditional select.\n *\n * Postconditions:\n * eval out1 = (if arg1 = 0 then eval arg2 else eval arg3)\n *\n * Input Bounds:\n * arg1: [0x0 ~> 0x1]\n * arg2: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]]\n * arg3: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]]\n * Output Bounds:\n * out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]]\n */\nstatic FIAT_25519_FIAT_INLINE void fiat_25519_selectznz(uint32_t out1[10], fiat_25519_uint1 arg1, const uint32_t arg2[10], const uint32_t arg3[10]) {\n uint32_t x1;\n uint32_t x2;\n uint32_t x3;\n uint32_t x4;\n uint32_t x5;\n uint32_t x6;\n uint32_t x7;\n uint32_t x8;\n uint32_t x9;\n uint32_t x10;\n fiat_25519_cmovznz_u32(&x1, arg1, (arg2[0]), (arg3[0]));\n fiat_25519_cmovznz_u32(&x2, arg1, (arg2[1]), (arg3[1]));\n fiat_25519_cmovznz_u32(&x3, arg1, (arg2[2]), (arg3[2]));\n fiat_25519_cmovznz_u32(&x4, arg1, (arg2[3]), (arg3[3]));\n fiat_25519_cmovznz_u32(&x5, arg1, (arg2[4]), (arg3[4]));\n fiat_25519_cmovznz_u32(&x6, arg1, (arg2[5]), (arg3[5]));\n fiat_25519_cmovznz_u32(&x7, arg1, (arg2[6]), (arg3[6]));\n fiat_25519_cmovznz_u32(&x8, arg1, (arg2[7]), (arg3[7]));\n fiat_25519_cmovznz_u32(&x9, arg1, (arg2[8]), (arg3[8]));\n fiat_25519_cmovznz_u32(&x10, arg1, (arg2[9]), (arg3[9]));\n out1[0] = x1;\n out1[1] = x2;\n out1[2] = x3;\n out1[3] = x4;\n out1[4] = x5;\n out1[5] = x6;\n out1[6] = x7;\n out1[7] = x8;\n out1[8] = x9;\n out1[9] = x10;\n}\n#endif\n\n/*\n * The function fiat_25519_to_bytes serializes a field element to bytes in little-endian order.\n *\n * Postconditions:\n * out1 = map (λ x, ⌊((eval arg1 mod m) mod 2^(8 * (x + 1))) / 2^(8 * x)⌋) [0..31]\n *\n * Output Bounds:\n * out1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0x7f]]\n */\nstatic FIAT_25519_FIAT_INLINE void fiat_25519_to_bytes(uint8_t out1[32], const fiat_25519_tight_field_element arg1) {\n uint32_t x1;\n fiat_25519_uint1 x2;\n uint32_t x3;\n fiat_25519_uint1 x4;\n uint32_t x5;\n fiat_25519_uint1 x6;\n uint32_t x7;\n fiat_25519_uint1 x8;\n uint32_t x9;\n fiat_25519_uint1 x10;\n uint32_t x11;\n fiat_25519_uint1 x12;\n uint32_t x13;\n fiat_25519_uint1 x14;\n uint32_t x15;\n fiat_25519_uint1 x16;\n uint32_t x17;\n fiat_25519_uint1 x18;\n uint32_t x19;\n fiat_25519_uint1 x20;\n uint32_t x21;\n uint32_t x22;\n fiat_25519_uint1 x23;\n uint32_t x24;\n fiat_25519_uint1 x25;\n uint32_t x26;\n fiat_25519_uint1 x27;\n uint32_t x28;\n fiat_25519_uint1 x29;\n uint32_t x30;\n fiat_25519_uint1 x31;\n uint32_t x32;\n fiat_25519_uint1 x33;\n uint32_t x34;\n fiat_25519_uint1 x35;\n uint32_t x36;\n fiat_25519_uint1 x37;\n uint32_t x38;\n fiat_25519_uint1 x39;\n uint32_t x40;\n fiat_25519_uint1 x41;\n uint32_t x42;\n uint32_t x43;\n uint32_t x44;\n uint32_t x45;\n uint32_t x46;\n uint32_t x47;\n uint32_t x48;\n uint32_t x49;\n uint8_t x50;\n uint32_t x51;\n uint8_t x52;\n uint32_t x53;\n uint8_t x54;\n uint8_t x55;\n uint32_t x56;\n uint8_t x57;\n uint32_t x58;\n uint8_t x59;\n uint32_t x60;\n uint8_t x61;\n uint8_t x62;\n uint32_t x63;\n uint8_t x64;\n uint32_t x65;\n uint8_t x66;\n uint32_t x67;\n uint8_t x68;\n uint8_t x69;\n uint32_t x70;\n uint8_t x71;\n uint32_t x72;\n uint8_t x73;\n uint32_t x74;\n uint8_t x75;\n uint8_t x76;\n uint32_t x77;\n uint8_t x78;\n uint32_t x79;\n uint8_t x80;\n uint32_t x81;\n uint8_t x82;\n uint8_t x83;\n uint8_t x84;\n uint32_t x85;\n uint8_t x86;\n uint32_t x87;\n uint8_t x88;\n fiat_25519_uint1 x89;\n uint32_t x90;\n uint8_t x91;\n uint32_t x92;\n uint8_t x93;\n uint32_t x94;\n uint8_t x95;\n uint8_t x96;\n uint32_t x97;\n uint8_t x98;\n uint32_t x99;\n uint8_t x100;\n uint32_t x101;\n uint8_t x102;\n uint8_t x103;\n uint32_t x104;\n uint8_t x105;\n uint32_t x106;\n uint8_t x107;\n uint32_t x108;\n uint8_t x109;\n uint8_t x110;\n uint32_t x111;\n uint8_t x112;\n uint32_t x113;\n uint8_t x114;\n uint32_t x115;\n uint8_t x116;\n uint8_t x117;\n fiat_25519_subborrowx_u26(&x1, &x2, 0x0, (arg1[0]), UINT32_C(0x3ffffed));\n fiat_25519_subborrowx_u25(&x3, &x4, x2, (arg1[1]), UINT32_C(0x1ffffff));\n fiat_25519_subborrowx_u26(&x5, &x6, x4, (arg1[2]), UINT32_C(0x3ffffff));\n fiat_25519_subborrowx_u25(&x7, &x8, x6, (arg1[3]), UINT32_C(0x1ffffff));\n fiat_25519_subborrowx_u26(&x9, &x10, x8, (arg1[4]), UINT32_C(0x3ffffff));\n fiat_25519_subborrowx_u25(&x11, &x12, x10, (arg1[5]), UINT32_C(0x1ffffff));\n fiat_25519_subborrowx_u26(&x13, &x14, x12, (arg1[6]), UINT32_C(0x3ffffff));\n fiat_25519_subborrowx_u25(&x15, &x16, x14, (arg1[7]), UINT32_C(0x1ffffff));\n fiat_25519_subborrowx_u26(&x17, &x18, x16, (arg1[8]), UINT32_C(0x3ffffff));\n fiat_25519_subborrowx_u25(&x19, &x20, x18, (arg1[9]), UINT32_C(0x1ffffff));\n fiat_25519_cmovznz_u32(&x21, x20, 0x0, UINT32_C(0xffffffff));\n fiat_25519_addcarryx_u26(&x22, &x23, 0x0, x1, (x21 & UINT32_C(0x3ffffed)));\n fiat_25519_addcarryx_u25(&x24, &x25, x23, x3, (x21 & UINT32_C(0x1ffffff)));\n fiat_25519_addcarryx_u26(&x26, &x27, x25, x5, (x21 & UINT32_C(0x3ffffff)));\n fiat_25519_addcarryx_u25(&x28, &x29, x27, x7, (x21 & UINT32_C(0x1ffffff)));\n fiat_25519_addcarryx_u26(&x30, &x31, x29, x9, (x21 & UINT32_C(0x3ffffff)));\n fiat_25519_addcarryx_u25(&x32, &x33, x31, x11, (x21 & UINT32_C(0x1ffffff)));\n fiat_25519_addcarryx_u26(&x34, &x35, x33, x13, (x21 & UINT32_C(0x3ffffff)));\n fiat_25519_addcarryx_u25(&x36, &x37, x35, x15, (x21 & UINT32_C(0x1ffffff)));\n fiat_25519_addcarryx_u26(&x38, &x39, x37, x17, (x21 & UINT32_C(0x3ffffff)));\n fiat_25519_addcarryx_u25(&x40, &x41, x39, x19, (x21 & UINT32_C(0x1ffffff)));\n x42 = (x40 << 6);\n x43 = (x38 << 4);\n x44 = (x36 << 3);\n x45 = (x34 * (uint32_t)0x2);\n x46 = (x30 << 6);\n x47 = (x28 << 5);\n x48 = (x26 << 3);\n x49 = (x24 << 2);\n x50 = (uint8_t)(x22 & UINT8_C(0xff));\n x51 = (x22 >> 8);\n x52 = (uint8_t)(x51 & UINT8_C(0xff));\n x53 = (x51 >> 8);\n x54 = (uint8_t)(x53 & UINT8_C(0xff));\n x55 = (uint8_t)(x53 >> 8);\n x56 = (x49 + (uint32_t)x55);\n x57 = (uint8_t)(x56 & UINT8_C(0xff));\n x58 = (x56 >> 8);\n x59 = (uint8_t)(x58 & UINT8_C(0xff));\n x60 = (x58 >> 8);\n x61 = (uint8_t)(x60 & UINT8_C(0xff));\n x62 = (uint8_t)(x60 >> 8);\n x63 = (x48 + (uint32_t)x62);\n x64 = (uint8_t)(x63 & UINT8_C(0xff));\n x65 = (x63 >> 8);\n x66 = (uint8_t)(x65 & UINT8_C(0xff));\n x67 = (x65 >> 8);\n x68 = (uint8_t)(x67 & UINT8_C(0xff));\n x69 = (uint8_t)(x67 >> 8);\n x70 = (x47 + (uint32_t)x69);\n x71 = (uint8_t)(x70 & UINT8_C(0xff));\n x72 = (x70 >> 8);\n x73 = (uint8_t)(x72 & UINT8_C(0xff));\n x74 = (x72 >> 8);\n x75 = (uint8_t)(x74 & UINT8_C(0xff));\n x76 = (uint8_t)(x74 >> 8);\n x77 = (x46 + (uint32_t)x76);\n x78 = (uint8_t)(x77 & UINT8_C(0xff));\n x79 = (x77 >> 8);\n x80 = (uint8_t)(x79 & UINT8_C(0xff));\n x81 = (x79 >> 8);\n x82 = (uint8_t)(x81 & UINT8_C(0xff));\n x83 = (uint8_t)(x81 >> 8);\n x84 = (uint8_t)(x32 & UINT8_C(0xff));\n x85 = (x32 >> 8);\n x86 = (uint8_t)(x85 & UINT8_C(0xff));\n x87 = (x85 >> 8);\n x88 = (uint8_t)(x87 & UINT8_C(0xff));\n x89 = (fiat_25519_uint1)(x87 >> 8);\n x90 = (x45 + (uint32_t)x89);\n x91 = (uint8_t)(x90 & UINT8_C(0xff));\n x92 = (x90 >> 8);\n x93 = (uint8_t)(x92 & UINT8_C(0xff));\n x94 = (x92 >> 8);\n x95 = (uint8_t)(x94 & UINT8_C(0xff));\n x96 = (uint8_t)(x94 >> 8);\n x97 = (x44 + (uint32_t)x96);\n x98 = (uint8_t)(x97 & UINT8_C(0xff));\n x99 = (x97 >> 8);\n x100 = (uint8_t)(x99 & UINT8_C(0xff));\n x101 = (x99 >> 8);\n x102 = (uint8_t)(x101 & UINT8_C(0xff));\n x103 = (uint8_t)(x101 >> 8);\n x104 = (x43 + (uint32_t)x103);\n x105 = (uint8_t)(x104 & UINT8_C(0xff));\n x106 = (x104 >> 8);\n x107 = (uint8_t)(x106 & UINT8_C(0xff));\n x108 = (x106 >> 8);\n x109 = (uint8_t)(x108 & UINT8_C(0xff));\n x110 = (uint8_t)(x108 >> 8);\n x111 = (x42 + (uint32_t)x110);\n x112 = (uint8_t)(x111 & UINT8_C(0xff));\n x113 = (x111 >> 8);\n x114 = (uint8_t)(x113 & UINT8_C(0xff));\n x115 = (x113 >> 8);\n x116 = (uint8_t)(x115 & UINT8_C(0xff));\n x117 = (uint8_t)(x115 >> 8);\n out1[0] = x50;\n out1[1] = x52;\n out1[2] = x54;\n out1[3] = x57;\n out1[4] = x59;\n out1[5] = x61;\n out1[6] = x64;\n out1[7] = x66;\n out1[8] = x68;\n out1[9] = x71;\n out1[10] = x73;\n out1[11] = x75;\n out1[12] = x78;\n out1[13] = x80;\n out1[14] = x82;\n out1[15] = x83;\n out1[16] = x84;\n out1[17] = x86;\n out1[18] = x88;\n out1[19] = x91;\n out1[20] = x93;\n out1[21] = x95;\n out1[22] = x98;\n out1[23] = x100;\n out1[24] = x102;\n out1[25] = x105;\n out1[26] = x107;\n out1[27] = x109;\n out1[28] = x112;\n out1[29] = x114;\n out1[30] = x116;\n out1[31] = x117;\n}\n\n/*\n * The function fiat_25519_from_bytes deserializes a field element from bytes in little-endian order.\n *\n * Postconditions:\n * eval out1 mod m = bytes_eval arg1 mod m\n *\n * Input Bounds:\n * arg1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0x7f]]\n */\nstatic FIAT_25519_FIAT_INLINE void fiat_25519_from_bytes(fiat_25519_tight_field_element out1, const uint8_t arg1[32]) {\n uint32_t x1;\n uint32_t x2;\n uint32_t x3;\n uint32_t x4;\n uint32_t x5;\n uint32_t x6;\n uint32_t x7;\n uint32_t x8;\n uint32_t x9;\n uint32_t x10;\n uint32_t x11;\n uint32_t x12;\n uint32_t x13;\n uint32_t x14;\n uint32_t x15;\n uint8_t x16;\n uint32_t x17;\n uint32_t x18;\n uint32_t x19;\n uint32_t x20;\n uint32_t x21;\n uint32_t x22;\n uint32_t x23;\n uint32_t x24;\n uint32_t x25;\n uint32_t x26;\n uint32_t x27;\n uint32_t x28;\n uint32_t x29;\n uint32_t x30;\n uint32_t x31;\n uint8_t x32;\n uint32_t x33;\n uint32_t x34;\n uint32_t x35;\n uint32_t x36;\n uint8_t x37;\n uint32_t x38;\n uint32_t x39;\n uint32_t x40;\n uint32_t x41;\n uint8_t x42;\n uint32_t x43;\n uint32_t x44;\n uint32_t x45;\n uint32_t x46;\n uint8_t x47;\n uint32_t x48;\n uint32_t x49;\n uint32_t x50;\n uint32_t x51;\n uint8_t x52;\n uint32_t x53;\n uint32_t x54;\n uint32_t x55;\n uint32_t x56;\n uint32_t x57;\n uint32_t x58;\n uint32_t x59;\n uint8_t x60;\n uint32_t x61;\n uint32_t x62;\n uint32_t x63;\n uint32_t x64;\n uint8_t x65;\n uint32_t x66;\n uint32_t x67;\n uint32_t x68;\n uint32_t x69;\n uint8_t x70;\n uint32_t x71;\n uint32_t x72;\n uint32_t x73;\n uint32_t x74;\n uint8_t x75;\n uint32_t x76;\n uint32_t x77;\n uint32_t x78;\n x1 = ((uint32_t)(arg1[31]) << 18);\n x2 = ((uint32_t)(arg1[30]) << 10);\n x3 = ((uint32_t)(arg1[29]) << 2);\n x4 = ((uint32_t)(arg1[28]) << 20);\n x5 = ((uint32_t)(arg1[27]) << 12);\n x6 = ((uint32_t)(arg1[26]) << 4);\n x7 = ((uint32_t)(arg1[25]) << 21);\n x8 = ((uint32_t)(arg1[24]) << 13);\n x9 = ((uint32_t)(arg1[23]) << 5);\n x10 = ((uint32_t)(arg1[22]) << 23);\n x11 = ((uint32_t)(arg1[21]) << 15);\n x12 = ((uint32_t)(arg1[20]) << 7);\n x13 = ((uint32_t)(arg1[19]) << 24);\n x14 = ((uint32_t)(arg1[18]) << 16);\n x15 = ((uint32_t)(arg1[17]) << 8);\n x16 = (arg1[16]);\n x17 = ((uint32_t)(arg1[15]) << 18);\n x18 = ((uint32_t)(arg1[14]) << 10);\n x19 = ((uint32_t)(arg1[13]) << 2);\n x20 = ((uint32_t)(arg1[12]) << 19);\n x21 = ((uint32_t)(arg1[11]) << 11);\n x22 = ((uint32_t)(arg1[10]) << 3);\n x23 = ((uint32_t)(arg1[9]) << 21);\n x24 = ((uint32_t)(arg1[8]) << 13);\n x25 = ((uint32_t)(arg1[7]) << 5);\n x26 = ((uint32_t)(arg1[6]) << 22);\n x27 = ((uint32_t)(arg1[5]) << 14);\n x28 = ((uint32_t)(arg1[4]) << 6);\n x29 = ((uint32_t)(arg1[3]) << 24);\n x30 = ((uint32_t)(arg1[2]) << 16);\n x31 = ((uint32_t)(arg1[1]) << 8);\n x32 = (arg1[0]);\n x33 = (x31 + (uint32_t)x32);\n x34 = (x30 + x33);\n x35 = (x29 + x34);\n x36 = (x35 & UINT32_C(0x3ffffff));\n x37 = (uint8_t)(x35 >> 26);\n x38 = (x28 + (uint32_t)x37);\n x39 = (x27 + x38);\n x40 = (x26 + x39);\n x41 = (x40 & UINT32_C(0x1ffffff));\n x42 = (uint8_t)(x40 >> 25);\n x43 = (x25 + (uint32_t)x42);\n x44 = (x24 + x43);\n x45 = (x23 + x44);\n x46 = (x45 & UINT32_C(0x3ffffff));\n x47 = (uint8_t)(x45 >> 26);\n x48 = (x22 + (uint32_t)x47);\n x49 = (x21 + x48);\n x50 = (x20 + x49);\n x51 = (x50 & UINT32_C(0x1ffffff));\n x52 = (uint8_t)(x50 >> 25);\n x53 = (x19 + (uint32_t)x52);\n x54 = (x18 + x53);\n x55 = (x17 + x54);\n x56 = (x15 + (uint32_t)x16);\n x57 = (x14 + x56);\n x58 = (x13 + x57);\n x59 = (x58 & UINT32_C(0x1ffffff));\n x60 = (uint8_t)(x58 >> 25);\n x61 = (x12 + (uint32_t)x60);\n x62 = (x11 + x61);\n x63 = (x10 + x62);\n x64 = (x63 & UINT32_C(0x3ffffff));\n x65 = (uint8_t)(x63 >> 26);\n x66 = (x9 + (uint32_t)x65);\n x67 = (x8 + x66);\n x68 = (x7 + x67);\n x69 = (x68 & UINT32_C(0x1ffffff));\n x70 = (uint8_t)(x68 >> 25);\n x71 = (x6 + (uint32_t)x70);\n x72 = (x5 + x71);\n x73 = (x4 + x72);\n x74 = (x73 & UINT32_C(0x3ffffff));\n x75 = (uint8_t)(x73 >> 26);\n x76 = (x3 + (uint32_t)x75);\n x77 = (x2 + x76);\n x78 = (x1 + x77);\n out1[0] = x36;\n out1[1] = x41;\n out1[2] = x46;\n out1[3] = x51;\n out1[4] = x55;\n out1[5] = x59;\n out1[6] = x64;\n out1[7] = x69;\n out1[8] = x74;\n out1[9] = x78;\n}\n\n/* Not used in BoringSSL. */\n#if 0\n/*\n * The function fiat_25519_relax is the identity function converting from tight field elements to loose field elements.\n *\n * Postconditions:\n * out1 = arg1\n *\n */\nstatic FIAT_25519_FIAT_INLINE void fiat_25519_relax(fiat_25519_loose_field_element out1, const fiat_25519_tight_field_element arg1) {\n uint32_t x1;\n uint32_t x2;\n uint32_t x3;\n uint32_t x4;\n uint32_t x5;\n uint32_t x6;\n uint32_t x7;\n uint32_t x8;\n uint32_t x9;\n uint32_t x10;\n x1 = (arg1[0]);\n x2 = (arg1[1]);\n x3 = (arg1[2]);\n x4 = (arg1[3]);\n x5 = (arg1[4]);\n x6 = (arg1[5]);\n x7 = (arg1[6]);\n x8 = (arg1[7]);\n x9 = (arg1[8]);\n x10 = (arg1[9]);\n out1[0] = x1;\n out1[1] = x2;\n out1[2] = x3;\n out1[3] = x4;\n out1[4] = x5;\n out1[5] = x6;\n out1[6] = x7;\n out1[7] = x8;\n out1[8] = x9;\n out1[9] = x10;\n}\n#endif\n\n/*\n * The function fiat_25519_carry_scmul_121666 multiplies a field element by 121666 and reduces the result.\n *\n * Postconditions:\n * eval out1 mod m = (121666 * eval arg1) mod m\n *\n */\nstatic FIAT_25519_FIAT_INLINE void fiat_25519_carry_scmul_121666(fiat_25519_tight_field_element out1, const fiat_25519_loose_field_element arg1) {\n uint64_t x1;\n uint64_t x2;\n uint64_t x3;\n uint64_t x4;\n uint64_t x5;\n uint64_t x6;\n uint64_t x7;\n uint64_t x8;\n uint64_t x9;\n uint64_t x10;\n uint32_t x11;\n uint32_t x12;\n uint64_t x13;\n uint32_t x14;\n uint32_t x15;\n uint64_t x16;\n uint32_t x17;\n uint32_t x18;\n uint64_t x19;\n uint32_t x20;\n uint32_t x21;\n uint64_t x22;\n uint32_t x23;\n uint32_t x24;\n uint64_t x25;\n uint32_t x26;\n uint32_t x27;\n uint64_t x28;\n uint32_t x29;\n uint32_t x30;\n uint64_t x31;\n uint32_t x32;\n uint32_t x33;\n uint64_t x34;\n uint32_t x35;\n uint32_t x36;\n uint64_t x37;\n uint32_t x38;\n uint32_t x39;\n uint32_t x40;\n uint32_t x41;\n fiat_25519_uint1 x42;\n uint32_t x43;\n uint32_t x44;\n fiat_25519_uint1 x45;\n uint32_t x46;\n uint32_t x47;\n x1 = ((uint64_t)UINT32_C(0x1db42) * (arg1[9]));\n x2 = ((uint64_t)UINT32_C(0x1db42) * (arg1[8]));\n x3 = ((uint64_t)UINT32_C(0x1db42) * (arg1[7]));\n x4 = ((uint64_t)UINT32_C(0x1db42) * (arg1[6]));\n x5 = ((uint64_t)UINT32_C(0x1db42) * (arg1[5]));\n x6 = ((uint64_t)UINT32_C(0x1db42) * (arg1[4]));\n x7 = ((uint64_t)UINT32_C(0x1db42) * (arg1[3]));\n x8 = ((uint64_t)UINT32_C(0x1db42) * (arg1[2]));\n x9 = ((uint64_t)UINT32_C(0x1db42) * (arg1[1]));\n x10 = ((uint64_t)UINT32_C(0x1db42) * (arg1[0]));\n x11 = (uint32_t)(x10 >> 26);\n x12 = (uint32_t)(x10 & UINT32_C(0x3ffffff));\n x13 = (x11 + x9);\n x14 = (uint32_t)(x13 >> 25);\n x15 = (uint32_t)(x13 & UINT32_C(0x1ffffff));\n x16 = (x14 + x8);\n x17 = (uint32_t)(x16 >> 26);\n x18 = (uint32_t)(x16 & UINT32_C(0x3ffffff));\n x19 = (x17 + x7);\n x20 = (uint32_t)(x19 >> 25);\n x21 = (uint32_t)(x19 & UINT32_C(0x1ffffff));\n x22 = (x20 + x6);\n x23 = (uint32_t)(x22 >> 26);\n x24 = (uint32_t)(x22 & UINT32_C(0x3ffffff));\n x25 = (x23 + x5);\n x26 = (uint32_t)(x25 >> 25);\n x27 = (uint32_t)(x25 & UINT32_C(0x1ffffff));\n x28 = (x26 + x4);\n x29 = (uint32_t)(x28 >> 26);\n x30 = (uint32_t)(x28 & UINT32_C(0x3ffffff));\n x31 = (x29 + x3);\n x32 = (uint32_t)(x31 >> 25);\n x33 = (uint32_t)(x31 & UINT32_C(0x1ffffff));\n x34 = (x32 + x2);\n x35 = (uint32_t)(x34 >> 26);\n x36 = (uint32_t)(x34 & UINT32_C(0x3ffffff));\n x37 = (x35 + x1);\n x38 = (uint32_t)(x37 >> 25);\n x39 = (uint32_t)(x37 & UINT32_C(0x1ffffff));\n x40 = (x38 * UINT8_C(0x13));\n x41 = (x12 + x40);\n x42 = (fiat_25519_uint1)(x41 >> 26);\n x43 = (x41 & UINT32_C(0x3ffffff));\n x44 = (x42 + x15);\n x45 = (fiat_25519_uint1)(x44 >> 25);\n x46 = (x44 & UINT32_C(0x1ffffff));\n x47 = (x45 + x18);\n out1[0] = x43;\n out1[1] = x46;\n out1[2] = x47;\n out1[3] = x21;\n out1[4] = x24;\n out1[5] = x27;\n out1[6] = x30;\n out1[7] = x33;\n out1[8] = x36;\n out1[9] = x39;\n}\n" }, { "path": "Sources/CNIOBoringSSL/third_party/fiat/curve25519_64.h", "content": "/* Autogenerated: 'src/ExtractionOCaml/unsaturated_solinas' --inline --static --use-value-barrier 25519 64 '(auto)' '2^255 - 19' carry_mul carry_square carry add sub opp selectznz to_bytes from_bytes relax carry_scmul121666 */\n/* curve description: 25519 */\n/* machine_wordsize = 64 (from \"64\") */\n/* requested operations: carry_mul, carry_square, carry, add, sub, opp, selectznz, to_bytes, from_bytes, relax, carry_scmul121666 */\n/* n = 5 (from \"(auto)\") */\n/* s-c = 2^255 - [(1, 19)] (from \"2^255 - 19\") */\n/* tight_bounds_multiplier = 1 (from \"\") */\n/* */\n/* Computed values: */\n/* carry_chain = [0, 1, 2, 3, 4, 0, 1] */\n/* eval z = z[0] + (z[1] << 51) + (z[2] << 102) + (z[3] << 153) + (z[4] << 204) */\n/* bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) */\n/* balance = [0xfffffffffffda, 0xffffffffffffe, 0xffffffffffffe, 0xffffffffffffe, 0xffffffffffffe] */\n\n#include \ntypedef unsigned char fiat_25519_uint1;\ntypedef signed char fiat_25519_int1;\n#if defined(__GNUC__) || defined(__clang__)\n# define FIAT_25519_FIAT_EXTENSION __extension__\n# define FIAT_25519_FIAT_INLINE __inline__\n#else\n# define FIAT_25519_FIAT_EXTENSION\n# define FIAT_25519_FIAT_INLINE\n#endif\n\nFIAT_25519_FIAT_EXTENSION typedef signed __int128 fiat_25519_int128;\nFIAT_25519_FIAT_EXTENSION typedef unsigned __int128 fiat_25519_uint128;\n\n/* The type fiat_25519_loose_field_element is a field element with loose bounds. */\n/* Bounds: [[0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000]] */\ntypedef uint64_t fiat_25519_loose_field_element[5];\n\n/* The type fiat_25519_tight_field_element is a field element with tight bounds. */\n/* Bounds: [[0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000]] */\ntypedef uint64_t fiat_25519_tight_field_element[5];\n\n#if (-1 & 3) != 3\n#error \"This code only works on a two's complement system\"\n#endif\n\n#if !defined(FIAT_25519_NO_ASM) && (defined(__GNUC__) || defined(__clang__))\nstatic __inline__ uint64_t fiat_25519_value_barrier_u64(uint64_t a) {\n __asm__(\"\" : \"+r\"(a) : /* no inputs */);\n return a;\n}\n#else\n# define fiat_25519_value_barrier_u64(x) (x)\n#endif\n\n\n/*\n * The function fiat_25519_addcarryx_u51 is an addition with carry.\n *\n * Postconditions:\n * out1 = (arg1 + arg2 + arg3) mod 2^51\n * out2 = ⌊(arg1 + arg2 + arg3) / 2^51⌋\n *\n * Input Bounds:\n * arg1: [0x0 ~> 0x1]\n * arg2: [0x0 ~> 0x7ffffffffffff]\n * arg3: [0x0 ~> 0x7ffffffffffff]\n * Output Bounds:\n * out1: [0x0 ~> 0x7ffffffffffff]\n * out2: [0x0 ~> 0x1]\n */\nstatic FIAT_25519_FIAT_INLINE void fiat_25519_addcarryx_u51(uint64_t* out1, fiat_25519_uint1* out2, fiat_25519_uint1 arg1, uint64_t arg2, uint64_t arg3) {\n uint64_t x1;\n uint64_t x2;\n fiat_25519_uint1 x3;\n x1 = ((arg1 + arg2) + arg3);\n x2 = (x1 & UINT64_C(0x7ffffffffffff));\n x3 = (fiat_25519_uint1)(x1 >> 51);\n *out1 = x2;\n *out2 = x3;\n}\n\n/*\n * The function fiat_25519_subborrowx_u51 is a subtraction with borrow.\n *\n * Postconditions:\n * out1 = (-arg1 + arg2 + -arg3) mod 2^51\n * out2 = -⌊(-arg1 + arg2 + -arg3) / 2^51⌋\n *\n * Input Bounds:\n * arg1: [0x0 ~> 0x1]\n * arg2: [0x0 ~> 0x7ffffffffffff]\n * arg3: [0x0 ~> 0x7ffffffffffff]\n * Output Bounds:\n * out1: [0x0 ~> 0x7ffffffffffff]\n * out2: [0x0 ~> 0x1]\n */\nstatic FIAT_25519_FIAT_INLINE void fiat_25519_subborrowx_u51(uint64_t* out1, fiat_25519_uint1* out2, fiat_25519_uint1 arg1, uint64_t arg2, uint64_t arg3) {\n int64_t x1;\n fiat_25519_int1 x2;\n uint64_t x3;\n x1 = ((int64_t)(arg2 - (int64_t)arg1) - (int64_t)arg3);\n x2 = (fiat_25519_int1)(x1 >> 51);\n x3 = (x1 & UINT64_C(0x7ffffffffffff));\n *out1 = x3;\n *out2 = (fiat_25519_uint1)(0x0 - x2);\n}\n\n/*\n * The function fiat_25519_cmovznz_u64 is a single-word conditional move.\n *\n * Postconditions:\n * out1 = (if arg1 = 0 then arg2 else arg3)\n *\n * Input Bounds:\n * arg1: [0x0 ~> 0x1]\n * arg2: [0x0 ~> 0xffffffffffffffff]\n * arg3: [0x0 ~> 0xffffffffffffffff]\n * Output Bounds:\n * out1: [0x0 ~> 0xffffffffffffffff]\n */\nstatic FIAT_25519_FIAT_INLINE void fiat_25519_cmovznz_u64(uint64_t* out1, fiat_25519_uint1 arg1, uint64_t arg2, uint64_t arg3) {\n fiat_25519_uint1 x1;\n uint64_t x2;\n uint64_t x3;\n x1 = (!(!arg1));\n x2 = ((fiat_25519_int1)(0x0 - x1) & UINT64_C(0xffffffffffffffff));\n x3 = ((fiat_25519_value_barrier_u64(x2) & arg3) | (fiat_25519_value_barrier_u64((~x2)) & arg2));\n *out1 = x3;\n}\n\n/*\n * The function fiat_25519_carry_mul multiplies two field elements and reduces the result.\n *\n * Postconditions:\n * eval out1 mod m = (eval arg1 * eval arg2) mod m\n *\n */\nstatic FIAT_25519_FIAT_INLINE void fiat_25519_carry_mul(fiat_25519_tight_field_element out1, const fiat_25519_loose_field_element arg1, const fiat_25519_loose_field_element arg2) {\n fiat_25519_uint128 x1;\n fiat_25519_uint128 x2;\n fiat_25519_uint128 x3;\n fiat_25519_uint128 x4;\n fiat_25519_uint128 x5;\n fiat_25519_uint128 x6;\n fiat_25519_uint128 x7;\n fiat_25519_uint128 x8;\n fiat_25519_uint128 x9;\n fiat_25519_uint128 x10;\n fiat_25519_uint128 x11;\n fiat_25519_uint128 x12;\n fiat_25519_uint128 x13;\n fiat_25519_uint128 x14;\n fiat_25519_uint128 x15;\n fiat_25519_uint128 x16;\n fiat_25519_uint128 x17;\n fiat_25519_uint128 x18;\n fiat_25519_uint128 x19;\n fiat_25519_uint128 x20;\n fiat_25519_uint128 x21;\n fiat_25519_uint128 x22;\n fiat_25519_uint128 x23;\n fiat_25519_uint128 x24;\n fiat_25519_uint128 x25;\n fiat_25519_uint128 x26;\n uint64_t x27;\n uint64_t x28;\n fiat_25519_uint128 x29;\n fiat_25519_uint128 x30;\n fiat_25519_uint128 x31;\n fiat_25519_uint128 x32;\n fiat_25519_uint128 x33;\n uint64_t x34;\n uint64_t x35;\n fiat_25519_uint128 x36;\n uint64_t x37;\n uint64_t x38;\n fiat_25519_uint128 x39;\n uint64_t x40;\n uint64_t x41;\n fiat_25519_uint128 x42;\n uint64_t x43;\n uint64_t x44;\n uint64_t x45;\n uint64_t x46;\n uint64_t x47;\n uint64_t x48;\n uint64_t x49;\n fiat_25519_uint1 x50;\n uint64_t x51;\n uint64_t x52;\n x1 = ((fiat_25519_uint128)(arg1[4]) * ((arg2[4]) * UINT8_C(0x13)));\n x2 = ((fiat_25519_uint128)(arg1[4]) * ((arg2[3]) * UINT8_C(0x13)));\n x3 = ((fiat_25519_uint128)(arg1[4]) * ((arg2[2]) * UINT8_C(0x13)));\n x4 = ((fiat_25519_uint128)(arg1[4]) * ((arg2[1]) * UINT8_C(0x13)));\n x5 = ((fiat_25519_uint128)(arg1[3]) * ((arg2[4]) * UINT8_C(0x13)));\n x6 = ((fiat_25519_uint128)(arg1[3]) * ((arg2[3]) * UINT8_C(0x13)));\n x7 = ((fiat_25519_uint128)(arg1[3]) * ((arg2[2]) * UINT8_C(0x13)));\n x8 = ((fiat_25519_uint128)(arg1[2]) * ((arg2[4]) * UINT8_C(0x13)));\n x9 = ((fiat_25519_uint128)(arg1[2]) * ((arg2[3]) * UINT8_C(0x13)));\n x10 = ((fiat_25519_uint128)(arg1[1]) * ((arg2[4]) * UINT8_C(0x13)));\n x11 = ((fiat_25519_uint128)(arg1[4]) * (arg2[0]));\n x12 = ((fiat_25519_uint128)(arg1[3]) * (arg2[1]));\n x13 = ((fiat_25519_uint128)(arg1[3]) * (arg2[0]));\n x14 = ((fiat_25519_uint128)(arg1[2]) * (arg2[2]));\n x15 = ((fiat_25519_uint128)(arg1[2]) * (arg2[1]));\n x16 = ((fiat_25519_uint128)(arg1[2]) * (arg2[0]));\n x17 = ((fiat_25519_uint128)(arg1[1]) * (arg2[3]));\n x18 = ((fiat_25519_uint128)(arg1[1]) * (arg2[2]));\n x19 = ((fiat_25519_uint128)(arg1[1]) * (arg2[1]));\n x20 = ((fiat_25519_uint128)(arg1[1]) * (arg2[0]));\n x21 = ((fiat_25519_uint128)(arg1[0]) * (arg2[4]));\n x22 = ((fiat_25519_uint128)(arg1[0]) * (arg2[3]));\n x23 = ((fiat_25519_uint128)(arg1[0]) * (arg2[2]));\n x24 = ((fiat_25519_uint128)(arg1[0]) * (arg2[1]));\n x25 = ((fiat_25519_uint128)(arg1[0]) * (arg2[0]));\n x26 = (x25 + (x10 + (x9 + (x7 + x4))));\n x27 = (uint64_t)(x26 >> 51);\n x28 = (uint64_t)(x26 & UINT64_C(0x7ffffffffffff));\n x29 = (x21 + (x17 + (x14 + (x12 + x11))));\n x30 = (x22 + (x18 + (x15 + (x13 + x1))));\n x31 = (x23 + (x19 + (x16 + (x5 + x2))));\n x32 = (x24 + (x20 + (x8 + (x6 + x3))));\n x33 = (x27 + x32);\n x34 = (uint64_t)(x33 >> 51);\n x35 = (uint64_t)(x33 & UINT64_C(0x7ffffffffffff));\n x36 = (x34 + x31);\n x37 = (uint64_t)(x36 >> 51);\n x38 = (uint64_t)(x36 & UINT64_C(0x7ffffffffffff));\n x39 = (x37 + x30);\n x40 = (uint64_t)(x39 >> 51);\n x41 = (uint64_t)(x39 & UINT64_C(0x7ffffffffffff));\n x42 = (x40 + x29);\n x43 = (uint64_t)(x42 >> 51);\n x44 = (uint64_t)(x42 & UINT64_C(0x7ffffffffffff));\n x45 = (x43 * UINT8_C(0x13));\n x46 = (x28 + x45);\n x47 = (x46 >> 51);\n x48 = (x46 & UINT64_C(0x7ffffffffffff));\n x49 = (x47 + x35);\n x50 = (fiat_25519_uint1)(x49 >> 51);\n x51 = (x49 & UINT64_C(0x7ffffffffffff));\n x52 = (x50 + x38);\n out1[0] = x48;\n out1[1] = x51;\n out1[2] = x52;\n out1[3] = x41;\n out1[4] = x44;\n}\n\n/*\n * The function fiat_25519_carry_square squares a field element and reduces the result.\n *\n * Postconditions:\n * eval out1 mod m = (eval arg1 * eval arg1) mod m\n *\n */\nstatic FIAT_25519_FIAT_INLINE void fiat_25519_carry_square(fiat_25519_tight_field_element out1, const fiat_25519_loose_field_element arg1) {\n uint64_t x1;\n uint64_t x2;\n uint64_t x3;\n uint64_t x4;\n uint64_t x5;\n uint64_t x6;\n uint64_t x7;\n uint64_t x8;\n fiat_25519_uint128 x9;\n fiat_25519_uint128 x10;\n fiat_25519_uint128 x11;\n fiat_25519_uint128 x12;\n fiat_25519_uint128 x13;\n fiat_25519_uint128 x14;\n fiat_25519_uint128 x15;\n fiat_25519_uint128 x16;\n fiat_25519_uint128 x17;\n fiat_25519_uint128 x18;\n fiat_25519_uint128 x19;\n fiat_25519_uint128 x20;\n fiat_25519_uint128 x21;\n fiat_25519_uint128 x22;\n fiat_25519_uint128 x23;\n fiat_25519_uint128 x24;\n uint64_t x25;\n uint64_t x26;\n fiat_25519_uint128 x27;\n fiat_25519_uint128 x28;\n fiat_25519_uint128 x29;\n fiat_25519_uint128 x30;\n fiat_25519_uint128 x31;\n uint64_t x32;\n uint64_t x33;\n fiat_25519_uint128 x34;\n uint64_t x35;\n uint64_t x36;\n fiat_25519_uint128 x37;\n uint64_t x38;\n uint64_t x39;\n fiat_25519_uint128 x40;\n uint64_t x41;\n uint64_t x42;\n uint64_t x43;\n uint64_t x44;\n uint64_t x45;\n uint64_t x46;\n uint64_t x47;\n fiat_25519_uint1 x48;\n uint64_t x49;\n uint64_t x50;\n x1 = ((arg1[4]) * UINT8_C(0x13));\n x2 = (x1 * 0x2);\n x3 = ((arg1[4]) * 0x2);\n x4 = ((arg1[3]) * UINT8_C(0x13));\n x5 = (x4 * 0x2);\n x6 = ((arg1[3]) * 0x2);\n x7 = ((arg1[2]) * 0x2);\n x8 = ((arg1[1]) * 0x2);\n x9 = ((fiat_25519_uint128)(arg1[4]) * x1);\n x10 = ((fiat_25519_uint128)(arg1[3]) * x2);\n x11 = ((fiat_25519_uint128)(arg1[3]) * x4);\n x12 = ((fiat_25519_uint128)(arg1[2]) * x2);\n x13 = ((fiat_25519_uint128)(arg1[2]) * x5);\n x14 = ((fiat_25519_uint128)(arg1[2]) * (arg1[2]));\n x15 = ((fiat_25519_uint128)(arg1[1]) * x2);\n x16 = ((fiat_25519_uint128)(arg1[1]) * x6);\n x17 = ((fiat_25519_uint128)(arg1[1]) * x7);\n x18 = ((fiat_25519_uint128)(arg1[1]) * (arg1[1]));\n x19 = ((fiat_25519_uint128)(arg1[0]) * x3);\n x20 = ((fiat_25519_uint128)(arg1[0]) * x6);\n x21 = ((fiat_25519_uint128)(arg1[0]) * x7);\n x22 = ((fiat_25519_uint128)(arg1[0]) * x8);\n x23 = ((fiat_25519_uint128)(arg1[0]) * (arg1[0]));\n x24 = (x23 + (x15 + x13));\n x25 = (uint64_t)(x24 >> 51);\n x26 = (uint64_t)(x24 & UINT64_C(0x7ffffffffffff));\n x27 = (x19 + (x16 + x14));\n x28 = (x20 + (x17 + x9));\n x29 = (x21 + (x18 + x10));\n x30 = (x22 + (x12 + x11));\n x31 = (x25 + x30);\n x32 = (uint64_t)(x31 >> 51);\n x33 = (uint64_t)(x31 & UINT64_C(0x7ffffffffffff));\n x34 = (x32 + x29);\n x35 = (uint64_t)(x34 >> 51);\n x36 = (uint64_t)(x34 & UINT64_C(0x7ffffffffffff));\n x37 = (x35 + x28);\n x38 = (uint64_t)(x37 >> 51);\n x39 = (uint64_t)(x37 & UINT64_C(0x7ffffffffffff));\n x40 = (x38 + x27);\n x41 = (uint64_t)(x40 >> 51);\n x42 = (uint64_t)(x40 & UINT64_C(0x7ffffffffffff));\n x43 = (x41 * UINT8_C(0x13));\n x44 = (x26 + x43);\n x45 = (x44 >> 51);\n x46 = (x44 & UINT64_C(0x7ffffffffffff));\n x47 = (x45 + x33);\n x48 = (fiat_25519_uint1)(x47 >> 51);\n x49 = (x47 & UINT64_C(0x7ffffffffffff));\n x50 = (x48 + x36);\n out1[0] = x46;\n out1[1] = x49;\n out1[2] = x50;\n out1[3] = x39;\n out1[4] = x42;\n}\n\n/*\n * The function fiat_25519_carry reduces a field element.\n *\n * Postconditions:\n * eval out1 mod m = eval arg1 mod m\n *\n */\nstatic FIAT_25519_FIAT_INLINE void fiat_25519_carry(fiat_25519_tight_field_element out1, const fiat_25519_loose_field_element arg1) {\n uint64_t x1;\n uint64_t x2;\n uint64_t x3;\n uint64_t x4;\n uint64_t x5;\n uint64_t x6;\n uint64_t x7;\n uint64_t x8;\n uint64_t x9;\n uint64_t x10;\n uint64_t x11;\n uint64_t x12;\n x1 = (arg1[0]);\n x2 = ((x1 >> 51) + (arg1[1]));\n x3 = ((x2 >> 51) + (arg1[2]));\n x4 = ((x3 >> 51) + (arg1[3]));\n x5 = ((x4 >> 51) + (arg1[4]));\n x6 = ((x1 & UINT64_C(0x7ffffffffffff)) + ((x5 >> 51) * UINT8_C(0x13)));\n x7 = ((fiat_25519_uint1)(x6 >> 51) + (x2 & UINT64_C(0x7ffffffffffff)));\n x8 = (x6 & UINT64_C(0x7ffffffffffff));\n x9 = (x7 & UINT64_C(0x7ffffffffffff));\n x10 = ((fiat_25519_uint1)(x7 >> 51) + (x3 & UINT64_C(0x7ffffffffffff)));\n x11 = (x4 & UINT64_C(0x7ffffffffffff));\n x12 = (x5 & UINT64_C(0x7ffffffffffff));\n out1[0] = x8;\n out1[1] = x9;\n out1[2] = x10;\n out1[3] = x11;\n out1[4] = x12;\n}\n\n/*\n * The function fiat_25519_add adds two field elements.\n *\n * Postconditions:\n * eval out1 mod m = (eval arg1 + eval arg2) mod m\n *\n */\nstatic FIAT_25519_FIAT_INLINE void fiat_25519_add(fiat_25519_loose_field_element out1, const fiat_25519_tight_field_element arg1, const fiat_25519_tight_field_element arg2) {\n uint64_t x1;\n uint64_t x2;\n uint64_t x3;\n uint64_t x4;\n uint64_t x5;\n x1 = ((arg1[0]) + (arg2[0]));\n x2 = ((arg1[1]) + (arg2[1]));\n x3 = ((arg1[2]) + (arg2[2]));\n x4 = ((arg1[3]) + (arg2[3]));\n x5 = ((arg1[4]) + (arg2[4]));\n out1[0] = x1;\n out1[1] = x2;\n out1[2] = x3;\n out1[3] = x4;\n out1[4] = x5;\n}\n\n/*\n * The function fiat_25519_sub subtracts two field elements.\n *\n * Postconditions:\n * eval out1 mod m = (eval arg1 - eval arg2) mod m\n *\n */\nstatic FIAT_25519_FIAT_INLINE void fiat_25519_sub(fiat_25519_loose_field_element out1, const fiat_25519_tight_field_element arg1, const fiat_25519_tight_field_element arg2) {\n uint64_t x1;\n uint64_t x2;\n uint64_t x3;\n uint64_t x4;\n uint64_t x5;\n x1 = ((UINT64_C(0xfffffffffffda) + (arg1[0])) - (arg2[0]));\n x2 = ((UINT64_C(0xffffffffffffe) + (arg1[1])) - (arg2[1]));\n x3 = ((UINT64_C(0xffffffffffffe) + (arg1[2])) - (arg2[2]));\n x4 = ((UINT64_C(0xffffffffffffe) + (arg1[3])) - (arg2[3]));\n x5 = ((UINT64_C(0xffffffffffffe) + (arg1[4])) - (arg2[4]));\n out1[0] = x1;\n out1[1] = x2;\n out1[2] = x3;\n out1[3] = x4;\n out1[4] = x5;\n}\n\n/*\n * The function fiat_25519_opp negates a field element.\n *\n * Postconditions:\n * eval out1 mod m = -eval arg1 mod m\n *\n */\nstatic FIAT_25519_FIAT_INLINE void fiat_25519_opp(fiat_25519_loose_field_element out1, const fiat_25519_tight_field_element arg1) {\n uint64_t x1;\n uint64_t x2;\n uint64_t x3;\n uint64_t x4;\n uint64_t x5;\n x1 = (UINT64_C(0xfffffffffffda) - (arg1[0]));\n x2 = (UINT64_C(0xffffffffffffe) - (arg1[1]));\n x3 = (UINT64_C(0xffffffffffffe) - (arg1[2]));\n x4 = (UINT64_C(0xffffffffffffe) - (arg1[3]));\n x5 = (UINT64_C(0xffffffffffffe) - (arg1[4]));\n out1[0] = x1;\n out1[1] = x2;\n out1[2] = x3;\n out1[3] = x4;\n out1[4] = x5;\n}\n\n/* Not used in BoringSSL. */\n#if 0\n/*\n * The function fiat_25519_selectznz is a multi-limb conditional select.\n *\n * Postconditions:\n * eval out1 = (if arg1 = 0 then eval arg2 else eval arg3)\n *\n * Input Bounds:\n * arg1: [0x0 ~> 0x1]\n * arg2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]\n * arg3: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]\n * Output Bounds:\n * out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]\n */\nstatic FIAT_25519_FIAT_INLINE void fiat_25519_selectznz(uint64_t out1[5], fiat_25519_uint1 arg1, const uint64_t arg2[5], const uint64_t arg3[5]) {\n uint64_t x1;\n uint64_t x2;\n uint64_t x3;\n uint64_t x4;\n uint64_t x5;\n fiat_25519_cmovznz_u64(&x1, arg1, (arg2[0]), (arg3[0]));\n fiat_25519_cmovznz_u64(&x2, arg1, (arg2[1]), (arg3[1]));\n fiat_25519_cmovznz_u64(&x3, arg1, (arg2[2]), (arg3[2]));\n fiat_25519_cmovznz_u64(&x4, arg1, (arg2[3]), (arg3[3]));\n fiat_25519_cmovznz_u64(&x5, arg1, (arg2[4]), (arg3[4]));\n out1[0] = x1;\n out1[1] = x2;\n out1[2] = x3;\n out1[3] = x4;\n out1[4] = x5;\n}\n#endif\n\n/*\n * The function fiat_25519_to_bytes serializes a field element to bytes in little-endian order.\n *\n * Postconditions:\n * out1 = map (λ x, ⌊((eval arg1 mod m) mod 2^(8 * (x + 1))) / 2^(8 * x)⌋) [0..31]\n *\n * Output Bounds:\n * out1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0x7f]]\n */\nstatic FIAT_25519_FIAT_INLINE void fiat_25519_to_bytes(uint8_t out1[32], const fiat_25519_tight_field_element arg1) {\n uint64_t x1;\n fiat_25519_uint1 x2;\n uint64_t x3;\n fiat_25519_uint1 x4;\n uint64_t x5;\n fiat_25519_uint1 x6;\n uint64_t x7;\n fiat_25519_uint1 x8;\n uint64_t x9;\n fiat_25519_uint1 x10;\n uint64_t x11;\n uint64_t x12;\n fiat_25519_uint1 x13;\n uint64_t x14;\n fiat_25519_uint1 x15;\n uint64_t x16;\n fiat_25519_uint1 x17;\n uint64_t x18;\n fiat_25519_uint1 x19;\n uint64_t x20;\n fiat_25519_uint1 x21;\n uint64_t x22;\n uint64_t x23;\n uint64_t x24;\n uint64_t x25;\n uint8_t x26;\n uint64_t x27;\n uint8_t x28;\n uint64_t x29;\n uint8_t x30;\n uint64_t x31;\n uint8_t x32;\n uint64_t x33;\n uint8_t x34;\n uint64_t x35;\n uint8_t x36;\n uint8_t x37;\n uint64_t x38;\n uint8_t x39;\n uint64_t x40;\n uint8_t x41;\n uint64_t x42;\n uint8_t x43;\n uint64_t x44;\n uint8_t x45;\n uint64_t x46;\n uint8_t x47;\n uint64_t x48;\n uint8_t x49;\n uint8_t x50;\n uint64_t x51;\n uint8_t x52;\n uint64_t x53;\n uint8_t x54;\n uint64_t x55;\n uint8_t x56;\n uint64_t x57;\n uint8_t x58;\n uint64_t x59;\n uint8_t x60;\n uint64_t x61;\n uint8_t x62;\n uint64_t x63;\n uint8_t x64;\n fiat_25519_uint1 x65;\n uint64_t x66;\n uint8_t x67;\n uint64_t x68;\n uint8_t x69;\n uint64_t x70;\n uint8_t x71;\n uint64_t x72;\n uint8_t x73;\n uint64_t x74;\n uint8_t x75;\n uint64_t x76;\n uint8_t x77;\n uint8_t x78;\n uint64_t x79;\n uint8_t x80;\n uint64_t x81;\n uint8_t x82;\n uint64_t x83;\n uint8_t x84;\n uint64_t x85;\n uint8_t x86;\n uint64_t x87;\n uint8_t x88;\n uint64_t x89;\n uint8_t x90;\n uint8_t x91;\n fiat_25519_subborrowx_u51(&x1, &x2, 0x0, (arg1[0]), UINT64_C(0x7ffffffffffed));\n fiat_25519_subborrowx_u51(&x3, &x4, x2, (arg1[1]), UINT64_C(0x7ffffffffffff));\n fiat_25519_subborrowx_u51(&x5, &x6, x4, (arg1[2]), UINT64_C(0x7ffffffffffff));\n fiat_25519_subborrowx_u51(&x7, &x8, x6, (arg1[3]), UINT64_C(0x7ffffffffffff));\n fiat_25519_subborrowx_u51(&x9, &x10, x8, (arg1[4]), UINT64_C(0x7ffffffffffff));\n fiat_25519_cmovznz_u64(&x11, x10, 0x0, UINT64_C(0xffffffffffffffff));\n fiat_25519_addcarryx_u51(&x12, &x13, 0x0, x1, (x11 & UINT64_C(0x7ffffffffffed)));\n fiat_25519_addcarryx_u51(&x14, &x15, x13, x3, (x11 & UINT64_C(0x7ffffffffffff)));\n fiat_25519_addcarryx_u51(&x16, &x17, x15, x5, (x11 & UINT64_C(0x7ffffffffffff)));\n fiat_25519_addcarryx_u51(&x18, &x19, x17, x7, (x11 & UINT64_C(0x7ffffffffffff)));\n fiat_25519_addcarryx_u51(&x20, &x21, x19, x9, (x11 & UINT64_C(0x7ffffffffffff)));\n x22 = (x20 << 4);\n x23 = (x18 * (uint64_t)0x2);\n x24 = (x16 << 6);\n x25 = (x14 << 3);\n x26 = (uint8_t)(x12 & UINT8_C(0xff));\n x27 = (x12 >> 8);\n x28 = (uint8_t)(x27 & UINT8_C(0xff));\n x29 = (x27 >> 8);\n x30 = (uint8_t)(x29 & UINT8_C(0xff));\n x31 = (x29 >> 8);\n x32 = (uint8_t)(x31 & UINT8_C(0xff));\n x33 = (x31 >> 8);\n x34 = (uint8_t)(x33 & UINT8_C(0xff));\n x35 = (x33 >> 8);\n x36 = (uint8_t)(x35 & UINT8_C(0xff));\n x37 = (uint8_t)(x35 >> 8);\n x38 = (x25 + (uint64_t)x37);\n x39 = (uint8_t)(x38 & UINT8_C(0xff));\n x40 = (x38 >> 8);\n x41 = (uint8_t)(x40 & UINT8_C(0xff));\n x42 = (x40 >> 8);\n x43 = (uint8_t)(x42 & UINT8_C(0xff));\n x44 = (x42 >> 8);\n x45 = (uint8_t)(x44 & UINT8_C(0xff));\n x46 = (x44 >> 8);\n x47 = (uint8_t)(x46 & UINT8_C(0xff));\n x48 = (x46 >> 8);\n x49 = (uint8_t)(x48 & UINT8_C(0xff));\n x50 = (uint8_t)(x48 >> 8);\n x51 = (x24 + (uint64_t)x50);\n x52 = (uint8_t)(x51 & UINT8_C(0xff));\n x53 = (x51 >> 8);\n x54 = (uint8_t)(x53 & UINT8_C(0xff));\n x55 = (x53 >> 8);\n x56 = (uint8_t)(x55 & UINT8_C(0xff));\n x57 = (x55 >> 8);\n x58 = (uint8_t)(x57 & UINT8_C(0xff));\n x59 = (x57 >> 8);\n x60 = (uint8_t)(x59 & UINT8_C(0xff));\n x61 = (x59 >> 8);\n x62 = (uint8_t)(x61 & UINT8_C(0xff));\n x63 = (x61 >> 8);\n x64 = (uint8_t)(x63 & UINT8_C(0xff));\n x65 = (fiat_25519_uint1)(x63 >> 8);\n x66 = (x23 + (uint64_t)x65);\n x67 = (uint8_t)(x66 & UINT8_C(0xff));\n x68 = (x66 >> 8);\n x69 = (uint8_t)(x68 & UINT8_C(0xff));\n x70 = (x68 >> 8);\n x71 = (uint8_t)(x70 & UINT8_C(0xff));\n x72 = (x70 >> 8);\n x73 = (uint8_t)(x72 & UINT8_C(0xff));\n x74 = (x72 >> 8);\n x75 = (uint8_t)(x74 & UINT8_C(0xff));\n x76 = (x74 >> 8);\n x77 = (uint8_t)(x76 & UINT8_C(0xff));\n x78 = (uint8_t)(x76 >> 8);\n x79 = (x22 + (uint64_t)x78);\n x80 = (uint8_t)(x79 & UINT8_C(0xff));\n x81 = (x79 >> 8);\n x82 = (uint8_t)(x81 & UINT8_C(0xff));\n x83 = (x81 >> 8);\n x84 = (uint8_t)(x83 & UINT8_C(0xff));\n x85 = (x83 >> 8);\n x86 = (uint8_t)(x85 & UINT8_C(0xff));\n x87 = (x85 >> 8);\n x88 = (uint8_t)(x87 & UINT8_C(0xff));\n x89 = (x87 >> 8);\n x90 = (uint8_t)(x89 & UINT8_C(0xff));\n x91 = (uint8_t)(x89 >> 8);\n out1[0] = x26;\n out1[1] = x28;\n out1[2] = x30;\n out1[3] = x32;\n out1[4] = x34;\n out1[5] = x36;\n out1[6] = x39;\n out1[7] = x41;\n out1[8] = x43;\n out1[9] = x45;\n out1[10] = x47;\n out1[11] = x49;\n out1[12] = x52;\n out1[13] = x54;\n out1[14] = x56;\n out1[15] = x58;\n out1[16] = x60;\n out1[17] = x62;\n out1[18] = x64;\n out1[19] = x67;\n out1[20] = x69;\n out1[21] = x71;\n out1[22] = x73;\n out1[23] = x75;\n out1[24] = x77;\n out1[25] = x80;\n out1[26] = x82;\n out1[27] = x84;\n out1[28] = x86;\n out1[29] = x88;\n out1[30] = x90;\n out1[31] = x91;\n}\n\n/*\n * The function fiat_25519_from_bytes deserializes a field element from bytes in little-endian order.\n *\n * Postconditions:\n * eval out1 mod m = bytes_eval arg1 mod m\n *\n * Input Bounds:\n * arg1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0x7f]]\n */\nstatic FIAT_25519_FIAT_INLINE void fiat_25519_from_bytes(fiat_25519_tight_field_element out1, const uint8_t arg1[32]) {\n uint64_t x1;\n uint64_t x2;\n uint64_t x3;\n uint64_t x4;\n uint64_t x5;\n uint64_t x6;\n uint64_t x7;\n uint64_t x8;\n uint64_t x9;\n uint64_t x10;\n uint64_t x11;\n uint64_t x12;\n uint64_t x13;\n uint64_t x14;\n uint64_t x15;\n uint64_t x16;\n uint64_t x17;\n uint64_t x18;\n uint64_t x19;\n uint64_t x20;\n uint64_t x21;\n uint64_t x22;\n uint64_t x23;\n uint64_t x24;\n uint64_t x25;\n uint64_t x26;\n uint64_t x27;\n uint64_t x28;\n uint64_t x29;\n uint64_t x30;\n uint64_t x31;\n uint8_t x32;\n uint64_t x33;\n uint64_t x34;\n uint64_t x35;\n uint64_t x36;\n uint64_t x37;\n uint64_t x38;\n uint64_t x39;\n uint8_t x40;\n uint64_t x41;\n uint64_t x42;\n uint64_t x43;\n uint64_t x44;\n uint64_t x45;\n uint64_t x46;\n uint64_t x47;\n uint8_t x48;\n uint64_t x49;\n uint64_t x50;\n uint64_t x51;\n uint64_t x52;\n uint64_t x53;\n uint64_t x54;\n uint64_t x55;\n uint64_t x56;\n uint8_t x57;\n uint64_t x58;\n uint64_t x59;\n uint64_t x60;\n uint64_t x61;\n uint64_t x62;\n uint64_t x63;\n uint64_t x64;\n uint8_t x65;\n uint64_t x66;\n uint64_t x67;\n uint64_t x68;\n uint64_t x69;\n uint64_t x70;\n uint64_t x71;\n x1 = ((uint64_t)(arg1[31]) << 44);\n x2 = ((uint64_t)(arg1[30]) << 36);\n x3 = ((uint64_t)(arg1[29]) << 28);\n x4 = ((uint64_t)(arg1[28]) << 20);\n x5 = ((uint64_t)(arg1[27]) << 12);\n x6 = ((uint64_t)(arg1[26]) << 4);\n x7 = ((uint64_t)(arg1[25]) << 47);\n x8 = ((uint64_t)(arg1[24]) << 39);\n x9 = ((uint64_t)(arg1[23]) << 31);\n x10 = ((uint64_t)(arg1[22]) << 23);\n x11 = ((uint64_t)(arg1[21]) << 15);\n x12 = ((uint64_t)(arg1[20]) << 7);\n x13 = ((uint64_t)(arg1[19]) << 50);\n x14 = ((uint64_t)(arg1[18]) << 42);\n x15 = ((uint64_t)(arg1[17]) << 34);\n x16 = ((uint64_t)(arg1[16]) << 26);\n x17 = ((uint64_t)(arg1[15]) << 18);\n x18 = ((uint64_t)(arg1[14]) << 10);\n x19 = ((uint64_t)(arg1[13]) << 2);\n x20 = ((uint64_t)(arg1[12]) << 45);\n x21 = ((uint64_t)(arg1[11]) << 37);\n x22 = ((uint64_t)(arg1[10]) << 29);\n x23 = ((uint64_t)(arg1[9]) << 21);\n x24 = ((uint64_t)(arg1[8]) << 13);\n x25 = ((uint64_t)(arg1[7]) << 5);\n x26 = ((uint64_t)(arg1[6]) << 48);\n x27 = ((uint64_t)(arg1[5]) << 40);\n x28 = ((uint64_t)(arg1[4]) << 32);\n x29 = ((uint64_t)(arg1[3]) << 24);\n x30 = ((uint64_t)(arg1[2]) << 16);\n x31 = ((uint64_t)(arg1[1]) << 8);\n x32 = (arg1[0]);\n x33 = (x31 + (uint64_t)x32);\n x34 = (x30 + x33);\n x35 = (x29 + x34);\n x36 = (x28 + x35);\n x37 = (x27 + x36);\n x38 = (x26 + x37);\n x39 = (x38 & UINT64_C(0x7ffffffffffff));\n x40 = (uint8_t)(x38 >> 51);\n x41 = (x25 + (uint64_t)x40);\n x42 = (x24 + x41);\n x43 = (x23 + x42);\n x44 = (x22 + x43);\n x45 = (x21 + x44);\n x46 = (x20 + x45);\n x47 = (x46 & UINT64_C(0x7ffffffffffff));\n x48 = (uint8_t)(x46 >> 51);\n x49 = (x19 + (uint64_t)x48);\n x50 = (x18 + x49);\n x51 = (x17 + x50);\n x52 = (x16 + x51);\n x53 = (x15 + x52);\n x54 = (x14 + x53);\n x55 = (x13 + x54);\n x56 = (x55 & UINT64_C(0x7ffffffffffff));\n x57 = (uint8_t)(x55 >> 51);\n x58 = (x12 + (uint64_t)x57);\n x59 = (x11 + x58);\n x60 = (x10 + x59);\n x61 = (x9 + x60);\n x62 = (x8 + x61);\n x63 = (x7 + x62);\n x64 = (x63 & UINT64_C(0x7ffffffffffff));\n x65 = (uint8_t)(x63 >> 51);\n x66 = (x6 + (uint64_t)x65);\n x67 = (x5 + x66);\n x68 = (x4 + x67);\n x69 = (x3 + x68);\n x70 = (x2 + x69);\n x71 = (x1 + x70);\n out1[0] = x39;\n out1[1] = x47;\n out1[2] = x56;\n out1[3] = x64;\n out1[4] = x71;\n}\n\n/* Not used in BoringSSL. */\n#if 0\n/*\n * The function fiat_25519_relax is the identity function converting from tight field elements to loose field elements.\n *\n * Postconditions:\n * out1 = arg1\n *\n */\nstatic FIAT_25519_FIAT_INLINE void fiat_25519_relax(fiat_25519_loose_field_element out1, const fiat_25519_tight_field_element arg1) {\n uint64_t x1;\n uint64_t x2;\n uint64_t x3;\n uint64_t x4;\n uint64_t x5;\n x1 = (arg1[0]);\n x2 = (arg1[1]);\n x3 = (arg1[2]);\n x4 = (arg1[3]);\n x5 = (arg1[4]);\n out1[0] = x1;\n out1[1] = x2;\n out1[2] = x3;\n out1[3] = x4;\n out1[4] = x5;\n}\n#endif\n\n/*\n * The function fiat_25519_carry_scmul_121666 multiplies a field element by 121666 and reduces the result.\n *\n * Postconditions:\n * eval out1 mod m = (121666 * eval arg1) mod m\n *\n */\nstatic FIAT_25519_FIAT_INLINE void fiat_25519_carry_scmul_121666(fiat_25519_tight_field_element out1, const fiat_25519_loose_field_element arg1) {\n fiat_25519_uint128 x1;\n fiat_25519_uint128 x2;\n fiat_25519_uint128 x3;\n fiat_25519_uint128 x4;\n fiat_25519_uint128 x5;\n uint64_t x6;\n uint64_t x7;\n fiat_25519_uint128 x8;\n uint64_t x9;\n uint64_t x10;\n fiat_25519_uint128 x11;\n uint64_t x12;\n uint64_t x13;\n fiat_25519_uint128 x14;\n uint64_t x15;\n uint64_t x16;\n fiat_25519_uint128 x17;\n uint64_t x18;\n uint64_t x19;\n uint64_t x20;\n uint64_t x21;\n fiat_25519_uint1 x22;\n uint64_t x23;\n uint64_t x24;\n fiat_25519_uint1 x25;\n uint64_t x26;\n uint64_t x27;\n x1 = ((fiat_25519_uint128)UINT32_C(0x1db42) * (arg1[4]));\n x2 = ((fiat_25519_uint128)UINT32_C(0x1db42) * (arg1[3]));\n x3 = ((fiat_25519_uint128)UINT32_C(0x1db42) * (arg1[2]));\n x4 = ((fiat_25519_uint128)UINT32_C(0x1db42) * (arg1[1]));\n x5 = ((fiat_25519_uint128)UINT32_C(0x1db42) * (arg1[0]));\n x6 = (uint64_t)(x5 >> 51);\n x7 = (uint64_t)(x5 & UINT64_C(0x7ffffffffffff));\n x8 = (x6 + x4);\n x9 = (uint64_t)(x8 >> 51);\n x10 = (uint64_t)(x8 & UINT64_C(0x7ffffffffffff));\n x11 = (x9 + x3);\n x12 = (uint64_t)(x11 >> 51);\n x13 = (uint64_t)(x11 & UINT64_C(0x7ffffffffffff));\n x14 = (x12 + x2);\n x15 = (uint64_t)(x14 >> 51);\n x16 = (uint64_t)(x14 & UINT64_C(0x7ffffffffffff));\n x17 = (x15 + x1);\n x18 = (uint64_t)(x17 >> 51);\n x19 = (uint64_t)(x17 & UINT64_C(0x7ffffffffffff));\n x20 = (x18 * UINT8_C(0x13));\n x21 = (x7 + x20);\n x22 = (fiat_25519_uint1)(x21 >> 51);\n x23 = (x21 & UINT64_C(0x7ffffffffffff));\n x24 = (x22 + x10);\n x25 = (fiat_25519_uint1)(x24 >> 51);\n x26 = (x24 & UINT64_C(0x7ffffffffffff));\n x27 = (x25 + x13);\n out1[0] = x23;\n out1[1] = x26;\n out1[2] = x27;\n out1[3] = x16;\n out1[4] = x19;\n}\n" }, { "path": "Sources/CNIOBoringSSL/third_party/fiat/curve25519_64_adx.h", "content": "#include \n#include \"../../crypto/internal.h\"\n\n#include \n#include \n#include \n\ntypedef uint64_t fe4[4];\ntypedef uint8_t fiat_uint1;\ntypedef int8_t fiat_int1;\n\nstatic __inline__ uint64_t fiat_value_barrier_u64(uint64_t a) {\n __asm__(\"\" : \"+r\"(a) : /* no inputs */);\n return a;\n}\n\n__attribute__((target(\"adx,bmi2\")))\nstatic inline void fe4_mul(fe4 out, const fe4 x, const fe4 y) { fiat_curve25519_adx_mul(out, x, y); }\n\n__attribute__((target(\"adx,bmi2\")))\nstatic inline void fe4_sq(fe4 out, const fe4 x) { fiat_curve25519_adx_square(out, x); }\n\n/*\n * The function fiat_mulx_u64 is a multiplication, returning the full double-width result.\n *\n * Postconditions:\n * out1 = (arg1 * arg2) mod 2^64\n * out2 = ⌊arg1 * arg2 / 2^64⌋\n *\n * Input Bounds:\n * arg1: [0x0 ~> 0xffffffffffffffff]\n * arg2: [0x0 ~> 0xffffffffffffffff]\n * Output Bounds:\n * out1: [0x0 ~> 0xffffffffffffffff]\n * out2: [0x0 ~> 0xffffffffffffffff]\n */\n__attribute__((target(\"adx,bmi2\")))\nstatic inline void fiat_mulx_u64(uint64_t* out1, uint64_t* out2, uint64_t arg1, uint64_t arg2) {\n// NOTE: edited after generation\n#if defined(_M_X64)\n unsigned long long t;\n *out1 = _umul128(arg1, arg2, &t);\n *out2 = t;\n#elif defined(_M_ARM64)\n *out1 = arg1 * arg2;\n *out2 = __umulh(arg1, arg2);\n#else\n unsigned __int128 t = (unsigned __int128)arg1 * arg2;\n *out1 = t;\n *out2 = (t >> 64);\n#endif\n}\n\n/*\n * The function fiat_addcarryx_u64 is an addition with carry.\n *\n * Postconditions:\n * out1 = (arg1 + arg2 + arg3) mod 2^64\n * out2 = ⌊(arg1 + arg2 + arg3) / 2^64⌋\n *\n * Input Bounds:\n * arg1: [0x0 ~> 0x1]\n * arg2: [0x0 ~> 0xffffffffffffffff]\n * arg3: [0x0 ~> 0xffffffffffffffff]\n * Output Bounds:\n * out1: [0x0 ~> 0xffffffffffffffff]\n * out2: [0x0 ~> 0x1]\n */\n__attribute__((target(\"adx,bmi2\")))\nstatic inline void fiat_addcarryx_u64(uint64_t* out1, fiat_uint1* out2, fiat_uint1 arg1, uint64_t arg2, uint64_t arg3) {\n// NOTE: edited after generation\n#if defined(__has_builtin)\n# if __has_builtin(__builtin_ia32_addcarryx_u64)\n# define addcarry64 __builtin_ia32_addcarryx_u64\n# endif\n#endif\n#if defined(addcarry64)\n long long unsigned int t;\n *out2 = addcarry64(arg1, arg2, arg3, &t);\n *out1 = t;\n#elif defined(_M_X64)\n long long unsigned int t;\n *out2 = _addcarry_u64(arg1, arg2, arg3, out1);\n *out1 = t;\n#else\n arg2 += arg1;\n arg1 = arg2 < arg1;\n uint64_t ret = arg2 + arg3;\n arg1 += ret < arg2;\n *out1 = ret;\n *out2 = arg1;\n#endif\n#undef addcarry64\n}\n\n/*\n * The function fiat_subborrowx_u64 is a subtraction with borrow.\n *\n * Postconditions:\n * out1 = (-arg1 + arg2 + -arg3) mod 2^64\n * out2 = -⌊(-arg1 + arg2 + -arg3) / 2^64⌋\n *\n * Input Bounds:\n * arg1: [0x0 ~> 0x1]\n * arg2: [0x0 ~> 0xffffffffffffffff]\n * arg3: [0x0 ~> 0xffffffffffffffff]\n * Output Bounds:\n * out1: [0x0 ~> 0xffffffffffffffff]\n * out2: [0x0 ~> 0x1]\n */\n__attribute__((target(\"adx,bmi2\")))\nstatic inline void fiat_subborrowx_u64(uint64_t* out1, fiat_uint1* out2, fiat_uint1 arg1, uint64_t arg2, uint64_t arg3) {\n#if defined(__has_builtin)\n# if __has_builtin(__builtin_ia32_subborrow_u64)\n# define subborrow64 __builtin_ia32_subborrow_u64\n# endif\n#endif\n#if defined(subborrow64)\n long long unsigned int t;\n *out2 = subborrow64(arg1, arg2, arg3, &t);\n *out1 = t;\n#elif defined(_M_X64)\n long long unsigned int t;\n *out2 = _subborrow_u64(arg1, arg2, arg3, &t); // NOTE: edited after generation\n *out1 = t;\n#else\n *out1 = arg2 - arg3 - arg1;\n *out2 = (arg2 < arg3) | ((arg2 == arg3) & arg1);\n#endif\n#undef subborrow64\n}\n\n/*\n * The function fiat_cmovznz_u64 is a single-word conditional move.\n *\n * Postconditions:\n * out1 = (if arg1 = 0 then arg2 else arg3)\n *\n * Input Bounds:\n * arg1: [0x0 ~> 0x1]\n * arg2: [0x0 ~> 0xffffffffffffffff]\n * arg3: [0x0 ~> 0xffffffffffffffff]\n * Output Bounds:\n * out1: [0x0 ~> 0xffffffffffffffff]\n */\n__attribute__((target(\"adx,bmi2\")))\nstatic inline void fiat_cmovznz_u64(uint64_t* out1, fiat_uint1 arg1, uint64_t arg2, uint64_t arg3) {\n fiat_uint1 x1;\n uint64_t x2;\n uint64_t x3;\n x1 = (!(!arg1));\n x2 = ((fiat_int1)(0x0 - x1) & UINT64_C(0xffffffffffffffff));\n x3 = ((fiat_value_barrier_u64(x2) & arg3) | (fiat_value_barrier_u64((~x2)) & arg2));\n *out1 = x3;\n}\n\n/*\n * Input Bounds:\n * arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]\n * arg2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]\n * Output Bounds:\n * out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]\n */\n__attribute__((target(\"adx,bmi2\")))\nstatic void fe4_add(uint64_t out1[4], const uint64_t arg1[4], const uint64_t arg2[4]) {\n uint64_t x1;\n fiat_uint1 x2;\n uint64_t x3;\n fiat_uint1 x4;\n uint64_t x5;\n fiat_uint1 x6;\n uint64_t x7;\n fiat_uint1 x8;\n uint64_t x9;\n uint64_t x10;\n fiat_uint1 x11;\n uint64_t x12;\n fiat_uint1 x13;\n uint64_t x14;\n fiat_uint1 x15;\n uint64_t x16;\n fiat_uint1 x17;\n uint64_t x18;\n uint64_t x19;\n fiat_uint1 x20;\n fiat_addcarryx_u64(&x1, &x2, 0x0, (arg1[0]), (arg2[0]));\n fiat_addcarryx_u64(&x3, &x4, x2, (arg1[1]), (arg2[1]));\n fiat_addcarryx_u64(&x5, &x6, x4, (arg1[2]), (arg2[2]));\n fiat_addcarryx_u64(&x7, &x8, x6, (arg1[3]), (arg2[3]));\n fiat_cmovznz_u64(&x9, x8, 0x0, UINT8_C(0x26)); // NOTE: clang 14 for Zen 2 uses sbb, and\n fiat_addcarryx_u64(&x10, &x11, 0x0, x1, x9);\n fiat_addcarryx_u64(&x12, &x13, x11, x3, 0x0);\n fiat_addcarryx_u64(&x14, &x15, x13, x5, 0x0);\n fiat_addcarryx_u64(&x16, &x17, x15, x7, 0x0);\n fiat_cmovznz_u64(&x18, x17, 0x0, UINT8_C(0x26)); // NOTE: clang 14 for Zen 2 uses sbb, and\n fiat_addcarryx_u64(&x19, &x20, 0x0, x10, x18);\n out1[0] = x19;\n out1[1] = x12;\n out1[2] = x14;\n out1[3] = x16;\n}\n\n/*\n * Input Bounds:\n * arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]\n * arg2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]\n * Output Bounds:\n * out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]\n */\n__attribute__((target(\"adx,bmi2\")))\nstatic void fe4_sub(uint64_t out1[4], const uint64_t arg1[4], const uint64_t arg2[4]) {\n uint64_t x1;\n uint64_t x2;\n fiat_uint1 x3;\n uint64_t x4;\n uint64_t x5;\n fiat_uint1 x6;\n uint64_t x7;\n uint64_t x8;\n fiat_uint1 x9;\n uint64_t x10;\n uint64_t x11;\n fiat_uint1 x12;\n uint64_t x13;\n uint64_t x14;\n fiat_uint1 x15;\n uint64_t x16;\n fiat_uint1 x17;\n uint64_t x18;\n fiat_uint1 x19;\n uint64_t x20;\n fiat_uint1 x21;\n uint64_t x22;\n uint64_t x23;\n fiat_uint1 x24;\n x1 = (arg2[0]);\n fiat_subborrowx_u64(&x2, &x3, 0x0, (arg1[0]), x1);\n x4 = (arg2[1]);\n fiat_subborrowx_u64(&x5, &x6, x3, (arg1[1]), x4);\n x7 = (arg2[2]);\n fiat_subborrowx_u64(&x8, &x9, x6, (arg1[2]), x7);\n x10 = (arg2[3]);\n fiat_subborrowx_u64(&x11, &x12, x9, (arg1[3]), x10);\n fiat_cmovznz_u64(&x13, x12, 0x0, UINT8_C(0x26)); // NOTE: clang 14 for Zen 2 uses sbb, and\n fiat_subborrowx_u64(&x14, &x15, 0x0, x2, x13);\n fiat_subborrowx_u64(&x16, &x17, x15, x5, 0x0);\n fiat_subborrowx_u64(&x18, &x19, x17, x8, 0x0);\n fiat_subborrowx_u64(&x20, &x21, x19, x11, 0x0);\n fiat_cmovznz_u64(&x22, x21, 0x0, UINT8_C(0x26)); // NOTE: clang 14 for Zen 2 uses sbb, and\n fiat_subborrowx_u64(&x23, &x24, 0x0, x14, x22);\n out1[0] = x23;\n out1[1] = x16;\n out1[2] = x18;\n out1[3] = x20;\n}\n\n/*\n * Input Bounds:\n * arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]\n * arg2: [0x0 ~> 0x3ffffffffffffff] // NOTE: this is not any uint64!\n * Output Bounds:\n * out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]\n */\n__attribute__((target(\"adx,bmi2\")))\nstatic void fe4_scmul(uint64_t out1[4], const uint64_t arg1[4], uint64_t arg2) {\n uint64_t x1;\n uint64_t x2;\n uint64_t x3;\n uint64_t x4;\n uint64_t x5;\n fiat_uint1 x6;\n uint64_t x7;\n uint64_t x8;\n uint64_t x9;\n fiat_uint1 x10;\n uint64_t x11;\n uint64_t x12;\n uint64_t x13;\n fiat_uint1 x14;\n uint64_t x15;\n uint64_t x16;\n uint64_t x17;\n fiat_uint1 x18;\n uint64_t x19;\n fiat_uint1 x20;\n uint64_t x21;\n fiat_uint1 x22;\n uint64_t x23;\n fiat_uint1 x24;\n uint64_t x25;\n uint64_t x26;\n fiat_uint1 x27;\n fiat_mulx_u64(&x1, &x2, (arg1[0]), arg2);\n fiat_mulx_u64(&x3, &x4, (arg1[1]), arg2);\n fiat_addcarryx_u64(&x5, &x6, 0x0, x2, x3);\n fiat_mulx_u64(&x7, &x8, (arg1[2]), arg2);\n fiat_addcarryx_u64(&x9, &x10, x6, x4, x7);\n fiat_mulx_u64(&x11, &x12, (arg1[3]), arg2);\n fiat_addcarryx_u64(&x13, &x14, x10, x8, x11);\n fiat_mulx_u64(&x15, &x16, (x12 + (uint64_t)x14), UINT8_C(0x26));\n fiat_addcarryx_u64(&x17, &x18, 0x0, x1, x15);\n fiat_addcarryx_u64(&x19, &x20, x18, x5, 0x0);\n fiat_addcarryx_u64(&x21, &x22, x20, x9, 0x0);\n fiat_addcarryx_u64(&x23, &x24, x22, x13, 0x0);\n fiat_cmovznz_u64(&x25, x24, 0x0, UINT8_C(0x26)); // NOTE: clang 14 for Zen 2 uses sbb, and\n fiat_addcarryx_u64(&x26, &x27, 0x0, x17, x25);\n out1[0] = x26;\n out1[1] = x19;\n out1[2] = x21;\n out1[3] = x23;\n}\n\n/*\n * Input Bounds:\n * arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]\n * Output Bounds:\n * out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]\n */\n__attribute__((target(\"adx,bmi2\")))\nstatic void fe4_canon(uint64_t out1[4], const uint64_t arg1[4]) {\n uint64_t x1;\n fiat_uint1 x2;\n uint64_t x3;\n fiat_uint1 x4;\n uint64_t x5;\n fiat_uint1 x6;\n uint64_t x7;\n fiat_uint1 x8;\n uint64_t x9;\n uint64_t x10;\n uint64_t x11;\n uint64_t x12;\n uint64_t x13;\n fiat_uint1 x14;\n uint64_t x15;\n fiat_uint1 x16;\n uint64_t x17;\n fiat_uint1 x18;\n uint64_t x19;\n fiat_uint1 x20;\n uint64_t x21;\n uint64_t x22;\n uint64_t x23;\n uint64_t x24;\n fiat_subborrowx_u64(&x1, &x2, 0x0, (arg1[0]), UINT64_C(0xffffffffffffffed));\n fiat_subborrowx_u64(&x3, &x4, x2, (arg1[1]), UINT64_C(0xffffffffffffffff));\n fiat_subborrowx_u64(&x5, &x6, x4, (arg1[2]), UINT64_C(0xffffffffffffffff));\n fiat_subborrowx_u64(&x7, &x8, x6, (arg1[3]), UINT64_C(0x7fffffffffffffff));\n fiat_cmovznz_u64(&x9, x8, x1, (arg1[0]));\n fiat_cmovznz_u64(&x10, x8, x3, (arg1[1]));\n fiat_cmovznz_u64(&x11, x8, x5, (arg1[2]));\n fiat_cmovznz_u64(&x12, x8, x7, (arg1[3]));\n fiat_subborrowx_u64(&x13, &x14, 0x0, x9, UINT64_C(0xffffffffffffffed));\n fiat_subborrowx_u64(&x15, &x16, x14, x10, UINT64_C(0xffffffffffffffff));\n fiat_subborrowx_u64(&x17, &x18, x16, x11, UINT64_C(0xffffffffffffffff));\n fiat_subborrowx_u64(&x19, &x20, x18, x12, UINT64_C(0x7fffffffffffffff));\n fiat_cmovznz_u64(&x21, x20, x13, x9);\n fiat_cmovznz_u64(&x22, x20, x15, x10);\n fiat_cmovznz_u64(&x23, x20, x17, x11);\n fiat_cmovznz_u64(&x24, x20, x19, x12);\n out1[0] = x21;\n out1[1] = x22;\n out1[2] = x23;\n out1[3] = x24;\n}\n\n/*\n * Input Bounds:\n * arg1: [0x0 ~> 0x1]\n * arg2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]\n * arg3: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]\n * Output Bounds:\n * out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]\n * out2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]\n */\n__attribute__((target(\"adx,bmi2\")))\nstatic void fe4_cswap(uint64_t out1[4], uint64_t out2[4], fiat_uint1 arg1, const uint64_t arg2[4], const uint64_t arg3[4]) {\n uint64_t x1;\n uint64_t x2;\n uint64_t x3;\n uint64_t x4;\n uint64_t x5;\n uint64_t x6;\n uint64_t x7;\n uint64_t x8;\n // NOTE: clang 14 for Zen 2 uses YMM registers\n fiat_cmovznz_u64(&x1, arg1, (arg2[0]), (arg3[0]));\n fiat_cmovznz_u64(&x2, arg1, (arg2[1]), (arg3[1]));\n fiat_cmovznz_u64(&x3, arg1, (arg2[2]), (arg3[2]));\n fiat_cmovznz_u64(&x4, arg1, (arg2[3]), (arg3[3]));\n fiat_cmovznz_u64(&x5, arg1, (arg3[0]), (arg2[0]));\n fiat_cmovznz_u64(&x6, arg1, (arg3[1]), (arg2[1]));\n fiat_cmovznz_u64(&x7, arg1, (arg3[2]), (arg2[2]));\n fiat_cmovznz_u64(&x8, arg1, (arg3[3]), (arg2[3]));\n out1[0] = x1;\n out1[1] = x2;\n out1[2] = x3;\n out1[3] = x4;\n out2[0] = x5;\n out2[1] = x6;\n out2[2] = x7;\n out2[3] = x8;\n}\n\n// The following functions are adaped from crypto/curve25519/curve25519.c\n// It would be desirable to share the code, but with the current field\n// implementations both 4-limb and 5-limb versions of the curve-level code need\n// to be included in builds targetting an unknown variant of x86_64.\n\n__attribute__((target(\"adx,bmi2\")))\nstatic void fe4_invert(fe4 out, const fe4 z) {\n fe4 t0;\n fe4 t1;\n fe4 t2;\n fe4 t3;\n int i;\n\n fe4_sq(t0, z);\n fe4_sq(t1, t0);\n for (i = 1; i < 2; ++i) {\n fe4_sq(t1, t1);\n }\n fe4_mul(t1, z, t1);\n fe4_mul(t0, t0, t1);\n fe4_sq(t2, t0);\n fe4_mul(t1, t1, t2);\n fe4_sq(t2, t1);\n for (i = 1; i < 5; ++i) {\n fe4_sq(t2, t2);\n }\n fe4_mul(t1, t2, t1);\n fe4_sq(t2, t1);\n for (i = 1; i < 10; ++i) {\n fe4_sq(t2, t2);\n }\n fe4_mul(t2, t2, t1);\n fe4_sq(t3, t2);\n for (i = 1; i < 20; ++i) {\n fe4_sq(t3, t3);\n }\n fe4_mul(t2, t3, t2);\n fe4_sq(t2, t2);\n for (i = 1; i < 10; ++i) {\n fe4_sq(t2, t2);\n }\n fe4_mul(t1, t2, t1);\n fe4_sq(t2, t1);\n for (i = 1; i < 50; ++i) {\n fe4_sq(t2, t2);\n }\n fe4_mul(t2, t2, t1);\n fe4_sq(t3, t2);\n for (i = 1; i < 100; ++i) {\n fe4_sq(t3, t3);\n }\n fe4_mul(t2, t3, t2);\n fe4_sq(t2, t2);\n for (i = 1; i < 50; ++i) {\n fe4_sq(t2, t2);\n }\n fe4_mul(t1, t2, t1);\n fe4_sq(t1, t1);\n for (i = 1; i < 5; ++i) {\n fe4_sq(t1, t1);\n }\n fe4_mul(out, t1, t0);\n}\n\n__attribute__((target(\"adx,bmi2\")))\nvoid x25519_scalar_mult_adx(uint8_t out[32], const uint8_t scalar[32],\n const uint8_t point[32]) {\n uint8_t e[32];\n OPENSSL_memcpy(e, scalar, 32);\n e[0] &= 248;\n e[31] &= 127;\n e[31] |= 64;\n\n // The following implementation was transcribed to Coq and proven to\n // correspond to unary scalar multiplication in affine coordinates given that\n // x1 != 0 is the x coordinate of some point on the curve. It was also checked\n // in Coq that doing a ladderstep with x1 = x3 = 0 gives z2' = z3' = 0, and z2\n // = z3 = 0 gives z2' = z3' = 0. The statement was quantified over the\n // underlying field, so it applies to Curve25519 itself and the quadratic\n // twist of Curve25519. It was not proven in Coq that prime-field arithmetic\n // correctly simulates extension-field arithmetic on prime-field values.\n // The decoding of the byte array representation of e was not considered.\n // Specification of Montgomery curves in affine coordinates:\n // \n // Proof that these form a group that is isomorphic to a Weierstrass curve:\n // \n // Coq transcription and correctness proof of the loop (where scalarbits=255):\n // \n // \n // preconditions: 0 <= e < 2^255 (not necessarily e < order), fe_invert(0) = 0\n fe4 x1, x2 = {1}, z2 = {0}, x3, z3 = {1}, tmp0, tmp1;\n OPENSSL_memcpy(x1, point, sizeof(fe4));\n x1[3] &= (uint64_t)(-1)>>1;\n OPENSSL_memcpy(x3, x1, sizeof(fe4));\n\n unsigned swap = 0;\n int pos;\n for (pos = 254; pos >= 0; --pos) {\n // loop invariant as of right before the test, for the case where x1 != 0:\n // pos >= -1; if z2 = 0 then x2 is nonzero; if z3 = 0 then x3 is nonzero\n // let r := e >> (pos+1) in the following equalities of projective points:\n // to_xz (r*P) === if swap then (x3, z3) else (x2, z2)\n // to_xz ((r+1)*P) === if swap then (x2, z2) else (x3, z3)\n // x1 is the nonzero x coordinate of the nonzero point (r*P-(r+1)*P)\n unsigned b = 1 & (e[pos / 8] >> (pos & 7));\n swap ^= b;\n fe4_cswap(x2, x3, swap, x2, x3);\n fe4_cswap(z2, z3, swap, z2, z3);\n swap = b;\n // Coq transcription of ladderstep formula (called from transcribed loop):\n // \n // \n // x1 != 0 \n // x1 = 0 \n fe4_sub(tmp0, x3, z3);\n fe4_sub(tmp1, x2, z2);\n fe4_add(x2, x2, z2);\n fe4_add(z2, x3, z3);\n fe4_mul(z3, tmp0, x2);\n fe4_mul(z2, z2, tmp1);\n fe4_sq(tmp0, tmp1);\n fe4_sq(tmp1, x2);\n fe4_add(x3, z3, z2);\n fe4_sub(z2, z3, z2);\n fe4_mul(x2, tmp1, tmp0);\n fe4_sub(tmp1, tmp1, tmp0);\n fe4_sq(z2, z2);\n fe4_scmul(z3, tmp1, 121666);\n fe4_sq(x3, x3);\n fe4_add(tmp0, tmp0, z3);\n fe4_mul(z3, x1, z2);\n fe4_mul(z2, tmp1, tmp0);\n }\n // here pos=-1, so r=e, so to_xz (e*P) === if swap then (x3, z3) else (x2, z2)\n fe4_cswap(x2, x3, swap, x2, x3);\n fe4_cswap(z2, z3, swap, z2, z3);\n\n fe4_invert(z2, z2);\n fe4_mul(x2, x2, z2);\n fe4_canon(x2, x2);\n OPENSSL_memcpy(out, x2, sizeof(fe4));\n}\n\ntypedef struct {\n fe4 X;\n fe4 Y;\n fe4 Z;\n fe4 T;\n} ge_p3_4;\n\ntypedef struct {\n fe4 yplusx;\n fe4 yminusx;\n fe4 xy2d;\n} ge_precomp_4;\n\n__attribute__((target(\"adx,bmi2\")))\nstatic void inline_x25519_ge_dbl_4(ge_p3_4 *r, const ge_p3_4 *p, bool skip_t) {\n // Transcribed from a Coq function proven against affine coordinates.\n // https://github.com/mit-plv/fiat-crypto/blob/9943ba9e7d8f3e1c0054b2c94a5edca46ea73ef8/src/Curves/Edwards/XYZT/Basic.v#L136-L165\n fe4 trX, trZ, trT, t0, cX, cY, cZ, cT;\n fe4_sq(trX, p->X);\n fe4_sq(trZ, p->Y);\n fe4_sq(trT, p->Z);\n fe4_add(trT, trT, trT);\n fe4_add(cY, p->X, p->Y);\n fe4_sq(t0, cY);\n fe4_add(cY, trZ, trX);\n fe4_sub(cZ, trZ, trX);\n fe4_sub(cX, t0, cY);\n fe4_sub(cT, trT, cZ);\n fe4_mul(r->X, cX, cT);\n fe4_mul(r->Y, cY, cZ);\n fe4_mul(r->Z, cZ, cT);\n if (!skip_t) {\n fe4_mul(r->T, cX, cY);\n }\n}\n\n__attribute__((target(\"adx,bmi2\")))\n__attribute__((always_inline)) // 4% speedup with clang14 and zen2\nstatic inline void\nge_p3_add_p3_precomp_4(ge_p3_4 *r, const ge_p3_4 *p, const ge_precomp_4 *q) {\n fe4 A, B, C, YplusX, YminusX, D, X3, Y3, Z3, T3;\n // Transcribed from a Coq function proven against affine coordinates.\n // https://github.com/mit-plv/fiat-crypto/blob/a36568d1d73aff5d7accc79fd28be672882f9c17/src/Curves/Edwards/XYZT/Precomputed.v#L38-L56\n fe4_add(YplusX, p->Y, p->X);\n fe4_sub(YminusX, p->Y, p->X);\n fe4_mul(A, YplusX, q->yplusx);\n fe4_mul(B, YminusX, q->yminusx);\n fe4_mul(C, q->xy2d, p->T);\n fe4_add(D, p->Z, p->Z);\n fe4_sub(X3, A, B);\n fe4_add(Y3, A, B);\n fe4_add(Z3, D, C);\n fe4_sub(T3, D, C);\n fe4_mul(r->X, X3, T3);\n fe4_mul(r->Y, Y3, Z3);\n fe4_mul(r->Z, Z3, T3);\n fe4_mul(r->T, X3, Y3);\n}\n\n__attribute__((always_inline)) // 25% speedup with clang14 and zen2\nstatic inline void table_select_4(ge_precomp_4 *t, const int pos,\n const signed char b) {\n uint8_t bnegative = constant_time_msb_w(b);\n uint8_t babs = b - ((bnegative & b) << 1);\n\n uint8_t t_bytes[3][32] = {\n {static_cast(constant_time_is_zero_w(b) & 1)},\n {static_cast(constant_time_is_zero_w(b) & 1)},\n {0},\n };\n#if defined(__clang__)\n __asm__(\"\" : \"+m\" (t_bytes) : /*no inputs*/);\n#endif\n static_assert(sizeof(t_bytes) == sizeof(k25519Precomp[pos][0]), \"\");\n for (int i = 0; i < 8; i++) {\n constant_time_conditional_memxor(t_bytes, k25519Precomp[pos][i],\n sizeof(t_bytes),\n constant_time_eq_w(babs, 1 + i));\n }\n\n static_assert(sizeof(t_bytes) == sizeof(ge_precomp_4), \"\");\n\n // fe4 uses saturated 64-bit limbs, so converting from bytes is just a copy.\n OPENSSL_memcpy(t, t_bytes, sizeof(ge_precomp_4));\n\n fe4 xy2d_neg = {0};\n fe4_sub(xy2d_neg, xy2d_neg, t->xy2d);\n constant_time_conditional_memcpy(t->yplusx, t_bytes[1], sizeof(fe4),\n bnegative);\n constant_time_conditional_memcpy(t->yminusx, t_bytes[0], sizeof(fe4),\n bnegative);\n constant_time_conditional_memcpy(t->xy2d, xy2d_neg, sizeof(fe4), bnegative);\n}\n\n// h = a * B\n// where a = a[0]+256*a[1]+...+256^31 a[31]\n// B is the Ed25519 base point (x,4/5) with x positive.\n//\n// Preconditions:\n// a[31] <= 127\n__attribute__((target(\"adx,bmi2\")))\nvoid x25519_ge_scalarmult_base_adx(uint8_t h[4][32], const uint8_t a[32]) {\n signed char e[64];\n signed char carry;\n\n for (unsigned i = 0; i < 32; ++i) {\n e[2 * i + 0] = (a[i] >> 0) & 15;\n e[2 * i + 1] = (a[i] >> 4) & 15;\n }\n // each e[i] is between 0 and 15\n // e[63] is between 0 and 7\n\n carry = 0;\n for (unsigned i = 0; i < 63; ++i) {\n e[i] += carry;\n carry = e[i] + 8;\n carry >>= 4;\n e[i] -= carry << 4;\n }\n e[63] += carry;\n // each e[i] is between -8 and 8\n\n ge_p3_4 r = {{0}, {1}, {1}, {0}};\n for (unsigned i = 1; i < 64; i += 2) {\n ge_precomp_4 t;\n table_select_4(&t, i / 2, e[i]);\n ge_p3_add_p3_precomp_4(&r, &r, &t);\n }\n\n inline_x25519_ge_dbl_4(&r, &r, /*skip_t=*/true);\n inline_x25519_ge_dbl_4(&r, &r, /*skip_t=*/true);\n inline_x25519_ge_dbl_4(&r, &r, /*skip_t=*/true);\n inline_x25519_ge_dbl_4(&r, &r, /*skip_t=*/false);\n\n for (unsigned i = 0; i < 64; i += 2) {\n ge_precomp_4 t;\n table_select_4(&t, i / 2, e[i]);\n ge_p3_add_p3_precomp_4(&r, &r, &t);\n }\n\n // fe4 uses saturated 64-bit limbs, so converting to bytes is just a copy.\n // Satisfy stated precondition of fiat_25519_from_bytes; tests pass either way\n fe4_canon(r.X, r.X);\n fe4_canon(r.Y, r.Y);\n fe4_canon(r.Z, r.Z);\n fe4_canon(r.T, r.T);\n static_assert(sizeof(ge_p3_4) == sizeof(uint8_t[4][32]), \"\");\n OPENSSL_memcpy(h, &r, sizeof(ge_p3_4));\n}\n" }, { "path": "Sources/CNIOBoringSSL/third_party/fiat/curve25519_64_msvc.h", "content": "/* Autogenerated: 'src/ExtractionOCaml/unsaturated_solinas' --inline --static --use-value-barrier --no-wide-int 25519 64 '(auto)' '2^255 - 19' carry_mul carry_square carry add sub opp selectznz to_bytes from_bytes relax carry_scmul121666 */\n/* curve description: 25519 */\n/* machine_wordsize = 64 (from \"64\") */\n/* requested operations: carry_mul, carry_square, carry, add, sub, opp, selectznz, to_bytes, from_bytes, relax, carry_scmul121666 */\n/* n = 5 (from \"(auto)\") */\n/* s-c = 2^255 - [(1, 19)] (from \"2^255 - 19\") */\n/* tight_bounds_multiplier = 1 (from \"\") */\n/* */\n/* Computed values: */\n/* carry_chain = [0, 1, 2, 3, 4, 0, 1] */\n/* eval z = z[0] + (z[1] << 51) + (z[2] << 102) + (z[3] << 153) + (z[4] << 204) */\n/* bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) */\n/* balance = [0xfffffffffffda, 0xffffffffffffe, 0xffffffffffffe, 0xffffffffffffe, 0xffffffffffffe] */\n\n#include \n#include \n#if defined(_M_X64)\n#include \n#endif\n\ntypedef unsigned char fiat_25519_uint1;\ntypedef signed char fiat_25519_int1;\n\n#define FIAT_25519_FIAT_INLINE inline\n\n/* The type fiat_25519_loose_field_element is a field element with loose bounds. */\n/* Bounds: [[0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000]] */\ntypedef uint64_t fiat_25519_loose_field_element[5];\n\n/* The type fiat_25519_tight_field_element is a field element with tight bounds. */\n/* Bounds: [[0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000]] */\ntypedef uint64_t fiat_25519_tight_field_element[5];\n\n#if (-1 & 3) != 3\n#error \"This code only works on a two's complement system\"\n#endif\n\n#define fiat_25519_value_barrier_u64(x) (x)\n\n/*\n * The function fiat_25519_addcarryx_u64 is an addition with carry.\n *\n * Postconditions:\n * out1 = (arg1 + arg2 + arg3) mod 2^64\n * out2 = ⌊(arg1 + arg2 + arg3) / 2^64⌋\n *\n * Input Bounds:\n * arg1: [0x0 ~> 0x1]\n * arg2: [0x0 ~> 0xffffffffffffffff]\n * arg3: [0x0 ~> 0xffffffffffffffff]\n * Output Bounds:\n * out1: [0x0 ~> 0xffffffffffffffff]\n * out2: [0x0 ~> 0x1]\n */\nstatic FIAT_25519_FIAT_INLINE void fiat_25519_addcarryx_u64(uint64_t* out1, fiat_25519_uint1* out2, fiat_25519_uint1 arg1, uint64_t arg2, uint64_t arg3) {\n// NOTE: edited after generation\n#if defined(_M_X64)\n *out2 = _addcarry_u64(arg1, arg2, arg3, out1);\n#else\n arg2 += arg1;\n arg1 = arg2 < arg1;\n arg3 += arg2;\n arg1 += arg3 < arg2;\n *out1 = arg3;\n *out2 = arg1;\n#endif\n}\n\n/*\n * The function fiat_25519_subborrowx_u64 is a subtraction with borrow.\n *\n * Postconditions:\n * out1 = (-arg1 + arg2 + -arg3) mod 2^64\n * out2 = -⌊(-arg1 + arg2 + -arg3) / 2^64⌋\n *\n * Input Bounds:\n * arg1: [0x0 ~> 0x1]\n * arg2: [0x0 ~> 0xffffffffffffffff]\n * arg3: [0x0 ~> 0xffffffffffffffff]\n * Output Bounds:\n * out1: [0x0 ~> 0xffffffffffffffff]\n * out2: [0x0 ~> 0x1]\n */\nstatic FIAT_25519_FIAT_INLINE void fiat_25519_subborrowx_u64(uint64_t* out1, fiat_25519_uint1* out2, fiat_25519_uint1 arg1, uint64_t arg2, uint64_t arg3) {\n#if defined(_M_X64)\n *out2 = _subborrow_u64(arg1, arg2, arg3, out1); // NOTE: edited after generation\n#else\n *out1 = arg2 - arg3 - arg1;\n *out2 = (arg2 < arg3) | ((arg2 == arg3) & arg1);\n#endif\n}\n\n/*\n * The function fiat_25519_addcarryx_u51 is an addition with carry.\n *\n * Postconditions:\n * out1 = (arg1 + arg2 + arg3) mod 2^51\n * out2 = ⌊(arg1 + arg2 + arg3) / 2^51⌋\n *\n * Input Bounds:\n * arg1: [0x0 ~> 0x1]\n * arg2: [0x0 ~> 0x7ffffffffffff]\n * arg3: [0x0 ~> 0x7ffffffffffff]\n * Output Bounds:\n * out1: [0x0 ~> 0x7ffffffffffff]\n * out2: [0x0 ~> 0x1]\n */\nstatic FIAT_25519_FIAT_INLINE void fiat_25519_addcarryx_u51(uint64_t* out1, fiat_25519_uint1* out2, fiat_25519_uint1 arg1, uint64_t arg2, uint64_t arg3) {\n uint64_t x1;\n uint64_t x2;\n fiat_25519_uint1 x3;\n x1 = ((arg1 + arg2) + arg3);\n x2 = (x1 & UINT64_C(0x7ffffffffffff));\n x3 = (fiat_25519_uint1)(x1 >> 51);\n *out1 = x2;\n *out2 = x3;\n}\n\n/*\n * The function fiat_25519_subborrowx_u51 is a subtraction with borrow.\n *\n * Postconditions:\n * out1 = (-arg1 + arg2 + -arg3) mod 2^51\n * out2 = -⌊(-arg1 + arg2 + -arg3) / 2^51⌋\n *\n * Input Bounds:\n * arg1: [0x0 ~> 0x1]\n * arg2: [0x0 ~> 0x7ffffffffffff]\n * arg3: [0x0 ~> 0x7ffffffffffff]\n * Output Bounds:\n * out1: [0x0 ~> 0x7ffffffffffff]\n * out2: [0x0 ~> 0x1]\n */\nstatic FIAT_25519_FIAT_INLINE void fiat_25519_subborrowx_u51(uint64_t* out1, fiat_25519_uint1* out2, fiat_25519_uint1 arg1, uint64_t arg2, uint64_t arg3) {\n int64_t x1;\n fiat_25519_int1 x2;\n uint64_t x3;\n x1 = ((int64_t)(arg2 - (int64_t)arg1) - (int64_t)arg3);\n x2 = (fiat_25519_int1)(x1 >> 51);\n x3 = (x1 & UINT64_C(0x7ffffffffffff));\n *out1 = x3;\n *out2 = (fiat_25519_uint1)(0x0 - x2);\n}\n\n/*\n * The function fiat_25519_mulx_u64 is a multiplication, returning the full double-width result.\n *\n * Postconditions:\n * out1 = (arg1 * arg2) mod 2^64\n * out2 = ⌊arg1 * arg2 / 2^64⌋\n *\n * Input Bounds:\n * arg1: [0x0 ~> 0xffffffffffffffff]\n * arg2: [0x0 ~> 0xffffffffffffffff]\n * Output Bounds:\n * out1: [0x0 ~> 0xffffffffffffffff]\n * out2: [0x0 ~> 0xffffffffffffffff]\n */\nstatic FIAT_25519_FIAT_INLINE void fiat_25519_mulx_u64(uint64_t* out1, uint64_t* out2, uint64_t arg1, uint64_t arg2) {\n// NOTE: edited after generation\n#if defined(_M_X64)\n *out1 = _umul128(arg1, arg2, out2);\n#elif defined(_M_ARM64)\n *out1 = arg1 * arg2;\n *out2 = __umulh(arg1, arg2);\n#else\n#error \"This file is intended for MSVC on X64 or ARM64\"\n#endif\n}\n\n/*\n * The function fiat_25519_cmovznz_u64 is a single-word conditional move.\n *\n * Postconditions:\n * out1 = (if arg1 = 0 then arg2 else arg3)\n *\n * Input Bounds:\n * arg1: [0x0 ~> 0x1]\n * arg2: [0x0 ~> 0xffffffffffffffff]\n * arg3: [0x0 ~> 0xffffffffffffffff]\n * Output Bounds:\n * out1: [0x0 ~> 0xffffffffffffffff]\n */\nstatic FIAT_25519_FIAT_INLINE void fiat_25519_cmovznz_u64(uint64_t* out1, fiat_25519_uint1 arg1, uint64_t arg2, uint64_t arg3) {\n fiat_25519_uint1 x1;\n uint64_t x2;\n uint64_t x3;\n x1 = (!(!arg1));\n x2 = ((fiat_25519_int1)(0x0 - x1) & UINT64_C(0xffffffffffffffff));\n x3 = ((fiat_25519_value_barrier_u64(x2) & arg3) | (fiat_25519_value_barrier_u64((~x2)) & arg2));\n *out1 = x3;\n}\n\n/*\n * The function fiat_25519_carry_mul multiplies two field elements and reduces the result.\n *\n * Postconditions:\n * eval out1 mod m = (eval arg1 * eval arg2) mod m\n *\n */\nstatic FIAT_25519_FIAT_INLINE void fiat_25519_carry_mul(fiat_25519_tight_field_element out1, const fiat_25519_loose_field_element arg1, const fiat_25519_loose_field_element arg2) {\n uint64_t x1;\n uint64_t x2;\n uint64_t x3;\n uint64_t x4;\n uint64_t x5;\n uint64_t x6;\n uint64_t x7;\n uint64_t x8;\n uint64_t x9;\n uint64_t x10;\n uint64_t x11;\n uint64_t x12;\n uint64_t x13;\n uint64_t x14;\n uint64_t x15;\n uint64_t x16;\n uint64_t x17;\n uint64_t x18;\n uint64_t x19;\n uint64_t x20;\n uint64_t x21;\n uint64_t x22;\n uint64_t x23;\n uint64_t x24;\n uint64_t x25;\n uint64_t x26;\n uint64_t x27;\n uint64_t x28;\n uint64_t x29;\n uint64_t x30;\n uint64_t x31;\n uint64_t x32;\n uint64_t x33;\n uint64_t x34;\n uint64_t x35;\n uint64_t x36;\n uint64_t x37;\n uint64_t x38;\n uint64_t x39;\n uint64_t x40;\n uint64_t x41;\n uint64_t x42;\n uint64_t x43;\n uint64_t x44;\n uint64_t x45;\n uint64_t x46;\n uint64_t x47;\n uint64_t x48;\n uint64_t x49;\n uint64_t x50;\n uint64_t x51;\n fiat_25519_uint1 x52;\n uint64_t x53;\n fiat_25519_uint1 x54;\n uint64_t x55;\n fiat_25519_uint1 x56;\n uint64_t x57;\n fiat_25519_uint1 x58;\n uint64_t x59;\n fiat_25519_uint1 x60;\n uint64_t x61;\n fiat_25519_uint1 x62;\n uint64_t x63;\n fiat_25519_uint1 x64;\n uint64_t x65;\n fiat_25519_uint1 x66;\n uint64_t x67;\n uint64_t x68;\n uint64_t x69;\n fiat_25519_uint1 x70;\n uint64_t x71;\n fiat_25519_uint1 x72;\n uint64_t x73;\n fiat_25519_uint1 x74;\n uint64_t x75;\n fiat_25519_uint1 x76;\n uint64_t x77;\n fiat_25519_uint1 x78;\n uint64_t x79;\n fiat_25519_uint1 x80;\n uint64_t x81;\n fiat_25519_uint1 x82;\n uint64_t x83;\n fiat_25519_uint1 x84;\n uint64_t x85;\n fiat_25519_uint1 x86;\n uint64_t x87;\n fiat_25519_uint1 x88;\n uint64_t x89;\n fiat_25519_uint1 x90;\n uint64_t x91;\n fiat_25519_uint1 x92;\n uint64_t x93;\n fiat_25519_uint1 x94;\n uint64_t x95;\n fiat_25519_uint1 x96;\n uint64_t x97;\n fiat_25519_uint1 x98;\n uint64_t x99;\n fiat_25519_uint1 x100;\n uint64_t x101;\n fiat_25519_uint1 x102;\n uint64_t x103;\n fiat_25519_uint1 x104;\n uint64_t x105;\n fiat_25519_uint1 x106;\n uint64_t x107;\n fiat_25519_uint1 x108;\n uint64_t x109;\n fiat_25519_uint1 x110;\n uint64_t x111;\n fiat_25519_uint1 x112;\n uint64_t x113;\n fiat_25519_uint1 x114;\n uint64_t x115;\n fiat_25519_uint1 x116;\n uint64_t x117;\n fiat_25519_uint1 x118;\n uint64_t x119;\n fiat_25519_uint1 x120;\n uint64_t x121;\n fiat_25519_uint1 x122;\n uint64_t x123;\n fiat_25519_uint1 x124;\n uint64_t x125;\n fiat_25519_uint1 x126;\n uint64_t x127;\n fiat_25519_uint1 x128;\n uint64_t x129;\n fiat_25519_uint1 x130;\n uint64_t x131;\n fiat_25519_uint1 x132;\n uint64_t x133;\n fiat_25519_uint1 x134;\n uint64_t x135;\n uint64_t x136;\n uint64_t x137;\n uint64_t x138;\n fiat_25519_uint1 x139;\n uint64_t x140;\n uint64_t x141;\n uint64_t x142;\n uint64_t x143;\n fiat_25519_uint1 x144;\n uint64_t x145;\n uint64_t x146;\n uint64_t x147;\n uint64_t x148;\n fiat_25519_uint1 x149;\n uint64_t x150;\n uint64_t x151;\n uint64_t x152;\n uint64_t x153;\n uint64_t x154;\n uint64_t x155;\n uint64_t x156;\n uint64_t x157;\n fiat_25519_uint1 x158;\n uint64_t x159;\n uint64_t x160;\n fiat_25519_mulx_u64(&x1, &x2, (arg1[4]), ((arg2[4]) * UINT8_C(0x13)));\n fiat_25519_mulx_u64(&x3, &x4, (arg1[4]), ((arg2[3]) * UINT8_C(0x13)));\n fiat_25519_mulx_u64(&x5, &x6, (arg1[4]), ((arg2[2]) * UINT8_C(0x13)));\n fiat_25519_mulx_u64(&x7, &x8, (arg1[4]), ((arg2[1]) * UINT8_C(0x13)));\n fiat_25519_mulx_u64(&x9, &x10, (arg1[3]), ((arg2[4]) * UINT8_C(0x13)));\n fiat_25519_mulx_u64(&x11, &x12, (arg1[3]), ((arg2[3]) * UINT8_C(0x13)));\n fiat_25519_mulx_u64(&x13, &x14, (arg1[3]), ((arg2[2]) * UINT8_C(0x13)));\n fiat_25519_mulx_u64(&x15, &x16, (arg1[2]), ((arg2[4]) * UINT8_C(0x13)));\n fiat_25519_mulx_u64(&x17, &x18, (arg1[2]), ((arg2[3]) * UINT8_C(0x13)));\n fiat_25519_mulx_u64(&x19, &x20, (arg1[1]), ((arg2[4]) * UINT8_C(0x13)));\n fiat_25519_mulx_u64(&x21, &x22, (arg1[4]), (arg2[0]));\n fiat_25519_mulx_u64(&x23, &x24, (arg1[3]), (arg2[1]));\n fiat_25519_mulx_u64(&x25, &x26, (arg1[3]), (arg2[0]));\n fiat_25519_mulx_u64(&x27, &x28, (arg1[2]), (arg2[2]));\n fiat_25519_mulx_u64(&x29, &x30, (arg1[2]), (arg2[1]));\n fiat_25519_mulx_u64(&x31, &x32, (arg1[2]), (arg2[0]));\n fiat_25519_mulx_u64(&x33, &x34, (arg1[1]), (arg2[3]));\n fiat_25519_mulx_u64(&x35, &x36, (arg1[1]), (arg2[2]));\n fiat_25519_mulx_u64(&x37, &x38, (arg1[1]), (arg2[1]));\n fiat_25519_mulx_u64(&x39, &x40, (arg1[1]), (arg2[0]));\n fiat_25519_mulx_u64(&x41, &x42, (arg1[0]), (arg2[4]));\n fiat_25519_mulx_u64(&x43, &x44, (arg1[0]), (arg2[3]));\n fiat_25519_mulx_u64(&x45, &x46, (arg1[0]), (arg2[2]));\n fiat_25519_mulx_u64(&x47, &x48, (arg1[0]), (arg2[1]));\n fiat_25519_mulx_u64(&x49, &x50, (arg1[0]), (arg2[0]));\n fiat_25519_addcarryx_u64(&x51, &x52, 0x0, x13, x7);\n fiat_25519_addcarryx_u64(&x53, &x54, x52, x14, x8);\n fiat_25519_addcarryx_u64(&x55, &x56, 0x0, x17, x51);\n fiat_25519_addcarryx_u64(&x57, &x58, x56, x18, x53);\n fiat_25519_addcarryx_u64(&x59, &x60, 0x0, x19, x55);\n fiat_25519_addcarryx_u64(&x61, &x62, x60, x20, x57);\n fiat_25519_addcarryx_u64(&x63, &x64, 0x0, x49, x59);\n fiat_25519_addcarryx_u64(&x65, &x66, x64, x50, x61);\n x67 = ((x63 >> 51) | ((x65 << 13) & UINT64_C(0xffffffffffffffff)));\n x68 = (x63 & UINT64_C(0x7ffffffffffff));\n fiat_25519_addcarryx_u64(&x69, &x70, 0x0, x23, x21);\n fiat_25519_addcarryx_u64(&x71, &x72, x70, x24, x22);\n fiat_25519_addcarryx_u64(&x73, &x74, 0x0, x27, x69);\n fiat_25519_addcarryx_u64(&x75, &x76, x74, x28, x71);\n fiat_25519_addcarryx_u64(&x77, &x78, 0x0, x33, x73);\n fiat_25519_addcarryx_u64(&x79, &x80, x78, x34, x75);\n fiat_25519_addcarryx_u64(&x81, &x82, 0x0, x41, x77);\n fiat_25519_addcarryx_u64(&x83, &x84, x82, x42, x79);\n fiat_25519_addcarryx_u64(&x85, &x86, 0x0, x25, x1);\n fiat_25519_addcarryx_u64(&x87, &x88, x86, x26, x2);\n fiat_25519_addcarryx_u64(&x89, &x90, 0x0, x29, x85);\n fiat_25519_addcarryx_u64(&x91, &x92, x90, x30, x87);\n fiat_25519_addcarryx_u64(&x93, &x94, 0x0, x35, x89);\n fiat_25519_addcarryx_u64(&x95, &x96, x94, x36, x91);\n fiat_25519_addcarryx_u64(&x97, &x98, 0x0, x43, x93);\n fiat_25519_addcarryx_u64(&x99, &x100, x98, x44, x95);\n fiat_25519_addcarryx_u64(&x101, &x102, 0x0, x9, x3);\n fiat_25519_addcarryx_u64(&x103, &x104, x102, x10, x4);\n fiat_25519_addcarryx_u64(&x105, &x106, 0x0, x31, x101);\n fiat_25519_addcarryx_u64(&x107, &x108, x106, x32, x103);\n fiat_25519_addcarryx_u64(&x109, &x110, 0x0, x37, x105);\n fiat_25519_addcarryx_u64(&x111, &x112, x110, x38, x107);\n fiat_25519_addcarryx_u64(&x113, &x114, 0x0, x45, x109);\n fiat_25519_addcarryx_u64(&x115, &x116, x114, x46, x111);\n fiat_25519_addcarryx_u64(&x117, &x118, 0x0, x11, x5);\n fiat_25519_addcarryx_u64(&x119, &x120, x118, x12, x6);\n fiat_25519_addcarryx_u64(&x121, &x122, 0x0, x15, x117);\n fiat_25519_addcarryx_u64(&x123, &x124, x122, x16, x119);\n fiat_25519_addcarryx_u64(&x125, &x126, 0x0, x39, x121);\n fiat_25519_addcarryx_u64(&x127, &x128, x126, x40, x123);\n fiat_25519_addcarryx_u64(&x129, &x130, 0x0, x47, x125);\n fiat_25519_addcarryx_u64(&x131, &x132, x130, x48, x127);\n fiat_25519_addcarryx_u64(&x133, &x134, 0x0, x67, x129);\n x135 = (x134 + x131);\n x136 = ((x133 >> 51) | ((x135 << 13) & UINT64_C(0xffffffffffffffff)));\n x137 = (x133 & UINT64_C(0x7ffffffffffff));\n fiat_25519_addcarryx_u64(&x138, &x139, 0x0, x136, x113);\n x140 = (x139 + x115);\n x141 = ((x138 >> 51) | ((x140 << 13) & UINT64_C(0xffffffffffffffff)));\n x142 = (x138 & UINT64_C(0x7ffffffffffff));\n fiat_25519_addcarryx_u64(&x143, &x144, 0x0, x141, x97);\n x145 = (x144 + x99);\n x146 = ((x143 >> 51) | ((x145 << 13) & UINT64_C(0xffffffffffffffff)));\n x147 = (x143 & UINT64_C(0x7ffffffffffff));\n fiat_25519_addcarryx_u64(&x148, &x149, 0x0, x146, x81);\n x150 = (x149 + x83);\n x151 = ((x148 >> 51) | ((x150 << 13) & UINT64_C(0xffffffffffffffff)));\n x152 = (x148 & UINT64_C(0x7ffffffffffff));\n x153 = (x151 * UINT8_C(0x13));\n x154 = (x68 + x153);\n x155 = (x154 >> 51);\n x156 = (x154 & UINT64_C(0x7ffffffffffff));\n x157 = (x155 + x137);\n x158 = (fiat_25519_uint1)(x157 >> 51);\n x159 = (x157 & UINT64_C(0x7ffffffffffff));\n x160 = (x158 + x142);\n out1[0] = x156;\n out1[1] = x159;\n out1[2] = x160;\n out1[3] = x147;\n out1[4] = x152;\n}\n\n/*\n * The function fiat_25519_carry_square squares a field element and reduces the result.\n *\n * Postconditions:\n * eval out1 mod m = (eval arg1 * eval arg1) mod m\n *\n */\nstatic FIAT_25519_FIAT_INLINE void fiat_25519_carry_square(fiat_25519_tight_field_element out1, const fiat_25519_loose_field_element arg1) {\n uint64_t x1;\n uint64_t x2;\n uint64_t x3;\n uint64_t x4;\n uint64_t x5;\n uint64_t x6;\n uint64_t x7;\n uint64_t x8;\n uint64_t x9;\n uint64_t x10;\n uint64_t x11;\n uint64_t x12;\n uint64_t x13;\n uint64_t x14;\n uint64_t x15;\n uint64_t x16;\n uint64_t x17;\n uint64_t x18;\n uint64_t x19;\n uint64_t x20;\n uint64_t x21;\n uint64_t x22;\n uint64_t x23;\n uint64_t x24;\n uint64_t x25;\n uint64_t x26;\n uint64_t x27;\n uint64_t x28;\n uint64_t x29;\n uint64_t x30;\n uint64_t x31;\n uint64_t x32;\n uint64_t x33;\n uint64_t x34;\n uint64_t x35;\n uint64_t x36;\n uint64_t x37;\n uint64_t x38;\n uint64_t x39;\n fiat_25519_uint1 x40;\n uint64_t x41;\n fiat_25519_uint1 x42;\n uint64_t x43;\n fiat_25519_uint1 x44;\n uint64_t x45;\n fiat_25519_uint1 x46;\n uint64_t x47;\n uint64_t x48;\n uint64_t x49;\n fiat_25519_uint1 x50;\n uint64_t x51;\n fiat_25519_uint1 x52;\n uint64_t x53;\n fiat_25519_uint1 x54;\n uint64_t x55;\n fiat_25519_uint1 x56;\n uint64_t x57;\n fiat_25519_uint1 x58;\n uint64_t x59;\n fiat_25519_uint1 x60;\n uint64_t x61;\n fiat_25519_uint1 x62;\n uint64_t x63;\n fiat_25519_uint1 x64;\n uint64_t x65;\n fiat_25519_uint1 x66;\n uint64_t x67;\n fiat_25519_uint1 x68;\n uint64_t x69;\n fiat_25519_uint1 x70;\n uint64_t x71;\n fiat_25519_uint1 x72;\n uint64_t x73;\n fiat_25519_uint1 x74;\n uint64_t x75;\n fiat_25519_uint1 x76;\n uint64_t x77;\n fiat_25519_uint1 x78;\n uint64_t x79;\n fiat_25519_uint1 x80;\n uint64_t x81;\n fiat_25519_uint1 x82;\n uint64_t x83;\n uint64_t x84;\n uint64_t x85;\n uint64_t x86;\n fiat_25519_uint1 x87;\n uint64_t x88;\n uint64_t x89;\n uint64_t x90;\n uint64_t x91;\n fiat_25519_uint1 x92;\n uint64_t x93;\n uint64_t x94;\n uint64_t x95;\n uint64_t x96;\n fiat_25519_uint1 x97;\n uint64_t x98;\n uint64_t x99;\n uint64_t x100;\n uint64_t x101;\n uint64_t x102;\n uint64_t x103;\n uint64_t x104;\n uint64_t x105;\n fiat_25519_uint1 x106;\n uint64_t x107;\n uint64_t x108;\n x1 = ((arg1[4]) * UINT8_C(0x13));\n x2 = (x1 * 0x2);\n x3 = ((arg1[4]) * 0x2);\n x4 = ((arg1[3]) * UINT8_C(0x13));\n x5 = (x4 * 0x2);\n x6 = ((arg1[3]) * 0x2);\n x7 = ((arg1[2]) * 0x2);\n x8 = ((arg1[1]) * 0x2);\n fiat_25519_mulx_u64(&x9, &x10, (arg1[4]), x1);\n fiat_25519_mulx_u64(&x11, &x12, (arg1[3]), x2);\n fiat_25519_mulx_u64(&x13, &x14, (arg1[3]), x4);\n fiat_25519_mulx_u64(&x15, &x16, (arg1[2]), x2);\n fiat_25519_mulx_u64(&x17, &x18, (arg1[2]), x5);\n fiat_25519_mulx_u64(&x19, &x20, (arg1[2]), (arg1[2]));\n fiat_25519_mulx_u64(&x21, &x22, (arg1[1]), x2);\n fiat_25519_mulx_u64(&x23, &x24, (arg1[1]), x6);\n fiat_25519_mulx_u64(&x25, &x26, (arg1[1]), x7);\n fiat_25519_mulx_u64(&x27, &x28, (arg1[1]), (arg1[1]));\n fiat_25519_mulx_u64(&x29, &x30, (arg1[0]), x3);\n fiat_25519_mulx_u64(&x31, &x32, (arg1[0]), x6);\n fiat_25519_mulx_u64(&x33, &x34, (arg1[0]), x7);\n fiat_25519_mulx_u64(&x35, &x36, (arg1[0]), x8);\n fiat_25519_mulx_u64(&x37, &x38, (arg1[0]), (arg1[0]));\n fiat_25519_addcarryx_u64(&x39, &x40, 0x0, x21, x17);\n fiat_25519_addcarryx_u64(&x41, &x42, x40, x22, x18);\n fiat_25519_addcarryx_u64(&x43, &x44, 0x0, x37, x39);\n fiat_25519_addcarryx_u64(&x45, &x46, x44, x38, x41);\n x47 = ((x43 >> 51) | ((x45 << 13) & UINT64_C(0xffffffffffffffff)));\n x48 = (x43 & UINT64_C(0x7ffffffffffff));\n fiat_25519_addcarryx_u64(&x49, &x50, 0x0, x23, x19);\n fiat_25519_addcarryx_u64(&x51, &x52, x50, x24, x20);\n fiat_25519_addcarryx_u64(&x53, &x54, 0x0, x29, x49);\n fiat_25519_addcarryx_u64(&x55, &x56, x54, x30, x51);\n fiat_25519_addcarryx_u64(&x57, &x58, 0x0, x25, x9);\n fiat_25519_addcarryx_u64(&x59, &x60, x58, x26, x10);\n fiat_25519_addcarryx_u64(&x61, &x62, 0x0, x31, x57);\n fiat_25519_addcarryx_u64(&x63, &x64, x62, x32, x59);\n fiat_25519_addcarryx_u64(&x65, &x66, 0x0, x27, x11);\n fiat_25519_addcarryx_u64(&x67, &x68, x66, x28, x12);\n fiat_25519_addcarryx_u64(&x69, &x70, 0x0, x33, x65);\n fiat_25519_addcarryx_u64(&x71, &x72, x70, x34, x67);\n fiat_25519_addcarryx_u64(&x73, &x74, 0x0, x15, x13);\n fiat_25519_addcarryx_u64(&x75, &x76, x74, x16, x14);\n fiat_25519_addcarryx_u64(&x77, &x78, 0x0, x35, x73);\n fiat_25519_addcarryx_u64(&x79, &x80, x78, x36, x75);\n fiat_25519_addcarryx_u64(&x81, &x82, 0x0, x47, x77);\n x83 = (x82 + x79);\n x84 = ((x81 >> 51) | ((x83 << 13) & UINT64_C(0xffffffffffffffff)));\n x85 = (x81 & UINT64_C(0x7ffffffffffff));\n fiat_25519_addcarryx_u64(&x86, &x87, 0x0, x84, x69);\n x88 = (x87 + x71);\n x89 = ((x86 >> 51) | ((x88 << 13) & UINT64_C(0xffffffffffffffff)));\n x90 = (x86 & UINT64_C(0x7ffffffffffff));\n fiat_25519_addcarryx_u64(&x91, &x92, 0x0, x89, x61);\n x93 = (x92 + x63);\n x94 = ((x91 >> 51) | ((x93 << 13) & UINT64_C(0xffffffffffffffff)));\n x95 = (x91 & UINT64_C(0x7ffffffffffff));\n fiat_25519_addcarryx_u64(&x96, &x97, 0x0, x94, x53);\n x98 = (x97 + x55);\n x99 = ((x96 >> 51) | ((x98 << 13) & UINT64_C(0xffffffffffffffff)));\n x100 = (x96 & UINT64_C(0x7ffffffffffff));\n x101 = (x99 * UINT8_C(0x13));\n x102 = (x48 + x101);\n x103 = (x102 >> 51);\n x104 = (x102 & UINT64_C(0x7ffffffffffff));\n x105 = (x103 + x85);\n x106 = (fiat_25519_uint1)(x105 >> 51);\n x107 = (x105 & UINT64_C(0x7ffffffffffff));\n x108 = (x106 + x90);\n out1[0] = x104;\n out1[1] = x107;\n out1[2] = x108;\n out1[3] = x95;\n out1[4] = x100;\n}\n\n/*\n * The function fiat_25519_carry reduces a field element.\n *\n * Postconditions:\n * eval out1 mod m = eval arg1 mod m\n *\n */\nstatic FIAT_25519_FIAT_INLINE void fiat_25519_carry(fiat_25519_tight_field_element out1, const fiat_25519_loose_field_element arg1) {\n uint64_t x1;\n uint64_t x2;\n uint64_t x3;\n uint64_t x4;\n uint64_t x5;\n uint64_t x6;\n uint64_t x7;\n uint64_t x8;\n uint64_t x9;\n uint64_t x10;\n uint64_t x11;\n uint64_t x12;\n x1 = (arg1[0]);\n x2 = ((x1 >> 51) + (arg1[1]));\n x3 = ((x2 >> 51) + (arg1[2]));\n x4 = ((x3 >> 51) + (arg1[3]));\n x5 = ((x4 >> 51) + (arg1[4]));\n x6 = ((x1 & UINT64_C(0x7ffffffffffff)) + ((x5 >> 51) * UINT8_C(0x13)));\n x7 = ((fiat_25519_uint1)(x6 >> 51) + (x2 & UINT64_C(0x7ffffffffffff)));\n x8 = (x6 & UINT64_C(0x7ffffffffffff));\n x9 = (x7 & UINT64_C(0x7ffffffffffff));\n x10 = ((fiat_25519_uint1)(x7 >> 51) + (x3 & UINT64_C(0x7ffffffffffff)));\n x11 = (x4 & UINT64_C(0x7ffffffffffff));\n x12 = (x5 & UINT64_C(0x7ffffffffffff));\n out1[0] = x8;\n out1[1] = x9;\n out1[2] = x10;\n out1[3] = x11;\n out1[4] = x12;\n}\n\n/*\n * The function fiat_25519_add adds two field elements.\n *\n * Postconditions:\n * eval out1 mod m = (eval arg1 + eval arg2) mod m\n *\n */\nstatic FIAT_25519_FIAT_INLINE void fiat_25519_add(fiat_25519_loose_field_element out1, const fiat_25519_tight_field_element arg1, const fiat_25519_tight_field_element arg2) {\n uint64_t x1;\n uint64_t x2;\n uint64_t x3;\n uint64_t x4;\n uint64_t x5;\n x1 = ((arg1[0]) + (arg2[0]));\n x2 = ((arg1[1]) + (arg2[1]));\n x3 = ((arg1[2]) + (arg2[2]));\n x4 = ((arg1[3]) + (arg2[3]));\n x5 = ((arg1[4]) + (arg2[4]));\n out1[0] = x1;\n out1[1] = x2;\n out1[2] = x3;\n out1[3] = x4;\n out1[4] = x5;\n}\n\n/*\n * The function fiat_25519_sub subtracts two field elements.\n *\n * Postconditions:\n * eval out1 mod m = (eval arg1 - eval arg2) mod m\n *\n */\nstatic FIAT_25519_FIAT_INLINE void fiat_25519_sub(fiat_25519_loose_field_element out1, const fiat_25519_tight_field_element arg1, const fiat_25519_tight_field_element arg2) {\n uint64_t x1;\n uint64_t x2;\n uint64_t x3;\n uint64_t x4;\n uint64_t x5;\n x1 = ((UINT64_C(0xfffffffffffda) + (arg1[0])) - (arg2[0]));\n x2 = ((UINT64_C(0xffffffffffffe) + (arg1[1])) - (arg2[1]));\n x3 = ((UINT64_C(0xffffffffffffe) + (arg1[2])) - (arg2[2]));\n x4 = ((UINT64_C(0xffffffffffffe) + (arg1[3])) - (arg2[3]));\n x5 = ((UINT64_C(0xffffffffffffe) + (arg1[4])) - (arg2[4]));\n out1[0] = x1;\n out1[1] = x2;\n out1[2] = x3;\n out1[3] = x4;\n out1[4] = x5;\n}\n\n/*\n * The function fiat_25519_opp negates a field element.\n *\n * Postconditions:\n * eval out1 mod m = -eval arg1 mod m\n *\n */\nstatic FIAT_25519_FIAT_INLINE void fiat_25519_opp(fiat_25519_loose_field_element out1, const fiat_25519_tight_field_element arg1) {\n uint64_t x1;\n uint64_t x2;\n uint64_t x3;\n uint64_t x4;\n uint64_t x5;\n x1 = (UINT64_C(0xfffffffffffda) - (arg1[0]));\n x2 = (UINT64_C(0xffffffffffffe) - (arg1[1]));\n x3 = (UINT64_C(0xffffffffffffe) - (arg1[2]));\n x4 = (UINT64_C(0xffffffffffffe) - (arg1[3]));\n x5 = (UINT64_C(0xffffffffffffe) - (arg1[4]));\n out1[0] = x1;\n out1[1] = x2;\n out1[2] = x3;\n out1[3] = x4;\n out1[4] = x5;\n}\n\n/*\n * The function fiat_25519_selectznz is a multi-limb conditional select.\n *\n * Postconditions:\n * out1 = (if arg1 = 0 then arg2 else arg3)\n *\n * Input Bounds:\n * arg1: [0x0 ~> 0x1]\n * arg2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]\n * arg3: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]\n * Output Bounds:\n * out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]\n */\nstatic FIAT_25519_FIAT_INLINE void fiat_25519_selectznz(uint64_t out1[5], fiat_25519_uint1 arg1, const uint64_t arg2[5], const uint64_t arg3[5]) {\n uint64_t x1;\n uint64_t x2;\n uint64_t x3;\n uint64_t x4;\n uint64_t x5;\n fiat_25519_cmovznz_u64(&x1, arg1, (arg2[0]), (arg3[0]));\n fiat_25519_cmovznz_u64(&x2, arg1, (arg2[1]), (arg3[1]));\n fiat_25519_cmovznz_u64(&x3, arg1, (arg2[2]), (arg3[2]));\n fiat_25519_cmovznz_u64(&x4, arg1, (arg2[3]), (arg3[3]));\n fiat_25519_cmovznz_u64(&x5, arg1, (arg2[4]), (arg3[4]));\n out1[0] = x1;\n out1[1] = x2;\n out1[2] = x3;\n out1[3] = x4;\n out1[4] = x5;\n}\n\n/*\n * The function fiat_25519_to_bytes serializes a field element to bytes in little-endian order.\n *\n * Postconditions:\n * out1 = map (λ x, ⌊((eval arg1 mod m) mod 2^(8 * (x + 1))) / 2^(8 * x)⌋) [0..31]\n *\n * Output Bounds:\n * out1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0x7f]]\n */\nstatic FIAT_25519_FIAT_INLINE void fiat_25519_to_bytes(uint8_t out1[32], const fiat_25519_tight_field_element arg1) {\n uint64_t x1;\n fiat_25519_uint1 x2;\n uint64_t x3;\n fiat_25519_uint1 x4;\n uint64_t x5;\n fiat_25519_uint1 x6;\n uint64_t x7;\n fiat_25519_uint1 x8;\n uint64_t x9;\n fiat_25519_uint1 x10;\n uint64_t x11;\n uint64_t x12;\n fiat_25519_uint1 x13;\n uint64_t x14;\n fiat_25519_uint1 x15;\n uint64_t x16;\n fiat_25519_uint1 x17;\n uint64_t x18;\n fiat_25519_uint1 x19;\n uint64_t x20;\n fiat_25519_uint1 x21;\n uint64_t x22;\n uint64_t x23;\n uint64_t x24;\n uint64_t x25;\n uint8_t x26;\n uint64_t x27;\n uint8_t x28;\n uint64_t x29;\n uint8_t x30;\n uint64_t x31;\n uint8_t x32;\n uint64_t x33;\n uint8_t x34;\n uint64_t x35;\n uint8_t x36;\n uint8_t x37;\n uint64_t x38;\n uint8_t x39;\n uint64_t x40;\n uint8_t x41;\n uint64_t x42;\n uint8_t x43;\n uint64_t x44;\n uint8_t x45;\n uint64_t x46;\n uint8_t x47;\n uint64_t x48;\n uint8_t x49;\n uint8_t x50;\n uint64_t x51;\n uint8_t x52;\n uint64_t x53;\n uint8_t x54;\n uint64_t x55;\n uint8_t x56;\n uint64_t x57;\n uint8_t x58;\n uint64_t x59;\n uint8_t x60;\n uint64_t x61;\n uint8_t x62;\n uint64_t x63;\n uint8_t x64;\n fiat_25519_uint1 x65;\n uint64_t x66;\n uint8_t x67;\n uint64_t x68;\n uint8_t x69;\n uint64_t x70;\n uint8_t x71;\n uint64_t x72;\n uint8_t x73;\n uint64_t x74;\n uint8_t x75;\n uint64_t x76;\n uint8_t x77;\n uint8_t x78;\n uint64_t x79;\n uint8_t x80;\n uint64_t x81;\n uint8_t x82;\n uint64_t x83;\n uint8_t x84;\n uint64_t x85;\n uint8_t x86;\n uint64_t x87;\n uint8_t x88;\n uint64_t x89;\n uint8_t x90;\n uint8_t x91;\n fiat_25519_subborrowx_u51(&x1, &x2, 0x0, (arg1[0]), UINT64_C(0x7ffffffffffed));\n fiat_25519_subborrowx_u51(&x3, &x4, x2, (arg1[1]), UINT64_C(0x7ffffffffffff));\n fiat_25519_subborrowx_u51(&x5, &x6, x4, (arg1[2]), UINT64_C(0x7ffffffffffff));\n fiat_25519_subborrowx_u51(&x7, &x8, x6, (arg1[3]), UINT64_C(0x7ffffffffffff));\n fiat_25519_subborrowx_u51(&x9, &x10, x8, (arg1[4]), UINT64_C(0x7ffffffffffff));\n fiat_25519_cmovznz_u64(&x11, x10, 0x0, UINT64_C(0xffffffffffffffff));\n fiat_25519_addcarryx_u51(&x12, &x13, 0x0, x1, (x11 & UINT64_C(0x7ffffffffffed)));\n fiat_25519_addcarryx_u51(&x14, &x15, x13, x3, (x11 & UINT64_C(0x7ffffffffffff)));\n fiat_25519_addcarryx_u51(&x16, &x17, x15, x5, (x11 & UINT64_C(0x7ffffffffffff)));\n fiat_25519_addcarryx_u51(&x18, &x19, x17, x7, (x11 & UINT64_C(0x7ffffffffffff)));\n fiat_25519_addcarryx_u51(&x20, &x21, x19, x9, (x11 & UINT64_C(0x7ffffffffffff)));\n x22 = (x20 << 4);\n x23 = (x18 * (uint64_t)0x2);\n x24 = (x16 << 6);\n x25 = (x14 << 3);\n x26 = (uint8_t)(x12 & UINT8_C(0xff));\n x27 = (x12 >> 8);\n x28 = (uint8_t)(x27 & UINT8_C(0xff));\n x29 = (x27 >> 8);\n x30 = (uint8_t)(x29 & UINT8_C(0xff));\n x31 = (x29 >> 8);\n x32 = (uint8_t)(x31 & UINT8_C(0xff));\n x33 = (x31 >> 8);\n x34 = (uint8_t)(x33 & UINT8_C(0xff));\n x35 = (x33 >> 8);\n x36 = (uint8_t)(x35 & UINT8_C(0xff));\n x37 = (uint8_t)(x35 >> 8);\n x38 = (x25 + (uint64_t)x37);\n x39 = (uint8_t)(x38 & UINT8_C(0xff));\n x40 = (x38 >> 8);\n x41 = (uint8_t)(x40 & UINT8_C(0xff));\n x42 = (x40 >> 8);\n x43 = (uint8_t)(x42 & UINT8_C(0xff));\n x44 = (x42 >> 8);\n x45 = (uint8_t)(x44 & UINT8_C(0xff));\n x46 = (x44 >> 8);\n x47 = (uint8_t)(x46 & UINT8_C(0xff));\n x48 = (x46 >> 8);\n x49 = (uint8_t)(x48 & UINT8_C(0xff));\n x50 = (uint8_t)(x48 >> 8);\n x51 = (x24 + (uint64_t)x50);\n x52 = (uint8_t)(x51 & UINT8_C(0xff));\n x53 = (x51 >> 8);\n x54 = (uint8_t)(x53 & UINT8_C(0xff));\n x55 = (x53 >> 8);\n x56 = (uint8_t)(x55 & UINT8_C(0xff));\n x57 = (x55 >> 8);\n x58 = (uint8_t)(x57 & UINT8_C(0xff));\n x59 = (x57 >> 8);\n x60 = (uint8_t)(x59 & UINT8_C(0xff));\n x61 = (x59 >> 8);\n x62 = (uint8_t)(x61 & UINT8_C(0xff));\n x63 = (x61 >> 8);\n x64 = (uint8_t)(x63 & UINT8_C(0xff));\n x65 = (fiat_25519_uint1)(x63 >> 8);\n x66 = (x23 + (uint64_t)x65);\n x67 = (uint8_t)(x66 & UINT8_C(0xff));\n x68 = (x66 >> 8);\n x69 = (uint8_t)(x68 & UINT8_C(0xff));\n x70 = (x68 >> 8);\n x71 = (uint8_t)(x70 & UINT8_C(0xff));\n x72 = (x70 >> 8);\n x73 = (uint8_t)(x72 & UINT8_C(0xff));\n x74 = (x72 >> 8);\n x75 = (uint8_t)(x74 & UINT8_C(0xff));\n x76 = (x74 >> 8);\n x77 = (uint8_t)(x76 & UINT8_C(0xff));\n x78 = (uint8_t)(x76 >> 8);\n x79 = (x22 + (uint64_t)x78);\n x80 = (uint8_t)(x79 & UINT8_C(0xff));\n x81 = (x79 >> 8);\n x82 = (uint8_t)(x81 & UINT8_C(0xff));\n x83 = (x81 >> 8);\n x84 = (uint8_t)(x83 & UINT8_C(0xff));\n x85 = (x83 >> 8);\n x86 = (uint8_t)(x85 & UINT8_C(0xff));\n x87 = (x85 >> 8);\n x88 = (uint8_t)(x87 & UINT8_C(0xff));\n x89 = (x87 >> 8);\n x90 = (uint8_t)(x89 & UINT8_C(0xff));\n x91 = (uint8_t)(x89 >> 8);\n out1[0] = x26;\n out1[1] = x28;\n out1[2] = x30;\n out1[3] = x32;\n out1[4] = x34;\n out1[5] = x36;\n out1[6] = x39;\n out1[7] = x41;\n out1[8] = x43;\n out1[9] = x45;\n out1[10] = x47;\n out1[11] = x49;\n out1[12] = x52;\n out1[13] = x54;\n out1[14] = x56;\n out1[15] = x58;\n out1[16] = x60;\n out1[17] = x62;\n out1[18] = x64;\n out1[19] = x67;\n out1[20] = x69;\n out1[21] = x71;\n out1[22] = x73;\n out1[23] = x75;\n out1[24] = x77;\n out1[25] = x80;\n out1[26] = x82;\n out1[27] = x84;\n out1[28] = x86;\n out1[29] = x88;\n out1[30] = x90;\n out1[31] = x91;\n}\n\n/*\n * The function fiat_25519_from_bytes deserializes a field element from bytes in little-endian order.\n *\n * Postconditions:\n * eval out1 mod m = bytes_eval arg1 mod m\n *\n * Input Bounds:\n * arg1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0x7f]]\n */\nstatic FIAT_25519_FIAT_INLINE void fiat_25519_from_bytes(fiat_25519_tight_field_element out1, const uint8_t arg1[32]) {\n uint64_t x1;\n uint64_t x2;\n uint64_t x3;\n uint64_t x4;\n uint64_t x5;\n uint64_t x6;\n uint64_t x7;\n uint64_t x8;\n uint64_t x9;\n uint64_t x10;\n uint64_t x11;\n uint64_t x12;\n uint64_t x13;\n uint64_t x14;\n uint64_t x15;\n uint64_t x16;\n uint64_t x17;\n uint64_t x18;\n uint64_t x19;\n uint64_t x20;\n uint64_t x21;\n uint64_t x22;\n uint64_t x23;\n uint64_t x24;\n uint64_t x25;\n uint64_t x26;\n uint64_t x27;\n uint64_t x28;\n uint64_t x29;\n uint64_t x30;\n uint64_t x31;\n uint8_t x32;\n uint64_t x33;\n uint64_t x34;\n uint64_t x35;\n uint64_t x36;\n uint64_t x37;\n uint64_t x38;\n uint64_t x39;\n uint8_t x40;\n uint64_t x41;\n uint64_t x42;\n uint64_t x43;\n uint64_t x44;\n uint64_t x45;\n uint64_t x46;\n uint64_t x47;\n uint8_t x48;\n uint64_t x49;\n uint64_t x50;\n uint64_t x51;\n uint64_t x52;\n uint64_t x53;\n uint64_t x54;\n uint64_t x55;\n uint64_t x56;\n uint8_t x57;\n uint64_t x58;\n uint64_t x59;\n uint64_t x60;\n uint64_t x61;\n uint64_t x62;\n uint64_t x63;\n uint64_t x64;\n uint8_t x65;\n uint64_t x66;\n uint64_t x67;\n uint64_t x68;\n uint64_t x69;\n uint64_t x70;\n uint64_t x71;\n x1 = ((uint64_t)(arg1[31]) << 44);\n x2 = ((uint64_t)(arg1[30]) << 36);\n x3 = ((uint64_t)(arg1[29]) << 28);\n x4 = ((uint64_t)(arg1[28]) << 20);\n x5 = ((uint64_t)(arg1[27]) << 12);\n x6 = ((uint64_t)(arg1[26]) << 4);\n x7 = ((uint64_t)(arg1[25]) << 47);\n x8 = ((uint64_t)(arg1[24]) << 39);\n x9 = ((uint64_t)(arg1[23]) << 31);\n x10 = ((uint64_t)(arg1[22]) << 23);\n x11 = ((uint64_t)(arg1[21]) << 15);\n x12 = ((uint64_t)(arg1[20]) << 7);\n x13 = ((uint64_t)(arg1[19]) << 50);\n x14 = ((uint64_t)(arg1[18]) << 42);\n x15 = ((uint64_t)(arg1[17]) << 34);\n x16 = ((uint64_t)(arg1[16]) << 26);\n x17 = ((uint64_t)(arg1[15]) << 18);\n x18 = ((uint64_t)(arg1[14]) << 10);\n x19 = ((uint64_t)(arg1[13]) << 2);\n x20 = ((uint64_t)(arg1[12]) << 45);\n x21 = ((uint64_t)(arg1[11]) << 37);\n x22 = ((uint64_t)(arg1[10]) << 29);\n x23 = ((uint64_t)(arg1[9]) << 21);\n x24 = ((uint64_t)(arg1[8]) << 13);\n x25 = ((uint64_t)(arg1[7]) << 5);\n x26 = ((uint64_t)(arg1[6]) << 48);\n x27 = ((uint64_t)(arg1[5]) << 40);\n x28 = ((uint64_t)(arg1[4]) << 32);\n x29 = ((uint64_t)(arg1[3]) << 24);\n x30 = ((uint64_t)(arg1[2]) << 16);\n x31 = ((uint64_t)(arg1[1]) << 8);\n x32 = (arg1[0]);\n x33 = (x31 + (uint64_t)x32);\n x34 = (x30 + x33);\n x35 = (x29 + x34);\n x36 = (x28 + x35);\n x37 = (x27 + x36);\n x38 = (x26 + x37);\n x39 = (x38 & UINT64_C(0x7ffffffffffff));\n x40 = (uint8_t)(x38 >> 51);\n x41 = (x25 + (uint64_t)x40);\n x42 = (x24 + x41);\n x43 = (x23 + x42);\n x44 = (x22 + x43);\n x45 = (x21 + x44);\n x46 = (x20 + x45);\n x47 = (x46 & UINT64_C(0x7ffffffffffff));\n x48 = (uint8_t)(x46 >> 51);\n x49 = (x19 + (uint64_t)x48);\n x50 = (x18 + x49);\n x51 = (x17 + x50);\n x52 = (x16 + x51);\n x53 = (x15 + x52);\n x54 = (x14 + x53);\n x55 = (x13 + x54);\n x56 = (x55 & UINT64_C(0x7ffffffffffff));\n x57 = (uint8_t)(x55 >> 51);\n x58 = (x12 + (uint64_t)x57);\n x59 = (x11 + x58);\n x60 = (x10 + x59);\n x61 = (x9 + x60);\n x62 = (x8 + x61);\n x63 = (x7 + x62);\n x64 = (x63 & UINT64_C(0x7ffffffffffff));\n x65 = (uint8_t)(x63 >> 51);\n x66 = (x6 + (uint64_t)x65);\n x67 = (x5 + x66);\n x68 = (x4 + x67);\n x69 = (x3 + x68);\n x70 = (x2 + x69);\n x71 = (x1 + x70);\n out1[0] = x39;\n out1[1] = x47;\n out1[2] = x56;\n out1[3] = x64;\n out1[4] = x71;\n}\n\n/*\n * The function fiat_25519_relax is the identity function converting from tight field elements to loose field elements.\n *\n * Postconditions:\n * out1 = arg1\n *\n */\nstatic FIAT_25519_FIAT_INLINE void fiat_25519_relax(fiat_25519_loose_field_element out1, const fiat_25519_tight_field_element arg1) {\n uint64_t x1;\n uint64_t x2;\n uint64_t x3;\n uint64_t x4;\n uint64_t x5;\n x1 = (arg1[0]);\n x2 = (arg1[1]);\n x3 = (arg1[2]);\n x4 = (arg1[3]);\n x5 = (arg1[4]);\n out1[0] = x1;\n out1[1] = x2;\n out1[2] = x3;\n out1[3] = x4;\n out1[4] = x5;\n}\n\n/*\n * The function fiat_25519_carry_scmul_121666 multiplies a field element by 121666 and reduces the result.\n *\n * Postconditions:\n * eval out1 mod m = (121666 * eval arg1) mod m\n *\n */\nstatic FIAT_25519_FIAT_INLINE void fiat_25519_carry_scmul_121666(fiat_25519_tight_field_element out1, const fiat_25519_loose_field_element arg1) {\n uint64_t x1;\n uint64_t x2;\n uint64_t x3;\n uint64_t x4;\n uint64_t x5;\n uint64_t x6;\n uint64_t x7;\n uint64_t x8;\n uint64_t x9;\n uint64_t x10;\n uint64_t x11;\n uint64_t x12;\n uint64_t x13;\n fiat_25519_uint1 x14;\n uint64_t x15;\n uint64_t x16;\n uint64_t x17;\n uint64_t x18;\n fiat_25519_uint1 x19;\n uint64_t x20;\n uint64_t x21;\n uint64_t x22;\n uint64_t x23;\n fiat_25519_uint1 x24;\n uint64_t x25;\n uint64_t x26;\n uint64_t x27;\n uint64_t x28;\n fiat_25519_uint1 x29;\n uint64_t x30;\n uint64_t x31;\n uint64_t x32;\n uint64_t x33;\n uint64_t x34;\n fiat_25519_uint1 x35;\n uint64_t x36;\n uint64_t x37;\n fiat_25519_uint1 x38;\n uint64_t x39;\n uint64_t x40;\n fiat_25519_mulx_u64(&x1, &x2, UINT32_C(0x1db42), (arg1[4]));\n fiat_25519_mulx_u64(&x3, &x4, UINT32_C(0x1db42), (arg1[3]));\n fiat_25519_mulx_u64(&x5, &x6, UINT32_C(0x1db42), (arg1[2]));\n fiat_25519_mulx_u64(&x7, &x8, UINT32_C(0x1db42), (arg1[1]));\n fiat_25519_mulx_u64(&x9, &x10, UINT32_C(0x1db42), (arg1[0]));\n x11 = ((x9 >> 51) | ((x10 << 13) & UINT64_C(0xffffffffffffffff)));\n x12 = (x9 & UINT64_C(0x7ffffffffffff));\n fiat_25519_addcarryx_u64(&x13, &x14, 0x0, x11, x7);\n x15 = (x14 + x8);\n x16 = ((x13 >> 51) | ((x15 << 13) & UINT64_C(0xffffffffffffffff)));\n x17 = (x13 & UINT64_C(0x7ffffffffffff));\n fiat_25519_addcarryx_u64(&x18, &x19, 0x0, x16, x5);\n x20 = (x19 + x6);\n x21 = ((x18 >> 51) | ((x20 << 13) & UINT64_C(0xffffffffffffffff)));\n x22 = (x18 & UINT64_C(0x7ffffffffffff));\n fiat_25519_addcarryx_u64(&x23, &x24, 0x0, x21, x3);\n x25 = (x24 + x4);\n x26 = ((x23 >> 51) | ((x25 << 13) & UINT64_C(0xffffffffffffffff)));\n x27 = (x23 & UINT64_C(0x7ffffffffffff));\n fiat_25519_addcarryx_u64(&x28, &x29, 0x0, x26, x1);\n x30 = (x29 + x2);\n x31 = ((x28 >> 51) | ((x30 << 13) & UINT64_C(0xffffffffffffffff)));\n x32 = (x28 & UINT64_C(0x7ffffffffffff));\n x33 = (x31 * UINT8_C(0x13));\n x34 = (x12 + x33);\n x35 = (fiat_25519_uint1)(x34 >> 51);\n x36 = (x34 & UINT64_C(0x7ffffffffffff));\n x37 = (x35 + x17);\n x38 = (fiat_25519_uint1)(x37 >> 51);\n x39 = (x37 & UINT64_C(0x7ffffffffffff));\n x40 = (x38 + x22);\n out1[0] = x36;\n out1[1] = x39;\n out1[2] = x40;\n out1[3] = x27;\n out1[4] = x32;\n}\n" }, { "path": "Sources/CNIOBoringSSL/third_party/fiat/p256_32.h", "content": "/* Autogenerated: 'src/ExtractionOCaml/word_by_word_montgomery' --inline --static --use-value-barrier p256 32 '2^256 - 2^224 + 2^192 + 2^96 - 1' mul square add sub opp from_montgomery to_montgomery nonzero selectznz to_bytes from_bytes one msat divstep divstep_precomp */\n/* curve description: p256 */\n/* machine_wordsize = 32 (from \"32\") */\n/* requested operations: mul, square, add, sub, opp, from_montgomery, to_montgomery, nonzero, selectznz, to_bytes, from_bytes, one, msat, divstep, divstep_precomp */\n/* m = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff (from \"2^256 - 2^224 + 2^192 + 2^96 - 1\") */\n/* */\n/* NOTE: In addition to the bounds specified above each function, all */\n/* functions synthesized for this Montgomery arithmetic require the */\n/* input to be strictly less than the prime modulus (m), and also */\n/* require the input to be in the unique saturated representation. */\n/* All functions also ensure that these two properties are true of */\n/* return values. */\n/* */\n/* Computed values: */\n/* eval z = z[0] + (z[1] << 32) + (z[2] << 64) + (z[3] << 96) + (z[4] << 128) + (z[5] << 160) + (z[6] << 192) + (z[7] << 224) */\n/* bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) */\n/* twos_complement_eval z = let x1 := z[0] + (z[1] << 32) + (z[2] << 64) + (z[3] << 96) + (z[4] << 128) + (z[5] << 160) + (z[6] << 192) + (z[7] << 224) in */\n/* if x1 & (2^256-1) < 2^255 then x1 & (2^256-1) else (x1 & (2^256-1)) - 2^256 */\n\n#include \ntypedef unsigned char fiat_p256_uint1;\ntypedef signed char fiat_p256_int1;\n#if defined(__GNUC__) || defined(__clang__)\n# define FIAT_P256_FIAT_INLINE __inline__\n#else\n# define FIAT_P256_FIAT_INLINE inline\n#endif\n\n/* The type fiat_p256_montgomery_domain_field_element is a field element in the Montgomery domain. */\n/* Bounds: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] */\ntypedef uint32_t fiat_p256_montgomery_domain_field_element[8];\n\n/* The type fiat_p256_non_montgomery_domain_field_element is a field element NOT in the Montgomery domain. */\n/* Bounds: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] */\ntypedef uint32_t fiat_p256_non_montgomery_domain_field_element[8];\n\n#if (-1 & 3) != 3\n#error \"This code only works on a two's complement system\"\n#endif\n\n#if !defined(FIAT_P256_NO_ASM) && (defined(__GNUC__) || defined(__clang__))\nstatic __inline__ uint32_t fiat_p256_value_barrier_u32(uint32_t a) {\n __asm__(\"\" : \"+r\"(a) : /* no inputs */);\n return a;\n}\n#else\n# define fiat_p256_value_barrier_u32(x) (x)\n#endif\n\n\n/*\n * The function fiat_p256_addcarryx_u32 is an addition with carry.\n *\n * Postconditions:\n * out1 = (arg1 + arg2 + arg3) mod 2^32\n * out2 = ⌊(arg1 + arg2 + arg3) / 2^32⌋\n *\n * Input Bounds:\n * arg1: [0x0 ~> 0x1]\n * arg2: [0x0 ~> 0xffffffff]\n * arg3: [0x0 ~> 0xffffffff]\n * Output Bounds:\n * out1: [0x0 ~> 0xffffffff]\n * out2: [0x0 ~> 0x1]\n */\nstatic FIAT_P256_FIAT_INLINE void fiat_p256_addcarryx_u32(uint32_t* out1, fiat_p256_uint1* out2, fiat_p256_uint1 arg1, uint32_t arg2, uint32_t arg3) {\n uint64_t x1;\n uint32_t x2;\n fiat_p256_uint1 x3;\n x1 = ((arg1 + (uint64_t)arg2) + arg3);\n x2 = (uint32_t)(x1 & UINT32_C(0xffffffff));\n x3 = (fiat_p256_uint1)(x1 >> 32);\n *out1 = x2;\n *out2 = x3;\n}\n\n/*\n * The function fiat_p256_subborrowx_u32 is a subtraction with borrow.\n *\n * Postconditions:\n * out1 = (-arg1 + arg2 + -arg3) mod 2^32\n * out2 = -⌊(-arg1 + arg2 + -arg3) / 2^32⌋\n *\n * Input Bounds:\n * arg1: [0x0 ~> 0x1]\n * arg2: [0x0 ~> 0xffffffff]\n * arg3: [0x0 ~> 0xffffffff]\n * Output Bounds:\n * out1: [0x0 ~> 0xffffffff]\n * out2: [0x0 ~> 0x1]\n */\nstatic FIAT_P256_FIAT_INLINE void fiat_p256_subborrowx_u32(uint32_t* out1, fiat_p256_uint1* out2, fiat_p256_uint1 arg1, uint32_t arg2, uint32_t arg3) {\n int64_t x1;\n fiat_p256_int1 x2;\n uint32_t x3;\n x1 = ((arg2 - (int64_t)arg1) - arg3);\n x2 = (fiat_p256_int1)(x1 >> 32);\n x3 = (uint32_t)(x1 & UINT32_C(0xffffffff));\n *out1 = x3;\n *out2 = (fiat_p256_uint1)(0x0 - x2);\n}\n\n/*\n * The function fiat_p256_mulx_u32 is a multiplication, returning the full double-width result.\n *\n * Postconditions:\n * out1 = (arg1 * arg2) mod 2^32\n * out2 = ⌊arg1 * arg2 / 2^32⌋\n *\n * Input Bounds:\n * arg1: [0x0 ~> 0xffffffff]\n * arg2: [0x0 ~> 0xffffffff]\n * Output Bounds:\n * out1: [0x0 ~> 0xffffffff]\n * out2: [0x0 ~> 0xffffffff]\n */\nstatic FIAT_P256_FIAT_INLINE void fiat_p256_mulx_u32(uint32_t* out1, uint32_t* out2, uint32_t arg1, uint32_t arg2) {\n uint64_t x1;\n uint32_t x2;\n uint32_t x3;\n x1 = ((uint64_t)arg1 * arg2);\n x2 = (uint32_t)(x1 & UINT32_C(0xffffffff));\n x3 = (uint32_t)(x1 >> 32);\n *out1 = x2;\n *out2 = x3;\n}\n\n/*\n * The function fiat_p256_cmovznz_u32 is a single-word conditional move.\n *\n * Postconditions:\n * out1 = (if arg1 = 0 then arg2 else arg3)\n *\n * Input Bounds:\n * arg1: [0x0 ~> 0x1]\n * arg2: [0x0 ~> 0xffffffff]\n * arg3: [0x0 ~> 0xffffffff]\n * Output Bounds:\n * out1: [0x0 ~> 0xffffffff]\n */\nstatic FIAT_P256_FIAT_INLINE void fiat_p256_cmovznz_u32(uint32_t* out1, fiat_p256_uint1 arg1, uint32_t arg2, uint32_t arg3) {\n fiat_p256_uint1 x1;\n uint32_t x2;\n uint32_t x3;\n x1 = (!(!arg1));\n x2 = ((fiat_p256_int1)(0x0 - x1) & UINT32_C(0xffffffff));\n x3 = ((fiat_p256_value_barrier_u32(x2) & arg3) | (fiat_p256_value_barrier_u32((~x2)) & arg2));\n *out1 = x3;\n}\n\n/*\n * The function fiat_p256_mul multiplies two field elements in the Montgomery domain.\n *\n * Preconditions:\n * 0 ≤ eval arg1 < m\n * 0 ≤ eval arg2 < m\n * Postconditions:\n * eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) * eval (from_montgomery arg2)) mod m\n * 0 ≤ eval out1 < m\n *\n */\nstatic FIAT_P256_FIAT_INLINE void fiat_p256_mul(fiat_p256_montgomery_domain_field_element out1, const fiat_p256_montgomery_domain_field_element arg1, const fiat_p256_montgomery_domain_field_element arg2) {\n uint32_t x1;\n uint32_t x2;\n uint32_t x3;\n uint32_t x4;\n uint32_t x5;\n uint32_t x6;\n uint32_t x7;\n uint32_t x8;\n uint32_t x9;\n uint32_t x10;\n uint32_t x11;\n uint32_t x12;\n uint32_t x13;\n uint32_t x14;\n uint32_t x15;\n uint32_t x16;\n uint32_t x17;\n uint32_t x18;\n uint32_t x19;\n uint32_t x20;\n uint32_t x21;\n uint32_t x22;\n uint32_t x23;\n uint32_t x24;\n uint32_t x25;\n fiat_p256_uint1 x26;\n uint32_t x27;\n fiat_p256_uint1 x28;\n uint32_t x29;\n fiat_p256_uint1 x30;\n uint32_t x31;\n fiat_p256_uint1 x32;\n uint32_t x33;\n fiat_p256_uint1 x34;\n uint32_t x35;\n fiat_p256_uint1 x36;\n uint32_t x37;\n fiat_p256_uint1 x38;\n uint32_t x39;\n uint32_t x40;\n uint32_t x41;\n uint32_t x42;\n uint32_t x43;\n uint32_t x44;\n uint32_t x45;\n uint32_t x46;\n uint32_t x47;\n uint32_t x48;\n fiat_p256_uint1 x49;\n uint32_t x50;\n fiat_p256_uint1 x51;\n uint32_t x52;\n uint32_t x53;\n fiat_p256_uint1 x54;\n uint32_t x55;\n fiat_p256_uint1 x56;\n uint32_t x57;\n fiat_p256_uint1 x58;\n uint32_t x59;\n fiat_p256_uint1 x60;\n uint32_t x61;\n fiat_p256_uint1 x62;\n uint32_t x63;\n fiat_p256_uint1 x64;\n uint32_t x65;\n fiat_p256_uint1 x66;\n uint32_t x67;\n fiat_p256_uint1 x68;\n uint32_t x69;\n fiat_p256_uint1 x70;\n uint32_t x71;\n uint32_t x72;\n uint32_t x73;\n uint32_t x74;\n uint32_t x75;\n uint32_t x76;\n uint32_t x77;\n uint32_t x78;\n uint32_t x79;\n uint32_t x80;\n uint32_t x81;\n uint32_t x82;\n uint32_t x83;\n uint32_t x84;\n uint32_t x85;\n uint32_t x86;\n uint32_t x87;\n fiat_p256_uint1 x88;\n uint32_t x89;\n fiat_p256_uint1 x90;\n uint32_t x91;\n fiat_p256_uint1 x92;\n uint32_t x93;\n fiat_p256_uint1 x94;\n uint32_t x95;\n fiat_p256_uint1 x96;\n uint32_t x97;\n fiat_p256_uint1 x98;\n uint32_t x99;\n fiat_p256_uint1 x100;\n uint32_t x101;\n uint32_t x102;\n fiat_p256_uint1 x103;\n uint32_t x104;\n fiat_p256_uint1 x105;\n uint32_t x106;\n fiat_p256_uint1 x107;\n uint32_t x108;\n fiat_p256_uint1 x109;\n uint32_t x110;\n fiat_p256_uint1 x111;\n uint32_t x112;\n fiat_p256_uint1 x113;\n uint32_t x114;\n fiat_p256_uint1 x115;\n uint32_t x116;\n fiat_p256_uint1 x117;\n uint32_t x118;\n fiat_p256_uint1 x119;\n uint32_t x120;\n uint32_t x121;\n uint32_t x122;\n uint32_t x123;\n uint32_t x124;\n uint32_t x125;\n uint32_t x126;\n uint32_t x127;\n uint32_t x128;\n fiat_p256_uint1 x129;\n uint32_t x130;\n fiat_p256_uint1 x131;\n uint32_t x132;\n uint32_t x133;\n fiat_p256_uint1 x134;\n uint32_t x135;\n fiat_p256_uint1 x136;\n uint32_t x137;\n fiat_p256_uint1 x138;\n uint32_t x139;\n fiat_p256_uint1 x140;\n uint32_t x141;\n fiat_p256_uint1 x142;\n uint32_t x143;\n fiat_p256_uint1 x144;\n uint32_t x145;\n fiat_p256_uint1 x146;\n uint32_t x147;\n fiat_p256_uint1 x148;\n uint32_t x149;\n fiat_p256_uint1 x150;\n uint32_t x151;\n uint32_t x152;\n uint32_t x153;\n uint32_t x154;\n uint32_t x155;\n uint32_t x156;\n uint32_t x157;\n uint32_t x158;\n uint32_t x159;\n uint32_t x160;\n uint32_t x161;\n uint32_t x162;\n uint32_t x163;\n uint32_t x164;\n uint32_t x165;\n uint32_t x166;\n uint32_t x167;\n uint32_t x168;\n fiat_p256_uint1 x169;\n uint32_t x170;\n fiat_p256_uint1 x171;\n uint32_t x172;\n fiat_p256_uint1 x173;\n uint32_t x174;\n fiat_p256_uint1 x175;\n uint32_t x176;\n fiat_p256_uint1 x177;\n uint32_t x178;\n fiat_p256_uint1 x179;\n uint32_t x180;\n fiat_p256_uint1 x181;\n uint32_t x182;\n uint32_t x183;\n fiat_p256_uint1 x184;\n uint32_t x185;\n fiat_p256_uint1 x186;\n uint32_t x187;\n fiat_p256_uint1 x188;\n uint32_t x189;\n fiat_p256_uint1 x190;\n uint32_t x191;\n fiat_p256_uint1 x192;\n uint32_t x193;\n fiat_p256_uint1 x194;\n uint32_t x195;\n fiat_p256_uint1 x196;\n uint32_t x197;\n fiat_p256_uint1 x198;\n uint32_t x199;\n fiat_p256_uint1 x200;\n uint32_t x201;\n uint32_t x202;\n uint32_t x203;\n uint32_t x204;\n uint32_t x205;\n uint32_t x206;\n uint32_t x207;\n uint32_t x208;\n uint32_t x209;\n fiat_p256_uint1 x210;\n uint32_t x211;\n fiat_p256_uint1 x212;\n uint32_t x213;\n uint32_t x214;\n fiat_p256_uint1 x215;\n uint32_t x216;\n fiat_p256_uint1 x217;\n uint32_t x218;\n fiat_p256_uint1 x219;\n uint32_t x220;\n fiat_p256_uint1 x221;\n uint32_t x222;\n fiat_p256_uint1 x223;\n uint32_t x224;\n fiat_p256_uint1 x225;\n uint32_t x226;\n fiat_p256_uint1 x227;\n uint32_t x228;\n fiat_p256_uint1 x229;\n uint32_t x230;\n fiat_p256_uint1 x231;\n uint32_t x232;\n uint32_t x233;\n uint32_t x234;\n uint32_t x235;\n uint32_t x236;\n uint32_t x237;\n uint32_t x238;\n uint32_t x239;\n uint32_t x240;\n uint32_t x241;\n uint32_t x242;\n uint32_t x243;\n uint32_t x244;\n uint32_t x245;\n uint32_t x246;\n uint32_t x247;\n uint32_t x248;\n uint32_t x249;\n fiat_p256_uint1 x250;\n uint32_t x251;\n fiat_p256_uint1 x252;\n uint32_t x253;\n fiat_p256_uint1 x254;\n uint32_t x255;\n fiat_p256_uint1 x256;\n uint32_t x257;\n fiat_p256_uint1 x258;\n uint32_t x259;\n fiat_p256_uint1 x260;\n uint32_t x261;\n fiat_p256_uint1 x262;\n uint32_t x263;\n uint32_t x264;\n fiat_p256_uint1 x265;\n uint32_t x266;\n fiat_p256_uint1 x267;\n uint32_t x268;\n fiat_p256_uint1 x269;\n uint32_t x270;\n fiat_p256_uint1 x271;\n uint32_t x272;\n fiat_p256_uint1 x273;\n uint32_t x274;\n fiat_p256_uint1 x275;\n uint32_t x276;\n fiat_p256_uint1 x277;\n uint32_t x278;\n fiat_p256_uint1 x279;\n uint32_t x280;\n fiat_p256_uint1 x281;\n uint32_t x282;\n uint32_t x283;\n uint32_t x284;\n uint32_t x285;\n uint32_t x286;\n uint32_t x287;\n uint32_t x288;\n uint32_t x289;\n uint32_t x290;\n fiat_p256_uint1 x291;\n uint32_t x292;\n fiat_p256_uint1 x293;\n uint32_t x294;\n uint32_t x295;\n fiat_p256_uint1 x296;\n uint32_t x297;\n fiat_p256_uint1 x298;\n uint32_t x299;\n fiat_p256_uint1 x300;\n uint32_t x301;\n fiat_p256_uint1 x302;\n uint32_t x303;\n fiat_p256_uint1 x304;\n uint32_t x305;\n fiat_p256_uint1 x306;\n uint32_t x307;\n fiat_p256_uint1 x308;\n uint32_t x309;\n fiat_p256_uint1 x310;\n uint32_t x311;\n fiat_p256_uint1 x312;\n uint32_t x313;\n uint32_t x314;\n uint32_t x315;\n uint32_t x316;\n uint32_t x317;\n uint32_t x318;\n uint32_t x319;\n uint32_t x320;\n uint32_t x321;\n uint32_t x322;\n uint32_t x323;\n uint32_t x324;\n uint32_t x325;\n uint32_t x326;\n uint32_t x327;\n uint32_t x328;\n uint32_t x329;\n uint32_t x330;\n fiat_p256_uint1 x331;\n uint32_t x332;\n fiat_p256_uint1 x333;\n uint32_t x334;\n fiat_p256_uint1 x335;\n uint32_t x336;\n fiat_p256_uint1 x337;\n uint32_t x338;\n fiat_p256_uint1 x339;\n uint32_t x340;\n fiat_p256_uint1 x341;\n uint32_t x342;\n fiat_p256_uint1 x343;\n uint32_t x344;\n uint32_t x345;\n fiat_p256_uint1 x346;\n uint32_t x347;\n fiat_p256_uint1 x348;\n uint32_t x349;\n fiat_p256_uint1 x350;\n uint32_t x351;\n fiat_p256_uint1 x352;\n uint32_t x353;\n fiat_p256_uint1 x354;\n uint32_t x355;\n fiat_p256_uint1 x356;\n uint32_t x357;\n fiat_p256_uint1 x358;\n uint32_t x359;\n fiat_p256_uint1 x360;\n uint32_t x361;\n fiat_p256_uint1 x362;\n uint32_t x363;\n uint32_t x364;\n uint32_t x365;\n uint32_t x366;\n uint32_t x367;\n uint32_t x368;\n uint32_t x369;\n uint32_t x370;\n uint32_t x371;\n fiat_p256_uint1 x372;\n uint32_t x373;\n fiat_p256_uint1 x374;\n uint32_t x375;\n uint32_t x376;\n fiat_p256_uint1 x377;\n uint32_t x378;\n fiat_p256_uint1 x379;\n uint32_t x380;\n fiat_p256_uint1 x381;\n uint32_t x382;\n fiat_p256_uint1 x383;\n uint32_t x384;\n fiat_p256_uint1 x385;\n uint32_t x386;\n fiat_p256_uint1 x387;\n uint32_t x388;\n fiat_p256_uint1 x389;\n uint32_t x390;\n fiat_p256_uint1 x391;\n uint32_t x392;\n fiat_p256_uint1 x393;\n uint32_t x394;\n uint32_t x395;\n uint32_t x396;\n uint32_t x397;\n uint32_t x398;\n uint32_t x399;\n uint32_t x400;\n uint32_t x401;\n uint32_t x402;\n uint32_t x403;\n uint32_t x404;\n uint32_t x405;\n uint32_t x406;\n uint32_t x407;\n uint32_t x408;\n uint32_t x409;\n uint32_t x410;\n uint32_t x411;\n fiat_p256_uint1 x412;\n uint32_t x413;\n fiat_p256_uint1 x414;\n uint32_t x415;\n fiat_p256_uint1 x416;\n uint32_t x417;\n fiat_p256_uint1 x418;\n uint32_t x419;\n fiat_p256_uint1 x420;\n uint32_t x421;\n fiat_p256_uint1 x422;\n uint32_t x423;\n fiat_p256_uint1 x424;\n uint32_t x425;\n uint32_t x426;\n fiat_p256_uint1 x427;\n uint32_t x428;\n fiat_p256_uint1 x429;\n uint32_t x430;\n fiat_p256_uint1 x431;\n uint32_t x432;\n fiat_p256_uint1 x433;\n uint32_t x434;\n fiat_p256_uint1 x435;\n uint32_t x436;\n fiat_p256_uint1 x437;\n uint32_t x438;\n fiat_p256_uint1 x439;\n uint32_t x440;\n fiat_p256_uint1 x441;\n uint32_t x442;\n fiat_p256_uint1 x443;\n uint32_t x444;\n uint32_t x445;\n uint32_t x446;\n uint32_t x447;\n uint32_t x448;\n uint32_t x449;\n uint32_t x450;\n uint32_t x451;\n uint32_t x452;\n fiat_p256_uint1 x453;\n uint32_t x454;\n fiat_p256_uint1 x455;\n uint32_t x456;\n uint32_t x457;\n fiat_p256_uint1 x458;\n uint32_t x459;\n fiat_p256_uint1 x460;\n uint32_t x461;\n fiat_p256_uint1 x462;\n uint32_t x463;\n fiat_p256_uint1 x464;\n uint32_t x465;\n fiat_p256_uint1 x466;\n uint32_t x467;\n fiat_p256_uint1 x468;\n uint32_t x469;\n fiat_p256_uint1 x470;\n uint32_t x471;\n fiat_p256_uint1 x472;\n uint32_t x473;\n fiat_p256_uint1 x474;\n uint32_t x475;\n uint32_t x476;\n uint32_t x477;\n uint32_t x478;\n uint32_t x479;\n uint32_t x480;\n uint32_t x481;\n uint32_t x482;\n uint32_t x483;\n uint32_t x484;\n uint32_t x485;\n uint32_t x486;\n uint32_t x487;\n uint32_t x488;\n uint32_t x489;\n uint32_t x490;\n uint32_t x491;\n uint32_t x492;\n fiat_p256_uint1 x493;\n uint32_t x494;\n fiat_p256_uint1 x495;\n uint32_t x496;\n fiat_p256_uint1 x497;\n uint32_t x498;\n fiat_p256_uint1 x499;\n uint32_t x500;\n fiat_p256_uint1 x501;\n uint32_t x502;\n fiat_p256_uint1 x503;\n uint32_t x504;\n fiat_p256_uint1 x505;\n uint32_t x506;\n uint32_t x507;\n fiat_p256_uint1 x508;\n uint32_t x509;\n fiat_p256_uint1 x510;\n uint32_t x511;\n fiat_p256_uint1 x512;\n uint32_t x513;\n fiat_p256_uint1 x514;\n uint32_t x515;\n fiat_p256_uint1 x516;\n uint32_t x517;\n fiat_p256_uint1 x518;\n uint32_t x519;\n fiat_p256_uint1 x520;\n uint32_t x521;\n fiat_p256_uint1 x522;\n uint32_t x523;\n fiat_p256_uint1 x524;\n uint32_t x525;\n uint32_t x526;\n uint32_t x527;\n uint32_t x528;\n uint32_t x529;\n uint32_t x530;\n uint32_t x531;\n uint32_t x532;\n uint32_t x533;\n fiat_p256_uint1 x534;\n uint32_t x535;\n fiat_p256_uint1 x536;\n uint32_t x537;\n uint32_t x538;\n fiat_p256_uint1 x539;\n uint32_t x540;\n fiat_p256_uint1 x541;\n uint32_t x542;\n fiat_p256_uint1 x543;\n uint32_t x544;\n fiat_p256_uint1 x545;\n uint32_t x546;\n fiat_p256_uint1 x547;\n uint32_t x548;\n fiat_p256_uint1 x549;\n uint32_t x550;\n fiat_p256_uint1 x551;\n uint32_t x552;\n fiat_p256_uint1 x553;\n uint32_t x554;\n fiat_p256_uint1 x555;\n uint32_t x556;\n uint32_t x557;\n uint32_t x558;\n uint32_t x559;\n uint32_t x560;\n uint32_t x561;\n uint32_t x562;\n uint32_t x563;\n uint32_t x564;\n uint32_t x565;\n uint32_t x566;\n uint32_t x567;\n uint32_t x568;\n uint32_t x569;\n uint32_t x570;\n uint32_t x571;\n uint32_t x572;\n uint32_t x573;\n fiat_p256_uint1 x574;\n uint32_t x575;\n fiat_p256_uint1 x576;\n uint32_t x577;\n fiat_p256_uint1 x578;\n uint32_t x579;\n fiat_p256_uint1 x580;\n uint32_t x581;\n fiat_p256_uint1 x582;\n uint32_t x583;\n fiat_p256_uint1 x584;\n uint32_t x585;\n fiat_p256_uint1 x586;\n uint32_t x587;\n uint32_t x588;\n fiat_p256_uint1 x589;\n uint32_t x590;\n fiat_p256_uint1 x591;\n uint32_t x592;\n fiat_p256_uint1 x593;\n uint32_t x594;\n fiat_p256_uint1 x595;\n uint32_t x596;\n fiat_p256_uint1 x597;\n uint32_t x598;\n fiat_p256_uint1 x599;\n uint32_t x600;\n fiat_p256_uint1 x601;\n uint32_t x602;\n fiat_p256_uint1 x603;\n uint32_t x604;\n fiat_p256_uint1 x605;\n uint32_t x606;\n uint32_t x607;\n uint32_t x608;\n uint32_t x609;\n uint32_t x610;\n uint32_t x611;\n uint32_t x612;\n uint32_t x613;\n uint32_t x614;\n fiat_p256_uint1 x615;\n uint32_t x616;\n fiat_p256_uint1 x617;\n uint32_t x618;\n uint32_t x619;\n fiat_p256_uint1 x620;\n uint32_t x621;\n fiat_p256_uint1 x622;\n uint32_t x623;\n fiat_p256_uint1 x624;\n uint32_t x625;\n fiat_p256_uint1 x626;\n uint32_t x627;\n fiat_p256_uint1 x628;\n uint32_t x629;\n fiat_p256_uint1 x630;\n uint32_t x631;\n fiat_p256_uint1 x632;\n uint32_t x633;\n fiat_p256_uint1 x634;\n uint32_t x635;\n fiat_p256_uint1 x636;\n uint32_t x637;\n uint32_t x638;\n fiat_p256_uint1 x639;\n uint32_t x640;\n fiat_p256_uint1 x641;\n uint32_t x642;\n fiat_p256_uint1 x643;\n uint32_t x644;\n fiat_p256_uint1 x645;\n uint32_t x646;\n fiat_p256_uint1 x647;\n uint32_t x648;\n fiat_p256_uint1 x649;\n uint32_t x650;\n fiat_p256_uint1 x651;\n uint32_t x652;\n fiat_p256_uint1 x653;\n uint32_t x654;\n fiat_p256_uint1 x655;\n uint32_t x656;\n uint32_t x657;\n uint32_t x658;\n uint32_t x659;\n uint32_t x660;\n uint32_t x661;\n uint32_t x662;\n uint32_t x663;\n x1 = (arg1[1]);\n x2 = (arg1[2]);\n x3 = (arg1[3]);\n x4 = (arg1[4]);\n x5 = (arg1[5]);\n x6 = (arg1[6]);\n x7 = (arg1[7]);\n x8 = (arg1[0]);\n fiat_p256_mulx_u32(&x9, &x10, x8, (arg2[7]));\n fiat_p256_mulx_u32(&x11, &x12, x8, (arg2[6]));\n fiat_p256_mulx_u32(&x13, &x14, x8, (arg2[5]));\n fiat_p256_mulx_u32(&x15, &x16, x8, (arg2[4]));\n fiat_p256_mulx_u32(&x17, &x18, x8, (arg2[3]));\n fiat_p256_mulx_u32(&x19, &x20, x8, (arg2[2]));\n fiat_p256_mulx_u32(&x21, &x22, x8, (arg2[1]));\n fiat_p256_mulx_u32(&x23, &x24, x8, (arg2[0]));\n fiat_p256_addcarryx_u32(&x25, &x26, 0x0, x24, x21);\n fiat_p256_addcarryx_u32(&x27, &x28, x26, x22, x19);\n fiat_p256_addcarryx_u32(&x29, &x30, x28, x20, x17);\n fiat_p256_addcarryx_u32(&x31, &x32, x30, x18, x15);\n fiat_p256_addcarryx_u32(&x33, &x34, x32, x16, x13);\n fiat_p256_addcarryx_u32(&x35, &x36, x34, x14, x11);\n fiat_p256_addcarryx_u32(&x37, &x38, x36, x12, x9);\n x39 = (x38 + x10);\n fiat_p256_mulx_u32(&x40, &x41, x23, UINT32_C(0xffffffff));\n fiat_p256_mulx_u32(&x42, &x43, x23, UINT32_C(0xffffffff));\n fiat_p256_mulx_u32(&x44, &x45, x23, UINT32_C(0xffffffff));\n fiat_p256_mulx_u32(&x46, &x47, x23, UINT32_C(0xffffffff));\n fiat_p256_addcarryx_u32(&x48, &x49, 0x0, x47, x44);\n fiat_p256_addcarryx_u32(&x50, &x51, x49, x45, x42);\n x52 = (x51 + x43);\n fiat_p256_addcarryx_u32(&x53, &x54, 0x0, x23, x46);\n fiat_p256_addcarryx_u32(&x55, &x56, x54, x25, x48);\n fiat_p256_addcarryx_u32(&x57, &x58, x56, x27, x50);\n fiat_p256_addcarryx_u32(&x59, &x60, x58, x29, x52);\n fiat_p256_addcarryx_u32(&x61, &x62, x60, x31, 0x0);\n fiat_p256_addcarryx_u32(&x63, &x64, x62, x33, 0x0);\n fiat_p256_addcarryx_u32(&x65, &x66, x64, x35, x23);\n fiat_p256_addcarryx_u32(&x67, &x68, x66, x37, x40);\n fiat_p256_addcarryx_u32(&x69, &x70, x68, x39, x41);\n fiat_p256_mulx_u32(&x71, &x72, x1, (arg2[7]));\n fiat_p256_mulx_u32(&x73, &x74, x1, (arg2[6]));\n fiat_p256_mulx_u32(&x75, &x76, x1, (arg2[5]));\n fiat_p256_mulx_u32(&x77, &x78, x1, (arg2[4]));\n fiat_p256_mulx_u32(&x79, &x80, x1, (arg2[3]));\n fiat_p256_mulx_u32(&x81, &x82, x1, (arg2[2]));\n fiat_p256_mulx_u32(&x83, &x84, x1, (arg2[1]));\n fiat_p256_mulx_u32(&x85, &x86, x1, (arg2[0]));\n fiat_p256_addcarryx_u32(&x87, &x88, 0x0, x86, x83);\n fiat_p256_addcarryx_u32(&x89, &x90, x88, x84, x81);\n fiat_p256_addcarryx_u32(&x91, &x92, x90, x82, x79);\n fiat_p256_addcarryx_u32(&x93, &x94, x92, x80, x77);\n fiat_p256_addcarryx_u32(&x95, &x96, x94, x78, x75);\n fiat_p256_addcarryx_u32(&x97, &x98, x96, x76, x73);\n fiat_p256_addcarryx_u32(&x99, &x100, x98, x74, x71);\n x101 = (x100 + x72);\n fiat_p256_addcarryx_u32(&x102, &x103, 0x0, x55, x85);\n fiat_p256_addcarryx_u32(&x104, &x105, x103, x57, x87);\n fiat_p256_addcarryx_u32(&x106, &x107, x105, x59, x89);\n fiat_p256_addcarryx_u32(&x108, &x109, x107, x61, x91);\n fiat_p256_addcarryx_u32(&x110, &x111, x109, x63, x93);\n fiat_p256_addcarryx_u32(&x112, &x113, x111, x65, x95);\n fiat_p256_addcarryx_u32(&x114, &x115, x113, x67, x97);\n fiat_p256_addcarryx_u32(&x116, &x117, x115, x69, x99);\n fiat_p256_addcarryx_u32(&x118, &x119, x117, x70, x101);\n fiat_p256_mulx_u32(&x120, &x121, x102, UINT32_C(0xffffffff));\n fiat_p256_mulx_u32(&x122, &x123, x102, UINT32_C(0xffffffff));\n fiat_p256_mulx_u32(&x124, &x125, x102, UINT32_C(0xffffffff));\n fiat_p256_mulx_u32(&x126, &x127, x102, UINT32_C(0xffffffff));\n fiat_p256_addcarryx_u32(&x128, &x129, 0x0, x127, x124);\n fiat_p256_addcarryx_u32(&x130, &x131, x129, x125, x122);\n x132 = (x131 + x123);\n fiat_p256_addcarryx_u32(&x133, &x134, 0x0, x102, x126);\n fiat_p256_addcarryx_u32(&x135, &x136, x134, x104, x128);\n fiat_p256_addcarryx_u32(&x137, &x138, x136, x106, x130);\n fiat_p256_addcarryx_u32(&x139, &x140, x138, x108, x132);\n fiat_p256_addcarryx_u32(&x141, &x142, x140, x110, 0x0);\n fiat_p256_addcarryx_u32(&x143, &x144, x142, x112, 0x0);\n fiat_p256_addcarryx_u32(&x145, &x146, x144, x114, x102);\n fiat_p256_addcarryx_u32(&x147, &x148, x146, x116, x120);\n fiat_p256_addcarryx_u32(&x149, &x150, x148, x118, x121);\n x151 = ((uint32_t)x150 + x119);\n fiat_p256_mulx_u32(&x152, &x153, x2, (arg2[7]));\n fiat_p256_mulx_u32(&x154, &x155, x2, (arg2[6]));\n fiat_p256_mulx_u32(&x156, &x157, x2, (arg2[5]));\n fiat_p256_mulx_u32(&x158, &x159, x2, (arg2[4]));\n fiat_p256_mulx_u32(&x160, &x161, x2, (arg2[3]));\n fiat_p256_mulx_u32(&x162, &x163, x2, (arg2[2]));\n fiat_p256_mulx_u32(&x164, &x165, x2, (arg2[1]));\n fiat_p256_mulx_u32(&x166, &x167, x2, (arg2[0]));\n fiat_p256_addcarryx_u32(&x168, &x169, 0x0, x167, x164);\n fiat_p256_addcarryx_u32(&x170, &x171, x169, x165, x162);\n fiat_p256_addcarryx_u32(&x172, &x173, x171, x163, x160);\n fiat_p256_addcarryx_u32(&x174, &x175, x173, x161, x158);\n fiat_p256_addcarryx_u32(&x176, &x177, x175, x159, x156);\n fiat_p256_addcarryx_u32(&x178, &x179, x177, x157, x154);\n fiat_p256_addcarryx_u32(&x180, &x181, x179, x155, x152);\n x182 = (x181 + x153);\n fiat_p256_addcarryx_u32(&x183, &x184, 0x0, x135, x166);\n fiat_p256_addcarryx_u32(&x185, &x186, x184, x137, x168);\n fiat_p256_addcarryx_u32(&x187, &x188, x186, x139, x170);\n fiat_p256_addcarryx_u32(&x189, &x190, x188, x141, x172);\n fiat_p256_addcarryx_u32(&x191, &x192, x190, x143, x174);\n fiat_p256_addcarryx_u32(&x193, &x194, x192, x145, x176);\n fiat_p256_addcarryx_u32(&x195, &x196, x194, x147, x178);\n fiat_p256_addcarryx_u32(&x197, &x198, x196, x149, x180);\n fiat_p256_addcarryx_u32(&x199, &x200, x198, x151, x182);\n fiat_p256_mulx_u32(&x201, &x202, x183, UINT32_C(0xffffffff));\n fiat_p256_mulx_u32(&x203, &x204, x183, UINT32_C(0xffffffff));\n fiat_p256_mulx_u32(&x205, &x206, x183, UINT32_C(0xffffffff));\n fiat_p256_mulx_u32(&x207, &x208, x183, UINT32_C(0xffffffff));\n fiat_p256_addcarryx_u32(&x209, &x210, 0x0, x208, x205);\n fiat_p256_addcarryx_u32(&x211, &x212, x210, x206, x203);\n x213 = (x212 + x204);\n fiat_p256_addcarryx_u32(&x214, &x215, 0x0, x183, x207);\n fiat_p256_addcarryx_u32(&x216, &x217, x215, x185, x209);\n fiat_p256_addcarryx_u32(&x218, &x219, x217, x187, x211);\n fiat_p256_addcarryx_u32(&x220, &x221, x219, x189, x213);\n fiat_p256_addcarryx_u32(&x222, &x223, x221, x191, 0x0);\n fiat_p256_addcarryx_u32(&x224, &x225, x223, x193, 0x0);\n fiat_p256_addcarryx_u32(&x226, &x227, x225, x195, x183);\n fiat_p256_addcarryx_u32(&x228, &x229, x227, x197, x201);\n fiat_p256_addcarryx_u32(&x230, &x231, x229, x199, x202);\n x232 = ((uint32_t)x231 + x200);\n fiat_p256_mulx_u32(&x233, &x234, x3, (arg2[7]));\n fiat_p256_mulx_u32(&x235, &x236, x3, (arg2[6]));\n fiat_p256_mulx_u32(&x237, &x238, x3, (arg2[5]));\n fiat_p256_mulx_u32(&x239, &x240, x3, (arg2[4]));\n fiat_p256_mulx_u32(&x241, &x242, x3, (arg2[3]));\n fiat_p256_mulx_u32(&x243, &x244, x3, (arg2[2]));\n fiat_p256_mulx_u32(&x245, &x246, x3, (arg2[1]));\n fiat_p256_mulx_u32(&x247, &x248, x3, (arg2[0]));\n fiat_p256_addcarryx_u32(&x249, &x250, 0x0, x248, x245);\n fiat_p256_addcarryx_u32(&x251, &x252, x250, x246, x243);\n fiat_p256_addcarryx_u32(&x253, &x254, x252, x244, x241);\n fiat_p256_addcarryx_u32(&x255, &x256, x254, x242, x239);\n fiat_p256_addcarryx_u32(&x257, &x258, x256, x240, x237);\n fiat_p256_addcarryx_u32(&x259, &x260, x258, x238, x235);\n fiat_p256_addcarryx_u32(&x261, &x262, x260, x236, x233);\n x263 = (x262 + x234);\n fiat_p256_addcarryx_u32(&x264, &x265, 0x0, x216, x247);\n fiat_p256_addcarryx_u32(&x266, &x267, x265, x218, x249);\n fiat_p256_addcarryx_u32(&x268, &x269, x267, x220, x251);\n fiat_p256_addcarryx_u32(&x270, &x271, x269, x222, x253);\n fiat_p256_addcarryx_u32(&x272, &x273, x271, x224, x255);\n fiat_p256_addcarryx_u32(&x274, &x275, x273, x226, x257);\n fiat_p256_addcarryx_u32(&x276, &x277, x275, x228, x259);\n fiat_p256_addcarryx_u32(&x278, &x279, x277, x230, x261);\n fiat_p256_addcarryx_u32(&x280, &x281, x279, x232, x263);\n fiat_p256_mulx_u32(&x282, &x283, x264, UINT32_C(0xffffffff));\n fiat_p256_mulx_u32(&x284, &x285, x264, UINT32_C(0xffffffff));\n fiat_p256_mulx_u32(&x286, &x287, x264, UINT32_C(0xffffffff));\n fiat_p256_mulx_u32(&x288, &x289, x264, UINT32_C(0xffffffff));\n fiat_p256_addcarryx_u32(&x290, &x291, 0x0, x289, x286);\n fiat_p256_addcarryx_u32(&x292, &x293, x291, x287, x284);\n x294 = (x293 + x285);\n fiat_p256_addcarryx_u32(&x295, &x296, 0x0, x264, x288);\n fiat_p256_addcarryx_u32(&x297, &x298, x296, x266, x290);\n fiat_p256_addcarryx_u32(&x299, &x300, x298, x268, x292);\n fiat_p256_addcarryx_u32(&x301, &x302, x300, x270, x294);\n fiat_p256_addcarryx_u32(&x303, &x304, x302, x272, 0x0);\n fiat_p256_addcarryx_u32(&x305, &x306, x304, x274, 0x0);\n fiat_p256_addcarryx_u32(&x307, &x308, x306, x276, x264);\n fiat_p256_addcarryx_u32(&x309, &x310, x308, x278, x282);\n fiat_p256_addcarryx_u32(&x311, &x312, x310, x280, x283);\n x313 = ((uint32_t)x312 + x281);\n fiat_p256_mulx_u32(&x314, &x315, x4, (arg2[7]));\n fiat_p256_mulx_u32(&x316, &x317, x4, (arg2[6]));\n fiat_p256_mulx_u32(&x318, &x319, x4, (arg2[5]));\n fiat_p256_mulx_u32(&x320, &x321, x4, (arg2[4]));\n fiat_p256_mulx_u32(&x322, &x323, x4, (arg2[3]));\n fiat_p256_mulx_u32(&x324, &x325, x4, (arg2[2]));\n fiat_p256_mulx_u32(&x326, &x327, x4, (arg2[1]));\n fiat_p256_mulx_u32(&x328, &x329, x4, (arg2[0]));\n fiat_p256_addcarryx_u32(&x330, &x331, 0x0, x329, x326);\n fiat_p256_addcarryx_u32(&x332, &x333, x331, x327, x324);\n fiat_p256_addcarryx_u32(&x334, &x335, x333, x325, x322);\n fiat_p256_addcarryx_u32(&x336, &x337, x335, x323, x320);\n fiat_p256_addcarryx_u32(&x338, &x339, x337, x321, x318);\n fiat_p256_addcarryx_u32(&x340, &x341, x339, x319, x316);\n fiat_p256_addcarryx_u32(&x342, &x343, x341, x317, x314);\n x344 = (x343 + x315);\n fiat_p256_addcarryx_u32(&x345, &x346, 0x0, x297, x328);\n fiat_p256_addcarryx_u32(&x347, &x348, x346, x299, x330);\n fiat_p256_addcarryx_u32(&x349, &x350, x348, x301, x332);\n fiat_p256_addcarryx_u32(&x351, &x352, x350, x303, x334);\n fiat_p256_addcarryx_u32(&x353, &x354, x352, x305, x336);\n fiat_p256_addcarryx_u32(&x355, &x356, x354, x307, x338);\n fiat_p256_addcarryx_u32(&x357, &x358, x356, x309, x340);\n fiat_p256_addcarryx_u32(&x359, &x360, x358, x311, x342);\n fiat_p256_addcarryx_u32(&x361, &x362, x360, x313, x344);\n fiat_p256_mulx_u32(&x363, &x364, x345, UINT32_C(0xffffffff));\n fiat_p256_mulx_u32(&x365, &x366, x345, UINT32_C(0xffffffff));\n fiat_p256_mulx_u32(&x367, &x368, x345, UINT32_C(0xffffffff));\n fiat_p256_mulx_u32(&x369, &x370, x345, UINT32_C(0xffffffff));\n fiat_p256_addcarryx_u32(&x371, &x372, 0x0, x370, x367);\n fiat_p256_addcarryx_u32(&x373, &x374, x372, x368, x365);\n x375 = (x374 + x366);\n fiat_p256_addcarryx_u32(&x376, &x377, 0x0, x345, x369);\n fiat_p256_addcarryx_u32(&x378, &x379, x377, x347, x371);\n fiat_p256_addcarryx_u32(&x380, &x381, x379, x349, x373);\n fiat_p256_addcarryx_u32(&x382, &x383, x381, x351, x375);\n fiat_p256_addcarryx_u32(&x384, &x385, x383, x353, 0x0);\n fiat_p256_addcarryx_u32(&x386, &x387, x385, x355, 0x0);\n fiat_p256_addcarryx_u32(&x388, &x389, x387, x357, x345);\n fiat_p256_addcarryx_u32(&x390, &x391, x389, x359, x363);\n fiat_p256_addcarryx_u32(&x392, &x393, x391, x361, x364);\n x394 = ((uint32_t)x393 + x362);\n fiat_p256_mulx_u32(&x395, &x396, x5, (arg2[7]));\n fiat_p256_mulx_u32(&x397, &x398, x5, (arg2[6]));\n fiat_p256_mulx_u32(&x399, &x400, x5, (arg2[5]));\n fiat_p256_mulx_u32(&x401, &x402, x5, (arg2[4]));\n fiat_p256_mulx_u32(&x403, &x404, x5, (arg2[3]));\n fiat_p256_mulx_u32(&x405, &x406, x5, (arg2[2]));\n fiat_p256_mulx_u32(&x407, &x408, x5, (arg2[1]));\n fiat_p256_mulx_u32(&x409, &x410, x5, (arg2[0]));\n fiat_p256_addcarryx_u32(&x411, &x412, 0x0, x410, x407);\n fiat_p256_addcarryx_u32(&x413, &x414, x412, x408, x405);\n fiat_p256_addcarryx_u32(&x415, &x416, x414, x406, x403);\n fiat_p256_addcarryx_u32(&x417, &x418, x416, x404, x401);\n fiat_p256_addcarryx_u32(&x419, &x420, x418, x402, x399);\n fiat_p256_addcarryx_u32(&x421, &x422, x420, x400, x397);\n fiat_p256_addcarryx_u32(&x423, &x424, x422, x398, x395);\n x425 = (x424 + x396);\n fiat_p256_addcarryx_u32(&x426, &x427, 0x0, x378, x409);\n fiat_p256_addcarryx_u32(&x428, &x429, x427, x380, x411);\n fiat_p256_addcarryx_u32(&x430, &x431, x429, x382, x413);\n fiat_p256_addcarryx_u32(&x432, &x433, x431, x384, x415);\n fiat_p256_addcarryx_u32(&x434, &x435, x433, x386, x417);\n fiat_p256_addcarryx_u32(&x436, &x437, x435, x388, x419);\n fiat_p256_addcarryx_u32(&x438, &x439, x437, x390, x421);\n fiat_p256_addcarryx_u32(&x440, &x441, x439, x392, x423);\n fiat_p256_addcarryx_u32(&x442, &x443, x441, x394, x425);\n fiat_p256_mulx_u32(&x444, &x445, x426, UINT32_C(0xffffffff));\n fiat_p256_mulx_u32(&x446, &x447, x426, UINT32_C(0xffffffff));\n fiat_p256_mulx_u32(&x448, &x449, x426, UINT32_C(0xffffffff));\n fiat_p256_mulx_u32(&x450, &x451, x426, UINT32_C(0xffffffff));\n fiat_p256_addcarryx_u32(&x452, &x453, 0x0, x451, x448);\n fiat_p256_addcarryx_u32(&x454, &x455, x453, x449, x446);\n x456 = (x455 + x447);\n fiat_p256_addcarryx_u32(&x457, &x458, 0x0, x426, x450);\n fiat_p256_addcarryx_u32(&x459, &x460, x458, x428, x452);\n fiat_p256_addcarryx_u32(&x461, &x462, x460, x430, x454);\n fiat_p256_addcarryx_u32(&x463, &x464, x462, x432, x456);\n fiat_p256_addcarryx_u32(&x465, &x466, x464, x434, 0x0);\n fiat_p256_addcarryx_u32(&x467, &x468, x466, x436, 0x0);\n fiat_p256_addcarryx_u32(&x469, &x470, x468, x438, x426);\n fiat_p256_addcarryx_u32(&x471, &x472, x470, x440, x444);\n fiat_p256_addcarryx_u32(&x473, &x474, x472, x442, x445);\n x475 = ((uint32_t)x474 + x443);\n fiat_p256_mulx_u32(&x476, &x477, x6, (arg2[7]));\n fiat_p256_mulx_u32(&x478, &x479, x6, (arg2[6]));\n fiat_p256_mulx_u32(&x480, &x481, x6, (arg2[5]));\n fiat_p256_mulx_u32(&x482, &x483, x6, (arg2[4]));\n fiat_p256_mulx_u32(&x484, &x485, x6, (arg2[3]));\n fiat_p256_mulx_u32(&x486, &x487, x6, (arg2[2]));\n fiat_p256_mulx_u32(&x488, &x489, x6, (arg2[1]));\n fiat_p256_mulx_u32(&x490, &x491, x6, (arg2[0]));\n fiat_p256_addcarryx_u32(&x492, &x493, 0x0, x491, x488);\n fiat_p256_addcarryx_u32(&x494, &x495, x493, x489, x486);\n fiat_p256_addcarryx_u32(&x496, &x497, x495, x487, x484);\n fiat_p256_addcarryx_u32(&x498, &x499, x497, x485, x482);\n fiat_p256_addcarryx_u32(&x500, &x501, x499, x483, x480);\n fiat_p256_addcarryx_u32(&x502, &x503, x501, x481, x478);\n fiat_p256_addcarryx_u32(&x504, &x505, x503, x479, x476);\n x506 = (x505 + x477);\n fiat_p256_addcarryx_u32(&x507, &x508, 0x0, x459, x490);\n fiat_p256_addcarryx_u32(&x509, &x510, x508, x461, x492);\n fiat_p256_addcarryx_u32(&x511, &x512, x510, x463, x494);\n fiat_p256_addcarryx_u32(&x513, &x514, x512, x465, x496);\n fiat_p256_addcarryx_u32(&x515, &x516, x514, x467, x498);\n fiat_p256_addcarryx_u32(&x517, &x518, x516, x469, x500);\n fiat_p256_addcarryx_u32(&x519, &x520, x518, x471, x502);\n fiat_p256_addcarryx_u32(&x521, &x522, x520, x473, x504);\n fiat_p256_addcarryx_u32(&x523, &x524, x522, x475, x506);\n fiat_p256_mulx_u32(&x525, &x526, x507, UINT32_C(0xffffffff));\n fiat_p256_mulx_u32(&x527, &x528, x507, UINT32_C(0xffffffff));\n fiat_p256_mulx_u32(&x529, &x530, x507, UINT32_C(0xffffffff));\n fiat_p256_mulx_u32(&x531, &x532, x507, UINT32_C(0xffffffff));\n fiat_p256_addcarryx_u32(&x533, &x534, 0x0, x532, x529);\n fiat_p256_addcarryx_u32(&x535, &x536, x534, x530, x527);\n x537 = (x536 + x528);\n fiat_p256_addcarryx_u32(&x538, &x539, 0x0, x507, x531);\n fiat_p256_addcarryx_u32(&x540, &x541, x539, x509, x533);\n fiat_p256_addcarryx_u32(&x542, &x543, x541, x511, x535);\n fiat_p256_addcarryx_u32(&x544, &x545, x543, x513, x537);\n fiat_p256_addcarryx_u32(&x546, &x547, x545, x515, 0x0);\n fiat_p256_addcarryx_u32(&x548, &x549, x547, x517, 0x0);\n fiat_p256_addcarryx_u32(&x550, &x551, x549, x519, x507);\n fiat_p256_addcarryx_u32(&x552, &x553, x551, x521, x525);\n fiat_p256_addcarryx_u32(&x554, &x555, x553, x523, x526);\n x556 = ((uint32_t)x555 + x524);\n fiat_p256_mulx_u32(&x557, &x558, x7, (arg2[7]));\n fiat_p256_mulx_u32(&x559, &x560, x7, (arg2[6]));\n fiat_p256_mulx_u32(&x561, &x562, x7, (arg2[5]));\n fiat_p256_mulx_u32(&x563, &x564, x7, (arg2[4]));\n fiat_p256_mulx_u32(&x565, &x566, x7, (arg2[3]));\n fiat_p256_mulx_u32(&x567, &x568, x7, (arg2[2]));\n fiat_p256_mulx_u32(&x569, &x570, x7, (arg2[1]));\n fiat_p256_mulx_u32(&x571, &x572, x7, (arg2[0]));\n fiat_p256_addcarryx_u32(&x573, &x574, 0x0, x572, x569);\n fiat_p256_addcarryx_u32(&x575, &x576, x574, x570, x567);\n fiat_p256_addcarryx_u32(&x577, &x578, x576, x568, x565);\n fiat_p256_addcarryx_u32(&x579, &x580, x578, x566, x563);\n fiat_p256_addcarryx_u32(&x581, &x582, x580, x564, x561);\n fiat_p256_addcarryx_u32(&x583, &x584, x582, x562, x559);\n fiat_p256_addcarryx_u32(&x585, &x586, x584, x560, x557);\n x587 = (x586 + x558);\n fiat_p256_addcarryx_u32(&x588, &x589, 0x0, x540, x571);\n fiat_p256_addcarryx_u32(&x590, &x591, x589, x542, x573);\n fiat_p256_addcarryx_u32(&x592, &x593, x591, x544, x575);\n fiat_p256_addcarryx_u32(&x594, &x595, x593, x546, x577);\n fiat_p256_addcarryx_u32(&x596, &x597, x595, x548, x579);\n fiat_p256_addcarryx_u32(&x598, &x599, x597, x550, x581);\n fiat_p256_addcarryx_u32(&x600, &x601, x599, x552, x583);\n fiat_p256_addcarryx_u32(&x602, &x603, x601, x554, x585);\n fiat_p256_addcarryx_u32(&x604, &x605, x603, x556, x587);\n fiat_p256_mulx_u32(&x606, &x607, x588, UINT32_C(0xffffffff));\n fiat_p256_mulx_u32(&x608, &x609, x588, UINT32_C(0xffffffff));\n fiat_p256_mulx_u32(&x610, &x611, x588, UINT32_C(0xffffffff));\n fiat_p256_mulx_u32(&x612, &x613, x588, UINT32_C(0xffffffff));\n fiat_p256_addcarryx_u32(&x614, &x615, 0x0, x613, x610);\n fiat_p256_addcarryx_u32(&x616, &x617, x615, x611, x608);\n x618 = (x617 + x609);\n fiat_p256_addcarryx_u32(&x619, &x620, 0x0, x588, x612);\n fiat_p256_addcarryx_u32(&x621, &x622, x620, x590, x614);\n fiat_p256_addcarryx_u32(&x623, &x624, x622, x592, x616);\n fiat_p256_addcarryx_u32(&x625, &x626, x624, x594, x618);\n fiat_p256_addcarryx_u32(&x627, &x628, x626, x596, 0x0);\n fiat_p256_addcarryx_u32(&x629, &x630, x628, x598, 0x0);\n fiat_p256_addcarryx_u32(&x631, &x632, x630, x600, x588);\n fiat_p256_addcarryx_u32(&x633, &x634, x632, x602, x606);\n fiat_p256_addcarryx_u32(&x635, &x636, x634, x604, x607);\n x637 = ((uint32_t)x636 + x605);\n fiat_p256_subborrowx_u32(&x638, &x639, 0x0, x621, UINT32_C(0xffffffff));\n fiat_p256_subborrowx_u32(&x640, &x641, x639, x623, UINT32_C(0xffffffff));\n fiat_p256_subborrowx_u32(&x642, &x643, x641, x625, UINT32_C(0xffffffff));\n fiat_p256_subborrowx_u32(&x644, &x645, x643, x627, 0x0);\n fiat_p256_subborrowx_u32(&x646, &x647, x645, x629, 0x0);\n fiat_p256_subborrowx_u32(&x648, &x649, x647, x631, 0x0);\n fiat_p256_subborrowx_u32(&x650, &x651, x649, x633, 0x1);\n fiat_p256_subborrowx_u32(&x652, &x653, x651, x635, UINT32_C(0xffffffff));\n fiat_p256_subborrowx_u32(&x654, &x655, x653, x637, 0x0);\n fiat_p256_cmovznz_u32(&x656, x655, x638, x621);\n fiat_p256_cmovznz_u32(&x657, x655, x640, x623);\n fiat_p256_cmovznz_u32(&x658, x655, x642, x625);\n fiat_p256_cmovznz_u32(&x659, x655, x644, x627);\n fiat_p256_cmovznz_u32(&x660, x655, x646, x629);\n fiat_p256_cmovznz_u32(&x661, x655, x648, x631);\n fiat_p256_cmovznz_u32(&x662, x655, x650, x633);\n fiat_p256_cmovznz_u32(&x663, x655, x652, x635);\n out1[0] = x656;\n out1[1] = x657;\n out1[2] = x658;\n out1[3] = x659;\n out1[4] = x660;\n out1[5] = x661;\n out1[6] = x662;\n out1[7] = x663;\n}\n\n/*\n * The function fiat_p256_square squares a field element in the Montgomery domain.\n *\n * Preconditions:\n * 0 ≤ eval arg1 < m\n * Postconditions:\n * eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) * eval (from_montgomery arg1)) mod m\n * 0 ≤ eval out1 < m\n *\n */\nstatic FIAT_P256_FIAT_INLINE void fiat_p256_square(fiat_p256_montgomery_domain_field_element out1, const fiat_p256_montgomery_domain_field_element arg1) {\n uint32_t x1;\n uint32_t x2;\n uint32_t x3;\n uint32_t x4;\n uint32_t x5;\n uint32_t x6;\n uint32_t x7;\n uint32_t x8;\n uint32_t x9;\n uint32_t x10;\n uint32_t x11;\n uint32_t x12;\n uint32_t x13;\n uint32_t x14;\n uint32_t x15;\n uint32_t x16;\n uint32_t x17;\n uint32_t x18;\n uint32_t x19;\n uint32_t x20;\n uint32_t x21;\n uint32_t x22;\n uint32_t x23;\n uint32_t x24;\n uint32_t x25;\n fiat_p256_uint1 x26;\n uint32_t x27;\n fiat_p256_uint1 x28;\n uint32_t x29;\n fiat_p256_uint1 x30;\n uint32_t x31;\n fiat_p256_uint1 x32;\n uint32_t x33;\n fiat_p256_uint1 x34;\n uint32_t x35;\n fiat_p256_uint1 x36;\n uint32_t x37;\n fiat_p256_uint1 x38;\n uint32_t x39;\n uint32_t x40;\n uint32_t x41;\n uint32_t x42;\n uint32_t x43;\n uint32_t x44;\n uint32_t x45;\n uint32_t x46;\n uint32_t x47;\n uint32_t x48;\n fiat_p256_uint1 x49;\n uint32_t x50;\n fiat_p256_uint1 x51;\n uint32_t x52;\n uint32_t x53;\n fiat_p256_uint1 x54;\n uint32_t x55;\n fiat_p256_uint1 x56;\n uint32_t x57;\n fiat_p256_uint1 x58;\n uint32_t x59;\n fiat_p256_uint1 x60;\n uint32_t x61;\n fiat_p256_uint1 x62;\n uint32_t x63;\n fiat_p256_uint1 x64;\n uint32_t x65;\n fiat_p256_uint1 x66;\n uint32_t x67;\n fiat_p256_uint1 x68;\n uint32_t x69;\n fiat_p256_uint1 x70;\n uint32_t x71;\n uint32_t x72;\n uint32_t x73;\n uint32_t x74;\n uint32_t x75;\n uint32_t x76;\n uint32_t x77;\n uint32_t x78;\n uint32_t x79;\n uint32_t x80;\n uint32_t x81;\n uint32_t x82;\n uint32_t x83;\n uint32_t x84;\n uint32_t x85;\n uint32_t x86;\n uint32_t x87;\n fiat_p256_uint1 x88;\n uint32_t x89;\n fiat_p256_uint1 x90;\n uint32_t x91;\n fiat_p256_uint1 x92;\n uint32_t x93;\n fiat_p256_uint1 x94;\n uint32_t x95;\n fiat_p256_uint1 x96;\n uint32_t x97;\n fiat_p256_uint1 x98;\n uint32_t x99;\n fiat_p256_uint1 x100;\n uint32_t x101;\n uint32_t x102;\n fiat_p256_uint1 x103;\n uint32_t x104;\n fiat_p256_uint1 x105;\n uint32_t x106;\n fiat_p256_uint1 x107;\n uint32_t x108;\n fiat_p256_uint1 x109;\n uint32_t x110;\n fiat_p256_uint1 x111;\n uint32_t x112;\n fiat_p256_uint1 x113;\n uint32_t x114;\n fiat_p256_uint1 x115;\n uint32_t x116;\n fiat_p256_uint1 x117;\n uint32_t x118;\n fiat_p256_uint1 x119;\n uint32_t x120;\n uint32_t x121;\n uint32_t x122;\n uint32_t x123;\n uint32_t x124;\n uint32_t x125;\n uint32_t x126;\n uint32_t x127;\n uint32_t x128;\n fiat_p256_uint1 x129;\n uint32_t x130;\n fiat_p256_uint1 x131;\n uint32_t x132;\n uint32_t x133;\n fiat_p256_uint1 x134;\n uint32_t x135;\n fiat_p256_uint1 x136;\n uint32_t x137;\n fiat_p256_uint1 x138;\n uint32_t x139;\n fiat_p256_uint1 x140;\n uint32_t x141;\n fiat_p256_uint1 x142;\n uint32_t x143;\n fiat_p256_uint1 x144;\n uint32_t x145;\n fiat_p256_uint1 x146;\n uint32_t x147;\n fiat_p256_uint1 x148;\n uint32_t x149;\n fiat_p256_uint1 x150;\n uint32_t x151;\n uint32_t x152;\n uint32_t x153;\n uint32_t x154;\n uint32_t x155;\n uint32_t x156;\n uint32_t x157;\n uint32_t x158;\n uint32_t x159;\n uint32_t x160;\n uint32_t x161;\n uint32_t x162;\n uint32_t x163;\n uint32_t x164;\n uint32_t x165;\n uint32_t x166;\n uint32_t x167;\n uint32_t x168;\n fiat_p256_uint1 x169;\n uint32_t x170;\n fiat_p256_uint1 x171;\n uint32_t x172;\n fiat_p256_uint1 x173;\n uint32_t x174;\n fiat_p256_uint1 x175;\n uint32_t x176;\n fiat_p256_uint1 x177;\n uint32_t x178;\n fiat_p256_uint1 x179;\n uint32_t x180;\n fiat_p256_uint1 x181;\n uint32_t x182;\n uint32_t x183;\n fiat_p256_uint1 x184;\n uint32_t x185;\n fiat_p256_uint1 x186;\n uint32_t x187;\n fiat_p256_uint1 x188;\n uint32_t x189;\n fiat_p256_uint1 x190;\n uint32_t x191;\n fiat_p256_uint1 x192;\n uint32_t x193;\n fiat_p256_uint1 x194;\n uint32_t x195;\n fiat_p256_uint1 x196;\n uint32_t x197;\n fiat_p256_uint1 x198;\n uint32_t x199;\n fiat_p256_uint1 x200;\n uint32_t x201;\n uint32_t x202;\n uint32_t x203;\n uint32_t x204;\n uint32_t x205;\n uint32_t x206;\n uint32_t x207;\n uint32_t x208;\n uint32_t x209;\n fiat_p256_uint1 x210;\n uint32_t x211;\n fiat_p256_uint1 x212;\n uint32_t x213;\n uint32_t x214;\n fiat_p256_uint1 x215;\n uint32_t x216;\n fiat_p256_uint1 x217;\n uint32_t x218;\n fiat_p256_uint1 x219;\n uint32_t x220;\n fiat_p256_uint1 x221;\n uint32_t x222;\n fiat_p256_uint1 x223;\n uint32_t x224;\n fiat_p256_uint1 x225;\n uint32_t x226;\n fiat_p256_uint1 x227;\n uint32_t x228;\n fiat_p256_uint1 x229;\n uint32_t x230;\n fiat_p256_uint1 x231;\n uint32_t x232;\n uint32_t x233;\n uint32_t x234;\n uint32_t x235;\n uint32_t x236;\n uint32_t x237;\n uint32_t x238;\n uint32_t x239;\n uint32_t x240;\n uint32_t x241;\n uint32_t x242;\n uint32_t x243;\n uint32_t x244;\n uint32_t x245;\n uint32_t x246;\n uint32_t x247;\n uint32_t x248;\n uint32_t x249;\n fiat_p256_uint1 x250;\n uint32_t x251;\n fiat_p256_uint1 x252;\n uint32_t x253;\n fiat_p256_uint1 x254;\n uint32_t x255;\n fiat_p256_uint1 x256;\n uint32_t x257;\n fiat_p256_uint1 x258;\n uint32_t x259;\n fiat_p256_uint1 x260;\n uint32_t x261;\n fiat_p256_uint1 x262;\n uint32_t x263;\n uint32_t x264;\n fiat_p256_uint1 x265;\n uint32_t x266;\n fiat_p256_uint1 x267;\n uint32_t x268;\n fiat_p256_uint1 x269;\n uint32_t x270;\n fiat_p256_uint1 x271;\n uint32_t x272;\n fiat_p256_uint1 x273;\n uint32_t x274;\n fiat_p256_uint1 x275;\n uint32_t x276;\n fiat_p256_uint1 x277;\n uint32_t x278;\n fiat_p256_uint1 x279;\n uint32_t x280;\n fiat_p256_uint1 x281;\n uint32_t x282;\n uint32_t x283;\n uint32_t x284;\n uint32_t x285;\n uint32_t x286;\n uint32_t x287;\n uint32_t x288;\n uint32_t x289;\n uint32_t x290;\n fiat_p256_uint1 x291;\n uint32_t x292;\n fiat_p256_uint1 x293;\n uint32_t x294;\n uint32_t x295;\n fiat_p256_uint1 x296;\n uint32_t x297;\n fiat_p256_uint1 x298;\n uint32_t x299;\n fiat_p256_uint1 x300;\n uint32_t x301;\n fiat_p256_uint1 x302;\n uint32_t x303;\n fiat_p256_uint1 x304;\n uint32_t x305;\n fiat_p256_uint1 x306;\n uint32_t x307;\n fiat_p256_uint1 x308;\n uint32_t x309;\n fiat_p256_uint1 x310;\n uint32_t x311;\n fiat_p256_uint1 x312;\n uint32_t x313;\n uint32_t x314;\n uint32_t x315;\n uint32_t x316;\n uint32_t x317;\n uint32_t x318;\n uint32_t x319;\n uint32_t x320;\n uint32_t x321;\n uint32_t x322;\n uint32_t x323;\n uint32_t x324;\n uint32_t x325;\n uint32_t x326;\n uint32_t x327;\n uint32_t x328;\n uint32_t x329;\n uint32_t x330;\n fiat_p256_uint1 x331;\n uint32_t x332;\n fiat_p256_uint1 x333;\n uint32_t x334;\n fiat_p256_uint1 x335;\n uint32_t x336;\n fiat_p256_uint1 x337;\n uint32_t x338;\n fiat_p256_uint1 x339;\n uint32_t x340;\n fiat_p256_uint1 x341;\n uint32_t x342;\n fiat_p256_uint1 x343;\n uint32_t x344;\n uint32_t x345;\n fiat_p256_uint1 x346;\n uint32_t x347;\n fiat_p256_uint1 x348;\n uint32_t x349;\n fiat_p256_uint1 x350;\n uint32_t x351;\n fiat_p256_uint1 x352;\n uint32_t x353;\n fiat_p256_uint1 x354;\n uint32_t x355;\n fiat_p256_uint1 x356;\n uint32_t x357;\n fiat_p256_uint1 x358;\n uint32_t x359;\n fiat_p256_uint1 x360;\n uint32_t x361;\n fiat_p256_uint1 x362;\n uint32_t x363;\n uint32_t x364;\n uint32_t x365;\n uint32_t x366;\n uint32_t x367;\n uint32_t x368;\n uint32_t x369;\n uint32_t x370;\n uint32_t x371;\n fiat_p256_uint1 x372;\n uint32_t x373;\n fiat_p256_uint1 x374;\n uint32_t x375;\n uint32_t x376;\n fiat_p256_uint1 x377;\n uint32_t x378;\n fiat_p256_uint1 x379;\n uint32_t x380;\n fiat_p256_uint1 x381;\n uint32_t x382;\n fiat_p256_uint1 x383;\n uint32_t x384;\n fiat_p256_uint1 x385;\n uint32_t x386;\n fiat_p256_uint1 x387;\n uint32_t x388;\n fiat_p256_uint1 x389;\n uint32_t x390;\n fiat_p256_uint1 x391;\n uint32_t x392;\n fiat_p256_uint1 x393;\n uint32_t x394;\n uint32_t x395;\n uint32_t x396;\n uint32_t x397;\n uint32_t x398;\n uint32_t x399;\n uint32_t x400;\n uint32_t x401;\n uint32_t x402;\n uint32_t x403;\n uint32_t x404;\n uint32_t x405;\n uint32_t x406;\n uint32_t x407;\n uint32_t x408;\n uint32_t x409;\n uint32_t x410;\n uint32_t x411;\n fiat_p256_uint1 x412;\n uint32_t x413;\n fiat_p256_uint1 x414;\n uint32_t x415;\n fiat_p256_uint1 x416;\n uint32_t x417;\n fiat_p256_uint1 x418;\n uint32_t x419;\n fiat_p256_uint1 x420;\n uint32_t x421;\n fiat_p256_uint1 x422;\n uint32_t x423;\n fiat_p256_uint1 x424;\n uint32_t x425;\n uint32_t x426;\n fiat_p256_uint1 x427;\n uint32_t x428;\n fiat_p256_uint1 x429;\n uint32_t x430;\n fiat_p256_uint1 x431;\n uint32_t x432;\n fiat_p256_uint1 x433;\n uint32_t x434;\n fiat_p256_uint1 x435;\n uint32_t x436;\n fiat_p256_uint1 x437;\n uint32_t x438;\n fiat_p256_uint1 x439;\n uint32_t x440;\n fiat_p256_uint1 x441;\n uint32_t x442;\n fiat_p256_uint1 x443;\n uint32_t x444;\n uint32_t x445;\n uint32_t x446;\n uint32_t x447;\n uint32_t x448;\n uint32_t x449;\n uint32_t x450;\n uint32_t x451;\n uint32_t x452;\n fiat_p256_uint1 x453;\n uint32_t x454;\n fiat_p256_uint1 x455;\n uint32_t x456;\n uint32_t x457;\n fiat_p256_uint1 x458;\n uint32_t x459;\n fiat_p256_uint1 x460;\n uint32_t x461;\n fiat_p256_uint1 x462;\n uint32_t x463;\n fiat_p256_uint1 x464;\n uint32_t x465;\n fiat_p256_uint1 x466;\n uint32_t x467;\n fiat_p256_uint1 x468;\n uint32_t x469;\n fiat_p256_uint1 x470;\n uint32_t x471;\n fiat_p256_uint1 x472;\n uint32_t x473;\n fiat_p256_uint1 x474;\n uint32_t x475;\n uint32_t x476;\n uint32_t x477;\n uint32_t x478;\n uint32_t x479;\n uint32_t x480;\n uint32_t x481;\n uint32_t x482;\n uint32_t x483;\n uint32_t x484;\n uint32_t x485;\n uint32_t x486;\n uint32_t x487;\n uint32_t x488;\n uint32_t x489;\n uint32_t x490;\n uint32_t x491;\n uint32_t x492;\n fiat_p256_uint1 x493;\n uint32_t x494;\n fiat_p256_uint1 x495;\n uint32_t x496;\n fiat_p256_uint1 x497;\n uint32_t x498;\n fiat_p256_uint1 x499;\n uint32_t x500;\n fiat_p256_uint1 x501;\n uint32_t x502;\n fiat_p256_uint1 x503;\n uint32_t x504;\n fiat_p256_uint1 x505;\n uint32_t x506;\n uint32_t x507;\n fiat_p256_uint1 x508;\n uint32_t x509;\n fiat_p256_uint1 x510;\n uint32_t x511;\n fiat_p256_uint1 x512;\n uint32_t x513;\n fiat_p256_uint1 x514;\n uint32_t x515;\n fiat_p256_uint1 x516;\n uint32_t x517;\n fiat_p256_uint1 x518;\n uint32_t x519;\n fiat_p256_uint1 x520;\n uint32_t x521;\n fiat_p256_uint1 x522;\n uint32_t x523;\n fiat_p256_uint1 x524;\n uint32_t x525;\n uint32_t x526;\n uint32_t x527;\n uint32_t x528;\n uint32_t x529;\n uint32_t x530;\n uint32_t x531;\n uint32_t x532;\n uint32_t x533;\n fiat_p256_uint1 x534;\n uint32_t x535;\n fiat_p256_uint1 x536;\n uint32_t x537;\n uint32_t x538;\n fiat_p256_uint1 x539;\n uint32_t x540;\n fiat_p256_uint1 x541;\n uint32_t x542;\n fiat_p256_uint1 x543;\n uint32_t x544;\n fiat_p256_uint1 x545;\n uint32_t x546;\n fiat_p256_uint1 x547;\n uint32_t x548;\n fiat_p256_uint1 x549;\n uint32_t x550;\n fiat_p256_uint1 x551;\n uint32_t x552;\n fiat_p256_uint1 x553;\n uint32_t x554;\n fiat_p256_uint1 x555;\n uint32_t x556;\n uint32_t x557;\n uint32_t x558;\n uint32_t x559;\n uint32_t x560;\n uint32_t x561;\n uint32_t x562;\n uint32_t x563;\n uint32_t x564;\n uint32_t x565;\n uint32_t x566;\n uint32_t x567;\n uint32_t x568;\n uint32_t x569;\n uint32_t x570;\n uint32_t x571;\n uint32_t x572;\n uint32_t x573;\n fiat_p256_uint1 x574;\n uint32_t x575;\n fiat_p256_uint1 x576;\n uint32_t x577;\n fiat_p256_uint1 x578;\n uint32_t x579;\n fiat_p256_uint1 x580;\n uint32_t x581;\n fiat_p256_uint1 x582;\n uint32_t x583;\n fiat_p256_uint1 x584;\n uint32_t x585;\n fiat_p256_uint1 x586;\n uint32_t x587;\n uint32_t x588;\n fiat_p256_uint1 x589;\n uint32_t x590;\n fiat_p256_uint1 x591;\n uint32_t x592;\n fiat_p256_uint1 x593;\n uint32_t x594;\n fiat_p256_uint1 x595;\n uint32_t x596;\n fiat_p256_uint1 x597;\n uint32_t x598;\n fiat_p256_uint1 x599;\n uint32_t x600;\n fiat_p256_uint1 x601;\n uint32_t x602;\n fiat_p256_uint1 x603;\n uint32_t x604;\n fiat_p256_uint1 x605;\n uint32_t x606;\n uint32_t x607;\n uint32_t x608;\n uint32_t x609;\n uint32_t x610;\n uint32_t x611;\n uint32_t x612;\n uint32_t x613;\n uint32_t x614;\n fiat_p256_uint1 x615;\n uint32_t x616;\n fiat_p256_uint1 x617;\n uint32_t x618;\n uint32_t x619;\n fiat_p256_uint1 x620;\n uint32_t x621;\n fiat_p256_uint1 x622;\n uint32_t x623;\n fiat_p256_uint1 x624;\n uint32_t x625;\n fiat_p256_uint1 x626;\n uint32_t x627;\n fiat_p256_uint1 x628;\n uint32_t x629;\n fiat_p256_uint1 x630;\n uint32_t x631;\n fiat_p256_uint1 x632;\n uint32_t x633;\n fiat_p256_uint1 x634;\n uint32_t x635;\n fiat_p256_uint1 x636;\n uint32_t x637;\n uint32_t x638;\n fiat_p256_uint1 x639;\n uint32_t x640;\n fiat_p256_uint1 x641;\n uint32_t x642;\n fiat_p256_uint1 x643;\n uint32_t x644;\n fiat_p256_uint1 x645;\n uint32_t x646;\n fiat_p256_uint1 x647;\n uint32_t x648;\n fiat_p256_uint1 x649;\n uint32_t x650;\n fiat_p256_uint1 x651;\n uint32_t x652;\n fiat_p256_uint1 x653;\n uint32_t x654;\n fiat_p256_uint1 x655;\n uint32_t x656;\n uint32_t x657;\n uint32_t x658;\n uint32_t x659;\n uint32_t x660;\n uint32_t x661;\n uint32_t x662;\n uint32_t x663;\n x1 = (arg1[1]);\n x2 = (arg1[2]);\n x3 = (arg1[3]);\n x4 = (arg1[4]);\n x5 = (arg1[5]);\n x6 = (arg1[6]);\n x7 = (arg1[7]);\n x8 = (arg1[0]);\n fiat_p256_mulx_u32(&x9, &x10, x8, (arg1[7]));\n fiat_p256_mulx_u32(&x11, &x12, x8, (arg1[6]));\n fiat_p256_mulx_u32(&x13, &x14, x8, (arg1[5]));\n fiat_p256_mulx_u32(&x15, &x16, x8, (arg1[4]));\n fiat_p256_mulx_u32(&x17, &x18, x8, (arg1[3]));\n fiat_p256_mulx_u32(&x19, &x20, x8, (arg1[2]));\n fiat_p256_mulx_u32(&x21, &x22, x8, (arg1[1]));\n fiat_p256_mulx_u32(&x23, &x24, x8, (arg1[0]));\n fiat_p256_addcarryx_u32(&x25, &x26, 0x0, x24, x21);\n fiat_p256_addcarryx_u32(&x27, &x28, x26, x22, x19);\n fiat_p256_addcarryx_u32(&x29, &x30, x28, x20, x17);\n fiat_p256_addcarryx_u32(&x31, &x32, x30, x18, x15);\n fiat_p256_addcarryx_u32(&x33, &x34, x32, x16, x13);\n fiat_p256_addcarryx_u32(&x35, &x36, x34, x14, x11);\n fiat_p256_addcarryx_u32(&x37, &x38, x36, x12, x9);\n x39 = (x38 + x10);\n fiat_p256_mulx_u32(&x40, &x41, x23, UINT32_C(0xffffffff));\n fiat_p256_mulx_u32(&x42, &x43, x23, UINT32_C(0xffffffff));\n fiat_p256_mulx_u32(&x44, &x45, x23, UINT32_C(0xffffffff));\n fiat_p256_mulx_u32(&x46, &x47, x23, UINT32_C(0xffffffff));\n fiat_p256_addcarryx_u32(&x48, &x49, 0x0, x47, x44);\n fiat_p256_addcarryx_u32(&x50, &x51, x49, x45, x42);\n x52 = (x51 + x43);\n fiat_p256_addcarryx_u32(&x53, &x54, 0x0, x23, x46);\n fiat_p256_addcarryx_u32(&x55, &x56, x54, x25, x48);\n fiat_p256_addcarryx_u32(&x57, &x58, x56, x27, x50);\n fiat_p256_addcarryx_u32(&x59, &x60, x58, x29, x52);\n fiat_p256_addcarryx_u32(&x61, &x62, x60, x31, 0x0);\n fiat_p256_addcarryx_u32(&x63, &x64, x62, x33, 0x0);\n fiat_p256_addcarryx_u32(&x65, &x66, x64, x35, x23);\n fiat_p256_addcarryx_u32(&x67, &x68, x66, x37, x40);\n fiat_p256_addcarryx_u32(&x69, &x70, x68, x39, x41);\n fiat_p256_mulx_u32(&x71, &x72, x1, (arg1[7]));\n fiat_p256_mulx_u32(&x73, &x74, x1, (arg1[6]));\n fiat_p256_mulx_u32(&x75, &x76, x1, (arg1[5]));\n fiat_p256_mulx_u32(&x77, &x78, x1, (arg1[4]));\n fiat_p256_mulx_u32(&x79, &x80, x1, (arg1[3]));\n fiat_p256_mulx_u32(&x81, &x82, x1, (arg1[2]));\n fiat_p256_mulx_u32(&x83, &x84, x1, (arg1[1]));\n fiat_p256_mulx_u32(&x85, &x86, x1, (arg1[0]));\n fiat_p256_addcarryx_u32(&x87, &x88, 0x0, x86, x83);\n fiat_p256_addcarryx_u32(&x89, &x90, x88, x84, x81);\n fiat_p256_addcarryx_u32(&x91, &x92, x90, x82, x79);\n fiat_p256_addcarryx_u32(&x93, &x94, x92, x80, x77);\n fiat_p256_addcarryx_u32(&x95, &x96, x94, x78, x75);\n fiat_p256_addcarryx_u32(&x97, &x98, x96, x76, x73);\n fiat_p256_addcarryx_u32(&x99, &x100, x98, x74, x71);\n x101 = (x100 + x72);\n fiat_p256_addcarryx_u32(&x102, &x103, 0x0, x55, x85);\n fiat_p256_addcarryx_u32(&x104, &x105, x103, x57, x87);\n fiat_p256_addcarryx_u32(&x106, &x107, x105, x59, x89);\n fiat_p256_addcarryx_u32(&x108, &x109, x107, x61, x91);\n fiat_p256_addcarryx_u32(&x110, &x111, x109, x63, x93);\n fiat_p256_addcarryx_u32(&x112, &x113, x111, x65, x95);\n fiat_p256_addcarryx_u32(&x114, &x115, x113, x67, x97);\n fiat_p256_addcarryx_u32(&x116, &x117, x115, x69, x99);\n fiat_p256_addcarryx_u32(&x118, &x119, x117, x70, x101);\n fiat_p256_mulx_u32(&x120, &x121, x102, UINT32_C(0xffffffff));\n fiat_p256_mulx_u32(&x122, &x123, x102, UINT32_C(0xffffffff));\n fiat_p256_mulx_u32(&x124, &x125, x102, UINT32_C(0xffffffff));\n fiat_p256_mulx_u32(&x126, &x127, x102, UINT32_C(0xffffffff));\n fiat_p256_addcarryx_u32(&x128, &x129, 0x0, x127, x124);\n fiat_p256_addcarryx_u32(&x130, &x131, x129, x125, x122);\n x132 = (x131 + x123);\n fiat_p256_addcarryx_u32(&x133, &x134, 0x0, x102, x126);\n fiat_p256_addcarryx_u32(&x135, &x136, x134, x104, x128);\n fiat_p256_addcarryx_u32(&x137, &x138, x136, x106, x130);\n fiat_p256_addcarryx_u32(&x139, &x140, x138, x108, x132);\n fiat_p256_addcarryx_u32(&x141, &x142, x140, x110, 0x0);\n fiat_p256_addcarryx_u32(&x143, &x144, x142, x112, 0x0);\n fiat_p256_addcarryx_u32(&x145, &x146, x144, x114, x102);\n fiat_p256_addcarryx_u32(&x147, &x148, x146, x116, x120);\n fiat_p256_addcarryx_u32(&x149, &x150, x148, x118, x121);\n x151 = ((uint32_t)x150 + x119);\n fiat_p256_mulx_u32(&x152, &x153, x2, (arg1[7]));\n fiat_p256_mulx_u32(&x154, &x155, x2, (arg1[6]));\n fiat_p256_mulx_u32(&x156, &x157, x2, (arg1[5]));\n fiat_p256_mulx_u32(&x158, &x159, x2, (arg1[4]));\n fiat_p256_mulx_u32(&x160, &x161, x2, (arg1[3]));\n fiat_p256_mulx_u32(&x162, &x163, x2, (arg1[2]));\n fiat_p256_mulx_u32(&x164, &x165, x2, (arg1[1]));\n fiat_p256_mulx_u32(&x166, &x167, x2, (arg1[0]));\n fiat_p256_addcarryx_u32(&x168, &x169, 0x0, x167, x164);\n fiat_p256_addcarryx_u32(&x170, &x171, x169, x165, x162);\n fiat_p256_addcarryx_u32(&x172, &x173, x171, x163, x160);\n fiat_p256_addcarryx_u32(&x174, &x175, x173, x161, x158);\n fiat_p256_addcarryx_u32(&x176, &x177, x175, x159, x156);\n fiat_p256_addcarryx_u32(&x178, &x179, x177, x157, x154);\n fiat_p256_addcarryx_u32(&x180, &x181, x179, x155, x152);\n x182 = (x181 + x153);\n fiat_p256_addcarryx_u32(&x183, &x184, 0x0, x135, x166);\n fiat_p256_addcarryx_u32(&x185, &x186, x184, x137, x168);\n fiat_p256_addcarryx_u32(&x187, &x188, x186, x139, x170);\n fiat_p256_addcarryx_u32(&x189, &x190, x188, x141, x172);\n fiat_p256_addcarryx_u32(&x191, &x192, x190, x143, x174);\n fiat_p256_addcarryx_u32(&x193, &x194, x192, x145, x176);\n fiat_p256_addcarryx_u32(&x195, &x196, x194, x147, x178);\n fiat_p256_addcarryx_u32(&x197, &x198, x196, x149, x180);\n fiat_p256_addcarryx_u32(&x199, &x200, x198, x151, x182);\n fiat_p256_mulx_u32(&x201, &x202, x183, UINT32_C(0xffffffff));\n fiat_p256_mulx_u32(&x203, &x204, x183, UINT32_C(0xffffffff));\n fiat_p256_mulx_u32(&x205, &x206, x183, UINT32_C(0xffffffff));\n fiat_p256_mulx_u32(&x207, &x208, x183, UINT32_C(0xffffffff));\n fiat_p256_addcarryx_u32(&x209, &x210, 0x0, x208, x205);\n fiat_p256_addcarryx_u32(&x211, &x212, x210, x206, x203);\n x213 = (x212 + x204);\n fiat_p256_addcarryx_u32(&x214, &x215, 0x0, x183, x207);\n fiat_p256_addcarryx_u32(&x216, &x217, x215, x185, x209);\n fiat_p256_addcarryx_u32(&x218, &x219, x217, x187, x211);\n fiat_p256_addcarryx_u32(&x220, &x221, x219, x189, x213);\n fiat_p256_addcarryx_u32(&x222, &x223, x221, x191, 0x0);\n fiat_p256_addcarryx_u32(&x224, &x225, x223, x193, 0x0);\n fiat_p256_addcarryx_u32(&x226, &x227, x225, x195, x183);\n fiat_p256_addcarryx_u32(&x228, &x229, x227, x197, x201);\n fiat_p256_addcarryx_u32(&x230, &x231, x229, x199, x202);\n x232 = ((uint32_t)x231 + x200);\n fiat_p256_mulx_u32(&x233, &x234, x3, (arg1[7]));\n fiat_p256_mulx_u32(&x235, &x236, x3, (arg1[6]));\n fiat_p256_mulx_u32(&x237, &x238, x3, (arg1[5]));\n fiat_p256_mulx_u32(&x239, &x240, x3, (arg1[4]));\n fiat_p256_mulx_u32(&x241, &x242, x3, (arg1[3]));\n fiat_p256_mulx_u32(&x243, &x244, x3, (arg1[2]));\n fiat_p256_mulx_u32(&x245, &x246, x3, (arg1[1]));\n fiat_p256_mulx_u32(&x247, &x248, x3, (arg1[0]));\n fiat_p256_addcarryx_u32(&x249, &x250, 0x0, x248, x245);\n fiat_p256_addcarryx_u32(&x251, &x252, x250, x246, x243);\n fiat_p256_addcarryx_u32(&x253, &x254, x252, x244, x241);\n fiat_p256_addcarryx_u32(&x255, &x256, x254, x242, x239);\n fiat_p256_addcarryx_u32(&x257, &x258, x256, x240, x237);\n fiat_p256_addcarryx_u32(&x259, &x260, x258, x238, x235);\n fiat_p256_addcarryx_u32(&x261, &x262, x260, x236, x233);\n x263 = (x262 + x234);\n fiat_p256_addcarryx_u32(&x264, &x265, 0x0, x216, x247);\n fiat_p256_addcarryx_u32(&x266, &x267, x265, x218, x249);\n fiat_p256_addcarryx_u32(&x268, &x269, x267, x220, x251);\n fiat_p256_addcarryx_u32(&x270, &x271, x269, x222, x253);\n fiat_p256_addcarryx_u32(&x272, &x273, x271, x224, x255);\n fiat_p256_addcarryx_u32(&x274, &x275, x273, x226, x257);\n fiat_p256_addcarryx_u32(&x276, &x277, x275, x228, x259);\n fiat_p256_addcarryx_u32(&x278, &x279, x277, x230, x261);\n fiat_p256_addcarryx_u32(&x280, &x281, x279, x232, x263);\n fiat_p256_mulx_u32(&x282, &x283, x264, UINT32_C(0xffffffff));\n fiat_p256_mulx_u32(&x284, &x285, x264, UINT32_C(0xffffffff));\n fiat_p256_mulx_u32(&x286, &x287, x264, UINT32_C(0xffffffff));\n fiat_p256_mulx_u32(&x288, &x289, x264, UINT32_C(0xffffffff));\n fiat_p256_addcarryx_u32(&x290, &x291, 0x0, x289, x286);\n fiat_p256_addcarryx_u32(&x292, &x293, x291, x287, x284);\n x294 = (x293 + x285);\n fiat_p256_addcarryx_u32(&x295, &x296, 0x0, x264, x288);\n fiat_p256_addcarryx_u32(&x297, &x298, x296, x266, x290);\n fiat_p256_addcarryx_u32(&x299, &x300, x298, x268, x292);\n fiat_p256_addcarryx_u32(&x301, &x302, x300, x270, x294);\n fiat_p256_addcarryx_u32(&x303, &x304, x302, x272, 0x0);\n fiat_p256_addcarryx_u32(&x305, &x306, x304, x274, 0x0);\n fiat_p256_addcarryx_u32(&x307, &x308, x306, x276, x264);\n fiat_p256_addcarryx_u32(&x309, &x310, x308, x278, x282);\n fiat_p256_addcarryx_u32(&x311, &x312, x310, x280, x283);\n x313 = ((uint32_t)x312 + x281);\n fiat_p256_mulx_u32(&x314, &x315, x4, (arg1[7]));\n fiat_p256_mulx_u32(&x316, &x317, x4, (arg1[6]));\n fiat_p256_mulx_u32(&x318, &x319, x4, (arg1[5]));\n fiat_p256_mulx_u32(&x320, &x321, x4, (arg1[4]));\n fiat_p256_mulx_u32(&x322, &x323, x4, (arg1[3]));\n fiat_p256_mulx_u32(&x324, &x325, x4, (arg1[2]));\n fiat_p256_mulx_u32(&x326, &x327, x4, (arg1[1]));\n fiat_p256_mulx_u32(&x328, &x329, x4, (arg1[0]));\n fiat_p256_addcarryx_u32(&x330, &x331, 0x0, x329, x326);\n fiat_p256_addcarryx_u32(&x332, &x333, x331, x327, x324);\n fiat_p256_addcarryx_u32(&x334, &x335, x333, x325, x322);\n fiat_p256_addcarryx_u32(&x336, &x337, x335, x323, x320);\n fiat_p256_addcarryx_u32(&x338, &x339, x337, x321, x318);\n fiat_p256_addcarryx_u32(&x340, &x341, x339, x319, x316);\n fiat_p256_addcarryx_u32(&x342, &x343, x341, x317, x314);\n x344 = (x343 + x315);\n fiat_p256_addcarryx_u32(&x345, &x346, 0x0, x297, x328);\n fiat_p256_addcarryx_u32(&x347, &x348, x346, x299, x330);\n fiat_p256_addcarryx_u32(&x349, &x350, x348, x301, x332);\n fiat_p256_addcarryx_u32(&x351, &x352, x350, x303, x334);\n fiat_p256_addcarryx_u32(&x353, &x354, x352, x305, x336);\n fiat_p256_addcarryx_u32(&x355, &x356, x354, x307, x338);\n fiat_p256_addcarryx_u32(&x357, &x358, x356, x309, x340);\n fiat_p256_addcarryx_u32(&x359, &x360, x358, x311, x342);\n fiat_p256_addcarryx_u32(&x361, &x362, x360, x313, x344);\n fiat_p256_mulx_u32(&x363, &x364, x345, UINT32_C(0xffffffff));\n fiat_p256_mulx_u32(&x365, &x366, x345, UINT32_C(0xffffffff));\n fiat_p256_mulx_u32(&x367, &x368, x345, UINT32_C(0xffffffff));\n fiat_p256_mulx_u32(&x369, &x370, x345, UINT32_C(0xffffffff));\n fiat_p256_addcarryx_u32(&x371, &x372, 0x0, x370, x367);\n fiat_p256_addcarryx_u32(&x373, &x374, x372, x368, x365);\n x375 = (x374 + x366);\n fiat_p256_addcarryx_u32(&x376, &x377, 0x0, x345, x369);\n fiat_p256_addcarryx_u32(&x378, &x379, x377, x347, x371);\n fiat_p256_addcarryx_u32(&x380, &x381, x379, x349, x373);\n fiat_p256_addcarryx_u32(&x382, &x383, x381, x351, x375);\n fiat_p256_addcarryx_u32(&x384, &x385, x383, x353, 0x0);\n fiat_p256_addcarryx_u32(&x386, &x387, x385, x355, 0x0);\n fiat_p256_addcarryx_u32(&x388, &x389, x387, x357, x345);\n fiat_p256_addcarryx_u32(&x390, &x391, x389, x359, x363);\n fiat_p256_addcarryx_u32(&x392, &x393, x391, x361, x364);\n x394 = ((uint32_t)x393 + x362);\n fiat_p256_mulx_u32(&x395, &x396, x5, (arg1[7]));\n fiat_p256_mulx_u32(&x397, &x398, x5, (arg1[6]));\n fiat_p256_mulx_u32(&x399, &x400, x5, (arg1[5]));\n fiat_p256_mulx_u32(&x401, &x402, x5, (arg1[4]));\n fiat_p256_mulx_u32(&x403, &x404, x5, (arg1[3]));\n fiat_p256_mulx_u32(&x405, &x406, x5, (arg1[2]));\n fiat_p256_mulx_u32(&x407, &x408, x5, (arg1[1]));\n fiat_p256_mulx_u32(&x409, &x410, x5, (arg1[0]));\n fiat_p256_addcarryx_u32(&x411, &x412, 0x0, x410, x407);\n fiat_p256_addcarryx_u32(&x413, &x414, x412, x408, x405);\n fiat_p256_addcarryx_u32(&x415, &x416, x414, x406, x403);\n fiat_p256_addcarryx_u32(&x417, &x418, x416, x404, x401);\n fiat_p256_addcarryx_u32(&x419, &x420, x418, x402, x399);\n fiat_p256_addcarryx_u32(&x421, &x422, x420, x400, x397);\n fiat_p256_addcarryx_u32(&x423, &x424, x422, x398, x395);\n x425 = (x424 + x396);\n fiat_p256_addcarryx_u32(&x426, &x427, 0x0, x378, x409);\n fiat_p256_addcarryx_u32(&x428, &x429, x427, x380, x411);\n fiat_p256_addcarryx_u32(&x430, &x431, x429, x382, x413);\n fiat_p256_addcarryx_u32(&x432, &x433, x431, x384, x415);\n fiat_p256_addcarryx_u32(&x434, &x435, x433, x386, x417);\n fiat_p256_addcarryx_u32(&x436, &x437, x435, x388, x419);\n fiat_p256_addcarryx_u32(&x438, &x439, x437, x390, x421);\n fiat_p256_addcarryx_u32(&x440, &x441, x439, x392, x423);\n fiat_p256_addcarryx_u32(&x442, &x443, x441, x394, x425);\n fiat_p256_mulx_u32(&x444, &x445, x426, UINT32_C(0xffffffff));\n fiat_p256_mulx_u32(&x446, &x447, x426, UINT32_C(0xffffffff));\n fiat_p256_mulx_u32(&x448, &x449, x426, UINT32_C(0xffffffff));\n fiat_p256_mulx_u32(&x450, &x451, x426, UINT32_C(0xffffffff));\n fiat_p256_addcarryx_u32(&x452, &x453, 0x0, x451, x448);\n fiat_p256_addcarryx_u32(&x454, &x455, x453, x449, x446);\n x456 = (x455 + x447);\n fiat_p256_addcarryx_u32(&x457, &x458, 0x0, x426, x450);\n fiat_p256_addcarryx_u32(&x459, &x460, x458, x428, x452);\n fiat_p256_addcarryx_u32(&x461, &x462, x460, x430, x454);\n fiat_p256_addcarryx_u32(&x463, &x464, x462, x432, x456);\n fiat_p256_addcarryx_u32(&x465, &x466, x464, x434, 0x0);\n fiat_p256_addcarryx_u32(&x467, &x468, x466, x436, 0x0);\n fiat_p256_addcarryx_u32(&x469, &x470, x468, x438, x426);\n fiat_p256_addcarryx_u32(&x471, &x472, x470, x440, x444);\n fiat_p256_addcarryx_u32(&x473, &x474, x472, x442, x445);\n x475 = ((uint32_t)x474 + x443);\n fiat_p256_mulx_u32(&x476, &x477, x6, (arg1[7]));\n fiat_p256_mulx_u32(&x478, &x479, x6, (arg1[6]));\n fiat_p256_mulx_u32(&x480, &x481, x6, (arg1[5]));\n fiat_p256_mulx_u32(&x482, &x483, x6, (arg1[4]));\n fiat_p256_mulx_u32(&x484, &x485, x6, (arg1[3]));\n fiat_p256_mulx_u32(&x486, &x487, x6, (arg1[2]));\n fiat_p256_mulx_u32(&x488, &x489, x6, (arg1[1]));\n fiat_p256_mulx_u32(&x490, &x491, x6, (arg1[0]));\n fiat_p256_addcarryx_u32(&x492, &x493, 0x0, x491, x488);\n fiat_p256_addcarryx_u32(&x494, &x495, x493, x489, x486);\n fiat_p256_addcarryx_u32(&x496, &x497, x495, x487, x484);\n fiat_p256_addcarryx_u32(&x498, &x499, x497, x485, x482);\n fiat_p256_addcarryx_u32(&x500, &x501, x499, x483, x480);\n fiat_p256_addcarryx_u32(&x502, &x503, x501, x481, x478);\n fiat_p256_addcarryx_u32(&x504, &x505, x503, x479, x476);\n x506 = (x505 + x477);\n fiat_p256_addcarryx_u32(&x507, &x508, 0x0, x459, x490);\n fiat_p256_addcarryx_u32(&x509, &x510, x508, x461, x492);\n fiat_p256_addcarryx_u32(&x511, &x512, x510, x463, x494);\n fiat_p256_addcarryx_u32(&x513, &x514, x512, x465, x496);\n fiat_p256_addcarryx_u32(&x515, &x516, x514, x467, x498);\n fiat_p256_addcarryx_u32(&x517, &x518, x516, x469, x500);\n fiat_p256_addcarryx_u32(&x519, &x520, x518, x471, x502);\n fiat_p256_addcarryx_u32(&x521, &x522, x520, x473, x504);\n fiat_p256_addcarryx_u32(&x523, &x524, x522, x475, x506);\n fiat_p256_mulx_u32(&x525, &x526, x507, UINT32_C(0xffffffff));\n fiat_p256_mulx_u32(&x527, &x528, x507, UINT32_C(0xffffffff));\n fiat_p256_mulx_u32(&x529, &x530, x507, UINT32_C(0xffffffff));\n fiat_p256_mulx_u32(&x531, &x532, x507, UINT32_C(0xffffffff));\n fiat_p256_addcarryx_u32(&x533, &x534, 0x0, x532, x529);\n fiat_p256_addcarryx_u32(&x535, &x536, x534, x530, x527);\n x537 = (x536 + x528);\n fiat_p256_addcarryx_u32(&x538, &x539, 0x0, x507, x531);\n fiat_p256_addcarryx_u32(&x540, &x541, x539, x509, x533);\n fiat_p256_addcarryx_u32(&x542, &x543, x541, x511, x535);\n fiat_p256_addcarryx_u32(&x544, &x545, x543, x513, x537);\n fiat_p256_addcarryx_u32(&x546, &x547, x545, x515, 0x0);\n fiat_p256_addcarryx_u32(&x548, &x549, x547, x517, 0x0);\n fiat_p256_addcarryx_u32(&x550, &x551, x549, x519, x507);\n fiat_p256_addcarryx_u32(&x552, &x553, x551, x521, x525);\n fiat_p256_addcarryx_u32(&x554, &x555, x553, x523, x526);\n x556 = ((uint32_t)x555 + x524);\n fiat_p256_mulx_u32(&x557, &x558, x7, (arg1[7]));\n fiat_p256_mulx_u32(&x559, &x560, x7, (arg1[6]));\n fiat_p256_mulx_u32(&x561, &x562, x7, (arg1[5]));\n fiat_p256_mulx_u32(&x563, &x564, x7, (arg1[4]));\n fiat_p256_mulx_u32(&x565, &x566, x7, (arg1[3]));\n fiat_p256_mulx_u32(&x567, &x568, x7, (arg1[2]));\n fiat_p256_mulx_u32(&x569, &x570, x7, (arg1[1]));\n fiat_p256_mulx_u32(&x571, &x572, x7, (arg1[0]));\n fiat_p256_addcarryx_u32(&x573, &x574, 0x0, x572, x569);\n fiat_p256_addcarryx_u32(&x575, &x576, x574, x570, x567);\n fiat_p256_addcarryx_u32(&x577, &x578, x576, x568, x565);\n fiat_p256_addcarryx_u32(&x579, &x580, x578, x566, x563);\n fiat_p256_addcarryx_u32(&x581, &x582, x580, x564, x561);\n fiat_p256_addcarryx_u32(&x583, &x584, x582, x562, x559);\n fiat_p256_addcarryx_u32(&x585, &x586, x584, x560, x557);\n x587 = (x586 + x558);\n fiat_p256_addcarryx_u32(&x588, &x589, 0x0, x540, x571);\n fiat_p256_addcarryx_u32(&x590, &x591, x589, x542, x573);\n fiat_p256_addcarryx_u32(&x592, &x593, x591, x544, x575);\n fiat_p256_addcarryx_u32(&x594, &x595, x593, x546, x577);\n fiat_p256_addcarryx_u32(&x596, &x597, x595, x548, x579);\n fiat_p256_addcarryx_u32(&x598, &x599, x597, x550, x581);\n fiat_p256_addcarryx_u32(&x600, &x601, x599, x552, x583);\n fiat_p256_addcarryx_u32(&x602, &x603, x601, x554, x585);\n fiat_p256_addcarryx_u32(&x604, &x605, x603, x556, x587);\n fiat_p256_mulx_u32(&x606, &x607, x588, UINT32_C(0xffffffff));\n fiat_p256_mulx_u32(&x608, &x609, x588, UINT32_C(0xffffffff));\n fiat_p256_mulx_u32(&x610, &x611, x588, UINT32_C(0xffffffff));\n fiat_p256_mulx_u32(&x612, &x613, x588, UINT32_C(0xffffffff));\n fiat_p256_addcarryx_u32(&x614, &x615, 0x0, x613, x610);\n fiat_p256_addcarryx_u32(&x616, &x617, x615, x611, x608);\n x618 = (x617 + x609);\n fiat_p256_addcarryx_u32(&x619, &x620, 0x0, x588, x612);\n fiat_p256_addcarryx_u32(&x621, &x622, x620, x590, x614);\n fiat_p256_addcarryx_u32(&x623, &x624, x622, x592, x616);\n fiat_p256_addcarryx_u32(&x625, &x626, x624, x594, x618);\n fiat_p256_addcarryx_u32(&x627, &x628, x626, x596, 0x0);\n fiat_p256_addcarryx_u32(&x629, &x630, x628, x598, 0x0);\n fiat_p256_addcarryx_u32(&x631, &x632, x630, x600, x588);\n fiat_p256_addcarryx_u32(&x633, &x634, x632, x602, x606);\n fiat_p256_addcarryx_u32(&x635, &x636, x634, x604, x607);\n x637 = ((uint32_t)x636 + x605);\n fiat_p256_subborrowx_u32(&x638, &x639, 0x0, x621, UINT32_C(0xffffffff));\n fiat_p256_subborrowx_u32(&x640, &x641, x639, x623, UINT32_C(0xffffffff));\n fiat_p256_subborrowx_u32(&x642, &x643, x641, x625, UINT32_C(0xffffffff));\n fiat_p256_subborrowx_u32(&x644, &x645, x643, x627, 0x0);\n fiat_p256_subborrowx_u32(&x646, &x647, x645, x629, 0x0);\n fiat_p256_subborrowx_u32(&x648, &x649, x647, x631, 0x0);\n fiat_p256_subborrowx_u32(&x650, &x651, x649, x633, 0x1);\n fiat_p256_subborrowx_u32(&x652, &x653, x651, x635, UINT32_C(0xffffffff));\n fiat_p256_subborrowx_u32(&x654, &x655, x653, x637, 0x0);\n fiat_p256_cmovznz_u32(&x656, x655, x638, x621);\n fiat_p256_cmovznz_u32(&x657, x655, x640, x623);\n fiat_p256_cmovznz_u32(&x658, x655, x642, x625);\n fiat_p256_cmovznz_u32(&x659, x655, x644, x627);\n fiat_p256_cmovznz_u32(&x660, x655, x646, x629);\n fiat_p256_cmovznz_u32(&x661, x655, x648, x631);\n fiat_p256_cmovznz_u32(&x662, x655, x650, x633);\n fiat_p256_cmovznz_u32(&x663, x655, x652, x635);\n out1[0] = x656;\n out1[1] = x657;\n out1[2] = x658;\n out1[3] = x659;\n out1[4] = x660;\n out1[5] = x661;\n out1[6] = x662;\n out1[7] = x663;\n}\n\n/*\n * The function fiat_p256_add adds two field elements in the Montgomery domain.\n *\n * Preconditions:\n * 0 ≤ eval arg1 < m\n * 0 ≤ eval arg2 < m\n * Postconditions:\n * eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) + eval (from_montgomery arg2)) mod m\n * 0 ≤ eval out1 < m\n *\n */\nstatic FIAT_P256_FIAT_INLINE void fiat_p256_add(fiat_p256_montgomery_domain_field_element out1, const fiat_p256_montgomery_domain_field_element arg1, const fiat_p256_montgomery_domain_field_element arg2) {\n uint32_t x1;\n fiat_p256_uint1 x2;\n uint32_t x3;\n fiat_p256_uint1 x4;\n uint32_t x5;\n fiat_p256_uint1 x6;\n uint32_t x7;\n fiat_p256_uint1 x8;\n uint32_t x9;\n fiat_p256_uint1 x10;\n uint32_t x11;\n fiat_p256_uint1 x12;\n uint32_t x13;\n fiat_p256_uint1 x14;\n uint32_t x15;\n fiat_p256_uint1 x16;\n uint32_t x17;\n fiat_p256_uint1 x18;\n uint32_t x19;\n fiat_p256_uint1 x20;\n uint32_t x21;\n fiat_p256_uint1 x22;\n uint32_t x23;\n fiat_p256_uint1 x24;\n uint32_t x25;\n fiat_p256_uint1 x26;\n uint32_t x27;\n fiat_p256_uint1 x28;\n uint32_t x29;\n fiat_p256_uint1 x30;\n uint32_t x31;\n fiat_p256_uint1 x32;\n uint32_t x33;\n fiat_p256_uint1 x34;\n uint32_t x35;\n uint32_t x36;\n uint32_t x37;\n uint32_t x38;\n uint32_t x39;\n uint32_t x40;\n uint32_t x41;\n uint32_t x42;\n fiat_p256_addcarryx_u32(&x1, &x2, 0x0, (arg1[0]), (arg2[0]));\n fiat_p256_addcarryx_u32(&x3, &x4, x2, (arg1[1]), (arg2[1]));\n fiat_p256_addcarryx_u32(&x5, &x6, x4, (arg1[2]), (arg2[2]));\n fiat_p256_addcarryx_u32(&x7, &x8, x6, (arg1[3]), (arg2[3]));\n fiat_p256_addcarryx_u32(&x9, &x10, x8, (arg1[4]), (arg2[4]));\n fiat_p256_addcarryx_u32(&x11, &x12, x10, (arg1[5]), (arg2[5]));\n fiat_p256_addcarryx_u32(&x13, &x14, x12, (arg1[6]), (arg2[6]));\n fiat_p256_addcarryx_u32(&x15, &x16, x14, (arg1[7]), (arg2[7]));\n fiat_p256_subborrowx_u32(&x17, &x18, 0x0, x1, UINT32_C(0xffffffff));\n fiat_p256_subborrowx_u32(&x19, &x20, x18, x3, UINT32_C(0xffffffff));\n fiat_p256_subborrowx_u32(&x21, &x22, x20, x5, UINT32_C(0xffffffff));\n fiat_p256_subborrowx_u32(&x23, &x24, x22, x7, 0x0);\n fiat_p256_subborrowx_u32(&x25, &x26, x24, x9, 0x0);\n fiat_p256_subborrowx_u32(&x27, &x28, x26, x11, 0x0);\n fiat_p256_subborrowx_u32(&x29, &x30, x28, x13, 0x1);\n fiat_p256_subborrowx_u32(&x31, &x32, x30, x15, UINT32_C(0xffffffff));\n fiat_p256_subborrowx_u32(&x33, &x34, x32, x16, 0x0);\n fiat_p256_cmovznz_u32(&x35, x34, x17, x1);\n fiat_p256_cmovznz_u32(&x36, x34, x19, x3);\n fiat_p256_cmovznz_u32(&x37, x34, x21, x5);\n fiat_p256_cmovznz_u32(&x38, x34, x23, x7);\n fiat_p256_cmovznz_u32(&x39, x34, x25, x9);\n fiat_p256_cmovznz_u32(&x40, x34, x27, x11);\n fiat_p256_cmovznz_u32(&x41, x34, x29, x13);\n fiat_p256_cmovznz_u32(&x42, x34, x31, x15);\n out1[0] = x35;\n out1[1] = x36;\n out1[2] = x37;\n out1[3] = x38;\n out1[4] = x39;\n out1[5] = x40;\n out1[6] = x41;\n out1[7] = x42;\n}\n\n/*\n * The function fiat_p256_sub subtracts two field elements in the Montgomery domain.\n *\n * Preconditions:\n * 0 ≤ eval arg1 < m\n * 0 ≤ eval arg2 < m\n * Postconditions:\n * eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) - eval (from_montgomery arg2)) mod m\n * 0 ≤ eval out1 < m\n *\n */\nstatic FIAT_P256_FIAT_INLINE void fiat_p256_sub(fiat_p256_montgomery_domain_field_element out1, const fiat_p256_montgomery_domain_field_element arg1, const fiat_p256_montgomery_domain_field_element arg2) {\n uint32_t x1;\n fiat_p256_uint1 x2;\n uint32_t x3;\n fiat_p256_uint1 x4;\n uint32_t x5;\n fiat_p256_uint1 x6;\n uint32_t x7;\n fiat_p256_uint1 x8;\n uint32_t x9;\n fiat_p256_uint1 x10;\n uint32_t x11;\n fiat_p256_uint1 x12;\n uint32_t x13;\n fiat_p256_uint1 x14;\n uint32_t x15;\n fiat_p256_uint1 x16;\n uint32_t x17;\n uint32_t x18;\n fiat_p256_uint1 x19;\n uint32_t x20;\n fiat_p256_uint1 x21;\n uint32_t x22;\n fiat_p256_uint1 x23;\n uint32_t x24;\n fiat_p256_uint1 x25;\n uint32_t x26;\n fiat_p256_uint1 x27;\n uint32_t x28;\n fiat_p256_uint1 x29;\n uint32_t x30;\n fiat_p256_uint1 x31;\n uint32_t x32;\n fiat_p256_uint1 x33;\n fiat_p256_subborrowx_u32(&x1, &x2, 0x0, (arg1[0]), (arg2[0]));\n fiat_p256_subborrowx_u32(&x3, &x4, x2, (arg1[1]), (arg2[1]));\n fiat_p256_subborrowx_u32(&x5, &x6, x4, (arg1[2]), (arg2[2]));\n fiat_p256_subborrowx_u32(&x7, &x8, x6, (arg1[3]), (arg2[3]));\n fiat_p256_subborrowx_u32(&x9, &x10, x8, (arg1[4]), (arg2[4]));\n fiat_p256_subborrowx_u32(&x11, &x12, x10, (arg1[5]), (arg2[5]));\n fiat_p256_subborrowx_u32(&x13, &x14, x12, (arg1[6]), (arg2[6]));\n fiat_p256_subborrowx_u32(&x15, &x16, x14, (arg1[7]), (arg2[7]));\n fiat_p256_cmovznz_u32(&x17, x16, 0x0, UINT32_C(0xffffffff));\n fiat_p256_addcarryx_u32(&x18, &x19, 0x0, x1, x17);\n fiat_p256_addcarryx_u32(&x20, &x21, x19, x3, x17);\n fiat_p256_addcarryx_u32(&x22, &x23, x21, x5, x17);\n fiat_p256_addcarryx_u32(&x24, &x25, x23, x7, 0x0);\n fiat_p256_addcarryx_u32(&x26, &x27, x25, x9, 0x0);\n fiat_p256_addcarryx_u32(&x28, &x29, x27, x11, 0x0);\n fiat_p256_addcarryx_u32(&x30, &x31, x29, x13, (fiat_p256_uint1)(x17 & 0x1));\n fiat_p256_addcarryx_u32(&x32, &x33, x31, x15, x17);\n out1[0] = x18;\n out1[1] = x20;\n out1[2] = x22;\n out1[3] = x24;\n out1[4] = x26;\n out1[5] = x28;\n out1[6] = x30;\n out1[7] = x32;\n}\n\n/*\n * The function fiat_p256_opp negates a field element in the Montgomery domain.\n *\n * Preconditions:\n * 0 ≤ eval arg1 < m\n * Postconditions:\n * eval (from_montgomery out1) mod m = -eval (from_montgomery arg1) mod m\n * 0 ≤ eval out1 < m\n *\n */\nstatic FIAT_P256_FIAT_INLINE void fiat_p256_opp(fiat_p256_montgomery_domain_field_element out1, const fiat_p256_montgomery_domain_field_element arg1) {\n uint32_t x1;\n fiat_p256_uint1 x2;\n uint32_t x3;\n fiat_p256_uint1 x4;\n uint32_t x5;\n fiat_p256_uint1 x6;\n uint32_t x7;\n fiat_p256_uint1 x8;\n uint32_t x9;\n fiat_p256_uint1 x10;\n uint32_t x11;\n fiat_p256_uint1 x12;\n uint32_t x13;\n fiat_p256_uint1 x14;\n uint32_t x15;\n fiat_p256_uint1 x16;\n uint32_t x17;\n uint32_t x18;\n fiat_p256_uint1 x19;\n uint32_t x20;\n fiat_p256_uint1 x21;\n uint32_t x22;\n fiat_p256_uint1 x23;\n uint32_t x24;\n fiat_p256_uint1 x25;\n uint32_t x26;\n fiat_p256_uint1 x27;\n uint32_t x28;\n fiat_p256_uint1 x29;\n uint32_t x30;\n fiat_p256_uint1 x31;\n uint32_t x32;\n fiat_p256_uint1 x33;\n fiat_p256_subborrowx_u32(&x1, &x2, 0x0, 0x0, (arg1[0]));\n fiat_p256_subborrowx_u32(&x3, &x4, x2, 0x0, (arg1[1]));\n fiat_p256_subborrowx_u32(&x5, &x6, x4, 0x0, (arg1[2]));\n fiat_p256_subborrowx_u32(&x7, &x8, x6, 0x0, (arg1[3]));\n fiat_p256_subborrowx_u32(&x9, &x10, x8, 0x0, (arg1[4]));\n fiat_p256_subborrowx_u32(&x11, &x12, x10, 0x0, (arg1[5]));\n fiat_p256_subborrowx_u32(&x13, &x14, x12, 0x0, (arg1[6]));\n fiat_p256_subborrowx_u32(&x15, &x16, x14, 0x0, (arg1[7]));\n fiat_p256_cmovznz_u32(&x17, x16, 0x0, UINT32_C(0xffffffff));\n fiat_p256_addcarryx_u32(&x18, &x19, 0x0, x1, x17);\n fiat_p256_addcarryx_u32(&x20, &x21, x19, x3, x17);\n fiat_p256_addcarryx_u32(&x22, &x23, x21, x5, x17);\n fiat_p256_addcarryx_u32(&x24, &x25, x23, x7, 0x0);\n fiat_p256_addcarryx_u32(&x26, &x27, x25, x9, 0x0);\n fiat_p256_addcarryx_u32(&x28, &x29, x27, x11, 0x0);\n fiat_p256_addcarryx_u32(&x30, &x31, x29, x13, (fiat_p256_uint1)(x17 & 0x1));\n fiat_p256_addcarryx_u32(&x32, &x33, x31, x15, x17);\n out1[0] = x18;\n out1[1] = x20;\n out1[2] = x22;\n out1[3] = x24;\n out1[4] = x26;\n out1[5] = x28;\n out1[6] = x30;\n out1[7] = x32;\n}\n\n/*\n * The function fiat_p256_from_montgomery translates a field element out of the Montgomery domain.\n *\n * Preconditions:\n * 0 ≤ eval arg1 < m\n * Postconditions:\n * eval out1 mod m = (eval arg1 * ((2^32)⁻¹ mod m)^8) mod m\n * 0 ≤ eval out1 < m\n *\n */\nstatic FIAT_P256_FIAT_INLINE void fiat_p256_from_montgomery(fiat_p256_non_montgomery_domain_field_element out1, const fiat_p256_montgomery_domain_field_element arg1) {\n uint32_t x1;\n uint32_t x2;\n uint32_t x3;\n uint32_t x4;\n uint32_t x5;\n uint32_t x6;\n uint32_t x7;\n uint32_t x8;\n uint32_t x9;\n uint32_t x10;\n fiat_p256_uint1 x11;\n uint32_t x12;\n fiat_p256_uint1 x13;\n uint32_t x14;\n fiat_p256_uint1 x15;\n uint32_t x16;\n fiat_p256_uint1 x17;\n uint32_t x18;\n fiat_p256_uint1 x19;\n uint32_t x20;\n fiat_p256_uint1 x21;\n uint32_t x22;\n fiat_p256_uint1 x23;\n uint32_t x24;\n fiat_p256_uint1 x25;\n uint32_t x26;\n fiat_p256_uint1 x27;\n uint32_t x28;\n uint32_t x29;\n uint32_t x30;\n uint32_t x31;\n uint32_t x32;\n uint32_t x33;\n uint32_t x34;\n uint32_t x35;\n uint32_t x36;\n fiat_p256_uint1 x37;\n uint32_t x38;\n fiat_p256_uint1 x39;\n uint32_t x40;\n fiat_p256_uint1 x41;\n uint32_t x42;\n fiat_p256_uint1 x43;\n uint32_t x44;\n fiat_p256_uint1 x45;\n uint32_t x46;\n fiat_p256_uint1 x47;\n uint32_t x48;\n fiat_p256_uint1 x49;\n uint32_t x50;\n fiat_p256_uint1 x51;\n uint32_t x52;\n fiat_p256_uint1 x53;\n uint32_t x54;\n fiat_p256_uint1 x55;\n uint32_t x56;\n fiat_p256_uint1 x57;\n uint32_t x58;\n uint32_t x59;\n uint32_t x60;\n uint32_t x61;\n uint32_t x62;\n uint32_t x63;\n uint32_t x64;\n uint32_t x65;\n uint32_t x66;\n fiat_p256_uint1 x67;\n uint32_t x68;\n fiat_p256_uint1 x69;\n uint32_t x70;\n fiat_p256_uint1 x71;\n uint32_t x72;\n fiat_p256_uint1 x73;\n uint32_t x74;\n fiat_p256_uint1 x75;\n uint32_t x76;\n fiat_p256_uint1 x77;\n uint32_t x78;\n fiat_p256_uint1 x79;\n uint32_t x80;\n fiat_p256_uint1 x81;\n uint32_t x82;\n fiat_p256_uint1 x83;\n uint32_t x84;\n fiat_p256_uint1 x85;\n uint32_t x86;\n fiat_p256_uint1 x87;\n uint32_t x88;\n fiat_p256_uint1 x89;\n uint32_t x90;\n fiat_p256_uint1 x91;\n uint32_t x92;\n fiat_p256_uint1 x93;\n uint32_t x94;\n fiat_p256_uint1 x95;\n uint32_t x96;\n fiat_p256_uint1 x97;\n uint32_t x98;\n fiat_p256_uint1 x99;\n uint32_t x100;\n fiat_p256_uint1 x101;\n uint32_t x102;\n uint32_t x103;\n uint32_t x104;\n uint32_t x105;\n uint32_t x106;\n uint32_t x107;\n uint32_t x108;\n uint32_t x109;\n uint32_t x110;\n fiat_p256_uint1 x111;\n uint32_t x112;\n fiat_p256_uint1 x113;\n uint32_t x114;\n fiat_p256_uint1 x115;\n uint32_t x116;\n fiat_p256_uint1 x117;\n uint32_t x118;\n fiat_p256_uint1 x119;\n uint32_t x120;\n fiat_p256_uint1 x121;\n uint32_t x122;\n fiat_p256_uint1 x123;\n uint32_t x124;\n fiat_p256_uint1 x125;\n uint32_t x126;\n fiat_p256_uint1 x127;\n uint32_t x128;\n fiat_p256_uint1 x129;\n uint32_t x130;\n fiat_p256_uint1 x131;\n uint32_t x132;\n fiat_p256_uint1 x133;\n uint32_t x134;\n fiat_p256_uint1 x135;\n uint32_t x136;\n fiat_p256_uint1 x137;\n uint32_t x138;\n fiat_p256_uint1 x139;\n uint32_t x140;\n fiat_p256_uint1 x141;\n uint32_t x142;\n fiat_p256_uint1 x143;\n uint32_t x144;\n fiat_p256_uint1 x145;\n uint32_t x146;\n fiat_p256_uint1 x147;\n uint32_t x148;\n uint32_t x149;\n uint32_t x150;\n uint32_t x151;\n uint32_t x152;\n uint32_t x153;\n uint32_t x154;\n uint32_t x155;\n uint32_t x156;\n fiat_p256_uint1 x157;\n uint32_t x158;\n fiat_p256_uint1 x159;\n uint32_t x160;\n fiat_p256_uint1 x161;\n uint32_t x162;\n fiat_p256_uint1 x163;\n uint32_t x164;\n fiat_p256_uint1 x165;\n uint32_t x166;\n fiat_p256_uint1 x167;\n uint32_t x168;\n fiat_p256_uint1 x169;\n uint32_t x170;\n fiat_p256_uint1 x171;\n uint32_t x172;\n fiat_p256_uint1 x173;\n uint32_t x174;\n fiat_p256_uint1 x175;\n uint32_t x176;\n fiat_p256_uint1 x177;\n uint32_t x178;\n fiat_p256_uint1 x179;\n uint32_t x180;\n fiat_p256_uint1 x181;\n uint32_t x182;\n fiat_p256_uint1 x183;\n uint32_t x184;\n fiat_p256_uint1 x185;\n uint32_t x186;\n fiat_p256_uint1 x187;\n uint32_t x188;\n fiat_p256_uint1 x189;\n uint32_t x190;\n fiat_p256_uint1 x191;\n uint32_t x192;\n fiat_p256_uint1 x193;\n uint32_t x194;\n uint32_t x195;\n uint32_t x196;\n uint32_t x197;\n uint32_t x198;\n uint32_t x199;\n uint32_t x200;\n uint32_t x201;\n uint32_t x202;\n fiat_p256_uint1 x203;\n uint32_t x204;\n fiat_p256_uint1 x205;\n uint32_t x206;\n fiat_p256_uint1 x207;\n uint32_t x208;\n fiat_p256_uint1 x209;\n uint32_t x210;\n fiat_p256_uint1 x211;\n uint32_t x212;\n fiat_p256_uint1 x213;\n uint32_t x214;\n fiat_p256_uint1 x215;\n uint32_t x216;\n fiat_p256_uint1 x217;\n uint32_t x218;\n fiat_p256_uint1 x219;\n uint32_t x220;\n fiat_p256_uint1 x221;\n uint32_t x222;\n fiat_p256_uint1 x223;\n uint32_t x224;\n fiat_p256_uint1 x225;\n uint32_t x226;\n fiat_p256_uint1 x227;\n uint32_t x228;\n fiat_p256_uint1 x229;\n uint32_t x230;\n fiat_p256_uint1 x231;\n uint32_t x232;\n fiat_p256_uint1 x233;\n uint32_t x234;\n fiat_p256_uint1 x235;\n uint32_t x236;\n fiat_p256_uint1 x237;\n uint32_t x238;\n fiat_p256_uint1 x239;\n uint32_t x240;\n uint32_t x241;\n uint32_t x242;\n uint32_t x243;\n uint32_t x244;\n uint32_t x245;\n uint32_t x246;\n uint32_t x247;\n uint32_t x248;\n fiat_p256_uint1 x249;\n uint32_t x250;\n fiat_p256_uint1 x251;\n uint32_t x252;\n fiat_p256_uint1 x253;\n uint32_t x254;\n fiat_p256_uint1 x255;\n uint32_t x256;\n fiat_p256_uint1 x257;\n uint32_t x258;\n fiat_p256_uint1 x259;\n uint32_t x260;\n fiat_p256_uint1 x261;\n uint32_t x262;\n fiat_p256_uint1 x263;\n uint32_t x264;\n fiat_p256_uint1 x265;\n uint32_t x266;\n fiat_p256_uint1 x267;\n uint32_t x268;\n fiat_p256_uint1 x269;\n uint32_t x270;\n fiat_p256_uint1 x271;\n uint32_t x272;\n fiat_p256_uint1 x273;\n uint32_t x274;\n fiat_p256_uint1 x275;\n uint32_t x276;\n fiat_p256_uint1 x277;\n uint32_t x278;\n fiat_p256_uint1 x279;\n uint32_t x280;\n fiat_p256_uint1 x281;\n uint32_t x282;\n fiat_p256_uint1 x283;\n uint32_t x284;\n fiat_p256_uint1 x285;\n uint32_t x286;\n uint32_t x287;\n uint32_t x288;\n uint32_t x289;\n uint32_t x290;\n uint32_t x291;\n uint32_t x292;\n uint32_t x293;\n uint32_t x294;\n fiat_p256_uint1 x295;\n uint32_t x296;\n fiat_p256_uint1 x297;\n uint32_t x298;\n fiat_p256_uint1 x299;\n uint32_t x300;\n fiat_p256_uint1 x301;\n uint32_t x302;\n fiat_p256_uint1 x303;\n uint32_t x304;\n fiat_p256_uint1 x305;\n uint32_t x306;\n fiat_p256_uint1 x307;\n uint32_t x308;\n fiat_p256_uint1 x309;\n uint32_t x310;\n fiat_p256_uint1 x311;\n uint32_t x312;\n fiat_p256_uint1 x313;\n uint32_t x314;\n fiat_p256_uint1 x315;\n uint32_t x316;\n fiat_p256_uint1 x317;\n uint32_t x318;\n fiat_p256_uint1 x319;\n uint32_t x320;\n fiat_p256_uint1 x321;\n uint32_t x322;\n fiat_p256_uint1 x323;\n uint32_t x324;\n fiat_p256_uint1 x325;\n uint32_t x326;\n fiat_p256_uint1 x327;\n uint32_t x328;\n fiat_p256_uint1 x329;\n uint32_t x330;\n fiat_p256_uint1 x331;\n uint32_t x332;\n fiat_p256_uint1 x333;\n uint32_t x334;\n uint32_t x335;\n uint32_t x336;\n uint32_t x337;\n uint32_t x338;\n uint32_t x339;\n uint32_t x340;\n uint32_t x341;\n x1 = (arg1[0]);\n fiat_p256_mulx_u32(&x2, &x3, x1, UINT32_C(0xffffffff));\n fiat_p256_mulx_u32(&x4, &x5, x1, UINT32_C(0xffffffff));\n fiat_p256_mulx_u32(&x6, &x7, x1, UINT32_C(0xffffffff));\n fiat_p256_mulx_u32(&x8, &x9, x1, UINT32_C(0xffffffff));\n fiat_p256_addcarryx_u32(&x10, &x11, 0x0, x9, x6);\n fiat_p256_addcarryx_u32(&x12, &x13, x11, x7, x4);\n fiat_p256_addcarryx_u32(&x14, &x15, 0x0, x1, x8);\n fiat_p256_addcarryx_u32(&x16, &x17, x15, 0x0, x10);\n fiat_p256_addcarryx_u32(&x18, &x19, x17, 0x0, x12);\n fiat_p256_addcarryx_u32(&x20, &x21, x19, 0x0, (x13 + x5));\n fiat_p256_addcarryx_u32(&x22, &x23, 0x0, x16, (arg1[1]));\n fiat_p256_addcarryx_u32(&x24, &x25, x23, x18, 0x0);\n fiat_p256_addcarryx_u32(&x26, &x27, x25, x20, 0x0);\n fiat_p256_mulx_u32(&x28, &x29, x22, UINT32_C(0xffffffff));\n fiat_p256_mulx_u32(&x30, &x31, x22, UINT32_C(0xffffffff));\n fiat_p256_mulx_u32(&x32, &x33, x22, UINT32_C(0xffffffff));\n fiat_p256_mulx_u32(&x34, &x35, x22, UINT32_C(0xffffffff));\n fiat_p256_addcarryx_u32(&x36, &x37, 0x0, x35, x32);\n fiat_p256_addcarryx_u32(&x38, &x39, x37, x33, x30);\n fiat_p256_addcarryx_u32(&x40, &x41, 0x0, x22, x34);\n fiat_p256_addcarryx_u32(&x42, &x43, x41, x24, x36);\n fiat_p256_addcarryx_u32(&x44, &x45, x43, x26, x38);\n fiat_p256_addcarryx_u32(&x46, &x47, x45, ((uint32_t)x27 + x21), (x39 + x31));\n fiat_p256_addcarryx_u32(&x48, &x49, 0x0, x2, x22);\n fiat_p256_addcarryx_u32(&x50, &x51, x49, x3, x28);\n fiat_p256_addcarryx_u32(&x52, &x53, 0x0, x42, (arg1[2]));\n fiat_p256_addcarryx_u32(&x54, &x55, x53, x44, 0x0);\n fiat_p256_addcarryx_u32(&x56, &x57, x55, x46, 0x0);\n fiat_p256_mulx_u32(&x58, &x59, x52, UINT32_C(0xffffffff));\n fiat_p256_mulx_u32(&x60, &x61, x52, UINT32_C(0xffffffff));\n fiat_p256_mulx_u32(&x62, &x63, x52, UINT32_C(0xffffffff));\n fiat_p256_mulx_u32(&x64, &x65, x52, UINT32_C(0xffffffff));\n fiat_p256_addcarryx_u32(&x66, &x67, 0x0, x65, x62);\n fiat_p256_addcarryx_u32(&x68, &x69, x67, x63, x60);\n fiat_p256_addcarryx_u32(&x70, &x71, 0x0, x52, x64);\n fiat_p256_addcarryx_u32(&x72, &x73, x71, x54, x66);\n fiat_p256_addcarryx_u32(&x74, &x75, x73, x56, x68);\n fiat_p256_addcarryx_u32(&x76, &x77, x75, ((uint32_t)x57 + x47), (x69 + x61));\n fiat_p256_addcarryx_u32(&x78, &x79, x77, x1, 0x0);\n fiat_p256_addcarryx_u32(&x80, &x81, x79, x48, 0x0);\n fiat_p256_addcarryx_u32(&x82, &x83, x81, x50, x52);\n fiat_p256_addcarryx_u32(&x84, &x85, x83, (x51 + x29), x58);\n fiat_p256_addcarryx_u32(&x86, &x87, 0x0, x72, (arg1[3]));\n fiat_p256_addcarryx_u32(&x88, &x89, x87, x74, 0x0);\n fiat_p256_addcarryx_u32(&x90, &x91, x89, x76, 0x0);\n fiat_p256_addcarryx_u32(&x92, &x93, x91, x78, 0x0);\n fiat_p256_addcarryx_u32(&x94, &x95, x93, x80, 0x0);\n fiat_p256_addcarryx_u32(&x96, &x97, x95, x82, 0x0);\n fiat_p256_addcarryx_u32(&x98, &x99, x97, x84, 0x0);\n fiat_p256_addcarryx_u32(&x100, &x101, x99, (x85 + x59), 0x0);\n fiat_p256_mulx_u32(&x102, &x103, x86, UINT32_C(0xffffffff));\n fiat_p256_mulx_u32(&x104, &x105, x86, UINT32_C(0xffffffff));\n fiat_p256_mulx_u32(&x106, &x107, x86, UINT32_C(0xffffffff));\n fiat_p256_mulx_u32(&x108, &x109, x86, UINT32_C(0xffffffff));\n fiat_p256_addcarryx_u32(&x110, &x111, 0x0, x109, x106);\n fiat_p256_addcarryx_u32(&x112, &x113, x111, x107, x104);\n fiat_p256_addcarryx_u32(&x114, &x115, 0x0, x86, x108);\n fiat_p256_addcarryx_u32(&x116, &x117, x115, x88, x110);\n fiat_p256_addcarryx_u32(&x118, &x119, x117, x90, x112);\n fiat_p256_addcarryx_u32(&x120, &x121, x119, x92, (x113 + x105));\n fiat_p256_addcarryx_u32(&x122, &x123, x121, x94, 0x0);\n fiat_p256_addcarryx_u32(&x124, &x125, x123, x96, 0x0);\n fiat_p256_addcarryx_u32(&x126, &x127, x125, x98, x86);\n fiat_p256_addcarryx_u32(&x128, &x129, x127, x100, x102);\n fiat_p256_addcarryx_u32(&x130, &x131, x129, x101, x103);\n fiat_p256_addcarryx_u32(&x132, &x133, 0x0, x116, (arg1[4]));\n fiat_p256_addcarryx_u32(&x134, &x135, x133, x118, 0x0);\n fiat_p256_addcarryx_u32(&x136, &x137, x135, x120, 0x0);\n fiat_p256_addcarryx_u32(&x138, &x139, x137, x122, 0x0);\n fiat_p256_addcarryx_u32(&x140, &x141, x139, x124, 0x0);\n fiat_p256_addcarryx_u32(&x142, &x143, x141, x126, 0x0);\n fiat_p256_addcarryx_u32(&x144, &x145, x143, x128, 0x0);\n fiat_p256_addcarryx_u32(&x146, &x147, x145, x130, 0x0);\n fiat_p256_mulx_u32(&x148, &x149, x132, UINT32_C(0xffffffff));\n fiat_p256_mulx_u32(&x150, &x151, x132, UINT32_C(0xffffffff));\n fiat_p256_mulx_u32(&x152, &x153, x132, UINT32_C(0xffffffff));\n fiat_p256_mulx_u32(&x154, &x155, x132, UINT32_C(0xffffffff));\n fiat_p256_addcarryx_u32(&x156, &x157, 0x0, x155, x152);\n fiat_p256_addcarryx_u32(&x158, &x159, x157, x153, x150);\n fiat_p256_addcarryx_u32(&x160, &x161, 0x0, x132, x154);\n fiat_p256_addcarryx_u32(&x162, &x163, x161, x134, x156);\n fiat_p256_addcarryx_u32(&x164, &x165, x163, x136, x158);\n fiat_p256_addcarryx_u32(&x166, &x167, x165, x138, (x159 + x151));\n fiat_p256_addcarryx_u32(&x168, &x169, x167, x140, 0x0);\n fiat_p256_addcarryx_u32(&x170, &x171, x169, x142, 0x0);\n fiat_p256_addcarryx_u32(&x172, &x173, x171, x144, x132);\n fiat_p256_addcarryx_u32(&x174, &x175, x173, x146, x148);\n fiat_p256_addcarryx_u32(&x176, &x177, x175, ((uint32_t)x147 + x131), x149);\n fiat_p256_addcarryx_u32(&x178, &x179, 0x0, x162, (arg1[5]));\n fiat_p256_addcarryx_u32(&x180, &x181, x179, x164, 0x0);\n fiat_p256_addcarryx_u32(&x182, &x183, x181, x166, 0x0);\n fiat_p256_addcarryx_u32(&x184, &x185, x183, x168, 0x0);\n fiat_p256_addcarryx_u32(&x186, &x187, x185, x170, 0x0);\n fiat_p256_addcarryx_u32(&x188, &x189, x187, x172, 0x0);\n fiat_p256_addcarryx_u32(&x190, &x191, x189, x174, 0x0);\n fiat_p256_addcarryx_u32(&x192, &x193, x191, x176, 0x0);\n fiat_p256_mulx_u32(&x194, &x195, x178, UINT32_C(0xffffffff));\n fiat_p256_mulx_u32(&x196, &x197, x178, UINT32_C(0xffffffff));\n fiat_p256_mulx_u32(&x198, &x199, x178, UINT32_C(0xffffffff));\n fiat_p256_mulx_u32(&x200, &x201, x178, UINT32_C(0xffffffff));\n fiat_p256_addcarryx_u32(&x202, &x203, 0x0, x201, x198);\n fiat_p256_addcarryx_u32(&x204, &x205, x203, x199, x196);\n fiat_p256_addcarryx_u32(&x206, &x207, 0x0, x178, x200);\n fiat_p256_addcarryx_u32(&x208, &x209, x207, x180, x202);\n fiat_p256_addcarryx_u32(&x210, &x211, x209, x182, x204);\n fiat_p256_addcarryx_u32(&x212, &x213, x211, x184, (x205 + x197));\n fiat_p256_addcarryx_u32(&x214, &x215, x213, x186, 0x0);\n fiat_p256_addcarryx_u32(&x216, &x217, x215, x188, 0x0);\n fiat_p256_addcarryx_u32(&x218, &x219, x217, x190, x178);\n fiat_p256_addcarryx_u32(&x220, &x221, x219, x192, x194);\n fiat_p256_addcarryx_u32(&x222, &x223, x221, ((uint32_t)x193 + x177), x195);\n fiat_p256_addcarryx_u32(&x224, &x225, 0x0, x208, (arg1[6]));\n fiat_p256_addcarryx_u32(&x226, &x227, x225, x210, 0x0);\n fiat_p256_addcarryx_u32(&x228, &x229, x227, x212, 0x0);\n fiat_p256_addcarryx_u32(&x230, &x231, x229, x214, 0x0);\n fiat_p256_addcarryx_u32(&x232, &x233, x231, x216, 0x0);\n fiat_p256_addcarryx_u32(&x234, &x235, x233, x218, 0x0);\n fiat_p256_addcarryx_u32(&x236, &x237, x235, x220, 0x0);\n fiat_p256_addcarryx_u32(&x238, &x239, x237, x222, 0x0);\n fiat_p256_mulx_u32(&x240, &x241, x224, UINT32_C(0xffffffff));\n fiat_p256_mulx_u32(&x242, &x243, x224, UINT32_C(0xffffffff));\n fiat_p256_mulx_u32(&x244, &x245, x224, UINT32_C(0xffffffff));\n fiat_p256_mulx_u32(&x246, &x247, x224, UINT32_C(0xffffffff));\n fiat_p256_addcarryx_u32(&x248, &x249, 0x0, x247, x244);\n fiat_p256_addcarryx_u32(&x250, &x251, x249, x245, x242);\n fiat_p256_addcarryx_u32(&x252, &x253, 0x0, x224, x246);\n fiat_p256_addcarryx_u32(&x254, &x255, x253, x226, x248);\n fiat_p256_addcarryx_u32(&x256, &x257, x255, x228, x250);\n fiat_p256_addcarryx_u32(&x258, &x259, x257, x230, (x251 + x243));\n fiat_p256_addcarryx_u32(&x260, &x261, x259, x232, 0x0);\n fiat_p256_addcarryx_u32(&x262, &x263, x261, x234, 0x0);\n fiat_p256_addcarryx_u32(&x264, &x265, x263, x236, x224);\n fiat_p256_addcarryx_u32(&x266, &x267, x265, x238, x240);\n fiat_p256_addcarryx_u32(&x268, &x269, x267, ((uint32_t)x239 + x223), x241);\n fiat_p256_addcarryx_u32(&x270, &x271, 0x0, x254, (arg1[7]));\n fiat_p256_addcarryx_u32(&x272, &x273, x271, x256, 0x0);\n fiat_p256_addcarryx_u32(&x274, &x275, x273, x258, 0x0);\n fiat_p256_addcarryx_u32(&x276, &x277, x275, x260, 0x0);\n fiat_p256_addcarryx_u32(&x278, &x279, x277, x262, 0x0);\n fiat_p256_addcarryx_u32(&x280, &x281, x279, x264, 0x0);\n fiat_p256_addcarryx_u32(&x282, &x283, x281, x266, 0x0);\n fiat_p256_addcarryx_u32(&x284, &x285, x283, x268, 0x0);\n fiat_p256_mulx_u32(&x286, &x287, x270, UINT32_C(0xffffffff));\n fiat_p256_mulx_u32(&x288, &x289, x270, UINT32_C(0xffffffff));\n fiat_p256_mulx_u32(&x290, &x291, x270, UINT32_C(0xffffffff));\n fiat_p256_mulx_u32(&x292, &x293, x270, UINT32_C(0xffffffff));\n fiat_p256_addcarryx_u32(&x294, &x295, 0x0, x293, x290);\n fiat_p256_addcarryx_u32(&x296, &x297, x295, x291, x288);\n fiat_p256_addcarryx_u32(&x298, &x299, 0x0, x270, x292);\n fiat_p256_addcarryx_u32(&x300, &x301, x299, x272, x294);\n fiat_p256_addcarryx_u32(&x302, &x303, x301, x274, x296);\n fiat_p256_addcarryx_u32(&x304, &x305, x303, x276, (x297 + x289));\n fiat_p256_addcarryx_u32(&x306, &x307, x305, x278, 0x0);\n fiat_p256_addcarryx_u32(&x308, &x309, x307, x280, 0x0);\n fiat_p256_addcarryx_u32(&x310, &x311, x309, x282, x270);\n fiat_p256_addcarryx_u32(&x312, &x313, x311, x284, x286);\n fiat_p256_addcarryx_u32(&x314, &x315, x313, ((uint32_t)x285 + x269), x287);\n fiat_p256_subborrowx_u32(&x316, &x317, 0x0, x300, UINT32_C(0xffffffff));\n fiat_p256_subborrowx_u32(&x318, &x319, x317, x302, UINT32_C(0xffffffff));\n fiat_p256_subborrowx_u32(&x320, &x321, x319, x304, UINT32_C(0xffffffff));\n fiat_p256_subborrowx_u32(&x322, &x323, x321, x306, 0x0);\n fiat_p256_subborrowx_u32(&x324, &x325, x323, x308, 0x0);\n fiat_p256_subborrowx_u32(&x326, &x327, x325, x310, 0x0);\n fiat_p256_subborrowx_u32(&x328, &x329, x327, x312, 0x1);\n fiat_p256_subborrowx_u32(&x330, &x331, x329, x314, UINT32_C(0xffffffff));\n fiat_p256_subborrowx_u32(&x332, &x333, x331, x315, 0x0);\n fiat_p256_cmovznz_u32(&x334, x333, x316, x300);\n fiat_p256_cmovznz_u32(&x335, x333, x318, x302);\n fiat_p256_cmovznz_u32(&x336, x333, x320, x304);\n fiat_p256_cmovznz_u32(&x337, x333, x322, x306);\n fiat_p256_cmovznz_u32(&x338, x333, x324, x308);\n fiat_p256_cmovznz_u32(&x339, x333, x326, x310);\n fiat_p256_cmovznz_u32(&x340, x333, x328, x312);\n fiat_p256_cmovznz_u32(&x341, x333, x330, x314);\n out1[0] = x334;\n out1[1] = x335;\n out1[2] = x336;\n out1[3] = x337;\n out1[4] = x338;\n out1[5] = x339;\n out1[6] = x340;\n out1[7] = x341;\n}\n\n/*\n * The function fiat_p256_to_montgomery translates a field element into the Montgomery domain.\n *\n * Preconditions:\n * 0 ≤ eval arg1 < m\n * Postconditions:\n * eval (from_montgomery out1) mod m = eval arg1 mod m\n * 0 ≤ eval out1 < m\n *\n */\nstatic FIAT_P256_FIAT_INLINE void fiat_p256_to_montgomery(fiat_p256_montgomery_domain_field_element out1, const fiat_p256_non_montgomery_domain_field_element arg1) {\n uint32_t x1;\n uint32_t x2;\n uint32_t x3;\n uint32_t x4;\n uint32_t x5;\n uint32_t x6;\n uint32_t x7;\n uint32_t x8;\n uint32_t x9;\n uint32_t x10;\n uint32_t x11;\n uint32_t x12;\n uint32_t x13;\n uint32_t x14;\n uint32_t x15;\n uint32_t x16;\n uint32_t x17;\n uint32_t x18;\n uint32_t x19;\n uint32_t x20;\n uint32_t x21;\n uint32_t x22;\n uint32_t x23;\n fiat_p256_uint1 x24;\n uint32_t x25;\n fiat_p256_uint1 x26;\n uint32_t x27;\n fiat_p256_uint1 x28;\n uint32_t x29;\n fiat_p256_uint1 x30;\n uint32_t x31;\n fiat_p256_uint1 x32;\n uint32_t x33;\n uint32_t x34;\n uint32_t x35;\n uint32_t x36;\n uint32_t x37;\n uint32_t x38;\n uint32_t x39;\n uint32_t x40;\n uint32_t x41;\n fiat_p256_uint1 x42;\n uint32_t x43;\n fiat_p256_uint1 x44;\n uint32_t x45;\n fiat_p256_uint1 x46;\n uint32_t x47;\n fiat_p256_uint1 x48;\n uint32_t x49;\n fiat_p256_uint1 x50;\n uint32_t x51;\n fiat_p256_uint1 x52;\n uint32_t x53;\n fiat_p256_uint1 x54;\n uint32_t x55;\n fiat_p256_uint1 x56;\n uint32_t x57;\n fiat_p256_uint1 x58;\n uint32_t x59;\n fiat_p256_uint1 x60;\n uint32_t x61;\n fiat_p256_uint1 x62;\n uint32_t x63;\n uint32_t x64;\n uint32_t x65;\n uint32_t x66;\n uint32_t x67;\n uint32_t x68;\n uint32_t x69;\n uint32_t x70;\n uint32_t x71;\n uint32_t x72;\n uint32_t x73;\n uint32_t x74;\n uint32_t x75;\n uint32_t x76;\n uint32_t x77;\n fiat_p256_uint1 x78;\n uint32_t x79;\n fiat_p256_uint1 x80;\n uint32_t x81;\n fiat_p256_uint1 x82;\n uint32_t x83;\n fiat_p256_uint1 x84;\n uint32_t x85;\n fiat_p256_uint1 x86;\n uint32_t x87;\n fiat_p256_uint1 x88;\n uint32_t x89;\n fiat_p256_uint1 x90;\n uint32_t x91;\n fiat_p256_uint1 x92;\n uint32_t x93;\n fiat_p256_uint1 x94;\n uint32_t x95;\n fiat_p256_uint1 x96;\n uint32_t x97;\n fiat_p256_uint1 x98;\n uint32_t x99;\n fiat_p256_uint1 x100;\n uint32_t x101;\n fiat_p256_uint1 x102;\n uint32_t x103;\n uint32_t x104;\n uint32_t x105;\n uint32_t x106;\n uint32_t x107;\n uint32_t x108;\n uint32_t x109;\n uint32_t x110;\n uint32_t x111;\n fiat_p256_uint1 x112;\n uint32_t x113;\n fiat_p256_uint1 x114;\n uint32_t x115;\n fiat_p256_uint1 x116;\n uint32_t x117;\n fiat_p256_uint1 x118;\n uint32_t x119;\n fiat_p256_uint1 x120;\n uint32_t x121;\n fiat_p256_uint1 x122;\n uint32_t x123;\n fiat_p256_uint1 x124;\n uint32_t x125;\n fiat_p256_uint1 x126;\n uint32_t x127;\n fiat_p256_uint1 x128;\n uint32_t x129;\n fiat_p256_uint1 x130;\n uint32_t x131;\n fiat_p256_uint1 x132;\n uint32_t x133;\n uint32_t x134;\n uint32_t x135;\n uint32_t x136;\n uint32_t x137;\n uint32_t x138;\n uint32_t x139;\n uint32_t x140;\n uint32_t x141;\n uint32_t x142;\n uint32_t x143;\n uint32_t x144;\n uint32_t x145;\n uint32_t x146;\n uint32_t x147;\n fiat_p256_uint1 x148;\n uint32_t x149;\n fiat_p256_uint1 x150;\n uint32_t x151;\n fiat_p256_uint1 x152;\n uint32_t x153;\n fiat_p256_uint1 x154;\n uint32_t x155;\n fiat_p256_uint1 x156;\n uint32_t x157;\n fiat_p256_uint1 x158;\n uint32_t x159;\n fiat_p256_uint1 x160;\n uint32_t x161;\n fiat_p256_uint1 x162;\n uint32_t x163;\n fiat_p256_uint1 x164;\n uint32_t x165;\n fiat_p256_uint1 x166;\n uint32_t x167;\n fiat_p256_uint1 x168;\n uint32_t x169;\n fiat_p256_uint1 x170;\n uint32_t x171;\n fiat_p256_uint1 x172;\n uint32_t x173;\n uint32_t x174;\n uint32_t x175;\n uint32_t x176;\n uint32_t x177;\n uint32_t x178;\n uint32_t x179;\n uint32_t x180;\n uint32_t x181;\n fiat_p256_uint1 x182;\n uint32_t x183;\n fiat_p256_uint1 x184;\n uint32_t x185;\n fiat_p256_uint1 x186;\n uint32_t x187;\n fiat_p256_uint1 x188;\n uint32_t x189;\n fiat_p256_uint1 x190;\n uint32_t x191;\n fiat_p256_uint1 x192;\n uint32_t x193;\n fiat_p256_uint1 x194;\n uint32_t x195;\n fiat_p256_uint1 x196;\n uint32_t x197;\n fiat_p256_uint1 x198;\n uint32_t x199;\n fiat_p256_uint1 x200;\n uint32_t x201;\n fiat_p256_uint1 x202;\n uint32_t x203;\n uint32_t x204;\n uint32_t x205;\n uint32_t x206;\n uint32_t x207;\n uint32_t x208;\n uint32_t x209;\n uint32_t x210;\n uint32_t x211;\n uint32_t x212;\n uint32_t x213;\n uint32_t x214;\n uint32_t x215;\n uint32_t x216;\n uint32_t x217;\n fiat_p256_uint1 x218;\n uint32_t x219;\n fiat_p256_uint1 x220;\n uint32_t x221;\n fiat_p256_uint1 x222;\n uint32_t x223;\n fiat_p256_uint1 x224;\n uint32_t x225;\n fiat_p256_uint1 x226;\n uint32_t x227;\n fiat_p256_uint1 x228;\n uint32_t x229;\n fiat_p256_uint1 x230;\n uint32_t x231;\n fiat_p256_uint1 x232;\n uint32_t x233;\n fiat_p256_uint1 x234;\n uint32_t x235;\n fiat_p256_uint1 x236;\n uint32_t x237;\n fiat_p256_uint1 x238;\n uint32_t x239;\n fiat_p256_uint1 x240;\n uint32_t x241;\n fiat_p256_uint1 x242;\n uint32_t x243;\n uint32_t x244;\n uint32_t x245;\n uint32_t x246;\n uint32_t x247;\n uint32_t x248;\n uint32_t x249;\n uint32_t x250;\n uint32_t x251;\n fiat_p256_uint1 x252;\n uint32_t x253;\n fiat_p256_uint1 x254;\n uint32_t x255;\n fiat_p256_uint1 x256;\n uint32_t x257;\n fiat_p256_uint1 x258;\n uint32_t x259;\n fiat_p256_uint1 x260;\n uint32_t x261;\n fiat_p256_uint1 x262;\n uint32_t x263;\n fiat_p256_uint1 x264;\n uint32_t x265;\n fiat_p256_uint1 x266;\n uint32_t x267;\n fiat_p256_uint1 x268;\n uint32_t x269;\n fiat_p256_uint1 x270;\n uint32_t x271;\n fiat_p256_uint1 x272;\n uint32_t x273;\n uint32_t x274;\n uint32_t x275;\n uint32_t x276;\n uint32_t x277;\n uint32_t x278;\n uint32_t x279;\n uint32_t x280;\n uint32_t x281;\n uint32_t x282;\n uint32_t x283;\n uint32_t x284;\n uint32_t x285;\n uint32_t x286;\n uint32_t x287;\n fiat_p256_uint1 x288;\n uint32_t x289;\n fiat_p256_uint1 x290;\n uint32_t x291;\n fiat_p256_uint1 x292;\n uint32_t x293;\n fiat_p256_uint1 x294;\n uint32_t x295;\n fiat_p256_uint1 x296;\n uint32_t x297;\n fiat_p256_uint1 x298;\n uint32_t x299;\n fiat_p256_uint1 x300;\n uint32_t x301;\n fiat_p256_uint1 x302;\n uint32_t x303;\n fiat_p256_uint1 x304;\n uint32_t x305;\n fiat_p256_uint1 x306;\n uint32_t x307;\n fiat_p256_uint1 x308;\n uint32_t x309;\n fiat_p256_uint1 x310;\n uint32_t x311;\n fiat_p256_uint1 x312;\n uint32_t x313;\n uint32_t x314;\n uint32_t x315;\n uint32_t x316;\n uint32_t x317;\n uint32_t x318;\n uint32_t x319;\n uint32_t x320;\n uint32_t x321;\n fiat_p256_uint1 x322;\n uint32_t x323;\n fiat_p256_uint1 x324;\n uint32_t x325;\n fiat_p256_uint1 x326;\n uint32_t x327;\n fiat_p256_uint1 x328;\n uint32_t x329;\n fiat_p256_uint1 x330;\n uint32_t x331;\n fiat_p256_uint1 x332;\n uint32_t x333;\n fiat_p256_uint1 x334;\n uint32_t x335;\n fiat_p256_uint1 x336;\n uint32_t x337;\n fiat_p256_uint1 x338;\n uint32_t x339;\n fiat_p256_uint1 x340;\n uint32_t x341;\n fiat_p256_uint1 x342;\n uint32_t x343;\n uint32_t x344;\n uint32_t x345;\n uint32_t x346;\n uint32_t x347;\n uint32_t x348;\n uint32_t x349;\n uint32_t x350;\n uint32_t x351;\n uint32_t x352;\n uint32_t x353;\n uint32_t x354;\n uint32_t x355;\n uint32_t x356;\n uint32_t x357;\n fiat_p256_uint1 x358;\n uint32_t x359;\n fiat_p256_uint1 x360;\n uint32_t x361;\n fiat_p256_uint1 x362;\n uint32_t x363;\n fiat_p256_uint1 x364;\n uint32_t x365;\n fiat_p256_uint1 x366;\n uint32_t x367;\n fiat_p256_uint1 x368;\n uint32_t x369;\n fiat_p256_uint1 x370;\n uint32_t x371;\n fiat_p256_uint1 x372;\n uint32_t x373;\n fiat_p256_uint1 x374;\n uint32_t x375;\n fiat_p256_uint1 x376;\n uint32_t x377;\n fiat_p256_uint1 x378;\n uint32_t x379;\n fiat_p256_uint1 x380;\n uint32_t x381;\n fiat_p256_uint1 x382;\n uint32_t x383;\n uint32_t x384;\n uint32_t x385;\n uint32_t x386;\n uint32_t x387;\n uint32_t x388;\n uint32_t x389;\n uint32_t x390;\n uint32_t x391;\n fiat_p256_uint1 x392;\n uint32_t x393;\n fiat_p256_uint1 x394;\n uint32_t x395;\n fiat_p256_uint1 x396;\n uint32_t x397;\n fiat_p256_uint1 x398;\n uint32_t x399;\n fiat_p256_uint1 x400;\n uint32_t x401;\n fiat_p256_uint1 x402;\n uint32_t x403;\n fiat_p256_uint1 x404;\n uint32_t x405;\n fiat_p256_uint1 x406;\n uint32_t x407;\n fiat_p256_uint1 x408;\n uint32_t x409;\n fiat_p256_uint1 x410;\n uint32_t x411;\n fiat_p256_uint1 x412;\n uint32_t x413;\n uint32_t x414;\n uint32_t x415;\n uint32_t x416;\n uint32_t x417;\n uint32_t x418;\n uint32_t x419;\n uint32_t x420;\n uint32_t x421;\n uint32_t x422;\n uint32_t x423;\n uint32_t x424;\n uint32_t x425;\n uint32_t x426;\n uint32_t x427;\n fiat_p256_uint1 x428;\n uint32_t x429;\n fiat_p256_uint1 x430;\n uint32_t x431;\n fiat_p256_uint1 x432;\n uint32_t x433;\n fiat_p256_uint1 x434;\n uint32_t x435;\n fiat_p256_uint1 x436;\n uint32_t x437;\n fiat_p256_uint1 x438;\n uint32_t x439;\n fiat_p256_uint1 x440;\n uint32_t x441;\n fiat_p256_uint1 x442;\n uint32_t x443;\n fiat_p256_uint1 x444;\n uint32_t x445;\n fiat_p256_uint1 x446;\n uint32_t x447;\n fiat_p256_uint1 x448;\n uint32_t x449;\n fiat_p256_uint1 x450;\n uint32_t x451;\n fiat_p256_uint1 x452;\n uint32_t x453;\n uint32_t x454;\n uint32_t x455;\n uint32_t x456;\n uint32_t x457;\n uint32_t x458;\n uint32_t x459;\n uint32_t x460;\n uint32_t x461;\n fiat_p256_uint1 x462;\n uint32_t x463;\n fiat_p256_uint1 x464;\n uint32_t x465;\n fiat_p256_uint1 x466;\n uint32_t x467;\n fiat_p256_uint1 x468;\n uint32_t x469;\n fiat_p256_uint1 x470;\n uint32_t x471;\n fiat_p256_uint1 x472;\n uint32_t x473;\n fiat_p256_uint1 x474;\n uint32_t x475;\n fiat_p256_uint1 x476;\n uint32_t x477;\n fiat_p256_uint1 x478;\n uint32_t x479;\n fiat_p256_uint1 x480;\n uint32_t x481;\n fiat_p256_uint1 x482;\n uint32_t x483;\n uint32_t x484;\n uint32_t x485;\n uint32_t x486;\n uint32_t x487;\n uint32_t x488;\n uint32_t x489;\n uint32_t x490;\n uint32_t x491;\n uint32_t x492;\n uint32_t x493;\n uint32_t x494;\n uint32_t x495;\n uint32_t x496;\n uint32_t x497;\n fiat_p256_uint1 x498;\n uint32_t x499;\n fiat_p256_uint1 x500;\n uint32_t x501;\n fiat_p256_uint1 x502;\n uint32_t x503;\n fiat_p256_uint1 x504;\n uint32_t x505;\n fiat_p256_uint1 x506;\n uint32_t x507;\n fiat_p256_uint1 x508;\n uint32_t x509;\n fiat_p256_uint1 x510;\n uint32_t x511;\n fiat_p256_uint1 x512;\n uint32_t x513;\n fiat_p256_uint1 x514;\n uint32_t x515;\n fiat_p256_uint1 x516;\n uint32_t x517;\n fiat_p256_uint1 x518;\n uint32_t x519;\n fiat_p256_uint1 x520;\n uint32_t x521;\n fiat_p256_uint1 x522;\n uint32_t x523;\n uint32_t x524;\n uint32_t x525;\n uint32_t x526;\n uint32_t x527;\n uint32_t x528;\n uint32_t x529;\n uint32_t x530;\n uint32_t x531;\n fiat_p256_uint1 x532;\n uint32_t x533;\n fiat_p256_uint1 x534;\n uint32_t x535;\n fiat_p256_uint1 x536;\n uint32_t x537;\n fiat_p256_uint1 x538;\n uint32_t x539;\n fiat_p256_uint1 x540;\n uint32_t x541;\n fiat_p256_uint1 x542;\n uint32_t x543;\n fiat_p256_uint1 x544;\n uint32_t x545;\n fiat_p256_uint1 x546;\n uint32_t x547;\n fiat_p256_uint1 x548;\n uint32_t x549;\n fiat_p256_uint1 x550;\n uint32_t x551;\n fiat_p256_uint1 x552;\n uint32_t x553;\n fiat_p256_uint1 x554;\n uint32_t x555;\n fiat_p256_uint1 x556;\n uint32_t x557;\n fiat_p256_uint1 x558;\n uint32_t x559;\n fiat_p256_uint1 x560;\n uint32_t x561;\n fiat_p256_uint1 x562;\n uint32_t x563;\n fiat_p256_uint1 x564;\n uint32_t x565;\n fiat_p256_uint1 x566;\n uint32_t x567;\n fiat_p256_uint1 x568;\n uint32_t x569;\n fiat_p256_uint1 x570;\n uint32_t x571;\n uint32_t x572;\n uint32_t x573;\n uint32_t x574;\n uint32_t x575;\n uint32_t x576;\n uint32_t x577;\n uint32_t x578;\n x1 = (arg1[1]);\n x2 = (arg1[2]);\n x3 = (arg1[3]);\n x4 = (arg1[4]);\n x5 = (arg1[5]);\n x6 = (arg1[6]);\n x7 = (arg1[7]);\n x8 = (arg1[0]);\n fiat_p256_mulx_u32(&x9, &x10, x8, 0x4);\n fiat_p256_mulx_u32(&x11, &x12, x8, UINT32_C(0xfffffffd));\n fiat_p256_mulx_u32(&x13, &x14, x8, UINT32_C(0xffffffff));\n fiat_p256_mulx_u32(&x15, &x16, x8, UINT32_C(0xfffffffe));\n fiat_p256_mulx_u32(&x17, &x18, x8, UINT32_C(0xfffffffb));\n fiat_p256_mulx_u32(&x19, &x20, x8, UINT32_C(0xffffffff));\n fiat_p256_mulx_u32(&x21, &x22, x8, 0x3);\n fiat_p256_addcarryx_u32(&x23, &x24, 0x0, x20, x17);\n fiat_p256_addcarryx_u32(&x25, &x26, x24, x18, x15);\n fiat_p256_addcarryx_u32(&x27, &x28, x26, x16, x13);\n fiat_p256_addcarryx_u32(&x29, &x30, x28, x14, x11);\n fiat_p256_addcarryx_u32(&x31, &x32, x30, x12, x9);\n fiat_p256_mulx_u32(&x33, &x34, x21, UINT32_C(0xffffffff));\n fiat_p256_mulx_u32(&x35, &x36, x21, UINT32_C(0xffffffff));\n fiat_p256_mulx_u32(&x37, &x38, x21, UINT32_C(0xffffffff));\n fiat_p256_mulx_u32(&x39, &x40, x21, UINT32_C(0xffffffff));\n fiat_p256_addcarryx_u32(&x41, &x42, 0x0, x40, x37);\n fiat_p256_addcarryx_u32(&x43, &x44, x42, x38, x35);\n fiat_p256_addcarryx_u32(&x45, &x46, 0x0, x21, x39);\n fiat_p256_addcarryx_u32(&x47, &x48, x46, x22, x41);\n fiat_p256_addcarryx_u32(&x49, &x50, x48, x19, x43);\n fiat_p256_addcarryx_u32(&x51, &x52, x50, x23, (x44 + x36));\n fiat_p256_addcarryx_u32(&x53, &x54, x52, x25, 0x0);\n fiat_p256_addcarryx_u32(&x55, &x56, x54, x27, 0x0);\n fiat_p256_addcarryx_u32(&x57, &x58, x56, x29, x21);\n fiat_p256_addcarryx_u32(&x59, &x60, x58, x31, x33);\n fiat_p256_addcarryx_u32(&x61, &x62, x60, (x32 + x10), x34);\n fiat_p256_mulx_u32(&x63, &x64, x1, 0x4);\n fiat_p256_mulx_u32(&x65, &x66, x1, UINT32_C(0xfffffffd));\n fiat_p256_mulx_u32(&x67, &x68, x1, UINT32_C(0xffffffff));\n fiat_p256_mulx_u32(&x69, &x70, x1, UINT32_C(0xfffffffe));\n fiat_p256_mulx_u32(&x71, &x72, x1, UINT32_C(0xfffffffb));\n fiat_p256_mulx_u32(&x73, &x74, x1, UINT32_C(0xffffffff));\n fiat_p256_mulx_u32(&x75, &x76, x1, 0x3);\n fiat_p256_addcarryx_u32(&x77, &x78, 0x0, x74, x71);\n fiat_p256_addcarryx_u32(&x79, &x80, x78, x72, x69);\n fiat_p256_addcarryx_u32(&x81, &x82, x80, x70, x67);\n fiat_p256_addcarryx_u32(&x83, &x84, x82, x68, x65);\n fiat_p256_addcarryx_u32(&x85, &x86, x84, x66, x63);\n fiat_p256_addcarryx_u32(&x87, &x88, 0x0, x47, x75);\n fiat_p256_addcarryx_u32(&x89, &x90, x88, x49, x76);\n fiat_p256_addcarryx_u32(&x91, &x92, x90, x51, x73);\n fiat_p256_addcarryx_u32(&x93, &x94, x92, x53, x77);\n fiat_p256_addcarryx_u32(&x95, &x96, x94, x55, x79);\n fiat_p256_addcarryx_u32(&x97, &x98, x96, x57, x81);\n fiat_p256_addcarryx_u32(&x99, &x100, x98, x59, x83);\n fiat_p256_addcarryx_u32(&x101, &x102, x100, x61, x85);\n fiat_p256_mulx_u32(&x103, &x104, x87, UINT32_C(0xffffffff));\n fiat_p256_mulx_u32(&x105, &x106, x87, UINT32_C(0xffffffff));\n fiat_p256_mulx_u32(&x107, &x108, x87, UINT32_C(0xffffffff));\n fiat_p256_mulx_u32(&x109, &x110, x87, UINT32_C(0xffffffff));\n fiat_p256_addcarryx_u32(&x111, &x112, 0x0, x110, x107);\n fiat_p256_addcarryx_u32(&x113, &x114, x112, x108, x105);\n fiat_p256_addcarryx_u32(&x115, &x116, 0x0, x87, x109);\n fiat_p256_addcarryx_u32(&x117, &x118, x116, x89, x111);\n fiat_p256_addcarryx_u32(&x119, &x120, x118, x91, x113);\n fiat_p256_addcarryx_u32(&x121, &x122, x120, x93, (x114 + x106));\n fiat_p256_addcarryx_u32(&x123, &x124, x122, x95, 0x0);\n fiat_p256_addcarryx_u32(&x125, &x126, x124, x97, 0x0);\n fiat_p256_addcarryx_u32(&x127, &x128, x126, x99, x87);\n fiat_p256_addcarryx_u32(&x129, &x130, x128, x101, x103);\n fiat_p256_addcarryx_u32(&x131, &x132, x130, (((uint32_t)x102 + x62) + (x86 + x64)), x104);\n fiat_p256_mulx_u32(&x133, &x134, x2, 0x4);\n fiat_p256_mulx_u32(&x135, &x136, x2, UINT32_C(0xfffffffd));\n fiat_p256_mulx_u32(&x137, &x138, x2, UINT32_C(0xffffffff));\n fiat_p256_mulx_u32(&x139, &x140, x2, UINT32_C(0xfffffffe));\n fiat_p256_mulx_u32(&x141, &x142, x2, UINT32_C(0xfffffffb));\n fiat_p256_mulx_u32(&x143, &x144, x2, UINT32_C(0xffffffff));\n fiat_p256_mulx_u32(&x145, &x146, x2, 0x3);\n fiat_p256_addcarryx_u32(&x147, &x148, 0x0, x144, x141);\n fiat_p256_addcarryx_u32(&x149, &x150, x148, x142, x139);\n fiat_p256_addcarryx_u32(&x151, &x152, x150, x140, x137);\n fiat_p256_addcarryx_u32(&x153, &x154, x152, x138, x135);\n fiat_p256_addcarryx_u32(&x155, &x156, x154, x136, x133);\n fiat_p256_addcarryx_u32(&x157, &x158, 0x0, x117, x145);\n fiat_p256_addcarryx_u32(&x159, &x160, x158, x119, x146);\n fiat_p256_addcarryx_u32(&x161, &x162, x160, x121, x143);\n fiat_p256_addcarryx_u32(&x163, &x164, x162, x123, x147);\n fiat_p256_addcarryx_u32(&x165, &x166, x164, x125, x149);\n fiat_p256_addcarryx_u32(&x167, &x168, x166, x127, x151);\n fiat_p256_addcarryx_u32(&x169, &x170, x168, x129, x153);\n fiat_p256_addcarryx_u32(&x171, &x172, x170, x131, x155);\n fiat_p256_mulx_u32(&x173, &x174, x157, UINT32_C(0xffffffff));\n fiat_p256_mulx_u32(&x175, &x176, x157, UINT32_C(0xffffffff));\n fiat_p256_mulx_u32(&x177, &x178, x157, UINT32_C(0xffffffff));\n fiat_p256_mulx_u32(&x179, &x180, x157, UINT32_C(0xffffffff));\n fiat_p256_addcarryx_u32(&x181, &x182, 0x0, x180, x177);\n fiat_p256_addcarryx_u32(&x183, &x184, x182, x178, x175);\n fiat_p256_addcarryx_u32(&x185, &x186, 0x0, x157, x179);\n fiat_p256_addcarryx_u32(&x187, &x188, x186, x159, x181);\n fiat_p256_addcarryx_u32(&x189, &x190, x188, x161, x183);\n fiat_p256_addcarryx_u32(&x191, &x192, x190, x163, (x184 + x176));\n fiat_p256_addcarryx_u32(&x193, &x194, x192, x165, 0x0);\n fiat_p256_addcarryx_u32(&x195, &x196, x194, x167, 0x0);\n fiat_p256_addcarryx_u32(&x197, &x198, x196, x169, x157);\n fiat_p256_addcarryx_u32(&x199, &x200, x198, x171, x173);\n fiat_p256_addcarryx_u32(&x201, &x202, x200, (((uint32_t)x172 + x132) + (x156 + x134)), x174);\n fiat_p256_mulx_u32(&x203, &x204, x3, 0x4);\n fiat_p256_mulx_u32(&x205, &x206, x3, UINT32_C(0xfffffffd));\n fiat_p256_mulx_u32(&x207, &x208, x3, UINT32_C(0xffffffff));\n fiat_p256_mulx_u32(&x209, &x210, x3, UINT32_C(0xfffffffe));\n fiat_p256_mulx_u32(&x211, &x212, x3, UINT32_C(0xfffffffb));\n fiat_p256_mulx_u32(&x213, &x214, x3, UINT32_C(0xffffffff));\n fiat_p256_mulx_u32(&x215, &x216, x3, 0x3);\n fiat_p256_addcarryx_u32(&x217, &x218, 0x0, x214, x211);\n fiat_p256_addcarryx_u32(&x219, &x220, x218, x212, x209);\n fiat_p256_addcarryx_u32(&x221, &x222, x220, x210, x207);\n fiat_p256_addcarryx_u32(&x223, &x224, x222, x208, x205);\n fiat_p256_addcarryx_u32(&x225, &x226, x224, x206, x203);\n fiat_p256_addcarryx_u32(&x227, &x228, 0x0, x187, x215);\n fiat_p256_addcarryx_u32(&x229, &x230, x228, x189, x216);\n fiat_p256_addcarryx_u32(&x231, &x232, x230, x191, x213);\n fiat_p256_addcarryx_u32(&x233, &x234, x232, x193, x217);\n fiat_p256_addcarryx_u32(&x235, &x236, x234, x195, x219);\n fiat_p256_addcarryx_u32(&x237, &x238, x236, x197, x221);\n fiat_p256_addcarryx_u32(&x239, &x240, x238, x199, x223);\n fiat_p256_addcarryx_u32(&x241, &x242, x240, x201, x225);\n fiat_p256_mulx_u32(&x243, &x244, x227, UINT32_C(0xffffffff));\n fiat_p256_mulx_u32(&x245, &x246, x227, UINT32_C(0xffffffff));\n fiat_p256_mulx_u32(&x247, &x248, x227, UINT32_C(0xffffffff));\n fiat_p256_mulx_u32(&x249, &x250, x227, UINT32_C(0xffffffff));\n fiat_p256_addcarryx_u32(&x251, &x252, 0x0, x250, x247);\n fiat_p256_addcarryx_u32(&x253, &x254, x252, x248, x245);\n fiat_p256_addcarryx_u32(&x255, &x256, 0x0, x227, x249);\n fiat_p256_addcarryx_u32(&x257, &x258, x256, x229, x251);\n fiat_p256_addcarryx_u32(&x259, &x260, x258, x231, x253);\n fiat_p256_addcarryx_u32(&x261, &x262, x260, x233, (x254 + x246));\n fiat_p256_addcarryx_u32(&x263, &x264, x262, x235, 0x0);\n fiat_p256_addcarryx_u32(&x265, &x266, x264, x237, 0x0);\n fiat_p256_addcarryx_u32(&x267, &x268, x266, x239, x227);\n fiat_p256_addcarryx_u32(&x269, &x270, x268, x241, x243);\n fiat_p256_addcarryx_u32(&x271, &x272, x270, (((uint32_t)x242 + x202) + (x226 + x204)), x244);\n fiat_p256_mulx_u32(&x273, &x274, x4, 0x4);\n fiat_p256_mulx_u32(&x275, &x276, x4, UINT32_C(0xfffffffd));\n fiat_p256_mulx_u32(&x277, &x278, x4, UINT32_C(0xffffffff));\n fiat_p256_mulx_u32(&x279, &x280, x4, UINT32_C(0xfffffffe));\n fiat_p256_mulx_u32(&x281, &x282, x4, UINT32_C(0xfffffffb));\n fiat_p256_mulx_u32(&x283, &x284, x4, UINT32_C(0xffffffff));\n fiat_p256_mulx_u32(&x285, &x286, x4, 0x3);\n fiat_p256_addcarryx_u32(&x287, &x288, 0x0, x284, x281);\n fiat_p256_addcarryx_u32(&x289, &x290, x288, x282, x279);\n fiat_p256_addcarryx_u32(&x291, &x292, x290, x280, x277);\n fiat_p256_addcarryx_u32(&x293, &x294, x292, x278, x275);\n fiat_p256_addcarryx_u32(&x295, &x296, x294, x276, x273);\n fiat_p256_addcarryx_u32(&x297, &x298, 0x0, x257, x285);\n fiat_p256_addcarryx_u32(&x299, &x300, x298, x259, x286);\n fiat_p256_addcarryx_u32(&x301, &x302, x300, x261, x283);\n fiat_p256_addcarryx_u32(&x303, &x304, x302, x263, x287);\n fiat_p256_addcarryx_u32(&x305, &x306, x304, x265, x289);\n fiat_p256_addcarryx_u32(&x307, &x308, x306, x267, x291);\n fiat_p256_addcarryx_u32(&x309, &x310, x308, x269, x293);\n fiat_p256_addcarryx_u32(&x311, &x312, x310, x271, x295);\n fiat_p256_mulx_u32(&x313, &x314, x297, UINT32_C(0xffffffff));\n fiat_p256_mulx_u32(&x315, &x316, x297, UINT32_C(0xffffffff));\n fiat_p256_mulx_u32(&x317, &x318, x297, UINT32_C(0xffffffff));\n fiat_p256_mulx_u32(&x319, &x320, x297, UINT32_C(0xffffffff));\n fiat_p256_addcarryx_u32(&x321, &x322, 0x0, x320, x317);\n fiat_p256_addcarryx_u32(&x323, &x324, x322, x318, x315);\n fiat_p256_addcarryx_u32(&x325, &x326, 0x0, x297, x319);\n fiat_p256_addcarryx_u32(&x327, &x328, x326, x299, x321);\n fiat_p256_addcarryx_u32(&x329, &x330, x328, x301, x323);\n fiat_p256_addcarryx_u32(&x331, &x332, x330, x303, (x324 + x316));\n fiat_p256_addcarryx_u32(&x333, &x334, x332, x305, 0x0);\n fiat_p256_addcarryx_u32(&x335, &x336, x334, x307, 0x0);\n fiat_p256_addcarryx_u32(&x337, &x338, x336, x309, x297);\n fiat_p256_addcarryx_u32(&x339, &x340, x338, x311, x313);\n fiat_p256_addcarryx_u32(&x341, &x342, x340, (((uint32_t)x312 + x272) + (x296 + x274)), x314);\n fiat_p256_mulx_u32(&x343, &x344, x5, 0x4);\n fiat_p256_mulx_u32(&x345, &x346, x5, UINT32_C(0xfffffffd));\n fiat_p256_mulx_u32(&x347, &x348, x5, UINT32_C(0xffffffff));\n fiat_p256_mulx_u32(&x349, &x350, x5, UINT32_C(0xfffffffe));\n fiat_p256_mulx_u32(&x351, &x352, x5, UINT32_C(0xfffffffb));\n fiat_p256_mulx_u32(&x353, &x354, x5, UINT32_C(0xffffffff));\n fiat_p256_mulx_u32(&x355, &x356, x5, 0x3);\n fiat_p256_addcarryx_u32(&x357, &x358, 0x0, x354, x351);\n fiat_p256_addcarryx_u32(&x359, &x360, x358, x352, x349);\n fiat_p256_addcarryx_u32(&x361, &x362, x360, x350, x347);\n fiat_p256_addcarryx_u32(&x363, &x364, x362, x348, x345);\n fiat_p256_addcarryx_u32(&x365, &x366, x364, x346, x343);\n fiat_p256_addcarryx_u32(&x367, &x368, 0x0, x327, x355);\n fiat_p256_addcarryx_u32(&x369, &x370, x368, x329, x356);\n fiat_p256_addcarryx_u32(&x371, &x372, x370, x331, x353);\n fiat_p256_addcarryx_u32(&x373, &x374, x372, x333, x357);\n fiat_p256_addcarryx_u32(&x375, &x376, x374, x335, x359);\n fiat_p256_addcarryx_u32(&x377, &x378, x376, x337, x361);\n fiat_p256_addcarryx_u32(&x379, &x380, x378, x339, x363);\n fiat_p256_addcarryx_u32(&x381, &x382, x380, x341, x365);\n fiat_p256_mulx_u32(&x383, &x384, x367, UINT32_C(0xffffffff));\n fiat_p256_mulx_u32(&x385, &x386, x367, UINT32_C(0xffffffff));\n fiat_p256_mulx_u32(&x387, &x388, x367, UINT32_C(0xffffffff));\n fiat_p256_mulx_u32(&x389, &x390, x367, UINT32_C(0xffffffff));\n fiat_p256_addcarryx_u32(&x391, &x392, 0x0, x390, x387);\n fiat_p256_addcarryx_u32(&x393, &x394, x392, x388, x385);\n fiat_p256_addcarryx_u32(&x395, &x396, 0x0, x367, x389);\n fiat_p256_addcarryx_u32(&x397, &x398, x396, x369, x391);\n fiat_p256_addcarryx_u32(&x399, &x400, x398, x371, x393);\n fiat_p256_addcarryx_u32(&x401, &x402, x400, x373, (x394 + x386));\n fiat_p256_addcarryx_u32(&x403, &x404, x402, x375, 0x0);\n fiat_p256_addcarryx_u32(&x405, &x406, x404, x377, 0x0);\n fiat_p256_addcarryx_u32(&x407, &x408, x406, x379, x367);\n fiat_p256_addcarryx_u32(&x409, &x410, x408, x381, x383);\n fiat_p256_addcarryx_u32(&x411, &x412, x410, (((uint32_t)x382 + x342) + (x366 + x344)), x384);\n fiat_p256_mulx_u32(&x413, &x414, x6, 0x4);\n fiat_p256_mulx_u32(&x415, &x416, x6, UINT32_C(0xfffffffd));\n fiat_p256_mulx_u32(&x417, &x418, x6, UINT32_C(0xffffffff));\n fiat_p256_mulx_u32(&x419, &x420, x6, UINT32_C(0xfffffffe));\n fiat_p256_mulx_u32(&x421, &x422, x6, UINT32_C(0xfffffffb));\n fiat_p256_mulx_u32(&x423, &x424, x6, UINT32_C(0xffffffff));\n fiat_p256_mulx_u32(&x425, &x426, x6, 0x3);\n fiat_p256_addcarryx_u32(&x427, &x428, 0x0, x424, x421);\n fiat_p256_addcarryx_u32(&x429, &x430, x428, x422, x419);\n fiat_p256_addcarryx_u32(&x431, &x432, x430, x420, x417);\n fiat_p256_addcarryx_u32(&x433, &x434, x432, x418, x415);\n fiat_p256_addcarryx_u32(&x435, &x436, x434, x416, x413);\n fiat_p256_addcarryx_u32(&x437, &x438, 0x0, x397, x425);\n fiat_p256_addcarryx_u32(&x439, &x440, x438, x399, x426);\n fiat_p256_addcarryx_u32(&x441, &x442, x440, x401, x423);\n fiat_p256_addcarryx_u32(&x443, &x444, x442, x403, x427);\n fiat_p256_addcarryx_u32(&x445, &x446, x444, x405, x429);\n fiat_p256_addcarryx_u32(&x447, &x448, x446, x407, x431);\n fiat_p256_addcarryx_u32(&x449, &x450, x448, x409, x433);\n fiat_p256_addcarryx_u32(&x451, &x452, x450, x411, x435);\n fiat_p256_mulx_u32(&x453, &x454, x437, UINT32_C(0xffffffff));\n fiat_p256_mulx_u32(&x455, &x456, x437, UINT32_C(0xffffffff));\n fiat_p256_mulx_u32(&x457, &x458, x437, UINT32_C(0xffffffff));\n fiat_p256_mulx_u32(&x459, &x460, x437, UINT32_C(0xffffffff));\n fiat_p256_addcarryx_u32(&x461, &x462, 0x0, x460, x457);\n fiat_p256_addcarryx_u32(&x463, &x464, x462, x458, x455);\n fiat_p256_addcarryx_u32(&x465, &x466, 0x0, x437, x459);\n fiat_p256_addcarryx_u32(&x467, &x468, x466, x439, x461);\n fiat_p256_addcarryx_u32(&x469, &x470, x468, x441, x463);\n fiat_p256_addcarryx_u32(&x471, &x472, x470, x443, (x464 + x456));\n fiat_p256_addcarryx_u32(&x473, &x474, x472, x445, 0x0);\n fiat_p256_addcarryx_u32(&x475, &x476, x474, x447, 0x0);\n fiat_p256_addcarryx_u32(&x477, &x478, x476, x449, x437);\n fiat_p256_addcarryx_u32(&x479, &x480, x478, x451, x453);\n fiat_p256_addcarryx_u32(&x481, &x482, x480, (((uint32_t)x452 + x412) + (x436 + x414)), x454);\n fiat_p256_mulx_u32(&x483, &x484, x7, 0x4);\n fiat_p256_mulx_u32(&x485, &x486, x7, UINT32_C(0xfffffffd));\n fiat_p256_mulx_u32(&x487, &x488, x7, UINT32_C(0xffffffff));\n fiat_p256_mulx_u32(&x489, &x490, x7, UINT32_C(0xfffffffe));\n fiat_p256_mulx_u32(&x491, &x492, x7, UINT32_C(0xfffffffb));\n fiat_p256_mulx_u32(&x493, &x494, x7, UINT32_C(0xffffffff));\n fiat_p256_mulx_u32(&x495, &x496, x7, 0x3);\n fiat_p256_addcarryx_u32(&x497, &x498, 0x0, x494, x491);\n fiat_p256_addcarryx_u32(&x499, &x500, x498, x492, x489);\n fiat_p256_addcarryx_u32(&x501, &x502, x500, x490, x487);\n fiat_p256_addcarryx_u32(&x503, &x504, x502, x488, x485);\n fiat_p256_addcarryx_u32(&x505, &x506, x504, x486, x483);\n fiat_p256_addcarryx_u32(&x507, &x508, 0x0, x467, x495);\n fiat_p256_addcarryx_u32(&x509, &x510, x508, x469, x496);\n fiat_p256_addcarryx_u32(&x511, &x512, x510, x471, x493);\n fiat_p256_addcarryx_u32(&x513, &x514, x512, x473, x497);\n fiat_p256_addcarryx_u32(&x515, &x516, x514, x475, x499);\n fiat_p256_addcarryx_u32(&x517, &x518, x516, x477, x501);\n fiat_p256_addcarryx_u32(&x519, &x520, x518, x479, x503);\n fiat_p256_addcarryx_u32(&x521, &x522, x520, x481, x505);\n fiat_p256_mulx_u32(&x523, &x524, x507, UINT32_C(0xffffffff));\n fiat_p256_mulx_u32(&x525, &x526, x507, UINT32_C(0xffffffff));\n fiat_p256_mulx_u32(&x527, &x528, x507, UINT32_C(0xffffffff));\n fiat_p256_mulx_u32(&x529, &x530, x507, UINT32_C(0xffffffff));\n fiat_p256_addcarryx_u32(&x531, &x532, 0x0, x530, x527);\n fiat_p256_addcarryx_u32(&x533, &x534, x532, x528, x525);\n fiat_p256_addcarryx_u32(&x535, &x536, 0x0, x507, x529);\n fiat_p256_addcarryx_u32(&x537, &x538, x536, x509, x531);\n fiat_p256_addcarryx_u32(&x539, &x540, x538, x511, x533);\n fiat_p256_addcarryx_u32(&x541, &x542, x540, x513, (x534 + x526));\n fiat_p256_addcarryx_u32(&x543, &x544, x542, x515, 0x0);\n fiat_p256_addcarryx_u32(&x545, &x546, x544, x517, 0x0);\n fiat_p256_addcarryx_u32(&x547, &x548, x546, x519, x507);\n fiat_p256_addcarryx_u32(&x549, &x550, x548, x521, x523);\n fiat_p256_addcarryx_u32(&x551, &x552, x550, (((uint32_t)x522 + x482) + (x506 + x484)), x524);\n fiat_p256_subborrowx_u32(&x553, &x554, 0x0, x537, UINT32_C(0xffffffff));\n fiat_p256_subborrowx_u32(&x555, &x556, x554, x539, UINT32_C(0xffffffff));\n fiat_p256_subborrowx_u32(&x557, &x558, x556, x541, UINT32_C(0xffffffff));\n fiat_p256_subborrowx_u32(&x559, &x560, x558, x543, 0x0);\n fiat_p256_subborrowx_u32(&x561, &x562, x560, x545, 0x0);\n fiat_p256_subborrowx_u32(&x563, &x564, x562, x547, 0x0);\n fiat_p256_subborrowx_u32(&x565, &x566, x564, x549, 0x1);\n fiat_p256_subborrowx_u32(&x567, &x568, x566, x551, UINT32_C(0xffffffff));\n fiat_p256_subborrowx_u32(&x569, &x570, x568, x552, 0x0);\n fiat_p256_cmovznz_u32(&x571, x570, x553, x537);\n fiat_p256_cmovznz_u32(&x572, x570, x555, x539);\n fiat_p256_cmovznz_u32(&x573, x570, x557, x541);\n fiat_p256_cmovznz_u32(&x574, x570, x559, x543);\n fiat_p256_cmovznz_u32(&x575, x570, x561, x545);\n fiat_p256_cmovznz_u32(&x576, x570, x563, x547);\n fiat_p256_cmovznz_u32(&x577, x570, x565, x549);\n fiat_p256_cmovznz_u32(&x578, x570, x567, x551);\n out1[0] = x571;\n out1[1] = x572;\n out1[2] = x573;\n out1[3] = x574;\n out1[4] = x575;\n out1[5] = x576;\n out1[6] = x577;\n out1[7] = x578;\n}\n\n/*\n * The function fiat_p256_nonzero outputs a single non-zero word if the input is non-zero and zero otherwise.\n *\n * Preconditions:\n * 0 ≤ eval arg1 < m\n * Postconditions:\n * out1 = 0 ↔ eval (from_montgomery arg1) mod m = 0\n *\n * Input Bounds:\n * arg1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]]\n * Output Bounds:\n * out1: [0x0 ~> 0xffffffff]\n */\nstatic FIAT_P256_FIAT_INLINE void fiat_p256_nonzero(uint32_t* out1, const uint32_t arg1[8]) {\n uint32_t x1;\n x1 = ((arg1[0]) | ((arg1[1]) | ((arg1[2]) | ((arg1[3]) | ((arg1[4]) | ((arg1[5]) | ((arg1[6]) | (arg1[7]))))))));\n *out1 = x1;\n}\n\n/*\n * The function fiat_p256_selectznz is a multi-limb conditional select.\n *\n * Postconditions:\n * eval out1 = (if arg1 = 0 then eval arg2 else eval arg3)\n *\n * Input Bounds:\n * arg1: [0x0 ~> 0x1]\n * arg2: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]]\n * arg3: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]]\n * Output Bounds:\n * out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]]\n */\nstatic FIAT_P256_FIAT_INLINE void fiat_p256_selectznz(uint32_t out1[8], fiat_p256_uint1 arg1, const uint32_t arg2[8], const uint32_t arg3[8]) {\n uint32_t x1;\n uint32_t x2;\n uint32_t x3;\n uint32_t x4;\n uint32_t x5;\n uint32_t x6;\n uint32_t x7;\n uint32_t x8;\n fiat_p256_cmovznz_u32(&x1, arg1, (arg2[0]), (arg3[0]));\n fiat_p256_cmovznz_u32(&x2, arg1, (arg2[1]), (arg3[1]));\n fiat_p256_cmovznz_u32(&x3, arg1, (arg2[2]), (arg3[2]));\n fiat_p256_cmovznz_u32(&x4, arg1, (arg2[3]), (arg3[3]));\n fiat_p256_cmovznz_u32(&x5, arg1, (arg2[4]), (arg3[4]));\n fiat_p256_cmovznz_u32(&x6, arg1, (arg2[5]), (arg3[5]));\n fiat_p256_cmovznz_u32(&x7, arg1, (arg2[6]), (arg3[6]));\n fiat_p256_cmovznz_u32(&x8, arg1, (arg2[7]), (arg3[7]));\n out1[0] = x1;\n out1[1] = x2;\n out1[2] = x3;\n out1[3] = x4;\n out1[4] = x5;\n out1[5] = x6;\n out1[6] = x7;\n out1[7] = x8;\n}\n\n/*\n * The function fiat_p256_to_bytes serializes a field element NOT in the Montgomery domain to bytes in little-endian order.\n *\n * Preconditions:\n * 0 ≤ eval arg1 < m\n * Postconditions:\n * out1 = map (λ x, ⌊((eval arg1 mod m) mod 2^(8 * (x + 1))) / 2^(8 * x)⌋) [0..31]\n *\n * Input Bounds:\n * arg1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]]\n * Output Bounds:\n * out1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff]]\n */\nstatic FIAT_P256_FIAT_INLINE void fiat_p256_to_bytes(uint8_t out1[32], const uint32_t arg1[8]) {\n uint32_t x1;\n uint32_t x2;\n uint32_t x3;\n uint32_t x4;\n uint32_t x5;\n uint32_t x6;\n uint32_t x7;\n uint32_t x8;\n uint8_t x9;\n uint32_t x10;\n uint8_t x11;\n uint32_t x12;\n uint8_t x13;\n uint8_t x14;\n uint8_t x15;\n uint32_t x16;\n uint8_t x17;\n uint32_t x18;\n uint8_t x19;\n uint8_t x20;\n uint8_t x21;\n uint32_t x22;\n uint8_t x23;\n uint32_t x24;\n uint8_t x25;\n uint8_t x26;\n uint8_t x27;\n uint32_t x28;\n uint8_t x29;\n uint32_t x30;\n uint8_t x31;\n uint8_t x32;\n uint8_t x33;\n uint32_t x34;\n uint8_t x35;\n uint32_t x36;\n uint8_t x37;\n uint8_t x38;\n uint8_t x39;\n uint32_t x40;\n uint8_t x41;\n uint32_t x42;\n uint8_t x43;\n uint8_t x44;\n uint8_t x45;\n uint32_t x46;\n uint8_t x47;\n uint32_t x48;\n uint8_t x49;\n uint8_t x50;\n uint8_t x51;\n uint32_t x52;\n uint8_t x53;\n uint32_t x54;\n uint8_t x55;\n uint8_t x56;\n x1 = (arg1[7]);\n x2 = (arg1[6]);\n x3 = (arg1[5]);\n x4 = (arg1[4]);\n x5 = (arg1[3]);\n x6 = (arg1[2]);\n x7 = (arg1[1]);\n x8 = (arg1[0]);\n x9 = (uint8_t)(x8 & UINT8_C(0xff));\n x10 = (x8 >> 8);\n x11 = (uint8_t)(x10 & UINT8_C(0xff));\n x12 = (x10 >> 8);\n x13 = (uint8_t)(x12 & UINT8_C(0xff));\n x14 = (uint8_t)(x12 >> 8);\n x15 = (uint8_t)(x7 & UINT8_C(0xff));\n x16 = (x7 >> 8);\n x17 = (uint8_t)(x16 & UINT8_C(0xff));\n x18 = (x16 >> 8);\n x19 = (uint8_t)(x18 & UINT8_C(0xff));\n x20 = (uint8_t)(x18 >> 8);\n x21 = (uint8_t)(x6 & UINT8_C(0xff));\n x22 = (x6 >> 8);\n x23 = (uint8_t)(x22 & UINT8_C(0xff));\n x24 = (x22 >> 8);\n x25 = (uint8_t)(x24 & UINT8_C(0xff));\n x26 = (uint8_t)(x24 >> 8);\n x27 = (uint8_t)(x5 & UINT8_C(0xff));\n x28 = (x5 >> 8);\n x29 = (uint8_t)(x28 & UINT8_C(0xff));\n x30 = (x28 >> 8);\n x31 = (uint8_t)(x30 & UINT8_C(0xff));\n x32 = (uint8_t)(x30 >> 8);\n x33 = (uint8_t)(x4 & UINT8_C(0xff));\n x34 = (x4 >> 8);\n x35 = (uint8_t)(x34 & UINT8_C(0xff));\n x36 = (x34 >> 8);\n x37 = (uint8_t)(x36 & UINT8_C(0xff));\n x38 = (uint8_t)(x36 >> 8);\n x39 = (uint8_t)(x3 & UINT8_C(0xff));\n x40 = (x3 >> 8);\n x41 = (uint8_t)(x40 & UINT8_C(0xff));\n x42 = (x40 >> 8);\n x43 = (uint8_t)(x42 & UINT8_C(0xff));\n x44 = (uint8_t)(x42 >> 8);\n x45 = (uint8_t)(x2 & UINT8_C(0xff));\n x46 = (x2 >> 8);\n x47 = (uint8_t)(x46 & UINT8_C(0xff));\n x48 = (x46 >> 8);\n x49 = (uint8_t)(x48 & UINT8_C(0xff));\n x50 = (uint8_t)(x48 >> 8);\n x51 = (uint8_t)(x1 & UINT8_C(0xff));\n x52 = (x1 >> 8);\n x53 = (uint8_t)(x52 & UINT8_C(0xff));\n x54 = (x52 >> 8);\n x55 = (uint8_t)(x54 & UINT8_C(0xff));\n x56 = (uint8_t)(x54 >> 8);\n out1[0] = x9;\n out1[1] = x11;\n out1[2] = x13;\n out1[3] = x14;\n out1[4] = x15;\n out1[5] = x17;\n out1[6] = x19;\n out1[7] = x20;\n out1[8] = x21;\n out1[9] = x23;\n out1[10] = x25;\n out1[11] = x26;\n out1[12] = x27;\n out1[13] = x29;\n out1[14] = x31;\n out1[15] = x32;\n out1[16] = x33;\n out1[17] = x35;\n out1[18] = x37;\n out1[19] = x38;\n out1[20] = x39;\n out1[21] = x41;\n out1[22] = x43;\n out1[23] = x44;\n out1[24] = x45;\n out1[25] = x47;\n out1[26] = x49;\n out1[27] = x50;\n out1[28] = x51;\n out1[29] = x53;\n out1[30] = x55;\n out1[31] = x56;\n}\n\n/*\n * The function fiat_p256_from_bytes deserializes a field element NOT in the Montgomery domain from bytes in little-endian order.\n *\n * Preconditions:\n * 0 ≤ bytes_eval arg1 < m\n * Postconditions:\n * eval out1 mod m = bytes_eval arg1 mod m\n * 0 ≤ eval out1 < m\n *\n * Input Bounds:\n * arg1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff]]\n * Output Bounds:\n * out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]]\n */\nstatic FIAT_P256_FIAT_INLINE void fiat_p256_from_bytes(uint32_t out1[8], const uint8_t arg1[32]) {\n uint32_t x1;\n uint32_t x2;\n uint32_t x3;\n uint8_t x4;\n uint32_t x5;\n uint32_t x6;\n uint32_t x7;\n uint8_t x8;\n uint32_t x9;\n uint32_t x10;\n uint32_t x11;\n uint8_t x12;\n uint32_t x13;\n uint32_t x14;\n uint32_t x15;\n uint8_t x16;\n uint32_t x17;\n uint32_t x18;\n uint32_t x19;\n uint8_t x20;\n uint32_t x21;\n uint32_t x22;\n uint32_t x23;\n uint8_t x24;\n uint32_t x25;\n uint32_t x26;\n uint32_t x27;\n uint8_t x28;\n uint32_t x29;\n uint32_t x30;\n uint32_t x31;\n uint8_t x32;\n uint32_t x33;\n uint32_t x34;\n uint32_t x35;\n uint32_t x36;\n uint32_t x37;\n uint32_t x38;\n uint32_t x39;\n uint32_t x40;\n uint32_t x41;\n uint32_t x42;\n uint32_t x43;\n uint32_t x44;\n uint32_t x45;\n uint32_t x46;\n uint32_t x47;\n uint32_t x48;\n uint32_t x49;\n uint32_t x50;\n uint32_t x51;\n uint32_t x52;\n uint32_t x53;\n uint32_t x54;\n uint32_t x55;\n uint32_t x56;\n x1 = ((uint32_t)(arg1[31]) << 24);\n x2 = ((uint32_t)(arg1[30]) << 16);\n x3 = ((uint32_t)(arg1[29]) << 8);\n x4 = (arg1[28]);\n x5 = ((uint32_t)(arg1[27]) << 24);\n x6 = ((uint32_t)(arg1[26]) << 16);\n x7 = ((uint32_t)(arg1[25]) << 8);\n x8 = (arg1[24]);\n x9 = ((uint32_t)(arg1[23]) << 24);\n x10 = ((uint32_t)(arg1[22]) << 16);\n x11 = ((uint32_t)(arg1[21]) << 8);\n x12 = (arg1[20]);\n x13 = ((uint32_t)(arg1[19]) << 24);\n x14 = ((uint32_t)(arg1[18]) << 16);\n x15 = ((uint32_t)(arg1[17]) << 8);\n x16 = (arg1[16]);\n x17 = ((uint32_t)(arg1[15]) << 24);\n x18 = ((uint32_t)(arg1[14]) << 16);\n x19 = ((uint32_t)(arg1[13]) << 8);\n x20 = (arg1[12]);\n x21 = ((uint32_t)(arg1[11]) << 24);\n x22 = ((uint32_t)(arg1[10]) << 16);\n x23 = ((uint32_t)(arg1[9]) << 8);\n x24 = (arg1[8]);\n x25 = ((uint32_t)(arg1[7]) << 24);\n x26 = ((uint32_t)(arg1[6]) << 16);\n x27 = ((uint32_t)(arg1[5]) << 8);\n x28 = (arg1[4]);\n x29 = ((uint32_t)(arg1[3]) << 24);\n x30 = ((uint32_t)(arg1[2]) << 16);\n x31 = ((uint32_t)(arg1[1]) << 8);\n x32 = (arg1[0]);\n x33 = (x31 + (uint32_t)x32);\n x34 = (x30 + x33);\n x35 = (x29 + x34);\n x36 = (x27 + (uint32_t)x28);\n x37 = (x26 + x36);\n x38 = (x25 + x37);\n x39 = (x23 + (uint32_t)x24);\n x40 = (x22 + x39);\n x41 = (x21 + x40);\n x42 = (x19 + (uint32_t)x20);\n x43 = (x18 + x42);\n x44 = (x17 + x43);\n x45 = (x15 + (uint32_t)x16);\n x46 = (x14 + x45);\n x47 = (x13 + x46);\n x48 = (x11 + (uint32_t)x12);\n x49 = (x10 + x48);\n x50 = (x9 + x49);\n x51 = (x7 + (uint32_t)x8);\n x52 = (x6 + x51);\n x53 = (x5 + x52);\n x54 = (x3 + (uint32_t)x4);\n x55 = (x2 + x54);\n x56 = (x1 + x55);\n out1[0] = x35;\n out1[1] = x38;\n out1[2] = x41;\n out1[3] = x44;\n out1[4] = x47;\n out1[5] = x50;\n out1[6] = x53;\n out1[7] = x56;\n}\n\n/*\n * The function fiat_p256_set_one returns the field element one in the Montgomery domain.\n *\n * Postconditions:\n * eval (from_montgomery out1) mod m = 1 mod m\n * 0 ≤ eval out1 < m\n *\n */\nstatic FIAT_P256_FIAT_INLINE void fiat_p256_set_one(fiat_p256_montgomery_domain_field_element out1) {\n out1[0] = 0x1;\n out1[1] = 0x0;\n out1[2] = 0x0;\n out1[3] = UINT32_C(0xffffffff);\n out1[4] = UINT32_C(0xffffffff);\n out1[5] = UINT32_C(0xffffffff);\n out1[6] = UINT32_C(0xfffffffe);\n out1[7] = 0x0;\n}\n\n/*\n * The function fiat_p256_msat returns the saturated representation of the prime modulus.\n *\n * Postconditions:\n * twos_complement_eval out1 = m\n * 0 ≤ eval out1 < m\n *\n * Output Bounds:\n * out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]]\n */\nstatic FIAT_P256_FIAT_INLINE void fiat_p256_msat(uint32_t out1[9]) {\n out1[0] = UINT32_C(0xffffffff);\n out1[1] = UINT32_C(0xffffffff);\n out1[2] = UINT32_C(0xffffffff);\n out1[3] = 0x0;\n out1[4] = 0x0;\n out1[5] = 0x0;\n out1[6] = 0x1;\n out1[7] = UINT32_C(0xffffffff);\n out1[8] = 0x0;\n}\n\n/*\n * The function fiat_p256_divstep computes a divstep.\n *\n * Preconditions:\n * 0 ≤ eval arg4 < m\n * 0 ≤ eval arg5 < m\n * Postconditions:\n * out1 = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then 1 - arg1 else 1 + arg1)\n * twos_complement_eval out2 = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then twos_complement_eval arg3 else twos_complement_eval arg2)\n * twos_complement_eval out3 = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then ⌊(twos_complement_eval arg3 - twos_complement_eval arg2) / 2⌋ else ⌊(twos_complement_eval arg3 + (twos_complement_eval arg3 mod 2) * twos_complement_eval arg2) / 2⌋)\n * eval (from_montgomery out4) mod m = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then (2 * eval (from_montgomery arg5)) mod m else (2 * eval (from_montgomery arg4)) mod m)\n * eval (from_montgomery out5) mod m = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then (eval (from_montgomery arg4) - eval (from_montgomery arg4)) mod m else (eval (from_montgomery arg5) + (twos_complement_eval arg3 mod 2) * eval (from_montgomery arg4)) mod m)\n * 0 ≤ eval out5 < m\n * 0 ≤ eval out5 < m\n * 0 ≤ eval out2 < m\n * 0 ≤ eval out3 < m\n *\n * Input Bounds:\n * arg1: [0x0 ~> 0xffffffff]\n * arg2: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]]\n * arg3: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]]\n * arg4: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]]\n * arg5: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]]\n * Output Bounds:\n * out1: [0x0 ~> 0xffffffff]\n * out2: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]]\n * out3: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]]\n * out4: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]]\n * out5: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]]\n */\nstatic FIAT_P256_FIAT_INLINE void fiat_p256_divstep(uint32_t* out1, uint32_t out2[9], uint32_t out3[9], uint32_t out4[8], uint32_t out5[8], uint32_t arg1, const uint32_t arg2[9], const uint32_t arg3[9], const uint32_t arg4[8], const uint32_t arg5[8]) {\n uint32_t x1;\n fiat_p256_uint1 x2;\n fiat_p256_uint1 x3;\n uint32_t x4;\n fiat_p256_uint1 x5;\n uint32_t x6;\n uint32_t x7;\n uint32_t x8;\n uint32_t x9;\n uint32_t x10;\n uint32_t x11;\n uint32_t x12;\n uint32_t x13;\n uint32_t x14;\n uint32_t x15;\n uint32_t x16;\n fiat_p256_uint1 x17;\n uint32_t x18;\n fiat_p256_uint1 x19;\n uint32_t x20;\n fiat_p256_uint1 x21;\n uint32_t x22;\n fiat_p256_uint1 x23;\n uint32_t x24;\n fiat_p256_uint1 x25;\n uint32_t x26;\n fiat_p256_uint1 x27;\n uint32_t x28;\n fiat_p256_uint1 x29;\n uint32_t x30;\n fiat_p256_uint1 x31;\n uint32_t x32;\n fiat_p256_uint1 x33;\n uint32_t x34;\n uint32_t x35;\n uint32_t x36;\n uint32_t x37;\n uint32_t x38;\n uint32_t x39;\n uint32_t x40;\n uint32_t x41;\n uint32_t x42;\n uint32_t x43;\n uint32_t x44;\n uint32_t x45;\n uint32_t x46;\n uint32_t x47;\n uint32_t x48;\n uint32_t x49;\n uint32_t x50;\n uint32_t x51;\n fiat_p256_uint1 x52;\n uint32_t x53;\n fiat_p256_uint1 x54;\n uint32_t x55;\n fiat_p256_uint1 x56;\n uint32_t x57;\n fiat_p256_uint1 x58;\n uint32_t x59;\n fiat_p256_uint1 x60;\n uint32_t x61;\n fiat_p256_uint1 x62;\n uint32_t x63;\n fiat_p256_uint1 x64;\n uint32_t x65;\n fiat_p256_uint1 x66;\n uint32_t x67;\n fiat_p256_uint1 x68;\n uint32_t x69;\n fiat_p256_uint1 x70;\n uint32_t x71;\n fiat_p256_uint1 x72;\n uint32_t x73;\n fiat_p256_uint1 x74;\n uint32_t x75;\n fiat_p256_uint1 x76;\n uint32_t x77;\n fiat_p256_uint1 x78;\n uint32_t x79;\n fiat_p256_uint1 x80;\n uint32_t x81;\n fiat_p256_uint1 x82;\n uint32_t x83;\n fiat_p256_uint1 x84;\n uint32_t x85;\n uint32_t x86;\n uint32_t x87;\n uint32_t x88;\n uint32_t x89;\n uint32_t x90;\n uint32_t x91;\n uint32_t x92;\n uint32_t x93;\n fiat_p256_uint1 x94;\n uint32_t x95;\n fiat_p256_uint1 x96;\n uint32_t x97;\n fiat_p256_uint1 x98;\n uint32_t x99;\n fiat_p256_uint1 x100;\n uint32_t x101;\n fiat_p256_uint1 x102;\n uint32_t x103;\n fiat_p256_uint1 x104;\n uint32_t x105;\n fiat_p256_uint1 x106;\n uint32_t x107;\n fiat_p256_uint1 x108;\n uint32_t x109;\n uint32_t x110;\n fiat_p256_uint1 x111;\n uint32_t x112;\n fiat_p256_uint1 x113;\n uint32_t x114;\n fiat_p256_uint1 x115;\n uint32_t x116;\n fiat_p256_uint1 x117;\n uint32_t x118;\n fiat_p256_uint1 x119;\n uint32_t x120;\n fiat_p256_uint1 x121;\n uint32_t x122;\n fiat_p256_uint1 x123;\n uint32_t x124;\n fiat_p256_uint1 x125;\n uint32_t x126;\n uint32_t x127;\n uint32_t x128;\n uint32_t x129;\n uint32_t x130;\n uint32_t x131;\n uint32_t x132;\n uint32_t x133;\n fiat_p256_uint1 x134;\n uint32_t x135;\n uint32_t x136;\n uint32_t x137;\n uint32_t x138;\n uint32_t x139;\n uint32_t x140;\n uint32_t x141;\n uint32_t x142;\n uint32_t x143;\n uint32_t x144;\n fiat_p256_uint1 x145;\n uint32_t x146;\n fiat_p256_uint1 x147;\n uint32_t x148;\n fiat_p256_uint1 x149;\n uint32_t x150;\n fiat_p256_uint1 x151;\n uint32_t x152;\n fiat_p256_uint1 x153;\n uint32_t x154;\n fiat_p256_uint1 x155;\n uint32_t x156;\n fiat_p256_uint1 x157;\n uint32_t x158;\n fiat_p256_uint1 x159;\n uint32_t x160;\n fiat_p256_uint1 x161;\n uint32_t x162;\n uint32_t x163;\n uint32_t x164;\n uint32_t x165;\n uint32_t x166;\n uint32_t x167;\n uint32_t x168;\n uint32_t x169;\n uint32_t x170;\n fiat_p256_uint1 x171;\n uint32_t x172;\n fiat_p256_uint1 x173;\n uint32_t x174;\n fiat_p256_uint1 x175;\n uint32_t x176;\n fiat_p256_uint1 x177;\n uint32_t x178;\n fiat_p256_uint1 x179;\n uint32_t x180;\n fiat_p256_uint1 x181;\n uint32_t x182;\n fiat_p256_uint1 x183;\n uint32_t x184;\n fiat_p256_uint1 x185;\n uint32_t x186;\n fiat_p256_uint1 x187;\n uint32_t x188;\n fiat_p256_uint1 x189;\n uint32_t x190;\n fiat_p256_uint1 x191;\n uint32_t x192;\n fiat_p256_uint1 x193;\n uint32_t x194;\n fiat_p256_uint1 x195;\n uint32_t x196;\n fiat_p256_uint1 x197;\n uint32_t x198;\n fiat_p256_uint1 x199;\n uint32_t x200;\n fiat_p256_uint1 x201;\n uint32_t x202;\n fiat_p256_uint1 x203;\n uint32_t x204;\n fiat_p256_uint1 x205;\n uint32_t x206;\n uint32_t x207;\n uint32_t x208;\n uint32_t x209;\n uint32_t x210;\n uint32_t x211;\n uint32_t x212;\n uint32_t x213;\n uint32_t x214;\n uint32_t x215;\n uint32_t x216;\n uint32_t x217;\n uint32_t x218;\n uint32_t x219;\n uint32_t x220;\n uint32_t x221;\n uint32_t x222;\n uint32_t x223;\n uint32_t x224;\n uint32_t x225;\n uint32_t x226;\n uint32_t x227;\n uint32_t x228;\n uint32_t x229;\n uint32_t x230;\n fiat_p256_addcarryx_u32(&x1, &x2, 0x0, (~arg1), 0x1);\n x3 = (fiat_p256_uint1)((fiat_p256_uint1)(x1 >> 31) & (fiat_p256_uint1)((arg3[0]) & 0x1));\n fiat_p256_addcarryx_u32(&x4, &x5, 0x0, (~arg1), 0x1);\n fiat_p256_cmovznz_u32(&x6, x3, arg1, x4);\n fiat_p256_cmovznz_u32(&x7, x3, (arg2[0]), (arg3[0]));\n fiat_p256_cmovznz_u32(&x8, x3, (arg2[1]), (arg3[1]));\n fiat_p256_cmovznz_u32(&x9, x3, (arg2[2]), (arg3[2]));\n fiat_p256_cmovznz_u32(&x10, x3, (arg2[3]), (arg3[3]));\n fiat_p256_cmovznz_u32(&x11, x3, (arg2[4]), (arg3[4]));\n fiat_p256_cmovznz_u32(&x12, x3, (arg2[5]), (arg3[5]));\n fiat_p256_cmovznz_u32(&x13, x3, (arg2[6]), (arg3[6]));\n fiat_p256_cmovznz_u32(&x14, x3, (arg2[7]), (arg3[7]));\n fiat_p256_cmovznz_u32(&x15, x3, (arg2[8]), (arg3[8]));\n fiat_p256_addcarryx_u32(&x16, &x17, 0x0, 0x1, (~(arg2[0])));\n fiat_p256_addcarryx_u32(&x18, &x19, x17, 0x0, (~(arg2[1])));\n fiat_p256_addcarryx_u32(&x20, &x21, x19, 0x0, (~(arg2[2])));\n fiat_p256_addcarryx_u32(&x22, &x23, x21, 0x0, (~(arg2[3])));\n fiat_p256_addcarryx_u32(&x24, &x25, x23, 0x0, (~(arg2[4])));\n fiat_p256_addcarryx_u32(&x26, &x27, x25, 0x0, (~(arg2[5])));\n fiat_p256_addcarryx_u32(&x28, &x29, x27, 0x0, (~(arg2[6])));\n fiat_p256_addcarryx_u32(&x30, &x31, x29, 0x0, (~(arg2[7])));\n fiat_p256_addcarryx_u32(&x32, &x33, x31, 0x0, (~(arg2[8])));\n fiat_p256_cmovznz_u32(&x34, x3, (arg3[0]), x16);\n fiat_p256_cmovznz_u32(&x35, x3, (arg3[1]), x18);\n fiat_p256_cmovznz_u32(&x36, x3, (arg3[2]), x20);\n fiat_p256_cmovznz_u32(&x37, x3, (arg3[3]), x22);\n fiat_p256_cmovznz_u32(&x38, x3, (arg3[4]), x24);\n fiat_p256_cmovznz_u32(&x39, x3, (arg3[5]), x26);\n fiat_p256_cmovznz_u32(&x40, x3, (arg3[6]), x28);\n fiat_p256_cmovznz_u32(&x41, x3, (arg3[7]), x30);\n fiat_p256_cmovznz_u32(&x42, x3, (arg3[8]), x32);\n fiat_p256_cmovznz_u32(&x43, x3, (arg4[0]), (arg5[0]));\n fiat_p256_cmovznz_u32(&x44, x3, (arg4[1]), (arg5[1]));\n fiat_p256_cmovznz_u32(&x45, x3, (arg4[2]), (arg5[2]));\n fiat_p256_cmovznz_u32(&x46, x3, (arg4[3]), (arg5[3]));\n fiat_p256_cmovznz_u32(&x47, x3, (arg4[4]), (arg5[4]));\n fiat_p256_cmovznz_u32(&x48, x3, (arg4[5]), (arg5[5]));\n fiat_p256_cmovznz_u32(&x49, x3, (arg4[6]), (arg5[6]));\n fiat_p256_cmovznz_u32(&x50, x3, (arg4[7]), (arg5[7]));\n fiat_p256_addcarryx_u32(&x51, &x52, 0x0, x43, x43);\n fiat_p256_addcarryx_u32(&x53, &x54, x52, x44, x44);\n fiat_p256_addcarryx_u32(&x55, &x56, x54, x45, x45);\n fiat_p256_addcarryx_u32(&x57, &x58, x56, x46, x46);\n fiat_p256_addcarryx_u32(&x59, &x60, x58, x47, x47);\n fiat_p256_addcarryx_u32(&x61, &x62, x60, x48, x48);\n fiat_p256_addcarryx_u32(&x63, &x64, x62, x49, x49);\n fiat_p256_addcarryx_u32(&x65, &x66, x64, x50, x50);\n fiat_p256_subborrowx_u32(&x67, &x68, 0x0, x51, UINT32_C(0xffffffff));\n fiat_p256_subborrowx_u32(&x69, &x70, x68, x53, UINT32_C(0xffffffff));\n fiat_p256_subborrowx_u32(&x71, &x72, x70, x55, UINT32_C(0xffffffff));\n fiat_p256_subborrowx_u32(&x73, &x74, x72, x57, 0x0);\n fiat_p256_subborrowx_u32(&x75, &x76, x74, x59, 0x0);\n fiat_p256_subborrowx_u32(&x77, &x78, x76, x61, 0x0);\n fiat_p256_subborrowx_u32(&x79, &x80, x78, x63, 0x1);\n fiat_p256_subborrowx_u32(&x81, &x82, x80, x65, UINT32_C(0xffffffff));\n fiat_p256_subborrowx_u32(&x83, &x84, x82, x66, 0x0);\n x85 = (arg4[7]);\n x86 = (arg4[6]);\n x87 = (arg4[5]);\n x88 = (arg4[4]);\n x89 = (arg4[3]);\n x90 = (arg4[2]);\n x91 = (arg4[1]);\n x92 = (arg4[0]);\n fiat_p256_subborrowx_u32(&x93, &x94, 0x0, 0x0, x92);\n fiat_p256_subborrowx_u32(&x95, &x96, x94, 0x0, x91);\n fiat_p256_subborrowx_u32(&x97, &x98, x96, 0x0, x90);\n fiat_p256_subborrowx_u32(&x99, &x100, x98, 0x0, x89);\n fiat_p256_subborrowx_u32(&x101, &x102, x100, 0x0, x88);\n fiat_p256_subborrowx_u32(&x103, &x104, x102, 0x0, x87);\n fiat_p256_subborrowx_u32(&x105, &x106, x104, 0x0, x86);\n fiat_p256_subborrowx_u32(&x107, &x108, x106, 0x0, x85);\n fiat_p256_cmovznz_u32(&x109, x108, 0x0, UINT32_C(0xffffffff));\n fiat_p256_addcarryx_u32(&x110, &x111, 0x0, x93, x109);\n fiat_p256_addcarryx_u32(&x112, &x113, x111, x95, x109);\n fiat_p256_addcarryx_u32(&x114, &x115, x113, x97, x109);\n fiat_p256_addcarryx_u32(&x116, &x117, x115, x99, 0x0);\n fiat_p256_addcarryx_u32(&x118, &x119, x117, x101, 0x0);\n fiat_p256_addcarryx_u32(&x120, &x121, x119, x103, 0x0);\n fiat_p256_addcarryx_u32(&x122, &x123, x121, x105, (fiat_p256_uint1)(x109 & 0x1));\n fiat_p256_addcarryx_u32(&x124, &x125, x123, x107, x109);\n fiat_p256_cmovznz_u32(&x126, x3, (arg5[0]), x110);\n fiat_p256_cmovznz_u32(&x127, x3, (arg5[1]), x112);\n fiat_p256_cmovznz_u32(&x128, x3, (arg5[2]), x114);\n fiat_p256_cmovznz_u32(&x129, x3, (arg5[3]), x116);\n fiat_p256_cmovznz_u32(&x130, x3, (arg5[4]), x118);\n fiat_p256_cmovznz_u32(&x131, x3, (arg5[5]), x120);\n fiat_p256_cmovznz_u32(&x132, x3, (arg5[6]), x122);\n fiat_p256_cmovznz_u32(&x133, x3, (arg5[7]), x124);\n x134 = (fiat_p256_uint1)(x34 & 0x1);\n fiat_p256_cmovznz_u32(&x135, x134, 0x0, x7);\n fiat_p256_cmovznz_u32(&x136, x134, 0x0, x8);\n fiat_p256_cmovznz_u32(&x137, x134, 0x0, x9);\n fiat_p256_cmovznz_u32(&x138, x134, 0x0, x10);\n fiat_p256_cmovznz_u32(&x139, x134, 0x0, x11);\n fiat_p256_cmovznz_u32(&x140, x134, 0x0, x12);\n fiat_p256_cmovznz_u32(&x141, x134, 0x0, x13);\n fiat_p256_cmovznz_u32(&x142, x134, 0x0, x14);\n fiat_p256_cmovznz_u32(&x143, x134, 0x0, x15);\n fiat_p256_addcarryx_u32(&x144, &x145, 0x0, x34, x135);\n fiat_p256_addcarryx_u32(&x146, &x147, x145, x35, x136);\n fiat_p256_addcarryx_u32(&x148, &x149, x147, x36, x137);\n fiat_p256_addcarryx_u32(&x150, &x151, x149, x37, x138);\n fiat_p256_addcarryx_u32(&x152, &x153, x151, x38, x139);\n fiat_p256_addcarryx_u32(&x154, &x155, x153, x39, x140);\n fiat_p256_addcarryx_u32(&x156, &x157, x155, x40, x141);\n fiat_p256_addcarryx_u32(&x158, &x159, x157, x41, x142);\n fiat_p256_addcarryx_u32(&x160, &x161, x159, x42, x143);\n fiat_p256_cmovznz_u32(&x162, x134, 0x0, x43);\n fiat_p256_cmovznz_u32(&x163, x134, 0x0, x44);\n fiat_p256_cmovznz_u32(&x164, x134, 0x0, x45);\n fiat_p256_cmovznz_u32(&x165, x134, 0x0, x46);\n fiat_p256_cmovznz_u32(&x166, x134, 0x0, x47);\n fiat_p256_cmovznz_u32(&x167, x134, 0x0, x48);\n fiat_p256_cmovznz_u32(&x168, x134, 0x0, x49);\n fiat_p256_cmovznz_u32(&x169, x134, 0x0, x50);\n fiat_p256_addcarryx_u32(&x170, &x171, 0x0, x126, x162);\n fiat_p256_addcarryx_u32(&x172, &x173, x171, x127, x163);\n fiat_p256_addcarryx_u32(&x174, &x175, x173, x128, x164);\n fiat_p256_addcarryx_u32(&x176, &x177, x175, x129, x165);\n fiat_p256_addcarryx_u32(&x178, &x179, x177, x130, x166);\n fiat_p256_addcarryx_u32(&x180, &x181, x179, x131, x167);\n fiat_p256_addcarryx_u32(&x182, &x183, x181, x132, x168);\n fiat_p256_addcarryx_u32(&x184, &x185, x183, x133, x169);\n fiat_p256_subborrowx_u32(&x186, &x187, 0x0, x170, UINT32_C(0xffffffff));\n fiat_p256_subborrowx_u32(&x188, &x189, x187, x172, UINT32_C(0xffffffff));\n fiat_p256_subborrowx_u32(&x190, &x191, x189, x174, UINT32_C(0xffffffff));\n fiat_p256_subborrowx_u32(&x192, &x193, x191, x176, 0x0);\n fiat_p256_subborrowx_u32(&x194, &x195, x193, x178, 0x0);\n fiat_p256_subborrowx_u32(&x196, &x197, x195, x180, 0x0);\n fiat_p256_subborrowx_u32(&x198, &x199, x197, x182, 0x1);\n fiat_p256_subborrowx_u32(&x200, &x201, x199, x184, UINT32_C(0xffffffff));\n fiat_p256_subborrowx_u32(&x202, &x203, x201, x185, 0x0);\n fiat_p256_addcarryx_u32(&x204, &x205, 0x0, x6, 0x1);\n x206 = ((x144 >> 1) | ((x146 << 31) & UINT32_C(0xffffffff)));\n x207 = ((x146 >> 1) | ((x148 << 31) & UINT32_C(0xffffffff)));\n x208 = ((x148 >> 1) | ((x150 << 31) & UINT32_C(0xffffffff)));\n x209 = ((x150 >> 1) | ((x152 << 31) & UINT32_C(0xffffffff)));\n x210 = ((x152 >> 1) | ((x154 << 31) & UINT32_C(0xffffffff)));\n x211 = ((x154 >> 1) | ((x156 << 31) & UINT32_C(0xffffffff)));\n x212 = ((x156 >> 1) | ((x158 << 31) & UINT32_C(0xffffffff)));\n x213 = ((x158 >> 1) | ((x160 << 31) & UINT32_C(0xffffffff)));\n x214 = ((x160 & UINT32_C(0x80000000)) | (x160 >> 1));\n fiat_p256_cmovznz_u32(&x215, x84, x67, x51);\n fiat_p256_cmovznz_u32(&x216, x84, x69, x53);\n fiat_p256_cmovznz_u32(&x217, x84, x71, x55);\n fiat_p256_cmovznz_u32(&x218, x84, x73, x57);\n fiat_p256_cmovznz_u32(&x219, x84, x75, x59);\n fiat_p256_cmovznz_u32(&x220, x84, x77, x61);\n fiat_p256_cmovznz_u32(&x221, x84, x79, x63);\n fiat_p256_cmovznz_u32(&x222, x84, x81, x65);\n fiat_p256_cmovznz_u32(&x223, x203, x186, x170);\n fiat_p256_cmovznz_u32(&x224, x203, x188, x172);\n fiat_p256_cmovznz_u32(&x225, x203, x190, x174);\n fiat_p256_cmovznz_u32(&x226, x203, x192, x176);\n fiat_p256_cmovznz_u32(&x227, x203, x194, x178);\n fiat_p256_cmovznz_u32(&x228, x203, x196, x180);\n fiat_p256_cmovznz_u32(&x229, x203, x198, x182);\n fiat_p256_cmovznz_u32(&x230, x203, x200, x184);\n *out1 = x204;\n out2[0] = x7;\n out2[1] = x8;\n out2[2] = x9;\n out2[3] = x10;\n out2[4] = x11;\n out2[5] = x12;\n out2[6] = x13;\n out2[7] = x14;\n out2[8] = x15;\n out3[0] = x206;\n out3[1] = x207;\n out3[2] = x208;\n out3[3] = x209;\n out3[4] = x210;\n out3[5] = x211;\n out3[6] = x212;\n out3[7] = x213;\n out3[8] = x214;\n out4[0] = x215;\n out4[1] = x216;\n out4[2] = x217;\n out4[3] = x218;\n out4[4] = x219;\n out4[5] = x220;\n out4[6] = x221;\n out4[7] = x222;\n out5[0] = x223;\n out5[1] = x224;\n out5[2] = x225;\n out5[3] = x226;\n out5[4] = x227;\n out5[5] = x228;\n out5[6] = x229;\n out5[7] = x230;\n}\n\n/*\n * The function fiat_p256_divstep_precomp returns the precomputed value for Bernstein-Yang-inversion (in montgomery form).\n *\n * Postconditions:\n * eval (from_montgomery out1) = ⌊(m - 1) / 2⌋^(if ⌊log2 m⌋ + 1 < 46 then ⌊(49 * (⌊log2 m⌋ + 1) + 80) / 17⌋ else ⌊(49 * (⌊log2 m⌋ + 1) + 57) / 17⌋)\n * 0 ≤ eval out1 < m\n *\n * Output Bounds:\n * out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]]\n */\nstatic FIAT_P256_FIAT_INLINE void fiat_p256_divstep_precomp(uint32_t out1[8]) {\n out1[0] = UINT32_C(0xb8000000);\n out1[1] = UINT32_C(0x67ffffff);\n out1[2] = UINT32_C(0x38000000);\n out1[3] = UINT32_C(0xc0000000);\n out1[4] = UINT32_C(0x7fffffff);\n out1[5] = UINT32_C(0xd8000000);\n out1[6] = UINT32_C(0xffffffff);\n out1[7] = UINT32_C(0x2fffffff);\n}\n" }, { "path": "Sources/CNIOBoringSSL/third_party/fiat/p256_64.h", "content": "#include \n#include \"../../crypto/internal.h\"\n\n#if !defined(OPENSSL_NO_ASM) && defined(__GNUC__) && defined(__x86_64__)\nextern \"C\" {\nvoid fiat_p256_adx_mul(uint64_t*, const uint64_t*, const uint64_t*);\nvoid fiat_p256_adx_sqr(uint64_t*, const uint64_t*);\n}\n#endif\n\n/* Autogenerated: 'src/ExtractionOCaml/word_by_word_montgomery' --inline --static --use-value-barrier p256 64 '2^256 - 2^224 + 2^192 + 2^96 - 1' mul square add sub opp from_montgomery to_montgomery nonzero selectznz to_bytes from_bytes one msat divstep divstep_precomp */\n/* curve description: p256 */\n/* machine_wordsize = 64 (from \"64\") */\n/* requested operations: mul, square, add, sub, opp, from_montgomery, to_montgomery, nonzero, selectznz, to_bytes, from_bytes, one, msat, divstep, divstep_precomp */\n/* m = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff (from \"2^256 - 2^224 + 2^192 + 2^96 - 1\") */\n/* */\n/* NOTE: In addition to the bounds specified above each function, all */\n/* functions synthesized for this Montgomery arithmetic require the */\n/* input to be strictly less than the prime modulus (m), and also */\n/* require the input to be in the unique saturated representation. */\n/* All functions also ensure that these two properties are true of */\n/* return values. */\n/* */\n/* Computed values: */\n/* eval z = z[0] + (z[1] << 64) + (z[2] << 128) + (z[3] << 192) */\n/* bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) */\n/* twos_complement_eval z = let x1 := z[0] + (z[1] << 64) + (z[2] << 128) + (z[3] << 192) in */\n/* if x1 & (2^256-1) < 2^255 then x1 & (2^256-1) else (x1 & (2^256-1)) - 2^256 */\n\n#include \ntypedef unsigned char fiat_p256_uint1;\ntypedef signed char fiat_p256_int1;\n#if defined(__GNUC__) || defined(__clang__)\n# define FIAT_P256_FIAT_EXTENSION __extension__\n# define FIAT_P256_FIAT_INLINE __inline__\n#else\n# define FIAT_P256_FIAT_EXTENSION\n# define FIAT_P256_FIAT_INLINE\n#endif\n\nFIAT_P256_FIAT_EXTENSION typedef signed __int128 fiat_p256_int128;\nFIAT_P256_FIAT_EXTENSION typedef unsigned __int128 fiat_p256_uint128;\n\n/* The type fiat_p256_montgomery_domain_field_element is a field element in the Montgomery domain. */\n/* Bounds: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] */\ntypedef uint64_t fiat_p256_montgomery_domain_field_element[4];\n\n/* The type fiat_p256_non_montgomery_domain_field_element is a field element NOT in the Montgomery domain. */\n/* Bounds: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] */\ntypedef uint64_t fiat_p256_non_montgomery_domain_field_element[4];\n\n#if (-1 & 3) != 3\n#error \"This code only works on a two's complement system\"\n#endif\n\n#if !defined(FIAT_P256_NO_ASM) && (defined(__GNUC__) || defined(__clang__))\nstatic __inline__ uint64_t fiat_p256_value_barrier_u64(uint64_t a) {\n __asm__(\"\" : \"+r\"(a) : /* no inputs */);\n return a;\n}\n#else\n# define fiat_p256_value_barrier_u64(x) (x)\n#endif\n\n\n/*\n * The function fiat_p256_addcarryx_u64 is an addition with carry.\n *\n * Postconditions:\n * out1 = (arg1 + arg2 + arg3) mod 2^64\n * out2 = ⌊(arg1 + arg2 + arg3) / 2^64⌋\n *\n * Input Bounds:\n * arg1: [0x0 ~> 0x1]\n * arg2: [0x0 ~> 0xffffffffffffffff]\n * arg3: [0x0 ~> 0xffffffffffffffff]\n * Output Bounds:\n * out1: [0x0 ~> 0xffffffffffffffff]\n * out2: [0x0 ~> 0x1]\n */\nstatic FIAT_P256_FIAT_INLINE void fiat_p256_addcarryx_u64(uint64_t* out1, fiat_p256_uint1* out2, fiat_p256_uint1 arg1, uint64_t arg2, uint64_t arg3) {\n fiat_p256_uint128 x1;\n uint64_t x2;\n fiat_p256_uint1 x3;\n x1 = ((arg1 + (fiat_p256_uint128)arg2) + arg3);\n x2 = (uint64_t)(x1 & UINT64_C(0xffffffffffffffff));\n x3 = (fiat_p256_uint1)(x1 >> 64);\n *out1 = x2;\n *out2 = x3;\n}\n\n/*\n * The function fiat_p256_subborrowx_u64 is a subtraction with borrow.\n *\n * Postconditions:\n * out1 = (-arg1 + arg2 + -arg3) mod 2^64\n * out2 = -⌊(-arg1 + arg2 + -arg3) / 2^64⌋\n *\n * Input Bounds:\n * arg1: [0x0 ~> 0x1]\n * arg2: [0x0 ~> 0xffffffffffffffff]\n * arg3: [0x0 ~> 0xffffffffffffffff]\n * Output Bounds:\n * out1: [0x0 ~> 0xffffffffffffffff]\n * out2: [0x0 ~> 0x1]\n */\nstatic FIAT_P256_FIAT_INLINE void fiat_p256_subborrowx_u64(uint64_t* out1, fiat_p256_uint1* out2, fiat_p256_uint1 arg1, uint64_t arg2, uint64_t arg3) {\n fiat_p256_int128 x1;\n fiat_p256_int1 x2;\n uint64_t x3;\n x1 = ((arg2 - (fiat_p256_int128)arg1) - arg3);\n x2 = (fiat_p256_int1)(x1 >> 64);\n x3 = (uint64_t)(x1 & UINT64_C(0xffffffffffffffff));\n *out1 = x3;\n *out2 = (fiat_p256_uint1)(0x0 - x2);\n}\n\n/*\n * The function fiat_p256_mulx_u64 is a multiplication, returning the full double-width result.\n *\n * Postconditions:\n * out1 = (arg1 * arg2) mod 2^64\n * out2 = ⌊arg1 * arg2 / 2^64⌋\n *\n * Input Bounds:\n * arg1: [0x0 ~> 0xffffffffffffffff]\n * arg2: [0x0 ~> 0xffffffffffffffff]\n * Output Bounds:\n * out1: [0x0 ~> 0xffffffffffffffff]\n * out2: [0x0 ~> 0xffffffffffffffff]\n */\nstatic FIAT_P256_FIAT_INLINE void fiat_p256_mulx_u64(uint64_t* out1, uint64_t* out2, uint64_t arg1, uint64_t arg2) {\n fiat_p256_uint128 x1;\n uint64_t x2;\n uint64_t x3;\n x1 = ((fiat_p256_uint128)arg1 * arg2);\n x2 = (uint64_t)(x1 & UINT64_C(0xffffffffffffffff));\n x3 = (uint64_t)(x1 >> 64);\n *out1 = x2;\n *out2 = x3;\n}\n\n/*\n * The function fiat_p256_cmovznz_u64 is a single-word conditional move.\n *\n * Postconditions:\n * out1 = (if arg1 = 0 then arg2 else arg3)\n *\n * Input Bounds:\n * arg1: [0x0 ~> 0x1]\n * arg2: [0x0 ~> 0xffffffffffffffff]\n * arg3: [0x0 ~> 0xffffffffffffffff]\n * Output Bounds:\n * out1: [0x0 ~> 0xffffffffffffffff]\n */\nstatic FIAT_P256_FIAT_INLINE void fiat_p256_cmovznz_u64(uint64_t* out1, fiat_p256_uint1 arg1, uint64_t arg2, uint64_t arg3) {\n fiat_p256_uint1 x1;\n uint64_t x2;\n uint64_t x3;\n x1 = (!(!arg1));\n x2 = ((fiat_p256_int1)(0x0 - x1) & UINT64_C(0xffffffffffffffff));\n x3 = ((fiat_p256_value_barrier_u64(x2) & arg3) | (fiat_p256_value_barrier_u64((~x2)) & arg2));\n *out1 = x3;\n}\n\n/*\n * The function fiat_p256_mul multiplies two field elements in the Montgomery domain.\n *\n * Preconditions:\n * 0 ≤ eval arg1 < m\n * 0 ≤ eval arg2 < m\n * Postconditions:\n * eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) * eval (from_montgomery arg2)) mod m\n * 0 ≤ eval out1 < m\n *\n */\nstatic FIAT_P256_FIAT_INLINE void fiat_p256_mul(fiat_p256_montgomery_domain_field_element out1, const fiat_p256_montgomery_domain_field_element arg1, const fiat_p256_montgomery_domain_field_element arg2) {\n#if !defined(OPENSSL_NO_ASM) && defined(__GNUC__) && defined(__x86_64__)\n if (CRYPTO_is_BMI1_capable() && CRYPTO_is_BMI2_capable() &&\n CRYPTO_is_ADX_capable()) {\n fiat_p256_adx_mul(out1, arg1, arg2);\n return;\n }\n#endif\n uint64_t x1;\n uint64_t x2;\n uint64_t x3;\n uint64_t x4;\n uint64_t x5;\n uint64_t x6;\n uint64_t x7;\n uint64_t x8;\n uint64_t x9;\n uint64_t x10;\n uint64_t x11;\n uint64_t x12;\n uint64_t x13;\n fiat_p256_uint1 x14;\n uint64_t x15;\n fiat_p256_uint1 x16;\n uint64_t x17;\n fiat_p256_uint1 x18;\n uint64_t x19;\n uint64_t x20;\n uint64_t x21;\n uint64_t x22;\n uint64_t x23;\n uint64_t x24;\n uint64_t x25;\n uint64_t x26;\n fiat_p256_uint1 x27;\n uint64_t x28;\n uint64_t x29;\n fiat_p256_uint1 x30;\n uint64_t x31;\n fiat_p256_uint1 x32;\n uint64_t x33;\n fiat_p256_uint1 x34;\n uint64_t x35;\n fiat_p256_uint1 x36;\n uint64_t x37;\n fiat_p256_uint1 x38;\n uint64_t x39;\n uint64_t x40;\n uint64_t x41;\n uint64_t x42;\n uint64_t x43;\n uint64_t x44;\n uint64_t x45;\n uint64_t x46;\n uint64_t x47;\n fiat_p256_uint1 x48;\n uint64_t x49;\n fiat_p256_uint1 x50;\n uint64_t x51;\n fiat_p256_uint1 x52;\n uint64_t x53;\n uint64_t x54;\n fiat_p256_uint1 x55;\n uint64_t x56;\n fiat_p256_uint1 x57;\n uint64_t x58;\n fiat_p256_uint1 x59;\n uint64_t x60;\n fiat_p256_uint1 x61;\n uint64_t x62;\n fiat_p256_uint1 x63;\n uint64_t x64;\n uint64_t x65;\n uint64_t x66;\n uint64_t x67;\n uint64_t x68;\n uint64_t x69;\n uint64_t x70;\n fiat_p256_uint1 x71;\n uint64_t x72;\n uint64_t x73;\n fiat_p256_uint1 x74;\n uint64_t x75;\n fiat_p256_uint1 x76;\n uint64_t x77;\n fiat_p256_uint1 x78;\n uint64_t x79;\n fiat_p256_uint1 x80;\n uint64_t x81;\n fiat_p256_uint1 x82;\n uint64_t x83;\n uint64_t x84;\n uint64_t x85;\n uint64_t x86;\n uint64_t x87;\n uint64_t x88;\n uint64_t x89;\n uint64_t x90;\n uint64_t x91;\n uint64_t x92;\n fiat_p256_uint1 x93;\n uint64_t x94;\n fiat_p256_uint1 x95;\n uint64_t x96;\n fiat_p256_uint1 x97;\n uint64_t x98;\n uint64_t x99;\n fiat_p256_uint1 x100;\n uint64_t x101;\n fiat_p256_uint1 x102;\n uint64_t x103;\n fiat_p256_uint1 x104;\n uint64_t x105;\n fiat_p256_uint1 x106;\n uint64_t x107;\n fiat_p256_uint1 x108;\n uint64_t x109;\n uint64_t x110;\n uint64_t x111;\n uint64_t x112;\n uint64_t x113;\n uint64_t x114;\n uint64_t x115;\n fiat_p256_uint1 x116;\n uint64_t x117;\n uint64_t x118;\n fiat_p256_uint1 x119;\n uint64_t x120;\n fiat_p256_uint1 x121;\n uint64_t x122;\n fiat_p256_uint1 x123;\n uint64_t x124;\n fiat_p256_uint1 x125;\n uint64_t x126;\n fiat_p256_uint1 x127;\n uint64_t x128;\n uint64_t x129;\n uint64_t x130;\n uint64_t x131;\n uint64_t x132;\n uint64_t x133;\n uint64_t x134;\n uint64_t x135;\n uint64_t x136;\n uint64_t x137;\n fiat_p256_uint1 x138;\n uint64_t x139;\n fiat_p256_uint1 x140;\n uint64_t x141;\n fiat_p256_uint1 x142;\n uint64_t x143;\n uint64_t x144;\n fiat_p256_uint1 x145;\n uint64_t x146;\n fiat_p256_uint1 x147;\n uint64_t x148;\n fiat_p256_uint1 x149;\n uint64_t x150;\n fiat_p256_uint1 x151;\n uint64_t x152;\n fiat_p256_uint1 x153;\n uint64_t x154;\n uint64_t x155;\n uint64_t x156;\n uint64_t x157;\n uint64_t x158;\n uint64_t x159;\n uint64_t x160;\n fiat_p256_uint1 x161;\n uint64_t x162;\n uint64_t x163;\n fiat_p256_uint1 x164;\n uint64_t x165;\n fiat_p256_uint1 x166;\n uint64_t x167;\n fiat_p256_uint1 x168;\n uint64_t x169;\n fiat_p256_uint1 x170;\n uint64_t x171;\n fiat_p256_uint1 x172;\n uint64_t x173;\n uint64_t x174;\n fiat_p256_uint1 x175;\n uint64_t x176;\n fiat_p256_uint1 x177;\n uint64_t x178;\n fiat_p256_uint1 x179;\n uint64_t x180;\n fiat_p256_uint1 x181;\n uint64_t x182;\n fiat_p256_uint1 x183;\n uint64_t x184;\n uint64_t x185;\n uint64_t x186;\n uint64_t x187;\n x1 = (arg1[1]);\n x2 = (arg1[2]);\n x3 = (arg1[3]);\n x4 = (arg1[0]);\n fiat_p256_mulx_u64(&x5, &x6, x4, (arg2[3]));\n fiat_p256_mulx_u64(&x7, &x8, x4, (arg2[2]));\n fiat_p256_mulx_u64(&x9, &x10, x4, (arg2[1]));\n fiat_p256_mulx_u64(&x11, &x12, x4, (arg2[0]));\n fiat_p256_addcarryx_u64(&x13, &x14, 0x0, x12, x9);\n fiat_p256_addcarryx_u64(&x15, &x16, x14, x10, x7);\n fiat_p256_addcarryx_u64(&x17, &x18, x16, x8, x5);\n x19 = (x18 + x6);\n fiat_p256_mulx_u64(&x20, &x21, x11, UINT64_C(0xffffffff00000001));\n fiat_p256_mulx_u64(&x22, &x23, x11, UINT32_C(0xffffffff));\n fiat_p256_mulx_u64(&x24, &x25, x11, UINT64_C(0xffffffffffffffff));\n fiat_p256_addcarryx_u64(&x26, &x27, 0x0, x25, x22);\n x28 = (x27 + x23);\n fiat_p256_addcarryx_u64(&x29, &x30, 0x0, x11, x24);\n fiat_p256_addcarryx_u64(&x31, &x32, x30, x13, x26);\n fiat_p256_addcarryx_u64(&x33, &x34, x32, x15, x28);\n fiat_p256_addcarryx_u64(&x35, &x36, x34, x17, x20);\n fiat_p256_addcarryx_u64(&x37, &x38, x36, x19, x21);\n fiat_p256_mulx_u64(&x39, &x40, x1, (arg2[3]));\n fiat_p256_mulx_u64(&x41, &x42, x1, (arg2[2]));\n fiat_p256_mulx_u64(&x43, &x44, x1, (arg2[1]));\n fiat_p256_mulx_u64(&x45, &x46, x1, (arg2[0]));\n fiat_p256_addcarryx_u64(&x47, &x48, 0x0, x46, x43);\n fiat_p256_addcarryx_u64(&x49, &x50, x48, x44, x41);\n fiat_p256_addcarryx_u64(&x51, &x52, x50, x42, x39);\n x53 = (x52 + x40);\n fiat_p256_addcarryx_u64(&x54, &x55, 0x0, x31, x45);\n fiat_p256_addcarryx_u64(&x56, &x57, x55, x33, x47);\n fiat_p256_addcarryx_u64(&x58, &x59, x57, x35, x49);\n fiat_p256_addcarryx_u64(&x60, &x61, x59, x37, x51);\n fiat_p256_addcarryx_u64(&x62, &x63, x61, x38, x53);\n fiat_p256_mulx_u64(&x64, &x65, x54, UINT64_C(0xffffffff00000001));\n fiat_p256_mulx_u64(&x66, &x67, x54, UINT32_C(0xffffffff));\n fiat_p256_mulx_u64(&x68, &x69, x54, UINT64_C(0xffffffffffffffff));\n fiat_p256_addcarryx_u64(&x70, &x71, 0x0, x69, x66);\n x72 = (x71 + x67);\n fiat_p256_addcarryx_u64(&x73, &x74, 0x0, x54, x68);\n fiat_p256_addcarryx_u64(&x75, &x76, x74, x56, x70);\n fiat_p256_addcarryx_u64(&x77, &x78, x76, x58, x72);\n fiat_p256_addcarryx_u64(&x79, &x80, x78, x60, x64);\n fiat_p256_addcarryx_u64(&x81, &x82, x80, x62, x65);\n x83 = ((uint64_t)x82 + x63);\n fiat_p256_mulx_u64(&x84, &x85, x2, (arg2[3]));\n fiat_p256_mulx_u64(&x86, &x87, x2, (arg2[2]));\n fiat_p256_mulx_u64(&x88, &x89, x2, (arg2[1]));\n fiat_p256_mulx_u64(&x90, &x91, x2, (arg2[0]));\n fiat_p256_addcarryx_u64(&x92, &x93, 0x0, x91, x88);\n fiat_p256_addcarryx_u64(&x94, &x95, x93, x89, x86);\n fiat_p256_addcarryx_u64(&x96, &x97, x95, x87, x84);\n x98 = (x97 + x85);\n fiat_p256_addcarryx_u64(&x99, &x100, 0x0, x75, x90);\n fiat_p256_addcarryx_u64(&x101, &x102, x100, x77, x92);\n fiat_p256_addcarryx_u64(&x103, &x104, x102, x79, x94);\n fiat_p256_addcarryx_u64(&x105, &x106, x104, x81, x96);\n fiat_p256_addcarryx_u64(&x107, &x108, x106, x83, x98);\n fiat_p256_mulx_u64(&x109, &x110, x99, UINT64_C(0xffffffff00000001));\n fiat_p256_mulx_u64(&x111, &x112, x99, UINT32_C(0xffffffff));\n fiat_p256_mulx_u64(&x113, &x114, x99, UINT64_C(0xffffffffffffffff));\n fiat_p256_addcarryx_u64(&x115, &x116, 0x0, x114, x111);\n x117 = (x116 + x112);\n fiat_p256_addcarryx_u64(&x118, &x119, 0x0, x99, x113);\n fiat_p256_addcarryx_u64(&x120, &x121, x119, x101, x115);\n fiat_p256_addcarryx_u64(&x122, &x123, x121, x103, x117);\n fiat_p256_addcarryx_u64(&x124, &x125, x123, x105, x109);\n fiat_p256_addcarryx_u64(&x126, &x127, x125, x107, x110);\n x128 = ((uint64_t)x127 + x108);\n fiat_p256_mulx_u64(&x129, &x130, x3, (arg2[3]));\n fiat_p256_mulx_u64(&x131, &x132, x3, (arg2[2]));\n fiat_p256_mulx_u64(&x133, &x134, x3, (arg2[1]));\n fiat_p256_mulx_u64(&x135, &x136, x3, (arg2[0]));\n fiat_p256_addcarryx_u64(&x137, &x138, 0x0, x136, x133);\n fiat_p256_addcarryx_u64(&x139, &x140, x138, x134, x131);\n fiat_p256_addcarryx_u64(&x141, &x142, x140, x132, x129);\n x143 = (x142 + x130);\n fiat_p256_addcarryx_u64(&x144, &x145, 0x0, x120, x135);\n fiat_p256_addcarryx_u64(&x146, &x147, x145, x122, x137);\n fiat_p256_addcarryx_u64(&x148, &x149, x147, x124, x139);\n fiat_p256_addcarryx_u64(&x150, &x151, x149, x126, x141);\n fiat_p256_addcarryx_u64(&x152, &x153, x151, x128, x143);\n fiat_p256_mulx_u64(&x154, &x155, x144, UINT64_C(0xffffffff00000001));\n fiat_p256_mulx_u64(&x156, &x157, x144, UINT32_C(0xffffffff));\n fiat_p256_mulx_u64(&x158, &x159, x144, UINT64_C(0xffffffffffffffff));\n fiat_p256_addcarryx_u64(&x160, &x161, 0x0, x159, x156);\n x162 = (x161 + x157);\n fiat_p256_addcarryx_u64(&x163, &x164, 0x0, x144, x158);\n fiat_p256_addcarryx_u64(&x165, &x166, x164, x146, x160);\n fiat_p256_addcarryx_u64(&x167, &x168, x166, x148, x162);\n fiat_p256_addcarryx_u64(&x169, &x170, x168, x150, x154);\n fiat_p256_addcarryx_u64(&x171, &x172, x170, x152, x155);\n x173 = ((uint64_t)x172 + x153);\n fiat_p256_subborrowx_u64(&x174, &x175, 0x0, x165, UINT64_C(0xffffffffffffffff));\n fiat_p256_subborrowx_u64(&x176, &x177, x175, x167, UINT32_C(0xffffffff));\n fiat_p256_subborrowx_u64(&x178, &x179, x177, x169, 0x0);\n fiat_p256_subborrowx_u64(&x180, &x181, x179, x171, UINT64_C(0xffffffff00000001));\n fiat_p256_subborrowx_u64(&x182, &x183, x181, x173, 0x0);\n fiat_p256_cmovznz_u64(&x184, x183, x174, x165);\n fiat_p256_cmovznz_u64(&x185, x183, x176, x167);\n fiat_p256_cmovznz_u64(&x186, x183, x178, x169);\n fiat_p256_cmovznz_u64(&x187, x183, x180, x171);\n out1[0] = x184;\n out1[1] = x185;\n out1[2] = x186;\n out1[3] = x187;\n}\n\n/*\n * The function fiat_p256_square squares a field element in the Montgomery domain.\n *\n * Preconditions:\n * 0 ≤ eval arg1 < m\n * Postconditions:\n * eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) * eval (from_montgomery arg1)) mod m\n * 0 ≤ eval out1 < m\n *\n */\nstatic FIAT_P256_FIAT_INLINE void fiat_p256_square(fiat_p256_montgomery_domain_field_element out1, const fiat_p256_montgomery_domain_field_element arg1) {\n#if !defined(OPENSSL_NO_ASM) && defined(__GNUC__) && defined(__x86_64__)\n if (CRYPTO_is_BMI1_capable() && CRYPTO_is_BMI2_capable() &&\n CRYPTO_is_ADX_capable()) {\n fiat_p256_adx_sqr(out1, arg1);\n return;\n }\n#endif\n uint64_t x1;\n uint64_t x2;\n uint64_t x3;\n uint64_t x4;\n uint64_t x5;\n uint64_t x6;\n uint64_t x7;\n uint64_t x8;\n uint64_t x9;\n uint64_t x10;\n uint64_t x11;\n uint64_t x12;\n uint64_t x13;\n fiat_p256_uint1 x14;\n uint64_t x15;\n fiat_p256_uint1 x16;\n uint64_t x17;\n fiat_p256_uint1 x18;\n uint64_t x19;\n uint64_t x20;\n uint64_t x21;\n uint64_t x22;\n uint64_t x23;\n uint64_t x24;\n uint64_t x25;\n uint64_t x26;\n fiat_p256_uint1 x27;\n uint64_t x28;\n uint64_t x29;\n fiat_p256_uint1 x30;\n uint64_t x31;\n fiat_p256_uint1 x32;\n uint64_t x33;\n fiat_p256_uint1 x34;\n uint64_t x35;\n fiat_p256_uint1 x36;\n uint64_t x37;\n fiat_p256_uint1 x38;\n uint64_t x39;\n uint64_t x40;\n uint64_t x41;\n uint64_t x42;\n uint64_t x43;\n uint64_t x44;\n uint64_t x45;\n uint64_t x46;\n uint64_t x47;\n fiat_p256_uint1 x48;\n uint64_t x49;\n fiat_p256_uint1 x50;\n uint64_t x51;\n fiat_p256_uint1 x52;\n uint64_t x53;\n uint64_t x54;\n fiat_p256_uint1 x55;\n uint64_t x56;\n fiat_p256_uint1 x57;\n uint64_t x58;\n fiat_p256_uint1 x59;\n uint64_t x60;\n fiat_p256_uint1 x61;\n uint64_t x62;\n fiat_p256_uint1 x63;\n uint64_t x64;\n uint64_t x65;\n uint64_t x66;\n uint64_t x67;\n uint64_t x68;\n uint64_t x69;\n uint64_t x70;\n fiat_p256_uint1 x71;\n uint64_t x72;\n uint64_t x73;\n fiat_p256_uint1 x74;\n uint64_t x75;\n fiat_p256_uint1 x76;\n uint64_t x77;\n fiat_p256_uint1 x78;\n uint64_t x79;\n fiat_p256_uint1 x80;\n uint64_t x81;\n fiat_p256_uint1 x82;\n uint64_t x83;\n uint64_t x84;\n uint64_t x85;\n uint64_t x86;\n uint64_t x87;\n uint64_t x88;\n uint64_t x89;\n uint64_t x90;\n uint64_t x91;\n uint64_t x92;\n fiat_p256_uint1 x93;\n uint64_t x94;\n fiat_p256_uint1 x95;\n uint64_t x96;\n fiat_p256_uint1 x97;\n uint64_t x98;\n uint64_t x99;\n fiat_p256_uint1 x100;\n uint64_t x101;\n fiat_p256_uint1 x102;\n uint64_t x103;\n fiat_p256_uint1 x104;\n uint64_t x105;\n fiat_p256_uint1 x106;\n uint64_t x107;\n fiat_p256_uint1 x108;\n uint64_t x109;\n uint64_t x110;\n uint64_t x111;\n uint64_t x112;\n uint64_t x113;\n uint64_t x114;\n uint64_t x115;\n fiat_p256_uint1 x116;\n uint64_t x117;\n uint64_t x118;\n fiat_p256_uint1 x119;\n uint64_t x120;\n fiat_p256_uint1 x121;\n uint64_t x122;\n fiat_p256_uint1 x123;\n uint64_t x124;\n fiat_p256_uint1 x125;\n uint64_t x126;\n fiat_p256_uint1 x127;\n uint64_t x128;\n uint64_t x129;\n uint64_t x130;\n uint64_t x131;\n uint64_t x132;\n uint64_t x133;\n uint64_t x134;\n uint64_t x135;\n uint64_t x136;\n uint64_t x137;\n fiat_p256_uint1 x138;\n uint64_t x139;\n fiat_p256_uint1 x140;\n uint64_t x141;\n fiat_p256_uint1 x142;\n uint64_t x143;\n uint64_t x144;\n fiat_p256_uint1 x145;\n uint64_t x146;\n fiat_p256_uint1 x147;\n uint64_t x148;\n fiat_p256_uint1 x149;\n uint64_t x150;\n fiat_p256_uint1 x151;\n uint64_t x152;\n fiat_p256_uint1 x153;\n uint64_t x154;\n uint64_t x155;\n uint64_t x156;\n uint64_t x157;\n uint64_t x158;\n uint64_t x159;\n uint64_t x160;\n fiat_p256_uint1 x161;\n uint64_t x162;\n uint64_t x163;\n fiat_p256_uint1 x164;\n uint64_t x165;\n fiat_p256_uint1 x166;\n uint64_t x167;\n fiat_p256_uint1 x168;\n uint64_t x169;\n fiat_p256_uint1 x170;\n uint64_t x171;\n fiat_p256_uint1 x172;\n uint64_t x173;\n uint64_t x174;\n fiat_p256_uint1 x175;\n uint64_t x176;\n fiat_p256_uint1 x177;\n uint64_t x178;\n fiat_p256_uint1 x179;\n uint64_t x180;\n fiat_p256_uint1 x181;\n uint64_t x182;\n fiat_p256_uint1 x183;\n uint64_t x184;\n uint64_t x185;\n uint64_t x186;\n uint64_t x187;\n x1 = (arg1[1]);\n x2 = (arg1[2]);\n x3 = (arg1[3]);\n x4 = (arg1[0]);\n fiat_p256_mulx_u64(&x5, &x6, x4, (arg1[3]));\n fiat_p256_mulx_u64(&x7, &x8, x4, (arg1[2]));\n fiat_p256_mulx_u64(&x9, &x10, x4, (arg1[1]));\n fiat_p256_mulx_u64(&x11, &x12, x4, (arg1[0]));\n fiat_p256_addcarryx_u64(&x13, &x14, 0x0, x12, x9);\n fiat_p256_addcarryx_u64(&x15, &x16, x14, x10, x7);\n fiat_p256_addcarryx_u64(&x17, &x18, x16, x8, x5);\n x19 = (x18 + x6);\n fiat_p256_mulx_u64(&x20, &x21, x11, UINT64_C(0xffffffff00000001));\n fiat_p256_mulx_u64(&x22, &x23, x11, UINT32_C(0xffffffff));\n fiat_p256_mulx_u64(&x24, &x25, x11, UINT64_C(0xffffffffffffffff));\n fiat_p256_addcarryx_u64(&x26, &x27, 0x0, x25, x22);\n x28 = (x27 + x23);\n fiat_p256_addcarryx_u64(&x29, &x30, 0x0, x11, x24);\n fiat_p256_addcarryx_u64(&x31, &x32, x30, x13, x26);\n fiat_p256_addcarryx_u64(&x33, &x34, x32, x15, x28);\n fiat_p256_addcarryx_u64(&x35, &x36, x34, x17, x20);\n fiat_p256_addcarryx_u64(&x37, &x38, x36, x19, x21);\n fiat_p256_mulx_u64(&x39, &x40, x1, (arg1[3]));\n fiat_p256_mulx_u64(&x41, &x42, x1, (arg1[2]));\n fiat_p256_mulx_u64(&x43, &x44, x1, (arg1[1]));\n fiat_p256_mulx_u64(&x45, &x46, x1, (arg1[0]));\n fiat_p256_addcarryx_u64(&x47, &x48, 0x0, x46, x43);\n fiat_p256_addcarryx_u64(&x49, &x50, x48, x44, x41);\n fiat_p256_addcarryx_u64(&x51, &x52, x50, x42, x39);\n x53 = (x52 + x40);\n fiat_p256_addcarryx_u64(&x54, &x55, 0x0, x31, x45);\n fiat_p256_addcarryx_u64(&x56, &x57, x55, x33, x47);\n fiat_p256_addcarryx_u64(&x58, &x59, x57, x35, x49);\n fiat_p256_addcarryx_u64(&x60, &x61, x59, x37, x51);\n fiat_p256_addcarryx_u64(&x62, &x63, x61, x38, x53);\n fiat_p256_mulx_u64(&x64, &x65, x54, UINT64_C(0xffffffff00000001));\n fiat_p256_mulx_u64(&x66, &x67, x54, UINT32_C(0xffffffff));\n fiat_p256_mulx_u64(&x68, &x69, x54, UINT64_C(0xffffffffffffffff));\n fiat_p256_addcarryx_u64(&x70, &x71, 0x0, x69, x66);\n x72 = (x71 + x67);\n fiat_p256_addcarryx_u64(&x73, &x74, 0x0, x54, x68);\n fiat_p256_addcarryx_u64(&x75, &x76, x74, x56, x70);\n fiat_p256_addcarryx_u64(&x77, &x78, x76, x58, x72);\n fiat_p256_addcarryx_u64(&x79, &x80, x78, x60, x64);\n fiat_p256_addcarryx_u64(&x81, &x82, x80, x62, x65);\n x83 = ((uint64_t)x82 + x63);\n fiat_p256_mulx_u64(&x84, &x85, x2, (arg1[3]));\n fiat_p256_mulx_u64(&x86, &x87, x2, (arg1[2]));\n fiat_p256_mulx_u64(&x88, &x89, x2, (arg1[1]));\n fiat_p256_mulx_u64(&x90, &x91, x2, (arg1[0]));\n fiat_p256_addcarryx_u64(&x92, &x93, 0x0, x91, x88);\n fiat_p256_addcarryx_u64(&x94, &x95, x93, x89, x86);\n fiat_p256_addcarryx_u64(&x96, &x97, x95, x87, x84);\n x98 = (x97 + x85);\n fiat_p256_addcarryx_u64(&x99, &x100, 0x0, x75, x90);\n fiat_p256_addcarryx_u64(&x101, &x102, x100, x77, x92);\n fiat_p256_addcarryx_u64(&x103, &x104, x102, x79, x94);\n fiat_p256_addcarryx_u64(&x105, &x106, x104, x81, x96);\n fiat_p256_addcarryx_u64(&x107, &x108, x106, x83, x98);\n fiat_p256_mulx_u64(&x109, &x110, x99, UINT64_C(0xffffffff00000001));\n fiat_p256_mulx_u64(&x111, &x112, x99, UINT32_C(0xffffffff));\n fiat_p256_mulx_u64(&x113, &x114, x99, UINT64_C(0xffffffffffffffff));\n fiat_p256_addcarryx_u64(&x115, &x116, 0x0, x114, x111);\n x117 = (x116 + x112);\n fiat_p256_addcarryx_u64(&x118, &x119, 0x0, x99, x113);\n fiat_p256_addcarryx_u64(&x120, &x121, x119, x101, x115);\n fiat_p256_addcarryx_u64(&x122, &x123, x121, x103, x117);\n fiat_p256_addcarryx_u64(&x124, &x125, x123, x105, x109);\n fiat_p256_addcarryx_u64(&x126, &x127, x125, x107, x110);\n x128 = ((uint64_t)x127 + x108);\n fiat_p256_mulx_u64(&x129, &x130, x3, (arg1[3]));\n fiat_p256_mulx_u64(&x131, &x132, x3, (arg1[2]));\n fiat_p256_mulx_u64(&x133, &x134, x3, (arg1[1]));\n fiat_p256_mulx_u64(&x135, &x136, x3, (arg1[0]));\n fiat_p256_addcarryx_u64(&x137, &x138, 0x0, x136, x133);\n fiat_p256_addcarryx_u64(&x139, &x140, x138, x134, x131);\n fiat_p256_addcarryx_u64(&x141, &x142, x140, x132, x129);\n x143 = (x142 + x130);\n fiat_p256_addcarryx_u64(&x144, &x145, 0x0, x120, x135);\n fiat_p256_addcarryx_u64(&x146, &x147, x145, x122, x137);\n fiat_p256_addcarryx_u64(&x148, &x149, x147, x124, x139);\n fiat_p256_addcarryx_u64(&x150, &x151, x149, x126, x141);\n fiat_p256_addcarryx_u64(&x152, &x153, x151, x128, x143);\n fiat_p256_mulx_u64(&x154, &x155, x144, UINT64_C(0xffffffff00000001));\n fiat_p256_mulx_u64(&x156, &x157, x144, UINT32_C(0xffffffff));\n fiat_p256_mulx_u64(&x158, &x159, x144, UINT64_C(0xffffffffffffffff));\n fiat_p256_addcarryx_u64(&x160, &x161, 0x0, x159, x156);\n x162 = (x161 + x157);\n fiat_p256_addcarryx_u64(&x163, &x164, 0x0, x144, x158);\n fiat_p256_addcarryx_u64(&x165, &x166, x164, x146, x160);\n fiat_p256_addcarryx_u64(&x167, &x168, x166, x148, x162);\n fiat_p256_addcarryx_u64(&x169, &x170, x168, x150, x154);\n fiat_p256_addcarryx_u64(&x171, &x172, x170, x152, x155);\n x173 = ((uint64_t)x172 + x153);\n fiat_p256_subborrowx_u64(&x174, &x175, 0x0, x165, UINT64_C(0xffffffffffffffff));\n fiat_p256_subborrowx_u64(&x176, &x177, x175, x167, UINT32_C(0xffffffff));\n fiat_p256_subborrowx_u64(&x178, &x179, x177, x169, 0x0);\n fiat_p256_subborrowx_u64(&x180, &x181, x179, x171, UINT64_C(0xffffffff00000001));\n fiat_p256_subborrowx_u64(&x182, &x183, x181, x173, 0x0);\n fiat_p256_cmovznz_u64(&x184, x183, x174, x165);\n fiat_p256_cmovznz_u64(&x185, x183, x176, x167);\n fiat_p256_cmovznz_u64(&x186, x183, x178, x169);\n fiat_p256_cmovznz_u64(&x187, x183, x180, x171);\n out1[0] = x184;\n out1[1] = x185;\n out1[2] = x186;\n out1[3] = x187;\n}\n\n/*\n * The function fiat_p256_add adds two field elements in the Montgomery domain.\n *\n * Preconditions:\n * 0 ≤ eval arg1 < m\n * 0 ≤ eval arg2 < m\n * Postconditions:\n * eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) + eval (from_montgomery arg2)) mod m\n * 0 ≤ eval out1 < m\n *\n */\nstatic FIAT_P256_FIAT_INLINE void fiat_p256_add(fiat_p256_montgomery_domain_field_element out1, const fiat_p256_montgomery_domain_field_element arg1, const fiat_p256_montgomery_domain_field_element arg2) {\n uint64_t x1;\n fiat_p256_uint1 x2;\n uint64_t x3;\n fiat_p256_uint1 x4;\n uint64_t x5;\n fiat_p256_uint1 x6;\n uint64_t x7;\n fiat_p256_uint1 x8;\n uint64_t x9;\n fiat_p256_uint1 x10;\n uint64_t x11;\n fiat_p256_uint1 x12;\n uint64_t x13;\n fiat_p256_uint1 x14;\n uint64_t x15;\n fiat_p256_uint1 x16;\n uint64_t x17;\n fiat_p256_uint1 x18;\n uint64_t x19;\n uint64_t x20;\n uint64_t x21;\n uint64_t x22;\n fiat_p256_addcarryx_u64(&x1, &x2, 0x0, (arg1[0]), (arg2[0]));\n fiat_p256_addcarryx_u64(&x3, &x4, x2, (arg1[1]), (arg2[1]));\n fiat_p256_addcarryx_u64(&x5, &x6, x4, (arg1[2]), (arg2[2]));\n fiat_p256_addcarryx_u64(&x7, &x8, x6, (arg1[3]), (arg2[3]));\n fiat_p256_subborrowx_u64(&x9, &x10, 0x0, x1, UINT64_C(0xffffffffffffffff));\n fiat_p256_subborrowx_u64(&x11, &x12, x10, x3, UINT32_C(0xffffffff));\n fiat_p256_subborrowx_u64(&x13, &x14, x12, x5, 0x0);\n fiat_p256_subborrowx_u64(&x15, &x16, x14, x7, UINT64_C(0xffffffff00000001));\n fiat_p256_subborrowx_u64(&x17, &x18, x16, x8, 0x0);\n fiat_p256_cmovznz_u64(&x19, x18, x9, x1);\n fiat_p256_cmovznz_u64(&x20, x18, x11, x3);\n fiat_p256_cmovznz_u64(&x21, x18, x13, x5);\n fiat_p256_cmovznz_u64(&x22, x18, x15, x7);\n out1[0] = x19;\n out1[1] = x20;\n out1[2] = x21;\n out1[3] = x22;\n}\n\n/*\n * The function fiat_p256_sub subtracts two field elements in the Montgomery domain.\n *\n * Preconditions:\n * 0 ≤ eval arg1 < m\n * 0 ≤ eval arg2 < m\n * Postconditions:\n * eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) - eval (from_montgomery arg2)) mod m\n * 0 ≤ eval out1 < m\n *\n */\nstatic FIAT_P256_FIAT_INLINE void fiat_p256_sub(fiat_p256_montgomery_domain_field_element out1, const fiat_p256_montgomery_domain_field_element arg1, const fiat_p256_montgomery_domain_field_element arg2) {\n uint64_t x1;\n fiat_p256_uint1 x2;\n uint64_t x3;\n fiat_p256_uint1 x4;\n uint64_t x5;\n fiat_p256_uint1 x6;\n uint64_t x7;\n fiat_p256_uint1 x8;\n uint64_t x9;\n uint64_t x10;\n fiat_p256_uint1 x11;\n uint64_t x12;\n fiat_p256_uint1 x13;\n uint64_t x14;\n fiat_p256_uint1 x15;\n uint64_t x16;\n fiat_p256_uint1 x17;\n fiat_p256_subborrowx_u64(&x1, &x2, 0x0, (arg1[0]), (arg2[0]));\n fiat_p256_subborrowx_u64(&x3, &x4, x2, (arg1[1]), (arg2[1]));\n fiat_p256_subborrowx_u64(&x5, &x6, x4, (arg1[2]), (arg2[2]));\n fiat_p256_subborrowx_u64(&x7, &x8, x6, (arg1[3]), (arg2[3]));\n fiat_p256_cmovznz_u64(&x9, x8, 0x0, UINT64_C(0xffffffffffffffff));\n fiat_p256_addcarryx_u64(&x10, &x11, 0x0, x1, x9);\n fiat_p256_addcarryx_u64(&x12, &x13, x11, x3, (x9 & UINT32_C(0xffffffff)));\n fiat_p256_addcarryx_u64(&x14, &x15, x13, x5, 0x0);\n fiat_p256_addcarryx_u64(&x16, &x17, x15, x7, (x9 & UINT64_C(0xffffffff00000001)));\n out1[0] = x10;\n out1[1] = x12;\n out1[2] = x14;\n out1[3] = x16;\n}\n\n/*\n * The function fiat_p256_opp negates a field element in the Montgomery domain.\n *\n * Preconditions:\n * 0 ≤ eval arg1 < m\n * Postconditions:\n * eval (from_montgomery out1) mod m = -eval (from_montgomery arg1) mod m\n * 0 ≤ eval out1 < m\n *\n */\nstatic FIAT_P256_FIAT_INLINE void fiat_p256_opp(fiat_p256_montgomery_domain_field_element out1, const fiat_p256_montgomery_domain_field_element arg1) {\n uint64_t x1;\n fiat_p256_uint1 x2;\n uint64_t x3;\n fiat_p256_uint1 x4;\n uint64_t x5;\n fiat_p256_uint1 x6;\n uint64_t x7;\n fiat_p256_uint1 x8;\n uint64_t x9;\n uint64_t x10;\n fiat_p256_uint1 x11;\n uint64_t x12;\n fiat_p256_uint1 x13;\n uint64_t x14;\n fiat_p256_uint1 x15;\n uint64_t x16;\n fiat_p256_uint1 x17;\n fiat_p256_subborrowx_u64(&x1, &x2, 0x0, 0x0, (arg1[0]));\n fiat_p256_subborrowx_u64(&x3, &x4, x2, 0x0, (arg1[1]));\n fiat_p256_subborrowx_u64(&x5, &x6, x4, 0x0, (arg1[2]));\n fiat_p256_subborrowx_u64(&x7, &x8, x6, 0x0, (arg1[3]));\n fiat_p256_cmovznz_u64(&x9, x8, 0x0, UINT64_C(0xffffffffffffffff));\n fiat_p256_addcarryx_u64(&x10, &x11, 0x0, x1, x9);\n fiat_p256_addcarryx_u64(&x12, &x13, x11, x3, (x9 & UINT32_C(0xffffffff)));\n fiat_p256_addcarryx_u64(&x14, &x15, x13, x5, 0x0);\n fiat_p256_addcarryx_u64(&x16, &x17, x15, x7, (x9 & UINT64_C(0xffffffff00000001)));\n out1[0] = x10;\n out1[1] = x12;\n out1[2] = x14;\n out1[3] = x16;\n}\n\n/*\n * The function fiat_p256_from_montgomery translates a field element out of the Montgomery domain.\n *\n * Preconditions:\n * 0 ≤ eval arg1 < m\n * Postconditions:\n * eval out1 mod m = (eval arg1 * ((2^64)⁻¹ mod m)^4) mod m\n * 0 ≤ eval out1 < m\n *\n */\nstatic FIAT_P256_FIAT_INLINE void fiat_p256_from_montgomery(fiat_p256_non_montgomery_domain_field_element out1, const fiat_p256_montgomery_domain_field_element arg1) {\n uint64_t x1;\n uint64_t x2;\n uint64_t x3;\n uint64_t x4;\n uint64_t x5;\n uint64_t x6;\n uint64_t x7;\n uint64_t x8;\n fiat_p256_uint1 x9;\n uint64_t x10;\n fiat_p256_uint1 x11;\n uint64_t x12;\n fiat_p256_uint1 x13;\n uint64_t x14;\n fiat_p256_uint1 x15;\n uint64_t x16;\n uint64_t x17;\n uint64_t x18;\n uint64_t x19;\n uint64_t x20;\n uint64_t x21;\n uint64_t x22;\n fiat_p256_uint1 x23;\n uint64_t x24;\n fiat_p256_uint1 x25;\n uint64_t x26;\n fiat_p256_uint1 x27;\n uint64_t x28;\n fiat_p256_uint1 x29;\n uint64_t x30;\n fiat_p256_uint1 x31;\n uint64_t x32;\n fiat_p256_uint1 x33;\n uint64_t x34;\n fiat_p256_uint1 x35;\n uint64_t x36;\n fiat_p256_uint1 x37;\n uint64_t x38;\n uint64_t x39;\n uint64_t x40;\n uint64_t x41;\n uint64_t x42;\n uint64_t x43;\n uint64_t x44;\n fiat_p256_uint1 x45;\n uint64_t x46;\n fiat_p256_uint1 x47;\n uint64_t x48;\n fiat_p256_uint1 x49;\n uint64_t x50;\n fiat_p256_uint1 x51;\n uint64_t x52;\n fiat_p256_uint1 x53;\n uint64_t x54;\n fiat_p256_uint1 x55;\n uint64_t x56;\n fiat_p256_uint1 x57;\n uint64_t x58;\n fiat_p256_uint1 x59;\n uint64_t x60;\n uint64_t x61;\n uint64_t x62;\n uint64_t x63;\n uint64_t x64;\n uint64_t x65;\n uint64_t x66;\n fiat_p256_uint1 x67;\n uint64_t x68;\n fiat_p256_uint1 x69;\n uint64_t x70;\n fiat_p256_uint1 x71;\n uint64_t x72;\n fiat_p256_uint1 x73;\n uint64_t x74;\n fiat_p256_uint1 x75;\n uint64_t x76;\n uint64_t x77;\n fiat_p256_uint1 x78;\n uint64_t x79;\n fiat_p256_uint1 x80;\n uint64_t x81;\n fiat_p256_uint1 x82;\n uint64_t x83;\n fiat_p256_uint1 x84;\n uint64_t x85;\n fiat_p256_uint1 x86;\n uint64_t x87;\n uint64_t x88;\n uint64_t x89;\n uint64_t x90;\n x1 = (arg1[0]);\n fiat_p256_mulx_u64(&x2, &x3, x1, UINT64_C(0xffffffff00000001));\n fiat_p256_mulx_u64(&x4, &x5, x1, UINT32_C(0xffffffff));\n fiat_p256_mulx_u64(&x6, &x7, x1, UINT64_C(0xffffffffffffffff));\n fiat_p256_addcarryx_u64(&x8, &x9, 0x0, x7, x4);\n fiat_p256_addcarryx_u64(&x10, &x11, 0x0, x1, x6);\n fiat_p256_addcarryx_u64(&x12, &x13, x11, 0x0, x8);\n fiat_p256_addcarryx_u64(&x14, &x15, 0x0, x12, (arg1[1]));\n fiat_p256_mulx_u64(&x16, &x17, x14, UINT64_C(0xffffffff00000001));\n fiat_p256_mulx_u64(&x18, &x19, x14, UINT32_C(0xffffffff));\n fiat_p256_mulx_u64(&x20, &x21, x14, UINT64_C(0xffffffffffffffff));\n fiat_p256_addcarryx_u64(&x22, &x23, 0x0, x21, x18);\n fiat_p256_addcarryx_u64(&x24, &x25, 0x0, x14, x20);\n fiat_p256_addcarryx_u64(&x26, &x27, x25, (x15 + (x13 + (x9 + x5))), x22);\n fiat_p256_addcarryx_u64(&x28, &x29, x27, x2, (x23 + x19));\n fiat_p256_addcarryx_u64(&x30, &x31, x29, x3, x16);\n fiat_p256_addcarryx_u64(&x32, &x33, 0x0, x26, (arg1[2]));\n fiat_p256_addcarryx_u64(&x34, &x35, x33, x28, 0x0);\n fiat_p256_addcarryx_u64(&x36, &x37, x35, x30, 0x0);\n fiat_p256_mulx_u64(&x38, &x39, x32, UINT64_C(0xffffffff00000001));\n fiat_p256_mulx_u64(&x40, &x41, x32, UINT32_C(0xffffffff));\n fiat_p256_mulx_u64(&x42, &x43, x32, UINT64_C(0xffffffffffffffff));\n fiat_p256_addcarryx_u64(&x44, &x45, 0x0, x43, x40);\n fiat_p256_addcarryx_u64(&x46, &x47, 0x0, x32, x42);\n fiat_p256_addcarryx_u64(&x48, &x49, x47, x34, x44);\n fiat_p256_addcarryx_u64(&x50, &x51, x49, x36, (x45 + x41));\n fiat_p256_addcarryx_u64(&x52, &x53, x51, (x37 + (x31 + x17)), x38);\n fiat_p256_addcarryx_u64(&x54, &x55, 0x0, x48, (arg1[3]));\n fiat_p256_addcarryx_u64(&x56, &x57, x55, x50, 0x0);\n fiat_p256_addcarryx_u64(&x58, &x59, x57, x52, 0x0);\n fiat_p256_mulx_u64(&x60, &x61, x54, UINT64_C(0xffffffff00000001));\n fiat_p256_mulx_u64(&x62, &x63, x54, UINT32_C(0xffffffff));\n fiat_p256_mulx_u64(&x64, &x65, x54, UINT64_C(0xffffffffffffffff));\n fiat_p256_addcarryx_u64(&x66, &x67, 0x0, x65, x62);\n fiat_p256_addcarryx_u64(&x68, &x69, 0x0, x54, x64);\n fiat_p256_addcarryx_u64(&x70, &x71, x69, x56, x66);\n fiat_p256_addcarryx_u64(&x72, &x73, x71, x58, (x67 + x63));\n fiat_p256_addcarryx_u64(&x74, &x75, x73, (x59 + (x53 + x39)), x60);\n x76 = (x75 + x61);\n fiat_p256_subborrowx_u64(&x77, &x78, 0x0, x70, UINT64_C(0xffffffffffffffff));\n fiat_p256_subborrowx_u64(&x79, &x80, x78, x72, UINT32_C(0xffffffff));\n fiat_p256_subborrowx_u64(&x81, &x82, x80, x74, 0x0);\n fiat_p256_subborrowx_u64(&x83, &x84, x82, x76, UINT64_C(0xffffffff00000001));\n fiat_p256_subborrowx_u64(&x85, &x86, x84, 0x0, 0x0);\n fiat_p256_cmovznz_u64(&x87, x86, x77, x70);\n fiat_p256_cmovznz_u64(&x88, x86, x79, x72);\n fiat_p256_cmovznz_u64(&x89, x86, x81, x74);\n fiat_p256_cmovznz_u64(&x90, x86, x83, x76);\n out1[0] = x87;\n out1[1] = x88;\n out1[2] = x89;\n out1[3] = x90;\n}\n\n/*\n * The function fiat_p256_to_montgomery translates a field element into the Montgomery domain.\n *\n * Preconditions:\n * 0 ≤ eval arg1 < m\n * Postconditions:\n * eval (from_montgomery out1) mod m = eval arg1 mod m\n * 0 ≤ eval out1 < m\n *\n */\nstatic FIAT_P256_FIAT_INLINE void fiat_p256_to_montgomery(fiat_p256_montgomery_domain_field_element out1, const fiat_p256_non_montgomery_domain_field_element arg1) {\n uint64_t x1;\n uint64_t x2;\n uint64_t x3;\n uint64_t x4;\n uint64_t x5;\n uint64_t x6;\n uint64_t x7;\n uint64_t x8;\n uint64_t x9;\n uint64_t x10;\n uint64_t x11;\n uint64_t x12;\n uint64_t x13;\n fiat_p256_uint1 x14;\n uint64_t x15;\n fiat_p256_uint1 x16;\n uint64_t x17;\n fiat_p256_uint1 x18;\n uint64_t x19;\n uint64_t x20;\n uint64_t x21;\n uint64_t x22;\n uint64_t x23;\n uint64_t x24;\n uint64_t x25;\n fiat_p256_uint1 x26;\n uint64_t x27;\n fiat_p256_uint1 x28;\n uint64_t x29;\n fiat_p256_uint1 x30;\n uint64_t x31;\n fiat_p256_uint1 x32;\n uint64_t x33;\n fiat_p256_uint1 x34;\n uint64_t x35;\n fiat_p256_uint1 x36;\n uint64_t x37;\n uint64_t x38;\n uint64_t x39;\n uint64_t x40;\n uint64_t x41;\n uint64_t x42;\n uint64_t x43;\n uint64_t x44;\n uint64_t x45;\n fiat_p256_uint1 x46;\n uint64_t x47;\n fiat_p256_uint1 x48;\n uint64_t x49;\n fiat_p256_uint1 x50;\n uint64_t x51;\n fiat_p256_uint1 x52;\n uint64_t x53;\n fiat_p256_uint1 x54;\n uint64_t x55;\n fiat_p256_uint1 x56;\n uint64_t x57;\n fiat_p256_uint1 x58;\n uint64_t x59;\n uint64_t x60;\n uint64_t x61;\n uint64_t x62;\n uint64_t x63;\n uint64_t x64;\n uint64_t x65;\n fiat_p256_uint1 x66;\n uint64_t x67;\n fiat_p256_uint1 x68;\n uint64_t x69;\n fiat_p256_uint1 x70;\n uint64_t x71;\n fiat_p256_uint1 x72;\n uint64_t x73;\n fiat_p256_uint1 x74;\n uint64_t x75;\n fiat_p256_uint1 x76;\n uint64_t x77;\n uint64_t x78;\n uint64_t x79;\n uint64_t x80;\n uint64_t x81;\n uint64_t x82;\n uint64_t x83;\n uint64_t x84;\n uint64_t x85;\n fiat_p256_uint1 x86;\n uint64_t x87;\n fiat_p256_uint1 x88;\n uint64_t x89;\n fiat_p256_uint1 x90;\n uint64_t x91;\n fiat_p256_uint1 x92;\n uint64_t x93;\n fiat_p256_uint1 x94;\n uint64_t x95;\n fiat_p256_uint1 x96;\n uint64_t x97;\n fiat_p256_uint1 x98;\n uint64_t x99;\n uint64_t x100;\n uint64_t x101;\n uint64_t x102;\n uint64_t x103;\n uint64_t x104;\n uint64_t x105;\n fiat_p256_uint1 x106;\n uint64_t x107;\n fiat_p256_uint1 x108;\n uint64_t x109;\n fiat_p256_uint1 x110;\n uint64_t x111;\n fiat_p256_uint1 x112;\n uint64_t x113;\n fiat_p256_uint1 x114;\n uint64_t x115;\n fiat_p256_uint1 x116;\n uint64_t x117;\n uint64_t x118;\n uint64_t x119;\n uint64_t x120;\n uint64_t x121;\n uint64_t x122;\n uint64_t x123;\n uint64_t x124;\n uint64_t x125;\n fiat_p256_uint1 x126;\n uint64_t x127;\n fiat_p256_uint1 x128;\n uint64_t x129;\n fiat_p256_uint1 x130;\n uint64_t x131;\n fiat_p256_uint1 x132;\n uint64_t x133;\n fiat_p256_uint1 x134;\n uint64_t x135;\n fiat_p256_uint1 x136;\n uint64_t x137;\n fiat_p256_uint1 x138;\n uint64_t x139;\n uint64_t x140;\n uint64_t x141;\n uint64_t x142;\n uint64_t x143;\n uint64_t x144;\n uint64_t x145;\n fiat_p256_uint1 x146;\n uint64_t x147;\n fiat_p256_uint1 x148;\n uint64_t x149;\n fiat_p256_uint1 x150;\n uint64_t x151;\n fiat_p256_uint1 x152;\n uint64_t x153;\n fiat_p256_uint1 x154;\n uint64_t x155;\n fiat_p256_uint1 x156;\n uint64_t x157;\n fiat_p256_uint1 x158;\n uint64_t x159;\n fiat_p256_uint1 x160;\n uint64_t x161;\n fiat_p256_uint1 x162;\n uint64_t x163;\n fiat_p256_uint1 x164;\n uint64_t x165;\n fiat_p256_uint1 x166;\n uint64_t x167;\n uint64_t x168;\n uint64_t x169;\n uint64_t x170;\n x1 = (arg1[1]);\n x2 = (arg1[2]);\n x3 = (arg1[3]);\n x4 = (arg1[0]);\n fiat_p256_mulx_u64(&x5, &x6, x4, UINT64_C(0x4fffffffd));\n fiat_p256_mulx_u64(&x7, &x8, x4, UINT64_C(0xfffffffffffffffe));\n fiat_p256_mulx_u64(&x9, &x10, x4, UINT64_C(0xfffffffbffffffff));\n fiat_p256_mulx_u64(&x11, &x12, x4, 0x3);\n fiat_p256_addcarryx_u64(&x13, &x14, 0x0, x12, x9);\n fiat_p256_addcarryx_u64(&x15, &x16, x14, x10, x7);\n fiat_p256_addcarryx_u64(&x17, &x18, x16, x8, x5);\n fiat_p256_mulx_u64(&x19, &x20, x11, UINT64_C(0xffffffff00000001));\n fiat_p256_mulx_u64(&x21, &x22, x11, UINT32_C(0xffffffff));\n fiat_p256_mulx_u64(&x23, &x24, x11, UINT64_C(0xffffffffffffffff));\n fiat_p256_addcarryx_u64(&x25, &x26, 0x0, x24, x21);\n fiat_p256_addcarryx_u64(&x27, &x28, 0x0, x11, x23);\n fiat_p256_addcarryx_u64(&x29, &x30, x28, x13, x25);\n fiat_p256_addcarryx_u64(&x31, &x32, x30, x15, (x26 + x22));\n fiat_p256_addcarryx_u64(&x33, &x34, x32, x17, x19);\n fiat_p256_addcarryx_u64(&x35, &x36, x34, (x18 + x6), x20);\n fiat_p256_mulx_u64(&x37, &x38, x1, UINT64_C(0x4fffffffd));\n fiat_p256_mulx_u64(&x39, &x40, x1, UINT64_C(0xfffffffffffffffe));\n fiat_p256_mulx_u64(&x41, &x42, x1, UINT64_C(0xfffffffbffffffff));\n fiat_p256_mulx_u64(&x43, &x44, x1, 0x3);\n fiat_p256_addcarryx_u64(&x45, &x46, 0x0, x44, x41);\n fiat_p256_addcarryx_u64(&x47, &x48, x46, x42, x39);\n fiat_p256_addcarryx_u64(&x49, &x50, x48, x40, x37);\n fiat_p256_addcarryx_u64(&x51, &x52, 0x0, x29, x43);\n fiat_p256_addcarryx_u64(&x53, &x54, x52, x31, x45);\n fiat_p256_addcarryx_u64(&x55, &x56, x54, x33, x47);\n fiat_p256_addcarryx_u64(&x57, &x58, x56, x35, x49);\n fiat_p256_mulx_u64(&x59, &x60, x51, UINT64_C(0xffffffff00000001));\n fiat_p256_mulx_u64(&x61, &x62, x51, UINT32_C(0xffffffff));\n fiat_p256_mulx_u64(&x63, &x64, x51, UINT64_C(0xffffffffffffffff));\n fiat_p256_addcarryx_u64(&x65, &x66, 0x0, x64, x61);\n fiat_p256_addcarryx_u64(&x67, &x68, 0x0, x51, x63);\n fiat_p256_addcarryx_u64(&x69, &x70, x68, x53, x65);\n fiat_p256_addcarryx_u64(&x71, &x72, x70, x55, (x66 + x62));\n fiat_p256_addcarryx_u64(&x73, &x74, x72, x57, x59);\n fiat_p256_addcarryx_u64(&x75, &x76, x74, (((uint64_t)x58 + x36) + (x50 + x38)), x60);\n fiat_p256_mulx_u64(&x77, &x78, x2, UINT64_C(0x4fffffffd));\n fiat_p256_mulx_u64(&x79, &x80, x2, UINT64_C(0xfffffffffffffffe));\n fiat_p256_mulx_u64(&x81, &x82, x2, UINT64_C(0xfffffffbffffffff));\n fiat_p256_mulx_u64(&x83, &x84, x2, 0x3);\n fiat_p256_addcarryx_u64(&x85, &x86, 0x0, x84, x81);\n fiat_p256_addcarryx_u64(&x87, &x88, x86, x82, x79);\n fiat_p256_addcarryx_u64(&x89, &x90, x88, x80, x77);\n fiat_p256_addcarryx_u64(&x91, &x92, 0x0, x69, x83);\n fiat_p256_addcarryx_u64(&x93, &x94, x92, x71, x85);\n fiat_p256_addcarryx_u64(&x95, &x96, x94, x73, x87);\n fiat_p256_addcarryx_u64(&x97, &x98, x96, x75, x89);\n fiat_p256_mulx_u64(&x99, &x100, x91, UINT64_C(0xffffffff00000001));\n fiat_p256_mulx_u64(&x101, &x102, x91, UINT32_C(0xffffffff));\n fiat_p256_mulx_u64(&x103, &x104, x91, UINT64_C(0xffffffffffffffff));\n fiat_p256_addcarryx_u64(&x105, &x106, 0x0, x104, x101);\n fiat_p256_addcarryx_u64(&x107, &x108, 0x0, x91, x103);\n fiat_p256_addcarryx_u64(&x109, &x110, x108, x93, x105);\n fiat_p256_addcarryx_u64(&x111, &x112, x110, x95, (x106 + x102));\n fiat_p256_addcarryx_u64(&x113, &x114, x112, x97, x99);\n fiat_p256_addcarryx_u64(&x115, &x116, x114, (((uint64_t)x98 + x76) + (x90 + x78)), x100);\n fiat_p256_mulx_u64(&x117, &x118, x3, UINT64_C(0x4fffffffd));\n fiat_p256_mulx_u64(&x119, &x120, x3, UINT64_C(0xfffffffffffffffe));\n fiat_p256_mulx_u64(&x121, &x122, x3, UINT64_C(0xfffffffbffffffff));\n fiat_p256_mulx_u64(&x123, &x124, x3, 0x3);\n fiat_p256_addcarryx_u64(&x125, &x126, 0x0, x124, x121);\n fiat_p256_addcarryx_u64(&x127, &x128, x126, x122, x119);\n fiat_p256_addcarryx_u64(&x129, &x130, x128, x120, x117);\n fiat_p256_addcarryx_u64(&x131, &x132, 0x0, x109, x123);\n fiat_p256_addcarryx_u64(&x133, &x134, x132, x111, x125);\n fiat_p256_addcarryx_u64(&x135, &x136, x134, x113, x127);\n fiat_p256_addcarryx_u64(&x137, &x138, x136, x115, x129);\n fiat_p256_mulx_u64(&x139, &x140, x131, UINT64_C(0xffffffff00000001));\n fiat_p256_mulx_u64(&x141, &x142, x131, UINT32_C(0xffffffff));\n fiat_p256_mulx_u64(&x143, &x144, x131, UINT64_C(0xffffffffffffffff));\n fiat_p256_addcarryx_u64(&x145, &x146, 0x0, x144, x141);\n fiat_p256_addcarryx_u64(&x147, &x148, 0x0, x131, x143);\n fiat_p256_addcarryx_u64(&x149, &x150, x148, x133, x145);\n fiat_p256_addcarryx_u64(&x151, &x152, x150, x135, (x146 + x142));\n fiat_p256_addcarryx_u64(&x153, &x154, x152, x137, x139);\n fiat_p256_addcarryx_u64(&x155, &x156, x154, (((uint64_t)x138 + x116) + (x130 + x118)), x140);\n fiat_p256_subborrowx_u64(&x157, &x158, 0x0, x149, UINT64_C(0xffffffffffffffff));\n fiat_p256_subborrowx_u64(&x159, &x160, x158, x151, UINT32_C(0xffffffff));\n fiat_p256_subborrowx_u64(&x161, &x162, x160, x153, 0x0);\n fiat_p256_subborrowx_u64(&x163, &x164, x162, x155, UINT64_C(0xffffffff00000001));\n fiat_p256_subborrowx_u64(&x165, &x166, x164, x156, 0x0);\n fiat_p256_cmovznz_u64(&x167, x166, x157, x149);\n fiat_p256_cmovznz_u64(&x168, x166, x159, x151);\n fiat_p256_cmovznz_u64(&x169, x166, x161, x153);\n fiat_p256_cmovznz_u64(&x170, x166, x163, x155);\n out1[0] = x167;\n out1[1] = x168;\n out1[2] = x169;\n out1[3] = x170;\n}\n\n/*\n * The function fiat_p256_nonzero outputs a single non-zero word if the input is non-zero and zero otherwise.\n *\n * Preconditions:\n * 0 ≤ eval arg1 < m\n * Postconditions:\n * out1 = 0 ↔ eval (from_montgomery arg1) mod m = 0\n *\n * Input Bounds:\n * arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]\n * Output Bounds:\n * out1: [0x0 ~> 0xffffffffffffffff]\n */\nstatic FIAT_P256_FIAT_INLINE void fiat_p256_nonzero(uint64_t* out1, const uint64_t arg1[4]) {\n uint64_t x1;\n x1 = ((arg1[0]) | ((arg1[1]) | ((arg1[2]) | (arg1[3]))));\n *out1 = x1;\n}\n\n/*\n * The function fiat_p256_selectznz is a multi-limb conditional select.\n *\n * Postconditions:\n * eval out1 = (if arg1 = 0 then eval arg2 else eval arg3)\n *\n * Input Bounds:\n * arg1: [0x0 ~> 0x1]\n * arg2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]\n * arg3: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]\n * Output Bounds:\n * out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]\n */\nstatic FIAT_P256_FIAT_INLINE void fiat_p256_selectznz(uint64_t out1[4], fiat_p256_uint1 arg1, const uint64_t arg2[4], const uint64_t arg3[4]) {\n uint64_t x1;\n uint64_t x2;\n uint64_t x3;\n uint64_t x4;\n fiat_p256_cmovznz_u64(&x1, arg1, (arg2[0]), (arg3[0]));\n fiat_p256_cmovznz_u64(&x2, arg1, (arg2[1]), (arg3[1]));\n fiat_p256_cmovznz_u64(&x3, arg1, (arg2[2]), (arg3[2]));\n fiat_p256_cmovznz_u64(&x4, arg1, (arg2[3]), (arg3[3]));\n out1[0] = x1;\n out1[1] = x2;\n out1[2] = x3;\n out1[3] = x4;\n}\n\n/*\n * The function fiat_p256_to_bytes serializes a field element NOT in the Montgomery domain to bytes in little-endian order.\n *\n * Preconditions:\n * 0 ≤ eval arg1 < m\n * Postconditions:\n * out1 = map (λ x, ⌊((eval arg1 mod m) mod 2^(8 * (x + 1))) / 2^(8 * x)⌋) [0..31]\n *\n * Input Bounds:\n * arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]\n * Output Bounds:\n * out1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff]]\n */\nstatic FIAT_P256_FIAT_INLINE void fiat_p256_to_bytes(uint8_t out1[32], const uint64_t arg1[4]) {\n uint64_t x1;\n uint64_t x2;\n uint64_t x3;\n uint64_t x4;\n uint8_t x5;\n uint64_t x6;\n uint8_t x7;\n uint64_t x8;\n uint8_t x9;\n uint64_t x10;\n uint8_t x11;\n uint64_t x12;\n uint8_t x13;\n uint64_t x14;\n uint8_t x15;\n uint64_t x16;\n uint8_t x17;\n uint8_t x18;\n uint8_t x19;\n uint64_t x20;\n uint8_t x21;\n uint64_t x22;\n uint8_t x23;\n uint64_t x24;\n uint8_t x25;\n uint64_t x26;\n uint8_t x27;\n uint64_t x28;\n uint8_t x29;\n uint64_t x30;\n uint8_t x31;\n uint8_t x32;\n uint8_t x33;\n uint64_t x34;\n uint8_t x35;\n uint64_t x36;\n uint8_t x37;\n uint64_t x38;\n uint8_t x39;\n uint64_t x40;\n uint8_t x41;\n uint64_t x42;\n uint8_t x43;\n uint64_t x44;\n uint8_t x45;\n uint8_t x46;\n uint8_t x47;\n uint64_t x48;\n uint8_t x49;\n uint64_t x50;\n uint8_t x51;\n uint64_t x52;\n uint8_t x53;\n uint64_t x54;\n uint8_t x55;\n uint64_t x56;\n uint8_t x57;\n uint64_t x58;\n uint8_t x59;\n uint8_t x60;\n x1 = (arg1[3]);\n x2 = (arg1[2]);\n x3 = (arg1[1]);\n x4 = (arg1[0]);\n x5 = (uint8_t)(x4 & UINT8_C(0xff));\n x6 = (x4 >> 8);\n x7 = (uint8_t)(x6 & UINT8_C(0xff));\n x8 = (x6 >> 8);\n x9 = (uint8_t)(x8 & UINT8_C(0xff));\n x10 = (x8 >> 8);\n x11 = (uint8_t)(x10 & UINT8_C(0xff));\n x12 = (x10 >> 8);\n x13 = (uint8_t)(x12 & UINT8_C(0xff));\n x14 = (x12 >> 8);\n x15 = (uint8_t)(x14 & UINT8_C(0xff));\n x16 = (x14 >> 8);\n x17 = (uint8_t)(x16 & UINT8_C(0xff));\n x18 = (uint8_t)(x16 >> 8);\n x19 = (uint8_t)(x3 & UINT8_C(0xff));\n x20 = (x3 >> 8);\n x21 = (uint8_t)(x20 & UINT8_C(0xff));\n x22 = (x20 >> 8);\n x23 = (uint8_t)(x22 & UINT8_C(0xff));\n x24 = (x22 >> 8);\n x25 = (uint8_t)(x24 & UINT8_C(0xff));\n x26 = (x24 >> 8);\n x27 = (uint8_t)(x26 & UINT8_C(0xff));\n x28 = (x26 >> 8);\n x29 = (uint8_t)(x28 & UINT8_C(0xff));\n x30 = (x28 >> 8);\n x31 = (uint8_t)(x30 & UINT8_C(0xff));\n x32 = (uint8_t)(x30 >> 8);\n x33 = (uint8_t)(x2 & UINT8_C(0xff));\n x34 = (x2 >> 8);\n x35 = (uint8_t)(x34 & UINT8_C(0xff));\n x36 = (x34 >> 8);\n x37 = (uint8_t)(x36 & UINT8_C(0xff));\n x38 = (x36 >> 8);\n x39 = (uint8_t)(x38 & UINT8_C(0xff));\n x40 = (x38 >> 8);\n x41 = (uint8_t)(x40 & UINT8_C(0xff));\n x42 = (x40 >> 8);\n x43 = (uint8_t)(x42 & UINT8_C(0xff));\n x44 = (x42 >> 8);\n x45 = (uint8_t)(x44 & UINT8_C(0xff));\n x46 = (uint8_t)(x44 >> 8);\n x47 = (uint8_t)(x1 & UINT8_C(0xff));\n x48 = (x1 >> 8);\n x49 = (uint8_t)(x48 & UINT8_C(0xff));\n x50 = (x48 >> 8);\n x51 = (uint8_t)(x50 & UINT8_C(0xff));\n x52 = (x50 >> 8);\n x53 = (uint8_t)(x52 & UINT8_C(0xff));\n x54 = (x52 >> 8);\n x55 = (uint8_t)(x54 & UINT8_C(0xff));\n x56 = (x54 >> 8);\n x57 = (uint8_t)(x56 & UINT8_C(0xff));\n x58 = (x56 >> 8);\n x59 = (uint8_t)(x58 & UINT8_C(0xff));\n x60 = (uint8_t)(x58 >> 8);\n out1[0] = x5;\n out1[1] = x7;\n out1[2] = x9;\n out1[3] = x11;\n out1[4] = x13;\n out1[5] = x15;\n out1[6] = x17;\n out1[7] = x18;\n out1[8] = x19;\n out1[9] = x21;\n out1[10] = x23;\n out1[11] = x25;\n out1[12] = x27;\n out1[13] = x29;\n out1[14] = x31;\n out1[15] = x32;\n out1[16] = x33;\n out1[17] = x35;\n out1[18] = x37;\n out1[19] = x39;\n out1[20] = x41;\n out1[21] = x43;\n out1[22] = x45;\n out1[23] = x46;\n out1[24] = x47;\n out1[25] = x49;\n out1[26] = x51;\n out1[27] = x53;\n out1[28] = x55;\n out1[29] = x57;\n out1[30] = x59;\n out1[31] = x60;\n}\n\n/*\n * The function fiat_p256_from_bytes deserializes a field element NOT in the Montgomery domain from bytes in little-endian order.\n *\n * Preconditions:\n * 0 ≤ bytes_eval arg1 < m\n * Postconditions:\n * eval out1 mod m = bytes_eval arg1 mod m\n * 0 ≤ eval out1 < m\n *\n * Input Bounds:\n * arg1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff]]\n * Output Bounds:\n * out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]\n */\nstatic FIAT_P256_FIAT_INLINE void fiat_p256_from_bytes(uint64_t out1[4], const uint8_t arg1[32]) {\n uint64_t x1;\n uint64_t x2;\n uint64_t x3;\n uint64_t x4;\n uint64_t x5;\n uint64_t x6;\n uint64_t x7;\n uint8_t x8;\n uint64_t x9;\n uint64_t x10;\n uint64_t x11;\n uint64_t x12;\n uint64_t x13;\n uint64_t x14;\n uint64_t x15;\n uint8_t x16;\n uint64_t x17;\n uint64_t x18;\n uint64_t x19;\n uint64_t x20;\n uint64_t x21;\n uint64_t x22;\n uint64_t x23;\n uint8_t x24;\n uint64_t x25;\n uint64_t x26;\n uint64_t x27;\n uint64_t x28;\n uint64_t x29;\n uint64_t x30;\n uint64_t x31;\n uint8_t x32;\n uint64_t x33;\n uint64_t x34;\n uint64_t x35;\n uint64_t x36;\n uint64_t x37;\n uint64_t x38;\n uint64_t x39;\n uint64_t x40;\n uint64_t x41;\n uint64_t x42;\n uint64_t x43;\n uint64_t x44;\n uint64_t x45;\n uint64_t x46;\n uint64_t x47;\n uint64_t x48;\n uint64_t x49;\n uint64_t x50;\n uint64_t x51;\n uint64_t x52;\n uint64_t x53;\n uint64_t x54;\n uint64_t x55;\n uint64_t x56;\n uint64_t x57;\n uint64_t x58;\n uint64_t x59;\n uint64_t x60;\n x1 = ((uint64_t)(arg1[31]) << 56);\n x2 = ((uint64_t)(arg1[30]) << 48);\n x3 = ((uint64_t)(arg1[29]) << 40);\n x4 = ((uint64_t)(arg1[28]) << 32);\n x5 = ((uint64_t)(arg1[27]) << 24);\n x6 = ((uint64_t)(arg1[26]) << 16);\n x7 = ((uint64_t)(arg1[25]) << 8);\n x8 = (arg1[24]);\n x9 = ((uint64_t)(arg1[23]) << 56);\n x10 = ((uint64_t)(arg1[22]) << 48);\n x11 = ((uint64_t)(arg1[21]) << 40);\n x12 = ((uint64_t)(arg1[20]) << 32);\n x13 = ((uint64_t)(arg1[19]) << 24);\n x14 = ((uint64_t)(arg1[18]) << 16);\n x15 = ((uint64_t)(arg1[17]) << 8);\n x16 = (arg1[16]);\n x17 = ((uint64_t)(arg1[15]) << 56);\n x18 = ((uint64_t)(arg1[14]) << 48);\n x19 = ((uint64_t)(arg1[13]) << 40);\n x20 = ((uint64_t)(arg1[12]) << 32);\n x21 = ((uint64_t)(arg1[11]) << 24);\n x22 = ((uint64_t)(arg1[10]) << 16);\n x23 = ((uint64_t)(arg1[9]) << 8);\n x24 = (arg1[8]);\n x25 = ((uint64_t)(arg1[7]) << 56);\n x26 = ((uint64_t)(arg1[6]) << 48);\n x27 = ((uint64_t)(arg1[5]) << 40);\n x28 = ((uint64_t)(arg1[4]) << 32);\n x29 = ((uint64_t)(arg1[3]) << 24);\n x30 = ((uint64_t)(arg1[2]) << 16);\n x31 = ((uint64_t)(arg1[1]) << 8);\n x32 = (arg1[0]);\n x33 = (x31 + (uint64_t)x32);\n x34 = (x30 + x33);\n x35 = (x29 + x34);\n x36 = (x28 + x35);\n x37 = (x27 + x36);\n x38 = (x26 + x37);\n x39 = (x25 + x38);\n x40 = (x23 + (uint64_t)x24);\n x41 = (x22 + x40);\n x42 = (x21 + x41);\n x43 = (x20 + x42);\n x44 = (x19 + x43);\n x45 = (x18 + x44);\n x46 = (x17 + x45);\n x47 = (x15 + (uint64_t)x16);\n x48 = (x14 + x47);\n x49 = (x13 + x48);\n x50 = (x12 + x49);\n x51 = (x11 + x50);\n x52 = (x10 + x51);\n x53 = (x9 + x52);\n x54 = (x7 + (uint64_t)x8);\n x55 = (x6 + x54);\n x56 = (x5 + x55);\n x57 = (x4 + x56);\n x58 = (x3 + x57);\n x59 = (x2 + x58);\n x60 = (x1 + x59);\n out1[0] = x39;\n out1[1] = x46;\n out1[2] = x53;\n out1[3] = x60;\n}\n\n/*\n * The function fiat_p256_set_one returns the field element one in the Montgomery domain.\n *\n * Postconditions:\n * eval (from_montgomery out1) mod m = 1 mod m\n * 0 ≤ eval out1 < m\n *\n */\nstatic FIAT_P256_FIAT_INLINE void fiat_p256_set_one(fiat_p256_montgomery_domain_field_element out1) {\n out1[0] = 0x1;\n out1[1] = UINT64_C(0xffffffff00000000);\n out1[2] = UINT64_C(0xffffffffffffffff);\n out1[3] = UINT32_C(0xfffffffe);\n}\n\n/*\n * The function fiat_p256_msat returns the saturated representation of the prime modulus.\n *\n * Postconditions:\n * twos_complement_eval out1 = m\n * 0 ≤ eval out1 < m\n *\n * Output Bounds:\n * out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]\n */\nstatic FIAT_P256_FIAT_INLINE void fiat_p256_msat(uint64_t out1[5]) {\n out1[0] = UINT64_C(0xffffffffffffffff);\n out1[1] = UINT32_C(0xffffffff);\n out1[2] = 0x0;\n out1[3] = UINT64_C(0xffffffff00000001);\n out1[4] = 0x0;\n}\n\n/*\n * The function fiat_p256_divstep computes a divstep.\n *\n * Preconditions:\n * 0 ≤ eval arg4 < m\n * 0 ≤ eval arg5 < m\n * Postconditions:\n * out1 = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then 1 - arg1 else 1 + arg1)\n * twos_complement_eval out2 = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then twos_complement_eval arg3 else twos_complement_eval arg2)\n * twos_complement_eval out3 = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then ⌊(twos_complement_eval arg3 - twos_complement_eval arg2) / 2⌋ else ⌊(twos_complement_eval arg3 + (twos_complement_eval arg3 mod 2) * twos_complement_eval arg2) / 2⌋)\n * eval (from_montgomery out4) mod m = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then (2 * eval (from_montgomery arg5)) mod m else (2 * eval (from_montgomery arg4)) mod m)\n * eval (from_montgomery out5) mod m = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then (eval (from_montgomery arg4) - eval (from_montgomery arg4)) mod m else (eval (from_montgomery arg5) + (twos_complement_eval arg3 mod 2) * eval (from_montgomery arg4)) mod m)\n * 0 ≤ eval out5 < m\n * 0 ≤ eval out5 < m\n * 0 ≤ eval out2 < m\n * 0 ≤ eval out3 < m\n *\n * Input Bounds:\n * arg1: [0x0 ~> 0xffffffffffffffff]\n * arg2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]\n * arg3: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]\n * arg4: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]\n * arg5: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]\n * Output Bounds:\n * out1: [0x0 ~> 0xffffffffffffffff]\n * out2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]\n * out3: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]\n * out4: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]\n * out5: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]\n */\nstatic FIAT_P256_FIAT_INLINE void fiat_p256_divstep(uint64_t* out1, uint64_t out2[5], uint64_t out3[5], uint64_t out4[4], uint64_t out5[4], uint64_t arg1, const uint64_t arg2[5], const uint64_t arg3[5], const uint64_t arg4[4], const uint64_t arg5[4]) {\n uint64_t x1;\n fiat_p256_uint1 x2;\n fiat_p256_uint1 x3;\n uint64_t x4;\n fiat_p256_uint1 x5;\n uint64_t x6;\n uint64_t x7;\n uint64_t x8;\n uint64_t x9;\n uint64_t x10;\n uint64_t x11;\n uint64_t x12;\n fiat_p256_uint1 x13;\n uint64_t x14;\n fiat_p256_uint1 x15;\n uint64_t x16;\n fiat_p256_uint1 x17;\n uint64_t x18;\n fiat_p256_uint1 x19;\n uint64_t x20;\n fiat_p256_uint1 x21;\n uint64_t x22;\n uint64_t x23;\n uint64_t x24;\n uint64_t x25;\n uint64_t x26;\n uint64_t x27;\n uint64_t x28;\n uint64_t x29;\n uint64_t x30;\n uint64_t x31;\n fiat_p256_uint1 x32;\n uint64_t x33;\n fiat_p256_uint1 x34;\n uint64_t x35;\n fiat_p256_uint1 x36;\n uint64_t x37;\n fiat_p256_uint1 x38;\n uint64_t x39;\n fiat_p256_uint1 x40;\n uint64_t x41;\n fiat_p256_uint1 x42;\n uint64_t x43;\n fiat_p256_uint1 x44;\n uint64_t x45;\n fiat_p256_uint1 x46;\n uint64_t x47;\n fiat_p256_uint1 x48;\n uint64_t x49;\n uint64_t x50;\n uint64_t x51;\n uint64_t x52;\n uint64_t x53;\n fiat_p256_uint1 x54;\n uint64_t x55;\n fiat_p256_uint1 x56;\n uint64_t x57;\n fiat_p256_uint1 x58;\n uint64_t x59;\n fiat_p256_uint1 x60;\n uint64_t x61;\n uint64_t x62;\n fiat_p256_uint1 x63;\n uint64_t x64;\n fiat_p256_uint1 x65;\n uint64_t x66;\n fiat_p256_uint1 x67;\n uint64_t x68;\n fiat_p256_uint1 x69;\n uint64_t x70;\n uint64_t x71;\n uint64_t x72;\n uint64_t x73;\n fiat_p256_uint1 x74;\n uint64_t x75;\n uint64_t x76;\n uint64_t x77;\n uint64_t x78;\n uint64_t x79;\n uint64_t x80;\n fiat_p256_uint1 x81;\n uint64_t x82;\n fiat_p256_uint1 x83;\n uint64_t x84;\n fiat_p256_uint1 x85;\n uint64_t x86;\n fiat_p256_uint1 x87;\n uint64_t x88;\n fiat_p256_uint1 x89;\n uint64_t x90;\n uint64_t x91;\n uint64_t x92;\n uint64_t x93;\n uint64_t x94;\n fiat_p256_uint1 x95;\n uint64_t x96;\n fiat_p256_uint1 x97;\n uint64_t x98;\n fiat_p256_uint1 x99;\n uint64_t x100;\n fiat_p256_uint1 x101;\n uint64_t x102;\n fiat_p256_uint1 x103;\n uint64_t x104;\n fiat_p256_uint1 x105;\n uint64_t x106;\n fiat_p256_uint1 x107;\n uint64_t x108;\n fiat_p256_uint1 x109;\n uint64_t x110;\n fiat_p256_uint1 x111;\n uint64_t x112;\n fiat_p256_uint1 x113;\n uint64_t x114;\n uint64_t x115;\n uint64_t x116;\n uint64_t x117;\n uint64_t x118;\n uint64_t x119;\n uint64_t x120;\n uint64_t x121;\n uint64_t x122;\n uint64_t x123;\n uint64_t x124;\n uint64_t x125;\n uint64_t x126;\n fiat_p256_addcarryx_u64(&x1, &x2, 0x0, (~arg1), 0x1);\n x3 = (fiat_p256_uint1)((fiat_p256_uint1)(x1 >> 63) & (fiat_p256_uint1)((arg3[0]) & 0x1));\n fiat_p256_addcarryx_u64(&x4, &x5, 0x0, (~arg1), 0x1);\n fiat_p256_cmovznz_u64(&x6, x3, arg1, x4);\n fiat_p256_cmovznz_u64(&x7, x3, (arg2[0]), (arg3[0]));\n fiat_p256_cmovznz_u64(&x8, x3, (arg2[1]), (arg3[1]));\n fiat_p256_cmovznz_u64(&x9, x3, (arg2[2]), (arg3[2]));\n fiat_p256_cmovznz_u64(&x10, x3, (arg2[3]), (arg3[3]));\n fiat_p256_cmovznz_u64(&x11, x3, (arg2[4]), (arg3[4]));\n fiat_p256_addcarryx_u64(&x12, &x13, 0x0, 0x1, (~(arg2[0])));\n fiat_p256_addcarryx_u64(&x14, &x15, x13, 0x0, (~(arg2[1])));\n fiat_p256_addcarryx_u64(&x16, &x17, x15, 0x0, (~(arg2[2])));\n fiat_p256_addcarryx_u64(&x18, &x19, x17, 0x0, (~(arg2[3])));\n fiat_p256_addcarryx_u64(&x20, &x21, x19, 0x0, (~(arg2[4])));\n fiat_p256_cmovznz_u64(&x22, x3, (arg3[0]), x12);\n fiat_p256_cmovznz_u64(&x23, x3, (arg3[1]), x14);\n fiat_p256_cmovznz_u64(&x24, x3, (arg3[2]), x16);\n fiat_p256_cmovznz_u64(&x25, x3, (arg3[3]), x18);\n fiat_p256_cmovznz_u64(&x26, x3, (arg3[4]), x20);\n fiat_p256_cmovznz_u64(&x27, x3, (arg4[0]), (arg5[0]));\n fiat_p256_cmovznz_u64(&x28, x3, (arg4[1]), (arg5[1]));\n fiat_p256_cmovznz_u64(&x29, x3, (arg4[2]), (arg5[2]));\n fiat_p256_cmovznz_u64(&x30, x3, (arg4[3]), (arg5[3]));\n fiat_p256_addcarryx_u64(&x31, &x32, 0x0, x27, x27);\n fiat_p256_addcarryx_u64(&x33, &x34, x32, x28, x28);\n fiat_p256_addcarryx_u64(&x35, &x36, x34, x29, x29);\n fiat_p256_addcarryx_u64(&x37, &x38, x36, x30, x30);\n fiat_p256_subborrowx_u64(&x39, &x40, 0x0, x31, UINT64_C(0xffffffffffffffff));\n fiat_p256_subborrowx_u64(&x41, &x42, x40, x33, UINT32_C(0xffffffff));\n fiat_p256_subborrowx_u64(&x43, &x44, x42, x35, 0x0);\n fiat_p256_subborrowx_u64(&x45, &x46, x44, x37, UINT64_C(0xffffffff00000001));\n fiat_p256_subborrowx_u64(&x47, &x48, x46, x38, 0x0);\n x49 = (arg4[3]);\n x50 = (arg4[2]);\n x51 = (arg4[1]);\n x52 = (arg4[0]);\n fiat_p256_subborrowx_u64(&x53, &x54, 0x0, 0x0, x52);\n fiat_p256_subborrowx_u64(&x55, &x56, x54, 0x0, x51);\n fiat_p256_subborrowx_u64(&x57, &x58, x56, 0x0, x50);\n fiat_p256_subborrowx_u64(&x59, &x60, x58, 0x0, x49);\n fiat_p256_cmovznz_u64(&x61, x60, 0x0, UINT64_C(0xffffffffffffffff));\n fiat_p256_addcarryx_u64(&x62, &x63, 0x0, x53, x61);\n fiat_p256_addcarryx_u64(&x64, &x65, x63, x55, (x61 & UINT32_C(0xffffffff)));\n fiat_p256_addcarryx_u64(&x66, &x67, x65, x57, 0x0);\n fiat_p256_addcarryx_u64(&x68, &x69, x67, x59, (x61 & UINT64_C(0xffffffff00000001)));\n fiat_p256_cmovznz_u64(&x70, x3, (arg5[0]), x62);\n fiat_p256_cmovznz_u64(&x71, x3, (arg5[1]), x64);\n fiat_p256_cmovznz_u64(&x72, x3, (arg5[2]), x66);\n fiat_p256_cmovznz_u64(&x73, x3, (arg5[3]), x68);\n x74 = (fiat_p256_uint1)(x22 & 0x1);\n fiat_p256_cmovznz_u64(&x75, x74, 0x0, x7);\n fiat_p256_cmovznz_u64(&x76, x74, 0x0, x8);\n fiat_p256_cmovznz_u64(&x77, x74, 0x0, x9);\n fiat_p256_cmovznz_u64(&x78, x74, 0x0, x10);\n fiat_p256_cmovznz_u64(&x79, x74, 0x0, x11);\n fiat_p256_addcarryx_u64(&x80, &x81, 0x0, x22, x75);\n fiat_p256_addcarryx_u64(&x82, &x83, x81, x23, x76);\n fiat_p256_addcarryx_u64(&x84, &x85, x83, x24, x77);\n fiat_p256_addcarryx_u64(&x86, &x87, x85, x25, x78);\n fiat_p256_addcarryx_u64(&x88, &x89, x87, x26, x79);\n fiat_p256_cmovznz_u64(&x90, x74, 0x0, x27);\n fiat_p256_cmovznz_u64(&x91, x74, 0x0, x28);\n fiat_p256_cmovznz_u64(&x92, x74, 0x0, x29);\n fiat_p256_cmovznz_u64(&x93, x74, 0x0, x30);\n fiat_p256_addcarryx_u64(&x94, &x95, 0x0, x70, x90);\n fiat_p256_addcarryx_u64(&x96, &x97, x95, x71, x91);\n fiat_p256_addcarryx_u64(&x98, &x99, x97, x72, x92);\n fiat_p256_addcarryx_u64(&x100, &x101, x99, x73, x93);\n fiat_p256_subborrowx_u64(&x102, &x103, 0x0, x94, UINT64_C(0xffffffffffffffff));\n fiat_p256_subborrowx_u64(&x104, &x105, x103, x96, UINT32_C(0xffffffff));\n fiat_p256_subborrowx_u64(&x106, &x107, x105, x98, 0x0);\n fiat_p256_subborrowx_u64(&x108, &x109, x107, x100, UINT64_C(0xffffffff00000001));\n fiat_p256_subborrowx_u64(&x110, &x111, x109, x101, 0x0);\n fiat_p256_addcarryx_u64(&x112, &x113, 0x0, x6, 0x1);\n x114 = ((x80 >> 1) | ((x82 << 63) & UINT64_C(0xffffffffffffffff)));\n x115 = ((x82 >> 1) | ((x84 << 63) & UINT64_C(0xffffffffffffffff)));\n x116 = ((x84 >> 1) | ((x86 << 63) & UINT64_C(0xffffffffffffffff)));\n x117 = ((x86 >> 1) | ((x88 << 63) & UINT64_C(0xffffffffffffffff)));\n x118 = ((x88 & UINT64_C(0x8000000000000000)) | (x88 >> 1));\n fiat_p256_cmovznz_u64(&x119, x48, x39, x31);\n fiat_p256_cmovznz_u64(&x120, x48, x41, x33);\n fiat_p256_cmovznz_u64(&x121, x48, x43, x35);\n fiat_p256_cmovznz_u64(&x122, x48, x45, x37);\n fiat_p256_cmovznz_u64(&x123, x111, x102, x94);\n fiat_p256_cmovznz_u64(&x124, x111, x104, x96);\n fiat_p256_cmovznz_u64(&x125, x111, x106, x98);\n fiat_p256_cmovznz_u64(&x126, x111, x108, x100);\n *out1 = x112;\n out2[0] = x7;\n out2[1] = x8;\n out2[2] = x9;\n out2[3] = x10;\n out2[4] = x11;\n out3[0] = x114;\n out3[1] = x115;\n out3[2] = x116;\n out3[3] = x117;\n out3[4] = x118;\n out4[0] = x119;\n out4[1] = x120;\n out4[2] = x121;\n out4[3] = x122;\n out5[0] = x123;\n out5[1] = x124;\n out5[2] = x125;\n out5[3] = x126;\n}\n\n/*\n * The function fiat_p256_divstep_precomp returns the precomputed value for Bernstein-Yang-inversion (in montgomery form).\n *\n * Postconditions:\n * eval (from_montgomery out1) = ⌊(m - 1) / 2⌋^(if ⌊log2 m⌋ + 1 < 46 then ⌊(49 * (⌊log2 m⌋ + 1) + 80) / 17⌋ else ⌊(49 * (⌊log2 m⌋ + 1) + 57) / 17⌋)\n * 0 ≤ eval out1 < m\n *\n * Output Bounds:\n * out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]\n */\nstatic FIAT_P256_FIAT_INLINE void fiat_p256_divstep_precomp(uint64_t out1[4]) {\n out1[0] = UINT64_C(0x67ffffffb8000000);\n out1[1] = UINT64_C(0xc000000038000000);\n out1[2] = UINT64_C(0xd80000007fffffff);\n out1[3] = UINT64_C(0x2fffffffffffffff);\n}\n" }, { "path": "Sources/CNIOBoringSSL/third_party/fiat/p256_64_msvc.h", "content": "/* Autogenerated: 'src/ExtractionOCaml/word_by_word_montgomery' --inline --static --use-value-barrier --no-wide-int p256 64 '2^256 - 2^224 + 2^192 + 2^96 - 1' mul square add sub opp from_montgomery to_montgomery nonzero selectznz to_bytes from_bytes one msat divstep divstep_precomp */\n/* curve description: p256 */\n/* machine_wordsize = 64 (from \"64\") */\n/* requested operations: mul, square, add, sub, opp, from_montgomery, to_montgomery, nonzero, selectznz, to_bytes, from_bytes, one, msat, divstep, divstep_precomp */\n/* m = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff (from \"2^256 - 2^224 + 2^192 + 2^96 - 1\") */\n/* */\n/* NOTE: In addition to the bounds specified above each function, all */\n/* functions synthesized for this Montgomery arithmetic require the */\n/* input to be strictly less than the prime modulus (m), and also */\n/* require the input to be in the unique saturated representation. */\n/* All functions also ensure that these two properties are true of */\n/* return values. */\n/* */\n/* Computed values: */\n/* eval z = z[0] + (z[1] << 64) + (z[2] << 128) + (z[3] << 192) */\n/* bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) */\n/* twos_complement_eval z = let x1 := z[0] + (z[1] << 64) + (z[2] << 128) + (z[3] << 192) in */\n/* if x1 & (2^256-1) < 2^255 then x1 & (2^256-1) else (x1 & (2^256-1)) - 2^256 */\n\n#include \n#include \n#if defined(_M_X64)\n#include \n#endif\n\ntypedef unsigned char fiat_p256_uint1;\ntypedef signed char fiat_p256_int1;\n\n#define FIAT_P256_FIAT_INLINE inline\n\n/* The type fiat_p256_montgomery_domain_field_element is a field element in the Montgomery domain. */\n/* Bounds: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] */\ntypedef uint64_t fiat_p256_montgomery_domain_field_element[4];\n\n/* The type fiat_p256_non_montgomery_domain_field_element is a field element NOT in the Montgomery domain. */\n/* Bounds: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] */\ntypedef uint64_t fiat_p256_non_montgomery_domain_field_element[4];\n\n#if (-1 & 3) != 3\n#error \"This code only works on a two's complement system\"\n#endif\n\n#define fiat_p256_value_barrier_u64(x) (x)\n\n\n/*\n * The function fiat_p256_addcarryx_u64 is an addition with carry.\n *\n * Postconditions:\n * out1 = (arg1 + arg2 + arg3) mod 2^64\n * out2 = ⌊(arg1 + arg2 + arg3) / 2^64⌋\n *\n * Input Bounds:\n * arg1: [0x0 ~> 0x1]\n * arg2: [0x0 ~> 0xffffffffffffffff]\n * arg3: [0x0 ~> 0xffffffffffffffff]\n * Output Bounds:\n * out1: [0x0 ~> 0xffffffffffffffff]\n * out2: [0x0 ~> 0x1]\n */\nstatic FIAT_P256_FIAT_INLINE void fiat_p256_addcarryx_u64(uint64_t* out1, fiat_p256_uint1* out2, fiat_p256_uint1 arg1, uint64_t arg2, uint64_t arg3) {\n#if defined(_M_X64)\n *out2 = _addcarry_u64(arg1, arg2, arg3, out1);\n#else\n arg2 += arg1;\n arg1 = arg2 < arg1;\n arg3 += arg2;\n arg1 += arg3 < arg2;\n *out1 = arg3;\n *out2 = arg1;\n#endif\n}\n\n/*\n * The function fiat_p256_subborrowx_u64 is a subtraction with borrow.\n *\n * Postconditions:\n * out1 = (-arg1 + arg2 + -arg3) mod 2^64\n * out2 = -⌊(-arg1 + arg2 + -arg3) / 2^64⌋\n *\n * Input Bounds:\n * arg1: [0x0 ~> 0x1]\n * arg2: [0x0 ~> 0xffffffffffffffff]\n * arg3: [0x0 ~> 0xffffffffffffffff]\n * Output Bounds:\n * out1: [0x0 ~> 0xffffffffffffffff]\n * out2: [0x0 ~> 0x1]\n */\nstatic FIAT_P256_FIAT_INLINE void fiat_p256_subborrowx_u64(uint64_t* out1, fiat_p256_uint1* out2, fiat_p256_uint1 arg1, uint64_t arg2, uint64_t arg3) {\n#if defined(_M_X64)\n *out2 = _subborrow_u64(arg1, arg2, arg3, out1); // NOTE: edited after generation\n#else\n *out1 = arg2 - arg3 - arg1;\n *out2 = (arg2 < arg3) | ((arg2 == arg3) & arg1);\n#endif\n}\n\n/*\n * The function fiat_p256_mulx_u64 is a multiplication, returning the full double-width result.\n *\n * Postconditions:\n * out1 = (arg1 * arg2) mod 2^64\n * out2 = ⌊arg1 * arg2 / 2^64⌋\n *\n * Input Bounds:\n * arg1: [0x0 ~> 0xffffffffffffffff]\n * arg2: [0x0 ~> 0xffffffffffffffff]\n * Output Bounds:\n * out1: [0x0 ~> 0xffffffffffffffff]\n * out2: [0x0 ~> 0xffffffffffffffff]\n */\nstatic FIAT_P256_FIAT_INLINE void fiat_p256_mulx_u64(uint64_t* out1, uint64_t* out2, uint64_t arg1, uint64_t arg2) {\n// NOTE: edited after generation\n#if defined(_M_X64)\n *out1 = _umul128(arg1, arg2, out2);\n#elif defined(_M_ARM64)\n *out1 = arg1 * arg2;\n *out2 = __umulh(arg1, arg2);\n#else\n#error \"This file is intended for MSVC on X64 or ARM64\"\n#endif\n}\n\n/*\n * The function fiat_p256_cmovznz_u64 is a single-word conditional move.\n *\n * Postconditions:\n * out1 = (if arg1 = 0 then arg2 else arg3)\n *\n * Input Bounds:\n * arg1: [0x0 ~> 0x1]\n * arg2: [0x0 ~> 0xffffffffffffffff]\n * arg3: [0x0 ~> 0xffffffffffffffff]\n * Output Bounds:\n * out1: [0x0 ~> 0xffffffffffffffff]\n */\nstatic FIAT_P256_FIAT_INLINE void fiat_p256_cmovznz_u64(uint64_t* out1, fiat_p256_uint1 arg1, uint64_t arg2, uint64_t arg3) {\n fiat_p256_uint1 x1;\n uint64_t x2;\n uint64_t x3;\n x1 = (!(!arg1));\n x2 = ((fiat_p256_int1)(0x0 - x1) & UINT64_C(0xffffffffffffffff));\n x3 = ((fiat_p256_value_barrier_u64(x2) & arg3) | (fiat_p256_value_barrier_u64((~x2)) & arg2));\n *out1 = x3;\n}\n\n/*\n * The function fiat_p256_mul multiplies two field elements in the Montgomery domain.\n *\n * Preconditions:\n * 0 ≤ eval arg1 < m\n * 0 ≤ eval arg2 < m\n * Postconditions:\n * eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) * eval (from_montgomery arg2)) mod m\n * 0 ≤ eval out1 < m\n *\n */\nstatic FIAT_P256_FIAT_INLINE void fiat_p256_mul(fiat_p256_montgomery_domain_field_element out1, const fiat_p256_montgomery_domain_field_element arg1, const fiat_p256_montgomery_domain_field_element arg2) {\n uint64_t x1;\n uint64_t x2;\n uint64_t x3;\n uint64_t x4;\n uint64_t x5;\n uint64_t x6;\n uint64_t x7;\n uint64_t x8;\n uint64_t x9;\n uint64_t x10;\n uint64_t x11;\n uint64_t x12;\n uint64_t x13;\n fiat_p256_uint1 x14;\n uint64_t x15;\n fiat_p256_uint1 x16;\n uint64_t x17;\n fiat_p256_uint1 x18;\n uint64_t x19;\n uint64_t x20;\n uint64_t x21;\n uint64_t x22;\n uint64_t x23;\n uint64_t x24;\n uint64_t x25;\n uint64_t x26;\n fiat_p256_uint1 x27;\n uint64_t x28;\n uint64_t x29;\n fiat_p256_uint1 x30;\n uint64_t x31;\n fiat_p256_uint1 x32;\n uint64_t x33;\n fiat_p256_uint1 x34;\n uint64_t x35;\n fiat_p256_uint1 x36;\n uint64_t x37;\n fiat_p256_uint1 x38;\n uint64_t x39;\n uint64_t x40;\n uint64_t x41;\n uint64_t x42;\n uint64_t x43;\n uint64_t x44;\n uint64_t x45;\n uint64_t x46;\n uint64_t x47;\n fiat_p256_uint1 x48;\n uint64_t x49;\n fiat_p256_uint1 x50;\n uint64_t x51;\n fiat_p256_uint1 x52;\n uint64_t x53;\n uint64_t x54;\n fiat_p256_uint1 x55;\n uint64_t x56;\n fiat_p256_uint1 x57;\n uint64_t x58;\n fiat_p256_uint1 x59;\n uint64_t x60;\n fiat_p256_uint1 x61;\n uint64_t x62;\n fiat_p256_uint1 x63;\n uint64_t x64;\n uint64_t x65;\n uint64_t x66;\n uint64_t x67;\n uint64_t x68;\n uint64_t x69;\n uint64_t x70;\n fiat_p256_uint1 x71;\n uint64_t x72;\n uint64_t x73;\n fiat_p256_uint1 x74;\n uint64_t x75;\n fiat_p256_uint1 x76;\n uint64_t x77;\n fiat_p256_uint1 x78;\n uint64_t x79;\n fiat_p256_uint1 x80;\n uint64_t x81;\n fiat_p256_uint1 x82;\n uint64_t x83;\n uint64_t x84;\n uint64_t x85;\n uint64_t x86;\n uint64_t x87;\n uint64_t x88;\n uint64_t x89;\n uint64_t x90;\n uint64_t x91;\n uint64_t x92;\n fiat_p256_uint1 x93;\n uint64_t x94;\n fiat_p256_uint1 x95;\n uint64_t x96;\n fiat_p256_uint1 x97;\n uint64_t x98;\n uint64_t x99;\n fiat_p256_uint1 x100;\n uint64_t x101;\n fiat_p256_uint1 x102;\n uint64_t x103;\n fiat_p256_uint1 x104;\n uint64_t x105;\n fiat_p256_uint1 x106;\n uint64_t x107;\n fiat_p256_uint1 x108;\n uint64_t x109;\n uint64_t x110;\n uint64_t x111;\n uint64_t x112;\n uint64_t x113;\n uint64_t x114;\n uint64_t x115;\n fiat_p256_uint1 x116;\n uint64_t x117;\n uint64_t x118;\n fiat_p256_uint1 x119;\n uint64_t x120;\n fiat_p256_uint1 x121;\n uint64_t x122;\n fiat_p256_uint1 x123;\n uint64_t x124;\n fiat_p256_uint1 x125;\n uint64_t x126;\n fiat_p256_uint1 x127;\n uint64_t x128;\n uint64_t x129;\n uint64_t x130;\n uint64_t x131;\n uint64_t x132;\n uint64_t x133;\n uint64_t x134;\n uint64_t x135;\n uint64_t x136;\n uint64_t x137;\n fiat_p256_uint1 x138;\n uint64_t x139;\n fiat_p256_uint1 x140;\n uint64_t x141;\n fiat_p256_uint1 x142;\n uint64_t x143;\n uint64_t x144;\n fiat_p256_uint1 x145;\n uint64_t x146;\n fiat_p256_uint1 x147;\n uint64_t x148;\n fiat_p256_uint1 x149;\n uint64_t x150;\n fiat_p256_uint1 x151;\n uint64_t x152;\n fiat_p256_uint1 x153;\n uint64_t x154;\n uint64_t x155;\n uint64_t x156;\n uint64_t x157;\n uint64_t x158;\n uint64_t x159;\n uint64_t x160;\n fiat_p256_uint1 x161;\n uint64_t x162;\n uint64_t x163;\n fiat_p256_uint1 x164;\n uint64_t x165;\n fiat_p256_uint1 x166;\n uint64_t x167;\n fiat_p256_uint1 x168;\n uint64_t x169;\n fiat_p256_uint1 x170;\n uint64_t x171;\n fiat_p256_uint1 x172;\n uint64_t x173;\n uint64_t x174;\n fiat_p256_uint1 x175;\n uint64_t x176;\n fiat_p256_uint1 x177;\n uint64_t x178;\n fiat_p256_uint1 x179;\n uint64_t x180;\n fiat_p256_uint1 x181;\n uint64_t x182;\n fiat_p256_uint1 x183;\n uint64_t x184;\n uint64_t x185;\n uint64_t x186;\n uint64_t x187;\n x1 = (arg1[1]);\n x2 = (arg1[2]);\n x3 = (arg1[3]);\n x4 = (arg1[0]);\n fiat_p256_mulx_u64(&x5, &x6, x4, (arg2[3]));\n fiat_p256_mulx_u64(&x7, &x8, x4, (arg2[2]));\n fiat_p256_mulx_u64(&x9, &x10, x4, (arg2[1]));\n fiat_p256_mulx_u64(&x11, &x12, x4, (arg2[0]));\n fiat_p256_addcarryx_u64(&x13, &x14, 0x0, x12, x9);\n fiat_p256_addcarryx_u64(&x15, &x16, x14, x10, x7);\n fiat_p256_addcarryx_u64(&x17, &x18, x16, x8, x5);\n x19 = (x18 + x6);\n fiat_p256_mulx_u64(&x20, &x21, x11, UINT64_C(0xffffffff00000001));\n fiat_p256_mulx_u64(&x22, &x23, x11, UINT32_C(0xffffffff));\n fiat_p256_mulx_u64(&x24, &x25, x11, UINT64_C(0xffffffffffffffff));\n fiat_p256_addcarryx_u64(&x26, &x27, 0x0, x25, x22);\n x28 = (x27 + x23);\n fiat_p256_addcarryx_u64(&x29, &x30, 0x0, x11, x24);\n fiat_p256_addcarryx_u64(&x31, &x32, x30, x13, x26);\n fiat_p256_addcarryx_u64(&x33, &x34, x32, x15, x28);\n fiat_p256_addcarryx_u64(&x35, &x36, x34, x17, x20);\n fiat_p256_addcarryx_u64(&x37, &x38, x36, x19, x21);\n fiat_p256_mulx_u64(&x39, &x40, x1, (arg2[3]));\n fiat_p256_mulx_u64(&x41, &x42, x1, (arg2[2]));\n fiat_p256_mulx_u64(&x43, &x44, x1, (arg2[1]));\n fiat_p256_mulx_u64(&x45, &x46, x1, (arg2[0]));\n fiat_p256_addcarryx_u64(&x47, &x48, 0x0, x46, x43);\n fiat_p256_addcarryx_u64(&x49, &x50, x48, x44, x41);\n fiat_p256_addcarryx_u64(&x51, &x52, x50, x42, x39);\n x53 = (x52 + x40);\n fiat_p256_addcarryx_u64(&x54, &x55, 0x0, x31, x45);\n fiat_p256_addcarryx_u64(&x56, &x57, x55, x33, x47);\n fiat_p256_addcarryx_u64(&x58, &x59, x57, x35, x49);\n fiat_p256_addcarryx_u64(&x60, &x61, x59, x37, x51);\n fiat_p256_addcarryx_u64(&x62, &x63, x61, x38, x53);\n fiat_p256_mulx_u64(&x64, &x65, x54, UINT64_C(0xffffffff00000001));\n fiat_p256_mulx_u64(&x66, &x67, x54, UINT32_C(0xffffffff));\n fiat_p256_mulx_u64(&x68, &x69, x54, UINT64_C(0xffffffffffffffff));\n fiat_p256_addcarryx_u64(&x70, &x71, 0x0, x69, x66);\n x72 = (x71 + x67);\n fiat_p256_addcarryx_u64(&x73, &x74, 0x0, x54, x68);\n fiat_p256_addcarryx_u64(&x75, &x76, x74, x56, x70);\n fiat_p256_addcarryx_u64(&x77, &x78, x76, x58, x72);\n fiat_p256_addcarryx_u64(&x79, &x80, x78, x60, x64);\n fiat_p256_addcarryx_u64(&x81, &x82, x80, x62, x65);\n x83 = ((uint64_t)x82 + x63);\n fiat_p256_mulx_u64(&x84, &x85, x2, (arg2[3]));\n fiat_p256_mulx_u64(&x86, &x87, x2, (arg2[2]));\n fiat_p256_mulx_u64(&x88, &x89, x2, (arg2[1]));\n fiat_p256_mulx_u64(&x90, &x91, x2, (arg2[0]));\n fiat_p256_addcarryx_u64(&x92, &x93, 0x0, x91, x88);\n fiat_p256_addcarryx_u64(&x94, &x95, x93, x89, x86);\n fiat_p256_addcarryx_u64(&x96, &x97, x95, x87, x84);\n x98 = (x97 + x85);\n fiat_p256_addcarryx_u64(&x99, &x100, 0x0, x75, x90);\n fiat_p256_addcarryx_u64(&x101, &x102, x100, x77, x92);\n fiat_p256_addcarryx_u64(&x103, &x104, x102, x79, x94);\n fiat_p256_addcarryx_u64(&x105, &x106, x104, x81, x96);\n fiat_p256_addcarryx_u64(&x107, &x108, x106, x83, x98);\n fiat_p256_mulx_u64(&x109, &x110, x99, UINT64_C(0xffffffff00000001));\n fiat_p256_mulx_u64(&x111, &x112, x99, UINT32_C(0xffffffff));\n fiat_p256_mulx_u64(&x113, &x114, x99, UINT64_C(0xffffffffffffffff));\n fiat_p256_addcarryx_u64(&x115, &x116, 0x0, x114, x111);\n x117 = (x116 + x112);\n fiat_p256_addcarryx_u64(&x118, &x119, 0x0, x99, x113);\n fiat_p256_addcarryx_u64(&x120, &x121, x119, x101, x115);\n fiat_p256_addcarryx_u64(&x122, &x123, x121, x103, x117);\n fiat_p256_addcarryx_u64(&x124, &x125, x123, x105, x109);\n fiat_p256_addcarryx_u64(&x126, &x127, x125, x107, x110);\n x128 = ((uint64_t)x127 + x108);\n fiat_p256_mulx_u64(&x129, &x130, x3, (arg2[3]));\n fiat_p256_mulx_u64(&x131, &x132, x3, (arg2[2]));\n fiat_p256_mulx_u64(&x133, &x134, x3, (arg2[1]));\n fiat_p256_mulx_u64(&x135, &x136, x3, (arg2[0]));\n fiat_p256_addcarryx_u64(&x137, &x138, 0x0, x136, x133);\n fiat_p256_addcarryx_u64(&x139, &x140, x138, x134, x131);\n fiat_p256_addcarryx_u64(&x141, &x142, x140, x132, x129);\n x143 = (x142 + x130);\n fiat_p256_addcarryx_u64(&x144, &x145, 0x0, x120, x135);\n fiat_p256_addcarryx_u64(&x146, &x147, x145, x122, x137);\n fiat_p256_addcarryx_u64(&x148, &x149, x147, x124, x139);\n fiat_p256_addcarryx_u64(&x150, &x151, x149, x126, x141);\n fiat_p256_addcarryx_u64(&x152, &x153, x151, x128, x143);\n fiat_p256_mulx_u64(&x154, &x155, x144, UINT64_C(0xffffffff00000001));\n fiat_p256_mulx_u64(&x156, &x157, x144, UINT32_C(0xffffffff));\n fiat_p256_mulx_u64(&x158, &x159, x144, UINT64_C(0xffffffffffffffff));\n fiat_p256_addcarryx_u64(&x160, &x161, 0x0, x159, x156);\n x162 = (x161 + x157);\n fiat_p256_addcarryx_u64(&x163, &x164, 0x0, x144, x158);\n fiat_p256_addcarryx_u64(&x165, &x166, x164, x146, x160);\n fiat_p256_addcarryx_u64(&x167, &x168, x166, x148, x162);\n fiat_p256_addcarryx_u64(&x169, &x170, x168, x150, x154);\n fiat_p256_addcarryx_u64(&x171, &x172, x170, x152, x155);\n x173 = ((uint64_t)x172 + x153);\n fiat_p256_subborrowx_u64(&x174, &x175, 0x0, x165, UINT64_C(0xffffffffffffffff));\n fiat_p256_subborrowx_u64(&x176, &x177, x175, x167, UINT32_C(0xffffffff));\n fiat_p256_subborrowx_u64(&x178, &x179, x177, x169, 0x0);\n fiat_p256_subborrowx_u64(&x180, &x181, x179, x171, UINT64_C(0xffffffff00000001));\n fiat_p256_subborrowx_u64(&x182, &x183, x181, x173, 0x0);\n fiat_p256_cmovznz_u64(&x184, x183, x174, x165);\n fiat_p256_cmovznz_u64(&x185, x183, x176, x167);\n fiat_p256_cmovznz_u64(&x186, x183, x178, x169);\n fiat_p256_cmovznz_u64(&x187, x183, x180, x171);\n out1[0] = x184;\n out1[1] = x185;\n out1[2] = x186;\n out1[3] = x187;\n}\n\n/*\n * The function fiat_p256_square squares a field element in the Montgomery domain.\n *\n * Preconditions:\n * 0 ≤ eval arg1 < m\n * Postconditions:\n * eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) * eval (from_montgomery arg1)) mod m\n * 0 ≤ eval out1 < m\n *\n */\nstatic FIAT_P256_FIAT_INLINE void fiat_p256_square(fiat_p256_montgomery_domain_field_element out1, const fiat_p256_montgomery_domain_field_element arg1) {\n uint64_t x1;\n uint64_t x2;\n uint64_t x3;\n uint64_t x4;\n uint64_t x5;\n uint64_t x6;\n uint64_t x7;\n uint64_t x8;\n uint64_t x9;\n uint64_t x10;\n uint64_t x11;\n uint64_t x12;\n uint64_t x13;\n fiat_p256_uint1 x14;\n uint64_t x15;\n fiat_p256_uint1 x16;\n uint64_t x17;\n fiat_p256_uint1 x18;\n uint64_t x19;\n uint64_t x20;\n uint64_t x21;\n uint64_t x22;\n uint64_t x23;\n uint64_t x24;\n uint64_t x25;\n uint64_t x26;\n fiat_p256_uint1 x27;\n uint64_t x28;\n uint64_t x29;\n fiat_p256_uint1 x30;\n uint64_t x31;\n fiat_p256_uint1 x32;\n uint64_t x33;\n fiat_p256_uint1 x34;\n uint64_t x35;\n fiat_p256_uint1 x36;\n uint64_t x37;\n fiat_p256_uint1 x38;\n uint64_t x39;\n uint64_t x40;\n uint64_t x41;\n uint64_t x42;\n uint64_t x43;\n uint64_t x44;\n uint64_t x45;\n uint64_t x46;\n uint64_t x47;\n fiat_p256_uint1 x48;\n uint64_t x49;\n fiat_p256_uint1 x50;\n uint64_t x51;\n fiat_p256_uint1 x52;\n uint64_t x53;\n uint64_t x54;\n fiat_p256_uint1 x55;\n uint64_t x56;\n fiat_p256_uint1 x57;\n uint64_t x58;\n fiat_p256_uint1 x59;\n uint64_t x60;\n fiat_p256_uint1 x61;\n uint64_t x62;\n fiat_p256_uint1 x63;\n uint64_t x64;\n uint64_t x65;\n uint64_t x66;\n uint64_t x67;\n uint64_t x68;\n uint64_t x69;\n uint64_t x70;\n fiat_p256_uint1 x71;\n uint64_t x72;\n uint64_t x73;\n fiat_p256_uint1 x74;\n uint64_t x75;\n fiat_p256_uint1 x76;\n uint64_t x77;\n fiat_p256_uint1 x78;\n uint64_t x79;\n fiat_p256_uint1 x80;\n uint64_t x81;\n fiat_p256_uint1 x82;\n uint64_t x83;\n uint64_t x84;\n uint64_t x85;\n uint64_t x86;\n uint64_t x87;\n uint64_t x88;\n uint64_t x89;\n uint64_t x90;\n uint64_t x91;\n uint64_t x92;\n fiat_p256_uint1 x93;\n uint64_t x94;\n fiat_p256_uint1 x95;\n uint64_t x96;\n fiat_p256_uint1 x97;\n uint64_t x98;\n uint64_t x99;\n fiat_p256_uint1 x100;\n uint64_t x101;\n fiat_p256_uint1 x102;\n uint64_t x103;\n fiat_p256_uint1 x104;\n uint64_t x105;\n fiat_p256_uint1 x106;\n uint64_t x107;\n fiat_p256_uint1 x108;\n uint64_t x109;\n uint64_t x110;\n uint64_t x111;\n uint64_t x112;\n uint64_t x113;\n uint64_t x114;\n uint64_t x115;\n fiat_p256_uint1 x116;\n uint64_t x117;\n uint64_t x118;\n fiat_p256_uint1 x119;\n uint64_t x120;\n fiat_p256_uint1 x121;\n uint64_t x122;\n fiat_p256_uint1 x123;\n uint64_t x124;\n fiat_p256_uint1 x125;\n uint64_t x126;\n fiat_p256_uint1 x127;\n uint64_t x128;\n uint64_t x129;\n uint64_t x130;\n uint64_t x131;\n uint64_t x132;\n uint64_t x133;\n uint64_t x134;\n uint64_t x135;\n uint64_t x136;\n uint64_t x137;\n fiat_p256_uint1 x138;\n uint64_t x139;\n fiat_p256_uint1 x140;\n uint64_t x141;\n fiat_p256_uint1 x142;\n uint64_t x143;\n uint64_t x144;\n fiat_p256_uint1 x145;\n uint64_t x146;\n fiat_p256_uint1 x147;\n uint64_t x148;\n fiat_p256_uint1 x149;\n uint64_t x150;\n fiat_p256_uint1 x151;\n uint64_t x152;\n fiat_p256_uint1 x153;\n uint64_t x154;\n uint64_t x155;\n uint64_t x156;\n uint64_t x157;\n uint64_t x158;\n uint64_t x159;\n uint64_t x160;\n fiat_p256_uint1 x161;\n uint64_t x162;\n uint64_t x163;\n fiat_p256_uint1 x164;\n uint64_t x165;\n fiat_p256_uint1 x166;\n uint64_t x167;\n fiat_p256_uint1 x168;\n uint64_t x169;\n fiat_p256_uint1 x170;\n uint64_t x171;\n fiat_p256_uint1 x172;\n uint64_t x173;\n uint64_t x174;\n fiat_p256_uint1 x175;\n uint64_t x176;\n fiat_p256_uint1 x177;\n uint64_t x178;\n fiat_p256_uint1 x179;\n uint64_t x180;\n fiat_p256_uint1 x181;\n uint64_t x182;\n fiat_p256_uint1 x183;\n uint64_t x184;\n uint64_t x185;\n uint64_t x186;\n uint64_t x187;\n x1 = (arg1[1]);\n x2 = (arg1[2]);\n x3 = (arg1[3]);\n x4 = (arg1[0]);\n fiat_p256_mulx_u64(&x5, &x6, x4, (arg1[3]));\n fiat_p256_mulx_u64(&x7, &x8, x4, (arg1[2]));\n fiat_p256_mulx_u64(&x9, &x10, x4, (arg1[1]));\n fiat_p256_mulx_u64(&x11, &x12, x4, (arg1[0]));\n fiat_p256_addcarryx_u64(&x13, &x14, 0x0, x12, x9);\n fiat_p256_addcarryx_u64(&x15, &x16, x14, x10, x7);\n fiat_p256_addcarryx_u64(&x17, &x18, x16, x8, x5);\n x19 = (x18 + x6);\n fiat_p256_mulx_u64(&x20, &x21, x11, UINT64_C(0xffffffff00000001));\n fiat_p256_mulx_u64(&x22, &x23, x11, UINT32_C(0xffffffff));\n fiat_p256_mulx_u64(&x24, &x25, x11, UINT64_C(0xffffffffffffffff));\n fiat_p256_addcarryx_u64(&x26, &x27, 0x0, x25, x22);\n x28 = (x27 + x23);\n fiat_p256_addcarryx_u64(&x29, &x30, 0x0, x11, x24);\n fiat_p256_addcarryx_u64(&x31, &x32, x30, x13, x26);\n fiat_p256_addcarryx_u64(&x33, &x34, x32, x15, x28);\n fiat_p256_addcarryx_u64(&x35, &x36, x34, x17, x20);\n fiat_p256_addcarryx_u64(&x37, &x38, x36, x19, x21);\n fiat_p256_mulx_u64(&x39, &x40, x1, (arg1[3]));\n fiat_p256_mulx_u64(&x41, &x42, x1, (arg1[2]));\n fiat_p256_mulx_u64(&x43, &x44, x1, (arg1[1]));\n fiat_p256_mulx_u64(&x45, &x46, x1, (arg1[0]));\n fiat_p256_addcarryx_u64(&x47, &x48, 0x0, x46, x43);\n fiat_p256_addcarryx_u64(&x49, &x50, x48, x44, x41);\n fiat_p256_addcarryx_u64(&x51, &x52, x50, x42, x39);\n x53 = (x52 + x40);\n fiat_p256_addcarryx_u64(&x54, &x55, 0x0, x31, x45);\n fiat_p256_addcarryx_u64(&x56, &x57, x55, x33, x47);\n fiat_p256_addcarryx_u64(&x58, &x59, x57, x35, x49);\n fiat_p256_addcarryx_u64(&x60, &x61, x59, x37, x51);\n fiat_p256_addcarryx_u64(&x62, &x63, x61, x38, x53);\n fiat_p256_mulx_u64(&x64, &x65, x54, UINT64_C(0xffffffff00000001));\n fiat_p256_mulx_u64(&x66, &x67, x54, UINT32_C(0xffffffff));\n fiat_p256_mulx_u64(&x68, &x69, x54, UINT64_C(0xffffffffffffffff));\n fiat_p256_addcarryx_u64(&x70, &x71, 0x0, x69, x66);\n x72 = (x71 + x67);\n fiat_p256_addcarryx_u64(&x73, &x74, 0x0, x54, x68);\n fiat_p256_addcarryx_u64(&x75, &x76, x74, x56, x70);\n fiat_p256_addcarryx_u64(&x77, &x78, x76, x58, x72);\n fiat_p256_addcarryx_u64(&x79, &x80, x78, x60, x64);\n fiat_p256_addcarryx_u64(&x81, &x82, x80, x62, x65);\n x83 = ((uint64_t)x82 + x63);\n fiat_p256_mulx_u64(&x84, &x85, x2, (arg1[3]));\n fiat_p256_mulx_u64(&x86, &x87, x2, (arg1[2]));\n fiat_p256_mulx_u64(&x88, &x89, x2, (arg1[1]));\n fiat_p256_mulx_u64(&x90, &x91, x2, (arg1[0]));\n fiat_p256_addcarryx_u64(&x92, &x93, 0x0, x91, x88);\n fiat_p256_addcarryx_u64(&x94, &x95, x93, x89, x86);\n fiat_p256_addcarryx_u64(&x96, &x97, x95, x87, x84);\n x98 = (x97 + x85);\n fiat_p256_addcarryx_u64(&x99, &x100, 0x0, x75, x90);\n fiat_p256_addcarryx_u64(&x101, &x102, x100, x77, x92);\n fiat_p256_addcarryx_u64(&x103, &x104, x102, x79, x94);\n fiat_p256_addcarryx_u64(&x105, &x106, x104, x81, x96);\n fiat_p256_addcarryx_u64(&x107, &x108, x106, x83, x98);\n fiat_p256_mulx_u64(&x109, &x110, x99, UINT64_C(0xffffffff00000001));\n fiat_p256_mulx_u64(&x111, &x112, x99, UINT32_C(0xffffffff));\n fiat_p256_mulx_u64(&x113, &x114, x99, UINT64_C(0xffffffffffffffff));\n fiat_p256_addcarryx_u64(&x115, &x116, 0x0, x114, x111);\n x117 = (x116 + x112);\n fiat_p256_addcarryx_u64(&x118, &x119, 0x0, x99, x113);\n fiat_p256_addcarryx_u64(&x120, &x121, x119, x101, x115);\n fiat_p256_addcarryx_u64(&x122, &x123, x121, x103, x117);\n fiat_p256_addcarryx_u64(&x124, &x125, x123, x105, x109);\n fiat_p256_addcarryx_u64(&x126, &x127, x125, x107, x110);\n x128 = ((uint64_t)x127 + x108);\n fiat_p256_mulx_u64(&x129, &x130, x3, (arg1[3]));\n fiat_p256_mulx_u64(&x131, &x132, x3, (arg1[2]));\n fiat_p256_mulx_u64(&x133, &x134, x3, (arg1[1]));\n fiat_p256_mulx_u64(&x135, &x136, x3, (arg1[0]));\n fiat_p256_addcarryx_u64(&x137, &x138, 0x0, x136, x133);\n fiat_p256_addcarryx_u64(&x139, &x140, x138, x134, x131);\n fiat_p256_addcarryx_u64(&x141, &x142, x140, x132, x129);\n x143 = (x142 + x130);\n fiat_p256_addcarryx_u64(&x144, &x145, 0x0, x120, x135);\n fiat_p256_addcarryx_u64(&x146, &x147, x145, x122, x137);\n fiat_p256_addcarryx_u64(&x148, &x149, x147, x124, x139);\n fiat_p256_addcarryx_u64(&x150, &x151, x149, x126, x141);\n fiat_p256_addcarryx_u64(&x152, &x153, x151, x128, x143);\n fiat_p256_mulx_u64(&x154, &x155, x144, UINT64_C(0xffffffff00000001));\n fiat_p256_mulx_u64(&x156, &x157, x144, UINT32_C(0xffffffff));\n fiat_p256_mulx_u64(&x158, &x159, x144, UINT64_C(0xffffffffffffffff));\n fiat_p256_addcarryx_u64(&x160, &x161, 0x0, x159, x156);\n x162 = (x161 + x157);\n fiat_p256_addcarryx_u64(&x163, &x164, 0x0, x144, x158);\n fiat_p256_addcarryx_u64(&x165, &x166, x164, x146, x160);\n fiat_p256_addcarryx_u64(&x167, &x168, x166, x148, x162);\n fiat_p256_addcarryx_u64(&x169, &x170, x168, x150, x154);\n fiat_p256_addcarryx_u64(&x171, &x172, x170, x152, x155);\n x173 = ((uint64_t)x172 + x153);\n fiat_p256_subborrowx_u64(&x174, &x175, 0x0, x165, UINT64_C(0xffffffffffffffff));\n fiat_p256_subborrowx_u64(&x176, &x177, x175, x167, UINT32_C(0xffffffff));\n fiat_p256_subborrowx_u64(&x178, &x179, x177, x169, 0x0);\n fiat_p256_subborrowx_u64(&x180, &x181, x179, x171, UINT64_C(0xffffffff00000001));\n fiat_p256_subborrowx_u64(&x182, &x183, x181, x173, 0x0);\n fiat_p256_cmovznz_u64(&x184, x183, x174, x165);\n fiat_p256_cmovznz_u64(&x185, x183, x176, x167);\n fiat_p256_cmovznz_u64(&x186, x183, x178, x169);\n fiat_p256_cmovznz_u64(&x187, x183, x180, x171);\n out1[0] = x184;\n out1[1] = x185;\n out1[2] = x186;\n out1[3] = x187;\n}\n\n/*\n * The function fiat_p256_add adds two field elements in the Montgomery domain.\n *\n * Preconditions:\n * 0 ≤ eval arg1 < m\n * 0 ≤ eval arg2 < m\n * Postconditions:\n * eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) + eval (from_montgomery arg2)) mod m\n * 0 ≤ eval out1 < m\n *\n */\nstatic FIAT_P256_FIAT_INLINE void fiat_p256_add(fiat_p256_montgomery_domain_field_element out1, const fiat_p256_montgomery_domain_field_element arg1, const fiat_p256_montgomery_domain_field_element arg2) {\n uint64_t x1;\n fiat_p256_uint1 x2;\n uint64_t x3;\n fiat_p256_uint1 x4;\n uint64_t x5;\n fiat_p256_uint1 x6;\n uint64_t x7;\n fiat_p256_uint1 x8;\n uint64_t x9;\n fiat_p256_uint1 x10;\n uint64_t x11;\n fiat_p256_uint1 x12;\n uint64_t x13;\n fiat_p256_uint1 x14;\n uint64_t x15;\n fiat_p256_uint1 x16;\n uint64_t x17;\n fiat_p256_uint1 x18;\n uint64_t x19;\n uint64_t x20;\n uint64_t x21;\n uint64_t x22;\n fiat_p256_addcarryx_u64(&x1, &x2, 0x0, (arg1[0]), (arg2[0]));\n fiat_p256_addcarryx_u64(&x3, &x4, x2, (arg1[1]), (arg2[1]));\n fiat_p256_addcarryx_u64(&x5, &x6, x4, (arg1[2]), (arg2[2]));\n fiat_p256_addcarryx_u64(&x7, &x8, x6, (arg1[3]), (arg2[3]));\n fiat_p256_subborrowx_u64(&x9, &x10, 0x0, x1, UINT64_C(0xffffffffffffffff));\n fiat_p256_subborrowx_u64(&x11, &x12, x10, x3, UINT32_C(0xffffffff));\n fiat_p256_subborrowx_u64(&x13, &x14, x12, x5, 0x0);\n fiat_p256_subborrowx_u64(&x15, &x16, x14, x7, UINT64_C(0xffffffff00000001));\n fiat_p256_subborrowx_u64(&x17, &x18, x16, x8, 0x0);\n fiat_p256_cmovznz_u64(&x19, x18, x9, x1);\n fiat_p256_cmovznz_u64(&x20, x18, x11, x3);\n fiat_p256_cmovznz_u64(&x21, x18, x13, x5);\n fiat_p256_cmovznz_u64(&x22, x18, x15, x7);\n out1[0] = x19;\n out1[1] = x20;\n out1[2] = x21;\n out1[3] = x22;\n}\n\n/*\n * The function fiat_p256_sub subtracts two field elements in the Montgomery domain.\n *\n * Preconditions:\n * 0 ≤ eval arg1 < m\n * 0 ≤ eval arg2 < m\n * Postconditions:\n * eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) - eval (from_montgomery arg2)) mod m\n * 0 ≤ eval out1 < m\n *\n */\nstatic FIAT_P256_FIAT_INLINE void fiat_p256_sub(fiat_p256_montgomery_domain_field_element out1, const fiat_p256_montgomery_domain_field_element arg1, const fiat_p256_montgomery_domain_field_element arg2) {\n uint64_t x1;\n fiat_p256_uint1 x2;\n uint64_t x3;\n fiat_p256_uint1 x4;\n uint64_t x5;\n fiat_p256_uint1 x6;\n uint64_t x7;\n fiat_p256_uint1 x8;\n uint64_t x9;\n uint64_t x10;\n fiat_p256_uint1 x11;\n uint64_t x12;\n fiat_p256_uint1 x13;\n uint64_t x14;\n fiat_p256_uint1 x15;\n uint64_t x16;\n fiat_p256_uint1 x17;\n fiat_p256_subborrowx_u64(&x1, &x2, 0x0, (arg1[0]), (arg2[0]));\n fiat_p256_subborrowx_u64(&x3, &x4, x2, (arg1[1]), (arg2[1]));\n fiat_p256_subborrowx_u64(&x5, &x6, x4, (arg1[2]), (arg2[2]));\n fiat_p256_subborrowx_u64(&x7, &x8, x6, (arg1[3]), (arg2[3]));\n fiat_p256_cmovznz_u64(&x9, x8, 0x0, UINT64_C(0xffffffffffffffff));\n fiat_p256_addcarryx_u64(&x10, &x11, 0x0, x1, x9);\n fiat_p256_addcarryx_u64(&x12, &x13, x11, x3, (x9 & UINT32_C(0xffffffff)));\n fiat_p256_addcarryx_u64(&x14, &x15, x13, x5, 0x0);\n fiat_p256_addcarryx_u64(&x16, &x17, x15, x7, (x9 & UINT64_C(0xffffffff00000001)));\n out1[0] = x10;\n out1[1] = x12;\n out1[2] = x14;\n out1[3] = x16;\n}\n\n/*\n * The function fiat_p256_opp negates a field element in the Montgomery domain.\n *\n * Preconditions:\n * 0 ≤ eval arg1 < m\n * Postconditions:\n * eval (from_montgomery out1) mod m = -eval (from_montgomery arg1) mod m\n * 0 ≤ eval out1 < m\n *\n */\nstatic FIAT_P256_FIAT_INLINE void fiat_p256_opp(fiat_p256_montgomery_domain_field_element out1, const fiat_p256_montgomery_domain_field_element arg1) {\n uint64_t x1;\n fiat_p256_uint1 x2;\n uint64_t x3;\n fiat_p256_uint1 x4;\n uint64_t x5;\n fiat_p256_uint1 x6;\n uint64_t x7;\n fiat_p256_uint1 x8;\n uint64_t x9;\n uint64_t x10;\n fiat_p256_uint1 x11;\n uint64_t x12;\n fiat_p256_uint1 x13;\n uint64_t x14;\n fiat_p256_uint1 x15;\n uint64_t x16;\n fiat_p256_uint1 x17;\n fiat_p256_subborrowx_u64(&x1, &x2, 0x0, 0x0, (arg1[0]));\n fiat_p256_subborrowx_u64(&x3, &x4, x2, 0x0, (arg1[1]));\n fiat_p256_subborrowx_u64(&x5, &x6, x4, 0x0, (arg1[2]));\n fiat_p256_subborrowx_u64(&x7, &x8, x6, 0x0, (arg1[3]));\n fiat_p256_cmovznz_u64(&x9, x8, 0x0, UINT64_C(0xffffffffffffffff));\n fiat_p256_addcarryx_u64(&x10, &x11, 0x0, x1, x9);\n fiat_p256_addcarryx_u64(&x12, &x13, x11, x3, (x9 & UINT32_C(0xffffffff)));\n fiat_p256_addcarryx_u64(&x14, &x15, x13, x5, 0x0);\n fiat_p256_addcarryx_u64(&x16, &x17, x15, x7, (x9 & UINT64_C(0xffffffff00000001)));\n out1[0] = x10;\n out1[1] = x12;\n out1[2] = x14;\n out1[3] = x16;\n}\n\n/*\n * The function fiat_p256_from_montgomery translates a field element out of the Montgomery domain.\n *\n * Preconditions:\n * 0 ≤ eval arg1 < m\n * Postconditions:\n * eval out1 mod m = (eval arg1 * ((2^64)⁻¹ mod m)^4) mod m\n * 0 ≤ eval out1 < m\n *\n */\nstatic FIAT_P256_FIAT_INLINE void fiat_p256_from_montgomery(fiat_p256_non_montgomery_domain_field_element out1, const fiat_p256_montgomery_domain_field_element arg1) {\n uint64_t x1;\n uint64_t x2;\n uint64_t x3;\n uint64_t x4;\n uint64_t x5;\n uint64_t x6;\n uint64_t x7;\n uint64_t x8;\n fiat_p256_uint1 x9;\n uint64_t x10;\n fiat_p256_uint1 x11;\n uint64_t x12;\n fiat_p256_uint1 x13;\n uint64_t x14;\n fiat_p256_uint1 x15;\n uint64_t x16;\n uint64_t x17;\n uint64_t x18;\n uint64_t x19;\n uint64_t x20;\n uint64_t x21;\n uint64_t x22;\n fiat_p256_uint1 x23;\n uint64_t x24;\n fiat_p256_uint1 x25;\n uint64_t x26;\n fiat_p256_uint1 x27;\n uint64_t x28;\n fiat_p256_uint1 x29;\n uint64_t x30;\n fiat_p256_uint1 x31;\n uint64_t x32;\n fiat_p256_uint1 x33;\n uint64_t x34;\n fiat_p256_uint1 x35;\n uint64_t x36;\n fiat_p256_uint1 x37;\n uint64_t x38;\n uint64_t x39;\n uint64_t x40;\n uint64_t x41;\n uint64_t x42;\n uint64_t x43;\n uint64_t x44;\n fiat_p256_uint1 x45;\n uint64_t x46;\n fiat_p256_uint1 x47;\n uint64_t x48;\n fiat_p256_uint1 x49;\n uint64_t x50;\n fiat_p256_uint1 x51;\n uint64_t x52;\n fiat_p256_uint1 x53;\n uint64_t x54;\n fiat_p256_uint1 x55;\n uint64_t x56;\n fiat_p256_uint1 x57;\n uint64_t x58;\n fiat_p256_uint1 x59;\n uint64_t x60;\n uint64_t x61;\n uint64_t x62;\n uint64_t x63;\n uint64_t x64;\n uint64_t x65;\n uint64_t x66;\n fiat_p256_uint1 x67;\n uint64_t x68;\n fiat_p256_uint1 x69;\n uint64_t x70;\n fiat_p256_uint1 x71;\n uint64_t x72;\n fiat_p256_uint1 x73;\n uint64_t x74;\n fiat_p256_uint1 x75;\n uint64_t x76;\n uint64_t x77;\n fiat_p256_uint1 x78;\n uint64_t x79;\n fiat_p256_uint1 x80;\n uint64_t x81;\n fiat_p256_uint1 x82;\n uint64_t x83;\n fiat_p256_uint1 x84;\n uint64_t x85;\n fiat_p256_uint1 x86;\n uint64_t x87;\n uint64_t x88;\n uint64_t x89;\n uint64_t x90;\n x1 = (arg1[0]);\n fiat_p256_mulx_u64(&x2, &x3, x1, UINT64_C(0xffffffff00000001));\n fiat_p256_mulx_u64(&x4, &x5, x1, UINT32_C(0xffffffff));\n fiat_p256_mulx_u64(&x6, &x7, x1, UINT64_C(0xffffffffffffffff));\n fiat_p256_addcarryx_u64(&x8, &x9, 0x0, x7, x4);\n fiat_p256_addcarryx_u64(&x10, &x11, 0x0, x1, x6);\n fiat_p256_addcarryx_u64(&x12, &x13, x11, 0x0, x8);\n fiat_p256_addcarryx_u64(&x14, &x15, 0x0, x12, (arg1[1]));\n fiat_p256_mulx_u64(&x16, &x17, x14, UINT64_C(0xffffffff00000001));\n fiat_p256_mulx_u64(&x18, &x19, x14, UINT32_C(0xffffffff));\n fiat_p256_mulx_u64(&x20, &x21, x14, UINT64_C(0xffffffffffffffff));\n fiat_p256_addcarryx_u64(&x22, &x23, 0x0, x21, x18);\n fiat_p256_addcarryx_u64(&x24, &x25, 0x0, x14, x20);\n fiat_p256_addcarryx_u64(&x26, &x27, x25, (x15 + (x13 + (x9 + x5))), x22);\n fiat_p256_addcarryx_u64(&x28, &x29, x27, x2, (x23 + x19));\n fiat_p256_addcarryx_u64(&x30, &x31, x29, x3, x16);\n fiat_p256_addcarryx_u64(&x32, &x33, 0x0, x26, (arg1[2]));\n fiat_p256_addcarryx_u64(&x34, &x35, x33, x28, 0x0);\n fiat_p256_addcarryx_u64(&x36, &x37, x35, x30, 0x0);\n fiat_p256_mulx_u64(&x38, &x39, x32, UINT64_C(0xffffffff00000001));\n fiat_p256_mulx_u64(&x40, &x41, x32, UINT32_C(0xffffffff));\n fiat_p256_mulx_u64(&x42, &x43, x32, UINT64_C(0xffffffffffffffff));\n fiat_p256_addcarryx_u64(&x44, &x45, 0x0, x43, x40);\n fiat_p256_addcarryx_u64(&x46, &x47, 0x0, x32, x42);\n fiat_p256_addcarryx_u64(&x48, &x49, x47, x34, x44);\n fiat_p256_addcarryx_u64(&x50, &x51, x49, x36, (x45 + x41));\n fiat_p256_addcarryx_u64(&x52, &x53, x51, (x37 + (x31 + x17)), x38);\n fiat_p256_addcarryx_u64(&x54, &x55, 0x0, x48, (arg1[3]));\n fiat_p256_addcarryx_u64(&x56, &x57, x55, x50, 0x0);\n fiat_p256_addcarryx_u64(&x58, &x59, x57, x52, 0x0);\n fiat_p256_mulx_u64(&x60, &x61, x54, UINT64_C(0xffffffff00000001));\n fiat_p256_mulx_u64(&x62, &x63, x54, UINT32_C(0xffffffff));\n fiat_p256_mulx_u64(&x64, &x65, x54, UINT64_C(0xffffffffffffffff));\n fiat_p256_addcarryx_u64(&x66, &x67, 0x0, x65, x62);\n fiat_p256_addcarryx_u64(&x68, &x69, 0x0, x54, x64);\n fiat_p256_addcarryx_u64(&x70, &x71, x69, x56, x66);\n fiat_p256_addcarryx_u64(&x72, &x73, x71, x58, (x67 + x63));\n fiat_p256_addcarryx_u64(&x74, &x75, x73, (x59 + (x53 + x39)), x60);\n x76 = (x75 + x61);\n fiat_p256_subborrowx_u64(&x77, &x78, 0x0, x70, UINT64_C(0xffffffffffffffff));\n fiat_p256_subborrowx_u64(&x79, &x80, x78, x72, UINT32_C(0xffffffff));\n fiat_p256_subborrowx_u64(&x81, &x82, x80, x74, 0x0);\n fiat_p256_subborrowx_u64(&x83, &x84, x82, x76, UINT64_C(0xffffffff00000001));\n fiat_p256_subborrowx_u64(&x85, &x86, x84, 0x0, 0x0);\n fiat_p256_cmovznz_u64(&x87, x86, x77, x70);\n fiat_p256_cmovznz_u64(&x88, x86, x79, x72);\n fiat_p256_cmovznz_u64(&x89, x86, x81, x74);\n fiat_p256_cmovznz_u64(&x90, x86, x83, x76);\n out1[0] = x87;\n out1[1] = x88;\n out1[2] = x89;\n out1[3] = x90;\n}\n\n/*\n * The function fiat_p256_to_montgomery translates a field element into the Montgomery domain.\n *\n * Preconditions:\n * 0 ≤ eval arg1 < m\n * Postconditions:\n * eval (from_montgomery out1) mod m = eval arg1 mod m\n * 0 ≤ eval out1 < m\n *\n */\nstatic FIAT_P256_FIAT_INLINE void fiat_p256_to_montgomery(fiat_p256_montgomery_domain_field_element out1, const fiat_p256_non_montgomery_domain_field_element arg1) {\n uint64_t x1;\n uint64_t x2;\n uint64_t x3;\n uint64_t x4;\n uint64_t x5;\n uint64_t x6;\n uint64_t x7;\n uint64_t x8;\n uint64_t x9;\n uint64_t x10;\n uint64_t x11;\n uint64_t x12;\n uint64_t x13;\n fiat_p256_uint1 x14;\n uint64_t x15;\n fiat_p256_uint1 x16;\n uint64_t x17;\n fiat_p256_uint1 x18;\n uint64_t x19;\n uint64_t x20;\n uint64_t x21;\n uint64_t x22;\n uint64_t x23;\n uint64_t x24;\n uint64_t x25;\n fiat_p256_uint1 x26;\n uint64_t x27;\n fiat_p256_uint1 x28;\n uint64_t x29;\n fiat_p256_uint1 x30;\n uint64_t x31;\n fiat_p256_uint1 x32;\n uint64_t x33;\n fiat_p256_uint1 x34;\n uint64_t x35;\n fiat_p256_uint1 x36;\n uint64_t x37;\n uint64_t x38;\n uint64_t x39;\n uint64_t x40;\n uint64_t x41;\n uint64_t x42;\n uint64_t x43;\n uint64_t x44;\n uint64_t x45;\n fiat_p256_uint1 x46;\n uint64_t x47;\n fiat_p256_uint1 x48;\n uint64_t x49;\n fiat_p256_uint1 x50;\n uint64_t x51;\n fiat_p256_uint1 x52;\n uint64_t x53;\n fiat_p256_uint1 x54;\n uint64_t x55;\n fiat_p256_uint1 x56;\n uint64_t x57;\n fiat_p256_uint1 x58;\n uint64_t x59;\n uint64_t x60;\n uint64_t x61;\n uint64_t x62;\n uint64_t x63;\n uint64_t x64;\n uint64_t x65;\n fiat_p256_uint1 x66;\n uint64_t x67;\n fiat_p256_uint1 x68;\n uint64_t x69;\n fiat_p256_uint1 x70;\n uint64_t x71;\n fiat_p256_uint1 x72;\n uint64_t x73;\n fiat_p256_uint1 x74;\n uint64_t x75;\n fiat_p256_uint1 x76;\n uint64_t x77;\n uint64_t x78;\n uint64_t x79;\n uint64_t x80;\n uint64_t x81;\n uint64_t x82;\n uint64_t x83;\n uint64_t x84;\n uint64_t x85;\n fiat_p256_uint1 x86;\n uint64_t x87;\n fiat_p256_uint1 x88;\n uint64_t x89;\n fiat_p256_uint1 x90;\n uint64_t x91;\n fiat_p256_uint1 x92;\n uint64_t x93;\n fiat_p256_uint1 x94;\n uint64_t x95;\n fiat_p256_uint1 x96;\n uint64_t x97;\n fiat_p256_uint1 x98;\n uint64_t x99;\n uint64_t x100;\n uint64_t x101;\n uint64_t x102;\n uint64_t x103;\n uint64_t x104;\n uint64_t x105;\n fiat_p256_uint1 x106;\n uint64_t x107;\n fiat_p256_uint1 x108;\n uint64_t x109;\n fiat_p256_uint1 x110;\n uint64_t x111;\n fiat_p256_uint1 x112;\n uint64_t x113;\n fiat_p256_uint1 x114;\n uint64_t x115;\n fiat_p256_uint1 x116;\n uint64_t x117;\n uint64_t x118;\n uint64_t x119;\n uint64_t x120;\n uint64_t x121;\n uint64_t x122;\n uint64_t x123;\n uint64_t x124;\n uint64_t x125;\n fiat_p256_uint1 x126;\n uint64_t x127;\n fiat_p256_uint1 x128;\n uint64_t x129;\n fiat_p256_uint1 x130;\n uint64_t x131;\n fiat_p256_uint1 x132;\n uint64_t x133;\n fiat_p256_uint1 x134;\n uint64_t x135;\n fiat_p256_uint1 x136;\n uint64_t x137;\n fiat_p256_uint1 x138;\n uint64_t x139;\n uint64_t x140;\n uint64_t x141;\n uint64_t x142;\n uint64_t x143;\n uint64_t x144;\n uint64_t x145;\n fiat_p256_uint1 x146;\n uint64_t x147;\n fiat_p256_uint1 x148;\n uint64_t x149;\n fiat_p256_uint1 x150;\n uint64_t x151;\n fiat_p256_uint1 x152;\n uint64_t x153;\n fiat_p256_uint1 x154;\n uint64_t x155;\n fiat_p256_uint1 x156;\n uint64_t x157;\n fiat_p256_uint1 x158;\n uint64_t x159;\n fiat_p256_uint1 x160;\n uint64_t x161;\n fiat_p256_uint1 x162;\n uint64_t x163;\n fiat_p256_uint1 x164;\n uint64_t x165;\n fiat_p256_uint1 x166;\n uint64_t x167;\n uint64_t x168;\n uint64_t x169;\n uint64_t x170;\n x1 = (arg1[1]);\n x2 = (arg1[2]);\n x3 = (arg1[3]);\n x4 = (arg1[0]);\n fiat_p256_mulx_u64(&x5, &x6, x4, UINT64_C(0x4fffffffd));\n fiat_p256_mulx_u64(&x7, &x8, x4, UINT64_C(0xfffffffffffffffe));\n fiat_p256_mulx_u64(&x9, &x10, x4, UINT64_C(0xfffffffbffffffff));\n fiat_p256_mulx_u64(&x11, &x12, x4, 0x3);\n fiat_p256_addcarryx_u64(&x13, &x14, 0x0, x12, x9);\n fiat_p256_addcarryx_u64(&x15, &x16, x14, x10, x7);\n fiat_p256_addcarryx_u64(&x17, &x18, x16, x8, x5);\n fiat_p256_mulx_u64(&x19, &x20, x11, UINT64_C(0xffffffff00000001));\n fiat_p256_mulx_u64(&x21, &x22, x11, UINT32_C(0xffffffff));\n fiat_p256_mulx_u64(&x23, &x24, x11, UINT64_C(0xffffffffffffffff));\n fiat_p256_addcarryx_u64(&x25, &x26, 0x0, x24, x21);\n fiat_p256_addcarryx_u64(&x27, &x28, 0x0, x11, x23);\n fiat_p256_addcarryx_u64(&x29, &x30, x28, x13, x25);\n fiat_p256_addcarryx_u64(&x31, &x32, x30, x15, (x26 + x22));\n fiat_p256_addcarryx_u64(&x33, &x34, x32, x17, x19);\n fiat_p256_addcarryx_u64(&x35, &x36, x34, (x18 + x6), x20);\n fiat_p256_mulx_u64(&x37, &x38, x1, UINT64_C(0x4fffffffd));\n fiat_p256_mulx_u64(&x39, &x40, x1, UINT64_C(0xfffffffffffffffe));\n fiat_p256_mulx_u64(&x41, &x42, x1, UINT64_C(0xfffffffbffffffff));\n fiat_p256_mulx_u64(&x43, &x44, x1, 0x3);\n fiat_p256_addcarryx_u64(&x45, &x46, 0x0, x44, x41);\n fiat_p256_addcarryx_u64(&x47, &x48, x46, x42, x39);\n fiat_p256_addcarryx_u64(&x49, &x50, x48, x40, x37);\n fiat_p256_addcarryx_u64(&x51, &x52, 0x0, x29, x43);\n fiat_p256_addcarryx_u64(&x53, &x54, x52, x31, x45);\n fiat_p256_addcarryx_u64(&x55, &x56, x54, x33, x47);\n fiat_p256_addcarryx_u64(&x57, &x58, x56, x35, x49);\n fiat_p256_mulx_u64(&x59, &x60, x51, UINT64_C(0xffffffff00000001));\n fiat_p256_mulx_u64(&x61, &x62, x51, UINT32_C(0xffffffff));\n fiat_p256_mulx_u64(&x63, &x64, x51, UINT64_C(0xffffffffffffffff));\n fiat_p256_addcarryx_u64(&x65, &x66, 0x0, x64, x61);\n fiat_p256_addcarryx_u64(&x67, &x68, 0x0, x51, x63);\n fiat_p256_addcarryx_u64(&x69, &x70, x68, x53, x65);\n fiat_p256_addcarryx_u64(&x71, &x72, x70, x55, (x66 + x62));\n fiat_p256_addcarryx_u64(&x73, &x74, x72, x57, x59);\n fiat_p256_addcarryx_u64(&x75, &x76, x74, (((uint64_t)x58 + x36) + (x50 + x38)), x60);\n fiat_p256_mulx_u64(&x77, &x78, x2, UINT64_C(0x4fffffffd));\n fiat_p256_mulx_u64(&x79, &x80, x2, UINT64_C(0xfffffffffffffffe));\n fiat_p256_mulx_u64(&x81, &x82, x2, UINT64_C(0xfffffffbffffffff));\n fiat_p256_mulx_u64(&x83, &x84, x2, 0x3);\n fiat_p256_addcarryx_u64(&x85, &x86, 0x0, x84, x81);\n fiat_p256_addcarryx_u64(&x87, &x88, x86, x82, x79);\n fiat_p256_addcarryx_u64(&x89, &x90, x88, x80, x77);\n fiat_p256_addcarryx_u64(&x91, &x92, 0x0, x69, x83);\n fiat_p256_addcarryx_u64(&x93, &x94, x92, x71, x85);\n fiat_p256_addcarryx_u64(&x95, &x96, x94, x73, x87);\n fiat_p256_addcarryx_u64(&x97, &x98, x96, x75, x89);\n fiat_p256_mulx_u64(&x99, &x100, x91, UINT64_C(0xffffffff00000001));\n fiat_p256_mulx_u64(&x101, &x102, x91, UINT32_C(0xffffffff));\n fiat_p256_mulx_u64(&x103, &x104, x91, UINT64_C(0xffffffffffffffff));\n fiat_p256_addcarryx_u64(&x105, &x106, 0x0, x104, x101);\n fiat_p256_addcarryx_u64(&x107, &x108, 0x0, x91, x103);\n fiat_p256_addcarryx_u64(&x109, &x110, x108, x93, x105);\n fiat_p256_addcarryx_u64(&x111, &x112, x110, x95, (x106 + x102));\n fiat_p256_addcarryx_u64(&x113, &x114, x112, x97, x99);\n fiat_p256_addcarryx_u64(&x115, &x116, x114, (((uint64_t)x98 + x76) + (x90 + x78)), x100);\n fiat_p256_mulx_u64(&x117, &x118, x3, UINT64_C(0x4fffffffd));\n fiat_p256_mulx_u64(&x119, &x120, x3, UINT64_C(0xfffffffffffffffe));\n fiat_p256_mulx_u64(&x121, &x122, x3, UINT64_C(0xfffffffbffffffff));\n fiat_p256_mulx_u64(&x123, &x124, x3, 0x3);\n fiat_p256_addcarryx_u64(&x125, &x126, 0x0, x124, x121);\n fiat_p256_addcarryx_u64(&x127, &x128, x126, x122, x119);\n fiat_p256_addcarryx_u64(&x129, &x130, x128, x120, x117);\n fiat_p256_addcarryx_u64(&x131, &x132, 0x0, x109, x123);\n fiat_p256_addcarryx_u64(&x133, &x134, x132, x111, x125);\n fiat_p256_addcarryx_u64(&x135, &x136, x134, x113, x127);\n fiat_p256_addcarryx_u64(&x137, &x138, x136, x115, x129);\n fiat_p256_mulx_u64(&x139, &x140, x131, UINT64_C(0xffffffff00000001));\n fiat_p256_mulx_u64(&x141, &x142, x131, UINT32_C(0xffffffff));\n fiat_p256_mulx_u64(&x143, &x144, x131, UINT64_C(0xffffffffffffffff));\n fiat_p256_addcarryx_u64(&x145, &x146, 0x0, x144, x141);\n fiat_p256_addcarryx_u64(&x147, &x148, 0x0, x131, x143);\n fiat_p256_addcarryx_u64(&x149, &x150, x148, x133, x145);\n fiat_p256_addcarryx_u64(&x151, &x152, x150, x135, (x146 + x142));\n fiat_p256_addcarryx_u64(&x153, &x154, x152, x137, x139);\n fiat_p256_addcarryx_u64(&x155, &x156, x154, (((uint64_t)x138 + x116) + (x130 + x118)), x140);\n fiat_p256_subborrowx_u64(&x157, &x158, 0x0, x149, UINT64_C(0xffffffffffffffff));\n fiat_p256_subborrowx_u64(&x159, &x160, x158, x151, UINT32_C(0xffffffff));\n fiat_p256_subborrowx_u64(&x161, &x162, x160, x153, 0x0);\n fiat_p256_subborrowx_u64(&x163, &x164, x162, x155, UINT64_C(0xffffffff00000001));\n fiat_p256_subborrowx_u64(&x165, &x166, x164, x156, 0x0);\n fiat_p256_cmovznz_u64(&x167, x166, x157, x149);\n fiat_p256_cmovznz_u64(&x168, x166, x159, x151);\n fiat_p256_cmovznz_u64(&x169, x166, x161, x153);\n fiat_p256_cmovznz_u64(&x170, x166, x163, x155);\n out1[0] = x167;\n out1[1] = x168;\n out1[2] = x169;\n out1[3] = x170;\n}\n\n/*\n * The function fiat_p256_nonzero outputs a single non-zero word if the input is non-zero and zero otherwise.\n *\n * Preconditions:\n * 0 ≤ eval arg1 < m\n * Postconditions:\n * out1 = 0 ↔ eval (from_montgomery arg1) mod m = 0\n *\n * Input Bounds:\n * arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]\n * Output Bounds:\n * out1: [0x0 ~> 0xffffffffffffffff]\n */\nstatic FIAT_P256_FIAT_INLINE void fiat_p256_nonzero(uint64_t* out1, const uint64_t arg1[4]) {\n uint64_t x1;\n x1 = ((arg1[0]) | ((arg1[1]) | ((arg1[2]) | (arg1[3]))));\n *out1 = x1;\n}\n\n/*\n * The function fiat_p256_selectznz is a multi-limb conditional select.\n *\n * Postconditions:\n * out1 = (if arg1 = 0 then arg2 else arg3)\n *\n * Input Bounds:\n * arg1: [0x0 ~> 0x1]\n * arg2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]\n * arg3: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]\n * Output Bounds:\n * out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]\n */\nstatic FIAT_P256_FIAT_INLINE void fiat_p256_selectznz(uint64_t out1[4], fiat_p256_uint1 arg1, const uint64_t arg2[4], const uint64_t arg3[4]) {\n uint64_t x1;\n uint64_t x2;\n uint64_t x3;\n uint64_t x4;\n fiat_p256_cmovznz_u64(&x1, arg1, (arg2[0]), (arg3[0]));\n fiat_p256_cmovznz_u64(&x2, arg1, (arg2[1]), (arg3[1]));\n fiat_p256_cmovznz_u64(&x3, arg1, (arg2[2]), (arg3[2]));\n fiat_p256_cmovznz_u64(&x4, arg1, (arg2[3]), (arg3[3]));\n out1[0] = x1;\n out1[1] = x2;\n out1[2] = x3;\n out1[3] = x4;\n}\n\n/*\n * The function fiat_p256_to_bytes serializes a field element NOT in the Montgomery domain to bytes in little-endian order.\n *\n * Preconditions:\n * 0 ≤ eval arg1 < m\n * Postconditions:\n * out1 = map (λ x, ⌊((eval arg1 mod m) mod 2^(8 * (x + 1))) / 2^(8 * x)⌋) [0..31]\n *\n * Input Bounds:\n * arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]\n * Output Bounds:\n * out1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff]]\n */\nstatic FIAT_P256_FIAT_INLINE void fiat_p256_to_bytes(uint8_t out1[32], const uint64_t arg1[4]) {\n uint64_t x1;\n uint64_t x2;\n uint64_t x3;\n uint64_t x4;\n uint8_t x5;\n uint64_t x6;\n uint8_t x7;\n uint64_t x8;\n uint8_t x9;\n uint64_t x10;\n uint8_t x11;\n uint64_t x12;\n uint8_t x13;\n uint64_t x14;\n uint8_t x15;\n uint64_t x16;\n uint8_t x17;\n uint8_t x18;\n uint8_t x19;\n uint64_t x20;\n uint8_t x21;\n uint64_t x22;\n uint8_t x23;\n uint64_t x24;\n uint8_t x25;\n uint64_t x26;\n uint8_t x27;\n uint64_t x28;\n uint8_t x29;\n uint64_t x30;\n uint8_t x31;\n uint8_t x32;\n uint8_t x33;\n uint64_t x34;\n uint8_t x35;\n uint64_t x36;\n uint8_t x37;\n uint64_t x38;\n uint8_t x39;\n uint64_t x40;\n uint8_t x41;\n uint64_t x42;\n uint8_t x43;\n uint64_t x44;\n uint8_t x45;\n uint8_t x46;\n uint8_t x47;\n uint64_t x48;\n uint8_t x49;\n uint64_t x50;\n uint8_t x51;\n uint64_t x52;\n uint8_t x53;\n uint64_t x54;\n uint8_t x55;\n uint64_t x56;\n uint8_t x57;\n uint64_t x58;\n uint8_t x59;\n uint8_t x60;\n x1 = (arg1[3]);\n x2 = (arg1[2]);\n x3 = (arg1[1]);\n x4 = (arg1[0]);\n x5 = (uint8_t)(x4 & UINT8_C(0xff));\n x6 = (x4 >> 8);\n x7 = (uint8_t)(x6 & UINT8_C(0xff));\n x8 = (x6 >> 8);\n x9 = (uint8_t)(x8 & UINT8_C(0xff));\n x10 = (x8 >> 8);\n x11 = (uint8_t)(x10 & UINT8_C(0xff));\n x12 = (x10 >> 8);\n x13 = (uint8_t)(x12 & UINT8_C(0xff));\n x14 = (x12 >> 8);\n x15 = (uint8_t)(x14 & UINT8_C(0xff));\n x16 = (x14 >> 8);\n x17 = (uint8_t)(x16 & UINT8_C(0xff));\n x18 = (uint8_t)(x16 >> 8);\n x19 = (uint8_t)(x3 & UINT8_C(0xff));\n x20 = (x3 >> 8);\n x21 = (uint8_t)(x20 & UINT8_C(0xff));\n x22 = (x20 >> 8);\n x23 = (uint8_t)(x22 & UINT8_C(0xff));\n x24 = (x22 >> 8);\n x25 = (uint8_t)(x24 & UINT8_C(0xff));\n x26 = (x24 >> 8);\n x27 = (uint8_t)(x26 & UINT8_C(0xff));\n x28 = (x26 >> 8);\n x29 = (uint8_t)(x28 & UINT8_C(0xff));\n x30 = (x28 >> 8);\n x31 = (uint8_t)(x30 & UINT8_C(0xff));\n x32 = (uint8_t)(x30 >> 8);\n x33 = (uint8_t)(x2 & UINT8_C(0xff));\n x34 = (x2 >> 8);\n x35 = (uint8_t)(x34 & UINT8_C(0xff));\n x36 = (x34 >> 8);\n x37 = (uint8_t)(x36 & UINT8_C(0xff));\n x38 = (x36 >> 8);\n x39 = (uint8_t)(x38 & UINT8_C(0xff));\n x40 = (x38 >> 8);\n x41 = (uint8_t)(x40 & UINT8_C(0xff));\n x42 = (x40 >> 8);\n x43 = (uint8_t)(x42 & UINT8_C(0xff));\n x44 = (x42 >> 8);\n x45 = (uint8_t)(x44 & UINT8_C(0xff));\n x46 = (uint8_t)(x44 >> 8);\n x47 = (uint8_t)(x1 & UINT8_C(0xff));\n x48 = (x1 >> 8);\n x49 = (uint8_t)(x48 & UINT8_C(0xff));\n x50 = (x48 >> 8);\n x51 = (uint8_t)(x50 & UINT8_C(0xff));\n x52 = (x50 >> 8);\n x53 = (uint8_t)(x52 & UINT8_C(0xff));\n x54 = (x52 >> 8);\n x55 = (uint8_t)(x54 & UINT8_C(0xff));\n x56 = (x54 >> 8);\n x57 = (uint8_t)(x56 & UINT8_C(0xff));\n x58 = (x56 >> 8);\n x59 = (uint8_t)(x58 & UINT8_C(0xff));\n x60 = (uint8_t)(x58 >> 8);\n out1[0] = x5;\n out1[1] = x7;\n out1[2] = x9;\n out1[3] = x11;\n out1[4] = x13;\n out1[5] = x15;\n out1[6] = x17;\n out1[7] = x18;\n out1[8] = x19;\n out1[9] = x21;\n out1[10] = x23;\n out1[11] = x25;\n out1[12] = x27;\n out1[13] = x29;\n out1[14] = x31;\n out1[15] = x32;\n out1[16] = x33;\n out1[17] = x35;\n out1[18] = x37;\n out1[19] = x39;\n out1[20] = x41;\n out1[21] = x43;\n out1[22] = x45;\n out1[23] = x46;\n out1[24] = x47;\n out1[25] = x49;\n out1[26] = x51;\n out1[27] = x53;\n out1[28] = x55;\n out1[29] = x57;\n out1[30] = x59;\n out1[31] = x60;\n}\n\n/*\n * The function fiat_p256_from_bytes deserializes a field element NOT in the Montgomery domain from bytes in little-endian order.\n *\n * Preconditions:\n * 0 ≤ bytes_eval arg1 < m\n * Postconditions:\n * eval out1 mod m = bytes_eval arg1 mod m\n * 0 ≤ eval out1 < m\n *\n * Input Bounds:\n * arg1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff]]\n * Output Bounds:\n * out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]\n */\nstatic FIAT_P256_FIAT_INLINE void fiat_p256_from_bytes(uint64_t out1[4], const uint8_t arg1[32]) {\n uint64_t x1;\n uint64_t x2;\n uint64_t x3;\n uint64_t x4;\n uint64_t x5;\n uint64_t x6;\n uint64_t x7;\n uint8_t x8;\n uint64_t x9;\n uint64_t x10;\n uint64_t x11;\n uint64_t x12;\n uint64_t x13;\n uint64_t x14;\n uint64_t x15;\n uint8_t x16;\n uint64_t x17;\n uint64_t x18;\n uint64_t x19;\n uint64_t x20;\n uint64_t x21;\n uint64_t x22;\n uint64_t x23;\n uint8_t x24;\n uint64_t x25;\n uint64_t x26;\n uint64_t x27;\n uint64_t x28;\n uint64_t x29;\n uint64_t x30;\n uint64_t x31;\n uint8_t x32;\n uint64_t x33;\n uint64_t x34;\n uint64_t x35;\n uint64_t x36;\n uint64_t x37;\n uint64_t x38;\n uint64_t x39;\n uint64_t x40;\n uint64_t x41;\n uint64_t x42;\n uint64_t x43;\n uint64_t x44;\n uint64_t x45;\n uint64_t x46;\n uint64_t x47;\n uint64_t x48;\n uint64_t x49;\n uint64_t x50;\n uint64_t x51;\n uint64_t x52;\n uint64_t x53;\n uint64_t x54;\n uint64_t x55;\n uint64_t x56;\n uint64_t x57;\n uint64_t x58;\n uint64_t x59;\n uint64_t x60;\n x1 = ((uint64_t)(arg1[31]) << 56);\n x2 = ((uint64_t)(arg1[30]) << 48);\n x3 = ((uint64_t)(arg1[29]) << 40);\n x4 = ((uint64_t)(arg1[28]) << 32);\n x5 = ((uint64_t)(arg1[27]) << 24);\n x6 = ((uint64_t)(arg1[26]) << 16);\n x7 = ((uint64_t)(arg1[25]) << 8);\n x8 = (arg1[24]);\n x9 = ((uint64_t)(arg1[23]) << 56);\n x10 = ((uint64_t)(arg1[22]) << 48);\n x11 = ((uint64_t)(arg1[21]) << 40);\n x12 = ((uint64_t)(arg1[20]) << 32);\n x13 = ((uint64_t)(arg1[19]) << 24);\n x14 = ((uint64_t)(arg1[18]) << 16);\n x15 = ((uint64_t)(arg1[17]) << 8);\n x16 = (arg1[16]);\n x17 = ((uint64_t)(arg1[15]) << 56);\n x18 = ((uint64_t)(arg1[14]) << 48);\n x19 = ((uint64_t)(arg1[13]) << 40);\n x20 = ((uint64_t)(arg1[12]) << 32);\n x21 = ((uint64_t)(arg1[11]) << 24);\n x22 = ((uint64_t)(arg1[10]) << 16);\n x23 = ((uint64_t)(arg1[9]) << 8);\n x24 = (arg1[8]);\n x25 = ((uint64_t)(arg1[7]) << 56);\n x26 = ((uint64_t)(arg1[6]) << 48);\n x27 = ((uint64_t)(arg1[5]) << 40);\n x28 = ((uint64_t)(arg1[4]) << 32);\n x29 = ((uint64_t)(arg1[3]) << 24);\n x30 = ((uint64_t)(arg1[2]) << 16);\n x31 = ((uint64_t)(arg1[1]) << 8);\n x32 = (arg1[0]);\n x33 = (x31 + (uint64_t)x32);\n x34 = (x30 + x33);\n x35 = (x29 + x34);\n x36 = (x28 + x35);\n x37 = (x27 + x36);\n x38 = (x26 + x37);\n x39 = (x25 + x38);\n x40 = (x23 + (uint64_t)x24);\n x41 = (x22 + x40);\n x42 = (x21 + x41);\n x43 = (x20 + x42);\n x44 = (x19 + x43);\n x45 = (x18 + x44);\n x46 = (x17 + x45);\n x47 = (x15 + (uint64_t)x16);\n x48 = (x14 + x47);\n x49 = (x13 + x48);\n x50 = (x12 + x49);\n x51 = (x11 + x50);\n x52 = (x10 + x51);\n x53 = (x9 + x52);\n x54 = (x7 + (uint64_t)x8);\n x55 = (x6 + x54);\n x56 = (x5 + x55);\n x57 = (x4 + x56);\n x58 = (x3 + x57);\n x59 = (x2 + x58);\n x60 = (x1 + x59);\n out1[0] = x39;\n out1[1] = x46;\n out1[2] = x53;\n out1[3] = x60;\n}\n\n/*\n * The function fiat_p256_set_one returns the field element one in the Montgomery domain.\n *\n * Postconditions:\n * eval (from_montgomery out1) mod m = 1 mod m\n * 0 ≤ eval out1 < m\n *\n */\nstatic FIAT_P256_FIAT_INLINE void fiat_p256_set_one(fiat_p256_montgomery_domain_field_element out1) {\n out1[0] = 0x1;\n out1[1] = UINT64_C(0xffffffff00000000);\n out1[2] = UINT64_C(0xffffffffffffffff);\n out1[3] = UINT32_C(0xfffffffe);\n}\n\n/*\n * The function fiat_p256_msat returns the saturated representation of the prime modulus.\n *\n * Postconditions:\n * twos_complement_eval out1 = m\n * 0 ≤ eval out1 < m\n *\n * Output Bounds:\n * out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]\n */\nstatic FIAT_P256_FIAT_INLINE void fiat_p256_msat(uint64_t out1[5]) {\n out1[0] = UINT64_C(0xffffffffffffffff);\n out1[1] = UINT32_C(0xffffffff);\n out1[2] = 0x0;\n out1[3] = UINT64_C(0xffffffff00000001);\n out1[4] = 0x0;\n}\n\n/*\n * The function fiat_p256_divstep computes a divstep.\n *\n * Preconditions:\n * 0 ≤ eval arg4 < m\n * 0 ≤ eval arg5 < m\n * Postconditions:\n * out1 = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then 1 - arg1 else 1 + arg1)\n * twos_complement_eval out2 = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then twos_complement_eval arg3 else twos_complement_eval arg2)\n * twos_complement_eval out3 = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then ⌊(twos_complement_eval arg3 - twos_complement_eval arg2) / 2⌋ else ⌊(twos_complement_eval arg3 + (twos_complement_eval arg3 mod 2) * twos_complement_eval arg2) / 2⌋)\n * eval (from_montgomery out4) mod m = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then (2 * eval (from_montgomery arg5)) mod m else (2 * eval (from_montgomery arg4)) mod m)\n * eval (from_montgomery out5) mod m = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then (eval (from_montgomery arg4) - eval (from_montgomery arg4)) mod m else (eval (from_montgomery arg5) + (twos_complement_eval arg3 mod 2) * eval (from_montgomery arg4)) mod m)\n * 0 ≤ eval out5 < m\n * 0 ≤ eval out5 < m\n * 0 ≤ eval out2 < m\n * 0 ≤ eval out3 < m\n *\n * Input Bounds:\n * arg1: [0x0 ~> 0xffffffffffffffff]\n * arg2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]\n * arg3: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]\n * arg4: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]\n * arg5: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]\n * Output Bounds:\n * out1: [0x0 ~> 0xffffffffffffffff]\n * out2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]\n * out3: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]\n * out4: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]\n * out5: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]\n */\nstatic FIAT_P256_FIAT_INLINE void fiat_p256_divstep(uint64_t* out1, uint64_t out2[5], uint64_t out3[5], uint64_t out4[4], uint64_t out5[4], uint64_t arg1, const uint64_t arg2[5], const uint64_t arg3[5], const uint64_t arg4[4], const uint64_t arg5[4]) {\n uint64_t x1;\n fiat_p256_uint1 x2;\n fiat_p256_uint1 x3;\n uint64_t x4;\n fiat_p256_uint1 x5;\n uint64_t x6;\n uint64_t x7;\n uint64_t x8;\n uint64_t x9;\n uint64_t x10;\n uint64_t x11;\n uint64_t x12;\n fiat_p256_uint1 x13;\n uint64_t x14;\n fiat_p256_uint1 x15;\n uint64_t x16;\n fiat_p256_uint1 x17;\n uint64_t x18;\n fiat_p256_uint1 x19;\n uint64_t x20;\n fiat_p256_uint1 x21;\n uint64_t x22;\n uint64_t x23;\n uint64_t x24;\n uint64_t x25;\n uint64_t x26;\n uint64_t x27;\n uint64_t x28;\n uint64_t x29;\n uint64_t x30;\n uint64_t x31;\n fiat_p256_uint1 x32;\n uint64_t x33;\n fiat_p256_uint1 x34;\n uint64_t x35;\n fiat_p256_uint1 x36;\n uint64_t x37;\n fiat_p256_uint1 x38;\n uint64_t x39;\n fiat_p256_uint1 x40;\n uint64_t x41;\n fiat_p256_uint1 x42;\n uint64_t x43;\n fiat_p256_uint1 x44;\n uint64_t x45;\n fiat_p256_uint1 x46;\n uint64_t x47;\n fiat_p256_uint1 x48;\n uint64_t x49;\n uint64_t x50;\n uint64_t x51;\n uint64_t x52;\n uint64_t x53;\n fiat_p256_uint1 x54;\n uint64_t x55;\n fiat_p256_uint1 x56;\n uint64_t x57;\n fiat_p256_uint1 x58;\n uint64_t x59;\n fiat_p256_uint1 x60;\n uint64_t x61;\n uint64_t x62;\n fiat_p256_uint1 x63;\n uint64_t x64;\n fiat_p256_uint1 x65;\n uint64_t x66;\n fiat_p256_uint1 x67;\n uint64_t x68;\n fiat_p256_uint1 x69;\n uint64_t x70;\n uint64_t x71;\n uint64_t x72;\n uint64_t x73;\n fiat_p256_uint1 x74;\n uint64_t x75;\n uint64_t x76;\n uint64_t x77;\n uint64_t x78;\n uint64_t x79;\n uint64_t x80;\n fiat_p256_uint1 x81;\n uint64_t x82;\n fiat_p256_uint1 x83;\n uint64_t x84;\n fiat_p256_uint1 x85;\n uint64_t x86;\n fiat_p256_uint1 x87;\n uint64_t x88;\n fiat_p256_uint1 x89;\n uint64_t x90;\n uint64_t x91;\n uint64_t x92;\n uint64_t x93;\n uint64_t x94;\n fiat_p256_uint1 x95;\n uint64_t x96;\n fiat_p256_uint1 x97;\n uint64_t x98;\n fiat_p256_uint1 x99;\n uint64_t x100;\n fiat_p256_uint1 x101;\n uint64_t x102;\n fiat_p256_uint1 x103;\n uint64_t x104;\n fiat_p256_uint1 x105;\n uint64_t x106;\n fiat_p256_uint1 x107;\n uint64_t x108;\n fiat_p256_uint1 x109;\n uint64_t x110;\n fiat_p256_uint1 x111;\n uint64_t x112;\n fiat_p256_uint1 x113;\n uint64_t x114;\n uint64_t x115;\n uint64_t x116;\n uint64_t x117;\n uint64_t x118;\n uint64_t x119;\n uint64_t x120;\n uint64_t x121;\n uint64_t x122;\n uint64_t x123;\n uint64_t x124;\n uint64_t x125;\n uint64_t x126;\n fiat_p256_addcarryx_u64(&x1, &x2, 0x0, (~arg1), 0x1);\n x3 = (fiat_p256_uint1)((fiat_p256_uint1)(x1 >> 63) & (fiat_p256_uint1)((arg3[0]) & 0x1));\n fiat_p256_addcarryx_u64(&x4, &x5, 0x0, (~arg1), 0x1);\n fiat_p256_cmovznz_u64(&x6, x3, arg1, x4);\n fiat_p256_cmovznz_u64(&x7, x3, (arg2[0]), (arg3[0]));\n fiat_p256_cmovznz_u64(&x8, x3, (arg2[1]), (arg3[1]));\n fiat_p256_cmovznz_u64(&x9, x3, (arg2[2]), (arg3[2]));\n fiat_p256_cmovznz_u64(&x10, x3, (arg2[3]), (arg3[3]));\n fiat_p256_cmovznz_u64(&x11, x3, (arg2[4]), (arg3[4]));\n fiat_p256_addcarryx_u64(&x12, &x13, 0x0, 0x1, (~(arg2[0])));\n fiat_p256_addcarryx_u64(&x14, &x15, x13, 0x0, (~(arg2[1])));\n fiat_p256_addcarryx_u64(&x16, &x17, x15, 0x0, (~(arg2[2])));\n fiat_p256_addcarryx_u64(&x18, &x19, x17, 0x0, (~(arg2[3])));\n fiat_p256_addcarryx_u64(&x20, &x21, x19, 0x0, (~(arg2[4])));\n fiat_p256_cmovznz_u64(&x22, x3, (arg3[0]), x12);\n fiat_p256_cmovznz_u64(&x23, x3, (arg3[1]), x14);\n fiat_p256_cmovznz_u64(&x24, x3, (arg3[2]), x16);\n fiat_p256_cmovznz_u64(&x25, x3, (arg3[3]), x18);\n fiat_p256_cmovznz_u64(&x26, x3, (arg3[4]), x20);\n fiat_p256_cmovznz_u64(&x27, x3, (arg4[0]), (arg5[0]));\n fiat_p256_cmovznz_u64(&x28, x3, (arg4[1]), (arg5[1]));\n fiat_p256_cmovznz_u64(&x29, x3, (arg4[2]), (arg5[2]));\n fiat_p256_cmovznz_u64(&x30, x3, (arg4[3]), (arg5[3]));\n fiat_p256_addcarryx_u64(&x31, &x32, 0x0, x27, x27);\n fiat_p256_addcarryx_u64(&x33, &x34, x32, x28, x28);\n fiat_p256_addcarryx_u64(&x35, &x36, x34, x29, x29);\n fiat_p256_addcarryx_u64(&x37, &x38, x36, x30, x30);\n fiat_p256_subborrowx_u64(&x39, &x40, 0x0, x31, UINT64_C(0xffffffffffffffff));\n fiat_p256_subborrowx_u64(&x41, &x42, x40, x33, UINT32_C(0xffffffff));\n fiat_p256_subborrowx_u64(&x43, &x44, x42, x35, 0x0);\n fiat_p256_subborrowx_u64(&x45, &x46, x44, x37, UINT64_C(0xffffffff00000001));\n fiat_p256_subborrowx_u64(&x47, &x48, x46, x38, 0x0);\n x49 = (arg4[3]);\n x50 = (arg4[2]);\n x51 = (arg4[1]);\n x52 = (arg4[0]);\n fiat_p256_subborrowx_u64(&x53, &x54, 0x0, 0x0, x52);\n fiat_p256_subborrowx_u64(&x55, &x56, x54, 0x0, x51);\n fiat_p256_subborrowx_u64(&x57, &x58, x56, 0x0, x50);\n fiat_p256_subborrowx_u64(&x59, &x60, x58, 0x0, x49);\n fiat_p256_cmovznz_u64(&x61, x60, 0x0, UINT64_C(0xffffffffffffffff));\n fiat_p256_addcarryx_u64(&x62, &x63, 0x0, x53, x61);\n fiat_p256_addcarryx_u64(&x64, &x65, x63, x55, (x61 & UINT32_C(0xffffffff)));\n fiat_p256_addcarryx_u64(&x66, &x67, x65, x57, 0x0);\n fiat_p256_addcarryx_u64(&x68, &x69, x67, x59, (x61 & UINT64_C(0xffffffff00000001)));\n fiat_p256_cmovznz_u64(&x70, x3, (arg5[0]), x62);\n fiat_p256_cmovznz_u64(&x71, x3, (arg5[1]), x64);\n fiat_p256_cmovznz_u64(&x72, x3, (arg5[2]), x66);\n fiat_p256_cmovznz_u64(&x73, x3, (arg5[3]), x68);\n x74 = (fiat_p256_uint1)(x22 & 0x1);\n fiat_p256_cmovznz_u64(&x75, x74, 0x0, x7);\n fiat_p256_cmovznz_u64(&x76, x74, 0x0, x8);\n fiat_p256_cmovznz_u64(&x77, x74, 0x0, x9);\n fiat_p256_cmovznz_u64(&x78, x74, 0x0, x10);\n fiat_p256_cmovznz_u64(&x79, x74, 0x0, x11);\n fiat_p256_addcarryx_u64(&x80, &x81, 0x0, x22, x75);\n fiat_p256_addcarryx_u64(&x82, &x83, x81, x23, x76);\n fiat_p256_addcarryx_u64(&x84, &x85, x83, x24, x77);\n fiat_p256_addcarryx_u64(&x86, &x87, x85, x25, x78);\n fiat_p256_addcarryx_u64(&x88, &x89, x87, x26, x79);\n fiat_p256_cmovznz_u64(&x90, x74, 0x0, x27);\n fiat_p256_cmovznz_u64(&x91, x74, 0x0, x28);\n fiat_p256_cmovznz_u64(&x92, x74, 0x0, x29);\n fiat_p256_cmovznz_u64(&x93, x74, 0x0, x30);\n fiat_p256_addcarryx_u64(&x94, &x95, 0x0, x70, x90);\n fiat_p256_addcarryx_u64(&x96, &x97, x95, x71, x91);\n fiat_p256_addcarryx_u64(&x98, &x99, x97, x72, x92);\n fiat_p256_addcarryx_u64(&x100, &x101, x99, x73, x93);\n fiat_p256_subborrowx_u64(&x102, &x103, 0x0, x94, UINT64_C(0xffffffffffffffff));\n fiat_p256_subborrowx_u64(&x104, &x105, x103, x96, UINT32_C(0xffffffff));\n fiat_p256_subborrowx_u64(&x106, &x107, x105, x98, 0x0);\n fiat_p256_subborrowx_u64(&x108, &x109, x107, x100, UINT64_C(0xffffffff00000001));\n fiat_p256_subborrowx_u64(&x110, &x111, x109, x101, 0x0);\n fiat_p256_addcarryx_u64(&x112, &x113, 0x0, x6, 0x1);\n x114 = ((x80 >> 1) | ((x82 << 63) & UINT64_C(0xffffffffffffffff)));\n x115 = ((x82 >> 1) | ((x84 << 63) & UINT64_C(0xffffffffffffffff)));\n x116 = ((x84 >> 1) | ((x86 << 63) & UINT64_C(0xffffffffffffffff)));\n x117 = ((x86 >> 1) | ((x88 << 63) & UINT64_C(0xffffffffffffffff)));\n x118 = ((x88 & UINT64_C(0x8000000000000000)) | (x88 >> 1));\n fiat_p256_cmovznz_u64(&x119, x48, x39, x31);\n fiat_p256_cmovznz_u64(&x120, x48, x41, x33);\n fiat_p256_cmovznz_u64(&x121, x48, x43, x35);\n fiat_p256_cmovznz_u64(&x122, x48, x45, x37);\n fiat_p256_cmovznz_u64(&x123, x111, x102, x94);\n fiat_p256_cmovznz_u64(&x124, x111, x104, x96);\n fiat_p256_cmovznz_u64(&x125, x111, x106, x98);\n fiat_p256_cmovznz_u64(&x126, x111, x108, x100);\n *out1 = x112;\n out2[0] = x7;\n out2[1] = x8;\n out2[2] = x9;\n out2[3] = x10;\n out2[4] = x11;\n out3[0] = x114;\n out3[1] = x115;\n out3[2] = x116;\n out3[3] = x117;\n out3[4] = x118;\n out4[0] = x119;\n out4[1] = x120;\n out4[2] = x121;\n out4[3] = x122;\n out5[0] = x123;\n out5[1] = x124;\n out5[2] = x125;\n out5[3] = x126;\n}\n\n/*\n * The function fiat_p256_divstep_precomp returns the precomputed value for Bernstein-Yang-inversion (in montgomery form).\n *\n * Postconditions:\n * eval (from_montgomery out1) = ⌊(m - 1) / 2⌋^(if ⌊log2 m⌋ + 1 < 46 then ⌊(49 * (⌊log2 m⌋ + 1) + 80) / 17⌋ else ⌊(49 * (⌊log2 m⌋ + 1) + 57) / 17⌋)\n * 0 ≤ eval out1 < m\n *\n * Output Bounds:\n * out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]]\n */\nstatic FIAT_P256_FIAT_INLINE void fiat_p256_divstep_precomp(uint64_t out1[4]) {\n out1[0] = UINT64_C(0x67ffffffb8000000);\n out1[1] = UINT64_C(0xc000000038000000);\n out1[2] = UINT64_C(0xd80000007fffffff);\n out1[3] = UINT64_C(0x2fffffffffffffff);\n}\n" }, { "path": "Sources/CNIOBoringSSLShims/include/CNIOBoringSSLShims.h", "content": "//===----------------------------------------------------------------------===//\n//\n// This source file is part of the SwiftNIO open source project\n//\n// Copyright (c) 2017-2018 Apple Inc. and the SwiftNIO project authors\n// Licensed under Apache License v2.0\n//\n// See LICENSE.txt for license information\n// See CONTRIBUTORS.txt for the list of SwiftNIO project authors\n//\n// SPDX-License-Identifier: Apache-2.0\n//\n//===----------------------------------------------------------------------===//\n#ifndef C_NIO_BORINGSSL_SHIMS_H\n#define C_NIO_BORINGSSL_SHIMS_H\n\n// This is for instances when `swift package generate-xcodeproj` is used as CNIOBoringSSL\n// is treated as a framework and requires the framework's name as a prefix.\n#if __has_include()\n#include \n#else\n#include \"CNIOBoringSSL.h\"\n#endif\n\n#if defined(__cplusplus)\nextern \"C\" {\n#endif\n\nX509_EXTENSION *CNIOBoringSSLShims_sk_X509_EXTENSION_value(const STACK_OF(X509_EXTENSION) *sk, size_t i);\nsize_t CNIOBoringSSLShims_sk_X509_EXTENSION_num(const STACK_OF(X509_EXTENSION) *sk);\n\nGENERAL_NAME *CNIOBoringSSLShims_sk_GENERAL_NAME_value(const STACK_OF(GENERAL_NAME) *sk, size_t i);\nsize_t CNIOBoringSSLShims_sk_GENERAL_NAME_num(const STACK_OF(GENERAL_NAME) *sk);\n\nvoid *CNIOBoringSSLShims_SSL_CTX_get_app_data(const SSL_CTX *ctx);\nint CNIOBoringSSLShims_SSL_CTX_set_app_data(SSL_CTX *ctx, void *data);\n\nint CNIOBoringSSLShims_ERR_GET_LIB(uint32_t err);\nint CNIOBoringSSLShims_ERR_GET_REASON(uint32_t err);\n\n#if defined(__cplusplus)\n} // extern \"C\"\n#endif\n\n#endif // C_NIO_BORINGSSL_SHIMS_H\n" }, { "path": "Sources/CNIOBoringSSLShims/shims.c", "content": "//===----------------------------------------------------------------------===//\n//\n// This source file is part of the SwiftNIO open source project\n//\n// Copyright (c) 2017-2018 Apple Inc. and the SwiftNIO project authors\n// Licensed under Apache License v2.0\n//\n// See LICENSE.txt for license information\n// See CONTRIBUTORS.txt for the list of SwiftNIO project authors\n//\n// SPDX-License-Identifier: Apache-2.0\n//\n//===----------------------------------------------------------------------===//\n// Unfortunately, even in our brave BoringSSL world, we have \"functions\" that are\n// macros too complex for the clang importer. This file handles them.\n#include \"CNIOBoringSSLShims.h\"\n\nX509_EXTENSION *CNIOBoringSSLShims_sk_X509_EXTENSION_value(const STACK_OF(X509_EXTENSION) *sk, size_t i) {\n return sk_X509_EXTENSION_value(sk, i);\n}\n\nsize_t CNIOBoringSSLShims_sk_X509_EXTENSION_num(const STACK_OF(X509_EXTENSION) *sk) {\n return sk_X509_EXTENSION_num(sk);\n}\n\nGENERAL_NAME *CNIOBoringSSLShims_sk_GENERAL_NAME_value(const STACK_OF(GENERAL_NAME) *sk, size_t i) {\n return sk_GENERAL_NAME_value(sk, i);\n}\n\nsize_t CNIOBoringSSLShims_sk_GENERAL_NAME_num(const STACK_OF(GENERAL_NAME) *sk) {\n return sk_GENERAL_NAME_num(sk);\n}\n\nvoid *CNIOBoringSSLShims_SSL_CTX_get_app_data(const SSL_CTX *ctx) {\n return SSL_CTX_get_app_data(ctx);\n}\n\nint CNIOBoringSSLShims_SSL_CTX_set_app_data(SSL_CTX *ctx, void *data) {\n return SSL_CTX_set_app_data(ctx, data);\n}\n\nint CNIOBoringSSLShims_ERR_GET_LIB(uint32_t err) {\n return ERR_GET_LIB(err);\n}\n\nint CNIOBoringSSLShims_ERR_GET_REASON(uint32_t err) {\n return ERR_GET_REASON(err);\n}\n" }, { "path": "Sources/NIOSSL/AndroidCABundle.swift", "content": "//===----------------------------------------------------------------------===//\n//\n// This source file is part of the SwiftNIO open source project\n//\n// Copyright (c) 2019-2021 Apple Inc. and the SwiftNIO project authors\n// Licensed under Apache License v2.0\n//\n// See LICENSE.txt for license information\n// See CONTRIBUTORS.txt for the list of SwiftNIO project authors\n//\n// SPDX-License-Identifier: Apache-2.0\n//\n//===----------------------------------------------------------------------===//\n\n#if os(Android)\n/// The path to the root CA bundle directory.\n///\n/// May be nil if we could not find the root CA bundle directory.\ninternal let rootCADirectoryPath: String? = locateRootCADirectory()\n\n/// This is a list of root CA directory search paths.\n///\n/// This list contains paths as validated against several distributions. If you are aware of a CA bundle on a specific distribution\n/// that is not present here, please open a pull request that adds the appropriate search path.\n/// Some distributions do not ship CA directories: as such, it is not a problem if a distribution that is present in rootCAFileSearchPaths\n/// is not present in this list.\n//see https://android.googlesource.com/platform/frameworks/base/+/8b192b19f264a8829eac2cfaf0b73f6fc188d933%5E%21/#F0\nprivate let rootCADirectorySearchPaths = [\n \"/apex/com.android.conscrypt/cacerts\", // >= Android14\n \"/system/etc/security/cacerts\", // < Android14\n]\n\nprivate func locateRootCADirectory() -> String? {\n rootCADirectorySearchPaths.first(where: { FileSystemObject.pathType(path: $0) == .directory })\n}\n#endif\n" }, { "path": "Sources/NIOSSL/ByteBufferBIO.swift", "content": "//===----------------------------------------------------------------------===//\n//\n// This source file is part of the SwiftNIO open source project\n//\n// Copyright (c) 2017-2021 Apple Inc. and the SwiftNIO project authors\n// Licensed under Apache License v2.0\n//\n// See LICENSE.txt for license information\n// See CONTRIBUTORS.txt for the list of SwiftNIO project authors\n//\n// SPDX-License-Identifier: Apache-2.0\n//\n//===----------------------------------------------------------------------===//\n\n@_implementationOnly import CNIOBoringSSL\nimport NIOCore\n\n#if canImport(Darwin)\nimport Darwin.C\n#elseif canImport(Musl)\nimport Musl\n#elseif canImport(Glibc)\nimport Glibc\n#elseif canImport(Bionic)\nimport Bionic\n#else\n#error(\"unsupported os\")\n#endif\n\n/// The BoringSSL entry point to write to the `ByteBufferBIO`. This thunk unwraps the user data\n/// and then passes the call on to the specific BIO reference.\n///\n/// This specific type signature is annoying (I'd rather have UnsafeRawPointer, and rather than a separate\n/// len I'd like a buffer pointer), but this interface is required because this is passed to an BoringSSL\n/// function pointer and so needs to be @convention(c).\ninternal func boringSSLBIOWriteFunc(bio: UnsafeMutablePointer?, buf: UnsafePointer?, len: CInt) -> CInt {\n guard let concreteBIO = bio, let concreteBuf = buf else {\n preconditionFailure(\n \"Invalid pointers in boringSSLBIOWriteFunc: bio: \\(String(describing: bio)) buf: \\(String(describing: buf))\"\n )\n }\n\n // This unwrap may fail if the user has dropped the ref to the ByteBufferBIO but still has\n // a ref to the other pointer. Sigh heavily and just fail.\n guard let userPtr = CNIOBoringSSL_BIO_get_data(concreteBIO) else {\n return -1\n }\n\n // Begin by clearing retry flags. We do this at all BoringSSL entry points.\n CNIOBoringSSL_BIO_clear_retry_flags(concreteBIO)\n\n // In the event a write of 0 bytes has been asked for, just return early, don't bother with the other work.\n guard len > 0 else {\n return 0\n }\n\n let swiftBIO: ByteBufferBIO = Unmanaged.fromOpaque(userPtr).takeUnretainedValue()\n let bufferPtr = UnsafeRawBufferPointer(start: concreteBuf, count: Int(len))\n return swiftBIO.sslWrite(buffer: bufferPtr)\n}\n\n/// The BoringSSL entry point to read from the `ByteBufferBIO`. This thunk unwraps the user data\n/// and then passes the call on to the specific BIO reference.\n///\n/// This specific type signature is annoying (I'd rather have UnsafeRawPointer, and rather than a separate\n/// len I'd like a buffer pointer), but this interface is required because this is passed to an BoringSSL\n/// function pointer and so needs to be @convention(c).\ninternal func boringSSLBIOReadFunc(\n bio: UnsafeMutablePointer?,\n buf: UnsafeMutablePointer?,\n len: CInt\n) -> CInt {\n guard let concreteBIO = bio, let concreteBuf = buf else {\n preconditionFailure(\n \"Invalid pointers in boringSSLBIOReadFunc: bio: \\(String(describing: bio)) buf: \\(String(describing: buf))\"\n )\n }\n\n // This unwrap may fail if the user has dropped the ref to the ByteBufferBIO but still has\n // a ref to the other pointer. Sigh heavily and just fail.\n guard let userPtr = CNIOBoringSSL_BIO_get_data(concreteBIO) else {\n return -1\n }\n\n // Begin by clearing retry flags. We do this at all BoringSSL entry points.\n CNIOBoringSSL_BIO_clear_retry_flags(concreteBIO)\n\n // In the event a read for 0 bytes has been asked for, just return early, don't bother with the other work.\n guard len > 0 else {\n return 0\n }\n\n let swiftBIO: ByteBufferBIO = Unmanaged.fromOpaque(userPtr).takeUnretainedValue()\n let bufferPtr = UnsafeMutableRawBufferPointer(start: concreteBuf, count: Int(len))\n return swiftBIO.sslRead(buffer: bufferPtr)\n}\n\n/// The BoringSSL entry point for `puts`. This is a silly function, so we're just going to implement it\n/// in terms of write.\n///\n/// This specific type signature is annoying (I'd rather have UnsafeRawPointer, and rather than a separate\n/// len I'd like a buffer pointer), but this interface is required because this is passed to an BoringSSL\n/// function pointer and so needs to be @convention(c).\ninternal func boringSSLBIOPutsFunc(bio: UnsafeMutablePointer?, buf: UnsafePointer?) -> CInt {\n guard let concreteBIO = bio, let concreteBuf = buf else {\n preconditionFailure(\n \"Invalid pointers in boringSSLBIOPutsFunc: bio: \\(String(describing: bio)) buf: \\(String(describing: buf))\"\n )\n }\n return boringSSLBIOWriteFunc(bio: concreteBIO, buf: concreteBuf, len: CInt(strlen(concreteBuf)))\n}\n\n/// The BoringSSL entry point for `gets`. This is a *really* silly function and we can't implement it nicely\n/// in terms of read, so we just refuse to support it.\n///\n/// This specific type signature is annoying (I'd rather have UnsafeRawPointer, and rather than a separate\n/// len I'd like a buffer pointer), but this interface is required because this is passed to an BoringSSL\n/// function pointer and so needs to be @convention(c).\ninternal func boringSSLBIOGetsFunc(\n bio: UnsafeMutablePointer?,\n buf: UnsafeMutablePointer?,\n len: CInt\n) -> CInt {\n -2\n}\n\n/// The BoringSSL entry point for `BIO_ctrl`. We don't support most of these.\ninternal func boringSSLBIOCtrlFunc(\n bio: UnsafeMutablePointer?,\n cmd: CInt,\n larg: CLong,\n parg: UnsafeMutableRawPointer?\n) -> CLong {\n switch cmd {\n case BIO_CTRL_GET_CLOSE:\n return CLong(CNIOBoringSSL_BIO_get_shutdown(bio))\n case BIO_CTRL_SET_CLOSE:\n CNIOBoringSSL_BIO_set_shutdown(bio, CInt(larg))\n return 1\n case BIO_CTRL_FLUSH:\n return 1\n default:\n return 0\n }\n}\n\ninternal func boringSSLBIOCreateFunc(bio: UnsafeMutablePointer?) -> CInt {\n 1\n}\n\ninternal func boringSSLBIODestroyFunc(bio: UnsafeMutablePointer?) -> CInt {\n 1\n}\n\n/// An BoringSSL BIO object that wraps `ByteBuffer` objects.\n///\n/// BoringSSL extensively uses an abstraction called `BIO` to manage its input and output\n/// channels. For NIO we want a BIO that operates entirely in-memory, and it's tempting\n/// to assume that BoringSSL's `BIO_s_mem` is the best choice for that. However, ultimately\n/// `BIO_s_mem` is a flat memory buffer that we end up using as a staging between one\n/// `ByteBuffer` of plaintext and one of ciphertext. We'd like to cut out that middleman.\n///\n/// For this reason, we want to create an object that implements the `BIO` abstraction\n/// but which use `ByteBuffer`s to do so. This allows us to avoid unnecessary memory copies,\n/// which can be a really large win.\nfinal class ByteBufferBIO {\n /// The unsafe pointer to the BoringSSL BIO_METHOD.\n ///\n /// This is used to give BoringSSL pointers to the methods that need to be invoked when\n /// using a ByteBufferBIO. There will only ever be one value of this in a NIO program,\n /// and it will always be non-NULL. Failure to initialize this structure is fatal to\n /// the program.\n nonisolated(unsafe) private static let boringSSLBIOMethod: UnsafeMutablePointer =\n buildBoringSSLBIOMethod()\n\n private static func buildBoringSSLBIOMethod() -> UnsafeMutablePointer {\n guard boringSSLIsInitialized else {\n preconditionFailure(\"Failed to initialize BoringSSL\")\n }\n\n let bioType = CNIOBoringSSL_BIO_get_new_index() | BIO_TYPE_SOURCE_SINK\n guard let method = CNIOBoringSSL_BIO_meth_new(bioType, \"ByteBuffer BIO\") else {\n preconditionFailure(\"Unable to allocate new BIO_METHOD\")\n }\n\n CNIOBoringSSL_BIO_meth_set_write(method, boringSSLBIOWriteFunc)\n CNIOBoringSSL_BIO_meth_set_read(method, boringSSLBIOReadFunc)\n CNIOBoringSSL_BIO_meth_set_puts(method, boringSSLBIOPutsFunc)\n CNIOBoringSSL_BIO_meth_set_gets(method, boringSSLBIOGetsFunc)\n CNIOBoringSSL_BIO_meth_set_ctrl(method, boringSSLBIOCtrlFunc)\n CNIOBoringSSL_BIO_meth_set_create(method, boringSSLBIOCreateFunc)\n CNIOBoringSSL_BIO_meth_set_destroy(method, boringSSLBIODestroyFunc)\n\n return method\n }\n\n /// Pointer to the backing BoringSSL BIO object.\n ///\n /// Generally speaking BoringSSL wants to own the object initialization logic for a BIO.\n /// This doesn't work for us, because we'd like to ensure that the `ByteBufferBIO` is\n /// correctly initialized with all the state it needs. One of those bits of state is\n /// a `ByteBuffer`, which BoringSSL cannot give us, so we need to build our `ByteBufferBIO`\n /// *first* and then use that to drive `BIO` initialization.\n ///\n /// Because of this split initialization dance, we elect to initialize this data structure,\n /// and have it own building an BoringSSL `BIO` structure.\n private let bioPtr: UnsafeMutablePointer\n\n /// The buffer of bytes received from the network.\n ///\n /// By default, `ByteBufferBIO` expects to pass data directly to BoringSSL whenever it\n /// is received. It is, in essence, a temporary container for a `ByteBuffer` on the\n /// read side. This provides a powerful optimisation, which is that the read buffer\n /// passed to the `NIOSSLHandler` can be re-used immediately upon receipt. Given that\n /// the `NIOSSLHandler` is almost always the first handler in the pipeline, this greatly\n /// improves the allocation profile of busy connections, which can more-easily re-use\n /// the receive buffer.\n private var inboundBuffer: ByteBuffer?\n\n /// The buffer of bytes to send to the network.\n ///\n /// While on the read side `ByteBufferBIO` expects to hold each bytebuffer only temporarily,\n /// on the write side we attempt to coalesce as many writes as possible. This is because a\n /// buffer can only be re-used if it is flushed to the network, and that can only happen\n /// on flush calls, so we are incentivised to write as many SSL_write calls into one buffer\n /// as possible.\n private var outboundBuffer: ByteBuffer\n\n /// An allocator to use for new buffers.\n private let allocator: ByteBufferAllocator\n\n /// The maximum capacity of the outbound buffer that we'll preserve after clearing it.\n ///\n /// When `mustClearOutboundBuffer` is `true`, this value is checked against the capacity.\n /// If the capacity of the buffer is larger than this value, the buffer is replaced with a new\n /// empty buffer sufficient to hold the next call to `SSL_write`.\n private let maximumPreservedOutboundBufferCapacity: Int\n\n /// Whether the outbound buffer should be cleared before writing.\n ///\n /// This is true only if we've flushed the buffer to the network. Rather than track an annoying\n /// boolean for this, we use a quick check on the properties of the buffer itself. This clear\n /// wants to be delayed as long as possible to maximise the possibility that it does not\n /// trigger an allocation.\n private var mustClearOutboundBuffer: Bool {\n outboundBuffer.readerIndex == outboundBuffer.writerIndex && outboundBuffer.readerIndex > 0\n }\n\n /// A test helper to provide the outbound buffer capacity.\n internal var _testOnly_outboundBufferCapacity: Int {\n self.outboundBuffer.capacity\n }\n\n init(allocator: ByteBufferAllocator, maximumPreservedOutboundBufferCapacity: Int) {\n // We allocate enough space for a single TLS record. We may not actually write a record that size, but we want to\n // give ourselves the option. We may also write more data than that: if we do, the ByteBuffer will just handle it.\n self.outboundBuffer = allocator.buffer(capacity: SSL_MAX_RECORD_SIZE)\n\n guard let bio = CNIOBoringSSL_BIO_new(ByteBufferBIO.boringSSLBIOMethod) else {\n preconditionFailure(\"Unable to initialize custom BIO\")\n }\n\n // We now need to complete the BIO initialization. The BIO takes an owned reference to self here,\n // which is broken on close().\n self.bioPtr = bio\n self.maximumPreservedOutboundBufferCapacity = maximumPreservedOutboundBufferCapacity\n self.allocator = allocator\n CNIOBoringSSL_BIO_set_data(self.bioPtr, Unmanaged.passRetained(self).toOpaque())\n CNIOBoringSSL_BIO_set_init(self.bioPtr, 1)\n CNIOBoringSSL_BIO_set_shutdown(self.bioPtr, 1)\n }\n\n deinit {\n // In debug mode we assert that we've been closed.\n assert(CNIOBoringSSL_BIO_get_data(self.bioPtr) == nil, \"must call close() on ByteBufferBIO before deinit\")\n\n // On deinit we need to drop our reference to the BIO.\n CNIOBoringSSL_BIO_free(self.bioPtr)\n }\n\n /// Shuts down the BIO, rendering it unable to be used.\n ///\n /// This method is idempotent: it is safe to call more than once.\n internal func close() {\n guard let selfRef = CNIOBoringSSL_BIO_get_data(self.bioPtr) else {\n // Shutdown is safe to call more than once.\n return\n }\n\n // We consume the original retain of self, and then nil out the ref in the BIO so that this can't happen again.\n Unmanaged.fromOpaque(selfRef).release()\n CNIOBoringSSL_BIO_set_data(self.bioPtr, nil)\n }\n\n /// Obtain an owned pointer to the backing BoringSSL BIO object.\n ///\n /// This pointer is safe to use elsewhere, as it has increased the reference to the backing\n /// `BIO`. This makes it safe to use with BoringSSL functions that require an owned reference\n /// (that is, that consume a reference count).\n ///\n /// Note that the BIO may not remain useful for long periods of time: if the `ByteBufferBIO`\n /// object that owns the BIO goes out of scope, the BIO will have its pointers invalidated\n /// and will no longer be able to send/receive data.\n internal func retainedBIO() -> UnsafeMutablePointer {\n CNIOBoringSSL_BIO_up_ref(self.bioPtr)\n return self.bioPtr\n }\n\n /// Called to obtain the outbound ciphertext written by BoringSSL.\n ///\n /// This function obtains a buffer of ciphertext that needs to be written to the network. In a\n /// normal application, this should be obtained on a call to `flush`. If no bytes have been flushed\n /// to the network, then this call will return `nil` rather than an empty byte buffer, to help signal\n /// that the `write` call should be elided.\n ///\n /// - returns: A buffer of ciphertext to send to the network, or `nil` if no buffer is available.\n func outboundCiphertext() -> ByteBuffer? {\n guard self.outboundBuffer.readableBytes > 0 else {\n // No data to send.\n return nil\n }\n\n /// Once we return from this function, we want to account for the bytes we've handed off.\n defer {\n self.outboundBuffer.moveReaderIndex(to: self.outboundBuffer.writerIndex)\n }\n\n return self.outboundBuffer\n }\n\n /// Stores a buffer received from the network for delivery to BoringSSL.\n ///\n /// Whenever a buffer is received from the network, it is passed to the BIO via this function\n /// call. In almost all cases this BIO should be immediately consumed by BoringSSL, but in some cases\n /// it may not be. In those cases, additional calls will cause byte-by-byte copies. This should\n /// be avoided, but usually only happens during asynchronous certificate verification in the\n /// handshake.\n ///\n /// - parameters:\n /// - buffer: The buffer of ciphertext bytes received from the network.\n func receiveFromNetwork(buffer: ByteBuffer) {\n var buffer = buffer\n\n if self.inboundBuffer == nil {\n self.inboundBuffer = buffer\n } else {\n self.inboundBuffer!.writeBuffer(&buffer)\n }\n }\n\n /// Retrieves any inbound data that has not been processed by BoringSSL.\n ///\n /// When unwrapping TLS from a connection, there may be application bytes that follow the terminating\n /// CLOSE_NOTIFY message. Those bytes may be in the buffer passed to this BIO, and so we need to\n /// retrieve them.\n ///\n /// This function extracts those bytes and returns them to the user, and drops the reference to them\n /// in this BIO.\n ///\n /// - returns: The unconsumed `ByteBuffer`, if any.\n func evacuateInboundData() -> ByteBuffer? {\n defer {\n self.inboundBuffer = nil\n }\n return self.inboundBuffer\n }\n\n /// BoringSSL has requested to read ciphertext bytes from the network.\n ///\n /// This function is invoked whenever BoringSSL is looking to read data.\n ///\n /// - parameters:\n /// - buffer: The buffer for NIO to copy bytes into.\n /// - returns: The number of bytes we have copied.\n fileprivate func sslRead(buffer: UnsafeMutableRawBufferPointer) -> CInt {\n guard var inboundBuffer = self.inboundBuffer else {\n // We have no bytes to read. Mark this as \"needs read retry\".\n CNIOBoringSSL_BIO_set_retry_read(self.bioPtr)\n return -1\n }\n\n let bytesToCopy = min(buffer.count, inboundBuffer.readableBytes)\n _ = inboundBuffer.readWithUnsafeReadableBytes { bytePointer in\n assert(\n bytePointer.count >= bytesToCopy,\n \"Copying more bytes (\\(bytesToCopy)) than fits in readable bytes \\((bytePointer.count))\"\n )\n assert(\n buffer.count >= bytesToCopy,\n \"Copying more bytes (\\(bytesToCopy) than contained in source buffer (\\(buffer.count))\"\n )\n buffer.baseAddress!.copyMemory(from: bytePointer.baseAddress!, byteCount: bytesToCopy)\n return bytesToCopy\n }\n\n // If we have read all the bytes from the inbound buffer, nil it out.\n if inboundBuffer.readableBytes > 0 {\n self.inboundBuffer = inboundBuffer\n } else {\n self.inboundBuffer = nil\n }\n\n return CInt(bytesToCopy)\n }\n\n /// BoringSSL has requested to write ciphertext bytes from the network.\n ///\n /// - parameters:\n /// - buffer: The buffer for NIO to copy bytes from.\n /// - returns: The number of bytes we have copied.\n fileprivate func sslWrite(buffer: UnsafeRawBufferPointer) -> CInt {\n if self.mustClearOutboundBuffer {\n // We just flushed, and this is a new write. Let's clear the buffer now.\n if self.outboundBuffer.capacity > self.maximumPreservedOutboundBufferCapacity {\n self.outboundBuffer = self.allocator.buffer(\n capacity: max(buffer.count, self.maximumPreservedOutboundBufferCapacity)\n )\n } else {\n self.outboundBuffer.clear()\n assert(!self.mustClearOutboundBuffer)\n }\n }\n\n let writtenBytes = self.outboundBuffer.writeBytes(buffer)\n return CInt(writtenBytes)\n }\n}\n" }, { "path": "Sources/NIOSSL/CustomPrivateKey.swift", "content": "//===----------------------------------------------------------------------===//\n//\n// This source file is part of the SwiftNIO open source project\n//\n// Copyright (c) 2021 Apple Inc. and the SwiftNIO project authors\n// Licensed under Apache License v2.0\n//\n// See LICENSE.txt for license information\n// See CONTRIBUTORS.txt for the list of SwiftNIO project authors\n//\n// SPDX-License-Identifier: Apache-2.0\n//\n//===----------------------------------------------------------------------===//\n\n@_implementationOnly import CNIOBoringSSL\nimport NIOCore\n\n/// ``NIOSSLCustomPrivateKey`` defines the interface of a custom, non-BoringSSL private key.\n///\n/// In a number of circumstances it is advantageous to store a TLS private key in some form of high-security storage,\n/// such as a smart card. In these cases it is not possible to represent the TLS private key directly as a sequence\n/// of bytes that BoringSSL will understand.\n///\n/// This protocol allows a type to implement callbacks that perform the specific operation required by the TLS handshake.\n/// Implementers are required to specify what signature algorithms they support, and then must implement **only one** of\n/// the ``NIOSSLCustomPrivateKey/sign(channel:algorithm:data:)`` and ``NIOSSLCustomPrivateKey/decrypt(channel:data:)``\n/// functions. For elliptic curve keys, implementers should implement ``NIOSSLCustomPrivateKey/sign(channel:algorithm:data:)``.\n/// For RSA keys, implementers should implement ``NIOSSLCustomPrivateKey/sign(channel:algorithm:data:)`` and, if supporting\n/// RSA key exchange in TLS versions before 1.3, you should also implement ``NIOSSLCustomPrivateKey/decrypt(channel:data:)``.\n///\n/// If the same ``NIOSSLCustomPrivateKey`` implementation is used by multiple channels at once, then no synchronization\n/// is imposed by SwiftNIO. The calls to the protocol requirements will be made on event loop threads, so if further\n/// synchronization is required it is up to the implementer to provide it. Note that it is unacceptable to block in\n/// these functions, and so potentially blocking operations must delegate to another thread.\npublic protocol NIOSSLCustomPrivateKey: _NIOPreconcurrencySendable {\n /// The signature algorithms supported by this key.\n var signatureAlgorithms: [SignatureAlgorithm] { get }\n\n /// The DER bytes for this private key.\n ///\n /// Custom key implementations should return an appropriate value, but by default, an empty array will be returned.\n var derBytes: [UInt8] { get }\n\n /// Called to perform a signing operation.\n ///\n /// The data being passed to the call has not been hashed, and it is the responsibility of the implementer\n /// to ensure that the data _is_ hashed before use. `algorithm` will control what hash algorithm should be used.\n /// This call will always execute on `channel.eventLoop`.\n ///\n /// This function should be implemented by both EC and RSA keys.\n ///\n /// - parameters:\n /// - channel: The `Channel` representing the connection for which we are performing the signing operation.\n /// - algorithm: The ``SignatureAlgorithm`` that should be used to generate the signature.\n /// - data: The data to be signed.\n /// - returns: An `EventLoopFuture` that will be fulfilled with a `ByteBuffer` containing the signature bytes, if\n /// the signing operation completes, or that will be failed with a relevant `Error` if the signature could not\n /// be produced.\n func sign(channel: Channel, algorithm: SignatureAlgorithm, data: ByteBuffer) -> EventLoopFuture\n\n /// Called to perform a decryption operation.\n ///\n /// The data being passed to the call should be decrypted using _raw_ RSA public key decryption, without padding.\n /// This call will always execute on `channel.eventLoop`.\n ///\n /// This function should only be implemented for RSA keys, and then only if you support RSA key exchange. If you\n /// are only using TLS 1.3 and later, this function is entirely unnecessary and it will never be called.\n ///\n /// - parameters:\n /// - channel: The `Channel` representing the connection for which we are performing the decryption operation.\n /// - data: The data to be decrypted.\n /// - returns: An `EventLoopFuture` that will be fulfilled with a `ByteBuffer` containing the decrypted bytes, if\n /// the decryption operation completes, or that will be failed with a relevant `Error` if the decrypted bytes\n /// could not be produced.\n func decrypt(channel: Channel, data: ByteBuffer) -> EventLoopFuture\n}\n\nextension NIOSSLCustomPrivateKey {\n @inlinable public var derBytes: [UInt8] { [] }\n}\n\n/// This is a type-erased wrapper that can be used to encapsulate a NIOSSLCustomPrivateKey and provide it with\n/// hashability and equatability.\n///\n/// While generally speaking type-erasure has some nasty performance problems, we need the type-erasure for Hashable conformance.\n@usableFromInline\ninternal struct AnyNIOSSLCustomPrivateKey: NIOSSLCustomPrivateKey, Hashable {\n @usableFromInline let _value: NIOSSLCustomPrivateKey\n\n @usableFromInline let _equalsFunction: @Sendable (NIOSSLCustomPrivateKey) -> Bool\n @usableFromInline let _hashFunction: @Sendable (inout Hasher) -> Void\n\n @inlinable init(_ key: CustomKey) {\n self._value = key\n self._equalsFunction = { ($0 as? CustomKey) == key }\n self._hashFunction = { $0.combine(key) }\n }\n\n // This method does not need to be @inlinable for performance, but it needs to be _at least_\n // @usableFromInline as it's a protocol requirement on a @usableFromInline type.\n @inlinable var signatureAlgorithms: [SignatureAlgorithm] {\n self._value.signatureAlgorithms\n }\n\n @inlinable var derBytes: [UInt8] {\n self._value.derBytes\n }\n\n // This method does not need to be @inlinable for performance, but it needs to be _at least_\n // @usableFromInline as it's a protocol requirement on a @usableFromInline type.\n @inlinable func sign(\n channel: Channel,\n algorithm: SignatureAlgorithm,\n data: ByteBuffer\n ) -> EventLoopFuture {\n self._value.sign(channel: channel, algorithm: algorithm, data: data)\n }\n\n // This method does not need to be @inlinable for performance, but it needs to be _at least_\n // @usableFromInline as it's a protocol requirement on a @usableFromInline type.\n @inlinable func decrypt(channel: Channel, data: ByteBuffer) -> EventLoopFuture {\n self._value.decrypt(channel: channel, data: data)\n }\n\n // This method does not need to be @inlinable for performance, but it needs to be _at least_\n // @usableFromInline as it's a protocol requirement on a @usableFromInline type.\n @inlinable func hash(into hasher: inout Hasher) {\n self._hashFunction(&hasher)\n }\n\n // This method does not need to be @inlinable for performance, but it needs to be _at least_\n // @usableFromInline as it's a protocol requirement on a @usableFromInline type.\n @inlinable static func == (lhs: AnyNIOSSLCustomPrivateKey, rhs: AnyNIOSSLCustomPrivateKey) -> Bool {\n lhs._equalsFunction(rhs._value)\n }\n}\n\nextension SSLConnection {\n fileprivate var customKey: NIOSSLCustomPrivateKey? {\n let source = self.currentOverride?.privateKey ?? self.parentContext.configuration.privateKey\n guard case .some(.privateKey(let key)) = source,\n case .custom(let customKey) = key.representation\n else {\n return nil\n }\n\n return customKey\n }\n\n fileprivate func customPrivateKeySign(\n signatureAlgorithm: UInt16,\n in: UnsafeBufferPointer\n ) -> ssl_private_key_result_t {\n precondition(self.customPrivateKeyResult == nil)\n\n guard let customKey = self.customKey else {\n preconditionFailure()\n }\n\n let wrappedAlgorithm = SignatureAlgorithm(rawValue: signatureAlgorithm)\n guard customKey.signatureAlgorithms.contains(wrappedAlgorithm) else {\n return ssl_private_key_failure\n }\n\n // This force-unwrap pair is safe: we can only handshake while we're in a pipeline.\n let channel = self.parentHandler!.channel!\n var inputBytes = channel.allocator.buffer(capacity: `in`.count)\n inputBytes.writeBytes(`in`)\n\n let result = customKey.sign(channel: channel, algorithm: wrappedAlgorithm, data: inputBytes)\n result.hop(to: channel.eventLoop).assumeIsolated().whenComplete { signingResult in\n self.storeCustomPrivateKeyResult(signingResult, channel: channel)\n }\n\n return ssl_private_key_retry\n }\n\n fileprivate func customPrivateKeyDecrypt(\n in: UnsafeBufferPointer\n ) -> ssl_private_key_result_t {\n precondition(self.customPrivateKeyResult == nil)\n\n guard let customKey = self.customKey else {\n preconditionFailure()\n }\n\n // This force-unwrap pair is safe: we can only handshake while we're in a pipeline.\n let channel = self.parentHandler!.channel!\n var inputBytes = channel.allocator.buffer(capacity: `in`.count)\n inputBytes.writeBytes(`in`)\n\n let result = customKey.decrypt(channel: channel, data: inputBytes)\n result.hop(to: channel.eventLoop).assumeIsolated().whenComplete { decryptionResult in\n self.storeCustomPrivateKeyResult(decryptionResult, channel: channel)\n }\n\n return ssl_private_key_retry\n }\n\n fileprivate func customPrivateKeyComplete(out: inout UnsafeMutableBufferPointer) -> ssl_private_key_result_t\n {\n switch self.customPrivateKeyResult {\n case .none:\n return ssl_private_key_retry\n case .some(.failure):\n return ssl_private_key_failure\n case .some(.success(let signingResult)):\n guard signingResult.readableBytes <= out.count else {\n return ssl_private_key_failure\n }\n\n let (_, lastIndex) = out.initialize(from: signingResult.readableBytesView)\n out = UnsafeMutableBufferPointer(rebasing: out[.., channel: Channel) {\n // When we complete here we need to set our result state, and then ask to respin the handshake.\n // If we can't respin the handshake because we've dropped the parent handler, that's fine, no harm no foul.\n // For that reason, we tolerate both the verify manager and the parent handler being nil.\n channel.eventLoop.assumeIsolated().execute {\n precondition(self.customPrivateKeyResult == nil)\n self.customPrivateKeyResult = result\n self.parentHandler?.resumeHandshake()\n }\n }\n}\n\n// We heap-allocate the SSL_PRIVATE_KEY_METHOD we need because we can't define a static stored property with fixed address\n// in Swift.\nnonisolated(unsafe) internal let customPrivateKeyMethod: UnsafePointer =\n buildCustomPrivateKeyMethod()\n\nprivate func buildCustomPrivateKeyMethod() -> UnsafePointer {\n let pointer = UnsafeMutablePointer.allocate(capacity: 1)\n pointer.pointee = .init(sign: customKeySign, decrypt: customKeyDecrypt, complete: customKeyComplete)\n return UnsafePointer(pointer)\n}\n\n/// This is our entry point from BoringSSL when we've been asked to do a sign.\nprivate func customKeySign(\n ssl: OpaquePointer?,\n out: UnsafeMutablePointer?,\n outLen: UnsafeMutablePointer?,\n maxOut: size_t,\n signatureAlgorithm: UInt16,\n in: UnsafePointer?,\n inLen: Int\n) -> ssl_private_key_result_t {\n guard let ssl = ssl, out != nil, let outLen = outLen, let `in` = `in` else {\n preconditionFailure()\n }\n\n let connection = SSLConnection.loadConnectionFromSSL(ssl)\n let inBuffer = UnsafeBufferPointer(start: `in`, count: inLen)\n\n // We never return anything here.\n outLen.pointee = 0\n\n return connection.customPrivateKeySign(signatureAlgorithm: signatureAlgorithm, in: inBuffer)\n}\n\n/// This is our entry point from BoringSSL when we've been asked to do a decrypt.\nprivate func customKeyDecrypt(\n ssl: OpaquePointer?,\n out: UnsafeMutablePointer?,\n outLen: UnsafeMutablePointer?,\n maxOut: Int,\n in: UnsafePointer?,\n inLen: Int\n) -> ssl_private_key_result_t {\n guard let ssl = ssl, out != nil, let outLen = outLen, let `in` = `in` else {\n preconditionFailure()\n }\n\n let connection = SSLConnection.loadConnectionFromSSL(ssl)\n let inBuffer = UnsafeBufferPointer(start: `in`, count: inLen)\n\n // We never return anything here.\n outLen.pointee = 0\n\n return connection.customPrivateKeyDecrypt(in: inBuffer)\n}\n\n/// When BoringSSL is asking if we're done with our key operation, we come here.\nprivate func customKeyComplete(\n ssl: OpaquePointer?,\n out: UnsafeMutablePointer?,\n outLen: UnsafeMutablePointer?,\n maxOut: Int\n) -> ssl_private_key_result_t {\n guard let ssl = ssl, let out = out, let outLen = outLen else {\n preconditionFailure()\n }\n\n let connection = SSLConnection.loadConnectionFromSSL(ssl)\n var outBuffer = UnsafeMutableBufferPointer(start: out, count: maxOut)\n let result = connection.customPrivateKeyComplete(out: &outBuffer)\n\n if result != ssl_private_key_success {\n // We need to set outLen to zero here.\n outLen.pointee = 0\n } else {\n outLen.pointee = outBuffer.count\n }\n\n return result\n}\n" }, { "path": "Sources/NIOSSL/Docs.docc/TLSConfiguration.md", "content": "# ``TLSConfiguration``\n\n## Topics\n\n### Creating a TLS configuration\n\n- ``clientDefault``\n- ``makeClientConfiguration()``\n- ``makeServerConfiguration(certificateChain:privateKey:)``\n- ``makePreSharedKeyConfiguration()``\n\n### Inspecting a configuration\n\n- ``minimumTLSVersion``\n- ``maximumTLSVersion``\n- ``certificateVerification``\n- ``trustRoots``\n- ``certificateChain``\n- ``privateKey``\n- ``applicationProtocols``\n- ``shutdownTimeout``\n- ``keyLogCallback``\n- ``renegotiationSupport``\n- ``sslContextCallback``\n\n### Inspecting configuration ciphers\n\n- ``cipherSuites``\n- ``verifySignatureAlgorithms``\n- ``signingSignatureAlgorithms``\n- ``cipherSuiteValues``\n- ``curves``\n- ``additionalTrustRoots``\n- ``sendCANameList``\n\n### Inspecting pre-shared key configurations\n\n- ``pskClientProvider``\n- ``pskHint``\n- ``pskServerProvider``\n- ``pskClientCallback``\n- ``pskServerCallback``\n\n### Comparing and Hashing TLS configurations\n\n- ``bestEffortEquals(_:)``\n- ``bestEffortHash(into:)``\n\n### Deprecated initializers\n\n- ``forClient(cipherSuites:minimumTLSVersion:maximumTLSVersion:certificateVerification:trustRoots:certificateChain:privateKey:applicationProtocols:shutdownTimeout:keyLogCallback:)``\n- ``forClient(cipherSuites:minimumTLSVersion:maximumTLSVersion:certificateVerification:trustRoots:certificateChain:privateKey:applicationProtocols:shutdownTimeout:keyLogCallback:renegotiationSupport:)``\n- ``forClient(cipherSuites:verifySignatureAlgorithms:signingSignatureAlgorithms:minimumTLSVersion:maximumTLSVersion:certificateVerification:trustRoots:certificateChain:privateKey:applicationProtocols:shutdownTimeout:keyLogCallback:renegotiationSupport:)``\n\n- ``forServer(certificateChain:privateKey:cipherSuites:minimumTLSVersion:maximumTLSVersion:certificateVerification:trustRoots:applicationProtocols:shutdownTimeout:keyLogCallback:)``\n- ``forServer(certificateChain:privateKey:cipherSuites:verifySignatureAlgorithms:signingSignatureAlgorithms:minimumTLSVersion:maximumTLSVersion:certificateVerification:trustRoots:applicationProtocols:shutdownTimeout:keyLogCallback:)``\n" }, { "path": "Sources/NIOSSL/Docs.docc/index.md", "content": "# ``NIOSSL``\n\nTLS for SwiftNIO.\n\nSwiftNIO SSL is a Swift package that contains an implementation of TLS based on BoringSSL. This package allows users of SwiftNIO to write protocol clients and servers that use TLS to secure data in flight.\n\nThe name is inspired primarily by the names of the library this package uses (BoringSSL), and not because we don't know the name of the protocol. We know the protocol is TLS!\n\n## Overview\n\n### Using SwiftNIO SSL\n\nSwiftNIO SSL provides two `ChannelHandler`s to use to secure a data stream: the ``NIOSSLClientHandler`` and the ``NIOSSLServerHandler``. Each of these can be added to a `Channel` to secure the communications on that channel.\n\nAdditionally, we provide a number of low-level primitives for configuring your TLS connections. These will be shown below.\n\nTo secure a server connection, you will need a X.509 certificate chain in a file (either PEM or DER, but PEM is far easier), and the associated private key for the leaf certificate. These objects can then be wrapped up in a ``TLSConfiguration`` object that is used to initialize the `ChannelHandler`.\n\nFor example:\n\n```swift\nlet configuration = TLSConfiguration.makeServerConfiguration(\n certificateChain: try NIOSSLCertificate.fromPEMFile(\"cert.pem\").map { .certificate($0) },\n privateKey: try .privateKey(.init(file: \"key.pem\", format: .pem))\n)\nlet sslContext = try NIOSSLContext(configuration: configuration)\n\nlet server = ServerBootstrap(group: group)\n .childChannelInitializer { channel in\n // important: The handler must be initialized _inside_ the `childChannelInitializer`\n let handler = NIOSSLServerHandler(context: sslContext)\n\n [...]\n channel.pipeline.addHandler(handler)\n [...]\n }\n```\n\nFor clients, it is a bit simpler as there is no need to have a certificate chain or private key (though clients *may* have these things). Setup for clients may be done like this:\n\n```swift\nlet configuration = TLSConfiguration.makeClientConfiguration()\nlet sslContext = try NIOSSLContext(configuration: configuration)\n\nlet client = ClientBootstrap(group: group)\n .channelInitializer { channel in\n // important: The handler must be initialized _inside_ the `channelInitializer`\n let handler = try NIOSSLClientHandler(context: sslContext)\n\n [...]\n channel.pipeline.addHandler(handler)\n [...]\n }\n```\n\nThe most recent versions of SwiftNIO SSL support Swift 5.7 and newer. The minimum Swift version supported by SwiftNIO SSL releases are detailed below:\n\nSwiftNIO SSL | Minimum Swift Version\n--------------------|----------------------\n`2.0.0 ..< 2.14.0` | 5.0\n`2.14.0 ..< 2.19.0` | 5.2\n`2.19.0 ..< 2.23.0` | 5.4\n`2.23.0 ..< 2.23.2` | 5.5.2\n`2.23.2 ..< 2.26.0` | 5.6\n`2.26.0 ..< 2.27.0` | 5.7\n`2.27.0 ...` | 5.8\n\n## Topics\n\n### Articles\n\n- \n- \n\n### Channel Handlers\n\n- ``NIOSSLClientHandler``\n- ``NIOSSLServerHandler``\n- ``NIOSSLHandler``\n\n### Certificates and Keys\n\n- ``NIOSSLCertificate``\n- ``NIOSSLPrivateKey``\n- ``NIOSSLPassphraseCallback``\n- ``NIOSSLPassphraseSetter``\n- ``NIOSSLPublicKey``\n- ``NIOSSLCustomPrivateKey``\n- ``NIOSSLPKCS12Bundle``\n\n### Custom Verification Callbacks\n\n- ``NIOSSLCustomVerificationCallback``\n- ``NIOSSLVerificationCallback``\n- ``NIOSSLVerificationResult``\n\n### Configuration and State\n\n- ``TLSConfiguration``\n- ``TLSVersion``\n- ``NIOTLSCipher``\n- ``NIOSSLSerializationFormats``\n- ``CertificateVerification``\n- ``NIORenegotiationSupport``\n- ``SignatureAlgorithm``\n- ``defaultCipherSuites``\n- ``NIOSSLTrustRoots``\n- ``NIOSSLAdditionalTrustRoots``\n- ``NIOSSLCertificateSource``\n- ``NIOSSLPrivateKeySource``\n- ``NIOSSLKeyLogCallback``\n- ``NIOPSKClientIdentityCallback``\n- ``NIOPSKServerIdentityCallback``\n- ``PSKServerIdentityResponse``\n- ``PSKClientIdentityResponse``\n- ``NIOSSLContext``\n\n### Generic TLS Abstractions\n\n- ``NIOSSLClientTLSProvider``\n\n### Utility Objects\n\n- ``NIOSSLSecureBytes``\n- ``NIOSSLObjectIdentifier``\n\n### Errors\n\n- ``NIOSSLError``\n- ``BoringSSLError``\n- ``NIOBoringSSLErrorStack``\n- ``BoringSSLInternalError``\n- ``NIOSSLCloseTimedOutError``\n- ``NIOTLSUnwrappingError``\n- ``NIOSSLExtraError``\n" }, { "path": "Sources/NIOSSL/Docs.docc/quantum-secure-tls.md", "content": "# Quantum-secure TLS\n\nTo enable quantum-secure algorithms in swift-nio-ssl requires minimal configuration changes. While the algorithms are being standardised they are off by default, but once the code points are final we will be enabling them by default.\n\nIn the meantime, if you wish to add support, you can enable ``NIOTLSCurve/x25519_MLKEM768`` with the following change:\n\n```swift\ntlsConfiguration.curves = [.x25519_MLKEM768, .x25519, .secp384r1]\n```\n\nThis configuration offers both a post-quantum hybrid key-establishment mechanism, as well as classical options. This is an appropriate choice for general-purpose use as it can support older clients, but it may not be appropriate for your use-case. If you are aiming to support _only_ post-quantum key exchange, you can do so by setting only PQ or hybrid KEMs:\n\n```swift\ntlsConfiguration.curves = [.x25519_MLKEM768]\n```" }, { "path": "Sources/NIOSSL/Docs.docc/trust-roots-behavior.md", "content": "# Trust Roots and Certificate Validation Behavior\n\nUnderstanding how ``TLSConfiguration/trustRoots`` and ``TLSConfiguration/additionalTrustRoots`` affect certificate validation across different platforms.\n\n## Overview\n\nSwiftNIO SSL provides two properties in ``TLSConfiguration`` for configuring certificate validation: ``TLSConfiguration/trustRoots`` and ``TLSConfiguration/additionalTrustRoots``. The behavior of these properties differs significantly between Apple platforms and other platforms, which can lead to unexpected certificate validation failures.\n\nThis article explains the behavioral matrix and helps you choose the right configuration for your use case.\n\n## Certificate Validation Backends\n\nSwiftNIO SSL uses different certificate validation backends depending on your configuration:\n\n- **SecTrust** (Apple platforms only): The system's native certificate validator, which is stricter and follows Apple's certificate validation policies\n- **BoringSSL**: The embedded certificate validator, which is more permissive and consistent across platforms\n\n## Behavioral Matrix\n\nThe choice of validation backend depends on your ``TLSConfiguration/trustRoots`` and ``TLSConfiguration/additionalTrustRoots`` settings:\n\n| Configuration | Apple Platforms | Other Platforms |\n|---------------|-----------------|-----------------|\n| `trustRoots = .default`, no additional trust roots | SecTrust with default settings | BoringSSL with system PEM files |\n| `trustRoots = nil`, no additional trust roots | SecTrust with default settings | BoringSSL with system PEM files |\n| `trustRoots = .file(_)`, no additional trust roots | BoringSSL with specified file | BoringSSL with specified file |\n| `trustRoots = .certificates(_)`, no additional trust roots | BoringSSL with specified certificates | BoringSSL with specified certificates |\n| `trustRoots = .default`, additional trust roots provided | SecTrust with additional roots via `SecTrustSetAnchorCertificates` | BoringSSL with system PEM files and additional roots |\n| `trustRoots = nil`, additional trust roots provided | SecTrust with additional roots via `SecTrustSetAnchorCertificates` | BoringSSL with system PEM files and additional roots |\n| `trustRoots = .file(_)`, additional trust roots provided | BoringSSL with specified file and additional roots | BoringSSL with specified file and additional roots |\n| `trustRoots = .certificates(_)`, additional trust roots provided | BoringSSL with specified certificates and additional roots | BoringSSL with specified certificates and additional roots |\n\n## Key Behavioral Differences\n\n**SecTrust:**\n- Used when `trustRoots` is `.default` or `nil` on Apple platforms\n- Enforces stricter certificate chain validation rules\n- May reject certificate chains that BoringSSL accepts\n- Behaves the same way that Safari and most other browsers do\n\n**BoringSSL:**\n- Used in all other cases, including on Apple platforms when `trustRoots` is `.file(_)` or `.certificates(_)`\n- More lenient about certificate formatting and extensions\n- Consistent behavior across all platforms\n\n## Debugging Certificate Issues\n\nWhen certificate validation fails, check the system logs for detailed error messages:\n\n```bash\n# macOS/iOS system logs often contain detailed certificate validation errors\nlog show --predicate 'subsystem == \"com.apple.security\"' --last 1m\n```\n\nThe error messages will help you understand whether the issue is with certificate formatting, missing extensions, or chain validation problems.\n\n## Topics\n\n### Related Configuration\n\n- ``TLSConfiguration/trustRoots``\n- ``TLSConfiguration/additionalTrustRoots``\n- ``TLSConfiguration/certificateVerification``\n- ``NIOSSLTrustRoots``\n- ``NIOSSLAdditionalTrustRoots``" }, { "path": "Sources/NIOSSL/IdentityVerification.swift", "content": "//===----------------------------------------------------------------------===//\n//\n// This source file is part of the SwiftNIO open source project\n//\n// Copyright (c) 2017-2021 Apple Inc. and the SwiftNIO project authors\n// Licensed under Apache License v2.0\n//\n// See LICENSE.txt for license information\n// See CONTRIBUTORS.txt for the list of SwiftNIO project authors\n//\n// SPDX-License-Identifier: Apache-2.0\n//\n//===----------------------------------------------------------------------===//\n\nimport CNIOLinux\nimport NIOCore\n\n#if canImport(Darwin)\nimport Darwin.C\n#elseif canImport(Musl)\nimport Musl\n#elseif canImport(Glibc)\nimport Glibc\n#elseif canImport(Android)\nimport Android\n#else\n#error(\"unsupported os\")\n#endif\n\nprivate let asciiIDNAIdentifier: ArraySlice = Array(\"xn--\".utf8)[...]\nprivate let asciiCapitals: ClosedRange = (UInt8(ascii: \"A\")...UInt8(ascii: \"Z\"))\nprivate let asciiLowercase: ClosedRange = (UInt8(ascii: \"a\")...UInt8(ascii: \"z\"))\nprivate let asciiNumbers: ClosedRange = (UInt8(ascii: \"0\")...UInt8(ascii: \"9\"))\nprivate let asciiHyphen: UInt8 = UInt8(ascii: \"-\")\nprivate let asciiPeriod: UInt8 = UInt8(ascii: \".\")\nprivate let asciiAsterisk: UInt8 = UInt8(ascii: \"*\")\n\nextension String {\n /// Calls `fn` with an `Array` pointing to a\n /// non-NULL-terminated sequence of ASCII bytes. If the string this method\n /// is called on contains non-ACSII code points, this method throws.\n ///\n /// This method exists to avoid doing repeated loops over the string buffer.\n /// In a naive implementation we'd loop at least three times: once to lowercase\n /// the string, once to get a buffer pointer to a contiguous buffer, and once\n /// to confirm the string is ASCII. Here we can do that all in one loop.\n fileprivate func withLowercaseASCIIBuffer(_ fn: ([UInt8]) throws -> T) throws -> T {\n let buffer: [UInt8] = try self.utf8.map { codeUnit in\n guard codeUnit.isValidDNSCharacter else {\n throw NIOSSLExtraError.serverHostnameImpossibleToMatch(hostname: self)\n }\n\n // We know we have only ASCII printables, we can safely unconditionally set the 6 bit to 1 to lowercase.\n return codeUnit | (0x20)\n }\n\n return try fn(buffer)\n }\n}\n\nextension Collection {\n /// Splits a collection in two around a given index. This index may be nil, in which case the split\n /// will occur around the end.\n fileprivate func splitAroundIndex(_ index: Index?) -> (SubSequence, SubSequence) {\n guard let index = index else {\n return (self[...], self[self.endIndex...])\n }\n\n let subsequentIndex = self.index(after: index)\n return (self[.. {\n fileprivate func caseInsensitiveElementsEqual(_ other: some Sequence) -> Bool {\n self.elementsEqual(other) { $0.lowercased() == $1.lowercased() }\n }\n}\n\nextension UInt8 {\n /// Whether this character is a valid DNS character, which is the ASCII\n /// letters, digits, the hypen, and the period.\n fileprivate var isValidDNSCharacter: Bool {\n switch self {\n case asciiCapitals, asciiLowercase, asciiNumbers, asciiHyphen, asciiPeriod:\n return true\n default:\n return false\n }\n }\n\n fileprivate func lowercased() -> UInt8 {\n asciiCapitals.contains(self) ? self | 0x20 : self\n }\n}\n\n/// Validates that a given leaf certificate is valid for a service.\n///\n/// This function implements the logic for service validation as specified by\n/// RFC 6125 (https://tools.ietf.org/search/rfc6125), which loosely speaking\n/// defines the common algorithm used for validating that an X.509 certificate\n/// is valid for a given service\n///\n/// The algorithm we're implementing is specified in RFC 6125 Section 6 if you want to\n/// follow along at home.\ninternal func validIdentityForService(\n serverHostname: String?,\n socketAddress: SocketAddress,\n leafCertificate: NIOSSLCertificate\n) throws -> Bool {\n if let serverHostname = serverHostname {\n return try serverHostname.withLowercaseASCIIBuffer {\n try validIdentityForService(\n serverHostname: $0,\n socketAddress: socketAddress,\n leafCertificate: leafCertificate\n )\n }\n } else {\n return try validIdentityForService(\n serverHostname: nil as [UInt8]?,\n socketAddress: socketAddress,\n leafCertificate: leafCertificate\n )\n }\n}\n\nprivate func validIdentityForService(\n serverHostname: [UInt8]?,\n socketAddress: SocketAddress,\n leafCertificate: NIOSSLCertificate\n) throws -> Bool {\n // Before we begin, we want to locate the first period in our own domain name. We need to do\n // this because we may need to match a wildcard label.\n var serverHostnameSlice: ArraySlice? = nil\n var firstPeriodIndex: ArraySlice.Index? = nil\n\n if let serverHostname = serverHostname {\n var tempServerHostnameSlice = serverHostname[...]\n\n // Strip trailing period\n if tempServerHostnameSlice.last == .some(asciiPeriod) {\n tempServerHostnameSlice = tempServerHostnameSlice.dropLast()\n }\n\n firstPeriodIndex = tempServerHostnameSlice.firstIndex(of: asciiPeriod)\n serverHostnameSlice = tempServerHostnameSlice\n }\n\n // We want to begin by checking the subjectAlternativeName fields. If there are any fields\n // in there that we could validate against (either IP or hostname) we will validate against\n // them, and then refuse to check the commonName field. If there are no SAN fields to\n // validate against, we'll check commonName.\n var checkedMatch = false\n for name in leafCertificate._subjectAlternativeNames() {\n checkedMatch = true\n\n switch name.nameType {\n case .dnsName:\n let dnsName = Array(name.contents)\n if matchHostname(ourHostname: serverHostnameSlice, firstPeriodIndex: firstPeriodIndex, dnsName: dnsName) {\n return true\n }\n case .ipAddress:\n if let ip = _SubjectAlternativeName.IPAddress(name),\n matchIpAddress(socketAddress: socketAddress, certificateIP: ip)\n {\n return true\n }\n default:\n continue\n }\n }\n\n guard !checkedMatch else {\n // We had some subject alternative names, but none matched. We failed here.\n return false\n }\n\n // In the absence of any matchable subjectAlternativeNames, we can fall back to checking\n // the common name. This is a deprecated practice, and in a future release we should\n // stop doing this.\n guard let commonName = leafCertificate.commonName() else {\n // No CN, no match.\n return false\n }\n\n // We have a common name. Let's check it against the provided hostname. We never check\n // the common name against the IP address.\n return matchHostname(ourHostname: serverHostnameSlice, firstPeriodIndex: firstPeriodIndex, dnsName: commonName)\n}\n\nprivate func matchHostname(\n ourHostname: ArraySlice?,\n firstPeriodIndex: ArraySlice.Index?,\n dnsName: [UInt8]\n) -> Bool {\n guard let ourHostname = ourHostname else {\n // No server hostname was provided, so we cannot match.\n return false\n }\n\n // Now we validate the cert hostname.\n var dnsName = ArraySlice(dnsName)\n guard let validatedHostname = AnalysedCertificateHostname(baseName: &dnsName) else {\n // This is a hostname we can't match, return false.\n return false\n }\n return validatedHostname.validMatchForName(ourHostname, firstPeriodIndexForName: firstPeriodIndex)\n}\n\nprivate func matchIpAddress(socketAddress: SocketAddress, certificateIP: _SubjectAlternativeName.IPAddress) -> Bool {\n // These match if the two underlying IP address structures match.\n switch (socketAddress, certificateIP) {\n case (.v4(let address), .ipv4(var addr2)):\n var addr1 = address.address.sin_addr\n return memcmp(&addr1, &addr2, MemoryLayout.size) == 0\n case (.v6(let address), .ipv6(var addr2)):\n var addr1 = address.address.sin6_addr\n return memcmp(&addr1, &addr2, MemoryLayout.size) == 0\n default:\n // Different protocol families, no match.\n return false\n }\n}\n\n/// This structure contains a certificate hostname that has been analysed and prepared for matching.\n///\n/// A certificate hostname that is valid for matching meets the following criteria:\n///\n/// 1. Contains only valid DNS characters, plus the ASCII asterisk.\n/// 2. Contains zero or one ASCII asterisks.\n/// 3. Any ASCII asterisk present must be in the first DNS label (i.e. before the first period).\n/// 4. If the first label contains an ASCII asterisk, it must not also be an IDN A label.\n///\n/// Answering these questions potentially relies on multiple searches through the hostname. That's not\n/// ideal: it'd be better to do a single search that both validates the domain name meets the criteria\n/// and that also records information needed to validate that the name matches the one we're searching for.\n/// That's what this structure does.\nprivate struct AnalysedCertificateHostname {\n /// The type we use to store the base name. The other types on this object are chosen relative to that.\n fileprivate typealias BaseNameType = ArraySlice\n\n private var name: NameType\n\n fileprivate init?(baseName: inout BaseNameType) {\n // First, strip a trailing period from this name.\n if baseName.last == .some(asciiPeriod) {\n baseName = baseName.dropLast()\n }\n\n // Ok, start looping.\n var index = baseName.startIndex\n var firstPeriodIndex: BaseNameType.Index? = nil\n var asteriskIndex: BaseNameType.Index? = nil\n\n while index < baseName.endIndex {\n switch baseName[index] {\n case asciiPeriod where firstPeriodIndex == nil:\n // This is the first period we've seen, great. Future\n // periods will be ignored.\n firstPeriodIndex = index\n\n case asciiCapitals, asciiLowercase, asciiNumbers, asciiHyphen, asciiPeriod:\n // Valid character, no notes.\n break\n\n case asciiAsterisk where asteriskIndex == nil && firstPeriodIndex == nil:\n // Found an asterisk, it's the first one, and it precedes any periods.\n asteriskIndex = index\n\n case asciiAsterisk:\n // An extra asterisk, or an asterisk after a period, is unacceptable.\n return nil\n\n default:\n // Unacceptable character in the name.\n return nil\n }\n\n baseName.formIndex(after: &index)\n }\n\n // Now we can finally initialize ourself.\n if let asteriskIndex = asteriskIndex {\n // One final check: if we found a wildcard, we need to confirm that the first label isn't an IDNA A label.\n if baseName.prefix(4).caseInsensitiveElementsEqual(asciiIDNAIdentifier) {\n return nil\n }\n\n self.name = .wildcard(baseName, asteriskIndex: asteriskIndex, firstPeriodIndex: firstPeriodIndex)\n } else {\n self.name = .singleName(baseName)\n }\n }\n\n /// Whether this parsed name is a valid match for the one passed in.\n fileprivate func validMatchForName(_ target: BaseNameType, firstPeriodIndexForName: BaseNameType.Index?) -> Bool {\n switch self.name {\n case .singleName(let baseName):\n // For non-wildcard names, we just do a straightforward string comparison.\n return baseName.caseInsensitiveElementsEqual(target)\n\n case .wildcard(let baseName, let asteriskIndex, let firstPeriodIndex):\n // The wildcard can appear more-or-less anywhere in the first label. The wildcard\n // character itself can match any number of characters, though it must match at least\n // one.\n // The algorithm for this is simple: first, we split the two names on their first period to get their\n // first label and their subsequent components. Second, we check that the subcomponents match a straightforward\n // bytewise comparison: if that fails, we can avoid the expensive wildcard checking operation.\n // Third, we split the wildcard label on the wildcard character, and and confirm that\n // the characters *before* the wildcard are the prefix of the target first label, and that the\n // characters *after* the wildcard are the suffix of the target first label. This works well because\n // the empty string is a prefix and suffix of all strings.\n let (wildcardLabel, remainingComponents) = baseName.splitAroundIndex(firstPeriodIndex)\n let (targetFirstLabel, targetRemainingComponents) = target.splitAroundIndex(firstPeriodIndexForName)\n\n guard remainingComponents.caseInsensitiveElementsEqual(targetRemainingComponents) else {\n // Wildcard is irrelevant, the remaining components don't match.\n return false\n }\n\n guard targetFirstLabel.count >= wildcardLabel.count else {\n // The target label cannot possibly match the wildcard.\n return false\n }\n\n let (wildcardLabelPrefix, wildcardLabelSuffix) = wildcardLabel.splitAroundIndex(asteriskIndex)\n let targetBeforeWildcard = targetFirstLabel.prefix(wildcardLabelPrefix.count)\n let targetAfterWildcard = targetFirstLabel.suffix(wildcardLabelSuffix.count)\n\n let leadingBytesMatch = targetBeforeWildcard.caseInsensitiveElementsEqual(wildcardLabelPrefix)\n let trailingBytesMatch = targetAfterWildcard.caseInsensitiveElementsEqual(wildcardLabelSuffix)\n\n return leadingBytesMatch && trailingBytesMatch\n }\n }\n}\n\nextension AnalysedCertificateHostname {\n private enum NameType {\n case wildcard(BaseNameType, asteriskIndex: BaseNameType.Index, firstPeriodIndex: BaseNameType.Index?)\n case singleName(BaseNameType)\n }\n}\n" }, { "path": "Sources/NIOSSL/LinuxCABundle.swift", "content": "//===----------------------------------------------------------------------===//\n//\n// This source file is part of the SwiftNIO open source project\n//\n// Copyright (c) 2019-2021 Apple Inc. and the SwiftNIO project authors\n// Licensed under Apache License v2.0\n//\n// See LICENSE.txt for license information\n// See CONTRIBUTORS.txt for the list of SwiftNIO project authors\n//\n// SPDX-License-Identifier: Apache-2.0\n//\n//===----------------------------------------------------------------------===//\n\n#if os(Linux) || os(FreeBSD)\n/// The path to the root CA bundle file.\n///\n/// May be nil if we could not find the root CA bundle file.\ninternal let rootCAFilePath: String? = locateRootCAFile()\n\n/// The path to the root CA bundle directory.\n///\n/// May be nil if we could not find the root CA bundle directory.\ninternal let rootCADirectoryPath: String? = locateRootCADirectory()\n\n/// This is a list of root CA file search paths. This list contains paths as validated against several distributions.\n/// If you are attempting to use SwiftNIO SSL on a platform that is not covered here and certificate validation is\n/// failing, please open a pull request that adds the appropriate search path.\nprivate let rootCAFileSearchPaths = [\n \"/etc/ssl/certs/ca-certificates.crt\", // Ubuntu, Debian, Arch, Alpine,\n \"/etc/pki/tls/certs/ca-bundle.crt\", // Fedora\n]\n\n/// This is a list of root CA directory search paths.\n///\n/// This list contains paths as validated against several distributions. If you are aware of a CA bundle on a specific distribution\n/// that is not present here, please open a pull request that adds the appropriate search path.\n/// Some distributions do not ship CA directories: as such, it is not a problem if a distribution that is present in rootCAFileSearchPaths\n/// is not present in this list.\nprivate let rootCADirectorySearchPaths = [\n \"/etc/ssl/certs\" // Ubuntu, Debian, Arch, Alpine\n]\n\nprivate func locateRootCAFile() -> String? {\n // We need to find the root CA file. We have a list of search paths: let's use them.\n rootCAFileSearchPaths.first(where: { FileSystemObject.pathType(path: $0) == .file })\n}\n\nprivate func locateRootCADirectory() -> String? {\n rootCADirectorySearchPaths.first(where: { FileSystemObject.pathType(path: $0) == .directory })\n}\n#endif\n" }, { "path": "Sources/NIOSSL/NIOSSLClientHandler.swift", "content": "//===----------------------------------------------------------------------===//\n//\n// This source file is part of the SwiftNIO open source project\n//\n// Copyright (c) 2017-2021 Apple Inc. and the SwiftNIO project authors\n// Licensed under Apache License v2.0\n//\n// See LICENSE.txt for license information\n// See CONTRIBUTORS.txt for the list of SwiftNIO project authors\n//\n// SPDX-License-Identifier: Apache-2.0\n//\n//===----------------------------------------------------------------------===//\n\nimport NIOCore\n\n#if canImport(Darwin)\nimport Darwin.C\n#elseif canImport(Musl)\nimport Musl\n#elseif canImport(Glibc)\nimport Glibc\n#elseif canImport(Android)\nimport Android\n#else\n#error(\"unsupported os\")\n#endif\n\nextension String {\n private func isIPAddress() -> Bool {\n // We need some scratch space to let inet_pton write into.\n var ipv4Addr = in_addr()\n var ipv6Addr = in6_addr()\n\n return self.withCString { ptr in\n inet_pton(AF_INET, ptr, &ipv4Addr) == 1 || inet_pton(AF_INET6, ptr, &ipv6Addr) == 1\n }\n }\n\n func validateSNIServerName() throws {\n guard !self.isIPAddress() else {\n throw NIOSSLExtraError.cannotUseIPAddressInSNI(ipAddress: self)\n }\n\n // no 0 bytes\n guard !self.utf8.contains(0) else {\n throw NIOSSLExtraError.invalidSNIHostname\n }\n\n guard (1...255).contains(self.utf8.count) else {\n throw NIOSSLExtraError.invalidSNIHostname\n }\n }\n}\n\n/// A channel handler that wraps a channel in TLS using NIOSSL.\n/// This handler can be used in channels that are acting as the client\n/// in the TLS dialog. For server connections, use the ``NIOSSLServerHandler``.\npublic final class NIOSSLClientHandler: NIOSSLHandler {\n /// Construct a new ``NIOSSLClientHandler`` with the given `context` and a specific `serverHostname`.\n ///\n /// - parameters:\n /// - context: The ``NIOSSLContext`` to use on this connection.\n /// - serverHostname: The hostname of the server we're trying to connect to, if known. This will be used in the SNI extension,\n /// and used to validate the server certificate.\n public convenience init(context: NIOSSLContext, serverHostname: String?) throws {\n try self.init(\n context: context,\n serverHostname: serverHostname,\n optionalCustomVerificationCallbackManager: nil,\n optionalAdditionalPeerCertificateVerificationCallback: nil\n )\n }\n\n @available(*, deprecated, renamed: \"init(context:serverHostname:customVerificationCallback:)\")\n public init(\n context: NIOSSLContext,\n serverHostname: String?,\n verificationCallback: NIOSSLVerificationCallback? = nil\n ) throws {\n guard let connection = context.createConnection() else {\n fatalError(\"Failed to create new connection in NIOSSLContext\")\n }\n\n connection.setConnectState()\n if let serverHostname = serverHostname {\n try serverHostname.validateSNIServerName()\n\n // IP addresses must not be provided in the SNI extension, so filter them.\n do {\n try connection.setServerName(name: serverHostname)\n } catch {\n preconditionFailure(\n \"Bug in NIOSSL (please report): \\(Array(serverHostname.utf8)) passed NIOSSL's hostname test but failed in BoringSSL.\"\n )\n }\n }\n\n if let verificationCallback = verificationCallback {\n connection.setVerificationCallback(verificationCallback)\n }\n\n super.init(\n connection: connection,\n shutdownTimeout: context.configuration.shutdownTimeout,\n additionalPeerCertificateVerificationCallback: nil,\n maxWriteSize: NIOSSLHandler.defaultMaxWriteSize,\n configuration: Configuration()\n )\n }\n\n /// Construct a new ``NIOSSLClientHandler`` with the given `context` and a specific `serverHostname`.\n ///\n /// - parameters:\n /// - context: The ``NIOSSLContext`` to use on this connection.\n /// - serverHostname: The hostname of the server we're trying to connect to, if known. This will be used in the SNI extension,\n /// and used to validate the server certificate.\n /// - customVerificationCallback: A callback to use that will override NIOSSL's normal verification logic.\n ///\n /// If set, this callback is provided the certificates presented by the peer. NIOSSL will not have pre-processed them. The callback will not be used if the\n /// ``TLSConfiguration`` that was used to construct the ``NIOSSLContext`` has ``TLSConfiguration/certificateVerification`` set to ``CertificateVerification/none``.\n ///\n /// - Note: Use ``init(context:serverHostname:customVerificationCallbackWithMetadata:)`` to provide a custom\n /// verification callback where the peer's *validated* certificate chain can be returned. This data can then be\n /// accessed from the handler.\n public convenience init(\n context: NIOSSLContext,\n serverHostname: String?,\n customVerificationCallback: @escaping NIOSSLCustomVerificationCallback\n ) throws {\n try self.init(\n context: context,\n serverHostname: serverHostname,\n optionalCustomVerificationCallbackManager: CustomVerifyManager(callback: customVerificationCallback),\n optionalAdditionalPeerCertificateVerificationCallback: nil\n )\n }\n\n /// Construct a new ``NIOSSLClientHandler`` with the given `context` and a specific `serverHostname`.\n ///\n /// - parameters:\n /// - context: The ``NIOSSLContext`` to use on this connection.\n /// - serverHostname: The hostname of the server we're trying to connect to, if known. This will be used in the SNI extension,\n /// and used to validate the server certificate.\n /// - customVerificationCallbackWithMetadata: A callback to use that will override NIOSSL's normal verification\n /// logic. If validation is successful, the peer's validated certificate chain can be returned, and later\n /// accessed via ``NIOSSLHandler/peerValidatedCertificateChain``. The callback will not be used if the\n /// ``TLSConfiguration`` that was used to construct the ``NIOSSLContext`` has\n /// ``TLSConfiguration/certificateVerification`` set to ``CertificateVerification/none``.\n ///\n /// - This callback is provided the certificates presented by the peer. NIOSSL will not have pre-processed\n /// them. Therefore, a validated chain must be derived *within* this callback (potentially involving fetching\n /// additional intermediate certificates). The *validated* certificate chain returned in the promise result\n /// **must** be a verified path to a trusted root. Importantly, the certificates presented by the peer should\n /// not be assumed to be valid.\n public convenience init(\n context: NIOSSLContext,\n serverHostname: String?,\n customVerificationCallbackWithMetadata: @escaping NIOSSLCustomVerificationCallbackWithMetadata\n ) throws {\n try self.init(\n context: context,\n serverHostname: serverHostname,\n optionalCustomVerificationCallbackManager: CustomVerifyManager(\n callback: customVerificationCallbackWithMetadata\n ),\n optionalAdditionalPeerCertificateVerificationCallback: nil\n )\n }\n\n /// Construct a new ``NIOSSLClientHandler`` with the given `context` and a specific `serverHostname`.\n ///\n /// - parameters:\n /// - context: The ``NIOSSLContext`` to use on this connection.\n /// - serverHostname: The hostname of the server we're trying to connect to, if known. This will be used in the SNI extension,\n /// and used to validate the server certificate.\n /// - customVerificationCallback: A callback to use that will override NIOSSL's normal verification logic.\n ///\n /// If set, this callback is provided the certificates presented by the peer. NIOSSL will not have pre-processed them. The callback will not be used if the\n /// ``TLSConfiguration`` that was used to construct the ``NIOSSLContext`` has ``TLSConfiguration/certificateVerification`` set to ``CertificateVerification/none``.\n /// - configuration: Configuration for this handler.\n ///\n /// - Note: Use ``init(context:serverHostname:configuration:customVerificationCallbackWithMetadata:)`` to provide a\n /// custom verification callback where the peer's *validated* certificate chain can be returned. This data can\n /// then be accessed from the handler.\n public convenience init(\n context: NIOSSLContext,\n serverHostname: String?,\n customVerificationCallback: NIOSSLCustomVerificationCallback? = nil,\n configuration: Configuration\n ) throws {\n try self.init(\n context: context,\n serverHostname: serverHostname,\n optionalCustomVerificationCallbackManager: customVerificationCallback.map(CustomVerifyManager.init),\n optionalAdditionalPeerCertificateVerificationCallback: nil,\n configuration: configuration\n )\n }\n\n /// Construct a new ``NIOSSLClientHandler`` with the given `context` and a specific `serverHostname`.\n ///\n /// - parameters:\n /// - context: The ``NIOSSLContext`` to use on this connection.\n /// - serverHostname: The hostname of the server we're trying to connect to, if known. This will be used in the SNI extension,\n /// and used to validate the server certificate.\n /// - configuration: Configuration for this handler.\n /// - customVerificationCallbackWithMetadata: A callback to use that will override NIOSSL's normal verification\n /// logic. If validation is successful, the peer's validated certificate chain can be returned, and later\n /// accessed via ``NIOSSLHandler/peerValidatedCertificateChain``. The callback will not be used if the\n /// ``TLSConfiguration`` that was used to construct the ``NIOSSLContext`` has\n /// ``TLSConfiguration/certificateVerification`` set to ``CertificateVerification/none``.\n ///\n /// - This callback is provided the certificates presented by the peer. NIOSSL will not have pre-processed\n /// them. Therefore, a validated chain must be derived *within* this callback (potentially involving fetching\n /// additional intermediate certificates). The *validated* certificate chain returned in the promise result\n /// **must** be a verified path to a trusted root. Importantly, the certificates presented by the peer should\n /// not be assumed to be valid.\n public convenience init(\n context: NIOSSLContext,\n serverHostname: String?,\n configuration: Configuration,\n customVerificationCallbackWithMetadata: @escaping NIOSSLCustomVerificationCallbackWithMetadata\n ) throws {\n try self.init(\n context: context,\n serverHostname: serverHostname,\n optionalCustomVerificationCallbackManager: CustomVerifyManager(\n callback: customVerificationCallbackWithMetadata\n ),\n optionalAdditionalPeerCertificateVerificationCallback: nil,\n configuration: configuration\n )\n }\n\n /// - warning: This API is not guaranteed to be stable and is likely to be changed without further notice, hence the underscore prefix.\n public static func _makeSSLClientHandler(\n context: NIOSSLContext,\n serverHostname: String?,\n additionalPeerCertificateVerificationCallback: @escaping _NIOAdditionalPeerCertificateVerificationCallback\n ) throws -> Self {\n try .init(\n context: context,\n serverHostname: serverHostname,\n optionalCustomVerificationCallbackManager: nil,\n optionalAdditionalPeerCertificateVerificationCallback: additionalPeerCertificateVerificationCallback\n )\n }\n\n // This exists to handle the explosion of initializers we got when I tried to deprecate the first one. At least they all pass through one path now.\n internal init(\n context: NIOSSLContext,\n serverHostname: String?,\n optionalCustomVerificationCallbackManager: CustomVerifyManager?,\n optionalAdditionalPeerCertificateVerificationCallback: _NIOAdditionalPeerCertificateVerificationCallback?,\n maxWriteSize: Int = defaultMaxWriteSize,\n configuration: Configuration = .init()\n ) throws {\n guard let connection = context.createConnection() else {\n fatalError(\"Failed to create new connection in NIOSSLContext\")\n }\n\n connection.setConnectState()\n if let serverHostname = serverHostname {\n try serverHostname.validateSNIServerName()\n\n // IP addresses must not be provided in the SNI extension, so filter them.\n do {\n try connection.setServerName(name: serverHostname)\n } catch {\n preconditionFailure(\n \"Bug in NIOSSL (please report): \\(Array(serverHostname.utf8)) passed NIOSSL's hostname test but failed in BoringSSL.\"\n )\n }\n }\n\n if let verificationCallbackManager = optionalCustomVerificationCallbackManager {\n connection.setCustomVerificationCallback(verificationCallbackManager)\n }\n\n super.init(\n connection: connection,\n shutdownTimeout: context.configuration.shutdownTimeout,\n additionalPeerCertificateVerificationCallback: optionalAdditionalPeerCertificateVerificationCallback,\n maxWriteSize: maxWriteSize,\n configuration: configuration\n )\n }\n}\n\n// This conformance is technically redundant - Swift 6.2 compiler finally caught this\n#if compiler(<6.2)\n@available(*, unavailable)\nextension NIOSSLClientHandler: Sendable {}\n#endif\n" }, { "path": "Sources/NIOSSL/NIOSSLHandler+Configuration.swift", "content": "//===----------------------------------------------------------------------===//\n//\n// This source file is part of the SwiftNIO open source project\n//\n// Copyright (c) 2023 Apple Inc. and the SwiftNIO project authors\n// Licensed under Apache License v2.0\n//\n// See LICENSE.txt for license information\n// See CONTRIBUTORS.txt for the list of SwiftNIO project authors\n//\n// SPDX-License-Identifier: Apache-2.0\n//\n//===----------------------------------------------------------------------===//\nextension NIOSSLHandler {\n /// Configuration for a specific instance of ``NIOSSLHandler``, either client or server.\n ///\n /// This type is distinct from ``TLSConfiguration`` because it does not contain settings that\n /// apply to TLS itself. Instead, this configuration manages how the ``NIOSSLHandler`` itself\n /// operates.\n public struct Configuration: Hashable, Sendable {\n /// The maximum number of bytes we'll preserve in the outbound buffer that ``NIOSSLHandler``\n /// holds.\n ///\n /// This buffer is not typically deallocated, as it is re-used throughout the lifetime of\n /// the program. In cases where there are extremely large peak writes that are outliers in\n /// the code, the buffer may remain excessively large.\n ///\n /// Set this value to a lower value to avoid preserving too much memory. This will cause\n /// ``NIOSSLHandler`` to reallocate memory more often, which can inhibit performance, so\n /// avoid lowering this value unless you're running into trouble with memory pressure and\n /// are confident that ``NIOSSLHandler`` is at fault.\n public var maximumPreservedOutboundBufferCapacity: Int\n\n public init() {\n self.maximumPreservedOutboundBufferCapacity = .max\n }\n }\n}\n" }, { "path": "Sources/NIOSSL/NIOSSLHandler.swift", "content": "//===----------------------------------------------------------------------===//\n//\n// This source file is part of the SwiftNIO open source project\n//\n// Copyright (c) 2017-2021 Apple Inc. and the SwiftNIO project authors\n// Licensed under Apache License v2.0\n//\n// See LICENSE.txt for license information\n// See CONTRIBUTORS.txt for the list of SwiftNIO project authors\n//\n// SPDX-License-Identifier: Apache-2.0\n//\n//===----------------------------------------------------------------------===//\n\n@_implementationOnly import CNIOBoringSSL\nimport NIOCore\nimport NIOTLS\n\n/// The base class for all NIOSSL handlers.\n///\n/// This class cannot actually be instantiated by users directly: instead, users must select\n/// which mode they would like their handler to operate in, client or server.\n///\n/// This class exists to deal with the reality that for almost the entirety of the lifetime\n/// of a TLS connection there is no meaningful distinction between a server and a client.\n/// For this reason almost the entirety of the implementation for the channel and server\n/// handlers in NIOSSL is shared, in the form of this parent class.\npublic class NIOSSLHandler: ChannelInboundHandler, ChannelOutboundHandler, RemovableChannelHandler {\n /// The default maximum write size. We cannot pass writes larger than this size to\n /// BoringSSL.\n ///\n /// We have this default here instead of hardcoded into the software for testing purposes.\n internal static let defaultMaxWriteSize = Int(CInt.max)\n\n public typealias OutboundIn = ByteBuffer\n public typealias OutboundOut = ByteBuffer\n public typealias InboundIn = ByteBuffer\n public typealias InboundOut = ByteBuffer\n\n private enum ConnectionState {\n case idle\n case handshaking\n case additionalVerification\n case active\n case unwrapping(Scheduled)\n case closing(Scheduled)\n case unwrapped\n case inputClosed\n case outputClosed\n case closed\n }\n\n private var state: ConnectionState = .idle\n private var connection: SSLConnection\n private var plaintextReadBuffer: ByteBuffer?\n private var bufferedActions: MarkedCircularBuffer\n private var closeOutputPromise: EventLoopPromise?\n private var closePromise: EventLoopPromise?\n private var shutdownPromise: EventLoopPromise?\n private var didDeliverData: Bool = false\n private var storedContext: ChannelHandlerContext? = nil\n private var shutdownTimeout: TimeAmount\n private let additionalPeerCertificateVerificationCallback: _NIOAdditionalPeerCertificateVerificationCallback?\n private let maxWriteSize: Int\n private var configuration: Configuration\n\n internal var channel: Channel? {\n self.storedContext?.channel\n }\n\n internal init(\n connection: SSLConnection,\n shutdownTimeout: TimeAmount,\n additionalPeerCertificateVerificationCallback: _NIOAdditionalPeerCertificateVerificationCallback?,\n maxWriteSize: Int,\n configuration: Configuration\n ) {\n let tlsConfiguration = connection.parentContext.configuration\n precondition(\n additionalPeerCertificateVerificationCallback == nil || tlsConfiguration.certificateVerification != .none,\n \"TLSConfiguration.certificateVerification must be either set to .optionalVerification, .noHostnameVerification, or .fullVerification if additionalPeerCertificateVerificationCallback is specified\"\n )\n self.connection = connection\n // 96 brings the total size of the buffer to just shy of one page\n self.bufferedActions = MarkedCircularBuffer(initialCapacity: 96)\n self.shutdownTimeout = shutdownTimeout\n self.additionalPeerCertificateVerificationCallback = additionalPeerCertificateVerificationCallback\n self.maxWriteSize = maxWriteSize\n self.configuration = configuration\n }\n\n public func handlerAdded(context: ChannelHandlerContext) {\n self.storedContext = context\n self.connection.setAllocator(context.channel.allocator, maximumPreservedOutboundBufferCapacity: .max)\n self.connection.parentHandler = self\n self.connection.eventLoop = context.eventLoop\n\n self.plaintextReadBuffer = context.channel.allocator.buffer(capacity: SSL_MAX_RECORD_SIZE)\n // If this channel is already active, immediately begin handshaking.\n if context.channel.isActive {\n doHandshakeStep(context: context)\n }\n }\n\n public func handlerRemoved(context: ChannelHandlerContext) {\n /// Get the connection to drop any state it might have. This state can cause reference cycles,\n /// so we need to break those when we know it's safe to do so. This is a good safe point, as no\n /// further I/O can possibly occur.\n self.connection.close()\n\n // We now want to drop the stored context.\n self.storedContext = nil\n }\n\n public func channelActive(context: ChannelHandlerContext) {\n // We fire this a bit early, entirely on purpose. This is because\n // in doHandshakeStep we may end up closing the channel again, and\n // if we do we want to make sure that the channelInactive message received\n // by later channel handlers makes sense.\n context.fireChannelActive()\n doHandshakeStep(context: context)\n }\n\n public func channelInactive(context: ChannelHandlerContext) {\n // This fires when the TCP connection goes away. Whatever happens, we end up in the closed\n // state here. This function calls out to a lot of user code, so we need to make sure we're\n // keeping track of the state we're in properly before we do anything else.\n let oldState = state\n state = .closed\n let channelError: NIOSSLError\n\n switch oldState {\n case .closed, .idle:\n // Nothing to do, but discard any buffered actions we still have.\n discardBufferedActions(reason: ChannelError.ioOnClosedChannel)\n // Return early\n context.fireChannelInactive()\n return\n case .handshaking:\n // In this case the channel is going through the doHandshake steps and\n // a channelInactive is fired taking down the connection.\n // This case propogates a .handshakeFailed instead of an .uncleanShutdown.\n // We use a synthetic error here as the error stack will be empty, and we should try to\n // provide some diagnostic help.\n channelError = NIOSSLError.handshakeFailed(.sslError([.eofDuringHandshake]))\n case .additionalVerification:\n // In this case the channel is going through the doHandshake steps and\n // a channelInactive is fired taking down the connection.\n // This case propogates a .handshakeFailed instead of an .uncleanShutdown.\n // We use a synthetic error here as the error stack will be empty, and we should try to\n // provide some diagnostic help.\n channelError = NIOSSLError.handshakeFailed(.sslError([.eofDuringAdditionalCertficiateChainValidation]))\n default:\n // This is a ragged EOF: we weren't sent a CLOSE_NOTIFY. We want to send a user\n // event to notify about this before we propagate channelInactive. We also want to fail all\n // these writes.\n channelError = NIOSSLError.uncleanShutdown\n }\n let shutdownPromise = self.shutdownPromise\n self.shutdownPromise = nil\n let closePromise = self.closePromise\n self.closePromise = nil\n\n shutdownPromise?.fail(channelError)\n closePromise?.fail(channelError)\n context.fireErrorCaught(channelError)\n discardBufferedActions(reason: channelError)\n\n context.fireChannelInactive()\n }\n\n public func channelRead(context: ChannelHandlerContext, data: NIOAny) {\n let binaryData = unwrapInboundIn(data)\n\n // The logic: feed the buffers, then take an action based on state.\n connection.consumeDataFromNetwork(binaryData)\n\n switch state {\n case .handshaking:\n doHandshakeStep(context: context)\n case .active, .outputClosed:\n doDecodeData(context: context)\n doUnbufferActions(context: context)\n case .closing:\n // Handle both natural close events and close events where data is still in\n // flight. Sending through doDecodeData will handle both conditions.\n doDecodeData(context: context)\n case .unwrapping:\n self.doShutdownStep(context: context)\n default:\n context.fireErrorCaught(NIOSSLError.readInInvalidTLSState)\n channelClose(context: context, reason: NIOSSLError.readInInvalidTLSState)\n }\n }\n\n public func channelReadComplete(context: ChannelHandlerContext) {\n guard let receiveBuffer = self.plaintextReadBuffer else {\n preconditionFailure(\"channelReadComplete called before handlerAdded\")\n }\n\n self.doFlushReadData(context: context, receiveBuffer: receiveBuffer, readOnEmptyBuffer: true)\n self.writeDataToNetwork(context: context, promise: nil)\n }\n\n public func userInboundEventTriggered(context: ChannelHandlerContext, event: Any) {\n switch event {\n case ChannelEvent.inputClosed:\n userInboundInputClosedTriggered(context: context)\n default:\n context.fireUserInboundEventTriggered(event)\n }\n }\n\n private func userInboundInputClosedTriggered(context: ChannelHandlerContext) {\n let channelError: NIOSSLError\n switch self.state {\n case .inputClosed:\n return\n case .closed, .idle:\n context.fireUserInboundEventTriggered(ChannelEvent.inputClosed)\n return\n case .handshaking:\n // In this case the channel is going through the doHandshake steps and\n // a channelInactive is fired taking down the connection.\n // This case propogates a .handshakeFailed instead of an .uncleanShutdown.\n // We use a synthetic error here as the error stack will be empty, and we should try to\n // provide some diagnostic help.\n channelError = NIOSSLError.handshakeFailed(.sslError([.eofDuringHandshake]))\n case .additionalVerification:\n // In this case the channel is going through the doHandshake steps and\n // a channelInactive is fired taking down the connection.\n // This case propogates a .handshakeFailed instead of an .uncleanShutdown.\n // We use a synthetic error here as the error stack will be empty, and we should try to\n // provide some diagnostic help.\n channelError = NIOSSLError.handshakeFailed(.sslError([.eofDuringAdditionalCertficiateChainValidation]))\n default:\n // This is a ragged EOF: we weren't sent a CLOSE_NOTIFY. We want to send a user\n // event to notify about this before we propagate channelInactive. We also want to fail all\n // these writes.\n channelError = NIOSSLError.uncleanShutdown\n }\n context.fireErrorCaught(channelError)\n context.fireUserInboundEventTriggered(ChannelEvent.inputClosed)\n }\n\n public func write(context: ChannelHandlerContext, data: NIOAny, promise: EventLoopPromise?) {\n bufferWrite(data: unwrapOutboundIn(data), promise: promise)\n }\n\n public func flush(context: ChannelHandlerContext) {\n switch self.state {\n case .idle, .handshaking, .additionalVerification:\n // we should not flush immediately as we have not completed the handshake and instead buffer the flush\n self.bufferFlush()\n case .active, .unwrapping, .closing, .unwrapped, .inputClosed, .outputClosed, .closed:\n self.bufferFlush()\n self.doUnbufferActions(context: context)\n }\n }\n\n public func close(context: ChannelHandlerContext, mode: CloseMode, promise: EventLoopPromise?) {\n switch mode {\n case .output:\n self.closeOutput(context: context, promise: promise)\n case .all:\n self.closeAll(context: context, promise: promise)\n case .input:\n promise?.fail(ChannelError.operationUnsupported)\n }\n }\n\n private func closeOutput(context: ChannelHandlerContext, promise: EventLoopPromise?) {\n switch state {\n case .closing:\n // We're in the process of TLS shutdown, which has a higher priority.\n // Therefore we skip the output closing procedure and cascade the result\n // of the TLS shutdown request to this new one.\n if let promise = promise, let closePromise = self.closePromise {\n closePromise.futureResult.cascade(to: promise)\n } else if let promise = promise {\n self.closePromise = promise\n }\n case .idle, .outputClosed, .closed, .unwrapping, .unwrapped:\n // For idle, outputClosed, closed, unwrapping, and unwrapped connections we immediately pass this on to the next\n // channel handler.\n context.close(mode: .output, promise: promise)\n case .handshaking, .additionalVerification:\n // We are still in the process of handshaking / doing additional verification.\n // This means our outstanding writes will not get flushed until we have reached the active state.\n // Therefore we buffer the .closeOuput action and wait for it to be executed after all our\n // outstanding writes have been flushed in the active state.\n self.bufferedActions.append(.closeOutput)\n self.flush(context: context)\n self.closeOutputPromise = promise\n case .inputClosed:\n // Input is already closed and we want to close our output.\n // This escalates to a full closure.\n self.close(context: context, mode: .all, promise: promise)\n case .active:\n // We need to begin processing closeOutput now.\n // We can't fire the promise for a while though.\n self.state = .outputClosed\n self.closeOutputPromise = promise\n self.flush(context: context)\n self.doShutdownStep(context: context)\n }\n }\n\n private func closeAll(context: ChannelHandlerContext, promise: EventLoopPromise?) {\n switch state {\n case .closing:\n // We're in the process of TLS shutdown, so let's let that happen. However,\n // we want to cascade the result of the first request into this new one.\n if let promise = promise, let closePromise = self.closePromise {\n closePromise.futureResult.cascade(to: promise)\n } else if let promise = promise {\n self.closePromise = promise\n }\n case .unwrapping(let scheduledShutdown):\n // We've been asked to close the connection, but we were currently unwrapping.\n // We don't have to send any CLOSE_NOTIFY, but we now need to upgrade ourselves:\n // closing is a more extreme activity than unwrapping.\n self.state = .closing(scheduledShutdown)\n if let promise = promise, let closePromise = self.closePromise {\n closePromise.futureResult.cascade(to: promise)\n } else if let promise = promise {\n self.closePromise = promise\n }\n case .idle:\n state = .closed\n fallthrough\n case .closed, .unwrapped:\n // For idle, closed, and unwrapped connections we immediately pass this on to the next\n // channel handler.\n context.close(promise: promise)\n case .active, .inputClosed, .outputClosed, .handshaking, .additionalVerification:\n // We need to begin processing shutdown now. We can't fire the promise for a\n // while though.\n self.state = .closing(self.scheduleTimedOutShutdown(context: context))\n closePromise = promise\n doShutdownStep(context: context)\n }\n }\n\n /// Attempt to perform another stage of the TLS handshake.\n ///\n /// A TLS connection has a multi-step handshake that requires at least two messages sent by each\n /// peer. As a result, a handshake will never complete in a single call to BoringSSL. This method\n /// will call `doHandshake`, and will then attempt to write whatever data this generated to the\n /// network. If we are waiting on data from the remote peer, this method will do nothing.\n ///\n /// This method must not be called once the connection is established.\n private func doHandshakeStep(context: ChannelHandlerContext) {\n switch self.state {\n case .unwrapped, .inputClosed, .outputClosed, .closed:\n // We shouldn't be handshaking in any of these state.\n return\n case .idle, .handshaking, .additionalVerification, .active, .closing, .unwrapping:\n ()\n }\n\n let result = self.connection.doHandshake()\n\n switch result {\n case .incomplete:\n state = .handshaking\n writeDataToNetwork(context: context, promise: nil)\n case .complete:\n do {\n try validateHostname(context: context)\n } catch {\n // This counts as a failure.\n context.fireErrorCaught(error)\n channelClose(context: context, reason: error)\n return\n }\n\n if let additionalPeerCertificateVerificationCallback = self.additionalPeerCertificateVerificationCallback {\n state = .additionalVerification\n guard let peerCertificate = connection.getPeerCertificate() else {\n preconditionFailure(\n \"\"\"\n Couldn't get peer certificate after chain verification was successful.\n This should be impossible as we have a precondition during creation of this handler that requires certificate verification.\n Please file an issue.\n \"\"\"\n )\n }\n additionalPeerCertificateVerificationCallback(peerCertificate, context.channel)\n .hop(to: context.eventLoop)\n .assumeIsolated()\n .whenComplete { result in\n self.completedAdditionalPeerCertificateVerification(result: result)\n }\n return\n }\n\n state = .active\n completeHandshake(context: context)\n case .failed(let err):\n writeDataToNetwork(context: context, promise: nil)\n\n // If there's a failed private key operation, we fire both errors.\n if case .failure(let privateKeyError) = self.connection.customPrivateKeyResult {\n context.fireErrorCaught(privateKeyError)\n }\n\n // If there's a failed custom context operation, we fire both errors.\n if let customContextError = self.connection.customContextManager?.loadContextError {\n context.fireErrorCaught(customContextError)\n }\n\n context.fireErrorCaught(NIOSSLError.handshakeFailed(err))\n channelClose(context: context, reason: NIOSSLError.handshakeFailed(err))\n }\n }\n\n private func completeHandshake(context: ChannelHandlerContext) {\n writeDataToNetwork(context: context, promise: nil)\n\n // TODO(cory): This event should probably fire out of the BoringSSL info callback.\n let negotiatedProtocol = connection.getAlpnProtocol()\n context.fireUserInboundEventTriggered(TLSUserEvent.handshakeCompleted(negotiatedProtocol: negotiatedProtocol))\n\n // We need to unbuffer any pending writes and reads. We will have pending writes if the user attempted to\n // write before we completed the handshake. We may also have pending reads if the user sent data immediately\n // after their FINISHED record. We decode the reads first, as those reads may trigger writes.\n self.doDecodeData(context: context)\n if let receiveBuffer = self.plaintextReadBuffer {\n self.doFlushReadData(context: context, receiveBuffer: receiveBuffer, readOnEmptyBuffer: false)\n }\n self.doUnbufferActions(context: context)\n }\n\n private func completedAdditionalPeerCertificateVerification(result: Result) {\n guard let context = self.storedContext else {\n // `self` may already be removed from the channel pipeline\n return\n }\n context.eventLoop.preconditionInEventLoop()\n\n switch self.state {\n case .idle, .handshaking, .active, .inputClosed, .outputClosed:\n preconditionFailure(\"invalid state \\(self.state)\")\n case .additionalVerification:\n switch result {\n case .failure(let error):\n // This counts as a failure.\n context.fireErrorCaught(error)\n channelClose(context: context, reason: error)\n case .success:\n state = .active\n completeHandshake(context: context)\n }\n case .unwrapping, .closing, .unwrapped, .closed:\n break\n // we are already about to close, we can safely ignore this event\n }\n }\n\n /// Attempt to perform a stage of orderly TLS shutdown.\n ///\n /// Orderly TLS shutdown requires each peer to send a TLS CloseNotify message.\n /// This message is a signal that the data being sent has been completely sent,\n /// without truncation. Where possible we attempt to perform an orderly shutdown,\n /// and so we will send a CloseNotify. We also try to wait for the remote peer to\n /// send a CloseNotify in response. This means we may call this multiple times,\n /// potentially writing our own CloseNotify each time.\n ///\n /// Once `state` has transitioned to `.closed`, further calls to this method will\n /// do nothing.\n private func doShutdownStep(context: ChannelHandlerContext) {\n if case .closed = self.state {\n return\n }\n\n let result = connection.doShutdown()\n\n var uncleanScheduledShutdown: Scheduled?\n let targetCompleteState: ConnectionState\n switch self.state {\n case .outputClosed:\n targetCompleteState = .outputClosed\n case .closing(let scheduledShutdown):\n uncleanScheduledShutdown = scheduledShutdown\n targetCompleteState = .closed\n case .unwrapping(let scheduledShutdown):\n uncleanScheduledShutdown = scheduledShutdown\n targetCompleteState = .unwrapped\n default:\n preconditionFailure(\"Shutting down in a non-shutting-down state\")\n }\n\n switch result {\n case .incomplete:\n writeDataToNetwork(context: context, promise: nil)\n\n if case .outputClosed = targetCompleteState {\n self.state = targetCompleteState\n self.channelCloseOutput(context: context)\n }\n case .complete:\n uncleanScheduledShutdown?.cancel()\n self.state = targetCompleteState\n writeDataToNetwork(context: context, promise: nil)\n\n // TODO(cory): This should probably fire out of the BoringSSL info callback.\n context.fireUserInboundEventTriggered(TLSUserEvent.shutdownCompleted)\n\n switch targetCompleteState {\n case .outputClosed:\n /// No full channel close here. We expect users to invoke a full close even when the\n /// connection has been half-closed in one direction.\n /// Note: half closure for input and output results in a full close.\n self.channelCloseOutput(context: context)\n case .closed:\n self.channelClose(context: context, reason: NIOTLSUnwrappingError.closeRequestedDuringUnwrap)\n case .unwrapped:\n self.channelUnwrap(context: context)\n default:\n preconditionFailure(\"Cannot be in \\(targetCompleteState) at this code point\")\n }\n case .failed(let err):\n uncleanScheduledShutdown?.cancel()\n // TODO(cory): This should probably fire out of the BoringSSL info callback.\n context.fireErrorCaught(NIOSSLError.shutdownFailed(err))\n channelClose(context: context, reason: NIOSSLError.shutdownFailed(err))\n }\n }\n\n /// Creates a scheduled task to perform an unclean shutdown in event of a clean shutdown timing\n /// out. This task should be cancelled if the shutdown does not time out.\n private func scheduleTimedOutShutdown(context: ChannelHandlerContext) -> Scheduled {\n context.eventLoop.assumeIsolated().scheduleTask(in: self.shutdownTimeout) {\n switch self.state {\n case .inputClosed, .outputClosed, .idle, .handshaking, .additionalVerification, .active:\n preconditionFailure(\"Cannot schedule timed out shutdown on non-shutting down handler\")\n\n case .closed, .unwrapped:\n // This means we raced with the shutdown completing. We just let this one go: do nothing.\n return\n\n case .closing:\n // We're closing, the only thing we do here is exit.\n self.state = .closed\n self.channelClose(context: context, reason: NIOSSLCloseTimedOutError())\n\n case .unwrapping:\n // The user only wants us to error and unwrap, not to close.\n self.state = .unwrapped\n self.channelUnwrap(context: context, failedWithError: NIOSSLCloseTimedOutError())\n }\n }\n }\n\n /// Loops over the `SSL` object, decoding encrypted application data until there is\n /// no more available.\n private func doDecodeData(context: ChannelHandlerContext) {\n guard var receiveBuffer = self.plaintextReadBuffer else {\n preconditionFailure(\"didDecodeData called without handlerAdded firing.\")\n }\n\n // We nil the read buffer here. This is done on purpose: we do it to ensure\n // that we don't have two references to the buffer, otherwise readDataFromNetwork\n // will trigger a CoW every time. We need to put this back on every exit from this\n // function, or before any call-out, to avoid re-entrancy issues. We validate the\n // requirement for this being non-nil on exit at the very least.\n self.plaintextReadBuffer = nil\n defer {\n assert(self.plaintextReadBuffer != nil)\n }\n\n readLoop: while true {\n let result = connection.readDataFromNetwork(outputBuffer: &receiveBuffer)\n\n switch result {\n case .complete:\n // Good read. Keep going\n continue readLoop\n\n case .incomplete:\n self.plaintextReadBuffer = receiveBuffer\n break readLoop\n\n case .failed(BoringSSLError.zeroReturn):\n let allowRemoteHalfClosure = self.getAllowRemoteHalfClosureFromChannel(context: context)\n\n switch self.state {\n case .idle, .handshaking, .additionalVerification:\n preconditionFailure(\"Should not get zeroReturn in \\(self.state)\")\n case .closed, .unwrapped:\n // This is an unexpected place to be, but it's not totally impossible. Assume this\n // is the result of a wonky I/O pattern and just ignore it.\n self.plaintextReadBuffer = receiveBuffer\n break readLoop\n case .active, .outputClosed:\n if allowRemoteHalfClosure == false {\n self.state = .closing(self.scheduleTimedOutShutdown(context: context))\n }\n case .unwrapping, .closing, .inputClosed:\n break\n }\n\n // This is a clean EOF: we can just start doing our own clean shutdown.\n self.doFlushReadData(context: context, receiveBuffer: receiveBuffer, readOnEmptyBuffer: false)\n\n if allowRemoteHalfClosure {\n switch self.state {\n case .active, .unwrapping:\n self.state = .inputClosed\n case .outputClosed:\n // Wanting to close input when output is already closed,\n // escalate to full shutdown\n self.close(context: context, mode: .all, promise: nil)\n default:\n break\n }\n context.fireUserInboundEventTriggered(ChannelEvent.inputClosed)\n } else {\n self.doShutdownStep(context: context)\n }\n\n writeDataToNetwork(context: context, promise: nil)\n break readLoop\n\n case .failed(let err):\n self.state = .closed\n self.plaintextReadBuffer = receiveBuffer\n context.fireErrorCaught(err)\n channelClose(context: context, reason: err)\n break readLoop\n }\n }\n }\n\n /// Checks if the `allowRemoteHalfClosure` channel option is set.\n private func getAllowRemoteHalfClosureFromChannel(context: ChannelHandlerContext) -> Bool {\n var halfClosureAllowed = false\n if let syncOptions = context.channel.syncOptions {\n if let result = try? syncOptions.getOption(ChannelOptions.allowRemoteHalfClosure) {\n halfClosureAllowed = result\n }\n }\n return halfClosureAllowed\n }\n\n /// Flushes any pending read plaintext. This is called whenever we hit a flush\n /// point for reads: either channelReadComplete, or we receive a CLOSE_NOTIFY.\n ///\n /// This function will always set the empty buffer back to be the plaintext read buffer.\n /// Do not do this in your own code.\n private func doFlushReadData(context: ChannelHandlerContext, receiveBuffer: ByteBuffer, readOnEmptyBuffer: Bool) {\n defer {\n // All exits from this function must restore the plaintext read buffer.\n assert(self.plaintextReadBuffer != nil)\n }\n\n // We only want to fire channelReadComplete in a situation where we have actually sent the user some data, otherwise\n // we'll be confusing the hell out of them.\n if receiveBuffer.writerIndex > receiveBuffer.readerIndex {\n // We need to be very careful here: we must not call out before we fix up our local view of this buffer. In this\n // case, we're going to set the indices back to where they were. In this case we are deliberately *not* calling\n // clear(), as we don't want to trigger a CoW for our own local refs.\n var ourNewBuffer = receiveBuffer\n ourNewBuffer.moveReaderIndex(to: 0)\n ourNewBuffer.moveWriterIndex(to: 0)\n self.plaintextReadBuffer = ourNewBuffer\n\n // Ok, we can now pass the receive buffer on and fire channelReadComplete.\n context.fireChannelRead(self.wrapInboundOut(receiveBuffer))\n context.fireChannelReadComplete()\n } else if readOnEmptyBuffer {\n // We didn't deliver data, but the channel is still active. If this channel has got\n // autoread turned off then we should call read again, because otherwise the user\n // will never see any result from their read call.\n //\n // In the unlikely event we couldn't get the answer, we assume auto-read is on.\n self.plaintextReadBuffer = receiveBuffer\n\n do {\n let autoRead = try context.channel.syncOptions?.getOption(ChannelOptions.autoRead) ?? true\n if !autoRead {\n context.read()\n }\n } catch {\n context.fireErrorCaught(error)\n }\n } else {\n // Regardless of what happens here, we need to put the plaintext read buffer back. Very important.\n self.plaintextReadBuffer = receiveBuffer\n }\n }\n\n /// Encrypts application data and writes it to the channel.\n ///\n /// This method always flushes. For this reason, it should only ever be called when a flush\n /// is intended.\n private func writeDataToNetwork(context: ChannelHandlerContext, promise: EventLoopPromise?) {\n // There may be no data to write, in which case we can just exit early.\n guard let dataToWrite = connection.getDataForNetwork() else {\n if let promise = promise {\n // If we have a promise, we need to enforce ordering so we issue a zero-length write that\n // the event loop will have to handle.\n let buffer = context.channel.allocator.buffer(capacity: 0)\n context.writeAndFlush(wrapInboundOut(buffer), promise: promise)\n }\n return\n }\n\n context.writeAndFlush(self.wrapInboundOut(dataToWrite), promise: promise)\n }\n\n /// Simply calls `ChannelHandlerContext.close(mode: .output)` with\n /// any promise we may have already been given.\n private func channelCloseOutput(context: ChannelHandlerContext) {\n let closeOutputPromise = self.closeOutputPromise\n self.closeOutputPromise = nil\n context.close(mode: .output, promise: closeOutputPromise)\n }\n\n /// Close the underlying channel.\n ///\n /// This method does not perform any kind of I/O. Instead, it simply calls ChannelHandlerContext.close with\n /// any promise we may have already been given. It also transitions our state into closed. This should only be\n /// used to clean up after an error, or to perform the final call to close after a clean shutdown attempt.\n private func channelClose(context: ChannelHandlerContext, reason: Error) {\n state = .closed\n\n let shutdownPromise = self.shutdownPromise\n self.shutdownPromise = nil\n\n let closePromise = self.closePromise\n self.closePromise = nil\n\n shutdownPromise?.fail(reason)\n context.close(promise: closePromise)\n }\n\n private func channelUnwrap(context: ChannelHandlerContext, failedWithError error: Error? = nil) {\n assert(self.closePromise == nil)\n self.state = .unwrapped\n\n let shutdownPromise = self.shutdownPromise\n self.shutdownPromise = nil\n\n // We create a promise here to make sure we operate in the special magic state\n // where we are not in the pipeline any more, but we still have a valid context.\n let removalPromise: EventLoopPromise = context.eventLoop.makePromise()\n let removalFuture = removalPromise.futureResult.assumeIsolated().map {\n // Now drop all actions.\n self.discardBufferedActions(reason: NIOTLSUnwrappingError.unflushedWriteOnUnwrap)\n\n if let unconsumedData = self.connection.extractUnconsumedData() {\n context.fireChannelRead(self.wrapInboundOut(unconsumedData))\n }\n\n if let error = error {\n context.fireErrorCaught(error)\n }\n }\n\n if let promise = shutdownPromise {\n removalFuture.whenComplete { result in\n switch (result, error) {\n case (.success, .none):\n promise.succeed(())\n case (.success, .some(let error)):\n promise.fail(error)\n case (.failure(let failure), _):\n promise.fail(failure)\n }\n }\n removalFuture.nonisolated().cascade(to: promise)\n }\n\n // Ok, we've unwrapped. Let's get out of the channel.\n context.channel.pipeline.syncOperations.removeHandler(context: context, promise: removalPromise)\n }\n\n /// Validates the hostname from the certificate against the hostname provided by\n /// the user, assuming one has been provided at all.\n private func validateHostname(context: ChannelHandlerContext) throws {\n guard connection.validateHostnames else {\n return\n }\n\n // If there is no remote address, something weird is happening here. We can't\n // validate a certificate without it, so bail.\n guard let ipAddress = context.channel.remoteAddress else {\n throw NIOSSLError.cannotFindPeerIP\n }\n\n try connection.validateHostname(address: ipAddress)\n }\n}\n\n@available(*, unavailable)\nextension NIOSSLHandler: Sendable {}\n\nextension NIOSSLHandler {\n /// Variable that can be queried during the connection lifecycle to grab the ``TLSVersion`` used on this connection.\n ///\n /// This variable **is not thread-safe**: you **must** call it from the correct event\n /// loop thread.\n public var tlsVersion: TLSVersion? {\n self.connection.getTLSVersionForConnection()\n }\n\n /// Return a NIOSSLCertificate from the verified peer after handshake has completed.\n ///\n /// Similar to getTlsVersionForConnection this **is not thread safe**.\n public var peerCertificate: NIOSSLCertificate? {\n self.connection.getPeerCertificate()\n }\n\n /// Return the *validated* certificate chain from the verified peer after handshake has completed.\n ///\n /// This property will only contain a value if the handler was initialized with a custom certificate verification\n /// callback (``NIOSSLCustomVerificationCallbackWithMetadata``) *and* if the promise in the callback was\n /// successfully completed with ``NIOSSLVerificationResultWithMetadata/certificateVerified(_:)`` (containing a\n /// ``VerificationMetadata`` instance with a ``ValidatedCertificateChain``). If either of these conditions are not\n /// met, this property will be `nil`.\n ///\n /// To create a `NIOSSLClientHandler` handler with a custom verification callback that can return the certificate\n /// chain, use:\n /// - ``NIOSSLClientHandler/init(context:serverHostname:customVerificationCallbackWithMetadata:)`` or\n /// - ``NIOSSLClientHandler/init(context:serverHostname:configuration:customVerificationCallbackWithMetadata:)``\n /// For `NIOSSLServerHandler`, use:\n /// - ``NIOSSLServerHandler/init(context:customVerificationCallbackWithMetadata:)`` or\n /// - ``NIOSSLServerHandler/init(context:configuration:customVerificationCallbackWithMetadata:)``\n ///\n public var peerValidatedCertificateChain: ValidatedCertificateChain? {\n self.connection.customVerificationManager?.verificationMetadata?.validatedCertificateChain\n }\n}\n\nextension Channel {\n /// API to extract the ``TLSVersion`` from off the `Channel`.\n public func nioSSL_tlsVersion() -> EventLoopFuture {\n self.pipeline.handler(type: NIOSSLHandler.self).map {\n $0.tlsVersion\n }\n }\n\n /// API to retrieve the verified NIOSSLCertificate of the peer off the 'Channel'\n public func nioSSL_peerCertificate() -> EventLoopFuture {\n self.pipeline.handler(type: NIOSSLHandler.self).map {\n $0.peerCertificate\n }\n }\n\n /// API to retrieve the *validated* certificate chain of the peer. See ``NIOSSLHandler/peerValidatedCertificateChain``.\n public func nioSSL_peerValidatedCertificateChain() -> EventLoopFuture {\n self.pipeline.handler(type: NIOSSLHandler.self).map {\n $0.peerValidatedCertificateChain\n }\n }\n}\n\nextension ChannelPipeline.SynchronousOperations {\n /// API to query the ``TLSVersion`` directly from the `ChannelPipeline`.\n public func nioSSL_tlsVersion() throws -> TLSVersion? {\n let handler = try self.handler(type: NIOSSLHandler.self)\n return handler.tlsVersion\n }\n\n /// API to retrieve the verified NIOSSLCertificate of the peer directly from the 'ChannelPipeline'\n public func nioSSL_peerCertificate() throws -> NIOSSLCertificate? {\n let handler = try self.handler(type: NIOSSLHandler.self)\n return handler.peerCertificate\n }\n\n /// API to retrieve the *validated* certificate chain of the peer. See ``NIOSSLHandler/peerValidatedCertificateChain``.\n public func nioSSL_peerValidatedCertificateChain() throws -> ValidatedCertificateChain? {\n let handler = try self.handler(type: NIOSSLHandler.self)\n return handler.peerValidatedCertificateChain\n }\n}\n\n// MARK:- Extension APIs for users.\nextension NIOSSLHandler {\n /// Called to instruct this handler to perform an orderly TLS shutdown and then remove itself\n /// from the pipeline. This will leave the connection established, but remove the TLS wrapper\n /// from it.\n ///\n /// This will send a `CLOSE_NOTIFY` and wait for the corresponding `CLOSE_NOTIFY`. When that next\n /// `CLOSE_NOTIFY` is received, this handler will pass on all pending writes and remove itself\n /// from the channel pipeline. If the shutdown times out then an error will fire down the\n /// pipeline, this handler will remove itself from the pipeline, but the channel will not be\n /// automatically closed.\n ///\n /// This function **is not thread-safe**: you **must** call it from the correct event\n /// loop thread.\n ///\n /// - parameters:\n /// - promise: An `EventLoopPromise` that will be completed when the unwrapping has\n /// completed.\n public func stopTLS(promise: EventLoopPromise?) {\n switch self.state {\n case .unwrapping, .closing:\n // We're shutting down here. Nothing has to be done, but we should keep track of this promise.\n if let promise = promise, let shutdownPromise = self.shutdownPromise {\n shutdownPromise.futureResult.cascade(to: promise)\n } else if let promise = promise {\n self.shutdownPromise = promise\n }\n\n case .idle:\n // We've never activated, it's easy to remove TLS from a connection that never had it.\n guard let storedContext = self.storedContext else {\n promise?.fail(NIOTLSUnwrappingError.invalidInternalState)\n return\n }\n\n self.state = .unwrapped\n self.shutdownPromise = promise\n self.channelUnwrap(context: storedContext)\n\n case .handshaking, .active, .inputClosed, .outputClosed, .additionalVerification:\n // Time to try to strip TLS.\n guard let storedContext = self.storedContext else {\n promise?.fail(NIOTLSUnwrappingError.invalidInternalState)\n return\n }\n\n self.state = .unwrapping(self.scheduleTimedOutShutdown(context: storedContext))\n self.shutdownPromise = promise\n self.doShutdownStep(context: storedContext)\n\n case .unwrapped:\n // We are already unwrapped. Succeed the promise, do nothing.\n promise?.succeed(())\n\n case .closed:\n promise?.fail(NIOTLSUnwrappingError.alreadyClosed)\n }\n }\n}\n\n// MARK: Code that handles buffering/unbuffering actions.\nextension NIOSSLHandler {\n private typealias BufferedWrite = (data: ByteBuffer, promise: EventLoopPromise?)\n private enum BufferedAction {\n case closeOutput\n case write(BufferedWrite)\n }\n\n private func bufferWrite(data: ByteBuffer, promise: EventLoopPromise?) {\n switch self.state {\n case .idle, .handshaking, .additionalVerification, .active, .unwrapping, .closing, .unwrapped, .inputClosed:\n ()\n case .outputClosed:\n promise?.fail(ChannelError.outputClosed)\n return\n case .closed:\n promise?.fail(ChannelError.ioOnClosedChannel)\n return\n }\n\n var data = data\n\n // Here we guard against the possibility that any of these writes are larger than CInt.max.\n // This is very unusual but it can happen. To work around it, we just pretend that there were\n // multiple writes.\n //\n // During the short writes we set the promise to `nil` to make sure they only arrive at the end.\n // Note that we make sure that there's always a single write, at the end, that holds the promise.\n while data.readableBytes > self.maxWriteSize, let slice = data.readSlice(length: self.maxWriteSize) {\n bufferedActions.append(.write((data: slice, promise: nil)))\n }\n\n assert(data.readableBytes <= maxWriteSize)\n bufferedActions.append(.write((data: data, promise: promise)))\n }\n\n private func bufferFlush() {\n bufferedActions.mark()\n }\n\n private func discardBufferedActions(reason: Error) {\n while let bufferedAction = self.bufferedActions.popFirst() {\n if case .write(let bufferedWrite) = bufferedAction {\n bufferedWrite.promise?.fail(reason)\n }\n }\n }\n\n private func doUnbufferActions(context: ChannelHandlerContext) {\n // Return early if the user hasn't called flush.\n guard bufferedActions.hasMark else {\n return\n }\n\n // These are some annoying variables we use to persist state across invocations of\n // our closures. A better version of this code might be able to simplify this somewhat.\n var promises: [EventLoopPromise] = []\n\n do {\n var invokeCloseOutput = false\n var bufferedActionsLoopCount = 0\n bufferedActionsLoop: while self.bufferedActions.hasMark, bufferedActionsLoopCount < 1000 {\n bufferedActionsLoopCount += 1\n var didWrite = false\n\n writeLoop: while self.bufferedActions.hasMark {\n let element = self.bufferedActions.first!\n switch element {\n case .write(let bufferedWrite):\n var data = bufferedWrite.data\n let writeSuccessful = try self._encodeSingleWrite(buf: &data)\n if writeSuccessful {\n didWrite = true\n if let promise = bufferedWrite.promise { promises.append(promise) }\n _ = self.bufferedActions.removeFirst()\n } else {\n // The write into BoringSSL unsuccessful. Break the write loop so any\n // data is written to the network before resuming.\n break writeLoop\n }\n case .closeOutput:\n invokeCloseOutput = true\n _ = self.bufferedActions.removeFirst()\n break writeLoop\n }\n }\n\n // If we got this far and did a write, we should shove the data out to the\n // network.\n if didWrite {\n let ourPromise: EventLoopPromise? = promises.flattenPromises(on: context.eventLoop)\n self.writeDataToNetwork(context: context, promise: ourPromise)\n }\n\n // We detected a .closeOutput action in our action buffer. This means we\n // close the output after we have written all pending writes.\n if invokeCloseOutput {\n self.state = .outputClosed\n self.doShutdownStep(context: context)\n self.discardBufferedActions(reason: ChannelError.outputClosed)\n break bufferedActionsLoop\n }\n }\n\n // We spun the outer loop too many times, something isn't right so let's bail out\n // instead of looping any longer.\n if bufferedActionsLoopCount >= 1000 {\n assertionFailure(\n \"\\(#function) looped too many times, please file a GitHub issue against swift-nio-ssl.\"\n )\n throw NIOSSLExtraError.noForwardProgress\n }\n } catch {\n // We encountered an error, it's cleanup time. Close ourselves down.\n channelClose(context: context, reason: error)\n\n // Fail any writes we've previously encoded but not flushed.\n for promise in promises { promise.fail(error) }\n\n // Fail close output promise if present\n let closeOutputPromise = self.closeOutputPromise\n self.closePromise = nil\n closeOutputPromise?.fail(error)\n\n // Fail everything else.\n self.discardBufferedActions(reason: error)\n }\n }\n\n /// Given a ByteBuffer to encode, passes it to BoringSSL and handles the result.\n private func _encodeSingleWrite(buf: inout ByteBuffer) throws -> Bool {\n let result = self.connection.writeDataToNetwork(&buf)\n\n switch result {\n case .complete:\n return true\n case .incomplete:\n // Ok, we can't write. Let's stop.\n return false\n case .failed(let err):\n // Once a write fails, all writes must fail. This includes prior writes\n // that successfully made it through BoringSSL.\n throw err\n }\n }\n}\n\nextension Array where Element == EventLoopPromise {\n /// Given an array of promises, flattens it out to a single promise.\n /// If the array is empty, returns nil.\n fileprivate func flattenPromises(on loop: EventLoop) -> EventLoopPromise? {\n guard self.count > 0 else {\n return nil\n }\n\n let ourPromise = loop.makePromise(of: Void.self)\n\n // We don't use cascade here because cascade has to create one closure per\n // promise. We can do better by creating only a single closure that dispatches\n // the result to all promises.\n ourPromise.futureResult.whenComplete { result in\n switch result {\n case .success:\n for result in self { result.succeed(()) }\n case .failure(let error):\n for result in self { result.fail(error) }\n }\n }\n\n return ourPromise\n }\n}\n\n// MARK:- Code for handling asynchronous handshake resumption.\nextension NIOSSLHandler {\n internal func resumeHandshake() {\n guard let storedContext = self.storedContext else {\n // Oh well, the connection is dead. Do nothing.\n return\n }\n\n self.doHandshakeStep(context: storedContext)\n }\n}\n" }, { "path": "Sources/NIOSSL/NIOSSLServerHandler.swift", "content": "//===----------------------------------------------------------------------===//\n//\n// This source file is part of the SwiftNIO open source project\n//\n// Copyright (c) 2017-2021 Apple Inc. and the SwiftNIO project authors\n// Licensed under Apache License v2.0\n//\n// See LICENSE.txt for license information\n// See CONTRIBUTORS.txt for the list of SwiftNIO project authors\n//\n// SPDX-License-Identifier: Apache-2.0\n//\n//===----------------------------------------------------------------------===//\n\nimport NIOCore\n\n/// A channel handler that wraps a channel in TLS using NIOSSL. This\n/// handler can be used in channels that are acting as the server in\n/// the TLS dialog. For client connections, use the ``NIOSSLClientHandler``.\npublic final class NIOSSLServerHandler: NIOSSLHandler {\n /// Construct a new ``NIOSSLServerHandler`` with the given `context`.\n ///\n /// - parameters:\n /// - context: The ``NIOSSLContext`` to use on this connection.\n public convenience init(context: NIOSSLContext) {\n self.init(\n context: context,\n optionalCustomVerificationCallbackManager: nil,\n optionalAdditionalPeerCertificateVerificationCallback: nil\n )\n }\n\n @available(*, deprecated, renamed: \"init(context:customVerificationCallback:)\")\n public init(context: NIOSSLContext, verificationCallback: NIOSSLVerificationCallback? = nil) throws {\n guard let connection = context.createConnection() else {\n fatalError(\"Failed to create new connection in NIOSSLContext\")\n }\n\n connection.setAcceptState()\n\n if let verificationCallback = verificationCallback {\n connection.setVerificationCallback(verificationCallback)\n }\n\n super.init(\n connection: connection,\n shutdownTimeout: context.configuration.shutdownTimeout,\n additionalPeerCertificateVerificationCallback: nil,\n maxWriteSize: NIOSSLHandler.defaultMaxWriteSize,\n configuration: .init()\n )\n }\n\n /// Construct a new ``NIOSSLServerHandler`` with the given `context` and a specific `serverHostname`.\n ///\n /// - parameters:\n /// - context: The ``NIOSSLContext`` to use on this connection.\n /// - customVerificationCallback: A callback to use that will override NIOSSL's normal verification logic.\n ///\n /// If set, this callback is provided the certificates presented by the peer. NIOSSL will not have pre-processed them. The callback will not be used if the\n /// ``TLSConfiguration`` that was used to construct the ``NIOSSLContext`` has ``TLSConfiguration/certificateVerification`` set to ``CertificateVerification/none``.\n ///\n /// - Note: Use ``init(context:customVerificationCallbackWithMetadata:)`` to provide a custom verification\n /// callback where the peer's *validated* certificate chain can be returned. This data can then be accessed from\n /// the handler.\n public convenience init(\n context: NIOSSLContext,\n customVerificationCallback: @escaping NIOSSLCustomVerificationCallback\n ) {\n self.init(\n context: context,\n optionalCustomVerificationCallbackManager: CustomVerifyManager(callback: customVerificationCallback),\n optionalAdditionalPeerCertificateVerificationCallback: nil\n )\n }\n\n /// Construct a new ``NIOSSLServerHandler`` with the given `context` and a specific `serverHostname`.\n ///\n /// - parameters:\n /// - context: The ``NIOSSLContext`` to use on this connection.\n /// - customVerificationCallbackWithMetadata: A callback to use that will override NIOSSL's normal verification\n /// logic. If validation is successful, the peer's validated certificate chain can be returned, and later\n /// accessed via ``NIOSSLHandler/peerValidatedCertificateChain``. The callback will not be used if the\n /// ``TLSConfiguration`` that was used to construct the ``NIOSSLContext`` has\n /// ``TLSConfiguration/certificateVerification`` set to ``CertificateVerification/none``.\n ///\n /// - This callback is provided the certificates presented by the peer. NIOSSL will not have pre-processed\n /// them. Therefore, a validated chain must be derived *within* this callback (potentially involving fetching\n /// additional intermediate certificates). The *validated* certificate chain returned in the promise result\n /// **must** be a verified path to a trusted root. Importantly, the certificates presented by the peer should\n /// not be assumed to be valid.\n public convenience init(\n context: NIOSSLContext,\n customVerificationCallbackWithMetadata: @escaping NIOSSLCustomVerificationCallbackWithMetadata\n ) {\n self.init(\n context: context,\n optionalCustomVerificationCallbackManager: CustomVerifyManager(\n callback: customVerificationCallbackWithMetadata\n ),\n optionalAdditionalPeerCertificateVerificationCallback: nil\n )\n }\n\n /// Construct a new ``NIOSSLServerHandler`` with the given `context` and a specific `serverHostname`.\n ///\n /// - parameters:\n /// - context: The ``NIOSSLContext`` to use on this connection.\n /// - customVerificationCallback: A callback to use that will override NIOSSL's normal verification logic.\n ///\n /// If set, this callback is provided the certificates presented by the peer. NIOSSL will not have pre-processed them. The callback will not be used if the\n /// ``TLSConfiguration`` that was used to construct the ``NIOSSLContext`` has ``TLSConfiguration/certificateVerification`` set to ``CertificateVerification/none``.\n /// - configuration: Configuration for this handler.\n ///\n /// - Note: Use ``init(context:configuration:customVerificationCallbackWithMetadata:)`` to provide a custom\n /// verification callback where the peer's *validated* certificate chain can be returned. This data can then be\n /// accessed from the handler.\n public convenience init(\n context: NIOSSLContext,\n customVerificationCallback: NIOSSLCustomVerificationCallback? = nil,\n configuration: Configuration\n ) {\n self.init(\n context: context,\n optionalCustomVerificationCallbackManager: customVerificationCallback.map(CustomVerifyManager.init),\n optionalAdditionalPeerCertificateVerificationCallback: nil,\n configuration: configuration\n )\n }\n\n /// Construct a new ``NIOSSLServerHandler`` with the given `context` and a specific `serverHostname`.\n ///\n /// - parameters:\n /// - context: The ``NIOSSLContext`` to use on this connection.\n /// - configuration: Configuration for this handler.\n /// - customVerificationCallbackWithMetadata: A callback to use that will override NIOSSL's normal verification\n /// logic. If validation is successful, the peer's validated certificate chain can be returned, and later\n /// accessed via ``NIOSSLHandler/peerValidatedCertificateChain``. The callback will not be used if the\n /// ``TLSConfiguration`` that was used to construct the ``NIOSSLContext`` has\n /// ``TLSConfiguration/certificateVerification`` set to ``CertificateVerification/none``.\n ///\n /// - This callback is provided the certificates presented by the peer. NIOSSL will not have pre-processed\n /// them. Therefore, a validated chain must be derived *within* this callback (potentially involving fetching\n /// additional intermediate certificates). The *validated* certificate chain returned in the promise result\n /// **must** be a verified path to a trusted root. Importantly, the certificates presented by the peer should\n /// not be assumed to be valid.\n public convenience init(\n context: NIOSSLContext,\n configuration: Configuration,\n customVerificationCallbackWithMetadata: @escaping NIOSSLCustomVerificationCallbackWithMetadata\n ) {\n self.init(\n context: context,\n optionalCustomVerificationCallbackManager: CustomVerifyManager(\n callback: customVerificationCallbackWithMetadata\n ),\n optionalAdditionalPeerCertificateVerificationCallback: nil,\n configuration: configuration\n )\n }\n\n /// - warning: This API is not guaranteed to be stable and is likely to be changed without further notice, hence the underscore prefix.\n public static func _makeSSLServerHandler(\n context: NIOSSLContext,\n additionalPeerCertificateVerificationCallback: @escaping _NIOAdditionalPeerCertificateVerificationCallback\n ) -> Self {\n .init(\n context: context,\n optionalCustomVerificationCallbackManager: nil,\n optionalAdditionalPeerCertificateVerificationCallback: additionalPeerCertificateVerificationCallback\n )\n }\n\n /// This exists to handle the explosion of initializers I got when I deprecated the first one.\n private init(\n context: NIOSSLContext,\n optionalCustomVerificationCallbackManager: CustomVerifyManager?,\n optionalAdditionalPeerCertificateVerificationCallback: _NIOAdditionalPeerCertificateVerificationCallback?,\n configuration: Configuration = .init()\n ) {\n guard let connection = context.createConnection() else {\n fatalError(\"Failed to create new connection in NIOSSLContext\")\n }\n\n connection.setAcceptState()\n\n if let customVerificationCallbackManager = optionalCustomVerificationCallbackManager {\n connection.setCustomVerificationCallback(customVerificationCallbackManager)\n }\n\n super.init(\n connection: connection,\n shutdownTimeout: context.configuration.shutdownTimeout,\n additionalPeerCertificateVerificationCallback: optionalAdditionalPeerCertificateVerificationCallback,\n maxWriteSize: NIOSSLHandler.defaultMaxWriteSize,\n configuration: configuration\n )\n }\n}\n\n// This conformance is technically redundant - Swift 6.2 compiler finally caught this\n#if compiler(<6.2)\n@available(*, unavailable)\nextension NIOSSLServerHandler: Sendable {}\n#endif\n" }, { "path": "Sources/NIOSSL/ObjectIdentifier.swift", "content": "//===----------------------------------------------------------------------===//\n//\n// This source file is part of the SwiftNIO open source project\n//\n// Copyright (c) 2022 Apple Inc. and the SwiftNIO project authors\n// Licensed under Apache License v2.0\n//\n// See LICENSE.txt for license information\n// See CONTRIBUTORS.txt for the list of SwiftNIO project authors\n//\n// SPDX-License-Identifier: Apache-2.0\n//\n//===----------------------------------------------------------------------===//\n\n@_implementationOnly import CNIOBoringSSL\n@_implementationOnly import CNIOBoringSSLShims\n\n/// A representation of an ASN.1 Object Identifier (OID)\npublic struct NIOSSLObjectIdentifier {\n private enum Storage {\n final class Deallocator {\n var reference: OpaquePointer!\n\n init(takeOwnershipOf reference: OpaquePointer!) {\n self.reference = reference\n }\n\n deinit {\n CNIOBoringSSL_ASN1_OBJECT_free(self.reference)\n }\n }\n\n case owned(Deallocator)\n case borrowed(reference: OpaquePointer!, owner: AnyObject)\n\n init(takeOwnershipOf reference: OpaquePointer!) {\n self = .owned(.init(takeOwnershipOf: reference))\n }\n\n init(borrowing reference: OpaquePointer!, owner: AnyObject) {\n self = .borrowed(reference: reference, owner: owner)\n }\n\n /// All operations accessing `reference` need to be implemented while guaranteeing that we still have a reference to the memory owner.\n /// Otherwise `reference` could already be freed. This would result in undefined behaviour as we access a dangling pointer.\n /// This method guarantees that `reference` is valid during execution of `body`.\n internal func withReference(\n _ body: (OpaquePointer?) throws -> Result\n ) rethrows -> Result {\n try withExtendedLifetime(self) {\n switch self {\n case .owned(let deallocator):\n return try body(deallocator.reference)\n case .borrowed(let reference, _):\n return try body(reference)\n }\n }\n }\n }\n\n private let storage: Storage\n\n /// Creates a Object Identifier (OID) from its textual dotted representation (e.g. `1.2.3`)\n ///\n /// - Parameter string: textual dotted representation of an OID\n public init?(_ string: String) {\n let result = string.withCString { string in\n // If no_name (the last parameter of CNIOBoringSSL_OBJ_txt2obj) is 0 then long names and\n // short names will be interpreted as well as numerical forms.\n // If no_name is 1 only the numerical form is acceptable.\n // source: https://www.openssl.org/docs/manmaster/man3/OBJ_txt2obj.html\n CNIOBoringSSL_OBJ_txt2obj(string, 1)\n }\n guard let reference = result else {\n return nil\n }\n self.storage = .init(takeOwnershipOf: reference)\n }\n\n /// Creates an Object Identifier (OID) from an OpenSSL reference.\n ///\n /// - Note: initialising an ``NIOSSLObjectIdentifier`` takes ownership of the reference and will free it after the reference count drops to zero\n /// - Parameter reference: reference to a valid OpenSSL OID aka OBJ\n internal init(takingOwnershipOf reference: OpaquePointer!) {\n self.storage = .init(takeOwnershipOf: reference)\n }\n\n /// Creates an Object Identifier (OID) from an OpenSSL reference.\n /// - Note: initialising an ``NIOSSLObjectIdentifier`` with *this* constructor does **not** take ownership of the memory. Instead ``NIOSSLObjectIdentifier`` keeps a reference to the owning object which it will retain for the lifetime of itself.\n /// - Parameters\n /// - reference: reference to a valid OpenSSL OID aka OBJ\n /// - owner: owner of the memory `reference` is pointing to which it will retain.\n internal init(borrowing reference: OpaquePointer!, owner: AnyObject) {\n self.storage = .init(borrowing: reference, owner: owner)\n }\n\n /// Creates a copy of an Object Identifier (OID) from an OpenSSL reference\n /// - Parameter reference: reference to a valid OpenSSL OID aka OBJ\n internal init(copyOf reference: OpaquePointer!) {\n self.init(takingOwnershipOf: CNIOBoringSSL_OBJ_dup(reference))\n }\n}\n\n// NIOSSLObjectIdentifier is immutable and therefore Sendable\nextension NIOSSLObjectIdentifier: @unchecked Sendable {}\n\nextension NIOSSLObjectIdentifier: Equatable {\n public static func == (lhs: NIOSSLObjectIdentifier, rhs: NIOSSLObjectIdentifier) -> Bool {\n lhs.storage.withReference { lhsReference in\n rhs.storage.withReference { rhsReference in\n CNIOBoringSSL_OBJ_cmp(lhsReference, rhsReference) == 0\n }\n }\n }\n}\n\nextension NIOSSLObjectIdentifier: Hashable {\n public func hash(into hasher: inout Hasher) {\n self.storage.withReference { reference in\n let length = CNIOBoringSSL_OBJ_length(reference)\n let data = CNIOBoringSSL_OBJ_get0_data(reference)\n let buffer = UnsafeRawBufferPointer(start: data, count: length)\n hasher.combine(bytes: buffer)\n }\n }\n}\n\nextension NIOSSLObjectIdentifier: LosslessStringConvertible {\n public var description: String {\n self.storage.withReference { reference in\n var failed = false\n let oid = String(customUnsafeUninitializedCapacity: 80) { buffer in\n // OBJ_obj2txt() is awkward and messy to use: it doesn't follow the convention of other OpenSSL functions where the buffer can be set to NULL to determine the amount of data that should be written. Instead buf must point to a valid buffer and buf_len should be set to a positive value. A buffer length of 80 should be more than enough to handle any OID encountered in practice.\n // source: https://linux.die.net/man/3/obj_obj2txt\n let result = buffer.withMemoryRebound(to: CChar.self) { buffer in\n // If no_name (the last argument of CNIOBoringSSL_OBJ_obj2txt) is 0 then\n // if the object has a long or short name then that will be used,\n // otherwise the numerical form will be used.\n // If no_name is 1 then the numerical form will always be used.\n // source: https://www.openssl.org/docs/manmaster/man3/OBJ_obj2txt.html\n CNIOBoringSSL_OBJ_obj2txt(buffer.baseAddress, Int32(buffer.count), reference, 1)\n }\n guard result >= 0 else {\n // result of -1 indicates an error\n failed = true\n return 0\n }\n return Int(result)\n }\n guard !failed else {\n return \"failed to convert OID to string\"\n }\n return oid\n }\n }\n}\n" }, { "path": "Sources/NIOSSL/PosixPort.swift", "content": "//===----------------------------------------------------------------------===//\n//\n// This source file is part of the SwiftNIO open source project\n//\n// Copyright (c) 2017-2021 Apple Inc. and the SwiftNIO project authors\n// Licensed under Apache License v2.0\n//\n// See LICENSE.txt for license information\n// See CONTRIBUTORS.txt for the list of SwiftNIO project authors\n//\n// SPDX-License-Identifier: Apache-2.0\n//\n//===----------------------------------------------------------------------===//\n\nimport NIOCore\n\n// This file contains a version of the SwiftNIO Posix enum. This is necessary\n// because SwiftNIO's version is internal. Our version exists for the same reason:\n// to ensure errno is captured correctly when doing syscalls, and that no ARC traffic\n// can happen inbetween that *could* change the errno value before we were able to\n// read it.\n//\n// The code is an exact port from SwiftNIO, so if that version ever becomes public we\n// can lift anything missing from there and move it over without change.\n#if canImport(Darwin)\nimport Darwin.C\n#elseif canImport(Musl)\nimport Musl\n#elseif canImport(Glibc)\nimport Glibc\n#elseif canImport(Android)\nimport Android\n#else\n#error(\"unsupported os\")\n#endif\n\n#if os(Android)\ninternal typealias FILEPointer = OpaquePointer\n#else\ninternal typealias FILEPointer = UnsafeMutablePointer\n#endif\n\nprivate let sysFopen = fopen\nprivate let sysMlock = mlock\nprivate let sysMunlock = munlock\nprivate let sysFclose = fclose\nprivate let sysStat = { @Sendable in stat($0, $1) }\nprivate let sysLstat = lstat\nprivate let sysReadlink = readlink\n\n// MARK:- Copied code from SwiftNIO\nprivate func isUnacceptableErrno(_ code: CInt) -> Bool {\n switch code {\n case EFAULT, EBADF:\n return true\n default:\n return false\n }\n}\n\n// Sorry, we really try hard to not use underscored attributes. In this case however we seem to break the inlining threshold which makes a system call take twice the time, ie. we need this exception.\n@inline(__always)\ninternal func wrapSyscall(where function: String = #function, _ body: () throws -> T) throws -> T\n{\n while true {\n let res = try body()\n if res == -1 {\n let err = errno\n if err == EINTR {\n continue\n }\n assert(!isUnacceptableErrno(err), \"unacceptable errno \\(err) \\(strerror(err)!)\")\n throw IOError(errnoCode: err, reason: function)\n }\n return res\n }\n}\n\n// Sorry, we really try hard to not use underscored attributes. In this case however we seem to break the inlining threshold which makes a system call take twice the time, ie. we need this exception.\n@inline(__always)\ninternal func wrapErrorIsNullReturnCall(\n errorReason: @autoclosure () -> String = #function,\n _ body: () throws -> T?\n) throws -> T {\n while true {\n guard let res = try body() else {\n let err = errno\n if err == EINTR {\n continue\n }\n assert(!isUnacceptableErrno(err), \"unacceptable errno \\(err) \\(strerror(err)!)\")\n throw IOError(errnoCode: err, reason: errorReason())\n }\n return res\n }\n}\n\n// MARK:- Our functions\ninternal enum Posix {\n @inline(never)\n internal static func fopen(file: String, mode: String) throws -> FILEPointer {\n try file.withCString { fileCString in\n try wrapErrorIsNullReturnCall(errorReason: \"fopen(file: \\\"\\(file)\\\", mode: \\\"\\(mode)\\\")\") {\n sysFopen(fileCString, mode)\n }\n }\n }\n\n @inline(never)\n internal static func fclose(file: FILEPointer) throws -> CInt {\n try wrapSyscall {\n sysFclose(file)\n }\n }\n\n @inline(never)\n internal static func readlink(\n path: UnsafePointer,\n buf: UnsafeMutablePointer,\n bufSize: Int\n ) throws -> Int {\n try wrapSyscall {\n sysReadlink(path, buf, bufSize)\n }\n }\n\n @inline(never)\n @discardableResult\n internal static func stat(path: UnsafePointer, buf: UnsafeMutablePointer) throws -> CInt {\n try wrapSyscall {\n sysStat(path, buf)\n }\n }\n\n @inline(never)\n @discardableResult\n internal static func lstat(path: UnsafePointer, buf: UnsafeMutablePointer) throws -> Int32 {\n try wrapSyscall {\n sysLstat(path, buf)\n }\n }\n\n @inline(never)\n @discardableResult\n internal static func mlock(addr: UnsafeRawPointer, len: size_t) throws -> CInt {\n try wrapSyscall {\n sysMlock(addr, len)\n }\n }\n\n @inline(never)\n @discardableResult\n internal static func munlock(addr: UnsafeRawPointer, len: size_t) throws -> CInt {\n try wrapSyscall {\n sysMunlock(addr, len)\n }\n }\n}\n" }, { "path": "Sources/NIOSSL/PrivacyInfo.xcprivacy", "content": "\n\n\n\n NSPrivacyTracking\n \n NSPrivacyAccessedAPITypes\n \n NSPrivacyCollectedDataTypes\n \n NSPrivacyTrackingDomains\n \n\n\n\n" }, { "path": "Sources/NIOSSL/SSLCallbacks.swift", "content": "//===----------------------------------------------------------------------===//\n//\n// This source file is part of the SwiftNIO open source project\n//\n// Copyright (c) 2017-2021 Apple Inc. and the SwiftNIO project authors\n// Licensed under Apache License v2.0\n//\n// See LICENSE.txt for license information\n// See CONTRIBUTORS.txt for the list of SwiftNIO project authors\n//\n// SPDX-License-Identifier: Apache-2.0\n//\n//===----------------------------------------------------------------------===//\n\n@_implementationOnly import CNIOBoringSSL\nimport NIOCore\n\n#if canImport(Darwin)\nimport Darwin.C\n#elseif canImport(Musl)\nimport Musl\n#elseif canImport(Glibc)\nimport Glibc\n#elseif canImport(Bionic)\nimport Bionic\n#else\n#error(\"unsupported os\")\n#endif\n\n/// The result of an attempt to verify an X.509 certificate.\npublic enum NIOSSLVerificationResult: Sendable {\n /// The certificate was successfully verified.\n case certificateVerified\n\n /// The certificate was not verified.\n case failed\n\n internal init(fromBoringSSLPreverify preverify: CInt) {\n switch preverify {\n case 1:\n self = .certificateVerified\n case 0:\n self = .failed\n default:\n preconditionFailure(\"Invalid preverify value: \\(preverify)\")\n }\n }\n}\n\n/// The result of an attempt to verify an X.509 certificate, with associated metadata if the certificate was successfully verified.\npublic enum NIOSSLVerificationResultWithMetadata: Sendable, Hashable {\n /// The certificate was successfully verified; the associated value contains metadata captured during verification.\n case certificateVerified(VerificationMetadata)\n\n /// The certificate was not verified.\n case failed\n}\n\n/// The metadata captured during the verification of an X.509 certificate.\npublic struct VerificationMetadata: Sendable, Hashable {\n /// A container for the validated certificate chain: an array of certificates forming a verified and ordered chain\n /// of trust, starting from the peer's leaf certificate to a trusted root certificate.\n public var validatedCertificateChain: ValidatedCertificateChain?\n\n /// Creates an instance with the peer's *validated* certificate chain.\n ///\n /// - Parameter validatedCertificateChain: An optional *validated* certificate chain. If provided, it must **only**\n /// contain the **validated** chain of trust that was built and verified from the certificates presented by the peer.\n public init(_ validatedCertificateChain: ValidatedCertificateChain?) {\n self.validatedCertificateChain = validatedCertificateChain\n }\n}\n\n/// A custom verification callback.\n///\n/// This verification callback is usually called more than once per connection, as it is called once\n/// per certificate in the peer's complete certificate chain (including the root CA). The calls proceed\n/// from root to leaf, ending with the peer's leaf certificate. Each time it is invoked with 2 arguments:\n///\n/// 1. The result of the BoringSSL verification for this certificate\n/// 2. The ``NIOSSLCertificate`` for this level of the chain.\n///\n/// Please be cautious with calling out from this method. This method is always invoked on the event loop,\n/// so you must not block or wait. It is not possible to return an `EventLoopFuture` from this method, as it\n/// must not block or wait. Additionally, this method must take care to ensure that it does not cause any\n/// ChannelHandler to recursively call back into the ``NIOSSLHandler`` that triggered it, as making re-entrant\n/// calls into BoringSSL is not supported by SwiftNIO and leads to undefined behaviour.\n///\n/// In general, the only safe thing to do here is to either perform some cryptographic operations, to log,\n/// or to store the ``NIOSSLCertificate`` somewhere for later consumption. The easiest way to be sure that the\n/// ``NIOSSLCertificate`` is safe to consume is to wait for a user event that shows the handshake as completed,\n/// or for channelInactive.\n///\n/// > Warning: This callback uses the old-style OpenSSL callback behaviour and is excessively complex to program with.\n/// Instead, prefer using the NIOSSLCustomVerificationCallback style which receives the entire trust chain at once,\n/// and also supports asynchronous certificate verification.\npublic typealias NIOSSLVerificationCallback = (NIOSSLVerificationResult, NIOSSLCertificate) -> NIOSSLVerificationResult\n\n/// A custom verification callback that allows completely overriding the certificate verification logic of BoringSSL.\n///\n/// This verification callback is called no more than once per connection attempt. It is invoked with two arguments:\n///\n/// 1. The certificate chain presented by the peer, in the order the peer presented them (with the first certificate\n/// being the leaf certificate presented by the peer).\n/// 2. An `EventLoopPromise` that must be completed to signal the result of the verification.\n///\n/// Please be cautious with calling out from this method. This method is always invoked on the event loop,\n/// so you must not block or wait. However, you may perform asynchronous work by leaving the event loop context:\n/// when the verification is complete you must complete the provided `EventLoopPromise`.\n///\n/// This method must take care to ensure that it does not cause any `ChannelHandler` to recursively call back into\n/// the ``NIOSSLHandler`` that triggered it, as making re-entrant calls into BoringSSL is not supported by SwiftNIO and\n/// leads to undefined behaviour. It is acceptable to leave the event loop context and then call into the ``NIOSSLHandler``,\n/// as this will not be re-entrant.\n///\n/// - Warning: Note that setting this callback will override _all_ verification logic that BoringSSL provides.\npublic typealias NIOSSLCustomVerificationCallback = ([NIOSSLCertificate], EventLoopPromise) ->\n Void\n\n/// A custom verification callback that allows completely overriding the certificate verification logic of BoringSSL.\n/// The only difference between this callback and ``NIOSSLCustomVerificationCallback`` is that this callback allows\n/// the peer's validated certificate chain to be returned.\n///\n/// This verification callback is called no more than once per connection attempt. It is invoked with two arguments:\n///\n/// 1. The certificate chain presented by the peer, in the order the peer presented them (with the first certificate\n/// being the leaf certificate presented by the peer).\n/// 2. An `EventLoopPromise` that must be completed to signal the result of the verification. The promise must be\n/// fulfilled with a ``NIOSSLVerificationResultWithMetadata`` value which contains the validated chain.\n///\n/// Please be cautious with calling out from this method. This method is always invoked on the event loop,\n/// so you must not block or wait. However, you may perform asynchronous work by leaving the event loop context:\n/// when the verification is complete you must complete the provided `EventLoopPromise`.\n///\n/// This method must take care to ensure that it does not cause any `ChannelHandler` to recursively call back into\n/// the ``NIOSSLHandler`` that triggered it, as making re-entrant calls into BoringSSL is not supported by SwiftNIO and\n/// leads to undefined behaviour. It is acceptable to leave the event loop context and then call into the ``NIOSSLHandler``,\n/// as this will not be re-entrant.\n///\n/// - Warning: Setting this callback will override _all_ verification logic that BoringSSL provides. Therefore, a\n/// validated chain must be derived *within* this callback (potentially involving fetching additional intermediate\n/// certificates). The *validated* certificate chain returned in the promise result **must** be a verified path\n/// to a trusted root. Importantly, the certificates presented by the peer should not be assumed to be valid.\npublic typealias NIOSSLCustomVerificationCallbackWithMetadata = (\n [NIOSSLCertificate],\n EventLoopPromise\n) -> Void\n\n/// A custom verification callback that allows additional peer certificate verification logic after the logic of BoringSSL has completed successfully.\n///\n/// It is invoked with two arguments:\n/// 1. The verified leaf certificate from the peer certificate chain\n/// 2. The channel to which the certificate belongs\n///\n/// The handshake will only succeed if the returned promise completes successfully.\n///\n/// - warning: This API is not guaranteed to be stable and is likely to be changed without further notice, hence the underscore prefix.\npublic typealias _NIOAdditionalPeerCertificateVerificationCallback = (NIOSSLCertificate, Channel) -> EventLoopFuture<\n Void\n>\n\n/// A callback that can be used to implement `SSLKEYLOGFILE` support.\n///\n/// Wireshark can decrypt packet captures that contain encrypted TLS connections if they have access to the\n/// session keys used to perform the encryption. These keys are normally stored in a file that has a specific\n/// file format. This callback is the low-level primitive that can be used to write such a file.\n///\n/// When set, this callback will be invoked once per secret. The provided `ByteBuffer` will contain the bytes\n/// that need to be written into the file, including the newline character.\n///\n/// - warning: Please be aware that enabling support for `SSLKEYLOGFILE` through this callback will put the secrecy of\n/// your connections at risk. You should only do so when you are confident that it will not be possible to\n/// extract those secrets unnecessarily.\n///\npublic typealias NIOSSLKeyLogCallback = @Sendable (ByteBuffer) -> Void\n\n/// An object that provides helpers for working with a NIOSSLKeyLogCallback\ninternal struct KeyLogCallbackManager {\n private var callback: NIOSSLKeyLogCallback\n\n init(callback: @escaping NIOSSLKeyLogCallback) {\n self.callback = callback\n }\n}\n\nextension KeyLogCallbackManager {\n /// Called to log a string to the user.\n func log(_ stringPointer: UnsafePointer) {\n let len = strlen(stringPointer)\n\n // We don't cache this because `log` can be called from arbitrary threads concurrently.\n var scratchBuffer = ByteBufferAllocator().buffer(capacity: len + 1)\n\n let bufferPointer = UnsafeRawBufferPointer(start: stringPointer, count: Int(len))\n scratchBuffer.writeBytes(bufferPointer)\n scratchBuffer.writeInteger(UInt8(ascii: \"\\n\"))\n self.callback(scratchBuffer)\n }\n}\n\n/// PSK Server Context provided to the callback.\npublic struct PSKServerContext: Sendable, Hashable {\n /// Optional identity hint provided to the client by the server.\n public let hint: String?\n /// Identity provided by the client to the server.\n public let clientIdentity: String\n /// Maximum length of the returned PSK.\n public let maxPSKLength: Int\n\n /// Constructs a ``PSKServerContext``.\n ///\n /// - parameter hint: Optional identity hint provided to the client.\n /// - parameter clientIdentity: Client identity received from the client.\n /// - parameter maxPSKLength: Maximum possible length of the Pre Shared Key.\n public init(hint: String?, clientIdentity: String, maxPSKLength: Int) {\n self.hint = hint\n self.clientIdentity = clientIdentity\n self.maxPSKLength = maxPSKLength\n }\n}\n\n/// PSK Client Context provided to the callback.\npublic struct PSKClientContext: Sendable, Hashable {\n /// Optional identity hint provided by the server to the client.\n public let hint: String?\n /// Maximum length of the returned PSK.\n public let maxPSKLength: Int\n\n /// Constructs a ``PSKClientContext``.\n ///\n /// - parameter hint: Optional identity hint provided by the server.\n /// - parameter maxPSKLength: Maximum possible length of the Pre Shared Key.\n public init(hint: String?, maxPSKLength: Int) {\n self.hint = hint\n self.maxPSKLength = maxPSKLength\n }\n}\n\n/// PSK Server Identity response type used in the callback.\npublic struct PSKServerIdentityResponse: Sendable {\n /// The negotiated PSK.\n public var key: NIOSSLSecureBytes\n\n /// Constructs a ``PSKServerIdentityResponse``.\n ///\n /// - parameter key: The negotiated PSK.\n public init(key: NIOSSLSecureBytes) {\n self.key = key\n }\n}\n/// PSK Client Identity response type used in the callback.\npublic struct PSKClientIdentityResponse: Sendable {\n /// The negotiated PSK.\n public var key: NIOSSLSecureBytes\n\n /// The identity of the PSK.\n public var identity: String\n\n /// Constructs a ``PSKClientIdentityResponse``.\n ///\n /// - parameter key: The negotiated PSK.\n /// - parameter identity: The identity of the PSK.\n public init(key: NIOSSLSecureBytes, identity: String) {\n self.key = key\n self.identity = identity\n }\n}\n\n/// A structure representing values from client extensions in the SSL/TLS handshake.\n///\n/// This struct contains values obtained from the client hello message extensions during the TLS handshake process and\n/// can be manipulated or introspected by the `NIOSSLContextCallback` to alter the TLS handshake behaviour dynamically\n/// based on these values.\npublic struct NIOSSLClientExtensionValues: Hashable, Sendable {\n\n /// The hostname value from the Server Name Indication (SNI) extension.\n ///\n /// This value, if available, indicates the requested server hostname by the client.\n /// In a context where a service is handling multiple hostnames (virtual hosts, for example),\n /// this value could be used to decide which SSLContext to use for the handshake.\n public var serverHostname: String?\n\n /// Initializes a new `NIOSSLClientExtensionValues` struct.\n ///\n /// - parameter serverHostname: The hostname value from the SNI extension.\n public init(serverHostname: String?) {\n self.serverHostname = serverHostname\n }\n}\n\n/// A structure representing changes to the SSL/TLS configuration that can be applied\n/// after the client hello message extensions have been processed.\npublic struct NIOSSLContextConfigurationOverride: Sendable {\n\n /// The new certificate chain to use for the handshake.\n public var certificateChain: [NIOSSLCertificateSource]?\n\n /// The new private key to use for the handshake.\n public var privateKey: NIOSSLPrivateKeySource?\n\n public init() {}\n}\n\nextension NIOSSLContextConfigurationOverride {\n\n /// Return inside `NIOSSLContextCallback` when there are no changes to be made\n public static let noChanges = Self()\n}\n\n/// A callback that can used to support multiple or dynamic TLS hosts.\n///\n/// When set, this callback will be invoked once per TLS hello. The provided `NIOSSLClientExtensionValues` will contain the\n/// host name indicated in the TLS client hello.\n///\n/// Within this callback, the user can create and return a new `NIOSSLContextConfigurationOverride` for the given host,\n/// and the delta will be applied to the current handshake configuration.\n///\npublic typealias NIOSSLContextCallback =\n @Sendable (\n NIOSSLClientExtensionValues, EventLoopPromise\n ) -> Void\n\n/// A struct that provides helpers for working with a NIOSSLContextCallback.\ninternal struct CustomContextManager: Sendable {\n private let callback: NIOSSLContextCallback\n\n private var state: State\n\n init(callback: @escaping NIOSSLContextCallback) {\n self.callback = callback\n self.state = .notStarted\n }\n}\n\nextension CustomContextManager {\n private enum State {\n case notStarted\n\n case pendingResult\n\n case complete(Result)\n }\n}\n\nextension CustomContextManager {\n internal var loadContextError: (any Error)? {\n switch self.state {\n case .complete(.failure(let error)):\n return error\n default:\n return nil\n }\n }\n}\n\nextension CustomContextManager {\n mutating func loadContext(ssl: OpaquePointer) -> Result? {\n switch state {\n case .pendingResult:\n // In the pending case we return nil\n return nil\n case .complete(let result):\n // In the complete we can return our result\n return result\n case .notStarted:\n // Load the attached connection so we can resume handshake when future resolves\n let connection = SSLConnection.loadConnectionFromSSL(ssl)\n\n guard let eventLoop = connection.eventLoop else {\n preconditionFailure(\n \"\"\"\n SSL_CTX_set_cert_cb was executed without an event loop assigned to the connection.\n This should not be possible, please file an issue.\n \"\"\"\n )\n }\n\n // Construct extension values to be passed to callback\n let cServerHostname = CNIOBoringSSL_SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name)\n let serverHostname = cServerHostname.map { String(cString: $0) }\n let values = NIOSSLClientExtensionValues(serverHostname: serverHostname)\n\n // Before invoking the user callback we can update our state to pending\n self.state = .pendingResult\n\n // We're responsible for creating the promise and the user provided callback will fulfill it\n let promise = eventLoop.makePromise(of: NIOSSLContextConfigurationOverride.self)\n self.callback(values, promise)\n\n promise.futureResult.assumeIsolated().whenComplete { result in\n // Ensure we execute any completion on the next event loop tick\n // This ensures that we suspend before calling resume\n eventLoop.assumeIsolated().execute {\n connection.customContextManager?.state = .complete(result)\n connection.parentHandler?.resumeHandshake()\n }\n }\n\n return nil\n }\n }\n\n mutating func setLoadContextError(_ error: any Error) {\n self.state = .complete(.failure(error))\n }\n}\n\n/// The callback used for providing a PSK on the client side.\n///\n/// The callback is invoked on the event loop with the PSK hint. This callback must complete synchronously: it cannot return a future.\n/// Additionally, as it is invoked on the NIO event loop, it is not possible for this to perform any I/O. As a result, lookups must be quick.\npublic typealias NIOPSKClientIdentityCallback = @Sendable (String) throws -> PSKClientIdentityResponse\n\n/// The callback used for providing a PSK on the client side.\n///\n/// The callback is invoked on the event loop with a PSK context.\n/// The context include the optional hint provided by the server.\n/// This callback must complete synchronously: it cannot return a future.\n/// Additionally, as it is invoked on the NIO event loop, it is not possible for this to perform any I/O. As a result, lookups must be quick.\npublic typealias NIOPSKClientIdentityProvider = @Sendable (PSKClientContext) throws -> PSKClientIdentityResponse\n\n/// The callback used for providing a PSK on the server side.\n///\n/// The callback is invoked on the event loop with the PSK hint provided by the server, and the PSK identity provided by the client.\n/// This callback must complete synchronously: it cannot return a future. Additionally, as it is invoked on the NIO event loop, it is\n/// not possible for this to perform any I/O. As a result, lookups must be quick.\npublic typealias NIOPSKServerIdentityCallback = @Sendable (String, String) throws -> PSKServerIdentityResponse\n\n/// The callback used for providing a PSK on the server side.\n///\n/// The callback is invoked on the event loop with a PSK context provided by the server and the client, and the PSK identity provided by the client\n/// The context includes the optional hint.\n/// This callback must complete synchronously: it cannot return a future. Additionally, as it is invoked on the NIO event loop, it is\n/// not possible for this to perform any I/O. As a result, lookups must be quick.\npublic typealias NIOPSKServerIdentityProvider = @Sendable (PSKServerContext) throws -> PSKServerIdentityResponse\n\n/// Allow internally to maintain the compatibility with the deprecated callback\ninternal enum _NIOPSKServerIdentityProvider {\n case callback(NIOPSKServerIdentityCallback)\n case provider(NIOPSKServerIdentityProvider)\n}\n\n/// Allow internally to maintain the compatibility with the deprecated callback\ninternal enum _NIOPSKClientIdentityProvider {\n case callback(NIOPSKClientIdentityCallback)\n case provider(NIOPSKClientIdentityProvider)\n}\n\n/// A struct that provides helpers for working with a NIOSSLCustomVerificationCallback.\ninternal struct CustomVerifyManager {\n private var callback: CallbackType\n\n private var result: PendingResult = .notStarted\n\n /// Contains the metadata that the callback returned. As such, this property will *only* contain a value if\n /// `self.result` is `.complete` (and if the callback promise returns metadata).\n var verificationMetadata: VerificationMetadata?\n\n init(callback: @escaping NIOSSLCustomVerificationCallback) {\n self.callback = .public(callback)\n }\n\n init(callback: @escaping NIOSSLCustomVerificationCallbackWithMetadata) {\n self.callback = .publicWithMetadata(callback)\n }\n\n init(callback: @escaping InternalCallback) {\n self.callback = .internal(callback)\n }\n}\n\nextension CustomVerifyManager {\n fileprivate enum PendingResult: Hashable {\n case notStarted\n\n case pendingResult\n\n case complete(NIOSSLVerificationResult)\n\n case completeWithMetadata(NIOSSLVerificationResultWithMetadata)\n }\n\n fileprivate protocol PendingResultConvertible {\n static func pendingResult(_ result: Result) -> PendingResult\n }\n}\n\nextension CustomVerifyManager {\n mutating func process(on connection: SSLConnection) -> ssl_verify_result_t {\n // First, check if we have a result.\n switch self.result {\n case .complete(.certificateVerified):\n return ssl_verify_ok\n case .completeWithMetadata(.certificateVerified(let metadata)):\n // Extract the metadata and store it within `self`.\n self.verificationMetadata = metadata\n return ssl_verify_ok\n case .complete(.failed), .completeWithMetadata(.failed):\n return ssl_verify_invalid\n case .pendingResult:\n // Ask me again.\n return ssl_verify_retry\n case .notStarted:\n // The rest of this method handles this case.\n break\n }\n\n self.result = .pendingResult\n\n // Ok, no result. We must invoke the callback.\n self.callback.invoke(on: connection)\n\n return ssl_verify_retry\n }\n}\n\nextension CustomVerifyManager {\n private enum CallbackType {\n case `public`(NIOSSLCustomVerificationCallback)\n case publicWithMetadata(NIOSSLCustomVerificationCallbackWithMetadata)\n case `internal`(InternalCallback)\n\n // Prepares the promise that will be provided as an argument to the callback.\n private static func preparePromise(\n on connection: SSLConnection\n ) -> EventLoopPromise {\n // We need a promise for the user to use to supply a result.\n guard let eventLoop = connection.eventLoop else {\n // No event loop. We cannot possibly be negotiating here.\n preconditionFailure(\"No event loop present\")\n }\n\n let promise = eventLoop.makePromise(of: CallbackResult.self)\n\n // We need to attach our \"do the thing\" callback. This will always invoke the \"ask me again\" API, and it will do so in a separate\n // event loop tick to avoid awkward re-entrancy with this method.\n promise.futureResult.assumeIsolated().whenComplete { result in\n // When we complete here we need to set our result state, and then ask to respin certificate verification.\n // If we can't respin verification because we've dropped the parent handler, that's fine, no harm no foul.\n // For that reason, we tolerate both the verify manager and the parent handler being nil.\n eventLoop.assumeIsolated().execute {\n // Note that we don't close over self here: that's to deal with the fact that this is a struct, and we don't want to\n // escape the mutable ownership of self.\n precondition(\n connection.customVerificationManager == nil\n || connection.customVerificationManager?.result == .some(.pendingResult)\n )\n connection.customVerificationManager?.result = CallbackResult.pendingResult(result)\n connection.parentHandler?.resumeHandshake()\n }\n }\n\n return promise\n }\n\n /// For user-supplied callbacks we need to give them public types. For internal ones, we just pass the\n /// `EventLoopPromise` object through.\n func invoke(on connection: SSLConnection) {\n switch self {\n case .internal(let internalCallback):\n let promise: EventLoopPromise = Self.preparePromise(on: connection)\n\n internalCallback(promise)\n case .public(let callback):\n let promise: EventLoopPromise = Self.preparePromise(on: connection)\n\n do {\n callback(try connection.peerCertificateChain(), promise)\n } catch {\n promise.fail(error)\n }\n case .publicWithMetadata(let callback):\n let promise: EventLoopPromise = Self.preparePromise(\n on: connection\n )\n\n do {\n callback(try connection.peerCertificateChain(), promise)\n } catch {\n promise.fail(error)\n }\n }\n }\n }\n\n internal typealias InternalCallback = (EventLoopPromise) -> Void\n}\n\nextension NIOSSLVerificationResult: CustomVerifyManager.PendingResultConvertible {\n fileprivate static func pendingResult(_ result: Result) -> CustomVerifyManager.PendingResult {\n switch result {\n case .success(let s):\n .complete(s)\n case .failure:\n .complete(.failed)\n }\n }\n}\n\nextension NIOSSLVerificationResultWithMetadata: CustomVerifyManager.PendingResultConvertible {\n fileprivate static func pendingResult(_ result: Result) -> CustomVerifyManager.PendingResult {\n switch result {\n case .success(let s):\n .completeWithMetadata(s)\n case .failure:\n .completeWithMetadata(.failed)\n }\n }\n}\n\n/// Represents a *validated* certificate chain, an array of certificates forming a verified and ordered trust path,\n/// starting from the peer's certificate to a trusted root certificate.\npublic struct ValidatedCertificateChain: Sendable, Collection, RandomAccessCollection, Hashable {\n let validatedChain: [NIOSSLCertificate]\n\n public typealias Index = Int\n public typealias Element = NIOSSLCertificate\n\n public var startIndex: Index { self.validatedChain.startIndex }\n public var endIndex: Index { self.validatedChain.endIndex }\n\n public subscript(index: Index) -> Element {\n self.validatedChain[index]\n }\n\n public func index(after i: Index) -> Index {\n self.validatedChain.index(after: i)\n }\n\n /// Creates a `ValidatedCertificateChain` instance from an array of certificates forming a *verified* chain of trust.\n ///\n /// - Parameter validatedChain: An array of `NIOSSLCertificate` objects, representing the verified and ordered trust\n /// path, starting from the peer's certificate (first element) to a trusted root certificate (last element), with\n /// intermediate certificates ordered in between.\n ///\n /// - Important: Do not blindly pass in the array of certificates presented by the peer; the array *must* represent\n /// a fully validated and trusted chain.\n ///\n /// - Precondition: `validatedChain` must contain at least one certificate.\n public init(_ validatedChain: [NIOSSLCertificate]) {\n precondition(validatedChain.count > 0, \"The provided validated chain must have at least one certificate\")\n self.validatedChain = validatedChain\n }\n\n /// Returns the first element of the chain: the leaf certificate.\n public var leaf: NIOSSLCertificate {\n // We can safely force unwrap: the initializer enforces at least one element in `validatedChain`\n self.validatedChain.first!\n }\n}\n" }, { "path": "Sources/NIOSSL/SSLCertificate.swift", "content": "//===----------------------------------------------------------------------===//\n//\n// This source file is part of the SwiftNIO open source project\n//\n// Copyright (c) 2017-2021 Apple Inc. and the SwiftNIO project authors\n// Licensed under Apache License v2.0\n//\n// See LICENSE.txt for license information\n// See CONTRIBUTORS.txt for the list of SwiftNIO project authors\n//\n// SPDX-License-Identifier: Apache-2.0\n//\n//===----------------------------------------------------------------------===//\n\n@_implementationOnly import CNIOBoringSSL\n@_implementationOnly import CNIOBoringSSLShims\nimport NIOCore\n\n#if canImport(Darwin)\nimport Darwin.C\n#elseif canImport(Musl)\nimport Musl\n#elseif canImport(Glibc)\nimport Glibc\n#elseif canImport(Bionic)\nimport Bionic\n#else\n#error(\"unsupported os\")\n#endif\n\n#if canImport(Darwin)\nimport struct Darwin.time_t\n#elseif canImport(Glibc)\nimport struct Glibc.time_t\n#endif\n\n/// A reference to a BoringSSL Certificate object (`X509 *`).\n///\n/// This thin wrapper class allows us to use ARC to automatically manage\n/// the memory associated with this TLS certificate. That ensures that BoringSSL\n/// will not free the underlying buffer until we are done with the certificate.\n///\n/// This class also provides several convenience constructors that allow users\n/// to obtain an in-memory representation of a TLS certificate from a buffer of\n/// bytes or from a file path.\npublic final class NIOSSLCertificate {\n @usableFromInline\n internal let _ref: OpaquePointer //\n\n @inlinable\n internal func withUnsafeMutableX509Pointer(\n _ body: (OpaquePointer) throws -> ResultType\n ) rethrows -> ResultType {\n try body(self._ref)\n }\n\n // Internal to this class we can just access the ref directly.\n private var ref: OpaquePointer {\n self._ref\n }\n\n /// The serial number of this certificate, as raw bytes.\n public var serialNumber: [UInt8] {\n let serialNumber = CNIOBoringSSL_X509_get_serialNumber(self.ref)!\n return Array(UnsafeBufferPointer(start: serialNumber.pointee.data, count: Int(serialNumber.pointee.length)))\n }\n\n private init(withOwnedReference ref: OpaquePointer) {\n self._ref = ref\n }\n\n /// Create a ``NIOSSLCertificate`` from a file at a given path in either PEM or\n /// DER format.\n ///\n /// Note that this method will only ever load the first certificate from a given file.\n ///\n /// If you want to load certificates from a PEM file use ``fromPEMFile(_:)``. To load\n /// a certificate from a DER file use ``fromDERFile(_:)``.\n ///\n /// - parameters:\n /// - file: The path to the file to load the certificate from.\n /// - format: The format to use to parse the file.\n @available(\n *,\n deprecated,\n message: \"\"\"\n Use 'fromPEMFile(_:)' to load all certificates from a PEM file or 'fromDERFile(_:)' \\\n to load a single certificate from a DER file.\n \"\"\"\n )\n public convenience init(file: String, format: NIOSSLSerializationFormats) throws {\n try self.init(_file: file, format: format)\n }\n\n /// Create a ``NIOSSLCertificate`` from a file at a given path in either PEM or\n /// DER format.\n ///\n /// Note that this method will only ever load the first certificate from a given file.\n ///\n /// - parameters:\n /// - file: The path to the file to load the certificate from.\n /// - format: The format to use to parse the file.\n internal convenience init(_file file: String, format: NIOSSLSerializationFormats) throws {\n let fileObject = try Posix.fopen(file: file, mode: \"rb\")\n defer {\n fclose(fileObject)\n }\n\n let x509: OpaquePointer?\n switch format {\n case .pem:\n x509 = CNIOBoringSSL_PEM_read_X509(fileObject, nil, nil, nil)\n case .der:\n x509 = CNIOBoringSSL_d2i_X509_fp(fileObject, nil)\n }\n\n if x509 == nil {\n throw NIOSSLError.failedToLoadCertificate\n }\n\n self.init(withOwnedReference: x509!)\n }\n\n /// Create a ``NIOSSLCertificate`` from a buffer of bytes in either PEM or\n /// DER format.\n ///\n /// - SeeAlso: `NIOSSLCertificate.init(bytes:format:)`\n @available(*, deprecated, renamed: \"NIOSSLCertificate.init(bytes:format:)\")\n public convenience init(buffer: [Int8], format: NIOSSLSerializationFormats) throws {\n try self.init(bytes: buffer.map(UInt8.init), format: format)\n }\n\n /// Create a ``NIOSSLCertificate`` from a buffer of bytes in either PEM or\n /// DER format.\n ///\n /// - parameters:\n /// - bytes: The raw bytes containing the certificate.\n /// - format: The format to use to parse the file.\n public convenience init(bytes: [UInt8], format: NIOSSLSerializationFormats) throws {\n let ref = bytes.withUnsafeBytes { (ptr) -> OpaquePointer? in\n let bio = CNIOBoringSSL_BIO_new_mem_buf(ptr.baseAddress, ptr.count)!\n\n defer {\n CNIOBoringSSL_BIO_free(bio)\n }\n\n switch format {\n case .pem:\n return CNIOBoringSSL_PEM_read_bio_X509(bio, nil, nil, nil)\n case .der:\n return CNIOBoringSSL_d2i_X509_bio(bio, nil)\n }\n }\n\n if ref == nil {\n throw NIOSSLError.failedToLoadCertificate\n }\n\n self.init(withOwnedReference: ref!)\n }\n\n /// Create a NIOSSLCertificate from a buffer of bytes in either PEM or DER format.\n internal convenience init(bytes ptr: UnsafeRawBufferPointer, format: NIOSSLSerializationFormats) throws {\n // TODO(cory):\n // The body of this method is exactly identical to the initializer above, except for the \"withUnsafeBytes\" call.\n // ContiguousBytes would have been the lowest effort way to reduce this duplication, but we can't use it without\n // bringing Foundation in. Probably we should use Sequence where Element == UInt8 and the withUnsafeContiguousBytesIfAvailable\n // method, but that's a much more substantial refactor. Let's do it later.\n let bio = CNIOBoringSSL_BIO_new_mem_buf(ptr.baseAddress, ptr.count)!\n\n defer {\n CNIOBoringSSL_BIO_free(bio)\n }\n\n let ref: OpaquePointer?\n\n switch format {\n case .pem:\n ref = CNIOBoringSSL_PEM_read_bio_X509(bio, nil, nil, nil)\n case .der:\n ref = CNIOBoringSSL_d2i_X509_bio(bio, nil)\n }\n\n if ref == nil {\n throw NIOSSLError.failedToLoadCertificate\n }\n\n self.init(withOwnedReference: ref!)\n }\n\n /// Create a NIOSSLCertificate wrapping a pointer into BoringSSL.\n ///\n /// This is a function that should be avoided as much as possible because it plays poorly with\n /// BoringSSL's reference-counted memory. This function does not increment the reference count for the `X509`\n /// object here, nor does it duplicate it: it just takes ownership of the copy here. This object\n /// **will** deallocate the underlying `X509` object when deinited, and so if you need to keep that\n /// `X509` object alive you should call `X509_dup` before passing the pointer here.\n ///\n /// In general, however, this function should be avoided in favour of one of the convenience\n /// initializers, which ensure that the lifetime of the `X509` object is better-managed.\n static func fromUnsafePointer(takingOwnership pointer: OpaquePointer) -> NIOSSLCertificate {\n NIOSSLCertificate(withOwnedReference: pointer)\n }\n\n /// Get a collection of the alternative names in the certificate.\n public func _subjectAlternativeNames() -> _SubjectAlternativeNames {\n let sanExtension = CNIOBoringSSL_X509_get_ext_d2i(self.ref, NID_subject_alt_name, nil, nil)\n return _SubjectAlternativeNames(nameStack: sanExtension.map(OpaquePointer.init))\n }\n\n /// Extracts the SHA1 hash of the subject name before it has been truncated.\n ///\n /// - returns: Numeric hash of the subject name.\n internal func getSubjectNameHash() -> UInt32 {\n CNIOBoringSSL_X509_subject_name_hash(self.ref)\n }\n\n /// Returns the commonName field in the Subject of this certificate.\n ///\n /// It is technically possible to have multiple common names in a certificate. As the primary\n /// purpose of this field in SwiftNIO is to validate TLS certificates, we only ever return\n /// the *most significant* (i.e. last) instance of commonName in the subject.\n internal func commonName() -> [UInt8]? {\n // No subject name is unexpected, but it gives us an easy time of handling this at least.\n guard let subjectName = CNIOBoringSSL_X509_get_subject_name(self.ref) else {\n return nil\n }\n\n // Per the man page, to find the first entry we set lastIndex to -1. When there are no\n // more entries, -1 is returned as the index of the next entry.\n var lastIndex: CInt = -1\n var nextIndex: CInt = -1\n repeat {\n lastIndex = nextIndex\n nextIndex = CNIOBoringSSL_X509_NAME_get_index_by_NID(subjectName, NID_commonName, lastIndex)\n } while nextIndex >= 0\n\n // It's totally allowed to have no commonName.\n guard lastIndex >= 0 else {\n return nil\n }\n\n // This is very unlikely, but it could happen.\n guard\n let nameData = CNIOBoringSSL_X509_NAME_ENTRY_get_data(\n CNIOBoringSSL_X509_NAME_get_entry(subjectName, lastIndex)\n )\n else {\n return nil\n }\n\n // Cool, we have the name. Let's have BoringSSL give it to us in UTF-8 form and then put those bytes\n // into our own array.\n var encodedName: UnsafeMutablePointer? = nil\n let stringLength = CNIOBoringSSL_ASN1_STRING_to_UTF8(&encodedName, nameData)\n\n guard let namePtr = encodedName else {\n return nil\n }\n\n let arr = [UInt8](UnsafeBufferPointer(start: namePtr, count: Int(stringLength)))\n CNIOBoringSSL_OPENSSL_free(namePtr)\n return arr\n }\n\n deinit {\n CNIOBoringSSL_X509_free(ref)\n }\n}\n\n// NIOSSLCertificate is publicly immutable and we do not internally mutate it after initialisation.\n// It is therefore Sendable.\nextension NIOSSLCertificate: @unchecked Sendable {}\n\n// MARK:- Utility Functions\n// We don't really want to get too far down the road of providing helpers for things like certificates\n// and private keys: this is really the domain of alternative cryptography libraries. However, to\n// enable users of swift-nio-ssl to use other cryptography libraries it will be helpful to provide\n// the ability to obtain the bytes that correspond to certificates and keys.\nextension NIOSSLCertificate {\n /// Obtain the public key for this ``NIOSSLCertificate``.\n ///\n /// - returns: This certificate's ``NIOSSLPublicKey``.\n /// - throws: If an error is encountered extracting the key.\n public func extractPublicKey() throws -> NIOSSLPublicKey {\n guard let key = CNIOBoringSSL_X509_get_pubkey(self.ref) else {\n fatalError(\"Failed to extract a public key reference\")\n }\n\n return NIOSSLPublicKey.fromInternalPointer(takingOwnership: key)\n }\n\n /// Extracts the bytes of this certificate in DER format.\n ///\n /// - returns: The DER-encoded bytes for this certificate.\n /// - throws: If an error occurred while serializing the certificate.\n public func toDERBytes() throws -> [UInt8] {\n try self.withUnsafeDERCertificateBuffer { Array($0) }\n }\n\n /// Create an array of ``NIOSSLCertificate``s from a buffer of bytes in PEM format.\n ///\n /// - Parameter buffer: The PEM buffer to read certificates from.\n /// - Throws: If an error is encountered while reading certificates.\n /// - SeeAlso: `NIOSSLCertificate.fromPEMBytes(_:)`\n @available(*, deprecated, renamed: \"NIOSSLCertificate.fromPEMBytes(_:)\")\n public class func fromPEMBuffer(_ buffer: [Int8]) throws -> [NIOSSLCertificate] {\n try fromPEMBytes(buffer.map(UInt8.init))\n }\n\n /// Create an array of ``NIOSSLCertificate``s from a buffer of bytes in PEM format.\n ///\n /// - Parameter bytes: The PEM buffer to read certificates from.\n /// - Throws: If an error is encountered while reading certificates.\n public class func fromPEMBytes(_ bytes: [UInt8]) throws -> [NIOSSLCertificate] {\n CNIOBoringSSL_ERR_clear_error()\n defer {\n CNIOBoringSSL_ERR_clear_error()\n }\n\n return try bytes.withUnsafeBytes { (ptr) -> [NIOSSLCertificate] in\n let bio = CNIOBoringSSL_BIO_new_mem_buf(ptr.baseAddress, ptr.count)!\n defer {\n CNIOBoringSSL_BIO_free(bio)\n }\n\n return try readCertificatesFromBIO(bio)\n }\n }\n\n /// Create an array of ``NIOSSLCertificate``s from a file at a given path in PEM format.\n ///\n /// - Parameter path: The PEM file to read certificates from.\n /// - Throws: If an error is encountered while reading certificates.\n public class func fromPEMFile(_ path: String) throws -> [NIOSSLCertificate] {\n CNIOBoringSSL_ERR_clear_error()\n defer {\n CNIOBoringSSL_ERR_clear_error()\n }\n\n guard let bio = CNIOBoringSSL_BIO_new(CNIOBoringSSL_BIO_s_file()) else {\n fatalError(\"Failed to create a BIO handle to read a PEM file\")\n }\n defer {\n CNIOBoringSSL_BIO_free(bio)\n }\n\n guard CNIOBoringSSL_BIO_read_filename(bio, path) > 0 else {\n throw NIOSSLError.failedToLoadCertificate\n }\n\n return try readCertificatesFromBIO(bio)\n }\n\n /// Create a ``NIOSSLCertificate`` from a DER file at a given path.\n ///\n /// - parameters:\n /// - path: The path to the file to load the certificate from.\n public static func fromDERFile(_ path: String) throws -> NIOSSLCertificate {\n try NIOSSLCertificate(_file: path, format: .der)\n }\n\n /// Returns the timestamp before which this certificate is not valid.\n ///\n /// The value is in seconds since the UNIX epoch.\n public var notValidBefore: time_t {\n // This ref is owned by self.\n let notBefore = CNIOBoringSSL_X509_get0_notBefore(self.ref)!\n return notBefore.timeSinceEpoch\n }\n\n /// Returns the timestamp after which this certificate is not valid.\n ///\n /// The value is in seconds since the UNIX epoch.\n public var notValidAfter: time_t {\n // This ref is owned by self.\n let notAfter = CNIOBoringSSL_X509_get0_notAfter(self.ref)!\n return notAfter.timeSinceEpoch\n }\n\n /// Reads `NIOSSLCertificate`s from the given BIO.\n private class func readCertificatesFromBIO(_ bio: UnsafeMutablePointer) throws -> [NIOSSLCertificate] {\n guard let x509 = CNIOBoringSSL_PEM_read_bio_X509_AUX(bio, nil, nil, nil) else {\n throw NIOSSLError.failedToLoadCertificate\n }\n\n var certificates = [NIOSSLCertificate(withOwnedReference: x509)]\n\n while let x = CNIOBoringSSL_PEM_read_bio_X509(bio, nil, nil, nil) {\n certificates.append(.init(withOwnedReference: x))\n }\n\n let err = CNIOBoringSSL_ERR_peek_error()\n\n // If we hit the end of the file then it's not a real error, we just read as much as we could.\n if CNIOBoringSSLShims_ERR_GET_LIB(err) == ERR_LIB_PEM\n && CNIOBoringSSLShims_ERR_GET_REASON(err) == PEM_R_NO_START_LINE\n {\n CNIOBoringSSL_ERR_clear_error()\n } else {\n throw NIOSSLError.failedToLoadCertificate\n }\n\n return certificates\n }\n\n /// Calls the given body function with a temporary buffer containing the DER-encoded bytes of this\n /// certificate. This function does allocate for these bytes, but there is no way to avoid doing so with the\n /// X509 API in BoringSSL.\n ///\n /// The pointer provided to the closure is not valid beyond the lifetime of this method call.\n private func withUnsafeDERCertificateBuffer(_ body: (UnsafeRawBufferPointer) throws -> T) throws -> T {\n guard let bio = CNIOBoringSSL_BIO_new(CNIOBoringSSL_BIO_s_mem()) else {\n fatalError(\"Failed to malloc for a BIO handler\")\n }\n\n defer {\n CNIOBoringSSL_BIO_free(bio)\n }\n\n let rc = CNIOBoringSSL_i2d_X509_bio(bio, self.ref)\n guard rc == 1 else {\n let errorStack = BoringSSLError.buildErrorStack()\n throw BoringSSLError.unknownError(errorStack)\n }\n\n var dataPtr: UnsafeMutablePointer? = nil\n let length = CNIOBoringSSL_BIO_get_mem_data(bio, &dataPtr)\n\n guard let bytes = dataPtr.map({ UnsafeRawBufferPointer(start: $0, count: length) }) else {\n fatalError(\"Failed to map bytes from a certificate\")\n }\n\n return try body(bytes)\n }\n}\n\nextension NIOSSLCertificate: Equatable {\n public static func == (lhs: NIOSSLCertificate, rhs: NIOSSLCertificate) -> Bool {\n CNIOBoringSSL_X509_cmp(lhs.ref, rhs.ref) == 0\n }\n}\n\nextension NIOSSLCertificate: Hashable {\n public func hash(into hasher: inout Hasher) {\n // We just hash the DER bytes of the cert. If we can't get the bytes, this is a fatal error as\n // we have no way to recover from it. It's unfortunate that this allocates, but the code to hash\n // a certificate in any other way is too fragile to justify.\n try! self.withUnsafeDERCertificateBuffer { hasher.combine(bytes: $0) }\n }\n}\n\nextension NIOSSLCertificate: CustomStringConvertible {\n\n public var description: String {\n let serialNumber = self.serialNumber.map { String($0, radix: 16) }.reduce(\"\", +)\n var desc = \"\"\n }\n\n}\n\nextension UnsafePointer where Pointee == ASN1_TIME {\n var timeSinceEpoch: time_t {\n let epochTime = CNIOBoringSSL_ASN1_TIME_new()!\n defer {\n CNIOBoringSSL_ASN1_TIME_free(epochTime)\n }\n\n // This sets the ASN1_TIME to epoch time.\n CNIOBoringSSL_ASN1_TIME_set(epochTime, 0)\n var day = CInt(0)\n var seconds = CInt(0)\n\n let rc = CNIOBoringSSL_ASN1_TIME_diff(&day, &seconds, epochTime, self)\n precondition(rc != 0)\n\n // 86400 seconds in a day\n return time_t(day) * 86400 + time_t(seconds)\n }\n}\n" }, { "path": "Sources/NIOSSL/SSLCertificateExtensions.swift", "content": "//===----------------------------------------------------------------------===//\n//\n// This source file is part of the SwiftNIO open source project\n//\n// Copyright (c) 2022 Apple Inc. and the SwiftNIO project authors\n// Licensed under Apache License v2.0\n//\n// See LICENSE.txt for license information\n// See CONTRIBUTORS.txt for the list of SwiftNIO project authors\n//\n// SPDX-License-Identifier: Apache-2.0\n//\n//===----------------------------------------------------------------------===//\n\n@_implementationOnly import CNIOBoringSSL\n@_implementationOnly import CNIOBoringSSLShims\n\nextension NIOSSLCertificate {\n public struct _Extensions {\n private enum Storage {\n final class Deallocator {\n /// `reference` is optional because `CNIOBoringSSL_X509_get0_extensions` can return`nil` if no extensions are present.\n /// We therefore need to handle the `nil` case as if this collection is empty.\n let reference: OpaquePointer?\n\n init(takeOwnershipOf reference: OpaquePointer?) {\n self.reference = reference\n }\n\n deinit {\n if let reference = self.reference {\n CNIOBoringSSL_sk_X509_EXTENSION_free(reference)\n }\n }\n }\n\n case owned(Deallocator)\n /// `reference` is optional because `CNIOBoringSSL_X509_get0_extensions` can return`nil` if no extensions are present.\n /// We therefore need to handle the `nil` case as if this collection is empty.\n case borrowed(reference: OpaquePointer?, owner: AnyObject)\n\n init(takeOwnershipOf reference: OpaquePointer?) {\n self = .owned(.init(takeOwnershipOf: reference))\n }\n\n init(borrowing reference: OpaquePointer?, owner: AnyObject) {\n self = .borrowed(reference: reference, owner: owner)\n }\n\n /// The owner of the memory to which the reference points\n var owner: AnyObject {\n switch self {\n case .owned(let deallocator):\n return deallocator\n case .borrowed(_, let owner):\n return owner\n }\n }\n\n /// All operations accessing `reference` need to be implemented while guaranteeing that we still have a reference to the memory owner.\n /// Otherwise `reference` could already be freed. This would result in undefined behaviour as we access a dangling pointer.\n /// This method guarantees that `reference` is valid during execution of `body`.\n internal func withReference(\n _ body: (OpaquePointer?) throws -> Result\n ) rethrows -> Result {\n try withExtendedLifetime(self) {\n switch self {\n case .owned(let deallocator):\n return try body(deallocator.reference)\n case .borrowed(let reference, _):\n return try body(reference)\n }\n }\n }\n }\n\n @usableFromInline internal let stackSize: Int\n private let storage: Storage\n\n internal init(takeOwnershipOf reference: OpaquePointer?) {\n self.storage = .init(takeOwnershipOf: reference)\n if let reference = reference {\n self.stackSize = CNIOBoringSSL_sk_X509_EXTENSION_num(reference)\n } else {\n self.stackSize = 0\n }\n }\n\n internal init(borrowing reference: OpaquePointer?, owner: AnyObject) {\n self.storage = .init(borrowing: reference, owner: owner)\n if let reference = reference {\n self.stackSize = CNIOBoringSSL_sk_X509_EXTENSION_num(reference)\n } else {\n self.stackSize = 0\n }\n }\n }\n}\n\n// NIOSSLCertificate._Extensions is immutable and therefore Sendable\nextension NIOSSLCertificate._Extensions: @unchecked Sendable {}\n\nextension NIOSSLCertificate {\n public var _extensions: NIOSSLCertificate._Extensions {\n NIOSSLCertificate._Extensions(borrowing: CNIOBoringSSL_X509_get0_extensions(self._ref), owner: self)\n }\n}\n\nextension NIOSSLCertificate._Extensions: RandomAccessCollection {\n public subscript(position: Int) -> NIOSSLCertificate._Extension {\n precondition(self.indices.contains(position), \"index \\(position) out of bounds\")\n return self.storage.withReference { reference in\n let value = CNIOBoringSSLShims_sk_X509_EXTENSION_value(reference!, position)!\n return .init(borrowing: value, owner: self.storage.owner)\n }\n }\n\n @inlinable public var startIndex: Int { 0 }\n @inlinable public var endIndex: Int { self.stackSize }\n}\n\nextension NIOSSLCertificate {\n public struct _Extension {\n init(borrowing reference: OpaquePointer, owner: AnyObject) {\n self.owner = owner\n self._reference = reference\n }\n\n /// lifetime automatically managed by `owner`\n private let _reference: OpaquePointer\n\n /// only part of this type to keep a strong reference to the underlying storage of `reference`\n private let owner: AnyObject\n\n /// All operations accessing `reference` need to be implemented while guaranteeing that we still have a reference to the memory `owner`.\n /// Otherwise `reference` could already be freed. This would result in undefined behaviour as we access a dangling pointer.\n /// This method guarantees that `reference` is valid during execution of `body`.\n func withReference(\n _ body: (OpaquePointer?) throws -> Result\n ) rethrows -> Result {\n try withExtendedLifetime(owner) {\n try body(self._reference)\n }\n }\n\n public var objectIdentifier: NIOSSLObjectIdentifier {\n withReference {\n .init(borrowing: CNIOBoringSSL_X509_EXTENSION_get_object($0), owner: self.owner)\n }\n }\n\n public var isCritical: Bool {\n withReference {\n CNIOBoringSSL_X509_EXTENSION_get_critical($0) == 1\n }\n }\n\n public var data: Data {\n withReference {\n let data = CNIOBoringSSL_X509_EXTENSION_get_data($0)\n let buffer = UnsafeBufferPointer(\n start: CNIOBoringSSL_ASN1_STRING_get0_data(data),\n count: Int(CNIOBoringSSL_ASN1_STRING_length(data))\n )\n return .init(buffer: buffer, owner: self.owner)\n }\n }\n }\n}\n\n// NIOSSLCertificate._Extension is immutable and therefore Sendable\nextension NIOSSLCertificate._Extension: @unchecked Sendable {}\n\nextension NIOSSLCertificate._Extension {\n public struct Data {\n // only part of this type to keep a strong reference to the underlying storage of `buffer`\n private let owner: AnyObject\n // lifetime automatically managed by `owner`\n @usableFromInline internal let buffer: UnsafeBufferPointer\n\n internal init(buffer: UnsafeBufferPointer, owner: AnyObject) {\n self.buffer = buffer\n self.owner = owner\n }\n\n @inlinable public func withUnsafeBufferPointer(\n _ body: (UnsafeBufferPointer) throws -> Result\n ) rethrows -> Result {\n try withExtendedLifetime(self) {\n try body(self.buffer)\n }\n }\n @inlinable public func withUnsafeBytes(\n _ body: (UnsafeRawBufferPointer) throws -> Result\n ) rethrows -> Result {\n try withExtendedLifetime(self) {\n try body(.init(self.buffer))\n }\n }\n }\n}\n\n// NIOSSLCertificate._Extension.Data is immutable and therefore Sendable\nextension NIOSSLCertificate._Extension.Data: @unchecked Sendable {}\n\nextension NIOSSLCertificate._Extension.Data: RandomAccessCollection {\n @inlinable public var startIndex: Int { self.buffer.startIndex }\n @inlinable public var endIndex: Int { self.buffer.endIndex }\n\n @inlinable public subscript(position: Int) -> UInt8 {\n precondition(self.indices.contains(position), \"index \\(position) out of bounds\")\n return withUnsafeBufferPointer { $0[position] }\n }\n\n @inlinable public func withContiguousStorageIfAvailable(\n _ body: (UnsafeBufferPointer) throws -> Result\n ) rethrows -> Result? {\n try withUnsafeBufferPointer(body)\n }\n}\n" }, { "path": "Sources/NIOSSL/SSLCertificateName.swift", "content": "//===----------------------------------------------------------------------===//\n//\n// This source file is part of the SwiftNIO open source project\n//\n// Copyright (c) 2025 Apple Inc. and the SwiftNIO project authors\n// Licensed under Apache License v2.0\n//\n// See LICENSE.txt for license information\n// See CONTRIBUTORS.txt for the list of SwiftNIO project authors\n//\n// SPDX-License-Identifier: Apache-2.0\n//\n//===----------------------------------------------------------------------===//\n\n@_implementationOnly import CNIOBoringSSL\n\n/// Defines the type of X509 name\npublic struct SSLCertificateNameType: Equatable, Hashable, Sendable {\n internal var nid: Int32\n public static let organization = SSLCertificateNameType(nid: NID_organizationName)\n public static let organizationalUnit = SSLCertificateNameType(nid: NID_organizationalUnitName)\n public static let state = SSLCertificateNameType(nid: NID_stateOrProvinceName)\n public static let country = SSLCertificateNameType(nid: NID_countryName)\n public static let city = SSLCertificateNameType(nid: NID_localityName)\n public static let commonName = SSLCertificateNameType(nid: NID_commonName)\n public static let emailAddress = SSLCertificateNameType(nid: NID_pkcs9_emailAddress)\n public static let userId = SSLCertificateNameType(nid: NID_userId)\n}\n\n/// Contains the string value of a X509 name\npublic struct SSLCertificateName: Equatable, Hashable, Sendable {\n public var value: String\n public var type: SSLCertificateNameType\n\n public init(_ value: String, _ type: SSLCertificateNameType) {\n self.value = value\n self.type = type\n }\n}\n\nextension NIOSSLCertificate {\n private static func convertName(_ name: OpaquePointer) -> [SSLCertificateName] {\n\n let count = CNIOBoringSSL_X509_NAME_entry_count(name)\n var names = [SSLCertificateName]()\n names.reserveCapacity(Int(count))\n for index in 0..? = nil\n let stringLength = CNIOBoringSSL_ASN1_STRING_to_UTF8(&encodedName, data)\n\n guard let namePtr = encodedName else {\n continue\n }\n\n defer {\n CNIOBoringSSL_OPENSSL_free(namePtr)\n }\n\n let arr = UnsafeBufferPointer(start: namePtr, count: Int(stringLength))\n let nameString = String(decoding: arr, as: UTF8.self)\n let nid = CNIOBoringSSL_OBJ_obj2nid(object)\n names.append(SSLCertificateName(nameString, .init(nid: nid)))\n }\n\n return names\n }\n\n /// Return an array of SSLCertificateName enums containing the subject name of the\n /// underlying X509 Certificate\n public var subjectName: [SSLCertificateName] {\n guard let subjectName = CNIOBoringSSL_X509_get_subject_name(self._ref) else {\n return []\n }\n\n return Self.convertName(subjectName)\n\n }\n\n /// Return an array of SSLCertificateName enums containing the issuer name of the\n /// underlying X509 Certificate\n public var issuerName: [SSLCertificateName] {\n guard let issuerName = CNIOBoringSSL_X509_get_issuer_name(self._ref) else {\n return []\n }\n\n return Self.convertName(issuerName)\n }\n}\n" }, { "path": "Sources/NIOSSL/SSLConnection.swift", "content": "//===----------------------------------------------------------------------===//\n//\n// This source file is part of the SwiftNIO open source project\n//\n// Copyright (c) 2017-2021 Apple Inc. and the SwiftNIO project authors\n// Licensed under Apache License v2.0\n//\n// See LICENSE.txt for license information\n// See CONTRIBUTORS.txt for the list of SwiftNIO project authors\n//\n// SPDX-License-Identifier: Apache-2.0\n//\n//===----------------------------------------------------------------------===//\n\n@_implementationOnly import CNIOBoringSSL\nimport NIOCore\n\ninternal let SSL_MAX_RECORD_SIZE = 16 * 1024\n\n/// This is used as the application data index to store pointers to `SSLConnection` objects in\n/// `SSL` objects. It is only safe to use after BoringSSL initialization. As it's declared global,\n/// it will be lazily initialized and protected by a dispatch_once, ensuring that it's thread-safe.\ninternal let sslConnectionExDataIndex = CNIOBoringSSL_SSL_get_ex_new_index(0, nil, nil, nil, nil)\n\n/// Encodes the return value of a non-blocking BoringSSL method call.\n///\n/// This enum maps BoringSSL's return values to a small number of cases. A success\n/// value naturally maps to `.complete`, and most errors map to `.failed`. However,\n/// the BoringSSL \"errors\" `WANT_READ` and `WANT_WRITE` are mapped to `.incomplete`, to\n/// help distinguish them from the other error cases. This makes it easier for code to\n/// handle the \"must wait for more data\" case by calling it out directly.\nenum AsyncOperationResult {\n case incomplete\n case complete(T)\n case failed(BoringSSLError)\n}\n\n/// A wrapper class that encapsulates BoringSSL's `SSL *` object.\n///\n/// This class represents a single TLS connection, and performs all of crypto and record\n/// framing required by TLS. It also records the configuration and parent `NIOSSLContext` object\n/// used to create the connection.\ninternal final class SSLConnection {\n private let ssl: OpaquePointer\n internal let parentContext: NIOSSLContext\n private var bio: ByteBufferBIO?\n internal var expectedHostname: String?\n internal var role: ConnectionRole?\n internal var parentHandler: NIOSSLHandler?\n internal var eventLoop: EventLoop?\n\n /// Deprecated in favour of customVerificationManager\n private var verificationCallback: NIOSSLVerificationCallback?\n internal var customVerificationManager: CustomVerifyManager?\n internal var customPrivateKeyResult: Result?\n internal var customContextManager: CustomContextManager?\n internal var currentOverride: NIOSSLContextConfigurationOverride?\n\n /// Whether certificate hostnames should be validated.\n var validateHostnames: Bool {\n if case .fullVerification = parentContext.configuration.certificateVerification {\n return true\n }\n return false\n }\n\n init(ownedSSL: OpaquePointer, parentContext: NIOSSLContext) {\n self.ssl = ownedSSL\n self.parentContext = parentContext\n\n if let customContextCallback = parentContext.configuration.sslContextCallback {\n self.customContextManager = CustomContextManager(callback: customContextCallback)\n }\n\n // We pass the SSL object an unowned reference to this object.\n let pointerToSelf = Unmanaged.passUnretained(self).toOpaque()\n CNIOBoringSSL_SSL_set_ex_data(self.ssl, sslConnectionExDataIndex, pointerToSelf)\n\n self.setRenegotiationSupport(self.parentContext.configuration.renegotiationSupport)\n }\n\n deinit {\n CNIOBoringSSL_SSL_free(ssl)\n }\n\n /// Configures this as a server connection.\n func setAcceptState() {\n CNIOBoringSSL_SSL_set_accept_state(ssl)\n self.role = .server\n }\n\n /// Configures this as a client connection.\n func setConnectState() {\n CNIOBoringSSL_SSL_set_connect_state(ssl)\n self.role = .client\n }\n\n func setAllocator(_ allocator: ByteBufferAllocator, maximumPreservedOutboundBufferCapacity: Int) {\n self.bio = ByteBufferBIO(\n allocator: allocator,\n maximumPreservedOutboundBufferCapacity: maximumPreservedOutboundBufferCapacity\n )\n\n // This weird dance where we pass the *exact same* pointer in to both objects is because, weirdly,\n // the BoringSSL docs claim that only one reference count will be consumed here. We therefore need to\n // avoid calling BIO_up_ref too many times.\n let bioPtr = self.bio!.retainedBIO()\n CNIOBoringSSL_SSL_set_bio(self.ssl, bioPtr, bioPtr)\n }\n\n /// Sets the value of the SNI extension to send to the server.\n ///\n /// This method must only be called with a hostname, not an IP address. Sending\n /// an IP address in the SNI extension is invalid, and may result in handshake\n /// failure.\n func setServerName(name: String) throws {\n CNIOBoringSSL_ERR_clear_error()\n let rc = name.withCString {\n CNIOBoringSSL_SSL_set_tlsext_host_name(ssl, $0)\n }\n guard rc == 1 else {\n throw BoringSSLError.invalidSNIName(BoringSSLError.buildErrorStack())\n }\n self.expectedHostname = name\n }\n\n /// Sets the BoringSSL old-style verification callback.\n ///\n /// This is deprecated in favour of the new-style verification callback in SSLContext.\n func setVerificationCallback(_ callback: @escaping NIOSSLVerificationCallback) {\n // Store the verification callback. We need to do this to keep it alive throughout the connection.\n // We'll drop this when we're told that it's no longer needed to ensure we break the reference cycles\n // that this callback inevitably produces.\n self.verificationCallback = callback\n\n // We need to know what the current mode is.\n let currentMode = CNIOBoringSSL_SSL_get_verify_mode(self.ssl)\n CNIOBoringSSL_SSL_set_verify(self.ssl, currentMode) { preverify, storeContext in\n // To start out, let's grab the certificate we're operating on.\n guard let certPointer = CNIOBoringSSL_X509_STORE_CTX_get_current_cert(storeContext) else {\n preconditionFailure(\n \"Can only have verification function invoked with actual certificate: bad store \\(String(describing: storeContext))\"\n )\n }\n CNIOBoringSSL_X509_up_ref(certPointer)\n let cert = NIOSSLCertificate.fromUnsafePointer(takingOwnership: certPointer)\n\n // Next, prepare the verification result.\n let verificationResult = NIOSSLVerificationResult(fromBoringSSLPreverify: preverify)\n\n // Now, grab the SSLConnection object.\n guard\n let ssl = CNIOBoringSSL_X509_STORE_CTX_get_ex_data(\n storeContext,\n CNIOBoringSSL_SSL_get_ex_data_X509_STORE_CTX_idx()\n )\n else {\n preconditionFailure(\"Unable to obtain SSL * from X509_STORE_CTX * \\(String(describing: storeContext))\")\n }\n let connection = SSLConnection.loadConnectionFromSSL(OpaquePointer(ssl))\n switch connection.verificationCallback!(verificationResult, cert) {\n case .certificateVerified:\n return 1\n case .failed:\n return 0\n }\n }\n }\n\n func setCustomVerificationCallback(_ callbackManager: CustomVerifyManager) {\n // Store the verification callback. We need to do this to keep it alive throughout the connection.\n // We'll drop this when we're told that it's no longer needed to ensure we break the reference cycles\n // that this callback inevitably produces.\n self.customVerificationManager = callbackManager\n\n // We need to know what the current mode is.\n // Note that this also has the effect of ensuring that if we disabled certificate validation\n // it actually _stays_ disabled: if the verify mode is no-verification, this callback never gets called.\n let currentMode = CNIOBoringSSL_SSL_get_verify_mode(self.ssl)\n CNIOBoringSSL_SSL_set_custom_verify(self.ssl, currentMode) { ssl, outAlert in\n guard let unwrappedSSL = ssl else {\n preconditionFailure(\n \"Unexpected null pointer in custom verification callback. ssl: \\(String(describing: ssl))\"\n )\n }\n\n // Ok, this call may be a resumption of a previous negotiation. We need to check if our connection object has a pre-existing verifiation state.\n let connection = SSLConnection.loadConnectionFromSSL(unwrappedSSL)\n\n // We force unwrap the custom verification manager because for it to not be set is a programmer error.\n return connection.customVerificationManager!.process(on: connection)\n }\n }\n\n /// Sets whether renegotiation is supported.\n func setRenegotiationSupport(_ state: NIORenegotiationSupport) {\n var baseState: ssl_renegotiate_mode_t\n\n switch state {\n case .none:\n baseState = ssl_renegotiate_never\n case .once:\n baseState = ssl_renegotiate_once\n case .always:\n baseState = ssl_renegotiate_freely\n }\n\n CNIOBoringSSL_SSL_set_renegotiate_mode(self.ssl, baseState)\n }\n\n /// Performs hostname validation against the peer certificate using the configured server name.\n func validateHostname(address: SocketAddress) throws {\n // We want the leaf certificate.\n guard let peerCert = self.getPeerCertificate() else {\n throw NIOSSLError.noCertificateToValidate\n }\n\n guard\n try validIdentityForService(\n serverHostname: self.expectedHostname,\n socketAddress: address,\n leafCertificate: peerCert\n )\n else {\n throw NIOSSLExtraError.failedToValidateHostname(expectedName: self.expectedHostname ?? \"\")\n }\n }\n\n /// Spins the handshake state machine and performs the next step of the handshake\n /// protocol.\n ///\n /// This method may write data into internal buffers that must be sent: call\n /// `getDataForNetwork` after this method is called. This method also consumes\n /// data from internal buffers: call `consumeDataFromNetwork` before calling this\n /// method.\n func doHandshake() -> AsyncOperationResult {\n CNIOBoringSSL_ERR_clear_error()\n let rc = CNIOBoringSSL_SSL_do_handshake(ssl)\n\n if rc == 1 {\n return .complete(rc)\n }\n\n let result = CNIOBoringSSL_SSL_get_error(ssl, rc)\n let error = BoringSSLError.fromSSLGetErrorResult(result)!\n\n switch error {\n case .wantRead,\n .wantWrite,\n .wantCertificateVerify,\n .wantX509Lookup:\n return .incomplete\n default:\n return .failed(error)\n }\n }\n\n /// Spins the shutdown state machine and performs the next step of the shutdown\n /// protocol.\n ///\n /// This method may write data into internal buffers that must be sent: call\n /// `getDataForNetwork` after this method is called. This method also consumes\n /// data from internal buffers: call `consumeDataFromNetwork` before calling this\n /// method.\n func doShutdown() -> AsyncOperationResult {\n CNIOBoringSSL_ERR_clear_error()\n let rc = CNIOBoringSSL_SSL_shutdown(ssl)\n\n switch rc {\n case 1:\n return .complete(rc)\n case 0:\n return .incomplete\n default:\n let result = CNIOBoringSSL_SSL_get_error(ssl, rc)\n let error = BoringSSLError.fromSSLGetErrorResult(result)!\n\n switch error {\n case .wantRead,\n .wantWrite:\n return .incomplete\n default:\n return .failed(error)\n }\n }\n }\n\n /// Given some unprocessed data from the remote peer, places it into\n /// BoringSSL's receive buffer ready for handling by BoringSSL.\n ///\n /// This method should be called whenever data is received from the remote\n /// peer. It must be immediately followed by an I/O operation, e.g. `readDataFromNetwork`\n /// or `doHandshake` or `doShutdown`.\n func consumeDataFromNetwork(_ data: ByteBuffer) {\n self.bio!.receiveFromNetwork(buffer: data)\n }\n\n /// Obtains some encrypted data ready for the network from BoringSSL.\n ///\n /// This call obtains only data that BoringSSL has already written into its send\n /// buffer. As a result, it should be called last, after all other operations have\n /// been performed, to allow BoringSSL to write as much data as necessary into the\n /// `BIO`.\n ///\n /// Returns `nil` if there is no data to write. Otherwise, returns all of the pending\n /// data.\n func getDataForNetwork() -> ByteBuffer? {\n self.bio!.outboundCiphertext()\n }\n\n /// Attempts to decrypt any application data sent by the remote peer, and fills a buffer\n /// containing the cleartext bytes.\n ///\n /// This method can only consume data previously fed into BoringSSL in `consumeDataFromNetwork`.\n func readDataFromNetwork(outputBuffer: inout ByteBuffer) -> AsyncOperationResult {\n // TODO(cory): It would be nice to have an withUnsafeMutableWriteableBytes here, but we don't, so we\n // need to make do with writeWithUnsafeMutableBytes instead. The core issue is that we can't\n // safely return any of the error values that SSL_read might provide here because writeWithUnsafeMutableBytes\n // will try to use that as the number of bytes written and blow up. If we could prevent it doing that (which\n // we can with reading) that would be grand, but we can't, so instead we need to use a temp variable. Not ideal.\n //\n // We require that there is space to write at least one TLS record.\n var bytesRead: CInt = 0\n let rc = outputBuffer.writeWithUnsafeMutableBytes(minimumWritableBytes: SSL_MAX_RECORD_SIZE) {\n (pointer) -> Int in\n // We ask for the amount of spare space in the buffer, clamping to CInt.max.\n let maxReadSize = Int(CInt.max)\n let readSize = CInt(min(maxReadSize, pointer.count))\n bytesRead = CNIOBoringSSL_SSL_read(self.ssl, pointer.baseAddress, readSize)\n return bytesRead >= 0 ? Int(bytesRead) : 0\n }\n\n if bytesRead > 0 {\n return .complete(rc)\n } else {\n let result = CNIOBoringSSL_SSL_get_error(ssl, CInt(bytesRead))\n let error = BoringSSLError.fromSSLGetErrorResult(result)!\n\n switch error {\n case .wantRead,\n .wantWrite:\n return .incomplete\n default:\n return .failed(error)\n }\n }\n }\n\n /// Encrypts cleartext application data ready for sending on the network.\n ///\n /// This call will only write the data into BoringSSL's internal buffers. It needs to be obtained\n /// by calling `getDataForNetwork` after this call completes.\n func writeDataToNetwork(_ data: inout ByteBuffer) -> AsyncOperationResult {\n // BoringSSL does not allow calling SSL_write with zero-length buffers. Zero-length\n // writes always succeed.\n guard data.readableBytes > 0 else {\n return .complete(0)\n }\n\n let writtenBytes = data.withUnsafeReadableBytes { (pointer) -> CInt in\n CNIOBoringSSL_SSL_write(ssl, pointer.baseAddress, CInt(pointer.count))\n }\n\n if writtenBytes > 0 {\n // The default behaviour of SSL_write is to only return once *all* of the data has been written,\n // unless the underlying BIO cannot satisfy the need (in which case WANT_WRITE will be returned).\n // We're using our BIO, which is always writable, so WANT_WRITE cannot fire so we'd always\n // expect this to write the complete quantity of readable bytes in our buffer.\n precondition(writtenBytes == data.readableBytes)\n data.moveReaderIndex(forwardBy: Int(writtenBytes))\n return .complete(writtenBytes)\n } else {\n let result = CNIOBoringSSL_SSL_get_error(ssl, writtenBytes)\n let error = BoringSSLError.fromSSLGetErrorResult(result)!\n\n switch error {\n case .wantRead, .wantWrite:\n return .incomplete\n default:\n return .failed(error)\n }\n }\n }\n\n /// Returns the protocol negotiated via ALPN, if any. Returns `nil` if no protocol\n /// was negotiated.\n func getAlpnProtocol() -> String? {\n var protoName = UnsafePointer(bitPattern: 0)\n var protoLen: CUnsignedInt = 0\n\n CNIOBoringSSL_SSL_get0_alpn_selected(ssl, &protoName, &protoLen)\n guard protoLen > 0 else {\n return nil\n }\n\n return String(decoding: UnsafeBufferPointer(start: protoName, count: Int(protoLen)), as: UTF8.self)\n }\n\n /// Get the leaf certificate from the peer certificate chain as a managed object,\n /// if available.\n func getPeerCertificate() -> NIOSSLCertificate? {\n guard let certPtr = CNIOBoringSSL_SSL_get_peer_certificate(ssl) else {\n return nil\n }\n\n return NIOSSLCertificate.fromUnsafePointer(takingOwnership: certPtr)\n }\n\n /// Drops persistent connection state.\n ///\n /// Must only be called when the connection is no longer needed. The rest of this object\n /// preconditions on that being true, so we'll find out quickly when that's not the case.\n func close() {\n /// Drop the verification callbacks. This breaks any reference cycles that are inevitably\n /// created by these callbacks.\n self.verificationCallback = nil\n self.customVerificationManager = nil\n self.currentOverride = nil\n\n // Also drop the reference to the parent channel handler, which is a trivial reference cycle.\n self.parentHandler = nil\n\n // And finally drop the data stored by the bytebuffer BIO\n self.bio?.close()\n }\n\n /// Retrieves any inbound data that has not been processed by BoringSSL.\n ///\n /// When unwrapping TLS from a connection, there may be application bytes that follow the terminating\n /// CLOSE_NOTIFY message. Those bytes may have been passed to this `SSLConnection`, and so we need to\n /// retrieve them.\n ///\n /// This function extracts those bytes and returns them to the user. This should only be called when\n /// the connection has been shutdown.\n ///\n /// - returns: The unconsumed `ByteBuffer`, if any.\n func extractUnconsumedData() -> ByteBuffer? {\n self.bio?.evacuateInboundData()\n }\n\n /// Returns an optional `TLSVersion` used on a `Channel` through the `NIOSSLHandler` APIs.\n func getTLSVersionForConnection() -> TLSVersion? {\n let uint16Version = CNIOBoringSSL_SSL_version(self.ssl)\n switch uint16Version {\n case TLS1_3_VERSION:\n return .tlsv13\n case TLS1_2_VERSION:\n return .tlsv12\n case TLS1_1_VERSION:\n return .tlsv11\n case TLS1_VERSION:\n return .tlsv1\n default:\n return nil\n }\n }\n}\n\n/// MARK: ConnectionRole\nextension SSLConnection {\n internal enum ConnectionRole {\n case server\n case client\n }\n}\n\n// MARK: Certificate Peer Chain Buffers\nextension SSLConnection {\n /// A collection of buffers representing the DER-encoded bytes of the peer certificate chain.\n struct PeerCertificateChainBuffers {\n private let basePointer: OpaquePointer\n\n fileprivate init(basePointer: OpaquePointer) {\n self.basePointer = basePointer\n }\n }\n\n /// Invokes a block with a collection of pointers to DER-encoded bytes of the peer certificate chain.\n ///\n /// The pointers are only guaranteed to be valid for the duration of this call: it is undefined behaviour to escape\n /// any of these pointers from the block, or the certificate iterator itself from the block. Users must either use the\n /// bytes synchronously within the block, or they must copy them to a new buffer that they own.\n ///\n /// If there are no peer certificates, the body will be called with nil.\n func withPeerCertificateChainBuffers(\n _ body: (PeerCertificateChainBuffers?) throws -> Result\n ) rethrows -> Result {\n guard let stackPointer = CNIOBoringSSL_SSL_get0_peer_certificates(self.ssl) else {\n return try body(nil)\n }\n\n return try body(PeerCertificateChainBuffers(basePointer: stackPointer))\n }\n\n /// The certificate chain presented by the peer.\n func peerCertificateChain() throws -> [NIOSSLCertificate] {\n try self.withPeerCertificateChainBuffers { buffers in\n guard let buffers = buffers else {\n return []\n }\n\n return try buffers.map { try NIOSSLCertificate(bytes: $0, format: .der) }\n }\n }\n\n func applyOverride(_ changes: NIOSSLContextConfigurationOverride) throws {\n let connection = UnsafeKeyAndChainTarget.ssl(self.ssl)\n if let chain = changes.certificateChain {\n try connection.useCertificateChain(chain)\n }\n\n // Attempt to load the new private key and abort on failure\n if let pkey = changes.privateKey {\n try connection.usePrivateKeySource(pkey)\n }\n\n self.currentOverride = changes\n }\n}\n\nextension SSLConnection.PeerCertificateChainBuffers: RandomAccessCollection {\n struct Index: Hashable, Comparable, Strideable {\n typealias Stride = Int\n\n fileprivate var index: Int\n\n fileprivate init(_ index: Int) {\n self.index = index\n }\n\n static func < (lhs: Index, rhs: Index) -> Bool {\n lhs.index < rhs.index\n }\n\n func advanced(\n by n: SSLConnection.PeerCertificateChainBuffers.Index.Stride\n ) -> SSLConnection.PeerCertificateChainBuffers.Index {\n var result = self\n result.index += n\n return result\n }\n\n func distance(\n to other: SSLConnection.PeerCertificateChainBuffers.Index\n ) -> SSLConnection.PeerCertificateChainBuffers.Index.Stride {\n other.index - self.index\n }\n }\n\n typealias Element = UnsafeRawBufferPointer\n\n var startIndex: Index {\n Index(0)\n }\n\n var endIndex: Index {\n Index(self.count)\n }\n\n var count: Int {\n CNIOBoringSSL_sk_CRYPTO_BUFFER_num(self.basePointer)\n }\n\n subscript(_ index: Index) -> UnsafeRawBufferPointer {\n precondition(index < self.endIndex)\n guard let ptr = CNIOBoringSSL_sk_CRYPTO_BUFFER_value(self.basePointer, index.index) else {\n preconditionFailure(\"Unable to locate backing pointer.\")\n }\n guard let dataPointer = CNIOBoringSSL_CRYPTO_BUFFER_data(ptr) else {\n preconditionFailure(\"Unable to retrieve data pointer from crypto_buffer\")\n }\n let byteCount = CNIOBoringSSL_CRYPTO_BUFFER_len(ptr)\n\n // We want an UnsafeRawBufferPointer here, so we need to erase the pointer type.\n let bufferDataPointer = UnsafeBufferPointer(start: dataPointer, count: byteCount)\n return UnsafeRawBufferPointer(bufferDataPointer)\n }\n}\n\n// MARK: Helpers for managing ex_data\nextension SSLConnection {\n // Loads an SSLConnection from an SSL*. Does not take ownership of the pointer.\n static func loadConnectionFromSSL(_ ssl: OpaquePointer) -> SSLConnection {\n guard let connectionPointer = CNIOBoringSSL_SSL_get_ex_data(ssl, sslConnectionExDataIndex) else {\n // Uh-ok, our application state is gone. Don't let this error silently pass, go bang.\n preconditionFailure(\"Unable to find application data from SSL * \\(ssl), index \\(sslConnectionExDataIndex)\")\n }\n\n return Unmanaged.fromOpaque(connectionPointer).takeUnretainedValue()\n }\n}\n" }, { "path": "Sources/NIOSSL/SSLContext.swift", "content": "//===----------------------------------------------------------------------===//\n//\n// This source file is part of the SwiftNIO open source project\n//\n// Copyright (c) 2017-2021 Apple Inc. and the SwiftNIO project authors\n// Licensed under Apache License v2.0\n//\n// See LICENSE.txt for license information\n// See CONTRIBUTORS.txt for the list of SwiftNIO project authors\n//\n// SPDX-License-Identifier: Apache-2.0\n//\n//===----------------------------------------------------------------------===//\n\n@_implementationOnly import CNIOBoringSSL\n@_implementationOnly import CNIOBoringSSLShims\nimport NIOCore\n\n#if canImport(Darwin)\nimport Darwin.C\n#elseif canImport(Musl)\nimport Musl\n#elseif canImport(Glibc)\nimport Glibc\n#elseif canImport(Android)\nimport Android\n#else\n#error(\"unsupported os\")\n#endif\n\n// This is a neat trick. Swift lazily initializes module-globals based on when they're first\n// used. This lets us defer BoringSSL intialization as late as possible and only do it if people\n// actually create any object that uses BoringSSL.\ninternal let boringSSLIsInitialized: Bool = initializeBoringSSL()\n\ninternal enum FileSystemObject {\n case directory\n case file\n\n static internal func pathType(path: String) -> FileSystemObject? {\n var statObj = stat()\n do {\n try Posix.stat(path: path, buf: &statObj)\n } catch {\n return nil\n }\n\n #if os(Android) && arch(arm)\n return (statObj.st_mode & UInt32(S_IFDIR)) != 0 ? .directory : .file\n #else\n return (statObj.st_mode & S_IFDIR) != 0 ? .directory : .file\n #endif\n }\n}\n\n// This bizarre extension to UnsafeBufferPointer is very useful for handling ALPN identifiers. BoringSSL\n// likes to work with them in wire format, so rather than us decoding them we can just encode ours to\n// the wire format and then work with them from there.\nextension UnsafeBufferPointer where Element == UInt8 {\n fileprivate func locateAlpnIdentifier(identifier: UnsafeBufferPointer) -> (index: Int, length: Int)? {\n precondition(identifier.count != 0)\n let targetLength = Int(identifier[0])\n\n var index = 0\n outerLoop: while index < self.count {\n let length = Int(self[index])\n guard index + length + 1 <= self.count else {\n // Invalid length of ALPN identifier, no match.\n return nil\n }\n\n guard targetLength == length else {\n index += length + 1\n continue outerLoop\n }\n\n for innerIndex in 1...length {\n guard identifier[innerIndex] == self[index + innerIndex] else {\n index += length + 1\n continue outerLoop\n }\n }\n\n // Found it\n return (index: index + 1, length: length)\n }\n return nil\n }\n}\n\nprivate func alpnCallback(\n ssl: OpaquePointer?,\n out: UnsafeMutablePointer?>?,\n outlen: UnsafeMutablePointer?,\n in: UnsafePointer?,\n inlen: UInt32,\n appData: UnsafeMutableRawPointer?\n) -> CInt {\n // Perform some soundness checks. We don't want NULL pointers around here.\n guard let ssl = ssl, let out = out, let outlen = outlen, let `in` = `in` else {\n return SSL_TLSEXT_ERR_NOACK\n }\n\n // We want to take the SSL pointer and extract the parent Swift object.\n let parentSwiftContext = NIOSSLContext.lookupFromRawContext(ssl: ssl)\n\n let offeredProtocols = UnsafeBufferPointer(start: `in`, count: Int(inlen))\n guard let (index, length) = parentSwiftContext.alpnSelectCallback(offeredProtocols: offeredProtocols) else {\n out.pointee = nil\n outlen.pointee = 0\n return SSL_TLSEXT_ERR_NOACK\n }\n\n out.pointee = `in` + index\n outlen.pointee = UInt8(length)\n return SSL_TLSEXT_ERR_OK\n}\n\n/// PSK Callback for the server side context.\nprivate func serverPSKCallback(\n ssl: OpaquePointer?,\n identity: UnsafePointer?,\n psk: UnsafeMutablePointer?,\n max_psk_len: UInt32\n) -> UInt32 {\n\n guard let ssl = ssl else { return 0 }\n\n // Initial implementation only supports TLS 1.2 due API support exposed from BoringSSL.\n // TODO (meaton) add TLS 1.3 support when available.\n\n let parentSwiftContext = NIOSSLContext.lookupFromRawContext(ssl: ssl)\n\n guard let serverCallback = parentSwiftContext.pskServerConfigurationCallback,\n let unwrappedIdentity = identity, // Incoming identity\n let strIdentity = String(validatingCString: unwrappedIdentity),\n let outputPSK = psk // Output PSK key.\n else {\n return 0\n }\n\n // Take the hint and the possible identity and pass them down to the callback to get associated PSK from callback\n var identityResponse: PSKServerIdentityResponse? = nil\n switch serverCallback {\n case .callback(let callback):\n // Deprecated callback doesn't accept optional hint value\n guard let hint = parentSwiftContext.configuration.pskHint else { return 0 }\n identityResponse = try? callback(hint, strIdentity)\n case .provider(let provider):\n identityResponse = try? provider(\n PSKServerContext(\n hint: parentSwiftContext.configuration.pskHint,\n clientIdentity: strIdentity,\n maxPSKLength: Int(max_psk_len)\n )\n )\n }\n guard let identityResponse else {\n return 0\n }\n let serverPSK = identityResponse.key // From the callback\n\n // Make sure the key is returned by the callback and it is of proper length, otherwise, fail.\n if serverPSK.isEmpty || serverPSK.count > max_psk_len {\n return 0\n }\n let _ = serverPSK.withUnsafeBytes { (body: UnsafeRawBufferPointer) -> Void in\n memcpy(outputPSK, body.baseAddress!, body.count)\n }\n return UInt32(serverPSK.count)\n}\n\n/// PSK Callback for the client side context.\nprivate func clientPSKCallback(\n ssl: OpaquePointer?,\n hint: UnsafePointer?,\n identity: UnsafeMutablePointer?,\n max_identity_len: UInt32,\n psk: UnsafeMutablePointer?,\n max_psk_len: UInt32\n) -> UInt32 {\n\n guard let ssl = ssl else { return 0 }\n\n let parentSwiftContext = NIOSSLContext.lookupFromRawContext(ssl: ssl)\n\n guard let clientCallback = parentSwiftContext.pskClientConfigurationCallback,\n let unwrappedIdentity = identity, // Output identity that will be later be mapped from client callback\n let outputPSK = psk // Output PSK key that will later be mapped from client callback\n else {\n return 0\n }\n\n // If set, build out a hint otherwise fallback to an empty string and pass it into the client callback.\n let clientHint: String? = hint.flatMap({ String(validatingCString: $0) })\n\n // Take the hint and pass it down to the callback to get associated PSK from callback\n let pskIdentity: PSKClientIdentityResponse?\n switch clientCallback {\n case .callback(let callback):\n // Deprecated callback doesn't accept optional hint value\n guard let clientHint else { return 0 }\n pskIdentity = try? callback(clientHint)\n case .provider(let provider):\n pskIdentity = try? provider(\n PSKClientContext(\n hint: clientHint,\n maxPSKLength: Int(max_psk_len)\n )\n )\n }\n guard let pskIdentity else { return 0 }\n\n let clientPSK = pskIdentity.key // Key from the callback\n let clientIdentity = pskIdentity.identity\n\n // Use max_identity_len so it does not trigger an overrun.\n if clientIdentity.utf8.isEmpty || clientIdentity.utf8.count > max_identity_len {\n return 0\n }\n\n // Map the output identity from the one passed back from the callback.\n // This helps populate the server callback for the key exchange.\n let _ = clientIdentity.withCString { ptr in\n memcpy(unwrappedIdentity, ptr, clientIdentity.utf8.count)\n }\n\n if clientPSK.isEmpty || clientPSK.count > max_psk_len {\n return 0\n }\n let _ = clientPSK.withUnsafeBytes { (body: UnsafeRawBufferPointer) -> Void in\n memcpy(outputPSK, body.baseAddress!, body.count)\n }\n return UInt32(clientPSK.count)\n}\n\nprivate func sslContextCallback(ssl: OpaquePointer?, arg: UnsafeMutableRawPointer?) -> Int32 {\n guard let ssl = ssl else {\n preconditionFailure(\n \"\"\"\n SSL_CTX_set_cert_cb was executed with an invalid ssl pointer.\n This should not be possible, please file an issue.\n \"\"\"\n )\n }\n\n let parentSwiftContext = SSLConnection.loadConnectionFromSSL(ssl)\n\n // This is a safe force unwrap as this callback is only register directly after setting the manager\n var contextManager = parentSwiftContext.customContextManager!\n\n // Begin loading a new context\n let result = contextManager.loadContext(ssl: ssl)\n\n switch result {\n case .none:\n // If we dont have a result yet then we must suspend\n return -1\n case .failure:\n // If loading a context failed then we must signal as such\n return 0\n case .success(let changes):\n do {\n // Attempt to load the new certificate chain and abort on failure\n let ssl = SSLConnection.loadConnectionFromSSL(ssl)\n try ssl.applyOverride(changes)\n\n // We must return 1 to signal a successful load of the new context\n return 1\n } catch {\n // Althought the load was successful, the context changes failed and we must mark as such\n contextManager.setLoadContextError(error)\n return 0\n }\n }\n}\n\n/// A wrapper class that encapsulates BoringSSL's `SSL_CTX *` object.\n///\n/// This object is thread-safe and can be shared across TLS connections in your application. Even if the connections\n/// are associated with `Channel`s from different `EventLoop`s.\n///\n/// > Note: Creating a ``NIOSSLContext`` is a very expensive operation because BoringSSL will usually need to load and\n/// parse large number of certificates from the system trust store. Therefore, creating a\n/// ``NIOSSLContext`` will likely allocate many thousand times and will also _perform blocking disk I/O_.\n///\n/// > Warning: Avoid creating ``NIOSSLContext``s on any `EventLoop` because it does _blocking disk I/O_.\npublic final class NIOSSLContext {\n fileprivate let sslContext: OpaquePointer\n private let callbackManager: CallbackManagerProtocol?\n private var keyLogManager: KeyLogCallbackManager?\n internal var pskClientConfigurationCallback: _NIOPSKClientIdentityProvider?\n internal var pskServerConfigurationCallback: _NIOPSKServerIdentityProvider?\n public let configuration: TLSConfiguration\n\n /// Initialize a context that will create multiple connections, all with the same\n /// configuration.\n internal init(\n configuration: TLSConfiguration,\n callbackManager: CallbackManagerProtocol?\n ) throws {\n guard boringSSLIsInitialized else { fatalError(\"Failed to initialize BoringSSL\") }\n guard let context = CNIOBoringSSL_SSL_CTX_new(CNIOBoringSSL_TLS_method()) else {\n fatalError(\"Failed to create new BoringSSL context\")\n }\n\n let minTLSVersion: CInt\n switch configuration.minimumTLSVersion {\n case .tlsv13:\n minTLSVersion = TLS1_3_VERSION\n case .tlsv12:\n minTLSVersion = TLS1_2_VERSION\n case .tlsv11:\n minTLSVersion = TLS1_1_VERSION\n case .tlsv1:\n minTLSVersion = TLS1_VERSION\n }\n var returnCode = CNIOBoringSSL_SSL_CTX_set_min_proto_version(context, UInt16(minTLSVersion))\n precondition(1 == returnCode)\n\n let maxTLSVersion: CInt\n\n switch configuration.maximumTLSVersion {\n case .some(.tlsv1):\n maxTLSVersion = TLS1_VERSION\n case .some(.tlsv11):\n maxTLSVersion = TLS1_1_VERSION\n case .some(.tlsv12):\n maxTLSVersion = TLS1_2_VERSION\n case .some(.tlsv13), .none:\n // Unset defaults to TLS1.3 for now. BoringSSL's default is TLS 1.2.\n maxTLSVersion = TLS1_3_VERSION\n }\n returnCode = CNIOBoringSSL_SSL_CTX_set_max_proto_version(context, UInt16(maxTLSVersion))\n precondition(1 == returnCode)\n\n // Cipher suites. We just pass this straight to BoringSSL.\n returnCode = CNIOBoringSSL_SSL_CTX_set_cipher_list(context, configuration.cipherSuites)\n precondition(1 == returnCode)\n\n // Curves list.\n if let curves = configuration.curves {\n returnCode =\n curves\n .map { $0.rawValue }\n .withUnsafeBufferPointer { algo in\n CNIOBoringSSL_SSL_CTX_set1_group_ids(context, algo.baseAddress, algo.count)\n }\n if returnCode != 1 {\n let errorStack = BoringSSLError.buildErrorStack()\n throw BoringSSLError.unknownError(errorStack)\n }\n }\n\n // Set the PSK Client Configuration callback.\n if let pskClientConfigurationsCallback = configuration._pskClientIdentityProvider {\n self.pskClientConfigurationCallback = pskClientConfigurationsCallback\n CNIOBoringSSL_SSL_CTX_set_psk_client_callback(context, clientPSKCallback)\n }\n\n // Set the PSK Server Configuration callback.\n if let pskServerConfigurationCallback = configuration._pskServerIdentityProvider {\n self.pskServerConfigurationCallback = pskServerConfigurationCallback\n CNIOBoringSSL_SSL_CTX_set_psk_server_callback(context, serverPSKCallback)\n }\n\n // Set the SSL Context Configuration callback.\n // The state is managed on the connection.\n if configuration.sslContextCallback != nil {\n CNIOBoringSSL_SSL_CTX_set_cert_cb(context, sslContextCallback, nil)\n }\n\n // Set the hint no matter if it is client or server side.\n if let pskHint = configuration.pskHint {\n CNIOBoringSSL_SSL_CTX_use_psk_identity_hint(context, pskHint)\n }\n\n // On non-Linux platforms, when using the platform default trust roots, we make use of a\n // custom verify callback. If we have also been presented with additional trust roots of\n // type `.file`, we take the opportunity now to load them in memory to avoid doing so\n // repeatedly on the request path.\n //\n // However, to avoid closely coupling this code with other parts (e.g. the platform-specific\n // concerns, and the defaulting of `trustRoots` to `.default` when `nil`), we unilaterally\n // convert any `additionalTrustRoots` of type `.file` to `.certificates`.\n var configuration = configuration\n configuration.additionalTrustRoots = try configuration.additionalTrustRoots.map { trustRoots in\n switch trustRoots {\n case .file(let path):\n return .certificates(try NIOSSLCertificate.fromPEMFile(path))\n default:\n return trustRoots\n }\n }\n\n // Configure certificate validation\n try NIOSSLContext.configureCertificateValidation(\n context: context,\n verification: configuration.certificateVerification,\n trustRoots: configuration.trustRoots,\n additionalTrustRoots: configuration.additionalTrustRoots,\n sendCANames: configuration.sendCANameList\n )\n\n // Configure verification algorithms\n if let verifySignatureAlgorithms = configuration.verifySignatureAlgorithms {\n returnCode =\n verifySignatureAlgorithms\n .map { $0.rawValue }\n .withUnsafeBufferPointer { algo in\n CNIOBoringSSL_SSL_CTX_set_verify_algorithm_prefs(context, algo.baseAddress, algo.count)\n }\n if returnCode != 1 {\n let errorStack = BoringSSLError.buildErrorStack()\n throw BoringSSLError.unknownError(errorStack)\n }\n }\n\n // Configure signing algorithms\n if let signingSignatureAlgorithms = configuration.resolvedSigningSignatureAlgorithms {\n returnCode =\n signingSignatureAlgorithms\n .map { $0.rawValue }\n .withUnsafeBufferPointer { algo in\n CNIOBoringSSL_SSL_CTX_set_signing_algorithm_prefs(context, algo.baseAddress, algo.count)\n }\n if returnCode != 1 {\n let errorStack = BoringSSLError.buildErrorStack()\n throw BoringSSLError.unknownError(errorStack)\n }\n }\n\n // If we were given a certificate chain to use, load it and its associated private key. Before\n // we do, set up a passphrase callback if we need to.\n if let callbackManager = callbackManager {\n CNIOBoringSSL_SSL_CTX_set_default_passwd_cb(\n context,\n { globalBoringSSLPassphraseCallback(buf: $0, size: $1, rwflag: $2, u: $3) }\n )\n CNIOBoringSSL_SSL_CTX_set_default_passwd_cb_userdata(\n context,\n Unmanaged.passUnretained(callbackManager as AnyObject).toOpaque()\n )\n }\n\n let handle = UnsafeKeyAndChainTarget.sslContext(context)\n try handle.useCertificateChain(configuration.certificateChain)\n\n if let pkey = configuration.privateKey {\n try handle.usePrivateKeySource(pkey)\n }\n\n if configuration.encodedApplicationProtocols.count > 0 {\n try NIOSSLContext.setAlpnProtocols(configuration.encodedApplicationProtocols, context: context)\n NIOSSLContext.setAlpnCallback(context: context)\n }\n\n // Add a key log callback.\n if let keyLogCallback = configuration.keyLogCallback {\n self.keyLogManager = KeyLogCallbackManager(callback: keyLogCallback)\n try NIOSSLContext.setKeylogCallback(context: context)\n } else {\n self.keyLogManager = nil\n }\n\n self.sslContext = context\n self.configuration = configuration\n self.callbackManager = callbackManager\n\n // Always make it possible to get from an SSL_CTX structure back to this.\n let ptrToSelf = Unmanaged.passUnretained(self).toOpaque()\n CNIOBoringSSLShims_SSL_CTX_set_app_data(context, ptrToSelf)\n }\n\n /// Initialize a context that will create multiple connections, all with the same\n /// configuration.\n ///\n /// - Note: Creating a ``NIOSSLContext`` is a very expensive operation because BoringSSL will usually need to load and\n /// parse large number of certificates from the system trust store. Therefore, creating a\n /// ``NIOSSLContext`` will likely allocate many thousand times and will also _perform blocking disk I/O_.\n ///\n /// - Warning: Avoid creating ``NIOSSLContext``s on any `EventLoop` because it does _blocking disk I/O_.\n public convenience init(configuration: TLSConfiguration) throws {\n try self.init(configuration: configuration, callbackManager: nil)\n }\n\n /// Initialize a context that will create multiple connections, all with the same\n /// configuration, along with a callback that will be called when needed to decrypt any\n /// encrypted private keys.\n ///\n /// - Note: Creating a ``NIOSSLContext`` is a very expensive operation because BoringSSL will usually need to load and\n /// parse large number of certificates from the system trust store. Therefore, creating a\n /// ``NIOSSLContext`` will likely allocate many thousand times and will also _perform blocking disk I/O_.\n ///\n /// - Warning: Avoid creating ``NIOSSLContext``s on any `EventLoop` because it does _blocking disk I/O_.\n ///\n /// - parameters:\n /// - configuration: The ``TLSConfiguration`` to use for all the connections with this\n /// ``NIOSSLContext``.\n /// - passphraseCallback: The callback to use to decrypt any private keys used by this\n /// ``NIOSSLContext``. For more details on this parameter see the documentation for\n /// ``NIOSSLPassphraseCallback``.\n public convenience init(\n configuration: TLSConfiguration,\n passphraseCallback: @escaping NIOSSLPassphraseCallback\n ) throws where T.Element == UInt8 {\n let manager = BoringSSLPassphraseCallbackManager(userCallback: passphraseCallback)\n try self.init(configuration: configuration, callbackManager: manager)\n }\n\n /// Create a new connection object with the configuration from this\n /// context.\n internal func createConnection() -> SSLConnection? {\n guard let ssl = CNIOBoringSSL_SSL_new(self.sslContext) else {\n return nil\n }\n\n let conn = SSLConnection(ownedSSL: ssl, parentContext: self)\n\n // If we need to turn on the validation on Apple platforms, do it here.\n #if canImport(Darwin)\n switch self.configuration.trustRoots {\n case .some(.default), .none:\n conn.setCustomVerificationCallback(\n CustomVerifyManager(callback: {\n do {\n conn.performSecurityFrameworkValidation(\n promise: $0,\n peerCertificates: try conn.getPeerCertificatesAsSecCertificate()\n )\n } catch {\n $0.fail(error)\n }\n })\n )\n case .some(.certificates), .some(.file):\n break\n }\n #endif\n\n return conn\n }\n\n fileprivate func alpnSelectCallback(offeredProtocols: UnsafeBufferPointer) -> (index: Int, length: Int)? {\n for possibility in configuration.encodedApplicationProtocols {\n let match = possibility.withUnsafeBufferPointer {\n offeredProtocols.locateAlpnIdentifier(identifier: $0)\n }\n if match != nil { return match }\n }\n\n return nil\n }\n\n deinit {\n CNIOBoringSSL_SSL_CTX_free(self.sslContext)\n }\n}\n\n// NIOSSLContext is thread-safe and therefore Sendable\nextension NIOSSLContext: @unchecked Sendable {}\n\nextension NIOSSLContext {\n fileprivate static func lookupFromRawContext(ssl: OpaquePointer) -> NIOSSLContext {\n // We want to take the SSL pointer and extract the parent Swift object. These force-unwraps are for\n // safety: a correct NIO program can never fail to set these pointers, and if it does failing loudly is\n // more useful than failing quietly.\n let parentCtx = CNIOBoringSSL_SSL_get_SSL_CTX(ssl)!\n let parentPtr = CNIOBoringSSLShims_SSL_CTX_get_app_data(parentCtx)!\n let parentSwiftContext: NIOSSLContext = Unmanaged.fromOpaque(parentPtr).takeUnretainedValue()\n return parentSwiftContext\n }\n}\n\nextension NIOSSLContext {\n private static func setAlpnProtocols(_ protocols: [[UInt8]], context: OpaquePointer) throws {\n // This copy should be done infrequently, so we don't worry too much about it.\n let protoBuf = protocols.reduce([UInt8](), +)\n let rc = protoBuf.withUnsafeBufferPointer {\n CNIOBoringSSL_SSL_CTX_set_alpn_protos(context, $0.baseAddress!, $0.count)\n }\n\n // Annoyingly this function reverses the error convention: 0 is success, non-zero is failure.\n if rc != 0 {\n let errorStack = BoringSSLError.buildErrorStack()\n throw BoringSSLError.failedToSetALPN(errorStack)\n }\n }\n\n private static func setAlpnCallback(context: OpaquePointer) {\n // This extra closure here is very silly, but it exists to allow us to avoid writing down the type of the first\n // argument. Combined with the helper above, the compiler will be able to solve its way to success here.\n CNIOBoringSSL_SSL_CTX_set_alpn_select_cb(\n context,\n { alpnCallback(ssl: $0, out: $1, outlen: $2, in: $3, inlen: $4, appData: $5) },\n nil\n )\n }\n}\n\n// Configuring certificate verification\nextension NIOSSLContext {\n fileprivate enum VerificationMode {\n case peerCertificateRequired\n case peerCertificatesOptional\n }\n\n fileprivate static func setupVerification(\n _ context: OpaquePointer,\n _ sendCANames: Bool,\n _ trustRoots: NIOSSLTrustRoots?,\n _ additionalTrustRoots: [NIOSSLAdditionalTrustRoots],\n _ verificationMode: VerificationMode\n ) throws {\n switch verificationMode {\n case .peerCertificateRequired:\n CNIOBoringSSL_SSL_CTX_set_verify(context, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, nil)\n case .peerCertificatesOptional:\n CNIOBoringSSL_SSL_CTX_set_verify(context, SSL_VERIFY_PEER, nil)\n }\n\n // Also, set TRUSTED_FIRST to work around dumb clients that don't know what they're doing and send\n // untrusted root certs. X509_VERIFY_PARAM will or-in the flags, so we don't need to load them first.\n // This is get0 so we can just ignore the pointer, we don't have an owned ref.\n let trustParams = CNIOBoringSSL_SSL_CTX_get0_param(context)!\n CNIOBoringSSL_X509_VERIFY_PARAM_set_flags(trustParams, CUnsignedLong(X509_V_FLAG_TRUSTED_FIRST))\n\n func configureTrustRoots(trustRoots: NIOSSLTrustRoots) throws {\n switch trustRoots {\n case .default:\n try NIOSSLContext.platformDefaultConfiguration(context: context)\n case .file(let path):\n try NIOSSLContext.loadVerifyLocations(path, context: context, sendCANames: sendCANames)\n case .certificates(let certs):\n for cert in certs {\n try NIOSSLContext.addRootCertificate(cert, context: context)\n // Add the CA name from the trust root\n if sendCANames {\n try NIOSSLContext.addCACertificateNameToList(context: context, certificate: cert)\n }\n }\n }\n }\n try configureTrustRoots(trustRoots: trustRoots ?? .default)\n for root in additionalTrustRoots { try configureTrustRoots(trustRoots: .init(from: root)) }\n }\n\n private static func configureCertificateValidation(\n context: OpaquePointer,\n verification: CertificateVerification,\n trustRoots: NIOSSLTrustRoots?,\n additionalTrustRoots: [NIOSSLAdditionalTrustRoots],\n sendCANames: Bool\n ) throws {\n // If validation is turned on, set the trust roots and turn on cert validation.\n switch verification {\n case .fullVerification, .noHostnameVerification:\n try setupVerification(context, sendCANames, trustRoots, additionalTrustRoots, .peerCertificateRequired)\n case .none(let opts):\n if opts.validatePresentedCertificates {\n try setupVerification(context, sendCANames, trustRoots, additionalTrustRoots, .peerCertificatesOptional)\n }\n }\n }\n\n private static func addCACertificateNameToList(context: OpaquePointer, certificate: NIOSSLCertificate) throws {\n // Adds the CA name extracted from cert to the list of CAs sent to the client when requesting a client certificate.\n try certificate.withUnsafeMutableX509Pointer { ref in\n guard 1 == CNIOBoringSSL_SSL_CTX_add_client_CA(context, ref) else {\n throw NIOSSLError.failedToLoadCertificate\n }\n }\n }\n\n private static func loadVerifyLocations(_ path: String, context: OpaquePointer, sendCANames: Bool) throws {\n let isDirectory: Bool\n switch FileSystemObject.pathType(path: path) {\n case .some(.directory):\n isDirectory = true\n case .some(.file):\n isDirectory = false\n case .none:\n throw NIOSSLError.noSuchFilesystemObject\n }\n\n let result = path.withCString { (pointer) -> CInt in\n let file = !isDirectory ? pointer : nil\n let directory = isDirectory ? pointer : nil\n return CNIOBoringSSL_SSL_CTX_load_verify_locations(context, file, directory)\n }\n\n if result == 0 {\n let errorStack = BoringSSLError.buildErrorStack()\n throw BoringSSLError.unknownError(errorStack)\n } else if sendCANames, !isDirectory {\n // For single CA file, add the CA name from the trust root.\n // This could be from a location like /etc/ssl/cert.pem as an example.\n CNIOBoringSSL_SSL_CTX_set_client_CA_list(context, CNIOBoringSSL_SSL_load_client_CA_file(path))\n } else if sendCANames, isDirectory {\n // Match the c_rehash directory format and load the certificate based on this criteria.\n let certificateFilePaths = try DirectoryContents(path: path).filter {\n try self._isRehashFormat(path: $0)\n }\n // Load only the certificates that resolve to an existing certificate in the directory.\n for symPath in certificateFilePaths {\n // c_rehash only support pem files.\n let cert = try NIOSSLCertificate(_file: symPath, format: .pem)\n try addCACertificateNameToList(context: context, certificate: cert)\n }\n }\n }\n\n private static func addRootCertificate(_ cert: NIOSSLCertificate, context: OpaquePointer) throws {\n let store = CNIOBoringSSL_SSL_CTX_get_cert_store(context)!\n let rc = cert.withUnsafeMutableX509Pointer { ref in\n CNIOBoringSSL_X509_STORE_add_cert(store, ref)\n }\n if 0 == rc {\n throw NIOSSLError.failedToLoadCertificate\n }\n }\n\n private static func platformDefaultConfiguration(context: OpaquePointer) throws {\n // Platform default trust is configured differently in different places.\n // On Linux, we use our searched heuristics to guess about where the platform trust store is.\n // On Darwin, we use a custom callback that is set later, in createConnection\n #if os(Linux)\n let result = rootCAFilePath.withCString { rootCAFilePointer in\n rootCADirectoryPath.withCString { rootCADirectoryPointer in\n CNIOBoringSSL_SSL_CTX_load_verify_locations(context, rootCAFilePointer, rootCADirectoryPointer)\n }\n }\n\n if result == 0 {\n let errorStack = BoringSSLError.buildErrorStack()\n throw BoringSSLError.unknownError(errorStack)\n }\n #elseif os(Android)\n let result = rootCADirectoryPath.withCString { rootCADirectoryPointer in\n CNIOBoringSSL_SSL_CTX_load_verify_locations(context, nil, rootCADirectoryPointer)\n }\n\n if result == 0 {\n let errorStack = BoringSSLError.buildErrorStack()\n throw BoringSSLError.unknownError(errorStack)\n }\n #endif\n }\n\n private static func setKeylogCallback(context: OpaquePointer) throws {\n CNIOBoringSSL_SSL_CTX_set_keylog_callback(context) { (ssl, linePointer) in\n guard let ssl = ssl, let linePointer = linePointer else {\n return\n }\n\n let parentSwiftContext = NIOSSLContext.lookupFromRawContext(ssl: ssl)\n\n // Similarly, this force-unwrap is safe because a correct NIO program can never fail to unwrap this entry\n // either.\n parentSwiftContext.keyLogManager!.log(linePointer)\n }\n }\n\n /// Takes a path and determines if the file at this path is of c_rehash format .\n internal static func _isRehashFormat(path: String) throws -> Bool {\n // Check if the element’s name matches the c_rehash symlink name format.\n // The links created are of the form HHHHHHHH.D, where each H is a hexadecimal character and D is a single decimal digit.\n let utf8PathView = path.utf8\n let utf8PathSplitView = utf8PathView.split(separator: UInt8(ascii: \"/\"))\n\n // Make sure the path is at least 10 units long\n guard let lastPathComponent = utf8PathSplitView.last,\n lastPathComponent.count == 10\n else { return false }\n // Split into filename parts HHHHHHHH.D -> [[HHHHHHHH], [D]]\n let filenameParts = lastPathComponent.split(separator: UInt8(ascii: \".\"))\n\n // Double check that the extension did not fail to cast to an integer.\n // Make sure that the filename is an 8 character hex based file name.\n guard filenameParts.count == 2,\n let filename = filenameParts.first,\n let fileExtension = filenameParts.last,\n fileExtension.count == 1,\n filename.count == 8,\n filename.allSatisfy({ $0.isHexDigit }),\n fileExtension.first == UInt8(ascii: \"0\")\n else { return false }\n\n // Check if the element is a symlink. If it is not, return false.\n var buffer = stat()\n let _ = try Posix.lstat(path: path, buf: &buffer)\n // Check the mode to make sure this is a symlink\n #if os(Android) && arch(arm)\n if (buffer.st_mode & UInt32(S_IFMT)) != UInt32(S_IFLNK) { return false }\n #else\n if (buffer.st_mode & S_IFMT) != S_IFLNK { return false }\n #endif\n\n // Return true at this point because the file format is considered to be in rehash format and a symlink.\n // Rehash format being \"%08lx.%d\" or HHHHHHHH.D\n return true\n }\n}\n\nextension NIOSSLContext {\n /// Exposes the CA Name list count from BoringSSL's STACK_OF(X509_NAME)\n func getX509NameListCount() -> Int {\n guard let caNameList = CNIOBoringSSL_SSL_CTX_get_client_CA_list(self.sslContext) else {\n return 0\n }\n return CNIOBoringSSL_sk_X509_NAME_num(caNameList)\n }\n}\n\n// For accessing STACK_OF(SSL_CIPHER) from a SSLContext\nextension NIOSSLContext {\n /// A collection of buffers representing a STACK_OF(SSL_CIPHER)\n struct NIOTLSCipherBuffers {\n private let basePointer: OpaquePointer\n\n fileprivate init(basePointer: OpaquePointer) {\n self.basePointer = basePointer\n }\n }\n\n /// Invokes a block with a collection of pointers to STACK_OF(SSL_CIPHER).\n ///\n /// The pointers are only guaranteed to be valid for the duration of this call. This method aligns with the RandomAccessCollection protocol\n /// to access UInt16 pointers at a specific index. This pointer is used to safely access id values of the cipher to create a new NIOTLSCipher.\n fileprivate func withStackOfCipherSuiteBuffers(\n _ body: (NIOTLSCipherBuffers?) throws -> Result\n ) rethrows -> Result {\n guard let stackPointer = CNIOBoringSSL_SSL_CTX_get_ciphers(self.sslContext) else {\n return try body(nil)\n }\n return try body(NIOTLSCipherBuffers(basePointer: stackPointer))\n }\n\n /// Access cipher suites applied to the context\n internal var cipherSuites: [NIOTLSCipher] {\n self.withStackOfCipherSuiteBuffers { buffers in\n guard let buffers = buffers else {\n return []\n }\n return Array(buffers)\n }\n }\n}\n\nextension NIOSSLContext.NIOTLSCipherBuffers: RandomAccessCollection {\n\n struct Index: Hashable, Comparable, Strideable {\n typealias Stride = Int\n\n fileprivate var index: Int\n\n fileprivate init(_ index: Int) {\n self.index = index\n }\n\n static func < (lhs: Index, rhs: Index) -> Bool {\n lhs.index < rhs.index\n }\n\n func advanced(by n: NIOSSLContext.NIOTLSCipherBuffers.Index.Stride) -> NIOSSLContext.NIOTLSCipherBuffers.Index {\n var result = self\n result.index += n\n return result\n }\n\n func distance(\n to other: NIOSSLContext.NIOTLSCipherBuffers.Index\n ) -> NIOSSLContext.NIOTLSCipherBuffers.Index.Stride {\n other.index - self.index\n }\n }\n\n typealias Element = NIOTLSCipher\n\n var startIndex: Index {\n Index(0)\n }\n\n var endIndex: Index {\n Index(self.count)\n }\n\n var count: Int {\n CNIOBoringSSL_sk_SSL_CIPHER_num(self.basePointer)\n }\n\n subscript(position: Index) -> NIOTLSCipher {\n precondition(position < self.endIndex)\n precondition(position >= self.startIndex)\n guard let ptr = CNIOBoringSSL_sk_SSL_CIPHER_value(self.basePointer, position.index) else {\n preconditionFailure(\"Unable to locate backing pointer.\")\n }\n let cipherID = CNIOBoringSSL_SSL_CIPHER_get_protocol_id(ptr)\n return NIOTLSCipher(cipherID)\n }\n}\n\nextension Optional where Wrapped == String {\n internal func withCString(_ body: (UnsafePointer?) throws -> Result) rethrows -> Result {\n switch self {\n case .some(let s):\n return try s.withCString({ try body($0) })\n case .none:\n return try body(nil)\n }\n }\n}\n\ninternal class DirectoryContents: Sequence, IteratorProtocol {\n\n typealias Element = String\n let path: String\n // Used to account between the differences of DIR being defined on Darwin.\n // Otherwise an OpaquePointer needs to be used to account for the non-defined type in glibc.\n #if canImport(Darwin)\n let dir: UnsafeMutablePointer\n #else\n let dir: OpaquePointer\n #endif\n\n init(path: String) {\n self.path = path\n self.dir = opendir(path)!\n }\n\n func next() -> String? {\n if let dirent: UnsafeMutablePointer = readdir(self.dir) {\n let name = withUnsafePointer(to: &dirent.pointee.d_name) { (ptr) -> String in\n // Pointers to homogeneous tuples in Swift are always bound to both the tuple type and the element type,\n // so the assumption below is safe.\n let elementPointer = UnsafeRawPointer(ptr).assumingMemoryBound(to: CChar.self)\n return String(cString: elementPointer)\n }\n return self.path + name\n }\n return nil\n }\n\n deinit {\n closedir(dir)\n }\n}\n\n// Used as part of the `_isRehashFormat` format to determine if the filename is a hexadecimal filename.\nextension UTF8.CodeUnit {\n private static let asciiZero = UInt8(ascii: \"0\")\n private static let asciiNine = UInt8(ascii: \"9\")\n private static let asciiLowercaseA = UInt8(ascii: \"a\")\n private static let asciiLowercaseF = UInt8(ascii: \"f\")\n private static let asciiUppercaseA = UInt8(ascii: \"A\")\n private static let asciiUppercaseF = UInt8(ascii: \"F\")\n\n var isHexDigit: Bool {\n switch self {\n case (.asciiZero)...(.asciiNine),\n (.asciiLowercaseA)...(.asciiLowercaseF),\n (.asciiUppercaseA)...(.asciiUppercaseF):\n return true\n default:\n return false\n }\n }\n}\n" }, { "path": "Sources/NIOSSL/SSLErrors.swift", "content": "//===----------------------------------------------------------------------===//\n//\n// This source file is part of the SwiftNIO open source project\n//\n// Copyright (c) 2017-2021 Apple Inc. and the SwiftNIO project authors\n// Licensed under Apache License v2.0\n//\n// See LICENSE.txt for license information\n// See CONTRIBUTORS.txt for the list of SwiftNIO project authors\n//\n// SPDX-License-Identifier: Apache-2.0\n//\n//===----------------------------------------------------------------------===//\n\n@_implementationOnly import CNIOBoringSSL\nimport NIOCore\n\n/// Wraps a single error from BoringSSL.\npublic struct BoringSSLInternalError: Equatable, CustomStringConvertible, Sendable {\n private enum Backing: Hashable {\n case boringSSLErrorInfo(UInt32, String, UInt)\n case synthetic(String)\n }\n\n private var backing: Backing\n\n private var errorMessage: String? {\n switch self.backing {\n case .boringSSLErrorInfo(let errorCode, let filepath, let line):\n // TODO(cory): This should become non-optional in the future, as it always succeeds.\n var scratchBuffer = [CChar](repeating: 0, count: 512)\n return scratchBuffer.withUnsafeMutableBufferPointer { pointer in\n CNIOBoringSSL_ERR_error_string_n(errorCode, pointer.baseAddress!, pointer.count)\n let errorString = String(cString: pointer.baseAddress!)\n return \"\\(errorString) at \\(filepath):\\(line)\"\n }\n case .synthetic(let description):\n return description\n }\n }\n\n private var errorCode: String {\n switch self.backing {\n case .boringSSLErrorInfo(let code, _, _):\n return String(code, radix: 10)\n case .synthetic:\n return \"\"\n }\n }\n\n public var description: String {\n \"Error: \\(errorCode) \\(errorMessage ?? \"\")\"\n }\n\n init(errorCode: UInt32, filename: String, line: UInt) {\n self.backing = .boringSSLErrorInfo(errorCode, filename, line)\n }\n\n private init(syntheticErrorDescription description: String) {\n self.backing = .synthetic(description)\n }\n\n /// Received EOF during the TLS handshake.\n public static let eofDuringHandshake = Self(syntheticErrorDescription: \"EOF during handshake\")\n\n /// Received EOF during additional certificate chain verification.\n public static let eofDuringAdditionalCertficiateChainValidation = Self(\n syntheticErrorDescription: \"EOF during addition certificate chain validation\"\n )\n}\n\n/// A representation of BoringSSL's internal error stack: a list of BoringSSL errors.\npublic typealias NIOBoringSSLErrorStack = [BoringSSLInternalError]\n\n/// Errors that can be raised by NIO's BoringSSL wrapper.\npublic enum NIOSSLError: Error {\n case writeDuringTLSShutdown\n @available(*, deprecated, message: \"unableToAllocateBoringSSLObject can no longer be thrown\")\n case unableToAllocateBoringSSLObject\n case noSuchFilesystemObject\n case failedToLoadCertificate\n case failedToLoadPrivateKey\n case handshakeFailed(BoringSSLError)\n case shutdownFailed(BoringSSLError)\n case cannotMatchULabel\n case noCertificateToValidate\n case unableToValidateCertificate\n case cannotFindPeerIP\n case readInInvalidTLSState\n case uncleanShutdown\n}\n\nextension NIOSSLError: Equatable {}\n\n/// Closing the TLS channel cleanly timed out, so it was closed uncleanly.\npublic struct NIOSSLCloseTimedOutError: Error {}\n\n/// An enum that wraps individual BoringSSL errors directly.\npublic enum BoringSSLError: Error {\n case noError\n case zeroReturn\n case wantRead\n case wantWrite\n case wantConnect\n case wantAccept\n case wantX509Lookup\n case wantCertificateVerify\n case syscallError\n case sslError(NIOBoringSSLErrorStack)\n case unknownError(NIOBoringSSLErrorStack)\n case invalidSNIName(NIOBoringSSLErrorStack)\n case failedToSetALPN(NIOBoringSSLErrorStack)\n}\n\nextension BoringSSLError: Equatable {}\n\nextension BoringSSLError {\n static func fromSSLGetErrorResult(_ result: CInt) -> BoringSSLError? {\n switch result {\n case SSL_ERROR_NONE:\n return .noError\n case SSL_ERROR_ZERO_RETURN:\n return .zeroReturn\n case SSL_ERROR_WANT_READ:\n return .wantRead\n case SSL_ERROR_WANT_WRITE:\n return .wantWrite\n case SSL_ERROR_WANT_CONNECT:\n return .wantConnect\n case SSL_ERROR_WANT_ACCEPT:\n return .wantAccept\n case SSL_ERROR_WANT_CERTIFICATE_VERIFY:\n return .wantCertificateVerify\n case SSL_ERROR_WANT_X509_LOOKUP:\n return .wantX509Lookup\n case SSL_ERROR_SYSCALL:\n return .syscallError\n case SSL_ERROR_WANT_PRIVATE_KEY_OPERATION:\n // This is a terrible hack: we can't add cases to this enum, so we can't represent\n // this directly. In all cases this should be the same as wantCertificateVerify, so we'll just use that.\n return .wantCertificateVerify\n case SSL_ERROR_SSL:\n return .sslError(buildErrorStack())\n default:\n return .unknownError(buildErrorStack())\n }\n }\n\n static func buildErrorStack() -> NIOBoringSSLErrorStack {\n var errorStack = NIOBoringSSLErrorStack()\n\n while true {\n var file: UnsafePointer? = nil\n var line: CInt = 0\n let errorCode = CNIOBoringSSL_ERR_get_error_line(&file, &line)\n if errorCode == 0 { break }\n let fileAsString = String(cString: file!)\n errorStack.append(BoringSSLInternalError(errorCode: errorCode, filename: fileAsString, line: UInt(line)))\n }\n\n return errorStack\n }\n}\n\n/// Represents errors that may occur while attempting to unwrap TLS from a connection.\npublic enum NIOTLSUnwrappingError: Error {\n /// The TLS channel has already been closed, so it is not possible to unwrap it.\n case alreadyClosed\n\n /// The internal state of the handler is not able to process the unwrapping request.\n case invalidInternalState\n\n /// We were unwrapping the connection, but during the unwrap process a close call\n /// was made. This means the connection is now closed, not unwrapped.\n case closeRequestedDuringUnwrap\n\n /// This write was failed because the channel was unwrapped before it was flushed.\n case unflushedWriteOnUnwrap\n}\n\n/// This structure contains errors added to NIOSSL after the original ``NIOSSLError`` enum was\n/// shipped. This is an extensible error object that allows us to evolve it going forward.\npublic struct NIOSSLExtraError: Error {\n private var baseError: NIOSSLExtraError.BaseError\n\n private var _description: String?\n\n private init(baseError: NIOSSLExtraError.BaseError, description: String?) {\n self.baseError = baseError\n self._description = description\n }\n}\n\nextension NIOSSLExtraError {\n private enum BaseError: Equatable {\n case failedToValidateHostname\n case serverHostnameImpossibleToMatch\n case cannotUseIPAddressInSNI\n case invalidSNIHostname\n case unknownPrivateKeyFileType\n case noForwardProgress\n }\n}\n\nextension NIOSSLExtraError {\n /// NIOSSL was unable to validate the hostname presented by the remote peer.\n public static let failedToValidateHostname = NIOSSLExtraError(\n baseError: .failedToValidateHostname,\n description: nil\n )\n\n /// The server hostname provided by the user cannot match any names in the certificate due to containing invalid characters.\n public static let serverHostnameImpossibleToMatch = NIOSSLExtraError(\n baseError: .serverHostnameImpossibleToMatch,\n description: nil\n )\n\n /// IP addresses may not be used in SNI.\n public static let cannotUseIPAddressInSNI = NIOSSLExtraError(baseError: .cannotUseIPAddressInSNI, description: nil)\n\n /// The SNI hostname requirements have not been met.\n ///\n /// - note: Should the provided SNI hostname be an IP address instead, ``cannotUseIPAddressInSNI`` is thrown instead\n /// of this error.\n ///\n /// Reasons a hostname might not meet the requirements:\n /// - hostname in UTF8 is more than 255 bytes\n /// - hostname is the empty string\n /// - hostname contains the `0` unicode scalar (which would be encoded as the `0` byte which is unsupported).\n public static let invalidSNIHostname = NIOSSLExtraError(baseError: .invalidSNIHostname, description: nil)\n\n /// The private key file for the TLS configuration has an unknown type.\n public static let unknownPrivateKeyFileType = NIOSSLExtraError(\n baseError: .unknownPrivateKeyFileType,\n description: nil\n )\n\n /// No forward progress is being made.\n ///\n /// This can happen when the `NIOSSLHandler` is unbuffering actions and gets into a state where\n /// it would potentially spin loop indefinitely.\n static let noForwardProgress = NIOSSLExtraError(baseError: .noForwardProgress, description: nil)\n\n @inline(never)\n internal static func failedToValidateHostname(expectedName: String) -> NIOSSLExtraError {\n let description = \"Couldn't find \\(expectedName) in certificate from peer\"\n return NIOSSLExtraError(baseError: .failedToValidateHostname, description: description)\n }\n\n @inline(never)\n internal static func serverHostnameImpossibleToMatch(hostname: String) -> NIOSSLExtraError {\n let description = \"The server hostname \\(hostname) cannot be matched due to containing non-DNS characters\"\n return NIOSSLExtraError(baseError: .serverHostnameImpossibleToMatch, description: description)\n }\n\n @inline(never)\n internal static func cannotUseIPAddressInSNI(ipAddress: String) -> NIOSSLExtraError {\n let description = \"IP addresses cannot validly be used for Server Name Indication, got \\(ipAddress)\"\n return NIOSSLExtraError(baseError: .cannotUseIPAddressInSNI, description: description)\n }\n\n @inline(never)\n internal static func unknownPrivateKeyFileType(path: String) -> NIOSSLExtraError {\n let description = \"Unknown private key file type for \\(path)\"\n return NIOSSLExtraError(baseError: .unknownPrivateKeyFileType, description: description)\n }\n}\n\nextension NIOSSLExtraError: CustomStringConvertible {\n public var description: String {\n let formattedDescription = self._description.map { \": \" + $0 } ?? \"\"\n return \"NIOSSLExtraError.\\(String(describing: self.baseError))\\(formattedDescription)\"\n }\n}\n\nextension NIOSSLExtraError: Equatable {\n public static func == (lhs: NIOSSLExtraError, rhs: NIOSSLExtraError) -> Bool {\n lhs.baseError == rhs.baseError\n }\n}\n" }, { "path": "Sources/NIOSSL/SSLInit.swift", "content": "//===----------------------------------------------------------------------===//\n//\n// This source file is part of the SwiftNIO open source project\n//\n// Copyright (c) 2017-2018 Apple Inc. and the SwiftNIO project authors\n// Licensed under Apache License v2.0\n//\n// See LICENSE.txt for license information\n// See CONTRIBUTORS.txt for the list of SwiftNIO project authors\n//\n// SPDX-License-Identifier: Apache-2.0\n//\n//===----------------------------------------------------------------------===//\n\n@_implementationOnly import CNIOBoringSSL\n\n/// Initialize BoringSSL. Note that this function IS NOT THREAD SAFE, and so must be called inside\n/// either an explicit or implicit dispatch_once.\nfunc initializeBoringSSL() -> Bool {\n CNIOBoringSSL_CRYPTO_library_init()\n return true\n}\n" }, { "path": "Sources/NIOSSL/SSLPKCS12Bundle.swift", "content": "//===----------------------------------------------------------------------===//\n//\n// This source file is part of the SwiftNIO open source project\n//\n// Copyright (c) 2017-2021 Apple Inc. and the SwiftNIO project authors\n// Licensed under Apache License v2.0\n//\n// See LICENSE.txt for license information\n// See CONTRIBUTORS.txt for the list of SwiftNIO project authors\n//\n// SPDX-License-Identifier: Apache-2.0\n//\n//===----------------------------------------------------------------------===//\n\n@_implementationOnly import CNIOBoringSSL\n\n/// A container for a single PKCS#12 bundle.\n///\n/// PKCS#12 is a specification that defines an archive format for storing multiple\n/// cryptographic objects together in one file. Its most common usage, and the one\n/// that SwiftNIO is most interested in, is its use to bundle one or more X.509\n/// certificates (``NIOSSLCertificate``) together with an associated private key\n/// (``NIOSSLPrivateKey``).\n///\n/// ### Working with TLSConfiguration\n///\n/// In many cases users will want to configure a ``TLSConfiguration`` with the data\n/// from a PKCS#12 bundle. This object assists in unpacking that bundle into its\n/// associated pieces.\n///\n/// If you have a PKCS12 bundle, you configure a ``TLSConfiguration`` like this:\n///\n/// let p12Bundle = NIOSSLPKCS12Bundle(file: pathToMyP12)\n/// let config = TLSConfiguration.makeServerConfiguration(\n/// certificateChain: p12Bundle.certificateChain,\n/// privateKey: p12Bundle.privateKey\n/// )\n///\n/// The created ``TLSConfiguration`` can then be safely used for your endpoint.\npublic struct NIOSSLPKCS12Bundle: Hashable {\n /// The chain of ``NIOSSLCertificate`` objects in the PKCS#12 bundle.\n public let certificateChain: [NIOSSLCertificate]\n\n /// The ``NIOSSLPrivateKey`` object for the leaf certificate in the PKCS#12 bundle.\n public let privateKey: NIOSSLPrivateKey\n\n private init(ref: OpaquePointer, passphrase: Bytes?) throws where Bytes.Element == UInt8 {\n var pkey: OpaquePointer? = nil // \n var cert: OpaquePointer? = nil // \n var caCerts: OpaquePointer? = nil\n\n let rc = try passphrase.withSecureCString { passphrase in\n CNIOBoringSSL_PKCS12_parse(ref, passphrase, &pkey, &cert, &caCerts)\n }\n guard rc == 1 else {\n throw BoringSSLError.unknownError(BoringSSLError.buildErrorStack())\n }\n\n // Successfully parsed, let's unpack. The key and cert are mandatory,\n // the ca stack is not.\n guard let actualCert = cert, let actualKey = pkey else {\n fatalError(\"Failed to obtain cert and pkey from a PKC12 file\")\n }\n\n let certStackSize = caCerts.map { CNIOBoringSSL_sk_X509_num($0) } ?? 0\n var certs = [NIOSSLCertificate]()\n certs.reserveCapacity(Int(certStackSize) + 1)\n certs.append(NIOSSLCertificate.fromUnsafePointer(takingOwnership: actualCert))\n\n for idx in 0..(buffer: [UInt8], passphrase: Bytes?) throws where Bytes.Element == UInt8 {\n guard boringSSLIsInitialized else { fatalError(\"Failed to initialize BoringSSL\") }\n\n let p12 = buffer.withUnsafeBytes { pointer -> OpaquePointer? in\n let bio = CNIOBoringSSL_BIO_new_mem_buf(pointer.baseAddress, pointer.count)!\n defer {\n CNIOBoringSSL_BIO_free(bio)\n }\n return CNIOBoringSSL_d2i_PKCS12_bio(bio, nil)\n }\n defer {\n p12.map { CNIOBoringSSL_PKCS12_free($0) }\n }\n\n if let p12 = p12 {\n try self.init(ref: p12, passphrase: passphrase)\n } else {\n throw BoringSSLError.unknownError(BoringSSLError.buildErrorStack())\n }\n }\n\n /// Create a ``NIOSSLPKCS12Bundle`` from the given bytes on disk,\n /// optionally decrypting the bundle with the given passphrase.\n ///\n /// - parameters:\n /// - file: The path to the PKCS#12 bundle on disk.\n /// - passphrase: The passphrase used for the bundle, as a sequence of UTF-8 bytes.\n public init(file: String, passphrase: Bytes?) throws where Bytes.Element == UInt8 {\n guard boringSSLIsInitialized else { fatalError(\"Failed to initialize BoringSSL\") }\n\n let fileObject = try Posix.fopen(file: file, mode: \"rb\")\n defer {\n fclose(fileObject)\n }\n\n let p12 = CNIOBoringSSL_d2i_PKCS12_fp(fileObject, nil)\n defer {\n p12.map(CNIOBoringSSL_PKCS12_free)\n }\n\n if let p12 = p12 {\n try self.init(ref: p12, passphrase: passphrase)\n } else {\n throw BoringSSLError.unknownError(BoringSSLError.buildErrorStack())\n }\n }\n\n /// Create a ``NIOSSLPKCS12Bundle`` from the given bytes on disk,\n /// assuming it has no passphrase.\n ///\n /// If the bundle does have a passphrase, call ``init(file:passphrase:)`` instead.\n ///\n /// - parameters:\n /// - file: The path to the PKCS#12 bundle on disk.\n public init(file: String) throws {\n try self.init(file: file, passphrase: Optional<[UInt8]>.none)\n }\n\n /// Create a ``NIOSSLPKCS12Bundle`` from the given bytes in memory,\n /// assuming it has no passphrase.\n ///\n /// If the bundle does have a passphrase, call ``init(buffer:passphrase:)`` instead.\n ///\n /// - parameters:\n /// - buffer: The bytes of the PKCS#12 bundle.\n public init(buffer: [UInt8]) throws {\n try self.init(buffer: buffer, passphrase: Optional<[UInt8]>.none)\n }\n}\n\nextension NIOSSLPKCS12Bundle: Sendable {}\n\nextension NIOSSLPKCS12Bundle {\n /// Create a ``NIOSSLPKCS12Bundle`` from the given certificate chain and private key.\n /// This constructor is particularly useful to create a new PKCS#12 file:\n /// call ``serialize(passphrase:)`` to get the bytes making up the file.\n ///\n /// - parameters:\n /// - certificateChain: The chain of ``NIOSSLCertificate`` objects in the PKCS#12 bundle.\n /// - privateKey: The ``NIOSSLPrivateKey`` object for the leaf certificate in the PKCS#12 bundle.\n public init(\n certificateChain: [NIOSSLCertificate],\n privateKey: NIOSSLPrivateKey\n ) {\n self.certificateChain = certificateChain\n self.privateKey = privateKey\n }\n\n /// Serialize this bundle into a PKCS#12 file.\n ///\n /// The first certificate of the `certificateChain` array will be considered the \"primary\" certificate for\n /// this PKCS#12, and the bundle's`privateKey` must be its corresponding private key.\n /// The other certificates included in `certificates`, if any, will be considered as additional\n /// certificates in the certificate chain.\n ///\n /// - Parameters:\n /// - passphrase: The password with which to protect this PKCS#12 file.\n /// - Returns: An array of bytes making up the PKCS#12 file.\n public func serialize(\n passphrase: Bytes\n ) throws -> [UInt8] where Bytes.Element == UInt8 {\n guard let mainCertificate = self.certificateChain.first else {\n preconditionFailure(\"At least one certificate must be provided\")\n }\n\n let certificateChainStack = CNIOBoringSSL_sk_X509_new(nil)\n\n defer {\n CNIOBoringSSL_sk_X509_pop_free(certificateChainStack, CNIOBoringSSL_X509_free)\n }\n\n for additionalCertificate in self.certificateChain.dropFirst() {\n let result = additionalCertificate.withUnsafeMutableX509Pointer { certificate in\n CNIOBoringSSL_X509_up_ref(certificate)\n return CNIOBoringSSL_sk_X509_push(certificateChainStack, certificate)\n }\n if result == 0 {\n fatalError(\"Failed to add certificate to chain\")\n }\n }\n\n let pkcs12 = try passphrase.withSecureCString { passphrase in\n privateKey.withUnsafeMutableEVPPKEYPointer { privateKey in\n mainCertificate.withUnsafeMutableX509Pointer { certificate in\n CNIOBoringSSL_PKCS12_create(\n passphrase,\n nil,\n privateKey,\n certificate,\n certificateChainStack,\n 0,\n 0,\n 0,\n 0,\n 0\n )\n }\n }\n }\n\n defer {\n CNIOBoringSSL_PKCS12_free(pkcs12)\n }\n\n guard let bio = CNIOBoringSSL_BIO_new(CNIOBoringSSL_BIO_s_mem()) else {\n fatalError(\"Failed to malloc for a BIO handler\")\n }\n\n defer {\n CNIOBoringSSL_BIO_free(bio)\n }\n\n let rc = CNIOBoringSSL_i2d_PKCS12_bio(bio, pkcs12)\n guard rc == 1 else {\n let errorStack = BoringSSLError.buildErrorStack()\n throw BoringSSLError.unknownError(errorStack)\n }\n\n var dataPtr: UnsafeMutablePointer? = nil\n let length = CNIOBoringSSL_BIO_get_mem_data(bio, &dataPtr)\n guard let bytes = dataPtr.map({ UnsafeMutableRawBufferPointer(start: $0, count: length) }) else {\n fatalError(\"Failed to get bytes from private key\")\n }\n\n return Array(bytes)\n }\n}\n\nextension Collection where Element == UInt8 {\n /// Provides a contiguous copy of the bytes of this collection in a heap-allocated\n /// memory region that is locked into memory (that is, which can never be backed by a file),\n /// and which will be scrubbed and freed after use, and which is null-terminated.\n ///\n /// This method should be used when it is necessary to take a secure copy of a collection of\n /// bytes. Its implementation relies on BoringSSL directly.\n func withSecureCString(_ block: (UnsafePointer) throws -> T) throws -> T {\n // We need to allocate some memory and prevent it being swapped to disk while we use it.\n // For that reason we use mlock.\n let bufferSize = Int(self.count) + 1\n let bufferPtr = UnsafeMutableBufferPointer.allocate(capacity: bufferSize)\n defer {\n bufferPtr.deallocate()\n }\n\n try Posix.mlock(addr: bufferPtr.baseAddress!, len: bufferPtr.count)\n defer {\n // If munlock fails take out the process.\n try! Posix.munlock(addr: bufferPtr.baseAddress!, len: bufferPtr.count)\n }\n\n let (_, nextIndex) = bufferPtr.initialize(from: self)\n assert(nextIndex == (bufferPtr.endIndex - 1))\n\n // Add a null terminator.\n bufferPtr[nextIndex] = 0\n\n defer {\n // We use OpenSSL_cleanse here because the compiler can't optimize this away.\n // .initialize(repeating: 0) can be, and empirically is, optimized away, bzero\n // is deprecated, memset_s is not well supported cross-platform, and memset-to-zero\n // is famously easily optimised away. This is our best bet.\n CNIOBoringSSL_OPENSSL_cleanse(bufferPtr.baseAddress!, bufferPtr.count)\n bufferPtr.baseAddress!.deinitialize(count: bufferPtr.count)\n }\n\n // Ok, the memory is ready for use. Call the user.\n return try bufferPtr.withMemoryRebound(to: Int8.self) {\n try block($0.baseAddress!)\n }\n }\n}\n\nextension Optional where Wrapped: Collection, Wrapped.Element == UInt8 {\n func withSecureCString(_ block: (UnsafePointer?) throws -> T) throws -> T {\n if let `self` = self {\n return try self.withSecureCString({ try block($0) })\n } else {\n return try block(nil)\n }\n }\n}\n" }, { "path": "Sources/NIOSSL/SSLPrivateKey.swift", "content": "//===----------------------------------------------------------------------===//\n//\n// This source file is part of the SwiftNIO open source project\n//\n// Copyright (c) 2017-2018 Apple Inc. and the SwiftNIO project authors\n// Licensed under Apache License v2.0\n//\n// See LICENSE.txt for license information\n// See CONTRIBUTORS.txt for the list of SwiftNIO project authors\n//\n// SPDX-License-Identifier: Apache-2.0\n//\n//===----------------------------------------------------------------------===//\n\n@_implementationOnly import CNIOBoringSSL\n\n/// An ``NIOSSLPassphraseCallback`` is a callback that will be invoked by NIOSSL when it needs to\n/// get access to a private key that is stored in encrypted form.\n///\n/// This callback will be invoked with one argument, a non-escaping closure that must be called with the\n/// passphrase. Failing to call the closure will cause decryption to fail.\n///\n/// The reason this design has been used is to allow you to secure any memory storing the passphrase after\n/// use. We guarantee that after the ``NIOSSLPassphraseSetter`` closure has been invoked the `Collection`\n/// you have passed in will no longer be needed by BoringSSL, and so you can safely destroy any memory it\n/// may be using if you need to.\npublic typealias NIOSSLPassphraseCallback = (NIOSSLPassphraseSetter) throws -> Void\nwhere Bytes.Element == UInt8\n\n/// An ``NIOSSLPassphraseSetter`` is a closure that you must invoke to provide a passphrase to BoringSSL.\n/// It will be provided to you when your ``NIOSSLPassphraseCallback`` is invoked.\npublic typealias NIOSSLPassphraseSetter = (Bytes) -> Void where Bytes.Element == UInt8\n\n/// An internal protocol that exists to let us avoid problems with generic types.\n///\n/// The issue we have here is that we want to allow users to use whatever collection type suits them best to set\n/// the passphrase. For this reason, ``NIOSSLPassphraseSetter`` is a generic function, generic over the `Collection`\n/// protocol. However, that causes us an issue, because we need to stuff that callback into an\n/// ``BoringSSLPassphraseCallbackManager`` in order to create an `Unmanaged` and round-trip the pointer through C code.\n///\n/// That makes ``BoringSSLPassphraseCallbackManager`` a generic object, and now we're in *real* trouble, becuase\n/// `Unmanaged` requires us to specify the *complete* type of the object we want to unwrap. In this case, we\n/// don't know it, because it's generic!\n///\n/// Our way out is to note that while the class itself is generic, the only function we want to call in the\n/// ``globalBoringSSLPassphraseCallback`` is not. Thus, rather than try to hold the actual specific ``BoringSSLPassphraseManager``,\n/// we can hold it inside a protocol existential instead, so long as that protocol existential gives us the correct\n/// function to call. Hence: ``CallbackManagerProtocol``, a private protocol with a single conforming type.\ninternal protocol CallbackManagerProtocol: AnyObject {\n func invoke(buffer: UnsafeMutableBufferPointer) -> CInt\n}\n\n/// This class exists primarily to work around the fact that Swift does not let us stuff\n/// a closure into an `Unmanaged`. Instead, we use this object to keep hold of it.\nfinal class BoringSSLPassphraseCallbackManager: CallbackManagerProtocol\nwhere Bytes.Element == UInt8 {\n private let userCallback: NIOSSLPassphraseCallback\n\n init(userCallback: @escaping NIOSSLPassphraseCallback) {\n // We have to type-erase this.\n self.userCallback = userCallback\n }\n\n func invoke(buffer: UnsafeMutableBufferPointer) -> CInt {\n var count: CInt = 0\n\n do {\n try self.userCallback { passphraseBytes in\n // If we don't have enough space for the passphrase plus NUL, bail out.\n guard passphraseBytes.count < buffer.count else { return }\n _ = buffer.initialize(from: passphraseBytes.lazy.map { CChar($0) })\n count = CInt(passphraseBytes.count)\n\n // We need to add a NUL terminator, in case the user did not.\n buffer[Int(passphraseBytes.count)] = 0\n }\n } catch {\n // If we hit an error here, we just need to tolerate it. We'll return zero-length.\n count = 0\n }\n\n return count\n }\n}\n\n/// Our global static BoringSSL passphrase callback. This is used as a thunk to dispatch out to\n/// the user-provided callback.\nfunc globalBoringSSLPassphraseCallback(\n buf: UnsafeMutablePointer?,\n size: CInt,\n rwflag: CInt,\n u: UnsafeMutableRawPointer?\n) -> CInt {\n guard let buffer = buf, let userData = u else {\n preconditionFailure(\n \"Invalid pointers passed to passphrase callback, buf: \\(String(describing: buf)) u: \\(String(describing: u))\"\n )\n }\n let bufferPointer = UnsafeMutableBufferPointer(start: buffer, count: Int(size))\n guard let cbManager = Unmanaged.fromOpaque(userData).takeUnretainedValue() as? CallbackManagerProtocol\n else {\n preconditionFailure(\"Failed to pass object that can handle callback\")\n }\n return cbManager.invoke(buffer: bufferPointer)\n}\n\n/// A reference to an BoringSSL private key object in the form of an `EVP_PKEY *`.\n///\n/// This thin wrapper class allows us to use ARC to automatically manage\n/// the memory associated with this key. That ensures that BoringSSL\n/// will not free the underlying buffer until we are done with the key.\n///\n/// This class also provides several convenience constructors that allow users\n/// to obtain an in-memory representation of a key from a buffer of\n/// bytes or from a file path.\npublic final class NIOSSLPrivateKey {\n @usableFromInline\n internal enum Representation {\n case native(OpaquePointer) // \n case custom(AnyNIOSSLCustomPrivateKey)\n }\n\n @usableFromInline\n internal let representation: Representation\n\n internal func withUnsafeMutableEVPPKEYPointer(\n _ body: (OpaquePointer) throws -> ReturnType\n ) rethrows -> ReturnType {\n guard case .native(let pointer) = self.representation else {\n preconditionFailure()\n }\n\n return try body(pointer)\n }\n\n private init(withReference ref: OpaquePointer) {\n self.representation = .native(ref)\n }\n\n /// A delegating initializer for `init(file:format:passphraseCallback)` and `init(file:format:)`.\n private convenience init(\n file: String,\n format: NIOSSLSerializationFormats,\n callbackManager: CallbackManagerProtocol?\n ) throws {\n let fileObject = try Posix.fopen(file: file, mode: \"rb\")\n defer {\n // If fclose fails there is nothing we can do about it.\n _ = try? Posix.fclose(file: fileObject)\n }\n\n let key = withExtendedLifetime(callbackManager) { callbackManager -> OpaquePointer? in\n guard let bio = CNIOBoringSSL_BIO_new_fp(fileObject, BIO_NOCLOSE) else {\n return nil\n }\n defer {\n CNIOBoringSSL_BIO_free(bio)\n }\n\n switch format {\n case .pem:\n // This annoying conditional binding is used to work around the fact that I cannot pass\n // a variable to a function pointer argument.\n if let callbackManager = callbackManager {\n return CNIOBoringSSL_PEM_read_PrivateKey(\n fileObject,\n nil,\n { globalBoringSSLPassphraseCallback(buf: $0, size: $1, rwflag: $2, u: $3) },\n Unmanaged.passUnretained(callbackManager as AnyObject).toOpaque()\n )\n } else {\n return CNIOBoringSSL_PEM_read_PrivateKey(fileObject, nil, nil, nil)\n }\n case .der:\n return CNIOBoringSSL_d2i_PrivateKey_fp(fileObject, nil)\n }\n }\n\n if key == nil {\n throw NIOSSLError.failedToLoadPrivateKey\n }\n\n self.init(withReference: key!)\n }\n\n /// A delegating initializer for `init(buffer:format:passphraseCallback)` and `init(buffer:format:)`.\n private convenience init(\n bytes: [UInt8],\n format: NIOSSLSerializationFormats,\n callbackManager: CallbackManagerProtocol?\n ) throws {\n let ref = bytes.withUnsafeBytes { (ptr) -> OpaquePointer? in\n let bio = CNIOBoringSSL_BIO_new_mem_buf(ptr.baseAddress!, ptr.count)!\n defer {\n CNIOBoringSSL_BIO_free(bio)\n }\n\n return withExtendedLifetime(callbackManager) { callbackManager -> OpaquePointer? in\n switch format {\n case .pem:\n if let callbackManager = callbackManager {\n // This annoying conditional binding is used to work around the fact that I cannot pass\n // a variable to a function pointer argument.\n return CNIOBoringSSL_PEM_read_bio_PrivateKey(\n bio,\n nil,\n { globalBoringSSLPassphraseCallback(buf: $0, size: $1, rwflag: $2, u: $3) },\n Unmanaged.passUnretained(callbackManager as AnyObject).toOpaque()\n )\n } else {\n return CNIOBoringSSL_PEM_read_bio_PrivateKey(bio, nil, nil, nil)\n }\n case .der:\n return CNIOBoringSSL_d2i_PrivateKey_bio(bio, nil)\n }\n }\n }\n\n if ref == nil {\n throw NIOSSLError.failedToLoadPrivateKey\n }\n\n self.init(withReference: ref!)\n }\n\n /// Create a ``NIOSSLPrivateKey`` from a file at a given path in either PEM or\n /// DER format.\n ///\n /// - parameters:\n /// - file: The path to the file to load.\n /// - format: The format of the key to load, either DER or PEM.\n public convenience init(file: String, format: NIOSSLSerializationFormats) throws {\n try self.init(file: file, format: format, callbackManager: nil)\n }\n\n /// Create a ``NIOSSLPrivateKey`` from a file at a given path in either PEM or\n /// DER format, providing a passphrase callback.\n ///\n /// - parameters:\n /// - file: The path to the file to load.\n /// - format: The format of the key to load, either DER or PEM.\n /// - passphraseCallback: A callback to invoke to obtain the passphrase for\n /// encrypted keys.\n public convenience init(\n file: String,\n format: NIOSSLSerializationFormats,\n passphraseCallback: @escaping NIOSSLPassphraseCallback\n ) throws where T.Element == UInt8 {\n let manager = BoringSSLPassphraseCallbackManager(userCallback: passphraseCallback)\n try self.init(file: file, format: format, callbackManager: manager)\n }\n\n /// Create a ``NIOSSLPrivateKey`` from a buffer of bytes in either PEM or\n /// DER format.\n ///\n /// - parameters:\n /// - buffer: The key bytes.\n /// - format: The format of the key to load, either DER or PEM.\n /// - SeeAlso: ``NIOSSLPrivateKey/init(bytes:format:)``\n @available(*, deprecated, renamed: \"NIOSSLPrivateKey.init(bytes:format:)\")\n public convenience init(buffer: [Int8], format: NIOSSLSerializationFormats) throws {\n try self.init(bytes: buffer.map(UInt8.init), format: format)\n }\n\n /// Create a ``NIOSSLPrivateKey`` from a buffer of bytes in either PEM or\n /// DER format.\n ///\n /// - parameters:\n /// - bytes: The key bytes.\n /// - format: The format of the key to load, either DER or PEM.\n public convenience init(bytes: [UInt8], format: NIOSSLSerializationFormats) throws {\n try self.init(bytes: bytes, format: format, callbackManager: nil)\n }\n\n /// Create a ``NIOSSLPrivateKey`` from a buffer of bytes in either PEM or\n /// DER format.\n ///\n /// - parameters:\n /// - buffer: The key bytes.\n /// - format: The format of the key to load, either DER or PEM.\n /// - passphraseCallback: Optionally a callback to invoke to obtain the passphrase for\n /// encrypted keys. If not provided, or set to `nil`, the default BoringSSL\n /// behaviour will be used, which prints a prompt and requests the passphrase from\n /// stdin.\n /// - SeeAlso: `NIOSSLPrivateKey.init(bytes:format:passphraseCallback:)`\n @available(*, deprecated, renamed: \"NIOSSLPrivateKey.init(bytes:format:passphraseCallback:)\")\n public convenience init(\n buffer: [Int8],\n format: NIOSSLSerializationFormats,\n passphraseCallback: @escaping NIOSSLPassphraseCallback\n ) throws where T.Element == UInt8 {\n try self.init(bytes: buffer.map(UInt8.init), format: format, passphraseCallback: passphraseCallback)\n }\n\n /// Create a ``NIOSSLPrivateKey`` from a buffer of bytes in either PEM or\n /// DER format.\n ///\n /// - parameters:\n /// - bytes: The key bytes.\n /// - format: The format of the key to load, either DER or PEM.\n /// - passphraseCallback: Optionally a callback to invoke to obtain the passphrase for\n /// encrypted keys. If not provided, or set to `nil`, the default BoringSSL\n /// behaviour will be used, which prints a prompt and requests the passphrase from\n /// stdin.\n public convenience init(\n bytes: [UInt8],\n format: NIOSSLSerializationFormats,\n passphraseCallback: @escaping NIOSSLPassphraseCallback\n ) throws where T.Element == UInt8 {\n let manager = BoringSSLPassphraseCallbackManager(userCallback: passphraseCallback)\n try self.init(bytes: bytes, format: format, callbackManager: manager)\n }\n\n /// Create a ``NIOSSLPrivateKey`` from a custom private key callback.\n ///\n /// The private key, in addition to needing to conform to ``NIOSSLCustomPrivateKey``,\n /// is also required to be `Hashable`. This is because ``NIOSSLPrivateKey``s are `Hashable`.\n ///\n /// - parameters:\n /// - customPrivateKey: The custom private key to use with the TLS certificate.\n @inlinable\n public init(customPrivateKey: CustomKey) {\n self.representation = .custom(AnyNIOSSLCustomPrivateKey(customPrivateKey))\n }\n\n /// Create an NIOSSLPrivateKey wrapping a pointer into BoringSSL.\n ///\n /// This is a function that should be avoided as much as possible because it plays poorly with\n /// BoringSSL's reference-counted memory. This function does not increment the reference count for the EVP_PKEY\n /// object here, nor does it duplicate it: it just takes ownership of the copy here. This object\n /// **will** deallocate the underlying EVP_PKEY object when deinited, and so if you need to keep that\n /// EVP_PKEY object alive you create a new EVP_PKEY before passing that object here.\n ///\n /// In general, however, this function should be avoided in favour of one of the convenience\n /// initializers, which ensure that the lifetime of the EVP_PKEY object is better-managed.\n static internal func fromUnsafePointer(takingOwnership pointer: OpaquePointer) -> NIOSSLPrivateKey {\n NIOSSLPrivateKey(withReference: pointer)\n }\n\n deinit {\n switch self.representation {\n case .native(let ref):\n CNIOBoringSSL_EVP_PKEY_free(ref)\n case .custom:\n // Merely dropping the ref is enough.\n ()\n }\n }\n}\n\n// NIOSSLPrivateKey is publicly immutable and we do not internally mutate it after initialisation.\n// It is therefore Sendable.\nextension NIOSSLPrivateKey: @unchecked Sendable {}\n\n// MARK:- Utilities\nextension NIOSSLPrivateKey {\n /// Calls the given body function with a temporary buffer containing the DER-encoded bytes of this\n /// private key. This function does allocate for these bytes, but there is no way to avoid doing so with the\n /// X509 API in BoringSSL.\n ///\n /// The pointer provided to the closure is not valid beyond the lifetime of this method call.\n ///\n /// This method is only safe to call on native private keys.\n private static func withUnsafeDERBuffer(\n of ref: OpaquePointer,\n _ body: (UnsafeRawBufferPointer) throws -> T\n ) throws -> T {\n guard let bio = CNIOBoringSSL_BIO_new(CNIOBoringSSL_BIO_s_mem()) else {\n fatalError(\"Failed to malloc for a BIO handler\")\n }\n\n defer {\n CNIOBoringSSL_BIO_free(bio)\n }\n\n let rc = CNIOBoringSSL_i2d_PrivateKey_bio(bio, ref)\n guard rc == 1 else {\n let errorStack = BoringSSLError.buildErrorStack()\n throw BoringSSLError.unknownError(errorStack)\n }\n\n var dataPtr: UnsafeMutablePointer? = nil\n let length = CNIOBoringSSL_BIO_get_mem_data(bio, &dataPtr)\n\n guard let bytes = dataPtr.map({ UnsafeRawBufferPointer(start: $0, count: length) }) else {\n fatalError(\"Failed to map bytes from a private key\")\n }\n\n return try body(bytes)\n }\n\n /// The custom signing algorithms required by this private key, if any.\n ///\n /// Is `nil` when the key is a native key, as this is handled by BoringSSL.\n internal var customSigningAlgorithms: [SignatureAlgorithm]? {\n switch self.representation {\n case .native:\n return nil\n case .custom(let customKey):\n return customKey.signatureAlgorithms\n }\n }\n\n /// Extracts the bytes of this private key in DER format.\n /// - Returns: The DER-encoded bytes for this private key.\n public var derBytes: [UInt8] {\n get throws {\n switch self.representation {\n case .native(let evpKey):\n return try Self.withUnsafeDERBuffer(of: evpKey) { Array($0) }\n case .custom(let custom):\n return custom.derBytes\n }\n }\n }\n}\n\nextension NIOSSLPrivateKey: Equatable {\n public static func == (lhs: NIOSSLPrivateKey, rhs: NIOSSLPrivateKey) -> Bool {\n switch (lhs.representation, rhs.representation) {\n case (.native, .native):\n // Annoyingly, EVP_PKEY_cmp does not have a traditional return value pattern. 1 means equal, 0 means non-equal,\n // negative means error. Here we treat \"error\" as \"not equal\", because we have no error reporting mechanism from this call site,\n // and anyway, BoringSSL considers \"these keys aren't of the same type\" to be an error, which is in my mind pretty ludicrous.\n return lhs.withUnsafeMutableEVPPKEYPointer { lhsRef in\n rhs.withUnsafeMutableEVPPKEYPointer { rhsRef in\n CNIOBoringSSL_EVP_PKEY_cmp(lhsRef, rhsRef) == 1\n }\n }\n\n case (.custom(let lhsCustom), .custom(let rhsCustom)):\n return lhsCustom == rhsCustom\n\n case (.native, .custom), (.custom, .native):\n return false\n }\n }\n}\n\nextension NIOSSLPrivateKey: Hashable {\n public func hash(into hasher: inout Hasher) {\n switch self.representation {\n case .native(let ref):\n // Sadly, BoringSSL doesn't provide us with a nice key hashing function. We therefore have only two options:\n // we can either serialize the key into DER and feed that into the hasher, or we can attempt to hash the key parameters directly.\n // We could attempt the latter, but frankly it causes a lot of pain for minimal gain, so we don't bother. This incurs an allocation,\n // but that's ok. We crash if we hit an error here, as there is no way to recover.\n hasher.combine(0)\n try! NIOSSLPrivateKey.withUnsafeDERBuffer(of: ref) { hasher.combine(bytes: $0) }\n case .custom(let custom):\n hasher.combine(1)\n custom.hash(into: &hasher)\n }\n }\n}\n\n@available(*, unavailable)\nextension NIOSSLPrivateKey.Representation: Sendable {}\n" }, { "path": "Sources/NIOSSL/SSLPublicKey.swift", "content": "//===----------------------------------------------------------------------===//\n//\n// This source file is part of the SwiftNIO open source project\n//\n// Copyright (c) 2017-2018 Apple Inc. and the SwiftNIO project authors\n// Licensed under Apache License v2.0\n//\n// See LICENSE.txt for license information\n// See CONTRIBUTORS.txt for the list of SwiftNIO project authors\n//\n// SPDX-License-Identifier: Apache-2.0\n//\n//===----------------------------------------------------------------------===//\n\n@_implementationOnly import CNIOBoringSSL\n\n/// A ``NIOSSLPublicKey`` is an abstract handle to a public key owned by BoringSSL.\n///\n/// This object is of minimal utility, as it cannot be used for very many operations\n/// in ``NIOSSL``. Its primary purpose is to allow extracting public keys from\n/// ``NIOSSLCertificate`` objects to be serialized, so that they can be passed to\n/// general-purpose cryptography libraries.\npublic final class NIOSSLPublicKey {\n private let ref: OpaquePointer // \n\n fileprivate init(withOwnedReference ref: OpaquePointer) {\n self.ref = ref\n }\n\n deinit {\n CNIOBoringSSL_EVP_PKEY_free(self.ref)\n }\n}\n\n// NIOSSLPublicKey is publicly immutable and we do not internally mutate it after initialisation.\n// It is therefore Sendable.\nextension NIOSSLPublicKey: @unchecked Sendable {}\n\n// MARK:- Helpful initializers\nextension NIOSSLPublicKey {\n /// Create a ``NIOSSLPublicKey`` object from an internal `EVP_PKEY` pointer.\n ///\n /// This method expects `pointer` to be passed at +1, and consumes that reference.\n ///\n /// - parameters:\n /// - pointer: A pointer to an `EVP_PKEY` structure containing the public key.\n /// - returns: An `NIOSSLPublicKey` wrapping the pointer.\n internal static func fromInternalPointer(takingOwnership pointer: OpaquePointer) -> NIOSSLPublicKey {\n NIOSSLPublicKey(withOwnedReference: pointer)\n }\n}\n\nextension NIOSSLPublicKey {\n /// Extracts the bytes of this public key in the SubjectPublicKeyInfo format.\n ///\n /// The SubjectPublicKeyInfo format is defined in RFC 5280. In addition to the raw key bytes, it also\n /// provides an identifier of the algorithm, ensuring that the key can be unambiguously decoded.\n ///\n /// - returns: The DER-encoded SubjectPublicKeyInfo bytes for this public key.\n /// - throws: If an error occurred while serializing the key.\n public func toSPKIBytes() throws -> [UInt8] {\n guard let bio = CNIOBoringSSL_BIO_new(CNIOBoringSSL_BIO_s_mem()) else {\n fatalError(\"Failed to malloc for a BIO handler\")\n }\n\n defer {\n CNIOBoringSSL_BIO_free(bio)\n }\n\n let rc = CNIOBoringSSL_i2d_PUBKEY_bio(bio, self.ref)\n guard rc == 1 else {\n let errorStack = BoringSSLError.buildErrorStack()\n throw BoringSSLError.unknownError(errorStack)\n }\n\n var dataPtr: UnsafeMutablePointer? = nil\n let length = CNIOBoringSSL_BIO_get_mem_data(bio, &dataPtr)\n\n guard let bytes = dataPtr.map({ UnsafeMutableRawBufferPointer(start: $0, count: length) }) else {\n fatalError(\"Failed to map bytes from a public key\")\n }\n\n return Array(bytes)\n }\n}\n" }, { "path": "Sources/NIOSSL/SecurityFrameworkCertificateVerification.swift", "content": "//===----------------------------------------------------------------------===//\n//\n// This source file is part of the SwiftNIO open source project\n//\n// Copyright (c) 2017-2021 Apple Inc. and the SwiftNIO project authors\n// Licensed under Apache License v2.0\n//\n// See LICENSE.txt for license information\n// See CONTRIBUTORS.txt for the list of SwiftNIO project authors\n//\n// SPDX-License-Identifier: Apache-2.0\n//\n//===----------------------------------------------------------------------===//\n@_implementationOnly import CNIOBoringSSL\nimport NIOCore\n\n// We can only use Security.framework to validate TLS certificates on Apple platforms.\n#if canImport(Darwin)\nimport Dispatch\nimport Foundation\n@preconcurrency import Security\n\nextension SSLConnection {\n func performSecurityFrameworkValidation(\n promise: EventLoopPromise,\n peerCertificates: [SecCertificate]\n ) {\n do {\n guard case .default = self.parentContext.configuration.trustRoots ?? .default else {\n preconditionFailure(\"This callback should only be used if we are using the system-default trust.\")\n }\n\n let expectedHostname = self.validateHostnames ? self.expectedHostname : nil\n\n // This force-unwrap is safe as we must have decided if we're a client or a server before validation.\n var trust: SecTrust? = nil\n var result: OSStatus\n let policy = SecPolicyCreateSSL(self.role! == .client, expectedHostname as CFString?)\n result = SecTrustCreateWithCertificates(peerCertificates as CFArray, policy, &trust)\n guard result == errSecSuccess, let actualTrust = trust else {\n throw NIOSSLError.unableToValidateCertificate\n }\n\n // If there are additional trust roots then we need to add them to the SecTrust as anchors.\n let additionalAnchorCertificates: [SecCertificate] = try self.parentContext.configuration\n .additionalTrustRoots.flatMap { trustRoots -> [NIOSSLCertificate] in\n guard case .certificates(let certs) = trustRoots else {\n preconditionFailure(\n \"This callback happens on the request path, file-based additional trust roots should be pre-loaded when creating the SSLContext.\"\n )\n }\n return certs\n }.map {\n guard let secCert = SecCertificateCreateWithData(nil, Data(try $0.toDERBytes()) as CFData) else {\n throw NIOSSLError.failedToLoadCertificate\n }\n return secCert\n }\n if !additionalAnchorCertificates.isEmpty {\n guard\n SecTrustSetAnchorCertificates(actualTrust, additionalAnchorCertificates as CFArray) == errSecSuccess\n else {\n throw NIOSSLError.failedToLoadCertificate\n }\n // To use additional anchors _and_ the built-in ones we must reenable the built-in ones expicitly.\n guard SecTrustSetAnchorCertificatesOnly(actualTrust, false) == errSecSuccess else {\n throw NIOSSLError.failedToLoadCertificate\n }\n }\n\n // We create a DispatchQueue here to be called back on, as this validation may perform network activity.\n let callbackQueue = DispatchQueue(label: \"io.swiftnio.ssl.validationCallbackQueue\")\n\n // SecTrustEvaluateAsync and its cousin withError require that they are called from the same queue given to\n // them as a parameter. Thus, we async away now.\n callbackQueue.async {\n let result: OSStatus\n\n if #available(iOS 13, macOS 10.15, tvOS 13, watchOS 6, *) {\n result = SecTrustEvaluateAsyncWithError(actualTrust, callbackQueue) { (_, valid, _) in\n promise.succeed(valid ? .certificateVerified : .failed)\n }\n } else {\n result = SecTrustEvaluateAsync(actualTrust, callbackQueue) { (_, result) in\n promise.completeWith(result)\n }\n }\n\n if result != errSecSuccess {\n promise.fail(NIOSSLError.unableToValidateCertificate)\n }\n }\n } catch {\n promise.fail(error)\n }\n }\n}\n\nextension EventLoopPromise where Value == NIOSSLVerificationResult {\n fileprivate func completeWith(_ result: SecTrustResultType) {\n switch result {\n case .proceed, .unspecified:\n // These two cases mean we have successfully validated the certificate. We're done!\n self.succeed(.certificateVerified)\n default:\n // Oops, we failed.\n self.succeed(.failed)\n }\n }\n}\n\nextension SSLConnection {\n func getPeerCertificatesAsSecCertificate() throws -> [SecCertificate] {\n try self.withPeerCertificateChainBuffers { buffers in\n guard let buffers = buffers else {\n throw NIOSSLError.unableToValidateCertificate\n }\n\n return try buffers.map { buffer in\n let data = Data(bytes: buffer.baseAddress!, count: buffer.count)\n guard let cert = SecCertificateCreateWithData(nil, data as CFData) else {\n throw NIOSSLError.unableToValidateCertificate\n }\n return cert\n }\n }\n }\n}\n\n#endif\n" }, { "path": "Sources/NIOSSL/String+unsafeUninitializedCapacity.swift", "content": "//===----------------------------------------------------------------------===//\n//\n// This source file is part of the SwiftNIO open source project\n//\n// Copyright (c) 2017-2022 Apple Inc. and the SwiftNIO project authors\n// Licensed under Apache License v2.0\n//\n// See LICENSE.txt for license information\n// See CONTRIBUTORS.txt for the list of SwiftNIO project authors\n//\n// SPDX-License-Identifier: Apache-2.0\n//\n//===----------------------------------------------------------------------===//\n\nextension String {\n /// This is a backport of `String.init(unsafeUninitializedCapacity:initializingUTF8With:)`\n /// that allows writing directly into an uninitialized String's backing memory.\n ///\n /// As this API does not exist on older Apple platforms, we fake it out with a pointer and accept the extra copy.\n init(\n customUnsafeUninitializedCapacity capacity: Int,\n initializingUTF8With initializer: (_ buffer: UnsafeMutableBufferPointer) throws -> Int\n ) rethrows {\n if #available(macOS 11.0, iOS 14.0, tvOS 14.0, watchOS 7.0, *) {\n try self.init(unsafeUninitializedCapacity: capacity, initializingUTF8With: initializer)\n } else {\n try self.init(backportUnsafeUninitializedCapacity: capacity, initializingUTF8With: initializer)\n }\n }\n\n private init(\n backportUnsafeUninitializedCapacity capacity: Int,\n initializingUTF8With initializer: (_ buffer: UnsafeMutableBufferPointer) throws -> Int\n ) rethrows {\n let buffer = UnsafeMutableBufferPointer.allocate(capacity: capacity)\n defer {\n buffer.deallocate()\n }\n\n let initializedCount = try initializer(buffer)\n precondition(initializedCount <= capacity, \"Overran buffer in initializer!\")\n\n self = String(\n decoding: UnsafeMutableBufferPointer(start: buffer.baseAddress!, count: initializedCount),\n as: UTF8.self\n )\n }\n}\n" }, { "path": "Sources/NIOSSL/SubjectAlternativeName.swift", "content": "//===----------------------------------------------------------------------===//\n//\n// This source file is part of the SwiftNIO open source project\n//\n// Copyright (c) 2022 Apple Inc. and the SwiftNIO project authors\n// Licensed under Apache License v2.0\n//\n// See LICENSE.txt for license information\n// See CONTRIBUTORS.txt for the list of SwiftNIO project authors\n//\n// SPDX-License-Identifier: Apache-2.0\n//\n//===----------------------------------------------------------------------===//\n\n@_implementationOnly import CNIOBoringSSL\n@_implementationOnly import CNIOBoringSSLShims\nimport NIOCore\n\n#if canImport(Darwin)\nimport Darwin.C\n#elseif canImport(Musl)\nimport Musl\n#elseif canImport(Glibc)\nimport Glibc\n#elseif canImport(Android)\nimport Android\n#else\n#error(\"unsupported os\")\n#endif\n\n/// Collection of all Subject Alternative Names from a `NIOSSLCertificate`\npublic struct _SubjectAlternativeNames {\n\n @usableFromInline\n internal final class Storage {\n\n fileprivate let nameStack: OpaquePointer?\n @usableFromInline internal let stackSize: Int\n\n internal init(nameStack: OpaquePointer?) {\n self.nameStack = nameStack\n if let nameStack = nameStack {\n self.stackSize = CNIOBoringSSLShims_sk_GENERAL_NAME_num(nameStack)\n } else {\n self.stackSize = 0\n }\n }\n\n public subscript(position: Int) -> Element {\n guard let name = CNIOBoringSSLShims_sk_GENERAL_NAME_value(self.nameStack!, position) else {\n fatalError(\"Unexpected null pointer when unwrapping SAN value\")\n }\n\n let contents = UnsafeBufferPointer(\n start: CNIOBoringSSL_ASN1_STRING_get0_data(name.pointee.d.ia5),\n count: Int(CNIOBoringSSL_ASN1_STRING_length(name.pointee.d.ia5))\n )\n return .init(nameType: .init(name.pointee.type), contents: .init(collection: self, buffer: contents))\n }\n\n deinit {\n if let nameStack = self.nameStack {\n CNIOBoringSSL_GENERAL_NAMES_free(nameStack)\n }\n }\n }\n\n @usableFromInline internal var storage: Storage\n\n internal init(nameStack: OpaquePointer?) {\n self.storage = .init(nameStack: nameStack)\n }\n}\n\n// _SubjectAlternativeNames is immutable and therefore Sendable\nextension _SubjectAlternativeNames: @unchecked Sendable {}\n\n// _SubjectAlternativeNames.Storage is immutable and therefore Sendable\nextension _SubjectAlternativeNames.Storage: @unchecked Sendable {}\n\nextension _SubjectAlternativeNames: RandomAccessCollection {\n\n @inlinable public subscript(position: Int) -> _SubjectAlternativeName {\n precondition(self.indices.contains(position), \"index \\(position) out of bounds\")\n return self.storage[position]\n }\n\n @inlinable public var startIndex: Int { 0 }\n @inlinable public var endIndex: Int { self.storage.stackSize }\n}\n\npublic struct _SubjectAlternativeName {\n\n public struct NameType: Hashable, Sendable {\n public var rawValue: Int\n\n public init(_ rawCode: Int) {\n self.rawValue = rawCode\n }\n\n fileprivate init(_ rawCode: Int32) {\n self.init(Int(rawCode))\n }\n\n public static let email = Self(GEN_EMAIL)\n public static let dnsName = Self(GEN_DNS)\n public static let ipAddress = Self(GEN_IPADD)\n public static let uri = Self(GEN_URI)\n }\n\n public struct Contents {\n // only part of this type to keep a strong reference to the underlying storage of `buffer`\n private let collection: _SubjectAlternativeNames.Storage\n // lifetime automatically managed by `collection`\n @usableFromInline internal let buffer: UnsafeBufferPointer\n\n internal init(collection: _SubjectAlternativeNames.Storage, buffer: UnsafeBufferPointer) {\n self.collection = collection\n self.buffer = buffer\n }\n\n @inlinable public func withUnsafeBufferPointer(\n _ body: (UnsafeBufferPointer) throws -> Result\n ) rethrows -> Result {\n try body(self.buffer)\n }\n }\n\n // should be replaced by `swift-nio`s `IPAddress` once https://github.com/apple/swift-nio/issues/1650 is resolved\n internal enum IPAddress {\n case ipv4(in_addr)\n case ipv6(in6_addr)\n }\n\n public var nameType: NameType\n public var contents: Contents\n}\n\n// _SubjectAlternativeName is immutable and therefore Sendable\nextension _SubjectAlternativeName: @unchecked Sendable {}\n\n// _SubjectAlternativeName.Contents is immutable and therefore Sendable\nextension _SubjectAlternativeName.Contents: @unchecked Sendable {}\n\nextension _SubjectAlternativeName.Contents: RandomAccessCollection {\n\n @inlinable public var startIndex: Int { self.buffer.startIndex }\n @inlinable public var endIndex: Int { self.buffer.endIndex }\n\n @inlinable public subscript(position: Int) -> UInt8 {\n precondition(self.indices.contains(position), \"index \\(position) out of bounds\")\n return self.buffer[position]\n }\n}\n\nextension _SubjectAlternativeName.IPAddress {\n\n internal init?(_ subjectAlternativeName: _SubjectAlternativeName) {\n guard subjectAlternativeName.nameType == .ipAddress else {\n return nil\n }\n switch subjectAlternativeName.contents.count {\n case 4:\n let addr = subjectAlternativeName.contents.withUnsafeBufferPointer {\n $0.baseAddress.map {\n UnsafeRawPointer($0).load(as: in_addr.self)\n }\n }\n guard let innerAddr = addr else {\n return nil\n }\n self = .ipv4(innerAddr)\n case 16:\n let addr = subjectAlternativeName.contents.withUnsafeBufferPointer {\n $0.baseAddress.map {\n UnsafeRawPointer($0).load(as: in6_addr.self)\n }\n }\n guard let innerAddr = addr else {\n return nil\n }\n self = .ipv6(innerAddr)\n default:\n return nil\n }\n }\n}\n\n// swift-format-ignore: DontRepeatTypeInStaticProperties\nextension _SubjectAlternativeName.IPAddress: CustomStringConvertible {\n private static let ipv4AddressLength = 16\n private static let ipv6AddressLength = 46\n\n /// A string representation of the IP address.\n /// E.g. IPv4: `192.168.0.1`\n /// E.g. IPv6: `2001:db8::1`\n public var description: String {\n switch self {\n case .ipv4(let addr):\n return Self.ipv4ToString(addr)\n case .ipv6(let addr):\n return Self.ipv6ToString(addr)\n }\n }\n\n static private func ipv4ToString(_ address: in_addr) -> String {\n\n var address = address\n var dest: [CChar] = Array(repeating: 0, count: Self.ipv4AddressLength)\n dest.withUnsafeMutableBufferPointer { pointer in\n let result = inet_ntop(AF_INET, &address, pointer.baseAddress!, socklen_t(pointer.count))\n precondition(\n result != nil,\n \"The IP address was invalid. This should never happen as we're within the IP address struct.\"\n )\n }\n return String(cString: &dest)\n }\n\n static private func ipv6ToString(_ address: in6_addr) -> String {\n var address = address\n var dest: [CChar] = Array(repeating: 0, count: Self.ipv6AddressLength)\n dest.withUnsafeMutableBufferPointer { pointer in\n let result = inet_ntop(AF_INET6, &address, pointer.baseAddress!, socklen_t(pointer.count))\n precondition(\n result != nil,\n \"The IP address was invalid. This should never happen as we're within the IP address struct.\"\n )\n }\n return String(cString: &dest)\n }\n}\n" }, { "path": "Sources/NIOSSL/SwiftCrypto/NIOSSLSecureBytes.swift", "content": "//===----------------------------------------------------------------------===//\n//\n// This source file is part of the SwiftNIO open source project\n//\n// Copyright (c) 2017-2022 Apple Inc. and the SwiftNIO project authors\n// Licensed under Apache License v2.0\n//\n// See LICENSE.txt for license information\n// See CONTRIBUTORS.txt for the list of SwiftNIO project authors\n//\n// SPDX-License-Identifier: Apache-2.0\n//\n//===----------------------------------------------------------------------===//\n\n/// Auto-zeroing storage for data in memory.\n///\n/// ``NIOSSLSecureBytes`` uses a best-effort strategy to try to remove data from memory when it is no longer in use, by\n/// automatically zeroing the heap memory it uses. This is best-effort becuase it's easy for users to accidentally copy\n/// data out of this structure. To get its best effect, do not copy this data out into another type, but operate on\n/// ``NIOSSLSecureBytes`` generically or specifically.\npublic struct NIOSSLSecureBytes {\n @usableFromInline\n var backing: Backing\n\n /// Create an empty ``NIOSSLSecureBytes``.\n @inlinable\n public init() {\n self = .init(count: 0)\n }\n\n @usableFromInline\n init(count: Int) {\n self.backing = NIOSSLSecureBytes.Backing.create(randomBytes: count)\n }\n\n init(bytes: [UInt8]) {\n self.backing = Backing.create(bytes: bytes)\n }\n /// Allows initializing a SecureBytes object with a closure that will initialize the memory.\n @usableFromInline\n init(\n unsafeUninitializedCapacity: Int,\n initializingWith callback: (inout UnsafeMutableRawBufferPointer, inout Int) throws -> Void\n ) rethrows {\n self.backing = Backing.create(capacity: unsafeUninitializedCapacity)\n try self.backing._withVeryUnsafeMutableBytes { veryUnsafePointer in\n // As Array does, we want to truncate the initializing pointer to only have the requested size.\n var veryUnsafePointer = UnsafeMutableRawBufferPointer(\n rebasing: veryUnsafePointer.prefix(unsafeUninitializedCapacity)\n )\n var initializedCount = 0\n try callback(&veryUnsafePointer, &initializedCount)\n\n self.backing.count = initializedCount\n }\n }\n}\n\n// NIOSSLSecureBytes is a Copy on Write (CoW) type and therefore Sendable\nextension NIOSSLSecureBytes: @unchecked Sendable {}\n\nextension NIOSSLSecureBytes {\n /// Append the contents of a collection of bytes to this ``NIOSSLSecureBytes``.\n ///\n /// - parameter data: The `data` to add to the ``NIOSSLSecureBytes``.\n @inlinable\n mutating public func append(_ data: C) where C.Element == UInt8 {\n let requiredCapacity = self.count + data.count\n if !isKnownUniquelyReferenced(&self.backing) || requiredCapacity > self.backing.capacity {\n let newBacking = Backing.create(capacity: requiredCapacity)\n newBacking._appendBytes(self.backing, inRange: 0..= n {\n return\n }\n\n let newBacking = Backing.create(capacity: n)\n newBacking._appendBytes(self.backing, inRange: 0..(_ body: (UnsafeRawBufferPointer) throws -> T) rethrows -> T {\n try self.backing.withUnsafeBytes(body)\n }\n}\n\n// MARK: - Equatable conformance, constant-time\nextension NIOSSLSecureBytes: Equatable {\n static public func == (lhs: NIOSSLSecureBytes, rhs: NIOSSLSecureBytes) -> Bool {\n lhs.backing.withUnsafeBytes { lhsPtr in\n rhs.backing.withUnsafeBytes { rhsPtr in\n constantTimeCompare(lhsPtr, rhsPtr)\n }\n }\n }\n}\n\n// MARK: - RandomAccessCollection conformance\nextension NIOSSLSecureBytes: RandomAccessCollection {\n @inlinable\n public var startIndex: Int { 0 }\n\n @inlinable\n public var endIndex: Int { self.count }\n\n @inlinable\n public var count: Int {\n self.backing.count\n }\n\n @inlinable\n public subscript(_ index: Int) -> UInt8 {\n get {\n self.backing[offset: index]\n }\n set {\n self.backing[offset: index] = newValue\n }\n }\n}\n\n// MARK: - MutableCollection conformance\nextension NIOSSLSecureBytes: MutableCollection {}\n\n// MARK: - RangeReplaceableCollection conformance\nextension NIOSSLSecureBytes: RangeReplaceableCollection {\n @inlinable\n mutating public func replaceSubrange(_ subrange: Range, with newElements: C)\n where C.Element == UInt8 {\n let requiredCapacity = self.backing.count - subrange.count + newElements.count\n\n if !isKnownUniquelyReferenced(&self.backing) || requiredCapacity > self.backing.capacity {\n // We have to allocate anyway, so let's use a nice straightforward copy.\n let newBacking = Backing.create(capacity: requiredCapacity)\n\n let lowerSlice = 0.. {\n @usableFromInline\n class func create(capacity: Int) -> Backing {\n let capacity = Int(UInt32(capacity).nextPowerOf2ClampedToMax())\n return Backing.create(\n minimumCapacity: capacity,\n makingHeaderWith: { _ in BackingHeader(count: 0, capacity: capacity) }\n ) as! Backing\n }\n\n @usableFromInline\n class func create(copying original: Backing) -> Backing {\n Backing.create(bytes: original.withUnsafeBytes { Array($0) })\n }\n\n @inlinable\n class func create(bytes: [UInt8]) -> Backing {\n bytes.withUnsafeBytes { bytesPtr in\n let backing = Backing.create(capacity: bytesPtr.count)\n backing._withVeryUnsafeMutableBytes { targetPtr in\n targetPtr.copyMemory(from: bytesPtr)\n }\n backing.count = bytesPtr.count\n precondition(backing.count <= backing.capacity)\n return backing\n }\n }\n\n @usableFromInline\n class func create(randomBytes: Int) -> Backing {\n let backing = Backing.create(capacity: randomBytes)\n backing._withVeryUnsafeMutableBytes { targetPtr in\n assert(targetPtr.count >= randomBytes)\n targetPtr.initializeWithRandomBytes(count: randomBytes)\n }\n backing.count = randomBytes\n return backing\n }\n\n deinit {\n // We always clear the whole capacity, even if we don't think we used it all.\n let bytesToClear = self.header.capacity\n\n _ = self.withUnsafeMutablePointerToElements { elementsPtr in\n memset_s(elementsPtr, bytesToClear, 0, bytesToClear)\n }\n }\n\n @usableFromInline\n var count: Int {\n get {\n self.header.count\n }\n set {\n self.header.count = newValue\n }\n }\n\n @usableFromInline\n subscript(offset offset: Int) -> UInt8 {\n get {\n // precondition(offset >= 0 && offset < self.count)\n self.withUnsafeMutablePointerToElements { ($0 + offset).pointee }\n }\n set {\n // precondition(offset >= 0 && offset < self.count)\n return self.withUnsafeMutablePointerToElements { ($0 + offset).pointee = newValue }\n }\n }\n }\n}\n\n// This conformance is technically redundant - Swift 6.2 compiler finally caught this\n#if compiler(<6.2)\n@available(*, unavailable)\nextension NIOSSLSecureBytes.Backing: Sendable {}\n#endif\n\nextension NIOSSLSecureBytes.Backing {\n @usableFromInline\n func replaceSubrangeFittingWithinCapacity(_ subrange: Range, with newElements: C)\n where C.Element == UInt8 {\n // This function is called when have a unique reference to the backing storage, and we have enough room to store these bytes without\n // any problem. We have one pre-existing buffer made up of 4 regions: a prefix set of bytes that are\n // before the range \"subrange\", a range of bytes to be replaced (R1), a suffix set of bytes that are after\n // the range \"subrange\" but within the valid count, and then a region of uninitialized memory. We also have\n // a new set of bytes, R2, that may be larger or smaller than R1, and could indeed be empty!\n //\n // ┌────────────────────────┬──────────────────┬──────────────────┬───────────────┐\n // │ Prefix │ R1 │ Suffix │ Uninitialized │\n // └────────────────────────┴──────────────────┴──────────────────┴───────────────┘\n //\n // ┌─────────────────────────────────────┐\n // │ R2 │\n // └─────────────────────────────────────┘\n //\n // The minimal number of steps we can take in the general case is two steps. We can't just copy R2 into the space\n // for R1 and then move the suffix, as if R2 is larger than R1 we'll have thrown some suffix bytes away. So we have\n // to move suffix first. What we do is take the bytes in suffix, and move them (via memmove). We can then copy\n // R2 in, and feel confident that the space in memory is right.\n precondition(self.count - subrange.count + newElements.count <= self.capacity, \"Insufficient capacity\")\n\n let moveDistance = newElements.count - subrange.count\n let suffixRange = subrange.upperBound..(_ bytes: C) where C.Element == UInt8 {\n let byteCount = bytes.count\n\n precondition(\n self.capacity - self.count - byteCount >= 0,\n \"Insufficient space for byte copying, must have reallocated!\"\n )\n\n let lowerOffset = self.count\n self._withVeryUnsafeMutableBytes { bytesPtr in\n let innerPtrSlice = UnsafeMutableRawBufferPointer(rebasing: bytesPtr[lowerOffset...])\n innerPtrSlice.copyBytes(from: bytes)\n }\n self.count += byteCount\n }\n\n /// Appends the bytes of a slice of another backing buffer to this storage, crashing if there\n /// is not enough room.\n @inlinable // private but inlinable\n func _appendBytes(\n _ backing: NIOSSLSecureBytes.Backing,\n inRange range: Range\n ) {\n precondition(range.lowerBound >= 0)\n precondition(range.upperBound <= backing.capacity)\n precondition(\n self.capacity - self.count - range.count >= 0,\n \"Insufficient space for byte copying, must have reallocated!\"\n )\n\n backing.withUnsafeBytes { backingPtr in\n let ptrSlice = UnsafeRawBufferPointer(rebasing: backingPtr[range])\n\n let lowerOffset = self.count\n self._withVeryUnsafeMutableBytes { bytesPtr in\n let innerPtrSlice = UnsafeMutableRawBufferPointer(rebasing: bytesPtr[lowerOffset...])\n innerPtrSlice.copyMemory(from: ptrSlice)\n }\n self.count += ptrSlice.count\n }\n }\n\n /// Moves the range of bytes identified by the slice by the delta, crashing if the move would\n /// place the bytes out of the storage. Note that this does not update the count: external code\n /// must ensure that that happens.\n @usableFromInline // private but usableFromInline\n func _moveBytes(range: Range, by delta: Int) {\n // We have to check that the range is within the delta, as is the new location.\n precondition(range.lowerBound >= 0)\n precondition(range.upperBound <= self.capacity)\n\n let shiftedRange = (range.lowerBound + delta)..<(range.upperBound + delta)\n precondition(shiftedRange.lowerBound > 0)\n precondition(shiftedRange.upperBound <= self.capacity)\n\n self._withVeryUnsafeMutableBytes { backingPtr in\n let source = UnsafeRawBufferPointer(rebasing: backingPtr[range])\n let dest = UnsafeMutableRawBufferPointer(rebasing: backingPtr[shiftedRange])\n dest.copyMemory(from: source) // copy memory uses memmove under the hood.\n }\n }\n\n // Copies some bytes into the buffer at the appropriate place. Does not update count: external code must do so.\n @inlinable // private but inlinable\n func _copyBytes(_ bytes: C, at offset: Int) where C.Element == UInt8 {\n precondition(offset >= 0)\n precondition(offset + bytes.count <= self.capacity)\n\n let byteRange = offset..<(offset + bytes.count)\n\n self._withVeryUnsafeMutableBytes { backingPtr in\n let dest = UnsafeMutableRawBufferPointer(rebasing: backingPtr[byteRange])\n dest.copyBytes(from: bytes)\n }\n }\n\n @usableFromInline\n func withUnsafeBytes(_ body: (UnsafeRawBufferPointer) throws -> T) rethrows -> T {\n let count = self.count\n\n return try self.withUnsafeMutablePointerToElements { elementsPtr in\n try body(UnsafeRawBufferPointer(start: elementsPtr, count: count))\n }\n }\n @usableFromInline\n func withUnsafeMutableBytes(_ body: (UnsafeMutableRawBufferPointer) throws -> T) rethrows -> T {\n let count = self.count\n\n return try self.withUnsafeMutablePointerToElements { elementsPtr in\n try body(UnsafeMutableRawBufferPointer(start: elementsPtr, count: count))\n }\n }\n\n /// Very unsafe in the sense that this points to uninitialized memory. Used only for implementations within this file.\n @inlinable // private but inlinable\n func _withVeryUnsafeMutableBytes(\n _ body: (UnsafeMutableRawBufferPointer) throws -> T\n ) rethrows -> T {\n let capacity = self.capacity\n\n return try self.withUnsafeMutablePointerToElements { elementsPtr in\n try body(UnsafeMutableRawBufferPointer(start: elementsPtr, count: capacity))\n }\n }\n}\n\nextension UInt32 {\n /// Returns the next power of two unless that would overflow, in which case UInt32.max (on 64-bit systems) or\n /// Int32.max (on 32-bit systems) is returned. The returned value is always safe to be cast to Int and passed\n /// to malloc on all platforms.\n func nextPowerOf2ClampedToMax() -> UInt32 {\n guard self > 0 else {\n return 1\n }\n\n var n = self\n\n #if arch(arm) || arch(i386)\n // on 32-bit platforms we can't make use of a whole UInt32.max (as it doesn't fit in an Int)\n let max = UInt32(Int.max)\n #else\n // on 64-bit platforms we're good\n let max = UInt32.max\n #endif\n\n n -= 1\n n |= n >> 1\n n |= n >> 2\n n |= n >> 4\n n |= n >> 8\n n |= n >> 16\n if n != max {\n n += 1\n }\n\n return n\n }\n}\n" }, { "path": "Sources/NIOSSL/SwiftCrypto/RNG.swift", "content": "//===----------------------------------------------------------------------===//\n//\n// This source file is part of the SwiftNIO open source project\n//\n// Copyright (c) 2017-2022 Apple Inc. and the SwiftNIO project authors\n// Licensed under Apache License v2.0\n//\n// See LICENSE.txt for license information\n// See CONTRIBUTORS.txt for the list of SwiftNIO project authors\n//\n// SPDX-License-Identifier: Apache-2.0\n//\n//===----------------------------------------------------------------------===//\n\nextension UnsafeMutableRawBufferPointer {\n func initializeWithRandomBytes(count: Int) {\n guard count > 0 else {\n return\n }\n\n precondition(count <= self.count)\n var rng = SystemRandomNumberGenerator()\n\n // We store bytes 64-bits at a time until we can't anymore.\n var targetPtr = self\n while targetPtr.count > 8 {\n targetPtr.storeBytes(of: rng.next(), as: UInt64.self)\n targetPtr = UnsafeMutableRawBufferPointer(rebasing: targetPtr[8...])\n }\n\n // Now we're down to having to store things an integer at a time. We do this by shifting and\n // masking.\n var remainingWord: UInt64 = rng.next()\n while targetPtr.count > 0 {\n targetPtr.storeBytes(of: UInt8(remainingWord & 0xFF), as: UInt8.self)\n remainingWord >>= 8\n targetPtr = UnsafeMutableRawBufferPointer(rebasing: targetPtr[1...])\n }\n }\n}\n" }, { "path": "Sources/NIOSSL/SwiftCrypto/SafeCompare.swift", "content": "//===----------------------------------------------------------------------===//\n//\n// This source file is part of the SwiftNIO open source project\n//\n// Copyright (c) 2017-2022 Apple Inc. and the SwiftNIO project authors\n// Licensed under Apache License v2.0\n//\n// See LICENSE.txt for license information\n// See CONTRIBUTORS.txt for the list of SwiftNIO project authors\n//\n// SPDX-License-Identifier: Apache-2.0\n//\n//===----------------------------------------------------------------------===//\n\n/// A straightforward constant-time comparison function for any two collections of bytes.\n@inlinable\ninternal func constantTimeCompare(_ lhs: LHS, _ rhs: RHS) -> Bool\nwhere LHS.Element == UInt8, RHS.Element == UInt8 {\n guard lhs.count == rhs.count else {\n return false\n }\n\n return zip(lhs, rhs).reduce(into: 0) { $0 |= $1.0 ^ $1.1 } == 0\n}\n" }, { "path": "Sources/NIOSSL/SwiftCrypto/Zeroization.swift", "content": "//===----------------------------------------------------------------------===//\n//\n// This source file is part of the SwiftNIO open source project\n//\n// Copyright (c) 2017-2022 Apple Inc. and the SwiftNIO project authors\n// Licensed under Apache License v2.0\n//\n// See LICENSE.txt for license information\n// See CONTRIBUTORS.txt for the list of SwiftNIO project authors\n//\n// SPDX-License-Identifier: Apache-2.0\n//\n//===----------------------------------------------------------------------===//\n@_implementationOnly import CNIOBoringSSL\n\ntypealias errno_t = CInt\n\n// This is a Swift wrapper for the libc function that does not exist on Linux. We shim it via a call to OPENSSL_cleanse.\n// We have the same syntax, but mostly ignore it.\n@discardableResult\nfunc memset_s(_ s: UnsafeMutableRawPointer!, _ smax: Int, _ byte: CInt, _ n: Int) -> errno_t {\n assert(smax == n, \"memset_s invariant not met\")\n assert(byte == 0, \"memset_s used to not zero anything\")\n CNIOBoringSSL_OPENSSL_cleanse(s, smax)\n return 0\n}\n" }, { "path": "Sources/NIOSSL/TLSConfiguration.swift", "content": "//===----------------------------------------------------------------------===//\n//\n// This source file is part of the SwiftNIO open source project\n//\n// Copyright (c) 2017-2025 Apple Inc. and the SwiftNIO project authors\n// Licensed under Apache License v2.0\n//\n// See LICENSE.txt for license information\n// See CONTRIBUTORS.txt for the list of SwiftNIO project authors\n//\n// SPDX-License-Identifier: Apache-2.0\n//\n//===----------------------------------------------------------------------===//\n\n@_implementationOnly import CNIOBoringSSL\nimport NIOCore\n\n/// Known and supported TLS versions.\npublic enum TLSVersion: Sendable {\n case tlsv1\n case tlsv11\n case tlsv12\n case tlsv13\n}\n\n/// Places NIOSSL can obtain certificates from.\npublic enum NIOSSLCertificateSource: Hashable, Sendable {\n @available(\n *,\n deprecated,\n message:\n \"Use 'NIOSSLCertificate.fromPEMFile(_:)' to load the certificate(s) and use the '.certificate(NIOSSLCertificate)' case to provide them as a source\"\n )\n case file(String)\n case certificate(NIOSSLCertificate)\n}\n\n/// Places NIOSSL can obtain private keys from.\npublic enum NIOSSLPrivateKeySource: Hashable {\n /// Path to file in PEM or ASN1 format to load private key from\n ///\n /// File Extensions | Expected file format\n /// --------------- | --------------------\n /// `.pem` | PEM\n /// `.der or .key` | ASN1\n @available(*, deprecated, message: \"Use 'NIOSSLPrivateKeySource.privateKey(NIOSSLPrivateKey)' to set private key\")\n case file(String)\n\n /// Loaded Private key\n case privateKey(NIOSSLPrivateKey)\n}\n\nextension NIOSSLPrivateKeySource: Sendable {}\n\n/// Places NIOSSL can obtain a trust store from.\npublic enum NIOSSLTrustRoots: Hashable, Sendable {\n /// Path to either a file of CA certificates in PEM format, or a directory containing CA certificates in PEM format.\n ///\n /// If a path to a file is provided, the file can contain several CA certificates identified by\n ///\n /// -----BEGIN CERTIFICATE-----\n /// ... (CA certificate in base64 encoding) ...\n /// -----END CERTIFICATE-----\n ///\n /// sequences. Before, between, and after the certificates, text is allowed which can be used e.g.\n /// for descriptions of the certificates.\n ///\n /// If a path to a directory is provided, the files each contain one CA certificate in PEM format.\n case file(String)\n\n /// A list of certificates.\n case certificates([NIOSSLCertificate])\n\n /// The system default root of trust.\n case `default`\n\n internal init(from trustRoots: NIOSSLAdditionalTrustRoots) {\n switch trustRoots {\n case .file(let path):\n self = .file(path)\n case .certificates(let certs):\n self = .certificates(certs)\n }\n }\n}\n\n/// Places NIOSSL can obtain additional trust roots from.\npublic enum NIOSSLAdditionalTrustRoots: Hashable, Sendable {\n /// See ``NIOSSLTrustRoots/file(_:)``\n case file(String)\n\n /// See ``NIOSSLTrustRoots/certificates(_:)``\n case certificates([NIOSSLCertificate])\n}\n\n/// Available ciphers to use for TLS instead of a string based representation.\npublic struct NIOTLSCipher: RawRepresentable, Hashable, Sendable {\n /// Construct a ``NIOTLSCipher`` from the RFC code point for that cipher.\n public init(rawValue: UInt16) {\n self.rawValue = rawValue\n }\n\n /// Construct a ``NIOTLSCipher`` from the RFC code point for that cipher.\n public init(_ rawValue: RawValue) {\n self.rawValue = rawValue\n }\n\n /// The RFC code point for the given cipher.\n public var rawValue: UInt16\n public typealias RawValue = UInt16\n\n public static let TLS_RSA_WITH_AES_128_CBC_SHA = NIOTLSCipher(rawValue: 0x2F)\n public static let TLS_RSA_WITH_AES_256_CBC_SHA = NIOTLSCipher(rawValue: 0x35)\n public static let TLS_PSK_WITH_AES_128_CBC_SHA = NIOTLSCipher(rawValue: 0x8C)\n public static let TLS_PSK_WITH_AES_256_CBC_SHA = NIOTLSCipher(rawValue: 0x8D)\n public static let TLS_RSA_WITH_AES_128_GCM_SHA256 = NIOTLSCipher(rawValue: 0x9C)\n public static let TLS_RSA_WITH_AES_256_GCM_SHA384 = NIOTLSCipher(rawValue: 0x9D)\n public static let TLS_AES_128_GCM_SHA256 = NIOTLSCipher(rawValue: 0x1301)\n public static let TLS_AES_256_GCM_SHA384 = NIOTLSCipher(rawValue: 0x1302)\n public static let TLS_CHACHA20_POLY1305_SHA256 = NIOTLSCipher(rawValue: 0x1303)\n public static let TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA = NIOTLSCipher(rawValue: 0xC009)\n public static let TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA = NIOTLSCipher(rawValue: 0xC00A)\n public static let TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA = NIOTLSCipher(rawValue: 0xC013)\n public static let TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA = NIOTLSCipher(rawValue: 0xC014)\n public static let TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA = NIOTLSCipher(rawValue: 0xC035)\n public static let TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA = NIOTLSCipher(rawValue: 0xC036)\n public static let TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 = NIOTLSCipher(rawValue: 0xC02B)\n public static let TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 = NIOTLSCipher(rawValue: 0xC02C)\n public static let TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 = NIOTLSCipher(rawValue: 0xC02F)\n public static let TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 = NIOTLSCipher(rawValue: 0xC030)\n public static let TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 = NIOTLSCipher(rawValue: 0xCCA8)\n public static let TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 = NIOTLSCipher(rawValue: 0xCCA9)\n\n var standardName: String {\n let boringSSLCipher = CNIOBoringSSL_SSL_get_cipher_by_value(self.rawValue)\n return String(cString: CNIOBoringSSL_SSL_CIPHER_standard_name(boringSSLCipher))\n }\n}\n\n/// Available curves to use for TLS.\npublic struct NIOTLSCurve: RawRepresentable, Hashable, Sendable {\n /// Construct a ``NIOTLSCurve`` from the RFC code point for that curve.\n public init(rawValue: UInt16) {\n self.rawValue = rawValue\n }\n\n /// Construct a ``NIOTLSCurve`` from the RFC code point for that curve.\n public init(_ rawValue: RawValue) {\n self.rawValue = rawValue\n }\n\n /// The RFC code point for the given curve.\n public var rawValue: UInt16\n public typealias RawValue = UInt16\n\n public static let secp256r1 = NIOTLSCurve(rawValue: 0x17)\n public static let secp384r1 = NIOTLSCurve(rawValue: 0x18)\n public static let secp521r1 = NIOTLSCurve(rawValue: 0x19)\n public static let x25519 = NIOTLSCurve(rawValue: 0x1D)\n public static let x448 = NIOTLSCurve(rawValue: 0x1E)\n public static let x25519_MLKEM768 = NIOTLSCurve(rawValue: 0x11EC)\n}\n\n/// Formats NIOSSL supports for serializing keys and certificates.\npublic enum NIOSSLSerializationFormats: Sendable {\n case pem\n case der\n}\n\n/// Certificate verification modes.\npublic enum CertificateVerification: Sendable {\n public struct NoneOptions: Sendable, Equatable, Hashable {\n /// While the peer does not have to give you certificates,\n /// they can optionally be verified if the peer offers them.\n public var validatePresentedCertificates: Bool\n\n fileprivate init() {\n // Backwards-compatible\n self.validatePresentedCertificates = false\n }\n }\n\n /// Usable through ``none`` and ``optionalVerification``.\n case none(NoneOptions)\n\n /// Certificates will be validated against the trust store, but will not\n /// be checked to see if they are valid for the given hostname.\n case noHostnameVerification\n\n /// Certificates will be validated against the trust store and checked\n /// against the hostname of the service we are contacting.\n case fullVerification\n}\n\nextension CertificateVerification {\n /// Certificates will be validated if they are presented by the peer, i.e., if the peer presents\n /// certificates they must pass validation. However, if the peer does not present certificates,\n /// the connection will be accepted.\n public static var optionalVerification: CertificateVerification {\n var options = NoneOptions()\n options.validatePresentedCertificates = true\n return .none(options)\n }\n\n /// All certificate verification disabled.\n public static var none: CertificateVerification {\n .none(NoneOptions())\n }\n}\n\nextension CertificateVerification: Hashable {\n // empty\n}\n\n/// Support for TLS renegotiation.\n///\n/// In general, renegotiation should not be enabled except in circumstances where it is absolutely necessary.\n/// Renegotiation is only supported in TLS 1.2 and earlier, and generally does not work very well. NIOSSL will\n/// disallow most uses of renegotiation: the only supported use-case is to perform post-connection authentication\n/// *as a client*. There is no way to initiate a TLS renegotiation in NIOSSL.\npublic enum NIORenegotiationSupport: Sendable {\n /// No support for TLS renegotiation. The default and recommended setting.\n case none\n\n /// Allow renegotiation exactly once. If you must use renegotiation, use this setting.\n case once\n\n /// Allow repeated renegotiation. To be avoided.\n case always\n}\n\n/// Signature algorithms. The values are defined as in TLS 1.3\npublic struct SignatureAlgorithm: RawRepresentable, Hashable, Sendable {\n\n public typealias RawValue = UInt16\n public var rawValue: UInt16\n\n public init(rawValue: UInt16) {\n self.rawValue = rawValue\n }\n\n public static let rsaPkcs1Sha1 = SignatureAlgorithm(rawValue: 0x0201)\n public static let rsaPkcs1Sha256 = SignatureAlgorithm(rawValue: 0x0401)\n public static let rsaPkcs1Sha384 = SignatureAlgorithm(rawValue: 0x0501)\n public static let rsaPkcs1Sha512 = SignatureAlgorithm(rawValue: 0x0601)\n public static let ecdsaSha1 = SignatureAlgorithm(rawValue: 0x0203)\n public static let ecdsaSecp256R1Sha256 = SignatureAlgorithm(rawValue: 0x0403)\n public static let ecdsaSecp384R1Sha384 = SignatureAlgorithm(rawValue: 0x0503)\n public static let ecdsaSecp521R1Sha512 = SignatureAlgorithm(rawValue: 0x0603)\n public static let rsaPssRsaeSha256 = SignatureAlgorithm(rawValue: 0x0804)\n public static let rsaPssRsaeSha384 = SignatureAlgorithm(rawValue: 0x0805)\n public static let rsaPssRsaeSha512 = SignatureAlgorithm(rawValue: 0x0806)\n public static let ed25519 = SignatureAlgorithm(rawValue: 0x0807)\n}\n\n/// A secure default configuration of cipher suites for TLS 1.2 and earlier.\n///\n/// The goal of this cipher suite string is:\n/// - Prefer cipher suites that offer Perfect Forward Secrecy (DHE/ECDHE)\n/// - Prefer ECDH(E) to DH(E) for performance.\n/// - Prefer any AEAD cipher suite over non-AEAD suites for better performance and security\n/// - Prefer AES-GCM over ChaCha20 because hardware-accelerated AES is common\n/// - Disable NULL authentication and encryption and any appearance of MD5\npublic let defaultCipherSuites = [\n \"ECDH+AESGCM\",\n \"ECDH+CHACHA20\",\n \"DH+AESGCM\",\n \"DH+CHACHA20\",\n \"ECDH+AES256\",\n \"DH+AES256\",\n \"ECDH+AES128\",\n \"DH+AES\",\n \"RSA+AESGCM\",\n \"RSA+AES\",\n \"!aNULL\",\n \"!eNULL\",\n \"!MD5\",\n].joined(separator: \":\")\n\n/// Encodes a string to the wire format of an ALPN identifier. These MUST be ASCII, and so\n/// this routine will crash the program if they aren't, as these are always user-supplied\n/// strings.\ninternal func encodeALPNIdentifier(identifier: String) -> [UInt8] {\n var encodedIdentifier = [UInt8]()\n encodedIdentifier.append(UInt8(identifier.utf8.count))\n\n for codePoint in identifier.unicodeScalars {\n encodedIdentifier.append(contentsOf: Unicode.ASCII.encode(codePoint)!)\n }\n\n return encodedIdentifier\n}\n\n/// Decodes a string from the wire format of an ALPN identifier. These MUST be correctly\n/// formatted ALPN identifiers, and so this routine will crash the program if they aren't.\ninternal func decodeALPNIdentifier(identifier: [UInt8]) -> String {\n String(decoding: identifier[1..\n /// for detailed information about platform-specific behavior differences.\n public var trustRoots: NIOSSLTrustRoots?\n\n /// Additional trust roots to use to validate certificates, used in addition to ``trustRoots``.\n ///\n /// - NOTE: The combination of ``trustRoots`` and ``additionalTrustRoots`` affects which certificate validation\n /// backend is used on Apple platforms. See for detailed information about\n /// platform-specific behavior differences.\n public var additionalTrustRoots: [NIOSSLAdditionalTrustRoots]\n\n /// The certificates to offer during negotiation. If not present, no certificates will be offered.\n public var certificateChain: [NIOSSLCertificateSource]\n\n /// The private key associated with the leaf certificate.\n public var privateKey: NIOSSLPrivateKeySource?\n\n internal var _pskClientIdentityProvider: _NIOPSKClientIdentityProvider?\n internal var _pskServerIdentityProvider: _NIOPSKServerIdentityProvider?\n\n /// PSK Client Callback to get the key based on hint and identity.\n @available(*, deprecated, message: \"Deprecated in favor of pskClientProvider which can handle optional hint\")\n public var pskClientCallback: NIOPSKClientIdentityCallback? {\n get {\n if case .callback(let callback) = self._pskClientIdentityProvider {\n return callback\n }\n return nil\n }\n set {\n self._pskClientIdentityProvider = newValue.flatMap({ .callback($0) })\n }\n }\n\n /// SSL Context Callback to provide dynamic context based on server name\n public var sslContextCallback: NIOSSLContextCallback? = nil\n\n @available(*, deprecated, message: \"Deprecated in favor of pskServerProvider which can handle optional hint\")\n public var pskServerCallback: NIOPSKServerIdentityCallback? {\n get {\n if case .callback(let callback) = self._pskServerIdentityProvider {\n return callback\n }\n return nil\n }\n set {\n self._pskServerIdentityProvider = newValue.flatMap({ .callback($0) })\n }\n }\n\n /// PSK Client Callback to get the key based on an optional hint and identity.\n public var pskClientProvider: NIOPSKClientIdentityProvider? {\n get {\n if case .provider(let callback) = self._pskClientIdentityProvider {\n return callback\n }\n return nil\n }\n set {\n self._pskClientIdentityProvider = newValue.flatMap({ .provider($0) })\n }\n }\n\n /// PSK Server Callback to get the key based on an optional hint and identity.\n public var pskServerProvider: NIOPSKServerIdentityProvider? {\n get {\n if case .provider(let callback) = self._pskServerIdentityProvider {\n return callback\n }\n return nil\n }\n set {\n self._pskServerIdentityProvider = newValue.flatMap({ .provider($0) })\n }\n }\n\n /// Optional PSK hint to be used during SSLContext create.\n public var pskHint: String? = nil\n\n /// The application protocols to use in the connection. Should be an ordered list of ASCII\n /// strings representing the ALPN identifiers of the protocols to negotiate. For clients,\n /// the protocols will be offered in the order given. For servers, the protocols will be matched\n /// against the client's offered protocols in order.\n public var applicationProtocols: [String] {\n get {\n self.encodedApplicationProtocols.map(decodeALPNIdentifier)\n }\n set {\n self.encodedApplicationProtocols = newValue.map(encodeALPNIdentifier)\n }\n }\n\n internal var encodedApplicationProtocols: [[UInt8]]\n\n /// The amount of time to wait after initiating a shutdown before performing an unclean\n /// shutdown. Defaults to 5 seconds.\n public var shutdownTimeout: TimeAmount\n\n /// A callback that can be used to implement `SSLKEYLOGFILE` support.\n public var keyLogCallback: NIOSSLKeyLogCallback?\n\n /// Whether renegotiation is supported.\n public var renegotiationSupport: NIORenegotiationSupport\n\n /// Send the CA names derived from the ``trustRoots`` for client authentication.\n /// This instructs the client which identities can be used by evaluating what CA the identity certificate was issued from.\n public var sendCANameList: Bool\n\n private init(\n cipherSuiteValues: [NIOTLSCipher] = [],\n cipherSuites: String = defaultCipherSuites,\n verifySignatureAlgorithms: [SignatureAlgorithm]?,\n signingSignatureAlgorithms: [SignatureAlgorithm]?,\n minimumTLSVersion: TLSVersion,\n maximumTLSVersion: TLSVersion?,\n certificateVerification: CertificateVerification,\n trustRoots: NIOSSLTrustRoots,\n certificateChain: [NIOSSLCertificateSource],\n privateKey: NIOSSLPrivateKeySource?,\n applicationProtocols: [String],\n shutdownTimeout: TimeAmount,\n keyLogCallback: NIOSSLKeyLogCallback?,\n renegotiationSupport: NIORenegotiationSupport,\n additionalTrustRoots: [NIOSSLAdditionalTrustRoots],\n sendCANameList: Bool = false,\n sslContextCallback: NIOSSLContextCallback? = nil,\n pskClientProvider: NIOPSKClientIdentityProvider? = nil,\n pskServerProvider: NIOPSKServerIdentityProvider? = nil,\n pskHint: String? = nil\n ) {\n self.cipherSuites = cipherSuites\n self.verifySignatureAlgorithms = verifySignatureAlgorithms\n self.signingSignatureAlgorithms = signingSignatureAlgorithms\n self.minimumTLSVersion = minimumTLSVersion\n self.maximumTLSVersion = maximumTLSVersion\n self.trustRoots = trustRoots\n self.additionalTrustRoots = additionalTrustRoots\n self.certificateVerification = certificateVerification\n self.certificateChain = certificateChain\n self.privateKey = privateKey\n self.encodedApplicationProtocols = []\n self.shutdownTimeout = shutdownTimeout\n self.renegotiationSupport = renegotiationSupport\n self.sendCANameList = sendCANameList\n self.applicationProtocols = applicationProtocols\n self.keyLogCallback = keyLogCallback\n self.sslContextCallback = sslContextCallback\n self.pskClientProvider = pskClientProvider\n self.pskServerProvider = pskServerProvider\n self.pskHint = pskHint\n if !cipherSuiteValues.isEmpty {\n self.cipherSuiteValues = cipherSuiteValues\n }\n }\n}\n\nextension TLSConfiguration: Sendable {}\n\n// MARK: BestEffortHashable\nextension TLSConfiguration {\n /// Returns a best effort result of whether two ``TLSConfiguration`` objects are equal.\n ///\n /// The \"best effort\" stems from the fact that we are checking the pointer to the ``keyLogCallback`` closure.\n ///\n /// - warning: You should probably not use this function. This function can return false-negatives, but not false-positives.\n public func bestEffortEquals(_ comparing: TLSConfiguration) -> Bool {\n let isKeyLoggerCallbacksEqual = withUnsafeBytes(of: self.keyLogCallback) { callbackPointer1 in\n withUnsafeBytes(of: comparing.keyLogCallback) { callbackPointer2 in\n callbackPointer1.elementsEqual(callbackPointer2)\n }\n }\n let isPSKClientProviderEqual = withUnsafeBytes(of: self._pskClientIdentityProvider) { pskClientProvider1 in\n withUnsafeBytes(of: comparing._pskClientIdentityProvider) { pskClientProvider2 in\n pskClientProvider1.elementsEqual(pskClientProvider2)\n }\n }\n let isPSKServerProviderEqual = withUnsafeBytes(of: self._pskServerIdentityProvider) { pskServerProvider1 in\n withUnsafeBytes(of: comparing._pskServerIdentityProvider) { pskServerProvider2 in\n pskServerProvider1.elementsEqual(pskServerProvider2)\n }\n }\n let isSSLContextCallbackEqual = withUnsafeBytes(of: self.sslContextCallback) { sslContextCallback1 in\n withUnsafeBytes(of: comparing.sslContextCallback) { sslContextCallback2 in\n sslContextCallback1.elementsEqual(sslContextCallback2)\n }\n }\n\n return self.minimumTLSVersion == comparing.minimumTLSVersion\n && self.maximumTLSVersion == comparing.maximumTLSVersion && self.cipherSuites == comparing.cipherSuites\n && self.curves == comparing.curves && self.verifySignatureAlgorithms == comparing.verifySignatureAlgorithms\n && self.signingSignatureAlgorithms == comparing.signingSignatureAlgorithms\n && self.certificateVerification == comparing.certificateVerification\n && self.trustRoots == comparing.trustRoots && self.additionalTrustRoots == comparing.additionalTrustRoots\n && self.certificateChain == comparing.certificateChain && self.privateKey == comparing.privateKey\n && self.encodedApplicationProtocols == comparing.encodedApplicationProtocols\n && self.shutdownTimeout == comparing.shutdownTimeout && isKeyLoggerCallbacksEqual\n && self.renegotiationSupport == comparing.renegotiationSupport\n && self.sendCANameList == comparing.sendCANameList && isSSLContextCallbackEqual && isPSKClientProviderEqual\n && isPSKServerProviderEqual && self.pskHint == comparing.pskHint\n }\n\n /// Returns a best effort hash of this TLS configuration.\n ///\n /// The \"best effort\" stems from the fact that we are hashing the pointer bytes of the ``keyLogCallback`` closure.\n ///\n /// - warning: You should probably not use this function. This function can return false-negatives, but not false-positives.\n public func bestEffortHash(into hasher: inout Hasher) {\n hasher.combine(minimumTLSVersion)\n hasher.combine(maximumTLSVersion)\n hasher.combine(cipherSuites)\n hasher.combine(curves)\n hasher.combine(verifySignatureAlgorithms)\n hasher.combine(signingSignatureAlgorithms)\n hasher.combine(certificateVerification)\n hasher.combine(trustRoots)\n hasher.combine(additionalTrustRoots)\n hasher.combine(certificateChain)\n hasher.combine(privateKey)\n hasher.combine(encodedApplicationProtocols)\n hasher.combine(shutdownTimeout)\n withUnsafeBytes(of: keyLogCallback) { closureBits in\n hasher.combine(bytes: closureBits)\n }\n hasher.combine(renegotiationSupport)\n hasher.combine(sendCANameList)\n withUnsafeBytes(of: _pskClientIdentityProvider) { closureClientBits in\n hasher.combine(bytes: closureClientBits)\n }\n withUnsafeBytes(of: _pskServerIdentityProvider) { closureServerBits in\n hasher.combine(bytes: closureServerBits)\n }\n withUnsafeBytes(of: sslContextCallback) { closureServerBits in\n hasher.combine(bytes: closureServerBits)\n }\n hasher.combine(pskHint)\n }\n\n /// Creates a TLS configuration for use with client-side contexts.\n ///\n /// This provides sensible defaults, and can be used without customisation. For server-side\n /// contexts, you should use ``TLSConfiguration/makeServerConfiguration(certificateChain:privateKey:)`` instead.\n ///\n /// For customising fields, modify the returned TLSConfiguration object.\n public static func makeClientConfiguration() -> TLSConfiguration {\n TLSConfiguration(\n cipherSuites: defaultCipherSuites,\n verifySignatureAlgorithms: nil,\n signingSignatureAlgorithms: nil,\n minimumTLSVersion: .tlsv1,\n maximumTLSVersion: nil,\n certificateVerification: .fullVerification,\n trustRoots: .default,\n certificateChain: [],\n privateKey: nil,\n applicationProtocols: [],\n shutdownTimeout: .seconds(5),\n keyLogCallback: nil,\n renegotiationSupport: .none,\n additionalTrustRoots: [],\n sendCANameList: false,\n sslContextCallback: nil,\n pskClientProvider: nil,\n pskServerProvider: nil,\n pskHint: nil\n )\n }\n\n /// Create a TLS configuration for use with server-side contexts.\n ///\n /// This provides sensible defaults while requiring that you provide any data that is necessary\n /// for server-side function. For client use, try ``TLSConfiguration/makeClientConfiguration()`` instead.\n ///\n /// For customising fields, modify the returned TLSConfiguration object.\n public static func makeServerConfiguration(\n certificateChain: [NIOSSLCertificateSource],\n privateKey: NIOSSLPrivateKeySource\n ) -> TLSConfiguration {\n TLSConfiguration(\n cipherSuites: defaultCipherSuites,\n verifySignatureAlgorithms: nil,\n signingSignatureAlgorithms: nil,\n minimumTLSVersion: .tlsv1,\n maximumTLSVersion: nil,\n certificateVerification: .none,\n trustRoots: .default,\n certificateChain: certificateChain,\n privateKey: privateKey,\n applicationProtocols: [],\n shutdownTimeout: .seconds(5),\n keyLogCallback: nil,\n renegotiationSupport: .none,\n additionalTrustRoots: [],\n sendCANameList: false,\n pskClientProvider: nil,\n pskServerProvider: nil,\n pskHint: nil\n )\n }\n\n /// Create a TLS configuration for use with server-side or client-side contexts that uses Pre-Shared Keys for TLS 1.2 and below.\n ///\n /// This provides sensible defaults while requiring that you provide any data that is necessary\n /// for server-side or client-side functionality. This configuration uses Pre-Shared Keys instead of certificates.\n ///\n /// For customising fields, modify the returned TLSConfiguration object.\n public static func makePreSharedKeyConfiguration() -> TLSConfiguration {\n\n TLSConfiguration(\n cipherSuites: defaultCipherSuites,\n verifySignatureAlgorithms: nil,\n signingSignatureAlgorithms: nil,\n minimumTLSVersion: .tlsv1,\n maximumTLSVersion: nil,\n certificateVerification: .none,\n trustRoots: .default,\n certificateChain: [],\n privateKey: nil,\n applicationProtocols: [],\n shutdownTimeout: .seconds(5),\n keyLogCallback: nil,\n renegotiationSupport: .none,\n additionalTrustRoots: [],\n sendCANameList: false,\n pskClientProvider: nil,\n pskServerProvider: nil,\n pskHint: nil\n )\n }\n\n /// Create a TLS configuration for use with server-side contexts that expect to validate a client\n /// certificate (often called mTLS).\n ///\n /// This provides sensible defaults while requiring that you provide any data that is necessary\n /// for server-side function. For servers that don't need mTLS, try\n /// ``TLSConfiguration/makeServerConfiguration(certificateChain:privateKey:)`` instead.\n ///\n /// This configuration is very similar to ``TLSConfiguration/makeServerConfiguration(certificateChain:privateKey:)`` but\n /// adds a `trustRoots` requirement. These roots will be used to validate the certificate\n /// presented by the peer. It also sets the ``certificateVerification`` field to\n /// ``CertificateVerification/noHostnameVerification``, which enables verification but disables\n /// any hostname checking, which cannot succeed in a server context.\n ///\n /// For customising fields, modify the returned TLSConfiguration object.\n public static func makeServerConfigurationWithMTLS(\n certificateChain: [NIOSSLCertificateSource],\n privateKey: NIOSSLPrivateKeySource,\n trustRoots: NIOSSLTrustRoots\n ) -> TLSConfiguration {\n TLSConfiguration(\n cipherSuites: defaultCipherSuites,\n verifySignatureAlgorithms: nil,\n signingSignatureAlgorithms: nil,\n minimumTLSVersion: .tlsv1,\n maximumTLSVersion: nil,\n certificateVerification: .noHostnameVerification,\n trustRoots: trustRoots,\n certificateChain: certificateChain,\n privateKey: privateKey,\n applicationProtocols: [],\n shutdownTimeout: .seconds(5),\n keyLogCallback: nil,\n renegotiationSupport: .none,\n additionalTrustRoots: [],\n sendCANameList: false,\n pskClientProvider: nil,\n pskServerProvider: nil,\n pskHint: nil\n )\n }\n}\n\n// MARK: Deprecated constructors.\n\nextension TLSConfiguration {\n /// Create a TLS configuration for use with server-side contexts. This allows setting the ``NIOTLSCipher`` property specifically.\n ///\n /// This provides sensible defaults while requiring that you provide any data that is necessary\n /// for server-side function. For client use, try ``TLSConfiguration/makeClientConfiguration()`` instead.\n @available(*, deprecated, renamed: \"makeServerConfiguration(certificateChain:privateKey:)\")\n public static func forServer(\n certificateChain: [NIOSSLCertificateSource],\n privateKey: NIOSSLPrivateKeySource,\n cipherSuites: [NIOTLSCipher],\n verifySignatureAlgorithms: [SignatureAlgorithm]? = nil,\n signingSignatureAlgorithms: [SignatureAlgorithm]? = nil,\n minimumTLSVersion: TLSVersion = .tlsv1,\n maximumTLSVersion: TLSVersion? = nil,\n certificateVerification: CertificateVerification = .none,\n trustRoots: NIOSSLTrustRoots = .default,\n applicationProtocols: [String] = [],\n shutdownTimeout: TimeAmount = .seconds(5),\n keyLogCallback: NIOSSLKeyLogCallback? = nil,\n additionalTrustRoots: [NIOSSLAdditionalTrustRoots] = []\n ) -> TLSConfiguration {\n TLSConfiguration(\n cipherSuiteValues: cipherSuites,\n verifySignatureAlgorithms: verifySignatureAlgorithms,\n signingSignatureAlgorithms: signingSignatureAlgorithms,\n minimumTLSVersion: minimumTLSVersion,\n maximumTLSVersion: maximumTLSVersion,\n certificateVerification: certificateVerification,\n trustRoots: trustRoots,\n certificateChain: certificateChain,\n privateKey: privateKey,\n applicationProtocols: applicationProtocols,\n shutdownTimeout: shutdownTimeout,\n keyLogCallback: keyLogCallback,\n renegotiationSupport: .none, // Servers never support renegotiation: there's no point.\n additionalTrustRoots: additionalTrustRoots\n )\n }\n\n /// Create a TLS configuration for use with server-side contexts.\n ///\n /// This provides sensible defaults while requiring that you provide any data that is necessary\n /// for server-side function. For client use, try ``TLSConfiguration/makeClientConfiguration()`` instead.\n @available(*, deprecated, renamed: \"makeServerConfiguration(certificateChain:privateKey:)\")\n public static func forServer(\n certificateChain: [NIOSSLCertificateSource],\n privateKey: NIOSSLPrivateKeySource,\n cipherSuites: String = defaultCipherSuites,\n minimumTLSVersion: TLSVersion = .tlsv1,\n maximumTLSVersion: TLSVersion? = nil,\n certificateVerification: CertificateVerification = .none,\n trustRoots: NIOSSLTrustRoots = .default,\n applicationProtocols: [String] = [],\n shutdownTimeout: TimeAmount = .seconds(5),\n keyLogCallback: NIOSSLKeyLogCallback? = nil\n ) -> TLSConfiguration {\n TLSConfiguration(\n cipherSuites: cipherSuites,\n verifySignatureAlgorithms: nil,\n signingSignatureAlgorithms: nil,\n minimumTLSVersion: minimumTLSVersion,\n maximumTLSVersion: maximumTLSVersion,\n certificateVerification: certificateVerification,\n trustRoots: trustRoots,\n certificateChain: certificateChain,\n privateKey: privateKey,\n applicationProtocols: applicationProtocols,\n shutdownTimeout: shutdownTimeout,\n keyLogCallback: keyLogCallback,\n renegotiationSupport: .none, // Servers never support renegotiation: there's no point.\n additionalTrustRoots: []\n )\n }\n\n /// Create a TLS configuration for use with server-side contexts.\n ///\n /// This provides sensible defaults while requiring that you provide any data that is necessary\n /// for server-side function. For client use, try ``TLSConfiguration/makeClientConfiguration()`` instead.\n @available(*, deprecated, renamed: \"makeServerConfiguration(certificateChain:privateKey:)\")\n public static func forServer(\n certificateChain: [NIOSSLCertificateSource],\n privateKey: NIOSSLPrivateKeySource,\n cipherSuites: String = defaultCipherSuites,\n verifySignatureAlgorithms: [SignatureAlgorithm]? = nil,\n signingSignatureAlgorithms: [SignatureAlgorithm]? = nil,\n minimumTLSVersion: TLSVersion = .tlsv1,\n maximumTLSVersion: TLSVersion? = nil,\n certificateVerification: CertificateVerification = .none,\n trustRoots: NIOSSLTrustRoots = .default,\n applicationProtocols: [String] = [],\n shutdownTimeout: TimeAmount = .seconds(5),\n keyLogCallback: NIOSSLKeyLogCallback? = nil\n ) -> TLSConfiguration {\n TLSConfiguration(\n cipherSuites: cipherSuites,\n verifySignatureAlgorithms: verifySignatureAlgorithms,\n signingSignatureAlgorithms: signingSignatureAlgorithms,\n minimumTLSVersion: minimumTLSVersion,\n maximumTLSVersion: maximumTLSVersion,\n certificateVerification: certificateVerification,\n trustRoots: trustRoots,\n certificateChain: certificateChain,\n privateKey: privateKey,\n applicationProtocols: applicationProtocols,\n shutdownTimeout: shutdownTimeout,\n keyLogCallback: keyLogCallback,\n renegotiationSupport: .none, // Servers never support renegotiation: there's no point.\n additionalTrustRoots: []\n )\n }\n\n /// Create a TLS configuration for use with server-side contexts.\n ///\n /// This provides sensible defaults while requiring that you provide any data that is necessary\n /// for server-side function. For client use, try ``TLSConfiguration/makeClientConfiguration()`` instead.\n @available(*, deprecated, renamed: \"makeServerConfiguration(certificateChain:privateKey:)\")\n public static func forServer(\n certificateChain: [NIOSSLCertificateSource],\n privateKey: NIOSSLPrivateKeySource,\n cipherSuites: String = defaultCipherSuites,\n verifySignatureAlgorithms: [SignatureAlgorithm]? = nil,\n signingSignatureAlgorithms: [SignatureAlgorithm]? = nil,\n minimumTLSVersion: TLSVersion = .tlsv1,\n maximumTLSVersion: TLSVersion? = nil,\n certificateVerification: CertificateVerification = .none,\n trustRoots: NIOSSLTrustRoots = .default,\n applicationProtocols: [String] = [],\n shutdownTimeout: TimeAmount = .seconds(5),\n keyLogCallback: NIOSSLKeyLogCallback? = nil,\n additionalTrustRoots: [NIOSSLAdditionalTrustRoots]\n ) -> TLSConfiguration {\n TLSConfiguration(\n cipherSuites: cipherSuites,\n verifySignatureAlgorithms: verifySignatureAlgorithms,\n signingSignatureAlgorithms: signingSignatureAlgorithms,\n minimumTLSVersion: minimumTLSVersion,\n maximumTLSVersion: maximumTLSVersion,\n certificateVerification: certificateVerification,\n trustRoots: trustRoots,\n certificateChain: certificateChain,\n privateKey: privateKey,\n applicationProtocols: applicationProtocols,\n shutdownTimeout: shutdownTimeout,\n keyLogCallback: keyLogCallback,\n renegotiationSupport: .none, // Servers never support renegotiation: there's no point.\n additionalTrustRoots: additionalTrustRoots\n )\n }\n\n /// Creates a TLS configuration for use with client-side contexts. This allows setting the ``NIOTLSCipher`` property specifically.\n ///\n /// This provides sensible defaults, and can be used without customisation. For server-side\n /// contexts, you should use ``TLSConfiguration/makeServerConfiguration(certificateChain:privateKey:)`` instead.\n @available(*, deprecated, renamed: \"makeClientConfiguration()\")\n public static func forClient(\n cipherSuites: [NIOTLSCipher],\n verifySignatureAlgorithms: [SignatureAlgorithm]? = nil,\n signingSignatureAlgorithms: [SignatureAlgorithm]? = nil,\n minimumTLSVersion: TLSVersion = .tlsv1,\n maximumTLSVersion: TLSVersion? = nil,\n certificateVerification: CertificateVerification = .fullVerification,\n trustRoots: NIOSSLTrustRoots = .default,\n certificateChain: [NIOSSLCertificateSource] = [],\n privateKey: NIOSSLPrivateKeySource? = nil,\n applicationProtocols: [String] = [],\n shutdownTimeout: TimeAmount = .seconds(5),\n keyLogCallback: NIOSSLKeyLogCallback? = nil,\n renegotiationSupport: NIORenegotiationSupport = .none,\n additionalTrustRoots: [NIOSSLAdditionalTrustRoots] = []\n ) -> TLSConfiguration {\n TLSConfiguration(\n cipherSuiteValues: cipherSuites,\n verifySignatureAlgorithms: verifySignatureAlgorithms,\n signingSignatureAlgorithms: signingSignatureAlgorithms,\n minimumTLSVersion: minimumTLSVersion,\n maximumTLSVersion: maximumTLSVersion,\n certificateVerification: certificateVerification,\n trustRoots: trustRoots,\n certificateChain: certificateChain,\n privateKey: privateKey,\n applicationProtocols: applicationProtocols,\n shutdownTimeout: shutdownTimeout,\n keyLogCallback: keyLogCallback,\n renegotiationSupport: renegotiationSupport,\n additionalTrustRoots: additionalTrustRoots\n )\n }\n\n /// Creates a TLS configuration for use with client-side contexts.\n ///\n /// This provides sensible defaults, and can be used without customisation. For server-side\n /// contexts, you should use ``TLSConfiguration/makeServerConfiguration(certificateChain:privateKey:)`` instead.\n @available(*, deprecated, renamed: \"makeClientConfiguration()\")\n public static func forClient(\n cipherSuites: String = defaultCipherSuites,\n minimumTLSVersion: TLSVersion = .tlsv1,\n maximumTLSVersion: TLSVersion? = nil,\n certificateVerification: CertificateVerification = .fullVerification,\n trustRoots: NIOSSLTrustRoots = .default,\n certificateChain: [NIOSSLCertificateSource] = [],\n privateKey: NIOSSLPrivateKeySource? = nil,\n applicationProtocols: [String] = [],\n shutdownTimeout: TimeAmount = .seconds(5),\n keyLogCallback: NIOSSLKeyLogCallback? = nil\n ) -> TLSConfiguration {\n TLSConfiguration(\n cipherSuites: cipherSuites,\n verifySignatureAlgorithms: nil,\n signingSignatureAlgorithms: nil,\n minimumTLSVersion: minimumTLSVersion,\n maximumTLSVersion: maximumTLSVersion,\n certificateVerification: certificateVerification,\n trustRoots: trustRoots,\n certificateChain: certificateChain,\n privateKey: privateKey,\n applicationProtocols: applicationProtocols,\n shutdownTimeout: shutdownTimeout,\n keyLogCallback: keyLogCallback,\n renegotiationSupport: .none, // Default value is here for backward-compatibility.\n additionalTrustRoots: []\n )\n }\n\n /// Creates a TLS configuration for use with client-side contexts.\n ///\n /// This provides sensible defaults, and can be used without customisation. For server-side\n /// contexts, you should use ``TLSConfiguration/makeServerConfiguration(certificateChain:privateKey:)`` instead.\n @available(*, deprecated, renamed: \"makeClientConfiguration()\")\n public static func forClient(\n cipherSuites: String = defaultCipherSuites,\n minimumTLSVersion: TLSVersion = .tlsv1,\n maximumTLSVersion: TLSVersion? = nil,\n certificateVerification: CertificateVerification = .fullVerification,\n trustRoots: NIOSSLTrustRoots = .default,\n certificateChain: [NIOSSLCertificateSource] = [],\n privateKey: NIOSSLPrivateKeySource? = nil,\n applicationProtocols: [String] = [],\n shutdownTimeout: TimeAmount = .seconds(5),\n keyLogCallback: NIOSSLKeyLogCallback? = nil,\n renegotiationSupport: NIORenegotiationSupport\n ) -> TLSConfiguration {\n TLSConfiguration(\n cipherSuites: cipherSuites,\n verifySignatureAlgorithms: nil,\n signingSignatureAlgorithms: nil,\n minimumTLSVersion: minimumTLSVersion,\n maximumTLSVersion: maximumTLSVersion,\n certificateVerification: certificateVerification,\n trustRoots: trustRoots,\n certificateChain: certificateChain,\n privateKey: privateKey,\n applicationProtocols: applicationProtocols,\n shutdownTimeout: shutdownTimeout,\n keyLogCallback: keyLogCallback,\n renegotiationSupport: renegotiationSupport,\n additionalTrustRoots: []\n )\n }\n\n /// Creates a TLS configuration for use with client-side contexts.\n ///\n /// This provides sensible defaults, and can be used without customisation. For server-side\n /// contexts, you should use ``TLSConfiguration/makeServerConfiguration(certificateChain:privateKey:)`` instead.\n @available(*, deprecated, renamed: \"makeClientConfiguration()\")\n public static func forClient(\n cipherSuites: String = defaultCipherSuites,\n verifySignatureAlgorithms: [SignatureAlgorithm]? = nil,\n signingSignatureAlgorithms: [SignatureAlgorithm]? = nil,\n minimumTLSVersion: TLSVersion = .tlsv1,\n maximumTLSVersion: TLSVersion? = nil,\n certificateVerification: CertificateVerification = .fullVerification,\n trustRoots: NIOSSLTrustRoots = .default,\n certificateChain: [NIOSSLCertificateSource] = [],\n privateKey: NIOSSLPrivateKeySource? = nil,\n applicationProtocols: [String] = [],\n shutdownTimeout: TimeAmount = .seconds(5),\n keyLogCallback: NIOSSLKeyLogCallback? = nil,\n renegotiationSupport: NIORenegotiationSupport\n ) -> TLSConfiguration {\n TLSConfiguration(\n cipherSuites: cipherSuites,\n verifySignatureAlgorithms: verifySignatureAlgorithms,\n signingSignatureAlgorithms: signingSignatureAlgorithms,\n minimumTLSVersion: minimumTLSVersion,\n maximumTLSVersion: maximumTLSVersion,\n certificateVerification: certificateVerification,\n trustRoots: trustRoots,\n certificateChain: certificateChain,\n privateKey: privateKey,\n applicationProtocols: applicationProtocols,\n shutdownTimeout: shutdownTimeout,\n keyLogCallback: keyLogCallback,\n renegotiationSupport: renegotiationSupport,\n additionalTrustRoots: []\n )\n }\n\n /// Creates a TLS configuration for use with client-side contexts.\n ///\n /// This provides sensible defaults, and can be used without customisation. For server-side\n /// contexts, you should use ``TLSConfiguration/makeServerConfiguration(certificateChain:privateKey:)`` instead.\n @available(*, deprecated, renamed: \"makeClientConfiguration()\")\n public static func forClient(\n cipherSuites: String = defaultCipherSuites,\n verifySignatureAlgorithms: [SignatureAlgorithm]? = nil,\n signingSignatureAlgorithms: [SignatureAlgorithm]? = nil,\n minimumTLSVersion: TLSVersion = .tlsv1,\n maximumTLSVersion: TLSVersion? = nil,\n certificateVerification: CertificateVerification = .fullVerification,\n trustRoots: NIOSSLTrustRoots = .default,\n certificateChain: [NIOSSLCertificateSource] = [],\n privateKey: NIOSSLPrivateKeySource? = nil,\n applicationProtocols: [String] = [],\n shutdownTimeout: TimeAmount = .seconds(5),\n keyLogCallback: NIOSSLKeyLogCallback? = nil,\n renegotiationSupport: NIORenegotiationSupport = .none,\n additionalTrustRoots: [NIOSSLAdditionalTrustRoots]\n ) -> TLSConfiguration {\n TLSConfiguration(\n cipherSuites: cipherSuites,\n verifySignatureAlgorithms: verifySignatureAlgorithms,\n signingSignatureAlgorithms: signingSignatureAlgorithms,\n minimumTLSVersion: minimumTLSVersion,\n maximumTLSVersion: maximumTLSVersion,\n certificateVerification: certificateVerification,\n trustRoots: trustRoots,\n certificateChain: certificateChain,\n privateKey: privateKey,\n applicationProtocols: applicationProtocols,\n shutdownTimeout: shutdownTimeout,\n keyLogCallback: keyLogCallback,\n renegotiationSupport: renegotiationSupport,\n additionalTrustRoots: additionalTrustRoots\n )\n }\n}\n\nextension TLSConfiguration {\n /// Provides the resolved signature algorithms for signing, if any.\n ///\n /// Users can override the signature algorithms in two ways. Firstly, they can provide a\n /// value for the `signingSignatureAlgorithms` field in the `TLSConfiguration` structure.\n /// This acts as an artificial limiter, preventing certain algorithms from being used even\n /// though a key might nominally support them.\n ///\n /// Secondly, users can provide a custom key. This custom key is only capable of using\n /// certain signing algorithms.\n ///\n /// This property resolves these two into a single unified set by diffing them together.\n /// If there is no override (i.e. a native key and no override of the\n /// `signingSignatureAlgorithms` field then this returns `nil`.\n internal var resolvedSigningSignatureAlgorithms: [SignatureAlgorithm]? {\n switch (self.signingSignatureAlgorithms, self.privateKey?.customSigningAlgorithms) {\n case (.none, .none):\n // No overrides.\n return nil\n\n case (.some(let manualOverrides), .none):\n return manualOverrides\n\n case (.none, .some(let keyRequirements)):\n return keyRequirements\n\n case (.some(let manualOverrides), .some(let keyRequirements)):\n // Here we have to filter the set. We assume the two lists are small, and so we\n // just use `Array.filter` instead of composing into a Set. Note that the order\n // here is _semantic_: we have to filter the manual overrides array becuase\n // that order was specified by the user, and we want to honor it.\n return manualOverrides.filter { keyRequirements.contains($0) }\n }\n }\n}\n\nextension NIOSSLPrivateKeySource {\n /// The custom signing algorithms required by this private key, if any.\n ///\n /// Is `nil` when the key is a file-backed key, as this is handled by BoringSSL as a native key.\n fileprivate var customSigningAlgorithms: [SignatureAlgorithm]? {\n switch self {\n case .file:\n return nil\n case .privateKey(let key):\n return key.customSigningAlgorithms\n }\n }\n}\n" }, { "path": "Sources/NIOSSL/UniversalBootstrapSupport.swift", "content": "//===----------------------------------------------------------------------===//\n//\n// This source file is part of the SwiftNIO open source project\n//\n// Copyright (c) 2020-2021 Apple Inc. and the SwiftNIO project authors\n// Licensed under Apache License v2.0\n//\n// See LICENSE.txt for license information\n// See CONTRIBUTORS.txt for the list of SwiftNIO project authors\n//\n// SPDX-License-Identifier: Apache-2.0\n//\n//===----------------------------------------------------------------------===//\n\nimport NIOCore\n\n/// A wrapper around the custom verification callback types (``NIOSSLCustomVerificationCallback`` and ``NIOSSLCustomVerificationCallbackWithMetadata``)\nenum CustomCallback: Sendable {\n case callback(@Sendable ([NIOSSLCertificate], EventLoopPromise) -> Void)\n\n case callbackWithMetadata(\n @Sendable ([NIOSSLCertificate], EventLoopPromise) -> Void\n )\n\n var manager: CustomVerifyManager {\n switch self {\n /// See ``NIOSSLCustomVerificationCallback`` for more documentation\n case .callback(let callback):\n CustomVerifyManager(callback: callback)\n /// See ``NIOSSLCustomVerificationCallbackWithMetadata`` for more documentation\n case .callbackWithMetadata(let callbackWithMetadata):\n CustomVerifyManager(callback: callbackWithMetadata)\n }\n }\n}\n\n/// A TLS provider to bootstrap TLS-enabled connections with `NIOClientTCPBootstrap`.\n///\n/// Example:\n///\n/// // TLS setup.\n/// let configuration = TLSConfiguration.makeClientConfiguration()\n/// let sslContext = try NIOSSLContext(configuration: configuration)\n///\n/// // Creating the \"universal bootstrap\" with the `NIOSSLClientTLSProvider`.\n/// let tlsProvider = NIOSSLClientTLSProvider(context: sslContext, serverHostname: \"example.com\")\n/// let bootstrap = NIOClientTCPBootstrap(ClientBootstrap(group: group), tls: tlsProvider)\n///\n/// // Bootstrapping a connection using the \"universal bootstrapping mechanism\"\n/// let connection = bootstrap.enableTLS()\n/// .connect(to: \"example.com\")\n/// .wait()\npublic struct NIOSSLClientTLSProvider: NIOClientTLSProvider {\n public typealias Bootstrap = Bootstrap\n\n let context: NIOSSLContext\n let serverHostname: String?\n let customVerificationCallback: CustomCallback?\n /// See ``_NIOAdditionalPeerCertificateVerificationCallback`` for more documentation\n let additionalPeerCertificateVerificationCallback:\n (@Sendable (NIOSSLCertificate, Channel) -> EventLoopFuture)?\n\n internal init(\n context: NIOSSLContext,\n serverHostname: String?,\n customVerificationCallback: CustomCallback? = nil,\n additionalPeerCertificateVerificationCallback: (\n @Sendable (NIOSSLCertificate, Channel) -> EventLoopFuture\n )? = nil\n ) throws {\n try serverHostname.map {\n try $0.validateSNIServerName()\n }\n self.context = context\n self.serverHostname = serverHostname\n self.customVerificationCallback = customVerificationCallback\n self.additionalPeerCertificateVerificationCallback = additionalPeerCertificateVerificationCallback\n }\n\n /// Construct the TLS provider with the necessary configuration.\n ///\n /// - parameters:\n /// - context: The ``NIOSSLContext`` to use with the connection.\n /// - serverHostname: The hostname of the server we're trying to connect to, if known. This will be used in the SNI extension,\n /// and used to validate the server certificate.\n /// - customVerificationCallback: A callback to use that will override NIOSSL's normal verification logic. See ``NIOSSLCustomVerificationCallback`` for complete documentation.\n ///\n /// If set, this callback is provided the certificates presented by the peer. NIOSSL will not have pre-processed them. The callback will not be used if the\n /// ``TLSConfiguration`` that was used to construct the ``NIOSSLContext`` has ``TLSConfiguration/certificateVerification`` set to ``CertificateVerification/none``.\n @preconcurrency\n public init(\n context: NIOSSLContext,\n serverHostname: String?,\n customVerificationCallback: (\n @Sendable ([NIOSSLCertificate], EventLoopPromise) -> Void\n )? = nil\n ) throws {\n try self.init(\n context: context,\n serverHostname: serverHostname,\n customVerificationCallback: customVerificationCallback.map { .callback($0) },\n additionalPeerCertificateVerificationCallback: nil\n )\n }\n\n /// Construct the TLS provider with the necessary configuration.\n ///\n /// - parameters:\n /// - context: The ``NIOSSLContext`` to use with the connection.\n /// - serverHostname: The hostname of the server we're trying to connect to, if known. This will be used in the SNI extension,\n /// and used to validate the server certificate.\n /// - customVerificationCallbackWithMetadata: A callback to use that will override NIOSSL's normal verification\n /// logic. If validation is successful, the peer's validated certificate chain can be returned, and later\n /// accessed via ``NIOSSLHandler/peerValidatedCertificateChain``. The callback will not be used if the\n /// ``TLSConfiguration`` that was used to construct the ``NIOSSLContext`` has\n /// ``TLSConfiguration/certificateVerification`` set to ``CertificateVerification/none``.\n ///\n /// - This callback is provided the certificates presented by the peer. NIOSSL will not have pre-processed\n /// them. Therefore, a validated chain must be derived *within* this callback (potentially involving fetching\n /// additional intermediate certificates). The *validated* certificate chain returned in the promise result\n /// **must** be a verified path to a trusted root. Importantly, the certificates presented by the peer should\n /// not be assumed to be valid.\n public init(\n context: NIOSSLContext,\n serverHostname: String?,\n customVerificationCallbackWithMetadata:\n @escaping (\n @Sendable ([NIOSSLCertificate], EventLoopPromise) -> Void\n )\n ) throws {\n try self.init(\n context: context,\n serverHostname: serverHostname,\n customVerificationCallback: .callbackWithMetadata(customVerificationCallbackWithMetadata),\n additionalPeerCertificateVerificationCallback: nil\n )\n }\n\n /// Enable TLS on the bootstrap. This is not a function you will typically call as a user, it is called by\n /// `NIOClientTCPBootstrap`.\n public func enableTLS(_ bootstrap: Bootstrap) -> Bootstrap {\n // NIOSSLClientHandler.init only throws because of `malloc` error and invalid SNI hostnames. We want to crash\n // on malloc error and we pre-checked the SNI hostname in `init` so that should be impossible here.\n bootstrap.protocolHandlers {\n [context, serverHostname, customVerificationCallback, additionalPeerCertificateVerificationCallback] in\n [\n try! NIOSSLClientHandler(\n context: context,\n serverHostname: serverHostname,\n optionalCustomVerificationCallbackManager: customVerificationCallback?.manager,\n optionalAdditionalPeerCertificateVerificationCallback: additionalPeerCertificateVerificationCallback\n )\n ]\n }\n }\n}\n\nextension NIOSSLClientTLSProvider: Sendable where Bootstrap: Sendable {}\n" }, { "path": "Sources/NIOSSL/UnsafeKeyAndChainTarget.swift", "content": "//===----------------------------------------------------------------------===//\n//\n// This source file is part of the SwiftNIO open source project\n//\n// Copyright (c) 2024 Apple Inc. and the SwiftNIO project authors\n// Licensed under Apache License v2.0\n//\n// See LICENSE.txt for license information\n// See CONTRIBUTORS.txt for the list of SwiftNIO project authors\n//\n// SPDX-License-Identifier: Apache-2.0\n//\n//===----------------------------------------------------------------------===//\n@_implementationOnly import CNIOBoringSSL\n\nenum UnsafeKeyAndChainTarget {\n case sslContext(OpaquePointer)\n case ssl(OpaquePointer)\n\n func useCertificateChain(\n _ certificateChain: [NIOSSLCertificateSource]\n ) throws {\n // Clear the existing chain first.\n // So that when this function is called, `certificateChain` becomes the only certificates in the context.\n self.clearAdditionalChainCertificates()\n var leaf = true\n for source in certificateChain {\n switch source {\n case .file(let p):\n self.useCertificateChainFile(p)\n leaf = false\n case .certificate(let cert):\n if leaf {\n try self.setLeafCertificate(cert)\n leaf = false\n } else {\n try self.addAdditionalChainCertificate(cert)\n }\n }\n }\n }\n\n func useCertificateChainFile(_ path: String) {\n let result = path.withCString { (pointer) -> CInt in\n switch self {\n case .sslContext(let context):\n CNIOBoringSSL_SSL_CTX_use_certificate_chain_file(context, pointer)\n case .ssl(let ssl):\n CNIOBoringSSL_SSL_CTX_use_certificate_chain_file(ssl, pointer)\n }\n }\n\n precondition(result == 1)\n }\n\n func setLeafCertificate(_ cert: NIOSSLCertificate) throws {\n let rc = cert.withUnsafeMutableX509Pointer { ref in\n switch self {\n case .sslContext(let context):\n CNIOBoringSSL_SSL_CTX_use_certificate(context, ref)\n case .ssl(let ssl):\n CNIOBoringSSL_SSL_use_certificate(ssl, ref)\n }\n }\n guard rc == 1 else {\n throw NIOSSLError.failedToLoadCertificate\n }\n }\n\n func clearAdditionalChainCertificates() {\n switch self {\n case .sslContext(let context):\n CNIOBoringSSL_SSL_CTX_clear_chain_certs(context)\n case .ssl(let ssl):\n CNIOBoringSSL_SSL_clear_chain_certs(ssl)\n }\n }\n\n func addAdditionalChainCertificate(_ cert: NIOSSLCertificate) throws {\n let rc = cert.withUnsafeMutableX509Pointer { ref in\n switch self {\n case .sslContext(let context):\n CNIOBoringSSL_SSL_CTX_add1_chain_cert(context, ref)\n case .ssl(let ssl):\n CNIOBoringSSL_SSL_add1_chain_cert(ssl, ref)\n }\n }\n guard rc == 1 else {\n throw NIOSSLError.failedToLoadCertificate\n }\n }\n\n func usePrivateKeySource(_ privateKey: NIOSSLPrivateKeySource) throws {\n switch privateKey {\n case .file(let p):\n try self.usePrivateKeyFile(p)\n case .privateKey(let key):\n try self.setPrivateKey(key)\n }\n }\n\n func setPrivateKey(_ key: NIOSSLPrivateKey) throws {\n switch key.representation {\n case .native:\n let rc = key.withUnsafeMutableEVPPKEYPointer { ref in\n switch self {\n case .sslContext(let context):\n CNIOBoringSSL_SSL_CTX_use_PrivateKey(context, ref)\n case .ssl(let ssl):\n CNIOBoringSSL_SSL_use_PrivateKey(ssl, ref)\n }\n }\n guard 1 == rc else {\n throw NIOSSLError.failedToLoadPrivateKey\n }\n case .custom:\n switch self {\n case .sslContext(let context):\n CNIOBoringSSL_SSL_CTX_set_private_key_method(context, customPrivateKeyMethod)\n case .ssl(let ssl):\n CNIOBoringSSL_SSL_set_private_key_method(ssl, customPrivateKeyMethod)\n }\n }\n }\n\n func usePrivateKeyFile(_ path: String) throws {\n let pathExtension = path.split(separator: \".\").last\n let fileType: CInt\n\n switch pathExtension?.lowercased() {\n case .some(\"pem\"):\n fileType = SSL_FILETYPE_PEM\n case .some(\"der\"), .some(\"key\"):\n fileType = SSL_FILETYPE_ASN1\n default:\n throw NIOSSLExtraError.unknownPrivateKeyFileType(path: path)\n }\n\n let result = path.withCString { (pointer) -> CInt in\n switch self {\n case .sslContext(let context):\n CNIOBoringSSL_SSL_CTX_use_PrivateKey_file(context, pointer, fileType)\n case .ssl(let ssl):\n CNIOBoringSSL_SSL_use_PrivateKey_file(ssl, pointer, fileType)\n }\n }\n\n guard result == 1 else {\n throw NIOSSLError.failedToLoadPrivateKey\n }\n }\n}\n" }, { "path": "Sources/NIOSSLHTTP1Client/README.md", "content": "NIOSSLHTTP1Client\n---\n\nThis sample application provides a https client. Invoke it using one of the following syntaxes.\n\n```bash\nswift run NIOSSLHTTP1Client # Gets a content on a server on ::1, port 4433, using SSL/TLS\nswift run NIOSSLHTTP1Client \"https://example.com\" # Gets a content on a server on example.com, port 443, using SSL/TLS \nswift run NIOSSLHTTP1Client \"https://example.com:4433\" # Gets a content on a server on example.com, port 4433, using SSL/TLS\n```\n" }, { "path": "Sources/NIOSSLHTTP1Client/main.swift", "content": "//===----------------------------------------------------------------------===//\n//\n// This source file is part of the SwiftNIO open source project\n//\n// Copyright (c) 2017-2021 Apple Inc. and the SwiftNIO project authors\n// Licensed under Apache License v2.0\n//\n// See LICENSE.txt for license information\n// See CONTRIBUTORS.txt for the list of SwiftNIO project authors\n//\n// SPDX-License-Identifier: Apache-2.0\n//\n//===----------------------------------------------------------------------===//\n\nimport Foundation\nimport NIOCore\nimport NIOFoundationCompat\nimport NIOHTTP1\nimport NIOPosix\nimport NIOSSL\n\nprivate final class HTTPResponseHandler: ChannelInboundHandler {\n\n let promise: EventLoopPromise\n\n var closeFuture: EventLoopFuture? = nil\n\n init(_ promise: EventLoopPromise) {\n self.promise = promise\n }\n\n typealias InboundIn = HTTPClientResponsePart\n\n func channelRead(context: ChannelHandlerContext, data: NIOAny) {\n let httpResponsePart = unwrapInboundIn(data)\n switch httpResponsePart {\n case .head(let httpResponseHeader):\n print(\n \"\\(httpResponseHeader.version) \\(httpResponseHeader.status.code) \\(httpResponseHeader.status.reasonPhrase)\"\n )\n for (name, value) in httpResponseHeader.headers {\n print(\"\\(name): \\(value)\")\n }\n case .body(var byteBuffer):\n if let data = byteBuffer.readData(length: byteBuffer.readableBytes) {\n FileHandle.standardOutput.write(data)\n }\n case .end(_):\n closeFuture = context.channel.close()\n promise.succeed(())\n }\n }\n\n func channelInactive(context: ChannelHandlerContext) {\n if closeFuture == nil {\n closeFuture = context.channel.close()\n promise.fail(ChannelError.inputClosed)\n }\n }\n\n func errorCaught(context: ChannelHandlerContext, error: Error) {\n print(\"Error: \", error)\n closeFuture = context.channel.close()\n promise.succeed(())\n }\n}\n\nlet arguments = CommandLine.arguments\nlet arg1 = arguments.dropFirst().first\n\nlet url: URL\nvar cert: [NIOSSLCertificateSource] = []\nvar key: NIOSSLPrivateKeySource?\nvar trustRoot: NIOSSLTrustRoots = .default\n\nif let u = arg1 {\n url = URL(string: u)!\n} else {\n url = URL(string: \"https://::1:4433/get\")!\n}\n\n// These extra arguments aren't expected to be used, we use them for integration tests only.\nif let c = arguments.dropFirst(2).first {\n cert.append(contentsOf: try NIOSSLCertificate.fromPEMFile(c).map { .certificate($0) })\n}\nif let k = arguments.dropFirst(3).first {\n try! key = .privateKey(.init(file: k, format: .pem))\n}\nif let r = arguments.dropFirst(4).first {\n trustRoot = .file(r)\n}\n\nlet eventLoopGroup = MultiThreadedEventLoopGroup(numberOfThreads: 1)\nlet promise: EventLoopPromise = eventLoopGroup.next().makePromise(of: Void.self)\ndefer {\n try! promise.futureResult.wait()\n try! eventLoopGroup.syncShutdownGracefully()\n}\n\nvar tlsConfiguration = TLSConfiguration.makeClientConfiguration()\ntlsConfiguration.trustRoots = trustRoot\ntlsConfiguration.certificateChain = cert\ntlsConfiguration.privateKey = key\ntlsConfiguration.renegotiationSupport = .once\n\nlet sslContext = try! NIOSSLContext(configuration: tlsConfiguration)\n\nlet bootstrap = ClientBootstrap(group: eventLoopGroup)\n .channelOption(ChannelOptions.socket(SocketOptionLevel(SOL_SOCKET), SO_REUSEADDR), value: 1)\n .channelInitializer { channel in\n channel.eventLoop.makeCompletedFuture {\n let openSslHandler = try NIOSSLClientHandler(context: sslContext, serverHostname: url.host)\n try channel.pipeline.syncOperations.addHandler(openSslHandler)\n try channel.pipeline.syncOperations.addHTTPClientHandlers()\n try channel.pipeline.syncOperations.addHandler(HTTPResponseHandler(promise))\n }\n }\n\nfunc sendRequest(_ channel: Channel) -> EventLoopFuture {\n var request = HTTPRequestHead(\n version: HTTPVersion(major: 1, minor: 1),\n method: HTTPMethod.GET,\n uri: url.absoluteString\n )\n request.headers = HTTPHeaders([\n (\"Host\", url.host!),\n (\"User-Agent\", \"swift-nio\"),\n (\"Accept\", \"application/json\"),\n (\"Connection\", \"close\"),\n ])\n channel.write(HTTPClientRequestPart.head(request), promise: nil)\n return channel.writeAndFlush(HTTPClientRequestPart.end(nil))\n}\n\nbootstrap.connect(host: url.host!, port: url.port ?? 443)\n .flatMap { sendRequest($0) }\n .cascadeFailure(to: promise)\n" }, { "path": "Sources/NIOSSLPerformanceTester/BenchManyWrites.swift", "content": "//===----------------------------------------------------------------------===//\n//\n// This source file is part of the SwiftNIO open source project\n//\n// Copyright (c) 2019-2021 Apple Inc. and the SwiftNIO project authors\n// Licensed under Apache License v2.0\n//\n// See LICENSE.txt for license information\n// See CONTRIBUTORS.txt for the list of SwiftNIO project authors\n//\n// SPDX-License-Identifier: Apache-2.0\n//\n//===----------------------------------------------------------------------===//\n\nimport NIOCore\nimport NIOEmbedded\nimport NIOSSL\n\nfinal class BenchManyWrites: Benchmark {\n let clientContext: NIOSSLContext\n let serverContext: NIOSSLContext\n let dummyAddress: SocketAddress\n let backToBack: BackToBackEmbeddedChannel\n let loopCount: Int\n let writeSize: Int\n var buffer: ByteBuffer?\n\n init(loopCount: Int, writeSizeInBytes writeSize: Int) throws {\n self.loopCount = loopCount\n self.writeSize = writeSize\n self.serverContext = try NIOSSLContext(\n configuration: .makeServerConfiguration(\n certificateChain: [.certificate(.forTesting())],\n privateKey: .privateKey(.forTesting())\n )\n )\n\n var clientConfig = TLSConfiguration.makeClientConfiguration()\n clientConfig.trustRoots = try .certificates([.forTesting()])\n self.clientContext = try NIOSSLContext(configuration: clientConfig)\n\n self.dummyAddress = try SocketAddress(ipAddress: \"1.2.3.4\", port: 5678)\n self.backToBack = BackToBackEmbeddedChannel()\n }\n\n func setUp() throws {\n let serverHandler = NIOSSLServerHandler(context: self.serverContext)\n let clientHandler = try NIOSSLClientHandler(context: self.clientContext, serverHostname: \"localhost\")\n try self.backToBack.client.pipeline.syncOperations.addHandler(clientHandler)\n try self.backToBack.server.pipeline.syncOperations.addHandler(serverHandler)\n\n // To trigger activation of both channels we use connect().\n try self.backToBack.client.connect(to: dummyAddress).wait()\n try self.backToBack.server.connect(to: dummyAddress).wait()\n try self.backToBack.interactInMemory()\n\n self.buffer = self.backToBack.client.allocator.buffer(capacity: self.writeSize)\n self.buffer!.writeBytes(repeatElement(0, count: self.writeSize))\n\n }\n\n func tearDown() {}\n\n func run() throws -> Int {\n guard let buffer = self.buffer else {\n fatalError(\"Couldn't get buffer\")\n }\n\n for _ in 0.. Int {\n for _ in 0.. Int\n}\n\nfunc measureAndPrint(desc: String, benchmark bench: B) throws {\n try bench.setUp()\n defer {\n bench.tearDown()\n }\n try measureAndPrint(desc: desc) {\n try bench.run()\n }\n}\n" }, { "path": "Sources/NIOSSLPerformanceTester/main.swift", "content": "//===----------------------------------------------------------------------===//\n//\n// This source file is part of the SwiftNIO open source project\n//\n// Copyright (c) 2019-2021 Apple Inc. and the SwiftNIO project authors\n// Licensed under Apache License v2.0\n//\n// See LICENSE.txt for license information\n// See CONTRIBUTORS.txt for the list of SwiftNIO project authors\n//\n// SPDX-License-Identifier: Apache-2.0\n//\n//===----------------------------------------------------------------------===//\n\nimport Dispatch\nimport Foundation\n\n// MARK: Test Harness\n\nnonisolated(unsafe) var warning: String = \"\"\n\nassert(\n {\n print(\"======================================================\")\n print(\"= YOU ARE RUNNING NIOPerformanceTester IN DEBUG MODE =\")\n print(\"======================================================\")\n warning = \" <<< DEBUG MODE >>>\"\n return true\n }()\n)\n\npublic func measure(_ fn: () throws -> Int) rethrows -> [TimeInterval] {\n func measureOne(_ fn: () throws -> Int) rethrows -> TimeInterval {\n let start = Date()\n _ = try fn()\n let end = Date()\n return end.timeIntervalSince(start)\n }\n\n _ = try measureOne(fn) // pre-heat and throw away\n var measurements = Array(repeating: 0.0, count: 10)\n for i in 0..<10 {\n measurements[i] = try measureOne(fn)\n }\n\n return measurements\n}\n\nlet limitSet = CommandLine.arguments.dropFirst()\n\npublic func measureAndPrint(desc: String, fn: () throws -> Int) rethrows {\n if limitSet.count == 0 || limitSet.contains(desc) {\n print(\"measuring\\(warning): \\(desc): \", terminator: \"\")\n let measurements = try measure(fn)\n print(measurements.reduce(\"\") { $0 + \"\\($1), \" })\n } else {\n print(\"skipping '\\(desc)', limit set = \\(limitSet)\")\n }\n}\n\n// MARK: Utilities\n\ntry measureAndPrint(desc: \"repeated_handshakes\", benchmark: try BenchRepeatedHandshakes(loopCount: 1000))\ntry measureAndPrint(desc: \"many_writes_512b\", benchmark: try BenchManyWrites(loopCount: 2000, writeSizeInBytes: 512))\n" }, { "path": "Sources/NIOSSLPerformanceTester/shared.swift", "content": "//===----------------------------------------------------------------------===//\n//\n// This source file is part of the SwiftNIO open source project\n//\n// Copyright (c) 2019-2021 Apple Inc. and the SwiftNIO project authors\n// Licensed under Apache License v2.0\n//\n// See LICENSE.txt for license information\n// See CONTRIBUTORS.txt for the list of SwiftNIO project authors\n//\n// SPDX-License-Identifier: Apache-2.0\n//\n//===----------------------------------------------------------------------===//\nimport Foundation\nimport NIOCore\nimport NIOEmbedded\nimport NIOSSL\n\nclass BackToBackEmbeddedChannel {\n private(set) var client: EmbeddedChannel\n private(set) var server: EmbeddedChannel\n private var loop: EmbeddedEventLoop\n\n init() {\n self.loop = EmbeddedEventLoop()\n self.client = EmbeddedChannel(loop: self.loop)\n self.server = EmbeddedChannel(loop: self.loop)\n }\n\n func run() {\n self.loop.run()\n }\n\n func interactInMemory() throws {\n var workToDo = true\n\n while workToDo {\n workToDo = false\n\n self.loop.run()\n let clientDatum = try self.client.readOutbound(as: IOData.self)\n let serverDatum = try self.server.readOutbound(as: IOData.self)\n\n if let clientMsg = clientDatum {\n try self.server.writeInbound(clientMsg)\n workToDo = true\n }\n\n if let serverMsg = serverDatum {\n try self.client.writeInbound(serverMsg)\n workToDo = true\n }\n }\n }\n}\n\nextension NIOSSLCertificate {\n static func forTesting() throws -> NIOSSLCertificate {\n try .init(bytes: certificatePemBytes, format: .pem)\n }\n}\n\nextension NIOSSLPrivateKey {\n static func forTesting() throws -> NIOSSLPrivateKey {\n try .init(bytes: keyPemBytes, format: .pem)\n }\n}\n\nprivate let certificatePemBytes = Array(\n \"\"\"\n -----BEGIN CERTIFICATE-----\n MIIBTzCB9qADAgECAhQkvv72Je/v+B/cgJ53f84O82z6WTAKBggqhkjOPQQDAjAU\n MRIwEAYDVQQDDAlsb2NhbGhvc3QwHhcNMTkxMTI3MTAxMjMwWhcNMjkxMTI0MTAx\n MjMwWjAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwWTATBgcqhkjOPQIBBggqhkjOPQMB\n BwNCAAShtZ9TRt7I+7Y0o99XUkrgSYmUmpr4K8CB0IkTCX6b1tXp3Xqs1V5BckTd\n qrls+zsm3AfeiNBb9EDdxiX9DdzuoyYwJDAUBgNVHREEDTALgglsb2NhbGhvc3Qw\n DAYDVR0TAQH/BAIwADAKBggqhkjOPQQDAgNIADBFAiAKxYON+YTnIHNR0R6SLP8R\n R7hjsjV5NDs18XLoeRnA1gIhANwyggmE6NQW/r9l59fexj/ZrjaS3jYOTNCfC1Lo\n 5NgJ\n -----END CERTIFICATE-----\n \"\"\".utf8\n)\n\nprivate let keyPemBytes = Array(\n \"\"\"\n -----BEGIN PRIVATE KEY-----\n MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgCn182hBmYVMAiNPO\n +7w05F40SlAqqxgBEYJZOeK47aihRANCAAShtZ9TRt7I+7Y0o99XUkrgSYmUmpr4\n K8CB0IkTCX6b1tXp3Xqs1V5BckTdqrls+zsm3AfeiNBb9EDdxiX9Ddzu\n -----END PRIVATE KEY-----\n \"\"\".utf8\n)\n" }, { "path": "Sources/NIOTLSServer/README.md", "content": "# NIOTLSServer\n---\n\nThis sample application provides a TLS server. Invoke it with the following syntax.\n\n```bash\nswift run NIOTLSServer # Gets a content on a server on ::1, port 4433, using TLS\n\n```\n" }, { "path": "Sources/NIOTLSServer/main.swift", "content": "//===----------------------------------------------------------------------===//\n//\n// This source file is part of the SwiftNIO open source project\n//\n// Copyright (c) 2017-2021 Apple Inc. and the SwiftNIO project authors\n// Licensed under Apache License v2.0\n//\n// See LICENSE.txt for license information\n// See CONTRIBUTORS.txt for the list of SwiftNIO project authors\n//\n// SPDX-License-Identifier: Apache-2.0\n//\n//===----------------------------------------------------------------------===//\n\nimport NIOCore\nimport NIOPosix\nimport NIOSSL\n\nimport struct Foundation.URL\n\nprivate final class EchoHandler: ChannelInboundHandler {\n public typealias InboundIn = ByteBuffer\n\n func channelRead(context: ChannelHandlerContext, data: NIOAny) {\n context.write(data, promise: nil)\n }\n\n func channelReadComplete(context: ChannelHandlerContext) {\n context.flush()\n }\n}\n\nlet certificateChain = try NIOSSLCertificate.fromPEMFile(\"cert.pem\")\nlet privateKey = try! NIOSSLPrivateKey(file: \"key.pem\", format: .pem)\nlet sslContext = try! NIOSSLContext(\n configuration: TLSConfiguration.makeServerConfiguration(\n certificateChain: certificateChain.map { .certificate($0) },\n privateKey: .privateKey(privateKey)\n )\n)\n\nlet group = MultiThreadedEventLoopGroup(numberOfThreads: 1)\nlet bootstrap = ServerBootstrap(group: group)\n // Specify backlog and enable SO_REUSEADDR for the server itself\n .serverChannelOption(ChannelOptions.backlog, value: 256)\n .serverChannelOption(ChannelOptions.socket(SocketOptionLevel(SOL_SOCKET), SO_REUSEADDR), value: 1)\n\n // Set the handlers that are applied to the accepted channels.\n .childChannelInitializer { channel in\n channel.eventLoop.makeCompletedFuture {\n try channel.pipeline.syncOperations.addHandlers(NIOSSLServerHandler(context: sslContext), EchoHandler())\n }\n }\n\n // Enable TCP_NODELAY and SO_REUSEADDR for the accepted Channels\n .childChannelOption(ChannelOptions.socket(IPPROTO_TCP, TCP_NODELAY), value: 1)\n .childChannelOption(ChannelOptions.socket(SocketOptionLevel(SOL_SOCKET), SO_REUSEADDR), value: 1)\n\ndefer {\n try! group.syncShutdownGracefully()\n}\n\n// First argument is the program path\nlet arguments = CommandLine.arguments\nlet arg1 = arguments.dropFirst().first\nlet arg2 = arguments.dropFirst().dropFirst().first\n\nvar host: String = \"::1\"\nvar port: Int = 4433\nswitch (arg1, arg1.flatMap { Int($0) }, arg2.flatMap { Int($0) }) {\ncase (.some(let h), _, .some(let p)):\n // we got two arguments, let's interpret that as host and port\n host = h\n port = p\ncase (_, .some(let p), _):\n // only one argument --> port\n port = p\ndefault:\n ()\n}\n\nlet channel = try bootstrap.bind(host: host, port: port).wait()\n\nprint(\"Server started and listening on \\(channel.localAddress!)\")\n\n// This will never unblock as we don't close the ServerChannel\ntry channel.closeFuture.wait()\n\nprint(\"Server closed\")\n" }, { "path": "Tests/NIOSSLTests/ByteBufferBIOTest.swift", "content": "//===----------------------------------------------------------------------===//\n//\n// This source file is part of the SwiftNIO open source project\n//\n// Copyright (c) 2017-2021 Apple Inc. and the SwiftNIO project authors\n// Licensed under Apache License v2.0\n//\n// See LICENSE.txt for license information\n// See CONTRIBUTORS.txt for the list of SwiftNIO project authors\n//\n// SPDX-License-Identifier: Apache-2.0\n//\n//===----------------------------------------------------------------------===//\n\n@_implementationOnly import CNIOBoringSSL\nimport NIOCore\nimport XCTest\n\n@testable import NIOSSL\n\nfinal class ByteBufferBIOTest: XCTestCase {\n override func setUp() {\n guard boringSSLIsInitialized else {\n fatalError(\"Cannot run tests without BoringSSL\")\n }\n }\n\n /// This leaks on purpose!\n private func retainedBIO() -> UnsafeMutablePointer {\n let swiftBIO = ByteBufferBIO(allocator: ByteBufferAllocator(), maximumPreservedOutboundBufferCapacity: .max)\n swiftBIO.close()\n return swiftBIO.retainedBIO()\n }\n\n func testExtractingBIOWrite() throws {\n let swiftBIO = ByteBufferBIO(allocator: ByteBufferAllocator(), maximumPreservedOutboundBufferCapacity: .max)\n let cBIO = swiftBIO.retainedBIO()\n defer {\n CNIOBoringSSL_BIO_free(cBIO)\n swiftBIO.close()\n }\n\n XCTAssertNil(swiftBIO.outboundCiphertext())\n\n var bytesToWrite: [UInt8] = [1, 2, 3, 4, 5]\n let rc = CNIOBoringSSL_BIO_write(cBIO, &bytesToWrite, 5)\n XCTAssertEqual(rc, 5)\n\n guard\n let extractedBytes = swiftBIO.outboundCiphertext().flatMap({\n $0.getBytes(at: $0.readerIndex, length: $0.readableBytes)\n })\n else {\n XCTFail(\"No received bytes\")\n return\n }\n XCTAssertEqual(extractedBytes, bytesToWrite)\n XCTAssertNil(swiftBIO.outboundCiphertext())\n }\n\n func testManyBIOWritesAreCoalesced() throws {\n let swiftBIO = ByteBufferBIO(allocator: ByteBufferAllocator(), maximumPreservedOutboundBufferCapacity: .max)\n let cBIO = swiftBIO.retainedBIO()\n defer {\n CNIOBoringSSL_BIO_free(cBIO)\n swiftBIO.close()\n }\n\n XCTAssertNil(swiftBIO.outboundCiphertext())\n\n var bytesToWrite: [UInt8] = [1, 2, 3, 4, 5]\n var expectedBytes = [UInt8]()\n for _ in 0..<10 {\n let rc = CNIOBoringSSL_BIO_write(cBIO, &bytesToWrite, 5)\n XCTAssertEqual(rc, 5)\n expectedBytes.append(contentsOf: bytesToWrite)\n }\n\n guard\n let extractedBytes = swiftBIO.outboundCiphertext().flatMap({\n $0.getBytes(at: $0.readerIndex, length: $0.readableBytes)\n })\n else {\n XCTFail(\"No received bytes\")\n return\n }\n XCTAssertEqual(extractedBytes, expectedBytes)\n XCTAssertNil(swiftBIO.outboundCiphertext())\n }\n\n func testReadWithNoDataInBIO() throws {\n let swiftBIO = ByteBufferBIO(allocator: ByteBufferAllocator(), maximumPreservedOutboundBufferCapacity: .max)\n let cBIO = swiftBIO.retainedBIO()\n defer {\n CNIOBoringSSL_BIO_free(cBIO)\n swiftBIO.close()\n }\n\n var targetBuffer = [UInt8](repeating: 0, count: 512)\n let rc = CNIOBoringSSL_BIO_read(cBIO, &targetBuffer, 512)\n XCTAssertEqual(rc, -1)\n XCTAssertTrue(CNIOBoringSSL_BIO_should_retry(cBIO) != 0)\n XCTAssertTrue(CNIOBoringSSL_BIO_should_read(cBIO) != 0)\n XCTAssertEqual(targetBuffer, [UInt8](repeating: 0, count: 512))\n }\n\n func testReadWithDataInBIO() throws {\n let swiftBIO = ByteBufferBIO(allocator: ByteBufferAllocator(), maximumPreservedOutboundBufferCapacity: .max)\n let cBIO = swiftBIO.retainedBIO()\n defer {\n CNIOBoringSSL_BIO_free(cBIO)\n swiftBIO.close()\n }\n\n var inboundBytes = ByteBufferAllocator().buffer(capacity: 1024)\n inboundBytes.writeBytes([1, 2, 3, 4, 5])\n swiftBIO.receiveFromNetwork(buffer: inboundBytes)\n\n var receivedBytes = ByteBufferAllocator().buffer(capacity: 1024)\n let rc = receivedBytes.writeWithUnsafeMutableBytes(minimumWritableBytes: 1024) { pointer in\n let innerRC = CNIOBoringSSL_BIO_read(cBIO, pointer.baseAddress!, CInt(pointer.count))\n XCTAssertTrue(innerRC > 0)\n return innerRC > 0 ? Int(innerRC) : 0\n }\n\n XCTAssertEqual(rc, 5)\n XCTAssertEqual(receivedBytes, inboundBytes)\n\n let secondRC = receivedBytes.withUnsafeMutableWritableBytes { pointer in\n CNIOBoringSSL_BIO_read(cBIO, pointer.baseAddress!, CInt(pointer.count))\n }\n XCTAssertEqual(secondRC, -1)\n XCTAssertTrue(CNIOBoringSSL_BIO_should_retry(cBIO) != 0)\n XCTAssertTrue(CNIOBoringSSL_BIO_should_read(cBIO) != 0)\n }\n\n func testShortReads() throws {\n let swiftBIO = ByteBufferBIO(allocator: ByteBufferAllocator(), maximumPreservedOutboundBufferCapacity: .max)\n let cBIO = swiftBIO.retainedBIO()\n defer {\n CNIOBoringSSL_BIO_free(cBIO)\n swiftBIO.close()\n }\n\n var inboundBytes = ByteBufferAllocator().buffer(capacity: 1024)\n inboundBytes.writeBytes([1, 2, 3, 4, 5])\n swiftBIO.receiveFromNetwork(buffer: inboundBytes)\n\n var receivedBytes = ByteBufferAllocator().buffer(capacity: 1024)\n for _ in 0..<5 {\n let rc = receivedBytes.writeWithUnsafeMutableBytes(minimumWritableBytes: 1024) { pointer in\n let innerRC = CNIOBoringSSL_BIO_read(cBIO, pointer.baseAddress!, 1)\n XCTAssertTrue(innerRC > 0)\n return innerRC > 0 ? Int(innerRC) : 0\n }\n\n XCTAssertEqual(rc, 1)\n }\n XCTAssertEqual(receivedBytes, inboundBytes)\n\n let secondRC = receivedBytes.withUnsafeMutableWritableBytes { pointer in\n CNIOBoringSSL_BIO_read(cBIO, pointer.baseAddress!, CInt(pointer.count))\n }\n XCTAssertEqual(secondRC, -1)\n XCTAssertTrue(CNIOBoringSSL_BIO_should_retry(cBIO) != 0)\n XCTAssertTrue(CNIOBoringSSL_BIO_should_read(cBIO) != 0)\n }\n\n func testDropRefToBaseObjectOnRead() throws {\n let cBIO = self.retainedBIO()\n let receivedBytes = ByteBufferAllocator().buffer(capacity: 1024)\n receivedBytes.withVeryUnsafeBytes { pointer in\n let rc = CNIOBoringSSL_BIO_read(cBIO, UnsafeMutableRawPointer(mutating: pointer.baseAddress!), 1)\n XCTAssertEqual(rc, -1)\n XCTAssertTrue(CNIOBoringSSL_BIO_should_retry(cBIO) == 0)\n }\n }\n\n func testDropRefToBaseObjectOnWrite() throws {\n let cBIO = self.retainedBIO()\n var receivedBytes = ByteBufferAllocator().buffer(capacity: 1024)\n receivedBytes.writeBytes([1, 2, 3, 4, 5])\n receivedBytes.withVeryUnsafeBytes { pointer in\n let rc = CNIOBoringSSL_BIO_write(cBIO, pointer.baseAddress!, 1)\n XCTAssertEqual(rc, -1)\n XCTAssertTrue(CNIOBoringSSL_BIO_should_retry(cBIO) == 0)\n }\n }\n\n func testZeroLengthReadsAlwaysSucceed() throws {\n let swiftBIO = ByteBufferBIO(allocator: ByteBufferAllocator(), maximumPreservedOutboundBufferCapacity: .max)\n let cBIO = swiftBIO.retainedBIO()\n defer {\n CNIOBoringSSL_BIO_free(cBIO)\n swiftBIO.close()\n }\n\n var targetBuffer = [UInt8](repeating: 0, count: 512)\n let rc = CNIOBoringSSL_BIO_read(cBIO, &targetBuffer, 0)\n XCTAssertEqual(rc, 0)\n XCTAssertEqual(targetBuffer, [UInt8](repeating: 0, count: 512))\n }\n\n func testWriteWhenHoldingBufferTriggersCoW() throws {\n let swiftBIO = ByteBufferBIO(allocator: ByteBufferAllocator(), maximumPreservedOutboundBufferCapacity: .max)\n let cBIO = swiftBIO.retainedBIO()\n defer {\n CNIOBoringSSL_BIO_free(cBIO)\n swiftBIO.close()\n }\n\n var bytesToWrite: [UInt8] = [1, 2, 3, 4, 5]\n let rc = CNIOBoringSSL_BIO_write(cBIO, &bytesToWrite, 5)\n XCTAssertEqual(rc, 5)\n\n guard let firstWrite = swiftBIO.outboundCiphertext() else {\n XCTFail(\"Did not write\")\n return\n }\n\n let secondRC = CNIOBoringSSL_BIO_write(cBIO, &bytesToWrite, 5)\n XCTAssertEqual(secondRC, 5)\n guard let secondWrite = swiftBIO.outboundCiphertext() else {\n XCTFail(\"Did not write second time\")\n return\n }\n\n XCTAssertNotEqual(firstWrite.baseAddress(), secondWrite.baseAddress())\n }\n\n func testWriteWhenDroppedBufferDoesNotTriggerCoW() {\n func writeAddress(swiftBIO: ByteBufferBIO, cBIO: UnsafeMutablePointer) -> UInt? {\n var bytesToWrite: [UInt8] = [1, 2, 3, 4, 5]\n let rc = CNIOBoringSSL_BIO_write(cBIO, &bytesToWrite, 5)\n XCTAssertEqual(rc, 5)\n return swiftBIO.outboundCiphertext()?.baseAddress()\n }\n\n let swiftBIO = ByteBufferBIO(allocator: ByteBufferAllocator(), maximumPreservedOutboundBufferCapacity: .max)\n let cBIO = swiftBIO.retainedBIO()\n defer {\n CNIOBoringSSL_BIO_free(cBIO)\n swiftBIO.close()\n }\n\n let firstAddress = writeAddress(swiftBIO: swiftBIO, cBIO: cBIO)\n let secondAddress = writeAddress(swiftBIO: swiftBIO, cBIO: cBIO)\n XCTAssertNotNil(firstAddress)\n XCTAssertNotNil(secondAddress)\n XCTAssertEqual(firstAddress, secondAddress)\n }\n\n func testZeroLengthWriteIsNoOp() {\n // This test works by emulating testWriteWhenHoldingBufferTriggersCoW, but\n // with the second write at zero length. This will not trigger a CoW, as no\n // actual write will occur.\n let swiftBIO = ByteBufferBIO(allocator: ByteBufferAllocator(), maximumPreservedOutboundBufferCapacity: .max)\n let cBIO = swiftBIO.retainedBIO()\n defer {\n CNIOBoringSSL_BIO_free(cBIO)\n swiftBIO.close()\n }\n\n var bytesToWrite: [UInt8] = [1, 2, 3, 4, 5]\n let rc = CNIOBoringSSL_BIO_write(cBIO, &bytesToWrite, 5)\n XCTAssertEqual(rc, 5)\n\n guard let firstWrite = swiftBIO.outboundCiphertext() else {\n XCTFail(\"Did not write\")\n return\n }\n withExtendedLifetime(firstWrite) {\n let secondRC = CNIOBoringSSL_BIO_write(cBIO, &bytesToWrite, 0)\n XCTAssertEqual(secondRC, 0)\n XCTAssertNil(swiftBIO.outboundCiphertext())\n }\n }\n\n func testSimplePuts() {\n let swiftBIO = ByteBufferBIO(allocator: ByteBufferAllocator(), maximumPreservedOutboundBufferCapacity: .max)\n let cBIO = swiftBIO.retainedBIO()\n defer {\n CNIOBoringSSL_BIO_free(cBIO)\n swiftBIO.close()\n }\n\n XCTAssertNil(swiftBIO.outboundCiphertext())\n\n let stringToWrite = \"Hello, world!\"\n let rc = stringToWrite.withCString {\n CNIOBoringSSL_BIO_puts(cBIO, $0)\n }\n XCTAssertEqual(rc, 13)\n\n let extractedString = swiftBIO.outboundCiphertext().flatMap {\n $0.getString(at: $0.readerIndex, length: $0.readableBytes)\n }\n XCTAssertEqual(extractedString, stringToWrite)\n XCTAssertNil(swiftBIO.outboundCiphertext())\n }\n\n func testGetsNotSupported() {\n let swiftBIO = ByteBufferBIO(allocator: ByteBufferAllocator(), maximumPreservedOutboundBufferCapacity: .max)\n let cBIO = swiftBIO.retainedBIO()\n defer {\n CNIOBoringSSL_BIO_free(cBIO)\n swiftBIO.close()\n }\n\n var buffer = ByteBufferAllocator().buffer(capacity: 1024)\n buffer.writeStaticString(\"Hello, world!\")\n swiftBIO.receiveFromNetwork(buffer: buffer)\n\n var output = [CChar](repeating: 0, count: 1024)\n\n output.withUnsafeMutableBufferPointer { pointer in\n let rc = CNIOBoringSSL_BIO_gets(cBIO, pointer.baseAddress, CInt(pointer.count))\n XCTAssertEqual(rc, -2)\n XCTAssertTrue(CNIOBoringSSL_BIO_should_retry(cBIO) == 0)\n }\n }\n\n func testBasicCtrlDance() {\n let swiftBIO = ByteBufferBIO(allocator: ByteBufferAllocator(), maximumPreservedOutboundBufferCapacity: .max)\n let cBIO = swiftBIO.retainedBIO()\n defer {\n CNIOBoringSSL_BIO_free(cBIO)\n swiftBIO.close()\n }\n\n let originalShutdown = CNIOBoringSSL_BIO_ctrl(cBIO, BIO_CTRL_GET_CLOSE, 0, nil)\n XCTAssertEqual(originalShutdown, CLong(BIO_CLOSE))\n\n let rc = CNIOBoringSSL_BIO_set_close(cBIO, CInt(BIO_NOCLOSE))\n XCTAssertEqual(rc, 1)\n\n let newShutdown = CNIOBoringSSL_BIO_ctrl(cBIO, BIO_CTRL_GET_CLOSE, 0, nil)\n XCTAssertEqual(newShutdown, CLong(BIO_NOCLOSE))\n\n let rc2 = CNIOBoringSSL_BIO_set_close(cBIO, CInt(BIO_CLOSE))\n XCTAssertEqual(rc2, 1)\n\n let newShutdown2 = CNIOBoringSSL_BIO_ctrl(cBIO, BIO_CTRL_GET_CLOSE, 0, nil)\n XCTAssertEqual(newShutdown2, CLong(BIO_CLOSE))\n }\n\n func testMaximumPreservedCapacityIsObeyed() throws {\n let swiftBIO = ByteBufferBIO(allocator: ByteBufferAllocator(), maximumPreservedOutboundBufferCapacity: 64)\n let cBIO = swiftBIO.retainedBIO()\n defer {\n CNIOBoringSSL_BIO_free(cBIO)\n swiftBIO.close()\n }\n\n XCTAssertNil(swiftBIO.outboundCiphertext())\n\n // We're going to write 1kb, then 1 byte, in a loop. After the 1kB write, the capacity of the buffer will be 1kB (or more).\n // After the 1 byte write, the capacity will be 64 (exactly).\n var bytesToWrite: [UInt8] = .init(repeating: 0, count: 1024)\n\n for _ in 0..<10 {\n var rc = CNIOBoringSSL_BIO_write(cBIO, &bytesToWrite, CInt(bytesToWrite.count))\n XCTAssertEqual(rc, CInt(bytesToWrite.count))\n\n let capacity = swiftBIO._testOnly_outboundBufferCapacity\n XCTAssertGreaterThanOrEqual(capacity, 1024)\n\n guard swiftBIO.outboundCiphertext() != nil else {\n XCTFail(\"No received bytes\")\n return\n }\n\n // Capacity hasn't changed yet.\n XCTAssertEqual(capacity, swiftBIO._testOnly_outboundBufferCapacity)\n\n // Now write a short chunk.\n rc = CNIOBoringSSL_BIO_write(cBIO, &bytesToWrite, 1)\n XCTAssertEqual(rc, 1)\n\n // Check the capacity. It should be exactly 64.\n XCTAssertEqual(swiftBIO._testOnly_outboundBufferCapacity, 64)\n\n guard swiftBIO.outboundCiphertext() != nil else {\n XCTFail(\"No received bytes\")\n return\n }\n }\n }\n}\n\nextension ByteBuffer {\n func baseAddress() -> UInt {\n self.withVeryUnsafeBytes { UInt(bitPattern: $0.baseAddress!) }\n }\n}\n" }, { "path": "Tests/NIOSSLTests/CertificateVerificationTests.swift", "content": "//===----------------------------------------------------------------------===//\n//\n// This source file is part of the SwiftNIO open source project\n//\n// Copyright (c) 2019-2021 Apple Inc. and the SwiftNIO project authors\n// Licensed under Apache License v2.0\n//\n// See LICENSE.txt for license information\n// See CONTRIBUTORS.txt for the list of SwiftNIO project authors\n//\n// SPDX-License-Identifier: Apache-2.0\n//\n//===----------------------------------------------------------------------===//\n\nimport XCTest\n\n@testable import NIOSSL\n\nfinal class CertificateVerificationTests: XCTestCase {\n func testCanFindCAFileOnLinux() {\n // This test only runs on Linux\n #if os(Linux)\n // A valid Linux system means we can find a CA file.\n XCTAssertNotNil(rootCAFilePath)\n #endif\n }\n}\n" }, { "path": "Tests/NIOSSLTests/ClientSNITests.swift", "content": "//===----------------------------------------------------------------------===//\n//\n// This source file is part of the SwiftNIO open source project\n//\n// Copyright (c) 2017-2021 Apple Inc. and the SwiftNIO project authors\n// Licensed under Apache License v2.0\n//\n// See LICENSE.txt for license information\n// See CONTRIBUTORS.txt for the list of SwiftNIO project authors\n//\n// SPDX-License-Identifier: Apache-2.0\n//\n//===----------------------------------------------------------------------===//\n\nimport NIOCore\nimport NIOPosix\nimport NIOSSL\nimport NIOTLS\nimport XCTest\n\nclass ClientSNITests: XCTestCase {\n private func configuredSSLContext() throws -> NIOSSLContext {\n var config = TLSConfiguration.makeServerConfiguration(\n certificateChain: [.certificate(NIOSSLIntegrationTest.cert)],\n privateKey: .privateKey(NIOSSLIntegrationTest.key)\n )\n config.trustRoots = .certificates([NIOSSLIntegrationTest.cert])\n let context = try NIOSSLContext(configuration: config)\n return context\n }\n\n private func assertSniResult(sniField: String?, expectedResult: SNIResult) throws {\n let context = try configuredSSLContext()\n\n let group = MultiThreadedEventLoopGroup(numberOfThreads: 1)\n defer {\n try? group.syncShutdownGracefully()\n }\n\n let sniPromise: EventLoopPromise = group.next().makePromise()\n let serverChannel = try serverTLSChannel(\n context: context,\n preHandlers: [\n ByteToMessageHandler(\n SNIHandler {\n sniPromise.succeed($0)\n return group.next().makeSucceededFuture(())\n }\n )\n ],\n postHandlers: [],\n group: group\n )\n defer {\n _ = try? serverChannel.close().wait()\n }\n\n let clientChannel = try clientTLSChannel(\n context: context,\n preHandlers: [],\n postHandlers: [],\n group: group,\n connectingTo: serverChannel.localAddress!,\n serverHostname: sniField\n )\n defer {\n _ = try? clientChannel.close().wait()\n }\n\n let sniResult = try sniPromise.futureResult.wait()\n XCTAssertEqual(sniResult, expectedResult)\n }\n\n func testSNIIsTransmitted() throws {\n try assertSniResult(sniField: \"httpbin.org\", expectedResult: .hostname(\"httpbin.org\"))\n }\n\n func testNoSNILeadsToNoExtension() throws {\n try assertSniResult(sniField: nil, expectedResult: .fallback)\n }\n\n func testSNIIsRejectedForIPv4Addresses() throws {\n let context = try configuredSSLContext()\n\n let testString = \"192.168.0.1\"\n XCTAssertThrowsError(try NIOSSLClientTLSProvider(context: context, serverHostname: testString))\n { error in\n XCTAssertEqual(.cannotUseIPAddressInSNI, error as? NIOSSLExtraError)\n }\n XCTAssertThrowsError(try NIOSSLClientHandler(context: context, serverHostname: testString)) { error in\n XCTAssertEqual(.cannotUseIPAddressInSNI, error as? NIOSSLExtraError)\n }\n }\n\n func testSNIIsRejectedForIPv6Addresses() throws {\n let context = try configuredSSLContext()\n\n let testString = \"fe80::200:f8ff:fe21:67cf\"\n XCTAssertThrowsError(try NIOSSLClientTLSProvider(context: context, serverHostname: testString))\n { error in\n XCTAssertEqual(.cannotUseIPAddressInSNI, error as? NIOSSLExtraError)\n }\n XCTAssertThrowsError(try NIOSSLClientHandler(context: context, serverHostname: testString)) { error in\n XCTAssertEqual(.cannotUseIPAddressInSNI, error as? NIOSSLExtraError)\n }\n\n }\n\n func testSNIIsRejectedForEmptyHostname() throws {\n let context = try configuredSSLContext()\n\n let testString = \"\"\n XCTAssertThrowsError(try NIOSSLClientTLSProvider(context: context, serverHostname: testString))\n { error in\n XCTAssertEqual(.invalidSNIHostname, error as? NIOSSLExtraError)\n }\n XCTAssertThrowsError(try NIOSSLClientHandler(context: context, serverHostname: testString)) { error in\n XCTAssertEqual(.invalidSNIHostname, error as? NIOSSLExtraError)\n }\n }\n\n func testSNIIsRejectedForTooLongHostname() throws {\n let context = try configuredSSLContext()\n\n let testString = String(repeating: \"x\", count: 256)\n XCTAssertThrowsError(try NIOSSLClientTLSProvider(context: context, serverHostname: testString))\n { error in\n XCTAssertEqual(.invalidSNIHostname, error as? NIOSSLExtraError)\n }\n XCTAssertThrowsError(try NIOSSLClientHandler(context: context, serverHostname: testString)) { error in\n XCTAssertEqual(.invalidSNIHostname, error as? NIOSSLExtraError)\n }\n }\n\n func testSNIIsRejectedFor0Byte() throws {\n let context = try configuredSSLContext()\n\n let testString = String(UnicodeScalar(0)!)\n XCTAssertThrowsError(try NIOSSLClientTLSProvider(context: context, serverHostname: testString))\n { error in\n XCTAssertEqual(.invalidSNIHostname, error as? NIOSSLExtraError)\n }\n XCTAssertThrowsError(try NIOSSLClientHandler(context: context, serverHostname: testString)) { error in\n XCTAssertEqual(.invalidSNIHostname, error as? NIOSSLExtraError)\n }\n }\n\n func testSNIIsNotRejectedForAnyOfTheFirst1000CodeUnits() throws {\n let context = try configuredSSLContext()\n\n for testString in (1...Int(1000)).compactMap({ UnicodeScalar($0).map({ String($0) }) }) {\n XCTAssertNoThrow(try NIOSSLClientHandler(context: context, serverHostname: testString))\n XCTAssertNoThrow(try NIOSSLClientTLSProvider(context: context, serverHostname: testString))\n }\n }\n\n func testSNIIsNotRejectedForVeryWeirdCharacters() throws {\n let context = try configuredSSLContext()\n\n let testString = \"😎🥶💥🏴󠁧󠁢󠁥󠁮󠁧󠁿👩‍💻\"\n XCTAssertLessThanOrEqual(testString.utf8.count, 255) // just to check we didn't make this too large.\n XCTAssertNoThrow(try NIOSSLClientHandler(context: context, serverHostname: testString))\n XCTAssertNoThrow(try NIOSSLClientTLSProvider(context: context, serverHostname: testString))\n }\n}\n" }, { "path": "Tests/NIOSSLTests/CustomPrivateKeyTests.swift", "content": "//===----------------------------------------------------------------------===//\n//\n// This source file is part of the SwiftNIO open source project\n//\n// Copyright (c) 2021 Apple Inc. and the SwiftNIO project authors\n// Licensed under Apache License v2.0\n//\n// See LICENSE.txt for license information\n// See CONTRIBUTORS.txt for the list of SwiftNIO project authors\n//\n// SPDX-License-Identifier: Apache-2.0\n//\n//===----------------------------------------------------------------------===//\n\n@_implementationOnly import CNIOBoringSSL\nimport NIOConcurrencyHelpers\nimport NIOCore\nimport NIOEmbedded\nimport XCTest\n\n@testable import NIOSSL\n\n// This is a helper that lets us work with an EVP_PKEY.\n//\n// This type is thread-safe: it doesn't perform any mutation of the underlying object.\nprivate final class CustomPKEY: @unchecked Sendable {\n private let ref: OpaquePointer\n\n init(from key: NIOSSLPrivateKey) {\n // Extract a copy of the key reference here.\n self.ref = key.withUnsafeMutableEVPPKEYPointer { pkey in\n CNIOBoringSSL_EVP_PKEY_up_ref(pkey)\n return pkey\n }\n }\n\n init(from generator: () -> OpaquePointer) {\n self.ref = generator()\n }\n\n deinit {\n CNIOBoringSSL_EVP_PKEY_free(self.ref)\n }\n\n func sign(algorithm: SignatureAlgorithm, data: ByteBuffer) -> ByteBuffer {\n let ctx = CNIOBoringSSL_EVP_PKEY_CTX_new(self.ref, nil)!\n defer {\n CNIOBoringSSL_EVP_PKEY_CTX_free(ctx)\n }\n\n // Step 1: We need to hash the input before we sign.\n let hashContext = CNIOBoringSSL_EVP_MD_CTX_new()!\n defer {\n CNIOBoringSSL_EVP_MD_CTX_free(hashContext)\n }\n CNIOBoringSSL_EVP_MD_CTX_init(hashContext)\n CNIOBoringSSL_EVP_DigestInit_ex(hashContext, algorithm.md, nil)\n var rc = data.withUnsafeReadableBytes { bytesPtr in\n CNIOBoringSSL_EVP_DigestUpdate(\n hashContext,\n bytesPtr.baseAddress?.assumingMemoryBound(to: UInt8.self),\n bytesPtr.count\n )\n }\n precondition(rc == 1)\n\n let signatureSize = CNIOBoringSSL_EVP_MD_size(algorithm.md)\n\n var digestBuffer = ByteBuffer()\n digestBuffer.writeWithUnsafeMutableBytes(minimumWritableBytes: signatureSize) { outputPtr in\n var actualSize = CUnsignedInt(outputPtr.count)\n CNIOBoringSSL_EVP_DigestFinal_ex(\n hashContext,\n outputPtr.baseAddress?.assumingMemoryBound(to: UInt8.self),\n &actualSize\n )\n return Int(actualSize)\n }\n\n // Ok, great, we've hashed. Now let's do the signing.\n precondition(CNIOBoringSSL_EVP_PKEY_sign_init(ctx) == 1)\n // TODO: Add RSA padding when needed.\n CNIOBoringSSL_EVP_PKEY_CTX_set_signature_md(ctx, algorithm.md)\n\n // For RSA algorithms we may need to add padding.\n if let padding = algorithm.rsaPadding {\n CNIOBoringSSL_EVP_PKEY_CTX_set_rsa_padding(ctx, padding)\n }\n\n // And for some RSA padding, that may require a salt.\n if let saltLength = algorithm.saltLen {\n CNIOBoringSSL_EVP_PKEY_CTX_set_rsa_pss_saltlen(ctx, saltLength)\n }\n\n // Now we find out the length we need.\n var signatureLength: Int = 0\n rc = digestBuffer.withUnsafeReadableBytes { bytesPtr in\n CNIOBoringSSL_EVP_PKEY_sign(\n ctx,\n nil,\n &signatureLength,\n bytesPtr.baseAddress?.assumingMemoryBound(to: UInt8.self),\n bytesPtr.count\n )\n }\n\n precondition(rc == 1)\n\n // And finally we can do the sign.\n var outputBuffer = ByteBuffer()\n outputBuffer.writeWithUnsafeMutableBytes(minimumWritableBytes: signatureLength) { outputPtr in\n precondition(signatureLength <= outputPtr.count)\n let rc = digestBuffer.withUnsafeReadableBytes { bytesPtr in\n CNIOBoringSSL_EVP_PKEY_sign(\n ctx,\n outputPtr.baseAddress?.assumingMemoryBound(to: UInt8.self),\n &signatureLength,\n bytesPtr.baseAddress?.assumingMemoryBound(to: UInt8.self),\n bytesPtr.count\n )\n }\n precondition(rc == 1)\n return signatureLength\n }\n\n return outputBuffer\n }\n\n func decrypt(data: ByteBuffer) -> ByteBuffer {\n // Decryption is only needed for RSA, so this has to work.\n let rsa = CNIOBoringSSL_EVP_PKEY_get0_RSA(self.ref)!\n let targetSize = CNIOBoringSSL_RSA_size(rsa)\n\n var output = ByteBuffer()\n output.writeWithUnsafeMutableBytes(minimumWritableBytes: Int(targetSize)) { outputBytes in\n var written = 0\n let rc = data.withUnsafeReadableBytes { inputBytes in\n CNIOBoringSSL_RSA_decrypt(\n rsa,\n &written,\n outputBytes.baseAddress?.assumingMemoryBound(to: UInt8.self),\n outputBytes.count,\n inputBytes.baseAddress?.assumingMemoryBound(to: UInt8.self),\n inputBytes.count,\n RSA_NO_PADDING\n )\n }\n precondition(rc == 1)\n return written\n }\n\n return output\n }\n}\n\nprivate final class CustomKeyImmediateResult: NIOSSLCustomPrivateKey, Hashable {\n let backing: CustomPKEY\n let signatureAlgorithms: [SignatureAlgorithm]\n let expectedChannel: Channel\n let _signCallCount: NIOLockedValueBox\n let _decryptCallCount: NIOLockedValueBox\n\n var signCallCount: Int {\n self._signCallCount.withLockedValue { $0 }\n }\n\n var decryptCallCount: Int {\n self._decryptCallCount.withLockedValue { $0 }\n }\n\n fileprivate init(_ backing: CustomPKEY, signatureAlgorithms: [SignatureAlgorithm], expectedChannel: Channel) {\n self.backing = backing\n self.signatureAlgorithms = signatureAlgorithms\n self.expectedChannel = expectedChannel\n self._signCallCount = .init(0)\n self._decryptCallCount = .init(0)\n }\n\n func sign(channel: Channel, algorithm: SignatureAlgorithm, data: ByteBuffer) -> EventLoopFuture {\n XCTAssertTrue(channel === self.expectedChannel)\n XCTAssertTrue(self.signatureAlgorithms.contains(algorithm))\n self._signCallCount.withLockedValue { $0 += 1 }\n return channel.eventLoop.makeSucceededFuture(self.backing.sign(algorithm: algorithm, data: data))\n }\n\n func decrypt(channel: Channel, data: ByteBuffer) -> EventLoopFuture {\n XCTAssertTrue(channel === self.expectedChannel)\n self._decryptCallCount.withLockedValue { $0 += 1 }\n return channel.eventLoop.makeSucceededFuture(self.backing.decrypt(data: data))\n }\n\n static func == (lhs: CustomKeyImmediateResult, rhs: CustomKeyImmediateResult) -> Bool {\n lhs.backing === rhs.backing && lhs.signatureAlgorithms == rhs.signatureAlgorithms\n }\n\n func hash(into hasher: inout Hasher) {\n hasher.combine(ObjectIdentifier(self.backing))\n hasher.combine(signatureAlgorithms)\n }\n}\n\nprivate final class CustomKeyDelayedCompletion: NIOSSLCustomPrivateKey, Hashable {\n let backing: CustomPKEY\n let signatureAlgorithms: [SignatureAlgorithm]\n let expectedChannel: Channel\n let _pendingSigningEvents: NIOLockedValueBox<[EventLoopPromise]>\n let _pendingDecryptionEvents: NIOLockedValueBox<[EventLoopPromise]>\n\n var pendingSigningEvents: [EventLoopPromise] {\n self._pendingSigningEvents.withLockedValue { $0 }\n }\n var pendingDecryptionEvents: [EventLoopPromise] {\n self._pendingDecryptionEvents.withLockedValue { $0 }\n }\n\n fileprivate init(_ backing: CustomPKEY, signatureAlgorithms: [SignatureAlgorithm], expectedChannel: Channel) {\n self.backing = backing\n self.signatureAlgorithms = signatureAlgorithms\n self.expectedChannel = expectedChannel\n self._pendingSigningEvents = .init([])\n self._pendingDecryptionEvents = .init([])\n }\n\n func sign(channel: Channel, algorithm: SignatureAlgorithm, data: ByteBuffer) -> EventLoopFuture {\n XCTAssertTrue(channel === self.expectedChannel)\n XCTAssertTrue(self.signatureAlgorithms.contains(algorithm))\n\n let promise = channel.eventLoop.makePromise(of: Void.self)\n self._pendingSigningEvents.withLockedValue { $0.append(promise) }\n return promise.futureResult.map {\n self.backing.sign(algorithm: algorithm, data: data)\n }\n }\n\n func decrypt(channel: Channel, data: ByteBuffer) -> EventLoopFuture {\n XCTAssertTrue(channel === self.expectedChannel)\n\n let promise = channel.eventLoop.makePromise(of: Void.self)\n self._pendingDecryptionEvents.withLockedValue { $0.append(promise) }\n return promise.futureResult.map {\n self.backing.decrypt(data: data)\n }\n }\n\n static func == (lhs: CustomKeyDelayedCompletion, rhs: CustomKeyDelayedCompletion) -> Bool {\n lhs.backing === rhs.backing && lhs.signatureAlgorithms == rhs.signatureAlgorithms\n }\n\n func hash(into hasher: inout Hasher) {\n hasher.combine(ObjectIdentifier(self.backing))\n hasher.combine(signatureAlgorithms)\n }\n}\n\nprivate final class CustomKeyWithoutDERBytes: NIOSSLCustomPrivateKey, Hashable {\n var signatureAlgorithms: [SignatureAlgorithm] { [] }\n\n func sign(channel: Channel, algorithm: SignatureAlgorithm, data: ByteBuffer) -> EventLoopFuture {\n fatalError(\"Not implemented\")\n }\n\n func decrypt(channel: Channel, data: ByteBuffer) -> EventLoopFuture {\n fatalError(\"Not implemented\")\n }\n\n static func == (lhs: CustomKeyWithoutDERBytes, rhs: CustomKeyWithoutDERBytes) -> Bool {\n lhs.signatureAlgorithms == rhs.signatureAlgorithms\n }\n\n func hash(into hasher: inout Hasher) {\n hasher.combine(ObjectIdentifier(self))\n hasher.combine(signatureAlgorithms)\n }\n}\n\nprivate final class CustomKeyWithDERBytes: NIOSSLCustomPrivateKey, Hashable {\n var signatureAlgorithms: [NIOSSL.SignatureAlgorithm] { [] }\n\n var derBytes: [UInt8] { [42] }\n\n func sign(channel: Channel, algorithm: SignatureAlgorithm, data: ByteBuffer) -> EventLoopFuture {\n fatalError(\"Not implemented\")\n }\n\n func decrypt(channel: Channel, data: ByteBuffer) -> EventLoopFuture {\n fatalError(\"Not implemented\")\n }\n\n static func == (lhs: CustomKeyWithDERBytes, rhs: CustomKeyWithDERBytes) -> Bool {\n lhs.signatureAlgorithms == rhs.signatureAlgorithms && lhs.derBytes == rhs.derBytes\n }\n\n func hash(into hasher: inout Hasher) {\n hasher.combine(ObjectIdentifier(self))\n hasher.combine(signatureAlgorithms)\n hasher.combine(derBytes)\n }\n}\n\nfinal class CustomPrivateKeyTests: XCTestCase {\n fileprivate static let customECDSACertAndKey: (certificate: NIOSSLCertificate, key: CustomPKEY) = {\n let (cert, originalKey) = generateSelfSignedCert(keygenFunction: {\n generateECPrivateKey(curveNID: NID_X9_62_prime256v1)\n })\n let derivedKey = CustomPKEY(from: originalKey)\n return (certificate: cert, key: derivedKey)\n }()\n\n fileprivate static let customRSACertAndKey: (certificate: NIOSSLCertificate, key: CustomPKEY) = {\n let (cert, originalKey) = generateSelfSignedCert()\n let derivedKey = CustomPKEY(from: originalKey)\n return (certificate: cert, key: derivedKey)\n }()\n\n private func configuredClientContext(\n trustRoot: NIOSSLCertificate,\n maxTLSVersion: TLSVersion? = nil,\n cipherSuites: [NIOTLSCipher]? = nil\n ) -> NIOSSLContext {\n var config = TLSConfiguration.makeClientConfiguration()\n config.trustRoots = .certificates([trustRoot])\n config.maximumTLSVersion = maxTLSVersion\n if let cipherSuites = cipherSuites {\n config.cipherSuiteValues = cipherSuites\n }\n return try! NIOSSLContext(configuration: config)\n }\n\n private func configuredServerContext(certificate: NIOSSLCertificate, privateKey: NIOSSLPrivateKey) -> NIOSSLContext\n {\n let config = TLSConfiguration.makeServerConfiguration(\n certificateChain: [.certificate(certificate)],\n privateKey: .privateKey(privateKey)\n )\n return try! NIOSSLContext(configuration: config)\n }\n\n func testHappyPathImmediateResultCustomECDSAKey() throws {\n let b2b = BackToBackEmbeddedChannel()\n let happyPathKey = CustomKeyImmediateResult(\n CustomPrivateKeyTests.customECDSACertAndKey.key,\n signatureAlgorithms: [.ecdsaSecp256R1Sha256],\n expectedChannel: b2b.server\n )\n\n let clientContext = self.configuredClientContext(\n trustRoot: CustomPrivateKeyTests.customECDSACertAndKey.certificate\n )\n let serverContext = self.configuredServerContext(\n certificate: CustomPrivateKeyTests.customECDSACertAndKey.certificate,\n privateKey: NIOSSLPrivateKey(customPrivateKey: happyPathKey)\n )\n XCTAssertNoThrow(\n try b2b.client.pipeline.syncOperations.addHandlers(\n [\n try NIOSSLClientHandler(context: clientContext, serverHostname: \"localhost\"),\n HandshakeCompletedHandler(),\n ]\n )\n )\n XCTAssertNoThrow(\n try b2b.server.pipeline.syncOperations.addHandlers(\n [NIOSSLServerHandler(context: serverContext), HandshakeCompletedHandler()]\n )\n )\n\n XCTAssertNoThrow(try b2b.connectInMemory())\n XCTAssertEqual(happyPathKey.signCallCount, 1)\n XCTAssertEqual(happyPathKey.decryptCallCount, 0)\n XCTAssertTrue(b2b.client.handshakeSucceeded)\n XCTAssertTrue(b2b.server.handshakeSucceeded)\n }\n\n func testHappyPathImmediateResultCustomRSAKeyPSS() throws {\n let b2b = BackToBackEmbeddedChannel()\n let happyPathKey = CustomKeyImmediateResult(\n CustomPrivateKeyTests.customRSACertAndKey.key,\n signatureAlgorithms: [.rsaPssRsaeSha256],\n expectedChannel: b2b.server\n )\n\n let clientContext = self.configuredClientContext(\n trustRoot: CustomPrivateKeyTests.customRSACertAndKey.certificate\n )\n let serverContext = self.configuredServerContext(\n certificate: CustomPrivateKeyTests.customRSACertAndKey.certificate,\n privateKey: NIOSSLPrivateKey(customPrivateKey: happyPathKey)\n )\n XCTAssertNoThrow(\n try b2b.client.pipeline.syncOperations.addHandlers(\n [\n try NIOSSLClientHandler(context: clientContext, serverHostname: \"localhost\"),\n HandshakeCompletedHandler(),\n ]\n )\n )\n XCTAssertNoThrow(\n try b2b.server.pipeline.syncOperations.addHandlers(\n [NIOSSLServerHandler(context: serverContext), HandshakeCompletedHandler()]\n )\n )\n\n XCTAssertNoThrow(try b2b.connectInMemory())\n XCTAssertEqual(happyPathKey.signCallCount, 1)\n XCTAssertEqual(happyPathKey.decryptCallCount, 0)\n XCTAssertTrue(b2b.client.handshakeSucceeded)\n XCTAssertTrue(b2b.server.handshakeSucceeded)\n }\n\n func testHappyPathImmediateResultCustomRSAKeyPKCS1() throws {\n let b2b = BackToBackEmbeddedChannel()\n let happyPathKey = CustomKeyImmediateResult(\n CustomPrivateKeyTests.customRSACertAndKey.key,\n signatureAlgorithms: [.rsaPkcs1Sha256],\n expectedChannel: b2b.server\n )\n\n // Rule out TLSv1.3, which doesn't support RSA decryption.\n // We also want to force RSA key exchange, which will let us test the decrypt\n // function.\n let clientContext = self.configuredClientContext(\n trustRoot: CustomPrivateKeyTests.customRSACertAndKey.certificate,\n maxTLSVersion: .tlsv12,\n cipherSuites: [.TLS_RSA_WITH_AES_128_GCM_SHA256]\n )\n let serverContext = self.configuredServerContext(\n certificate: CustomPrivateKeyTests.customRSACertAndKey.certificate,\n privateKey: NIOSSLPrivateKey(customPrivateKey: happyPathKey)\n )\n XCTAssertNoThrow(\n try b2b.client.pipeline.syncOperations.addHandlers(\n [\n try NIOSSLClientHandler(context: clientContext, serverHostname: \"localhost\"),\n HandshakeCompletedHandler(),\n ]\n )\n )\n XCTAssertNoThrow(\n try b2b.server.pipeline.syncOperations.addHandlers(\n [NIOSSLServerHandler(context: serverContext), HandshakeCompletedHandler()]\n )\n )\n\n XCTAssertNoThrow(try b2b.connectInMemory())\n XCTAssertEqual(happyPathKey.signCallCount, 0)\n XCTAssertEqual(happyPathKey.decryptCallCount, 1)\n XCTAssertTrue(b2b.client.handshakeSucceeded)\n XCTAssertTrue(b2b.server.handshakeSucceeded)\n }\n\n func testHappyPathDelayedResultCustomECDSAKey() throws {\n let b2b = BackToBackEmbeddedChannel()\n let happyPathKey = CustomKeyDelayedCompletion(\n CustomPrivateKeyTests.customECDSACertAndKey.key,\n signatureAlgorithms: [.ecdsaSecp256R1Sha256],\n expectedChannel: b2b.server\n )\n\n let clientContext = self.configuredClientContext(\n trustRoot: CustomPrivateKeyTests.customECDSACertAndKey.certificate\n )\n let serverContext = self.configuredServerContext(\n certificate: CustomPrivateKeyTests.customECDSACertAndKey.certificate,\n privateKey: NIOSSLPrivateKey(customPrivateKey: happyPathKey)\n )\n XCTAssertNoThrow(\n try b2b.client.pipeline.syncOperations.addHandlers(\n [\n try NIOSSLClientHandler(context: clientContext, serverHostname: \"localhost\"),\n HandshakeCompletedHandler(),\n ]\n )\n )\n XCTAssertNoThrow(\n try b2b.server.pipeline.syncOperations.addHandlers(\n [NIOSSLServerHandler(context: serverContext), HandshakeCompletedHandler()]\n )\n )\n\n XCTAssertNoThrow(try b2b.connectInMemory())\n XCTAssertFalse(b2b.client.handshakeSucceeded)\n XCTAssertFalse(b2b.server.handshakeSucceeded)\n\n // Complete the promise.\n XCTAssertEqual(happyPathKey.pendingSigningEvents.count, 1)\n XCTAssertEqual(happyPathKey.pendingDecryptionEvents.count, 0)\n happyPathKey.pendingSigningEvents.first?.succeed(())\n\n // Nothing happens until we start doing I/O again.\n XCTAssertFalse(b2b.client.handshakeSucceeded)\n XCTAssertFalse(b2b.server.handshakeSucceeded)\n\n XCTAssertNoThrow(try b2b.interactInMemory())\n XCTAssertTrue(b2b.client.handshakeSucceeded)\n XCTAssertTrue(b2b.server.handshakeSucceeded)\n }\n\n func testHappyPathDelayedResultCustomRSAKeyPSS() throws {\n let b2b = BackToBackEmbeddedChannel()\n let happyPathKey = CustomKeyDelayedCompletion(\n CustomPrivateKeyTests.customRSACertAndKey.key,\n signatureAlgorithms: [.rsaPssRsaeSha256],\n expectedChannel: b2b.server\n )\n\n let clientContext = self.configuredClientContext(\n trustRoot: CustomPrivateKeyTests.customRSACertAndKey.certificate\n )\n let serverContext = self.configuredServerContext(\n certificate: CustomPrivateKeyTests.customRSACertAndKey.certificate,\n privateKey: NIOSSLPrivateKey(customPrivateKey: happyPathKey)\n )\n XCTAssertNoThrow(\n try b2b.client.pipeline.syncOperations.addHandlers(\n [\n try NIOSSLClientHandler(context: clientContext, serverHostname: \"localhost\"),\n HandshakeCompletedHandler(),\n ]\n )\n )\n XCTAssertNoThrow(\n try b2b.server.pipeline.syncOperations.addHandlers(\n [NIOSSLServerHandler(context: serverContext), HandshakeCompletedHandler()]\n )\n )\n\n XCTAssertNoThrow(try b2b.connectInMemory())\n XCTAssertFalse(b2b.client.handshakeSucceeded)\n XCTAssertFalse(b2b.server.handshakeSucceeded)\n\n // Complete the promise.\n XCTAssertEqual(happyPathKey.pendingSigningEvents.count, 1)\n XCTAssertEqual(happyPathKey.pendingDecryptionEvents.count, 0)\n happyPathKey.pendingSigningEvents.first?.succeed(())\n\n // Nothing happens until we start doing I/O again.\n XCTAssertFalse(b2b.client.handshakeSucceeded)\n XCTAssertFalse(b2b.server.handshakeSucceeded)\n\n XCTAssertNoThrow(try b2b.interactInMemory())\n XCTAssertTrue(b2b.client.handshakeSucceeded)\n XCTAssertTrue(b2b.server.handshakeSucceeded)\n }\n\n func testHappyPathDelayedResultCustomRSAKeyPKCS1() throws {\n let b2b = BackToBackEmbeddedChannel()\n let happyPathKey = CustomKeyDelayedCompletion(\n CustomPrivateKeyTests.customRSACertAndKey.key,\n signatureAlgorithms: [.rsaPkcs1Sha256],\n expectedChannel: b2b.server\n )\n\n // Rule out TLSv1.3, which doesn't support RSA decryption.\n // We also want to force RSA key exchange, which will let us test the decrypt\n // function.\n let clientContext = self.configuredClientContext(\n trustRoot: CustomPrivateKeyTests.customRSACertAndKey.certificate,\n maxTLSVersion: .tlsv12,\n cipherSuites: [.TLS_RSA_WITH_AES_128_GCM_SHA256]\n )\n let serverContext = self.configuredServerContext(\n certificate: CustomPrivateKeyTests.customRSACertAndKey.certificate,\n privateKey: NIOSSLPrivateKey(customPrivateKey: happyPathKey)\n )\n XCTAssertNoThrow(\n try b2b.client.pipeline.syncOperations.addHandlers(\n [\n try NIOSSLClientHandler(context: clientContext, serverHostname: \"localhost\"),\n HandshakeCompletedHandler(),\n ]\n )\n )\n XCTAssertNoThrow(\n try b2b.server.pipeline.syncOperations.addHandlers(\n [NIOSSLServerHandler(context: serverContext), HandshakeCompletedHandler()]\n )\n )\n\n XCTAssertNoThrow(try b2b.connectInMemory())\n XCTAssertFalse(b2b.client.handshakeSucceeded)\n XCTAssertFalse(b2b.server.handshakeSucceeded)\n\n // Complete the promise.\n XCTAssertEqual(happyPathKey.pendingSigningEvents.count, 0)\n XCTAssertEqual(happyPathKey.pendingDecryptionEvents.count, 1)\n happyPathKey.pendingDecryptionEvents.first?.succeed(())\n\n // Nothing happens until we start doing I/O again.\n XCTAssertFalse(b2b.client.handshakeSucceeded)\n XCTAssertFalse(b2b.server.handshakeSucceeded)\n\n XCTAssertNoThrow(try b2b.interactInMemory())\n XCTAssertTrue(b2b.client.handshakeSucceeded)\n XCTAssertTrue(b2b.server.handshakeSucceeded)\n }\n\n func testMismatchedKeys() throws {\n // We're going to generate another ECDSA key here, which we'll give to the backing code.\n let alternativeKey = generateSelfSignedCert(keygenFunction: { generateECPrivateKey() }).1\n let b2b = BackToBackEmbeddedChannel()\n let happyPathKey = CustomKeyImmediateResult(\n CustomPKEY(from: alternativeKey),\n signatureAlgorithms: [.ecdsaSecp256R1Sha256],\n expectedChannel: b2b.server\n )\n\n let clientContext = self.configuredClientContext(\n trustRoot: CustomPrivateKeyTests.customECDSACertAndKey.certificate\n )\n let serverContext = self.configuredServerContext(\n certificate: CustomPrivateKeyTests.customECDSACertAndKey.certificate,\n privateKey: NIOSSLPrivateKey(customPrivateKey: happyPathKey)\n )\n XCTAssertNoThrow(\n try b2b.client.pipeline.syncOperations.addHandler(\n try NIOSSLClientHandler(context: clientContext, serverHostname: \"localhost\")\n )\n )\n XCTAssertNoThrow(\n try b2b.server.pipeline.syncOperations.addHandler(\n NIOSSLServerHandler(context: serverContext)\n )\n )\n\n XCTAssertThrowsError(try b2b.connectInMemory())\n }\n\n func testThrowingCustomErrorsSigning() throws {\n struct CustomError: Error {}\n\n let b2b = BackToBackEmbeddedChannel()\n let happyPathKey = CustomKeyDelayedCompletion(\n CustomPrivateKeyTests.customECDSACertAndKey.key,\n signatureAlgorithms: [.ecdsaSecp256R1Sha256],\n expectedChannel: b2b.server\n )\n\n let clientContext = self.configuredClientContext(\n trustRoot: CustomPrivateKeyTests.customECDSACertAndKey.certificate\n )\n let serverContext = self.configuredServerContext(\n certificate: CustomPrivateKeyTests.customECDSACertAndKey.certificate,\n privateKey: NIOSSLPrivateKey(customPrivateKey: happyPathKey)\n )\n XCTAssertNoThrow(\n try b2b.client.pipeline.syncOperations.addHandler(\n try NIOSSLClientHandler(context: clientContext, serverHostname: \"localhost\")\n )\n )\n XCTAssertNoThrow(\n try b2b.server.pipeline.syncOperations.addHandler(\n NIOSSLServerHandler(context: serverContext)\n )\n )\n\n XCTAssertNoThrow(try b2b.connectInMemory())\n\n // Complete the promise.\n XCTAssertEqual(happyPathKey.pendingSigningEvents.count, 1)\n XCTAssertEqual(happyPathKey.pendingDecryptionEvents.count, 0)\n happyPathKey.pendingSigningEvents.first?.fail(CustomError())\n\n XCTAssertThrowsError(try b2b.interactInMemory()) { error in\n XCTAssertTrue(error is CustomError)\n }\n }\n\n func testKeyEquatability() throws {\n let b2b = BackToBackEmbeddedChannel()\n\n let firstKey = CustomKeyDelayedCompletion(\n CustomPrivateKeyTests.customECDSACertAndKey.key,\n signatureAlgorithms: [.ecdsaSecp256R1Sha256],\n expectedChannel: b2b.server\n )\n\n // Should be non-equal to first\n let secondKey = CustomKeyDelayedCompletion(\n CustomPrivateKeyTests.customECDSACertAndKey.key,\n signatureAlgorithms: [.ecdsaSecp384R1Sha384],\n expectedChannel: b2b.server\n )\n\n // Different object to first, but same equatable, so should be equal\n let thirdKey = CustomKeyDelayedCompletion(\n CustomPrivateKeyTests.customECDSACertAndKey.key,\n signatureAlgorithms: [.ecdsaSecp256R1Sha256],\n expectedChannel: b2b.server\n )\n\n XCTAssertEqual(firstKey, thirdKey)\n XCTAssertNotEqual(firstKey, secondKey)\n XCTAssertEqual(NIOSSLPrivateKey(customPrivateKey: firstKey), NIOSSLPrivateKey(customPrivateKey: thirdKey))\n XCTAssertNotEqual(NIOSSLPrivateKey(customPrivateKey: firstKey), NIOSSLPrivateKey(customPrivateKey: secondKey))\n }\n\n func testKeyHashability() throws {\n let b2b = BackToBackEmbeddedChannel()\n\n let firstKey = CustomKeyDelayedCompletion(\n CustomPrivateKeyTests.customECDSACertAndKey.key,\n signatureAlgorithms: [.ecdsaSecp256R1Sha256],\n expectedChannel: b2b.server\n )\n\n // Should hash non-equal to first\n let secondKey = CustomKeyDelayedCompletion(\n CustomPrivateKeyTests.customECDSACertAndKey.key,\n signatureAlgorithms: [.ecdsaSecp384R1Sha384],\n expectedChannel: b2b.server\n )\n\n // Different object to first, but same hashable, so should hash the same\n let thirdKey = CustomKeyDelayedCompletion(\n CustomPrivateKeyTests.customECDSACertAndKey.key,\n signatureAlgorithms: [.ecdsaSecp256R1Sha256],\n expectedChannel: b2b.server\n )\n\n XCTAssertEqual(Set([firstKey, secondKey]), Set([firstKey, secondKey, thirdKey]))\n XCTAssertEqual(\n Set([NIOSSLPrivateKey(customPrivateKey: firstKey), NIOSSLPrivateKey(customPrivateKey: secondKey)]),\n Set([\n NIOSSLPrivateKey(customPrivateKey: firstKey), NIOSSLPrivateKey(customPrivateKey: secondKey),\n NIOSSLPrivateKey(customPrivateKey: thirdKey),\n ])\n )\n }\n\n func testSwitchFromNativeKeyToCustomKeyViaOverride() throws {\n // Cert A + native key A for the initial server config.\n let (certA, nativeKeyA) = generateSelfSignedCert(keygenFunction: {\n generateECPrivateKey(curveNID: NID_X9_62_prime256v1)\n })\n\n // Cert B + key B for the override identity.\n let (certB, nativeKeyB) = generateSelfSignedCert(keygenFunction: {\n generateECPrivateKey(curveNID: NID_X9_62_prime256v1)\n })\n let derivedKeyB = CustomPKEY(from: nativeKeyB)\n\n let b2b = BackToBackEmbeddedChannel()\n let customKey = CustomKeyImmediateResult(\n derivedKeyB,\n signatureAlgorithms: [.ecdsaSecp256R1Sha256],\n expectedChannel: b2b.server\n )\n\n // Client trusts the override cert (cert B), not the initial cert (cert A).\n let clientContext = self.configuredClientContext(trustRoot: certB)\n\n // Server initial config uses cert A + native key A.\n var serverConfig = TLSConfiguration.makeServerConfiguration(\n certificateChain: [.certificate(certA)],\n privateKey: .privateKey(nativeKeyA)\n )\n // Override with cert B + custom key B.\n serverConfig.sslContextCallback = { _, promise in\n var `override` = NIOSSLContextConfigurationOverride()\n override.certificateChain = [.certificate(certB)]\n override.privateKey = .privateKey(NIOSSLPrivateKey(customPrivateKey: customKey))\n promise.succeed(`override`)\n }\n let serverContext = try NIOSSLContext(configuration: serverConfig)\n\n XCTAssertNoThrow(\n try b2b.client.pipeline.syncOperations.addHandlers(\n [\n try NIOSSLClientHandler(context: clientContext, serverHostname: \"localhost\"),\n HandshakeCompletedHandler(),\n ]\n )\n )\n XCTAssertNoThrow(\n try b2b.server.pipeline.syncOperations.addHandlers(\n [NIOSSLServerHandler(context: serverContext), HandshakeCompletedHandler()]\n )\n )\n\n XCTAssertNoThrow(try b2b.connectInMemory())\n XCTAssertEqual(customKey.signCallCount, 1)\n XCTAssertTrue(b2b.client.handshakeSucceeded)\n XCTAssertTrue(b2b.server.handshakeSucceeded)\n }\n\n func testCustomKeyDecryptViaSSLContextCallbackOverride() throws {\n // Same as testSwitchFromNativeKeyToCustomKeyViaOverride but forces TLS 1.2\n // with RSA key exchange so BoringSSL hits the decrypt callback instead of sign.\n let (certA, nativeKeyA) = generateSelfSignedCert()\n let (certB, nativeKeyB) = generateSelfSignedCert()\n let derivedKeyB = CustomPKEY(from: nativeKeyB)\n\n let b2b = BackToBackEmbeddedChannel()\n let customKey = CustomKeyImmediateResult(\n derivedKeyB,\n signatureAlgorithms: [.rsaPkcs1Sha256],\n expectedChannel: b2b.server\n )\n\n let clientContext = self.configuredClientContext(\n trustRoot: certB,\n maxTLSVersion: .tlsv12,\n cipherSuites: [.TLS_RSA_WITH_AES_128_GCM_SHA256]\n )\n\n var serverConfig = TLSConfiguration.makeServerConfiguration(\n certificateChain: [.certificate(certA)],\n privateKey: .privateKey(nativeKeyA)\n )\n serverConfig.sslContextCallback = { _, promise in\n var `override` = NIOSSLContextConfigurationOverride()\n override.certificateChain = [.certificate(certB)]\n override.privateKey = .privateKey(NIOSSLPrivateKey(customPrivateKey: customKey))\n promise.succeed(`override`)\n }\n let serverContext = try NIOSSLContext(configuration: serverConfig)\n\n XCTAssertNoThrow(\n try b2b.client.pipeline.syncOperations.addHandlers(\n [\n try NIOSSLClientHandler(context: clientContext, serverHostname: \"localhost\"),\n HandshakeCompletedHandler(),\n ]\n )\n )\n XCTAssertNoThrow(\n try b2b.server.pipeline.syncOperations.addHandlers(\n [NIOSSLServerHandler(context: serverContext), HandshakeCompletedHandler()]\n )\n )\n\n XCTAssertNoThrow(try b2b.connectInMemory())\n XCTAssertEqual(customKey.signCallCount, 0)\n XCTAssertEqual(customKey.decryptCallCount, 1)\n XCTAssertTrue(b2b.client.handshakeSucceeded)\n XCTAssertTrue(b2b.server.handshakeSucceeded)\n }\n\n func testClientCustomKeyViaSSLContextCallbackOverride() throws {\n // mTLS: client starts with no cert/key, sslContextCallback provides a custom key.\n let (clientCert, clientNativeKey) = generateSelfSignedCert(keygenFunction: {\n generateECPrivateKey(curveNID: NID_X9_62_prime256v1)\n })\n let clientDerivedKey = CustomPKEY(from: clientNativeKey)\n\n let (serverCert, serverKey) = generateSelfSignedCert(keygenFunction: {\n generateECPrivateKey(curveNID: NID_X9_62_prime256v1)\n })\n\n let b2b = BackToBackEmbeddedChannel()\n let customKey = CustomKeyImmediateResult(\n clientDerivedKey,\n signatureAlgorithms: [.ecdsaSecp256R1Sha256],\n expectedChannel: b2b.client\n )\n\n // Client starts with no cert/key; the override provides them.\n var clientConfig = TLSConfiguration.makeClientConfiguration()\n clientConfig.certificateVerification = .noHostnameVerification\n clientConfig.trustRoots = .certificates([serverCert])\n clientConfig.sslContextCallback = { _, promise in\n var `override` = NIOSSLContextConfigurationOverride()\n override.certificateChain = [.certificate(clientCert)]\n override.privateKey = .privateKey(NIOSSLPrivateKey(customPrivateKey: customKey))\n promise.succeed(`override`)\n }\n let clientContext = try NIOSSLContext(configuration: clientConfig)\n\n // Server requires client certificate (mTLS).\n var serverConfig = TLSConfiguration.makeServerConfiguration(\n certificateChain: [.certificate(serverCert)],\n privateKey: .privateKey(serverKey)\n )\n serverConfig.certificateVerification = .noHostnameVerification\n serverConfig.trustRoots = .certificates([clientCert])\n let serverContext = try NIOSSLContext(configuration: serverConfig)\n\n XCTAssertNoThrow(\n try b2b.client.pipeline.syncOperations.addHandlers(\n [\n try NIOSSLClientHandler(context: clientContext, serverHostname: \"localhost\"),\n HandshakeCompletedHandler(),\n ]\n )\n )\n XCTAssertNoThrow(\n try b2b.server.pipeline.syncOperations.addHandlers(\n [NIOSSLServerHandler(context: serverContext), HandshakeCompletedHandler()]\n )\n )\n\n XCTAssertNoThrow(try b2b.connectInMemory())\n XCTAssertEqual(customKey.signCallCount, 1)\n XCTAssertEqual(customKey.decryptCallCount, 0)\n XCTAssertTrue(b2b.client.handshakeSucceeded)\n XCTAssertTrue(b2b.server.handshakeSucceeded)\n }\n\n func testSwitchFromCustomKeyToNativeKeyViaOverride() throws {\n // Server initial config uses cert A + custom key A.\n // The override switches to cert B + native key B.\n let (certA, nativeKeyA) = generateSelfSignedCert(keygenFunction: {\n generateECPrivateKey(curveNID: NID_X9_62_prime256v1)\n })\n let derivedKeyA = CustomPKEY(from: nativeKeyA)\n\n let (certB, nativeKeyB) = generateSelfSignedCert(keygenFunction: {\n generateECPrivateKey(curveNID: NID_X9_62_prime256v1)\n })\n\n let b2b = BackToBackEmbeddedChannel()\n let customKey = CustomKeyImmediateResult(\n derivedKeyA,\n signatureAlgorithms: [.ecdsaSecp256R1Sha256],\n expectedChannel: b2b.server\n )\n\n // Client trusts the override cert (cert B).\n let clientContext = self.configuredClientContext(trustRoot: certB)\n\n // Server initial config uses cert A + custom key A.\n var serverConfig = TLSConfiguration.makeServerConfiguration(\n certificateChain: [.certificate(certA)],\n privateKey: .privateKey(NIOSSLPrivateKey(customPrivateKey: customKey))\n )\n serverConfig.sslContextCallback = { _, promise in\n var `override` = NIOSSLContextConfigurationOverride()\n override.certificateChain = [.certificate(certB)]\n override.privateKey = .privateKey(nativeKeyB)\n promise.succeed(`override`)\n }\n let serverContext = try NIOSSLContext(configuration: serverConfig)\n\n XCTAssertNoThrow(\n try b2b.client.pipeline.syncOperations.addHandlers(\n [\n try NIOSSLClientHandler(context: clientContext, serverHostname: \"localhost\"),\n HandshakeCompletedHandler(),\n ]\n )\n )\n XCTAssertNoThrow(\n try b2b.server.pipeline.syncOperations.addHandlers(\n [NIOSSLServerHandler(context: serverContext), HandshakeCompletedHandler()]\n )\n )\n\n XCTAssertNoThrow(try b2b.connectInMemory())\n // The custom key should NOT have been called.\n // Assume native sign was called because the handshake succeeded.\n XCTAssertEqual(customKey.signCallCount, 0)\n XCTAssertTrue(b2b.client.handshakeSucceeded)\n XCTAssertTrue(b2b.server.handshakeSucceeded)\n }\n\n func testDERBytes_DefaultImplementation_ReturnsEmptyArray() throws {\n let customKey = CustomKeyWithoutDERBytes()\n let key = NIOSSLPrivateKey(customPrivateKey: customKey)\n let derBytes = try key.derBytes\n XCTAssertEqual(derBytes, [])\n }\n\n func testDERBytes_ReturnsBytes() throws {\n let customKey = CustomKeyWithDERBytes()\n let key = NIOSSLPrivateKey(customPrivateKey: customKey)\n let derBytes = try key.derBytes\n XCTAssertEqual(derBytes, [42])\n }\n}\n\nextension SignatureAlgorithm {\n var md: OpaquePointer {\n switch self {\n case .ecdsaSecp256R1Sha256:\n return CNIOBoringSSL_EVP_sha256()\n case .rsaPssRsaeSha256:\n return CNIOBoringSSL_EVP_sha256()\n case .rsaPkcs1Sha256:\n return CNIOBoringSSL_EVP_sha256()\n default:\n preconditionFailure()\n }\n }\n\n var rsaPadding: CInt? {\n switch self {\n case .rsaPssRsaeSha256, .rsaPssRsaeSha384, .rsaPssRsaeSha512:\n return CInt(RSA_PKCS1_PSS_PADDING)\n case .rsaPkcs1Sha1, .rsaPkcs1Sha256, .rsaPkcs1Sha384, .rsaPkcs1Sha512:\n return CInt(RSA_PKCS1_PADDING)\n default:\n return nil\n }\n }\n\n var saltLen: CInt? {\n switch self {\n case .rsaPssRsaeSha256, .rsaPssRsaeSha384, .rsaPssRsaeSha512:\n // To BoringSSL, -1 means \"salt length the size of the hash function\".\n // This is what TLS 1.3 requires.\n return -1\n default:\n return nil\n }\n }\n}\n\nextension EmbeddedChannel {\n fileprivate var handshakeSucceeded: Bool {\n let completedHandler = try! self.pipeline.syncOperations.handler(type: HandshakeCompletedHandler.self)\n return completedHandler.handshakeSucceeded\n }\n}\n" }, { "path": "Tests/NIOSSLTests/IdentityVerificationTest.swift", "content": "//===----------------------------------------------------------------------===//\n//\n// This source file is part of the SwiftNIO open source project\n//\n// Copyright (c) 2017-2021 Apple Inc. and the SwiftNIO project authors\n// Licensed under Apache License v2.0\n//\n// See LICENSE.txt for license information\n// See CONTRIBUTORS.txt for the list of SwiftNIO project authors\n//\n// SPDX-License-Identifier: Apache-2.0\n//\n//===----------------------------------------------------------------------===//\n\nimport NIOCore\nimport XCTest\n\n@testable import NIOSSL\n\n/// This cert contains the following SAN fields:\n/// DNS:*.WILDCARD.EXAMPLE.com - A straightforward wildcard, should be accepted\n/// DNS:FO*.EXAMPLE.com - A suffix wildcard, should be accepted\n/// DNS:*AR.EXAMPLE.com - A prefix wildcard, should be accepted\n/// DNS:B*Z.EXAMPLE.com - An infix wildcard\n/// DNS:TRAILING.PERIOD.EXAMPLE.com. - A domain with a trailing period, should match\n/// DNS:XN--STRAE-OQA.UNICODE.EXAMPLE.com. - An IDN A-label, should match.\n/// DNS:XN--X*-GIA.UNICODE.EXAMPLE.com. - An IDN A-label with a wildcard, invalid.\n/// DNS:WEIRDWILDCARD.*.EXAMPLE.com. - A wildcard not in the leftmost label, invalid.\n/// DNS:*.*.DOUBLE.EXAMPLE.com. - Two wildcards, invalid.\n/// DNS:*.XN--STRAE-OQA.EXAMPLE.com. - A wildcard followed by a new IDN A-label, this is fine.\n/// A SAN with a null in it, should be ignored.\n///\n/// This also contains a commonName of httpbin.org.\nprivate let weirdoPEMCert = \"\"\"\n -----BEGIN CERTIFICATE-----\n MIICZjCCAgygAwIBAgIURNa5MCGhhy1TUo57ogfm5OvVBr8wCgYIKoZIzj0EAwIw\n FjEUMBIGA1UEAwwLaHR0cGJpbi5vcmcwHhcNMjQwNTEzMTI1MjUwWhcNNDAwMTAx\n MDAwMDAwWjAWMRQwEgYDVQQDDAtodHRwYmluLm9yZzBZMBMGByqGSM49AgEGCCqG\n SM49AwEHA0IABHC44jasAWsWYtYdo+cnLOAEuMQHt1zI5A7td2avNIHEfEXqiizj\n t1VPWYR6wbL/X7ZXb7IjED8v5ZeN/yK0jpGjggE2MIIBMjAJBgNVHRMEAjAAMIIB\n IwYDVR0RBIIBGjCCARaCFiouV0lMRENBUkQuRVhBTVBMRS5jb22CD0ZPKi5FWEFN\n UExFLmNvbYIPKkFSLkVYQU1QTEUuY29tgg9CKlouRVhBTVBMRS5jb22CHFRSQUlM\n SU5HLlBFUklPRC5FWEFNUExFLmNvbS6CIlhOLS1TVFJBRS1PUUEuVU5JQ09ERS5F\n WEFNUExFLmNvbS6CH1hOLS1YKi1HSUEuVU5JQ09ERS5FWEFNUExFLmNvbS6CHFdF\n SVJEV0lMRENBUkQuKi5FWEFNUExFLmNvbS6CFyouKi5ET1VCTEUuRVhBTVBMRS5j\n b20ughwqLlhOLS1TVFJBRS1PUUEuRVhBTVBMRS5jb20ughFOVUwATC5FWEFNUExF\n LmNvbTAKBggqhkjOPQQDAgNIADBFAiEAoZP9/AT/kI4XV9ComU/3TOBavn2HT4KJ\n GLTqsl138zwCIFAGdxsBH3CGfuFNYXOdYZOJ/FIqv7Ev0eGxXvTZ+bcs\n -----END CERTIFICATE-----\n \"\"\"\n\n/// Returns whether this system supports resolving IPv6 function.\nfunc ipv6Supported() throws -> Bool {\n do {\n _ = try SocketAddress.makeAddressResolvingHost(\"2001:db8::1\", port: 443)\n return true\n } catch SocketAddressError.unknown {\n return false\n }\n}\n\nclass IdentityVerificationTest: XCTestCase {\n func testCanValidateHostnameInFirstSan() throws {\n let cert = try NIOSSLCertificate(bytes: .init(multiSanCert.utf8), format: .pem)\n let matched = try validIdentityForService(\n serverHostname: \"localhost\",\n socketAddress: try .init(unixDomainSocketPath: \"/path\"),\n leafCertificate: cert\n )\n XCTAssertTrue(matched)\n }\n\n func testCanValidateHostnameInSecondSan() throws {\n let cert = try NIOSSLCertificate(bytes: .init(multiSanCert.utf8), format: .pem)\n let matched = try validIdentityForService(\n serverHostname: \"example.com\",\n socketAddress: try .init(unixDomainSocketPath: \"/path\"),\n leafCertificate: cert\n )\n XCTAssertTrue(matched)\n }\n\n func testIgnoresTrailingPeriod() throws {\n let cert = try NIOSSLCertificate(bytes: .init(multiSanCert.utf8), format: .pem)\n let matched = try validIdentityForService(\n serverHostname: \"example.com.\",\n socketAddress: try .init(unixDomainSocketPath: \"/path\"),\n leafCertificate: cert\n )\n XCTAssertTrue(matched)\n }\n\n func testLowercasesHostnameForSan() throws {\n let cert = try NIOSSLCertificate(bytes: .init(multiSanCert.utf8), format: .pem)\n let matched = try validIdentityForService(\n serverHostname: \"LoCaLhOsT\",\n socketAddress: try .init(unixDomainSocketPath: \"/path\"),\n leafCertificate: cert\n )\n XCTAssertTrue(matched)\n }\n\n func testRejectsIncorrectHostname() throws {\n let cert = try NIOSSLCertificate(bytes: .init(multiSanCert.utf8), format: .pem)\n let matched = try validIdentityForService(\n serverHostname: \"httpbin.org\",\n socketAddress: try .init(unixDomainSocketPath: \"/path\"),\n leafCertificate: cert\n )\n XCTAssertFalse(matched)\n }\n\n func testAcceptsIpv4Address() throws {\n let cert = try NIOSSLCertificate(bytes: .init(multiSanCert.utf8), format: .pem)\n let matched = try validIdentityForService(\n serverHostname: nil,\n socketAddress: try .init(ipAddress: \"192.168.0.1\", port: 443),\n leafCertificate: cert\n )\n XCTAssertTrue(matched)\n }\n\n func testAcceptsIpv6Address() throws {\n guard try ipv6Supported() else { return }\n let ipv6Address = try SocketAddress(ipAddress: \"2001:db8::1\", port: 443)\n\n let cert = try NIOSSLCertificate(bytes: .init(multiSanCert.utf8), format: .pem)\n let matched = try validIdentityForService(\n serverHostname: nil,\n socketAddress: ipv6Address,\n leafCertificate: cert\n )\n XCTAssertTrue(matched)\n }\n\n func testRejectsIncorrectIpv4Address() throws {\n let cert = try NIOSSLCertificate(bytes: .init(multiSanCert.utf8), format: .pem)\n let matched = try validIdentityForService(\n serverHostname: nil,\n socketAddress: try .init(ipAddress: \"192.168.0.2\", port: 443),\n leafCertificate: cert\n )\n XCTAssertFalse(matched)\n }\n\n func testRejectsIncorrectIpv6Address() throws {\n guard try ipv6Supported() else { return }\n let ipv6Address = try SocketAddress(ipAddress: \"2001:db8::2\", port: 443)\n\n let cert = try NIOSSLCertificate(bytes: .init(multiSanCert.utf8), format: .pem)\n let matched = try validIdentityForService(\n serverHostname: nil,\n socketAddress: ipv6Address,\n leafCertificate: cert\n )\n XCTAssertFalse(matched)\n }\n\n func testAcceptsWildcards() throws {\n let cert = try NIOSSLCertificate(bytes: .init(weirdoPEMCert.utf8), format: .pem)\n let matched = try validIdentityForService(\n serverHostname: \"this.wildcard.example.com\",\n socketAddress: try .init(unixDomainSocketPath: \"/path\"),\n leafCertificate: cert\n )\n XCTAssertTrue(matched)\n }\n\n func testAcceptsSuffixWildcard() throws {\n let cert = try NIOSSLCertificate(bytes: .init(weirdoPEMCert.utf8), format: .pem)\n let matched = try validIdentityForService(\n serverHostname: \"foo.example.com\",\n socketAddress: try .init(unixDomainSocketPath: \"/path\"),\n leafCertificate: cert\n )\n XCTAssertTrue(matched)\n }\n\n func testAcceptsPrefixWildcard() throws {\n let cert = try NIOSSLCertificate(bytes: .init(weirdoPEMCert.utf8), format: .pem)\n let matched = try validIdentityForService(\n serverHostname: \"bar.example.com\",\n socketAddress: try .init(unixDomainSocketPath: \"/path\"),\n leafCertificate: cert\n )\n XCTAssertTrue(matched)\n }\n\n func testAcceptsInfixWildcard() throws {\n let cert = try NIOSSLCertificate(bytes: .init(weirdoPEMCert.utf8), format: .pem)\n let matched = try validIdentityForService(\n serverHostname: \"baz.example.com\",\n socketAddress: try .init(unixDomainSocketPath: \"/path\"),\n leafCertificate: cert\n )\n XCTAssertTrue(matched)\n }\n\n func testIgnoresTrailingPeriodInCert() throws {\n let cert = try NIOSSLCertificate(bytes: .init(weirdoPEMCert.utf8), format: .pem)\n let matched = try validIdentityForService(\n serverHostname: \"trailing.period.example.com\",\n socketAddress: try .init(unixDomainSocketPath: \"/path\"),\n leafCertificate: cert\n )\n XCTAssertTrue(matched)\n }\n\n func testRejectsEncodedIDNALabel() throws {\n let cert = try NIOSSLCertificate(bytes: .init(weirdoPEMCert.utf8), format: .pem)\n\n XCTAssertThrowsError(\n try validIdentityForService(\n serverHostname: \"straße.unicode.example.com\",\n socketAddress: try .init(unixDomainSocketPath: \"/path\"),\n leafCertificate: cert\n )\n ) { error in\n XCTAssertEqual(error as? NIOSSLExtraError, .serverHostnameImpossibleToMatch)\n XCTAssertEqual(\n String(describing: error),\n \"NIOSSLExtraError.serverHostnameImpossibleToMatch: The server hostname straße.unicode.example.com cannot be matched due to containing non-DNS characters\"\n )\n }\n\n }\n\n func testMatchesUnencodedIDNALabel() throws {\n let cert = try NIOSSLCertificate(bytes: .init(weirdoPEMCert.utf8), format: .pem)\n let matched = try validIdentityForService(\n serverHostname: \"xn--strae-oqa.unicode.example.com\",\n socketAddress: try .init(unixDomainSocketPath: \"/path\"),\n leafCertificate: cert\n )\n XCTAssertTrue(matched)\n }\n\n func testDoesNotMatchIDNALabelWithWildcard() throws {\n let cert = try NIOSSLCertificate(bytes: .init(weirdoPEMCert.utf8), format: .pem)\n let matched = try validIdentityForService(\n serverHostname: \"xn--xx-gia.unicode.example.com\",\n socketAddress: try .init(unixDomainSocketPath: \"/path\"),\n leafCertificate: cert\n )\n XCTAssertFalse(matched)\n }\n\n func testDoesNotMatchNonLeftmostWildcards() throws {\n let cert = try NIOSSLCertificate(bytes: .init(weirdoPEMCert.utf8), format: .pem)\n let matched = try validIdentityForService(\n serverHostname: \"weirdwildcard.nomatch.example.com\",\n socketAddress: try .init(unixDomainSocketPath: \"/path\"),\n leafCertificate: cert\n )\n XCTAssertFalse(matched)\n }\n\n func testDoesNotMatchMultipleWildcards() throws {\n let cert = try NIOSSLCertificate(bytes: .init(weirdoPEMCert.utf8), format: .pem)\n let matched = try validIdentityForService(\n serverHostname: \"one.two.double.example.com\",\n socketAddress: try .init(unixDomainSocketPath: \"/path\"),\n leafCertificate: cert\n )\n XCTAssertFalse(matched)\n }\n\n func testRejectsWildcardBeforeUnencodedIDNALabel() throws {\n let cert = try NIOSSLCertificate(bytes: .init(weirdoPEMCert.utf8), format: .pem)\n\n XCTAssertThrowsError(\n try validIdentityForService(\n serverHostname: \"foo.straße.example.com\",\n socketAddress: try .init(unixDomainSocketPath: \"/path\"),\n leafCertificate: cert\n )\n ) { error in\n XCTAssertEqual(error as? NIOSSLExtraError, .serverHostnameImpossibleToMatch)\n XCTAssertEqual(\n String(describing: error),\n \"NIOSSLExtraError.serverHostnameImpossibleToMatch: The server hostname foo.straße.example.com cannot be matched due to containing non-DNS characters\"\n )\n }\n }\n\n func testMatchesWildcardBeforeEncodedIDNALabel() throws {\n let cert = try NIOSSLCertificate(bytes: .init(weirdoPEMCert.utf8), format: .pem)\n let matched = try validIdentityForService(\n serverHostname: \"foo.xn--strae-oqa.example.com\",\n socketAddress: try .init(unixDomainSocketPath: \"/path\"),\n leafCertificate: cert\n )\n XCTAssertTrue(matched)\n }\n\n func testDoesNotMatchSANWithEmbeddedNULL() throws {\n let cert = try NIOSSLCertificate(bytes: .init(weirdoPEMCert.utf8), format: .pem)\n\n XCTAssertThrowsError(\n try validIdentityForService(\n serverHostname: \"nul\\u{0000}l.example.com\",\n socketAddress: try .init(unixDomainSocketPath: \"/path\"),\n leafCertificate: cert\n )\n ) { error in\n XCTAssertEqual(error as? NIOSSLExtraError, .serverHostnameImpossibleToMatch)\n XCTAssertEqual(\n String(describing: error),\n \"NIOSSLExtraError.serverHostnameImpossibleToMatch: The server hostname nul\\u{0000}l.example.com cannot be matched due to containing non-DNS characters\"\n )\n }\n }\n\n func testFallsBackToCommonName() throws {\n let cert = try NIOSSLCertificate(bytes: .init(multiCNCert.utf8), format: .pem)\n let matched = try validIdentityForService(\n serverHostname: \"localhost\",\n socketAddress: try .init(unixDomainSocketPath: \"/path\"),\n leafCertificate: cert\n )\n XCTAssertTrue(matched)\n }\n\n func testLowercasesForCommonName() throws {\n let cert = try NIOSSLCertificate(bytes: .init(multiCNCert.utf8), format: .pem)\n let matched = try validIdentityForService(\n serverHostname: \"LoCaLhOsT\",\n socketAddress: try .init(unixDomainSocketPath: \"/path\"),\n leafCertificate: cert\n )\n XCTAssertTrue(matched)\n }\n\n func testRejectsUnicodeCommonNameWithUnencodedIDNALabel() throws {\n let cert = try NIOSSLCertificate(bytes: .init(unicodeCNCert.utf8), format: .pem)\n\n XCTAssertThrowsError(\n try validIdentityForService(\n serverHostname: \"straße.org\",\n socketAddress: try .init(unixDomainSocketPath: \"/path\"),\n leafCertificate: cert\n )\n ) { error in\n XCTAssertEqual(error as? NIOSSLExtraError, .serverHostnameImpossibleToMatch)\n XCTAssertEqual(\n String(describing: error),\n \"NIOSSLExtraError.serverHostnameImpossibleToMatch: The server hostname straße.org cannot be matched due to containing non-DNS characters\"\n )\n }\n }\n\n func testRejectsUnicodeCommonNameWithEncodedIDNALabel() throws {\n let cert = try NIOSSLCertificate(bytes: .init(unicodeCNCert.utf8), format: .pem)\n let matched = try validIdentityForService(\n serverHostname: \"xn--strae-oqa.org\",\n socketAddress: try .init(unixDomainSocketPath: \"/path\"),\n leafCertificate: cert\n )\n XCTAssertFalse(matched)\n }\n\n func testHandlesMissingCommonName() throws {\n let cert = try NIOSSLCertificate(bytes: .init(noCNCert.utf8), format: .pem)\n let matched = try validIdentityForService(\n serverHostname: \"localhost\",\n socketAddress: try .init(unixDomainSocketPath: \"/path\"),\n leafCertificate: cert\n )\n XCTAssertFalse(matched)\n }\n\n func testDoesNotFallBackToCNWithSans() throws {\n let cert = try NIOSSLCertificate(bytes: .init(weirdoPEMCert.utf8), format: .pem)\n let matched = try validIdentityForService(\n serverHostname: \"httpbin.org\",\n socketAddress: try .init(unixDomainSocketPath: \"/path\"),\n leafCertificate: cert\n )\n XCTAssertFalse(matched)\n }\n}\n" }, { "path": "Tests/NIOSSLTests/NIOSSLALPNTest.swift", "content": "//===----------------------------------------------------------------------===//\n//\n// This source file is part of the SwiftNIO open source project\n//\n// Copyright (c) 2017-2021 Apple Inc. and the SwiftNIO project authors\n// Licensed under Apache License v2.0\n//\n// See LICENSE.txt for license information\n// See CONTRIBUTORS.txt for the list of SwiftNIO project authors\n//\n// SPDX-License-Identifier: Apache-2.0\n//\n//===----------------------------------------------------------------------===//\n\n@_implementationOnly import CNIOBoringSSL\nimport NIOCore\nimport NIOPosix\nimport NIOSSL\nimport NIOTLS\nimport XCTest\n\nclass NIOSSLALPNTest: XCTestCase {\n private func configuredSSLContextWithAlpnProtocols(protocols: [String]) throws -> NIOSSLContext {\n var config = TLSConfiguration.makeServerConfiguration(\n certificateChain: [.certificate(NIOSSLIntegrationTest.cert)],\n privateKey: .privateKey(NIOSSLIntegrationTest.key)\n )\n config.trustRoots = .certificates([NIOSSLIntegrationTest.cert])\n config.applicationProtocols = protocols\n return try NIOSSLContext(configuration: config)\n }\n\n private func assertNegotiatedProtocol(\n protocol: String?,\n serverContext: NIOSSLContext,\n clientContext: NIOSSLContext\n ) throws {\n let group = MultiThreadedEventLoopGroup(numberOfThreads: 1)\n defer {\n XCTAssertNoThrow(try group.syncShutdownGracefully())\n }\n\n let completionPromise: EventLoopPromise = group.next().makePromise()\n let serverHandler = EventRecorderHandler()\n\n let serverChannel = try serverTLSChannel(\n context: serverContext,\n handlers: [serverHandler, PromiseOnReadHandler(promise: completionPromise)],\n group: group\n )\n defer {\n XCTAssertNoThrow(try serverChannel.close().wait())\n }\n\n let clientChannel = try clientTLSChannel(\n context: clientContext,\n preHandlers: [],\n postHandlers: [],\n group: group,\n connectingTo: serverChannel.localAddress!\n )\n defer {\n XCTAssertNoThrow(try clientChannel.close().wait())\n }\n\n var originalBuffer = clientChannel.allocator.buffer(capacity: 5)\n originalBuffer.writeString(\"Hello\")\n try clientChannel.writeAndFlush(originalBuffer).wait()\n _ = try completionPromise.futureResult.wait()\n\n let expectedEvents: [EventRecorderHandler.RecordedEvents] = [\n .Registered,\n .Active,\n .UserEvent(TLSUserEvent.handshakeCompleted(negotiatedProtocol: `protocol`)),\n .Read,\n .ReadComplete,\n ]\n XCTAssertEqual(expectedEvents, serverHandler.events)\n }\n\n func testBasicALPNNegotiation() throws {\n let context: NIOSSLContext\n context = try assertNoThrowWithValue(configuredSSLContextWithAlpnProtocols(protocols: [\"h2\", \"http/1.1\"]))\n\n XCTAssertNoThrow(try assertNegotiatedProtocol(protocol: \"h2\", serverContext: context, clientContext: context))\n }\n\n func testBasicALPNNegotiationPrefersServerPriority() throws {\n let serverCtx: NIOSSLContext\n let clientCtx: NIOSSLContext\n serverCtx = try assertNoThrowWithValue(configuredSSLContextWithAlpnProtocols(protocols: [\"h2\", \"http/1.1\"]))\n clientCtx = try assertNoThrowWithValue(configuredSSLContextWithAlpnProtocols(protocols: [\"http/1.1\", \"h2\"]))\n\n XCTAssertNoThrow(\n try assertNegotiatedProtocol(protocol: \"h2\", serverContext: serverCtx, clientContext: clientCtx)\n )\n }\n\n func testBasicALPNNegotiationNoOverlap() throws {\n let serverCtx: NIOSSLContext\n let clientCtx: NIOSSLContext\n serverCtx = try assertNoThrowWithValue(configuredSSLContextWithAlpnProtocols(protocols: [\"h2\", \"http/1.1\"]))\n clientCtx = try assertNoThrowWithValue(configuredSSLContextWithAlpnProtocols(protocols: [\"spdy/3\", \"webrtc\"]))\n XCTAssertNoThrow(\n try assertNegotiatedProtocol(protocol: nil, serverContext: serverCtx, clientContext: clientCtx)\n )\n }\n\n func testBasicALPNNegotiationNotOfferedByClient() throws {\n let serverCtx: NIOSSLContext\n let clientCtx: NIOSSLContext\n serverCtx = try assertNoThrowWithValue(configuredSSLContextWithAlpnProtocols(protocols: [\"h2\", \"http/1.1\"]))\n clientCtx = try assertNoThrowWithValue(configuredSSLContextWithAlpnProtocols(protocols: []))\n XCTAssertNoThrow(\n try assertNegotiatedProtocol(protocol: nil, serverContext: serverCtx, clientContext: clientCtx)\n )\n }\n\n func testBasicALPNNegotiationNotSupportedByServer() throws {\n let serverCtx: NIOSSLContext\n let clientCtx: NIOSSLContext\n serverCtx = try assertNoThrowWithValue(configuredSSLContextWithAlpnProtocols(protocols: []))\n clientCtx = try assertNoThrowWithValue(configuredSSLContextWithAlpnProtocols(protocols: [\"h2\", \"http/1.1\"]))\n\n XCTAssertNoThrow(\n try assertNegotiatedProtocol(protocol: nil, serverContext: serverCtx, clientContext: clientCtx)\n )\n }\n}\n" }, { "path": "Tests/NIOSSLTests/NIOSSLIntegrationTest.swift", "content": "//===----------------------------------------------------------------------===//\n//\n// This source file is part of the SwiftNIO open source project\n//\n// Copyright (c) 2017-2021 Apple Inc. and the SwiftNIO project authors\n// Licensed under Apache License v2.0\n//\n// See LICENSE.txt for license information\n// See CONTRIBUTORS.txt for the list of SwiftNIO project authors\n//\n// SPDX-License-Identifier: Apache-2.0\n//\n//===----------------------------------------------------------------------===//\n\n@_implementationOnly import CNIOBoringSSL\nimport NIOConcurrencyHelpers\nimport NIOCore\nimport NIOEmbedded\nimport NIOPosix\nimport NIOTLS\nimport XCTest\n\n@testable import NIOSSL\n\npublic func assertNoThrowWithValue(\n _ body: @autoclosure () throws -> T,\n defaultValue: T? = nil,\n file: StaticString = #filePath,\n line: UInt = #line\n) throws -> T {\n do {\n return try body()\n } catch {\n XCTFail(\"unexpected error \\(error) thrown\", file: (file), line: line)\n if let defaultValue = defaultValue {\n return defaultValue\n } else {\n throw error\n }\n }\n}\n\ninternal func interactInMemory(\n clientChannel: EmbeddedChannel,\n serverChannel: EmbeddedChannel,\n runLoops: Bool = true\n) throws {\n var workToDo = true\n while workToDo {\n workToDo = false\n\n if runLoops {\n clientChannel.embeddedEventLoop.run()\n serverChannel.embeddedEventLoop.run()\n }\n\n let clientDatum = try clientChannel.readOutbound(as: IOData.self)\n let serverDatum = try serverChannel.readOutbound(as: IOData.self)\n\n if let clientMsg = clientDatum {\n try serverChannel.writeInbound(clientMsg)\n workToDo = true\n }\n\n if let serverMsg = serverDatum {\n try clientChannel.writeInbound(serverMsg)\n workToDo = true\n }\n }\n}\n\nprivate final class SimpleEchoServer: ChannelInboundHandler, Sendable {\n public typealias InboundIn = ByteBuffer\n public typealias OutboundOut = ByteBuffer\n\n public func channelRead(context: ChannelHandlerContext, data: NIOAny) {\n context.write(data, promise: nil)\n context.fireChannelRead(data)\n }\n\n public func channelReadComplete(context: ChannelHandlerContext) {\n context.flush()\n context.fireChannelReadComplete()\n }\n}\n\ninternal final class PromiseOnReadHandler: ChannelInboundHandler {\n public typealias InboundIn = ByteBuffer\n public typealias OutboundOut = ByteBuffer\n\n private let promise: EventLoopPromise\n private var data: NIOAny? = nil\n\n init(promise: EventLoopPromise) {\n self.promise = promise\n }\n\n public func channelRead(context: ChannelHandlerContext, data: NIOAny) {\n self.data = data\n context.fireChannelRead(data)\n }\n\n public func channelReadComplete(context: ChannelHandlerContext) {\n promise.succeed(unwrapInboundIn(data!))\n context.fireChannelReadComplete()\n }\n}\n\nprivate final class PromiseOnChildChannelInitHandler: ChannelInboundHandler, Sendable {\n typealias InboundIn = ByteBuffer\n\n private let promise: EventLoopPromise\n\n init(promise: EventLoopPromise) {\n self.promise = promise\n }\n\n func channelActive(context: ChannelHandlerContext) {\n self.promise.succeed(context.channel)\n context.fireChannelActive()\n }\n}\n\nprivate final class ChannelInactiveHandler: ChannelInboundHandler, Sendable {\n typealias InboundIn = ByteBuffer\n private let promise: EventLoopPromise\n\n init(promise: EventLoopPromise) {\n self.promise = promise\n }\n\n func channelInactive(context: ChannelHandlerContext) {\n self.promise.succeed()\n context.fireChannelActive()\n }\n}\n\n// Modified version taken from swift-nio/ChannelTests.swift\nenum ShutDownEvent {\n case input\n case output\n}\n\nprivate final class ShutdownVerificationHandler: ChannelInboundHandler {\n typealias InboundIn = ByteBuffer\n\n private var inputShutdownEventReceived = false\n private var outputShutdownEventReceived = false\n\n private let promise: EventLoopPromise\n private let shutdownEvent: ShutDownEvent\n\n init(shutdownEvent: ShutDownEvent, promise: EventLoopPromise) {\n self.promise = promise\n self.shutdownEvent = shutdownEvent\n }\n\n public func userInboundEventTriggered(context: ChannelHandlerContext, event: Any) {\n switch event {\n case let ev as ChannelEvent:\n switch ev {\n case .inputClosed:\n XCTAssertFalse(inputShutdownEventReceived)\n inputShutdownEventReceived = true\n\n if shutdownEvent == .input {\n promise.succeed(())\n }\n case .outputClosed:\n XCTAssertFalse(outputShutdownEventReceived)\n outputShutdownEventReceived = true\n\n if shutdownEvent == .output {\n promise.succeed(())\n }\n }\n\n fallthrough\n default:\n context.fireUserInboundEventTriggered(event)\n }\n }\n\n public func channelInactive(context: ChannelHandlerContext) {\n switch shutdownEvent {\n case .input:\n XCTAssertTrue(inputShutdownEventReceived)\n XCTAssertFalse(outputShutdownEventReceived)\n case .output:\n XCTAssertFalse(inputShutdownEventReceived)\n XCTAssertTrue(outputShutdownEventReceived)\n }\n\n promise.succeed(())\n context.fireChannelInactive()\n }\n}\n\nprivate final class ReadRecordingHandler: ChannelInboundHandler {\n public typealias InboundIn = ByteBuffer\n\n private var received: ByteBuffer?\n private let completePromise: EventLoopPromise\n\n init(completePromise: EventLoopPromise) {\n self.completePromise = completePromise\n }\n\n func channelRead(context: ChannelHandlerContext, data: NIOAny) {\n var data = self.unwrapInboundIn(data)\n\n var newBuffer: ByteBuffer\n if var received = self.received {\n received.writeBuffer(&data)\n newBuffer = received\n } else {\n newBuffer = data\n }\n\n self.received = newBuffer\n }\n\n func channelInactive(context: ChannelHandlerContext) {\n self.completePromise.succeed(self.received ?? context.channel.allocator.buffer(capacity: 0))\n }\n}\n\nprivate final class WriteCountingHandler: ChannelOutboundHandler, Sendable {\n public typealias OutboundIn = Any\n public typealias OutboundOut = Any\n\n public var writeCount: Int {\n self._writeCount.withLockedValue { $0 }\n }\n private let _writeCount: NIOLockedValueBox = .init(0)\n\n public func write(context: ChannelHandlerContext, data: NIOAny, promise: EventLoopPromise?) {\n self._writeCount.withLockedValue { $0 += 1 }\n context.write(data, promise: promise)\n }\n}\n\npublic final class EventRecorderHandler: ChannelInboundHandler where UserEventType: Equatable {\n public typealias InboundIn = ByteBuffer\n\n public enum RecordedEvents: Equatable {\n case Registered\n case Unregistered\n case Active\n case Inactive\n case Read\n case ReadComplete\n case WritabilityChanged\n case UserEvent(UserEventType)\n // Note that this omits ErrorCaught. This is because Error does not\n // require Equatable, so we can't safely record these events and expect\n // a sensible implementation of Equatable here.\n\n public static func == (lhs: RecordedEvents, rhs: RecordedEvents) -> Bool {\n switch (lhs, rhs) {\n case (.Registered, .Registered),\n (.Unregistered, .Unregistered),\n (.Active, .Active),\n (.Inactive, .Inactive),\n (.Read, .Read),\n (.ReadComplete, .ReadComplete),\n (.WritabilityChanged, .WritabilityChanged):\n return true\n case (.UserEvent(let e1), .UserEvent(let e2)):\n return e1 == e2\n default:\n return false\n }\n }\n }\n\n public var events: [RecordedEvents] {\n self._events.withLockedValue { $0 }\n }\n private let _events: NIOLockedValueBox<[RecordedEvents]> = .init([])\n\n public func channelRegistered(context: ChannelHandlerContext) {\n self._events.withLockedValue { $0.append(.Registered) }\n context.fireChannelRegistered()\n }\n\n public func channelUnregistered(context: ChannelHandlerContext) {\n self._events.withLockedValue { $0.append(.Unregistered) }\n context.fireChannelUnregistered()\n }\n\n public func channelActive(context: ChannelHandlerContext) {\n self._events.withLockedValue { $0.append(.Active) }\n context.fireChannelActive()\n }\n\n public func channelInactive(context: ChannelHandlerContext) {\n self._events.withLockedValue { $0.append(.Inactive) }\n context.fireChannelInactive()\n }\n\n public func channelRead(context: ChannelHandlerContext, data: NIOAny) {\n self._events.withLockedValue { $0.append(.Read) }\n context.fireChannelRead(data)\n }\n\n public func channelReadComplete(context: ChannelHandlerContext) {\n self._events.withLockedValue { $0.append(.ReadComplete) }\n context.fireChannelReadComplete()\n }\n\n public func channelWritabilityChanged(context: ChannelHandlerContext) {\n self._events.withLockedValue { $0.append(.WritabilityChanged) }\n context.fireChannelWritabilityChanged()\n }\n\n public func userInboundEventTriggered(context: ChannelHandlerContext, event: Any) {\n guard let ourEvent = event as? UserEventType else {\n context.fireUserInboundEventTriggered(event)\n return\n }\n self._events.withLockedValue { $0.append(.UserEvent(ourEvent)) }\n }\n}\n\nextension EventRecorderHandler: Sendable where UserEventType: Sendable {}\n\nextension EventRecorderHandler.RecordedEvents: Sendable where UserEventType: Sendable {}\n\nprivate final class ChannelActiveWaiter: ChannelInboundHandler, Sendable {\n public typealias InboundIn = Any\n\n private let activePromise: EventLoopPromise\n\n public init(promise: EventLoopPromise) {\n activePromise = promise\n }\n\n public func channelActive(context: ChannelHandlerContext) {\n activePromise.succeed(())\n }\n\n public func waitForChannelActive() throws {\n try activePromise.futureResult.wait()\n }\n}\n\n/// A channel handler that delays all writes that it receives. This is useful\n/// in tests that want to ensure that writes propagate through the system in order.\n///\n/// Note that you must call forceFlush to pass all the data through, or your tests will\n/// explode.\nprivate class WriteDelayHandler: ChannelOutboundHandler {\n public typealias OutboundIn = Any\n public typealias OutboundOut = Any\n\n private var writes: [(ChannelHandlerContext, NIOAny, EventLoopPromise?)] = []\n\n func write(context: ChannelHandlerContext, data: NIOAny, promise: EventLoopPromise?) {\n writes.append((context, data, promise))\n }\n\n func forceFlush() {\n let writes = self.writes\n self.writes = []\n for write in writes { write.0.writeAndFlush(write.1, promise: write.2) }\n }\n}\n\ninternal func serverTLSChannel(\n context: NIOSSLContext,\n handlers: @autoclosure @escaping @Sendable () -> [ChannelHandler],\n group: EventLoopGroup,\n customVerificationCallback: (\n @Sendable ([NIOSSLCertificate], EventLoopPromise) ->\n Void\n )? = nil,\n file: StaticString = #filePath,\n line: UInt = #line\n) throws -> Channel {\n try assertNoThrowWithValue(\n serverTLSChannel(\n context: context,\n preHandlers: [],\n postHandlers: handlers(),\n group: group,\n customVerificationCallback: customVerificationCallback,\n file: file,\n line: line\n ),\n file: file,\n line: line\n )\n}\n\ninternal func serverTLSChannel(\n context: NIOSSLContext,\n preHandlers: @autoclosure @escaping @Sendable () -> [ChannelHandler],\n postHandlers: @autoclosure @escaping @Sendable () -> [ChannelHandler],\n group: EventLoopGroup,\n customVerificationCallback: (\n @Sendable ([NIOSSLCertificate], EventLoopPromise) ->\n Void\n )? = nil,\n file: StaticString = #filePath,\n line: UInt = #line\n) throws -> Channel {\n try assertNoThrowWithValue(\n ServerBootstrap(group: group)\n .serverChannelOption(ChannelOptions.socket(SocketOptionLevel(SOL_SOCKET), SO_REUSEADDR), value: 1)\n .childChannelInitializer { channel in\n channel.eventLoop.makeCompletedFuture {\n try channel.pipeline.syncOperations.addHandlers(preHandlers())\n\n let handler: NIOSSLHandler\n if let verify = customVerificationCallback {\n handler = NIOSSLServerHandler(context: context, customVerificationCallback: verify)\n } else {\n handler = NIOSSLServerHandler(context: context)\n }\n try channel.pipeline.syncOperations.addHandler(handler)\n\n try channel.pipeline.syncOperations.addHandlers(postHandlers())\n }\n }.bind(host: \"127.0.0.1\", port: 0).wait(),\n file: file,\n line: line\n )\n}\n\ntypealias SendableAdditionalPeerCertificateVerificationCallback =\n @Sendable (NIOSSLCertificate, Channel) -> EventLoopFuture\n\ninternal func clientTLSChannel(\n context: NIOSSLContext,\n additionalPeerCertificateVerificationCallback: SendableAdditionalPeerCertificateVerificationCallback? = nil,\n preHandlers: @autoclosure @escaping @Sendable () -> [ChannelHandler],\n postHandlers: @autoclosure @escaping @Sendable () -> [ChannelHandler],\n group: EventLoopGroup,\n connectingTo: SocketAddress,\n serverHostname: String? = nil,\n file: StaticString = #filePath,\n line: UInt = #line\n) throws -> Channel {\n func tlsFactory() -> NIOSSLClientTLSProvider {\n try! .init(\n context: context,\n serverHostname: serverHostname,\n additionalPeerCertificateVerificationCallback: additionalPeerCertificateVerificationCallback\n )\n }\n\n return try _clientTLSChannel(\n context: context,\n preHandlers: preHandlers,\n postHandlers: postHandlers,\n group: group,\n connectingTo: connectingTo,\n tlsFactory: tlsFactory\n )\n}\n\n@available(*, deprecated, message: \"just for testing the deprecated functionality\")\nprivate struct DeprecatedTLSProviderForTests: NIOClientTLSProvider, Sendable {\n public typealias Bootstrap = Bootstrap\n\n let context: NIOSSLContext\n let serverHostname: String?\n let verificationCallback: @Sendable (NIOSSLVerificationResult, NIOSSLCertificate) -> NIOSSLVerificationResult\n\n @available(*, deprecated, renamed: \"init(context:serverHostname:customVerificationCallback:)\")\n public init(\n context: NIOSSLContext,\n serverHostname: String?,\n verificationCallback:\n @escaping @Sendable (NIOSSLVerificationResult, NIOSSLCertificate) ->\n NIOSSLVerificationResult\n ) {\n self.context = context\n self.serverHostname = serverHostname\n self.verificationCallback = verificationCallback\n }\n\n public func enableTLS(_ bootstrap: Bootstrap) -> Bootstrap {\n bootstrap.protocolHandlers { [context, serverHostname, verificationCallback] in\n // NIOSSLClientHandler.init only throws because of `malloc` error and invalid SNI hostnames. We want to crash\n // on malloc error and we pre-checked the SNI hostname in `init` so that should be impossible here.\n [\n try! NIOSSLClientHandler(\n context: context,\n serverHostname: serverHostname,\n verificationCallback: verificationCallback\n )\n ]\n }\n }\n}\n\n@available(\n *,\n deprecated,\n renamed:\n \"clientTLSChannel(context:preHandlers:postHandlers:group:connectingTo:serverHostname:customVerificationCallback:file:line:)\"\n)\ninternal func clientTLSChannel(\n context: NIOSSLContext,\n preHandlers: @autoclosure @escaping @Sendable () -> [ChannelHandler],\n postHandlers: @autoclosure @escaping @Sendable () -> [ChannelHandler],\n group: EventLoopGroup,\n connectingTo: SocketAddress,\n serverHostname: String? = nil,\n verificationCallback: @escaping @Sendable (NIOSSLVerificationResult, NIOSSLCertificate) -> NIOSSLVerificationResult,\n file: StaticString = #filePath,\n line: UInt = #line\n) throws -> Channel {\n func tlsFactory() -> DeprecatedTLSProviderForTests {\n .init(context: context, serverHostname: serverHostname, verificationCallback: verificationCallback)\n }\n\n return try _clientTLSChannel(\n context: context,\n preHandlers: preHandlers,\n postHandlers: postHandlers,\n group: group,\n connectingTo: connectingTo,\n tlsFactory: tlsFactory\n )\n}\n\ninternal func clientTLSChannel(\n context: NIOSSLContext,\n preHandlers: @autoclosure @escaping @Sendable () -> [ChannelHandler],\n postHandlers: @autoclosure @escaping @Sendable () -> [ChannelHandler],\n group: EventLoopGroup,\n connectingTo: SocketAddress,\n serverHostname: String? = nil,\n customVerificationCallback: CustomCallback,\n file: StaticString = #filePath,\n line: UInt = #line\n) throws -> Channel {\n func tlsFactory() -> NIOSSLClientTLSProvider {\n try! .init(\n context: context,\n serverHostname: serverHostname,\n customVerificationCallback: customVerificationCallback\n )\n }\n\n return try _clientTLSChannel(\n context: context,\n preHandlers: preHandlers,\n postHandlers: postHandlers,\n group: group,\n connectingTo: connectingTo,\n tlsFactory: tlsFactory\n )\n}\n\nprivate func _clientTLSChannel(\n context: NIOSSLContext,\n preHandlers: @escaping @Sendable () -> [ChannelHandler],\n postHandlers: @escaping @Sendable () -> [ChannelHandler],\n group: EventLoopGroup,\n connectingTo: SocketAddress,\n tlsFactory: @escaping () -> TLS,\n file: StaticString = #filePath,\n line: UInt = #line\n) throws -> Channel where TLS.Bootstrap == ClientBootstrap {\n let bootstrap = NIOClientTCPBootstrap(\n ClientBootstrap(group: group),\n tls: tlsFactory()\n )\n return try assertNoThrowWithValue(\n bootstrap\n .channelInitializer { channel in\n channel.eventLoop.makeCompletedFuture {\n try channel.pipeline.syncOperations.addHandlers(postHandlers())\n }\n }\n .enableTLS()\n .connect(to: connectingTo)\n .flatMap { channel in\n channel.eventLoop.makeCompletedFuture {\n try channel.pipeline.syncOperations.addHandlers(preHandlers(), position: .first)\n return channel\n }\n }\n .wait(),\n file: file,\n line: line\n )\n}\n\nstruct EventLoopFutureTimeoutError: Error {}\n\nextension EventLoopFuture {\n func timeout(after failDelay: TimeAmount) -> EventLoopFuture {\n let promise = self.eventLoop.makePromise(of: Value.self)\n\n self.whenComplete { result in\n switch result {\n case .success(let value):\n promise.assumeIsolated().succeed(value)\n case .failure(let error):\n promise.fail(error)\n }\n }\n\n self.eventLoop.scheduleTask(in: failDelay) {\n promise.fail(EventLoopFutureTimeoutError())\n }\n\n return promise.futureResult\n }\n}\n\nclass NIOSSLIntegrationTest: XCTestCase {\n private static let certAndKey = generateSelfSignedCert()\n static var cert: NIOSSLCertificate { Self.certAndKey.0 }\n static var key: NIOSSLPrivateKey { Self.certAndKey.1 }\n\n override class func setUp() {\n super.setUp()\n guard boringSSLIsInitialized else { fatalError() }\n }\n\n private static func withEncryptedKeyPath(\n _ body: (String) throws -> ReturnType\n ) throws -> ReturnType {\n let path = try keyInFile(\n key: NIOSSLIntegrationTest.key,\n passphrase: \"thisisagreatpassword\"\n )\n defer {\n unlink(path)\n }\n return try body(path)\n }\n\n private func configuredSSLContext(\n keyLogCallback: NIOSSLKeyLogCallback? = nil,\n file: StaticString = #filePath,\n line: UInt = #line\n ) throws -> NIOSSLContext {\n var config = TLSConfiguration.makeServerConfiguration(\n certificateChain: [.certificate(NIOSSLIntegrationTest.cert)],\n privateKey: .privateKey(NIOSSLIntegrationTest.key)\n )\n config.trustRoots = .certificates([NIOSSLIntegrationTest.cert])\n config.keyLogCallback = keyLogCallback\n return try assertNoThrowWithValue(NIOSSLContext(configuration: config), file: file, line: line)\n }\n\n private func configuredClientContext(\n file: StaticString = #filePath,\n line: UInt = #line\n ) throws -> NIOSSLContext {\n var config = TLSConfiguration.makeClientConfiguration()\n config.trustRoots = .certificates([NIOSSLIntegrationTest.cert])\n return try assertNoThrowWithValue(\n NIOSSLContext(\n configuration: config,\n callbackManager: nil\n ),\n file: file,\n line: line\n )\n }\n\n static func keyInFile(key: NIOSSLPrivateKey, passphrase: String) throws -> String {\n let fileName = try makeTemporaryFile(fileExtension: \".pem\")\n let tempFile = open(fileName, O_RDWR | O_CREAT | O_TRUNC | O_CLOEXEC, 0o644)\n precondition(tempFile > 1, String(cString: strerror(errno)))\n let fileBio = CNIOBoringSSL_BIO_new_fp(fdopen(tempFile, \"w+\"), BIO_CLOSE)\n precondition(fileBio != nil)\n\n let manager = BoringSSLPassphraseCallbackManager { closure in closure(passphrase.utf8) }\n let rc = withExtendedLifetime(manager) { manager -> CInt in\n let userData = Unmanaged.passUnretained(manager).toOpaque()\n return key.withUnsafeMutableEVPPKEYPointer { ref in\n CNIOBoringSSL_PEM_write_bio_PrivateKey(\n fileBio,\n ref,\n CNIOBoringSSL_EVP_aes_256_cbc(),\n nil,\n 0,\n globalBoringSSLPassphraseCallback,\n userData\n )\n }\n }\n CNIOBoringSSL_BIO_free(fileBio)\n precondition(rc == 1)\n return fileName\n }\n\n func withTrustBundleInFile(tempFile fileName: inout String?, fn: (String) throws -> T) throws -> T {\n fileName = try makeTemporaryFile()\n guard let fileName = fileName else {\n fatalError(\"couldn't make temp file\")\n }\n let tempFile = fileName.withCString { ptr in\n open(ptr, O_RDWR | O_CREAT | O_TRUNC | O_CLOEXEC, 0o644)\n }\n precondition(tempFile > 1, String(cString: strerror(errno)))\n let fileBio = CNIOBoringSSL_BIO_new_fp(fdopen(tempFile, \"w+\"), BIO_CLOSE)\n precondition(fileBio != nil)\n\n let rc = NIOSSLIntegrationTest.cert.withUnsafeMutableX509Pointer { ref in\n CNIOBoringSSL_PEM_write_bio_X509(fileBio, ref)\n }\n CNIOBoringSSL_BIO_free(fileBio)\n precondition(rc == 1)\n return try fn(fileName)\n }\n\n func testSimpleEcho() throws {\n let context = try configuredSSLContext()\n\n let group = MultiThreadedEventLoopGroup(numberOfThreads: 1)\n defer {\n XCTAssertNoThrow(try group.syncShutdownGracefully())\n }\n\n let completionPromise: EventLoopPromise = group.next().makePromise()\n\n let serverChannel: Channel = try serverTLSChannel(\n context: context,\n handlers: [SimpleEchoServer()],\n group: group\n )\n defer {\n XCTAssertNoThrow(try serverChannel.close().wait())\n }\n\n let clientChannel = try clientTLSChannel(\n context: context,\n preHandlers: [],\n postHandlers: [PromiseOnReadHandler(promise: completionPromise)],\n group: group,\n connectingTo: serverChannel.localAddress!\n )\n defer {\n XCTAssertNoThrow(try clientChannel.close().wait())\n }\n\n var originalBuffer = clientChannel.allocator.buffer(capacity: 5)\n originalBuffer.writeString(\"Hello\")\n try clientChannel.writeAndFlush(originalBuffer).wait()\n\n let newBuffer = try completionPromise.futureResult.wait()\n XCTAssertEqual(newBuffer, originalBuffer)\n }\n\n func testHandshakeEventSequencing() throws {\n let context = try configuredSSLContext()\n\n let group = MultiThreadedEventLoopGroup(numberOfThreads: 1)\n defer {\n XCTAssertNoThrow(try group.syncShutdownGracefully())\n }\n\n let readComplete: EventLoopPromise = group.next().makePromise()\n let serverHandler: EventRecorderHandler = EventRecorderHandler()\n let serverChannel = try serverTLSChannel(\n context: context,\n handlers: [serverHandler, PromiseOnReadHandler(promise: readComplete)],\n group: group\n )\n defer {\n XCTAssertNoThrow(try serverChannel.close().wait())\n }\n\n let clientChannel = try clientTLSChannel(\n context: context,\n preHandlers: [],\n postHandlers: [SimpleEchoServer()],\n group: group,\n connectingTo: serverChannel.localAddress!\n )\n defer {\n XCTAssertNoThrow(try clientChannel.close().wait())\n }\n\n var originalBuffer = clientChannel.allocator.buffer(capacity: 5)\n originalBuffer.writeString(\"Hello\")\n try clientChannel.writeAndFlush(originalBuffer).wait()\n _ = try readComplete.futureResult.wait()\n\n // Ok, the channel is connected and we have written data to it. This means the TLS handshake is\n // done. Check the events.\n // TODO(cory): How do we wait until the read is done? Ideally we'd like to re-use the\n // PromiseOnReadHandler, but we need to get it into the pipeline first. Not sure how yet. Come back to me.\n // Maybe update serverTLSChannel to take an array of channel handlers?\n let expectedEvents: [EventRecorderHandler.RecordedEvents] = [\n .Registered,\n .Active,\n .UserEvent(TLSUserEvent.handshakeCompleted(negotiatedProtocol: nil)),\n .Read,\n .ReadComplete,\n ]\n\n XCTAssertEqual(expectedEvents, serverHandler.events)\n }\n\n func testShutdownEventSequencing() throws {\n let context = try configuredSSLContext()\n\n let group = MultiThreadedEventLoopGroup(numberOfThreads: 1)\n defer {\n XCTAssertNoThrow(try group.syncShutdownGracefully())\n }\n\n let readComplete: EventLoopPromise = group.next().makePromise()\n let serverHandler: EventRecorderHandler = EventRecorderHandler()\n let serverChannel = try serverTLSChannel(\n context: context,\n handlers: [serverHandler, PromiseOnReadHandler(promise: readComplete)],\n group: group\n )\n\n let clientChannel = try clientTLSChannel(\n context: context,\n preHandlers: [],\n postHandlers: [SimpleEchoServer()],\n group: group,\n connectingTo: serverChannel.localAddress!\n )\n\n var originalBuffer = clientChannel.allocator.buffer(capacity: 5)\n originalBuffer.writeString(\"Hello\")\n try clientChannel.writeAndFlush(originalBuffer).wait()\n\n // Ok, we want to wait for the read to finish, then close the server and client connections.\n _ = try readComplete.futureResult.flatMap { (_: ByteBuffer) in\n serverChannel.close()\n }.flatMap {\n clientChannel.close()\n }.wait()\n\n let expectedEvents: [EventRecorderHandler.RecordedEvents] = [\n .Registered,\n .Active,\n .UserEvent(TLSUserEvent.handshakeCompleted(negotiatedProtocol: nil)),\n .Read,\n .ReadComplete,\n .UserEvent(TLSUserEvent.shutdownCompleted),\n .Inactive,\n .Unregistered,\n ]\n\n XCTAssertEqual(expectedEvents, serverHandler.events)\n }\n\n func testSubsequentWritesFailAfterCloseModeOutput() throws {\n let context = try configuredSSLContext()\n\n let group = MultiThreadedEventLoopGroup(numberOfThreads: 1)\n defer {\n XCTAssertNoThrow(try group.syncShutdownGracefully())\n }\n\n let completionPromise: EventLoopPromise = group.next().makePromise()\n\n let serverChannel: Channel = try ServerBootstrap(group: group)\n .childChannelOption(ChannelOptions.allowRemoteHalfClosure, value: true) // Important!\n .serverChannelOption(ChannelOptions.socket(SocketOptionLevel(SOL_SOCKET), SO_REUSEADDR), value: 1)\n .childChannelInitializer { channel in\n channel.eventLoop.makeCompletedFuture {\n try channel.pipeline.syncOperations.addHandlers(\n NIOSSLServerHandler(context: context),\n SimpleEchoServer()\n )\n }\n }\n .bind(host: \"127.0.0.1\", port: 0)\n .wait()\n defer {\n XCTAssertNoThrow(try serverChannel.close().wait())\n }\n\n let clientChannel = try clientTLSChannel(\n context: context,\n preHandlers: [],\n postHandlers: [\n PromiseOnReadHandler(promise: completionPromise)\n ],\n group: group,\n connectingTo: serverChannel.localAddress!\n )\n defer {\n XCTAssertNoThrow(try clientChannel.close().wait())\n }\n\n var buffer = clientChannel.allocator.buffer(capacity: 5)\n buffer.writeString(\"Hello\")\n XCTAssertNoThrow(try clientChannel.writeAndFlush(buffer).wait())\n\n XCTAssertNoThrow(try clientChannel.close(mode: .output).wait())\n XCTAssertThrowsError(try clientChannel.writeAndFlush(buffer).wait()) { error in\n XCTAssertEqual(.outputClosed, error as? ChannelError)\n }\n }\n\n func testCloseModeOutputServerAndClient() throws {\n let context = try configuredSSLContext()\n\n let group = MultiThreadedEventLoopGroup(numberOfThreads: 1)\n defer {\n XCTAssertNoThrow(try group.syncShutdownGracefully())\n }\n\n let completionPromise: EventLoopPromise = group.next().makePromise()\n let childChannelInitPromise: EventLoopPromise = group.next().makePromise()\n\n let serverChannel: Channel = try ServerBootstrap(group: group)\n .childChannelOption(ChannelOptions.allowRemoteHalfClosure, value: true) // Important!\n .serverChannelOption(ChannelOptions.socket(SocketOptionLevel(SOL_SOCKET), SO_REUSEADDR), value: 1)\n .childChannelInitializer { channel in\n channel.eventLoop.makeCompletedFuture {\n try channel.pipeline.syncOperations.addHandlers(\n NIOSSLServerHandler(context: context),\n PromiseOnChildChannelInitHandler(promise: childChannelInitPromise),\n SimpleEchoServer()\n )\n }\n }\n .bind(host: \"127.0.0.1\", port: 0)\n .wait()\n defer {\n XCTAssertNoThrow(try serverChannel.close().wait())\n }\n\n let clientChannelInactivePromise: EventLoopPromise = group.next().makePromise()\n let shutdownPromise = group.next().makePromise(of: Void.self)\n let clientChannel = try clientTLSChannel(\n context: context,\n preHandlers: [],\n postHandlers: [\n PromiseOnReadHandler(promise: completionPromise),\n ShutdownVerificationHandler(\n shutdownEvent: .input,\n promise: shutdownPromise\n ),\n ChannelInactiveHandler(promise: clientChannelInactivePromise),\n ],\n group: group,\n connectingTo: serverChannel.localAddress!\n )\n XCTAssertNoThrow(try clientChannel.setOption(ChannelOptions.allowRemoteHalfClosure, value: true).wait())\n\n var originalBuffer = clientChannel.allocator.buffer(capacity: 5)\n originalBuffer.writeString(\"Hello\")\n try clientChannel.writeAndFlush(originalBuffer).wait()\n\n let newBuffer = try completionPromise.futureResult.wait()\n XCTAssertEqual(newBuffer, originalBuffer)\n\n // Ok, the connection is definitely up.\n // Now retrieve the client channel that our server opened for the connection to our client.\n let connectionChildChannel = try childChannelInitPromise.futureResult.wait()\n\n // Closing the output of the connection on the server should automatically\n // close the input of the clientChannel.\n XCTAssertNoThrow(try connectionChildChannel.close(mode: .output).wait())\n try shutdownPromise.futureResult.wait()\n\n // Closing the output of the client channel (with input closed) should\n // result in full closure.\n XCTAssertNoThrow(try clientChannel.close(mode: .output).wait())\n XCTAssertNoThrow(try clientChannelInactivePromise.futureResult.wait())\n }\n\n func testCloseModeOutputTriggersFlush() throws {\n let context = try configuredSSLContext()\n\n let group = MultiThreadedEventLoopGroup(numberOfThreads: 1)\n defer {\n XCTAssertNoThrow(try group.syncShutdownGracefully())\n }\n\n let completionPromise: EventLoopPromise = group.next().makePromise()\n\n let serverChannel: Channel = try ServerBootstrap(group: group)\n .childChannelOption(ChannelOptions.allowRemoteHalfClosure, value: true) // Important!\n .serverChannelOption(ChannelOptions.socket(SocketOptionLevel(SOL_SOCKET), SO_REUSEADDR), value: 1)\n .childChannelInitializer { channel in\n channel.eventLoop.makeCompletedFuture {\n try channel.pipeline.syncOperations.addHandlers(\n NIOSSLServerHandler(context: context),\n SimpleEchoServer()\n )\n }\n }\n .bind(host: \"127.0.0.1\", port: 0)\n .wait()\n defer {\n XCTAssertNoThrow(try serverChannel.close().wait())\n }\n\n let clientChannel = try clientTLSChannel(\n context: context,\n preHandlers: [],\n postHandlers: [\n PromiseOnReadHandler(promise: completionPromise)\n ],\n group: group,\n connectingTo: serverChannel.localAddress!\n )\n defer {\n XCTAssertNoThrow(try clientChannel.close().wait())\n }\n\n var originalBuffer = clientChannel.allocator.buffer(capacity: 5)\n originalBuffer.writeString(\"Hello\")\n let clientWriteFuture = clientChannel.write(originalBuffer)\n XCTAssertNoThrow(try clientChannel.close(mode: .output).wait())\n XCTAssertNoThrow(try clientWriteFuture.wait())\n\n let newBuffer = try assertNoThrowWithValue(completionPromise.futureResult.wait())\n XCTAssertEqual(newBuffer, originalBuffer)\n }\n\n func testMultipleCloseOutput() throws {\n let context = try configuredSSLContext()\n\n let group = MultiThreadedEventLoopGroup(numberOfThreads: 1)\n defer {\n XCTAssertNoThrow(try group.syncShutdownGracefully())\n }\n\n let completionPromise: EventLoopPromise = group.next().makePromise()\n\n let serverChannel: Channel = try ServerBootstrap(group: group)\n .childChannelOption(ChannelOptions.allowRemoteHalfClosure, value: true) // Important!\n .serverChannelOption(ChannelOptions.socket(SocketOptionLevel(SOL_SOCKET), SO_REUSEADDR), value: 1)\n .childChannelInitializer { channel in\n channel.eventLoop.makeCompletedFuture {\n try channel.pipeline.syncOperations.addHandlers(\n NIOSSLServerHandler(context: context),\n SimpleEchoServer()\n )\n }\n }\n .bind(host: \"127.0.0.1\", port: 0)\n .wait()\n defer {\n XCTAssertNoThrow(try serverChannel.close().wait())\n }\n\n let clientChannel = try clientTLSChannel(\n context: context,\n preHandlers: [],\n postHandlers: [PromiseOnReadHandler(promise: completionPromise)],\n group: group,\n connectingTo: serverChannel.localAddress!\n )\n defer {\n XCTAssertNoThrow(try clientChannel.close().wait())\n }\n\n var originalBuffer = clientChannel.allocator.buffer(capacity: 5)\n originalBuffer.writeString(\"Hello\")\n try clientChannel.writeAndFlush(originalBuffer).wait()\n\n let newBuffer = try completionPromise.futureResult.wait()\n XCTAssertEqual(newBuffer, originalBuffer)\n\n // Ok, the connection is definitely up. Now we want to forcibly call close(mode: .output) on the channel several times with\n // different promises. None of these will fire until clean shutdown happens, but we want to confirm that *all* of them\n // fire.\n //\n // To avoid the risk of the I/O loop actually closing the connection before we're done, we need to hijack the\n // I/O loop and issue all the closes on that thread. Otherwise, the channel will probably pull off the TLS shutdown\n // before we get to the third call to close().\n let promises: [EventLoopPromise] = [\n group.next().makePromise(), group.next().makePromise(), group.next().makePromise(),\n ]\n group.next().execute {\n for promise in promises {\n clientChannel.close(mode: .output, promise: promise)\n }\n }\n\n XCTAssertNoThrow(try promises.first!.futureResult.wait())\n\n for promise in promises {\n // This should never block, but it may throw because the I/O is complete.\n // Suppress all errors, they're fine.\n _ = try? promise.futureResult.wait()\n }\n }\n\n func testMultipleClose() throws {\n var serverClosed = false\n let context = try configuredSSLContext()\n\n let group = MultiThreadedEventLoopGroup(numberOfThreads: 1)\n defer {\n XCTAssertNoThrow(try group.syncShutdownGracefully())\n }\n\n let completionPromise: EventLoopPromise = group.next().makePromise()\n\n let serverChannel = try serverTLSChannel(context: context, handlers: [SimpleEchoServer()], group: group)\n defer {\n if !serverClosed {\n XCTAssertNoThrow(try serverChannel.close().wait())\n }\n }\n\n let clientChannel = try clientTLSChannel(\n context: context,\n preHandlers: [],\n postHandlers: [PromiseOnReadHandler(promise: completionPromise)],\n group: group,\n connectingTo: serverChannel.localAddress!\n )\n defer {\n XCTAssertNoThrow(try clientChannel.close().wait())\n }\n\n var originalBuffer = clientChannel.allocator.buffer(capacity: 5)\n originalBuffer.writeString(\"Hello\")\n try clientChannel.writeAndFlush(originalBuffer).wait()\n\n let newBuffer = try completionPromise.futureResult.wait()\n XCTAssertEqual(newBuffer, originalBuffer)\n\n // Ok, the connection is definitely up. Now we want to forcibly call close() on the channel several times with\n // different promises. None of these will fire until clean shutdown happens, but we want to confirm that *all* of them\n // fire.\n //\n // To avoid the risk of the I/O loop actually closing the connection before we're done, we need to hijack the\n // I/O loop and issue all the closes on that thread. Otherwise, the channel will probably pull off the TLS shutdown\n // before we get to the third call to close().\n let promises: [EventLoopPromise] = [\n group.next().makePromise(), group.next().makePromise(), group.next().makePromise(),\n ]\n group.next().execute {\n for promise in promises {\n serverChannel.close(promise: promise)\n }\n }\n\n XCTAssertNoThrow(try promises.first!.futureResult.wait())\n serverClosed = true\n\n for promise in promises {\n // This should never block, but it may throw because the I/O is complete.\n // Suppress all errors, they're fine.\n _ = try? promise.futureResult.wait()\n }\n }\n\n func testCoalescedWrites() throws {\n let context = try configuredSSLContext()\n\n let group = MultiThreadedEventLoopGroup(numberOfThreads: 1)\n defer {\n XCTAssertNoThrow(try group.syncShutdownGracefully())\n }\n\n let serverChannel = try serverTLSChannel(context: context, handlers: [SimpleEchoServer()], group: group)\n defer {\n XCTAssertNoThrow(try serverChannel.close().wait())\n }\n\n let writeCounter = WriteCountingHandler()\n let readPromise: EventLoopPromise = group.next().makePromise()\n let clientChannel = try clientTLSChannel(\n context: context,\n preHandlers: [writeCounter],\n postHandlers: [PromiseOnReadHandler(promise: readPromise)],\n group: group,\n connectingTo: serverChannel.localAddress!\n )\n defer {\n XCTAssertNoThrow(try clientChannel.close().wait())\n }\n\n // We're going to issue a number of small writes. Each of these should be coalesced together\n // such that the underlying layer sees only one write for them. The total number of\n // writes should be (after we flush) 3: one for Client Hello, one for Finished, and one\n // for the coalesced writes. However, we'll tolerate fewer!\n var originalBuffer = clientChannel.allocator.buffer(capacity: 1)\n originalBuffer.writeString(\"A\")\n var writeFutures: [EventLoopFuture<()>] = []\n for _ in 0..<5 {\n writeFutures.append(clientChannel.write(originalBuffer))\n }\n\n clientChannel.flush()\n try EventLoopFuture<()>.andAllSucceed(writeFutures, on: clientChannel.eventLoop).wait()\n let writeCount = try readPromise.futureResult.map { (_: ByteBuffer) in\n // Here we're in the I/O loop, so we know that no further channel action will happen\n // while we dispatch this callback. This is the perfect time to check how many writes\n // happened.\n writeCounter.writeCount\n }.wait()\n XCTAssertLessThanOrEqual(writeCount, 3)\n }\n\n func testCoalescedWritesWithFutures() throws {\n let context = try configuredSSLContext()\n\n let group = MultiThreadedEventLoopGroup(numberOfThreads: 1)\n defer {\n XCTAssertNoThrow(try group.syncShutdownGracefully())\n }\n\n let serverChannel = try serverTLSChannel(context: context, handlers: [SimpleEchoServer()], group: group)\n defer {\n XCTAssertNoThrow(try serverChannel.close().wait())\n }\n\n let clientChannel = try clientTLSChannel(\n context: context,\n preHandlers: [],\n postHandlers: [],\n group: group,\n connectingTo: serverChannel.localAddress!\n )\n defer {\n XCTAssertNoThrow(try clientChannel.close().wait())\n }\n\n // We're going to issue a number of small writes. Each of these should be coalesced together\n // and all their futures (along with the one for the flush) should fire, in order, with nothing\n // missed.\n let firedFutures: NIOLockedValueBox<[Int]> = .init([])\n let writeFutures: NIOLockedValueBox<[EventLoopFuture<()>]> = .init([])\n var originalBuffer = clientChannel.allocator.buffer(capacity: 1)\n originalBuffer.writeString(\"A\")\n for index in 0..<5 {\n let promise: EventLoopPromise = group.next().makePromise()\n writeFutures.withLockedValue { $0.append(promise.futureResult) }\n promise.futureResult.map {\n XCTAssertEqual(firedFutures.withLockedValue { $0.count }, index)\n firedFutures.withLockedValue { $0.append(index) }\n }.whenFailure { error in\n XCTFail(\"Write promise failed: \\(error)\")\n }\n clientChannel.write(originalBuffer, promise: promise)\n }\n\n clientChannel.flush()\n try EventLoopFuture<()>.andAllSucceed(\n writeFutures.withLockedValue { $0 },\n on: clientChannel.eventLoop\n ).map {\n XCTAssertEqual(firedFutures.withLockedValue { $0 }, [0, 1, 2, 3, 4])\n }.recover { error in\n XCTFail(\"Write promised failed: \\(error)\")\n }.wait()\n }\n\n func testImmediateCloseSatisfiesPromises() throws {\n let context = try configuredSSLContext()\n let channel = EmbeddedChannel()\n try channel.pipeline.syncOperations.addHandler(\n NIOSSLClientHandler(context: context, serverHostname: nil)\n )\n\n // Start by initiating the handshake.\n try channel.connect(to: SocketAddress(unixDomainSocketPath: \"/tmp/doesntmatter\")).wait()\n\n // Now call close. This should immediately close, satisfying the promise.\n let closePromise: EventLoopPromise = channel.eventLoop.makePromise()\n channel.close(promise: closePromise)\n\n XCTAssertNoThrow(try closePromise.futureResult.wait())\n }\n\n func testAddingTlsToActiveChannelStillHandshakes() throws {\n let context = try configuredSSLContext()\n let group = MultiThreadedEventLoopGroup(numberOfThreads: 1)\n defer {\n XCTAssertNoThrow(try group.syncShutdownGracefully())\n }\n\n let recorderHandler: EventRecorderHandler = EventRecorderHandler()\n let channelActiveWaiter = ChannelActiveWaiter(promise: group.next().makePromise())\n let serverChannel = try serverTLSChannel(\n context: context,\n handlers: [recorderHandler, SimpleEchoServer(), channelActiveWaiter],\n group: group\n )\n defer {\n XCTAssertNoThrow(try serverChannel.close().wait())\n }\n\n // Create a client channel without TLS in it, and connect it.\n let readPromise: EventLoopPromise = group.next().makePromise()\n let clientChannel = try ClientBootstrap(group: group)\n .channelInitializer { channel in\n channel.eventLoop.makeCompletedFuture {\n try channel.pipeline.syncOperations.addHandler(\n PromiseOnReadHandler(promise: readPromise)\n )\n }\n }\n .connect(to: serverChannel.localAddress!).wait()\n defer {\n XCTAssertNoThrow(try clientChannel.close().wait())\n }\n\n // Wait until the channel comes up, then confirm that no handshake has been\n // received. This hardly proves much, but it's enough.\n try channelActiveWaiter.waitForChannelActive()\n try group.next().submit {\n XCTAssertEqual(recorderHandler.events, [.Registered, .Active])\n }.wait()\n\n // Now, add the TLS handler to the pipeline.\n try clientChannel.eventLoop.submit {\n try clientChannel.pipeline.syncOperations.addHandler(\n NIOSSLClientHandler(context: context, serverHostname: nil),\n position: .first\n )\n }.wait()\n\n var data = clientChannel.allocator.buffer(capacity: 1)\n data.writeStaticString(\"x\")\n try clientChannel.writeAndFlush(data).wait()\n\n // The echo should come back without error.\n _ = try readPromise.futureResult.wait()\n\n // At this point the handshake should be complete.\n try group.next().submit {\n XCTAssertEqual(\n recorderHandler.events[..<3],\n [.Registered, .Active, .UserEvent(.handshakeCompleted(negotiatedProtocol: nil))]\n )\n }.wait()\n }\n\n func testValidatesHostnameOnConnectionFails() throws {\n let serverCtx = try configuredSSLContext()\n let clientCtx = try configuredClientContext()\n\n let group = MultiThreadedEventLoopGroup(numberOfThreads: 1)\n defer {\n try? group.syncShutdownGracefully()\n }\n\n let serverChannel = try serverTLSChannel(\n context: serverCtx,\n handlers: [],\n group: group\n )\n defer {\n XCTAssertNoThrow(try serverChannel.close().wait())\n }\n\n let errorHandler = ErrorCatcher()\n let clientChannel = try clientTLSChannel(\n context: clientCtx,\n preHandlers: [],\n postHandlers: [errorHandler],\n group: group,\n connectingTo: serverChannel.localAddress!\n )\n\n var originalBuffer = clientChannel.allocator.buffer(capacity: 5)\n originalBuffer.writeString(\"Hello\")\n let writeFuture = clientChannel.writeAndFlush(originalBuffer)\n let errorsFuture: EventLoopFuture<[NIOSSLExtraError]> = writeFuture.recover { (_: Error) in\n // We're swallowing errors here, on purpose, because we'll definitely\n // hit them.\n ()\n }.map {\n errorHandler.errors\n }\n let actualErrors = try errorsFuture.wait()\n\n // This write will have failed, but that's fine: we just want it as a signal that\n // the handshake is done so we can make our assertions.\n let expectedErrors: [NIOSSLExtraError] = [NIOSSLExtraError.failedToValidateHostname]\n\n XCTAssertEqual(expectedErrors, actualErrors)\n XCTAssertEqual(\n actualErrors.first.map { String(describing: $0) },\n \"NIOSSLExtraError.failedToValidateHostname: Couldn't find in certificate from peer\"\n )\n }\n\n func testValidatesHostnameOnConnectionSucceeds() throws {\n let serverCtx = try configuredSSLContext()\n let clientCtx = try configuredClientContext()\n\n let group = MultiThreadedEventLoopGroup(numberOfThreads: 1)\n defer {\n XCTAssertNoThrow(try group.syncShutdownGracefully())\n }\n\n let serverChannel = try serverTLSChannel(\n context: serverCtx,\n handlers: [],\n group: group\n )\n defer {\n XCTAssertNoThrow(try serverChannel.close().wait())\n }\n\n let eventHandler = EventRecorderHandler()\n let clientChannel = try clientTLSChannel(\n context: clientCtx,\n preHandlers: [],\n postHandlers: [eventHandler],\n group: group,\n connectingTo: serverChannel.localAddress!,\n serverHostname: \"localhost\"\n )\n\n var originalBuffer = clientChannel.allocator.buffer(capacity: 5)\n originalBuffer.writeString(\"Hello\")\n let writeFuture = clientChannel.writeAndFlush(originalBuffer)\n writeFuture.whenComplete { _ in\n XCTAssertEqual(\n eventHandler.events[..<3],\n [.Registered, .Active, .UserEvent(.handshakeCompleted(negotiatedProtocol: nil))]\n )\n }\n try writeFuture.wait()\n }\n\n func testAdditionalValidationOnConnectionSucceeds() throws {\n let group = MultiThreadedEventLoopGroup(numberOfThreads: 1)\n defer {\n XCTAssertNoThrow(try group.syncShutdownGracefully())\n }\n\n let serverCtx = try configuredSSLContext()\n let clientCtx = try configuredClientContext()\n\n let serverChannel = try serverTLSChannel(\n context: serverCtx,\n handlers: [],\n group: group\n )\n defer {\n XCTAssertNoThrow(try serverChannel.close().wait())\n }\n\n let eventHandler = EventRecorderHandler()\n let clientChannel = try clientTLSChannel(\n context: clientCtx,\n additionalPeerCertificateVerificationCallback: { cert, channel in\n XCTAssertEqual(cert, Self.cert)\n return channel.eventLoop.makeSucceededFuture(())\n },\n preHandlers: [],\n postHandlers: [eventHandler],\n group: group,\n connectingTo: serverChannel.localAddress!,\n serverHostname: \"localhost\"\n )\n\n var originalBuffer = clientChannel.allocator.buffer(capacity: 5)\n originalBuffer.writeString(\"Hello\")\n let writeFuture = clientChannel.writeAndFlush(originalBuffer)\n writeFuture.whenComplete { _ in\n XCTAssertEqual(\n eventHandler.events[..<3],\n [.Registered, .Active, .UserEvent(.handshakeCompleted(negotiatedProtocol: nil))]\n )\n }\n try writeFuture.wait()\n }\n\n func testAdditionalValidationOnConnectionFails() throws {\n struct CustomUserError: Error {}\n let group = MultiThreadedEventLoopGroup(numberOfThreads: 1)\n defer {\n XCTAssertNoThrow(try group.syncShutdownGracefully())\n }\n\n let serverCtx = try configuredSSLContext()\n let clientCtx = try configuredClientContext()\n\n let serverChannel = try serverTLSChannel(\n context: serverCtx,\n handlers: [],\n group: group\n )\n defer {\n XCTAssertNoThrow(try serverChannel.close().wait())\n }\n\n let errorHandler = ErrorCatcher()\n let clientChannel = try clientTLSChannel(\n context: clientCtx,\n additionalPeerCertificateVerificationCallback: { cert, channel in\n XCTAssertEqual(cert, Self.cert)\n return channel.eventLoop.makeFailedFuture(CustomUserError())\n },\n preHandlers: [],\n postHandlers: [errorHandler],\n group: group,\n connectingTo: serverChannel.localAddress!,\n serverHostname: \"localhost\"\n )\n\n var originalBuffer = clientChannel.allocator.buffer(capacity: 5)\n originalBuffer.writeString(\"Hello\")\n let writeFuture = clientChannel.writeAndFlush(originalBuffer)\n let errorsFuture: EventLoopFuture<[Error]> = writeFuture.recover { (_: Error) in\n // We're swallowing errors here, on purpose, because we'll definitely\n // hit them.\n ()\n }.map {\n errorHandler.errors\n }\n let actualErrors = try errorsFuture.wait()\n\n // This write will have failed, but that's fine: we just want it as a signal that\n // the handshake is done so we can make our assertions.\n XCTAssertEqual(actualErrors.count, 1)\n XCTAssertTrue(actualErrors.first is CustomUserError)\n }\n\n func testFlushWhileAdditionalValidationIsInProgressDoesNotActuallyFlush() throws {\n let group = MultiThreadedEventLoopGroup(numberOfThreads: 1)\n defer {\n XCTAssertNoThrow(try group.syncShutdownGracefully())\n }\n\n let additionalHandshakePromise = group.next().makePromise(of: Void.self)\n let serverCtx = try configuredSSLContext()\n let clientCtx = try configuredClientContext()\n\n let serverChannel = try serverTLSChannel(\n context: serverCtx,\n handlers: [],\n group: group\n )\n defer {\n XCTAssertNoThrow(try serverChannel.close().wait())\n }\n\n let eventHandler = EventRecorderHandler()\n let clientChannel = try clientTLSChannel(\n context: clientCtx,\n additionalPeerCertificateVerificationCallback: { cert, channel in\n XCTAssertEqual(cert, Self.cert)\n channel.flush()\n return additionalHandshakePromise.futureResult\n },\n preHandlers: [],\n postHandlers: [eventHandler],\n group: group,\n connectingTo: serverChannel.localAddress!,\n serverHostname: \"localhost\"\n )\n let writeFuture = clientChannel.writeAndFlush(ByteBuffer(string: \"Hello\"))\n XCTAssertThrowsError(try writeFuture.timeout(after: .milliseconds(100)).wait())\n additionalHandshakePromise.succeed(())\n writeFuture.whenComplete { _ in\n XCTAssertEqual(\n eventHandler.events[..<3],\n [.Registered, .Active, .UserEvent(.handshakeCompleted(negotiatedProtocol: nil))]\n )\n }\n try writeFuture.wait()\n }\n\n func testDontLoseClosePromises() throws {\n let serverChannel = EmbeddedChannel()\n let clientChannel = EmbeddedChannel()\n var channelClosed = false\n defer {\n // We know this will throw.\n _ = try? serverChannel.finish()\n _ = try? clientChannel.finish()\n }\n\n let context = try configuredSSLContext()\n\n try serverChannel.pipeline.syncOperations.addHandler(\n NIOSSLServerHandler(context: context)\n )\n try clientChannel.pipeline.syncOperations.addHandler(\n try NIOSSLClientHandler(context: context, serverHostname: nil)\n )\n\n let addr: SocketAddress = try SocketAddress(unixDomainSocketPath: \"/tmp/whatever\")\n let connectFuture = clientChannel.connect(to: addr)\n serverChannel.pipeline.fireChannelActive()\n try interactInMemory(clientChannel: clientChannel, serverChannel: serverChannel)\n try connectFuture.wait()\n\n // Ok, we're connected. Good stuff! Now, we want to hit this specific window:\n // 1. Call close() on the server channel. This will transition it to the closing state.\n // 2. Fire channelInactive on the serverChannel. This should cause it to drop all state and\n // fire the close promise.\n // Because we're using the embedded channel here, we don't need to worry about thread\n // synchronization: all of this should succeed synchronously. If it doesn't, that's\n // a bug too!\n let closePromise = serverChannel.close()\n closePromise.assumeIsolated().whenComplete { _ in\n // This looks like unsynchronized access to channelClosed, but it isn't: as we're\n // using EmbeddedChannel here there is no cross-thread hopping.\n channelClosed = true\n }\n XCTAssertFalse(channelClosed)\n\n serverChannel.pipeline.fireChannelInactive()\n XCTAssertTrue(channelClosed)\n\n closePromise.map {\n XCTFail(\"Unexpected success\")\n }.whenFailure { error in\n switch error {\n case let e as NIOSSLError where e == .uncleanShutdown:\n break\n default:\n XCTFail(\"Unexpected error: \\(error)\")\n }\n }\n\n // Now clean up the client channel. We need to also fire the channel inactive here as there is\n // no-one left for the client channel to end the connection with.\n _ = clientChannel.close()\n clientChannel.pipeline.fireChannelInactive()\n }\n\n func testTrustStoreOnDisk() throws {\n var tempFile: String? = nil\n let serverCtx = try configuredSSLContext()\n let config: TLSConfiguration = try withTrustBundleInFile(tempFile: &tempFile) {\n var config = TLSConfiguration.makeClientConfiguration()\n config.certificateVerification = .noHostnameVerification\n config.trustRoots = .file($0)\n config.certificateChain = [.certificate(NIOSSLIntegrationTest.cert)]\n config.privateKey = .privateKey(NIOSSLIntegrationTest.key)\n return config\n }\n defer {\n precondition(\n .some(0) == tempFile.map { unlink($0) },\n \"couldn't remove temp file \\(tempFile.debugDescription)\"\n )\n }\n let clientCtx = try assertNoThrowWithValue(NIOSSLContext(configuration: config))\n\n let group = MultiThreadedEventLoopGroup(numberOfThreads: 1)\n defer {\n XCTAssertNoThrow(try group.syncShutdownGracefully())\n }\n\n let completionPromise: EventLoopPromise = group.next().makePromise()\n let serverChannel: Channel = try serverTLSChannel(\n context: serverCtx,\n handlers: [SimpleEchoServer()],\n group: group\n )\n defer {\n _ = try? serverChannel.close().wait()\n }\n\n let clientChannel = try clientTLSChannel(\n context: clientCtx,\n preHandlers: [],\n postHandlers: [PromiseOnReadHandler(promise: completionPromise)],\n group: group,\n connectingTo: serverChannel.localAddress!\n )\n defer {\n _ = try? clientChannel.close().wait()\n }\n\n var originalBuffer = clientChannel.allocator.buffer(capacity: 5)\n originalBuffer.writeString(\"Hello\")\n\n try clientChannel.writeAndFlush(originalBuffer).wait()\n let newBuffer = try completionPromise.futureResult.wait()\n XCTAssertEqual(newBuffer, originalBuffer)\n }\n\n func testChecksTrustStoreOnDisk() throws {\n let serverCtx = try configuredSSLContext()\n var clientConfig = TLSConfiguration.makeClientConfiguration()\n clientConfig.certificateVerification = .noHostnameVerification\n clientConfig.trustRoots = .file(FileManager.default.temporaryDirectory.path)\n clientConfig.certificateChain = [.certificate(NIOSSLIntegrationTest.cert)]\n clientConfig.privateKey = .privateKey(NIOSSLIntegrationTest.key)\n let clientCtx = try assertNoThrowWithValue(NIOSSLContext(configuration: clientConfig))\n\n let group = MultiThreadedEventLoopGroup(numberOfThreads: 1)\n defer {\n XCTAssertNoThrow(try group.syncShutdownGracefully())\n }\n\n let serverChannel = try serverTLSChannel(\n context: serverCtx,\n handlers: [],\n group: group\n )\n defer {\n XCTAssertNoThrow(try serverChannel.close().wait())\n }\n\n let errorHandler = ErrorCatcher()\n let clientChannel = try clientTLSChannel(\n context: clientCtx,\n preHandlers: [],\n postHandlers: [errorHandler],\n group: group,\n connectingTo: serverChannel.localAddress!\n )\n\n var originalBuffer = clientChannel.allocator.buffer(capacity: 5)\n originalBuffer.writeString(\"Hello\")\n let writeFuture = clientChannel.writeAndFlush(originalBuffer)\n let errorsFuture: EventLoopFuture<[NIOSSLError]> = writeFuture.recover { (_: Error) in\n // We're swallowing errors here, on purpose, because we'll definitely\n // hit them.\n ()\n }.map {\n errorHandler.errors\n }\n let actualErrors = try errorsFuture.wait()\n\n // The actual error is non-deterministic depending on platform and version, so we don't\n // really try to make too many assertions here.\n XCTAssertEqual(actualErrors.count, 1)\n try clientChannel.closeFuture.wait()\n }\n\n func testReadAfterCloseNotifyDoesntKillProcess() throws {\n let serverChannel = EmbeddedChannel()\n let clientChannel = EmbeddedChannel()\n\n let context = try configuredSSLContext()\n\n try serverChannel.pipeline.syncOperations.addHandler(\n NIOSSLServerHandler(context: context)\n )\n try clientChannel.pipeline.syncOperations.addHandler(\n try NIOSSLClientHandler(context: context, serverHostname: nil)\n )\n\n let addr = try SocketAddress(unixDomainSocketPath: \"/tmp/whatever2\")\n let connectFuture = clientChannel.connect(to: addr)\n serverChannel.pipeline.fireChannelActive()\n try interactInMemory(clientChannel: clientChannel, serverChannel: serverChannel)\n try connectFuture.wait()\n\n // Ok, we're connected. Now we want to close the server, and have that trigger a client CLOSE_NOTIFY.\n // However, when we deliver that CLOSE_NOTIFY we're then going to immediately send another chunk of\n // data. We can get away with doing this because the Embedded channel fires any promise for close()\n // before it fires channelInactive, which will allow us to fire channelRead from within the callback.\n let closePromise = serverChannel.close()\n closePromise.whenComplete { _ in\n var buffer = serverChannel.allocator.buffer(capacity: 5)\n buffer.writeStaticString(\"hello\")\n serverChannel.pipeline.fireChannelRead(buffer)\n serverChannel.pipeline.fireChannelReadComplete()\n }\n\n XCTAssertNoThrow(try serverChannel.throwIfErrorCaught())\n\n XCTAssertThrowsError(try interactInMemory(clientChannel: clientChannel, serverChannel: serverChannel)) {\n error in\n XCTAssertEqual(.readInInvalidTLSState, error as? NIOSSLError)\n }\n }\n\n func testUnprocessedDataOnReadPathBeforeClosing() throws {\n let serverChannel = EmbeddedChannel()\n let clientChannel = EmbeddedChannel()\n\n let context = try configuredSSLContext()\n\n let completePromise: EventLoopPromise = serverChannel.eventLoop.makePromise()\n\n XCTAssertNoThrow(\n try serverChannel.pipeline.syncOperations.addHandler(\n NIOSSLServerHandler(context: context)\n )\n )\n XCTAssertNoThrow(\n try serverChannel.pipeline.syncOperations.addHandler(\n ReadRecordingHandler(completePromise: completePromise)\n )\n )\n XCTAssertNoThrow(\n try clientChannel.pipeline.syncOperations.addHandler(\n try NIOSSLClientHandler(context: context, serverHostname: nil)\n )\n )\n\n let addr = try SocketAddress(unixDomainSocketPath: \"/tmp/whatever2\")\n let connectFuture = clientChannel.connect(to: addr)\n serverChannel.pipeline.fireChannelActive()\n try interactInMemory(clientChannel: clientChannel, serverChannel: serverChannel)\n try connectFuture.wait()\n\n // Ok, we're connected. Now we want to close the server, and have that trigger a client CLOSE_NOTIFY.\n // After the CLOSE_NOTIFY create another chunk of data.\n let serverClosePromise = serverChannel.close()\n\n // Create a new chunk of data after the close.\n var clientBuffer = clientChannel.allocator.buffer(capacity: 5)\n clientBuffer.writeStaticString(\"hello\")\n _ = try clientChannel.writeAndFlush(clientBuffer).wait()\n let clientClosePromise = clientChannel.close()\n\n // Use interactInMemory to finish the reads and writes.\n XCTAssertNoThrow(try interactInMemory(clientChannel: clientChannel, serverChannel: serverChannel))\n XCTAssertNoThrow(try clientClosePromise.wait())\n XCTAssertNoThrow(try serverClosePromise.wait())\n\n // Now check what we read.\n var readData = try assertNoThrowWithValue(completePromise.futureResult.wait())\n XCTAssertEqual(readData.readString(length: readData.readableBytes)!, \"hello\")\n }\n\n func testZeroLengthWrite() throws {\n let context = try configuredSSLContext()\n\n let group = MultiThreadedEventLoopGroup(numberOfThreads: 1)\n defer {\n try? group.syncShutdownGracefully()\n }\n\n let completionPromise: EventLoopPromise = group.next().makePromise()\n\n let serverChannel = try serverTLSChannel(\n context: context,\n handlers: [PromiseOnReadHandler(promise: completionPromise)],\n group: group\n )\n defer {\n _ = try? serverChannel.close().wait()\n }\n\n let clientChannel = try clientTLSChannel(\n context: context,\n preHandlers: [],\n postHandlers: [],\n group: group,\n connectingTo: serverChannel.localAddress!\n )\n defer {\n _ = try? clientChannel.close().wait()\n }\n\n // Write several zero-length buffers *and* one with some actual data. Only one should\n // be written.\n var originalBuffer = clientChannel.allocator.buffer(capacity: 5)\n let promises = (0...5).map { (_: Int) in clientChannel.write(originalBuffer) }\n originalBuffer.writeStaticString(\"hello\")\n _ = try clientChannel.writeAndFlush(originalBuffer).wait()\n\n // At this time all the writes should have succeeded.\n for promise in promises {\n XCTAssertNoThrow(try promise.wait())\n }\n\n let newBuffer = try completionPromise.futureResult.wait()\n XCTAssertEqual(newBuffer, originalBuffer)\n }\n\n func testZeroLengthWritePromisesFireInOrder() throws {\n let serverChannel = EmbeddedChannel()\n let clientChannel = EmbeddedChannel()\n defer {\n _ = try? serverChannel.finish()\n _ = try? clientChannel.finish()\n }\n\n let context = try configuredSSLContext()\n\n try serverChannel.pipeline.syncOperations.addHandler(\n NIOSSLServerHandler(context: context)\n )\n try clientChannel.pipeline.syncOperations.addHandler(\n try NIOSSLClientHandler(context: context, serverHostname: nil)\n )\n\n let addr = try SocketAddress(unixDomainSocketPath: \"/tmp/whatever2\")\n let connectFuture = clientChannel.connect(to: addr)\n serverChannel.pipeline.fireChannelActive()\n try interactInMemory(clientChannel: clientChannel, serverChannel: serverChannel)\n try connectFuture.wait()\n\n // This test fires three writes, flushing between them all. We want to confirm that all of the\n // writes are succeeded in order. To do that, we want to add a WriteDelayHandler to\n // prevent the EmbeddedChannel succeeding the early writes.\n let writeDelayer = WriteDelayHandler()\n try clientChannel.pipeline.syncOperations.addHandler(writeDelayer, position: .first)\n var writeCount = 0\n let emptyBuffer = clientChannel.allocator.buffer(capacity: 16)\n var buffer = clientChannel.allocator.buffer(capacity: 16)\n buffer.writeStaticString(\"hello world\")\n\n clientChannel.write(buffer).assumeIsolated().whenComplete { _ in\n XCTAssertEqual(writeCount, 0)\n writeCount = 1\n }\n clientChannel.flush()\n clientChannel.write(emptyBuffer).assumeIsolated().whenComplete { _ in\n XCTAssertEqual(writeCount, 1)\n writeCount = 2\n }\n clientChannel.flush()\n clientChannel.write(buffer).assumeIsolated().whenComplete { _ in\n XCTAssertEqual(writeCount, 2)\n writeCount = 3\n }\n clientChannel.flush()\n\n XCTAssertEqual(writeCount, 0)\n writeDelayer.forceFlush()\n XCTAssertEqual(writeCount, 3)\n\n serverChannel.pipeline.fireChannelInactive()\n clientChannel.pipeline.fireChannelInactive()\n }\n\n func testEncryptedFileInContext() throws {\n let context = try configuredSSLContext()\n\n let group = MultiThreadedEventLoopGroup(numberOfThreads: 1)\n defer {\n XCTAssertNoThrow(try group.syncShutdownGracefully())\n }\n\n let completionPromise: EventLoopPromise = group.next().makePromise()\n\n let serverChannel: Channel = try serverTLSChannel(\n context: context,\n handlers: [SimpleEchoServer()],\n group: group\n )\n defer {\n XCTAssertNoThrow(try serverChannel.close().wait())\n }\n\n let clientChannel = try clientTLSChannel(\n context: context,\n preHandlers: [],\n postHandlers: [PromiseOnReadHandler(promise: completionPromise)],\n group: group,\n connectingTo: serverChannel.localAddress!\n )\n defer {\n XCTAssertNoThrow(try clientChannel.close().wait())\n }\n\n var originalBuffer = clientChannel.allocator.buffer(capacity: 5)\n originalBuffer.writeString(\"Hello\")\n try clientChannel.writeAndFlush(originalBuffer).wait()\n\n let newBuffer = try completionPromise.futureResult.wait()\n XCTAssertEqual(newBuffer, originalBuffer)\n }\n\n func testFlushPendingReadsOnCloseNotify() throws {\n let context = try assertNoThrowWithValue(configuredSSLContext())\n let serverChannel = EmbeddedChannel()\n let clientChannel = EmbeddedChannel()\n defer {\n _ = try? serverChannel.finish()\n _ = try? clientChannel.finish()\n }\n\n let completePromise: EventLoopPromise = serverChannel.eventLoop.makePromise()\n\n XCTAssertNoThrow(\n try serverChannel.pipeline.syncOperations.addHandler(\n NIOSSLServerHandler(context: context)\n )\n )\n XCTAssertNoThrow(\n try serverChannel.pipeline.syncOperations.addHandler(\n ReadRecordingHandler(completePromise: completePromise)\n )\n )\n XCTAssertNoThrow(\n try clientChannel.pipeline.syncOperations.addHandler(\n try NIOSSLClientHandler(context: context, serverHostname: nil)\n )\n )\n\n // Connect\n let addr = try assertNoThrowWithValue(SocketAddress(unixDomainSocketPath: \"/tmp/whatever2\"))\n let connectFuture = clientChannel.connect(to: addr)\n serverChannel.pipeline.fireChannelActive()\n XCTAssertNoThrow(try interactInMemory(clientChannel: clientChannel, serverChannel: serverChannel))\n XCTAssertNoThrow(try connectFuture.wait())\n\n // Here we want to issue a write, a flush, and then a close. This will trigger a CLOSE_NOTIFY message to be emitted by the\n // client. Unfortunately, interactInMemory doesn't do quite what we want, as we need to coalesce all these writes, so\n // we'll have to do some of this ourselves.\n var originalBuffer = clientChannel.allocator.buffer(capacity: 5)\n originalBuffer.writeString(\"Hello\")\n clientChannel.writeAndFlush(originalBuffer, promise: nil)\n let clientClosePromise = clientChannel.close()\n\n var buffer = clientChannel.allocator.buffer(capacity: 1024)\n while case .some(.byteBuffer(var data)) = try clientChannel.readOutbound(as: IOData.self) {\n buffer.writeBuffer(&data)\n }\n XCTAssertNoThrow(try serverChannel.writeInbound(buffer))\n\n // Now we can interact. The server should close.\n XCTAssertNoThrow(try interactInMemory(clientChannel: clientChannel, serverChannel: serverChannel))\n XCTAssertNoThrow(try clientClosePromise.wait())\n\n // Now check what we read.\n var readData = try assertNoThrowWithValue(completePromise.futureResult.wait())\n XCTAssertEqual(readData.readString(length: readData.readableBytes)!, \"Hello\")\n }\n\n @available(*, deprecated, message: \"Testing deprecated API surface\")\n func testForcingVerificationFailure() throws {\n let context = try configuredSSLContext()\n\n let group = MultiThreadedEventLoopGroup(numberOfThreads: 1)\n defer {\n XCTAssertNoThrow(try group.syncShutdownGracefully())\n }\n\n let serverChannel: Channel = try serverTLSChannel(context: context, handlers: [], group: group)\n defer {\n XCTAssertNoThrow(try serverChannel.close().wait())\n }\n\n let errorHandler = ErrorCatcher()\n let clientChannel = try clientTLSChannel(\n context: try configuredClientContext(),\n preHandlers: [],\n postHandlers: [errorHandler],\n group: group,\n connectingTo: serverChannel.localAddress!,\n verificationCallback: { preverify, certificate in\n XCTAssertEqual(preverify, .certificateVerified)\n return .failed\n }\n )\n\n var originalBuffer = clientChannel.allocator.buffer(capacity: 5)\n originalBuffer.writeString(\"Hello\")\n let writeFuture = clientChannel.writeAndFlush(originalBuffer)\n let errorsFuture: EventLoopFuture<[NIOSSLError]> = writeFuture.recover { (_: Error) in\n // We're swallowing errors here, on purpose, because we'll definitely\n // hit them.\n ()\n }.map {\n errorHandler.errors\n }\n let actualErrors = try errorsFuture.wait()\n\n // This write will have failed, but that's fine: we just want it as a signal that\n // the handshake is done so we can make our assertions.\n XCTAssertEqual(actualErrors.count, 1)\n switch actualErrors.first! {\n case .handshakeFailed:\n // expected\n break\n case let error:\n XCTFail(\"Unexpected error: \\(error)\")\n }\n }\n\n @available(*, deprecated, message: \"Testing deprecated API surface\")\n func testExtractingCertificates() throws {\n let context = try configuredSSLContext()\n\n let group = MultiThreadedEventLoopGroup(numberOfThreads: 1)\n defer {\n XCTAssertNoThrow(try group.syncShutdownGracefully())\n }\n\n let completionPromise: EventLoopPromise = group.next().makePromise()\n\n let serverChannel: Channel = try serverTLSChannel(\n context: context,\n handlers: [SimpleEchoServer()],\n group: group\n )\n defer {\n XCTAssertNoThrow(try serverChannel.close().wait())\n }\n\n let certificates = NIOLockedValueBox([NIOSSLCertificate]())\n let clientChannel = try clientTLSChannel(\n context: configuredClientContext(),\n preHandlers: [],\n postHandlers: [PromiseOnReadHandler(promise: completionPromise)],\n group: group,\n connectingTo: serverChannel.localAddress!,\n serverHostname: \"localhost\",\n verificationCallback: { verify, certificate in\n certificates.withLockedValue { $0.append(certificate) }\n return verify\n }\n )\n defer {\n XCTAssertNoThrow(try clientChannel.close().wait())\n }\n\n var originalBuffer = clientChannel.allocator.buffer(capacity: 5)\n originalBuffer.writeString(\"Hello\")\n XCTAssertNoThrow(try clientChannel.writeAndFlush(originalBuffer).wait())\n\n let newBuffer = try completionPromise.futureResult.wait()\n XCTAssertEqual(newBuffer, originalBuffer)\n\n XCTAssertEqual(certificates.withLockedValue { $0.count }, 1)\n }\n\n func testForcingVerificationFailureNewCallback() throws {\n let context = try configuredSSLContext()\n\n let group = MultiThreadedEventLoopGroup(numberOfThreads: 1)\n defer {\n XCTAssertNoThrow(try group.syncShutdownGracefully())\n }\n\n let serverChannel: Channel = try serverTLSChannel(context: context, handlers: [], group: group)\n defer {\n XCTAssertNoThrow(try serverChannel.close().wait())\n }\n\n let handshakeResultPromise = group.next().makePromise(of: Void.self)\n let handshakeWatcher = WaitForHandshakeHandler(handshakeResultPromise: handshakeResultPromise)\n let clientChannel = try clientTLSChannel(\n context: try configuredClientContext(),\n preHandlers: [],\n postHandlers: [handshakeWatcher],\n group: group,\n connectingTo: serverChannel.localAddress!,\n customVerificationCallback: .callback { _, promise in\n promise.succeed(.failed)\n }\n )\n\n defer {\n // Ignore errors here, the channel should be closed already by the time this happens.\n try? clientChannel.close().wait()\n }\n\n XCTAssertThrowsError(try handshakeResultPromise.futureResult.wait())\n }\n\n func testErroringNewVerificationCallback() throws {\n enum LocalError: Error {\n case kaboom\n }\n\n let context = try configuredSSLContext()\n\n let group = MultiThreadedEventLoopGroup(numberOfThreads: 1)\n defer {\n XCTAssertNoThrow(try group.syncShutdownGracefully())\n }\n\n let serverChannel: Channel = try serverTLSChannel(context: context, handlers: [], group: group)\n defer {\n XCTAssertNoThrow(try serverChannel.close().wait())\n }\n\n let handshakeResultPromise = group.next().makePromise(of: Void.self)\n let handshakeWatcher = WaitForHandshakeHandler(handshakeResultPromise: handshakeResultPromise)\n let clientChannel = try clientTLSChannel(\n context: try configuredClientContext(),\n preHandlers: [],\n postHandlers: [handshakeWatcher],\n group: group,\n connectingTo: serverChannel.localAddress!,\n customVerificationCallback: .callback { _, promise in\n promise.fail(LocalError.kaboom)\n }\n )\n defer {\n // Ignore errors here, the channel should be closed already by the time this happens.\n try? clientChannel.close().wait()\n }\n\n XCTAssertThrowsError(try handshakeResultPromise.futureResult.wait())\n }\n\n func testReadsAreUnbufferedAfterHandshake() throws {\n // This is a regression test for rdar://96850712\n var config = TLSConfiguration.makeServerConfiguration(\n certificateChain: [.certificate(NIOSSLIntegrationTest.cert)],\n privateKey: .privateKey(NIOSSLIntegrationTest.key)\n )\n config.certificateVerification = .noHostnameVerification\n let context = try assertNoThrowWithValue(NIOSSLContext(configuration: config))\n\n let group = MultiThreadedEventLoopGroup(numberOfThreads: 1)\n defer {\n XCTAssertNoThrow(try group.syncShutdownGracefully())\n }\n\n let completionPromiseFired = NIOLockedValueBox(false)\n\n let completionPromise: EventLoopPromise = group.next().makePromise()\n completionPromise.futureResult.whenComplete { _ in\n completionPromiseFired.withLockedValue {\n $0 = true\n }\n }\n\n let handshakeCompletePromise: NIOLockedValueBox?> = .init(nil)\n let handshakeFiredPromise: EventLoopPromise = group.next().makePromise()\n\n let serverChannel: Channel = try serverTLSChannel(\n context: context,\n preHandlers: [],\n postHandlers: [PromiseOnReadHandler(promise: completionPromise)],\n group: group,\n customVerificationCallback: { innerCertificates, promise in\n handshakeCompletePromise.withLockedValue { $0 = promise }\n handshakeFiredPromise.succeed(())\n }\n )\n defer {\n XCTAssertNoThrow(try serverChannel.close().wait())\n }\n\n let clientChannel = try clientTLSChannel(\n context: try configuredSSLContext(),\n preHandlers: [],\n postHandlers: [],\n group: group,\n connectingTo: serverChannel.localAddress!\n )\n defer {\n XCTAssertNoThrow(try clientChannel.close().wait())\n }\n\n var originalBuffer = clientChannel.allocator.buffer(capacity: 5)\n originalBuffer.writeString(\"Hello\")\n clientChannel.writeAndFlush(originalBuffer, promise: nil)\n\n // This has driven the handshake to begin, so we can wait for that.\n XCTAssertNoThrow(try handshakeFiredPromise.futureResult.wait())\n\n // We can now check whether the completion promise has fired: it should not have.\n completionPromiseFired.withLockedValue {\n XCTAssertFalse($0)\n }\n\n // Ok, allow the handshake to run.\n handshakeCompletePromise.withLockedValue { $0!.succeed(.certificateVerified) }\n\n let newBuffer = try completionPromise.futureResult.wait()\n XCTAssertEqual(newBuffer, originalBuffer)\n }\n\n func testNewCallbackCanDelayHandshake() throws {\n let context = try configuredSSLContext()\n\n let group = MultiThreadedEventLoopGroup(numberOfThreads: 1)\n defer {\n XCTAssertNoThrow(try group.syncShutdownGracefully())\n }\n\n let completionPromiseFired = NIOLockedValueBox(false)\n\n let completionPromise: EventLoopPromise = group.next().makePromise()\n completionPromise.futureResult.whenComplete { _ in\n completionPromiseFired.withLockedValue {\n $0 = true\n }\n }\n\n let serverChannel: Channel = try serverTLSChannel(\n context: context,\n handlers: [SimpleEchoServer()],\n group: group\n )\n defer {\n XCTAssertNoThrow(try serverChannel.close().wait())\n }\n\n let handshakeCompletePromise: NIOLockedValueBox?> = .init(nil)\n let handshakeFiredPromise: EventLoopPromise = group.next().makePromise()\n\n let clientChannel = try clientTLSChannel(\n context: configuredClientContext(),\n preHandlers: [],\n postHandlers: [PromiseOnReadHandler(promise: completionPromise)],\n group: group,\n connectingTo: serverChannel.localAddress!,\n serverHostname: \"localhost\",\n customVerificationCallback: .callback { innerCertificates, promise in\n handshakeCompletePromise.withLockedValue { $0 = promise }\n handshakeFiredPromise.succeed(())\n }\n )\n defer {\n XCTAssertNoThrow(try clientChannel.close().wait())\n }\n\n var originalBuffer = clientChannel.allocator.buffer(capacity: 5)\n originalBuffer.writeString(\"Hello\")\n clientChannel.writeAndFlush(originalBuffer, promise: nil)\n\n // This has driven the handshake to begin, so we can wait for that.\n XCTAssertNoThrow(try handshakeFiredPromise.futureResult.wait())\n\n // We can now check whether the completion promise has fired: it should not have.\n completionPromiseFired.withLockedValue {\n XCTAssertFalse($0)\n }\n\n // Ok, allow the handshake to run.\n handshakeCompletePromise.withLockedValue { $0!.succeed(.certificateVerified) }\n\n let newBuffer = try completionPromise.futureResult.wait()\n XCTAssertEqual(newBuffer, originalBuffer)\n }\n\n func testExtractingCertificatesNewCallback() throws {\n let context = try configuredSSLContext()\n\n let group = MultiThreadedEventLoopGroup(numberOfThreads: 1)\n defer {\n XCTAssertNoThrow(try group.syncShutdownGracefully())\n }\n\n let completionPromise: EventLoopPromise = group.next().makePromise()\n\n let serverChannel: Channel = try serverTLSChannel(\n context: context,\n handlers: [SimpleEchoServer()],\n group: group\n )\n defer {\n XCTAssertNoThrow(try serverChannel.close().wait())\n }\n\n let certificates = NIOLockedValueBox([NIOSSLCertificate]())\n let clientChannel = try clientTLSChannel(\n context: configuredClientContext(),\n preHandlers: [],\n postHandlers: [PromiseOnReadHandler(promise: completionPromise)],\n group: group,\n connectingTo: serverChannel.localAddress!,\n serverHostname: \"localhost\",\n customVerificationCallback: .callback { innerCertificates, promise in\n certificates.withLockedValue { $0 = innerCertificates }\n promise.succeed(.certificateVerified)\n }\n )\n defer {\n XCTAssertNoThrow(try clientChannel.close().wait())\n }\n\n var originalBuffer = clientChannel.allocator.buffer(capacity: 5)\n originalBuffer.writeString(\"Hello\")\n XCTAssertNoThrow(try clientChannel.writeAndFlush(originalBuffer).wait())\n\n let newBuffer = try completionPromise.futureResult.wait()\n XCTAssertEqual(newBuffer, originalBuffer)\n\n XCTAssertEqual(certificates.withLockedValue { $0 }, [NIOSSLIntegrationTest.cert])\n }\n\n func testCustomVerificationCallbackExtractingCertificateChain() throws {\n let context = try configuredSSLContext()\n\n let group = MultiThreadedEventLoopGroup(numberOfThreads: 1)\n defer {\n XCTAssertNoThrow(try group.syncShutdownGracefully())\n }\n\n let serverChannel: Channel = try serverTLSChannel(\n context: context,\n handlers: [SimpleEchoServer()],\n group: group\n )\n defer {\n XCTAssertNoThrow(try serverChannel.close().wait())\n }\n\n let completionPromise: EventLoopPromise = group.next().makePromise()\n\n let clientChannel = try clientTLSChannel(\n context: configuredClientContext(),\n preHandlers: [],\n postHandlers: [PromiseOnReadHandler(promise: completionPromise)],\n group: group,\n connectingTo: serverChannel.localAddress!,\n serverHostname: \"localhost\",\n customVerificationCallback: .callbackWithMetadata { innerCertificates, promise in\n // Return `innerCertificates` as the validated certificate chain\n promise.succeed(\n .certificateVerified(\n VerificationMetadata(ValidatedCertificateChain(innerCertificates))\n )\n )\n }\n )\n defer {\n XCTAssertNoThrow(try clientChannel.close().wait())\n }\n\n var originalBuffer = clientChannel.allocator.buffer(capacity: 5)\n originalBuffer.writeString(\"Hello\")\n XCTAssertNoThrow(try clientChannel.writeAndFlush(originalBuffer).wait())\n\n let newBuffer = try completionPromise.futureResult.wait()\n XCTAssertEqual(newBuffer, originalBuffer)\n\n // We should be able to extract the certificate chain from the channel\n let extractedCertChain = try clientChannel.nioSSL_peerValidatedCertificateChain().wait()\n XCTAssertEqual(extractedCertChain?.validatedChain, [NIOSSLIntegrationTest.cert])\n }\n\n func testCustomVerificationCallbackNotReturningChain() throws {\n let context = try configuredSSLContext()\n\n let group = MultiThreadedEventLoopGroup(numberOfThreads: 1)\n defer {\n XCTAssertNoThrow(try group.syncShutdownGracefully())\n }\n\n let serverChannel: Channel = try serverTLSChannel(\n context: context,\n handlers: [SimpleEchoServer()],\n group: group\n )\n defer {\n XCTAssertNoThrow(try serverChannel.close().wait())\n }\n\n let completionPromise: EventLoopPromise = group.next().makePromise()\n\n let clientChannel = try clientTLSChannel(\n context: configuredClientContext(),\n preHandlers: [],\n postHandlers: [PromiseOnReadHandler(promise: completionPromise)],\n group: group,\n connectingTo: serverChannel.localAddress!,\n serverHostname: \"localhost\",\n customVerificationCallback: .callbackWithMetadata { innerCertificates, promise in\n // Initialize an empty VerificationMetadata without a chain.\n promise.succeed(.certificateVerified(VerificationMetadata(nil)))\n }\n )\n defer {\n XCTAssertNoThrow(try clientChannel.close().wait())\n }\n\n var originalBuffer = clientChannel.allocator.buffer(capacity: 5)\n originalBuffer.writeString(\"Hello\")\n XCTAssertNoThrow(try clientChannel.writeAndFlush(originalBuffer).wait())\n\n let newBuffer = try completionPromise.futureResult.wait()\n XCTAssertEqual(newBuffer, originalBuffer)\n\n // We should not be able to extract the chain: no chain was returned\n XCTAssertNil(try clientChannel.nioSSL_peerValidatedCertificateChain().wait())\n }\n\n func testCustomVerificationCallbackDelayReturningCertificateChain() throws {\n let context = try configuredSSLContext()\n\n let group = MultiThreadedEventLoopGroup(numberOfThreads: 1)\n defer {\n XCTAssertNoThrow(try group.syncShutdownGracefully())\n }\n\n let serverChannel: Channel = try serverTLSChannel(\n context: context,\n handlers: [SimpleEchoServer()],\n group: group\n )\n defer {\n XCTAssertNoThrow(try serverChannel.close().wait())\n }\n\n let completionPromise: EventLoopPromise = group.next().makePromise()\n\n let clientChannel = try clientTLSChannel(\n context: configuredClientContext(),\n preHandlers: [],\n postHandlers: [PromiseOnReadHandler(promise: completionPromise)],\n group: group,\n connectingTo: serverChannel.localAddress!,\n serverHostname: \"localhost\",\n customVerificationCallback: CustomCallback.callbackWithMetadata { innerCertificates, promise in\n // Complete the promise in 10 milliseconds\n promise.futureResult.eventLoop.scheduleTask(in: .milliseconds(10)) {\n promise.succeed(\n .certificateVerified(\n VerificationMetadata(ValidatedCertificateChain(innerCertificates))\n )\n )\n }\n }\n )\n defer {\n XCTAssertNoThrow(try clientChannel.close().wait())\n }\n\n var originalBuffer = clientChannel.allocator.buffer(capacity: 5)\n originalBuffer.writeString(\"Hello\")\n XCTAssertNoThrow(try clientChannel.writeAndFlush(originalBuffer).wait())\n\n let newBuffer = try completionPromise.futureResult.wait()\n XCTAssertEqual(newBuffer, originalBuffer)\n\n // We should be able to extract the certificate chain.\n let extractedCertChain = try clientChannel.nioSSL_peerValidatedCertificateChain().wait()\n XCTAssertEqual(extractedCertChain?.validatedChain, [NIOSSLIntegrationTest.cert])\n }\n\n func testNewCallbackCombinedWithDefaultTrustStore() throws {\n // This test is mostly useful on macOS, where it previously failed due to an excessive assertion.\n let serverConfig = TLSConfiguration.makeServerConfiguration(\n certificateChain: [.certificate(NIOSSLIntegrationTest.cert)],\n privateKey: .privateKey(NIOSSLIntegrationTest.key)\n )\n var clientConfig = TLSConfiguration.makeClientConfiguration()\n clientConfig.certificateVerification = .fullVerification\n clientConfig.trustRoots = .default\n let serverContext = try assertNoThrowWithValue(NIOSSLContext(configuration: serverConfig))\n let clientContext = try assertNoThrowWithValue(NIOSSLContext(configuration: clientConfig))\n\n let group = MultiThreadedEventLoopGroup(numberOfThreads: 1)\n defer {\n XCTAssertNoThrow(try group.syncShutdownGracefully())\n }\n\n let serverChannel: Channel = try serverTLSChannel(context: serverContext, handlers: [], group: group)\n defer {\n XCTAssertNoThrow(try serverChannel.close().wait())\n }\n\n let handshakeCompletePromise = group.next().makePromise(of: Void.self)\n let customCallbackCalledPromise = group.next().makePromise(of: Void.self)\n let clientChannel = try clientTLSChannel(\n context: clientContext,\n preHandlers: [],\n postHandlers: [WaitForHandshakeHandler(handshakeResultPromise: handshakeCompletePromise)],\n group: group,\n connectingTo: serverChannel.localAddress!,\n serverHostname: \"localhost\",\n customVerificationCallback: .callback { _, promise in\n // Note that we override certificate verification here.\n customCallbackCalledPromise.succeed(())\n promise.succeed(.certificateVerified)\n }\n )\n defer {\n XCTAssertNoThrow(try clientChannel.close().wait())\n }\n\n XCTAssertNoThrow(try customCallbackCalledPromise.futureResult.wait())\n XCTAssertNoThrow(try handshakeCompletePromise.futureResult.wait())\n }\n\n func testMacOSVerificationCallbackIsNotUsedIfVerificationDisabled() throws {\n // This test is mostly useful on macOS, where it validates that disabling verification actually, well,\n // disables verification.\n let serverConfig = TLSConfiguration.makeServerConfiguration(\n certificateChain: [.certificate(NIOSSLIntegrationTest.cert)],\n privateKey: .privateKey(NIOSSLIntegrationTest.key)\n )\n var clientConfig = TLSConfiguration.makeClientConfiguration()\n clientConfig.certificateVerification = .none\n clientConfig.trustRoots = .default\n let serverContext = try assertNoThrowWithValue(NIOSSLContext(configuration: serverConfig))\n let clientContext = try assertNoThrowWithValue(NIOSSLContext(configuration: clientConfig))\n\n let group = MultiThreadedEventLoopGroup(numberOfThreads: 1)\n defer {\n XCTAssertNoThrow(try group.syncShutdownGracefully())\n }\n\n let serverChannel: Channel = try serverTLSChannel(context: serverContext, handlers: [], group: group)\n defer {\n XCTAssertNoThrow(try serverChannel.close().wait())\n }\n\n let handshakeCompletePromise = group.next().makePromise(of: Void.self)\n let clientChannel = try clientTLSChannel(\n context: clientContext,\n preHandlers: [],\n postHandlers: [WaitForHandshakeHandler(handshakeResultPromise: handshakeCompletePromise)],\n group: group,\n connectingTo: serverChannel.localAddress!,\n serverHostname: \"localhost\"\n )\n defer {\n XCTAssertNoThrow(try clientChannel.close().wait())\n }\n\n // This connection should succeed, as certificate verification is disabled.\n XCTAssertNoThrow(try handshakeCompletePromise.futureResult.wait())\n }\n\n func testMacOSConnectionFailsIfServerVerificationOptionalAndPeerPresentsUntrustedCert() throws {\n // This test checks that when setting verification to `.optionalVerification`, a peer cannot successfully\n // connect when they present an untrusted certificate. On macOS, this exercises the SecTrust validation backend,\n // as `serverConfig.trustRoots` is set to `.default` (see the behavioral matrix in\n // `NIOSSL/Docs/trust-roots-behavior.md`).\n var serverConfig = TLSConfiguration.makeServerConfiguration(\n certificateChain: [.certificate(NIOSSLIntegrationTest.cert)],\n privateKey: .privateKey(NIOSSLIntegrationTest.key)\n )\n serverConfig.certificateVerification = .optionalVerification\n serverConfig.trustRoots = .default\n\n var clientConfig = TLSConfiguration.makeClientConfiguration()\n clientConfig.certificateVerification = .noHostnameVerification\n clientConfig.trustRoots = .default\n clientConfig.additionalTrustRoots = [.certificates([NIOSSLIntegrationTest.cert])]\n // The client presents a random cert but the server won't trust it\n let clientCertAndPrivateKey = generateSelfSignedCert()\n clientConfig.certificateChain = [.certificate(clientCertAndPrivateKey.0)]\n clientConfig.privateKey = .privateKey(clientCertAndPrivateKey.1)\n\n let serverContext = try assertNoThrowWithValue(NIOSSLContext(configuration: serverConfig))\n let clientContext = try assertNoThrowWithValue(NIOSSLContext(configuration: clientConfig))\n\n let group = MultiThreadedEventLoopGroup(numberOfThreads: 1)\n defer {\n XCTAssertNoThrow(try group.syncShutdownGracefully())\n }\n\n let handshakeCompletePromise = group.next().makePromise(of: Void.self)\n let serverChannel: Channel = try serverTLSChannel(\n context: serverContext,\n handlers: [WaitForHandshakeHandler(handshakeResultPromise: handshakeCompletePromise)],\n group: group\n )\n defer {\n XCTAssertNoThrow(try serverChannel.close().wait())\n }\n\n let clientChannel = try clientTLSChannel(\n context: clientContext,\n preHandlers: [],\n postHandlers: [],\n group: group,\n connectingTo: serverChannel.localAddress!,\n serverHostname: \"localhost\"\n )\n defer {\n XCTAssertNoThrow(try clientChannel.close().wait())\n }\n\n // The handshake should fail: certificate verification is optional and the client hasn't presented any certs.\n XCTAssertThrowsError(try handshakeCompletePromise.futureResult.wait())\n }\n\n func testMacOSConnectionSuccessfulIfServerVerificationOptionalAndPeerPresentsTrustedCert() throws {\n // This test checks that when setting verification to `.optionalVerification`, a peer can successfully\n // connect when they present a trusted certificate. On macOS, this exercises the SecTrust validation backend,\n // as `serverConfig.trustRoots` is set to `.default` and the client cert is registered under\n // `additionalTrustRoots` (see the behavioral matrix in `NIOSSL/Docs.docc/trust-roots-behavior.md`).\n var clientConfig = TLSConfiguration.makeClientConfiguration()\n clientConfig.certificateVerification = .noHostnameVerification\n clientConfig.trustRoots = .default\n clientConfig.additionalTrustRoots = [.certificates([NIOSSLIntegrationTest.cert])]\n // The client presents a generated cert\n let clientCertAndPrivateKey = generateSelfSignedCert()\n clientConfig.certificateChain = [.certificate(clientCertAndPrivateKey.0)]\n clientConfig.privateKey = .privateKey(clientCertAndPrivateKey.1)\n\n var serverConfig = TLSConfiguration.makeServerConfiguration(\n certificateChain: [.certificate(NIOSSLIntegrationTest.cert)],\n privateKey: .privateKey(NIOSSLIntegrationTest.key)\n )\n serverConfig.certificateVerification = .optionalVerification\n serverConfig.trustRoots = .default\n // The server trusts the client's generated cert\n serverConfig.additionalTrustRoots = [.certificates([clientCertAndPrivateKey.0])]\n\n let serverContext = try assertNoThrowWithValue(NIOSSLContext(configuration: serverConfig))\n let clientContext = try assertNoThrowWithValue(NIOSSLContext(configuration: clientConfig))\n\n let group = MultiThreadedEventLoopGroup(numberOfThreads: 1)\n defer {\n XCTAssertNoThrow(try group.syncShutdownGracefully())\n }\n\n let handshakeCompletePromise = group.next().makePromise(of: Void.self)\n let serverChannel: Channel = try serverTLSChannel(\n context: serverContext,\n handlers: [WaitForHandshakeHandler(handshakeResultPromise: handshakeCompletePromise)],\n group: group\n )\n defer {\n XCTAssertNoThrow(try serverChannel.close().wait())\n }\n\n let clientChannel = try clientTLSChannel(\n context: clientContext,\n preHandlers: [],\n postHandlers: [],\n group: group,\n connectingTo: serverChannel.localAddress!,\n serverHostname: \"localhost\"\n )\n defer {\n XCTAssertNoThrow(try clientChannel.close().wait())\n }\n\n // The handshake should succeed: verification is optional, and the client presents a cert the server trusts.\n XCTAssertNoThrow(try handshakeCompletePromise.futureResult.wait())\n }\n\n func testMacOSConnectionSuccessfulIfServerVerificationOptionalAndNoPeerCert() throws {\n // This test checks that when setting verification to `.optionalVerification`, a peer can successfully connect\n // when they don't present any certificate. On macOS, this exercises the SecTrust validation backend, as\n // `serverConfig.trustRoots` is set to `.default` (see the behavioral matrix in\n // `NIOSSL/Docs.docc/trust-roots-behavior.md`).\n var serverConfig = TLSConfiguration.makeServerConfiguration(\n certificateChain: [.certificate(NIOSSLIntegrationTest.cert)],\n privateKey: .privateKey(NIOSSLIntegrationTest.key)\n )\n serverConfig.certificateVerification = .optionalVerification\n serverConfig.trustRoots = .default\n\n // The client doesn't present any certs\n var clientConfig = TLSConfiguration.makeClientConfiguration()\n clientConfig.certificateVerification = .noHostnameVerification\n clientConfig.trustRoots = .default\n clientConfig.additionalTrustRoots = [.certificates([NIOSSLIntegrationTest.cert])]\n\n let serverContext = try assertNoThrowWithValue(NIOSSLContext(configuration: serverConfig))\n let clientContext = try assertNoThrowWithValue(NIOSSLContext(configuration: clientConfig))\n\n let group = MultiThreadedEventLoopGroup(numberOfThreads: 1)\n defer {\n XCTAssertNoThrow(try group.syncShutdownGracefully())\n }\n\n let handshakeCompletePromise = group.next().makePromise(of: Void.self)\n let serverChannel: Channel = try serverTLSChannel(\n context: serverContext,\n handlers: [WaitForHandshakeHandler(handshakeResultPromise: handshakeCompletePromise)],\n group: group\n )\n defer {\n XCTAssertNoThrow(try serverChannel.close().wait())\n }\n\n let clientChannel = try clientTLSChannel(\n context: clientContext,\n preHandlers: [],\n postHandlers: [],\n group: group,\n connectingTo: serverChannel.localAddress!,\n serverHostname: \"localhost\"\n )\n defer {\n XCTAssertNoThrow(try clientChannel.close().wait())\n }\n\n // The handshake should succeed: certificate verification is optional and the client hasn't presented any certs.\n XCTAssertNoThrow(try handshakeCompletePromise.futureResult.wait())\n }\n\n func testServerHasNewCallbackCalledToo() throws {\n var config = TLSConfiguration.makeServerConfiguration(\n certificateChain: [.certificate(NIOSSLIntegrationTest.cert)],\n privateKey: .privateKey(NIOSSLIntegrationTest.key)\n )\n config.certificateVerification = .fullVerification\n config.trustRoots = .default\n let context = try assertNoThrowWithValue(NIOSSLContext(configuration: config))\n\n let group = MultiThreadedEventLoopGroup(numberOfThreads: 1)\n defer {\n XCTAssertNoThrow(try group.syncShutdownGracefully())\n }\n\n let handshakeResultPromise = group.next().makePromise(of: Void.self)\n let handshakeWatcher = WaitForHandshakeHandler(handshakeResultPromise: handshakeResultPromise)\n let serverChannel: Channel = try serverTLSChannel(\n context: context,\n preHandlers: [],\n postHandlers: [handshakeWatcher],\n group: group,\n customVerificationCallback: { _, promise in\n promise.succeed(.failed)\n }\n )\n defer {\n XCTAssertNoThrow(try serverChannel.close().wait())\n }\n\n let clientChannel = try clientTLSChannel(\n context: try configuredSSLContext(),\n preHandlers: [],\n postHandlers: [],\n group: group,\n connectingTo: serverChannel.localAddress!\n )\n\n defer {\n // Ignore errors here, the channel should be closed already by the time this happens.\n try? clientChannel.close().wait()\n }\n\n XCTAssertThrowsError(try handshakeResultPromise.futureResult.wait())\n }\n\n func testRepeatedClosure() throws {\n let serverChannel = EmbeddedChannel()\n let clientChannel = EmbeddedChannel()\n\n defer {\n // We expect both cases to throw\n XCTAssertThrowsError(try serverChannel.finish())\n XCTAssertThrowsError(try clientChannel.finish())\n }\n\n let context = try assertNoThrowWithValue(configuredSSLContext())\n\n XCTAssertNoThrow(\n try serverChannel.pipeline.syncOperations.addHandler(\n NIOSSLServerHandler(context: context)\n )\n )\n XCTAssertNoThrow(\n try clientChannel.pipeline.syncOperations.addHandler(\n NIOSSLClientHandler(context: context, serverHostname: nil)\n )\n )\n let handshakeHandler = HandshakeCompletedHandler()\n XCTAssertNoThrow(try clientChannel.pipeline.addHandler(handshakeHandler).wait())\n\n // Connect. This should lead to a completed handshake.\n let addr: SocketAddress = try SocketAddress(unixDomainSocketPath: \"/tmp/whatever\")\n let connectFuture = clientChannel.connect(to: addr)\n serverChannel.pipeline.fireChannelActive()\n try interactInMemory(clientChannel: clientChannel, serverChannel: serverChannel)\n try connectFuture.wait()\n XCTAssertTrue(handshakeHandler.handshakeSucceeded)\n\n // We're going to close twice: the first one without a promise, the second one with one.\n let closed = NIOLockedValueBox(false)\n clientChannel.close(promise: nil)\n clientChannel.close().whenComplete { _ in\n closed.withLockedValue { $0 = true }\n }\n XCTAssertFalse(closed.withLockedValue { $0 })\n XCTAssertNoThrow(try interactInMemory(clientChannel: clientChannel, serverChannel: serverChannel))\n\n // The closure should have happened.\n XCTAssertTrue(closed.withLockedValue { $0 })\n }\n\n func testClosureTimeout() throws {\n let serverChannel = EmbeddedChannel()\n let clientChannel = EmbeddedChannel()\n\n defer {\n // We expect both cases to throw\n XCTAssertThrowsError(try serverChannel.finish())\n XCTAssertThrowsError(try clientChannel.finish())\n }\n\n let context = try assertNoThrowWithValue(configuredSSLContext())\n\n XCTAssertNoThrow(\n try serverChannel.pipeline.syncOperations.addHandler(\n NIOSSLServerHandler(context: context)\n )\n )\n XCTAssertNoThrow(\n try clientChannel.pipeline.syncOperations.addHandler(\n NIOSSLClientHandler(context: context, serverHostname: nil)\n )\n )\n let handshakeHandler = HandshakeCompletedHandler()\n XCTAssertNoThrow(try clientChannel.pipeline.addHandler(handshakeHandler).wait())\n\n // Connect. This should lead to a completed handshake.\n let addr: SocketAddress = try SocketAddress(unixDomainSocketPath: \"/tmp/whatever\")\n let connectFuture = clientChannel.connect(to: addr)\n serverChannel.pipeline.fireChannelActive()\n try interactInMemory(clientChannel: clientChannel, serverChannel: serverChannel)\n try connectFuture.wait()\n XCTAssertTrue(handshakeHandler.handshakeSucceeded)\n\n let closed = NIOLockedValueBox(false)\n clientChannel.close().whenComplete { _ in\n closed.withLockedValue { $0 = true }\n }\n\n clientChannel.close().whenFailure { error in\n XCTAssertTrue(error is NIOSSLCloseTimedOutError)\n }\n\n // Send CLOSE_NOTIFY from the client.\n while let clientDatum = try clientChannel.readOutbound(as: IOData.self) {\n try serverChannel.writeInbound(clientDatum)\n }\n\n XCTAssertFalse(closed.withLockedValue { $0 })\n\n // Let the shutdown timeout.\n clientChannel.embeddedEventLoop.advanceTime(by: context.configuration.shutdownTimeout)\n XCTAssertTrue(closed.withLockedValue { $0 })\n\n // Let the server shutdown.\n try interactInMemory(clientChannel: clientChannel, serverChannel: serverChannel)\n }\n\n func testReceivingGibberishAfterAttemptingToClose() throws {\n let serverChannel = EmbeddedChannel()\n let clientChannel = EmbeddedChannel()\n\n let clientClosed = NIOLockedValueBox(false)\n\n defer {\n XCTAssertThrowsError(try serverChannel.finish())\n XCTAssertThrowsError(try clientChannel.finish())\n }\n\n let context = try assertNoThrowWithValue(configuredSSLContext())\n\n let clientHandler = try assertNoThrowWithValue(NIOSSLClientHandler(context: context, serverHostname: nil))\n XCTAssertNoThrow(\n try serverChannel.pipeline.syncOperations.addHandler(\n NIOSSLServerHandler(context: context)\n )\n )\n XCTAssertNoThrow(\n try clientChannel.pipeline.syncOperations.addHandler(\n clientHandler\n )\n )\n let handshakeHandler = HandshakeCompletedHandler()\n XCTAssertNoThrow(\n try clientChannel.pipeline.syncOperations.addHandler(\n handshakeHandler\n )\n )\n\n // Mark the closure of the client.\n clientChannel.closeFuture.whenComplete { _ in\n clientClosed.withLockedValue { $0 = true }\n }\n\n // Connect. This should lead to a completed handshake.\n let addr: SocketAddress = try SocketAddress(unixDomainSocketPath: \"/tmp/whatever\")\n let connectFuture = clientChannel.connect(to: addr)\n serverChannel.pipeline.fireChannelActive()\n try interactInMemory(clientChannel: clientChannel, serverChannel: serverChannel)\n try connectFuture.wait()\n XCTAssertTrue(handshakeHandler.handshakeSucceeded)\n\n // Let's close the client connection.\n clientChannel.close(promise: nil)\n (clientChannel.eventLoop as! EmbeddedEventLoop).run()\n XCTAssertFalse(clientClosed.withLockedValue { $0 })\n\n // Now we're going to simulate the client receiving gibberish data in response, instead\n // of a CLOSE_NOTIFY.\n var buffer = clientChannel.allocator.buffer(capacity: 1024)\n buffer.writeStaticString(\"GET / HTTP/1.1\\r\\nHost: localhost\\r\\nContent-Length: 0\\r\\n\\r\\n\")\n\n XCTAssertThrowsError(try clientChannel.writeInbound(buffer)) { error in\n let errorString = String(describing: error)\n\n let range = NSRange(location: 0, length: errorString.utf16.count)\n let regex = try! NSRegularExpression(\n pattern:\n \"sslError\\\\(\\\\[Error\\\\: 268435703 error\\\\:100000f7\\\\:SSL routines\\\\:OPENSSL_internal\\\\:WRONG_VERSION_NUMBER at .*\\\\/[A-Za-z_]+\\\\.cc\\\\:[0-9]+\\\\]\\\\)\"\n )\n XCTAssertNotNil(regex.firstMatch(in: errorString, options: [], range: range))\n }\n (clientChannel.eventLoop as! EmbeddedEventLoop).run()\n XCTAssertTrue(clientClosed.withLockedValue { $0 })\n\n // Clean up by bringing the server up to speed\n serverChannel.pipeline.fireChannelInactive()\n }\n\n func testPendingWritesFailWhenFlushedOnClose() throws {\n let serverChannel = EmbeddedChannel()\n let clientChannel = EmbeddedChannel()\n\n defer {\n XCTAssertThrowsError(try serverChannel.finish())\n XCTAssertThrowsError(try clientChannel.finish())\n }\n\n let context = try assertNoThrowWithValue(configuredSSLContext())\n\n let clientHandler = try assertNoThrowWithValue(NIOSSLClientHandler(context: context, serverHostname: nil))\n XCTAssertNoThrow(\n try serverChannel.pipeline.syncOperations.addHandler(\n NIOSSLServerHandler(context: context)\n )\n )\n XCTAssertNoThrow(\n try clientChannel.pipeline.syncOperations.addHandler(\n clientHandler\n )\n )\n let handshakeHandler = HandshakeCompletedHandler()\n XCTAssertNoThrow(try clientChannel.pipeline.addHandler(handshakeHandler).wait())\n\n // Connect. This should lead to a completed handshake.\n let addr: SocketAddress = try SocketAddress(unixDomainSocketPath: \"/tmp/whatever\")\n let connectFuture = clientChannel.connect(to: addr)\n serverChannel.pipeline.fireChannelActive()\n try interactInMemory(clientChannel: clientChannel, serverChannel: serverChannel)\n try connectFuture.wait()\n XCTAssertTrue(handshakeHandler.handshakeSucceeded)\n\n // Queue up a write.\n let writeCompleted = NIOLockedValueBox(false)\n var buffer = clientChannel.allocator.buffer(capacity: 1024)\n buffer.writeStaticString(\"Hello, world!\")\n clientChannel.write(buffer).map {\n XCTFail(\"Must not succeed\")\n }.whenFailure { error in\n XCTAssertEqual(error as? ChannelError, .ioOnClosedChannel)\n writeCompleted.withLockedValue { $0 = true }\n }\n\n // We haven't spun the event loop, so the handlers are still in the pipeline. Now attempt to close.\n let closed = NIOLockedValueBox(false)\n clientChannel.closeFuture.whenComplete { _ in\n closed.withLockedValue { $0 = true }\n }\n\n XCTAssertFalse(writeCompleted.withLockedValue { $0 })\n clientChannel.close(promise: nil)\n (clientChannel.eventLoop as! EmbeddedEventLoop).run()\n XCTAssertFalse(writeCompleted.withLockedValue { $0 })\n XCTAssertFalse(closed.withLockedValue { $0 })\n\n // Now try to flush the write. This should fail the write early, and take out the connection.\n clientChannel.flush()\n (clientChannel.eventLoop as! EmbeddedEventLoop).run()\n XCTAssertTrue(writeCompleted.withLockedValue { $0 })\n XCTAssertTrue(closed.withLockedValue { $0 })\n\n // Bring the server up to speed.\n serverChannel.pipeline.fireChannelInactive()\n }\n\n func testChannelInactiveAfterCloseNotify() throws {\n class SecondChannelInactiveSwallower: ChannelInboundHandler {\n typealias InboundIn = Any\n private var channelInactiveCalls = 0\n\n func channelInactive(context: ChannelHandlerContext) {\n if self.channelInactiveCalls == 0 {\n self.channelInactiveCalls += 1\n context.fireChannelInactive()\n }\n }\n }\n\n class FlushOnReadHandler: ChannelInboundHandler {\n typealias InboundIn = Any\n\n func channelRead(context: ChannelHandlerContext, data: NIOAny) {\n context.pipeline.fireChannelInactive()\n }\n }\n\n let context = try assertNoThrowWithValue(configuredSSLContext())\n let serverChannel = EmbeddedChannel()\n let clientChannel = EmbeddedChannel()\n defer {\n _ = try? serverChannel.finish()\n // The client channel is closed in the test.\n }\n\n XCTAssertNoThrow(\n try serverChannel.pipeline.syncOperations.addHandlers(\n SecondChannelInactiveSwallower(),\n NIOSSLServerHandler(context: context),\n FlushOnReadHandler()\n )\n )\n\n XCTAssertNoThrow(\n try clientChannel.pipeline.syncOperations.addHandler(\n try NIOSSLClientHandler(context: context, serverHostname: nil)\n )\n )\n\n // Connect\n let addr = try assertNoThrowWithValue(SocketAddress(unixDomainSocketPath: \"/tmp/whatever2\"))\n let connectFuture = clientChannel.connect(to: addr)\n serverChannel.pipeline.fireChannelActive()\n XCTAssertNoThrow(try serverChannel.connect(to: SocketAddress(ipAddress: \"1.2.3.4\", port: 5678)).wait())\n XCTAssertNoThrow(try interactInMemory(clientChannel: clientChannel, serverChannel: serverChannel))\n XCTAssertNoThrow(try connectFuture.wait())\n\n // Here we want to issue a write, a flush, and then a close. This will trigger a CLOSE_NOTIFY message to be emitted by the\n // client. Unfortunately, interactInMemory doesn't do quite what we want, as we need to coalesce all these writes, so\n // we'll have to do some of this ourselves.\n var originalBuffer = clientChannel.allocator.buffer(capacity: 5)\n originalBuffer.writeString(\"Hello\")\n let clientClose = clientChannel.writeAndFlush(originalBuffer)\n clientChannel.close(promise: nil)\n\n var buffer = clientChannel.allocator.buffer(capacity: 1024)\n while case .some(.byteBuffer(var data)) = try clientChannel.readOutbound(as: IOData.self) {\n buffer.writeBuffer(&data)\n }\n\n // The client has sent CLOSE_NOTIFY, so the server will unbuffer any reads it has. This in turn\n // causes channelInactive to be fired back into the SSL handler.\n XCTAssertThrowsError(try serverChannel.writeInbound(buffer)) { error in\n XCTAssertEqual(NIOSSLError.uncleanShutdown, error as? NIOSSLError)\n }\n\n XCTAssertNoThrow(try interactInMemory(clientChannel: clientChannel, serverChannel: serverChannel))\n XCTAssertNoThrow(try clientClose.wait())\n }\n\n func testKeyLoggingClientAndServer() throws {\n let clientLines: UnsafeMutableTransferBox<[ByteBuffer]> = .init([])\n let serverLines: UnsafeMutableTransferBox<[ByteBuffer]> = .init([])\n\n let clientContext = try assertNoThrowWithValue(\n self.configuredSSLContext(keyLogCallback: { clientLines.wrappedValue.append($0) })\n )\n let serverContext = try assertNoThrowWithValue(\n self.configuredSSLContext(keyLogCallback: { serverLines.wrappedValue.append($0) })\n )\n\n let serverChannel = EmbeddedChannel()\n let clientChannel = EmbeddedChannel()\n defer {\n // These error as the channel is already closed.\n XCTAssertThrowsError(try serverChannel.finish())\n XCTAssertThrowsError(try clientChannel.finish())\n }\n\n // Handshake\n XCTAssertNoThrow(\n try clientChannel.pipeline.syncOperations.addHandler(\n NIOSSLClientHandler(context: clientContext, serverHostname: nil)\n )\n )\n XCTAssertNoThrow(\n try serverChannel.pipeline.syncOperations.addHandler(\n NIOSSLServerHandler(context: serverContext)\n )\n )\n let handshakeHandler = HandshakeCompletedHandler()\n XCTAssertNoThrow(try clientChannel.pipeline.addHandler(handshakeHandler).wait())\n\n // Connect. This should lead to a completed handshake.\n let addr: SocketAddress = try SocketAddress(unixDomainSocketPath: \"/tmp/whatever\")\n let connectFuture = clientChannel.connect(to: addr)\n serverChannel.pipeline.fireChannelActive()\n try interactInMemory(clientChannel: clientChannel, serverChannel: serverChannel)\n try connectFuture.wait()\n XCTAssertTrue(handshakeHandler.handshakeSucceeded)\n\n // In our code this should do TLS 1.3, so we expect 5 lines each.\n XCTAssertEqual(clientLines.wrappedValue.count, 5)\n XCTAssertEqual(serverLines.wrappedValue.count, 5)\n\n // Each in the same order.\n XCTAssertEqual(clientLines.wrappedValue, serverLines.wrappedValue)\n\n // Each line should be newline terminated.\n for line in clientLines.wrappedValue {\n XCTAssertTrue(line.readableBytesView.last! == UInt8(ascii: \"\\n\"))\n }\n for line in serverLines.wrappedValue {\n XCTAssertTrue(line.readableBytesView.last! == UInt8(ascii: \"\\n\"))\n }\n\n // Close and let the two channels shutdown.\n clientChannel.close(promise: nil)\n try interactInMemory(clientChannel: clientChannel, serverChannel: serverChannel)\n }\n\n func testLoadsOfCloses() throws {\n let context = try configuredSSLContext()\n\n // 3 threads so server, client, and accepted all have their own thread.\n let group = MultiThreadedEventLoopGroup(numberOfThreads: 3)\n defer {\n XCTAssertNoThrow(try group.syncShutdownGracefully())\n }\n\n let serverChannel: Channel = try serverTLSChannel(context: context, handlers: [], group: group)\n defer {\n XCTAssertNoThrow(try serverChannel.close().wait())\n }\n\n let clientChannel = try clientTLSChannel(\n context: context,\n preHandlers: [],\n postHandlers: [],\n group: group,\n connectingTo: serverChannel.localAddress!\n )\n let closeFutures = (0..<20).map { _ in\n clientChannel.close()\n }\n XCTAssertNoThrow(try EventLoopFuture.andAllComplete(closeFutures, on: clientChannel.eventLoop).wait())\n }\n\n func testWriteFromFailureOfWrite() throws {\n let serverChannel = EmbeddedChannel()\n let clientChannel = EmbeddedChannel()\n defer {\n // Both were closed uncleanly in the test, so they'll throw.\n XCTAssertThrowsError(try serverChannel.finish())\n XCTAssertThrowsError(try clientChannel.finish())\n }\n\n let context = try configuredSSLContext()\n\n try serverChannel.pipeline.syncOperations.addHandler(\n NIOSSLServerHandler(context: context)\n )\n try clientChannel.pipeline.syncOperations.addHandler(\n try NIOSSLClientHandler(context: context, serverHostname: nil)\n )\n\n // Do the handshake.\n let addr: SocketAddress = try SocketAddress(unixDomainSocketPath: \"/tmp/whatever\")\n let connectFuture = clientChannel.connect(to: addr)\n serverChannel.pipeline.fireChannelActive()\n try interactInMemory(clientChannel: clientChannel, serverChannel: serverChannel)\n try connectFuture.wait()\n\n // Ok, we're gonna do a weird thing here. We're going to queue up a write, whose write promise is going\n // to issue another write. In older builds, this would crash due to an exclusivity violation.\n var buffer = clientChannel.allocator.buffer(capacity: 1024)\n buffer.writeBytes(\"Hello, world!\".utf8)\n\n clientChannel.write(buffer).whenComplete { [buffer] _ in\n clientChannel.writeAndFlush(buffer, promise: nil)\n }\n\n // Now we're going to fire channel inactive on the client. This used to crash: now it doesn't.\n clientChannel.pipeline.fireChannelInactive()\n\n // Do the same for the server, but we don't care about the outcome.\n serverChannel.pipeline.fireChannelInactive()\n }\n\n func testChannelInactiveDuringHandshakeSucceeded() throws {\n // This test aims to reproduce a very unusual crash. I've never been able to come up with a clear justification of\n // how we managed to hit it, but it goes a bit like this:\n //\n // 1. During a TLS handshake, a server performs a `channelRead` that triggers a handshakeCompleted message.\n // 2. Synchronously, during that pipeline traversal, we end up with a read buffer that also contains a CLOSE_NOTIFY alert.\n // This may have arrived in the same packet with the handshake completion message, or as a result of something we did.\n // 3. Additionally, we manage to synchronously enter the .closed or .unwrapped state. This is hard to imagine, but it can\n // happen in a few ways: channelInactive forces this transition, and managing to do a shutdown reentrantly due to extra\n // I/O can trigger it as well.\n // 4. We then progress through the handshake and crash.\n //\n // To make this manifest in the test we use a pair of promises and finagle the I/O such that everything goes wrong at once.\n // This can indicate how unusual the circumstance is in which this happens. Nonetheless, we've seen it happen on production\n // systems.\n let serverChannel = EmbeddedChannel()\n let clientChannel = EmbeddedChannel()\n defer {\n // Both were closed uncleanly in the test, but the server error was already\n // consumed.\n XCTAssertNoThrow(try serverChannel.finish())\n XCTAssertThrowsError(try clientChannel.finish())\n }\n\n let context = try configuredSSLContext()\n let clientChannelCompletedPromise = clientChannel.eventLoop.makePromise(of: Void.self)\n let clientChannelCompletedHandler = WaitForHandshakeHandler(\n handshakeResultPromise: clientChannelCompletedPromise\n )\n let serverChannelCompletedPromise = serverChannel.eventLoop.makePromise(of: Void.self)\n let serverChannelCompletedHandler = WaitForHandshakeHandler(\n handshakeResultPromise: serverChannelCompletedPromise\n )\n\n clientChannelCompletedPromise.futureResult.whenSuccess {\n // Here we need to immediately (and _recursively_) ask the client channel to shutdown. This should force a CLOSE_NOTIFY\n // message out in the same tick as the handshake message.\n clientChannel.close(promise: nil)\n\n // Now deliver all the client messages to the server channel _in one go_.\n var flattenedBytes = clientChannel.allocator.buffer(capacity: 1024)\n while let clientDatum = try! clientChannel.readOutbound(as: ByteBuffer.self) {\n flattenedBytes.writeImmutableBuffer(clientDatum)\n }\n\n // Can't use XCTAssertThrowsError here, this function call isn't allowed to throw.\n do {\n try serverChannel.writeInbound(flattenedBytes)\n XCTFail(\"Expected to throw\")\n } catch {\n guard case .some(.uncleanShutdown) = error as? NIOSSLError else {\n XCTFail(\"Unexpected error \\(error)\")\n return\n }\n }\n }\n\n serverChannelCompletedPromise.futureResult.whenSuccess {\n // Here we do something very, very dangerous: we call fireChannelInactive on our own channel.\n // This simulates us hitting a close condition in some other form.\n serverChannel.pipeline.fireChannelInactive()\n }\n\n XCTAssertNoThrow(\n try serverChannel.pipeline.syncOperations.addHandlers([\n NIOSSLServerHandler(context: context), serverChannelCompletedHandler,\n ])\n )\n XCTAssertNoThrow(\n try clientChannel.pipeline.syncOperations.addHandlers([\n try NIOSSLClientHandler(context: context, serverHostname: nil), clientChannelCompletedHandler,\n ])\n )\n\n // Do the handshake.\n let addr: SocketAddress = try SocketAddress(unixDomainSocketPath: \"/tmp/whatever\")\n let connectFuture = clientChannel.connect(to: addr)\n serverChannel.pipeline.fireChannelActive()\n try interactInMemory(clientChannel: clientChannel, serverChannel: serverChannel)\n try connectFuture.wait()\n\n // We now need to forcibly shutdown the client channel, as otherwise it'll wedge waiting for a server that never comes back.\n clientChannel.pipeline.fireChannelInactive()\n }\n\n func testTrustedFirst() throws {\n // We need to explain this test a bit.\n //\n // BoringSSL has a flag: X509_V_FLAG_TRUSTED_FIRST. This flag affects the way the X509 verifier works. In particular,\n // it causes the verifier to look for certificates in the trust store _before_ it looks for them in the chain. This\n // is important, because some misbehaving clients may send an excessively long chain that, in some cases, includes\n // certificates we don't trust!\n //\n // In this case, the server has a cert that was signed by a CA whose original certificate has expired. We, the client,\n // have a valid root certificate for the intermediate that _actually_ issued the key, which is now a root, as\n // well as the old cert. (This is important! If we don't also have the old cert, this fails.)\n // The server is, stupidly, also sending the old, _expired_, CA root cert. This test validates that we\n // ignore the dumb server and get to the valid trust chain anyway.\n let oldCA = try NIOSSLCertificate(bytes: Array(sampleExpiredCA.utf8), format: .pem)\n let oldIntermediate = try NIOSSLCertificate(bytes: Array(sampleIntermediateCA.utf8), format: .pem)\n let newCA = try NIOSSLCertificate(bytes: Array(sampleIntermediateAsRootCA.utf8), format: .pem)\n let serverCert = try NIOSSLCertificate(bytes: Array(sampleClientOfIntermediateCA.utf8), format: .pem)\n let serverKey = try NIOSSLPrivateKey(\n bytes: Array(sampleKeyForCertificateOfClientOfIntermediateCA.utf8),\n format: .pem\n )\n var clientConfig = TLSConfiguration.makeClientConfiguration()\n clientConfig.trustRoots = .certificates([newCA, oldCA])\n let serverConfig = TLSConfiguration.makeServerConfiguration(\n certificateChain: [.certificate(serverCert), .certificate(oldIntermediate), .certificate(oldCA)],\n privateKey: .privateKey(serverKey)\n )\n\n let clientContext = try NIOSSLContext(configuration: clientConfig)\n let serverContext = try NIOSSLContext(configuration: serverConfig)\n\n let group = MultiThreadedEventLoopGroup(numberOfThreads: 1)\n defer {\n XCTAssertNoThrow(try group.syncShutdownGracefully())\n }\n\n let completionPromise: EventLoopPromise = group.next().makePromise()\n\n let serverChannel: Channel = try serverTLSChannel(\n context: serverContext,\n handlers: [SimpleEchoServer()],\n group: group\n )\n defer {\n XCTAssertNoThrow(try serverChannel.close().wait())\n }\n\n let clientChannel = try clientTLSChannel(\n context: clientContext,\n preHandlers: [],\n postHandlers: [PromiseOnReadHandler(promise: completionPromise)],\n group: group,\n connectingTo: serverChannel.localAddress!,\n serverHostname: \"localhost\"\n )\n defer {\n XCTAssertNoThrow(try clientChannel.close().wait())\n }\n\n var originalBuffer = clientChannel.allocator.buffer(capacity: 5)\n originalBuffer.writeString(\"Hello\")\n try clientChannel.writeAndFlush(originalBuffer).wait()\n\n let newBuffer = try completionPromise.futureResult.wait()\n XCTAssertEqual(newBuffer, originalBuffer)\n }\n\n func testWriteSplitting() throws {\n // This test validates that we chunk writes larger than a certain value. This is an attempt\n // to regression test part of our defense against large writes, without requiring that the value end up being giant.\n let maxWriteSize = 1024\n let targetSize = (maxWriteSize * 4) + 1\n let write = ByteBuffer(repeating: 0, count: targetSize)\n\n let b2b = BackToBackEmbeddedChannel()\n\n var clientConfig = TLSConfiguration.makeClientConfiguration()\n clientConfig.certificateVerification = .noHostnameVerification\n clientConfig.trustRoots = .certificates([Self.cert])\n\n let serverConfig = TLSConfiguration.makeServerConfiguration(\n certificateChain: [.certificate(Self.cert)],\n privateKey: .privateKey(Self.key)\n )\n\n let clientContext = try assertNoThrowWithValue(NIOSSLContext(configuration: clientConfig))\n let serverContext = try assertNoThrowWithValue(NIOSSLContext(configuration: serverConfig))\n XCTAssertNoThrow(\n try b2b.client.pipeline.syncOperations.addHandler(\n try NIOSSLClientHandler(\n context: clientContext,\n serverHostname: \"localhost\",\n optionalCustomVerificationCallbackManager: nil,\n optionalAdditionalPeerCertificateVerificationCallback: nil,\n maxWriteSize: maxWriteSize\n )\n )\n )\n XCTAssertNoThrow(\n try b2b.server.pipeline.syncOperations.addHandler(\n NIOSSLServerHandler(context: serverContext)\n )\n )\n XCTAssertNoThrow(try b2b.connectInMemory())\n\n let completed = NIOLockedValueBox(false)\n let promise = b2b.loop.makePromise(of: Void.self)\n promise.futureResult.whenComplete { _ in\n completed.withLockedValue { $0 = true }\n }\n\n let recordObserver = TLS13RecordObserver()\n XCTAssertNoThrow(\n try b2b.client.pipeline.syncOperations.addHandler(\n recordObserver,\n position: .first\n )\n )\n\n b2b.client.writeAndFlush(write, promise: promise)\n try b2b.interactInMemory()\n\n var reads: [ByteBuffer] = []\n while let read = try b2b.server.readInbound(as: ByteBuffer.self) {\n reads.append(read)\n }\n let totalReadBytes = reads.reduce(into: 0, { $0 += $1.readableBytes })\n XCTAssertEqual(totalReadBytes, targetSize)\n XCTAssertTrue(completed.withLockedValue { $0 })\n XCTAssertEqual(recordObserver.writtenRecords.filter { $0.contentType == .applicationData }.count, 5)\n\n b2b.client.close(promise: nil)\n try b2b.interactInMemory()\n }\n\n func testDoesNotSpinLoopWhenInactiveAndActiveAreReversed() throws {\n // This is a regression test for https://github.com/apple/swift-nio-ssl/issues/467\n //\n // If channelInactive occurs before channelActive and a re-entrant write and flush occurred\n // in channelActive then 'NIOSSLHandler.doUnbufferActions(context:)' would loop\n // indefinitely.\n let eventLoop = EmbeddedEventLoop()\n let promise = eventLoop.makePromise(of: Void.self)\n\n final class WriteAndFlushOnActive: ChannelInboundHandler {\n typealias InboundIn = ByteBuffer\n typealias OutboundOut = ByteBuffer\n\n private let promise: EventLoopPromise\n\n init(promise: EventLoopPromise) {\n self.promise = promise\n }\n\n func channelActive(context: ChannelHandlerContext) {\n let buffer = context.channel.allocator.buffer(string: \"You spin me right 'round\")\n context.writeAndFlush(self.wrapOutboundOut(buffer), promise: self.promise)\n context.fireChannelActive()\n }\n }\n\n let context = try self.configuredSSLContext()\n let handler = try NIOSSLClientHandler(context: context, serverHostname: nil)\n let channel = EmbeddedChannel(\n handlers: [handler, WriteAndFlushOnActive(promise: promise)],\n loop: eventLoop\n )\n\n // Close _before_ channel active. This shouldn't (but can https://github.com/apple/swift-nio/issues/2773)\n // happen for 'real' channels by synchronously closing the channel when the connect promise\n // is succeeded.\n channel.pipeline.fireChannelInactive()\n channel.pipeline.fireChannelActive()\n\n // The handshake starts in channelActive (and handlerAdded if the channel is already\n // active). If the events are reordered then the handshake shouldn't start and there\n // shouldn't be any outbound data.\n XCTAssertNil(try channel.readOutbound(as: ByteBuffer.self))\n\n // The write promise should fail.\n XCTAssertThrowsError(try promise.futureResult.wait()) { error in\n XCTAssertEqual(error as? ChannelError, .ioOnClosedChannel)\n }\n\n // Subsequent writes should also fail.\n XCTAssertThrowsError(try channel.writeOutbound(ByteBuffer(string: \"Like a record, baby, right 'round\"))) {\n error in\n XCTAssertEqual(error as? ChannelError, .ioOnClosedChannel)\n }\n }\n}\n" }, { "path": "Tests/NIOSSLTests/NIOSSLSecureBytesTests.swift", "content": "//===----------------------------------------------------------------------===//\n//\n// This source file is part of the SwiftNIO open source project\n//\n// Copyright (c) 2017-2022 Apple Inc. and the SwiftNIO project authors\n// Licensed under Apache License v2.0\n//\n// See LICENSE.txt for license information\n// See CONTRIBUTORS.txt for the list of SwiftNIO project authors\n//\n// SPDX-License-Identifier: Apache-2.0\n//\n//===----------------------------------------------------------------------===//\nimport XCTest\n\n@testable import NIOSSL\n\npublic enum NIOSSLSecureBytesError: Error {\n case incorrectKeySize\n}\n\nextension NIOSSLSecureBytesError: Equatable {}\n\nfinal class NIOSSLSecureBytesTests: XCTestCase {\n func testBasicSoundness() {\n var first = NIOSSLSecureBytes()\n var second = NIOSSLSecureBytes()\n\n first.append(Data(\"hello\".utf8))\n second.append(Data(\"hello\".utf8))\n\n XCTAssertEqual(first, second)\n\n first.append(Data(\"world\".utf8))\n second.append(Data(\"wrold\".utf8))\n XCTAssertNotEqual(first, second)\n }\n\n func testSimpleCollection() {\n let base = NIOSSLSecureBytes(0..<100)\n XCTAssertEqual(base.count, 100)\n XCTAssertEqual(Array(base), Array(0..<100))\n XCTAssertEqual(base.first, 0)\n XCTAssertEqual(base.last, 99)\n XCTAssertEqual(base.reduce(Int(0)) { Int($0) + Int($1) }, 4950)\n }\n\n func testSimpleBidirectionalCollection() {\n let base = NIOSSLSecureBytes(0..<100)\n let reversed = base.reversed()\n XCTAssertEqual(Array(reversed), Array(stride(from: 99, through: 0, by: -1)))\n }\n\n func testSimpleRandomAccessCollection() {\n // Not easy to test this, just try to move the indices around a bit.\n let base = NIOSSLSecureBytes(0..<100)\n let aMiddleIndex = base.index(base.startIndex, offsetBy: 48)\n let aDifferentMiddleIndex = base.index(aMiddleIndex, offsetBy: 5)\n XCTAssertEqual(base.distance(from: aMiddleIndex, to: aDifferentMiddleIndex), 5)\n\n XCTAssertEqual(base[aMiddleIndex], 48)\n XCTAssertEqual(base[aDifferentMiddleIndex], 48 + 5)\n }\n\n func testSimpleMutableCollection() {\n var base = NIOSSLSecureBytes(repeating: 0, count: 5)\n let offset = base.index(base.startIndex, offsetBy: 2)\n base[offset] = 5\n XCTAssertEqual(Array(base), [0, 0, 5, 0, 0])\n }\n\n func testSimpleRangeReplaceableCollection() {\n // This test validates RangeReplaceableCollection and the value semantics all at once.\n let base = NIOSSLSecureBytes(repeating: 0, count: 10)\n let baseBytes = Array(repeating: UInt8(0), count: 10)\n\n // There are a few ways we can \"replace\" a subrange. The first is to extend at the front by appending.\n var copy = base\n copy.insert(contentsOf: [1, 2, 3, 4], at: copy.startIndex)\n XCTAssertEqual(Array(copy), [1, 2, 3, 4] + baseBytes)\n XCTAssertEqual(Array(base), baseBytes)\n XCTAssertNotEqual(copy, base)\n\n // The second is to extend at the back.\n copy = base\n copy.append(contentsOf: [1, 2, 3, 4])\n XCTAssertEqual(Array(copy), baseBytes + [1, 2, 3, 4])\n XCTAssertEqual(Array(base), baseBytes)\n XCTAssertNotEqual(copy, base)\n\n // The third is to \"shrink\" by replacing a subrange in the middle.\n copy = base\n var aMiddleIndex = copy.index(copy.startIndex, offsetBy: 2)\n var aDifferentMiddleIndex = copy.index(aMiddleIndex, offsetBy: 5)\n copy.removeSubrange(aMiddleIndex.. Void = {\n _ = try NIOSSLSecureBytes(unsafeUninitializedCapacity: 5) { (_, _) in\n throw NIOSSLSecureBytesError.incorrectKeySize\n }\n }\n XCTAssertThrowsError(try testThrowingInitialization()) { error in\n guard case .some(.incorrectKeySize) = error as? NIOSSLSecureBytesError else {\n XCTFail(\"unexpected error: \\(error)\")\n return\n }\n }\n }\n\n func testAppendingDataPerformsACoW() {\n var base = NIOSSLSecureBytes(repeating: 0, count: 10)\n let copy = base\n\n base.append(\"Hello, world\".utf8)\n\n XCTAssertEqual(base.count, 22)\n XCTAssertEqual(copy.count, 10)\n }\n\n func testRequestingAMutablePointerPerformsACoW() {\n var base = NIOSSLSecureBytes(repeating: 0, count: 10)\n let copy = base\n let lower = base.index(base.startIndex, offsetBy: 4)\n let upper = base.index(base.startIndex, offsetBy: 7)\n base.replaceSubrange(lower...upper, with: [1, 2, 3, 4])\n XCTAssertEqual(Array(base), [0, 0, 0, 0, 1, 2, 3, 4, 0, 0])\n XCTAssertEqual(Array(copy), [0, 0, 0, 0, 0, 0, 0, 0, 0, 0])\n }\n\n func testDataCausesCoWs() {\n var base = NIOSSLSecureBytes(repeating: 0, count: 10)\n let copy = Data(base)\n XCTAssertEqual(base.count, copy.count)\n\n base.append(\"Hello, world\".utf8)\n\n XCTAssertEqual(base.count, 22)\n XCTAssertEqual(copy.count, 10)\n }\n\n func testDataFromSlice() {\n var base = NIOSSLSecureBytes(0..<10)\n let copy = Data(base.prefix(5))\n XCTAssertEqual(Array(copy), [0, 1, 2, 3, 4])\n\n base.append(\"Hello, world\".utf8)\n\n XCTAssertEqual(base.count, 22)\n XCTAssertEqual(Array(copy), [0, 1, 2, 3, 4])\n }\n\n func testEquatable() {\n var a = NIOSSLSecureBytes()\n a.append(Data(\"hello\".utf8))\n\n var b = NIOSSLSecureBytes()\n b.append(Data(\"hello\".utf8))\n XCTAssertTrue(a == b)\n\n var c = NIOSSLSecureBytes()\n c.append(Data(\"world\".utf8))\n XCTAssertFalse(a == c)\n }\n\n func testByteCreation() {\n let a = NIOSSLSecureBytes(bytes: [0x01, 0x02, 0x03, 0x04])\n let b = NIOSSLSecureBytes(bytes: [0x01, 0x02, 0x03, 0x04, 0x05])\n let c = NIOSSLSecureBytes(bytes: [0x01, 0x02, 0x03, 0x04])\n XCTAssertTrue(a == c)\n XCTAssertFalse(a == b)\n }\n\n}\n" }, { "path": "Tests/NIOSSLTests/NIOSSLTestHelpers.swift", "content": "//===----------------------------------------------------------------------===//\n//\n// This source file is part of the SwiftNIO open source project\n//\n// Copyright (c) 2017-2021 Apple Inc. and the SwiftNIO project authors\n// Licensed under Apache License v2.0\n//\n// See LICENSE.txt for license information\n// See CONTRIBUTORS.txt for the list of SwiftNIO project authors\n//\n// SPDX-License-Identifier: Apache-2.0\n//\n//===----------------------------------------------------------------------===//\n\n@_implementationOnly import CNIOBoringSSL\nimport Foundation\nimport NIOCore\nimport NIOEmbedded\n\n@testable import NIOSSL\n\nlet samplePemCert = \"\"\"\n -----BEGIN CERTIFICATE-----\n MIIGGzCCBAOgAwIBAgIJAJ/X0Fo0ynmEMA0GCSqGSIb3DQEBCwUAMIGjMQswCQYD\n VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5z\n b2t5bzEuMCwGA1UECgwlU2FuIEZyYW5zb2t5byBJbnN0aXR1dGUgb2YgVGVjaG5v\n bG9neTEVMBMGA1UECwwMUm9ib3RpY3MgTGFiMSAwHgYDVQQDDBdyb2JvdHMuc2Fu\n ZnJhbnNva3lvLmVkdTAeFw0xNzEwMTYyMTAxMDJaFw00NzEwMDkyMTAxMDJaMIGj\n MQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2Fu\n IEZyYW5zb2t5bzEuMCwGA1UECgwlU2FuIEZyYW5zb2t5byBJbnN0aXR1dGUgb2Yg\n VGVjaG5vbG9neTEVMBMGA1UECwwMUm9ib3RpY3MgTGFiMSAwHgYDVQQDDBdyb2Jv\n dHMuc2FuZnJhbnNva3lvLmVkdTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoC\n ggIBAO9rzJOOE8cmsIqAJMCrHDxkBAMgZhMsJ863MnWtVz5JIJK6CKI/Nu26tEzo\n kHy3EI9565RwikvauheMsWaTFA4PD/P+s1DtxRCGIcK5x+SoTN7Drn5ZueoJNZRf\n TYuN+gwyhprzrZrYjXpvEVPYuSIeUqK5XGrTyFA2uGj9wY3f9IF4rd7JT0ewRb1U\n 8OcR7xQbXKGjkY4iJE1TyfmIsBZboKaG/aYa9KbnWyTkDssaELWUIKrjwwuPgVgS\n vlAYmo12MlsGEzkO9z78jvFmhUOsaEldM8Ua2AhOKW0oSYgauVuro/Ap/o5zn8PD\n IDapl9g+5vjN2LucqX2a9utoFvxSKXT4NvfpL9fJvzdBNMM4xpqtHIkV0fkiMbWk\n EW2FFlOXKnIJV8wT4a9iduuIDMg8O7oc+gt9pG9MHTWthXm4S29DARTqfZ48bW77\n z8RrEURV03o05b/twuAJSRyyOCUi61yMo3YNytebjY2W3Pxqpq+YmT5qhqBZDLlT\n LMptuFdISv6SQgg7JoFHGMWRXUavMj/sn5qZD4pQyZToHJ2Vtg5W/MI1pKwc3oKD\n 6M3/7Gf35r92V/ox6XT7+fnEsAH8AtQiZJkEbvzJ5lpUihSIaV3a/S+jnk7Lw8Tp\n vjtpfjOg+wBblc38Oa9tk2WdXwYDbnvbeL26WmyHwQTUBi1jAgMBAAGjUDBOMB0G\n A1UdDgQWBBToPRmTBQEF5F5LcPiUI5qBNPBU+DAfBgNVHSMEGDAWgBToPRmTBQEF\n 5F5LcPiUI5qBNPBU+DAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4ICAQCY\n gxM5lufF2lTB9sH0s1E1VTERv37qoapNP+aw06oZkAD67QOTXFzbsM3JU1diY6rV\n Y0g9CLzRO7gZY+kmi1WWnsYiMMSIGjIfsB8S+ot43LME+AJXPVeDZQnoZ6KQ/9r+\n 71Umi4AKLoZ9dInyUIM3EHg9pg5B0eEINrh4J+OPGtlC3NMiWxdmIkZwzfXa+64Z\n 8k5aX5piMTI+9BQSMWw5l7tFT/PISuI8b/Ln4IUBXKA0xkONXVnjPOmS0h7MBoc2\n EipChDKnK+Mtm9GQewOCKdS2nsrCndGkIBnUix4ConUYIoywVzWGMD+9OzKNg76d\n O6A7MxdjEdKhf1JDvklxInntDUDTlSFL4iEFELwyRseoTzj8vJE+cL6h6ClasYQ6\n p0EeL3UpICYerfIvPhohftCivCH3k7Q1BSf0fq73cQ55nrFAHrqqYjD7HBeBS9hn\n 3L6bz9Eo6U9cuxX42k3l1N44BmgcDPin0+CRTirEmahUMb3gmvoSZqQ3Cz86GkIg\n 7cNJosc9NyevQlU9SX3ptEbv33tZtlB5GwgZ2hiGBTY0C3HaVFjLpQiSS5ygZLgI\n /+AKtah7sTHIAtpUH1ZZEgKPl1Hg6J4x/dBkuk3wxPommNHaYaHREXF+fHMhBrSi\n yH8agBmmECpa21SVnr7vrL+KSqfuF+GxwjSNsSR4SA==\n -----END CERTIFICATE-----\n \"\"\"\n\nlet samplePemKey = \"\"\"\n -----BEGIN RSA PRIVATE KEY-----\n MIIJKAIBAAKCAgEA72vMk44TxyawioAkwKscPGQEAyBmEywnzrcyda1XPkkgkroI\n oj827bq0TOiQfLcQj3nrlHCKS9q6F4yxZpMUDg8P8/6zUO3FEIYhwrnH5KhM3sOu\n flm56gk1lF9Ni436DDKGmvOtmtiNem8RU9i5Ih5SorlcatPIUDa4aP3Bjd/0gXit\n 3slPR7BFvVTw5xHvFBtcoaORjiIkTVPJ+YiwFlugpob9phr0pudbJOQOyxoQtZQg\n quPDC4+BWBK+UBiajXYyWwYTOQ73PvyO8WaFQ6xoSV0zxRrYCE4pbShJiBq5W6uj\n 8Cn+jnOfw8MgNqmX2D7m+M3Yu5ypfZr262gW/FIpdPg29+kv18m/N0E0wzjGmq0c\n iRXR+SIxtaQRbYUWU5cqcglXzBPhr2J264gMyDw7uhz6C32kb0wdNa2FebhLb0MB\n FOp9njxtbvvPxGsRRFXTejTlv+3C4AlJHLI4JSLrXIyjdg3K15uNjZbc/Gqmr5iZ\n PmqGoFkMuVMsym24V0hK/pJCCDsmgUcYxZFdRq8yP+yfmpkPilDJlOgcnZW2Dlb8\n wjWkrBzegoPozf/sZ/fmv3ZX+jHpdPv5+cSwAfwC1CJkmQRu/MnmWlSKFIhpXdr9\n L6OeTsvDxOm+O2l+M6D7AFuVzfw5r22TZZ1fBgNue9t4vbpabIfBBNQGLWMCAwEA\n AQKCAgArWV9PEBhwpIaubQk6gUC5hnpbfpA8xG/os67FM79qHZ9yMZDCn6N4Y6el\n jS4sBpFPCQoodD/2AAJVpTmxksu8x+lhiio5avOVTFPsh+qzce2JH/EGG4TX5Rb4\n aFEIBYrSjotknt49/RuQoW+HuOO8U7UulVUwWmwYae/1wow6/eOtVYZVoilil33p\n C+oaTFr3TwT0l0MRcwkTnyogrikDw09RF3vxiUvmtFkCUvCCwZNo7QsFJfv4qeEH\n a01d/zZsiowPgwgT+qu1kdDn0GIsoJi5P9DRzUx0JILHqtW1ePE6sdca8t+ON00k\n Cr5YZ1iA5NK5Fbw6K+FcRqSSduRCLYXAnI5GH1zWMki5TUdl+psvCnpdZK5wysGe\n tYfIbrVHXIlg7J3R4BrbMF4q3HwOppTHMrqsGyRVCCSjDwXjreugInV0CRzlapDs\n JNEVyrbt6Ild6ie7c1AJqTpibJ9lVYRVpG35Dni9RJy5Uk5m89uWnF9PCjCRCHOf\n 4UATY+qie6wlu0E8y43LcTvDi8ROXQQoCnys2ES8DmS+GKJ1uzG1l8jx3jF9BMAJ\n kyzZfSmPwuS2NUk8sftYQ8neJSgk4DOV4h7x5ghaBWYzseomy3uo3gD4IyuiO56K\n y7IYZnXSt2s8LfzhVcB5I4IZbSIvP/MAEkGMC09SV+dEcEJSQQKCAQEA/uJex1ef\n g+q4gb/C4/biPr+ZRFheVuHu49ES0DXxoxmTbosGRDPRFBLwtPxCLuzHXa1Du2Vc\n c0E12zLy8wNczv5bGAxynPo57twJCyeptFNFJkb+0uxRrCi+CZ56Qertg2jr460Q\n cg+TMYxauDleLzR7uwL6VnOhTSq3CVTA2TrQ+kjIHgVqmmpwgk5bPBRDj2EuqdyD\n dEQmt4z/0fFFBmW6iBcXS9y8Q1rCnAHKjDUEoXKyJYL85szupjUuerOt6iTIe7CJ\n pH0REwQO4djwM4Ju/PEGfBs+RqgNXoHmBMcFdf9RdogCuFit7lX0+LlRT/KJitan\n LaaFgY1TXTVkcwKCAQEA8HgZuPGVHQTMHCOfNesXxnCY9Dwqa9ZVukqDLMaZ0TVy\n PIqXhdNeVCWpP+VXWhj9JRLNuW8VWYMxk+poRmsZgbdwSbq30ljsGlfoupCpXfhd\n AIhUeRwLVl4XnaHW+MjAmY/rqO156/LvNbV5e0YsqObzynlTczmhhYwi48x1tdf0\n iuCn8o3+Ikv8xM7MuMnv5QmGp2l8Q3BhwxLN1x4MXfbG+4BGsqavudIkt71RVbSb\n Sp7U4Khq3UEnCekrceRLQpJykRFu11/ntPsJ0Q+fLuvuRUMg/wsq8WTuVlwLrw46\n hlRcq6S99jc9j2TbidxHyps6j8SDnEsEFHMHH8THUQKCAQAd03WN1CYZdL0UidEP\n hhNhjmAsDD814Yhn5k5SSQ22rUaAWApqrrmXpMPAGgjQnuqRfrX/VtQjtIzN0r91\n Sn5wxnj4bnR3BB0FY4A3avPD4z6jRQmKuxavk7DxRTc/QXN7vipkYRscjdAGq0ru\n ZeAsm/Kipq2Oskc81XPHxsAua2CK+TtZr/6ShUQXK34noKNrQs8IF4LWdycksX46\n Hgaawgq65CDYwsLRCuzc/qSqFYYuMlLAavyXMYH3tx9yQlZmoNlJCBaDRhNaa04m\n hZFOJcRBGx9MJI/8CqxN09uL0ZJFBZSNz0qqMc5gpnRdKqpmNZZ8xbOYdvUGfPg1\n XwsbAoIBAGdH7iRU/mp8SP48/oC1/HwqmEcuIDo40JE2t6hflGkav3npPLMp2XXi\n xxK+egokeXWW4e0nHNBZXM3e+/JixY3FL+E65QDfWGjoIPkgcN3/clJsO3vY47Ww\n rAv0GtS3xKEwA1OGy7rfmIZE72xW84+HwmXQPltbAVjOm52jj1sO6eVMIFY5TlGE\n uYf+Gkez0+lXchItaEW+2v5h8S7XpRAmkcgrjDHnDcqNy19vXKOm8pvWJDBppZxq\n A05qa1J7byekprhP+H9gnbBJsimsv/3zL19oOZ/ROBx98S/+ULZbMh/H1BWUqFI7\n 36Da/L/1cJBAo6JkEPLr9VCjJwgqCEECggEBAI6+35Lf4jDwRPvZV7kE+FQuFp1G\n /tKxIJtPOZU3sbOVlsFsOoyEfV6+HbpeWxlWnrOnKRFOLoC3s5MVTjPglu1rC0ZX\n 4b0wMetvun5S1MGadB808rvu5EsEB1vznz1vOXV8oDdkdgBiiUcKewSeCrG1IrXy\n B9ux859S3JjELzeuNdz+xHqu2AqR22gtqN72tJUEQ95qLGZ8vo+ytY9MDVDqoSWJ\n 9pqHXFUVLmwHTM0/pciXN4Kx1IL9FZ3fjXgME0vdYpWYQkcvSKLsswXN+LnYcpoQ\n h33H/Kz4yji7jPN6Uk9wMyG7XGqpjYAuKCd6V3HEHUiGJZzho/VBgb3TVnw=\n -----END RSA PRIVATE KEY-----\n \"\"\"\n\nlet sampleECPemKey = \"\"\"\n -----BEGIN EC PRIVATE KEY-----\n MHcCAQEEIMJZj2Qw9NGv83izxbgRr5xRvb0RHymOfl5hDJ/RPI2GoAoGCCqGSM49\n AwEHoUQDQgAEc5zHoemKB93GfO9MA/vLYEiYMtV3UWDIV88M/TP59R0dKIuPS2Dw\n EeAoz1vgyHNpgE73eYX8NII6U11Xv8Lmgg==\n -----END EC PRIVATE KEY-----\n \"\"\"\n\nlet samplePemRSAEncryptedKey = \"\"\"\n -----BEGIN RSA PRIVATE KEY-----\n Proc-Type: 4,ENCRYPTED\n DEK-Info: AES-256-CBC,701BA8806DAD9F13E63F41109F51B2AD\n\n i00KcJzy1B9QkBUvzzhp0RSm53Df6QJlylyIODk/F2M/62nj2eCUzRlkiM1AB6ch\n CILcSKVwKi0h77j7e9Gh5U2JoJiiq4U2PCkU35MSToYz0fxPVvlDYnGfDSa7vxQl\n 5A41xZGC8b79rE6Kyffoi9I5g3Munvn6yTqDbpg5Zr6qEsjRz5V/EejkcIM+nidl\n ZtFmKYLqy8DMApprK2O40i96Bj+j7MISZGzhWvK4Sda+HMbj39vMimR1RwtFvuNJ\n JLoozb4Za6yNjZV8U3yhFtwLZJOVb0SIivsYk29KxOi85D0s3Gv0ldo4Yn6h6Gad\n HB5Oeb0rXobi09QywiBL7Mjo/wKiVqUSNi09zZ5iNIpnflZib/DT9Ee9sJWcDwzU\n PIf6dgwU5azm12USpYWdl0Rs1b9QwTllsSmuKRRmI0O2EiQmZjrH9T0DfOYSDSkq\n Rs3HRQtIXmURSOnP9DTrf4LMjMoAg/qYDF1jXVV7Qd63Fm57H1MTQq+OhFepXBuS\n zbG7OXylcd0EqL+yiGcUcLoUlfmP0kOtdwQqmcCVwkyCAdTqV4pzeKMyG94b9P4I\n 4w4Hew717e77PdqmtosRMhxlwtUPrawkIhgatG/jzGAVE9KUxSGkdPRFAbzE8Fpt\n KiEMEw1eydwzyOxGHRiEb4axxloryBje8jKokFwQMpqmwVnOc1ElX+XagEgVNB3f\n 6Ra5EhrIIaI3OfrkRJsW0PQRZ9FA+KpDEoEDA8i0Uh69HodPFBtGcUMbGJUQvABQ\n +fcm2h3fFhD4Jzf+EA8RJPaG4UavacYplZZr8EQ8KEEmlvCz6yuQt0s/N0dCd4p2\n Pg+m37SV4d4suNZE9iVesmFzLSHEDuE0nIRRWak++QRPATLCjp6f78OPBJfbq3oU\n HPfQ6PW/q3qyR6KQ2ZMXWTaMg8G6w5x66C6ykxt/C5ljQ5rxYqCmK5BvGIoDOP3j\n F/UYJ6rs7sW9vFyws4p0TkvpPjnCeB35rCc+aj7Ddm7WJicW5zwlnpRuxHlSBAm4\n ProoGHwtZsESv+CrnHz/ZfW2e2Mg5H1KKFibqAH81FQHGwmeVbIoksy5t00WSvLQ\n QbEaqHTl8XppfldenOVNbV1gXf8/MuUfc4/2EELrq5ACoLq5SJHPg+CSlAGkQCrm\n mEfBDmMOJoYG+POANzTHhZNkq53sp8ccFRLnBtOkFZ2+2FxHKQIrU4kECeGoB0OL\n 8wq6hRIJUYitZd2eYatm4EAaTmG8C5ZkX5Zgbfjm9S1Af6z93FFgeunFMbvrh5c4\n lpIpKoEiwzmFwjMysKZPxi0BljbIRlICI0/FM3ZcB/MJCRkqCl4G+ktHYBLa4kfD\n C7yTIfRLnkCfloF9yA19ulne0HF67Mq6XBhAmNQFTLimwSM+D+QBcSxqFx2z2eSd\n pGRePIuxzf9uVqL7vi/LVNJftZsSbBj7L6PJSh/3sqUpxYqVuLvkgs9uqV5YIzig\n UrKjU1fUWnEJxKKi2CdNfKFJUpQQYmQdvGMiGhATZHIocQ1ceui0RrLrczZpNXMd\n 3piGo8YB9SPXLJ2pqzaTunz/iyUvwOqkjxhOsBt+zuLXgiJ5iP9jpnO9huqkJUJL\n YIQMaT4QvfhJBkpwujlt5fkW6lXDgDFqsoGyDhXMc8l0859Ucx4lT+IIIUKsB+ho\n zbpFWgNB+rS/i6TgKNlYO1WkPloVbNV+QQSLEtqVMerWnAnT4xMKwUEJOPrD2NWN\n N3iPNio0suvhgxAWCgFkN8qm5SnYZtC4f7gPEwLsd55APjvCiMxv1dyKt1nRoQrD\n CSWz3IvB4ZVZV3M4Ozcgn++I8ggsKfaeHxfO+I8g1NLcAQ8R4uXXjaQVjtmnT7TQ\n GHEG3kHvIcUhQHIaVu9Ph9pTAw/5BZEqBGhH2lnkb5h5GfqxUCRnDv/V7S2oh+kP\n OM1IFEEn6wfJxBE3rxBIcRPJmpLQoEulb5uhB0XooFcSJh7hf3DutCs4s3J3DYx4\n QtXoZNg+m2gK8IX7/WwG96CF4cBNmHhmzcWZRGDa96tAJ71tVX2RP5i+YshG+7OH\n VR7KRdyzmt3pvbs0zAw8bsTb8BdslowEACalysHhGNJ8QxOsE+Js/ibAOEHfR+l7\n KnmQenMrD29VrPsISxgRhcXh4/pu/GR8IFOkaMiz76zlb31UlzT24G8Go7YmWifD\n +3g/QCSZP1Fc7sOk59i+9kHXeuuDmDVIwBEBrTdXK1FVzHFqJSotLrQIzJgxCBv7\n TGCn4g/Bzn7TIwvDH3cL2/VFMK850Hh4WLkPI35wrjr9H2El+MXsPqY2Lt8dn7kB\n 0WpDlVcYcfsHLmpB92zxvoSbw7dLyRyDBrGfXfX2E8qrE+0Z+YM5oZamaZf+uErv\n g96JWgvckRR1+gDJHbl6rShk2RaTmxfxWYSYf83ecyt3a95QxQcZpHNvO0oCt+vC\n w4qy3CnDfBPv2yXg/EczrUNGSk3f31aQjz8hOsNRt5HWpNthm//bQKkfM0ShgQLW\n B0ZFeum+EwV81OQzlvgc/Aoq4zfbKZvPSf8aGXoC4yTQN79ZONAlz2rP+ullJ23C\n mqJU331Szg8rzfmpmA1DVfb12r8QG2OrI4oDM4zwJK/U4fsV5o77ZNznkUYpZIu8\n TKIpwvbkx9klES28Zvsl+N/k4yxMF4isfJjVM1DKM3ZgJqxM+AFWQSoC8PmMfUyi\n ElhvcfzCskSd2rNF3b41W7szP0iNX0jpKbzu/sEFvq2Lk4z8u0cLLvJqCVNLpNC6\n lH/FLTiCVIw5e2lfAAhqjeQ0V7g0K0uxysZouivvloIsImzD2b9Yei641Acy8UT+\n x3V/qf15oppCtr0okgvr4BZ7v9xLRCKols2xcncrMqNAVPU8xOVke55vlhRYidbl\n txA0rTk+zHy5jKGN3BHNqJPuyj2shRm7EUce86dWy9omnCk1cHOvqN1fVdq1emHj\n EX2GAkBeInoPpdn41Kq2X6jGh3NBGgovhnFDqu4ICAzCpalOjnZtb7y+SWdjSSoK\n lWixvr+CJKM5VDGtAMrGv+xZ/HNpdeghfPc+eCecC07KMSx82tomEHZirVRdcQXd\n E01IMuJH78wMnZcd2SpFSfrmBttWB+/Z91yL3fnrYsU7R/Gp6EEhRPtxEaOPqnHS\n -----END RSA PRIVATE KEY-----\n \"\"\"\n\nlet samplePKCS8PemPrivateKey = \"\"\"\n -----BEGIN ENCRYPTED PRIVATE KEY-----\n MIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIShGta1Mpj/QCAggA\n MBQGCCqGSIb3DQMHBAjQbLTPjvMqpwSCBMh8omeDIM0ceuoiEhaepFqbst/jUwYh\n m1pzLokTph0GS/81vmTDr9U7uI9rHiFbACRRMQBH/cCkZFUN2Jo3pJXA4q3RvGsh\n 4UIaWiP+SNkzKR54QcuWRzYoQs/YH8VickNp2per3zQ9R0Regx1ZaHSCk3cFRFy3\n 4sJtgoquwJYD2vUdQvhwcuF2Syl/VCpaQ0+KtfBqJ+4YLJPQcsL+OKLlaWFY0ivO\n 2oSVCg3QJrVbS8TDnrIgeL8MNhyVHQbuSyh2MlXKcjiKlJHdHXSlYSINgpUsc/Eg\n cTSgod0JXvjbExrtBx2mODwM5hzDkGpdub+TptXinQg3FQjUKhBh/+wrP0HoKBcn\n UFE1emd3n1s0MFN28uSN3OcX3833Lt4KAnxF4xaPfWEAk/2yuukiUqKU+K9cEhNX\n V1arxKq8RLB7n7o6YFt3xuVgAJYWDk6nyr/0I2LgFj2Jz/C2v+YBFYGUcQUKgHQw\n OLzzZnCrPj8JIP2cUqagZrW7JOoMsFCtroJptImaqhsm/4i3tyf2uoUWglZN8DVE\n WbNbnAr5KZSl9U1/sNuEesixIWd+RrJC/l0tNmScCvJifL9WrJnccOI83EAkmz/+\n W8UpcPCscAmAdOcjFQl8T37xHGxwVcvh8LyaoacBqQCYiZzO/M6bA2YuBYVpkk4v\n DFXMmy2SaHGGhGHDmyn4uuzykGCOn1ZN92eT6PXZCmHz0/QCH6RIGx2cK5frfhUP\n icU30GnK1jRv8QFHVx9IZQpHbALRgSNMbtF8EqWmONUIs9wQIQtEMZ2AYwq8gKL2\n 9Cwk2SkqO0Y8dbE/lw+iBA37/NO7KiSLB/Mpq0/zX5SfBVcGZAVzGKiyeOW5sKcI\n pSOTTv5jLkoEnels2f0jsPM7aMjG+ys6wveL0tDhfKSbtjyC8Zw/eXpK9AHGW8Hr\n xM7hwTkQpznyt/NUIDmjrDHg7n6O9sp7KWduP1L9bYC/n5Dj2gnxHj6FFTpMqmm7\n Q6GEj/dttmqvSYeG93heWqoS/j6j45dppoKG/3vU9UWODStcc3y66WJ2ULEY0/CF\n IiBd33GJgIKUJlrMGwUSAPxH2wklF3VwWFVXMnLbqpggaWlVxzVnvGjnzoHm3AW6\n hWCMnvsP/pYVBMpaKKdPF6PCW1yQXjTbA67gxpGECoin2Bu/rp+t0GeVmgTcCS9a\n Y2Su4cpwCD1ngIrdodWhVVJSObApRdn3SDI2xOZUgZPVT52AtEMPQ3R5eoIOfLI6\n CPC7cYl2JDmMkKGLaSom1zZpCoXtPTkxDAIpaG4ofT6pIDibCSywllL1KeeVw4WX\n Cr2b/BS5TZNFyPzdrMaN5og6hNkbyca73SyEADnJtHTQc6mi/Q93al4TI3RYaVpk\n KWwIW4kZE/p5pONeZDNNt7dKrgkjaTylNpM9jdnBL3hU5Fxr4I6a6+IBWQC03EwC\n o2zT+g6YmVkod050GMv0V60npTpbOpWIamzB+q3GMMkU9NNyw8xH7RkNS78eWLVv\n niWQmWlbkzLEf5PT264+c4w9IkE8aUKY2V8Ev2k1FXZcLdfw3G5yVzrjXoAwFUaY\n xnOAdO/QLMtD55Kn+jzV6dCXmyZQkBJAMLBF5xEX9DcnXCptZ2Asgvxa4EpO7jzX\n v5o=\n -----END ENCRYPTED PRIVATE KEY-----\n \"\"\"\n\n/// A CA that expired a while ago.\nlet sampleExpiredCA = \"\"\"\n -----BEGIN CERTIFICATE-----\n MIIC5TCCAc2gAwIBAgIUTSNLkfg8YiYSq+fnrXP25txgCkUwDQYJKoZIhvcNAQEL\n BQAwIjEgMB4GA1UEAwwXYmFkQ2VydGlmaWNhdGVBdXRob3JpdHkwHhcNMTkwODA5\n MTk1MTExWhcNMTkxMTE3MTk1MTExWjAiMSAwHgYDVQQDDBdiYWRDZXJ0aWZpY2F0\n ZUF1dGhvcml0eTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKqWcbgw\n TFX14tKxUMIrla9Y0aLddlnnTDqsxtxJ7dSjE4+OBkVBslCq4WtjgaeubdHkTCtc\n GRVeOpXVcEyznGBGW5k/5gCkmaGPe8jI4+caavtXnoTdPU91ukYkZkBXzCgycVS8\n kQxyPwvTDUOfHQ3VqUfc2LMTXQYU3vzyrPzq7XAWgZR9d5lOtB9tpGnxCRP8GOFO\n KHa3KroiRxJb2cReJsayJWx713pje5lPKtSKP0iYICR2kYgtP+8Y3wPzcLzPRM9u\n 6a0olO6PFFWdPNRtivObCr5Y3Cy0P8i2ZSyOO2c6cn0ksLmCe/qrRX9HKx7TrmEu\n 7Rs+ql6liiyrQ7ECAwEAAaMTMBEwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0B\n AQsFAAOCAQEAWSCh35Fk5Td+8uV3oe+K+IPbTrhtNmrwC42sGw/mpQC56zNjlDt9\n jBZVZbu5iAwO/nrtn+JpCSA3ADugjisQKQdELb/ogaCnIu2vY/fjHv7a9/tYoYc2\n i/rtcXIQdhSrniZuVnKG1Keu5qohKIP1ne4TAxADTlzl3Dx7QH/32hUBlJFwYiDQ\n JIuZD9LM5Ic9jtrsfTN79tNPM3eHofWUdKyUk9fTrM7/28kSERLJJz/RcXDMP85z\n 5Y0zZar+qh+9A6kYy/xcaFVOX0bDsuArBA6d/n0skqJN8gylOvdsnpeJRrXxOSSE\n dcvafu1dqy0zZdFMSzymwRnprqgdFYC1xw==\n -----END CERTIFICATE-----\n \"\"\"\n\n/// An intermediate signed by the above CA.\nlet sampleIntermediateCA = \"\"\"\n -----BEGIN CERTIFICATE-----\n MIIC3DCCAcSgAwIBAgIUDK9fkCTocM8Yu3csdNcm86ahG4IwDQYJKoZIhvcNAQEL\n BQAwIjEgMB4GA1UEAwwXYmFkQ2VydGlmaWNhdGVBdXRob3JpdHkwHhcNMTkxMTE2\n MTk1MTExWhcNMzAwNjAyMTk1MTExWjAZMRcwFQYDVQQDDA5pbnRlcm1lZGlhdGVD\n QTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALdj2KDFRR6Es/RpN+07\n q4IiQMoLVcDu/CoxCJSteNuNShmScfyqG4e6AFDOKxjv2U2NHWmhVbBYN7b9jStf\n uZBpvz4/JY4+mVfGASL7mBkcsTLzNG+7rmQ0Oi271KL5WlDmw6DUMIFNvYSy0q9y\n MFS5qSYJh4JnXXtdxkGIjDmrWy1hCRzIGCpDZXvNjnhJDphgH3Ss+PR7wTJZXRiJ\n uoO4plWWl3JsRIRoyuL7K2CeWrR7CvIEThTF/D2P/7odf+CNz//46lC83b5eKdIA\n GD+RECQaA1YFygAbvEln+za5AjnH11Y310zvzAb1gCxGuxNaABNKhYLcDpDL/Mcd\n Il0CAwEAAaMTMBEwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEA\n X4D5jVygEJyp6Ub/Yao9miF/vZW0bep00gOzHVJ8i6y1Qjn9ieVyrX9l6V8ZNwQU\n wrAkse99WoI94LT8QLWlAlDB7S0IS8IK7gkt+06pSbrhW5GJtEQJjug84DkOVqOm\n JSCupM2BEiHVQPYerF+sJ7I/4eENkafVn0zXSL9SEh9fPXBYJKiCYIxKWmGF3KOp\n KG5Y1W9sWz5NaatoL1kHFGDeuDWLwXJ8WZuNrtJNBe1iQ8yvuO1STRzjtq2iTDk3\n TCYZoKnV3ui38BJn7libgUsN3lHD4yKdrw5LNeyjrYOZ5oFhe4QBQv0ZA+wUR+h7\n 1A4gDvFcIkbYSywqlirBQg==\n -----END CERTIFICATE-----\n \"\"\"\n\n/// The intermediate above, self-signed, as a root\nlet sampleIntermediateAsRootCA = \"\"\"\n -----BEGIN CERTIFICATE-----\n MIIC0zCCAbugAwIBAgIUDK9fkCTocM8Yu3csdNcm86ahG4IwDQYJKoZIhvcNAQEL\n BQAwGTEXMBUGA1UEAwwOaW50ZXJtZWRpYXRlQ0EwHhcNMTkxMTE2MTk1MTExWhcN\n MzAwNjAyMTk1MTExWjAZMRcwFQYDVQQDDA5pbnRlcm1lZGlhdGVDQTCCASIwDQYJ\n KoZIhvcNAQEBBQADggEPADCCAQoCggEBALdj2KDFRR6Es/RpN+07q4IiQMoLVcDu\n /CoxCJSteNuNShmScfyqG4e6AFDOKxjv2U2NHWmhVbBYN7b9jStfuZBpvz4/JY4+\n mVfGASL7mBkcsTLzNG+7rmQ0Oi271KL5WlDmw6DUMIFNvYSy0q9yMFS5qSYJh4Jn\n XXtdxkGIjDmrWy1hCRzIGCpDZXvNjnhJDphgH3Ss+PR7wTJZXRiJuoO4plWWl3Js\n RIRoyuL7K2CeWrR7CvIEThTF/D2P/7odf+CNz//46lC83b5eKdIAGD+RECQaA1YF\n ygAbvEln+za5AjnH11Y310zvzAb1gCxGuxNaABNKhYLcDpDL/McdIl0CAwEAAaMT\n MBEwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAWervzZUKKDEb\n O9nXiJckFEBmCOlQuQ6O6+hVyRLAugtPDUyesCUDqoLF2wmMKNRM322gJKaWShaM\n ueBrXHIx+ERXKJsgFic8b2m/v+VT16aAVPvQCLmZBpWR2ICqgNTpUzoDXqIZk/9l\n ZkJZMaS9kiQmEPeTDH2O8acO9TjqmQbdZa+q6kBWBnNzLPOu5ziEdKrh7rNzikUw\n qe0yKxavA5L8l8uWumGC8L6GE7ie7X8oMLwaLXFXt2TG9ZENrVQ0xcLSKTBAF2yL\n 4lqh2YnpZhntnCtv9Qvx81Asp2+6YfocAe9IKNIA534R2FgoZwt24SokDBhfg49d\n 2fV7ZO/cqQ==\n -----END CERTIFICATE-----\n \"\"\"\n\n/// A client signed by the intermediate.\nlet sampleClientOfIntermediateCA = \"\"\"\n -----BEGIN CERTIFICATE-----\n MIIC4TCCAcmgAwIBAgIUFJCxfytdLl/FpvlUqwJbztiALjcwDQYJKoZIhvcNAQEL\n BQAwGTEXMBUGA1UEAwwOaW50ZXJtZWRpYXRlQ0EwHhcNMTkxMTE2MTk1MTExWhcN\n MzAwNTI4MTk1MTExWjAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwggEiMA0GCSqGSIb3\n DQEBAQUAA4IBDwAwggEKAoIBAQDS9XBpPYlP3ToaYKmWaqhXd4lnLSvjReuknE9I\n UmvFBoPTyGRU2UNv8N9tFT3xMOX2DrGOn7eVqXBXOvKYRB8+q3CIsh3F/5smdNKQ\n PfsL2tFL4d2lvrZ+2GOr2yRtPm9nH0N2wrmJi6GtR1J+x2Uvm7EoHvk3Ujbo77fB\n HvFauvwA3GsFT10J+f5buPcNW0rdpo+ASMfMpfBMsr0Ucy1ys9XM/ehCMeWMiX/d\n d+fxqmOtl1tGyw4/Bbub5uf/HkiJStbKSCMgs7E4VgVhqFMu6jpeMlADXgDeOKEa\n rW+Ds8eb3TkdIlYE2nmwxvdOPeW3AgChkE5RCRYW0aALTwEbAgMBAAGjJjAkMAwG\n A1UdEwEB/wQCMAAwFAYDVR0RBA0wC4IJbG9jYWxob3N0MA0GCSqGSIb3DQEBCwUA\n A4IBAQBarG3HrdOULNMGfY/UrSoc2qCQoK33SxM43ecFSXsDbPXLOZHp9iQmib1f\n uKy2m4VVkxtxYrQ2i7bueqgRt91rM7hHR8+uopj/BdNYFZfIik+VNFoyKJeATYcx\n FRjjAAoMpVYdAJXvtckNix8mlAdan5VNL1AsHYum25BjClQEy+kHM1i3bDLOIiDB\n dKMwvI/1ZnUgrMFnAvK8U8WxbxVxij8IeloW+YgjOYXqzjCysVh3L7HkI3AOi6yw\n eMNi5idG30y1NnTJWTSWzwR4UcoeLFdzMAmAxo5IVJBYnngcLTEkfofGFC9k2ODI\n XANkLW5BKAnSmOQUBrExL4yAj5jt\n -----END CERTIFICATE-----\n \"\"\"\n\n/// The key for the above cert.\nlet sampleKeyForCertificateOfClientOfIntermediateCA = \"\"\"\n -----BEGIN PRIVATE KEY-----\n MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDS9XBpPYlP3Toa\n YKmWaqhXd4lnLSvjReuknE9IUmvFBoPTyGRU2UNv8N9tFT3xMOX2DrGOn7eVqXBX\n OvKYRB8+q3CIsh3F/5smdNKQPfsL2tFL4d2lvrZ+2GOr2yRtPm9nH0N2wrmJi6Gt\n R1J+x2Uvm7EoHvk3Ujbo77fBHvFauvwA3GsFT10J+f5buPcNW0rdpo+ASMfMpfBM\n sr0Ucy1ys9XM/ehCMeWMiX/dd+fxqmOtl1tGyw4/Bbub5uf/HkiJStbKSCMgs7E4\n VgVhqFMu6jpeMlADXgDeOKEarW+Ds8eb3TkdIlYE2nmwxvdOPeW3AgChkE5RCRYW\n 0aALTwEbAgMBAAECggEBAIzYFxv8XK+4iPFRdggZ35i+EzuSegm8Be6Z+YjUlmUt\n y1fbI7lOcOrMy669juR3/CCCgOMzGVPPk1R547vrR10FAxYQrTYjSIetWWO6LeEl\n T7U08FGXeapIeIslvTU+iQw1YEprCYqecewJgTdpktHtRaL+wu6/ci+k1G8YZJVo\n qPmkSJigrEppm8ciXjvae+89jgUSEUmumI7A+LwiD2qr1GjGMg01TvKJ3jVrU0yq\n cGP58zAY/W1DcenJm26bpirE82Wnesosv3hQf2LBMGBMyVp6ErNzITSNN1fUSfyB\n 231DlGDor9oopfGfk9ApDUUVNXfFUv6ODnCSGBcdUkkCgYEA8snNvwok8IjbXzeG\n zdDVUCVLX/o/vrFQg0KmktTArklLe7vAgcbmCp5TbdZKnpHam2KNu6ucgla5ZchV\n 5vHbAdAhhvZFnYEaDPlpvueVT2jLWZHvsld17vfy7PVpZBwJSa2SQL4aC5sk+Bsn\n 5LbSE4OL2o0KLQr6+BOAa9soVw8CgYEA3nA6u4Pxdhlf4UGo1fMWFbeXvU6myBs2\n JXiAPEM/9wKiGS3LOseqBzLBAoiWND9J7ynDJ+w5uuezwJP6MZImj+J0kbXEm0vy\n 3iUBGBQvj1FJLN+wJx1QEzZBa+rslqX7vE+YsByJwfffqonGwXpj94Qxf6HMMDea\n fRuHxqAjVTUCgYBsXe7bymdahXuFMH+W9hOARmUyXbx+HR7Wt7Up7JRkNorem5r9\n Ug3zx19tsyxzQp7UpFSm455j/tmZuKW/A0zBrmiImPvRpYI/MEQm1a8rVpcNT7ox\n XCBjnYBsi82SxYDPxg11oGR3sbP6mgRgbcmutBSEZFeaa0BB4lJ70cJbuQKBgQDE\n a1gBo3ZB8hAvafp7yqby0GbmnKA7zYOXvPuHu16tcR7QmxZ9tjgXGSNEaHYydryD\n u14AT+F+gQHCiSkCQutYXQDQdjDBbWRt80EvEQwaQw4Z2QDE2WaPQHaupAj80l8j\n nynWQa0HoilYf0cKLFhABfRrnuUeossBtKDFrTzmDQKBgH2uBQ2v0hV3EW7u2wdy\n y7V9lkY+GDm51P1GWAH5c0BBZp3iAW1IBNzbUB8wXVJmhYPWO5Mh7wCAnr18HEZz\n OjJVhqRxwhY4NEUsyI86Xxb7rV23HAM6laDItQ/bPlR+b7py5GWCH/DRhhZjHuta\n yVOAYA18BnJi7O7Cwd6krmQd\n -----END PRIVATE KEY-----\n \"\"\"\n\nlet sampleDerCertSPKI = Array(\n Data(\n base64Encoded: \"\"\"\n 'MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA72vMk44TxyawioAkwKscPGQEAyBmEywnzrcyda1XPkkgkroIoj827bq0TOiQfLcQj3nrlHCKS9q6F4yxZpMUDg8P8/6zUO3FEIYhwrnH5KhM3sOuflm56gk1lF9Ni436DDKGmvOtmtiNem8RU9i5Ih5SorlcatPIUDa4aP3Bjd/0gXit3slPR7BFvVTw5xHvFBtcoaORjiIkTVPJ+YiwFlugpob9phr0pudbJOQOyxoQtZQgquPDC4+BWBK+UBiajXYyWwYTOQ73PvyO8WaFQ6xoSV0zxRrYCE4pbShJiBq5W6uj8Cn+jnOfw8MgNqmX2D7m+M3Yu5ypfZr262gW/FIpdPg29+kv18m/N0E0wzjGmq0ciRXR+SIxtaQRbYUWU5cqcglXzBPhr2J264gMyDw7uhz6C32kb0wdNa2FebhLb0MBFOp9njxtbvvPxGsRRFXTejTlv+3C4AlJHLI4JSLrXIyjdg3K15uNjZbc/Gqmr5iZPmqGoFkMuVMsym24V0hK/pJCCDsmgUcYxZFdRq8yP+yfmpkPilDJlOgcnZW2Dlb8wjWkrBzegoPozf/sZ/fmv3ZX+jHpdPv5+cSwAfwC1CJkmQRu/MnmWlSKFIhpXdr9L6OeTsvDxOm+O2l+M6D7AFuVzfw5r22TZZ1fBgNue9t4vbpabIfBBNQGLWMCAwEAAQ=='\n \"\"\",\n options: .ignoreUnknownCharacters\n )!\n)\n\n// Custom Root for the certificates below.\n// For example the following two certificates were issued from customCARoot:\n// 1. leafCertificateForTLSIssuedFromCustomCARoot (Used for TLS)\n// 2. leafCertificateForClientAuthenticationIssuedFromCustomCARoot (Used for client authentication)\n// The client authentication certificate contains the Extension for Client Authentication.\n// Which is required for testing with the CertificateVerification case of .fullVerification.\n//\n// The certs from the custom root expire once a year, so here are the instructions\n// for when they expire again around August 14, 2026:\n//\n// 1. New custom CA:\n// - openssl genpkey -algorithm RSA -out ca_key.pem\n// - openssl req -x509 -new -key ca_key.pem -sha256 -days 1024 -out ca.pem -subj \"/CN=ca\"\n//\n// 2. New server cert:\n// - openssl genpkey -algorithm RSA -out server_key.pem\n// - openssl req -new -key server_key.pem -out server.csr -subj \"/CN=localhost\"\n// - openssl x509 -req -in server.csr -CA ca.pem -CAkey ca_key.pem -CAcreateserial -out server.pem -days 365 -sha256\n//\n// 3. New client cert:\n// - openssl genpkey -algorithm RSA -out client_key.pem\n// - now create a file called client_ext.cnf with the contents:\n// ```\n// [ v3_req ]\n// # Extensions for client authentication\n// extendedKeyUsage = clientAuth\n// ```\n// - openssl req -new -key client_key.pem -out client.csr -subj \"/CN=localhost\"\n// - openssl x509 -req -in client.csr -CA ca.pem -CAkey ca_key.pem -CAcreateserial -out client.pem -days 365 -sha256 -extfile client_ext.cnf -extensions v3_req\n//\n// Then, copy the contents of the files into the literal strings below.\nlet customCARoot = \"\"\"\n -----BEGIN CERTIFICATE-----\n MIICljCCAX4CCQDV3NUC6QWiyDANBgkqhkiG9w0BAQsFADANMQswCQYDVQQDDAJj\n YTAeFw0yNTA4MTQxMjM5NTZaFw0yODA2MDMxMjM5NTZaMA0xCzAJBgNVBAMMAmNh\n MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA9MqFE9SHDnw3Cw5hOQuP\n gycdKyw3njytnfrRsDSRDEZDplitFmbm4DckrFwfG2xo9WXkiUZhR8JFiqnuc7gc\n Q0vtmEipoJA21t/nWtL9z0OHx8ngYTFBA72s7UocLw/5+y27CsuoamCR8br1Opxy\n JrPBihUzJzTJJ8gSPvzFyyg0dnoGswe+68GawPJmgmAzae7Yc/dqEeFYDUpb743P\n C6uirnw8rE/eLH6doLXoXGHhC0K8thfrny15n20ozMag7FDF0UdWpsfbhX6BINTf\n 5sR3teCPz+QZ8D4zkoSqf1Oeif5LsmKdtBuE8w+kgRZs+i/WwLSm70DpIfNeuu9r\n 7wIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQDd06g6Tk1lTg4IVUKNZ86P2HXDK0V3\n WFngU2Vsh5P+s7DHe+VFV6qE8AIs3E0OIYbmRPOm2ZRMTASVevTt+yLFs95txmid\n tjmQwD52QN3ivUTQTWvpaM8yJcji2qvPVn291ZrIGBsRF/stMlkSHDwhP+p+TQa8\n gv9LcWiTR40x/4eyC61fe8elS6vVBENJlXk91SyFSzpTnW3BElUZteaofiU26kXA\n SHbJxyRhp5xFVpxYUKGjVl0H7sHQn0NDN3wpqy4kBX8dPCEVe3IlBYG8xE/TfRAr\n 4bqP3ub5/HAabeyheEpljPehFVC65OIGHzfHBluqeEAvIm7vXaWGbwOI\n -----END CERTIFICATE-----\n \"\"\"\n\nlet leafCertificateForTLSIssuedFromCustomCARoot = \"\"\"\n -----BEGIN CERTIFICATE-----\n MIICnTCCAYUCCQDDQzp6nuhApzANBgkqhkiG9w0BAQsFADANMQswCQYDVQQDDAJj\n YTAeFw0yNTA4MTQxMjM5NTZaFw0yNjA4MTQxMjM5NTZaMBQxEjAQBgNVBAMMCWxv\n Y2FsaG9zdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALLJKEReHVQT\n ltlOLEyn1Rgr+WwgzoBuLREUcdrvDFfe/75ClnadOkYcIcXNakvUiTQMHyEUXZ6Z\n dKI+98Igmcwn9xpd7Jab8S+Z+AXzVg88xMdEWC4rufITG9CSGFBKQdolv8DEGY+I\n qQMCHzBDi7oMGmmXOugIPqMUgvCYAJ/bncn6bfeWIBjXxtRxJ8Jj6++3G6IvT4gx\n g/zIdWAf2snPQItZEm6cZZMV9bwjIgxPdxK/GEAzG8rsV7m0zPpgvDS+2waf/NXw\n uItAcJWUm/ylQCZ7fUv11T9LwfWpItNu7GuLzD5NI1mpNLAbm1W8FWr98GtPzTiV\n 4GCglAomjokCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAoTejnBrluy6NK+5425an\n yPS51CzRK+o8hBg2YQ6jzioexSeRXW/ivBkKB7j+iMNkVuRpzzLTA3Wz5+OvJQyI\n itGpVhLngaAaTBBBhga/cPejaBZKNCRTeXXSe/nMSAJhjO0XaZcyUESDq2rH+m81\n LUrqfjNOZW8w7zustKJq+QqY+jEiRAzmbL1hPoDlasromZ1+6TsOM71AgAyLoKgA\n Utj/VMlOKzAUyH+z/fPzXDM9nslfLqMnhMcD9vIWi0noypYoyrcaIATkhCjNRGXH\n PvWooCpurD7+JL7imZfT8x+6lp1XI86pC6FG+JTcObBRqvdLpQRMY4chE8G/FS18\n qA==\n -----END CERTIFICATE-----\n \"\"\"\n\nlet privateKeyForLeafCertificate = \"\"\"\n -----BEGIN PRIVATE KEY-----\n MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCyyShEXh1UE5bZ\n TixMp9UYK/lsIM6Abi0RFHHa7wxX3v++QpZ2nTpGHCHFzWpL1Ik0DB8hFF2emXSi\n PvfCIJnMJ/caXeyWm/EvmfgF81YPPMTHRFguK7nyExvQkhhQSkHaJb/AxBmPiKkD\n Ah8wQ4u6DBpplzroCD6jFILwmACf253J+m33liAY18bUcSfCY+vvtxuiL0+IMYP8\n yHVgH9rJz0CLWRJunGWTFfW8IyIMT3cSvxhAMxvK7Fe5tMz6YLw0vtsGn/zV8LiL\n QHCVlJv8pUAme31L9dU/S8H1qSLTbuxri8w+TSNZqTSwG5tVvBVq/fBrT804leBg\n oJQKJo6JAgMBAAECggEABQtJ2IvzNeELm3vqIguGJpVvBw7x5Iu3N8kk4TFnXr9K\n 5dpJFnWfJEU86rC98/++EzrYUf2aGpRnxwARy2dSD4F9JkBKIYGqz1X/umNAJVPo\n lVqnRj4zk9HYMg09JF7D9tyjyVN/CR6o7g3MRXdSZOBcimga4FsDMWStwQ34zom+\n mnwiau/yxOt2GReRmw3ioOlorUbtJ64uU/yYjHgplfM/BMq2TCqx15wgwDTLNyLs\n Xidh8ksG2qBbESEcvGSisarz2CXkDaaAVYLjQPsE2z6tzLYX+S1nSnbNUM1H9QZF\n ipJ9AB7g+f9vRQvAYzrvLIIa2SIDQUTRT/XLw59+UQKBgQDW9miB+oEMANvZw6lq\n p7PlI9m6l1/MFvhTC5upXnhchmVGiuSTpSDazgUHRgy1wHBRk1PwIPsTaURZEUAs\n nxe4+3/Ft3FqfITNngnKNS/OCCiXQ7ysDbvLLZ2ADbOohZ8Lb2/hNm7lOain4CdE\n 2qC1Vkb/9vWmm3dhM91Pb/bJFQKBgQDU6rpdGE6TxAytKXiV1fJjuf/Fvb9BLXkn\n x+0sOO/liKnyPj4SHjePb14jcU4F2cRa7hPHY1dw9i//j17oa7Wvsb/pi06qOg3o\n /I0Txdea1EqsBCCb5qwPWT+GfspQT3EZN+qwGpN26GzsAGj+bVsCAonkg71eO6NU\n 1sSw0JAkpQKBgBbXkDtflx7jaHk3ZWVD9MXAjX5aX3+cYT7R2PSiaT/LuC9Kywc1\n YMxfYAFp3CfkDwtcEGtP1d42LWEZiCw1q5uofedQmuip2qLOzFOEW1QVYdrRA9d0\n jiQE8NuOmSyrJj9c1BKmahpJijZshz+1y6X5SQoh//B4TLMzg6zRRPQRAoGBAK2R\n QCU9+GhrDG5o/T0gML1tVf0r5mpKmJZ+W3COZbn3A5tPdCgu69oIznQUHKeWU4RQ\n ylzjNdgHSS+K/7J2g6DbRPgssQ8Bzm8c2iDBSjaUUt8RakfM7nyAo9GPMHvxluAY\n /j9bGtV3ObvVxcGLAgKMcT6QymG0Ojyh66u8CZVlAoGARoGc28exX64y1+E4QA56\n 29cu7tN8YIdegV+qIN5OVzWWDco5BxAGFUrjlP0i5S8STBncdchhbu/97xplmREC\n OW0ct2fwce8+OTFzM9TXpzsLToliL2MLfM1H2bM1lY1xA4QtQudY/Xh+5YyotmNI\n fhsXm4WK1YTrkD3bSxNpzUE=\n -----END PRIVATE KEY-----\n \"\"\"\n\nlet leafCertificateForClientAuthenticationIssuedFromCustomCARoot = \"\"\"\n -----BEGIN CERTIFICATE-----\n MIICuzCCAaOgAwIBAgIJAMNDOnqe6ECoMA0GCSqGSIb3DQEBCwUAMA0xCzAJBgNV\n BAMMAmNhMB4XDTI1MDgxNDEyMzk1NloXDTI2MDgxNDEyMzk1NlowFDESMBAGA1UE\n AwwJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyGvt\n 9RAdndCEsZVMUvRoQ0vusQikqozTC/s5O6o6JK9M/u3NvSjywBNHtORqbuPFR3Ct\n 9X/kdoH9sPAQdCzTmDBdzktV7I2M2t94NcqsLw3k7904XtSwjXtITF7wR2zgZLjZ\n pXGjgg5ajpifLeOIT6NJo2q8qnuPf6E21dLk6jt3Mv76opfO7CoVNwEuSEEa/RWi\n IKjsjaCJ1rDaUEd9GTBXF3UoQCK1sYFRpIuZpaizAZxOO6emxqwF1OJDgoAXMrHw\n e7nWc28ntOSI3W3bkQx0oVS02uHiEvMxF4HDZes2d0kR+2SiOfivTyZQsAVA7N0A\n Z5qlfllFe9+5Nn/hiQIDAQABoxcwFTATBgNVHSUEDDAKBggrBgEFBQcDAjANBgkq\n hkiG9w0BAQsFAAOCAQEA0blksL3YrmTnfPeh342jCnNUK9fg6cVXV+W6jccHJ7/g\n en5t+50VJ4R4NvEhCdx87mrPbozWfpPzE9OifeM+qrljXitajZtblGe2Xv0j3pWP\n Lx6ulfPSVY2Ss6Yr5O6aTovLR3QHHuud+Bw//J3s1DNpVphbB6GmLSBDx+UHf7wd\n p4FjrGJj0JrUDzX28s2v/SNhph9AhEgYu9xStrJBn38cao/Ww5rjhQkNATghLlmA\n 4ljvGb5PQcKo16gkW99gbTziyPIJ97m1+7KGIJGSIixmwZK1NIlN8pf3rJuAak4K\n Un7Y0TKn8oackbntmk7NYlaL6u3m4JzZp2nSCJ3QTA==\n -----END CERTIFICATE-----\n \"\"\"\n\nlet privateKeyForClientAuthentication = \"\"\"\n -----BEGIN PRIVATE KEY-----\n MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDIa+31EB2d0ISx\n lUxS9GhDS+6xCKSqjNML+zk7qjokr0z+7c29KPLAE0e05Gpu48VHcK31f+R2gf2w\n 8BB0LNOYMF3OS1XsjYza33g1yqwvDeTv3The1LCNe0hMXvBHbOBkuNmlcaOCDlqO\n mJ8t44hPo0mjaryqe49/oTbV0uTqO3cy/vqil87sKhU3AS5IQRr9FaIgqOyNoInW\n sNpQR30ZMFcXdShAIrWxgVGki5mlqLMBnE47p6bGrAXU4kOCgBcysfB7udZzbye0\n 5IjdbduRDHShVLTa4eIS8zEXgcNl6zZ3SRH7ZKI5+K9PJlCwBUDs3QBnmqV+WUV7\n 37k2f+GJAgMBAAECggEAQhPLbVt12D0SMpY9hrAL2/wh4v4thAlP34hhUzmJV+Tv\n 5rCyfyYL+qWgo5QXPx4bQbV1tRYIVcX/xSEw24yX6novwz71Qjtc8CBzOpDqec0D\n 6M0vs5w95Td7G6rFX1cXGD4Vi8VOmidvVcod2PxGSbNVKOqc7zwzkGmvcYnJbSu+\n XRThz03SqY6s0Jp0lKWvewTuPG6YzOlCeKlMGbxShE5zhEcGdjhND0J+Q6EUynOc\n 9tINUakrnwIo80WaPeXIk1/eCneCJ+STdTeCIfsY/X564yHwkIrzQ4So+anZ+pCW\n lZtZnsy3DdpAoP0vDUwbcsJUNtoLDFc3JiU/e/z7nQKBgQDsoHcjero1mNufZlp5\n vCGuGblMB5cOceFB0X/oTdkqLwt1+5i/ytOIFI2ZAxzJvVa/wMbsExb5XbeD66l/\n pzFj3EFymafv1Mc7k+EqBI13OBUR9udBa/CpYwZwYuxiuLPERo9Cn3UniRKU0IQb\n MaQFAkOapS9fOwVrd8DPz8dhswKBgQDY1KC18Yv9fvBPvnwoKLb7zWbFeg9CH4/B\n IbA7OtWWkjhoLew6bQGzYeIVzUpElJXetCNgkwB71fWcHRwHDXvDx+QHU/JOgp1o\n tpg/nCoiZPyL79vjy1Cr2y7MsRckLP2dOFI4WrwerzmB/vxA3LAoG60i+FYXZkm0\n NG6nOjC50wKBgGw0oOZ/i8FQqjXFJ2B9sGUd7EchPWlkmB5x/+yqFMGei74jFGG4\n DW0wAORUsQhr5cyACjcQL7ROr8nKrVLrkMFaii8upsYcZhMPd6qwNEStR61UW8Hl\n 60J6PwqLog8u6T27Cm3r3zX6D54vkAmjdJ65v1JrcTM6GStgsrIVENbTAoGAA6p0\n nR7cUwjWX0LFLpihn1g1qJkLsP5/m7BKHnY8LjOCqKA+Ii69nJ7HB79UxhwM/Jrn\n DjbuByny4RTM6IGd2g2DGWyd6B3lM2QC5vBo9fPnISaI/SzuzDkEbYmA7qekEghl\n u3YtQAeOXVhGQ4J3p/Xv02uHaRXdoSJRzJn7QOkCgYEAxvn8bj0CCczRrFBHALYV\n /4p1VRq3xIKFwDOUP42Xu1Bj5ETuVeEsnTN40VwTlvZRv1Gr6zImqcIgs03QPR2F\n +nCAt3FPsQfM+CFO3gxiir9ycLmij8sEwfqr68nQLQ+zzwEgrMU50h6IZRUGk2BJ\n /0/E9r/0VwPQn5CZSt7NQvQ=\n -----END PRIVATE KEY-----\n \"\"\"\n\n// This is a root certificate used to setup and test sending CA names to\n// a client during client authentication.\n// This certificate is used to test having multiple root certificates in a directory.\nlet secondaryRootCertificateForClientAuthentication = \"\"\"\n -----BEGIN CERTIFICATE-----\n MIIC5TCCAc2gAwIBAgIUDxjYloPbo7PQteeQLKW499sRxm0wDQYJKoZIhvcNAQEL\n BQAwGjEYMBYGA1UEAwwPU2FtcGxlUHJvamVjdENBMB4XDTIyMDgwOTE4NDQyMloX\n DTIzMDgxMTE4NDQyMlowGjEYMBYGA1UEAwwPU2FtcGxlUHJvamVjdENBMIIBIjAN\n BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5Q19OwSP4UJo35NZ0rg/+bAbBh+v\n n7lilsPwLwhmhkwWZVSTPQr8bk5ceUGJtPups3w0d1oM/t7oC43O38sFwkCYL5nt\n Z6YuQfP0ZijDjO6WiQr+gwyaAZt84/Rm1MHYqF1gBCDFQhcba3CTSd4HQzls+uRF\n EaWqu4n706e10ed9Se1uAqeufYRdGPijskFNYmw+MgXWFC/WrY/TXRIoIQsj/g8A\n jC66Ovriz+nXWYjPBSLdyXY69WVR5v6qksMeuJAYv37nsWL1H9436Q3WhxlLZ3Hl\n v3SI13Kk6y7Sp5TYDeomeMi+9aAHOtvZfZcBEw5yLCkJSXGQL3nIpk7oDQIDAQAB\n oyMwITAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwICpDANBgkqhkiG9w0B\n AQsFAAOCAQEAx+Ajc4SnzSS/1BpK+bVK2y0vH6NmF9Y9xjAi06pAWOtNpXBTH8Qe\n QdQbB/00nUDccEcIoEn46WDKwW4ebGKa4sn2BAalM0W2UoPMX0UYtUDPyNkeK8Q+\n MQVOaZX295g9t6sfQ/rbRQRGJHFH7VsRQPGHo/vYG91+ZS6judUUZw7Mcltaay2y\n ljU3QeOeO3m553tfw/MwY6UWiSs9jyZumtzxL3WS/LCssxwnknkE5IM2CA8IzBfM\n VShvzuAwd3a5ZTju3jD1cK0mwlbEYNw0xj+wjBLqwFuJI/CnQzGSElvQy0v2ygjr\n R6S+ZRBlGxAnjKbTEMg53A+0XkGg/Kgexg==\n -----END CERTIFICATE-----\n \"\"\"\n\nlet samplePemCerts = \"\\(samplePemCert)\\n\\(samplePemCert)\"\nlet sampleDerCert = pemToDer(samplePemCert)\nlet sampleDerKey = pemToDer(samplePemKey)\nlet sampleECDerKey = pemToDer(sampleECPemKey)\n// No DER version of the private key becuase encrypted DERs aren't real.\n\nfunc pemToDer(_ pem: String) -> Data {\n var lines = [String]()\n\n // This is very inefficient, but it doesn't really matter because this\n // code is run very infrequently and only in testing. Blame the inefficiency\n // on Linux Foundation, which currently lacks String.enumerateLines.\n let originalLines = pem.split(separator: \"\\n\")\n for line in originalLines {\n let line = String(line)\n if !line.hasPrefix(\"-----\") {\n lines.append(line)\n }\n }\n\n let encodedData = lines.joined(separator: \"\")\n return Data(base64Encoded: encodedData)!\n}\n\n// This function generates a random number suitable for use in an X509\n// serial field. This needs to be a positive number less than 2^159\n// (such that it will fit into 20 ASN.1 bytes).\n// This also needs to be portable across operating systems, and the easiest\n// way to do that is to use either getentropy() or read from urandom. Sadly\n// we need to support old Linuxes which may not possess getentropy as a syscall\n// (and definitely don't support it in glibc), so we need to read from urandom.\n// In the future we should just use getentropy and be happy.\nfunc randomSerialNumber() -> ASN1_INTEGER {\n let bytesToRead = 20\n let fd = open(\"/dev/urandom\", O_RDONLY)\n precondition(fd != -1)\n defer {\n close(fd)\n }\n\n var readBytes = Array.init(repeating: UInt8(0), count: bytesToRead)\n let readCount = readBytes.withUnsafeMutableBytes {\n read(fd, $0.baseAddress, bytesToRead)\n }\n precondition(readCount == bytesToRead)\n\n // Our 20-byte number needs to be converted into an integer. This is\n // too big for Swift's numbers, but BoringSSL can handle it fine.\n let bn = CNIOBoringSSL_BN_new()\n defer {\n CNIOBoringSSL_BN_free(bn)\n }\n\n _ = readBytes.withUnsafeBufferPointer {\n CNIOBoringSSL_BN_bin2bn($0.baseAddress, $0.count, bn)\n }\n\n // We want to bitshift this right by 1 bit to ensure it's smaller than\n // 2^159.\n CNIOBoringSSL_BN_rshift1(bn, bn)\n\n // Now we can turn this into our ASN1_INTEGER.\n var asn1int = ASN1_INTEGER()\n CNIOBoringSSL_BN_to_ASN1_INTEGER(bn, &asn1int)\n\n return asn1int\n}\n\nfunc generateRSAPrivateKey() -> OpaquePointer {\n let exponent = CNIOBoringSSL_BN_new()\n defer {\n CNIOBoringSSL_BN_free(exponent)\n }\n\n CNIOBoringSSL_BN_set_u64(exponent, 0x10001)\n\n let rsa = CNIOBoringSSL_RSA_new()!\n let generateRC = CNIOBoringSSL_RSA_generate_key_ex(rsa, CInt(2048), exponent, nil)\n precondition(generateRC == 1)\n\n let pkey = CNIOBoringSSL_EVP_PKEY_new()!\n let assignRC = CNIOBoringSSL_EVP_PKEY_assign_RSA(pkey, rsa)\n\n precondition(assignRC == 1)\n return pkey\n}\n\nfunc generateECPrivateKey(curveNID: CInt = NID_X9_62_prime256v1) -> OpaquePointer {\n let ctx = CNIOBoringSSL_EVP_PKEY_CTX_new_id(EVP_PKEY_EC, nil)!\n defer {\n CNIOBoringSSL_EVP_PKEY_CTX_free(ctx)\n }\n\n precondition(CNIOBoringSSL_EVP_PKEY_keygen_init(ctx) == 1)\n precondition(CNIOBoringSSL_EVP_PKEY_CTX_set_ec_paramgen_curve_nid(ctx, curveNID) == 1)\n\n var pkey: OpaquePointer? = nil\n precondition(CNIOBoringSSL_EVP_PKEY_keygen(ctx, &pkey) == 1)\n\n return pkey!\n}\n\nfunc addExtension(x509: OpaquePointer, nid: CInt, value: String) {\n var extensionContext = X509V3_CTX()\n\n CNIOBoringSSL_X509V3_set_ctx(&extensionContext, x509, x509, nil, nil, 0)\n let ext = value.withCString { (pointer) in\n CNIOBoringSSL_X509V3_EXT_nconf_nid(nil, &extensionContext, nid, UnsafeMutablePointer(mutating: pointer))\n }!\n CNIOBoringSSL_X509_add_ext(x509, ext, -1)\n CNIOBoringSSL_X509_EXTENSION_free(ext)\n}\n\nfunc generateSelfSignedCert(\n keygenFunction: () -> OpaquePointer = generateRSAPrivateKey\n) -> (NIOSSLCertificate, NIOSSLPrivateKey) {\n let pkey = keygenFunction()\n let x = CNIOBoringSSL_X509_new()!\n CNIOBoringSSL_X509_set_version(x, 2)\n\n // NB: X509_set_serialNumber uses an internal copy of the ASN1_INTEGER, so this is\n // safe, there will be no use-after-free.\n var serial = randomSerialNumber()\n CNIOBoringSSL_X509_set_serialNumber(x, &serial)\n\n let notBefore = CNIOBoringSSL_ASN1_TIME_new()!\n var now = time(nil)\n CNIOBoringSSL_ASN1_TIME_set(notBefore, now)\n CNIOBoringSSL_X509_set_notBefore(x, notBefore)\n CNIOBoringSSL_ASN1_TIME_free(notBefore)\n\n now += 60 * 60 // Give ourselves an hour\n let notAfter = CNIOBoringSSL_ASN1_TIME_new()!\n CNIOBoringSSL_ASN1_TIME_set(notAfter, now)\n CNIOBoringSSL_X509_set_notAfter(x, notAfter)\n CNIOBoringSSL_ASN1_TIME_free(notAfter)\n\n CNIOBoringSSL_X509_set_pubkey(x, pkey)\n\n let commonName = \"localhost\"\n let name = CNIOBoringSSL_X509_get_subject_name(x)\n commonName.withCString { (pointer: UnsafePointer) -> Void in\n pointer.withMemoryRebound(to: UInt8.self, capacity: commonName.lengthOfBytes(using: .utf8)) {\n (pointer: UnsafePointer) -> Void in\n CNIOBoringSSL_X509_NAME_add_entry_by_NID(\n name,\n NID_commonName,\n MBSTRING_UTF8,\n UnsafeMutablePointer(mutating: pointer),\n ossl_ssize_t(commonName.lengthOfBytes(using: .utf8)),\n -1,\n 0\n )\n }\n }\n CNIOBoringSSL_X509_set_issuer_name(x, name)\n\n addExtension(x509: x, nid: NID_basic_constraints, value: \"critical,CA:FALSE\")\n addExtension(x509: x, nid: NID_subject_key_identifier, value: \"hash\")\n addExtension(x509: x, nid: NID_subject_alt_name, value: \"DNS:localhost\")\n addExtension(x509: x, nid: NID_ext_key_usage, value: \"critical,serverAuth,clientAuth\")\n\n CNIOBoringSSL_X509_sign(x, pkey, CNIOBoringSSL_EVP_sha256())\n\n return (\n NIOSSLCertificate.fromUnsafePointer(takingOwnership: x),\n NIOSSLPrivateKey.fromUnsafePointer(takingOwnership: pkey)\n )\n}\n\nfinal class BackToBackEmbeddedChannel {\n private(set) var client: EmbeddedChannel\n private(set) var server: EmbeddedChannel\n private(set) var loop: EmbeddedEventLoop\n\n init() {\n self.loop = EmbeddedEventLoop()\n self.client = EmbeddedChannel(loop: self.loop)\n self.server = EmbeddedChannel(loop: self.loop)\n }\n\n func run() {\n self.loop.run()\n }\n\n func connectInMemory() throws {\n let addr = try assertNoThrowWithValue(SocketAddress(unixDomainSocketPath: \"/tmp/whatever2\"))\n let connectFuture = self.client.connect(to: addr)\n self.server.pipeline.fireChannelActive()\n try self.interactInMemory()\n try connectFuture.wait()\n }\n\n func interactInMemory() throws {\n var workToDo = true\n\n while workToDo {\n workToDo = false\n\n self.loop.run()\n let clientDatum = try self.client.readOutbound(as: IOData.self)\n let serverDatum = try self.server.readOutbound(as: IOData.self)\n\n // Reads may trigger errors. The write case is automatic.\n try self.client.throwIfErrorCaught()\n try self.server.throwIfErrorCaught()\n\n if let clientMsg = clientDatum {\n try self.server.writeInbound(clientMsg)\n workToDo = true\n }\n\n if let serverMsg = serverDatum {\n try self.client.writeInbound(serverMsg)\n workToDo = true\n }\n }\n }\n}\n" }, { "path": "Tests/NIOSSLTests/ObjectIdentifierTests.swift", "content": "//===----------------------------------------------------------------------===//\n//\n// This source file is part of the SwiftNIO open source project\n//\n// Copyright (c) 2022 Apple Inc. and the SwiftNIO project authors\n// Licensed under Apache License v2.0\n//\n// See LICENSE.txt for license information\n// See CONTRIBUTORS.txt for the list of SwiftNIO project authors\n//\n// SPDX-License-Identifier: Apache-2.0\n//\n//===----------------------------------------------------------------------===//\n\n@_implementationOnly import CNIOBoringSSL\nimport XCTest\n\n@testable import NIOSSL\n\nprivate final class OIDMemoryOwner {\n var reference: OpaquePointer!\n public init?(_ string: String) {\n let result = string.withCString { string in\n CNIOBoringSSL_OBJ_txt2obj(string, 1)\n }\n guard let reference = result else {\n return nil\n }\n self.reference = reference\n }\n deinit {\n CNIOBoringSSL_ASN1_OBJECT_free(self.reference)\n }\n}\n\nfinal class ObjectIdentifierTests: XCTestCase {\n func testEquatable() {\n XCTAssertEqual(\n NIOSSLObjectIdentifier(\"1.1\"),\n NIOSSLObjectIdentifier(\"1.1\")\n )\n XCTAssertEqual(NIOSSLObjectIdentifier(\"1.2\"), NIOSSLObjectIdentifier(\"1.2\"))\n XCTAssertEqual(NIOSSLObjectIdentifier(\"1.2.3\"), NIOSSLObjectIdentifier(\"1.2.3\"))\n\n XCTAssertNotEqual(NIOSSLObjectIdentifier(\"1\"), NIOSSLObjectIdentifier(\"1.2\"))\n XCTAssertNotEqual(NIOSSLObjectIdentifier(\"1.2\"), NIOSSLObjectIdentifier(\"1.2.3\"))\n }\n\n func testHashable() {\n XCTAssertEqual(\n Set([\n NIOSSLObjectIdentifier(\"1.1\")\n ]),\n Set([\n NIOSSLObjectIdentifier(\"1.1\")\n ])\n )\n XCTAssertEqual(\n Set([\n NIOSSLObjectIdentifier(\"1.1\"),\n NIOSSLObjectIdentifier(\"1.2\"),\n ]),\n Set([\n NIOSSLObjectIdentifier(\"1.2\"),\n NIOSSLObjectIdentifier(\"1.1\"),\n ])\n )\n }\n\n func testCustomStringConvertible() {\n XCTAssertEqual(NIOSSLObjectIdentifier(\"1.1\")?.description, \"1.1\")\n XCTAssertEqual(NIOSSLObjectIdentifier(\"1.2\")?.description, \"1.2\")\n XCTAssertEqual(NIOSSLObjectIdentifier(\"1.2.3\")?.description, \"1.2.3\")\n XCTAssertEqual(NIOSSLObjectIdentifier(\"1.2.3.4\")?.description, \"1.2.3.4\")\n }\n\n func testUnowned() {\n var owner: Optional = OIDMemoryOwner(\"1.2.3\")!\n\n #if compiler(>=6.3)\n weak let weakReferenceToOwner = owner\n #else\n weak var weakReferenceToOwner = owner\n #endif\n\n var oid: Optional = NIOSSLObjectIdentifier(borrowing: owner!.reference, owner: owner!)\n XCTAssertEqual(oid?.description, \"1.2.3\")\n\n owner = nil\n XCTAssertNotNil(weakReferenceToOwner, \"OID should still have a strong reference to the owner\")\n\n XCTAssertEqual(oid?.description, \"1.2.3\")\n\n oid = nil\n XCTAssertNil(\n weakReferenceToOwner,\n \"OID is released and therefore no one should still have a strong reference to the owner\"\n )\n }\n\n func testCopy() {\n var owner: Optional = OIDMemoryOwner(\"1.2.3\")!\n\n #if compiler(>=6.3)\n weak let weakReferenceToOwner = owner\n #else\n weak var weakReferenceToOwner = owner\n #endif\n\n let oid: Optional = withExtendedLifetime(owner) {\n NIOSSLObjectIdentifier(copyOf: $0?.reference)\n }\n\n XCTAssertEqual(oid?.description, \"1.2.3\")\n owner = nil\n XCTAssertNil(weakReferenceToOwner, \"OID should no longer have a strong reference to the owner\")\n\n XCTAssertEqual(oid?.description, \"1.2.3\", \"copy should still work after the original owner is deallocated\")\n }\n}\n" }, { "path": "Tests/NIOSSLTests/SSLCertificateExtensionsTests.swift", "content": "//===----------------------------------------------------------------------===//\n//\n// This source file is part of the SwiftNIO open source project\n//\n// Copyright (c) 2022 Apple Inc. and the SwiftNIO project authors\n// Licensed under Apache License v2.0\n//\n// See LICENSE.txt for license information\n// See CONTRIBUTORS.txt for the list of SwiftNIO project authors\n//\n// SPDX-License-Identifier: Apache-2.0\n//\n//===----------------------------------------------------------------------===//\n\nimport XCTest\n\n@testable import NIOSSL\n\nfinal class SSLCertificateExtensionsTests: XCTestCase {\n func test() throws {\n let cert = try NIOSSLCertificate(bytes: Array(samplePemCert.utf8), format: .pem)\n\n XCTAssertEqual(cert._extensions.count, 3)\n let basicConstraint = try XCTUnwrap(\n cert._extensions.first(where: { $0.objectIdentifier == .init(\"2.5.29.19\")! })\n )\n let subjectKeyIdentifier = try XCTUnwrap(\n cert._extensions.first(where: { $0.objectIdentifier == .init(\"2.5.29.14\")! })\n )\n let authorityKeyIdentifier = try XCTUnwrap(\n cert._extensions.first(where: { $0.objectIdentifier == .init(\"2.5.29.35\")! })\n )\n\n XCTAssertEqual(basicConstraint.isCritical, false)\n XCTAssertEqual(\n Array(basicConstraint.data),\n [\n 0x30, 0x3, 0x1, 0x1, 0xFF,\n ]\n )\n\n XCTAssertEqual(subjectKeyIdentifier.isCritical, false)\n XCTAssertEqual(\n Array(subjectKeyIdentifier.data),\n [\n 0x04, 0x14,\n 0xE8, 0x3D, 0x19, 0x93, 0x05, 0x01, 0x05, 0xE4, 0x5E, 0x4B,\n 0x70, 0xF8, 0x94, 0x23, 0x9A, 0x81, 0x34, 0xF0, 0x54, 0xF8,\n ]\n )\n\n XCTAssertEqual(authorityKeyIdentifier.isCritical, false)\n XCTAssertEqual(\n Array(authorityKeyIdentifier.data),\n [\n 0x30, 0x16, 0x80, 0x14,\n 0xE8, 0x3D, 0x19, 0x93, 0x05, 0x01, 0x05, 0xE4, 0x5E, 0x4B,\n 0x70, 0xF8, 0x94, 0x23, 0x9A, 0x81, 0x34, 0xF0, 0x54, 0xF8,\n ]\n )\n }\n\n func testEmptyExtensions() {\n let extensions = NIOSSLCertificate._Extensions(takeOwnershipOf: nil)\n XCTAssertEqual(extensions.count, 0)\n }\n\n func testUnowned() throws {\n var owner: Optional = try NIOSSLCertificate(bytes: Array(samplePemCert.utf8), format: .pem)\n\n #if compiler(>=6.3)\n weak let weakReferenceToOwner = owner\n #else\n weak var weakReferenceToOwner = owner\n #endif\n\n var extensions: Optional = owner!._extensions\n XCTAssertEqual(extensions.map { Array($0) }?.count, 3)\n\n owner = nil\n XCTAssertNotNil(weakReferenceToOwner, \"extensions should still have a strong reference to the owner\")\n\n XCTAssertEqual(extensions.map { Array($0) }?.count, 3)\n\n extensions = nil\n XCTAssertNil(\n weakReferenceToOwner,\n \"extensions are released and therefore no one should still have a strong reference to the owner\"\n )\n }\n}\n" }, { "path": "Tests/NIOSSLTests/SSLCertificateTest.swift", "content": "//===----------------------------------------------------------------------===//\n//\n// This source file is part of the SwiftNIO open source project\n//\n// Copyright (c) 2017-2021 Apple Inc. and the SwiftNIO project authors\n// Licensed under Apache License v2.0\n//\n// See LICENSE.txt for license information\n// See CONTRIBUTORS.txt for the list of SwiftNIO project authors\n//\n// SPDX-License-Identifier: Apache-2.0\n//\n//===----------------------------------------------------------------------===//\n\nimport Foundation\nimport NIOCore\nimport XCTest\n\n@testable import NIOSSL\n\nlet multiSanCert = \"\"\"\n -----BEGIN CERTIFICATE-----\n MIIDEzCCAfugAwIBAgIURiMaUmhI1Xr0mZ4p+JmI0XjZTaIwDQYJKoZIhvcNAQEL\n BQAwFDESMBAGA1UEAwwJbG9jYWxob3N0MB4XDTE3MTAzMDEyMDUwMFoXDTQwMDEw\n MTAwMDAwMFowFDESMBAGA1UEAwwJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEF\n AAOCAQ8AMIIBCgKCAQEA26DcKAxqdWivhS/J3Klf+cEnrT2cDzLhmVRCHuQZXiIr\n tqr5401KDbRTVOg8v2qIyd8x4+YbpE47JP3fBrcMey70UK/Er8nu28RY3z7gZLLi\n Yf+obHdDFCK5JaCGmM61I0c0vp7aMXsyv7h3vjEzTuBMlKR8p37ftaXSUAe3Qk/D\n /fzA3k02E2e3ap0Sapd/wUu/0n/MFyy9HkkeykivAzLaaFhhvp3hATdFYC4FLld8\n OMB60bC2S13CAljpMlpjU/XLLOUbaPgnNUqE1nFqFBoTl6kV6+ii8Dd5ENVvE7pE\n SoNoyGLDUkDRJJMNUHAo0zbxyhd7WOtyZ7B4YBbPswIDAQABo10wWzBLBgNVHREE\n RDBCgglsb2NhbGhvc3SCC2V4YW1wbGUuY29tgRB1c2VyQGV4YW1wbGUuY29thwTA\n qAABhxAgAQ24AAAAAAAAAAAAAAABMAwGA1UdEwEB/wQCMAAwDQYJKoZIhvcNAQEL\n BQADggEBACYBArIoL9ZzVX3M+WmTD5epmGEffrH7diRJZsfpVXi86brBPrbvpTBx\n Fa+ZKxBAchPnWn4rxoWVJmTm4WYqZljek7oQKzidu88rMTbsxHA+/qyVPVlQ898I\n hgnW4h3FFapKOFqq5Hj2gKKItFIcGoVY2oLTBFkyfAx0ofromGQp3fh58KlPhC0W\n GX1nFCea74mGyq60X86aEWiyecYYj5AEcaDrTnGg3HLGTsD3mh8SUZPAda13rO4+\n RGtGsA1C9Yovlu9a6pWLgephYJ73XYPmRIGgM64fkUbSuvXNJMYbWnzpoCdW6hka\n IEaDUul/WnIkn/JZx8n+wgoWtyQa4EA=\n -----END CERTIFICATE-----\n \"\"\"\n\nlet multiCNCert = \"\"\"\n -----BEGIN CERTIFICATE-----\n MIIDLjCCAhagAwIBAgIUR6eOMdEFZAqorykK6u6rwPGfsh0wDQYJKoZIhvcNAQEL\n BQAwSDELMAkGA1UEBhMCVVMxEjAQBgNVBAMMCUlnbm9yZSBtZTERMA8GA1UECAwI\n TmVicmFza2ExEjAQBgNVBAMMCWxvY2FsaG9zdDAeFw0xNzExMDIxMzM5MjRaFw00\n MDAxMDEwMDAwMDBaMEgxCzAJBgNVBAYTAlVTMRIwEAYDVQQDDAlJZ25vcmUgbWUx\n ETAPBgNVBAgMCE5lYnJhc2thMRIwEAYDVQQDDAlsb2NhbGhvc3QwggEiMA0GCSqG\n SIb3DQEBAQUAA4IBDwAwggEKAoIBAQCb/wE6/pF40KmF4bgtrlInWIojsDma08q7\n cK9LpzifjYNTrlTv7+8tR3TRkWwThW4sMGckq9u1Bty9aF50sazBZaLDZYoamuHS\n 43T7hj4aX++lEq+inlXaNX3WmKkq0y0ANLBsXaLC+8J+xemlXErBsacK1Lz8Yz//\n lVOwD85LG6UN87j8L/L5+t922HyGhQRVTvcbmXa05JovMXILXnoUeEvNteZZtLa0\n zcpO+9pN/VwmxVOnQncxTG81FV6Qypx7YFf16QyEDVkXrt7/l6k+I+sAzBHIn28Y\n cPq/HfcAbWPU+gMiCLCplDi5NCyL7yyiG7bEjxR0oiWhzZG1abgjAgMBAAGjEDAO\n MAwGA1UdEwEB/wQCMAAwDQYJKoZIhvcNAQELBQADggEBAFAknMMePElmNsuzEUWO\n m2a6n/cHEaJzDEVLbFifcCUNU2U6o2bgXrJIBjFudISYPjpG+gmnuAwdfu6CA63M\n wiuLaLQASz6W12pRqlIriUazDn4JnIHu8wCHj8QkYTV7HunhtGJjX7xT89dRS5Y/\n IJv0Q9J2CZ16d3ETCzWp2Djq1IPggkBrsgKalJmwsiWi8UkH/GeMA+YQ1p8r9Bvp\n +Jd1VitqxJFG5tgT68dq1LxlsNb4L1Cm15m8LdhY5BgSO2AG9G4gBbO0ixZJwHbn\n TLiPC0Jd3x5tf9qeSv1eWHuhQd9R908EhZdC6rgN8fZfMux2tQxNbIsNPYAQhmsB\n /nc=\n -----END CERTIFICATE-----\n \"\"\"\n\nlet noCNCert = \"\"\"\n -----BEGIN CERTIFICATE-----\n MIIC3jCCAcagAwIBAgIUeB9gFXDDe/kTcsPGlHIZ4M+SpyYwDQYJKoZIhvcNAQEL\n BQAwIDELMAkGA1UEBhMCVVMxETAPBgNVBAgMCE5lYnJhc2thMB4XDTE3MTEwMjEz\n NDIwMFoXDTQwMDEwMTAwMDAwMFowIDELMAkGA1UEBhMCVVMxETAPBgNVBAgMCE5l\n YnJhc2thMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2DqRr+tIXVXz\n 4VZA5dSJo4pPgC+lNngg8Bpk9pedmOj8GSdvbIkRmXPRqOIw33vurfGVqcYiX3DH\n HcVKS6ZF/ylE4dDH7JmGvCYpJTK6+02nkpdz3CzoX8lIRHBSJAJwny/UK20QBhsU\n OWm/mD0uCRfgfp9FasKqA56OBFGNYAOTAM33RHuXQNSSfV5FmSmNkWsiM1S+EUgH\n PptKQlXUfiSUFBCuyy9iItSg2fOew3C6/dXJ47T4mFi5qD/WKmI3uSNqBKNPcHI8\n EGZX4r8w0Hvq2hV13t+hexaLkS6VeZWb1kTrdgDPnjcl43txePPP7tEGRlZFO+bI\n V2j0pGb/iwIDAQABoxAwDjAMBgNVHRMBAf8EAjAAMA0GCSqGSIb3DQEBCwUAA4IB\n AQC27ElJn7TWhr2WcPsdXxGNUpepFgXEsEAVnoiJPI9XqXdOZCFWTUmRXrQICPUn\n 8HnVfYTFl/WZnTYhf8Ky5RB1W3X0Juo7MGge7mx6D6m8yJVBecQxPasVienTvdDg\n UZI2oodxnS7egFwlvFM2ZUmPLVvq0B7VQBSa2Ix3FChNtJ1u5yfHyoDUMRfYl0bF\n 0B3poAgLDW3FUQ7QoErMvslUJrFxmJXUKKdhg9z6jQTdcmZ6Dr8sFZQkRADbJRzm\n AYqSreeyevxdoNwQrpZMAGm61nc7OS8i0Q0JRe3FpGD29BMS0ystlzDeNnUpf+yJ\n u9dFQrCkq8MilGSO1L2bZsqY\n -----END CERTIFICATE-----\n \"\"\"\n\nlet unicodeCNCert = \"\"\"\n -----BEGIN CERTIFICATE-----\n MIICyjCCAbKgAwIBAgIUeK7KUVK7tcUhxVnkSWEsqHj07TEwDQYJKoZIhvcNAQEL\n BQAwFjEUMBIGA1UEAwwLc3RyYcOfZS5vcmcwHhcNMTcxMTAyMTM0NzQxWhcNNDAw\n MTAxMDAwMDAwWjAWMRQwEgYDVQQDDAtzdHJhw59lLm9yZzCCASIwDQYJKoZIhvcN\n AQEBBQADggEPADCCAQoCggEBAO0Anpw+WpM897YXUNHI4oTr4BUxIcOC2A7LQiQ0\n briNXLIaIN8irwaa4TwCqvjg2B09GGO7EWvi0EX050X0jFFiSDdGhSZGMLL34nfk\n /HW14XjTCW+LkYcFAyOD8Kf3nGGLagIdtnPWQ3Atf6rTf5A35K75+penURN226xB\n t0vKqtngYTFu0n6B/+Ip6FI/Bq8yyGtPN74yR79KG3WL7mvrEHxv+TnZkb2F6f2j\n cJALEJPx8wFug154EnRDOURZMX5gmHRR/Xm9jP1R7Rch+4Ue2Fy38C1a35p0Saap\n JDKSmxr2430bQ5S41BTT5Q3N6eBD7f+cqaQyoa0u+qvl+gcCAwEAAaMQMA4wDAYD\n VR0TAQH/BAIwADANBgkqhkiG9w0BAQsFAAOCAQEAM7x+J+A2UN+RCKEjJUc9rM3S\n G9AxfhKO3VN1mrPRs6JG1ED7t/9e2xdjLRRl84Rz9jnaKVTS2sQ8yKYejWGUbXDq\n WO6KNlrjzspL3M8EIoi7QNwtRktviCkkxxwhzDfuH9N6ncjq0qod0vxGq0nqxrAo\n VJto6NnrshZEQHGF8uipOFPNTDAR0SpzyzXaK59oqSPJ5VrZiQ3p8izVuRE9r1u2\n i5PCcPYi39q101UIxV/WokS0mqHx/XuTYTwhWYd/C49OnM8MLZOUJd8w0VvS0ItY\n /wAv4vk0ScS4KmXTJBBGSiBqLdroaM9VKcA1p7TN0vzlut2E/nKmBhgzQJFKZA==\n -----END CERTIFICATE-----\n \"\"\"\n\n// created with the following command:\n// openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 -nodes \\\n// -keyout private.pem -out cert.pem -subj '/CN=example.com' \\\n// -extensions san \\\n// -config <(echo '[req]'; echo 'distinguished_name=req';\n// echo '[san]'; echo 'subjectAltName=DNS:localhost,DNS:example.com,email:user@example.com,IP:192.168.0.1,IP:2001:db8::1,URI:http://example.com/path?query=param,URI:http://example.org/')\nlet certWithAllSupportedSANTypes = \"\"\"\n -----BEGIN CERTIFICATE-----\n MIIFOzCCAyOgAwIBAgIJALPXfgvEjcDsMA0GCSqGSIb3DQEBCwUAMBYxFDASBgNV\n BAMMC2V4YW1wbGUuY29tMB4XDTIyMDMwOTE4MTIxN1oXDTMyMDMwNjE4MTIxN1ow\n FjEUMBIGA1UEAwwLZXhhbXBsZS5jb20wggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAw\n ggIKAoICAQC7Bwqt8H+O3zotsGo4KMjipytzfmYiTOS0Id6HY1zfLVGrOSRTbFAE\n BmpPWbu4TzDZpxoNa6oQYqcpMqHTJe6+U/Coz+Xm+fSqWVZPLzcX2iW6igeS5cH5\n 2C9sWbzbYJku3qiNc0B0K+sIPQLeUM8sc2UK6rL3Vc6kt/SRRjshZNj6hPRqQNv6\n 85ul6yxICOooX6Xy/q0lqJaWaIOk2GZa/Genz/93RbKnLCpynSX0JETcIW8uFIPo\n 3BeyFcvgThYUq/KvpkkNPqOp7SOfO5rFLi9IRlDNuUF9h4hLZ+qV3NaxQ5mk+8xl\n BcNPDNqucNwQ7UKRNEfipmVPE44txMh06VcahcSzc+FKGsQmlNON0WwMfTTRhCPD\n Y2JVKZ5BpsgUtrivC4UbNmNJEVQQ9dJBcsALuwhoJo5CL0tkI2Dx/eo6fpwL6KDu\n ZE71MZ8BSJ8fW620fGedR+Cr+Jeq5H5eGGaWw55hXRKHbOQgjvIC6LKp9CB4/wNK\n jwlWEgae/EiI7iCuSOLj+yGbWvCnUcYdzYxuxZMY1x097dXxWObzJHgHllIT8639\n LqDT7+Xrhqoe0eMxeYwHzE8VMEPPpBeZAGzYO1lXF2lWqzIaPHK2oIeNj8Rskzqd\n GFJPSvTZqEUBxgITiz5Ba46G9Cyi4oVom5CIPI+UWBLxDLjUiDbYtQIDAQABo4GL\n MIGIMIGFBgNVHREEfjB8gglsb2NhbGhvc3SCC2V4YW1wbGUuY29tgRB1c2VyQGV4\n YW1wbGUuY29thwTAqAABhxAgAQ24AAAAAAAAAAAAAAABhiNodHRwOi8vZXhhbXBs\n ZS5jb20vcGF0aD9xdWVyeT1wYXJhbYYTaHR0cDovL2V4YW1wbGUub3JnLzANBgkq\n hkiG9w0BAQsFAAOCAgEAJFzzbzD5+YGnX2cXKms9ZSqzdFyzkU1/Glc4gCJJu0ch\n GxdqRA1D9eiYtaumtnTwdN/VsJGtHQy87ur+9hawQ7MwA8E45RJoibwT/trCggzK\n gjWeor9l1ahwr4eBgmmWDzmdUXd2HcCBRR5iXfU3CLj8BUT2EXx8iFbkHHc5uZGi\n 19ZfyAaWBV5KkkMjk9FMYAoFCsv/eDjtQzlfJrgKDcAZu7GD7ijYcw2buGeRl9SG\n //QKkyAVEnY2Fpn0v+pwOWBunB4EV2bRK+TbSScaU0EC3+AT9Xl62IAqJsdmTOrr\n URM7cuo6HVFLhNbAsUZMwd/orLQmKnp+njZOKdcq+J8f3aIUhKBIKg+sYcFVpV1Z\n Mpmm/M04hN+EGuZqASJRfIE1CI5PXizVd6sQd1A/zhoy9QtfbVGgxWklYgmy7ycB\n wS41t3bU8LLCC3RXflBOBz4y+/7Oe6muRWUAEXt4rgc4Zv391SfIFpwEaNOtFATl\n LzVcCAEmtY1Fyp4cOm6GEMjZ0H0buOaCRoYJb3KYZm5L6c58Ahom2GfAdtdoiRcX\n 7JHZybbOiOTgThxfXxgzABq/HVLC5PNVlAk95SYcoFMjixyDt2S9JD9fnGI3H9CT\n kVuVyNH7NBMh6YOuTL1dh55bvDjvgkuzudepsZnpfjgQKE1aZ7dL32Xi000gBM8=\n -----END CERTIFICATE-----\n \"\"\"\n\nfunc makeTemporaryFile(fileExtension: String = \"\", customPath: String = \"\") throws -> String {\n var template = \"\\(FileManager.default.temporaryDirectory.path)/niotestXXXXXXX\\(fileExtension)\"\n // If a custom file path is passed in then a new directory has to also be created. Then the file can be written to that directory.\n if !customPath.isEmpty {\n let path = \"\\(FileManager.default.temporaryDirectory.path)/\\(customPath)/\"\n try FileManager.default.createDirectory(at: URL(fileURLWithPath: path), withIntermediateDirectories: true)\n template = \"\\(FileManager.default.temporaryDirectory.path)/\\(customPath)/niotestXXXXXXX\\(fileExtension)\"\n }\n var templateBytes = template.utf8 + [0]\n let fd = templateBytes.withUnsafeMutableBufferPointer { ptr in\n ptr.baseAddress!.withMemoryRebound(to: Int8.self, capacity: ptr.count) { (ptr: UnsafeMutablePointer) in\n mkstemps(ptr, CInt(fileExtension.utf8.count))\n }\n }\n close(fd)\n templateBytes.removeLast()\n return String(decoding: templateBytes, as: UTF8.self)\n}\n\ninternal func dumpToFile(data: Data, fileExtension: String = \"\", customPath: String = \"\") throws -> String {\n let filename = try makeTemporaryFile(fileExtension: fileExtension, customPath: customPath)\n try data.write(to: URL(fileURLWithPath: filename))\n return filename\n}\n\ninternal func dumpToFile(text: String, fileExtension: String = \"\") throws -> String {\n try dumpToFile(data: text.data(using: .utf8)!, fileExtension: fileExtension)\n}\n\nclass SSLCertificateTest: XCTestCase {\n static let dynamicallyGeneratedCert = generateSelfSignedCert().0\n\n private static func withPemCertPath(\n _ body: (String) throws -> ReturnType\n ) throws -> ReturnType {\n let pemCertFilePath = try dumpToFile(text: samplePemCert)\n defer {\n unlink(pemCertFilePath)\n }\n return try body(pemCertFilePath)\n }\n\n private static func withPemCertsPath(\n _ body: (String) throws -> ReturnType\n ) throws -> ReturnType {\n let pemCertsFilePath = try dumpToFile(text: samplePemCerts)\n defer {\n unlink(pemCertsFilePath)\n }\n return try body(pemCertsFilePath)\n }\n\n private static func withDerCertPath(\n _ body: (String) throws -> ReturnType\n ) throws -> ReturnType {\n let derCertFilePath = try dumpToFile(data: sampleDerCert)\n defer {\n unlink(derCertFilePath)\n }\n return try body(derCertFilePath)\n }\n\n private func dateFromComponents(year: Int, month: Int, day: Int, hour: Int, minute: Int, second: Int) -> Date {\n var date = DateComponents()\n date.calendar = Calendar(identifier: .gregorian)\n date.year = year\n date.month = month\n date.day = day\n date.hour = hour\n date.minute = minute\n date.second = second\n date.timeZone = TimeZone(abbreviation: \"UTC\")\n return date.date!\n }\n\n func testLoadingPemCertFromFile() throws {\n let (cert1, cert2) = try Self.withPemCertPath {\n let cert = try NIOSSLCertificate.fromPEMFile($0).first!\n return (cert, cert)\n }\n\n XCTAssertEqual(cert1, cert2)\n XCTAssertEqual(cert1.hashValue, cert2.hashValue)\n XCTAssertNotEqual(cert1, SSLCertificateTest.dynamicallyGeneratedCert)\n XCTAssertNotEqual(cert1.hashValue, SSLCertificateTest.dynamicallyGeneratedCert.hashValue)\n }\n\n func testLoadingDerCertFromFile() throws {\n let (cert1, cert2) = try Self.withDerCertPath {\n let cert = try NIOSSLCertificate.fromDERFile($0)\n return (cert, cert)\n }\n\n XCTAssertEqual(cert1, cert2)\n XCTAssertEqual(cert1.hashValue, cert2.hashValue)\n XCTAssertNotEqual(cert1, SSLCertificateTest.dynamicallyGeneratedCert)\n XCTAssertNotEqual(cert1.hashValue, SSLCertificateTest.dynamicallyGeneratedCert.hashValue)\n }\n\n func testDerAndPemAreIdentical() throws {\n let cert1 = try Self.withPemCertPath {\n try NIOSSLCertificate.fromPEMFile($0).first!\n }\n let cert2 = try Self.withDerCertPath {\n try NIOSSLCertificate.fromDERFile($0)\n }\n\n XCTAssertEqual(cert1, cert2)\n XCTAssertEqual(cert1.hashValue, cert2.hashValue)\n }\n\n func testLoadingPemCertFromMemory() throws {\n let cert1 = try NIOSSLCertificate(bytes: .init(samplePemCert.utf8), format: .pem)\n let cert2 = try NIOSSLCertificate(bytes: .init(samplePemCert.utf8), format: .pem)\n\n XCTAssertEqual(cert1, cert2)\n XCTAssertEqual(cert1.hashValue, cert2.hashValue)\n }\n\n func testPemLoadingMechanismsAreIdentical() throws {\n let cert11 = try NIOSSLCertificate.fromPEMBytes(.init(samplePemCert.utf8))\n let cert12 = try NIOSSLCertificate(bytes: .init(samplePemCert.utf8), format: .pem)\n\n XCTAssertEqual(cert11, [cert12])\n XCTAssertEqual(cert11.map { $0.hashValue }, [cert12.hashValue])\n }\n\n func testLoadingPemCertsFromMemory() throws {\n let certs1 = try NIOSSLCertificate.fromPEMBytes(.init(samplePemCerts.utf8))\n let certs2 = try NIOSSLCertificate.fromPEMBytes(.init(samplePemCerts.utf8))\n\n XCTAssertEqual(certs1.count, 2)\n XCTAssertEqual(certs1, certs2)\n XCTAssertEqual(certs1.map { $0.hashValue }, certs2.map { $0.hashValue })\n }\n\n func testLoadingPemCertsFromFile() throws {\n let (certs1, certs2) = try Self.withPemCertsPath {\n (\n try NIOSSLCertificate.fromPEMFile($0),\n try NIOSSLCertificate.fromPEMFile($0)\n )\n }\n\n XCTAssertEqual(certs1.count, 2)\n XCTAssertEqual(certs1, certs2)\n XCTAssertEqual(certs1.map { $0.hashValue }, certs2.map { $0.hashValue })\n }\n\n func testLoadingDerCertFromMemory() throws {\n let certBytes = [UInt8](sampleDerCert)\n let cert1 = try NIOSSLCertificate(bytes: certBytes, format: .der)\n let cert2 = try NIOSSLCertificate(bytes: certBytes, format: .der)\n\n XCTAssertEqual(cert1, cert2)\n XCTAssertEqual(cert1.hashValue, cert2.hashValue)\n }\n\n func testLoadingGibberishFromMemoryAsPemFails() throws {\n let keyBytes: [UInt8] = [1, 2, 3]\n\n XCTAssertThrowsError(try NIOSSLCertificate(bytes: keyBytes, format: .pem)) { error in\n XCTAssertEqual(.failedToLoadCertificate, error as? NIOSSLError)\n }\n }\n\n func testLoadingGibberishFromPEMBufferFails() throws {\n let keyBytes: [UInt8] = [1, 2, 3]\n XCTAssertThrowsError(try NIOSSLCertificate.fromPEMBytes(keyBytes)) { error in\n XCTAssertEqual(.failedToLoadCertificate, error as? NIOSSLError)\n }\n }\n\n func testLoadingGibberishFromMemoryAsDerFails() throws {\n let keyBytes: [UInt8] = [1, 2, 3]\n\n XCTAssertThrowsError(try NIOSSLCertificate(bytes: keyBytes, format: .der)) { error in\n XCTAssertEqual(.failedToLoadCertificate, error as? NIOSSLError)\n }\n }\n\n func testLoadingGibberishFromFileAsPemFails() throws {\n let tempFile = try dumpToFile(text: \"hello\")\n defer {\n _ = tempFile.withCString { unlink($0) }\n }\n\n XCTAssertThrowsError(try NIOSSLCertificate.fromPEMFile(tempFile)) { error in\n XCTAssertEqual(.failedToLoadCertificate, error as? NIOSSLError)\n }\n }\n\n func testLoadingGibberishFromPEMFileFails() throws {\n let tempFile = try dumpToFile(text: \"hello\")\n defer {\n _ = tempFile.withCString { unlink($0) }\n }\n\n XCTAssertThrowsError(try NIOSSLCertificate.fromPEMFile(tempFile)) { error in\n XCTAssertEqual(.failedToLoadCertificate, error as? NIOSSLError)\n }\n }\n\n func testLoadingGibberishFromFileAsDerFails() throws {\n let tempFile = try dumpToFile(text: \"hello\")\n defer {\n _ = tempFile.withCString { unlink($0) }\n }\n\n XCTAssertThrowsError(try NIOSSLCertificate.fromDERFile(tempFile)) { error in\n XCTAssertEqual(.failedToLoadCertificate, error as? NIOSSLError)\n }\n }\n\n @available(*, deprecated, message: \"Deprecated to test deprecated functionality\")\n func testLoadingNonexistentFileAsPem() throws {\n XCTAssertThrowsError(try NIOSSLCertificate(file: \"/nonexistent/path\", format: .pem)) { error in\n guard let error = error as? IOError else {\n return XCTFail(\"unexpected error \\(error)\")\n }\n XCTAssertEqual(ENOENT, error.errnoCode)\n XCTAssertEqual(\n error.description.contains(\"/nonexistent/path\"),\n true,\n \"error description should contain file path. Description: \\(error.description)\"\n )\n }\n }\n\n func testLoadingNonexistentPEMFile() throws {\n XCTAssertThrowsError(try NIOSSLCertificate.fromPEMFile(\"/nonexistent/path\")) { error in\n XCTAssertEqual(.failedToLoadCertificate, error as? NIOSSLError)\n }\n }\n\n func testLoadingNonexistentFileAsDer() throws {\n XCTAssertThrowsError(try NIOSSLCertificate.fromDERFile(\"/nonexistent/path\")) { error in\n guard let error = error as? IOError else {\n return XCTFail(\"unexpected error \\(error)\")\n }\n XCTAssertEqual(ENOENT, error.errnoCode)\n XCTAssertEqual(\n error.description.contains(\"/nonexistent/path\"),\n true,\n \"error description should contain file path. Description: \\(error.description)\"\n )\n }\n }\n\n func testEnumeratingSanFields() throws {\n var v4addr = in_addr()\n var v6addr = in6_addr()\n precondition(inet_pton(AF_INET, \"192.168.0.1\", &v4addr) == 1)\n precondition(inet_pton(AF_INET6, \"2001:db8::1\", &v6addr) == 1)\n\n let cert = try NIOSSLCertificate(bytes: .init(certWithAllSupportedSANTypes.utf8), format: .pem)\n let sans = cert._subjectAlternativeNames()\n XCTAssertEqual(sans.count, 7)\n XCTAssertEqual(sans[0].nameType, .dnsName)\n XCTAssertEqual(String(decoding: sans[0].contents, as: UTF8.self), \"localhost\")\n XCTAssertEqual(sans[1].nameType, .dnsName)\n XCTAssertEqual(String(decoding: sans[1].contents, as: UTF8.self), \"example.com\")\n XCTAssertEqual(sans[2].nameType, .email)\n XCTAssertEqual(String(decoding: sans[2].contents, as: UTF8.self), \"user@example.com\")\n XCTAssertEqual(sans[3].nameType, .ipAddress)\n withUnsafeBytes(of: &v4addr) { v4addr in\n XCTAssertEqual(Array(sans[3].contents), Array(v4addr))\n }\n XCTAssertEqual(sans[4].nameType, .ipAddress)\n withUnsafeBytes(of: &v6addr) { v6addr in\n XCTAssertEqual(Array(sans[4].contents), Array(v6addr))\n }\n XCTAssertEqual(sans[5].nameType, .uri)\n XCTAssertEqual(String(decoding: sans[5].contents, as: UTF8.self), \"http://example.com/path?query=param\")\n XCTAssertEqual(sans[6].nameType, .uri)\n XCTAssertEqual(String(decoding: sans[6].contents, as: UTF8.self), \"http://example.org/\")\n }\n\n func testSubjectName() throws {\n let cert = try NIOSSLCertificate(bytes: .init(samplePemCert.utf8), format: .pem)\n XCTAssertEqual(\n cert.subjectName,\n [\n SSLCertificateName(\"US\", .country),\n SSLCertificateName(\"California\", .state),\n SSLCertificateName(\"San Fransokyo\", .city),\n SSLCertificateName(\"San Fransokyo Institute of Technology\", .organization),\n SSLCertificateName(\"Robotics Lab\", .organizationalUnit),\n SSLCertificateName(\"robots.sanfransokyo.edu\", .commonName),\n ]\n )\n }\n\n func testIssuerName() throws {\n let cert = try NIOSSLCertificate(bytes: .init(sampleIntermediateCA.utf8), format: .pem)\n XCTAssertEqual(cert.issuerName, [SSLCertificateName(\"badCertificateAuthority\", .commonName)])\n }\n\n func testNonexistentSan() throws {\n let cert = try NIOSSLCertificate(bytes: .init(samplePemCert.utf8), format: .pem)\n XCTAssertTrue(cert._subjectAlternativeNames().isEmpty)\n }\n\n func testCommonName() throws {\n let cert = try NIOSSLCertificate(bytes: .init(samplePemCert.utf8), format: .pem)\n XCTAssertEqual([UInt8](\"robots.sanfransokyo.edu\".utf8), cert.commonName()!)\n }\n\n func testCommonNameForGeneratedCert() throws {\n XCTAssertEqual([UInt8](\"localhost\".utf8), SSLCertificateTest.dynamicallyGeneratedCert.commonName()!)\n }\n\n func testMultipleCommonNames() throws {\n let cert = try NIOSSLCertificate(bytes: .init(multiCNCert.utf8), format: .pem)\n XCTAssertEqual([UInt8](\"localhost\".utf8), cert.commonName()!)\n }\n\n func testNoCommonName() throws {\n let cert = try NIOSSLCertificate(bytes: .init(noCNCert.utf8), format: .pem)\n XCTAssertNil(cert.commonName())\n }\n\n func testUnicodeCommonName() throws {\n let cert = try NIOSSLCertificate(bytes: .init(unicodeCNCert.utf8), format: .pem)\n XCTAssertEqual([UInt8](\"straße.org\".utf8), cert.commonName()!)\n }\n\n func testExtractingPublicKey() throws {\n let cert = try assertNoThrowWithValue(NIOSSLCertificate(bytes: .init(samplePemCert.utf8), format: .pem))\n let publicKey = try assertNoThrowWithValue(cert.extractPublicKey())\n let spkiBytes = try assertNoThrowWithValue(publicKey.toSPKIBytes())\n\n XCTAssertEqual(spkiBytes, sampleDerCertSPKI)\n }\n\n func testDumpingPEMCert() throws {\n let expectedCertBytes = [UInt8](sampleDerCert)\n let cert = try assertNoThrowWithValue(NIOSSLCertificate(bytes: .init(samplePemCert.utf8), format: .pem))\n let certBytes = try assertNoThrowWithValue(cert.toDERBytes())\n\n XCTAssertEqual(certBytes, expectedCertBytes)\n }\n\n func testDumpingDERCert() throws {\n let expectedCertBytes = [UInt8](sampleDerCert)\n let cert = try assertNoThrowWithValue(NIOSSLCertificate(bytes: expectedCertBytes, format: .der))\n let certBytes = try assertNoThrowWithValue(cert.toDERBytes())\n\n XCTAssertEqual(certBytes, expectedCertBytes)\n }\n\n func testPrintingDebugDetailsNoAlternativeNames() throws {\n let expectedDebugDescription =\n \"\"\n let cert = try assertNoThrowWithValue(NIOSSLCertificate(bytes: .init(samplePemCert.utf8), format: .pem))\n let debugString = String(describing: cert)\n\n XCTAssertEqual(debugString, expectedDebugDescription)\n }\n\n func testPrintingDebugDetailsWithAlternativeNames() throws {\n let expectedDebugDescription =\n \"\"\n let cert = try assertNoThrowWithValue(NIOSSLCertificate(bytes: .init(multiSanCert.utf8), format: .pem))\n let debugString = String(describing: cert)\n\n XCTAssertEqual(debugString, expectedDebugDescription)\n }\n\n func testNotValidBefore() throws {\n let cert = try NIOSSLCertificate(bytes: .init(samplePemCert.utf8), format: .pem)\n let notValidBeforeSeconds = cert.notValidBefore\n\n let expectedDate = self.dateFromComponents(year: 2017, month: 10, day: 16, hour: 21, minute: 01, second: 02)\n let expectedSeconds = time_t(expectedDate.timeIntervalSince1970)\n XCTAssertEqual(notValidBeforeSeconds, expectedSeconds)\n }\n\n func testNotValidAfter() throws {\n try XCTSkipUnless(MemoryLayout.size >= 8, \"size of time_t must be 64bit or greater\")\n let cert = try NIOSSLCertificate(bytes: .init(samplePemCert.utf8), format: .pem)\n let notValidBeforeSeconds = cert.notValidAfter\n\n let expectedDate = self.dateFromComponents(year: 2047, month: 10, day: 9, hour: 21, minute: 01, second: 02)\n let expectedSeconds = time_t(expectedDate.timeIntervalSince1970)\n XCTAssertEqual(notValidBeforeSeconds, expectedSeconds)\n }\n\n func testNotBeforeAfterGeneratedCert() throws {\n let notBefore = SSLCertificateTest.dynamicallyGeneratedCert.notValidBefore\n let notAfter = SSLCertificateTest.dynamicallyGeneratedCert.notValidAfter\n\n // Clock movement is tricky so we can't necessarily assert what the delta is in\n // the notBefore and now, but we know now has to be between the two values, and\n // that the two values are 1 hour apart.\n let secondsNow = time_t(Date().timeIntervalSince1970)\n XCTAssertTrue((notBefore.. NIOSSLContext {\n var config = TLSConfiguration.makeServerConfiguration(\n certificateChain: [.certificate(SSLContextTest.cert2)],\n privateKey: .privateKey(SSLContextTest.key2)\n )\n config.trustRoots = .certificates([SSLContextTest.cert2])\n let context = try NIOSSLContext(configuration: config)\n return context\n }\n\n private func configuredServerSSLContext(\n eventLoop: EventLoop,\n throwing error: TestError? = nil\n ) throws -> NIOSSLContext {\n // Initialize with cert1\n var config = TLSConfiguration.makeServerConfiguration(\n certificateChain: [.certificate(SSLContextTest.cert1)],\n privateKey: .privateKey(SSLContextTest.key1)\n )\n // Configure callback to return cert2\n config.sslContextCallback = { (values, promise) in\n promise.completeWithTask {\n if let error {\n throw error\n }\n var override = NIOSSLContextConfigurationOverride()\n override.certificateChain = [.certificate(SSLContextTest.cert2)]\n override.privateKey = .privateKey(SSLContextTest.key2)\n return override\n }\n }\n return try NIOSSLContext(configuration: config)\n }\n\n private func assertSniResult(sniField: String?, expectedResult: String?) throws {\n let group = MultiThreadedEventLoopGroup(numberOfThreads: 1)\n defer {\n try? group.syncShutdownGracefully()\n }\n\n let handshakeResultPromise = group.next().makePromise(of: Void.self)\n let handshakeWatcher = WaitForHandshakeHandler(handshakeResultPromise: handshakeResultPromise)\n\n let clientContext = try configuredClientSSLContext()\n let serverContext = try configuredServerSSLContext(eventLoop: group.next())\n\n let sniPromise: EventLoopPromise = group.next().makePromise()\n\n let serverChannel = try serverTLSChannel(\n context: serverContext,\n preHandlers: [\n ByteToMessageHandler(\n SNIHandler {\n sniPromise.succeed($0)\n return group.next().makeSucceededFuture(())\n }\n )\n ],\n postHandlers: [],\n group: group\n )\n defer {\n _ = try? serverChannel.close().wait()\n }\n\n let clientChannel = try clientTLSChannel(\n context: clientContext,\n preHandlers: [],\n postHandlers: [handshakeWatcher],\n group: group,\n connectingTo: serverChannel.localAddress!,\n serverHostname: sniField\n )\n defer {\n _ = try? clientChannel.close().wait()\n }\n\n // This promise ensures we completed the handshake.\n // If the ssl context callback doesn't properly resume\n // the handshake this will never resolve.\n XCTAssertNoThrow(try handshakeResultPromise.futureResult.wait())\n\n let sniResult = try sniPromise.futureResult.wait()\n if let expectedResult {\n XCTAssertEqual(sniResult, .hostname(expectedResult))\n } else {\n XCTAssertEqual(sniResult, .fallback)\n }\n }\n\n private func assertSniError(sniField: String?, expectedError: TestError) throws {\n let group = MultiThreadedEventLoopGroup(numberOfThreads: 1)\n defer {\n try? group.syncShutdownGracefully()\n }\n\n let handshakeResultPromise = group.next().makePromise(of: Void.self)\n let handshakeWatcher = WaitForHandshakeHandler(handshakeResultPromise: handshakeResultPromise)\n\n let clientContext = try configuredClientSSLContext()\n let serverContext = try configuredServerSSLContext(eventLoop: group.next(), throwing: expectedError)\n\n let sniPromise: EventLoopPromise = group.next().makePromise()\n\n let eventHandler = ErrorCatcher()\n\n let serverChannel = try serverTLSChannel(\n context: serverContext,\n preHandlers: [\n ByteToMessageHandler(\n SNIHandler {\n sniPromise.succeed($0)\n return group.next().makeSucceededFuture(())\n }\n )\n ],\n postHandlers: [eventHandler],\n group: group\n )\n defer {\n _ = try? serverChannel.close().wait()\n }\n\n let clientChannel = try clientTLSChannel(\n context: clientContext,\n preHandlers: [],\n postHandlers: [handshakeWatcher],\n group: group,\n connectingTo: serverChannel.localAddress!,\n serverHostname: sniField\n )\n defer {\n _ = try? clientChannel.close().wait()\n }\n\n // This promise ensures we completed the handshake.\n // If the ssl context callback doesn't properly resume\n // the handshake this will never resolve.\n XCTAssertThrowsError(try handshakeResultPromise.futureResult.wait())\n\n // The first caught item should be the error from the context callback.\n try serverChannel.eventLoop.submit {\n XCTAssertEqual(eventHandler.errors.count, 2)\n switch eventHandler.errors[0] {\n case let error as TestError:\n XCTAssertEqual(error, expectedError)\n default:\n XCTFail(\"Unexpected error: \\(eventHandler.errors[0])\")\n }\n }.wait()\n }\n\n func testSNIIsTransmitted() throws {\n try assertSniResult(sniField: \"httpbin.org\", expectedResult: \"httpbin.org\")\n }\n\n func testSNIIsNotTransmitted() throws {\n try assertSniResult(sniField: nil, expectedResult: nil)\n }\n\n func testSNIContextError() throws {\n try assertSniError(sniField: \"httpbin.org\", expectedError: .contextError)\n }\n}\n" }, { "path": "Tests/NIOSSLTests/SSLPKCS12BundleTest.swift", "content": "//===----------------------------------------------------------------------===//\n//\n// This source file is part of the SwiftNIO open source project\n//\n// Copyright (c) 2017-2021 Apple Inc. and the SwiftNIO project authors\n// Licensed under Apache License v2.0\n//\n// See LICENSE.txt for license information\n// See CONTRIBUTORS.txt for the list of SwiftNIO project authors\n//\n// SPDX-License-Identifier: Apache-2.0\n//\n//===----------------------------------------------------------------------===//\n\nimport Foundation\nimport NIOCore\nimport XCTest\n\n@testable import NIOSSL\n\n/// This is a base64-PKCS12 file that contains only samplePemCert and\n/// samplePemKey, no extra certs. The passphrase is\n/// \"thisisagreatpassword\".\nlet base64EncodedSimpleP12 = \"\"\"\n MIIQ2QIBAzCCEJ8GCSqGSIb3DQEHAaCCEJAEghCMMIIQiDCCBr8GCSqGSIb3\n DQEHBqCCBrAwggasAgEAMIIGpQYJKoZIhvcNAQcBMBwGCiqGSIb3DQEMAQYw\n DgQI7wzJzFMFVk4CAggAgIIGeF1vL6bWY9kYYUOwGTHdKkFX9sNcI2r3lI5m\n o4knYU14oCyh8HX1I519/niqVmx9WujM4AfjVrcTh2XcTIKiqSLNXFa0r8kB\n dVR0VUBcutE7lWth5mYbWNQRrXmnH2KI6WfxplCBMk1+y973YNOTUKqOweQl\n d+2v7TPgrnKUdOYzIBPKl170F9ENFIWZJaTkvKiZhKIX/MDhj/2JorcdG2Is\n fpCz23KdWpbYN+7lVe1XuZ/sth478Op52wcd+Yhp96DSnP2Bzw17FjCq6ghu\n DU0OCp5DAZyWh/3aZHB49NojbsqC/NKrkN2dXfcTL69IzuSoK5z3q+zl5IZA\n 3AEegCDE+WmHwQu1kC/BkvJcERo2fCkoPQVbS7xQkM1ZecROVlUoYcv+Eo77\n /2iu7Yzwe9Ymnl/X7w/GqSm01z4YFwS+7Jkd+v3khlNrUh1UwF2YGeHkIs4R\n OGb/Pjfo7ciRN3vDW5c1AvmrvxKhM3NN1OcwMxSqnxkxgbdFP+LcbY7+E832\n 5vR+uhUlnbbERwPRGCxhE1qEyu1fdFpKHJUWbQAW4TtfS3OqYHud2BWMqFbx\n vAgNMJCmO6y7NUvmUGw7Zc1V/88GWA29fUuHhjvf4i9QNFr70ERm0dXBZlaM\n CnMmHaP+UlEwbvqAsFc8ZMiz+o7wVSnxIXoLKatmDQ5xn7rGBlL2MjxR/bfp\n pzLpEnIWk3sJWKYctShxJYsjQ652d+lnHLSyjTY7y5vwxhmZmI1V5cbuuKnp\n L7P/oG5WRYkV9D8VEvAOEOw5h10Rbfj1dZgn9JNmpu3dBuhaxFPq87F2u2jX\n GTIrSD8mH+hsFCMEJLsTpIB7YX81+vJ1y5nDctPTnET1qaEWRUKjOIzPOh/d\n 6acnFoQD2debEa1EB4dLYsxoXMUbTBdCyaXyvy2zhl093vDvWWkS/ufZJqND\n u/u67+fmyNCl2P94rDMqIpse6OCi6NhNUfjh++a910iiKqGbN2gAhRFv5FYm\n rqtCsHSs6VRBoF/qe8+kowl14QOAVRXPJri5YKzb1sh13kOottD3ESnabKaI\n KBp1LQSc+QGC70rdm/agJxGcLgMaR6tGVN7cFjUoebDquh86KQ/trZqcKgLV\n AjNnN1+6Ee/Vn7nDxBOxLTTvLOkTJ2SDTp31Xfb/DRPOLIdELoGp/J6x2zQT\n HDBXAHjkg8nknKwqvsLW4AFoGCLEyrREfrDlXOvkYKSOn1VAyHWS4MMi8RpU\n 9GXrcbDvlndkIIgmvyRc94Au9s1RM443Gsik59FimNCgYYJfMmiw1jx8psVO\n V6UO7B6OIc1CtgGeU8hghVkL75DevTrSlaunzWrkZ3GPzYQ/D0INp8SPU47O\n xqqaegItRISb5UHHgwIZlCTSZWz9etxx0zNbFUrZqMfD8IA3X3MZk2N1Z2XR\n 456CbxeGswzUo5XWchKN3whwCt6S23bVqTOOrX+fyC0RuYa22zbiTiyLVhK1\n Wi1c/D2G2cA0cAvSzw15bdXFX7/HUBAekmvyyOlAoKAG4tb9i95GT2qG6DQx\n ullqB0/R84G3eePTMpDBrDOj/PkmySyGQjQifRdeUMaXzSBSi0lrxLl0VSos\n wqnvhmZ0Wx6kSurfpuqq9gc8t84Dd7NrQYXpUk024+Mtcyem+jv5BiL4QFkC\n Dmv07avXTPOIlbxLyYm0vroin+XxsGv0mXTXG6j9ZwwVUtSVhdWVHnkjJ4dU\n 0ZgrSW+X6co10wrcKMTfMVrM4kcvUOIixP8XYGRQSRkAL4IPdXP3TiYdheDk\n 2o9PwTpukbjeixLLfqfbVjm5yxsPnAogMYLbo1ZPUarIUWn02cTfzD6uv1cp\n iXH3t7MU+uCkG6NYY4xzwvwFFaHXEgTTN+cEC5H9l6r6cz5K2hPp+t/FqrKK\n GXhsJOJGR0fV3FSPuPQWQGCr7skNMHjATEFSneBTfQW5LViQsFLvzk3+3kbI\n IPuwGsBiqS/jgrjUQQHb1LYsjElJ9Npv1JvybYnEJUZqd0meiho3lpkAjCgC\n GwAeOgHUinkR6iewCTkeA0+h5ISonjkokWdcDsa4/5owU7RE42wA3twr7K4l\n xP/Jndy9IUimtrQ81uWZsXQt38KWvEsQC6S19z/8iUYR01qXGm08ernLVcwJ\n lGbvZK22Z5JW0gseOaipFE3CH3sw1TDn5PzAjcykmYSxGIhyDS2esoA3AvMc\n GEFFgXNcMf15qjCCCcEGCSqGSIb3DQEHAaCCCbIEggmuMIIJqjCCCaYGCyqG\n SIb3DQEMCgECoIIJbjCCCWowHAYKKoZIhvcNAQwBAzAOBAiksVRSUP5TBgIC\n CAAEgglIKda6J5g6raXmRDIOc98FveBozM3SQCjsiaIqq6J+vDg5yatdtrd3\n jjdyv3+cR4pYGvUQb4ND7gBevtgSGINAYj8oqKI3blRbkqXPwUNR4/lJKvJ8\n 01MCEwNaxv0wLkffQocfL3ALaDVfWNdF5lMJ20OKvHOlS/aH0inbNtEGELPW\n uyYQFFwMQBXCv3EbMb+UXyM1L5tb/lKaazRt0o3IfTbvryH4qYeWD66R3UN5\n WqsnARU4b5Td2XPxW5dTHAxjkVulQSYUE/ex1Dbv4TgGPsQ1UKQvyPb3cxD4\n U+Y0zHtg1/i/RpDxfpIkmiQesWOD83azKFnFegv0quN+bULShq+aoY98qFNT\n yuFV6BpAXzD89u0XuSLaDpTFfplPwzHsaAtgK1XAuE9X+DBCn3WRSrKghT60\n OTLO1y7L5wQ5v9PbomtpiBFJpAN+fe6Y391vnTlIYQSAyWOtPiy6kuZRncSu\n kfoJ0phN3oc6KV7lRCOMi87P6TS0zRvGaT7MtL8iljI0paWzsUKf4QkK4jc6\n 4KqLRH6Uf1e0Mco2AYAJBQzAfPxyFq99v7laxFc9qrC0wMdAs+sY/FHLptMb\n vuyERFrPxHSbICJcLTjy8951jx/6MQRpzfK4jsA4jio/WNOkiI5IQO7ihOpU\n pvpxEdNYGKOHB2HPy3/JXLs/9Dv5vwQ9Baj4ncrlL+wt4ltiVKZ36F6dx7Yi\n S1o/jdkafbuZzbXf3+/iMTc8NgWh8GVhQnkabutyWcqFeTd6rATrRxr0VVeI\n 5hzwMxlABmDcAc9D4R3F8eJEbTkigah5ccnlT/wxVXB3azXJ3xQ0aEdF/IUX\n d28g9coXJgKxlMRlHXKSQEud0ffE/qbZvzI2+fycNc+3NhCLssj/76oYf1Ju\n nA+Yj7edkWLV0pnyYhehEUpC8Y8M+GZLM4li/7fYIxh1hgb6p/5FFjmbnrNM\n BpRaZdETHeLcf7jGm2gV84XK6WnmneHxIjXbhazE9RIg+VJtfRrQPF0RBy+B\n jLdwCh1Eh8sF1yOMYlPLfw0btnLTWshbo0mRVK50rElO0mqnFP3j8D6Bf4qZ\n cqHdlDQKF2or0hB0hM08Ik99Crv7Q0YKIW1BIzNYIHGtOxgntppFHdIZIr+5\n PvECPGDgAsxsCIsaHFN4xylRf8gJ3YMm4FaAcSAyfabbU52I+tOAlAaJue6Y\n GTuyDzWt/IlpvGLwLEDFPf4whDK24wjjvU5laUadWSw5ydATlrH8m1kBlr9g\n MEd0WXRAfJPMLXjEDPpMalHCtvX3FN/xEo6EkZrszuwqsVp1EKXVXDX9u+RT\n lIVZOw+y7KusiCqVLvXcA9//6w4DSpDHH2oRdnhCROq49M5EuAdAn+5exmaZ\n siIs8sNWbzdU6gl5xjRM39MyHk9Xeu82OSEfQCkFy8QprMKoE2Be1kB7onsk\n R1EhLn3u2+NovXo1tEx5j8ysMQqeDE2XwKuMlb7nCPf6e1q9vHCxn+47IjPf\n xLQAXNvbwtvUWulNGVrJaTBMbvw0i/LLNkpiLHFZ5YeuAxEQtSkLA6Guj5Fy\n GohXwz2nIGmsghKh+t7uTkRldVPPhT/YMqq/RGHr+wjLt+/LkOpCnRJ17YFk\n tN4UF0MN6UJvgOY6kxFPRQy8N19Ekxao2ix0sbqMBbgkpjiARxQaJ+7Bv4jG\n QqXGAK4+YQ1zfOCfMPNB7/BJ2D0pOHEKc1ush4wp8HVHnE60u62UY7m2oNDT\n V75ifx4zO2Uoe+kSufuAKee/ZtPbvxzzvy7ctL9tecSTFZ6vzZxbhEO20rnJ\n lB6PCZeWQTYkbSflEJpBotFaUI+GrO/G5OMSPGDn5M/arDdgfjgrfuXFquyX\n Cwdf1CTp8N6Oj7AyUnToC3ot6BGXmZethmLQDtvxZzyZyQB2QGoHFH62OPVz\n UJCwTxtlZYH40jM8n69i/NItjvOrnwcfeeZXvMOJ7cn1BLSgnKgKCRSSJvzh\n Nvy9IloJC0vnLa2c+WL9e66yp1ihzngg2iMiJei66wrmoVeLtbbAVRyIMFD1\n lr6n+vUDvIZYlUwjdH1Z9d/Mo3uS4WygQk8pBFy/3/Btjmum23sh67JTJTC4\n aOqmDV8fMlZ4btx1nYqVFlSqbgo98+CkHMN95KnE+T+8QjFbcWT/i2isMqgQ\n OY14ozTQuvTRUgcyN7wG/wggyTzIDiPCnbZKJJ3Lvg2hymdBbWhFOjUYX4MY\n 0nARGBfnSSlcYFwG/tjIe6ej1bE8o9kMRD/V1F/P8VXpAz6FlGl1Ii56Iixz\n usvtd6FfRXnziWBPbPmgIGfLxjmodcWAmD40HKVgLoyBHoW3x5MmTfelJ5rT\n YFHRqs1Sc0dPqmpH608d+8e+Bn13wgc0s6fYNQTjXnK31Scc/SSnNcTyEsvO\n UHElOuemp8hnrQnrGhVrB9wZWMJuOcNvi22Ccdkji1mjGB9Onsbj1TdVGsHi\n 39dQhODlKjC+pimqDQaaodMhFpcY8H9jETl/xxCdvaa2eSCY1NpEkfYWBngC\n CmJsWtVuNflhCwkiUJKVK1rr+YOBx1xd2HkWJxjcydb75weRIOJmVDHOAXd8\n ltfvdAWXb7au3dhhd1ofnFuMZmFkZX2C4rRaKht+gKYcC/lhRd7iTA4j8JsO\n twW7o2/mLSZDTcymXdZT/DyJp9SurBit4QLdeQc4axoiUycmgX5djJqqyN+l\n xsH83SAOspBPgl6XMuRHdLyKdC/64mvF2/C8PmjXD9VV/qk0xgwYdLcyLlD7\n eJhd5litn4ioxCEokQmTb7DtBBHZYkKb8wyr9MLteUfpg6SRnLpKcuYRYpIi\n MdWqJjlDytwFSLVqEoRAo/HwzL/ekswpJ3yM2cHZ6vubgdGQKI5zhBo0jzYK\n vSgdr6nC5pACmJuDbP1aRzw3JSRjOk1U91IQ7/JqBvMKRJPv0rN9YGbTJC1b\n o6jOHl2s4IpIOSAXqNxDnCXqdqM6S3sk2FcDNva4hNrdA7mbL5TDqZsxh05q\n NIQDEaE83XdCVU60USCmCjju/dAb/+EfqSYnjWf+Zebfutt9c3nsaksbQSp7\n 09kE8qnPjJ0wH56gHdfcszwInPXTwxHHW774Y4EKKpqZtl004VUkbAH2SC4F\n MMJvaHMzXq7rSvMP+x/96rrRhIL3At3NfIsIWjwM82go/wvHKm8mDCENMSUw\n IwYJKoZIhvcNAQkVMRYEFFd+Wbmul+GY8fpXGfcPZKp7IU20MDEwITAJBgUr\n DgMCGgUABBTh91DEvniLjCaN8lVBeRIN2l/ZewQIb6KxlvnE9hUCAggA\n \"\"\"\n\n/// This is a base64-PKCS12 file that contains samplePemCert and\n/// samplePemKey as the main cert and key, and then extra certs\n/// multiSanCert, multiCNCert, noCNCert, and unicodeCNCert. The\n/// passphrase is \"thisisagreatpassword\".\nlet base64EncodedComplexP12 = \"\"\"\n MIIdiQIBAzCCHU8GCSqGSIb3DQEHAaCCHUAEgh08MIIdODCCE28GCSqGSIb3\n DQEHBqCCE2AwghNcAgEAMIITVQYJKoZIhvcNAQcBMBwGCiqGSIb3DQEMAQYw\n DgQI1FOPOf48OAgCAggAgIITKOaK3r7p3wDsGDjbO5yBp+MA7UelAOiUNilU\n cNcoJtNsGJmKL+MRvhD8YekoQ9lUg1T4CFmWmgIRVcLDBmOlOScv6/VFTl2T\n AgRO6cqW7QyZBi13G5wJhvIPjb+zdhZMhBN1R6145oFnDinFi65yPeui2ohn\n s+GKH0r2sJm4hMu/O8YejtItwQJwbC4Vzasa/pR6XFsXw/MNzzIql7ofziV+\n LuiZlE2z+9Ulzxn6Zaqg0B5wDa15iKk3bPe4fpAGZUu656GYYrLZMKBC39xL\n xEhzu7H5P/AF5ilIbMnVwAeRoeh5vDgs28j7gGXgklTBYJukWKAqE8bOWabd\n bddwDTCRb+ifvDFnYDSeEXLkmaA12jLEx8NF0MsUoptCq81fGbXkbUPvyU5l\n YrL1BRnisU4KnDqBDSvu5RLpOUNSq2RDfQvusSx7nXwfavM/RYHSuPEM0kQK\n XgzOU//lfXmuITnp50hy4CzYeaVhrAlTbfY+98DvKmI/go0otVNFbh9n99rU\n nwXb6tUduYlfxE2HRWaPBrA5SYF+hQJomMNqj7odeELlq6MAOqa1vzKdo270\n zXAp2lpRp5jmC7RXAJV2GKoIvdfDYBc6vci2tsyha9KqNJWZowHsStLA5fyE\n 3IO3cz5reW9izGdNn4pUAsoh8aAA6MS7cnpPqUUk3vIaAsNxcFdWk7JBDDWA\n KFVYVQRPOLRvxVyNs/wp3ySda2Dz48aoH6tCvTg6m15iRN4AKh82SBVT13ko\n jrHlIfTNvcj16ZDzXn6nQH/jKvkLhLEkBiav7+UIKzx2WvnjqBisBVRBSzqB\n 84diJrK1jHKX8yW5A+RshMcX74H2oS4yddxRAnoCRLsSu+rGoGnDw5a0kgs7\n 070wN/gE9Nl92pfy8h5G36Gzy9jU3XpfINehCc2XRVGQoCDo/bLvHMnnXzw9\n Chyr2/CEPDc2x/l8B22ptoBAU1qFxjq+wGP2ysbmKgQ85LVsLXOJpiInG1g+\n nuWBCi+xRRs3TsoTTGOF7yXV6+Tq9J0uorQehaLkAud0NKhwvuZIasWtrzWE\n QnSQ+rc9u4HkuoIJHnAnBOIIMtcRutiuqSKdUCV8XrpuLeCDBpb0FBWPYQRT\n bp/fN1rtjwTLoyYi+pfFX2cLExnVSx6eJ79Vi7BTCF/3lx9/CeA/jWgNkBVv\n +F592quY9oKfg/46aBL/XMMb8H2n1MfBrAXH/2A5cM13BY98P1GzeQ6t7yM5\n sR3/Qk1fu4151tsf3unsESIFjr2GiPZVjD5UWlOgCKViIP1UWKAOvPptXac/\n IAsQeiMKLQqDAC52pcf74o/o2FJrn31qyaMh4373ItCES5yNGEoRYPRWbydG\n mNYYOmCjfH3xvmH5j1YGhmppO+psO9B3K42UYoZkpzuFFtRRZnTxLP22SjTO\n Wwt6x8MuDOetqL85F9Dw/ph/l5Ec1iNFQl7uDczLEKakVFOYTzSstbUWNvAl\n ZfzjdWb2bSLKjRSVC4T3CK/MqVD8VKuquag167yEJzrgiIGfJ5FX+NRPg/Po\n mzy2YNivMbKXGFet3ZzYqjBvwGBjFNTmRf9jmWtSZ+TOoHaQu6aPLJzdjmsx\n AyyMgezr0lhdDdVjlcq3o9mBW3nENHChDPQ76h+NqqwE9WkVX+c8YAG/BvWM\n NXPYc2cOZhuhPHXfjsPIeyUS3xxuDNLWVihu/zpPNvcZFV+14EC52elwtTGI\n LRb8ugunBynyRx+YWVY90sGos8U+GLS8K1uWtnC4m9pIXzvTn3kGruxipQRs\n R2qfwZqaVDQoGwIzKzVxao7HDPKhHk5QApmWRMpKTWrqaLaqBpVD1aoB9Z8U\n mOEOWwP8kMbm2xD8vk9V5OWnqkmJyFNHjuzAohmGN7KcyHICDOYhbkmPxCxV\n Qgytc0QX6pEzxHKSRjeCYS3KoqLcLhJEC+5Ou3tdLmfk2WY8H27fuXydqXVY\n x6UMVPtpKH+ZsJFl3B7PS4qGjoeqI3OuMpeLry6DYVZvaSPPKOen8Ca4qA8H\n L5xvGMSHmOKxXMqOm19E0xk8DKgRQUu+2hCgzKqV9re/h2IE+cE2H6NXztvf\n rH5U3ZI6v+7FetXy0DAVwyhqqpoV35lqMFRuvchSXsJ75Q0oQ9786PK9U6hl\n VsVqVW6pY+T/HUHWv/bLSGIyl7jla3ElVTpRRapQ19ZsVivVpgLYi05EKv4U\n +/SCnaVCYuqt3xj58HTW6pvqFsxemJyn1qgFVTxqEJ+fNMWopnTKtAA41ch6\n OKO9p9KE5cT4YNR5VcpUpPpSUuB5JG9djAn7dZAsn2XiiNmTv8yBXqwuO3y8\n lkn5bau1LWvp8vMWCV7zmQy+wcfB+B5zYrUm9hYbLX+GM22hGdVuOxktRxtp\n aVdQwIMVwh2/4dnGz5VAOaJgpcnrpNLlIOMhIAgCeeqn4RnhJhmSgRqr4PBi\n G5LnV4gV8l/K5aG0ba03YtiEdvS4W09wFr2AwSXxUV9vhbsufNS0HxioQEmp\n xZ1EJpahpUiGmFHtItv0hp4Pba+4/ZvpgbP3BtaVXQsYDdpQ/0Tt6S9zwrhY\n fcAP58fFw3QyjxUoPNhXtcA+NoEdq77zCuByJnS9CWDWMVcpYRqE5eGpCQcT\n y32kMnRc1DUcOHtK9WzuJVX/cQ0Rmy56hhNSNX577ceAHbfi3WcBUoXERvMZ\n 1v34EQ5l88fmBn7gwieNfOxKacLad8mYoLyA8KWMKwwCmDVrwtqpcv78bs1Y\n 7sMt4sJWm85/87AaacuaZyufhZ8+8vju3QvC+aQHPJmQ+U3EERgvD/hx9vaf\n lPNHBTu0TP+gie+bHpm69eJ0irtAUIt2A74fsWIhu7PLNIAoT2sFcMpLa4Hi\n NbM5c9h+Q8cibXFjF0FLvDb0kEHW7uBubNHHPbHVcqkVPkDJ7PSMEjrFK7OF\n k5wHIaiWm1EacpH1CDv+P1WshulwV0HReY3RyboGtQrH6n7ph/bRiWSQaPYC\n N0L5UbHiiN+4VE96oP/Or6gvCMkEqDza7sv2mQOxNW+2Ntz6GJEkucwq2UMC\n QWWUcKEW866bbRVd2ceVDIOZE7DhY+FSRiNYoWvIVAPYKV9UC8V6wdojvLww\n Y/TZ/4XXqKmNEZWGnVrIDV/eI+AhnD0KKNWwapyuQWgNwikAashL48jk8PCu\n k6oS5z6PBXpIs8oKsBJcONAngHKxCotVzUhaiyiwjvYCDPX/rYuJZ3ABz1sd\n 4O3DLkn8Ep0FpKuyGtOhaTeqtmVRM7DHH2I4qB96H7ljP7AooILXj3o1Jq9Q\n tQ4xp9Cyb31hQg+G5ERGPDgtLSq7BtJUyoicHO6mEJiThhP4m/99miuk/MTI\n yK0V0iwxOfGOjmjC76+mypNd4fEbPd/SWr+sglBdJKh5ALipYugEfBWHZo4l\n Np7v4I+FuuiuCNXuQNPEi7qe2b9n+jKKtWnviyAgtgmx0JxLwAfvRuEHX0qA\n 8JhpG4yiKCtg/oEsvFxXCLVCKd9ywCCwq39d0CnN+PFji0pCAp5pai3WlibA\n 5lloadn6cSGH9BzU0Nkz5e7uQmrRkllkkORto7SwpmimYmU5xQijqZIlO/7N\n 8DzrnZcALrhojViHUrCjgigpLsMNKia/+tqMj07PXuh/lh7MM8qVs3L+XATi\n I+9AMcjXI/wLQxyItyHsg0gAQB0rL/gTW1A/TZratZr8FdUwp/mn9UoLeyAt\n Wp0kNgiCPhTIpNyQyEBJAlPJSPqKrnGBPga5UZZY+MUJf1JqBt28p29lMnm8\n 3x7kdPqBaBVe1xmJGoAOV4vBK30M///L+IorPGNEilixkhkz/YHEZwAE2NOs\n Ciq7Ikr3vodhwKclWyH0v5y7C9F+1q8U+61/YcUCJVcy/jEMWenS47ejYKXu\n VCZ23RkwSCg6MceQ3hLFjvsYJyXJJRzCEIdQUXDTetyAmZM2WQYQVYlFk98C\n ZQktu2G7OJM9W5FnsuI/3QmMyBFjnE3La1vOtf9RwISdwqWH8tjpaY6aRV0X\n +Ict0B6BJLslFxWILVg2t6S8hRTEXryzfh1teHkdFQbJ3FzhvQOaW5AJ8GWD\n l9BWCLwSd4IyQ4XqbdTyRFJ1kqfYhyf9ViChZNMnHVr1vyLOpaFw8yzlIkUq\n dR23PSTHrh4uFTw8XdNpuiTGW1Tvdg1ajV+rukMVbJK/KYWRNp1a13+ElI/g\n 52m4Ha+Yl9lkqZNPAI/hYxfHqmoiiAPVvgjtZdY7Fw3xCTdVuuw9kAnz5uOk\n yvmTwPXOH3EX3Y9TM5UvBL+kN3yH3e2Uycsie5kqNcUVfsbP95K4a6qIcFtk\n lgDk9k6hqFWuQ+xyfgQL9AJv1QDM0Rq0/0+5svYs0bloPXjIWv4w1ftxiZh5\n lvikKDiW8f0ia9eUpgm9wpkBRz3flnhHN3EbAKu204hXBdpHrGPF4hde4iCR\n 5h46QTflT4+uATgsjKeDRNHSlJotylXi9fDIkF+5FvbAI4NuGbNuYVGBO5Dc\n RZcE8laiol9BA8WqMy8iznZW9+GzTdH6I8VyNsllVl2Bn0/zYPsOgKgJUd4y\n 2GsrU98I0Z+VH+o2uvdsHu5DR5mNm0D0p8o6jrOOTp8WM2vdcbDrO9LX5ohP\n Vhb5Ag5rvmeUcdv6nA1jwV8VpKbmuO5pqhZRDuUBG9zBKwmkk9INVpjxc5AP\n ONKaSwhhpEi1x0tQSBWrZr3DTVmtrGi48klWIAtOCVTMBXnS85JN2HqQVgu0\n jooki5k8XU38dPsbJ4ZW+Z4l85DDvmZIDUOsdXtGDMPYBn/ZEVTFqGNrRvDd\n fo+viaUZvMZsyAsRItupapd64arkH0o6yKijRSB0XlMOmkbTCk+bk22XGjz3\n iWaoXJlssQlOjhje6A/OB17Rl1nCnJXmI/YPfuC99skgkW1AGqBzLYYJxxiJ\n OP4qHUabr563AdLEs2n6zoBff2hufTFcBbIw9xEyiiYnpIJHC+ADHCqQuJnw\n 6GGEp2Tv5nqdAhR1jBqnr9TlH1GUC3c2mEC/t9C/slJtY/VYg/JvNN/IFBzz\n Ppu0JjUdkZyoPl4SD7Yqu8zarcUpxGRSSUKwKSQNW6G4U1lkqzrXogUFSc7o\n Cp8AlTntRVf8mKTKfunqw1CrLQ0FeeDVtlsrYtQZdYVpMoMP3Ckpb3HRazhk\n OC8Dwq+9LaZRJxqQSnufhYQneqHa6wdrWzIpLyX74+gCGR5Bqi9FEc0+B6Ot\n NyNbztac+HxuPmj+VrmCr8Dbekau2ViJ3W7nE2FBzgwc2+pSddXVIRs59IUa\n QnJUa4F5YB0WgwAta2MoJ+fNYk+dV13rrwcIpZbVHemS7hYOm5pP6pkdb6Al\n LDoELX0M1xjxMvMByG4uEZcI+brza0BKp+rMDcf8O24komjO2apEltLZpONG\n 5iDjtKacrvGM4yYwAHJgY2fmg26HYlwv94gM3JS+mL7m+ossM4GjLJSBKnzK\n wSIhwITtd3LMTlVFr58R8ytZwn8JKmsyh+7rBSmpq1jE5Jx4pyz9sxFtidzQ\n q44fkAMgoeuqLwo3WOsjdwpOXeFrrYLy0I7lQ0NQwCU2dTy+JweOJy/rjClx\n GUzzsCgXd18hICO47QeA1hY+pxpBZQnachzBH47VN03Um2wZaK+EJbpIaKJ+\n O/ehnzQju2CbStW1EysrD9G0/MHrRgHInOKvIsnJEIwlksEAZNzEiM+v3Y+H\n hgFWmEkmrePLQBgw9oS1wg2pCJzFarPxITHO+E7E1xAmfUXflvgooQbnOM0V\n BDoF1Dpxy3yhxkqXPaedKWThhhNlcIlmdpl1W575kY1RBrztQo2HCFeXJIQi\n MVSYQ0+tGwXyml1uZTZ8dlX+8wC7BN0GBiraYBw4ahMki+TsfPPsPzrygSsu\n cExavBjez5WsEzAusw+0mBjpC2lR6ynTwI5z/4XpU/sQYZermAPhGAsvLpT3\n nhMAgB9KNO9CQQZYgwzIA5QrlY6DC4hlBPSa/ICu0XMOA4c9amhcgXgFJEUj\n 8uT1sfTcFDdRsIPqsszinEcGvgPTaw5XcJIS3owN8Rp7DjFO3gywPeVV788k\n NGun8cXF6Qea5neHeKavM91SGYpeyHR75ZS+k/ErZJ3rJ/MBrlNy9aTM8M/a\n z6Z5IoXddeodf9Ugj3F8HPZjVfFECX+Hq7kd/32BEAHVsctDLjBkPUTOI3oF\n cqFuFQE5Oz04wnF587bodl4qKUv2ghaBkpINl1oJkr0GKleN4Uma8P9dOmD7\n 1oy2YjQytQ2rmpUIJFWxkg9ffZqqawlzKqQn6kIAGKVKx5AtSuDasSQSo2u+\n w6YL4I042QNndjiZI4FHxmH72nw8Td19ljiy9a54kCISfom4nBhbb2+I4saX\n 15kbrWLn4lbbmxF9cSNzDIWQoC0uRqFHbbqvfeamvNg3T8IwBd1D4VAoKgW9\n Z6CGVQGUxHVN0NBk0Y0Z/cTX8uLe9A4tHmAxqOcFQTmegFW7HY2YbNCU99/o\n +BphRHp7Uw8OLpisKzi7/UZatazpPnV5K1kNisWcy20q835zeU1x/oJQtejL\n OIrTK5p1aa6PnQr83fd6fN05MIIJwQYJKoZIhvcNAQcBoIIJsgSCCa4wggmq\n MIIJpgYLKoZIhvcNAQwKAQKgggluMIIJajAcBgoqhkiG9w0BDAEDMA4ECDje\n zkPin9gMAgIIAASCCUhJe0uJLIvZERU7JtQgspaBeKRKDH71glq9ZOioDq5O\n B35+xV3F9v5RvLKveo3cRi79FaR/J2RRZVx29guL8orL+bPwqdgSAGquynL9\n A/kFbgP5OYKkaQIGldQ/6X5E2BQ/zLPE9Pj+Dj7ERNfYnWL9n2jXLrEe3ZU4\n 8w2Gko0KxE36rwxwgxAkNnxO3odGMt2FIkktpxOWpkI8sECzxf5UV1yoYhSx\n T8sxXcwFO+bIH85TolHTCSgBoM39Z69BZmlCIzRp5+h0TiYnacNwOiY5ugaI\n tRczyCbY0zXuCV38gAgMqQpfrNKpsv0zC5ro99B45/GiCBe0Kc8wP62xlfDW\n AzPVZbp0Jv8DB7YOoOn7nXbHMrg07wMmRcbEKk/1nLM0ZoULTWY1lLD0UPtQ\n YvNunuD6Qgzx6rRlMu6vk2LoXfJ84wXe86pgnDPwmebnVYLwVObrCi5GXQXc\n LRDNxUoNRoQJk2qJyugFjNfQKKWCTmRxpunlu7HwMgLKkbEjvLDmMjZ7UA8m\n daNfzXfzKimOzFUUGSicf0SHV02dKWFbYo/P+iIqTJX/Vlpb21tFkDUU6UK3\n oLGInUvnHTHsKfDsCACN9dTkGaHVlfQKgg4AY+GXXd9c+gyS4Ahd7hQmjqs9\n B5WJfKqRZ/k6XUTqfOF8SIWjrivR/ymMskZeJklCQ9btXwFKePX1PulZ9CI8\n NSZxXl5zsOQjsx+zxFzhGCiW1sNQTAkiUEbMBE51v5lOXosk9SSQ2LYoIeIj\n sc33GQAVxE53rrsNF4XxVTKXS8f94L86wERL5OXHQOGmw0s2lacJ7xITJPtl\n WqJpwnGqvp8izAfQepjkw+gf0QPTTImk04fDgu+1PcObZYlNFxUjQ6OEAymY\n B85Ts1fdQU6Pjq+bEo65vPb59+6Pa6K51WkT2FA+kVKm0FG2ACH+YB7iowgF\n cC8H3/KBKfeFL4MUCJECIxnKj9q4O1NHpW9ELgehTd+voR9Tfz5T8NYBlc/J\n omXXXsRC1CyNOe2eUmUnwv3w094uBDbt+hkKcjtHfFJ2qb1bRn8SC+EynXX+\n Abrge3bgOly/YAhq5Dy2Gv8OblJTgXTyMWz3/U5kkd2wRXSUtmmsuBq90DO5\n YKwNst5h/j48QwO1oz5IVpbFLOAOXYeOMo5nqzDcErgh7S39FcoHWegNF5ln\n EfCh9VgQN33TX0ycO6HaykHj9DGIWjgGLeDeic6Ot03cPWlb1zEVSypAjYxp\n GYWjNWTUMEnRLFIXF9tXcnLI6dFzi8XtSoOIWmWQfOdDhk5PtWkeRx8NIi6Q\n 2y0JoP0NMp/YA4Fst97CXEmxA9RkF6F/sdH3K39xCKbSKLBLvEvbjAS2Qnuf\n a+Hg4Oo1/c+og6oHlV8Z5czjx86Ccsha9O9359/Q1MvWYRucqEX8uJtZhP58\n Fr0HmkYeczP1qpNd5rABSpl8a+sQAe/3dj0TANoCxN8E5sZN9MsbGy6u9PEm\n OMn/AqJ/ts9ya/dtHtDdx5cY0lIbKv/D4GJurbRY6nrhu5l7lFw2w5Ask5ib\n FJQ3Q/DsJig+i4eA3Hq/oiFvq198gQbjy15HcIUQEP/6hgvkR3sxpjGqxytr\n KxQXCOANxhzz8lyjHOqLiLDDnmOj3KRXdLBh6UO/iMa480DRHWnfr8I0J5a4\n 4a9GksPTtu/BSHqKs8Mr1p+VGjrZO6n6sAgs9/1+amo2lKQ4MriVzSvHPJzt\n xD0cxWdYwvnZG1KVgmVe2GvW83jFkH7MPwco1lNRS6QIKxcNC8wc4u8PNAej\n 51SbfARpuM2jVTJaECxarRt84OuShXYghwQsci20Tkdz9H/ZNVfV/v+JLC95\n 6iOyQr3MtfOXSUnSXL+I5cb3uq0Bvnv11rHQfLMuhLbPfon9sRasZHmKfvfI\n 3A0J6fcH0sEwOXBZTu4TT3Riuju2q0eZyBmhl+k8GmrDZnBh9eN8enBYljWD\n z6dMTpfp0cF0BTv47r1HqEsUOLwURQR2Q/eNxM6vk6hxYXleCqNmJv+l8Rqn\n BGLRCh8aIy9CHOP34dRA1Dwfsf4WVOrNkBuxBoAhSoHBEIJErJTq9INWrBp1\n wJDH/sy7kEwj7sYBXIFeIx2r7LsAad4akuwdXEMbZVeguF2WPXNPYWQeb6R0\n PVFKz5mMBIgJf7ZtQYtt24xTCeSZVeLX4I9IkVhglwy/63n+gniZwSq5X4er\n SAtlRL01cN+yTDlf4gE6RoYYwrdQITgo6NaAfSgvG1Za87u8aFKmR6C7m4aE\n F7yc1U6Krf2n7ufTqvH64DkPiDooZ0hsx3VateiKO1q8ljFpvZGkiHkk+vu4\n 1IgnoVJOL0iREBdSy0IIGIeVN9A6RtHfht+FrwoTqoGLeGMEXNW1H4YhHxjX\n lbu42EREs45eI3jBdly0BhapkEtvu5A1kg/Q1uZ7BwVhbFcMbcYxkWBjxam6\n Wy6GOSOl8PA9IVndX/bUvIyEp+gsiZfNQDTaafuGJ6YKwMOubS3rXg5LXspz\n NzWmt1bAEGQXcV6iKHCbg9NfvDJG6Ka6oWtxTNtfiDBMpqkwfKh0qplhmh8T\n MQ8mgZmJYyWTaxqjgkny7HsX/1sbmr9w/uQMb3Z+oWfZfcgDsRsKc2l0jlGy\n zJUrqSNtTSQ2514gxt87UDYASFVuOfgD6NJ8z5T0uO3UunoHSN0nT5/rhrPJ\n 8dY3B17rTs0D2HwVoW/5W4hZULffNqQZIROUiB8ji3o8yTYqgGl9E6bOA9cF\n zDfRPLPvL7RZVxUa9cyfhbkmLN4zWLDsngYe694H5VL9FXPhDtCLK60kY3vi\n 5YsvOJ8O1nRsKvqial/KPy39TgK09qAbDkNFYZAS2SMQR5RvmZ9oeItCVK79\n IRAk9VIbnSj7pDMwxfvM1Rt2fFUu1VtrOd4YS9KsLtVIvowbyXNCDf41VdVS\n f3q5IQ6Ud9TQLxMF78031jRBNTmw11mpM70X5qadkxr+edCCO+hGmT433Xxs\n t/HYgr5FUh6MV/b/0runUDbBo2PZu2fNutDFEEm8I1MrwrKgmcXNScgOMBJr\n eQjJ8bstzEijLoW57G530fHi1xhLj4HyKvCGGsGLxAQnmQZwd6yvz2Rme6+m\n tlF6DR1qBO0YnmtaXjZpoveQcFLDpn8kAf0YHEWTcGv+2ZiYF7I8Jpokv27a\n thgINn0xJTAjBgkqhkiG9w0BCRUxFgQUV35Zua6X4Zjx+lcZ9w9kqnshTbQw\n MTAhMAkGBSsOAwIaBQAEFC9mlQ2bgjJlBI2nmTqAAL/CTILuBAjTjTK3aRzy\n qQICCAA=\n \"\"\"\n\nlet base64EncodedNoPassP12 = \"\"\"\n MIIQ2QIBAzCCEJ8GCSqGSIb3DQEHAaCCEJAEghCMMIIQiDCCBr8GCSqGSIb3\n DQEHBqCCBrAwggasAgEAMIIGpQYJKoZIhvcNAQcBMBwGCiqGSIb3DQEMAQYw\n DgQIyaU55MJEzbICAggAgIIGeD4Qa22wjWR/Teg4nOs0uZimzn+uprlEi05s\n B0fKwpz4Ths30avHBoWTGgSlfOG1SyCjeu8L1YOYoOpwOKKLV9cZOSFb7cdk\n OCSQe8QKP1QmosYIhPs79mGc26dOLYyXV7a1IvR4fDlYfHyWKmsOCMiphVJ9\n 8NHFtLzr8xs62Su1wx+4wYgJxRQIi1dAL74wzv+SZ6kw//B+K83q+kMIiAkU\n 6HElSfD7I/V0Rug1h52Pf5OorRmf92PtKXQgxlhzCH5HCpZqQjYZiHNUqC0A\n P7R5S7zjKdDvgjpjAgE4OFdVCTuqcUYUUwrxjnkFWebJ31jyZRtYul6ItvBi\n 8wthdS0OkOP/2tu8wZyqEHN5kMMUSxQsBAP/6mGvE/aHlPk8JqWK+vW0ynAj\n YMgfrkbmAes0YJ8v7aE47mkxTRU2UrfGO/9yXvGPSowm1syTgNtppXr/zYTV\n 4jucfvGJRX066wzZklHAzTuUl/PbJZzvV4twChX19bd88BUzD1YSl8whHeNW\n rhcfl8vplMji6SEdLa6Qp0v/xTK4OIX+3CkQ0Q16TvGZqHQalGsw5TzD6kos\n YMjM+ZslRb4FBtIOPO1HgplP7DXMDJX8tFW6PsHz+YEEHm9jmxQJtypa+DX2\n C4ALBzwWMvs/SnkqVjXX1udTj0qWsRBsCFvFsGZamaLBMYSox59zpeLx/dWV\n 06Zvs0Zn/um0JcCst/GmGnsJOQ36xiSZoraEDrozxfhSuH5nqnw8b1Ja5Tu4\n iKp6Am/DP74OYxXvbre+Hg0H022/NKqB1L2tT3RKMdJhZ9Y/gucYwU/t8XmU\n s7d3gmR4veEo+pXl36bwFJxNWg7Kda7dQL2OmhX4/Z74+yPdrwNXXoFhV4zC\n lMg+5Z4LThQ2jIYluyZelM6iaHb0j7sQD7OHxdbydhR9T7OTHMAwLQqVlPZd\n kXIptKjBQqGWU0UPhJDjmjd46ySQcKNbzOv6olc/NY1T0JrAjVRiG4A5NRpy\n OZOFXlOHEulILRRx+rc4LcpX+TmkN/zYE52I54wILqx7uPnf0LaIGWNy5cop\n PZ1fiONra6P07N/GJNBn3p7SA4LvAdFN+FRCsF8kNgyw9j59MgPNAlfA+VB7\n WoLFUByYqneQbWkitwST5T6+prK4GXTwFJXu8RqHzV3aESZgmWUmgYPAWRQ1\n Hmcro0T6iimQiRKuyI6D/fND6OGQ0cfVklk2s8g/r9lFGHrapt/4P3G4Q5aD\n MZm7ywuFSTOW/7p4C6GhwUofdo8hrjJ6A6oBUVD0dEzt/QZ76a8ee02FBdFL\n KfvYXUDeOO16oWb+YQdjF9F8yaZJDSF7fMIeKk+u9EGivmjjk90c3wEbBZq9\n 1OIGlE2Htw+mJLxRBn0UrLs4JFwuw/r9+IgRIv3K1bZDH4IbuFyRAstYvt0r\n ZiapyiyJLfn58WoODJXsneUxMYREaXcf7p8Nbl+4ibsS+V0vxgtHvA9UTpAb\n cuXmTbUdwKmRrvdk6NGDCTOPVERKyzYKvJNWF05LnvQi5PJWhR/4kXDAVVwk\n 9AnnN/QEC8qk8IaYpCoLY+6AUwgNPVOoAmD2+iaoeS4MxEediAHvIzbpO9uh\n Q7zDv6KZrd7gEVRHI6NpH21648NBmv0GlqLofmzMXdcLtrBIRbaSIfaIYreX\n PcfcEwfVBrOn4W6aBCgYMUmzXAeOdNKu3TSuX7wtGxNfrcjkCqzzvDFE7ODd\n zkkBCjVtMzk4r736+g7DVB8pwsVoPffzIVny3SPuf/gbUJq8oeUnuG6Q1dM9\n BCaG7hBXNnJmvImn3hq0+oyv877v04XTsOQp9QiVp8ftLoQaBY6IyPMOOmSt\n tCfHzI9ayc6VBgwtV7iRwZTLqEsgKzObMfuu39Fx5n4JgPeHMkQJS/iI777z\n 7yLij9YwqkyjJ7B8wjnXLVs8mv6ZNs0a1RdIAcmSzDrkyzxzryLC/0vEBfe+\n zFu3C01jOrbZzZJqYTquNu+yHXQ+wYGn9L7DBy0ymyAvcmpgtdfWW1qVPyWQ\n s33eeoZ/pbpPR0jaDTgPEbsS3+6umu7ulo+w8vFztmJgz+8jUHuLyuUxtd2I\n uoK4iNjZ883Og8LTRIoqTwEEe36iLH3h7OJceEP5adMBdq9Dhpm+9rBOSU8v\n ep8f45tJ2kvrPHJLLqQq06d3KS48vZaBX/1s5rA6RjCJfejO3NCVEVYbYoR2\n qXHKAEbNkjy2yTCCCcEGCSqGSIb3DQEHAaCCCbIEggmuMIIJqjCCCaYGCyqG\n SIb3DQEMCgECoIIJbjCCCWowHAYKKoZIhvcNAQwBAzAOBAjdIC6abxVJ9wIC\n CAAEgglI0/hPzGIYeB+a2OHaH1zXHi3/mBlfKKd+QLdDdmAfd71TfXODLLN/\n MEvjyT/5nboccbnE+hWqZCQXY6t+QtSZYPGdpJfVdWbPLlRcEWRMKFXhb0K4\n /uw9k21k4gdXhyzUdUkXyopK9O2J3/UHifXRd7qkvUNga4tHrD1jJ6LSw5yI\n y1HU4wsV0TgHC3nMvjEJy/GG91IGqKRIx6ejbKAeVrsyBNWF0Y7yXnH0IUlV\n IQJK6JPKiGhPPqZtgAYTzSkT14gF9oQy3NhHQrDzrdPcF4QSi2ocqqzGfuBV\n 2D5hTnEA9wbRAF69l/5FlPsvTf9Rn+dO7zdUYm7oo0JZC/BWKwkCEdPwybSz\n OMTQJiuXPYDGm+qQm07HDndYceE8Bfsj9KX6oOwsxkZIcHumrx7qJZBd8jxm\n tmqRplhzBTiKUgDKYCtup4LwP2NftOgmuZ5RzAMj5tAV8dDR63/rhhfe6oiw\n qCprixvKMGvxDTAY7ARoruUGt6ziL7m8RqmW3Oqth0i3ZiWpX14KTGNo/DVG\n aqsqLkfZNpwvyK7TsKjabmocWJSZGbAlGsS77Z9nxleEPaO+pcvKvzXi3/Cv\n 57nresgGs7cpWxpE8EIWCHaE0eqGgZI1tPvPdzSLo/Qr73j4QQ9JtQWrsO2/\n Fc4ksLwcobkNei5mpj7Ipj1DatzGM0ZFDVzKs8vfxbLRGt4jOXXJcTD5+nKK\n 6h6fYekGbaMhgHT2LKvLA/2/XHOxQnhWlIZqUAULdzgup/R2u94za5yAYBQy\n Wwx74JQFmdqqyUpdTjU5aVMOrjlgPXE96h4Q6mTa2qUXE28RNaJ+jZy03XNA\n wb1VtRCoQOMDDlGdcPY2TiwPNNrsQdM/nzq5AXqdQBP10zYPe1E4BEdd6pEq\n JJrvuwwHxEPHjqd2f0Z0Vgj8b5nRkwxAlJ2xVT+U7aISeqYaUf3bmLAP2ZAx\n pr2y81gLaOroLKDNwwqx9iMA3lugTAmNHzqZaYQjDmm1fsQOXyMkirnO3WYN\n WGV81xEq3BJ/Bjszd6Bt1g1lHO5LtdqwiAzAF9e/zYD0mOAZ1A4yLpgz+AOv\n 2SvngpFmy3JfzVctybzFt7kcuIRlI4xTQP8TJZ3QRsegmKYsAZkSFPiGS66Z\n JSwPng7KpDOlT2wmTdRJgak6Z1Zh52PQ2VdFkm18n0UAmjqo8u+REt4gzIps\n s+Wrt2waD920Z0JFBqBD58/RDXYSBsU/XIjxwpmClWsOh0mKMyDw4dO2fTBp\n JB0reL/0rsCXJL1JFKeM+iRQ8BDyRFsk6c+LDCNwCzBBwVDA1qADC7qSClyS\n hPAPAAxCpQpF/MYLhJG0QBPHG9bkkGMCYSKFZzEUXSnY63+e6ZxdUHcRKaU0\n T8Ue0sEg3LlU3aAYvqBq+2/ILfNGI572zLpAE/8EW26YBZ+lFxKgUFMMM91x\n Hc8THk015pAd763ZG9sJEpdRtBKkoQ3/3A1sT1fe8xCRTfvLZpdb8RBxiaAC\n RTV0pXXspG8Va1YsOd9EIDPkRfkH/sRsi4UBO5zmgftBWdVn0qKwXuypCudt\n faFvoUEIc1z+qzCuMT3jPdj8hNIjacuOe1Lcpods2i5CTqP8Hraim1552PZY\n TNZsQ2aj7YtTXdoKP+KnpSPf6rrpAK7OcvKOuZHVKwbs6z+TqwGjmDT9/QbR\n vC+DVGgn2WY3BCRRqUQegY0LBJSrpJlVCmDQ1KfhKCkPyyCbHd3rIi5x6pty\n T7wp2EKplsXnn8hgdouKJX+24vV/i49DDEyC9eLpNO7WtDwQ0yHBbCael7fy\n 4CLoSMUptS9DWQPjXQ84qFdaBKgcw+ALtcVHfKmS77zp9qonS7zeGOanAOTL\n kGKHIVzyhb/cHYqCYE8ldtcGRWa9n4Ri3T6X1fZ83Bp/tzrXiA5uzAI15StY\n NQyewtou/OnDUX7weFnMMvNp7y34X2J7uIe6ujvTAHg0MFdqcoPB0bKst9iT\n IQdsWYLYMpBE0fgYlQ83uj081IPowz4FMORHrkU6sK62IViDg/rpYRkTY0E5\n AJJ0fd9HK1VTo9qg8VWyh4n9YfOOU6U+g+DXehP+LW7cmQDmsIAFcJGK2wWk\n G6V3BJgjXV9OuVhC0/2hqV7EhXitQ4FUjjiEAPsrVl3lg4k0tHkn3RTyRfqy\n HLSgrxdc+YUXIBPx6jjasP6GF3I7j7w4HoEWNI++9NxDLMahKwQTftaAT5at\n N8JStJg8++VWd7ktPNEz3q7WAKYDFalpyW/EOFQR3l3phQKZEtlEmLGV0r0M\n NVLIJwUeEhYiFhoZvZThsBhFIU5EDsc1MWbmjZf+NiCVJB9OG6adl5jV6PEV\n VzsCC9UnlHENTimRocRUzBp/85Pp7IHV10w6r0LSFyQp70OSfsEUR5CK6xTO\n UfMXOJvrG1cyGyu8I3vK9MqCEdDiXjhhuExI7a5syRAdF/qQ2OYBol57oE5z\n betp7Ph4btu76Ub43E6nnzqHB9ey5EzXxxNwaqvtlWV405Ux8annKuaiXTlv\n T69S580zYJSWDAtRhlND3IBMvAUxdTU889ZnhXIjvL/Ads1Fjh1lEkWZsrtI\n UeMAP2TiskPHNgj3Xl9yqxozYdqjRHLT0PIBmRPcaABGCtXeoX5X4wb0kFnP\n BDg9Gyxb8YAXXiKzobDOCSDBZK5P1F72y3znQG/Y/xJbKp353WNSDPXZwpvy\n NfQLotdq+Amt3tfv9OA2hi/719oUtZrIaHTerr2MBagp1SIztCoTQmmfdlyn\n eHUHi7B35vy24eAGGbSuQMnQyf7+DXnicPmptn3Ltw7hmiEIPe4UdyrrPHdT\n mpjB4JGzhlRg8s+xMI5zIdOfo+MgA+Ars2zYIoAR2B5dUbuMRU9IoiqdH0Xq\n 8z2F9MOvublsMlWbtm824Wn1KCFNTA2waVRPo2++m7yzdL8bLpVqdOmAf6UP\n Qp+RqgixT3VMIz0qORtkahGn8ebOrsVILlf5t8IACVbL37gejABhmayWBQDr\n 9Zf6dByTW/2zEu6vOkLasQBfeMQBEhOTT8BfOUH+m/XVBtg/vEmM/7STTdrj\n KzeXQaM+HR3n2bRA6Xi+9lwBnHTm+V1aCsFGKzI7yPx1PJYm5D8QgmFJmjnh\n rpYLm4HSbzLXTmbkl5Svvy4f1Y92mJdCtheR1oRa5jz7hy3gY99FXxc8MSUw\n IwYJKoZIhvcNAQkVMRYEFFd+Wbmul+GY8fpXGfcPZKp7IU20MDEwITAJBgUr\n DgMCGgUABBS/Klvbu+vi4seUykaXDZGkkw73yQQIqCWkicXrRPICAggA\n \"\"\"\n\nvar simpleP12: [UInt8] {\n Array(Data(base64Encoded: base64EncodedSimpleP12, options: .ignoreUnknownCharacters)!)\n}\n\nvar complexP12: [UInt8] {\n Array(Data(base64Encoded: base64EncodedComplexP12, options: .ignoreUnknownCharacters)!)\n}\n\nvar noPassP12: [UInt8] {\n Array(Data(base64Encoded: base64EncodedNoPassP12, options: .ignoreUnknownCharacters)!)\n}\n\nclass SSLPKCS12BundleTest: XCTestCase {\n static func withSimpleFilePath(_ body: (String) throws -> Void) throws {\n let path = try dumpToFile(\n data: Data(\n base64Encoded: base64EncodedSimpleP12,\n options: .ignoreUnknownCharacters\n )!\n )\n defer {\n unlink(path)\n }\n\n return try body(path)\n }\n\n static func withComplexFilePath(_ body: (String) throws -> Void) throws {\n let path = try dumpToFile(\n data: Data(\n base64Encoded: base64EncodedComplexP12,\n options: .ignoreUnknownCharacters\n )!\n )\n defer {\n unlink(path)\n }\n\n return try body(path)\n }\n\n static func withNoPasswordFilePath(_ body: (String) throws -> Void) throws {\n let path = try dumpToFile(\n data: Data(\n base64Encoded: base64EncodedNoPassP12,\n options: .ignoreUnknownCharacters\n )!\n )\n defer {\n unlink(path)\n }\n\n return try body(path)\n }\n\n func testDecodingSimpleP12FromMemory() throws {\n let p12Bundle = try NIOSSLPKCS12Bundle(buffer: simpleP12, passphrase: \"thisisagreatpassword\".utf8)\n let expectedKey = try NIOSSLPrivateKey(bytes: Array(samplePemKey.utf8), format: .pem)\n let expectedCert = try NIOSSLCertificate(bytes: Array(samplePemCert.utf8), format: .pem)\n\n XCTAssertEqual(p12Bundle.privateKey, expectedKey)\n XCTAssertEqual(p12Bundle.certificateChain, [expectedCert])\n }\n\n func testDecodingComplexP12FromMemory() throws {\n let p12Bundle = try NIOSSLPKCS12Bundle(buffer: complexP12, passphrase: \"thisisagreatpassword\".utf8)\n let expectedKey = try NIOSSLPrivateKey(bytes: Array(samplePemKey.utf8), format: .pem)\n let expectedCert = try NIOSSLCertificate(bytes: Array(samplePemCert.utf8), format: .pem)\n let caOne = try NIOSSLCertificate(bytes: Array(multiSanCert.utf8), format: .pem)\n let caTwo = try NIOSSLCertificate(bytes: Array(multiCNCert.utf8), format: .pem)\n let caThree = try NIOSSLCertificate(bytes: Array(noCNCert.utf8), format: .pem)\n let caFour = try NIOSSLCertificate(bytes: Array(unicodeCNCert.utf8), format: .pem)\n\n XCTAssertEqual(p12Bundle.privateKey, expectedKey)\n XCTAssertEqual(p12Bundle.certificateChain, [expectedCert, caOne, caTwo, caThree, caFour])\n }\n\n func testDecodingSimpleP12FromMemoryWithoutPassphrase() throws {\n let p12Bundle = try NIOSSLPKCS12Bundle(buffer: noPassP12)\n let expectedKey = try NIOSSLPrivateKey(bytes: Array(samplePemKey.utf8), format: .pem)\n let expectedCert = try NIOSSLCertificate(bytes: Array(samplePemCert.utf8), format: .pem)\n\n XCTAssertEqual(p12Bundle.privateKey, expectedKey)\n XCTAssertEqual(p12Bundle.certificateChain, [expectedCert])\n }\n\n func testDecodingSimpleP12FromFile() throws {\n try Self.withSimpleFilePath { simpleFilePath in\n let p12Bundle = try NIOSSLPKCS12Bundle(\n file: simpleFilePath,\n passphrase: \"thisisagreatpassword\".utf8\n )\n let expectedKey = try NIOSSLPrivateKey(bytes: .init(samplePemKey.utf8), format: .pem)\n let expectedCert = try NIOSSLCertificate(bytes: .init(samplePemCert.utf8), format: .pem)\n\n XCTAssertEqual(p12Bundle.privateKey, expectedKey)\n XCTAssertEqual(p12Bundle.certificateChain, [expectedCert])\n }\n }\n\n func testDecodingComplexP12FromFile() throws {\n try Self.withComplexFilePath { complexFilePath in\n let p12Bundle = try NIOSSLPKCS12Bundle(\n file: complexFilePath,\n passphrase: \"thisisagreatpassword\".utf8\n )\n let expectedKey = try NIOSSLPrivateKey(bytes: .init(samplePemKey.utf8), format: .pem)\n let expectedCert = try NIOSSLCertificate(bytes: .init(samplePemCert.utf8), format: .pem)\n let caOne = try NIOSSLCertificate(bytes: .init(multiSanCert.utf8), format: .pem)\n let caTwo = try NIOSSLCertificate(bytes: .init(multiCNCert.utf8), format: .pem)\n let caThree = try NIOSSLCertificate(bytes: .init(noCNCert.utf8), format: .pem)\n let caFour = try NIOSSLCertificate(bytes: .init(unicodeCNCert.utf8), format: .pem)\n\n XCTAssertEqual(p12Bundle.privateKey, expectedKey)\n XCTAssertEqual(p12Bundle.certificateChain, [expectedCert, caOne, caTwo, caThree, caFour])\n }\n }\n\n func testDecodingSimpleP12FromFileWithoutPassphrase() throws {\n try Self.withNoPasswordFilePath { noPassFilePath in\n let p12Bundle = try NIOSSLPKCS12Bundle(file: noPassFilePath)\n let expectedKey = try NIOSSLPrivateKey(bytes: .init(samplePemKey.utf8), format: .pem)\n let expectedCert = try NIOSSLCertificate(bytes: .init(samplePemCert.utf8), format: .pem)\n\n XCTAssertEqual(p12Bundle.privateKey, expectedKey)\n XCTAssertEqual(p12Bundle.certificateChain, [expectedCert])\n }\n }\n\n func testDecodingNonExistentPKCS12File() throws {\n XCTAssertThrowsError(try NIOSSLPKCS12Bundle(file: \"/nonexistent/path\")) { error in\n XCTAssertEqual(ENOENT, (error as? IOError).map { $0.errnoCode })\n }\n }\n\n func testEquatableAndHashable() throws {\n let bundle1_a = try NIOSSLPKCS12Bundle(buffer: simpleP12, passphrase: \"thisisagreatpassword\".utf8)\n let bundle1_b = try NIOSSLPKCS12Bundle(buffer: simpleP12, passphrase: \"thisisagreatpassword\".utf8)\n let bundle2 = try NIOSSLPKCS12Bundle(buffer: complexP12, passphrase: \"thisisagreatpassword\".utf8)\n XCTAssertEqual(bundle1_a, bundle1_a)\n XCTAssertEqual(bundle1_a, bundle1_b)\n XCTAssertNotEqual(bundle1_a, bundle2)\n\n let set = Set([bundle1_a, bundle1_b, bundle2])\n XCTAssertEqual(set.count, 2)\n XCTAssertTrue(set.contains(bundle1_a))\n XCTAssertTrue(set.contains(bundle1_b))\n XCTAssertTrue(set.contains(bundle2))\n }\n\n func testMakePKCS12() throws {\n let privateKey = try NIOSSLPrivateKey(bytes: .init(samplePemKey.utf8), format: .pem)\n let mainCert = try NIOSSLCertificate(bytes: .init(samplePemCert.utf8), format: .pem)\n let caOne = try NIOSSLCertificate(bytes: .init(multiSanCert.utf8), format: .pem)\n let caTwo = try NIOSSLCertificate(bytes: .init(multiCNCert.utf8), format: .pem)\n let caThree = try NIOSSLCertificate(bytes: .init(noCNCert.utf8), format: .pem)\n let caFour = try NIOSSLCertificate(bytes: .init(unicodeCNCert.utf8), format: .pem)\n let certificates = [mainCert, caOne, caTwo, caThree, caFour]\n\n // Create a PKCS#12...\n let bundle = NIOSSLPKCS12Bundle(\n certificateChain: certificates,\n privateKey: privateKey\n )\n let pkcs12 = try bundle.serialize(passphrase: \"thisisagreatpassword\".utf8)\n\n // And then decode it into a NIOSSLPKCS12Bundle\n let decoded = try NIOSSLPKCS12Bundle(buffer: pkcs12, passphrase: \"thisisagreatpassword\".utf8)\n\n // Make sure everything is there\n XCTAssertEqual(decoded.privateKey, privateKey)\n XCTAssertEqual(decoded.certificateChain, certificates)\n }\n\n func testMakePKCS12_IncorrectPassphrase() throws {\n let privateKey = try NIOSSLPrivateKey(bytes: .init(samplePemKey.utf8), format: .pem)\n let mainCert = try NIOSSLCertificate(bytes: .init(samplePemCert.utf8), format: .pem)\n\n // Create a PKCS#12...\n let bundle = NIOSSLPKCS12Bundle(\n certificateChain: [mainCert],\n privateKey: privateKey\n )\n let pkcs12 = try bundle.serialize(passphrase: \"thisisagreatpassword\".utf8)\n\n // And then try decoding it into a NIOSSLPKCS12Bundle, but with the wrong passphrase\n XCTAssertThrowsError(\n try NIOSSLPKCS12Bundle(\n buffer: pkcs12,\n passphrase: \"thisisagreatpasswordbutnottherightone\".utf8\n )\n ) { error in\n XCTAssertNotNil(error as? BoringSSLError)\n }\n }\n}\n" }, { "path": "Tests/NIOSSLTests/SSLPrivateKeyTests.swift", "content": "//===----------------------------------------------------------------------===//\n//\n// This source file is part of the SwiftNIO open source project\n//\n// Copyright (c) 2017-2021 Apple Inc. and the SwiftNIO project authors\n// Licensed under Apache License v2.0\n//\n// See LICENSE.txt for license information\n// See CONTRIBUTORS.txt for the list of SwiftNIO project authors\n//\n// SPDX-License-Identifier: Apache-2.0\n//\n//===----------------------------------------------------------------------===//\n\nimport Foundation\nimport NIOCore\nimport XCTest\n\n@testable import NIOSSL\n\nclass SSLPrivateKeyTest: XCTestCase {\n static let dynamicallyGeneratedKey = generateSelfSignedCert().1\n\n static func withPEMKeyFile(_ body: (String) throws -> Void) throws {\n let path = try dumpToFile(\n text: samplePemKey,\n fileExtension: \".pem\"\n )\n defer {\n unlink(path)\n }\n\n return try body(path)\n }\n\n static func withDERKeyFile(_ body: (String) throws -> Void) throws {\n let path = try dumpToFile(\n data: sampleDerKey\n )\n defer {\n unlink(path)\n }\n\n return try body(path)\n }\n\n static func withPasswordPEMKeyFile(_ body: (String) throws -> Void) throws {\n let path = try dumpToFile(\n text: samplePemRSAEncryptedKey,\n fileExtension: \".pem\"\n )\n defer {\n unlink(path)\n }\n\n return try body(path)\n }\n\n static func withPasswordPKCS8PEMKeyFile(_ body: (String) throws -> Void) throws {\n let path = try dumpToFile(\n text: samplePKCS8PemPrivateKey\n )\n defer {\n unlink(path)\n }\n\n return try body(path)\n }\n\n func testLoadingPemKeyFromFile() throws {\n try Self.withPEMKeyFile { pemKeyFilePath in\n let key1 = try NIOSSLPrivateKey(file: pemKeyFilePath, format: .pem)\n let key2 = try NIOSSLPrivateKey(file: pemKeyFilePath, format: .pem)\n\n XCTAssertEqual(key1, key2)\n XCTAssertNotEqual(key1, SSLPrivateKeyTest.dynamicallyGeneratedKey)\n }\n }\n\n func testLoadingDerKeyFromFile() throws {\n try Self.withDERKeyFile { derKeyFilePath in\n let key1 = try NIOSSLPrivateKey(file: derKeyFilePath, format: .der)\n let key2 = try NIOSSLPrivateKey(file: derKeyFilePath, format: .der)\n\n XCTAssertEqual(key1, key2)\n XCTAssertEqual(key1.hashValue, key2.hashValue)\n XCTAssertNotEqual(key1, SSLPrivateKeyTest.dynamicallyGeneratedKey)\n XCTAssertNotEqual(key1.hashValue, SSLPrivateKeyTest.dynamicallyGeneratedKey.hashValue)\n }\n }\n\n func testDerAndPemAreIdentical() throws {\n try Self.withPEMKeyFile { pemKeyFilePath in\n try Self.withDERKeyFile { derKeyFilePath in\n let key1 = try NIOSSLPrivateKey(file: pemKeyFilePath, format: .pem)\n let key2 = try NIOSSLPrivateKey(file: derKeyFilePath, format: .der)\n\n XCTAssertEqual(key1, key2)\n XCTAssertEqual(key1.hashValue, key2.hashValue)\n }\n }\n }\n\n func testLoadingPemKeyFromMemory() throws {\n let key1 = try NIOSSLPrivateKey(bytes: .init(samplePemKey.utf8), format: .pem)\n let key2 = try NIOSSLPrivateKey(bytes: .init(samplePemKey.utf8), format: .pem)\n\n XCTAssertEqual(key1, key2)\n XCTAssertEqual(key1.hashValue, key2.hashValue)\n }\n\n func testLoadingDerKeyFromMemory() throws {\n let keyBytes = [UInt8](sampleDerKey)\n let key1 = try NIOSSLPrivateKey(bytes: keyBytes, format: .der)\n let key2 = try NIOSSLPrivateKey(bytes: keyBytes, format: .der)\n\n XCTAssertEqual(key1, key2)\n XCTAssertEqual(key1.hashValue, key2.hashValue)\n }\n\n func testLoadingGibberishFromMemoryAsPemFails() throws {\n let keyBytes: [UInt8] = [1, 2, 3]\n\n XCTAssertThrowsError(try NIOSSLPrivateKey(bytes: keyBytes, format: .pem)) { error in\n XCTAssertEqual(.failedToLoadPrivateKey, error as? NIOSSLError)\n }\n }\n\n func testLoadingGibberishFromMemoryAsDerFails() throws {\n let keyBytes: [UInt8] = [1, 2, 3]\n\n XCTAssertThrowsError(try NIOSSLPrivateKey(bytes: keyBytes, format: .der)) { error in\n XCTAssertEqual(.failedToLoadPrivateKey, error as? NIOSSLError)\n }\n }\n\n func testLoadingGibberishFromFileAsPemFails() throws {\n let tempFile = try dumpToFile(text: \"hello\")\n defer {\n _ = tempFile.withCString { unlink($0) }\n }\n\n XCTAssertThrowsError(try NIOSSLPrivateKey(file: tempFile, format: .pem)) { error in\n XCTAssertEqual(.failedToLoadPrivateKey, error as? NIOSSLError)\n }\n }\n\n func testLoadingGibberishFromFileAsDerFails() throws {\n let tempFile = try dumpToFile(text: \"hello\")\n defer {\n _ = tempFile.withCString { unlink($0) }\n }\n\n XCTAssertThrowsError(try NIOSSLPrivateKey(file: tempFile, format: .der)) { error in\n XCTAssertEqual(.failedToLoadPrivateKey, error as? NIOSSLError)\n }\n }\n\n func testLoadingNonexistentFileAsPem() throws {\n\n XCTAssertThrowsError(try NIOSSLPrivateKey(file: \"/nonexistent/path\", format: .pem)) { error in\n XCTAssertEqual(ENOENT, (error as? IOError).map { $0.errnoCode })\n }\n }\n\n func testLoadingNonexistentFileAsDer() throws {\n XCTAssertThrowsError(try NIOSSLPrivateKey(file: \"/nonexistent/path\", format: .der)) { error in\n XCTAssertEqual(ENOENT, (error as? IOError).map { $0.errnoCode })\n }\n }\n\n func testLoadingNonexistentFileAsPemWithPassphrase() throws {\n XCTAssertThrowsError(\n try NIOSSLPrivateKey(file: \"/nonexistent/path\", format: .pem) { (_: NIOSSLPassphraseSetter<[UInt8]>) in\n XCTFail(\"Should not be called\")\n }\n ) { error in\n XCTAssertEqual(ENOENT, (error as? IOError).map { $0.errnoCode })\n }\n }\n\n func testLoadingNonexistentFileAsDerWithPassphrase() throws {\n XCTAssertThrowsError(\n try NIOSSLPrivateKey(file: \"/nonexistent/path\", format: .der) { (_: NIOSSLPassphraseSetter<[UInt8]>) in\n XCTFail(\"Should not be called\")\n }\n ) { error in\n XCTAssertEqual(ENOENT, (error as? IOError).map { $0.errnoCode })\n }\n }\n\n func testLoadingEncryptedRSAKeyFromMemory() throws {\n let key1 = try NIOSSLPrivateKey(bytes: .init(samplePemRSAEncryptedKey.utf8), format: .pem) { closure in\n closure(\"thisisagreatpassword\".utf8)\n }\n let key2 = try NIOSSLPrivateKey(bytes: .init(samplePemRSAEncryptedKey.utf8), format: .pem) { closure in\n closure(\"thisisagreatpassword\".utf8)\n }\n\n XCTAssertEqual(key1, key2)\n XCTAssertEqual(key1.hashValue, key2.hashValue)\n }\n\n func testLoadingEncryptedRSAPKCS8KeyFromMemory() throws {\n let key1 = try NIOSSLPrivateKey(bytes: .init(samplePKCS8PemPrivateKey.utf8), format: .pem) { closure in\n closure(\"thisisagreatpassword\".utf8)\n }\n let key2 = try NIOSSLPrivateKey(bytes: .init(samplePKCS8PemPrivateKey.utf8), format: .pem) { closure in\n closure(\"thisisagreatpassword\".utf8)\n }\n\n XCTAssertEqual(key1, key2)\n XCTAssertEqual(key1.hashValue, key2.hashValue)\n }\n\n func testLoadingEncryptedRSAKeyFromFile() throws {\n try Self.withPasswordPEMKeyFile { passwordPemKeyFilePath in\n let key1 = try NIOSSLPrivateKey(file: passwordPemKeyFilePath, format: .pem) { closure in\n closure(\"thisisagreatpassword\".utf8)\n }\n let key2 = try NIOSSLPrivateKey(file: passwordPemKeyFilePath, format: .pem) { closure in\n closure(\"thisisagreatpassword\".utf8)\n }\n\n XCTAssertEqual(key1, key2)\n XCTAssertEqual(key1.hashValue, key2.hashValue)\n }\n }\n\n func testLoadingEncryptedRSAPKCS8KeyFromFile() throws {\n try Self.withPasswordPKCS8PEMKeyFile { passwordPKCS8PemKeyFilePath in\n let key1 = try NIOSSLPrivateKey(file: passwordPKCS8PemKeyFilePath, format: .pem) { closure in\n closure(\"thisisagreatpassword\".utf8)\n }\n let key2 = try NIOSSLPrivateKey(file: passwordPKCS8PemKeyFilePath, format: .pem) { closure in\n closure(\"thisisagreatpassword\".utf8)\n }\n\n XCTAssertEqual(key1, key2)\n XCTAssertEqual(key1.hashValue, key2.hashValue)\n }\n }\n\n func testWildlyOverlongPassphraseRSAFromMemory() throws {\n XCTAssertThrowsError(\n try NIOSSLPrivateKey(bytes: .init(samplePemRSAEncryptedKey.utf8), format: .pem) { closure in\n closure(Array(repeating: UInt8(8), count: 1 << 16))\n }\n ) { error in\n XCTAssertEqual(.failedToLoadPrivateKey, error as? NIOSSLError)\n }\n }\n\n func testWildlyOverlongPassphrasePKCS8FromMemory() throws {\n XCTAssertThrowsError(\n try NIOSSLPrivateKey(bytes: .init(samplePKCS8PemPrivateKey.utf8), format: .pem) { closure in\n closure(Array(repeating: UInt8(8), count: 1 << 16))\n }\n ) { error in\n XCTAssertEqual(.failedToLoadPrivateKey, error as? NIOSSLError)\n }\n }\n\n func testWildlyOverlongPassphraseRSAFromFile() throws {\n XCTAssertThrowsError(\n try NIOSSLPrivateKey(bytes: .init(samplePemRSAEncryptedKey.utf8), format: .pem) { closure in\n closure(Array(repeating: UInt8(8), count: 1 << 16))\n }\n ) { error in\n XCTAssertEqual(.failedToLoadPrivateKey, error as? NIOSSLError)\n }\n }\n\n func testWildlyOverlongPassphrasePKCS8FromFile() throws {\n XCTAssertThrowsError(\n try NIOSSLPrivateKey(bytes: .init(samplePKCS8PemPrivateKey.utf8), format: .pem) { closure in\n closure(Array(repeating: UInt8(8), count: 1 << 16))\n }\n ) { error in\n XCTAssertEqual(.failedToLoadPrivateKey, error as? NIOSSLError)\n }\n }\n\n func testThrowingPassphraseCallback() throws {\n enum MyError: Error {\n case error\n }\n\n XCTAssertThrowsError(\n try NIOSSLPrivateKey(bytes: .init(samplePemRSAEncryptedKey.utf8), format: .pem) {\n (_: NIOSSLPassphraseSetter<[UInt8]>) in\n throw MyError.error\n }\n ) { error in\n XCTAssertEqual(.failedToLoadPrivateKey, error as? NIOSSLError)\n }\n }\n\n func testWrongPassword() {\n XCTAssertThrowsError(\n try NIOSSLPrivateKey(bytes: .init(samplePemRSAEncryptedKey.utf8), format: .pem) {\n closure in closure(\"incorrect password\".utf8)\n }\n ) { error in\n XCTAssertEqual(.failedToLoadPrivateKey, error as? NIOSSLError)\n }\n }\n\n @available(*, deprecated, message: \"`.file` NIOSSLPrivateKeySource option deprecated\")\n func testMissingPassword() throws {\n try Self.withPasswordPEMKeyFile { passwordPemKeyFilePath in\n let configuration = TLSConfiguration.makeServerConfiguration(\n certificateChain: [],\n privateKey: .file(passwordPemKeyFilePath)\n )\n\n XCTAssertThrowsError(try NIOSSLContext(configuration: configuration)) { error in\n XCTAssertEqual(.failedToLoadPrivateKey, error as? NIOSSLError)\n }\n }\n }\n\n func testECKeysWorkProperly() throws {\n let keyDerBytes = [UInt8](sampleECDerKey)\n let keyPemBytes = [UInt8](sampleECPemKey.utf8)\n\n let key1 = try assertNoThrowWithValue(NIOSSLPrivateKey(bytes: keyDerBytes, format: .der))\n let key2 = try assertNoThrowWithValue(NIOSSLPrivateKey(bytes: keyPemBytes, format: .pem))\n\n XCTAssertEqual(key1, key2)\n XCTAssertEqual(key1.hashValue, key2.hashValue)\n }\n\n func testECKeysArentEqualToRSAKeys() throws {\n let key1 = try NIOSSLPrivateKey(bytes: .init(samplePemKey.utf8), format: .pem)\n let key2 = try NIOSSLPrivateKey(bytes: .init(sampleECPemKey.utf8), format: .pem)\n\n XCTAssertNotEqual(key1, key2)\n XCTAssertNotEqual(key1.hashValue, key2.hashValue)\n }\n\n func testDERBytes() throws {\n let key = try NIOSSLPrivateKey(bytes: .init(samplePemKey.utf8), format: .pem)\n let derBytes = try key.derBytes\n XCTAssertEqual(Data(derBytes), pemToDer(samplePemKey))\n }\n}\n" }, { "path": "Tests/NIOSSLTests/SecurityFrameworkVerificationTests.swift", "content": "//===----------------------------------------------------------------------===//\n//\n// This source file is part of the SwiftNIO open source project\n//\n// Copyright (c) 2021 Apple Inc. and the SwiftNIO project authors\n// Licensed under Apache License v2.0\n//\n// See LICENSE.txt for license information\n// See CONTRIBUTORS.txt for the list of SwiftNIO project authors\n//\n// SPDX-License-Identifier: Apache-2.0\n//\n//===----------------------------------------------------------------------===//\n\nimport NIOCore\nimport XCTest\n\n@testable import NIOSSL\n\n// We can only use Security.framework to validate TLS certificates on Apple platforms.\n#if canImport(Darwin)\nimport Dispatch\nimport Foundation\nimport Security\nimport NIOPosix\n#endif\n\nfinal class SecurityFrameworkVerificationTests: XCTestCase {\n static let selfSignedCert: NIOSSLCertificate = {\n generateSelfSignedCert().0\n }()\n\n static let anotherSelfSignedCert: NIOSSLCertificate = {\n generateSelfSignedCert().0\n }()\n\n func testDefaultVerification() throws {\n #if canImport(Darwin)\n let group = MultiThreadedEventLoopGroup(numberOfThreads: 1)\n defer {\n try! group.syncShutdownGracefully()\n }\n\n let p = group.next().makePromise(of: NIOSSLVerificationResult.self)\n let context = try NIOSSLContext(configuration: .makeClientConfiguration())\n let connection = context.createConnection()!\n connection.setConnectState()\n\n connection.performSecurityFrameworkValidation(promise: p, peerCertificates: Self.appleComCertChain)\n let result = try p.futureResult.wait()\n\n XCTAssertEqual(result, .certificateVerified)\n #endif\n }\n\n func testDefaultVerificationCanFail() throws {\n #if canImport(Darwin)\n let group = MultiThreadedEventLoopGroup(numberOfThreads: 1)\n defer {\n try! group.syncShutdownGracefully()\n }\n\n let p = group.next().makePromise(of: NIOSSLVerificationResult.self)\n let context = try NIOSSLContext(configuration: .makeClientConfiguration())\n let connection = context.createConnection()!\n connection.setConnectState()\n\n let certificate = SecCertificateCreateWithData(nil, Data(try! Self.selfSignedCert.toDERBytes()) as CFData)!\n\n connection.performSecurityFrameworkValidation(promise: p, peerCertificates: [certificate])\n let result = try p.futureResult.wait()\n\n XCTAssertEqual(result, .failed)\n #endif\n }\n\n func testDefaultVerificationCanValidateHostname() throws {\n #if canImport(Darwin)\n let group = MultiThreadedEventLoopGroup(numberOfThreads: 1)\n defer {\n try! group.syncShutdownGracefully()\n }\n\n let p = group.next().makePromise(of: NIOSSLVerificationResult.self)\n let context = try NIOSSLContext(configuration: .makeClientConfiguration())\n let connection = context.createConnection()!\n connection.setConnectState()\n connection.expectedHostname = \"www.apple.com\"\n\n connection.performSecurityFrameworkValidation(promise: p, peerCertificates: Self.appleComCertChain)\n let result = try p.futureResult.wait()\n\n XCTAssertEqual(result, .certificateVerified)\n #endif\n }\n\n func testDefaultVerificationFailsOnInvalidHostname() throws {\n #if canImport(Darwin)\n let group = MultiThreadedEventLoopGroup(numberOfThreads: 1)\n defer {\n try! group.syncShutdownGracefully()\n }\n\n let p = group.next().makePromise(of: NIOSSLVerificationResult.self)\n let context = try NIOSSLContext(configuration: .makeClientConfiguration())\n let connection = context.createConnection()!\n connection.setConnectState()\n connection.expectedHostname = \"www.swift-nio.io\"\n\n connection.performSecurityFrameworkValidation(promise: p, peerCertificates: Self.appleComCertChain)\n let result = try p.futureResult.wait()\n\n XCTAssertEqual(result, .failed)\n #endif\n }\n\n func testDefaultVerificationIgnoresHostnamesWhenConfiguredTo() throws {\n #if canImport(Darwin)\n let group = MultiThreadedEventLoopGroup(numberOfThreads: 1)\n defer {\n try! group.syncShutdownGracefully()\n }\n\n let p = group.next().makePromise(of: NIOSSLVerificationResult.self)\n var configuration = TLSConfiguration.makeClientConfiguration()\n configuration.certificateVerification = .noHostnameVerification\n let context = try NIOSSLContext(configuration: configuration)\n let connection = context.createConnection()!\n connection.setConnectState()\n connection.expectedHostname = \"www.swift-nio.io\"\n\n connection.performSecurityFrameworkValidation(promise: p, peerCertificates: Self.appleComCertChain)\n let result = try p.futureResult.wait()\n\n XCTAssertEqual(result, .certificateVerified)\n #endif\n }\n\n func testDefaultVerificationPlusAdditionalCanUseAdditionalRoot() throws {\n #if canImport(Darwin)\n let group = MultiThreadedEventLoopGroup(numberOfThreads: 1)\n defer {\n try! group.syncShutdownGracefully()\n }\n\n let p = group.next().makePromise(of: NIOSSLVerificationResult.self)\n\n var config = TLSConfiguration.makeClientConfiguration()\n config.additionalTrustRoots = [.certificates([Self.selfSignedCert])]\n let context = try NIOSSLContext(configuration: config)\n let connection = context.createConnection()!\n connection.setConnectState()\n\n let certificate = SecCertificateCreateWithData(nil, Data(try! Self.selfSignedCert.toDERBytes()) as CFData)!\n\n connection.performSecurityFrameworkValidation(promise: p, peerCertificates: [certificate])\n let result = try p.futureResult.wait()\n\n XCTAssertEqual(result, .certificateVerified)\n #endif\n }\n\n func testDefaultVerificationPlusAdditionalCanUseDefaultRoots() throws {\n #if canImport(Darwin)\n let group = MultiThreadedEventLoopGroup(numberOfThreads: 1)\n defer {\n try! group.syncShutdownGracefully()\n }\n\n let p = group.next().makePromise(of: NIOSSLVerificationResult.self)\n\n var config = TLSConfiguration.makeClientConfiguration()\n config.additionalTrustRoots = [.certificates([Self.selfSignedCert])]\n let context = try NIOSSLContext(configuration: config)\n let connection = context.createConnection()!\n connection.setConnectState()\n\n connection.performSecurityFrameworkValidation(promise: p, peerCertificates: Self.appleComCertChain)\n let result = try p.futureResult.wait()\n\n XCTAssertEqual(result, .certificateVerified)\n #endif\n }\n\n func testDefaultVerificationPlusAdditionalCanFailWithUnknownCert() throws {\n #if canImport(Darwin)\n let group = MultiThreadedEventLoopGroup(numberOfThreads: 1)\n defer {\n try! group.syncShutdownGracefully()\n }\n\n let p = group.next().makePromise(of: NIOSSLVerificationResult.self)\n\n var config = TLSConfiguration.makeClientConfiguration()\n config.additionalTrustRoots = [.certificates([Self.selfSignedCert])]\n let context = try NIOSSLContext(configuration: config)\n let connection = context.createConnection()!\n connection.setConnectState()\n\n let certificate = SecCertificateCreateWithData(\n nil,\n Data(try! Self.anotherSelfSignedCert.toDERBytes()) as CFData\n )!\n\n connection.performSecurityFrameworkValidation(promise: p, peerCertificates: [certificate])\n let result = try p.futureResult.wait()\n\n XCTAssertEqual(result, .failed)\n #endif\n }\n}\n\n// This class allows us to work around an awkward bug with our static below.\n// We need to mark this type non-Sendable.\n#if !canImport(Darwin)\nfinal class SecCertificate {\n\n}\n\n@available(*, unavailable)\nextension SecCertificate: Sendable {}\n#endif\n\nextension SecurityFrameworkVerificationTests {\n /// If tests fail because of an expired cert, you can regenerate the leaf and intermediate certificates\n /// by running the following command, and replacing both served certificates as leaf and intermediate,\n /// in that order:\n /// `openssl s_client -connect www.apple.com:443 -servername www.apple.com -showcerts`\n nonisolated(unsafe) fileprivate static let appleComCertChain: [SecCertificate] = buildAppleComCertChain()\n\n fileprivate static func buildAppleComCertChain() -> [SecCertificate] {\n #if canImport(Darwin)\n // All certs here are PEM format, with the leading/trailing lines stripped.\n\n // Not Valid Before: 11 Feb 2026 17:44:10 GMT\n // Not Valid After: 8 Aug 2026 17:30:10 GMT\n let leaf = \"\"\"\n MIIHeDCCBmCgAwIBAgIQCiKs5C/HH0Y/lT7wtag/DDANBgkqhkiG9w0BAQsFADBR\n MQswCQYDVQQGEwJVUzETMBEGA1UEChMKQXBwbGUgSW5jLjEtMCsGA1UEAxMkQXBw\n bGUgUHVibGljIEVWIFNlcnZlciBSU0EgQ0EgMSAtIEcxMB4XDTI2MDIxMTE3NDQx\n MFoXDTI2MDgxODE3MzAxMFowgccxHTAbBgNVBA8MFFByaXZhdGUgT3JnYW5pemF0\n aW9uMRMwEQYLKwYBBAGCNzwCAQMTAlVTMRswGQYLKwYBBAGCNzwCAQIMCkNhbGlm\n b3JuaWExETAPBgNVBAUTCEMwODA2NTkyMQswCQYDVQQGEwJVUzETMBEGA1UECAwK\n Q2FsaWZvcm5pYTESMBAGA1UEBwwJQ3VwZXJ0aW5vMRMwEQYDVQQKDApBcHBsZSBJ\n bmMuMRYwFAYDVQQDDA13d3cuYXBwbGUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOC\n AQ8AMIIBCgKCAQEAk90vvxbvjCycmnxqzhVhARxSD3lFU14ECmveg1JJkfWV2tQc\n kiQjakUx3i5o4oF5BX94TgKHfbQ4CDeNkkTdgiE8c5d1SyQ30OKMmu5Png+MBtyU\n ERTYE6789ZQSX7Qj4YeZUMnBTB0gF3F0dSNI1gtEi6O0DusC6OkA+kStocebvib9\n 9VLqCJ7tTDmJGJBQqBIICVTFJrnUOLBrxrW6wYg8t4bieeaWo6aCDgMORyXYEi6s\n 8QYAVt6ELDmfY3tIK4pQxx2EWOUDAeczIFqx0PtA4csnFOU84OT6DAYZBrcrtahB\n snW9n2wx1EzvMrnYhuDJPY7dwMJIH1jFIAZLMwIDAQABo4ID0zCCA88wDAYDVR0T\n AQH/BAIwADAfBgNVHSMEGDAWgBTTvcE8oM81uTTF1NvaEA5M3mr+WDB6BggrBgEF\n BQcBAQRuMGwwMgYIKwYBBQUHMAKGJmh0dHA6Ly9jZXJ0cy5hcHBsZS5jb20vYXBl\n dnNyc2ExZzEuZGVyMDYGCCsGAQUFBzABhipodHRwOi8vb2NzcC5hcHBsZS5jb20v\n b2NzcDAzLWFwZXZzcnNhMWcxMDEwPAYDVR0RBDUwM4IQaW1hZ2VzLmFwcGxlLmNv\n bYINd3d3LmFwcGxlLmNvbYIQd3d3LmFwcGxlLmNvbS5jbjBgBgNVHSAEWTBXMEgG\n BWeBDAEBMD8wPQYIKwYBBQUHAgEWMWh0dHBzOi8vd3d3LmFwcGxlLmNvbS9jZXJ0\n aWZpY2F0ZWF1dGhvcml0eS9wdWJsaWMwCwYJYIZIAYb9bAIBMBMGA1UdJQQMMAoG\n CCsGAQUFBwMBMDUGA1UdHwQuMCwwKqAooCaGJGh0dHA6Ly9jcmwuYXBwbGUuY29t\n L2FwZXZzcnNhMWcxLmNybDAdBgNVHQ4EFgQUsYvlS10MqKLYBaxFqMlTrsUPubAw\n DgYDVR0PAQH/BAQDAgWgMA8GCSqGSIb3Y2QGVgQCBQAwggH0BgorBgEEAdZ5AgQC\n BIIB5ASCAeAB3gB1AJROQ4f67MHvgfMZJCaoGGUBx9NfOAIBP3JnfVU3LhnYAAAB\n nE3W1lgAAAQDAEYwRAIgVZYmJmSrX0I48qD3ga9siB4X+ABlwS46NibY7CGB67oC\n IBAQ/tzmhDmJTsQPVsxyB8zzNCFILG3x9KXi84xFDSn/AHYAyKPEf8ezrbk1awE/\n anoSbeM6TkOlxkb5l605dZkdz5oAAAGcTdbWbAAABAMARzBFAiEAp40+gQNimcjv\n 5nEpubXnCj+XFNybUatiM0sLr+dXiswCIB+nWWZdG8YT3lLXGMjCOz9+wYEpwnDO\n m484HO6ExgRlAHYA1219ENGn9XfCx+lf1wC/+YLJM1pl4dCzAXMXwMjFaXcAAAGc\n TdbWWgAABAMARzBFAiAIC0mUpuft8PG9ro6a3cIre4WawkbDvWNddyCEfow9gQIh\n AJeHkOZPRSpME/Q8XDSa7hIOYl/0sffaXthwn0MnZaqqAHUAwjF+V0UZo0Xufzje\n spBB68fCIVoiv3/Vta12mtkOUs0AAAGcTdbWdwAABAMARjBEAiBjs2ij+9e0NCA7\n +aUagaghDIaRm2ebKL2Oq8IHTfXrLQIgJ1LUZZI0r+DEnWN84L+kYfDE2bHKLiAq\n oRlB4aVdxMwwDQYJKoZIhvcNAQELBQADggEBAIYpW3UNZnJJGsYhOZ+CFutCLPGS\n MbKPr8nIHXlh4tP3cxkE1D8SUDzsp+81DwzhkJ8cFPz2JlxzFTWMlumo/vWFxO54\n OLp0gAbEYBjOFuzf8A32XSwSo6Xoj+dpvD24gje8+COxNaAWsbUQdm9E0oRWsMd9\n ZcORi6J1Tywhb1uqvMa1XDhtZXEG/yzwtbDQbBHYNBgXPG5odSCzuqfL2aZIcorR\n zfsZ3Q+cvy/SSsHSFKqXiZHRVuF86IxxcYtnzzppYFBi5ZfvWyyRlXvK2mGWfkjj\n H+oCFWiClVTllg31d5XLuWTSY1gc8KqbHsGIjKv9FxqHQxokzIjMlyB+T68=\n \"\"\"\n\n // Not Valid Before: 29 Apr 2020 12:55:34 GMT\n // Not Valid After: 11 Apr 2030 23:59:59 GMT\n let intermediate = \"\"\"\n MIIFHjCCBAagAwIBAgIQBPIuzCH8tDgqwouPLWQfwDANBgkqhkiG9w0BAQsFADBh\n MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3\n d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBH\n MjAeFw0yMDA0MjkxMjU1MzRaFw0zMDA0MTAyMzU5NTlaMFExCzAJBgNVBAYTAlVT\n MRMwEQYDVQQKEwpBcHBsZSBJbmMuMS0wKwYDVQQDEyRBcHBsZSBQdWJsaWMgRVYg\n U2VydmVyIFJTQSBDQSAxIC0gRzEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK\n AoIBAQDfn5fdV0A4cCNFu0EvUgduZVPyPZity4q8Re1TcE9qGyWoVpzHm9OluDlq\n wcvudbLwBe25PWA2Z9xFpVKK9jGW6Vt79N7if7dfi9w2+2zG+/wJu1Z6TA8RENTV\n uJTaMwqQXw1dTkZEOgjCEKa75uyzXl+mIa0s4GdxkCBclGI9WDsUFlLj3A6eBIze\n TomTl7LhIV+nQUEWTqkwG5Pcxckiv7Xn1mu7EVWUukZWY8uL+KhcTJQZYtxNj3Pe\n M73WZ3fraixPA+RBkVnG5NgObRnrk5VHwjntbit9892kp7EISZK4Izfm99QgP4V2\n IqHFsKxfCnZqfwUHikxftIVkjXIdAgMBAAGjggHgMIIB3DAdBgNVHQ4EFgQU073B\n PKDPNbk0xdTb2hAOTN5q/lgwHwYDVR0jBBgwFoAUTiJUIBiV5uNu5g/6+rkS7QYX\n jzkwDgYDVR0PAQH/BAQDAgGGMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcD\n AjASBgNVHRMBAf8ECDAGAQH/AgEAMDQGCCsGAQUFBwEBBCgwJjAkBggrBgEFBQcw\n AYYYaHR0cDovL29jc3AuZGlnaWNlcnQuY29tMEIGA1UdHwQ7MDkwN6A1oDOGMWh0\n dHA6Ly9jcmwzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydEdsb2JhbFJvb3RHMi5jcmww\n gdwGA1UdIASB1DCB0TCBxQYJYIZIAYb9bAIBMIG3MCgGCCsGAQUFBwIBFhxodHRw\n czovL3d3dy5kaWdpY2VydC5jb20vQ1BTMIGKBggrBgEFBQcCAjB+DHxBbnkgdXNl\n IG9mIHRoaXMgQ2VydGlmaWNhdGUgY29uc3RpdHV0ZXMgYWNjZXB0YW5jZSBvZiB0\n aGUgUmVseWluZyBQYXJ0eSBBZ3JlZW1lbnQgbG9jYXRlZCBhdCBodHRwczovL3d3\n dy5kaWdpY2VydC5jb20vcnBhLXVhMAcGBWeBDAEBMA0GCSqGSIb3DQEBCwUAA4IB\n AQBD9c6SmtMxGjRwc/A1bPiM+r1qj5xbDzGn6s6m6oggm9UeBLCSUNJthKffNPqq\n wtULeeUddssewaOZX+uHjG9bY/O9J1VQtGtXI2hndyAPiloqNjf5iBW16h3ZIUFQ\n L319hISioItFVJZnVe4gjNEWio1ZRwO5A4e/H69/lPAX294yGtYGllAdv2NexhUM\n fjODhCajoTJmkXbyIpYzTNkgDXvQptTecrvr0rPzEMWfTtGSppbOC+s/5jG3aJ6G\n Jn49Ram1ZLEGHTx9PWUoHth9Lj7vwFBD9667x9m9nUhuET9a3XvNep+N7w96ZqH2\n fAqUBW1kl6u3u67D6mvDsCQr\n \"\"\"\n\n return [leaf, intermediate].map {\n SecCertificateCreateWithData(nil, Data(base64Encoded: $0, options: .ignoreUnknownCharacters)! as CFData)!\n }\n #else\n return []\n #endif\n }\n}\n" }, { "path": "Tests/NIOSSLTests/TLS13RecordObserver.swift", "content": "//===----------------------------------------------------------------------===//\n//\n// This source file is part of the SwiftNIO open source project\n//\n// Copyright (c) 2022 Apple Inc. and the SwiftNIO project authors\n// Licensed under Apache License v2.0\n//\n// See LICENSE.txt for license information\n// See CONTRIBUTORS.txt for the list of SwiftNIO project authors\n//\n// SPDX-License-Identifier: Apache-2.0\n//\n//===----------------------------------------------------------------------===//\nimport NIOCore\n\nfinal class TLS13RecordObserver: ChannelDuplexHandler {\n typealias InboundIn = ByteBuffer\n typealias InboundOut = ByteBuffer\n typealias OutboundIn = ByteBuffer\n typealias OutboundOut = ByteBuffer\n\n var writtenRecords: [Record] = []\n\n func write(context: ChannelHandlerContext, data: NIOAny, promise: EventLoopPromise?) {\n var payload = self.unwrapOutboundIn(data)\n\n while let record = payload.readTLS13Record() {\n writtenRecords.append(record)\n }\n\n // We should have consumed everything as NIO only writes full records.\n precondition(payload.readableBytes == 0)\n\n // Forward the original payload on.\n context.write(data, promise: promise)\n }\n}\n\nextension TLS13RecordObserver {\n struct Record: Hashable {\n var contentType: ContentType\n var legacyRecordVersion: UInt16\n var encryptedRecord: ByteBuffer\n }\n}\n\nextension TLS13RecordObserver.Record {\n struct ContentType: RawRepresentable, Hashable {\n var rawValue: UInt8\n\n init(rawValue: UInt8) {\n self.rawValue = rawValue\n }\n\n static let invalid = Self(rawValue: 0)\n static let changeCipherSpec = Self(rawValue: 20)\n static let alert = Self(rawValue: 21)\n static let handshake = Self(rawValue: 22)\n static let applicationData = Self(rawValue: 23)\n }\n}\n\nextension ByteBuffer {\n fileprivate mutating func readTLS13Record() -> TLS13RecordObserver.Record? {\n guard\n let (contentType, legacyRecordVersion, length) = self.readMultipleIntegers(as: (UInt8, UInt16, UInt16).self)\n else {\n return nil\n }\n\n guard let encryptedRecord = self.readSlice(length: Int(length)) else {\n return nil\n }\n\n return .init(\n contentType: .init(rawValue: contentType),\n legacyRecordVersion: legacyRecordVersion,\n encryptedRecord: encryptedRecord\n )\n }\n}\n" }, { "path": "Tests/NIOSSLTests/TLSConfigurationTest.swift", "content": "//===----------------------------------------------------------------------===//\n//\n// This source file is part of the SwiftNIO open source project\n//\n// Copyright (c) 2017-2021 Apple Inc. and the SwiftNIO project authors\n// Licensed under Apache License v2.0\n//\n// See LICENSE.txt for license information\n// See CONTRIBUTORS.txt for the list of SwiftNIO project authors\n//\n// SPDX-License-Identifier: Apache-2.0\n//\n//===----------------------------------------------------------------------===//\n\n@_implementationOnly import CNIOBoringSSL\n@preconcurrency import Dispatch\nimport NIOConcurrencyHelpers\nimport NIOCore\nimport NIOEmbedded\nimport NIOPosix\nimport NIOTLS\nimport XCTest\n\n@testable import NIOSSL\n\nfinal class ErrorCatcher: ChannelInboundHandler, Sendable {\n public typealias InboundIn = Any\n let _errors: NIOLockedValueBox<[T]>\n var errors: [T] {\n self._errors.withLockedValue { $0 }\n }\n\n public init() {\n self._errors = .init([])\n }\n\n public func errorCaught(context: ChannelHandlerContext, error: Error) {\n self._errors.withLockedValue { $0.append(error as! T) }\n }\n}\n\nfinal class HandshakeCompletedHandler: ChannelInboundHandler, Sendable {\n public typealias InboundIn = Any\n let _handshakeSucceeded = NIOLockedValueBox(false)\n var handshakeSucceeded: Bool {\n self._handshakeSucceeded.withLockedValue { $0 }\n }\n\n public func userInboundEventTriggered(context: ChannelHandlerContext, event: Any) {\n if let event = event as? TLSUserEvent, case .handshakeCompleted = event {\n self._handshakeSucceeded.withLockedValue { $0 = true }\n }\n context.fireUserInboundEventTriggered(event)\n }\n}\n\nfinal class WaitForHandshakeHandler: ChannelInboundHandler, Sendable {\n public typealias InboundIn = Any\n public var handshakeResult: EventLoopFuture {\n self.handshakeResultPromise.futureResult\n }\n\n private let handshakeResultPromise: EventLoopPromise\n\n init(handshakeResultPromise: EventLoopPromise) {\n self.handshakeResultPromise = handshakeResultPromise\n }\n\n public func userInboundEventTriggered(context: ChannelHandlerContext, event: Any) {\n if let event = event as? TLSUserEvent, case .handshakeCompleted = event {\n self.handshakeResultPromise.succeed(())\n }\n context.fireUserInboundEventTriggered(event)\n }\n\n public func errorCaught(context: ChannelHandlerContext, error: Error) {\n if let error = error as? NIOSSLError, case .handshakeFailed = error {\n self.handshakeResultPromise.fail(error)\n }\n context.fireErrorCaught(error)\n }\n}\n\nclass TLSConfigurationTest: XCTestCase {\n static let _certAndKey1 = generateSelfSignedCert()\n static let cert1 = TLSConfigurationTest._certAndKey1.0\n static let key1 = TLSConfigurationTest._certAndKey1.1\n\n static let _certAndKey2 = generateSelfSignedCert()\n static let cert2 = TLSConfigurationTest._certAndKey2.0\n static let key2 = TLSConfigurationTest._certAndKey2.1\n\n func assertHandshakeError(\n withClientConfig clientConfig: TLSConfiguration,\n andServerConfig serverConfig: TLSConfiguration,\n errorTextContains message: String,\n file: StaticString = #filePath,\n line: UInt = #line\n ) throws {\n try assertHandshakeError(\n withClientConfig: clientConfig,\n andServerConfig: serverConfig,\n errorTextContainsAnyOf: [message],\n file: file,\n line: line\n )\n }\n\n func assertHandshakeError(\n withClientConfig clientConfig: TLSConfiguration,\n andServerConfig serverConfig: TLSConfiguration,\n errorTextContainsAnyOf messages: [String],\n file: StaticString = #filePath,\n line: UInt = #line\n ) throws {\n let clientContext = try assertNoThrowWithValue(\n NIOSSLContext(configuration: clientConfig),\n file: file,\n line: line\n )\n let serverContext = try assertNoThrowWithValue(\n NIOSSLContext(configuration: serverConfig),\n file: file,\n line: line\n )\n\n let group = MultiThreadedEventLoopGroup(numberOfThreads: 1)\n defer {\n XCTAssertNoThrow(try group.syncShutdownGracefully())\n }\n\n let eventHandler = ErrorCatcher()\n let handshakeHandler = HandshakeCompletedHandler()\n let serverChannel = try assertNoThrowWithValue(\n serverTLSChannel(context: serverContext, handlers: [], group: group),\n file: file,\n line: line\n )\n let clientChannel = try assertNoThrowWithValue(\n clientTLSChannel(\n context: clientContext,\n preHandlers: [],\n postHandlers: [eventHandler, handshakeHandler],\n group: group,\n connectingTo: serverChannel.localAddress!\n ),\n file: file,\n line: line\n )\n\n // We expect the channel to be closed fairly swiftly as the handshake should fail.\n clientChannel.closeFuture.whenComplete { _ in\n XCTAssertEqual(eventHandler.errors.count, 1)\n\n switch eventHandler.errors[0] {\n case .handshakeFailed(.sslError(let errs)):\n let correctError: Bool = messages.map { errs[0].description.contains($0) }.reduce(false) { $0 || $1 }\n XCTAssert(correctError, errs[0].description, file: (file), line: line)\n default:\n XCTFail(\"Unexpected error: \\(eventHandler.errors[0])\", file: (file), line: line)\n }\n\n XCTAssertFalse(handshakeHandler.handshakeSucceeded, file: (file), line: line)\n }\n try clientChannel.closeFuture.wait()\n }\n\n func assertPostHandshakeError(\n withClientConfig clientConfig: TLSConfiguration,\n andServerConfig serverConfig: TLSConfiguration,\n errorTextContainsAnyOf messages: [String],\n file: StaticString = #filePath,\n line: UInt = #line\n ) throws {\n let clientContext = try assertNoThrowWithValue(\n NIOSSLContext(configuration: clientConfig),\n file: file,\n line: line\n )\n let serverContext = try assertNoThrowWithValue(\n NIOSSLContext(configuration: serverConfig),\n file: file,\n line: line\n )\n\n let group = MultiThreadedEventLoopGroup(numberOfThreads: 1)\n defer {\n XCTAssertNoThrow(try group.syncShutdownGracefully())\n }\n\n let eventHandler = ErrorCatcher()\n let handshakeHandler = HandshakeCompletedHandler()\n let serverChannel = try assertNoThrowWithValue(\n serverTLSChannel(context: serverContext, handlers: [], group: group),\n file: file,\n line: line\n )\n let clientChannel = try assertNoThrowWithValue(\n clientTLSChannel(\n context: clientContext,\n preHandlers: [],\n postHandlers: [eventHandler, handshakeHandler],\n group: group,\n connectingTo: serverChannel.localAddress!\n ),\n file: file,\n line: line\n )\n\n // We expect the channel to be closed fairly swiftly as the handshake should fail.\n clientChannel.closeFuture.whenComplete { _ in\n XCTAssertEqual(eventHandler.errors.count, 1, file: (file), line: line)\n\n switch eventHandler.errors[0] {\n case .sslError(let errs):\n XCTAssertEqual(errs.count, 1, file: (file), line: line)\n let correctError: Bool = messages.map { errs[0].description.contains($0) }.reduce(false) { $0 || $1 }\n XCTAssert(correctError, errs[0].description, file: (file), line: line)\n default:\n XCTFail(\"Unexpected error: \\(eventHandler.errors[0])\", file: (file), line: line)\n }\n\n XCTAssertTrue(handshakeHandler.handshakeSucceeded, file: (file), line: line)\n }\n try clientChannel.closeFuture.wait()\n }\n\n /// Performs a connection in memory and validates that the handshake was successful.\n ///\n /// - NOTE: This function should only be used when you know that there is no custom verification\n /// callback in use, otherwise it will not be thread-safe.\n func assertHandshakeSucceededInMemory(\n withClientConfig clientConfig: TLSConfiguration,\n andServerConfig serverConfig: TLSConfiguration,\n file: StaticString = #filePath,\n line: UInt = #line\n ) throws {\n let clientContext = try assertNoThrowWithValue(NIOSSLContext(configuration: clientConfig))\n let serverContext = try assertNoThrowWithValue(NIOSSLContext(configuration: serverConfig))\n try self.assertHandshakeSucceededInMemory(\n withClientContext: clientContext,\n andServerContext: serverContext,\n file: file,\n line: line\n )\n }\n\n /// Performs a connection in memory and validates that the handshake was successful.\n ///\n /// - NOTE: This function should only be used when you know that there is no custom verification\n /// callback in use, otherwise it will not be thread-safe.\n func assertHandshakeSucceededInMemory(\n withClientContext clientContext: NIOSSLContext,\n andServerContext serverContext: NIOSSLContext,\n file: StaticString = #filePath,\n line: UInt = #line\n ) throws {\n let serverChannel = EmbeddedChannel()\n let clientChannel = EmbeddedChannel()\n\n defer {\n // We expect the server case to throw\n _ = try? serverChannel.finish()\n _ = try? clientChannel.finish()\n }\n\n XCTAssertNoThrow(\n try serverChannel.pipeline.syncOperations.addHandler(NIOSSLServerHandler(context: serverContext)),\n file: (file),\n line: line\n )\n XCTAssertNoThrow(\n try clientChannel.pipeline.syncOperations.addHandler(\n NIOSSLClientHandler(context: clientContext, serverHostname: nil)\n ),\n file: (file),\n line: line\n )\n let handshakeHandler = HandshakeCompletedHandler()\n XCTAssertNoThrow(try clientChannel.pipeline.addHandler(handshakeHandler).wait(), file: (file), line: line)\n\n // Connect. This should lead to a completed handshake.\n XCTAssertNoThrow(try connectInMemory(client: clientChannel, server: serverChannel), file: (file), line: line)\n XCTAssertTrue(handshakeHandler.handshakeSucceeded, file: (file), line: line)\n\n _ = serverChannel.close()\n try interactInMemory(clientChannel: clientChannel, serverChannel: serverChannel)\n }\n\n /// Performs a connection using a real event loop and validates that the handshake was successful.\n ///\n /// This function is thread-safe in the presence of custom verification callbacks.\n func assertHandshakeSucceededEventLoop(\n withClientConfig clientConfig: TLSConfiguration,\n andServerConfig serverConfig: TLSConfiguration,\n serverCustomVerificationCallback: (\n @Sendable ([NIOSSLCertificate], EventLoopPromise) ->\n Void\n )? = nil,\n file: StaticString = #filePath,\n line: UInt = #line\n ) throws {\n let clientContext = try assertNoThrowWithValue(\n NIOSSLContext(configuration: clientConfig),\n file: file,\n line: line\n )\n let serverContext = try assertNoThrowWithValue(\n NIOSSLContext(configuration: serverConfig),\n file: file,\n line: line\n )\n try self.assertHandshakeSucceededEventLoop(\n withClientContext: clientContext,\n andServerContext: serverContext,\n serverCustomVerificationCallback: serverCustomVerificationCallback,\n file: file,\n line: line\n )\n }\n\n /// Performs a connection using a real event loop and validates that the handshake was successful.\n ///\n /// This function is thread-safe in the presence of custom verification callbacks.\n func assertHandshakeSucceededEventLoop(\n withClientContext clientContext: NIOSSLContext,\n andServerContext serverContext: NIOSSLContext,\n serverCustomVerificationCallback: (\n @Sendable ([NIOSSLCertificate], EventLoopPromise) ->\n Void\n )? = nil,\n file: StaticString = #filePath,\n line: UInt = #line\n ) throws {\n let group = MultiThreadedEventLoopGroup(numberOfThreads: 1)\n defer {\n XCTAssertNoThrow(try group.syncShutdownGracefully())\n }\n\n let eventHandler = ErrorCatcher()\n let handshakeHandler = HandshakeCompletedHandler()\n let handshakeResultPromise = group.next().makePromise(of: Void.self)\n let handshakeWatcher = WaitForHandshakeHandler(handshakeResultPromise: handshakeResultPromise)\n\n let serverChannel = try assertNoThrowWithValue(\n serverTLSChannel(\n context: serverContext,\n handlers: [],\n group: group,\n customVerificationCallback: serverCustomVerificationCallback\n ),\n file: file,\n line: line\n )\n let clientChannel = try assertNoThrowWithValue(\n clientTLSChannel(\n context: clientContext,\n preHandlers: [],\n postHandlers: [eventHandler, handshakeWatcher, handshakeHandler],\n group: group,\n connectingTo: serverChannel.localAddress!\n ),\n file: file,\n line: line\n )\n\n handshakeWatcher.handshakeResult.whenComplete { c in\n _ = clientChannel.close()\n }\n\n clientChannel.closeFuture.whenComplete { _ in\n XCTAssertEqual(eventHandler.errors.count, 0, file: file, line: line)\n XCTAssertTrue(handshakeHandler.handshakeSucceeded, file: file, line: line)\n }\n try clientChannel.closeFuture.wait()\n }\n\n func assertHandshakeSucceeded(\n withClientConfig clientConfig: TLSConfiguration,\n andServerConfig serverConfig: TLSConfiguration,\n file: StaticString = #filePath,\n line: UInt = #line\n ) throws {\n // The only use of a custom callback is on Darwin...\n #if os(Linux)\n return try assertHandshakeSucceededInMemory(\n withClientConfig: clientConfig,\n andServerConfig: serverConfig,\n file: file,\n line: line\n )\n\n #else\n return try assertHandshakeSucceededEventLoop(\n withClientConfig: clientConfig,\n andServerConfig: serverConfig,\n file: file,\n line: line\n )\n #endif\n }\n\n func assertHandshakeSucceeded(\n withClientContext clientContext: NIOSSLContext,\n andServerContext serverContext: NIOSSLContext,\n file: StaticString = #filePath,\n line: UInt = #line\n ) throws {\n // The only use of a custom callback is on Darwin...\n #if os(Linux)\n return try self.assertHandshakeSucceededInMemory(\n withClientContext: clientContext,\n andServerContext: serverContext,\n file: file,\n line: line\n )\n\n #else\n return try self.assertHandshakeSucceededEventLoop(\n withClientContext: clientContext,\n andServerContext: serverContext,\n file: file,\n line: line\n )\n #endif\n }\n\n func setupTLSLeafandClientIdentitiesFromCustomCARoot() throws -> (\n leafCert: NIOSSLCertificate, leafKey: NIOSSLPrivateKey,\n clientCert: NIOSSLCertificate, clientKey: NIOSSLPrivateKey\n ) {\n let leaf = try NIOSSLCertificate(bytes: .init(leafCertificateForTLSIssuedFromCustomCARoot.utf8), format: .pem)\n let leaf_privateKey = try NIOSSLPrivateKey.init(bytes: .init(privateKeyForLeafCertificate.utf8), format: .pem)\n\n let client_cert = try NIOSSLCertificate(\n bytes: .init(leafCertificateForClientAuthenticationIssuedFromCustomCARoot.utf8),\n format: .pem\n )\n let client_privateKey = try NIOSSLPrivateKey.init(\n bytes: .init(privateKeyForClientAuthentication.utf8),\n format: .pem\n )\n return (leaf, leaf_privateKey, client_cert, client_privateKey)\n }\n\n // Note that this is a stub to create the rehash file format for a certificate.\n // If needed in the future the numericExtension should be reworked to check for duplicates and increment as applicable.\n func getRehashFilename(path: String, testName: String, numericExtension: Int) -> String {\n var cert: NIOSSLCertificate!\n if path.suffix(4) == \".pem\" {\n XCTAssertNoThrow(cert = try NIOSSLCertificate.fromPEMFile(path).first)\n } else {\n XCTAssertNoThrow(cert = try NIOSSLCertificate.fromDERFile(path))\n }\n // Create a rehash format filename to symlink the hard file above to.\n let originalSubjectName = cert.getSubjectNameHash()\n let truncatedHash = String(format: \"%08lx.%d\", originalSubjectName, numericExtension)\n let tempDirPath = FileManager.default.temporaryDirectory.path + \"/\" + testName + \"/\"\n return tempDirPath + truncatedHash\n }\n\n func testNonOverlappingTLSVersions() throws {\n var clientConfig = TLSConfiguration.clientDefault\n clientConfig.minimumTLSVersion = .tlsv11\n clientConfig.trustRoots = .certificates([TLSConfigurationTest.cert1])\n var serverConfig = TLSConfiguration.makeServerConfiguration(\n certificateChain: [.certificate(TLSConfigurationTest.cert1)],\n privateKey: .privateKey(TLSConfigurationTest.key1)\n )\n serverConfig.maximumTLSVersion = .tlsv1\n\n try assertHandshakeError(\n withClientConfig: clientConfig,\n andServerConfig: serverConfig,\n errorTextContains: \"ALERT_PROTOCOL_VERSION\"\n )\n }\n\n func testNonOverlappingCipherSuitesPreTLS13() throws {\n var clientConfig = TLSConfiguration.makeClientConfiguration()\n clientConfig.cipherSuiteValues = [.TLS_RSA_WITH_AES_128_CBC_SHA]\n clientConfig.maximumTLSVersion = .tlsv12\n clientConfig.trustRoots = .certificates([TLSConfigurationTest.cert1])\n var serverConfig = TLSConfiguration.makeServerConfiguration(\n certificateChain: [.certificate(TLSConfigurationTest.cert1)],\n privateKey: .privateKey(TLSConfigurationTest.key1)\n )\n serverConfig.cipherSuiteValues = [.TLS_RSA_WITH_AES_256_CBC_SHA]\n serverConfig.maximumTLSVersion = .tlsv12\n\n try assertHandshakeError(\n withClientConfig: clientConfig,\n andServerConfig: serverConfig,\n errorTextContains: \"ALERT_HANDSHAKE_FAILURE\"\n )\n }\n\n func testCannotVerifySelfSigned() throws {\n let clientConfig = TLSConfiguration.makeClientConfiguration()\n let serverConfig = TLSConfiguration.makeServerConfiguration(\n certificateChain: [.certificate(TLSConfigurationTest.cert1)],\n privateKey: .privateKey(TLSConfigurationTest.key1)\n )\n\n try assertHandshakeError(\n withClientConfig: clientConfig,\n andServerConfig: serverConfig,\n errorTextContains: \"CERTIFICATE_VERIFY_FAILED\"\n )\n }\n\n func testServerCannotValidateClientPreTLS13() throws {\n var clientConfig = TLSConfiguration.makeClientConfiguration()\n clientConfig.maximumTLSVersion = .tlsv12\n clientConfig.trustRoots = .certificates([TLSConfigurationTest.cert1])\n clientConfig.certificateChain = [.certificate(TLSConfigurationTest.cert2)]\n clientConfig.privateKey = .privateKey(TLSConfigurationTest.key2)\n\n var serverConfig = TLSConfiguration.makeServerConfiguration(\n certificateChain: [.certificate(TLSConfigurationTest.cert1)],\n privateKey: .privateKey(TLSConfigurationTest.key1)\n )\n serverConfig.maximumTLSVersion = .tlsv12\n serverConfig.certificateVerification = .noHostnameVerification\n\n try assertHandshakeError(\n withClientConfig: clientConfig,\n andServerConfig: serverConfig,\n errorTextContainsAnyOf: [\"ALERT_UNKNOWN_CA\", \"ALERT_CERTIFICATE_UNKNOWN\"]\n )\n }\n\n func testServerCannotValidateClientPostTLS13() throws {\n var clientConfig = TLSConfiguration.makeClientConfiguration()\n clientConfig.minimumTLSVersion = .tlsv13\n clientConfig.certificateVerification = .noHostnameVerification\n clientConfig.trustRoots = .certificates([TLSConfigurationTest.cert1])\n clientConfig.certificateChain = [.certificate(TLSConfigurationTest.cert2)]\n clientConfig.privateKey = .privateKey(TLSConfigurationTest.key2)\n\n var serverConfig = TLSConfiguration.makeServerConfiguration(\n certificateChain: [.certificate(TLSConfigurationTest.cert1)],\n privateKey: .privateKey(TLSConfigurationTest.key1)\n )\n serverConfig.minimumTLSVersion = .tlsv13\n serverConfig.certificateVerification = .noHostnameVerification\n\n try assertPostHandshakeError(\n withClientConfig: clientConfig,\n andServerConfig: serverConfig,\n errorTextContainsAnyOf: [\"ALERT_UNKNOWN_CA\", \"ALERT_CERTIFICATE_UNKNOWN\"]\n )\n }\n\n func testMutualValidationWithCertVerificationOptionalSuccess_NoPeerCert() throws {\n // The client doesn't present a cert chain\n var clientConfig = TLSConfiguration.makeClientConfiguration()\n clientConfig.certificateVerification = .noHostnameVerification\n clientConfig.trustRoots = .default\n clientConfig.additionalTrustRoots = [.certificates([TLSConfigurationTest.cert1])]\n\n var serverConfig = TLSConfiguration.makeServerConfiguration(\n certificateChain: [.certificate(TLSConfigurationTest.cert1)],\n privateKey: .privateKey(TLSConfigurationTest.key1)\n )\n // The server sets `certificateVerification` to `optionalVerification`; handshake should succeed when the client\n // hasn't presented any certs\n serverConfig.certificateVerification = .optionalVerification\n serverConfig.trustRoots = .default\n\n try assertHandshakeSucceeded(withClientConfig: clientConfig, andServerConfig: serverConfig)\n }\n\n func testMutualValidationWithCertVerificationOptionalError_PeerCertNotTrusted() throws {\n var clientConfig = TLSConfiguration.makeClientConfiguration()\n clientConfig.certificateChain = [.certificate(TLSConfigurationTest.cert2)]\n clientConfig.privateKey = .privateKey(TLSConfigurationTest.key2)\n clientConfig.certificateVerification = .noHostnameVerification\n clientConfig.trustRoots = .default\n clientConfig.additionalTrustRoots = [.certificates([TLSConfigurationTest.cert1])]\n\n var serverConfig = TLSConfiguration.makeServerConfiguration(\n certificateChain: [.certificate(TLSConfigurationTest.cert1)],\n privateKey: .privateKey(TLSConfigurationTest.key1)\n )\n serverConfig.certificateVerification = .optionalVerification\n serverConfig.trustRoots = .default\n // The server doesn't trust any additional roots; the cert presented by the client will not be trusted\n serverConfig.additionalTrustRoots = []\n\n try assertPostHandshakeError(\n withClientConfig: clientConfig,\n andServerConfig: serverConfig,\n errorTextContainsAnyOf: [\"SSLV3_ALERT_CERTIFICATE_UNKNOWN\", \"TLSV1_ALERT_UNKNOWN_CA\"]\n )\n }\n\n func testMutualValidationWithCertVerificationOptionalSuccess_PeerCertTrusted() throws {\n var clientConfig = TLSConfiguration.makeClientConfiguration()\n clientConfig.certificateChain = [.certificate(TLSConfigurationTest.cert2)]\n clientConfig.privateKey = .privateKey(TLSConfigurationTest.key2)\n clientConfig.certificateVerification = .noHostnameVerification\n clientConfig.trustRoots = .default\n clientConfig.additionalTrustRoots = [.certificates([TLSConfigurationTest.cert1])]\n\n var serverConfig = TLSConfiguration.makeServerConfiguration(\n certificateChain: [.certificate(TLSConfigurationTest.cert1)],\n privateKey: .privateKey(TLSConfigurationTest.key1)\n )\n serverConfig.certificateVerification = .optionalVerification\n serverConfig.trustRoots = .default\n // The server trusts the cert presented by the client; we expect a successful handshake\n serverConfig.additionalTrustRoots = [.certificates([TLSConfigurationTest.cert2])]\n\n try assertHandshakeSucceeded(withClientConfig: clientConfig, andServerConfig: serverConfig)\n }\n\n func testMutualValidationRequiresClientCertificatePreTLS13() throws {\n var clientConfig = TLSConfiguration.makeClientConfiguration()\n clientConfig.maximumTLSVersion = .tlsv12\n clientConfig.certificateVerification = .none\n\n var serverConfig = TLSConfiguration.makeServerConfiguration(\n certificateChain: [.certificate(TLSConfigurationTest.cert1)],\n privateKey: .privateKey(TLSConfigurationTest.key1)\n )\n serverConfig.maximumTLSVersion = .tlsv12\n serverConfig.certificateVerification = .noHostnameVerification\n serverConfig.trustRoots = .certificates([TLSConfigurationTest.cert2])\n\n try assertHandshakeError(\n withClientConfig: clientConfig,\n andServerConfig: serverConfig,\n errorTextContainsAnyOf: [\"ALERT_HANDSHAKE_FAILURE\"]\n )\n }\n\n func testMutualValidationRequiresClientCertificatePostTLS13() throws {\n var clientConfig = TLSConfiguration.makeClientConfiguration()\n clientConfig.minimumTLSVersion = .tlsv13\n clientConfig.certificateVerification = .none\n\n var serverConfig = TLSConfiguration.makeServerConfiguration(\n certificateChain: [.certificate(TLSConfigurationTest.cert1)],\n privateKey: .privateKey(TLSConfigurationTest.key1)\n )\n serverConfig.minimumTLSVersion = .tlsv13\n serverConfig.certificateVerification = .noHostnameVerification\n serverConfig.trustRoots = .certificates([TLSConfigurationTest.cert2])\n\n try assertPostHandshakeError(\n withClientConfig: clientConfig,\n andServerConfig: serverConfig,\n errorTextContainsAnyOf: [\"CERTIFICATE_REQUIRED\"]\n )\n }\n\n func testIncompatibleSignatures() throws {\n var clientConfig = TLSConfiguration.makeClientConfiguration()\n clientConfig.verifySignatureAlgorithms = [.ecdsaSecp384R1Sha384]\n clientConfig.minimumTLSVersion = .tlsv13\n clientConfig.certificateVerification = .noHostnameVerification\n clientConfig.trustRoots = .certificates([TLSConfigurationTest.cert1])\n clientConfig.renegotiationSupport = .none\n\n var serverConfig = TLSConfiguration.makeServerConfiguration(\n certificateChain: [.certificate(TLSConfigurationTest.cert1)],\n privateKey: .privateKey(TLSConfigurationTest.key1)\n )\n serverConfig.signingSignatureAlgorithms = [.rsaPssRsaeSha256]\n serverConfig.minimumTLSVersion = .tlsv13\n serverConfig.certificateVerification = .none\n\n try assertHandshakeError(\n withClientConfig: clientConfig,\n andServerConfig: serverConfig,\n errorTextContains: \"ALERT_HANDSHAKE_FAILURE\"\n )\n }\n\n func testCompatibleSignatures() throws {\n var clientConfig = TLSConfiguration.makeClientConfiguration()\n clientConfig.minimumTLSVersion = .tlsv13\n clientConfig.certificateVerification = .noHostnameVerification\n clientConfig.trustRoots = .certificates([TLSConfigurationTest.cert1])\n\n var serverConfig = TLSConfiguration.makeServerConfiguration(\n certificateChain: [.certificate(TLSConfigurationTest.cert1)],\n privateKey: .privateKey(TLSConfigurationTest.key1)\n )\n serverConfig.signingSignatureAlgorithms = [.rsaPssRsaeSha256]\n serverConfig.minimumTLSVersion = .tlsv13\n serverConfig.certificateVerification = .none\n\n try assertHandshakeSucceeded(withClientConfig: clientConfig, andServerConfig: serverConfig)\n }\n\n func testMatchingCompatibleSignatures() throws {\n var clientConfig = TLSConfiguration.makeClientConfiguration()\n clientConfig.verifySignatureAlgorithms = [.rsaPssRsaeSha256]\n clientConfig.minimumTLSVersion = .tlsv13\n clientConfig.certificateVerification = .noHostnameVerification\n clientConfig.trustRoots = .certificates([TLSConfigurationTest.cert1])\n clientConfig.renegotiationSupport = .none\n\n var serverConfig = TLSConfiguration.makeServerConfiguration(\n certificateChain: [.certificate(TLSConfigurationTest.cert1)],\n privateKey: .privateKey(TLSConfigurationTest.key1)\n )\n serverConfig.signingSignatureAlgorithms = [.rsaPssRsaeSha256]\n serverConfig.minimumTLSVersion = .tlsv13\n serverConfig.certificateVerification = .none\n\n try assertHandshakeSucceeded(withClientConfig: clientConfig, andServerConfig: serverConfig)\n }\n\n func testMutualValidationSuccessNoAdditionalTrustRoots() throws {\n var clientConfig = TLSConfiguration.makeClientConfiguration()\n clientConfig.certificateVerification = .noHostnameVerification\n clientConfig.trustRoots = .certificates([TLSConfigurationTest.cert1])\n clientConfig.renegotiationSupport = .none\n\n let serverConfig = TLSConfiguration.makeServerConfiguration(\n certificateChain: [.certificate(TLSConfigurationTest.cert1)],\n privateKey: .privateKey(TLSConfigurationTest.key1)\n )\n\n try assertHandshakeSucceeded(withClientConfig: clientConfig, andServerConfig: serverConfig)\n }\n\n func testMutualValidationSuccessWithDefaultAndAdditionalTrustRoots() throws {\n var clientConfig = TLSConfiguration.makeClientConfiguration()\n clientConfig.certificateVerification = .noHostnameVerification\n clientConfig.trustRoots = .default\n clientConfig.renegotiationSupport = .none\n clientConfig.additionalTrustRoots = [.certificates([TLSConfigurationTest.cert1])]\n\n var serverConfig = TLSConfiguration.makeServerConfiguration(\n certificateChain: [.certificate(TLSConfigurationTest.cert1)],\n privateKey: .privateKey(TLSConfigurationTest.key1)\n )\n serverConfig.trustRoots = .default\n serverConfig.additionalTrustRoots = [.certificates([TLSConfigurationTest.cert2])]\n\n try assertHandshakeSucceeded(withClientConfig: clientConfig, andServerConfig: serverConfig)\n }\n\n func testMutualValidationSuccessWithOnlyAdditionalTrustRoots() throws {\n var clientConfig = TLSConfiguration.makeClientConfiguration()\n clientConfig.certificateVerification = .noHostnameVerification\n clientConfig.trustRoots = .certificates([])\n clientConfig.renegotiationSupport = .none\n clientConfig.additionalTrustRoots = [.certificates([TLSConfigurationTest.cert1])]\n\n var serverConfig = TLSConfiguration.makeServerConfiguration(\n certificateChain: [.certificate(TLSConfigurationTest.cert1)],\n privateKey: .privateKey(TLSConfigurationTest.key1)\n )\n serverConfig.trustRoots = .certificates([])\n serverConfig.additionalTrustRoots = [.certificates([TLSConfigurationTest.cert2])]\n\n try assertHandshakeSucceeded(withClientConfig: clientConfig, andServerConfig: serverConfig)\n }\n\n func testFullVerificationWithCANamesFromCertificate() throws {\n // Custom certificates for TLS and client authentication.\n let root = try NIOSSLCertificate(bytes: .init(customCARoot.utf8), format: .pem)\n\n let digitalIdentities = try setupTLSLeafandClientIdentitiesFromCustomCARoot()\n\n // Client Configuration.\n //\n // This configuration disables hostname verification because the hostname verification\n // code requires IP addresses, which we don't have in EmbeddedChannel. We override the\n // trust roots to prevent execution of the SecurityFramework verification code, which doesn't\n // work with EmbeddedChannel.\n var clientConfig = TLSConfiguration.makeClientConfiguration()\n clientConfig.renegotiationSupport = .none\n clientConfig.certificateChain = [.certificate(digitalIdentities.clientCert)]\n clientConfig.privateKey = .privateKey(digitalIdentities.clientKey)\n clientConfig.trustRoots = .certificates([root])\n clientConfig.certificateVerification = .noHostnameVerification\n\n // Server Configuration\n //\n // This configuration disables hostname verification because the hostname verification\n // code requires IP addresses, which we don't have in EmbeddedChannel. We override the\n // trust roots to prevent execution of the SecurityFramework verification code, which doesn't\n // work with EmbeddedChannel.\n var serverConfig = TLSConfiguration.makeServerConfiguration(\n certificateChain: [.certificate(digitalIdentities.leafCert)],\n privateKey: .privateKey(digitalIdentities.leafKey)\n )\n serverConfig.sendCANameList = true\n serverConfig.trustRoots = .certificates([root])\n serverConfig.certificateVerification = .noHostnameVerification\n\n let clientContext = try assertNoThrowWithValue(NIOSSLContext(configuration: clientConfig))\n let serverContext = try assertNoThrowWithValue(NIOSSLContext(configuration: serverConfig))\n\n // Validation that the CA names are being sent here\n // This is essentially the heart of this unit test.\n let countAfter = serverContext.getX509NameListCount()\n XCTAssertEqual(countAfter, 1, \"CA Name List should be 1 after the Server Context is created\")\n\n let serverChannel = EmbeddedChannel()\n let clientChannel = EmbeddedChannel()\n\n defer {\n // We expect the server case to throw\n _ = try? serverChannel.finish()\n _ = try? clientChannel.finish()\n }\n\n XCTAssertNoThrow(\n try serverChannel.pipeline.syncOperations.addHandler(NIOSSLServerHandler(context: serverContext))\n )\n XCTAssertNoThrow(\n try clientChannel.pipeline.syncOperations.addHandler(\n NIOSSLClientHandler(context: clientContext, serverHostname: nil)\n )\n )\n let handshakeHandler = HandshakeCompletedHandler()\n XCTAssertNoThrow(try clientChannel.pipeline.addHandler(handshakeHandler).wait())\n\n // Connect. This should lead to a successful handshake.\n let addr = try assertNoThrowWithValue(SocketAddress(unixDomainSocketPath: \"/tmp/whatever2\"))\n clientChannel.connect(to: addr, promise: nil)\n serverChannel.pipeline.fireChannelActive()\n XCTAssertNoThrow(try interactInMemory(clientChannel: clientChannel, serverChannel: serverChannel))\n XCTAssertTrue(handshakeHandler.handshakeSucceeded)\n\n serverChannel.close(promise: nil)\n XCTAssertNoThrow(try interactInMemory(clientChannel: clientChannel, serverChannel: serverChannel))\n\n }\n\n func testFullVerificationWithCANamesFromFile() throws {\n // Custom certificates for TLS and client authentication.\n // In this test create the root certificate in the tmp directory and use it here to send the CA names.\n // This exercised the loadVerifyLocations file code path out in SSLContext\n let rootPath = try dumpToFile(data: .init(customCARoot.utf8), fileExtension: \".pem\")\n\n let digitalIdentities = try setupTLSLeafandClientIdentitiesFromCustomCARoot()\n\n // Client Configuration.\n //\n // This configuration disables hostname verification because the hostname verification\n // code requires IP addresses, which we don't have in EmbeddedChannel. We override the\n // trust roots to prevent execution of the SecurityFramework verification code, which doesn't\n // work with EmbeddedChannel.\n var clientConfig = TLSConfiguration.makeClientConfiguration()\n clientConfig.renegotiationSupport = .none\n clientConfig.certificateChain = [.certificate(digitalIdentities.clientCert)]\n clientConfig.privateKey = .privateKey(digitalIdentities.clientKey)\n clientConfig.trustRoots = .file(rootPath)\n clientConfig.certificateVerification = .noHostnameVerification\n\n // Server Configuration\n //\n // This configuration disables hostname verification because the hostname verification\n // code requires IP addresses, which we don't have in EmbeddedChannel. We override the\n // trust roots to prevent execution of the SecurityFramework verification code, which doesn't\n // work with EmbeddedChannel.\n var serverConfig = TLSConfiguration.makeServerConfiguration(\n certificateChain: [.certificate(digitalIdentities.leafCert)],\n privateKey: .privateKey(digitalIdentities.leafKey)\n )\n serverConfig.sendCANameList = true\n serverConfig.trustRoots = .file(rootPath)\n serverConfig.certificateVerification = .noHostnameVerification\n\n let clientContext = try assertNoThrowWithValue(NIOSSLContext(configuration: clientConfig))\n let serverContext = try assertNoThrowWithValue(NIOSSLContext(configuration: serverConfig))\n\n // Validation that the CA names are being sent here\n // This is essentially the heart of this unit test.\n let countAfter = serverContext.getX509NameListCount()\n XCTAssertEqual(countAfter, 1, \"CA Name List should be 1 after the Server Context is created\")\n\n let serverChannel = EmbeddedChannel()\n let clientChannel = EmbeddedChannel()\n\n defer {\n // We expect the server case to throw\n _ = try? serverChannel.finish()\n _ = try? clientChannel.finish()\n }\n\n XCTAssertNoThrow(\n try serverChannel.pipeline.syncOperations.addHandler(NIOSSLServerHandler(context: serverContext))\n )\n XCTAssertNoThrow(\n try clientChannel.pipeline.syncOperations.addHandler(\n NIOSSLClientHandler(context: clientContext, serverHostname: nil)\n )\n )\n let handshakeHandler = HandshakeCompletedHandler()\n XCTAssertNoThrow(try clientChannel.pipeline.addHandler(handshakeHandler).wait())\n\n // Connect. This should lead to a completed handshake.\n let addr = try assertNoThrowWithValue(SocketAddress(unixDomainSocketPath: \"/tmp/whatever2\"))\n clientChannel.connect(to: addr, promise: nil)\n serverChannel.pipeline.fireChannelActive()\n XCTAssertNoThrow(try interactInMemory(clientChannel: clientChannel, serverChannel: serverChannel))\n\n XCTAssertTrue(handshakeHandler.handshakeSucceeded)\n\n serverChannel.close(promise: nil)\n XCTAssertNoThrow(try interactInMemory(clientChannel: clientChannel, serverChannel: serverChannel))\n XCTAssertNoThrow(try FileManager.default.removeItem(at: URL(string: \"file://\" + rootPath)!))\n }\n\n func testRehashFormatToPopulateCANamesFromDirectory() throws {\n // Use the test name as the directory name in the temporary directory.\n let testName = String(\"\\(#function)\".dropLast(2))\n // Create 2 PEM based certs\n let rootCAPathOne = try dumpToFile(data: .init(customCARoot.utf8), fileExtension: \".pem\", customPath: testName)\n let rootCAPathTwo = try dumpToFile(\n data: .init(secondaryRootCertificateForClientAuthentication.utf8),\n fileExtension: \".pem\",\n customPath: testName\n )\n\n // Create a rehash formatted name of both certificate's subject name that was created above.\n // Take these rehash certificate names and format a symlink with them below with createSymbolicLink.\n let rehashSymlinkNameOne = getRehashFilename(path: rootCAPathOne, testName: testName, numericExtension: 0)\n let rehashSymlinkNameTwo = getRehashFilename(path: rootCAPathTwo, testName: testName, numericExtension: 0)\n // Extract just the filename of the newly create certs in the tmp directory.\n let rootCAURLOne = URL(string: \"file://\" + rootCAPathOne)!\n let rootCAURLTwo = URL(string: \"file://\" + rootCAPathTwo)!\n let rootCAFilenameOne = rootCAURLOne.lastPathComponent\n let rootCAFilenameTwo = rootCAURLTwo.lastPathComponent\n\n // Create an in-directory symlink the same way that c_rehash would do this.\n // For example: 7f44456a.0 -> niotestIEOFcMI.pem\n // NOT: 7f44456a.0 -> /var/folders/my/path/niotestIEOFcMI.pem\n XCTAssertNoThrow(\n try FileManager.default.createSymbolicLink(\n atPath: rehashSymlinkNameOne,\n withDestinationPath: rootCAFilenameOne\n )\n )\n XCTAssertNoThrow(\n try FileManager.default.createSymbolicLink(\n atPath: rehashSymlinkNameTwo,\n withDestinationPath: rootCAFilenameTwo\n )\n )\n\n defer {\n // Delete all files that were created for this test.\n XCTAssertNoThrow(try FileManager.default.removeItem(at: rootCAURLOne))\n XCTAssertNoThrow(try FileManager.default.removeItem(at: rootCAURLTwo))\n XCTAssertNoThrow(try FileManager.default.removeItem(at: URL(string: \"file://\" + rehashSymlinkNameOne)!))\n XCTAssertNoThrow(try FileManager.default.removeItem(at: URL(string: \"file://\" + rehashSymlinkNameTwo)!))\n // Remove the actual directory also.\n let removePath = \"\\(FileManager.default.temporaryDirectory.path)/\\(testName)/\"\n XCTAssertNoThrow(try FileManager.default.removeItem(at: URL(string: \"file://\" + removePath)!))\n }\n\n let tempFileDir = FileManager.default.temporaryDirectory.path + \"/\\(testName)/\"\n let digitalIdentities = try setupTLSLeafandClientIdentitiesFromCustomCARoot()\n\n // Server Configuration\n var serverConfig = TLSConfiguration.makeServerConfiguration(\n certificateChain: [.certificate(digitalIdentities.leafCert)],\n privateKey: .privateKey(digitalIdentities.leafKey)\n )\n serverConfig.sendCANameList = true\n serverConfig.trustRoots = .file(tempFileDir) // Directory path.\n serverConfig.certificateVerification = .fullVerification\n\n var serverContext: NIOSSLContext!\n XCTAssertNoThrow(serverContext = try NIOSSLContext(configuration: serverConfig))\n // Only setup the serverContext here to define that our two certificate CA names were populated to the SSL_CTX.\n let countAfter = serverContext.getX509NameListCount()\n XCTAssertEqual(countAfter, 2, \"CA Name List should be 2 after the Server Context is created\")\n }\n\n func testRehashFormat() throws {\n // Use the test name as the directory name in the temporary directory.\n let testName = String(\"\\(#function)\".dropLast(2))\n // This test case creates path variables and files to run through the `isRehashFormat` function in `NIOSSLContext`.\n // Note that the c_rehash file format is a symlink to an original PEM or CER file in the form of HHHHHHHH.D.\n // Note that CRLs are not supported, only PEM and DER representations of certificates.\n\n // Not a valid path.\n let badPath = try NIOSSLContext._isRehashFormat(path: \"\")\n XCTAssertFalse(badPath)\n // Filename is not in rehash format.\n let acceptablePathBadFilename = try NIOSSLContext._isRehashFormat(path: \"/etc/ssl/certs/myFile.pem\")\n XCTAssertFalse(acceptablePathBadFilename)\n // Filename is in bad rehash format.\n let acceptablePathBadRehashFormat = try NIOSSLContext._isRehashFormat(path: \"/etc/ssl/certs/7f44456a.z\")\n XCTAssertFalse(acceptablePathBadRehashFormat)\n\n // Test with an actual file, but no symlink.\n let dummyFile = try dumpToFile(data: Data(), fileExtension: \".txt\", customPath: testName)\n let newPath = FileManager.default.temporaryDirectory.path + \"/\\(testName)/7f44456a.1\"\n let _ = try FileManager.default.moveItem(atPath: dummyFile, toPath: newPath)\n // Filename is in rehash format, but not a symlink.\n let acceptablePathAndRehashFormatButNoSymlink = try NIOSSLContext._isRehashFormat(path: newPath)\n XCTAssertFalse(acceptablePathAndRehashFormatButNoSymlink)\n\n // Test actual symlink\n let rootCAPathOne = try dumpToFile(data: .init(customCARoot.utf8), fileExtension: \".pem\", customPath: testName)\n let rehashSymlinkName = getRehashFilename(path: rootCAPathOne, testName: testName, numericExtension: 0)\n\n // Extract just the filename of the newly create certs in the tmp directory.\n let rootCAURLOne = URL(string: \"file://\" + rootCAPathOne)!\n let rootCAFilenameOne = rootCAURLOne.lastPathComponent\n\n XCTAssertNoThrow(\n try FileManager.default.createSymbolicLink(\n atPath: rehashSymlinkName,\n withDestinationPath: rootCAFilenameOne\n )\n )\n\n defer {\n // Delete all files that were created for this test.\n XCTAssertNoThrow(try FileManager.default.removeItem(at: URL(string: \"file://\" + rootCAPathOne)!))\n XCTAssertNoThrow(try FileManager.default.removeItem(at: URL(string: \"file://\" + rehashSymlinkName)!))\n XCTAssertNoThrow(try FileManager.default.removeItem(at: URL(string: \"file://\" + newPath)!))\n // Remove the actual directory also.\n let removePath = \"\\(FileManager.default.temporaryDirectory.path)/\\(testName)/\"\n XCTAssertNoThrow(try FileManager.default.removeItem(at: URL(string: \"file://\" + removePath)!))\n }\n\n // Test the success case for the symlink\n let successSymlink = try NIOSSLContext._isRehashFormat(path: rehashSymlinkName)\n XCTAssertTrue(successSymlink)\n }\n\n func testNonexistentFileObject() throws {\n var clientConfig = TLSConfiguration.makeClientConfiguration()\n clientConfig.trustRoots = .file(\"/thispathbetternotexist/bogus.foo\")\n\n XCTAssertThrowsError(try NIOSSLContext(configuration: clientConfig)) { error in\n XCTAssertEqual(.noSuchFilesystemObject, error as? NIOSSLError)\n }\n }\n\n func testComputedApplicationProtocols() throws {\n var config = TLSConfiguration.makeServerConfiguration(\n certificateChain: [],\n privateKey: .privateKey(TLSConfigurationTest.key1)\n )\n config.applicationProtocols = [\"http/1.1\"]\n XCTAssertEqual(config.applicationProtocols, [\"http/1.1\"])\n XCTAssertEqual(config.encodedApplicationProtocols, [[8, 104, 116, 116, 112, 47, 49, 46, 49]])\n config.applicationProtocols.insert(\"h2\", at: 0)\n XCTAssertEqual(config.applicationProtocols, [\"h2\", \"http/1.1\"])\n XCTAssertEqual(config.encodedApplicationProtocols, [[2, 104, 50], [8, 104, 116, 116, 112, 47, 49, 46, 49]])\n }\n\n func testKeyLogManagerOverlappingAccess() throws {\n // Tests that we can have overlapping calls to the log() function of the keylog manager.\n // This test fails probabilistically! DO NOT IGNORE INTERMITTENT FAILURES OF THIS TEST.\n let semaphore = DispatchSemaphore(value: 0)\n let group = DispatchGroup()\n let completionsQueue = DispatchQueue(label: \"completionsQueue\")\n let completions: UnsafeMutableTransferBox<[Bool]> = .init([])\n\n let keylogManager = KeyLogCallbackManager { _ in\n completionsQueue.sync {\n completions.wrappedValue.append(true)\n semaphore.wait()\n }\n group.leave()\n }\n\n // Now we call log twice, from different threads. These will not complete right away so we\n // do those on background threads. They should not both complete.\n group.enter()\n group.enter()\n DispatchQueue(label: \"first-thread\").async {\n keylogManager.log(\"hello!\")\n }\n DispatchQueue(label: \"second-thread\").async {\n keylogManager.log(\"world!\")\n }\n\n // We now sleep a short time to let everything catch up and the runtime catch any exclusivity violation.\n // 10ms is fine.\n usleep(10_000)\n\n // Great, signal the sempahore twice to un-wedge everything and wait for everything to exit.\n semaphore.signal()\n semaphore.signal()\n group.wait()\n XCTAssertEqual([true, true], completionsQueue.sync { completions.wrappedValue })\n }\n\n func testTheSameHashValue() {\n var config = TLSConfiguration.makeServerConfiguration(\n certificateChain: [],\n privateKey: .privateKey(TLSConfigurationTest.key1)\n )\n config.applicationProtocols = [\"http/1.1\"]\n let theSameConfig = config\n var hasher = Hasher()\n var hasher2 = Hasher()\n config.bestEffortHash(into: &hasher)\n theSameConfig.bestEffortHash(into: &hasher2)\n XCTAssertEqual(hasher.finalize(), hasher2.finalize())\n XCTAssertTrue(config.bestEffortEquals(theSameConfig))\n }\n\n func testDifferentHashValues() {\n var config = TLSConfiguration.makeServerConfiguration(\n certificateChain: [],\n privateKey: .privateKey(TLSConfigurationTest.key1)\n )\n config.applicationProtocols = [\"http/1.1\"]\n var differentConfig = config\n differentConfig.privateKey = .privateKey(TLSConfigurationTest.key2)\n XCTAssertFalse(config.bestEffortEquals(differentConfig))\n }\n\n func testDifferentCallbacksNotEqual() {\n var config = TLSConfiguration.makeServerConfiguration(\n certificateChain: [],\n privateKey: .privateKey(TLSConfigurationTest.key1)\n )\n config.applicationProtocols = [\"http/1.1\"]\n config.keyLogCallback = { _ in }\n var differentConfig = config\n differentConfig.keyLogCallback = { _ in }\n XCTAssertFalse(config.bestEffortEquals(differentConfig))\n }\n\n func testDifferentSSLContextCallbacksNotEqual() throws {\n var config = TLSConfiguration.makeServerConfiguration(\n certificateChain: [],\n privateKey: .privateKey(TLSConfigurationTest.key1)\n )\n config.applicationProtocols = [\"http/1.1\"]\n config.sslContextCallback = { _, _ in }\n var differentConfig = config\n differentConfig.sslContextCallback = { _, _ in }\n XCTAssertFalse(config.bestEffortEquals(differentConfig))\n }\n\n func testCompatibleCurves() throws {\n var clientConfig = TLSConfiguration.makeClientConfiguration()\n clientConfig.curves = [.x25519]\n clientConfig.cipherSuiteValues = [.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384]\n clientConfig.maximumTLSVersion = .tlsv12\n clientConfig.certificateVerification = .noHostnameVerification\n clientConfig.trustRoots = .certificates([TLSConfigurationTest.cert1])\n clientConfig.renegotiationSupport = .none\n\n var serverConfig = TLSConfiguration.makeServerConfiguration(\n certificateChain: [.certificate(TLSConfigurationTest.cert1)],\n privateKey: .privateKey(TLSConfigurationTest.key1)\n )\n serverConfig.cipherSuiteValues = [.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384]\n serverConfig.curves = [.x25519]\n serverConfig.maximumTLSVersion = .tlsv12\n serverConfig.certificateVerification = .none\n try assertHandshakeSucceeded(withClientConfig: clientConfig, andServerConfig: serverConfig)\n }\n\n func testMultipleCompatibleCurves() throws {\n var clientConfig = TLSConfiguration.makeClientConfiguration()\n clientConfig.curves = [.x25519]\n clientConfig.cipherSuiteValues = [.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384]\n clientConfig.maximumTLSVersion = .tlsv12\n clientConfig.certificateVerification = .noHostnameVerification\n clientConfig.trustRoots = .certificates([TLSConfigurationTest.cert1])\n clientConfig.renegotiationSupport = .none\n\n var serverConfig = TLSConfiguration.makeServerConfiguration(\n certificateChain: [.certificate(TLSConfigurationTest.cert1)],\n privateKey: .privateKey(TLSConfigurationTest.key1)\n )\n serverConfig.curves = [.x25519, .secp256r1]\n serverConfig.cipherSuiteValues = [.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384]\n serverConfig.maximumTLSVersion = .tlsv12\n serverConfig.certificateVerification = .none\n try assertHandshakeSucceeded(withClientConfig: clientConfig, andServerConfig: serverConfig)\n }\n\n func testNonCompatibleCurves() throws {\n var clientConfig = TLSConfiguration.makeClientConfiguration()\n clientConfig.curves = [.secp521r1]\n clientConfig.cipherSuiteValues = [.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384]\n clientConfig.maximumTLSVersion = .tlsv12\n clientConfig.certificateVerification = .noHostnameVerification\n clientConfig.trustRoots = .certificates([TLSConfigurationTest.cert1])\n clientConfig.renegotiationSupport = .none\n\n var serverConfig = TLSConfiguration.makeServerConfiguration(\n certificateChain: [.certificate(TLSConfigurationTest.cert1)],\n privateKey: .privateKey(TLSConfigurationTest.key1)\n )\n serverConfig.curves = [.x25519]\n serverConfig.cipherSuiteValues = [.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384]\n serverConfig.maximumTLSVersion = .tlsv12\n serverConfig.certificateVerification = .none\n try assertHandshakeError(\n withClientConfig: clientConfig,\n andServerConfig: serverConfig,\n errorTextContains: \"ALERT_HANDSHAKE_FAILURE\"\n )\n }\n\n func testPQCompatibleCurves() throws {\n var clientConfig = TLSConfiguration.makeClientConfiguration()\n clientConfig.curves = [.x25519_MLKEM768]\n clientConfig.certificateVerification = .noHostnameVerification\n clientConfig.trustRoots = .certificates([TLSConfigurationTest.cert1])\n\n var serverConfig = TLSConfiguration.makeServerConfiguration(\n certificateChain: [.certificate(TLSConfigurationTest.cert1)],\n privateKey: .privateKey(TLSConfigurationTest.key1)\n )\n serverConfig.curves = [.x25519_MLKEM768]\n serverConfig.certificateVerification = .none\n try assertHandshakeSucceeded(withClientConfig: clientConfig, andServerConfig: serverConfig)\n }\n\n func testDefaultCurvesExcludePQ() throws {\n var clientConfig = TLSConfiguration.makeClientConfiguration()\n clientConfig.curves = [.x25519_MLKEM768]\n clientConfig.certificateVerification = .noHostnameVerification\n clientConfig.trustRoots = .certificates([TLSConfigurationTest.cert1])\n\n var serverConfig = TLSConfiguration.makeServerConfiguration(\n certificateChain: [.certificate(TLSConfigurationTest.cert1)],\n privateKey: .privateKey(TLSConfigurationTest.key1)\n )\n serverConfig.certificateVerification = .none\n try assertHandshakeError(\n withClientConfig: clientConfig,\n andServerConfig: serverConfig,\n errorTextContains: \"ALERT_HANDSHAKE_FAILURE\"\n )\n }\n\n func testUnknownCurveValuesFail() throws {\n var clientConfig = TLSConfiguration.makeClientConfiguration()\n clientConfig.curves = [.init(rawValue: 0x9898)]\n\n XCTAssertThrowsError(try NIOSSLContext(configuration: clientConfig)) { error in\n XCTAssertTrue(\n String(describing: error).contains(\"UNSUPPORTED_ELLIPTIC_CURVE\"),\n \"Error \\(error) does not contain UNSUPPORTED_ELLIPTIC_CURVE\"\n )\n }\n }\n\n func testCompatibleCipherSuite() throws {\n // ECDHE_RSA is used here because the public key in .cert1 is derived from a RSA private key.\n // These could also be RSA based, but cannot be ECDHE_ECDSA.\n var clientConfig = TLSConfiguration.makeClientConfiguration()\n clientConfig.cipherSuiteValues = [.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]\n clientConfig.maximumTLSVersion = .tlsv12\n clientConfig.certificateVerification = .noHostnameVerification\n clientConfig.trustRoots = .certificates([TLSConfigurationTest.cert1])\n clientConfig.renegotiationSupport = .none\n\n var serverConfig = TLSConfiguration.makeServerConfiguration(\n certificateChain: [.certificate(TLSConfigurationTest.cert1)],\n privateKey: .privateKey(TLSConfigurationTest.key1)\n )\n serverConfig.cipherSuiteValues = [.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]\n serverConfig.maximumTLSVersion = .tlsv12\n serverConfig.certificateVerification = .none\n try assertHandshakeSucceeded(withClientConfig: clientConfig, andServerConfig: serverConfig)\n }\n\n func testNonCompatibleCipherSuite() throws {\n // This test fails more importantly because ECDHE_ECDSA is being set with a public key that is RSA based.\n var clientConfig = TLSConfiguration.makeClientConfiguration()\n clientConfig.cipherSuiteValues = [.TLS_RSA_WITH_AES_128_GCM_SHA256]\n clientConfig.maximumTLSVersion = .tlsv12\n clientConfig.certificateVerification = .noHostnameVerification\n clientConfig.trustRoots = .certificates([TLSConfigurationTest.cert1])\n clientConfig.renegotiationSupport = .none\n\n var serverConfig = TLSConfiguration.makeServerConfiguration(\n certificateChain: [.certificate(TLSConfigurationTest.cert1)],\n privateKey: .privateKey(TLSConfigurationTest.key1)\n )\n serverConfig.cipherSuiteValues = [.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256]\n serverConfig.maximumTLSVersion = .tlsv12\n serverConfig.certificateVerification = .none\n try assertHandshakeError(\n withClientConfig: clientConfig,\n andServerConfig: serverConfig,\n errorTextContains: \"ALERT_HANDSHAKE_FAILURE\"\n )\n }\n\n func testDefaultWithRSACipherSuite() throws {\n var clientConfig = TLSConfiguration.makeClientConfiguration()\n clientConfig.cipherSuiteValues = [.TLS_RSA_WITH_AES_128_GCM_SHA256]\n clientConfig.maximumTLSVersion = .tlsv12\n clientConfig.certificateVerification = .noHostnameVerification\n clientConfig.trustRoots = .certificates([TLSConfigurationTest.cert1])\n clientConfig.renegotiationSupport = .none\n\n var serverConfig = TLSConfiguration.makeServerConfiguration(\n certificateChain: [.certificate(TLSConfigurationTest.cert1)],\n privateKey: .privateKey(TLSConfigurationTest.key1)\n )\n serverConfig.cipherSuites = defaultCipherSuites\n serverConfig.maximumTLSVersion = .tlsv12\n serverConfig.certificateVerification = .none\n try assertHandshakeSucceeded(withClientConfig: clientConfig, andServerConfig: serverConfig)\n }\n\n func testDefaultWithECDHERSACipherSuite() throws {\n var clientConfig = TLSConfiguration.makeClientConfiguration()\n clientConfig.cipherSuiteValues = [.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384]\n clientConfig.maximumTLSVersion = .tlsv12\n clientConfig.certificateVerification = .noHostnameVerification\n clientConfig.trustRoots = .certificates([TLSConfigurationTest.cert1])\n clientConfig.renegotiationSupport = .none\n\n var serverConfig = TLSConfiguration.makeServerConfiguration(\n certificateChain: [.certificate(TLSConfigurationTest.cert1)],\n privateKey: .privateKey(TLSConfigurationTest.key1)\n )\n serverConfig.cipherSuites = defaultCipherSuites\n serverConfig.maximumTLSVersion = .tlsv12\n serverConfig.certificateVerification = .none\n\n try assertHandshakeSucceeded(withClientConfig: clientConfig, andServerConfig: serverConfig)\n }\n\n func testStringBasedCipherSuite() throws {\n var clientConfig = TLSConfiguration.makeClientConfiguration()\n clientConfig.cipherSuites = \"AES256\"\n clientConfig.maximumTLSVersion = .tlsv12\n clientConfig.certificateVerification = .noHostnameVerification\n clientConfig.trustRoots = .certificates([TLSConfigurationTest.cert1])\n\n var serverConfig = TLSConfiguration.makeServerConfiguration(\n certificateChain: [.certificate(TLSConfigurationTest.cert1)],\n privateKey: .privateKey(TLSConfigurationTest.key1)\n )\n serverConfig.cipherSuites = \"AES256\"\n serverConfig.maximumTLSVersion = .tlsv12\n\n try assertHandshakeSucceeded(withClientConfig: clientConfig, andServerConfig: serverConfig)\n }\n\n func testMultipleCompatibleCipherSuites() throws {\n // This test is for multiple ECDHE_RSA based ciphers on the server side.\n var clientConfig = TLSConfiguration.makeClientConfiguration()\n clientConfig.cipherSuiteValues = [.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]\n clientConfig.maximumTLSVersion = .tlsv12\n clientConfig.certificateVerification = .noHostnameVerification\n clientConfig.trustRoots = .certificates([TLSConfigurationTest.cert1])\n clientConfig.renegotiationSupport = .none\n\n var serverConfig = TLSConfiguration.makeServerConfiguration(\n certificateChain: [.certificate(TLSConfigurationTest.cert1)],\n privateKey: .privateKey(TLSConfigurationTest.key1)\n )\n serverConfig.cipherSuiteValues = [\n .TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,\n .TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,\n .TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,\n ]\n serverConfig.maximumTLSVersion = .tlsv12\n serverConfig.certificateVerification = .none\n\n try assertHandshakeSucceeded(withClientConfig: clientConfig, andServerConfig: serverConfig)\n }\n\n func testMultipleCompatibleCipherSuitesWithStringBasedCipher() throws {\n // This test is for using multiple server side ciphers with the client side string based cipher.\n var clientConfig = TLSConfiguration.makeClientConfiguration()\n clientConfig.cipherSuites = \"AES256\"\n clientConfig.maximumTLSVersion = .tlsv12\n clientConfig.certificateVerification = .noHostnameVerification\n clientConfig.trustRoots = .certificates([TLSConfigurationTest.cert1])\n\n var serverConfig = TLSConfiguration.makeServerConfiguration(\n certificateChain: [.certificate(TLSConfigurationTest.cert1)],\n privateKey: .privateKey(TLSConfigurationTest.key1)\n )\n serverConfig.cipherSuiteValues = [\n .TLS_RSA_WITH_AES_128_CBC_SHA,\n .TLS_RSA_WITH_AES_256_CBC_SHA,\n .TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,\n .TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,\n ]\n serverConfig.maximumTLSVersion = .tlsv12\n serverConfig.certificateVerification = .none\n\n try assertHandshakeSucceeded(withClientConfig: clientConfig, andServerConfig: serverConfig)\n }\n\n func testMultipleClientCipherSuitesWithDefaultCipher() throws {\n // Client ciphers should match one of the default ciphers.\n var clientConfig = TLSConfiguration.makeClientConfiguration()\n clientConfig.cipherSuiteValues = [\n .TLS_RSA_WITH_AES_128_CBC_SHA,\n .TLS_RSA_WITH_AES_256_CBC_SHA,\n .TLS_RSA_WITH_AES_128_GCM_SHA256,\n .TLS_RSA_WITH_AES_256_GCM_SHA384,\n .TLS_AES_128_GCM_SHA256,\n .TLS_AES_256_GCM_SHA384,\n .TLS_CHACHA20_POLY1305_SHA256,\n .TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,\n .TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,\n .TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,\n .TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,\n .TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,\n ]\n clientConfig.maximumTLSVersion = .tlsv12\n clientConfig.certificateVerification = .noHostnameVerification\n clientConfig.trustRoots = .certificates([TLSConfigurationTest.cert1])\n clientConfig.renegotiationSupport = .none\n\n var serverConfig = TLSConfiguration.makeServerConfiguration(\n certificateChain: [.certificate(TLSConfigurationTest.cert1)],\n privateKey: .privateKey(TLSConfigurationTest.key1)\n )\n serverConfig.cipherSuites = defaultCipherSuites\n serverConfig.maximumTLSVersion = .tlsv12\n serverConfig.certificateVerification = .none\n\n try assertHandshakeSucceeded(withClientConfig: clientConfig, andServerConfig: serverConfig)\n }\n\n func testNonCompatibleClientCiphersWithServerStringBasedCiphers() throws {\n // This test should fail on client hello negotiation.\n var clientConfig = TLSConfiguration.makeClientConfiguration()\n clientConfig.cipherSuiteValues = [\n .TLS_AES_128_GCM_SHA256,\n .TLS_AES_256_GCM_SHA384,\n .TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,\n ]\n clientConfig.maximumTLSVersion = .tlsv12\n clientConfig.certificateVerification = .noHostnameVerification\n clientConfig.trustRoots = .certificates([TLSConfigurationTest.cert1])\n clientConfig.renegotiationSupport = .none\n\n var serverConfig = TLSConfiguration.makeServerConfiguration(\n certificateChain: [.certificate(TLSConfigurationTest.cert1)],\n privateKey: .privateKey(TLSConfigurationTest.key1)\n )\n serverConfig.cipherSuites = \"AES256\"\n serverConfig.maximumTLSVersion = .tlsv12\n\n try assertHandshakeError(\n withClientConfig: clientConfig,\n andServerConfig: serverConfig,\n errorTextContains: \"ALERT_HANDSHAKE_FAILURE\"\n )\n }\n\n func testSettingCiphersWithCipherSuiteValues() {\n var clientConfig = TLSConfiguration.makeClientConfiguration()\n clientConfig.cipherSuiteValues = [\n .TLS_AES_128_GCM_SHA256,\n .TLS_AES_256_GCM_SHA384,\n .TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,\n ]\n clientConfig.maximumTLSVersion = .tlsv12\n clientConfig.certificateVerification = .noHostnameVerification\n clientConfig.trustRoots = .certificates([TLSConfigurationTest.cert1])\n clientConfig.renegotiationSupport = .none\n\n XCTAssertEqual(\n clientConfig.cipherSuites,\n \"TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256\"\n )\n }\n\n func testSettingCiphersWithCipherSuitesString() {\n var clientConfig = TLSConfiguration.makeClientConfiguration()\n clientConfig.cipherSuites = \"AES256\"\n clientConfig.maximumTLSVersion = .tlsv12\n clientConfig.certificateVerification = .noHostnameVerification\n clientConfig.trustRoots = .certificates([TLSConfigurationTest.cert1])\n\n let assignedCiphers = clientConfig.cipherSuiteValues.map { $0.standardName }\n let createdCipherSuiteValuesFromString = assignedCiphers.joined(separator: \":\")\n // Note that this includes the PSK values as well.\n XCTAssertEqual(\n createdCipherSuiteValuesFromString,\n \"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384:TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA:TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA:TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA:TLS_RSA_WITH_AES_256_GCM_SHA384:TLS_RSA_WITH_AES_256_CBC_SHA:TLS_PSK_WITH_AES_256_CBC_SHA\"\n )\n }\n\n func testDefaultCipherSuiteValues() {\n var clientConfig = TLSConfiguration.makeClientConfiguration()\n clientConfig.certificateVerification = .noHostnameVerification\n clientConfig.trustRoots = .certificates([])\n clientConfig.renegotiationSupport = .none\n clientConfig.additionalTrustRoots = [.certificates([TLSConfigurationTest.cert1])]\n XCTAssertEqual(clientConfig.cipherSuites, defaultCipherSuites)\n\n let assignedCiphers = clientConfig.cipherSuiteValues.map { $0.standardName }\n let defaultCipherSuiteValuesFromString = assignedCiphers.joined(separator: \":\")\n // Note that this includes the PSK values as well.\n XCTAssertEqual(\n defaultCipherSuiteValuesFromString,\n \"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384:TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256:TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256:TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256:TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA:TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA:TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA:TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA:TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA:TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA:TLS_RSA_WITH_AES_128_GCM_SHA256:TLS_RSA_WITH_AES_256_GCM_SHA384:TLS_RSA_WITH_AES_128_CBC_SHA:TLS_RSA_WITH_AES_256_CBC_SHA\"\n )\n }\n\n @available(\n *,\n deprecated,\n message: \"`TLSConfiguration.pskClientCallback` and `TLSConfiguration.pskClientCallback` are deprecated\"\n )\n func testBestEffortEquatableHashableDifferences() {\n // If this assertion fails, DON'T JUST CHANGE THE NUMBER HERE! Make sure you've added any appropriate transforms below\n // so that we're testing these best effort functions.\n XCTAssertEqual(\n MemoryLayout.size,\n 234,\n \"TLSConfiguration has changed size: you probably need to update this test!\"\n )\n\n let first = TLSConfiguration.makeClientConfiguration()\n\n let pskClientCallback: NIOPSKClientIdentityCallback = { (hint: String) -> PSKClientIdentityResponse in\n // Evaluate hint and clientIdentity to send back proper PSK.\n var psk = NIOSSLSecureBytes()\n psk.append(\"hello\".utf8)\n return PSKClientIdentityResponse(key: psk, identity: \"world\")\n }\n\n let pskServerCallback: NIOPSKServerIdentityCallback = {\n (hint: String, identity: String) -> PSKServerIdentityResponse in\n // Evaluate hint and clientIdentity to send back proper PSK.\n var psk = NIOSSLSecureBytes()\n psk.append(\"hello\".utf8)\n return PSKServerIdentityResponse(key: psk)\n }\n\n let pskClientProvider: NIOPSKClientIdentityProvider = {\n (context: PSKClientContext) -> PSKClientIdentityResponse in\n // Evaluate hint and clientIdentity to send back proper PSK.\n var psk = NIOSSLSecureBytes()\n psk.append(\"hello\".utf8)\n return PSKClientIdentityResponse(key: psk, identity: \"world\")\n }\n\n let pskServerProvider: NIOPSKServerIdentityProvider = {\n (context: PSKServerContext) -> PSKServerIdentityResponse in\n // Evaluate hint and clientIdentity to send back proper PSK.\n var psk = NIOSSLSecureBytes()\n psk.append(\"hello\".utf8)\n return PSKServerIdentityResponse(key: psk)\n }\n\n let sslContextCallback: NIOSSLContextCallback = { _, _ in }\n\n let transforms: [(inout TLSConfiguration) -> Void] = [\n { $0.minimumTLSVersion = .tlsv13 },\n { $0.maximumTLSVersion = .tlsv12 },\n { $0.cipherSuites = \"AES\" },\n { $0.curves = [.x25519] },\n { $0.cipherSuiteValues = [.TLS_RSA_WITH_AES_256_CBC_SHA] },\n { $0.verifySignatureAlgorithms = [.ed25519] },\n { $0.signingSignatureAlgorithms = [.ed25519] },\n { $0.certificateVerification = .noHostnameVerification },\n { $0.trustRoots = .certificates([TLSConfigurationTest.cert1]) },\n { $0.additionalTrustRoots = [.certificates([TLSConfigurationTest.cert1])] },\n { $0.certificateChain = [.certificate(TLSConfigurationTest.cert1)] },\n { $0.privateKey = .privateKey(TLSConfigurationTest.key1) },\n { $0.applicationProtocols = [\"h2\"] },\n { $0.shutdownTimeout = .seconds((60 * 24 * 24) + 1) },\n { $0.keyLogCallback = { _ in } },\n { $0.renegotiationSupport = .always },\n { $0.sendCANameList = true },\n { $0.pskClientCallback = pskClientCallback },\n { $0.pskServerCallback = pskServerCallback },\n { $0.sslContextCallback = sslContextCallback },\n { $0.pskServerCallback = pskServerCallback },\n { $0.pskClientProvider = pskClientProvider },\n { $0.pskServerProvider = pskServerProvider },\n { $0.pskHint = \"hint\" },\n ]\n\n for (index, transform) in transforms.enumerated() {\n var transformed = first\n transform(&transformed)\n XCTAssertNotEqual(\n Wrapper(config: first),\n Wrapper(config: transformed),\n \"Should have compared not equal in index \\(index)\"\n )\n XCTAssertEqual(\n Set([Wrapper(config: first), Wrapper(config: transformed)]).count,\n 2,\n \"Should have hashed non-equal in index \\(index)\"\n )\n }\n }\n\n func testObtainingTLSVersionOnClientChannel() throws {\n let b2b = BackToBackEmbeddedChannel()\n\n var clientConfig = TLSConfiguration.makeClientConfiguration()\n clientConfig.maximumTLSVersion = .tlsv11\n clientConfig.certificateVerification = .noHostnameVerification\n clientConfig.trustRoots = .certificates([TLSConfigurationTest.cert1])\n\n var serverConfig = TLSConfiguration.makeServerConfiguration(\n certificateChain: [.certificate(TLSConfigurationTest.cert1)],\n privateKey: .privateKey(TLSConfigurationTest.key1)\n )\n serverConfig.maximumTLSVersion = .tlsv11\n serverConfig.certificateVerification = .none\n\n let clientContext = try assertNoThrowWithValue(NIOSSLContext(configuration: clientConfig))\n let serverContext = try assertNoThrowWithValue(NIOSSLContext(configuration: serverConfig))\n XCTAssertNoThrow(\n try b2b.client.pipeline.syncOperations.addHandlers(\n [\n try NIOSSLClientHandler(context: clientContext, serverHostname: \"localhost\"),\n HandshakeCompletedHandler(),\n ]\n )\n )\n XCTAssertNoThrow(\n try b2b.server.pipeline.syncOperations.addHandlers(\n [NIOSSLServerHandler(context: serverContext), HandshakeCompletedHandler()]\n )\n )\n XCTAssertNoThrow(try b2b.connectInMemory())\n XCTAssertTrue(b2b.client.handshakeSucceeded)\n XCTAssertTrue(b2b.server.handshakeSucceeded)\n\n var tlsVersion: TLSVersion?\n XCTAssertNoThrow(tlsVersion = try b2b.client.pipeline.syncOperations.nioSSL_tlsVersion())\n XCTAssertEqual(tlsVersion!, .tlsv11)\n\n let tlsVersionForChannel = b2b.client.nioSSL_tlsVersion()\n var channelTLSVersion: TLSVersion?\n XCTAssertNoThrow(channelTLSVersion = try tlsVersionForChannel.wait())\n XCTAssertEqual(channelTLSVersion!, .tlsv11)\n }\n\n @available(\n *,\n deprecated,\n message: \"`TLSConfiguration.pskClientCallback` and `TLSConfiguration.pskClientCallback` are deprecated\"\n )\n func testTLSPSKWithTLS13Deprecated() throws {\n // The idea here is that adding PSKs with certificates in TLS 1.3 should NOT cause a failure.\n // Also note that the usage here of PSKs with TLS 1.3 is not supported by BoringSSL at this point.\n let pskClientCallback: NIOPSKClientIdentityCallback = { (hint: String) -> PSKClientIdentityResponse in\n // Evaluate hint and clientIdentity to send back proper PSK.\n XCTAssertEqual(hint, \"serverPskHint\")\n var psk = NIOSSLSecureBytes()\n psk.append(\"hello\".utf8)\n return PSKClientIdentityResponse(key: psk, identity: \"world\")\n }\n\n let pskServerCallback: NIOPSKServerIdentityCallback = {\n (hint: String, identity: String) -> PSKServerIdentityResponse in\n // Evaluate hint and clientIdentity to send back proper PSK.\n XCTAssertEqual(hint, \"serverPskHint\")\n XCTAssertEqual(identity, \"world\")\n var psk = NIOSSLSecureBytes()\n psk.append(\"hello\".utf8)\n return PSKServerIdentityResponse(key: psk)\n }\n\n var clientConfig = TLSConfiguration.makeClientConfiguration()\n clientConfig.certificateVerification = .none\n clientConfig.trustRoots = .certificates([])\n clientConfig.minimumTLSVersion = .tlsv13\n clientConfig.maximumTLSVersion = .tlsv13\n clientConfig.pskClientCallback = pskClientCallback\n clientConfig.pskHint = \"clientPskHint\"\n\n var serverConfig = TLSConfiguration.makeServerConfiguration(\n certificateChain: [.certificate(TLSConfigurationTest.cert1)],\n privateKey: .privateKey(TLSConfigurationTest.key1)\n )\n serverConfig.minimumTLSVersion = .tlsv13\n serverConfig.maximumTLSVersion = .tlsv13\n serverConfig.certificateVerification = .none\n serverConfig.pskServerCallback = pskServerCallback\n serverConfig.pskHint = \"serverPskHint\"\n try assertHandshakeSucceeded(withClientConfig: clientConfig, andServerConfig: serverConfig)\n }\n\n @available(\n *,\n deprecated,\n message: \"`TLSConfiguration.pskClientCallback` and `TLSConfiguration.pskClientCallback` are deprecated\"\n )\n func testTLSPSKWithTLS12Deprecated() throws {\n // This test ensures that PSK-TLS is supported for TLS 1.2.\n let pskClientCallback: NIOPSKClientIdentityCallback = { (hint: String) -> PSKClientIdentityResponse in\n // Evaluate hint and clientIdentity to send back proper PSK.\n XCTAssertEqual(hint, \"serverPskHint\")\n var psk = NIOSSLSecureBytes()\n psk.append(\"hello\".utf8)\n return PSKClientIdentityResponse(key: psk, identity: \"world\")\n }\n\n let pskServerCallback: NIOPSKServerIdentityCallback = {\n (hint: String, identity: String) -> PSKServerIdentityResponse in\n // Evaluate hint and clientIdentity to send back proper PSK.\n XCTAssertEqual(hint, \"serverPskHint\")\n XCTAssertEqual(identity, \"world\")\n var psk = NIOSSLSecureBytes()\n psk.append(\"hello\".utf8)\n return PSKServerIdentityResponse(key: psk)\n }\n\n var clientConfig = TLSConfiguration.makeClientConfiguration()\n clientConfig.certificateVerification = .none\n clientConfig.minimumTLSVersion = .tlsv1\n clientConfig.maximumTLSVersion = .tlsv12\n clientConfig.pskHint = \"clientPskHint\"\n clientConfig.pskClientCallback = pskClientCallback\n\n var serverConfig = TLSConfiguration.makePreSharedKeyConfiguration()\n serverConfig.minimumTLSVersion = .tlsv1\n serverConfig.maximumTLSVersion = .tlsv12\n serverConfig.pskServerCallback = pskServerCallback\n serverConfig.pskHint = \"serverPskHint\"\n try assertHandshakeSucceeded(withClientConfig: clientConfig, andServerConfig: serverConfig)\n }\n\n @available(\n *,\n deprecated,\n message: \"`TLSConfiguration.pskClientCallback` and `TLSConfiguration.pskClientCallback` are deprecated\"\n )\n func testTLSPSKWithPinnedCiphersDeprecated() throws {\n // This test ensures that PSK-TLS is supported with pinned ciphers.\n let pskClientCallback: NIOPSKClientIdentityCallback = { (hint: String) -> PSKClientIdentityResponse in\n // Evaluate hint and clientIdentity to send back proper PSK.\n XCTAssertEqual(hint, \"serverPskHint\")\n var psk = NIOSSLSecureBytes()\n psk.append(\"hello\".utf8)\n return PSKClientIdentityResponse(key: psk, identity: \"world\")\n }\n\n let pskServerCallback: NIOPSKServerIdentityCallback = {\n (hint: String, identity: String) -> PSKServerIdentityResponse in\n // Evaluate hint and clientIdentity to send back proper PSK.\n XCTAssertEqual(hint, \"serverPskHint\")\n XCTAssertEqual(identity, \"world\")\n var psk = NIOSSLSecureBytes()\n psk.append(\"hello\".utf8)\n return PSKServerIdentityResponse(key: psk)\n }\n\n var clientConfig = TLSConfiguration.makeClientConfiguration()\n clientConfig.certificateVerification = .none\n clientConfig.minimumTLSVersion = .tlsv1\n clientConfig.maximumTLSVersion = .tlsv12\n clientConfig.pskClientCallback = pskClientCallback\n clientConfig.pskHint = \"clientPskHint\"\n clientConfig.cipherSuiteValues = [\n .TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA,\n .TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA,\n .TLS_PSK_WITH_AES_128_CBC_SHA,\n .TLS_PSK_WITH_AES_256_CBC_SHA,\n ]\n\n var serverConfig = TLSConfiguration.makePreSharedKeyConfiguration()\n serverConfig.minimumTLSVersion = .tlsv1\n serverConfig.maximumTLSVersion = .tlsv12\n serverConfig.pskServerCallback = pskServerCallback\n serverConfig.pskHint = \"serverPskHint\"\n serverConfig.cipherSuiteValues = [\n .TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA,\n .TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA,\n .TLS_PSK_WITH_AES_128_CBC_SHA,\n .TLS_PSK_WITH_AES_256_CBC_SHA,\n ]\n try assertHandshakeSucceeded(withClientConfig: clientConfig, andServerConfig: serverConfig)\n }\n\n @available(\n *,\n deprecated,\n message: \"`TLSConfiguration.pskClientCallback` and `TLSConfiguration.pskClientCallback` are deprecated\"\n )\n func testTLSPSKFailureDeprecated() throws {\n // This test ensures that different PSKs used on the client and server fail when passed in.\n let pskClientCallback: NIOPSKClientIdentityCallback = { (hint: String) -> PSKClientIdentityResponse in\n // Evaluate hint and clientIdentity to send back proper PSK.\n XCTAssertEqual(hint, \"serverPskHint\")\n var psk = NIOSSLSecureBytes()\n psk.append(\"hello\".utf8)\n return PSKClientIdentityResponse(key: psk, identity: \"world\")\n }\n\n let pskServerCallback: NIOPSKServerIdentityCallback = {\n (hint: String, identity: String) -> PSKServerIdentityResponse in\n // Evaluate hint and clientIdentity to send back proper PSK.\n XCTAssertEqual(hint, \"serverPskHint\")\n XCTAssertEqual(identity, \"world\")\n var psk = NIOSSLSecureBytes()\n psk.append(\"server\".utf8) // Failure\n return PSKServerIdentityResponse(key: psk)\n }\n\n var clientConfig = TLSConfiguration.makeClientConfiguration()\n clientConfig.certificateVerification = .none\n clientConfig.minimumTLSVersion = .tlsv1\n clientConfig.maximumTLSVersion = .tlsv12\n clientConfig.pskClientCallback = pskClientCallback\n clientConfig.pskHint = \"clientPskHint\"\n\n var serverConfig = TLSConfiguration.makePreSharedKeyConfiguration()\n serverConfig.minimumTLSVersion = .tlsv1\n serverConfig.maximumTLSVersion = .tlsv12\n serverConfig.pskServerCallback = pskServerCallback\n serverConfig.pskHint = \"serverPskHint\"\n try assertHandshakeError(\n withClientConfig: clientConfig,\n andServerConfig: serverConfig,\n errorTextContainsAnyOf: [\"SSLV3_ALERT_BAD_RECORD_MAC\"]\n )\n }\n\n @available(*, deprecated, message: \"`.file` NIOSSLPrivateKeySource option deprecated\")\n func testUnknownPrivateKeyFileType() throws {\n var clientConfig = TLSConfiguration.makeClientConfiguration()\n clientConfig.privateKey = .file(\"key.invalidExtension\")\n\n XCTAssertThrowsError(try NIOSSLContext(configuration: clientConfig)) { error in\n guard let sslError = error as? NIOSSLExtraError else {\n return XCTFail(\"Expected NIOSSLExtraError but got \\(error)\")\n }\n\n XCTAssertEqual(sslError, .unknownPrivateKeyFileType)\n }\n }\n\n func testTLSPSKWithTLS13() throws {\n // The idea here is that adding PSKs with certificates in TLS 1.3 should NOT cause a failure.\n // Also note that the usage here of PSKs with TLS 1.3 is not supported by BoringSSL at this point.\n let pskClientProvider: NIOPSKClientIdentityProvider = {\n (context: PSKClientContext) -> PSKClientIdentityResponse in\n // Evaluate hint and clientIdentity to send back proper PSK.\n XCTAssertEqual(context.hint, \"serverPskHint\")\n var psk = NIOSSLSecureBytes()\n psk.append(\"hello\".utf8)\n return PSKClientIdentityResponse(key: psk, identity: \"world\")\n }\n\n let pskServerProvider: NIOPSKServerIdentityProvider = {\n (context: PSKServerContext) -> PSKServerIdentityResponse in\n // Evaluate hint and clientIdentity to send back proper PSK.\n XCTAssertEqual(context.hint, \"serverPskHint\")\n XCTAssertEqual(context.clientIdentity, \"world\")\n var psk = NIOSSLSecureBytes()\n psk.append(\"hello\".utf8)\n return PSKServerIdentityResponse(key: psk)\n }\n\n var clientConfig = TLSConfiguration.makeClientConfiguration()\n clientConfig.certificateVerification = .none\n clientConfig.trustRoots = .certificates([])\n clientConfig.minimumTLSVersion = .tlsv13\n clientConfig.maximumTLSVersion = .tlsv13\n clientConfig.pskClientProvider = pskClientProvider\n clientConfig.pskHint = \"clientPskHint\"\n\n var serverConfig = TLSConfiguration.makeServerConfiguration(\n certificateChain: [.certificate(TLSConfigurationTest.cert1)],\n privateKey: .privateKey(TLSConfigurationTest.key1)\n )\n serverConfig.minimumTLSVersion = .tlsv13\n serverConfig.maximumTLSVersion = .tlsv13\n serverConfig.certificateVerification = .none\n serverConfig.pskServerProvider = pskServerProvider\n serverConfig.pskHint = \"serverPskHint\"\n try assertHandshakeSucceeded(withClientConfig: clientConfig, andServerConfig: serverConfig)\n }\n\n func testTLSPSKWithTLS12() throws {\n // This test ensures that PSK-TLS is supported for TLS 1.2.\n let pskClientProvider: NIOPSKClientIdentityProvider = {\n (context: PSKClientContext) -> PSKClientIdentityResponse in\n // Evaluate hint and clientIdentity to send back proper PSK.\n XCTAssertEqual(context.hint, \"serverPskHint\")\n var psk = NIOSSLSecureBytes()\n psk.append(\"hello\".utf8)\n return PSKClientIdentityResponse(key: psk, identity: \"world\")\n }\n\n let pskServerProvider: NIOPSKServerIdentityProvider = {\n (context: PSKServerContext) -> PSKServerIdentityResponse in\n // Evaluate hint and clientIdentity to send back proper PSK.\n XCTAssertEqual(context.hint, \"serverPskHint\")\n XCTAssertEqual(context.clientIdentity, \"world\")\n var psk = NIOSSLSecureBytes()\n psk.append(\"hello\".utf8)\n return PSKServerIdentityResponse(key: psk)\n }\n\n var clientConfig = TLSConfiguration.makeClientConfiguration()\n clientConfig.certificateVerification = .none\n clientConfig.minimumTLSVersion = .tlsv1\n clientConfig.maximumTLSVersion = .tlsv12\n clientConfig.pskHint = \"clientPskHint\"\n clientConfig.pskClientProvider = pskClientProvider\n\n var serverConfig = TLSConfiguration.makePreSharedKeyConfiguration()\n serverConfig.minimumTLSVersion = .tlsv1\n serverConfig.maximumTLSVersion = .tlsv12\n serverConfig.pskServerProvider = pskServerProvider\n serverConfig.pskHint = \"serverPskHint\"\n try assertHandshakeSucceeded(withClientConfig: clientConfig, andServerConfig: serverConfig)\n }\n\n func testTLSPSKWithPinnedCiphers() throws {\n // This test ensures that PSK-TLS is supported with pinned ciphers.\n let pskClientProvider: NIOPSKClientIdentityProvider = {\n (context: PSKClientContext) -> PSKClientIdentityResponse in\n // Evaluate hint and clientIdentity to send back proper PSK.\n XCTAssertEqual(context.hint, \"serverPskHint\")\n var psk = NIOSSLSecureBytes()\n psk.append(\"hello\".utf8)\n return PSKClientIdentityResponse(key: psk, identity: \"world\")\n }\n\n let pskServerProvider: NIOPSKServerIdentityProvider = {\n (context: PSKServerContext) -> PSKServerIdentityResponse in\n // Evaluate hint and clientIdentity to send back proper PSK.\n XCTAssertEqual(context.hint, \"serverPskHint\")\n XCTAssertEqual(context.clientIdentity, \"world\")\n var psk = NIOSSLSecureBytes()\n psk.append(\"hello\".utf8)\n return PSKServerIdentityResponse(key: psk)\n }\n\n var clientConfig = TLSConfiguration.makeClientConfiguration()\n clientConfig.certificateVerification = .none\n clientConfig.minimumTLSVersion = .tlsv1\n clientConfig.maximumTLSVersion = .tlsv12\n clientConfig.pskClientProvider = pskClientProvider\n clientConfig.pskHint = \"clientPskHint\"\n clientConfig.cipherSuiteValues = [\n .TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA,\n .TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA,\n .TLS_PSK_WITH_AES_128_CBC_SHA,\n .TLS_PSK_WITH_AES_256_CBC_SHA,\n ]\n\n var serverConfig = TLSConfiguration.makePreSharedKeyConfiguration()\n serverConfig.minimumTLSVersion = .tlsv1\n serverConfig.maximumTLSVersion = .tlsv12\n serverConfig.pskServerProvider = pskServerProvider\n serverConfig.pskHint = \"serverPskHint\"\n serverConfig.cipherSuiteValues = [\n .TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA,\n .TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA,\n .TLS_PSK_WITH_AES_128_CBC_SHA,\n .TLS_PSK_WITH_AES_256_CBC_SHA,\n ]\n try assertHandshakeSucceeded(withClientConfig: clientConfig, andServerConfig: serverConfig)\n }\n\n func testTLSPSKFailure() throws {\n // This test ensures that different PSKs used on the client and server fail when passed in.\n let pskClientProvider: NIOPSKClientIdentityProvider = {\n (context: PSKClientContext) -> PSKClientIdentityResponse in\n // Evaluate hint and clientIdentity to send back proper PSK.\n XCTAssertEqual(context.hint, \"serverPskHint\")\n var psk = NIOSSLSecureBytes()\n psk.append(\"hello\".utf8)\n return PSKClientIdentityResponse(key: psk, identity: \"world\")\n }\n\n let pskServerProvider: NIOPSKServerIdentityProvider = {\n (context: PSKServerContext) -> PSKServerIdentityResponse in\n // Evaluate hint and clientIdentity to send back proper PSK.\n XCTAssertEqual(context.hint, \"serverPskHint\")\n XCTAssertEqual(context.clientIdentity, \"world\")\n var psk = NIOSSLSecureBytes()\n psk.append(\"server\".utf8) // Failure\n return PSKServerIdentityResponse(key: psk)\n }\n\n var clientConfig = TLSConfiguration.makeClientConfiguration()\n clientConfig.certificateVerification = .none\n clientConfig.minimumTLSVersion = .tlsv1\n clientConfig.maximumTLSVersion = .tlsv12\n clientConfig.pskClientProvider = pskClientProvider\n clientConfig.pskHint = \"clientPskHint\"\n\n var serverConfig = TLSConfiguration.makePreSharedKeyConfiguration()\n serverConfig.minimumTLSVersion = .tlsv1\n serverConfig.maximumTLSVersion = .tlsv12\n serverConfig.pskServerProvider = pskServerProvider\n serverConfig.pskHint = \"serverPskHint\"\n try assertHandshakeError(\n withClientConfig: clientConfig,\n andServerConfig: serverConfig,\n errorTextContainsAnyOf: [\"SSLV3_ALERT_BAD_RECORD_MAC\"]\n )\n }\n\n func testTLSPSKNoServerHint() throws {\n let pseudoExpectation = ConditionLock(value: false)\n // This test ensures that different PSKs used on the client and server fail when passed in.\n let pskClientProvider: NIOPSKClientIdentityProvider = {\n (context: PSKClientContext) -> PSKClientIdentityResponse in\n pseudoExpectation.lock()\n pseudoExpectation.unlock(withValue: true)\n // Ensure server hint is nil\n XCTAssertEqual(context.hint, nil)\n // Evaluate hint and clientIdentity to send back proper PSK.\n var psk = NIOSSLSecureBytes()\n psk.append(\"hello\".utf8)\n return PSKClientIdentityResponse(key: psk, identity: \"world\")\n }\n\n let pskServerProvider: NIOPSKServerIdentityProvider = {\n (context: PSKServerContext) -> PSKServerIdentityResponse in\n // Ensure server hint is nil\n XCTAssertEqual(context.hint, nil)\n XCTAssertEqual(context.clientIdentity, \"world\")\n // Evaluate hint and clientIdentity to send back proper PSK.\n var psk = NIOSSLSecureBytes()\n psk.append(\"hello\".utf8) // Failure\n return PSKServerIdentityResponse(key: psk)\n }\n\n var clientConfig = TLSConfiguration.makeClientConfiguration()\n clientConfig.certificateVerification = .none\n clientConfig.minimumTLSVersion = .tlsv1\n clientConfig.maximumTLSVersion = .tlsv12\n clientConfig.pskClientProvider = pskClientProvider\n clientConfig.pskHint = \"clientPskHint\"\n\n var serverConfig = TLSConfiguration.makePreSharedKeyConfiguration()\n serverConfig.minimumTLSVersion = .tlsv1\n serverConfig.maximumTLSVersion = .tlsv12\n serverConfig.pskServerProvider = pskServerProvider\n serverConfig.pskHint = nil\n try assertHandshakeSucceeded(withClientConfig: clientConfig, andServerConfig: serverConfig)\n XCTAssertTrue(pseudoExpectation.lock(whenValue: true, timeoutSeconds: 1))\n pseudoExpectation.unlock()\n }\n\n func testTLSPSKNoClientHint() throws {\n let pseudoExpectation = ConditionLock(value: false)\n // This test ensures that different PSKs used on the client and server fail when passed in.\n let pskClientProvider: NIOPSKClientIdentityProvider = {\n (context: PSKClientContext) -> PSKClientIdentityResponse in\n pseudoExpectation.lock()\n pseudoExpectation.unlock(withValue: true)\n // Ensure server hint is nil\n XCTAssertEqual(context.hint, nil)\n // Evaluate hint and clientIdentity to send back proper PSK.\n var psk = NIOSSLSecureBytes()\n psk.append(\"hello\".utf8)\n return PSKClientIdentityResponse(key: psk, identity: \"world\")\n }\n\n let pskServerProvider: NIOPSKServerIdentityProvider = {\n (context: PSKServerContext) -> PSKServerIdentityResponse in\n // Ensure server hint is nil\n XCTAssertEqual(context.hint, nil)\n XCTAssertEqual(context.clientIdentity, \"world\")\n // Evaluate hint and clientIdentity to send back proper PSK.\n var psk = NIOSSLSecureBytes()\n psk.append(\"hello\".utf8) // Failure\n return PSKServerIdentityResponse(key: psk)\n }\n\n var clientConfig = TLSConfiguration.makeClientConfiguration()\n clientConfig.certificateVerification = .none\n clientConfig.minimumTLSVersion = .tlsv1\n clientConfig.maximumTLSVersion = .tlsv12\n clientConfig.pskClientProvider = pskClientProvider\n clientConfig.pskHint = nil\n\n var serverConfig = TLSConfiguration.makePreSharedKeyConfiguration()\n serverConfig.minimumTLSVersion = .tlsv1\n serverConfig.maximumTLSVersion = .tlsv12\n serverConfig.pskServerProvider = pskServerProvider\n serverConfig.pskHint = nil\n try assertHandshakeSucceeded(withClientConfig: clientConfig, andServerConfig: serverConfig)\n XCTAssertTrue(pseudoExpectation.lock(whenValue: true, timeoutSeconds: 1))\n pseudoExpectation.unlock()\n }\n\n func testClientSideCertSelection() throws {\n var clientConfig = TLSConfiguration.makeClientConfiguration()\n clientConfig.certificateVerification = .noHostnameVerification\n clientConfig.trustRoots = .certificates([TLSConfigurationTest.cert1])\n clientConfig.sslContextCallback = { _, promise in\n var `override` = NIOSSLContextConfigurationOverride()\n override.certificateChain = [.certificate(TLSConfigurationTest.cert2)]\n override.privateKey = .privateKey(TLSConfigurationTest.key2)\n promise.succeed(override)\n }\n\n var serverConfig = TLSConfiguration.makeServerConfiguration(\n certificateChain: [.certificate(TLSConfigurationTest.cert1)],\n privateKey: .privateKey(TLSConfigurationTest.key1)\n )\n serverConfig.certificateVerification = .noHostnameVerification\n serverConfig.trustRoots = .certificates([TLSConfigurationTest.cert2])\n\n try assertHandshakeSucceeded(withClientConfig: clientConfig, andServerConfig: serverConfig)\n }\n\n /// This test ensures that, when a certificate is overriden, only the new chain is sent, not the previous one.\n /// This test would have failed prior to the commit in which it was added.\n func testClientSideCertSelectionWithChain() throws {\n let (testIntermediate, _) = generateSelfSignedCert()\n let (testLeaf, privateKey) = generateSelfSignedCert()\n var clientConfig = TLSConfiguration.makeClientConfiguration()\n clientConfig.certificateChain = [.certificate(testLeaf), .certificate(testIntermediate)]\n clientConfig.privateKey = .privateKey(privateKey)\n\n clientConfig.certificateVerification = .noHostnameVerification\n clientConfig.trustRoots = .certificates([TLSConfigurationTest.cert1])\n // This callback should be a no-op, it returns the same certs we had already set anyway\n clientConfig.sslContextCallback = { _, promise in\n var `override` = NIOSSLContextConfigurationOverride()\n override.certificateChain = [.certificate(testLeaf), .certificate(testIntermediate)]\n override.privateKey = .privateKey(privateKey)\n promise.succeed(override)\n }\n\n var serverConfig = TLSConfiguration.makeServerConfiguration(\n certificateChain: [.certificate(TLSConfigurationTest.cert1)],\n privateKey: .privateKey(TLSConfigurationTest.key1)\n )\n serverConfig.certificateVerification = .noHostnameVerification\n\n try assertHandshakeSucceededEventLoop(\n withClientConfig: clientConfig,\n andServerConfig: serverConfig,\n serverCustomVerificationCallback: { certificates, promise in\n XCTAssertEqual(certificates.count, 2)\n XCTAssertEqual(certificates, [testLeaf, testIntermediate])\n // Always succeed for the purposes of this test\n promise.succeed(.certificateVerified)\n }\n )\n }\n\n func testServerSideCertSelection() throws {\n var clientConfig = TLSConfiguration.makeClientConfiguration()\n clientConfig.certificateVerification = .noHostnameVerification\n clientConfig.trustRoots = .certificates([TLSConfigurationTest.cert1])\n\n var serverConfig = TLSConfiguration.makeServerConfiguration(\n certificateChain: [.certificate(TLSConfigurationTest.cert2)],\n privateKey: .privateKey(TLSConfigurationTest.key2)\n )\n serverConfig.sslContextCallback = { _, promise in\n var `override` = NIOSSLContextConfigurationOverride()\n override.certificateChain = [.certificate(TLSConfigurationTest.cert1)]\n override.privateKey = .privateKey(TLSConfigurationTest.key1)\n promise.succeed(override)\n }\n\n try assertHandshakeSucceeded(withClientConfig: clientConfig, andServerConfig: serverConfig)\n }\n\n func testOverrideWithNothingIsFine() throws {\n var clientConfig = TLSConfiguration.makeClientConfiguration()\n clientConfig.certificateVerification = .noHostnameVerification\n clientConfig.trustRoots = .certificates([TLSConfigurationTest.cert1])\n\n var serverConfig = TLSConfiguration.makeServerConfiguration(\n certificateChain: [.certificate(TLSConfigurationTest.cert1)],\n privateKey: .privateKey(TLSConfigurationTest.key1)\n )\n serverConfig.sslContextCallback = { _, promise in\n let `override` = NIOSSLContextConfigurationOverride()\n promise.succeed(override)\n }\n\n try assertHandshakeSucceeded(withClientConfig: clientConfig, andServerConfig: serverConfig)\n }\n\n func testOverrideToInvalidCertFailsHandshake() throws {\n var clientConfig = TLSConfiguration.makeClientConfiguration()\n clientConfig.certificateVerification = .noHostnameVerification\n clientConfig.trustRoots = .certificates([TLSConfigurationTest.cert1])\n\n var serverConfig = TLSConfiguration.makeServerConfiguration(\n certificateChain: [.certificate(TLSConfigurationTest.cert2)],\n privateKey: .privateKey(TLSConfigurationTest.key2)\n )\n serverConfig.sslContextCallback = { _, promise in\n var `override` = NIOSSLContextConfigurationOverride()\n override.certificateChain = [.certificate(TLSConfigurationTest.cert1)]\n promise.succeed(override)\n }\n\n try assertHandshakeError(\n withClientConfig: clientConfig,\n andServerConfig: serverConfig,\n errorTextContains: \"TLSV1_ALERT_INTERNAL_ERROR\"\n )\n }\n\n func testOverrideToInvalidKeyFailsHandshake() throws {\n var clientConfig = TLSConfiguration.makeClientConfiguration()\n clientConfig.certificateVerification = .noHostnameVerification\n clientConfig.trustRoots = .certificates([TLSConfigurationTest.cert1])\n\n var serverConfig = TLSConfiguration.makeServerConfiguration(\n certificateChain: [.certificate(TLSConfigurationTest.cert1)],\n privateKey: .privateKey(TLSConfigurationTest.key1)\n )\n serverConfig.sslContextCallback = { _, promise in\n var `override` = NIOSSLContextConfigurationOverride()\n override.privateKey = .privateKey(TLSConfigurationTest.key2)\n promise.succeed(override)\n }\n\n try assertHandshakeError(\n withClientConfig: clientConfig,\n andServerConfig: serverConfig,\n errorTextContains: \"TLSV1_ALERT_INTERNAL_ERROR\"\n )\n }\n\n func testClientSideCertSelection_eachConnectionSelectsAgain() throws {\n let callbackCount = NIOLockedValueBox(0)\n var clientConfig = TLSConfiguration.makeClientConfiguration()\n clientConfig.certificateVerification = .noHostnameVerification\n clientConfig.trustRoots = .certificates([TLSConfigurationTest.cert1])\n clientConfig.sslContextCallback = { _, promise in\n callbackCount.withLockedValue { $0 += 1 }\n\n var `override` = NIOSSLContextConfigurationOverride()\n override.certificateChain = [.certificate(TLSConfigurationTest.cert2)]\n override.privateKey = .privateKey(TLSConfigurationTest.key2)\n promise.succeed(override)\n }\n\n var serverConfig = TLSConfiguration.makeServerConfiguration(\n certificateChain: [.certificate(TLSConfigurationTest.cert1)],\n privateKey: .privateKey(TLSConfigurationTest.key1)\n )\n serverConfig.certificateVerification = .noHostnameVerification\n serverConfig.trustRoots = .certificates([TLSConfigurationTest.cert2])\n\n let clientContext = try assertNoThrowWithValue(\n NIOSSLContext(configuration: clientConfig)\n )\n let serverContext = try assertNoThrowWithValue(\n NIOSSLContext(configuration: serverConfig)\n )\n\n for _ in 0..<5 {\n try assertHandshakeSucceeded(withClientContext: clientContext, andServerContext: serverContext)\n }\n\n XCTAssertEqual(callbackCount.withLockedValue { $0 }, 5)\n }\n\n func testServerSideCertSelection_eachConnectionSelectsAgain() throws {\n let callbackCount = NIOLockedValueBox(0)\n var clientConfig = TLSConfiguration.makeClientConfiguration()\n clientConfig.certificateVerification = .noHostnameVerification\n clientConfig.trustRoots = .certificates([TLSConfigurationTest.cert1])\n\n var serverConfig = TLSConfiguration.makeServerConfiguration(\n certificateChain: [.certificate(TLSConfigurationTest.cert2)],\n privateKey: .privateKey(TLSConfigurationTest.key2)\n )\n serverConfig.sslContextCallback = { _, promise in\n var `override` = NIOSSLContextConfigurationOverride()\n override.certificateChain = [.certificate(TLSConfigurationTest.cert1)]\n override.privateKey = .privateKey(TLSConfigurationTest.key1)\n callbackCount.withLockedValue { $0 += 1 }\n promise.succeed(override)\n }\n\n let clientContext = try assertNoThrowWithValue(\n NIOSSLContext(configuration: clientConfig)\n )\n let serverContext = try assertNoThrowWithValue(\n NIOSSLContext(configuration: serverConfig)\n )\n\n for _ in 0..<5 {\n try assertHandshakeSucceeded(withClientContext: clientContext, andServerContext: serverContext)\n }\n\n XCTAssertEqual(callbackCount.withLockedValue { $0 }, 5)\n }\n\n func testCorrectSetUpOfMTLSContext() throws {\n var basicConfig = TLSConfiguration.makeServerConfiguration(\n certificateChain: [.certificate(TLSConfigurationTest.cert2)],\n privateKey: .privateKey(TLSConfigurationTest.key2)\n )\n let mtlsConfig = TLSConfiguration.makeServerConfigurationWithMTLS(\n certificateChain: [.certificate(TLSConfigurationTest.cert2)],\n privateKey: .privateKey(TLSConfigurationTest.key2),\n trustRoots: .default\n )\n XCTAssertFalse(basicConfig.bestEffortEquals(mtlsConfig))\n\n basicConfig.trustRoots = .default\n basicConfig.certificateVerification = .noHostnameVerification\n\n XCTAssertTrue(basicConfig.bestEffortEquals(mtlsConfig))\n }\n\n func testMTLSContext_happyPath() throws {\n var clientConfig = TLSConfiguration.makeClientConfiguration()\n clientConfig.trustRoots = .certificates([TLSConfigurationTest.cert1])\n clientConfig.certificateChain = [.certificate(TLSConfigurationTest.cert2)]\n clientConfig.privateKey = .privateKey(TLSConfigurationTest.key2)\n clientConfig.certificateVerification = .noHostnameVerification\n\n let serverConfig = TLSConfiguration.makeServerConfigurationWithMTLS(\n certificateChain: [.certificate(TLSConfigurationTest.cert1)],\n privateKey: .privateKey(TLSConfigurationTest.key1),\n trustRoots: .certificates([TLSConfigurationTest.cert2])\n )\n\n let clientContext = try assertNoThrowWithValue(\n NIOSSLContext(configuration: clientConfig)\n )\n let serverContext = try assertNoThrowWithValue(\n NIOSSLContext(configuration: serverConfig)\n )\n\n try assertHandshakeSucceeded(withClientContext: clientContext, andServerContext: serverContext)\n }\n\n func testMTLSContext_clientPresentsWrongCert() throws {\n var clientConfig = TLSConfiguration.makeClientConfiguration()\n clientConfig.trustRoots = .certificates([TLSConfigurationTest.cert1])\n clientConfig.certificateChain = [.certificate(TLSConfigurationTest.cert1)]\n clientConfig.privateKey = .privateKey(TLSConfigurationTest.key1)\n clientConfig.certificateVerification = .noHostnameVerification\n\n let serverConfig = TLSConfiguration.makeServerConfigurationWithMTLS(\n certificateChain: [.certificate(TLSConfigurationTest.cert1)],\n privateKey: .privateKey(TLSConfigurationTest.key1),\n trustRoots: .certificates([TLSConfigurationTest.cert2])\n )\n\n try assertPostHandshakeError(\n withClientConfig: clientConfig,\n andServerConfig: serverConfig,\n errorTextContainsAnyOf: [\"ALERT_UNKNOWN_CA\", \"ALERT_CERTIFICATE_UNKNOWN\"]\n )\n }\n}\n\nextension EmbeddedChannel {\n fileprivate var handshakeSucceeded: Bool {\n let completedHandler = try! self.pipeline.syncOperations.handler(type: HandshakeCompletedHandler.self)\n return completedHandler.handshakeSucceeded\n }\n}\n\nstruct Wrapper: Hashable {\n var config: TLSConfiguration\n\n static func == (lhs: Wrapper, rhs: Wrapper) -> Bool {\n lhs.config.bestEffortEquals(rhs.config)\n }\n\n func hash(into hasher: inout Hasher) {\n self.config.bestEffortHash(into: &hasher)\n }\n}\n" }, { "path": "Tests/NIOSSLTests/UnsafeTransfer.swift", "content": "//===----------------------------------------------------------------------===//\n//\n// This source file is part of the SwiftNIO open source project\n//\n// Copyright (c) 2022 Apple Inc. and the SwiftNIO project authors\n// Licensed under Apache License v2.0\n//\n// See LICENSE.txt for license information\n// See CONTRIBUTORS.txt for the list of SwiftNIO project authors\n//\n// SPDX-License-Identifier: Apache-2.0\n//\n//===----------------------------------------------------------------------===//\n\n/// ``UnsafeMutableTransferBox`` can be used to make non-`Sendable` values `Sendable` and mutable.\n/// It can be used to capture local mutable values in a `@Sendable` closure and mutate them from within the closure.\n/// As the name implies, the usage of this is unsafe because it disables the sendable checking of the compiler and does not add any synchronisation.\n@usableFromInline\nfinal class UnsafeMutableTransferBox {\n @usableFromInline\n var wrappedValue: Wrapped\n\n @inlinable\n init(_ wrappedValue: Wrapped) {\n self.wrappedValue = wrappedValue\n }\n}\n\nextension UnsafeMutableTransferBox: @unchecked Sendable {}\n" }, { "path": "Tests/NIOSSLTests/UnwrappingTests.swift", "content": "//===----------------------------------------------------------------------===//\n//\n// This source file is part of the SwiftNIO open source project\n//\n// Copyright (c) 2017-2021 Apple Inc. and the SwiftNIO project authors\n// Licensed under Apache License v2.0\n//\n// See LICENSE.txt for license information\n// See CONTRIBUTORS.txt for the list of SwiftNIO project authors\n//\n// SPDX-License-Identifier: Apache-2.0\n//\n//===----------------------------------------------------------------------===//\n\nimport NIOCore\nimport NIOEmbedded\nimport XCTest\n\n@testable import NIOSSL\n\nfunc connectInMemory(client: EmbeddedChannel, server: EmbeddedChannel) throws {\n let addr = try assertNoThrowWithValue(SocketAddress(unixDomainSocketPath: \"/tmp/whatever2\"))\n let connectFuture = client.connect(to: addr)\n server.pipeline.fireChannelActive()\n XCTAssertNoThrow(try interactInMemory(clientChannel: client, serverChannel: server))\n XCTAssertNoThrow(try connectFuture.wait())\n}\n\nextension ChannelPipeline.SynchronousOperations {\n func assertContains(handler: ChannelHandler, file: StaticString = #filePath, line: UInt = #line) {\n do {\n _ = try self.context(handler: handler)\n } catch {\n XCTFail(\"Handler \\(handler) missing from \\(self)\", file: (file), line: line)\n }\n }\n\n func assertDoesNotContain(handler: ChannelHandler, file: StaticString = #filePath, line: UInt = #line) {\n do {\n _ = try self.context(handler: handler)\n XCTFail(\"Handler \\(handler) present in \\(self)\", file: (file), line: line)\n } catch {\n // Expected\n }\n }\n}\n\nfinal class UnwrappingTests: XCTestCase {\n static let _certAndKey = generateSelfSignedCert()\n static let cert = UnwrappingTests._certAndKey.0\n static let key = UnwrappingTests._certAndKey.1\n\n private func configuredSSLContext(file: StaticString = #filePath, line: UInt = #line) throws -> NIOSSLContext {\n var config = TLSConfiguration.makeServerConfiguration(\n certificateChain: [.certificate(UnwrappingTests.cert)],\n privateKey: .privateKey(UnwrappingTests.key)\n )\n config.trustRoots = .certificates([UnwrappingTests.cert])\n return try assertNoThrowWithValue(NIOSSLContext(configuration: config), file: file, line: line)\n }\n\n func testSimpleUnwrapping() throws {\n let serverChannel = EmbeddedChannel()\n let clientChannel = EmbeddedChannel()\n\n var clientClosed = false\n var serverClosed = false\n var unwrapped = false\n\n defer {\n // We expect the server case to throw\n XCTAssertThrowsError(try serverChannel.finish())\n XCTAssertNoThrow(try clientChannel.finish())\n }\n\n let context = try assertNoThrowWithValue(configuredSSLContext())\n\n let clientHandler = try assertNoThrowWithValue(NIOSSLClientHandler(context: context, serverHostname: nil))\n XCTAssertNoThrow(try serverChannel.pipeline.syncOperations.addHandler(NIOSSLServerHandler(context: context)))\n XCTAssertNoThrow(try clientChannel.pipeline.syncOperations.addHandler(clientHandler))\n let handshakeHandler = HandshakeCompletedHandler()\n XCTAssertNoThrow(try clientChannel.pipeline.syncOperations.addHandler(handshakeHandler))\n\n // Mark the closure of the channels.\n clientChannel.closeFuture.assumeIsolated().whenComplete { _ in\n clientClosed = true\n }\n serverChannel.closeFuture.assumeIsolated().whenComplete { _ in\n serverClosed = true\n }\n\n // Connect. This should lead to a completed handshake.\n XCTAssertNoThrow(try connectInMemory(client: clientChannel, server: serverChannel))\n XCTAssertTrue(handshakeHandler.handshakeSucceeded)\n\n // Let's unwrap the client connection. With no additional configuration, this will cause the server\n // to close. The client will not close because interactInMemory does not propagate closure.\n let stopPromise: EventLoopPromise = clientChannel.eventLoop.makePromise()\n stopPromise.futureResult.assumeIsolated().whenComplete { _ in\n unwrapped = true\n }\n clientHandler.stopTLS(promise: stopPromise)\n\n XCTAssertFalse(clientClosed)\n XCTAssertFalse(serverClosed)\n XCTAssertFalse(unwrapped)\n\n XCTAssertNoThrow(try interactInMemory(clientChannel: clientChannel, serverChannel: serverChannel))\n\n clientChannel.pipeline.syncOperations.assertDoesNotContain(handler: clientHandler)\n\n (serverChannel.eventLoop as! EmbeddedEventLoop).run()\n (clientChannel.eventLoop as! EmbeddedEventLoop).run()\n\n XCTAssertFalse(clientClosed)\n XCTAssertTrue(serverClosed)\n XCTAssertTrue(unwrapped)\n }\n\n func testSimultaneousUnwrapping() throws {\n let serverChannel = EmbeddedChannel()\n let clientChannel = EmbeddedChannel()\n\n var clientClosed = false\n var serverClosed = false\n var clientUnwrapped = false\n var serverUnwrapped = false\n\n defer {\n XCTAssertNoThrow(try serverChannel.finish())\n XCTAssertNoThrow(try clientChannel.finish())\n }\n\n let context = try assertNoThrowWithValue(configuredSSLContext())\n\n let clientHandler = try assertNoThrowWithValue(NIOSSLClientHandler(context: context, serverHostname: nil))\n let serverHandler = try assertNoThrowWithValue(NIOSSLServerHandler(context: context))\n XCTAssertNoThrow(try serverChannel.pipeline.syncOperations.addHandler(serverHandler))\n XCTAssertNoThrow(try clientChannel.pipeline.syncOperations.addHandler(clientHandler))\n let handshakeHandler = HandshakeCompletedHandler()\n XCTAssertNoThrow(try clientChannel.pipeline.syncOperations.addHandler(handshakeHandler))\n\n // Mark the closure of the channels.\n clientChannel.closeFuture.assumeIsolated().whenComplete { _ in\n clientClosed = true\n }\n serverChannel.closeFuture.assumeIsolated().whenComplete { _ in\n serverClosed = true\n }\n\n // Connect. This should lead to a completed handshake.\n XCTAssertNoThrow(try connectInMemory(client: clientChannel, server: serverChannel))\n XCTAssertTrue(handshakeHandler.handshakeSucceeded)\n\n // Let's unwrap the client connection and the server connection at the same time. This should\n // not close either channel.\n let clientStopPromise: EventLoopPromise = clientChannel.eventLoop.makePromise()\n clientStopPromise.futureResult.assumeIsolated().whenComplete { _ in\n clientUnwrapped = true\n }\n clientHandler.stopTLS(promise: clientStopPromise)\n\n let serverStopPromise: EventLoopPromise = serverChannel.eventLoop.makePromise()\n serverStopPromise.futureResult.assumeIsolated().whenComplete { _ in\n serverUnwrapped = true\n }\n serverHandler.stopTLS(promise: serverStopPromise)\n\n XCTAssertFalse(clientClosed)\n XCTAssertFalse(serverClosed)\n XCTAssertFalse(clientUnwrapped)\n XCTAssertFalse(serverUnwrapped)\n\n XCTAssertNoThrow(try interactInMemory(clientChannel: clientChannel, serverChannel: serverChannel))\n\n clientChannel.pipeline.syncOperations.assertDoesNotContain(handler: clientHandler)\n serverChannel.pipeline.syncOperations.assertDoesNotContain(handler: serverHandler)\n\n (serverChannel.eventLoop as! EmbeddedEventLoop).run()\n (clientChannel.eventLoop as! EmbeddedEventLoop).run()\n\n XCTAssertFalse(clientClosed)\n XCTAssertFalse(serverClosed)\n XCTAssertTrue(clientUnwrapped)\n XCTAssertTrue(serverUnwrapped)\n }\n\n func testUnwrappingFollowedByClosure() throws {\n let serverChannel = EmbeddedChannel()\n let clientChannel = EmbeddedChannel()\n\n var clientClosed = false\n var clientUnwrapped = false\n\n defer {\n // Both channels will already be closed\n XCTAssertThrowsError(try serverChannel.finish())\n XCTAssertThrowsError(try clientChannel.finish())\n }\n\n let context = try assertNoThrowWithValue(configuredSSLContext())\n\n let clientHandler = try assertNoThrowWithValue(NIOSSLClientHandler(context: context, serverHostname: nil))\n XCTAssertNoThrow(try serverChannel.pipeline.syncOperations.addHandler(NIOSSLServerHandler(context: context)))\n XCTAssertNoThrow(try clientChannel.pipeline.syncOperations.addHandler(clientHandler))\n let handshakeHandler = HandshakeCompletedHandler()\n XCTAssertNoThrow(try clientChannel.pipeline.syncOperations.addHandler(handshakeHandler))\n\n // Mark the closure of the client.\n clientChannel.closeFuture.assumeIsolated().whenComplete { _ in\n clientClosed = true\n }\n\n // Connect. This should lead to a completed handshake.\n XCTAssertNoThrow(try connectInMemory(client: clientChannel, server: serverChannel))\n XCTAssertTrue(handshakeHandler.handshakeSucceeded)\n\n // Let's unwrap the client connection.\n let clientStopPromise: EventLoopPromise = clientChannel.eventLoop.makePromise()\n clientStopPromise.futureResult.assumeIsolated().map {\n XCTFail(\"Must not succeed\")\n }.whenFailure { error in\n XCTAssertEqual(error as? NIOTLSUnwrappingError, NIOTLSUnwrappingError.closeRequestedDuringUnwrap)\n clientUnwrapped = true\n }\n clientHandler.stopTLS(promise: clientStopPromise)\n\n // Now we're going to close the client.\n clientChannel.close().assumeIsolated().whenComplete { _ in\n XCTAssertFalse(clientClosed)\n XCTAssertTrue(clientUnwrapped)\n }\n\n XCTAssertFalse(clientClosed)\n XCTAssertFalse(clientUnwrapped)\n\n XCTAssertNoThrow(\n try interactInMemory(clientChannel: clientChannel, serverChannel: serverChannel, runLoops: false)\n )\n clientChannel.pipeline.syncOperations.assertContains(handler: clientHandler)\n\n (serverChannel.eventLoop as! EmbeddedEventLoop).run()\n (clientChannel.eventLoop as! EmbeddedEventLoop).run()\n\n XCTAssertTrue(clientClosed)\n XCTAssertTrue(clientUnwrapped)\n }\n\n func testUnwrappingMeetsTCPFIN() throws {\n let serverChannel = EmbeddedChannel()\n let clientChannel = EmbeddedChannel()\n\n var clientClosed = false\n var clientUnwrapped = false\n\n defer {\n // The errors here are expected\n XCTAssertThrowsError(try serverChannel.finish())\n XCTAssertThrowsError(try clientChannel.finish())\n }\n\n let context = try assertNoThrowWithValue(configuredSSLContext())\n\n let clientHandler = try assertNoThrowWithValue(NIOSSLClientHandler(context: context, serverHostname: nil))\n XCTAssertNoThrow(try serverChannel.pipeline.syncOperations.addHandler(NIOSSLServerHandler(context: context)))\n XCTAssertNoThrow(try clientChannel.pipeline.syncOperations.addHandler(clientHandler))\n let handshakeHandler = HandshakeCompletedHandler()\n XCTAssertNoThrow(try clientChannel.pipeline.syncOperations.addHandler(handshakeHandler))\n\n // Mark the closure of the client.\n clientChannel.closeFuture.assumeIsolated().whenComplete { _ in\n clientClosed = true\n }\n\n // Connect. This should lead to a completed handshake.\n XCTAssertNoThrow(try connectInMemory(client: clientChannel, server: serverChannel))\n XCTAssertTrue(handshakeHandler.handshakeSucceeded)\n\n // Let's unwrap the client connection.\n let clientStopPromise: EventLoopPromise = clientChannel.eventLoop.makePromise()\n clientStopPromise.futureResult.assumeIsolated().map {\n XCTFail(\"Must not succeed\")\n }.whenFailure { error in\n XCTAssertEqual(error as? NIOSSLError, .uncleanShutdown)\n clientUnwrapped = true\n }\n clientHandler.stopTLS(promise: clientStopPromise)\n\n XCTAssertFalse(clientClosed)\n XCTAssertFalse(clientUnwrapped)\n\n // Now we're going to simulate the client receiving a TCP FIN the other way.\n clientChannel.pipeline.fireChannelInactive()\n clientChannel.pipeline.syncOperations.assertContains(handler: clientHandler)\n\n (clientChannel.eventLoop as! EmbeddedEventLoop).run()\n XCTAssertTrue(clientUnwrapped)\n\n // Clean up by bringing the server up to speed\n serverChannel.pipeline.fireChannelInactive()\n }\n\n func testDoubleUnwrapping() throws {\n let serverChannel = EmbeddedChannel()\n let clientChannel = EmbeddedChannel()\n\n var promiseCalled = false\n\n defer {\n // We expect the server case to throw\n XCTAssertThrowsError(try serverChannel.finish())\n XCTAssertNoThrow(try clientChannel.finish())\n }\n\n let context = try assertNoThrowWithValue(configuredSSLContext())\n\n let clientHandler = try assertNoThrowWithValue(NIOSSLClientHandler(context: context, serverHostname: nil))\n XCTAssertNoThrow(try serverChannel.pipeline.syncOperations.addHandler(NIOSSLServerHandler(context: context)))\n XCTAssertNoThrow(try clientChannel.pipeline.syncOperations.addHandler(clientHandler))\n let handshakeHandler = HandshakeCompletedHandler()\n XCTAssertNoThrow(try clientChannel.pipeline.syncOperations.addHandler(handshakeHandler))\n\n // Connect. This should lead to a completed handshake.\n XCTAssertNoThrow(try connectInMemory(client: clientChannel, server: serverChannel))\n XCTAssertTrue(handshakeHandler.handshakeSucceeded)\n\n // Let's unwrap the client connection twice. We'll ignore the first promise.\n let dummyPromise: EventLoopPromise = clientChannel.eventLoop.makePromise()\n let stopPromise: EventLoopPromise = clientChannel.eventLoop.makePromise()\n stopPromise.futureResult.assumeIsolated().whenComplete { _ in\n promiseCalled = true\n }\n clientHandler.stopTLS(promise: dummyPromise)\n clientHandler.stopTLS(promise: stopPromise)\n\n XCTAssertFalse(promiseCalled)\n XCTAssertNoThrow(try interactInMemory(clientChannel: clientChannel, serverChannel: serverChannel))\n XCTAssertTrue(promiseCalled)\n }\n\n func testUnwrappingAfterIgnoredUnwrapping() throws {\n let serverChannel = EmbeddedChannel()\n let clientChannel = EmbeddedChannel()\n\n var promiseCalled = false\n\n defer {\n // We expect the server case to throw\n XCTAssertThrowsError(try serverChannel.finish())\n XCTAssertNoThrow(try clientChannel.finish())\n }\n\n let context = try assertNoThrowWithValue(configuredSSLContext())\n\n let clientHandler = try assertNoThrowWithValue(NIOSSLClientHandler(context: context, serverHostname: nil))\n XCTAssertNoThrow(try serverChannel.pipeline.syncOperations.addHandler(NIOSSLServerHandler(context: context)))\n XCTAssertNoThrow(try clientChannel.pipeline.syncOperations.addHandler(clientHandler))\n let handshakeHandler = HandshakeCompletedHandler()\n XCTAssertNoThrow(try clientChannel.pipeline.syncOperations.addHandler(handshakeHandler))\n\n // Connect. This should lead to a completed handshake.\n XCTAssertNoThrow(try connectInMemory(client: clientChannel, server: serverChannel))\n XCTAssertTrue(handshakeHandler.handshakeSucceeded)\n\n // Let's unwrap the client connection twice. We'll only send a promise the second time.\n let stopPromise: EventLoopPromise = clientChannel.eventLoop.makePromise()\n stopPromise.futureResult.assumeIsolated().whenComplete { _ in\n promiseCalled = true\n }\n clientHandler.stopTLS(promise: nil)\n clientHandler.stopTLS(promise: stopPromise)\n\n XCTAssertFalse(promiseCalled)\n XCTAssertNoThrow(try interactInMemory(clientChannel: clientChannel, serverChannel: serverChannel))\n XCTAssertTrue(promiseCalled)\n }\n\n func testUnwrappingIdleChannel() throws {\n let channel = EmbeddedChannel()\n\n var promiseCalled = false\n\n defer {\n XCTAssertNoThrow(try channel.finish())\n }\n\n let context = try assertNoThrowWithValue(configuredSSLContext())\n\n let handler = try assertNoThrowWithValue(NIOSSLClientHandler(context: context, serverHostname: nil))\n XCTAssertNoThrow(try channel.pipeline.syncOperations.addHandler(handler))\n channel.pipeline.syncOperations.assertContains(handler: handler)\n\n // Let's unwrap. This should succeed easily.\n let stopPromise: EventLoopPromise = channel.eventLoop.makePromise()\n stopPromise.futureResult.assumeIsolated().whenComplete { _ in\n promiseCalled = true\n }\n\n XCTAssertFalse(promiseCalled)\n handler.stopTLS(promise: stopPromise)\n XCTAssertTrue(promiseCalled)\n }\n\n func testUnwrappingAfterSuccessfulUnwrap() throws {\n let serverChannel = EmbeddedChannel()\n let clientChannel = EmbeddedChannel()\n\n var promiseCalled = false\n\n defer {\n // We expect the server case to throw\n XCTAssertThrowsError(try serverChannel.finish())\n XCTAssertNoThrow(try clientChannel.finish())\n }\n\n let context = try assertNoThrowWithValue(configuredSSLContext())\n\n let clientHandler = try assertNoThrowWithValue(NIOSSLClientHandler(context: context, serverHostname: nil))\n XCTAssertNoThrow(try serverChannel.pipeline.syncOperations.addHandler(NIOSSLServerHandler(context: context)))\n XCTAssertNoThrow(try clientChannel.pipeline.syncOperations.addHandler(clientHandler))\n let handshakeHandler = HandshakeCompletedHandler()\n XCTAssertNoThrow(try clientChannel.pipeline.syncOperations.addHandler(handshakeHandler))\n\n // Connect. This should lead to a completed handshake.\n XCTAssertNoThrow(try connectInMemory(client: clientChannel, server: serverChannel))\n XCTAssertTrue(handshakeHandler.handshakeSucceeded)\n\n // Let's unwrap the client connection.\n let stopPromise: EventLoopPromise = clientChannel.eventLoop.makePromise()\n stopPromise.futureResult.assumeIsolated().whenComplete { _ in\n promiseCalled = true\n }\n clientHandler.stopTLS(promise: stopPromise)\n\n XCTAssertFalse(promiseCalled)\n XCTAssertNoThrow(try interactInMemory(clientChannel: clientChannel, serverChannel: serverChannel))\n XCTAssertTrue(promiseCalled)\n\n // Now, let's unwrap it again.\n let secondPromise: EventLoopPromise = clientChannel.eventLoop.makePromise()\n clientHandler.stopTLS(promise: secondPromise)\n do {\n try secondPromise.futureResult.wait()\n } catch {\n XCTFail(\"Unexpected error: \\(error)\")\n }\n }\n\n func testUnwrappingAfterClosure() throws {\n let serverChannel = EmbeddedChannel()\n let clientChannel = EmbeddedChannel()\n\n defer {\n // We expect both casees to throw\n XCTAssertThrowsError(try serverChannel.finish())\n XCTAssertThrowsError(try clientChannel.finish())\n }\n\n let context = try assertNoThrowWithValue(configuredSSLContext())\n\n let clientHandler = try assertNoThrowWithValue(NIOSSLClientHandler(context: context, serverHostname: nil))\n XCTAssertNoThrow(try serverChannel.pipeline.syncOperations.addHandler(NIOSSLServerHandler(context: context)))\n XCTAssertNoThrow(try clientChannel.pipeline.syncOperations.addHandler(clientHandler))\n let handshakeHandler = HandshakeCompletedHandler()\n XCTAssertNoThrow(try clientChannel.pipeline.syncOperations.addHandler(handshakeHandler))\n\n // Connect. This should lead to a completed handshake.\n XCTAssertNoThrow(try connectInMemory(client: clientChannel, server: serverChannel))\n XCTAssertTrue(handshakeHandler.handshakeSucceeded)\n\n // Let's close everything down.\n clientChannel.close(promise: nil)\n serverChannel.close(promise: nil)\n XCTAssertNoThrow(try interactInMemory(clientChannel: clientChannel, serverChannel: serverChannel))\n\n // We haven't spun the event loop, so the handlers are still in the pipeline. Now attempt to unwrap.\n let stopPromise: EventLoopPromise = clientChannel.eventLoop.makePromise()\n clientHandler.stopTLS(promise: stopPromise)\n\n XCTAssertThrowsError(try stopPromise.futureResult.wait()) { error in\n XCTAssertEqual(.some(.alreadyClosed), error as? NIOTLSUnwrappingError)\n }\n }\n\n func testReceivingGibberishAfterAttemptingToUnwrap() throws {\n let serverChannel = EmbeddedChannel()\n let clientChannel = EmbeddedChannel()\n\n var clientClosed = false\n var clientUnwrapped = false\n\n defer {\n // The errors here are expected\n XCTAssertThrowsError(try serverChannel.finish())\n XCTAssertThrowsError(try clientChannel.finish())\n }\n\n let context = try assertNoThrowWithValue(configuredSSLContext())\n\n let clientHandler = try assertNoThrowWithValue(NIOSSLClientHandler(context: context, serverHostname: nil))\n XCTAssertNoThrow(try serverChannel.pipeline.syncOperations.addHandler(NIOSSLServerHandler(context: context)))\n XCTAssertNoThrow(try clientChannel.pipeline.syncOperations.addHandler(clientHandler))\n let handshakeHandler = HandshakeCompletedHandler()\n XCTAssertNoThrow(try clientChannel.pipeline.syncOperations.addHandler(handshakeHandler))\n\n // Mark the closure of the client.\n clientChannel.closeFuture.assumeIsolated().whenComplete { _ in\n clientClosed = true\n }\n\n // Connect. This should lead to a completed handshake.\n XCTAssertNoThrow(try connectInMemory(client: clientChannel, server: serverChannel))\n XCTAssertTrue(handshakeHandler.handshakeSucceeded)\n\n // Let's unwrap the client connection.\n let clientStopPromise: EventLoopPromise = clientChannel.eventLoop.makePromise()\n clientStopPromise.futureResult.assumeIsolated().map {\n XCTFail(\"Must not succeed\")\n }.whenFailure { error in\n switch error as? NIOSSLError {\n case .some(.shutdownFailed):\n // Expected\n break\n default:\n XCTFail(\"Unexpected error: \\(error)\")\n }\n\n clientUnwrapped = true\n }\n clientHandler.stopTLS(promise: clientStopPromise)\n\n XCTAssertFalse(clientClosed)\n XCTAssertFalse(clientUnwrapped)\n\n // Now we're going to simulate the client receiving gibberish data in response, instead\n // of a CLOSE_NOTIFY.\n var buffer = clientChannel.allocator.buffer(capacity: 1024)\n buffer.writeStaticString(\"GET / HTTP/1.1\\r\\nHost: localhost\\r\\nContent-Length: 0\\r\\n\\r\\n\")\n\n XCTAssertThrowsError(try clientChannel.writeInbound(buffer)) { error in\n switch error as? NIOSSLError {\n case .some(.shutdownFailed):\n // Expected\n break\n default:\n XCTFail(\"Unexpected error: \\(error)\")\n }\n }\n\n // The client should have errored out now. The handler should still be there, as unwrapping\n // has failed.\n XCTAssertTrue(clientUnwrapped)\n clientChannel.pipeline.syncOperations.assertContains(handler: clientHandler)\n\n // Clean up by bringing the server up to speed\n serverChannel.pipeline.fireChannelInactive()\n }\n\n func testPendingWritesFailOnUnwrap() throws {\n let serverChannel = EmbeddedChannel()\n let clientChannel = EmbeddedChannel()\n\n defer {\n // We expect the server to throw\n XCTAssertThrowsError(try serverChannel.finish())\n XCTAssertNoThrow(try clientChannel.finish())\n }\n\n let context = try assertNoThrowWithValue(configuredSSLContext())\n\n let clientHandler = try assertNoThrowWithValue(NIOSSLClientHandler(context: context, serverHostname: nil))\n XCTAssertNoThrow(try serverChannel.pipeline.syncOperations.addHandler(NIOSSLServerHandler(context: context)))\n XCTAssertNoThrow(try clientChannel.pipeline.syncOperations.addHandler(clientHandler))\n let handshakeHandler = HandshakeCompletedHandler()\n XCTAssertNoThrow(try clientChannel.pipeline.syncOperations.addHandler(handshakeHandler))\n\n // Connect. This should lead to a completed handshake.\n XCTAssertNoThrow(try connectInMemory(client: clientChannel, server: serverChannel))\n XCTAssertTrue(handshakeHandler.handshakeSucceeded)\n\n // Queue up a write.\n var writeCompleted = false\n var buffer = clientChannel.allocator.buffer(capacity: 1024)\n buffer.writeStaticString(\"Hello, world!\")\n clientChannel.write(buffer).assumeIsolated().map {\n XCTFail(\"Must not succeed\")\n }.whenFailure { error in\n XCTAssertEqual(error as? NIOTLSUnwrappingError, .unflushedWriteOnUnwrap)\n writeCompleted = true\n }\n\n // We haven't spun the event loop, so the handlers are still in the pipeline. Now attempt to unwrap.\n var unwrapped = false\n let stopPromise: EventLoopPromise = clientChannel.eventLoop.makePromise()\n stopPromise.futureResult.assumeIsolated().whenSuccess {\n XCTAssertTrue(writeCompleted)\n unwrapped = true\n }\n XCTAssertFalse(writeCompleted)\n clientHandler.stopTLS(promise: stopPromise)\n XCTAssertFalse(writeCompleted)\n XCTAssertFalse(unwrapped)\n\n XCTAssertNoThrow(try interactInMemory(clientChannel: clientChannel, serverChannel: serverChannel))\n XCTAssertTrue(writeCompleted)\n XCTAssertTrue(unwrapped)\n }\n\n func testPendingWritesFailWhenFlushedOnUnwrap() throws {\n let serverChannel = EmbeddedChannel()\n let clientChannel = EmbeddedChannel()\n\n defer {\n // We expect both cases to throw\n XCTAssertThrowsError(try serverChannel.finish())\n XCTAssertThrowsError(try clientChannel.finish())\n }\n\n let context = try assertNoThrowWithValue(configuredSSLContext())\n\n let clientHandler = try assertNoThrowWithValue(NIOSSLClientHandler(context: context, serverHostname: nil))\n XCTAssertNoThrow(try serverChannel.pipeline.syncOperations.addHandler(NIOSSLServerHandler(context: context)))\n XCTAssertNoThrow(try clientChannel.pipeline.syncOperations.addHandler(clientHandler))\n let handshakeHandler = HandshakeCompletedHandler()\n XCTAssertNoThrow(try clientChannel.pipeline.syncOperations.addHandler(handshakeHandler))\n\n // Connect. This should lead to a completed handshake.\n XCTAssertNoThrow(try connectInMemory(client: clientChannel, server: serverChannel))\n XCTAssertTrue(handshakeHandler.handshakeSucceeded)\n\n // Queue up a write.\n var writeCompleted = false\n var buffer = clientChannel.allocator.buffer(capacity: 1024)\n buffer.writeStaticString(\"Hello, world!\")\n clientChannel.write(buffer).assumeIsolated().map {\n XCTFail(\"Must not succeed\")\n }.whenFailure { error in\n XCTAssertEqual(error as? ChannelError, .ioOnClosedChannel)\n writeCompleted = true\n }\n\n // We haven't spun the event loop, so the handlers are still in the pipeline. Now attempt to unwrap.\n var unwrapped = false\n let stopPromise: EventLoopPromise = clientChannel.eventLoop.makePromise()\n stopPromise.futureResult.assumeIsolated().whenFailure { error in\n switch error as? BoringSSLError {\n case .some(.sslError):\n // ok\n break\n default:\n XCTFail(\"Unexpected error: \\(error)\")\n }\n unwrapped = true\n }\n XCTAssertFalse(writeCompleted)\n clientHandler.stopTLS(promise: stopPromise)\n XCTAssertFalse(writeCompleted)\n XCTAssertFalse(unwrapped)\n\n // Now try to flush the write. This should fail the write early, and take out the connection.\n clientChannel.flush()\n XCTAssertTrue(writeCompleted)\n XCTAssertTrue(unwrapped)\n\n // Bring the server up to speed.\n serverChannel.pipeline.fireChannelInactive()\n }\n\n func testDataReceivedAfterCloseNotifyIsPassedDownThePipeline() throws {\n let serverChannel = EmbeddedChannel()\n let clientChannel = EmbeddedChannel()\n\n defer {\n // We expect the server case to throw\n XCTAssertThrowsError(try serverChannel.finish())\n XCTAssertNoThrow(try clientChannel.finish())\n }\n\n let context = try assertNoThrowWithValue(configuredSSLContext())\n\n let clientHandler = try assertNoThrowWithValue(NIOSSLClientHandler(context: context, serverHostname: nil))\n XCTAssertNoThrow(try serverChannel.pipeline.syncOperations.addHandler(NIOSSLServerHandler(context: context)))\n XCTAssertNoThrow(try clientChannel.pipeline.syncOperations.addHandler(clientHandler))\n let handshakeHandler = HandshakeCompletedHandler()\n XCTAssertNoThrow(try clientChannel.pipeline.syncOperations.addHandler(handshakeHandler))\n let readPromise: EventLoopPromise = clientChannel.eventLoop.makePromise()\n XCTAssertNoThrow(\n try clientChannel.pipeline.syncOperations.addHandler(PromiseOnReadHandler(promise: readPromise))\n )\n\n var readCompleted = false\n readPromise.futureResult.assumeIsolated().whenSuccess { buffer in\n XCTAssertEqual(buffer.getString(at: buffer.readerIndex, length: buffer.readableBytes), \"Hello, world!\")\n readCompleted = true\n }\n\n // Connect. This should lead to a completed handshake.\n XCTAssertNoThrow(try connectInMemory(client: clientChannel, server: serverChannel))\n XCTAssertTrue(handshakeHandler.handshakeSucceeded)\n\n // Let's unwrap the client connection. With no additional configuration, this will cause the server\n // to close. The client will not close because interactInMemory does not propagate closure.\n var unwrapped = false\n let stopPromise: EventLoopPromise = clientChannel.eventLoop.makePromise()\n stopPromise.futureResult.assumeIsolated().whenSuccess {\n unwrapped = true\n }\n clientHandler.stopTLS(promise: stopPromise)\n\n // Now we want to manually handle the interaction. The client will have sent a CLOSE_NOTIFY: send it to the server.\n let clientCloseNotify = try clientChannel.readOutbound(as: ByteBuffer.self)!\n XCTAssertNoThrow(try serverChannel.writeInbound(clientCloseNotify))\n\n // The server will have sent a CLOSE_NOTIFY: grab it.\n var serverCloseNotify = try serverChannel.readOutbound(as: ByteBuffer.self)!\n\n // We're going to append some plaintext data.\n serverCloseNotify.writeStaticString(\"Hello, world!\")\n\n // Now we're going to send it to the client.\n XCTAssertFalse(unwrapped)\n XCTAssertFalse(readCompleted)\n XCTAssertNoThrow(try clientChannel.writeInbound(serverCloseNotify))\n\n // This will have triggered an unwrap.\n XCTAssertTrue(unwrapped)\n\n // We should also have received the plaintext data.\n XCTAssertTrue(readCompleted)\n }\n\n func testUnwrappingTimeout() throws {\n let serverChannel = EmbeddedChannel()\n let clientChannel = EmbeddedChannel()\n\n var clientClosed = false\n var serverClosed = false\n var unwrapped = false\n\n defer {\n XCTAssertNoThrow(try serverChannel.finish(acceptAlreadyClosed: false))\n XCTAssertNoThrow(try clientChannel.finish(acceptAlreadyClosed: false))\n }\n\n let context = try assertNoThrowWithValue(configuredSSLContext())\n\n let serverHandler = try assertNoThrowWithValue(NIOSSLServerHandler(context: context))\n let clientHandler = try assertNoThrowWithValue(NIOSSLClientHandler(context: context, serverHostname: nil))\n XCTAssertNoThrow(try serverChannel.pipeline.syncOperations.addHandler(serverHandler))\n XCTAssertNoThrow(try clientChannel.pipeline.syncOperations.addHandler(clientHandler))\n let handshakeHandler = HandshakeCompletedHandler()\n XCTAssertNoThrow(try serverChannel.pipeline.syncOperations.addHandler(handshakeHandler))\n\n // Mark the closure of the channels.\n clientChannel.closeFuture.assumeIsolated().whenComplete { _ in\n clientClosed = true\n }\n serverChannel.closeFuture.assumeIsolated().whenComplete { _ in\n serverClosed = true\n }\n\n // Connect. This should lead to a completed handshake.\n XCTAssertNoThrow(try connectInMemory(client: clientChannel, server: serverChannel))\n XCTAssertTrue(handshakeHandler.handshakeSucceeded)\n\n // Let's unwrap the server connection. We are not going to interact in memory, because we want to simulate a\n // timeout.\n let stopPromise: EventLoopPromise = clientChannel.eventLoop.makePromise()\n stopPromise.futureResult.assumeIsolated().whenComplete { result in\n unwrapped = true\n\n switch result {\n case .success:\n XCTFail(\"Shutdown succeeded unexpectedly\")\n case .failure(let err):\n XCTAssertTrue(err is NIOSSLCloseTimedOutError, \"Unexpected error: \\(err)\")\n }\n }\n serverHandler.stopTLS(promise: stopPromise)\n\n XCTAssertFalse(clientClosed)\n XCTAssertFalse(serverClosed)\n XCTAssertFalse(unwrapped)\n XCTAssertNoThrow(try serverChannel.throwIfErrorCaught())\n\n // Advance time by 5 seconds. This should fire the timeout. We unwrap. The connection is not closed automatically.\n serverChannel.embeddedEventLoop.advanceTime(by: .seconds(5))\n XCTAssertFalse(clientClosed)\n XCTAssertFalse(serverClosed)\n XCTAssertTrue(unwrapped)\n serverChannel.pipeline.syncOperations.assertDoesNotContain(handler: serverHandler)\n XCTAssertThrowsError(try serverChannel.throwIfErrorCaught()) { error in\n XCTAssertTrue(error is NIOSSLCloseTimedOutError, \"Unexpected error: \\(error)\")\n }\n\n // Now we do the same for the client to get it out of the pipeline too. Naturally, it'll time out.\n clientHandler.stopTLS(promise: nil)\n clientChannel.embeddedEventLoop.advanceTime(by: .seconds(5))\n clientChannel.pipeline.syncOperations.assertDoesNotContain(handler: clientHandler)\n XCTAssertThrowsError(try clientChannel.throwIfErrorCaught()) { error in\n XCTAssertTrue(error is NIOSSLCloseTimedOutError, \"Unexpected error: \\(error)\")\n }\n\n XCTAssertFalse(clientClosed)\n XCTAssertFalse(serverClosed)\n XCTAssertTrue(unwrapped)\n }\n\n func testSuccessfulUnwrapCancelsTimeout() throws {\n let serverChannel = EmbeddedChannel()\n let clientChannel = EmbeddedChannel()\n\n var clientClosed = false\n var serverClosed = false\n var unwrapped = false\n\n defer {\n XCTAssertNoThrow(try serverChannel.finish(acceptAlreadyClosed: false))\n XCTAssertNoThrow(try clientChannel.finish(acceptAlreadyClosed: true))\n }\n\n let context = try assertNoThrowWithValue(configuredSSLContext())\n\n let serverHandler = try assertNoThrowWithValue(NIOSSLServerHandler(context: context))\n let clientHandler = try assertNoThrowWithValue(NIOSSLClientHandler(context: context, serverHostname: nil))\n XCTAssertNoThrow(try serverChannel.pipeline.syncOperations.addHandler(serverHandler))\n XCTAssertNoThrow(try clientChannel.pipeline.syncOperations.addHandler(clientHandler))\n let handshakeHandler = HandshakeCompletedHandler()\n XCTAssertNoThrow(try serverChannel.pipeline.syncOperations.addHandler(handshakeHandler))\n\n // Mark the closure of the channels.\n clientChannel.closeFuture.assumeIsolated().whenComplete { _ in\n clientClosed = true\n }\n serverChannel.closeFuture.assumeIsolated().whenComplete { _ in\n serverClosed = true\n }\n\n // Connect. This should lead to a completed handshake.\n XCTAssertNoThrow(try connectInMemory(client: clientChannel, server: serverChannel))\n XCTAssertTrue(handshakeHandler.handshakeSucceeded)\n\n // Let's unwrap the server connection.\n let stopPromise: EventLoopPromise = clientChannel.eventLoop.makePromise()\n stopPromise.futureResult.assumeIsolated().whenSuccess { result in\n unwrapped = true\n }\n serverHandler.stopTLS(promise: stopPromise)\n\n XCTAssertFalse(clientClosed)\n XCTAssertFalse(serverClosed)\n XCTAssertFalse(unwrapped)\n\n // Now interact in memory.\n XCTAssertNoThrow(\n try interactInMemory(clientChannel: clientChannel, serverChannel: serverChannel, runLoops: false)\n )\n\n XCTAssertFalse(clientClosed)\n XCTAssertFalse(serverClosed)\n XCTAssertTrue(unwrapped)\n serverChannel.pipeline.syncOperations.assertDoesNotContain(handler: serverHandler)\n\n // Now advance time by 5 seconds and confirm that the server doesn't get closed.\n serverChannel.embeddedEventLoop.advanceTime(by: .seconds(5))\n XCTAssertFalse(clientClosed)\n XCTAssertFalse(serverClosed)\n XCTAssertTrue(unwrapped)\n serverChannel.pipeline.syncOperations.assertDoesNotContain(handler: serverHandler)\n }\n\n func testUnwrappingAndClosingShareATimeout() throws {\n let serverChannel = EmbeddedChannel()\n let clientChannel = EmbeddedChannel()\n\n var clientClosed = false\n var serverClosed = false\n var unwrapped = false\n var closed = false\n\n defer {\n XCTAssertNoThrow(try serverChannel.finish(acceptAlreadyClosed: true))\n XCTAssertNoThrow(try clientChannel.finish(acceptAlreadyClosed: false))\n }\n\n let context = try assertNoThrowWithValue(configuredSSLContext())\n\n let serverHandler = try assertNoThrowWithValue(NIOSSLServerHandler(context: context))\n let clientHandler = try assertNoThrowWithValue(NIOSSLClientHandler(context: context, serverHostname: nil))\n XCTAssertNoThrow(try serverChannel.pipeline.syncOperations.addHandler(serverHandler))\n XCTAssertNoThrow(try clientChannel.pipeline.syncOperations.addHandler(clientHandler))\n let handshakeHandler = HandshakeCompletedHandler()\n XCTAssertNoThrow(try serverChannel.pipeline.syncOperations.addHandler(handshakeHandler))\n\n // Mark the closure of the channels.\n clientChannel.closeFuture.assumeIsolated().whenComplete { _ in\n clientClosed = true\n }\n serverChannel.closeFuture.assumeIsolated().whenComplete { _ in\n serverClosed = true\n }\n\n // Connect. This should lead to a completed handshake.\n XCTAssertNoThrow(try connectInMemory(client: clientChannel, server: serverChannel))\n XCTAssertTrue(handshakeHandler.handshakeSucceeded)\n\n // Let's unwrap the server connection. We are not going to interact in memory, because we want to simulate a\n // timeout.\n let stopPromise: EventLoopPromise = clientChannel.eventLoop.makePromise()\n stopPromise.futureResult.assumeIsolated().whenComplete { result in\n unwrapped = true\n\n switch result {\n case .success:\n XCTFail(\"Shutdown succeeded unexpectedly\")\n case .failure(let err):\n XCTAssertTrue(err is NIOSSLCloseTimedOutError, \"Unexpected error: \\(err)\")\n }\n }\n serverHandler.stopTLS(promise: stopPromise)\n\n XCTAssertFalse(clientClosed)\n XCTAssertFalse(serverClosed)\n XCTAssertFalse(unwrapped)\n\n // Advance time by 3 seconds. This should not fire the timeout.\n serverChannel.embeddedEventLoop.advanceTime(by: .seconds(3))\n XCTAssertFalse(clientClosed)\n XCTAssertFalse(serverClosed)\n XCTAssertFalse(unwrapped)\n serverChannel.pipeline.syncOperations.assertContains(handler: serverHandler)\n\n // Now we close. This will report success.\n serverChannel.close().assumeIsolated().whenSuccess { result in\n closed = true\n }\n\n XCTAssertFalse(clientClosed)\n XCTAssertFalse(serverClosed)\n XCTAssertFalse(unwrapped)\n XCTAssertFalse(closed)\n serverChannel.pipeline.syncOperations.assertContains(handler: serverHandler)\n\n // Now we advance two more seconds. This closes the connection. All the promises succeed.\n serverChannel.embeddedEventLoop.advanceTime(by: .seconds(2))\n XCTAssertFalse(clientClosed)\n XCTAssertTrue(serverClosed)\n XCTAssertTrue(unwrapped)\n XCTAssertTrue(closed)\n serverChannel.pipeline.syncOperations.assertDoesNotContain(handler: serverHandler)\n\n // Now we do the same for the client to get it out of the pipeline too. Naturally, it'll time out.\n clientHandler.stopTLS(promise: nil)\n clientChannel.embeddedEventLoop.advanceTime(by: .seconds(5))\n clientChannel.pipeline.syncOperations.assertDoesNotContain(handler: clientHandler)\n XCTAssertThrowsError(try clientChannel.throwIfErrorCaught()) { error in\n XCTAssertTrue(error is NIOSSLCloseTimedOutError, \"Unexpected error: \\(error)\")\n }\n\n XCTAssertFalse(clientClosed)\n XCTAssertTrue(serverClosed)\n XCTAssertTrue(unwrapped)\n }\n\n func testChannelInactiveDuringHandshake() throws {\n\n let serverChannel = EmbeddedChannel()\n let clientChannel = EmbeddedChannel()\n\n var serverClosed = false\n var serverUnwrapped = false\n defer {\n // The errors here are expected\n XCTAssertThrowsError(try serverChannel.finish())\n XCTAssertThrowsError(try clientChannel.finish())\n }\n\n let context = try assertNoThrowWithValue(configuredSSLContext())\n let serverHandler = try assertNoThrowWithValue(NIOSSLServerHandler(context: context))\n let clientHandler = try assertNoThrowWithValue(NIOSSLClientHandler(context: context, serverHostname: nil))\n XCTAssertNoThrow(try serverChannel.pipeline.syncOperations.addHandler(NIOSSLServerHandler(context: context)))\n XCTAssertNoThrow(try clientChannel.pipeline.syncOperations.addHandler(clientHandler))\n let handshakeHandler = HandshakeCompletedHandler()\n XCTAssertNoThrow(try clientChannel.pipeline.syncOperations.addHandler(handshakeHandler))\n\n serverChannel.closeFuture.assumeIsolated().whenComplete { _ in\n serverClosed = true\n }\n\n // Place the guts of connectInMemory here to abruptly alter the handshake process\n let addr = try assertNoThrowWithValue(SocketAddress(unixDomainSocketPath: \"/tmp/whatever2\"))\n let _ = clientChannel.connect(to: addr)\n\n XCTAssertFalse(serverClosed)\n\n serverChannel.pipeline.fireChannelActive()\n clientChannel.pipeline.fireChannelActive()\n // doHandshakeStep process should start here out in NIOSSLHandler before fireChannelInactive\n serverChannel.pipeline.fireChannelInactive()\n clientChannel.pipeline.fireChannelInactive()\n\n // Need to test this error as a BoringSSLError because that means success instead of an uncleanShutdown\n do {\n try interactInMemory(clientChannel: clientChannel, serverChannel: serverChannel)\n } catch {\n switch error as? NIOSSLError {\n case .some(.handshakeFailed(let innerError)):\n // Expected to fall into .handshakeFailed with .eofDuringHandshake\n XCTAssertEqual(innerError, .sslError([.eofDuringHandshake]))\n default:\n XCTFail(\"Unexpected error: \\(error)\")\n }\n }\n clientHandler.stopTLS(promise: nil)\n\n // Go through the process of closing and verifying the close on the server side.\n XCTAssertFalse(serverUnwrapped)\n\n let serverStopPromise: EventLoopPromise = serverChannel.eventLoop.makePromise()\n serverStopPromise.futureResult.assumeIsolated().whenComplete { _ in\n serverUnwrapped = true\n }\n serverHandler.stopTLS(promise: serverStopPromise)\n XCTAssertNoThrow(try interactInMemory(clientChannel: clientChannel, serverChannel: serverChannel))\n\n (serverChannel.eventLoop as! EmbeddedEventLoop).run()\n\n XCTAssertTrue(serverClosed)\n XCTAssertTrue(serverUnwrapped)\n }\n}\n" }, { "path": "dev/git.commit.template", "content": "One line description of your change\n\nMotivation:\n\nExplain here the context, and why you're making that change.\nWhat is the problem you're trying to solve.\n\nModifications:\n\nDescribe the modifications you've done.\n\nResult:\n\nAfter your change, what will change.\n" }, { "path": "docker/Dockerfile", "content": "ARG swift_version=5.7\nARG ubuntu_version=focal\nARG base_image=swift:$swift_version-$ubuntu_version\nFROM $base_image\n# needed to do again after FROM due to docker limitation\nARG swift_version\nARG ubuntu_version\n\n# set as UTF-8\nRUN apt-get update && apt-get install -y locales locales-all\nENV LC_ALL en_US.UTF-8\nENV LANG en_US.UTF-8\nENV LANGUAGE en_US.UTF-8\n\n# dependencies\nRUN apt-get update && apt-get install -y wget\nRUN apt-get update && apt-get install -y lsof dnsutils netcat-openbsd net-tools expect curl jq # used by integration tests\nRUN apt-get update && apt-get install -y libssl-dev\nRUN apt-get update && apt-get install -y execstack\n\n# tools\nRUN mkdir -p $HOME/.tools\nRUN echo 'export PATH=\"$HOME/.tools:$PATH\"' >> $HOME/.profile\n\n# script to allow mapping framepointers on linux (until part of the toolchain)\nRUN wget -q https://raw.githubusercontent.com/apple/swift/main/utils/symbolicate-linux-fatal -O $HOME/.tools/symbolicate-linux-fatal\nRUN chmod 755 $HOME/.tools/symbolicate-linux-fatal\n" }, { "path": "docker/docker-compose.2204.510.yaml", "content": "version: \"3\"\n\nservices:\n\n runtime-setup:\n image: swift-nio-ssl:22.04-5.10\n build:\n args:\n ubuntu_version: \"jammy\"\n swift_version: \"5.10\"\n\n performance-test:\n image: swift-nio-ssl:22.04-5.10\n\n shell:\n image: swift-nio-ssl:22.04-5.10\n" }, { "path": "docker/docker-compose.2204.58.yaml", "content": "version: \"3\"\n\nservices:\n\n runtime-setup:\n image: swift-nio-ssl:22.04-5.8\n build:\n args:\n ubuntu_version: \"jammy\"\n swift_version: \"5.8\"\n\n performance-test:\n image: swift-nio-ssl:22.04-5.8\n\n shell:\n image: swift-nio-ssl:22.04-5.8\n" }, { "path": "docker/docker-compose.2204.59.yaml", "content": "version: \"3\"\n\nservices:\n\n runtime-setup:\n image: swift-nio-ssl:22.04-5.9\n build:\n args:\n ubuntu_version: \"jammy\"\n swift_version: \"5.9\"\n\n performance-test:\n image: swift-nio-ssl:22.04-5.9\n\n shell:\n image: swift-nio-ssl:22.04-5.9\n" }, { "path": "docker/docker-compose.2204.main.yaml", "content": "version: \"3\"\n\nservices:\n\n runtime-setup:\n image: swift-nio-ssl:22.04-main\n build:\n args:\n base_image: \"swiftlang/swift:nightly-main-jammy\"\n\n performance-test:\n image: swift-nio-ssl:22.04-main\n\n shell:\n image: swift-nio-ssl:22.04-main\n" }, { "path": "docker/docker-compose.yaml", "content": "# this file is not designed to be run directly\n# instead, use the docker-compose.. files\n# eg docker-compose -f docker/docker-compose.yaml -f docker/docker-compose.1804.50.yaml run test\nversion: \"3\"\n\nservices:\n\n runtime-setup:\n image: swift-nio-ssl:default\n build:\n context: .\n dockerfile: Dockerfile\n\n common: &common\n image: swift-nio-ssl:default\n depends_on: [runtime-setup]\n volumes:\n - ~/.ssh:/root/.ssh\n - ..:/swift-nio-ssl:z\n working_dir: /swift-nio-ssl\n cap_drop:\n - CAP_NET_RAW\n - CAP_NET_BIND_SERVICE\n\n test:\n <<: *common\n command: /bin/bash -xcl \"./scripts/integration_tests.sh\"\n\n performance-test:\n <<: *common\n command: /bin/bash -xcl \"swift build -c release && ./.build/release/NIOSSLPerformanceTester\"\n\n # util\n\n shell:\n <<: *common\n entrypoint: /bin/bash\n" }, { "path": "scripts/analyze_performance_results.rb", "content": "#!/usr/bin/env ruby\n##===----------------------------------------------------------------------===##\n##\n## This source file is part of the SwiftNIO open source project\n##\n## Copyright (c) 2017-2018 Apple Inc. and the SwiftNIO project authors\n## Licensed under Apache License v2.0\n##\n## See LICENSE.txt for license information\n## See CONTRIBUTORS.txt for the list of SwiftNIO project authors\n##\n## SPDX-License-Identifier: Apache-2.0\n##\n##===----------------------------------------------------------------------===##\nrequire 'optparse'\n\nMETRIC=\"min\" # used for comparison\n\nmodule Enumerable\n def sum\n return self.inject(0){|accum, i| accum + i }\n end\n\n def mean\n return self.sum / self.length.to_f\n end\n\n def sample_variance\n m = self.mean\n sum = self.inject(0){|accum, i| accum + (i - m) ** 2 }\n return sum / (self.length - 1).to_f\n end\n\n def standard_deviation\n return Math.sqrt(self.sample_variance)\n end\nend\n\ndef parse_results(file)\n results = {}\n File.open(file, \"r\") do |f|\n f.each_line do |line|\n parts = line.split(':').collect(&:strip)\n throw \"invalid data format\" unless parts.length == 3\n key = parts[1]\n values = parts[2].split(',').collect(&:strip).map(&:to_f)\n results[key] = {}\n results[key][\"values\"] = values\n results[key][\"max\"] = values.max\n results[key][\"min\"] = values.min\n results[key][\"mean\"] = values.mean\n results[key][\"std\"] = values.standard_deviation\n end\n end\n results\nend\n\ndef compare_results(current, previous)\n results = {}\n current.keys.each do |key|\n results[key] = {}\n results[key][\"previous\"] = previous[key] || { ::METRIC => \"n/a\" }\n results[key][\"current\"] = current[key]\n if previous[key]\n current_value = current[key][::METRIC]\n previous_value = previous[key][::METRIC]\n delta = current_value - previous_value\n results[key][\"delta\"] = delta\n results[key][\"winner\"] = current_value <= previous_value ? \"current\" : \"previous\"\n results[key][\"diff\"] = (delta / previous_value * 100).to_i\n else\n results[key][\"winner\"] = \"n/a\"\n results[key][\"diff\"] = \"n/a\"\n end\n end\n results\nend\n\ndef print_results_markdown(results)\n columns = [\"min\", \"max\", \"mean\", \"std\"]\n puts \"| name | #{columns.join(\" | \")} |\"\n puts \"|#{Array.new(columns.size+1, '--').join(\"|\")}|\"\n results.keys.each do |key|\n print \"| #{key}\"\n columns.each do |column|\n print \" | #{results[key][column]}\"\n end\n puts \" |\\n\"\n end\nend\n\ndef print_results_html(results)\n columns = [\"min\", \"max\", \"mean\", \"std\"]\n puts \"\"\n puts \"\"\n results.keys.each do |key|\n puts \"\"\n puts \"\"\n columns.each do |column|\n puts \"\"\n end\n puts \"\"\n end\n puts \"
name#{columns.join(\"\")}
#{key}#{results[key][column]}
\"\nend\n\ndef print_results_csv(results)\n puts results.keys.join(\",\")\n puts results.keys.map{ |key| results[key][::METRIC] }.join(\",\")\nend\n\ndef print_comparison_markdown(results)\n puts \"| name | current | previous | winner | diff |\"\n puts \"|#{Array.new(5, '--').join(\"|\")}|\"\n results.keys.each do |key|\n puts \"| #{key} | #{results[key][\"current\"][::METRIC]} | #{results[key][\"previous\"][::METRIC]} | #{results[key][\"winner\"]} | #{results[key][\"diff\"]}% |\"\n end\nend\n\ndef print_comparison_html(results)\n puts \"\"\n puts \" \n \n \n \n \n \n \"\n results.keys.each do |key|\n puts \" \n \n \n \n \n \n \"\n end\n puts \"
namecurrentpreviouswinnerdiff
#{key}#{results[key][\"current\"][::METRIC]}#{results[key][\"previous\"][::METRIC]}#{results[key][\"winner\"]}#{results[key][\"diff\"]}%
\"\nend\n\n\nARGV << '-h' if ARGV.empty?\n\noptions = {}\nOptionParser.new do |opt|\n opt.on('-f', '--file file', 'file to process') { |o| options[:file] = o }\n opt.on('-p', '--previous previous', 'previous file to process') { |o| options[:previous] = o }\n opt.on('-o', '--output output', 'output format') { |o| options[:output] = o }\n opt.on_tail(\"-h\", \"--help\", \"show this message\") do\n puts opt\n end\nend.parse!\n\nif options.has_key?(:file) && options.has_key?(:previous)\n current = parse_results(options[:file])\n previous = parse_results(options[:previous])\n results = compare_results(current, previous)\n\n case options[:output]\n when \"html\"\n print_comparison_html(results)\n when \"markdown\", nil\n print_comparison_markdown(results)\n else\n throw \"invalid output format #{options[:output]}\"\n end\n\nelsif options.has_key?(:file)\n results = parse_results(options[:file])\n case options[:output]\n when \"csv\"\n print_results_csv(results)\n when \"html\", nil\n print_results_html(results)\n when \"markdown\", nil\n print_results_markdown(results)\n else\n throw \"invalid output format #{options[:output]}\"\n end\n\nelse\n throw \"invalid arguemnts\"\nend\n" }, { "path": "scripts/build-asm.py", "content": "#!/usr/bin/env python3\n##===----------------------------------------------------------------------===##\n##\n## This source file is part of the SwiftNIO open source project\n##\n## Copyright (c) 2018-2019 Apple Inc. and the SwiftNIO project authors\n## Licensed under Apache License v2.0\n##\n## See LICENSE.txt for license information\n## See CONTRIBUTORS.txt for the list of SwiftNIO project authors\n##\n## SPDX-License-Identifier: Apache-2.0\n##\n##===----------------------------------------------------------------------===##\n\nimport os\nimport subprocess\n\n\n# OS_ARCH_COMBOS maps from OS and platform to the OpenSSL assembly \"style\" for\n# that platform and the extension used by asm files.\nOS_ARCH_COMBOS = [\n ('ios', 'arm', 'ios32', [], 'S'),\n ('ios', 'aarch64', 'ios64', [], 'S'),\n ('linux', 'arm', 'linux32', [], 'S'),\n ('linux', 'aarch64', 'linux64', [], 'S'),\n ('linux', 'x86', 'elf', ['-fPIC', '-DOPENSSL_IA32_SSE2'], 'S'),\n ('linux', 'x86_64', 'elf', [], 'S'),\n ('mac', 'x86_64', 'macosx', [], 'S'),\n]\n\n\n# NON_PERL_FILES enumerates assembly files that are not processed by the\n# perlasm system.\nNON_PERL_FILES = {\n ('linux', 'arm'): [\n 'boringssl/crypto/curve25519/asm/x25519-asm-arm.S',\n 'boringssl/crypto/poly1305/poly1305_arm_asm.S',\n ],\n ('linux', 'x86_64'): [\n 'boringssl/crypto/hrss/asm/poly_rq_mul.S',\n ],\n}\n\n\ndef FindCMakeFiles(directory):\n \"\"\"Returns list of all CMakeLists.txt files recursively in directory.\"\"\"\n cmakefiles = []\n\n for (path, _, filenames) in os.walk(directory):\n for filename in filenames:\n if filename == 'CMakeLists.txt':\n cmakefiles.append(os.path.join(path, filename))\n\n return cmakefiles\n\n\ndef ExtractPerlAsmFromCMakeFile(cmakefile):\n \"\"\"Parses the contents of the CMakeLists.txt file passed as an argument and\n returns a list of all the perlasm() directives found in the file.\"\"\"\n perlasms = []\n with open(cmakefile) as f:\n for line in f:\n line = line.strip()\n if not line.startswith('perlasm('):\n continue\n if not line.endswith(')'):\n raise ValueError('Bad perlasm line in %s' % cmakefile)\n # Remove \"perlasm(\" from start and \")\" from end\n params = line[8:-1].split()\n if len(params) < 4:\n raise ValueError('Bad perlasm line in %s: %s' % (cmakefile, line))\n perlasms.append({\n 'arch': params[1],\n 'output': os.path.join(os.path.dirname(cmakefile), params[2]),\n 'input': os.path.join(os.path.dirname(cmakefile), params[3]),\n 'extra_args': params[4:]\n })\n\n return perlasms\n\n\ndef ReadPerlAsmOperations():\n \"\"\"Returns a list of all perlasm() directives found in CMake config files in\n src/.\"\"\"\n perlasms = []\n cmakefiles = FindCMakeFiles('boringssl')\n\n for cmakefile in cmakefiles:\n perlasms.extend(ExtractPerlAsmFromCMakeFile(cmakefile))\n\n return perlasms\n\n\ndef PerlAsm(output_filename, input_filename, perlasm_style, extra_args):\n \"\"\"Runs the a perlasm script and puts the output into output_filename.\"\"\"\n base_dir = os.path.dirname(output_filename)\n if not os.path.isdir(base_dir):\n os.makedirs(base_dir)\n subprocess.check_call(\n ['perl', input_filename, perlasm_style] + extra_args + [output_filename])\n\n\ndef WriteAsmFiles(perlasms):\n \"\"\"Generates asm files from perlasm directives for each supported OS x\n platform combination.\"\"\"\n asmfiles = {}\n\n for perlasm in perlasms:\n for (osname, arch, perlasm_style, extra_args, asm_ext) in OS_ARCH_COMBOS:\n if arch != perlasm['arch']:\n continue\n key = (osname, arch)\n outDir = '%s-%s' % key\n\n output = perlasm['output']\n if not output.startswith('boringssl/crypto'):\n raise ValueError('output missing crypto: %s' % output)\n output = os.path.join(outDir, output[17:])\n output = '%s-%s.%s' % (output, osname, asm_ext)\n per_command_extra_args = extra_args + perlasm['extra_args']\n PerlAsm(output, perlasm['input'], perlasm_style, per_command_extra_args)\n asmfiles.setdefault(key, []).append(output)\n\n return asmfiles\n\n\ndef preprocessor_arch_for_arch(arch):\n if arch == \"arm\":\n return \"__arm__\"\n elif arch == \"aarch64\":\n return \"__aarch64__\"\n elif arch == \"x86\":\n return \"__i386__\"\n elif arch == \"x86_64\":\n return \"__x86_64__\"\n\n\ndef preprocessor_platform_for_os(osname):\n if osname == 'mac' or osname == 'ios':\n return '__APPLE__'\n elif osname == 'linux':\n return '__linux__'\n\n\ndef asm_target(osname, arch, asm):\n components = asm.split('/')\n new_components = [\"boringssl/crypto\"] + components[1:-1] + [components[-1].replace('.S', '.' + osname + '.' + arch + '.S')] # noqa: E501\n return '/'.join(new_components)\n\n\ndef munge_file(pp_arch, pp_platform, source_lines, sink):\n \"\"\"\n Wraps a single assembly file in appropriate defines.\n \"\"\"\n sink.write(\"#if defined({0}) && defined({1})\\n\".format(pp_arch, pp_platform).encode()) # noqa: E501\n for line in source_lines:\n sink.write(line)\n\n sink.write(\"#endif // defined({0}) && defined({1})\\n\".format(pp_arch, pp_platform).encode()) # noqa: E501\n\n\ndef munge_all_files(osname, arch, asms):\n \"\"\"\n Puts the appropriate architecture #ifdefs around the asm.\n \"\"\"\n for asm in asms:\n pp_arch = preprocessor_arch_for_arch(arch)\n pp_platform = preprocessor_platform_for_os(osname)\n target = asm_target(osname, arch, asm)\n\n with open(asm, 'rb') as source:\n with open(target, 'wb') as sink:\n munge_file(pp_arch, pp_platform, source, sink)\n\n\ndef main():\n # First, we build all the .S files using the helper from boringssl.\n asm_outputs = WriteAsmFiles(ReadPerlAsmOperations())\n\n # Now we need to bring over all the .S files, inserting our preprocessor\n # directives along the way. We do this to allow the C preprocessor to make\n # unneeded assembly files vanish.\n for ((osname, arch), asm_files) in asm_outputs.items():\n munge_all_files(osname, arch, asm_files)\n\n for ((osname, arch), asm_files) in NON_PERL_FILES.items():\n for asm_file in asm_files:\n with open(asm_file, 'rb') as f:\n lines = f.readlines()\n\n pp_arch = preprocessor_arch_for_arch(arch)\n pp_platform = preprocessor_platform_for_os(osname)\n\n with open(asm_file, 'wb') as sink:\n munge_file(pp_arch, pp_platform, lines, sink)\n\n\nif __name__ == '__main__':\n main()\n" }, { "path": "scripts/integration_tests.sh", "content": "#!/bin/bash\n##===----------------------------------------------------------------------===##\n##\n## This source file is part of the SwiftNIO open source project\n##\n## Copyright (c) 2017-2018 Apple Inc. and the SwiftNIO project authors\n## Licensed under Apache License v2.0\n##\n## See LICENSE.txt for license information\n## See CONTRIBUTORS.txt for the list of SwiftNIO project authors\n##\n## SPDX-License-Identifier: Apache-2.0\n##\n##===----------------------------------------------------------------------===##\n\nset +ex\n\nmkdir -p .build # for the junit.xml file\n./IntegrationTests/run-tests.sh --junit-xml .build/junit-sh-tests.xml -i \"$@\"\n" }, { "path": "scripts/patch-1-inttypes.patch", "content": "diff --git a/Sources/CNIOBoringSSL/crypto/hrss/hrss.cc b/Sources/CNIOBoringSSL/crypto/hrss/hrss.cc\nindex 93a214e..eee4e58 100644\n--- a/Sources/CNIOBoringSSL/crypto/hrss/hrss.cc\n+++ b/Sources/CNIOBoringSSL/crypto/hrss/hrss.cc\n@@ -13,6 +13,7 @@\n * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */\n \n #include \n+#include \n \n #include \n #include \ndiff --git a/Sources/CNIOBoringSSL/include/CNIOBoringSSL_bn.h b/Sources/CNIOBoringSSL/include/CNIOBoringSSL_bn.h\nindex c86c1ef..7013140 100644\n--- a/Sources/CNIOBoringSSL/include/CNIOBoringSSL_bn.h\n+++ b/Sources/CNIOBoringSSL/include/CNIOBoringSSL_bn.h\n@@ -126,7 +126,8 @@\n #include \"CNIOBoringSSL_base.h\"\n #include \"CNIOBoringSSL_thread.h\"\n \n #include // for PRIu64 and friends\n+#include \n #include // for FILE*\n \n #if defined(__cplusplus)\n" }, { "path": "scripts/patch-2-inttypes.patch", "content": "diff --git a/Sources/CNIOBoringSSL/crypto/x509/t_x509.cc b/Sources/CNIOBoringSSL/crypto/x509/t_x509.cc\nindex 7a3acc8..c0bc1c5 100644\n--- a/Sources/CNIOBoringSSL/crypto/x509/t_x509.cc\n+++ b/Sources/CNIOBoringSSL/crypto/x509/t_x509.cc\n@@ -8,6 +8,7 @@\n */\n \n #include \n+#include // for PRIu64 and friends\n \n #include \n #include \ndiff --git a/Sources/CNIOBoringSSL/include/CNIOBoringSSL_bn.h b/Sources/CNIOBoringSSL/include/CNIOBoringSSL_bn.h\nindex 557fb1d..825b4ea 100644\n--- a/Sources/CNIOBoringSSL/include/CNIOBoringSSL_bn.h\n+++ b/Sources/CNIOBoringSSL/include/CNIOBoringSSL_bn.h\n@@ -126,7 +126,6 @@\n #include \"CNIOBoringSSL_base.h\"\n #include \"CNIOBoringSSL_thread.h\"\n \n-#include // for PRIu64 and friends\n #include \n #include // for FILE*\n \n" }, { "path": "scripts/patch-3-more-inttypes.patch", "content": "diff --git a/Sources/CNIOBoringSSL/crypto/evp/print.cc b/Sources/CNIOBoringSSL/crypto/evp/print.cc\nindex 89ceb32..5e6fb2f 100644\n--- a/Sources/CNIOBoringSSL/crypto/evp/print.cc\n+++ b/Sources/CNIOBoringSSL/crypto/evp/print.cc\n@@ -7,6 +7,8 @@\n * https://www.openssl.org/source/license.html\n */\n\n+#include \n+\n #include \n \n #include \n" }, { "path": "scripts/vendor-boringssl.sh", "content": "#!/bin/bash\n##===----------------------------------------------------------------------===##\n##\n## This source file is part of the SwiftNIO open source project\n##\n## Copyright (c) 2018-2019 Apple Inc. and the SwiftNIO project authors\n## Licensed under Apache License v2.0\n##\n## See LICENSE.txt for license information\n## See CONTRIBUTORS.txt for the list of SwiftNIO project authors\n##\n## SPDX-License-Identifier: Apache-2.0\n##\n##===----------------------------------------------------------------------===##\n# This was substantially adapted from grpc-swift's vendor-boringssl.sh script.\n# The license for the original work is reproduced below. See NOTICES.txt for\n# more.\n#\n# Copyright 2016, gRPC Authors All rights reserved.\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n#\n# http://www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n#\n# This script creates a vendored copy of BoringSSL that is\n# suitable for building with the Swift Package Manager.\n#\n# Usage:\n# 1. Run this script in the package root. It will place\n# a local copy of the BoringSSL sources in Sources/CNIOBoringSSL.\n# Any prior contents of Sources/CNIOBoringSSL will be deleted.\n#\nset -eou pipefail\n\nHERE=$(pwd)\nDSTROOT=Sources/CNIOBoringSSL\nTMPDIR=$(mktemp -d /tmp/.workingXXXXXX)\nSRCROOT=\"${TMPDIR}/src/boringssl.googlesource.com/boringssl\"\n\n# This function namespaces the awkward inline functions declared in OpenSSL\n# and BoringSSL.\nfunction namespace_inlines {\n # Pull out all STACK_OF functions.\n STACKS=$(grep --no-filename -rE -e \"DEFINE_(SPECIAL_)?STACK_OF\\([A-Z_0-9a-z]+\\)\" -e \"DEFINE_NAMED_STACK_OF\\([A-Z_0-9a-z]+, +[A-Z_0-9a-z:]+\\)\" \"$1/\"* | grep -v '//' | grep -v '#' | $sed -e 's/DEFINE_\\(SPECIAL_\\)\\?STACK_OF(\\(.*\\))/\\2/' -e 's/DEFINE_NAMED_STACK_OF(\\(.*\\), .*)/\\1/')\n STACK_FUNCTIONS=(\"call_free_func\" \"call_copy_func\" \"call_cmp_func\" \"new\" \"new_null\" \"num\" \"zero\" \"value\" \"set\" \"free\" \"pop_free\" \"insert\" \"delete\" \"delete_ptr\" \"find\" \"shift\" \"push\" \"pop\" \"dup\" \"sort\" \"is_sorted\" \"set_cmp_func\" \"deep_copy\")\n\n for s in $STACKS; do\n for f in \"${STACK_FUNCTIONS[@]}\"; do\n echo \"#define sk_${s}_${f} BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_${s}_${f})\" >> \"$1/include/openssl/boringssl_prefix_symbols.h\"\n done\n done\n\n # Now pull out all LHASH_OF functions.\n LHASHES=$(grep --no-filename -rE \"DEFINE_LHASH_OF\\([A-Z_0-9a-z]+\\)\" \"$1/\"* | grep -v '//' | grep -v '#' | grep -v '\\\\$' | $sed 's/DEFINE_LHASH_OF(\\(.*\\))/\\1/')\n LHASH_FUNCTIONS=(\"call_cmp_func\" \"call_hash_func\" \"new\" \"free\" \"num_items\" \"retrieve\" \"call_cmp_key\" \"retrieve_key\" \"insert\" \"delete\" \"call_doall\" \"call_doall_arg\" \"doall\" \"doall_arg\")\n\n for l in $LHASHES; do\n for f in \"${LHASH_FUNCTIONS[@]}\"; do\n echo \"#define lh_${l}_${f} BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_${l}_${f})\" >> \"$1/include/openssl/boringssl_prefix_symbols.h\"\n done\n done\n}\n\n\n# This function handles mangling the symbols in BoringSSL.\nfunction mangle_symbols {\n echo \"GENERATING mangled symbol list\"\n (\n # We need a .a: may as well get SwiftPM to give it to us.\n # Temporarily enable the product we need.\n $sed -i -e 's/MANGLE_START/MANGLE_START*\\//' -e 's/MANGLE_END/\\/*MANGLE_END/' \"${HERE}/Package.swift\"\n\n export GOPATH=\"${TMPDIR}\"\n\n # Begin by building for macOS. We build for two target triples, Intel\n # and Apple Silicon\n swift build --triple \"x86_64-apple-macosx\" --product CNIOBoringSSL\n swift build --triple \"arm64-apple-macosx\" --product CNIOBoringSSL\n (\n cd \"${SRCROOT}\"\n go mod tidy -modcacherw\n go run \"util/read_symbols.go\" -out \"${TMPDIR}/symbols-macOS-intel.txt\" \"${HERE}/.build/x86_64-apple-macosx/debug/libCNIOBoringSSL.a\"\n go run \"util/read_symbols.go\" -out \"${TMPDIR}/symbols-macOS-as.txt\" \"${HERE}/.build/arm64-apple-macosx/debug/libCNIOBoringSSL.a\"\n )\n\n # Now build for iOS. We use xcodebuild for this because SwiftPM doesn't\n # meaningfully support it. Unfortunately we must archive ourselves.\n #\n # If xcodebuild complains about not finding the scheme, make sure there\n # isn't a .xcodeproj kicking around.\n xcodebuild -sdk iphoneos -scheme CNIOBoringSSL -derivedDataPath \"${TMPDIR}/iphoneos-deriveddata\" -destination generic/platform=iOS\n ar -r \"${TMPDIR}/libCNIOBoringSSL-iosarm64.a\" \"${TMPDIR}/iphoneos-deriveddata/Build/Products/Debug-iphoneos/CNIOBoringSSL.o\"\n\n (\n cd \"${SRCROOT}\"\n go run \"util/read_symbols.go\" -out \"${TMPDIR}/symbols-iOS.txt\" \"${TMPDIR}/libCNIOBoringSSL-iosarm64.a\"\n )\n\n # Now cross compile for our targets.\n docker run -t -i --rm --privileged -v\"$(pwd)\":/src -w/src --platform linux/arm64 swift:5.9-jammy \\\n swift build --product CNIOBoringSSL\n docker run -t -i --rm --privileged -v\"$(pwd)\":/src -w/src --platform linux/amd64 swift:5.9-jammy \\\n swift build --product CNIOBoringSSL\n\n # Now we need to generate symbol mangles for Linux. We can do this in\n # one go for all of them.\n (\n cd \"${SRCROOT}\"\n go run \"util/read_symbols.go\" -obj-file-format elf -out \"${TMPDIR}/symbols-linux-all.txt\" \"${HERE}\"/.build/*-unknown-linux-gnu/debug/libCNIOBoringSSL.a\n )\n\n # Now we concatenate all the symbols together and uniquify it.\n cat \"${TMPDIR}\"/symbols-*.txt | sort | uniq > \"${TMPDIR}/symbols.txt\"\n\n # Use this as the input to the mangle.\n (\n cd \"${SRCROOT}\"\n go run \"util/make_prefix_headers.go\" -out \"${HERE}/${DSTROOT}/include/openssl\" \"${TMPDIR}/symbols.txt\"\n )\n\n # Remove the product, as we no longer need it.\n $sed -i -e 's/MANGLE_START\\*\\//MANGLE_START/' -e 's/\\/\\*MANGLE_END/MANGLE_END/' \"${HERE}/Package.swift\"\n )\n\n # Now remove any weird symbols that got in and would emit warnings.\n $sed -i -e '/#define .*\\..*/d' \"${DSTROOT}\"/include/openssl/boringssl_prefix_symbols*.h\n\n # Now edit the headers again to add the symbol mangling.\n echo \"ADDING symbol mangling\"\n perl -pi -e '$_ .= qq(\\n#define BORINGSSL_PREFIX CNIOBoringSSL\\n) if /#define OPENSSL_HEADER_BASE_H/' \"$DSTROOT/include/openssl/base.h\"\n\n while IFS= read -r -d '' assembly_file\n do\n $sed -i '1 i #define BORINGSSL_PREFIX CNIOBoringSSL' \"$assembly_file\"\n done < <(find \"$DSTROOT\" -name \"*.S\" -print0)\n namespace_inlines \"$DSTROOT\"\n}\n\n\n# BoringSSL includes a few non-namespaced C++ structures. These aren't namespaced because they're exposed\n# in C-land, which doesn't know about the namespacing. Sadly, these structures include constructors and destructors,\n# and if those aren't namespaced we're still able to conflict.\n#\n# This function is responsible for identifying them and manually cleaning them up. We run this only on\n# macOS because we don't believe that the cross-platform architectures will hit any other structures.\nfunction mangle_cpp_structures {\n echo \"MANGLING C++ structures\"\n (\n # We need a .a: may as well get SwiftPM to give it to us.\n # Temporarily enable the product we need.\n $sed -i -e 's/MANGLE_START/MANGLE_START*\\//' -e 's/MANGLE_END/\\/*MANGLE_END/' \"${HERE}/Package.swift\"\n\n # Build for macOS.\n swift build --product CNIOBoringSSL\n\n # Woah, this is a hell of a command! What does it do?\n #\n # The nm command grabs all global defined symbols. We then run the C++ demangler over them and look for methods with '::' in them:\n # these are C++ methods. We then exclude any that contain CNIOBoringSSL (as those are already namespaced!) and any that contain swift\n # (as those were put there by the Swift runtime, not us). This gives us a list of symbols. The following cut command\n # grabs the type name from each of those (the bit preceding the '::'). Then, we sort and uniqify that list.\n # Finally, we remove any symbol that ends in std. This gives us all the structures that need to be renamed.\n structures=$(nm -gUj \"$(swift build --show-bin-path)/libCNIOBoringSSL.a\" | c++filt | grep \"::\" | grep -v -e \"CNIOBoringSSL\" -e \"swift\" | cut -d : -f1 | grep -v \"std$\" | $sed -E -e 's/([^<>]*)(<[^<>]*>)?/\\1/' | sort | uniq)\n\n for struct in ${structures}; do\n echo \"#define ${struct} BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ${struct})\" >> \"${DSTROOT}/include/CNIOBoringSSL_boringssl_prefix_symbols.h\"\n done\n\n # Remove the product, as we no longer need it.\n $sed -i -e 's/MANGLE_START\\*\\//MANGLE_START/' -e 's/\\/\\*MANGLE_END/MANGLE_END/' \"${HERE}/Package.swift\"\n )\n}\n\ncase \"$(uname -s)\" in\n Darwin)\n sed=gsed\n ;;\n *)\n\t# shellcheck disable=SC2209\n sed=sed\n ;;\nesac\n\nif ! hash ${sed} 2>/dev/null; then\n echo \"You need sed \\\"${sed}\\\" to run this script ...\"\n echo\n echo \"On macOS: brew install gnu-sed\"\n exit 43\nfi\n\necho \"REMOVING any previously-vendored BoringSSL code\"\nrm -rf $DSTROOT/include\nrm -rf $DSTROOT/ssl\nrm -rf $DSTROOT/crypto\nrm -rf $DSTROOT/third_party\nrm -rf $DSTROOT/gen\n\necho \"CLONING boringssl\"\nmkdir -p \"$SRCROOT\"\ngit clone https://boringssl.googlesource.com/boringssl \"$SRCROOT\"\ncd \"$SRCROOT\"\nBORINGSSL_REVISION=$(git rev-parse HEAD)\ncd \"$HERE\"\necho \"CLONED boringssl@${BORINGSSL_REVISION}\"\n\necho \"OBTAINING submodules\"\n(\n cd \"$SRCROOT\"\n git submodule update --init\n)\n\necho \"GENERATING assembly helpers\"\n(\n cd \"$SRCROOT\"\n cd ..\n mkdir -p \"${SRCROOT}/crypto/third_party/sike/asm\"\n python3 \"${HERE}/scripts/build-asm.py\"\n)\n\nPATTERNS=(\n'include/openssl/*.h'\n'include/openssl/*/*.h'\n'ssl/*.h'\n'ssl/*.cc'\n'crypto/*.h'\n'crypto/*.cc'\n'crypto/*/*.h'\n'crypto/*/*.cc'\n'crypto/*/*.S'\n'crypto/*/*/*.h'\n'crypto/*/*/*.cc.inc'\n'crypto/*/*/*.S'\n'crypto/*/*/*/*.cc.inc'\n'gen/crypto/*.cc'\n'gen/crypto/*.S'\n'gen/bcm/*.S'\n'third_party/fiat/*.h'\n'third_party/fiat/asm/*.S'\n#'third_party/fiat/*.c'\n)\n\nEXCLUDES=(\n'*_test.*'\n'test_*.*'\n'test'\n'example_*.cc'\n)\n\necho \"COPYING boringssl\"\nfor pattern in \"${PATTERNS[@]}\"\ndo\n for i in $SRCROOT/$pattern; do\n path=${i#\"$SRCROOT\"}\n dest=\"$DSTROOT$path\"\n dest_dir=$(dirname \"$dest\")\n mkdir -p \"$dest_dir\"\n cp \"$SRCROOT/$path\" \"$dest\"\n done\ndone\n\nfor exclude in \"${EXCLUDES[@]}\"\ndo\n echo \"EXCLUDING $exclude\"\n find $DSTROOT -d -name \"$exclude\" -exec rm -rf {} \\;\ndone\n\nmangle_symbols\n\necho \"RENAMING header files\"\n(\n # We need to rearrange a coouple of things here, the end state will be:\n # - Headers from 'include/openssl/' will be moved up a level to 'include/'\n # - Their names will be prefixed with 'CNIOBoringSSL_'\n # - The headers prefixed with 'boringssl_prefix_symbols' will also be prefixed with 'CNIOBoringSSL_'\n # - Any include of another header in the 'include/' directory will use quotation marks instead of angle brackets\n\n # Let's move the headers up a level first.\n cd \"$DSTROOT\"\n mv include/openssl/* include/\n rmdir \"include/openssl\"\n\n # Now let's remove the pki subdirectory, as we don't need it.\n rm -rf include/pki\n\n # Now change the imports from \" to \"\", apply the same prefix to the 'boringssl_prefix_symbols' headers.\n # shellcheck disable=SC2038\n find . -name \"*.[ch]\" -or -name \"*.cc\" -or -name \"*.S\" -or -name \"*.cc.inc\" | xargs $sed -i -r -e 's#include ]+/)*)(.+.h)>#include <\\1CNIOBoringSSL_\\3>#' -e 's+include ]+/)*)(.+.h)\"#include \"\\1CNIOBoringSSL_\\3\"#'\n\n # Okay now we need to rename the headers adding the prefix \"CNIOBoringSSL_\".\n pushd include\n for x in *.h; do mv -- \"$x\" \"CNIOBoringSSL_${x}\"; done\n for x in **/*.h; do mv -- \"$x\" \"${x%/*}/CNIOBoringSSL_${x##*/}\"; done\n\n # Finally, make sure we refer to them by their prefixed names, and change any includes from angle brackets to quotation marks.\n # shellcheck disable=SC2038\n find . -name \"*.h\" | xargs $sed -i -r -e 's#include \"(([^/\"]+/)*)(.+.h)\"#include \"\\1CNIOBoringSSL_\\3\"#' -e 's/include /include \"CNIOBoringSSL_\\1\"/'\n popd\n)\n\necho \"PATCHING BoringSSL\"\ngit apply \"${HERE}/scripts/patch-1-inttypes.patch\"\ngit apply \"${HERE}/scripts/patch-2-inttypes.patch\"\ngit apply \"${HERE}/scripts/patch-3-more-inttypes.patch\"\n\n# We need to avoid having the stack be executable. BoringSSL does this in its build system, but we can't.\necho \"PROTECTING against executable stacks\"\n(\n cd \"$DSTROOT\"\n # shellcheck disable=SC2038\n find . -name \"*.S\" | xargs $sed -i '$ a #if defined(__linux__) && defined(__ELF__)\\n.section .note.GNU-stack,\"\",%progbits\\n#endif\\n'\n)\n\nmangle_cpp_structures\n\n# We need BoringSSL to be modularised\necho \"MODULARISING BoringSSL\"\ncat << EOF > \"$DSTROOT/include/CNIOBoringSSL.h\"\n//===----------------------------------------------------------------------===//\n//\n// This source file is part of the SwiftNIO open source project\n//\n// Copyright (c) 2019 Apple Inc. and the SwiftNIO project authors\n// Licensed under Apache License v2.0\n//\n// See LICENSE.txt for license information\n// See CONTRIBUTORS.txt for the list of SwiftNIO project authors\n//\n// SPDX-License-Identifier: Apache-2.0\n//\n//===----------------------------------------------------------------------===//\n#ifndef C_NIO_BORINGSSL_H\n#define C_NIO_BORINGSSL_H\n\n#include \"CNIOBoringSSL_aead.h\"\n#include \"CNIOBoringSSL_aes.h\"\n#include \"CNIOBoringSSL_arm_arch.h\"\n#include \"CNIOBoringSSL_asm_base.h\"\n#include \"CNIOBoringSSL_asn1_mac.h\"\n#include \"CNIOBoringSSL_asn1t.h\"\n#include \"CNIOBoringSSL_base.h\"\n#include \"CNIOBoringSSL_bio.h\"\n#include \"CNIOBoringSSL_blake2.h\"\n#include \"CNIOBoringSSL_blowfish.h\"\n#include \"CNIOBoringSSL_bn.h\"\n#include \"CNIOBoringSSL_boringssl_prefix_symbols.h\"\n#include \"CNIOBoringSSL_boringssl_prefix_symbols_asm.h\"\n#include \"CNIOBoringSSL_cast.h\"\n#include \"CNIOBoringSSL_chacha.h\"\n#include \"CNIOBoringSSL_ctrdrbg.h\"\n#include \"CNIOBoringSSL_cmac.h\"\n#include \"CNIOBoringSSL_conf.h\"\n#include \"CNIOBoringSSL_cpu.h\"\n#include \"CNIOBoringSSL_curve25519.h\"\n#include \"CNIOBoringSSL_des.h\"\n#include \"CNIOBoringSSL_dtls1.h\"\n#include \"CNIOBoringSSL_e_os2.h\"\n#include \"CNIOBoringSSL_ec.h\"\n#include \"CNIOBoringSSL_ec_key.h\"\n#include \"CNIOBoringSSL_ecdsa.h\"\n#include \"CNIOBoringSSL_err.h\"\n#include \"CNIOBoringSSL_evp.h\"\n#include \"CNIOBoringSSL_hkdf.h\"\n#include \"CNIOBoringSSL_hmac.h\"\n#include \"CNIOBoringSSL_hpke.h\"\n#include \"CNIOBoringSSL_hrss.h\"\n#include \"CNIOBoringSSL_kdf.h\"\n#include \"CNIOBoringSSL_md4.h\"\n#include \"CNIOBoringSSL_md5.h\"\n#include \"CNIOBoringSSL_mldsa.h\"\n#include \"CNIOBoringSSL_mlkem.h\"\n#include \"CNIOBoringSSL_obj_mac.h\"\n#include \"CNIOBoringSSL_objects.h\"\n#include \"CNIOBoringSSL_opensslv.h\"\n#include \"CNIOBoringSSL_ossl_typ.h\"\n#include \"CNIOBoringSSL_pkcs12.h\"\n#include \"CNIOBoringSSL_poly1305.h\"\n#include \"CNIOBoringSSL_rand.h\"\n#include \"CNIOBoringSSL_rc4.h\"\n#include \"CNIOBoringSSL_ripemd.h\"\n#include \"CNIOBoringSSL_rsa.h\"\n#include \"CNIOBoringSSL_safestack.h\"\n#include \"CNIOBoringSSL_service_indicator.h\"\n#include \"CNIOBoringSSL_sha.h\"\n#include \"CNIOBoringSSL_siphash.h\"\n#include \"CNIOBoringSSL_slhdsa.h\"\n#include \"CNIOBoringSSL_srtp.h\"\n#include \"CNIOBoringSSL_ssl.h\"\n#include \"CNIOBoringSSL_time.h\"\n#include \"CNIOBoringSSL_trust_token.h\"\n#include \"CNIOBoringSSL_type_check.h\"\n#include \"CNIOBoringSSL_x509_vfy.h\"\n#include \"CNIOBoringSSL_x509v3.h\"\n#include \"experimental/CNIOBoringSSL_kyber.h\"\n\n#endif // C_NIO_BORINGSSL_H\nEOF\ncat << EOF > \"$DSTROOT/include/module.modulemap\"\nmodule CNIOBoringSSL {\n umbrella header \"CNIOBoringSSL.h\"\n export *\n}\nEOF\n\necho \"RECORDING BoringSSL revision\"\n$sed -i -e \"s/BoringSSL Commit: [0-9a-f]\\+/BoringSSL Commit: ${BORINGSSL_REVISION}/\" \"$HERE/Package\"*.swift\necho \"This directory is derived from BoringSSL cloned from https://boringssl.googlesource.com/boringssl at revision ${BORINGSSL_REVISION}\" > \"$DSTROOT/hash.txt\"\n\necho \"CLEANING temporary directory\"\nrm -rf \"${TMPDIR}\"\n\n" } ]